From 85d35cce63aeeda0a3f06570cf8c828a84dd5cbf Mon Sep 17 00:00:00 2001 From: overweight <5324761+overweight@user.noreply.gitee.com> Date: Mon, 30 Sep 2019 11:03:07 -0400 Subject: [PATCH] Package init --- ...xc.isulad.init.args-config-interface.patch | 222 + ...-add-support-share-namespace-by-path.patch | 35 + ...lxc.isulad.populate.device-interface.patch | 406 + 0004-support-isulad-fifo-log.patch | 96 + 0005-auto-mount-cgroup-sys-and-proc.patch | 80 + ...hen-set-no-ro-mount-mount-propagatio.patch | 39 + 0007-use-isulad-log-format.patch | 74 + ...lad-modify-exit-code-and-stop-signal.patch | 106 + ...lxc_start-add-default-terminal-fifos.patch | 538 + ...e-pid-ppid-info-into-file-for-isulad.patch | 453 + ...FIFO-to-monitor-state-of-lxc-monitor.patch | 261 + 0012-Init-fifos-in-lxc_attach_terminal.patch | 28 + 0013-isulad-set-env-home-in-container.patch | 139 + ...upport-rotate-for-container-log-file.patch | 93 + 0015-fix-high-gcc-compile-bug.patch | 41 + 0016-add-masked-paths-and-ro-paths.patch | 381 + ...check-cgroup-cpu.shares-after-setted.patch | 99 + ...xc-attach-add-support-terminal-fifos.patch | 410 + ...eadonly-and-make-soft-link-of-subcgr.patch | 87 + ...fix-log-error-when-symlink-subcgroup.patch | 44 + 0021-lxc-attch-add-error-message.patch | 374 + 0022-support-rootfs-mount-propagation.patch | 507 + ...uid-and-gid-from-lxc-container-confi.patch | 31 + ...ymlink-in-mount-entry-and-not-permit.patch | 821 ++ 0025-support-oci-hooks.patch | 3087 ++++++ ...and-do-not-destroy-directory-when-de.patch | 132 + 0027-fix-bug-of-memory-leak.patch | 78 + 0028-support-rootfs-for-container.patch | 123 + ...dd-start-timeout-to-limit-start-time.patch | 436 + 0030-support-block-device-as-rootfs.patch | 287 + 0031-clean-add-clean-resources-api.patch | 488 + ...-caps-when-cap.keep-ISULAD_KEEP_NONE.patch | 33 + ...upport-mount-squashfs-in-mount-entry.patch | 369 + 0034-some-small-bugfix.patch | 155 + 0035-lxc-fixup-builds-with-newer-glibc.patch | 25 + ...aps-add-drop-caps-of-current-process.patch | 256 + ...t-signal-handlers-and-set-umask-0027.patch | 113 + ...ven-terminal-as-controlling-terminal.patch | 46 + ...-message-when-container-start-failed.patch | 816 ++ ...t-200ms-for-cmds-send-to-lxc-monitor.patch | 107 + 0041-return-1-when-_lxc_start-fails.patch | 25 + 0042-lxc-seccomp-adopt-to-lxc3.0.patch | 169 + ...er-of-handler-to-fix-coredump-of-att.patch | 28 + ...upport-space-in-volume-mount-and-env.patch | 118 + ...fifos-Add-terminal-fifos-dynamically.patch | 254 + 0046-Do-not-test-cgroup-writeable.patch | 48 + ...mory-leak-in-lxc_global_config_value.patch | 44 + ...r-ONLCR-flag-from-master-of-terminal.patch | 59 + ...-Add-100ms-timeout-for-console-epoll.patch | 28 + ...ules-for-specified-architecture-only.patch | 408 + 0051-if-ocihook-is-empty.patch | 34 + ...mp-fail-when-all-specified-in-config.patch | 192 + ...estroy-empty-cgroup-path-return-ture.patch | 31 + 0054-fix-invalid-log-message.patch | 42 + 0055-Fix-compile-error.patch | 229 + ...INUX_CAPABILITY_VERSION_3-to-set-cap.patch | 48 + 0057-confile-add-support-umask.patch | 146 + ...not-check-ppid-when-set-death-signal.patch | 36 + 0059-delete-unused-variable-ppid.patch | 27 + ...le-to-write-console-log-of-container.patch | 610 ++ ...e-the-path-args-envs-execvp-dirctory.patch | 50 + ...fore-set-read-only-path-and-masked-p.patch | 74 + ...ignore-systemcall-load-failure-error.patch | 27 + ...-Reduce-seccomp-processing-log-level.patch | 46 + ...eturn-true-if-storage_init-init-fail.patch | 30 + ...oes-not-report-an-error-after-execut.patch | 28 + ...t-error-when-remove-directory-failed.patch | 72 + ...tdout-stderr-log-of-container-consol.patch | 1244 +++ ...esses-if-container-shared-pid-namesp.patch | 207 + ...rocess-for-shared-container-when-con.patch | 400 + ...-path-according-to-cgroup-mountpoint.patch | 126 + 0072-lxc-adapt-to-docker-18.09.patch | 66 + 0073-lxc-support-set-additional-groups.patch | 247 + 0074-lxc-only-add-valid-fd-to-mainloop.patch | 28 + 0075-lxc-add-timeout-for-attach.patch | 278 + 0076-lxc-delete-unused-variable.patch | 26 + ...-files.limit-to-max-and-fix-bug-of-s.patch | 117 + 0078-Run-pre-start-hook-before-chroot.patch | 70 + ...inherid-env-from-parent-in-oci-hooks.patch | 29 + 0080-lxc-fix-compile-error.patch | 35 + ...c-Change-the-range-of-attach-timeout.patch | 78 + ...-lxc-fix-memory-leak-cause-by-setenv.patch | 150 + 0083-lxc-free-lxc-handler.patch | 41 + 0084-lxc-memory-leak-of-lxc_grow_array.patch | 28 + 0085-lxc-update-json-file-from-isulad.patch | 1089 ++ 0086-confile-add-support-systemd.patch | 150 + 0087-lxc-adapt-to-spec-of-oci-hook.patch | 41 + 0088-fix-lxc-build-error.patch | 29 + ...dd-get-container-processes-pids-func.patch | 177 + 0090-lxc-remove-unused-variable.patch | 26 + ...spaced-kernel-params-can-be-changed-.patch | 118 + ...put-error-when-create-unified-cgroup.patch | 45 + 0093-optimize-isulad_kit-operator.patch | 424 + 0094-exec-load-uid-gid-and-groups.patch | 197 + ...e-unified-hierarchy-for-the-systemd-.patch | 56 + 0096-close-inherited-fd-in-hook-process.patch | 34 + ...error-when-fork-exec-error-for-hooks.patch | 72 + ...d-mount-from-host-tmpfs-for-system-c.patch | 67 + ...al-do-not-close-the-master-fd-of-pty.patch | 28 + 0100-start-add-check-save-pid-info-file.patch | 139 + 0101-lxc-fix-code-error.patch | 8983 +++++++++++++++++ 0102-lxc-fix-compile-warnings.patch | 84 + 0103-lxc-fix-code-error-in-conf.c.patch | 109 + 0104-lxc-fix-code-error.patch | 179 + 0105-lxc-fix-code-error-warnings.patch | 74 + ...t-to-1s-for-cmds-send-to-lxc-monitor.patch | 31 + 0107-add-log-for-failure-of-rename-file.patch | 33 + 0108-check-calloc-input-valid.patch | 33 + 0109-add-secure-compile-flags-to-lxc.patch | 104 + 0110-add-doc-for-lxc.patch | 31 + ...xc-use-safe_strdup-instead-of-strdup.patch | 752 ++ 0112-fix-secure-errors.patch | 278 + ...-Malloc-parameter-check-and-judgment.patch | 575 ++ 0114-lxc-fix-code-errors.patch | 155 + 0115-fix-compile-error-on-ubuntu.patch | 371 + 0116-lxc-set-base-cgroup-path-to.patch | 34 + ...ce-with-dir-mode-750-and-set-uid-gid.patch | 53 + 0118-fix-sscanf-return-value-check.patch | 55 + 0119-remove-unuse-binary.patch | 33 + 0120-remove-unuse-unmount-namespace.patch | 25 + ...timize-log-when-root-path-is-invalid.patch | 26 + 0122-lxc-fix-code-reivew-errors.patch | 210 + lxc-2.0.6-fix-lxc-net.patch | 11 + lxc-2.0.7-fix-init.patch | 46 + lxc-3.0.3.tar.gz | Bin 0 -> 1263371 bytes ...019-5736-runC-rexec-callers-as-memfd.patch | 401 + lxc.spec | 428 + 127 files changed, 33795 insertions(+) create mode 100644 0001-confile-add-lxc.isulad.init.args-config-interface.patch create mode 100644 0002-namespace-add-support-share-namespace-by-path.patch create mode 100644 0003-confile-add-lxc.isulad.populate.device-interface.patch create mode 100644 0004-support-isulad-fifo-log.patch create mode 100644 0005-auto-mount-cgroup-sys-and-proc.patch create mode 100644 0006-conf.c-fix-bug-when-set-no-ro-mount-mount-propagatio.patch create mode 100644 0007-use-isulad-log-format.patch create mode 100644 0008-isulad-modify-exit-code-and-stop-signal.patch create mode 100644 0009-lxc_start-add-default-terminal-fifos.patch create mode 100644 0010-Save-pid-ppid-info-into-file-for-isulad.patch create mode 100644 0011-Add-exit-FIFO-to-monitor-state-of-lxc-monitor.patch create mode 100644 0012-Init-fifos-in-lxc_attach_terminal.patch create mode 100644 0013-isulad-set-env-home-in-container.patch create mode 100644 0014-support-rotate-for-container-log-file.patch create mode 100644 0015-fix-high-gcc-compile-bug.patch create mode 100644 0016-add-masked-paths-and-ro-paths.patch create mode 100644 0017-isulad-check-cgroup-cpu.shares-after-setted.patch create mode 100644 0018-lxc-attach-add-support-terminal-fifos.patch create mode 100644 0019-remount-cgroup-readonly-and-make-soft-link-of-subcgr.patch create mode 100644 0020-fix-log-error-when-symlink-subcgroup.patch create mode 100644 0021-lxc-attch-add-error-message.patch create mode 100644 0022-support-rootfs-mount-propagation.patch create mode 100644 0023-attach.c-change-uid-and-gid-from-lxc-container-confi.patch create mode 100644 0024-isulad-support-symlink-in-mount-entry-and-not-permit.patch create mode 100644 0025-support-oci-hooks.patch create mode 100644 0026-remove-filelock-and-do-not-destroy-directory-when-de.patch create mode 100644 0027-fix-bug-of-memory-leak.patch create mode 100644 0028-support-rootfs-for-container.patch create mode 100644 0029-add-start-timeout-to-limit-start-time.patch create mode 100644 0030-support-block-device-as-rootfs.patch create mode 100644 0031-clean-add-clean-resources-api.patch create mode 100644 0032-Drop-all-caps-when-cap.keep-ISULAD_KEEP_NONE.patch create mode 100644 0033-support-mount-squashfs-in-mount-entry.patch create mode 100644 0034-some-small-bugfix.patch create mode 100644 0035-lxc-fixup-builds-with-newer-glibc.patch create mode 100644 0036-drop_caps-add-drop-caps-of-current-process.patch create mode 100644 0037-restore-default-signal-handlers-and-set-umask-0027.patch create mode 100644 0038-make-the-given-terminal-as-controlling-terminal.patch create mode 100644 0039-print-error-message-when-container-start-failed.patch create mode 100644 0040-add-timeout-200ms-for-cmds-send-to-lxc-monitor.patch create mode 100644 0041-return-1-when-_lxc_start-fails.patch create mode 100644 0042-lxc-seccomp-adopt-to-lxc3.0.patch create mode 100644 0043-check-null-pointer-of-handler-to-fix-coredump-of-att.patch create mode 100644 0044-support-space-in-volume-mount-and-env.patch create mode 100644 0045-add_terminal_fifos-Add-terminal-fifos-dynamically.patch create mode 100644 0046-Do-not-test-cgroup-writeable.patch create mode 100644 0047-Fix-memory-leak-in-lxc_global_config_value.patch create mode 100644 0048-clear-ONLCR-flag-from-master-of-terminal.patch create mode 100644 0049-Add-100ms-timeout-for-console-epoll.patch create mode 100644 0050-seccomp-add-rules-for-specified-architecture-only.patch create mode 100644 0051-if-ocihook-is-empty.patch create mode 100644 0052-Fix-seccomp-fail-when-all-specified-in-config.patch create mode 100644 0053-destroy-empty-cgroup-path-return-ture.patch create mode 100644 0054-fix-invalid-log-message.patch create mode 100644 0055-Fix-compile-error.patch create mode 100644 0056-caps-use-_LINUX_CAPABILITY_VERSION_3-to-set-cap.patch create mode 100644 0057-confile-add-support-umask.patch create mode 100644 0058-do-not-check-ppid-when-set-death-signal.patch create mode 100644 0059-delete-unused-variable-ppid.patch create mode 100644 0060-using-json-file-to-write-console-log-of-container.patch create mode 100644 0061-Fix-hook-use-the-path-args-envs-execvp-dirctory.patch create mode 100644 0062-setup-sysctls-before-set-read-only-path-and-masked-p.patch create mode 100644 0063-lxc-ignore-systemcall-load-failure-error.patch create mode 100644 0064-lxc-Reduce-seccomp-processing-log-level.patch create mode 100644 0065-Storage-return-true-if-storage_init-init-fail.patch create mode 100644 0066-lxc-Pids-limit-does-not-report-an-error-after-execut.patch create mode 100644 0067-lxc-report-error-when-remove-directory-failed.patch create mode 100644 0068-support-record-stdout-stderr-log-of-container-consol.patch create mode 100644 0069-lxc-killall-processes-if-container-shared-pid-namesp.patch create mode 100644 0070-lxc-signal-all-process-for-shared-container-when-con.patch create mode 100644 0071-lxc-get-cgroup-path-according-to-cgroup-mountpoint.patch create mode 100644 0072-lxc-adapt-to-docker-18.09.patch create mode 100644 0073-lxc-support-set-additional-groups.patch create mode 100644 0074-lxc-only-add-valid-fd-to-mainloop.patch create mode 100644 0075-lxc-add-timeout-for-attach.patch create mode 100644 0076-lxc-delete-unused-variable.patch create mode 100644 0077-lxc-set-negative-files.limit-to-max-and-fix-bug-of-s.patch create mode 100644 0078-Run-pre-start-hook-before-chroot.patch create mode 100644 0079-inherid-env-from-parent-in-oci-hooks.patch create mode 100644 0080-lxc-fix-compile-error.patch create mode 100644 0081-lxc-Change-the-range-of-attach-timeout.patch create mode 100644 0082-lxc-fix-memory-leak-cause-by-setenv.patch create mode 100644 0083-lxc-free-lxc-handler.patch create mode 100644 0084-lxc-memory-leak-of-lxc_grow_array.patch create mode 100644 0085-lxc-update-json-file-from-isulad.patch create mode 100644 0086-confile-add-support-systemd.patch create mode 100644 0087-lxc-adapt-to-spec-of-oci-hook.patch create mode 100644 0088-fix-lxc-build-error.patch create mode 100644 0089-lxc-add-get-container-processes-pids-func.patch create mode 100644 0090-lxc-remove-unused-variable.patch create mode 100644 0091-lxc-support-namespaced-kernel-params-can-be-changed-.patch create mode 100644 0092-lxc-add-output-error-when-create-unified-cgroup.patch create mode 100644 0093-optimize-isulad_kit-operator.patch create mode 100644 0094-exec-load-uid-gid-and-groups.patch create mode 100644 0095-lxc-don-t-use-the-unified-hierarchy-for-the-systemd-.patch create mode 100644 0096-close-inherited-fd-in-hook-process.patch create mode 100644 0097-lxc-report-error-when-fork-exec-error-for-hooks.patch create mode 100644 0098-lxc-make-dev-bind-mount-from-host-tmpfs-for-system-c.patch create mode 100644 0099-terminal-do-not-close-the-master-fd-of-pty.patch create mode 100644 0100-start-add-check-save-pid-info-file.patch create mode 100644 0101-lxc-fix-code-error.patch create mode 100644 0102-lxc-fix-compile-warnings.patch create mode 100644 0103-lxc-fix-code-error-in-conf.c.patch create mode 100644 0104-lxc-fix-code-error.patch create mode 100644 0105-lxc-fix-code-error-warnings.patch create mode 100644 0106-set-timeout-to-1s-for-cmds-send-to-lxc-monitor.patch create mode 100644 0107-add-log-for-failure-of-rename-file.patch create mode 100644 0108-check-calloc-input-valid.patch create mode 100644 0109-add-secure-compile-flags-to-lxc.patch create mode 100644 0110-add-doc-for-lxc.patch create mode 100644 0111-lxc-use-safe_strdup-instead-of-strdup.patch create mode 100644 0112-fix-secure-errors.patch create mode 100644 0113-Malloc-parameter-check-and-judgment.patch create mode 100644 0114-lxc-fix-code-errors.patch create mode 100644 0115-fix-compile-error-on-ubuntu.patch create mode 100644 0116-lxc-set-base-cgroup-path-to.patch create mode 100644 0117-pupulate-device-with-dir-mode-750-and-set-uid-gid.patch create mode 100644 0118-fix-sscanf-return-value-check.patch create mode 100644 0119-remove-unuse-binary.patch create mode 100644 0120-remove-unuse-unmount-namespace.patch create mode 100644 0121-optimize-log-when-root-path-is-invalid.patch create mode 100644 0122-lxc-fix-code-reivew-errors.patch create mode 100644 lxc-2.0.6-fix-lxc-net.patch create mode 100644 lxc-2.0.7-fix-init.patch create mode 100644 lxc-3.0.3.tar.gz create mode 100644 lxc-CVE-2019-5736-runC-rexec-callers-as-memfd.patch create mode 100644 lxc.spec diff --git a/0001-confile-add-lxc.isulad.init.args-config-interface.patch b/0001-confile-add-lxc.isulad.init.args-config-interface.patch new file mode 100644 index 0000000..66ccc2b --- /dev/null +++ b/0001-confile-add-lxc.isulad.init.args-config-interface.patch @@ -0,0 +1,222 @@ +From a6f57fc8bbe7b0e2d2d77f300c3c84a2956634b6 Mon Sep 17 00:00:00 2001 +From: LiFeng +Date: Thu, 10 Jan 2019 06:54:37 -0500 +Subject: [PATCH 001/122] confile: add lxc.isulad.init.args config interface + +lxc.isulad.init.args config interface is used to specify the args for +the container. + +Signed-off-by: LiFeng +--- + src/lxc/conf.c | 13 +++++++++++ + src/lxc/conf.h | 8 +++++++ + src/lxc/confile.c | 61 ++++++++++++++++++++++++++++++++++++++++++++++++++ + src/lxc/lxccontainer.c | 30 +++++++++++++++++++++++++ + 4 files changed, 112 insertions(+) + +diff --git a/src/lxc/conf.c b/src/lxc/conf.c +index d95bc4c..f20d629 100644 +--- a/src/lxc/conf.c ++++ b/src/lxc/conf.c +@@ -4014,6 +4014,18 @@ void lxc_clear_includes(struct lxc_conf *conf) + } + } + ++/*isulad clear init args*/ ++int lxc_clear_init_args(struct lxc_conf *lxc_conf) ++{ ++ int i; ++ ++ for (i = 0; i < lxc_conf->init_argc; i++) ++ free(lxc_conf->init_argv[i]); ++ free(lxc_conf->init_argv); ++ ++ return 0; ++} ++ + void lxc_conf_free(struct lxc_conf *conf) + { + if (!conf) +@@ -4057,6 +4069,7 @@ void lxc_conf_free(struct lxc_conf *conf) + lxc_clear_limits(conf, "lxc.prlimit"); + lxc_clear_sysctls(conf, "lxc.sysctl"); + lxc_clear_procs(conf, "lxc.proc"); ++ lxc_clear_init_args(conf); + free(conf->cgroup_meta.dir); + free(conf->cgroup_meta.controllers); + free(conf); +diff --git a/src/lxc/conf.h b/src/lxc/conf.h +index 41f67cf..95c3027 100644 +--- a/src/lxc/conf.h ++++ b/src/lxc/conf.h +@@ -376,6 +376,10 @@ struct lxc_conf { + + /* procs */ + struct lxc_list procs; ++ ++ /* isulad add: init args used to repalce init_cmd*/ ++ char **init_argv; ++ size_t init_argc; + }; + + extern int write_id_mapping(enum idtype idtype, pid_t pid, const char *buf, +@@ -442,4 +446,8 @@ extern int lxc_clear_sysctls(struct lxc_conf *c, const char *key); + extern int setup_proc_filesystem(struct lxc_list *procs, pid_t pid); + extern int lxc_clear_procs(struct lxc_conf *c, const char *key); + ++/* isulad add begin */ ++int lxc_clear_init_args(struct lxc_conf *lxc_conf); ++/* isulad add end */ ++ + #endif /* __LXC_CONF_H */ +diff --git a/src/lxc/confile.c b/src/lxc/confile.c +index 05c6823..7297b35 100644 +--- a/src/lxc/confile.c ++++ b/src/lxc/confile.c +@@ -150,6 +150,10 @@ lxc_config_define(tty_dir); + lxc_config_define(uts_name); + lxc_config_define(sysctl); + lxc_config_define(proc); ++/*isulad add begin*/ ++lxc_config_define(init_args); ++/*isulad add end*/ ++ + + static struct lxc_config_t config_jump_table[] = { + { "lxc.arch", set_config_personality, get_config_personality, clr_config_personality, }, +@@ -234,6 +238,10 @@ static struct lxc_config_t config_jump_table[] = { + { "lxc.uts.name", set_config_uts_name, get_config_uts_name, clr_config_uts_name, }, + { "lxc.sysctl", set_config_sysctl, get_config_sysctl, clr_config_sysctl, }, + { "lxc.proc", set_config_proc, get_config_proc, clr_config_proc, }, ++ ++ /*isulad add begin*/ ++ { "lxc.isulad.init.args", set_config_init_args, get_config_init_args, clr_config_init_args, }, ++ /*isulad add end*/ + }; + + static const size_t config_jump_table_size = sizeof(config_jump_table) / sizeof(struct lxc_config_t); +@@ -2184,6 +2192,33 @@ static int set_config_namespace_share(const char *key, const char *value, + return set_config_string_item(&lxc_conf->ns_share[ns_idx], value); + } + ++/* isulad: set config for init args */ ++static int set_config_init_args(const char *key, const char *value, ++ struct lxc_conf *lxc_conf, void *data) ++{ ++ int ret = 0; ++ char *tmp = NULL; ++ char *new_value = NULL; ++ ++ ret = set_config_string_item(&new_value, value); ++ if (ret || !new_value) ++ return ret; ++ ++ tmp = realloc(lxc_conf->init_argv, (lxc_conf->init_argc + 1) * sizeof(char *)); ++ if (!tmp) { ++ ERROR("Out of memory"); ++ free(new_value); ++ return -1; ++ } ++ ++ lxc_conf->init_argv = (char **)tmp; ++ ++ lxc_conf->init_argv[lxc_conf->init_argc] = new_value; ++ lxc_conf->init_argc++; ++ ++ return 0; ++} ++ + struct parse_line_conf { + struct lxc_conf *conf; + bool from_include; +@@ -3716,6 +3751,25 @@ static int get_config_namespace_share(const char *key, char *retv, int inlen, + return fulllen; + } + ++/* isulad: get config init args */ ++static int get_config_init_args(const char *key, char *retv, int inlen, ++ struct lxc_conf *c, void *data) ++{ ++ int i, len, fulllen = 0; ++ struct lxc_list *it; ++ ++ if (!retv) ++ inlen = 0; ++ else ++ memset(retv, 0, inlen); ++ ++ for (i = 0; i < c->init_argc; i++) { ++ strprint(retv, inlen, "%s", c->init_argv[i]); ++ } ++ ++ return fulllen; ++} ++ + /* Callbacks to clear config items. */ + static inline int clr_config_personality(const char *key, struct lxc_conf *c, + void *data) +@@ -4520,6 +4574,13 @@ static int clr_config_net_ipv6_address(const char *key, + return 0; + } + ++/* isulad: clr config init args*/ ++static inline int clr_config_init_args(const char *key, struct lxc_conf *c, ++ void *data) ++{ ++ return lxc_clear_init_args(c); ++} ++ + static int get_config_net_nic(const char *key, char *retv, int inlen, + struct lxc_conf *c, void *data) + { +diff --git a/src/lxc/lxccontainer.c b/src/lxc/lxccontainer.c +index ad70886..b4cacce 100644 +--- a/src/lxc/lxccontainer.c ++++ b/src/lxc/lxccontainer.c +@@ -847,6 +847,31 @@ static bool wait_on_daemonized_start(struct lxc_handler *handler, int pid) + return true; + } + ++/* isulad: use init argv as init cmd */ ++static char **use_init_args(char **init_argv, size_t init_args) ++{ ++ size_t i; ++ int nargs = 0; ++ char **argv; ++ ++ if (!init_argv) ++ return NULL; ++ ++ do { ++ argv = malloc(sizeof(char *)); ++ } while (!argv); ++ ++ argv[0] = NULL; ++ for (i = 0; i < init_args; i++) ++ push_arg(&argv, init_argv[i], &nargs); ++ ++ if (nargs == 0) { ++ free(argv); ++ return NULL; ++ } ++ return argv; ++} ++ + static bool do_lxcapi_start(struct lxc_container *c, int useinit, char * const argv[]) + { + int ret; +@@ -903,6 +928,11 @@ static bool do_lxcapi_start(struct lxc_container *c, int useinit, char * const a + argv = init_cmd = split_init_cmd(conf->init_cmd); + } + ++ /* isulad: use init argv as init cmd */ ++ if (!argv) { ++ argv = init_cmd = use_init_args(conf->init_argv, conf->init_argc); ++ } ++ + /* ... otherwise use default_args. */ + if (!argv) { + if (useinit) { +-- +1.8.3.1 + diff --git a/0002-namespace-add-support-share-namespace-by-path.patch b/0002-namespace-add-support-share-namespace-by-path.patch new file mode 100644 index 0000000..87c2c5c --- /dev/null +++ b/0002-namespace-add-support-share-namespace-by-path.patch @@ -0,0 +1,35 @@ +From d1e8ab945fadac5ee11eb150b1cdfb6aeec407c2 Mon Sep 17 00:00:00 2001 +From: LiFeng +Date: Thu, 10 Jan 2019 08:42:19 -0500 +Subject: [PATCH 002/122] namespace: add support share namespace by path + +Signed-off-by: LiFeng +--- + src/lxc/confile_utils.c | 11 +++++++++++ + 1 file changed, 11 insertions(+) + +diff --git a/src/lxc/confile_utils.c b/src/lxc/confile_utils.c +index 7280463..9049ce8 100644 +--- a/src/lxc/confile_utils.c ++++ b/src/lxc/confile_utils.c +@@ -789,6 +789,17 @@ int lxc_inherit_namespace(const char *lxcname_or_pid, const char *lxcpath, + int fd, pid; + char *dup, *lastslash; + ++ /* isulad: add support share namespace by path. ++ * e.g. "lxc.namespace.share.net = /proc/PID/ns/net or /var/run/netns/net" ++ */ ++ if (file_exists(lxcname_or_pid) && !dir_exists(lxcname_or_pid)) { ++ fd = open(lxcname_or_pid, O_RDONLY | O_CLOEXEC); ++ if (fd < 0) ++ return -EINVAL; ++ ++ return fd; ++ } ++ + lastslash = strrchr(lxcname_or_pid, '/'); + if (lastslash) { + dup = strdup(lxcname_or_pid); +-- +1.8.3.1 + diff --git a/0003-confile-add-lxc.isulad.populate.device-interface.patch b/0003-confile-add-lxc.isulad.populate.device-interface.patch new file mode 100644 index 0000000..4dd2ad8 --- /dev/null +++ b/0003-confile-add-lxc.isulad.populate.device-interface.patch @@ -0,0 +1,406 @@ +From 8a8f3a04e8a6f3494a072ffe0cc9124049c5ba63 Mon Sep 17 00:00:00 2001 +From: LiFeng +Date: Fri, 11 Jan 2019 01:51:25 -0500 +Subject: [PATCH 003/122] confile: add lxc.isulad.populate.device interface + +Signed-off-by: LiFeng +--- + src/lxc/conf.c | 125 +++++++++++++++++++++++++++++++++++++++++++++++++++--- + src/lxc/conf.h | 28 +++++++++++- + src/lxc/confile.c | 124 +++++++++++++++++++++++++++++++++++++++++++++++++++++ + 3 files changed, 269 insertions(+), 8 deletions(-) + +diff --git a/src/lxc/conf.c b/src/lxc/conf.c +index f20d629..20b7aba 100644 +--- a/src/lxc/conf.c ++++ b/src/lxc/conf.c +@@ -2745,6 +2745,10 @@ struct lxc_conf *lxc_conf_init(void) + memset(&new->cgroup_meta, 0, sizeof(struct lxc_cgroup)); + memset(&new->ns_share, 0, sizeof(char *) * LXC_NS_MAX); + ++ /* isulad add begin */ ++ lxc_list_init(&new->populate_devs); ++ /* isulad add end */ ++ + return new; + } + +@@ -3487,6 +3491,85 @@ static bool execveat_supported(void) + return true; + } + ++/* isulad: setup devices which will be populated in the container.*/ ++static int setup_populate_devs(const struct lxc_rootfs *rootfs, struct lxc_list *devs) ++{ ++ int ret; ++ char *pathdirname; ++ char path[MAXPATHLEN]; ++ mode_t cmask; ++ mode_t file_mode = 0; ++ struct lxc_populate_devs *dev_elem; ++ struct lxc_list *it; ++ ++ INFO("Populating devices into container"); ++ cmask = umask(S_IXUSR | S_IXGRP | S_IXOTH); ++ lxc_list_for_each(it, devs) { ++ dev_elem = it->elem; ++ ++ ret = snprintf(path, MAXPATHLEN, "%s/%s", rootfs->path ? rootfs->mount : "", dev_elem->name); ++ if (ret < 0 || ret >= MAXPATHLEN) ++ return -1; ++ ++ /* create any missing directories */ ++ pathdirname = strdup(path); ++ pathdirname = dirname(pathdirname); ++ ret = mkdir_p(pathdirname, 0750); ++ free(pathdirname); ++ if (ret < 0) { ++ WARN("Failed to create target directory"); ++ return -1; ++ } ++ ++ if (!strcmp(dev_elem->type, "c")) { ++ file_mode = dev_elem->file_mode | S_IFCHR; ++ } else if (!strcmp(dev_elem->type, "b")) { ++ file_mode = dev_elem->file_mode | S_IFBLK; ++ } else { ++ ERROR("Failed to parse devices type '%s'", dev_elem->type); ++ return -1; ++ } ++ ++ DEBUG("Try to mknod '%s':'%d':'%d':'%d'\n", path, ++ file_mode, dev_elem->maj, dev_elem->min); ++ ++ ret = mknod(path, file_mode, makedev(dev_elem->maj, dev_elem->min)); ++ if (ret && errno != EEXIST) { ++ SYSERROR("Failed to mknod '%s':'%d':'%d':'%d'", dev_elem->name, ++ file_mode, dev_elem->maj, dev_elem->min); ++ ++ char hostpath[MAXPATHLEN]; ++ FILE *pathfile; ++ ++ // Unprivileged containers cannot create devices, so ++ // try to bind mount the device from the host ++ ret = snprintf(hostpath, MAXPATHLEN, "/dev/%s", dev_elem->name); ++ if (ret < 0 || ret >= MAXPATHLEN) ++ return -1; ++ pathfile = fopen(path, "wb"); ++ if (!pathfile) { ++ SYSERROR("Failed to create device mount target '%s'", path); ++ return -1; ++ } ++ fclose(pathfile); ++ if (safe_mount(hostpath, path, 0, MS_BIND, NULL, ++ rootfs->path ? rootfs->mount : NULL) != 0) { ++ SYSERROR("Failed bind mounting device %s from host into container", ++ dev_elem->name); ++ return -1; ++ } ++ } ++ if (chown(path, dev_elem->uid, dev_elem->gid) < 0) { ++ ERROR("Error chowning %s", path); ++ return -1; ++ } ++ } ++ umask(cmask); ++ ++ INFO("Populated devices into container /dev"); ++ return 0; ++} ++ + int lxc_setup(struct lxc_handler *handler) + { + int ret; +@@ -3584,6 +3667,16 @@ int lxc_setup(struct lxc_handler *handler) + return -1; + } + ++ /*isulad: move mount entrues here, before we do lxc_fill_autodev and populate devices */ ++ if (!lxc_list_empty(&lxc_conf->mount_list)) { ++ ret = setup_mount_entries(lxc_conf, &lxc_conf->rootfs, ++ &lxc_conf->mount_list, name, lxcpath); ++ if (ret < 0) { ++ ERROR("Failed to setup mount entries"); ++ return -1; ++ } ++ } ++ + ret = run_lxc_hooks(name, "mount", lxc_conf, NULL); + if (ret < 0) { + ERROR("Failed to run mount hooks"); +@@ -3604,12 +3697,11 @@ int lxc_setup(struct lxc_handler *handler) + } + } + +- if (!lxc_list_empty(&lxc_conf->mount_list)) { +- ret = setup_mount_entries(lxc_conf, &lxc_conf->rootfs, +- &lxc_conf->mount_list, name, lxcpath); +- if (ret < 0) { +- ERROR("Failed to setup mount entries"); +- return -1; ++ /* isulad: setup devices which will be populated in the container. */ ++ if (!lxc_list_empty(&lxc_conf->populate_devs)) { ++ if (setup_populate_devs(&lxc_conf->rootfs, &lxc_conf->populate_devs)) { ++ ERROR("Failed to setup devices in the container"); ++ return -1;; + } + } + +@@ -4026,6 +4118,22 @@ int lxc_clear_init_args(struct lxc_conf *lxc_conf) + return 0; + } + ++/*isulad: clear populate devices*/ ++int lxc_clear_populate_devices(struct lxc_conf *c) ++{ ++ struct lxc_list *it,*next; ++ ++ lxc_list_for_each_safe(it, &c->populate_devs, next) { ++ struct lxc_populate_devs *dev_elem = it->elem; ++ lxc_list_del(it); ++ free(dev_elem->name); ++ free(dev_elem->type); ++ free(dev_elem); ++ free(it); ++ } ++ return 0; ++} ++ + void lxc_conf_free(struct lxc_conf *conf) + { + if (!conf) +@@ -4069,9 +4177,12 @@ void lxc_conf_free(struct lxc_conf *conf) + lxc_clear_limits(conf, "lxc.prlimit"); + lxc_clear_sysctls(conf, "lxc.sysctl"); + lxc_clear_procs(conf, "lxc.proc"); +- lxc_clear_init_args(conf); + free(conf->cgroup_meta.dir); + free(conf->cgroup_meta.controllers); ++ /* isulad add begin */ ++ lxc_clear_init_args(conf); ++ lxc_clear_populate_devices(conf); ++ /* isulad add end */ + free(conf); + } + +diff --git a/src/lxc/conf.h b/src/lxc/conf.h +index 95c3027..cced868 100644 +--- a/src/lxc/conf.h ++++ b/src/lxc/conf.h +@@ -171,6 +171,26 @@ struct lxc_rootfs { + }; + + /* ++ * iSulad: Defines a structure to store the devices which will ++ * be attached in container ++ * @name : the target device name in container ++ * @type : the type of target device "c" or "b" ++ * @mode : file mode for the device ++ * @maj : major number for the device ++ * @min : minor number for the device ++ */ ++struct lxc_populate_devs { ++ char *name; ++ char *type; ++ mode_t file_mode; ++ int maj; ++ int min; ++ uid_t uid; ++ gid_t gid; ++}; ++ ++ ++/* + * Automatic mounts for LXC to perform inside the container + */ + enum { +@@ -377,9 +397,13 @@ struct lxc_conf { + /* procs */ + struct lxc_list procs; + +- /* isulad add: init args used to repalce init_cmd*/ ++ /* isulad add begin */ ++ /* init args used to repalce init_cmd*/ + char **init_argv; + size_t init_argc; ++ /* populate devices*/ ++ struct lxc_list populate_devs; ++ /* isulad add end */ + }; + + extern int write_id_mapping(enum idtype idtype, pid_t pid, const char *buf, +@@ -448,6 +472,8 @@ extern int lxc_clear_procs(struct lxc_conf *c, const char *key); + + /* isulad add begin */ + int lxc_clear_init_args(struct lxc_conf *lxc_conf); ++int lxc_clear_populate_devices(struct lxc_conf *c); ++ + /* isulad add end */ + + #endif /* __LXC_CONF_H */ +diff --git a/src/lxc/confile.c b/src/lxc/confile.c +index 7297b35..e3212d3 100644 +--- a/src/lxc/confile.c ++++ b/src/lxc/confile.c +@@ -152,6 +152,7 @@ lxc_config_define(sysctl); + lxc_config_define(proc); + /*isulad add begin*/ + lxc_config_define(init_args); ++lxc_config_define(populate_device); + /*isulad add end*/ + + +@@ -241,6 +242,7 @@ static struct lxc_config_t config_jump_table[] = { + + /*isulad add begin*/ + { "lxc.isulad.init.args", set_config_init_args, get_config_init_args, clr_config_init_args, }, ++ { "lxc.isulad.populate.device", set_config_populate_device, get_config_populate_device, clr_config_populate_device, }, + /*isulad add end*/ + }; + +@@ -2219,6 +2221,93 @@ static int set_config_init_args(const char *key, const char *value, + return 0; + } + ++/* isulad: set config for init args */ ++static int set_config_populate_device(const char *key, const char *value, ++ struct lxc_conf *lxc_conf, void *data) ++{ ++ int ret = 0, major = 0, minor = 0; ++ uid_t uid = (uid_t)-1; ++ gid_t gid = (gid_t)-1; ++ char name[PATH_MAX] = {0}; ++ char type[3] = {0}; ++ char *replace_value = NULL; ++ mode_t filemode = 0; ++ struct lxc_list *iter; ++ struct lxc_list *dev_list = NULL; ++ struct lxc_populate_devs *dev_elem = NULL; ++ ++ if (lxc_config_value_empty(value)) ++ return lxc_clear_populate_devices(lxc_conf); ++ ++ /* lxc.populate.device = PATH_IN_CONTAINER:DEVICETYPE:MAJOR:MINOR:MODE:UID:GID ++ * For e.g. lxc.populate.device = /dev/sda:b:8:0:0666:0:0 ++ */ ++ ret = sscanf(value, "%[^:]:%2[^:]:%i:%i:%i:%u:%u", name, type, &major, &minor, &filemode, &uid, &gid); ++ if (ret != 7) ++ return -1; ++ ++ /* find existing list element */ ++ lxc_list_for_each(iter, &lxc_conf->populate_devs) { ++ dev_elem = iter->elem; ++ ++ if (strcmp(name, dev_elem->name) != 0) ++ continue; ++ ++ replace_value = strdup(type); ++ if (!replace_value) ++ return -1; ++ ++ free(dev_elem->type); ++ dev_elem->type = replace_value; ++ dev_elem->file_mode = filemode; ++ dev_elem->maj = major; ++ dev_elem->min = minor; ++ dev_elem->uid = (uid_t)uid; ++ dev_elem->gid = (gid_t)gid; ++ return 0; ++ } ++ ++ /* allocate list element */ ++ dev_list = malloc(sizeof(*dev_list)); ++ if (!dev_list) ++ goto on_error; ++ ++ lxc_list_init(dev_list); ++ ++ dev_elem = malloc(sizeof(*dev_elem)); ++ if (!dev_elem) ++ goto on_error; ++ memset(dev_elem, 0, sizeof(*dev_elem)); ++ ++ dev_elem->name = strdup(name); ++ if (!dev_elem->name) ++ goto on_error; ++ ++ dev_elem->type = strdup(type); ++ if (!dev_elem->type) ++ goto on_error; ++ ++ dev_elem->file_mode = filemode; ++ dev_elem->maj = major; ++ dev_elem->min = minor; ++ ++ lxc_list_add_elem(dev_list, dev_elem); ++ ++ lxc_list_add_tail(&lxc_conf->populate_devs, dev_list); ++ ++ return 0; ++ ++on_error: ++ free(dev_list); ++ if (dev_elem) { ++ free(dev_elem->name); ++ free(dev_elem->type); ++ free(dev_elem); ++ } ++ return -1; ++ ++} ++ + struct parse_line_conf { + struct lxc_conf *conf; + bool from_include; +@@ -3770,6 +3859,34 @@ static int get_config_init_args(const char *key, char *retv, int inlen, + return fulllen; + } + ++/* isulad: get config populate device ++ * If you ask for 'lxc.populate.device', then all populate device ++ * entries will be printed, in 'lxc.populate.device = path_in_container:type:major:minor:mode:uid:gid' format. ++ * For e.g. lxc.populate.device = /dev/sda:b:8:0:0666:0:0 ++ */ ++static int get_config_populate_device(const char *key, char *retv, int inlen, ++ struct lxc_conf *c, void *data) ++{ ++ int len; ++ struct lxc_list *it; ++ int fulllen = 0; ++ ++ if (!retv) ++ inlen = 0; ++ else ++ memset(retv, 0, inlen); ++ ++ lxc_list_for_each(it, &c->populate_devs) { ++ struct lxc_populate_devs *elem = it->elem; ++ strprint(retv, inlen, "lxc.populate.device = %s:%s:%d:%d:%o:%u:%u\n", ++ elem->name, elem->type, elem->maj, ++ elem->min, elem->file_mode, elem->uid, elem->gid); ++ } ++ ++ return fulllen; ++} ++ ++ + /* Callbacks to clear config items. */ + static inline int clr_config_personality(const char *key, struct lxc_conf *c, + void *data) +@@ -4581,6 +4698,13 @@ static inline int clr_config_init_args(const char *key, struct lxc_conf *c, + return lxc_clear_init_args(c); + } + ++/* isulad: clr config populate devices*/ ++static inline int clr_config_populate_device(const char *key, struct lxc_conf *c, ++ void *data) ++{ ++ return lxc_clear_populate_devices(c); ++} ++ + static int get_config_net_nic(const char *key, char *retv, int inlen, + struct lxc_conf *c, void *data) + { +-- +1.8.3.1 + diff --git a/0004-support-isulad-fifo-log.patch b/0004-support-isulad-fifo-log.patch new file mode 100644 index 0000000..b328314 --- /dev/null +++ b/0004-support-isulad-fifo-log.patch @@ -0,0 +1,96 @@ +From e5e1a628b279c604fe5eaf0cc6646e6510dfe6f7 Mon Sep 17 00:00:00 2001 +From: liuhao +Date: Fri, 11 Jan 2019 16:11:34 +0800 +Subject: [PATCH 004/122] support isulad fifo log + +support isulad fifo log in lxc3.0 + +Signed-off-by: LiFeng +--- + src/lxc/log.c | 42 ++++++++++++++++++++++++++++++++++++++++-- + 1 file changed, 40 insertions(+), 2 deletions(-) + +diff --git a/src/lxc/log.c b/src/lxc/log.c +index 1e0cc6a..4e74459 100644 +--- a/src/lxc/log.c ++++ b/src/lxc/log.c +@@ -68,6 +68,7 @@ static int syslog_enable = 0; + int lxc_quiet_specified; + int lxc_log_use_global_fd; + static int lxc_loglevel_specified; ++static bool isulad_use_log_fifo_flag = false; + + static char log_prefix[LXC_LOG_PREFIX_SIZE] = "lxc"; + static char *log_fname = NULL; +@@ -138,6 +139,37 @@ static char *lxc_log_get_va_msg(struct lxc_log_event *event) + return msg; + } + ++static const char *isulad_use_log_fifo(const char *file) ++{ ++#define ISULAD_FIFO_PREFIX "fifo:" ++ ++ if (strncmp(file, ISULAD_FIFO_PREFIX, strlen(ISULAD_FIFO_PREFIX)) == 0) { ++ isulad_use_log_fifo_flag = true; ++ return (file + strlen(ISULAD_FIFO_PREFIX)); ++ } ++ return file; ++} ++ ++static int isulad_open_fifo(const char *file_path) ++{ ++#define LOG_FIFO_SIZE (1024 * 1024) ++ int fd = -1; ++ ++ fd = lxc_unpriv(open(file_path, O_RDWR | O_NONBLOCK | O_CLOEXEC, 0640)); ++ if (fd == -1) { ++ fprintf(stderr, "Open fifo %s failed: %s\n", file_path, strerror(errno)); ++ return -1; ++ } ++ ++ if (fcntl(fd, F_SETPIPE_SZ, LOG_FIFO_SIZE) == -1) { ++ printf("Set fifo buffer size failed: %s", strerror(errno)); ++ close(fd); ++ return -1; ++ } ++ ++ return fd; ++} ++ + /*---------------------------------------------------------------------------*/ + static int log_append_syslog(const struct lxc_log_appender *appender, + struct lxc_log_event *event) +@@ -609,7 +641,11 @@ static int __lxc_log_set_file(const char *fname, int create_dirs) + return -1; + } + +- lxc_log_fd = log_open(fname); ++ if (isulad_use_log_fifo_flag) { ++ lxc_log_fd = isulad_open_fifo(fname); ++ } else { ++ lxc_log_fd = log_open(fname); ++ } + if (lxc_log_fd == -1) + return -1; + +@@ -642,6 +678,7 @@ int lxc_log_init(struct lxc_log *log) + { + int ret; + int lxc_priority = LXC_LOG_LEVEL_ERROR; ++ const char *tmp_log_fname; + + if (!log) + return -1; +@@ -673,7 +710,8 @@ int lxc_log_init(struct lxc_log *log) + if (strcmp(log->file, "none") == 0) + return 0; + +- ret = __lxc_log_set_file(log->file, 1); ++ tmp_log_fname = isulad_use_log_fifo(log->file); ++ ret = __lxc_log_set_file(tmp_log_fname, 1); + if (ret < 0) { + ERROR("Failed to enable logfile"); + return -1; +-- +1.8.3.1 + diff --git a/0005-auto-mount-cgroup-sys-and-proc.patch b/0005-auto-mount-cgroup-sys-and-proc.patch new file mode 100644 index 0000000..192542d --- /dev/null +++ b/0005-auto-mount-cgroup-sys-and-proc.patch @@ -0,0 +1,80 @@ +From f3c5a99c7bd1ecef02051489a97cbe0a1def254f Mon Sep 17 00:00:00 2001 +From: tanyifeng +Date: Thu, 10 Jan 2019 20:40:19 +0800 +Subject: [PATCH 005/122] auto mount cgroup sys and proc + +Signed-off-by: LiFeng +--- + src/lxc/cgroups/cgfsng.c | 8 ++++++-- + src/lxc/conf.c | 15 ++++++++++++--- + 2 files changed, 18 insertions(+), 5 deletions(-) + +diff --git a/src/lxc/cgroups/cgfsng.c b/src/lxc/cgroups/cgfsng.c +index acc6c30..aff2b5e 100644 +--- a/src/lxc/cgroups/cgfsng.c ++++ b/src/lxc/cgroups/cgfsng.c +@@ -1648,6 +1648,10 @@ __cgfsng_ops static bool cgfsng_mount(struct cgroup_ops *ops, + + /* Mount tmpfs */ + tmpfspath = must_make_path(root, "/sys/fs/cgroup", NULL); ++ if (mkdir_p(tmpfspath, 0755) < 0) { ++ ERROR("Failed to create directory: %s", tmpfspath); ++ goto on_error; ++ } + ret = safe_mount(NULL, tmpfspath, "tmpfs", + MS_NOSUID | MS_NODEV | MS_NOEXEC | MS_RELATIME, + "size=10240k,mode=755", root); +@@ -1700,8 +1704,8 @@ __cgfsng_ops static bool cgfsng_mount(struct cgroup_ops *ops, + continue; + } + +- path2 = must_make_path(controllerpath, h->container_base_path, +- ops->container_cgroup, NULL); ++ // Ignore ops->container_cgroup so we will not see directory lxc after /sys/fs/cgroup/xxx in container ++ path2 = must_make_path(controllerpath, h->container_base_path, NULL); + ret = mkdir_p(path2, 0755); + if (ret < 0) { + free(controllerpath); +diff --git a/src/lxc/conf.c b/src/lxc/conf.c +index 20b7aba..18753d1 100644 +--- a/src/lxc/conf.c ++++ b/src/lxc/conf.c +@@ -670,8 +670,8 @@ static int lxc_mount_auto_mounts(struct lxc_conf *conf, int flags, struct lxc_ha + { LXC_AUTO_PROC_MASK, LXC_AUTO_PROC_MIXED, "%r/proc/sysrq-trigger", "%r/proc/sysrq-trigger", NULL, MS_BIND, NULL }, + { LXC_AUTO_PROC_MASK, LXC_AUTO_PROC_MIXED, NULL, "%r/proc/sysrq-trigger", NULL, MS_REMOUNT|MS_BIND|MS_RDONLY, NULL }, + { LXC_AUTO_PROC_MASK, LXC_AUTO_PROC_RW, "proc", "%r/proc", "proc", MS_NODEV|MS_NOEXEC|MS_NOSUID, NULL }, +- { LXC_AUTO_SYS_MASK, LXC_AUTO_SYS_RW, "sysfs", "%r/sys", "sysfs", 0, NULL }, +- { LXC_AUTO_SYS_MASK, LXC_AUTO_SYS_RO, "sysfs", "%r/sys", "sysfs", MS_RDONLY, NULL }, ++ { LXC_AUTO_SYS_MASK, LXC_AUTO_SYS_RW, "sysfs", "%r/sys", "sysfs", MS_NODEV|MS_NOEXEC|MS_NOSUID, NULL }, ++ { LXC_AUTO_SYS_MASK, LXC_AUTO_SYS_RO, "sysfs", "%r/sys", "sysfs", MS_RDONLY|MS_NODEV|MS_NOEXEC|MS_NOSUID, NULL }, + { LXC_AUTO_SYS_MASK, LXC_AUTO_SYS_MIXED, "sysfs", "%r/sys", "sysfs", MS_NODEV|MS_NOEXEC|MS_NOSUID, NULL }, + { LXC_AUTO_SYS_MASK, LXC_AUTO_SYS_MIXED, NULL, "%r/sys", NULL, MS_REMOUNT|MS_BIND|MS_RDONLY, NULL }, + { LXC_AUTO_SYS_MASK, LXC_AUTO_SYS_MIXED, "sysfs", "%r/sys/devices/virtual/net", "sysfs", 0, NULL }, +@@ -710,6 +710,15 @@ static int lxc_mount_auto_mounts(struct lxc_conf *conf, int flags, struct lxc_ha + return -1; + } + ++ if (mkdir_p(destination, 0755) < 0) { ++ SYSERROR("Failed to create mount target '%s'", destination); ++ saved_errno = errno; ++ free(source); ++ free(destination); ++ errno = saved_errno; ++ return -1; ++ } ++ + mflags = add_required_remount_flags(source, destination, + default_mounts[i].flags); + r = safe_mount(source, destination, default_mounts[i].fstype, +@@ -717,7 +726,7 @@ static int lxc_mount_auto_mounts(struct lxc_conf *conf, int flags, struct lxc_ha + conf->rootfs.path ? conf->rootfs.mount : NULL); + saved_errno = errno; + if (r < 0 && errno == ENOENT) { +- INFO("Mount source or target for \"%s\" on \"%s\" does " ++ INFO("Mount source for \"%s\" on \"%s\" does " + "not exist. Skipping", source, destination); + r = 0; + } else if (r < 0) { +-- +1.8.3.1 + diff --git a/0006-conf.c-fix-bug-when-set-no-ro-mount-mount-propagatio.patch b/0006-conf.c-fix-bug-when-set-no-ro-mount-mount-propagatio.patch new file mode 100644 index 0000000..2c549ef --- /dev/null +++ b/0006-conf.c-fix-bug-when-set-no-ro-mount-mount-propagatio.patch @@ -0,0 +1,39 @@ +From 32f9ca00819b53c1f3bc933da8d489b3766c184d Mon Sep 17 00:00:00 2001 +From: tanyifeng +Date: Fri, 11 Jan 2019 16:55:01 +0800 +Subject: [PATCH 006/122] conf.c: fix bug when set no ro mount, mount + propagation will be skipped + +Signed-off-by: LiFeng +--- + src/lxc/conf.c | 7 +++---- + 1 file changed, 3 insertions(+), 4 deletions(-) + +diff --git a/src/lxc/conf.c b/src/lxc/conf.c +index 18753d1..37a5ff7 100644 +--- a/src/lxc/conf.c ++++ b/src/lxc/conf.c +@@ -2087,6 +2087,9 @@ static int mount_entry(const char *fsname, const char *target, + } + } + ++#ifdef HAVE_STATVFS ++ skipremount: ++#endif + if (pflags) { + ret = mount(NULL, target, NULL, pflags, NULL); + if (ret < 0) { +@@ -2103,10 +2106,6 @@ static int mount_entry(const char *fsname, const char *target, + DEBUG("Changed mount propagation for \"%s\"", target); + } + +- +-#ifdef HAVE_STATVFS +-skipremount: +-#endif + DEBUG("Mounted \"%s\" on \"%s\" with filesystem type \"%s\"", + srcpath ? srcpath : "(null)", target, fstype); + +-- +1.8.3.1 + diff --git a/0007-use-isulad-log-format.patch b/0007-use-isulad-log-format.patch new file mode 100644 index 0000000..e71c533 --- /dev/null +++ b/0007-use-isulad-log-format.patch @@ -0,0 +1,74 @@ +From efd10df536bcbfa56369c82bda4adc77b0ea7240 Mon Sep 17 00:00:00 2001 +From: liuhao +Date: Fri, 11 Jan 2019 17:00:48 +0800 +Subject: [PATCH 007/122] use isulad log format + +use isulad log format + +Signed-off-by: LiFeng +--- + src/lxc/log.c | 19 ++++++++++++++----- + 1 file changed, 14 insertions(+), 5 deletions(-) + +diff --git a/src/lxc/log.c b/src/lxc/log.c +index 4e74459..91fb7ef 100644 +--- a/src/lxc/log.c ++++ b/src/lxc/log.c +@@ -139,6 +139,7 @@ static char *lxc_log_get_va_msg(struct lxc_log_event *event) + return msg; + } + ++/* use fifo to save log */ + static const char *isulad_use_log_fifo(const char *file) + { + #define ISULAD_FIFO_PREFIX "fifo:" +@@ -150,6 +151,7 @@ static const char *isulad_use_log_fifo(const char *file) + return file; + } + ++/* open isulad fifo */ + static int isulad_open_fifo(const char *file_path) + { + #define LOG_FIFO_SIZE (1024 * 1024) +@@ -349,6 +351,8 @@ static int log_append_logfile(const struct lxc_log_appender *appender, + ssize_t ret; + int fd_to_use = -1; + const char *log_container_name; ++ const char *isulad_prefix; ++ size_t isulad_len = 0; + + #ifndef NO_LXC_CONF + if (current_config) +@@ -367,11 +371,14 @@ static int log_append_logfile(const struct lxc_log_appender *appender, + if (lxc_unix_epoch_to_utc(date_time, LXC_LOG_TIME_SIZE, &event->timestamp) < 0) + return -1; + ++ /* use isulad log format */ ++ if (log_container_name && strlen(log_container_name) > 15) { ++ isulad_len = strlen(log_container_name) - 15; ++ } ++ isulad_prefix = log_container_name ? (log_container_name + isulad_len) : log_prefix; + n = snprintf(buffer, sizeof(buffer), +- "%s%s%s %s %-8s %s - %s:%s:%d - ", +- log_prefix, +- log_container_name ? " " : "", +- log_container_name ? log_container_name : "", ++ "%15s %s %-8s %s - %s:%s:%d - ", ++ isulad_prefix, + date_time, + lxc_log_priority_to_string(event->priority), + event->category, +@@ -752,7 +759,9 @@ int lxc_log_init(struct lxc_log *log) + + if (lxc_log_fd != -1) { + lxc_log_category_lxc.appender = &log_appender_logfile; +- lxc_log_category_lxc.appender->next = &log_appender_stderr; ++ if (!lxc_quiet_specified) ++ if (!log->quiet) ++ lxc_log_category_lxc.appender->next = &log_appender_stderr; + } + + return ret; +-- +1.8.3.1 + diff --git a/0008-isulad-modify-exit-code-and-stop-signal.patch b/0008-isulad-modify-exit-code-and-stop-signal.patch new file mode 100644 index 0000000..02516d7 --- /dev/null +++ b/0008-isulad-modify-exit-code-and-stop-signal.patch @@ -0,0 +1,106 @@ +From a5754c856857cee09e307e4e8459e8e99167e46a Mon Sep 17 00:00:00 2001 +From: tanyifeng +Date: Fri, 11 Jan 2019 17:44:53 +0800 +Subject: [PATCH 008/122] isulad: modify exit code and stop signal + +1. modify default stop signal and disable reboot by signal. +2. send '128 + signal' if container is killed by signal. + +Signed-off-by: LiFeng +--- + src/lxc/lxccontainer.c | 6 ++---- + src/lxc/start.c | 33 ++++++++++++++++----------------- + 2 files changed, 18 insertions(+), 21 deletions(-) + +diff --git a/src/lxc/lxccontainer.c b/src/lxc/lxccontainer.c +index b4cacce..1d7f5be 100644 +--- a/src/lxc/lxccontainer.c ++++ b/src/lxc/lxccontainer.c +@@ -2069,7 +2069,8 @@ static bool do_lxcapi_shutdown(struct lxc_container *c, int timeout) + { + int killret, ret; + pid_t pid; +- int haltsignal = SIGPWR, state_client_fd = -EBADF; ++ // isulad: keep default signal the same as docker ++ int haltsignal = SIGTERM, state_client_fd = -EBADF; + lxc_state_t states[MAX_STATE] = {0}; + + if (!c) +@@ -2082,11 +2083,8 @@ static bool do_lxcapi_shutdown(struct lxc_container *c, int timeout) + if (pid <= 0) + return true; + +- /* Detect whether we should send SIGRTMIN + 3 (e.g. systemd). */ + if (c->lxc_conf && c->lxc_conf->haltsignal) + haltsignal = c->lxc_conf->haltsignal; +- else if (task_blocks_signal(pid, (SIGRTMIN + 3))) +- haltsignal = (SIGRTMIN + 3); + + /* Add a new state client before sending the shutdown signal so that we + * don't miss a state. +diff --git a/src/lxc/start.c b/src/lxc/start.c +index 72e2de2..d64bdac 100644 +--- a/src/lxc/start.c ++++ b/src/lxc/start.c +@@ -1893,11 +1893,14 @@ out_abort: + return -1; + } + ++// isulad: send '128 + signal' if container is killed by signal. ++#define ExitSignalOffset 128 ++ + int __lxc_start(const char *name, struct lxc_handler *handler, + struct lxc_operations* ops, void *data, const char *lxcpath, + bool daemonize, int *error_num) + { +- int ret, status; ++ int ret, status, exit_code; + struct lxc_conf *conf = handler->conf; + + ret = lxc_init(name, handler); +@@ -1966,22 +1969,18 @@ int __lxc_start(const char *name, struct lxc_handler *handler, + * reboot. This should mean it was an lxc-execute which simply exited. + * In any case, treat it as a 'halt'. + */ ++ // isulad: recored log for container init exit + if (WIFSIGNALED(status)) { +- switch(WTERMSIG(status)) { +- case SIGINT: /* halt */ +- DEBUG("Container \"%s\" is halting", name); +- break; +- case SIGHUP: /* reboot */ +- DEBUG("Container \"%s\" is rebooting", name); +- handler->conf->reboot = REBOOT_REQ; +- break; +- case SIGSYS: /* seccomp */ +- DEBUG("Container \"%s\" violated its seccomp policy", name); +- break; +- default: +- DEBUG("Unknown exit status for container \"%s\" init %d", name, WTERMSIG(status)); +- break; +- } ++ int signal = WTERMSIG(status); ++ signal = WTERMSIG(status); ++ exit_code = ExitSignalOffset + signal; ++ ERROR("Container \"%s\" init exited with signal %d", name, signal); ++ } else if (WIFEXITED(status)) { ++ exit_code = WEXITSTATUS(status); ++ ERROR("Container \"%s\" init exited with status %d", name, exit_code); ++ } else { ++ exit_code = -1; ++ ERROR("Container \"%s\" init exited with unknown status", name); + } + + ret = lxc_restore_phys_nics_to_netns(handler); +@@ -1994,7 +1993,7 @@ int __lxc_start(const char *name, struct lxc_handler *handler, + handler->pinfd = -1; + } + +- lxc_monitor_send_exit_code(name, status, handler->lxcpath); ++ lxc_monitor_send_exit_code(name, exit_code, handler->lxcpath); + lxc_error_set_and_log(handler->pid, status); + if (error_num) + *error_num = handler->exit_status; +-- +1.8.3.1 + diff --git a/0009-lxc_start-add-default-terminal-fifos.patch b/0009-lxc_start-add-default-terminal-fifos.patch new file mode 100644 index 0000000..ecc7c0e --- /dev/null +++ b/0009-lxc_start-add-default-terminal-fifos.patch @@ -0,0 +1,538 @@ +From ca1b4a1738d4c409ddabbc5e75b8da7438b2792f Mon Sep 17 00:00:00 2001 +From: LiFeng +Date: Fri, 11 Jan 2019 21:52:11 -0500 +Subject: [PATCH 009/122] lxc_start: add default terminal fifos + +Signed-off-by: LiFeng +--- + src/lxc/conf.c | 4 + + src/lxc/lxccontainer.c | 30 +++++++ + src/lxc/lxccontainer.h | 10 +++ + src/lxc/terminal.c | 194 +++++++++++++++++++++++++++++++++++++++++++++- + src/lxc/terminal.h | 16 ++++ + src/lxc/tools/arguments.h | 5 ++ + src/lxc/tools/lxc_start.c | 11 +++ + src/lxc/utils.c | 23 ++++++ + src/lxc/utils.h | 4 + + 9 files changed, 294 insertions(+), 3 deletions(-) + +diff --git a/src/lxc/conf.c b/src/lxc/conf.c +index 37a5ff7..7b7f95b 100644 +--- a/src/lxc/conf.c ++++ b/src/lxc/conf.c +@@ -2714,6 +2714,10 @@ struct lxc_conf *lxc_conf_init(void) + new->console.slave = -1; + new->console.name[0] = '\0'; + memset(&new->console.ringbuf, 0, sizeof(struct lxc_ringbuf)); ++ /* isulad init console fifos */ ++ new->console.init_fifo[0] = NULL; ++ new->console.init_fifo[1] = NULL; ++ lxc_list_init(&new->console.fifos); + new->maincmd_fd = -1; + new->nbd_idx = -1; + new->rootfs.mount = strdup(default_rootfs_mount); +diff --git a/src/lxc/lxccontainer.c b/src/lxc/lxccontainer.c +index 1d7f5be..318c71e 100644 +--- a/src/lxc/lxccontainer.c ++++ b/src/lxc/lxccontainer.c +@@ -4961,6 +4961,33 @@ out: + return ret; + } + ++/* isulad add set console fifos*/ ++static bool do_lxcapi_set_terminal_default_fifos(struct lxc_container *c, const char *in, const char *out) ++{ ++ struct lxc_conf *conf; ++ ++ if (!c || !c->lxc_conf || !in || !out) ++ return false; ++ if (container_mem_lock(c)) { ++ ERROR("Error getting mem lock"); ++ return false; ++ } ++ ++ conf = c->lxc_conf; ++ if (conf->console.init_fifo[0]) ++ free(conf->console.init_fifo[0]); ++ conf->console.init_fifo[0] = strdup(in); ++ ++ if (conf->console.init_fifo[1]) ++ free(conf->console.init_fifo[1]); ++ conf->console.init_fifo[1] = strdup(out); ++ ++ container_mem_unlock(c); ++ return true; ++} ++ ++WRAP_API_2(bool, lxcapi_set_terminal_default_fifos, const char *, const char *) ++ + struct lxc_container *lxc_container_new(const char *name, const char *configpath) + { + struct lxc_container *c; +@@ -5084,6 +5111,9 @@ struct lxc_container *lxc_container_new(const char *name, const char *configpath + c->migrate = lxcapi_migrate; + c->console_log = lxcapi_console_log; + ++ /* isulad add begin */ ++ c->set_terminal_init_fifos = lxcapi_set_terminal_default_fifos; ++ /* isulad add end */ + return c; + + err: +diff --git a/src/lxc/lxccontainer.h b/src/lxc/lxccontainer.h +index 9e06215..486531e 100644 +--- a/src/lxc/lxccontainer.h ++++ b/src/lxc/lxccontainer.h +@@ -847,6 +847,16 @@ struct lxc_container { + * \return \c true if the container was rebooted successfully, else \c false. + */ + bool (*reboot2)(struct lxc_container *c, int timeout); ++ ++ /*! isulad add ++ * \brief An API call to change the path of the console default fifos ++ * ++ * \param c Container. ++ * \param path Value of the console path. ++ * ++ * \return \c true on success, else \c false. ++ */ ++ bool (*set_terminal_init_fifos)(struct lxc_container *c, const char *in, const char *out); + }; + + /*! +diff --git a/src/lxc/terminal.c b/src/lxc/terminal.c +index 4060e7f..c507712 100644 +--- a/src/lxc/terminal.c ++++ b/src/lxc/terminal.c +@@ -364,6 +364,20 @@ static int lxc_terminal_write_log_file(struct lxc_terminal *terminal, char *buf, + return bytes_read; + } + ++/* isulad: forward data to all fifos */ ++static void lxc_forward_data_to_fifo(struct lxc_list *list, char *buf, int r) ++{ ++ struct lxc_list *it,*next; ++ struct lxc_fifos_fd *elem = NULL; ++ ++ lxc_list_for_each_safe(it, list, next) { ++ elem = it->elem; ++ lxc_write_nointr(elem->out_fd, buf, r); ++ } ++ ++ return; ++} ++ + int lxc_terminal_io_cb(int fd, uint32_t events, void *data, + struct lxc_epoll_descr *descr) + { +@@ -384,7 +398,13 @@ int lxc_terminal_io_cb(int fd, uint32_t events, void *data, + terminal->tty_state = NULL; + } + terminal->peer = -EBADF; +- } else { ++ close(fd); ++ return LXC_MAINLOOP_CONTINUE; /* isulad: do not close mainloop when peer close*/ ++ } else if (lxc_terminal_is_fifo(fd, &terminal->fifos)) { ++ /* isulad: delete fifos when the client close */ ++ lxc_terminal_delete_fifo(fd, &terminal->fifos); ++ return LXC_MAINLOOP_CONTINUE; ++ } else { + ERROR("Handler received unexpected file descriptor"); + } + close(fd); +@@ -392,7 +412,7 @@ int lxc_terminal_io_cb(int fd, uint32_t events, void *data, + return LXC_MAINLOOP_CLOSE; + } + +- if (fd == terminal->peer) ++ if (fd == terminal->peer || lxc_terminal_is_fifo(fd, &terminal->fifos)) + w = lxc_write_nointr(terminal->master, buf, r); + + w_rbuf = w_log = 0; +@@ -401,6 +421,9 @@ int lxc_terminal_io_cb(int fd, uint32_t events, void *data, + if (terminal->peer >= 0) + w = lxc_write_nointr(terminal->peer, buf, r); + ++ /* isulad: forward data to fifos */ ++ lxc_forward_data_to_fifo(&terminal->fifos, buf, r); ++ + /* write to terminal ringbuffer */ + if (terminal->buffer_size > 0) + w_rbuf = lxc_ringbuf_write(&terminal->ringbuf, buf, r); +@@ -450,6 +473,27 @@ static int lxc_terminal_mainloop_add_peer(struct lxc_terminal *terminal) + return 0; + } + ++/* isulad add fifo to mainloop */ ++static int lxc_console_mainloop_add_fifo(struct lxc_terminal *terminal) ++{ ++ int ret = 0; ++ struct lxc_list *it,*next; ++ struct lxc_fifos_fd *elem = NULL; ++ ++ lxc_list_for_each_safe(it, &terminal->fifos, next) { ++ elem = it->elem; ++ if (elem->in_fd >= 0) { ++ ret = lxc_mainloop_add_handler(terminal->descr, elem->in_fd, ++ lxc_terminal_io_cb, terminal); ++ if (ret) { ++ ERROR("console fifo %s not added to mainloop", elem->in_fifo); ++ return -1; ++ } ++ } ++ } ++ return ret; ++} ++ + int lxc_terminal_mainloop_add(struct lxc_epoll_descr *descr, + struct lxc_terminal *terminal) + { +@@ -473,7 +517,20 @@ int lxc_terminal_mainloop_add(struct lxc_epoll_descr *descr, + */ + terminal->descr = descr; + +- return lxc_terminal_mainloop_add_peer(terminal); ++ ret = lxc_terminal_mainloop_add_peer(terminal); ++ if (ret < 0) { ++ ERROR("Failed to add handler for terminal peer to mainloop"); ++ return -1; ++ } ++ ++ /* isulad add fifo to mainloop */ ++ ret = lxc_console_mainloop_add_fifo(terminal); ++ if (ret < 0) { ++ ERROR("Failed to add handler for terminal fifos to mainloop"); ++ return -1; ++ } ++ ++ return 0; + } + + int lxc_setup_tios(int fd, struct termios *oldtios) +@@ -812,6 +869,9 @@ void lxc_terminal_delete(struct lxc_terminal *terminal) + if (terminal->log_fd >= 0) + close(terminal->log_fd); + terminal->log_fd = -1; ++ ++ /* isulad: delete all fifos */ ++ lxc_terminal_delete_fifo(-1, &terminal->fifos); + } + + /** +@@ -880,6 +940,77 @@ int lxc_terminal_create_log_file(struct lxc_terminal *terminal) + return 0; + } + ++/* isulad: open terminal fifos */ ++static int terminal_fifo_open(const char *fifo_path, int flags) ++{ ++ int fd = -1; ++ ++ fd = open(fifo_path, flags); ++ if (fd < 0) { ++ WARN("Failed to open fifo %s to send message: %s.", fifo_path, ++ strerror(errno)); ++ return -1; ++ } ++ ++ return fd; ++} ++ ++/* isulad: set terminal fifos */ ++static int lxc_terminal_set_fifo(struct lxc_terminal *console, const char *in, const char *out) ++{ ++ int fifofd_in = -1, fifofd_out = -1; ++ struct lxc_fifos_fd *fifo_elem = NULL; ++ ++ if (!in || !out) ++ return -1; ++ ++ if (!fifo_exists(in) || !fifo_exists(out)) { ++ ERROR("File %s or %s does not refer to a FIFO", in, out); ++ return -1; ++ } ++ ++ fifofd_in = terminal_fifo_open(in, O_RDONLY | O_NONBLOCK | O_CLOEXEC); ++ if (fifofd_in < 0) { ++ ERROR("Failed to open FIFO: %s", in); ++ return -1; ++ } ++ ++ fifofd_out = terminal_fifo_open(out, O_WRONLY | O_NONBLOCK | O_CLOEXEC); ++ if (fifofd_out < 0) { ++ ERROR("Failed to open FIFO: %s", out); ++ close(fifofd_in); ++ return -1; ++ } ++ ++ fifo_elem = malloc(sizeof(*fifo_elem)); ++ if (!fifo_elem) { ++ close(fifofd_in); ++ close(fifofd_out); ++ return -1; ++ } ++ memset(fifo_elem, 0, sizeof(*fifo_elem)); ++ ++ fifo_elem->in_fifo = strdup(in); ++ fifo_elem->out_fifo = strdup(out); ++ fifo_elem->in_fd = fifofd_in; ++ fifo_elem->out_fd = fifofd_out; ++ lxc_list_add_elem(&fifo_elem->node, fifo_elem); ++ lxc_list_add_tail(&console->fifos, &fifo_elem->node); ++ ++ return fifofd_in; ++} ++ ++/* isulad: add default fifos */ ++static int lxc_terminal_fifo_default(struct lxc_terminal *terminal) ++{ ++ if (!terminal->init_fifo[0] || !terminal->init_fifo[1]) { ++ ERROR("Invalid default terminal fifos"); ++ return -1; ++ } ++ ++ return lxc_terminal_set_fifo(terminal, terminal->init_fifo[0], terminal->init_fifo[1]); ++} ++ + int lxc_terminal_create(struct lxc_terminal *terminal) + { + int ret; +@@ -902,6 +1033,13 @@ int lxc_terminal_create(struct lxc_terminal *terminal) + goto err; + } + ++ /* isulad: make master NONBLOCK */ ++ ret = fd_nonblock(terminal->master); ++ if (ret < 0) { ++ SYSERROR("Failed to set O_NONBLOCK flag on terminal master"); ++ goto err; ++ } ++ + ret = fd_cloexec(terminal->slave, true); + if (ret < 0) { + SYSERROR("Failed to set FD_CLOEXEC flag on terminal slave"); +@@ -914,6 +1052,13 @@ int lxc_terminal_create(struct lxc_terminal *terminal) + goto err; + } + ++ /* isulad: open fifos */ ++ ret = lxc_terminal_fifo_default(terminal); ++ if (ret < 0) { ++ ERROR("Failed to allocate fifo terminal"); ++ goto err; ++ } ++ + return 0; + + err: +@@ -1198,12 +1343,55 @@ void lxc_terminal_init(struct lxc_terminal *terminal) + lxc_terminal_info_init(&terminal->proxy); + } + ++/* isulad: judge the fd whether is fifo */ ++static bool lxc_terminal_is_fifo(int fd, struct lxc_list *list) ++{ ++ struct lxc_list *it,*next; ++ struct lxc_fifos_fd *elem = NULL; ++ ++ lxc_list_for_each_safe(it, list, next) { ++ elem = it->elem; ++ if (elem->in_fd == fd) ++ return true; ++ } ++ ++ return false; ++} ++ ++/* isulad: if fd == -1, means delete all the fifos*/ ++int lxc_terminal_delete_fifo(int fd, struct lxc_list *list) ++{ ++ struct lxc_list *it,*next; ++ struct lxc_fifos_fd *elem = NULL; ++ ++ lxc_list_for_each_safe(it, list, next) { ++ elem = it->elem; ++ if (elem->in_fd == fd || -1 == fd) { ++ INFO("Delete fifo fd %d", fd); ++ lxc_list_del(it); ++ if (elem->in_fifo) ++ free(elem->in_fifo); ++ if (elem->out_fifo) ++ free(elem->out_fifo); ++ close(elem->in_fd); ++ close(elem->out_fd); ++ free(elem); ++ } ++ } ++ ++ return 0; ++} ++ + void lxc_terminal_conf_free(struct lxc_terminal *terminal) + { + free(terminal->log_path); + free(terminal->path); + if (terminal->buffer_size > 0 && terminal->ringbuf.addr) + lxc_ringbuf_release(&terminal->ringbuf); ++ /*isulad: free console fifos */ ++ free(terminal->init_fifo[0]); ++ free(terminal->init_fifo[1]); ++ lxc_terminal_delete_fifo(-1, &terminal->fifos); + } + + int lxc_terminal_map_ids(struct lxc_conf *c, struct lxc_terminal *terminal) +diff --git a/src/lxc/terminal.h b/src/lxc/terminal.h +index bfd271f..d25da65 100644 +--- a/src/lxc/terminal.h ++++ b/src/lxc/terminal.h +@@ -115,6 +115,17 @@ struct lxc_terminal { + /* the in-memory ringbuffer */ + struct lxc_ringbuf ringbuf; + }; ++ char *init_fifo[2]; /* isulad: default fifos for the start */ ++ struct lxc_list fifos; /* isulad: fifos used to forward teminal */ ++}; ++ ++/* isulad: fifo struct */ ++struct lxc_fifos_fd { ++ char *in_fifo; ++ char *out_fifo; ++ int in_fd; ++ int out_fd; ++ struct lxc_list node; + }; + + /** +@@ -295,4 +306,9 @@ extern void lxc_terminal_init(struct lxc_terminal *terminal); + extern int lxc_terminal_map_ids(struct lxc_conf *c, + struct lxc_terminal *terminal); + ++/* isulad: judge the fd whether is fifo*/ ++static bool lxc_terminal_is_fifo(int fd, struct lxc_list *list); ++/* isulad: if fd == -1, means delete all the fifos*/ ++int lxc_terminal_delete_fifo(int fd, struct lxc_list *list); ++ + #endif /* __LXC_TERMINAL_H */ +diff --git a/src/lxc/tools/arguments.h b/src/lxc/tools/arguments.h +index 810050a..b7af2b5 100644 +--- a/src/lxc/tools/arguments.h ++++ b/src/lxc/tools/arguments.h +@@ -62,6 +62,7 @@ struct lxc_arguments { + + /* for lxc-start */ + const char *share_ns[32]; /* size must be greater than LXC_NS_MAX */ ++ const char *terminal_fifos[2]; /* isulad add, fifos used to redirct stdin/out/err */ + + /* for lxc-console */ + unsigned int ttynum; +@@ -172,6 +173,10 @@ struct lxc_arguments { + #define OPT_SHARE_IPC OPT_USAGE - 4 + #define OPT_SHARE_UTS OPT_USAGE - 5 + #define OPT_SHARE_PID OPT_USAGE - 6 ++/* isulad add begin */ ++#define OPT_INPUT_FIFO OPT_USAGE - 7 ++#define OPT_OUTPUT_FIFO OPT_USAGE - 8 ++/* isulad add end*/ + + extern int lxc_arguments_parse(struct lxc_arguments *args, int argc, + char *const argv[]); +diff --git a/src/lxc/tools/lxc_start.c b/src/lxc/tools/lxc_start.c +index 4553cb5..8f03f11 100644 +--- a/src/lxc/tools/lxc_start.c ++++ b/src/lxc/tools/lxc_start.c +@@ -69,6 +69,8 @@ static const struct option my_longopts[] = { + {"share-ipc", required_argument, 0, OPT_SHARE_IPC}, + {"share-uts", required_argument, 0, OPT_SHARE_UTS}, + {"share-pid", required_argument, 0, OPT_SHARE_PID}, ++ {"in-fifo", required_argument, 0, OPT_INPUT_FIFO}, ++ {"out-fifo", required_argument, 0, OPT_OUTPUT_FIFO}, + LXC_COMMON_OPTIONS + }; + +@@ -140,6 +142,12 @@ static int my_parser(struct lxc_arguments *args, int c, char *arg) + case OPT_SHARE_PID: + args->share_ns[LXC_NS_PID] = arg; + break; ++ case OPT_INPUT_FIFO: ++ args->terminal_fifos[0] = arg; ++ break; ++ case OPT_OUTPUT_FIFO: ++ args->terminal_fifos[1] = arg; ++ break; + } + return 0; + } +@@ -322,6 +330,9 @@ int main(int argc, char *argv[]) + if (my_args.close_all_fds) + c->want_close_all_fds(c, true); + ++ if (my_args.terminal_fifos[0] && my_args.terminal_fifos[1]) ++ c->set_terminal_init_fifos(c, my_args.terminal_fifos[0], my_args.terminal_fifos[1]); ++ + if (args == default_args) + err = c->start(c, 0, NULL) ? EXIT_SUCCESS : EXIT_FAILURE; + else +diff --git a/src/lxc/utils.c b/src/lxc/utils.c +index 6e9165a..67c3b3e 100644 +--- a/src/lxc/utils.c ++++ b/src/lxc/utils.c +@@ -611,6 +611,19 @@ bool dir_exists(const char *path) + return S_ISDIR(sb.st_mode); + } + ++bool fifo_exists(const char *path) ++{ ++ struct stat sb; ++ int ret; ++ ++ ret = stat(path, &sb); ++ if (ret < 0) ++ // could be something other than eexist, just say no ++ return false; ++ return S_ISFIFO(sb.st_mode); ++} ++ ++ + /* Note we don't use SHA-1 here as we don't want to depend on HAVE_GNUTLS. + * FNV has good anti collision properties and we're not worried + * about pre-image resistance or one-way-ness, we're just trying to make +@@ -1715,6 +1728,16 @@ int fd_cloexec(int fd, bool cloexec) + return 0; + } + ++/* isulad: fd_nonblock */ ++int fd_nonblock(int fd) ++{ ++ long flags; ++ ++ flags = fcntl(fd, F_GETFL); ++ ++ return fcntl(fd, F_SETFL, flags | O_NONBLOCK); ++} ++ + int recursive_destroy(char *dirname) + { + int ret; +diff --git a/src/lxc/utils.h b/src/lxc/utils.h +index 94196d0..2d38178 100644 +--- a/src/lxc/utils.h ++++ b/src/lxc/utils.h +@@ -147,6 +147,8 @@ extern gid_t get_ns_gid(gid_t orig); + + extern bool dir_exists(const char *path); + ++extern bool fifo_exists(const char *path); ++ + #define FNV1A_64_INIT ((uint64_t)0xcbf29ce484222325ULL) + extern uint64_t fnv_64a_buf(void *buf, size_t len, uint64_t hval); + +@@ -242,4 +244,6 @@ extern int fd_cloexec(int fd, bool cloexec); + extern int recursive_destroy(char *dirname); + extern int lxc_setup_keyring(void); + ++extern int fd_nonblock(int fd); ++ + #endif /* __LXC_UTILS_H */ +-- +1.8.3.1 + diff --git a/0010-Save-pid-ppid-info-into-file-for-isulad.patch b/0010-Save-pid-ppid-info-into-file-for-isulad.patch new file mode 100644 index 0000000..b36818a --- /dev/null +++ b/0010-Save-pid-ppid-info-into-file-for-isulad.patch @@ -0,0 +1,453 @@ +From 25c94a75d742ee2c66d431ebf73c9cd0fc2e4f42 Mon Sep 17 00:00:00 2001 +From: LiFeng +Date: Fri, 11 Jan 2019 22:53:56 -0500 +Subject: [PATCH 010/122] Save pid/ppid info into file for isulad + +Signed-off-by: LiFeng +--- + src/lxc/conf.c | 1 + + src/lxc/conf.h | 2 + + src/lxc/lxccontainer.c | 24 ++++++++++ + src/lxc/lxccontainer.h | 10 ++++ + src/lxc/start.c | 41 +++++++++++++++++ + src/lxc/tools/arguments.h | 2 + + src/lxc/tools/lxc_start.c | 20 ++++++++ + src/lxc/utils.c | 114 ++++++++++++++++++++++++++++++++++++++++++++++ + src/lxc/utils.h | 66 +++++++++++++++++++++++++++ + 9 files changed, 280 insertions(+) + +diff --git a/src/lxc/conf.c b/src/lxc/conf.c +index 7b7f95b..0b4b63b 100644 +--- a/src/lxc/conf.c ++++ b/src/lxc/conf.c +@@ -4194,6 +4194,7 @@ void lxc_conf_free(struct lxc_conf *conf) + /* isulad add begin */ + lxc_clear_init_args(conf); + lxc_clear_populate_devices(conf); ++ free(conf->container_info_file); + /* isulad add end */ + free(conf); + } +diff --git a/src/lxc/conf.h b/src/lxc/conf.h +index cced868..e0954f9 100644 +--- a/src/lxc/conf.h ++++ b/src/lxc/conf.h +@@ -403,6 +403,8 @@ struct lxc_conf { + size_t init_argc; + /* populate devices*/ + struct lxc_list populate_devs; ++ ++ char *container_info_file; + /* isulad add end */ + }; + +diff --git a/src/lxc/lxccontainer.c b/src/lxc/lxccontainer.c +index 318c71e..5679b9b 100644 +--- a/src/lxc/lxccontainer.c ++++ b/src/lxc/lxccontainer.c +@@ -4988,6 +4988,29 @@ static bool do_lxcapi_set_terminal_default_fifos(struct lxc_container *c, const + + WRAP_API_2(bool, lxcapi_set_terminal_default_fifos, const char *, const char *) + ++/* isulad add set info file path */ ++static bool do_lxcapi_set_container_info_file(struct lxc_container *c, const char *info_file) ++{ ++ struct lxc_conf *conf; ++ ++ if (!c || !c->lxc_conf || !info_file) ++ return false; ++ if (container_mem_lock(c)) { ++ ERROR("Error getting mem lock"); ++ return false; ++ } ++ ++ conf = c->lxc_conf; ++ if (conf->container_info_file) ++ free(conf->container_info_file); ++ conf->container_info_file = strdup(info_file); ++ ++ container_mem_unlock(c); ++ return true; ++} ++ ++WRAP_API_1(bool, lxcapi_set_container_info_file, const char *) ++ + struct lxc_container *lxc_container_new(const char *name, const char *configpath) + { + struct lxc_container *c; +@@ -5113,6 +5136,7 @@ struct lxc_container *lxc_container_new(const char *name, const char *configpath + + /* isulad add begin */ + c->set_terminal_init_fifos = lxcapi_set_terminal_default_fifos; ++ c->set_container_info_file = lxcapi_set_container_info_file; + /* isulad add end */ + return c; + +diff --git a/src/lxc/lxccontainer.h b/src/lxc/lxccontainer.h +index 486531e..3c845fe 100644 +--- a/src/lxc/lxccontainer.h ++++ b/src/lxc/lxccontainer.h +@@ -857,6 +857,16 @@ struct lxc_container { + * \return \c true on success, else \c false. + */ + bool (*set_terminal_init_fifos)(struct lxc_container *c, const char *in, const char *out); ++ ++ /*! isulad add ++ * \brief An API call to set the path of info file ++ * ++ * \param c Container. ++ * \param info_file Value of the path of info file. ++ * ++ * \return \c true on success, else \c false. ++ */ ++ bool (*set_container_info_file) (struct lxc_container *c, const char *info_file); + }; + + /*! +diff --git a/src/lxc/start.c b/src/lxc/start.c +index d64bdac..9d71dd7 100644 +--- a/src/lxc/start.c ++++ b/src/lxc/start.c +@@ -1553,6 +1553,39 @@ static inline int do_share_ns(void *arg) + return 0; + } + ++/* isuald: save pid/ppid info */ ++static int lxc_save_container_info(char *filename, pid_t pid) ++{ ++ FILE *pid_fp = NULL; ++ int ret = 0; ++ pid_t p_pid = 0; ++ unsigned long long start_at = 0; ++ unsigned long long p_start_at = 0; ++ ++ pid_fp = fopen(filename, "w"); ++ if (pid_fp == NULL) { ++ SYSERROR("Failed to create pidfile '%s'",filename); ++ ret = -1; ++ goto out; ++ } ++ ++ start_at = lxc_get_process_startat(pid); ++ ++ p_pid = getpid(); ++ p_start_at = lxc_get_process_startat(p_pid); ++ ++ if (fprintf(pid_fp, "%d %llu %d %llu\n", pid, start_at, p_pid, p_start_at) < 0) { ++ SYSERROR("Failed to write '%s'", filename); ++ ret = -1; ++ goto out; ++ } ++out: ++ if (pid_fp) ++ fclose(pid_fp); ++ pid_fp = NULL; ++ return ret; ++} ++ + /* lxc_spawn() performs crucial setup tasks and clone()s the new process which + * exec()s the requested container binary. + * Note that lxc_spawn() runs in the parent namespaces. Any operations performed +@@ -1683,6 +1716,14 @@ static int lxc_spawn(struct lxc_handler *handler) + } + TRACE("Cloned child process %d", handler->pid); + ++ /* isulad: save pid/ppid info into file*/ ++ if (handler->conf->container_info_file) { ++ if (lxc_save_container_info(handler->conf->container_info_file, handler->pid)) { ++ ERROR("Failed to save cloned container pid"); ++ goto out_delete_net; ++ } ++ } ++ + for (i = 0; i < LXC_NS_MAX; i++) + if (handler->ns_on_clone_flags & ns_info[i].clone_flag) + INFO("Cloned %s", ns_info[i].flag_name); +diff --git a/src/lxc/tools/arguments.h b/src/lxc/tools/arguments.h +index b7af2b5..b6df23f 100644 +--- a/src/lxc/tools/arguments.h ++++ b/src/lxc/tools/arguments.h +@@ -63,6 +63,7 @@ struct lxc_arguments { + /* for lxc-start */ + const char *share_ns[32]; /* size must be greater than LXC_NS_MAX */ + const char *terminal_fifos[2]; /* isulad add, fifos used to redirct stdin/out/err */ ++ const char *container_info; /* isulad: file used to store pid and ppid info of container */ + + /* for lxc-console */ + unsigned int ttynum; +@@ -176,6 +177,7 @@ struct lxc_arguments { + /* isulad add begin */ + #define OPT_INPUT_FIFO OPT_USAGE - 7 + #define OPT_OUTPUT_FIFO OPT_USAGE - 8 ++#define OPT_CONTAINER_INFO OPT_USAGE - 9 + /* isulad add end*/ + + extern int lxc_arguments_parse(struct lxc_arguments *args, int argc, +diff --git a/src/lxc/tools/lxc_start.c b/src/lxc/tools/lxc_start.c +index 8f03f11..2f94d67 100644 +--- a/src/lxc/tools/lxc_start.c ++++ b/src/lxc/tools/lxc_start.c +@@ -69,8 +69,11 @@ static const struct option my_longopts[] = { + {"share-ipc", required_argument, 0, OPT_SHARE_IPC}, + {"share-uts", required_argument, 0, OPT_SHARE_UTS}, + {"share-pid", required_argument, 0, OPT_SHARE_PID}, ++ /* isulad add begin */ + {"in-fifo", required_argument, 0, OPT_INPUT_FIFO}, + {"out-fifo", required_argument, 0, OPT_OUTPUT_FIFO}, ++ {"container-pidfile", required_argument, 0, OPT_CONTAINER_INFO}, ++ /* isulad add end */ + LXC_COMMON_OPTIONS + }; + +@@ -148,6 +151,9 @@ static int my_parser(struct lxc_arguments *args, int c, char *arg) + case OPT_OUTPUT_FIFO: + args->terminal_fifos[1] = arg; + break; ++ case OPT_CONTAINER_INFO: ++ args->container_info = arg; ++ break; + } + return 0; + } +@@ -189,6 +195,7 @@ int main(int argc, char *argv[]) + struct lxc_log log; + int err = EXIT_FAILURE; + char *rcfile = NULL; ++ char *container_info_file = NULL; /* isulad: info file*/ + char *const default_args[] = { + "/sbin/init", + NULL, +@@ -313,6 +320,18 @@ int main(int argc, char *argv[]) + goto out; + } + ++ /* isulad: container info file used to store pid and ppid info of container*/ ++ if (my_args.container_info != NULL) { ++ if (ensure_path(&container_info_file, my_args.container_info) < 0) { ++ ERROR("Failed to ensure container's piddile '%s'", my_args.container_info); ++ goto out; ++ } ++ if (!c->set_container_info_file(c, container_info_file)) { ++ ERROR("Failed to set container's piddile '%s'", container_info_file); ++ goto out; ++ } ++ } ++ + if (my_args.console) + if (!c->set_config_item(c, "lxc.console.path", my_args.console)) + goto out; +@@ -353,5 +372,6 @@ int main(int argc, char *argv[]) + + out: + lxc_container_put(c); ++ free(container_info_file); + exit(err); + } +diff --git a/src/lxc/utils.c b/src/lxc/utils.c +index 67c3b3e..4728284 100644 +--- a/src/lxc/utils.c ++++ b/src/lxc/utils.c +@@ -1828,3 +1828,117 @@ int lxc_setup_keyring(void) + + return ret; + } ++ ++/* isulad: read file to buffer */ ++static int lxc_file2str(const char *filename, char ret[], int cap) ++{ ++ int fd, num_read; ++ ++ if ((fd = open(filename, O_RDONLY | O_CLOEXEC)) == -1) ++ return -1;/*lint !e960*/ ++ if ((num_read = read(fd, ret, cap - 1)) <= 0) ++ num_read = -1;/*lint !e960*/ ++ else ++ ret[num_read] = 0;/*lint !e613*//*lint !e960*/ ++ close(fd); ++ ++ return num_read; ++} ++ ++/* isuald: lxc_stat2proc() makes sure it can handle arbitrary executable file basenames ++ * for `cmd', i.e. those with embedded whitespace or embedded ')'s. ++ * Such names confuse %s (see scanf(3)), so the string is split and %39c ++ * is used instead. (except for embedded ')' "(%[^)]c)" would work. ++ */ ++static proc_t *lxc_stat2proc(char *S) ++{ ++ int num; ++ proc_t *P = NULL; ++ char *tmp = NULL; ++ ++ if (!S) ++ return NULL;/*lint !e960*/ ++ ++ tmp = strrchr(S, ')'); /* split into "PID (cmd" and "" *//*lint !e586*/ ++ if (!tmp) ++ return NULL;/*lint !e960*/ ++ *tmp = '\0'; /* replace trailing ')' with NUL */ ++ ++ P = malloc(sizeof(proc_t)); ++ if (!P) ++ return NULL;/*lint !e960*/ ++ memset(P, 0x00, sizeof(proc_t)); ++ ++ /* parse these two strings separately, skipping the leading "(". */ ++ num = sscanf(S, "%d (%15c", &P->pid, P->cmd); /* comm[16] in kernel */ ++ if (num < 0 && errno) { ++ ERROR("Call sscanf error: %s", strerror(errno)); ++ free(P); ++ return NULL; ++ } ++ num = sscanf(tmp + 2, /* skip space after ')' too */ ++ "%c " ++ "%d %d %d %d %d " ++ "%lu %lu %lu %lu %lu " ++ "%Lu %Lu %Lu %Lu " /* utime stime cutime cstime *//*lint !e566*/ ++ "%ld %ld %ld %ld " ++ "%Lu " /* start_time *//*lint !e566*/ ++ "%lu " ++ "%ld " ++ "%lu %lu %lu %lu %lu %lu " ++ "%*s %*s %*s %*s " /* discard, no RT signals & Linux 2.1 used hex */ ++ "%lu %lu %lu " ++ "%d %d " ++ "%lu %lu", ++ &P->state, ++ &P->ppid, &P->pgrp, &P->session, &P->tty, &P->tpgid, ++ &P->flags, &P->min_flt, &P->cmin_flt, &P->maj_flt, &P->cmaj_flt, ++ &P->utime, &P->stime, &P->cutime, &P->cstime,/*lint !e561*/ ++ &P->priority, &P->nice, &P->timeout, &P->it_real_value, ++ &P->start_time,/*lint !e561*/ ++ &P->vsize, ++ &P->rss, ++ &P->rss_rlim, &P->start_code, &P->end_code, &P->start_stack, &P->kstk_esp, ++ &P->kstk_eip, ++ &P->wchan, &P->nswap, &P->cnswap, ++ &P->exit_signal, &P->processor, /* 2.2.1 ends with "exit_signal" */ ++ &P->rtprio, &P->sched /* both added to 2.5.18 */ ++ ); ++ ++ if (P->tty == 0) ++ P->tty = -1; /* the old notty val, update elsewhere bef. moving to 0 *//*lint !e960*/ ++ return P; ++} ++ ++/* isulad: get starttime of process pid */ ++unsigned long long lxc_get_process_startat(pid_t pid) ++{ ++ int sret = 0; ++ unsigned long long startat = 0; ++ proc_t *pid_info = NULL; ++ char filename[PATH_MAX] = {0}; ++ char sbuf[1024] = {0}; /* bufs for stat */ ++ ++ sret = snprintf(filename, sizeof(filename), "/proc/%d/stat", pid); ++ if (sret < 0 || sret >= sizeof(filename)) {/*lint !e574*/ ++ ERROR("Failed to sprintf filename"); ++ goto out; ++ } ++ ++ if ((lxc_file2str(filename, sbuf, sizeof(sbuf))) == -1) { ++ SYSERROR("Failed to read pidfile %s", filename); ++ goto out; ++ } ++ ++ pid_info = lxc_stat2proc(sbuf); ++ if (!pid_info) {/*lint !e574*/ ++ ERROR("Failed to get proc stat info"); ++ goto out; ++ } ++ ++ startat = pid_info->start_time; ++out: ++ free(pid_info); ++ return startat; ++} ++ +diff --git a/src/lxc/utils.h b/src/lxc/utils.h +index 2d38178..8e4ed89 100644 +--- a/src/lxc/utils.h ++++ b/src/lxc/utils.h +@@ -56,6 +56,71 @@ extern char *get_rundir(void); + #endif + #endif + ++/* isuald: ++ ld cutime, cstime, priority, nice, timeout, it_real_value, rss, ++ c state, ++ d ppid, pgrp, session, tty, tpgid, ++ s signal, blocked, sigignore, sigcatch, ++ lu flags, min_flt, cmin_flt, maj_flt, cmaj_flt, utime, stime, ++ lu rss_rlim, start_code, end_code, start_stack, kstk_esp, kstk_eip, ++ lu start_time, vsize, wchan, nswap, cnswap, ++*/ ++ ++/* Basic data structure which holds all information we can get about a process. ++ * (unless otherwise specified, fields are read from /proc/#/stat) ++ * ++ * Most of it comes from task_struct in linux/sched.h ++ */ ++typedef struct proc_t { ++ // 1st 16 bytes ++ int pid; /* process id */ ++ int ppid; /* pid of parent process */ ++ ++ char state; /* single-char code for process state (S=sleeping) */ ++ ++ unsigned long long ++ utime, /* user-mode CPU time accumulated by process */ ++ stime, /* kernel-mode CPU time accumulated by process */ ++ // and so on... ++ cutime, /* cumulative utime of process and reaped children */ ++ cstime, /* cumulative stime of process and reaped children */ ++ start_time; /* start time of process -- seconds since 1-1-70 */ ++ ++ long ++ priority, /* kernel scheduling priority */ ++ timeout, /* ? */ ++ nice, /* standard unix nice level of process */ ++ rss, /* resident set size from /proc/#/stat (pages) */ ++ it_real_value; /* ? */ ++ unsigned long ++ rtprio, /* real-time priority */ ++ sched, /* scheduling class */ ++ vsize, /* number of pages of virtual memory ... */ ++ rss_rlim, /* resident set size limit? */ ++ flags, /* kernel flags for the process */ ++ min_flt, /* number of minor page faults since process start */ ++ maj_flt, /* number of major page faults since process start */ ++ cmin_flt, /* cumulative min_flt of process and child processes */ ++ cmaj_flt, /* cumulative maj_flt of process and child processes */ ++ nswap, /* ? */ ++ cnswap, /* cumulative nswap ? */ ++ start_code, /* address of beginning of code segment */ ++ end_code, /* address of end of code segment */ ++ start_stack, /* address of the bottom of stack for the process */ ++ kstk_esp, /* kernel stack pointer */ ++ kstk_eip, /* kernel instruction pointer */ ++ wchan; /* address of kernel wait channel proc is sleeping in */ ++ ++ char cmd[16]; /* basename of executable file in call to exec(2) */ ++ int ++ pgrp, /* process group id */ ++ session, /* session id */ ++ tty, /* full device number of controlling terminal */ ++ tpgid, /* terminal process group id */ ++ exit_signal, /* might not be SIGCHLD */ ++ processor; /* current (or most recent?) CPU */ ++} proc_t; ++ + static inline int lxc_set_cloexec(int fd) + { + return fcntl(fd, F_SETFD, FD_CLOEXEC); +@@ -245,5 +310,6 @@ extern int recursive_destroy(char *dirname); + extern int lxc_setup_keyring(void); + + extern int fd_nonblock(int fd); ++extern int unsigned long long lxc_get_process_startat(pid_t pid); + + #endif /* __LXC_UTILS_H */ +-- +1.8.3.1 + diff --git a/0011-Add-exit-FIFO-to-monitor-state-of-lxc-monitor.patch b/0011-Add-exit-FIFO-to-monitor-state-of-lxc-monitor.patch new file mode 100644 index 0000000..5e2454a --- /dev/null +++ b/0011-Add-exit-FIFO-to-monitor-state-of-lxc-monitor.patch @@ -0,0 +1,261 @@ +From dab4938915c64b201434719712dd5222a11b9dcf Mon Sep 17 00:00:00 2001 +From: LiFeng +Date: Sat, 12 Jan 2019 02:07:15 -0500 +Subject: [PATCH 011/122] Add exit FIFO to monitor state of [lxc monitor] + +Signed-off-by: LiFeng +--- + src/lxc/conf.c | 3 +++ + src/lxc/conf.h | 2 ++ + src/lxc/confile.c | 8 ++++---- + src/lxc/lxccontainer.c | 20 +++++++++++++++++++- + src/lxc/lxccontainer.h | 6 ++++++ + src/lxc/start.c | 10 ++++++++++ + src/lxc/start.h | 2 ++ + src/lxc/terminal.c | 4 ++-- + src/lxc/tools/arguments.h | 2 ++ + src/lxc/tools/lxc_start.c | 9 +++++++++ + 10 files changed, 59 insertions(+), 7 deletions(-) + +diff --git a/src/lxc/conf.c b/src/lxc/conf.c +index 0b4b63b..bc45e44 100644 +--- a/src/lxc/conf.c ++++ b/src/lxc/conf.c +@@ -2759,6 +2759,7 @@ struct lxc_conf *lxc_conf_init(void) + + /* isulad add begin */ + lxc_list_init(&new->populate_devs); ++ new->exit_fd = -1; + /* isulad add end */ + + return new; +@@ -4195,6 +4196,8 @@ void lxc_conf_free(struct lxc_conf *conf) + lxc_clear_init_args(conf); + lxc_clear_populate_devices(conf); + free(conf->container_info_file); ++ if (conf->exit_fd != -1) ++ close(conf->exit_fd); + /* isulad add end */ + free(conf); + } +diff --git a/src/lxc/conf.h b/src/lxc/conf.h +index e0954f9..2d939cd 100644 +--- a/src/lxc/conf.h ++++ b/src/lxc/conf.h +@@ -405,6 +405,8 @@ struct lxc_conf { + struct lxc_list populate_devs; + + char *container_info_file; ++ ++ int exit_fd; /* exit fifo fd*/ + /* isulad add end */ + }; + +diff --git a/src/lxc/confile.c b/src/lxc/confile.c +index e3212d3..cbef2e2 100644 +--- a/src/lxc/confile.c ++++ b/src/lxc/confile.c +@@ -240,10 +240,10 @@ static struct lxc_config_t config_jump_table[] = { + { "lxc.sysctl", set_config_sysctl, get_config_sysctl, clr_config_sysctl, }, + { "lxc.proc", set_config_proc, get_config_proc, clr_config_proc, }, + +- /*isulad add begin*/ +- { "lxc.isulad.init.args", set_config_init_args, get_config_init_args, clr_config_init_args, }, +- { "lxc.isulad.populate.device", set_config_populate_device, get_config_populate_device, clr_config_populate_device, }, +- /*isulad add end*/ ++ /*isulad add begin*/ ++ { "lxc.isulad.init.args", set_config_init_args, get_config_init_args, clr_config_init_args, }, ++ { "lxc.isulad.populate.device", set_config_populate_device, get_config_populate_device, clr_config_populate_device, }, ++ /*isulad add end*/ + }; + + static const size_t config_jump_table_size = sizeof(config_jump_table) / sizeof(struct lxc_config_t); +diff --git a/src/lxc/lxccontainer.c b/src/lxc/lxccontainer.c +index 5679b9b..8029f33 100644 +--- a/src/lxc/lxccontainer.c ++++ b/src/lxc/lxccontainer.c +@@ -295,6 +295,10 @@ static void lxc_container_free(struct lxc_container *c) + free(c->config_path); + c->config_path = NULL; + ++ /* isulad: free exit fifo */ ++ free(c->exit_fifo); ++ c->exit_fifo = NULL; ++ + free(c); + } + +@@ -882,7 +886,7 @@ static bool do_lxcapi_start(struct lxc_container *c, int useinit, char * const a + NULL, + }; + char **init_cmd = NULL; +- int keepfds[3] = {-1, -1, -1}; ++ int keepfds[4] = {-1, -1, -1, -1}; + + /* container does exist */ + if (!c) +@@ -1077,6 +1081,16 @@ static bool do_lxcapi_start(struct lxc_container *c, int useinit, char * const a + } + } + ++ /* isulad: open exit fifo */ ++ if (c->exit_fifo) { ++ conf->exit_fd = open(c->exit_fifo, O_WRONLY | O_NONBLOCK | O_CLOEXEC); ++ if (conf->exit_fd < 0) { ++ ERROR("Failed to open exit fifo %s: %s.", c->exit_fifo, strerror(errno)); ++ ret = 1; ++ goto on_error; ++ } ++ } ++ + conf->reboot = REBOOT_NONE; + + /* Unshare the mount namespace if requested */ +@@ -1111,6 +1125,10 @@ reboot: + keepfds[0] = handler->conf->maincmd_fd; + keepfds[1] = handler->state_socket_pair[0]; + keepfds[2] = handler->state_socket_pair[1]; ++ /* isulad: keep exit fifo fd */ ++ if (conf->exit_fd >= 0) { ++ keepfds[3] = conf->exit_fd; ++ } + ret = lxc_check_inherited(conf, c->daemonize, keepfds, + sizeof(keepfds) / sizeof(keepfds[0])); + if (ret < 0) { +diff --git a/src/lxc/lxccontainer.h b/src/lxc/lxccontainer.h +index 3c845fe..503038a 100644 +--- a/src/lxc/lxccontainer.h ++++ b/src/lxc/lxccontainer.h +@@ -81,6 +81,12 @@ struct lxc_container { + */ + char *pidfile; + ++ /*! isulad: ++ * \private ++ * exit FIFO File to open used monitor the state of lxc monitor process. ++ */ ++ char *exit_fifo; ++ + /*! + * \private + * Container semaphore lock. +diff --git a/src/lxc/start.c b/src/lxc/start.c +index 9d71dd7..9365d11 100644 +--- a/src/lxc/start.c ++++ b/src/lxc/start.c +@@ -730,6 +730,7 @@ struct lxc_handler *lxc_init_handler(const char *name, struct lxc_conf *conf, + handler->nsfd[i] = -1; + + handler->name = name; ++ handler->exit_code = -1; /* isulad: record exit code of container */ + + if (daemonize && handler->conf->reboot == REBOOT_NONE) { + /* Create socketpair() to synchronize on daemonized startup. +@@ -1005,6 +1006,14 @@ void lxc_fini(const char *name, struct lxc_handler *handler) + */ + lxc_monitor_send_state(name, STOPPED, handler->lxcpath); + ++ ++ /* isuald: write exit code to exit fifo */ ++ if (handler->conf->exit_fd >= 0) { ++ ret = write(handler->conf->exit_fd, &handler->exit_code, sizeof(int)); ++ if (ret != sizeof(int)) ++ SYSERROR("Failed to write to exit code to exit fifo."); ++ } ++ + /* The command socket is closed so no one can acces the command + * socket anymore so there's no need to lock it. + */ +@@ -2038,6 +2047,7 @@ int __lxc_start(const char *name, struct lxc_handler *handler, + lxc_error_set_and_log(handler->pid, status); + if (error_num) + *error_num = handler->exit_status; ++ handler->exit_code = exit_code; /* isuald: record exit code*/ + + out_fini: + lxc_delete_network(handler); +diff --git a/src/lxc/start.h b/src/lxc/start.h +index df987dc..f59bf54 100644 +--- a/src/lxc/start.h ++++ b/src/lxc/start.h +@@ -133,6 +133,8 @@ struct lxc_handler { + int exit_status; + + struct cgroup_ops *cgroup_ops; ++ ++ int exit_code;/* isulad: record the exit code of container */ + }; + + struct execute_args { +diff --git a/src/lxc/terminal.c b/src/lxc/terminal.c +index c507712..508e2e6 100644 +--- a/src/lxc/terminal.c ++++ b/src/lxc/terminal.c +@@ -1004,8 +1004,8 @@ static int lxc_terminal_set_fifo(struct lxc_terminal *console, const char *in, c + static int lxc_terminal_fifo_default(struct lxc_terminal *terminal) + { + if (!terminal->init_fifo[0] || !terminal->init_fifo[1]) { +- ERROR("Invalid default terminal fifos"); +- return -1; ++ DEBUG("Invalid default terminal fifos"); ++ return 0; + } + + return lxc_terminal_set_fifo(terminal, terminal->init_fifo[0], terminal->init_fifo[1]); +diff --git a/src/lxc/tools/arguments.h b/src/lxc/tools/arguments.h +index b6df23f..61f4a0a 100644 +--- a/src/lxc/tools/arguments.h ++++ b/src/lxc/tools/arguments.h +@@ -64,6 +64,7 @@ struct lxc_arguments { + const char *share_ns[32]; /* size must be greater than LXC_NS_MAX */ + const char *terminal_fifos[2]; /* isulad add, fifos used to redirct stdin/out/err */ + const char *container_info; /* isulad: file used to store pid and ppid info of container */ ++ const char *exit_monitor_fifo; /* isulad: fifo used to monitor state of monitor process */ + + /* for lxc-console */ + unsigned int ttynum; +@@ -178,6 +179,7 @@ struct lxc_arguments { + #define OPT_INPUT_FIFO OPT_USAGE - 7 + #define OPT_OUTPUT_FIFO OPT_USAGE - 8 + #define OPT_CONTAINER_INFO OPT_USAGE - 9 ++#define OPT_EXIT_FIFO OPT_USAGE - 10 + /* isulad add end*/ + + extern int lxc_arguments_parse(struct lxc_arguments *args, int argc, +diff --git a/src/lxc/tools/lxc_start.c b/src/lxc/tools/lxc_start.c +index 2f94d67..60c7d70 100644 +--- a/src/lxc/tools/lxc_start.c ++++ b/src/lxc/tools/lxc_start.c +@@ -73,6 +73,7 @@ static const struct option my_longopts[] = { + {"in-fifo", required_argument, 0, OPT_INPUT_FIFO}, + {"out-fifo", required_argument, 0, OPT_OUTPUT_FIFO}, + {"container-pidfile", required_argument, 0, OPT_CONTAINER_INFO}, ++ {"exit-fifo", required_argument, 0, OPT_EXIT_FIFO}, + /* isulad add end */ + LXC_COMMON_OPTIONS + }; +@@ -154,6 +155,9 @@ static int my_parser(struct lxc_arguments *args, int c, char *arg) + case OPT_CONTAINER_INFO: + args->container_info = arg; + break; ++ case OPT_EXIT_FIFO: ++ args->exit_monitor_fifo = arg; ++ break; + } + return 0; + } +@@ -332,6 +336,11 @@ int main(int argc, char *argv[]) + } + } + ++ /* isulad: fifo used to monitor state of monitor process */ ++ if (my_args.exit_monitor_fifo != NULL) { ++ c->exit_fifo = strdup(my_args.exit_monitor_fifo); ++ } ++ + if (my_args.console) + if (!c->set_config_item(c, "lxc.console.path", my_args.console)) + goto out; +-- +1.8.3.1 + diff --git a/0012-Init-fifos-in-lxc_attach_terminal.patch b/0012-Init-fifos-in-lxc_attach_terminal.patch new file mode 100644 index 0000000..1e2815a --- /dev/null +++ b/0012-Init-fifos-in-lxc_attach_terminal.patch @@ -0,0 +1,28 @@ +From 1ea4f8a2c3d3070fa9aafd9f055bed3b9018198b Mon Sep 17 00:00:00 2001 +From: LiFeng +Date: Sat, 12 Jan 2019 03:23:53 -0500 +Subject: [PATCH 012/122] Init fifos in lxc_attach_terminal + +Signed-off-by: LiFeng +--- + src/lxc/terminal.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/src/lxc/terminal.c b/src/lxc/terminal.c +index 508e2e6..410f643 100644 +--- a/src/lxc/terminal.c ++++ b/src/lxc/terminal.c +@@ -1341,6 +1341,10 @@ void lxc_terminal_init(struct lxc_terminal *terminal) + terminal->peer = -EBADF; + terminal->log_fd = -EBADF; + lxc_terminal_info_init(&terminal->proxy); ++ /* isulad init console fifos */ ++ terminal->init_fifo[0] = NULL; ++ terminal->init_fifo[1] = NULL; ++ lxc_list_init(&terminal->fifos); + } + + /* isulad: judge the fd whether is fifo */ +-- +1.8.3.1 + diff --git a/0013-isulad-set-env-home-in-container.patch b/0013-isulad-set-env-home-in-container.patch new file mode 100644 index 0000000..c78deaf --- /dev/null +++ b/0013-isulad-set-env-home-in-container.patch @@ -0,0 +1,139 @@ +From 4fad66dc56b5863b3e272408b265eddf244434ef Mon Sep 17 00:00:00 2001 +From: tanyifeng +Date: Sat, 12 Jan 2019 14:42:27 +0800 +Subject: [PATCH 013/122] isulad: set env home in container + +Signed-off-by: LiFeng +--- + src/lxc/attach.c | 5 +++++ + src/lxc/cgroups/cgfsng.c | 5 +++-- + src/lxc/conf.c | 2 +- + src/lxc/start.c | 4 ++++ + src/lxc/utils.c | 29 +++++++++++++++++++++++++++++ + src/lxc/utils.h | 3 +++ + 6 files changed, 45 insertions(+), 3 deletions(-) + +diff --git a/src/lxc/attach.c b/src/lxc/attach.c +index e7ba705..2bbf1eb 100644 +--- a/src/lxc/attach.c ++++ b/src/lxc/attach.c +@@ -876,6 +876,11 @@ static int attach_child_main(struct attach_clone_payload *payload) + else + new_gid = ns_root_gid; + ++ // isulad: set env home in container ++ if (lxc_setup_env_home(new_uid) < 0) { ++ goto on_error; ++ } ++ + if ((init_ctx->container && init_ctx->container->lxc_conf && + init_ctx->container->lxc_conf->no_new_privs) || + (options->attach_flags & LXC_ATTACH_NO_NEW_PRIVS)) { +diff --git a/src/lxc/cgroups/cgfsng.c b/src/lxc/cgroups/cgfsng.c +index aff2b5e..3e702b3 100644 +--- a/src/lxc/cgroups/cgfsng.c ++++ b/src/lxc/cgroups/cgfsng.c +@@ -1704,8 +1704,9 @@ __cgfsng_ops static bool cgfsng_mount(struct cgroup_ops *ops, + continue; + } + +- // Ignore ops->container_cgroup so we will not see directory lxc after /sys/fs/cgroup/xxx in container +- path2 = must_make_path(controllerpath, h->container_base_path, NULL); ++ // isulad: ignore ops->container_cgroup so we will not see directory lxc after /sys/fs/cgroup/xxx in container, ++ // isulad: ignore h->container_base_path so we will not see subgroup of /sys/fs/cgroup/xxx/subgroup in container ++ path2 = must_make_path(controllerpath, NULL); + ret = mkdir_p(path2, 0755); + if (ret < 0) { + free(controllerpath); +diff --git a/src/lxc/conf.c b/src/lxc/conf.c +index bc45e44..5065e69 100644 +--- a/src/lxc/conf.c ++++ b/src/lxc/conf.c +@@ -3680,7 +3680,7 @@ int lxc_setup(struct lxc_handler *handler) + return -1; + } + +- /*isulad: move mount entrues here, before we do lxc_fill_autodev and populate devices */ ++ /*isulad: move mount entries here, before we do lxc_fill_autodev and populate devices */ + if (!lxc_list_empty(&lxc_conf->mount_list)) { + ret = setup_mount_entries(lxc_conf, &lxc_conf->rootfs, + &lxc_conf->mount_list, name, lxcpath); +diff --git a/src/lxc/start.c b/src/lxc/start.c +index 9365d11..b13326c 100644 +--- a/src/lxc/start.c ++++ b/src/lxc/start.c +@@ -1398,6 +1398,10 @@ static int do_start(void *data) + new_uid = handler->conf->init_uid; + new_gid = handler->conf->init_gid; + ++ // isulad: set env home in container ++ if (lxc_setup_env_home(new_uid) < 0) ++ goto out_warn_father; ++ + /* Avoid unnecessary syscalls. */ + if (new_uid == nsuid) + new_uid = LXC_INVALID_UID; +diff --git a/src/lxc/utils.c b/src/lxc/utils.c +index 4728284..74e74a1 100644 +--- a/src/lxc/utils.c ++++ b/src/lxc/utils.c +@@ -45,6 +45,7 @@ + #include + #include + #include ++#include + + #include "config.h" + #include "log.h" +@@ -1829,6 +1830,34 @@ int lxc_setup_keyring(void) + return ret; + } + ++// isulad: set env home in container ++int lxc_setup_env_home(uid_t uid) ++{ ++#define __DEFAULT_HOMEDIR__ "/" ++ int ret = 0; ++ char *homedir; ++ struct passwd pwd, *result = NULL; ++ char buf[BUFSIZ]; ++ ++ ret = getpwuid_r(uid, &pwd, buf, BUFSIZ, &result); ++ if (ret || !result || !result->pw_dir) { ++ WARN("User invalid, can not find user '%u'", uid); ++ homedir = __DEFAULT_HOMEDIR__; ++ } else { ++ homedir = result->pw_dir; ++ } ++ ++ // if we didn't configure HOME, set it based on uid ++ if (setenv("HOME", homedir, 0) < 0) { ++ SYSERROR("Unable to set env 'HOME'"); ++ return -1; ++ } ++ ++ NOTICE("Setted env 'HOME' to %s", homedir); ++ return 0; ++} ++ ++ + /* isulad: read file to buffer */ + static int lxc_file2str(const char *filename, char ret[], int cap) + { +diff --git a/src/lxc/utils.h b/src/lxc/utils.h +index 8e4ed89..364bf67 100644 +--- a/src/lxc/utils.h ++++ b/src/lxc/utils.h +@@ -309,6 +309,9 @@ extern int fd_cloexec(int fd, bool cloexec); + extern int recursive_destroy(char *dirname); + extern int lxc_setup_keyring(void); + ++// isulad: set env home in container ++extern int lxc_setup_env_home(uid_t uid); ++ + extern int fd_nonblock(int fd); + extern int unsigned long long lxc_get_process_startat(pid_t pid); + +-- +1.8.3.1 + diff --git a/0014-support-rotate-for-container-log-file.patch b/0014-support-rotate-for-container-log-file.patch new file mode 100644 index 0000000..318276c --- /dev/null +++ b/0014-support-rotate-for-container-log-file.patch @@ -0,0 +1,93 @@ +From e30d1a025a5f74c90a60a36fb6b61ccce18b88cf Mon Sep 17 00:00:00 2001 +From: liuhao +Date: Sat, 12 Jan 2019 15:29:56 +0800 +Subject: [PATCH 014/122] support rotate for container log file + +support rotate for container log file + +Signed-off-by: LiFeng +--- + src/lxc/confile.c | 3 +++ + src/lxc/terminal.c | 40 ++++++++++++++++++++++++++++++++++++++++ + 2 files changed, 43 insertions(+) + +diff --git a/src/lxc/confile.c b/src/lxc/confile.c +index cbef2e2..e782211 100644 +--- a/src/lxc/confile.c ++++ b/src/lxc/confile.c +@@ -1802,11 +1802,14 @@ static int set_config_console_rotate(const char *key, const char *value, + if (lxc_safe_uint(value, &lxc_conf->console.log_rotate) < 0) + return -1; + ++ /* ++ * isulad: support rotate muti-files + if (lxc_conf->console.log_rotate > 1) { + ERROR("The \"lxc.console.rotate\" config key can only be set " + "to 0 or 1"); + return -1; + } ++ */ + + return 0; + } +diff --git a/src/lxc/terminal.c b/src/lxc/terminal.c +index 410f643..3bb3a52 100644 +--- a/src/lxc/terminal.c ++++ b/src/lxc/terminal.c +@@ -229,6 +229,39 @@ static int lxc_terminal_truncate_log_file(struct lxc_terminal *terminal) + return lxc_unpriv(ftruncate(terminal->log_fd, 0)); + } + ++/* ++ * isuald: support mult-logfiles ++ * */ ++static int lxc_terminal_rename_old_log_file(struct lxc_terminal *terminal) ++{ ++ int ret; ++ size_t i; ++ char tmp[PATH_MAX] = {0}; ++ char *rename_fname = NULL; ++ ++ for (i = terminal->log_rotate - 1; i > 1; i--) { ++ ret = sprintf(tmp, "%s.%d", terminal->log_path, i); ++ if (ret < 0) ++ return -EFBIG; ++ if (rename_fname) ++ free(rename_fname); ++ rename_fname = strdup(tmp); ++ ret = sprintf(tmp, "%s.%d", terminal->log_path, (i - 1)); ++ if (ret < 0) { ++ free(rename_fname); ++ return -EFBIG; ++ } ++ ret = lxc_unpriv(rename(tmp, rename_fname)); ++ if (ret < 0 && errno != ENOENT) ++ return ret; ++ } ++ ++ if (rename_fname) ++ free(rename_fname); ++ ++ return 0; ++} ++ + static int lxc_terminal_rotate_log_file(struct lxc_terminal *terminal) + { + int ret; +@@ -242,6 +275,13 @@ static int lxc_terminal_rotate_log_file(struct lxc_terminal *terminal) + if (terminal->log_fd < 0) + return -EBADF; + ++ /* isuald: rotate old log file first */ ++ ret = lxc_terminal_rename_old_log_file(terminal); ++ if(ret != 0) { ++ ERROR("Rename old log file failed"); ++ return ret; ++ } ++ + len = strlen(terminal->log_path) + sizeof(".1"); + tmp = alloca(len); + +-- +1.8.3.1 + diff --git a/0015-fix-high-gcc-compile-bug.patch b/0015-fix-high-gcc-compile-bug.patch new file mode 100644 index 0000000..af55a22 --- /dev/null +++ b/0015-fix-high-gcc-compile-bug.patch @@ -0,0 +1,41 @@ +From d4c2a04690f61c6d42c69f53b96cc039e94d5256 Mon Sep 17 00:00:00 2001 +From: liuhao +Date: Sat, 12 Jan 2019 16:28:41 +0800 +Subject: [PATCH 015/122] fix high gcc compile bug + +fix high gcc compile bug + +Signed-off-by: LiFeng +--- + src/lxc/terminal.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/src/lxc/terminal.c b/src/lxc/terminal.c +index 3bb3a52..7aa4730 100644 +--- a/src/lxc/terminal.c ++++ b/src/lxc/terminal.c +@@ -235,18 +235,18 @@ static int lxc_terminal_truncate_log_file(struct lxc_terminal *terminal) + static int lxc_terminal_rename_old_log_file(struct lxc_terminal *terminal) + { + int ret; +- size_t i; ++ unsigned int i; + char tmp[PATH_MAX] = {0}; + char *rename_fname = NULL; + + for (i = terminal->log_rotate - 1; i > 1; i--) { +- ret = sprintf(tmp, "%s.%d", terminal->log_path, i); ++ ret = sprintf(tmp, "%s.%u", terminal->log_path, i); + if (ret < 0) + return -EFBIG; + if (rename_fname) + free(rename_fname); + rename_fname = strdup(tmp); +- ret = sprintf(tmp, "%s.%d", terminal->log_path, (i - 1)); ++ ret = sprintf(tmp, "%s.%u", terminal->log_path, (i - 1)); + if (ret < 0) { + free(rename_fname); + return -EFBIG; +-- +1.8.3.1 + diff --git a/0016-add-masked-paths-and-ro-paths.patch b/0016-add-masked-paths-and-ro-paths.patch new file mode 100644 index 0000000..373a8a0 --- /dev/null +++ b/0016-add-masked-paths-and-ro-paths.patch @@ -0,0 +1,381 @@ +From 478dfb4eadd6812bd63fc0d37cf1acad21a58e6a Mon Sep 17 00:00:00 2001 +From: tanyifeng +Date: Sat, 12 Jan 2019 15:55:52 +0800 +Subject: [PATCH 016/122] add masked paths and ro paths + +Signed-off-by: LiFeng +--- + src/lxc/conf.c | 135 ++++++++++++++++++++++++++++++++++++++++++++++++++++++ + src/lxc/conf.h | 8 ++++ + src/lxc/confile.c | 113 ++++++++++++++++++++++++++++++++++++++++++++- + 3 files changed, 255 insertions(+), 1 deletion(-) + +diff --git a/src/lxc/conf.c b/src/lxc/conf.c +index 5065e69..537f956 100644 +--- a/src/lxc/conf.c ++++ b/src/lxc/conf.c +@@ -1343,6 +1343,95 @@ static int lxc_mount_rootfs(struct lxc_conf *conf) + return 0; + } + ++ ++// maskPath masks the top of the specified path inside a container to avoid ++// security issues from processes reading information from non-namespace aware ++// mounts ( proc/kcore ). ++static bool mask_path(const char *path) ++{ ++ int ret; ++ ++ if (!path) ++ return true; ++ ++ ret = mount("/dev/null", path, "", MS_BIND, ""); ++ if (ret < 0 && errno != ENOENT) { ++ if (errno == ENOTDIR) { ++ ret = mount("tmpfs", path, "tmpfs", MS_RDONLY, ""); ++ if (ret < 0) ++ goto error; ++ return true; ++ } ++ goto error; ++ } ++ return true; ++ ++error: ++ SYSERROR("Failed to mask path \"%s\": %s", path, strerror(errno)); ++ return false; ++} ++ ++// remount_readonly will bind over the top of an existing path and ensure that it is read-only. ++static bool remount_readonly(const char *path) ++{ ++ int ret, savederrno, i; ++ ++ if (!path) ++ return true; ++ ++ for (i = 0; i < 5; i++) { ++ ret = mount("", path, "", MS_REMOUNT | MS_RDONLY, ""); ++ if (ret < 0 && errno != ENOENT) { ++ if (errno == EINVAL) { ++ // Probably not a mountpoint, use bind-mount ++ ret = mount(path, path, "", MS_BIND, ""); ++ if (ret < 0) ++ goto on_error; ++ ret = mount(path, path, "", MS_BIND | MS_REMOUNT | MS_RDONLY | MS_REC | \ ++ MS_NOEXEC | MS_NOSUID | MS_NODEV, ""); ++ if (ret < 0) ++ goto on_error; ++ } else if (errno == EBUSY) { ++ DEBUG("Try to mount \"%s\" to readonly after 100ms.", path); ++ usleep(100 * 1000); ++ continue; ++ } else { ++ goto on_error; ++ } ++ } ++ return true; ++ } ++ ++on_error: ++ SYSERROR("Unable to mount \"%s\" to readonly", path); ++ return false; ++} ++ ++// isulad: setup rootfs masked paths ++static int setup_rootfs_maskedpaths(struct lxc_list *maskedpaths) ++{ ++ struct lxc_list *it; ++ ++ lxc_list_for_each(it, maskedpaths) { ++ if (!mask_path((char *)it->elem)) ++ return -1; ++ } ++ ++ return 0; ++} ++// isulad: setup rootfs ro paths ++static int setup_rootfs_ropaths(struct lxc_list *ropaths) ++{ ++ struct lxc_list *it; ++ ++ lxc_list_for_each(it, ropaths) { ++ if (!remount_readonly((char *)it->elem)) ++ return -1; ++ } ++ ++ return 0; ++} ++ + int lxc_chroot(const struct lxc_rootfs *rootfs) + { + int i, ret; +@@ -2759,6 +2848,8 @@ struct lxc_conf *lxc_conf_init(void) + + /* isulad add begin */ + lxc_list_init(&new->populate_devs); ++ lxc_list_init(&new->rootfs.maskedpaths); ++ lxc_list_init(&new->rootfs.ropaths); + new->exit_fd = -1; + /* isulad add end */ + +@@ -3759,6 +3850,22 @@ int lxc_setup(struct lxc_handler *handler) + if (ret < 0) + return -1; + ++ //isulad: setup rootfs masked paths ++ if (!lxc_list_empty(&lxc_conf->rootfs.maskedpaths)) { ++ if (setup_rootfs_maskedpaths(&lxc_conf->rootfs.maskedpaths)) { ++ ERROR("failed to setup maskedpaths"); ++ return -1; ++ } ++ } ++ ++ // isulad: setup rootfs ro paths ++ if (!lxc_list_empty(&lxc_conf->rootfs.ropaths)) { ++ if (setup_rootfs_ropaths(&lxc_conf->rootfs.ropaths)) { ++ ERROR("failed to setup readonlypaths"); ++ return -1; ++ } ++ } ++ + ret = setup_personality(lxc_conf->personality); + if (ret < 0) { + ERROR("Failed to set personality"); +@@ -4147,6 +4254,32 @@ int lxc_clear_populate_devices(struct lxc_conf *c) + return 0; + } + ++/*isulad: clear rootfs masked paths*/ ++int lxc_clear_rootfs_masked_paths(struct lxc_conf *c) ++{ ++ struct lxc_list *it,*next; ++ ++ lxc_list_for_each_safe(it, &c->rootfs.maskedpaths, next) { ++ lxc_list_del(it); ++ free(it->elem); ++ free(it); ++ } ++ return 0; ++} ++ ++/*isulad: clear rootfs ro paths*/ ++int lxc_clear_rootfs_ro_paths(struct lxc_conf *c) ++{ ++ struct lxc_list *it,*next; ++ ++ lxc_list_for_each_safe(it, &c->rootfs.ropaths, next) { ++ lxc_list_del(it); ++ free(it->elem); ++ free(it); ++ } ++ return 0; ++} ++ + void lxc_conf_free(struct lxc_conf *conf) + { + if (!conf) +@@ -4195,6 +4328,8 @@ void lxc_conf_free(struct lxc_conf *conf) + /* isulad add begin */ + lxc_clear_init_args(conf); + lxc_clear_populate_devices(conf); ++ lxc_clear_rootfs_masked_paths(conf); ++ lxc_clear_rootfs_ro_paths(conf); + free(conf->container_info_file); + if (conf->exit_fd != -1) + close(conf->exit_fd); +diff --git a/src/lxc/conf.h b/src/lxc/conf.h +index 2d939cd..7927812 100644 +--- a/src/lxc/conf.h ++++ b/src/lxc/conf.h +@@ -160,6 +160,8 @@ struct lxc_tty_info { + * @options : mount options + * @mountflags : the portion of @options that are flags + * @data : the portion of @options that are not flags ++ * @maskedpaths: A list of paths to be msked over inside the container ++ * @ropaths : A list of paths to be remounted with readonly inside the container + */ + struct lxc_rootfs { + char *path; +@@ -168,6 +170,10 @@ struct lxc_rootfs { + char *options; + unsigned long mountflags; + char *data; ++ /* isulad: maskedpaths */ ++ struct lxc_list maskedpaths; ++ /* isulad: ropaths */ ++ struct lxc_list ropaths; + }; + + /* +@@ -477,6 +483,8 @@ extern int lxc_clear_procs(struct lxc_conf *c, const char *key); + /* isulad add begin */ + int lxc_clear_init_args(struct lxc_conf *lxc_conf); + int lxc_clear_populate_devices(struct lxc_conf *c); ++int lxc_clear_rootfs_masked_paths(struct lxc_conf *c); ++int lxc_clear_rootfs_ro_paths(struct lxc_conf *c); + + /* isulad add end */ + +diff --git a/src/lxc/confile.c b/src/lxc/confile.c +index e782211..e199965 100644 +--- a/src/lxc/confile.c ++++ b/src/lxc/confile.c +@@ -139,6 +139,8 @@ lxc_config_define(pty_max); + lxc_config_define(rootfs_mount); + lxc_config_define(rootfs_options); + lxc_config_define(rootfs_path); ++lxc_config_define(rootfs_masked_paths); ++lxc_config_define(rootfs_ro_paths); + lxc_config_define(seccomp_profile); + lxc_config_define(selinux_context); + lxc_config_define(signal_halt); +@@ -243,6 +245,8 @@ static struct lxc_config_t config_jump_table[] = { + /*isulad add begin*/ + { "lxc.isulad.init.args", set_config_init_args, get_config_init_args, clr_config_init_args, }, + { "lxc.isulad.populate.device", set_config_populate_device, get_config_populate_device, clr_config_populate_device, }, ++ { "lxc.isulad.rootfs.maskedpaths", set_config_rootfs_masked_paths, get_config_rootfs_masked_paths, clr_config_rootfs_masked_paths, }, ++ { "lxc.isulad.rootfs.ropaths", set_config_rootfs_ro_paths, get_config_rootfs_ro_paths, clr_config_rootfs_ro_paths, }, + /*isulad add end*/ + }; + +@@ -2224,7 +2228,7 @@ static int set_config_init_args(const char *key, const char *value, + return 0; + } + +-/* isulad: set config for init args */ ++/* isulad: set config for populate device */ + static int set_config_populate_device(const char *key, const char *value, + struct lxc_conf *lxc_conf, void *data) + { +@@ -2308,6 +2312,62 @@ on_error: + free(dev_elem); + } + return -1; ++} ++ ++/* isulad: set config for rootfs masked paths */ ++static int set_config_rootfs_masked_paths(const char *key, const char *value, ++ struct lxc_conf *lxc_conf, void *data) ++{ ++ struct lxc_list *list_item = NULL; ++ ++ if (lxc_config_value_empty(value)) ++ return lxc_clear_rootfs_masked_paths(lxc_conf); ++ ++ list_item = malloc(sizeof(*list_item)); ++ if (!list_item) ++ goto on_error; ++ ++ list_item->elem = strdup(value); ++ ++ if (!list_item->elem) ++ goto on_error; ++ ++ lxc_list_add_tail(&lxc_conf->rootfs.maskedpaths, list_item); ++ ++ return 0; ++ ++on_error: ++ free(list_item); ++ ++ return -1; ++} ++ ++/* isulad: set config for rootfs ro paths */ ++static int set_config_rootfs_ro_paths(const char *key, const char *value, ++ struct lxc_conf *lxc_conf, void *data) ++{ ++ struct lxc_list *list_item = NULL; ++ ++ if (lxc_config_value_empty(value)) ++ return lxc_clear_rootfs_ro_paths(lxc_conf); ++ ++ list_item = malloc(sizeof(*list_item)); ++ if (!list_item) ++ goto on_error; ++ ++ list_item->elem = strdup(value); ++ ++ if (!list_item->elem) ++ goto on_error; ++ ++ lxc_list_add_tail(&lxc_conf->rootfs.ropaths, list_item); ++ ++ return 0; ++ ++on_error: ++ free(list_item); ++ ++ return -1; + + } + +@@ -3889,6 +3949,43 @@ static int get_config_populate_device(const char *key, char *retv, int inlen, + return fulllen; + } + ++// isulad: get config rootfs masked paths ++static int get_config_rootfs_masked_paths(const char *key, char *retv, int inlen, ++ struct lxc_conf *c, void *data) ++{ ++ int len, fulllen = 0; ++ struct lxc_list *it; ++ ++ if (!retv) ++ inlen = 0; ++ else ++ memset(retv, 0, inlen); ++ ++ lxc_list_for_each(it, &c->rootfs.maskedpaths) { ++ strprint(retv, inlen, "%s\n", (char *)it->elem); ++ } ++ ++ return fulllen; ++} ++ ++// isulad: get config rootfs ro paths ++static int get_config_rootfs_ro_paths(const char *key, char *retv, int inlen, ++ struct lxc_conf *c, void *data) ++{ ++ int len, fulllen = 0; ++ struct lxc_list *it; ++ ++ if (!retv) ++ inlen = 0; ++ else ++ memset(retv, 0, inlen); ++ ++ lxc_list_for_each(it, &c->rootfs.ropaths) { ++ strprint(retv, inlen, "%s\n", (char *)it->elem); ++ } ++ ++ return fulllen; ++} + + /* Callbacks to clear config items. */ + static inline int clr_config_personality(const char *key, struct lxc_conf *c, +@@ -4708,6 +4805,20 @@ static inline int clr_config_populate_device(const char *key, struct lxc_conf *c + return lxc_clear_populate_devices(c); + } + ++/* isulad: clr config rootfs masked paths */ ++static inline int clr_config_rootfs_masked_paths(const char *key, struct lxc_conf *c, ++ void *data) ++{ ++ return lxc_clear_rootfs_masked_paths(c); ++} ++ ++/* isulad: clr config rootfs ro paths */ ++static inline int clr_config_rootfs_ro_paths(const char *key, struct lxc_conf *c, ++ void *data) ++{ ++ return lxc_clear_rootfs_ro_paths(c); ++} ++ + static int get_config_net_nic(const char *key, char *retv, int inlen, + struct lxc_conf *c, void *data) + { +-- +1.8.3.1 + diff --git a/0017-isulad-check-cgroup-cpu.shares-after-setted.patch b/0017-isulad-check-cgroup-cpu.shares-after-setted.patch new file mode 100644 index 0000000..46330e8 --- /dev/null +++ b/0017-isulad-check-cgroup-cpu.shares-after-setted.patch @@ -0,0 +1,99 @@ +From b4cf90f64f23198555372e4d1ca1a1a7ea0ee81f Mon Sep 17 00:00:00 2001 +From: tanyifeng +Date: Mon, 14 Jan 2019 11:03:03 +0800 +Subject: [PATCH 017/122] isulad: check cgroup cpu.shares after setted + +Signed-off-by: LiFeng +--- + src/lxc/cgroups/cgfsng.c | 61 ++++++++++++++++++++++++++++++++++++++++++++++++ + 1 file changed, 61 insertions(+) + +diff --git a/src/lxc/cgroups/cgfsng.c b/src/lxc/cgroups/cgfsng.c +index 3e702b3..ab5732b 100644 +--- a/src/lxc/cgroups/cgfsng.c ++++ b/src/lxc/cgroups/cgfsng.c +@@ -2204,6 +2204,42 @@ static int cg_legacy_set_data(struct cgroup_ops *ops, const char *filename, + return ret; + } + ++/* Called from setup_limits - here we have the container's cgroup_data because ++ * we created the cgroups. ++ */ ++static int cg_legacy_get_data(struct cgroup_ops *ops, const char *filename, ++ char *value, size_t len) ++{ ++ char *fullpath, *p; ++ struct hierarchy *h; ++ int ret = 0; ++ char *controller = NULL; ++ ++ len = strlen(filename); ++ controller = alloca(len + 1); ++ (void)strlcpy(controller, filename, len + 1); ++ ++ p = strchr(controller, '.'); ++ if (p) ++ *p = '\0'; ++ ++ ++ h = get_hierarchy(ops, controller); ++ if (!h) { ++ ERROR("Failed to setup limits for the \"%s\" controller. " ++ "The controller seems to be unused by \"cgfsng\" cgroup " ++ "driver or not enabled on the cgroup hierarchy", ++ controller); ++ errno = ENOENT; ++ return -ENOENT; ++ } ++ ++ fullpath = must_make_path(h->container_full_path, filename, NULL); ++ ret = lxc_read_from_file(fullpath, value, len); ++ free(fullpath); ++ return ret; ++} ++ + static bool __cg_legacy_setup_limits(struct cgroup_ops *ops, + struct lxc_list *cgroup_settings, + bool do_devices) +@@ -2211,6 +2247,8 @@ static bool __cg_legacy_setup_limits(struct cgroup_ops *ops, + struct lxc_list *iterator, *next, *sorted_cgroup_settings; + struct lxc_cgroup *cg; + bool ret = false; ++ char value[21]; ++ long long int readvalue, setvalue; + + if (lxc_list_empty(cgroup_settings)) + return true; +@@ -2236,6 +2274,29 @@ static bool __cg_legacy_setup_limits(struct cgroup_ops *ops, + DEBUG("Set controller \"%s\" set to \"%s\"", + cg->subsystem, cg->value); + } ++ // isulad: check cpu shares ++ if (strcmp(cg->subsystem, "cpu.shares") == 0) { ++ if (cg_legacy_get_data(ops, cg->subsystem, value, sizeof(value)) < 0) { ++ SYSERROR("Error get %s", cg->subsystem); ++ goto out; ++ } ++ trim(value); ++ if (lxc_safe_long_long(cg->value, &setvalue) != 0) { ++ SYSERROR("Invalid value %s", cg->value); ++ goto out; ++ } ++ if (lxc_safe_long_long(value, &readvalue) != 0) { ++ SYSERROR("Invalid value %s", value); ++ goto out; ++ } ++ if (setvalue > readvalue) { ++ ERROR("The maximum allowed cpu-shares is %s", value); ++ goto out; ++ } else if (setvalue < readvalue) { ++ ERROR("The minimum allowed cpu-shares is %s", value); ++ goto out; ++ } ++ } + } + + ret = true; +-- +1.8.3.1 + diff --git a/0018-lxc-attach-add-support-terminal-fifos.patch b/0018-lxc-attach-add-support-terminal-fifos.patch new file mode 100644 index 0000000..a6f8b6e --- /dev/null +++ b/0018-lxc-attach-add-support-terminal-fifos.patch @@ -0,0 +1,410 @@ +From d6a38c35cb5986f1263e3dd1b6206217e34a2ec8 Mon Sep 17 00:00:00 2001 +From: LiFeng +Date: Mon, 14 Jan 2019 02:18:26 -0500 +Subject: [PATCH 018/122] lxc-attach: add support terminal fifos + +1. support terminal fifos to redirect terminal +2. support lxc-attach run in background + +Signed-off-by: LiFeng +--- + src/lxc/attach.c | 18 ++++- + src/lxc/attach_options.h | 3 + + src/lxc/terminal.c | 27 +++++-- + src/lxc/tools/arguments.h | 2 +- + src/lxc/tools/lxc_attach.c | 181 +++++++++++++++++++++++++++++++++++++++++---- + 5 files changed, 204 insertions(+), 27 deletions(-) + +diff --git a/src/lxc/attach.c b/src/lxc/attach.c +index 2bbf1eb..1886bde 100644 +--- a/src/lxc/attach.c ++++ b/src/lxc/attach.c +@@ -988,12 +988,23 @@ on_error: + } + + static int lxc_attach_terminal(struct lxc_conf *conf, +- struct lxc_terminal *terminal) ++ struct lxc_terminal *terminal, lxc_attach_options_t *options) + { + int ret; + + lxc_terminal_init(terminal); + ++ /* isulad: if we pass fifo in option, use them as init fifos */ ++ if (options->init_fifo[0] && options->init_fifo[1]) { ++ if (terminal->init_fifo[0]) ++ free(terminal->init_fifo[0]); ++ terminal->init_fifo[0] = strdup(options->init_fifo[0]); ++ ++ if (terminal->init_fifo[1]) ++ free(terminal->init_fifo[1]); ++ terminal->init_fifo[1] = strdup(options->init_fifo[1]); ++ } ++ + ret = lxc_terminal_create(terminal); + if (ret < 0) { + ERROR("Failed to create terminal"); +@@ -1203,7 +1214,7 @@ int lxc_attach(const char *name, const char *lxcpath, + } + + if (options->attach_flags & LXC_ATTACH_TERMINAL) { +- ret = lxc_attach_terminal(conf, &terminal); ++ ret = lxc_attach_terminal(conf, &terminal, options); + if (ret < 0) { + ERROR("Failed to setup new terminal"); + free(cwd); +@@ -1489,7 +1500,7 @@ int lxc_attach(const char *name, const char *lxcpath, + } + + if (pid == 0) { +- if (options->attach_flags & LXC_ATTACH_TERMINAL) { ++ if (options->attach_flags & LXC_ATTACH_TERMINAL && terminal.tty_state) { + ret = pthread_sigmask(SIG_SETMASK, + &terminal.tty_state->oldmask, NULL); + if (ret < 0) { +@@ -1497,7 +1508,6 @@ int lxc_attach(const char *name, const char *lxcpath, + _exit(EXIT_FAILURE); + } + } +- + ret = attach_child_main(&payload); + if (ret < 0) + ERROR("Failed to exec"); +diff --git a/src/lxc/attach_options.h b/src/lxc/attach_options.h +index 193fd7e..081618c 100644 +--- a/src/lxc/attach_options.h ++++ b/src/lxc/attach_options.h +@@ -135,6 +135,8 @@ typedef struct lxc_attach_options_t { + + /*! File descriptor to log output. */ + int log_fd; ++ ++ char *init_fifo[2]; /* isulad: default fifos for the start */ + } lxc_attach_options_t; + + /*! Default attach options to use */ +@@ -153,6 +155,7 @@ typedef struct lxc_attach_options_t { + /* .stdout_fd = */ 1, \ + /* .stderr_fd = */ 2, \ + /* .log_fd = */ -EBADF, \ ++ /* .init_fifo = */ {NULL, NULL}, \ + } + + /*! +diff --git a/src/lxc/terminal.c b/src/lxc/terminal.c +index 7aa4730..ee3aef2 100644 +--- a/src/lxc/terminal.c ++++ b/src/lxc/terminal.c +@@ -514,7 +514,7 @@ static int lxc_terminal_mainloop_add_peer(struct lxc_terminal *terminal) + } + + /* isulad add fifo to mainloop */ +-static int lxc_console_mainloop_add_fifo(struct lxc_terminal *terminal) ++static int lxc_terminal_mainloop_add_fifo(struct lxc_terminal *terminal) + { + int ret = 0; + struct lxc_list *it,*next; +@@ -564,7 +564,7 @@ int lxc_terminal_mainloop_add(struct lxc_epoll_descr *descr, + } + + /* isulad add fifo to mainloop */ +- ret = lxc_console_mainloop_add_fifo(terminal); ++ ret = lxc_terminal_mainloop_add_fifo(terminal); + if (ret < 0) { + ERROR("Failed to add handler for terminal fifos to mainloop"); + return -1; +@@ -789,13 +789,28 @@ void lxc_terminal_free(struct lxc_conf *conf, int fd) + static int lxc_terminal_peer_default(struct lxc_terminal *terminal) + { + struct lxc_terminal_state *ts; +- const char *path; ++ const char *path = NULL; + int ret = 0; + + if (terminal->path) + path = terminal->path; +- else +- path = "/dev/tty"; ++ ++ /* isulad: if no console was given, try current controlling terminal, there ++ * won't be one if we were started as a daemon (-d) ++ */ ++ if (!path && !access("/dev/tty", F_OK)) { ++ int fd; ++ fd = open("/dev/tty", O_RDWR); ++ if (fd >= 0) { ++ close(fd); ++ path = "/dev/tty"; ++ } ++ } ++ ++ if (!path) { ++ DEBUG("Not have a controlling terminal"); ++ return 0; ++ } + + terminal->peer = lxc_unpriv(open(path, O_RDWR | O_CLOEXEC)); + if (terminal->peer < 0) { +@@ -1355,7 +1370,7 @@ int lxc_terminal_prepare_login(int fd) + if (ret < 0) + return -1; + +- ret = lxc_terminal_set_stdfds(fd); ++ ret = set_stdfds(fd); + if (ret < 0) + return -1; + +diff --git a/src/lxc/tools/arguments.h b/src/lxc/tools/arguments.h +index 61f4a0a..047e9f1 100644 +--- a/src/lxc/tools/arguments.h ++++ b/src/lxc/tools/arguments.h +@@ -62,7 +62,7 @@ struct lxc_arguments { + + /* for lxc-start */ + const char *share_ns[32]; /* size must be greater than LXC_NS_MAX */ +- const char *terminal_fifos[2]; /* isulad add, fifos used to redirct stdin/out/err */ ++ char *terminal_fifos[2]; /* isulad add, fifos used to redirct stdin/out/err */ + const char *container_info; /* isulad: file used to store pid and ppid info of container */ + const char *exit_monitor_fifo; /* isulad: fifo used to monitor state of monitor process */ + +diff --git a/src/lxc/tools/lxc_attach.c b/src/lxc/tools/lxc_attach.c +index 8c8e7d3..6d0ffe5 100644 +--- a/src/lxc/tools/lxc_attach.c ++++ b/src/lxc/tools/lxc_attach.c +@@ -75,6 +75,8 @@ static const struct option my_longopts[] = { + {"set-var", required_argument, 0, 'v'}, + {"pty-log", required_argument, 0, 'L'}, + {"rcfile", required_argument, 0, 'f'}, ++ {"in-fifo", required_argument, 0, OPT_INPUT_FIFO}, /* isulad add terminal fifos*/ ++ {"out-fifo", required_argument, 0, OPT_OUTPUT_FIFO}, + LXC_COMMON_OPTIONS + }; + +@@ -133,6 +135,9 @@ Options :\n\ + .log_file = "none", + }; + ++// isulad: send '128 + signal' if container is killed by signal. ++#define ExitSignalOffset 128 ++ + static int my_parser(struct lxc_arguments *args, int c, char *arg) + { + int ret; +@@ -190,6 +195,12 @@ static int my_parser(struct lxc_arguments *args, int c, char *arg) + case 'f': + args->rcfile = arg; + break; ++ case OPT_INPUT_FIFO: ++ args->terminal_fifos[0] = arg; ++ break; ++ case OPT_OUTPUT_FIFO: ++ args->terminal_fifos[1] = arg; ++ break; + } + + return 0; +@@ -253,10 +264,143 @@ static int lxc_attach_create_log_file(const char *log_file) + return fd; + } + ++/*isulad: attach with terminal*/ ++static int do_attach_foreground(struct lxc_container *c, lxc_attach_command_t *command, ++ lxc_attach_options_t *attach_options, ++ char **errmsg) ++{ ++ int ret = 0; ++ pid_t pid; ++ int wexit = -1; ++ int signal; ++ ++ if (command->program) ++ ret = c->attach(c, lxc_attach_run_command, command, attach_options, &pid); ++ else ++ ret = c->attach(c, lxc_attach_run_shell, NULL, attach_options, &pid); ++ if (ret < 0) ++ goto out; ++ ++ ret = lxc_wait_for_pid_status(pid); ++ if (ret < 0) ++ goto out; ++ ++ if (WIFEXITED(ret)) ++ wexit = WEXITSTATUS(ret); ++ else ++ wexit = -1; ++ ++ if (WIFSIGNALED(ret)) { ++ signal = WTERMSIG(ret); ++ wexit = ExitSignalOffset + signal; ++ } ++out: ++ //if (c->lxc_conf->errmsg) ++ // *errmsg = strdup(c->lxc_conf->errmsg); ++ return wexit; ++} ++ ++static void close_msg_pipe(int *errpipe) ++{ ++ if (errpipe[0] >= 0) { ++ close(errpipe[0]); ++ errpipe[0] = -1; ++ } ++ if (errpipe[1] >= 0) { ++ close(errpipe[1]); ++ errpipe[1] = -1; ++ } ++} ++ ++/*isulad: attach without terminal in background */ ++static int do_attach_background(struct lxc_container *c, lxc_attach_command_t *command, ++ lxc_attach_options_t *attach_options, ++ char **errmsg) ++{ ++ int ret = 0; ++ int msgpipe[2]; ++ pid_t pid = 0; ++ ssize_t size_read; ++ char msgbuf[BUFSIZ + 1] = {0}; ++ ++ //pipdfd for get error message of child or grandchild process. ++ if (pipe2(msgpipe, O_CLOEXEC) != 0) { ++ SYSERROR("Failed to init msgpipe"); ++ return -1; ++ } ++ ++ pid = fork(); ++ if (pid < 0) { ++ close_msg_pipe(msgpipe); ++ return -1; ++ } ++ ++ if (pid != 0) { ++ close(msgpipe[1]); ++ msgpipe[1] = -1; ++ size_read = read(msgpipe[0], msgbuf, BUFSIZ); ++ if (size_read > 0) { ++ *errmsg = strdup(msgbuf); ++ ret = -1; ++ } ++ ++ close(msgpipe[0]); ++ msgpipe[0] = -1; ++ ++ return ret; ++ } ++ ++ /* second fork to be reparented by init */ ++ pid = fork(); ++ if (pid < 0) { ++ SYSERROR("Error doing dual-fork"); ++ close_msg_pipe(msgpipe); ++ exit(1); ++ } ++ if (pid != 0) { ++ close_msg_pipe(msgpipe); ++ exit(0); ++ } ++ ++ close(msgpipe[0]); ++ msgpipe[0] = -1; ++ ++ if (null_stdfds() < 0) { ++ ERROR("failed to close fds"); ++ exit(1); ++ } ++ setsid(); ++ ++ if (command->program) ++ ret = c->attach(c, lxc_attach_run_command, command, attach_options, &pid); ++ else ++ ret = c->attach(c, lxc_attach_run_shell, NULL, attach_options, &pid); ++ if (ret < 0) { ++ //if (c->lxc_conf->errmsg) ++ // lxc_write_error_message(msgpipe[1], "%s", c->lxc_conf->errmsg); ++ close(msgpipe[1]); ++ msgpipe[1] = -1; ++ ret = -1; ++ goto out; ++ } ++ ++ close(msgpipe[1]); ++ msgpipe[1] = -1; ++ ++ ret = wait_for_pid(pid); ++out: ++ lxc_container_put(c); ++ if (ret) ++ exit(EXIT_FAILURE); ++ else ++ exit(0); ++} ++ + int main(int argc, char *argv[]) + { + int ret = -1; + int wexit = 0; ++ char *errmsg = NULL; + struct lxc_log log; + pid_t pid; + lxc_attach_options_t attach_options = LXC_ATTACH_OPTIONS_DEFAULT; +@@ -316,8 +460,13 @@ int main(int argc, char *argv[]) + if (elevated_privileges) + attach_options.attach_flags &= ~(elevated_privileges); + +- if (stdfd_is_pty()) ++ if (my_args.terminal_fifos[0] && my_args.terminal_fifos[1]) { ++ attach_options.init_fifo[0] = my_args.terminal_fifos[0]; ++ attach_options.init_fifo[1] = my_args.terminal_fifos[1]; ++ attach_options.attach_flags |= LXC_ATTACH_TERMINAL; ++ } else if (stdfd_is_pty()) { + attach_options.attach_flags |= LXC_ATTACH_TERMINAL; ++ } + + attach_options.namespaces = namespace_flags; + attach_options.personality = new_personality; +@@ -332,27 +481,27 @@ int main(int argc, char *argv[]) + + if (my_args.console_log) { + attach_options.log_fd = lxc_attach_create_log_file(my_args.console_log); +- if (attach_options.log_fd < 0) +- goto out; ++ if (attach_options.log_fd < 0) { ++ ERROR("Failed to create log file for %s", c->name); ++ lxc_container_put(c); ++ exit(EXIT_FAILURE); ++ } + } + +- if (command.program) +- ret = c->attach(c, lxc_attach_run_command, &command, &attach_options, &pid); ++ /* isulad: add do attach background */ ++ if (attach_options.attach_flags & LXC_ATTACH_TERMINAL) ++ wexit = do_attach_foreground(c, &command, &attach_options, &errmsg); + else +- ret = c->attach(c, lxc_attach_run_shell, NULL, &attach_options, &pid); +- if (ret < 0) +- goto out; ++ wexit = do_attach_background(c, &command, &attach_options, &errmsg); + +- ret = lxc_wait_for_pid_status(pid); +- if (ret < 0) +- goto out; +- +- if (WIFEXITED(ret)) +- wexit = WEXITSTATUS(ret); ++ if (errmsg) { ++ fprintf(stderr, "%s:%s:%s:%d starting container process caused \"%s\"", c->name, ++ __FILE__, __func__, __LINE__, errmsg); ++ free(errmsg); ++ } + +-out: + lxc_container_put(c); +- if (ret >= 0) ++ if (wexit >= 0) + exit(wexit); + + exit(EXIT_FAILURE); +-- +1.8.3.1 + diff --git a/0019-remount-cgroup-readonly-and-make-soft-link-of-subcgr.patch b/0019-remount-cgroup-readonly-and-make-soft-link-of-subcgr.patch new file mode 100644 index 0000000..055fd2f --- /dev/null +++ b/0019-remount-cgroup-readonly-and-make-soft-link-of-subcgr.patch @@ -0,0 +1,87 @@ +From bd056022ef54a8dc6a859495f0edde96471bd7e5 Mon Sep 17 00:00:00 2001 +From: tanyifeng +Date: Mon, 14 Jan 2019 13:51:01 +0800 +Subject: [PATCH 019/122] remount cgroup readonly and make soft link of + subcgroup + +Signed-off-by: LiFeng +--- + src/lxc/cgroups/cgfsng.c | 44 ++++++++++++++++++++++++++++++++++++++++++++ + 1 file changed, 44 insertions(+) + +diff --git a/src/lxc/cgroups/cgfsng.c b/src/lxc/cgroups/cgfsng.c +index ab5732b..705985f 100644 +--- a/src/lxc/cgroups/cgfsng.c ++++ b/src/lxc/cgroups/cgfsng.c +@@ -1621,6 +1621,7 @@ __cgfsng_ops static bool cgfsng_mount(struct cgroup_ops *ops, + int i, ret; + char *tmpfspath = NULL; + bool has_cgns = false, retval = false, wants_force_mount = false; ++ char **merged = NULL; + + if ((type & LXC_AUTO_CGROUP_MASK) == 0) + return true; +@@ -1667,6 +1668,14 @@ __cgfsng_ops static bool cgfsng_mount(struct cgroup_ops *ops, + continue; + controller++; + ++ // isulad: symlink subcgroup ++ if (strchr(controller, ',') != NULL) { ++ int pret; ++ pret = lxc_append_string(&merged, controller); ++ if (pret < 0) ++ goto on_error; ++ } ++ + controllerpath = must_make_path(tmpfspath, controller, NULL); + if (dir_exists(controllerpath)) { + free(controllerpath); +@@ -1721,10 +1730,45 @@ __cgfsng_ops static bool cgfsng_mount(struct cgroup_ops *ops, + if (ret < 0) + goto on_error; + } ++ ++ // isulad: symlink subcgroup ++ if (merged) { ++ char **mc; ++ for (mc = merged; *mc; mc++) { ++ char *token; ++ char *merge = must_copy_string(*mc); ++ lxc_iterate_parts(token, merge, ",") { ++ int mret; ++ char *link; ++ link = must_make_path(tmpfspath, token, NULL); ++ mret = symlink(*mc, link); ++ if (mret < 0 && errno != EEXIST) { ++ SYSERROR("Failed to create link %s for target %s", link, merge); ++ free(merge); ++ free(link); ++ goto on_error; ++ } ++ free(link); ++ } ++ free(merge); ++ } ++ } ++ ++ ++ // isulad: remount /sys/fs/cgroup to readonly ++ if (type == LXC_AUTO_CGROUP_FULL_RO || type == LXC_AUTO_CGROUP_RO) { ++ ret = mount(tmpfspath, tmpfspath, "bind", ++ MS_NOSUID|MS_NODEV|MS_NOEXEC|MS_RELATIME|MS_RDONLY|MS_BIND|MS_REMOUNT, NULL); ++ if (ret < 0) { ++ SYSERROR("Failed to remount /sys/fs/cgroup."); ++ goto on_error; ++ } ++ } + retval = true; + + on_error: + free(tmpfspath); ++ lxc_free_array((void **)merged, free); + return retval; + } + +-- +1.8.3.1 + diff --git a/0020-fix-log-error-when-symlink-subcgroup.patch b/0020-fix-log-error-when-symlink-subcgroup.patch new file mode 100644 index 0000000..ce875dc --- /dev/null +++ b/0020-fix-log-error-when-symlink-subcgroup.patch @@ -0,0 +1,44 @@ +From ab9da60c84c2b37049e514d7a597fc8747dbc52f Mon Sep 17 00:00:00 2001 +From: tanyifeng +Date: Mon, 14 Jan 2019 15:33:12 +0800 +Subject: [PATCH 020/122] fix log error when symlink subcgroup + +Signed-off-by: LiFeng +--- + src/lxc/cgroups/cgfsng.c | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +diff --git a/src/lxc/cgroups/cgfsng.c b/src/lxc/cgroups/cgfsng.c +index 705985f..7f2a200 100644 +--- a/src/lxc/cgroups/cgfsng.c ++++ b/src/lxc/cgroups/cgfsng.c +@@ -1736,21 +1736,21 @@ __cgfsng_ops static bool cgfsng_mount(struct cgroup_ops *ops, + char **mc; + for (mc = merged; *mc; mc++) { + char *token; +- char *merge = must_copy_string(*mc); +- lxc_iterate_parts(token, merge, ",") { ++ char *copy = must_copy_string(*mc); ++ lxc_iterate_parts(token, copy, ",") { + int mret; + char *link; + link = must_make_path(tmpfspath, token, NULL); + mret = symlink(*mc, link); + if (mret < 0 && errno != EEXIST) { +- SYSERROR("Failed to create link %s for target %s", link, merge); +- free(merge); ++ SYSERROR("Failed to create link %s for target %s", link, *mc); ++ free(copy); + free(link); + goto on_error; + } + free(link); + } +- free(merge); ++ free(copy); + } + } + +-- +1.8.3.1 + diff --git a/0021-lxc-attch-add-error-message.patch b/0021-lxc-attch-add-error-message.patch new file mode 100644 index 0000000..f0d7687 --- /dev/null +++ b/0021-lxc-attch-add-error-message.patch @@ -0,0 +1,374 @@ +From 54f592ec7a2a79b7e5ecdec5b9bf484536e90438 Mon Sep 17 00:00:00 2001 +From: LiFeng +Date: Mon, 14 Jan 2019 04:29:40 -0500 +Subject: [PATCH 021/122] lxc-attch: add error message + +Signed-off-by: LiFeng +--- + src/lxc/attach.c | 49 +++++++++++++++++++++++++++++++++++++++++----- + src/lxc/attach.h | 4 ++-- + src/lxc/attach_options.h | 6 +++--- + src/lxc/conf.c | 27 +++++++++++++++++++++---- + src/lxc/conf.h | 3 +++ + src/lxc/lxccontainer.c | 4 ++-- + src/lxc/tools/lxc_attach.c | 8 ++++---- + src/lxc/tools/lxc_ls.c | 4 ++-- + src/lxc/utils.c | 21 ++++++++++++++++++++ + src/lxc/utils.h | 1 + + 10 files changed, 105 insertions(+), 22 deletions(-) + +diff --git a/src/lxc/attach.c b/src/lxc/attach.c +index 1886bde..570b9d0 100644 +--- a/src/lxc/attach.c ++++ b/src/lxc/attach.c +@@ -757,10 +757,15 @@ static int attach_child_main(struct attach_clone_payload *payload) + gid_t ns_root_gid = 0; + lxc_attach_options_t* options = payload->options; + struct lxc_proc_context_info* init_ctx = payload->init_ctx; ++ int msg_fd = -1; + bool needs_lsm = (options->namespaces & CLONE_NEWNS) && + (options->attach_flags & LXC_ATTACH_LSM) && + init_ctx->lsm_label; + ++ /*isulad: record errpipe fd*/ ++ msg_fd = init_ctx->container->lxc_conf->errpipe[1]; ++ init_ctx->container->lxc_conf->errpipe[1] = -1; ++ + /* A description of the purpose of this functionality is provided in the + * lxc-attach(1) manual page. We have to remount here and not in the + * parent process, otherwise /proc may not properly reflect the new pid +@@ -980,7 +985,7 @@ static int attach_child_main(struct attach_clone_payload *payload) + goto on_error; + + /* We're done, so we can now do whatever the user intended us to do. */ +- _exit(payload->exec_function(payload->exec_payload)); ++ _exit(payload->exec_function(payload->exec_payload, msg_fd)); + + on_error: + lxc_put_attach_clone_payload(payload); +@@ -1085,7 +1090,7 @@ static inline void lxc_attach_terminal_close_log(struct lxc_terminal *terminal) + + int lxc_attach(const char *name, const char *lxcpath, + lxc_attach_exec_t exec_function, void *exec_payload, +- lxc_attach_options_t *options, pid_t *attached_process) ++ lxc_attach_options_t *options, pid_t *attached_process, char **err_msg) + { + int i, ret, status; + int ipc_sockets[2]; +@@ -1268,6 +1273,15 @@ int lxc_attach(const char *name, const char *lxcpath, + return -1; + } + ++ ++ /* isulad: pipdfd for get error message of child or grandchild process. */ ++ if (pipe2(conf->errpipe, O_CLOEXEC) != 0) { ++ SYSERROR("Failed to init errpipe"); ++ free(cwd); ++ lxc_proc_put_context_info(init_ctx); ++ return -1; ++ } ++ + /* Create intermediate subprocess, two reasons: + * 1. We can't setns() in the child itself, since we want to make + * sure we are properly attached to the pidns. +@@ -1291,6 +1305,11 @@ int lxc_attach(const char *name, const char *lxcpath, + /* close unneeded file descriptors */ + close(ipc_sockets[1]); + free(cwd); ++ ++ /* isulad: close errpipe */ ++ close(conf->errpipe[1]); ++ conf->errpipe[1] = -1; ++ + lxc_proc_close_ns_fd(init_ctx); + if (options->attach_flags & LXC_ATTACH_TERMINAL) + lxc_attach_terminal_close_slave(&terminal); +@@ -1399,6 +1418,19 @@ int lxc_attach(const char *name, const char *lxcpath, + + *attached_process = attached_pid; + ++ /* isulad: read error msg from pipe */ ++ ssize_t size_read; ++ char errbuf[BUFSIZ + 1] = {0}; ++ ++ size_read = read(conf->errpipe[0], errbuf, BUFSIZ); ++ if (size_read > 0) { ++ if (err_msg) ++ *err_msg = strdup(errbuf); ++ if (!(*err_msg)) ++ ERROR("Out of memory"); ++ goto close_mainloop; ++ } ++ + /* Now shut down communication with child, we're done. */ + shutdown(ipc_sockets[0], SHUT_RDWR); + close(ipc_sockets[0]); +@@ -1439,7 +1471,11 @@ int lxc_attach(const char *name, const char *lxcpath, + + /* close unneeded file descriptors */ + close(ipc_sockets[0]); +- ipc_sockets[0] = -EBADF; ++ ipc_sockets[0] = -EBADF;\ ++ ++ /* isulad: close errpipe */ ++ close(conf->errpipe[0]); ++ conf->errpipe[0] = -1; + + if (options->attach_flags & LXC_ATTACH_TERMINAL) { + lxc_attach_terminal_close_master(&terminal); +@@ -1539,7 +1575,7 @@ int lxc_attach(const char *name, const char *lxcpath, + _exit(0); + } + +-int lxc_attach_run_command(void *payload) ++int lxc_attach_run_command(void *payload, int msg_fd) + { + int ret = -1; + lxc_attach_command_t *cmd = payload; +@@ -1556,11 +1592,14 @@ int lxc_attach_run_command(void *payload) + } + } + ++ /* isulad: write errorm messages */ ++ lxc_write_error_message(msg_fd, "exec: \"%s\": %s", cmd->program, strerror(errno)); ++ + SYSERROR("Failed to exec \"%s\"", cmd->program); + return ret; + } + +-int lxc_attach_run_shell(void* payload) ++int lxc_attach_run_shell(void* payload, int msg_fd) + { + uid_t uid; + struct passwd pwent; +diff --git a/src/lxc/attach.h b/src/lxc/attach.h +index 4bf9578..e62b98b 100644 +--- a/src/lxc/attach.h ++++ b/src/lxc/attach.h +@@ -42,7 +42,7 @@ struct lxc_proc_context_info { + }; + + extern int lxc_attach(const char *name, const char *lxcpath, +- lxc_attach_exec_t exec_function, void *exec_payload, +- lxc_attach_options_t *options, pid_t *attached_process); ++ lxc_attach_exec_t exec_function, void *exec_payload, ++ lxc_attach_options_t *options, pid_t *attached_process, char **err_msg); + + #endif /* __LXC_ATTACH_H */ +diff --git a/src/lxc/attach_options.h b/src/lxc/attach_options.h +index 081618c..7b0a8cb 100644 +--- a/src/lxc/attach_options.h ++++ b/src/lxc/attach_options.h +@@ -71,7 +71,7 @@ enum { + * + * \return Function should return \c 0 on success, and any other value to denote failure. + */ +-typedef int (*lxc_attach_exec_t)(void* payload); ++typedef int (*lxc_attach_exec_t)(void* payload, int msg_fd); + + /*! + * LXC attach options for \ref lxc_container \c attach(). +@@ -173,7 +173,7 @@ typedef struct lxc_attach_command_t { + * + * \return \c -1 on error, exit code of lxc_attach_command_t program on success. + */ +-extern int lxc_attach_run_command(void* payload); ++extern int lxc_attach_run_command(void* payload, int msg_fd); + + /*! + * \brief Run a shell command in the container. +@@ -182,7 +182,7 @@ extern int lxc_attach_run_command(void* payload); + * + * \return Exit code of shell. + */ +-extern int lxc_attach_run_shell(void* payload); ++extern int lxc_attach_run_shell(void* payload, int msg_fd); + + #ifdef __cplusplus + } +diff --git a/src/lxc/conf.c b/src/lxc/conf.c +index 537f956..8d8230f 100644 +--- a/src/lxc/conf.c ++++ b/src/lxc/conf.c +@@ -2803,10 +2803,6 @@ struct lxc_conf *lxc_conf_init(void) + new->console.slave = -1; + new->console.name[0] = '\0'; + memset(&new->console.ringbuf, 0, sizeof(struct lxc_ringbuf)); +- /* isulad init console fifos */ +- new->console.init_fifo[0] = NULL; +- new->console.init_fifo[1] = NULL; +- lxc_list_init(&new->console.fifos); + new->maincmd_fd = -1; + new->nbd_idx = -1; + new->rootfs.mount = strdup(default_rootfs_mount); +@@ -2851,6 +2847,14 @@ struct lxc_conf *lxc_conf_init(void) + lxc_list_init(&new->rootfs.maskedpaths); + lxc_list_init(&new->rootfs.ropaths); + new->exit_fd = -1; ++ /* isulad init console fifos */ ++ new->console.init_fifo[0] = NULL; ++ new->console.init_fifo[1] = NULL; ++ lxc_list_init(&new->console.fifos); ++ ++ new->errmsg = NULL; ++ new->errpipe[0] = -1; ++ new->errpipe[1] = -1; + /* isulad add end */ + + return new; +@@ -4280,6 +4284,19 @@ int lxc_clear_rootfs_ro_paths(struct lxc_conf *c) + return 0; + } + ++/*isulad: close error pipe */ ++void lxc_close_error_pipe(int *errpipe) ++{ ++ if (errpipe[0] >= 0) { ++ close(errpipe[0]); ++ errpipe[0] = -1; ++ } ++ if (errpipe[1] >= 0) { ++ close(errpipe[1]); ++ errpipe[1] = -1; ++ } ++} ++ + void lxc_conf_free(struct lxc_conf *conf) + { + if (!conf) +@@ -4333,6 +4350,8 @@ void lxc_conf_free(struct lxc_conf *conf) + free(conf->container_info_file); + if (conf->exit_fd != -1) + close(conf->exit_fd); ++ free(conf->errmsg); ++ lxc_close_error_pipe(conf->errpipe); + /* isulad add end */ + free(conf); + } +diff --git a/src/lxc/conf.h b/src/lxc/conf.h +index 7927812..db474e1 100644 +--- a/src/lxc/conf.h ++++ b/src/lxc/conf.h +@@ -413,6 +413,9 @@ struct lxc_conf { + char *container_info_file; + + int exit_fd; /* exit fifo fd*/ ++ ++ char *errmsg; /* record error messages */ ++ int errpipe[2];//pipdfd for get error message of child or grandchild process. + /* isulad add end */ + }; + +diff --git a/src/lxc/lxccontainer.c b/src/lxc/lxccontainer.c +index 8029f33..31f4819 100644 +--- a/src/lxc/lxccontainer.c ++++ b/src/lxc/lxccontainer.c +@@ -4063,7 +4063,7 @@ static int lxcapi_attach(struct lxc_container *c, lxc_attach_exec_t exec_functio + + current_config = c->lxc_conf; + +- ret = lxc_attach(c->name, c->config_path, exec_function, exec_payload, options, attached_process); ++ ret = lxc_attach(c->name, c->config_path, exec_function, exec_payload, options, attached_process, &c->lxc_conf->errmsg); + current_config = NULL; + return ret; + } +@@ -4080,7 +4080,7 @@ static int do_lxcapi_attach_run_wait(struct lxc_container *c, lxc_attach_options + command.program = (char*)program; + command.argv = (char**)argv; + +- r = lxc_attach(c->name, c->config_path, lxc_attach_run_command, &command, options, &pid); ++ r = lxc_attach(c->name, c->config_path, lxc_attach_run_command, &command, options, &pid, NULL); + if (r < 0) { + ERROR("ups"); + return r; +diff --git a/src/lxc/tools/lxc_attach.c b/src/lxc/tools/lxc_attach.c +index 6d0ffe5..a590fd1 100644 +--- a/src/lxc/tools/lxc_attach.c ++++ b/src/lxc/tools/lxc_attach.c +@@ -295,8 +295,8 @@ static int do_attach_foreground(struct lxc_container *c, lxc_attach_command_t *c + wexit = ExitSignalOffset + signal; + } + out: +- //if (c->lxc_conf->errmsg) +- // *errmsg = strdup(c->lxc_conf->errmsg); ++ if (c->lxc_conf->errmsg) ++ *errmsg = strdup(c->lxc_conf->errmsg); + return wexit; + } + +@@ -376,8 +376,8 @@ static int do_attach_background(struct lxc_container *c, lxc_attach_command_t *c + else + ret = c->attach(c, lxc_attach_run_shell, NULL, attach_options, &pid); + if (ret < 0) { +- //if (c->lxc_conf->errmsg) +- // lxc_write_error_message(msgpipe[1], "%s", c->lxc_conf->errmsg); ++ if (c->lxc_conf->errmsg) ++ lxc_write_error_message(msgpipe[1], "%s", c->lxc_conf->errmsg); + close(msgpipe[1]); + msgpipe[1] = -1; + ret = -1; +diff --git a/src/lxc/tools/lxc_ls.c b/src/lxc/tools/lxc_ls.c +index cb3eb1e..e261c7b 100644 +--- a/src/lxc/tools/lxc_ls.c ++++ b/src/lxc/tools/lxc_ls.c +@@ -122,7 +122,7 @@ struct wrapargs { + /* + * Takes struct wrapargs as argument. + */ +-static int ls_get_wrapper(void *wrap); ++static int ls_get_wrapper(void *wrap, int msgfd); + + /* + * To calculate swap usage we should not simply check memory.usage_in_bytes and +@@ -1023,7 +1023,7 @@ static int my_parser(struct lxc_arguments *args, int c, char *arg) + return 0; + } + +-static int ls_get_wrapper(void *wrap) ++static int ls_get_wrapper(void *wrap, int msgfd) + { + int ret = -1; + size_t len = 0; +diff --git a/src/lxc/utils.c b/src/lxc/utils.c +index 74e74a1..8ec9f46 100644 +--- a/src/lxc/utils.c ++++ b/src/lxc/utils.c +@@ -1971,3 +1971,24 @@ out: + return startat; + } + ++/* isulad: write error message */ ++void lxc_write_error_message(int errfd, const char *format, ...) ++{ ++ int ret; ++ char errbuf[BUFSIZ + 1] = {0}; ++ ssize_t sret; ++ va_list argp; ++ ++ if (errfd <= 0) ++ return; ++ ++ va_start(argp, format); ++ ret = vsnprintf(errbuf, BUFSIZ, format, argp); ++ va_end(argp); ++ if (ret < 0) ++ SYSERROR("Failed to call vsnprintf"); ++ sret = write(errfd, errbuf, strlen(errbuf)); ++ if (sret < 0) ++ SYSERROR("Write errbuf failed"); ++} ++ +diff --git a/src/lxc/utils.h b/src/lxc/utils.h +index 364bf67..3d56fd9 100644 +--- a/src/lxc/utils.h ++++ b/src/lxc/utils.h +@@ -314,5 +314,6 @@ extern int lxc_setup_env_home(uid_t uid); + + extern int fd_nonblock(int fd); + extern int unsigned long long lxc_get_process_startat(pid_t pid); ++extern void lxc_write_error_message(int errfd, const char *format, ...); + + #endif /* __LXC_UTILS_H */ +-- +1.8.3.1 + diff --git a/0022-support-rootfs-mount-propagation.patch b/0022-support-rootfs-mount-propagation.patch new file mode 100644 index 0000000..f3153e0 --- /dev/null +++ b/0022-support-rootfs-mount-propagation.patch @@ -0,0 +1,507 @@ +From daa98c9452fcebe022bd6dcad29633719ef6917e Mon Sep 17 00:00:00 2001 +From: tanyifeng +Date: Mon, 14 Jan 2019 17:02:02 +0800 +Subject: [PATCH 022/122] support rootfs mount propagation + +Signed-off-by: LiFeng +--- + src/lxc/conf.c | 230 ++++++++++++++++++++++++++-------------- + src/lxc/conf.h | 2 +- + src/lxc/confile.c | 8 +- + src/lxc/criu.c | 4 +- + src/lxc/storage/btrfs.c | 4 +- + src/lxc/storage/dir.c | 9 +- + src/lxc/storage/overlay.c | 4 +- + src/lxc/storage/storage_utils.c | 4 +- + src/lxc/storage/zfs.c | 4 +- + 9 files changed, 165 insertions(+), 104 deletions(-) + +diff --git a/src/lxc/conf.c b/src/lxc/conf.c +index 8d8230f..55d1e45 100644 +--- a/src/lxc/conf.c ++++ b/src/lxc/conf.c +@@ -1296,11 +1296,102 @@ static int lxc_fill_autodev(const struct lxc_rootfs *rootfs) + return 0; + } + ++static void null_endofword(char *word) ++{ ++ while (*word && *word != ' ' && *word != '\t') ++ word++; ++ *word = '\0'; ++} ++ ++/* skip @nfields spaces in @src */ ++static char *get_field(char *src, int nfields) ++{ ++ int i; ++ char *p = src; ++ ++ for (i = 0; i < nfields; i++) { ++ while (*p && *p != ' ' && *p != '\t') ++ p++; ++ ++ if (!*p) ++ break; ++ ++ p++; ++ } ++ ++ return p; ++} ++ ++static int rootfs_parent_mount_private(char *rootfs) ++{ ++ /* walk /proc/self/mountinfo and change parent of rootfs to private */ ++ FILE *f = fopen("/proc/self/mountinfo", "r"); ++ char *line = NULL; ++ char *parent = NULL, *options = NULL; ++ size_t len = 0; ++ int ret = 0; ++ ++ if (!f) { ++ SYSERROR("Failed to open /proc/self/mountinfo to make parent of rootfs to private"); ++ return -1; ++ } ++ ++ while (getline(&line, &len, f) != -1) { ++ char *target, *opts, *tmptarget; ++ target = get_field(line, 4); ++ if (!target) ++ continue; ++ tmptarget = strdup(target); ++ if (!tmptarget) ++ continue; ++ null_endofword(tmptarget); ++ if (!strstr(rootfs, tmptarget)) { ++ free(tmptarget); ++ continue; ++ } ++ if (!parent || strlen(tmptarget) > strlen(parent)) { ++ free(parent); ++ parent = tmptarget; ++ } else { ++ free(tmptarget); ++ continue; ++ } ++ opts = get_field(target, 2); ++ if (!opts) ++ continue; ++ null_endofword(opts); ++ free(options); ++ options = strdup(opts); ++ if (!options) ++ continue; ++ } ++ ++ if (!parent || !options) { ++ ERROR("Could not find parent mount of %s", rootfs); ++ ret = -1; ++ } else { ++ if (strstr(options, "shared")) { ++ if (mount(NULL, parent, NULL, MS_PRIVATE, NULL)) { ++ SYSERROR("Failed to make %s private", parent); ++ ret = -1; ++ } ++ DEBUG("Mounted parent %s of rootfs %s to private", parent, rootfs); ++ } ++ } ++ free(parent); ++ free(options); ++ fclose(f); ++ free(line); ++ return ret; ++} ++ + static int lxc_mount_rootfs(struct lxc_conf *conf) + { + int ret; + struct lxc_storage *bdev; + const struct lxc_rootfs *rootfs = &conf->rootfs; ++ unsigned long flags, mntflags, pflags; ++ char *mntdata; + + if (!rootfs->path) { + ret = mount("", "/", NULL, MS_SLAVE | MS_REC, 0); +@@ -1319,6 +1410,44 @@ static int lxc_mount_rootfs(struct lxc_conf *conf) + return -1; + } + ++ // isulad-start: support mount propagations of rootfs ++ //Get rootfs mnt propagation options, such as slave or shared ++ if (parse_mntopts(conf->rootfs.options, &mntflags, &pflags, &mntdata) < 0) { ++ free(mntdata); ++ return -1; ++ } ++ free(mntdata); ++ ++ flags = MS_SLAVE | MS_REC; ++ if (pflags) ++ flags = pflags; ++ ++ /* Mount propagation inside container can not greater than host. ++ * So we must change propagation of root according to flags, default is rslave. ++ * That means shared propagation inside container is disabled by default. ++ */ ++ ret = mount("", "/", NULL, flags, NULL); ++ if (ret < 0) { ++ SYSERROR("Failed to make / to propagation flags %lu.", flags); ++ return -1; ++ } ++ ++ /* Make parent mount private to make sure following bind mount does ++ * not propagate in other namespaces. Also it will help with kernel ++ * check pass in pivot_root. (IS_SHARED(new_mnt->mnt_parent)) ++ */ ++ ret = rootfs_parent_mount_private(conf->rootfs.mount); ++ if (ret != 0) { ++ ERROR("Failed to make parent of rootfs %s to private.", conf->rootfs.mount); ++ return -1; ++ } ++ ++ ret = mount(conf->rootfs.mount, conf->rootfs.mount, "bind", MS_BIND | MS_REC, NULL); ++ if (ret < 0) { ++ SYSERROR("Failed to mount rootfs %s", conf->rootfs.mount); ++ return -1; ++ }// isulad-end: support mount propagations of rootfs ++ + bdev = storage_init(conf); + if (!bdev) { + ERROR("Failed to mount rootfs \"%s\" onto \"%s\" with options \"%s\"", +@@ -1960,7 +2089,7 @@ static int lxc_setup_console(const struct lxc_rootfs *rootfs, + return lxc_setup_ttydir_console(rootfs, console, ttydir); + } + +-static void parse_mntopt(char *opt, unsigned long *flags, char **data, size_t size) ++static void parse_mntopt(char *opt, unsigned long *mflags, unsigned long *pflags, char **data, size_t size) + { + struct mount_opt *mo; + +@@ -1970,26 +2099,40 @@ static void parse_mntopt(char *opt, unsigned long *flags, char **data, size_t si + for (mo = &mount_opt[0]; mo->name != NULL; mo++) { + if (strncmp(opt, mo->name, strlen(mo->name)) == 0) { + if (mo->clear) +- *flags &= ~mo->flag; ++ *mflags &= ~mo->flag; + else +- *flags |= mo->flag; ++ *mflags |= mo->flag; + return; + } + } + ++ /* If opt is found in propagation_opt, set or clear flags. */ ++ for (mo = &propagation_opt[0]; mo->name != NULL; mo++) { ++ if (strncmp(opt, mo->name, strlen(mo->name)) != 0) ++ continue; ++ ++ if (mo->clear) ++ *pflags &= ~mo->flag; ++ else ++ *pflags |= mo->flag; ++ ++ return; ++ } ++ + if (strlen(*data)) + (void)strlcat(*data, ",", size); + + (void)strlcat(*data, opt, size); + } + +-int parse_mntopts(const char *mntopts, unsigned long *mntflags, char **mntdata) ++int parse_mntopts(const char *mntopts, unsigned long *mntflags, unsigned long *pflags, char **mntdata) + { + char *data, *p, *s; + size_t size; + + *mntdata = NULL; + *mntflags = 0L; ++ *pflags = 0L; + + if (!mntopts) + return 0; +@@ -2007,7 +2150,7 @@ int parse_mntopts(const char *mntopts, unsigned long *mntflags, char **mntdata) + *data = 0; + + lxc_iterate_parts(p, s, ",") +- parse_mntopt(p, mntflags, &data, size); ++ parse_mntopt(p, mntflags, pflags, &data, size); + + if (*data) + *mntdata = data; +@@ -2018,71 +2161,6 @@ int parse_mntopts(const char *mntopts, unsigned long *mntflags, char **mntdata) + return 0; + } + +-static void parse_propagationopt(char *opt, unsigned long *flags) +-{ +- struct mount_opt *mo; +- +- /* If opt is found in propagation_opt, set or clear flags. */ +- for (mo = &propagation_opt[0]; mo->name != NULL; mo++) { +- if (strncmp(opt, mo->name, strlen(mo->name)) != 0) +- continue; +- +- if (mo->clear) +- *flags &= ~mo->flag; +- else +- *flags |= mo->flag; +- +- return; +- } +-} +- +-int parse_propagationopts(const char *mntopts, unsigned long *pflags) +-{ +- char *p, *s; +- +- if (!mntopts) +- return 0; +- +- s = strdup(mntopts); +- if (!s) { +- SYSERROR("Failed to allocate memory"); +- return -ENOMEM; +- } +- +- *pflags = 0L; +- lxc_iterate_parts(p, s, ",") +- parse_propagationopt(p, pflags); +- free(s); +- +- return 0; +-} +- +-static void null_endofword(char *word) +-{ +- while (*word && *word != ' ' && *word != '\t') +- word++; +- *word = '\0'; +-} +- +-/* skip @nfields spaces in @src */ +-static char *get_field(char *src, int nfields) +-{ +- int i; +- char *p = src; +- +- for (i = 0; i < nfields; i++) { +- while (*p && *p != ' ' && *p != '\t') +- p++; +- +- if (!*p) +- break; +- +- p++; +- } +- +- return p; +-} +- + static int mount_entry(const char *fsname, const char *target, + const char *fstype, unsigned long mountflags, + unsigned long pflags, const char *data, bool optional, +@@ -2289,10 +2367,9 @@ static inline int mount_entry_on_generic(struct mntent *mntent, + const char *lxc_path) + { + int ret; +- unsigned long mntflags; ++ unsigned long mntflags, pflags; + char *mntdata; + bool dev, optional, relative; +- unsigned long pflags = 0; + char *rootfs_path = NULL; + + optional = hasmntopt(mntent, "optional") != NULL; +@@ -2312,11 +2389,7 @@ static inline int mount_entry_on_generic(struct mntent *mntent, + } + cull_mntent_opt(mntent); + +- ret = parse_propagationopts(mntent->mnt_opts, &pflags); +- if (ret < 0) +- return -1; +- +- ret = parse_mntopts(mntent->mnt_opts, &mntflags, &mntdata); ++ ret = parse_mntopts(mntent->mnt_opts, &mntflags, &pflags, &mntdata); + if (ret < 0) + return -1; + +@@ -3544,7 +3617,8 @@ int lxc_setup_rootfs_prepare_root(struct lxc_conf *conf, const char *name, + return 0; + } + +- remount_all_slave(); ++ if (!conf->rootfs.options) ++ remount_all_slave(); + + ret = run_lxc_hooks(name, "pre-mount", conf, NULL); + if (ret < 0) { +diff --git a/src/lxc/conf.h b/src/lxc/conf.h +index db474e1..7393dbf 100644 +--- a/src/lxc/conf.h ++++ b/src/lxc/conf.h +@@ -463,7 +463,7 @@ extern int userns_exec_1(struct lxc_conf *conf, int (*fn)(void *), void *data, + extern int userns_exec_full(struct lxc_conf *conf, int (*fn)(void *), + void *data, const char *fn_name); + extern int parse_mntopts(const char *mntopts, unsigned long *mntflags, +- char **mntdata); ++ unsigned long *pflags, char **mntdata); + extern int parse_propagationopts(const char *mntopts, unsigned long *pflags); + extern void tmp_proc_unmount(struct lxc_conf *lxc_conf); + extern void remount_all_slave(void); +diff --git a/src/lxc/confile.c b/src/lxc/confile.c +index e199965..db63b55 100644 +--- a/src/lxc/confile.c ++++ b/src/lxc/confile.c +@@ -2065,16 +2065,10 @@ static int set_config_rootfs_options(const char *key, const char *value, + char *mdata = NULL, *opts = NULL; + struct lxc_rootfs *rootfs = &lxc_conf->rootfs; + +- ret = parse_mntopts(value, &mflags, &mdata); ++ ret = parse_mntopts(value, &mflags, &pflags, &mdata); + if (ret < 0) + return -EINVAL; + +- ret = parse_propagationopts(value, &pflags); +- if (ret < 0) { +- free(mdata); +- return -EINVAL; +- } +- + ret = set_config_string_item(&opts, value); + if (ret < 0) { + free(mdata); +diff --git a/src/lxc/criu.c b/src/lxc/criu.c +index 31c1940..bb97859 100644 +--- a/src/lxc/criu.c ++++ b/src/lxc/criu.c +@@ -389,9 +389,9 @@ static void exec_criu(struct cgroup_ops *cgroup_ops, struct lxc_conf *conf, + while (getmntent_r(mnts, &mntent, buf, sizeof(buf))) { + char *fmt, *key, *val, *mntdata; + char arg[2 * PATH_MAX + 2]; +- unsigned long flags; ++ unsigned long flags, pflags; + +- if (parse_mntopts(mntent.mnt_opts, &flags, &mntdata) < 0) ++ if (parse_mntopts(mntent.mnt_opts, &flags, &pflags, &mntdata) < 0) + goto err; + + free(mntdata); +diff --git a/src/lxc/storage/btrfs.c b/src/lxc/storage/btrfs.c +index bbfce61..a02c215 100644 +--- a/src/lxc/storage/btrfs.c ++++ b/src/lxc/storage/btrfs.c +@@ -212,7 +212,7 @@ bool btrfs_detect(const char *path) + + int btrfs_mount(struct lxc_storage *bdev) + { +- unsigned long mntflags; ++ unsigned long mntflags, pflags; + char *mntdata; + const char *src; + int ret; +@@ -223,7 +223,7 @@ int btrfs_mount(struct lxc_storage *bdev) + if (!bdev->src || !bdev->dest) + return -22; + +- if (parse_mntopts(bdev->mntopts, &mntflags, &mntdata) < 0) { ++ if (parse_mntopts(bdev->mntopts, &mntflags, &pflags, &mntdata) < 0) { + free(mntdata); + return -22; + } +diff --git a/src/lxc/storage/dir.c b/src/lxc/storage/dir.c +index 79b6469..c7b5ee2 100644 +--- a/src/lxc/storage/dir.c ++++ b/src/lxc/storage/dir.c +@@ -170,20 +170,13 @@ int dir_mount(struct lxc_storage *bdev) + if (!bdev->src || !bdev->dest) + return -22; + +- ret = parse_mntopts(bdev->mntopts, &mntflags, &mntdata); ++ ret = parse_mntopts(bdev->mntopts, &mntflags, &pflags, &mntdata); + if (ret < 0) { + ERROR("Failed to parse mount options \"%s\"", bdev->mntopts); + free(mntdata); + return -EINVAL; + } + +- ret = parse_propagationopts(bdev->mntopts, &pflags); +- if (ret < 0) { +- ERROR("Failed to parse propagation options \"%s\"", bdev->mntopts); +- free(mntdata); +- return -EINVAL; +- } +- + src = lxc_storage_get_path(bdev->src, bdev->type); + + ret = mount(src, bdev->dest, "bind", MS_BIND | MS_REC | mntflags | pflags, mntdata); +diff --git a/src/lxc/storage/overlay.c b/src/lxc/storage/overlay.c +index 01546b1..90408a3 100644 +--- a/src/lxc/storage/overlay.c ++++ b/src/lxc/storage/overlay.c +@@ -495,7 +495,7 @@ int ovl_mount(struct lxc_storage *bdev) + char *options_work, *work, *lastslash; + int lastslashidx; + size_t len, len2; +- unsigned long mntflags; ++ unsigned long mntflags, pflags; + char *mntdata; + int ret, ret2; + +@@ -575,7 +575,7 @@ int ovl_mount(struct lxc_storage *bdev) + memcpy(work + lastslashidx, "olwork", STRLITERALLEN("olwork")); + work[lastslashidx + STRLITERALLEN("olwork")] = '\0'; + +- ret = parse_mntopts(bdev->mntopts, &mntflags, &mntdata); ++ ret = parse_mntopts(bdev->mntopts, &mntflags, &pflags, &mntdata); + if (ret < 0) { + ERROR("Failed to parse mount options"); + free(mntdata); +diff --git a/src/lxc/storage/storage_utils.c b/src/lxc/storage/storage_utils.c +index fa4e727..46e08a3 100644 +--- a/src/lxc/storage/storage_utils.c ++++ b/src/lxc/storage/storage_utils.c +@@ -396,7 +396,7 @@ int find_fstype_cb(char *buffer, void *data) + const char *options; + } *cbarg = data; + +- unsigned long mntflags; ++ unsigned long mntflags, pflags; + char *mntdata; + char *fstype; + +@@ -411,7 +411,7 @@ int find_fstype_cb(char *buffer, void *data) + DEBUG("Trying to mount \"%s\"->\"%s\" with FSType \"%s\"", cbarg->rootfs, + cbarg->target, fstype); + +- if (parse_mntopts(cbarg->options, &mntflags, &mntdata) < 0) { ++ if (parse_mntopts(cbarg->options, &mntflags, &pflags, &mntdata) < 0) { + free(mntdata); + return 0; + } +diff --git a/src/lxc/storage/zfs.c b/src/lxc/storage/zfs.c +index ba104da..752b0c5 100644 +--- a/src/lxc/storage/zfs.c ++++ b/src/lxc/storage/zfs.c +@@ -184,7 +184,7 @@ int zfs_mount(struct lxc_storage *bdev) + size_t oldlen, newlen, totallen; + char *mntdata, *tmp; + const char *src; +- unsigned long mntflags; ++ unsigned long mntflags, pflags; + char cmd_output[PATH_MAX] = {0}; + + if (strcmp(bdev->type, "zfs")) +@@ -193,7 +193,7 @@ int zfs_mount(struct lxc_storage *bdev) + if (!bdev->src || !bdev->dest) + return -22; + +- ret = parse_mntopts(bdev->mntopts, &mntflags, &mntdata); ++ ret = parse_mntopts(bdev->mntopts, &mntflags, &pflags, &mntdata); + if (ret < 0) { + ERROR("Failed to parse mount options"); + free(mntdata); +-- +1.8.3.1 + diff --git a/0023-attach.c-change-uid-and-gid-from-lxc-container-confi.patch b/0023-attach.c-change-uid-and-gid-from-lxc-container-confi.patch new file mode 100644 index 0000000..4e32882 --- /dev/null +++ b/0023-attach.c-change-uid-and-gid-from-lxc-container-confi.patch @@ -0,0 +1,31 @@ +From 37203bfbe3ff71fb158175bb436e0748e84415ef Mon Sep 17 00:00:00 2001 +From: tanyifeng +Date: Mon, 14 Jan 2019 17:09:57 +0800 +Subject: [PATCH 023/122] attach.c: change uid and gid from lxc container + config + +Signed-off-by: LiFeng +--- + src/lxc/attach.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/src/lxc/attach.c b/src/lxc/attach.c +index 570b9d0..e6e4b0d 100644 +--- a/src/lxc/attach.c ++++ b/src/lxc/attach.c +@@ -1146,6 +1146,12 @@ int lxc_attach(const char *name, const char *lxcpath, + } + conf = init_ctx->container->lxc_conf; + ++ // isulad: always switch uid and gid for attach ++ if (options->uid == -1) ++ options->uid = init_ctx->container->lxc_conf->init_uid; ++ if (options->gid == -1) ++ options->gid = init_ctx->container->lxc_conf->init_gid; ++ + if (!fetch_seccomp(init_ctx->container, options)) + WARN("Failed to get seccomp policy"); + +-- +1.8.3.1 + diff --git a/0024-isulad-support-symlink-in-mount-entry-and-not-permit.patch b/0024-isulad-support-symlink-in-mount-entry-and-not-permit.patch new file mode 100644 index 0000000..2469900 --- /dev/null +++ b/0024-isulad-support-symlink-in-mount-entry-and-not-permit.patch @@ -0,0 +1,821 @@ +From 205213bbf95886772aa0b8974507741d5012dd45 Mon Sep 17 00:00:00 2001 +From: tanyifeng +Date: Mon, 14 Jan 2019 20:12:06 +0800 +Subject: [PATCH 024/122] isulad: support symlink in mount entry, and not + permit mount to /proc + +Signed-off-by: LiFeng +--- + src/lxc/Makefile.am | 2 + + src/lxc/conf.c | 108 ++++++++++- + src/lxc/path.c | 546 ++++++++++++++++++++++++++++++++++++++++++++++++++++ + src/lxc/path.h | 70 +++++++ + 4 files changed, 721 insertions(+), 5 deletions(-) + create mode 100644 src/lxc/path.c + create mode 100644 src/lxc/path.h + +diff --git a/src/lxc/Makefile.am b/src/lxc/Makefile.am +index 08e2fab..f2928b7 100644 +--- a/src/lxc/Makefile.am ++++ b/src/lxc/Makefile.am +@@ -12,6 +12,7 @@ noinst_HEADERS = attach.h \ + confile_utils.h \ + criu.h \ + error.h \ ++ path.h \ + file_utils.h \ + ../include/netns_ifaddrs.h \ + initutils.h \ +@@ -95,6 +96,7 @@ liblxc_la_SOURCES = af_unix.c af_unix.h \ + commands_utils.c commands_utils.h \ + conf.c conf.h \ + confile.c confile.h \ ++ path.c path.h \ + confile_utils.c confile_utils.h \ + criu.c criu.h \ + error.c error.h \ +diff --git a/src/lxc/conf.c b/src/lxc/conf.c +index 55d1e45..800573a 100644 +--- a/src/lxc/conf.c ++++ b/src/lxc/conf.c +@@ -77,6 +77,7 @@ + #include "storage/overlay.h" + #include "syscall_wrappers.h" + #include "terminal.h" ++#include "path.h" + #include "utils.h" + + #ifdef MAJOR_IN_MKDEV +@@ -2309,6 +2310,79 @@ static void cull_mntent_opt(struct mntent *mntent) + } + } + ++/* isulad: checkMountDestination checks to ensure that the mount destination is not over the top of /proc. ++ * dest is required to be an abs path and have any symlinks resolved before calling this function. */ ++static int check_mount_destination(const char *rootfs, const char *dest) ++{ ++ const char *invalid_destinations[] = { ++ "/proc", ++ NULL ++ }; ++ // White list, it should be sub directories of invalid destinations ++ const char *valid_destinations[] = { ++ // These entries can be bind mounted by files emulated by fuse, ++ // so commands like top, free displays stats in container. ++ "/proc/cpuinfo", ++ "/proc/diskstats", ++ "/proc/meminfo", ++ "/proc/stat", ++ "/proc/swaps", ++ "/proc/uptime", ++ "/proc/net/dev", ++ NULL ++ }; ++ const char **valid, **invalid; ++ ++ for(valid = valid_destinations; *valid != NULL; valid++) { ++ char *fullpath, *relpath; ++ const char *parts[3] = { ++ rootfs, ++ *valid, ++ NULL ++ }; ++ fullpath = lxc_string_join("/", parts, false); ++ if (!fullpath) { ++ ERROR("Out of memory"); ++ return -1; ++ } ++ relpath = path_relative(fullpath, dest); ++ free(fullpath); ++ if (!relpath) ++ return -1; ++ if (!strcmp(relpath, ".")) { ++ free(relpath); ++ return 0; ++ } ++ free(relpath); ++ } ++ ++ for(invalid = invalid_destinations; *invalid != NULL; invalid++) { ++ char *fullpath, *relpath; ++ const char *parts[3] = { ++ rootfs, ++ *invalid, ++ NULL ++ }; ++ fullpath = lxc_string_join("/", parts, false); ++ if (!fullpath) { ++ ERROR("Out of memory"); ++ return -1; ++ } ++ relpath = path_relative(fullpath, dest); ++ free(fullpath); ++ if (!relpath) ++ return -1; ++ if (!strcmp(relpath, ".") || strncmp(relpath, "..", 2)) { ++ ERROR("%s cannot be mounted because it is located inside %s", dest, *invalid); ++ free(relpath); ++ return -1; ++ } ++ free(relpath); ++ } ++ ++ return 0; ++} ++ + static int mount_entry_create_dir_file(const struct mntent *mntent, + const char *path, + const struct lxc_rootfs *rootfs, +@@ -2370,7 +2444,8 @@ static inline int mount_entry_on_generic(struct mntent *mntent, + unsigned long mntflags, pflags; + char *mntdata; + bool dev, optional, relative; +- char *rootfs_path = NULL; ++ char *rootfs_path = NULL, *rpath = NULL; ++ const char *dest = path; + + optional = hasmntopt(mntent, "optional") != NULL; + dev = hasmntopt(mntent, "dev") != NULL; +@@ -2379,9 +2454,29 @@ static inline int mount_entry_on_generic(struct mntent *mntent, + if (rootfs && rootfs->path) + rootfs_path = rootfs->mount; + +- ret = mount_entry_create_dir_file(mntent, path, rootfs, lxc_name, +- lxc_path); ++ // isulad: ensure that the destination of the bind mount is resolved of symlinks at mount time because ++ // any previous mounts can invalidate the next mount's destination. ++ // this can happen when a user specifies mounts within other mounts to cause breakouts or other ++ // evil stuff to try to escape the container's rootfs. ++ if (rootfs_path) { ++ rpath = follow_symlink_in_scope(path, rootfs_path); ++ if (!rpath) { ++ ERROR("Failed to get real path for '%s'", path); ++ return -1; ++ } ++ dest = rpath; ++ ++ ret = check_mount_destination(rootfs_path, dest); ++ if (ret) { ++ ERROR("Mount destination is invalid: '%s'", dest); ++ free(rpath); ++ return -1; ++ } ++ } ++ ++ ret = mount_entry_create_dir_file(mntent, dest, rootfs, lxc_name, lxc_path); + if (ret < 0) { ++ free(rpath); + if (optional) + return 0; + +@@ -2390,13 +2485,16 @@ static inline int mount_entry_on_generic(struct mntent *mntent, + cull_mntent_opt(mntent); + + ret = parse_mntopts(mntent->mnt_opts, &mntflags, &pflags, &mntdata); +- if (ret < 0) ++ if (ret < 0) { ++ free(rpath); + return -1; ++ } + +- ret = mount_entry(mntent->mnt_fsname, path, mntent->mnt_type, mntflags, ++ ret = mount_entry(mntent->mnt_fsname, dest, mntent->mnt_type, mntflags, + pflags, mntdata, optional, dev, relative, rootfs_path); + + free(mntdata); ++ free(rpath); + return ret; + } + +diff --git a/src/lxc/path.c b/src/lxc/path.c +new file mode 100644 +index 0000000..e917dcb +--- /dev/null ++++ b/src/lxc/path.c +@@ -0,0 +1,546 @@ ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++ ++#include "path.h" ++#include "log.h" ++ ++lxc_log_define(lxc_path_ui, lxc); ++ ++#define ISSLASH(C) ((C) == '/') ++#define IS_ABSOLUTE_FILE_NAME(F) (ISSLASH ((F)[0])) ++#define IS_RELATIVE_FILE_NAME(F) (! IS_ABSOLUTE_FILE_NAME (F)) ++ ++bool specify_current_dir(const char *path) ++{ ++ char *basec = NULL, *bname = NULL; ++ bool res = false; ++ ++ basec = strdup(path); ++ if (!basec) { ++ ERROR("Out of memory"); ++ return false; ++ } ++ ++ bname = basename(basec); ++ res = !strcmp(bname, "."); ++ free(basec); ++ return res; ++} ++ ++bool has_traling_path_separator(const char *path) ++{ ++ return path && strlen(path) && (path[strlen(path) - 1] == '/'); ++} ++ ++// PreserveTrailingDotOrSeparator returns the given cleaned path ++// and appends a trailing `/.