From 264f4ed83ceb4338c73743be19ba3612c5c82017 Mon Sep 17 00:00:00 2001 From: Craig Peters Date: Fri, 1 Mar 2019 11:45:26 -0800 Subject: [PATCH 01/32] Updated the note to indicate doc work for 1.14 --- content/en/docs/getting-started-guides/windows/_index.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/en/docs/getting-started-guides/windows/_index.md b/content/en/docs/getting-started-guides/windows/_index.md index 5d0ca0d122804..42c4e3e80f675 100644 --- a/content/en/docs/getting-started-guides/windows/_index.md +++ b/content/en/docs/getting-started-guides/windows/_index.md @@ -3,7 +3,7 @@ title: Using Windows Server Containers in Kubernetes toc_hide: true --- {{< note >}} -These instructions were recently updated based on Windows Server platform enhancements and the Kubernetes v1.9 release +These instructions are under revision for the v1.14 release with a [tracking issue](https://github.com/kubernetes/website/issues/12426). You can find the WIP draft in a [Google Doc](https://docs.google.com/document/d/1a2bRd7PZXygIEm4cEcCeLXpEqJ7opakP_j4Pc6AJVYA/edit?usp=sharing) {{< /note >}} Kubernetes version 1.5 introduced Alpha support for Windows Server From aef823ff0ee1d3910f3d669150ed382b31345d79 Mon Sep 17 00:00:00 2001 From: Craig Peters Date: Tue, 12 Mar 2019 15:23:10 -0700 Subject: [PATCH 02/32] first attempt at md export from gdoc --- .../getting-started-guides/windows/_index.md | 1545 ++++++++++++++--- 1 file changed, 1262 insertions(+), 283 deletions(-) diff --git a/content/en/docs/getting-started-guides/windows/_index.md b/content/en/docs/getting-started-guides/windows/_index.md index 42c4e3e80f675..8e7ead5936117 100644 --- a/content/en/docs/getting-started-guides/windows/_index.md +++ b/content/en/docs/getting-started-guides/windows/_index.md 
@@ -6,396 +6,1375 @@ toc_hide: true These instructions are under revision for the v1.14 release with a [tracking issue](https://github.com/kubernetes/website/issues/12426). You can find the WIP draft in a [Google Doc](https://docs.google.com/document/d/1a2bRd7PZXygIEm4cEcCeLXpEqJ7opakP_j4Pc6AJVYA/edit?usp=sharing) {{< /note >}} -Kubernetes version 1.5 introduced Alpha support for Windows Server -Containers based on the Windows Server 2016 operating system. With the -release of Windows Server version 1709 and using Kubernetes v1.9 users -are able to deploy a Kubernetes cluster either on-premises or in a -private/public cloud using a number of different network topologies -and CNI plugins. Some key feature improvements for Windows Server -Containers on Kubernetes include: - -- Improved support for pods! Shared network namespace (compartment) with multiple Windows Server containers (shared kernel) -- Reduced network complexity by using a single network endpoint per pod -- Kernel-Based load-balancing using the Virtual Filtering Platform (VFP) Hyper-v Switch Extension (analogous to Linux iptables) -- Container Runtime Interface (CRI) pod and node level statistics -- Support for kubeadm commands to add Windows Server nodes to a Kubernetes environment - -The Kubernetes control plane (API Server, Scheduler, Controller Manager, etc) continue to run on Linux, while the kubelet and kube-proxy can be run on Windows Server 2016 or later +## ​Motivation + +Windows applications constitute a large portion of the services and applications that run in many organizations. [Windows containers](https://aka.ms/windowscontainers) provide a modern way to encapsulate processes and package dependencies, making it easier to use DevOps practices and follow cloud native patterns for Windows applications. 
Kubernetes has become the defacto standard container orchestrator, and the release of Kubernetes 1.14 includes production support for scheduling Windows containers on Windows nodes in a Kubernetes cluster, enabling a vast ecosystem of Windows applications to leverage the power of Kubernetes. Enterprises with investments in Windows-based applications and Linux-based applications don't have to look for separate orchestrators to manage their workloads, leading to increased operational efficiencies across their deployments, regardless of operating system. + + +## ​Intro to Windows containers in Kubernetes + +To enable the orchestration of Windows containers in Kubernetes, simply include Windows nodes in your existing Linux cluster. Scheduling Windows containers in [Pods](https://kubernetes.io/docs/concepts/workloads/pods/pod-overview/) on Kubernetes is as simple and easy as scheduling Linux-based containers. + +In order to run Windows containers, your Kubernetes cluster must include multiple operating systems, with control plane nodes running Linux and workers running either Windows or Linux depending on your workload needs. Windows Server 2019 is the only Windows operating system supported, enabling [Kubernetes Node](https://github.com/kubernetes/community/blob/master/contributors/design-proposals/architecture/architecture.md#the-kubernetes-node) on Windows (including kubelet, [container runtime](https://docs.microsoft.com/en-us/virtualization/windowscontainers/deploy-containers/containerd), and kube-proxy). For a detailed explanation of Windows distribution channels see the [Microsoft documentation](https://docs.microsoft.com/en-us/windows-server/get-started-19/servicing-channels-19). + +NOTE: The Kubernetes control plane, including the [master components](https://kubernetes.io/docs/concepts/overview/components/), will continue to run on Linux. There are no plans have a Windows-only Kubernetes cluster. 
+ + +## ​Supported Functionality and Limitations + + +### ​Supported Functionality + + +#### Compute + +From an API and kubectl perspective, Windows containers behave in much the same way as Linux-based containers. However, there are some notable differences in key functionality which are outlined in the limitation section. + +Let's start with the operating system version. Refer to the following table for Windows operating system support in Kubernetes. A single heterogeneous Kubernetes cluster can have both Windows and Linux worker nodes. Windows containers have to be scheduled on Windows nodes and Linux containers on Linux nodes. + + + + + + + + + + + + + + + + + + + + + +
Kubernetes version + Host OS version (Kubernetes Node) + + +
+ Windows Server 1709 + Windows Server 1803 + Windows Server 1809/Windows Server 2019 +
Kubernetes v1.14 + Not Supported + Not Supported + Supported for Windows Server containers Builds 17763.* with Docker EE-basic 18.09 +
+ + + + NOTE: The Windows Server Host Operating System is subject to the [Windows Server ](https://www.microsoft.com/en-us/cloud-platform/windows-server-pricing) licensing. The Windows Container images are subject to the [Supplemental License Terms for Windows containers](https://docs.microsoft.com/en-us/virtualization/windowscontainers/images-eula). + + + NOTE: Windows containers have strict compatibility rules, [where the host OS version must match the container base image OS version.](https://docs.microsoft.com/en-us/virtualization/windowscontainers/deploy-containers/version-compatibility) + +Key Kubernetes elements work the same way in Windows as they do in Linux. In this section, we will talk about some of the key workload enablers and how they map to Windows. + + + +* [Pods](https://kubernetes.io/docs/concepts/workloads/pods/pod-overview/) + + A Pod is the basic building block of Kubernetes–the smallest and simplest unit in the Kubernetes object model that you create or deploy. The following Pod capabilities, properties and events are supported with Windows containers: + + + + * Single or multiple containers per Pod with process isolation and volume sharing + * Pod status fields + * Readiness and Liveness probes + * postStart & preStop container lifecycle events + * ConfigMap, Secrets: as environment variables or volumes + * EmptyDir + * Named pipe host mounts + * Resource limits +* [Controllers](https://kubernetes.io/docs/concepts/workloads/controllers/) + + Kubernetes controllers handle the desired state of Pods. The following workload controllers are supported with Windows containers: + + * ReplicaSet + * ReplicationController + * Deployments + * StatefulSets + * DaemonSet + * Job + * CronJob +* [Services](https://kubernetes.io/docs/concepts/services-networking/service/) + + A Kubernetes Service is an abstraction which defines a logical set of Pods and a policy by which to access them - sometimes called a micro-service. 
You can use services for cross-operating system connectivity. In Windows, services can utilize the following types, properties and capabilities: + + * Service Environment variables + * NodePort + * ClusterIP + * LoadBalancer + * ExternalName + * Headless services + +Pods, Controllers and Services are critical elements to managing Windows workloads on Kubernetes. However, on their own they are not enough to enable the proper lifecycle management of Windows workloads in a dynamic cloud native environment. We added support for the following features: + + + +* Pod and container metrics +* Horizontal Pod Autoscaler support +* KubeCtl Exec +* Resource Quotas +* Scheduler preemption + + +#### Container Runtime + +Docker EE-basic 18.09 is required on Windows Server 2019 / 1809 nodes for Kubernetes. This works with the dockershim code included in the kubelet. Additional runtimes such as CRI-ContainerD may be supported in later Kubernetes versions. + + +#### Storage + +Kubernetes Volumes enable complex applications with data persistence and Pod volume sharing requirements to be deployed on Kubernetes. Kubernetes on Windows supports the following types of [volumes](https://kubernetes.io/docs/concepts/storage/volumes/): + + + +* FlexVolume out-of-tree plugin with [SMB and iSCSI ](https://github.com/Microsoft/K8s-Storage-Plugins/tree/master/flexvolume/windows)support +* [azureDisk](https://kubernetes.io/docs/concepts/storage/volumes/#azuredisk) +* [azureFile ](https://kubernetes.io/docs/concepts/storage/volumes/#azurefile) + + +#### ​Networking + +Networking for Windows containers is exposed through [CNI plugins](https://kubernetes.io/docs/concepts/extend-kubernetes/compute-storage-net/network-plugins/). Windows containers function similarly to virtual machines in regards to networking. Each container has a virtual network adapter (vNIC) which is connected to a Hyper-V virtual switch (vSwitch). 
The Host Networking Service (HNS) and the Host Compute Service (HCS) work together to create containers and attach container vNICs to networks. HCS is responsible for the management of containers whereas HNS is responsible for the management of networking resources such as: + + + +* Virtual networks (including creation of vSwitches) +* Endpoints / vNICs +* Namespaces +* Policies (Packet encapsulations, Load-balancing rules, ACLs, NAT'ing rules, etc.) + +The following service spec types are supported: + + + +* NodePort +* ClusterIP +* LoadBalancer +* ExternalName + +Windows supports five different networking drivers/modes: L2bridge, L2tunnel, Overlay, Transparent, and NAT. In a heterogeneous cluster with Windows and Linux work nodes, you need to select a networking solution that is compatible on both Windows and Linux. The following out-of-tree plugins are supported on Windows, with recommendations on when to use each CNI: + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Network Driver + Description + Container Packet Modifications + Network Plugins + Network Plugin Characteristics +
L2bridge + Containers are attached to an external vSwitch. Containers are attached to the underlay network, although the physical network doesn't need to learn the container MACs because they are rewritten on ingress/egress. Inter-container traffic is bridged inside the container host. + MAC is rewritten to host MAC, IP remains the same. + win-bridge, Azure-CNI, Flannel host-gateway uses win-bridge + win-bridge uses L2bridge network mode, connects containers to the underlay of hosts, offering best performance. Requires L2 adjacency between container hosts +
L2Tunnel + This is a special case of l2bridge, but only used on Azure. All packets are sent to the virtualization host where SDN policy is applied. + MAC rewritten, IP visible on the underlay network + Azure-CNI + Azure-CNI allows integration of containers with Azure vNET, and allows them to leverage the set of capabilities that Azure Virtual Network provides. For example, securely connect to Azure services or use Azure NSGs. See azure-cni for some examples +
Overlay (Overlay networking for Windows in Kubernetes is in alpha stage) + Containers are given a vNIC connected to an external vSwitch. Each overlay network gets its own IP subnet, defined by a custom IP prefix.The overlay network driver uses VXLAN encapsulation. + Encapsulated with an outer header, inner packet remains the same. + Win-overlay, Flannel VXLAN (uses win-overlay), +

+OVN-Kubernetes (uses OpenVSwitch on Windows - Prebuilt certified installer), requires KB4482887 +

win-overlay should be used when virtual container networks are desired to be isolated from underlay of hosts (e.g. for security reasons). Allows for IPs to be re-used for different overlay networks (which have different VNID tags) if you are restricted on IPs in your datacenter. This option may be used when the container hosts are not L2 adjacent but have L3 connectivity +
Transparent (not used in Kubernetes) + Containers are given a vNIC connected to an external vSwitch. Containers are attached to the underlay network directly and the physical network needs to learn the container MACs. + Both MAC and IP remains the same. + + Included here for completeness +
NAT (not used in Kubernetes) + Containers are given a vNIC connected to an internal vSwitch. DNS/DHCP is provided using an internal component called WinNAT + MAC and IP is rewritten to host MAC/IP. + nat + Included here for completeness +
+ + +Furthermore, for simplified consumption of the win-bridge and win-overlay plugins for end-users with automated network configurations, [Flannel](https://github.com/coreos/flannel) has added support for Windows in their [meta plugin](https://github.com/containernetworking/plugins/tree/master/plugins/meta/flannel) via the [VXLAN network backend](https://github.com/coreos/flannel/blob/master/Documentation/backends.md#vxlan) (**alpha support** ; delegates to win-overlay) and [host-gateway network backend](https://github.com/coreos/flannel/blob/master/Documentation/backends.md#host-gw) (stable support; delegates to win-bridge) with the [host-local plugin](https://github.com/containernetworking/plugins/tree/master/plugins/ipam/host-local) used for IP address management and the meta CNI network plugin [flannel](https://github.com/containernetworking/plugins/tree/master/plugins/meta/flannel#windows-support-experimental) for interacting between the delegated CNI plugin (win-bridge or win-overlay) and providing the host-local IPAM the correct range from subnet.env file provisioned by the flanneld agent. + +For the node, pod, and service objects, the following network flows are supported for TCP/UDP traffic: + + + +* Pod -> Pod (IP) +* Pod -> Pod (Name) +* Pod -> Service (Cluster IP) +* Pod -> Service (PQDN, but only if there are no ".") +* Pod -> Service (FQDN) +* Pod -> External (IP) +* Pod -> External (DNS) +* Node -> Pod +* Pod -> Node + +The following IPAM options are supported on Windows: + + + +* [Host-local](https://github.com/containernetworking/plugins/tree/master/plugins/ipam/host-local) +* HNS IPAM (Inbox platform IPAM, this is a fallback when no IPAM is set) +* [Azure-vnet-ipam](https://github.com/Azure/azure-container-networking/blob/master/docs/ipam.md) (for azure-cni only) + + +### ​​​​Limitations + + +#### Control Plane + +Windows is only supported as a worker node in the Kubernetes architecture and component matrix. 
This means that a Kubernetes cluster must always include Linux master nodes, zero or more Linux worker nodes, and zero or more Windows worker nodes. + + +#### ​Compute + + +##### Resource management and process isolation + + Linux cgroups are used as a pod boundary for resource controls in Linux. Containers are created within that boundary for network, process and file system isolation. The cgroups APIs can be used to gather cpu/io/memory stats. In contrast, Windows uses a Job object per container with a system namespace filter to contain all processes in a container and provide logical isolation from the host. There is no way to run a Windows container without the namespace filtering in place. This means that system privileges cannot be asserted in the context of the host, and thus privileged containers are not available on Windows. Containers cannot assume an identity from the host because the Security Account Manager (SAM) is separate. + + +##### Operating System Restrictions + +Windows has strict compatibility rules, where the host OS version must match the container base image OS version. Only Windows containers with a container operating system of Windows Server 2019 are supported. Hyper-V isolation of containers, enabling some backward compatibility of Windows container image versions, is planned for a future release. + + +##### Feature Restrictions + + + +* TerminationGracePeriod: not implemented +* Single file mapping: to be implemented with CRI-ContainerD +* Termination message: to be implemented with CRI-ContainerD +* Privileged Containers: not currently supported in Windows containers +* HugePages +* The existing node problem detector is Linux-only and requires privileged containers. 
In general, we don't expect this to be used on Windows because privileged containers are not supported +* Not all features of shared namespaces are supported (see API section for more details) + + +##### Memory Reservations and Handling + +Windows does not have an out-of-memory process killer as Linux does. Windows always treats all user-mode memory allocations as virtual, and pagefiles are mandatory. The net effect is that Windows won't reach out of memory conditions the same way Linux does, and processes will page to disk instead of being subject to out of memory (OOM) termination. If memory is over-provisioned and all physical memory is exhausted, then paging can slow down performance. + +Keeping memory usage within reasonable bounds is possible with a two-step process. First, use the kubelet parameters `--kubelet-reserve` and/or `--system-reserve` to account for memory usage on the node (outside of containers). This will reduce [NodeAllocatable](https://kubernetes.io/docs/tasks/administer-cluster/reserve-compute-resources/#node-allocatable)). As you deploy workloads, use resource limits (must set only limits or limits must equal requests) on containers. This will also subtract from NodeAllocatable and prevent the scheduler from adding more pods once a node is full. + +A best practice to avoid over-provisioning is to configure the kubelet with a system reserved memory of at least 2GB to account for Windows, Docker, and Kubernetes processes. + +The behaviour of the flags behave differently as described below: + + + +* --kubelet-reserve, --system-reserve , and --eviction-hard flags update Node Allocatable +* Eviction by using --enforce-node-allocable is not implemented +* Eviction by using --eviction-hard and --eviction-soft are not implemented +* MemoryPressure Condition is not implemented +* There are no OOM eviction actions taken by the kubelet +* Kubelet running on the windows node does not have memory restrictions. 
--kubelet-reserve and --system-reserve do not set limits on kubelet or processes running the host. This means kubelet or a process on the host could cause memory resource starvation outside the node-allocatable and scheduler + + +#### ​Storage + +Windows has a layered filesystem driver to mount container layers and create a copy filesystem based on NTFS. All file paths in the container are resolved only within the context of that container. + + + +* Volume mounts can only target a directory in the container, and not an individual file +* Volume mounts cannot project files or directories back to the host filesystem +* Read-only filesystems are not supported because write access is always required for the Windows registry and SAM database. However, read-only volumes are supported +* Volume user-masks and permissions are not available. Because the SAM is not shared between the host & container, there's no mapping between them. All permissions are resolved within the context of the container + +As a result, the following storage functionality is not supported on Windows nodes + + + +* Windows does not support volume subpath mounts. Only the entire volume can be mounted in a Windows container. +* Subpath volume mounting for Secrets +* Host mount projection +* DefaultMode (due to UID/GID dependency) +* Read-only root filesystem. Mapped volumes still support readOnly +* Block device mapping +* Memory as the storage medium +* CSI plugins which require privileged containers +* File system features like uui/guid, per-user Linux filesystem permissions +* NFS based storage/volume support + + +#### Networking + +Windows Container Networking differs in some important ways from Linux networking. The [Microsoft documentation for Windows Container Networking](https://docs.microsoft.com/en-us/virtualization/windowscontainers/container-networking/architecture) contains additional details and background. 
+ +The Windows host networking networking service and virtual switch implement namespacing and can create virtual NICs as needed for a pod or container. However, many configurations such as DNS, routes, and metrics are stored in the Windows registry database rather than /etc/... files as they are on Linux. The Windows registry for the container is separate from that of the host, so concepts like mapping /etc/resolv.conf from the host into a container don't have the same effect they would on Linux. These must be configured using Windows APIs run in the context of that container. Therefore CNI implementations need to call the HNS instead of relying on file mappings to pass network details into the pod or container. + +The following networking functionality is not supported on Windows nodes + + + +* Host networking mode is not available for Windows pods +* Local NodePort access from the node itself will fail (works for other nodes or external clients) +* Accessing service VIPs from nodes will be available with a future release of Windows Server +* Overlay networking support in kube-proxy is an alpha release. In addition, it requires [KB4482887](https://support.microsoft.com/en-us/help/4482887/windows-10-update-kb4482887) to be installed on Windows Server 2019 +* Outbound communication using the ICMP protocol via the win-overlay, win-bridge, and Azure-CNI plugin. Specifically, the Windows data plane ([VFP](https://www.microsoft.com/en-us/research/project/azure-virtual-filtering-platform/)) doesn't support ICMP packet transpositions. This means: + * ICMP packets directed to destinations within the same network (e.g. pod to pod communication via ping) will work as expected and without any limitations + * TCP/UDP packets will work as expected and without any limitations + * ICMP packets directed to pass through a remote network (e.g. 
pod to external internet communication via ping) cannot be transposed and thus will not be routed back to their source + * Since TCP/UDP packets can still be transposed, one can substitute **ping ** with **curl ** to be able to debug connectivity to the outside world. + + +##### CNI Plugins + + + +* Windows reference network plugins win-bridge and win-overlay do not currently implement [CNI spec](https://github.com/containernetworking/cni/blob/master/SPEC.md) v0.4.0 due to missing "CHECK" implementation. +* The Flannel VXLAN CNI has the following limitations on Windows: +1. Node-pod connectivity isn't possible by design. It's only possible for local pods with Flannel PR[ https://github.com/coreos/flannel/pull/1096](https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Fcoreos%2Fflannel%2Fpull%2F1096&data=02%7C01%7CDavid.Schott%40microsoft.com%7Cfa26c088fac743188e7d08d69ea3d836%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C636870823885740325&sdata=1QEvw9Gh6IioT7ruVhhXAlSgN1a%2FMsqn4ViDQSSSVjs%3D&reserved=0) +2. We are restricted to using VNI 4096 and UDP port 4789. The VNI limitation is being worked on and will be overcome (open-source flannel changes). See official [Flannel VXLAN ](https://github.com/coreos/flannel/blob/master/Documentation/backends.md#vxlan)backend docs for more details on these parameters. + + +##### DNS + + + +* ClusterFirstWithHostNet is not supported for DNS. Windows treats all names with a '.' as a FQDN and skips PQDN resolution +* On Linux, you have a DNS suffix list, which is used when trying to resolve PQDNs. On Windows, we only have 1 DNS suffix, which is the the DNS suffix associated with that pod's namespace (mydns.svc.cluster.local for example). Windows can resolve FQDNs and services or names resolvable with just that suffix. For example, a pod spawned in the default namespace, will have the DNS suffix **default.svc.cluster.local**. 
On a Windows pod, we will be able to resolve both **kubernetes.default.svc.cluster.local** and **kubernetes**, but not the in-betweens, like **kubernetes.default** or **kubernetes.default.svc**. + +Security + +Secrets are written in clear text on the node's volume (as compared to tmpfs/in-memory on linux). This means customers have to do two things + + + +1. Use file ACLs to secure the secrets file location +2. ​Use volume-level encryption using [BitLocker](https://docs.microsoft.com/en-us/windows/security/information-protection/bitlocker/bitlocker-how-to-deploy-on-windows-server) + +[RunAsUser ](https://kubernetes.io/docs/concepts/policy/pod-security-policy/#users-and-groups)is not currently supported on Windows. The workaround is to create local accounts before packaging the container. The RunAsUsername capability may be added in a future release. + +Linux specific pod security context privileges such as SELinux, AppArmor, Seccomp, Capabilities (POSIX Capabilities), and others are not supported. + +In addition, as mentioned already, privileged containers are not supported on Windows. + + +#### API + +There are no differences in how most of the Kubernetes APIs work for Windows. The subtleties around what's different come down to differences in the OS and container runtime. In certain situations, some properties on workload APIs such as Pod or Container were designed with an assumption that they are implemented on Linux, failing to run on Windows. \ + \ +At a high level, these OS concepts are different: -{{< note >}} -Windows Server Containers on Kubernetes is a Beta feature in Kubernetes v1.9 -{{< /note >}} -## Get Windows Binaries -We recommend using the release binaries that can be found at [https://github.com/kubernetes/kubernetes/releases/latest](https://github.com/kubernetes/kubernetes/releases/latest). Under the CHANGELOG you can find the Node Binaries link for Windows-amd64, which will include kubeadm, kubectl, kubelet and kube-proxy. 
-If you wish to build the code yourself, please refer to detailed build instructions [here](https://docs.microsoft.com/en-us/virtualization/windowscontainers/kubernetes/compiling-kubernetes-binaries). +* Identity - Linux uses userID (UID) and groupID (GID) which are represented as integer types. User and group names are not canonical - they are just an alias in /etc/groups or /etc/passwd back to UID+GID. Windows uses a larger binary security identifier (SID) which is stored in the Windows Security Access Manager (SAM) database. This database is not shared between the host and containers, or between containers. +* File permissions - Windows uses an access control list based on SIDs, rather than a bitmask of permissions and UID+GID +* File paths - convention on Windows is to use **\** instead of **/**. The Go IO libraries typically accept both and just make it work, but when you're setting a path or command line that's interpreted inside a container, **\** may be needed. +* Signals - Windows interactive apps handle termination differently, and can implement one or more of these: + * A UI thread will handle well-defined messages including WM_CLOSE + * Console apps will handle ctrl-c or ctrl-break using a Control Handler + * Services will register a Service Control Handler function that can accept SERVICE_CONTROL_STOP control codes -## Prerequisites -In Kubernetes version 1.9 or later, Windows Server Containers for Kubernetes are supported using the following: +Exit Codes follow the same convention where 0 is success, nonzero is failure. The specific error codes may differ across Windows and Linux. However, exit codes passed from the Kubernetes components (kubelet, kube-proxy) will be unchanged. -1. Kubernetes control plane running on existing Linux infrastructure (version 1.9 or later). -2. Kubenet network plugin setup on the Linux nodes. -3. Windows Server 2016 RTM or later. 
Windows Server version 1709 or later is preferred; it unlocks key capabilities like shared network namespace. -4. Docker Version 17.06.1-ee-2 or later for Windows Server nodes (Linux nodes and Kubernetes control plane can run any Kubernetes supported Docker Version). -## Networking -There are several supported network configurations with Kubernetes v1.9 on Windows, including both Layer-3 routed and overlay topologies using third-party network plugins. +##### V1.Container -1. [Upstream L3 Routing](#upstream-l3-routing-topology) - IP routes configured in upstream ToR -2. [Host-Gateway](#host-gateway-topology) - IP routes configured on each host -3. [Open vSwitch (OVS) & Open Virtual Network (OVN) with Overlay](#using-ovn-with-ovs) - overlay networks (supports STT and Geneve tunneling types) -4. [Future - In Review] Overlay - VXLAN or IP-in-IP encapsulation using Flannel -5. [Future] Layer-3 Routing with BGP (Calico) - -The selection of which network configuration and topology to deploy depends on the physical network topology and a user's ability to configure routes, performance concerns with encapsulation, and requirement to integrate with third-party network plugins. - -### Future CNI Plugins -An additional two CNI plugins [win-l2bridge (host-gateway) and win-overlay (vxlan)] are in [PR review](https://github.com/containernetworking/plugins/pull/85). These two CNI plugins, when ready, can either be used directly or with Flannel. - -### Linux -The above networking approaches are already supported on Linux using a bridge interface, which essentially creates a private network local to the node. Similar to the Windows side, routes to all other pod CIDRs must be created in order to send packets via the "public" NIC. - -### Windows -Windows supports the CNI network model and uses plugins to interface with the Windows Host Networking Service (HNS) to configure host networking and policy. 
At the time of this writing, the only publicly available CNI plugin from Microsoft is built from a private repo and available here [wincni.exe](https://github.com/Microsoft/SDN/blob/master/Kubernetes/windows/cni/wincni.exe). It uses an l2bridge network created through the Windows Host Networking Service (HNS) by an administrator using HNS PowerShell commands on each node as documented in the [Windows Host Setup](#windows-host-setup) section below. Source code for the future CNI plugins will be made available publicly. - -#### Upstream L3 Routing Topology -In this topology, networking is achieved using L3 routing with static IP routes configured in an upstream Top of Rack (ToR) switch/router. Each cluster node is connected to the management network with a host IP. Additionally, each node uses a local 'l2bridge' network with a pod CIDR assigned. All pods on a given worker node will be connected to the pod CIDR subnet ('l2bridge' network). In order to enable network communication between pods running on different nodes, the upstream router has static routes configured with pod CIDR prefix => Host IP. - -The following example diagram illustrates the Windows Server networking setup for Kubernetes using Upstream L3 Routing Setup: -![K8s Cluster using L3 Routing with ToR](UpstreamRouting.png) - -#### Host-Gateway Topology -This topology is similar to the Upstream L3 Routing topology with the only difference being that static IP routes are configured directly on each cluster node and not in the upstream ToR. Each node uses a local 'l2bridge' network with a pod CIDR assigned as before and has routing table entries for all other pod CIDR subnets assigned to the remote cluster nodes. 
-#### Using OVN with OVS -The following diagram gives a general overview of the architecture and interaction between components: -![Overlay using OVN controller and OVS Switch Extension](ovn_kubernetes.png) +* V1.Container.ResourceRequirements.limits.cpu and V1.Container.ResourceRequirements.limits.memory - Windows doesn't use hard limits for CPU allocations. Instead, a share system is used. The existing fields based on millicores are scaled into relative shares that are followed by the Windows scheduler. [see: kuberuntime/helpers_windows.go](https://github.com/kubernetes/kubernetes/blob/master/pkg/kubelet/kuberuntime/helpers_windows.go), [see: resource controls in Microsoft docs](https://docs.microsoft.com/en-us/virtualization/windowscontainers/manage-containers/resource-controls) + * Huge pages are not implemented in the Windows container runtime, and are not available. They require [asserting a user privilege](https://docs.microsoft.com/en-us/windows/desktop/Memory/large-page-support) that's not configurable for containers. +* V1.Container.ResourceRequirements.requests.cpu and V1.Container.ResourceRequirements.requests.memory - Requests are subtracted from node available resources, so they can be used to avoid overprovisioning a node. However, they cannot be used to guarantee resources in an overprovisioned node. They should be applied to all containers as a best practice if the operator wants to avoid overprovisioning entirely. 
+* V1.Container.SecurityContext.allowPrivilegeEscalation - not possible on Windows, none of the capabilities are hooked up +* V1.Container.SecurityContext.Capabilities - POSIX capabilities are not implemented on Windows +* V1.Container.SecurityContext.privileged - Windows doesn't support privileged containers +* V1.Container.SecurityContext.procMount - Windows doesn't have a /proc filesystem +* V1.Container.SecurityContext.readOnlyRootFilesystem - not possible on Windows, write access is required for registry & system processes to run inside the container +* V1.Container.SecurityContext.runAsGroup - not possible on Windows, no GID support +* V1.Container.SecurityContext.runAsNonRoot - Windows does not have a root user. The closest equivalent is ContainerAdministrator which is an identity that doesn't exist on the node. +* V1.Container.SecurityContext.runAsUser - not possible on Windows, no UID support as int. +* V1.Container.SecurityContext.seLinuxOptions - not possible on Windows, no SELinux +* V1.Container.terminationMessagePath - this has some limitations in that Windows doesn't support mapping single files. The default value is /dev/termination-log, which does work because it does not exist on Windows by default. -(The above image is from [https://github.com/openvswitch/ovn-kubernetes#overlay-mode-architecture-diagram](https://github.com/openvswitch/ovn-kubernetes#overlay-mode-architecture-diagram)) +##### +V1.Pod -Due to its architecture, OVN has a central component which stores your networking intent in a database. Other components i.e. kube-apiserver, kube-controller-manager, kube-scheduler etc. can be deployed on that central node as well. +* V1.Pod.hostIPC, v1.pod.hostpid - host namespace sharing is not possible on Windows +* V1.Pod.hostNetwork - There is no Windows OS support to share the host network +* V1.Pod.dnsPolicy - ClusterFirstWithHostNet - is not supported because Host Networking is not supported on Windows. 
+* V1.Pod.podSecurityContext - see [V1.PodSecurityContext](https://github.com/kubernetes/enhancements/blob/master/keps/sig-windows/20190103-windows-node-support.md#v1podsecuritycontext) +* V1.Pod.shareProcessNamespace - this is an beta feature, and depends on Linux namespaces which are not implemented on Windows. Windows cannot share process namespaces or the container's root filesystem. Only the network can be shared. +* V1.Pod.terminationGracePeriodSeconds - this is not fully implemented in Docker on Windows, see: [reference](https://github.com/moby/moby/issues/25982). The behavior today is that the ENTRYPOINT process is sent CTRL_SHUTDOWN_EVENT, then Windows waits 5 seconds by hardcoded default, and finally shuts down all processes using the normal Windows shutdown behavior. The 5 second default is actually in the Windows registry [inside the container](https://github.com/moby/moby/issues/25982#issuecomment-426441183), so it can be overridden when the container is built. +* V1.Pod.volumeDevices - this is an beta feature, and is not implemented on Windows. Windows cannot attach raw block devices to pods. +* V1.Pod.volumes - EmptyDir, Secret, ConfigMap, HostPath - all work and have tests in TestGrid + * V1.emptyDirVolumeSource - the Node default medium is disk on Windows. Memory is not supported, as Windows does not have a built-in RAM disk. +* V1.VolumeMount.mountPropagation - only MountPropagationHostToContainer is available. Windows cannot create mounts within a pod or project them back to the node. -## Setting up Windows Server Containers on Kubernetes -To run Windows Server Containers on Kubernetes, you'll need to set up both your host machines and the Kubernetes node components for Windows. Depending on your network topology, routes may need to be set up for pod communication on different nodes. +##### +V1.PodSecurityContext -### Host Setup -#### For 1. Upstream L3 Routing Topology and 2. 
Host-Gateway Topology +None of the PodSecurityContext fields work on Windows. They're listed here for reference. -##### Linux Host Setup -1. Linux hosts should be setup according to their respective distro documentation and the requirements of the Kubernetes version you will be using. -2. Configure Linux Master node using steps [here](https://github.com/MicrosoftDocs/Virtualization-Documentation/blob/live/virtualization/windowscontainers/kubernetes/creating-a-linux-master.md) -3. [Optional] CNI network plugin installed. -##### Windows Host Setup +* V1.PodSecurityContext.SELinuxOptions - SELinux is not available on Windows +* V1.PodSecurityContext.RunAsUser - provides a UID, not available on Windows +* V1.PodSecurityContext.RunAsGroup - provides a GID, not available on Windows +* V1.PodSecurityContext.RunAsNonRoot - Windows does not have a root user. The closest equivalent is ContainerAdministrator which is an identity that doesn't exist on the node. +* V1.PodSecurityContext.SupplementalGroups - provides GID, not available on Windows +* V1.PodSecurityContext.Sysctls - these are part of the Linux sysctl interface. There's no equivalent on Windows. -1. Windows Server container host running the required Windows Server and Docker versions. Follow the setup instructions outlined by this help topic: https://docs.microsoft.com/en-us/virtualization/windowscontainers/quick-start/quick-start-windows-server. -2. [Get Windows Binaries](#get-windows-binaries) kubelet.exe, kube-proxy.exe, and kubectl.exe using instructions -3. Copy Node spec file (kube config) from Linux master node with X.509 keys -4. Create the HNS Network, ensure the correct CNI network config, and start kubelet.exe using this script [start-kubelet.ps1](https://github.com/Microsoft/SDN/blob/master/Kubernetes/windows/start-kubelet.ps1) -5. Start kube-proxy using this script [start-kubeproxy.ps1](https://github.com/Microsoft/SDN/blob/master/Kubernetes/windows/start-kubeproxy.ps1) -6. 
[Only required for #2 Host-Gateway mode] Add static routes on Windows host using this script [AddRoutes.ps1](https://github.com/Microsoft/SDN/blob/master/Kubernetes/windows/AddRoutes.ps1) +# ​User Guide: Add Windows Nodes in Kubernetes -More detailed instructions can be found [here](https://github.com/MicrosoftDocs/Virtualization-Documentation/blob/live/virtualization/windowscontainers/kubernetes/getting-started-kubernetes-windows.md). -**Windows CNI Config Example** -Today, Windows CNI plugin is based on wincni.exe code with the following example, configuration file. This is based on the ToR example diagram shown above, specifying the configuration to apply to Windows node-1. Of special interest is Windows node-1 pod CIDR (10.10.187.64/26) and the associated gateway of cbr0 (10.10.187.66). The exception list is specifying the Service CIDR (11.0.0.0/8), Cluster CIDR (10.10.0.0/16), and Management (or Host) CIDR (10.127.132.128/25). +## ​Objectives + +The Kubernetes platform can now be used to run both Linux and Windows containers. One or more Windows nodes can be registered to a cluster. This guide shows how to: + + + +* Register a Windows node to the cluster +* Configure networking so pods on Linux and Windows can communicate + + +## ​Before you begin + + + +* Obtain a [Windows Server license](https://www.microsoft.com/en-us/cloud-platform/windows-server-pricing) in order to run the Windows node that will execute the Windows container. You can use your organization's licenses for the cluster, or acquire one from Microsoft, a reseller, or via the major cloud providers such as GCP, AWS, and Azure by provisioning a virtual machine running Windows Server through their marketplaces. A [time-limited trial](https://www.microsoft.com/en-us/cloud-platform/windows-server-trial) is also available. 
+* Build a Linux-based Kubernetes cluster in which you have access to the control plane (some examples include [Getting Started from Scratch](https://kubernetes.io/docs/setup/scratch/), [kubeadm](https://kubernetes.io/docs/setup/independent/create-cluster-kubeadm/), [AKS Engine](https://kubernetes.io/docs/setup/turnkey/azure/), [GCE](https://kubernetes.io/docs/setup/turnkey/gce/), [AWS](https://kubernetes.io/docs/setup/turnkey/aws/)). + + +## ​Getting Started: Adding a Windows Node to Your Cluster + + +### ​Plan IP Addressing + +Kubernetes cluster management requires careful planning of your IP addresses so that you do not inadvertently cause network collision. This guide assumes that you are familiar with the [Kubernetes networking concepts](https://kubernetes.io/docs/concepts/cluster-administration/networking/). + +In order to deploy your cluster you will need the following address spaces: + + + + + + + + + + + + + + + + + + + + + + + +
Subnet / address range + Description + Default value +
Service Subnet + A non-routable, purely virtual subnet that is used by pods to uniformly access services without caring about the network topology. It is translated to/from routable address space by kube-proxy running on the nodes. + "10.96.0.0/12" +
Cluster Subnet + This is a global subnet that is used by all pods in the cluster. Each node is assigned a smaller /24 subnet from this for their pods to use. It must be large enough to accommodate all pods used in your cluster. To calculate minimumsubnet size: (number of nodes) + (number of nodes * maximum pods per node that you configure) +

+Example: for a 5 node cluster for 100 pods per node: (5) + (5 * 100) = 505. +

"10.244.0.0/16" +
Kubernetes DNS Service IP + IP address of kube-dns service that will be used for DNS resolution & cluster service discovery. + "10.96.0.10" +
+ + +Review the networking options supported in 'Intro to Windows containers in Kubernetes: Supported Functionality: Networking' to determine how you need to allocate IP addresses for your cluster. + + +### Components that run on Windows + +While the Kubernetes control plane runs on your Linux node(s), the following components will be configured and run on your Windows node(s). + + + +1. kubelet +2. kube-proxy +3. kubectl (optional) +4. Container runtime + +Get the latest binaries from [https://github.com/kubernetes/kubernetes/releases](https://github.com/kubernetes/kubernetes/releases), starting with v1.14 or later. The Windows-amd64 binaries for kubeadm, kubectl, kubelet, and kube-proxy can be found under the CHANGELOG link. + + +### ​Networking Configuration + +Once you have a Linux-based Kubernetes master node you are ready to choose a networking solution. This guide illustrates using Flannel in VXLAN mode for simplicity. + + +#### ​Configuring Flannel in VXLAN mode on the Linux controller + + + +1. Prepare Kubernetes master for Flannel + +Some minor preparation is recommended on the Kubernetes master in our cluster. It is recommended to enable bridged IPv4 traffic to iptables chains when using Flannel. 
This can be done using the following command: -Note: this file assumes that a user previous created 'l2bridge' host networks on each Windows node using `-HNSNetwork` cmdlets as shown in the `start-kubelet.ps1` and `start-kubeproxy.ps1` scripts linked above -```json -{ - "cniVersion": "0.2.0", - "name": "l2bridge", - "type": "wincni.exe", - "master": "Ethernet", - "ipam": { - "environment": "azure", - "subnet": "10.10.187.64/26", - "routes": [{ - "GW": "10.10.187.66" - }] - }, - "dns": { - "Nameservers": [ - "11.0.0.10" - ] - }, - "AdditionalArgs": [{ - "Name": "EndpointPolicy", - "Value": { - "Type": "OutBoundNAT", - "ExceptionList": [ - "11.0.0.0/8", - "10.10.0.0/16", - "10.127.132.128/25" - ] - } - }, - { - "Name": "EndpointPolicy", - "Value": { - "Type": "ROUTE", - "DestinationPrefix": "11.0.0.0/8", - "NeedEncap": true - } - }, - { - "Name": "EndpointPolicy", - "Value": { - "Type": "ROUTE", - "DestinationPrefix": "10.127.132.213/32", - "NeedEncap": true - } - } - ] -} ``` +sudo sysctl net.bridge.bridge-nf-call-iptables=1 -#### DNS configurations - -DNS configurations for Windows containers are set by CNI plugins which support `dns` capabilities. To enable `dns` capabilities, the following options should be included in the CNI configuration file: - -```json -{ - ... - "capabilities": {"dns": true}, -} -``` - -The following DNS options from kubelet will be passed to CNI plugins: - -- servers: List of DNS servers. -- searches: List of DNS search domains. -- options: List of DNS options. - -e.g. - -```json -"dns" { - "servers": ["10.0.0.10"], - "searches": ["default.svc.cluster.local","svc.cluster.local","cluster.local"], - "options": [] -} -``` - -#### For 3. Open vSwitch (OVS) & Open Virtual Network (OVN) with Overlay +``` -{{< note >}} -Fully automated setup via Ansible playbooks is [available](https://github.com/openvswitch/ovn-kubernetes/tree/master/contrib). -{{< /note >}} -For manual setup, continue the following steps. -##### Linux Host Setup +1. 
Download & configure Flannel + +Download the most recent Flannel manifest: + + +``` +wget https://raw.githubusercontent.com/coreos/flannel/master/Documentation/kube-flannel.yml +``` + + +There are two sections you should modify to enable the vxlan networking backend: -Setting up the central node and the components needed is out of scope of this document. You can read [these instructions](https://github.com/openvswitch/ovn-kubernetes#k8s-master-node-initialization) for that. +After applying the steps below, the `net-conf.json` section of `kube-flannel.yml` should look as follows: -Adding a Linux minion is also out of scope and you can read it here: [Linux minion](https://github.com/openvswitch/ovn-kubernetes#k8s-minion-node-initializations). +``` +net-conf.json: | + { + "Network": "10.244.0.0/16", + "Backend": { + "Type": "vxlan", + "VNI" : 4096, + "Port": 4789 + } + } + +``` -##### Windows Host Setup -Adding a Windows minion requires you to install OVS and OVN binaries. Windows Server container host running the required Windows Server and Docker versions. Follow the setup instructions outlined by [this help topic](https://docs.microsoft.com/en-us/virtualization/windowscontainers/quick-start/quick-start-windows-server). This type of deployment is supported starting with Windows Server 2016 RTM. -Compiling OVS and generating the installer will not be treated in this document. For a step by step instruction please visit [this link](http://docs.openvswitch.org/en/latest/intro/install/windows/#open-vswitch-on-windows). -For a prebuilt certified installer please visit [this link](https://cloudbase.it/openvswitch/#download) and download the latest version of it. +1. In the `net-conf.json` section of your `kube-flannel.yml`, double-check: + 1. The cluster subnet (e.g. "10.244.0.0/16") is set as per your IP plan. + * VNI 4096 is set in the backend + * Port 4789 is set in the backend +2. 
In the `cni-conf.json` section of your `kube-flannel.yml`, change the network name to "`vxlan0"`. -The following guide uses the prebuilt certified installer. +Note: The VNI must be set to 4096 and port 4789 for Flannel on Linux to interoperate with Flannel on Windows. Support for other VNIs is coming soon. See [VXLAN](https://github.com/coreos/flannel/blob/master/Documentation/backends.md#vxlan) for an explanation of these fields. -Installing OVS can be done either via the GUI dialogs or unattended. Adding a Windows host to your setup requires you to have `OVN Host` together with the default installation features. Below is the dialog image on what needs to be installed: +Your `cni-conf.json` should look as follows: -![OVN OVS Windows Installer](OVN_OVS_Windows_Installer.png) -For an unattended installation please use the following command: ``` -cmd /c 'msiexec /i openvswitch.msi ADDLOCAL="OpenvSwitchCLI,OpenvSwitchDriver,OVNHost" /qn' +cni-conf.json: | + { + "name": "vxlan0", + "plugins": [ + { + "type": "flannel", + "delegate": { + "hairpinMode": true, + "isDefaultGateway": true + } + }, + { + "type": "portmap", + "capabilities": { + "portMappings": true + } + } + ] + } + ``` -The installer propagates new environment variables. Please open a new command shell or logoff/logon to ensure the environment variables are refreshed. -For overlay, OVS on Windows requires a transparent docker network to function properly. Please use the following to create a transparent docker network which will be used by OVS. From powershell: + +1. 
Apply the Flannel yaml and Validate + +Let's apply the Flannel configuration: + + ``` -docker network create -d transparent --gateway $GATEWAY_IP --subnet $SUBNET ` - -o com.docker.network.windowsshim.interface="$INTERFACE_ALIAS" external +kubectl apply -f kube-flannel.yml ``` -Where $SUBNET is the minion subnet which will be used to spawn pods on (the one which will be used by kubernetes), $GATEWAY_IP is the first IP of the $SUBNET and $INTERFACE_ALIAS is the interface used for creating the overlay tunnels (must have connectivity with the rests of the OVN hosts). -Example: + + +Next, since the Flannel pods are Linux-based, apply a NodeSelector patch, which can be found [here](https://github.com/Microsoft/SDN/blob/1d5c055bb195fecba07ad094d2d7c18c188f9d2d/Kubernetes/flannel/l2bridge/manifests/node-selector-patch.yml), to the Flannel DaemonSet pod: + + ``` -docker network create -d transparent --gateway 10.0.1.1 --subnet 10.0.1.0/24 ` - -o com.docker.network.windowsshim.interface="Ethernet0" external + kubectl patch ds/kube-flannel-ds-amd64 --patch "$(cat node-selector-patch.yml)" -n=kube-system ``` -After creating the docker network please run the next commands from powershell. (creates an OVS bridge, adds the interface under the bridge and enables the OVS forwarding switch extension) + + +After a few minutes, you should see all the pods as running if the Flannel pod network was deployed. 
+ + ``` -$a = Get-NetAdapter | where Name -Match HNSTransparent -Rename-NetAdapter $a[0].Name -NewName HNSTransparent -Stop-Service ovs-vswitchd -force; Disable-VMSwitchExtension "Cloudbase Open vSwitch Extension"; -ovs-vsctl --no-wait del-br br-ex -ovs-vsctl --no-wait --may-exist add-br br-ex -ovs-vsctl --no-wait add-port br-ex HNSTransparent -- set interface HNSTransparent type=internal -ovs-vsctl --no-wait add-port br-ex $INTERFACE_ALIAS -Enable-VMSwitchExtension "Cloudbase Open vSwitch Extension"; sleep 2; Restart-Service ovs-vswitchd +kubectl get pods --all-namespaces ``` -Besides of the above, setting up a Windows host is the same as the Linux host. Follow the steps from [here](https://github.com/openvswitch/ovn-kubernetes#k8s-minion-node-initializations). -**Windows CNI Setup** -Today, Windows OVN&OVS CNI plugin is based on ovn_cni.exe which can be downloaded from [here](https://cloudbase.it/downloads/ovn_cni.exe). A sample of CNI config file is the following: + + +

>>>>> gd2md-html alert: inline image link here (to images/Running-Windows0.png). Store image on your image server and adjust path/filename if necessary.
(Back to top)(Next alert)
>>>>>

+ + +![alt_text](images/Running-Windows0.png "image_tooltip") + + +Verify that the Flannel DaemonSet has the NodeSelector applied. + + ``` -{ - "name": "net", - "type": "ovn_cni.exe", - "bridge": "br-int", - "isGateway": "true", - "ipMasq": "false", - "ipam": { - "type": "host-local", - "subnet": "$SUBNET" - } -} +kubectl get ds -n kube-system ``` -Where $SUBNET is the subnet that was used in the previous ```docker network create``` command. -For a complete guide on Google Cloud Platform (GCP), namely Google Compute Engine (GCE) visit [this](https://github.com/apprenda/kubernetes-ovn-heterogeneous-cluster#heterogeneous-kubernetes-cluster-on-top-of-ovn). -For a complete guide on Amazon Web Services (AWS) visit [this](https://github.com/justeat/kubernetes-windows-aws-ovs#kubernetes-on-windows-in-aws-using-ovn). -## Starting the Cluster -To start your cluster, you'll need to start both the Linux-based Kubernetes control plane, and the Windows Server-based Kubernetes node components (kubelet and kube-proxy). For the OVS & OVN only the kubelet is required. -## Starting the Linux-based Control Plane -Use your preferred method to start Kubernetes cluster on Linux. Please note that Cluster CIDR might need to be updated. +

>>>>> gd2md-html alert: inline image link here (to images/Running-Windows1.png). Store image on your image server and adjust path/filename if necessary.
(Back to top)(Next alert)
>>>>>

-## Support for kubeadm join -If your cluster has been created by [kubeadm](https://kubernetes.io/docs/setup/independent/create-cluster-kubeadm/), -and your networking is setup correctly using one of the methods listed above (networking is setup outside of kubeadm), you can use kubeadm to add a Windows node to your cluster. At a high level, you first have to initialize the master with kubeadm (Linux), then set up the CNI based networking (outside of kubeadm), and finally start joining Windows or Linux worker nodes to the cluster. For additional documentation and reference material, visit the kubeadm link above. +![alt_text](images/Running-Windows1.png "image_tooltip") -The kubeadm binary can be found at [Kubernetes Releases](https://github.com/kubernetes/kubernetes/releases), inside the node binaries archive. Adding a Windows node is not any different than adding a Linux node: -`kubeadm.exe join --token : --discovery-token-ca-cert-hash sha256:` -See [joining-your-nodes](https://kubernetes.io/docs/setup/independent/create-cluster-kubeadm/#joining-your-nodes) for more details. +### Join Windows Worker -## Supported Features +In this section we'll cover configuring a Windows node from scratch to join a cluster on-prem. If your cluster is on a cloud you'll likely want to follow the cloud specific guides in the next section. -The examples listed below assume running Windows nodes on Windows Server 1709. If you are running Windows Server 2016, the examples will need the image updated to specify `image: microsoft/windowsservercore:ltsc2016`. This is due to the requirement for container images to match the host operating system version when using process isolation. Not specifying a tag will implicitly use the `:latest` tag which can lead to surprising behaviors. Please consult with [https://hub.docker.com/r/microsoft/windowsservercore/](https://hub.docker.com/r/microsoft/windowsservercore/) for additional information on Windows Server Core image tagging. 
-### Scheduling Pods on Windows -Because your cluster has both Linux and Windows nodes, you must explicitly set the `nodeSelector` constraint to be able to schedule pods to Windows nodes. You must set nodeSelector with the label `beta.kubernetes.io/os` to the value `windows`; see the following example: +#### Preparing a Windows Node -{{< codenew file="windows/simple-pod.yaml" >}} +Note: All code snippets in Windows sections are to be run in a PowerShell environment with elevated permissions (Admin). + + + +1. Install Docker (requires a system reboot) + +Kubernetes uses [Docker](https://www.docker.com/) as its container engine, so we need to install it. You can follow the [official Docs instructions](https://docs.microsoft.com/en-us/virtualization/windowscontainers/manage-docker/configure-docker-daemon#install-docker), the [Docker instructions](https://store.docker.com/editions/enterprise/docker-ee-server-windows), or try these steps: + + +``` +PS C:\Users\Administrator\Install-Module -Name DockerMsftProvider -Repository PSGallery -Force +PS C:\Users\Administrator\Install-Package -Name Docker -ProviderName DockerMsftProvider +PS C:\Users\Administrator\Restart-Computer -Force +``` + + +If you are behind a proxy, the following PowerShell environment variables must be defined: + + +``` +[Environment]::SetEnvironmentVariable("HTTP_PROXY", "http://proxy.example.com:80/", [EnvironmentVariableTarget]::Machine) +[Environment]::SetEnvironmentVariable("HTTPS_PROXY", "http://proxy.example.com:443/", [EnvironmentVariableTarget]::Machine) +``` + + +If after reboot you may see the following error: + + + +

>>>>> gd2md-html alert: inline image link here (to images/Running-Windows2.png). Store image on your image server and adjust path/filename if necessary.
(Back to top)(Next alert)
>>>>>

+ + +![alt_text](images/Running-Windows2.png "image_tooltip") + + +If so then you need to restart the docker service manually: + + +``` +Start-Service docker +``` + + +Note: the "pause" (infrastructure) image is on Microsoft Container Registry (MCR) and the DOCKERFILE is available at [https://github.com/Microsoft/SDN/blob/master/Kubernetes/windows/Dockerfile](https://github.com/Microsoft/SDN/blob/master/Kubernetes/windows/Dockerfile) + + +``` +docker pull mcr.microsoft.com/k8s/core/pause:1.0.0 + +``` + + + +2. Prepare a Windows directory for Kubernetes + +Create a "Kubernetes for Windows" directory to store Kubernetes binaries as well as any deployment scripts and config files. + + +``` +mkdir c:\k + +``` + + + +3. Copy Kubernetes certificate + +Copy the Kubernetes certificate file (`$HOME/.kube/config`) [from Linux controller](https://docs.microsoft.com/en-us/virtualization/windowscontainers/kubernetes/creating-a-linux-master#collect-cluster-information) to this new `C:\k` directory on your Windows node. + +Tip: You can use tools such as [xcopy](https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/xcopy) or [WinSCP](https://winscp.net/eng/download.php) to transfer the config file between nodes. -{{< note >}} -This example assumes you are running on Windows Server 1709, so uses the image tag to support that. If you are on a different version, you will need to update the tag. For example, if on Windows Server 2016, update to use `"image": "microsoft/iis"` which will default to that OS version. -{{< /note >}} -### Secrets and ConfigMaps -Secrets and ConfigMaps can be utilized in Windows Server Containers, but must be used as environment variables. See limitations section below for additional details. -**Examples:** +4. Download Kubernetes binaries -Windows pod with secrets mapped to environment variables +To be able to run Kubernetes, you first need to download the `kubectl`, `kubelet`, and `kube-proxy` binaries. 
You can download these from the links in the CHANGELOG.md file of the [latest releases](https://github.com/kubernetes/kubernetes/releases/). -{{< codenew file="windows/secret-pod.yaml" >}} +Use the [Expand-Archive](https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.archive/expand-archive?view=powershell-6) PowerShell command to extract the archive and place the binaries into `C:\k`. -Windows Pod with configMap values mapped to environment variables -{{< codenew file="windows/configmap-pod.yaml" >}} +#### Join the Windows node to the Flannel cluster -### Volumes -Some supported Volume Mounts are local, emptyDir, hostPath. One thing to remember is that paths must either be escaped, or use forward slashes, for example `mountPath: "C:\\etc\\foo"` or `mountPath: "C:/etc/foo"`. +The Flannel overlay deployment scripts and documentation are available in [this repository](https://github.com/Microsoft/SDN/tree/master/Kubernetes/flannel/overlay). The following steps are a simple walkthrough of the more comprehensive instructions available there. -Persistent Volume Claims are supported for supported volume types. +Download the [Flannel start.ps1](https://github.com/Microsoft/SDN/blob/master/Kubernetes/flannel/start.ps1) script, the contents of which should be extracted to `C:\k`: -**Examples:** -Windows pod with a hostPath volume +``` +cd c:\k +[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 +wget https://raw.githubusercontent.com/Microsoft/SDN/master/Kubernetes/flannel/start.ps1 -o c:\k\start.ps1 +``` + + +Note: [start.ps1](https://github.com/Microsoft/SDN/blob/master/Kubernetes/flannel/start.ps1) references [install.ps1](https://github.com/Microsoft/SDN/blob/master/Kubernetes/windows/install.ps1), which will download additional files such as the `flanneld` executable and the [Dockerfile for infrastructure pod](https://github.com/Microsoft/SDN/blob/master/Kubernetes/windows/Dockerfile) and install those for you. 
For overlay networking mode, the [firewall](https://github.com/Microsoft/SDN/blob/master/Kubernetes/windows/helper.psm1#L111) will be opened for local UDP port 4789. There may be multiple powershell windows being opened/closed as well as a few seconds of network outage while the new external vSwitch for the pod network is being created the first time. Run the script using the arguments as specified below: + + +``` +.\start.ps1 -ManagementIP -NetworkMode overlay -ClusterCIDR -ServiceCIDR -KubeDnsServiceIP -LogDir + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
``` + +Parameter + Default Value + Notes +
-ManagementIP + N/A (required) + The IP address assigned to the Windows node. You can use ipconfig to find this. +
-NetworkMode + l2bridge + We're using overlay here +
-ClusterCIDR + 10.244.0.0/16 + Refer to your cluster IP plan +
-ServiceCIDR + 10.96.0.0/12 + Refer to your cluster IP plan +
-KubeDnsServiceIP + 10.96.0.10 + +
-InterfaceName + Ethernet + The name of the network interface of the Windows host. You can use ipconfig to find this. +
-LogDir + C:\k + The directory where kubelet and kube-proxy logs are redirected into their respective output files. +
+ + +Now you can view the Windows nodes in your cluster by running the following: + + +``` +kubectl get nodes +``` + + + +### ​Public Cloud Providers + + +#### Azure + +AKS-Engine can deploy a complete, customizable Kubernetes cluster with both Linux & Windows nodes. There is a step-by-step walkthrough available in the [docs on GitHub](https://github.com/Azure/aks-engine/blob/master/docs/topics/windows.md). + + +#### ​GCP + +Users can easily deploy a complete Kubernetes cluster on GCE following this step-by-step walkthrough on [GitHub](https://github.com/kubernetes/kubernetes/blob/master/cluster/gce/windows/README-GCE-Windows-kube-up.md) + + +#### ​Deployment with kubeadm and cluster API + +Kubeadm is becoming the de facto standard for users to deploy a Kubernetes cluster. Windows node support in kubeadm will come in a future release. We are also making investments in cluster API to ensure Windows nodes are properly provisioned. + + +#### Next Steps + +Now that you've configured a Windows worker in your cluster to run Windows containers you may want to add one or more Linux nodes as well to run Linux containers. Now you're ready to proceed to the next step to schedule Windows containers on your cluster. + + +# User Guide: Running Windows containers in Kubernetes + + +## Objectives + + + +* Configure a deployment to run Windows containers on the Windows node +* (Optional) Configure Windows service identity using Group Managed Service Accounts (gMSA) + + +## Before you begin + + + +* Create a Kubernetes cluster that includes a master and a worker node running Windows Server +* It is important to note that creating and deploying services and workloads on Kubernetes behaves in much the same way for Linux and Windows containers. [Kubectl commands](https://kubernetes.io/docs/reference/kubectl/overview/) to interface with the cluster are identical. The example in the section below is provided simply to jumpstart your experience with Windows containers. 
+ + +## ​Getting Started: Deploying a Windows Container + + + +1. Create a simple webserver example: + +Create a service spec `win-webserver.yaml` with the contents below: [TODO create this as a file in the docs folder and add a link] + + +``` +apiVersion: v1 +kind: Service +metadata: + name: win-webserver + labels: + app: win-webserver +spec: + ports: + # the port that this service should serve on + - port: 80 + targetPort: 80 + selector: + app: win-webserver + type: NodePort +--- +apiVersion: extensions/v1beta1 +kind: Deployment +metadata: + labels: + app: win-webserver + name: win-webserver +spec: + replicas: 2 + template: + metadata: + labels: + app: win-webserver + name: win-webserver + spec: + containers: + - name: windowswebserver + image: mcr.microsoft.com/windows/servercore:ltsc2019 + command: + - powershell.exe + - -command + - "<#code used from https://gist.github.com/wagnerandrade/5424431#> ; $$listener = New-Object System.Net.HttpListener ; $$listener.Prefixes.Add('http://*:80/') ; $$listener.Start() ; $$callerCounts = @{} ; Write-Host('Listening at http://*:80/') ; while ($$listener.IsListening) { ;$$context = $$listener.GetContext() ;$$requestUrl = $$context.Request.Url ;$$clientIP = $$context.Request.RemoteEndPoint.Address ;$$response = $$context.Response ;Write-Host '' ;Write-Host('> {0}' -f $$requestUrl) ; ;$$count = 1 ;$$k=$$callerCounts.Get_Item($$clientIP) ;if ($$k -ne $$null) { $$count += $$k } ;$$callerCounts.Set_Item($$clientIP, $$count) ;$$ip=(Get-NetAdapter | Get-NetIpAddress); $$header='

Windows Container Web Server

' ;$$callerCountsString='' ;$$callerCounts.Keys | % { $$callerCountsString+='

IP {0} callerCount {1} ' -f $$ip[1].IPAddress,$$callerCounts.Item($$_) } ;$$footer='' ;$$content='{0}{1}{2}' -f $$header,$$callerCountsString,$$footer ;Write-Output $$content ;$$buffer = [System.Text.Encoding]::UTF8.GetBytes($$content) ;$$response.ContentLength64 = $$buffer.Length ;$$response.OutputStream.Write($$buffer, 0, $$buffer.Length) ;$$response.Close() ;$$responseStatus = $$response.StatusCode ;Write-Host('< {0}' -f $$responseStatus) } ; " + nodeSelector: + beta.kubernetes.io/os: windows +``` + + +Note: Port mapping is also supported, but for simplicity in this example the container port 80 is exposed directly to the service. + + + +2. Check that all nodes are healthy: + + ``` + kubectl get nodes + ``` + + +3. Deploy the service and watch for pod updates: + + ``` + kubectl apply -f win-webserver.yaml + + kubectl get pods -o wide -w + When the service is deployed correctly both Pods will be marked as Ready. To exit the watch command, press Ctrl+C. + + ``` + + + +4. Check that the deployment succeeded. 
To verify: + * Two containers per pod on the Windows node, use `docker ps` + * Two pods listed from the Linux master, use `kubectl get pods` + * Node-to-pod communication across the network, `curl` port 80 of your pod IPs from the Linux master to check for a web server response + * Pod-to-pod communication, ping between pods (and across hosts, if you have more than one Windows node) using docker exec or kubectl exec + * Service-to-pod communication, `curl` the virtual service IP (seen under `kubectl get services`) from the Linux master and from individual pods + * Service discovery, `curl` the service name with the Kubernetes[ default DNS suffix](https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#services) + * Inbound connectivity, `curl` the NodePort from the Linux master or machines outside of the cluster + * Outbound connectivity, `curl` external IPs from inside the pod using kubectl exec + +**Note: **Windows _container hosts_ are not able to access the IP of services scheduled on them due to current platform limitations of the Windows networking stack. Only Windows _pods_ are able to access service IPs. + + +## Managing Workload Identity with Group Managed Service Accounts + +Starting with Kubernetes v1.14, Windows container workloads can be configured to use Group Managed Service Accounts (GMSA). Group Managed Service Accounts are a specific type of Active Directory account that provides automatic password management, simplified service principal name (SPN) management, and the ability to delegate the management to other administrators across multiple servers. Containers configured with a GMSA can access external Active Directory Domain resources while carrying the identity configured with the GMSA. Learn more about configuring and using GMSA for Windows containers [here](https://kubernetes.io/docs/concepts/configuration/workload-identity/). + + +### Taints and Tolerations + + +## ​Secrets Management + + + +1. 
Create a secret by following the[ standard directions](https://kubernetes.io/docs/tasks/inject-data-application/distribute-credentials-secure/#create-a-secret) +2. Configure your pod to receive the secret via an environment variable. + + `--- \ +apiVersion: v1 \ +kind: Pod \ +metadata: \ + name: secret-envars-test-pod \ +spec: \ + containers: \ + - name: envars-test-container \ + image: microsoft/windowsservercore:ltsc2019 \ + imagePullPolicy: Never \ + command: \ + - ping \ + - -t \ + - localhost \ + env: \ + - name: SECRET_USERNAME \ + valueFrom: \ + secretKeyRef: \ + name: test-secret \ + key: username \ + - name: SECRET_PASSWORD \ + valueFrom: \ + secretKeyRef: \ + name: test-secret \ + key: password` \ + + +3. Deploy the pod and verify that it is running: + + +``` +kubectl create -f https://k8s.io/docs/getting-started-guides/windows/secret-pod.yaml +kubectl get pod secret-envars-test-pod + +``` + + + +1. Open a shell into the container running the pod: + + +``` +kubectl exec -it secret-envars-test-pod -- powershell + +``` + + + +1. See that the secret is in the environment variable: + + +``` +echo $env:SECRET_USERNAME $env:SECRET_PASSWORD +``` + + +You should see the output:` \ +my-app \ +39528$vdg7Jb` + + +# ​Getting Help and Troubleshooting + + + +1. How do I know start.ps1 on Windows completed successfully? + +You should see kubelet, kube-proxy, and (if you chose Flannel as your networking solution) flanneld host-agent processes running on your node, with running logs being displayed in separate PoSh windows. In addition to this, your Windows node should be listed as "Ready" in your Kubernetes cluster. + + + +2. Can I configure the Kubernetes node processes as in the background? + 1. As native Windows Services + +Kubelet & kube-proxy can be run as native [Windows Services](https://kubernetes.io/docs/getting-started-guides/windows/#kubelet-and-kube-proxy-can-now-run-as-windows-services). 
See [Windows Services on Kubernetes](https://docs.microsoft.com/en-us/virtualization/windowscontainers/kubernetes/kube-windows-services) for example steps. [TO DO create a section for setting up as Windows Services] + + + + 2. Using nssm.exe + +You can also always use alternative service managers like [nssm.exe](https://nssm.cc/) to always run these processes (flanneld, kubelet & kube-proxy) in the background for you. For initial troubleshooting, you can use the following flags in [nssm.exe](https://nssm.cc/) to redirect stdout and stderr to a output file: + + +``` +nssm set AppStdout C:\k\mysvc.log +nssm set AppStderr C:\k\mysvc.log +``` + + +For additional details, see official [nssm usage](https://nssm.cc/usage) docs. -{{< codenew file="windows/hostpath-volume-pod.yaml" >}} -Windows pod with multiple emptyDir volumes -{{< codenew file="windows/emptydir-pod.yaml" >}} +3. My Windows Pods do not have network connectivity -### DaemonSets +If you are using virtual machines, ensure that MAC spoofing is enabled on all the VM network adapter(s). -DaemonSets are supported -{{< codenew file="windows/daemonset.yaml" >}} -### Metrics +4. My Windows Pods cannot ping external resources -Windows Stats use a hybrid model: pod and container level stats come from CRI (via dockershim), while node level stats come from the "winstats" package that exports cadvisor like data structures using windows specific perf counters from the node. +Windows pods do not have outbound rules programmed for the ICMP protocol today. However, TCP/UDP is supported. When trying to demonstrate connectivity to resources outside of the cluster, please substitute `ping ` with corresponding `curl ` commands. \ + \ +If you are still facing problems, most likely your network configuration in [cni.conf](https://github.com/Microsoft/SDN/blob/master/Kubernetes/flannel/l2bridge/cni/config/cni.conf) deserves some extra attention. 
You can always edit this static file, the configuration will be applied to any newly created Kubernetes resources. \ + \ +One of the Kubernetes networking requirements (see [Kubernetes model](https://kubernetes.io/docs/concepts/cluster-administration/networking/)) is for cluster communication to occur without NAT internally. To honor this requirement, there is an [ExceptionList](https://github.com/Microsoft/SDN/blob/master/Kubernetes/flannel/l2bridge/cni/config/cni.conf#L20) for all the communication where we do not want outbound NAT to occur. However, this also means that you need to exclude the external IP you are trying to query from the ExceptionList. Only then will the traffic originating from your Windows pods be SNAT'ed correctly to receive a response from the outside world. In this regard, your ExceptionList in `cni.conf` should look as follows: -### Container Resources -Container resources (CPU and memory) could be set now for windows containers in v1.10. +``` +"ExceptionList": [ + "10.244.0.0/16", # Cluster subnet + "10.96.0.0/12", # Service subnet + "10.127.130.0/24" # Management (host) subnet + ] + +``` + -{{< codenew file="windows/deploy-resource.yaml" >}} -### Hyper-V Containers +5. My Windows node cannot access NodePort service -Hyper-V containers are supported as experimental in v1.10. To create a Hyper-V container, kubelet should be started with feature gates `HyperVContainer=true` and Pod should include annotation `experimental.windows.kubernetes.io/isolation-type=hyperv`. +Local NodePort access from the node itself will fail. This is a known limitation. NodePort access will work from other nodes or external clients. -{{< codenew file="windows/deploy-hyperv.yaml" >}} -### Kubelet and kube-proxy can now run as Windows services -Starting with kubernetes v1.11, kubelet and kube-proxy can run as Windows services. +6. vNICs and HNS endpoints of containers are being deleted -This means that you can now register them as Windows services via `sc` command. 
More details about how to create Windows services with `sc` can be found [here](https://support.microsoft.com/en-us/help/251192/how-to-create-a-windows-service-by-using-sc-exe). +This issue can be caused when the `hostname-override` parameter is not passed to [kube-proxy](https://kubernetes.io/docs/reference/command-line-tools-reference/kube-proxy/). To resolve it, users need to pass the hostname to kube-proxy as follows: -**Examples:** -To create the service: ``` -PS > sc.exe create binPath= " --windows-service " -CMD > sc create binPath= " --windows-service " +C:\k\kube-proxy.exe --hostname-override=$(hostname) + ``` -Please note that if the arguments contain spaces, it must be escaped. Example: + + + +7. With flannel my nodes are having issues after rejoining a cluster + +Whenever a previously deleted node is being rejoined to the cluster, flannelD will try to assign a new pod subnet to the node. Users should remove the old pod subnet configuration files in the following paths: + + ``` -PS > sc.exe create kubelet binPath= "C:\kubelet.exe --windows-service --hostname-override 'minion' " -CMD > sc create kubelet binPath= "C:\kubelet.exe --windows-service --hostname-override 'minion' " +Remove-Item C:\k\SourceVip.json +Remove-Item C:\k\SourceVipRequest.json + ``` -To start the service: + + + +8. After launching `start.ps1`, flanneld is stuck in "Waiting for the Network to be created" + +There are numerous reports of this issue which are being investigated; most likely it is a timing issue for when the management IP of the flannel network is set. A workaround is to simply relaunch start.ps1 or relaunch it manually as follows: + + ``` -PS > Start-Service kubelet; Start-Service kube-proxy -CMD > net start kubelet && net start kube-proxy +PS C:> [Environment]::SetEnvironmentVariable("NODE_NAME", "") +PS C:> C:\flannel\flanneld.exe --kubeconfig-file=c:\k\config --iface= --ip-masq=1 --kube-subnet-mgr=1 + ``` -To stop the service: + + + +9. 
My Windows Pods cannot launch because of missing `/run/flannel/subnet.env` + +This indicates that Flannel didn't launch correctly. You can either try to restart flanneld.exe or you can copy the files over manually from `/run/flannel/subnet.env` on the Kubernetes master to` C:\run\flannel\subnet.env` on the Windows worker node and modify the `FLANNEL_SUBNET` row to a different number. For example, if node subnet 10.244.4.1/24 is desired: + + ``` -PS > Stop-Service kubelet (-Force); Stop-Service kube-proxy (-Force) -CMD > net stop kubelet && net stop kube-proxy +FLANNEL_NETWORK=10.244.0.0/16 +FLANNEL_SUBNET=10.244.4.1/24 +FLANNEL_MTU=1500 +FLANNEL_IPMASQ=true + ``` -To query the service: + + + +10. My Windows node cannot access my services using the service IP + +This is a known limitation of the current networking stack on Windows. Windows pods are able to access the service IP however. + + + +11. No network adapter is found when starting kubelet + +The Windows networking stack needs a virtual adapter for Kubernetes networking to work. If the following commands return no results (in an admin shell), virtual network creation — a necessary prerequisite for Kubelet to work — has failed: + + ``` -PS > Get-Service kubelet; Get-Service kube-proxy; -CMD > sc.exe queryex kubelet && sc qc kubelet && sc.exe queryex kube-proxy && sc.exe qc kube-proxy +Get-HnsNetwork | ? Name -ieq "cbr0" +Get-NetAdapter | ? Name -Like "vEthernet (Ethernet*" ``` -## Known Limitations for Windows Server Containers with v1.9 -Some of these limitations will be addressed by the community in future releases of Kubernetes: +Often it is worthwhile to modify the [InterfaceName](https://github.com/Microsoft/SDN/blob/master/Kubernetes/flannel/l2bridge/start.ps1#L6) parameter of the start.ps1 script, in cases where the host's network adapter isn't "Ethernet". Otherwise, consult the output of the `start-kubelet.ps1` script to see if there are errors during virtual network creation. + + + +12. 
My Pods are stuck at "Container Creating" or restarting over and over + +Check that your pause image is compatible with your OS version. The [instructions](https://docs.microsoft.com/en-us/virtualization/windowscontainers/kubernetes/deploying-resources) assume that both the OS and the containers are version 1803. If you have a later version of Windows, such as an Insider build, you will need to adjust the images accordingly. Please refer to the Microsoft's [Docker repository](https://hub.docker.com/u/microsoft/) for images. Regardless, both the pause image Dockerfile and the sample service will expect the image to be tagged as :latest. + +If these steps don't resolve your problem, you can get help running Windows Containers on Windows nodes in Kubernetes through: + + + +* StackOverflow [Windows Server Container](https://stackoverflow.com/questions/tagged/windows-server-container) topic +* Kubernetes Official Forum [discuss.kubernetes.io](https://discuss.kubernetes.io/) +* Kubernetes Slack [#SIG-Windows Channel](https://kubernetes.slack.com/messages/C0SJ4AFB7) + + +### Bugs and Feature Requests + +If you have what looks like a bug, or you would like to make a feature request, please use the [Github issue tracking system](https://github.com/kubernetes/kubernetes/issues). + +Before you file an issue, please search existing issues to see if your issue is already covered. + +If filing a bug, please include detailed information about how to reproduce the problem, such as: + + + +* Kubernetes version: kubectl version +* Cloud provider, OS distro, network configuration, and Docker version +* Steps to reproduce the problem +* Tag the issue sig/windows to bring it to the Windows Special Interest Group member attention + + +# Roadmap + +We have a lot of features in our roadmap. + + +### CRI-ContainerD + +ContainerD is another OCI-compliant runtime that recently graduated as a CNCF project. It's currently tested on Linux, but 1.3 will bring support for Windows and Hyper-V. 
[[reference](https://blog.docker.com/2019/02/containerd-graduates-within-the-cncf/)] + +The CRI-ContainerD interface will be able to manage sandboxes based on Hyper-V. This provides a foundation where RuntimeClasses could be implemented for new use cases including: + + + +* Hypervisor-based isolation between pods for additional security +* Backwards compatibility allowing a node to run a newer Windows Server version without requiring containers to be rebuilt +* Specific CPU/NUMA settings for a pod +* Memory isolation and reservations + + +### Deployment with kubeadm and cluster API + +Kubeadm is becoming the de facto standard for users to deploy a Kubernetes cluster. Windows node support in kubeadm will come in a future release. We are also making investments in cluster API to ensure Windows nodes are properly provisioned. + + +# Document 2: Windows Node contribution specifics + +[https://contributor.kubernetes.io/contributors/guide/](https://contributor.kubernetes.io/contributors/guide/) Under Contributing section + + +## Joining the SIG-Windows Mailing List and Slack Channel + +The best way to get in contact with the contributors working on Windows support is through the Kubernetes Slack. To get a Slack invite, visit [http://slack.k8s.io/](http://slack.k8s.io/) . Once you're logged in, join us in the [#SIG-Windows](https://kubernetes.slack.com/messages/C0SJ4AFB7) channel. + +To get access to shared documents, meeting calendar, and additional discussions, be sure to also join the [SIG-Windows Google Group](https://groups.google.com/forum/#!forum/kubernetes-sig-windows). + + +## Building Kubernetes for Windows from Source + +The Kubernetes build scripts have not been ported to Windows, so it's best to run in a Linux VM where you can run the same Docker container used in the official Kubernetes builds. This simplifies the steps, but means that you cannot build under Windows Subsystem for Linux (WSL). 
+ +It's best to skim over the [Building Kubernetes](https://github.com/kubernetes/kubernetes/blob/master/build/README.md) guide if you have never built Kubernetes before to get the latest info. These steps are a summary focused on cross-building the Windows node binaries (kubelet & kube-proxy). + + +### ​Build Prerequisites + +At least 60GB of disk space is required, and 16GB of memory (or memory + swap). + +Once you have a VM, install Git, [Docker-CE](https://docs.docker.com/install/), and make. The build scripts will pull a Docker container with the required version of golang and other needed tools preinstalled. + +If you're using Ubuntu, then install the following packages: git, build-essential, [Docker-CE](https://docs.docker.com/install/linux/docker-ce/ubuntu/). + + +### ​Pulling a PR (optional) + +If there is a PR you would like to build, it's easy. You can create a working branch, pull the changes from GitHub in a patch, apply, then build. + +The examples here are based off a patch on GitHub: [https://github.com/kubernetes/kubernetes/pull/74788](https://github.com/kubernetes/kubernetes/pull/74788) . Be sure to replace the URL with the PR you want to test. + +First, make sure your local clone is up-to-date with master: `git checkout master ; git pull master` + +Next, create a branch in your repo: `git checkout -b pr74788` + +Now, get the patch for the PR you want. Append .patch to the URL, and download it with curl: `curl -L -o pr74788.patch https://github.com/kubernetes/kubernetes/pull/74788.patch` + +Merge it with ``patch -p1 < pr74788.patch`` + +If there are errors, fix them as needed. Once you're done, delete the .patch file and then `git commit` the rest to your local branch. 
+ + +### Building Kubernetes binaries for Windows + +You can build individual components such as kubelet, kube-proxy, or kubectl by running `./build/run.sh make KUBE_BUILD_PLATFORMS=windows/amd64` such as `./build/run.sh make kubelet KUBE_BUILD_PLATFORMS=windows/amd64` + +If you would like to build all binaries at once, then run `./build/run.sh make cross KUBE_BUILD_PLATFORMS=windows/amd64` + +Once the build completes, the files will be in _output/dockerized/bin. + + +## Running Your Own Cluster + + +## Testing Your Changes + + +### Updating the Node binaries + +Once you have binaries built (see Building Kubernetes binaries for Windows), the easiest way to test them is to replace them on an existing cluster. Use the steps above to build a cluster in your cloud of choice. To update the binaries on an existing node, follow these steps: + + + +1. Drain & cordon a node with `kubectl drain ` +2. Connect to the node with SSH or Windows Remote Desktop, and start PowerShell +3. On the node, run `Stop-Service kubelet -Force` +4. Copy kubelet.exe and kube-proxy.exe to a cloud storage account, or use SSH to copy them directly to the node. +5. Overwrite the existing kubelet & kube-proxy binaries. If you don't know where they are, run `sc.exe qc kubelet` or `sc.exe qc kube-proxy` and look at the BINARY_PATH_NAME returned. +6. Start the updated kubelet & kube-proxy with `Start-Service kubelet` + + +### ​Running Tests + +For the most up-to-date steps on how to build and run tests, please go to [https://github.com/kubernetes-sigs/windows-testing](https://github.com/kubernetes-sigs/windows-testing) . It has everything you need to build and run tests, as well as links to the SIG-Windows configurations used on [TestGrid](https://testgrid.k8s.io/sig-windows). + + +## Reporting Issues + + +### Gathering Logs + +Gathering trouble shooting info for CNI. 
[https://github.com/kubernetes/kubernetes/issues/74766#issuecomment-468736127](https://github.com/kubernetes/kubernetes/issues/74766#issuecomment-468736127) + +On the node before creating the pod for the first time. + +start-birstranfer [https://raw.githubusercontent.com/Microsoft/SDN/master/Kubernetes/windows/debug/collectlogs.ps1](https://raw.githubusercontent.com/Microsoft/SDN/master/Kubernetes/windows/debug/collectlogs.ps1) + +run collectlogs.ps1 + +then start the trace by running the following command + +C:\k\debug\starthnstrace.cmd + +repro the issue -- Shared network namespace (compartment) with multiple Windows Server containers (shared kernel) per pod is only supported on Windows Server 1709 or later -- Using Secrets and ConfigMaps as volume mounts is not supported -- Mount propagation is not supported on Windows -- The StatefulSet functionality for stateful applications is not supported -- Horizontal Pod Autoscaling for Windows Server Container pods has not been verified to work end-to-end -- Hyper-V isolated containers are not supported. -- Windows container OS must match the Host OS. If it does not, the pod will get stuck in a crash loop. -- Under the networking models of L3 or Host GW, Kubernetes Services are inaccessible to Windows nodes due to a Windows issue. This is not an issue if using OVN/OVS for networking. -- Windows kubelet.exe may fail to start when running on Windows Server under VMware Fusion [issue 57110](https://github.com/kubernetes/kubernetes/pull/57124) -- Flannel and Weavenet are not yet supported -- Some .Net Core applications expect environment variables with a colon (`:`) in the name. Kubernetes currently does not allow this. Replace colon (`:`) with double underscore (`__`) as documented [here](https://docs.microsoft.com/en-us/aspnet/core/fundamentals/configuration/?tabs=basicconfiguration#configuration-by-environment). 
-- As cgroups are not supported on windows, kubelet.exe should be started with the following additional arguments `--cgroups-per-qos=false --enforce-node-allocatable=""` [issue 61716](https://github.com/kubernetes/kubernetes/issues/61716) +run "netsh trace stop" -## Next steps and resources +then do again collectlogs.ps1 -- Support for Windows is in Beta as of v1.9 and your feedback is welcome. For information on getting involved, please head to [SIG-Windows](https://github.com/kubernetes/community/blob/master/sig-windows/README.md) -- Troubleshooting and Common Problems: [Link](https://docs.microsoft.com/en-us/virtualization/windowscontainers/kubernetes/common-problems) +and send us both before and after collectlogs.ps1 and C:\server.etl \ No newline at end of file From 0e14aa5bf0a3524e3b7181b567d6cbc9da156bb7 Mon Sep 17 00:00:00 2001 From: Craig Peters Date: Tue, 12 Mar 2019 15:32:47 -0700 Subject: [PATCH 03/32] simplifyig --- .../getting-started-guides/windows/_index.md | 1367 ----------------- 1 file changed, 1367 deletions(-) diff --git a/content/en/docs/getting-started-guides/windows/_index.md b/content/en/docs/getting-started-guides/windows/_index.md index 8e7ead5936117..e26f6ad8bbdac 100644 --- a/content/en/docs/getting-started-guides/windows/_index.md +++ b/content/en/docs/getting-started-guides/windows/_index.md 
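Review bot: the `win-webserver.yaml` example under "Getting Started: Deploying a Windows Container" will not run as written: every PowerShell variable in the `command:` carries a doubled sigil (`$$listener = New-Object System.Net.HttpListener ; $$listener.Prefixes.Add('http://*:80/')`), YAML does not unescape `$$`, and PowerShell does not treat `$$` as an escaped `$`, so the container gets a script that fails to parse. The HTML the listener returns also lost its tags in the conversion: `$$header='` is followed by a bare `Windows Container Web Server` line where the markup used to be. Restore single `$` sigils and the markup, and preferably ship the manifest as a file in the docs folder as the leftover `[TODO create this as a file in the docs folder and add a link]` says, then remove that TODO (and the `[TO DO create a section for setting up as Windows Services]` further down) from the rendered page. Same example: the Deployment uses `apiVersion: extensions/v1beta1`, which is deprecated; a page targeting v1.14 should use `apps/v1`, which also requires a `spec.selector` matching the pod labels, and the `nodeSelector` can use the GA `kubernetes.io/os` label introduced in 1.14 instead of `beta.kubernetes.io/os`. Step 3 of the deploy walkthrough has prose ("When the service is deployed correctly both Pods will be marked as Ready...") inside the code fence. In "Secrets Management" the pod spec is a backtick-quoted run with trailing `\` continuations rather than a fenced block, the numbering restarts at 1 after step 3, and `imagePullPolicy: Never` on `microsoft/windowsservercore:ltsc2019` means the pod only starts if the image is already present on the node; either state that prerequisite or drop the field. Finally, the hunk leaves empty headings (`### Taints and Tolerations`, `## Running Your Own Cluster`, `## Testing Your Changes`) and the "Gathering Logs" steps ("start-birstranfer", "repro the issue", "run \"netsh trace stop\"") read as raw notes; fill them in or cut them before this lands, since the page is live.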
@@ -11,1370 +11,3 @@ These instructions are under revision for the v1.14 release with a [tracking iss Windows applications constitute a large portion of the services and applications that run in many organizations. [Windows containers](https://aka.ms/windowscontainers) provide a modern way to encapsulate processes and package dependencies, making it easier to use DevOps practices and follow cloud native patterns for Windows applications. Kubernetes has become the defacto standard container orchestrator, and the release of Kubernetes 1.14 includes production support for scheduling Windows containers on Windows nodes in a Kubernetes cluster, enabling a vast ecosystem of Windows applications to leverage the power of Kubernetes. Enterprises with investments in Windows-based applications and Linux-based applications don't have to look for separate orchestrators to manage their workloads, leading to increased operational efficiencies across their deployments, regardless of operating system. -## ​Intro to Windows containers in Kubernetes - -To enable the orchestration of Windows containers in Kubernetes, simply include Windows nodes in your existing Linux cluster. Scheduling Windows containers in [Pods](https://kubernetes.io/docs/concepts/workloads/pods/pod-overview/) on Kubernetes is as simple and easy as scheduling Linux-based containers. - -In order to run Windows containers, your Kubernetes cluster must include multiple operating systems, with control plane nodes running Linux and workers running either Windows or Linux depending on your workload needs. Windows Server 2019 is the only Windows operating system supported, enabling [Kubernetes Node](https://github.com/kubernetes/community/blob/master/contributors/design-proposals/architecture/architecture.md#the-kubernetes-node) on Windows (including kubelet, [container runtime](https://docs.microsoft.com/en-us/virtualization/windowscontainers/deploy-containers/containerd), and kube-proxy). 
For a detailed explanation of Windows distribution channels see the [Microsoft documentation](https://docs.microsoft.com/en-us/windows-server/get-started-19/servicing-channels-19). - -NOTE: The Kubernetes control plane, including the [master components](https://kubernetes.io/docs/concepts/overview/components/), will continue to run on Linux. There are no plans have a Windows-only Kubernetes cluster. - - -## ​Supported Functionality and Limitations - - -### ​Supported Functionality - - -#### Compute - -From an API and kubectl perspective, Windows containers behave in much the same way as Linux-based containers. However, there are some notable differences in key functionality which are outlined in the limitation section. - -Let's start with the operating system version. Refer to the following table for Windows operating system support in Kubernetes. A single heterogeneous Kubernetes cluster can have both Windows and Linux worker nodes. Windows containers have to be scheduled on Windows nodes and Linux containers on Linux nodes. - - - - - - - - - - - - - - - - - - - - - -
Kubernetes version - Host OS version (Kubernetes Node) - - -
- Windows Server 1709 - Windows Server 1803 - Windows Server 1809/Windows Server 2019 -
Kubernetes v1.14 - Not Supported - Not Supported - Supported for Windows Server containers Builds 17763.* with Docker EE-basic 18.09 -
- - - - NOTE: The Windows Server Host Operating System is subject to the [Windows Server ](https://www.microsoft.com/en-us/cloud-platform/windows-server-pricing) licensing. The Windows Container images are subject to the [Supplemental License Terms for Windows containers](https://docs.microsoft.com/en-us/virtualization/windowscontainers/images-eula). - - - NOTE: Windows containers have strict compatibility rules, [where the host OS version must match the container base image OS version.](https://docs.microsoft.com/en-us/virtualization/windowscontainers/deploy-containers/version-compatibility) - -Key Kubernetes elements work the same way in Windows as they do in Linux. In this section, we will talk about some of the key workload enablers and how they map to Windows. - - - -* [Pods](https://kubernetes.io/docs/concepts/workloads/pods/pod-overview/) - - A Pod is the basic building block of Kubernetes–the smallest and simplest unit in the Kubernetes object model that you create or deploy. The following Pod capabilities, properties and events are supported with Windows containers: - - - - * Single or multiple containers per Pod with process isolation and volume sharing - * Pod status fields - * Readiness and Liveness probes - * postStart & preStop container lifecycle events - * ConfigMap, Secrets: as environment variables or volumes - * EmptyDir - * Named pipe host mounts - * Resource limits -* [Controllers](https://kubernetes.io/docs/concepts/workloads/controllers/) - - Kubernetes controllers handle the desired state of Pods. The following workload controllers are supported with Windows containers: - - * ReplicaSet - * ReplicationController - * Deployments - * StatefulSets - * DaemonSet - * Job - * CronJob -* [Services](https://kubernetes.io/docs/concepts/services-networking/service/) - - A Kubernetes Service is an abstraction which defines a logical set of Pods and a policy by which to access them - sometimes called a micro-service. 
You can use services for cross-operating system connectivity. In Windows, services can utilize the following types, properties and capabilities: - - * Service Environment variables - * NodePort - * ClusterIP - * LoadBalancer - * ExternalName - * Headless services - -Pods, Controllers and Services are critical elements to managing Windows workloads on Kubernetes. However, on their own they are not enough to enable the proper lifecycle management of Windows workloads in a dynamic cloud native environment. We added support for the following features: - - - -* Pod and container metrics -* Horizontal Pod Autoscaler support -* KubeCtl Exec -* Resource Quotas -* Scheduler preemption - - -#### Container Runtime - -Docker EE-basic 18.09 is required on Windows Server 2019 / 1809 nodes for Kubernetes. This works with the dockershim code included in the kubelet. Additional runtimes such as CRI-ContainerD may be supported in later Kubernetes versions. - - -#### Storage - -Kubernetes Volumes enable complex applications with data persistence and Pod volume sharing requirements to be deployed on Kubernetes. Kubernetes on Windows supports the following types of [volumes](https://kubernetes.io/docs/concepts/storage/volumes/): - - - -* FlexVolume out-of-tree plugin with [SMB and iSCSI ](https://github.com/Microsoft/K8s-Storage-Plugins/tree/master/flexvolume/windows)support -* [azureDisk](https://kubernetes.io/docs/concepts/storage/volumes/#azuredisk) -* [azureFile ](https://kubernetes.io/docs/concepts/storage/volumes/#azurefile) - - -#### ​Networking - -Networking for Windows containers is exposed through [CNI plugins](https://kubernetes.io/docs/concepts/extend-kubernetes/compute-storage-net/network-plugins/). Windows containers function similarly to virtual machines in regards to networking. Each container has a virtual network adapter (vNIC) which is connected to a Hyper-V virtual switch (vSwitch). 
The Host Networking Service (HNS) and the Host Compute Service (HCS) work together to create containers and attach container vNICs to networks. HCS is responsible for the management of containers whereas HNS is responsible for the management of networking resources such as: - - - -* Virtual networks (including creation of vSwitches) -* Endpoints / vNICs -* Namespaces -* Policies (Packet encapsulations, Load-balancing rules, ACLs, NAT'ing rules, etc.) - -The following service spec types are supported: - - - -* NodePort -* ClusterIP -* LoadBalancer -* ExternalName - -Windows supports five different networking drivers/modes: L2bridge, L2tunnel, Overlay, Transparent, and NAT. In a heterogeneous cluster with Windows and Linux work nodes, you need to select a networking solution that is compatible on both Windows and Linux. The following out-of-tree plugins are supported on Windows, with recommendations on when to use each CNI: - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Network Driver - Description - Container Packet Modifications - Network Plugins - Network Plugin Characteristics -
L2bridge - Containers are attached to an external vSwitch. Containers are attached to the underlay network, although the physical network doesn't need to learn the container MACs because they are rewritten on ingress/egress. Inter-container traffic is bridged inside the container host. - MAC is rewritten to host MAC, IP remains the same. - win-bridge, Azure-CNI, Flannel host-gateway uses win-bridge - win-bridge uses L2bridge network mode, connects containers to the underlay of hosts, offering best performance. Requires L2 adjacency between container hosts -
L2Tunnel - This is a special case of l2bridge, but only used on Azure. All packets are sent to the virtualization host where SDN policy is applied. - MAC rewritten, IP visible on the underlay network - Azure-CNI - Azure-CNI allows integration of containers with Azure vNET, and allows them to leverage the set of capabilities that Azure Virtual Network provides. For example, securely connect to Azure services or use Azure NSGs. See azure-cni for some examples -
Overlay (Overlay networking for Windows in Kubernetes is in alpha stage) - Containers are given a vNIC connected to an external vSwitch. Each overlay network gets its own IP subnet, defined by a custom IP prefix.The overlay network driver uses VXLAN encapsulation. - Encapsulated with an outer header, inner packet remains the same. - Win-overlay, Flannel VXLAN (uses win-overlay), -

-OVN-Kubernetes (uses OpenVSwitch on Windows - Prebuilt certified installer), requires KB4482887 -

win-overlay should be used when virtual container networks are desired to be isolated from underlay of hosts (e.g. for security reasons). Allows for IPs to be re-used for different overlay networks (which have different VNID tags) if you are restricted on IPs in your datacenter. This option may be used when the container hosts are not L2 adjacent but have L3 connectivity -
Transparent (not used in Kubernetes) - Containers are given a vNIC connected to an external vSwitch. Containers are attached to the underlay network directly and the physical network needs to learn the container MACs. - Both MAC and IP remains the same. - - Included here for completeness -
NAT (not used in Kubernetes) - Containers are given a vNIC connected to an internal vSwitch. DNS/DHCP is provided using an internal component called WinNAT - MAC and IP is rewritten to host MAC/IP. - nat - Included here for completeness -
- - -Furthermore, for simplified consumption of the win-bridge and win-overlay plugins for end-users with automated network configurations, [Flannel](https://github.com/coreos/flannel) has added support for Windows in their [meta plugin](https://github.com/containernetworking/plugins/tree/master/plugins/meta/flannel) via the [VXLAN network backend](https://github.com/coreos/flannel/blob/master/Documentation/backends.md#vxlan) (**alpha support** ; delegates to win-overlay) and [host-gateway network backend](https://github.com/coreos/flannel/blob/master/Documentation/backends.md#host-gw) (stable support; delegates to win-bridge) with the [host-local plugin](https://github.com/containernetworking/plugins/tree/master/plugins/ipam/host-local) used for IP address management and the meta CNI network plugin [flannel](https://github.com/containernetworking/plugins/tree/master/plugins/meta/flannel#windows-support-experimental) for interacting between the delegated CNI plugin (win-bridge or win-overlay) and providing the host-local IPAM the correct range from subnet.env file provisioned by the flanneld agent. - -For the node, pod, and service objects, the following network flows are supported for TCP/UDP traffic: - - - -* Pod -> Pod (IP) -* Pod -> Pod (Name) -* Pod -> Service (Cluster IP) -* Pod -> Service (PQDN, but only if there are no ".") -* Pod -> Service (FQDN) -* Pod -> External (IP) -* Pod -> External (DNS) -* Node -> Pod -* Pod -> Node - -The following IPAM options are supported on Windows: - - - -* [Host-local](https://github.com/containernetworking/plugins/tree/master/plugins/ipam/host-local) -* HNS IPAM (Inbox platform IPAM, this is a fallback when no IPAM is set) -* [Azure-vnet-ipam](https://github.com/Azure/azure-container-networking/blob/master/docs/ipam.md) (for azure-cni only) - - -### ​​​​Limitations - - -#### Control Plane - -Windows is only supported as a worker node in the Kubernetes architecture and component matrix. 
This means that a Kubernetes cluster must always include Linux master nodes, zero or more Linux worker nodes, and zero or more Windows worker nodes. - - -#### ​Compute - - -##### Resource management and process isolation - - Linux cgroups are used as a pod boundary for resource controls in Linux. Containers are created within that boundary for network, process and file system isolation. The cgroups APIs can be used to gather cpu/io/memory stats. In contrast, Windows uses a Job object per container with a system namespace filter to contain all processes in a container and provide logical isolation from the host. There is no way to run a Windows container without the namespace filtering in place. This means that system privileges cannot be asserted in the context of the host, and thus privileged containers are not available on Windows. Containers cannot assume an identity from the host because the Security Account Manager (SAM) is separate. - - -##### Operating System Restrictions - -Windows has strict compatibility rules, where the host OS version must match the container base image OS version. Only Windows containers with a container operating system of Windows Server 2019 are supported. Hyper-V isolation of containers, enabling some backward compatibility of Windows container image versions, is planned for a future release. - - -##### Feature Restrictions - - - -* TerminationGracePeriod: not implemented -* Single file mapping: to be implemented with CRI-ContainerD -* Termination message: to be implemented with CRI-ContainerD -* Privileged Containers: not currently supported in Windows containers -* HugePages -* The existing node problem detector is Linux-only and requires privileged containers. 
In general, we don't expect this to be used on Windows because privileged containers are not supported -* Not all features of shared namespaces are supported (see API section for more details) - - -##### Memory Reservations and Handling - -Windows does not have an out-of-memory process killer as Linux does. Windows always treats all user-mode memory allocations as virtual, and pagefiles are mandatory. The net effect is that Windows won't reach out of memory conditions the same way Linux does, and processes will page to disk instead of being subject to out of memory (OOM) termination. If memory is over-provisioned and all physical memory is exhausted, then paging can slow down performance. - -Keeping memory usage within reasonable bounds is possible with a two-step process. First, use the kubelet parameters `--kubelet-reserve` and/or `--system-reserve` to account for memory usage on the node (outside of containers). This will reduce [NodeAllocatable](https://kubernetes.io/docs/tasks/administer-cluster/reserve-compute-resources/#node-allocatable)). As you deploy workloads, use resource limits (must set only limits or limits must equal requests) on containers. This will also subtract from NodeAllocatable and prevent the scheduler from adding more pods once a node is full. - -A best practice to avoid over-provisioning is to configure the kubelet with a system reserved memory of at least 2GB to account for Windows, Docker, and Kubernetes processes. - -The behaviour of the flags behave differently as described below: - - - -* --kubelet-reserve, --system-reserve , and --eviction-hard flags update Node Allocatable -* Eviction by using --enforce-node-allocable is not implemented -* Eviction by using --eviction-hard and --eviction-soft are not implemented -* MemoryPressure Condition is not implemented -* There are no OOM eviction actions taken by the kubelet -* Kubelet running on the windows node does not have memory restrictions. 
--kubelet-reserve and --system-reserve do not set limits on kubelet or processes running the host. This means kubelet or a process on the host could cause memory resource starvation outside the node-allocatable and scheduler - - -#### ​Storage - -Windows has a layered filesystem driver to mount container layers and create a copy filesystem based on NTFS. All file paths in the container are resolved only within the context of that container. - - - -* Volume mounts can only target a directory in the container, and not an individual file -* Volume mounts cannot project files or directories back to the host filesystem -* Read-only filesystems are not supported because write access is always required for the Windows registry and SAM database. However, read-only volumes are supported -* Volume user-masks and permissions are not available. Because the SAM is not shared between the host & container, there's no mapping between them. All permissions are resolved within the context of the container - -As a result, the following storage functionality is not supported on Windows nodes - - - -* Windows does not support volume subpath mounts. Only the entire volume can be mounted in a Windows container. -* Subpath volume mounting for Secrets -* Host mount projection -* DefaultMode (due to UID/GID dependency) -* Read-only root filesystem. Mapped volumes still support readOnly -* Block device mapping -* Memory as the storage medium -* CSI plugins which require privileged containers -* File system features like uui/guid, per-user Linux filesystem permissions -* NFS based storage/volume support - - -#### Networking - -Windows Container Networking differs in some important ways from Linux networking. The [Microsoft documentation for Windows Container Networking](https://docs.microsoft.com/en-us/virtualization/windowscontainers/container-networking/architecture) contains additional details and background. 
- -The Windows host networking networking service and virtual switch implement namespacing and can create virtual NICs as needed for a pod or container. However, many configurations such as DNS, routes, and metrics are stored in the Windows registry database rather than /etc/... files as they are on Linux. The Windows registry for the container is separate from that of the host, so concepts like mapping /etc/resolv.conf from the host into a container don't have the same effect they would on Linux. These must be configured using Windows APIs run in the context of that container. Therefore CNI implementations need to call the HNS instead of relying on file mappings to pass network details into the pod or container. - -The following networking functionality is not supported on Windows nodes - - - -* Host networking mode is not available for Windows pods -* Local NodePort access from the node itself will fail (works for other nodes or external clients) -* Accessing service VIPs from nodes will be available with a future release of Windows Server -* Overlay networking support in kube-proxy is an alpha release. In addition, it requires [KB4482887](https://support.microsoft.com/en-us/help/4482887/windows-10-update-kb4482887) to be installed on Windows Server 2019 -* Outbound communication using the ICMP protocol via the win-overlay, win-bridge, and Azure-CNI plugin. Specifically, the Windows data plane ([VFP](https://www.microsoft.com/en-us/research/project/azure-virtual-filtering-platform/)) doesn't support ICMP packet transpositions. This means: - * ICMP packets directed to destinations within the same network (e.g. pod to pod communication via ping) will work as expected and without any limitations - * TCP/UDP packets will work as expected and without any limitations - * ICMP packets directed to pass through a remote network (e.g. 
pod to external internet communication via ping) cannot be transposed and thus will not be routed back to their source - * Since TCP/UDP packets can still be transposed, one can substitute **ping ** with **curl ** to be able to debug connectivity to the outside world. - - -##### CNI Plugins - - - -* Windows reference network plugins win-bridge and win-overlay do not currently implement [CNI spec](https://github.com/containernetworking/cni/blob/master/SPEC.md) v0.4.0 due to missing "CHECK" implementation. -* The Flannel VXLAN CNI has the following limitations on Windows: -1. Node-pod connectivity isn't possible by design. It's only possible for local pods with Flannel PR[ https://github.com/coreos/flannel/pull/1096](https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Fcoreos%2Fflannel%2Fpull%2F1096&data=02%7C01%7CDavid.Schott%40microsoft.com%7Cfa26c088fac743188e7d08d69ea3d836%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C636870823885740325&sdata=1QEvw9Gh6IioT7ruVhhXAlSgN1a%2FMsqn4ViDQSSSVjs%3D&reserved=0) -2. We are restricted to using VNI 4096 and UDP port 4789. The VNI limitation is being worked on and will be overcome (open-source flannel changes). See official [Flannel VXLAN ](https://github.com/coreos/flannel/blob/master/Documentation/backends.md#vxlan)backend docs for more details on these parameters. - - -##### DNS - - - -* ClusterFirstWithHostNet is not supported for DNS. Windows treats all names with a '.' as a FQDN and skips PQDN resolution -* On Linux, you have a DNS suffix list, which is used when trying to resolve PQDNs. On Windows, we only have 1 DNS suffix, which is the the DNS suffix associated with that pod's namespace (mydns.svc.cluster.local for example). Windows can resolve FQDNs and services or names resolvable with just that suffix. For example, a pod spawned in the default namespace, will have the DNS suffix **default.svc.cluster.local**. 
On a Windows pod, we will be able to resolve both **kubernetes.default.svc.cluster.local** and **kubernetes**, but not the in-betweens, like **kubernetes.default** or **kubernetes.default.svc**. - -Security - -Secrets are written in clear text on the node's volume (as compared to tmpfs/in-memory on linux). This means customers have to do two things - - - -1. Use file ACLs to secure the secrets file location -2. ​Use volume-level encryption using [BitLocker](https://docs.microsoft.com/en-us/windows/security/information-protection/bitlocker/bitlocker-how-to-deploy-on-windows-server) - -[RunAsUser ](https://kubernetes.io/docs/concepts/policy/pod-security-policy/#users-and-groups)is not currently supported on Windows. The workaround is to create local accounts before packaging the container. The RunAsUsername capability may be added in a future release. - -Linux specific pod security context privileges such as SELinux, AppArmor, Seccomp, Capabilities (POSIX Capabilities), and others are not supported. - -In addition, as mentioned already, privileged containers are not supported on Windows. - - -#### API - -There are no differences in how most of the Kubernetes APIs work for Windows. The subtleties around what's different come down to differences in the OS and container runtime. In certain situations, some properties on workload APIs such as Pod or Container were designed with an assumption that they are implemented on Linux, failing to run on Windows. \ - \ -At a high level, these OS concepts are different: - - - -* Identity - Linux uses userID (UID) and groupID (GID) which are represented as integer types. User and group names are not canonical - they are just an alias in /etc/groups or /etc/passwd back to UID+GID. Windows uses a larger binary security identifier (SID) which is stored in the Windows Security Access Manager (SAM) database. This database is not shared between the host and containers, or between containers. 
-* File permissions - Windows uses an access control list based on SIDs, rather than a bitmask of permissions and UID+GID -* File paths - convention on Windows is to use **\** instead of **/**. The Go IO libraries typically accept both and just make it work, but when you're setting a path or command line that's interpreted inside a container, **\** may be needed. -* Signals - Windows interactive apps handle termination differently, and can implement one or more of these: - * A UI thread will handle well-defined messages including WM_CLOSE - * Console apps will handle ctrl-c or ctrl-break using a Control Handler - * Services will register a Service Control Handler function that can accept SERVICE_CONTROL_STOP control codes - -Exit Codes follow the same convention where 0 is success, nonzero is failure. The specific error codes may differ across Windows and Linux. However, exit codes passed from the Kubernetes components (kubelet, kube-proxy) will be unchanged. - - -##### V1.Container - - - -* V1.Container.ResourceRequirements.limits.cpu and V1.Container.ResourceRequirements.limits.memory - Windows doesn't use hard limits for CPU allocations. Instead, a share system is used. The existing fields based on millicores are scaled into relative shares that are followed by the Windows scheduler. [see: kuberuntime/helpers_windows.go](https://github.com/kubernetes/kubernetes/blob/master/pkg/kubelet/kuberuntime/helpers_windows.go), [see: resource controls in Microsoft docs](https://docs.microsoft.com/en-us/virtualization/windowscontainers/manage-containers/resource-controls) - * Huge pages are not implemented in the Windows container runtime, and are not available. They require [asserting a user privilege](https://docs.microsoft.com/en-us/windows/desktop/Memory/large-page-support) that's not configurable for containers. 
-* V1.Container.ResourceRequirements.requests.cpu and V1.Container.ResourceRequirements.requests.memory - Requests are subtracted from node available resources, so they can be used to avoid overprovisioning a node. However, they cannot be used to guarantee resources in an overprovisioned node. They should be applied to all containers as a best practice if the operator wants to avoid overprovisioning entirely. -* V1.Container.SecurityContext.allowPrivilegeEscalation - not possible on Windows, none of the capabilities are hooked up -* V1.Container.SecurityContext.Capabilities - POSIX capabilities are not implemented on Windows -* V1.Container.SecurityContext.privileged - Windows doesn't support privileged containers -* V1.Container.SecurityContext.procMount - Windows doesn't have a /proc filesystem -* V1.Container.SecurityContext.readOnlyRootFilesystem - not possible on Windows, write access is required for registry & system processes to run inside the container -* V1.Container.SecurityContext.runAsGroup - not possible on Windows, no GID support -* V1.Container.SecurityContext.runAsNonRoot - Windows does not have a root user. The closest equivalent is ContainerAdministrator which is an identity that doesn't exist on the node. -* V1.Container.SecurityContext.runAsUser - not possible on Windows, no UID support as int. -* V1.Container.SecurityContext.seLinuxOptions - not possible on Windows, no SELinux -* V1.Container.terminationMessagePath - this has some limitations in that Windows doesn't support mapping single files. The default value is /dev/termination-log, which does work because it does not exist on Windows by default. - -##### -V1.Pod - -* V1.Pod.hostIPC, v1.pod.hostpid - host namespace sharing is not possible on Windows -* V1.Pod.hostNetwork - There is no Windows OS support to share the host network -* V1.Pod.dnsPolicy - ClusterFirstWithHostNet - is not supported because Host Networking is not supported on Windows. 
-* V1.Pod.podSecurityContext - see [V1.PodSecurityContext](https://github.com/kubernetes/enhancements/blob/master/keps/sig-windows/20190103-windows-node-support.md#v1podsecuritycontext) -* V1.Pod.shareProcessNamespace - this is an beta feature, and depends on Linux namespaces which are not implemented on Windows. Windows cannot share process namespaces or the container's root filesystem. Only the network can be shared. -* V1.Pod.terminationGracePeriodSeconds - this is not fully implemented in Docker on Windows, see: [reference](https://github.com/moby/moby/issues/25982). The behavior today is that the ENTRYPOINT process is sent CTRL_SHUTDOWN_EVENT, then Windows waits 5 seconds by hardcoded default, and finally shuts down all processes using the normal Windows shutdown behavior. The 5 second default is actually in the Windows registry [inside the container](https://github.com/moby/moby/issues/25982#issuecomment-426441183), so it can be overridden when the container is built. -* V1.Pod.volumeDevices - this is an beta feature, and is not implemented on Windows. Windows cannot attach raw block devices to pods. -* V1.Pod.volumes - EmptyDir, Secret, ConfigMap, HostPath - all work and have tests in TestGrid - * V1.emptyDirVolumeSource - the Node default medium is disk on Windows. Memory is not supported, as Windows does not have a built-in RAM disk. -* V1.VolumeMount.mountPropagation - only MountPropagationHostToContainer is available. Windows cannot create mounts within a pod or project them back to the node. - -##### -V1.PodSecurityContext - - -None of the PodSecurityContext fields work on Windows. They're listed here for reference. - - - -* V1.PodSecurityContext.SELinuxOptions - SELinux is not available on Windows -* V1.PodSecurityContext.RunAsUser - provides a UID, not available on Windows -* V1.PodSecurityContext.RunAsGroup - provides a GID, not available on Windows -* V1.PodSecurityContext.RunAsNonRoot - Windows does not have a root user. 
The closest equivalent is ContainerAdministrator which is an identity that doesn't exist on the node. -* V1.PodSecurityContext.SupplementalGroups - provides GID, not available on Windows -* V1.PodSecurityContext.Sysctls - these are part of the Linux sysctl interface. There's no equivalent on Windows. - - -# ​User Guide: Add Windows Nodes in Kubernetes - - -## ​Objectives - -The Kubernetes platform can now be used to run both Linux and Windows containers. One or more Windows nodes can be registered to a cluster. This guide shows how to: - - - -* Register a Windows node to the cluster -* Configure networking so pods on Linux and Windows can communicate - - -## ​Before you begin - - - -* Obtain a [Windows Server license](https://www.microsoft.com/en-us/cloud-platform/windows-server-pricing) in order to run the Windows node that will execute the Windows container. You can use your organization's licenses for the cluster, or acquire one from Microsoft, a reseller, or via the major cloud providers such as GCP, AWS, and Azure by provisioning a virtual machine running Windows Server through their marketplaces. A [time-limited trial](https://www.microsoft.com/en-us/cloud-platform/windows-server-trial) is also available. -* Build a Linux-based Kubernetes cluster in which you have access to the control plane (some examples include [Getting Started from Scratch](https://kubernetes.io/docs/setup/scratch/), [kubeadm](https://kubernetes.io/docs/setup/independent/create-cluster-kubeadm/), [AKS Engine](https://kubernetes.io/docs/setup/turnkey/azure/), [GCE](https://kubernetes.io/docs/setup/turnkey/gce/), [AWS](https://kubernetes.io/docs/setup/turnkey/aws/)). - - -## ​Getting Started: Adding a Windows Node to Your Cluster - - -### ​Plan IP Addressing - -Kubernetes cluster management requires careful planning of your IP addresses so that you do not inadvertently cause network collision. 
This guide assumes that you are familiar with the [Kubernetes networking concepts](https://kubernetes.io/docs/concepts/cluster-administration/networking/). - -In order to deploy your cluster you will need the following address spaces: - - - - - - - - - - - - - - - - - - - - - - - -
Subnet / address range - Description - Default value -
Service Subnet - A non-routable, purely virtual subnet that is used by pods to uniformly access services without caring about the network topology. It is translated to/from routable address space by kube-proxy running on the nodes. - "10.96.0.0/12" -
Cluster Subnet - This is a global subnet that is used by all pods in the cluster. Each node is assigned a smaller /24 subnet from this for their pods to use. It must be large enough to accommodate all pods used in your cluster. To calculate minimumsubnet size: (number of nodes) + (number of nodes * maximum pods per node that you configure) -

-Example: for a 5 node cluster for 100 pods per node: (5) + (5 * 100) = 505. -

"10.244.0.0/16" -
Kubernetes DNS Service IP - IP address of kube-dns service that will be used for DNS resolution & cluster service discovery. - "10.96.0.10" -
- - -Review the networking options supported in 'Intro to Windows containers in Kubernetes: Supported Functionality: Networking' to determine how you need to allocate IP addresses for your cluster. - - -### Components that run on Windows - -While the Kubernetes control plane runs on your Linux node(s), the following components will be configured and run on your Windows node(s). - - - -1. kubelet -2. kube-proxy -3. kubectl (optional) -4. Container runtime - -Get the latest binaries from [https://github.com/kubernetes/kubernetes/releases](https://github.com/kubernetes/kubernetes/releases), starting with v1.14 or later. The Windows-amd64 binaries for kubeadm, kubectl, kubelet, and kube-proxy can be found under the CHANGELOG link. - - -### ​Networking Configuration - -Once you have a Linux-based Kubernetes master node you are ready to choose a networking solution. This guide illustrates using Flannel in VXLAN mode for simplicity. - - -#### ​Configuring Flannel in VXLAN mode on the Linux controller - - - -1. Prepare Kubernetes master for Flannel - -Some minor preparation is recommended on the Kubernetes master in our cluster. It is recommended to enable bridged IPv4 traffic to iptables chains when using Flannel. This can be done using the following command: - - -``` -sudo sysctl net.bridge.bridge-nf-call-iptables=1 - -``` - - - -1. Download & configure Flannel - -Download the most recent Flannel manifest: - - -``` -wget https://raw.githubusercontent.com/coreos/flannel/master/Documentation/kube-flannel.yml -``` - - -There are two sections you should modify to enable the vxlan networking backend: - -After applying the steps below, the `net-conf.json` section of `kube-flannel.yml` should look as follows: - - -``` -net-conf.json: | - { - "Network": "10.244.0.0/16", - "Backend": { - "Type": "vxlan", - "VNI" : 4096, - "Port": 4789 - } - } - -``` - - - -1. In the `net-conf.json` section of your `kube-flannel.yml`, double-check: - 1. The cluster subnet (e.g. 
"10.244.0.0/16") is set as per your IP plan. - * VNI 4096 is set in the backend - * Port 4789 is set in the backend -2. In the `cni-conf.json` section of your `kube-flannel.yml`, change the network name to "`vxlan0"`. - -Note: The VNI must be set to 4096 and port 4789 for Flannel on Linux to interoperate with Flannel on Windows. Support for other VNIs is coming soon. See [VXLAN](https://github.com/coreos/flannel/blob/master/Documentation/backends.md#vxlan) for an explanation of these fields. - -Your `cni-conf.json` should look as follows: - - -``` -cni-conf.json: | - { - "name": "vxlan0", - "plugins": [ - { - "type": "flannel", - "delegate": { - "hairpinMode": true, - "isDefaultGateway": true - } - }, - { - "type": "portmap", - "capabilities": { - "portMappings": true - } - } - ] - } - -``` - - - -1. Apply the Flannel yaml and Validate - -Let's apply the Flannel configuration: - - -``` -kubectl apply -f kube-flannel.yml -``` - - -Next, since the Flannel pods are Linux-based, apply a NodeSelector patch, which can be found [here](https://github.com/Microsoft/SDN/blob/1d5c055bb195fecba07ad094d2d7c18c188f9d2d/Kubernetes/flannel/l2bridge/manifests/node-selector-patch.yml), to the Flannel DaemonSet pod: - - -``` - kubectl patch ds/kube-flannel-ds-amd64 --patch "$(cat node-selector-patch.yml)" -n=kube-system -``` - - -After a few minutes, you should see all the pods as running if the Flannel pod network was deployed. - - -``` -kubectl get pods --all-namespaces -``` - - - - -

>>>>> gd2md-html alert: inline image link here (to images/Running-Windows0.png). Store image on your image server and adjust path/filename if necessary.
(Back to top)(Next alert)
>>>>>

- - -![alt_text](images/Running-Windows0.png "image_tooltip") - - -Verify that the Flannel DaemonSet has the NodeSelector applied. - - -``` -kubectl get ds -n kube-system -``` - - - - -

>>>>> gd2md-html alert: inline image link here (to images/Running-Windows1.png). Store image on your image server and adjust path/filename if necessary.
(Back to top)(Next alert)
>>>>>

- - -![alt_text](images/Running-Windows1.png "image_tooltip") - - - -### Join Windows Worker - -In this section we'll cover configuring a Windows node from scratch to join a cluster on-prem. If your cluster is on a cloud you'll likely want to follow the cloud specific guides in the next section. - - -#### Preparing a Windows Node - -Note: All code snippets in Windows sections are to be run in a PowerShell environment with elevated permissions (Admin). - - - -1. Install Docker (requires a system reboot) - -Kubernetes uses [Docker](https://www.docker.com/) as its container engine, so we need to install it. You can follow the [official Docs instructions](https://docs.microsoft.com/en-us/virtualization/windowscontainers/manage-docker/configure-docker-daemon#install-docker), the [Docker instructions](https://store.docker.com/editions/enterprise/docker-ee-server-windows), or try these steps: - - -``` -PS C:\Users\Administrator\Install-Module -Name DockerMsftProvider -Repository PSGallery -Force -PS C:\Users\Administrator\Install-Package -Name Docker -ProviderName DockerMsftProvider -PS C:\Users\Administrator\Restart-Computer -Force -``` - - -If you are behind a proxy, the following PowerShell environment variables must be defined: - - -``` -[Environment]::SetEnvironmentVariable("HTTP_PROXY", "http://proxy.example.com:80/", [EnvironmentVariableTarget]::Machine) -[Environment]::SetEnvironmentVariable("HTTPS_PROXY", "http://proxy.example.com:443/", [EnvironmentVariableTarget]::Machine) -``` - - -If after reboot you may see the following error: - - - -

>>>>> gd2md-html alert: inline image link here (to images/Running-Windows2.png). Store image on your image server and adjust path/filename if necessary.
(Back to top)(Next alert)
>>>>>

- - -![alt_text](images/Running-Windows2.png "image_tooltip") - - -If so then you need to restart the docker service manually: - - -``` -Start-Service docker -``` - - -Note: the "pause" (infrastructure) image is on Microsoft Container Registry (MCR) and the DOCKERFILE is available at [https://github.com/Microsoft/SDN/blob/master/Kubernetes/windows/Dockerfile](https://github.com/Microsoft/SDN/blob/master/Kubernetes/windows/Dockerfile) - - -``` -docker pull mcr.microsoft.com/k8s/core/pause:1.0.0 - -``` - - - -2. Prepare a Windows directory for Kubernetes - -Create a "Kubernetes for Windows" directory to store Kubernetes binaries as well as any deployment scripts and config files. - - -``` -mkdir c:\k - -``` - - - -3. Copy Kubernetes certificate - -Copy the Kubernetes certificate file (`$HOME/.kube/config`) [from Linux controller](https://docs.microsoft.com/en-us/virtualization/windowscontainers/kubernetes/creating-a-linux-master#collect-cluster-information) to this new `C:\k` directory on your Windows node. - -Tip: You can use tools such as [xcopy](https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/xcopy) or [WinSCP](https://winscp.net/eng/download.php) to transfer the config file between nodes. - - - -4. Download Kubernetes binaries - -To be able to run Kubernetes, you first need to download the `kubectl`, `kubelet`, and `kube-proxy` binaries. You can download these from the links in the CHANGELOG.md file of the [latest releases](https://github.com/kubernetes/kubernetes/releases/). - -Use the [Expand-Archive](https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.archive/expand-archive?view=powershell-6) PowerShell command to extract the archive and place the binaries into `C:\k`. - - -#### Join the Windows node to the Flannel cluster - -The Flannel overlay deployment scripts and documentation are available in [this repository](https://github.com/Microsoft/SDN/tree/master/Kubernetes/flannel/overlay). 
The following steps are a simple walkthrough of the more comprehensive instructions available there. - -Download the [Flannel start.ps1](https://github.com/Microsoft/SDN/blob/master/Kubernetes/flannel/start.ps1) script, the contents of which should be extracted to `C:\k`: - - -``` -cd c:\k -[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 -wget https://raw.githubusercontent.com/Microsoft/SDN/master/Kubernetes/flannel/start.ps1 -o c:\k\start.ps1 -``` - - -Note: [start.ps1](https://github.com/Microsoft/SDN/blob/master/Kubernetes/flannel/start.ps1) references [install.ps1](https://github.com/Microsoft/SDN/blob/master/Kubernetes/windows/install.ps1), which will download additional files such as the `flanneld` executable and the [Dockerfile for infrastructure pod](https://github.com/Microsoft/SDN/blob/master/Kubernetes/windows/Dockerfile) and install those for you. For overlay networking mode, the [firewall](https://github.com/Microsoft/SDN/blob/master/Kubernetes/windows/helper.psm1#L111) will be opened for local UDP port 4789. There may be multiple powershell windows being opened/closed as well as a few seconds of network outage while the new external vSwitch for the pod network is being created the first time. Run the script using the arguments as specified below: - - -``` -.\start.ps1 -ManagementIP -NetworkMode overlay -ClusterCIDR -ServiceCIDR -KubeDnsServiceIP -LogDir - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
``` - -Parameter - Default Value - Notes -
-ManagementIP - N/A (required) - The IP address assigned to the Windows node. You can use ipconfig to find this. -
-NetworkMode - l2bridge - We're using overlay here -
-ClusterCIDR - 10.244.0.0/16 - Refer to your cluster IP plan -
-ServiceCIDR - 10.96.0.0/12 - Refer to your cluster IP plan -
-KubeDnsServiceIP - 10.96.0.10 - -
-InterfaceName - Ethernet - The name of the network interface of the Windows host. You can use ipconfig to find this. -
-LogDir - C:\k - The directory where kubelet and kube-proxy logs are redirected into their respective output files. -
- - -Now you can view the Windows nodes in your cluster by running the following: - - -``` -kubectl get nodes -``` - - - -### ​Public Cloud Providers - - -#### Azure - -AKS-Engine can deploy a complete, customizable Kubernetes cluster with both Linux & Windows nodes. There is a step-by-step walkthrough available in the [docs on GitHub](https://github.com/Azure/aks-engine/blob/master/docs/topics/windows.md). - - -#### ​GCP - -Users can easily deploy a complete Kubernetes cluster on GCE following this step-by-step walkthrough on [GitHub](https://github.com/kubernetes/kubernetes/blob/master/cluster/gce/windows/README-GCE-Windows-kube-up.md) - - -#### ​Deployment with kubeadm and cluster API - -Kubeadm is becoming the de facto standard for users to deploy a Kubernetes cluster. Windows node support in kubeadm will come in a future release. We are also making investments in cluster API to ensure Windows nodes are properly provisioned. - - -#### Next Steps - -Now that you've configured a Windows worker in your cluster to run Windows containers you may want to add one or more Linux nodes as well to run Linux containers. Now you're ready to proceed to the next step to schedule Windows containers on your cluster. - - -# User Guide: Running Windows containers in Kubernetes - - -## Objectives - - - -* Configure a deployment to run Windows containers on the Windows node -* (Optional) Configure Windows service identity using Group Managed Service Accounts (gMSA) - - -## Before you begin - - - -* Create a Kubernetes cluster that includes a master and a worker node running Windows Server -* It is important to note that creating and deploying services and workloads on Kubernetes behaves in much the same way for Linux and Windows containers. [Kubectl commands](https://kubernetes.io/docs/reference/kubectl/overview/) to interface with the cluster are identical. The example in the section below is provided simply to jumpstart your experience with Windows containers. 
- - -## ​Getting Started: Deploying a Windows Container - - - -1. Create a simple webserver example: - -Create a service spec `win-webserver.yaml` with the contents below: [TODO create this as a file in the docs folder and add a link] - - -``` -apiVersion: v1 -kind: Service -metadata: - name: win-webserver - labels: - app: win-webserver -spec: - ports: - # the port that this service should serve on - - port: 80 - targetPort: 80 - selector: - app: win-webserver - type: NodePort ---- -apiVersion: extensions/v1beta1 -kind: Deployment -metadata: - labels: - app: win-webserver - name: win-webserver -spec: - replicas: 2 - template: - metadata: - labels: - app: win-webserver - name: win-webserver - spec: - containers: - - name: windowswebserver - image: mcr.microsoft.com/windows/servercore:ltsc2019 - command: - - powershell.exe - - -command - - "<#code used from https://gist.github.com/wagnerandrade/5424431#> ; $$listener = New-Object System.Net.HttpListener ; $$listener.Prefixes.Add('http://*:80/') ; $$listener.Start() ; $$callerCounts = @{} ; Write-Host('Listening at http://*:80/') ; while ($$listener.IsListening) { ;$$context = $$listener.GetContext() ;$$requestUrl = $$context.Request.Url ;$$clientIP = $$context.Request.RemoteEndPoint.Address ;$$response = $$context.Response ;Write-Host '' ;Write-Host('> {0}' -f $$requestUrl) ; ;$$count = 1 ;$$k=$$callerCounts.Get_Item($$clientIP) ;if ($$k -ne $$null) { $$count += $$k } ;$$callerCounts.Set_Item($$clientIP, $$count) ;$$ip=(Get-NetAdapter | Get-NetIpAddress); $$header='

Windows Container Web Server

' ;$$callerCountsString='' ;$$callerCounts.Keys | % { $$callerCountsString+='

IP {0} callerCount {1} ' -f $$ip[1].IPAddress,$$callerCounts.Item($$_) } ;$$footer='' ;$$content='{0}{1}{2}' -f $$header,$$callerCountsString,$$footer ;Write-Output $$content ;$$buffer = [System.Text.Encoding]::UTF8.GetBytes($$content) ;$$response.ContentLength64 = $$buffer.Length ;$$response.OutputStream.Write($$buffer, 0, $$buffer.Length) ;$$response.Close() ;$$responseStatus = $$response.StatusCode ;Write-Host('< {0}' -f $$responseStatus) } ; " - nodeSelector: - beta.kubernetes.io/os: windows -``` - - -Note: Port mapping is also supported, but for simplicity in this example the container port 80 is exposed directly to the service. - - - -2. Check that all nodes are healthy: - - ``` - kubectl get nodes - ``` - - -3. Deploy the service and watch for pod updates: - - ``` - kubectl apply -f win-webserver.yaml - - kubectl get pods -o wide -w - When the service is deployed correctly both Pods will be marked as Ready. To exit the watch command, press Ctrl+C. - - ``` - - - -4. Check that the deployment succeeded. 
To verify: - * Two containers per pod on the Windows node, use `docker ps` - * Two pods listed from the Linux master, use `kubectl get pods` - * Node-to-pod communication across the network, `curl` port 80 of your pod IPs from the Linux master to check for a web server response - * Pod-to-pod communication, ping between pods (and across hosts, if you have more than one Windows node) using docker exec or kubectl exec - * Service-to-pod communication, `curl` the virtual service IP (seen under `kubectl get services`) from the Linux master and from individual pods - * Service discovery, `curl` the service name with the Kubernetes[ default DNS suffix](https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#services) - * Inbound connectivity, `curl` the NodePort from the Linux master or machines outside of the cluster - * Outbound connectivity, `curl` external IPs from inside the pod using kubectl exec - -**Note: **Windows _container hosts_ are not able to access the IP of services scheduled on them due to current platform limitations of the Windows networking stack. Only Windows _pods_ are able to access service IPs. - - -## Managing Workload Identity with Group Managed Service Accounts - -Starting with Kubernetes v1.14, Windows container workloads can be configured to use Group Managed Service Accounts (GMSA). Group Managed Service Accounts are a specific type of Active Directory account that provides automatic password management, simplified service principal name (SPN) management, and the ability to delegate the management to other administrators across multiple servers. Containers configured with a GMSA can access external Active Directory Domain resources while carrying the identity configured with the GMSA. Learn more about configuring and using GMSA for Windows containers [here](https://kubernetes.io/docs/concepts/configuration/workload-identity/). - - -### Taints and Tolerations - - -## ​Secrets Management - - - -1. 
Create a secret by following the[ standard directions](https://kubernetes.io/docs/tasks/inject-data-application/distribute-credentials-secure/#create-a-secret) -2. Configure your pod to receive the secret via an environment variable. - - `--- \ -apiVersion: v1 \ -kind: Pod \ -metadata: \ - name: secret-envars-test-pod \ -spec: \ - containers: \ - - name: envars-test-container \ - image: microsoft/windowsservercore:ltsc2019 \ - imagePullPolicy: Never \ - command: \ - - ping \ - - -t \ - - localhost \ - env: \ - - name: SECRET_USERNAME \ - valueFrom: \ - secretKeyRef: \ - name: test-secret \ - key: username \ - - name: SECRET_PASSWORD \ - valueFrom: \ - secretKeyRef: \ - name: test-secret \ - key: password` \ - - -3. Deploy the pod and verify that it is running: - - -``` -kubectl create -f https://k8s.io/docs/getting-started-guides/windows/secret-pod.yaml -kubectl get pod secret-envars-test-pod - -``` - - - -1. Open a shell into the container running the pod: - - -``` -kubectl exec -it secret-envars-test-pod -- powershell - -``` - - - -1. See that the secret is in the environment variable: - - -``` -echo $env:SECRET_USERNAME $env:SECRET_PASSWORD -``` - - -You should see the output:` \ -my-app \ -39528$vdg7Jb` - - -# ​Getting Help and Troubleshooting - - - -1. How do I know start.ps1 on Windows completed successfully? - -You should see kubelet, kube-proxy, and (if you chose Flannel as your networking solution) flanneld host-agent processes running on your node, with running logs being displayed in separate PoSh windows. In addition to this, your Windows node should be listed as "Ready" in your Kubernetes cluster. - - - -2. Can I configure the Kubernetes node processes as in the background? - 1. As native Windows Services - -Kubelet & kube-proxy can be run as native [Windows Services](https://kubernetes.io/docs/getting-started-guides/windows/#kubelet-and-kube-proxy-can-now-run-as-windows-services). 
See [Windows Services on Kubernetes](https://docs.microsoft.com/en-us/virtualization/windowscontainers/kubernetes/kube-windows-services) for example steps. [TO DO create a section for setting up as Windows Services] - - - - 2. Using nssm.exe - -You can also always use alternative service managers like [nssm.exe](https://nssm.cc/) to always run these processes (flanneld, kubelet & kube-proxy) in the background for you. For initial troubleshooting, you can use the following flags in [nssm.exe](https://nssm.cc/) to redirect stdout and stderr to a output file: - - -``` -nssm set AppStdout C:\k\mysvc.log -nssm set AppStderr C:\k\mysvc.log -``` - - -For additional details, see official [nssm usage](https://nssm.cc/usage) docs. - - - -3. My Windows Pods do not have network connectivity - -If you are using virtual machines, ensure that MAC spoofing is enabled on all the VM network adapter(s). - - - -4. My Windows Pods cannot ping external resources - -Windows pods do not have outbound rules programmed for the ICMP protocol today. However, TCP/UDP is supported. When trying to demonstrate connectivity to resources outside of the cluster, please substitute `ping ` with corresponding `curl ` commands. \ - \ -If you are still facing problems, most likely your network configuration in [cni.conf](https://github.com/Microsoft/SDN/blob/master/Kubernetes/flannel/l2bridge/cni/config/cni.conf) deserves some extra attention. You can always edit this static file, the configuration will be applied to any newly created Kubernetes resources. \ - \ -One of the Kubernetes networking requirements (see [Kubernetes model](https://kubernetes.io/docs/concepts/cluster-administration/networking/)) is for cluster communication to occur without NAT internally. To honor this requirement, there is an [ExceptionList](https://github.com/Microsoft/SDN/blob/master/Kubernetes/flannel/l2bridge/cni/config/cni.conf#L20) for all the communication where we do not want outbound NAT to occur. 
However, this also means that you need to exclude the external IP you are trying to query from the ExceptionList. Only then will the traffic originating from your Windows pods be SNAT'ed correctly to receive a response from the outside world. In this regard, your ExceptionList in `cni.conf` should look as follows: - - -``` -"ExceptionList": [ - "10.244.0.0/16", # Cluster subnet - "10.96.0.0/12", # Service subnet - "10.127.130.0/24" # Management (host) subnet - ] - -``` - - - -5. My Windows node cannot access NodePort service - -Local NodePort access from the node itself will fail. This is a known limitation. NodePort access will work from other nodes or external clients. - - - -6. vNICs and HNS endpoints of containers are being deleted - -This issue can be caused when the `hostname-override` parameter is not passed to [kube-proxy](https://kubernetes.io/docs/reference/command-line-tools-reference/kube-proxy/). To resolve it, users need to pass the hostname to kube-proxy as follows: - - -``` -C:\k\kube-proxy.exe --hostname-override=$(hostname) - -``` - - - -7. With flannel my nodes are having issues after rejoining a cluster - -Whenever a previously deleted node is being rejoined to the cluster, flannelD will try to assign a new pod subnet to the node. Users should remove the old pod subnet configuration files in the following paths: - - -``` -Remove-Item C:\k\SourceVip.json -Remove-Item C:\k\SourceVipRequest.json - -``` - - - -8. After launching `start.ps1`, flanneld is stuck in "Waiting for the Network to be created" - -There are numerous reports of this issue which are being investigated; most likely it is a timing issue for when the management IP of the flannel network is set. A workaround is to simply relaunch start.ps1 or relaunch it manually as follows: - - -``` -PS C:> [Environment]::SetEnvironmentVariable("NODE_NAME", "") -PS C:> C:\flannel\flanneld.exe --kubeconfig-file=c:\k\config --iface= --ip-masq=1 --kube-subnet-mgr=1 - -``` - - - -9. 
My Windows Pods cannot launch because of missing `/run/flannel/subnet.env` - -This indicates that Flannel didn't launch correctly. You can either try to restart flanneld.exe or you can copy the files over manually from `/run/flannel/subnet.env` on the Kubernetes master to` C:\run\flannel\subnet.env` on the Windows worker node and modify the `FLANNEL_SUBNET` row to a different number. For example, if node subnet 10.244.4.1/24 is desired: - - -``` -FLANNEL_NETWORK=10.244.0.0/16 -FLANNEL_SUBNET=10.244.4.1/24 -FLANNEL_MTU=1500 -FLANNEL_IPMASQ=true - -``` - - - -10. My Windows node cannot access my services using the service IP - -This is a known limitation of the current networking stack on Windows. Windows pods are able to access the service IP however. - - - -11. No network adapter is found when starting kubelet - -The Windows networking stack needs a virtual adapter for Kubernetes networking to work. If the following commands return no results (in an admin shell), virtual network creation — a necessary prerequisite for Kubelet to work — has failed: - - -``` -Get-HnsNetwork | ? Name -ieq "cbr0" -Get-NetAdapter | ? Name -Like "vEthernet (Ethernet*" -``` - - -Often it is worthwhile to modify the [InterfaceName](https://github.com/Microsoft/SDN/blob/master/Kubernetes/flannel/l2bridge/start.ps1#L6) parameter of the start.ps1 script, in cases where the host's network adapter isn't "Ethernet". Otherwise, consult the output of the `start-kubelet.ps1` script to see if there are errors during virtual network creation. - - - -12. My Pods are stuck at "Container Creating" or restarting over and over - -Check that your pause image is compatible with your OS version. The [instructions](https://docs.microsoft.com/en-us/virtualization/windowscontainers/kubernetes/deploying-resources) assume that both the OS and the containers are version 1803. If you have a later version of Windows, such as an Insider build, you will need to adjust the images accordingly. 
Please refer to the Microsoft's [Docker repository](https://hub.docker.com/u/microsoft/) for images. Regardless, both the pause image Dockerfile and the sample service will expect the image to be tagged as :latest. - -If these steps don't resolve your problem, you can get help running Windows Containers on Windows nodes in Kubernetes through: - - - -* StackOverflow [Windows Server Container](https://stackoverflow.com/questions/tagged/windows-server-container) topic -* Kubernetes Official Forum [discuss.kubernetes.io](https://discuss.kubernetes.io/) -* Kubernetes Slack [#SIG-Windows Channel](https://kubernetes.slack.com/messages/C0SJ4AFB7) - - -### Bugs and Feature Requests - -If you have what looks like a bug, or you would like to make a feature request, please use the [Github issue tracking system](https://github.com/kubernetes/kubernetes/issues). - -Before you file an issue, please search existing issues to see if your issue is already covered. - -If filing a bug, please include detailed information about how to reproduce the problem, such as: - - - -* Kubernetes version: kubectl version -* Cloud provider, OS distro, network configuration, and Docker version -* Steps to reproduce the problem -* Tag the issue sig/windows to bring it to the Windows Special Interest Group member attention - - -# Roadmap - -We have a lot of features in our roadmap. - - -### CRI-ContainerD - -ContainerD is another OCI-compliant runtime that recently graduated as a CNCF project. It's currently tested on Linux, but 1.3 will bring support for Windows and Hyper-V. [[reference](https://blog.docker.com/2019/02/containerd-graduates-within-the-cncf/)] - -The CRI-ContainerD interface will be able to manage sandboxes based on Hyper-V. 
This provides a foundation where RuntimeClasses could be implemented for new use cases including: - - - -* Hypervisor-based isolation between pods for additional security -* Backwards compatibility allowing a node to run a newer Windows Server version without requiring containers to be rebuilt -* Specific CPU/NUMA settings for a pod -* Memory isolation and reservations - - -### Deployment with kubeadm and cluster API - -Kubeadm is becoming the de facto standard for users to deploy a Kubernetes cluster. Windows node support in kubeadm will come in a future release. We are also making investments in cluster API to ensure Windows nodes are properly provisioned. - - -# Document 2: Windows Node contribution specifics - -[https://contributor.kubernetes.io/contributors/guide/](https://contributor.kubernetes.io/contributors/guide/) Under Contributing section - - -## Joining the SIG-Windows Mailing List and Slack Channel - -The best way to get in contact with the contributors working on Windows support is through the Kubernetes Slack. To get a Slack invite, visit [http://slack.k8s.io/](http://slack.k8s.io/) . Once you're logged in, join us in the [#SIG-Windows](https://kubernetes.slack.com/messages/C0SJ4AFB7) channel. - -To get access to shared documents, meeting calendar, and additional discussions, be sure to also join the [SIG-Windows Google Group](https://groups.google.com/forum/#!forum/kubernetes-sig-windows). - - -## Building Kubernetes for Windows from Source - -The Kubernetes build scripts have not been ported to Windows, so it's best to run in a Linux VM where you can run the same Docker container used in the official Kubernetes builds. This simplifies the steps, but means that you cannot build under Windows Subsystem for Linux (WSL). - -It's best to skim over the [Building Kubernetes](https://github.com/kubernetes/kubernetes/blob/master/build/README.md) guide if you have never built Kubernetes before to get the latest info. 
These steps are a summary focused on cross-building the Windows node binaries (kubelet & kube-proxy). - - -### ​Build Prerequisites - -At least 60GB of disk space is required, and 16GB of memory (or memory + swap). - -Once you have a VM, install Git, [Docker-CE](https://docs.docker.com/install/), and make. The build scripts will pull a Docker container with the required version of golang and other needed tools preinstalled. - -If you're using Ubuntu, then install the following packages: git, build-essential, [Docker-CE](https://docs.docker.com/install/linux/docker-ce/ubuntu/). - - -### ​Pulling a PR (optional) - -If there is a PR you would like to build, it's easy. You can create a working branch, pull the changes from GitHub in a patch, apply, then build. - -The examples here are based off a patch on GitHub: [https://github.com/kubernetes/kubernetes/pull/74788](https://github.com/kubernetes/kubernetes/pull/74788) . Be sure to replace the URL with the PR you want to test. - -First, make sure your local clone is up-to-date with master: `git checkout master ; git pull master` - -Next, create a branch in your repo: `git checkout -b pr74788` - -Now, get the patch for the PR you want. Append .patch to the URL, and download it with curl: `curl -L -o pr74788.patch https://github.com/kubernetes/kubernetes/pull/74788.patch` - -Merge it with ``patch -p1 < pr74788.patch`` - -If there are errors, fix them as needed. Once you're done, delete the .patch file and then `git commit` the rest to your local branch. - - -### Building Kubernetes binaries for Windows - -You can build individual components such as kubelet, kube-proxy, or kubectl by running `./build/run.sh make KUBE_BUILD_PLATFORMS=windows/amd64` such as `./build/run.sh make kubelet KUBE_BUILD_PLATFORMS=windows/amd64` - -If you would like to build all binaries at once, then run `./build/run.sh make cross KUBE_BUILD_PLATFORMS=windows/amd64` - -Once the build completes, the files will be in _output/dockerized/bin. 
- - -## Running Your Own Cluster - - -## Testing Your Changes - - -### Updating the Node binaries - -Once you have binaries built (see Building Kubernetes binaries for Windows), the easiest way to test them is to replace them on an existing cluster. Use the steps above to build a cluster in your cloud of choice. To update the binaries on an existing node, follow these steps: - - - -1. Drain & cordon a node with `kubectl drain ` -2. Connect to the node with SSH or Windows Remote Desktop, and start PowerShell -3. On the node, run `Stop-Service kubelet -Force` -4. Copy kubelet.exe and kube-proxy.exe to a cloud storage account, or use SSH to copy them directly to the node. -5. Overwrite the existing kubelet & kube-proxy binaries. If you don't know where they are, run `sc.exe qc kubelet` or `sc.exe qc kube-proxy` and look at the BINARY_PATH_NAME returned. -6. Start the updated kubelet & kube-proxy with `Start-Service kubelet` - - -### ​Running Tests - -For the most up-to-date steps on how to build and run tests, please go to [https://github.com/kubernetes-sigs/windows-testing](https://github.com/kubernetes-sigs/windows-testing) . It has everything you need to build and run tests, as well as links to the SIG-Windows configurations used on [TestGrid](https://testgrid.k8s.io/sig-windows). - - -## Reporting Issues - - -### Gathering Logs - -Gathering trouble shooting info for CNI. [https://github.com/kubernetes/kubernetes/issues/74766#issuecomment-468736127](https://github.com/kubernetes/kubernetes/issues/74766#issuecomment-468736127) - -On the node before creating the pod for the first time. 
- -start-birstranfer [https://raw.githubusercontent.com/Microsoft/SDN/master/Kubernetes/windows/debug/collectlogs.ps1](https://raw.githubusercontent.com/Microsoft/SDN/master/Kubernetes/windows/debug/collectlogs.ps1) - -run collectlogs.ps1 - -then start the trace by running the following command - -C:\k\debug\starthnstrace.cmd - -repro the issue - -run "netsh trace stop" - -then do again collectlogs.ps1 - -and send us both before and after collectlogs.ps1 and C:\server.etl \ No newline at end of file From 425a934a25fda97cf4057b6c4440807332649d35 Mon Sep 17 00:00:00 2001 From: Craig Peters Date: Tue, 12 Mar 2019 15:53:24 -0700 Subject: [PATCH 04/32] big attempt --- .../getting-started-guides/windows/_index.md | 1361 ++++++++++++++++ .../windows/complete-staging.md | 1363 +++++++++++++++++ .../flannel-master-kubeclt-get-pods.png | Bin 0 -> 111844 bytes .../windows/flannel-master-kubectl-get-ds.png | Bin 0 -> 25610 bytes .../windows/windows-docker-error.png | Bin 0 -> 81774 bytes 5 files changed, 2724 insertions(+) create mode 100644 content/en/docs/getting-started-guides/windows/complete-staging.md create mode 100644 content/en/docs/getting-started-guides/windows/flannel-master-kubeclt-get-pods.png create mode 100644 content/en/docs/getting-started-guides/windows/flannel-master-kubectl-get-ds.png create mode 100644 content/en/docs/getting-started-guides/windows/windows-docker-error.png diff --git a/content/en/docs/getting-started-guides/windows/_index.md b/content/en/docs/getting-started-guides/windows/_index.md index e26f6ad8bbdac..54b4c976487ce 100644 --- a/content/en/docs/getting-started-guides/windows/_index.md +++ b/content/en/docs/getting-started-guides/windows/_index.md 
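Review bot: this deletion hunk removes the whole Flannel walkthrough, user guide, secrets example and troubleshooting FAQ from `_index.md`, and the visible text carries defects that should be fixed wherever it is re-added rather than copied across. Angle-bracket placeholders were lost in the export, leaving commands with empty arguments: `.\start.ps1 -ManagementIP -NetworkMode overlay -ClusterCIDR -ServiceCIDR -KubeDnsServiceIP -LogDir`, `--iface=`, `kubectl drain ` and `ping `/`curl `; restore them as escaped placeholders inside code spans. The `cni.conf` ExceptionList sample has `# Cluster subnet`-style comments inside a JSON array, which will not parse if pasted as shown. The secrets verification step `echo $env:SECRET_USERNAME $env:SECRET_PASSWORD` writes the secret value to the console and any session transcript; checking presence with `Test-Path env:SECRET_PASSWORD` demonstrates the injection without exposing the value. The pod YAML in the Secrets step is rendered as a backslash-escaped inline code span instead of a fenced block, `[TODO ...]` and `[TO DO ...]` markers and an empty `### Taints and Tolerations` heading remain, `Deployment with kubeadm and cluster API` appears twice with the same paragraph, and `start-birstranfer` under Gathering Logs is a typo for the `Start-BitsTransfer` cmdlet.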
@@ -6,8 +6,1369 @@ toc_hide: true These instructions are under revision for the v1.14 release with a [tracking issue](https://github.com/kubernetes/website/issues/12426). You can find the WIP draft in a [Google Doc](https://docs.google.com/document/d/1a2bRd7PZXygIEm4cEcCeLXpEqJ7opakP_j4Pc6AJVYA/edit?usp=sharing) {{< /note >}} +# Document 1: Using Windows containers in Kubernetes. Section: ​Overview + +([https://kubernetes.io/docs/getting-started-guides/windows/](https://kubernetes.io/docs/getting-started-guides/windows/) [https://github.com/kubernetes/website/pull/12929](https://github.com/kubernetes/website/pull/12929)) + + ## ​Motivation Windows applications constitute a large portion of the services and applications that run in many organizations. [Windows containers](https://aka.ms/windowscontainers) provide a modern way to encapsulate processes and package dependencies, making it easier to use DevOps practices and follow cloud native patterns for Windows applications. Kubernetes has become the defacto standard container orchestrator, and the release of Kubernetes 1.14 includes production support for scheduling Windows containers on Windows nodes in a Kubernetes cluster, enabling a vast ecosystem of Windows applications to leverage the power of Kubernetes. Enterprises with investments in Windows-based applications and Linux-based applications don't have to look for separate orchestrators to manage their workloads, leading to increased operational efficiencies across their deployments, regardless of operating system. +## ​Intro to Windows containers in Kubernetes + +To enable the orchestration of Windows containers in Kubernetes, simply include Windows nodes in your existing Linux cluster. Scheduling Windows containers in [Pods](https://kubernetes.io/docs/concepts/workloads/pods/pod-overview/) on Kubernetes is as simple and easy as scheduling Linux-based containers. 
+ +In order to run Windows containers, your Kubernetes cluster must include multiple operating systems, with control plane nodes running Linux and workers running either Windows or Linux depending on your workload needs. Windows Server 2019 is the only Windows operating system supported, enabling [Kubernetes Node](https://github.com/kubernetes/community/blob/master/contributors/design-proposals/architecture/architecture.md#the-kubernetes-node) on Windows (including kubelet, [container runtime](https://docs.microsoft.com/en-us/virtualization/windowscontainers/deploy-containers/containerd), and kube-proxy). For a detailed explanation of Windows distribution channels see the [Microsoft documentation](https://docs.microsoft.com/en-us/windows-server/get-started-19/servicing-channels-19). + +NOTE: The Kubernetes control plane, including the [master components](https://kubernetes.io/docs/concepts/overview/components/), will continue to run on Linux. There are no plans have a Windows-only Kubernetes cluster. + + +## ​Supported Functionality and Limitations + + +### ​Supported Functionality + + +#### Compute + +From an API and kubectl perspective, Windows containers behave in much the same way as Linux-based containers. However, there are some notable differences in key functionality which are outlined in the limitation section. + +Let's start with the operating system version. Refer to the following table for Windows operating system support in Kubernetes. A single heterogeneous Kubernetes cluster can have both Windows and Linux worker nodes. Windows containers have to be scheduled on Windows nodes and Linux containers on Linux nodes. + + + + + + + + + + + + + + + + + + + + + +
Kubernetes version + Host OS version (Kubernetes Node) + + +
+ Windows Server 1709 + Windows Server 1803 + Windows Server 1809/Windows Server 2019 +
Kubernetes v1.14 + Not Supported + Not Supported + Supported for Windows Server containers Builds 17763.* with Docker EE-basic 18.09 +
+ + + + NOTE: The Windows Server Host Operating System is subject to the [Windows Server ](https://www.microsoft.com/en-us/cloud-platform/windows-server-pricing) licensing. The Windows Container images are subject to the [Supplemental License Terms for Windows containers](https://docs.microsoft.com/en-us/virtualization/windowscontainers/images-eula). + + + NOTE: Windows containers have strict compatibility rules, [where the host OS version must match the container base image OS version.](https://docs.microsoft.com/en-us/virtualization/windowscontainers/deploy-containers/version-compatibility) + +Key Kubernetes elements work the same way in Windows as they do in Linux. In this section, we will talk about some of the key workload enablers and how they map to Windows. + + + +* [Pods](https://kubernetes.io/docs/concepts/workloads/pods/pod-overview/) + + A Pod is the basic building block of Kubernetes–the smallest and simplest unit in the Kubernetes object model that you create or deploy. The following Pod capabilities, properties and events are supported with Windows containers: + + + + * Single or multiple containers per Pod with process isolation and volume sharing + * Pod status fields + * Readiness and Liveness probes + * postStart & preStop container lifecycle events + * ConfigMap, Secrets: as environment variables or volumes + * EmptyDir + * Named pipe host mounts + * Resource limits +* [Controllers](https://kubernetes.io/docs/concepts/workloads/controllers/) + + Kubernetes controllers handle the desired state of Pods. The following workload controllers are supported with Windows containers: + + * ReplicaSet + * ReplicationController + * Deployments + * StatefulSets + * DaemonSet + * Job + * CronJob +* [Services](https://kubernetes.io/docs/concepts/services-networking/service/) + + A Kubernetes Service is an abstraction which defines a logical set of Pods and a policy by which to access them - sometimes called a micro-service. 
You can use services for cross-operating system connectivity. In Windows, services can utilize the following types, properties and capabilities: + + * Service Environment variables + * NodePort + * ClusterIP + * LoadBalancer + * ExternalName + * Headless services + +Pods, Controllers and Services are critical elements to managing Windows workloads on Kubernetes. However, on their own they are not enough to enable the proper lifecycle management of Windows workloads in a dynamic cloud native environment. We added support for the following features: + + + +* Pod and container metrics +* Horizontal Pod Autoscaler support +* KubeCtl Exec +* Resource Quotas +* Scheduler preemption + + +#### Container Runtime + +Docker EE-basic 18.09 is required on Windows Server 2019 / 1809 nodes for Kubernetes. This works with the dockershim code included in the kubelet. Additional runtimes such as CRI-ContainerD may be supported in later Kubernetes versions. + + +#### Storage + +Kubernetes Volumes enable complex applications with data persistence and Pod volume sharing requirements to be deployed on Kubernetes. Kubernetes on Windows supports the following types of [volumes](https://kubernetes.io/docs/concepts/storage/volumes/): + + + +* FlexVolume out-of-tree plugin with [SMB and iSCSI ](https://github.com/Microsoft/K8s-Storage-Plugins/tree/master/flexvolume/windows)support +* [azureDisk](https://kubernetes.io/docs/concepts/storage/volumes/#azuredisk) +* [azureFile ](https://kubernetes.io/docs/concepts/storage/volumes/#azurefile) + + +#### ​Networking + +Networking for Windows containers is exposed through [CNI plugins](https://kubernetes.io/docs/concepts/extend-kubernetes/compute-storage-net/network-plugins/). Windows containers function similarly to virtual machines in regards to networking. Each container has a virtual network adapter (vNIC) which is connected to a Hyper-V virtual switch (vSwitch). 
The Host Networking Service (HNS) and the Host Compute Service (HCS) work together to create containers and attach container vNICs to networks. HCS is responsible for the management of containers whereas HNS is responsible for the management of networking resources such as: + + + +* Virtual networks (including creation of vSwitches) +* Endpoints / vNICs +* Namespaces +* Policies (Packet encapsulations, Load-balancing rules, ACLs, NAT'ing rules, etc.) + +The following service spec types are supported: + + + +* NodePort +* ClusterIP +* LoadBalancer +* ExternalName + +Windows supports five different networking drivers/modes: L2bridge, L2tunnel, Overlay, Transparent, and NAT. In a heterogeneous cluster with Windows and Linux work nodes, you need to select a networking solution that is compatible on both Windows and Linux. The following out-of-tree plugins are supported on Windows, with recommendations on when to use each CNI: + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Network Driver + Description + Container Packet Modifications + Network Plugins + Network Plugin Characteristics +
L2bridge + Containers are attached to an external vSwitch. Containers are attached to the underlay network, although the physical network doesn't need to learn the container MACs because they are rewritten on ingress/egress. Inter-container traffic is bridged inside the container host. + MAC is rewritten to host MAC, IP remains the same. + win-bridge, Azure-CNI, Flannel host-gateway uses win-bridge + win-bridge uses L2bridge network mode, connects containers to the underlay of hosts, offering best performance. Requires L2 adjacency between container hosts +
L2Tunnel + This is a special case of l2bridge, but only used on Azure. All packets are sent to the virtualization host where SDN policy is applied. + MAC rewritten, IP visible on the underlay network + Azure-CNI + Azure-CNI allows integration of containers with Azure vNET, and allows them to leverage the set of capabilities that Azure Virtual Network provides. For example, securely connect to Azure services or use Azure NSGs. See azure-cni for some examples +
Overlay (Overlay networking for Windows in Kubernetes is in alpha stage) + Containers are given a vNIC connected to an external vSwitch. Each overlay network gets its own IP subnet, defined by a custom IP prefix.The overlay network driver uses VXLAN encapsulation. + Encapsulated with an outer header, inner packet remains the same. + Win-overlay, Flannel VXLAN (uses win-overlay), +

+OVN-Kubernetes (uses OpenVSwitch on Windows - Prebuilt certified installer), requires KB4482887 +

win-overlay should be used when virtual container networks are desired to be isolated from underlay of hosts (e.g. for security reasons). Allows for IPs to be re-used for different overlay networks (which have different VNID tags) if you are restricted on IPs in your datacenter. This option may be used when the container hosts are not L2 adjacent but have L3 connectivity +
Transparent (not used in Kubernetes) + Containers are given a vNIC connected to an external vSwitch. Containers are attached to the underlay network directly and the physical network needs to learn the container MACs. + Both MAC and IP remains the same. + + Included here for completeness +
NAT (not used in Kubernetes) + Containers are given a vNIC connected to an internal vSwitch. DNS/DHCP is provided using an internal component called WinNAT + MAC and IP is rewritten to host MAC/IP. + nat + Included here for completeness +
+ + +Furthermore, for simplified consumption of the win-bridge and win-overlay plugins for end-users with automated network configurations, [Flannel](https://github.com/coreos/flannel) has added support for Windows in their [meta plugin](https://github.com/containernetworking/plugins/tree/master/plugins/meta/flannel) via the [VXLAN network backend](https://github.com/coreos/flannel/blob/master/Documentation/backends.md#vxlan) (**alpha support** ; delegates to win-overlay) and [host-gateway network backend](https://github.com/coreos/flannel/blob/master/Documentation/backends.md#host-gw) (stable support; delegates to win-bridge) with the [host-local plugin](https://github.com/containernetworking/plugins/tree/master/plugins/ipam/host-local) used for IP address management and the meta CNI network plugin [flannel](https://github.com/containernetworking/plugins/tree/master/plugins/meta/flannel#windows-support-experimental) for interacting between the delegated CNI plugin (win-bridge or win-overlay) and providing the host-local IPAM the correct range from subnet.env file provisioned by the flanneld agent. + +For the node, pod, and service objects, the following network flows are supported for TCP/UDP traffic: + + + +* Pod -> Pod (IP) +* Pod -> Pod (Name) +* Pod -> Service (Cluster IP) +* Pod -> Service (PQDN, but only if there are no ".") +* Pod -> Service (FQDN) +* Pod -> External (IP) +* Pod -> External (DNS) +* Node -> Pod +* Pod -> Node + +The following IPAM options are supported on Windows: + + + +* [Host-local](https://github.com/containernetworking/plugins/tree/master/plugins/ipam/host-local) +* HNS IPAM (Inbox platform IPAM, this is a fallback when no IPAM is set) +* [Azure-vnet-ipam](https://github.com/Azure/azure-container-networking/blob/master/docs/ipam.md) (for azure-cni only) + + +### ​​​​Limitations + + +#### Control Plane + +Windows is only supported as a worker node in the Kubernetes architecture and component matrix. 
This means that a Kubernetes cluster must always include Linux master nodes, zero or more Linux worker nodes, and zero or more Windows worker nodes. + + +#### ​Compute + + +##### Resource management and process isolation + + Linux cgroups are used as a pod boundary for resource controls in Linux. Containers are created within that boundary for network, process and file system isolation. The cgroups APIs can be used to gather cpu/io/memory stats. In contrast, Windows uses a Job object per container with a system namespace filter to contain all processes in a container and provide logical isolation from the host. There is no way to run a Windows container without the namespace filtering in place. This means that system privileges cannot be asserted in the context of the host, and thus privileged containers are not available on Windows. Containers cannot assume an identity from the host because the Security Account Manager (SAM) is separate. + + +##### Operating System Restrictions + +Windows has strict compatibility rules, where the host OS version must match the container base image OS version. Only Windows containers with a container operating system of Windows Server 2019 are supported. Hyper-V isolation of containers, enabling some backward compatibility of Windows container image versions, is planned for a future release. + + +##### Feature Restrictions + + + +* TerminationGracePeriod: not implemented +* Single file mapping: to be implemented with CRI-ContainerD +* Termination message: to be implemented with CRI-ContainerD +* Privileged Containers: not currently supported in Windows containers +* HugePages +* The existing node problem detector is Linux-only and requires privileged containers. 
In general, we don't expect this to be used on Windows because privileged containers are not supported +* Not all features of shared namespaces are supported (see API section for more details) + + +##### Memory Reservations and Handling + +Windows does not have an out-of-memory process killer as Linux does. Windows always treats all user-mode memory allocations as virtual, and pagefiles are mandatory. The net effect is that Windows won't reach out of memory conditions the same way Linux does, and processes will page to disk instead of being subject to out of memory (OOM) termination. If memory is over-provisioned and all physical memory is exhausted, then paging can slow down performance. + +Keeping memory usage within reasonable bounds is possible with a two-step process. First, use the kubelet parameters `--kubelet-reserve` and/or `--system-reserve` to account for memory usage on the node (outside of containers). This will reduce [NodeAllocatable](https://kubernetes.io/docs/tasks/administer-cluster/reserve-compute-resources/#node-allocatable)). As you deploy workloads, use resource limits (must set only limits or limits must equal requests) on containers. This will also subtract from NodeAllocatable and prevent the scheduler from adding more pods once a node is full. + +A best practice to avoid over-provisioning is to configure the kubelet with a system reserved memory of at least 2GB to account for Windows, Docker, and Kubernetes processes. + +The behaviour of the flags behave differently as described below: + + + +* --kubelet-reserve, --system-reserve , and --eviction-hard flags update Node Allocatable +* Eviction by using --enforce-node-allocable is not implemented +* Eviction by using --eviction-hard and --eviction-soft are not implemented +* MemoryPressure Condition is not implemented +* There are no OOM eviction actions taken by the kubelet +* Kubelet running on the windows node does not have memory restrictions. 
--kubelet-reserve and --system-reserve do not set limits on kubelet or processes running the host. This means kubelet or a process on the host could cause memory resource starvation outside the node-allocatable and scheduler + + +#### ​Storage + +Windows has a layered filesystem driver to mount container layers and create a copy filesystem based on NTFS. All file paths in the container are resolved only within the context of that container. + + + +* Volume mounts can only target a directory in the container, and not an individual file +* Volume mounts cannot project files or directories back to the host filesystem +* Read-only filesystems are not supported because write access is always required for the Windows registry and SAM database. However, read-only volumes are supported +* Volume user-masks and permissions are not available. Because the SAM is not shared between the host & container, there's no mapping between them. All permissions are resolved within the context of the container + +As a result, the following storage functionality is not supported on Windows nodes + + + +* Windows does not support volume subpath mounts. Only the entire volume can be mounted in a Windows container. +* Subpath volume mounting for Secrets +* Host mount projection +* DefaultMode (due to UID/GID dependency) +* Read-only root filesystem. Mapped volumes still support readOnly +* Block device mapping +* Memory as the storage medium +* CSI plugins which require privileged containers +* File system features like uui/guid, per-user Linux filesystem permissions +* NFS based storage/volume support + + +#### Networking + +Windows Container Networking differs in some important ways from Linux networking. The [Microsoft documentation for Windows Container Networking](https://docs.microsoft.com/en-us/virtualization/windowscontainers/container-networking/architecture) contains additional details and background. 
+ +The Windows host networking networking service and virtual switch implement namespacing and can create virtual NICs as needed for a pod or container. However, many configurations such as DNS, routes, and metrics are stored in the Windows registry database rather than /etc/... files as they are on Linux. The Windows registry for the container is separate from that of the host, so concepts like mapping /etc/resolv.conf from the host into a container don't have the same effect they would on Linux. These must be configured using Windows APIs run in the context of that container. Therefore CNI implementations need to call the HNS instead of relying on file mappings to pass network details into the pod or container. + +The following networking functionality is not supported on Windows nodes + + + +* Host networking mode is not available for Windows pods +* Local NodePort access from the node itself will fail (works for other nodes or external clients) +* Accessing service VIPs from nodes will be available with a future release of Windows Server +* Overlay networking support in kube-proxy is an alpha release. In addition, it requires [KB4482887](https://support.microsoft.com/en-us/help/4482887/windows-10-update-kb4482887) to be installed on Windows Server 2019 +* Outbound communication using the ICMP protocol via the win-overlay, win-bridge, and Azure-CNI plugin. Specifically, the Windows data plane ([VFP](https://www.microsoft.com/en-us/research/project/azure-virtual-filtering-platform/)) doesn't support ICMP packet transpositions. This means: + * ICMP packets directed to destinations within the same network (e.g. pod to pod communication via ping) will work as expected and without any limitations + * TCP/UDP packets will work as expected and without any limitations + * ICMP packets directed to pass through a remote network (e.g. 
pod to external internet communication via ping) cannot be transposed and thus will not be routed back to their source + * Since TCP/UDP packets can still be transposed, one can substitute **ping ** with **curl ** to be able to debug connectivity to the outside world. + + +##### CNI Plugins + + + +* Windows reference network plugins win-bridge and win-overlay do not currently implement [CNI spec](https://github.com/containernetworking/cni/blob/master/SPEC.md) v0.4.0 due to missing "CHECK" implementation. +* The Flannel VXLAN CNI has the following limitations on Windows: +1. Node-pod connectivity isn't possible by design. It's only possible for local pods with Flannel PR[ https://github.com/coreos/flannel/pull/1096](https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Fcoreos%2Fflannel%2Fpull%2F1096&data=02%7C01%7CDavid.Schott%40microsoft.com%7Cfa26c088fac743188e7d08d69ea3d836%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C636870823885740325&sdata=1QEvw9Gh6IioT7ruVhhXAlSgN1a%2FMsqn4ViDQSSSVjs%3D&reserved=0) +2. We are restricted to using VNI 4096 and UDP port 4789. The VNI limitation is being worked on and will be overcome (open-source flannel changes). See official [Flannel VXLAN ](https://github.com/coreos/flannel/blob/master/Documentation/backends.md#vxlan)backend docs for more details on these parameters. + + +##### DNS + + + +* ClusterFirstWithHostNet is not supported for DNS. Windows treats all names with a '.' as a FQDN and skips PQDN resolution +* On Linux, you have a DNS suffix list, which is used when trying to resolve PQDNs. On Windows, we only have 1 DNS suffix, which is the the DNS suffix associated with that pod's namespace (mydns.svc.cluster.local for example). Windows can resolve FQDNs and services or names resolvable with just that suffix. For example, a pod spawned in the default namespace, will have the DNS suffix **default.svc.cluster.local**. 
On a Windows pod, we will be able to resolve both **kubernetes.default.svc.cluster.local** and **kubernetes**, but not the in-betweens, like **kubernetes.default** or **kubernetes.default.svc**. + +Security + +Secrets are written in clear text on the node's volume (as compared to tmpfs/in-memory on linux). This means customers have to do two things + + + +1. Use file ACLs to secure the secrets file location +2. ​Use volume-level encryption using [BitLocker](https://docs.microsoft.com/en-us/windows/security/information-protection/bitlocker/bitlocker-how-to-deploy-on-windows-server) + +[RunAsUser ](https://kubernetes.io/docs/concepts/policy/pod-security-policy/#users-and-groups)is not currently supported on Windows. The workaround is to create local accounts before packaging the container. The RunAsUsername capability may be added in a future release. + +Linux specific pod security context privileges such as SELinux, AppArmor, Seccomp, Capabilities (POSIX Capabilities), and others are not supported. + +In addition, as mentioned already, privileged containers are not supported on Windows. + + +#### API + +There are no differences in how most of the Kubernetes APIs work for Windows. The subtleties around what's different come down to differences in the OS and container runtime. In certain situations, some properties on workload APIs such as Pod or Container were designed with an assumption that they are implemented on Linux, failing to run on Windows. \ + \ +At a high level, these OS concepts are different: + + + +* Identity - Linux uses userID (UID) and groupID (GID) which are represented as integer types. User and group names are not canonical - they are just an alias in /etc/groups or /etc/passwd back to UID+GID. Windows uses a larger binary security identifier (SID) which is stored in the Windows Security Access Manager (SAM) database. This database is not shared between the host and containers, or between containers. 
+* File permissions - Windows uses an access control list based on SIDs, rather than a bitmask of permissions and UID+GID +* File paths - convention on Windows is to use **\** instead of **/**. The Go IO libraries typically accept both and just make it work, but when you're setting a path or command line that's interpreted inside a container, **\** may be needed. +* Signals - Windows interactive apps handle termination differently, and can implement one or more of these: + * A UI thread will handle well-defined messages including WM_CLOSE + * Console apps will handle ctrl-c or ctrl-break using a Control Handler + * Services will register a Service Control Handler function that can accept SERVICE_CONTROL_STOP control codes + +Exit Codes follow the same convention where 0 is success, nonzero is failure. The specific error codes may differ across Windows and Linux. However, exit codes passed from the Kubernetes components (kubelet, kube-proxy) will be unchanged. + + +##### V1.Container + + + +* V1.Container.ResourceRequirements.limits.cpu and V1.Container.ResourceRequirements.limits.memory - Windows doesn't use hard limits for CPU allocations. Instead, a share system is used. The existing fields based on millicores are scaled into relative shares that are followed by the Windows scheduler. [see: kuberuntime/helpers_windows.go](https://github.com/kubernetes/kubernetes/blob/master/pkg/kubelet/kuberuntime/helpers_windows.go), [see: resource controls in Microsoft docs](https://docs.microsoft.com/en-us/virtualization/windowscontainers/manage-containers/resource-controls) + * Huge pages are not implemented in the Windows container runtime, and are not available. They require [asserting a user privilege](https://docs.microsoft.com/en-us/windows/desktop/Memory/large-page-support) that's not configurable for containers. 
+* V1.Container.ResourceRequirements.requests.cpu and V1.Container.ResourceRequirements.requests.memory - Requests are subtracted from node available resources, so they can be used to avoid overprovisioning a node. However, they cannot be used to guarantee resources in an overprovisioned node. They should be applied to all containers as a best practice if the operator wants to avoid overprovisioning entirely. +* V1.Container.SecurityContext.allowPrivilegeEscalation - not possible on Windows, none of the capabilities are hooked up +* V1.Container.SecurityContext.Capabilities - POSIX capabilities are not implemented on Windows +* V1.Container.SecurityContext.privileged - Windows doesn't support privileged containers +* V1.Container.SecurityContext.procMount - Windows doesn't have a /proc filesystem +* V1.Container.SecurityContext.readOnlyRootFilesystem - not possible on Windows, write access is required for registry & system processes to run inside the container +* V1.Container.SecurityContext.runAsGroup - not possible on Windows, no GID support +* V1.Container.SecurityContext.runAsNonRoot - Windows does not have a root user. The closest equivalent is ContainerAdministrator which is an identity that doesn't exist on the node. +* V1.Container.SecurityContext.runAsUser - not possible on Windows, no UID support as int. +* V1.Container.SecurityContext.seLinuxOptions - not possible on Windows, no SELinux +* V1.Container.terminationMessagePath - this has some limitations in that Windows doesn't support mapping single files. The default value is /dev/termination-log, which does work because it does not exist on Windows by default. + +##### +V1.Pod + +* V1.Pod.hostIPC, v1.pod.hostpid - host namespace sharing is not possible on Windows +* V1.Pod.hostNetwork - There is no Windows OS support to share the host network +* V1.Pod.dnsPolicy - ClusterFirstWithHostNet - is not supported because Host Networking is not supported on Windows. 
+* V1.Pod.podSecurityContext - see [V1.PodSecurityContext](https://github.com/kubernetes/enhancements/blob/master/keps/sig-windows/20190103-windows-node-support.md#v1podsecuritycontext) +* V1.Pod.shareProcessNamespace - this is an beta feature, and depends on Linux namespaces which are not implemented on Windows. Windows cannot share process namespaces or the container's root filesystem. Only the network can be shared. +* V1.Pod.terminationGracePeriodSeconds - this is not fully implemented in Docker on Windows, see: [reference](https://github.com/moby/moby/issues/25982). The behavior today is that the ENTRYPOINT process is sent CTRL_SHUTDOWN_EVENT, then Windows waits 5 seconds by hardcoded default, and finally shuts down all processes using the normal Windows shutdown behavior. The 5 second default is actually in the Windows registry [inside the container](https://github.com/moby/moby/issues/25982#issuecomment-426441183), so it can be overridden when the container is built. +* V1.Pod.volumeDevices - this is an beta feature, and is not implemented on Windows. Windows cannot attach raw block devices to pods. +* V1.Pod.volumes - EmptyDir, Secret, ConfigMap, HostPath - all work and have tests in TestGrid + * V1.emptyDirVolumeSource - the Node default medium is disk on Windows. Memory is not supported, as Windows does not have a built-in RAM disk. +* V1.VolumeMount.mountPropagation - only MountPropagationHostToContainer is available. Windows cannot create mounts within a pod or project them back to the node. + +##### +V1.PodSecurityContext + + +None of the PodSecurityContext fields work on Windows. They're listed here for reference. + + + +* V1.PodSecurityContext.SELinuxOptions - SELinux is not available on Windows +* V1.PodSecurityContext.RunAsUser - provides a UID, not available on Windows +* V1.PodSecurityContext.RunAsGroup - provides a GID, not available on Windows +* V1.PodSecurityContext.RunAsNonRoot - Windows does not have a root user. 
The closest equivalent is ContainerAdministrator which is an identity that doesn't exist on the node. +* V1.PodSecurityContext.SupplementalGroups - provides GID, not available on Windows +* V1.PodSecurityContext.Sysctls - these are part of the Linux sysctl interface. There's no equivalent on Windows. + + +# ​User Guide: Add Windows Nodes in Kubernetes + + +## ​Objectives + +The Kubernetes platform can now be used to run both Linux and Windows containers. One or more Windows nodes can be registered to a cluster. This guide shows how to: + + + +* Register a Windows node to the cluster +* Configure networking so pods on Linux and Windows can communicate + + +## ​Before you begin + + + +* Obtain a [Windows Server license](https://www.microsoft.com/en-us/cloud-platform/windows-server-pricing) in order to run the Windows node that will execute the Windows container. You can use your organization's licenses for the cluster, or acquire one from Microsoft, a reseller, or via the major cloud providers such as GCP, AWS, and Azure by provisioning a virtual machine running Windows Server through their marketplaces. A [time-limited trial](https://www.microsoft.com/en-us/cloud-platform/windows-server-trial) is also available. +* Build a Linux-based Kubernetes cluster in which you have access to the control plane (some examples include [Getting Started from Scratch](https://kubernetes.io/docs/setup/scratch/), [kubeadm](https://kubernetes.io/docs/setup/independent/create-cluster-kubeadm/), [AKS Engine](https://kubernetes.io/docs/setup/turnkey/azure/), [GCE](https://kubernetes.io/docs/setup/turnkey/gce/), [AWS](https://kubernetes.io/docs/setup/turnkey/aws/)). + + +## ​Getting Started: Adding a Windows Node to Your Cluster + + +### ​Plan IP Addressing + +Kubernetes cluster management requires careful planning of your IP addresses so that you do not inadvertently cause network collision. 
This guide assumes that you are familiar with the [Kubernetes networking concepts](https://kubernetes.io/docs/concepts/cluster-administration/networking/). + +In order to deploy your cluster you will need the following address spaces: + + + + + + + + + + + + + + + + + + + + + + + +
Subnet / address range + Description + Default value +
Service Subnet + A non-routable, purely virtual subnet that is used by pods to uniformly access services without caring about the network topology. It is translated to/from routable address space by kube-proxy running on the nodes. + "10.96.0.0/12" +
Cluster Subnet + This is a global subnet that is used by all pods in the cluster. Each node is assigned a smaller /24 subnet from this for their pods to use. It must be large enough to accommodate all pods used in your cluster. To calculate minimumsubnet size: (number of nodes) + (number of nodes * maximum pods per node that you configure) +

+Example: for a 5 node cluster for 100 pods per node: (5) + (5 * 100) = 505. +

"10.244.0.0/16" +
Kubernetes DNS Service IP + IP address of kube-dns service that will be used for DNS resolution & cluster service discovery. + "10.96.0.10" +
+ + +Review the networking options supported in 'Intro to Windows containers in Kubernetes: Supported Functionality: Networking' to determine how you need to allocate IP addresses for your cluster. + + +### Components that run on Windows + +While the Kubernetes control plane runs on your Linux node(s), the following components will be configured and run on your Windows node(s). + + + +1. kubelet +2. kube-proxy +3. kubectl (optional) +4. Container runtime + +Get the latest binaries from [https://github.com/kubernetes/kubernetes/releases](https://github.com/kubernetes/kubernetes/releases), starting with v1.14 or later. The Windows-amd64 binaries for kubeadm, kubectl, kubelet, and kube-proxy can be found under the CHANGELOG link. + + +### ​Networking Configuration + +Once you have a Linux-based Kubernetes master node you are ready to choose a networking solution. This guide illustrates using Flannel in VXLAN mode for simplicity. + + +#### ​Configuring Flannel in VXLAN mode on the Linux controller + + + +1. Prepare Kubernetes master for Flannel + +Some minor preparation is recommended on the Kubernetes master in our cluster. It is recommended to enable bridged IPv4 traffic to iptables chains when using Flannel. This can be done using the following command: + + +``` +sudo sysctl net.bridge.bridge-nf-call-iptables=1 + +``` + + + +1. Download & configure Flannel + +Download the most recent Flannel manifest: + + +``` +wget https://raw.githubusercontent.com/coreos/flannel/master/Documentation/kube-flannel.yml +``` + + +There are two sections you should modify to enable the vxlan networking backend: + +After applying the steps below, the `net-conf.json` section of `kube-flannel.yml` should look as follows: + + +``` +net-conf.json: | + { + "Network": "10.244.0.0/16", + "Backend": { + "Type": "vxlan", + "VNI" : 4096, + "Port": 4789 + } + } + +``` + + + +1. In the `net-conf.json` section of your `kube-flannel.yml`, double-check: + 1. The cluster subnet (e.g. 
"10.244.0.0/16") is set as per your IP plan. + * VNI 4096 is set in the backend + * Port 4789 is set in the backend +2. In the `cni-conf.json` section of your `kube-flannel.yml`, change the network name to "`vxlan0"`. + +Note: The VNI must be set to 4096 and port 4789 for Flannel on Linux to interoperate with Flannel on Windows. Support for other VNIs is coming soon. See [VXLAN](https://github.com/coreos/flannel/blob/master/Documentation/backends.md#vxlan) for an explanation of these fields. + +Your `cni-conf.json` should look as follows: + + +``` +cni-conf.json: | + { + "name": "vxlan0", + "plugins": [ + { + "type": "flannel", + "delegate": { + "hairpinMode": true, + "isDefaultGateway": true + } + }, + { + "type": "portmap", + "capabilities": { + "portMappings": true + } + } + ] + } + +``` + + + +1. Apply the Flannel yaml and Validate + +Let's apply the Flannel configuration: + + +``` +kubectl apply -f kube-flannel.yml +``` + + +Next, since the Flannel pods are Linux-based, apply a NodeSelector patch, which can be found [here](https://github.com/Microsoft/SDN/blob/1d5c055bb195fecba07ad094d2d7c18c188f9d2d/Kubernetes/flannel/l2bridge/manifests/node-selector-patch.yml), to the Flannel DaemonSet pod: + + +``` + kubectl patch ds/kube-flannel-ds-amd64 --patch "$(cat node-selector-patch.yml)" -n=kube-system +``` + + +After a few minutes, you should see all the pods as running if the Flannel pod network was deployed. + + +``` +kubectl get pods --all-namespaces +``` + +![alt_text](flannel-master-kubeclt-get-pods.png "flannel master kubectl get pods screen capture") + + +Verify that the Flannel DaemonSet has the NodeSelector applied. + + +``` +kubectl get ds -n kube-system +``` + +![alt_text](flannel-master-kubectl-get-ds.png "flannel master kubectl get ds screen capture") + + + +### Join Windows Worker + +In this section we'll cover configuring a Windows node from scratch to join a cluster on-prem. 
If your cluster is on a cloud you'll likely want to follow the cloud specific guides in the next section. + + +#### Preparing a Windows Node + +Note: All code snippets in Windows sections are to be run in a PowerShell environment with elevated permissions (Admin). + + + +1. Install Docker (requires a system reboot) + +Kubernetes uses [Docker](https://www.docker.com/) as its container engine, so we need to install it. You can follow the [official Docs instructions](https://docs.microsoft.com/en-us/virtualization/windowscontainers/manage-docker/configure-docker-daemon#install-docker), the [Docker instructions](https://store.docker.com/editions/enterprise/docker-ee-server-windows), or try these steps: + + +``` +PS C:\Users\Administrator\Install-Module -Name DockerMsftProvider -Repository PSGallery -Force +PS C:\Users\Administrator\Install-Package -Name Docker -ProviderName DockerMsftProvider +PS C:\Users\Administrator\Restart-Computer -Force +``` + + +If you are behind a proxy, the following PowerShell environment variables must be defined: + + +``` +[Environment]::SetEnvironmentVariable("HTTP_PROXY", "http://proxy.example.com:80/", [EnvironmentVariableTarget]::Machine) +[Environment]::SetEnvironmentVariable("HTTPS_PROXY", "http://proxy.example.com:443/", [EnvironmentVariableTarget]::Machine) +``` + + +If after reboot you may see the following error: + +![alt_text](windows-docker-error.png "windows docker error screen capture") + + +If so then you need to restart the docker service manually: + + +``` +Start-Service docker +``` + + +Note: the "pause" (infrastructure) image is on Microsoft Container Registry (MCR) and the DOCKERFILE is available at [https://github.com/Microsoft/SDN/blob/master/Kubernetes/windows/Dockerfile](https://github.com/Microsoft/SDN/blob/master/Kubernetes/windows/Dockerfile) + + +``` +docker pull mcr.microsoft.com/k8s/core/pause:1.0.0 + +``` + + + +2. 
Prepare a Windows directory for Kubernetes + +Create a "Kubernetes for Windows" directory to store Kubernetes binaries as well as any deployment scripts and config files. + + +``` +mkdir c:\k + +``` + + + +3. Copy Kubernetes certificate + +Copy the Kubernetes certificate file (`$HOME/.kube/config`) [from Linux controller](https://docs.microsoft.com/en-us/virtualization/windowscontainers/kubernetes/creating-a-linux-master#collect-cluster-information) to this new `C:\k` directory on your Windows node. + +Tip: You can use tools such as [xcopy](https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/xcopy) or [WinSCP](https://winscp.net/eng/download.php) to transfer the config file between nodes. + + + +4. Download Kubernetes binaries + +To be able to run Kubernetes, you first need to download the `kubectl`, `kubelet`, and `kube-proxy` binaries. You can download these from the links in the CHANGELOG.md file of the [latest releases](https://github.com/kubernetes/kubernetes/releases/). + +Use the [Expand-Archive](https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.archive/expand-archive?view=powershell-6) PowerShell command to extract the archive and place the binaries into `C:\k`. + + +#### Join the Windows node to the Flannel cluster + +The Flannel overlay deployment scripts and documentation are available in [this repository](https://github.com/Microsoft/SDN/tree/master/Kubernetes/flannel/overlay). The following steps are a simple walkthrough of the more comprehensive instructions available there. 
+ +Download the [Flannel start.ps1](https://github.com/Microsoft/SDN/blob/master/Kubernetes/flannel/start.ps1) script, the contents of which should be extracted to `C:\k`: + + +``` +cd c:\k +[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 +wget https://raw.githubusercontent.com/Microsoft/SDN/master/Kubernetes/flannel/start.ps1 -o c:\k\start.ps1 +``` + + +Note: [start.ps1](https://github.com/Microsoft/SDN/blob/master/Kubernetes/flannel/start.ps1) references [install.ps1](https://github.com/Microsoft/SDN/blob/master/Kubernetes/windows/install.ps1), which will download additional files such as the `flanneld` executable and the [Dockerfile for infrastructure pod](https://github.com/Microsoft/SDN/blob/master/Kubernetes/windows/Dockerfile) and install those for you. For overlay networking mode, the [firewall](https://github.com/Microsoft/SDN/blob/master/Kubernetes/windows/helper.psm1#L111) will be opened for local UDP port 4789. There may be multiple powershell windows being opened/closed as well as a few seconds of network outage while the new external vSwitch for the pod network is being created the first time. Run the script using the arguments as specified below: + + +``` +.\start.ps1 -ManagementIP -NetworkMode overlay -ClusterCIDR -ServiceCIDR -KubeDnsServiceIP -LogDir + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
``` + +Parameter + Default Value + Notes +
-ManagementIP + N/A (required) + The IP address assigned to the Windows node. You can use ipconfig to find this. +
-NetworkMode + l2bridge + We're using overlay here +
-ClusterCIDR + 10.244.0.0/16 + Refer to your cluster IP plan +
-ServiceCIDR + 10.96.0.0/12 + Refer to your cluster IP plan +
-KubeDnsServiceIP + 10.96.0.10 + +
-InterfaceName + Ethernet + The name of the network interface of the Windows host. You can use ipconfig to find this. +
-LogDir + C:\k + The directory where kubelet and kube-proxy logs are redirected into their respective output files. +
+ + +Now you can view the Windows nodes in your cluster by running the following: + + +``` +kubectl get nodes +``` + + + +### ​Public Cloud Providers + + +#### Azure + +AKS-Engine can deploy a complete, customizable Kubernetes cluster with both Linux & Windows nodes. There is a step-by-step walkthrough available in the [docs on GitHub](https://github.com/Azure/aks-engine/blob/master/docs/topics/windows.md). + + +#### ​GCP + +Users can easily deploy a complete Kubernetes cluster on GCE following this step-by-step walkthrough on [GitHub](https://github.com/kubernetes/kubernetes/blob/master/cluster/gce/windows/README-GCE-Windows-kube-up.md) + + +#### ​Deployment with kubeadm and cluster API + +Kubeadm is becoming the de facto standard for users to deploy a Kubernetes cluster. Windows node support in kubeadm will come in a future release. We are also making investments in cluster API to ensure Windows nodes are properly provisioned. + + +#### Next Steps + +Now that you've configured a Windows worker in your cluster to run Windows containers you may want to add one or more Linux nodes as well to run Linux containers. Now you're ready to proceed to the next step to schedule Windows containers on your cluster. + + +# User Guide: Running Windows containers in Kubernetes + + +## Objectives + + + +* Configure a deployment to run Windows containers on the Windows node +* (Optional) Configure Windows service identity using Group Managed Service Accounts (gMSA) + + +## Before you begin + + + +* Create a Kubernetes cluster that includes a master and a worker node running Windows Server +* It is important to note that creating and deploying services and workloads on Kubernetes behaves in much the same way for Linux and Windows containers. [Kubectl commands](https://kubernetes.io/docs/reference/kubectl/overview/) to interface with the cluster are identical. The example in the section below is provided simply to jumpstart your experience with Windows containers. 
+ + +## ​Getting Started: Deploying a Windows Container + + + +1. Create a simple webserver example: + +Create a service spec `win-webserver.yaml` with the contents below: [TODO create this as a file in the docs folder and add a link] + + +``` +apiVersion: v1 +kind: Service +metadata: + name: win-webserver + labels: + app: win-webserver +spec: + ports: + # the port that this service should serve on + - port: 80 + targetPort: 80 + selector: + app: win-webserver + type: NodePort +--- +apiVersion: extensions/v1beta1 +kind: Deployment +metadata: + labels: + app: win-webserver + name: win-webserver +spec: + replicas: 2 + template: + metadata: + labels: + app: win-webserver + name: win-webserver + spec: + containers: + - name: windowswebserver + image: mcr.microsoft.com/windows/servercore:ltsc2019 + command: + - powershell.exe + - -command + - "<#code used from https://gist.github.com/wagnerandrade/5424431#> ; $$listener = New-Object System.Net.HttpListener ; $$listener.Prefixes.Add('http://*:80/') ; $$listener.Start() ; $$callerCounts = @{} ; Write-Host('Listening at http://*:80/') ; while ($$listener.IsListening) { ;$$context = $$listener.GetContext() ;$$requestUrl = $$context.Request.Url ;$$clientIP = $$context.Request.RemoteEndPoint.Address ;$$response = $$context.Response ;Write-Host '' ;Write-Host('> {0}' -f $$requestUrl) ; ;$$count = 1 ;$$k=$$callerCounts.Get_Item($$clientIP) ;if ($$k -ne $$null) { $$count += $$k } ;$$callerCounts.Set_Item($$clientIP, $$count) ;$$ip=(Get-NetAdapter | Get-NetIpAddress); $$header='

Windows Container Web Server

' ;$$callerCountsString='' ;$$callerCounts.Keys | % { $$callerCountsString+='

IP {0} callerCount {1} ' -f $$ip[1].IPAddress,$$callerCounts.Item($$_) } ;$$footer='' ;$$content='{0}{1}{2}' -f $$header,$$callerCountsString,$$footer ;Write-Output $$content ;$$buffer = [System.Text.Encoding]::UTF8.GetBytes($$content) ;$$response.ContentLength64 = $$buffer.Length ;$$response.OutputStream.Write($$buffer, 0, $$buffer.Length) ;$$response.Close() ;$$responseStatus = $$response.StatusCode ;Write-Host('< {0}' -f $$responseStatus) } ; " + nodeSelector: + beta.kubernetes.io/os: windows +``` + + +Note: Port mapping is also supported, but for simplicity in this example the container port 80 is exposed directly to the service. + + + +2. Check that all nodes are healthy: + + ``` + kubectl get nodes + ``` + + +3. Deploy the service and watch for pod updates: + + ``` + kubectl apply -f win-webserver.yaml + + kubectl get pods -o wide -w + When the service is deployed correctly both Pods will be marked as Ready. To exit the watch command, press Ctrl+C. + + ``` + + + +4. Check that the deployment succeeded. 
To verify: + * Two containers per pod on the Windows node, use `docker ps` + * Two pods listed from the Linux master, use `kubectl get pods` + * Node-to-pod communication across the network, `curl` port 80 of your pod IPs from the Linux master to check for a web server response + * Pod-to-pod communication, ping between pods (and across hosts, if you have more than one Windows node) using docker exec or kubectl exec + * Service-to-pod communication, `curl` the virtual service IP (seen under `kubectl get services`) from the Linux master and from individual pods + * Service discovery, `curl` the service name with the Kubernetes[ default DNS suffix](https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#services) + * Inbound connectivity, `curl` the NodePort from the Linux master or machines outside of the cluster + * Outbound connectivity, `curl` external IPs from inside the pod using kubectl exec + +**Note: **Windows _container hosts_ are not able to access the IP of services scheduled on them due to current platform limitations of the Windows networking stack. Only Windows _pods_ are able to access service IPs. + + +## Managing Workload Identity with Group Managed Service Accounts + +Starting with Kubernetes v1.14, Windows container workloads can be configured to use Group Managed Service Accounts (GMSA). Group Managed Service Accounts are a specific type of Active Directory account that provides automatic password management, simplified service principal name (SPN) management, and the ability to delegate the management to other administrators across multiple servers. Containers configured with a GMSA can access external Active Directory Domain resources while carrying the identity configured with the GMSA. Learn more about configuring and using GMSA for Windows containers [here](https://kubernetes.io/docs/concepts/configuration/workload-identity/). + + +### Taints and Tolerations + + +## ​Secrets Management + + + +1. 
Create a secret by following the[ standard directions](https://kubernetes.io/docs/tasks/inject-data-application/distribute-credentials-secure/#create-a-secret) +2. Configure your pod to receive the secret via an environment variable. + + `--- \ +apiVersion: v1 \ +kind: Pod \ +metadata: \ + name: secret-envars-test-pod \ +spec: \ + containers: \ + - name: envars-test-container \ + image: microsoft/windowsservercore:ltsc2019 \ + imagePullPolicy: Never \ + command: \ + - ping \ + - -t \ + - localhost \ + env: \ + - name: SECRET_USERNAME \ + valueFrom: \ + secretKeyRef: \ + name: test-secret \ + key: username \ + - name: SECRET_PASSWORD \ + valueFrom: \ + secretKeyRef: \ + name: test-secret \ + key: password` \ + + +3. Deploy the pod and verify that it is running: + + +``` +kubectl create -f https://k8s.io/docs/getting-started-guides/windows/secret-pod.yaml +kubectl get pod secret-envars-test-pod + +``` + + + +1. Open a shell into the container running the pod: + + +``` +kubectl exec -it secret-envars-test-pod -- powershell + +``` + + + +1. See that the secret is in the environment variable: + + +``` +echo $env:SECRET_USERNAME $env:SECRET_PASSWORD +``` + + +You should see the output:` \ +my-app \ +39528$vdg7Jb` + + +# ​Getting Help and Troubleshooting + + + +1. How do I know start.ps1 on Windows completed successfully? + +You should see kubelet, kube-proxy, and (if you chose Flannel as your networking solution) flanneld host-agent processes running on your node, with running logs being displayed in separate PoSh windows. In addition to this, your Windows node should be listed as "Ready" in your Kubernetes cluster. + + + +2. Can I configure the Kubernetes node processes as in the background? + 1. As native Windows Services + +Kubelet & kube-proxy can be run as native [Windows Services](https://kubernetes.io/docs/getting-started-guides/windows/#kubelet-and-kube-proxy-can-now-run-as-windows-services). 
See [Windows Services on Kubernetes](https://docs.microsoft.com/en-us/virtualization/windowscontainers/kubernetes/kube-windows-services) for example steps. [TO DO create a section for setting up as Windows Services] + + + + 2. Using nssm.exe + +You can also always use alternative service managers like [nssm.exe](https://nssm.cc/) to always run these processes (flanneld, kubelet & kube-proxy) in the background for you. For initial troubleshooting, you can use the following flags in [nssm.exe](https://nssm.cc/) to redirect stdout and stderr to a output file: + + +``` +nssm set AppStdout C:\k\mysvc.log +nssm set AppStderr C:\k\mysvc.log +``` + + +For additional details, see official [nssm usage](https://nssm.cc/usage) docs. + + + +3. My Windows Pods do not have network connectivity + +If you are using virtual machines, ensure that MAC spoofing is enabled on all the VM network adapter(s). + + + +4. My Windows Pods cannot ping external resources + +Windows pods do not have outbound rules programmed for the ICMP protocol today. However, TCP/UDP is supported. When trying to demonstrate connectivity to resources outside of the cluster, please substitute `ping ` with corresponding `curl ` commands. \ + \ +If you are still facing problems, most likely your network configuration in [cni.conf](https://github.com/Microsoft/SDN/blob/master/Kubernetes/flannel/l2bridge/cni/config/cni.conf) deserves some extra attention. You can always edit this static file, the configuration will be applied to any newly created Kubernetes resources. \ + \ +One of the Kubernetes networking requirements (see [Kubernetes model](https://kubernetes.io/docs/concepts/cluster-administration/networking/)) is for cluster communication to occur without NAT internally. To honor this requirement, there is an [ExceptionList](https://github.com/Microsoft/SDN/blob/master/Kubernetes/flannel/l2bridge/cni/config/cni.conf#L20) for all the communication where we do not want outbound NAT to occur. 
However, this also means that you need to exclude the external IP you are trying to query from the ExceptionList. Only then will the traffic originating from your Windows pods be SNAT'ed correctly to receive a response from the outside world. In this regard, your ExceptionList in `cni.conf` should look as follows: + + +``` +"ExceptionList": [ + "10.244.0.0/16", # Cluster subnet + "10.96.0.0/12", # Service subnet + "10.127.130.0/24" # Management (host) subnet + ] + +``` + + + +5. My Windows node cannot access NodePort service + +Local NodePort access from the node itself will fail. This is a known limitation. NodePort access will work from other nodes or external clients. + + + +6. vNICs and HNS endpoints of containers are being deleted + +This issue can be caused when the `hostname-override` parameter is not passed to [kube-proxy](https://kubernetes.io/docs/reference/command-line-tools-reference/kube-proxy/). To resolve it, users need to pass the hostname to kube-proxy as follows: + + +``` +C:\k\kube-proxy.exe --hostname-override=$(hostname) + +``` + + + +7. With flannel my nodes are having issues after rejoining a cluster + +Whenever a previously deleted node is being rejoined to the cluster, flannelD will try to assign a new pod subnet to the node. Users should remove the old pod subnet configuration files in the following paths: + + +``` +Remove-Item C:\k\SourceVip.json +Remove-Item C:\k\SourceVipRequest.json + +``` + + + +8. After launching `start.ps1`, flanneld is stuck in "Waiting for the Network to be created" + +There are numerous reports of this issue which are being investigated; most likely it is a timing issue for when the management IP of the flannel network is set. A workaround is to simply relaunch start.ps1 or relaunch it manually as follows: + + +``` +PS C:> [Environment]::SetEnvironmentVariable("NODE_NAME", "") +PS C:> C:\flannel\flanneld.exe --kubeconfig-file=c:\k\config --iface= --ip-masq=1 --kube-subnet-mgr=1 + +``` + + + +9. 
My Windows Pods cannot launch because of missing `/run/flannel/subnet.env` + +This indicates that Flannel didn't launch correctly. You can either try to restart flanneld.exe or you can copy the files over manually from `/run/flannel/subnet.env` on the Kubernetes master to` C:\run\flannel\subnet.env` on the Windows worker node and modify the `FLANNEL_SUBNET` row to a different number. For example, if node subnet 10.244.4.1/24 is desired: + + +``` +FLANNEL_NETWORK=10.244.0.0/16 +FLANNEL_SUBNET=10.244.4.1/24 +FLANNEL_MTU=1500 +FLANNEL_IPMASQ=true + +``` + + + +10. My Windows node cannot access my services using the service IP + +This is a known limitation of the current networking stack on Windows. Windows pods are able to access the service IP however. + + + +11. No network adapter is found when starting kubelet + +The Windows networking stack needs a virtual adapter for Kubernetes networking to work. If the following commands return no results (in an admin shell), virtual network creation — a necessary prerequisite for Kubelet to work — has failed: + + +``` +Get-HnsNetwork | ? Name -ieq "cbr0" +Get-NetAdapter | ? Name -Like "vEthernet (Ethernet*" +``` + + +Often it is worthwhile to modify the [InterfaceName](https://github.com/Microsoft/SDN/blob/master/Kubernetes/flannel/l2bridge/start.ps1#L6) parameter of the start.ps1 script, in cases where the host's network adapter isn't "Ethernet". Otherwise, consult the output of the `start-kubelet.ps1` script to see if there are errors during virtual network creation. + + + +12. My Pods are stuck at "Container Creating" or restarting over and over + +Check that your pause image is compatible with your OS version. The [instructions](https://docs.microsoft.com/en-us/virtualization/windowscontainers/kubernetes/deploying-resources) assume that both the OS and the containers are version 1803. If you have a later version of Windows, such as an Insider build, you will need to adjust the images accordingly. 
Please refer to the Microsoft's [Docker repository](https://hub.docker.com/u/microsoft/) for images. Regardless, both the pause image Dockerfile and the sample service will expect the image to be tagged as :latest. + +If these steps don't resolve your problem, you can get help running Windows Containers on Windows nodes in Kubernetes through: + + + +* StackOverflow [Windows Server Container](https://stackoverflow.com/questions/tagged/windows-server-container) topic +* Kubernetes Official Forum [discuss.kubernetes.io](https://discuss.kubernetes.io/) +* Kubernetes Slack [#SIG-Windows Channel](https://kubernetes.slack.com/messages/C0SJ4AFB7) + + +### Bugs and Feature Requests + +If you have what looks like a bug, or you would like to make a feature request, please use the [Github issue tracking system](https://github.com/kubernetes/kubernetes/issues). + +Before you file an issue, please search existing issues to see if your issue is already covered. + +If filing a bug, please include detailed information about how to reproduce the problem, such as: + + + +* Kubernetes version: kubectl version +* Cloud provider, OS distro, network configuration, and Docker version +* Steps to reproduce the problem +* Tag the issue sig/windows to bring it to the Windows Special Interest Group member attention + + +# Roadmap + +We have a lot of features in our roadmap. + + +### CRI-ContainerD + +ContainerD is another OCI-compliant runtime that recently graduated as a CNCF project. It's currently tested on Linux, but 1.3 will bring support for Windows and Hyper-V. [[reference](https://blog.docker.com/2019/02/containerd-graduates-within-the-cncf/)] + +The CRI-ContainerD interface will be able to manage sandboxes based on Hyper-V. 
This provides a foundation where RuntimeClasses could be implemented for new use cases including: + + + +* Hypervisor-based isolation between pods for additional security +* Backwards compatibility allowing a node to run a newer Windows Server version without requiring containers to be rebuilt +* Specific CPU/NUMA settings for a pod +* Memory isolation and reservations + + +### Deployment with kubeadm and cluster API + +Kubeadm is becoming the de facto standard for users to deploy a Kubernetes cluster. Windows node support in kubeadm will come in a future release. We are also making investments in cluster API to ensure Windows nodes are properly provisioned. + + +# Document 2: Windows Node contribution specifics + +[https://contributor.kubernetes.io/contributors/guide/](https://contributor.kubernetes.io/contributors/guide/) Under Contributing section + + +## Joining the SIG-Windows Mailing List and Slack Channel + +The best way to get in contact with the contributors working on Windows support is through the Kubernetes Slack. To get a Slack invite, visit [http://slack.k8s.io/](http://slack.k8s.io/) . Once you're logged in, join us in the [#SIG-Windows](https://kubernetes.slack.com/messages/C0SJ4AFB7) channel. + +To get access to shared documents, meeting calendar, and additional discussions, be sure to also join the [SIG-Windows Google Group](https://groups.google.com/forum/#!forum/kubernetes-sig-windows). + + +## Building Kubernetes for Windows from Source + +The Kubernetes build scripts have not been ported to Windows, so it's best to run in a Linux VM where you can run the same Docker container used in the official Kubernetes builds. This simplifies the steps, but means that you cannot build under Windows Subsystem for Linux (WSL). + +It's best to skim over the [Building Kubernetes](https://github.com/kubernetes/kubernetes/blob/master/build/README.md) guide if you have never built Kubernetes before to get the latest info. 
These steps are a summary focused on cross-building the Windows node binaries (kubelet & kube-proxy). + + +### ​Build Prerequisites + +At least 60GB of disk space is required, and 16GB of memory (or memory + swap). + +Once you have a VM, install Git, [Docker-CE](https://docs.docker.com/install/), and make. The build scripts will pull a Docker container with the required version of golang and other needed tools preinstalled. + +If you're using Ubuntu, then install the following packages: git, build-essential, [Docker-CE](https://docs.docker.com/install/linux/docker-ce/ubuntu/). + + +### ​Pulling a PR (optional) + +If there is a PR you would like to build, it's easy. You can create a working branch, pull the changes from GitHub in a patch, apply, then build. + +The examples here are based off a patch on GitHub: [https://github.com/kubernetes/kubernetes/pull/74788](https://github.com/kubernetes/kubernetes/pull/74788) . Be sure to replace the URL with the PR you want to test. + +First, make sure your local clone is up-to-date with master: `git checkout master ; git pull master` + +Next, create a branch in your repo: `git checkout -b pr74788` + +Now, get the patch for the PR you want. Append .patch to the URL, and download it with curl: `curl -L -o pr74788.patch https://github.com/kubernetes/kubernetes/pull/74788.patch` + +Merge it with ``patch -p1 < pr74788.patch`` + +If there are errors, fix them as needed. Once you're done, delete the .patch file and then `git commit` the rest to your local branch. + + +### Building Kubernetes binaries for Windows + +You can build individual components such as kubelet, kube-proxy, or kubectl by running `./build/run.sh make KUBE_BUILD_PLATFORMS=windows/amd64` such as `./build/run.sh make kubelet KUBE_BUILD_PLATFORMS=windows/amd64` + +If you would like to build all binaries at once, then run `./build/run.sh make cross KUBE_BUILD_PLATFORMS=windows/amd64` + +Once the build completes, the files will be in _output/dockerized/bin. 
+ + +## Running Your Own Cluster + + +## Testing Your Changes + + +### Updating the Node binaries + +Once you have binaries built (see Building Kubernetes binaries for Windows), the easiest way to test them is to replace them on an existing cluster. Use the steps above to build a cluster in your cloud of choice. To update the binaries on an existing node, follow these steps: + + + +1. Drain & cordon a node with `kubectl drain ` +2. Connect to the node with SSH or Windows Remote Desktop, and start PowerShell +3. On the node, run `Stop-Service kubelet -Force` +4. Copy kubelet.exe and kube-proxy.exe to a cloud storage account, or use SSH to copy them directly to the node. +5. Overwrite the existing kubelet & kube-proxy binaries. If you don't know where they are, run `sc.exe qc kubelet` or `sc.exe qc kube-proxy` and look at the BINARY_PATH_NAME returned. +6. Start the updated kubelet & kube-proxy with `Start-Service kubelet` + + +### ​Running Tests + +For the most up-to-date steps on how to build and run tests, please go to [https://github.com/kubernetes-sigs/windows-testing](https://github.com/kubernetes-sigs/windows-testing) . It has everything you need to build and run tests, as well as links to the SIG-Windows configurations used on [TestGrid](https://testgrid.k8s.io/sig-windows). + + +## Reporting Issues + + +### Gathering Logs + +Gathering trouble shooting info for CNI. [https://github.com/kubernetes/kubernetes/issues/74766#issuecomment-468736127](https://github.com/kubernetes/kubernetes/issues/74766#issuecomment-468736127) + +On the node before creating the pod for the first time. 
+ +start-birstranfer [https://raw.githubusercontent.com/Microsoft/SDN/master/Kubernetes/windows/debug/collectlogs.ps1](https://raw.githubusercontent.com/Microsoft/SDN/master/Kubernetes/windows/debug/collectlogs.ps1) + +run collectlogs.ps1 + +then start the trace by running the following command + +C:\k\debug\starthnstrace.cmd + +repro the issue + +run "netsh trace stop" + +then do again collectlogs.ps1 + +and send us both before and after collectlogs.ps1 and C:\server.etl + + + + + + diff --git a/content/en/docs/getting-started-guides/windows/complete-staging.md b/content/en/docs/getting-started-guides/windows/complete-staging.md new file mode 100644 index 0000000000000..b894f3f337683 --- /dev/null +++ b/content/en/docs/getting-started-guides/windows/complete-staging.md 
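Review bot: step 3 of "Preparing a Windows Node" tells the reader to copy `$HOME/.kube/config` from the Linux controller into `C:\k` and calls it "the Kubernetes certificate file"; that file is the admin kubeconfig (server address plus the admin client certificate and key), so every Windows worker that follows these steps runs kubelet, kube-proxy and the later `flanneld.exe --kubeconfig-file=c:\k\config` with cluster-admin rights. Call it a kubeconfig, and tell the reader to issue the worker a node-scoped credential (for example via kubelet TLS bootstrapping with a bootstrap token) instead of the admin config, or at least state that copying the admin config is for lab clusters only. In the same spirit, the join step fetches `start.ps1` from the `master` branch with `wget https://raw.githubusercontent.com/Microsoft/SDN/master/Kubernetes/flannel/start.ps1 -o c:\k\start.ps1` and runs it, and the note says it chains into `install.ps1`, which downloads `flanneld` and other binaries; pin the raw URL to a commit and publish a checksum, or ask readers to inspect the scripts first (`wget` here is the PowerShell alias for `Invoke-WebRequest`, so `-OutFile` would also be clearer than `-o`). Several placeholders were lost in the export and the commands as shown cannot be typed in: `.\start.ps1 -ManagementIP -NetworkMode overlay -ClusterCIDR -ServiceCIDR -KubeDnsServiceIP -LogDir`, `kubectl drain `, `--iface=`, `SetEnvironmentVariable("NODE_NAME", "")` and the `ping `/`curl ` substitution all need their angle-bracket arguments restored, and the `PS C:\Users\Administrator\Install-Module ...` lines are missing the `>` of the prompt and read as paths. The `start.ps1` parameter table came through as a run of empty `+` lines followed by one cell per line; rebuild it as a markdown table, since Hugo will not render the current form. `cni.conf` is JSON, so the `"ExceptionList"` snippet with `"10.244.0.0/16", # Cluster subnet` comments will fail to parse; move the comments into prose. In `win-webserver.yaml` the Deployment uses `apiVersion: extensions/v1beta1`, which is deprecated in 1.14; use `apps/v1` with a `selector`, and fix the `-command` string, whose `$$` doubled dollar signs and HTML-stripped fragments mean the manifest does not run as shown. The secrets example uses `microsoft/windowsservercore:ltsc2019` with `imagePullPolicy: Never` while the rest of the page uses `mcr.microsoft.com/windows/servercore:ltsc2019`, and step 3 applies `https://k8s.io/docs/getting-started-guides/windows/secret-pod.yaml` although step 2 had the reader write that YAML locally. Troubleshooting item 12 says the instructions assume version 1803 and a pause image tagged `:latest`, contradicting the earlier `docker pull mcr.microsoft.com/k8s/core/pause:1.0.0` and the 1809/2019-only support statement. Finally, `start-birstranfer` should be `Start-BitsTransfer`, and the node-update steps drain and cordon the node but never `kubectl uncordon` it afterwards.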
@@ -0,0 +1,1363 @@ +# Document 1: Using Windows containers in Kubernetes. Section: ​Overview + +([https://kubernetes.io/docs/getting-started-guides/windows/](https://kubernetes.io/docs/getting-started-guides/windows/) [https://github.com/kubernetes/website/pull/12929](https://github.com/kubernetes/website/pull/12929)) + + +## ​Motivation + +Windows applications constitute a large portion of the services and applications that run in many organizations. [Windows containers](https://aka.ms/windowscontainers) provide a modern way to encapsulate processes and package dependencies, making it easier to use DevOps practices and follow cloud native patterns for Windows applications. Kubernetes has become the defacto standard container orchestrator, and the release of Kubernetes 1.14 includes production support for scheduling Windows containers on Windows nodes in a Kubernetes cluster, enabling a vast ecosystem of Windows applications to leverage the power of Kubernetes. Enterprises with investments in Windows-based applications and Linux-based applications don't have to look for separate orchestrators to manage their workloads, leading to increased operational efficiencies across their deployments, regardless of operating system. + + +## ​Intro to Windows containers in Kubernetes + +To enable the orchestration of Windows containers in Kubernetes, simply include Windows nodes in your existing Linux cluster. Scheduling Windows containers in [Pods](https://kubernetes.io/docs/concepts/workloads/pods/pod-overview/) on Kubernetes is as simple and easy as scheduling Linux-based containers. + +In order to run Windows containers, your Kubernetes cluster must include multiple operating systems, with control plane nodes running Linux and workers running either Windows or Linux depending on your workload needs. 
Windows Server 2019 is the only Windows operating system supported, enabling [Kubernetes Node](https://github.com/kubernetes/community/blob/master/contributors/design-proposals/architecture/architecture.md#the-kubernetes-node) on Windows (including kubelet, [container runtime](https://docs.microsoft.com/en-us/virtualization/windowscontainers/deploy-containers/containerd), and kube-proxy). For a detailed explanation of Windows distribution channels see the [Microsoft documentation](https://docs.microsoft.com/en-us/windows-server/get-started-19/servicing-channels-19). + +NOTE: The Kubernetes control plane, including the [master components](https://kubernetes.io/docs/concepts/overview/components/), will continue to run on Linux. There are no plans have a Windows-only Kubernetes cluster. + + +## ​Supported Functionality and Limitations + + +### ​Supported Functionality + + +#### Compute + +From an API and kubectl perspective, Windows containers behave in much the same way as Linux-based containers. However, there are some notable differences in key functionality which are outlined in the limitation section. + +Let's start with the operating system version. Refer to the following table for Windows operating system support in Kubernetes. A single heterogeneous Kubernetes cluster can have both Windows and Linux worker nodes. Windows containers have to be scheduled on Windows nodes and Linux containers on Linux nodes. + + + + + + + + + + + + + + + + + + + + + +
Kubernetes version + Host OS version (Kubernetes Node) + + +
+ Windows Server 1709 + Windows Server 1803 + Windows Server 1809/Windows Server 2019 +
Kubernetes v1.14 + Not Supported + Not Supported + Supported for Windows Server containers Builds 17763.* with Docker EE-basic 18.09 +
+ + + + NOTE: The Windows Server Host Operating System is subject to the [Windows Server ](https://www.microsoft.com/en-us/cloud-platform/windows-server-pricing) licensing. The Windows Container images are subject to the [Supplemental License Terms for Windows containers](https://docs.microsoft.com/en-us/virtualization/windowscontainers/images-eula). + + + NOTE: Windows containers have strict compatibility rules, [where the host OS version must match the container base image OS version.](https://docs.microsoft.com/en-us/virtualization/windowscontainers/deploy-containers/version-compatibility) + +Key Kubernetes elements work the same way in Windows as they do in Linux. In this section, we will talk about some of the key workload enablers and how they map to Windows. + + + +* [Pods](https://kubernetes.io/docs/concepts/workloads/pods/pod-overview/) + + A Pod is the basic building block of Kubernetes–the smallest and simplest unit in the Kubernetes object model that you create or deploy. The following Pod capabilities, properties and events are supported with Windows containers: + + + + * Single or multiple containers per Pod with process isolation and volume sharing + * Pod status fields + * Readiness and Liveness probes + * postStart & preStop container lifecycle events + * ConfigMap, Secrets: as environment variables or volumes + * EmptyDir + * Named pipe host mounts + * Resource limits +* [Controllers](https://kubernetes.io/docs/concepts/workloads/controllers/) + + Kubernetes controllers handle the desired state of Pods. The following workload controllers are supported with Windows containers: + + * ReplicaSet + * ReplicationController + * Deployments + * StatefulSets + * DaemonSet + * Job + * CronJob +* [Services](https://kubernetes.io/docs/concepts/services-networking/service/) + + A Kubernetes Service is an abstraction which defines a logical set of Pods and a policy by which to access them - sometimes called a micro-service. 
You can use services for cross-operating system connectivity. In Windows, services can utilize the following types, properties and capabilities: + + * Service Environment variables + * NodePort + * ClusterIP + * LoadBalancer + * ExternalName + * Headless services + +Pods, Controllers and Services are critical elements to managing Windows workloads on Kubernetes. However, on their own they are not enough to enable the proper lifecycle management of Windows workloads in a dynamic cloud native environment. We added support for the following features: + + + +* Pod and container metrics +* Horizontal Pod Autoscaler support +* KubeCtl Exec +* Resource Quotas +* Scheduler preemption + + +#### Container Runtime + +Docker EE-basic 18.09 is required on Windows Server 2019 / 1809 nodes for Kubernetes. This works with the dockershim code included in the kubelet. Additional runtimes such as CRI-ContainerD may be supported in later Kubernetes versions. + + +#### Storage + +Kubernetes Volumes enable complex applications with data persistence and Pod volume sharing requirements to be deployed on Kubernetes. Kubernetes on Windows supports the following types of [volumes](https://kubernetes.io/docs/concepts/storage/volumes/): + + + +* FlexVolume out-of-tree plugin with [SMB and iSCSI ](https://github.com/Microsoft/K8s-Storage-Plugins/tree/master/flexvolume/windows)support +* [azureDisk](https://kubernetes.io/docs/concepts/storage/volumes/#azuredisk) +* [azureFile ](https://kubernetes.io/docs/concepts/storage/volumes/#azurefile) + + +#### ​Networking + +Networking for Windows containers is exposed through [CNI plugins](https://kubernetes.io/docs/concepts/extend-kubernetes/compute-storage-net/network-plugins/). Windows containers function similarly to virtual machines in regards to networking. Each container has a virtual network adapter (vNIC) which is connected to a Hyper-V virtual switch (vSwitch). 
The Host Networking Service (HNS) and the Host Compute Service (HCS) work together to create containers and attach container vNICs to networks. HCS is responsible for the management of containers whereas HNS is responsible for the management of networking resources such as: + + + +* Virtual networks (including creation of vSwitches) +* Endpoints / vNICs +* Namespaces +* Policies (Packet encapsulations, Load-balancing rules, ACLs, NAT'ing rules, etc.) + +The following service spec types are supported: + + + +* NodePort +* ClusterIP +* LoadBalancer +* ExternalName + +Windows supports five different networking drivers/modes: L2bridge, L2tunnel, Overlay, Transparent, and NAT. In a heterogeneous cluster with Windows and Linux work nodes, you need to select a networking solution that is compatible on both Windows and Linux. The following out-of-tree plugins are supported on Windows, with recommendations on when to use each CNI: + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Network Driver + Description + Container Packet Modifications + Network Plugins + Network Plugin Characteristics +
L2bridge + Containers are attached to an external vSwitch. Containers are attached to the underlay network, although the physical network doesn't need to learn the container MACs because they are rewritten on ingress/egress. Inter-container traffic is bridged inside the container host. + MAC is rewritten to host MAC, IP remains the same. + win-bridge, Azure-CNI, Flannel host-gateway uses win-bridge + win-bridge uses L2bridge network mode, connects containers to the underlay of hosts, offering best performance. Requires L2 adjacency between container hosts +
L2Tunnel + This is a special case of l2bridge, but only used on Azure. All packets are sent to the virtualization host where SDN policy is applied. + MAC rewritten, IP visible on the underlay network + Azure-CNI + Azure-CNI allows integration of containers with Azure vNET, and allows them to leverage the set of capabilities that Azure Virtual Network provides. For example, securely connect to Azure services or use Azure NSGs. See azure-cni for some examples +
Overlay (Overlay networking for Windows in Kubernetes is in alpha stage) + Containers are given a vNIC connected to an external vSwitch. Each overlay network gets its own IP subnet, defined by a custom IP prefix.The overlay network driver uses VXLAN encapsulation. + Encapsulated with an outer header, inner packet remains the same. + Win-overlay, Flannel VXLAN (uses win-overlay), +

+OVN-Kubernetes (uses OpenVSwitch on Windows - Prebuilt certified installer), requires KB4482887 +

win-overlay should be used when virtual container networks are desired to be isolated from underlay of hosts (e.g. for security reasons). Allows for IPs to be re-used for different overlay networks (which have different VNID tags) if you are restricted on IPs in your datacenter. This option may be used when the container hosts are not L2 adjacent but have L3 connectivity +
Transparent (not used in Kubernetes) + Containers are given a vNIC connected to an external vSwitch. Containers are attached to the underlay network directly and the physical network needs to learn the container MACs. + Both MAC and IP remains the same. + + Included here for completeness +
NAT (not used in Kubernetes) + Containers are given a vNIC connected to an internal vSwitch. DNS/DHCP is provided using an internal component called WinNAT + MAC and IP is rewritten to host MAC/IP. + nat + Included here for completeness +
+ + +Furthermore, for simplified consumption of the win-bridge and win-overlay plugins for end-users with automated network configurations, [Flannel](https://github.com/coreos/flannel) has added support for Windows in their [meta plugin](https://github.com/containernetworking/plugins/tree/master/plugins/meta/flannel) via the [VXLAN network backend](https://github.com/coreos/flannel/blob/master/Documentation/backends.md#vxlan) (**alpha support** ; delegates to win-overlay) and [host-gateway network backend](https://github.com/coreos/flannel/blob/master/Documentation/backends.md#host-gw) (stable support; delegates to win-bridge) with the [host-local plugin](https://github.com/containernetworking/plugins/tree/master/plugins/ipam/host-local) used for IP address management and the meta CNI network plugin [flannel](https://github.com/containernetworking/plugins/tree/master/plugins/meta/flannel#windows-support-experimental) for interacting between the delegated CNI plugin (win-bridge or win-overlay) and providing the host-local IPAM the correct range from subnet.env file provisioned by the flanneld agent. + +For the node, pod, and service objects, the following network flows are supported for TCP/UDP traffic: + + + +* Pod -> Pod (IP) +* Pod -> Pod (Name) +* Pod -> Service (Cluster IP) +* Pod -> Service (PQDN, but only if there are no ".") +* Pod -> Service (FQDN) +* Pod -> External (IP) +* Pod -> External (DNS) +* Node -> Pod +* Pod -> Node + +The following IPAM options are supported on Windows: + + + +* [Host-local](https://github.com/containernetworking/plugins/tree/master/plugins/ipam/host-local) +* HNS IPAM (Inbox platform IPAM, this is a fallback when no IPAM is set) +* [Azure-vnet-ipam](https://github.com/Azure/azure-container-networking/blob/master/docs/ipam.md) (for azure-cni only) + + +### ​​​​Limitations + + +#### Control Plane + +Windows is only supported as a worker node in the Kubernetes architecture and component matrix. 
This means that a Kubernetes cluster must always include Linux master nodes, zero or more Linux worker nodes, and zero or more Windows worker nodes. + + +#### ​Compute + + +##### Resource management and process isolation + + Linux cgroups are used as a pod boundary for resource controls in Linux. Containers are created within that boundary for network, process and file system isolation. The cgroups APIs can be used to gather cpu/io/memory stats. In contrast, Windows uses a Job object per container with a system namespace filter to contain all processes in a container and provide logical isolation from the host. There is no way to run a Windows container without the namespace filtering in place. This means that system privileges cannot be asserted in the context of the host, and thus privileged containers are not available on Windows. Containers cannot assume an identity from the host because the Security Account Manager (SAM) is separate. + + +##### Operating System Restrictions + +Windows has strict compatibility rules, where the host OS version must match the container base image OS version. Only Windows containers with a container operating system of Windows Server 2019 are supported. Hyper-V isolation of containers, enabling some backward compatibility of Windows container image versions, is planned for a future release. + + +##### Feature Restrictions + + + +* TerminationGracePeriod: not implemented +* Single file mapping: to be implemented with CRI-ContainerD +* Termination message: to be implemented with CRI-ContainerD +* Privileged Containers: not currently supported in Windows containers +* HugePages +* The existing node problem detector is Linux-only and requires privileged containers. 
In general, we don't expect this to be used on Windows because privileged containers are not supported +* Not all features of shared namespaces are supported (see API section for more details) + + +##### Memory Reservations and Handling + +Windows does not have an out-of-memory process killer as Linux does. Windows always treats all user-mode memory allocations as virtual, and pagefiles are mandatory. The net effect is that Windows won't reach out of memory conditions the same way Linux does, and processes will page to disk instead of being subject to out of memory (OOM) termination. If memory is over-provisioned and all physical memory is exhausted, then paging can slow down performance. + +Keeping memory usage within reasonable bounds is possible with a two-step process. First, use the kubelet parameters `--kubelet-reserve` and/or `--system-reserve` to account for memory usage on the node (outside of containers). This will reduce [NodeAllocatable](https://kubernetes.io/docs/tasks/administer-cluster/reserve-compute-resources/#node-allocatable)). As you deploy workloads, use resource limits (must set only limits or limits must equal requests) on containers. This will also subtract from NodeAllocatable and prevent the scheduler from adding more pods once a node is full. + +A best practice to avoid over-provisioning is to configure the kubelet with a system reserved memory of at least 2GB to account for Windows, Docker, and Kubernetes processes. + +The behaviour of the flags behave differently as described below: + + + +* --kubelet-reserve, --system-reserve , and --eviction-hard flags update Node Allocatable +* Eviction by using --enforce-node-allocable is not implemented +* Eviction by using --eviction-hard and --eviction-soft are not implemented +* MemoryPressure Condition is not implemented +* There are no OOM eviction actions taken by the kubelet +* Kubelet running on the windows node does not have memory restrictions. 
--kubelet-reserve and --system-reserve do not set limits on kubelet or processes running the host. This means kubelet or a process on the host could cause memory resource starvation outside the node-allocatable and scheduler + + +#### ​Storage + +Windows has a layered filesystem driver to mount container layers and create a copy filesystem based on NTFS. All file paths in the container are resolved only within the context of that container. + + + +* Volume mounts can only target a directory in the container, and not an individual file +* Volume mounts cannot project files or directories back to the host filesystem +* Read-only filesystems are not supported because write access is always required for the Windows registry and SAM database. However, read-only volumes are supported +* Volume user-masks and permissions are not available. Because the SAM is not shared between the host & container, there's no mapping between them. All permissions are resolved within the context of the container + +As a result, the following storage functionality is not supported on Windows nodes + + + +* Windows does not support volume subpath mounts. Only the entire volume can be mounted in a Windows container. +* Subpath volume mounting for Secrets +* Host mount projection +* DefaultMode (due to UID/GID dependency) +* Read-only root filesystem. Mapped volumes still support readOnly +* Block device mapping +* Memory as the storage medium +* CSI plugins which require privileged containers +* File system features like uui/guid, per-user Linux filesystem permissions +* NFS based storage/volume support + + +#### Networking + +Windows Container Networking differs in some important ways from Linux networking. The [Microsoft documentation for Windows Container Networking](https://docs.microsoft.com/en-us/virtualization/windowscontainers/container-networking/architecture) contains additional details and background. 
+ +The Windows host networking networking service and virtual switch implement namespacing and can create virtual NICs as needed for a pod or container. However, many configurations such as DNS, routes, and metrics are stored in the Windows registry database rather than /etc/... files as they are on Linux. The Windows registry for the container is separate from that of the host, so concepts like mapping /etc/resolv.conf from the host into a container don't have the same effect they would on Linux. These must be configured using Windows APIs run in the context of that container. Therefore CNI implementations need to call the HNS instead of relying on file mappings to pass network details into the pod or container. + +The following networking functionality is not supported on Windows nodes + + + +* Host networking mode is not available for Windows pods +* Local NodePort access from the node itself will fail (works for other nodes or external clients) +* Accessing service VIPs from nodes will be available with a future release of Windows Server +* Overlay networking support in kube-proxy is an alpha release. In addition, it requires [KB4482887](https://support.microsoft.com/en-us/help/4482887/windows-10-update-kb4482887) to be installed on Windows Server 2019 +* Outbound communication using the ICMP protocol via the win-overlay, win-bridge, and Azure-CNI plugin. Specifically, the Windows data plane ([VFP](https://www.microsoft.com/en-us/research/project/azure-virtual-filtering-platform/)) doesn't support ICMP packet transpositions. This means: + * ICMP packets directed to destinations within the same network (e.g. pod to pod communication via ping) will work as expected and without any limitations + * TCP/UDP packets will work as expected and without any limitations + * ICMP packets directed to pass through a remote network (e.g. 
pod to external internet communication via ping) cannot be transposed and thus will not be routed back to their source + * Since TCP/UDP packets can still be transposed, one can substitute **ping ** with **curl ** to be able to debug connectivity to the outside world. + + +##### CNI Plugins + + + +* Windows reference network plugins win-bridge and win-overlay do not currently implement [CNI spec](https://github.com/containernetworking/cni/blob/master/SPEC.md) v0.4.0 due to missing "CHECK" implementation. +* The Flannel VXLAN CNI has the following limitations on Windows: +1. Node-pod connectivity isn't possible by design. It's only possible for local pods with Flannel PR[ https://github.com/coreos/flannel/pull/1096](https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Fcoreos%2Fflannel%2Fpull%2F1096&data=02%7C01%7CDavid.Schott%40microsoft.com%7Cfa26c088fac743188e7d08d69ea3d836%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C636870823885740325&sdata=1QEvw9Gh6IioT7ruVhhXAlSgN1a%2FMsqn4ViDQSSSVjs%3D&reserved=0) +2. We are restricted to using VNI 4096 and UDP port 4789. The VNI limitation is being worked on and will be overcome (open-source flannel changes). See official [Flannel VXLAN ](https://github.com/coreos/flannel/blob/master/Documentation/backends.md#vxlan)backend docs for more details on these parameters. + + +##### DNS + + + +* ClusterFirstWithHostNet is not supported for DNS. Windows treats all names with a '.' as a FQDN and skips PQDN resolution +* On Linux, you have a DNS suffix list, which is used when trying to resolve PQDNs. On Windows, we only have 1 DNS suffix, which is the the DNS suffix associated with that pod's namespace (mydns.svc.cluster.local for example). Windows can resolve FQDNs and services or names resolvable with just that suffix. For example, a pod spawned in the default namespace, will have the DNS suffix **default.svc.cluster.local**. 
On a Windows pod, we will be able to resolve both **kubernetes.default.svc.cluster.local** and **kubernetes**, but not the in-betweens, like **kubernetes.default** or **kubernetes.default.svc**. + +Security + +Secrets are written in clear text on the node's volume (as compared to tmpfs/in-memory on linux). This means customers have to do two things + + + +1. Use file ACLs to secure the secrets file location +2. ​Use volume-level encryption using [BitLocker](https://docs.microsoft.com/en-us/windows/security/information-protection/bitlocker/bitlocker-how-to-deploy-on-windows-server) + +[RunAsUser ](https://kubernetes.io/docs/concepts/policy/pod-security-policy/#users-and-groups)is not currently supported on Windows. The workaround is to create local accounts before packaging the container. The RunAsUsername capability may be added in a future release. + +Linux specific pod security context privileges such as SELinux, AppArmor, Seccomp, Capabilities (POSIX Capabilities), and others are not supported. + +In addition, as mentioned already, privileged containers are not supported on Windows. + + +#### API + +There are no differences in how most of the Kubernetes APIs work for Windows. The subtleties around what's different come down to differences in the OS and container runtime. In certain situations, some properties on workload APIs such as Pod or Container were designed with an assumption that they are implemented on Linux, failing to run on Windows. \ + \ +At a high level, these OS concepts are different: + + + +* Identity - Linux uses userID (UID) and groupID (GID) which are represented as integer types. User and group names are not canonical - they are just an alias in /etc/groups or /etc/passwd back to UID+GID. Windows uses a larger binary security identifier (SID) which is stored in the Windows Security Access Manager (SAM) database. This database is not shared between the host and containers, or between containers. 
+* File permissions - Windows uses an access control list based on SIDs, rather than a bitmask of permissions and UID+GID +* File paths - convention on Windows is to use **\** instead of **/**. The Go IO libraries typically accept both and just make it work, but when you're setting a path or command line that's interpreted inside a container, **\** may be needed. +* Signals - Windows interactive apps handle termination differently, and can implement one or more of these: + * A UI thread will handle well-defined messages including WM_CLOSE + * Console apps will handle ctrl-c or ctrl-break using a Control Handler + * Services will register a Service Control Handler function that can accept SERVICE_CONTROL_STOP control codes + +Exit Codes follow the same convention where 0 is success, nonzero is failure. The specific error codes may differ across Windows and Linux. However, exit codes passed from the Kubernetes components (kubelet, kube-proxy) will be unchanged. + + +##### V1.Container + + + +* V1.Container.ResourceRequirements.limits.cpu and V1.Container.ResourceRequirements.limits.memory - Windows doesn't use hard limits for CPU allocations. Instead, a share system is used. The existing fields based on millicores are scaled into relative shares that are followed by the Windows scheduler. [see: kuberuntime/helpers_windows.go](https://github.com/kubernetes/kubernetes/blob/master/pkg/kubelet/kuberuntime/helpers_windows.go), [see: resource controls in Microsoft docs](https://docs.microsoft.com/en-us/virtualization/windowscontainers/manage-containers/resource-controls) + * Huge pages are not implemented in the Windows container runtime, and are not available. They require [asserting a user privilege](https://docs.microsoft.com/en-us/windows/desktop/Memory/large-page-support) that's not configurable for containers. 
+* V1.Container.ResourceRequirements.requests.cpu and V1.Container.ResourceRequirements.requests.memory - Requests are subtracted from node available resources, so they can be used to avoid overprovisioning a node. However, they cannot be used to guarantee resources in an overprovisioned node. They should be applied to all containers as a best practice if the operator wants to avoid overprovisioning entirely. +* V1.Container.SecurityContext.allowPrivilegeEscalation - not possible on Windows, none of the capabilities are hooked up +* V1.Container.SecurityContext.Capabilities - POSIX capabilities are not implemented on Windows +* V1.Container.SecurityContext.privileged - Windows doesn't support privileged containers +* V1.Container.SecurityContext.procMount - Windows doesn't have a /proc filesystem +* V1.Container.SecurityContext.readOnlyRootFilesystem - not possible on Windows, write access is required for registry & system processes to run inside the container +* V1.Container.SecurityContext.runAsGroup - not possible on Windows, no GID support +* V1.Container.SecurityContext.runAsNonRoot - Windows does not have a root user. The closest equivalent is ContainerAdministrator which is an identity that doesn't exist on the node. +* V1.Container.SecurityContext.runAsUser - not possible on Windows, no UID support as int. +* V1.Container.SecurityContext.seLinuxOptions - not possible on Windows, no SELinux +* V1.Container.terminationMessagePath - this has some limitations in that Windows doesn't support mapping single files. The default value is /dev/termination-log, which does work because it does not exist on Windows by default. + +##### +V1.Pod + +* V1.Pod.hostIPC, v1.pod.hostpid - host namespace sharing is not possible on Windows +* V1.Pod.hostNetwork - There is no Windows OS support to share the host network +* V1.Pod.dnsPolicy - ClusterFirstWithHostNet - is not supported because Host Networking is not supported on Windows. 
+* V1.Pod.podSecurityContext - see [V1.PodSecurityContext](https://github.com/kubernetes/enhancements/blob/master/keps/sig-windows/20190103-windows-node-support.md#v1podsecuritycontext) +* V1.Pod.shareProcessNamespace - this is an beta feature, and depends on Linux namespaces which are not implemented on Windows. Windows cannot share process namespaces or the container's root filesystem. Only the network can be shared. +* V1.Pod.terminationGracePeriodSeconds - this is not fully implemented in Docker on Windows, see: [reference](https://github.com/moby/moby/issues/25982). The behavior today is that the ENTRYPOINT process is sent CTRL_SHUTDOWN_EVENT, then Windows waits 5 seconds by hardcoded default, and finally shuts down all processes using the normal Windows shutdown behavior. The 5 second default is actually in the Windows registry [inside the container](https://github.com/moby/moby/issues/25982#issuecomment-426441183), so it can be overridden when the container is built. +* V1.Pod.volumeDevices - this is an beta feature, and is not implemented on Windows. Windows cannot attach raw block devices to pods. +* V1.Pod.volumes - EmptyDir, Secret, ConfigMap, HostPath - all work and have tests in TestGrid + * V1.emptyDirVolumeSource - the Node default medium is disk on Windows. Memory is not supported, as Windows does not have a built-in RAM disk. +* V1.VolumeMount.mountPropagation - only MountPropagationHostToContainer is available. Windows cannot create mounts within a pod or project them back to the node. + +##### +V1.PodSecurityContext + + +None of the PodSecurityContext fields work on Windows. They're listed here for reference. + + + +* V1.PodSecurityContext.SELinuxOptions - SELinux is not available on Windows +* V1.PodSecurityContext.RunAsUser - provides a UID, not available on Windows +* V1.PodSecurityContext.RunAsGroup - provides a GID, not available on Windows +* V1.PodSecurityContext.RunAsNonRoot - Windows does not have a root user. 
The closest equivalent is ContainerAdministrator which is an identity that doesn't exist on the node. +* V1.PodSecurityContext.SupplementalGroups - provides GID, not available on Windows +* V1.PodSecurityContext.Sysctls - these are part of the Linux sysctl interface. There's no equivalent on Windows. + + +# ​User Guide: Add Windows Nodes in Kubernetes + + +## ​Objectives + +The Kubernetes platform can now be used to run both Linux and Windows containers. One or more Windows nodes can be registered to a cluster. This guide shows how to: + + + +* Register a Windows node to the cluster +* Configure networking so pods on Linux and Windows can communicate + + +## ​Before you begin + + + +* Obtain a [Windows Server license](https://www.microsoft.com/en-us/cloud-platform/windows-server-pricing) in order to run the Windows node that will execute the Windows container. You can use your organization's licenses for the cluster, or acquire one from Microsoft, a reseller, or via the major cloud providers such as GCP, AWS, and Azure by provisioning a virtual machine running Windows Server through their marketplaces. A [time-limited trial](https://www.microsoft.com/en-us/cloud-platform/windows-server-trial) is also available. +* Build a Linux-based Kubernetes cluster in which you have access to the control plane (some examples include [Getting Started from Scratch](https://kubernetes.io/docs/setup/scratch/), [kubeadm](https://kubernetes.io/docs/setup/independent/create-cluster-kubeadm/), [AKS Engine](https://kubernetes.io/docs/setup/turnkey/azure/), [GCE](https://kubernetes.io/docs/setup/turnkey/gce/), [AWS](https://kubernetes.io/docs/setup/turnkey/aws/)). + + +## ​Getting Started: Adding a Windows Node to Your Cluster + + +### ​Plan IP Addressing + +Kubernetes cluster management requires careful planning of your IP addresses so that you do not inadvertently cause network collision. 
This guide assumes that you are familiar with the [Kubernetes networking concepts](https://kubernetes.io/docs/concepts/cluster-administration/networking/). + +In order to deploy your cluster you will need the following address spaces: + + + + + + + + + + + + + + + + + + + + + + + +
Subnet / address range + Description + Default value +
Service Subnet + A non-routable, purely virtual subnet that is used by pods to uniformly access services without caring about the network topology. It is translated to/from routable address space by kube-proxy running on the nodes. + "10.96.0.0/12" +
Cluster Subnet + This is a global subnet that is used by all pods in the cluster. Each node is assigned a smaller /24 subnet from this for their pods to use. It must be large enough to accommodate all pods used in your cluster. To calculate minimumsubnet size: (number of nodes) + (number of nodes * maximum pods per node that you configure) +

+Example: for a 5 node cluster for 100 pods per node: (5) + (5 * 100) = 505. +

"10.244.0.0/16" +
Kubernetes DNS Service IP + IP address of kube-dns service that will be used for DNS resolution & cluster service discovery. + "10.96.0.10" +
+ + +Review the networking options supported in 'Intro to Windows containers in Kubernetes: Supported Functionality: Networking' to determine how you need to allocate IP addresses for your cluster. + + +### Components that run on Windows + +While the Kubernetes control plane runs on your Linux node(s), the following components will be configured and run on your Windows node(s). + + + +1. kubelet +2. kube-proxy +3. kubectl (optional) +4. Container runtime + +Get the latest binaries from [https://github.com/kubernetes/kubernetes/releases](https://github.com/kubernetes/kubernetes/releases), starting with v1.14 or later. The Windows-amd64 binaries for kubeadm, kubectl, kubelet, and kube-proxy can be found under the CHANGELOG link. + + +### ​Networking Configuration + +Once you have a Linux-based Kubernetes master node you are ready to choose a networking solution. This guide illustrates using Flannel in VXLAN mode for simplicity. + + +#### ​Configuring Flannel in VXLAN mode on the Linux controller + + + +1. Prepare Kubernetes master for Flannel + +Some minor preparation is recommended on the Kubernetes master in our cluster. It is recommended to enable bridged IPv4 traffic to iptables chains when using Flannel. This can be done using the following command: + + +``` +sudo sysctl net.bridge.bridge-nf-call-iptables=1 + +``` + + + +1. Download & configure Flannel + +Download the most recent Flannel manifest: + + +``` +wget https://raw.githubusercontent.com/coreos/flannel/master/Documentation/kube-flannel.yml +``` + + +There are two sections you should modify to enable the vxlan networking backend: + +After applying the steps below, the `net-conf.json` section of `kube-flannel.yml` should look as follows: + + +``` +net-conf.json: | + { + "Network": "10.244.0.0/16", + "Backend": { + "Type": "vxlan", + "VNI" : 4096, + "Port": 4789 + } + } + +``` + + + +1. In the `net-conf.json` section of your `kube-flannel.yml`, double-check: + 1. The cluster subnet (e.g. 
"10.244.0.0/16") is set as per your IP plan. + * VNI 4096 is set in the backend + * Port 4789 is set in the backend +2. In the `cni-conf.json` section of your `kube-flannel.yml`, change the network name to "`vxlan0"`. + +Note: The VNI must be set to 4096 and port 4789 for Flannel on Linux to interoperate with Flannel on Windows. Support for other VNIs is coming soon. See [VXLAN](https://github.com/coreos/flannel/blob/master/Documentation/backends.md#vxlan) for an explanation of these fields. + +Your `cni-conf.json` should look as follows: + + +``` +cni-conf.json: | + { + "name": "vxlan0", + "plugins": [ + { + "type": "flannel", + "delegate": { + "hairpinMode": true, + "isDefaultGateway": true + } + }, + { + "type": "portmap", + "capabilities": { + "portMappings": true + } + } + ] + } + +``` + + + +1. Apply the Flannel yaml and Validate + +Let's apply the Flannel configuration: + + +``` +kubectl apply -f kube-flannel.yml +``` + + +Next, since the Flannel pods are Linux-based, apply a NodeSelector patch, which can be found [here](https://github.com/Microsoft/SDN/blob/1d5c055bb195fecba07ad094d2d7c18c188f9d2d/Kubernetes/flannel/l2bridge/manifests/node-selector-patch.yml), to the Flannel DaemonSet pod: + + +``` + kubectl patch ds/kube-flannel-ds-amd64 --patch "$(cat node-selector-patch.yml)" -n=kube-system +``` + + +After a few minutes, you should see all the pods as running if the Flannel pod network was deployed. + + +``` +kubectl get pods --all-namespaces +``` + +![alt_text](flannel-master-kubeclt-get-pods.png "flannel master kubectl get pods screen capture") + + +Verify that the Flannel DaemonSet has the NodeSelector applied. + + +``` +kubectl get ds -n kube-system +``` + +![alt_text](flannel-master-kubectl-get-ds.png "flannel master kubectl get ds screen capture") + + + +### Join Windows Worker + +In this section we'll cover configuring a Windows node from scratch to join a cluster on-prem. 
If your cluster is on a cloud you'll likely want to follow the cloud specific guides in the next section. + + +#### Preparing a Windows Node + +Note: All code snippets in Windows sections are to be run in a PowerShell environment with elevated permissions (Admin). + + + +1. Install Docker (requires a system reboot) + +Kubernetes uses [Docker](https://www.docker.com/) as its container engine, so we need to install it. You can follow the [official Docs instructions](https://docs.microsoft.com/en-us/virtualization/windowscontainers/manage-docker/configure-docker-daemon#install-docker), the [Docker instructions](https://store.docker.com/editions/enterprise/docker-ee-server-windows), or try these steps: + + +``` +PS C:\Users\Administrator\Install-Module -Name DockerMsftProvider -Repository PSGallery -Force +PS C:\Users\Administrator\Install-Package -Name Docker -ProviderName DockerMsftProvider +PS C:\Users\Administrator\Restart-Computer -Force +``` + + +If you are behind a proxy, the following PowerShell environment variables must be defined: + + +``` +[Environment]::SetEnvironmentVariable("HTTP_PROXY", "http://proxy.example.com:80/", [EnvironmentVariableTarget]::Machine) +[Environment]::SetEnvironmentVariable("HTTPS_PROXY", "http://proxy.example.com:443/", [EnvironmentVariableTarget]::Machine) +``` + + +If after reboot you may see the following error: + +![alt_text](windows-docker-error.png "windows docker error screen capture") + + +If so then you need to restart the docker service manually: + + +``` +Start-Service docker +``` + + +Note: the "pause" (infrastructure) image is on Microsoft Container Registry (MCR) and the DOCKERFILE is available at [https://github.com/Microsoft/SDN/blob/master/Kubernetes/windows/Dockerfile](https://github.com/Microsoft/SDN/blob/master/Kubernetes/windows/Dockerfile) + + +``` +docker pull mcr.microsoft.com/k8s/core/pause:1.0.0 + +``` + + + +2. 
Prepare a Windows directory for Kubernetes + +Create a "Kubernetes for Windows" directory to store Kubernetes binaries as well as any deployment scripts and config files. + + +``` +mkdir c:\k + +``` + + + +3. Copy Kubernetes certificate + +Copy the Kubernetes certificate file (`$HOME/.kube/config`) [from Linux controller](https://docs.microsoft.com/en-us/virtualization/windowscontainers/kubernetes/creating-a-linux-master#collect-cluster-information) to this new `C:\k` directory on your Windows node. + +Tip: You can use tools such as [xcopy](https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/xcopy) or [WinSCP](https://winscp.net/eng/download.php) to transfer the config file between nodes. + + + +4. Download Kubernetes binaries + +To be able to run Kubernetes, you first need to download the `kubectl`, `kubelet`, and `kube-proxy` binaries. You can download these from the links in the CHANGELOG.md file of the [latest releases](https://github.com/kubernetes/kubernetes/releases/). + +Use the [Expand-Archive](https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.archive/expand-archive?view=powershell-6) PowerShell command to extract the archive and place the binaries into `C:\k`. + + +#### Join the Windows node to the Flannel cluster + +The Flannel overlay deployment scripts and documentation are available in [this repository](https://github.com/Microsoft/SDN/tree/master/Kubernetes/flannel/overlay). The following steps are a simple walkthrough of the more comprehensive instructions available there. 
+ +Download the [Flannel start.ps1](https://github.com/Microsoft/SDN/blob/master/Kubernetes/flannel/start.ps1) script, the contents of which should be extracted to `C:\k`: + + +``` +cd c:\k +[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 +wget https://raw.githubusercontent.com/Microsoft/SDN/master/Kubernetes/flannel/start.ps1 -o c:\k\start.ps1 +``` + + +Note: [start.ps1](https://github.com/Microsoft/SDN/blob/master/Kubernetes/flannel/start.ps1) references [install.ps1](https://github.com/Microsoft/SDN/blob/master/Kubernetes/windows/install.ps1), which will download additional files such as the `flanneld` executable and the [Dockerfile for infrastructure pod](https://github.com/Microsoft/SDN/blob/master/Kubernetes/windows/Dockerfile) and install those for you. For overlay networking mode, the [firewall](https://github.com/Microsoft/SDN/blob/master/Kubernetes/windows/helper.psm1#L111) will be opened for local UDP port 4789. There may be multiple powershell windows being opened/closed as well as a few seconds of network outage while the new external vSwitch for the pod network is being created the first time. Run the script using the arguments as specified below: + + +``` +.\start.ps1 -ManagementIP -NetworkMode overlay -ClusterCIDR -ServiceCIDR -KubeDnsServiceIP -LogDir + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
``` + +Parameter + Default Value + Notes +
-ManagementIP + N/A (required) + The IP address assigned to the Windows node. You can use ipconfig to find this. +
-NetworkMode + l2bridge + We're using overlay here +
-ClusterCIDR + 10.244.0.0/16 + Refer to your cluster IP plan +
-ServiceCIDR + 10.96.0.0/12 + Refer to your cluster IP plan +
-KubeDnsServiceIP + 10.96.0.10 + +
-InterfaceName + Ethernet + The name of the network interface of the Windows host. You can use ipconfig to find this. +
-LogDir + C:\k + The directory where kubelet and kube-proxy logs are redirected into their respective output files. +
+ + +Now you can view the Windows nodes in your cluster by running the following: + + +``` +kubectl get nodes +``` + + + +### ​Public Cloud Providers + + +#### Azure + +AKS-Engine can deploy a complete, customizable Kubernetes cluster with both Linux & Windows nodes. There is a step-by-step walkthrough available in the [docs on GitHub](https://github.com/Azure/aks-engine/blob/master/docs/topics/windows.md). + + +#### ​GCP + +Users can easily deploy a complete Kubernetes cluster on GCE following this step-by-step walkthrough on [GitHub](https://github.com/kubernetes/kubernetes/blob/master/cluster/gce/windows/README-GCE-Windows-kube-up.md) + + +#### ​Deployment with kubeadm and cluster API + +Kubeadm is becoming the de facto standard for users to deploy a Kubernetes cluster. Windows node support in kubeadm will come in a future release. We are also making investments in cluster API to ensure Windows nodes are properly provisioned. + + +#### Next Steps + +Now that you've configured a Windows worker in your cluster to run Windows containers you may want to add one or more Linux nodes as well to run Linux containers. Now you're ready to proceed to the next step to schedule Windows containers on your cluster. + + +# User Guide: Running Windows containers in Kubernetes + + +## Objectives + + + +* Configure a deployment to run Windows containers on the Windows node +* (Optional) Configure Windows service identity using Group Managed Service Accounts (gMSA) + + +## Before you begin + + + +* Create a Kubernetes cluster that includes a master and a worker node running Windows Server +* It is important to note that creating and deploying services and workloads on Kubernetes behaves in much the same way for Linux and Windows containers. [Kubectl commands](https://kubernetes.io/docs/reference/kubectl/overview/) to interface with the cluster are identical. The example in the section below is provided simply to jumpstart your experience with Windows containers. 
+ + +## ​Getting Started: Deploying a Windows Container + + + +1. Create a simple webserver example: + +Create a service spec `win-webserver.yaml` with the contents below: [TODO create this as a file in the docs folder and add a link] + + +``` +apiVersion: v1 +kind: Service +metadata: + name: win-webserver + labels: + app: win-webserver +spec: + ports: + # the port that this service should serve on + - port: 80 + targetPort: 80 + selector: + app: win-webserver + type: NodePort +--- +apiVersion: extensions/v1beta1 +kind: Deployment +metadata: + labels: + app: win-webserver + name: win-webserver +spec: + replicas: 2 + template: + metadata: + labels: + app: win-webserver + name: win-webserver + spec: + containers: + - name: windowswebserver + image: mcr.microsoft.com/windows/servercore:ltsc2019 + command: + - powershell.exe + - -command + - "<#code used from https://gist.github.com/wagnerandrade/5424431#> ; $$listener = New-Object System.Net.HttpListener ; $$listener.Prefixes.Add('http://*:80/') ; $$listener.Start() ; $$callerCounts = @{} ; Write-Host('Listening at http://*:80/') ; while ($$listener.IsListening) { ;$$context = $$listener.GetContext() ;$$requestUrl = $$context.Request.Url ;$$clientIP = $$context.Request.RemoteEndPoint.Address ;$$response = $$context.Response ;Write-Host '' ;Write-Host('> {0}' -f $$requestUrl) ; ;$$count = 1 ;$$k=$$callerCounts.Get_Item($$clientIP) ;if ($$k -ne $$null) { $$count += $$k } ;$$callerCounts.Set_Item($$clientIP, $$count) ;$$ip=(Get-NetAdapter | Get-NetIpAddress); $$header='

Windows Container Web Server

' ;$$callerCountsString='' ;$$callerCounts.Keys | % { $$callerCountsString+='

IP {0} callerCount {1} ' -f $$ip[1].IPAddress,$$callerCounts.Item($$_) } ;$$footer='' ;$$content='{0}{1}{2}' -f $$header,$$callerCountsString,$$footer ;Write-Output $$content ;$$buffer = [System.Text.Encoding]::UTF8.GetBytes($$content) ;$$response.ContentLength64 = $$buffer.Length ;$$response.OutputStream.Write($$buffer, 0, $$buffer.Length) ;$$response.Close() ;$$responseStatus = $$response.StatusCode ;Write-Host('< {0}' -f $$responseStatus) } ; " + nodeSelector: + beta.kubernetes.io/os: windows +``` + + +Note: Port mapping is also supported, but for simplicity in this example the container port 80 is exposed directly to the service. + + + +2. Check that all nodes are healthy: + + ``` + kubectl get nodes + ``` + + +3. Deploy the service and watch for pod updates: + + ``` + kubectl apply -f win-webserver.yaml + + kubectl get pods -o wide -w + When the service is deployed correctly both Pods will be marked as Ready. To exit the watch command, press Ctrl+C. + + ``` + + + +4. Check that the deployment succeeded. 
To verify: + * Two containers per pod on the Windows node, use `docker ps` + * Two pods listed from the Linux master, use `kubectl get pods` + * Node-to-pod communication across the network, `curl` port 80 of your pod IPs from the Linux master to check for a web server response + * Pod-to-pod communication, ping between pods (and across hosts, if you have more than one Windows node) using docker exec or kubectl exec + * Service-to-pod communication, `curl` the virtual service IP (seen under `kubectl get services`) from the Linux master and from individual pods + * Service discovery, `curl` the service name with the Kubernetes[ default DNS suffix](https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#services) + * Inbound connectivity, `curl` the NodePort from the Linux master or machines outside of the cluster + * Outbound connectivity, `curl` external IPs from inside the pod using kubectl exec + +**Note: **Windows _container hosts_ are not able to access the IP of services scheduled on them due to current platform limitations of the Windows networking stack. Only Windows _pods_ are able to access service IPs. + + +## Managing Workload Identity with Group Managed Service Accounts + +Starting with Kubernetes v1.14, Windows container workloads can be configured to use Group Managed Service Accounts (GMSA). Group Managed Service Accounts are a specific type of Active Directory account that provides automatic password management, simplified service principal name (SPN) management, and the ability to delegate the management to other administrators across multiple servers. Containers configured with a GMSA can access external Active Directory Domain resources while carrying the identity configured with the GMSA. Learn more about configuring and using GMSA for Windows containers [here](https://kubernetes.io/docs/concepts/configuration/workload-identity/). + + +### Taints and Tolerations + + +## ​Secrets Management + + + +1. 
Create a secret by following the[ standard directions](https://kubernetes.io/docs/tasks/inject-data-application/distribute-credentials-secure/#create-a-secret) +2. Configure your pod to receive the secret via an environment variable. + + `--- \ +apiVersion: v1 \ +kind: Pod \ +metadata: \ + name: secret-envars-test-pod \ +spec: \ + containers: \ + - name: envars-test-container \ + image: microsoft/windowsservercore:ltsc2019 \ + imagePullPolicy: Never \ + command: \ + - ping \ + - -t \ + - localhost \ + env: \ + - name: SECRET_USERNAME \ + valueFrom: \ + secretKeyRef: \ + name: test-secret \ + key: username \ + - name: SECRET_PASSWORD \ + valueFrom: \ + secretKeyRef: \ + name: test-secret \ + key: password` \ + + +3. Deploy the pod and verify that it is running: + + +``` +kubectl create -f https://k8s.io/docs/getting-started-guides/windows/secret-pod.yaml +kubectl get pod secret-envars-test-pod + +``` + + + +1. Open a shell into the container running the pod: + + +``` +kubectl exec -it secret-envars-test-pod -- powershell + +``` + + + +1. See that the secret is in the environment variable: + + +``` +echo $env:SECRET_USERNAME $env:SECRET_PASSWORD +``` + + +You should see the output:` \ +my-app \ +39528$vdg7Jb` + + +# ​Getting Help and Troubleshooting + + + +1. How do I know start.ps1 on Windows completed successfully? + +You should see kubelet, kube-proxy, and (if you chose Flannel as your networking solution) flanneld host-agent processes running on your node, with running logs being displayed in separate PoSh windows. In addition to this, your Windows node should be listed as "Ready" in your Kubernetes cluster. + + + +2. Can I configure the Kubernetes node processes as in the background? + 1. As native Windows Services + +Kubelet & kube-proxy can be run as native [Windows Services](https://kubernetes.io/docs/getting-started-guides/windows/#kubelet-and-kube-proxy-can-now-run-as-windows-services). 
See [Windows Services on Kubernetes](https://docs.microsoft.com/en-us/virtualization/windowscontainers/kubernetes/kube-windows-services) for example steps. [TO DO create a section for setting up as Windows Services] + + + + 2. Using nssm.exe + +You can also always use alternative service managers like [nssm.exe](https://nssm.cc/) to always run these processes (flanneld, kubelet & kube-proxy) in the background for you. For initial troubleshooting, you can use the following flags in [nssm.exe](https://nssm.cc/) to redirect stdout and stderr to a output file: + + +``` +nssm set AppStdout C:\k\mysvc.log +nssm set AppStderr C:\k\mysvc.log +``` + + +For additional details, see official [nssm usage](https://nssm.cc/usage) docs. + + + +3. My Windows Pods do not have network connectivity + +If you are using virtual machines, ensure that MAC spoofing is enabled on all the VM network adapter(s). + + + +4. My Windows Pods cannot ping external resources + +Windows pods do not have outbound rules programmed for the ICMP protocol today. However, TCP/UDP is supported. When trying to demonstrate connectivity to resources outside of the cluster, please substitute `ping ` with corresponding `curl ` commands. \ + \ +If you are still facing problems, most likely your network configuration in [cni.conf](https://github.com/Microsoft/SDN/blob/master/Kubernetes/flannel/l2bridge/cni/config/cni.conf) deserves some extra attention. You can always edit this static file, the configuration will be applied to any newly created Kubernetes resources. \ + \ +One of the Kubernetes networking requirements (see [Kubernetes model](https://kubernetes.io/docs/concepts/cluster-administration/networking/)) is for cluster communication to occur without NAT internally. To honor this requirement, there is an [ExceptionList](https://github.com/Microsoft/SDN/blob/master/Kubernetes/flannel/l2bridge/cni/config/cni.conf#L20) for all the communication where we do not want outbound NAT to occur. 
However, this also means that you need to exclude the external IP you are trying to query from the ExceptionList. Only then will the traffic originating from your Windows pods be SNAT'ed correctly to receive a response from the outside world. In this regard, your ExceptionList in `cni.conf` should look as follows: + + +``` +"ExceptionList": [ + "10.244.0.0/16", # Cluster subnet + "10.96.0.0/12", # Service subnet + "10.127.130.0/24" # Management (host) subnet + ] + +``` + + + +5. My Windows node cannot access NodePort service + +Local NodePort access from the node itself will fail. This is a known limitation. NodePort access will work from other nodes or external clients. + + + +6. vNICs and HNS endpoints of containers are being deleted + +This issue can be caused when the `hostname-override` parameter is not passed to [kube-proxy](https://kubernetes.io/docs/reference/command-line-tools-reference/kube-proxy/). To resolve it, users need to pass the hostname to kube-proxy as follows: + + +``` +C:\k\kube-proxy.exe --hostname-override=$(hostname) + +``` + + + +7. With flannel my nodes are having issues after rejoining a cluster + +Whenever a previously deleted node is being rejoined to the cluster, flannelD will try to assign a new pod subnet to the node. Users should remove the old pod subnet configuration files in the following paths: + + +``` +Remove-Item C:\k\SourceVip.json +Remove-Item C:\k\SourceVipRequest.json + +``` + + + +8. After launching `start.ps1`, flanneld is stuck in "Waiting for the Network to be created" + +There are numerous reports of this issue which are being investigated; most likely it is a timing issue for when the management IP of the flannel network is set. A workaround is to simply relaunch start.ps1 or relaunch it manually as follows: + + +``` +PS C:> [Environment]::SetEnvironmentVariable("NODE_NAME", "") +PS C:> C:\flannel\flanneld.exe --kubeconfig-file=c:\k\config --iface= --ip-masq=1 --kube-subnet-mgr=1 + +``` + + + +9. 
My Windows Pods cannot launch because of missing `/run/flannel/subnet.env` + +This indicates that Flannel didn't launch correctly. You can either try to restart flanneld.exe or you can copy the files over manually from `/run/flannel/subnet.env` on the Kubernetes master to` C:\run\flannel\subnet.env` on the Windows worker node and modify the `FLANNEL_SUBNET` row to a different number. For example, if node subnet 10.244.4.1/24 is desired: + + +``` +FLANNEL_NETWORK=10.244.0.0/16 +FLANNEL_SUBNET=10.244.4.1/24 +FLANNEL_MTU=1500 +FLANNEL_IPMASQ=true + +``` + + + +10. My Windows node cannot access my services using the service IP + +This is a known limitation of the current networking stack on Windows. Windows pods are able to access the service IP however. + + + +11. No network adapter is found when starting kubelet + +The Windows networking stack needs a virtual adapter for Kubernetes networking to work. If the following commands return no results (in an admin shell), virtual network creation — a necessary prerequisite for Kubelet to work — has failed: + + +``` +Get-HnsNetwork | ? Name -ieq "cbr0" +Get-NetAdapter | ? Name -Like "vEthernet (Ethernet*" +``` + + +Often it is worthwhile to modify the [InterfaceName](https://github.com/Microsoft/SDN/blob/master/Kubernetes/flannel/l2bridge/start.ps1#L6) parameter of the start.ps1 script, in cases where the host's network adapter isn't "Ethernet". Otherwise, consult the output of the `start-kubelet.ps1` script to see if there are errors during virtual network creation. + + + +12. My Pods are stuck at "Container Creating" or restarting over and over + +Check that your pause image is compatible with your OS version. The [instructions](https://docs.microsoft.com/en-us/virtualization/windowscontainers/kubernetes/deploying-resources) assume that both the OS and the containers are version 1803. If you have a later version of Windows, such as an Insider build, you will need to adjust the images accordingly. 
Please refer to the Microsoft's [Docker repository](https://hub.docker.com/u/microsoft/) for images. Regardless, both the pause image Dockerfile and the sample service will expect the image to be tagged as :latest. + +If these steps don't resolve your problem, you can get help running Windows Containers on Windows nodes in Kubernetes through: + + + +* StackOverflow [Windows Server Container](https://stackoverflow.com/questions/tagged/windows-server-container) topic +* Kubernetes Official Forum [discuss.kubernetes.io](https://discuss.kubernetes.io/) +* Kubernetes Slack [#SIG-Windows Channel](https://kubernetes.slack.com/messages/C0SJ4AFB7) + + +### Bugs and Feature Requests + +If you have what looks like a bug, or you would like to make a feature request, please use the [Github issue tracking system](https://github.com/kubernetes/kubernetes/issues). + +Before you file an issue, please search existing issues to see if your issue is already covered. + +If filing a bug, please include detailed information about how to reproduce the problem, such as: + + + +* Kubernetes version: kubectl version +* Cloud provider, OS distro, network configuration, and Docker version +* Steps to reproduce the problem +* Tag the issue sig/windows to bring it to the Windows Special Interest Group member attention + + +# Roadmap + +We have a lot of features in our roadmap. + + +### CRI-ContainerD + +ContainerD is another OCI-compliant runtime that recently graduated as a CNCF project. It's currently tested on Linux, but 1.3 will bring support for Windows and Hyper-V. [[reference](https://blog.docker.com/2019/02/containerd-graduates-within-the-cncf/)] + +The CRI-ContainerD interface will be able to manage sandboxes based on Hyper-V. 
This provides a foundation where RuntimeClasses could be implemented for new use cases including: + + + +* Hypervisor-based isolation between pods for additional security +* Backwards compatibility allowing a node to run a newer Windows Server version without requiring containers to be rebuilt +* Specific CPU/NUMA settings for a pod +* Memory isolation and reservations + + +### Deployment with kubeadm and cluster API + +Kubeadm is becoming the de facto standard for users to deploy a Kubernetes cluster. Windows node support in kubeadm will come in a future release. We are also making investments in cluster API to ensure Windows nodes are properly provisioned. + + +# Document 2: Windows Node contribution specifics + +[https://contributor.kubernetes.io/contributors/guide/](https://contributor.kubernetes.io/contributors/guide/) Under Contributing section + + +## Joining the SIG-Windows Mailing List and Slack Channel + +The best way to get in contact with the contributors working on Windows support is through the Kubernetes Slack. To get a Slack invite, visit [http://slack.k8s.io/](http://slack.k8s.io/) . Once you're logged in, join us in the [#SIG-Windows](https://kubernetes.slack.com/messages/C0SJ4AFB7) channel. + +To get access to shared documents, meeting calendar, and additional discussions, be sure to also join the [SIG-Windows Google Group](https://groups.google.com/forum/#!forum/kubernetes-sig-windows). + + +## Building Kubernetes for Windows from Source + +The Kubernetes build scripts have not been ported to Windows, so it's best to run in a Linux VM where you can run the same Docker container used in the official Kubernetes builds. This simplifies the steps, but means that you cannot build under Windows Subsystem for Linux (WSL). + +It's best to skim over the [Building Kubernetes](https://github.com/kubernetes/kubernetes/blob/master/build/README.md) guide if you have never built Kubernetes before to get the latest info. 
These steps are a summary focused on cross-building the Windows node binaries (kubelet & kube-proxy). + + +### ​Build Prerequisites + +At least 60GB of disk space is required, and 16GB of memory (or memory + swap). + +Once you have a VM, install Git, [Docker-CE](https://docs.docker.com/install/), and make. The build scripts will pull a Docker container with the required version of golang and other needed tools preinstalled. + +If you're using Ubuntu, then install the following packages: git, build-essential, [Docker-CE](https://docs.docker.com/install/linux/docker-ce/ubuntu/). + + +### ​Pulling a PR (optional) + +If there is a PR you would like to build, it's easy. You can create a working branch, pull the changes from GitHub in a patch, apply, then build. + +The examples here are based off a patch on GitHub: [https://github.com/kubernetes/kubernetes/pull/74788](https://github.com/kubernetes/kubernetes/pull/74788) . Be sure to replace the URL with the PR you want to test. + +First, make sure your local clone is up-to-date with master: `git checkout master ; git pull master` + +Next, create a branch in your repo: `git checkout -b pr74788` + +Now, get the patch for the PR you want. Append .patch to the URL, and download it with curl: `curl -L -o pr74788.patch https://github.com/kubernetes/kubernetes/pull/74788.patch` + +Merge it with ``patch -p1 < pr74788.patch`` + +If there are errors, fix them as needed. Once you're done, delete the .patch file and then `git commit` the rest to your local branch. + + +### Building Kubernetes binaries for Windows + +You can build individual components such as kubelet, kube-proxy, or kubectl by running `./build/run.sh make KUBE_BUILD_PLATFORMS=windows/amd64` such as `./build/run.sh make kubelet KUBE_BUILD_PLATFORMS=windows/amd64` + +If you would like to build all binaries at once, then run `./build/run.sh make cross KUBE_BUILD_PLATFORMS=windows/amd64` + +Once the build completes, the files will be in _output/dockerized/bin. 
+ + +## Running Your Own Cluster + + +## Testing Your Changes + + +### Updating the Node binaries + +Once you have binaries built (see Building Kubernetes binaries for Windows), the easiest way to test them is to replace them on an existing cluster. Use the steps above to build a cluster in your cloud of choice. To update the binaries on an existing node, follow these steps: + + + +1. Drain & cordon a node with `kubectl drain ` +2. Connect to the node with SSH or Windows Remote Desktop, and start PowerShell +3. On the node, run `Stop-Service kubelet -Force` +4. Copy kubelet.exe and kube-proxy.exe to a cloud storage account, or use SSH to copy them directly to the node. +5. Overwrite the existing kubelet & kube-proxy binaries. If you don't know where they are, run `sc.exe qc kubelet` or `sc.exe qc kube-proxy` and look at the BINARY_PATH_NAME returned. +6. Start the updated kubelet & kube-proxy with `Start-Service kubelet` + + +### ​Running Tests + +For the most up-to-date steps on how to build and run tests, please go to [https://github.com/kubernetes-sigs/windows-testing](https://github.com/kubernetes-sigs/windows-testing) . It has everything you need to build and run tests, as well as links to the SIG-Windows configurations used on [TestGrid](https://testgrid.k8s.io/sig-windows). + + +## Reporting Issues + + +### Gathering Logs + +Gathering trouble shooting info for CNI. [https://github.com/kubernetes/kubernetes/issues/74766#issuecomment-468736127](https://github.com/kubernetes/kubernetes/issues/74766#issuecomment-468736127) + +On the node before creating the pod for the first time. 
+ +start-birstranfer [https://raw.githubusercontent.com/Microsoft/SDN/master/Kubernetes/windows/debug/collectlogs.ps1](https://raw.githubusercontent.com/Microsoft/SDN/master/Kubernetes/windows/debug/collectlogs.ps1) + +run collectlogs.ps1 + +then start the trace by running the following command + +C:\k\debug\starthnstrace.cmd + +repro the issue + +run "netsh trace stop" + +then do again collectlogs.ps1 + +and send us both before and after collectlogs.ps1 and C:\server.etl + + + 
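Review bot: in the "Install Docker" snippet the prompt is written `PS C:\Users\Administrator\Install-Module -Name DockerMsftProvider ...` without the `>` that ends a PowerShell prompt, so the three lines read as if `Install-Module` were a path under the Administrator profile; either write the prompt as `PS C:\Users\Administrator>` or drop it, as the later snippets in the same section do. The sentence that follows, "If after reboot you may see the following error:", should read "After the reboot you may see the following error:".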
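Review bot: the "Copy Kubernetes certificate" step tells the reader to copy `$HOME/.kube/config` from the Linux controller into `C:\k` on every Windows node, but on a kubeadm-built controller that file is the cluster-admin kubeconfig, so anyone who can read `C:\k\config` on a worker holds full API access. The step should name the file for what it is (a kubeconfig, not a "certificate file") and either call for a node-scoped kubeconfig carrying the kubelet's own credentials or, at minimum, tell the reader to restrict the ACL on `C:\k` to Administrators and SYSTEM before copying it there. The same point applies to the kube-proxy and flanneld invocations later in the patch, which pass `--kubeconfig-file=c:\k\config`.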
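Review bot: the download command `wget https://raw.githubusercontent.com/Microsoft/SDN/master/Kubernetes/flannel/start.ps1 -o c:\k\start.ps1` fails in Windows PowerShell, where `wget` is an alias for `Invoke-WebRequest` and the abbreviated `-o` is ambiguous between `-OutFile`, `-OutVariable` and `-OutBuffer`; spell out `-OutFile c:\k\start.ps1`. Since the note below it explains that `start.ps1` calls `install.ps1`, which downloads and installs further binaries, the doc is asking the reader to execute an unpinned script from the `master` branch; pin the URLs to a specific commit of Microsoft/SDN and suggest reviewing the scripts before running them, so a later change to that branch cannot silently alter what gets installed on the node.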
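Review bot: the invocation `.\start.ps1 -ManagementIP -NetworkMode overlay -ClusterCIDR -ServiceCIDR -KubeDnsServiceIP -LogDir` has lost its values, most likely angle-bracketed placeholders stripped by the Google Doc export, so as written it passes no arguments at all; restore placeholders such as `-ManagementIP <IP>`. The parameter table that follows has collapsed into roughly forty empty `+` lines followed by one cell per line ("Parameter / Default Value / Notes", then `-ManagementIP`, `-NetworkMode`, ...), and needs to be rebuilt as a markdown table inside the `.md` file; while doing so, fill the empty Notes cell for `-KubeDnsServiceIP` and either add `-InterfaceName` to the example command or say in the table that it is optional. The same loss of placeholders shows up in troubleshooting item 4 ("substitute `ping ` with corresponding `curl ` commands") and item 8 (`SetEnvironmentVariable("NODE_NAME", "")` and `--iface=` with no value).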
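Review bot: the `win-webserver.yaml` Deployment uses `apiVersion: extensions/v1beta1`, which for a document targeting v1.14 should be `apps/v1`, and `apps/v1` additionally requires a `spec.selector.matchLabels` block matching the pod template labels, which the manifest does not have. Inside the PowerShell `-command` string every variable is written with a doubled sigil (`$$listener`, `$$context`, `$$callerCounts`), which looks like an export escaping artifact; the referenced gist uses a single `$`, and `$$` is PowerShell's automatic "last token" variable, so the script will not run as pasted. The string has also lost its HTML header and footer markup, leaving `Windows Container Web Server` and `IP {0} callerCount {1}` on bare lines between the `$$header='` and `$$footer=''` fragments. Finally, the "[TODO create this as a file in the docs folder and add a link]" marker, like the "[TO DO create a section for setting up as Windows Services]" marker further down, should be resolved or removed before merge.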
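Review bot: in "Secrets Management" the pod manifest is wrapped in inline backticks with a trailing ` \` on every line (`--- \`, `apiVersion: v1 \`, `kind: Pod \`), another export artifact; it needs to become a fenced ``` block with plain YAML, otherwise `kubectl create -f` on a copy of it fails. The manifest uses `image: microsoft/windowsservercore:ltsc2019` with `imagePullPolicy: Never`, which both diverges from the `mcr.microsoft.com/windows/servercore:ltsc2019` image used in the web server example and will fail unless the image has already been pulled on the node; use the MCR image and drop `imagePullPolicy: Never`. The numbered steps also run 1, 2, 3, 1, 1, the deploy step references `https://k8s.io/docs/getting-started-guides/windows/secret-pod.yaml`, which this patch does not add, and the headings "### Taints and Tolerations" and "## Running Your Own Cluster" have no body.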
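Review bot: in troubleshooting item 2 the `nssm set` examples are missing the service name: nssm's syntax is `nssm set <servicename> <parameter> <value>`, so `nssm set AppStdout C:\k\mysvc.log` should read `nssm set kubelet AppStdout C:\k\mysvc.log` (and likewise for `AppStderr`). The question heading "Can I configure the Kubernetes node processes as in the background?" should read "... to run in the background?". In item 4 the `ExceptionList` snippet carries `# Cluster subnet` style comments, which are not valid JSON and will break `cni.conf` if pasted as shown; either move the explanations into prose or state that the comments must be removed. In item 3, since enabling MAC spoofing on the VM adapter relaxes the hypervisor's port security, the text should say to enable it only on the adapter that carries the pod network. Item 12 still says the instructions "assume that both the OS and the containers are version 1803" and expect `:latest` tags, while the rest of this document targets `ltsc2019` and explicitly tagged images; bring it in line with the examples above.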
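Review bot: the "Deployment with kubeadm and cluster API" subsection appears twice with identical text, once under "Public Cloud Providers" (as an `####` heading) and again under "Roadmap" (as `###`); keep the Roadmap copy, since it describes future work rather than a deployment option available today, and drop the other.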
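Review bot: in "Pulling a PR" the command `git checkout master ; git pull master` is wrong because `git pull` takes a remote name first, so `master` is interpreted as a remote; it should be `git pull origin master` (or whatever remote tracks kubernetes/kubernetes). "Merge it with ``patch -p1 < pr74788.patch``" uses doubled backticks and loses the PR's commit history; `git am pr74788.patch` applies the same file while preserving the original commits and authorship, which also makes the following "delete the .patch file and then `git commit`" step unnecessary. The build command in the next section, "`./build/run.sh make KUBE_BUILD_PLATFORMS=windows/amd64` such as `./build/run.sh make kubelet KUBE_BUILD_PLATFORMS=windows/amd64`", should state the general form with a placeholder (`make <component>`) before the concrete example.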
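Review bot: the "Gathering Logs" subsection is raw notes rather than a procedure: "On the node before creating the pod for the first time." is a sentence fragment, `start-birstranfer` is a typo for `Start-BitsTransfer`, which also needs `-Source <url> -Destination <path>` arguments, and the remaining steps (`run collectlogs.ps1`, `C:\k\debug\starthnstrace.cmd`, `netsh trace stop`, "send us both before and after collectlogs.ps1 and C:\server.etl") are unfenced and unnumbered. Rewrite it as a numbered list with each command in a fenced block, and note that the ETL trace and collectlogs output can contain hostnames, IPs and network configuration, so the reader should review them before attaching them to a public issue.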
diff --git a/content/en/docs/getting-started-guides/windows/flannel-master-kubeclt-get-pods.png b/content/en/docs/getting-started-guides/windows/flannel-master-kubeclt-get-pods.png new file mode 100644 index 0000000000000000000000000000000000000000..73da333fcfcaae65b0ec6c81d1e43ac69d02d5b0 GIT binary patch literal 111844
z!+wSscRX$p;qXOI*U)0|YA|)dj&`H_ICrWq4DSKs|wi#(%hN?0iP?!NZECFI`OO`ne0|U$*1ncw1 z8(GdFWBjAoOP;K&dmppO%z!Yy{ROu5ZiDe&VT+$b{RvcAyvBOF_ku;TzgHkvW$cB4 z6Lb|=sYZgR^#||D>@Ys`{%MLaEmqwE1D54(NC)I#xX^MS!NHLHEC~$J4XDTik`TVL z-|ie*-;EupU@%Q2xE|vw{GN2sv%|@)xtG`VjXB$G05R}0WuyOg1NK8hGMq&l2tyKQ zx7(;YHXzkR!GlbaGrNa|mMs5x@R0X3 zp086qyW&RsHr1bYJ?}e~*RTt>gt~E9t(OC;c$0BjRRg9Xga%e&1WW~FygrvN1==D! zxU#qn`?b49Y@Rq}iJ|QGdaGOBe7PTpQq&5-IX$mse2n&M(fhN@1@#*CoOuXx6U{;@-wf108^^@Pv zclN;wNtC*t{`=ZlbN_vd5h5W@YQDpM#wie$!!|3bc!r*x1D34jIBgbE&bpF~2kmpaVh5#(I_WV;?Yr*ilZ z+L->1RlQUXd=oU3-&;yqQ0GnFkWMazK#v5ye1eJKS`Tzzang-3nN8}Q+0Td_~?uUlfB#)2^#GaJ53<1SMI!2cKLBT`! z3P*tQQ#KSLa}lvu;>;|oJ-03@r^9;wWs2jq=eoA}Xm)bb^8pAUN-(NCAK0gg@CXY@ zy{oRZ20ZHQj8Gajni61Q;gqEDAdjZ!Pjs0tCno(ZwOB4(zz%baef8K*U)|WlGGR0o z{`=(n%WLYLB7{W)>{q3c0fC#rWkX!8xrtyq8VL zv{vkPjCgv+Z;{{nl#dgO@tr`7PU>1O7j{zA7lLDA+axhrj^AWw7Ax zKDY)A?i$?P-Q8V-YaqA=x8UwBgWKTtxboipdAGXieD%*c)u(%RuU>11cGF07%l-Rf zNl0(ief}d;x3ri%%e06#i={l%*pTzkfrT4ZK=;CL_}SjQ2dF@vc|t?|e$FsAFxH=( zEj1Qx6VUkLQT3cgl<|+TheE#%<8iJiG=4j`(;U5~Beinkw?J$f7^B&azH{J`c4A7O zh8bTuJ{c_W-3i6IDSsgP>uCZ4V}=SP?9G7utA_U#q8j`09cdRgb|lPVJVjsG zso4W!Tq(9dCx^SAA3=5mjTBc_f;?}oJ8vU98c|AANd4~gLK{lE1-{;@^&483x)zAt zjIin~jFAJYl~-Uesdw<)ikFPc$o^oe8|Hv32VLge<>3@|L?cxt!0+V&_)_friJ@y~ z!J=^|X9(C=QYcwBRQf_lkfrRWW=5yw-!Lp?60M2@|JC7fSPEZE!Wp?j23~1#2|11C z^9WC?)Rw?b#+DqJqE>lzV~^aY>(Xx|0bQT(R@A;UX>U)7lSSHn%~{l0_nT$u5=W>M z_XiqdeSc2fGtK@gU`#|VbwQ}QwSbjuDE zF+L{oLn5^8x|EZR7g)l5H@_Bs+-U;_JHm`L6r)T)Wd_{e_w;(47z2k!gd8JpX1Gc_ zpkBv)>?bm!_$^b02>--0gLj=0($+#5XH;A~1o2m&6XLVNf)$^b09F)o%{gkxYRmDt zctO!L5#b}@gF+TWRk4cTaUGoqpli^b=>Kc(wlK*_vPH1}%orsk*^1dI6SdI{%dYUo zcSVw3Wl+mniYcf3oO`}p`puQ;fO?nTe9dgh;2CnVtsvj*|1S@A@uF0s~dIxrL_ zHK5H7iSE!C3%}?NV88;C-CU38LhJ(97lKpo&^}lM*iofah32vn_uNw7IB~8b2DiOg z@*hv*+69q9p6Q|xkw>V5BwXvNb zXyOCNQ($Ec4b6rfj%5m+S&GRaM^ZP}ww20?oV#Q!$_HdwSj?qPp=#Swk7>dVGk3-4 zJvp_AY^xyDDMLA_-A-BUczH+^s{sY?|^yTo9AQ4s$|ic#4k^*5234Z=v* zn96Ro(^2@uP^uuB+6vXUoC=B& 
zzfvMipchC4_rnyJZ@Hfs&k5Ol97E-0W4l}-TI;kZ50h4#|5K5ZgoVsvLwRTuE^xW3 z7qJaI+o13eF;zC13jHdGb}TRrvSSj$!=(-Mp2nUMXDtJQi2ZO;1^%&?9*`_*1mrZz z&n<%mi69{B?dMualai~%J|wPJ;uEi4#bnH|qB&}~+&}r1?f_bb`fYjHfnOeV51(!l za>tg~g2FEEb%|AKT+Dhs;!06pQ>9d*a9QK(e_!prZ-Mx2pbSbOTbaDsD5>f7Hsi(I!gLm_418`Fi(IakLJitw9B z$?}nIX?`x8C`gSu%WZorlMXG_7WIL8NqNU`k1B(dTO!K0FH-zfJ#?f>?Gd2SO9ORY(Ek?!J>h*sRWBj4Js;ZfijdExGSi4Sq5^nUY@=Z!&>4F#Zu5{NVdX`TbG-Z?|B%rP`PF{|mAW zn&Bo#jeRMEAJtM$_ka;ntVkcuS^8VM2`=pu_P6{0CaLYRA0o zstq8YuOT=y_8Zl5utbVYcSJA2(G5PVxk=r0YQSw@Tn~ij^kR-&XL?~TVPe^Co&3@$ zKK_2H>)xN{_YH-f3Z<-yw9fOm5ddPp>sB1;iwlPP^K~tJvl&X8=Hc!_AW$O?H4GP~ znL4e`GZtpxc)Qwo9Ixlk#N~|Oi~8*yj$)_TE}k&-*Nn{yZHYTg9m~m~+k3wN(4=O1 zjfA#UZ>s)FFsl*G+xDaazSN$YOwUVKb!kRi@9psmKB29V3Chs(s^aY_UD>+?k}Ntq z&ytkavyikXsEh#~b=!R1_cn5<9y&&@m6|Ru44Iney|HV-ig$ZYMv|PPCAJzO{qQAP zE~KU9NSxh15ox25RIx*ld+Fw)ph!Nj*(*tXm#{&WytKX5vSHh-<);?{q>aoZmjgEM z{T#o_iyPX{^E8jT5)6ZtYAM6eh97dM6Z&Y?@mI7BZ@cF1K3jG}M4hT{#mflo;D&;B z^BR>I%;>Ci){seV2c^cVg`& zh~ccv^9qH1gNyhotE~eH&SzaI**V;9I56XiyX7Z=oP5Xbg}tr#RaaIWJ0CoasV%zF z5kU|r)91ue@n|`+v$~Q+y%~U5-Hzvt%I!rT{*7DX#CPp&FSc9t_h4%t{$V%G+5d>G z7|b9zpT9tl(tf{OZEml9u=+bV+Tf9HQKURmQs5?^uZW0x_eN@qB`z1qVgDeeZZxk6l>_-0z+ zaD9T&aJ}52Q4#Z{b$bVz8V!3s{7+k(Dpi4Yh?v~R2H|jtDU_$HO<0Ub6TnFzT&0Ur zYzq<&{qR7R9Q*VweCtoVj}Q+DQW@#wo4Zp|^;wD_!Jj(0MoZ!rgKjLIPbxYCRGvQ6 zD7gDt;Uz+Ma(LjpEeO`aGvR+lqnSM0{b%vaPbO_&D~i(h=%c!Oil_mJZrKg?!zc9d znl|XfkBHXb2+|=y2X=?d3E~N$jw^#nx>Te?A zJfF0~vFti@{k11@0;~2I?41?u4%P*Tyqjp}oF zptly^|E1+mp>Zq0^!qKXtcI49xSqakp-t$zVq+NZIw)^xGH)B`9jhQqW+0^ev#AE=9^k!PoCvbjP1!4 zPUgyt-_VJTolu*5=VKs=x->tNC|x-O;fjjZ8txKSfvB(?c(C_oLuzwhc7u&3WxTVw zBjSuDOkb>1_kn3lKoTy(Z(K0~wp5O(=Vohp2sV2;nAg<;DnoBKSSE0 zN`au@Mo_}B!hGi+m$LO8AHBPCngIhf_KBS4FNZk3{zO>vPw4RTW7Tt~ue!T}+HX~T z<|M)HXT93mrrUu$l(xcZ2%#n-OAprY10^gb$uSnWa~wSXrwm7ulf2Ixx`uPprM3+u1)(Imj|~4wiBRP0czfjJPGtX zGAyh|)U3ckvWa4b)4!QG0jrLTqUmmXT#T9j-~=_a0~@==@$HokEK_xJK)*~b-AAXE zaz53AfH$SU{J(#Gn?B)zjT{s3wnZGbf8Z`{Sw(s;f`=;IPZ8K=i02!i1w7%_e+f1S 
zx~O1@g2KG1;Nam~;__h*eyP;R2D83W#JpkWh18&OHQ7}3o28A5csC$ID~%m~&GtIE zD>!)-+%1>WGjvx$+;(98W=h7_8vs5^BelRc@7VjkwyAiCiB3;ULkdwcHxK3jA>QWR z#PbLcDvhu4t;nx>=;J^nk}P|xlU^U>tF+&+y#u>i(~2wc=ZRW1lGOszafcKygVNd4 zca`I@ib*^VXm!}x%2tbtr!Lu@Pi&+NnVWr|1i*p6s4EU=gqNS6xPh*WmSvDq6cIG` z|5+xd5$hfhGEg0Oo^~9O5i2p-{gYvOYE|2VeY*Bwcst}IxRp+AGRT}edRkfM=sJbc zb#JJz&X;)mJoO!R9^BtTTOt+wbI)nIl^`sOZ)$3aV3?9Wsqd&;34hUr&0SNSYd0)A zAahtKOdf22hU$gaWWyi$)2ZxJWVECwyYWS|iffE|SZtt^5om@S6K+1|vy;plnm+xr zwG+?gB#zrr6>fT2P%$-p`eNZ!+N@Nrx?0|E`p%I&TTw(X5uVi!JJDi^LoUMLwO-96MrR zty9fmLB5Phpe}a^9A&Qv+_aFTH6a;!&7j%AV-^YYfrz^l2&2!9G}hZX={@m+&wXO} zAM0-K5#?!3eV=2m{8gVtH`=lQ&kAsQBI(X4@J9RBkLc@TTIZHY($|t-@wW9Bj(%3h zIboVrxecy4Lc$eTE?0aPy_rctDL9j&`NAG&zlDdKTVQJEleQf1+lJ9v}VAA?2(b)un}g9_i&dCi-ulN=n}OMQNM`h5gK zbZBYry#M`Sq|;B_<%1g#JIf>oGps@ z_;jJqsN+yy7!88j9hyxv6X(4&=XK94)wRyvv)WZ1lcL)%9;ocH_}mWK%}ghFoRB;) zdd#FL3-z82RrqiED1VEF9D4VzXNs_(N?WwH+(+<8G5UV}oeXwp*~Wy2Kd-FW;F8Hy zrPNOfd)UyTCis4-iZyvG->3gYNG9Eca)_+r4EfZY})ivUN5KQLQc>0N(fyxf~cP z$U%qH6|6t~sQLN((La69aCchsVZyr&pHK_g$!Zs|7rY!z>L7v&Yf2Y*a#L3y2v;kL zo;eWHVV+-^k2?8s{xt&b8^(2vVJsx;YD`%cIgJp3AVmcwD1}weDwKr{9~s97*+P35 z{+{=7s~#`<2Hy_f{C6cT(8e$3Irna+pvDfdllr$qRdFkihepS>;oQbESrfrnjnnk( z#(~HiHR6QNZ3q}i<=3|Zt!Q<8ioE^&PkyqvIT1BGX-d;G!9Sid+UUPwE;yE9`VQN5 z0*`nQ!3`moCW;O#zES!E5%ukkd zyx}s!Zc4OOinqiAR)6)QI`_xTzh>gQ^_^Q%`6Quz4LL=pF&}@2DL%6)dI$#LD^(1oDi@dOjyycs9XRVB1A-kE;L?(}EQR?@|TW@DFfU(fxu zaEtF;{^hB4;4;>lIx)}Bp$twtil0)2>TC-OQXFo*I20a-<$K>P$PX+ux1a@WgmD+|e)5_C59+@yz>rL6Bj`#i_7oI;;7M+))#d*d zLk#r@cj{(y`$eyw*#Y(1*3m)HS-)~E) zNjw_}c!7;Dl3~F%E4e$dX=cbGxQq^yRgON`sIW6q?ZQ2n&cayPVu*SWSy2<78?Xm) zUV9zqrx_@V5?7%s4L<+m&OT@^IJodZ2tS z%HroaBa)WWlV#-PL?!XIxu$?+*BxR>`%%<=s8eNOD;^(cHHZM184p2k(udX?(<3Vwmv>N*I#dtZi$^+H=*oEht0Z#eyqg@^+5jyYUNH_ z@q`7FXJDO3A9>mQpiwiOgJVCLT~PsNX?yC*il?20Q^-41e>x@B&qt(YFKKKhWVA#vQ`6pFBES%Mm0akMp^- zk3@w6qBg$C6-#C$7NEZdaqw?&E|5ipmlYF{sOBowGl@40}vHHO3C zchQH^v<_^{$TM>RvcQ_xKLByhwjOqlP|Y0*y4d`d zafDgKOq8oH0Z5=eW0w(JX+djr?1SJgq@Sbys2(6G$byI`UCqzC^z*NS`{f=qU0;n# 
zgTn3`7rIMFg4%=N1!aBnmNjJqH}AK8=wP8F;V6Kz6Qnzg#9?DoQ8V2pB;amR&zm~U z^IIbhrq78VN;XA6EwSGA=+xZ8n@&$0g}DHpzu&&XUH1e5I>wWKcI;DLtY#l~a-lRh zE6Ve#4j@0iDlT%lrfwjjS(Q^uURTERCtAD~6(@yRHL0oWr{$~lrm*L`j_v*yg*HPD zA|oLY`jMP%1AXnn`uTq|b=J?NN!SP=q@;}dR)yNMI{bGO~u<3tunL>+)JuKM%wwQ<> z|NpfX8Fc$ShqslWMWNy=QD;wDZ%7E3omKdjB0=cX3LtB{B_kwM9Yp<XP$meGZ&K zutG~wC0JQ-M3z7OL?*yN2(lL1Q^9P#sj9}J#%hIsCELQmh?uj#qWi8uRkeObUB#p8 z=pZ@&{n1ZXj5WOt6|p8eVtt$$KZe>Sp4C-i+?G6Ql@4CGKEx(WLb?0k`1EIOcN>ampPGyYQVYkrTpMJ%0mej znNH}?P-FWpZiMM?uKBCyy?+XeoiAJgt-+IXvST?%)T3u`e^z+0h70r@;1bezBgo{c z>D{%W4Tz?Z%BzE+JCu|*o}Ih+D3ga8Pn%hjYm?twB>MO4$f&5`|Ct3l>AYRi=mouy zhg~Io%pH3>fm(}mD#6srNFS+MDyWY#reIy7hT<38lcQOkC<9-9!kqA7;v6raV zAUUqyYoaQkbniuFT(i}v%L>3{`Vt!)X46q=NaRVvsBO@Ii7+uv(e}9-bY_R8pu1q9 zFv(K+DW|p}d5~*vORO*#;jttIW+cp5%d^s63~JBbIg0zv`z!RoATT|2rT?d%Lit_5 z$`Cw=(M!Wi@O}@ZG1fVw(=rz3mg4q4s$kr8XvEh z`_5Phkq``Y6gh?q;B0 z@)z!VOI#uty{@%qa&7M)E|UE%LT@bfGBxXp(b**=kLP_Qz~y>heW;0Y_|wp>Q;%1f z`+^heb|Z95xT#=!E<$R*UuE}a%RAO$upk80KTnOqB4*OzMqSNGrQ6CG>hf&9yUL*) zhiRJh8s?M3RXD1(@VBa^$6|D%GgoK8pS(Z!n$welq@IYvZTB-j%uiKM6bijI@|4J|Nk^Wl911-fGASOHqQYiC^3Q>bdKm#oWJ5^`* zP4S9kREzZ2Ew2aTxl}CUxB)9CsdWEKrKGy+K^PTqd%o4VWVbods*2RPP_EjZo2aA^ zVzCT#OdQ-opI^_3zFMJ-0@Ml@`ptPeR+Qbe@mQV6%UxlisNHqPB4%l2xpokMuZ z$_28rO>VTZpr2~;)j!_=yuz3G{bsD+HEY3e{bb)*fQuU-V!*m`(EH=oCmECb+JAA_ zHMO_nG~BZdOH7{E0ti5%gn7+;L`3PAeEN z32M}*??NT)b(V=+NR)HqN|W);jgg2YwS>Xwa}Jl5mlUbR=xTC~9@`1U|LNe|s~9(^ z293|hPxA1=?qjBha|n=Ed1{+po!#$F)?fA!-P$D%tP-NrYGhAPEk~<5KGZlij0^YI zI)wiF1_ZDBxHLH>=m#3jQur-V`I<|d|^bj zO!yf??O(#k#cwxFhEW{-c~;>`O)i#L-WFhL^A9oonauq2Ghw>JG7TS3x^s~&jJVDHvX@Ax3i_5Pdr?O4L7bADK_sdH{7G!qP1}kff`tbP%e zXIk|a_{Vn#xHm?rUXX8fyYZ~E*wU9h?n?L3u`pu`U;0BU=NBxB_B&_)aS{Vi=% zbqoldhA8qf8EH`z@zH&GO|Ds;9G(mB4LuEr?q04u_6`?!ZeqXC`$9Coo%?<+85MoF z7>_lk6enve+%?^XeToJ>4rftY6pWpCd(-Brn2e8!dM;RxVK~N@ApgvJB?uFIM6)C0 z;PdvUWmnO=md>v~&|!qF@x!QX>SmGXdLk z9{^PX8!?no#LmJz8rR@SW{w|0%rVf=N`JwxRN=~?4gN8fF)swbxU`r=1F=swjlu0^ z6g-u^vdaha690Y89qs+)kF1VN!6LvS3CDP+!)`k(Besin{3p1AFZwXo{j22Bq#>48 
z=GwBmp(8Q~F$+rn{gZ5oqVH+U-yT*w(B~cU1Y4{Al9aeD{h{cx_F;Ku#=L!pX8zz) z7EO)hpu3iPLlWKpl zBNY3=y!?KK%GJsYQ1l~~j>iy0+S~y&rR@|#SO3rrI0>iWGU)B#TWguYivgsKez6Vj zW1uD0mp0rkyb9=z>*6ZXElw1{hW`2JB&zICkMTKUevW*)>BIrB52CeAHk8(EIrsY8 zO;lK}xMi(E-EMe7H>iF84&c1m6Smte5BhBkq`Y_!b^!-@?V{kym3e!&O{?ko+c3Ss z`OzI0CQ?P#!C@3@KqH>K!|j)$E5;Br&8u3VP_JKtP`x`+U2-521w16Iz(s+}>|oXW za5K|FqkOA&u^+f17W(_eJBqb=wae}cD&RYz41 z(TwK)^W@vnl+)Y931z|cj!9?Hhl48x3vD50{7wqYlJXY+i9BFGp(z|Br{YTU(4Jpi zzUljUmbH(Caa6eSbLHe)CrY08LkhduKrvao)>CzyQOE(4hSgv6<64z9K^6qg6zp~V zS9I7%$;&nP;zW*Kd$4!|1J1_~Bp@op9~)opOHH2nz?)!Kh(srbc>Vd%x@da8j0@7| zz#-$SMz!SX-;$!8lH;X{V&vr0fYy;1_Z##~(@Ebi85spFM@A?&kzK#Be0)&2)m9?U zt+nuB;YigAL^ue22g(g8VLsMXC++Hj=yAFBg{VtF{`&EY>&*^aAoq8)(S+bf!6z&X zn&_}Op!mg%owQe#+B|er0jfUeHN9cTRa2nOuiv){=~{4q!=}JggWzB}>2n!G4e!K2 z0797x`U@*j&bHIz?wy~MXhgDtbsu*J5c`4!W0Z$;zxiV>SU_$2xi7OxJaCzR4#(F6V2vx~V!WR>XpiL%Oray^Jxj-4FD`iZZP(!f^dQ-z>++)Lh; zmz`K{&DVB44RPO#CGldYMv;V2kALbUT;s$^-`~UG^ZOJri739UZ^r&&xWRa zxAeK67Fg+v^DEL@KfB5P>)9FlrS#m1LqSYJq+ny}eJ|*ccSpp3Q+dX%wJu*WN6bd- z3){?SF|>D0{t&l#kNSKN(Yz64mAD$Oefd}8DXjYZBm`jjcOG@r+9ce{pcuozuMcBy zuQ8+`GO`A+L52DdoSPyTw~RV($5o%^_%!>zS{#d&;D{78$# zPY@DQ!J)8qb&nY?H9p|{#LZL`cSGFalYOLa{Iix>J>#i6DxE+x4uXAmn-<#@o9+RB zZOS-UAGfg69%zV@Vj&TU$VGO10T7A9?MQfLKkxEF@A5n&N`@ROI;;vHd^a#CL|W(^ z4y^xY_BgR+1EzgJ_)hG`-zUB4fv<@eReNnH&~+bnX8-u_{0TYlG4iibjl-=Fu^Fw> z6OWRPcmgYm((b_y)BTX)vs0V_JXdEB|5XZ-PgJ!}ZrkTY9`xJc%U-O4Xas>*+m5Dg z<;nTG3_asR1~>SDof;T@;>-ypG_T9*@)q^B7F1n1$+{;Hyp7i>;=~+le2WPMMgtLU zs}CN~eF7DEgq)ox%V{@F>cc}B8E z2`&1^@8|#?}(aq#QR;W zm#yt;^Mbx6M()JPJ=K@34PF&BwVZi={+r<(jt=v7YOv=i@fE|`>(=k6q~Img`s**E2f6y>q@=(od~tuSCt`fffHV8) ze98?LGg!vO8h4cYao;$wj+8XJ#Tqp=^v z@QWA16q?Om1z=_fc-VQ(Vaubc{LilUK%djCsBg;0NPt@%A-$Z0p(m5d7r>_gJ|!LD z|3{#OI6f}+#4*ck_#Wn7-av5ceB*%C-U$~bSUog7nXJ;FZ`o6!)7kMu&tl+^4VsHd z%Kv(JsEm;&{w}(nXDco%Jz|fLgOk7R3zK8q?MN&7(O0wGtJU9qtAD8gdsuK{r$Yy$ zzm(6{u}u${xjgQQ`Um33sAzESvqQTZ0({d+&e8;jO7|j=sF}ip|P}TpoDi z#q)USMN45pYhr}fCsVw?egP7ADe=1kbcc^jpF1|br`od{*&V))UTv5SG4oI%U;SJU 
zS9X@}!ZfZoLNB!ynSRRw7sS&kDo$~#4J1*@nexu0v>TeVOD>;x_l{3k8mX9P+GUNQ z)qHnFnm1MEy5P{rELIa|0WS0KL($RobuqMSgbCFp6EcX#9V6Jb+3^orcm#^yY=I;W zC7w~OSJz|J8i}nFl5^oR-iI&E1o@fv(Z{4HE>kFQe zg31`VkAaH;IbjAP^1TfNgGRqRxlnP((Vkobj1-9L3Nu`ZVexTLgW5CD2*OzKEWpdR za0^6M62%+QUw64Y>>E>3P`j}}l++K3aDt6J_dLsHueolu_ux`@%R*vIhZ~1QBBk)_ zi=GKpJHDeRpVAS%*AeqG6BJLMMaX~^SP}AT&`8LOYM2eqlGW;@5NRUU_(C!&@*T#mpOx znSDh7NN;}#ezF(3ji2b|`Gu4%Lxqoz45|#cMo<<#Gb5G#vJwP&I}ybaR*OliIo zwf=;Fe)h?Z4sNvl0X@4K5MM_lo=6y8}GzMTqQ4L1EynIoW}E3WU+(QgQX zhq1cyt%G7%GfwdYemdgIACVX0AOGXkGTG*iT1U*KvXJd~QM1KO&%fnxCQWJS#;}$o zukIZJZ23Sm z*}XQ!JVK;Ioy26j{guSDf>Yp21x&i+WBjtuVD(pok z+Y?|NL3(OG4m^5Z+6>XKTtRhU`6WvKVve1ajrMtjSNV9!Ku}TAE@ZH#P5{*p;jA zM$Tx%PVvtC)bfM1|*AhvHMP{ z-PnX7{^o2$`x*~e5Ym`m{-s;@b-w&WIBmgD(S1jr@*nb_@55+Byisul0bOHy=VQ6Z z>n)j6X6HhktE8LCKfC!HtgE6#9F1^qC|HZbpNDKAiV4#yDkz%I46$yBEo*Y@7+RTFqJ%jr1+E^se%ka zMV`J>M@)Y5t*_>nV|}w1+du^QAgjE_q3!nZl^;%e4eNL&L2Y5?uABwsSs+FeGFY3F z7W44M4Im?i46<{%2X0dTW)aFeUXNz~(Kr0Vg?c&*2|JG8T8&7Io3leB%T zos78YR?m`BlVK0`-IiIM8q_k^9eG@2ixLMGD+82uX^wNOx?;TQGQ3#17%T*_`9n^o zG*5@l_M*c6xB(jBUwt~kRoMLKx*5SU;^W;pdw??)cPsFXcV^#l!Nv~R9I}{wG-`w~ zn0Ml}VR5a$g2q|%+;?D?ChmRW#R*qKucdj~LF`tB zx4RJS8>6X`!WZkow?HyNfgg-Hfr?j03yC>tvEoXXUjUK~oIvAq9}H(2Lg&9~4Go-* z*YP|xJNo@5-&p-l71AdCr&zeSQJCZC_itHB79rB{>1*pdf!pg6_QLjUxFXpPo2+snMEp-Euwuf zN%EthfD_K3qI8Pw6FmUo^J2ewa3$Z=(lUxq&>rCVgTKDTot5;zl=PjH`v`o*WuR97Br|eG(e4M~T%_n0(rCoNI zZ@_jqimd24KwbLAe(QGJ{K(FJQdF8ju(o$ZFb8h2ro^&Ynr~jPk2-s3dpR5^fUF?E z^1XMo4z(6BQ|#H*^-^qoR%iB(Yf6gfxRA!Pnm|MxuK&N{5GSZjyZY&u6p<*j3Ifh; z_Z!m}_to!ufdDsPu9_yUgMDp?bh|oGcO=dDN<>!Mo@v8(>;M%a$^nOiiPQ;uZxl$2 zzFQL0?JDcvwuhB|;z27WvFJrpHyu2?-&bYCu2-!O*L4f=GkA1+QB-$^i31D~Yt#RT zu2}B>gjJnqC)_tgY$z9UFMsULB%Ag;a~kb@F0zl|S8O`0H;_;DdQ1I$5>+a zr$A+Hyt!h_ohQzP2l(~XVlxj;ozIOw;3R)FyNTzjkU3={haYbiI~E?~`x(&w51l1mCwU$+}XpxW)onttt5wq*z#EDc(CU%uN(A~ zL}X4RwQ3}KQP1t2%A_Fojz=7%BP<~#u|?(m`*9PuP;j>R6&*${MqU!j1=VMa* z)2K(m7wO-3CS#`*JWphWpVp1+AJYtuD@{d94`9=y|K6d;S;JAfAXm_o2hmB+=V6DB zn~bYM 
za}N{VF4fPi#uw=GJot{*?6DuGIpC95B-o+z{%lCXRKyCD&=qtZpJn>)??=*pielrH4iW2( zVNA5$G|~u~d9|@<|E5K4Axf0^rmrICSH_@^FfF8!^0Y?EQnDz1A_xg z^GK&@G<+qoMUsQK(r;ELoo3s@pIK2e@aD}yEr@n6Z~jzpk^o)Y_SKQNyzaByENwtD zR*6xgdRH9Lkg1`FB0ekSgb*ZDPDO2X8wWT_Pcw_I-h_3LoTOj}QPTq4OE~)A1^kZl z$G5?vW}r=#)ub9Dj5%H7pMxBT&RU9nQ~(0Y%mB!@rwq%Z`jyET1DGG=pV4HU%#h>M z;F9bObg&cUScZ*rMU}249)!#+g!diNn55u+q_UJ;8i23-urkD=euD^1JsCXS;_+oO zh7>7Zty{>O_0WP~9=%5X^y-t9{T?{d-eX9FBI3XrbHj8-v<*Wg(fStPCcBUi}z?hhd;2y>#Q7&&uIhmq}aJe zf$mS#zF@I_)}kD=!_KlD9k=8&7b%cB2U(hqC-9Hs^Yjq|camO=Y@O-~$>}kX2RZcT zbkIMAuohgwaKb$qq*o8)jG=4m*Viz9+8H6Ppuom^5;B=RtrCSa3V*1c^hG5K{^sW# zP6Q*OOGrw2#=1BGcF5(M=^&H2ljNxDtGRiZcoyIWE|w@lY1tTkZaPN(!eeQO-BV3~ z7FD$%PNpDT$#U|<8S;C`D{o8_F^C7%MLmw+lbiOj7=pYU4>V22xPKNco6<81-F3A#@3>VUU7@V z<#)k@d!)MDAHUFC5eo&6oyMw|7|zp8b-5bH#yze4!*^#9aH--YCp=2tdnj}*V1U_eOKxN)5D01Q##k%^u=!naD!dt8xu}bxxOQGi zegoBGdg@C9XJWM5SuELYc4URg zOUtZ)#OSbvEl^1zE3cFD{k@jb{fJ<#PeYj?l%PiAltWKG|Hsz4wo<=$#N>%@Op4$O z&4Gu7M8^#`vR|&;g>~q8iL{jdC0cIo$U!F8j|aLT;*Im}QGzk{_fncB_2$sG)P}yV z$3O`=E;jw$k?4V9Zx?0T{%8th7Jcr$?;#UU!;bvMO!&2{Zrf)7N>VCv#L0~&Bsx3v zl%q}k)xdQ-zt~!WmN+S&VtoJ?R^^D4zGoYi`zp_@+doQhpO`1fx(r(aJGptUZ2dNr zm!aJUBuFda?6Sv;?N+(|7dl6ET*}>*0_f>{^(iE2*f3lF$AE_v-B)pXO1~RY5cyMB z>;8a6cesVS=jX*>^2)0Rt3Gx=Y|8bG2082JezSv0%-yqHol`>d?vom-{`Ul$jWZ_B`}(Lw%5M`~T4OjzO9P z?Y8zzPixw?ZQHhOPusR_+cu{4v~AnAJ>5_9^t&TY#NOZjPUMfO9~GGqbyr1JR<3I; zR~MqV#gTk1x^6a39^{1x;OCXV-gVdM#dP21QR}XQ?daru44oEHtzPp_srz=^E+4t5 zpVuR%$JnM)Os3P1$%60eyB{ykUhF8*jgClq3!&P##RhPj-VOC~O^h033sjk^O0^a< za0716)R(3VGEs}_r83HRz1Kd{4esxa5jXrjc(7NoEHSx# zI@xYW`rZq&ryVXo@ia&=IM5>8-XX5FyB4OnxqRcldUOyl=3oC!_!&X~RhZAxD&$CV zQ={o+-mP0WUWED}vR<_1Z`K^{PN3*T1qA$!w;3rCR#BR;LT6778|P*g=0}imEM zunz8iU71TmD3yO8ZN zXZJ`Y+=C`!ndIw^R^rH)Wiz-r+NT6v4fvcbJWGm|-4&p15^o&w7avre>J`<4IJ8cC zHq%YuZ^=ui3Rzw+(?92*dCQ25oRN_H85^j`pXQ1mdZDiD&(vt+dW1v)*QrAFI_Lfz zTH5FeB~Iq}%a#5pxL0GBJHMMbu8}&db`j=GlZC+ zMQs06tW$Ms+T2Kl@eO5ehMT(lXD%qg6j*8azBaYIaR>}I!o4z&vU*U^35bvLQ0M&; 
z;B{PlM%g_fQ)H?sG_X6E)2qj+mcql5KA7nle6oDL|5Brj%tvAOvJtv3fu+x*{4kI> z8Ps+!kiclBSzaZSt$_wk-&Zi1D}eoA&xIXle}Y=a6@e0o;PklE+& zb+#vlFYcni%8Cl4CL5!_#@ufeBow~3S1G@MdfRDfk}RZCBS~{fr$zbvrHKx^EVmVs z51SELULW_lVYZ&6a7Ho4`J6Mz#v3~NgIEWp>ML4QQwxUsM6Xo;wSOy(^b^rsNi<+J zOlJ5;x9E9|hC0SbfLG8|ZfO2#!^;?UYtg~kNPS~@gog`+6G1LvWV7tm0E^2nG_;kQ zX#lnffhcs4I=wnA(1ihn?$d@L?r?pgt!x%*%G9M4;g2Z-DG*Kn7|OZcYm*u9rA7OJ zRJS2+*c9j0D0|6h6nB(KuQRwAp$f?Jc(7vQqiC>e`*+}bEm*eIAwOglX$ZR;h5ObJ z2uktK!@T07<8e=E{`B0B4KSE~2@WBT-c zk^_6+GKe(1Nxp{K2wn`Bf&Edcn@yBl$K!-2XE5YQAvwyx07qO0v<4x2#nV#PnWrU8 zJzXF|h~#-2<-W=^OLeJ`BN=f7<4uxR)ZG#zRDV|xIvmrbkU~Mwlfnoo7eiA+#1HfR z8y4E6Idqsd@*0{qa>p6Z7)OB5L;E977wY<|a#nGU`vT$e$+W@2Dkl8(W60w=^{1Rt zROE4;qK?y^vnDhW8)OVsfiA*;#O1gt2>#06mk?&=Nb~S#7=*vm-pq+_}qU@Be>?v z9X|9PZV^jv<}d<4qju+ZKYVC60~MfrXIIiS2S}<6W&rkxJH*$Skee0fGA|Hvo5HwW78tBviiR0LNNm6KdwQFEy5GKeWRyi< z-)=O14E2BaMP~!L_-S}+)`Ge7Gr%+Wi|xR%skI=hv>{E*J6jrCyv>aXgbuWpt8b0f z{=X($f$s_Te>VdP$ZVF-0|mO|i~l?W|Nl(~7IHN3Vd*ych;jV?aY;5S$O%bhix6U{ ze?7})`@N!wPYXy#T#JEt2u|T^b>8?N&w|Xk@iN|9h{;P|Y+TlmZ(?R^1usGekpoRESR%U~9_?%EUD-!JsOgKi_CcMrYE&x~iWN8~{u-KXvDHi6jLQPh72WO~=f zMIej0nBz=;|+HH&_p%H>$peB*JFjSI1Y;y|N!Y z!1wn@3OvbZefKpffiSN2p!RLGq?O7Ddx$jh0*}`G{FX+05ZcRun)xT?L{$AEHb&T= z0lm+hfDU$A)7B3K%H#R*ied8&v>4aS>Wl6{p+bQ2pur;q^F2^lUHF5=o%^94eR&!5-rv7y+TEE7Un31UEPK^i;r`@S z{Kbli5fc+R6E+)@yF7;%)6_r^azZz>&8G)(J~7wq+%>a^cSjL0mE9)X*v;6(~M?QAsvb&Cd`IH`IbrO%8NJK`D~T^M;!)-SQ?4h(jh^ z`-u0wWJveiITb!)`t3fs6lXU^S04|U7|&l^^3RiUYp=jp!OM5cmk<#G5~kp@B9Q#O zb|2P^(9p6YLONo2WTPC6XGS|ubxJ;MeSbA8`okZ)CsF^V-8$5#UtK+%!cX2f^F-ge z2{&a~H&G#q)_?nleh!9P+4X2FSR7$PQp&`N2#f3cIH z?|u;fp+F0Ku&6~3gU$@LVx+1@W3^f0@Gjm`)~*SX!VWIaXNk`9!dBW>Nyl;q-NL^T zO`_rOvd3EHreY^zW;|-~s;4N&-7)k>kE?~hE9{MX~bz?PRySoZ3#t`wX zL>CC9z4Hxv%#*RVxvBGj@Ybh8)gRy87*3(`FGF((=+h=sDuyc_8$S#FiiFqg^_pn? 
z52yiPLL~TA{w+kJzL65khFfhoV2EdEDyVGMDwfUq@idLDsHhZ~vrV2;v4F^GLAdQn z0C%yh`b(@*o*b@5w{7_h5dn=u7F&If{RZtogEt>~bTH@ZfyP#MJ;Ev$w_jdw%jFfE z?zB#&c!RqBu7te)E^zyK9*|*g4B#t4%~Aqu58x$qm8A`@}O9KW+H3qo0SUN7HYKi}$8ChW|u6UKfJ= zQc^?#C3KubdEa|AeNX*FKPonMkUFN29MyG4p2y4m)xO%$lz;f(!U1sj#aDixeGGUv zw41sU&mNtaR%SnK-EBta7c{g$KJR2l6(2Br-#LQk_PEnI>B3FZfTeZT)ggT9Szt%s zBPKIED&iddx}v%?K7nuL91-;!eN1S0>1#z!`07x7X<7^}#iPexbk_&y5Q+k8kDihkuoFZR{hk>=)-vSd#)<_)?rxxBK+bH8D0q+a1Wl01 zQ$mwACWL^&(}*6L@egP6iY+?VF9cF%{QIFceJNJ`SGNBJnpC>YTR3REB z|2(~^Ib+5?ZiN{oMZR}w9m;8IT5k=jPd0YrR@3YE{@dmbx9kdc$xRh;~*Ve-Q}*Mpc?^brM{;+J%u+z z61?hP8W;JP&fRQ1d@TRZVBnQF@v8~I#^Oe(G%Pp3>z?y<-B+C8ke-A{;43t7yi*AH z`;*>hdH)f4T8t%A;r1l0#KRg@N?(`deIDKLNZv`|VTQk;sU8LU0_Ty>ca1(iB_#x# zx%k+>Wy{>I`hJ$J#}&9A`G#(YBIR8s_;M6!L<7WGf}rQc??tvpWx2gZyL7iJ%K|T4 z5KnBmA+qU#Jpy5rKZqyH!8~nvV{K@G%67lrd;B8}Ge_wCMP_iOWD?&7XW|RoR-U{- zHs5g1wi*uj36T1cJMpFS;3&ghNDR`z?+Eq$JO4f@&X8etGub(Js!gLAh>WvZzuh&R zH>=LlJF67js@6$mc*Jp{D9sW6f-%NeP*!|(%gLX3diJI~u!nsKzw`NKZecgHA)O=Q zm)J%uM?d(0bYYcmZ`hgvW+<(Z(u}psb%Xq1@7e31WRSoDuhYH9=G4IgAB=CAg(8h+)8Ir+&A(<;JTdQ zFxqCIY9e>!#JDH!@sU8LYkZE6e}KKHwG~Gn*S2@Dn&7mbIKEP$0827mx@Uhd9`D8O zX?@$si*?sHX2BOUmP0D4+6Lmo;w)Yk3LrGJ+hjv$laAC15Ww46VU$ zJCKUxdq>OeQ0sU3Z0Pd6koA9hnLCrv?*!pL+CQ%@Ve=6PElBWWy^Qq{ZGR7ZIgiE@af9g8@!{i{SJH@m-k=0 z2Spr@hpi{qqZ&nwh{59I+UTf6uLjOYS{AgT)>eR6(a19sNiPK7Vr_d==%?f7V^27X zaFvoh;w|KK1M=}ePX{XO(nW(Wzn=tV6d)Z&hj~Y!)C+wJ+^Du#Ovf{-cH038XR$dv;|jCRPzMJVHT;nq*RX zY#$P6s( z3N2(Kl{jLc)&3(X1NOgyw&_sED7C_xP0j_wf0Wi;|gqxP-)F2PQ+nlf6ALa9OC4 zK35IzRPc2Dc(F2jgme|@p`yD{l*|k!lO4=k@r7Nqa|WB-Qm#Z@yb##1f)ElL5f)s! zS$-Y@z)?%I1}@ButkW^~LP4s(A_p&NQm4fhnZdK9`HSYjB$`}wovCS>Q8oNl3vy&J zCw48*Oegb}N#{}lIweoU2l3&En9}w^im=cjnY>vP3bXKb;HbtCeX1C42E0%(HT9N- z`K4cW$Ked+mSc}k&%y^MVd01w7>KJAyQCkd#T)gJrA=er;LJ#Gh?^7LwQi5BhL05H zL4~|cvW=Wzm}rJXIf>sfEv~Hl(YUK4qQaZ}oIGd^$YqA}EmRRd>%-f;LW%4X?M)O? 
zZsQeRg5$)3$q2Vk5-=UH&e&p%e02LbSd_^T~=GY*OK?#e8ztk}lbg|D)PcGUzX^^|(R5#=~m%-RLW(Tehr5jnJ~h(tys zLgLd=2TwbozCkrc^DHD>A~L>8na=!y;SEJq-0G-Z~ zP!Az$G@RUq(Rx9<*o?9Jt&K}~-%$v!vJ4wV z3@1lmz7#hEHVNj*nO)}1F^@Q{-G~6yFYY+ue}jn2iRAO5AwSIDD(aF}o5#@?aaZO^SR+-J6}=m#B)xD`#B3kOV%nMGp;XxUkK)E{!|0vN z(S#0?7`>#J0zVEAQICU;5nQ8r;&kZHK|=xEIiWM*g)*8xw+!p0GNShBaESj=y$UL3 zVDMWpF&QUAQfLLWZaZ7Fj;e6O<%K>u_lqAF-c+%kuHWIQJ)p=iUX1{(1YvC3e9`{u z?L@Te(Z2U5F}QBqjN15N_UN=C15p;2I@g+x9&WcBG)=m#U)aISpl^7RWyhBKW;e$q zV&{pwUEp(dJ}OAWbM1NAySJC6aBOb-vKKXi@5+^ZbY4;_5tDL*%N3|mN+9edg3t>6f*SA(=KvjSM-{2-xcmtV5Fx8swL<=VX^D4eGIWouryS) z++8qu-`Jv`XvK5}#NHjB(Vn!v%3L`;Y!=|8Xp8~$h{CQ9U7B);~v>5@VgOPGdir$?Z@(Lqg zP`E~FDR8hz9A-pPKka~^u&jn6!r&&LbZo zY1+cY^0gI~e@|eST$_Qsw9$^%;{%nP$no?23y;K4<~PknAERZ7KXltC@GabA`^yKD zq{E=*1y%uPJTW}}x#!02UaXkx+h2oavfn=KkcV{L*loD<2Lp9*`*|Bw#fEZkbNY<@ zWXO$X7k6YSOmw(WN=3rE;${Iv72?JC|m?bb9+$Qy71#Md7_u>IOJwVc0RC+ zi%Z)rv|qB?BEP~b!dcLS)SIw-JbY+xdQjN6b7Mpo$c>c-H&8S#F(P+iO0fEf%M2^S z6LI&TLx$l62Wn=7Y9mJMtb#jF#jBMs(_l8;j&NAnIvidS(cv9!N8l5$gE0vEgj#*>3dzYF z0uXb9?{z_0YXY&jluC(YWQS?9FHpS@SoX0%|J{UqjCxw&Bk)S(xS$VDP4q=>kQr^Y z5IJXf{FRHbei_un__O2ReqO0O?`k%e2ID@w(9Zia9oLN+1g7Kkz#Fn^1uCY%4e=r$ zjkuIX#8QfA*b(pjrpL7~0!m5Oo~2aO-lvNVyC&5Z=Q|c76Jk9aCAfs#i0Y)zZd-q1 zAy%fGsnl@XsWBeA3oSscNF;3AEpbQR2GZVEGt2&VfNZ39;8d8K1ac8lCQ^74fEZ5W z0}YlvBTF`OZqwRYRIBjLiG_?pljaou0~0OhUDh_c};dl z2b%lzv%La`j9X3psa-p^N32Kl%?G;e&0i#2ncUrIF$~b z7tZ13qy-CpIzAy-BLs0c*Y_G$Fg*G$gv*0UN%?@`D-$F46oQCBA;v%7$;+y(`5~&e zex)_(7V|R(eDVFlxap5h7=Ym3r~r=d;QinGVolY}>jyKS)&uq&9=HE_CZH~i;qB$# zfS8ZkL2ghNXg=BrJ~C=DRHmq|#s@1XNQsf88a5?wEn1a3qC(@tgSh%{Pi)eg2GMX` zW>Up^2#wBsz!b#zz&+A*2xrLC`uK@Fm$qeK)(6MV*ZoJ7-L#-m1>#sF+gO^BkSh(* ztChX`2ivNSxO<_KkUMTx*qxvk#!?$<$LjSOdVyf}0fXe4x<75+wIjQ#!zD-io7?_B zGcu#UuF!Cftn8~4eC)LYWgD{QOB#FF>JtOq^7R!Oai+RRw(3-f$XOsYE$LS&MHo#(C%+D`^@>KfvoKzK*;G3!7oJRD5Sf(73 zHHr`>J$MMIQN;PZAw)Y{rt!e}pPEOpzcaM!t_6n(;f)}AHe=TBJ=txnB&t$sx0|iM zWogzU5H~j|lZ_}#vJ6e+3k;h(s>Tv^A8O20%RI54Xd4Qz19Eo{1$j_dlh;bQ{GZrwj_yy$?sj!Q6Qxs!W5+|mAERN5_Z8A1s5S$F 
zVV+7>J3fEEH>O{tXx!4Esj#sY_&LISP`H?@zc~6h&bBzrW-4lG1lndjXBvu)t!U+e z!+tB9Hf&EfsOnv*S9%7?G*CJWS(f&u9Czuon8+8n#LeRXcei%!gPj@j;l%~xnJ%N?Bkl4z85Qi`7iQ9Sf>1NHp89c_!XNie2~)vNWxP&p<)JChD9n24}ZH0b_cCAZB!}f>cj3B7v0I? z*_NxA4Mb=E7-<6*hM@h(R7oc{IS4UBdnhkQtRX#m*;lXf56dgb_}A7JvpG&0-7EPL z{qL3Py$T7C6w0-S*ibJ5d30n@0t~@U@^p|PhWqe>zlY~u$~k%4mYkcNKcSaQ3)RV0 zncN@C5*91TRXvD{&!=lj(;OtEPCo2JX?RGG(;o}#;SUizdY3!T`z?!#ZJcpiAD})zy-HFb|KJ;nbuW4_aH4)z1%Ezr@3l7^_`(a zya>6wGwN)D8~bju`S<_}{38#7ibqA7{2DjZ-`%=M0F9Au%sQS< z>_}hiSNC=5b@SCGWZx;u(LAIm4kl1lhc!rtygP%Hag@88k;YUe-3RhdGd7amZm8BehP-AlK!% zhB5_}1yZz*`ckBkw@yO!~TGfNs;&O9XfAy<%DF-NY!-MYGM z!-V$PKjevcuUVR|y7yu1$|Xb`X->E>=V$Gs{f=pM#9zX;W0y;y@=u708I(iH=msZLSjt?lMeo=ZcxqSs zIJOx;uD-eV_w0GRpDi$b+Y%F-ocZnk+q6OiY|%IqDU4xn&qIV|gU5ODbo~C@ii=1ysaNotj$a zDwUojmo_$F;V!9J>+TTd@Kcg3($s5SSY%pZ8#q#@*B>W-&1}2<&`{O2@^iDz;_hNM zEf+R3FrQaUpwcJ`6f+*-QA9?LNa^g%CsX`NH}@7RqQ{aQL}H|ZD$jRT;DTB3%H!_Z zGMNb;$-j`B*Zs-TgC*x*q{o z<^fR^bbfed7`0K0fg#Md_|2=q9E}t73})TbPE=NsF`8Ts5X8X&DP$j}X0kBYF^|bS ze)j=cfHcA^*?732xC z#@X76&9nx`b{xn?}{>jm=W@{rdHZ~cD)lD z1M^Y=6|(498dp_TwnM>Ivp89;rfsHJmq)((OJn{3W+QH}c!~&Vq>!OaXG36v-q$Zn z;-w5Nz80DKOIuNG16*JJC!%vD-deV{DV!X&OPZZ~yA0w5k0x>vTYkgvirT<>>VUEV zDwJiZ;jRHGoCR^d>EZclB#+5#Pn&9d4MK0R&7AMr-PYsEgWoaUdMyG}uJGHRx5t~p znI`EtwCPu|*Gw$jVG1RB!}$RX7nlw9Oj14p5ls>Oi3HV^K&-Qej8}36~E1 z>Fd(!-RRi5ik5|;1i^9v>?G1L5?`xroW=#LlGnAe=0atIxw~7&bNL zOq8<#FJp4P`@^m^O$rB~TDYgApOXHjjmDhqfhiI&{abP=2NBRG97d?5`kVQeBx+)f z*3e_(#G0@_c4Z42_`!axM?wnrPMD*^Q730Q$3Ey{3;3fc(DfhJ7CP;3p~haZK{>$+hhc;3GbkVek@j}~rrc#8G zeOmTslZmv+YpZ=}nPp?)lQ)m-x#{V>{0TltWor-R;MXP#sxU;Uf!wu2GESv%S4B=) zFNp~^`XUdUT1E5hY_uFr`A}?E_%#k`2qiDj|JQ&pV!4vQRKAYTPW{S?0wS!asul6N zYxM{@jGoFo4cekE3Rlb0ZCnPZr^@;%1<7adMmAXX3_8$X%@^62 zBeO0ACM4Op$n${!tr#cN3oq2RJM5ne1j4k1<$t{*ce*U9OFFdTnwyCnKh!m$UXu+} z4Yi-QrF%W60E(+I41cmE&&O4%YJIJT^UE{aKxL*UDT3QOj4Mz6coh{7L1stgcN0be zK?G}95)Brf*fJ?vi$?2v*99EsfU5sis*H4jxXY2)-;h!NM!#}G zpgjKyg6JR%<&1n4J-8+d_Ac3nEWAYk?rUWypv;VZRR$Qlx__7~+zQFRBCS$ifVU(- 
zJ&}23PU{tl*(`-N-JW5?aP^DD#YA0IrL*?qrr!d{y8!xZ=?muZBi{QpCb4UTgJVqF z1TCAGYoz#4VIl%)O`BHKi$a@Xe!&p91oy4}ZC^fI>^l3FDo5Yn>`c4=z~yoW?@^$@ zpwv$bK6@BuN}1%hH!y=+zNs^dlEac9hhAsTT9vLZ-sRU$wUZUmyG4tjHGUB1qelOADHf24@^LNHnP84`uuJVy0Miat&+6 zV>7lOA}coxuJH2pD4m7vcR`CKjwuOkgN;?=?^Y6UtrD+j6pIu_>|`vw&fta0Fh=U> z9->zoqCRZ{)v!J+E~F^*IA@pviwNM&jfK`Weq_9ZYDqcUssYW6_|n}~G&4z|<-#~i zIM+z8B1UyhUxFC3W$Ud{#^Zt+#)u>vl_VSRURm% zARY#doB~jKts9KZi|k9xi{Kw{N$MC3O^>B=lvL4mx_9QJ$ zz7&-eLkn`cZAu{<23d&@ckl_P4pK5lI*nV5tsEC>&w~=3-7D+9Kc-CQ1RiQ*2fz?G zaz4ZtAD$GJ7V0qlkR?JHY}-r0hU7VEh< zb%>VDifB^~H8f~K%HrRe4j-zmDFC02xq{h7i)lzIHGC~W{;=fG=NFru%>LZ_J(*rc zZ))NbHcw-O3W=4z^b3olDv}Ue&1Wsk#D)EvQh)9U4oSGdliTz}6Qk_4Cy6G;mNz|8>+-(q6pmz z1)hP)1f>SlafANlp7=<}D&o@tbGrUsyys&kSU{U&Hv01f_w`+FE*iuuCUFMtSs%}q z1UDchq7iv+LUjThmEzzdU(p9+U8L3lIx3gmnDmS`yOF5WIDYW_Hy7RRwcNHg0lYW3 z-ah4EvW5oEoXw#>GD zyxxzvo`9E`<^5BKTr}JUCW95S$@epuXes?*mn60O!8U{pFRJ>p5O13HB@4MLutPwW ze*a6BHDJVJ7FFY(mCd^qpWc>#ue-8<1Yi5>9)hF}NU6r#2vYDPJ)u(UkW9Dxm~j1$UU+uwJE0(zJ~A{Nwa|8Z)bJ7MFx{s8u$Ln_&oG^ zAE}ONV@gHEzCr0fNhB-&E@_TDw)mdJMe1czz{Qi-BSdvfX2r}dcq{$w=@`hcdrRx; zk>!)T!_9X1gPTsgi)$Ck=1WJj&rd#zyhGt2yk%VM28*#72H_DF>8UmMqIhzDy@eG^ z7NfTbE5wK18Vpu5!sRJu52~k9o3FOhwsV@U1G!H0TE+k=tOb#|;(N8tcvoVy9l4`b zR(R~Q8!6A zPDd0zy{jL6PXZ#xZxABd{mB&iz4a!8%-F;@2*+R9e=XNCPwGcELsO#L2=0^dD{KXR zFXX{ya$-hs?(9<>NL=1)X}_=^Bt2w1AhYOLn+IM34q|$Y!D2VBtSfOJ5xTkJqa12Q?i4cN$@BWokYj$6qV$;HDOQPNLPU z$Vwx-;}E!3vbqwWEY3N<;V?qk*U-IMsB_2m^ql+qqIxzR!O&y?$nafm@MjBEkJKKQ zr)f>T+FbZH>f6C)+uBq$IjG>g>(D#B^7>zy7C&bWm2dmSd^gGn;{b zXC(e4N@t}24>Bj5?7c5MtLfpzd`gM=8*+dVF+<$-F2ba-;>>{f#So}u25+A~h(4_R z;8I#s(cluyY0F05Uw7K(hoZJ%$~rScuLaqTnc7~-%dXTJ2yOhkvQH5fMK3}vloY4Xo_S?>z1DkoFuSh10D2+?{_L{OhghhU2vI`RraZES4 zLnCHbCMh5l64$HKm1p^~lTwBVl4Y2EEg^`=JAaw9h#lA{tn$~NDL*kiK~i90%~i4L zPx!w?EG)n*b$nZEJ*WGuI+mh4Z$3k&j%kdxN0ac=?5@#Xk4*(~YD7E;7rY(9uhcSW zPi%+C@l&~dsLxt$Ylc5z#9ZMJu78r1a-pMbxKQvnKzA%(6u2Se8=D}>y^)r*4N*5I z^s+wJhxTo~+oN)NPe3b@W8J6{#;`DlEOo=agde|S9n+$BCBDx-rx8+23^&=-c5_j+ 
zXu_29wIFgsxAoDo#dAHXnnS{Q*1#_m^c@&nmG_p_P2yTE5qmwen?L7KhYD$xsS}m; zN#uEl84(;;7w|!Mu-gep2E#dQI~7!b(yF4yvc1@8V>(IQH1F5U;&|iYv*oB++fgW=L92NwN zqTea!Wbhl$XFUj>{n6lQ=-_$KpnFj zucM)Ix=ZoF`M!}-F%>186w>pz8CsfJ!@Sb_zMXk06a&YKy${vg**4DM?D}i_(NJ36 zYy-Kt>3T*X0f-2U^5bxRL07C;vw6(P+B;9psFSNa-(vvxP&+7tyricdqeofm9iId^u8V5cZ%XoYhUxw)FU zvDqcUc3Zql?t%wDyYum_+fJeOE>KLM03(!gg_(c9pHkxe(UhlkD23}H z5U+)YSS zJJQ4`Cc|zEw&24w@3OKo{$1h!-m+nSa{HKKS3;*xUp^%1Qhm`8+nXXF0P!<2=~L_a z;YQ0uLIqhFQY)yb8+svu{0*UU0t3X3YW(0rhHyKQ8F2TSeR})8nh+c=E~*0_S(xl`5pa zQ}nsx&=&STl<-g>L}>5_7Kc}#NSX5zD#P<9Yq}WFK@BW_8!Z*gOlnQ`a_RpIC&44M zSA64mh9m?M{ok7We~tlBSU=SROQNtqJ#PQ|82|HJmym#ZT9=U6kN*E*P)+_FYYS~^OePv= z=J3^tQapT?uL3UMcIfi{zGUZ6os#5=4S&*05&K;^=hwol|Nv?imw{%?E}3i#Efc$ngM5Ym*blWLpZhbn6v`Y`t6D zdCs%iw`cZ7X&JLPBr#ggqP1_)G%zLlljg5y&u8`wepg0I;^P$a+TlE5S0Hn zQLxtf&AZMarZ2bumVe*R8?|H%^om9o{jFe;KW|R(Z>yw#N~L293K>|M4(-U9hX`PJ z(axioK6x;{yy%YFI?QPOz*1MM8Or0I5Ogi+EZSVb(64@y)w#2Zme@TO0ZO~?e-Jfg z%;b*Ny_}<}*eM#FTnJ+Peb?kkH@JReT%`d=>G}f2`)UOtlq6<+uMDdv6GL;&33LhY zt5ARu6Im4DdAVf5SlJ5e!LRId^N`c3&n&lB+^b(p__`i=IpZSWxa%)K7gnWX`n)j% z9N>Z}rSb(f1?&NI-3)nddv7%+Jx*mMhkYJ===iv238gPX7-wz83KU3)4BfG6b$#&B z266jN=G=m5wsbrS$`n8|C zqj9Ie7vFR#{dhP*a?P3|XCU!Jqp@eoKcVV)zJAA=suwnOn7Q7Y9#X$z1Q0gb_6~-$ z?#BL}j+A9(NVe`b&a`R8bZ6RL3NdSZ zcGNxr4X9@*Pc&kbNDI<^%T&-=3`}i_eKcTh4ur7k4H2Q|A#HHf*~H&nb=NYw;<$FY zmw7EzWWsNz1LdlL!ZOtJV?@z$!!jwwf+y(ISz} zf!W%dQOryW>DuP>Pb4SyTx6-%OpONdK?bSXKxE>IccFU8(~*M>_yJ0>q+qqkfbaXu z&QD$DnUQL?9fbyPqD9js7S}+|blYz>B46{$?3l)(OFI^P>=R231luiFD#QS zv!EIJ_@bAPilMjBYOGSb%88VJW*jX}->g4hC6i>HXDKxj(U?NvU@$U1#5Xskd8*v{ z_A>2^2pIt@#lQF)p{r-gYibw^pzQg3L6rYHwl`gY+44Vjw`fY=dFoH5tL`}_@<>vK$6z1V%{v=SvVr%)T8YDP8 zAi|5J@23#N!?j}dQZynF(0PVI&&-Fd?U4IeS0U7H=^HU+XVi!1+TIjGIG_`$QKtVrpac>`5DJ=;1-m{Nk$;$7O`cv#VqntLiRso3C_k$o;^#| zQbyDr&AlO!h?*h)MvJV!C}7Z5ugth9^@Rl9V&eKUH4%W?j6;t3J*vD~n&{7jh9h|s zFlhwc3d~8PIni2LVdd9ZxZcoJ2^;4_$0QG{4*RjP9618DwXvj1JXWdmJXHyj_ad^j z$ylt24T^r3xa%3&HbX!V6Y#(kfuU&NMgtg?mbQvac7%^{`;D;Erh0 
z8;6VXp5sL^Y72n`PEvRvmYcCR2KVk%Xn_!R%8Bs`@MfBqi(4b74nwx?g>Onmg;;h_ zCddt5Nr^RdD`xDJ7Q5muX_cposFaW=jmHeje3=#eH|p%As)@^Z!83BNf%xJ+(pT== zqr?51H#{D#Up*?(yV6BbT5u^cQ6oX)!2s4ScO_&||J%JBZFM^@wf30rUxLP?Qrkd+ z=N;p>`>TDK>Vge*no!Z|_%!HduZ!V#!8FQI75V6Qs|anF|rwl&&w6!$V8u zkm~Pzmhd1D1gDt90+AyoJt#>jqjrHCH(OIL682G)(rq$&RA~nnHCQAD?VP_E8#S?J zJ*YzWXIqh;qP>FUHg@I^AUhV^)GDpZMDOMCp z=30Gk?A^qNcv{=?f=MVY_gff!jRaF-svdlR<}8r~bD0ryeG2jXt)>Cx zPgKJ+o179J)vbd|FRtP?wrp6`71_CVs%N`U(gTV#PZ)6S4to=3mh+?l93SBaON)N5ZST;zi z3X}zm-a{ZX61B~u2MfVfj}8=%Ci%(gC$y^SoYf0ml&MTUh~tmK>2nBKF%2pv#PtT) zT{QK*7DoIjY>%rySQ{4OYQzc+1@i;C?j{?wnw{6yJzjtHvy(s}AJHT&{+1>k&SQnTKS$^jQf?7el=@g9~bfw@L^hhgSd<*H;Y3Gy7T$Z3ADj2@u+WkLSy8 z;5vU_Bj<3JV+wxp*i3}nc#dl7vAhuQGUATR!;>#r_=W-9N=)0TWumMD=Z-?xyj|ZT zh)YH*iy6$GOU-vGGj%0O>Pu3+((Ue$u_ zPdD5(_eO>m(eaDBSLfe+!gh?kJa@K{*X%pWj&w}zSXI=pC4n-N>t5lI zpF_6Cq``gIJT+G?SdF`H<~((1X=keXFLX@Q_1?Zoj!q;TmqwdnBS2>`Q5?2I8C8~_H^lF+}ogSsafF2h?P^BLW`AAV{7;>ytE^4{S zE<{%`ANV{E&q6q#Titnm$6@{lhIsDo|<+_pa7fg@vvAo#!#LyubGK4&4pVW+~?l6lSf?W~RX-g?S?)dV*8ZbB zr}8ShS*RubA>iSeYjdy|AGcr5`A`})%G79*Jk*U#hV8)*Jy`dx(7%7F_?%%ql#`NW~0kQ2~siMaWr$=eIm z00=mPU}t|3GnvP@s#{NZ{rMJ?u+8j+XAkF1Iz4M-e`xqUWCHJQo@;*W^G!E#kKN@u zkEA9+1FqStcg@A%*cM#ZZ2HBc0`zLo7jw8*b?Wt4SSei#USFiQde@Hb&EYy?!9@-? 
z7b6=usR6_1g`K;rI=%Xxl36gY;fVJ)3D4c!i#xq(N{DtZ-}& zgK;MOLlkG;BA2^-*WtL-7G7G{45}Z8jEP9)j!yG5w>RW;(}vmJ#CGN5HSa`cU2{X; z)7+0PmH(WKaF zO{;6AJF_mDO+9P?lMR>m-DHiFrt57f>%r z!GaJXlQHE;{#L~9F*|bJHuF(a>cJD*-JDL6VoF=Rv820ubUy*}d1k=YI|fCJPjFcW z4N3&)(NAAIRs#wo@$#0>%AV>Lakprv=LFYlyi1MtnO$clZp%TO26R({wHVdyVo^2` z8n+-17Y5Z0c2J*#L5K;mzl$gYXY|uMXFi1VufBUv(g>+T(-}NKFQlBCl~zq-3|wz6 zQ(3{F3lcb$m8Vb2@-DlhFdWa??H6)7t?-j4+1@~8`n?NWo)HU2ppg$EZsI#jWgoAL zexe#PRK^HI(u%YS361dSh;helj*B$=L$Cy_CDDu4P3}Aux&ti2@zd)fbPl3oLI^Lv z2kOCeSM;?$EURc0J!}cy+oV;h$w~+rlgpN?4?Y(cF8MPk7>m`0Bgfx-3=an!oTVmJWI>c3f7vd6o$-!C1XaoAPTjYj#rE5(i6%;UVk!A}&V!tQ6inJX{ z+ez%IUW|Y64{C9*DioVF`$tlgRs}iH97Uv{pP~qwE6WVEFv4=Qe@Z82k6uw9Z{y;01HZ$8CA9x zq|**>Fn%;FKhkPKSuUofgaaS$YCa!hd{Kw5-`S$D&LQ5%?Z&6tjo_zbXDuM;%z0Fq zRLE(Y`NkPC+3|r6*X(U)5eVGJn(I%~kSKbZ&Wpx2H*=)59zSWM-`U$sqNpfT(+)x< zZL`D(e(R+sL6OW{gWL3FFaO2S^hN%>jg$2Q(5BVMYmqCNXQIn(lhbXAVs_-X*j|m9 zg+zR8J)GOchL^4)Urg`?2)OUqz>xvZ&}V8L~ON+w5N?oAk=FxlCjCEn+)Md zqDs;n<0=D9xRh^*I3;4umMlC%c&|s~={+sW%4zB~?fc_fJwj2wl!qv)?7KBAid=`U zuOIxg(?>Cfipd5kqT*{8$4ooY-A&tr-iXWu} zq*A{nkeDb{FHFDQyB`4yGb~LBiIA@60wN%*M*iUq!{$J$)Im~LNh+$inXuoAB(Wcv z(d7_&$1yn{IGG1u#yFT*P#$>KZ4cMg_FFuWw zAbTu6eD1C#1wbL0ZHA=Y*kIV~IFxV)R}M=l&|)5~N?*?D5&HfTSK!@%C#2j%;2MUe zCg;EaT$w)y4)hEw^?rItTt1ijN?Vj=L13xALe~mXgSiv)yC^ut9?~hV=ULR~qrL2a zOY(&oVW2O;nA9Mt} zB?GI5K3}xhI^7GI5g^5ahME})=2~c=Uo=5fEUqt1X4`}jAIvKKF5Xhqvt@ z+7Dym05SN7e(}5l8IA{9P3i2e02bQ1Bi^V8dLsHeN)3`mSvvaKdH{fR*$kZDPA?j7 zSXkSt&S>(=;(E^aYd|iyGZ*-|a3m6edI*A&&C*lxWW<41#tp5_!QR0c3~gF0dFGq7 zItb5YY{M(I)@Yhtr=%jg^<#{8zU$i84q>6oI%|e~u^`MylXl43ceF^pcRww3wEl=t zqTI9u!$XmTR9~3_+l_DDI-<5w5bBGh^x5Hp+3|AKb*6A1OW@S8!UQF8&_)>gPLUvG zf8x$ufOIi3cXJ6Q$OQ(l)3&3{JRHl^>LgecH%aH5XfN{#z8 z#>@ZWw-TZ`c66(Dv(k!>G(Fq+lo{R27~9MuMbI5M9d`=pltFp z+Eg)U>0;YP|JRt@1H{i>?!SrORPju3TWG>id~Re$Z|~!M&*qT&y;m+@a+;BI+3TSJXn6;JFEw|M@EjO+3suC8vL z)Q=2cDvp(S2QOdUoz$?=r(;ukAZ-Z#B_pgZU8E{=ypkQyyQLNen=e$AOrTKpKWFZRHD2QuZhh@1Op>+ z5qBmML-tuSN14hpjKLeDN;+r5A;)-Z=28AR2qzPrfMVfAOE5#+_PsF-A)rNJb4lz9 
zeDSv-`O&~I0L4k1iG+D7b^g8BA15G&MXVl!ert6~9u+gOWiNUF3D8mNJ0Cactf>>F z#4Txz*K}gLXZ~38iWy5Nh7b^B8nh=1!8OYY64?0R!l`~YI!80J%0bA5nak@K92Bi; z_%F5gi<&^ zWSfOXWfXHhmJY9eSE8j4yiA6lh&zUhivoImVqo@6cB~bd_ugmC++`mfCNgQj2*tQ!%KSm*FL*YQi}GFYQz!TsqP(cru|jjVjY=x) zmR^&eVIk(0D0uQSGQ=m@%>?6r`+o%Sg73|u6B113y(nQe7HWnyrJI6@)amr@K!(DS zOG+TGVzmP;YVaBBMNt4(N$W~IlW+5OI-Rdg=GkK1b{2WvlqL5C-Dm~+L9CVG7rHIB*I~k3YkT6F zdcYxugc&w@&-z%E1DT^1?HP(Id6Jr*>D#^6ku|gxvLIH_a!eDQqTP$S$`k(e*@JY2 zFUn5bL`}tkRtq!8n%?Yk6<{gal5S~%c@ii&K>$0LMq(!GKxppmq)GQG&^&K2y=DgP ztd%59I0FGfI422$wG{Mk(ewR~=cyB7HR+8)PNz#2>==JVu?0ED%N0&lnhH&PJ)l_W z&_Fp7HSV4je?R-vN%c_G^yskY3`$co6A~{glmw50B=$_0hCmTn+`yp&v@nP@9m$8< z>flQk2PF|XYsW$&tN`83^(UYA39hGSuP7bNEx73P(EE?35M<6L9A!mF7;2DYT07O9 zl$Z|$_(~e#k#hcml`Ibz?~*d7I5KbLYP{dUhgcw zc-(tiB)z*^E9n<~p3uTG(yul50$i{3yn|!eb@Sv-R`MPY@B1Fcx^!Cp(rUBbpW7#O z#^{~FH|p_tz5PHXf20LCs(>Gi~Q4pe#0aa=7qg4zm-uQOrJwKD&(q{M_~ z2b1S$gxJ3Ze#8Y@;Nt<^5Lw_tf=nyqF#4q29xl9(BF`$t%wSjVd?Io}jW%Q?-7AK~ zy=$;eaJTXw;lG7wE+#k(g>lRDj=wh7O1{oMp8AIQ7pC%D9Hj@0(<4JZAKZ+MCx-3Z zsLppbu0KWbbKJs(GhFALG!+)*1BCZ6F-l@Q@kz_Zq5K31V|hK$*gs70 zcL@r5KL;@}>|$rslzG{7;c)<{qtH-7Gq`Buj-6gak}$0&sXTSBAwt?;yve;^p`$)4 zO`=qMHK*L{M>0g3u;8xtI+zv1ELy&X%cO^B)Yr3C{27hWpQL()vrS_qIInBA5pGGNi9IQ)_-5ivZw1pbI@bo?;bZykan?$RNRC<9- zPgM6k<)rM+*p}yHZl-W;+b1$D5^014saL4gtz5JWBuoMw(TGIvnB$N!u8b)zSW?2W zf|B5mTilOYi22x6bB(snmOnMfhj?yT@Lq?DZ`7eACtOcY98?%1Wl-ssG#NZDnMB0u z-~%H?mm7v}Znx-q5(hq6%VLiu;zwB0V0;M!GPB?iRa!_xI=$km^Vu)NV0-U_6*5s`cP@EsdGfRd6@!RLRaFr4ht*m_;T zC`@ed+v_hs5));6xR4$K8DS!&p!~F=e^e^}DU~x&5#!|bg{nC+@}gP4buYnoM>sC= z>wNY)=P(dIKYwHNxcSHwHm^LODriTb4LN80SFbVjl8x=Vrv~r9d%y1N%6DQlf37iD z<9$ax1WB&2cR2ZaCSJXp_QlDcgG4g7NFl~ z92FAHvom;CIMNiYb`4xf6zCivI}U`}WmOK+Ce66V4~R3GW}*hU4VF-}|I_>X)u@D7 zi}!+dWLivoCzyV3+I&n_!uMH&OYwdy9XU1sI}&UudtOve|L|jv{QyRj*&o@7x=-Phm7bNa1Ig`W-KI}|N)UL=Mu`xg354WlbSHGt4z39Lg)LEg=UP%jn zBip0V(8Y2^+ao+1vKMOh4F>->Qv9SLXOj1y_!Z>O}2iRhiLaSB4AgW0u zzhtT`H;|%U6zQvDAQimoGY%EIwC=5kYa&IRL;})!Qd1HNNK85RWW=ULQ9f>(KOa!= 
zwW~GMuDUijM-p5MFxlTPu`{@-cwlNz6d)regoZi?T(woEIjoIF;4&&<^t{yk)-lg& z|NbFILI=)ov0wp{R5{LJSY7%bFh<}_=y10)fs$Wm3`6NU(#htR2_kbg2J>L6gd$8; z&xaxnY}zMbu&2KPOtD-rEHSAjDLd`Rs3WGS{T9+W1B*8(f5KEmaD=n6sKp)QYi%Vm z=UTGcz}+o+fXF8);uGD^Wg>ec440SrUp|vh5DGkQ;7DY2!^B#{`Eh&YYi1kAA}20e z`IY%l(2G@l{TWIx?;Woh)7sXF6`QCaAH@2m6qCk7;5poMkic4!{tT9%f{B-Am0lRX zF&k4yWDLTTbVW7t!>p9o=hGxe?4(qLX{RvgpuKI0^RX;J6aRTv-3NkuQw4?c6iI5F zHWh~**KtXVaBS`1z*#e9aC#N!&-~^**GYz%H*%0t#CEa z`D|X7PP4=M{hYM(fF5CGWs0{x&Mm#BUdFC`CZdF<-|WWIQ0o$A=#Rvyk1wRZLZM1I zB1mTpaCAIkev-r?tG^kg&tUY9M|hGqC;aUf5gs4)Pd`p+iNKMJm_o8QUbai7X&G4= z4EDgEh#;srACwzlI2kdb!H8baiK2r7zI|_@B*!D$8T%)% zS-NM8>&$@VMa}56a*VPi=Fhr&{_mEY&#w~K`NEOi%LVL??NtlQ*fcvBzMp*TDSArv zue`(siDO|b-a^hZ*c)=O;p6$rbI1X9tj_Cis0wH8Ts^DNQRb3WSN^&yqex4Z{zV1f z=H?tjoK0J(dFz5ju%^i=j*xe9(qujyi$1UXMRZ*A8@+-R^mu@u`+9seD$cq2*VU1Nh~1qtVr>Ma5d!1{$vDuehMG zabu=c!x63mI|FJ-+PM)%d_-Ai<7o(l0%vTAzmORBMajKxrQtoJm7udpqm^PaykoeT zx6)VSZn17g4Z?{1J<>W>ktht2a zJH*wDSp6Df3u{_GL2`NlRHN_NW3;@2oK1$YQhXq-PqTQF+(|cKN^#tT{SZr5iwo^` z5xWyjT#|p677dIx3Jcj8Ypv1Kmew$1HpOs6v+iW>U*NC;G@f_^Gk@pt?#)Y91yBM! 
z3q7LxWy4<11~#jwjK&vLMlz8nUSy;?B6aMJ^2kQTW~o8dhJGgjR;B0Nc6(%n&n^{%d<)i?dje>!kxTsTs9Y8?X{+at!S{WBWmO`A!EHFSEk=N#*z6?_PI zZQI!`?d)!|Y%F=h8eCWR_z%56Bdg; zaqsyRz4q0Qlb6HXY@_7$p+cv>`Gkm|HT$6^C{FM1`NK<9!JKTcExonJs8zc0d2$5z@v`lmZXiVrhiH@4Q5)f%7Jgk3 z?p;lslVILBEqcWFXOl^K7OcT7ay=3KzJENksFb0qMp)3{8($~?XZlb7ZXpc+!kilg zvm+clWs|{Isg!0TVDh#qN3GuWU>NVk<`Ao5bDvLscCq5=2LEl^!Z@S3j_*{L9pXPf zs5dD4QQ%2jT*p2PkWzd7zD}vivUq~k4nt*ZZheb#|d1%59zBAtb$yH><%j^qBm%0`;%Xg+bBQGEre&Cfb4BATy#tRckS~=PsF8&G$-bgw0TUmua7W9{839 z0mI@$DaGBVj$#BL6sgBvSwT|#1m(;I^VwD2fBYZ(KCpy3XlVA{^uU#bTr;^Mtr$rv(mG^AE<1HEIj{JaDjz9dpL(o+P?NiYwppQ5MFj<UX2W z+ZMNPKzil4&1Zx10}9Ch^U@SxC?KE$`m;vW`u+Zr>dYG}umPI~kuWM=a>Dr)Q?fouZxwlk{&(*F6Xw68+J_M20ytu=`XX%o zX_1BW&^a|%2@_GqB;MfMmdh}k!TuAdi?pOH_3Oci4%*n4_2wa6F-Ir0C*w z|4pJv1JU}Q4$_ole1qtOedt`MZAyb^VJ~5B5QJeO!Iiyo05$Nc+M}=W9!m0%y}qsF z|4!+@b_fO`WF*WWXCmRPqD)Ok&l5sQ5qCS6%&~i#yTNZSRxbBEnL%Kpwa~U)D!=M9 zJ!jif>NbzaMq0z$&sH+9%3T+OcOjH(Ph{(EQw^EUF)YciXcN~ySnK8n=|nRoQs*3| z-cRr~(hLx)jYi1Sx@JO`E=;T8Z*OjB9|6wM>tKKQ0VJI0!s)IcmCCE!oj!~AC9{-E z%?Xu$)c?u-f2Hvf2P{|)a5!4>!U%3}N1nRiyNCTH-dR*jmOAUIm^|)@&!AW6?TW>a zEp-F$cEL{8GNt6_TyHoYmO`2S;xlj+bK{Pw_a2pex)IKZdU2UWw;Utin?1VpmnuVf zYR8M~;&U|A-AID=$jo}r#d;3OPTBH||``0*IwfH*w+Re(SvwDV|Vn2v5Mm*7vojk!@#-SO~$Htym x$UrU-AR@;s#QaR}KPlD!*&YAA6dI84{BYt&Uo2X1JwLuLNl{smDj|LU{{@0Dfl>ef literal 0 HcmV?d00001 
diff --git a/content/en/docs/getting-started-guides/windows/flannel-master-kubectl-get-ds.png b/content/en/docs/getting-started-guides/windows/flannel-master-kubectl-get-ds.png new file mode 100644 index 0000000000000000000000000000000000000000..cda93533164cad8c145cdf8877940bc375d165ba GIT binary patch literal 25610 zcmZs@bzBpC+xIVul!OR~h=7Wo(jb#A6#?mzZgE4Tq=v2d7eLjbsXP1j?eM_@Kr}kg^uPf&6O)x=u}_7(z|lyS|921b1Dkb zZ?uY#6X_3`yPnF+D`kE6R!LW=KfX3`zjB53*5wbGT~@c8hhS7weENG69LK~X}!X6 z>i1_IEPa(DDCW6}wafh<+sC+zvzeMrc!cZ#%W{*hh+q1D?z?=CQ5td{G$mJ^En&mg zn_hwU+TDzQpZSCPqv`Y6AEJN2-&{Bq(($k?x(V0rK&038zZ=)r04x)L@b3yvoKGj% ziPg1pQ<+k*^x}ny>F$EX^ir&sl{)rVXQf&C>HyV>(iy#gLfh*C(#QGl*K$-L2b+3) z$ztiMInmip;_E{*r&2YFx(IZ@;KxJd@*AVSZ3#%oDbixs8;Y>Fw-pq-*%7%Ami06< zjV{!u&n*c?JJPr$77jTsfZWxR-RZ!6s(gfZONLM4zr_aRDv#{;Hw({)!VmC5(~y%| z2s_wNxj;NEX{QPl^&fnn0Vth>&&CD4BR}{mO5vPmo@R_r% z#CeOy8_^B*8$e;1^p9=S28C8)0;~1?iDl0w_wyw6#i6f}@)hunE9C#%5!og?u=)x8dylLb4pBP_G=z*I)hhtc|$@wTd4sc`dayrBP zfEb7%&HC@iETrtx)Aoz8S&KO;Ur4tirydJ`1T%29nKTTObSEluYr5^1(Zl_X1@9Mz z*r;`FUz~3n<@w($+dh2KcL)!(LOXwx+l#}OeGKKNJ*q>>EuA8r|H2lt17lByG5+e2 z8*k~88@FQ+gq?c>qkTt@gBt{!DjCaNRd zgw_TGPqQ+H&i#%J+?b@REj>B3xKnzj`Xu9-uwAL|T!cyHQpCMV3!&AiD*&AW-qGsPWjh|CqF!ubv!adCn;XsSm0SC6(>wb^GmTt{wB zZG(?YlN)nn_ol%}jJ|0uFKDvbd2dR-cwX$>^vKs`{(Y177!m_mm_pGWJUINl7iE(9 z8+}AzJ2~H=5>R|jjS+Qn(!B7b^!>EMI^h%+)ib3eBz zSN^CTTl#VekVVAc+PTj0=45_-?wNqoHsRBk2K3X!K5u$q@J{5i7ink*C}FXb93DCu ztEZ6&LS$;{<*aIdEbQBZ!`R8YXGB*;?UH7>TQ&URY+K=U8FIdi|DN2K%hx6B(|Uu# z^@Nf38SleMh9Jfzx#H8~7NX zHkk{w!^y~VT@a8AtPOuc!?55(7z=t?Zriv0n+m5?$~Ptb6u!w*w^|qmf9$1K+Irms zaWdsnw`Nc-oqkYaS8CHnS-x`wN1VWirZt{zK(>#-<;MVjVLE2>ZIK{4$m?|Prge+r zrWaA9)nzu+SNWdUGj%e3)GWQH{S=Hgo7OucG8r;I1GGl&0ysMo+3dHI*7QY1uhB^W z6Em_-JCT=*`Piw;6nYG~*uJ3KCQZFC)}|Guz5UvhRJr^G%Cy@9*nlN~=iyy#!Th!l zPwB98Pt_ava59U7@PPWUUT5*s)vR;-&SfLWfsq4ICu~T{mkhp_u^muto{pon`<0Ti z$(7v6%h{1VDStu4mcuR}dlC?RBZ@~5;y3Y*DOlz~2~LsgSf?}p?$%NkftEbiIcwc~ zxoB}P;*)q^p*505PJvnD-Q&-d)&~(E7k0S0h~32J(WO@}w><|7!>+{Wk}GwiokHTW 
zIBM-*o^_obYzqC^7W!HX*Bxo&0#?JR_tD1nDyqq@>WOvgsGZmUR3T z7gkp}n7sJkgYDm=^?DEo`4QFEmsK0ztdFszP1qpLzmwlmH@WbZ`DScmpJ$mqOT5By zjzUqy_s0z(wUL(lKMhuM$s2c~T}nQ4028cVn?!zmufPXP;K*B9$%)Mr#^#osF1eh8 zGBO?o=vi+EZu@7cNp`4zX;JNItNobsgYAk4EU*iZ`I~Qr0L02&$7no!k(x%@3MYr? zV==s;ZP^01q9o+@ zO)8&RMU76$Vv@CS_ImM4JS7BA*={y-Jp4iBg-FHDrVGSB=I9z1p(R4$@s+H((CeL% zSF|e%ax0!x%!j{?+wT!Z|Jc!RRX#)>yUvG~$FY!;gM)dQDb=?inUc&Z7Fo+2bsps+3%hb~3|0g=l#4F1M~4r@tl0i(LdxxsGAHo;=CgCf&#o(xp5 zbZBgKTU3+u5z45!vLSq+m6FSx<)S0V2=z>K^k)=ryNI4k)=re&U_&*n{xzAe!Z^PO ztl`bNf~`pGr_`X<@_uSgpp7M}vA%R4Lx| zXp5q>k>UWGhY&%N%4nC>0c{@y`_pVdS@I20#A!guY zm!-5>FqaX>G&N8rR)%7fIo&Z&+m}h({IOHmxMTT81U^)FkV~mEst8)xam0_<3dI3-&c}FK4%m)aJdL_cH3UcEDcFfMP0_U=Cf&KL6>xEj=w>R$kI<@(IEy&xtLv zqDCs=h zrcccO^mseb)9yyMT`oPcuXczT^~V&amFRNLh+vk9cv!h+J;cHW8cAebH1}&)*{!D_ z>>&~;J%=_*#ylExxX~zDa((^>pIHGZ4orW3dbHTtvAwciZ?5THqfPl|>+Wl!zIT-^ zRemYrwm#toWtMCFvt5;^*jZ-a#Hah;!DbH=RIgd~+j@R|QL6QSObmaDAdV1GHFt8! z&n8Kuez!!&7)9l{?{^6~-s0h&t=S^R`cC?ZGUcEH}LrOdbz`P06R?M&rB_DBiwud1qlCfh1UfR!yAoA@ml}=;!zwCUs`gJs~vFND{bMB+Q;7C%?g3d5RI=O12d(7l-*u+{|4->!G*wMlea;K=%l zoz*nd#4AE8pK+;{2RuJ*v0>3D4);85?b7zWnI#G(?AXs13c5_HQr7l&I!yx1LUS1( zH<#SB@#X4DHsi&!b9U5!8C1M> zkHT{>9w=L7^F^De*GFiznzLQHU-mSAcTA&BadZ4w!={;3Nxhl45Bzf_c?bXs&v+%| zNVAzDvGgEiywdun9nC;h!DKCNwtaV#XAxD%!t~&Lyr#;@Wj3*$l5B_-`;K_ zty2QL(=h@72SZu`ZdCG^S)1&1$i!~{9Hy_tDoq}iJC|Uk`}%e#5&`w#r=a!I(cuk= z^`D$y6J4Oy(I6tj$0T9S3Aa(rY|Tl@!&Ye&OY_@xiLr{RCj zO{K9#X-Kh@39^p=0Q#5eGcakfdt+pK`-I!}FH^Gh4gd9Ne^mIG4WQYXq9VkUP5yAy z)?rLnh|aoI`<~&`5K2&=rbsZYK5RR|<-nSa?N7tR)Rs7x04*2#)C2y%1>%1zD!K3$ z-n7ssbI-2Xdj0eAfsGKras!hYN(GxA({ko9+rgIRMJB~cKf+j=Qr;(AdD z0|GY9$gQrKxo3DAY)RtvY*)4FtW=2{PND^v$fA0o5Kvh)HONU&Q7fgNBNIBd^v#XtiTbG7B1;!l{tkNT&Op*d$P|x21-u~;RrUr!?xiTvEnvS6(@gVW? 
z$2e|#l>bH`pf+mwT;Jx_yHMMIdZK=fS=Q-3yGQHM{UH2}w}@-Sh^ShC(NlKFTQ1>}+%x=NsnQ#s-5KEDa$lF~Q*n1137jhXMFL=9 zRt}cE7PT8q>FOAw2e}pIgFF!S+KgwHy&wD`$w^DE3kxH7s>t6 z3gtmkgwyKG8lAmD6}o+6;R@&Udq1^h!*a!O_KTiM{&@A;kBk4Uvj5d-sIO8c<@Kvb zciWYW5^4~`LB?7l|9q555Bt&E*8|rg%fF)Ykm^ipMN=}fY~6MA_T#u8Sd4Z6xy8wM z>ZZfpnv=V{@(EiT>Pc=_OM&R5Bt7%q7Cqyg*CLM}!NbDboXP<&lJqqHJbI_>%6hvq z^10TXyaip+_FBb;4o%5?V$n}CGnEO<7xcP_MJ?eyk-d%Bp@&pe@9q$OOmb?`z;ae_u_F_hf;K{T2)c_86x>5W z)Ul!Jg?g6h{mu}N4PL<98!f?%g7^H$NtvLujP@ZOJ;D4WXt)v9T5Xj!AN6zKJDu_` zCe*!Y-j*G>`W%W z&sUz{6zsv15;0&M?ZGZN%QcL%=aZXqyil4I$kS}PfMUh(Nv1m!MztZLjjIT4sb_8% zN_hp1|86Wb+*c)}+M!|UTyN;@gfJWjIT!b|_}nHx6c9JY250SSH1H2U)eJURfRNe_ zGso-`MCZ-RrUE5dqa9K51+Hx8~d_!s5btX(I z2GCgLJfB}3X)@U5z2;4e%DK?XJrGfQcm_EZtyAu+14IYqKQPRVc=F zVg+KY)pyRvbnSFqC}%mDlfrRpLq#J`l(b<}WlFGD68^;* z${7{A<_lRwK4;Sl^rSG%p?x&t$TektTgfJRs`Mb^W7pQ(%w^L2Lok&Gz{HXQ}IEa(EdUEe-0tY(W$$Q0PT&YEG ztK`;ezJ`bFkB(vg8v|0(+|vB@xl#I2Z@^~Zcs`ZKb%!(%#<^l>@1sP^n%4jC4-OD`;gRatO=g;u)Zq5`Wsc&HjUDv4Ot^*A>{m9KnFnBkOL<&`1!PN( zeBoOo4OI0;54vz5Za%E(EMwQ|T)JD3S!R)EQHf2lEecwI*9!|_m2qy`dy<|mfN?ax zT|ed6#stp2PV6csAU#9a?hVC0%|Bg=gY#-6kL^r!Nf}(!wJtNa3XN)wm5-E^&di^_ z-wfe884Ns?l#TK2@8i%A^rx@(vR5A${|W)$az5SMEO1LLF2wgIB_`M`wdVEeFX?x1 z(ONGfUDhGGQW-S-pn11cKMwz$FGiW&kveN$=o>OK{cQ}>FQ+G@Irn-4B4onzs(tt( zowy$N)d=hq2>cv`9qXQdH=2AMEdF}b3Ebs$vH)gu#+cD8iG=RGF}Zz|+4Ux%R6`_` zt@(7krmpnlVS}n(48a2@ww6Rd#sbD^6>y{ zQ?M_+ImTPZSm$w9E1IQ7L}oLPd?DK*B1T|j%~-zVxs=kVfmFBZ0OZgPQiC>-CjU;# zE4>W5=OvynqphA$lVr%Ovd~f90n{fEZV$;Z)AYmre9TR+L|$OT6V=ccU!VDa_U!KEi8rRu=r9Sgc=GuEerd(D2`iGwkVsXF7+#&N}M zeJ}Dy1=2Eteo?$H*2qW|F`iTn7iK1$U#gf}kR{g+PCa9;@WqVOJdTKdbcmd`;jL{TB%+@mH=@;U~8b9b^r&dd_U;A5?$}I>h--o zZ)#VSvxgs5rawgzzYB(?D|zH?NJ@EZp^*V&2Zsg)fTQa&eIId~^;7WFlB$liY^qxJ zW27Ef-9jZaXg}3G8k({Gs$I*}&E$)_^31-!OeWFtd`^kI+;WX|Av=w1e7$x7F~K@W z3~BmOevqP$&JO1^b@BK^YR!DrPCwFBNgh}mVl4O@nPwKg_W-DBl5o4OLGD3{Yk`GF z5dw}Kl3EQ9$7ht4&!nrxx^2=(jnFjUS`x$B+=oVWRXD_uVWMk>6i<30motwV?L23~ zdS z>UqJ2^-&fKALjzT$@&rSpw9jxfvKZh|9lZ!`Rq%w2JToDsLAF%Kq*`1k;gyeRokhY 
zworryrZh;q7p1oi($QPb^X=t9-wnw{+283L9rzgadE*t*WYrp%!$t~gisoR3L6#epvCF_df(Mo zc1DQfp>^+7Dp1~h3JYlc=(6EsQr`vK61QRPN}rvAOkBC3Jo4(9WBVQyAiB~;aBdPyBm0+k3ENE3>BKQpej z1O`60_6nDo%x)Hr1Z+jN$O{KQ4IA{V76hS`>6Kfl#ZA@f-Q}5`~N$ zhYo|9cFhtNeDCdWW6?vt?t4GqV5`o4yJSWBjQy&YjQFfKFEGNs)i1=d_}-Ahrzpdx zF45V3&yoW0p`l9M#iyNpX=^SiEye$cpJRKYOQLy4$T^{uzxi3;t>H*lW zOf`Mal!6@uY^eelBk*c>Q5;8mUd6Oay{I21)%@PW*a#f}e=zufUC7D*?!{N{wH{5~ z&vw9%j+|WHJ=?q*Ok1WYYuwcv>MqN5q19(f!jbo zPUU)2H$w{X^`kfAaFb*ve^Rr^8p3yNyw|PBYqMNS;B2`5AS16StL@Xo{0TSq1IJY{Y>}zomJ9q{dULZ!f%WF> zU6LBkbIqQ~N5ewSy|eY@wX{ovW9fBMn1bDm#}RE}@woG;YAOV1>E#+(v!ed0)jL-A z^WKmY&1VDB`PPqwCr+b?qi3LiTKj~2@#x4kFk3?5k)Pcdrf%wKJd-GTKYdxY0NhYn zOglVi(l~3U{JwOoD5N?gQ&7CWQjODf-VP+WwRbOBpNMs2`G8hilh2GAO|>^zieus2 zN}}ibYL;2+Tf@^=XY~%j=$?aI&54q%_3Tii@}4f>R8QuT*c$UXs@eZgD}OSE9ZtN3 zdo1g(X4h=1a8R||k@(I~^ZsTi6sv=BZk~{4f*E8L<6$3+ZM_L0g|b}nl|xHXjuX4L zWdME0w_rt72&Xhg*oXRsSj24!;4tlrU)7Og%9(BKN46+k5a6?n{CCJxZuO_wT066u z3GbbbDP_VY_&%Ucz0}>pfDEiW7Bb8W5QNEss>`Oi>4mtzco~)#QIA4a)^!vJ zFvg7oeFXhN;;1A`iH42p10#s@gNAo5rFd%Xq(`@+1pdbVgFe-X6R6aN8iqns4oJkc) z&_$w~$EG@Tj0;73R`}hPXp4G?K0;iac|t3IXW@xt@s(}3H(;$B6hNhy7MaxSbWL6? 
zt#%PfLj}A?rDH!u%p`nk1D^Sqfi!+sJ>oK<$P+NFoS?bbNh@%B;p@1Lhfg1r5pS*3 zO_UVuoA?=kd>rDE-mT^YB(rrk$Qn!ijkz-@2#YiLX0U|%0PqHRYmAoxzpM_=TY67Q&i!{1KsgqAi2JJFLLqOHO^8i zd!w#Dey*>5*5n^(bM%A2r}JE~1`x0R_TXD+sB&kX*gZ7E>_2Xfl|NqjFnn%rH!!>g z=%!?C#)lTus~=SyeDJoXB#XgYV`KYxIWj&`=^fTb(87RUfm8a(7=;s!=pv@uB@Yzl zzHl2G^xNM8*Y8cQR)u~#%^yW6UR69fIbBw;I!a=c-H_l%KU@RXP)(!t`0m-HzIao% zfhBcF#%-5XT@AfzZs4d}fr6p{p6GtiV`Y#9A^sn)gx76yWMa%RuGIk64c^&9w^4rk zEPEL=(}n*U^)=7bpAeE}YRiLO3Xcs~;1)X`Rh_TfV$#T)h~lb@l|4}_ZvCv_^Zq6; z1_VVAI)#S=6MN#XPuJuk+| zC*&O&^yz7p)Qy!?7=1;+|BJ4iT)p~^d6@T5zrCUhdC7dSCAS?5A(6I&Wlhq$+58_HyAl3s?}!T!yOP zX?8XCKb9fs%04&{Iobw<2Q=hm-ei{J4eWn!|9*^LDj^Vl@Z)Nt@f3T3!p`r4k8Nnj zo}!oDr!GrO!ay#kUUhZ-auT47zIR1eyLvSukFX`G!)bljp3>Edj zO0AaZ>qqY0 z$wTi}k3u^#F-``_FN}&?dHRlN`IBR0w(5LC*6l~MIl;m&bS!xQv3`R&6zG@V=oKF^ zHhRoe5#qG&4@@qK6y7m{C14f|I^&lrUSBF4y<+bQu#FsV z5Y`T~s|qNUJfg^-d!}P&5T$!klVKV;Gn(e4ZIL+LSZn&f>;0gmJAN zTVB1rJ#j5)p<32$GbL{%d%<&8cqVByh9RCwYh%K$O*_SxPoIPp*{+`((s-P z*!}48mg=eQ+jyreVB@?LZ=DE)wdK*ORDecyL%rLkQgZ+5Efuoqd8sffHCl+LiOB7- zhp$GYxD`1~@pB&8O8D=}6yGY5qE}+bVv91rpI>!u7 zF5us02ld?k6&?v7xqDQ%!n#i4Jiar^j#fv@!#&Cp@NP{#0f*mo-sbl>TAY@nti5YJ zsZxm2yWQOD-|eqn;sOZbEwk&r?-B5~isZZ}vx2VA{LV?Y!ne2*5L=H}GDU6dLz;F% zC|-sK7J^h0ztw1%d|q)@54E)M`e@9aB^lz7L zPmLs9!*CwX{S!?(S(5llgD& zPU1lnx#mZ1e89ka5*KDKoTelkKrMp&l!JlSu8+w)L&-ai72(S8&k{Ex7h^{kIEm64qL?!MXg@%10Z?0|u&2RS(t)YM=hT zv6EbpB9q+WX6n0Q{fz%rl`U@p{$+xI*>_s$sCiJ9$R@02Ms^gR4Au9vGXFiVeO{jv zz?i?)H4H9G#I}uF&|pvP{i|Eq@@kv9cHMGL$eGoC98wjYY*bMjGVdg}kIYi&JI5VP z>H&|Ggw?LO7gJZkC{(L?QRbkX16>j!#Zv2^o@`Sz^RW#QS?fllPia-8Zpclg$o0yZ zZCizNgt4*c1oWb@VA6Og##AHk8fP)j{E+*_`oGYp)Yb6;*NY6Wm5jzk1VI*is*E?Lmw8yjcp5Q)mqoVSR39c|H%0C)DWNjivhO?3C&R@v zQ;wFW6`yDJ%=8&F86a46&DLALvDP!nU$R9)d-YDTzCA8%>doX=?+xQOb+$7j-(jGf-Ihz2fA*O7VsZ z)q4fBTwgoRP7;lew-GnrPeU?1Nf6&>j-F+Hl~i5OrpmQw0WZ7wbK51COZxHQxN!Pb zg3ZxzKEnHdpi&a+oT_Ne9kFLG^g9FhZyQ=tlev!*T7~YsA zJn6xiZO&GzNadYzqmQFT{lCARnhR4<;_EmYNVHEAdg#qMwe2@9*{Mrn*4Y&O?>f^0Y)QzT$h|^7w4MgXG+ylKGZ_khYhIWCX)XVh;B%ShC 
z@9g!``a@{f8%CP80?N1i`Vml|ye}LcAX#!LlO1pQP3Rr1Yoe8*<61;1tw_1>Eu)#V zgEnCgT^Q^Ta>v1%Ks-0rj8^*nr~<%KPzcvtRld98cX>&Fzx7NE5^c;tn~@^V72 zrzsHy6*&6*P4mP9_3fk1D)*(Hd6*w1*T+tgX~8ohp3&!LPQs_#dAs53-h7S20yZ*< zqEE6qGc)3)v-Z-LX}8uUH|m(MeA=!TsPa=3{*qKY*dI8+w_y`W!W`}c37oc6jU;3| zI=)m`EtM9l>JM^lSsJw*oM-W~lnOpRxEof++dN)tmdK?A^N?V;1;^gSPu8Yine>yt zrSd}Hx-CP_D#`w)8A+t;*VB5z!KLw$xU)G{L|tax!2JfnHir%lz^mugM8!*?-d*SRlrZ4+-xiY!Qu_*{7=ep}of)!l{cHJ2> z=UnH*2J#BV-40`YF}7ju8SCc$v~Z=yGUUArtWOu9h_-0Ph(0B>aXmPxT5!@F|CzN! z;%ya}sjG6C?6QnrK9sE`6FBiQP@IgJq80)9_Hmowl(=z4+#{c=79OdO=$($2pN$tv zf9@ENCpsY}j;c3qj{#JCh$QXYVwM^&870O| zernV>$I?D?zBywU`eo`|qyHiH2w_6WgqkY-J-P_rxKg!?i zKkkt^^5s%s8XleWe(kGRnl@T`;CNPL6Vtnwfgg7Pc8Y<%5ScRZAvh8xt+9DDgAbE< zV?rY5!~T>xS%r%0-41n8o(!y_f@J4r2X;A+4QOx^Svp-Ng-@nm!{a{g-9xgvW0Oqx zhK05hMqwG7jzj90fT*+54!4-OBCC9xlmp> zwvc3XX1)eKE!~y9pGodj>R{nO*dz^^)N8iVn>YQ{KRAC3X5YBA^%Qwe|2k_9tIhbH z_Qk$7Wps@HonEa@XI5-ZY+b8+aGBmWo^kal?G}>Ym6Lo76i_H`XGVXzq6%0b}tOm+1Qe zy=o4&e)&6>7fAAg#MdspNfEl?-sF{(9&m9o!!^B^c{B+3nyLpZup3m69g_lH;O2rRvmNQe5w!y%=I6V~S;=e%C;|Pgx-EjE{8ht^MiPQv z4rH9(!jZaBSU8b!Q{};0_l zS@-+x+o(d3G2Q-Isjh@G(YYfMKfjAlD3ArR;-JK9ocK?^$2%;zdb(H{(fh<67VG97 z%6|GYL+6*`csTtS_GS{Oe`xoyoSPejX~n`#gx zIDAy_pVN{u^Cj=F6%{-%A?n5g_PcaQ+`>8%hGih zH1ZbgUtMa|NL_?}9GVJ2%bt(Bp}^)xmqsb#Wa*n0(jx`B-)(#$LIh#D$;_nNNU;|%~IdP{^KV<_V)c$`S#X9!BLBZ06N zqWqy?!@Hepw-tyxW;E}k0XXJRh+)Fs-DCo4H`t``(~ye^pA>(xH5LV4U85`qhWyNj zJ==g`1Gn5^{Wz=|_ZtXs)!y?-R3*7J=Rc6VPgu2fv1QfM#kZSdmo|@jlZqQIzFp=i zdHQ9p3EvPV(4O?fuAE~Ci9%L@cRUu-C9+zv{Vi#v=3bq_*fGX{z-_`A=Ou4Go2(MN zRned>Z&RA$sJDG2lK?WGioAN#(ZDi2se;Vf(!f8+Q3A4!jM9>xbYVBIilQZcquVx*Mt#O#C3Rl{xe`uvWG=!jO675=GW%4 zDF7?Lh6&*&P>o;U&K%APvoL$zcOamib>9<{CzXSI2d^{Z26AO~64@3^#(o+QqBh!Z3W6-{{ATrneo5&Wd3Z&* zqpIW)G_fZpwR|_J@owXyjjrDkP`Bwx_}sw|$p@yv7F=Jqi00V(7;d6#3IdAQ7=q6E z6_g&NBo68Cxjib6tTbMHuqjdh+UMinzJwQvP`70>%Pyh1=&TKNL{0>qFa0!lK_Az; z|0^e^2-I3ta-}4tHEcp=dM5^Uxh`0YWU2L=`CvQk7HsK-i(oeG4ScjVp_{TYW_z?p 
zcpJPXH`$0@7eyQGnFcHvx=F|^Ud_i9lt>pIlf!@Fd*x4Y3|Q30M@wcc-$EUHvuD6w%ms|+1{qR3B!c}~9wN}*@0}6em6ZGr&_));NodqkY!OY7%sA!Yh z{SGnTsxxrT;&7p6a^C!;m`NSsxpgZB?1+l>+3D2E(9v@7hEMd)4@|E?_HA*k@iE18 zp<)(gJk!~J0GOL-2sYyvKCvx8=1$ZQuYylVIMh1l;iZjfq~re1#@0Z0jz?=d4}9@?9^T0$0FIuS_Q*=S zvWvDXxOBk;=Lzn*L7o7a*y;t_)Gcb94qhQazZS{qm3Mo!pg_Rx)bFuW(;Ul(fSbzD zUWyc(b)RxBm%z_wtu+rHoP`9sy`G7|$UX>skNM8Jfw}T3DUNk5sM+A6FxK`qMC`|P zhz}0w816NS%32VF@2~D~HfxcPj}fmP0pnvY82{SPnG+ z_kfaNG?W>~mtghBG&?8M10{j)NKU9_8Fv|*AGz1)r`!D_?cZIs7xC|Kff}crl#&S& zzJp_rH)$1i@GQ^_DtFL>&;$BA_ZJs<{6)?>BB#UKMbzwNt&wtlX`B* zrX{_a`=PYWL^-^};Muuve&H*U%N4nnNw#yNU3-*I>C>-F*3;ENLE^_Nib+$i*cO#2 z_^H~|2-Fe2e3}kOZK!6sdcnM*^s^H5>pL{Mcb_@$yycB}iRI+NDWwjK>SFHIkTYG^ zv7Op_VSIbrZv(HVJjv$*TnHevu{KxSnqL39UbTYU1)v!?e&m~%>fP3kTs3FFCRwg} z2rj>Oei45!*UPH3zp zKL3&}U@x)nOAbO|OdoMNRdD6`dcWq9AF7R<5q*pHQ9Pc_{i@NTNhpwf@Hub4^@pZI z+o#Z=4yug)*JU)1WoI_wcv|x(VBAe|#_Z`UlYJR7>yAx}K|8YIb3hl;j`Y{i8n*hZfg>+(F`C++<#fQ%e@pLnPL^Y6Yfu~djn7an@I04!n zZ}WB8CG`v@8wt={{F2HhRKVn&`N!Dqi{ApI4R-qXSAZ zLrzm}!b#!lFL1m81%qm>-` zfX;*6*ZI%4jlD~2b+U)h9>P*)LXH*>;@ac0=R(BLCtkV2opbrW0Op&hkkvlpHVdtO z-rQ}6u!Kd;8%zSjFo^35F}*ZiGY_P|@9sJcPk;_C<13*|Y74=rbYZ%%L5ir;U--2{O4!LYh9q0ts5*oBRU6srhdBxNuHK9(%QY zI~Rog{p!kgc>Eqlb}S0Z>!vMd0SUT>k5}-B8p3XVr^-sGuX8wCYO3ZY*ZOuoyiuqK z>w4zN`2vj{4Lm8$;!zJZ%Q^0Yphrf@G|+VUkh6Ci#X?^pp4F`&F=C3Adl9FMpDdWP4RnD?J*nE!%-P`C0isF68^S7ZlElk$9%? 
zx}HsX=Nt9C*%^!G9g)<6XYoU1AVH3h;oVfcY)`?O#d}@&^QG|XXEuUr=7JD?aESf= z4$i}*IfR(QOtKA%L&=2muA`Vut~}c>wQhHVH0`_sFKkG{KJ(VEcP=7LFvG1E3ns=VcP zeS}5g$`1lRg}tzKe5bfLgwLJ5qG&feLCe=G&mH>QfnA3iURaeWDw;bdg(p*87!-C+ zmTOP01I$S+TIRK!C|~NZxew6VZ8v81eQd=OAc3kwQ)L1<-*A6iBgyZ>jAl}V$ z4D9zk?X?C)CDu_RpKbt#2ssuOFEe#Qq{NJk*%$1@27@1hb_P0sVrLGWm}kcWzw*=P zUnIDW(utGctR0?CCySX+Fg1s%_h}a)$wQMgTSPN_E}LP4TWTf66H9{&KBx9F#)4xk z>#Co+q^BR?=$M*Q{#eU&W53u)e{YFx&$*XCPbbcz0~`|4m=Q^BEY)`wgHD`AHtX|2 zqqBO{Pa+^;W-zOa1-;hu?-0BdrCFp%ZM-9FE0FHt*nNM|eF6c_;+vVfA+Z0DCAxAbh=6p7p#(pOBG z?rB5ybWvvs>n8r`GJ_0BBc7Yp!j{jarpHVFlHK;Y)A`JVO{o5zM(-Qd6L{E05jQK@ z*S7R(7#Xn8YGdKER!!t}VVb-?4`Zis(wS7Tr)}!>$77Wu4TVSwOun1sb)Ci$z*lhjRGF>IwZea8nzZbUq0v)hmITN)Df2z&(EPMRzsjQM5(+6)F4A5hBt0BpKVJDJ_^C?3`cs14~T z!-&6%^ZPy7rJ~YdKI{F6-(e1Z{p0OU!rH7+x}fCBI>nWi}qcJYX!kUj56mj%5Cm}T(KN%niqw|Q<1Ng z90IuxTi=xUKPcA~FCOf%AGwH$kIU6bC7VIC@)+|;Imlf@pLu?uZg^64zJIfyOFS>j zpF_$2{#E_v@2u?izs6TSo^e%d%e_c0FKF(YmnL^s>>UNbz~4%Y@cNsW73Rfp4ZEmJ zh1a2@gIdFX*-x0Sj!|Yp#Hw<&%4$~h0*m97PZxXcHswrz4s^4Q-OXt#HAQp}Sh&m} z^!QLpY#ZiEP-$14<55Euv)3@@s^rYQ_ZAU1qCeq<)FF%d)XX^@V;0xG_Sn<0drgHh zCGkbOr`o5hrPcfBIRctd%YvBFRm*?)P z_&$EWO-o|rp~)gi)*YIi{V$wT$-j$le=1))XLaO(!MZt6TlC1t@5~)5;irXzx{D^aq>N$k>+MHhofA=XU_q^VXabr+pN-_pRyvswuF@zhE~>vv@eweE$ch zZ5KeJCjR>wn$b4Qa8S8V$i0YZ0q)0V+&bG;Rll=Y7<_%z;A1KW*4E&6AJq0}6enPK zr+0_!LCWYDfsztSO>-kn&DUyT!0r{JOdoy31Cwx-E9GN-&l#lytnOV2wyBGJdY^Wc zq|vAIm(J#c$B5^Je9#2o`#->VlJzJN11TuzQ(GZ@3qoVuc^6tZ{Ngd`Q={G7P$GiK zdTuv-GJ3-9**2=Pfz;;)HAXzW3oRRAR`hx zLnJ_lAhNnnWk@u8Ie58h+BOnVJ1gv61mAqa5IYceP|Yw8QIl-=e=Lqs6%BP^%3c4w zpPIeZf8s!-XjG<9u3WT0H?Q4W2JGYk>E#yh^axaOZ%`giy zyI7(hl_CmTDJ(EHX=4NE1QoPv&(7X9s!3m=Uh5a&485JfBh?m8%9h@|pxG1*gcNZ0 zF*G|b0ODugzz+||PIH6jP?(R8`T+<;w9`kV2r4eij!>NOW(+PI1` z6F+D7*q7AqMiJk=0R)Tu$M>xxX8{m3DUSHWsug%8iJNuEJ=KWi+)w{oJhz(aK4;fy<3T&#DzWj*_S|&dJy&)6fYLIgdJ;V1s|D+ie9MnQiEB>~ zXU+x)Zy%T*|U0es} zoP(tPPQH7a0ZYqg&Wo@Cv#bSUBV>5dd4gkKf$Or0*&4M^o0jnd$Manpy_4tS%+MdW z_L7pbQX&%*{yP#7T2{UwS3p2RtO6v;ISzPjh(Y*S$c@GCdHc`iYdf?EpM!4R+IdpA 
zG;CIgYv=I*H^k*pG?$#Am8XhmqT)WE^X7X;CJKFy?d0{pNs(3OJx;LrVb($!xUb5D zjxmUT0Y8~D{rcyjjl`()22oyA-n;gVmGIm7g)OhvAhz!Xp&h_HM$aEm9_m8IywbS; zWxL%#QZJV{Xhq?zHlPUUFfNsMLxeYDI;eeFuU)tLXKOCvwc6el=J*&)MP3FXU>TNZ zidv2{hcyAFT}IJo)STJJu|ByKLq}t7eNN}G*w=E5gUSP4E}RV|F~TnPM>gFs7itfC zDX|ZmP`k_TImvr3mEzO0-Its(J2?V7lW_kWd#P~S8Lk+taeWw2 zyu=i>)aBL}z*vQZFs!Bc05K_z0?^!DW3$F8Cu|q)02EjE*HL= z!fVUrOJMv73)rjMeD-E~#&Do7`WYxe7_4 z2~}mF6QSn6SoZ3Z^K_Z{`QFs-j#sW8UJyEjIrdEiuSK1GKQ3&OobLX9@@B3}vn^)s z%MLQW-p{uy{%8sTL;ZT>Ia?F3Y-5j;W)Lp{dqNNVy3L6kSp|{Y`l~lo0d}PO%U+++ z4FaR~LB4Bx3|`wywU;p5$34B${JYfPc1VO!w&Z`}Ziet<2J9b(Ns7M=$;lWxObX$V z=ko3y|DER+F69$P>|TOHZuhiMhCY1z^*tsTAGQlo&@`KVJ-dk}gkxH#xTpAGqyC~+ zXAR1pnTTRzX*@w$oprMn8&i*!Er!s4Dv>ANW#Jn}c!`g$!qyY6VC&|z=@i13<(_q@m!X=h+wwj+1Ehae9!DQ5Q(z6xVaP0 zZ$%IZHMi{pdqVAw-L#wZDy+{w)w%m(;#4aGdU>>o1a`NJE>Amuu2Q@tUYHSQgfpzj zi?-nJ5H}S0ek)h^5b?&B{Gxb%!Gi?UXQiG2B!#2!5DA5X9ec zmvZ2^|91vsD=nJU@Bg9y-B$0KYqkH=t*OU@AL0gH+t;=gE;rVFTPyE5jQE-9V7>3@ zi{j@@tQdWk{%CE^z8mvU|NguBwcir53~Qw#@wyurqU1{DKK5DeGSh2ZUDU)( z>Ai&Z<~yV^)^W64&eFwp%zAnO_0xC-`FTn1mK7J=It_rHGRY9=9l04c2EL6dbJx}->8=98K;Yvd&q0;;`~Rt$|K;?iaa@6 zPY~40=*O#9Ss9w=*!-jgr>|OVX}04!5I>9~$5sT2^a=K3Ie%D*_z>`}(iH04B!xvh z<_$kcM*N|zbK5SF#i=RTcSG6y#SsfIc*<*Nk{ddO7%wKHnF(JmK!SFSxn4)CvD?IG z>9+TPota))(C{zLCHHqt2YgFYzFyG~?zIoIu9N6a%yFi((ZR7Xtee1omcf;cJZ$WV z%bIB1@lVWN^CAw75oYvD50rg2-`?U%+Sw@>sWZuG+ZItW#P=^q|>u`jH~*>Sy=B0V7XxfNwM+%EIsk)6$iOY7HRmky8{oQg7Xa^TT4F5w<}Xwgmbtq>5Qvg-i*`Uw zbvxK~-K)qFiqH9-;@_5C84n6fQG{Q^9CwMYxexXW1=>wln19F)*jkxR>)IgCD*^7z zGCy|-ETebrzCgamSbNSsVZWeklKMXResZ}!@x*PUOwZrg=#KezSHp=JY%&7#4>O5< zAH>`G=j_xEy9t*&{Eps99vycwWc_((u%okE4qvf&sYbGr?sPbPKc~78caN4oh#2Z+ zi?XZqa(JCeHc6{hc4@XJL%Tsi3)gI8q;JX?@{{-bJH;jbo=-f&%Eo_SayS1B?TWpY zLE(Y&!PyJH*h2nM>}RA?zAds;3VE*hreH*NXyd-C&Ga-;g7wa?3A&}I3TT~(B5hJM zM7A-$eW>%`$T~>{7v~;x&U)U;ib~#8yY6#yl8|a~pc42;MPJu5maI}JbZMLV7Xg$- z)Y(n9V;#Nfr82Gny)@o-;D|HfouervT4@IGZlWqzzwG&|L#d|Yt)UuP9c`*9liyO4 zndZKW7s`EiECT~e;dc3m*>E}5II^yu>v_i=T#s@E3^8uaHl@cwhm2+3ooJ_-Hjhh( 
z7quDklynd7RKp(hX{isOHe%#c03J#cutZMkXB=~sk;e}+j3AOl6Xa$O!RNc`52GH3 z22PSunBP70olUl$72LL3*)rXECz=h7mn8SS_KR%C?$nXUe@XCUxuH-*)gP`OFp;uW&-ml9V>hL$# zylwlxU)7jWY2su}GN&qr#L5q%Qa$>51}j6}7H4qf63uPyB(*fx&}@VNTyqz*sdD{h zbVI)>&h-$td0AW-bVsWP)VzO4wULZQPYr;|c7?$AVv@E(JYx6L1LfR^A+M}0a=gS* zUs{s(?X0NIr4PwYadY3k-`AFq0`Ka@~Yk}^E{VaW$VGnlt|eXj8x71@`1rVYwb zAM{`eSo*9~pZ_7}R>>U3Z!~MZ+U(9?JaTub(i<>>xy*snErbC>mkDuS-q|_}(O@}w z3j;k0LzrTB*Qa>&ja51HqhTI@8P2O zF}HBzti7pi5aR5WoB0Y-cIIcs5jMdo@N8!Cs{PbYm9zu}!OvIdUT|lm$P1sH8XYCl zy`l^NCWtAjO1i`s%dklcJo{SCf~(Qi!CsT_=y+$S7-jX};&FW2nv>7=1};2t1Q*Ct|`qcSR(|N4o6aE53c$Ql(* z=cT5%P(UOm37?$Z`u3g9yPU?Z`U%mVbNgk!3EGHtbkEnb?4#;THO1Q{$A?)ywR{qC zV|Aa{3iTZj4`qy+bvwwyG-$~`2QN)5D5x)qUD+o(o|+!@g=tX0U) z!^hZKgP!!#83<-|7Ub5#wL|-i`V|9rE`K|KYv{KGZFO7eF@k}uS?4g8NO_Vb1M zS#^E2B3I$)?dc*Sp@Zi6YB{1C#(b4t3*9yJ#w?9W&iA}HJ0zT6lbhg#CZaX&cKRud(q)>SJJ`IY|W`t4_z0I$5iwp@ZRw^ZFs8p_2z z6Ql!PDtyO8sNk5LB^EM%;Cg5iRk^z}bz=~_t64(U_x}=yxGptB9~j0YRk3KAT-#tE z%#7IAFfhARllJ9fxzeaP`Z6=sEZ-A-Alub}WaPwX)N71+lzZ@eZW|_ERD|aq)b{Dq z`yu4ONit2YnpNHM=hD!{xRQa$FzP*Mxgl5ndT4M&F?#FK13!)``n|Z4gl1Ex{W<6WpLq@@7L|Fa zOF$6KfXwg85A7(2x#3XB(kHwR!wM82LOnjj)U%En8C7)Ype=8_{5Q5>$1YwjFlaIr z*rXTaL`AUB#F(vvYJ~rnOQo9XOhxXy=1|wuf25ZS%W=|?Aja00!hh+{9KZnjwgN)NOY`HmKo^ND}Mh8UYNSqv$j*4#j z5J^?I=c~XYuRueUc#oAcX;R+&GAZD-3!)$_H?_Z|DaO29moK$m9|7F%&v@X_x|TWQ z2Lstx%{~Lc=54?AKN{zGDir<{I94(JGwCzUFJ>c(%ecD+FACa;U7W*XVJZ1Cv})W9 z4D^KJakJX9Pt~__Pq&UOZFWB-KbJdKb=iYh(_?ApyW6 z=Eq#VuL{qJEvsrNKp{k3hy<}&q~N*JV_)FPsS)jS`uxIZx?MaRJvy`~dK#a=tnYeD zZED_9ZQV|=2E}Bn!t&?SjdA9r`Z=tlXaGG$$=^-qUh}0GdYLRX<+en_#Hx(Nxd&la zue$=pQ9T;HqZ!ZEmbL1194QkLIR9j^2`lMUzm@6<@n#zR;wt4i8L&LC(!=_9kJS*0 zjiAWW_pxo?+_@Ae%qz(I>qm~8W8=l{Zj@23LxR6xtDa6;r#A`=)YkZS| z@cM?E<~K?fYqDpAa<~WN$C+!Z!6-4VMgf0f*9wxJbZH1I%6Yxd>xiG^vVWjvLA1*d{c;-pdZ_tml!$4Q#v9( zZ}1bvdjNya4gWrEceUjO{s=kQs>f7jo z)BWQW(M7x}ysf6iAYhc{eAEe=y!Ip|m6=0gp69?JmpLcs82~hzh?pm?63G z3{OO)P4o)^;Wd!8UC+A+NS3wj9adj8uw>Hi+uomw$~>odJ}1uJWP=TJPQLRODFa4{ 
zKCZ)uxr}TXAEA-H>OnO)(k(;9*?moC*E+W+OsL45nP8!6E|M~l{Bk>(Tbp31O|U%? z3qJpeU4f&?;lSb=w#E;;_jd0q?&G8;#9ync7O)#-r_S*W|EM<2Kyi!94i@pWYvv<5 zhhAXUd?z)nrf-teMe%}~^{!{}T1(68s}>jG3@0D1I|EBlJk4wD(AO=_$ z3%+Er@fQo$LN81lTDQ_2W1~jUGw*#>%R3k2Q}BT&veFt8C*x}+9?MK_j!q*6GQKhr z$yE#r=WPKOd#O0)P&q>`6}Vb&Ub^O%n-=0=iY8hK0NpQNa?_1q>@*fi-tWy_bc@QG z;53>TIpFVmqh9|K66RP&_TVuqRrcvsx?83GQrsONYEM#Q;SJ#@_k2<=*Z#+|ZK^F4 z4}pwTKsT+Dj-?xWBm2fL`&FxT-rZT=l;-bQO|0l;rY(yN0CIa9!H&2|iSt#=)#lq_ zBjJ+EtFGs^{sip(zc_6w+8)9tkcs!UHQJTi8cnX;znL(rb_I901M&-fn%@jN<%M(g zX{DF!7@PT8Bze&<`o}KiQS`Jf<=aDZ#D{I!=e#cAEY$SF=DRni} zVoK?bCA0~`sPDbNG4%05^84U93h40(^S2R*yokjX?PnVW*aBW@(@7|h8}*|cSvs(q zI7;v2)Y04V;&()RF;#(s#=kWsOrWp}{F+bT`UfTLB zL-@t4#}hQgj69|-v;Urn=om7Nd5~EqE3tH%h_iOReiKS==1b6=p^$b13%vM%H>^!llIsiGKrX;%SwGWeHuRaV87}kxm}loSYF4W#bRNPZUt>OseY| z1}|K!U$5!Xy?R^kpza`4H&)@oW0tC@MmtR@X~oqA_u#nei~o~U>fu!pAm10*^0&=C z#`4(Dq^M>vD_z^F+F2mRM64~gm~g3<^kXvX6{`{BlQwd3;1;NQy{4x->Ju5Xx7hPx zmIn5GlQ5~$BVRyTy%N@h;uErc%<*kkzev zJAi+CQj+=+BYgd)SM0l*OX~d0G^m{pncXfTY_DZKL6JPyFuY#fP_GdV_m%A0zTK?f z|$~+yIAh{d;Bm3(p98{~7^$l!_UH$EbAzAE=CSN>6{_N#4O^eVVpZ9aw0SiU1`&FfJ6|LcJGIG&@X+J(bTB%j)ow$sVqHS}2)_{f3N<}CVsionrW6;$KkjJ-Z% zA|=s_s@{5M#n$~($|P%7_t76!g33{1v{Q8_V2B^Ahd)3SXxbjP=;a?4WWFlxp-c;* zNHj}5xnhy74^pyDIHx&n5F??`zD`aDfs8RI8_6I>7=9zYi@b@0S4jyHOTNFY5m$_J3UG$QuPq#}mHuVU)cLcbo!P z{hwv;OuD&Wy0GT*O)s!QXc5n5nqu{oUBWT~?~mBtohBDYwJ%RT9g`61=34o)q&R5+ z^yrYEUL5i`DDkFvF}?HtYPSi$b?MsN9+ph*qIp=^U=g0cgFY3=kJ8JaMjpp1)C@v5 zfohH~ay3!Iu(?I3CT9pol}w@{lE}!}H2sNc{WoT%0-HBkXYh4)pOs6kK5#@4Wo5-P z(YjHIQ#WN}RcHcc0>)>mZEO0m3}Jb5Ez@1(+hVVOW^NKHgvuDnWA{d@swI!=+Kj)~ zn7<}HUp_|*N((4Q7{p!y*zpji{#~#)I#9lLGjG4ywY$HjW&>&Mwt1C@K(&p?-rY=t zlxYS*-d$~Ybc#{60^wI|<2X}t+yQV<`OV*8+zAG-g?=EGb0Kt-&p9&i!|09OfZh*v zH(30I{D?OpEnod$4D3!mUMFkBgvt?Q?(U9lIHdF51_(T-N(8eZW!D6skfr*QQKVnr z9Ty5Z`XU8!c{b1kKIz?(BjU0f(V4;w*tp37xX)kHJB91v8JUA2N!8cN<5Wy;PTZxk z?mk?i_eF*m=^lz-{Zi+=FaiSn$V7|lv-$>%lZnO@%_?ljw+*y71IHL@5a(@rK5V}| zpnBg-al2pFNZbVT&Q?M!)DQW06Q+EVRRvx@b5R9Vl3o`$o&!r2Xj#JikrSG1^Ip(b 
zepq28d%ymLS$MIvU1Msl6J4XG27{8(jk0bDZ(6OS_^T5aLf&}sz(SOGXcxFL z!WuF#Vu><6j3~smm3VL0v{+E$Ha^hNeFLtbwx1a=s2 zO<&I3HTNo39G?`F8IlIUjGb#%O>8sI9DSI1MZ-gV<)@f8Q69&|Xcu2;4EXbvG^$NL$9Yt_$E zK5bXx71T+gqz?DEOH8MeGJ9{RU5bOgQ`5Q`wZru`#F#?K86%P6Ta0=i<5NIrhpP}# z$srx5W%7VXO>hwTh%_;Csw_@xuM4cP$KVUI#1)*zTo>nK){g%Abp&ZYxJMLRJC&1_e!QbUdDrd&%xM;a@F+Vif=0Ip3Xk|SlQ?duWW3jT}( z)A(r+6{CS;gBJ1!EE|jeK}pUBk!4N$OP2JXyLDsyG45LYv7r`2SSIA)!lj+**|;tx z;jl_nEf*^Z!cnk#^FY+%WJRns)sR>)C`Lu`9VyeNB`>#_oKnx&vMUkkXflyEDVoX^ z(@g`Z$+ws_cXrQo_(KMhBS*PL_;j$kUlm%7IRB-f@<_gM>E9p!v+NJN#5p-5g-h-a zU89bnr`iB`R>j2)k(H)pr1(C4L-wZbXXJxd3t116(HHbF2jF5NLGfgs2DpVnQcX|; zjDj=?L7M}R0Ge!825qb^*oFoUbu$U{=U5)+Ld+5Y^t7)=6Nm1%TN5#Aozw7<%Q5Gb zc^BJVoG?QZw9`zztf7KR54kgGwR=hne@J3q*2KjMmqpKHJC8eoaIHL(n>p)uU?X=?0688&a4tskuWMw&8-=g1_y(DXG@y(ffAE ze#Js?b;gQQ$rvv&-RMY~`mr=WjG-pYPiFGA+V@(`xX{gaKF9`iylU^A6KnLgg= zL*uqr967Otk~o87YGDMtF7de_UVN1A zX`$P3GBk+sEpHy#&sBfZ7jAvW;PF_sk-u&dB@YfDmSZf%0MYQc!&Al~0N@gnZpO_h zXr2x0M`=prY&?moUwm+Y)mJWUe>HzhD-FGJVoGp#IzxCjR8njwA%(C~686!7GOYJIXVf3sDEPS|DD=>XD zB%&K=uY6rwb`iV7p1){3fY&ps2z_v66_7m9soGAApk8UAPRxn9@2Fd!f*dlIH}ykE z-FN2-{rL`WuzmDn|5b=5>LP|bo6eTgLVC?DSFFo|2p9+2%NiTxSqT-$@dY3&#a>y7 zZe>86FhD3c(iv_Zj|L|fqT-DD4mO#CT#e9{d_7RrR^M48T`DmS^k@RsIZT+bj_}%f zHTScJEQ61j>~M8Yf4v|Bo1gEpyf*wo}^Jx}DPn)SfyD`UQNbSnEbrycqQ zk1#IR&4l6B;^dh-*E&!mfSAnS#FPPKAJy$Q!8(xF0O#$VmT!0vI+VQW=(fp=se+1L zieo|>%sQBbOWsCPmb7w4?c6@6$4|nbh#$UM5d)+Mh1n1f#BA@+d&A?Yrq_m9 zLvQp-Ss6Kk>f2K5+ciyf%b+=bp+bWMKSh>T%O45nUiK4H%gmOyBK23!K)9+9W5C^? zOyMm;C_U%I=?f%|aU6v*#lu1-0r)n=f@DWUVs?@95v)6uA9qF4XZ7Ye|uDY5&=3zd1wssT8Z+iF9P5@>Pk|u3}*Ivot~w`bQLo!MCzPuM}JrCZx;r z*D=pNpSL-Toi|0;NR;r7h;RABA4M+NDKw5XFT1c(2Ex#^1sp9C(a=7 zF_Z|oEbV}=)e-*~R?a=or1szJorw6*!6SbDA;|lbjE0*ES7?-Aw%<4REnH5V9NZ}3 zdU^>OwLK%#q^a&=Uxp3x0+73l5Z%Qg_tvjUWM3PHZeuC9FmM#(y4@{)mbre$ZwI#? 
zqTA)uu*>Y84$117Z?5J?XSj79 z8_#1HKd}bivEg*S=0`v`Wbp*|JQ*$-vRjoLD94jwn1HA>U&Z_4%jQ<3xWy}s`)ZLh z9y)sM_3janM|_WCa*>8h zs68(=waOaY^)2b>McNxeNd+0L5e|5td48GcO3!kd$q+{c3{P9ob^F9Yv`kg;7aRL> z(;`0bJQ}3-;F9HMbQ0tl*oL3}WvE)bh_5rV$fI=M4#&;-=(o+oJTVr<`<>J?4r_rn zqpZ-8fHBH>nHZrI(Mx>PytCSKISVJ|d#pQl)uHyzCGhPFWAs!#yoqttP8$EXWa2{$!%j?aHYImaHWV^ zX<$DD4OaH!3%75n*3DG#rLujKV}Qwmi;oY=^*-c!qAW`O?U}!L^|5!ml8qpI4ms%K zG}+rB#XF^GZ1qunyEd-sVZjzHbbqEPCTSKQ`YIe!OklgkzOhfsp13b?OK`#WUhi|u z^H1Dz2a+kMj+wqw7~4N#Qr#WXSD%X!nCuJQjt0h+uD0Gm^DrRk_~N-2-Sy>@21c)tZMjf#C zl`qq-aFHQimG(xkqU(Q}!EYIqlamb1=tU2rM9=UPL-vQM)$1Ro1qRgBILV1eb8Q_z zH~;W3&E6los@Md|>5g$5%69X)d>a%M-n2M4NghzsX8H@B;eET`Jo)B+W!hPH=;S4a z`{OQv_T7%WR4~to!Z{*s&9iQ7YkuX$e;jm&zjxePB`0~p)9TKy>6a(l_$P{Kw7RV2 z=V;DLl>e{1J4}^*yS}Jbzh6EdRVxR5wgh>6Cxk|hu20?;X*`VJQWyn{<`nz(VyggPLm%>ufwdEa(YW) zs|-3oA}R-Q`tN++w04=?cv?{0)<*+?ggF6@Z!g=FwLFi*;_sCI2M2kLApOrrD|_e= zk9YKcwMP9%7^Re46)YgG3bTRUA~w zjb1kF#*e?T(D!~b$_lmvhZ?rdJOC`70W?)kjh_fTEv!Wl)y_%Jc5E3=na8i0=~|62 za8_(1_||$YfoBOQ+70#5>5E+~{C!*O) z0MT`nlHPF=K8oSk+u3_vI>H)*;Axn;4$8+Smd_M~29X^`%ftX^j0xrHgGz9${~MF! zvVFLIk7`Zvi#a=vKYvt9qz$#NlNd#)w*jQjK1A}&`qdd*WI^N}|3Qi~irjLzvHf|q zA9xZ?MKUU>l?(dtGJ!kWqhUXn+S1h3z=4v;B0&3&A1RUh1%Izt%H5o|xqg#Oe&`x` zZf5>1(l^tlCwF>hw~X0eD38ppSlH^plr)djcLF%uB(pT)O*)1nhyut{Q!_PRSa z-c{^g=)bMpx4w;_R#usCUoX@dN$G{1xg8E50^zSc$FF%bsSUpF7(wzIX_{^%_Je(@ z1ld?bKFvPdb=&I3kHeNcqce={5$6)NDj; zg5q`w9}mAcFthuuy+Rr01WBayC%# zvEwWeL65<4mTx#XKom8TUDVep7Ap>e!3`gy_LLI>&=ytiyFS&8>}ldUKK!IhBr(^p zgTAGd?P|c&k=HK^pGOq9zH}8UnulX%!>Z|MQWF4!Va#mXXN=%>^N~>;fA6)-;i8PB z2r$9w$YU~xLTwIz>4*LU(jHj<8GDa5@qpgGP6GB33hl7ATB*RBz_Bl7J`o>4^W*10 z(+p|Ti(9pWJQ~Dn7xB27$sL9m_Y!R60^MPuBwwW{73*A&S!X8E=^YlYJ`w>b>M3Myi8p5xi@@I^--9aJj4 zMZ{0|3Z?M3=ds3UcUkXUpxXj9LQadyD5(d*XSyi6UXN3K>^yq|C!7s>9vDBs*fP;? 
zKO8^kGGK0B_0Q9wh-9B2YCQG<2~Cj};&UCzd#45R$1ia(I7~Lo$Ua2~O?wJtau|Yh z@q{+M5*DZ^Uh;ES2&yVoF(LwkV|cf8J9fy!oL@?jL;gs(6z4b5lYwyQgd#H7Z#X3o z>tn*-8YkOh6>K_@!zTL*9**fGh8O#!ZE<8dy!>*U z@P-?0`7xYmK5Qa85?>)cQv95s>KOT|q3wAWOly_jzdw}B%0EYFgc$#>CWp5|%0or4 zmy}#*1LDy)lbyP-5YaIrom0fVj~Dkv!*gLZJ&*1U`+<(#pXb;8x@BgOyz$YBD-4DE zwi_2YfSc^s%G%~Wv6ou!j(Z4T=S#tPn0)0op1rNvY^d~|6k zD$#Jkp+8&~DL`G$uxAwFoH&Y#5@O*DRn?or{-6wve%>TROcs5S1#&buHHQaRGYWIo zxx0lR+|JHN0-FnJEp=yAk1!NOA19zGgl#PpHAMy$G~Kj{$ZTQWQ!1o723xut&z{nF z)Y5kVe*+zb%Vqd@Rv$vKW|LV#tII;a%i^pmeE++0v0-e@pQs&OZ zipaMr8VI^PS68&5ps~w_@9GjlS`y395rt%AlHZEmVHqh%DZb6gT(Mgw%d>qPb+aeS zQ?Vz{==Xd~y}c!6cwTu=3m$E_O|>0uSeq&IZO)<@`~}a0q#=L%G&LR&L)q90lJzK3 z)>N>n)bE&ZbGHsY03)gxVSV>f3~La%n%!)crT(y??3IMVcyfxL88ot~@7`@0fcXQN z-;C>hY+DU=HnkjyD~_p~m&5WV@Rl$G2rio5f`3YWlpB4hRIXALuP*`NCnxv2mr&<2 znQ?lze!OQ?0)9#2AU`^xsq={-?W5jRfED%Xd|Ed#sc5; z*8MJyxyOl-5a&PmcLCC1YSSsShnB&;hXz5M$um}```Y0IM=-Bb+}u53_trwbL~sRM z>?A}p76C5|*Ah*WmZIe$rYpvYy@iB=8I>l}3u@kVw{oBVn_eL2Tar)WA!Zz@x%5r^ zUSJr3Sunh894HRMJF1ECN_XL&n6)g5S1)T~mw9U^iy&Ch>sA-RH+$YJ>I zvI#Gf_xFnMqCz%19=^)-X3ijC;kD@=+Hb(J!MN!-&SI>Yp(h-p;8FPt(C;Oo=AOsNd@o(19J(?Or9w(PUO ziW-$u_CkN1WFma;=7N0D>aMUFL&<5Pslb=NXY<3nvrDs)x0!-AJn!c@1T#aS%gc$~ zRE8#6MVMF(!g&9tE7qtW!TkHgMwKh?FJNngnSW_teK@a1G-*?37(j(r^}Z|d#hyy7 z{G13|j&XC=#E=nl)4!&abV3iVK@R~St}DGc^oW&o){(;ulJQgNeFZ=xd) z7j=HS%!lUIvsXJLo7NS2(IsPdH$(QmFI5-3?hXqGx(jR1>Odh&g^c0AX-eMFd>`|Z zv{SBErFnOWkGc|qUsp0kITR+2wg))s#|8#glDsoRqiC){K&}gNI#g%8W#%b*JlvX$ z3$5Bzv`Mo3QPa)1^Yy~cm<`l3Nxk=zqej@*9#S8C?>NyhTudkm-1(Fk8qm@fvLXQh z$yMLHgtlMcU5u;FO0^LsQAqPAWaUt%5<_#{7!{*<=FIE6Za0! 
z%*J}GlR`E~Zbs843%WU%a9xx)!jX37j2`khwy)t9_z%C}`RQs_FHV;C<@i$4$74@q zpzoVLMujZJfMG9uW-c}OVlDOcszoXtL??&x^kcmDVi85z=5o9`H-qzJW%Hs{q3<$; ziW~Pf!=CbUj)VM+Y|ZJx{0Xx|J|lb_d;zU`hE?Y0HaRkxjz<>V?_AfMBCb!L0V}TB zzY}^UM-#)@tZ1!*%BUlKB9l(j9n*V>1}?s;K%J(%9Sl3DtPHv$UV* zvh4!2MWCAozw0JYuy`U&Y0UDz`NuVp)CWI67gNG!F&hSEug!921F+b;{kSC{&;Z%G z7b@vtnS$LP@^_NM_R+&jnYLWBPw4Vd)J0GKbKVYvo`kBX z&!5mg#8EU>W`on3gXlf4_4likxsqZ{*)1RCJ5`z zd=6V@BrQDo!7yEb67`0B^Lpm5-5h>97@`d|MdA%|a_NeYAPjf9Cx9E;ivH(Elz|Tc z?|}h}6WvLkS*~9r_^hszUclF`&%9?Ne0J>=#rH32?Ym~w?SYR7wrt)L+)A?zCPdS7 zuVZ9ou7Sq!$vIePQ5+Tt~$|hVFtwp#Z~u}qCnB6B2i0+ z@YeUMTR$Kzac=L9TxLI4&1Hn|3#U(U=ysUjB~JQ5e8x*j74q{ks}DcCz?+wgxSt^@ zR#0 zrY$UBujrH4qkOr4RH*0-^+DQ8pZSEr3SagvFu@PDvjO4EDSUTnOYx6z2b3PSU7xUG zb8SzFPkWf~hwe5?n*YolbG-~UxEq?-mN(p=c$xMO1j_smnmG0?eWs?seG2jS&W?AA ztxv$%x|4BXC%HcLPMX&;#y#!P+L52m0$*g!xcJ3f{voWgk&|xvVz_48Z8tJcPM0ng z?po@{tkHs6fwjVtx>WEr@HFk(0>x=8YVW4}ex}?D;Hre?<-i?<9hY$xs=Rae;ZAH?cLPnf-Suu>P=_`Hdg@U&aHs2)^&mNVIiv^qU0D9QHVC|K+bgV6J!={wjHP3_^1cf5 zG)_cHfz%r{$x8FQiQYs4N+?x3NLi|2Q0!%Dhw0vJ*7z2zoZG zvcpZwsRR)6ecfgz4)MUz z5ednqMoyi?Vox324Ve6Cj47r(C!xsi<-tJX=fYVW{Da7vxeh#?qELV6XW+kh-*e`4 zS8EEps~=xvq4r^xey|l9Ee5ra6Z?Gw$p0DEQtFQNH!NnnhMmpJk-H!d%E&mMU|Z&Gs={n4W}_L${=*P{Juv0=(l+(>n;{<|#XDM; zv|)jvmv}JhG_^%IO#Ku$I}cG~Y!1qm=?Uey_#wcmMqBM}F=4gdc2q zsS~~1>AlEC@T6%?+vpl3cU8Y~_ekw9-N$^5VX5g{5#vrT)wg;9o1Ko3W@u7(P)-{0 z{`iYRhBJgD?m0A)A5DN1d#Vd)Jl^Rc;jc3Y7D^WuhW;9Aem#1QrL8AJTKQ12lcX~kh}W{&T_a5+}l%(@#G)Vq&1iyF+iPFbZ5IR_0x*T_FY77 z`}sO5XS6mxDDgZS|7bF{lUG-w7-*c_ z1i9lbRNU5?9k^|5zWTM6T{wI4tpK0@I+2HRtDZoJE7Smv;EU*M^XGF)wg(s)Z-720YQ(K z~Bm?zprb>8zc+ zjGO*ghB_^hUqU;?Jx?4Lv87PspjUt`#p9HF3_8|amc1EoMrrR`?TH$Zm6Rx5&ZJlCKq8OpT_whrdzH2<{6hP-fg~&y1bwXXiJZD<*m5%1C|t&YL?i4$y|~N zzxNbhvG7YISV2;z5yt0*<0ojP3FmR#WiU@S z*lblCO%?@8IFDqBc&7PXq%SWr{q!GF88Lc&b>wdgozEfHGdc8DY6RWK?9;Uo^Apq) zX?7I*fo|gun)k<^Cpsi}YgUgj+>w*f{B=iY#`!o!(9{0B1x4or->)34!v3^y;aM5} zlf>|A{XV6qPIV4_;R(biGz=o4VEyIyboMEv;MXwn%SS1mX+P-g84_wYXu@kuE=4Wp 
z+k8BzlOxbu$M#N9l|0z_L4YCAQNMu)Z!!nAbH9XHSI_UP|wA*W#*|y&ZVbBp0Ck({v_ZVDh;B4sMhOyow;*f@{ z)qo^k(?U}{TTkOKZ_3~+4UbD>wDm0KIClW}7Jy;`jI+PS7*~sB$tb=*uf|!h(+>5F zc5=+u$C=kPi*Z84Bs9DAKzxd+s0J#%a@07jOMu@^ZC6ef^CGY*#MYY9dKVf9FUfR96aj7l_^!}vpuTbE#~y|rkT_`rFTAJh2P{#|#* z%o{t-h}$-N(cakV&53<2XQngODfLjFPzT4*C2u%;q!prpz!%7Prs2D67?2Xcer%Jm zA_Vz>E6?g7ZxuzFG+(R|a%QQ#hkT2S9022&A2&xf5IMd*5-${3T*rBSl%Fp<_bWFC!|5G#UwrraSwG_l=U&$^v9r=Gdkiii<)vnK zli5n)ig5#jXnces{AH@cbIuX0qxqXvAH7yfN^eshZ;6PBGr@V)10OmQ)31nuaa5xC zlNKizrxC0kcX56m#u3=ktOh8y7dvMO;)x;KI_hBr1On-CF2ri(Ka@-eF`IJAqQ7vA3KJ9z+P}1-x)8D)SAZ~T{;h^K(OAF( z5$pxR(_;bFAqs>(Cyj`_yjV{=dyNTNl{6NnKGFs%FO+mjA5J zn}2JJa>m#+$WqVjo|jo}=8M~=`)x@t(-fXJow^c!>1e1PWixS2O`Fxris;mdomWtzzNM2qpt`UvzOZ~I8qu1ysOIQg3@So{TM$8cd z`6MUf5p#O4|2Av8AYW@QD+hARV{ACe084Ia#oyo#bH=HIee(IdDE6aYi>n+yNs2WU6(2mEO`ikT_UKY!HO!QPKpgG$}d-J|HpJ-Og4|QBo zW+4n7PDnPICJDXLAQF=dPuCJkL&-B6f2a>3n_o+qA~h7^o9U>j)mxKzT-aBSvZ$h{qd0-_-N_zC}-b z@}GT>KisH*{V7=hC37nZrnHI~5OXgQo7+oiNA>Q|YlTS=dnQQBfdhH!n` zc(yA$nuoJ6*k4&{*;zbFRENKNAHTz2llQl&UBx)$o*&Kt!nz3b+B}V`_agq`RI(Fb zPgp8YotCi*IhrB@O$mlKM^j~(tEG$DyET6Q6hgewV4E8b=Ae9mICk^yBWQ=bQVzQV4%w6UePTE16k1z5dElgHAI z@wNA~oDdHJWWDaV*NZmF@MXQ9NPIx#Q4OVM)!hja73OoGu~K?6X0p_ zlN=vhs9xQZYl^qZsDXlSn3vWg;<`@ohCX{F=se#`7KQ$pfJ0NfcVr;qs7uH)oO>!X zBNyei`r--vT^S=zHOd|}aBOt1`BNpqd^Gu5nzv0E7i3;#2^hFrCh4`|!XqD2+Lg^7HXs2zTZ zVVk4^#7JDaK`;)Q!Iv*Wdp{&Z)nf@_&7r08KbG!2eBoF&HeiA4VgQUpJ4R}Q4Q3co(hJTlC;-Kc5`M0e&oOsGjUKAcewjc?Y zw~wHmAd9O_iD_P+>#7Lxom9C0LigBR>MWi+L`C9}I4Fv(}He!?Am>lsdGI z8qDqxLtRbzq1D3p)D#kp43!!>?sE^#0%fe&>I9Xg^$Uixx|I(9Ww52!yb9wMOY9Uo z@k^{a&?2+}3-PeuQhK~pb`^HgM@)_yOQ$VK41aHv56792GyP>w*+7ysE!iE)pbW=k zCI63zUEgAE5dHNLaxpI$ciesPwt%*HU65O?CzkNMl6hz4!G~ZqYv4pB4No~mC04AF zJWfHSNCYa>A4|#RTxS4ERL2tuJiBPQuQn(|)25e~5+C0qSMZnQnS%@4bSEee zAqYls_%K!RPW?Scvq~M4Rw75A;ZMGX2E6fV&)^jmudJL!x!OEuqv%4Od7+;$5WvB* zQAmKz?AFVmk}8T0rlZ3dq)J!rRs_$f@8(bk2S3qJzxiMX#Zc4~m}1t(QI* zPL+B^0l9Mq_pqcmp*Pd(%mb?{wobCEGD3&qXxP2X1ZLJt#rp2uU 
z46R5TB^2$bA7hbm&huy~rZE=u2i3nRFqo6S585|I-m$)~ZIxnDtNxk5lTC&21ZwhL z%g52x@Xuv@jfvIZa+*{{^OJ)@QvLWI^?PL!!-K=wX6>d!b&4~1Ntapi8tK6a6D!Rz zZoz$-EBxoDvUN{;4l@0D*&J;kKo%=BpdZp4G+w)U2;V%eri!D6PTZ$ca6a>UbgpKYE8tEpL54U6bJxd$5Qk07ns87qCMLH7BGm6)I_2#Q#yMJzKfZsOxp)`#+Nzz_4+ELI+> z+>;&uIPkJeOBfjYhQ1}7f-x_-=D3m%cjMbirI-A3OW<2;+{Ko>j;JW4*^wFs)8#V~ z{S=RhoV!v8a5H+6*!iCtFbgD!cN7@Mr)+LDmsS9mB{e98<*6aD8q6217$ziw%U1@a z4+-DUnwxQ|%6Mhj{YPT^CvoBn*79KHjjCl?`)0~dWyM=HVqr+a(c{-o)14OZvQA)F z&k0!-N7eakpXP4M3C;v&`R8krkGhkB&95&j$6t+FeMubtMK3;)0%)4i?yPQY2~E6? zn_tIXCdZE7(wVKpG$8N$D?eq7bZnr28x_4Ln|h$`6m$QVKZ*YGDI71_9j0w$BWX-l zys0v>KL#S5un}>b>D!~kjbgrcjD@Fem_6JD6T5?VH*Xx;*S;?qqTwtw;=wc7q+tAw z3`bynh$Uh>bWeAw{ZPq6f4_7%x|E?A>ZI?SJ6W=vRn4AWq{RvnT3wu%4h{(F?+{mG zw4s~(w5P|Dbtd1dJ5q;9CFoWjS_5kXgRH-PMBNg$rfnc?#eqDEYl*#901~0aJZC#% zM)*dF5ze*!Vz!%F1*0DVF6gBedKOm`EL#E!-5PvLhl&Q* z@S^Msa}t>HoDh{rezDCiQE#ClKK+vyqF`8}g_K%=aF@t=zX_{-I(GxI{qRz>msag@ z&m-~c)DM|M2qileJ-E>d=Sn!=e>4nPJ4)gE5y6=gpewH(=ZW>TR`oe@bA zkEbs@D(RMsYU^`b-V($i?yiY$Tl|APlL$=5V>0O01uU*ktYy&AzZ~CCOB}plsGfJEk^hp;w(8E)kU_$13;6RdjIDfHxA9vypBH) zK2MIM{Z`_|VVW;x``iPDPLxdv5TZiB@4`SR*-sPT1f>17%b>LVy=FgiVXfKdZ2%2x zjI;g%cDdX9sZZRfN`IDr1UZeJX;<4xP+*VD=;9nA&8-w4yM}qg2rbFg`iSG(%0tVK z_qI)(cidq6ZKRqlK^(&&Kl7=qV#ZRSKU|R_Z!MCVcTtZX@8-gMfkTP>-f8^58+_Ov z82jHp_0pUfA4*k)z)KEZa&^q7r&nk(eTI?hG!_AW@2yH|v!7DuJT4A`-wm=HE&Y)* z!PRJ}hbZ=0y2X}%m1%Ao6MNx=8~ZX~+E;taTj-%5Kt{x)7N92;80o#fuYL~YV`6+q zg>P*@9pjgB_V(7u;NmAKbMC)TzGjPm{+8YqF^H(RF~wOsav8*nA~QZZ2{V723#JX; zE680Ai_2Vq5#_7@4B`DK;r_IDJDGCv^-V?Z1PWSN*pM^05;fe|ONzL2Kkd(C%^bJk zBhkne&_7ao<+DsZPQer=-gZ5_44e&Z2M`S8ZA9DjO=oSPw9e@iWsy=~^xR)FbM${q zF*Wt8feuGk1X>eex?LSj7?Io}aMv}ZY8YunpmmZ56sk8$Ypxy7gQY#r#ND%^TL+<} zimq1DhoNb(H%=5)_O>;&8g;tk1Yk7&vFR|>9H5*^A^{#GLo1}|6T zP~u9_`&iIm-Df4vE~ef!*A?v^9ggnZRwXFvcrN_q2~h#?xoUK>sr2agJ_aI*&xN@u z3?<3}9lWIq{gvk26MU8CpZN@uH61ncqb`@xzWk34Oo0ENU)AN@r!t{580+n zQ41mZ9i~w!3C1ssh;d@CGbwC}6T~ypBG+$SYX8`ljvufXt|twbix@_jWWZmBxccd` zD7GO4k+t^?l<<2=dJK%mY26NjD(K93Rhd!>8YCUL4en^S 
z+r#I&DsID|F2fdJUpm)jsc}~n)ENb9XbRW!3Bz2@0$EMS6a92w*+4xBhEoPqL)113y<=c53lj_#A zO}B9a2%$Kanke4Lx(d{0`fbtdWZw)0cC>uuClf=K$(POo67Az`KrQKVpnK_d!5l&&f@cZhP2ob<&aw6ktsBH$fTBA3A~K z8CW#QT4IVPLYtI0^Sj=lLJTE&yh{|oYgBWGBNqX;O3S~4wzs-kAMS@=ZkmpzFparql9n|7LyyWY02_GOB$IY+spP%xLs#Rb-f0QD z%a}9w1b>Mi6_^{^s;nOBgXd>uId7|})kxeyVx{~o?8V_RKdK{l2!8*#^GnPuQ?6r~ zj*fbO#IRv&*4{wQn>qNJ2-c}6tL?k6+LPRF&Pom=V_$iaC=Ry}IxVJ;1T5=Ssd!>< zEjd)~{WA9Vf3PMr#J|>qZ2?#K(OYh2e`x7Tt?7-L3=Al%_&(yF7O{5+S?N1H%sIjw zC2KIKEtgq*iX{4SjBkX6u{$!ucP{%9EztQJh*To(n?muG*oBo>o-<>5XcgIA&EzX< z7yP!|4DzF3#Sq;aNz?YwL-&6fhOTTD5cE*~B2gI4L554f5Qhb$CTK(%2R9=Tjt1V`76ws{1Rb9sJVbDOuq$r*U4xpJ9!5PkgyMvOWneti1Rt9uRCP(I zVHY3Io#&5@Ii2gE|4-GO8V}+<-w2M0B2tY$AyyEs)3gR8I@TQ;7wT|uAjLLGd78lv z=^~QopX0`4D@yLl@x)gdDVUh#S9hSB;LHU zJ&2LyxG__-?(yF^RSqm>Y64;Bc~vC67TTUWDSB9z4ZA-{Jo^l+N4$B&!I5kXiQK)o z3V{;aK7%9n%EyA5-`imhbLl_8nvNmdtpd<@BFu4@!%z%yC^|d+xrtx=1bMD`1LXx< zsd(OWwYiu|=Y~0lyS_JWC3%0Nw)CN@FGvW4u_2%2ZDh={l+5xAkcId$Bj`heh%kmZA4#Wy3bWhu@XL>-;skF}zfN2yY&B%QJOB)eb9M?nh>s=lv%}eNjJ7U| z%y$gGUdbR|Sw@*qLhX)57kSv=Z4t_)(QlwLx%0BMw6c2&-SE&BYo+1t$vJ4HK}Q(d z`tv2M_?X?oiwv7S;{a#dl&aC!N!Xpla`<`2q#5OJTN-36|unCifM+fiY4sFP? 
zE%oY{9~nO4eNQ~W`HPR)_sP-hc>G4rXbBIhP8&K~OfAY^r(5PbUO&nVp6hhlP3(=F=nItY z!-IJ&_b!Kqz5hmR%IqYh7tLhcXAgn9x5HT7+=-7E2_t=dP?YM{LoYz8x}X!6#Styh z?asS6j|vg@-Q0s>I>i*q(2) zFQQyT+>bfsJ>!&+VptOZQ~-YE@CZo`eXONf3@&Jn{qALKqN&lTpJ~GOZU4Qzp0wZd zL0(Op{%s6R#w6DodB24d?qRS&(xk)4wW%lgiEQt)tDr<>M$cydcH{#Zt4@&A5De^> z)!hu9tC1K{-M_2-G|b8phUp@(Ngz1I+4}u@K2SD8p}uD5d5r`kxCcqIR|&LHSKEKW zyQSlc{>E%c$r~A{Yk&+uA%M_8JG=0DK z7rXv)*ZaBiv|}=A04Z1&iFBmIt>5$#FIwi82?>e^9YfvHnY7%;Y<23{a=qmGGhBL$ zZUJj=0JP?G_EfQZR?D^W(QNG&G7y%(Ap2OEZ>=EJDOgnF10k_b3CfRP86`xTfs<8T zvT|g?X-6iOYZ!!Na)1#?pk!KxsGQGRE_iHv=_woROxx4qMA_knq+vnTSt)b123hArM4&sse#y+}qge65T8GIE_lN%L2u6SRoI zOCshP0Bl4r?Gixgdp$wt#iM)8JI$YK9(MzNX=i8b3P2|9-b76tC-4d|rKJhXlR}TY zKbu+o`H`It3ec8=f%)7%!k;X!8IEUNw}#mO|HyqoN8Gx zRAY}SBox&TDmPAR=ZI&@!G82bQ&_rXsSE>}3xSmVM@TrJ;e|l4plZE(J|VW&^uf_M zcY}|PA4l8}{7sVQ5CA)&n}!o^&*FpVTEop_Wp*4Acuk5EVxtV$<^GHA>)U9Hlj`h@=i<9M3l`?nasTh+_>R07E z@q8bH+W5)g#vyNx?)L}|-*2!6qaM;>;T2$4PyG3qpKP(OtImMT1BcD10E_~YWv6csUF<$=gZn08>2SJ1uo+^)-c70Nam!EX&z_M9X zbbXKGiu!x_jGLkA>@R$WA4abJvnVq2qWwy0reD@MXQ9>25-mXBjw0qYpm0uA{gjd1 zQpsFzJVd)-v-6IW^Vdz+CzED(kI6_Ph(*ZZAqXTmM&b?(VrTb=vuC&@wr)hXg0+Oy z9ubvangLEEiH+?NMKdpd1kY87RV-w2QS}AjO1g_2Os{X>+CP`2K=quStoNHZE71M*nbosOkvzLV&Sbp$KRf^Ds5mGJK%g?=V=p&Wbz7Vr zO8qasVZXF?(-=t`ZUEP0bM?X3`}3FQ$B<8)WG|X-;7&=KJ~>of!*=I^e=M#mgvuZ} zK0E#aGo*O@NqMPdf6(auL~RbInldvdHzA=E@}H|}a4w2~avx2ibGotj2NA5ad1d50sUF|||vt-yG9ASel{ z7VhUeTylfD!#}O^pXT}hYz!2pLpcaef@)+y%R7e$Fxv$}Y(C_P79w3lx$Gc2x^{G5 zO5OpxF8f}}n_maU>emIwMo#xaGdx6~_?-}#$OtI#C^5R1ny|YcYYq#|&PFMF9?Khx zB|wqfV3P}3O$u(Xm;XapF<-w+dYBuW22=9CwhWK~LckQGIvcH%eq26b;(RQ)I9jn= z4I|wyZ?D}$Q=qSJoLuNf$g*neO^(-z5@$%F6t?bq>KC2_iH21- z7*0diYFyQCNtKwDP6*7SZVxC7tDKoG%DT^% zC5QUMwK!XP@28RshqsR=a)&q3r{iClE;r9d^8Qr*tuZz`3l5%j{OZX)(%J}qsW56J z<#iKM*?xW~QWNZyW$_6&1BC4tZDk;692UyDSQ2-*XEq^SbudMSE^o-XO(>cUD?+Vv zVW(aZ#_#M=^6ERN<~b1-G6gezJWm5dAtLl}AUplmKRu;(izOIYPe9hVuEF>pmqO5Y z1$|@;xI!^O{V!C3&(8!kx}357<)%_aOvJUrtZy$j-tMkcj%-@(y!XYLA)!AJ(`=d3 
zxS!gnuat)%xL}4VKIGGvcWw>0WQn`E7FcW{9q+rE^e)G~;wXrSaxPpSjb>I%nEZT} zi{)Yzjwj~9vhnqqKdH7*$@wl0V8;{hb+qI6nf0fLVPNVq9L5hjJ086ifydEp&8-O8 zgtcx{z38(M9=F4(-7SRKVS6q*SAqyPMT4fO=QRuPOZ8fu-uMD;u~nd1VTa_6?a11 zcG0Zx^A1d}K_vVXL=tfJs*E-4Q-9_MjVAy@JAqJLlwX7qS(t7|rz`Cmm5|ih&#Wz` z@+qaI-RI`FC&&oSiO)^eRf6*RVipr<@Dc>m6)cgWZ&4 zEqyYltol6@*3h;DXDo}_8s5iqi-z&7uqew*F@t!_cqY#1Hrn3%@79j*!|Ao9Q;wAr z-4WeS$OAtkOZP3T1qqCiDXwRS)ejo|R@OvKaNZ}L8@N(DCqk*B;f%RZ6<>Rn$*kXt zGoN%dC{au21LPru&D7YytGQY!jNu7vL(EL}qb35XuiMPvS|g4QI;UqS(BA?5MFUX@2pzHeZ24VAgg-9;T$r-2I*s@kGScwfVS)!?t=9WXJBo=b z6Z%=$K%))}j!T6d>vqs{(;;s_+2aQtxtgr zK_fjoBaKdILVwm3Oyz zn6RI~7nU3u4zONqmq)Z)P&ILhpY==2zk?+s@pH55SK2U7#Qwfw+Wkwvvb|OOx?k!! zf5w)`y?1S7`81yJL;2890d5OJyVBNQYy;o6a-*a@KXFxA>*l--E(6d|B}uc`x5C&p zgqni9(Tc(OGpQ6)$4G~|=fRs?e%PBT`*Yi$`lR^aUgJASyte&l3r@%IzLWi{dteI$ zQS@+5Aeo2}TIIC)2@20o;!Qk|B@4bL4r~ft4%yCcXNU-A{YML-QQWh`iF-=F1<5nG z{SkY3kYiy8y+~5?+UY}yK$j%HgwRY?v77iS3qrfel_Jt^8~ft!piMW;*{gdy3j?3s z`4a{E9ouWC>PDeeR})fm!A1-ebu0WSxzQy-NY?J~^`GkYmYt866vwhbYnvUT`ORw# ztC6`O`t~D-7lwbj0BRyCgi?+6cda0Xh>K5c?*VIVJVo^#xjP1|G%%XGx#ip@P!V4S z6JZ#P#17g9c_B+cAn7pTiQq!D?{G&S+;$>b{{Ae4LWZn=mut zN(nllL~;1Y+2`5g_ZR~Jwp;Fg4w}nMZE!x%)RxDyi#L#O31I1I<3xnf3%EXc-@@!7 z`Gb}>hS;}?;g5h1=JR?O_$~R7*sLu!4Kr{g4NZCHnwqaCY?yWb1@9X0)qzyR{hpw0 zvt#r9rp;TizQ_6Q{=O5Y@ZFV6Dpruj;3eVNY{m0p*KTLEql@zKbh*L3E7QD)zx4>p zzmEgujD_$=yrlaJT+aGDx9^>wHse0X%5ueTf|UYiQn(QT zsaqIe5V+tYm=@R9a8+kO?quns7xt3kJoxf8)!Qk`InXKh^|v=6*w0IglXx}uVf$hf zj}LIOJm_`#H{s3D7u5uA#^hXnAN~BRxaJLl|J{^{|AX0==~kF+5MDa2$FsRTb%3f8 z|Gvp*cBR50rM^v6FX8TO&6} z2v5f!?%)%!d$k`ud&FrEK8FHYeBfz%yGUzr4Hu@)FK}ePv(8bptnAba))Ni-FGjFL z+K&qdD!6pi2vCNIs*Q$yD$1c>)8h71EF+Erae)NZ4dwC)Dxd7MFcpyLY2=gs% zcS9prrd-+@IOJYnsgXVp&8X7V89&3^#9z&sZ1-FE;m|%m?E(m5zCG^#DEHcJS>$Hp z6~6PcH|JIV(X#b0PuRG;E8q|~eihhZX3f(UPx3dm$=P>UtHaGBy3N7NSg^mtqSu@8 zH$)vb!OA}Z2@nN@09Bkvz_9v@*eR383ABH|Kk;6#wZ!bVs;WwfzfY6Ye7_iPG8F#( za{lK_2L_J6mNzl~PS8?{b3o{Y61p#|O4RV2cNys{K%|HL|Kj3n{>#N@6yViIkx$p+ 
z|Nn6MaA<^_PJfo)-mN@>%=x4JfV#mzS(&&|X%XQ_zsI03ls_o=z!jtKMwAz3hxgy$e7n8-T0iO6$E>l|qU@iN($z^o6W-!vL+}iB_qVcpElG=CE>^04o zAzO{R-i{$wMCOavfb*#0+2%duz^pemO>^5O4}ob1L+)E~6y>;|Lqa8qglB;1;o%f? zd}+{TB7IcQPzL|!EP>&fat44e?LK{9>Tg;v79edI>UzBV+vsEaDKPFG0-u8q6)TDd ztKUaE*#XMqz)7BFlG-$rV6U*MYpgT+T%*lYz9;lePHhg8Gv=x?h zbvd4|4ukn*KNcb0-KZ`D+{j;E1b-?cGfXV3FQMdUrfuqqG9HmJ9{w!%@Z$zQy&od+ zs!~c5&Lj3Ub!uQ+1{CdWsU}NT5E2sNeIV*&@8eG@+)?7A_JNb8JsV=YHy8)n^$md6 z`$a;>ssl#=l&dRFQjM9SgJHG_yQSIV-jmd*h4u+zerg}AQ7shPtQl137>yiI=gFOJ zXcI9x^B93=_!T3nbX!uiMc--%>F}zcGjWfFs~Q0um+^Hfq4`-gFFQopFej>>lQ3Hy z+#b}AmHMsCjMnFE>Hm%4^OosI{bSToK`$iR9Re9}sP6^-ZgIqEd>M<4`_M}}9Z%+6 zW6_M!W^G!~f3DvHNZ_r-UImmkTNUq}tu7?o#anP`{7G!Ylo#c}4-6YKUG4ddKYfSv zWhsx+fyE@hdMCgL0UXbTQn7T&OEfGC&W_|cnz%EDojnu7jh6NUeGl=XCfv!4r>H0O zzMN7yrwS_AU6+$E8%zP6$O9)>3I-kD5!VCCRfjlmuX=GpHd}7_WXHUuc-9-mg1jyr z1xEK%m5YsLG~MN3Z*Go(RwWHe5dVJWIB)@IX_GA94o8`504_5pPCc zD1p3vERaz}uK982?MibZH|Wt|Oe%hf_`&<}l|s)Ow|K85;@_{5z*nwCLJ=4~7q~qw zUVbD8l3sreu=!n_>@!b^w%Zw6cB{ zqR&mMpBoFDCxj+%PTYRRx!?A{<-5V_J~mk|y}wdj0uIGY&m(sin6ACbep@2#U)|qi zl^9Y^n2ZEc2Qb=2djE)tqMb=QwPhI`eTuIs%- z00sAm6=7n|V{vcSBP#~pL;i5fp{HSf-A=>%^#y~Cwm~C+$lV8*0E}MW`lSKmFF|-H z953GB%FIT6+%PTSxU|RT^*x%v)(nxlYiWf%)IfyY)JKas8ND`Wq?z&L3$iFtD2m1w zX+)a(CAy`HU7dpecqD+Uyt90xo%DoZ#kF(l?gVdbwBpnGj0P!l7P#WYtPOkY(mMLx-T~CF+ko!!Sv>NeXCN$I7`?a;W=V;J1>{V+loh94Z}Q;c-0@zG$E({ z2da1KK5YX{u_?UcTVO|M#A&hx?Vwy zR99q{JX)~ClMtAQo2oZN)ba89d}7-Y+vgHs`TenWdaUW(=OqKKVl|If%|Y)Zl6*ej^GqG!)Hg43W{m> z+WB;OJlhi6rD>*T4^u!5?pAeSVjb%2f<+1Y%`q@~QZ8CX-r)e#{~+GMYl92ju-rnZ zafw2jiEAeZS@I@N5fK$3p6D~UM?P|EiyTaodUf}8cm zVAZZSZVvaNHdI%JLBB|y29l8wThsP_4%yAh+k<3woU6Xn;1onCAhA9MF+bQF{OUS5@LHrC?{EzVRaO?%mC7fDvNa4x;9)GV^GO(jX z6&>NPtzPo}OHtq0U5$v3E;qtm8a#5BX_f8NjtVrMxl+r8=eC9sb>$3z^_BX@bJv z2qP87NZabGzdtno5NPBu(_#5#VmFK)n#8+-i;Ggo5_-cJUuR3`l&?>Kn3ftDdrt0` zn`7+3k8^g2auT6X;y5D_t_!RkvC_J4$-wX3^BR>o>^tE)Ca4$Gu+L7puCkMpfC8!BHdkDh8}UF%0p z6=J4a9Ale4?*)E!$)1=BlTCnoZ5czGz6}ZypwR{!3GnTYOO)TNbJjVgEaxXyWGg{az;?oHX3=jSuGj*VMas2KJt 
z)n7Co`^}b!L1GnitU}vbhurK^>1$*b&VO!&+57a^|aV}$qMPq z2cFkPr9WMNK{?_3RcoplTSyMse5E=qDg^CzzdspP+AVR8&fO&jiYm3=e_)+6 zUyg}&Wz*c)e_{ZwvLETwF@4+nERqrs^V<%~*0w7J)paqB>qrSJoe%|RSpmPIi;o-k zXB(oWZI$9kg}6#1lJnBCRaww~QUuejykmbwtNLaNXK(@jx8Fj&8|_(BZ_T0{U9h_jDeL~8cd5x5hB*3wN|_%k%L%{YR>271tGubyS|_b zh`Q|ezMi~DQgPr)q-mTEPTr8f6><7=u`0ZVN?OK`l9~t;K!1`{w$KcmF}Qm1LFAn$ z{;>M5>SSZ_&)tQ{cNr<_x&J|K)70nhk`?)ksuCnD6h{Y01s$gX?G7Pz*f@C{k zgRCA2P`yp=)osTDdV6AQ6=+k86L=dG>Ej?dA#EnxGpH^+RlN_R$xFcZP)k;B1)4Xk zEKT&`*TiiHi@>%Oj5C-xU&(~2}d7Cfo1luN2h2T&} zjf`^Oul`QT2&aCJ=r{MmOo9ls&4v|GyQj}ZJ~=bzvNXgxOHCnB_{+ojT|-OV85P3? zB3~AzqN>Ct!A!3uCFj_uVx_JYctO`+%zr-_`|LpCUoaS=PF1oI8wEag8JP<orMIOVrzkdT@ZNvz#!G5 zN2$KirZQto_hr;EUFU?vN)tWdH$uV`mo=TzunFSUtL)VGvJF##`!+AyKx~bU zGaEsd2UwG9mFW7v&Nt<~!0uBW8lA+d^+$y>G#BnB=K039C(x*Pe01 zd3}K=CP5hKf}$Gb=Y*rRF#;GUOBKzwk&1jTnHKl8c0qLIkhaIe+-L(0b(OsOvP=_{ zkneu;VnIoe9P#wEL*uPlW?fYE87^L-WM0AFrptHf_Nm_z2w-@AD4ZbvNf%Q!j8WGh zj!dYEva*GoUYJ-w=*>pwhcMDgjGmz(#F=nq-d8C=0h(`ZoW>8I%aB2L8A{=Lkb{=u#4R8G23RE#O+=w(h=sL2Ygv)Ss7ycHa%=}eLPVc^yAf!pQ*lc)9V2P?x^hUiKwq9_LN*!(qGz(vt> z9~f#)XPfdwc}SBL9l*CB?X`SD2wQd2;+oEGK+@NNvq~;WXD1}^y=y?XMI;?|c(JBR z5|rGlEtR?XSW!+_~8G-z7ivyRUN;#;Z+j?nvDRFr;xDCKLyW&HEjmSCc| z{pcMzJ%iRgYSZvxTr6+K@0ZVQcwR9E1HJxjl<76Mgz76%gPr_Pj@Pg@1G>pKno$o^#uBq{c_?BX=VE#kh$r_6A<;;8@WP^h zIKrbng`%DO4HELmDyokvWP8=`08Q*rS@-SU<-oQvEz53y6}czE7j;S&*=nyLVTdpZ zX_EYYj+jvRTabJ8@)LjY`(lE6v^+<#t}AUZhy za$dbd${Tm6P~R7dKrtg^tm=Z5%T&A_Zz&S>2rcI>#}Bp<|Cm=ocCtt49LfycFf}|L z8{|#)r0>%}mL8=l9dJqFeZsXwpH5uE?Q_aB9R}fPe8>8$NmemxzZmhP zx=i_Ns9(AUm+fLzFS-yT=I|{v==CN1bd^NNksuPUgQKnaAW=PUG{16lXLmlov2N?S z$xT{YA3Cyi_W1XiYuDgHguq#7svL6%9*}LLmh^EC+g_Nxo;Q=CyaJK;C_)(Q>RsHnyb zh+ayzpSdKF@qeQoxwUk0tPoXPedsY4NZ8z5c@F9~f2`dqbif08xEVd6A1m0bb>n){cSx0rI@_`oDn3N>hQrvLdAMj#uyk^hx z=Y(SXe`K)Pn=3!_rP=NxNsJ)$x6(0sN%mv-M+vHE+DtA_sA_zRE~(nW=Mct}#l+H) z_~0=y14!@_sQ5pW^3Llib-h!6Dr#JUMQ+ICfM(Lr6u)|LPciLpl=A`&6`_ied{Ghx zW*Hyfs@Mtd@q_Bt51o9LSMb~p<9q9$YLdG%OQ~h(2*MlNB`IE@IcY_CeyOT|V3een 
zR&7Yv_ny=SVKaP>L!0OAJ@Lf*((ckpdbNOkiM&fg?eE3v-d0Txi}ty`+uDR*PLscB z#@&A_5H>Ul4mZ>Ec9G+Z9G_63O}MS27gvgg?CfHN>MGg)2APrRH5@axk`eKRH-B;< z`rDUQlAU_#i$6h!r!$Hhn*t_ev9gWH&Q)HcOv8}q!_|-%)bYtNA7mrLf5^sgR1{NT zWz+f+Q>F>G1c5XW!eOWQuT>mgxP0X|9hT~ohaKvRTQak-vM#UgAe?hY(#TVB-oDX< zHaKy4p#839b~My7$=(;GBu~kDe4}ZW!0Wb;pm!4JrWza3hjqYGMi|@HmrDr+Ku037 zuPxOY*AF;llz!6OaEWq+S5u(<{Rx&}3T1tkmg;EKkF|0_P0lX5YB}e56(9TIo@t;p zl3#-#*SWYDD=#1y*ntt#?94ZNy}a2a(AC{B2$(56P7W{XDTBmgb_H=n(ZqAv9y?yU zrR`f!Q0p6?rvfZzk=p|y;D7&0zvRXvU;M0|cNHIH^k`^b+ekNkv|>Bn{O?2p2#dJk z)V`FK`y#4+!C3Hlz`cfe^ji-=EWi>VDM&lufO&>2s2W5U17W%svKoOX`HXl?Y6825DkQ<(IVaSy*2 zw-n()GxVg&Ck=JgXAPr$p@}_T?5#T)3+ayYRvMImwng&zxow5+XM<+P;g!CvZ-S+> zp-@{{(cP{0)QbcM@_H_%2Uln^pB0+L*pks(uGXF8VX8#7f^vYlHKTFYM&1r+3F&_t zd-1&_wScZza^ao+I&*yXt0>rr$5PpTYd&+jlM=Lz_2@=37;4L)TOD*nGdb0r~yRp(|ZSg zN8TpJsnR|E=o~aPvt*wY1vl(=DnyBi0=#?Bur9dOaHjy+OhKs=8?zAt2zR*gN2_&R z>M@E=j-#Fad=njddY)yZL2h?LPKnb1<5QeuFw7FoWU}2)Mfapd_4N0LUA#}JxPsqh zCC6^2=fhU~lIuz@UQ00#)&Cy26REQm@cb9Ni^Mk^6JGxgwHcaBI}LO42_y_a#y!m3 zd%8k1{@qV&CYguZ{4Zz6o2@2?H*VkcC1I>t_w}}o^ypFxkIDZ=_#e>D_`jgt{e+bj zwdu>TLBn5<$L)1Vn$!&8%D^cs4)D|<54YpPF;y4bvek}CCEN`r)X{`i^Y(K4y&p=l!%cOS0w4vg_hwkH z`3B@&TP~?X!42}qvhDXW6cREV%ZnScbLMhXV5(s+rA;pKoQ)i^+N{ znKb40rRSPR@u#DYZbzArKYO2-+Te?_5W}ek1O<&e#gB~Kn|XuchkM2b8hW`lz9R-o(=%?+iZQo5=o73$UN|_pe)vEmU)2&s zhs^ZwUuR+e<8)bTG#%owQz{KT+h;Bsrnbje_O41vJP<^;s)|>r@j%y!RJ8nP=ra-H zJCXrBGfove^X7?IqqaiHh+?Bhiuy;$7R;G^8W&^xJ2q~Yva3xhh0C$d8S3!dY(G*h z%p_u_^lY7ydWYRhpj!`+A{yP|XIKgj&~y)Rx{mqw=~p_^jBN5J1m2K=*wVM#@Oi2> zYFRgqi0&;*y2gZJ1Z%vyJ%EpDZ``=S=R*{OowC(Aq=_BbU}%{EdgudWk%9@5<8=hV z4~pE2clcUcWQZOVeU_GPo=5c+lFFFhR0f}F=Nn|@n0!a``DibxkAzZFe{<3&gn!Cc zEBK0H(|YH-dA&yEio5wg^G#!2OG)+roca}VlVU(%dXr+tML?=ZA3L`FJTuo1zSzvf zg&dO{0+T!hO0z8D z$>thvp|A1=E7K-_1<9Fk(M~`gD#1&za-t79Gs5>*ncnhd#v#V<3t`89CKU-aN#*?( zfAd)n6l*%PQAj2|wtvD9vm`!aX28ceRT_k@mi*J(w|_amQiv1{mWET}j=sb#{*}k8 zjqIxWCRWo%Ah#J{M8b}q!S$U4pnZb3r06JZCt(Ybro|p!`$RO0Vv*FEaTue_Jx#fg 
Date: Tue, 12 Mar 2019 17:42:17 -0700 Subject: [PATCH 05/32] moving DRAFT windows content to PR for review --- .../windows/windows-contributing.md | 103 ++++++++++++++++++ 1 file changed, 103 insertions(+) create mode 100644 content/en/docs/getting-started-guides/windows/windows-contributing.md diff --git a/content/en/docs/getting-started-guides/windows/windows-contributing.md b/content/en/docs/getting-started-guides/windows/windows-contributing.md new file mode 100644 index 0000000000000..11739f9d6a58d --- /dev/null +++ b/content/en/docs/getting-started-guides/windows/windows-contributing.md
@@ -0,0 +1,103 @@ +# Document 2: Windows Node contribution specifics + +[https://github.com/kubernetes/community/tree/master/contributors/guide](https://github.com/kubernetes/community/tree/master/contributors/guide) Under Contributing section + + +## Joining the SIG-Windows Mailing List and Slack Channel + +The best way to get in contact with the contributors working on Windows support is through the Kubernetes Slack. To get a Slack invite, visit [http://slack.k8s.io/](http://slack.k8s.io/) . Once you're logged in, join us in the [#SIG-Windows](https://kubernetes.slack.com/messages/C0SJ4AFB7) channel. + +To get access to shared documents, meeting calendar, and additional discussions, be sure to also join the [SIG-Windows Google Group](https://groups.google.com/forum/#!forum/kubernetes-sig-windows). + + +## Building Kubernetes for Windows from Source + +The Kubernetes build scripts have not been ported to Windows, so it's best to run in a Linux VM where you can run the same Docker container used in the official Kubernetes builds. This simplifies the steps, but means that you cannot build under Windows Subsystem for Linux (WSL). + +It's best to skim over the [Building Kubernetes](https://github.com/kubernetes/kubernetes/blob/master/build/README.md) guide if you have never built Kubernetes before to get the latest info. These steps are a summary focused on cross-building the Windows node binaries (kubelet & kube-proxy). + + +### ​Build Prerequisites + +At least 60GB of disk space is required, and 16GB of memory (or memory + swap). + +Once you have a VM, install Git, [Docker-CE](https://docs.docker.com/install/), and make. The build scripts will pull a Docker container with the required version of golang and other needed tools preinstalled. + +If you're using Ubuntu, then install the following packages: git, build-essential, [Docker-CE](https://docs.docker.com/install/linux/docker-ce/ubuntu/). 
+ + +### ​Pulling a PR (optional) + +If there is a PR you would like to build, it's easy. You can create a working branch, pull the changes from GitHub in a patch, apply, then build. + +The examples here are based off a patch on GitHub: [https://github.com/kubernetes/kubernetes/pull/74788](https://github.com/kubernetes/kubernetes/pull/74788) . Be sure to replace the URL with the PR you want to test. + +First, make sure your local clone is up-to-date with master: `git checkout master ; git pull master` + +Next, create a branch in your repo: `git checkout -b pr74788` + +Now, get the patch for the PR you want. Append .patch to the URL, and download it with curl: `curl -L -o pr74788.patch https://github.com/kubernetes/kubernetes/pull/74788.patch` + +Merge it with ``patch -p1 < pr74788.patch`` + +If there are errors, fix them as needed. Once you're done, delete the .patch file and then `git commit` the rest to your local branch. + + +### Building Kubernetes binaries for Windows + +You can build individual components such as kubelet, kube-proxy, or kubectl by running `./build/run.sh make KUBE_BUILD_PLATFORMS=windows/amd64` such as `./build/run.sh make kubelet KUBE_BUILD_PLATFORMS=windows/amd64` + +If you would like to build all binaries at once, then run `./build/run.sh make cross KUBE_BUILD_PLATFORMS=windows/amd64` + +Once the build completes, the files will be in _output/dockerized/bin. + + +## Running Your Own Cluster + + +## Testing Your Changes + + +### Updating the Node binaries + +Once you have binaries built (see Building Kubernetes binaries for Windows), the easiest way to test them is to replace them on an existing cluster. Use the steps above to build a cluster in your cloud of choice. To update the binaries on an existing node, follow these steps: + + + +1. Drain & cordon a node with `kubectl drain ` +2. Connect to the node with SSH or Windows Remote Desktop, and start PowerShell +3. On the node, run `Stop-Service kubelet -Force` +4. 
Copy kubelet.exe and kube-proxy.exe to a cloud storage account, or use SSH to copy them directly to the node. +5. Overwrite the existing kubelet & kube-proxy binaries. If you don't know where they are, run `sc.exe qc kubelet` or `sc.exe qc kube-proxy` and look at the BINARY_PATH_NAME returned. +6. Start the updated kubelet & kube-proxy with `Start-Service kubelet` + + +### ​Running Tests + +For the most up-to-date steps on how to build and run tests, please go to [https://github.com/kubernetes-sigs/windows-testing](https://github.com/kubernetes-sigs/windows-testing) . It has everything you need to build and run tests, as well as links to the SIG-Windows configurations used on [TestGrid](https://testgrid.k8s.io/sig-windows). + + +## Reporting Issues + + +### Gathering Logs + +Gathering trouble shooting info for CNI. [https://github.com/kubernetes/kubernetes/issues/74766#issuecomment-468736127](https://github.com/kubernetes/kubernetes/issues/74766#issuecomment-468736127) + +On the node before creating the pod for the first time. + +start-birstranfer [https://raw.githubusercontent.com/Microsoft/SDN/master/Kubernetes/windows/debug/collectlogs.ps1](https://raw.githubusercontent.com/Microsoft/SDN/master/Kubernetes/windows/debug/collectlogs.ps1) + +run collectlogs.ps1 + +then start the trace by running the following command + +C:\k\debug\starthnstrace.cmd + +repro the issue + +run "netsh trace stop" + +then do again collectlogs.ps1 + +and send us both before and after collectlogs.ps1 and C:\server.etl From 5ebda61d86f64bfc5ebc39587ef21d70dbe92eaa Mon Sep 17 00:00:00 2001 
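Review bot: `git checkout master ; git pull master` in the "Pulling a PR (optional)" section does not work as written, because `git pull` takes a remote name (optionally followed by a branch), not a bare branch name; it should read `git pull origin master` (or `upstream master`, depending on how the reader's clone is set up). Two related gaps in the same file: "Running Your Own Cluster" is an empty heading, yet "Updating the Node binaries" says "Use the steps above to build a cluster in your cloud of choice", so that reference currently points at nothing; and in "Gathering Logs" the download step reads `start-birstranfer`, which should be the PowerShell cmdlet `Start-BitsTransfer -Source <url> -Destination <path>` so the reader knows where collectlogs.ps1 lands. Finally, the node update procedure copies kubelet.exe and kube-proxy.exe to the node by way of a cloud storage account with no integrity check before `Start-Service kubelet`; one line telling the reader to compare a hash of the copied files against the files in `_output/dockerized/bin` would prevent starting a truncated or tampered binary as the node agent.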
From: Craig Peters Date: Tue, 12 Mar 2019 17:46:58 -0700 Subject: [PATCH 06/32] moving content to PR in markdown for review --- .../windows/OVN_OVS_Windows_Installer.png | Bin 42455 -> 0 bytes .../windows/UpstreamRouting.png | Bin 88719 -> 0 bytes .../getting-started-guides/windows/_index.md | 233 +-- .../windows/complete-staging.md | 1363 ----------------- .../windows/ovn_kubernetes.png | Bin 106577 -> 0 bytes .../windows/windows-setup.png | Bin 51061 -> 0 bytes 6 files changed, 38 insertions(+), 1558 deletions(-) delete mode 100644 content/en/docs/getting-started-guides/windows/OVN_OVS_Windows_Installer.png delete mode 100644 content/en/docs/getting-started-guides/windows/UpstreamRouting.png delete mode 100644 content/en/docs/getting-started-guides/windows/complete-staging.md delete mode 100644 content/en/docs/getting-started-guides/windows/ovn_kubernetes.png delete mode 100644 content/en/docs/getting-started-guides/windows/windows-setup.png 
diff --git a/content/en/docs/getting-started-guides/windows/OVN_OVS_Windows_Installer.png b/content/en/docs/getting-started-guides/windows/OVN_OVS_Windows_Installer.png deleted file mode 100644 index 520f6ae9e6c54b752ef6b60df6d4b11a17741cd0..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 42455 zcmV*WKv}CzDuBp9TqXiNx1 zdI^eM5u_)%_n!G?-YI9!xh28f->&=pGt0(vPo4VAJI`AN6GBi<%1JpXC*`F7*>wNp zQ#b;Ymnv0i@#4k7=TlQtUw!q}oH-yT<)oaHll~4V3n*{Wq{*X?j{fjxbUiP+KOee5 zPyLLZx*wG(^F!CJU2~v3C*`D^l#~7rDO*r}=DCLD%CnzmPNRLvr~91wIS0yfQclWA zIqC0{vIXU6d_yF0{O21t#{G0XB9xz-U9aqrFW|85J7+&1Tn6pxiziotqra5Y-M75|ksQb=4l{ccHq7}BcaeR?y=1z)j ze~bOo{Myhn*~@n5od28ZHhkq~zy5R5|G!dla&m;LHEY)VkL3hooRpLl{6(6>*x1;= zCL)K1@=~Qrtz5a19!!`pfkU~%@p7ljJ(n*zER+L;R8~Xe-0azB2M=!XH->UHu#ZV3 z%Pw~Q^~An#Vl=NFQ8{;119x(DSKq#9(V`Z+X4jj1V)W;Wkoa#4+k;P{JH;~{%b~fE zR(;*k$~&pOe`ka0RU7uz*{c8l8;Kz&{kIbZ%5Zoc;nM$6P9CZE=%LR)(?1&WWcE`C zD5p5yym|B6w{L&j?dP{pag9@?OuI??%2pPle;k9ivI5zb%vpWjI_3 z{$1%Wmf&B5^4SQT*nR?4s)SCITjYT9JI{><*!1u%^vtmnh%T{e7Su1p)WJh~vls<#BOw-MV$72Zs+I-o9;H?-yQJv3m8=rAvb! z`|PvNLO^*~9Mr~!#=gk)tv+%>+{q|{Asa0y-}%hOC;55n8T*Ra`bM}D;WMo8DD=02 zUIn+&3=UyAuoD&bw~LaMdrMmdAe)S9FZ){*9}%1xeWI*`HE?7iOja!@FWVAzr|)aC zU57TS+QcJang;bjix*ec>P=MYQOJJSY9V)87ipkp|!N_+P|v6fBj$`s%Cn@1aA7 z22dP8Xv~BOR7ekgEKi<1hGA^mw#{}ntXQUx0lA{L$c$ZKMvJ&pTf_tU@Szie3z5&B zb#TJk`*-!NcV?*dOo$9C{0;f7;8y{5DC}|26?Qa|hXOeS25A6TZ}KtpjD?Z#^5Er2 zaLKi--Wg@$sQHjh69jx#mQ@wVnh+(lHDXZZgl$>p*UyHp89E_4X@4n|^S>fTK~lMF zVypg9$TkfnTR6%UwjbuCziIlrK{=9WP7nS?97n-We(>PI#~yoZ{P^)@OO~WRcPAt? 
zcKdA{vU<%;zf(zx^-)Fbjg3@zq#n?pU<2*bMd?8 z-(I+|b^G=*Wy*Bv(j_h~E-fw1{-xbQCRHL8SxLuLtj56OSi}-JX@)qa9*NnZ1 z^#xd#7A%hXXZAMPtj~!3FbB&2_UZ2i<^Q(?i-Pid@4oxSty>3MH@=>H{pq4-YNG2` z{wPuVkw^OX@BjY$@1t;YskWqM$!WpjSVt=emV?1s(1%@yAG3&ENrdos2Q76qnj!>C zpk-Jw5;~s{>RTb0)~sNZW#U9-gxYY^5k_1OcJL(ZmW@ae2ydOJe5}&Y@ZxPqg5_U^ zaul*@!o7{7s6$)PN2|v0P#(TzgT9W!*Nmfyv(0XVsQ>F=KYR#5(b ztM;U6=gytgt5=^fV@BzcB{O`!;64qz<~qrzWZ*ZSL%dD zuwA)zRZ|x!VX9A`K8uf4vapn^%WP^-(8947NaRpTv_5^%u}T8E?S{j8mV%|V(4t(( zZw0>!Wd)-S^UP2m)4|yW)Yc2dV-~-zm+;>L8yy`zdh}>|{Povg z)2sinGXM8djzwBd3YT*F#{Xpcf6GNkhw|imKnv=q%oW7Bh{&p!WlyBR%?bfYZ^x(k<3zsVOeczvJp84sg=ZapR z(XcO-&Hvlk{tu*_;hK}erJTNzlm2$e3FXRch@UJ{q)5w_^&2)Uzw0;Gz7LYGC-3`z z1IKexPRdC+>3=C@5l$;7<)oaHlXBAEKjlDqPRdC+DJT8UryMBHNjWJe<)r`llmq2C zDJSKmob*4Ra-cjX<)oaHlm6!ugYrU!DkF@M;iCVr5e0ue$YrqW0fJ0F3It3u6OjNS zCN@p_7lDZjrhgH$dO_l^LH`o$qCXIJVeDr1FxW6r04}=-3h=)MqTix-8iw0LJYMAS z8d14$R5blZqM{6M6!N&}gY-ir(?`;8lk{{m{Wi|bG&3`>Ka=<}X_iPJ6S2$$Oya|Y z=Zfcu@chvC!vW1!6f@1i1~CkA4=VwCgnj^?pvMH>z-Kig{;^;5tRF$ypdhT|@;06V z>>|IB~bM1?)e1)wdvz18pE|4&n^{<;4dZXyT+If3D7zhPb+MQ&N zWaFN2nY@#v4;f4%-4;289HIJ<3^_KfGessI#)S%062pKG09Q2O1Hk2mo9W>4Qv_#d z4!sr&;Da7ybt7mO3ZTS*R~dkQhGBSEUk0G32u@*&E2fqGn8is z6x`X(OqyX6Kj!0y_w)emYyjW>0PT3l@1y@r3huNA(tgMe{0!M?hD|>)128dxkbzjw zbWTxLztBo#VT!Z~Mtq=Pt%-4%N(hNv#Qs773gnK#i-b9;gBJ<$h&E>^5Jwu06VWYs zH!z6o5{_ERc9!(Z8Z<@5aje%>mY)kb3ucMb;ogq*=8l-c+#~Z}WD#~VVBO=v9yrh7fG|M6olY{+&D-fH;}$)jfX)U|007+#FgeKd$v)4= zj41>|mH{`E(uE;c&~sd(f=oHam^|haKXpL2(3wfNY*+#+Dl|8g3`N3?F4Z*^=3uMR z#7_x@N?KPkyR9KLiIo^op90Vc5u!SgW5^EccO-XYd9&W9anL0VQd!gU`N<^RE~LLWcy8-BlO`e8*2u+AW!<|~7UMJ-`{6;@ob zM>ynbWWlZ_lvyXkFQFV0g9G$23V~W-MOqyGhM?Ez*~>yw*RSzz2_UXya6^bhd_fad z{KyW>YyZX0QiXa`Hqrc!Q?{Sfk)1?>@1Rs<(h*#sKv@HU0B)fcW-6!b_`NOvPX4N&nXJ)KJBB$J|fI{TZM4$EGjkcsGIgM3&(vtQ;20G(FAGH5JtZLIztj(4`@c5`sAuUpyWT?m}jFffUa=C%u6V2gtS|ipi!J!gv_A zuA}%)dmoc6=)9B3g!e!u>#=@{^;DK;of8ChzSL06o(T<;$;)dssS}HFXrOe8b$09~ z`aRm*K*GH(%cj>?ml1jfiEu64qeMq=QNc3jA=Y3x^4p262Eu$7>$BDW1&*ubkL-`Z 
z!oBm|IQUd{#P%YSj%rZOr8m}7IY|ObPFFPV;_NSl3o7<9>W~T@8C*P*;I64>m7v;s?XdpD%^ubU&(?>EhkS~*D+$I@7 zwq#O3XRBQb=$zTd#MDp#SwcEY9YDOW!7Os6By^fg$%)%AJz%{@vg#lzqM-2;JV;20 zkrPte>=4y;F4%%0UT+3(HJ$n4^0;aU0!w>q0ZaG+`Ab52sD4L+kR+%)LB}@goQcVN z%7+pG34=t3LE1pzzztPyn^u`@?B~P_A(E@nfG|WEv3>;qB<;pB!;zhl>;}l}oPO~T z17O|lVT(vN9~TtaA?Nft!{9^#$95A`N))n*pTjzk>?R}JG3~kx(@h}^(SrcPcb0ty z?y%Se?FhCAOpKfhzF;5=7C3`}Oyd!p1WWc&j6}E=B4eR%ccPW#UbwWuCuk_LnBz^h z?hQ+whePYgi-SAu{Qv4;xnoZ24pWgyskmT)a)L!+TsG(=HR_xxLTL|XP!60U?P0V> zn!vYkb*Ra~j*GO8A*3&~T^gX%iN6}RZm%6Kk1J#+rh;|VI#R)^%eG;Z zeO5j56`N4u0x1OABUqjyj_fW_BZ0JTaG>|N8I)68cNv_Jf!PRi`jO=@AjKUZ&=Ej9 zli7)%a8)WSDA|~zLXzp{mIVUY5pOxhxpQO}6SGY?c8s`Salvqato0wca0}6(DDugW z&=esL+3H<#RgDxOtKJs3noN%4O1%aOo}!10S1>` z0)p8BV>jp1G5nORXmD~B0E!VHhR0*NsZ{ReCNAus7dTCWiPnS)=9w9ca>=-j(i!Cf z(t3s@(1CIhCN4w*x?&sbaw01)W-O|~g>)uv5iXB&;5NA;P7yCsKNA|$9grQ8c#(f2 zae^|BI@};7rz5$z!F+WCd=|5T34pW?-OJB&2y&iiAgBU@p;HpuIKT7G+%QdA; zROf`d#{-ryE`vcltUKu#VFaFH^VEAKi3jpH6WbZ#?gtUx4{J&v|EXklKz2H^RL4V- zUsBx<%dr-0Cqo=X(n?Nrqn%Lg7D*Tn*Y?i)t!l;*-=n?Fy2X@z+YB;j$u_}){`xHr z9M5(l*|=!@#mB>^U?>-_BMQw0|3FieP)>3tk$_yx6g#Z*nE|j?WPnb)p5I_1A^q)_ zRx8rXjzP8oMlKvH-N39FmaJM z&Y+zB&ESCUgV6%>4O_aJSchOl?A(r~U6>%n-Gr+~nI$OkY3u}%(mImbCrq3JCL6sr z1XUZP4^XE=3+YlFXH$e)T2n*tFc>t=nnD=#E|O1IxDXb$wZ08-!n&x4CC7fmn z@V}sr3V@ko29WOo#>UVFWGa0D?gV8h_XXt*9bJZbqm4HCqmrx7tlOAP#!WF*%)zQUs`0+F$(2niL@Z& zRmOy9U|PgdkxM0*TWdvQ#X#IiA z2+LT5)8!O*+zi|i>-1ojj)XYO;mHLi;Vz~Q#cr<=9VJX$JWEu^DhiBMx^#HBlJQ9&+C{h=vFS+ z<{{2t4YUKVsj`4DuylW*eaIU#;{QXVgV>lkuYO-@#P0W`n(3sZ*udn z0O4L8tRDqHo67JV_;(+tH<1wD!FJ0s5%$TcS$1!NotWyR-Ghsqr4Su~V9}1Vo(ydB zjW#j@L55q%E}k1%aV(MXT$eV&k}dyPD9`d4Bf?b%N!*(iN;Y(7P^afzJF&1dYx*w_A#t91aAX z&FD+FiyMs@9uJBF6Bn-+%oe@O@Bqv=m^DjA2DyEkSu3)C83NF`gf0M`4m^;l8KBEy z&mBVy-hNo*iY=B6v7`VyHkxfZ0!_)W07Y#AaQmcXx`Rvy&7_k$4;I72QSI4pe~D#) zFIYh#2(Zi%hFJ{-1O^FrEk7nMXluX0jVuA|h%I{&Ru$RFn+Aemg+Yv*gGuAZEx30m z44Al!gq&_j5=JrX;_H}y)DqhTmWr z2?uTl<%}?7dLU*I=9aoB;AC7ND$#eiSa;V}Io!k)C^AmD_&EtfMRm}rax(+~bTEgyQjD1X)+JjhXyj^w#R}4&q_k=4; 
zmIZbaTvnN(2ySd^Eo>;*<#eG7$QD>aGF2qKO2-D{ z%>yViGhp5Zgk)}Vf{);mf+=$*0G-=lC{9BGI+KM7w-LmWAvFwJnj zsQaP662wJyL9Zjb+!}!?%0|D`0U^{%KP1s^JFvKN$z^jk3`pii38-I?=^gZB`}@u~Fp>CQiB5HKanw&8bBq#C8zU!59Yqx`2X*?u|Lm?gCLs zOv^Bx2vP;ebeMEaQ@WdSPKNt2`GxK(0I<%wG*hc`K8L%ZS~HeDhlbSzMrNfW-WI8O zoj)UXhk(`@40)Akz-4t6qIb4CEROv?3(X_zJhS`qJ4W;DKER<|=gQgar!8^$`p*qK ziCgqb?#anki_zd!QK9p)QL`Wa2Yce%9~aD*j`%RMfGd+Hig-LO@DT;~A}>8-H0gZk<%%WQ z-GA(v@y_!fXHYa})H#Ln^xLMNB0HyCd@-HlUN3j9?YYA9AgRNKtwt6%)Asto; z3f!fAw5)d+X#y9xp2}3OGA*ysU?JVsaE?n^u3K5+oR}$RCM*n0kpvgbEL|GFfOu{) z`j|v7PHt z>9L!iaWQ%iGbx@U30A(!SoIW669P5~N7E*%==H5rv9qe9a z)110%+~XGZf3fK4A?-G-%k<=x`n<~>!(PwXhg!c8|lKh)GC}g$Vk8a{ppmS&ZX*a2rbpy z=6Q9CY3Gi$6)?1ZR^9R6NRDUg&5^JCmABawgYrTJDq8`Yv?s9z;@UZ7++u*d+-2_N zck0K#+Mx3m4;X`cg~wytQNK^GowoSJTH{YXw{qXyrUwSyJ$P-vjF~)V@qh-U*sH#c zAK0wp>dI46whn~fC~aAzn$uHahHqHXvl%^;c3^(rmq(|#(DO5{%zi9w&*$gL)N57} zrG2tt*7*ls?)yk7^ke*@H#)uXEnk*m!(({dW|huK>syxkeoyn>2`P*~cN@TTqX!zS ze)Z9&bmj1U>Vi@8#~!_R;*LrEAB68-*wA=(v4nT(r7h@QW9+f6>yqa+J20@&z|~#m zUY*+@Eq)(q*03}}=jXMpG3pqydKQoC;ssT$A?)WQnJ!p1re@v9g(4@W zD>w+*iV8tUa5EFDFNUL}75#!ND?sjT3k3pKOgDJOa*sy0{(2DA4Q|sds3e4xMUduF z5OJMu<5=vk58a8C>7lbMAzq^E$~4n^E|LSLOP@92Yl;w$B7m{|{Q&sjimBQWN@~g} z4J?AddW6?GM*8%|t-poYHkJkjGN=GYNIjp7#l$?48V^>(EHk}em8*lh!JPHL^%O`L ziRr>=14E-3Qpto=HzPzw+FH3jv=1;tP@xnM!Pzc#0(#;;uRrb8>CQ{z=QKGu=$=>CRPUd>rw583U9;1cE*nnHZT9KF0)1Brsr>c)9k(K* z-R3LPsf6B`O6Ze!CJeyyo3tKXY4(*l^-)!o!Z9-KelLX zX7zPn^=!6pUg5X|)cW0#J7zVkkX_-rbIqmN$dJvc zOiK}xVKO1QfKu2Pz_uIe80Z)7pyc8mPss8Z)`;*QA{GNu#}6%tEK`|)0Cy1%3`BU4 z+1X^K)|A4wU8;O6O|n%cZ?3#8p6Q3uZ=!4`GdkY~E2oFx$wRlk^;{54E2$hyuh9sd zUq|!50OjE(3G`pVaU`Vjf>pVR1??RHypBJQjE`Hd&$HrqGo?g4AD z*Kp-RZV&P>lR?ye?C;ZRr!5;&YwDTKi+9dxeCVa3BUV@GmAt!aDReO{eo5T)?S~ID zgGGeeZoVR*Ja)>Sy#vv_MomYhxJb;x7EHKkpava( z8C-tPtZ~opuC(^!PE8N4xO?yc^u&NmQ)AN>4~(67`uP=m<~IFo(A`5unTN$82@b*Mfnl{k$Y6yamJj7mA(&1onI`3viMGa$?-h_qrv0o`B@aZIC{*230QcI%b}H?bpo*o+Yp;$)

%9%0nWiFFKtVmLG7GKj)@))`$gR3w&Dp)&q6iR_cm zP#~3aYZ+-6BVs)UOko0#0>U~#dfus+ZuQ&tE#yIWntr_UXVUJqS{Ddu@vUh%oUlaf z7K%iyibA4oMCK)X1WQnsLiW$dk7hUB36vKuT!YWLbh3q!ELcB{V9}WtOB|v{F;jMf z?A(0x5h@#aiQDZmmGtWJ1^Ka`|&SdDlulANji^QF{fW~{)V*p z6>*(rC83s^uDn4dae(r84&@`0>2)ftGYP%W2Txp?+c1q{`j|7Q3zN{}2iJRcy-{Pr zx`Y?e{3m*hP6Y~Bc-gVVW=zNKulH})tOR|@FY})ty}iYhJzeh8i+y4H^15pauiDh6 z>6aVsdHqY$sQaaH)zg*_i=A@1%i{Ox#51VKh&9hnzVgna@h`=8Tth2|W^z)q_)!Hq zZb#f;90x_$;+12`=|XcWh!<}60+DQ?2E~FGTk&;Om=_u1m7ArLU>po7r|@;9SWCfa zf0lZvkck5p;h6->dOi<_l7~ zrsi37GKjiPSi(9F&Lin{Zrw--58fk`3VO9`QF${hC92Q|1w`O-5gJTpo2X_oF_Bk< z?lepbVGY2fovv_;70y#09ve=Yw+sJ1!OsXZ2cJ6;b_U7i2(JyjUlG|wiNbWw(r8N5 z0C&410VTGZExWvE+|CxYqNhx6o?WZnL}~#WOu=Q*XB~tLpE9#FjSr^)$P&%73$JdM zt5KsypMLtO&+m6UM|)UIOiWTz^1tg_AeG-$6U&y6wn_mtK23}1Q*5GTq=>t|du8t9 z@q@~DTEiD~USiPvN1@JdU7ArZZOMSzZ~ySzqW9-COdMQp%39`l=`%A+#5~hr*h^iS zl|u0^RqM3+=?zyVGbr!0HFlB)kN(#I2w7$Mc&%Kl-R!=zk0`_DrT{Dcxn+u(^$j#*gg$X1ST4^gs(BK5 z%UE@ctFGGAs%hf3dncrz`kj7z{h_qglWNUM>pXJ>&F!F)6W6vIb$P}kX$yPS7;_xe z7?8538{!hWvLY81EuqQ=Ai@gGpwk=XBgYMxZb)lOHukX68Jbc~XM+R@QC$Rg4JV`{ zr1yKMUgQ z@Imr03UkT+LMu?0E(`0i8%5dW&4x6|=b}2qW?_;}09iY1h&LLy^9kI*~ zcQr7fvCM!F-T~sJ;?#ur?Ea@)cVbcP?l6()ygU9m9R+vjY){#5W3hFEF#JtO z6M1p*UxM`l`Sbtz=jD6ux$n{+f2i9#bZCG1^5qK`F6`g`X{l0W{C=g}x^u=xOB~7{ zwmjN}85SWG{0G=(J3@rUhaqy zGj>Hnzhd#P4(Pb)+t|^I6Z+u!tp|>Fbx+>f8vS!ztp&f-7&2*3XS{I0JL4|aSo=YT zrit5&ym<^g`1qk2^~k07peM){VhAG&9+8pR7c=e!6S2Gn<8)I-1pu+#3b zE?;O}Q@Qq@db@dyO}7RiwG{;tH(}&8B65B5NZ-jM{N?$#=xQI zLIFWj$l00;>vn_3kc*g*#l-f4sQi0isxxHlcw0aYX(z)X4oQ<3EJACD?TnNWj@&Ln zG$@HKbYG#0k9i8*$5|&c{YGW-qsyO;?l6(4ygRs5ZnaK8gr2sQHA3U+$qXJ0L0p^$ zo!MgcP^nTSM~@y(50)%h_Wk$YPnB=@Y{5#OpyFrCMe9S8H_RH)>_K)S?YnuiULLjPByt(u*6*6z^Z|6?^Z2xS%^H98 zQiUn+xxCd{4_!31Hdw6u5Wi^Rv*S;pfUm~*4GH}pKxqGiVW zjyY0y9G*PA7JT=Y`0?X9?_oyhz@gub(CL>uZbifT&U&~o`svi3?<+K|eQa>Och@%Q zb!kG4w7rSvO4Vvs;)nQmCw3Zpl7(|&A?qZdBNYTg6VGiuObeyNt@4q!W0~Y$i0}`D z2$2BdJpPvq$EahvM(l(TCBk8#jj*;WNY#Bt5aH-uEr+c#h;4F`u??`GWefmn 
z506eNeI^VMyHvVZOJ;^UUGwNkY>865#emy)S8}+)=HET_?ows%bNdL61dGl@p?uA3 z&FjLn_iejT776xWcS1Qr_Ku@37Q+$fDxhEJL~7Trb?DGRdepsp&!b0Ej~q#&$Nl>C zU$l71=usn^G-eVMrn!Ie;(xF3#O_(tLx#v1>*|M1e zdU|^L(xuC?GGS0qj<_tqjjLeq0!=*Eimq%qi4e`Ot!lJ!Zx}8Q2+OoHL^Hc@gT+e` zTer|>eLkiT_xa3BW_WJ+eM|)kT0s+Kf&w;RwTL6h!2jI*obBKP@lx1U63ByvZ;?{y z)8XVY4Cy%yJ82*YwP-M}q9};c6ZFw-t74TGmB%~kzpe;ZLHZPkQYZ=Yq6xiT|M z9?m7e0=3Hsy1EsL#=3-)ot-)>E*ZInf)s`dM@Gv(#RL~~6&R20ts%WvLd+iyQC)Rl zeTA-^9hFEN2zuOs<~qtF>kQHD-W0xLO(awtGy*CHIaQ|m1Vfa?n{DFJ@XI!!!wh5n zw0=((#ysI)g(Z{|xhQqnmR!<;5J>@+`6`Qu_=3o0bEg&PgHL%7FBAnLl`Hq*huf}SzcF&;SbC5zUxC}{>4{$*TDx}bJMX-sL%HAYzw55M z&YnHHe*JrA&YYsCO{MatO`o{yu0oeC{XTHuz#ct%Jp6F&UAsQ|=%by53KbeU^tJi( z=Z_dMDq`1VITr*Ai%rOb=P~bX;P_y}D?%VN2NEk{wMHev$PVM68P4QeUy8`_Y;RB4 z`kBS5MJ~1@Gi(*aR(!+TU0FaZ2HAAj zFeeJcxBfz~BNAvt8K5&m7Z=5S7L|zty4UMsv0Pw}iztZV;$a>~!t(6V4!^uyA#KB~ z+6%s8A-Xctxo;8iWndl$LkqYV1n4T7wqryox>n<4m5x-iPv^4{a|Hw_2M{OVtHLKd zDW}_lG6si*3Nxs!eoN%T{^0xU2&kjEcAhApcL{ShYquk0xBrt)_KJj2RbkC#X1*OV#K#*Cd1TuxbISgS6a%^XIC^6J&A<;$0E?ATF>iC_2Y*JswO zIVVq^TD^M3lTSXqckiBx6)PV1U263pWkR#p#beEBfFpe(Ta7PI=_dr;19)!#EQSlrA z-3Mk*0O%qbSEgWl&EPM{mM{z{S$GV9Y}mY!hZ$g-d&xjuE>MTM#SR#-djRa>$h4ry z%Yx{_eiyKM@UV!bY|#;br9*lKxqS;_F5YHwbTiTs+wseX0xVX$DI$)B1a!wpa||ur zh}e)@l*!E}0nG{D&W6vRrpY5|V1?s)BrgZ`Oh_cyvW;o$uW9X{>$fs#^OII9vjC4h z7IJLL|LQWhzSo4VLXemUr+8pw7T$}95H|r>9b&6cst*uxK&*u`5to9O(hlk=INu@9 zNZpX+vGu~qXYAl^sZV*Ibjw&V2+6?f7;}CmAWJQrY+>lRi3r@t!@Wu>My6C7g1a6D&sCO%AojGL>j`y&_V?ZUi$qz#Gw4mv12FMwf#XNIZ}}T zh~8U>7Rbn<^Q=?5_Mt$G56hf@A&a!^5)G; z&u`kadB=`zZQFJjH*O3C>ysx>rlcI%wQKj(sgt&D-QKrvT;s;g`}gnLty`DNmoJYV zJ+@%Mf*m@v@85sm8*fZWN=km@kvetjKC*4w_P5@8JF6PREHYx@yJCc{LrA#>5sE3k zZz0>#ib{zl)4T^XlO=~TK~)bsV~V}tf+EKf^YCGBe?fJ=HXoECASsq0vH&~y?9)1wS}YM@nQz( zz`8`iF;Ffr-vrpUb8L?b*ie)mQ%uh!zI2vte9PajAN8} z6tsg2c3AbuUJf@xmBUSaTfbtBVl-OM{TbeQ?t4VQ`#`#X8&oQ21qC? 
zNo5FQjRSo|I1FQuls4Sba8Sh+fJ;QVDbW)iC=`|_C9(q8I?ULKT*uhW`JL`s zS_vaSxpkHlDP5&@?FKB6wLSfb^89e}8-AR-c=_L|bX02~1?BgaE`P5#yBrJ2mGATK zF4O<|um5r5+hbaw2qK1(=;}gt0pl6dGM8kP5GYiz!0*4Dp>Lb|#*DFJry%YIWpy5; zZSkX8%G76TWSM(}NMWFyapjKEU@OpGP%US%CJbH^2j?erbYHM5FI1gK_LfTuNC0|( zuVoC)vIPu^#c09K&tlbyuuzclsH%LQb&$dgw$nKf(@{bw=6nm+wgv)xJ2$p{gc*QP zi$1a10tp?-iCgcZ+OQKwer!tRR)BH~I;mhZxR4H*Zir2&VVdEg7HP%|j|WFb(V2#! zd6ZX#uj7KBAGUh&`FMOTlFqjkWpX;~zrg}Y!=^<%=3+oe4VK2z37QVI46-D2_6KBh z>=JI}*yZ3}5X=?esRF)v#7CP9n|x0YpYpn92RK-23rQf`dXf%M3SYbQ8~xmwc5m`C9^&(!+W*~(;n=iuYbtU8V0yv)`C2rsU%g5Ndj3f2@$EZ4 z&J`W~+r<=m_tfcg#*Uv3w*|_VE%kWAM=L*6@t0qJJ$(4+u8%)9O@?3v3lwPAz7;+A z{EIJ6o;*cgde>cdwQ19ezW?CC&(54VOW%_(U+&heTh*)?69@!$?~cEA?RrQkPfYx} zW5@Od3KU39{pO>OcK-0=52|z&{cG2*Rla=rKmYvm*s)_9H*S%php2k>YVF#!DN^LV z3m3j!vu54*-;1X_9#^YYPe1%{tjFV_U)izagFpYgs#Tb(6DRu*P+qW#rQ#49{SYMn z7~qZ^5Q7UYv{kci!E2MNM<2#UrKyoHLo zh|A`{VBmm;jL?<=Yj1Mf*s~8J$w4zMD7PDP3rgAs=mv*%%oU`tAur!P)bM&3<>HCL zEEIufO?Uain*dEd(rchF!MMQ`_(gkZ@3Le^NUPr$tkQ zJG*LF(vXM=5`C})|bQyTu$iYKj?&tAX?x$ZRCcn^Y;OWz6Dpf51%~5vqz(KDpSh$$JIVPrR zQsU?IOz*gU%a^aD2)=Q{nvx|;s%H}u6KmCC79u*7CnY7-tXWeL%~!8p?b);U)@|F| zE>}Xrp8ECc>xDXc^k{43o-(k*9B|Vd&4F@(m=O%e1A=d15#9K1*xZirea405gQJJoR2QO8 zk_h>Mhi5*3L)pU*2=Y9;YI7B9Xg;iU4O`-ZXp-&7)lc@#4}- zM&!~%H+e)VqJXnD^c9<&>nhY~UjD%n!6msn=F$9>9{K%}C9TuURj%>?Kej=+Ot()S z`u3ZYKY#o-_!8~T`HMc7JAZ*Q%|t?*!>SxWYN68yZA%3 z*v1bOE1G)vQ~Gnz;Nc72T}}r`OicB!zf3?3$_K1nx8c-@!w){l3U&7ExpU{v*Qymu z#de-CUF}KJty{Og_~KBZLIpVlr>Cb^toYEk-+lM)!Uf&CcRO_G(C@!rYS^&Bz4zWr zuTGjYnf|+a^-8W>xssEU6B72eZ{Lo-xm&j$J9q9(N=mF=y*hovnl)?bYrA&sQm9a& zUw-+eY}pDoZs>}K5PBd6<%J4VB8;K4p*fcVEJqG-;oc zdkS(i=j=I#;Is_Ty=)_Mwuct%Wx;gZD`itM=C<5O>n~wn zWpF!1B%LF$OZw?>ahq)jz&3GlGgxQY04o=^`<<5oy4C9we}mLc>c`e5a1Bx86nM-@v) z8Zs!7-d*%sRm`IyC2>cec~0rp@-q5g86r8!yY4ofPw~w$?UUFx72>P`t954 z&7SW5Wl}1A`@Q$xUAkoPQ)e#xcHv8U!_>DIE?>R*WYWh}9#2e8eX2w6D_8!c=Lhxc zHgno&dN5=5l9g*VrG6dHPQEgF;i8ok(_*Su`TC2G>6y5`L!zUi=FVZ>r}O47erfPf z`ia7Y3+(-5XVt1z=*jLqdLKPPp*#_>dE#=NI*(DXXAj2pTC`{ZJy^PQSzMpK1q&3Q 
zz4OYS?9=)4<@@1>i}~{9OGrqdsQu%Q-_w(?y*6~lj9CQ=c2#@UyZ$EroF)pWy{ijOoa zTdcUF0Og+@a945We|O=+FE?&vsFtZBq5R^-->zN_VS{+-%#pJntqWH#QS~~T4^+K; zUrF0ZGyP)RKd_}~qZ67dI(M$Cf1IJ1F?as*mxoT!j9gLS!Ucc3co;E)Wx=V_=T|MA zL5~}?c>drQNs7Ho+`qj>wMxk;$6n|+H1(@p^vs}F$1Pm4nie^x+Czz-eMry5^&eWV zPR$5c1`(;K?K(D&%kZ;l*hD}X6erjHprfykB6@nb2K zDpgELIa0G`?R)OIXXwyZYS*rnJG7lscO`Atg}a}0Ivsax+qP}nw(X>2+qP})*tYE* zCp+ew@%@Ld4(g!lsjLaF*2S^<#w@JPpMLo%jNb>5YIPte~-jF z4Tt#HY&Q=ovs`2c4rt$OoQJ{X!U1J)gvd3&P|>=LUU1(F+hn_0~V|oRG)=n})n67gZVfoERK> z1T*9x6BK$QmxSsbg0V+JGp!^4nVsMMJ9yAE)3gyk5ey6xrC@zdFahP)qy64JI2Nug z?s}XDyaN^5&r@qJ^VU9?d5!}*up}nl0SI&7%pxUzIWmmazsa*c7y++nC8yp`BBb~O z-F&xICCaoV!dI1kPo|jg2mE#P zH1{SHWJNQlwaQUnrp`Ypx+rW1AO)W)g^;GT681w=e-~|G-nZK)Qw_6*5E2#Y z$B67FzjSH1$ZM`&QB@jlg9Rw5;??S9S+_M_p(DYUH^Nx=!XtK^BX^=w)r*`Y9K-GD z{OfGqq;jvQ_f;?$`r{L6LqY%So&z~o6c$f7_L@TXU_7}}a;n>KPD_WYwbKK%OcdKH zCvzyzn$gqSb$z2zSI|z%u+^&>4a=s$dd84y79$Ri%u32m-xleWl1xz(vx*AL0U1UkcJn zr9zXBIS$}t8>Btno88nT3OxnV+Imeqb{ithq+hmUWre3XUl1tw8dD+?ULa#ozsl?u zu4Tlh=Vtc5YrBVLJjTZ5^-Iwt54KUPb8d|{WofBFH)24c@*GFam2h*hu_ z?w0(kENwG&C(8ueqO@U+2hRd4`>q$(WLGdP*la~De=Te!aa$zV6$d$6OBMZIq;!J( zVEq$vA)*oSj-Z5;+{M$*&RJDO)=2JD$7zi;jg6mD>%`O#b zSkab9z1V^A*D#t)NETf)pVyV@Z?}vh*G`*?PP1)gr{)i!vt}(n-S+f&;EanJL5Bav z&m`9YcDI2C`cD@41`Wd3Zzq8!^V}`#I)f9B^7WJ9L*F1&`$Q6`z3a>}Dczx7ji7o9 z!}w$-_iNn5^n$@@xhr3&4??j@QyXU7&m@IRX*Xv|Cs{!ci5Qd%rw5W=FLpG@lB|z_6sKsL1zhzp~0u`~8`8JqNg) zztz_>T-)u)*Xj2ijL0e1AO`ZQZ5B(Nbo(59k4@39n$=&R3CZw zcjTt#oboG$7<#Duzv(xB193h$T^dc9J75r8lOm zBQF{-KPXE}8>3ItvU1X=-=n;NFjE$v;c{yyf0M#xQhzz)K$sLlVTb=ZEx{&iSgOw| zD0rC1OYW$g6(&|Z9&S4h2{`WWBO&&*PA_SP$|1* z*eDi53JiT-n81sS=eVd(GY~t9UvqHeP1lY1!Y`iz?!9+`#cnmlSt=!f>rld%y|TlF z6jGOh?#P%Hushf+OJE#8E)TQSHj%ACiC2OX)xW=zdtpMVPAjT2ANY@JrFm0C+M4H- zLWeam!h!J!@G|l8vsf5dtvRscov2-|IP|UKF5Ar>j>ao%_HMR2rjp<8&h)%fY6q2c z18hHrjmq^DCfDD9{>wIC0)i&7FIp{bfI8d2bxsMj+P15r0QgxbFAy z@U$Mw^YZb;H}~Fbvt&nU6LSG>#+x$w?IC)Hj?O$@S7^09-X4%uDpxCY zJ%8N)ruQJuWUIE?>Ar;Ld#Crf!@BO~%H{psj||-QaYLYco}h!5mF4x`?G>0K$PQ@N 
zp)8e;37Y@)SdIK9rC$zhvdB^Ow~cnOdKNoP>>E)P;1{Z}U1(OgSc4jhG=e(*XmRF}?7{^Jp`+bKZgB+`9v6%agG zK2@Zn{IM1HO1_{Ptty;RXO0_3D&(kPgI`*PI|NCBX6o#9>mv~yg{_IEbt6F(w9M4==3kDHf`zIgKUE7yAey1plhtKeXM#+1tpB5C>q9} zG{rl7R4k%&9tzgK5adQ9Qr36DiJ|djwl)aGwOqz^7J1_0r#047_^k1|m{8{%9g=Ud zyH?7R*uVTCR+CVZ$?O`BX_#|~QgCs(=MG#79^q3L*xvs}3l>8-y>KR(Jn6N&dJSEH z;;|-w9(gG4$Ys7{=`wJ$*uJ}azsq{=f?g02d5aA%jAEDG-a$eD&xhogw}p|IY-Qwx2S$pr}v|0?nbjB$&(x;c4R*-gXQ#+K-l%2$6arm|Vq zR-AzB_#ug;Ol}H8+N1AL$l!tlO!D{&k7QF=BgsziKbI9><%?=kDnDDd>Z&cf7n@Aa6juDHCzHJB#eQoqfegF_J-XZAh|!ltFut!Ytat3o>!5k2W| zcp8D`>E%nLq-(OOnXb+&dGqE^y@;1;Yd|zz!g`*+?kSiwtlqkgo&b_ij8c8d8KQ2h zDB4mY{{vR_m8xuN{=u?=l)|GD)y#?`%0CN6Vx_b~Je4w%4TkW)$UF#Kwa*+E8_#}S z23sE(M28wo!n}LCT3No7U&umW9T@5r(E)=~8?U>Q2Ll%fTeWA)xbQMk8rnCjA}&=m zFm~Ub#@a)TJmR3y=Za4L>ZW2MYkj%gOBYO2(v%!F2coUQk*K#}DnmKBlrnxKwZtw< zY&I#?n&(cvbT7wA*v4*rD&Bp1?6hlb$LV?Fudmc&^S>-f=Q;Q zw+5s*R~0@07tX6&OOB>8)v^KZw}#Tvmr|*|qJIN}1wEW=PTQTffoqMOpW&dB1<(7_ zw;{C2*`u+Psa9K!+N$aAe4H);u#g7_pWk$P^|U3X&9LVwDU>RLJYM^QK*{9sg}^Hw zy#jgPL#ywXk=>&Nah3f}*Z`omqgGaghl2C4wtdOKQWa)|fr0Vu-x-n1vb+-x4T^2O zQM+~iwpEB>H9eC)xWC+)tW;|#7K*a)%v7pYUv72gu67ABa!iMake-ZBkcWC1Td0La zT14v)Aj>wIXKqL~fJ63x5d)T9Y6$zeg?z9cArq5}ft>6xG9~&k*00_(uWG zxY5X6;uxW6K9ok_;3J4S$Cz1}WtgG1s4LQIMJFlXsO%Vv1L}lGNgwqvnqxmeEruZc zk5UJkJu{kj@aWPaacNe~%N-q`U|9WBKkH&luXkSF7-i!#yLjQ@+&qa8 zd&_BeBA;>l2+iHLbUS}j5)Tql-WrCAP^?m~Z?Vx*DOXHi7LXi|cRAlKROc|4_wxkK z=GXGRy+h~paJpEsS#I9sOD6k%JhT#t#oBJRaq#d6El~m1OI#`;@VxcE`~$z`iR-mS zDxR0y5w92=J_-0!<++!3Gt1?w94fV%z+9a5ItQ=ZHr)I7X`S5n$G2kKtFM-LOSM|7snK% z=7k`rgSMOV+ToGN*WF)MOMsFLU?nT3Na+1ODmdfYE8S%UC$YW-o7PCDSMjVH9J>RQ zQ{zK(W43C4q;IsN;AQyC{v`R^QCB0u=XBc-F`fTPed_Uk`ku{NzqkCbWd(YM4n4ZA zTf=0kCjz1!SkkB0Zyej5{^qz)V8vAko!J7HtdXx{SJD&1>Uo3Pp*?#Sv(f_Q7L>)3cG8HBjv9-uSv0v zN^vn`U)}JcUy14Rnl)QB#%6wRgI>>0N_4V8=-lj-cBM3ex z_57I-*MNtE^5`^p8n4=*k}Bs;z3GK3o|aGX5BIpy0VI`BqFc~=z(_?5Qwhlx-mezh zchjFofAYKy5vwsaTJ0~Iz%D*Pkev!f%#GHaes^|G+Zr2`a}@X#;Sz4cbJIxWlg??Z z>&JEaCIF!c%a>h<(6>Ygf_fdZ){shT}dU<=t02KT;p(hgDzpJuxWSpm1^f 
z_6E(t;I5bl=nnLeRPJ#(!8r$ECBDDL8=Kf;c_SH8zg)Z4K9Ptvu%oeIYrvYiOrfg- z1MIUts2LeFzC%`8lqtkHM5)fQHYh5hm3ym#`P0}CPy;&y9pRCI>A-`d>z2I>?hsBd z2*x#R&9Hs04M zba4_j-vF^2sRX%0OFGVNmbHh$MQ+vUV@tZ6lac)2WX!U)*k_wc{eaSAN=|a?6Xl{W zD4NXm@Ul7L*fkwPlrlF?xGxe&l}mO89Z*Icm9yqp2<~$-zKS50y06Q! z!;Q_vZ2}n+nVo2?oRz^23t06)#*Axto7183jN%T6I&&C zj8Y`uSvk@ELcCN}$#K0OaAd+YcfaX`mukhIAyB=t)`!-4arLC*fym8uzxD!Jf=TucsNen06B+z+sUVLc%qNq zSs$x&wR+%L26VTLNIsT7yH8%x>>3qojHr2jm6jYmx)byUn=|a_uL&Ac(_aybV#l6Z zM_sX(P3`YyN1D$LS0|@a2_tvzUp_BF!ROO6UaK`-Md!-b4H}IbAEb}stJ&0i zksvPTPDOZj)ig56tM*S4q&@2Uhm8V0)-IuX<9%8cYp>B_Zf?y*gUTFIMc@KIB7s3X z5Ir00vOnhi?&u{Tfb)zKc{)G&@dJ(5UFGDFCER*raDwLj59n5(?mcRYdpjr=1dFcvj=Tv}S&NaQy@O)7e|m%#zw-&^kA<4Hud zr!Yd-rco56FQPHB*x{di45tv-K!#?-qAzAW8KSSe^^C>+pzy~3eDJiAF1+;T(U9bK zSPQATolIg-VEk>wnHg1UN6$<>1ds`WKLh$qC;Y(7E=oU33!(3$7K*v)JQq zs}@%jS1z^nq=ozW6~x!{Zdo*UT?|%!MR;J^EYO%L+s5CE94BI3J7;s#-`k*RmMiXU ze_n-1r<%59XB7!9H5tw_lB3V<^3YA;)iKa<$d!V`40D`WE@669E_RZq3maM(FNR_6 zNC^g+qk~8-v84tTpQZL+vX&UONk6dLSH1(<32Pb8e>jY75!1yP@(P9NqfWuc@(yOP z^g*2aaFkH(niD$FqL7d8a=fZzxf1oUrvBrWs595hBN8w3YYkqQoWT@mp0H|AF7+qy z?n=tG<(1v;jiw3DdFRgN9Eapbwg*;J61f~2)LTlSzlvP9x08SoO)E_$oLn+n?D8*5 zP9_Bd@1JKHcI=p$9eCsaIkFXM{HXoexAnQoK=$|)nou%jA@B7o;}6KcPnWUq{u8_< z0~n4B$Ast~{ej0}wina`(Z&#Im&LKiRMZjK^0Aaf%?Pac{t z3pF5)M3_QnRgjB~DPz zIY~WiVj(Ir;F=NY9gYzVLzBT~zhZ`lN^a0EYP)Rq%~L^+FKF&CR-YiA$`I!nr4g=I zq}w>xenhdbj;Nl&H~AaouZ1poznKZ=fSLP(7vlY|N zXJqIy^g7qoJ=)+^;gn+Hi0lS4NKEa6#a*jv-sv5O$YvV(slETkwJvFA9V$nuaJV`+ zkprcCrcx8PhkUT8Wqw}EmmpWKXV;%pvtiRdN$+R+cgv)d8Y5@c`5~V@U8LPD(DF5x z&Nf~P-HRCP6MFqHlpaE4wo+SAEycb5mr|m<+FUurAGZK3&|hozFxUUot&|U)TKS!0 zvG|9zOv|%+=}Od0Pdg%H3Ed}R3P9Vf7lp<1b)1|6fm!OJ6HvP3eL#4|{wf(cC)Je<|XX75}S zhIf)I$I{Mw#YRA;oL^Sy2dU<|trl(5_AP&BvSZLMp_lShyO#Cj(vRW4c}9Vb9Ytk~ zG%mb>j=C4>KTkW~&}`hitK!Bn`~q}~`q>l5^*Fb7_YlM-j*3pA8s380=|aRVnuI14 z_#lsZ=sA4AFCz670^zdr4RscABpp{qdT^|$15qZVe@y774Ej$Hux89A6&RSvhdPSC znXYEy@LBg;+>-Q|wh=N=_EC(}cP8JN6}_pF1qI)A9S*;wXU9cIR8Hh%>}36N<1#Z@ 
zinYlUD%IrBe#uhFn_Xjwg;G}|dq5A^7Y|ywO#Ev0}T2>XQ*O7zno%Ye2RKw z@7IbSD{i{BhvoR&z4QoDlp}Bpi*9Sf-K@~GP?1tjqJ+?X4bE!aru%L`eON{eSG0y! zs-`PzxeZ>kVf9qWtk0kXAzE#~DmD=^92(x)e#q5pom2j7B$-7jO&0^~_A_p3aOR`k&-5K`ag0vjdev<^JI2hwBA zxM1;&oFz5&?z257R@5v%mJ%vDA*Qo$0HN(@w{?++HT6uIEMz@1z77K&`>@>?-Ye~f ze1J9Af%r+7#&6sy6PJ3?i0zF1b9{0il*!AKa4)3+;|bolznGL>#+JOW7Buot-R@AG zwBo6Xl{egQv-_9}OL5eQmFCEFdk0R!{<{11_?^)Si}yeI7;vn{+Hbv-?w!dMnfu}S zPvAJP%q*HM!J^$z3|q#$t5TwJPmEGVN?Xs?b;|;U^@66cg8%84CW?+4Nta`d+{0~Y z{n&q&8B1?CCYq;i35L3o6673-4stmgFG zItC7hiZaey4@!O8aq6%<4U@3m=HMyNmSdMB2MOkJUzL|)aYn+O9E?;*Ap!n2aUmSs zYc;`th$9MinFCP?ktw8X)8GF7LKcW=&bR_1Nska+azkYhJJM!pdaebyJAL4& zd*ZmW2Sn<#F^ZyC?@>C5{>lL15F3*E#nJP-KSl7Q#;*pX;|#)6%{pM2&3LV(ed*Bw@B6ETzKgDl#jXBGVc+=$9zUdanO-#gYrYLVs|#TkCO~G8K%|Zwq-!wb zfgMu_A1^_-h7og}Fht&qQR&r&mMt&2xJR}9h(e2=@YERI6-{TA{E0iRH-qW^dXVo> zzIQd3jT6zphRfV52P{H|J25T_51Yel+ckax^hWDwuujd{%*dtZ^92&!H5X=^*TseI z6ko2E+1wLut?n=sTI&~cIsQl-$>0y{!9_wmttBV5D-mf!xrh(}MjkS#RHlK!%E^lS} zdM$c93t0Tim2;q79okLHRfu_Z^gWxmh$^Ax8YgE5=8VWjr_fU>u@?-%Q{Z5#C(1IV zrA49o<#_PvvHqh?;XSVcM-`mE{lAXBG=#iI>tB{LD|byhlaAXyLsKuk^|MUc2;&O_ z`d9PNGLy~muG$dmXwc?yr-6lQAqS&>r)gmxlwuz17gBCGo-hH03iq(Dne zFFmXH;Ur4@io%qlJw=E2_SAto|KI~yIXs1O=vYn`qr098x#T>0-Y9JZp@}$iBS-Lp zt$%y-G98dUCtC5FE}6*>S0idX+r}0Y+C58LEd1yh!@%Y$!wl@PJo`6I5n<1zyh@u!|4HTR0^{j~~A<;*qE=?cUzqgJo;@#L&2GH(DJoAsd{2OMjj%EyVZ^yb z#BCkZ`g9dVgxCr};=0?85E9Br=w$Knm}=M35<|DZNz#(0fB05j<=ED@q2OJ(zNFe0HX>Acn^BJ9a@aNYV!U6s6{O3z<1mk?T6UvSv#4vb z8}S&Rl4)SN6DaM8xug$Pwa)3Hl+|h>k1!m>UlMPG zT?P!@sTqzkeT0#Y*F5R=8ri0V&AydXp8K6x^VHq9_Sh4hXO|;=ea?JtD3tpCN0$7& zX&>?fG`{QRMsB%GR!G$>Amo3vl~v7tZp*OcAHS>Ug2^M?hT-JJ*NT|@hxee}4z0!;0AQ=mVOodlz9yrH372E_Dx+AOod6_JLqmvwGFxI}_*^u~H^EHLAX20)b{Yl?`XwCX za#Ux{r|t|g4{%7!_*SYZQZx$OE6Lx7oUv}95$RmgRmkbKw)U3?bicjlyTbMfe{I#z z9wpl#QP7#&ZE}~t&e>6tBJ!Jhgj3uti`zwDh|bH-{K`I2okUYHKr0nt*0C)G{SBo| zvdx6{Tqd=#zUw_TV^u^bt_0NgT{e&0Rubt`xIRqMwFO4M1TKMBD5*x~z_I$!>}vr#n8C@BPLs_5*M z1ilotl^P#eomhu^J(2o;e(V-by0p)x)Y|Agw(CGsV2mfwdv*?5#PR=G)Uk!yxGFl( 
z{Yd*j;t(-s{c_|)%Z%Y%(R=AJ7B9Gm89gG$qSURC6SmAxc@8SGL+nk;<2d zr*v(RkrD3wTD$VkQ)iy?VDM)#Y2+O)czf1HlDdtM^oO0~%HOAsn{Q;OU-KjqH5~kG z5DJ~}y-j9<=RV55%Q(8XL+4D1M!{~qLRil9 z7B_I0R#{fdBYESsy9mkksEyR3y3`RlRFk!(Z%ZcHnA9dL?Jw)^+EcxFhb56bna|%F zyc0z9#b$`UrPf7`Q;DuxJ$p78KYZignj))fUXMM{t8}QSNM#D;EF@`pB6-em#Iwsj zC1;a$<7sNd0)}uOl)1txxY=Js08Y#zJvM9+REAw9XxPDofgDZ!vx>}Ve; zT2437=}Z$#PF6%U(IsK&G4j_yWmTud>MuT_>01*#>2X$3#d9G1Ou!VLZRfQ$VA5*4 z-9UapFn|uWnNEE}s6@_2ImlyM(kodxlr~AMtmXE&lpF=%`FX*5`F5K>j@K=fo zL3U(mEy`b^<*)2t-=nsVmxV`9uh3_tm{>4la%R{{(O_-)%GF{_p%o{d>y-TgZe}Lc zOsrnnm~Qhq^JvMy>x5Ff5*)f%bJ&G-$#yO6PBt=|{N6reG0K!4QbB8&Mmx+zIIksz zMNm}d71CbW@NVC$+LA1aDJ48j)Ai0Sk0eMTcHKt2bG$;MntCI6|GVPgL|V%rewX;b zcJ>t|k(2foVF5POvqyA*f!zvbkr;ids@DD?h|5?g&PG;_9bidrgc7xHL}XS~IW3wK?@ID@Wi{T~SeU zoO^ewYu;zHej!vT3s&VP-1a~oqRYFN=}HQUkDet1D`PR?(pG-8aAmu$ceE}JO1@4Y#$Alczw9pH_=Ept2IhPdH0+_V$e4x8`!AK-PVSzjC57)WKd z8@DNNe^lg3fp@MfF=c2u??Q2+)r4r~Qr%K{JhUX3|0edR4Ba36V7c9O9~!U_mt)S- z7OWv7R}@?WkyE(}Cpz^Y?AOSj!RQ_NLDQk>QuIetknxf-zS7N9bIq3YyZRp`%u*|X z$}!rNnRi-;mgHSS9sPpQ_vdZFD;?%t*;x*xP2?K0^KevU&Q#(Z(aKStgOtP{V_1t1 zL|h|E#>I0}K2e+BflU!zX&69mS05#62Fe}xAYew0&F%CL3?()s=kCWLulHsl8eBll zuWYHk4wUcILlbPeOyhX`@OE&mnuAz`3BvWv+_LW^(AV;4nfiUX79Y_d?1L2v>P2pv zmdLj8XbLXfOs#Xnph|DR?oaF$7rZE#Nvae-CECI=Vj#4t@Xh!|S5&9p2Yx7y4gOQg zgEE7Ou%Wh<$kx(aE;k+Q)_`TI2mSu5l%{~jW*E^#62m;=k%WhX%AjjQIVv2(oc zUmrPp+dNu{yoNX)Pcw|nVtKW8d=?O%cS6IHUM7R8N6R>aBfut8&pWR>E=&hmjhdCI zSaP-KL0H$;G&^+KimI2cB$7QfxjH31wc>HJ*n%D2Qq#CdY9^kZ;wY-wy*ZwMwpb%d z-bh1~v?h{*WXc1y5HfZD-g!Z%L|OS>ILaL%H`6g4&UUL}C9z6Wt2!F?idk>xP?2^S z69uQ}d`x3YwYhjjq{n+Sd2drxnQk||Lx*|L?vxrz8W6FaJu(V`l-94!)F>UKEu1;F zbTQZu>Iyz^Z^L^uODsA`d05K6& zF@Mnsu3CD0uL}hzY42AaNMF#f-K@OkRbsxTAu3FQ!DKcLZX0BIzGV!&jIyG6PhI!i zPB|+!75UAGc&T2Zcl3&}xg-Z^dv!yI)-bEvRr!{M_d!sF@lC3NT;wak63!BoMRMZa zR`~&jTvs13`()=>r*3sBNLU6_sbQ26uHYW$$ zinf%MFD;A9jc&;~VQgkIA9%{V$hyC?j`@eZeO~Ld(QjiBV`n6UkGj1 zp@}T9e5z4DdwTr)8g0rrJ9Hk!k4=P)g6_bxAliA)eJ#nAR_|-!wiTVm7D1`NWQpT} zls!!=C9KV(+?iHcNyT)2(PeQ_PQO6tI$ABoC6^1{M9X+ZAgq-{xZMQ# 
z$UNl0+TseWyXSvY+;_?-8h8F{d)L`kbz*{YV%>+?oD{34FP`@h#dn@p2`e^McH3pd zTzWnuo>fKJ>wG;iL=qUID$tSl{t<$E8NNoqeJ z#;&QcPz{_V9(OHW61W^RiyxAYM8J8`f7}y87D!h4Y##R@Va+4&!+j6$@}rO|griT? zZ3FUR`9H511gB<0o1`}RUP=+x-yu)FO$XAk&>a}3gtUz}l;Sco#*td*n>+K!qOVQr zPPU>Lz)ihD9-y_RFx~De?Pski`dH+2D1C{gP6rdCxTlwn=lqToTXOs~^v3omj1~iY zF^%E#*ycF;QHfzRLxBm;LzFG*d3`)hF3x!YsWx%WNSt)mTn;%yMq;f){|W5PN4rW6 zkSlf}eX>c!O}xMqldY*oNd43?9pIc;%X#JsAExEKuzlho``-xcd>;{#c-jk{H)-}r z+T_@MS8%<0EcLO|yrGLo)ABkSM`)dTtG<|eIWZv!%_-H-#@gpikSmlwN)-uSC@$#|Te!<% z5s^JPGy$|)M$*b}`Lv8Th(xa;iFB%Z2)Kbv&$cYc0tYKzs-Q#C+(g zmK+1K08?eR(&)Gzk_fbx8yv+WxJvJvUew-EuBn<5ss^qn7RC-*E4C9tu`L}>v_Uq$am=-b#$Ejs#$>t;K3PHy% zGDnDGOB+^jB{E|iLicwVb2l1R=Ax=hd<7C-$J~91x$pB|Q6Ni-Xb1W^;cq(D=xdQx zAd_Ls+$8FrWBdd#{70rEj0CAkS2!nC3d8!}hVE@mKRS-iJ_taV0k?$}k%h^SFP#Ml zox(zEaOKDz!S$Ut);8g^+B`ilM%Fb8OUTy`5KnbQjMW;GB*Vn8gJ!jasB zOiTyww^j=*IgAsVi?V2Bl1VOdW6tjTa~F4Jb6d5OwtlC!67>ZQg|tAX#AL9w<;Ek*78 zHZCv9V&Wa~X>-w!gp`3i(d-5VoK_=@BnUW=u~D2?<@NK4205M*aTzLQCYW1;h<44~ zE|J8ZIJxB^zGsMU>o{_J9Rxkw@3n&iSu0V^qf89E&E5{y&sD6qnd|&^ed`dJ^`p=1Axu8?aTpcx~LzCQm2E2aKPzD~xt=O2q$1}bz z%sSFVNvdQ>M%)P$x2g^~Rz;O!Q| z8~4AJV^7aVY03etrkR_(W@)$%yK}f1*7P*9_v3scz@_ctfo>L?yU+EJio^w`R-?G< zl(@!;?sJu616v4u*({M-&Qir@?dEqENxD{=uN;)h99QOngY6gE zvDiMX*}CwH;zeaSBZ(uGBoyw#gI9>o`yi?-OTeVQN`yF1kpZ=%m*w?VK^yG7Eya$4 z+b!6al!V8bY7g71C~q5a{bmV^s>`s~bQQpQ3Pe1zgP3+QDNQP=Qys;rm4r|#q(N+J zy5v(6BkgS3_QJYwJRmxa1ovI4)oVaOZIQ_*&%HJXqax%uxfW}RKjpkrBQci?&gn>w zIXu88E)j2OtH*n?7-yBr^>8UtwC8Uv@BXc1=7h7-$aY zSQlAP7xdcWySvwTLAdahofLxqSx1EFc<-NvWSI@FV{HniI@AhhX8eJO#66#vm$5VE zRXBswO*(SIroQ!R!z!yfN7ZyrXI+<&f>}M$DRE>?so`IXpLKrE*IqmNv#1;sq>xxq z^s&7xi#}Yypls6(4Xs3ewinw6mc`Z8$AYuJM7+qoqf`X$6S20-y{(vH=5jx7UWqlO zX|6ofd7^l&g-Nb{?{Uimtab;)OWL20wT@#b*rTE!8|N}Rc!~`a%*_c))WPFaSh-4f zSb;0m;-m51G~h&?HkXpp86W$O^gdEQy(nFAfGj7QJf^W(QXqzNsXz!!8>k4Z~9oCH_VAgPV?z}#|h%0UOF&Y4psC~2&-QkHGs zuu+~iFe@$}l_64`impxFGA0$eD=HNR$|Shg$dNwSruF-hkhLyTEtNbVW-+@$kZx~J zw~5Nl4#4ZiX<-J?J4`0UTvP4cps#afJ0(qXq&lAIL+V+A9c;J$alH66v?-oJFWky! 
ztSEpRGQoLwEa<6ANYZUGQ75s<5z|EYnCkMcOzh-Z6|h)trQ3$j;1-XQce*MUFP&CG zqQmMJAQ)cxvxF4TT|a%Y+cX^~t3Yr%z9U$;*7RUx{z22k82HBKa3#Xkr^2fE|ou1v#>P3qOY+yy|LFV z%`N+Ub!3YHVG?r zgVD&U;iKEjqs`vc+@ z`Lv3>tZ!?j7GMG2uiPJtvBP^nt@0P^lWsRRrZKntDP*bOcuZSNsJZJvpfp z&C$jtyKPohv6!wL$Ig`=Na?`d2uST=(oTdhqM{ zx74MXG(Q=_)LvuXy_>xSs>TU#E%@e@37iBaOS;5$+_jQ0;~XOP!puciwt-{o z*LCErAK6!vUHf&0m0cr}k(*z-!|M084p%~n(OqX5dg}U8Fp44Sv(bZ zuuIQZdPhCDni}`I6W9tVA>FcD0H186id;i81z2zowK^?fOxEf=^pZc@1c75TJmY@s zFP|IGN^SdB9L3p$P8&{eZj5wPBUuz)6ugcZm*HA%vZMgy(_nZi?poYY)E-_LPR-Po zCuJ|4MGh)z7X?zIWy6ap{5DI0nyiok=EfJc9}_)HofNV;Np4+ET@`TGUpMg-HDl_g z)-Gd%Hp3ybYA!{Lin!gnM;uttS8r_2UbOZXNnNSz3H7@Y&{fN`w?HziKf39gp8s`V zU*xh#gHxD$)K{mqg2-}GqmNK@VJ{j&FEqF4u$0>Ex@2I_>6Mpm$X~V02SlP4_=h~p z0JLXWE|kr7KgE)0bvgDhK;xaN$~U91aYuC5)6}%G5ER$WCx^VMFR?HHq=KQ;aAUVZ zFWQXGvWOpJ?%34R!~ap}8HYY*u_u(`&q1(UE2hTZ*>Hk8e7)F#Op3bLTl15=-ssRu z{_@5tbkdL>mE6fq)0!2uTe-No0F&=YiMWb7I$roP=3XKYn(0Wx6w%_T~rL>9s~zxk6kZK^-y3C zksX73u8E2#t#iBCZ1#1ljX`jzY#O$&r%m4Qf*2InSz2o2D*+#^-)rh74GkT^p{9f& zTiwhziSM0DZeQSfq&q>++2T;&oWM*}^U)J7^46N{n-{utQ8=lpTbvLeU0Nn8JsJAk z`?%urxW~}&^;jum62Kmcu>En4V;o;WM=4tim$F|0S7UJ)&tUg!f@6p+J$&=<_-dZl z?=Ss$U)bZvEKv7+@v?oYM?!>ij<>+3xPvE~Ai=glV0p_Jx~QvXQ#8i0(w==QhZ%PM zao#jdgi+%(z|bR=>81<3Y;)B}VOdT8|io0TMXQpGLC<-4}+*3P^TFEkVbNN`@MsEkfz)Jr3 zdom3F{9k+D71h)hwF}Y?C?FzDnt+I*7ZK?oAWZ>-6s30srGyfCq)TrBq@#o;0s>M( z6{SdMQUn47q=a5W4JF)-=bZoLALBm!WsLi9Uv_qOvgclF&b7X8&AHZIGn`@I%Kf4s zc*t|TR{?P%>X^sGmn_GXP{c%e2mdc0V>D3lfj%#%c**iO4`B9IQ_qObr< z=cnQ>62`YP?94@rm|5l$pC0M7JHnd74KH+QOBPI;v`GJQIdmcJ`y3O=AL2G3103az&;<7V*p4WRSJ0)%JQ?#4b4?WL^U?GV+UK`SWz#{q!Sq_dZE>=*dA{D<&41&4Z28 zgQVC$P^#9YHP>0t@7WYgoO#=Mpn3-zV7vGm`e_czhs7+_jh%H-AlRM~Yaly}vFSLk zmrf3_lQf7$nfR~MiCEJc7|z~0omKl-$CA(J!w7SX&*_ny{cG=AAB%LP z-BR*;c~+JWa_19d*OzW!^^?pID#FNOA^^F@XH zI%PON^Xy+7Fnd84snUD9g?d;Sitw&Ch%8huuI+OCx;GNa!W`y*AM(y_&;H(Dl84&8 z167basjj+qF&cPG(bL`J+@DGx>A>dfrKbFz9QF}<`4WHV~$feA*hzN3xR$y2NHNJ77t1-=mqS@OJj66j&){PJZanO9wf9{Q!uX8(b)#53Lq 
zZ=X9Fqav+@+lsD}rneOo6=ADz!Fs%FA?%bReht@U*|W-&#Hk#IjGx(NUsQj?ka$ZN9;>@4Qq%-#|%)Fx@J? z*T)gNz$NmG?<@Ui#&r;#$0_5xBhi?4h#q)D>4F+DZ50&?MZH|Hpv~hEGTD2s#maZArVe z*Uat~n6i1_5?s3ICKWdUT(bw*N-Ec@PX*T)Sn1Fn#n5PirSd8~UWSSZFBQ=bPGva{ z)VvGf9m6IK^A-E|6+yjqcI7~6YT`wK`FS^QNv?5>rTVovX>hm)_pv``<`y@BiUhp@)Hz;Gj2WA7x+B$u>`Tu`Ifu-J{Q zgDd*9{Z2zGdC1DPw`N{`jM~UY>51!MU>#Lstc2oYzCdE&k0Dj4HHL~Toi9?m@~;JV`h&jZ z)AdrQ3GN(+RtjA(!XE*}W=#+W?lS{{v@L(nu1aB*$VLa2bhs{+O$u()`baH&k2*I{ z_CXgWNM@U#{c$}?6OIdNw=A(}f^dvFc4^NocO*A%B@H@M3`g&X(kIutle+H~<}G&n z%^JR|n+j!$-vNv0>&#V)r}pg3&!7+2SFyC4c862Ag%DdpEA{Z2?%J5TL4`DP5gZEg zvq{9YXt$FfV(iQPbjZog3wZvh1~(#ZE=_sXrCb4T9BsC)pEIO-UE?>%N^U*V%O``xew?t zk-bw~J4_){<1A`;3JwK9hqmNyG5e2>%;ECyT5R(^EHNmGpWl{Mb1v@CGFZ8DqZqJ| z`#p2KJHN+$v97*4HcU)tv)w@`!RcFEMAfY=A5WLjhxds)-RC0JQ4(w9vsH8hVZm!L ze8|Dx(jRXSQ<3D${WV2Fhf_a-on{}Mol;`K(5bIwGM4Y_wn?Z(uSHf}lNOcId7q7R z?x|sZD7G{3{Jv05xJ@s0jd2M-dr+!w9z3lmbqAFajpaDVGX-*e8$Li`H!oB<25*M( z>_jiSQ|z=i!XYom6nn}C%mj-k*b(2UiVUuof!?aWqxbHS*5mJgpCW)GA(p}KaD#-I z)UMig=Gj00f-}83cs1UNH?&|p#XYJ?gUI0H5S<6nqda(S{tl|6wxe0M1#+2E-f3=# z(OaVFuSGhFXjEVFt0j36N|$bxicNnkuF>Nga;M!Qp0`D6@kZ;a6FQvL0_W@T{l%gI zA`onT^{<~H55cx!bfo*;Io498%~S}v8#RfZskkGMM%eh*hG%h+c*O($FnD}~Z>NAm zpu18lFx@N|>@#BbAcGyY*XxeoX+LY92XoxD`J>dY?1HO27B25E)2bB9vNsc}1raeM zhTZgT-<>0o$j93r3~bt6bIb}S|AK`KuMD+S32j{`BmP+mE+E?&%L70}y$K?!_3-Bg z3+Z&e)uHMY#j&GUPU8`Erb=d>#Ot!`%YyqW_p`M<{f3(7itfD4Fp1=sEXQ$a9g}ML zkOjeYMc;AX)#y}Uc4M{_wT6LinoBeDCg9q{H$e|bDD*?GRJTbv^5ql8js0LrtKDZI3Hm?oYdRM)coegQ+zBWz~mKda*H zxycNfM+%;uCKAVpu8~1U8@M=X}@%VSJ8l`Q5UG z9yo8V2-wt(_XC!h&~xe#uw?73XkCn!bltLI74PK1ah+|Z)eK2HV_^&77j1RtJg+gf z`Crs?DTdR^nM+?T!}T6dpe zwm*>K{8ZMwYgA`Wh*h+y^Rh}w*0+89EwV)WTaP^t-{@VsW`3F2d zyCQH3N7bWpP&pw^8$Q@Ua3JC|ey{(*&)ky$uFcOV?SBn-vjrE_CE$=qCn$}{xhC8t zQTocB*CV4Rduf!@2ayb?ph@L}DY#-zw+`F*MM!`_bI=8Oya!KXxiG+uJ8sxnOVyC0 z$g`g`c0278G>>A=Zg}`XNKD@?d|p-63H{=|UL?J)_iujnEQ5x(dBP`~}0z41?19ZQdLs)j~R zZ$&MG^SQ9n|I~%^Q$>~|6eiP;LrgJsJ%Y7*@r=DZq}YAzUw`3h2%m-VmqLH84TyPR 
zO|B#t+AS%ft)Oy{HgSkH-~$eBLdSqLiU8Pl66^4gt9v*kEYs4xL=F{CHpQJs84pq( z(i+z1Ha6+8|7?lsG>J&(5v?iLU(^6@)QhxtdfQ!bq?TW%A5_d^PX+&g^vSxyQ601A ztmfJ+cvuc_Bd;LlWNnUD-{)?*Kjh?eS|xsz4*IaVx`wX-1G5^?aV)RHIuYVq0PJz- zJi@~pq1nV;2v4Ye#=s%Jtj(Ylz%7aD7F^M%Xte0QYnK+yxF$AV#W1@sC?Qn2p+Tq! zwYRB`_VvefROeL{dHs=aG3v@yT2diedzaLjAw6Y_x*LEIJhqXGHV~q9$cF0cj~!$i zski@98+3S5lv7>}wI)$H_9ZKCo276DNm#v8n99u_@>YyN8@Kcv68{8%8h+rKkG^RG zGzKCEZDba^+4&*`72Ro&WN{LZ&#*>J8~+G%o2bc5gRUl`6PA?j`)RFAweaQn>0z21 z<=!sINQZg)QahkD^_EJR5D-SYSI_FXzf$~C?JUsxzE@2OtKc~n_HStlS(#wMyVcfn zWzbtfIC4u;2|^hjmYJHZ1ZFB8LN~lz+=ZZGG!vuH+E&}-ho(V$5Q=<-dt3e3)gBMS z)KRjO)yF3^t7TQKJI_JMAD9rHPWYtfJ=|y?@sLIy)g!00Uh1E}D%(bwNP~`(2r&Sa zNCZDg3I%CUcWyOm#!9PkM)aCM7M*()hK&rJ0Q+((&5X7h7Cb`MImLkjeQ78PkY8L7 z%B>M&`+`AWM27?$`m#a*%}?{}d*d@LyimhDT;U{3$x&&FkA{vvCuN>KB)}LJGV3#2 z=EQD@nwpwq&w%KShQji9V}gP_e1}X4U*_a3h5Qh*#vul7q`m5dd<>2729mWNp-Qj6@ZWh14*nw5Rv|?8KgtIEf5t1ymF^2RC zoVf1xgS1pn3Y2#)=HZ^Pz(UV0t^cp$fi$*!EiC$7?=(l7afBm0;;lhXOp0Tw4m^d* z^B>6l*!fnv%p=)@Ue`#s%pO{NYXY*NttVK(K9llnh>eW zGX9(ZX55fzO5iTagmGTCcD_PT0; zoS(}}MwUmq^LExG@#(U!&6ae^p{@Ba`bB}pO-H)sD`msBxy4#?ub=_8v{@OC;iV z@e$(V$JrQyY?crE|K~z3%_{VUA4`a}aa0Udw(p zaBjZZ`rw{W(zMO`;Kwl7y`)7$KG$XOl4_*69x(rmX#sGS*XD&%@%G)N500bo<8d1= z5KN&SsTtbCLRxr4QG*lI2cwjx^0%tDM)VjVnK$!`3!t?p_(O{$7I03^!mB}I-@LDj zN`_pVu8qb?P~WP9TXjSxlvSPmRmNTwyK$>P=<+xD4}P_av?Eo`VgX={rfX4gXk_h; zkhLg@?~YZ^p9qVJetQ$nowyPghpqPf`KP)Csj~;Jor&hdjp~iIJiPfyWQJ!cYYu~m zE;piMkQ(UO`q1>fY5H$P(;A8J95cW+Y!qOgE#Wde|94n&z7sj`Lk|W&QLNB{PKebp z1ra-hJgf^0*lpM~sOGbg~Q3CX+h zE9X!~(u`Ue-sVl;qFETkd)YFQb3`$cbYGWwWC8eY{mLC59X+1@yRu@52pZ0lT0OnH zy)LP$(i(4yGP8Un={!@d#QfOF&hC>&&NFl`g88lKX_##9^2Mqs#xg&;1vXY$jxh%l zQyM5T%+U0l_<=|PnWy%fmqt|wEQ{RjP+5LK3Pw%E34(a+x$<`!zQkEZ-m18*zB*Bi zTq5Ot-ze|~IR!b(YV9HsIhmQt!Uxh9plfa2`8sGYXr%&VR`w730@la_H+(>5B{RkA z`sHsrKFH-;=eF-nU>n6U9*jB=0MD^v@`S@n4EO>q?g%hDM323wMT4222Nx*#kKww# zY^j5_;oqZnK$Zl*QeG6aWj2dsk}KWJZ-BJuijzGwk7wzb_O)}Fa6 zz5t7=ub?pT*l(#d$eFc|NWA-GV~~T9QJ#4WPxuCEXqezZK}Ht0tEi%)2Zd%f20z(q 
z7a-X=rr?)a67cf!`frLbEcW9~?ET0#wkTq!jWg!OR8&;ZFA22vj;U(?XxMy4tzn?V z&bN6J8;`;+%*8-vnzZilZS`1W^U*>Ht_^*zB{*J&;ybKz|blHygI(8;(ZhfX$#ec`ES%8 z95{m+V2{u7@i9Zx(($pI8~r6$L;DpisK|D5a+1q$C@fS&@;sQ_X=|tFv?W5* zGe$w`8;{pkm&J2U)uMyNFcrZIbS9GUI^pR=^76@cbO}m35e1@a6n^0=aTo&pZ_F0w zKnW%%+XN*{d%saw$P6ii zFZz3=Mhn;1*Z)m*A|oRkpPN%>Vq#jAKC2vTWDATLc>$Dq_D2s2N_R%lKItYjKKOafcRnEz%ZuElu%a#ezG*-HMb7 z?(Xi;77bFI;u@U$(%(7f-VgU5xNF_D_>e{3Bzy1KGxN+dvu9(#*3aF=GV{$!pK${{ zy&hKN9IbtFkL>X45(Z~K8X8(+N{WJjfB;GeBLlrP2{#T1Ewj^=?Ao)DSdw@;79U%~ zcO{$|f>_~OCd&a=I=1!R&8?cbqO+@*_V}QV9+APYp=DEOks-_pL6Q{*^k2dwb-gH`TlF7m*tck zvyst~B2R_WnRb zyr3@9Ka-ZiHdwC$&`foG&2Az1e>;d?VCIr6p*}fkt6p32*yhDuhUfzI0l`*p8+A}+ z3x8`rVy^_^tQB%PFJJvR88$BSATyrcd%&@#R+Qbaug2H#wCj_+lWdxb$Mv@lzU~#T zPhMoq0J;&*^rPHg>_hCOR#tlkCINFE*sfei#;@*0 z>VNT{9}3Wa@%YSns0*q;?fh}N_ImT(eD@RA(u2b9>H0w1mfW8G6wKbMl^%lqvF$fC zmB}xr>~jAcDW!|J$-_>k+fMjoNLU`27nlq^^;nX?bN8X5^gW@1yzfIOK5uMpInq#P z;G5v(u}#rob;Ef*3#LO&#QZX6veS{KMr37LHV=pcg#*=)b zZ~I4?y~9x7#>^}joA)ksz8XP-g8zGwqIeLd1uOj+8uCM_;6TY>s9O7)c({&%IIj5#KY!Jj5xp(Z=P)ed(LH<#oDE}rDFoO4Eu?v{ zK@f-jY#D1A?TLONLIqQP&?~)hxk9QO&y#%7Bt6|oVfN~RfkfOmQRruD28 zNvc@05r0~L%sF5r0_E97vgc437ke+rMi(9ji@s(C)*29KxfsNLal)Q4`I;W^MCl;P zuy$T-?q4Y1B$m*gm$R=LwifsMV}gvmI1%{}FZygEI2BNbCCSZRBQME48tyT3aC75Q z=qvR8wALLNa+<05J@{Dpj!B@aYC3?cxDUbnZ@wtXg1Q=t)Z9V(`*%h_e>8x?c)%_| z2o7LTd3+p@;G+PbWX?f(vP9A-i2#G@{SKG!j`uY46~t@@&980SD#r*394wWuR-C?^&1no&GNMrgm#RXO;*d35CL2wjJ4< zN~$5q(F3+3ys`|`W3{D|;qCe=us^1!LbrWO?ejpZ0D%$EMRk)(dvf8E0*c zEPfyz7(`EY@^VSn>Juumfkj>>C0ot#e#F@AL$2gufI#>L4oEdJ!Ox_8%JEl#H%yWp-PfP1lqP?Jx8YCOjXzSdA7mk<@%^9jJfEtSTGd5f#@BK-o$`+)AR53ErZZU>qi zBV4MS>b<&gw#)0L=Ju1*;jE%=4mdc z{q4t(d^LkQ7e7moTdgUhFxvc7E__|4*C#((vv<3p$>9?M zV`;=aMlwkXL6L|6@&~aGPBoc39_ZH#U*m$wodNAf!uL|^7(f;=?Sh~p)e8&{bkh7p z%Dd@NH5M$_v%+g*FzNN`jWAFf=!w15)59#vZdTNi@^F~+8Iw=9?@UYsArieqFcWq2 z;f(oFRwhOT)d_3uYPMy#6atQzPH=w;NGsC86X@KLch&#v*ORWVXuRU$oQRx;AZAp@ znc^ALfc2q;LS3>5xM;oQ4)}t^w~^B#XKdrH%tfVoqbgCxWz$#33@F|Zpstr@vWda! 
zAxI!IygGfvVA*=rt6?ohwW&g<@uJ&jQfuTOE?F1!z?{y|Gdn^3$QpML5BJ`+O3Voa>sb}o{!?*uDrZ~FFkVX_4%X! zDN+EK@X!r!rA5T?$q8A2TJl2xIo9vE6J3SC1FR`_z-N}_!ZH+)Ul#{%dQ>KXi&JCH zU(m%CW&hyqBgApUzM-DI$TuhVnCwWZm{b?9DU<6Cgm2$d6jPSB8t7c!m!;)`k{#0W z4&LawzMGpl5>f7`9_AEJDz{QoL-DUh;l8X-WYoDiN(P1To~Tjc4Ph3OY8>Y34(c|N z9JJl`xAfa-d|+f}W@3~OJzy` zc~?VhFw6!rwZ-kF47im3CF%xr*%k#U@{qjSWF3|P3b#fT%I606^js=Fl+UafJNjUr zcOXJM3Au}n@DrD#MR4))VtXi=$AUfI>X$ez&EQGmz>+unY#fY*06WLt+A{jWOHk9$ zkP^6!Z+vEk6!p7*KyXNHtzbk%%$GC^br)(&&|`^?p_gKO^Uk2VUdnC{4MYmVEF_e~MAK+Q zk^Uo-LA#AJhYO3?)0ixvFimEP13wXDvCl@YsYXZ=1m%UU7DAhW@S9XRyt}2nkv(By z`9;0LHX#d`G=g@Ne)XcfALTH3IopZDGY4j3NUafd(lwVCk1_xlf8I7z9E*vel%hu< z(pVM=i<{M|n;#gO>N#hd)1$80wX3>_jOs&a?z+EK+R(B$lqF-AwX?m@;F%E&7G_72G#3B~ zjp^A)Oxhh}P!vB8$ zbc%h7uASU~kwPS52P4PhqownJa6tD3D9Sd9{w5lddITE~Y9on!-j}QbBXc*mv{8JK z5NZdx2=@19hI*1AML7(=kRiPd>A8^o;Z}}gl;N1=me5bHoQAlgGY9ut4h1_j3*9pqSck!W=|nRzi5m^S|f4t0h>j zpQ@9Gi4b#8D%K)o3yF>+8A*n)sUKmMvK4t6@wCxi^Vk&+{~LV9&UG9|zDG&Z%pt01AdxGz(BRqO`Od0_Ak94YI>a|kBc^;)1a68J#hZ{TwpNIX#-};*C z%xPes$E)06E~}d;e=I2#)z|RYinp{UfAm(ikr+HR^L&=HQ@4vZv^g7Zh+~K>Pax@D zWMd+AHGRJR11cK_A-wO#TjEdZE78&VHKdmwX`pwrxoR|l`T}atm=o8O#Xfw!DTNt^FOuD{*W#v_H#?a0Z zu1iK!kFV?QDnHTv!vDI;fZ~0!89Xe4v7i=d&4m(`gl-%=i-{8zf1!dmMxR&rk{<@8&^6bSku>BBRB#pA{A91L{r@g?k~ODkt7UHslQsX{v$7nQ zee2~&kEn64PhNmWp}}I9Q_Mth z#RSXL>ZOw+n9~P#%RVs1|7eHW)k2OT9RWD`gS9#d=Am^dY6ziFrlKs2ks=7>_Y=je zqUfM3HRD8RcgE6+qJV2wpv@fF9II$Y1P)hmhi372gCqe~Z3j>Gs@ZN3XTNv<7gkeND}h|A_*gk+yMfvqD2Q+V&4a8w`o{%r#!#Dh*8E_TY;t zF=fj}fV7LOE`Ym%+giYixdygvze8Uh*FER_sWP%zCj^_X!k*ey_qkI4CK2&(mynzN zsM2445mQlQAH@bk3s|M>$}0b&@u|S`s-8$Ij8B_jU&fQ6-h@M%f8Pi4E0Xw$Ia4fG zP)0jU*I4+~i&h1mOM-=(FCJRx#|asAnB{Ai(JsrYA#jD={*HRd_KCJj_xp~OnIO3o z56mdLXY7$qAr*n3FRH^Wr^m|)6_H1Sb$XG~FK({l@~XK6f~mRG*v6MXn24IcTh(m{R2BWV57ymNqrlP+i(i+U4JY$IJVy6P8RuI z8wc}Dr_IfBVr2zF+5@-n#f>0cl^t=#@8Kgf?WJ-zvTQDHdC5{ybLzd2bD&we$$`S| zc?aGJ%I_pg6n`+h=y4<6*|ITag+q^0mLUm4&ZZsZ6R_{&pcwI+ z{m+*Le3vl|4t^I&?qm1E({S;1^e%QIN=H%{=^?42$l@A$mnV9uN46A2 
zPohn9XUc#ZLt9z%^@5Qyhcb<9X2&8ut$B+R_M^_DbT)=St~HSujN#|bVt%xp`^K_q zskRJ0;?H#Lr+(TgKy>MBNfxIm?G{TQag>{;dd*9*3z^yKpL*=3NSjtsDr@$US`= zxKJqj#9|WU8QNpbPhUuca0cHcGBa6-M}-#*`PeI28+Lz<-|6;Lf2q#-9x)+VZ3W>y zzHPeePN=DfuZg?Ah?Zy-MonR6pb5k8`|82NwmHZIouz5G6fqxIeo@RIuGsh^Izb7& zHhr@1Y#7sd6hl36FcmM*G!yr%##c?5VY@+&`FY#KqrGbazIihEYYfav%<^9Cf!-&* zN%h)w11~ZIt~p|C$p5zU7I{yGgL z!*W8tOb&MI{JW~2fc=r7-3f8xy?W8dOZ1W9*xhWUG#teDjMp~&@#d82aXS$gp=p?4 zBZGWcs@wVbM18)$V&!P3>FX+{586&cGSA+eyhP&}8Dwtrp~}LG*9{`;PfzUr&_FvT zJU&s26N{7166JJQlxYX16CL@ICL@lLnIDw~I+DhnDrl0GT-MdVk}%|yPD zXG~D46MigNkb&Z`UJ=dPeLIx))y3VWmol-#`0NRo7@RDc6VPX5Jcnj`dW2~a+{e7k zb*1X&A7g>B-O!QGim44qE5$VyZW34;{0Bl+4$LL_N|wQD{S#0wxNpCAL|&gG&~5)w zN+|#4L3xz~W4ST;8&2)5x8-2aQego$C1by7Sy;Z@6oxt`r!qZ+llk4rZUvM2KQkN6+|nEOHRv--uOzQWUA3BhPX#U-E>xNFAcLKt zLDet=t6aU3r&i-JfhmD$I0LpUA-3J(OOm{SdK4wu!|d)z2+F`QZxrMeFBx=&H1IPF zI#(+dAyu9y1zXj%9>6w#M6gkp(lbz;aJn_SVnLVSn+UIF;ac?EpXj^Kl)*T`k~c|~ zze;?`<^CTTfziL|zZox)hvi>KHBk%NeRzh&9jIOXF_)p%?l17VfPeIghlbCwS8A3X zk24s==g2o>9T4e?UOBSMit5bKS^RI4U12{WR@Q6-SCT4_8fYLqkgK1TDE&nME8|vb zlZS&HqQ3Ea>X#MDut(<%#;mpIktA0s!^S$Zp4roX(rU{NW>3>Fc!!9KXNm(nE|F=X zP|ok6g4$@1OuAEwTQE^!S;+_;c+{S281w3r$z&un@|v-I_>=j<$i!FH6a%PY!d1;) z3o{CPTyYLJarZ#EK6fkWK$d&DSL&~bJ~HSrglW}KwD&9uFN(|;krKX^E8wZdRX|Ee zaZr*p*7rqUqil2Jm=;ig#o+MTk}W+Jz@PWudj2FZ4WPPsW>-I6@A`x!nKJb`MnuP7 zX@iP=ppQ!vj|JL*EPs<^LQxaDb6LWhCHhi%Hz+aHJ+-^M@AWxdSQ9~sRJ@zNE{tWMxMzR0eU3L?xjKKE|SU*j+ zwslqqG&=6ON;WVDvs`wP(Q^kU`~gfn?G7~f2B0lPrG)-ly}S-}z%F{yvA^ygVrKaF zVdCbwFwMy^!kT)8atDd-V}8t!1_%)Q@Pt=EQ~% zMLrYlvq%1NtLO0^-52Ll-O%vOl}aA-jOOEgcXtBQ(zDwErNFSWOXK8lDXj(}Leo=I zcmvA7$o!C0n2*U)v+CoO-JvnXjE_D)7?#X}a*KW`ti~kr18d4iegmxZSWESu4Ce#J z6U;Zg4TjVjb-8`;pq7u%a4(?=(~jXC6N50w`MIL(HrdLW>(BoQ^ulMaRD+Q2I5M@z zUXp)ic6{E)!$gqZQ_`FWcPUURPTTx_#r8i-d-xrTdTKYlhPX3IaBxr`yK0kX?ouBs zA{OJ@C+*|T_V$~x8^oA|E9LqJv7mNOk@`h_%>Bq`A00UgZSgz^OnsUdhKNM<%ahMt zI1YRn+M_~mU*Yo_i-1SHQoQ^e28D=B6?rV@jmqfFdKxL}+M@y($y03qw!67`)6;ep zz}@j)2rh9UDsze|~@dK^^Qwq>v?M{(@W9si_Va`*fVD-hDS@z%r6{qP4;CmI3?Mf 
zhUS%b02q`LjqLqYA31fNZH!G@KJcj?mCsicO0tz+k7g!jDQ1WuKp7|wHMm#7Ug|iz zc&30<0dz&1;PlHo0;A_(Cdaop0qX>Lmv?Jn<8dHh7vS;BksnepS3fKG4g{NHy33q{ zy6>~_PfCKvrw5~v3`?@ToNXyIy7=$iQ8&p?MgIN)H_F0V>(`se#Baf91KMTDv6JErM&#ry_pRGGmKIGf?Fg;-_N2j zro>(Qtxo)-$lmI#qTnzv^JoZvJo=(bbV)rre!3L7H~I;f_&i7zWbGLCRu(yr!wlk zGTO7H`&%X#WgGV!OSc$C(=Wo;5lgM-ZMB4^bp5>hQ@vibg;2Wog0zFnGzsL%Nj|l2 zek5r67^s4+9XwewJlXR*9pfj4en|W$l!3vQ5>*GSbzE!68su$-l>vc9Nct3oq_3v8 z#s`h~(&5|uo@S?Sk$ktBv?~XPUM4$pejb0vyj_p76*D!f`{y}u>t{dDIAtl80}FaA zif`J#j`TaVh`jgPLEa&IDl(7aSEGKYieJ^J;yZJ!3V7vT3upWcl1&%ZO8a5C7Hgnh;pYk1H zrddTHEAZoo4#>e9WK*p~LyYaJLA^VqOKGI8V^oSF>jgJU4JVQo6{oNMvx|#y!M)_m zKp=wkh$9&iW1)5kP5Zn_x=B;P!V7p1v>&x!*qRKGGB6|7K#%}|>7*PPydczT&ahhG z!j2PVSC*#HtoC=!mskmhl{gcfgiPL7hj%jVnI1>2Rr35?I;$vzMgirOV7 zGRm6b8p#MW^5AZxzvXi;l;p6?-JY$Z^e%i{t=?8%+ zda8{YY~c}(EwaX82zP_A5V}LKEZBjT2xp*fJ=^D7gHK9&&M`q#9rNxC=Qo}!FL;mm z09%iz)ad)~(z&j90k~5J3YlYP^dO!-+~-4Sx^~yKM5pl6iL-j* z+k~aqIntEgpNu)TB00lc0E~D*}J9rXosS`C4p~U`7C{ctYL)k{TnwjNvq7Gh45g_CNidx%>IJ=rRzt2yPm`%8u z-EptPm&F4bikp}MR5R=JRoT@&E2$pyzR>9*Y3k7f9PJN^3W%*|Dr`hLX^JPtm#rmt ze?q<2klDy!cd;+w=Hp{QNnY-F4q1vNfe33k#nEEFw1 z1VOw9(7#aY{H%1;D9I|tFHFZN&r5ke@YaiW3CM^8Q#vZgaDV-G8YU-`g0IJ14MZmY zyvMeyO};c6SYADdII*t#a7x!cT-Ap_`7$-A5)``8M)Yb2Ql; zEFTw%`Ua3pRp400Qz?jtEhII~q|Q4oS%DD_p1NXeZ>Bi4*hf|@O5DYHR1=skL6e#f z%VCn;;=@fFP&+a|(Od${kZTKW?q1fIqsL8bWNTemrESR8kN&kV9H&goonJjEFHb3A zS##*ezPQA%V;5BAD4}ID`k?f1D0Bfg{WOaxNUW#T`Hai71t8RgT_av4+xIU@3pYy!g-=Zgc7| zC(p|f?7)E3X+1kel&DT=Dq3`w#%H^O7$i^Lvv=12`m-T@%`ZljO-3NzK)LZ?soTX z9I!;a6nDpBXLbS;N0%E~aMFx+=21DAjz8!cWzU#zKfWf1U6O1~F1WpccZkROn}+lB z9AS%oXZ!e&09rshF-5FVv2sOe>lqd*2`Xx-o71hFo!jH%p<$}+&)%CIEb@Ho4u+vp zcd;Z=94M60EH`JM7*dUk7@4s7j|K$GPYF#2dKueeo4!72;!gMt z^~nLSQZo;h<4B7*(PAN?X^z^4VcUEIKiZc;$jr3a)Z}4B|AJZ;&gKpxV%M`rpi?bC zfWiUSfsdrwyg91o?7UUm#8~aW#$(!w>TMAF!7$vC-}m~W^b*PMQuM{)rF_bl@ZY48 zm4KLQX0cq|{Fz$xMIRF^zXe!-vX8mK(1SKjeQ&p54F3#CLzRJIU$rzDDJMC!IuvV@ z_ZqHA9l900Jo0oM5>-;OY~qA_s{MxY z0rrNkX^z3%j$Z0iftr}j@6e^cWVG(ZzC9j#(clNqn>OJ>*{yiKQd!iDK4UTXp~h!V 
z=#<=)Ih;kTIDduKqk5Fo_2+cS*frZsc@W)_HSu;9^MDiFXuB^GC zE$kk#@85`C8}8A>8OnHmjpPb}Tc%mC#C-HE%@?a5%dghNSTgQfAVx5b=jTiRYDnR) zhhNiotdk#q=6v?3W#nn9&G?hslD*6aX$xSL8yK#7>_MH#u*Iw;%LJ+)<~?B_XQzyc zv|$p?U@sFOc{gYj@4_b?^I`z5Uaop+g}_RSs%^=QO4dgF{Z8!-X_#VZ1~h%xLx zgG5>1h;h&>Rr}6IwV`Y;1p0KD(>ZqZq+GB+wqehFv)BuM_qqU}CzeOlVGCBm20WMj z8$A63h48w&rfK~`Utr>%RnQs*XX{KEp2K&0zqn#{qUu^l;y2eB1X3nYle;nZ)TE*@;jYerY;T%`WMwX3fxj4+b8Qu~u3y&U6i`kM6k@n>e@vRnlU29l( z2cGvdlLm^6)(p2QjFH8h@hK_lvrvm-JVD9RA>uB#rK+?%3))OdlFepaMA^^!HTDXv zb=u*abJ>_lN-^@_U0JwuPE={qz;v8f&Z&z4^6FxLYU*O5O)+v^!7~kPj9==d;oFwn z*1(bap-42-#{Am`7Ql7IDHfoXqJm3DWGy?Jo}f^cK zW*pe0J$;?1S~q@0zDRjlH>K_5P{D4jV{&asUtQ0)hF9Js=OHT$C>wfPv<%EM2YTT3 z#BbBcA71s_DY97jI%AbV5+!S#$GTy1uL45TSP)E?g%y-iQEOv1TD83>Je0XgsqyT% zl;G{s*mR#3drfPd+i+yX)Agmkfm;4~#QchQm(v%+;}1axbYsuGBo8yhA8iNW@PdEV z_Hp^lrfBylk?wz1ABShQ*PdAf4d5LQS>+w@h{&4cmvIxU@+e$TOlKxw_*4s~sp&1) z#Un@ES^Dko5>erh!OogyA=Tc)XC4N^mxZGRLoc%}QvOAC+pry37)WyDaM|xP` z-p27n_1aS2EqNgZam!e<{i0?yJGAg+8Qs^d$Ewa5DlTdlx(RM~x%ESCIEuBiL3mmp zW#G`Bif5mnjQgc3IYh$x_)az{B~nH4p5SIb_54ivyP3RFYw8Wtl1>cXN1WXDUEj=I z8a(Uk`G6<TJ>rVh*Mx3;3Lj5~3Q@2seoFPV-)C}TSQ zyfVX+*e8C2NPdsXhrDd8`%>Ep7}(-odX4-i!Xn1c!RH`@OR`Ur6=&%J#^1)RV-@El z>J+l6ikA5Ipo1qc_WWf_v~a;l|Bs@M`W*2k2C}R~5dM_#rK8Kqw)cba$er3{8Dn?D zdvkGtNR;ghfnUsxqm%M_e@=6qX9HFqF$|L55;Ah@zu2;AMx|>9m>VUD_yHyh2jlpz z)Zb%BP9oF&0Sgw}>9E%ZY2GWb6?jJ_xF??s;DqzFuB6-6(()p=^TSAbjLwf@AfJ9_ zlyNcA`%A$is=l){=aTh{>takt4rw3$Cx>%|8C=7TzC(e?X z6eZ|T>zIeZ;oj5*5%|p%D_;%qo;18-Z1MOg&;Dk^c#>93{GGRB8g5ak$cs}gEJs9d zIIjk$c=gTV@cvje6?G%!`2xrMgj@tP!+I+1H`1nyFN|79(S_-oH!Ooa>ka``rnn8m z6NaQz9;v?fiqgt49xME|FVG=2p7LnCXe-}d;E!Q-={T|4b^}^xUCN)^HBze%<)35O z6%PbhK{SZZvq2vse9+&1u?X!HN*QQ@d2_t%j^N=laGucnK)a{Z8!6~ob}omx^}1n%rnL4{){mU zK-;dg?RL@%Mp$6CygyZKw;vmp92Fp~Mf3mX^?z-E0 z4qn0m{jPMHOF3uGx2QOITNy4JoC37V=r!MOkQtkDG5i>8255=WP?c7mxtE8@@V?zG zVm64lfv6!}HFR-A1C$M}mG*4{$wyd)FF^M>st{ppB)1=}zdj0kxoQ^MyRqLf&%(-Y;ZCX?>hO5G$&``4cPkZEXLu=Pso5EO^ zUWBL?H9e{Q*^2wFvRRiBQ&|U9Wl1qZ`FYqMGtRuL&^uN#i0cNU(DCmYk@|*HK`~tw 
z&339dottf9THXj>CJK#lGSQewgUkiAm%cd@c-uCuav2Hk_r#3~I@yYw8N2iAzpj!u zJCHMh=#BP>p-9@Prxwvm2jIm@A^KYuhXEOhk)7fO`0=N9slPoZU$-ZkZK_fC{(y~H z)!X6*CqDOwUR_riv7s0m>?;~LW{QuOEviy~-F6oBnloozOsV0B%mdT)+I;qI)p1O$ zU7)PbXB|F-7H0x2CqN*QuL_)~Hw*!HeMBYmz0~cHPYBk2jZj#_2eE}_@FDA;8C!R2Al0j(++Uw#5 zmy^A(av@7mkQpR0rjcfe#N^Qi5u;P(RJ6dNdwLY_DHjtPH~V;5=9+w@_>vHEe^rlu zUycN;Tw#2Zw1S@n)r$F6c(&6$X-U)JwB0U|8N*^#fAYN0=@~fZpw2+XtK`ych}9=s zd<`tT>fF4wcwn#|2d605@{22|_wOAFoJJjkgnz>HnVpCG4%FD6Zl`n~--tT+B}1iP zwm*v5u8hw_Ey(glia{WKaV1%)H-A+#&R1B)!3k#ybAhX;64~lpWpVX}JVggq$4Xe! zeeat(4@J`hu*`!_!f6I&8f#e23ts=sulU8+dTbp3*fy3VL6t|n*K*RWtQ*mm4Fxb& zF*h_C#YVXoI6UOIrHXZoaqrJj#D=fB~waye!~84l%r9LDJlI%yO( znI6Ir!n4OWo{Prw$c*}?C+8hW{*con9B{@eXH$wYd&V)>=e(rYYb2xZk9R+|1d`mBbM1hOYJg!0RNOm?1qtjYcDSdWMeCsH!#`Lc^c6n^qF8Hs$mSb2yBs28PdVmfT^ z?6=`T8Ocgt;9s5hl6KYRrgZH#*k}dWQMc|dTDRw1J`31+iaG{4lqbxgJ^+XB(zp!Nvmx>YaoksfDzDcd;PxG>*S<_@1I!(ekiu1JRuHI+`_})*ruk zD7Y$V19=#{@TZbrNj7FAJ4`OUQ*fv=T>N?+CqF_eJ@2`j{Kd-InCVJ(fS$h>MGbPrkV`8mD21$`pUbdi9&4Lf7`t^Mz}7z zX=HlRda^sk>d^ieAqJzmEdGeC4J033xV%A7YBpnKV`22rci+}lSD;QOVmR`iKKy}{ zP;=6EsaBCyE%*cai?OrbnP4>DS81dlDt9oD{61m*MZ~GJ(^+`d99mwgDc&?kII`ZV zK1?wk&uhb*Py`#6Jt?ji`=Kp(g#hDB7xzI8Ww*43SuyVh$V^F1O-UWXf}L==*;u63 z1o1x3%fs4fMN}D4Br*ilJ&7FZad5UfV>#Ll$Vos*p}b?Lw__LLQmBlC;g&=Argg7YK1HCF zZp7nUc6SCbvN}Xo1Hm;xXohGL9a$&ul;zX2v(kN@bxWekXZaE`Akkb)rbX3s1szRa zi(u#j&$^ILy$g> zyjLOKDjkM``zJJtJiZ|q`w{adS1**{`@8lvtp`pVrSjFor9q&k-(>L#3!X>mt1sNg z+>UeVPEW=B25Xam5d?W=T= zEi&89&9~UXDMOHnGqHhuWR3!#JDxIgkJA86P=@!3Y^XY7O(`#_Ug`ma{da=464)^b zHKe=WZalXt!u0(rW1p2wGM}etsR9Loaw-Gg2}#yF?vo`JsJR$tf53|hM&`b zym~F`#oOUN`oQagAcv(l^VMtX)q%E1gXtc&k2vWcs$kG+6 z{1Z>@6R;a{nMvqXqPq!6hSG0k%<{g4Fz{E6MKMyHH*=b6x4tBbk{sOl-RUlp=XI>Ez7LT;Zd&#S&YUnru!v-6GXzEsD>HWlMLSqNSY!M5G(*{7dEk!UR~Ytx=J$cMqtZZ)dtlpqwLOqO%I>5d>jN8|!QgFe%VFm|N6YJf zCDaUr11C^0F+>W#z+IUkKKcu){e117iS33KV0_FQxO}wmA!aV^>^)a*N(}KyUfIoE z7HCrV!1MqA@Bg6{sD1v0WNj`$)G*d_pmFFHO{9tDx;x3*kHVV_9p%eFyyRo%Un>9m17RInOzw%t4u0yut%QSR?EQ+Y_x4$e 
zhkJA?H!jTcgY6Q(`&lqM$<3w%3=LzOm{N!>*)#iI?sY$3t8z~oY&ulpbkW|3P<~sQ z;@(`BjW+j}I|Tx7O~B@@4!9YencVI7W>Df*j$j0rqpg}oH(;-;DLM5%nz!wP-u7+$nXNm0X8;Z6 z7&*&6oMbJLAj;`=BQ;u&cW+EdqVS?oAul`xt1Ihi-cfB_c)yC_u0{h+(lUj z7*^T{E(YE#It+v=Wd=?;^vUFSy&JPjG4d*seno$-E8fs%QgcqT$J(@^_%5)ImU_^I zc0mG~K(eac+vP@GaAlnOPWXe}(|H@|uEcW2ibJM5za`=U#Nlz8J9-H=fPo22rSNMp z_Y)gk-A5BoRAF^o{f=~MFDDOJ=|$-M9jW-`{P+!DT28-8vR7G+UFWkdFw6A^z3xre zMifp~bX%dgjt^FgtqGam!-G!>kG;nG_eLf^$YrXZMFt^u1k4M3p8tY283~c~&%y|V z)m^v~UB_c^87f67|MDX=d%mDz zyHvB;EBmuY*+4CbH)o=pL6i%>0|7ZMLAxx~x~l;Y6hs$4hy%7DI2FZ@pP)tCUUfdt zqxm9vf#CH`87YC!yKb9q#nDwsQ^cfO&zk*qy^%V_M6*MXr2;Bg{KK|<=XpEkYX)T! z_FFxAvpRM><|`pJ8h+J}IkihJ=U$<4#q-)lDnktIKa<<0p~G{Vp9vbE+M}A#sto@v z`23RXkIlV9%5yyt_mCGO{E1FpU#}NrVd^^lvl;7DL)N$$>|@)L^DDlH$w6VWJ`DZ+ z1&6U*9r2gNb{U9n1?2@O4dGSXWKLgK!(_#7Q=z8~O~v%jwV|_Qtnfbn?j`Q{-8G-O z5LPK5O}$_FxEq))Fki?Yz2#We{g!bqu-giG_)x{5YY!%3LN<0o`UPC2s?e1mKMlj* zgOV48Bz)4i$=ZuX2~G%ZC7x`x3KG4`e!Q+9fqkk;-%QeZYrGFmxRz(2vO%dJS6d2b z&`4gGl21tP?T|eUx%Mbc1C1pYP0x%bx$S(A*yFXn-IaVHZrR6twOeL)X;>8=0>!ob z)ULR-&UlU_Ki8jEP&xMW(uNa}xyAc6e^%Aey7zi_Fit?<4j=kkdQA)gT;+d>3^#C_ zW)&K{1b$tv6A6NoHGG_2I||uB5W3fXoD#{#TYYxsS5+wb3P&N@uyJVTDLr-^i_^YV zFuNRzXaeSvD(d!bD5zTay^ka7OQ5DD6Z~{ja#B9Y|AyagLr(G-tft@7|uS6Qai*65v2T)xb0l1 z>ZOb%Uw>UV-=dEXAV<3PA9CF>DGirpNlUvg+*+H(?vsv}M(*YD5Y_5G47xk#Qo$vMwC=k>bp`*ok`4fuFwzKqPd z`U8*#tB|3FruDhl-w~=n=|r`ul*%FM0(o|#jBBENC|vmSOI^d0svaTA|U zdUg)av9~)TY09AN{0jsYW%A$MWf>!7Z@}R&i;J72>3xWKN%CtAS3pHhrTzKmv%3rY zH>Z4CbZEw}y}okwa9DRjw8w&t_NHzhB7_&3XAnc3=2a|>s2K=|jYo*{LgvYZN4R6j zpw}WKn-}&pXm-b^ES*h=`HfFZMZ1;n=hm7b+Ace_qktr`IsEfs#@Vt&nWK@jq{*da z1~j-Lv7DJDoF)eNd@b_r~9jT4=Wh`KRP^U3ChWEvn5ky%xzJ~TV`Mj3-D zdXHdMd`-WO!a2)Gllyb+8AOYdqZ7s)TQgh2=mzr4UMBO)Rz6YDA97C*!}x5*V0EQG!W?FSem9UzOQVzdyb$Tr<@3`6g-VMMNWYijN8@J?|8#WaJ|U z3Bhjn5GwbZPvCi^9a_IL#!<`(R$TQL>XF_r&BwS~uZ{OlvNy!qlcjWV`6CE1SiJ%a zwqs+=Xe1AslC`J$Dm%BLXL14%^~;t1ZhJ~|{>5h+54uz|AGgSSq+|ZuYq|d5Jw;bB z%^FW3q)_(@0WVptV$)nx-CwK~OSc2w2U>GvzIn~yh{#PI>(Yuas|YmZs-Nc@I&>X9 
z(BHD?8vrx4IttU9P7E4CE=Z#^U0izbk2@czfZC>0sAi*7m1A4Wq{p`JI2RO(a_?Ks zlS?dJ^-R5!8~&?dr{PpDANire`2jr0y{Gyv z^-E0x6de&1X9T)^d=Ci*6@WnmqQ_`9LwcH{;Wc}x9Wyod7V<*6&0jk0x8EOgZ_Srm zhB+%o&5baRZpTH$OLj+Blj%GlbbcZK07Q(B{jhr~#v-!D2GDk#g%SFKugbJ;Wwvc80BknvD;mQ506%a+aEDPdFc%AgShlE@$nlrg|`Uk6bX4cUhqI z4eS?{l7y7X1o=|%10^@=HSz<0F1LxkVLu_Y?c>YVH-rAoZ}T(VhA;cs=jDP1hB1yQWIK^@{ne&C9?ce+|q+y|~c$?GPR5d-fmG$D0 z<`+wsDYw=&B%v1WB(IaQuiHMJv5iW4mX-%bDonmrtq+P1b=(0d!;9v;gIB>LTdpsu zj+^D$^+BFl@5KYgGuxBN=zx(yyJFb>wxy|N@+y$)wA>&+*Gia){K`nNL*8uHu>C8X zsedhR)`!C&QoU7+l$iB1+Cs1!=8caQt7gQVI!+Qthj|ybcO~*LiZ6`k)rGo=_hJ*1 zof7(Wwg&~Eu=~h}{i35r*GVgq!{q5pz$(OC@I&)ka~o?mb!y~}%D6gD(qm`af%n|Q zii3zAYvJzJ`;UW&&q0hgpw1tWMJg<#CTA+Fk z?M8nSG$zxO(@VRnh&~U+u z%{%JBC=dd%vFD6dO{;S$UNlo=!*N)i<^z2`JM)u;5D4VtH(pPH!V{~k3h_# zE9O%A?Anb(5O02mb1`)p7}W5Qx!A89>ip+-WB+FUz%8EMI0p6ELIc*UOQGf=f-m;A zJv0>P)^z*!Sns(?$HOdKP5A4<(v7F`5w}p}z$e$pG)Q_zp zf4Ux`V8NC1(3h@VF5c*#mOEbcO_3KoO6yJu=H}C1Es$$caF826dK9POR#lU~Q!2_- zPbjw?oxR`LLZR{;y-C=7R(JJ5#;J+rz_je*xy{hitey*wA6QplJXPHfqQuaYHcPC> zMr>*$5cN|7;Vey0D*V$i#L4J0@ASMM{66!~uIH`BR2+@*fmsJ5V_?pp(K0!?2BHw??$%1m_1_}8CG_R zA}azKi0dg)c-Y9YW3l0PQj;67=%QUB?o%kqK6COm_h|QqsS6LJeU9enjfvXfbCi+Z z_ee7YxB{HHO0&3;$ZUVQ*1JEBdt$PVZ#nuJ7wj$45;r@WWmDFCYFxessp3z!+y)Xa})CGcwdBf8r@iS((bQ;|qxfk_cbuLq;2C)VwziC9)0+pZJvZq z2~4+G+Nqrxqute2Q2>R77GdfF8RBmxR&{>Vv1W+hM>ntKxGBxZc7_h4jZ`5;vtj1LLf z1J;$;QmL0*(lkQd+;^i!TMSOqEJKshsZz=Q{sQAjk~SnwtEH{{r%pKh9BDvBN#QS5 zoTSThX_IkYR_u}KdmIOC8w)0+A(pTmDUr{b7i-v-=v`HnwH~WG^XmqQeKbJhRjqaG z<40Z2v2|lhox-zrA?QV;V6=;XEoA46cxe)yL}q4D7$TV-sdq^^_{So;iVCkIbd?Z z^J;S6iSC=4B-GQiZWoHn+G<=isy=g$j!``NV==i{_lg~`;oyy>#3#*$bIyQ^dy@4#snq7-qRNO5j#Eye#b65+^Kn+ebUU_{ zhhf3q=%v7OJr#v%tq!ppE^Xq($q|Sgiez31HFKj-^YjiIEgiMa`=nndkW7{u=p(U# zs_{d$+N<lz5d)i*QycY`7{ zU!P}+JO|VHC9EKfPR4RGR0H~Io``n$;>HrFN^Ss72l5NyJo>-VY_XViRy`#nMv929 zfz;nrTwRl?lv=hs)EVIi#k|~qv}4HG#vn$B*NcqihA}>X5)SF;ZF4Hp&68U53qS4h zN`U5T3RZd}^Ox>T#f~#8and=|@MQ2${oe^#UMuaATIaKyT6H!m$BN@M09>=b`VD|-wjQ1bg}HgZ{<}_i1@A~9Far!#c8ojG%dU+_ 
z(s}_k%*q&;qyO7j-Tt7@{WJ%hP(C`}Ky`JSLMgw-iY~olt4iu`BbZh&B!U7`t05nS@_Xv_ zrC0;j8z${@=$XOsym780BPs9Vr7{hid1liEZ3`30j@UtVy?V{l4EN zqE z<3h?d_~)=S3gkEisM`k84IS9UNO3u~gXa(FbKv{1GAV@T3ji)K%QrpTa4J7cRG*fw zSVDx_x1$g{_=WhsIIYq_BQd4|)~A7uL>%eP*QJ=|9}Z<`O?PJ-+E83buMSb($o*I-`4;5-A-%#^_A9_8X+cUI9M4szRb?QA*@6>p@W4XhS&FPjm zf4<~B)muhPPNdehh|8P+vtLYLN6|KvYiV)oc74i;t`~sWHF3883se3JR{pQ_gPy{6Ye3acjB8&LvN>*6O`bNI}dEA8)_N5kYg2dgdw*Z(NU!Bk<;`J!t z%YLUb$)W|-=Gl`c51qR0#y!P_d2q31$T9U@QJw;!wp0=UrYXB#LVSMj#>Pjlq=)U( z^hZStRH%c<+0q#A7t-o+YV&KsKF_C*kf&}~xy4VF_O&6lxbkz=&Wm9hsS&>n57;b- zKc{Y#Pksfw^Gbg}#U2k~QCvJcXCKU>_OlP{Pez{pg5jEL$D-G`QLn19c~k=3_mn&K z2DnLZ3fgnnOI!l$-zb>j&5pXa;XxDgz43QS5u{Li@IX?ztFyyd96&u= z_1-bXNU7I+K!KGLfRDPMCAj&P$RAE$E5Z)<-J5eSa za#PWDf!5vB)eJ-A1oWI)!C`|6<5DM-^&9tPbT3KR98VN1b0nx=&Dd}YzuC0#%EZZr zVJoaCx5@>O1_4KG<2Ujn2QH0!lyYQ{dI;EFhAmfwMIhY1%M50#h27Dm>&fh3mfrUJ{ z|G<&bgF{Y8c~U2aJZ}-gwO=MRHVYW|;hn1^rjx_C$u%5b0u04;jWChg9La^74;ujw zFZLf4)&*Q2#izg7sVCLGS@xXd4_+eLgdjxef9WiS^pYS_23r~Z0WbRcXGg4Q1WoFGa6iOOy$yjj( zR1!g!FlZLCQ&u&~xGeoipJ#0+&P;>2WtQp=@;&Jj(~t%BQ$^BLFT3?c;a zrvs(0J$(S>ic)3v(~)(8J47>56mM_Edq+PfNmQDpCr0ok;PCBUkZoLfpeG+~oF2xh z)UDU0JMAd<-F+kk%=E(oe$0~*4}4n%F4}CikhC<#3h>RNk~P7yZNW07f_nHqC(Y5G z>&1{N9%P6cR}8jr|%w>1%P93Ht!XKx|$!PE95|49~qLG)ffJE`)&HXeDy&|qGw2Qqo7{oeHAwdiJ= z-QGk(ZT|Tz1ZNcUpht%40x5W_>Ry-Q##l|(^%0)}e}n|hG=s4IV0E<+u&hV-jfBpQ z#1=O?$I-(DUoTd&QSeAvLwiI9j0KuAcg~upye3OMJf=M>SOa$qJzB!YDgyFvu+p#t zb`;mT`}F~QY}ERl$wzdUUY{J;HiCF+{7Rw%lU4U=$}Hr<>mv0_a>MAmF=k>vLll_^ zOO!S>ME>pqT4E|tg#)=HOy@o8PHSHiP{IXZr@x#KVzZU zC62t2o1B91D;}~ByzW&9MmBYY_6;2(ZkE~_o$%6o=Pdd3EN(;<{$@5m5N_fVIY?JT zTI58Wt?`qN&!{zaV}q`B+Y|phWfzt`P%Lwxc9 zA=ieo{bJm-ab8A|OQLlcFmZK%GHTp7Fy0D=jBO6&>&Ia8GCVy*B|+!{BPyqPOxyE5 z*|HEV5d`l+x%hMlch27A%YBU8@-B~F_D_H-a@N4qXgp$$7QL6J9mANH@pX4?YDcb^ z@aKmie=C#dwLF~|8IHYH7w>3U=9L{}l=3<{Xm2=wSz+*0#95Ux%T}Dc)I*?~y{bBZ z6OYdV)o-fKQIq3B_TC>AfyGP2g=<2p#|EZ3>S4F2!>IqAhBfFtx3p1 z=e;UM9vR-+JR@99DLs7G-}OaJIvLD+t+#io{xuz(lKecS>^SA5?0l;Xqko%edr30~))W3>mH6A5qM(#M<4n`f`i@u_`{@l(}P>QnjU(9<0 
z@qwB=kp?LqBvCDasYoEpeB-pN+cRMD?K>MbGB`q9yKY%3xIDJ*xHHpe@P>+=iuoNG zAJ(?0V*TNIHYXJamvA|r-uFRY-tl7cK==`7fc@B!`{UAwsD$TZn(Hm<>Z2HN0^Jyf z%UP{c&Qqe$&%d^PF7|{$0`D=v7PVrC%DP{V+jL{F@hLCKp&>VzS8Q?1iL8@fj|LYT zHLr{uR?+NE?l;{%wfLi|j40VsSDO|i=WC1#6Flk%!c6&}R)xlIuJd{x`;LGYOHURI zm7nUwfRE5Ax<5lK$~vEUD?W$$Bz7=bo%+4lj@W8_0a5?tQ6#WX10M*`iGh&_u;_C_ z7nV?39M{x!{4+H*K5yGDns{`A@7Pp7;6L9@+N7qY-i+R*j@}(^E<5?|_RBsT@Z!P} zk=T;xqaRP%YX#rrWLw7{V8JNDmyMz~Z!9`w__+D`%SaPR8cm=)kG~8P)vB^!wcVp}#7DsTcf!GT`o!NHiRuy~T zwG-fh)M@<(GywV|8mr;l$9YHYAFCBIvUK(dqwK_iJ3Yo^=f z1V@3#a}KWY?5a_;C86$G>~k`UC$+5()_2s z25Lo92YF|&x+q329gJPmeP3H>Y!w~JL=(y*T$8Y!k&t9t> zalHG}hXw;|W61jc3<-OZXjLCo?seTM(#@mgEt`@}IBr zNBQp{uu=G*r$A}sU%<_R`I%w#Qn;65&pLDZhbhin^zV46PfQ)+zSRvv#0y=HU^r-8*th$MUG7^m!2N^3aE=omW);)(u2CEI-J7Hnh!s% zPVsf4>wdWA|L_xHUO46n$r<;Lp{od!5E1Lnu4qI?N_L8|dh9=Mmm|-aGh?(Y>w0#C zoV%$PYHeo}#<&nPhhD%oXlzBUS@bGB+J^5f+C>uHH1D}{+{-8r`QzX!dC*>J=8f1^ zPPbBby@0#~ke$-fBM+4L=Ez|9PHd#p0&#^}^H{`}jVjd3t4hLz=7#ncf%aD(Rjtw= zK72?83ik%CE*>Q56Z|A6Xh>!zChD%tY=3dPzm5N-Sc-VzI_oUMhp%tr>?9DSEH8E= zSXQE5I57KOdjH+Z7P5O96qb(J-Q7J~Utj;JJai-agI0VA;BAKORbP~v06F4@MqACD zwFj=MB84d=|DwAu>YjH$-^3t&Bf5Ypz#H4Hd6uEwt;(&GJtm*+&C%+ zf|mh)u58ucx_-?;Wc=|P#xYA&bhpY2n~Er&{V!NtMbky99KsGnD0~?02!X0U&9Vmy z<;9l-R@*O=_tPue-COVr5mk|&a}W=fGxn9VDHrTBbrAdptf^(EGoRRo14Wkpl3V{i z*vxx@GOm!!$+nqYA-%FYW&j{`~!=rw5g5@F6k;*d!5)e3i!DG!$beZ$3SxYp6ZQM z@_fy8P>9HX%~HhYrFyGNd$a|z0VqipzPQ?N?P%}x1S?X9FT;w%%c|FNArHx`AcyM4 z*u@~_eNgrCCXlNswRzWAEQXAzT2J+%69ri z`OUEZ+NSO#FmwN~6v|DW6n^~&lO~Ea2gbNlO9u|>vMohY&iFkmh<{cSh!YNqtx}gP zdHaBAk`RoD-w2o=;ecE%RCvKN?Zh}cs9riOIErn}+ECvpQ3qjj$Ir`I4W15fJgZ%T zNJfi&`w$G*hVmCQG-1UW&Lm~cXWa-DZ4Xh3?ep>94&|nJBK1_9mk8Q~FycBl0y7@cAK<9?ZSL5jTptZ~2Eb z23p@tKjYva^h-=SHhxJ*hj{J15XKCExDBclUVOh8I zHwx;RNgE!X`!R@sssu9lQ&`6aW#k8*KK9_8Uae}wxpc#X4} z<8n7K@MrTwz)sT{l(Q|=+{teM_be?oVwWg|npfmr=$9pFFvD6Tlf#ITM`YyZRbK0A zyz|YOpqowXTRU`chxyY#3y)=@?Vyj^g;#C)=z^BGM-*Jbcy0ulC6>^8v!P(TTzP<1 z@Bj1>9~DQ!j8wtXv~@InypNBNHAds*&j=Z&G_ano%u*znB6bCT&4~04VD(%ujvm1Y 
z0D$X^XkYXv>AJ^p)A=LLH6+KRVSvT)Tjuydz2N7qp!g5zWY`9|A0uSip^pV$U*p|Q zB4bw#{tARf`?r`or*Ua+)lr!gfRAIO`|P3uMjMRKU#>z#tK<+tpQnp+_uez(R96=e z%~3&!)A_XtSmIP?&YJsmeC7R?CG$is^3oQKZ@0yE=KJq&s?M5GThZ(mAN4DuHN?`u zRahH(?7Z#P2Z#u<$w{Nr&+Ttpft}RP#O-oT7 zYY7~N=oEEuF5WQZxNLDEBeg~xqEa%oyPOY_iC>tI8F*B5dHz7Pkj5AD>4PJWQkJME zCUFz@IZ*O&shU@>+Q-&}RXWoMDwepb#_I6m5pw}xhl_qOFgVCga`P0b@iug8p51+I z_QWX^}J}7a>QdPlePEDcW)MBe8R63VT zQ`(IBTj3u+lI|Vu?|Hw1vH~htXTGqBd|@Zo;Lag_RAFdQ%XjwFipk{O>u@OF(BeNq zEBFVGOdWKXa@Q9(AN0oBAQY5YPmM&o^Lunt*X)G4_ml?>u0sC6slwdX4}5>aG9-ZL z_8_)uFeQC~jY7@Fz_V4&dkgOd8~yVeJGghPgTH_b<+DYoujPldq@#m+k=JDKdu$Xo zJ@dZbM^YAN@EDBz&=bQO3hu$0~sJheQn??(tU<9qxzGQlF}cU{8zmKv|F0~mydJT z;iB(1UJ@LX6qv3c1s{z+7~!7}dR0+BH zv(^)DWBJPW^aKJ;f|h{-)#UYG=!cB@w{2C}dH|vWkiqHC4H1T?Ff1DG9w>!}p(3w1 z2g^&K&faU%BfWaMh>;!4WEPoyWex!()XhpybzJQmo#Q9$-iCGqu5>`%lX`5-NMU2- zd9T-HIAY6AlnIrYJu1*00z4~^OY;YtJY9UN7n7NnL3fyzg@g*CN2Rb%(*Z2HG28p^ z7$e=IfM{cz!}_Xr8tn8(t@OEQ_<31Kuc-%Hu zd-qt=Co(>l{e4k&Cty*oR>^$`Y&fo{`vQ5IP+kG`z#=EJR44?Fob4$NM2eMX5M-$it2(>{+hFZ=eG zVNB`|ta(B?MsdHru>zQ$Yv!zIa3zME0@?V{sTU6D>j)6+HpLF8&IJB5Mt!aI{Ag^- zn>=I7_V!e#e6HK|Lx}#O>BScedR6oU!R~w`2>38Yy{JTQg#V*I>_;3Kp?zjeA&c3s zTFtu>b2o-aOtzK@d)wp)*2I0H&4@x~Zm>A)L-QBc^+WH0nOBl3JCg1osdX0CTqZ!C z&}ol{8(t4?N&?nTCqLO?N}5Vat@@a=`A-^0mC~tVeOFk1lkTY1cR8s?qMPS_*@vzs z^luBkK0ESkJi0P9OzQ3JJ@^~m5h$_&H`woy>-hT2$f{Hu=zW|!y(s-+uT2L@fs`zt44iW#EeaKnmpzvM>@~( zK|Iywe>k{jOT1go1lE(g&?vc_tuzF9F)C9U=$AqaT+-5Bl*U$3t-%{gga ztn6=C(v2zM&`}dCn*3XAll@F&7PN3gj9s#M3)@YQk<4Qqy@i=*bsIc_GCjBdG^(sm z9MnAD>qjxUiB;7{6yw`le=JS+v0PRj=r7t9JOQ~TS_F6(-}g}2go>6g-Ex$*DY!Z8dB&JGK5JRvpwP)5CxyKi zf%}lV$+qOx_a{iMsTneypcUo0AzcYe1779)$;&2r6JlN933sa9*u>u;%cJr2i52*H z={t!@OR_j?*_GllXZp7W!2e2icV<%q-_{=?4q+WtpxAkFoBh42oLqyxPRZwNM$h=j z&RsE$y%e#N{i2{=piDB5rshY}#W!biDe0iO{|)=OFIkkpKN`dh(u>$K#c!sN-C3{m zJ#C-gK^D>aid1&e?7C?Z7Q}R~{7k*d{+@Pk-3BP3A_#2-$9AiDxJKRtO;}{tFSjq< z@(dF^?BWA#tsocLzm%~4PZl*l(QTMKDvd!{Ok2u>b;pE&B*QFO(9^+>cRVW>C}B1b z19`8n@AdMZ`#$ZK3W)`#i{T{$Zwc=HEQ0QTWKsgery^#;EO+}48Fp1M@EfwY73oz13) 
zh4Wm;neP@fH@8X-20;KLzYwov>HRIU=ep2NhuATlejp8ijs!xZoO(-s>(*J~BO9(Cb$%I&6K&w23V zzepYQOxm9W8oO*+L^yhqZ?oxaf2&lY{&rO=fqGL0SaRkRy0!h z7_sBbPr&~r&WipK+5hErqkW??u(Okp&TZT1A)LBUA@?K6`FWCcVek4s#Zg_b!!}RL z3r7jwmec|ZZL4zGDc=k!2UD+CDrPOks>~zG4^;@H_PP=V>r3=a%bJ~i`)QVoeuR$? zRP*qaCA5Q!i%|L5vY z&WR0!gU^%Z?4ya^Su5#ct*+5^XfAX@kuT!Cm2%cRC8aFtQclfrJNr zyoELB$eVw#Na;78=nu$62h%^BSaTy}uscv|$|VN0y;FezO(u(hlGn+y@f?zV>(TfI zRdb=j&lcw0s?+}F{loKba0>6pC}BrwOG8FLIInwyqwRK4d4DLk(e@PyVRdQJ1y5)N0 zaCb6fbUX?Q5~m97&e@{WGZfb5HHIbiV6y_FYID8sjbwU?N^D{2H+X($lVzG;IZdKJ zihsp`Ux+HGD=~(XHxPpb+CJdG*U$KF?vcdMVV5fold7eH6`59S%?E5NrI)Ou7?avx zqjEM7sX5rXj^K|`vc(wQ&rJ&qUk8y>UJ3jyDRGVBowm50(}I;f-279IQ6SB7CovYL z&36*e>YSesb18A(FW%u&eW=N20t<<6;ix<1kwoYH){nWTQ__)%X=yk<_zqi(yffR9 z|ELuC?2#Z*yGX0OU_^a>Q2yxrw$)aV4&_I?2w?su)nHF+G@Hi7EyXND8Ax8S$LGOW z(71mPZD7Zfc3ZCp{ytJex%(MG$6EKjlu6IR1}pZ)t^pdK(Lwyj1Y>|XYUL=SDgWaq zu)cmWw9j$r#9k6>VU!ua4dSj`UygfwhHCOxXsZDN%}>@eyI$9QtO>3>jr%HlV3$6J zas8rA@CThPy*ni}R#AA0lO=C&-~O65UO>K}9;a%KgU&vq)U&C%#u6l-h3m~Dsej$R zCIQYaIwALjrs8%$Nx1QB5j&Yd=C6ZyJ(IZU*JsM$h>3h@D^9oSntUso!~Xj<+`u+8 z;Y=%nP@Ml8j&|oQn}&|f8))C*3{*2MIsX1U-ya@=K;&vWF?wzv>Ii=Um{|f;5DCV7 z{&4OfZ_tFGo`X3^X(Uvv8EO_S?!^9ZUCsd8b}qBxNRx-gs7v1J&aSPjr$5pX-TxcT zj?KP3SB_TS?%L6BnkAv`rMuHpC3FD{mf-bX(+Q+P!ilfIB|?>&X}hSDneRYOAUrys zIffaE3Dz$|iE-;c(WFvp*Wy>~Ck2*KwN?`41}H0$p1N->+GNb9YM58zVrP)FeJ6>z zOMc2tdxFs5>&7a}jccmaCe-L-N?}3Jg$Ng2bm*5k$LuuiuWOI5Z&qv2?lNo(PrlJ9 z{bU6cO#Cjw8$p^+P2b!U7l&J?Sir6>Ht5BKBnkwM9NioL5Zk6r%KEWa2mX1j=O{&@Hw8_7Uc)UUI@#sXhswjf1hQ zD~s}-S4QNWv3pwjn;D57|C%Pg8mRQ}MBfgY%0bkZ-{Lpf2)K(gOo&iZps1Js;d)*C zdk6*XOOamN0{;ArqK&;>f{nm!pS*Duv-~8zU_Ik3n8#p<;;Sz}axgZxU415Uel*uT53@Ax5s@4p-E`eyvy%Lh8oA6Aa>&IQ=SDk>sA69$<#aI3P_x z^l%y+=!S)d#cF<_HIj#nt?f#WU(^X#d$pYeTpSUKo%g)AD*;RlSIb&blfD~|GT-UoN1DRuUypZh=Mar#)6;{p^gQ@k3!er_iAVr zjcl6Tii;F#-b4vataBvO%EEq=Yv91C*+B4ih|i+>G%gz8xIIrwtSQLHH-i(}F%9h) zSqhbBFtIAhidFS+0Ftd?1dt$aTwXIdv7Dc7H!w_PXepki?mskgS8~;pCJB6f%rZ+o zduSwM3PyL!qp#X$i11*`LeVU5yxjnXw|W>QBi1A9;QAtYRfk8acCDhZ#vf4Id3?=> 
z@~Xah+sdVX_K?Q6J~%C_GBe5ld(L>_6jxYa$j*{p9}dtiIhWlOM8~b3$E_~p9u}ia zS*7YbGxI^I7~N2F*4cYbn*EEY^+Fyo_lzgWvp*h&050k(ARMw5b0pCHp<+#1W0IO2 z=|LI{>Q6F)ES>X$G4ipu?4%H}Qwo>JHF8EU8`!%sfQDczWrF%2U;x0M@lX1{P1QTx z{ko{jPsMQe{2ggOoPfnu# z{ZfP(@`HM|EVT6L4Htx8SD@q>2C2bay0v5ur>tPDlbqcuM5uaixL>*v{H>;}DTNW$ zKC*rMcD2pa61D7uw`)S(0|QhIylMJAAn9gRQoLh}5tECattq1+j?8iU06btrV4jq5 zo@orkK%)1<&EbtmjBmwqSCzxmxTYj8mij+316Vho$UZ3z7Eh;As=do+HnR6d{PR;| z5A|8C8@6GHGMXxD1+yGbs$0D?m}09?+ziXxKA1cnBz$}6(P<<7X2wF>qSX)LyW-wF z>@LeL%8~zdw!xb_1+KH^oN|k z1kP$Hn(SOoYJbp$$UCp+o8$AW9F>M5ZIL1Qpjuk&;0GzJg~xA36B7Ou*cqZ;BS7Ua zskPgbMsrCRDi)e$Zbw;nj6wW;q@aRSKxA*@*ZU=wtnZPIYA3T9Nieo$+@wQ`4H% z985awzb{dGb>8!^D=Sm@YmTVMGq3b*S#PRc%O1RXDFekSxJkEX>kUnL$b9mO|45*4 z&SrAf0>MZiad7A4;QPg=6B?{3eK6ZX{Bpt>(&m-os495CA5or5te#q+gs@|B#*w2h z03GRniufj{5&b?#Vd2~F8&D$Fzk>5ZBoo1`jtg1IIrfUrb$ygxbvZ&y4{jTMK|!JZ zpuVAL3&4RYe8+RhZD{eG`Jl0a8=xd$WLv-gg+wkKSTICyrNMd?5Qf-px^itj__$zL zAkfdwwJ2w`Im|wKvY~4pvd|1@@Z=r9TP=SW688H~cWy=o`%qSDcmTlelm=cB73u}- z$Qu%Vj;|_~EkOi(xwQwkZs2jRE}|iWr!%Fymy;ymPGHNz{=cPv{~#}bP`c+ZspdLD za(;Bo>#T>7=F|@780VMWCqL}@EkndA5%Z{!cSM}F{q#YV4S()YVu!fLF zjkl!-N{B`RhKG>VY!n@XBfbkY(e6}L99vK~^or{nn~UTc9E;cTwyU)Y)oMM>^Os_8 zGQ{J!4P3+D&^XFa*i@-8_F|_irDQBir_B=y?}*Q;y+F26_f=-smoNJL6l7U3`Upo# z28D!9X(I1`QVa8kFK)lj?N1?EZZ|@_{Nqk-7+qofBjGh2Yc+N{{GB-?@<0iI)Ys{% ztiW1Sl!Q_7OlyItCP4fA4+j)ae<^u(slr(t`etZmSeGS(W7V&xPV*Inu3`ey63EoldmJ$o-Ul%8W!nP*>Vd-;cPGlckB*qy`!hWuO`0VBlYokPqW-li0>Bw<}jPtVZRfhW#RU)EyAHhe@<4* zram)eZlj)_gYu7g4+(`NCYp!I1d~Oxm>GYmG?|;}|BUuXe-+&I%G_PFhr-PhQBHG1 zpPB3P{dd9o`6_e?7im8W+^u12kW0MWcKn`_x{KyJJ43{z?Fb^_q-T_8TQ9`po{v~R zvdGdKUWyvSE`;re?wgtTvuN@kzk@5oQ7C1Das1i28re)P;}gn*!0%rTs<(a3K_aZs zkGNkHk8W26@tQha=S&e?*L%oaR*>*Iw$&E7$9Zw(-Eo1-=ld6bx}`rC3^coaG4y6- zP;8VYdyTyM-rnfm!RVfN&##FqM{TvHZ_%0GBvOKA?2o_STKEp%=uuApE=R`5_GkZj zN&B+pX3$VOS(3kKVt1Q6`MKB2_V4zOW^+}yzeGE{BrEPrN}VfEkCskE(aElqrjO?P z2W182^QV{DhFqx;Cin|+f9)8nm8M$h=a2b1+*c#oNZW0h|9Y2NqG+;K?EGC@iSb!5 zJ(-2lYFyOui}uEG6rl>di?R4~p<~xlP;+$GU3$Xhoy#M+`n$@la=m25yb`31lXDJz 
z!=Rq^J#mU%3+WZAB>%yMEaQ$NIHr8oNp*?L1{+SDy}0i5^rzeVv-&?5R-V32Su?ax zDf{q@D<;);3_rLLVauogyn6CvP7tN87SPEQlgVC#wWHXLwSXTzql3LsE%O}i!=O|@ z(R8mGy*LQ!@?FS*woD!)Ju-psIJ!`8c2#4Et#+-kbvy{B#}vb_6$VJgzM7brD6-!q zi{^_S#v$&Ib@4!IL*Ni$18)T_G6%32eh+9RS^@+I0P zT0fXxS7xW|jcpwp13Iv!TtV6VTH@RK<;`T^c%J=p4kuB%?uBxFq94L*>XRgyTed~Q zri}4J8F||71$Od$r`BcuT15iOI~I6=y&Bdtn`*^y86;3Ted6*{Y2&A|D{Cr!|J?1O zi7%b^^WErz7M^YfeeTR94ba_uSEt{waQG8xuSF$j~G`u3fI7VeNDGl5jt+kzADugF4Gl7__>Wx zyc_AAT8na5Lw;MwEL|;mX@A3|lK}~jEZs>RoG&4$g^NO>!d~KoaRC!gk2_R&AeyZB zkhe@RjVm4FwamZ};Eie|D@Gjb1k2S+90rnyM%y5Fswv6(-tJn;?VW#_%T7UjajfS| zj^(9Vxyu)IK(3Uss))K8-cDAmZjYNKCwo8fg}uH1nf!HoedCwIKWErbz5Uj4u9VwR|<5yB#*Xz%5?+<^63(~*&_2-0-Z^F)c!b!*T5{nR|gX_-lN+@K<+ zk6HYwqt+eOz`3}L0|E{d4XS?}#O4OVP>Sxy^gT+b;ep>6BT?j8Cr|!p&@4TH27jMU zULz4amO$IkbOxON|JTn1Sp+#1z zXJ(Z+<*$%;$7AbF?^^SiKk+=&6nLJd8}Fqg1)26&m)e}#H?RVgZ)`Vt6~(QgO-2(e zL99I|o5&jAbriduTxpwr<-4J7R#91bGTGE979OiNGH{?co?*Mg7B~yl3YfWFFewjd zCK?uHeYu<1HfZRvkd+1*N|YYn=us$IbGF?(!Dpvb4|RHQrmwaG3qo&{gluwBB-T_k zIGcg6Gb)82boR>YrKi z@>`=Ad(53s#B1wKr^}xUoY;R0%YOcahYFW2wTM&rp4%+0?f17XGxzT4gNiaZ65(tV zyA>QwszjxKjW>0<8w(dAgABe^wbphBjXZ0fl-mMj=_u){fastQLSVr zc<&Ps>~mW;s^mG~kQ};hF!671QtVDKbc5HFy$ZgyTUu1jgkcWKXTO9i<4NDUfgwY) z7SIU#q3B#G+Kl;eM6o+@g*^0nWsqmh(~&mMKX~VVU2UXF=0@(@K-f;4Mcf4896*Th zwS+tPU-Ee7m^<5k?zRkw+&iP*9PG;nF%-TekqVQ)mmbwh7)|$vX4IMH>pj^obm)hd z>uiHcN0WvoT$P$eN^ewUU-&_6yxjfNf7H?cV;6$etemf z+iE*M_``+blaPrmiUbkP#dS#A4O5 zx1)?Lf(lkbB_S4d7(v0M7#1N!P!nRq0rby1@A$LIK0I z4x|)KY?wHqAGiG|HhZc4DE&VVFOzlz$A0s z$`P^peR}NaR0KU}l~_@wOUUGPv=0x{SO?}=+#xGCs3u*Yed!B;bwGll==mu&u16^6 z?LJ^<#?M2qtl-}^v|BsN{m%V%im3SRWC={~iW@grAUh%9|k}}`&_wN2p zi4vR-M*fM7)v0CJpqfkkm8upyAZv)@^z_t}OA|@C6zGH1EK4LqESxA!C7BuH(#m=F ztyDTE7Z*SBER$6RN)Yk#yzoNhE06}g%^!L6Nl>NkKqPa2)tzm7w6E*x66}qeu}{(0 ztJfBJHeK~3#TczWs43AG#|)5@1JbP1Ywds*#XZXo_!f01Gmxd7Sf1{y+1%3R7;Cn`#9H}RYD>FiXT-(nCny2Yxzq8bWSyKQcV=yBR>OXVdV z^mCK05E6kKN0~Q*U{$VHF%=-C>6jG0*N;6L>?t)cO zh=27POaoqUqx)HX)zfaP*e!H$TaLRSM`^+)I!{S^Ln%E!>eY{2$rC)kXz#ESrg)BN 
z6;Q;LaHdRY!m%MOw8r*w@mEG6%Zzg~oeksKFw)A5#bN{7+bf)qPhM<%d#HpcS_irZ zHpGut(rC0v48&GW_$RmEVHSzl zQjV+C{tY~n@1?LZGb>F@N)qMnI^i4-nFtxQS+wCWshc`UB_5r_TXN= zNm%;Y{u`2$x-zF^Fqz=91J@)6j5&;anf#ganD43EL(;pQ1nN|`ZR4ZB$#j@kx(^?6 zb=8%zSgX8lcURolD(D~S|5Z&@>2h`uAd{`Zr`0s%A~bSQP4PqODk1%+-*O++Ao1yKp(yl&i@L zBb|?{x9WXiW)Ka#-f5MXj@8BnvSOHpZsfI_nIcfR!+cmHmFsa~nn7OO6x^I5$5sS2 zt*C&9j^GxIL+`*X8Brb{Je))#p%g~}Z;Nm#C@7%x2m~u^hSxG^nXO2dg5W93_O#7f zZLUevtjXGi!VIvom~jog_--rKzlEe^#y5~AL64C}=r;o1U-PYLuYRlfle^?9eRI~h z3#*!|=@$qDLl&qQL@Uc{8#p6XnAV727g2A?8D+20f wnhstTs6SJUEwtdN^05|H011w=Z)21pqYwug?0ifO=HV;Hk9i+`=^m2)AKo8?mjD0& diff --git a/content/en/docs/getting-started-guides/windows/_index.md b/content/en/docs/getting-started-guides/windows/_index.md index 54b4c976487ce..1650b361a9bc0 100644 --- a/content/en/docs/getting-started-guides/windows/_index.md +++ b/content/en/docs/getting-started-guides/windows/_index.md 
@@ -6,11 +6,6 @@ toc_hide: true These instructions are under revision for the v1.14 release with a [tracking issue](https://github.com/kubernetes/website/issues/12426). You can find the WIP draft in a [Google Doc](https://docs.google.com/document/d/1a2bRd7PZXygIEm4cEcCeLXpEqJ7opakP_j4Pc6AJVYA/edit?usp=sharing) {{< /note >}} -# Document 1: Using Windows containers in Kubernetes. Section: ​Overview - -([https://kubernetes.io/docs/getting-started-guides/windows/](https://kubernetes.io/docs/getting-started-guides/windows/) [https://github.com/kubernetes/website/pull/12929](https://github.com/kubernetes/website/pull/12929)) - - ## ​Motivation Windows applications constitute a large portion of the services and applications that run in many organizations. [Windows containers](https://aka.ms/windowscontainers) provide a modern way to encapsulate processes and package dependencies, making it easier to use DevOps practices and follow cloud native patterns for Windows applications. Kubernetes has become the defacto standard container orchestrator, and the release of Kubernetes 1.14 includes production support for scheduling Windows containers on Windows nodes in a Kubernetes cluster, enabling a vast ecosystem of Windows applications to leverage the power of Kubernetes. Enterprises with investments in Windows-based applications and Linux-based applications don't have to look for separate orchestrators to manage their workloads, leading to increased operational efficiencies across their deployments, regardless of operating system. @@ -662,11 +657,7 @@ Next, since the Flannel pods are Linux-based, apply a NodeSelector patch, which ``` kubectl patch ds/kube-flannel-ds-amd64 --patch "$(cat node-selector-patch.yml)" -n=kube-system ``` - - After a few minutes, you should see all the pods as running if the Flannel pod network was deployed. - - ``` kubectl get pods --all-namespaces ``` 
@@ -683,9 +674,7 @@ kubectl get ds -n kube-system ![alt_text](flannel-master-kubectl-get-ds.png "flannel master kubectl get ds screen capture") - - -### Join Windows Worker +#### Join Windows Worker In this section we'll cover configuring a Windows node from scratch to join a cluster on-prem. If your cluster is on a cloud you'll likely want to follow the cloud specific guides in the next section. @@ -715,13 +704,9 @@ If you are behind a proxy, the following PowerShell environment variables must b [Environment]::SetEnvironmentVariable("HTTP_PROXY", "http://proxy.example.com:80/", [EnvironmentVariableTarget]::Machine) [Environment]::SetEnvironmentVariable("HTTPS_PROXY", "http://proxy.example.com:443/", [EnvironmentVariableTarget]::Machine) ``` - - If after reboot you may see the following error: ![alt_text](windows-docker-error.png "windows docker error screen capture") - - If so then you need to restart the docker service manually: @@ -756,7 +741,7 @@ mkdir c:\k Copy the Kubernetes certificate file (`$HOME/.kube/config`) [from Linux controller](https://docs.microsoft.com/en-us/virtualization/windowscontainers/kubernetes/creating-a-linux-master#collect-cluster-information) to this new `C:\k` directory on your Windows node. -Tip: You can use tools such as [xcopy](https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/xcopy) or [WinSCP](https://winscp.net/eng/download.php) to transfer the config file between nodes. +Tip: You can use tools such as [xcopy](https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/xcopy), [WinSCP](https://winscp.net/eng/download.php), [PowerShell wrapper for WinSCP](https://www.powershellgallery.com/packages/WinSCP/5.13.2.0) to transfer the config file between nodes. @@ -786,11 +771,11 @@ Note: [start.ps1](https://github.com/Microsoft/SDN/blob/master/Kubernetes/flanne ``` .\start.ps1 -ManagementIP -NetworkMode overlay -ClusterCIDR -ServiceCIDR -KubeDnsServiceIP -LogDir - +``` - 
@@ -890,15 +875,15 @@ Kubeadm is becoming the de facto standard for users to deploy a Kubernetes clust Now that you've configured a Windows worker in your cluster to run Windows containers you may want to add one or more Linux nodes as well to run Linux containers. Now you're ready to proceed to the next step to schedule Windows containers on your cluster. -# User Guide: Running Windows containers in Kubernetes +# User Guide: Scheduling Windows containers in Kubernetes ## Objectives -* Configure a deployment to run Windows containers on the Windows node -* (Optional) Configure Windows service identity using Group Managed Service Accounts (gMSA) +* Configure an example deployment to run Windows containers on the Windows node +* (Optional) Configure an Active Directory Identity for your Pod using Group Managed Service Accounts (GMSA) ## Before you begin 
@@ -1001,97 +986,63 @@ Note: Port mapping is also supported, but for simplicity in this example the con Starting with Kubernetes v1.14, Windows container workloads can be configured to use Group Managed Service Accounts (GMSA). Group Managed Service Accounts are a specific type of Active Directory account that provides automatic password management, simplified service principal name (SPN) management, and the ability to delegate the management to other administrators across multiple servers. Containers configured with a GMSA can access external Active Directory Domain resources while carrying the identity configured with the GMSA. Learn more about configuring and using GMSA for Windows containers [here](https://kubernetes.io/docs/concepts/configuration/workload-identity/). -### Taints and Tolerations - - -## ​Secrets Management - - - -1. Create a secret by following the[ standard directions](https://kubernetes.io/docs/tasks/inject-data-application/distribute-credentials-secure/#create-a-secret) -2. Configure your pod to receive the secret via an environment variable. - - `--- \ -apiVersion: v1 \ -kind: Pod \ -metadata: \ - name: secret-envars-test-pod \ -spec: \ - containers: \ - - name: envars-test-container \ - image: microsoft/windowsservercore:ltsc2019 \ - imagePullPolicy: Never \ - command: \ - - ping \ - - -t \ - - localhost \ - env: \ - - name: SECRET_USERNAME \ - valueFrom: \ - secretKeyRef: \ - name: test-secret \ - key: username \ - - name: SECRET_PASSWORD \ - valueFrom: \ - secretKeyRef: \ - name: test-secret \ - key: password` \ - - -3. Deploy the pod and verify that it is running: +## Taints and Tolerations +Users today will need to use some combination of taints and node selectors in order to keep Linux and Windows workloads on their respective OS-specific nodes. This will likely impose a burden only on Windows users. 
The recommended approach is outlined below, with one of its main goals being that this approach should not break compatibility for existing Linux workloads. -``` -kubectl create -f https://k8s.io/docs/getting-started-guides/windows/secret-pod.yaml -kubectl get pod secret-envars-test-pod - -``` +### Ensuring OS-specific workloads land on the appropriate container host +Users can ensure Windows containers can be scheduled on the appropriate host using Taints and Tolerations. All Kubernetes nodes today have the following default labels: -1. Open a shell into the container running the pod: -``` -kubectl exec -it secret-envars-test-pod -- powershell +* beta.kubernetes.io/os = [windows|linux] +* beta.kubernetes.io/arch = [amd64|arm64|...] -``` +If a Pod specification does not specify a nodeSelector like `"beta.kubernetes.io/os": windows`, it is possible the Pod can be scheduled on any host, Windows or Linux. This can be problematic since a Windows container can only run on Windows and a Linux container can only run on Linux. The best practice is to use a nodeSelector. +However, we understand that in many cases users have a pre-existing large number of deployments for Linux containers, as well as an ecosystem of off-the-shelf configurations, such as community Helm charts, and programmatic Pod generation cases, such as with Operators. In those situations, you may be hesitant to make the configuration change to add nodeSelectors. The alternative is to use Taints. Because the kubelet can set Taints during registration, it could easily be modified to automatically add a taint when running on Windows only. +For example: `--register-with-taints='os=Win1809:NoSchedule'` -1. See that the secret is in the environment variable: +By adding a taint to all Windows nodes, nothing will be scheduled on them (that includes existing Linux Pods). 
In order for a Windows Pod to be scheduled on a Windows node, it would need both the nodeSelector to choose Windows, and the appropriate matching toleration. ``` -echo $env:SECRET_USERNAME $env:SECRET_PASSWORD +nodeSelector: + "beta.kubernetes.io/os": windows +tolerations: + - key: "os" + operator: "Equal" + value: "Win1809" + effect: "NoSchedule" ``` -You should see the output:` \ -my-app \ -39528$vdg7Jb` - # ​Getting Help and Troubleshooting +Your main source of help for troubleshooting your Kubernetes cluster should start with this [section](https://kubernetes.io/docs/tasks/debug-application-cluster/troubleshooting/). Some additional, Windows-specific troubleshooting help is included in this section. -1. How do I know start.ps1 on Windows completed successfully? -You should see kubelet, kube-proxy, and (if you chose Flannel as your networking solution) flanneld host-agent processes running on your node, with running logs being displayed in separate PoSh windows. In addition to this, your Windows node should be listed as "Ready" in your Kubernetes cluster. +1. How do I know start.ps1 completed successfully? +You should see kubelet, kube-proxy, and (if you chose Flannel as your networking solution) flanneld host-agent processes running on your node, with running logs being displayed in separate PowerShell windows. In addition to this, your Windows node should be listed as "Ready" in your Kubernetes cluster. -2. Can I configure the Kubernetes node processes as in the background? + +2. Can I configure the Kubernetes node processes run in the background? 1. As native Windows Services -Kubelet & kube-proxy can be run as native [Windows Services](https://kubernetes.io/docs/getting-started-guides/windows/#kubelet-and-kube-proxy-can-now-run-as-windows-services). See [Windows Services on Kubernetes](https://docs.microsoft.com/en-us/virtualization/windowscontainers/kubernetes/kube-windows-services) for example steps. 
[TO DO create a section for setting up as Windows Services] +Kubelet & kube-proxy can be run as native [Windows Services](https://kubernetes.io/docs/getting-started-guides/windows/#kubelet-and-kube-proxy-can-now-run-as-windows-services). See [Windows Services on Kubernetes](https://docs.microsoft.com/en-us/virtualization/windowscontainers/kubernetes/kube-windows-services) for example steps. [TODO create a section for setting up as Windows Services] 2. Using nssm.exe -You can also always use alternative service managers like [nssm.exe](https://nssm.cc/) to always run these processes (flanneld, kubelet & kube-proxy) in the background for you. For initial troubleshooting, you can use the following flags in [nssm.exe](https://nssm.cc/) to redirect stdout and stderr to a output file: +Kubelet and kube-proxy are already configured to run as native Windows Services. However, you can also always use alternative service managers like [nssm.exe](https://nssm.cc/) to run these processes (flanneld, kubelet & kube-proxy) in the background for you. For initial troubleshooting, you can use the following flags in [nssm.exe](https://nssm.cc/) to redirect stdout and stderr to a output file: ``` 
@@ -1112,7 +1063,7 @@ If you are using virtual machines, ensure that MAC spoofing is enabled on all th 4. My Windows Pods cannot ping external resources -Windows pods do not have outbound rules programmed for the ICMP protocol today. However, TCP/UDP is supported. When trying to demonstrate connectivity to resources outside of the cluster, please substitute `ping ` with corresponding `curl ` commands. \ +Windows Pods do not have outbound rules programmed for the ICMP protocol today. However, TCP/UDP is supported. When trying to demonstrate connectivity to resources outside of the cluster, please substitute `ping ` with corresponding `curl ` commands. \ \ If you are still facing problems, most likely your network configuration in [cni.conf](https://github.com/Microsoft/SDN/blob/master/Kubernetes/flannel/l2bridge/cni/config/cni.conf) deserves some extra attention. You can always edit this static file, the configuration will be applied to any newly created Kubernetes resources. \ \ @@ -1150,7 +1101,7 @@ C:\k\kube-proxy.exe --hostname-override=$(hostname) 7. With flannel my nodes are having issues after rejoining a cluster -Whenever a previously deleted node is being rejoined to the cluster, flannelD will try to assign a new pod subnet to the node. Users should remove the old pod subnet configuration files in the following paths: +Whenever a previously deleted node is being re-joined to the cluster, flannelD will try to assign a new pod subnet to the node. Users should remove the old pod subnet configuration files in the following paths: ``` @@ -1191,7 +1142,7 @@ FLANNEL_IPMASQ=true 10. My Windows node cannot access my services using the service IP -This is a known limitation of the current networking stack on Windows. Windows pods are able to access the service IP however. +This is a known limitation of the current networking stack on Windows. Windows Pods are able to access the service IP however. 
@@ -1221,6 +1172,9 @@ If these steps don't resolve your problem, you can get help running Windows Cont * StackOverflow [Windows Server Container](https://stackoverflow.com/questions/tagged/windows-server-container) topic * Kubernetes Official Forum [discuss.kubernetes.io](https://discuss.kubernetes.io/) * Kubernetes Slack [#SIG-Windows Channel](https://kubernetes.slack.com/messages/C0SJ4AFB7) +1. DNS resolution is not properly working + +Check the DNS limitations for Windows in this section [todo insert link]. ### Bugs and Feature Requests 
@@ -1260,115 +1214,4 @@ The CRI-ContainerD interface will be able to manage sandboxes based on Hyper-V. ### Deployment with kubeadm and cluster API -Kubeadm is becoming the de facto standard for users to deploy a Kubernetes cluster. Windows node support in kubeadm will come in a future release. We are also making investments in cluster API to ensure Windows nodes are properly provisioned. - - -# Document 2: Windows Node contribution specifics - -[https://contributor.kubernetes.io/contributors/guide/](https://contributor.kubernetes.io/contributors/guide/) Under Contributing section - - -## Joining the SIG-Windows Mailing List and Slack Channel - -The best way to get in contact with the contributors working on Windows support is through the Kubernetes Slack. To get a Slack invite, visit [http://slack.k8s.io/](http://slack.k8s.io/) . Once you're logged in, join us in the [#SIG-Windows](https://kubernetes.slack.com/messages/C0SJ4AFB7) channel. - -To get access to shared documents, meeting calendar, and additional discussions, be sure to also join the [SIG-Windows Google Group](https://groups.google.com/forum/#!forum/kubernetes-sig-windows). - - -## Building Kubernetes for Windows from Source - -The Kubernetes build scripts have not been ported to Windows, so it's best to run in a Linux VM where you can run the same Docker container used in the official Kubernetes builds. This simplifies the steps, but means that you cannot build under Windows Subsystem for Linux (WSL). - -It's best to skim over the [Building Kubernetes](https://github.com/kubernetes/kubernetes/blob/master/build/README.md) guide if you have never built Kubernetes before to get the latest info. These steps are a summary focused on cross-building the Windows node binaries (kubelet & kube-proxy). - - -### ​Build Prerequisites - -At least 60GB of disk space is required, and 16GB of memory (or memory + swap). - -Once you have a VM, install Git, [Docker-CE](https://docs.docker.com/install/), and make. 
The build scripts will pull a Docker container with the required version of golang and other needed tools preinstalled. - -If you're using Ubuntu, then install the following packages: git, build-essential, [Docker-CE](https://docs.docker.com/install/linux/docker-ce/ubuntu/). - - -### ​Pulling a PR (optional) - -If there is a PR you would like to build, it's easy. You can create a working branch, pull the changes from GitHub in a patch, apply, then build. - -The examples here are based off a patch on GitHub: [https://github.com/kubernetes/kubernetes/pull/74788](https://github.com/kubernetes/kubernetes/pull/74788) . Be sure to replace the URL with the PR you want to test. - -First, make sure your local clone is up-to-date with master: `git checkout master ; git pull master` - -Next, create a branch in your repo: `git checkout -b pr74788` - -Now, get the patch for the PR you want. Append .patch to the URL, and download it with curl: `curl -L -o pr74788.patch https://github.com/kubernetes/kubernetes/pull/74788.patch` - -Merge it with ``patch -p1 < pr74788.patch`` - -If there are errors, fix them as needed. Once you're done, delete the .patch file and then `git commit` the rest to your local branch. - - -### Building Kubernetes binaries for Windows - -You can build individual components such as kubelet, kube-proxy, or kubectl by running `./build/run.sh make KUBE_BUILD_PLATFORMS=windows/amd64` such as `./build/run.sh make kubelet KUBE_BUILD_PLATFORMS=windows/amd64` - -If you would like to build all binaries at once, then run `./build/run.sh make cross KUBE_BUILD_PLATFORMS=windows/amd64` - -Once the build completes, the files will be in _output/dockerized/bin. - - -## Running Your Own Cluster - - -## Testing Your Changes - - -### Updating the Node binaries - -Once you have binaries built (see Building Kubernetes binaries for Windows), the easiest way to test them is to replace them on an existing cluster. Use the steps above to build a cluster in your cloud of choice. 
To update the binaries on an existing node, follow these steps: - - - -1. Drain & cordon a node with `kubectl drain ` -2. Connect to the node with SSH or Windows Remote Desktop, and start PowerShell -3. On the node, run `Stop-Service kubelet -Force` -4. Copy kubelet.exe and kube-proxy.exe to a cloud storage account, or use SSH to copy them directly to the node. -5. Overwrite the existing kubelet & kube-proxy binaries. If you don't know where they are, run `sc.exe qc kubelet` or `sc.exe qc kube-proxy` and look at the BINARY_PATH_NAME returned. -6. Start the updated kubelet & kube-proxy with `Start-Service kubelet` - - -### ​Running Tests - -For the most up-to-date steps on how to build and run tests, please go to [https://github.com/kubernetes-sigs/windows-testing](https://github.com/kubernetes-sigs/windows-testing) . It has everything you need to build and run tests, as well as links to the SIG-Windows configurations used on [TestGrid](https://testgrid.k8s.io/sig-windows). - - -## Reporting Issues - - -### Gathering Logs - -Gathering trouble shooting info for CNI. [https://github.com/kubernetes/kubernetes/issues/74766#issuecomment-468736127](https://github.com/kubernetes/kubernetes/issues/74766#issuecomment-468736127) - -On the node before creating the pod for the first time. - -start-birstranfer [https://raw.githubusercontent.com/Microsoft/SDN/master/Kubernetes/windows/debug/collectlogs.ps1](https://raw.githubusercontent.com/Microsoft/SDN/master/Kubernetes/windows/debug/collectlogs.ps1) - -run collectlogs.ps1 - -then start the trace by running the following command - -C:\k\debug\starthnstrace.cmd - -repro the issue - -run "netsh trace stop" - -then do again collectlogs.ps1 - -and send us both before and after collectlogs.ps1 and C:\server.etl - - - - - - +Kubeadm is becoming the de facto standard for users to deploy a Kubernetes cluster. Windows node support in kubeadm will come in a future release. 
We are also making investments in cluster API to ensure Windows nodes are properly provisioned. \ No newline at end of file diff --git a/content/en/docs/getting-started-guides/windows/complete-staging.md b/content/en/docs/getting-started-guides/windows/complete-staging.md deleted file mode 100644 index b894f3f337683..0000000000000 --- a/content/en/docs/getting-started-guides/windows/complete-staging.md +++ /dev/null 
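Review bot: the `## ​Motivation` heading kept as context in the `@@ -6,11 +6,6 @@` hunk still carries a zero-width space (U+200B) between the `## ` marker and the word, a leftover from the Google Doc export; the same invisible character is present in `# ​Getting Help and Troubleshooting` and in `### ​Running Tests` further down. Hugo derives anchor ids from the raw heading text, so these headings get unstable fragment ids and in-page links to them will break. Strip the U+200B from every heading in this file while the patch is touching them. Dropping the `# Document 1: ...` banner and the Google Doc / PR links is fine, since the `{{< note >}}` above already points at the tracking issue and the draft.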
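Review bot: the fences around `kubectl patch ds/kube-flannel-ds-amd64 --patch "$(cat node-selector-patch.yml)" -n=kube-system` and `kubectl get pods --all-namespaces` in the `@@ -662,11 +657,7 @@` hunk are still untagged; since the hunk is already tidying the blank lines around "After a few minutes, you should see all the pods as running", tag both fences with `shell` so the commands get highlighting like the other command blocks on the page.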
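Review bot: `### Join Windows Worker` is demoted to `#### Join Windows Worker` in the `@@ -683,9 +674,7 @@` hunk, but the paragraph under it says "follow the cloud specific guides in the next section"; check that that sibling section is at the same heading level after this change, otherwise the table of contents nests the Windows worker steps under the preceding Flannel subsection instead of beside the cloud guides.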
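Review bot: `If after reboot you may see the following error:` (context in the `@@ -715,13 +704,9 @@` hunk) is not a sentence; since the hunk already reflows this paragraph, change it to `After the reboot you may see the following error:`. In the same hunk the `HTTPS_PROXY` value `http://proxy.example.com:443/` uses an `http://` scheme; that is legitimate when the proxy listener itself is reached in the clear, but a reader copying the line should be told that the scheme refers to how the proxy is contacted, not to the destination traffic, so they do not "fix" it to `https://` and break CONNECT handling.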
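Review bot: the new `[PowerShell wrapper for WinSCP](https://www.powershellgallery.com/packages/WinSCP/5.13.2.0)` link in the `@@ -756,7 +741,7 @@` hunk pins a specific gallery version in the URL; link the package page without the version so the tip does not go stale. The sentence also lost its conjunction (`..., [WinSCP](...), [PowerShell wrapper for WinSCP](...) to transfer`); add `or` before the last item. Because the file being copied is `$HOME/.kube/config`, which holds the cluster's client credentials, one clause is worth adding: prefer WinSCP (SFTP/SCP, encrypted in transit) over `xcopy` to a plain file share, and restrict the copy under `C:\k` to administrators on the Windows node.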
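Review bot: the `.\start.ps1 -ManagementIP -NetworkMode overlay -ClusterCIDR -ServiceCIDR -KubeDnsServiceIP -LogDir` line in the `@@ -786,11 +771,11 @@` hunk has no values after `-ManagementIP`, `-ClusterCIDR`, `-ServiceCIDR`, `-KubeDnsServiceIP` or `-LogDir`; the angle-bracket placeholders were evidently dropped as HTML by the doc export. Restore them (for example `-ManagementIP <Windows node IP>`, escaped so markdown keeps them) so the command is usable. Adding the missing closing fence is correct and will make the gap visible to readers, so fix both in this hunk.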
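Review bot: the objective in the `@@ -890,15 +875,15 @@` hunk changes `(gMSA)` to `(GMSA)`; Microsoft's documentation spells the abbreviation `gMSA`, and the later "Starting with Kubernetes v1.14" paragraph uses `GMSA` too, so pick one spelling for the whole page. `Configure an Active Directory Identity for your Pod` should also use lower-case `identity`, since it is not a product name.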
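Review bot: `it could easily be modified to automatically add a taint when running on Windows only` in the Taints and Tolerations text of the `@@ -1001,97 +986,63 @@` hunk describes hypothetical kubelet behaviour, while the example that follows, `--register-with-taints='os=Win1809:NoSchedule'`, is a flag the cluster operator passes to the Windows kubelet today; say plainly that the operator adds this flag to the Windows kubelet arguments, and add that a `NoSchedule` taint only affects placement of new Pods (Pods already on the node are not evicted). The `nodeSelector:` / `tolerations:` YAML is a fragment of a Pod `spec:`; say so, indent it as it would appear under `spec:`, and tag the fence `yaml`. The hunk also removes the whole `## ​Secrets Management` walkthrough (`secret-envars-test-pod`); if that content now lives elsewhere, link to it, otherwise keep it, because the page otherwise no longer shows how a Windows Pod consumes a Secret.

In the troubleshooting part of the same hunk: `2. Can I configure the Kubernetes node processes run in the background?` is missing `to`; `to a output file` should be `to an output file`; and `[TODO create a section for setting up as Windows Services]` is an editorial placeholder that must not ship. The two sub-answers also contradict each other: 2.1 says kubelet and kube-proxy *can* be run as Windows Services, while 2.2 opens with `Kubelet and kube-proxy are already configured to run as native Windows Services`; decide which is true for the `start.ps1` flow described above and make both consistent.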
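Review bot: `ping ` and `curl ` in the `@@ -1112,7 +1063,7 @@` hunk have lost their placeholder arguments (the same angle-bracket dropout seen in the `start.ps1` line); restore them as `ping <IP>` and `curl <IP>` so the substitution advice reads correctly. The trailing ` \` on `commands. \` and the bare `\` lines between paragraphs are Google Doc line-break artifacts that render literally in markdown; replace them with blank lines while this hunk is touching the paragraph.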
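Review bot: the `@@ -1150,7 +1101,7 @@` hunk changes `rejoined` to `re-joined`, but `rejoined` is the standard spelling and the question two lines above still says `rejoining`; revert that part of the change. `flannelD` on the same line should be `flanneld`, matching the process name used elsewhere in the troubleshooting section.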
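Review bot: the new `1. DNS resolution is not properly working` entry in the `@@ -1221,6 +1172,9 @@` hunk is inserted after the list of help channels (StackOverflow, discuss.kubernetes.io, the Slack channel) that closes the troubleshooting section, so it reads as an orphan that restarts the numbering at 1; move it up with the other numbered questions and give it the next number in sequence. `[todo insert link]` is a placeholder that needs a real link before merge.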
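Review bot: the `@@ -1260,115 +1214,4 @@` hunk removes all of `# Document 2: Windows Node contribution specifics` (SIG-Windows contact details, building from source, pulling a PR, updating node binaries, running tests, gathering CNI logs) together with the empty `## Running Your Own Cluster` and `## Testing Your Changes` headings. If this material is moving to `https://contributor.kubernetes.io/contributors/guide/` as the removed header says, land it there (or in a companion PR) before deleting it here so the log-collection steps (`collectlogs.ps1`, `starthnstrace.cmd`, `netsh trace stop`) are not lost; the removed text also contains `start-birstranfer`, which should become `Start-BitsTransfer` wherever it ends up. The file now ends without a trailing newline (`\ No newline at end of file`); add one. Deleting `complete-staging.md` in the same commit is reasonable once `_index.md` carries the content.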
@@ -1,1363 +0,0 @@ -# Document 1: Using Windows containers in Kubernetes. Section: ​Overview - -([https://kubernetes.io/docs/getting-started-guides/windows/](https://kubernetes.io/docs/getting-started-guides/windows/) [https://github.com/kubernetes/website/pull/12929](https://github.com/kubernetes/website/pull/12929)) - - -## ​Motivation - -Windows applications constitute a large portion of the services and applications that run in many organizations. [Windows containers](https://aka.ms/windowscontainers) provide a modern way to encapsulate processes and package dependencies, making it easier to use DevOps practices and follow cloud native patterns for Windows applications. Kubernetes has become the defacto standard container orchestrator, and the release of Kubernetes 1.14 includes production support for scheduling Windows containers on Windows nodes in a Kubernetes cluster, enabling a vast ecosystem of Windows applications to leverage the power of Kubernetes. Enterprises with investments in Windows-based applications and Linux-based applications don't have to look for separate orchestrators to manage their workloads, leading to increased operational efficiencies across their deployments, regardless of operating system. - - -## ​Intro to Windows containers in Kubernetes - -To enable the orchestration of Windows containers in Kubernetes, simply include Windows nodes in your existing Linux cluster. Scheduling Windows containers in [Pods](https://kubernetes.io/docs/concepts/workloads/pods/pod-overview/) on Kubernetes is as simple and easy as scheduling Linux-based containers. - -In order to run Windows containers, your Kubernetes cluster must include multiple operating systems, with control plane nodes running Linux and workers running either Windows or Linux depending on your workload needs. 
Windows Server 2019 is the only Windows operating system supported, enabling [Kubernetes Node](https://github.com/kubernetes/community/blob/master/contributors/design-proposals/architecture/architecture.md#the-kubernetes-node) on Windows (including kubelet, [container runtime](https://docs.microsoft.com/en-us/virtualization/windowscontainers/deploy-containers/containerd), and kube-proxy). For a detailed explanation of Windows distribution channels see the [Microsoft documentation](https://docs.microsoft.com/en-us/windows-server/get-started-19/servicing-channels-19). - -NOTE: The Kubernetes control plane, including the [master components](https://kubernetes.io/docs/concepts/overview/components/), will continue to run on Linux. There are no plans have a Windows-only Kubernetes cluster. - - -## ​Supported Functionality and Limitations - - -### ​Supported Functionality - - -#### Compute - -From an API and kubectl perspective, Windows containers behave in much the same way as Linux-based containers. However, there are some notable differences in key functionality which are outlined in the limitation section. - -Let's start with the operating system version. Refer to the following table for Windows operating system support in Kubernetes. A single heterogeneous Kubernetes cluster can have both Windows and Linux worker nodes. Windows containers have to be scheduled on Windows nodes and Linux containers on Linux nodes. - - -
``` + Parameter
- - - - - - - - - - - - - - - - - - -
Kubernetes version - Host OS version (Kubernetes Node) - - -
- Windows Server 1709 - Windows Server 1803 - Windows Server 1809/Windows Server 2019 -
Kubernetes v1.14 - Not Supported - Not Supported - Supported for Windows Server containers Builds 17763.* with Docker EE-basic 18.09 -
- - - - NOTE: The Windows Server Host Operating System is subject to the [Windows Server ](https://www.microsoft.com/en-us/cloud-platform/windows-server-pricing) licensing. The Windows Container images are subject to the [Supplemental License Terms for Windows containers](https://docs.microsoft.com/en-us/virtualization/windowscontainers/images-eula). - - - NOTE: Windows containers have strict compatibility rules, [where the host OS version must match the container base image OS version.](https://docs.microsoft.com/en-us/virtualization/windowscontainers/deploy-containers/version-compatibility) - -Key Kubernetes elements work the same way in Windows as they do in Linux. In this section, we will talk about some of the key workload enablers and how they map to Windows. - - - -* [Pods](https://kubernetes.io/docs/concepts/workloads/pods/pod-overview/) - - A Pod is the basic building block of Kubernetes–the smallest and simplest unit in the Kubernetes object model that you create or deploy. The following Pod capabilities, properties and events are supported with Windows containers: - - - - * Single or multiple containers per Pod with process isolation and volume sharing - * Pod status fields - * Readiness and Liveness probes - * postStart & preStop container lifecycle events - * ConfigMap, Secrets: as environment variables or volumes - * EmptyDir - * Named pipe host mounts - * Resource limits -* [Controllers](https://kubernetes.io/docs/concepts/workloads/controllers/) - - Kubernetes controllers handle the desired state of Pods. The following workload controllers are supported with Windows containers: - - * ReplicaSet - * ReplicationController - * Deployments - * StatefulSets - * DaemonSet - * Job - * CronJob -* [Services](https://kubernetes.io/docs/concepts/services-networking/service/) - - A Kubernetes Service is an abstraction which defines a logical set of Pods and a policy by which to access them - sometimes called a micro-service. 
You can use services for cross-operating system connectivity. In Windows, services can utilize the following types, properties and capabilities: - - * Service Environment variables - * NodePort - * ClusterIP - * LoadBalancer - * ExternalName - * Headless services - -Pods, Controllers and Services are critical elements to managing Windows workloads on Kubernetes. However, on their own they are not enough to enable the proper lifecycle management of Windows workloads in a dynamic cloud native environment. We added support for the following features: - - - -* Pod and container metrics -* Horizontal Pod Autoscaler support -* KubeCtl Exec -* Resource Quotas -* Scheduler preemption - - -#### Container Runtime - -Docker EE-basic 18.09 is required on Windows Server 2019 / 1809 nodes for Kubernetes. This works with the dockershim code included in the kubelet. Additional runtimes such as CRI-ContainerD may be supported in later Kubernetes versions. - - -#### Storage - -Kubernetes Volumes enable complex applications with data persistence and Pod volume sharing requirements to be deployed on Kubernetes. Kubernetes on Windows supports the following types of [volumes](https://kubernetes.io/docs/concepts/storage/volumes/): - - - -* FlexVolume out-of-tree plugin with [SMB and iSCSI ](https://github.com/Microsoft/K8s-Storage-Plugins/tree/master/flexvolume/windows)support -* [azureDisk](https://kubernetes.io/docs/concepts/storage/volumes/#azuredisk) -* [azureFile ](https://kubernetes.io/docs/concepts/storage/volumes/#azurefile) - - -#### ​Networking - -Networking for Windows containers is exposed through [CNI plugins](https://kubernetes.io/docs/concepts/extend-kubernetes/compute-storage-net/network-plugins/). Windows containers function similarly to virtual machines in regards to networking. Each container has a virtual network adapter (vNIC) which is connected to a Hyper-V virtual switch (vSwitch). 
The Host Networking Service (HNS) and the Host Compute Service (HCS) work together to create containers and attach container vNICs to networks. HCS is responsible for the management of containers whereas HNS is responsible for the management of networking resources such as: - - - -* Virtual networks (including creation of vSwitches) -* Endpoints / vNICs -* Namespaces -* Policies (Packet encapsulations, Load-balancing rules, ACLs, NAT'ing rules, etc.) - -The following service spec types are supported: - - - -* NodePort -* ClusterIP -* LoadBalancer -* ExternalName - -Windows supports five different networking drivers/modes: L2bridge, L2tunnel, Overlay, Transparent, and NAT. In a heterogeneous cluster with Windows and Linux work nodes, you need to select a networking solution that is compatible on both Windows and Linux. The following out-of-tree plugins are supported on Windows, with recommendations on when to use each CNI: - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Network Driver - Description - Container Packet Modifications - Network Plugins - Network Plugin Characteristics -
L2bridge - Containers are attached to an external vSwitch. Containers are attached to the underlay network, although the physical network doesn't need to learn the container MACs because they are rewritten on ingress/egress. Inter-container traffic is bridged inside the container host. - MAC is rewritten to host MAC, IP remains the same. - win-bridge, Azure-CNI, Flannel host-gateway uses win-bridge - win-bridge uses L2bridge network mode, connects containers to the underlay of hosts, offering best performance. Requires L2 adjacency between container hosts -
L2Tunnel - This is a special case of l2bridge, but only used on Azure. All packets are sent to the virtualization host where SDN policy is applied. - MAC rewritten, IP visible on the underlay network - Azure-CNI - Azure-CNI allows integration of containers with Azure vNET, and allows them to leverage the set of capabilities that Azure Virtual Network provides. For example, securely connect to Azure services or use Azure NSGs. See azure-cni for some examples -
Overlay (Overlay networking for Windows in Kubernetes is in alpha stage) - Containers are given a vNIC connected to an external vSwitch. Each overlay network gets its own IP subnet, defined by a custom IP prefix.The overlay network driver uses VXLAN encapsulation. - Encapsulated with an outer header, inner packet remains the same. - Win-overlay, Flannel VXLAN (uses win-overlay), -

-OVN-Kubernetes (uses OpenVSwitch on Windows - Prebuilt certified installer), requires KB4482887 -

win-overlay should be used when virtual container networks are desired to be isolated from underlay of hosts (e.g. for security reasons). Allows for IPs to be re-used for different overlay networks (which have different VNID tags) if you are restricted on IPs in your datacenter. This option may be used when the container hosts are not L2 adjacent but have L3 connectivity -
Transparent (not used in Kubernetes) - Containers are given a vNIC connected to an external vSwitch. Containers are attached to the underlay network directly and the physical network needs to learn the container MACs. - Both MAC and IP remains the same. - - Included here for completeness -
NAT (not used in Kubernetes) - Containers are given a vNIC connected to an internal vSwitch. DNS/DHCP is provided using an internal component called WinNAT - MAC and IP is rewritten to host MAC/IP. - nat - Included here for completeness -
- - -Furthermore, for simplified consumption of the win-bridge and win-overlay plugins for end-users with automated network configurations, [Flannel](https://github.com/coreos/flannel) has added support for Windows in their [meta plugin](https://github.com/containernetworking/plugins/tree/master/plugins/meta/flannel) via the [VXLAN network backend](https://github.com/coreos/flannel/blob/master/Documentation/backends.md#vxlan) (**alpha support** ; delegates to win-overlay) and [host-gateway network backend](https://github.com/coreos/flannel/blob/master/Documentation/backends.md#host-gw) (stable support; delegates to win-bridge) with the [host-local plugin](https://github.com/containernetworking/plugins/tree/master/plugins/ipam/host-local) used for IP address management and the meta CNI network plugin [flannel](https://github.com/containernetworking/plugins/tree/master/plugins/meta/flannel#windows-support-experimental) for interacting between the delegated CNI plugin (win-bridge or win-overlay) and providing the host-local IPAM the correct range from subnet.env file provisioned by the flanneld agent. - -For the node, pod, and service objects, the following network flows are supported for TCP/UDP traffic: - - - -* Pod -> Pod (IP) -* Pod -> Pod (Name) -* Pod -> Service (Cluster IP) -* Pod -> Service (PQDN, but only if there are no ".") -* Pod -> Service (FQDN) -* Pod -> External (IP) -* Pod -> External (DNS) -* Node -> Pod -* Pod -> Node - -The following IPAM options are supported on Windows: - - - -* [Host-local](https://github.com/containernetworking/plugins/tree/master/plugins/ipam/host-local) -* HNS IPAM (Inbox platform IPAM, this is a fallback when no IPAM is set) -* [Azure-vnet-ipam](https://github.com/Azure/azure-container-networking/blob/master/docs/ipam.md) (for azure-cni only) - - -### ​​​​Limitations - - -#### Control Plane - -Windows is only supported as a worker node in the Kubernetes architecture and component matrix. 
This means that a Kubernetes cluster must always include Linux master nodes, zero or more Linux worker nodes, and zero or more Windows worker nodes. - - -#### ​Compute - - -##### Resource management and process isolation - - Linux cgroups are used as a pod boundary for resource controls in Linux. Containers are created within that boundary for network, process and file system isolation. The cgroups APIs can be used to gather cpu/io/memory stats. In contrast, Windows uses a Job object per container with a system namespace filter to contain all processes in a container and provide logical isolation from the host. There is no way to run a Windows container without the namespace filtering in place. This means that system privileges cannot be asserted in the context of the host, and thus privileged containers are not available on Windows. Containers cannot assume an identity from the host because the Security Account Manager (SAM) is separate. - - -##### Operating System Restrictions - -Windows has strict compatibility rules, where the host OS version must match the container base image OS version. Only Windows containers with a container operating system of Windows Server 2019 are supported. Hyper-V isolation of containers, enabling some backward compatibility of Windows container image versions, is planned for a future release. - - -##### Feature Restrictions - - - -* TerminationGracePeriod: not implemented -* Single file mapping: to be implemented with CRI-ContainerD -* Termination message: to be implemented with CRI-ContainerD -* Privileged Containers: not currently supported in Windows containers -* HugePages -* The existing node problem detector is Linux-only and requires privileged containers. 
In general, we don't expect this to be used on Windows because privileged containers are not supported -* Not all features of shared namespaces are supported (see API section for more details) - - -##### Memory Reservations and Handling - -Windows does not have an out-of-memory process killer as Linux does. Windows always treats all user-mode memory allocations as virtual, and pagefiles are mandatory. The net effect is that Windows won't reach out of memory conditions the same way Linux does, and processes will page to disk instead of being subject to out of memory (OOM) termination. If memory is over-provisioned and all physical memory is exhausted, then paging can slow down performance. - -Keeping memory usage within reasonable bounds is possible with a two-step process. First, use the kubelet parameters `--kubelet-reserve` and/or `--system-reserve` to account for memory usage on the node (outside of containers). This will reduce [NodeAllocatable](https://kubernetes.io/docs/tasks/administer-cluster/reserve-compute-resources/#node-allocatable)). As you deploy workloads, use resource limits (must set only limits or limits must equal requests) on containers. This will also subtract from NodeAllocatable and prevent the scheduler from adding more pods once a node is full. - -A best practice to avoid over-provisioning is to configure the kubelet with a system reserved memory of at least 2GB to account for Windows, Docker, and Kubernetes processes. - -The behaviour of the flags behave differently as described below: - - - -* --kubelet-reserve, --system-reserve , and --eviction-hard flags update Node Allocatable -* Eviction by using --enforce-node-allocable is not implemented -* Eviction by using --eviction-hard and --eviction-soft are not implemented -* MemoryPressure Condition is not implemented -* There are no OOM eviction actions taken by the kubelet -* Kubelet running on the windows node does not have memory restrictions. 
--kubelet-reserve and --system-reserve do not set limits on kubelet or processes running the host. This means kubelet or a process on the host could cause memory resource starvation outside the node-allocatable and scheduler - - -#### ​Storage - -Windows has a layered filesystem driver to mount container layers and create a copy filesystem based on NTFS. All file paths in the container are resolved only within the context of that container. - - - -* Volume mounts can only target a directory in the container, and not an individual file -* Volume mounts cannot project files or directories back to the host filesystem -* Read-only filesystems are not supported because write access is always required for the Windows registry and SAM database. However, read-only volumes are supported -* Volume user-masks and permissions are not available. Because the SAM is not shared between the host & container, there's no mapping between them. All permissions are resolved within the context of the container - -As a result, the following storage functionality is not supported on Windows nodes - - - -* Windows does not support volume subpath mounts. Only the entire volume can be mounted in a Windows container. -* Subpath volume mounting for Secrets -* Host mount projection -* DefaultMode (due to UID/GID dependency) -* Read-only root filesystem. Mapped volumes still support readOnly -* Block device mapping -* Memory as the storage medium -* CSI plugins which require privileged containers -* File system features like uui/guid, per-user Linux filesystem permissions -* NFS based storage/volume support - - -#### Networking - -Windows Container Networking differs in some important ways from Linux networking. The [Microsoft documentation for Windows Container Networking](https://docs.microsoft.com/en-us/virtualization/windowscontainers/container-networking/architecture) contains additional details and background. 
- -The Windows host networking networking service and virtual switch implement namespacing and can create virtual NICs as needed for a pod or container. However, many configurations such as DNS, routes, and metrics are stored in the Windows registry database rather than /etc/... files as they are on Linux. The Windows registry for the container is separate from that of the host, so concepts like mapping /etc/resolv.conf from the host into a container don't have the same effect they would on Linux. These must be configured using Windows APIs run in the context of that container. Therefore CNI implementations need to call the HNS instead of relying on file mappings to pass network details into the pod or container. - -The following networking functionality is not supported on Windows nodes - - - -* Host networking mode is not available for Windows pods -* Local NodePort access from the node itself will fail (works for other nodes or external clients) -* Accessing service VIPs from nodes will be available with a future release of Windows Server -* Overlay networking support in kube-proxy is an alpha release. In addition, it requires [KB4482887](https://support.microsoft.com/en-us/help/4482887/windows-10-update-kb4482887) to be installed on Windows Server 2019 -* Outbound communication using the ICMP protocol via the win-overlay, win-bridge, and Azure-CNI plugin. Specifically, the Windows data plane ([VFP](https://www.microsoft.com/en-us/research/project/azure-virtual-filtering-platform/)) doesn't support ICMP packet transpositions. This means: - * ICMP packets directed to destinations within the same network (e.g. pod to pod communication via ping) will work as expected and without any limitations - * TCP/UDP packets will work as expected and without any limitations - * ICMP packets directed to pass through a remote network (e.g. 
pod to external internet communication via ping) cannot be transposed and thus will not be routed back to their source - * Since TCP/UDP packets can still be transposed, one can substitute **ping ** with **curl ** to be able to debug connectivity to the outside world. - - -##### CNI Plugins - - - -* Windows reference network plugins win-bridge and win-overlay do not currently implement [CNI spec](https://github.com/containernetworking/cni/blob/master/SPEC.md) v0.4.0 due to missing "CHECK" implementation. -* The Flannel VXLAN CNI has the following limitations on Windows: -1. Node-pod connectivity isn't possible by design. It's only possible for local pods with Flannel PR[ https://github.com/coreos/flannel/pull/1096](https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Fcoreos%2Fflannel%2Fpull%2F1096&data=02%7C01%7CDavid.Schott%40microsoft.com%7Cfa26c088fac743188e7d08d69ea3d836%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C636870823885740325&sdata=1QEvw9Gh6IioT7ruVhhXAlSgN1a%2FMsqn4ViDQSSSVjs%3D&reserved=0) -2. We are restricted to using VNI 4096 and UDP port 4789. The VNI limitation is being worked on and will be overcome (open-source flannel changes). See official [Flannel VXLAN ](https://github.com/coreos/flannel/blob/master/Documentation/backends.md#vxlan)backend docs for more details on these parameters. - - -##### DNS - - - -* ClusterFirstWithHostNet is not supported for DNS. Windows treats all names with a '.' as a FQDN and skips PQDN resolution -* On Linux, you have a DNS suffix list, which is used when trying to resolve PQDNs. On Windows, we only have 1 DNS suffix, which is the the DNS suffix associated with that pod's namespace (mydns.svc.cluster.local for example). Windows can resolve FQDNs and services or names resolvable with just that suffix. For example, a pod spawned in the default namespace, will have the DNS suffix **default.svc.cluster.local**. 
On a Windows pod, we will be able to resolve both **kubernetes.default.svc.cluster.local** and **kubernetes**, but not the in-betweens, like **kubernetes.default** or **kubernetes.default.svc**. - -Security - -Secrets are written in clear text on the node's volume (as compared to tmpfs/in-memory on linux). This means customers have to do two things - - - -1. Use file ACLs to secure the secrets file location -2. ​Use volume-level encryption using [BitLocker](https://docs.microsoft.com/en-us/windows/security/information-protection/bitlocker/bitlocker-how-to-deploy-on-windows-server) - -[RunAsUser ](https://kubernetes.io/docs/concepts/policy/pod-security-policy/#users-and-groups)is not currently supported on Windows. The workaround is to create local accounts before packaging the container. The RunAsUsername capability may be added in a future release. - -Linux specific pod security context privileges such as SELinux, AppArmor, Seccomp, Capabilities (POSIX Capabilities), and others are not supported. - -In addition, as mentioned already, privileged containers are not supported on Windows. - - -#### API - -There are no differences in how most of the Kubernetes APIs work for Windows. The subtleties around what's different come down to differences in the OS and container runtime. In certain situations, some properties on workload APIs such as Pod or Container were designed with an assumption that they are implemented on Linux, failing to run on Windows. \ - \ -At a high level, these OS concepts are different: - - - -* Identity - Linux uses userID (UID) and groupID (GID) which are represented as integer types. User and group names are not canonical - they are just an alias in /etc/groups or /etc/passwd back to UID+GID. Windows uses a larger binary security identifier (SID) which is stored in the Windows Security Access Manager (SAM) database. This database is not shared between the host and containers, or between containers. 
-* File permissions - Windows uses an access control list based on SIDs, rather than a bitmask of permissions and UID+GID -* File paths - convention on Windows is to use **\** instead of **/**. The Go IO libraries typically accept both and just make it work, but when you're setting a path or command line that's interpreted inside a container, **\** may be needed. -* Signals - Windows interactive apps handle termination differently, and can implement one or more of these: - * A UI thread will handle well-defined messages including WM_CLOSE - * Console apps will handle ctrl-c or ctrl-break using a Control Handler - * Services will register a Service Control Handler function that can accept SERVICE_CONTROL_STOP control codes - -Exit Codes follow the same convention where 0 is success, nonzero is failure. The specific error codes may differ across Windows and Linux. However, exit codes passed from the Kubernetes components (kubelet, kube-proxy) will be unchanged. - - -##### V1.Container - - - -* V1.Container.ResourceRequirements.limits.cpu and V1.Container.ResourceRequirements.limits.memory - Windows doesn't use hard limits for CPU allocations. Instead, a share system is used. The existing fields based on millicores are scaled into relative shares that are followed by the Windows scheduler. [see: kuberuntime/helpers_windows.go](https://github.com/kubernetes/kubernetes/blob/master/pkg/kubelet/kuberuntime/helpers_windows.go), [see: resource controls in Microsoft docs](https://docs.microsoft.com/en-us/virtualization/windowscontainers/manage-containers/resource-controls) - * Huge pages are not implemented in the Windows container runtime, and are not available. They require [asserting a user privilege](https://docs.microsoft.com/en-us/windows/desktop/Memory/large-page-support) that's not configurable for containers. 
-* V1.Container.ResourceRequirements.requests.cpu and V1.Container.ResourceRequirements.requests.memory - Requests are subtracted from node available resources, so they can be used to avoid overprovisioning a node. However, they cannot be used to guarantee resources in an overprovisioned node. They should be applied to all containers as a best practice if the operator wants to avoid overprovisioning entirely. -* V1.Container.SecurityContext.allowPrivilegeEscalation - not possible on Windows, none of the capabilities are hooked up -* V1.Container.SecurityContext.Capabilities - POSIX capabilities are not implemented on Windows -* V1.Container.SecurityContext.privileged - Windows doesn't support privileged containers -* V1.Container.SecurityContext.procMount - Windows doesn't have a /proc filesystem -* V1.Container.SecurityContext.readOnlyRootFilesystem - not possible on Windows, write access is required for registry & system processes to run inside the container -* V1.Container.SecurityContext.runAsGroup - not possible on Windows, no GID support -* V1.Container.SecurityContext.runAsNonRoot - Windows does not have a root user. The closest equivalent is ContainerAdministrator which is an identity that doesn't exist on the node. -* V1.Container.SecurityContext.runAsUser - not possible on Windows, no UID support as int. -* V1.Container.SecurityContext.seLinuxOptions - not possible on Windows, no SELinux -* V1.Container.terminationMessagePath - this has some limitations in that Windows doesn't support mapping single files. The default value is /dev/termination-log, which does work because it does not exist on Windows by default. - -##### -V1.Pod - -* V1.Pod.hostIPC, v1.pod.hostpid - host namespace sharing is not possible on Windows -* V1.Pod.hostNetwork - There is no Windows OS support to share the host network -* V1.Pod.dnsPolicy - ClusterFirstWithHostNet - is not supported because Host Networking is not supported on Windows. 
-* V1.Pod.podSecurityContext - see [V1.PodSecurityContext](https://github.com/kubernetes/enhancements/blob/master/keps/sig-windows/20190103-windows-node-support.md#v1podsecuritycontext) -* V1.Pod.shareProcessNamespace - this is an beta feature, and depends on Linux namespaces which are not implemented on Windows. Windows cannot share process namespaces or the container's root filesystem. Only the network can be shared. -* V1.Pod.terminationGracePeriodSeconds - this is not fully implemented in Docker on Windows, see: [reference](https://github.com/moby/moby/issues/25982). The behavior today is that the ENTRYPOINT process is sent CTRL_SHUTDOWN_EVENT, then Windows waits 5 seconds by hardcoded default, and finally shuts down all processes using the normal Windows shutdown behavior. The 5 second default is actually in the Windows registry [inside the container](https://github.com/moby/moby/issues/25982#issuecomment-426441183), so it can be overridden when the container is built. -* V1.Pod.volumeDevices - this is an beta feature, and is not implemented on Windows. Windows cannot attach raw block devices to pods. -* V1.Pod.volumes - EmptyDir, Secret, ConfigMap, HostPath - all work and have tests in TestGrid - * V1.emptyDirVolumeSource - the Node default medium is disk on Windows. Memory is not supported, as Windows does not have a built-in RAM disk. -* V1.VolumeMount.mountPropagation - only MountPropagationHostToContainer is available. Windows cannot create mounts within a pod or project them back to the node. - -##### -V1.PodSecurityContext - - -None of the PodSecurityContext fields work on Windows. They're listed here for reference. - - - -* V1.PodSecurityContext.SELinuxOptions - SELinux is not available on Windows -* V1.PodSecurityContext.RunAsUser - provides a UID, not available on Windows -* V1.PodSecurityContext.RunAsGroup - provides a GID, not available on Windows -* V1.PodSecurityContext.RunAsNonRoot - Windows does not have a root user. 
The closest equivalent is ContainerAdministrator which is an identity that doesn't exist on the node. -* V1.PodSecurityContext.SupplementalGroups - provides GID, not available on Windows -* V1.PodSecurityContext.Sysctls - these are part of the Linux sysctl interface. There's no equivalent on Windows. - - -# ​User Guide: Add Windows Nodes in Kubernetes - - -## ​Objectives - -The Kubernetes platform can now be used to run both Linux and Windows containers. One or more Windows nodes can be registered to a cluster. This guide shows how to: - - - -* Register a Windows node to the cluster -* Configure networking so pods on Linux and Windows can communicate - - -## ​Before you begin - - - -* Obtain a [Windows Server license](https://www.microsoft.com/en-us/cloud-platform/windows-server-pricing) in order to run the Windows node that will execute the Windows container. You can use your organization's licenses for the cluster, or acquire one from Microsoft, a reseller, or via the major cloud providers such as GCP, AWS, and Azure by provisioning a virtual machine running Windows Server through their marketplaces. A [time-limited trial](https://www.microsoft.com/en-us/cloud-platform/windows-server-trial) is also available. -* Build a Linux-based Kubernetes cluster in which you have access to the control plane (some examples include [Getting Started from Scratch](https://kubernetes.io/docs/setup/scratch/), [kubeadm](https://kubernetes.io/docs/setup/independent/create-cluster-kubeadm/), [AKS Engine](https://kubernetes.io/docs/setup/turnkey/azure/), [GCE](https://kubernetes.io/docs/setup/turnkey/gce/), [AWS](https://kubernetes.io/docs/setup/turnkey/aws/)). - - -## ​Getting Started: Adding a Windows Node to Your Cluster - - -### ​Plan IP Addressing - -Kubernetes cluster management requires careful planning of your IP addresses so that you do not inadvertently cause network collision. 
This guide assumes that you are familiar with the [Kubernetes networking concepts](https://kubernetes.io/docs/concepts/cluster-administration/networking/). - -In order to deploy your cluster you will need the following address spaces: - - - - - - - - - - - - - - - - - - - - - - - -
Subnet / address range - Description - Default value -
Service Subnet - A non-routable, purely virtual subnet that is used by pods to uniformly access services without caring about the network topology. It is translated to/from routable address space by kube-proxy running on the nodes. - "10.96.0.0/12" -
Cluster Subnet - This is a global subnet that is used by all pods in the cluster. Each node is assigned a smaller /24 subnet from this for their pods to use. It must be large enough to accommodate all pods used in your cluster. To calculate minimumsubnet size: (number of nodes) + (number of nodes * maximum pods per node that you configure) -

-Example: for a 5 node cluster for 100 pods per node: (5) + (5 * 100) = 505. -

"10.244.0.0/16" -
Kubernetes DNS Service IP - IP address of kube-dns service that will be used for DNS resolution & cluster service discovery. - "10.96.0.10" -
- - -Review the networking options supported in 'Intro to Windows containers in Kubernetes: Supported Functionality: Networking' to determine how you need to allocate IP addresses for your cluster. - - -### Components that run on Windows - -While the Kubernetes control plane runs on your Linux node(s), the following components will be configured and run on your Windows node(s). - - - -1. kubelet -2. kube-proxy -3. kubectl (optional) -4. Container runtime - -Get the latest binaries from [https://github.com/kubernetes/kubernetes/releases](https://github.com/kubernetes/kubernetes/releases), starting with v1.14 or later. The Windows-amd64 binaries for kubeadm, kubectl, kubelet, and kube-proxy can be found under the CHANGELOG link. - - -### ​Networking Configuration - -Once you have a Linux-based Kubernetes master node you are ready to choose a networking solution. This guide illustrates using Flannel in VXLAN mode for simplicity. - - -#### ​Configuring Flannel in VXLAN mode on the Linux controller - - - -1. Prepare Kubernetes master for Flannel - -Some minor preparation is recommended on the Kubernetes master in our cluster. It is recommended to enable bridged IPv4 traffic to iptables chains when using Flannel. This can be done using the following command: - - -``` -sudo sysctl net.bridge.bridge-nf-call-iptables=1 - -``` - - - -1. Download & configure Flannel - -Download the most recent Flannel manifest: - - -``` -wget https://raw.githubusercontent.com/coreos/flannel/master/Documentation/kube-flannel.yml -``` - - -There are two sections you should modify to enable the vxlan networking backend: - -After applying the steps below, the `net-conf.json` section of `kube-flannel.yml` should look as follows: - - -``` -net-conf.json: | - { - "Network": "10.244.0.0/16", - "Backend": { - "Type": "vxlan", - "VNI" : 4096, - "Port": 4789 - } - } - -``` - - - -1. In the `net-conf.json` section of your `kube-flannel.yml`, double-check: - 1. The cluster subnet (e.g. 
"10.244.0.0/16") is set as per your IP plan. - * VNI 4096 is set in the backend - * Port 4789 is set in the backend -2. In the `cni-conf.json` section of your `kube-flannel.yml`, change the network name to "`vxlan0"`. - -Note: The VNI must be set to 4096 and port 4789 for Flannel on Linux to interoperate with Flannel on Windows. Support for other VNIs is coming soon. See [VXLAN](https://github.com/coreos/flannel/blob/master/Documentation/backends.md#vxlan) for an explanation of these fields. - -Your `cni-conf.json` should look as follows: - - -``` -cni-conf.json: | - { - "name": "vxlan0", - "plugins": [ - { - "type": "flannel", - "delegate": { - "hairpinMode": true, - "isDefaultGateway": true - } - }, - { - "type": "portmap", - "capabilities": { - "portMappings": true - } - } - ] - } - -``` - - - -1. Apply the Flannel yaml and Validate - -Let's apply the Flannel configuration: - - -``` -kubectl apply -f kube-flannel.yml -``` - - -Next, since the Flannel pods are Linux-based, apply a NodeSelector patch, which can be found [here](https://github.com/Microsoft/SDN/blob/1d5c055bb195fecba07ad094d2d7c18c188f9d2d/Kubernetes/flannel/l2bridge/manifests/node-selector-patch.yml), to the Flannel DaemonSet pod: - - -``` - kubectl patch ds/kube-flannel-ds-amd64 --patch "$(cat node-selector-patch.yml)" -n=kube-system -``` - - -After a few minutes, you should see all the pods as running if the Flannel pod network was deployed. - - -``` -kubectl get pods --all-namespaces -``` - -![alt_text](flannel-master-kubeclt-get-pods.png "flannel master kubectl get pods screen capture") - - -Verify that the Flannel DaemonSet has the NodeSelector applied. - - -``` -kubectl get ds -n kube-system -``` - -![alt_text](flannel-master-kubectl-get-ds.png "flannel master kubectl get ds screen capture") - - - -### Join Windows Worker - -In this section we'll cover configuring a Windows node from scratch to join a cluster on-prem. 
If your cluster is on a cloud you'll likely want to follow the cloud specific guides in the next section. - - -#### Preparing a Windows Node - -Note: All code snippets in Windows sections are to be run in a PowerShell environment with elevated permissions (Admin). - - - -1. Install Docker (requires a system reboot) - -Kubernetes uses [Docker](https://www.docker.com/) as its container engine, so we need to install it. You can follow the [official Docs instructions](https://docs.microsoft.com/en-us/virtualization/windowscontainers/manage-docker/configure-docker-daemon#install-docker), the [Docker instructions](https://store.docker.com/editions/enterprise/docker-ee-server-windows), or try these steps: - - -``` -PS C:\Users\Administrator\Install-Module -Name DockerMsftProvider -Repository PSGallery -Force -PS C:\Users\Administrator\Install-Package -Name Docker -ProviderName DockerMsftProvider -PS C:\Users\Administrator\Restart-Computer -Force -``` - - -If you are behind a proxy, the following PowerShell environment variables must be defined: - - -``` -[Environment]::SetEnvironmentVariable("HTTP_PROXY", "http://proxy.example.com:80/", [EnvironmentVariableTarget]::Machine) -[Environment]::SetEnvironmentVariable("HTTPS_PROXY", "http://proxy.example.com:443/", [EnvironmentVariableTarget]::Machine) -``` - - -If after reboot you may see the following error: - -![alt_text](windows-docker-error.png "windows docker error screen capture") - - -If so then you need to restart the docker service manually: - - -``` -Start-Service docker -``` - - -Note: the "pause" (infrastructure) image is on Microsoft Container Registry (MCR) and the DOCKERFILE is available at [https://github.com/Microsoft/SDN/blob/master/Kubernetes/windows/Dockerfile](https://github.com/Microsoft/SDN/blob/master/Kubernetes/windows/Dockerfile) - - -``` -docker pull mcr.microsoft.com/k8s/core/pause:1.0.0 - -``` - - - -2. 
Prepare a Windows directory for Kubernetes - -Create a "Kubernetes for Windows" directory to store Kubernetes binaries as well as any deployment scripts and config files. - - -``` -mkdir c:\k - -``` - - - -3. Copy Kubernetes certificate - -Copy the Kubernetes certificate file (`$HOME/.kube/config`) [from Linux controller](https://docs.microsoft.com/en-us/virtualization/windowscontainers/kubernetes/creating-a-linux-master#collect-cluster-information) to this new `C:\k` directory on your Windows node. - -Tip: You can use tools such as [xcopy](https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/xcopy) or [WinSCP](https://winscp.net/eng/download.php) to transfer the config file between nodes. - - - -4. Download Kubernetes binaries - -To be able to run Kubernetes, you first need to download the `kubectl`, `kubelet`, and `kube-proxy` binaries. You can download these from the links in the CHANGELOG.md file of the [latest releases](https://github.com/kubernetes/kubernetes/releases/). - -Use the [Expand-Archive](https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.archive/expand-archive?view=powershell-6) PowerShell command to extract the archive and place the binaries into `C:\k`. - - -#### Join the Windows node to the Flannel cluster - -The Flannel overlay deployment scripts and documentation are available in [this repository](https://github.com/Microsoft/SDN/tree/master/Kubernetes/flannel/overlay). The following steps are a simple walkthrough of the more comprehensive instructions available there. 
- -Download the [Flannel start.ps1](https://github.com/Microsoft/SDN/blob/master/Kubernetes/flannel/start.ps1) script, the contents of which should be extracted to `C:\k`: - - -``` -cd c:\k -[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 -wget https://raw.githubusercontent.com/Microsoft/SDN/master/Kubernetes/flannel/start.ps1 -o c:\k\start.ps1 -``` - - -Note: [start.ps1](https://github.com/Microsoft/SDN/blob/master/Kubernetes/flannel/start.ps1) references [install.ps1](https://github.com/Microsoft/SDN/blob/master/Kubernetes/windows/install.ps1), which will download additional files such as the `flanneld` executable and the [Dockerfile for infrastructure pod](https://github.com/Microsoft/SDN/blob/master/Kubernetes/windows/Dockerfile) and install those for you. For overlay networking mode, the [firewall](https://github.com/Microsoft/SDN/blob/master/Kubernetes/windows/helper.psm1#L111) will be opened for local UDP port 4789. There may be multiple powershell windows being opened/closed as well as a few seconds of network outage while the new external vSwitch for the pod network is being created the first time. Run the script using the arguments as specified below: - - -``` -.\start.ps1 -ManagementIP -NetworkMode overlay -ClusterCIDR -ServiceCIDR -KubeDnsServiceIP -LogDir - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
``` - -Parameter - Default Value - Notes -
-ManagementIP - N/A (required) - The IP address assigned to the Windows node. You can use ipconfig to find this. -
-NetworkMode - l2bridge - We're using overlay here -
-ClusterCIDR - 10.244.0.0/16 - Refer to your cluster IP plan -
-ServiceCIDR - 10.96.0.0/12 - Refer to your cluster IP plan -
-KubeDnsServiceIP - 10.96.0.10 - -
-InterfaceName - Ethernet - The name of the network interface of the Windows host. You can use ipconfig to find this. -
-LogDir - C:\k - The directory where kubelet and kube-proxy logs are redirected into their respective output files. -
- - -Now you can view the Windows nodes in your cluster by running the following: - - -``` -kubectl get nodes -``` - - - -### ​Public Cloud Providers - - -#### Azure - -AKS-Engine can deploy a complete, customizable Kubernetes cluster with both Linux & Windows nodes. There is a step-by-step walkthrough available in the [docs on GitHub](https://github.com/Azure/aks-engine/blob/master/docs/topics/windows.md). - - -#### ​GCP - -Users can easily deploy a complete Kubernetes cluster on GCE following this step-by-step walkthrough on [GitHub](https://github.com/kubernetes/kubernetes/blob/master/cluster/gce/windows/README-GCE-Windows-kube-up.md) - - -#### ​Deployment with kubeadm and cluster API - -Kubeadm is becoming the de facto standard for users to deploy a Kubernetes cluster. Windows node support in kubeadm will come in a future release. We are also making investments in cluster API to ensure Windows nodes are properly provisioned. - - -#### Next Steps - -Now that you've configured a Windows worker in your cluster to run Windows containers you may want to add one or more Linux nodes as well to run Linux containers. Now you're ready to proceed to the next step to schedule Windows containers on your cluster. - - -# User Guide: Running Windows containers in Kubernetes - - -## Objectives - - - -* Configure a deployment to run Windows containers on the Windows node -* (Optional) Configure Windows service identity using Group Managed Service Accounts (gMSA) - - -## Before you begin - - - -* Create a Kubernetes cluster that includes a master and a worker node running Windows Server -* It is important to note that creating and deploying services and workloads on Kubernetes behaves in much the same way for Linux and Windows containers. [Kubectl commands](https://kubernetes.io/docs/reference/kubectl/overview/) to interface with the cluster are identical. The example in the section below is provided simply to jumpstart your experience with Windows containers. 
- - -## ​Getting Started: Deploying a Windows Container - - - -1. Create a simple webserver example: - -Create a service spec `win-webserver.yaml` with the contents below: [TODO create this as a file in the docs folder and add a link] - - -``` -apiVersion: v1 -kind: Service -metadata: - name: win-webserver - labels: - app: win-webserver -spec: - ports: - # the port that this service should serve on - - port: 80 - targetPort: 80 - selector: - app: win-webserver - type: NodePort ---- -apiVersion: extensions/v1beta1 -kind: Deployment -metadata: - labels: - app: win-webserver - name: win-webserver -spec: - replicas: 2 - template: - metadata: - labels: - app: win-webserver - name: win-webserver - spec: - containers: - - name: windowswebserver - image: mcr.microsoft.com/windows/servercore:ltsc2019 - command: - - powershell.exe - - -command - - "<#code used from https://gist.github.com/wagnerandrade/5424431#> ; $$listener = New-Object System.Net.HttpListener ; $$listener.Prefixes.Add('http://*:80/') ; $$listener.Start() ; $$callerCounts = @{} ; Write-Host('Listening at http://*:80/') ; while ($$listener.IsListening) { ;$$context = $$listener.GetContext() ;$$requestUrl = $$context.Request.Url ;$$clientIP = $$context.Request.RemoteEndPoint.Address ;$$response = $$context.Response ;Write-Host '' ;Write-Host('> {0}' -f $$requestUrl) ; ;$$count = 1 ;$$k=$$callerCounts.Get_Item($$clientIP) ;if ($$k -ne $$null) { $$count += $$k } ;$$callerCounts.Set_Item($$clientIP, $$count) ;$$ip=(Get-NetAdapter | Get-NetIpAddress); $$header='

Windows Container Web Server

' ;$$callerCountsString='' ;$$callerCounts.Keys | % { $$callerCountsString+='

IP {0} callerCount {1} ' -f $$ip[1].IPAddress,$$callerCounts.Item($$_) } ;$$footer='' ;$$content='{0}{1}{2}' -f $$header,$$callerCountsString,$$footer ;Write-Output $$content ;$$buffer = [System.Text.Encoding]::UTF8.GetBytes($$content) ;$$response.ContentLength64 = $$buffer.Length ;$$response.OutputStream.Write($$buffer, 0, $$buffer.Length) ;$$response.Close() ;$$responseStatus = $$response.StatusCode ;Write-Host('< {0}' -f $$responseStatus) } ; " - nodeSelector: - beta.kubernetes.io/os: windows -``` - - -Note: Port mapping is also supported, but for simplicity in this example the container port 80 is exposed directly to the service. - - - -2. Check that all nodes are healthy: - - ``` - kubectl get nodes - ``` - - -3. Deploy the service and watch for pod updates: - - ``` - kubectl apply -f win-webserver.yaml - - kubectl get pods -o wide -w - When the service is deployed correctly both Pods will be marked as Ready. To exit the watch command, press Ctrl+C. - - ``` - - - -4. Check that the deployment succeeded. 
To verify: - * Two containers per pod on the Windows node, use `docker ps` - * Two pods listed from the Linux master, use `kubectl get pods` - * Node-to-pod communication across the network, `curl` port 80 of your pod IPs from the Linux master to check for a web server response - * Pod-to-pod communication, ping between pods (and across hosts, if you have more than one Windows node) using docker exec or kubectl exec - * Service-to-pod communication, `curl` the virtual service IP (seen under `kubectl get services`) from the Linux master and from individual pods - * Service discovery, `curl` the service name with the Kubernetes[ default DNS suffix](https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#services) - * Inbound connectivity, `curl` the NodePort from the Linux master or machines outside of the cluster - * Outbound connectivity, `curl` external IPs from inside the pod using kubectl exec - -**Note: **Windows _container hosts_ are not able to access the IP of services scheduled on them due to current platform limitations of the Windows networking stack. Only Windows _pods_ are able to access service IPs. - - -## Managing Workload Identity with Group Managed Service Accounts - -Starting with Kubernetes v1.14, Windows container workloads can be configured to use Group Managed Service Accounts (GMSA). Group Managed Service Accounts are a specific type of Active Directory account that provides automatic password management, simplified service principal name (SPN) management, and the ability to delegate the management to other administrators across multiple servers. Containers configured with a GMSA can access external Active Directory Domain resources while carrying the identity configured with the GMSA. Learn more about configuring and using GMSA for Windows containers [here](https://kubernetes.io/docs/concepts/configuration/workload-identity/). - - -### Taints and Tolerations - - -## ​Secrets Management - - - -1. 
Create a secret by following the[ standard directions](https://kubernetes.io/docs/tasks/inject-data-application/distribute-credentials-secure/#create-a-secret) -2. Configure your pod to receive the secret via an environment variable. - - `--- \ -apiVersion: v1 \ -kind: Pod \ -metadata: \ - name: secret-envars-test-pod \ -spec: \ - containers: \ - - name: envars-test-container \ - image: microsoft/windowsservercore:ltsc2019 \ - imagePullPolicy: Never \ - command: \ - - ping \ - - -t \ - - localhost \ - env: \ - - name: SECRET_USERNAME \ - valueFrom: \ - secretKeyRef: \ - name: test-secret \ - key: username \ - - name: SECRET_PASSWORD \ - valueFrom: \ - secretKeyRef: \ - name: test-secret \ - key: password` \ - - -3. Deploy the pod and verify that it is running: - - -``` -kubectl create -f https://k8s.io/docs/getting-started-guides/windows/secret-pod.yaml -kubectl get pod secret-envars-test-pod - -``` - - - -1. Open a shell into the container running the pod: - - -``` -kubectl exec -it secret-envars-test-pod -- powershell - -``` - - - -1. See that the secret is in the environment variable: - - -``` -echo $env:SECRET_USERNAME $env:SECRET_PASSWORD -``` - - -You should see the output:` \ -my-app \ -39528$vdg7Jb` - - -# ​Getting Help and Troubleshooting - - - -1. How do I know start.ps1 on Windows completed successfully? - -You should see kubelet, kube-proxy, and (if you chose Flannel as your networking solution) flanneld host-agent processes running on your node, with running logs being displayed in separate PoSh windows. In addition to this, your Windows node should be listed as "Ready" in your Kubernetes cluster. - - - -2. Can I configure the Kubernetes node processes as in the background? - 1. As native Windows Services - -Kubelet & kube-proxy can be run as native [Windows Services](https://kubernetes.io/docs/getting-started-guides/windows/#kubelet-and-kube-proxy-can-now-run-as-windows-services). 
See [Windows Services on Kubernetes](https://docs.microsoft.com/en-us/virtualization/windowscontainers/kubernetes/kube-windows-services) for example steps. [TO DO create a section for setting up as Windows Services] - - - - 2. Using nssm.exe - -You can also always use alternative service managers like [nssm.exe](https://nssm.cc/) to always run these processes (flanneld, kubelet & kube-proxy) in the background for you. For initial troubleshooting, you can use the following flags in [nssm.exe](https://nssm.cc/) to redirect stdout and stderr to a output file: - - -``` -nssm set AppStdout C:\k\mysvc.log -nssm set AppStderr C:\k\mysvc.log -``` - - -For additional details, see official [nssm usage](https://nssm.cc/usage) docs. - - - -3. My Windows Pods do not have network connectivity - -If you are using virtual machines, ensure that MAC spoofing is enabled on all the VM network adapter(s). - - - -4. My Windows Pods cannot ping external resources - -Windows pods do not have outbound rules programmed for the ICMP protocol today. However, TCP/UDP is supported. When trying to demonstrate connectivity to resources outside of the cluster, please substitute `ping ` with corresponding `curl ` commands. \ - \ -If you are still facing problems, most likely your network configuration in [cni.conf](https://github.com/Microsoft/SDN/blob/master/Kubernetes/flannel/l2bridge/cni/config/cni.conf) deserves some extra attention. You can always edit this static file, the configuration will be applied to any newly created Kubernetes resources. \ - \ -One of the Kubernetes networking requirements (see [Kubernetes model](https://kubernetes.io/docs/concepts/cluster-administration/networking/)) is for cluster communication to occur without NAT internally. To honor this requirement, there is an [ExceptionList](https://github.com/Microsoft/SDN/blob/master/Kubernetes/flannel/l2bridge/cni/config/cni.conf#L20) for all the communication where we do not want outbound NAT to occur. 
However, this also means that you need to exclude the external IP you are trying to query from the ExceptionList. Only then will the traffic originating from your Windows pods be SNAT'ed correctly to receive a response from the outside world. In this regard, your ExceptionList in `cni.conf` should look as follows: - - -``` -"ExceptionList": [ - "10.244.0.0/16", # Cluster subnet - "10.96.0.0/12", # Service subnet - "10.127.130.0/24" # Management (host) subnet - ] - -``` - - - -5. My Windows node cannot access NodePort service - -Local NodePort access from the node itself will fail. This is a known limitation. NodePort access will work from other nodes or external clients. - - - -6. vNICs and HNS endpoints of containers are being deleted - -This issue can be caused when the `hostname-override` parameter is not passed to [kube-proxy](https://kubernetes.io/docs/reference/command-line-tools-reference/kube-proxy/). To resolve it, users need to pass the hostname to kube-proxy as follows: - - -``` -C:\k\kube-proxy.exe --hostname-override=$(hostname) - -``` - - - -7. With flannel my nodes are having issues after rejoining a cluster - -Whenever a previously deleted node is being rejoined to the cluster, flannelD will try to assign a new pod subnet to the node. Users should remove the old pod subnet configuration files in the following paths: - - -``` -Remove-Item C:\k\SourceVip.json -Remove-Item C:\k\SourceVipRequest.json - -``` - - - -8. After launching `start.ps1`, flanneld is stuck in "Waiting for the Network to be created" - -There are numerous reports of this issue which are being investigated; most likely it is a timing issue for when the management IP of the flannel network is set. A workaround is to simply relaunch start.ps1 or relaunch it manually as follows: - - -``` -PS C:> [Environment]::SetEnvironmentVariable("NODE_NAME", "") -PS C:> C:\flannel\flanneld.exe --kubeconfig-file=c:\k\config --iface= --ip-masq=1 --kube-subnet-mgr=1 - -``` - - - -9. 
My Windows Pods cannot launch because of missing `/run/flannel/subnet.env` - -This indicates that Flannel didn't launch correctly. You can either try to restart flanneld.exe or you can copy the files over manually from `/run/flannel/subnet.env` on the Kubernetes master to` C:\run\flannel\subnet.env` on the Windows worker node and modify the `FLANNEL_SUBNET` row to a different number. For example, if node subnet 10.244.4.1/24 is desired: - - -``` -FLANNEL_NETWORK=10.244.0.0/16 -FLANNEL_SUBNET=10.244.4.1/24 -FLANNEL_MTU=1500 -FLANNEL_IPMASQ=true - -``` - - - -10. My Windows node cannot access my services using the service IP - -This is a known limitation of the current networking stack on Windows. Windows pods are able to access the service IP however. - - - -11. No network adapter is found when starting kubelet - -The Windows networking stack needs a virtual adapter for Kubernetes networking to work. If the following commands return no results (in an admin shell), virtual network creation — a necessary prerequisite for Kubelet to work — has failed: - - -``` -Get-HnsNetwork | ? Name -ieq "cbr0" -Get-NetAdapter | ? Name -Like "vEthernet (Ethernet*" -``` - - -Often it is worthwhile to modify the [InterfaceName](https://github.com/Microsoft/SDN/blob/master/Kubernetes/flannel/l2bridge/start.ps1#L6) parameter of the start.ps1 script, in cases where the host's network adapter isn't "Ethernet". Otherwise, consult the output of the `start-kubelet.ps1` script to see if there are errors during virtual network creation. - - - -12. My Pods are stuck at "Container Creating" or restarting over and over - -Check that your pause image is compatible with your OS version. The [instructions](https://docs.microsoft.com/en-us/virtualization/windowscontainers/kubernetes/deploying-resources) assume that both the OS and the containers are version 1803. If you have a later version of Windows, such as an Insider build, you will need to adjust the images accordingly. 
Please refer to the Microsoft's [Docker repository](https://hub.docker.com/u/microsoft/) for images. Regardless, both the pause image Dockerfile and the sample service will expect the image to be tagged as :latest. - -If these steps don't resolve your problem, you can get help running Windows Containers on Windows nodes in Kubernetes through: - - - -* StackOverflow [Windows Server Container](https://stackoverflow.com/questions/tagged/windows-server-container) topic -* Kubernetes Official Forum [discuss.kubernetes.io](https://discuss.kubernetes.io/) -* Kubernetes Slack [#SIG-Windows Channel](https://kubernetes.slack.com/messages/C0SJ4AFB7) - - -### Bugs and Feature Requests - -If you have what looks like a bug, or you would like to make a feature request, please use the [Github issue tracking system](https://github.com/kubernetes/kubernetes/issues). - -Before you file an issue, please search existing issues to see if your issue is already covered. - -If filing a bug, please include detailed information about how to reproduce the problem, such as: - - - -* Kubernetes version: kubectl version -* Cloud provider, OS distro, network configuration, and Docker version -* Steps to reproduce the problem -* Tag the issue sig/windows to bring it to the Windows Special Interest Group member attention - - -# Roadmap - -We have a lot of features in our roadmap. - - -### CRI-ContainerD - -ContainerD is another OCI-compliant runtime that recently graduated as a CNCF project. It's currently tested on Linux, but 1.3 will bring support for Windows and Hyper-V. [[reference](https://blog.docker.com/2019/02/containerd-graduates-within-the-cncf/)] - -The CRI-ContainerD interface will be able to manage sandboxes based on Hyper-V. 
This provides a foundation where RuntimeClasses could be implemented for new use cases including: - - - -* Hypervisor-based isolation between pods for additional security -* Backwards compatibility allowing a node to run a newer Windows Server version without requiring containers to be rebuilt -* Specific CPU/NUMA settings for a pod -* Memory isolation and reservations - - -### Deployment with kubeadm and cluster API - -Kubeadm is becoming the de facto standard for users to deploy a Kubernetes cluster. Windows node support in kubeadm will come in a future release. We are also making investments in cluster API to ensure Windows nodes are properly provisioned. - - -# Document 2: Windows Node contribution specifics - -[https://contributor.kubernetes.io/contributors/guide/](https://contributor.kubernetes.io/contributors/guide/) Under Contributing section - - -## Joining the SIG-Windows Mailing List and Slack Channel - -The best way to get in contact with the contributors working on Windows support is through the Kubernetes Slack. To get a Slack invite, visit [http://slack.k8s.io/](http://slack.k8s.io/) . Once you're logged in, join us in the [#SIG-Windows](https://kubernetes.slack.com/messages/C0SJ4AFB7) channel. - -To get access to shared documents, meeting calendar, and additional discussions, be sure to also join the [SIG-Windows Google Group](https://groups.google.com/forum/#!forum/kubernetes-sig-windows). - - -## Building Kubernetes for Windows from Source - -The Kubernetes build scripts have not been ported to Windows, so it's best to run in a Linux VM where you can run the same Docker container used in the official Kubernetes builds. This simplifies the steps, but means that you cannot build under Windows Subsystem for Linux (WSL). - -It's best to skim over the [Building Kubernetes](https://github.com/kubernetes/kubernetes/blob/master/build/README.md) guide if you have never built Kubernetes before to get the latest info. 
These steps are a summary focused on cross-building the Windows node binaries (kubelet & kube-proxy). - - -### ​Build Prerequisites - -At least 60GB of disk space is required, and 16GB of memory (or memory + swap). - -Once you have a VM, install Git, [Docker-CE](https://docs.docker.com/install/), and make. The build scripts will pull a Docker container with the required version of golang and other needed tools preinstalled. - -If you're using Ubuntu, then install the following packages: git, build-essential, [Docker-CE](https://docs.docker.com/install/linux/docker-ce/ubuntu/). - - -### ​Pulling a PR (optional) - -If there is a PR you would like to build, it's easy. You can create a working branch, pull the changes from GitHub in a patch, apply, then build. - -The examples here are based off a patch on GitHub: [https://github.com/kubernetes/kubernetes/pull/74788](https://github.com/kubernetes/kubernetes/pull/74788) . Be sure to replace the URL with the PR you want to test. - -First, make sure your local clone is up-to-date with master: `git checkout master ; git pull master` - -Next, create a branch in your repo: `git checkout -b pr74788` - -Now, get the patch for the PR you want. Append .patch to the URL, and download it with curl: `curl -L -o pr74788.patch https://github.com/kubernetes/kubernetes/pull/74788.patch` - -Merge it with ``patch -p1 < pr74788.patch`` - -If there are errors, fix them as needed. Once you're done, delete the .patch file and then `git commit` the rest to your local branch. - - -### Building Kubernetes binaries for Windows - -You can build individual components such as kubelet, kube-proxy, or kubectl by running `./build/run.sh make KUBE_BUILD_PLATFORMS=windows/amd64` such as `./build/run.sh make kubelet KUBE_BUILD_PLATFORMS=windows/amd64` - -If you would like to build all binaries at once, then run `./build/run.sh make cross KUBE_BUILD_PLATFORMS=windows/amd64` - -Once the build completes, the files will be in _output/dockerized/bin. 
- - -## Running Your Own Cluster - - -## Testing Your Changes - - -### Updating the Node binaries - -Once you have binaries built (see Building Kubernetes binaries for Windows), the easiest way to test them is to replace them on an existing cluster. Use the steps above to build a cluster in your cloud of choice. To update the binaries on an existing node, follow these steps: - - - -1. Drain & cordon a node with `kubectl drain ` -2. Connect to the node with SSH or Windows Remote Desktop, and start PowerShell -3. On the node, run `Stop-Service kubelet -Force` -4. Copy kubelet.exe and kube-proxy.exe to a cloud storage account, or use SSH to copy them directly to the node. -5. Overwrite the existing kubelet & kube-proxy binaries. If you don't know where they are, run `sc.exe qc kubelet` or `sc.exe qc kube-proxy` and look at the BINARY_PATH_NAME returned. -6. Start the updated kubelet & kube-proxy with `Start-Service kubelet` - - -### ​Running Tests - -For the most up-to-date steps on how to build and run tests, please go to [https://github.com/kubernetes-sigs/windows-testing](https://github.com/kubernetes-sigs/windows-testing) . It has everything you need to build and run tests, as well as links to the SIG-Windows configurations used on [TestGrid](https://testgrid.k8s.io/sig-windows). - - -## Reporting Issues - - -### Gathering Logs - -Gathering trouble shooting info for CNI. [https://github.com/kubernetes/kubernetes/issues/74766#issuecomment-468736127](https://github.com/kubernetes/kubernetes/issues/74766#issuecomment-468736127) - -On the node before creating the pod for the first time. 
- -start-birstranfer [https://raw.githubusercontent.com/Microsoft/SDN/master/Kubernetes/windows/debug/collectlogs.ps1](https://raw.githubusercontent.com/Microsoft/SDN/master/Kubernetes/windows/debug/collectlogs.ps1) - -run collectlogs.ps1 - -then start the trace by running the following command - -C:\k\debug\starthnstrace.cmd - -repro the issue - -run "netsh trace stop" - -then do again collectlogs.ps1 - -and send us both before and after collectlogs.ps1 and C:\server.etl - - - 
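Review bot: several of the removed blocks would be invalid or incomplete if they are re-landed elsewhere in this series as-is: the `"ExceptionList"` snippet for cni.conf puts `#` comments inside a JSON array, which cni.conf cannot parse; the secret Pod manifest is wrapped in backticks with ` \` line continuations instead of a fenced block; the flanneld relaunch command has an empty `--iface=` value; and `kubectl drain ` has no node name. The `[TODO create this as a file in the docs folder and add a link]` and `[TO DO create a section for setting up as Windows Services]` placeholders and the `start-birstranfer` typo in the log-gathering steps should be resolved, or recorded in the tracking issue, rather than carried forward in the re-exported text.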
diff --git a/content/en/docs/getting-started-guides/windows/ovn_kubernetes.png b/content/en/docs/getting-started-guides/windows/ovn_kubernetes.png deleted file mode 100644 index 739d75aad765c15319d5f1d12e71951af5dd7d1f..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 106577
z6aAK!njwC}rQ10g*eX zckfffZ{&4p69e~DsQ3&#CaRw;G`+Rfd4f6kf(WzGZy1wQb?84&i0k_+u(?z52)HCf z6hR~y(bvWoK~APU?qq>3ibh+}g186rBSs3KAKKfK=`PXZ#GUn8@m|V_i>y}tAh#9d zY{dnYj<46Su;S8kIGEj7O(yC(k+*ElGuRZB@)pUn7ZH(&ZW!e_BQg_~=-xjUcuqOd zu_=MO8UD~L5OZVEQyj&$ClGU94PSmfl&sEx%S7Ui&!PTR&0Q?MCU zsehLBfHzDrVpFx~*jG+>7{AvH*;BrG1Sw_p!#RL&$<57eOaLL@p+>zjl#VL?{@!G0 z1cULrBY$FP_4>v`{xhqC$IKTMX;TbE&Im<*SAv&3Lm~D~i4~=x!E9X}6H&C8*aqc6O9rs1GXMUM>* z4pxDT)5}pe%ypdEhEBqUdHbYG6W%EH`SBXM!|FEM&uH;Jk_~fJ(N_rtIZH%IW=Q%h zhi&RmRg_&UMnR$B^bZ_jX)4Gs_1_yjHx;chM}|XRpl(t1nmdoCRhmwU+fOV1HJ`DU zPjnxiXsW}XIUKb7$vjN|SxTt<84mBi*xpLjMg|xQ)XP~EWDZ{S zf`e|*q#iV1fN;Jn&)Hf!Mv~F-Te=vTVbgOC;x%$%l=#a#jPh1 z5nVAa4K|oqdT~#SH%2P^w@e5gGNfwyTaQ zlq1ZJi?xPe_DS}kh1gR<{)j}r4$H0n%7GCwcyIjGJRiLE{kv&)X9S*ycXk?y1}yG@}8q^AmnPA<55!_YP9(I-k1F3NhJoKZjZL*P4%U^ibi!^?sL^z4LwaXh> z83Yrh{ofSw8^vTtF$FKnnwZWOX6J>lY;L&4e_z5#b$8#w$t6H2XLzz|2g0oo1-Bjv zxt#WcOG5l%inD=}mR!FBF)bBRXW^v~M7SQ@ss0N==I=NltBQ2Odezk`z$d(EyHOMX zM}H0R)SC}T2~&=xYU&Fn>z@VN-nM5L@j`B9Z$5X#rr~N5n2?aLFx_m!A4)K3j{YKu zrUn|NdT29bcz9npx`75QxH&HInfd{{_gCs2&~(P2Uw7o2`mVreV-_%QSX$IG8V&So zu6k4;kZ3|&t@7#ah@X9qYXm!yHb&a)}x?b-bEjG97I)mj zG4o@>S2FR)IUxVSra?7MPoVNp2pr<$tuvq+(H1v&+l4oWbvKfPJIvhT$Du_td&PJD zN)E1p89CK=ZPshc^UfnL1L~24xK~}{6d|pS0~Gc@PkLY#DyPZevuH`x$QHLWyPTeb zMGKuo9|M5meP5o^6Byj>2~!xOJ*P^p)U=@9bc{7d!G-Xg!eb$hgl+w4dq<5a!Th3< zwElhGrQlT}h+zvVA}FrthHMLF6lxDB_U3_X+Z39SeXUa9;jR>_^*PB zZ;k{#fABBh%n3@nQL5X)YS2R!YRi>HHGwv!UO@CM`$AR+;?XJM5UVDF$JzYZ2b-oN z9@FK!s9{@q4pZ>yI%^F4zF0=r3SPPSjQ~{k^E&HSmxREXL4d>iug#a|;4tW@5j9fV z=FW=@-nG3l6#4W2`Ab6D8_(U^exQ~K$h^cr_J2KToA_bybv6)UQRtB+{f1uAXIEOm=J{#n>L*?yWO(3~_+)sWi;&!4Q8wD*zUZ^zPBHcOqYBWtZ(+Xok^K~=4gw{>+oMg_Ox2TPGjBSS;4 z(ipfW12H2y%8Aj=g@|Q-rYE3|FK;=@$q6ua6iSospZ7uD2CZm?$!?&~m^yuBiq(Ad ziMKxKSZix5*wGQN)z7Iij^aACbwF$-pX|dLNtAtszoI-nOW8}8-93mK%epn*Q%fTj z_5JU{EZRMGd9TcxsYEJ?l_jt6>d++971_k5fu#<%i!BP+j#5uGet$+Zx)sp^dhV?w z6*c$Hn<>kykRN$ zK}anYkU`6;<6Bbb%2Mp*+RrVvD3LLl4P_nQQ6UVeBQP|&OEWus^HQ|MIO%5g>$J~a|(~| 
zKI_bP3Cmdj(P3i2TmP36p01mEVSH*EN=XQ`2FWeJfNE@+>XzaBL}gK})p_Zz=%c|x z)kA+$3L6j*hNUWspc;z$*O_A^R!HFhw9X3h?)X<5B@PqW80={)r z1*Ga)Y#P)qK>fE%D1b_!oVIj=u50|M%7~r76DG@X&-@>Wy#iyCpL{zD_T4JHV)And z=Cp5X!-hvhE$d6RU(2>gkcP1t`FmB*m41b4!WQVt1HCl)Wb6 zLwC0x{2khhoZ`1b);?1?aX4Z_K9@^^FXYj5v{Zw96%UF3rXdG8;eo6Vae#kY-!*NN z*bWNFt><>k9~MP6+urL`HdqWRvp{wl-g}3JKoaw5V6YBVo*H8hJGOcJU(VNBV>Hkq zAy8?7yu-pB_+iJlq{hc&gA@3Gwpxss=8~CRv;Fo{KMrBX!><>T7dh?A_{B=T(_s|u zHb^A?VY3dzJXC{)T>bLoYjR_A^QIvVL{UYgMW5_DR%5*5%#Q*q<#|^Lw{hn1YKM3? z^Sdq`WOquDV?#rh)NlHmy@e(Q!ZhgQ#;YNh@Nca5O9<@E`MHATvj=Jc2dN?t<;*ib7=(K(nMR)1FfmIq<0Nw{w zzdsTH_JW7A_>X57Z~Yjt#JJC+vnjk+=qSfbar=IK2ZIEqxm^~HcOV<{e5f zC>8bPA@z-cUHXY#JX4?krWw)@5ZO4XnC;OiV}CcK7j*DAOOJDw^E0`n*_|H4ZFir^ zWd?JpD?O_CTYcwY2uO*s=d++$n-fMh zlRtZ11G8_Xn>xKKzOfJExUT26sU5rwIHAt!om03I7B&Zus5zxX+@#rQZ*XqTM&(wv zICr&%n$Y7t-4e9VZi zX0VqVo7TEQ28@mSi>bH?rKxH2&!nSe*@dKl2Sf^CMbh54ca6~5Jms@-E!)A|ivcHo z1`0Efo%L420Wok<1D<3IrDVTZfPY=^Ej)5QllMk+Qky1Sdqh7Co6AwEIcvu}L(UR> z7ekA?yu$J)drsIZyO3)2|x5xAurUW5&8Jc(E>D)JE)B zy{zqR8ZWCQk?{6UtfbPGzM@*vJ%>5d1t)1@YeHVXQnf-#m2H~VoZ>|KZ1t;ZkK+5u zts&tCS4XCgWOR(~(M({q_M9|$v^xkBI`=c#e?__5rBG!T(Q|Na-GgK`HAc7U)mtN5 zI@L2cx8#%KO`nNCv^GJs1$shdV<`<7cf+`LZqy}Wl{JBL_%&b26z{M_R8 zo_EpSt?ajZ3R+87{Sk$mW`!cz~A)h~*5GUY#tab&ywLgDIh@tU!}Dgq*kizQP& zVNPD{+a%*&kPc4H$doImdTr`Ld6>Odl5?@9+t{ib7S2`{0@BM}|H!#)Iw2)w z>g#k8;duPD(_aE!(hK)+dez(>FkTQ6uct8^vJk1&2ngONE&swHv7M5cU6Sud-o5XX zj|Ih3e{N+okOYaoeRQQU?~+k~;Gi6*Zp^kIFv|Zg`||FOy8f9z z#q(!!tq@Cf!S`<5;0#z&v#BPGNP%Rjv*(!Wt=?>tbFv%DxWwEJ!NER(3J>=7`QVAY z-H#TX9d|J-?pxYM>CB|$XUVz!^x<(Zp^Ln!=SAm;pD7$6+2d!%cO9D6)I#HmNmnhg z)k{s^7H#$tjt_R`YD^528RKU>i*G8bsR?r3`IwMO7G(S@|1c%Qvn=k(*wVvmVUBcn zyvrUn;hlU=Hc^5I7!DLqTYG$8D@+(^;P*fb+j$WJZ&bEA)ydo$b6g+hnCR!tEKn)zVz$0J8CCEbsvRp{ zt7n#~^*IhKS(|p8+>se3pVhg1n$X<+$UPyiVXQtfgPW1DZ+hUZ$b6((sa~ledMC#e<>N$Zl~6971qUzCMq5Kuo zj)w|bgmWgAi%Na#MS&RZiuA*BJg4}un#B@dZQ0f(apRn?Z_4E!xQrQbiZ6X>+~DLI z(`ngs=>}T=9bT!J~`9mkibPPLTGD< zm+0%27azS}D!vu8@_f;MKzL$TUTJy8Od+MT&Y+luVp8M2JzOR^%!xdpRxkIwHaq=kJ%!gV 
z{A#R#Bm_LH3{)$KN}k{Fx}}`MmHTIET_-BRr;p-M++qKjaGdc2@g5Od-CR`qC%5Yo z|5&Geb?=^-D{gAIiS% z7%K_@Nk_SF9l0gqfhJb+s@4`ZeAWdRf=uIA+=BO(B@KEjC)4?bYvIcUp@t=5L5unlxaC1B z=y9}1aiS~hYdk!MBCJ|=L0GBIy_ue3-nPAklKp1w*e!NtQgAAhqt^LYqH)(O5>*ENV1|cXY=*vis zVa#=!1Ej1geD-?UCl$WU6dvubX41~kZoNr>3cU~ZwZz?u#@A4-8bAIp+%h(8k{fC( zNHr5FI9LW^)`Bsk`yBC2V&gwn_f($3qcP!{1P22Fuffx&b2JTdCdoH$XoO{4ioO4} zAnQ_2x#g>f37={`7HoCwFr$3%E|gT=u(O6HB)Bxxuoh0UHBr!Ih_wD(@l%k+fv1eg zjjBtJX%bh)wLCW<#&KoJQDwh{QNMjVPUCNm(F*DV5JboIz;cfCDCGdo?2(zhf zjC7RfyG5mF;^KRq#$)vz@Jfw8}G~qY-myfB~3hlf@OfsGB7-U6IRHfEc z>97Jtf|3wq^6;Dr4LX+G_@&dP0%G@T$y~urD>+X`kF%%f{>4`NNc5cy{X*WmmwU4F zqgx) zLQbTglI`+QoH5xD33AALOKT@f1v&2a7Y6KW)ga(Tui$4$7X`-`?>4$9$4d)zhzJs6 zURWdw9>$ll$Sb+EQ1VxljQSRPb3ey?+X*$iy<6ddxCUWZixB3$Cfbz916{8>*J=G7 z^1ZPIPT#yLj$Wi?z-4$_3J9>VB*hck zmGCslawTDUT+90OKFX~3g3ISP*(Gp&^zugA{O~Qy1iwVItt6;EDe&4nt48#I(;E==& zjN>?$q(~sfSW2vM*_4k$67Rjs(4{2F9U(aAoBf#`w^}{s+nltY^f1~hr@EVaak1o} z1|jpWbp5Bqn(U8;=>)-n9gV@Tvv{Wymw$fUVY01* za`H<@+r)Q|dne9V@_1!DeKx_E3w@Q0t+Ec7jgr%ZAYxO4WcS_c>wjDJC(~WC%zie^ zW6il=sQza{w#Q7V2Y1)8<~+x@SYE;FQj=3`xQYam7yVz^Px7M6NWNoNn|_#R;%AQf zj)bIM-+vL0Jz}5E&-w3{^lA}g)|&EW=PU@ZDsp#%1s}4WUpe9Y_trF4^92hbQdIV! 
zdz#*tIsL=TB`n`~kCZJ44hHHnXra*#f=KDu@6&%BLQya#YiZ6G&#Aa7+?06ao*MqX zPw-AcOUaAYz%hONo;`F6{Nx8wKju0MQZN1(vC~JVlJh4qRWY?^+SiJBj+C_vw$for zzv&R_Z8<)KT}tO~R+J1ccB&|pGB?MHghnWA&Scdoq3wa$`ZiK zNyp_@Bz7;|TNO>vl3bS+vB-a6Bw*HzpP`XVTzlg+pv^1)kvQlvWs-O?z2jFex!%Kk zV`^JX;*Q5N1rMIANG`Co4(p-Eq~(KyU5r$_ohH%?Ds)$3?p8UGWY{F1LZMh;%Z>n$ zkpM+OU21Vq(QHA^K7QPFVD#z6qc*w&JOZEmf5+R z-De+3iT8_#nkoMc_e96!^CQJxgzqk&i4(rr@)59%2c?9)-a!~;$*3ceVdEsXiNTDE zi`A-HNh9?7^2M|p9V3d-ZeGpA^SISg;^1D95-oHGMf=M*M~&>7O=w}|*#MVqD8I>n z#1+Y)k%C~r`&KaR}UL;QvpJ z7o}REp>Q!x?sF}>fS2w0B^tIGA54?>)q}KeJNv_MOb zfE{#G%d`;cY}pru8c65#tT$Yl_*i!MPKGy$xy;)=1J@W;kRCGSBkrS{EiEFUcWYj^R536Mdkd6JeP@ zx9lK46~fJECUigoVk$Qti>7AG?*!%YqA)DTQJj zMTxpN;x5sXNMy(QpN5tBTx>@z%xs1Fu7no;Tg5Q}8WA zFT!sVTfpuWo$7S@00~$7qGqvrmp&`j{g!a3tWCuyvEt9_PZjEEMC`2-^9BltkmKq7 zthTaHu5&ZuqO2VHphw^EcD~NfhMS=sRxS>%huXv2?0IPxBn_8(RR$`_O7Up7INPXU zt2eH>1$guHGz9ECP545-$=30SwC*cY9r2#Vw^uG?Pac1xVNpieX58SngBmbCquIsb zo`ej6p*93hyjZD|dhozvXyh>Nfz2bDfc*?@P?~T_8*mBn#Y=3zwLsr0t93f335|(# zm{SbiS(AY#`p7ZuG5?;i6#FTLq%tY~o50WXapu!ToheDIoy>7N6RA`_IGnM+`DUV1 z%~|46tvh{Xb+Jmn_r7}S*qT9Ph4{$tYI{_0uJ5^olCT~xWp#?}#M1bC*@0zRdm40i zVyd6_Q~616>-f*}UisofrD4C2Z+@|CzR=Gy|KrD3^E0d*n+@^nS4lEo@7hK;M9(|w z6V7=S(oDhUlQnv>QkF=aA3l#6_1wX4~x)i9bxU zY)vNzOUSWC(`BT4Yu^;FPzL`juIjpAhL=nqn1|I?gse%%|7rcSGMM!6Km?107nXWk z`-@q;ZZ-%TUGZm14speHv1`g}5)SA_?zDKd5GR);zN4Hn;I(2p*-1AU{42qTKA%79 z!L|L8=;cNxtp`!TV{GDGq;$31*wvJfIj{S~{-f7kDe+dX_4t&h$C1@#i4J_nDBs;f z<4EJLKOFbiJ7}rN4u*E`rs$}Cl;8Daq(Z|qSx>=B*1~0Oy*+*(MzTdbWdT-xF>~dC zxjt{LY^YhxXhZD^I3d8Qoqe%#l{Mo1rzoupL74Z04&>vnMR$sLhO5S(v))6vGXs*R+B@Bwrm{YJ&8BT!;KGkby}1) z+q3ts$S~lRGb8eBa+Wq6_WC%M`1VC};tYR-f7b}!G=^Np<+&o(metZG)za^(XYw>P zZoja#)TFc0WbO&GXa6zk)hDsAzWDo_%f+Ta8|&(|*y!KZ^)ZLErlyO1Itq;~Ty{lH zhF$bte@s~T^w~#A9UAwrqd?bi=fX0t%*cue!$4ITNgUqxgwg%9N)OKvzB8MvdY9K| zI-PTuon+Esi?kz9PSnVf{sbu2{=NGo7wEqqum8wNN+|4)UmBoeT_3!IfHIYBW8z#w zzDgQUtY9T?rF~?&$L7s0WHb!o6MWTd95#CA$IzH8?+N?i$1LVlq?>@HrfXJ+c9hhq zPl5~h8I^2ay0;pHBzoI}r>KjmUoYKR63~wo@VXmC@luvtFqPalK|03x_yIBJUNga< 
z^yN1tg%(G2wZm6wg`62CJSQ{(X|*ps{j;%=w?{deK-o#ShtwipqBs zdrNFcT!&9~TLXHKu(M`7(md?qz4hN7MIK7~+8vHm(pR!(4mWHf1a!D4-|Z^BUJ^>I zX&V{EV_DwcoGPIbb=o6U(2AX$J9U2LNO8sbSq*}+^Uk8v8^cTrB?YCVqwL%L zDW;PIi9Q0Rov1;!+YxncPNd_fhnUD1lzP6bPFgJ-K%pvww(dKV|I4_{%4HuCfo0+R zcQd?^bJccolP@Pr;_Fr?#r`ahPUsjoTbpsD&#snZkNukeL~7vfzDT`Sl-Y-govlTN z6MdYT+@_BjML$@4YBt~#m%FtcVp}Q}pkC@6Q?bm`jSe$URuI1$M$1)7*j_Kk_fro= z7w~(GFA(oO@`c#?`CN9nWVWfK=P63dAKYDV(1H85EP;pEh*%?QpOMH~Aja%ORvSsM zb!`^M({8`eyg1tbsfFw&YR0^9Z&<-GePWuk>CZX0o&rr*eWY`65Zb9NyE4}d<*TA@*>E49;2iE# zNE>vvVdv3lS!CBG6`l$q>A^1{aeumX@bMJ9omkJMg%Zoa+7%qO_&4J`@+ z9zI4(Y>(cz&)w^ndy#k3_a z(`#9hpClzuyAKbyJTT9l^P1e9Bi>r-Xjy%1xAey6=s|gvjflpxkEd=jF5IKD`jp%_ zW=@gsEOLEEg+1|V4iDHYChS9fP-ORQma>g8+@G9>U%H&E*RptY=GDy4YL8Wl zI1h-$Grp~A6cvsoc@13cNBib;PE)&D+fBPN(9rqE^d&k@{(8xb>#_P9n(JY{;?fx< zX`gj_v-0)hA1uly`m!+)@~D>gGcL8hqZnN)O`Sp8%ReM>N67iTrYciMh#fxbzg&ta zU!B6fk;gK*5WLdWzyErIUPzu88?71r9nR;G4~SpS*6geYN6f~uM>s+nN*W)0D!cD; zw`B+AksM1ti)j~$Rrq_G^~=fM`uUU(piuuVKTFK6LT8fH(mL;sD<++sm zYky_mh^uCd-bP-~a7IuMLk4Fd{wo%%5CsGS6fH0xVB6xn-ud@dLL8vzPi zGrb8t7l>Mo7I4vEJ|T%ar5QiLc9zXzYE&*mwGtqmv_vXoP=pz59X)lnB>J1>Q_;D;513!B*vHTeQU3fwEs#78g#8j|ma` zb2Us_A{QN(4oaJb?f(FfcAPyJ=8fwf+43(cLdgU;kaKV)zsLk!Ll(VoSo~hUS8L?E{(zBK3YvLF3ZQuCR zhC{)EJJ_ME3vJKMa-{?njVFH3H2W)q-6`;iH0&x*#W76g#yrZI-XhpEPbv_Sb?+v4 z>^|V(08qUN@Y)M@S|T|l_LU}qWz4OiL)r7m>cZQ~A+E9L{WS-|BOSfdSHE^lMlA;` zAMA22c_H5}yMUj6!m?l-X2fkvD%I6+D65h?$^Ur8&DFuGKw@6mX^pL`)X~F1%*NT)L7wYjtF`75>j838HCWH>*Vn_!C zV?HN5GuarB>E^CxeXeeh8FBfYL0!Fibr%cn;PTm}#k0BtdIFz^7ILphmHG?}=V1Fs z^G$uOH5b|)yP4qJf zZ8IsSA1XyB5yCh;+ai>U6;;W0DtDV-qU24win=KaT-@2=@{WCPuraPlokN?GbFP5q8YunpYvSG$^Px4SNm0M z5Ui_`No?GWRU?nNFKJ<@fa2 zMTD5yzscF-r1!*bXF{8^&(+96t!9Pq^p%F(wx1I|u;YYy;@TUITQw16SXM-=zz6wh zQ<21mLd?Mc@nq5Y1_&r<9fjD%Mi9wM36Me~(Dmnd!Cdjy7vav;XUkU#+EC?e_*KqrQQ5g;!nR>=CB4;GxdG)01{{neU%t3K>I@@TaE+n;j_wZ~ z`ihOHxlENoiTN==B=;b6mJ7%0$aBzEpX>(%%?+i7=OKb~Nv7?l0weEPNTjcW%&Fr2 zWxjd}MTI zxB4_#Sfu)=qlw=WD*QIge%Ij!Z|C(J8^d*74RP^;(T;}?I^r3^&&t%Hn~db%5kIFZ 
z#RY)R2&aNh)p>zk2Axr)H==%@)>K1FEMvE%l2TI!A`@V%r8NkBoVH&hvmL%>^Tp=* zHvN3l(ZEbh*$!P#hoaGt>hYt4;&S9rv-WZ*+XQ~G3}6=^D$a#aC5=@m&-lHoQ^LNC zI;8KtvBT^*mF*GTFjE4KYZ*%a0%)wj9{?ttG#5Q~#GlnFy?*|^m?OSHU#d#Hn$Kj$ zHw_|o!|L%5E<>Sar{H=)TYy{k@a1LEXrRTyY2cVoZ>Pu6r=8a7?y7ur}?9^+EebNid00 z{Vq}t+dAx#f8ewCl>w}$fnLO%y$B2%@RJO7+fZM=K%4?J_>UA1^mEcm4pCE#Bi~5) zn7OE0*w4##^)Z%#GoBVvHK&IVwOM#9w^8~<(k%qTlk+AbvNEr&_!#l0#|* z-oUQeBu}=p?Sf@Q4L)`BN>PLl{ZeiARldju9JJ=%ivz*XN{1IUV~Y?CrE3y<0Y(p4 zQ_v-X9EjgF%emi8FmLNg0;fJ6eR|<%_Jux^#nK;UH-CR!?w!peNH@`A1TH>aQKuwj z+tjR@pX@fA%#gDe(00c&)L?7?fQO2Dx|xacJ;*B#2Qn0RFH_MmjzdLN5tmY$_KHUV zuL8}<3HTp=pfC>Bf*G%1zc=zyN$fH-952TWk%$}Ya<7>bs)wFMzO!z7dpT$JS@vBT zxe=M+L75YeY0(S}o$iG%t}Bqf4YEYSi#tUz#58fdg*7fAg6haSm1ptf^7Qx7Atuc&(Fr4+{%r#t(g72^`8LUt4r1kXmHZHDW;+YKAtL(XYzQ|fG{~a zY6qzFC_RBz`BH$u1N{Up23Sz<=i(5~pU&Ghp@z4|dFnMP_l6ETcS=}g7`)3{utV;2 zs_nuXK7wBLT#4BxEln4k5zKsOp8@=QbxjSZRZSxMm?At3km&5?j~Bsa`uC=*tl2HK z1StP#wL&VJ(B4L{Ts~udcn+CJ+2Z(lRD6gc0Q(=#jS(~&~?;Y3P8`$^u zAk)gVV-b1*jN@w0gpY8a#a=L%20esC{OfObOR2c@c`Hcu&-7||8{qbp`;kOBV|Ec*M!YbV~23sza+?g#qSIhUWYd5&j0SMHY)R6&CAk#wT> zB*Z<>1gTLO@0XHe=KzuoG>uQMRmL@kT|XH~8fOqQ;WBJW0CYM47}zh*3Sqhp&e{0_ zh7girQD#0_NapA)_Hg+%1461=rU)N*f~`69e8N)BA9}c{ELSxU1trf#Gz=S4_Rl4V zjNZBTx@HP6+X$1AN)%oxhgDu(^zPqh@l0hoMJ1vD22CNe@#Oxts1Lt)^nORq|NTg& z;b@pKcR+gI$jUsn5bgico31Cy*R$huA3x{H&zhlNi`8VHKzJSU@Z^B1cohwgZ4AHb>w2lbuc3SO7-AeV4a90Q6v}v`ox7s#x;BV zy1z@Yz;`7~VVEcepG!*nYg=l;85w8E+Ew%A=2AiTtTzuCCELGh%m%c0EGp#X%mrpT> z$pZTd+|>ztI2Bdj4_;{hP7o`BP6q>+?aQLa5fQ2NS(!K%91NVm?Mb7+6m->qkNdO(caVq8 zsfuA1)(_a-YoUTWRH=wfSo$$Ok%vs5z@e}=AT>3V8UU4;9-q4JE$qiy2=m&8p;m%? 
zA?wSIgZL@$DbN3|<$Cr52xhXoT?B3oX8+`csKeF+>7?HQ)D3nvzo6tPuF;Qm2_}-O zce;_h!KaLHoViBTm@k!^9FlC~2g32^YDC@PVi93M7(hv|iWU`sEk_`8Ir`=^-M|$2 zr6He?$(br$IkboN`fz>ZY=g!67NZ(aWAIaO)OqwQ&xT?T;J-FAv!MKzI;iiOPoqS{xp)6k#^a)_O;R=DV36?&T-w*<2+e z`FQ-f+({w$!)2hHB2b=Z)>P>pF#<*_U`i#dn(SUe_|X;TNuSe%YuSQ@rlPZRAhjdYKjy;fWH#o6 zk{ju{K@!1zE&^@Qo@2+|zu&YPfaIJ^BgeS_tS)8cYMQBaGpwB&(4dh|I$JX)CO z#`PAtVosjaj6pm7_lV&SP;}@r*16uVM~C*2*7&eCwIR-U!iyJp;5W%ln!u;bfEjh; z2m|eX!5vircCo7i<9_TejS@LdgPL1nCDMJG#casa7qD&(qMt<~$bmPWe@so~FN8^l z#vAeH(oHrf%kyK%_}ZW$4|wA;w_vqm*`OQ)!_t5oadVfQ(~G^cx#>O?H+SFK$e!_J z-@x8tr7ei*Z2>4lVA#D9Q3R$c{*OvF+(im}U=ak7FM9|<@7THR@)ezvagikpUApEg zT^*XUY@>JNBb0DH6gS^ZMyK59tLH;$aks$e56vZR6la*17$d|^pNG&2t%|S+DV*sO zHj${lb{c)F(rxT8&c6-#TF~)scOn(Jj``n9YZUk8cnGP<|EfWLme;Vb^OtSA0xel{ zV7ysfpXbzxm5G8xHm~V&=O*b6jafGAX#z6i5k76B0`s2^C@)@x|1rog}i`z}VIy z8(~e>D+?3Q=ouRcw)&4t$Mj1YMR!I@K&JbXk)0BP-EcjyUZI+ipVx)f1#GvDP>unhWGnm`e=T& z{K=C7i2rsy2sR~2*vIMjfMeoWJX%7-4~7TqhIsEE%NN)P-<9m$%Rc41vEq6#Jw;`G zP$jCP__y?XzrQf)aFhc~ovQxo001uU&~JnJ2)w|zM5KhH^DXarb*lBKHT4*dbcX1o zo;!ez2Z*_5ugIAlW8n$<8ho3BEM`s0=1syAkAmfC8FvD3r+gp^A)ABuuF?Wwz9au0 z42ko2c1^vQ&&<9pY1g;`&JoFjYKd{@(s?%~Lf>VT8ZY#^Ss<|;uaX#IWZ){nJ#hbL zWB(&Dfj?ljp(ts6p@3J#Q3cZLT9^p@t(J(`S&hfL>0vrWKVoHK(vCwC^k0!ze`%hz zNzp@WEZt!SE*NhBbqW+;r&A64FWUWkVY&I7Vv%$9T$vPn z2+b7!&*$rLt92yD*0rc@;auAh>b)%D8s_hni0PK|{&Y^(<8@$d?heua9k?iK6f?6& zXdh;9FEX>FQRFqJ<5SBUHvR;RC|E4`hrL8*quA?L#Czx8z%*!nph~ zpA|nG_kW*H9TzZZ$yXmoTD9>2=5>@WPaA((va;y(;!eWo-5`v8p=6ZU9LR3q`z%u7 zWdWi`z0>E?ddHIOyQ_)&x$gNs^EGb{RI?tPzgtgE=vZUk-f)U05T;h#MjR#(wph;M z?L?NOH|w*_9>rD$O%)*_XP-&VC- zMaFM^F*vJ~Yl<@mjq#DRX%=y4TQk_M#QWb3{Kt0&@%*2%>qq^o*(c1>+`T+E(A@Ql z$OfMF;E0dRFS(MGojWCq0`{x&`rJaT&9Cd`AD9F0I|VnCNwe(y+ZnYqbYOOa2k8CpR}o3~QY5W>FD~?wfuvS->=M zUmp1V9t3tby@ukzCcpc+q`*kb*_kHoMiuBMNKh&Uk@N+M0Ak3 z$toL5L{E2X7Z|rN9w@o5ZW%ISiQHOpZq|{u5Jh+qgoYX~kooti?{M-cYcCB?nmkVi zW}RER-)Q|$#6eXtJNgs_k--I_x@D&NCgHQ;Tg-<2g-%ILBjO_`q~E*qnVjo`@|l#= zvp+woUB1I`{$J4obg=)!3tv^O&fk@|e?qQEB8^|q;pbE^=7C;Y7r 
z?aLPE4_l|=x!5V@XGxNhKkP^bkYHd@zX9`N0%$-yuYgan^}eXg{0~a;LRG}uq2L1j z+xJ=@FQbBkT6ACVMj>%y?40W`;($2sMWwrRCN0lh$$5L;ETEA4uP}xXYXPKU^b8De z1P>$?ASIa>7lVPYC9!hxu(v2Vo@9vg@tRe4Mwp z7KfU;;zh0>RYEz)Ll6)N(ILhPGREaD!T9tQs@vDcR{z4_|7;A?wO_--15;DUaIG4! z3uJ?9;L6K6JHQNfC<4nsH*d1nUCEhrrg!1F-nkOn&<$$iVV87R8c)ku+t$)13buXbU4iXM3%V(`EccwSgHTNG(SK_JjtQ?T2Qnw` za1ba0rG3NRV~WEjev#0>)Def-!c7=ML8-cy=z_b#8jwdg?vmxCJ*$nktH&ou9ONvd=}Z) z{N5cX-tG^$-Kk$R-G&`RJ@x|Z2owyiy5x}R$S;|Nu5Of^w8ahojM`C_KW{heuYK56 zsXuNBhK{G!_Mr}4zq?-9=c%{emc722wLbambg!vd@-ckQeX+CR$S_LoJey%%`n+KM zGec&a^eg)W#do#AB1}?*Dk#3OMJ!Ai^@=5o`Co-qbr6BihQ=Gu?IaH%YZZronZUvG`E7=N8s`3GDQ?+WglrgHWP z*wgL8p4XUGBwRR6k%bGbu@KUG_O8{H#oD&Mnp7YGz0|Ex6w;ebVoy%jBHVIgIx9Jxgqt_FlPxK@`-H~Y^nW{xV65(N*DT3Iz8_z8l z2S@qEu~1Y8=MeUa=fZ~njNxU(s}+F>0v&q#_Z<|;

;5+pZHH^-q8EoJS2|JDTL zpFKCvpEb7$VATHqyZqaX1TW^$Pa-k}Sspg?8`oPOyd(`Se-<^%G=}VYiuS2Z{E#YsMe<_%FoC;UGY^v;OaN!A+)*vzfK*r7ioz=MknS=>-B! z;s|qB_3gu$7{O!gA4^GuRy=1%FE`y6C5L~Cc!rbMg%m73S*l&r@)yeD6ARickGR6d zr{3$m%Iu{OOJD90YPo<|-;Z>@D$4&@YSZnVdAe(?LT|y(GrQz<0XjS-sK7>uJ-n6h zPzZh52XD#$q)(PHHRqE4u{V#G-)}H=*nk1v+guuj;ss`Zt$Z_e$I`zZybjGX5-vS=bUwP3)t=5gc+4OV_oIr~ zU-0y&JN|S!$!4#Bk*qMW^j{$d7{FBpyY&56tXLbKAs$ggnd^fU2^-0znxz}6=gNL*|=Gkm|9 zktCT58tZS)LWP=Wc*-#L0768BZk!Q{B@EXkq^@Lv3rp#i(ZvC`Yf z(c{%hE!k4%V0EjgfL5ju&|Tmg8J18o!)DfEI^iLDx=)%!-LOLF?N9g?JW+2uBfj@+ z?ypYj9RGF?|76+}Vb}$u+vZ#smFmwIp4*EoFxB3>H+nuWu=j1+UnShO7kJZAvLv5; z4$p|=Vz=zgWVA2Pze?BpAmn3)BO){m#L|b94132^f)bCvFj!C~g?8i&Pd@57)Tt=` zr~Y)<=TSSJcLE8lBYrKT8tALNJs=vGVXw$=U3W|Lx&h-Xt>27T)&lWPkg4?)-P0 z321etju4rh&oBpH2BQWJ;{P=QV8bU&{vJ7en9u*L-*juVO!9HYQ|F_NvW>US!f8qY z>Z_JG;p)PuLv9X%f4jbGv5@H1iqs$DRiR98O*Xw&4cGlpJBmQ%Vh{EEUPIQOsBE6P z!Va>gn)0n?gXyj~l~8PvyIHlKr?{eyy^ZPG?(yY4@d-9>ICjp+C+aGuLtTk2hgwn` zhMztSg=DLQFplv$hCyoY&K&ty%F0H(+j+kKP@6uI`8Pwt-ta1a?^7Yg`^Xw(Fvq|G zKGb5kmi_MrAQcq4RSUV}FMak*DdSKnJ%6|?A}I?q7~U)oum5%mX6Vw+zDRAP#7MuM zkdH54d?s{h#dLSH3GS8KyH{WW4}!qXCGtS6&k57VGs|=I@1ovUWBQQm(0fB8WbDX) z=b}m9^G@^QV&HIpN|Kbv>(vMI!=}}*-zFYfC%$Plzr5T%Bs?T&{?z<(vMtP4Uquw> z5gIWr_fr#bOVM0fL|mB{+4RnjX=POW+D0Y5zaZA74Rpp8lUJ6R5BM{D81>7})of^Q z@L*^{@NjasDgM{qpD&fKH@z}8Q}l!G$K+z7=d-3-4noV`M5&M*r6l@m^*~pDQ&uN8 zeUP=pCCLMKE^uhL{wcLt5&8#1jAd}T-dS~Y!&18lSTX6=dqB9WfoPl>9Wld(%h=(AoE#wMHN*QDIs)d&dRcgT{(f^spIU*0;_KSo@n_)upNGg}t0 zFUN+9XGJ-i7^^2G$a!9q22!&3^@AzSY|^zF`WL*)zWe?e!`@V z;Fg8ew2p}SjOU^>3yX%0PsBT&bGb7Sk7h#);s!EYc z%cWGzd^$61m~0|h+l>mz$5IUoYe1QnY)r5#W1kD{F{7cv>mr1J$7?Pr!dh09|D3WR z1ZG??UYkKl*aJJ+*2ef|x`<$nI;P zf7ZMdk}v;1zbK`;1T4QwwyqGpEo#zXm!@U>pilzl_I zURRVE95LyuLO(+L73`yq?95{v|2m%v2dZ5yUH^^J?*~dOWC&T7#Bz@nde+LQyg|6! 
zI>!5s`%U4qC_IeB9&#nAg0|`~9%+n6t@Rc}(tU!sRU>OB@HK;uZQI=Lli7KF1E+`7 zilrNTuhAUZnL*vy@`+?Ia?ckI63#g1>Oa`!ye4-zV0&4srQFooo0M-m*HDyE8)L|l zh!M_?l5vWu1*2|ih!W^B%{))n3dBhju#r!Ce)WO7_~@pl^@vuXHv#eimHd2PJ>TKg zRi$Y+Do;dViM?p;Na8OAdz)8ZhWa=-1T^bfD2{b2qsGR6$n;x0l0g5OdTFGr+QXt( z9AzYW7vyn97T|FrtHAF`Be%>eUB5x86NWe@f4tlTnS0C8yc7UU8hOouhXjtPQ9p9- z+IV(d1qnYgW}WsQ--=Yi;=6kMGMH@d@1sXo(mOO}@%*LPmGU?oQ8~~jo4&a)r+<4+ zqThxuA@H3v6R(4SNwev$I%7=5H{~-n?&>PElm-+*QXAdAxf8J99sDUxceJOKR&ow& z2^!*Y&N#-6!#S57Un+zjYOKCInv|33+X{ryT-f(t#K{>##8AMR$L$T;NDPnjkROji zKVts1FYPX9+&S85AoXl0dUnS*`kWj{%Ze?9%l%iR+OvH};}4WVZt zRz9r-3~nE1F;tnu>-{5lI2%&YS|DeO=BMGu^}Tq3D>6OHyKe5#~WT@DqJVHz;XVZ)f38rZT3vkIrUT z(xN`3tbrjXM<63U+uQ%eUgyde4Px#}2^FeU-U9pk>+2*sDNgDkpF+|&#HXIcIR6}T!GhQ(5`?~y!G~JYi>&&6R96izqn`**Gg#_X&RVeKzS1VQ$8Fiok;Epl%tIDV1d|W|!Zm4JLei+Tix?}S; zd0KY{)i)0%BQOTifoSc0EPJ=aX?--wgQCZ5oyPjyQ$32Qt@b8Y&HL85;|z>Fr?w1H zXx>yvblwjNp=2%*sCj7{C%O4YMH`>Vl$JJcE^j;DXP-Looq7V$htHGwK?9Htc>bDH zPsosn3cQM`vQ1Z8Wx|&CbIKC&k=n&!>0GQ?PH&W=Z1?+%dAZH|PJWT<>nK`s%OZP>{Vg+sOc#V|DS*7tk}4{O_d%uUDCm zJG8cm@ndcAIJr0mYj{weh&`i4Oh<2cJ~}1e&;6?Q35pHHhyZe_ zim&E>S*HhZAW?xfv0g0jh+*QsXFRm2M)BM{?yoZZa*7z{mKfhc4lPIc{>_@B(f)04 zFI8Fb%vz1|Ja_QfY8D z-_hWaVRdau6;^Dfj{uvm1=o6_DoPEQ$ zz3<)pw_(fm-8;F^pv; zGJZ901Y|)O;aa^=liiW0dXqIPV&09>BehLAD0*eK-J9s_%fHZ4j?jJv9S%Oa`c?m| zbs8E*o+&&}Cd!8!i!g+&k7c<>1s#1_`n5MblUz7tn#qB+!!=WKbX>KFjG16;q}cP{ z_1%Y|-9W@zvM;vb$Q1zMYe!0QhrCXH8KtT6l^ESCVYQ29T63Rsmm>1{C=y;dsF{dN zKQ_5)c$%YOu2SxquA2YehwYXA{602&(J~%^b|=I432I>^6irn!>7puXJkYDdRXLJ& z4?UTFL2IdUyYh>f_s4(U+~DreE{d?o@jY1~(xJX?8B19)^lW~Vhw73yQwbx*8-jJK z2DLs*Y>K~Cs60fDtipa59P`GQQvAEi_P|VT+*`&JLPe9!%4Vem_fK6HtAx`*=;t^r z-xeJ*z5N~7Z#UzOEF{ow&6p>Heldw2%64m4_nz&EIQ2E@p=K`GU|=-(3LBc6oP-T9 z7FrSZ5wBXL0t{VT*yO;Sw=J!lQwZ8!DrHyCyJ#EAZzHnp(uAfF^TyyWY!B$7_v$W$FZr#_!~&`tzH}sS&1#N zpS!ziU_SCG>^)#P1{6feo6RjN@h%uwK4kTU%xl`j78tXMb_}GH1zJqus~#1@i(t8P zC-16>mKZgyL)Rc!^rDs~>X*)2v3}x`5=9A8=^x2*h>TkO-y~8Gym6S{&a#OamB-`E z)>Nwo(S5+|rJ@f=?p+c9*_JTKwuBW74L?&=#uGs9o#d7%G-2LU-QRxe@_v?9Hg#eq 
zyi1On>@jb9z4qv@Vt?0hJSo0b%?oLX{;hYi8eAK;Y;9?H5Ki|`ubRXwmW#5Ik0Th{ z3&Q*H`IW$W%F`iiy2UD}eifuso17uSd<64xlfA#F5~79XmgmLmIB@*jLzHrHCkI=% z8*JHN!kffcs?UxLEEzl^7T3aC(z+lwJ?g6ZMRAylXI;uVnw37?nbSW^9aAXf8&J zHnq=Dj=c_7%1LJNAD+di7CZvPSsl*sak9E0qF3d9bQj%Jg z{teQI1v$|UjrM;pG=`>j-_|U%AraLD1T%? zE{wY-7V`BKMI2Aox3c3LW#)WoL*|Z|jV(mAcHgspuOQRn@AhqYW2|@(`aBr*Wp*J8 zZDf0?s#KlhX~vyENPNAj!Ph>o5fDc_HTT3p-qzJ)E+ zxM~mr0?0eK|3q^pR228_TT&-^bm~Ssb3aQfRat ztFu+?D__>2M~H<;kO|GcAGmctZZDhaLir}feEg@v>V1MEWk+SduEQbu7YCgr#(N|S z?^{gp#gVaqrgEYNY`rlTmYKx&QvJj}jZf?8W&cREL2T12oxN3tcB5q1X_wY6w+?0@X8O;s_f z=CkG{AE8zrRhBd+!BEKqRcPq*Ftj0lK8w{QV_QN&9G^1Y*gm*<{9;fkoN-OxudNJ- z_8YkyS|nO^Vv+Ih<5Rx1B}1wG()uqWw>~42lOx%7}|JD9VdaP*8> zQ&6mjH|O!;W1>}speuVRr)j4hfd&kbC@L!TFKd|pfSJ48?`-$w4b9IX z&k3BQ!}K$$43!Yv_s@?c)YTCVQ)KJx?rC{Ne<@4-g^bJuOYI)RMja;2yAilRp%fnv zX*FB_>hv4sCt{bUAl2tzMJ<}NtdCz-R_FP| z{`F7=Z4@`PB^W7ZW|1<>@;x{DziIWk|F~D=MQa52I?}>8;roZp-$%CDBx+zj z8{AYz?;6{sw7srzLyN&OGIo`$JEP+s?Z8 zs~{)8duJ7lE2Rure?TB0Lh(bj${>!3g%rCaH~FZ){Prj(;8CEPJ&J|XjAK8F#f`|DQo9+jrWfZo;-|mveFTIMtZ1%A_TiniEOkzcksJL(GUAY;caBZ zCL#k^Hct0ZT8Z9irW(vmJPf;jTVRLy(I4C}X42#KL3DRFIl_gM_|VHvCx?<^94&b= zsPs<|QJ2I-k-qPIwrx#V9e1<@=__)kB?zpE$eGc_HKbg5nwkFIW8~~wp^?EKRD)g{ zy-ddM+*0dK#8LQdteC!>=WjNE-_!M64bRYBRfd4-z>YLZzd{bM}1$oA! zC8>6pwoliFSFnKKP_%9YyYW>QsJ212y+6|%uU=UxjomM*8r1egkwQH?AwVMMptPoInQG97nIYCFcp)KrI>h)Rp2kJI#v@r1a-9qP5~8B@+hh?c9% zx50CWnCvw-y0KqpEVJweZpyG0eHJSTkYx1q=ykj^G&ee`vhhzoe)coqu-MwRaF9g= zRVcW$L*)60zG<~?1navRMpw2ce#42Z@3J(DSnr$4b1`aXP4X-giQga})<%b>dav*Z zAeM)|zFpJ-cVI}e`S{5I~;aTgf4pQ(tuDyWX^O(Kgq5-w6MZ^9V(lRG4bAp2yTLf63$Zi)!% z85!xqF{iWddcb`v$zmV?(xr)Rg z088+qQ0%LI3R{t-;x~PNj2;Vl{5-uNjXk7;54U!dAR7KPa|q$3YvV3fs>tOi72? 
zlF>$f@RCwcz_4q*bDaaj`rWtl0KslHJ@gVI14_okA4-A<$ z^L|&+j2)9!*3LjnhU8y)e8H=eTy+ZpWo3-koJCFaNC78vsYQ=H)A*JM9XgW#`3R(8 zgCf1Kh||=#YY_c@ab@G3&{5N{jYYL?S65eCXQw}k8Cu#8U_jvR?*2kRfb?ZTf6g!& zmluh6Mu;3q`8OHSr_YTk3vhDT<4Q&QV$Z;z3T@8k4?k*&;7%4r&SaO$?Y%4~SN8QWkk-LX8eS2*-(!1f;jck>5Xl>WK?$9oN7s*xb7KQtIh2?~r<5Eu+x#`rloIUH^WdV^`aSfFF46SyyP`rLc6X#YS!Ct~aB2&~>MfQ$40c?6)B zTZ~Y%=vF-$85s!)4HX637TB@FfYYK8FbmgiaArzm(+`6VBpP3ztZTP;@&nc4X98wT zBcOrP29__t870uZ^^S1S`-T-*5=Q_nywR^z9_>a~Rxl?&9H_~k0r^EIkSb!6k%gb{ zPMQKEjH~;b!{fWlMbpk8%&9s@8lWH#0sSz>WBH0xO&__uua;3kqXE_x(BB*bqhu4% z-Ww7gF0Q9XUSl^OR`RZPr6AM0qsDgj2e2^*^I(9X^j;g7j*~TF0sjAR+Em(`sYVAD ze;o(&jpZJfc3_!MJuVNrfsObvXbNB5%=GC24%9~j?5#^lhTiS>cQ@re58mW_4hX1N z&%4_FQ60B_QvqXm;$SSwo){WwhqXSO+rPVIe4ox3BcBU}0lVI1U@d$Flza}iSB~T& z-sB8Q>21KO?&#*Ql}1?j`SI~F-^UYLuuB5f3Y3rA!;6WJ4_I4!Ps_kSLq~_q#Kgqsb1$f>rWTW$8dg=s zom)^q0|fXaBqV)(eQ(Un=qoBJq7xDVLGRdmbMw`XK=i(!KSh<4o_%m~%GNBx!NWt! z64Fn+Kcy#v=EAn8j{*GU{XQF|<6KsrMC!o`>3CG|n-v z43j?~P3|1==}lJ982^f7!7EYjKXB^$OH!1FA)?{@-GO8~71AL?B`Ux*%$Q3}ppqeV zXX1+z^hx(Nl_NhFR_L|;M%B!%pDtLQsPHB)r}WNyO}eZvv|)L&wE{U&YJ5+&{{5*J zjZD9@yDM~i=jYj?p7n?NWm~49jovgRElv@Gq*R+a39E|xG;479yGmIYzA>-%0BJwN z+d}m#pyY+Y9n30FbV^8U;20sh&y%v|^vlqZKXYM4d5U$q69F59$G7K+HmlAXm_<=Z zFXk|Jc;^}y9g^c?So~hL*vyhmVRaG??wGZEKY2y^I6C>~bPLRZtQc_sY%Qa!BX9~m z`GD26@x?CKqn-M0^WFRmK7YqDkAN7}7+6|sSA2aWZbs1VQ&aJaJ?F{cFjGgclRV(; z9=8~OBo<`F^Di(@n-8kGn`CALA8+Rl);5N{)tiRRQ4iz|j#o&%Hz@2icXIme6J|Hx z^UGY9-ct<1={%tUkVl@~D~*=~D8qFjQAAbpDLp+>EbnSCsHmu(prMI6IB@v+`C;SZ z2NbFmnC$#1Ool+8(ko}ce#SAFj^@fHb6euJTyKy8n?)Qv2Boe^L!SsVJbI&!0JJ9< z7!pQCFMv^Ql;diT@m!rF@oQI>o=A#t;16nawlzX5^ohIW?+&vkaK*kl8DQtM`ojp! z>7N>U9wQ4s+&X#QUvFORRSq9bn`bTq^xxdL>_5^vrh2wyEB0i86e`@`KOCvYmqAbW*ze}8{;c^RCU zNg4EvA}m`xxMOmXsHLUF{jm9x<9#1C1_|V`KPpyGR1_BIms{H3$F#S%#~|f?f`t04 z3)qM+udgGsv$JCmb0FN^TuK9X@#BNW!yLm_@2$x)%7u@c6ivV+-5qGOM{4a2&-Q1D zy#AhvW(s>9O}w*T2Dao~Y4$ClzhXHX0LTwbC8yy7eQIe-Kub@u$-4<&=Jnw5<+C)j>z70^eDsU{-fZ-?djHd5z(iMz0eFHj~wZ! 
z=fIX6HN)e8-}!KX0$ASnRt^gT4?#?jp4rVeWWTGm+nT9n78DX%-rf#1&-jP}nrtzE ziuxg2K8bB>G!H$)`>&tZ=)4$i)!e5d&<)8ICd^Zc)L~^F8;u zbrb{^I_^Ngd<2x#WKqI@8R4d1f+u}6;OP9esz#Wh^Myx-G|7IMGshs?w0Ot~ZNqvD zWbTjj1jrJ0ad2@>uJ+Wd?XiT;uz`~&^aIJN)A!!FVRz|`l$3Y)WJccZJC}WIgu`Jb z3wI{zpC$%{gG2LFrIf6=KdJ`ZxEfgLiD%}DA{Y{%c5_PhCrf5ZHd3$|YL@`ohMcNX zEY4X)b?~ZqNvcun56_Z?W(%t_llgqySKI<%>cbU|O z=N#As1W@-V)?ApqJC1O&TEG{EBF8N~){FGg_60SKDUa_ndl#qMR=2TlBhcj8vlnv} zFfc}|yU1Cemhn>cKB9{IvgrH0L6c?HAcXhP7_wLpvl(QG$iUY)=A?TN$;Sspe-X1c zmuG*(i<6U+TP@=UnpHI^xWM60vp$ozC=WK}TbNZE-joVSKj&C1P$tOrR3xFJhIW+( z3#-C(J$AvCq*q8bf z$^->3;hX&YgMt<+z?UuUQn5bnl0TM&*d{`_6EN^i$mTPbRg_ZIt!cKiIp=yb8%3%& z2NieK9TG7qsnzM^7qoYjhlckjMD1;VDBR{g`+$)Mexef%pNx%d!3GF_sY|->TX$0yx`MJPyD&NWJSiO@uxG;V! zBE-i+sJXBt@9mUwG0a&9QPp8pbtP23VXizME`yG zsEJwInV7`AcBER0F1cc1dl^%8V)dGC`e1SAP+S5rA03`Bm5w_N2L)b|zF1(*xDAz4 zb`~OC0;^2l_wF>qf==u29CAT)WzvEx{cBwUP9njn z2nB!VQrRs^dbI&RJ?Ilu4aj#T-#Hl)1Q}M#o?pfZZv!<=tVwzIrzW`dNvqO2U&iQC z>oWvVL-&w;dKwGc$qKv^*b zf5;0HvkZgTaiZ7+4O?~zW8rb3M-PN~Ls1Pk{Z83PKUgizriy0Z1#8XJ*U z2b^ThJ&OjYF%VF$!wJhRk%XlF?-bsLK+q6P_nt+^4ZtoXGrX(cNC8hQeil)9_Z}@p z-gbnq1R<#RxzyA_rQfCQ$^6frYvI~w2@sqP;jW43c*jR;6Y(Rb?XIi5}+9i;A4vlQ=Y^JP5soCWutX_Rti zv`PEl#SBfG2?2yGKv4WKefn0j$ca*(2;FJtR2R4CC<-B_w8C08C_(YB)atEklL%S5tu<3cJN+2p(O zoluX}Rw5FEGfwTd@5u}yx$O52bi@2M23j=+y|t=nj4OqKw%5 zO#j-(#tP`P>i|U_JO8)u(xIPw{64IgT6%r`;VLd3_d$frdM8(nmj86=Wqar6M}PFQ zyv0ei4tdvPNGiRfAy#!9=2#G)rc?7rPeCvr97KqCyP+*m^zH}6Fr&n=*(Z4lcI)Oj zThteF?PpL>+3{Fk6Erd}Q)p&^G8~g#;=vMm%02f{L1i%!m(SWlTSp1<7DaMU`xxYS zRBQ8iwG3Kk!2G3$rQipm)&QwvNfXXjqV<*i&~0MDc?>2lRy^S`XOkZG9E8pde6FaE z;9v)M8?t$gq6Mq!mv|1jn70+u`Mx;Ep1bEwQ8UD1_?!!~O;uH;mvEXPO#1QyzrBv# z-F}??o4t*XCQQDs{AcqxV2xhxkYWQsnucxd35nK0;|lHvj9#E=gI#LgnOvo@&y zds;bpyd=2I&29JD|G6AI&5sML*J0%R?Oy&iBbf_zKSJ}*{9Es5%96I|87|B18h*iP zSO`-{JG{Bs-km}!b`wdb$K$c8S3%6oP{1&EWswA4y{LG?z*WVUs%l*x&mXVt?;pw& zGW@NR2>ru|y{bTyA7tq@D_&vJ&Rd6OG=5x@{HpKBWLWV_=KyLpsfp&q<)X61;S%Ir zB~l6TWjv)hcye>vLuSwSiO9yUQXZk@i5tKShP;K+5n~}WmU1#FDru3^E3tS1CPz1Z 
zLu$NBCYCo>#*Qu&^tRzzxA!Xr3~_3ebQ}i(oj1txGr6|MjHPzN&d%jkPrnq{EwPyD z=VGwqN^yJ^SMp-=)_l~QyL8{faf`CdZca_(zpQ=5vqPJU(Wr!f>2-T9Crjd*3p*ly zOhR%tTXRH`miriJxSexr3(RMVLN~=B@-8 zdb$zdYw&OBAU(*^UJE4~#J7kHu+`K_9H~MaXT@#vdJ*~|;`0h+WW_F1pXIPJW7me^ zdS088)P3D=-=tQiDn87ys9wFxDOJ$O8L0E` z4c{RAv4@kXb(LV&z+#A4_gFG!np#M00in_L!7g7yUbRwxdQtn~w#(JM5z}8~rC?pg?zLhz`_$l-%JQu^MgY)pJ+p4f1FuZX;SoO8E0FBdtnyhNe z+%lzR9?jCTzre4tRa1fTnybFr$kpss&S8-591fdj6euSQ_X@=eH77p`FVH&xf=5}1 zq|>+b1x46M1Z$`7)4@_>gsJO1h0G=DY5!1NX7kM2Dg<;l^>*g?cQ@I+?x*HaZkw1P z7nn>Pyw;^(^9{67JIG1X0+^z^bir$iYSxvWSo1ry@+DWI6T6U1T_#E#OWZ>|nL63A zhmyUr7DYa@R5;nGXaPM8+aLQnwgWb34;!az#Ry zqQxLFxVBZcvn|UR17qloNhDz)!LPv?$n-Vlw?b4x`+?rw)giLcXr0N?WiD0k-6f4`MJ3|onQ?7+75Nk&|?=hZJ#rqiB|FX|#e4syV1_7N5q zmV~slc+vREm*JM6oy2!3CL4y}bXjN$!{#vht#>(1CrOG9+4*BQKLNe37{&9=BVkcH z^m#9o_3C{{ezgV>+8MinGt9BFB_HPam-SvkD5DvlUc(LbvL5wN}?p=UwX9D}<=c+RRur({0~a$#T7fKKrJz zU?Hh1iw-{1=KD*xv*94TxWl~BrJ`Wd>LZWMUZBGZk|j6XQItRN)h^ylG;S{(e|evl z>02}Zwym;N{o6Nh?-U-0^k%P}bb6NofnQQz=Mu-s3~Bd1E_vEWw?D+w_@w1_{g4vz zZ7W;|)}cefp?^ICxvxZD=4nQ7dX=uxzy+F zUdxMFl-Zi-J>;zgFGOdLDk2(wE*fdEsu`7wN6uO! zj$?-Rbbqh!XL-x{;vF$dq+IhWN)c0Y1)BuzgC#GuY&`R)Z!(;#@xk}!03t2;63h+n zZ=(23yPiGD$okIOn)w-2uiLOSG{Lj=TonZtS{@|Akq6Vpj~rJG${bH~6hDF}M{qexYjCAJ0^`ncEgokl9^e>z#wvT zR283qAUi7yVX{=ebA2EwCMhX6J)IoD!89~9NS2nCGP1Iws;apEux23-!UCl)VxFFY zk(45la3C9Cg53aRb69Fa+?%b%f&=BH`i*cT9S*P0HxP*2U(vj>Uw~nfy)uHs_W(`% z0h))4b*rB;YZkWwmuonk24aS3yB~5gul;js8k&E!L@E!uv9WQou$O?Cm>7r4j=DmI zAPF3X3_!!<@V<42k#M0HdYu!rT&GuN~&R9yO&M?O5*SIgmou8WO2elpt zMxG4pQ%u*idPqYa4;sMUha~MG&yRSm$)rj56HEWxN^6uH_+M9uVrhK+Hv2<|BKzN! 
zQqDzc;aY42YzhiEsyQ>GtFEDuos;uueSMvgiAhvN1?S}S)bV^rL$ARZjfmZ#D-fLs z&S0FKIp^l*Q}gqa0CWw|BW)>M<_2Pa+tw7j&`?myM)BjSC3Z4M`P zfS*GbAb*Yk0!_un_DtmV2ou4u zLg}G6Zf^Xs0%d6cs^=?x36qVZH(u!q1vq(Eo#QIUr!$LxNcipP z@bPv*<_ch@dXAPmaj>y{FBg3%;i&cbd3Q9GI6$N$J|m&#_&nUh0q4IL`{A_7&W{N0-uuYrc_p;nOZF97qSzK^)-i za0DKX$v+n)2Dtsv>1ikUWutt3K})GHIi=4nr|{jG+CTaLPAhmMk>=WJ1{T_X2_;o*@#+-F4E|z zKs}Zv+Ykcc#a6RJ!5A8`*XfNIvWwsD%A9epX{6*D(6^Cb{)Y{b##B#Q#E88A-gHYAr~lWe~!xZ7mpaC z^Kq?z#0?;HB;e%E(Cfn`a0t465s^47e!sZ7x>{L)dIF~w z;lvgPAiO-m+W=?>15T3x;%o_=uJ*N`aX5f+i;l(~Oy)!aH{25}tX>d`a0mzjKb~$F zgIh2pGO}l-JG|Ux8d9uX{s>NwPZaC;gPBUk;Eenuy}^YF1UW{49-peQCF3T=1ao`> zL69(6Z1LiASVDM4ArN5bb4Sn{Nzn<2Wo$~yC=i@h!OsDqK_nWm#PRX?xp{e1;Etc3 zo`$o&1_saB3|nB}9Kf@I?(S|zR#wT6ANk>lg1$axiDvlUzn{Qf%c<8%8RS0jZOPxn zuD1MdEr0^Z6if353s!ibYgI~k6DHebn~n)o7P{{~gQhU@*0;VX9=Jz;V3Zh#YM|)= z=(*v2OHAtn04-`8MI`kIlFJML3i! zRcl1v*Dph|3Wd?%eNdfFV}cf!2(i&ayDq0CFri#PA{qd4L^7-X|I*g)qQEK!-u<># zjL6Pcuqt=*K2HA5WcqzVLb{lVrZK_{D>00&n``Cg$X&>{YXN z+-q7Nfdu1PJMa~vFpTaTb>G@Fy=EdXP#as~r9mRm+HnA#NqOTXQ_epgmqp2|==EF$ zZycvt;|lm1OBiQ>Ru7BYv^gscS|MNUI(D z7?!EoP)g*%LTA`}@+hXNKh5?UoIRMKVTf+v&%b6VW9pR6o2XIDV62eo|1t6F%4^KK zxM%iNEJV81X81*C+}puFcMS;uhLQ#y6WIoNcufD*i^B0(>DlS3{nF=eFU133l}}09 zwoo`5K0d}m*Cc&wo&;%BvLc{#U@0T?-qy#LmF_a>%7L_h=**Ez8K{`}2ob-UwzY{h zL>0H2_2{`)J>h?v7{J|`~4c%^}P0VX%B~;{_%Z-@`HT61M=Dk5z?{&D-c-l*1Gv>S`_wLbcE{rxfV2q z*N^Qze&>irQOnNwM`CN0CqaV8mzp}DVF1xvsRlHB*t|bTKL4%Z`$ci$GqS3=zk;l+ zL|YscPXPD6|5}-E)5pWd!agPO32PnkL$}ik(@9Rn=qJ533|oDCfjSix`hHyF)01$; znKyfoJ^6Kool%2Lr5=TkVzJ2=SGp~9W_zc@-S2H{EYO$HKYU3!{Y0&u550f0W&XUm z;-?!)Z;@gC%G^tIiSfO>ZMUo)rUzOtc21;*f)|&LR+)ohAwA{%@5r{F^*T3k!q;5Y z3TV&d1pUgR6R)eJi@to1rJ|)=_a?WE0`OnCdplLk)PlM$^@P$++QT$EY)S1MNlqnt zO_|jvobwtc*;dllB}SJ1%);%->61RMJo5bYX=xZdG4n&tx+QTE{K&=GWr@~x57OvJ^ePndl$8 z?CErhs8>&7e+X8c2W-k`_Ws6JvLll*s&8X0Q@{{j_b5i}^d`=F{KosOggYIaFzJLX zw4dZ$d~w^8ryY+oc{+^!)~;y3^}hCSVpsSsCpterAFmj8*%`fkFn1sZlIFCvwQ&v~ zyM&QA`BR}%`_=@vHZWm`1BGuGWpp-g|Hcq?YZStgceY{v>amn_O2U$iIgvtyz5?!i z7R72vau=lPI;3ZbjiaGyYr=ysC 
diff --git a/content/en/docs/getting-started-guides/windows/windows-setup.png b/content/en/docs/getting-started-guides/windows/windows-setup.png deleted file mode 100644 index e11c58d596e35013d644e6cd263b5f5de8116c7d..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 51061
zmG$EF@#desumKZ%Z>uz-WR@NPU7^&;_i*NJX&gwKeU*JkQ9-NGmlvDkr2|60S- zajjA9(-9$3dkD^+)+5%qEOqA<&@(6HYU`{~OJZsxrcr|8V6cWKgs8sSh;J~ef?F{uNy ze&jhJ6{G)Q$p7K9gdSX`>wVC-L4s~G+deuV4*$Jh8ULf@Jk-9(Y1ILkgC9mU3BzC2 zv!M*|=l2tOUd~>EK3$qJ&cAk!(l8SKvwB8gOO%YFVZ#hW{r|QZqx+!TDQJzcCkA2t z?<2$qDpB9|&2_fKAdqGM+bhUrp6=~cI~j8RpFaCpef+^$dRLDH)BEpH0F4FFT1Wvb z459{gB5a?Q%5H$r14sO?OPpMO)&ip@^#;QJI@ce`6E%0hCX(>i=>IwDz#h<-l?Q5( zhD|={|6VpDNY1D#Be_=r_P>`cBmT3|7A3y?`?DMGCcsu)$!UfD<+zN50>(#(tzED) zrN66B7i_vvlSgX&=bG^4Jmez}QAU{FBNv=#)}GbQzo*8Kh7QG=v5TrD7`5p~j@`Ex^38=pbHJbw#FW2JW9 z>A27GMcY9*e@bxcvjY|E%IEE@aZ2Ic*D?2k03nhLXj5X5Y;YfBMGaT<4pZnnun+&Y zw^{}cS{(yX1s|AI4CBVx7-0phOMLFjF=*gsA*G*B@KH{IsDCo;Lv45aF;}GpVl8In zpbhiJ8R$EZnscd(ZUFCOrl2;h#shxKZIIOKcS$05_|;cU9wGDD!}33o*IEgtDfB(b zX*W;^(YzR!cXa`52UI<3{Ex1~O910SK4iO3m@1DSOFS069cHdAK##93h9akidFrZ9 z2#RBDjxaoh>Q#q9|J~z1=Yz9x0rmx)1F%yZpPpe7c{QHd{g6wL4t&6Pg?Hr;B4FJB4xMFs1U?vK4y*t{o(hGPZ+Y5^a?_OTVh|}Rk1WaMyscU@^?Nm}J7%vt4*-iv-`c%(8B zd(-kTf|I!FHwptr6DI-G-==sQmyMk$PG3%^gU3>;D`(4L7ET}f*eVLx`6<@q$J+R1s1DdZNO5OSnn87{PTZ}#ss{tI@s&!> z?e!h}nBRJnvbYs1IICaV6047(Lh)~^6Nl{Po)LX4t=BPfsZmz0-dKGcs)ZTA`7T~z zK_oT9D6~^o`ie+Lc=nFPV1Bt*_dQf(Su_u{ix8{y2B&sy)#aS_q??9d#e%vy7Y$2) zT_YF^Xw)^w^QYRle-aQp!hAsWsvJ1W_OJPF+JgD13jA8MV47|?Qz2zy6gZ~KZ@jz5 zew@LZV4|Q`0p!`2f<<_sH|Y($ol3wYmZf~Ra7IDG@|fuM01zi0k*&o8+KQu&%E;|{ z;n-BZZ?gN-&A;>Ly6pi>(U$RLo9pHdGVh<*4d!onBnH7lKe2^0x?C$3c>^B?c>J`J zPX1EtZt?wB#>36PYuOYnKPeOzj)Az3>=K~NZ0upcEJ9`GMa~c`zUb;_w!6|H+ma$&N*pW1K&4>4?*G zd%H?Z=?g8+1m>beBeWZDoRthMN%ZIm)}Z{A;oF13w zYIOy|(QV|%?I)rv$qZ$(C5>gEE$1fWW#j@QuzppEJ;brZebeqk)6+YRG&A5#0a5T% zdyQvJL`>+z-#{0KXE$Q3VPmNYnvwi}lK9hc0;9(u_dNVQ#zB8MzPk&O!^QK0vO&Xc z^gmy}YJbopZ`GMe8YSl89(ZuGs@eLq86h|(bXAqD%Yu1_rO1kKAK+_}Zf335+C zX3d^A;j%Ipiv^L9&0zN@f$1`Vv^xCY37yL4gC!=)oe7EP(#KFuzjN{;c`EP*Hkk z6g`n#H)}oMLcV>X;00hFWN{zB@~kiKnE$c1S$j;oky$;-#S=lShhWR}_vo+o+&74@ z_kfAnOEH2_0P_gd))7Y7{Uw5TSdr0XN0$xrW-)yL{J9wX>5&C5FX@qYlxV%Yf&Bew`Pn8+ulj zSO3rpnOy(#9l%eO3ij27_WMM>OhiGhjLmK}2XDoLN%ydR#rKY1 
zKl=`GsIPps%abO)?k(UjppztIIkq%=2ACQx28c;bUF>cu(&Y~kCpW8}%v3uQS@a7i z>VO7rS(=S`N1u_#Y6Li9U1S z+P+#uFX^5L_^ciB?`o(nP;&o;p_=d&?t$fWC9oS9gcI`b8_}nT2^Zbw1V#I;BU)KO zNEL4z8$d4s{M)gL|RALx$6h% zLeoi~XGJ6v`1|VS8|p{z+}41PWQ$sdU+=LDzsP2>OPW1gSU&ld#Z%>KTIC2CS55N4 zN3Im4C&4cTwLuU-PaBXW-;vksZ@51x{*IX;*Lz=%k&-Lg8(1Kw+R)-y+IAE4g-568 z-8WXZCoW%DUU+#e4S}&fVZ#dB^n4B~h{Ke`!rQ%>p*&0~%?>cIl`Z8&g}y@Bq>51% z-L2%7$^5FtauE=zTCIf7>Jmp34r^x5g!}aGzu_`dm+|}pxY&vZ;19%j2DKA*rkY4(ZC*JJ9f6vJLZKK|v+$&=@T6C<0zFaQN>*PruD}{_ER{ae zd-qL0vIrWWCXw!SujG%1K7L!-m3*`MMnM|e9i3V$4a1ay0uKUqgU@?Fc_(uaPaJ^p*Jmpoj|O^Tb07w5hT6!^9f>u{UVmmx}`eD-p$n z#>@qsr|Z}O>GT=&(*Jx0llgTSlYu_{$KcT9GXbXq5NxB38a5UR?@LB0M{)hId`Yf^ zXNMHkP(52hhbdgt3?!Bse4@d-8qW6Kqyasr(|8khy)e!devxb-?My&dI`uU+&@I7e zekQB2OjqShSh~ufBM3@7rIEb;1ve`p~ zMu8Y#9_^O?yB_32sgZ=mJVa4QX&d>o%yL})cUf*92-3dS#+MWcE2A*U)dV##eap7c z-=-j8o5)*s<#Wi5DUF+t@}q|weMSfX2Bh}_S?>y*$x{L!mWW2t7YoDq?f&odDmlk+ z5_1^JG?h(s&feW~!w@d4*aO7(`^W61T`*ez8fp4Q9sey#{t@G;%IDX>2pe%7pMktl zEwU;UCq{2lDD_I6$N1}XeXt&g(6=Frc5WN3Pr9OmlUrf zATS2a9Y(j2xk>0I!Tk-P>p|JZv);oR;5g3{UcT(}kYE9<4u^3^wxKhPx6W?VH z9u25wl|=*xWK8G#F|t1GJBH^D$#V;=Ph?A|WP6d{gflDT#KT4#H)L~F?>{YdWwokK3Vp~2uPc94!2E{%g!gU)CFg0v z+0FA+hlB_DNj{koh((2cq2p3Kfg%hZGwt5$OresK(z4Kd8YA%B&?x0SGC}CwJNg@7 ztW%(>zknyOb22!4kF-r^7;l1O8B>a7IkDM9y<@HoZ=bLtoLSF<5%>)^P9(9+mSS+Z zH0?QQ52)G)@;qT{iftrwXhz-%0>;3P!x1N(ByX9K18MGdEztpb+46&!;vtGI1hD`k}k_gm}yo%A^J$d^NO@ljP?PWw4;Pc*;qMll3rZNuw2%1T<&hk z?1!*uJXUsIZQa#km~g0-`UqZvxUhdQk88A7*p;>IJN#I+qE*bhZ%n3=(2Y!-o_`IV zwp7_L*(Z4Ba}_RaaOdp&CH$^f0NpWHNK}Z4#=%Scjo?@?wFQItDyzeDAP%?G0W~j1 zWt3VPqN;>&7{m#XKz}ef$QZ;{t(G0s+KTp`ZZcl#Prbbl8v%kuT&A>OU^sSP8`}u8 z?26M?DitCCa5DUIFaX{3GuG>&MxRp3J<+U9)G!Ocqo4k}=Iz=n_=qgS{9C(>MOJOv zBJc16j5#m0v6_gMdB45R>gH^hszx9BU*=pk-e%ul34`D&jwDp<)Pd-8gd7F7y5(yV$;Is@2vc( z(?;G8G`DxY6R}quxf$~`((5Cq5S?2KhHw9h#26MqaeTf%8smd%L+yIiGTrLFuicVC}D-P0kz-l4q!2( zDYT!biCGdV4@dMb-QQ3-9~*y7O=jZrJoF{@DUW^2VG}b}V*)#PGv3%ISdM;U;*N_I zsFQkck#CURCOk@^<+8h+P$scE_A!VOReqYJF-o%u$bjk7@#w~}C;wg+Z^*~l$EWT? 
zL9KxW-d(#Cv0Q%+^(nIfmS&;3CPfK1+Xz5G9Nh8%$GUqH+ zgJ7Hb4%w@Mi|rCCy_~y@8$vAaIeb_XmU^SfVYt3#FlPp3XcwQm`f8bW)-*Q#aJsYtF%^fEUd4du^R@n%d*1cvtrpAvcsnS&nPXzP-4^ zb|dhmrimMu0#kg4uLT&h#YnS7zWS(Oxfd7-$YHYbOL|Z3C3Z6FS_g5o`HGNds&AF*cvE#i|4q$B_2e zJ(TyDr>~Up0l9fBly8lBZG-^#D>OCmBk-23+mO+i*)zIqgV5)hIy$xx+C6 zrT`q;`bmPwx`2eUrIl3&3UtQETkMI2VPLUT6r1mo<&8#bt0-ugKvjB3C1c4A zbVJnzAdHCb*gkkh^ua}{n^`48x$ee#wx=Rf@gm)C>fTT=2U#7EGD2F(NOL?`fU=Nw zQMviw-T?4>pxc@>x-g7Xl4Z15T8;WY^6UBScX1nu)nS)}q|tY&=Ev`!=to#- zKZ2Tv?*S3v7n45uqpo-v7Dg|{SemBwww}*eBd794`QK7|1={6H1EY$$VB=Rx_CG4p`lJ&h1%|X}P@(q9-OeGdIZPe{GJii&K!ZFg2tB>ZNNb251j^#-N6G1 z%Rmp3Eau$ok-r*kj1f>}NhUvD3vf;qy&Ha~({<-<&7)~vAE035D|gb~PYi!2YQ?>XK5Qw~l=-5co*=)EC(<5CqdVQqS~_G!$Jw%$C_3iS&C-8M z1skEa?Dn-RWhGweqjQZeNy_v76R5}`x``_o>&D+w)!unZa52>KVe(!bFE_Kfi|6%y z%Z>c@@7bOWxc}i<(nH_kPefhkWcO)f75k}88Uh?~`*H(XMHpI(PlVzOoh`RME)+KD zwwnD5T*B|romg{c{O+T4`8*-&zFi+thq>{>T~S;b3le_zm>{ zO~R2d4LCrPWU*OxhXjDMr`My$w06=-Q= z!%+$Y?Nj;@iz$$Pq5I^`;Pm@wUoTTC@BdzDVZ_m=Iw$SpUfLmNku3Hs>AMDr6tVQ~ z{!wngm7f6*ukLL-+2=uSp9x;7%o;%KqqQt=QvE1e+1>fETc@3p^y2Oj&=|QX%D%#; zlN7iiUsger1^3-M`|AZfj(U@}>ohRd^_7M~p{o0YN7Q=#+nVhBO z3_NtzboR3Hm*u@+y+z9Fo5C}66oX0C@gtz3*CalPtljF0==Xh zMW!P|d_GSj4aLT_*y<T-L#^vz=r7IF#&{ z$-Chl#E6Bbj~|lfZ!>i>=_BRDQatu+3-hf~8%ov0Aw1JC*n2)W@o>664tn*tCUvW) z&45&rS2yPv<}jCpEX)2q7U9e{hNc){o053U#YL|aQnzsmECpaqrFRorYy&KQzLjNx zW#0F%ad4?{DoYWsnuZc@;cLCSEd7Fj#_6e_d98M=TtWx`hZe_KK=KN;({n4^(eS* z!5o%RKRKxo4i4Lv0n{f^O;e-8HrXZmfg;+z1ZX`IR$!#uyTuD3jC6}SJ_+jnSG6Fb zuY%Xf<`#*1fR0RJrk+kCWs1MgJFdZ}|{q)5Z-G zODx^pu!PbL(%lVG(v75ubhEUubPEU)iXZ|4f^-?Qh=g=1DX9qWtX^LC^*rxi@O<%$ zu$((H=ge{ZYNB0>*yVx))biLE{LLUxfPr50DDhj zuBn%+REN%tZZQdDj`QQV6mIP3Mb87dq$z#7_=2G8o=8RH`=K*{#gt};+isYPulhz(wL>aF(% z@HOqp4PCFQgejGgS&eeFs-DVMy;0@l?%Qk(YZY2$0aRCXLHWv5+FZXaInAjDfHq;n z&)X6qM+?K&+(d*8u65cSWeLM7e^_LVA+CtLCEAF5)N>6(GvP!!4PRBFw}`blT;rWi z1bQ*FcNyzm{pYdtKGk~>P!-P9Ywls2XaVs^;PB7yAJ zIH!Wm(Ad;<`WhQCwJ}Mp^Uj_Kod3=+3nLdGoRRC8GaMI3*BAudLB$mPYs6krs2kA|Yx+c#(RKMyI}7 
zT~_-oZ!=->SW*oJGK{rwH^m#R@6a-7tRFOMrT`xTNe`3JPIir{tV64T&? z3_yZjbm)7%K21ipw9jglX1h{P{l9(T7|%vY$@&(|T##lG))9K#JBrjXq#zlDRuKZ8 zZhNfa?}{YG4#63CrqjNla&BMV-~qHpgITmrI6!fHnG_pN2vLV{E|jGxcMy#Z_>M4R zG;9qv@dW+2Hw5L!`(1jl*YXS4`Kj-DP=^+MeXX@Z-q=y-()h9(#DU7sU}mTnZKa7m z)eI<7>dkBtoLHHOsHlKYn1KJ<4HExP+y8iIeL6zU~6vAtE#)<6#$fzs>yN&i;X zPRsod9)g};r(p*N;?@uF$eyq19?|2qgaD2J}3J^E-VtPUhk1Y6B{S#>e_d!s0 z0BMd7pvoxHlthU@ZB2Tj)jWx41`MudDrUNv4j`F4q(zWi(S<5Wk@sBDt@KA#5tPTu zGXoZ{eu&*hq28gVxnl2>H^mNUzbwiE)0k?&=?;2$C?j*}w+{?&9TUqe_u3{!2S7_D zS||^yJDw~p7F9~niSe)-446MI=0U?ot>r(q{ur4=b0TWh*=4yJuIj&K41E` zt~sPnKJ?|ZR#!COrBro0mcu?INq*IKHd=@pw&rb0;ml-7XoWEMR~tHixWTv?uQn0< zD~_b&?(oEC=MniB0KrGTJasw-b}n5w(Ds?MCYzGg+{wjy>c-1wW^qr$OXV@aaGsp6 z$s9UTPvJ0?SfId7GNRc9str}MgZm_lbS3Go!ufz5xbr{Kpb^ii*=5;HI#DhebEV1QThZLaN2=$inXMLIp&Z}-TQPemgfvo8QRJ4J ze+P&CR3ETVRwe;)PnlGHt98nV;*9jc7DU>yW@USLar$Uf@Oafi4F(?r#NjC+Vmz=Y zi26Rps{2cxiw^W_|8XS5^UQAsG-SW_U70^gb{t1XIj9L$rv-wnE2X_~+O*D3{#DYA zx9%u%UG;yzjK$spEOP0_hfH`-KYySwfWUG8J>T(?>&{*H_yZcZLB~;*psYx9iV7kn z&=1GE9A7Z_vvReQOq7Oy#N1WZTK=*L%znGabsYMI^Map!YpW^zsNw)=9=MTp=0cHK zVf})cnmF@Dd}mBY{4vwL4peo|qVi?X;y-o?#p@x^uI49~vz+Bh1&5ALX@_m~BlD&D zyot0#=I-6nkOH|)r{4xqHl9gA{u#5m1owzVY+?JJq|rRUwUo1{7iZ z&5&eyOr|9DwrxNg(G;LMU^Uhm@-sX$&~XX!f!WR?k;ip02|eCp7X$dSAtL`3vfJAW zxe8muOv)_I!D+?@12;WQr7#&2NKN(uyj z>yEw=Qr$=~j!O`RxUdgM^}-EbXfQh!t48V^ZIRQlKC%!W6iOBzk-I0h%7CdBD!p1zb~i+w>siJDO-!p5hHZ#?&J_bkk{C_7Wde^%t!U8G+Ra?=Sd+4L4{?Tdh}o8`cu=S}bM^nHi0QrX2>EwKa0P?*At+KYMk zjqJy>gAaFCe&s|RU@EUI%0{loi|M~3lQWjq&w%b^2kg?Awuim!xyO|^mO3;zpwVj* z23Gm8&Y#Na7bM*dsO|LQVw0L}fi0eN#+fsw6$4X>?6Z0rjOaei=h9*ELBT&>mf}fT2`nNanH8z^Yu>qHR9C;a@EO|4sHms!DP}7X zQA)Df)W@=u+TB1{u9V_=d?fg)f3NnzGI!^C!YRzLn0NWXj+e{O^HR~+8h(H{#-zpR-Wg+WFzAeAje9Hw$#F%5l{q@MYbS(0KLAxskb4 ztwR1<{`I_VFJQ#g5)Z?GZ31w>>^ za!Kmb6L3(=!W8GS=3fLe=BTxcM)HtWQO^DVC*6|5pSE@yLkZ6}MqvL@00D-Y9Q;Li z1z}=jKK1uwCN1aS7{IydzLoN$h#l-QoRMp0Q_FtINxN6{-d4DifW737x{j;--AYi6 z<&dw*vxPXvwNWN5`@Tjp4>dH;a);;Hi-CA&BV8&a8hf7pqZ$hqrW5^4I9S^2FEtC~ 
z>Ky-`DxUmzX`d31x?(dCQDLGEmSy&HxFtY}52;!wVxjmO`keT#Sehk+Z}_Qr&`V!v ze8Qm^fKz|VX~lT~&W)V}h}H@Q9|VJsqV?8fI2w6N*pVy^)n~!S-JAZYmUEo0@rL8L zM%9rz#y7ol|Mai!kdeefyO_;aX9Xy5y|B$^shqJxdzGzdqJU4Z@z%I_7UgR;p*z_5toX!xMlEX(80YZY zMEH~5QN%ndz5>;$k4 zy%d02cLTi_nP*74plsFm32(4T4)?fodqu zp)H0#XHHjGEl5V&@s{37$NMgrGgPYCs}eX;FBkr2a}n2L!s+J=%c7vV*|hpp~b~>z|Ulb#BP_<{sUhA+D<*l+(t-sE)aDN8=sm^q)b?p)01)?zsk*W~Mt- z?QUKG8$Mdgtr~<90p9!a)l)ERfRrVqdIfN&1`u&(e;)K%9Gw^LkcU=h8Rl`XxCEd0 zx3Cc9aC|NG6zv0Qx*wkG>{p;|_dstWx=)4XLuXTV0D{?m4yxP#HlG+Mf`Xc}`%vJ@ zr4H$%BxNR=OCgH=qw+q92Oknk^*!}e5-6(+mND$ObLLPfT9|SE*jn;c!7uaosRn}| zp9%XGdf62iF60HclP^H%{^W8uLeBmWNb|7nX^0?zL zrXvyk@qqIX@~`^>-biSA@bq{sI`z8cYw0hd6+o_hc@b<)dPS{YLJArfXnq)YG$1Y9 z?j?=8d!P2NHrTMI(>J3KrxEWk%pZs_?@BZ}<|;*j$?)1uDFDLhWPoHJ0_(`(hW5RP z{KeKy;=%SqYYxo~d)_P8irk&Ikp zy4vuI|5)C1@ynD9MS4T>Dr_3rQi%ROMb;9AU1cdH6%QB_X7*~HXSbCm1xFNW8e?H1P5%=i{bT(9tOnNwPT zoQ^XK#DFb=xD5)67w|p4hjh{}z}R4S13@jy(T)KzP0J0d5?*;QrbMoUL_hmggIRH& z+-R8!Zye+n?YnLlYXf6z?$_x!12y0W2RAYv1-wC_04pKQD2Mt%-L;N?0I5$q@P#2Y z;7HTTa2wzW{|M7hQ5u)N)Lq&7gfxmNY#om?AV5F=jQhNy%M?06#l0 z&||{&n?UN0qyiSa{8BgwIxkT1D+Z4PL`d<1LP1E$WJsydU;oxqGzI&r4VVq+RZRIO zv%(v(ppRttd)NejYk)~77X`Ud+hSrxEP>Ia2aJH>^qXH;*3zf?>38uCL844IcLT`o z814pE6sYqHr%=EmhlY4@{rmCA05SV6b_8aO{gHw{czABV>v4u$;3E)_Hda>ar6}9C zfWu0j0e!AVOW-@O(wr8M!bSZ=uVPl$wZ{SGMt68Jpzb>P%-!K&H;!iP;G z?R}SlPyW9b4ofXgK=O-1C18+f=uk;^{t%6-xl+Tp8_D}x1h}~BW2^4JtA`w{f|`9S z7K|P4Kp{|20#)%+za8U)5llSKU67Qf3PEm6nSR?Vuq_+9tWNAEP)I1_%AEALN9*_g zHKCc41EbZeiLX-=@rUD9wPO~u^}H{kA#)up!u&V0?qVWsMD-q2YuUD9NJ<);%$)U66}i4h2UnZv2BXPuhdhy%G+w_u-`2*0e?-NN?pH?npR>eTR;fcYboJ%FCb;z4C>98$DGb!9*J*9au9YXvD*Ohcnvy4=b^!s ziBW~391T#DGMf0?Lw8b{tJowmGerXaHNnB|&IN{d$~Y>2uHQ;YJ-vY%RJZzAI?^g) z7}ynn@2?q0dk#EG4No^#ipGTc=!=ld;%F`#3vV#5u-XO4h{57)pLo=rV9W8Pyy$TO+6a%jkdw8R>oWWxg zFk;A)2x|AvJ4DWU9|++88lU{3jZ;7>r^Z72@Z6;it59}df$SczYe0DaNUfITh%Mmu z82aJh7k*>v^5u7s&6jMrpN;3~73c#RaIcm?&40gEG$@i~fO{AD^GMb6zrMqVqF@m4 
zUOYIu_JsZ8huqE#Sat4naxGHAG{^g;r+;aY$wfTj9Rt4kYQkSvYY_uowTeIhsEN;Mf2qbT#4p)CKrJ=+wbyi-Y6k&u70Q?z9(dj<@E{ zCjnA>5-^w}{|+WeUmatr(8`06N-!Pcir^1}-}z&^ZG;@kP7ct$FFjl&)&yx9$3$RG zAA%E;&zw{s&Kg<_%k`xV%bWsqiTApia2q-BNA2;$YxNN={|{)LVyhZ07%<` z$Mdk86pPRrsFQxb4dQlSD&+p2CH_6Y&;{UAPZDaXn_HDhNaG_YY#zsePXvaIKilbU z%+tK--3Q300JfeGVERe3HJwZjD}6wf2j=J!93O~dn@*zQv5?2sdTq#349J|t zdylVgVFdmK-VDhFLh`-PnI^oW5&Xnl3&`$c^7=d<57{5!Yt!s-K#?NL=Te8?5P;6_ zTm9q|6^2Cr{PzMKK*M!>dr|DPmsADg7+2{Ou=d?9Nbd-6QekU3r$0sVJW*4rz&%^xOi#7HzUHQ7qsFl7)`jLuWv;0b`wM(+2Ro_2oM$A*-5h zr53@j#cM{e7>-7CaOU3vA-lnbalh+M`}j9Rt}XJn>OqlF@8VTF1|AR$4$^oUr?Z0o z7^C&b?@I=@t_!|i92mF>#oKVCkLDrI6ZP_C%v#jqF3HlkJ8Pn9y9YA2P%X&zEG4ovEukNT^uR49E_9!c4z;c0TYT zF?+}yg!ZnXLsklD??6sj?*|K{J6(N@wk?p#Z;){B>4|kW(yRt7E&4d&mEQ?mMoV

(=WtOZ#KGW;fsu0HSHgqK%4LP{>!!1;YY}6a zCU93_%TX4E`MZhs1QFSV4`)T1VQEsaHmebl?W3R%iFKx#74PRJlc?^oxw?AN_7vMQ z3774f7VN_>8+|YpbRM|03KndZSaz0;{avn)FoR}=%?k;WAwEbUtr}dh1#XYr@b3iB z;3h+AS$BryA=`z)E+&(Rx7QWZsDDdQN+b}F81+fmGWS*X%l+#&v`RWR8Pho=vxYw7 zor^{@!dJZ_Ig$2+q00$b^R{!Na0;6Lx-rWp`kh}kXm*It@H(>fCR;;S&!+_F z<%;*g-uUb%y9hexutjGc-SfmF9i&QA84-};`7gPIa?t}F>IDA|MuXQgSwVE3-A$aA zDe+k647~XZIzh^}+I&6*B}NeW(L9T?`f;O0W&~nSx;9w*!<~IO=NFge#OCZoK6EP3 zrzVI{K7{2M+=>(!9Jg72L={Bv*MX3p=49 zHAAH`7RiHj0;NKcggolJ6D2w zaHtCt$X%$8)1DkKZS6$anj=3aze;^CfkP%Cs)LIvja z@h>PaZ3#+FzZ~%4P97M|U%7t7_FHnij>TngCj_D?hGin9Z}y63mCx#$DGX-|5Nd=? zAFVP!i z>q<>qU9#RlTB)ve%Y-bRO*LJ1j1cQ!rJ6jeA6K-hc2$9XzPz~~tkN52crA})Ax0#)&sTk< zMyq&ts+H_{Ej}tZvs9M#ukIOL-FQ>ZG#8`OwD?sSS-5)PM#rpA zQs_TQyX4^26#Fak^jRG|2}wS=ClPt$uX&CdMSH;5kakworl@D1$8GZ}bO)=C;g}Jh zqHNZTnKUSt8S6dI1MDus|1_Kaj(V~jhtG8B20oc2(3L9t0Tl4N0DKZ0)&1(b)xuXs z-F>8q7Wez7SM`7zvU>{e;{Yz@S9ULcTM+j~ zF24_#8Z`RBRnPYMubakVhxkAKUiq=oG}QmP#sGHG>fhHjB<(ZeXNZ?1AWpFU>ymZ* cvwQweI52R(7j*6^CjpnXh5@cg%|7aX0e^o#-T(jq From a449d5e4cc46ef6a2dde87cbec166da16feb89f9 Mon Sep 17 00:00:00 2001 From: Craig Peters Date: Tue, 12 Mar 2019 17:54:24 -0700 Subject: [PATCH 07/32] updated note tags --- .../getting-started-guides/windows/_index.md | 55 +++++++++---------- 1 file changed, 27 insertions(+), 28 deletions(-) diff --git a/content/en/docs/getting-started-guides/windows/_index.md b/content/en/docs/getting-started-guides/windows/_index.md index 1650b361a9bc0..9d0abc80a62dd 100644 --- a/content/en/docs/getting-started-guides/windows/_index.md +++ b/content/en/docs/getting-started-guides/windows/_index.md 
@@ -3,7 +3,7 @@ title: Using Windows Server Containers in Kubernetes toc_hide: true --- {{< note >}} -These instructions are under revision for the v1.14 release with a [tracking issue](https://github.com/kubernetes/website/issues/12426). You can find the WIP draft in a [Google Doc](https://docs.google.com/document/d/1a2bRd7PZXygIEm4cEcCeLXpEqJ7opakP_j4Pc6AJVYA/edit?usp=sharing) +These instructions are under review for the v1.14 release with a [tracking issue](https://github.com/kubernetes/website/issues/12426). {{< /note >}} ## ​Motivation @@ -17,8 +17,9 @@ To enable the orchestration of Windows containers in Kubernetes, simply include In order to run Windows containers, your Kubernetes cluster must include multiple operating systems, with control plane nodes running Linux and workers running either Windows or Linux depending on your workload needs. Windows Server 2019 is the only Windows operating system supported, enabling [Kubernetes Node](https://github.com/kubernetes/community/blob/master/contributors/design-proposals/architecture/architecture.md#the-kubernetes-node) on Windows (including kubelet, [container runtime](https://docs.microsoft.com/en-us/virtualization/windowscontainers/deploy-containers/containerd), and kube-proxy). For a detailed explanation of Windows distribution channels see the [Microsoft documentation](https://docs.microsoft.com/en-us/windows-server/get-started-19/servicing-channels-19). -NOTE: The Kubernetes control plane, including the [master components](https://kubernetes.io/docs/concepts/overview/components/), will continue to run on Linux. There are no plans have a Windows-only Kubernetes cluster. - +{{< note >}} +The Kubernetes control plane, including the [master components](https://kubernetes.io/docs/concepts/overview/components/), will continue to run on Linux. There are no plans have a Windows-only Kubernetes cluster. +{{}} ## ​Supported Functionality and Limitations 
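Review bot: In the second hunk (@@ -17,8 +17,9 @@) the note is closed with `+{{}}`, which is not a Hugo shortcode close; Hugo passes it through as literal text and the `{{< note >}}` stays open, so everything from `## Supported Functionality and Limitations` onward renders inside the note box. The closing line should be `{{< /note >}}`. While that line is being rewritten, also fix the sentence it carries, `There are no plans have a Windows-only Kubernetes cluster`, to `There are no plans to have a Windows-only Kubernetes cluster`. The headings in the surrounding context (`## ​Motivation`, `## ​Supported Functionality and Limitations`) contain an invisible character after `## `, most likely a zero-width space left by the Google Doc export, which will end up in the generated heading ids and anchors; strip it.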
@@ -67,12 +68,12 @@ Let's start with the operating system version. Refer to the following table for - - NOTE: The Windows Server Host Operating System is subject to the [Windows Server ](https://www.microsoft.com/en-us/cloud-platform/windows-server-pricing) licensing. The Windows Container images are subject to the [Supplemental License Terms for Windows containers](https://docs.microsoft.com/en-us/virtualization/windowscontainers/images-eula). - - - NOTE: Windows containers have strict compatibility rules, [where the host OS version must match the container base image OS version.](https://docs.microsoft.com/en-us/virtualization/windowscontainers/deploy-containers/version-compatibility) - +{{< note >}} + The Windows Server Host Operating System is subject to the [Windows Server ](https://www.microsoft.com/en-us/cloud-platform/windows-server-pricing) licensing. The Windows Container images are subject to the [Supplemental License Terms for Windows containers](https://docs.microsoft.com/en-us/virtualization/windowscontainers/images-eula). +{{}} +{{< note >}} + Windows containers have strict compatibility rules, [where the host OS version must match the container base image OS version.](https://docs.microsoft.com/en-us/virtualization/windowscontainers/deploy-containers/version-compatibility) +{{}} Key Kubernetes elements work the same way in Windows as they do in Linux. In this section, we will talk about some of the key workload enablers and how they map to Windows. 
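Review bot: Both notes added in this hunk are closed with `+{{}}` instead of `+{{< /note >}}`, so the licensing note, the compatibility note and the paragraph beginning `Key Kubernetes elements work the same way` would all render inside one unterminated note. The note bodies also keep a leading space inherited from the old `- NOTE:` bullets (` The Windows Server Host Operating System ...`); trim it so the notes match the others in the file. The link text `[Windows Server ](https://www.microsoft.com/en-us/cloud-platform/windows-server-pricing)` has a trailing space inside the brackets, which renders as a trailing underlined blank.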
@@ -610,9 +611,9 @@ net-conf.json: | * VNI 4096 is set in the backend * Port 4789 is set in the backend 2. In the `cni-conf.json` section of your `kube-flannel.yml`, change the network name to "`vxlan0"`. - -Note: The VNI must be set to 4096 and port 4789 for Flannel on Linux to interoperate with Flannel on Windows. Support for other VNIs is coming soon. See [VXLAN](https://github.com/coreos/flannel/blob/master/Documentation/backends.md#vxlan) for an explanation of these fields. - +{{< note >}} +The VNI must be set to 4096 and port 4789 for Flannel on Linux to interoperate with Flannel on Windows. Support for other VNIs is coming soon. See [VXLAN](https://github.com/coreos/flannel/blob/master/Documentation/backends.md#vxlan) for an explanation of these fields. +{{< note >}} Your `cni-conf.json` should look as follows: @@ -680,9 +681,9 @@ In this section we'll cover configuring a Windows node from scratch to join a cl #### Preparing a Windows Node - -Note: All code snippets in Windows sections are to be run in a PowerShell environment with elevated permissions (Admin). - +{{< note >}} +All code snippets in Windows sections are to be run in a PowerShell environment with elevated permissions (Admin). +{{}} 1. Install Docker (requires a system reboot) 
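Review bot: The first hunk (@@ -610,9 +611,9 @@) ends the VNI/port note with a second `+{{< note >}}` rather than `{{< /note >}}`, which opens a nested note instead of closing the first one; change the last added line to `{{< /note >}}`. The second hunk (@@ -680,9 +681,9 @@) has the same problem as the earlier hunks: `+{{}}` should be `+{{< /note >}}`.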
@@ -714,17 +715,15 @@ If so then you need to restart the docker service manually: Start-Service docker ``` - -Note: the "pause" (infrastructure) image is on Microsoft Container Registry (MCR) and the DOCKERFILE is available at [https://github.com/Microsoft/SDN/blob/master/Kubernetes/windows/Dockerfile](https://github.com/Microsoft/SDN/blob/master/Kubernetes/windows/Dockerfile) - +{{< note >}} +The "pause" (infrastructure) image is on Microsoft Container Registry (MCR) and the DOCKERFILE is available at [https://github.com/Microsoft/SDN/blob/master/Kubernetes/windows/Dockerfile](https://github.com/Microsoft/SDN/blob/master/Kubernetes/windows/Dockerfile) +{{}} ``` docker pull mcr.microsoft.com/k8s/core/pause:1.0.0 ``` - - 2. Prepare a Windows directory for Kubernetes Create a "Kubernetes for Windows" directory to store Kubernetes binaries as well as any deployment scripts and config files. 
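Review bot: `+{{}}` should be `+{{< /note >}}` here as well. Minor: the note text spells `DOCKERFILE` in capitals while the rest of the page uses `Dockerfile`; since the line is being rewritten, normalise it. The hunk also drops the blank lines between the `docker pull` fenced block and `2. Prepare a Windows directory for Kubernetes`; check the rendered page to confirm the numbered list still continues at 2 after the fenced block.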
@@ -765,9 +764,9 @@ cd c:\k wget https://raw.githubusercontent.com/Microsoft/SDN/master/Kubernetes/flannel/start.ps1 -o c:\k\start.ps1 ``` - -Note: [start.ps1](https://github.com/Microsoft/SDN/blob/master/Kubernetes/flannel/start.ps1) references [install.ps1](https://github.com/Microsoft/SDN/blob/master/Kubernetes/windows/install.ps1), which will download additional files such as the `flanneld` executable and the [Dockerfile for infrastructure pod](https://github.com/Microsoft/SDN/blob/master/Kubernetes/windows/Dockerfile) and install those for you. For overlay networking mode, the [firewall](https://github.com/Microsoft/SDN/blob/master/Kubernetes/windows/helper.psm1#L111) will be opened for local UDP port 4789. There may be multiple powershell windows being opened/closed as well as a few seconds of network outage while the new external vSwitch for the pod network is being created the first time. Run the script using the arguments as specified below: - +{{< note >}} +[start.ps1](https://github.com/Microsoft/SDN/blob/master/Kubernetes/flannel/start.ps1) references [install.ps1](https://github.com/Microsoft/SDN/blob/master/Kubernetes/windows/install.ps1), which will download additional files such as the `flanneld` executable and the [Dockerfile for infrastructure pod](https://github.com/Microsoft/SDN/blob/master/Kubernetes/windows/Dockerfile) and install those for you. For overlay networking mode, the [firewall](https://github.com/Microsoft/SDN/blob/master/Kubernetes/windows/helper.psm1#L111) will be opened for local UDP port 4789. There may be multiple powershell windows being opened/closed as well as a few seconds of network outage while the new external vSwitch for the pod network is being created the first time. Run the script using the arguments as specified below: +{{}} ``` .\start.ps1 -ManagementIP -NetworkMode overlay -ClusterCIDR -ServiceCIDR -KubeDnsServiceIP -LogDir 
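Review bot: `+{{}}` should be `+{{< /note >}}`. Separately, the trailing context shows `.\start.ps1 -ManagementIP -NetworkMode overlay -ClusterCIDR -ServiceCIDR -KubeDnsServiceIP -LogDir` with no values after `-ManagementIP`, `-ClusterCIDR`, `-ServiceCIDR`, `-KubeDnsServiceIP` and `-LogDir`; this looks like angle-bracket placeholders that were stripped as HTML when the doc was exported. The placeholders need to be restored and escaped (or the block fenced) so the Markdown renderer does not remove them again.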
@@ -944,9 +943,9 @@ spec: beta.kubernetes.io/os: windows ``` - +{{< note >}} Note: Port mapping is also supported, but for simplicity in this example the container port 80 is exposed directly to the service. - +{{}} 2. Check that all nodes are healthy: @@ -977,9 +976,9 @@ Note: Port mapping is also supported, but for simplicity in this example the con * Service discovery, `curl` the service name with the Kubernetes[ default DNS suffix](https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#services) * Inbound connectivity, `curl` the NodePort from the Linux master or machines outside of the cluster * Outbound connectivity, `curl` external IPs from inside the pod using kubectl exec - -**Note: **Windows _container hosts_ are not able to access the IP of services scheduled on them due to current platform limitations of the Windows networking stack. Only Windows _pods_ are able to access service IPs. - +{{< note >}} +**Windows _container hosts_ are not able to access the IP of services scheduled on them due to current platform limitations of the Windows networking stack. Only Windows _pods_ are able to access service IPs. +{{}} ## Managing Workload Identity with Group Managed Service Accounts From 06c757899b7b4e91f5a1a1202c78dae99534d6e2 Mon Sep 17 00:00:00 2001 From: Michael Michael Date: Tue, 12 Mar 2019 22:33:29 -0500 Subject: [PATCH 08/32] Delete windows-contributing.md deleting this file as it is already ported to the github contributor guide --- .../windows/windows-contributing.md | 103 ------------------ 1 file changed, 103 deletions(-) delete mode 100644 content/en/docs/getting-started-guides/windows/windows-contributing.md diff --git a/content/en/docs/getting-started-guides/windows/windows-contributing.md b/content/en/docs/getting-started-guides/windows/windows-contributing.md deleted file mode 100644 index 11739f9d6a58d..0000000000000 --- a/content/en/docs/getting-started-guides/windows/windows-contributing.md +++ /dev/null 
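Review bot: In the first hunk (@@ -944,9 +943,9 @@) the retained line still starts with `Note: Port mapping is also supported`, and the site's note shortcode already renders its own Note label, so the prefix is doubled; drop the `Note: ` prefix and close with `{{< /note >}}` rather than `{{}}`. In the second hunk (@@ -977,9 +976,9 @@) the line `+**Windows _container hosts_ are not able to access ...` keeps the opening `**` from the removed `**Note: **` but has no closing `**`, so the bold never terminates; remove the stray `**` and replace `+{{}}` with `+{{< /note >}}` here too.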
@@ -1,103 +0,0 @@ -# Document 2: Windows Node contribution specifics - -[https://github.com/kubernetes/community/tree/master/contributors/guide](https://github.com/kubernetes/community/tree/master/contributors/guide) Under Contributing section - - -## Joining the SIG-Windows Mailing List and Slack Channel - -The best way to get in contact with the contributors working on Windows support is through the Kubernetes Slack. To get a Slack invite, visit [http://slack.k8s.io/](http://slack.k8s.io/) . Once you're logged in, join us in the [#SIG-Windows](https://kubernetes.slack.com/messages/C0SJ4AFB7) channel. - -To get access to shared documents, meeting calendar, and additional discussions, be sure to also join the [SIG-Windows Google Group](https://groups.google.com/forum/#!forum/kubernetes-sig-windows). - - -## Building Kubernetes for Windows from Source - -The Kubernetes build scripts have not been ported to Windows, so it's best to run in a Linux VM where you can run the same Docker container used in the official Kubernetes builds. This simplifies the steps, but means that you cannot build under Windows Subsystem for Linux (WSL). - -It's best to skim over the [Building Kubernetes](https://github.com/kubernetes/kubernetes/blob/master/build/README.md) guide if you have never built Kubernetes before to get the latest info. These steps are a summary focused on cross-building the Windows node binaries (kubelet & kube-proxy). - - -### ​Build Prerequisites - -At least 60GB of disk space is required, and 16GB of memory (or memory + swap). - -Once you have a VM, install Git, [Docker-CE](https://docs.docker.com/install/), and make. The build scripts will pull a Docker container with the required version of golang and other needed tools preinstalled. - -If you're using Ubuntu, then install the following packages: git, build-essential, [Docker-CE](https://docs.docker.com/install/linux/docker-ce/ubuntu/). 
- - -### ​Pulling a PR (optional) - -If there is a PR you would like to build, it's easy. You can create a working branch, pull the changes from GitHub in a patch, apply, then build. - -The examples here are based off a patch on GitHub: [https://github.com/kubernetes/kubernetes/pull/74788](https://github.com/kubernetes/kubernetes/pull/74788) . Be sure to replace the URL with the PR you want to test. - -First, make sure your local clone is up-to-date with master: `git checkout master ; git pull master` - -Next, create a branch in your repo: `git checkout -b pr74788` - -Now, get the patch for the PR you want. Append .patch to the URL, and download it with curl: `curl -L -o pr74788.patch https://github.com/kubernetes/kubernetes/pull/74788.patch` - -Merge it with ``patch -p1 < pr74788.patch`` - -If there are errors, fix them as needed. Once you're done, delete the .patch file and then `git commit` the rest to your local branch. - - -### Building Kubernetes binaries for Windows - -You can build individual components such as kubelet, kube-proxy, or kubectl by running `./build/run.sh make KUBE_BUILD_PLATFORMS=windows/amd64` such as `./build/run.sh make kubelet KUBE_BUILD_PLATFORMS=windows/amd64` - -If you would like to build all binaries at once, then run `./build/run.sh make cross KUBE_BUILD_PLATFORMS=windows/amd64` - -Once the build completes, the files will be in _output/dockerized/bin. - - -## Running Your Own Cluster - - -## Testing Your Changes - - -### Updating the Node binaries - -Once you have binaries built (see Building Kubernetes binaries for Windows), the easiest way to test them is to replace them on an existing cluster. Use the steps above to build a cluster in your cloud of choice. To update the binaries on an existing node, follow these steps: - - - -1. Drain & cordon a node with `kubectl drain ` -2. Connect to the node with SSH or Windows Remote Desktop, and start PowerShell -3. On the node, run `Stop-Service kubelet -Force` -4. 
Copy kubelet.exe and kube-proxy.exe to a cloud storage account, or use SSH to copy them directly to the node. -5. Overwrite the existing kubelet & kube-proxy binaries. If you don't know where they are, run `sc.exe qc kubelet` or `sc.exe qc kube-proxy` and look at the BINARY_PATH_NAME returned. -6. Start the updated kubelet & kube-proxy with `Start-Service kubelet` - - -### ​Running Tests - -For the most up-to-date steps on how to build and run tests, please go to [https://github.com/kubernetes-sigs/windows-testing](https://github.com/kubernetes-sigs/windows-testing) . It has everything you need to build and run tests, as well as links to the SIG-Windows configurations used on [TestGrid](https://testgrid.k8s.io/sig-windows). - - -## Reporting Issues - - -### Gathering Logs - -Gathering trouble shooting info for CNI. [https://github.com/kubernetes/kubernetes/issues/74766#issuecomment-468736127](https://github.com/kubernetes/kubernetes/issues/74766#issuecomment-468736127) - -On the node before creating the pod for the first time. - -start-birstranfer [https://raw.githubusercontent.com/Microsoft/SDN/master/Kubernetes/windows/debug/collectlogs.ps1](https://raw.githubusercontent.com/Microsoft/SDN/master/Kubernetes/windows/debug/collectlogs.ps1) - -run collectlogs.ps1 - -then start the trace by running the following command - -C:\k\debug\starthnstrace.cmd - -repro the issue - -run "netsh trace stop" - -then do again collectlogs.ps1 - -and send us both before and after collectlogs.ps1 and C:\server.etl From 7ad4efc39db495d3f933d23d2c05c13f2f393d68 Mon Sep 17 00:00:00 2001 From: Craig Peters Date: Tue, 12 Mar 2019 20:46:33 -0700 Subject: [PATCH 09/32] fixed formatting in intro and cluster setup guide --- .../getting-started-guides/windows/_index.md | 467 +++++++----------- 1 file changed, 174 insertions(+), 293 deletions(-) 
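Review bot: Before merging the deletion of `windows-contributing.md`, confirm nothing else in the site still links to it (the `_index.md` in the same directory is the obvious candidate), otherwise the removal leaves dangling links or a Hugo ref error. The commit message says the material is already in the GitHub contributor guide; a link to that guide from the remaining Windows page would preserve discoverability for readers who had the old URL. The deleted content supports the removal: it opens with `# Document 2:` and a bare URL, which reads as an unedited Google Doc export rather than publishable documentation.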
diff --git a/content/en/docs/getting-started-guides/windows/_index.md b/content/en/docs/getting-started-guides/windows/_index.md index 9d0abc80a62dd..a73e56fc6fe76 100644 --- a/content/en/docs/getting-started-guides/windows/_index.md +++ b/content/en/docs/getting-started-guides/windows/_index.md @@ -19,21 +19,18 @@ In order to run Windows containers, your Kubernetes cluster must include multipl {{< note >}} The Kubernetes control plane, including the [master components](https://kubernetes.io/docs/concepts/overview/components/), will continue to run on Linux. There are no plans have a Windows-only Kubernetes cluster. -{{}} +{{< /note >}} ## ​Supported Functionality and Limitations - ### ​Supported Functionality - #### Compute From an API and kubectl perspective, Windows containers behave in much the same way as Linux-based containers. However, there are some notable differences in key functionality which are outlined in the limitation section. Let's start with the operating system version. Refer to the following table for Windows operating system support in Kubernetes. A single heterogeneous Kubernetes cluster can have both Windows and Linux worker nodes. Windows containers have to be scheduled on Windows nodes and Linux containers on Linux nodes. -
Kubernetes version @@ -67,103 +64,87 @@ Let's start with the operating system version. Refer to the following table for
- {{< note >}} The Windows Server Host Operating System is subject to the [Windows Server ](https://www.microsoft.com/en-us/cloud-platform/windows-server-pricing) licensing. The Windows Container images are subject to the [Supplemental License Terms for Windows containers](https://docs.microsoft.com/en-us/virtualization/windowscontainers/images-eula). -{{}} +{{< /note >}} {{< note >}} Windows containers have strict compatibility rules, [where the host OS version must match the container base image OS version.](https://docs.microsoft.com/en-us/virtualization/windowscontainers/deploy-containers/version-compatibility) -{{}} -Key Kubernetes elements work the same way in Windows as they do in Linux. In this section, we will talk about some of the key workload enablers and how they map to Windows. - - - -* [Pods](https://kubernetes.io/docs/concepts/workloads/pods/pod-overview/) +{{< /note >}} - A Pod is the basic building block of Kubernetes–the smallest and simplest unit in the Kubernetes object model that you create or deploy. The following Pod capabilities, properties and events are supported with Windows containers: +Key Kubernetes elements work the same way in Windows as they do in Linux. In this section, we will talk about some of the key workload enablers and how they map to Windows. +* [Pods](https://kubernetes.io/docs/concepts/workloads/pods/pod-overview/) + A Pod is the basic building block of Kubernetes–the smallest and simplest unit in the Kubernetes object model that you create or deploy. 
The following Pod capabilities, properties and events are supported with Windows containers: - * Single or multiple containers per Pod with process isolation and volume sharing - * Pod status fields - * Readiness and Liveness probes - * postStart & preStop container lifecycle events - * ConfigMap, Secrets: as environment variables or volumes - * EmptyDir - * Named pipe host mounts - * Resource limits -* [Controllers](https://kubernetes.io/docs/concepts/workloads/controllers/) + * Single or multiple containers per Pod with process isolation and volume sharing + * Pod status fields + * Readiness and Liveness probes + * postStart & preStop container lifecycle events + * ConfigMap, Secrets: as environment variables or volumes + * EmptyDir + * Named pipe host mounts + * Resource limits +* [Controllers](https://kubernetes.io/docs/concepts/workloads/controllers/) Kubernetes controllers handle the desired state of Pods. The following workload controllers are supported with Windows containers: - * ReplicaSet - * ReplicationController - * Deployments - * StatefulSets - * DaemonSet - * Job - * CronJob -* [Services](https://kubernetes.io/docs/concepts/services-networking/service/) + * ReplicaSet + * ReplicationController + * Deployments + * StatefulSets + * DaemonSet + * Job + * CronJob +* [Services](https://kubernetes.io/docs/concepts/services-networking/service/) A Kubernetes Service is an abstraction which defines a logical set of Pods and a policy by which to access them - sometimes called a micro-service. You can use services for cross-operating system connectivity. 
In Windows, services can utilize the following types, properties and capabilities: - * Service Environment variables - * NodePort - * ClusterIP - * LoadBalancer - * ExternalName - * Headless services + * Service Environment variables + * NodePort + * ClusterIP + * LoadBalancer + * ExternalName + * Headless services Pods, Controllers and Services are critical elements to managing Windows workloads on Kubernetes. However, on their own they are not enough to enable the proper lifecycle management of Windows workloads in a dynamic cloud native environment. We added support for the following features: - - -* Pod and container metrics -* Horizontal Pod Autoscaler support -* KubeCtl Exec -* Resource Quotas -* Scheduler preemption - +* Pod and container metrics +* Horizontal Pod Autoscaler support +* KubeCtl Exec +* Resource Quotas +* Scheduler preemption #### Container Runtime Docker EE-basic 18.09 is required on Windows Server 2019 / 1809 nodes for Kubernetes. This works with the dockershim code included in the kubelet. Additional runtimes such as CRI-ContainerD may be supported in later Kubernetes versions. - #### Storage Kubernetes Volumes enable complex applications with data persistence and Pod volume sharing requirements to be deployed on Kubernetes. 
Kubernetes on Windows supports the following types of [volumes](https://kubernetes.io/docs/concepts/storage/volumes/): - - -* FlexVolume out-of-tree plugin with [SMB and iSCSI ](https://github.com/Microsoft/K8s-Storage-Plugins/tree/master/flexvolume/windows)support -* [azureDisk](https://kubernetes.io/docs/concepts/storage/volumes/#azuredisk) -* [azureFile ](https://kubernetes.io/docs/concepts/storage/volumes/#azurefile) - +* FlexVolume out-of-tree plugin with [SMB and iSCSI](https://github.com/Microsoft/K8s-Storage-Plugins/tree/master/flexvolume/windows)support +* [azureDisk](https://kubernetes.io/docs/concepts/storage/volumes/#azuredisk) +* [azureFile](https://kubernetes.io/docs/concepts/storage/volumes/#azurefile) #### ​Networking Networking for Windows containers is exposed through [CNI plugins](https://kubernetes.io/docs/concepts/extend-kubernetes/compute-storage-net/network-plugins/). Windows containers function similarly to virtual machines in regards to networking. Each container has a virtual network adapter (vNIC) which is connected to a Hyper-V virtual switch (vSwitch). The Host Networking Service (HNS) and the Host Compute Service (HCS) work together to create containers and attach container vNICs to networks. HCS is responsible for the management of containers whereas HNS is responsible for the management of networking resources such as: - - -* Virtual networks (including creation of vSwitches) -* Endpoints / vNICs -* Namespaces -* Policies (Packet encapsulations, Load-balancing rules, ACLs, NAT'ing rules, etc.) +* Virtual networks (including creation of vSwitches) +* Endpoints / vNICs +* Namespaces +* Policies (Packet encapsulations, Load-balancing rules, ACLs, NAT'ing rules, etc.) The following service spec types are supported: - - -* NodePort -* ClusterIP -* LoadBalancer -* ExternalName +* NodePort +* ClusterIP +* LoadBalancer +* ExternalName Windows supports five different networking drivers/modes: L2bridge, L2tunnel, Overlay, Transparent, and NAT. 
In a heterogeneous cluster with Windows and Linux work nodes, you need to select a networking solution that is compatible on both Windows and Linux. The following out-of-tree plugins are supported on Windows, with recommendations on when to use each CNI: - @@ -241,65 +221,51 @@ Windows supports five different networking drivers/modes: L2bridge, L2tunnel, Ov
Network Driver @@ -209,8 +190,7 @@ Windows supports five different networking drivers/modes: L2bridge, L2tunnel, Ov Encapsulated with an outer header, inner packet remains the same. Win-overlay, Flannel VXLAN (uses win-overlay), -

-OVN-Kubernetes (uses OpenVSwitch on Windows - Prebuilt certified installer), requires KB4482887 + OVN-Kubernetes (uses OpenVSwitch on Windows - Prebuilt certified installer), requires KB4482887

win-overlay should be used when virtual container networks are desired to be isolated from underlay of hosts (e.g. for security reasons). Allows for IPs to be re-used for different overlay networks (which have different VNID tags) if you are restricted on IPs in your datacenter. This option may be used when the container hosts are not L2 adjacent but have L3 connectivity
- Furthermore, for simplified consumption of the win-bridge and win-overlay plugins for end-users with automated network configurations, [Flannel](https://github.com/coreos/flannel) has added support for Windows in their [meta plugin](https://github.com/containernetworking/plugins/tree/master/plugins/meta/flannel) via the [VXLAN network backend](https://github.com/coreos/flannel/blob/master/Documentation/backends.md#vxlan) (**alpha support** ; delegates to win-overlay) and [host-gateway network backend](https://github.com/coreos/flannel/blob/master/Documentation/backends.md#host-gw) (stable support; delegates to win-bridge) with the [host-local plugin](https://github.com/containernetworking/plugins/tree/master/plugins/ipam/host-local) used for IP address management and the meta CNI network plugin [flannel](https://github.com/containernetworking/plugins/tree/master/plugins/meta/flannel#windows-support-experimental) for interacting between the delegated CNI plugin (win-bridge or win-overlay) and providing the host-local IPAM the correct range from subnet.env file provisioned by the flanneld agent. 
For the node, pod, and service objects, the following network flows are supported for TCP/UDP traffic: - - -* Pod -> Pod (IP) -* Pod -> Pod (Name) -* Pod -> Service (Cluster IP) -* Pod -> Service (PQDN, but only if there are no ".") -* Pod -> Service (FQDN) -* Pod -> External (IP) -* Pod -> External (DNS) -* Node -> Pod -* Pod -> Node +* Pod -> Pod (IP) +* Pod -> Pod (Name) +* Pod -> Service (Cluster IP) +* Pod -> Service (PQDN, but only if there are no ".") +* Pod -> Service (FQDN) +* Pod -> External (IP) +* Pod -> External (DNS) +* Node -> Pod +* Pod -> Node The following IPAM options are supported on Windows: - - -* [Host-local](https://github.com/containernetworking/plugins/tree/master/plugins/ipam/host-local) -* HNS IPAM (Inbox platform IPAM, this is a fallback when no IPAM is set) -* [Azure-vnet-ipam](https://github.com/Azure/azure-container-networking/blob/master/docs/ipam.md) (for azure-cni only) - +* [Host-local](https://github.com/containernetworking/plugins/tree/master/plugins/ipam/host-local) +* HNS IPAM (Inbox platform IPAM, this is a fallback when no IPAM is set) +* [Azure-vnet-ipam](https://github.com/Azure/azure-container-networking/blob/master/docs/ipam.md) (for azure-cni only) ### ​​​​Limitations - #### Control Plane Windows is only supported as a worker node in the Kubernetes architecture and component matrix. This means that a Kubernetes cluster must always include Linux master nodes, zero or more Linux worker nodes, and zero or more Windows worker nodes. - #### ​Compute - ##### Resource management and process isolation Linux cgroups are used as a pod boundary for resource controls in Linux. Containers are created within that boundary for network, process and file system isolation. The cgroups APIs can be used to gather cpu/io/memory stats. In contrast, Windows uses a Job object per container with a system namespace filter to contain all processes in a container and provide logical isolation from the host. 
There is no way to run a Windows container without the namespace filtering in place. This means that system privileges cannot be asserted in the context of the host, and thus privileged containers are not available on Windows. Containers cannot assume an identity from the host because the Security Account Manager (SAM) is separate. - ##### Operating System Restrictions -Windows has strict compatibility rules, where the host OS version must match the container base image OS version. Only Windows containers with a container operating system of Windows Server 2019 are supported. Hyper-V isolation of containers, enabling some backward compatibility of Windows container image versions, is planned for a future release. - +Windows has strict compatibility rules, where the host OS version must match the container base image OS version. Only Windows containers with a container operating system of Windows Server 2019 are supported. Hyper-V isolation of containers, enabling some backward compatibility of Windows container image versions, is planned for a future release. ##### Feature Restrictions - - -* TerminationGracePeriod: not implemented -* Single file mapping: to be implemented with CRI-ContainerD -* Termination message: to be implemented with CRI-ContainerD -* Privileged Containers: not currently supported in Windows containers -* HugePages -* The existing node problem detector is Linux-only and requires privileged containers. In general, we don't expect this to be used on Windows because privileged containers are not supported -* Not all features of shared namespaces are supported (see API section for more details) - +* TerminationGracePeriod: not implemented +* Single file mapping: to be implemented with CRI-ContainerD +* Termination message: to be implemented with CRI-ContainerD +* Privileged Containers: not currently supported in Windows containers +* HugePages +* The existing node problem detector is Linux-only and requires privileged containers. 
In general, we don't expect this to be used on Windows because privileged containers are not supported +* Not all features of shared namespaces are supported (see API section for more details) ##### Memory Reservations and Handling 
@@ -311,87 +277,70 @@ A best practice to avoid over-provisioning is to configure the kubelet with a sy The behaviour of the flags behave differently as described below: - - -* --kubelet-reserve, --system-reserve , and --eviction-hard flags update Node Allocatable -* Eviction by using --enforce-node-allocable is not implemented -* Eviction by using --eviction-hard and --eviction-soft are not implemented -* MemoryPressure Condition is not implemented -* There are no OOM eviction actions taken by the kubelet -* Kubelet running on the windows node does not have memory restrictions. --kubelet-reserve and --system-reserve do not set limits on kubelet or processes running the host. This means kubelet or a process on the host could cause memory resource starvation outside the node-allocatable and scheduler - +* --kubelet-reserve, --system-reserve , and --eviction-hard flags update Node Allocatable +* Eviction by using --enforce-node-allocable is not implemented +* Eviction by using --eviction-hard and --eviction-soft are not implemented +* MemoryPressure Condition is not implemented +* There are no OOM eviction actions taken by the kubelet +* Kubelet running on the windows node does not have memory restrictions. --kubelet-reserve and --system-reserve do not set limits on kubelet or processes running the host. This means kubelet or a process on the host could cause memory resource starvation outside the node-allocatable and scheduler #### ​Storage Windows has a layered filesystem driver to mount container layers and create a copy filesystem based on NTFS. All file paths in the container are resolved only within the context of that container. - - -* Volume mounts can only target a directory in the container, and not an individual file -* Volume mounts cannot project files or directories back to the host filesystem -* Read-only filesystems are not supported because write access is always required for the Windows registry and SAM database. 
However, read-only volumes are supported -* Volume user-masks and permissions are not available. Because the SAM is not shared between the host & container, there's no mapping between them. All permissions are resolved within the context of the container +* Volume mounts can only target a directory in the container, and not an individual file +* Volume mounts cannot project files or directories back to the host filesystem +* Read-only filesystems are not supported because write access is always required for the Windows registry and SAM database. However, read-only volumes are supported +* Volume user-masks and permissions are not available. Because the SAM is not shared between the host & container, there's no mapping between them. All permissions are resolved within the context of the container As a result, the following storage functionality is not supported on Windows nodes - - -* Windows does not support volume subpath mounts. Only the entire volume can be mounted in a Windows container. -* Subpath volume mounting for Secrets -* Host mount projection -* DefaultMode (due to UID/GID dependency) -* Read-only root filesystem. Mapped volumes still support readOnly -* Block device mapping -* Memory as the storage medium -* CSI plugins which require privileged containers -* File system features like uui/guid, per-user Linux filesystem permissions -* NFS based storage/volume support - +* Windows does not support volume subpath mounts. Only the entire volume can be mounted in a Windows container. +* Subpath volume mounting for Secrets +* Host mount projection +* DefaultMode (due to UID/GID dependency) +* Read-only root filesystem. 
Mapped volumes still support readOnly +* Block device mapping +* Memory as the storage medium +* CSI plugins which require privileged containers +* File system features like uui/guid, per-user Linux filesystem permissions +* NFS based storage/volume support #### Networking -Windows Container Networking differs in some important ways from Linux networking. The [Microsoft documentation for Windows Container Networking](https://docs.microsoft.com/en-us/virtualization/windowscontainers/container-networking/architecture) contains additional details and background. +Windows Container Networking differs in some important ways from Linux networking. The [Microsoft documentation for Windows Container Networking](https://docs.microsoft.com/en-us/virtualization/windowscontainers/container-networking/architecture) contains additional details and background. The Windows host networking networking service and virtual switch implement namespacing and can create virtual NICs as needed for a pod or container. However, many configurations such as DNS, routes, and metrics are stored in the Windows registry database rather than /etc/... files as they are on Linux. The Windows registry for the container is separate from that of the host, so concepts like mapping /etc/resolv.conf from the host into a container don't have the same effect they would on Linux. These must be configured using Windows APIs run in the context of that container. Therefore CNI implementations need to call the HNS instead of relying on file mappings to pass network details into the pod or container. The following networking functionality is not supported on Windows nodes - - -* Host networking mode is not available for Windows pods -* Local NodePort access from the node itself will fail (works for other nodes or external clients) -* Accessing service VIPs from nodes will be available with a future release of Windows Server -* Overlay networking support in kube-proxy is an alpha release. 
In addition, it requires [KB4482887](https://support.microsoft.com/en-us/help/4482887/windows-10-update-kb4482887) to be installed on Windows Server 2019 -* Outbound communication using the ICMP protocol via the win-overlay, win-bridge, and Azure-CNI plugin. Specifically, the Windows data plane ([VFP](https://www.microsoft.com/en-us/research/project/azure-virtual-filtering-platform/)) doesn't support ICMP packet transpositions. This means: - * ICMP packets directed to destinations within the same network (e.g. pod to pod communication via ping) will work as expected and without any limitations - * TCP/UDP packets will work as expected and without any limitations - * ICMP packets directed to pass through a remote network (e.g. pod to external internet communication via ping) cannot be transposed and thus will not be routed back to their source - * Since TCP/UDP packets can still be transposed, one can substitute **ping ** with **curl ** to be able to debug connectivity to the outside world. - +* Host networking mode is not available for Windows pods +* Local NodePort access from the node itself will fail (works for other nodes or external clients) +* Accessing service VIPs from nodes will be available with a future release of Windows Server +* Overlay networking support in kube-proxy is an alpha release. In addition, it requires [KB4482887](https://support.microsoft.com/en-us/help/4482887/windows-10-update-kb4482887) to be installed on Windows Server 2019 +* Outbound communication using the ICMP protocol via the win-overlay, win-bridge, and Azure-CNI plugin. Specifically, the Windows data plane ([VFP](https://www.microsoft.com/en-us/research/project/azure-virtual-filtering-platform/)) doesn't support ICMP packet transpositions. This means: + * ICMP packets directed to destinations within the same network (e.g. 
pod to pod communication via ping) will work as expected and without any limitations + * TCP/UDP packets will work as expected and without any limitations + * ICMP packets directed to pass through a remote network (e.g. pod to external internet communication via ping) cannot be transposed and thus will not be routed back to their source + * Since TCP/UDP packets can still be transposed, one can substitute **ping ** with **curl ** to be able to debug connectivity to the outside world. ##### CNI Plugins +* Windows reference network plugins win-bridge and win-overlay do not currently implement [CNI spec](https://github.com/containernetworking/cni/blob/master/SPEC.md) v0.4.0 due to missing "CHECK" implementation. +* The Flannel VXLAN CNI has the following limitations on Windows: - -* Windows reference network plugins win-bridge and win-overlay do not currently implement [CNI spec](https://github.com/containernetworking/cni/blob/master/SPEC.md) v0.4.0 due to missing "CHECK" implementation. -* The Flannel VXLAN CNI has the following limitations on Windows: 1. Node-pod connectivity isn't possible by design. It's only possible for local pods with Flannel PR[ https://github.com/coreos/flannel/pull/1096](https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Fcoreos%2Fflannel%2Fpull%2F1096&data=02%7C01%7CDavid.Schott%40microsoft.com%7Cfa26c088fac743188e7d08d69ea3d836%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C636870823885740325&sdata=1QEvw9Gh6IioT7ruVhhXAlSgN1a%2FMsqn4ViDQSSSVjs%3D&reserved=0) 2. We are restricted to using VNI 4096 and UDP port 4789. The VNI limitation is being worked on and will be overcome (open-source flannel changes). See official [Flannel VXLAN ](https://github.com/coreos/flannel/blob/master/Documentation/backends.md#vxlan)backend docs for more details on these parameters. - ##### DNS +* ClusterFirstWithHostNet is not supported for DNS. Windows treats all names with a '.' 
as a FQDN and skips PQDN resolution +* On Linux, you have a DNS suffix list, which is used when trying to resolve PQDNs. On Windows, we only have 1 DNS suffix, which is the the DNS suffix associated with that pod's namespace (mydns.svc.cluster.local for example). Windows can resolve FQDNs and services or names resolvable with just that suffix. For example, a pod spawned in the default namespace, will have the DNS suffix **default.svc.cluster.local**. On a Windows pod, we will be able to resolve both **kubernetes.default.svc.cluster.local** and **kubernetes**, but not the in-betweens, like **kubernetes.default** or **kubernetes.default.svc**. - -* ClusterFirstWithHostNet is not supported for DNS. Windows treats all names with a '.' as a FQDN and skips PQDN resolution -* On Linux, you have a DNS suffix list, which is used when trying to resolve PQDNs. On Windows, we only have 1 DNS suffix, which is the the DNS suffix associated with that pod's namespace (mydns.svc.cluster.local for example). Windows can resolve FQDNs and services or names resolvable with just that suffix. For example, a pod spawned in the default namespace, will have the DNS suffix **default.svc.cluster.local**. On a Windows pod, we will be able to resolve both **kubernetes.default.svc.cluster.local** and **kubernetes**, but not the in-betweens, like **kubernetes.default** or **kubernetes.default.svc**. - -Security +##### Security Secrets are written in clear text on the node's volume (as compared to tmpfs/in-memory on linux). This means customers have to do two things - - 1. Use file ACLs to secure the secrets file location 2. ​Use volume-level encryption using [BitLocker](https://docs.microsoft.com/en-us/windows/security/information-protection/bitlocker/bitlocker-how-to-deploy-on-windows-server) 
@@ -401,105 +350,84 @@ Linux specific pod security context privileges such as SELinux, AppArmor, Seccom In addition, as mentioned already, privileged containers are not supported on Windows. - #### API -There are no differences in how most of the Kubernetes APIs work for Windows. The subtleties around what's different come down to differences in the OS and container runtime. In certain situations, some properties on workload APIs such as Pod or Container were designed with an assumption that they are implemented on Linux, failing to run on Windows. \ - \ -At a high level, these OS concepts are different: - +There are no differences in how most of the Kubernetes APIs work for Windows. The subtleties around what's different come down to differences in the OS and container runtime. In certain situations, some properties on workload APIs such as Pod or Container were designed with an assumption that they are implemented on Linux, failing to run on Windows. +At a high level, these OS concepts are different: -* Identity - Linux uses userID (UID) and groupID (GID) which are represented as integer types. User and group names are not canonical - they are just an alias in /etc/groups or /etc/passwd back to UID+GID. Windows uses a larger binary security identifier (SID) which is stored in the Windows Security Access Manager (SAM) database. This database is not shared between the host and containers, or between containers. -* File permissions - Windows uses an access control list based on SIDs, rather than a bitmask of permissions and UID+GID -* File paths - convention on Windows is to use **\** instead of **/**. The Go IO libraries typically accept both and just make it work, but when you're setting a path or command line that's interpreted inside a container, **\** may be needed. 
-* Signals - Windows interactive apps handle termination differently, and can implement one or more of these: - * A UI thread will handle well-defined messages including WM_CLOSE - * Console apps will handle ctrl-c or ctrl-break using a Control Handler - * Services will register a Service Control Handler function that can accept SERVICE_CONTROL_STOP control codes +* Identity - Linux uses userID (UID) and groupID (GID) which are represented as integer types. User and group names are not canonical - they are just an alias in /etc/groups or /etc/passwd back to UID+GID. Windows uses a larger binary security identifier (SID) which is stored in the Windows Security Access Manager (SAM) database. This database is not shared between the host and containers, or between containers. +* File permissions - Windows uses an access control list based on SIDs, rather than a bitmask of permissions and UID+GID +* File paths - convention on Windows is to use **\** instead of **/**. The Go IO libraries typically accept both and just make it work, but when you're setting a path or command line that's interpreted inside a container, **\** may be needed. +* Signals - Windows interactive apps handle termination differently, and can implement one or more of these: + * A UI thread will handle well-defined messages including WM_CLOSE + * Console apps will handle ctrl-c or ctrl-break using a Control Handler + * Services will register a Service Control Handler function that can accept SERVICE_CONTROL_STOP control codes Exit Codes follow the same convention where 0 is success, nonzero is failure. The specific error codes may differ across Windows and Linux. However, exit codes passed from the Kubernetes components (kubelet, kube-proxy) will be unchanged. - ##### V1.Container - - -* V1.Container.ResourceRequirements.limits.cpu and V1.Container.ResourceRequirements.limits.memory - Windows doesn't use hard limits for CPU allocations. Instead, a share system is used. 
The existing fields based on millicores are scaled into relative shares that are followed by the Windows scheduler. [see: kuberuntime/helpers_windows.go](https://github.com/kubernetes/kubernetes/blob/master/pkg/kubelet/kuberuntime/helpers_windows.go), [see: resource controls in Microsoft docs](https://docs.microsoft.com/en-us/virtualization/windowscontainers/manage-containers/resource-controls) - * Huge pages are not implemented in the Windows container runtime, and are not available. They require [asserting a user privilege](https://docs.microsoft.com/en-us/windows/desktop/Memory/large-page-support) that's not configurable for containers. -* V1.Container.ResourceRequirements.requests.cpu and V1.Container.ResourceRequirements.requests.memory - Requests are subtracted from node available resources, so they can be used to avoid overprovisioning a node. However, they cannot be used to guarantee resources in an overprovisioned node. They should be applied to all containers as a best practice if the operator wants to avoid overprovisioning entirely. -* V1.Container.SecurityContext.allowPrivilegeEscalation - not possible on Windows, none of the capabilities are hooked up -* V1.Container.SecurityContext.Capabilities - POSIX capabilities are not implemented on Windows -* V1.Container.SecurityContext.privileged - Windows doesn't support privileged containers -* V1.Container.SecurityContext.procMount - Windows doesn't have a /proc filesystem -* V1.Container.SecurityContext.readOnlyRootFilesystem - not possible on Windows, write access is required for registry & system processes to run inside the container -* V1.Container.SecurityContext.runAsGroup - not possible on Windows, no GID support -* V1.Container.SecurityContext.runAsNonRoot - Windows does not have a root user. The closest equivalent is ContainerAdministrator which is an identity that doesn't exist on the node. -* V1.Container.SecurityContext.runAsUser - not possible on Windows, no UID support as int. 
-* V1.Container.SecurityContext.seLinuxOptions - not possible on Windows, no SELinux -* V1.Container.terminationMessagePath - this has some limitations in that Windows doesn't support mapping single files. The default value is /dev/termination-log, which does work because it does not exist on Windows by default. - -##### -V1.Pod - -* V1.Pod.hostIPC, v1.pod.hostpid - host namespace sharing is not possible on Windows -* V1.Pod.hostNetwork - There is no Windows OS support to share the host network -* V1.Pod.dnsPolicy - ClusterFirstWithHostNet - is not supported because Host Networking is not supported on Windows. -* V1.Pod.podSecurityContext - see [V1.PodSecurityContext](https://github.com/kubernetes/enhancements/blob/master/keps/sig-windows/20190103-windows-node-support.md#v1podsecuritycontext) -* V1.Pod.shareProcessNamespace - this is an beta feature, and depends on Linux namespaces which are not implemented on Windows. Windows cannot share process namespaces or the container's root filesystem. Only the network can be shared. -* V1.Pod.terminationGracePeriodSeconds - this is not fully implemented in Docker on Windows, see: [reference](https://github.com/moby/moby/issues/25982). The behavior today is that the ENTRYPOINT process is sent CTRL_SHUTDOWN_EVENT, then Windows waits 5 seconds by hardcoded default, and finally shuts down all processes using the normal Windows shutdown behavior. The 5 second default is actually in the Windows registry [inside the container](https://github.com/moby/moby/issues/25982#issuecomment-426441183), so it can be overridden when the container is built. -* V1.Pod.volumeDevices - this is an beta feature, and is not implemented on Windows. Windows cannot attach raw block devices to pods. -* V1.Pod.volumes - EmptyDir, Secret, ConfigMap, HostPath - all work and have tests in TestGrid - * V1.emptyDirVolumeSource - the Node default medium is disk on Windows. Memory is not supported, as Windows does not have a built-in RAM disk. 
-* V1.VolumeMount.mountPropagation - only MountPropagationHostToContainer is available. Windows cannot create mounts within a pod or project them back to the node. - -##### -V1.PodSecurityContext - +* V1.Container.ResourceRequirements.limits.cpu and V1.Container.ResourceRequirements.limits.memory - Windows doesn't use hard limits for CPU allocations. Instead, a share system is used. The existing fields based on millicores are scaled into relative shares that are followed by the Windows scheduler. [see: kuberuntime/helpers_windows.go](https://github.com/kubernetes/kubernetes/blob/master/pkg/kubelet/kuberuntime/helpers_windows.go), [see: resource controls in Microsoft docs](https://docs.microsoft.com/en-us/virtualization/windowscontainers/manage-containers/resource-controls) + * Huge pages are not implemented in the Windows container runtime, and are not available. They require [asserting a user privilege](https://docs.microsoft.com/en-us/windows/desktop/Memory/large-page-support) that's not configurable for containers. +* V1.Container.ResourceRequirements.requests.cpu and V1.Container.ResourceRequirements.requests.memory - Requests are subtracted from node available resources, so they can be used to avoid overprovisioning a node. However, they cannot be used to guarantee resources in an overprovisioned node. They should be applied to all containers as a best practice if the operator wants to avoid overprovisioning entirely. 
+* V1.Container.SecurityContext.allowPrivilegeEscalation - not possible on Windows, none of the capabilities are hooked up +* V1.Container.SecurityContext.Capabilities - POSIX capabilities are not implemented on Windows +* V1.Container.SecurityContext.privileged - Windows doesn't support privileged containers +* V1.Container.SecurityContext.procMount - Windows doesn't have a /proc filesystem +* V1.Container.SecurityContext.readOnlyRootFilesystem - not possible on Windows, write access is required for registry & system processes to run inside the container +* V1.Container.SecurityContext.runAsGroup - not possible on Windows, no GID support +* V1.Container.SecurityContext.runAsNonRoot - Windows does not have a root user. The closest equivalent is ContainerAdministrator which is an identity that doesn't exist on the node. +* V1.Container.SecurityContext.runAsUser - not possible on Windows, no UID support as int. +* V1.Container.SecurityContext.seLinuxOptions - not possible on Windows, no SELinux +* V1.Container.terminationMessagePath - this has some limitations in that Windows doesn't support mapping single files. The default value is /dev/termination-log, which does work because it does not exist on Windows by default. + +##### V1.Pod + +* V1.Pod.hostIPC, v1.pod.hostpid - host namespace sharing is not possible on Windows +* V1.Pod.hostNetwork - There is no Windows OS support to share the host network +* V1.Pod.dnsPolicy - ClusterFirstWithHostNet - is not supported because Host Networking is not supported on Windows. +* V1.Pod.podSecurityContext - see [V1.PodSecurityContext](https://github.com/kubernetes/enhancements/blob/master/keps/sig-windows/20190103-windows-node-support.md#v1podsecuritycontext) +* V1.Pod.shareProcessNamespace - this is an beta feature, and depends on Linux namespaces which are not implemented on Windows. Windows cannot share process namespaces or the container's root filesystem. Only the network can be shared. 
+* V1.Pod.terminationGracePeriodSeconds - this is not fully implemented in Docker on Windows, see: [reference](https://github.com/moby/moby/issues/25982). The behavior today is that the ENTRYPOINT process is sent CTRL_SHUTDOWN_EVENT, then Windows waits 5 seconds by hardcoded default, and finally shuts down all processes using the normal Windows shutdown behavior. The 5 second default is actually in the Windows registry [inside the container](https://github.com/moby/moby/issues/25982#issuecomment-426441183), so it can be overridden when the container is built. +* V1.Pod.volumeDevices - this is an beta feature, and is not implemented on Windows. Windows cannot attach raw block devices to pods. +* V1.Pod.volumes - EmptyDir, Secret, ConfigMap, HostPath - all work and have tests in TestGrid + * V1.emptyDirVolumeSource - the Node default medium is disk on Windows. Memory is not supported, as Windows does not have a built-in RAM disk. +* V1.VolumeMount.mountPropagation - only MountPropagationHostToContainer is available. Windows cannot create mounts within a pod or project them back to the node. + +##### V1.PodSecurityContext None of the PodSecurityContext fields work on Windows. They're listed here for reference. - - -* V1.PodSecurityContext.SELinuxOptions - SELinux is not available on Windows -* V1.PodSecurityContext.RunAsUser - provides a UID, not available on Windows -* V1.PodSecurityContext.RunAsGroup - provides a GID, not available on Windows -* V1.PodSecurityContext.RunAsNonRoot - Windows does not have a root user. The closest equivalent is ContainerAdministrator which is an identity that doesn't exist on the node. -* V1.PodSecurityContext.SupplementalGroups - provides GID, not available on Windows -* V1.PodSecurityContext.Sysctls - these are part of the Linux sysctl interface. There's no equivalent on Windows. 
- +* V1.PodSecurityContext.SELinuxOptions - SELinux is not available on Windows +* V1.PodSecurityContext.RunAsUser - provides a UID, not available on Windows +* V1.PodSecurityContext.RunAsGroup - provides a GID, not available on Windows +* V1.PodSecurityContext.RunAsNonRoot - Windows does not have a root user. The closest equivalent is ContainerAdministrator which is an identity that doesn't exist on the node. +* V1.PodSecurityContext.SupplementalGroups - provides GID, not available on Windows +* V1.PodSecurityContext.Sysctls - these are part of the Linux sysctl interface. There's no equivalent on Windows. # ​User Guide: Add Windows Nodes in Kubernetes - ## ​Objectives The Kubernetes platform can now be used to run both Linux and Windows containers. One or more Windows nodes can be registered to a cluster. This guide shows how to: - - -* Register a Windows node to the cluster -* Configure networking so pods on Linux and Windows can communicate - +* Register a Windows node to the cluster +* Configure networking so pods on Linux and Windows can communicate ## ​Before you begin - - -* Obtain a [Windows Server license](https://www.microsoft.com/en-us/cloud-platform/windows-server-pricing) in order to run the Windows node that will execute the Windows container. You can use your organization's licenses for the cluster, or acquire one from Microsoft, a reseller, or via the major cloud providers such as GCP, AWS, and Azure by provisioning a virtual machine running Windows Server through their marketplaces. A [time-limited trial](https://www.microsoft.com/en-us/cloud-platform/windows-server-trial) is also available. 
-* Build a Linux-based Kubernetes cluster in which you have access to the control plane (some examples include [Getting Started from Scratch](https://kubernetes.io/docs/setup/scratch/), [kubeadm](https://kubernetes.io/docs/setup/independent/create-cluster-kubeadm/), [AKS Engine](https://kubernetes.io/docs/setup/turnkey/azure/), [GCE](https://kubernetes.io/docs/setup/turnkey/gce/), [AWS](https://kubernetes.io/docs/setup/turnkey/aws/)). - +* Obtain a [Windows Server license](https://www.microsoft.com/en-us/cloud-platform/windows-server-pricing) in order to run the Windows node that will execute the Windows container. You can use your organization's licenses for the cluster, or acquire one from Microsoft, a reseller, or via the major cloud providers such as GCP, AWS, and Azure by provisioning a virtual machine running Windows Server through their marketplaces. A [time-limited trial](https://www.microsoft.com/en-us/cloud-platform/windows-server-trial) is also available. +* Build a Linux-based Kubernetes cluster in which you have access to the control plane (some examples include [Getting Started from Scratch](https://kubernetes.io/docs/setup/scratch/), [kubeadm](https://kubernetes.io/docs/setup/independent/create-cluster-kubeadm/), [AKS Engine](https://kubernetes.io/docs/setup/turnkey/azure/), [GCE](https://kubernetes.io/docs/setup/turnkey/gce/), [AWS](https://kubernetes.io/docs/setup/turnkey/aws/)). ## ​Getting Started: Adding a Windows Node to Your Cluster - ### ​Plan IP Addressing Kubernetes cluster management requires careful planning of your IP addresses so that you do not inadvertently cause network collision. This guide assumes that you are familiar with the [Kubernetes networking concepts](https://kubernetes.io/docs/concepts/cluster-administration/networking/). In order to deploy your cluster you will need the following address spaces: -
Subnet / address range @@ -521,7 +449,6 @@ In order to deploy your cluster you will need the following address spaces: Cluster Subnet This is a global subnet that is used by all pods in the cluster. Each node is assigned a smaller /24 subnet from this for their pods to use. It must be large enough to accommodate all pods used in your cluster. To calculate minimumsubnet size: (number of nodes) + (number of nodes * maximum pods per node that you configure) -

Example: for a 5 node cluster for 100 pods per node: (5) + (5 * 100) = 505.

"10.244.0.0/16" @@ -537,16 +464,12 @@ Example: for a 5 node cluster for 100 pods per node: (5) + (5 * 100) = 505
- Review the networking options supported in 'Intro to Windows containers in Kubernetes: Supported Functionality: Networking' to determine how you need to allocate IP addresses for your cluster. - ### Components that run on Windows While the Kubernetes control plane runs on your Linux node(s), the following components will be configured and run on your Windows node(s). - - 1. kubelet 2. kube-proxy 3. kubectl (optional) @@ -554,44 +477,34 @@ While the Kubernetes control plane runs on your Linux node(s), the following com Get the latest binaries from [https://github.com/kubernetes/kubernetes/releases](https://github.com/kubernetes/kubernetes/releases), starting with v1.14 or later. The Windows-amd64 binaries for kubeadm, kubectl, kubelet, and kube-proxy can be found under the CHANGELOG link. - ### ​Networking Configuration Once you have a Linux-based Kubernetes master node you are ready to choose a networking solution. This guide illustrates using Flannel in VXLAN mode for simplicity. - #### ​Configuring Flannel in VXLAN mode on the Linux controller - - 1. Prepare Kubernetes master for Flannel Some minor preparation is recommended on the Kubernetes master in our cluster. It is recommended to enable bridged IPv4 traffic to iptables chains when using Flannel. This can be done using the following command: - -``` +```bash sudo sysctl net.bridge.bridge-nf-call-iptables=1 ``` - - 1. Download & configure Flannel Download the most recent Flannel manifest: - -``` +```bash wget https://raw.githubusercontent.com/coreos/flannel/master/Documentation/kube-flannel.yml ``` - There are two sections you should modify to enable the vxlan networking backend: After applying the steps below, the `net-conf.json` section of `kube-flannel.yml` should look as follows: - -``` +```json net-conf.json: | { "Network": "10.244.0.0/16", 
@@ -604,20 +517,17 @@ net-conf.json: | ``` - - 1. In the `net-conf.json` section of your `kube-flannel.yml`, double-check: 1. The cluster subnet (e.g. "10.244.0.0/16") is set as per your IP plan. - * VNI 4096 is set in the backend - * Port 4789 is set in the backend + * VNI 4096 is set in the backend + * Port 4789 is set in the backend 2. In the `cni-conf.json` section of your `kube-flannel.yml`, change the network name to "`vxlan0"`. {{< note >}} The VNI must be set to 4096 and port 4789 for Flannel on Linux to interoperate with Flannel on Windows. Support for other VNIs is coming soon. See [VXLAN](https://github.com/coreos/flannel/blob/master/Documentation/backends.md#vxlan) for an explanation of these fields. -{{< note >}} +{{< /note >}} Your `cni-conf.json` should look as follows: - -``` +```json cni-conf.json: | { "name": "vxlan0", @@ -640,36 +550,31 @@ cni-conf.json: | ``` - - 1. Apply the Flannel yaml and Validate Let's apply the Flannel configuration: - -``` +```bash kubectl apply -f kube-flannel.yml ``` - Next, since the Flannel pods are Linux-based, apply a NodeSelector patch, which can be found [here](https://github.com/Microsoft/SDN/blob/1d5c055bb195fecba07ad094d2d7c18c188f9d2d/Kubernetes/flannel/l2bridge/manifests/node-selector-patch.yml), to the Flannel DaemonSet pod: - -``` - kubectl patch ds/kube-flannel-ds-amd64 --patch "$(cat node-selector-patch.yml)" -n=kube-system +```bash +kubectl patch ds/kube-flannel-ds-amd64 --patch "$(cat node-selector-patch.yml)" -n=kube-system ``` + After a few minutes, you should see all the pods as running if the Flannel pod network was deployed. -``` + +```bash kubectl get pods --all-namespaces ``` ![alt_text](flannel-master-kubeclt-get-pods.png "flannel master kubectl get pods screen capture") - Verify that the Flannel DaemonSet has the NodeSelector applied. - -``` +```bash kubectl get ds -n kube-system ``` 
@@ -679,86 +584,72 @@ kubectl get ds -n kube-system In this section we'll cover configuring a Windows node from scratch to join a cluster on-prem. If your cluster is on a cloud you'll likely want to follow the cloud specific guides in the next section. - #### Preparing a Windows Node {{< note >}} All code snippets in Windows sections are to be run in a PowerShell environment with elevated permissions (Admin). -{{}} - +{{< /note >}} 1. Install Docker (requires a system reboot) Kubernetes uses [Docker](https://www.docker.com/) as its container engine, so we need to install it. You can follow the [official Docs instructions](https://docs.microsoft.com/en-us/virtualization/windowscontainers/manage-docker/configure-docker-daemon#install-docker), the [Docker instructions](https://store.docker.com/editions/enterprise/docker-ee-server-windows), or try these steps: - -``` +```powershell PS C:\Users\Administrator\Install-Module -Name DockerMsftProvider -Repository PSGallery -Force PS C:\Users\Administrator\Install-Package -Name Docker -ProviderName DockerMsftProvider PS C:\Users\Administrator\Restart-Computer -Force ``` - If you are behind a proxy, the following PowerShell environment variables must be defined: - -``` +```powershell [Environment]::SetEnvironmentVariable("HTTP_PROXY", "http://proxy.example.com:80/", [EnvironmentVariableTarget]::Machine) [Environment]::SetEnvironmentVariable("HTTPS_PROXY", "http://proxy.example.com:443/", [EnvironmentVariableTarget]::Machine) ``` + If after reboot you may see the following error: ![alt_text](windows-docker-error.png "windows docker error screen capture") If so then you need to restart the docker service manually: - -``` +```powershell Start-Service docker ``` {{< note >}} The "pause" (infrastructure) image is on Microsoft Container Registry (MCR) and the DOCKERFILE is available at 
[https://github.com/Microsoft/SDN/blob/master/Kubernetes/windows/Dockerfile](https://github.com/Microsoft/SDN/blob/master/Kubernetes/windows/Dockerfile) -{{}} +{{< /note >}} -``` +```powershell docker pull mcr.microsoft.com/k8s/core/pause:1.0.0 - ``` 2. Prepare a Windows directory for Kubernetes Create a "Kubernetes for Windows" directory to store Kubernetes binaries as well as any deployment scripts and config files. - -``` +```powershell mkdir c:\k - ``` - - 3. Copy Kubernetes certificate Copy the Kubernetes certificate file (`$HOME/.kube/config`) [from Linux controller](https://docs.microsoft.com/en-us/virtualization/windowscontainers/kubernetes/creating-a-linux-master#collect-cluster-information) to this new `C:\k` directory on your Windows node. Tip: You can use tools such as [xcopy](https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/xcopy), [WinSCP](https://winscp.net/eng/download.php), [PowerShell wrapper for WinSCP](https://www.powershellgallery.com/packages/WinSCP/5.13.2.0) to transfer the config file between nodes. - - 4. Download Kubernetes binaries To be able to run Kubernetes, you first need to download the `kubectl`, `kubelet`, and `kube-proxy` binaries. You can download these from the links in the CHANGELOG.md file of the [latest releases](https://github.com/kubernetes/kubernetes/releases/). Use the [Expand-Archive](https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.archive/expand-archive?view=powershell-6) PowerShell command to extract the archive and place the binaries into `C:\k`. - #### Join the Windows node to the Flannel cluster The Flannel overlay deployment scripts and documentation are available in [this repository](https://github.com/Microsoft/SDN/tree/master/Kubernetes/flannel/overlay). The following steps are a simple walkthrough of the more comprehensive instructions available there. 
Download the [Flannel start.ps1](https://github.com/Microsoft/SDN/blob/master/Kubernetes/flannel/start.ps1) script, the contents of which should be extracted to `C:\k`: - -``` +```powershell cd c:\k [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 wget https://raw.githubusercontent.com/Microsoft/SDN/master/Kubernetes/flannel/start.ps1 -o c:\k\start.ps1 @@ -766,16 +657,15 @@ wget https://raw.githubusercontent.com/Microsoft/SDN/master/Kubernetes/flannel/s {{< note >}} [start.ps1](https://github.com/Microsoft/SDN/blob/master/Kubernetes/flannel/start.ps1) references [install.ps1](https://github.com/Microsoft/SDN/blob/master/Kubernetes/windows/install.ps1), which will download additional files such as the `flanneld` executable and the [Dockerfile for infrastructure pod](https://github.com/Microsoft/SDN/blob/master/Kubernetes/windows/Dockerfile) and install those for you. For overlay networking mode, the [firewall](https://github.com/Microsoft/SDN/blob/master/Kubernetes/windows/helper.psm1#L111) will be opened for local UDP port 4789. There may be multiple powershell windows being opened/closed as well as a few seconds of network outage while the new external vSwitch for the pod network is being created the first time. Run the script using the arguments as specified below: -{{}} +{{< /note >}} -``` +```powershell .\start.ps1 -ManagementIP -NetworkMode overlay -ClusterCIDR -ServiceCIDR -KubeDnsServiceIP -LogDir ```
- Parameter Default Value @@ -841,39 +731,30 @@ Parameter
- Now you can view the Windows nodes in your cluster by running the following: - -``` +```bash kubectl get nodes ``` - - ### ​Public Cloud Providers - #### Azure AKS-Engine can deploy a complete, customizable Kubernetes cluster with both Linux & Windows nodes. There is a step-by-step walkthrough available in the [docs on GitHub](https://github.com/Azure/aks-engine/blob/master/docs/topics/windows.md). - #### ​GCP Users can easily deploy a complete Kubernetes cluster on GCE following this step-by-step walkthrough on [GitHub](https://github.com/kubernetes/kubernetes/blob/master/cluster/gce/windows/README-GCE-Windows-kube-up.md) - #### ​Deployment with kubeadm and cluster API Kubeadm is becoming the de facto standard for users to deploy a Kubernetes cluster. Windows node support in kubeadm will come in a future release. We are also making investments in cluster API to ensure Windows nodes are properly provisioned. - #### Next Steps Now that you've configured a Windows worker in your cluster to run Windows containers you may want to add one or more Linux nodes as well to run Linux containers. Now you're ready to proceed to the next step to schedule Windows containers on your cluster. - # User Guide: Scheduling Windows containers in Kubernetes From 5292447f09b0af6af5607b1b986dbcf51949eb90 Mon Sep 17 00:00:00 2001 From: Craig Peters Date: Tue, 12 Mar 2019 21:03:12 -0700 Subject: [PATCH 10/32] updating formatting for running containers guide --- .../getting-started-guides/windows/_index.md | 186 ++++++------------ 1 file changed, 58 insertions(+), 128 deletions(-) diff --git a/content/en/docs/getting-started-guides/windows/_index.md b/content/en/docs/getting-started-guides/windows/_index.md index a73e56fc6fe76..47435fefdd7c1 100644 --- a/content/en/docs/getting-started-guides/windows/_index.md +++ b/content/en/docs/getting-started-guides/windows/_index.md 
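Review bot: In the `@@ -6,396 +6,1375 @@` hunk of PATCH 02/32, every added heading carries an invisible U+200B zero-width space after the `#` markers (`# ​User Guide: Add Windows Nodes in Kubernetes`, `## ​Objectives`, `### ​Plan IP Addressing`), an artifact of the Google Doc export that ends up in the generated heading ids and breaks TOC and anchor links; strip it from these and from the later hunks' `### ​Networking Configuration`, `#### ​GCP`, `#### ​Deployment with kubeadm and cluster API` and `# ​Getting Help and Troubleshooting`. Same hunk, two added lines read `this is an beta feature` (under `V1.Pod.shareProcessNamespace` and `V1.Pod.volumeDevices`) and should say `a beta feature`, and `V1.Pod.hostIPC, v1.pod.hostpid` breaks the casing convention used by every other entry (the field is `hostPID`).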
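Review bot: In the `@@ -537,16 +464,12 @@` hunk, `wget https://raw.githubusercontent.com/coreos/flannel/master/Documentation/kube-flannel.yml` fetches the manifest that gets applied cluster-wide from the `master` branch, so what a reader deploys depends on the day they read the page and cannot be reviewed or reproduced; the same hunk already pins `node-selector-patch.yml` to a commit, so pin this one to a flannel release tag too and state which release the `net-conf.json` and `cni-conf.json` edits were written against. Minor: `sudo sysctl net.bridge.bridge-nf-call-iptables=1` is not persistent; point at `/etc/sysctl.d` or the setting is gone after the next reboot.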
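Review bot: In the `@@ -604,20 +517,17 @@` hunk, `change the network name to "`vxlan0"`"` puts the closing double quote inside the code span, so it renders as `vxlan0"` with a stray quote; write just `vxlan0` in backticks. The `{{< /note >}}` closing fix is right, but the sentence `Support for other VNIs is coming soon` is a forward-looking claim with no reference; link a tracking issue or drop it.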
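Review bot: In the `@@ -679,86 +584,72 @@` hunk, step 3 calls `$HOME/.kube/config` a "Kubernetes certificate file" and has the reader copy it from the Linux controller into `C:\k` for the node processes to use; on a kubeadm cluster (one of the options the page lists) that file is the cluster-admin kubeconfig, so every Windows node then holds a credential that can do anything in the cluster and the Node authorizer protects nothing. Say what the file is (a kubeconfig with embedded client credentials), steer readers toward a per-node credential (a `system:node:<name>` kubeconfig or the bootstrap flow) instead of the admin one, and at least tell them to restrict the ACL on `C:\k\config`. Same hunk, the Docker install block reads `PS C:\Users\Administrator\Install-Module -Name DockerMsftProvider -Repository PSGallery -Force`, where the prompt has fused with the cmdlet (no `> ` separator), so none of the three lines can be pasted; drop the prompt or write `PS C:\Users\Administrator>`. And `wget ... -o c:\k\start.ps1` should spell out `-OutFile`: under PowerShell `wget` is an alias of `Invoke-WebRequest`, and `-o` depends on parameter prefix matching.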
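Review bot: In the `@@ -766,16 +657,15 @@` hunk, the invocation `.\start.ps1 -ManagementIP -NetworkMode overlay -ClusterCIDR -ServiceCIDR -KubeDnsServiceIP -LogDir` has lost every argument value; the angle-bracket placeholders were evidently eaten by the Google Doc export (the parameter table that follows is flattened as well), and as written the command appears to take no values at all. Restore placeholders such as `-ManagementIP <node IP>` and `-ClusterCIDR <cluster subnet>`. The note above it should also say more than that `install.ps1` will download `flanneld` and open UDP 4789: the script is fetched from `master` and runs elevated, so pin the URL to a commit (as the node-selector patch is), give the reader a hash to check before running it, and mention that the firewall rule can be scoped to the other nodes' addresses rather than any source.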
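Review bot: In the `@@ -841,39 +731,30 @@` hunk, `Windows node support in kubeadm will come in a future release` contradicts the earlier "Components that run on Windows" hunk, which tells readers that `The Windows-amd64 binaries for kubeadm, kubectl, kubelet, and kube-proxy can be found under the CHANGELOG link`; either drop kubeadm from that download list or say here what the Windows kubeadm binary can currently be used for. Also, `you may want to add one or more Linux nodes as well to run Linux containers` reads oddly since the cluster already has a Linux control plane; "Linux worker nodes" is what is meant.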
@@ -65,10 +65,10 @@ Let's start with the operating system version. Refer to the following table for {{< note >}} - The Windows Server Host Operating System is subject to the [Windows Server ](https://www.microsoft.com/en-us/cloud-platform/windows-server-pricing) licensing. The Windows Container images are subject to the [Supplemental License Terms for Windows containers](https://docs.microsoft.com/en-us/virtualization/windowscontainers/images-eula). +The Windows Server Host Operating System is subject to the [Windows Server ](https://www.microsoft.com/en-us/cloud-platform/windows-server-pricing) licensing. The Windows Container images are subject to the [Supplemental License Terms for Windows containers](https://docs.microsoft.com/en-us/virtualization/windowscontainers/images-eula). {{< /note >}} {{< note >}} - Windows containers have strict compatibility rules, [where the host OS version must match the container base image OS version.](https://docs.microsoft.com/en-us/virtualization/windowscontainers/deploy-containers/version-compatibility) +Windows containers have strict compatibility rules, [where the host OS version must match the container base image OS version.](https://docs.microsoft.com/en-us/virtualization/windowscontainers/deploy-containers/version-compatibility) {{< /note >}} Key Kubernetes elements work the same way in Windows as they do in Linux. In this section, we will talk about some of the key workload enablers and how they map to Windows. 
@@ -757,33 +757,23 @@ Now that you've configured a Windows worker in your cluster to run Windows conta # User Guide: Scheduling Windows containers in Kubernetes - ## Objectives - - -* Configure an example deployment to run Windows containers on the Windows node -* (Optional) Configure an Active Directory Identity for your Pod using Group Managed Service Accounts (GMSA) - +* Configure an example deployment to run Windows containers on the Windows node +* (Optional) Configure an Active Directory Identity for your Pod using Group Managed Service Accounts (GMSA) ## Before you begin - - -* Create a Kubernetes cluster that includes a master and a worker node running Windows Server -* It is important to note that creating and deploying services and workloads on Kubernetes behaves in much the same way for Linux and Windows containers. [Kubectl commands](https://kubernetes.io/docs/reference/kubectl/overview/) to interface with the cluster are identical. The example in the section below is provided simply to jumpstart your experience with Windows containers. - +* Create a Kubernetes cluster that includes a master and a worker node running Windows Server +* It is important to note that creating and deploying services and workloads on Kubernetes behaves in much the same way for Linux and Windows containers. [Kubectl commands](https://kubernetes.io/docs/reference/kubectl/overview/) to interface with the cluster are identical. The example in the section below is provided simply to jumpstart your experience with Windows containers. ## ​Getting Started: Deploying a Windows Container - - 1. Create a simple webserver example: Create a service spec `win-webserver.yaml` with the contents below: [TODO create this as a file in the docs folder and add a link] - -``` +```yaml apiVersion: v1 kind: Service metadata: 
@@ -826,59 +816,51 @@ spec: {{< note >}} Note: Port mapping is also supported, but for simplicity in this example the container port 80 is exposed directly to the service. -{{}} - +{{< /note >}} 2. Check that all nodes are healthy: - ``` - kubectl get nodes - ``` - +```bash +kubectl get nodes +``` 3. Deploy the service and watch for pod updates: - ``` - kubectl apply -f win-webserver.yaml - - kubectl get pods -o wide -w - When the service is deployed correctly both Pods will be marked as Ready. To exit the watch command, press Ctrl+C. - - ``` - +```bash +kubectl apply -f win-webserver.yaml +kubectl get pods -o wide -w +``` +When the service is deployed correctly both Pods will be marked as Ready. To exit the watch command, press Ctrl+C. 4. Check that the deployment succeeded. To verify: - * Two containers per pod on the Windows node, use `docker ps` - * Two pods listed from the Linux master, use `kubectl get pods` - * Node-to-pod communication across the network, `curl` port 80 of your pod IPs from the Linux master to check for a web server response - * Pod-to-pod communication, ping between pods (and across hosts, if you have more than one Windows node) using docker exec or kubectl exec - * Service-to-pod communication, `curl` the virtual service IP (seen under `kubectl get services`) from the Linux master and from individual pods - * Service discovery, `curl` the service name with the Kubernetes[ default DNS suffix](https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#services) - * Inbound connectivity, `curl` the NodePort from the Linux master or machines outside of the cluster - * Outbound connectivity, `curl` external IPs from inside the pod using kubectl exec + +* Two containers per pod on the Windows node, use `docker ps` +* Two pods listed from the Linux master, use `kubectl get pods` +* Node-to-pod communication across the network, `curl` port 80 of your pod IPs from the Linux master to check for a web server response +* Pod-to-pod 
communication, ping between pods (and across hosts, if you have more than one Windows node) using docker exec or kubectl exec +* Service-to-pod communication, `curl` the virtual service IP (seen under `kubectl get services`) from the Linux master and from individual pods +* Service discovery, `curl` the service name with the Kubernetes[ default DNS suffix](https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#services) +* Inbound connectivity, `curl` the NodePort from the Linux master or machines outside of the cluster +* Outbound connectivity, `curl` external IPs from inside the pod using kubectl exec {{< note >}} **Windows _container hosts_ are not able to access the IP of services scheduled on them due to current platform limitations of the Windows networking stack. Only Windows _pods_ are able to access service IPs. -{{}} +{{< /note >}} ## Managing Workload Identity with Group Managed Service Accounts Starting with Kubernetes v1.14, Windows container workloads can be configured to use Group Managed Service Accounts (GMSA). Group Managed Service Accounts are a specific type of Active Directory account that provides automatic password management, simplified service principal name (SPN) management, and the ability to delegate the management to other administrators across multiple servers. Containers configured with a GMSA can access external Active Directory Domain resources while carrying the identity configured with the GMSA. Learn more about configuring and using GMSA for Windows containers [here](https://kubernetes.io/docs/concepts/configuration/workload-identity/). - ## Taints and Tolerations Users today will need to use some combination of taints and node selectors in order to keep Linux and Windows workloads on their respective OS-specific nodes. This will likely impose a burden only on Windows users. 
The recommended approach is outlined below, with one of its main goals being that this approach should not break compatibility for existing Linux workloads. - ### Ensuring OS-specific workloads land on the appropriate container host Users can ensure Windows containers can be scheduled on the appropriate host using Taints and Tolerations. All Kubernetes nodes today have the following default labels: - - -* beta.kubernetes.io/os = [windows|linux] -* beta.kubernetes.io/arch = [amd64|arm64|...] +* beta.kubernetes.io/os = [windows|linux] +* beta.kubernetes.io/arch = [amd64|arm64|...] If a Pod specification does not specify a nodeSelector like `"beta.kubernetes.io/os": windows`, it is possible the Pod can be scheduled on any host, Windows or Linux. This can be problematic since a Windows container can only run on Windows and a Linux container can only run on Linux. The best practice is to use a nodeSelector. @@ -888,8 +870,7 @@ For example: `--register-with-taints='os=Win1809:NoSchedule'` By adding a taint to all Windows nodes, nothing will be scheduled on them (that includes existing Linux Pods). In order for a Windows Pod to be scheduled on a Windows node, it would need both the nodeSelector to choose Windows, and the appropriate matching toleration. - -``` +```yaml nodeSelector: "beta.kubernetes.io/os": windows tolerations: 
@@ -899,58 +880,42 @@ tolerations: effect: "NoSchedule" ``` - - # ​Getting Help and Troubleshooting Your main source of help for troubleshooting your Kubernetes cluster should start with this [section](https://kubernetes.io/docs/tasks/debug-application-cluster/troubleshooting/). Some additional, Windows-specific troubleshooting help is included in this section. - - 1. How do I know start.ps1 completed successfully? You should see kubelet, kube-proxy, and (if you chose Flannel as your networking solution) flanneld host-agent processes running on your node, with running logs being displayed in separate PowerShell windows. In addition to this, your Windows node should be listed as "Ready" in your Kubernetes cluster. - - 2. Can I configure the Kubernetes node processes run in the background? - 1. As native Windows Services + 1. As native Windows Services Kubelet & kube-proxy can be run as native [Windows Services](https://kubernetes.io/docs/getting-started-guides/windows/#kubelet-and-kube-proxy-can-now-run-as-windows-services). See [Windows Services on Kubernetes](https://docs.microsoft.com/en-us/virtualization/windowscontainers/kubernetes/kube-windows-services) for example steps. [TODO create a section for setting up as Windows Services] - - - - 2. Using nssm.exe + 2. Using nssm.exe Kubelet and kube-proxy are already configured to run as native Windows Services. However, you can also always use alternative service managers like [nssm.exe](https://nssm.cc/) to run these processes (flanneld, kubelet & kube-proxy) in the background for you. For initial troubleshooting, you can use the following flags in [nssm.exe](https://nssm.cc/) to redirect stdout and stderr to a output file: - -``` +```powershell nssm set AppStdout C:\k\mysvc.log nssm set AppStderr C:\k\mysvc.log ``` - For additional details, see official [nssm usage](https://nssm.cc/usage) docs. - - 3. 
My Windows Pods do not have network connectivity If you are using virtual machines, ensure that MAC spoofing is enabled on all the VM network adapter(s). +4. My Windows Pods cannot ping external resources +Windows Pods do not have outbound rules programmed for the ICMP protocol today. However, TCP/UDP is supported. When trying to demonstrate connectivity to resources outside of the cluster, please substitute `ping ` with corresponding `curl ` commands. -4. My Windows Pods cannot ping external resources +If you are still facing problems, most likely your network configuration in [cni.conf](https://github.com/Microsoft/SDN/blob/master/Kubernetes/flannel/l2bridge/cni/config/cni.conf) deserves some extra attention. You can always edit this static file, the configuration will be applied to any newly created Kubernetes resources. -Windows Pods do not have outbound rules programmed for the ICMP protocol today. However, TCP/UDP is supported. When trying to demonstrate connectivity to resources outside of the cluster, please substitute `ping ` with corresponding `curl ` commands. \ - \ -If you are still facing problems, most likely your network configuration in [cni.conf](https://github.com/Microsoft/SDN/blob/master/Kubernetes/flannel/l2bridge/cni/config/cni.conf) deserves some extra attention. You can always edit this static file, the configuration will be applied to any newly created Kubernetes resources. \ - \ One of the Kubernetes networking requirements (see [Kubernetes model](https://kubernetes.io/docs/concepts/cluster-administration/networking/)) is for cluster communication to occur without NAT internally. To honor this requirement, there is an [ExceptionList](https://github.com/Microsoft/SDN/blob/master/Kubernetes/flannel/l2bridge/cni/config/cni.conf#L20) for all the communication where we do not want outbound NAT to occur. However, this also means that you need to exclude the external IP you are trying to query from the ExceptionList. 
Only then will the traffic originating from your Windows pods be SNAT'ed correctly to receive a response from the outside world. In this regard, your ExceptionList in `cni.conf` should look as follows: - -``` +```conf "ExceptionList": [ "10.244.0.0/16", # Cluster subnet "10.96.0.0/12", # Service subnet 
@@ -959,105 +924,77 @@ One of the Kubernetes networking requirements (see [Kubernetes model](https://ku ``` - - 5. My Windows node cannot access NodePort service Local NodePort access from the node itself will fail. This is a known limitation. NodePort access will work from other nodes or external clients. - - 6. vNICs and HNS endpoints of containers are being deleted This issue can be caused when the `hostname-override` parameter is not passed to [kube-proxy](https://kubernetes.io/docs/reference/command-line-tools-reference/kube-proxy/). To resolve it, users need to pass the hostname to kube-proxy as follows: - -``` +```powershell C:\k\kube-proxy.exe --hostname-override=$(hostname) - ``` - - 7. With flannel my nodes are having issues after rejoining a cluster Whenever a previously deleted node is being re-joined to the cluster, flannelD will try to assign a new pod subnet to the node. Users should remove the old pod subnet configuration files in the following paths: - -``` +```powershell Remove-Item C:\k\SourceVip.json Remove-Item C:\k\SourceVipRequest.json - ``` - - 8. After launching `start.ps1`, flanneld is stuck in "Waiting for the Network to be created" There are numerous reports of this issue which are being investigated; most likely it is a timing issue for when the management IP of the flannel network is set. A workaround is to simply relaunch start.ps1 or relaunch it manually as follows: - -``` +```powershell PS C:> [Environment]::SetEnvironmentVariable("NODE_NAME", "") PS C:> C:\flannel\flanneld.exe --kubeconfig-file=c:\k\config --iface= --ip-masq=1 --kube-subnet-mgr=1 - ``` - - 9. My Windows Pods cannot launch because of missing `/run/flannel/subnet.env` This indicates that Flannel didn't launch correctly. 
You can either try to restart flanneld.exe or you can copy the files over manually from `/run/flannel/subnet.env` on the Kubernetes master to` C:\run\flannel\subnet.env` on the Windows worker node and modify the `FLANNEL_SUBNET` row to a different number. For example, if node subnet 10.244.4.1/24 is desired: - -``` +```env FLANNEL_NETWORK=10.244.0.0/16 FLANNEL_SUBNET=10.244.4.1/24 FLANNEL_MTU=1500 FLANNEL_IPMASQ=true - ``` - - 10. My Windows node cannot access my services using the service IP This is a known limitation of the current networking stack on Windows. Windows Pods are able to access the service IP however. - - 11. No network adapter is found when starting kubelet The Windows networking stack needs a virtual adapter for Kubernetes networking to work. If the following commands return no results (in an admin shell), virtual network creation — a necessary prerequisite for Kubelet to work — has failed: - -``` +```powershell Get-HnsNetwork | ? Name -ieq "cbr0" Get-NetAdapter | ? Name -Like "vEthernet (Ethernet*" ``` - Often it is worthwhile to modify the [InterfaceName](https://github.com/Microsoft/SDN/blob/master/Kubernetes/flannel/l2bridge/start.ps1#L6) parameter of the start.ps1 script, in cases where the host's network adapter isn't "Ethernet". Otherwise, consult the output of the `start-kubelet.ps1` script to see if there are errors during virtual network creation. - - 12. My Pods are stuck at "Container Creating" or restarting over and over Check that your pause image is compatible with your OS version. The [instructions](https://docs.microsoft.com/en-us/virtualization/windowscontainers/kubernetes/deploying-resources) assume that both the OS and the containers are version 1803. If you have a later version of Windows, such as an Insider build, you will need to adjust the images accordingly. Please refer to the Microsoft's [Docker repository](https://hub.docker.com/u/microsoft/) for images. 
Regardless, both the pause image Dockerfile and the sample service will expect the image to be tagged as :latest. If these steps don't resolve your problem, you can get help running Windows Containers on Windows nodes in Kubernetes through: +* StackOverflow [Windows Server Container](https://stackoverflow.com/questions/tagged/windows-server-container) topic +* Kubernetes Official Forum [discuss.kubernetes.io](https://discuss.kubernetes.io/) +* Kubernetes Slack [#SIG-Windows Channel](https://kubernetes.slack.com/messages/C0SJ4AFB7) +13. DNS resolution is not properly working -* StackOverflow [Windows Server Container](https://stackoverflow.com/questions/tagged/windows-server-container) topic -* Kubernetes Official Forum [discuss.kubernetes.io](https://discuss.kubernetes.io/) -* Kubernetes Slack [#SIG-Windows Channel](https://kubernetes.slack.com/messages/C0SJ4AFB7) -1. DNS resolution is not properly working - -Check the DNS limitations for Windows in this section [todo insert link]. +Check the DNS limitations for Windows in this section [todo insert link]. - -### Bugs and Feature Requests +## Bugs and Feature Requests If you have what looks like a bug, or you would like to make a feature request, please use the [Github issue tracking system](https://github.com/kubernetes/kubernetes/issues). 
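Review bot: in item 8 the relaunch command `C:\flannel\flanneld.exe --kubeconfig-file=c:\k\config --iface= --ip-masq=1 --kube-subnet-mgr=1` leaves `--iface=` empty without saying what belongs there, and both lines keep a `PS C:>` prompt inside a `powershell` fence, so the block cannot be pasted; drop the prompts and state that `--iface` takes the name or IP of the interface flanneld should use for inter-host traffic (the management interface whose late IP assignment the preceding sentence blames). Separately, `+13. DNS resolution is not properly working` lands after the "get help" bullet list instead of with the other numbered items and still carries the `[todo insert link]` placeholder, which should be resolved or removed before merge.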
@@ -1065,33 +1002,26 @@ Before you file an issue, please search existing issues to see if your issue is If filing a bug, please include detailed information about how to reproduce the problem, such as: - - -* Kubernetes version: kubectl version -* Cloud provider, OS distro, network configuration, and Docker version -* Steps to reproduce the problem -* Tag the issue sig/windows to bring it to the Windows Special Interest Group member attention - +* Kubernetes version: kubectl version +* Cloud provider, OS distro, network configuration, and Docker version +* Steps to reproduce the problem +* Tag the issue sig/windows to bring it to the Windows Special Interest Group member attention # Roadmap -We have a lot of features in our roadmap. - +We have a lot of features in our roadmap. -### CRI-ContainerD +## CRI-ContainerD ContainerD is another OCI-compliant runtime that recently graduated as a CNCF project. It's currently tested on Linux, but 1.3 will bring support for Windows and Hyper-V. [[reference](https://blog.docker.com/2019/02/containerd-graduates-within-the-cncf/)] The CRI-ContainerD interface will be able to manage sandboxes based on Hyper-V. This provides a foundation where RuntimeClasses could be implemented for new use cases including: +* Hypervisor-based isolation between pods for additional security +* Backwards compatibility allowing a node to run a newer Windows Server version without requiring containers to be rebuilt +* Specific CPU/NUMA settings for a pod +* Memory isolation and reservations - -* Hypervisor-based isolation between pods for additional security -* Backwards compatibility allowing a node to run a newer Windows Server version without requiring containers to be rebuilt -* Specific CPU/NUMA settings for a pod -* Memory isolation and reservations - - -### Deployment with kubeadm and cluster API +## Deployment with kubeadm and cluster API Kubeadm is becoming the de facto standard for users to deploy a Kubernetes cluster. 
Windows node support in kubeadm will come in a future release. We are also making investments in cluster API to ensure Windows nodes are properly provisioned. \ No newline at end of file From 07352c0951470483c6c0e512132a7ed1d089d6c7 Mon Sep 17 00:00:00 2001 From: Craig Peters Date: Tue, 12 Mar 2019 21:07:55 -0700 Subject: [PATCH 11/32] rejiggered end of troubleshooting --- content/en/docs/getting-started-guides/windows/_index.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/content/en/docs/getting-started-guides/windows/_index.md b/content/en/docs/getting-started-guides/windows/_index.md index 47435fefdd7c1..b237f7db4e327 100644 --- a/content/en/docs/getting-started-guides/windows/_index.md +++ b/content/en/docs/getting-started-guides/windows/_index.md 
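Review bot: in the bug-report checklist at `@@ -1065`, `* Kubernetes version: kubectl version` reads as prose; code-format the command as `kubectl version` so readers see it is something to run, and in the last bullet say how the label is applied (a `/sig windows` comment on the issue adds `sig/windows`) rather than just naming it. The `###` to `##` demotions under `# Roadmap` match the heading levels used elsewhere in this commit.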
@@ -984,16 +984,16 @@ Often it is worthwhile to modify the [InterfaceName](https://github.com/Microsof Check that your pause image is compatible with your OS version. The [instructions](https://docs.microsoft.com/en-us/virtualization/windowscontainers/kubernetes/deploying-resources) assume that both the OS and the containers are version 1803. If you have a later version of Windows, such as an Insider build, you will need to adjust the images accordingly. Please refer to the Microsoft's [Docker repository](https://hub.docker.com/u/microsoft/) for images. Regardless, both the pause image Dockerfile and the sample service will expect the image to be tagged as :latest. +## Further investigation + +Check the DNS limitations for Windows in this section [todo insert link]. + If these steps don't resolve your problem, you can get help running Windows Containers on Windows nodes in Kubernetes through: * StackOverflow [Windows Server Container](https://stackoverflow.com/questions/tagged/windows-server-container) topic * Kubernetes Official Forum [discuss.kubernetes.io](https://discuss.kubernetes.io/) * Kubernetes Slack [#SIG-Windows Channel](https://kubernetes.slack.com/messages/C0SJ4AFB7) -13. DNS resolution is not properly working - -Check the DNS limitations for Windows in this section [todo insert link]. - ## Bugs and Feature Requests If you have what looks like a bug, or you would like to make a feature request, please use the [Github issue tracking system](https://github.com/kubernetes/kubernetes/issues). From e220d257e6ef0e70007458f8a60f5cc29ddd02ac Mon Sep 17 00:00:00 2001 From: Craig Peters Date: Wed, 13 Mar 2019 10:31:53 -0700 Subject: [PATCH 12/32] fixed minor typos --- content/en/docs/getting-started-guides/windows/_index.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/content/en/docs/getting-started-guides/windows/_index.md b/content/en/docs/getting-started-guides/windows/_index.md index b237f7db4e327..2cc6ff35f69c3 100644 
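Review bot: `+## Further investigation` now holds a single sentence that still contains the `[todo insert link]` placeholder, so the TODO ships to readers under its own heading; this file already has a `##### DNS` subsection under the networking limitations, so link to that anchor (or fold the sentence into the "get help" list) instead of merging a placeholder. Moving the DNS sentence out of the numbered troubleshooting list does fix the stray `13.` item left by the earlier commit.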
--- a/content/en/docs/getting-started-guides/windows/_index.md +++ b/content/en/docs/getting-started-guides/windows/_index.md @@ -111,7 +111,7 @@ Pods, Controllers and Services are critical elements to managing Windows workloa * Pod and container metrics * Horizontal Pod Autoscaler support -* KubeCtl Exec +* kubectl Exec * Resource Quotas * Scheduler preemption @@ -335,7 +335,7 @@ The following networking functionality is not supported on Windows nodes ##### DNS * ClusterFirstWithHostNet is not supported for DNS. Windows treats all names with a '.' as a FQDN and skips PQDN resolution -* On Linux, you have a DNS suffix list, which is used when trying to resolve PQDNs. On Windows, we only have 1 DNS suffix, which is the the DNS suffix associated with that pod's namespace (mydns.svc.cluster.local for example). Windows can resolve FQDNs and services or names resolvable with just that suffix. For example, a pod spawned in the default namespace, will have the DNS suffix **default.svc.cluster.local**. On a Windows pod, we will be able to resolve both **kubernetes.default.svc.cluster.local** and **kubernetes**, but not the in-betweens, like **kubernetes.default** or **kubernetes.default.svc**. +* On Linux, you have a DNS suffix list, which is used when trying to resolve PQDNs. On Windows, we only have 1 DNS suffix, which is the DNS suffix associated with that pod's namespace (mydns.svc.cluster.local for example). Windows can resolve FQDNs and services or names resolvable with just that suffix. For example, a pod spawned in the default namespace, will have the DNS suffix **default.svc.cluster.local**. On a Windows pod, we will be able to resolve both **kubernetes.default.svc.cluster.local** and **kubernetes**, but not the in-betweens, like **kubernetes.default** or **kubernetes.default.svc**. ##### Security From 67d065b5a667079d75141d358958a434fd399a35 Mon Sep 17 00:00:00 2001 
From: Craig Peters Date: Wed, 13 Mar 2019 10:42:51 -0700 Subject: [PATCH 13/32] Clarified the windows binary download step --- content/en/docs/getting-started-guides/windows/_index.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/content/en/docs/getting-started-guides/windows/_index.md b/content/en/docs/getting-started-guides/windows/_index.md index 2cc6ff35f69c3..ed4d60ad99a5b 100644 --- a/content/en/docs/getting-started-guides/windows/_index.md +++ b/content/en/docs/getting-started-guides/windows/_index.md @@ -475,7 +475,7 @@ While the Kubernetes control plane runs on your Linux node(s), the following com 3. kubectl (optional) 4. Container runtime -Get the latest binaries from [https://github.com/kubernetes/kubernetes/releases](https://github.com/kubernetes/kubernetes/releases), starting with v1.14 or later. The Windows-amd64 binaries for kubeadm, kubectl, kubelet, and kube-proxy can be found under the CHANGELOG link. +Get the latest binaries from [https://github.com/kubernetes/kubernetes/releases](https://github.com/kubernetes/kubernetes/releases), starting with v1.14 or later. The Windows-amd64 binaries for kubeadm, kubectl, kubelet, and kube-proxy can be found under the CHANGELOG link. ### ​Networking Configuration 
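Review bot: the `-`/`+` pair at `@@ -475` is textually identical, so this hunk changes only whitespace (presumably trailing spaces); fine, but say so in the commit message. More importantly for a binary-download step, neither version tells the reader how to verify what was fetched: the release CHANGELOG the sentence points to lists a sha512 for each tarball, so add a `Get-FileHash -Algorithm SHA512` comparison against that value before anything is placed in `C:\k`.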
@@ -639,7 +639,7 @@ Tip: You can use tools such as [xcopy](https://docs.microsoft.com/en-us/windows- 4. Download Kubernetes binaries -To be able to run Kubernetes, you first need to download the `kubectl`, `kubelet`, and `kube-proxy` binaries. You can download these from the links in the CHANGELOG.md file of the [latest releases](https://github.com/kubernetes/kubernetes/releases/). +To be able to run Kubernetes, you first need to download the `kubelet` and `kube-proxy` binaries. You download these from the Node Binaries links in the CHANGELOG.md file of the [latest releases](https://github.com/kubernetes/kubernetes/releases/). For example 'kubernetes-node-windows-amd64.tar.gz'. You may also optionally download `kubectl` to run on Windows which you can find under Client Binaries. Use the [Expand-Archive](https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.archive/expand-archive?view=powershell-6) PowerShell command to extract the archive and place the binaries into `C:\k`. From 288959931f40604b87f12fb5d4c48f210f14d786 Mon Sep 17 00:00:00 2001 From: Michael Michael Date: Sat, 16 Mar 2019 00:35:41 -0500 Subject: [PATCH 14/32] Update _index.md making updates based on feedback --- .../getting-started-guides/windows/_index.md | 72 ++++++++++--------- 1 file changed, 38 insertions(+), 34 deletions(-) diff --git a/content/en/docs/getting-started-guides/windows/_index.md b/content/en/docs/getting-started-guides/windows/_index.md index ed4d60ad99a5b..e17bcc429845d 100644 --- a/content/en/docs/getting-started-guides/windows/_index.md +++ b/content/en/docs/getting-started-guides/windows/_index.md 
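Review bot: the new sentence names `kubernetes-node-windows-amd64.tar.gz` as the download, but the following context line still tells the reader to extract it with `Expand-Archive`, and `Expand-Archive` handles only `.zip` archives, so the step fails on the tarball as written. Suggest `tar -xzf kubernetes-node-windows-amd64.tar.gz` (bsdtar ships with Windows Server 2019, the only host OS this guide supports) and then copying the `kubelet.exe` and `kube-proxy.exe` it contains into `C:\k`.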
@@ -6,24 +6,28 @@ toc_hide: true These instructions are under review for the v1.14 release with a [tracking issue](https://github.com/kubernetes/website/issues/12426). {{< /note >}} -## ​Motivation +## Motivation Windows applications constitute a large portion of the services and applications that run in many organizations. [Windows containers](https://aka.ms/windowscontainers) provide a modern way to encapsulate processes and package dependencies, making it easier to use DevOps practices and follow cloud native patterns for Windows applications. Kubernetes has become the defacto standard container orchestrator, and the release of Kubernetes 1.14 includes production support for scheduling Windows containers on Windows nodes in a Kubernetes cluster, enabling a vast ecosystem of Windows applications to leverage the power of Kubernetes. Enterprises with investments in Windows-based applications and Linux-based applications don't have to look for separate orchestrators to manage their workloads, leading to increased operational efficiencies across their deployments, regardless of operating system. -## ​Intro to Windows containers in Kubernetes +## Intro to Windows containers in Kubernetes To enable the orchestration of Windows containers in Kubernetes, simply include Windows nodes in your existing Linux cluster. Scheduling Windows containers in [Pods](https://kubernetes.io/docs/concepts/workloads/pods/pod-overview/) on Kubernetes is as simple and easy as scheduling Linux-based containers. In order to run Windows containers, your Kubernetes cluster must include multiple operating systems, with control plane nodes running Linux and workers running either Windows or Linux depending on your workload needs. 
Windows Server 2019 is the only Windows operating system supported, enabling [Kubernetes Node](https://github.com/kubernetes/community/blob/master/contributors/design-proposals/architecture/architecture.md#the-kubernetes-node) on Windows (including kubelet, [container runtime](https://docs.microsoft.com/en-us/virtualization/windowscontainers/deploy-containers/containerd), and kube-proxy). For a detailed explanation of Windows distribution channels see the [Microsoft documentation](https://docs.microsoft.com/en-us/windows-server/get-started-19/servicing-channels-19). {{< note >}} -The Kubernetes control plane, including the [master components](https://kubernetes.io/docs/concepts/overview/components/), will continue to run on Linux. There are no plans have a Windows-only Kubernetes cluster. +The Kubernetes control plane, including the [master components](https://kubernetes.io/docs/concepts/overview/components/), will continue to run on Linux. There are no plans to have a Windows-only Kubernetes cluster. {{< /note >}} -## ​Supported Functionality and Limitations +{{< note >}} +In this document, when we talk about Windows containers we mean Windows containers with process isolation. Windows containers with [Hyper-V isolation](https://docs.microsoft.com/en-us/virtualization/windowscontainers/manage-containers/hyperv-container) is planned for a future release. +{{< /note >}} + +## Supported Functionality and Limitations -### ​Supported Functionality +### Supported Functionality #### Compute 
@@ -68,7 +72,7 @@ Let's start with the operating system version. Refer to the following table for The Windows Server Host Operating System is subject to the [Windows Server ](https://www.microsoft.com/en-us/cloud-platform/windows-server-pricing) licensing. The Windows Container images are subject to the [Supplemental License Terms for Windows containers](https://docs.microsoft.com/en-us/virtualization/windowscontainers/images-eula). {{< /note >}} {{< note >}} -Windows containers have strict compatibility rules, [where the host OS version must match the container base image OS version.](https://docs.microsoft.com/en-us/virtualization/windowscontainers/deploy-containers/version-compatibility) +Windows containers with process isolation have strict compatibility rules, [where the host OS version must match the container base image OS version.](https://docs.microsoft.com/en-us/virtualization/windowscontainers/deploy-containers/version-compatibility). Once we support Windows containers with Hyper-V isolation in Kubernetes, the limitation and compatibility rules will change. {{< /note >}} Key Kubernetes elements work the same way in Windows as they do in Linux. In this section, we will talk about some of the key workload enablers and how they map to Windows. 
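Review bot: the added note ends the link text with a period and then adds another after the link (`...OS version.](https://...).`), which renders as a double full stop; move the period outside the link. The substance is a useful addition, since it scopes the host/image version-match rule to process-isolated containers, which is the only kind this document covers.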
@@ -127,7 +131,7 @@ Kubernetes Volumes enable complex applications with data persistence and Pod vol * [azureDisk](https://kubernetes.io/docs/concepts/storage/volumes/#azuredisk) * [azureFile](https://kubernetes.io/docs/concepts/storage/volumes/#azurefile) -#### ​Networking +#### Networking Networking for Windows containers is exposed through [CNI plugins](https://kubernetes.io/docs/concepts/extend-kubernetes/compute-storage-net/network-plugins/). Windows containers function similarly to virtual machines in regards to networking. Each container has a virtual network adapter (vNIC) which is connected to a Hyper-V virtual switch (vSwitch). The Host Networking Service (HNS) and the Host Compute Service (HCS) work together to create containers and attach container vNICs to networks. HCS is responsible for the management of containers whereas HNS is responsible for the management of networking resources such as: @@ -143,7 +147,7 @@ The following service spec types are supported: * LoadBalancer * ExternalName -Windows supports five different networking drivers/modes: L2bridge, L2tunnel, Overlay, Transparent, and NAT. In a heterogeneous cluster with Windows and Linux work nodes, you need to select a networking solution that is compatible on both Windows and Linux. The following out-of-tree plugins are supported on Windows, with recommendations on when to use each CNI: +Windows supports five different networking drivers/modes: L2bridge, L2tunnel, Overlay, Transparent, and NAT. In a heterogeneous cluster with Windows and Linux worker nodes, you need to select a networking solution that is compatible on both Windows and Linux. The following out-of-tree plugins are supported on Windows, with recommendations on when to use each CNI: @@ -221,7 +225,7 @@ Windows supports five different networking drivers/modes: L2bridge, L2tunnel, Ov
-Furthermore, for simplified consumption of the win-bridge and win-overlay plugins for end-users with automated network configurations, [Flannel](https://github.com/coreos/flannel) has added support for Windows in their [meta plugin](https://github.com/containernetworking/plugins/tree/master/plugins/meta/flannel) via the [VXLAN network backend](https://github.com/coreos/flannel/blob/master/Documentation/backends.md#vxlan) (**alpha support** ; delegates to win-overlay) and [host-gateway network backend](https://github.com/coreos/flannel/blob/master/Documentation/backends.md#host-gw) (stable support; delegates to win-bridge) with the [host-local plugin](https://github.com/containernetworking/plugins/tree/master/plugins/ipam/host-local) used for IP address management and the meta CNI network plugin [flannel](https://github.com/containernetworking/plugins/tree/master/plugins/meta/flannel#windows-support-experimental) for interacting between the delegated CNI plugin (win-bridge or win-overlay) and providing the host-local IPAM the correct range from subnet.env file provisioned by the flanneld agent. +As outlined above, the [Flannel](https://github.com/coreos/flannel) CNI [meta plugin](https://github.com/containernetworking/plugins/tree/master/plugins/meta/flannel) is also supported on [Windows](https://github.com/containernetworking/plugins/tree/master/plugins/meta/flannel#windows-support-experimental) via the [VXLAN network backend](https://github.com/coreos/flannel/blob/master/Documentation/backends.md#vxlan) (**alpha support** ; delegates to win-overlay) and [host-gateway network backend](https://github.com/coreos/flannel/blob/master/Documentation/backends.md#host-gw) (stable support; delegates to win-bridge). This plugin supports delegating to one of the reference CNI plugins (win-overlay, win-bridge), to work in conjunction with Flannel daemon on Windows (Flanneld) for automatic node subnet lease assignment and HNS network creation. 
This plugin reads in its own configuration file (net-conf.json), and aggregates it with the environment variables from the FlannelD generated subnet.env file. It then delegates to one of the reference CNI plugins for network plumbing, and sends the correct configuration containing the node-assigned subnet to the IPAM plugin (e.g. host-local). For the node, pod, and service objects, the following network flows are supported for TCP/UDP traffic: @@ -241,13 +245,13 @@ The following IPAM options are supported on Windows: * HNS IPAM (Inbox platform IPAM, this is a fallback when no IPAM is set) * [Azure-vnet-ipam](https://github.com/Azure/azure-container-networking/blob/master/docs/ipam.md) (for azure-cni only) -### ​​​​Limitations +### Limitations #### Control Plane Windows is only supported as a worker node in the Kubernetes architecture and component matrix. This means that a Kubernetes cluster must always include Linux master nodes, zero or more Linux worker nodes, and zero or more Windows worker nodes. -#### ​Compute +#### Compute ##### Resource management and process isolation @@ -259,11 +263,11 @@ Windows has strict compatibility rules, where the host OS version must match the ##### Feature Restrictions -* TerminationGracePeriod: not implemented +* TerminationGracePeriod: not implemented * Single file mapping: to be implemented with CRI-ContainerD * Termination message: to be implemented with CRI-ContainerD * Privileged Containers: not currently supported in Windows containers -* HugePages +* HugePages: not currently supported in Windows containers * The existing node problem detector is Linux-only and requires privileged containers. In general, we don't expect this to be used on Windows because privileged containers are not supported * Not all features of shared namespaces are supported (see API section for more details) 
@@ -275,7 +279,7 @@ Keeping memory usage within reasonable bounds is possible with a two-step proces A best practice to avoid over-provisioning is to configure the kubelet with a system reserved memory of at least 2GB to account for Windows, Docker, and Kubernetes processes. -The behaviour of the flags behave differently as described below: +The behavior of the flags behave differently as described below: * --kubelet-reserve, --system-reserve , and --eviction-hard flags update Node Allocatable * Eviction by using --enforce-node-allocable is not implemented @@ -284,7 +288,7 @@ The behaviour of the flags behave differently as described below: * There are no OOM eviction actions taken by the kubelet * Kubelet running on the windows node does not have memory restrictions. --kubelet-reserve and --system-reserve do not set limits on kubelet or processes running the host. This means kubelet or a process on the host could cause memory resource starvation outside the node-allocatable and scheduler -#### ​Storage +#### Storage Windows has a layered filesystem driver to mount container layers and create a copy filesystem based on NTFS. All file paths in the container are resolved only within the context of that container. @@ -295,7 +299,7 @@ Windows has a layered filesystem driver to mount container layers and create a c As a result, the following storage functionality is not supported on Windows nodes -* Windows does not support volume subpath mounts. Only the entire volume can be mounted in a Windows container. +* Volume subpath mounts. Only the entire volume can be mounted in a Windows container. * Subpath volume mounting for Secrets * Host mount projection * DefaultMode (due to UID/GID dependency) 
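Review bot: the corrected line still disagrees in number (`The behavior of the flags behave differently`); make it `The flags behave differently` or `The behavior of the flags differs`. The flag names in the context lines below it also do not match the kubelet's real flags: `--kubelet-reserve` is `--kube-reserved`, `--system-reserve` is `--system-reserved`, and `--enforce-node-allocable` is `--enforce-node-allocatable`. The same hunk states that these reservations place no limits on host processes on Windows and that a host process can starve the node, so anyone configuring the 2GB system reservation the paragraph recommends needs the exact names.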
@@ -329,7 +333,7 @@ The following networking functionality is not supported on Windows nodes * Windows reference network plugins win-bridge and win-overlay do not currently implement [CNI spec](https://github.com/containernetworking/cni/blob/master/SPEC.md) v0.4.0 due to missing "CHECK" implementation. * The Flannel VXLAN CNI has the following limitations on Windows: -1. Node-pod connectivity isn't possible by design. It's only possible for local pods with Flannel PR[ https://github.com/coreos/flannel/pull/1096](https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Fcoreos%2Fflannel%2Fpull%2F1096&data=02%7C01%7CDavid.Schott%40microsoft.com%7Cfa26c088fac743188e7d08d69ea3d836%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C636870823885740325&sdata=1QEvw9Gh6IioT7ruVhhXAlSgN1a%2FMsqn4ViDQSSSVjs%3D&reserved=0) +1. Node-pod connectivity isn't possible by design. It's only possible for local pods with Flannel [PR 1096](https://github.com/coreos/flannel/pull/1096) 2. We are restricted to using VNI 4096 and UDP port 4789. The VNI limitation is being worked on and will be overcome (open-source flannel changes). See official [Flannel VXLAN ](https://github.com/coreos/flannel/blob/master/Documentation/backends.md#vxlan)backend docs for more details on these parameters. ##### DNS 
@@ -342,7 +346,7 @@ The following networking functionality is not supported on Windows nodes Secrets are written in clear text on the node's volume (as compared to tmpfs/in-memory on linux). This means customers have to do two things 1. Use file ACLs to secure the secrets file location -2. ​Use volume-level encryption using [BitLocker](https://docs.microsoft.com/en-us/windows/security/information-protection/bitlocker/bitlocker-how-to-deploy-on-windows-server) +2. Use volume-level encryption using [BitLocker](https://docs.microsoft.com/en-us/windows/security/information-protection/bitlocker/bitlocker-how-to-deploy-on-windows-server) [RunAsUser ](https://kubernetes.io/docs/concepts/policy/pod-security-policy/#users-and-groups)is not currently supported on Windows. The workaround is to create local accounts before packaging the container. The RunAsUsername capability may be added in a future release. 
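Review bot: `1. Use file ACLs to secure the secrets file location` is not actionable as written, because the hunk never says where on the node the kubelet writes Secret volumes or which principals should keep access, so a reader cannot apply the ACL; and the BitLocker step only protects the volume at rest, not a process on the running node that can read the directory. Suggest naming the kubelet pod-volume directory, stating which accounts (for example SYSTEM and Administrators) should retain access, and tying this to the RunAsUser gap noted just below, since it is the lack of per-pod user control that makes on-disk clear-text Secrets reachable.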
@@ -388,9 +392,9 @@ Exit Codes follow the same convention where 0 is success, nonzero is failure. Th * V1.Pod.hostNetwork - There is no Windows OS support to share the host network * V1.Pod.dnsPolicy - ClusterFirstWithHostNet - is not supported because Host Networking is not supported on Windows. * V1.Pod.podSecurityContext - see [V1.PodSecurityContext](https://github.com/kubernetes/enhancements/blob/master/keps/sig-windows/20190103-windows-node-support.md#v1podsecuritycontext) -* V1.Pod.shareProcessNamespace - this is an beta feature, and depends on Linux namespaces which are not implemented on Windows. Windows cannot share process namespaces or the container's root filesystem. Only the network can be shared. -* V1.Pod.terminationGracePeriodSeconds - this is not fully implemented in Docker on Windows, see: [reference](https://github.com/moby/moby/issues/25982). The behavior today is that the ENTRYPOINT process is sent CTRL_SHUTDOWN_EVENT, then Windows waits 5 seconds by hardcoded default, and finally shuts down all processes using the normal Windows shutdown behavior. The 5 second default is actually in the Windows registry [inside the container](https://github.com/moby/moby/issues/25982#issuecomment-426441183), so it can be overridden when the container is built. -* V1.Pod.volumeDevices - this is an beta feature, and is not implemented on Windows. Windows cannot attach raw block devices to pods. +* V1.Pod.shareProcessNamespace - this is a beta feature, and depends on Linux namespaces which are not implemented on Windows. Windows cannot share process namespaces or the container's root filesystem. Only the network can be shared. +* V1.Pod.terminationGracePeriodSeconds - this is not fully implemented in Docker on Windows, see: [reference](https://github.com/moby/moby/issues/25982). 
The behavior today is that the ENTRYPOINT process is sent CTRL_SHUTDOWN_EVENT, then Windows waits 5 seconds by default, and finally shuts down all processes using the normal Windows shutdown behavior. The 5 second default is actually in the Windows registry [inside the container](https://github.com/moby/moby/issues/25982#issuecomment-426441183), so it can be overridden when the container is built. +* V1.Pod.volumeDevices - this is a beta feature, and is not implemented on Windows. Windows cannot attach raw block devices to pods. * V1.Pod.volumes - EmptyDir, Secret, ConfigMap, HostPath - all work and have tests in TestGrid * V1.emptyDirVolumeSource - the Node default medium is disk on Windows. Memory is not supported, as Windows does not have a built-in RAM disk. * V1.VolumeMount.mountPropagation - only MountPropagationHostToContainer is available. Windows cannot create mounts within a pod or project them back to the node. 
@@ -406,23 +410,23 @@ None of the PodSecurityContext fields work on Windows. They're listed here for r * V1.PodSecurityContext.SupplementalGroups - provides GID, not available on Windows * V1.PodSecurityContext.Sysctls - these are part of the Linux sysctl interface. There's no equivalent on Windows. -# ​User Guide: Add Windows Nodes in Kubernetes +# User Guide: Add Windows Nodes in Kubernetes -## ​Objectives +## Objectives The Kubernetes platform can now be used to run both Linux and Windows containers. One or more Windows nodes can be registered to a cluster. This guide shows how to: * Register a Windows node to the cluster * Configure networking so pods on Linux and Windows can communicate -## ​Before you begin +## Before you begin * Obtain a [Windows Server license](https://www.microsoft.com/en-us/cloud-platform/windows-server-pricing) in order to run the Windows node that will execute the Windows container. You can use your organization's licenses for the cluster, or acquire one from Microsoft, a reseller, or via the major cloud providers such as GCP, AWS, and Azure by provisioning a virtual machine running Windows Server through their marketplaces. A [time-limited trial](https://www.microsoft.com/en-us/cloud-platform/windows-server-trial) is also available. * Build a Linux-based Kubernetes cluster in which you have access to the control plane (some examples include [Getting Started from Scratch](https://kubernetes.io/docs/setup/scratch/), [kubeadm](https://kubernetes.io/docs/setup/independent/create-cluster-kubeadm/), [AKS Engine](https://kubernetes.io/docs/setup/turnkey/azure/), [GCE](https://kubernetes.io/docs/setup/turnkey/gce/), [AWS](https://kubernetes.io/docs/setup/turnkey/aws/)). 
-## ​Getting Started: Adding a Windows Node to Your Cluster +## Getting Started: Adding a Windows Node to Your Cluster -### ​Plan IP Addressing +### Plan IP Addressing Kubernetes cluster management requires careful planning of your IP addresses so that you do not inadvertently cause network collision. This guide assumes that you are familiar with the [Kubernetes networking concepts](https://kubernetes.io/docs/concepts/cluster-administration/networking/). @@ -477,11 +481,11 @@ While the Kubernetes control plane runs on your Linux node(s), the following com Get the latest binaries from [https://github.com/kubernetes/kubernetes/releases](https://github.com/kubernetes/kubernetes/releases), starting with v1.14 or later. The Windows-amd64 binaries for kubeadm, kubectl, kubelet, and kube-proxy can be found under the CHANGELOG link. -### ​Networking Configuration +### Networking Configuration Once you have a Linux-based Kubernetes master node you are ready to choose a networking solution. This guide illustrates using Flannel in VXLAN mode for simplicity. -#### ​Configuring Flannel in VXLAN mode on the Linux controller +#### Configuring Flannel in VXLAN mode on the Linux controller 1. Prepare Kubernetes master for Flannel @@ -737,7 +741,7 @@ Now you can view the Windows nodes in your cluster by running the following: kubectl get nodes ``` -### ​Public Cloud Providers +### Public Cloud Providers #### Azure 
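Review bot: the `-`/`+` heading pairs in these hunks look identical in a normal diff view; what changes is a U+200B zero-width space after `## ` (visible in `-## ​Objectives` against `+## Objectives`), which can also end up in the generated heading anchors. Worth one line in the commit message so the next reviewer does not mistake these for no-op hunks, and worth a check that no link in the file still targets the old anchor form.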
@@ -747,7 +751,7 @@ AKS-Engine can deploy a complete, customizable Kubernetes cluster with both Linu Users can easily deploy a complete Kubernetes cluster on GCE following this step-by-step walkthrough on [GitHub](https://github.com/kubernetes/kubernetes/blob/master/cluster/gce/windows/README-GCE-Windows-kube-up.md) -#### ​Deployment with kubeadm and cluster API +#### Deployment with kubeadm and cluster API Kubeadm is becoming the de facto standard for users to deploy a Kubernetes cluster. Windows node support in kubeadm will come in a future release. We are also making investments in cluster API to ensure Windows nodes are properly provisioned. @@ -767,7 +771,7 @@ Now that you've configured a Windows worker in your cluster to run Windows conta * Create a Kubernetes cluster that includes a master and a worker node running Windows Server * It is important to note that creating and deploying services and workloads on Kubernetes behaves in much the same way for Linux and Windows containers. [Kubectl commands](https://kubernetes.io/docs/reference/kubectl/overview/) to interface with the cluster are identical. The example in the section below is provided simply to jumpstart your experience with Windows containers. -## ​Getting Started: Deploying a Windows Container +## Getting Started: Deploying a Windows Container 1. Create a simple webserver example: @@ -880,7 +884,7 @@ tolerations: effect: "NoSchedule" ``` -# ​Getting Help and Troubleshooting +# Getting Help and Troubleshooting Your main source of help for troubleshooting your Kubernetes cluster should start with this [section](https://kubernetes.io/docs/tasks/debug-application-cluster/troubleshooting/). Some additional, Windows-specific troubleshooting help is included in this section. 
@@ -888,7 +892,7 @@ Your main source of help for troubleshooting your Kubernetes cluster should star You should see kubelet, kube-proxy, and (if you chose Flannel as your networking solution) flanneld host-agent processes running on your node, with running logs being displayed in separate PowerShell windows. In addition to this, your Windows node should be listed as "Ready" in your Kubernetes cluster. -2. Can I configure the Kubernetes node processes run in the background? +2. Can I configure the Kubernetes node processes to run in the background? 1. As native Windows Services Kubelet & kube-proxy can be run as native [Windows Services](https://kubernetes.io/docs/getting-started-guides/windows/#kubelet-and-kube-proxy-can-now-run-as-windows-services). See [Windows Services on Kubernetes](https://docs.microsoft.com/en-us/virtualization/windowscontainers/kubernetes/kube-windows-services) for example steps. [TODO create a section for setting up as Windows Services] @@ -1024,4 +1028,4 @@ The CRI-ContainerD interface will be able to manage sandboxes based on Hyper-V. ## Deployment with kubeadm and cluster API -Kubeadm is becoming the de facto standard for users to deploy a Kubernetes cluster. Windows node support in kubeadm will come in a future release. We are also making investments in cluster API to ensure Windows nodes are properly provisioned. \ No newline at end of file +Kubeadm is becoming the de facto standard for users to deploy a Kubernetes cluster. Windows node support in kubeadm will come in a future release. We are also making investments in cluster API to ensure Windows nodes are properly provisioned. From 3dd18c3862fcc19a9d5dcb74c27a22c10c9d966d Mon Sep 17 00:00:00 2001 From: Michael Michael Date: Sat, 16 Mar 2019 00:55:17 -0500 Subject: [PATCH 15/32] Update _index.md updating ovn-kubernetes docs --- .../getting-started-guides/windows/_index.md | 25 +++++++++++-------- 1 file changed, 15 insertions(+), 10 deletions(-) 
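Review bot: in the @@ -888 hunk, the unchanged context line `Kubelet & kube-proxy can be run as native [Windows Services](...). See [Windows Services on Kubernetes](...) for example steps. [TODO create a section for setting up as Windows Services]` still carries a bracketed TODO placeholder in published text; either write that section or drop the bracketed note before this ships. The grammar fix in the question heading ("to run in the background") is fine as is.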
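Review bot: the paragraph the @@ -1024 hunk only adds a trailing newline to (`Kubeadm is becoming the de facto standard for users to deploy a Kubernetes cluster. Windows node support in kubeadm will come in a future release. ...`) is a verbatim copy of the `#### Deployment with kubeadm and cluster API` paragraph touched in the @@ -747 hunk of this same patch; keep one of the two `Deployment with kubeadm and cluster API` sections and turn the other into a cross-reference so the two copies cannot drift apart.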
diff --git a/content/en/docs/getting-started-guides/windows/_index.md b/content/en/docs/getting-started-guides/windows/_index.md index e17bcc429845d..67af1a51a63ba 100644 --- a/content/en/docs/getting-started-guides/windows/_index.md +++ b/content/en/docs/getting-started-guides/windows/_index.md @@ -187,28 +187,33 @@ Windows supports five different networking drivers/modes: L2bridge, L2tunnel, Ov - Overlay (Overlay networking for Windows in Kubernetes is in alpha stage) + Overlay (Overlay networking for Windows in Kubernetes is in alpha stage) Containers are given a vNIC connected to an external vSwitch. Each overlay network gets its own IP subnet, defined by a custom IP prefix.The overlay network driver uses VXLAN encapsulation. Encapsulated with an outer header, inner packet remains the same. -
Win-overlay, Flannel VXLAN (uses win-overlay), -
OVN-Kubernetes (uses OpenVSwitch on Windows - Prebuilt certified installer), requires KB4482887 + Win-overlay, Flannel VXLAN (uses win-overlay) win-overlay should be used when virtual container networks are desired to be isolated from underlay of hosts (e.g. for security reasons). Allows for IPs to be re-used for different overlay networks (which have different VNID tags) if you are restricted on IPs in your datacenter. This option may be used when the container hosts are not L2 adjacent but have L3 connectivity - Transparent (not used in Kubernetes) + Transparent (special use case for ovn-kubernetes) - Containers are given a vNIC connected to an external vSwitch. Containers are attached to the underlay network directly and the physical network needs to learn the container MACs. + Containers are given a vNIC connected to a required external vSwitch. Containers are attached to the underlay network directly (external vSwitch) and the physical network needs to learn the container MACs. The external vSwitch enables intra-pod communication via logical networks (logical switches and routers) - Both MAC and IP remains the same. + Packet is encapsulated either via GENEVE or STT tunneling to reach pods which are not on the same host. + +Packets are forwarded or dropped via the tunnel metadata information supplied by the ovn network controller. + +NAT is done for north-south communication. + ovn-kubernetes - Included here for completeness + + Deploy via ansible. Distributed ACLs can be applied via Kubernetes policies. IPAM support. Load-balancing can be achieved without kube-proxy. NATing is done without using iptables/netsh. 
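Review bot: the removed line `OVN-Kubernetes (uses OpenVSwitch on Windows - Prebuilt certified installer), requires KB4482887` carried a concrete host prerequisite (the KB4482887 update) that the new ovn-kubernetes row (`Deploy via ansible. Distributed ACLs can be applied via Kubernetes policies. IPAM support. ...`) does not restate; if the update is still needed for OVS on Windows, keep it in the Transparent/ovn-kubernetes row so operators do not discover it at deploy time. Two smaller points in the same hunk: the unchanged context `defined by a custom IP prefix.The overlay network driver` is missing a space after the period, and the new `Transparent (special use case for ovn-kubernetes)` row should say explicitly that this mode is still not for general Kubernetes use, since the old text said `(not used in Kubernetes)` and readers of the table may otherwise treat it as a fourth general-purpose option.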
@@ -747,7 +752,7 @@ kubectl get nodes AKS-Engine can deploy a complete, customizable Kubernetes cluster with both Linux & Windows nodes. There is a step-by-step walkthrough available in the [docs on GitHub](https://github.com/Azure/aks-engine/blob/master/docs/topics/windows.md). -#### ​GCP +#### GCP Users can easily deploy a complete Kubernetes cluster on GCE following this step-by-step walkthrough on [GitHub](https://github.com/kubernetes/kubernetes/blob/master/cluster/gce/windows/README-GCE-Windows-kube-up.md) @@ -844,7 +849,7 @@ When the service is deployed correctly both Pods will be marked as Ready. To exi * Node-to-pod communication across the network, `curl` port 80 of your pod IPs from the Linux master to check for a web server response * Pod-to-pod communication, ping between pods (and across hosts, if you have more than one Windows node) using docker exec or kubectl exec * Service-to-pod communication, `curl` the virtual service IP (seen under `kubectl get services`) from the Linux master and from individual pods -* Service discovery, `curl` the service name with the Kubernetes[ default DNS suffix](https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#services) +* Service discovery, `curl` the service name with the Kubernetes [default DNS suffix](https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#services) * Inbound connectivity, `curl` the NodePort from the Linux master or machines outside of the cluster * Outbound connectivity, `curl` external IPs from inside the pod using kubectl exec {{< note >}} 
@@ -853,7 +858,7 @@ When the service is deployed correctly both Pods will be marked as Ready. To exi ## Managing Workload Identity with Group Managed Service Accounts -Starting with Kubernetes v1.14, Windows container workloads can be configured to use Group Managed Service Accounts (GMSA). Group Managed Service Accounts are a specific type of Active Directory account that provides automatic password management, simplified service principal name (SPN) management, and the ability to delegate the management to other administrators across multiple servers. Containers configured with a GMSA can access external Active Directory Domain resources while carrying the identity configured with the GMSA. Learn more about configuring and using GMSA for Windows containers [here](https://kubernetes.io/docs/concepts/configuration/workload-identity/). +Starting with Kubernetes v1.14, Windows container workloads can be configured to use Group Managed Service Accounts (GMSA). Group Managed Service Accounts are a specific type of Active Directory account that provides automatic password management, simplified service principal name (SPN) management, and the ability to delegate the management to other administrators across multiple servers. Containers configured with a GMSA can access external Active Directory Domain resources while carrying the identity configured with the GMSA. Learn more about configuring and using GMSA for Windows containers [here](/content/en/docs/tasks/configure-pod-container/configure-gmsa.md). ## Taints and Tolerations From f14665567c75d3a52907aa86ba97a3493ef6567a Mon Sep 17 00:00:00 2001 From: Michael Michael Date: Sat, 16 Mar 2019 22:24:06 -0500 Subject: [PATCH 16/32] Update _index.md --- .../getting-started-guides/windows/_index.md | 30 +++++++++---------- 1 file changed, 14 insertions(+), 16 deletions(-) 
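Review bot: the new GMSA link target in the @@ -853 hunk, `/content/en/docs/tasks/configure-pod-container/configure-gmsa.md`, is the repository path of the source file, not a URL the rendered site serves; it should be the site-relative path without the `content/en` prefix and `.md` suffix (something like `/docs/tasks/configure-pod-container/configure-gmsa/`), otherwise the link 404s on the published site.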
diff --git a/content/en/docs/getting-started-guides/windows/_index.md b/content/en/docs/getting-started-guides/windows/_index.md index 67af1a51a63ba..393517ddc2a52 100644 --- a/content/en/docs/getting-started-guides/windows/_index.md +++ b/content/en/docs/getting-started-guides/windows/_index.md @@ -2,10 +2,6 @@ title: Using Windows Server Containers in Kubernetes toc_hide: true --- -{{< note >}} -These instructions are under review for the v1.14 release with a [tracking issue](https://github.com/kubernetes/website/issues/12426). -{{< /note >}} - ## Motivation Windows applications constitute a large portion of the services and applications that run in many organizations. [Windows containers](https://aka.ms/windowscontainers) provide a modern way to encapsulate processes and package dependencies, making it easier to use DevOps practices and follow cloud native patterns for Windows applications. Kubernetes has become the defacto standard container orchestrator, and the release of Kubernetes 1.14 includes production support for scheduling Windows containers on Windows nodes in a Kubernetes cluster, enabling a vast ecosystem of Windows applications to leverage the power of Kubernetes. Enterprises with investments in Windows-based applications and Linux-based applications don't have to look for separate orchestrators to manage their workloads, leading to increased operational efficiencies across their deployments, regardless of operating system. 
@@ -72,7 +68,7 @@ Let's start with the operating system version. Refer to the following table for The Windows Server Host Operating System is subject to the [Windows Server ](https://www.microsoft.com/en-us/cloud-platform/windows-server-pricing) licensing. The Windows Container images are subject to the [Supplemental License Terms for Windows containers](https://docs.microsoft.com/en-us/virtualization/windowscontainers/images-eula). {{< /note >}} {{< note >}} -Windows containers with process isolation have strict compatibility rules, [where the host OS version must match the container base image OS version.](https://docs.microsoft.com/en-us/virtualization/windowscontainers/deploy-containers/version-compatibility). Once we support Windows containers with Hyper-V isolation in Kubernetes, the limitation and compatibility rules will change. +Windows containers with process isolation have strict compatibility rules, [where the host OS version must match the container base image OS version](https://docs.microsoft.com/en-us/virtualization/windowscontainers/deploy-containers/version-compatibility). Once we support Windows containers with Hyper-V isolation in Kubernetes, the limitation and compatibility rules will change. {{< /note >}} Key Kubernetes elements work the same way in Windows as they do in Linux. In this section, we will talk about some of the key workload enablers and how they map to Windows. @@ -130,6 +126,7 @@ Kubernetes Volumes enable complex applications with data persistence and Pod vol * FlexVolume out-of-tree plugin with [SMB and iSCSI](https://github.com/Microsoft/K8s-Storage-Plugins/tree/master/flexvolume/windows)support * [azureDisk](https://kubernetes.io/docs/concepts/storage/volumes/#azuredisk) * [azureFile](https://kubernetes.io/docs/concepts/storage/volumes/#azurefile) +* [gcePersistentDisk](https://kubernetes.io/docs/concepts/storage/volumes/#gcepersistentdisk) #### Networking 
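Review bot: the unchanged context line in the @@ -130 hunk, `* FlexVolume out-of-tree plugin with [SMB and iSCSI](https://github.com/Microsoft/K8s-Storage-Plugins/tree/master/flexvolume/windows)support`, is missing the space before `support`, so it renders as `iSCSIsupport`; since this hunk already edits the volume list, fix it here. The new `gcePersistentDisk` entry itself is fine.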
@@ -600,17 +597,18 @@ All code snippets in Windows sections are to be run in a PowerShell environment 1. Install Docker (requires a system reboot) -Kubernetes uses [Docker](https://www.docker.com/) as its container engine, so we need to install it. You can follow the [official Docs instructions](https://docs.microsoft.com/en-us/virtualization/windowscontainers/manage-docker/configure-docker-daemon#install-docker), the [Docker instructions](https://store.docker.com/editions/enterprise/docker-ee-server-windows), or try these steps: +Kubernetes uses [Docker](https://www.docker.com/) as its container engine, so we need to install it. You can follow the [official Docs instructions](https://docs.microsoft.com/en-us/virtualization/windowscontainers/manage-docker/configure-docker-daemon#install-docker), the [Docker instructions](https://store.docker.com/editions/enterprise/docker-ee-server-windows), or try the following *recommended* steps: -```powershell -PS C:\Users\Administrator\Install-Module -Name DockerMsftProvider -Repository PSGallery -Force -PS C:\Users\Administrator\Install-Package -Name Docker -ProviderName DockerMsftProvider -PS C:\Users\Administrator\Restart-Computer -Force +```PowerShell +Enable-WindowsOptionalFeature -FeatureName Containers +Restart-Computer -Force +Install-Module -Name DockerMsftProvider -Repository PSGallery -Force +Install-Package -Name Docker -ProviderName DockerMsftProvider ``` If you are behind a proxy, the following PowerShell environment variables must be defined: -```powershell +```PowerShell [Environment]::SetEnvironmentVariable("HTTP_PROXY", "http://proxy.example.com:80/", [EnvironmentVariableTarget]::Machine) [Environment]::SetEnvironmentVariable("HTTPS_PROXY", "http://proxy.example.com:443/", [EnvironmentVariableTarget]::Machine) ``` 
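Review bot: `Enable-WindowsOptionalFeature -FeatureName Containers` in the new PowerShell block is missing the `-Online` switch; without `-Online` (or `-Path`) the cmdlet cannot resolve its parameter set and does not enable the feature on the running host, so the line should read `Enable-WindowsOptionalFeature -Online -FeatureName Containers`. The reordering also moves `Restart-Computer -Force` ahead of `Install-Package -Name Docker -ProviderName DockerMsftProvider`, while the step title still says `Install Docker (requires a system reboot)` and the next section tells readers what to do "after reboot" if the docker service did not start; either add a reboot after the Docker install or reword the step so the single reboot is clearly the one that follows enabling the feature. Dropping the malformed `PS C:\Users\Administrator\` prompts from the commands is a good change.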
@@ -620,7 +618,7 @@ If after reboot you may see the following error: ![alt_text](windows-docker-error.png "windows docker error screen capture") If so then you need to restart the docker service manually: -```powershell +```PowerShell Start-Service docker ``` @@ -628,7 +626,7 @@ Start-Service docker The "pause" (infrastructure) image is on Microsoft Container Registry (MCR) and the DOCKERFILE is available at [https://github.com/Microsoft/SDN/blob/master/Kubernetes/windows/Dockerfile](https://github.com/Microsoft/SDN/blob/master/Kubernetes/windows/Dockerfile) {{< /note >}} -```powershell +```PowerShell docker pull mcr.microsoft.com/k8s/core/pause:1.0.0 ``` @@ -636,7 +634,7 @@ docker pull mcr.microsoft.com/k8s/core/pause:1.0.0 Create a "Kubernetes for Windows" directory to store Kubernetes binaries as well as any deployment scripts and config files. -```powershell +```PowerShell mkdir c:\k ``` @@ -658,7 +656,7 @@ The Flannel overlay deployment scripts and documentation are available in [this Download the [Flannel start.ps1](https://github.com/Microsoft/SDN/blob/master/Kubernetes/flannel/start.ps1) script, the contents of which should be extracted to `C:\k`: -```powershell +```PowerShell cd c:\k [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 wget https://raw.githubusercontent.com/Microsoft/SDN/master/Kubernetes/flannel/start.ps1 -o c:\k\start.ps1 
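Review bot: in the download block of the @@ -658 hunk, `wget https://raw.githubusercontent.com/Microsoft/SDN/master/Kubernetes/flannel/start.ps1 -o c:\k\start.ps1` relies on `wget` being the PowerShell alias for `Invoke-WebRequest`, and `-o` is ambiguous for that cmdlet (`-OutFile`, `-OutBuffer`, `-OutVariable`), so the command errors out instead of saving the file; spell it as `Invoke-WebRequest ... -OutFile c:\k\start.ps1`. Separately, the script is fetched from the moving `master` branch and then run as the node's bootstrap; pinning the URL to a commit SHA and publishing the expected file hash beside it would let readers check what they are about to execute.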
@@ -668,7 +666,7 @@ wget https://raw.githubusercontent.com/Microsoft/SDN/master/Kubernetes/flannel/s [start.ps1](https://github.com/Microsoft/SDN/blob/master/Kubernetes/flannel/start.ps1) references [install.ps1](https://github.com/Microsoft/SDN/blob/master/Kubernetes/windows/install.ps1), which will download additional files such as the `flanneld` executable and the [Dockerfile for infrastructure pod](https://github.com/Microsoft/SDN/blob/master/Kubernetes/windows/Dockerfile) and install those for you. For overlay networking mode, the [firewall](https://github.com/Microsoft/SDN/blob/master/Kubernetes/windows/helper.psm1#L111) will be opened for local UDP port 4789. There may be multiple powershell windows being opened/closed as well as a few seconds of network outage while the new external vSwitch for the pod network is being created the first time. Run the script using the arguments as specified below: {{< /note >}} -```powershell +```PowerShell .\start.ps1 -ManagementIP -NetworkMode overlay -ClusterCIDR -ServiceCIDR -KubeDnsServiceIP -LogDir ``` From 9b1b1b36e9836440ac0cb54569bc1ccf8b08da9e Mon Sep 17 00:00:00 2001 From: Michael Michael Date: Mon, 18 Mar 2019 10:19:08 -0500 Subject: [PATCH 17/32] Update _index.md --- content/en/docs/getting-started-guides/windows/_index.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/en/docs/getting-started-guides/windows/_index.md b/content/en/docs/getting-started-guides/windows/_index.md index 393517ddc2a52..c81ac866b0112 100644 --- a/content/en/docs/getting-started-guides/windows/_index.md +++ b/content/en/docs/getting-started-guides/windows/_index.md @@ -1,5 +1,5 @@ --- -title: Using Windows Server Containers in Kubernetes +title: Adding Windows nodes and scheduling Windows containers in Kubernetes toc_hide: true --- ## Motivation From 185124a230305292b75e503f829985672aa41e97 Mon Sep 17 00:00:00 2001 
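Review bot: the command in the @@ -668 hunk, `.\start.ps1 -ManagementIP -NetworkMode overlay -ClusterCIDR -ServiceCIDR -KubeDnsServiceIP -LogDir`, has lost the values for every parameter except `-NetworkMode`; the angle-bracket placeholders were most likely dropped as HTML tags during the Google Doc export. Restore a placeholder after each switch (the fenced block will preserve `<host-ip>`-style text, or use names like `YOUR_MANAGEMENT_IP`) so readers know which argument takes what. The note above the block is also the only place the host firewall opening for UDP 4789 is mentioned; since it changes the node's exposed surface, it deserves a line in the section's prerequisites as well.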
From: Michael Michael Date: Mon, 18 Mar 2019 10:27:57 -0500 Subject: [PATCH 18/32] updating relative docs links updating all the links to be relative links to /docs --- .../getting-started-guides/windows/_index.md | 42 +++++++++---------- 1 file changed, 21 insertions(+), 21 deletions(-) diff --git a/content/en/docs/getting-started-guides/windows/_index.md b/content/en/docs/getting-started-guides/windows/_index.md index c81ac866b0112..08757dc8e1b7c 100644 --- a/content/en/docs/getting-started-guides/windows/_index.md +++ b/content/en/docs/getting-started-guides/windows/_index.md 
@@ -9,12 +9,12 @@ Windows applications constitute a large portion of the services and applications ## Intro to Windows containers in Kubernetes -To enable the orchestration of Windows containers in Kubernetes, simply include Windows nodes in your existing Linux cluster. Scheduling Windows containers in [Pods](https://kubernetes.io/docs/concepts/workloads/pods/pod-overview/) on Kubernetes is as simple and easy as scheduling Linux-based containers. +To enable the orchestration of Windows containers in Kubernetes, simply include Windows nodes in your existing Linux cluster. Scheduling Windows containers in [Pods](/docs/concepts/workloads/pods/pod-overview/) on Kubernetes is as simple and easy as scheduling Linux-based containers. In order to run Windows containers, your Kubernetes cluster must include multiple operating systems, with control plane nodes running Linux and workers running either Windows or Linux depending on your workload needs. Windows Server 2019 is the only Windows operating system supported, enabling [Kubernetes Node](https://github.com/kubernetes/community/blob/master/contributors/design-proposals/architecture/architecture.md#the-kubernetes-node) on Windows (including kubelet, [container runtime](https://docs.microsoft.com/en-us/virtualization/windowscontainers/deploy-containers/containerd), and kube-proxy). For a detailed explanation of Windows distribution channels see the [Microsoft documentation](https://docs.microsoft.com/en-us/windows-server/get-started-19/servicing-channels-19). {{< note >}} -The Kubernetes control plane, including the [master components](https://kubernetes.io/docs/concepts/overview/components/), will continue to run on Linux. There are no plans to have a Windows-only Kubernetes cluster. +The Kubernetes control plane, including the [master components](/docs/concepts/overview/components/), will continue to run on Linux. There are no plans to have a Windows-only Kubernetes cluster. {{< /note >}} {{< note >}} 
@@ -73,7 +73,7 @@ Windows containers with process isolation have strict compatibility rules, [wher Key Kubernetes elements work the same way in Windows as they do in Linux. In this section, we will talk about some of the key workload enablers and how they map to Windows. -* [Pods](https://kubernetes.io/docs/concepts/workloads/pods/pod-overview/) +* [Pods](/docs/concepts/workloads/pods/pod-overview/) A Pod is the basic building block of Kubernetes–the smallest and simplest unit in the Kubernetes object model that you create or deploy. The following Pod capabilities, properties and events are supported with Windows containers: @@ -85,7 +85,7 @@ Key Kubernetes elements work the same way in Windows as they do in Linux. In thi * EmptyDir * Named pipe host mounts * Resource limits -* [Controllers](https://kubernetes.io/docs/concepts/workloads/controllers/) +* [Controllers](/docs/concepts/workloads/controllers/) Kubernetes controllers handle the desired state of Pods. The following workload controllers are supported with Windows containers: @@ -96,7 +96,7 @@ Key Kubernetes elements work the same way in Windows as they do in Linux. In thi * DaemonSet * Job * CronJob -* [Services](https://kubernetes.io/docs/concepts/services-networking/service/) +* [Services](/docs/concepts/services-networking/service/) A Kubernetes Service is an abstraction which defines a logical set of Pods and a policy by which to access them - sometimes called a micro-service. You can use services for cross-operating system connectivity. In Windows, services can utilize the following types, properties and capabilities: 
@@ -121,16 +121,16 @@ Docker EE-basic 18.09 is required on Windows Server 2019 / 1809 nodes for Kubern #### Storage -Kubernetes Volumes enable complex applications with data persistence and Pod volume sharing requirements to be deployed on Kubernetes. Kubernetes on Windows supports the following types of [volumes](https://kubernetes.io/docs/concepts/storage/volumes/): +Kubernetes Volumes enable complex applications with data persistence and Pod volume sharing requirements to be deployed on Kubernetes. Kubernetes on Windows supports the following types of [volumes](/docs/concepts/storage/volumes/): * FlexVolume out-of-tree plugin with [SMB and iSCSI](https://github.com/Microsoft/K8s-Storage-Plugins/tree/master/flexvolume/windows)support -* [azureDisk](https://kubernetes.io/docs/concepts/storage/volumes/#azuredisk) -* [azureFile](https://kubernetes.io/docs/concepts/storage/volumes/#azurefile) -* [gcePersistentDisk](https://kubernetes.io/docs/concepts/storage/volumes/#gcepersistentdisk) +* [azureDisk](/docs/concepts/storage/volumes/#azuredisk) +* [azureFile](/docs/concepts/storage/volumes/#azurefile) +* [gcePersistentDisk](/docs/concepts/storage/volumes/#gcepersistentdisk) #### Networking -Networking for Windows containers is exposed through [CNI plugins](https://kubernetes.io/docs/concepts/extend-kubernetes/compute-storage-net/network-plugins/). Windows containers function similarly to virtual machines in regards to networking. Each container has a virtual network adapter (vNIC) which is connected to a Hyper-V virtual switch (vSwitch). The Host Networking Service (HNS) and the Host Compute Service (HCS) work together to create containers and attach container vNICs to networks. HCS is responsible for the management of containers whereas HNS is responsible for the management of networking resources such as: +Networking for Windows containers is exposed through [CNI plugins](/docs/concepts/extend-kubernetes/compute-storage-net/network-plugins/). 
Windows containers function similarly to virtual machines in regards to networking. Each container has a virtual network adapter (vNIC) which is connected to a Hyper-V virtual switch (vSwitch). The Host Networking Service (HNS) and the Host Compute Service (HCS) work together to create containers and attach container vNICs to networks. HCS is responsible for the management of containers whereas HNS is responsible for the management of networking resources such as: * Virtual networks (including creation of vSwitches) * Endpoints / vNICs 
@@ -277,7 +277,7 @@ Windows has strict compatibility rules, where the host OS version must match the Windows does not have an out-of-memory process killer as Linux does. Windows always treats all user-mode memory allocations as virtual, and pagefiles are mandatory. The net effect is that Windows won't reach out of memory conditions the same way Linux does, and processes will page to disk instead of being subject to out of memory (OOM) termination. If memory is over-provisioned and all physical memory is exhausted, then paging can slow down performance. -Keeping memory usage within reasonable bounds is possible with a two-step process. First, use the kubelet parameters `--kubelet-reserve` and/or `--system-reserve` to account for memory usage on the node (outside of containers). This will reduce [NodeAllocatable](https://kubernetes.io/docs/tasks/administer-cluster/reserve-compute-resources/#node-allocatable)). As you deploy workloads, use resource limits (must set only limits or limits must equal requests) on containers. This will also subtract from NodeAllocatable and prevent the scheduler from adding more pods once a node is full. +Keeping memory usage within reasonable bounds is possible with a two-step process. First, use the kubelet parameters `--kubelet-reserve` and/or `--system-reserve` to account for memory usage on the node (outside of containers). This will reduce [NodeAllocatable](/docs/tasks/administer-cluster/reserve-compute-resources/#node-allocatable)). As you deploy workloads, use resource limits (must set only limits or limits must equal requests) on containers. This will also subtract from NodeAllocatable and prevent the scheduler from adding more pods once a node is full. A best practice to avoid over-provisioning is to configure the kubelet with a system reserved memory of at least 2GB to account for Windows, Docker, and Kubernetes processes. 
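Review bot: the changed line still names the kubelet parameters as `--kubelet-reserve` and `--system-reserve`; the kubelet flags are `--kube-reserved` and `--system-reserved` (the node-allocatable page this line links to uses those names), so the text should be corrected while the link is being touched. The same line also has an extra closing parenthesis after the link: `...#node-allocatable))`.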
@@ -350,7 +350,7 @@ Secrets are written in clear text on the node's volume (as compared to tmpfs/in- 1. Use file ACLs to secure the secrets file location 2. Use volume-level encryption using [BitLocker](https://docs.microsoft.com/en-us/windows/security/information-protection/bitlocker/bitlocker-how-to-deploy-on-windows-server) -[RunAsUser ](https://kubernetes.io/docs/concepts/policy/pod-security-policy/#users-and-groups)is not currently supported on Windows. The workaround is to create local accounts before packaging the container. The RunAsUsername capability may be added in a future release. +[RunAsUser ](/docs/concepts/policy/pod-security-policy/#users-and-groups)is not currently supported on Windows. The workaround is to create local accounts before packaging the container. The RunAsUsername capability may be added in a future release. Linux specific pod security context privileges such as SELinux, AppArmor, Seccomp, Capabilities (POSIX Capabilities), and others are not supported. 
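Review bot: `[RunAsUser ](/docs/concepts/policy/pod-security-policy/#users-and-groups)is not currently supported` keeps a trailing space inside the link text and no space after the link, so the rendered underline lands on "RunAsUser " and runs into "is"; move the space outside the closing bracket. Since this hunk edits the pod security text anyway, the two mitigations listed above it (file ACLs and BitLocker for the clear-text secrets on the node volume) would be more actionable with the path that needs the ACL.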
@@ -424,13 +424,13 @@ The Kubernetes platform can now be used to run both Linux and Windows containers ## Before you begin * Obtain a [Windows Server license](https://www.microsoft.com/en-us/cloud-platform/windows-server-pricing) in order to run the Windows node that will execute the Windows container. You can use your organization's licenses for the cluster, or acquire one from Microsoft, a reseller, or via the major cloud providers such as GCP, AWS, and Azure by provisioning a virtual machine running Windows Server through their marketplaces. A [time-limited trial](https://www.microsoft.com/en-us/cloud-platform/windows-server-trial) is also available. -* Build a Linux-based Kubernetes cluster in which you have access to the control plane (some examples include [Getting Started from Scratch](https://kubernetes.io/docs/setup/scratch/), [kubeadm](https://kubernetes.io/docs/setup/independent/create-cluster-kubeadm/), [AKS Engine](https://kubernetes.io/docs/setup/turnkey/azure/), [GCE](https://kubernetes.io/docs/setup/turnkey/gce/), [AWS](https://kubernetes.io/docs/setup/turnkey/aws/)). +* Build a Linux-based Kubernetes cluster in which you have access to the control plane (some examples include [Getting Started from Scratch](/docs/setup/scratch/), [kubeadm](/docs/setup/independent/create-cluster-kubeadm/), [AKS Engine](/docs/setup/turnkey/azure/), [GCE](/docs/setup/turnkey/gce/), [AWS](/docs/setup/turnkey/aws/)). ## Getting Started: Adding a Windows Node to Your Cluster ### Plan IP Addressing -Kubernetes cluster management requires careful planning of your IP addresses so that you do not inadvertently cause network collision. This guide assumes that you are familiar with the [Kubernetes networking concepts](https://kubernetes.io/docs/concepts/cluster-administration/networking/). +Kubernetes cluster management requires careful planning of your IP addresses so that you do not inadvertently cause network collision. 
This guide assumes that you are familiar with the [Kubernetes networking concepts](/docs/concepts/cluster-administration/networking/). In order to deploy your cluster you will need the following address spaces: @@ -772,7 +772,7 @@ Now that you've configured a Windows worker in your cluster to run Windows conta ## Before you begin * Create a Kubernetes cluster that includes a master and a worker node running Windows Server -* It is important to note that creating and deploying services and workloads on Kubernetes behaves in much the same way for Linux and Windows containers. [Kubectl commands](https://kubernetes.io/docs/reference/kubectl/overview/) to interface with the cluster are identical. The example in the section below is provided simply to jumpstart your experience with Windows containers. +* It is important to note that creating and deploying services and workloads on Kubernetes behaves in much the same way for Linux and Windows containers. [Kubectl commands](/docs/reference/kubectl/overview/) to interface with the cluster are identical. The example in the section below is provided simply to jumpstart your experience with Windows containers. ## Getting Started: Deploying a Windows Container 
@@ -847,7 +847,7 @@ When the service is deployed correctly both Pods will be marked as Ready. To exi * Node-to-pod communication across the network, `curl` port 80 of your pod IPs from the Linux master to check for a web server response * Pod-to-pod communication, ping between pods (and across hosts, if you have more than one Windows node) using docker exec or kubectl exec * Service-to-pod communication, `curl` the virtual service IP (seen under `kubectl get services`) from the Linux master and from individual pods -* Service discovery, `curl` the service name with the Kubernetes [default DNS suffix](https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#services) +* Service discovery, `curl` the service name with the Kubernetes [default DNS suffix](/docs/concepts/services-networking/dns-pod-service/#services) * Inbound connectivity, `curl` the NodePort from the Linux master or machines outside of the cluster * Outbound connectivity, `curl` external IPs from inside the pod using kubectl exec {{< note >}} 
@@ -856,7 +856,7 @@ When the service is deployed correctly both Pods will be marked as Ready. To exi ## Managing Workload Identity with Group Managed Service Accounts -Starting with Kubernetes v1.14, Windows container workloads can be configured to use Group Managed Service Accounts (GMSA). Group Managed Service Accounts are a specific type of Active Directory account that provides automatic password management, simplified service principal name (SPN) management, and the ability to delegate the management to other administrators across multiple servers. Containers configured with a GMSA can access external Active Directory Domain resources while carrying the identity configured with the GMSA. Learn more about configuring and using GMSA for Windows containers [here](/content/en/docs/tasks/configure-pod-container/configure-gmsa.md). +Starting with Kubernetes v1.14, Windows container workloads can be configured to use Group Managed Service Accounts (GMSA). Group Managed Service Accounts are a specific type of Active Directory account that provides automatic password management, simplified service principal name (SPN) management, and the ability to delegate the management to other administrators across multiple servers. Containers configured with a GMSA can access external Active Directory Domain resources while carrying the identity configured with the GMSA. Learn more about configuring and using GMSA for Windows containers [here](/docs/tasks/configure-pod-container/configure-gmsa.md). ## Taints and Tolerations 
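Review bot: the GMSA link in this hunk now points at `/docs/tasks/configure-pod-container/configure-gmsa.md`; the `.md` suffix is the source file name rather than the rendered URL, so it should be `/docs/tasks/configure-pod-container/configure-gmsa/` like every other site-relative link converted in this commit.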
@@ -889,7 +889,7 @@ tolerations: # Getting Help and Troubleshooting -Your main source of help for troubleshooting your Kubernetes cluster should start with this [section](https://kubernetes.io/docs/tasks/debug-application-cluster/troubleshooting/). Some additional, Windows-specific troubleshooting help is included in this section. +Your main source of help for troubleshooting your Kubernetes cluster should start with this [section](/tasks/debug-application-cluster/troubleshooting/). Some additional, Windows-specific troubleshooting help is included in this section. 1. How do I know start.ps1 completed successfully? 
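Review bot: the rewritten link on the `+` line drops the `/docs` segment: `/tasks/debug-application-cluster/troubleshooting/` should be `/docs/tasks/debug-application-cluster/troubleshooting/`, matching the absolute URL being replaced and the `/docs/...` form used by the other relative links in this patch.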
@@ -898,7 +898,7 @@ You should see kubelet, kube-proxy, and (if you chose Flannel as your networking 2. Can I configure the Kubernetes node processes to run in the background? 1. As native Windows Services -Kubelet & kube-proxy can be run as native [Windows Services](https://kubernetes.io/docs/getting-started-guides/windows/#kubelet-and-kube-proxy-can-now-run-as-windows-services). See [Windows Services on Kubernetes](https://docs.microsoft.com/en-us/virtualization/windowscontainers/kubernetes/kube-windows-services) for example steps. [TODO create a section for setting up as Windows Services] +Kubelet & kube-proxy can be run as native [Windows Services](/docs/getting-started-guides/windows/#kubelet-and-kube-proxy-can-now-run-as-windows-services). See [Windows Services on Kubernetes](https://docs.microsoft.com/en-us/virtualization/windowscontainers/kubernetes/kube-windows-services) for example steps. [TODO create a section for setting up as Windows Services] 2. Using nssm.exe Kubelet and kube-proxy are already configured to run as native Windows Services. However, you can also always use alternative service managers like [nssm.exe](https://nssm.cc/) to run these processes (flanneld, kubelet & kube-proxy) in the background for you. For initial troubleshooting, you can use the following flags in [nssm.exe](https://nssm.cc/) to redirect stdout and stderr to a output file: 
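Review bot: the `+` line keeps a link to `/docs/getting-started-guides/windows/#kubelet-and-kube-proxy-can-now-run-as-windows-services`, an anchor on this very page, while the `[TODO create a section for setting up as Windows Services]` in the same sentence says that section does not exist yet; either add the section in this change or remove the link until it does. In the unchanged context line, `to a output file` should read `to an output file`.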
@@ -920,7 +920,7 @@ Windows Pods do not have outbound rules programmed for the ICMP protocol today. If you are still facing problems, most likely your network configuration in [cni.conf](https://github.com/Microsoft/SDN/blob/master/Kubernetes/flannel/l2bridge/cni/config/cni.conf) deserves some extra attention. You can always edit this static file, the configuration will be applied to any newly created Kubernetes resources. -One of the Kubernetes networking requirements (see [Kubernetes model](https://kubernetes.io/docs/concepts/cluster-administration/networking/)) is for cluster communication to occur without NAT internally. To honor this requirement, there is an [ExceptionList](https://github.com/Microsoft/SDN/blob/master/Kubernetes/flannel/l2bridge/cni/config/cni.conf#L20) for all the communication where we do not want outbound NAT to occur. However, this also means that you need to exclude the external IP you are trying to query from the ExceptionList. Only then will the traffic originating from your Windows pods be SNAT'ed correctly to receive a response from the outside world. In this regard, your ExceptionList in `cni.conf` should look as follows: +One of the Kubernetes networking requirements (see [Kubernetes model](/docs/concepts/cluster-administration/networking/)) is for cluster communication to occur without NAT internally. To honor this requirement, there is an [ExceptionList](https://github.com/Microsoft/SDN/blob/master/Kubernetes/flannel/l2bridge/cni/config/cni.conf#L20) for all the communication where we do not want outbound NAT to occur. However, this also means that you need to exclude the external IP you are trying to query from the ExceptionList. Only then will the traffic originating from your Windows pods be SNAT'ed correctly to receive a response from the outside world. In this regard, your ExceptionList in `cni.conf` should look as follows: ```conf "ExceptionList": [ 
@@ -937,7 +937,7 @@ Local NodePort access from the node itself will fail. This is a known limitation 6. vNICs and HNS endpoints of containers are being deleted -This issue can be caused when the `hostname-override` parameter is not passed to [kube-proxy](https://kubernetes.io/docs/reference/command-line-tools-reference/kube-proxy/). To resolve it, users need to pass the hostname to kube-proxy as follows: +This issue can be caused when the `hostname-override` parameter is not passed to [kube-proxy](/docs/reference/command-line-tools-reference/kube-proxy/). To resolve it, users need to pass the hostname to kube-proxy as follows: ```powershell C:\k\kube-proxy.exe --hostname-override=$(hostname) From 394937ed3f74fb429abf29bfd415ab9b3462c7f4 Mon Sep 17 00:00:00 2001 From: Michael Michael Date: Mon, 18 Mar 2019 11:02:52 -0500 Subject: [PATCH 19/32] Update _index.md --- content/en/docs/getting-started-guides/windows/_index.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/content/en/docs/getting-started-guides/windows/_index.md b/content/en/docs/getting-started-guides/windows/_index.md index 08757dc8e1b7c..3c81c038f10c7 100644 --- a/content/en/docs/getting-started-guides/windows/_index.md +++ b/content/en/docs/getting-started-guides/windows/_index.md @@ -889,7 +889,7 @@ tolerations: # Getting Help and Troubleshooting -Your main source of help for troubleshooting your Kubernetes cluster should start with this [section](/tasks/debug-application-cluster/troubleshooting/). Some additional, Windows-specific troubleshooting help is included in this section. +Your main source of help for troubleshooting your Kubernetes cluster should start with this [section](/docs/tasks/debug-application-cluster/troubleshooting/). Some additional, Windows-specific troubleshooting help is included in this section. 1. How do I know start.ps1 completed successfully? 
@@ -898,7 +898,7 @@ You should see kubelet, kube-proxy, and (if you chose Flannel as your networking 2. Can I configure the Kubernetes node processes to run in the background? 1. As native Windows Services -Kubelet & kube-proxy can be run as native [Windows Services](/docs/getting-started-guides/windows/#kubelet-and-kube-proxy-can-now-run-as-windows-services). See [Windows Services on Kubernetes](https://docs.microsoft.com/en-us/virtualization/windowscontainers/kubernetes/kube-windows-services) for example steps. [TODO create a section for setting up as Windows Services] +Kubelet & kube-proxy can be run as native Windows Services. See [Windows Services on Kubernetes](https://docs.microsoft.com/en-us/virtualization/windowscontainers/kubernetes/kube-windows-services) for example steps. [TODO create a section for setting up as Windows Services] 2. Using nssm.exe Kubelet and kube-proxy are already configured to run as native Windows Services. However, you can also always use alternative service managers like [nssm.exe](https://nssm.cc/) to run these processes (flanneld, kubelet & kube-proxy) in the background for you. For initial troubleshooting, you can use the following flags in [nssm.exe](https://nssm.cc/) to redirect stdout and stderr to a output file: From a13278b484a0a7c78fa4d38baf71c478b6570611 Mon Sep 17 00:00:00 2001 From: Michael Michael Date: Mon, 18 Mar 2019 12:13:39 -0500 Subject: [PATCH 20/32] Update _index.md updates for windows services and ovn-kubernetes --- .../getting-started-guides/windows/_index.md | 61 +++++++++++++------ 1 file changed, 42 insertions(+), 19 deletions(-) diff --git a/content/en/docs/getting-started-guides/windows/_index.md b/content/en/docs/getting-started-guides/windows/_index.md index 3c81c038f10c7..19174de0fd6ec 100644 --- a/content/en/docs/getting-started-guides/windows/_index.md +++ b/content/en/docs/getting-started-guides/windows/_index.md 
@@ -193,12 +193,12 @@ Windows supports five different networking drivers/modes: L2bridge, L2tunnel, Ov Win-overlay, Flannel VXLAN (uses win-overlay) win-overlay should be used when virtual container networks are desired to be isolated from underlay of hosts (e.g. for security reasons). Allows for IPs to be re-used for different overlay networks (which have different VNID tags) if you are restricted on IPs in your datacenter. This option may be used when the container hosts are not L2 adjacent but have L3 connectivity - + Transparent (special use case for ovn-kubernetes) - Containers are given a vNIC connected to a required external vSwitch. Containers are attached to the underlay network directly (external vSwitch) and the physical network needs to learn the container MACs. The external vSwitch enables intra-pod communication via logical networks (logical switches and routers) + Requires an external vSwitch. Containers are attached to an external vSwitch which will enable intra-pod communication via logical networks (logical switches and routers). Packet is encapsulated either via GENEVE or STT tunneling to reach pods which are not on the same host. 
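Review bot: on the `+` line of the Transparent row, `Packet is encapsulated either via GENEVE or STT tunneling to reach pods which are not on the same host` should read `Packets are encapsulated via either GENEVE or STT tunneling to reach pods that are not on the same host`. The replaced text also stated that the physical network needs to learn the container MACs; if that prerequisite still applies to ovn-kubernetes, keep that sentence, since the new wording no longer tells the reader about it.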
@@ -642,7 +642,7 @@ mkdir c:\k Copy the Kubernetes certificate file (`$HOME/.kube/config`) [from Linux controller](https://docs.microsoft.com/en-us/virtualization/windowscontainers/kubernetes/creating-a-linux-master#collect-cluster-information) to this new `C:\k` directory on your Windows node. -Tip: You can use tools such as [xcopy](https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/xcopy), [WinSCP](https://winscp.net/eng/download.php), [PowerShell wrapper for WinSCP](https://www.powershellgallery.com/packages/WinSCP/5.13.2.0) to transfer the config file between nodes. +Tip: You can use tools such as [xcopy](https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/xcopy), [WinSCP](https://winscp.net/eng/download.php), or this [PowerShell wrapper for WinSCP](https://www.powershellgallery.com/packages/WinSCP/5.13.2.0) to transfer the config file between nodes. 4. Download Kubernetes binaries 
@@ -895,13 +895,36 @@ Your main source of help for troubleshooting your Kubernetes cluster should star You should see kubelet, kube-proxy, and (if you chose Flannel as your networking solution) flanneld host-agent processes running on your node, with running logs being displayed in separate PowerShell windows. In addition to this, your Windows node should be listed as "Ready" in your Kubernetes cluster. -2. Can I configure the Kubernetes node processes to run in the background? +1. Can I configure the Kubernetes node processes to run in the background? + +Kubelet and kube-proxy are already configured to run as native Windows Services. You have two options for configuring these node components as services. + 1. As native Windows Services -Kubelet & kube-proxy can be run as native Windows Services. See [Windows Services on Kubernetes](https://docs.microsoft.com/en-us/virtualization/windowscontainers/kubernetes/kube-windows-services) for example steps. [TODO create a section for setting up as Windows Services] - 2. Using nssm.exe +Kubelet & kube-proxy can be run as native Windows Services using `sc.exe`. + +```powershell +# Create the services for kubelet and kube-proxy in two separate commands +sc.exe create binPath= " --service " + +# Please note that if the arguments contain spaces, they must be escaped. +sc.exe create kubelet binPath= "C:\kubelet.exe --service --hostname-override 'minion' " + +# Start the services +Start-Service kubelet +Start-Service kube-proxy + +# Stop the service +Stop-Service kubelet (-Force) +Stop-Service kube-proxy (-Force) + +# Query the service status +Get-Service kubelet +Get-Service kube-proxy +``` + 1. Using nssm.exe -Kubelet and kube-proxy are already configured to run as native Windows Services. However, you can also always use alternative service managers like [nssm.exe](https://nssm.cc/) to run these processes (flanneld, kubelet & kube-proxy) in the background for you. 
For initial troubleshooting, you can use the following flags in [nssm.exe](https://nssm.cc/) to redirect stdout and stderr to a output file: +You can also always use alternative service managers like [nssm.exe](https://nssm.cc/) to run these processes (flanneld, kubelet & kube-proxy) in the background for you. See [Windows Services on Kubernetes](https://docs.microsoft.com/en-us/virtualization/windowscontainers/kubernetes/kube-windows-services) for example steps. For initial troubleshooting, you can use the following flags in [nssm.exe](https://nssm.cc/) to redirect stdout and stderr to a output file: ```powershell nssm set AppStdout C:\k\mysvc.log @@ -910,11 +933,11 @@ nssm set AppStderr C:\k\mysvc.log For additional details, see official [nssm usage](https://nssm.cc/usage) docs. -3. My Windows Pods do not have network connectivity +1. My Windows Pods do not have network connectivity If you are using virtual machines, ensure that MAC spoofing is enabled on all the VM network adapter(s). -4. My Windows Pods cannot ping external resources +1. My Windows Pods cannot ping external resources Windows Pods do not have outbound rules programmed for the ICMP protocol today. However, TCP/UDP is supported. When trying to demonstrate connectivity to resources outside of the cluster, please substitute `ping ` with corresponding `curl ` commands. 
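Review bot: the added `sc.exe` block under `As native Windows Services` does not run as written. `Stop-Service kubelet (-Force)` and `Stop-Service kube-proxy (-Force)` are not valid PowerShell; write `Stop-Service kubelet -Force` and say in the comment that `-Force` is optional. The first line, `sc.exe create binPath= " --service "`, has neither a service name nor a binary path, so it reads as a template whose placeholders went missing; mark the placeholders clearly or drop the line, since the concrete `sc.exe create kubelet ...` that follows already shows the form. The comment `if the arguments contain spaces, they must be escaped` is illustrated with `--hostname-override 'minion'`, which contains no spaces and uses single quotes rather than escaping, so either show an argument that actually needs escaping or reword the comment. The block creates only the `kubelet` service yet starts, stops and queries `kube-proxy` too; add the matching `sc.exe create kube-proxy ...` line. The two sentences `Kubelet and kube-proxy are already configured to run as native Windows Services` and `Kubelet & kube-proxy can be run as native Windows Services using sc.exe` say nearly the same thing a few lines apart; keep one. Finally, on the nssm `+` line `to a output file` should read `to an output file`.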
@@ -931,11 +954,11 @@ One of the Kubernetes networking requirements (see [Kubernetes model](/docs/conc ``` -5. My Windows node cannot access NodePort service +1. My Windows node cannot access NodePort service Local NodePort access from the node itself will fail. This is a known limitation. NodePort access will work from other nodes or external clients. -6. vNICs and HNS endpoints of containers are being deleted +1. vNICs and HNS endpoints of containers are being deleted This issue can be caused when the `hostname-override` parameter is not passed to [kube-proxy](/docs/reference/command-line-tools-reference/kube-proxy/). To resolve it, users need to pass the hostname to kube-proxy as follows: @@ -943,7 +966,7 @@ This issue can be caused when the `hostname-override` parameter is not passed to C:\k\kube-proxy.exe --hostname-override=$(hostname) ``` -7. With flannel my nodes are having issues after rejoining a cluster +1. With flannel my nodes are having issues after rejoining a cluster Whenever a previously deleted node is being re-joined to the cluster, flannelD will try to assign a new pod subnet to the node. Users should remove the old pod subnet configuration files in the following paths: @@ -952,7 +975,7 @@ Remove-Item C:\k\SourceVip.json Remove-Item C:\k\SourceVipRequest.json ``` -8. After launching `start.ps1`, flanneld is stuck in "Waiting for the Network to be created" +1. After launching `start.ps1`, flanneld is stuck in "Waiting for the Network to be created" There are numerous reports of this issue which are being investigated; most likely it is a timing issue for when the management IP of the flannel network is set. A workaround is to simply relaunch start.ps1 or relaunch it manually as follows: 
@@ -961,7 +984,7 @@ PS C:> [Environment]::SetEnvironmentVariable("NODE_NAME", " C:\flannel\flanneld.exe --kubeconfig-file=c:\k\config --iface= --ip-masq=1 --kube-subnet-mgr=1 ``` -9. My Windows Pods cannot launch because of missing `/run/flannel/subnet.env` +1. My Windows Pods cannot launch because of missing `/run/flannel/subnet.env` This indicates that Flannel didn't launch correctly. You can either try to restart flanneld.exe or you can copy the files over manually from `/run/flannel/subnet.env` on the Kubernetes master to` C:\run\flannel\subnet.env` on the Windows worker node and modify the `FLANNEL_SUBNET` row to a different number. For example, if node subnet 10.244.4.1/24 is desired: @@ -972,11 +995,11 @@ FLANNEL_MTU=1500 FLANNEL_IPMASQ=true ``` -10. My Windows node cannot access my services using the service IP +1. My Windows node cannot access my services using the service IP This is a known limitation of the current networking stack on Windows. Windows Pods are able to access the service IP however. -11. No network adapter is found when starting kubelet +1. No network adapter is found when starting kubelet The Windows networking stack needs a virtual adapter for Kubernetes networking to work. If the following commands return no results (in an admin shell), virtual network creation — a necessary prerequisite for Kubelet to work — has failed: 
@@ -987,7 +1010,7 @@ Get-NetAdapter | ? Name -Like "vEthernet (Ethernet*" Often it is worthwhile to modify the [InterfaceName](https://github.com/Microsoft/SDN/blob/master/Kubernetes/flannel/l2bridge/start.ps1#L6) parameter of the start.ps1 script, in cases where the host's network adapter isn't "Ethernet". Otherwise, consult the output of the `start-kubelet.ps1` script to see if there are errors during virtual network creation. -12. My Pods are stuck at "Container Creating" or restarting over and over +1. My Pods are stuck at "Container Creating" or restarting over and over Check that your pause image is compatible with your OS version. The [instructions](https://docs.microsoft.com/en-us/virtualization/windowscontainers/kubernetes/deploying-resources) assume that both the OS and the containers are version 1803. If you have a later version of Windows, such as an Insider build, you will need to adjust the images accordingly. Please refer to the Microsoft's [Docker repository](https://hub.docker.com/u/microsoft/) for images. Regardless, both the pause image Dockerfile and the sample service will expect the image to be tagged as :latest. @@ -999,7 +1022,7 @@ If these steps don't resolve your problem, you can get help running Windows Cont * StackOverflow [Windows Server Container](https://stackoverflow.com/questions/tagged/windows-server-container) topic * Kubernetes Official Forum [discuss.kubernetes.io](https://discuss.kubernetes.io/) -* Kubernetes Slack [#SIG-Windows Channel](https://kubernetes.slack.com/messages/C0SJ4AFB7) +* Kubernetes Slack [#SIG-Windows Channel](https://kubernetes.slack.com/messages/sig-windows) ## Bugs and Feature Requests @@ -1016,7 +1039,7 @@ If filing a bug, please include detailed information about how to reproduce the # Roadmap -We have a lot of features in our roadmap. +We have a lot of features in our roadmap. ## CRI-ContainerD From 945e282939badcf378a1106e8d9d1dc6081e4746 Mon Sep 17 00:00:00 2001 
From: Craig Peters Date: Mon, 18 Mar 2019 12:08:03 -0700 Subject: [PATCH 21/32] formatted for correct step numbering --- .../getting-started-guides/windows/_index.md | 471 +++++++++--------- 1 file changed, 234 insertions(+), 237 deletions(-) diff --git a/content/en/docs/getting-started-guides/windows/_index.md b/content/en/docs/getting-started-guides/windows/_index.md index 19174de0fd6ec..56d2901b2d1cd 100644 --- a/content/en/docs/getting-started-guides/windows/_index.md +++ b/content/en/docs/getting-started-guides/windows/_index.md 
@@ -491,100 +491,97 @@ Once you have a Linux-based Kubernetes master node you are ready to choose a net 1. Prepare Kubernetes master for Flannel -Some minor preparation is recommended on the Kubernetes master in our cluster. It is recommended to enable bridged IPv4 traffic to iptables chains when using Flannel. This can be done using the following command: + Some minor preparation is recommended on the Kubernetes master in our cluster. It is recommended to enable bridged IPv4 traffic to iptables chains when using Flannel. This can be done using the following command: -```bash -sudo sysctl net.bridge.bridge-nf-call-iptables=1 - -``` + ```bash + sudo sysctl net.bridge.bridge-nf-call-iptables=1 + ``` 1. Download & configure Flannel -Download the most recent Flannel manifest: - -```bash -wget https://raw.githubusercontent.com/coreos/flannel/master/Documentation/kube-flannel.yml -``` + Download the most recent Flannel manifest: -There are two sections you should modify to enable the vxlan networking backend: + ```bash + wget https://raw.githubusercontent.com/coreos/flannel/master/Documentation/kube-flannel.yml + ``` -After applying the steps below, the `net-conf.json` section of `kube-flannel.yml` should look as follows: + There are two sections you should modify to enable the vxlan networking backend: -```json -net-conf.json: | - { - "Network": "10.244.0.0/16", - "Backend": { - "Type": "vxlan", - "VNI" : 4096, - "Port": 4789 - } - } + After applying the steps below, the `net-conf.json` section of `kube-flannel.yml` should look as follows: -``` + ```json + net-conf.json: | + { + "Network": "10.244.0.0/16", + "Backend": { + "Type": "vxlan", + "VNI" : 4096, + "Port": 4789 + } + } + ``` 1. In the `net-conf.json` section of your `kube-flannel.yml`, double-check: 1. The cluster subnet (e.g. "10.244.0.0/16") is set as per your IP plan. - * VNI 4096 is set in the backend - * Port 4789 is set in the backend -2. 
In the `cni-conf.json` section of your `kube-flannel.yml`, change the network name to "`vxlan0"`. -{{< note >}} -The VNI must be set to 4096 and port 4789 for Flannel on Linux to interoperate with Flannel on Windows. Support for other VNIs is coming soon. See [VXLAN](https://github.com/coreos/flannel/blob/master/Documentation/backends.md#vxlan) for an explanation of these fields. -{{< /note >}} -Your `cni-conf.json` should look as follows: - -```json -cni-conf.json: | - { - "name": "vxlan0", - "plugins": [ - { - "type": "flannel", - "delegate": { - "hairpinMode": true, - "isDefaultGateway": true - } - }, + * VNI 4096 is set in the backend + * Port 4789 is set in the backend + 2. In the `cni-conf.json` section of your `kube-flannel.yml`, change the network name to "`vxlan0"`. + {{< note >}} + The VNI must be set to 4096 and port 4789 for Flannel on Linux to interoperate with Flannel on Windows. Support for other VNIs is coming soon. See [VXLAN](https://github.com/coreos/flannel/blob/master/Documentation/backends.md#vxlan) for an explanation of these fields. + {{< /note >}} + Your `cni-conf.json` should look as follows: + + ```json + cni-conf.json: | { - "type": "portmap", - "capabilities": { - "portMappings": true - } + "name": "vxlan0", + "plugins": [ + { + "type": "flannel", + "delegate": { + "hairpinMode": true, + "isDefaultGateway": true + } + }, + { + "type": "portmap", + "capabilities": { + "portMappings": true + } + } + ] } - ] - } - -``` + ``` 1. 
Apply the Flannel yaml and Validate -Let's apply the Flannel configuration: + Let's apply the Flannel configuration: -```bash -kubectl apply -f kube-flannel.yml -``` + ```bash + kubectl apply -f kube-flannel.yml + ``` -Next, since the Flannel pods are Linux-based, apply a NodeSelector patch, which can be found [here](https://github.com/Microsoft/SDN/blob/1d5c055bb195fecba07ad094d2d7c18c188f9d2d/Kubernetes/flannel/l2bridge/manifests/node-selector-patch.yml), to the Flannel DaemonSet pod: + Next, since the Flannel pods are Linux-based, apply a NodeSelector patch, which can be found [here](https://github.com/Microsoft/SDN/blob/1d5c055bb195fecba07ad094d2d7c18c188f9d2d/Kubernetes/flannel/l2bridge/manifests/node-selector-patch.yml), to the Flannel DaemonSet pod: -```bash -kubectl patch ds/kube-flannel-ds-amd64 --patch "$(cat node-selector-patch.yml)" -n=kube-system -``` + ```bash + kubectl patch ds/kube-flannel-ds-amd64 --patch "$(cat node-selector-patch.yml)" -n=kube-system + ``` -After a few minutes, you should see all the pods as running if the Flannel pod network was deployed. + After a few minutes, you should see all the pods as running if the Flannel pod network was deployed. -```bash -kubectl get pods --all-namespaces -``` + ```bash + kubectl get pods --all-namespaces + ``` -![alt_text](flannel-master-kubeclt-get-pods.png "flannel master kubectl get pods screen capture") + ![alt_text](flannel-master-kubeclt-get-pods.png "flannel master kubectl get pods screen capture") -Verify that the Flannel DaemonSet has the NodeSelector applied. + Verify that the Flannel DaemonSet has the NodeSelector applied. -```bash -kubectl get ds -n kube-system -``` + ```bash + kubectl get ds -n kube-system + ``` -![alt_text](flannel-master-kubectl-get-ds.png "flannel master kubectl get ds screen capture") + ![alt_text](flannel-master-kubectl-get-ds.png "flannel master kubectl get ds screen capture") #### Join Windows Worker 
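Review bot: `sudo sysctl net.bridge.bridge-nf-call-iptables=1` in the `Prepare Kubernetes master for Flannel` step changes only the running kernel and is lost at reboot unless it is also written to a file under `/etc/sysctl.d/`; since this setting is what makes bridged pod traffic pass through iptables, where kube-proxy programs its rules, the step should say how to persist it. In the `Download & configure Flannel` step the network name is written with the opening quote outside the backtick and the closing quote inside it; it should be `"vxlan0"` inside a single pair of backticks. In `Apply the Flannel yaml and Validate`, `kubectl patch ds/kube-flannel-ds-amd64 --patch "$(cat node-selector-patch.yml)" -n=kube-system` assumes `node-selector-patch.yml` is already in the current directory, but the text only links to it; add a download step (the manifest step above uses `wget` for the same purpose) before the patch command.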
@@ -597,58 +594,58 @@ All code snippets in Windows sections are to be run in a PowerShell environment 1. Install Docker (requires a system reboot) -Kubernetes uses [Docker](https://www.docker.com/) as its container engine, so we need to install it. You can follow the [official Docs instructions](https://docs.microsoft.com/en-us/virtualization/windowscontainers/manage-docker/configure-docker-daemon#install-docker), the [Docker instructions](https://store.docker.com/editions/enterprise/docker-ee-server-windows), or try the following *recommended* steps: + Kubernetes uses [Docker](https://www.docker.com/) as its container engine, so we need to install it. You can follow the [official Docs instructions](https://docs.microsoft.com/en-us/virtualization/windowscontainers/manage-docker/configure-docker-daemon#install-docker), the [Docker instructions](https://store.docker.com/editions/enterprise/docker-ee-server-windows), or try the following *recommended* steps: -```PowerShell -Enable-WindowsOptionalFeature -FeatureName Containers -Restart-Computer -Force -Install-Module -Name DockerMsftProvider -Repository PSGallery -Force -Install-Package -Name Docker -ProviderName DockerMsftProvider -``` + ```PowerShell + Enable-WindowsOptionalFeature -FeatureName Containers + Restart-Computer -Force + Install-Module -Name DockerMsftProvider -Repository PSGallery -Force + Install-Package -Name Docker -ProviderName DockerMsftProvider + ``` -If you are behind a proxy, the following PowerShell environment variables must be defined: + If you are behind a proxy, the following PowerShell environment variables must be defined: -```PowerShell -[Environment]::SetEnvironmentVariable("HTTP_PROXY", "http://proxy.example.com:80/", [EnvironmentVariableTarget]::Machine) -[Environment]::SetEnvironmentVariable("HTTPS_PROXY", "http://proxy.example.com:443/", [EnvironmentVariableTarget]::Machine) -``` + ```PowerShell + [Environment]::SetEnvironmentVariable("HTTP_PROXY", "http://proxy.example.com:80/", 
[EnvironmentVariableTarget]::Machine) + [Environment]::SetEnvironmentVariable("HTTPS_PROXY", "http://proxy.example.com:443/", [EnvironmentVariableTarget]::Machine) + ``` -If after reboot you may see the following error: + If after reboot you may see the following error: -![alt_text](windows-docker-error.png "windows docker error screen capture") -If so then you need to restart the docker service manually: + ![alt_text](windows-docker-error.png "windows docker error screen capture") + If so then you need to restart the docker service manually: -```PowerShell -Start-Service docker -``` + ```PowerShell + Start-Service docker + ``` -{{< note >}} -The "pause" (infrastructure) image is on Microsoft Container Registry (MCR) and the DOCKERFILE is available at [https://github.com/Microsoft/SDN/blob/master/Kubernetes/windows/Dockerfile](https://github.com/Microsoft/SDN/blob/master/Kubernetes/windows/Dockerfile) -{{< /note >}} + {{< note >}} + The "pause" (infrastructure) image is on Microsoft Container Registry (MCR) and the DOCKERFILE is available at [https://github.com/Microsoft/SDN/blob/master/Kubernetes/windows/Dockerfile](https://github.com/Microsoft/SDN/blob/master/Kubernetes/windows/Dockerfile) + {{< /note >}} -```PowerShell -docker pull mcr.microsoft.com/k8s/core/pause:1.0.0 -``` + ```PowerShell + docker pull mcr.microsoft.com/k8s/core/pause:1.0.0 + ``` -2. Prepare a Windows directory for Kubernetes +1. Prepare a Windows directory for Kubernetes -Create a "Kubernetes for Windows" directory to store Kubernetes binaries as well as any deployment scripts and config files. + Create a "Kubernetes for Windows" directory to store Kubernetes binaries as well as any deployment scripts and config files. -```PowerShell -mkdir c:\k -``` + ```PowerShell + mkdir c:\k + ``` -3. Copy Kubernetes certificate +1. 
Copy Kubernetes certificate -Copy the Kubernetes certificate file (`$HOME/.kube/config`) [from Linux controller](https://docs.microsoft.com/en-us/virtualization/windowscontainers/kubernetes/creating-a-linux-master#collect-cluster-information) to this new `C:\k` directory on your Windows node. + Copy the Kubernetes certificate file (`$HOME/.kube/config`) [from Linux controller](https://docs.microsoft.com/en-us/virtualization/windowscontainers/kubernetes/creating-a-linux-master#collect-cluster-information) to this new `C:\k` directory on your Windows node. -Tip: You can use tools such as [xcopy](https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/xcopy), [WinSCP](https://winscp.net/eng/download.php), or this [PowerShell wrapper for WinSCP](https://www.powershellgallery.com/packages/WinSCP/5.13.2.0) to transfer the config file between nodes. + Tip: You can use tools such as [xcopy](https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/xcopy), [WinSCP](https://winscp.net/eng/download.php), or this [PowerShell wrapper for WinSCP](https://www.powershellgallery.com/packages/WinSCP/5.13.2.0) to transfer the config file between nodes. -4. Download Kubernetes binaries +1. Download Kubernetes binaries -To be able to run Kubernetes, you first need to download the `kubelet` and `kube-proxy` binaries. You download these from the Node Binaries links in the CHANGELOG.md file of the [latest releases](https://github.com/kubernetes/kubernetes/releases/). For example 'kubernetes-node-windows-amd64.tar.gz'. You may also optionally download `kubectl` to run on Windows which you can find under Client Binaries. + To be able to run Kubernetes, you first need to download the `kubelet` and `kube-proxy` binaries. You download these from the Node Binaries links in the CHANGELOG.md file of the [latest releases](https://github.com/kubernetes/kubernetes/releases/). For example 'kubernetes-node-windows-amd64.tar.gz'. 
You may also optionally download `kubectl` to run on Windows which you can find under Client Binaries. -Use the [Expand-Archive](https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.archive/expand-archive?view=powershell-6) PowerShell command to extract the archive and place the binaries into `C:\k`. + Use the [Expand-Archive](https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.archive/expand-archive?view=powershell-6) PowerShell command to extract the archive and place the binaries into `C:\k`. #### Join the Windows node to the Flannel cluster 
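Review bot: in the `Install Docker` step the PowerShell block runs `Restart-Computer -Force` as its second command, so the `Install-Module` and `Install-Package` lines after it never execute in that session; split the block and state that the remaining commands are run after the reboot, or move the restart to the end. The `Copy Kubernetes certificate` step actually copies the kubeconfig (`$HOME/.kube/config`), which carries the API server endpoint and the client credentials used to authenticate to it, not only a certificate; name the step `Copy the kubeconfig` and note that the file grants whatever access those credentials have, so it should be transferred over an authenticated channel and protected accordingly in `C:\k`. Also `If after reboot you may see the following error:` should read `After the reboot you may see the following error:`.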
@@ -778,81 +775,81 @@ Now that you've configured a Windows worker in your cluster to run Windows conta 1. Create a simple webserver example: -Create a service spec `win-webserver.yaml` with the contents below: [TODO create this as a file in the docs folder and add a link] + Create a service spec `win-webserver.yaml` with the contents below: [TODO create this as a file in the docs folder and add a link] -```yaml -apiVersion: v1 -kind: Service -metadata: - name: win-webserver - labels: - app: win-webserver -spec: - ports: - # the port that this service should serve on - - port: 80 - targetPort: 80 - selector: - app: win-webserver - type: NodePort ---- -apiVersion: extensions/v1beta1 -kind: Deployment -metadata: - labels: - app: win-webserver - name: win-webserver -spec: - replicas: 2 - template: + ```yaml + apiVersion: v1 + kind: Service + metadata: + name: win-webserver + labels: + app: win-webserver + spec: + ports: + # the port that this service should serve on + - port: 80 + targetPort: 80 + selector: + app: win-webserver + type: NodePort + --- + apiVersion: extensions/v1beta1 + kind: Deployment metadata: labels: app: win-webserver name: win-webserver spec: - containers: - - name: windowswebserver - image: mcr.microsoft.com/windows/servercore:ltsc2019 - command: - - powershell.exe - - -command - - "<#code used from https://gist.github.com/wagnerandrade/5424431#> ; $$listener = New-Object System.Net.HttpListener ; $$listener.Prefixes.Add('http://*:80/') ; $$listener.Start() ; $$callerCounts = @{} ; Write-Host('Listening at http://*:80/') ; while ($$listener.IsListening) { ;$$context = $$listener.GetContext() ;$$requestUrl = $$context.Request.Url ;$$clientIP = $$context.Request.RemoteEndPoint.Address ;$$response = $$context.Response ;Write-Host '' ;Write-Host('> {0}' -f $$requestUrl) ; ;$$count = 1 ;$$k=$$callerCounts.Get_Item($$clientIP) ;if ($$k -ne $$null) { $$count += $$k } ;$$callerCounts.Set_Item($$clientIP, $$count) ;$$ip=(Get-NetAdapter | Get-NetIpAddress); 
$$header='

Windows Container Web Server

' ;$$callerCountsString='' ;$$callerCounts.Keys | % { $$callerCountsString+='

IP {0} callerCount {1} ' -f $$ip[1].IPAddress,$$callerCounts.Item($$_) } ;$$footer='' ;$$content='{0}{1}{2}' -f $$header,$$callerCountsString,$$footer ;Write-Output $$content ;$$buffer = [System.Text.Encoding]::UTF8.GetBytes($$content) ;$$response.ContentLength64 = $$buffer.Length ;$$response.OutputStream.Write($$buffer, 0, $$buffer.Length) ;$$response.Close() ;$$responseStatus = $$response.StatusCode ;Write-Host('< {0}' -f $$responseStatus) } ; " - nodeSelector: - beta.kubernetes.io/os: windows -``` - -{{< note >}} -Note: Port mapping is also supported, but for simplicity in this example the container port 80 is exposed directly to the service. -{{< /note >}} - -2. Check that all nodes are healthy: - -```bash -kubectl get nodes -``` - -3. Deploy the service and watch for pod updates: - -```bash -kubectl apply -f win-webserver.yaml -kubectl get pods -o wide -w -``` - -When the service is deployed correctly both Pods will be marked as Ready. To exit the watch command, press Ctrl+C. - -4. Check that the deployment succeeded. 
To verify: - -* Two containers per pod on the Windows node, use `docker ps` -* Two pods listed from the Linux master, use `kubectl get pods` -* Node-to-pod communication across the network, `curl` port 80 of your pod IPs from the Linux master to check for a web server response -* Pod-to-pod communication, ping between pods (and across hosts, if you have more than one Windows node) using docker exec or kubectl exec -* Service-to-pod communication, `curl` the virtual service IP (seen under `kubectl get services`) from the Linux master and from individual pods -* Service discovery, `curl` the service name with the Kubernetes [default DNS suffix](/docs/concepts/services-networking/dns-pod-service/#services) -* Inbound connectivity, `curl` the NodePort from the Linux master or machines outside of the cluster -* Outbound connectivity, `curl` external IPs from inside the pod using kubectl exec -{{< note >}} -**Windows _container hosts_ are not able to access the IP of services scheduled on them due to current platform limitations of the Windows networking stack. Only Windows _pods_ are able to access service IPs. 
-{{< /note >}} + replicas: 2 + template: + metadata: + labels: + app: win-webserver + name: win-webserver + spec: + containers: + - name: windowswebserver + image: mcr.microsoft.com/windows/servercore:ltsc2019 + command: + - powershell.exe + - -command + - "<#code used from https://gist.github.com/wagnerandrade/5424431#> ; $$listener = New-Object System.Net.HttpListener ; $$listener.Prefixes.Add('http://*:80/') ; $$listener.Start() ; $$callerCounts = @{} ; Write-Host('Listening at http://*:80/') ; while ($$listener.IsListening) { ;$$context = $$listener.GetContext() ;$$requestUrl = $$context.Request.Url ;$$clientIP = $$context.Request.RemoteEndPoint.Address ;$$response = $$context.Response ;Write-Host '' ;Write-Host('> {0}' -f $$requestUrl) ; ;$$count = 1 ;$$k=$$callerCounts.Get_Item($$clientIP) ;if ($$k -ne $$null) { $$count += $$k } ;$$callerCounts.Set_Item($$clientIP, $$count) ;$$ip=(Get-NetAdapter | Get-NetIpAddress); $$header='

Windows Container Web Server

' ;$$callerCountsString='' ;$$callerCounts.Keys | % { $$callerCountsString+='

IP {0} callerCount {1} ' -f $$ip[1].IPAddress,$$callerCounts.Item($$_) } ;$$footer='' ;$$content='{0}{1}{2}' -f $$header,$$callerCountsString,$$footer ;Write-Output $$content ;$$buffer = [System.Text.Encoding]::UTF8.GetBytes($$content) ;$$response.ContentLength64 = $$buffer.Length ;$$response.OutputStream.Write($$buffer, 0, $$buffer.Length) ;$$response.Close() ;$$responseStatus = $$response.StatusCode ;Write-Host('< {0}' -f $$responseStatus) } ; " + nodeSelector: + beta.kubernetes.io/os: windows + ``` + + {{< note >}} + Note: Port mapping is also supported, but for simplicity in this example the container port 80 is exposed directly to the service. + {{< /note >}} + +1. Check that all nodes are healthy: + + ```bash + kubectl get nodes + ``` + +1. Deploy the service and watch for pod updates: + + ```bash + kubectl apply -f win-webserver.yaml + kubectl get pods -o wide -w + ``` + + When the service is deployed correctly both Pods will be marked as Ready. To exit the watch command, press Ctrl+C. + +1. Check that the deployment succeeded. 
To verify: + + * Two containers per pod on the Windows node, use `docker ps` + * Two pods listed from the Linux master, use `kubectl get pods` + * Node-to-pod communication across the network, `curl` port 80 of your pod IPs from the Linux master to check for a web server response + * Pod-to-pod communication, ping between pods (and across hosts, if you have more than one Windows node) using docker exec or kubectl exec + * Service-to-pod communication, `curl` the virtual service IP (seen under `kubectl get services`) from the Linux master and from individual pods + * Service discovery, `curl` the service name with the Kubernetes [default DNS suffix](/docs/concepts/services-networking/dns-pod-service/#services) + * Inbound connectivity, `curl` the NodePort from the Linux master or machines outside of the cluster + * Outbound connectivity, `curl` external IPs from inside the pod using kubectl exec + {{< note >}} + **Windows _container hosts_ are not able to access the IP of services scheduled on them due to current platform limitations of the Windows networking stack. Only Windows _pods_ are able to access service IPs. + {{< /note >}} ## Managing Workload Identity with Group Managed Service Accounts 
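Review bot: the Deployment in this hunk is declared as `apiVersion: extensions/v1beta1` and carries no `spec.selector`; for a guide targeting v1.14 it should use `apps/v1`, which requires the selector to be spelled out (`selector: matchLabels: app: win-webserver`, matching the template labels). Two smaller points in the same block: the PowerShell command uses doubled sigils throughout (`$$listener`, `$$context`, `$$response`), and in PowerShell `$$` is the automatic variable for the last token of the previous line rather than a prefix for a variable named `listener`, so these should be single `$` unless the doubling is a templating escape that the build strips; and the closing note opens with `**Windows _container hosts_` but never closes the bold marker. The `[TODO create this as a file in the docs folder and add a link]` text is also still inside the reader-facing sentence.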
@@ -893,126 +890,126 @@ Your main source of help for troubleshooting your Kubernetes cluster should star 1. How do I know start.ps1 completed successfully? -You should see kubelet, kube-proxy, and (if you chose Flannel as your networking solution) flanneld host-agent processes running on your node, with running logs being displayed in separate PowerShell windows. In addition to this, your Windows node should be listed as "Ready" in your Kubernetes cluster. + You should see kubelet, kube-proxy, and (if you chose Flannel as your networking solution) flanneld host-agent processes running on your node, with running logs being displayed in separate PowerShell windows. In addition to this, your Windows node should be listed as "Ready" in your Kubernetes cluster. 1. Can I configure the Kubernetes node processes to run in the background? -Kubelet and kube-proxy are already configured to run as native Windows Services. You have two options for configuring these node components as services. + Kubelet and kube-proxy are already configured to run as native Windows Services. You have two options for configuring these node components as services. - 1. As native Windows Services + 1. As native Windows Services -Kubelet & kube-proxy can be run as native Windows Services using `sc.exe`. + Kubelet & kube-proxy can be run as native Windows Services using `sc.exe`. -```powershell -# Create the services for kubelet and kube-proxy in two separate commands -sc.exe create binPath= " --service " + ```powershell + # Create the services for kubelet and kube-proxy in two separate commands + sc.exe create binPath= " --service " -# Please note that if the arguments contain spaces, they must be escaped. -sc.exe create kubelet binPath= "C:\kubelet.exe --service --hostname-override 'minion' " + # Please note that if the arguments contain spaces, they must be escaped. 
+ sc.exe create kubelet binPath= "C:\kubelet.exe --service --hostname-override 'minion' " -# Start the services -Start-Service kubelet -Start-Service kube-proxy + # Start the services + Start-Service kubelet + Start-Service kube-proxy -# Stop the service -Stop-Service kubelet (-Force) -Stop-Service kube-proxy (-Force) + # Stop the service + Stop-Service kubelet (-Force) + Stop-Service kube-proxy (-Force) -# Query the service status -Get-Service kubelet -Get-Service kube-proxy -``` - 1. Using nssm.exe + # Query the service status + Get-Service kubelet + Get-Service kube-proxy + ``` -You can also always use alternative service managers like [nssm.exe](https://nssm.cc/) to run these processes (flanneld, kubelet & kube-proxy) in the background for you. See [Windows Services on Kubernetes](https://docs.microsoft.com/en-us/virtualization/windowscontainers/kubernetes/kube-windows-services) for example steps. For initial troubleshooting, you can use the following flags in [nssm.exe](https://nssm.cc/) to redirect stdout and stderr to a output file: + 1. Using nssm.exe -```powershell -nssm set AppStdout C:\k\mysvc.log -nssm set AppStderr C:\k\mysvc.log -``` + You can also always use alternative service managers like [nssm.exe](https://nssm.cc/) to run these processes (flanneld, kubelet & kube-proxy) in the background for you. See [Windows Services on Kubernetes](https://docs.microsoft.com/en-us/virtualization/windowscontainers/kubernetes/kube-windows-services) for example steps. For initial troubleshooting, you can use the following flags in [nssm.exe](https://nssm.cc/) to redirect stdout and stderr to a output file: + + ```powershell + nssm set AppStdout C:\k\mysvc.log + nssm set AppStderr C:\k\mysvc.log + ``` -For additional details, see official [nssm usage](https://nssm.cc/usage) docs. + For additional details, see official [nssm usage](https://nssm.cc/usage) docs. 1. 
My Windows Pods do not have network connectivity -If you are using virtual machines, ensure that MAC spoofing is enabled on all the VM network adapter(s). + If you are using virtual machines, ensure that MAC spoofing is enabled on all the VM network adapter(s). 1. My Windows Pods cannot ping external resources -Windows Pods do not have outbound rules programmed for the ICMP protocol today. However, TCP/UDP is supported. When trying to demonstrate connectivity to resources outside of the cluster, please substitute `ping ` with corresponding `curl ` commands. + Windows Pods do not have outbound rules programmed for the ICMP protocol today. However, TCP/UDP is supported. When trying to demonstrate connectivity to resources outside of the cluster, please substitute `ping ` with corresponding `curl ` commands. -If you are still facing problems, most likely your network configuration in [cni.conf](https://github.com/Microsoft/SDN/blob/master/Kubernetes/flannel/l2bridge/cni/config/cni.conf) deserves some extra attention. You can always edit this static file, the configuration will be applied to any newly created Kubernetes resources. + If you are still facing problems, most likely your network configuration in [cni.conf](https://github.com/Microsoft/SDN/blob/master/Kubernetes/flannel/l2bridge/cni/config/cni.conf) deserves some extra attention. You can always edit this static file, the configuration will be applied to any newly created Kubernetes resources. -One of the Kubernetes networking requirements (see [Kubernetes model](/docs/concepts/cluster-administration/networking/)) is for cluster communication to occur without NAT internally. To honor this requirement, there is an [ExceptionList](https://github.com/Microsoft/SDN/blob/master/Kubernetes/flannel/l2bridge/cni/config/cni.conf#L20) for all the communication where we do not want outbound NAT to occur. However, this also means that you need to exclude the external IP you are trying to query from the ExceptionList. 
Only then will the traffic originating from your Windows pods be SNAT'ed correctly to receive a response from the outside world. In this regard, your ExceptionList in `cni.conf` should look as follows: + One of the Kubernetes networking requirements (see [Kubernetes model](/docs/concepts/cluster-administration/networking/)) is for cluster communication to occur without NAT internally. To honor this requirement, there is an [ExceptionList](https://github.com/Microsoft/SDN/blob/master/Kubernetes/flannel/l2bridge/cni/config/cni.conf#L20) for all the communication where we do not want outbound NAT to occur. However, this also means that you need to exclude the external IP you are trying to query from the ExceptionList. Only then will the traffic originating from your Windows pods be SNAT'ed correctly to receive a response from the outside world. In this regard, your ExceptionList in `cni.conf` should look as follows: -```conf -"ExceptionList": [ + ```conf + "ExceptionList": [ "10.244.0.0/16", # Cluster subnet "10.96.0.0/12", # Service subnet "10.127.130.0/24" # Management (host) subnet ] - -``` + ``` 1. My Windows node cannot access NodePort service -Local NodePort access from the node itself will fail. This is a known limitation. NodePort access will work from other nodes or external clients. + Local NodePort access from the node itself will fail. This is a known limitation. NodePort access will work from other nodes or external clients. 1. vNICs and HNS endpoints of containers are being deleted -This issue can be caused when the `hostname-override` parameter is not passed to [kube-proxy](/docs/reference/command-line-tools-reference/kube-proxy/). To resolve it, users need to pass the hostname to kube-proxy as follows: + This issue can be caused when the `hostname-override` parameter is not passed to [kube-proxy](/docs/reference/command-line-tools-reference/kube-proxy/). 
To resolve it, users need to pass the hostname to kube-proxy as follows: -```powershell -C:\k\kube-proxy.exe --hostname-override=$(hostname) -``` + ```powershell + C:\k\kube-proxy.exe --hostname-override=$(hostname) + ``` 1. With flannel my nodes are having issues after rejoining a cluster -Whenever a previously deleted node is being re-joined to the cluster, flannelD will try to assign a new pod subnet to the node. Users should remove the old pod subnet configuration files in the following paths: + Whenever a previously deleted node is being re-joined to the cluster, flannelD will try to assign a new pod subnet to the node. Users should remove the old pod subnet configuration files in the following paths: -```powershell -Remove-Item C:\k\SourceVip.json -Remove-Item C:\k\SourceVipRequest.json -``` + ```powershell + Remove-Item C:\k\SourceVip.json + Remove-Item C:\k\SourceVipRequest.json + ``` 1. After launching `start.ps1`, flanneld is stuck in "Waiting for the Network to be created" -There are numerous reports of this issue which are being investigated; most likely it is a timing issue for when the management IP of the flannel network is set. A workaround is to simply relaunch start.ps1 or relaunch it manually as follows: + There are numerous reports of this issue which are being investigated; most likely it is a timing issue for when the management IP of the flannel network is set. A workaround is to simply relaunch start.ps1 or relaunch it manually as follows: -```powershell -PS C:> [Environment]::SetEnvironmentVariable("NODE_NAME", "") -PS C:> C:\flannel\flanneld.exe --kubeconfig-file=c:\k\config --iface= --ip-masq=1 --kube-subnet-mgr=1 -``` + ```powershell + PS C:> [Environment]::SetEnvironmentVariable("NODE_NAME", "") + PS C:> C:\flannel\flanneld.exe --kubeconfig-file=c:\k\config --iface= --ip-masq=1 --kube-subnet-mgr=1 + ``` 1. My Windows Pods cannot launch because of missing `/run/flannel/subnet.env` -This indicates that Flannel didn't launch correctly. 
You can either try to restart flanneld.exe or you can copy the files over manually from `/run/flannel/subnet.env` on the Kubernetes master to` C:\run\flannel\subnet.env` on the Windows worker node and modify the `FLANNEL_SUBNET` row to a different number. For example, if node subnet 10.244.4.1/24 is desired: + This indicates that Flannel didn't launch correctly. You can either try to restart flanneld.exe or you can copy the files over manually from `/run/flannel/subnet.env` on the Kubernetes master to` C:\run\flannel\subnet.env` on the Windows worker node and modify the `FLANNEL_SUBNET` row to a different number. For example, if node subnet 10.244.4.1/24 is desired: -```env -FLANNEL_NETWORK=10.244.0.0/16 -FLANNEL_SUBNET=10.244.4.1/24 -FLANNEL_MTU=1500 -FLANNEL_IPMASQ=true -``` + ```env + FLANNEL_NETWORK=10.244.0.0/16 + FLANNEL_SUBNET=10.244.4.1/24 + FLANNEL_MTU=1500 + FLANNEL_IPMASQ=true + ``` 1. My Windows node cannot access my services using the service IP -This is a known limitation of the current networking stack on Windows. Windows Pods are able to access the service IP however. + This is a known limitation of the current networking stack on Windows. Windows Pods are able to access the service IP however. 1. No network adapter is found when starting kubelet -The Windows networking stack needs a virtual adapter for Kubernetes networking to work. If the following commands return no results (in an admin shell), virtual network creation — a necessary prerequisite for Kubelet to work — has failed: + The Windows networking stack needs a virtual adapter for Kubernetes networking to work. If the following commands return no results (in an admin shell), virtual network creation — a necessary prerequisite for Kubelet to work — has failed: -```powershell -Get-HnsNetwork | ? Name -ieq "cbr0" -Get-NetAdapter | ? Name -Like "vEthernet (Ethernet*" -``` + ```powershell + Get-HnsNetwork | ? Name -ieq "cbr0" + Get-NetAdapter | ? 
Name -Like "vEthernet (Ethernet*" + ``` -Often it is worthwhile to modify the [InterfaceName](https://github.com/Microsoft/SDN/blob/master/Kubernetes/flannel/l2bridge/start.ps1#L6) parameter of the start.ps1 script, in cases where the host's network adapter isn't "Ethernet". Otherwise, consult the output of the `start-kubelet.ps1` script to see if there are errors during virtual network creation. + Often it is worthwhile to modify the [InterfaceName](https://github.com/Microsoft/SDN/blob/master/Kubernetes/flannel/l2bridge/start.ps1#L6) parameter of the start.ps1 script, in cases where the host's network adapter isn't "Ethernet". Otherwise, consult the output of the `start-kubelet.ps1` script to see if there are errors during virtual network creation. 1. My Pods are stuck at "Container Creating" or restarting over and over -Check that your pause image is compatible with your OS version. The [instructions](https://docs.microsoft.com/en-us/virtualization/windowscontainers/kubernetes/deploying-resources) assume that both the OS and the containers are version 1803. If you have a later version of Windows, such as an Insider build, you will need to adjust the images accordingly. Please refer to the Microsoft's [Docker repository](https://hub.docker.com/u/microsoft/) for images. Regardless, both the pause image Dockerfile and the sample service will expect the image to be tagged as :latest. + Check that your pause image is compatible with your OS version. The [instructions](https://docs.microsoft.com/en-us/virtualization/windowscontainers/kubernetes/deploying-resources) assume that both the OS and the containers are version 1803. If you have a later version of Windows, such as an Insider build, you will need to adjust the images accordingly. Please refer to the Microsoft's [Docker repository](https://hub.docker.com/u/microsoft/) for images. Regardless, both the pause image Dockerfile and the sample service will expect the image to be tagged as :latest. 
## Further investigation From 914af4ff701d0764cee0824e8f2131a451770950 Mon Sep 17 00:00:00 2001 From: Craig Peters Date: Mon, 18 Mar 2019 12:27:13 -0700 Subject: [PATCH 22/32] fix typos --- .../getting-started-guides/windows/_index.md | 20 ++++++++++++++++++- 1 file changed, 19 insertions(+), 1 deletion(-) diff --git a/content/en/docs/getting-started-guides/windows/_index.md b/content/en/docs/getting-started-guides/windows/_index.md index 56d2901b2d1cd..b1485c252615b 100644 --- a/content/en/docs/getting-started-guides/windows/_index.md +++ b/content/en/docs/getting-started-guides/windows/_index.md @@ -443,6 +443,15 @@ In order to deploy your cluster you will need the following address spaces: Default value + + --- + + --- + + --- + + + Service Subnet @@ -677,6 +686,15 @@ Parameter Notes + + +--- + + --- + + --- + + -ManagementIP @@ -775,7 +793,7 @@ Now that you've configured a Windows worker in your cluster to run Windows conta 1. Create a simple webserver example: - Create a service spec `win-webserver.yaml` with the contents below: [TODO create this as a file in the docs folder and add a link] + Create a service spec `win-webserver.yaml` with the contents below: ```yaml apiVersion: v1 From 530f56d05565b301c8fd0f9924aa1c9be58f8cd5 Mon Sep 17 00:00:00 2001 From: Michael Michael Date: Mon, 18 Mar 2019 15:09:57 -0500 Subject: [PATCH 23/32] Update _index.md updates for flannel PR in troubleshooting --- content/en/docs/getting-started-guides/windows/_index.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/en/docs/getting-started-guides/windows/_index.md b/content/en/docs/getting-started-guides/windows/_index.md index b1485c252615b..c42b84f75eae2 100644 --- a/content/en/docs/getting-started-guides/windows/_index.md +++ b/content/en/docs/getting-started-guides/windows/_index.md 
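Review bot: several commands in the @@ -893 troubleshooting hunk have lost their placeholders and no longer run as written: `sc.exe create binPath= " --service "` has no service name or binary path, `--iface=` and `[Environment]::SetEnvironmentVariable("NODE_NAME", "")` carry empty values, and `ping ` / `curl ` have nothing after them; they need visible placeholders such as `<service-name>`, `<path-to-binary>` and `<interface-name>` inside the fenced blocks. `Stop-Service kubelet (-Force)` is not valid PowerShell, because the parentheses turn `-Force` into an expression argument; write `Stop-Service kubelet -Force` and say in the comment that `-Force` is optional. The `ExceptionList` snippet is JSON from cni.conf, where the trailing `# Cluster subnet` comments are not permitted, so either drop them or state that they are annotations rather than file contents. Minor wording: "a output file" should be "an output file", "the Microsoft's Docker repository" should drop "the", and the backtick in "to` C:\run\flannel\subnet.env`" sits on the wrong side of the space.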
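Review bot: in PATCH 22/32 the subject says "fix typos", but hunks @@ -443 and @@ -677 add bare `---` rows to the two parameter tables rather than correcting a typo; a line containing only `---` renders as a thematic break in Markdown, not as a table separator, so confirm how these tables are marked up and describe the change in the commit message. The @@ -775 hunk that drops the `[TODO ...]` marker from the webserver step is fine.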
@@ -992,7 +992,7 @@ Your main source of help for troubleshooting your Kubernetes cluster should star 1. After launching `start.ps1`, flanneld is stuck in "Waiting for the Network to be created" - There are numerous reports of this issue which are being investigated; most likely it is a timing issue for when the management IP of the flannel network is set. A workaround is to simply relaunch start.ps1 or relaunch it manually as follows: + There are numerous reports of this [issue which are being investigated](https://github.com/coreos/flannel/issues/1066); most likely it is a timing issue for when the management IP of the flannel network is set. A workaround is to simply relaunch start.ps1 or relaunch it manually as follows: ```powershell PS C:> [Environment]::SetEnvironmentVariable("NODE_NAME", "") From e495861d54411e3e9169553b579d9eaa055b5785 Mon Sep 17 00:00:00 2001 From: Michael Michael Date: Mon, 18 Mar 2019 15:31:39 -0500 Subject: [PATCH 24/32] Update _index.md --- content/en/docs/getting-started-guides/windows/_index.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/content/en/docs/getting-started-guides/windows/_index.md b/content/en/docs/getting-started-guides/windows/_index.md index c42b84f75eae2..f757c4b4e5e0d 100644 --- a/content/en/docs/getting-started-guides/windows/_index.md +++ b/content/en/docs/getting-started-guides/windows/_index.md @@ -412,7 +412,7 @@ None of the PodSecurityContext fields work on Windows. They're listed here for r * V1.PodSecurityContext.SupplementalGroups - provides GID, not available on Windows * V1.PodSecurityContext.Sysctls - these are part of the Linux sysctl interface. There's no equivalent on Windows. -# User Guide: Add Windows Nodes in Kubernetes +# User Guide: Add Windows Nodes in Kubernetes {#UG-windows-nodes} ## Objectives 
@@ -786,7 +786,7 @@ Now that you've configured a Windows worker in your cluster to run Windows conta ## Before you begin -* Create a Kubernetes cluster that includes a master and a worker node running Windows Server +* Create a Kubernetes cluster that includes a [master and a worker node running Windows Server](#UG-windows-nodes) * It is important to note that creating and deploying services and workloads on Kubernetes behaves in much the same way for Linux and Windows containers. [Kubectl commands](/docs/reference/kubectl/overview/) to interface with the cluster are identical. The example in the section below is provided simply to jumpstart your experience with Windows containers. ## Getting Started: Deploying a Windows Container From f4210e619b8038858092bb4227f2e8b838ac2954 Mon Sep 17 00:00:00 2001 From: Michael Michael Date: Mon, 18 Mar 2019 16:16:49 -0500 Subject: [PATCH 25/32] Update _index.md updating a few sections like roadmap, services, troubleshooting/filing tickets --- .../getting-started-guides/windows/_index.md | 76 +++++++++++++++---- 1 file changed, 62 insertions(+), 14 deletions(-) diff --git a/content/en/docs/getting-started-guides/windows/_index.md b/content/en/docs/getting-started-guides/windows/_index.md index f757c4b4e5e0d..3c4f28a2e9199 100644 --- a/content/en/docs/getting-started-guides/windows/_index.md +++ b/content/en/docs/getting-started-guides/windows/_index.md 
@@ -338,7 +338,7 @@ The following networking functionality is not supported on Windows nodes 1. Node-pod connectivity isn't possible by design. It's only possible for local pods with Flannel [PR 1096](https://github.com/coreos/flannel/pull/1096) 2. We are restricted to using VNI 4096 and UDP port 4789. The VNI limitation is being worked on and will be overcome (open-source flannel changes). See official [Flannel VXLAN ](https://github.com/coreos/flannel/blob/master/Documentation/backends.md#vxlan)backend docs for more details on these parameters. -##### DNS +##### DNS {#dns-limitations} * ClusterFirstWithHostNet is not supported for DNS. Windows treats all names with a '.' as a FQDN and skips PQDN resolution * On Linux, you have a DNS suffix list, which is used when trying to resolve PQDNs. On Windows, we only have 1 DNS suffix, which is the DNS suffix associated with that pod's namespace (mydns.svc.cluster.local for example). Windows can resolve FQDNs and services or names resolvable with just that suffix. For example, a pod spawned in the default namespace, will have the DNS suffix **default.svc.cluster.local**. On a Windows pod, we will be able to resolve both **kubernetes.default.svc.cluster.local** and **kubernetes**, but not the in-betweens, like **kubernetes.default** or **kubernetes.default.svc**. 
@@ -786,7 +786,7 @@ Now that you've configured a Windows worker in your cluster to run Windows conta ## Before you begin -* Create a Kubernetes cluster that includes a [master and a worker node running Windows Server](#UG-windows-nodes) +* Create a Kubernetes cluster that includes a [master and a worker node running Windows Server](#UG-windows-nodes) * It is important to note that creating and deploying services and workloads on Kubernetes behaves in much the same way for Linux and Windows containers. [Kubectl commands](/docs/reference/kubectl/overview/) to interface with the cluster are identical. The example in the section below is provided simply to jumpstart your experience with Windows containers. ## Getting Started: Deploying a Windows Container @@ -912,7 +912,7 @@ Your main source of help for troubleshooting your Kubernetes cluster should star 1. Can I configure the Kubernetes node processes to run in the background? - Kubelet and kube-proxy are already configured to run as native Windows Services. You have two options for configuring these node components as services. + Kubelet and kube-proxy are already configured to run as native Windows Services, offering resiliency by re-starting the services automatically in the event of failure (for example a process crash). You have two options for configuring these node components as services. 1. As native Windows Services 
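Review bot: hunk @@ -912 now states that kubelet and kube-proxy restart automatically after a failure, but the `sc.exe create` example the section points to sets no recovery action, and a Windows service only restarts on failure when recovery options are configured (for example `sc.exe failure kubelet reset= 0 actions= restart/10000` after the create). Either add that step next to the `sc.exe create` commands or soften the claim to "can be configured to restart". The @@ -786 hunk just above removes and re-adds an identical bullet, so it is a whitespace-only change that does not need to be in this commit.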
@@ -940,7 +940,51 @@ Your main source of help for troubleshooting your Kubernetes cluster should star 1. Using nssm.exe - You can also always use alternative service managers like [nssm.exe](https://nssm.cc/) to run these processes (flanneld, kubelet & kube-proxy) in the background for you. See [Windows Services on Kubernetes](https://docs.microsoft.com/en-us/virtualization/windowscontainers/kubernetes/kube-windows-services) for example steps. For initial troubleshooting, you can use the following flags in [nssm.exe](https://nssm.cc/) to redirect stdout and stderr to a output file: + You can also always use alternative service managers like [nssm.exe](https://nssm.cc/) to run these processes (flanneld, kubelet & kube-proxy) in the background for you. You can use this [sample script](https://github.com/Microsoft/SDN/tree/master/Kubernetes/flannel/register-svc.ps1), leveraging nssm.exe to register kubelet, kube-proxy, and flanneld.exe to run as Windows services in the background. + + ```powershell + register-svc.ps1 -NetworkMode -ManagementIP -ClusterCIDR -KubeDnsServiceIP -LogDir + + # NetworkMode = The network mode l2bridge (flannel host-gw, also the default value) or overlay (flannel vxlan) chosen as a network solution + # ManagementIP = The IP address assigned to the Windows node. You can use ipconfig to find this + # ClusterCIDR = The cluster subnet range. (Default value 10.244.0.0/16) + # KubeDnsServiceIP = The Kubernetes DNS service IP (Default value 10.96.0.10) + # LogDir = The directory where kubelet and kube-proxy logs are redirected into their respective output files (Default value C:\k) + ``` + + If the above referenced script is not suitable, you can manually configure nssm.exe using the following examples. 
+ ```powershell + # Register flanneld.exe + nssm install flanneld C:\flannel\flanneld.exe + nssm set flanneld AppParameters --kubeconfig-file=c:\k\config --iface= --ip-masq=1 --kube-subnet-mgr=1 + nssm set flanneld AppEnvironmentExtra NODE_NAME= + nssm set flanneld AppDirectory C:\flannel + nssm start flanneld + + # Register kubelet.exe + nssm install kubelet C:\k\kubelet.exe + nssm set kubelet AppParameters --hostname-override= --v=6 --pod-infra-container-image=kubeletwin/pause --resolv-conf="" --allow-privileged=true --enable-debugging-handlers --cluster-dns= --cluster-domain=cluster.local --kubeconfig=c:\k\config --hairpin-mode=promiscuous-bridge --image-pull-progress-deadline=20m --cgroups-per-qos=false --log-dir= --logtostderr=false --enforce-node-allocatable="" --network-plugin=cni --cni-bin-dir=c:\k\cni --cni-conf-dir=c:\k\cni\config + nssm set kubelet AppDirectory C:\k + nssm start kubelet + + # Register kube-proxy.exe (l2bridge / host-gw) + nssm install kube-proxy C:\k\kube-proxy.exe + nssm set kube-proxy AppDirectory c:\k + nssm set kube-proxy AppParameters --v=4 --proxy-mode=kernelspace --hostname-override=--kubeconfig=c:\k\config --enable-dsr=false --log-dir= --logtostderr=false + nssm.exe set kube-proxy AppEnvironmentExtra KUBE_NETWORK=cbr0 + nssm set kube-proxy DependOnService kubelet + nssm start kube-proxy + + # Register kube-proxy.exe (overlay / vxlan) + nssm install kube-proxy C:\k\kube-proxy.exe + nssm set kube-proxy AppDirectory c:\k + nssm set kube-proxy AppParameters --v=4 --proxy-mode=kernelspace --feature-gates="WinOverlay=true" --hostname-override= --kubeconfig=c:\k\config --network-name=vxlan0 --source-vip= --enable-dsr=false --log-dir= --logtostderr=false + nssm set kube-proxy DependOnService kubelet + nssm start kube-proxy + ``` + + + For initial troubleshooting, you can use the following flags in [nssm.exe](https://nssm.cc/) to redirect stdout and stderr to a output file: ```powershell nssm set AppStdout C:\k\mysvc.log 
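Review bot: the l2bridge kube-proxy line in this hunk is missing a space after the placeholder, so `--hostname-override=--kubeconfig=c:\k\config` would set the hostname override to the literal string `--kubeconfig=c:\k\config` and leave kube-proxy without a kubeconfig; it should read `--hostname-override=<node-hostname> --kubeconfig=c:\k\config`, as the vxlan variant below it does. As in the earlier troubleshooting hunk, every placeholder (`--iface=`, `NODE_NAME=`, `--cluster-dns=`, `--log-dir=`, `--source-vip=`, and all of the `register-svc.ps1` parameters) is empty, so the block cannot be copied as-is. The kubelet registration also bakes `--v=6`, `--allow-privileged=true` and `--enable-debugging-handlers` into a long-lived service rather than a one-off debugging run; the text should say these are troubleshooting settings (verbose logging and permission to run privileged containers) that operators should lower or drop once the node is stable. Minor: `nssm.exe set` and `nssm set` are mixed within one block, and "a output file" should be "an output file".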
@@ -1031,30 +1075,29 @@ Your main source of help for troubleshooting your Kubernetes cluster should star ## Further investigation -Check the DNS limitations for Windows in this section [todo insert link]. +Check the DNS limitations for Windows in this [section](#dns-limitations). -If these steps don't resolve your problem, you can get help running Windows Containers on Windows nodes in Kubernetes through: +If these steps don't resolve your problem, you can get help running Windows containers on Windows nodes in Kubernetes through: * StackOverflow [Windows Server Container](https://stackoverflow.com/questions/tagged/windows-server-container) topic * Kubernetes Official Forum [discuss.kubernetes.io](https://discuss.kubernetes.io/) * Kubernetes Slack [#SIG-Windows Channel](https://kubernetes.slack.com/messages/sig-windows) -## Bugs and Feature Requests - -If you have what looks like a bug, or you would like to make a feature request, please use the [Github issue tracking system](https://github.com/kubernetes/kubernetes/issues). +## Reporting Issues and Feature Requests -Before you file an issue, please search existing issues to see if your issue is already covered. +If you have what looks like a bug, or you would like to make a feature request, please use the [Github issue tracking system](https://github.com/kubernetes/kubernetes/issues). You can open issues on [GitHub](https://github.com/kubernetes/kubernetes/issues/new/choose) and assign them to SIG-Windows. You should first search the list of issues in case it was reported previously and comment with your experience on the issue and add additional logs. SIG-Windows Slack is also a great avenue to get some initial support and troubleshooting ideas prior to creating a ticket. 
If filing a bug, please include detailed information about how to reproduce the problem, such as: * Kubernetes version: kubectl version -* Cloud provider, OS distro, network configuration, and Docker version -* Steps to reproduce the problem -* Tag the issue sig/windows to bring it to the Windows Special Interest Group member attention +* Environment details: Cloud provider, OS distro, networking choice and configuration, and Docker version +* Detailed steps to reproduce the problem +* Relevant logs +* Tag the issue sig/windows by commenting on the issue with `/sig windows` to bring it to a SIG-Windows member's attention # Roadmap -We have a lot of features in our roadmap. +We have a lot of features in our roadmap. An abbreviated high level list is included below, but we encourage you to view our [roadmap project](https://github.com/orgs/kubernetes/projects/8) and help us make Windows support better by [contributing](https://github.com/kubernetes/community/blob/master/sig-windows/). ## CRI-ContainerD @@ -1070,3 +1113,8 @@ The CRI-ContainerD interface will be able to manage sandboxes based on Hyper-V. ## Deployment with kubeadm and cluster API Kubeadm is becoming the de facto standard for users to deploy a Kubernetes cluster. Windows node support in kubeadm will come in a future release. We are also making investments in cluster API to ensure Windows nodes are properly provisioned. + +## A few other big ticket items +### Beta support for Group Managed Service Accounts +### More CNIs +### More Storage Plugins From cd82c1f89476135c73b3e9998925b652fb188107 Mon Sep 17 00:00:00 2001 From: Michael Michael Date: Mon, 18 Mar 2019 16:33:48 -0500 Subject: [PATCH 26/32] Update _index.md --- content/en/docs/getting-started-guides/windows/_index.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/content/en/docs/getting-started-guides/windows/_index.md b/content/en/docs/getting-started-guides/windows/_index.md index 3c4f28a2e9199..b34c0414c947d 100644 
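Review bot: the Reporting Issues paragraph routes every "bug" to the public GitHub tracker; add a sentence that suspected security vulnerabilities go through the Kubernetes private disclosure process (security@kubernetes.io) rather than a public issue, especially since the checklist asks reporters to attach node logs that can contain cluster addresses and credentials. Minor: `kubectl version` in the checklist should be in backticks like the other commands on the page.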
--- a/content/en/docs/getting-started-guides/windows/_index.md +++ b/content/en/docs/getting-started-guides/windows/_index.md @@ -904,7 +904,7 @@ tolerations: # Getting Help and Troubleshooting -Your main source of help for troubleshooting your Kubernetes cluster should start with this [section](/docs/tasks/debug-application-cluster/troubleshooting/). Some additional, Windows-specific troubleshooting help is included in this section. +Your main source of help for troubleshooting your Kubernetes cluster should start with this [section](/docs/tasks/debug-application-cluster/troubleshooting/). Some additional, Windows-specific troubleshooting help is included in this section. Logs are an important element of troubleshooting issues in Kubernetes. Make sure to include them any time you seek troubleshooting assistance from other contributors. Follow the instructions in the SIG-Windows [contributing guide on gathering logs](https://github.com/kubernetes/community/blob/master/sig-windows/CONTRIBUTING.md#gathering-logs). 1. How do I know start.ps1 completed successfully? @@ -1092,7 +1092,7 @@ If filing a bug, please include detailed information about how to reproduce the * Kubernetes version: kubectl version * Environment details: Cloud provider, OS distro, networking choice and configuration, and Docker version * Detailed steps to reproduce the problem -* Relevant logs +* [Relevant logs](https://github.com/kubernetes/community/blob/master/sig-windows/CONTRIBUTING.md#gathering-logs) * Tag the issue sig/windows by commenting on the issue with `/sig windows` to bring it to a SIG-Windows member's attention # Roadmap From 81d5ac7df81f3e58a67a1bedb069900d0671e0ed Mon Sep 17 00:00:00 2001 From: Michael Michael Date: Mon, 18 Mar 2019 16:53:54 -0500 Subject: [PATCH 27/32] Update _index.md --- content/en/docs/getting-started-guides/windows/_index.md | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) 
diff --git a/content/en/docs/getting-started-guides/windows/_index.md b/content/en/docs/getting-started-guides/windows/_index.md index b34c0414c947d..2ee58d72f6db2 100644 --- a/content/en/docs/getting-started-guides/windows/_index.md +++ b/content/en/docs/getting-started-guides/windows/_index.md @@ -759,6 +759,10 @@ Now you can view the Windows nodes in your cluster by running the following: kubectl get nodes ``` +{{< note >}} +You may want to configure your Windows node components like kubelet and kube-proxy to run as services. View the services and background processes section under [troubleshooting](#troubleshooting) for additional instructions. Once you are running the node components as services, collecting logs becomes an important part of troubleshooting. View the [gelevant logs](https://github.com/kubernetes/community/blob/master/sig-windows/CONTRIBUTING.md#gathering-logs) section of the contributing guide for further instructions. +{{< /note >}} + ### Public Cloud Providers #### Azure @@ -902,7 +906,7 @@ tolerations: effect: "NoSchedule" ``` -# Getting Help and Troubleshooting +# Getting Help and Troubleshooting {#troubleshooting} Your main source of help for troubleshooting your Kubernetes cluster should start with this [section](/docs/tasks/debug-application-cluster/troubleshooting/). Some additional, Windows-specific troubleshooting help is included in this section. Logs are an important element of troubleshooting issues in Kubernetes. Make sure to include them any time you seek troubleshooting assistance from other contributors. Follow the instructions in the SIG-Windows [contributing guide on gathering logs](https://github.com/kubernetes/community/blob/master/sig-windows/CONTRIBUTING.md#gathering-logs). 
@@ -910,7 +914,7 @@ Your main source of help for troubleshooting your Kubernetes cluster should star You should see kubelet, kube-proxy, and (if you chose Flannel as your networking solution) flanneld host-agent processes running on your node, with running logs being displayed in separate PowerShell windows. In addition to this, your Windows node should be listed as "Ready" in your Kubernetes cluster. -1. Can I configure the Kubernetes node processes to run in the background? +1. Can I configure the Kubernetes node processes to run in the background as services? Kubelet and kube-proxy are already configured to run as native Windows Services, offering resiliency by re-starting the services automatically in the event of failure (for example a process crash). You have two options for configuring these node components as services. From f18f1a89b59a27a8108419aece08fd307b6cbe46 Mon Sep 17 00:00:00 2001 From: Michael Michael Date: Mon, 18 Mar 2019 23:39:04 -0500 Subject: [PATCH 28/32] Update _index.md --- content/en/docs/getting-started-guides/windows/_index.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/en/docs/getting-started-guides/windows/_index.md b/content/en/docs/getting-started-guides/windows/_index.md index 2ee58d72f6db2..56080952c81f3 100644 --- a/content/en/docs/getting-started-guides/windows/_index.md +++ b/content/en/docs/getting-started-guides/windows/_index.md 
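Review bot: the answer added here says kubelet and kube-proxy "are already configured to run as native Windows Services", but the context line just above describes them after start.ps1 as processes "with running logs being displayed in separate PowerShell windows", and the nssm section earlier in this series tells the reader to register the services by hand. Pick one description: either the scripts register them as services (then say which script and drop the manual nssm steps) or start.ps1 runs them in the foreground and running them as services is the optional next step the question asks about.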
@@ -914,7 +914,7 @@ Your main source of help for troubleshooting your Kubernetes cluster should star You should see kubelet, kube-proxy, and (if you chose Flannel as your networking solution) flanneld host-agent processes running on your node, with running logs being displayed in separate PowerShell windows. In addition to this, your Windows node should be listed as "Ready" in your Kubernetes cluster. -1. Can I configure the Kubernetes node processes to run in the background as services? +1. Can I configure the Kubernetes node processes to run in the background as services? {#windows-services} Kubelet and kube-proxy are already configured to run as native Windows Services, offering resiliency by re-starting the services automatically in the event of failure (for example a process crash). You have two options for configuring these node components as services. From b24c6924a0505c6d42826914a7a3aa6c6788d4c4 Mon Sep 17 00:00:00 2001 From: Craig Peters Date: Mon, 18 Mar 2019 21:43:32 -0700 Subject: [PATCH 29/32] Fixed a few whitespace issues --- content/en/docs/getting-started-guides/windows/_index.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/content/en/docs/getting-started-guides/windows/_index.md b/content/en/docs/getting-started-guides/windows/_index.md index 56080952c81f3..93422aaca366f 100644 --- a/content/en/docs/getting-started-guides/windows/_index.md +++ b/content/en/docs/getting-started-guides/windows/_index.md 
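Review bot: `{#windows-services}` is attached to a numbered-list item, not a heading, so the heading-ID syntax does not apply and the text will render literally; the section heading already carries `{#troubleshooting}`, so links should target that anchor instead (PATCH 30 later in this series does drop the attribute again).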
@@ -790,7 +790,7 @@ Now that you've configured a Windows worker in your cluster to run Windows conta ## Before you begin -* Create a Kubernetes cluster that includes a [master and a worker node running Windows Server](#UG-windows-nodes) +* Create a Kubernetes cluster that includes a [master and a worker node running Windows Server](#UG-windows-nodes) * It is important to note that creating and deploying services and workloads on Kubernetes behaves in much the same way for Linux and Windows containers. [Kubectl commands](/docs/reference/kubectl/overview/) to interface with the cluster are identical. The example in the section below is provided simply to jumpstart your experience with Windows containers. ## Getting Started: Deploying a Windows Container @@ -808,7 +808,7 @@ Now that you've configured a Windows worker in your cluster to run Windows conta app: win-webserver spec: ports: - # the port that this service should serve on + # the port that this service should serve on - port: 80 targetPort: 80 selector: From 418fd436a9b45c8bc610e1ad62bcf6f7a803c167 Mon Sep 17 00:00:00 2001 From: Michael Michael Date: Mon, 18 Mar 2019 23:47:47 -0500 Subject: [PATCH 30/32] Update _index.md --- content/en/docs/getting-started-guides/windows/_index.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/content/en/docs/getting-started-guides/windows/_index.md b/content/en/docs/getting-started-guides/windows/_index.md index 93422aaca366f..9bb84878b95dc 100644 --- a/content/en/docs/getting-started-guides/windows/_index.md +++ b/content/en/docs/getting-started-guides/windows/_index.md 
@@ -760,7 +760,7 @@ kubectl get nodes ``` {{< note >}} -You may want to configure your Windows node components like kubelet and kube-proxy to run as services. View the services and background processes section under [troubleshooting](#troubleshooting) for additional instructions. Once you are running the node components as services, collecting logs becomes an important part of troubleshooting. View the [gelevant logs](https://github.com/kubernetes/community/blob/master/sig-windows/CONTRIBUTING.md#gathering-logs) section of the contributing guide for further instructions. +You may want to configure your Windows node components like kubelet and kube-proxy to run as services. View the services and background processes section under [troubleshooting](#troubleshooting) for additional instructions. Once you are running the node components as services, collecting logs becomes an important part of troubleshooting. View the [gathering logs](https://github.com/kubernetes/community/blob/master/sig-windows/CONTRIBUTING.md#gathering-logs) section of the contributing guide for further instructions. {{< /note >}} ### Public Cloud Providers 
@@ -914,7 +914,7 @@ Your main source of help for troubleshooting your Kubernetes cluster should star You should see kubelet, kube-proxy, and (if you chose Flannel as your networking solution) flanneld host-agent processes running on your node, with running logs being displayed in separate PowerShell windows. In addition to this, your Windows node should be listed as "Ready" in your Kubernetes cluster. -1. Can I configure the Kubernetes node processes to run in the background as services? {#windows-services} +1. Can I configure the Kubernetes node processes to run in the background as services? Kubelet and kube-proxy are already configured to run as native Windows Services, offering resiliency by re-starting the services automatically in the event of failure (for example a process crash). You have two options for configuring these node components as services. From 814f38499f2cec4a2c424afcf4c418faafa3f15b Mon Sep 17 00:00:00 2001 From: Michael Michael Date: Tue, 19 Mar 2019 00:10:29 -0500 Subject: [PATCH 31/32] Update _index.md --- .../en/docs/getting-started-guides/windows/_index.md | 10 ++++------ 1 file changed, 4 insertions(+), 6 deletions(-) diff --git a/content/en/docs/getting-started-guides/windows/_index.md b/content/en/docs/getting-started-guides/windows/_index.md index 9bb84878b95dc..6710c14f86779 100644 --- a/content/en/docs/getting-started-guides/windows/_index.md +++ b/content/en/docs/getting-started-guides/windows/_index.md 
@@ -793,13 +793,11 @@ Now that you've configured a Windows worker in your cluster to run Windows conta * Create a Kubernetes cluster that includes a [master and a worker node running Windows Server](#UG-windows-nodes) * It is important to note that creating and deploying services and workloads on Kubernetes behaves in much the same way for Linux and Windows containers. [Kubectl commands](/docs/reference/kubectl/overview/) to interface with the cluster are identical. The example in the section below is provided simply to jumpstart your experience with Windows containers. -## Getting Started: Deploying a Windows Container +## Getting Started: Deploying a Windows container -1. Create a simple webserver example: +To deploy a Windows container on Kubernetes, you must first create an example application. The example YAML file below creates a simple webserver application. Create a service spec named `win-webserver.yaml` with the contents below: - Create a service spec `win-webserver.yaml` with the contents below: - - ```yaml +```yaml apiVersion: v1 kind: Service metadata: @@ -838,7 +836,7 @@ Now that you've configured a Windows worker in your cluster to run Windows conta - "<#code used from https://gist.github.com/wagnerandrade/5424431#> ; $$listener = New-Object System.Net.HttpListener ; $$listener.Prefixes.Add('http://*:80/') ; $$listener.Start() ; $$callerCounts = @{} ; Write-Host('Listening at http://*:80/') ; while ($$listener.IsListening) { ;$$context = $$listener.GetContext() ;$$requestUrl = $$context.Request.Url ;$$clientIP = $$context.Request.RemoteEndPoint.Address ;$$response = $$context.Response ;Write-Host '' ;Write-Host('> {0}' -f $$requestUrl) ; ;$$count = 1 ;$$k=$$callerCounts.Get_Item($$clientIP) ;if ($$k -ne $$null) { $$count += $$k } ;$$callerCounts.Set_Item($$clientIP, $$count) ;$$ip=(Get-NetAdapter | Get-NetIpAddress); $$header='

Windows Container Web Server

' ;$$callerCountsString='' ;$$callerCounts.Keys | % { $$callerCountsString+='

IP {0} callerCount {1} ' -f $$ip[1].IPAddress,$$callerCounts.Item($$_) } ;$$footer='' ;$$content='{0}{1}{2}' -f $$header,$$callerCountsString,$$footer ;Write-Output $$content ;$$buffer = [System.Text.Encoding]::UTF8.GetBytes($$content) ;$$response.ContentLength64 = $$buffer.Length ;$$response.OutputStream.Write($$buffer, 0, $$buffer.Length) ;$$response.Close() ;$$responseStatus = $$response.StatusCode ;Write-Host('< {0}' -f $$responseStatus) } ; " nodeSelector: beta.kubernetes.io/os: windows - ``` +``` {{< note >}} Note: Port mapping is also supported, but for simplicity in this example the container port 80 is exposed directly to the service. From 8376485b9d87e95627995d7d85349332d28810ec Mon Sep 17 00:00:00 2001 From: Michael Michael Date: Tue, 19 Mar 2019 00:26:10 -0500 Subject: [PATCH 32/32] Update _index.md --- .../getting-started-guides/windows/_index.md | 36 ++++++++++--------- 1 file changed, 19 insertions(+), 17 deletions(-) diff --git a/content/en/docs/getting-started-guides/windows/_index.md b/content/en/docs/getting-started-guides/windows/_index.md index 6710c14f86779..3f16e6b1bc63b 100644 --- a/content/en/docs/getting-started-guides/windows/_index.md +++ b/content/en/docs/getting-started-guides/windows/_index.md 
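Review bot: in the PowerShell web-server command the per-caller row is built with `-f $$ip[1].IPAddress,$$callerCounts.Item($$_)`, so the first column prints the node adapter's own address for every row rather than the caller key `$$_`; pass `$$_` as the first format argument (or relabel the column) so the output matches the "IP ... callerCount" text. Turning "1. Create a simple webserver example:" into a paragraph also leaves the later "1. Check that all nodes are healthy:" as the first numbered step, so the numbering no longer lines up with the prose, and the de-indented ```yaml fence now sits outside any list item while the `# the port that this service should serve on` comment keeps its list-continuation indentation. Lastly, `Write-Output $$content` writes every full response body to the container log; acceptable for a demo, but worth a one-line remark since the page later asks users to share those logs.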
@@ -534,10 +534,12 @@ Once you have a Linux-based Kubernetes master node you are ready to choose a net 1. The cluster subnet (e.g. "10.244.0.0/16") is set as per your IP plan. * VNI 4096 is set in the backend * Port 4789 is set in the backend - 2. In the `cni-conf.json` section of your `kube-flannel.yml`, change the network name to "`vxlan0"`. - {{< note >}} - The VNI must be set to 4096 and port 4789 for Flannel on Linux to interoperate with Flannel on Windows. Support for other VNIs is coming soon. See [VXLAN](https://github.com/coreos/flannel/blob/master/Documentation/backends.md#vxlan) for an explanation of these fields. - {{< /note >}} + 2. In the `cni-conf.json` section of your `kube-flannel.yml`, change the network name to `vxlan0`. + +{{< note >}} +The VNI must be set to 4096 and port 4789 for Flannel on Linux to interoperate with Flannel on Windows. Support for other VNIs is coming soon. See [VXLAN](https://github.com/coreos/flannel/blob/master/Documentation/backends.md#vxlan) for an explanation of these fields. +{{< /note >}} + Your `cni-conf.json` should look as follows: ```json 
@@ -619,18 +621,17 @@ All code snippets in Windows sections are to be run in a PowerShell environment [Environment]::SetEnvironmentVariable("HTTPS_PROXY", "http://proxy.example.com:443/", [EnvironmentVariableTarget]::Machine) ``` - If after reboot you may see the following error: + If after reboot you see the following error, you need to restart the docker service manually - ![alt_text](windows-docker-error.png "windows docker error screen capture") - If so then you need to restart the docker service manually: + ![alt_text](windows-docker-error.png "windows docker error screen capture") ```PowerShell Start-Service docker ``` - {{< note >}} - The "pause" (infrastructure) image is on Microsoft Container Registry (MCR) and the DOCKERFILE is available at [https://github.com/Microsoft/SDN/blob/master/Kubernetes/windows/Dockerfile](https://github.com/Microsoft/SDN/blob/master/Kubernetes/windows/Dockerfile) - {{< /note >}} +{{< note >}} +The "pause" (infrastructure) image is hosted on Microsoft Container Registry (MCR) and the DOCKERFILE is available at [https://github.com/Microsoft/SDN/blob/master/Kubernetes/windows/Dockerfile](https://github.com/Microsoft/SDN/blob/master/Kubernetes/windows/Dockerfile) +{{< /note >}} ```PowerShell docker pull mcr.microsoft.com/k8s/core/pause:1.0.0 
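Review bot: the after-reboot Docker step documents the failure only as a screenshot (`windows-docker-error.png`), so the error text cannot be searched or read by screen readers; quote the message inline next to the image. The proxy example sets `HTTPS_PROXY` to `http://proxy.example.com:443/` at `[EnvironmentVariableTarget]::Machine` scope, which every service on the node inherits, including the `docker pull mcr.microsoft.com/k8s/core/pause:1.0.0` that follows; say so explicitly and mark the value as an example to be replaced.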
@@ -646,7 +647,7 @@ All code snippets in Windows sections are to be run in a PowerShell environment 1. Copy Kubernetes certificate - Copy the Kubernetes certificate file (`$HOME/.kube/config`) [from Linux controller](https://docs.microsoft.com/en-us/virtualization/windowscontainers/kubernetes/creating-a-linux-master#collect-cluster-information) to this new `C:\k` directory on your Windows node. + Copy the Kubernetes certificate file `$HOME/.kube/config` [from the Linux controller](https://docs.microsoft.com/en-us/virtualization/windowscontainers/kubernetes/creating-a-linux-master#collect-cluster-information) to this new `C:\k` directory on your Windows node. Tip: You can use tools such as [xcopy](https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/xcopy), [WinSCP](https://winscp.net/eng/download.php), or this [PowerShell wrapper for WinSCP](https://www.powershellgallery.com/packages/WinSCP/5.13.2.0) to transfer the config file between nodes. @@ -838,9 +839,9 @@ To deploy a Windows container on Kubernetes, you must first create an example ap beta.kubernetes.io/os: windows ``` - {{< note >}} - Note: Port mapping is also supported, but for simplicity in this example the container port 80 is exposed directly to the service. - {{< /note >}} +{{< note >}} +Port mapping is also supported, but for simplicity in this example the container port 80 is exposed directly to the service. +{{< /note >}} 1. Check that all nodes are healthy: 
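Review bot: the file copied in this step is the Linux controller's `$HOME/.kube/config`, which is a kubeconfig carrying the controller's admin credentials, not a "certificate file"; the wording should call it the kubeconfig and say it grants full cluster access, so a reader does not treat it as a public certificate. With this step every Windows node runs kubelet and kube-proxy from `c:\k\config` with those admin credentials (see the `--kubeconfig=c:\k\config` flags in the nssm section earlier in the series); recommend a node-scoped credential instead, such as a bootstrap token or a kubeconfig for the `system:node:<name>` identity, and note that the transfer tools in the tip (xcopy, WinSCP) should be used over an authenticated channel.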
@@ -867,9 +868,10 @@ To deploy a Windows container on Kubernetes, you must first create an example ap * Service discovery, `curl` the service name with the Kubernetes [default DNS suffix](/docs/concepts/services-networking/dns-pod-service/#services) * Inbound connectivity, `curl` the NodePort from the Linux master or machines outside of the cluster * Outbound connectivity, `curl` external IPs from inside the pod using kubectl exec - {{< note >}} - **Windows _container hosts_ are not able to access the IP of services scheduled on them due to current platform limitations of the Windows networking stack. Only Windows _pods_ are able to access service IPs. - {{< /note >}} + +{{< note >}} +Windows container hosts are not able to access the IP of services scheduled on them due to current platform limitations of the Windows networking stack. Only Windows pods are able to access service IPs. +{{< /note >}} ## Managing Workload Identity with Group Managed Service Accounts

z3?M?5QRdj!_3{r*N)*Ol>UVottwi&zc24~?HL}pb-a$@cl;h!*KFn@-J+^bvD-OC6 z{IHI*JI)NxKHCrA6{qI(SbZ)d<+c-(l=F>WGAG$!`Ox3JKVz4xv*)ucFO|0FRoo78rlEutrzZU!HXyk{n^MHB~Q!b}EPnn(UWP_MxY0gS>Fh{%*|Hzy5@I zL+y_{&uI2{LVrl>4(!emNfQ#0vt`B}d5I@Q8Cx!qd%0zCk}u6nCL88|lr8b7Z-?m{ zq1|zwqne`aO0fPAYpdSBHENJou*Yg+;(cw0qF1pJG_VAFnHh=8XQ~)vAD{8|!4v41 z1SE8EKgnM0Go>}>=b0X{owo_eMyVm>`WeyXZ&}XDViqsEno0 zbq43Ibh=kaTh}!aZ{vzHvJfvRw|f!T%71h#ufoM`*xvcj3X2D@Ii9)f8ZTWims~?$ z$;oM!Ohz}TuOrCw4nD?qy}i)620TsAgQJ)Z$nsA#DA**ppycRyqr!D#AX=@IG^QNW=zHov)&Ff%49}+8cc`M+TwmkFH|%;p&Q$Fn zkfD|=NnK2IX`3e>`nrVxZ3=zcFq)#jLf`4$t2mN)lN72#>AC)Q78!j3$m1CS<;WLL z%eDniz9hb=g(W3@18}eFe^N(Z^