` or `/` if its corresponding original ++// path ends with a trailing `/.` or `/`. If the cleaned ++// path already ends in a `.` path segment, then another is not added. If the ++// clean path already ends in a path separator, then another is not added. ++char *preserve_trailing_dot_or_separator(const char *cleanedpath, ++ const char *originalpath) ++{ ++ char *respath = NULL; ++ size_t len; ++ ++ len = strlen(cleanedpath) + 3; ++ respath = malloc(len); ++ if (!respath) { ++ ERROR("Out of memory"); ++ return NULL; ++ } ++ memset(respath, 0x00, len); ++ strcat(respath, cleanedpath); ++ ++ if (!specify_current_dir(cleanedpath) && specify_current_dir(originalpath)) { ++ if (!has_traling_path_separator(respath)) ++ strcat(respath, "/"); ++ strcat(respath, "."); ++ } ++ ++ if (!has_traling_path_separator(respath) && ++ has_traling_path_separator(originalpath)) ++ strcat(respath, "/"); ++ ++ return respath; ++} ++ ++ ++// Split splits path immediately following the final Separator, ++// separating it into a directory and file name component. ++// If there is no Separator in path, Split returns an empty dir ++// and file set to path. ++// The returned values have the property that path = dir+file. ++bool filepath_split(const char *path, char **dir, char **base) ++{ ++ ssize_t i; ++ size_t len; ++ ++ len = strlen(path); ++ i = len - 1; ++ while (i >= 0 && path[i] != '/') ++ i--; ++ ++ *dir = malloc(i + 2); ++ if (!*dir) { ++ ERROR("Out of memory"); ++ return false; ++ } ++ memcpy(*dir, path, i + 1); ++ *(*dir + i + 1) = '\0'; ++ ++ *base = strdup(path + i + 1); ++ if (!*base) { ++ ERROR("Out of memory"); ++ free(*dir); ++ *dir = NULL; ++ return false; ++ } ++ ++ return true; ++} ++ ++/* ++ * cleanpath is similar to realpath of glibc, but not expands symbolic links, ++ * and not check the existence of components of the path. ++ */ ++char *cleanpath(const char *path, char *resolved) ++{ ++ char *rpath, *dest; ++ const char *start, *end, *rpath_limit; ++ ++ if (path == NULL || path[0] == '\0') ++ return NULL; ++ ++ if (resolved == NULL) { ++ rpath = malloc(PATH_MAX); ++ if (rpath == NULL) { ++ ERROR("Out of memory"); ++ return NULL; ++ } ++ } else { ++ rpath = resolved; ++ } ++ rpath_limit = rpath + PATH_MAX; ++ ++ if (!IS_ABSOLUTE_FILE_NAME(path)) { ++ if (!getcwd(rpath, PATH_MAX)) { ++ ERROR("Failed to getcwd"); ++ rpath[0] = '\0'; ++ goto error; ++ } ++ dest = strchr(rpath, '\0'); ++ start = path; ++ } else { ++ dest = rpath; ++ *dest++ = '/'; ++ start = path; ++ } ++ ++ for (end = start; *start; start = end) { ++ /* Skip sequence of multiple path-separators. */ ++ while (ISSLASH(*start)) ++ ++start; ++ ++ /* Find end of path component. */ ++ for (end = start; *end && !ISSLASH(*end); ++end) ++ /* Nothing. */; ++ ++ if (end - start == 0) { ++ break; ++ } else if (end - start == 1 && start[0] == '.') { ++ /* nothing */; ++ } else if (end - start == 2 && start[0] == '.' && start[1] == '.') { ++ /* Back up to previous component, ignore if at root already. */ ++ if (dest > rpath + 1) ++ for (--dest; dest > rpath && !ISSLASH(dest[-1]); --dest) ++ continue; ++ } else { ++ size_t new_size; ++ ++ if (!ISSLASH(dest[-1])) ++ *dest++ = '/'; ++ ++ if (dest + (end - start) >= rpath_limit) { ++ long long dest_offset = dest - rpath; ++ char *new_rpath; ++ ++ if (resolved) { ++ printf("Path is to long"); ++ if (dest > rpath + 1) ++ dest--; ++ *dest = '\0'; ++ goto error; ++ } ++ ++ new_size = rpath_limit - rpath; ++ if (end - start + 1 > PATH_MAX) ++ new_size += end - start + 1; ++ else ++ new_size += PATH_MAX; ++ new_rpath = (char *) realloc(rpath, new_size); ++ if (new_rpath == NULL) { ++ ERROR("Out of memory"); ++ goto error; ++ } ++ rpath = new_rpath; ++ rpath_limit = rpath + new_size; ++ ++ dest = rpath + dest_offset; ++ } ++ ++ memcpy(dest, start, end - start); ++ dest += end - start; ++ *dest = '\0'; ++ } ++ } ++ if (dest > rpath + 1 && ISSLASH(dest[-1])) ++ --dest; ++ *dest = '\0'; ++ ++ return rpath; ++ ++error: ++ if (resolved == NULL) ++ free(rpath); ++ return NULL; ++} ++ ++// evalSymlinksInScope will evaluate symlinks in `path` within a scope `root` and return ++// a result guaranteed to be contained within the scope `root`, at the time of the call. ++// Symlinks in `root` are not evaluated and left as-is. ++// Errors encountered while attempting to evaluate symlinks in path will be returned. ++// Non-existing paths are valid and do not constitute an error. ++// `path` has to contain `root` as a prefix, or else an error will be returned. ++// Trying to break out from `root` does not constitute an error. ++// ++// Example: ++// If /foo/bar -> /outside, ++// FollowSymlinkInScope("/foo/bar", "/foo") == "/foo/outside" instead of "/oustide" ++char *eval_symlinks_in_scope(const char *fullpath, const char *rootpath) ++{ ++ char resroot[PATH_MAX] = {0}, *root = NULL; ++ char *rpath, *dest, *prefix, *extra_buf = NULL; ++ const char *start, *end, *rpath_limit; ++ int num_links = 0; ++ size_t prefix_len; ++ ++ if (!fullpath || !rootpath) ++ return NULL; ++ ++ root = cleanpath(rootpath, resroot); ++ if (!root) { ++ ERROR("Failed to get cleaned path"); ++ return NULL; ++ } ++ ++ if (!strcmp(fullpath, root)) ++ return strdup(fullpath); ++ ++ if (!strstr(fullpath, root)) { ++ ERROR("Path '%s' is not in '%s'", fullpath, root); ++ return NULL; ++ } ++ ++ rpath = malloc(PATH_MAX); ++ if (rpath == NULL) { ++ ERROR("Out of memory"); ++ goto error; ++ return NULL; ++ } ++ rpath_limit = rpath + PATH_MAX; ++ ++ prefix = root; ++ prefix_len = strlen(prefix); ++ if (!strcmp(prefix, "/")) ++ prefix_len = 0; ++ ++ dest = rpath; ++ if (prefix_len) { ++ memcpy(rpath, prefix, prefix_len); ++ dest += prefix_len; ++ } ++ *dest++ = '/'; ++ start = fullpath + prefix_len; ++ ++ for (end = start; *start; start = end) { ++ struct stat st; ++ int n; ++ ++ /* Skip sequence of multiple path-separators. */ ++ while (ISSLASH(*start)) ++ ++start; ++ ++ /* Find end of path component. */ ++ for (end = start; *end && !ISSLASH(*end); ++end) ++ /* Nothing. */; ++ ++ if (end - start == 0) { ++ break; ++ } else if (end - start == 1 && start[0] == '.') { ++ /* nothing */; ++ } else if (end - start == 2 && start[0] == '.' && start[1] == '.') { ++ /* Back up to previous component, ignore if at root already. */ ++ if (dest > rpath + prefix_len + 1) ++ for (--dest; dest > rpath && !ISSLASH(dest[-1]); --dest) ++ continue; ++ } else { ++ size_t new_size; ++ ++ if (!ISSLASH(dest[-1])) ++ *dest++ = '/'; ++ ++ if (dest + (end - start) >= rpath_limit) { ++ long long dest_offset = dest - rpath; ++ char *new_rpath; ++ ++ new_size = rpath_limit - rpath; ++ if (end - start + 1 > PATH_MAX) ++ new_size += end - start + 1; ++ else ++ new_size += PATH_MAX; ++ new_rpath = (char *) realloc(rpath, new_size); ++ if (new_rpath == NULL) { ++ ERROR("Out of memory"); ++ goto error; ++ } ++ rpath = new_rpath; ++ rpath_limit = rpath + new_size; ++ ++ dest = rpath + dest_offset; ++ } ++ ++ memcpy(dest, start, end - start); ++ dest += end - start; ++ *dest = '\0'; ++ ++ if (lstat(rpath, &st) < 0) { ++ // if rpath does not exist, accept it ++ continue; ++ } ++ ++ if (S_ISLNK(st.st_mode)) { ++ char *buf; ++ size_t len; ++ ++ if (++num_links > MAXSYMLINKS) { ++ ERROR("Too many links in '%s'", fullpath); ++ goto error; ++ } ++ ++ buf = malloc(PATH_MAX); ++ if (!buf) { ++ ERROR("Out of memory"); ++ goto error; ++ } ++ ++ n = readlink(rpath, buf, PATH_MAX - 1); ++ if (n < 0) { ++ free(buf); ++ goto error; ++ } ++ buf[n] = '\0'; ++ ++ if (!extra_buf) { ++ extra_buf = malloc(PATH_MAX); ++ if (!extra_buf) { ++ ERROR("Out of memory"); ++ free(buf); ++ goto error; ++ } ++ } ++ ++ len = strlen(end); ++ if ((long int)(n + len) >= PATH_MAX) { ++ free(buf); ++ ERROR("Path is too long"); ++ goto error; ++ } ++ ++ /* Careful here, end may be a pointer into extra_buf... */ ++ memmove(&extra_buf[n], end, len + 1); ++ fullpath = end = memcpy(extra_buf, buf, n); ++ ++ if (IS_ABSOLUTE_FILE_NAME(buf)) { ++ if (prefix_len) ++ memcpy(rpath, prefix, prefix_len); ++ dest = rpath + prefix_len; ++ *dest++ = '/'; /* It's an absolute symlink */ ++ } else { ++ /* Back up to previous component, ignore if at root ++ already: */ ++ if (dest > rpath + prefix_len + 1) ++ for (--dest; dest > rpath && !ISSLASH(dest[-1]); --dest) ++ continue; ++ } ++ } ++ } ++ } ++ if (dest > rpath + prefix_len + 1 && ISSLASH(dest[-1])) ++ --dest; ++ *dest = '\0'; ++ ++ if (extra_buf) ++ free(extra_buf); ++ ++ return rpath; ++ ++error: ++ if (extra_buf) ++ free(extra_buf); ++ free(rpath); ++ return NULL; ++} ++ ++// FollowSymlinkInScope is a wrapper around evalSymlinksInScope that returns an ++// absolute path. This function handles paths in a platform-agnostic manner. ++char *follow_symlink_in_scope(const char *fullpath, const char *rootpath) ++{ ++ char resfull[PATH_MAX] = {0}, *full = NULL; ++ char resroot[PATH_MAX] = {0}, *root = NULL; ++ ++ full = cleanpath(fullpath, resfull); ++ if (!full) { ++ ERROR("Failed to get cleaned path"); ++ return NULL; ++ } ++ ++ root = cleanpath(rootpath, resroot); ++ if (!root) { ++ ERROR("Failed to get cleaned path"); ++ return NULL; ++ } ++ ++ return eval_symlinks_in_scope(full, root); ++} ++ ++// GetResourcePath evaluates `path` in the scope of the container's rootpath, with proper path ++// sanitisation. Symlinks are all scoped to the rootpath of the container, as ++// though the container's rootpath was `/`. ++// ++// The BaseFS of a container is the host-facing path which is bind-mounted as ++// `/` inside the container. This method is essentially used to access a ++// particular path inside the container as though you were a process in that ++// container. ++int get_resource_path(const char *rootpath, const char *path, ++ char **scopepath) ++{ ++ char resolved[PATH_MAX] = {0}, *cleanedpath = NULL; ++ char *fullpath = NULL; ++ size_t len; ++ ++ if (!rootpath || !path || !scopepath) ++ return -1; ++ ++ *scopepath = NULL; ++ ++ cleanedpath = cleanpath(path, resolved); ++ if (!cleanedpath) { ++ ERROR("Failed to get cleaned path"); ++ return -1; ++ } ++ ++ len = strlen(rootpath) + strlen(cleanedpath) + 1; ++ fullpath = malloc(len); ++ if (!fullpath) { ++ ERROR("Out of memory"); ++ return -1; ++ } ++ snprintf(fullpath, len, "%s%s", rootpath, cleanedpath); ++ ++ *scopepath = follow_symlink_in_scope(fullpath, rootpath); ++ ++ free(fullpath); ++ return 0; ++} ++ ++// Rel returns a relative path that is lexically equivalent to targpath when ++// joined to basepath with an intervening separator. That is, ++// Join(basepath, Rel(basepath, targpath)) is equivalent to targpath itself. ++// On success, the returned path will always be relative to basepath, ++// even if basepath and targpath share no elements. ++// An error is returned if targpath can't be made relative to basepath or if ++// knowing the current working directory would be necessary to compute it. ++// Rel calls Clean on the result. ++char *path_relative(const char *basepath, const char *targpath) ++{ ++ char resbase[PATH_MAX] = {0}, *base = NULL; ++ char restarg[PATH_MAX] = {0}, *targ = NULL; ++ size_t bl = 0, tl = 0, b0 = 0, bi = 0, t0 = 0, ti = 0; ++ ++ base = cleanpath(basepath, resbase); ++ if (!base) { ++ ERROR("Failed to get cleaned path"); ++ return NULL; ++ } ++ ++ targ = cleanpath(targpath, restarg); ++ if (!targ) { ++ ERROR("Failed to get cleaned path"); ++ return NULL; ++ } ++ ++ if (strcmp(base, targ) == 0) ++ return strdup("."); ++ ++ bl = strlen(base); ++ tl = strlen(targ); ++ while(true) { ++ while(bi < bl && !ISSLASH(base[bi])) ++ bi++; ++ while(ti < tl && !ISSLASH(targ[ti])) ++ ti++; ++ //not the same string ++ if (((bi - b0) != (ti - t0)) || strncmp(base + b0, targ + t0, bi - b0)) ++ break; ++ if (bi < bl) ++ bi++; ++ if (ti < tl) ++ ti++; ++ b0 = bi; ++ t0 = ti; ++ } ++ ++ if (b0 != bl) { ++ // Base elements left. Must go up before going down. ++ int seps = 0, i; ++ size_t ncopyed = 0, seps_size; ++ char *buf; ++ ++ for (bi = b0; bi < bl; bi++) { ++ if (ISSLASH(base[bi])) ++ seps++; ++ } ++ //strlen(..) + strlen(/..) + '\0' ++ seps_size = 2 + seps * 3 + 1; ++ if (t0 != tl) ++ seps_size += 1 + tl - t0; ++ ++ buf = calloc(seps_size, 1); ++ if (!buf) { ++ ERROR("Out of memory"); ++ return NULL; ++ } ++ buf[ncopyed++] = '.'; ++ buf[ncopyed++] = '.'; ++ for (i = 0; i < seps; i++) { ++ buf[ncopyed++] = '/'; ++ buf[ncopyed++] = '.'; ++ buf[ncopyed++] = '.'; ++ } ++ if (t0 != tl) { ++ buf[ncopyed++] = '/'; ++ memcpy(buf + ncopyed, targ + t0, tl - t0 + 1); ++ } ++ return buf; ++ } ++ ++ return strdup(targ + t0); ++} +\ No newline at end of file +diff --git a/src/lxc/path.h b/src/lxc/path.h +new file mode 100644 +index 0000000..e3a04cc +--- /dev/null ++++ b/src/lxc/path.h +@@ -0,0 +1,70 @@ ++#ifndef __LCRD_PATH_H_ ++#define __LCRD_PATH_H_ ++ ++#include ++ ++bool specify_current_dir(const char *path); ++ ++bool has_traling_path_separator(const char *path); ++ ++// PreserveTrailingDotOrSeparator returns the given cleaned path ++// and appends a trailing `/.` or `/` if its corresponding original ++// path ends with a trailing `/.` or `/`. If the cleaned ++// path already ends in a `.` path segment, then another is not added. If the ++// clean path already ends in a path separator, then another is not added. ++char *preserve_trailing_dot_or_separator(const char *cleanedpath, ++ const char *originalpath); ++ ++ ++// Split splits path immediately following the final Separator, ++// separating it into a directory and file name component. ++// If there is no Separator in path, Split returns an empty dir ++// and file set to path. ++// The returned values have the property that path = dir+file. ++bool filepath_split(const char *path, char **dir, char **base); ++ ++/* ++ * cleanpath is similar to realpath of glibc, but not expands symbolic links, ++ * and not check the existence of components of the path. ++ */ ++char *cleanpath(const char *path, char *resolved); ++ ++// evalSymlinksInScope will evaluate symlinks in `path` within a scope `root` and return ++// a result guaranteed to be contained within the scope `root`, at the time of the call. ++// Symlinks in `root` are not evaluated and left as-is. ++// Errors encountered while attempting to evaluate symlinks in path will be returned. ++// Non-existing paths are valid and do not constitute an error. ++// `path` has to contain `root` as a prefix, or else an error will be returned. ++// Trying to break out from `root` does not constitute an error. ++// ++// Example: ++// If /foo/bar -> /outside, ++// FollowSymlinkInScope("/foo/bar", "/foo") == "/foo/outside" instead of "/oustide" ++char *eval_symlinks_in_scope(const char *fullpath, const char *rootpath); ++ ++// FollowSymlinkInScope is a wrapper around evalSymlinksInScope that returns an ++// absolute path. This function handles paths in a platform-agnostic manner. ++char *follow_symlink_in_scope(const char *fullpath, const char *rootpath); ++ ++// GetResourcePath evaluates `path` in the scope of the container's rootpath, with proper path ++// sanitisation. Symlinks are all scoped to the rootpath of the container, as ++// though the container's rootpath was `/`. ++// ++// The BaseFS of a container is the host-facing path which is bind-mounted as ++// `/` inside the container. This method is essentially used to access a ++// particular path inside the container as though you were a process in that ++// container. ++int get_resource_path(const char *rootpath, const char *path, ++ char **scopepath); ++ ++// Rel returns a relative path that is lexically equivalent to targpath when ++// joined to basepath with an intervening separator. That is, ++// Join(basepath, Rel(basepath, targpath)) is equivalent to targpath itself. ++// On success, the returned path will always be relative to basepath, ++// even if basepath and targpath share no elements. ++// An error is returned if targpath can't be made relative to basepath or if ++// knowing the current working directory would be necessary to compute it. ++// Rel calls Clean on the result. ++char *path_relative(const char *basepath, const char *targpath); ++ ++#endif +-- +1.8.3.1 + diff --git a/0025-support-oci-hooks.patch b/0025-support-oci-hooks.patch new file mode 100644 index 0000000..9001974 --- /dev/null +++ b/0025-support-oci-hooks.patch @@ -0,0 +1,3087 @@ +From a32efb4b476da94f343aa56e400b180a7686079e Mon Sep 17 00:00:00 2001 +From: liuhao +Date: Mon, 14 Jan 2019 17:47:17 +0800 +Subject: [PATCH 025/122] support oci hooks + +support oci hooks + +Signed-off-by: LiFeng +--- + configure.ac | 3 + + src/lxc/Makefile.am | 13 +- + src/lxc/conf.c | 528 ++++++++++++++++- + src/lxc/conf.h | 9 + + src/lxc/json/defs.c | 198 +++++++ + src/lxc/json/defs.h | 37 ++ + src/lxc/json/json_common.c | 1196 ++++++++++++++++++++++++++++++++++++++ + src/lxc/json/json_common.h | 185 ++++++ + src/lxc/json/oci_runtime_hooks.c | 53 ++ + src/lxc/json/oci_runtime_hooks.h | 15 + + src/lxc/json/oci_runtime_spec.c | 196 +++++++ + src/lxc/json/oci_runtime_spec.h | 37 ++ + src/lxc/json/read-file.c | 94 +++ + src/lxc/json/read-file.h | 11 + + src/lxc/lxccontainer.c | 66 +++ + src/lxc/lxccontainer.h | 7 + + src/lxc/start.c | 17 + + src/lxc/utils.c | 66 ++- + src/lxc/utils.h | 2 + + 19 files changed, 2716 insertions(+), 17 deletions(-) + create mode 100644 src/lxc/json/defs.c + create mode 100644 src/lxc/json/defs.h + create mode 100755 src/lxc/json/json_common.c + create mode 100755 src/lxc/json/json_common.h + create mode 100644 src/lxc/json/oci_runtime_hooks.c + create mode 100644 src/lxc/json/oci_runtime_hooks.h + create mode 100644 src/lxc/json/oci_runtime_spec.c + create mode 100644 src/lxc/json/oci_runtime_spec.h + create mode 100644 src/lxc/json/read-file.c + create mode 100644 src/lxc/json/read-file.h + +diff --git a/configure.ac b/configure.ac +index 950c8dd..4da52a2 100644 +--- a/configure.ac ++++ b/configure.ac +@@ -120,6 +120,9 @@ AM_CONDITIONAL([DISTRO_UBUNTU], [test "x$with_distro" = "xubuntu"]) + + AC_CONFIG_LINKS([config/etc/default.conf:config/etc/${distroconf}]) + ++# Check yajl ++PKG_CHECK_MODULES([YAJL], [yajl >= 2],[],[AC_MSG_ERROR([You must install yajl >= 2])]) ++ + # Check for init system type + AC_MSG_CHECKING([for init system type]) + AC_ARG_WITH([init-script], +diff --git a/src/lxc/Makefile.am b/src/lxc/Makefile.am +index f2928b7..5678b8d 100644 +--- a/src/lxc/Makefile.am ++++ b/src/lxc/Makefile.am +@@ -43,6 +43,11 @@ noinst_HEADERS = attach.h \ + ../tests/lxctest.h \ + tools/arguments.h \ + storage/storage_utils.h \ ++ json/defs.h \ ++ json/json_common.h \ ++ json/oci_runtime_hooks.h \ ++ json/oci_runtime_spec.h \ ++ json/read-file.h \ + utils.h + + if IS_BIONIC +@@ -140,6 +145,11 @@ liblxc_la_SOURCES = af_unix.c af_unix.h \ + terminal.c \ + utils.c utils.h \ + version.h \ ++ json/json_common.c json/json_common.h \ ++ json/defs.h json/defs.c \ ++ json/oci_runtime_hooks.c json/oci_runtime_hooks.h \ ++ json/oci_runtime_spec.c json/oci_runtime_spec.h \ ++ json/read-file.c json/read-file.h \ + $(LSM_SOURCES) + + if IS_BIONIC +@@ -192,6 +202,7 @@ AM_CFLAGS = -DLXCROOTFSMOUNT=\"$(LXCROOTFSMOUNT)\" \ + -I $(top_srcdir)/src \ + -I $(top_srcdir)/src/lxc \ + -I $(top_srcdir)/src/lxc/storage \ ++ -I $(top_srcdir)/src/lxc/json \ + -I $(top_srcdir)/src/lxc/cgroups + + if ENABLE_APPARMOR +@@ -224,7 +235,7 @@ liblxc_la_CFLAGS = -fPIC \ + liblxc_la_LDFLAGS = -pthread \ + -Wl,-no-undefined \ + -Wl,-soname,liblxc.so.$(firstword $(subst ., ,@LXC_ABI@)) \ +- -version-info @LXC_ABI_MAJOR@ ++ -version-info @LXC_ABI_MAJOR@ @YAJL_LIBS@ + + liblxc_la_LIBADD = $(CAP_LIBS) \ + $(GNUTLS_LIBS) \ +diff --git a/src/lxc/conf.c b/src/lxc/conf.c +index 800573a..6a14de1 100644 +--- a/src/lxc/conf.c ++++ b/src/lxc/conf.c +@@ -53,6 +53,7 @@ + #include + #include + #include ++#include + + #include "af_unix.h" + #include "caps.h" +@@ -137,7 +138,10 @@ char *lxchook_names[NUM_LXC_HOOKS] = { + "post-stop", + "clone", + "destroy", +- "start-host" ++ "start-host", ++ "oci-prestart", ++ "oci-poststart", ++ "oci-poststop" + }; + + struct mount_opt { +@@ -4082,13 +4086,530 @@ int lxc_setup(struct lxc_handler *handler) + return 0; + } + ++struct oci_hook_conf { ++ defs_hook *ocihook; ++ ++ int errfd; ++ int which; ++}; ++ ++struct wait_conf { ++ pid_t pid; ++ unsigned long long startat; ++ int timeout; ++ int errfd; ++ int which; ++}; ++ ++static char* generate_json_str(const char *name, const char *lxcpath, const char *rootfs) ++{ ++ char *cpid = NULL; ++ char *inmsg = NULL; ++ int rc = 0, ret = 0; ++ size_t size; ++ ++ if (!name || !lxcpath || !rootfs) { ++ ERROR("Invalid arguments"); ++ return NULL; ++ } ++ cpid = getenv("LXC_PID"); ++ if (!cpid) { ++ ERROR("Get container %s pid failed: %s", name, strerror(errno)); ++ cpid = "-1"; ++ } ++ // {"ociVersion":"","id":"xxx","pid":777,"root":"xxx","bundlePath":"xxx"} ++ size = 1 + 16 + 5 + strlen(name) + 3 + 6 + strlen(cpid) + 1 ++ + 7 + strlen(rootfs) + 3 + 13 + strlen(lxcpath) + 1 + strlen(name) + 3 + 1; ++ inmsg = malloc(size); ++ if (!inmsg) { ++ ERROR("Out of memory"); ++ ret = -1; ++ goto out_free; ++ } ++ rc = snprintf(inmsg, size, ++ "{\"ociVersion\":\"\",\"id\":\"%s\",\"pid\":%s,\"root\":\"%s\",\"bundlePath\":\"%s/%s\"}", ++ name, cpid, rootfs, lxcpath, name); ++ if (rc < 0 || rc >= size) { ++ ERROR("Create json string failed"); ++ ret = -1; ++ } ++ ++out_free: ++ if (ret) { ++ free(inmsg); ++ inmsg = NULL; ++ } ++ return inmsg; ++} ++ ++static char **merge_ocihook_env(char **oldenvs, size_t env_len, size_t *merge_env_len) ++{ ++ char **result; ++ size_t result_len = env_len; ++ size_t i, j; ++ char *tmpenv; ++ char *lxc_envs[] = {"LXC_CGNS_AWARE", "LXC_PID", "LXC_ROOTFS_MOUNT", ++ "LXC_CONFIG_FILE", "LXC_CGROUP_PATH", "LXC_ROOTFS_PATH", "LXC_NAME"}; ++ char *lxcenv_buf; ++ ++ result_len += (sizeof(lxc_envs) / sizeof(char *)) + 1; ++ result = malloc(sizeof(char *) * result_len); ++ if (!result) ++ return NULL; ++ memset(result, 0, sizeof(char *) * result_len); ++ ++ for(i = 0; i < env_len; i++) { ++ if (oldenvs[i]) ++ result[i] = strdup(oldenvs[i]); ++ } ++ ++ for(j = 0; j < (sizeof(lxc_envs) / sizeof(char *)); j++) { ++ tmpenv = getenv(lxc_envs[j]); ++ if (tmpenv && i < (result_len - 1)) { ++ lxcenv_buf = malloc(strlen(tmpenv) + 1 + strlen(lxc_envs[j]) + 1); ++ if (!lxcenv_buf) { ++ lxc_free_array((void **)result, free); ++ return NULL; ++ } ++ if (sprintf(lxcenv_buf, "%s=%s", lxc_envs[j], tmpenv) < 0) { ++ free(lxcenv_buf); ++ continue; ++ } ++ result[i++] = lxcenv_buf; ++ lxcenv_buf = NULL; ++ } ++ } ++ ++ *merge_env_len = i; ++ return result; ++} ++ ++static struct lxc_popen_FILE *lxc_popen_ocihook(char *commandpath, char **args, int args_len, ++ char **envs, int env_len, const char *instr) ++{ ++ int ret; ++ struct lxc_popen_FILE *fp = NULL; ++ int pipe_fds[2] = {-1, -1}; ++ int pipe_msg[2] = {-1, -1}; ++ pid_t child_pid; ++ ++ ret = pipe2(pipe_fds, O_CLOEXEC | O_NONBLOCK); ++ if (ret < 0) ++ return NULL; ++ ++ ret = pipe2(pipe_msg, O_CLOEXEC | O_NONBLOCK); ++ if (ret < 0) { ++ ERROR("Pipe msg failure"); ++ close(pipe_fds[0]); ++ close(pipe_fds[1]); ++ return NULL; ++ } ++ ++ child_pid = fork(); ++ if (child_pid < 0) ++ goto on_error; ++ ++ if (child_pid == 0) { ++ /* child */ ++ size_t result_capacity; ++ int r; ++ char **real_args; ++ ++ close(pipe_msg[1]); ++ if (pipe_msg[0] != STDIN_FILENO) ++ dup2(pipe_msg[0], STDIN_FILENO); ++ else { ++ if (fcntl(pipe_msg[0], F_SETFD, 0) != 0) { ++ SYSERROR("Failed to remove FD_CLOEXEC from fd."); ++ exit(127); ++ } ++ } ++ close(pipe_msg[0]); ++ ++ close(pipe_fds[0]); ++ ++ /* duplicate stdout */ ++ if (pipe_fds[1] != STDOUT_FILENO) ++ ret = dup2(pipe_fds[1], STDOUT_FILENO); ++ else ++ ret = fcntl(pipe_fds[1], F_SETFD, 0); ++ if (ret < 0) { ++ close(pipe_fds[1]); ++ _exit(EXIT_FAILURE); ++ } ++ ++ /* duplicate stderr */ ++ if (pipe_fds[1] != STDERR_FILENO) ++ ret = dup2(pipe_fds[1], STDERR_FILENO); ++ else ++ ret = fcntl(pipe_fds[1], F_SETFD, 0); ++ close(pipe_fds[1]); ++ if (ret < 0) ++ _exit(EXIT_FAILURE); ++ ++ /* ++ * Unblock signals. ++ * This is the main/only reason ++ * why we do our lousy popen() emulation. ++ */ ++ { ++ sigset_t mask; ++ sigfillset(&mask); ++ sigprocmask(SIG_UNBLOCK, &mask, NULL); ++ } ++ ++ result_capacity = args_len; ++ real_args = malloc(sizeof(char *) * (result_capacity + 2 + 1)); ++ if (!real_args) ++ _exit(EXIT_FAILURE); ++ memset(real_args, 0, sizeof(char *) * (result_capacity + 2 + 1)); ++ real_args[0] = strdup("sh"); ++ real_args[1] = strdup(commandpath); ++ for(r = 2; r < (args_len + 1); r++) ++ real_args[r] = strdup(args[r-1]); ++ ++ if (env_len > 0) ++ execvpe("/bin/sh", real_args, envs); ++ else ++ execvp("/bin/sh", real_args); ++ exit(127); ++ } ++ ++ /* parent */ ++ ++ close(pipe_fds[1]); ++ pipe_fds[1] = -1; ++ ++ close(pipe_msg[0]); ++ pipe_msg[0]= -1; ++ if (instr) { ++ size_t len = strlen(instr); ++ if (lxc_write_nointr(pipe_msg[1], instr, len) != len) { ++ WARN("Write instr: %s failed", instr); ++ } ++ } ++ close(pipe_msg[1]); ++ pipe_msg[1]= -1; ++ ++ fp = calloc(1, sizeof(*fp)); ++ if (!fp) { ++ ERROR("Failed to allocate memory"); ++ goto on_error; ++ } ++ ++ fp->child_pid = child_pid; ++ fp->pipe = pipe_fds[0]; ++ ++ return fp; ++ ++on_error: ++ ++ if (pipe_fds[0] >= 0) ++ close(pipe_fds[0]); ++ ++ if (pipe_fds[1] >= 0) ++ close(pipe_fds[1]); ++ ++ if (pipe_msg[0] >= 0) ++ close(pipe_msg[0]); ++ ++ if (pipe_msg[1] >= 0) ++ close(pipe_msg[1]); ++ ++ if (fp) ++ free(fp); ++ ++ return NULL; ++} ++ ++void* wait_ocihook_timeout(void *arg) ++{ ++ bool alive = false; ++ struct wait_conf *conf = (struct wait_conf *)arg; ++ ++ if (!conf || conf->timeout < 1) ++ goto out; ++ ++ sleep(conf->timeout); ++ ++ alive = lxc_process_alive(conf->pid, conf->startat); ++ ++ if (alive) { ++ ERROR("%s:%d: running %s hook caused \"hook ran past specified timeout of %.1fs\"", ++ __FILE__, __LINE__, ++ (conf->which == LXCHOOK_START_HOST) ? "prestart" : lxchook_names[conf->which], ++ (double)conf->timeout); ++ ++ if (conf->errfd >= 0) { ++ lxc_write_error_message(conf->errfd, "%s:%d: running %s hook caused \"hook ran past specified timeout of %.1fs\"", ++ __FILE__, __LINE__, ++ (conf->which == LXCHOOK_START_HOST) ? "prestart" : lxchook_names[conf->which], ++ (double)conf->timeout); ++ } ++ ++ if (kill(conf->pid, SIGKILL) && errno != ESRCH) { ++ ERROR("Send kill signal failed"); ++ goto out; ++ } ++ } ++ ++out: ++ free(conf); ++ return ((void *)0); ++} ++ ++static int run_ocihook_buffer(struct oci_hook_conf *oconf, char *inmsg) ++{ ++ struct lxc_popen_FILE *f; ++ char output[LXC_LOG_BUFFER_SIZE] = {0}; ++ int ret; ++ pthread_t ptid; ++ int err; ++ struct wait_conf *conf = NULL; ++ pthread_attr_t attr; ++ char *buffer = oconf->ocihook->path; ++ char *err_args_msg = NULL; ++ char *err_envs_msg = NULL; ++ char **hookenvs = NULL; ++ size_t hookenvs_len = 0; ++ ++ hookenvs = merge_ocihook_env(oconf->ocihook->env, oconf->ocihook->env_len, &hookenvs_len); ++ if (!hookenvs) { ++ ERROR("Out of memory."); ++ return -1; ++ } ++ ++ f = lxc_popen_ocihook(buffer, oconf->ocihook->args, oconf->ocihook->args_len, hookenvs, hookenvs_len, inmsg); ++ lxc_free_array((void **)hookenvs, free); ++ if (!f) { ++ SYSERROR("Failed to popen() %s.", buffer); ++ return -1; ++ } ++ ++ conf = malloc(sizeof(struct wait_conf)); ++ if (!conf) { ++ SYSERROR("Failed to malloc."); ++ goto on_error; ++ } ++ ++ memset(conf, 0x00, sizeof(struct wait_conf)); ++ ++ conf->pid = f->child_pid; ++ conf->startat = lxc_get_process_startat(conf->pid); ++ ++ INFO("hook_conf timeout %d", oconf->ocihook->timeout); ++ if(oconf->ocihook->timeout > 0) ++ conf->timeout = oconf->ocihook->timeout; ++ else { ++ conf->timeout = 30; ++ INFO("Set hook timeout 30s"); ++ } ++ conf->errfd = oconf->errfd; ++ conf->which = oconf->which; ++ ++ pthread_attr_init(&attr); ++ pthread_attr_setdetachstate(&attr, PTHREAD_CREATE_DETACHED); ++ err = pthread_create(&ptid, &attr, wait_ocihook_timeout, conf); ++ if (err != 0) { ++ ERROR("Create wait timeout thread failed"); ++ goto on_error; ++ } ++ ++ ret = lxc_wait_for_pid_status(f->child_pid); ++ ++ lxc_read_nointr(f->pipe, output, sizeof(output) - 1); ++ close(f->pipe); ++ free(f); ++ ++ if (ret == -1) { ++ SYSERROR("Script exited with error."); ++ goto print_hook; ++ } else if (WIFEXITED(ret) && WEXITSTATUS(ret) != 0) { ++ ERROR("Script exited with status %d. output:%s", WEXITSTATUS(ret), output); ++ if (conf->errfd >= 0) { ++ lxc_write_error_message(conf->errfd, "%s:%d: running %s hook caused \"error running hook: exit status %d, output:%s\"", ++ __FILE__, __LINE__, ++ (conf->which >= NUM_LXC_HOOKS) ? "invalid type" : lxchook_names[conf->which], ++ WEXITSTATUS(ret), output); ++ } ++ ++ goto print_hook; ++ } else if (WIFSIGNALED(ret)) { ++ ERROR("Script terminated by signal %d.", WTERMSIG(ret)); ++ if (conf->errfd >= 0) { ++ lxc_write_error_message(conf->errfd, "%s:%d: running %s hook caused \"error running hook: Script terminated by signal %d\"", ++ __FILE__, __LINE__, ++ (conf->which >= NUM_LXC_HOOKS) ? "invalid type" : lxchook_names[conf->which], ++ WTERMSIG(ret)); ++ } ++ ++ goto print_hook; ++ } ++ ++ return 0; ++ ++on_error: ++ if (f) { ++ if (f->pipe >= 0) ++ close(f->pipe); ++ free(f); ++ } ++ ++print_hook: ++ if (oconf->ocihook->args) ++ err_args_msg = lxc_string_join(" ", (const char **)oconf->ocihook->args, false); ++ if (oconf->ocihook->env) ++ err_envs_msg = lxc_string_join(" ", (const char **)oconf->ocihook->env, false); ++ ERROR("Hook script command: \"%s\", args: \"%s\", envs: \"%s\", timeout: %d.", ++ buffer, err_args_msg ? err_args_msg : "", ++ err_envs_msg ? err_envs_msg : "", conf->timeout); ++ ++ free(err_args_msg); ++ free(err_envs_msg); ++ return -1; ++} ++ ++static int run_ocihook_script_argv(const char *name, const char *section, ++ struct oci_hook_conf *oconf, ++ const char *lxcpath, const char *rootfs) ++{ ++ int ret; ++ const char *script = oconf->ocihook->path; ++ char *inmsg; ++ ++ INFO("Executing script \"%s\" for container \"%s\", config section \"%s\".", ++ script, name, section); ++ ++ inmsg = generate_json_str(name, lxcpath, rootfs); ++ if (!inmsg) { ++ return -1; ++ } ++ ++ ret = run_ocihook_buffer(oconf, inmsg); ++ free(inmsg); ++ inmsg = NULL; ++ return ret; ++} ++ ++static char *get_root_path(const char *path, const char *backend) ++{ ++ char *ret = NULL; ++ char *tmp = NULL; ++ ++ if (!path) { ++ ret = strdup("/"); ++ return ret; ++ } ++ if (!backend) { ++ goto default_out; ++ } ++ ++ if (strcmp(backend, "aufs") == 0 || ++ strcmp(backend, "overlayfs") == 0 || ++ strcmp(backend, "loop") == 0) { ++ tmp = strrchr(path, ':'); ++ tmp++; ++ ret = strdup(tmp); ++ if (!ret) { ++ ERROR("Out of memory"); ++ return NULL; ++ } ++ return ret; ++ } ++ ++default_out: ++ ret = strdup(path); ++ if (!ret) { ++ ERROR("Out of memory"); ++ return NULL; ++ } ++ return ret; ++} ++ ++static int run_oci_hooks(const char *name, const char *lxcpath, struct lxc_conf *lc, int which, int errfd) ++{ ++ struct oci_hook_conf work_conf = {0}; ++ oci_runtime_spec_hooks *ocihooks = NULL; ++ size_t i; ++ int ret = 0; ++ char *rootpath; ++ ++ if (!lc || !lc->ocihooks) { ++ return -1; ++ } ++ ++ rootpath = get_root_path(lc->rootfs.path, lc->rootfs.bdev_type); ++ if (!rootpath) { ++ ERROR("Get container %s rootpath failed.", name); ++ return -1; ++ } ++ ++ work_conf.errfd = errfd; ++ work_conf.which = which; ++ switch (which) { ++ case OCI_HOOK_PRESTART: ++ for (i = 0; i < lc->ocihooks->prestart_len; i++) { ++ work_conf.ocihook = lc->ocihooks->prestart[i]; ++ ret = run_ocihook_script_argv(name, "lxc", &work_conf, lxcpath, rootpath); ++ if (ret != 0) ++ break; ++ } ++ break; ++ case OCI_HOOK_POSTSTART: ++ for (i = 0; i < lc->ocihooks->poststart_len; i++) { ++ work_conf.ocihook = lc->ocihooks->poststart[i]; ++ ret = run_ocihook_script_argv(name, "lxc", &work_conf, lxcpath, rootpath); ++ if (ret != 0) ++ break; ++ } ++ break; ++ case OCI_HOOK_POSTSTOP: ++ for (i = 0; i < lc->ocihooks->poststop_len; i++) { ++ work_conf.ocihook = lc->ocihooks->poststop[i]; ++ ret = run_ocihook_script_argv(name, "lxc", &work_conf, lxcpath, rootpath); ++ if (ret != 0) ++ break; ++ } ++ break; ++ default: ++ ret = -1; ++ } ++ if (rootpath) ++ free(rootpath); ++ return ret; ++} ++ + int run_lxc_hooks(const char *name, char *hookname, struct lxc_conf *conf, + char *argv[]) + { + struct lxc_list *it; + int which = -1; + +- if (strcmp(hookname, "pre-start") == 0) ++ if (strcmp(hookname, "oci-prestart") == 0) { ++ int ret; ++ which = OCI_HOOK_PRESTART; ++ if (!argv || !argv[0]) { ++ ERROR("oci hook require lxcpath"); ++ return -1; ++ } ++ return run_oci_hooks(name, argv[0], conf, which, conf->errpipe[1]); ++ } else if (strcmp(hookname, "oci-poststart") == 0) { ++ int ret; ++ which = OCI_HOOK_POSTSTART; ++ if (!argv || !argv[0]) { ++ ERROR("oci hook require lxcpath"); ++ return -1; ++ } ++ return run_oci_hooks(name, argv[0], conf, which, conf->errpipe[1]); ++ } else if (strcmp(hookname, "oci-poststop") == 0) { ++ int ret; ++ which = OCI_HOOK_POSTSTOP; ++ if (!argv || !argv[0]) { ++ ERROR("oci hook require lxcpath"); ++ return -1; ++ } ++ return run_oci_hooks(name, argv[0], conf, which, conf->errpipe[1]); ++ } else if (strcmp(hookname, "pre-start") == 0) + which = LXCHOOK_PRESTART; + else if (strcmp(hookname, "start-host") == 0) + which = LXCHOOK_START_HOST; +@@ -4476,6 +4997,9 @@ void lxc_conf_free(struct lxc_conf *conf) + + if (current_config == conf) + current_config = NULL; ++ // isulad: free oci hooks ++ if (conf->ocihooks) ++ free_oci_runtime_spec_hooks(conf->ocihooks); + lxc_terminal_conf_free(&conf->console); + free(conf->rootfs.mount); + free(conf->rootfs.bdev_type); +diff --git a/src/lxc/conf.h b/src/lxc/conf.h +index 7393dbf..2263e47 100644 +--- a/src/lxc/conf.h ++++ b/src/lxc/conf.h +@@ -35,6 +35,7 @@ + #include + #include + ++#include "oci_runtime_hooks.h" + #include "compiler.h" + #include "config.h" + #include "list.h" +@@ -239,6 +240,9 @@ enum lxchooks { + LXCHOOK_CLONE, + LXCHOOK_DESTROY, + LXCHOOK_START_HOST, ++ OCI_HOOK_PRESTART, ++ OCI_HOOK_POSTSTART, ++ OCI_HOOK_POSTSTOP, + NUM_LXC_HOOKS + }; + +@@ -307,6 +311,11 @@ struct lxc_conf { + struct lxc_list hooks[NUM_LXC_HOOKS]; + }; + ++ /* ++ * isulad: support oci hook ++ * */ ++ oci_runtime_spec_hooks *ocihooks; ++ + char *lsm_aa_profile; + unsigned int lsm_aa_allow_incomplete; + char *lsm_se_context; +diff --git a/src/lxc/json/defs.c b/src/lxc/json/defs.c +new file mode 100644 +index 0000000..38df2f7 +--- /dev/null ++++ b/src/lxc/json/defs.c +@@ -0,0 +1,198 @@ ++// Generated from defs.json. Do not edit! ++#ifndef _GNU_SOURCE ++#define _GNU_SOURCE ++#endif ++#include ++#include ++#include "securec.h" ++#include "defs.h" ++ ++defs_hook *make_defs_hook(yajl_val tree, struct parser_context *ctx, parser_error *err) { ++ defs_hook *ret = NULL; ++ *err = 0; ++ if (tree == NULL) ++ return ret; ++ ret = safe_malloc(sizeof(*ret)); ++ { ++ yajl_val val = get_val(tree, "path", yajl_t_string); ++ if (val) { ++ char *str = YAJL_GET_STRING(val); ++ ret->path = safe_strdup(str ? str : ""); ++ } ++ } ++ { ++ yajl_val tmp = get_val(tree, "args", yajl_t_array); ++ if (tmp && YAJL_GET_ARRAY(tmp)) { ++ size_t i; ++ ret->args_len = YAJL_GET_ARRAY(tmp)->len; ++ ret->args = safe_malloc((YAJL_GET_ARRAY(tmp)->len + 1) * sizeof(*ret->args)); ++ for (i = 0; i < YAJL_GET_ARRAY(tmp)->len; i++) { ++ yajl_val val = YAJL_GET_ARRAY(tmp)->values[i]; ++ if (val) { ++ char *str = YAJL_GET_STRING(val); ++ ret->args[i] = safe_strdup(str ? str : ""); ++ } ++ } ++ } ++ } ++ { ++ yajl_val tmp = get_val(tree, "env", yajl_t_array); ++ if (tmp && YAJL_GET_ARRAY(tmp)) { ++ size_t i; ++ ret->env_len = YAJL_GET_ARRAY(tmp)->len; ++ ret->env = safe_malloc((YAJL_GET_ARRAY(tmp)->len + 1) * sizeof(*ret->env)); ++ for (i = 0; i < YAJL_GET_ARRAY(tmp)->len; i++) { ++ yajl_val val = YAJL_GET_ARRAY(tmp)->values[i]; ++ if (val) { ++ char *str = YAJL_GET_STRING(val); ++ ret->env[i] = safe_strdup(str ? str : ""); ++ } ++ } ++ } ++ } ++ { ++ yajl_val val = get_val(tree, "timeout", yajl_t_number); ++ if (val) { ++ int invalid = common_safe_int(YAJL_GET_NUMBER(val), (int *)&ret->timeout); ++ if (invalid) { ++ if (asprintf(err, "Invalid value '%s' with type 'integer' for key 'timeout': %s", YAJL_GET_NUMBER(val), strerror(-invalid)) < 0) ++ *err = safe_strdup("error allocating memory"); ++ free_defs_hook(ret); ++ return NULL; ++ } ++ } ++ } ++ if (ret->path == NULL) { ++ if (asprintf(err, "Required field '%s' not present", "path") < 0) ++ *err = safe_strdup("error allocating memory"); ++ free_defs_hook(ret); ++ return NULL; ++ } ++ ++ if (tree->type == yajl_t_object && (ctx->options & PARSE_OPTIONS_STRICT)) { ++ int i; ++ for (i = 0; i < tree->u.object.len; i++) ++ if (strcmp(tree->u.object.keys[i], "path") && ++ strcmp(tree->u.object.keys[i], "args") && ++ strcmp(tree->u.object.keys[i], "env") && ++ strcmp(tree->u.object.keys[i], "timeout")) { ++ if (ctx->stderr > 0) ++ fprintf(ctx->stderr, "WARNING: unknown key found: %s\n", tree->u.object.keys[i]); ++ } ++ } ++ return ret; ++} ++ ++void free_defs_hook(defs_hook *ptr) { ++ if (!ptr) ++ return; ++ free(ptr->path); ++ ptr->path = NULL; ++ if (ptr->args) { ++ size_t i; ++ for (i = 0; i < ptr->args_len; i++) { ++ if (ptr->args[i]) { ++ free(ptr->args[i]); ++ ptr->args[i] = NULL; ++ } ++ } ++ free(ptr->args); ++ ptr->args = NULL; ++ } ++ if (ptr->env) { ++ size_t i; ++ for (i = 0; i < ptr->env_len; i++) { ++ if (ptr->env[i]) { ++ free(ptr->env[i]); ++ ptr->env[i] = NULL; ++ } ++ } ++ free(ptr->env); ++ ptr->env = NULL; ++ } ++ free(ptr); ++} ++ ++yajl_gen_status gen_defs_hook(yajl_gen g, defs_hook *ptr, struct parser_context *ctx, parser_error *err) { ++ yajl_gen_status stat = yajl_gen_status_ok; ++ *err = 0; ++ stat = reformat_start_map(g); ++ if (yajl_gen_status_ok != stat) ++ GEN_SET_ERROR_AND_RETURN(stat, err); ++ if ((ctx->options & GEN_OPTIONS_ALLKEYVALUE) ||(ptr && ptr->path)) { ++ char *str = ""; ++ stat = reformat_map_key(g, "path", strlen("path")); ++ if (yajl_gen_status_ok != stat) ++ GEN_SET_ERROR_AND_RETURN(stat, err); ++ if (ptr && ptr->path) { ++ str = ptr->path; ++ } ++ stat = reformat_string(g, str, strlen(str)); ++ if (yajl_gen_status_ok != stat) ++ GEN_SET_ERROR_AND_RETURN(stat, err); ++ } ++ if ((ctx->options & GEN_OPTIONS_ALLKEYVALUE) ||(ptr && ptr->args)) { ++ size_t len = 0, i; ++ stat = reformat_map_key(g, "args", strlen("args")); ++ if (yajl_gen_status_ok != stat) ++ GEN_SET_ERROR_AND_RETURN(stat, err); ++ if (ptr && ptr->args) { ++ len = ptr->args_len; ++ } ++ if (!len && !(ctx->options & GEN_OPTIONS_SIMPLIFY)) ++ yajl_gen_config(g, yajl_gen_beautify, 0); ++ stat = reformat_start_array(g); ++ if (yajl_gen_status_ok != stat) ++ GEN_SET_ERROR_AND_RETURN(stat, err); ++ for (i = 0; i < len; i++) { ++ stat = reformat_string(g, ptr->args[i], strlen(ptr->args[i])); ++ if (yajl_gen_status_ok != stat) ++ GEN_SET_ERROR_AND_RETURN(stat, err); ++ } ++ stat = reformat_end_array(g); ++ if (yajl_gen_status_ok != stat) ++ GEN_SET_ERROR_AND_RETURN(stat, err); ++ if (!len && !(ctx->options & GEN_OPTIONS_SIMPLIFY)) ++ yajl_gen_config(g, yajl_gen_beautify, 1); ++ } ++ if ((ctx->options & GEN_OPTIONS_ALLKEYVALUE) ||(ptr && ptr->env)) { ++ size_t len = 0, i; ++ stat = reformat_map_key(g, "env", strlen("env")); ++ if (yajl_gen_status_ok != stat) ++ GEN_SET_ERROR_AND_RETURN(stat, err); ++ if (ptr && ptr->env) { ++ len = ptr->env_len; ++ } ++ if (!len && !(ctx->options & GEN_OPTIONS_SIMPLIFY)) ++ yajl_gen_config(g, yajl_gen_beautify, 0); ++ stat = reformat_start_array(g); ++ if (yajl_gen_status_ok != stat) ++ GEN_SET_ERROR_AND_RETURN(stat, err); ++ for (i = 0; i < len; i++) { ++ stat = reformat_string(g, ptr->env[i], strlen(ptr->env[i])); ++ if (yajl_gen_status_ok != stat) ++ GEN_SET_ERROR_AND_RETURN(stat, err); ++ } ++ stat = reformat_end_array(g); ++ if (yajl_gen_status_ok != stat) ++ GEN_SET_ERROR_AND_RETURN(stat, err); ++ if (!len && !(ctx->options & GEN_OPTIONS_SIMPLIFY)) ++ yajl_gen_config(g, yajl_gen_beautify, 1); ++ } ++ if ((ctx->options & GEN_OPTIONS_ALLKEYVALUE) ||(ptr && ptr->timeout)) { ++ long long int num = 0; ++ stat = reformat_map_key(g, "timeout", strlen("timeout")); ++ if (yajl_gen_status_ok != stat) ++ GEN_SET_ERROR_AND_RETURN(stat, err); ++ if (ptr && ptr->timeout) { ++ num = (long long int)ptr->timeout; ++ } ++ stat = reformat_int(g, num); ++ if (yajl_gen_status_ok != stat) ++ GEN_SET_ERROR_AND_RETURN(stat, err); ++ } ++ stat = reformat_end_map(g); ++ if (yajl_gen_status_ok != stat) ++ GEN_SET_ERROR_AND_RETURN(stat, err); ++ return yajl_gen_status_ok; ++} +diff --git a/src/lxc/json/defs.h b/src/lxc/json/defs.h +new file mode 100644 +index 0000000..0bbd8ac +--- /dev/null ++++ b/src/lxc/json/defs.h +@@ -0,0 +1,37 @@ ++// Generated from defs.json. Do not edit! ++#ifndef DEFS_SCHEMA_H ++#define DEFS_SCHEMA_H ++ ++#include ++#include ++#include "json_common.h" ++ ++#ifdef __cplusplus ++extern "C" { ++#endif ++ ++typedef struct { ++ char *path; ++ ++ char **args; ++ size_t args_len; ++ ++ char **env; ++ size_t env_len; ++ ++ int timeout; ++ ++} ++defs_hook; ++ ++void free_defs_hook(defs_hook *ptr); ++ ++defs_hook *make_defs_hook(yajl_val tree, struct parser_context *ctx, parser_error *err); ++ ++yajl_gen_status gen_defs_hook(yajl_gen g, defs_hook *ptr, struct parser_context *ctx, parser_error *err); ++ ++#ifdef __cplusplus ++} ++#endif ++ ++#endif +diff --git a/src/lxc/json/json_common.c b/src/lxc/json/json_common.c +new file mode 100755 +index 0000000..8b91844 +--- /dev/null ++++ b/src/lxc/json/json_common.c +@@ -0,0 +1,1196 @@ ++// Auto generated file. Do not edit! ++#define _GNU_SOURCE ++#include ++#include ++#include ++#include "json_common.h" ++ ++#define MAX_NUM_STR_LEN 21 ++ ++yajl_gen_status reformat_number(void *ctx, const char *str, size_t len) { ++ yajl_gen g = (yajl_gen) ctx; ++ return yajl_gen_number(g, str, len); ++} ++ ++yajl_gen_status reformat_uint(void *ctx, long long unsigned int num) { ++ char numstr[MAX_NUM_STR_LEN]; ++ int ret; ++ ++ ret = sprintf(numstr, "%llu", num); ++ if (ret < 0) { ++ return yajl_gen_in_error_state; ++ } ++ return reformat_number(ctx, (const char *)numstr, strlen(numstr)); ++} ++ ++yajl_gen_status reformat_int(void *ctx, long long int num) { ++ char numstr[MAX_NUM_STR_LEN]; ++ int ret; ++ ++ ret = sprintf(numstr, "%lld", num); ++ if (ret < 0) { ++ return yajl_gen_in_error_state; ++ } ++ return reformat_number(ctx, (const char *)numstr, strlen(numstr)); ++} ++ ++yajl_gen_status reformat_double(void *ctx, double num) { ++ yajl_gen g = (yajl_gen) ctx; ++ return yajl_gen_double(g, num); ++} ++ ++yajl_gen_status reformat_string(void *ctx, const char *str, size_t len) { ++ yajl_gen g = (yajl_gen) ctx; ++ return yajl_gen_string(g, (const unsigned char *)str, len); ++} ++ ++yajl_gen_status reformat_null(void *ctx) { ++ yajl_gen g = (yajl_gen) ctx; ++ return yajl_gen_null(g); ++} ++ ++yajl_gen_status reformat_bool(void *ctx, int boolean) { ++ yajl_gen g = (yajl_gen) ctx; ++ return yajl_gen_bool(g, boolean); ++} ++ ++yajl_gen_status reformat_map_key(void *ctx, const char *str, size_t len) { ++ yajl_gen g = (yajl_gen) ctx; ++ return yajl_gen_string(g, (const unsigned char *)str, len); ++} ++ ++yajl_gen_status reformat_start_map(void *ctx) { ++ yajl_gen g = (yajl_gen) ctx; ++ return yajl_gen_map_open(g); ++} ++ ++yajl_gen_status reformat_end_map(void *ctx) { ++ yajl_gen g = (yajl_gen) ctx; ++ return yajl_gen_map_close(g); ++} ++ ++yajl_gen_status reformat_start_array(void *ctx) { ++ yajl_gen g = (yajl_gen) ctx; ++ return yajl_gen_array_open(g); ++} ++ ++yajl_gen_status reformat_end_array(void *ctx) { ++ yajl_gen g = (yajl_gen) ctx; ++ return yajl_gen_array_close(g); ++} ++ ++bool json_gen_init(yajl_gen *g, struct parser_context *ctx) { ++ *g = yajl_gen_alloc(NULL); ++ if (NULL == *g) { ++ return false; ++ ++ } ++ yajl_gen_config(*g, yajl_gen_beautify, !(ctx->options & GEN_OPTIONS_SIMPLIFY)); ++ yajl_gen_config(*g, yajl_gen_validate_utf8, 1); ++ return true; ++} ++ ++yajl_val get_val(yajl_val tree, const char *name, yajl_type type) { ++ const char *path[] = { name, NULL }; ++ return yajl_tree_get(tree, path, type); ++} ++ ++void *safe_malloc(size_t size) { ++ void *ret = NULL; ++ if (size == 0) { ++ abort(); ++ } ++ ret = calloc(1, size); ++ if (ret == NULL) { ++ abort(); ++ } ++ return ret; ++} ++ ++int common_safe_double(const char *numstr, double *converted) { ++ char *err_str = NULL; ++ double d; ++ ++ if (!numstr) { ++ return -EINVAL; ++ } ++ ++ errno = 0; ++ d = strtod(numstr, &err_str); ++ if (errno > 0) { ++ return -errno; ++ } ++ ++ if (!err_str || err_str == numstr || *err_str != '\0') { ++ return -EINVAL; ++ } ++ ++ *converted = d; ++ return 0; ++} ++ ++int common_safe_uint8(const char *numstr, uint8_t *converted) { ++ char *err = NULL; ++ unsigned long int uli; ++ ++ if (!numstr) { ++ return -EINVAL; ++ } ++ ++ errno = 0; ++ uli = strtoul(numstr, &err, 0); ++ if (errno > 0) { ++ return -errno; ++ } ++ ++ if (!err || err == numstr || *err != '\0') { ++ return -EINVAL; ++ } ++ ++ if (uli > UINT8_MAX) { ++ return -ERANGE; ++ } ++ ++ *converted = (uint8_t)uli; ++ return 0; ++} ++ ++int common_safe_uint16(const char *numstr, uint16_t *converted) { ++ char *err = NULL; ++ unsigned long int uli; ++ ++ if (!numstr) { ++ return -EINVAL; ++ } ++ ++ errno = 0; ++ uli = strtoul(numstr, &err, 0); ++ if (errno > 0) { ++ return -errno; ++ } ++ ++ if (!err || err == numstr || *err != '\0') { ++ return -EINVAL; ++ } ++ ++ if (uli > UINT16_MAX) { ++ return -ERANGE; ++ } ++ ++ *converted = (uint16_t)uli; ++ return 0; ++} ++ ++int common_safe_uint32(const char *numstr, uint32_t *converted) { ++ char *err = NULL; ++ unsigned long long int ull; ++ ++ if (!numstr) { ++ return -EINVAL; ++ } ++ ++ errno = 0; ++ ull = strtoull(numstr, &err, 0); ++ if (errno > 0) { ++ return -errno; ++ } ++ ++ if (!err || err == numstr || *err != '\0') { ++ return -EINVAL; ++ } ++ ++ if (ull > UINT32_MAX) { ++ return -ERANGE; ++ } ++ ++ *converted = (uint32_t)ull; ++ return 0; ++} ++ ++int common_safe_uint64(const char *numstr, uint64_t *converted) { ++ char *err = NULL; ++ unsigned long long int ull; ++ ++ if (!numstr) { ++ return -EINVAL; ++ } ++ ++ errno = 0; ++ ull = strtoull(numstr, &err, 0); ++ if (errno > 0) { ++ return -errno; ++ } ++ ++ if (!err || err == numstr || *err != '\0') { ++ return -EINVAL; ++ } ++ ++ *converted = (uint64_t)ull; ++ return 0; ++} ++ ++int common_safe_uint(const char *numstr, unsigned int *converted) { ++ char *err = NULL; ++ unsigned long long int ull; ++ ++ if (!numstr) { ++ return -EINVAL; ++ } ++ ++ errno = 0; ++ ull = strtoull(numstr, &err, 0); ++ if (errno > 0) { ++ return -errno; ++ } ++ ++ if (!err || err == numstr || *err != '\0') { ++ return -EINVAL; ++ } ++ ++ if (ull > UINT_MAX) { ++ return -ERANGE; ++ } ++ ++ *converted = (unsigned int)ull; ++ return 0; ++} ++ ++int common_safe_int8(const char *numstr, int8_t *converted) { ++ char *err = NULL; ++ long int li; ++ ++ if (!numstr) { ++ return -EINVAL; ++ } ++ ++ errno = 0; ++ li = strtol(numstr, &err, 0); ++ if (errno > 0) { ++ return -errno; ++ } ++ ++ if (!err || err == numstr || *err != '\0') { ++ return -EINVAL; ++ } ++ ++ if (li > INT8_MAX || li < INT8_MIN) { ++ return -ERANGE; ++ } ++ ++ *converted = (int8_t)li; ++ return 0; ++} ++ ++int common_safe_int16(const char *numstr, int16_t *converted) { ++ char *err = NULL; ++ long int li; ++ ++ if (!numstr) { ++ return -EINVAL; ++ } ++ ++ errno = 0; ++ li = strtol(numstr, &err, 0); ++ if (errno > 0) { ++ return -errno; ++ } ++ ++ if (!err || err == numstr || *err != '\0') { ++ return -EINVAL; ++ } ++ ++ if (li > INT16_MAX || li < INT16_MIN) { ++ return -ERANGE; ++ } ++ ++ *converted = (int16_t)li; ++ return 0; ++} ++ ++int common_safe_int32(const char *numstr, int32_t *converted) { ++ char *err = NULL; ++ long long int lli; ++ ++ if (!numstr) { ++ return -EINVAL; ++ } ++ ++ errno = 0; ++ lli = strtol(numstr, &err, 0); ++ if (errno > 0) { ++ return -errno; ++ } ++ ++ if (!err || err == numstr || *err != '\0') { ++ return -EINVAL; ++ } ++ ++ if (lli > INT32_MAX || lli < INT32_MIN) { ++ return -ERANGE; ++ } ++ ++ *converted = (int32_t)lli; ++ return 0; ++} ++ ++int common_safe_int64(const char *numstr, int64_t *converted) { ++ char *err = NULL; ++ long long int lli; ++ ++ if (!numstr) { ++ return -EINVAL; ++ } ++ ++ errno = 0; ++ lli = strtoll(numstr, &err, 0); ++ if (errno > 0) { ++ return -errno; ++ } ++ ++ if (!err || err == numstr || *err != '\0') { ++ return -EINVAL; ++ } ++ ++ *converted = (int64_t)lli; ++ return 0; ++} ++ ++int common_safe_int(const char *numstr, int *converted) { ++ char *err = NULL; ++ long long int lli; ++ ++ if (!numstr) { ++ return -EINVAL; ++ } ++ ++ errno = 0; ++ lli = strtol(numstr, &err, 0); ++ if (errno > 0) { ++ return -errno; ++ } ++ ++ if (!err || err == numstr || *err != '\0') { ++ return -EINVAL; ++ } ++ ++ if (lli > INT_MAX || lli < INT_MIN) { ++ return -ERANGE; ++ } ++ ++ *converted = (int)lli; ++ return 0; ++} ++ ++char *safe_strdup(const char *src) ++{ ++ char *dst = NULL; ++ ++ if (!src) { ++ return NULL; ++ } ++ ++ dst = strdup(src); ++ if (!dst) { ++ abort(); ++ } ++ ++ return dst; ++} ++ ++ ++yajl_gen_status gen_json_map_int_int(void *ctx, json_map_int_int *map, struct parser_context *ptx, parser_error *err) { ++ yajl_gen_status stat = yajl_gen_status_ok; ++ yajl_gen g = (yajl_gen) ctx; ++ size_t len = 0, i = 0; ++ if (map) { ++ len = map->len; ++ } ++ if (!len && !(ptx->options & GEN_OPTIONS_SIMPLIFY)) { ++ yajl_gen_config(g, yajl_gen_beautify, 0); ++ } ++ stat = reformat_start_map(g); ++ if (yajl_gen_status_ok != stat) { ++ GEN_SET_ERROR_AND_RETURN(stat, err); ++ ++ } ++ for (i = 0; i < len; i++) { ++ char numstr[MAX_NUM_STR_LEN]; ++ int nret; ++ nret = sprintf(numstr, "%lld", (long long int)map->keys[i]); ++ if (nret < 0) { ++ if (!*err && asprintf(err, "Error to print string") < 0) { ++ *(err) = safe_strdup("error allocating memory"); ++ } ++ return yajl_gen_in_error_state; ++ } ++ stat = reformat_string(g, numstr, strlen(numstr)); ++ if (yajl_gen_status_ok != stat) { ++ GEN_SET_ERROR_AND_RETURN(stat, err); ++ } ++ stat = reformat_int(g, map->values[i]); ++ if (yajl_gen_status_ok != stat) { ++ GEN_SET_ERROR_AND_RETURN(stat, err); ++ } ++ } ++ ++ stat = reformat_end_map(g); ++ if (yajl_gen_status_ok != stat) { ++ GEN_SET_ERROR_AND_RETURN(stat, err); ++ } ++ if (!len && !(ptx->options & GEN_OPTIONS_SIMPLIFY)) { ++ yajl_gen_config(g, yajl_gen_beautify, 1); ++ } ++ return yajl_gen_status_ok; ++} ++ ++void free_json_map_int_int(json_map_int_int *map) { ++ if (map) { ++ size_t i; ++ for (i = 0; i < map->len; i++) { ++ // No need to free key for type int ++ // No need to free value for type int ++ } ++ free(map->keys); ++ map->keys = NULL; ++ free(map->values); ++ map->values = NULL; ++ free(map); ++ } ++} ++json_map_int_int *make_json_map_int_int(yajl_val src, struct parser_context *ctx, parser_error *err) { ++ json_map_int_int *ret = NULL; ++ if (src && YAJL_GET_OBJECT(src)) { ++ size_t i; ++ size_t len = YAJL_GET_OBJECT(src)->len; ++ ret = safe_malloc(sizeof(*ret)); ++ ret->len = len; ++ ret->keys = safe_malloc((len + 1) * sizeof(int)); ++ ret->values = safe_malloc((len + 1) * sizeof(int)); ++ for (i = 0; i < len; i++) { ++ const char *srckey = YAJL_GET_OBJECT(src)->keys[i]; ++ yajl_val srcval = YAJL_GET_OBJECT(src)->values[i]; ++ ++ if (srckey) { ++ int invalid; ++ invalid = common_safe_int(srckey, &(ret->keys[i])); ++ if (invalid) { ++ if (!*err && asprintf(err, "Invalid key '%s' with type 'int': %s", srckey, strerror(-invalid)) < 0) { ++ *(err) = safe_strdup("error allocating memory"); ++ } ++ free_json_map_int_int(ret); ++ return NULL; ++ } ++ } ++ ++ if (srcval) { ++ int invalid; ++ if (!YAJL_IS_NUMBER(srcval)) { ++ if (!*err && asprintf(err, "Invalid value with type 'int' for key '%s'", srckey) < 0) { ++ *(err) = safe_strdup("error allocating memory"); ++ } ++ free_json_map_int_int(ret); ++ return NULL; ++ } ++ invalid = common_safe_int(YAJL_GET_NUMBER(srcval), &(ret->values[i])); ++ if (invalid) { ++ if (!*err && asprintf(err, "Invalid value with type 'int' for key '%s': %s", srckey, strerror(-invalid)) < 0) { ++ *(err) = safe_strdup("error allocating memory"); ++ } ++ free_json_map_int_int(ret); ++ return NULL; ++ } ++ } ++ } ++ } ++ return ret; ++} ++int append_json_map_int_int(json_map_int_int *map, int key, int val) { ++ size_t len; ++ int *keys; ++ int *vals; ++ ++ if (!map) { ++ return -1; ++ } ++ ++ if ((SIZE_MAX / sizeof(int) - 1) < map->len) { ++ return -1; ++ } ++ ++ len = map->len + 1; ++ keys = safe_malloc(len * sizeof(int)); ++ vals = safe_malloc(len * sizeof(int)); ++ ++ if (map->len) { ++ if (memcpy(keys, map->keys, map->len * sizeof(int)) != EOK) { ++ free(keys); ++ free(vals); ++ return -1; ++ } ++ if (memcpy(vals, map->values, map->len * sizeof(int)) != EOK) { ++ free(keys); ++ free(vals); ++ return -1; ++ } ++ } ++ free(map->keys); ++ map->keys = keys; ++ free(map->values); ++ map->values = vals; ++ map->keys[map->len] = key; ++ map->values[map->len] = val; ++ ++ map->len++; ++ return 0; ++} ++ ++yajl_gen_status gen_json_map_int_bool(void *ctx, json_map_int_bool *map, struct parser_context *ptx, parser_error *err) { ++ yajl_gen_status stat = yajl_gen_status_ok; ++ yajl_gen g = (yajl_gen) ctx; ++ size_t len = 0, i = 0; ++ if (map) { ++ len = map->len; ++ } ++ if (!len && !(ptx->options & GEN_OPTIONS_SIMPLIFY)) { ++ yajl_gen_config(g, yajl_gen_beautify, 0); ++ } ++ stat = reformat_start_map(g); ++ if (yajl_gen_status_ok != stat) { ++ GEN_SET_ERROR_AND_RETURN(stat, err); ++ ++ } ++ for (i = 0; i < len; i++) { ++ char numstr[MAX_NUM_STR_LEN]; ++ int nret; ++ nret = sprintf(numstr, "%lld", (long long int)map->keys[i]); ++ if (nret < 0) { ++ if (!*err && asprintf(err, "Error to print string") < 0) { ++ *(err) = safe_strdup("error allocating memory"); ++ } ++ return yajl_gen_in_error_state; ++ } ++ stat = reformat_string(g, numstr, strlen(numstr)); ++ if (yajl_gen_status_ok != stat) { ++ GEN_SET_ERROR_AND_RETURN(stat, err); ++ } ++ stat = reformat_bool(g, map->values[i]); ++ if (yajl_gen_status_ok != stat) { ++ GEN_SET_ERROR_AND_RETURN(stat, err); ++ } ++ } ++ ++ stat = reformat_end_map(g); ++ if (yajl_gen_status_ok != stat) { ++ GEN_SET_ERROR_AND_RETURN(stat, err); ++ } ++ if (!len && !(ptx->options & GEN_OPTIONS_SIMPLIFY)) { ++ yajl_gen_config(g, yajl_gen_beautify, 1); ++ } ++ return yajl_gen_status_ok; ++} ++ ++void free_json_map_int_bool(json_map_int_bool *map) { ++ if (map) { ++ size_t i; ++ for (i = 0; i < map->len; i++) { ++ // No need to free key for type int ++ // No need to free value for type bool ++ } ++ free(map->keys); ++ map->keys = NULL; ++ free(map->values); ++ map->values = NULL; ++ free(map); ++ } ++} ++json_map_int_bool *make_json_map_int_bool(yajl_val src, struct parser_context *ctx, parser_error *err) { ++ json_map_int_bool *ret = NULL; ++ if (src && YAJL_GET_OBJECT(src)) { ++ size_t i; ++ size_t len = YAJL_GET_OBJECT(src)->len; ++ ret = safe_malloc(sizeof(*ret)); ++ ret->len = len; ++ ret->keys = safe_malloc((len + 1) * sizeof(int)); ++ ret->values = safe_malloc((len + 1) * sizeof(bool)); ++ for (i = 0; i < len; i++) { ++ const char *srckey = YAJL_GET_OBJECT(src)->keys[i]; ++ yajl_val srcval = YAJL_GET_OBJECT(src)->values[i]; ++ ++ if (srckey) { ++ int invalid; ++ invalid = common_safe_int(srckey, &(ret->keys[i])); ++ if (invalid) { ++ if (!*err && asprintf(err, "Invalid key '%s' with type 'int': %s", srckey, strerror(-invalid)) < 0) { ++ *(err) = safe_strdup("error allocating memory"); ++ } ++ free_json_map_int_bool(ret); ++ return NULL; ++ } ++ } ++ ++ if (srcval) { ++ if (YAJL_IS_TRUE(srcval)) { ++ ret->values[i] = true; ++ } else if (YAJL_IS_FALSE(srcval)) { ++ ret->values[i] = false; ++ } else { ++ if (!*err && asprintf(err, "Invalid value with type 'bool' for key '%s'", srckey) < 0) { ++ *(err) = safe_strdup("error allocating memory"); ++ } ++ free_json_map_int_bool(ret); ++ return NULL; ++ } ++ } ++ } ++ } ++ return ret; ++} ++int append_json_map_int_bool(json_map_int_bool *map, int key, bool val) { ++ size_t len; ++ int *keys; ++ bool *vals; ++ ++ if (!map) { ++ return -1; ++ } ++ ++ if ((SIZE_MAX / sizeof(int) - 1) < map->len || (SIZE_MAX / sizeof(bool) - 1) < map->len) { ++ return -1; ++ } ++ ++ len = map->len + 1; ++ keys = safe_malloc(len * sizeof(int)); ++ vals = safe_malloc(len * sizeof(bool)); ++ ++ if (map->len) { ++ if (memcpy(keys, map->keys, map->len * sizeof(int)) != EOK) { ++ free(keys); ++ free(vals); ++ return -1; ++ } ++ if (memcpy(vals, map->values, map->len * sizeof(bool)) != EOK) { ++ free(keys); ++ free(vals); ++ return -1; ++ } ++ } ++ free(map->keys); ++ map->keys = keys; ++ free(map->values); ++ map->values = vals; ++ map->keys[map->len] = key; ++ map->values[map->len] = val; ++ ++ map->len++; ++ return 0; ++} ++ ++yajl_gen_status gen_json_map_int_string(void *ctx, json_map_int_string *map, struct parser_context *ptx, parser_error *err) { ++ yajl_gen_status stat = yajl_gen_status_ok; ++ yajl_gen g = (yajl_gen) ctx; ++ size_t len = 0, i = 0; ++ if (map) { ++ len = map->len; ++ } ++ if (!len && !(ptx->options & GEN_OPTIONS_SIMPLIFY)) { ++ yajl_gen_config(g, yajl_gen_beautify, 0); ++ } ++ stat = reformat_start_map(g); ++ if (yajl_gen_status_ok != stat) { ++ GEN_SET_ERROR_AND_RETURN(stat, err); ++ ++ } ++ for (i = 0; i < len; i++) { ++ char numstr[MAX_NUM_STR_LEN]; ++ int nret; ++ nret = sprintf(numstr, "%lld", (long long int)map->keys[i]); ++ if (nret < 0) { ++ if (!*err && asprintf(err, "Error to print string") < 0) { ++ *(err) = safe_strdup("error allocating memory"); ++ } ++ return yajl_gen_in_error_state; ++ } ++ stat = reformat_string(g, numstr, strlen(numstr)); ++ if (yajl_gen_status_ok != stat) { ++ GEN_SET_ERROR_AND_RETURN(stat, err); ++ } ++ stat = reformat_string(g, map->values[i], strlen(map->values[i]));; ++ if (yajl_gen_status_ok != stat) { ++ GEN_SET_ERROR_AND_RETURN(stat, err); ++ } ++ } ++ ++ stat = reformat_end_map(g); ++ if (yajl_gen_status_ok != stat) { ++ GEN_SET_ERROR_AND_RETURN(stat, err); ++ } ++ if (!len && !(ptx->options & GEN_OPTIONS_SIMPLIFY)) { ++ yajl_gen_config(g, yajl_gen_beautify, 1); ++ } ++ return yajl_gen_status_ok; ++} ++ ++void free_json_map_int_string(json_map_int_string *map) { ++ if (map) { ++ size_t i; ++ for (i = 0; i < map->len; i++) { ++ // No need to free key for type int ++ free(map->values[i]); ++ map->values[i] = NULL; ++ } ++ free(map->keys); ++ map->keys = NULL; ++ free(map->values); ++ map->values = NULL; ++ free(map); ++ } ++} ++json_map_int_string *make_json_map_int_string(yajl_val src, struct parser_context *ctx, parser_error *err) { ++ json_map_int_string *ret = NULL; ++ if (src && YAJL_GET_OBJECT(src)) { ++ size_t i; ++ size_t len = YAJL_GET_OBJECT(src)->len; ++ ret = safe_malloc(sizeof(*ret)); ++ ret->len = len; ++ ret->keys = safe_malloc((len + 1) * sizeof(int)); ++ ret->values = safe_malloc((len + 1) * sizeof(char *)); ++ for (i = 0; i < len; i++) { ++ const char *srckey = YAJL_GET_OBJECT(src)->keys[i]; ++ yajl_val srcval = YAJL_GET_OBJECT(src)->values[i]; ++ ++ if (srckey) { ++ int invalid; ++ invalid = common_safe_int(srckey, &(ret->keys[i])); ++ if (invalid) { ++ if (!*err && asprintf(err, "Invalid key '%s' with type 'int': %s", srckey, strerror(-invalid)) < 0) { ++ *(err) = safe_strdup("error allocating memory"); ++ } ++ free_json_map_int_string(ret); ++ return NULL; ++ } ++ } ++ ++ if (srcval) { ++ if (!YAJL_IS_STRING(srcval)) { ++ if (!*err && asprintf(err, "Invalid value with type 'string' for key '%s'", srckey) < 0) { ++ *(err) = safe_strdup("error allocating memory"); ++ } ++ free_json_map_int_string(ret); ++ return NULL; ++ } ++ char *str = YAJL_GET_STRING(srcval); ++ ret->values[i] = safe_strdup(str ? str : ""); ++ } ++ } ++ } ++ return ret; ++} ++int append_json_map_int_string(json_map_int_string *map, int key, const char *val) { ++ size_t len; ++ int *keys; ++ char **vals; ++ ++ if (!map) { ++ return -1; ++ } ++ ++ if ((SIZE_MAX / sizeof(int) - 1) < map->len || (SIZE_MAX / sizeof(char *) - 1) < map->len) { ++ return -1; ++ } ++ ++ len = map->len + 1; ++ keys = safe_malloc(len * sizeof(int)); ++ vals = safe_malloc(len * sizeof(char *)); ++ ++ if (map->len) { ++ if (memcpy(keys, map->keys, map->len * sizeof(int)) != EOK) { ++ free(keys); ++ free(vals); ++ return -1; ++ } ++ if (memcpy(vals, map->values, map->len * sizeof(char *)) != EOK) { ++ free(keys); ++ free(vals); ++ return -1; ++ } ++ } ++ free(map->keys); ++ map->keys = keys; ++ free(map->values); ++ map->values = vals; ++ map->keys[map->len] = key; ++ map->values[map->len] = safe_strdup(val ? val : ""); ++ ++ map->len++; ++ return 0; ++} ++ ++yajl_gen_status gen_json_map_string_int(void *ctx, json_map_string_int *map, struct parser_context *ptx, parser_error *err) { ++ yajl_gen_status stat = yajl_gen_status_ok; ++ yajl_gen g = (yajl_gen) ctx; ++ size_t len = 0, i = 0; ++ if (map) { ++ len = map->len; ++ } ++ if (!len && !(ptx->options & GEN_OPTIONS_SIMPLIFY)) { ++ yajl_gen_config(g, yajl_gen_beautify, 0); ++ } ++ stat = reformat_start_map(g); ++ if (yajl_gen_status_ok != stat) { ++ GEN_SET_ERROR_AND_RETURN(stat, err); ++ ++ } ++ for (i = 0; i < len; i++) { ++ stat = reformat_string(g, map->keys[i], strlen(map->keys[i])); ++ if (yajl_gen_status_ok != stat) { ++ GEN_SET_ERROR_AND_RETURN(stat, err); ++ } ++ stat = reformat_int(g, map->values[i]); ++ if (yajl_gen_status_ok != stat) { ++ GEN_SET_ERROR_AND_RETURN(stat, err); ++ } ++ } ++ ++ stat = reformat_end_map(g); ++ if (yajl_gen_status_ok != stat) { ++ GEN_SET_ERROR_AND_RETURN(stat, err); ++ } ++ if (!len && !(ptx->options & GEN_OPTIONS_SIMPLIFY)) { ++ yajl_gen_config(g, yajl_gen_beautify, 1); ++ } ++ return yajl_gen_status_ok; ++} ++ ++void free_json_map_string_int(json_map_string_int *map) { ++ if (map) { ++ size_t i; ++ for (i = 0; i < map->len; i++) { ++ free(map->keys[i]); ++ map->keys[i] = NULL; ++ // No need to free value for type int ++ } ++ free(map->keys); ++ map->keys = NULL; ++ free(map->values); ++ map->values = NULL; ++ free(map); ++ } ++} ++json_map_string_int *make_json_map_string_int(yajl_val src, struct parser_context *ctx, parser_error *err) { ++ json_map_string_int *ret = NULL; ++ if (src && YAJL_GET_OBJECT(src)) { ++ size_t i; ++ size_t len = YAJL_GET_OBJECT(src)->len; ++ ret = safe_malloc(sizeof(*ret)); ++ ret->len = len; ++ ret->keys = safe_malloc((len + 1) * sizeof(char *)); ++ ret->values = safe_malloc((len + 1) * sizeof(int)); ++ for (i = 0; i < len; i++) { ++ const char *srckey = YAJL_GET_OBJECT(src)->keys[i]; ++ yajl_val srcval = YAJL_GET_OBJECT(src)->values[i]; ++ ret->keys[i] = safe_strdup(srckey ? srckey : ""); ++ ++ if (srcval) { ++ int invalid; ++ if (!YAJL_IS_NUMBER(srcval)) { ++ if (!*err && asprintf(err, "Invalid value with type 'int' for key '%s'", srckey) < 0) { ++ *(err) = safe_strdup("error allocating memory"); ++ } ++ free_json_map_string_int(ret); ++ return NULL; ++ } ++ invalid = common_safe_int(YAJL_GET_NUMBER(srcval), &(ret->values[i])); ++ if (invalid) { ++ if (!*err && asprintf(err, "Invalid value with type 'int' for key '%s': %s", srckey, strerror(-invalid)) < 0) { ++ *(err) = safe_strdup("error allocating memory"); ++ } ++ free_json_map_string_int(ret); ++ return NULL; ++ } ++ } ++ } ++ } ++ return ret; ++} ++int append_json_map_string_int(json_map_string_int *map, const char *key, int val) { ++ size_t len; ++ char **keys; ++ int *vals; ++ ++ if (!map) { ++ return -1; ++ } ++ ++ if ((SIZE_MAX / sizeof(char *) - 1) < map->len || (SIZE_MAX / sizeof(int) - 1) < map->len) { ++ return -1; ++ } ++ ++ len = map->len + 1; ++ keys = safe_malloc(len * sizeof(char *)); ++ vals = safe_malloc(len * sizeof(int)); ++ ++ if (map->len) { ++ if (memcpy(keys, map->keys, map->len * sizeof(char *)) != EOK) { ++ free(keys); ++ free(vals); ++ return -1; ++ } ++ if (memcpy(vals, map->values, map->len * sizeof(int)) != EOK) { ++ free(keys); ++ free(vals); ++ return -1; ++ } ++ } ++ free(map->keys); ++ map->keys = keys; ++ free(map->values); ++ map->values = vals; ++ map->keys[map->len] = safe_strdup(key ? key : ""); ++ map->values[map->len] = val; ++ ++ map->len++; ++ return 0; ++} ++ ++yajl_gen_status gen_json_map_string_bool(void *ctx, json_map_string_bool *map, struct parser_context *ptx, parser_error *err) { ++ yajl_gen_status stat = yajl_gen_status_ok; ++ yajl_gen g = (yajl_gen) ctx; ++ size_t len = 0, i = 0; ++ if (map) { ++ len = map->len; ++ } ++ if (!len && !(ptx->options & GEN_OPTIONS_SIMPLIFY)) { ++ yajl_gen_config(g, yajl_gen_beautify, 0); ++ } ++ stat = reformat_start_map(g); ++ if (yajl_gen_status_ok != stat) { ++ GEN_SET_ERROR_AND_RETURN(stat, err); ++ ++ } ++ for (i = 0; i < len; i++) { ++ stat = reformat_string(g, map->keys[i], strlen(map->keys[i])); ++ if (yajl_gen_status_ok != stat) { ++ GEN_SET_ERROR_AND_RETURN(stat, err); ++ } ++ stat = reformat_bool(g, map->values[i]); ++ if (yajl_gen_status_ok != stat) { ++ GEN_SET_ERROR_AND_RETURN(stat, err); ++ } ++ } ++ ++ stat = reformat_end_map(g); ++ if (yajl_gen_status_ok != stat) { ++ GEN_SET_ERROR_AND_RETURN(stat, err); ++ } ++ if (!len && !(ptx->options & GEN_OPTIONS_SIMPLIFY)) { ++ yajl_gen_config(g, yajl_gen_beautify, 1); ++ } ++ return yajl_gen_status_ok; ++} ++ ++void free_json_map_string_bool(json_map_string_bool *map) { ++ if (map) { ++ size_t i; ++ for (i = 0; i < map->len; i++) { ++ free(map->keys[i]); ++ map->keys[i] = NULL; ++ // No need to free value for type bool ++ } ++ free(map->keys); ++ map->keys = NULL; ++ free(map->values); ++ map->values = NULL; ++ free(map); ++ } ++} ++json_map_string_bool *make_json_map_string_bool(yajl_val src, struct parser_context *ctx, parser_error *err) { ++ json_map_string_bool *ret = NULL; ++ if (src && YAJL_GET_OBJECT(src)) { ++ size_t i; ++ size_t len = YAJL_GET_OBJECT(src)->len; ++ ret = safe_malloc(sizeof(*ret)); ++ ret->len = len; ++ ret->keys = safe_malloc((len + 1) * sizeof(char *)); ++ ret->values = safe_malloc((len + 1) * sizeof(bool)); ++ for (i = 0; i < len; i++) { ++ const char *srckey = YAJL_GET_OBJECT(src)->keys[i]; ++ yajl_val srcval = YAJL_GET_OBJECT(src)->values[i]; ++ ret->keys[i] = safe_strdup(srckey ? srckey : ""); ++ ++ if (srcval) { ++ if (YAJL_IS_TRUE(srcval)) { ++ ret->values[i] = true; ++ } else if (YAJL_IS_FALSE(srcval)) { ++ ret->values[i] = false; ++ } else { ++ if (!*err && asprintf(err, "Invalid value with type 'bool' for key '%s'", srckey) < 0) { ++ *(err) = safe_strdup("error allocating memory"); ++ } ++ free_json_map_string_bool(ret); ++ return NULL; ++ } ++ } ++ } ++ } ++ return ret; ++} ++int append_json_map_string_bool(json_map_string_bool *map, const char *key, bool val) { ++ size_t len; ++ char **keys; ++ bool *vals; ++ ++ if (!map) { ++ return -1; ++ } ++ ++ if ((SIZE_MAX / sizeof(char *) - 1) < map->len || (SIZE_MAX / sizeof(bool) - 1) < map->len) { ++ return -1; ++ } ++ ++ len = map->len + 1; ++ keys = safe_malloc(len * sizeof(char *)); ++ vals = safe_malloc(len * sizeof(bool)); ++ ++ if (map->len) { ++ if (memcpy(keys, map->keys, map->len * sizeof(char *)) != EOK) { ++ free(keys); ++ free(vals); ++ return -1; ++ } ++ if (memcpy(vals, map->values, map->len * sizeof(bool)) != EOK) { ++ free(keys); ++ free(vals); ++ return -1; ++ } ++ } ++ free(map->keys); ++ map->keys = keys; ++ free(map->values); ++ map->values = vals; ++ map->keys[map->len] = safe_strdup(key ? key : ""); ++ map->values[map->len] = val; ++ ++ map->len++; ++ return 0; ++} ++ ++yajl_gen_status gen_json_map_string_string(void *ctx, json_map_string_string *map, struct parser_context *ptx, parser_error *err) { ++ yajl_gen_status stat = yajl_gen_status_ok; ++ yajl_gen g = (yajl_gen) ctx; ++ size_t len = 0, i = 0; ++ if (map) { ++ len = map->len; ++ } ++ if (!len && !(ptx->options & GEN_OPTIONS_SIMPLIFY)) { ++ yajl_gen_config(g, yajl_gen_beautify, 0); ++ } ++ stat = reformat_start_map(g); ++ if (yajl_gen_status_ok != stat) { ++ GEN_SET_ERROR_AND_RETURN(stat, err); ++ ++ } ++ for (i = 0; i < len; i++) { ++ stat = reformat_string(g, map->keys[i], strlen(map->keys[i])); ++ if (yajl_gen_status_ok != stat) { ++ GEN_SET_ERROR_AND_RETURN(stat, err); ++ } ++ stat = reformat_string(g, map->values[i], strlen(map->values[i]));; ++ if (yajl_gen_status_ok != stat) { ++ GEN_SET_ERROR_AND_RETURN(stat, err); ++ } ++ } ++ ++ stat = reformat_end_map(g); ++ if (yajl_gen_status_ok != stat) { ++ GEN_SET_ERROR_AND_RETURN(stat, err); ++ } ++ if (!len && !(ptx->options & GEN_OPTIONS_SIMPLIFY)) { ++ yajl_gen_config(g, yajl_gen_beautify, 1); ++ } ++ return yajl_gen_status_ok; ++} ++ ++void free_json_map_string_string(json_map_string_string *map) { ++ if (map) { ++ size_t i; ++ for (i = 0; i < map->len; i++) { ++ free(map->keys[i]); ++ map->keys[i] = NULL; ++ free(map->values[i]); ++ map->values[i] = NULL; ++ } ++ free(map->keys); ++ map->keys = NULL; ++ free(map->values); ++ map->values = NULL; ++ free(map); ++ } ++} ++json_map_string_string *make_json_map_string_string(yajl_val src, struct parser_context *ctx, parser_error *err) { ++ json_map_string_string *ret = NULL; ++ if (src && YAJL_GET_OBJECT(src)) { ++ size_t i; ++ size_t len = YAJL_GET_OBJECT(src)->len; ++ ret = safe_malloc(sizeof(*ret)); ++ ret->len = len; ++ ret->keys = safe_malloc((len + 1) * sizeof(char *)); ++ ret->values = safe_malloc((len + 1) * sizeof(char *)); ++ for (i = 0; i < len; i++) { ++ const char *srckey = YAJL_GET_OBJECT(src)->keys[i]; ++ yajl_val srcval = YAJL_GET_OBJECT(src)->values[i]; ++ ret->keys[i] = safe_strdup(srckey ? srckey : ""); ++ ++ if (srcval) { ++ if (!YAJL_IS_STRING(srcval)) { ++ if (!*err && asprintf(err, "Invalid value with type 'string' for key '%s'", srckey) < 0) { ++ *(err) = safe_strdup("error allocating memory"); ++ } ++ free_json_map_string_string(ret); ++ return NULL; ++ } ++ char *str = YAJL_GET_STRING(srcval); ++ ret->values[i] = safe_strdup(str ? str : ""); ++ } ++ } ++ } ++ return ret; ++} ++int append_json_map_string_string(json_map_string_string *map, const char *key, const char *val) { ++ size_t len; ++ char **keys; ++ char **vals; ++ ++ if (!map) { ++ return -1; ++ } ++ ++ if ((SIZE_MAX / sizeof(char *) - 1) < map->len) { ++ return -1; ++ } ++ ++ len = map->len + 1; ++ keys = safe_malloc(len * sizeof(char *)); ++ vals = safe_malloc(len * sizeof(char *)); ++ ++ if (map->len) { ++ if (memcpy(keys, map->keys, map->len * sizeof(char *)) != EOK) { ++ free(keys); ++ free(vals); ++ return -1; ++ } ++ if (memcpy(vals, map->values, map->len * sizeof(char *)) != EOK) { ++ free(keys); ++ free(vals); ++ return -1; ++ } ++ } ++ free(map->keys); ++ map->keys = keys; ++ free(map->values); ++ map->values = vals; ++ map->keys[map->len] = safe_strdup(key ? key : ""); ++ map->values[map->len] = safe_strdup(val ? val : ""); ++ ++ map->len++; ++ return 0; ++} +diff --git a/src/lxc/json/json_common.h b/src/lxc/json/json_common.h +new file mode 100755 +index 0000000..904fe3c +--- /dev/null ++++ b/src/lxc/json/json_common.h +@@ -0,0 +1,185 @@ ++// Auto generated file. Do not edit! ++#ifndef _JSON_COMMON_H ++#define _JSON_COMMON_H ++ ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include "securec.h" ++ ++#ifdef __cplusplus ++extern "C" { ++#endif ++ ++# undef linux ++ ++//options to report error if there is unknown key found in json ++# define PARSE_OPTIONS_STRICT 0x01 ++//options to generate all key and value ++# define GEN_OPTIONS_ALLKEYVALUE 0x02 ++//options to generate simplify(no indent) json string ++# define GEN_OPTIONS_SIMPLIFY 0x04 ++ ++#define GEN_SET_ERROR_AND_RETURN(stat, err) { \ ++ if (!*(err)) {\ ++ if (asprintf(err, "%s: %s: %d: error generating json, errcode: %d", __FILE__, __func__, __LINE__, stat) < 0) { \ ++ *(err) = safe_strdup("error allocating memory"); \ ++ } \ ++ }\ ++ return stat; \ ++ } ++ ++typedef char *parser_error; ++ ++struct parser_context { ++ unsigned int options; ++ FILE *stderr; ++}; ++ ++yajl_gen_status reformat_number(void *ctx, const char *str, size_t len); ++ ++yajl_gen_status reformat_uint(void *ctx, long long unsigned int num); ++ ++yajl_gen_status reformat_int(void *ctx, long long int num); ++ ++yajl_gen_status reformat_double(void *ctx, double num); ++ ++yajl_gen_status reformat_string(void *ctx, const char *str, size_t len); ++ ++yajl_gen_status reformat_null(void *ctx); ++ ++yajl_gen_status reformat_bool(void *ctx, int boolean); ++ ++yajl_gen_status reformat_map_key(void *ctx, const char *str, size_t len); ++ ++yajl_gen_status reformat_start_map(void *ctx); ++ ++yajl_gen_status reformat_end_map(void *ctx); ++ ++yajl_gen_status reformat_start_array(void *ctx); ++ ++yajl_gen_status reformat_end_array(void *ctx); ++ ++bool json_gen_init(yajl_gen *g, struct parser_context *ctx); ++ ++yajl_val get_val(yajl_val tree, const char *name, yajl_type type); ++ ++void *safe_malloc(size_t size); ++ ++int common_safe_double(const char *numstr, double *converted); ++ ++int common_safe_uint8(const char *numstr, uint8_t *converted); ++ ++int common_safe_uint16(const char *numstr, uint16_t *converted); ++ ++int common_safe_uint32(const char *numstr, uint32_t *converted); ++ ++int common_safe_uint64(const char *numstr, uint64_t *converted); ++ ++int common_safe_uint(const char *numstr, unsigned int *converted); ++ ++int common_safe_int8(const char *numstr, int8_t *converted); ++ ++int common_safe_int16(const char *numstr, int16_t *converted); ++ ++int common_safe_int32(const char *numstr, int32_t *converted); ++ ++int common_safe_int64(const char *numstr, int64_t *converted); ++ ++int common_safe_int(const char *numstr, int *converted); ++ ++char *safe_strdup(const char *src); ++ ++typedef struct { ++ int *keys; ++ int *values; ++ size_t len; ++} json_map_int_int; ++ ++void free_json_map_int_int(json_map_int_int *map); ++ ++json_map_int_int *make_json_map_int_int(yajl_val src, struct parser_context *ctx, parser_error *err); ++ ++yajl_gen_status gen_json_map_int_int(void *ctx, json_map_int_int *map, struct parser_context *ptx, parser_error *err); ++ ++int append_json_map_int_int(json_map_int_int *map, int key, int val); ++ ++typedef struct { ++ int *keys; ++ bool *values; ++ size_t len; ++} json_map_int_bool; ++ ++void free_json_map_int_bool(json_map_int_bool *map); ++ ++json_map_int_bool *make_json_map_int_bool(yajl_val src, struct parser_context *ctx, parser_error *err); ++ ++yajl_gen_status gen_json_map_int_bool(void *ctx, json_map_int_bool *map, struct parser_context *ptx, parser_error *err); ++ ++int append_json_map_int_bool(json_map_int_bool *map, int key, bool val); ++ ++typedef struct { ++ int *keys; ++ char **values; ++ size_t len; ++} json_map_int_string; ++ ++void free_json_map_int_string(json_map_int_string *map); ++ ++json_map_int_string *make_json_map_int_string(yajl_val src, struct parser_context *ctx, parser_error *err); ++ ++yajl_gen_status gen_json_map_int_string(void *ctx, json_map_int_string *map, struct parser_context *ptx, parser_error *err); ++ ++int append_json_map_int_string(json_map_int_string *map, int key, const char *val); ++ ++typedef struct { ++ char **keys; ++ int *values; ++ size_t len; ++} json_map_string_int; ++ ++void free_json_map_string_int(json_map_string_int *map); ++ ++json_map_string_int *make_json_map_string_int(yajl_val src, struct parser_context *ctx, parser_error *err); ++ ++yajl_gen_status gen_json_map_string_int(void *ctx, json_map_string_int *map, struct parser_context *ptx, parser_error *err); ++ ++int append_json_map_string_int(json_map_string_int *map, const char *key, int val); ++ ++typedef struct { ++ char **keys; ++ bool *values; ++ size_t len; ++} json_map_string_bool; ++ ++void free_json_map_string_bool(json_map_string_bool *map); ++ ++json_map_string_bool *make_json_map_string_bool(yajl_val src, struct parser_context *ctx, parser_error *err); ++ ++yajl_gen_status gen_json_map_string_bool(void *ctx, json_map_string_bool *map, struct parser_context *ptx, parser_error *err); ++ ++int append_json_map_string_bool(json_map_string_bool *map, const char *key, bool val); ++ ++typedef struct { ++ char **keys; ++ char **values; ++ size_t len; ++} json_map_string_string; ++ ++void free_json_map_string_string(json_map_string_string *map); ++ ++json_map_string_string *make_json_map_string_string(yajl_val src, struct parser_context *ctx, parser_error *err); ++ ++yajl_gen_status gen_json_map_string_string(void *ctx, json_map_string_string *map, struct parser_context *ptx, parser_error *err); ++ ++int append_json_map_string_string(json_map_string_string *map, const char *key, const char *val); ++ ++#ifdef __cplusplus ++} ++#endif ++ ++#endif +\ No newline at end of file +diff --git a/src/lxc/json/oci_runtime_hooks.c b/src/lxc/json/oci_runtime_hooks.c +new file mode 100644 +index 0000000..3aa134e +--- /dev/null ++++ b/src/lxc/json/oci_runtime_hooks.c +@@ -0,0 +1,53 @@ ++/****************************************************************************** ++ * Copyright (C), 1988-1999, Huawei Tech. Co., Ltd. ++ * FileName: oci_runtime_hooks.c ++ * Author: maoweiyong Version: 0.1 Date: 2018-11-07 ++ * Explanation: provide oci runtime hooks functions ++ ******************************************************************************/ ++#ifndef _GNU_SOURCE ++#define _GNU_SOURCE ++#endif ++#include ++#include "oci_runtime_hooks.h" ++ ++#include "log.h" ++#include "utils.h" ++ ++#define PARSE_ERR_BUFFER_SIZE 1024 ++ ++oci_runtime_spec_hooks *oci_runtime_spec_hooks_parse_file(const char *filename, ++ struct parser_context *ctx, parser_error *err) ++{ ++ yajl_val tree; ++ size_t filesize; ++ ++ if (!filename || !err) { ++ return NULL; ++ } ++ *err = NULL; ++ struct parser_context tmp_ctx; ++ if (!ctx) { ++ ctx = &tmp_ctx; ++ memset(&tmp_ctx, 0, sizeof(tmp_ctx)); ++ } ++ char *content = read_file(filename, &filesize); ++ char errbuf[PARSE_ERR_BUFFER_SIZE]; ++ if (content == NULL) { ++ if (asprintf(err, "cannot read the file: %s", filename) < 0) { ++ *err = strdup("error allocating memory"); ++ } ++ return NULL; ++ } ++ tree = yajl_tree_parse(content, errbuf, sizeof(errbuf)); ++ free(content); ++ if (tree == NULL) { ++ if (asprintf(err, "cannot parse the file: %s", errbuf) < 0) { ++ *err = strdup("error allocating memory"); ++ } ++ return NULL; ++ } ++ oci_runtime_spec_hooks *ptr = make_oci_runtime_spec_hooks(tree, ctx, ++ err); ++ yajl_tree_free(tree); ++ return ptr; ++} +diff --git a/src/lxc/json/oci_runtime_hooks.h b/src/lxc/json/oci_runtime_hooks.h +new file mode 100644 +index 0000000..bf570c9 +--- /dev/null ++++ b/src/lxc/json/oci_runtime_hooks.h +@@ -0,0 +1,15 @@ ++/****************************************************************************** ++ * Copyright (C), 1988-1999, Huawei Tech. Co., Ltd. ++ * FileName: oci_runtime_hooks.h ++ * Author: tanyifeng Version: 0.1 Date: 2018-11-08 ++ * Explanation: provide container oci runtime hooks function definition ++ ******************************************************************************/ ++#ifndef _CONTAINER_HOOKS_H ++# define _CONTAINER_HOOKS_H ++ ++# include "oci_runtime_spec.h" ++ ++oci_runtime_spec_hooks *oci_runtime_spec_hooks_parse_file(const char *filename, ++ struct parser_context *ctx, parser_error *err); ++ ++#endif +diff --git a/src/lxc/json/oci_runtime_spec.c b/src/lxc/json/oci_runtime_spec.c +new file mode 100644 +index 0000000..1f6073c +--- /dev/null ++++ b/src/lxc/json/oci_runtime_spec.c +@@ -0,0 +1,196 @@ ++// Generated from spec.json. Do not edit! ++#ifndef _GNU_SOURCE ++#define _GNU_SOURCE ++#endif ++#include ++#include ++#include "securec.h" ++#include "oci_runtime_spec.h" ++ ++oci_runtime_spec_hooks *make_oci_runtime_spec_hooks(yajl_val tree, struct parser_context *ctx, parser_error *err) { ++ oci_runtime_spec_hooks *ret = NULL; ++ *err = 0; ++ if (tree == NULL) ++ return ret; ++ ret = safe_malloc(sizeof(*ret)); ++ { ++ yajl_val tmp = get_val(tree, "prestart", yajl_t_array); ++ if (tmp && YAJL_GET_ARRAY(tmp)) { ++ size_t i; ++ ret->prestart_len = YAJL_GET_ARRAY(tmp)->len; ++ ret->prestart = safe_malloc((YAJL_GET_ARRAY(tmp)->len + 1) * sizeof(*ret->prestart)); ++ for (i = 0; i < YAJL_GET_ARRAY(tmp)->len; i++) { ++ yajl_val val = YAJL_GET_ARRAY(tmp)->values[i]; ++ ret->prestart[i] = make_defs_hook(val, ctx, err); ++ if (ret->prestart[i] == NULL) { ++ free_oci_runtime_spec_hooks(ret); ++ return NULL; ++ } ++ } ++ } ++ } ++ { ++ yajl_val tmp = get_val(tree, "poststart", yajl_t_array); ++ if (tmp && YAJL_GET_ARRAY(tmp)) { ++ size_t i; ++ ret->poststart_len = YAJL_GET_ARRAY(tmp)->len; ++ ret->poststart = safe_malloc((YAJL_GET_ARRAY(tmp)->len + 1) * sizeof(*ret->poststart)); ++ for (i = 0; i < YAJL_GET_ARRAY(tmp)->len; i++) { ++ yajl_val val = YAJL_GET_ARRAY(tmp)->values[i]; ++ ret->poststart[i] = make_defs_hook(val, ctx, err); ++ if (ret->poststart[i] == NULL) { ++ free_oci_runtime_spec_hooks(ret); ++ return NULL; ++ } ++ } ++ } ++ } ++ { ++ yajl_val tmp = get_val(tree, "poststop", yajl_t_array); ++ if (tmp && YAJL_GET_ARRAY(tmp)) { ++ size_t i; ++ ret->poststop_len = YAJL_GET_ARRAY(tmp)->len; ++ ret->poststop = safe_malloc((YAJL_GET_ARRAY(tmp)->len + 1) * sizeof(*ret->poststop)); ++ for (i = 0; i < YAJL_GET_ARRAY(tmp)->len; i++) { ++ yajl_val val = YAJL_GET_ARRAY(tmp)->values[i]; ++ ret->poststop[i] = make_defs_hook(val, ctx, err); ++ if (ret->poststop[i] == NULL) { ++ free_oci_runtime_spec_hooks(ret); ++ return NULL; ++ } ++ } ++ } ++ } ++ ++ if (tree->type == yajl_t_object && (ctx->options & PARSE_OPTIONS_STRICT)) { ++ int i; ++ for (i = 0; i < tree->u.object.len; i++) ++ if (strcmp(tree->u.object.keys[i], "prestart") && ++ strcmp(tree->u.object.keys[i], "poststart") && ++ strcmp(tree->u.object.keys[i], "poststop")) { ++ if (ctx->stderr > 0) ++ fprintf(ctx->stderr, "WARNING: unknown key found: %s\n", tree->u.object.keys[i]); ++ } ++ } ++ return ret; ++} ++ ++void free_oci_runtime_spec_hooks(oci_runtime_spec_hooks *ptr) { ++ if (!ptr) ++ return; ++ if (ptr->prestart) { ++ size_t i; ++ for (i = 0; i < ptr->prestart_len; i++) ++ if (ptr->prestart[i]) { ++ free_defs_hook(ptr->prestart[i]); ++ ptr->prestart[i] = NULL; ++ } ++ free(ptr->prestart); ++ ptr->prestart = NULL; ++ } ++ if (ptr->poststart) { ++ size_t i; ++ for (i = 0; i < ptr->poststart_len; i++) ++ if (ptr->poststart[i]) { ++ free_defs_hook(ptr->poststart[i]); ++ ptr->poststart[i] = NULL; ++ } ++ free(ptr->poststart); ++ ptr->poststart = NULL; ++ } ++ if (ptr->poststop) { ++ size_t i; ++ for (i = 0; i < ptr->poststop_len; i++) ++ if (ptr->poststop[i]) { ++ free_defs_hook(ptr->poststop[i]); ++ ptr->poststop[i] = NULL; ++ } ++ free(ptr->poststop); ++ ptr->poststop = NULL; ++ } ++ free(ptr); ++} ++ ++yajl_gen_status gen_oci_runtime_spec_hooks(yajl_gen g, oci_runtime_spec_hooks *ptr, struct parser_context *ctx, parser_error *err) { ++ yajl_gen_status stat = yajl_gen_status_ok; ++ *err = 0; ++ stat = reformat_start_map(g); ++ if (yajl_gen_status_ok != stat) ++ GEN_SET_ERROR_AND_RETURN(stat, err); ++ if ((ctx->options & GEN_OPTIONS_ALLKEYVALUE) ||(ptr && ptr->prestart)) { ++ size_t len = 0, i; ++ stat = reformat_map_key(g, "prestart", strlen("prestart")); ++ if (yajl_gen_status_ok != stat) ++ GEN_SET_ERROR_AND_RETURN(stat, err); ++ if (ptr && ptr->prestart) { ++ len = ptr->prestart_len; ++ } ++ if (!len && !(ctx->options & GEN_OPTIONS_SIMPLIFY)) ++ yajl_gen_config(g, yajl_gen_beautify, 0); ++ stat = reformat_start_array(g); ++ if (yajl_gen_status_ok != stat) ++ GEN_SET_ERROR_AND_RETURN(stat, err); ++ for (i = 0; i < len; i++) { ++ stat = gen_defs_hook(g, ptr->prestart[i], ctx, err); ++ if (yajl_gen_status_ok != stat) ++ GEN_SET_ERROR_AND_RETURN(stat, err); ++ } ++ stat = reformat_end_array(g); ++ if (!len && !(ctx->options & GEN_OPTIONS_SIMPLIFY)) ++ yajl_gen_config(g, yajl_gen_beautify, 1); ++ if (yajl_gen_status_ok != stat) ++ GEN_SET_ERROR_AND_RETURN(stat, err); ++ } ++ if ((ctx->options & GEN_OPTIONS_ALLKEYVALUE) ||(ptr && ptr->poststart)) { ++ size_t len = 0, i; ++ stat = reformat_map_key(g, "poststart", strlen("poststart")); ++ if (yajl_gen_status_ok != stat) ++ GEN_SET_ERROR_AND_RETURN(stat, err); ++ if (ptr && ptr->poststart) { ++ len = ptr->poststart_len; ++ } ++ if (!len && !(ctx->options & GEN_OPTIONS_SIMPLIFY)) ++ yajl_gen_config(g, yajl_gen_beautify, 0); ++ stat = reformat_start_array(g); ++ if (yajl_gen_status_ok != stat) ++ GEN_SET_ERROR_AND_RETURN(stat, err); ++ for (i = 0; i < len; i++) { ++ stat = gen_defs_hook(g, ptr->poststart[i], ctx, err); ++ if (yajl_gen_status_ok != stat) ++ GEN_SET_ERROR_AND_RETURN(stat, err); ++ } ++ stat = reformat_end_array(g); ++ if (!len && !(ctx->options & GEN_OPTIONS_SIMPLIFY)) ++ yajl_gen_config(g, yajl_gen_beautify, 1); ++ if (yajl_gen_status_ok != stat) ++ GEN_SET_ERROR_AND_RETURN(stat, err); ++ } ++ if ((ctx->options & GEN_OPTIONS_ALLKEYVALUE) ||(ptr && ptr->poststop)) { ++ size_t len = 0, i; ++ stat = reformat_map_key(g, "poststop", strlen("poststop")); ++ if (yajl_gen_status_ok != stat) ++ GEN_SET_ERROR_AND_RETURN(stat, err); ++ if (ptr && ptr->poststop) { ++ len = ptr->poststop_len; ++ } ++ if (!len && !(ctx->options & GEN_OPTIONS_SIMPLIFY)) ++ yajl_gen_config(g, yajl_gen_beautify, 0); ++ stat = reformat_start_array(g); ++ if (yajl_gen_status_ok != stat) ++ GEN_SET_ERROR_AND_RETURN(stat, err); ++ for (i = 0; i < len; i++) { ++ stat = gen_defs_hook(g, ptr->poststop[i], ctx, err); ++ if (yajl_gen_status_ok != stat) ++ GEN_SET_ERROR_AND_RETURN(stat, err); ++ } ++ stat = reformat_end_array(g); ++ if (!len && !(ctx->options & GEN_OPTIONS_SIMPLIFY)) ++ yajl_gen_config(g, yajl_gen_beautify, 1); ++ if (yajl_gen_status_ok != stat) ++ GEN_SET_ERROR_AND_RETURN(stat, err); ++ } ++ stat = reformat_end_map(g); ++ if (yajl_gen_status_ok != stat) ++ GEN_SET_ERROR_AND_RETURN(stat, err); ++ return yajl_gen_status_ok; ++} +diff --git a/src/lxc/json/oci_runtime_spec.h b/src/lxc/json/oci_runtime_spec.h +new file mode 100644 +index 0000000..ef3f161 +--- /dev/null ++++ b/src/lxc/json/oci_runtime_spec.h +@@ -0,0 +1,37 @@ ++// Generated from spec.json. Do not edit! ++#ifndef OCI_RUNTIME_SPEC_SCHEMA_H ++#define OCI_RUNTIME_SPEC_SCHEMA_H ++ ++#include ++#include ++#include "json_common.h" ++#include "defs.h" ++ ++#ifdef __cplusplus ++extern "C" { ++#endif ++ ++typedef struct { ++ defs_hook **prestart; ++ size_t prestart_len; ++ ++ defs_hook **poststart; ++ size_t poststart_len; ++ ++ defs_hook **poststop; ++ size_t poststop_len; ++ ++} ++oci_runtime_spec_hooks; ++ ++void free_oci_runtime_spec_hooks(oci_runtime_spec_hooks *ptr); ++ ++oci_runtime_spec_hooks *make_oci_runtime_spec_hooks(yajl_val tree, struct parser_context *ctx, parser_error *err); ++ ++yajl_gen_status gen_oci_runtime_spec_hooks(yajl_gen g, oci_runtime_spec_hooks *ptr, struct parser_context *ctx, parser_error *err); ++ ++#ifdef __cplusplus ++} ++#endif ++ ++#endif +diff --git a/src/lxc/json/read-file.c b/src/lxc/json/read-file.c +new file mode 100644 +index 0000000..ad0eda1 +--- /dev/null ++++ b/src/lxc/json/read-file.c +@@ -0,0 +1,94 @@ ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++ ++#include ++#include "read-file.h" ++ ++#ifndef O_CLOEXEC ++#define O_CLOEXEC 02000000 ++#endif ++ ++char *fread_file(FILE *stream, size_t *length) ++{ ++ char *buf = NULL, *tmpbuf = NULL; ++ size_t off = 0; ++ ++ while (1) { ++ size_t ret, newsize; ++ ++ newsize = off + BUFSIZ + 1; ++ tmpbuf = (char *)calloc(1, newsize); ++ if (tmpbuf == NULL) { ++ goto out; ++ } ++ ++ if (buf) { ++ memcpy(tmpbuf, buf, off); ++ ++ memset(buf, 0, off); ++ ++ free(buf); ++ } ++ ++ buf = tmpbuf; ++ ret = fread(buf + off, 1, BUFSIZ, stream); ++ if (!ret && ferror(stream)) { ++ tmpbuf = NULL; ++ goto out; ++ } ++ if (ret < BUFSIZ || feof(stream)) { ++ *length = off + ret + 1; ++ buf[*length - 1] = '\0'; ++ return buf; ++ } ++ off += BUFSIZ; ++ } ++out: ++ if (buf) { ++ free(buf); ++ } ++ if (tmpbuf) { ++ free(tmpbuf); ++ } ++ return NULL; ++ ++} ++ ++char *read_file(const char *path, size_t *length) ++{ ++ char *buf = NULL; ++ char rpath[PATH_MAX + 1] = {0}; ++ int fd, tmperrno; ++ FILE *fp; ++ ++ if (!path || !length) { ++ return NULL; ++ } ++ ++ if (strlen(path) > PATH_MAX || NULL == realpath(path, rpath)) { ++ return NULL; ++ } ++ ++ fd = open(rpath, O_RDONLY | O_CLOEXEC, 0640); ++ if (fd < 0) { ++ return NULL; ++ } ++ ++ fp = fdopen(fd, "r"); ++ tmperrno = errno; ++ if (!fp) { ++ close(fd); ++ errno = tmperrno; ++ return NULL; ++ } ++ ++ buf = fread_file(fp, length); ++ fclose(fp); ++ return buf; ++} +diff --git a/src/lxc/json/read-file.h b/src/lxc/json/read-file.h +new file mode 100644 +index 0000000..5d6e0eb +--- /dev/null ++++ b/src/lxc/json/read-file.h +@@ -0,0 +1,11 @@ ++#ifndef READ_FILE_H ++#define READ_FILE_H ++ ++#include ++#include ++ ++extern char *fread_file(FILE *stream, size_t *length); ++ ++extern char *read_file(const char *path, size_t *length); ++ ++#endif +diff --git a/src/lxc/lxccontainer.c b/src/lxc/lxccontainer.c +index 31f4819..68134d8 100644 +--- a/src/lxc/lxccontainer.c ++++ b/src/lxc/lxccontainer.c +@@ -271,6 +271,9 @@ static void lxc_container_free(struct lxc_container *c) + free(c->configfile); + c->configfile = NULL; + ++ free(c->ocihookfile); ++ c->ocihookfile = NULL; ++ + free(c->error_string); + c->error_string = NULL; + +@@ -612,6 +615,30 @@ static bool load_config_locked(struct lxc_container *c, const char *fname) + return true; + } + ++static bool load_ocihooks_locked(struct lxc_container *c) ++{ ++ parser_error err = NULL; ++ oci_runtime_spec_hooks *hooks; ++ ++ if (!c->lxc_conf) ++ c->lxc_conf = lxc_conf_init(); ++ ++ if (!c->lxc_conf) ++ return false; ++ ++ hooks = oci_runtime_spec_hooks_parse_file(c->ocihookfile, NULL, &err); ++ if (!hooks) { ++ fprintf(stderr, "parse oci hooks config failed: %s\n", err); ++ free(err); ++ return true; ++ } ++ c->lxc_conf->ocihooks = hooks; ++ ++ if (err) ++ free(err); ++ return true; ++} ++ + static bool do_lxcapi_load_config(struct lxc_container *c, const char *alt_file) + { + int lret; +@@ -645,6 +672,9 @@ static bool do_lxcapi_load_config(struct lxc_container *c, const char *alt_file) + + ret = load_config_locked(c, fname); + ++ if (ret && file_exists(c->ocihookfile)) ++ ret = load_ocihooks_locked(c); ++ + if (need_disklock) + container_disk_unlock(c); + else +@@ -3242,6 +3272,37 @@ static bool set_config_filename(struct lxc_container *c) + return true; + } + ++/* ++ * isulad: set oci hook file path ++ * */ ++static bool set_oci_hook_config_filename(struct lxc_container *c) ++{ ++#define OCI_HOOK_JSON_FILE_NAME "ocihooks.json" ++ char *newpath; ++ int len, ret; ++ ++ if (!c->config_path) ++ return false; ++ ++ /* $lxc_path + "/" + c->name + "/" + "config" + '\0' */ ++ len = strlen(c->config_path) + strlen(c->name) + strlen(OCI_HOOK_JSON_FILE_NAME) + 3; ++ newpath = malloc(len); ++ if (!newpath) ++ return false; ++ ++ ret = snprintf(newpath, len, "%s/%s/%s", c->config_path, c->name, OCI_HOOK_JSON_FILE_NAME); ++ if (ret < 0 || ret >= len) { ++ fprintf(stderr, "Error printing out config file name\n"); ++ free(newpath); ++ return false; ++ } ++ ++ free(c->ocihookfile); ++ c->ocihookfile = newpath; ++ ++ return true; ++} ++ + static bool do_lxcapi_set_config_path(struct lxc_container *c, const char *path) + { + char *p; +@@ -5081,6 +5142,11 @@ struct lxc_container *lxc_container_new(const char *name, const char *configpath + goto err; + } + ++ if (!set_oci_hook_config_filename(c)) { ++ fprintf(stderr, "Error allocating oci hooks file pathname\n"); ++ goto err; ++ } ++ + if (file_exists(c->configfile) && !lxcapi_load_config(c, NULL)) { + fprintf(stderr, "Failed to load config for %s\n", name); + goto err; +diff --git a/src/lxc/lxccontainer.h b/src/lxc/lxccontainer.h +index 503038a..5d23cc7 100644 +--- a/src/lxc/lxccontainer.h ++++ b/src/lxc/lxccontainer.h +@@ -77,6 +77,13 @@ struct lxc_container { + + /*! + * \private ++ * isulad: support oci hook from json file ++ * full path of json file ++ * */ ++ char *ocihookfile; ++ ++ /*! ++ * \private + * File to store pid. + */ + char *pidfile; +diff --git a/src/lxc/start.c b/src/lxc/start.c +index b13326c..63f5af8 100644 +--- a/src/lxc/start.c ++++ b/src/lxc/start.c +@@ -1887,6 +1887,16 @@ static int lxc_spawn(struct lxc_handler *handler) + goto out_delete_net; + } + ++ /* isulad: Run oci prestart hook at here */ ++ char* oci_hook_args[1]; ++ oci_hook_args[0] = alloca(strlen(lxcpath) + 1); ++ (void)strlcpy(oci_hook_args[0], lxcpath, strlen(lxcpath)); ++ ret = run_lxc_hooks(name, "oci-prestart", conf, oci_hook_args); ++ if (ret < 0) { ++ ERROR("Failed to run oci prestart hooks"); ++ goto out_delete_net; ++ } ++ + /* Tell the child to complete its initialization and wait for it to exec + * or return an error. (The child will never return + * LXC_SYNC_READY_START+1. It will either close the sync pipe, causing +@@ -1922,6 +1932,13 @@ static int lxc_spawn(struct lxc_handler *handler) + if (ret < 0) + goto out_abort; + ++ /* isulad: Run oci prestart hook at here */ ++ ret = run_lxc_hooks(name, "oci-poststart", conf, oci_hook_args); ++ if (ret < 0) { ++ ERROR("Failed to run oci poststart hooks"); ++ goto out_delete_net; ++ } ++ + ret = lxc_set_state(name, handler, RUNNING); + if (ret < 0) { + ERROR("Failed to set state to \"%s\"", lxc_state2str(RUNNING)); +diff --git a/src/lxc/utils.c b/src/lxc/utils.c +index 8ec9f46..d1a22f7 100644 +--- a/src/lxc/utils.c ++++ b/src/lxc/utils.c +@@ -1864,11 +1864,11 @@ static int lxc_file2str(const char *filename, char ret[], int cap) + int fd, num_read; + + if ((fd = open(filename, O_RDONLY | O_CLOEXEC)) == -1) +- return -1;/*lint !e960*/ ++ return -1; + if ((num_read = read(fd, ret, cap - 1)) <= 0) +- num_read = -1;/*lint !e960*/ ++ num_read = -1; + else +- ret[num_read] = 0;/*lint !e613*//*lint !e960*/ ++ ret[num_read] = 0; + close(fd); + + return num_read; +@@ -1886,16 +1886,16 @@ static proc_t *lxc_stat2proc(char *S) + char *tmp = NULL; + + if (!S) +- return NULL;/*lint !e960*/ ++ return NULL; + +- tmp = strrchr(S, ')'); /* split into "PID (cmd" and "" *//*lint !e586*/ ++ tmp = strrchr(S, ')'); /* split into "PID (cmd" and "" */ + if (!tmp) +- return NULL;/*lint !e960*/ ++ return NULL; + *tmp = '\0'; /* replace trailing ')' with NUL */ + + P = malloc(sizeof(proc_t)); + if (!P) +- return NULL;/*lint !e960*/ ++ return NULL; + memset(P, 0x00, sizeof(proc_t)); + + /* parse these two strings separately, skipping the leading "(". */ +@@ -1909,9 +1909,9 @@ static proc_t *lxc_stat2proc(char *S) + "%c " + "%d %d %d %d %d " + "%lu %lu %lu %lu %lu " +- "%Lu %Lu %Lu %Lu " /* utime stime cutime cstime *//*lint !e566*/ ++ "%Lu %Lu %Lu %Lu " /* utime stime cutime cstime */ + "%ld %ld %ld %ld " +- "%Lu " /* start_time *//*lint !e566*/ ++ "%Lu " /* start_time */ + "%lu " + "%ld " + "%lu %lu %lu %lu %lu %lu " +@@ -1922,9 +1922,9 @@ static proc_t *lxc_stat2proc(char *S) + &P->state, + &P->ppid, &P->pgrp, &P->session, &P->tty, &P->tpgid, + &P->flags, &P->min_flt, &P->cmin_flt, &P->maj_flt, &P->cmaj_flt, +- &P->utime, &P->stime, &P->cutime, &P->cstime,/*lint !e561*/ ++ &P->utime, &P->stime, &P->cutime, &P->cstime, + &P->priority, &P->nice, &P->timeout, &P->it_real_value, +- &P->start_time,/*lint !e561*/ ++ &P->start_time, + &P->vsize, + &P->rss, + &P->rss_rlim, &P->start_code, &P->end_code, &P->start_stack, &P->kstk_esp, +@@ -1935,7 +1935,7 @@ static proc_t *lxc_stat2proc(char *S) + ); + + if (P->tty == 0) +- P->tty = -1; /* the old notty val, update elsewhere bef. moving to 0 *//*lint !e960*/ ++ P->tty = -1; /* the old notty val, update elsewhere bef. moving to 0 */ + return P; + } + +@@ -1949,7 +1949,7 @@ unsigned long long lxc_get_process_startat(pid_t pid) + char sbuf[1024] = {0}; /* bufs for stat */ + + sret = snprintf(filename, sizeof(filename), "/proc/%d/stat", pid); +- if (sret < 0 || sret >= sizeof(filename)) {/*lint !e574*/ ++ if (sret < 0 || sret >= sizeof(filename)) { + ERROR("Failed to sprintf filename"); + goto out; + } +@@ -1960,7 +1960,7 @@ unsigned long long lxc_get_process_startat(pid_t pid) + } + + pid_info = lxc_stat2proc(sbuf); +- if (!pid_info) {/*lint !e574*/ ++ if (!pid_info) { + ERROR("Failed to get proc stat info"); + goto out; + } +@@ -1992,3 +1992,41 @@ void lxc_write_error_message(int errfd, const char *format, ...) + SYSERROR("Write errbuf failed"); + } + ++bool lxc_process_alive(pid_t pid, unsigned long long start_time) ++{ ++ int ret; ++ int sret = 0; ++ bool alive = true; ++ proc_t *pid_info = NULL; ++ char filename[PATH_MAX] = {0}; ++ char sbuf[1024] = {0}; /* bufs for stat */ ++ ++ sret = kill(pid, 0); ++ if (sret < 0 && errno == ESRCH) ++ return false; ++ ++ sret = snprintf(filename, sizeof(filename), "/proc/%d/stat", pid); ++ if (sret < 0 || sret >= sizeof(filename)) { ++ ERROR("Failed to sprintf filename"); ++ goto out; ++ } ++ ++ if ((lxc_file2str(filename, sbuf, sizeof(sbuf))) == -1) { ++ ERROR("Failed to read pidfile %s", filename); ++ alive = false; ++ goto out; ++ } ++ ++ pid_info = lxc_stat2proc(sbuf); ++ if (!pid_info) { ++ ERROR("Failed to get proc stat info"); ++ alive = false; ++ goto out; ++ } ++ ++ if (start_time != pid_info->start_time) ++ alive = false; ++out: ++ free(pid_info); ++ return alive; ++} +diff --git a/src/lxc/utils.h b/src/lxc/utils.h +index 3d56fd9..abc88ca 100644 +--- a/src/lxc/utils.h ++++ b/src/lxc/utils.h +@@ -316,4 +316,6 @@ extern int fd_nonblock(int fd); + extern int unsigned long long lxc_get_process_startat(pid_t pid); + extern void lxc_write_error_message(int errfd, const char *format, ...); + ++extern bool lxc_process_alive(pid_t pid, unsigned long long start_time); ++ + #endif /* __LXC_UTILS_H */ +-- +1.8.3.1 + diff --git a/0026-remove-filelock-and-do-not-destroy-directory-when-de.patch b/0026-remove-filelock-and-do-not-destroy-directory-when-de.patch new file mode 100644 index 0000000..a786d69 --- /dev/null +++ b/0026-remove-filelock-and-do-not-destroy-directory-when-de.patch @@ -0,0 +1,132 @@ +From 693b1ab25741606299037bc660387a5d109f238c Mon Sep 17 00:00:00 2001 +From: tanyifeng +Date: Mon, 14 Jan 2019 21:13:00 +0800 +Subject: [PATCH 026/122] remove filelock and do not destroy directory when + destroy container + +Signed-off-by: LiFeng +--- + src/lxc/lxccontainer.c | 14 ++++++++++++-- + src/lxc/lxclock.c | 25 +++++++++++++++++++++++++ + src/lxc/lxclock.h | 5 +++++ + src/lxc/storage/dir.c | 12 +----------- + 4 files changed, 43 insertions(+), 13 deletions(-) + +diff --git a/src/lxc/lxccontainer.c b/src/lxc/lxccontainer.c +index 68134d8..81c0ec3 100644 +--- a/src/lxc/lxccontainer.c ++++ b/src/lxc/lxccontainer.c +@@ -2996,8 +2996,14 @@ static bool container_destroy(struct lxc_container *c, + bool bret = false; + int ret = 0; + +- if (!c || !do_lxcapi_is_defined(c)) ++ if (!c) + return false; ++ // isulad: if container is not defined, we need to remove disk lock file ++ // which is created in lxc_container_new. ++ if (!do_lxcapi_is_defined(c)) { ++ container_disk_removelock(c); ++ return false; ++ } + + conf = c->lxc_conf; + if (container_disk_lock(c)) +@@ -3124,12 +3130,16 @@ out: + free(path); + + container_disk_unlock(c); ++ if (bret) { ++ if (container_disk_removelock(c)) ++ bret = false; ++ } + return bret; + } + + static bool do_lxcapi_destroy(struct lxc_container *c) + { +- if (!c || !lxcapi_is_defined(c)) ++ if (!c) + return false; + + if (has_snapshots(c)) { +diff --git a/src/lxc/lxclock.c b/src/lxc/lxclock.c +index e3d4654..8890968 100644 +--- a/src/lxc/lxclock.c ++++ b/src/lxc/lxclock.c +@@ -198,6 +198,21 @@ on_error: + return l; + } + ++static int lxc_removelock(struct lxc_lock *l) ++{ ++ int ret = 0; ++ ++ if (l->type == LXC_LOCK_FLOCK) { ++ ret = unlink(l->u.f.fname); ++ if (ret && errno != ENOENT) { ++ SYSERROR("Error unlink %s", l->u.f.fname); ++ return ret; ++ } ++ } ++ ++ return ret; ++} ++ + int lxclock(struct lxc_lock *l, int timeout) + { + struct flock lk; +@@ -386,3 +401,13 @@ void container_disk_unlock(struct lxc_container *c) + lxcunlock(c->slock); + lxcunlock(c->privlock); + } ++ ++int container_disk_removelock(struct lxc_container *c) ++{ ++ int ret; ++ ++ ret = lxc_removelock(c->slock); ++ if (ret) ++ return ret; ++ return lxc_removelock(c->privlock); ++} +diff --git a/src/lxc/lxclock.h b/src/lxc/lxclock.h +index 364a71b..e86bc34 100644 +--- a/src/lxc/lxclock.h ++++ b/src/lxc/lxclock.h +@@ -174,4 +174,9 @@ extern int container_disk_lock(struct lxc_container *c); + */ + extern void container_disk_unlock(struct lxc_container *c); + ++/*! ++ * \brief isulad: remove the containers disk lock file. ++ */ ++int container_disk_removelock(struct lxc_container *c); ++ + #endif +diff --git a/src/lxc/storage/dir.c b/src/lxc/storage/dir.c +index c7b5ee2..deeecec 100644 +--- a/src/lxc/storage/dir.c ++++ b/src/lxc/storage/dir.c +@@ -123,17 +123,7 @@ int dir_create(struct lxc_storage *bdev, const char *dest, const char *n, + + int dir_destroy(struct lxc_storage *orig) + { +- int ret; +- const char *src; +- +- src = lxc_storage_get_path(orig->src, orig->src); +- +- ret = lxc_rmdir_onedev(src, NULL); +- if (ret < 0) { +- ERROR("Failed to delete \"%s\"", src); +- return -1; +- } +- ++ // isulad: do not destroy rootfs for directory, it should be managed by caller + return 0; + } + +-- +1.8.3.1 + diff --git a/0027-fix-bug-of-memory-leak.patch b/0027-fix-bug-of-memory-leak.patch new file mode 100644 index 0000000..40c3e7c --- /dev/null +++ b/0027-fix-bug-of-memory-leak.patch @@ -0,0 +1,78 @@ +From 4f4a8726feb02b846d9602feac517fc4dfbe1ede Mon Sep 17 00:00:00 2001 +From: tanyifeng +Date: Mon, 14 Jan 2019 21:24:25 +0800 +Subject: [PATCH 027/122] fix bug of memory leak + +Signed-off-by: LiFeng +--- + src/lxc/conf.c | 11 +++++++++++ + src/lxc/conf.h | 1 + + src/lxc/lxccontainer.c | 11 +++++++---- + 3 files changed, 19 insertions(+), 4 deletions(-) + +diff --git a/src/lxc/conf.c b/src/lxc/conf.c +index 6a14de1..e076bf2 100644 +--- a/src/lxc/conf.c ++++ b/src/lxc/conf.c +@@ -4822,6 +4822,16 @@ int lxc_clear_procs(struct lxc_conf *c, const char *key) + return 0; + } + ++int lxc_clear_namespace(struct lxc_conf *c) ++{ ++ int i; ++ for (i = 0; i < LXC_NS_MAX; i++) { ++ free(c->ns_share[i]); ++ c->ns_share[i] = NULL; ++ } ++ return 0; ++} ++ + int lxc_clear_groups(struct lxc_conf *c) + { + struct lxc_list *it, *next; +@@ -5036,6 +5046,7 @@ void lxc_conf_free(struct lxc_conf *conf) + lxc_clear_limits(conf, "lxc.prlimit"); + lxc_clear_sysctls(conf, "lxc.sysctl"); + lxc_clear_procs(conf, "lxc.proc"); ++ lxc_clear_namespace(conf); + free(conf->cgroup_meta.dir); + free(conf->cgroup_meta.controllers); + /* isulad add begin */ +diff --git a/src/lxc/conf.h b/src/lxc/conf.h +index 2263e47..44feb98 100644 +--- a/src/lxc/conf.h ++++ b/src/lxc/conf.h +@@ -491,6 +491,7 @@ extern int setup_sysctl_parameters(struct lxc_list *sysctls); + extern int lxc_clear_sysctls(struct lxc_conf *c, const char *key); + extern int setup_proc_filesystem(struct lxc_list *procs, pid_t pid); + extern int lxc_clear_procs(struct lxc_conf *c, const char *key); ++extern int lxc_clear_namespace(struct lxc_conf *c); + + /* isulad add begin */ + int lxc_clear_init_args(struct lxc_conf *lxc_conf); +diff --git a/src/lxc/lxccontainer.c b/src/lxc/lxccontainer.c +index 81c0ec3..e6272fc 100644 +--- a/src/lxc/lxccontainer.c ++++ b/src/lxc/lxccontainer.c +@@ -5418,10 +5418,13 @@ int list_active_containers(const char *lxcpath, char ***nret, + continue; + } + +- if (array_contains(&ct_name, p, ct_name_cnt)) { +- if (is_hashed) +- free(p); +- continue; ++ ++ if (ct_name && ct_name_cnt) { ++ if (array_contains(&ct_name, p, ct_name_cnt)) { ++ if (is_hashed) ++ free(p); ++ continue; ++ } + } + + if (!add_to_array(&ct_name, p, ct_name_cnt)) { +-- +1.8.3.1 + diff --git a/0028-support-rootfs-for-container.patch b/0028-support-rootfs-for-container.patch new file mode 100644 index 0000000..996cd47 --- /dev/null +++ b/0028-support-rootfs-for-container.patch @@ -0,0 +1,123 @@ +From 53fa77bebc3e896396036cb3a482f75f138da788 Mon Sep 17 00:00:00 2001 +From: tanyifeng +Date: Tue, 15 Jan 2019 09:45:44 +0800 +Subject: [PATCH 028/122] support rootfs / for container + +Signed-off-by: LiFeng +--- + src/lxc/conf.c | 61 ++++++++++++++++++++++++++++++++++++++++++++++++++-------- + 1 file changed, 53 insertions(+), 8 deletions(-) + +diff --git a/src/lxc/conf.c b/src/lxc/conf.c +index e076bf2..f429491 100644 +--- a/src/lxc/conf.c ++++ b/src/lxc/conf.c +@@ -888,9 +888,6 @@ static int lxc_setup_ttys(struct lxc_conf *conf) + char *ttydir = ttys->dir; + char path[PATH_MAX], lxcpath[PATH_MAX]; + +- if (!conf->rootfs.path) +- return 0; +- + for (i = 0; i < ttys->max; i++) { + struct lxc_terminal_info *tty = &ttys->tty[i]; + +@@ -1394,7 +1391,7 @@ static int lxc_mount_rootfs(struct lxc_conf *conf) + { + int ret; + struct lxc_storage *bdev; +- const struct lxc_rootfs *rootfs = &conf->rootfs; ++ struct lxc_rootfs *rootfs = &conf->rootfs; + unsigned long flags, mntflags, pflags; + char *mntdata; + +@@ -1405,6 +1402,17 @@ static int lxc_mount_rootfs(struct lxc_conf *conf) + return -1; + } + ++ // isulad: bind mount / to rootfs.mount. then we can do pivot root even if we use / as root. ++ if (!access(rootfs->mount, F_OK)) { ++ rootfs->path = strdup("/"); ++ if (mount("/", rootfs->mount, NULL, MS_BIND, 0)) { ++ SYSERROR("Failed to mount / to %s.", rootfs->mount); ++ return -1; ++ } ++ } else { ++ INFO("Use '/' as container rootfs, but no valid mountpoint provided. Something may go wrong."); ++ } ++ + return 0; + } + +@@ -3854,6 +3862,35 @@ static int setup_populate_devs(const struct lxc_rootfs *rootfs, struct lxc_list + return 0; + } + ++// isulad: setup rootfs mountopts ++static int setup_rootfs_mountopts(const struct lxc_rootfs *rootfs) ++{ ++ unsigned long mntflags, pflags; ++ char *mntdata; ++ ++ // only remount / when container shares rootfs with host. ++ if(!rootfs || !rootfs->path || strcmp(rootfs->path, "/")) ++ return 0; ++ if (!rootfs->options) ++ return 0; ++ ++ if (parse_mntopts(rootfs->options, &mntflags, &pflags, &mntdata) < 0) { ++ free(mntdata); ++ return -1; ++ } ++ free(mntdata); ++ ++ if (mntflags & MS_RDONLY) { ++ DEBUG("remounting / as readonly"); ++ if (mount("/", "/", NULL, MS_BIND |MS_REMOUNT| MS_RDONLY, 0)) { ++ SYSERROR("Failed to make / readonly."); ++ return -1; ++ } ++ } ++ return 0; ++} ++ ++ + int lxc_setup(struct lxc_handler *handler) + { + int ret; +@@ -4020,12 +4057,20 @@ int lxc_setup(struct lxc_handler *handler) + return -1; + } + +- ret = lxc_setup_devpts(lxc_conf); +- if (ret < 0) { +- ERROR("Failed to setup new devpts instance"); ++ /* isulad: remount rootfs readonly if necessary */ ++ if (setup_rootfs_mountopts(&lxc_conf->rootfs)) { ++ ERROR("failed to set rootfs for '%s'", name); + return -1; + } + ++ if (lxc_conf->rootfs.path) { ++ ret = lxc_setup_devpts(lxc_conf); ++ if (ret < 0) { ++ ERROR("Failed to setup new devpts instance"); ++ return -1; ++ } ++ } ++ + ret = lxc_create_ttys(handler); + if (ret < 0) + return -1; +@@ -4184,7 +4229,7 @@ static char **merge_ocihook_env(char **oldenvs, size_t env_len, size_t *merge_en + return result; + } + +-static struct lxc_popen_FILE *lxc_popen_ocihook(char *commandpath, char **args, int args_len, ++static struct lxc_popen_FILE *lxc_popen_ocihook(char *commandpath, char **args, int args_len, + char **envs, int env_len, const char *instr) + { + int ret; +-- +1.8.3.1 + diff --git a/0029-add-start-timeout-to-limit-start-time.patch b/0029-add-start-timeout-to-limit-start-time.patch new file mode 100644 index 0000000..fcb2344 --- /dev/null +++ b/0029-add-start-timeout-to-limit-start-time.patch @@ -0,0 +1,436 @@ +From 96dc86e154cd49f9a999409e4fb679ed78e16af6 Mon Sep 17 00:00:00 2001 +From: LiFeng +Date: Mon, 14 Jan 2019 21:38:07 -0500 +Subject: [PATCH 029/122] add start timeout to limit start time + +Signed-off-by: LiFeng +--- + src/lxc/conf.c | 6 +-- + src/lxc/execute.c | 4 +- + src/lxc/lxc.h | 8 ++-- + src/lxc/lxccontainer.c | 21 ++++++++- + src/lxc/lxccontainer.h | 16 +++++++ + src/lxc/start.c | 106 +++++++++++++++++++++++++++++++++++++++++++--- + src/lxc/start.h | 6 +-- + src/lxc/tools/arguments.h | 2 + + src/lxc/tools/lxc_start.c | 26 ++++++++++++ + 9 files changed, 175 insertions(+), 20 deletions(-) + +diff --git a/src/lxc/conf.c b/src/lxc/conf.c +index f429491..439353b 100644 +--- a/src/lxc/conf.c ++++ b/src/lxc/conf.c +@@ -4381,14 +4381,12 @@ void* wait_ocihook_timeout(void *arg) + + if (alive) { + ERROR("%s:%d: running %s hook caused \"hook ran past specified timeout of %.1fs\"", +- __FILE__, __LINE__, +- (conf->which == LXCHOOK_START_HOST) ? "prestart" : lxchook_names[conf->which], ++ __FILE__, __LINE__, lxchook_names[conf->which], + (double)conf->timeout); + + if (conf->errfd >= 0) { + lxc_write_error_message(conf->errfd, "%s:%d: running %s hook caused \"hook ran past specified timeout of %.1fs\"", +- __FILE__, __LINE__, +- (conf->which == LXCHOOK_START_HOST) ? "prestart" : lxchook_names[conf->which], ++ __FILE__, __LINE__, lxchook_names[conf->which], + (double)conf->timeout); + } + +diff --git a/src/lxc/execute.c b/src/lxc/execute.c +index 45ca67e..d388e63 100644 +--- a/src/lxc/execute.c ++++ b/src/lxc/execute.c +@@ -111,12 +111,12 @@ static struct lxc_operations execute_start_ops = { + + int lxc_execute(const char *name, char *const argv[], int quiet, + struct lxc_handler *handler, const char *lxcpath, +- bool daemonize, int *error_num) ++ bool daemonize, int *error_num, unsigned int start_timeout) + { + struct execute_args args = {.argv = argv, .quiet = quiet}; + + TRACE("Doing lxc_execute"); + handler->conf->is_execute = true; + return __lxc_start(name, handler, &execute_start_ops, &args, lxcpath, +- daemonize, error_num); ++ daemonize, error_num, start_timeout); + } +diff --git a/src/lxc/lxc.h b/src/lxc/lxc.h +index 22e3509..687b4b2 100644 +--- a/src/lxc/lxc.h ++++ b/src/lxc/lxc.h +@@ -55,7 +55,7 @@ struct lxc_handler; + */ + extern int lxc_start(const char *name, char *const argv[], + struct lxc_handler *handler, const char *lxcpath, +- bool daemonize, int *error_num); ++ bool daemonize, int *error_num, unsigned int start_timeout); + + /* + * Start the specified command inside an application container +@@ -66,9 +66,9 @@ extern int lxc_start(const char *name, char *const argv[], + * @daemonize : whether or not the container is daemonized + * Returns 0 on success, < 0 otherwise + */ +-extern int lxc_execute(const char *name, char *const argv[], int quiet, +- struct lxc_handler *handler, const char *lxcpath, +- bool daemonize, int *error_num); ++int lxc_execute(const char *name, char *const argv[], int quiet, ++ struct lxc_handler *handler, const char *lxcpath, ++ bool daemonize, int *error_num, unsigned int start_timeout); + + /* + * Close the fd associated with the monitoring +diff --git a/src/lxc/lxccontainer.c b/src/lxc/lxccontainer.c +index e6272fc..beae459 100644 +--- a/src/lxc/lxccontainer.c ++++ b/src/lxc/lxccontainer.c +@@ -1169,10 +1169,10 @@ reboot: + + if (useinit) + ret = lxc_execute(c->name, argv, 1, handler, c->config_path, +- c->daemonize, &c->error_num); ++ c->daemonize, &c->error_num, c->start_timeout); + else + ret = lxc_start(c->name, argv, handler, c->config_path, +- c->daemonize, &c->error_num); ++ c->daemonize, &c->error_num, c->start_timeout); + + if (conf->reboot == REBOOT_REQ) { + INFO("Container requested reboot"); +@@ -5100,6 +5100,22 @@ static bool do_lxcapi_set_container_info_file(struct lxc_container *c, const cha + + WRAP_API_1(bool, lxcapi_set_container_info_file, const char *) + ++/* isulad add start timeout */ ++static bool do_lxcapi_set_start_timeout(struct lxc_container *c, unsigned int start_timeout) ++{ ++ if (!c || !c->lxc_conf) ++ return false; ++ if (container_mem_lock(c)) { ++ ERROR("Error getting mem lock"); ++ return false; ++ } ++ c->start_timeout = start_timeout; ++ container_mem_unlock(c); ++ return true; ++} ++ ++WRAP_API_1(bool, lxcapi_set_start_timeout, unsigned int) ++ + struct lxc_container *lxc_container_new(const char *name, const char *configpath) + { + struct lxc_container *c; +@@ -5231,6 +5247,7 @@ struct lxc_container *lxc_container_new(const char *name, const char *configpath + /* isulad add begin */ + c->set_terminal_init_fifos = lxcapi_set_terminal_default_fifos; + c->set_container_info_file = lxcapi_set_container_info_file; ++ c->set_start_timeout = lxcapi_set_start_timeout; + /* isulad add end */ + return c; + +diff --git a/src/lxc/lxccontainer.h b/src/lxc/lxccontainer.h +index 5d23cc7..77de704 100644 +--- a/src/lxc/lxccontainer.h ++++ b/src/lxc/lxccontainer.h +@@ -94,6 +94,12 @@ struct lxc_container { + */ + char *exit_fifo; + ++ /*! isulad: ++ * \private ++ * start_timeout. ++ */ ++ unsigned int start_timeout; ++ + /*! + * \private + * Container semaphore lock. +@@ -880,6 +886,16 @@ struct lxc_container { + * \return \c true on success, else \c false. + */ + bool (*set_container_info_file) (struct lxc_container *c, const char *info_file); ++ ++ /*! isulad add ++ * \brief An API call to set start timeout ++ * ++ * \param c Container. ++ * \param start_timeout Value of start timeout. ++ * ++ * \return \c true on success, else \c false. ++ */ ++ bool (*set_start_timeout)(struct lxc_container *c, unsigned int start_timeout); + }; + + /*! +diff --git a/src/lxc/start.c b/src/lxc/start.c +index 63f5af8..f7be9e4 100644 +--- a/src/lxc/start.c ++++ b/src/lxc/start.c +@@ -93,7 +93,22 @@ extern void mod_all_rdeps(struct lxc_container *c, bool inc); + static bool do_destroy_container(struct lxc_handler *handler); + static int lxc_rmdir_onedev_wrapper(void *data); + static void lxc_destroy_container_on_signal(struct lxc_handler *handler, +- const char *name); ++ const char *name); ++ ++/* isulad: start timeout thread */ ++typedef enum { ++ START_INIT, ++ START_TIMEOUT, ++ START_MAX, ++} start_timeout_t; ++ ++static start_timeout_t global_timeout_state = START_INIT; ++static sem_t global_timeout_sem; ++ ++struct start_timeout_conf { ++ unsigned int timeout; ++ int errfd; ++}; + + static void print_top_failing_dir(const char *path) + { +@@ -1897,6 +1912,12 @@ static int lxc_spawn(struct lxc_handler *handler) + goto out_delete_net; + } + ++ if (START_TIMEOUT == global_timeout_state) { ++ //lxc_write_error_message(conf->errpipe[1], "Starting the container \"%s\" timeout.", name); ++ ERROR("Starting the container \"%s\" timeout.", name); ++ goto out_delete_net; ++ } ++ + /* Tell the child to complete its initialization and wait for it to exec + * or return an error. (The child will never return + * LXC_SYNC_READY_START+1. It will either close the sync pipe, causing +@@ -1936,7 +1957,13 @@ static int lxc_spawn(struct lxc_handler *handler) + ret = run_lxc_hooks(name, "oci-poststart", conf, oci_hook_args); + if (ret < 0) { + ERROR("Failed to run oci poststart hooks"); +- goto out_delete_net; ++ goto out_abort; ++ } ++ ++ if (START_TIMEOUT == global_timeout_state) { ++ //lxc_write_error_message(conf->errpipe[1], "Starting the container \"%s\" timeout.", name); ++ ERROR("Starting the container \"%s\" timeout.", name); ++ goto out_abort; + } + + ret = lxc_set_state(name, handler, RUNNING); +@@ -1964,12 +1991,71 @@ out_abort: + return -1; + } + ++/* isulad: start timeout thread function */ ++static void* wait_start_timeout(void *arg) ++{ ++ struct start_timeout_conf *conf = (struct start_timeout_conf *)arg; ++ ++ sem_post(&global_timeout_sem); ++ ++ if (!conf || conf->timeout < 1) ++ goto out; ++ ++ sleep(conf->timeout); ++ ++ global_timeout_state = START_TIMEOUT; ++ ++out: ++ free(conf); ++ return ((void *)0); ++} ++ ++/* isulad: create start timeout thread */ ++static int create_start_timeout_thread(struct lxc_conf *conf, unsigned int start_timeout) ++{ ++ int ret = 0; ++ pthread_t ptid; ++ pthread_attr_t attr; ++ struct start_timeout_conf *timeout_conf = NULL; ++ ++ if (sem_init(&global_timeout_sem, 0, 0)) { ++ ERROR("Failed to init start timeout semaphore");/*lint !e613*/ ++ ret = -1; ++ return ret; ++ } ++ ++ timeout_conf = malloc(sizeof(struct start_timeout_conf)); ++ if (!timeout_conf) { ++ ERROR("Failed to malloc start timeout conf"); ++ ret = -1; ++ goto out; ++ } ++ ++ memset(timeout_conf, 0, sizeof(struct start_timeout_conf)); ++ timeout_conf->errfd = conf->errpipe[1]; ++ timeout_conf->timeout = start_timeout; ++ ++ pthread_attr_init(&attr); ++ pthread_attr_setdetachstate(&attr, PTHREAD_CREATE_DETACHED); ++ ret = pthread_create(&ptid, &attr, wait_start_timeout, timeout_conf); ++ if (ret != 0) { ++ ERROR("Create start wait timeout thread failed"); ++ free(timeout_conf); ++ goto out; ++ } ++ ++ sem_wait(&global_timeout_sem); ++out: ++ sem_destroy(&global_timeout_sem); ++ return ret; ++} ++ + // isulad: send '128 + signal' if container is killed by signal. + #define ExitSignalOffset 128 + + int __lxc_start(const char *name, struct lxc_handler *handler, + struct lxc_operations* ops, void *data, const char *lxcpath, +- bool daemonize, int *error_num) ++ bool daemonize, int *error_num, unsigned int start_timeout) + { + int ret, status, exit_code; + struct lxc_conf *conf = handler->conf; +@@ -1983,8 +2069,18 @@ int __lxc_start(const char *name, struct lxc_handler *handler, + handler->data = data; + handler->daemonize = daemonize; + ++ /* isulad: add start timeout limit */ ++ if (start_timeout > 0) { ++ ret = create_start_timeout_thread(conf, start_timeout); ++ if (ret) { ++ ERROR("Failed to create start timeout thread for container \"%s\".", name); ++ goto out_fini_nonet; ++ } ++ } ++ + if (!attach_block_device(handler->conf)) { + ERROR("Failed to attach block device"); ++ ret = -1; + goto out_fini_nonet; + } + +@@ -2114,14 +2210,14 @@ static struct lxc_operations start_ops = { + }; + + int lxc_start(const char *name, char *const argv[], struct lxc_handler *handler, +- const char *lxcpath, bool daemonize, int *error_num) ++ const char *lxcpath, bool daemonize, int *error_num, unsigned int start_timeout) + { + struct start_args start_arg = { + .argv = argv, + }; + + TRACE("Doing lxc_start"); +- return __lxc_start(name, handler, &start_ops, &start_arg, lxcpath, daemonize, error_num); ++ return __lxc_start(name, handler, &start_ops, &start_arg, lxcpath, daemonize, error_num, start_timeout); + } + + static void lxc_destroy_container_on_signal(struct lxc_handler *handler, +diff --git a/src/lxc/start.h b/src/lxc/start.h +index f59bf54..a96f2ae 100644 +--- a/src/lxc/start.h ++++ b/src/lxc/start.h +@@ -174,9 +174,9 @@ extern void lxc_fini(const char *name, struct lxc_handler *handler); + */ + extern int lxc_check_inherited(struct lxc_conf *conf, bool closeall, + int *fds_to_ignore, size_t len_fds); +-extern int __lxc_start(const char *, struct lxc_handler *, +- struct lxc_operations *, void *, const char *, bool, +- int *); ++extern int __lxc_start(const char *name, struct lxc_handler *handler, ++ struct lxc_operations* ops, void *data, const char *lxcpath, ++ bool daemonize, int *error_num, unsigned int start_timeout); + + extern int resolve_clone_flags(struct lxc_handler *handler); + +diff --git a/src/lxc/tools/arguments.h b/src/lxc/tools/arguments.h +index 047e9f1..afab9f5 100644 +--- a/src/lxc/tools/arguments.h ++++ b/src/lxc/tools/arguments.h +@@ -65,6 +65,7 @@ struct lxc_arguments { + char *terminal_fifos[2]; /* isulad add, fifos used to redirct stdin/out/err */ + const char *container_info; /* isulad: file used to store pid and ppid info of container */ + const char *exit_monitor_fifo; /* isulad: fifo used to monitor state of monitor process */ ++ unsigned int start_timeout; /* isulad: Seconds for waiting on a container to start before it is killed*/ + + /* for lxc-console */ + unsigned int ttynum; +@@ -180,6 +181,7 @@ struct lxc_arguments { + #define OPT_OUTPUT_FIFO OPT_USAGE - 8 + #define OPT_CONTAINER_INFO OPT_USAGE - 9 + #define OPT_EXIT_FIFO OPT_USAGE - 10 ++#define OPT_START_TIMEOUT OPT_USAGE - 11 + /* isulad add end*/ + + extern int lxc_arguments_parse(struct lxc_arguments *args, int argc, +diff --git a/src/lxc/tools/lxc_start.c b/src/lxc/tools/lxc_start.c +index 60c7d70..f37f8a6 100644 +--- a/src/lxc/tools/lxc_start.c ++++ b/src/lxc/tools/lxc_start.c +@@ -40,6 +40,7 @@ + #include + #include + #include ++#include + + #include + +@@ -74,6 +75,7 @@ static const struct option my_longopts[] = { + {"out-fifo", required_argument, 0, OPT_OUTPUT_FIFO}, + {"container-pidfile", required_argument, 0, OPT_CONTAINER_INFO}, + {"exit-fifo", required_argument, 0, OPT_EXIT_FIFO}, ++ {"start-timeout", required_argument, 0, OPT_START_TIMEOUT}, + /* isulad add end */ + LXC_COMMON_OPTIONS + }; +@@ -108,6 +110,18 @@ Options :\n\ + .pidfile = NULL, + }; + ++static bool is_non_negative_num(const char *s) ++{ ++ if (!s || !strcmp(s, "")) ++ return false; ++ while(*s != '\0') { ++ if(!isdigit(*s)) ++ return false; ++ ++s; ++ } ++ return true; ++} ++ + static int my_parser(struct lxc_arguments *args, int c, char *arg) + { + switch (c) { +@@ -158,6 +172,13 @@ static int my_parser(struct lxc_arguments *args, int c, char *arg) + case OPT_EXIT_FIFO: + args->exit_monitor_fifo = arg; + break; ++ case OPT_START_TIMEOUT: ++ if(!is_non_negative_num(arg)) { ++ fprintf(stderr, "Error start timeout parameter:%s.\n", arg); ++ return -1; ++ } ++ args->start_timeout = (unsigned int)atoi(arg); ++ break; + } + return 0; + } +@@ -341,6 +362,11 @@ int main(int argc, char *argv[]) + c->exit_fifo = strdup(my_args.exit_monitor_fifo); + } + ++ /* isulad: add start timeout */ ++ if(my_args.start_timeout) { ++ c->set_start_timeout(c, my_args.start_timeout); ++ } ++ + if (my_args.console) + if (!c->set_config_item(c, "lxc.console.path", my_args.console)) + goto out; +-- +1.8.3.1 + diff --git a/0030-support-block-device-as-rootfs.patch b/0030-support-block-device-as-rootfs.patch new file mode 100644 index 0000000..4f2f3b4 --- /dev/null +++ b/0030-support-block-device-as-rootfs.patch @@ -0,0 +1,287 @@ +From 3d30577047030ebf63101324509f1d1ecfb837b8 Mon Sep 17 00:00:00 2001 +From: tanyifeng +Date: Tue, 15 Jan 2019 16:00:30 +0800 +Subject: [PATCH 030/122] support block device as rootfs + +Signed-off-by: LiFeng +--- + src/lxc/Makefile.am | 1 + + src/lxc/conf.c | 10 ++--- + src/lxc/storage/block.c | 86 +++++++++++++++++++++++++++++++++++++++++ + src/lxc/storage/block.h | 41 ++++++++++++++++++++ + src/lxc/storage/dir.c | 10 +---- + src/lxc/storage/storage.c | 18 +++++++++ + src/lxc/storage/storage_utils.c | 2 +- + 7 files changed, 153 insertions(+), 15 deletions(-) + create mode 100644 src/lxc/storage/block.c + create mode 100644 src/lxc/storage/block.h + +diff --git a/src/lxc/Makefile.am b/src/lxc/Makefile.am +index 5678b8d..260a7eb 100644 +--- a/src/lxc/Makefile.am ++++ b/src/lxc/Makefile.am +@@ -130,6 +130,7 @@ liblxc_la_SOURCES = af_unix.c af_unix.h \ + start.c start.h \ + storage/btrfs.c storage/btrfs.h \ + storage/dir.c storage/dir.h \ ++ storage/block.c storage/block.h \ + storage/loop.c storage/loop.h \ + storage/lvm.c storage/lvm.h \ + storage/nbd.c storage/nbd.h \ +diff --git a/src/lxc/conf.c b/src/lxc/conf.c +index 439353b..88763ee 100644 +--- a/src/lxc/conf.c ++++ b/src/lxc/conf.c +@@ -3865,13 +3865,10 @@ static int setup_populate_devs(const struct lxc_rootfs *rootfs, struct lxc_list + // isulad: setup rootfs mountopts + static int setup_rootfs_mountopts(const struct lxc_rootfs *rootfs) + { +- unsigned long mntflags, pflags; ++ unsigned long mflags, mntflags, pflags; + char *mntdata; + +- // only remount / when container shares rootfs with host. +- if(!rootfs || !rootfs->path || strcmp(rootfs->path, "/")) +- return 0; +- if (!rootfs->options) ++ if(!rootfs || !rootfs->options) + return 0; + + if (parse_mntopts(rootfs->options, &mntflags, &pflags, &mntdata) < 0) { +@@ -3881,8 +3878,9 @@ static int setup_rootfs_mountopts(const struct lxc_rootfs *rootfs) + free(mntdata); + + if (mntflags & MS_RDONLY) { ++ mflags = add_required_remount_flags("/", NULL, MS_BIND | MS_REC | mntflags | pflags | MS_REMOUNT); + DEBUG("remounting / as readonly"); +- if (mount("/", "/", NULL, MS_BIND |MS_REMOUNT| MS_RDONLY, 0)) { ++ if (mount("/", "/", NULL, MS_BIND | MS_REMOUNT | MS_RDONLY, 0) < 0) { + SYSERROR("Failed to make / readonly."); + return -1; + } +diff --git a/src/lxc/storage/block.c b/src/lxc/storage/block.c +new file mode 100644 +index 0000000..eb75e70 +--- /dev/null ++++ b/src/lxc/storage/block.c +@@ -0,0 +1,86 @@ ++/* ++ * lxc: linux Container library ++ * ++ * (C) Copyright IBM Corp. 2007, 2008 ++ * ++ * Authors: ++ * Daniel Lezcano ++ * ++ * This library is free software; you can redistribute it and/or ++ * modify it under the terms of the GNU Lesser General Public ++ * License as published by the Free Software Foundation; either ++ * version 2.1 of the License, or (at your option) any later version. ++ * ++ * This library is distributed in the hope that it will be useful, ++ * but WITHOUT ANY WARRANTY; without even the implied warranty of ++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU ++ * Lesser General Public License for more details. ++ * ++ * You should have received a copy of the GNU Lesser General Public ++ * License along with this library; if not, write to the Free Software ++ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA ++ */ ++ ++#ifndef _GNU_SOURCE ++#define _GNU_SOURCE 1 ++#endif ++#include ++#include ++ ++#include "config.h" ++#include "log.h" ++#include "storage.h" ++#include "storage_utils.h" ++#include "utils.h" ++ ++lxc_log_define(blk, lxc); ++ ++int blk_destroy(struct lxc_storage *orig) ++{ ++ return 0; ++} ++ ++bool blk_detect(const char *path) ++{ ++ struct stat statbuf; ++ int ret; ++ ++ if (!strncmp(path, "blk:", 4)) ++ return true; ++ ++ ret = stat(path, &statbuf); ++ if (ret == -1 && errno == EPERM) { ++ SYSERROR("blk_detect: failed to look at \"%s\"", path); ++ return false; ++ } ++ ++ if (ret == 0 && S_ISBLK(statbuf.st_mode)) ++ return true; ++ ++ return false; ++} ++ ++int blk_mount(struct lxc_storage *bdev) ++{ ++ const char *src; ++ if (strcmp(bdev->type, "blk")) ++ return -22; ++ ++ if (!bdev->src || !bdev->dest) ++ return -22; ++ ++ src = lxc_storage_get_path(bdev->src, bdev->type); ++ ++ return mount_unknown_fs(src, bdev->dest, bdev->mntopts); ++} ++ ++int blk_umount(struct lxc_storage *bdev) ++{ ++ if (strcmp(bdev->type, "blk")) ++ return -22; ++ ++ if (!bdev->src || !bdev->dest) ++ return -22; ++ ++ return umount(bdev->dest); ++} +diff --git a/src/lxc/storage/block.h b/src/lxc/storage/block.h +new file mode 100644 +index 0000000..2fa7565 +--- /dev/null ++++ b/src/lxc/storage/block.h +@@ -0,0 +1,41 @@ ++/* ++ * lxc: linux Container library ++ * ++ * (C) Copyright IBM Corp. 2007, 2008 ++ * ++ * Authors: ++ * Daniel Lezcano ++ * ++ * This library is free software; you can redistribute it and/or ++ * modify it under the terms of the GNU Lesser General Public ++ * License as published by the Free Software Foundation; either ++ * version 2.1 of the License, or (at your option) any later version. ++ * ++ * This library is distributed in the hope that it will be useful, ++ * but WITHOUT ANY WARRANTY; without even the implied warranty of ++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU ++ * Lesser General Public License for more details. ++ * ++ * You should have received a copy of the GNU Lesser General Public ++ * License along with this library; if not, write to the Free Software ++ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA ++ */ ++ ++#ifndef __LXC_BLK_H ++#define __LXC_BLK_H ++ ++#include ++#include ++ ++struct lxc_storage; ++ ++struct bdev_specs; ++ ++struct lxc_conf; ++ ++extern int blk_destroy(struct lxc_storage *orig); ++extern bool blk_detect(const char *path); ++extern int blk_mount(struct lxc_storage *bdev); ++extern int blk_umount(struct lxc_storage *bdev); ++ ++#endif /* __LXC_BLK_H */ +diff --git a/src/lxc/storage/dir.c b/src/lxc/storage/dir.c +index deeecec..2b548d0 100644 +--- a/src/lxc/storage/dir.c ++++ b/src/lxc/storage/dir.c +@@ -150,7 +150,7 @@ bool dir_detect(const char *path) + int dir_mount(struct lxc_storage *bdev) + { + int ret; +- unsigned long mflags = 0, mntflags = 0, pflags = 0; ++ unsigned long mntflags = 0, pflags = 0; + char *mntdata; + const char *src; + +@@ -169,13 +169,7 @@ int dir_mount(struct lxc_storage *bdev) + + src = lxc_storage_get_path(bdev->src, bdev->type); + +- ret = mount(src, bdev->dest, "bind", MS_BIND | MS_REC | mntflags | pflags, mntdata); +- if ((0 == ret) && (mntflags & MS_RDONLY)) { +- DEBUG("Remounting \"%s\" on \"%s\" readonly", +- src ? src : "(none)", bdev->dest ? bdev->dest : "(none)"); +- mflags = add_required_remount_flags(src, bdev->dest, MS_BIND | MS_REC | mntflags | pflags | MS_REMOUNT); +- ret = mount(src, bdev->dest, "bind", mflags, mntdata); +- } ++ ret = mount(src, bdev->dest, "bind", MS_BIND | MS_REC | (mntflags & ~MS_RDONLY) | pflags, mntdata); + + if (ret < 0) { + SYSERROR("Failed to mount \"%s\" on \"%s\"", src, bdev->dest); +diff --git a/src/lxc/storage/storage.c b/src/lxc/storage/storage.c +index c4f4c2e..18f754a 100644 +--- a/src/lxc/storage/storage.c ++++ b/src/lxc/storage/storage.c +@@ -61,6 +61,7 @@ + #include "storage_utils.h" + #include "utils.h" + #include "zfs.h" ++#include "block.h" + + #ifndef HAVE_STRLCPY + #include "include/strlcpy.h" +@@ -114,6 +115,21 @@ static const struct lxc_storage_ops loop_ops = { + .can_backup = true, + }; + ++/* block */ ++static const struct lxc_storage_ops blk_ops = { ++ .detect = &blk_detect, ++ .mount = &blk_mount, ++ .umount = &blk_umount, ++ .clone_paths = NULL, ++ .destroy = &blk_destroy, ++ .create = NULL, ++ .copy = NULL, ++ .snapshot = NULL, ++ .can_snapshot = false, ++ .can_backup = true, ++}; ++ ++ + /* lvm */ + static const struct lxc_storage_ops lvm_ops = { + .detect = &lvm_detect, +@@ -199,6 +215,8 @@ static const struct lxc_storage_type bdevs[] = { + { .name = "overlayfs", .ops = &ovl_ops, }, + { .name = "loop", .ops = &loop_ops, }, + { .name = "nbd", .ops = &nbd_ops, }, ++ //isulad: block device ++ { .name = "blk", .ops = &blk_ops, } + }; + + static const size_t numbdevs = sizeof(bdevs) / sizeof(struct lxc_storage_type); +diff --git a/src/lxc/storage/storage_utils.c b/src/lxc/storage/storage_utils.c +index 46e08a3..b4dcb57 100644 +--- a/src/lxc/storage/storage_utils.c ++++ b/src/lxc/storage/storage_utils.c +@@ -416,7 +416,7 @@ int find_fstype_cb(char *buffer, void *data) + return 0; + } + +- if (mount(cbarg->rootfs, cbarg->target, fstype, mntflags, mntdata)) { ++ if (mount(cbarg->rootfs, cbarg->target, fstype, (mntflags & ~MS_RDONLY), mntdata)) { + SYSDEBUG("Failed to mount"); + free(mntdata); + return 0; +-- +1.8.3.1 + diff --git a/0031-clean-add-clean-resources-api.patch b/0031-clean-add-clean-resources-api.patch new file mode 100644 index 0000000..755910f --- /dev/null +++ b/0031-clean-add-clean-resources-api.patch @@ -0,0 +1,488 @@ +From 37d787b93122a6b61d99a3d71f6101f405031a95 Mon Sep 17 00:00:00 2001 +From: LiFeng +Date: Tue, 15 Jan 2019 04:20:57 -0500 +Subject: [PATCH 031/122] clean: add clean resources api + +Signed-off-by: LiFeng +--- + src/lxc/cgroups/cgfsng.c | 124 +++++++++++++++++------------------------ + src/lxc/cgroups/cgroup.c | 2 +- + src/lxc/cgroups/cgroup.h | 4 +- + src/lxc/lxccontainer.c | 18 ++++++ + src/lxc/lxccontainer.h | 10 ++++ + src/lxc/start.c | 141 +++++++++++++++++++++++++++++++++++++++++++++++ + src/lxc/start.h | 4 ++ + 7 files changed, 228 insertions(+), 75 deletions(-) + +diff --git a/src/lxc/cgroups/cgfsng.c b/src/lxc/cgroups/cgfsng.c +index 7f2a200..8b913a6 100644 +--- a/src/lxc/cgroups/cgfsng.c ++++ b/src/lxc/cgroups/cgfsng.c +@@ -1050,12 +1050,15 @@ static int cgroup_rmdir(struct hierarchy **hierarchies, + int ret; + struct hierarchy *h = hierarchies[i]; + +- if (!h->container_full_path) +- continue; ++ if (!h->container_full_path) { ++ h->container_full_path = must_make_path(h->mountpoint, h->container_base_path, container_cgroup, NULL); ++ } + + ret = recursive_destroy(h->container_full_path); +- if (ret < 0) +- WARN("Failed to destroy \"%s\"", h->container_full_path); ++ if (ret < 0) { ++ ERROR("Failed to destroy \"%s\"", h->container_full_path); ++ return -1; ++ } + + free(h->container_full_path); + h->container_full_path = NULL; +@@ -1102,7 +1105,8 @@ static int cgroup_rmdir_wrapper(void *data) + return cgroup_rmdir(arg->hierarchies, arg->container_cgroup); + } + +-__cgfsng_ops static void cgfsng_payload_destroy(struct cgroup_ops *ops, ++/* isulad: fix return bool instead of void*/ ++__cgfsng_ops static bool cgfsng_payload_destroy(struct cgroup_ops *ops, + struct lxc_handler *handler) + { + int ret; +@@ -1113,6 +1117,8 @@ __cgfsng_ops static void cgfsng_payload_destroy(struct cgroup_ops *ops, + wrap.hierarchies = ops->hierarchies; + wrap.conf = handler->conf; + ++ INFO("cgfsng_payload_destroy.%p, %s", ops->hierarchies, ops->container_cgroup); ++ + if (handler->conf && !lxc_list_empty(&handler->conf->id_map)) + ret = userns_exec_1(handler->conf, cgroup_rmdir_wrapper, &wrap, + "cgroup_rmdir_wrapper"); +@@ -1120,8 +1126,10 @@ __cgfsng_ops static void cgfsng_payload_destroy(struct cgroup_ops *ops, + ret = cgroup_rmdir(ops->hierarchies, ops->container_cgroup); + if (ret < 0) { + WARN("Failed to destroy cgroups"); +- return; ++ return false; + } ++ ++ return true; + } + + static bool cg_unified_create_cgroup(struct hierarchy *h, char *cgname) +@@ -1232,12 +1240,20 @@ static bool create_path_for_hierarchy(struct hierarchy *h, char *cgname) + { + int ret; + ++ h->container_full_path = must_make_path(h->mountpoint, h->container_base_path, cgname, NULL); ++ ++ if (file_exists(h->container_full_path)) { // it must not already exist ++ ERROR("Cgroup path \"%s\" already exist.", h->container_full_path); ++ //lxc_write_error_message(errfd, "%s:%d: Cgroup path \"%s\" already exist.", ++ // __FILE__, __LINE__, h->fullcgpath); ++ return false; ++ } ++ + if (!cg_legacy_handle_cpuset_hierarchy(h, cgname)) { + ERROR("Failed to handle legacy cpuset controller"); + return false; + } + +- h->container_full_path = must_make_path(h->mountpoint, h->container_base_path, cgname, NULL); + ret = mkdir_eexist_on_last(h->container_full_path, 0755); + if (ret < 0) { + ERROR("Failed to create cgroup \"%s\"", h->container_full_path); +@@ -1259,83 +1275,26 @@ static void remove_path_for_hierarchy(struct hierarchy *h, char *cgname) + h->container_full_path = NULL; + } + +-/* Try to create the same cgroup in all hierarchies. Start with cgroup_pattern; +- * next cgroup_pattern-1, -2, ..., -999. +- */ ++/* isulad: create hierarchies path, if fail, return the error */ + __cgfsng_ops static bool cgfsng_payload_create(struct cgroup_ops *ops, + struct lxc_handler *handler) + { + int i; +- size_t len; +- char *container_cgroup, *offset, *tmp; +- int idx = 0; +- struct lxc_conf *conf = handler->conf; +- +- if (ops->container_cgroup) { +- WARN("cgfsng_create called a second time: %s", ops->container_cgroup); +- return false; +- } ++ char *container_cgroup = ops->container_cgroup; + +- if (!conf) +- return false; +- +- if (conf->cgroup_meta.dir) +- tmp = lxc_string_join("/", (const char *[]){conf->cgroup_meta.dir, handler->name, NULL}, false); +- else +- tmp = lxc_string_replace("%n", handler->name, ops->cgroup_pattern); +- if (!tmp) { +- ERROR("Failed expanding cgroup name pattern"); ++ if (!container_cgroup) { ++ ERROR("cgfsng_create container_cgroup is invalid"); + return false; + } + +- len = strlen(tmp) + 5; /* leave room for -NNN\0 */ +- container_cgroup = must_realloc(NULL, len); +- (void)strlcpy(container_cgroup, tmp, len); +- free(tmp); +- offset = container_cgroup + len - 5; +- +-again: +- if (idx == 1000) { +- ERROR("Too many conflicting cgroup names"); +- goto out_free; +- } +- +- if (idx) { +- int ret; +- +- ret = snprintf(offset, 5, "-%d", idx); +- if (ret < 0 || (size_t)ret >= 5) { +- FILE *f = fopen("/dev/null", "w"); +- if (f) { +- fprintf(f, "Workaround for GCC7 bug: " +- "https://gcc.gnu.org/bugzilla/" +- "show_bug.cgi?id=78969"); +- fclose(f); +- } +- } +- } +- + for (i = 0; ops->hierarchies[i]; i++) { + if (!create_path_for_hierarchy(ops->hierarchies[i], container_cgroup)) { +- int j; +- ERROR("Failed to create cgroup \"%s\"", ops->hierarchies[i]->container_full_path); +- free(ops->hierarchies[i]->container_full_path); +- ops->hierarchies[i]->container_full_path = NULL; +- for (j = 0; j < i; j++) +- remove_path_for_hierarchy(ops->hierarchies[j], container_cgroup); +- idx++; +- goto again; ++ SYSERROR("Failed to create %s", ops->hierarchies[i]->container_full_path); ++ return false; + } + } + +- ops->container_cgroup = container_cgroup; +- + return true; +- +-out_free: +- free(container_cgroup); +- +- return false; + } + + __cgfsng_ops static bool cgfsng_payload_enter(struct cgroup_ops *ops, pid_t pid) +@@ -2701,9 +2660,15 @@ static bool cg_init(struct cgroup_ops *ops) + return cg_hybrid_init(ops); + } + +-__cgfsng_ops static bool cgfsng_data_init(struct cgroup_ops *ops) ++__cgfsng_ops static bool cgfsng_data_init(struct cgroup_ops *ops, struct lxc_handler *handler) + { + const char *cgroup_pattern; ++ char *container_cgroup, *tmp; ++ struct lxc_conf *conf = handler->conf; ++ size_t len; ++ ++ if (!conf) ++ return false; + + /* copy system-wide cgroup information */ + cgroup_pattern = lxc_global_config_value("lxc.cgroup.pattern"); +@@ -2714,6 +2679,22 @@ __cgfsng_ops static bool cgfsng_data_init(struct cgroup_ops *ops) + } + ops->cgroup_pattern = must_copy_string(cgroup_pattern); + ++ /* isulad: init ops->container_cgroup here instead of in cgfsng_payload_create*/ ++ if (conf->cgroup_meta.dir) ++ tmp = lxc_string_join("/", (const char *[]){conf->cgroup_meta.dir, handler->name, NULL}, false); ++ else ++ tmp = lxc_string_replace("%n", handler->name, ops->cgroup_pattern); ++ if (!tmp) { ++ ERROR("Failed expanding cgroup name pattern"); ++ return false; ++ } ++ ++ len = strlen(tmp) + 1; ++ container_cgroup = must_realloc(NULL, len); ++ (void)strlcpy(container_cgroup, tmp, len); ++ free(tmp); ++ ops->container_cgroup = container_cgroup; ++ + return true; + } + +@@ -2735,7 +2716,6 @@ struct cgroup_ops *cgfsng_ops_init(void) + + cgfsng_ops->data_init = cgfsng_data_init; + cgfsng_ops->destroy = cgfsng_payload_destroy; +- cgfsng_ops->destroy = cgfsng_payload_destroy; + cgfsng_ops->payload_create = cgfsng_payload_create; + cgfsng_ops->payload_enter = cgfsng_payload_enter; + cgfsng_ops->escape = cgfsng_escape; +diff --git a/src/lxc/cgroups/cgroup.c b/src/lxc/cgroups/cgroup.c +index 04e0311..8e7aef9 100644 +--- a/src/lxc/cgroups/cgroup.c ++++ b/src/lxc/cgroups/cgroup.c +@@ -50,7 +50,7 @@ struct cgroup_ops *cgroup_init(struct lxc_handler *handler) + return NULL; + } + +- if (!cgroup_ops->data_init(cgroup_ops)) ++ if (!cgroup_ops->data_init(cgroup_ops, handler)) + return NULL; + + TRACE("Initialized cgroup driver %s", cgroup_ops->driver); +diff --git a/src/lxc/cgroups/cgroup.h b/src/lxc/cgroups/cgroup.h +index ba4c153..fa4871e 100644 +--- a/src/lxc/cgroups/cgroup.h ++++ b/src/lxc/cgroups/cgroup.h +@@ -123,8 +123,8 @@ struct cgroup_ops { + */ + cgroup_layout_t cgroup_layout; + +- bool (*data_init)(struct cgroup_ops *ops); +- void (*destroy)(struct cgroup_ops *ops, struct lxc_handler *handler); ++ bool (*data_init)(struct cgroup_ops *ops, struct lxc_handler *handler); ++ bool (*destroy)(struct cgroup_ops *ops, struct lxc_handler *handler); + bool (*payload_create)(struct cgroup_ops *ops, struct lxc_handler *handler); + bool (*payload_enter)(struct cgroup_ops *ops, pid_t pid); + const char *(*get_cgroup)(struct cgroup_ops *ops, const char *controller); +diff --git a/src/lxc/lxccontainer.c b/src/lxc/lxccontainer.c +index beae459..38059fa 100644 +--- a/src/lxc/lxccontainer.c ++++ b/src/lxc/lxccontainer.c +@@ -5116,6 +5116,23 @@ static bool do_lxcapi_set_start_timeout(struct lxc_container *c, unsigned int s + + WRAP_API_1(bool, lxcapi_set_start_timeout, unsigned int) + ++/* isulad add clean resources */ ++static bool do_lxcapi_clean_container_resource(struct lxc_container *c, pid_t pid) ++{ ++ int ret; ++ ++ if (!c) ++ return false; ++ ++ ret = do_lxcapi_clean_resource(c->name, c->config_path, c->lxc_conf, pid); ++ if (ret) ++ ERROR("Failed to clean container %s resource", c->name); ++ return ret == 0; ++ ++} ++ ++WRAP_API_1(bool, lxcapi_clean_container_resource, pid_t) ++ + struct lxc_container *lxc_container_new(const char *name, const char *configpath) + { + struct lxc_container *c; +@@ -5248,6 +5265,7 @@ struct lxc_container *lxc_container_new(const char *name, const char *configpath + c->set_terminal_init_fifos = lxcapi_set_terminal_default_fifos; + c->set_container_info_file = lxcapi_set_container_info_file; + c->set_start_timeout = lxcapi_set_start_timeout; ++ c->clean_container_resource = lxcapi_clean_container_resource; + /* isulad add end */ + return c; + +diff --git a/src/lxc/lxccontainer.h b/src/lxc/lxccontainer.h +index 77de704..679ca42 100644 +--- a/src/lxc/lxccontainer.h ++++ b/src/lxc/lxccontainer.h +@@ -896,6 +896,16 @@ struct lxc_container { + * \return \c true on success, else \c false. + */ + bool (*set_start_timeout)(struct lxc_container *c, unsigned int start_timeout); ++ ++ /*! isulad add ++ * \brief An API call to clean resources of container ++ * ++ * \param c Container. ++ * \param pid Value of container process. ++ * ++ * \return \c true on success, else \c false. ++ */ ++ bool (*clean_container_resource) (struct lxc_container *c, pid_t pid); + }; + + /*! +diff --git a/src/lxc/start.c b/src/lxc/start.c +index f7be9e4..08d753a 100644 +--- a/src/lxc/start.c ++++ b/src/lxc/start.c +@@ -1895,6 +1895,11 @@ static int lxc_spawn(struct lxc_handler *handler) + if (ret < 0) + SYSERROR("Failed to set environment variable: LXC_PID=%s", pidstr); + ++ if (handler->cgroup_ops->container_cgroup) { ++ if (setenv("LXC_CGROUP_PATH", handler->cgroup_ops->container_cgroup, 1)) ++ SYSERROR("Failed to set environment variable: LXC_CGROUP_PATH=%s.", handler->cgroup_ops->container_cgroup); ++ } ++ + /* Run any host-side start hooks */ + ret = run_lxc_hooks(name, "start-host", conf, NULL); + if (ret < 0) { +@@ -2289,3 +2294,139 @@ static bool do_destroy_container(struct lxc_handler *handler) + + return storage_destroy(handler->conf); + } ++ ++/*isulad: init handler for clean */ ++static struct lxc_handler *lxc_init_clean_handler(char *name, char *lxcpath, struct lxc_conf *conf, pid_t pid) ++{ ++ int i; ++ struct lxc_handler *handler; ++ ++ handler = malloc(sizeof(*handler)); ++ if (!handler) ++ return NULL; ++ ++ memset(handler, 0, sizeof(*handler)); ++ ++ /* Note that am_guest_unpriv() checks the effective uid. We ++ * probably don't care if we are real root only if we are running ++ * as root so this should be fine. ++ */ ++ handler->am_root = !am_guest_unpriv(); ++ handler->data_sock[0] = handler->data_sock[1] = -1; ++ handler->conf = conf; ++ handler->lxcpath = lxcpath; ++ handler->pinfd = -1; ++ handler->sigfd = -EBADF; ++ handler->init_died = false; ++ handler->pid = pid; ++ handler->state_socket_pair[0] = handler->state_socket_pair[1] = -1; ++ if (handler->conf->reboot == REBOOT_NONE) ++ lxc_list_init(&handler->conf->state_clients); ++ ++ for (i = 0; i < LXC_NS_MAX; i++) ++ handler->nsfd[i] = -1; ++ ++ handler->name = name; ++ handler->exit_code = -1; /* isulad: record exit code of container */ ++ ++ handler->cgroup_ops = cgroup_init(handler); ++ if (!handler->cgroup_ops) { ++ ERROR("Failed to initialize cgroup driver"); ++ goto on_error; ++ } ++ ++ INFO("Container \"%s\" 's clean handler is initialized.", name); ++ ++ return handler; ++ ++on_error: ++ lxc_free_handler(handler); ++ ++ return NULL; ++} ++ ++/*isulad: set env for clean resources */ ++static void clean_resource_set_env(struct lxc_handler *handler) ++{ ++ const char *name = handler->name; ++ struct lxc_conf *conf = handler->conf; ++ char pidstr[20]; ++ ++ /* Start of environment variable setup for hooks. */ ++ if (name && setenv("LXC_NAME", name, 1)) ++ SYSERROR("Failed to set environment variable: LXC_NAME=%s.", name); ++ ++ if (conf->rcfile && setenv("LXC_CONFIG_FILE", conf->rcfile, 1)) ++ SYSERROR("Failed to set environment variable: LXC_CONFIG_FILE=%s.", conf->rcfile); ++ ++ if (conf->rootfs.mount && setenv("LXC_ROOTFS_MOUNT", conf->rootfs.mount, 1)) ++ SYSERROR("Failed to set environment variable: LXC_ROOTFS_MOUNT=%s.", conf->rootfs.mount); ++ ++ if (conf->rootfs.path && setenv("LXC_ROOTFS_PATH", conf->rootfs.path, 1)) ++ SYSERROR("Failed to set environment variable: LXC_ROOTFS_PATH=%s.", conf->rootfs.path); ++ ++ if (conf->console.path && setenv("LXC_CONSOLE", conf->console.path, 1)) ++ SYSERROR("Failed to set environment variable: LXC_CONSOLE=%s.", conf->console.path); ++ ++ if (conf->console.log_path && setenv("LXC_CONSOLE_LOGPATH", conf->console.log_path, 1)) ++ SYSERROR("Failed to set environment variable: LXC_CONSOLE_LOGPATH=%s.", conf->console.log_path); ++ ++ if (setenv("LXC_CGNS_AWARE", "1", 1)) ++ SYSERROR("Failed to set environment variable LXC_CGNS_AWARE=1."); ++ ++ ++ snprintf(pidstr, 20, "%d", handler->pid); ++ if (setenv("LXC_PID", pidstr, 1)) ++ SYSERROR("Failed to set environment variable: LXC_PID=%s.", pidstr); ++ ++ if (handler->cgroup_ops->container_cgroup) { ++ if (setenv("LXC_CGROUP_PATH", handler->cgroup_ops->container_cgroup, 1)) ++ SYSERROR("Failed to set environment variable: LXC_CGROUP_PATH=%s.", handler->cgroup_ops->container_cgroup); ++ } ++ /* End of environment variable setup for hooks. */ ++} ++ ++/*isulad: do_lxcapi_clean_resource */ ++int do_lxcapi_clean_resource(char *name, char *lxcpath, struct lxc_conf *conf, pid_t pid) ++{ ++ int ret = 0; ++ struct lxc_handler *handler = NULL; ++ int retry_count = 0; ++ int max_retry = 10; ++ ++ handler = lxc_init_clean_handler(name, lxcpath, conf, pid); ++ if (!handler) { ++ ERROR("Failed to init container %s clean handler", name); ++ ret = -1; ++ goto out; ++ } ++ ++ clean_resource_set_env(handler); ++ ++ char* oci_hook_args[1]; ++ oci_hook_args[0] = alloca(strlen(handler->lxcpath) + 1); ++ (void)strlcpy(oci_hook_args[0], handler->lxcpath, strlen(handler->lxcpath)); ++ ++ if (run_lxc_hooks(handler->name, "oci-poststop", handler->conf, oci_hook_args)) { ++ ERROR("Failed to run lxc.hook.post-stop for container \"%s\".", handler->name); ++ ret = -1; ++ } ++ ++retry: ++ if (!handler->cgroup_ops->destroy(handler->cgroup_ops, handler)) { ++ if (retry_count < max_retry) { ++ usleep(100 * 1000); /* 100 millisecond */ ++ retry_count++; ++ goto retry; ++ } ++ ERROR("Failed to destroy cgroup for container \"%s\".", handler->name); ++ ret = -1; ++ } ++ ++ ++out_fini_handler: ++ lxc_free_handler(handler); ++out: ++ return ret; ++} ++ +diff --git a/src/lxc/start.h b/src/lxc/start.h +index a96f2ae..1d84325 100644 +--- a/src/lxc/start.h ++++ b/src/lxc/start.h +@@ -180,4 +180,8 @@ extern int __lxc_start(const char *name, struct lxc_handler *handler, + + extern int resolve_clone_flags(struct lxc_handler *handler); + ++/*isulad: do_lxcapi_clean_resource */ ++extern int do_lxcapi_clean_resource(char *name, char *lxcpath, struct lxc_conf *conf, pid_t pid); ++ ++ + #endif +-- +1.8.3.1 + diff --git a/0032-Drop-all-caps-when-cap.keep-ISULAD_KEEP_NONE.patch b/0032-Drop-all-caps-when-cap.keep-ISULAD_KEEP_NONE.patch new file mode 100644 index 0000000..a93a188 --- /dev/null +++ b/0032-Drop-all-caps-when-cap.keep-ISULAD_KEEP_NONE.patch @@ -0,0 +1,33 @@ +From 37c5a4630e798ff4a24f1336560c41b2b8fec01b Mon Sep 17 00:00:00 2001 +From: LiFeng +Date: Tue, 15 Jan 2019 05:39:39 -0500 +Subject: [PATCH 032/122] Drop all caps when cap.keep=ISULAD_KEEP_NONE + +Signed-off-by: LiFeng +--- + src/lxc/conf.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +diff --git a/src/lxc/conf.c b/src/lxc/conf.c +index 88763ee..54b967b 100644 +--- a/src/lxc/conf.c ++++ b/src/lxc/conf.c +@@ -2805,6 +2805,15 @@ static int dropcaps_except(struct lxc_list *caps) + lxc_list_for_each (iterator, caps) { + keep_entry = iterator->elem; + ++ /* isulad: Do not keep any cap*/ ++ if (strcmp(keep_entry, "ISULAD_KEEP_NONE") == 0) { ++ DEBUG("Do not keep any capability"); ++ for(i = 0; i < numcaps; i++) { ++ caplist[i] = 0; ++ } ++ break; ++ } ++ + capid = parse_cap(keep_entry); + if (capid == -2) + continue; +-- +1.8.3.1 + diff --git a/0033-support-mount-squashfs-in-mount-entry.patch b/0033-support-mount-squashfs-in-mount-entry.patch new file mode 100644 index 0000000..5354551 --- /dev/null +++ b/0033-support-mount-squashfs-in-mount-entry.patch @@ -0,0 +1,369 @@ +From e7f83b7c8b21942051e86e094d867cc79ff93524 Mon Sep 17 00:00:00 2001 +From: tanyifeng +Date: Tue, 15 Jan 2019 19:54:13 +0800 +Subject: [PATCH 033/122] support mount squashfs in mount entry + +Signed-off-by: LiFeng +--- + src/lxc/conf.c | 88 +++++++++++++++++++++++++++++++++++++++-- + src/lxc/storage/loop.c | 36 ++++++++++++++--- + src/lxc/storage/storage_utils.c | 36 ++++++++++++++++- + src/lxc/utils.c | 33 ++++++++++++++-- + src/lxc/utils.h | 1 + + 5 files changed, 181 insertions(+), 13 deletions(-) + +diff --git a/src/lxc/conf.c b/src/lxc/conf.c +index 54b967b..fea0f59 100644 +--- a/src/lxc/conf.c ++++ b/src/lxc/conf.c +@@ -78,6 +78,7 @@ + #include "storage/overlay.h" + #include "syscall_wrappers.h" + #include "terminal.h" ++#include "loop.h" + #include "path.h" + #include "utils.h" + +@@ -2444,6 +2445,82 @@ static int mount_entry_create_dir_file(const struct mntent *mntent, + return 0; + } + ++static int mount_entry_with_loop_dev(const char *src, const char *dest, const char *fstype, ++ char *mnt_opts, const char *rootfs) ++{ ++ int srcfd = -1, destfd, ret, saved_errno; ++ char srcbuf[50], destbuf[50]; // only needs enough for /proc/self/fd/ ++ const char *mntsrc = src; ++ int max_retry = 5; ++ struct lxc_storage loop; ++ ++ if (!rootfs) ++ rootfs = ""; ++ ++ /* todo - allow symlinks for relative paths if 'allowsymlinks' option is passed */ ++ if (src && src[0] != '/') { ++ INFO("this is a relative mount"); ++ srcfd = open_without_symlink(src, NULL); ++ if (srcfd < 0) ++ return srcfd; ++ ret = snprintf(srcbuf, sizeof(srcbuf), "/proc/self/fd/%d", srcfd); ++ if (ret < 0 || ret > sizeof(srcbuf)) { ++ close(srcfd); ++ ERROR("Failed to print string"); ++ return -EINVAL; ++ } ++ mntsrc = srcbuf; ++ } ++ ++ destfd = open_without_symlink(dest, rootfs); ++ if (destfd < 0) { ++ if (srcfd != -1) { ++ saved_errno = errno; ++ close(srcfd); ++ errno = saved_errno; ++ } ++ return destfd; ++ } ++ ++ ret = snprintf(destbuf, sizeof(destbuf), "/proc/self/fd/%d", destfd); ++ if (ret < 0 || ret > sizeof(destbuf)) { ++ if (srcfd != -1) ++ close(srcfd); ++ close(destfd); ++ ERROR("Out of memory"); ++ return -EINVAL; ++ } ++ ++retry: ++ loop.src = (char *)mntsrc; ++ loop.dest = destbuf; ++ loop.mntopts = mnt_opts; ++ loop.type = "loop"; ++ loop.lofd = -1; ++ ret = loop_mount(&loop); ++ if (ret < 0) { ++ /* If loop is used by other program, mount may fail. So ++ * we do retry to ensure mount ok */ ++ if (max_retry > 0) { ++ max_retry--; ++ DEBUG("mount entry with loop dev failed, retry mount." ++ "retry count left %d", max_retry); ++ goto retry; ++ } ++ } ++ if (loop.lofd != -1) ++ close(loop.lofd); ++ if (srcfd != -1) ++ close(srcfd); ++ close(destfd); ++ if (ret < 0) { ++ SYSERROR("Failed to mount %s onto %s", src, dest); ++ return ret; ++ } ++ ++ return 0; ++} ++ + /* rootfs, lxc_name, and lxc_path can be NULL when the container is created + * without a rootfs. */ + static inline int mount_entry_on_generic(struct mntent *mntent, +@@ -2502,8 +2579,14 @@ static inline int mount_entry_on_generic(struct mntent *mntent, + return -1; + } + +- ret = mount_entry(mntent->mnt_fsname, dest, mntent->mnt_type, mntflags, +- pflags, mntdata, optional, dev, relative, rootfs_path); ++ // isulad: support squashfs ++ if (strcmp(mntent->mnt_type, "squashfs") == 0) { ++ ret = mount_entry_with_loop_dev(mntent->mnt_fsname, dest, mntent->mnt_type, ++ mntent->mnt_opts, rootfs_path); ++ } else { ++ ret = mount_entry(mntent->mnt_fsname, dest, mntent->mnt_type, mntflags, ++ pflags, mntdata, optional, dev, relative, rootfs_path); ++ } + + free(mntdata); + free(rpath); +@@ -3897,7 +3980,6 @@ static int setup_rootfs_mountopts(const struct lxc_rootfs *rootfs) + return 0; + } + +- + int lxc_setup(struct lxc_handler *handler) + { + int ret; +diff --git a/src/lxc/storage/loop.c b/src/lxc/storage/loop.c +index 35cb13e..760def8 100644 +--- a/src/lxc/storage/loop.c ++++ b/src/lxc/storage/loop.c +@@ -41,6 +41,7 @@ + #include "loop.h" + #include "storage.h" + #include "storage_utils.h" ++#include "lxclock.h" + #include "utils.h" + + lxc_log_define(loop, lxc); +@@ -236,9 +237,11 @@ bool loop_detect(const char *path) + + int loop_mount(struct lxc_storage *bdev) + { +- int ret, loopfd; ++ int ret = 0; ++ int loopfd, lret; + char loname[PATH_MAX]; + const char *src; ++ struct lxc_lock *l = NULL; + + if (strcmp(bdev->type, "loop")) + return -22; +@@ -246,13 +249,29 @@ int loop_mount(struct lxc_storage *bdev) + if (!bdev->src || !bdev->dest) + return -22; + ++ /* isulad: do lock before mount, so we can avoid use loop which is used by ++ * other starting contianers */ ++ l = lxc_newlock("mount_lock", "mount_lock"); ++ if (!l) { ++ SYSERROR("create file lock error when mount fs"); ++ return -1; ++ } ++ ++ lret = lxclock(l, 0); ++ if (lret) { ++ SYSERROR("try to lock failed when mount fs"); ++ ret = -1; ++ goto out; ++ } ++ + /* skip prefix */ + src = lxc_storage_get_path(bdev->src, bdev->type); + + loopfd = lxc_prepare_loop_dev(src, loname, LO_FLAGS_AUTOCLEAR); + if (loopfd < 0) { + ERROR("Failed to prepare loop device for loop file \"%s\"", src); +- return -1; ++ ret = -1; ++ goto out; + } + DEBUG("Prepared loop device \"%s\"", loname); + +@@ -261,14 +280,21 @@ int loop_mount(struct lxc_storage *bdev) + ERROR("Failed to mount rootfs \"%s\" on \"%s\" via loop device \"%s\"", + bdev->src, bdev->dest, loname); + close(loopfd); +- return -1; ++ ret = -1; ++ goto out; + } + + bdev->lofd = loopfd; + DEBUG("Mounted rootfs \"%s\" on \"%s\" via loop device \"%s\"", + bdev->src, bdev->dest, loname); +- +- return 0; ++out: ++ lret = lxcunlock(l); ++ if (lret) { ++ SYSERROR("try to unlock failed when mount fs"); ++ ret = -1; ++ } ++ lxc_putlock(l); ++ return ret; + } + + int loop_umount(struct lxc_storage *bdev) +diff --git a/src/lxc/storage/storage_utils.c b/src/lxc/storage/storage_utils.c +index b4dcb57..0a87778 100644 +--- a/src/lxc/storage/storage_utils.c ++++ b/src/lxc/storage/storage_utils.c +@@ -339,10 +339,14 @@ int is_blktype(struct lxc_storage *b) + return 0; + } + ++// isulad: recored error ++static char **mount_errors = NULL; ++ + int mount_unknown_fs(const char *rootfs, const char *target, + const char *options) + { + size_t i; ++ char *errs = NULL; + int ret; + struct cbarg { + const char *rootfs; +@@ -371,15 +375,30 @@ int mount_unknown_fs(const char *rootfs, const char *target, + ret = lxc_file_for_each_line(fsfile[i], find_fstype_cb, &cbarg); + if (ret < 0) { + ERROR("Failed to parse \"%s\"", fsfile[i]); ++ lxc_free_array((void**)mount_errors, free); ++ mount_errors = NULL; + return -1; + } + +- if (ret) ++ if (ret) { ++ lxc_free_array((void**)mount_errors, free); ++ mount_errors = NULL; + return 0; ++ } ++ } ++ ++ if (mount_errors != NULL) { ++ errs = lxc_string_join("\n", (const char **)mount_errors, false); ++ if (errs == NULL) { ++ ERROR("failed to join mount errors"); ++ } + } + +- ERROR("Failed to determine FSType for \"%s\"", rootfs); ++ ERROR("Failed to determine FSType for \"%s\": %s", rootfs, errs ? errs : "unknown reason"); + ++ free(errs); ++ lxc_free_array((void**)mount_errors, free); ++ mount_errors = NULL; + return -1; + } + +@@ -399,6 +418,8 @@ int find_fstype_cb(char *buffer, void *data) + unsigned long mntflags, pflags; + char *mntdata; + char *fstype; ++ char mount_err[BUFSIZ] = {0}; ++ int ret; + + /* we don't try 'nodev' entries */ + if (strstr(buffer, "nodev")) +@@ -419,6 +440,17 @@ int find_fstype_cb(char *buffer, void *data) + if (mount(cbarg->rootfs, cbarg->target, fstype, (mntflags & ~MS_RDONLY), mntdata)) { + SYSDEBUG("Failed to mount"); + free(mntdata); ++ // isulad: recored error ++ ret = snprintf(mount_err, BUFSIZ, "\t\tmount %s onto %s with FSType %s failed: %s", ++ cbarg->rootfs, cbarg->target, fstype, strerror(errno)); ++ if (ret < 0 || (size_t)ret >= BUFSIZ) { ++ ERROR("failed to format output mount error"); ++ return 0; ++ } ++ ++ if (lxc_append_string(&mount_errors, mount_err) < 0) { ++ ERROR("failed to append mount error"); ++ } + return 0; + } + +diff --git a/src/lxc/utils.c b/src/lxc/utils.c +index d1a22f7..120a13d 100644 +--- a/src/lxc/utils.c ++++ b/src/lxc/utils.c +@@ -1053,7 +1053,7 @@ static int open_if_safe(int dirfd, const char *nextpath) + * + * Return an open fd for the path, or <0 on error. + */ +-static int open_without_symlink(const char *target, const char *prefix_skip) ++int open_without_symlink(const char *target, const char *prefix_skip) + { + int curlen = 0, dirfd, fulllen, i; + char *dup; +@@ -1473,6 +1473,9 @@ static int lxc_get_unused_loop_dev(char *name_loop) + { + int loop_nr, ret; + int fd_ctl = -1, fd_tmp = -1; ++ // isulad: retry and try mknod ++ int max_retry = 200; ++ bool try_mknod = true; + + fd_ctl = open("/dev/loop-control", O_RDWR | O_CLOEXEC); + if (fd_ctl < 0) { +@@ -1489,10 +1492,34 @@ static int lxc_get_unused_loop_dev(char *name_loop) + ret = snprintf(name_loop, LO_NAME_SIZE, "/dev/loop%d", loop_nr); + if (ret < 0 || ret >= LO_NAME_SIZE) + goto on_error; +- ++retry: + fd_tmp = open(name_loop, O_RDWR | O_CLOEXEC); +- if (fd_tmp < 0) ++ if (fd_tmp < 0) { ++ /* Success of LOOP_CTL_GET_FREE doesn't mean /dev/loop$i is ready, ++ * we try to make node by ourself to avoid wait. */ ++ if (try_mknod) { ++ /* Do not check result of mknod because LOOP_CTL_GET_FREE ++ * alse do mknod, so this mknod may fail as node already ++ * exist. If we can open the node without error, we can ++ * say that it's be created successfully. ++ * ++ * note: 7 is the major device number of loopback devices ++ * in kernel. ++ */ ++ mknod(name_loop, S_IFBLK | 0640, makedev(7, loop_nr)); ++ try_mknod = false; ++ goto retry; ++ } ++ /* we need to wait some time to make sure it's ready for open if ++ * it can't open even if we have already try to make node by ourself. */ ++ if (max_retry > 0) { ++ max_retry--; ++ usleep(5000); /* 5 millisecond */ ++ goto retry; ++ } + SYSERROR("Failed to open loop \"%s\"", name_loop); ++ goto on_error; ++ } + + on_error: + close(fd_ctl); +diff --git a/src/lxc/utils.h b/src/lxc/utils.h +index abc88ca..4313942 100644 +--- a/src/lxc/utils.h ++++ b/src/lxc/utils.h +@@ -224,6 +224,7 @@ extern bool cgns_supported(void); + extern char *choose_init(const char *rootfs); + extern bool switch_to_ns(pid_t pid, const char *ns); + extern char *get_template_path(const char *t); ++extern int open_without_symlink(const char *target, const char *prefix_skip); + extern int safe_mount(const char *src, const char *dest, const char *fstype, + unsigned long flags, const void *data, + const char *rootfs); +-- +1.8.3.1 + diff --git a/0034-some-small-bugfix.patch b/0034-some-small-bugfix.patch new file mode 100644 index 0000000..b3bf1b2 --- /dev/null +++ b/0034-some-small-bugfix.patch @@ -0,0 +1,155 @@ +From 8e7742314071cbb163c1fc6ab4eb96bffd6bc64a Mon Sep 17 00:00:00 2001 +From: tanyifeng +Date: Tue, 15 Jan 2019 20:39:11 +0800 +Subject: [PATCH 034/122] some small bugfix + +1. support new container without load config to save time +2. try to create workdir if not exist + +Signed-off-by: LiFeng +--- + src/lxc/attach.c | 16 ++++++++++++++++ + src/lxc/lxc.h | 5 +++++ + src/lxc/lxccontainer.c | 21 +++++++++++++++++---- + src/lxc/lxccontainer.h | 12 ++++++++++++ + src/lxc/start.c | 12 ++++++++---- + 5 files changed, 58 insertions(+), 8 deletions(-) + +diff --git a/src/lxc/attach.c b/src/lxc/attach.c +index e6e4b0d..8cbbf96 100644 +--- a/src/lxc/attach.c ++++ b/src/lxc/attach.c +@@ -806,6 +806,22 @@ static int attach_child_main(struct attach_clone_payload *payload) + TRACE("Dropped capabilities"); + } + ++ /* isulad: set workdir */ ++ if (init_ctx && init_ctx->container && init_ctx->container->lxc_conf && init_ctx->container->lxc_conf->init_cwd) { ++ char *init_cwd; ++ init_cwd = init_ctx->container->lxc_conf->init_cwd; ++ /* try to create workdir if not exist */ ++ struct stat st; ++ if (stat(init_cwd, &st) < 0 && mkdir_p(init_cwd, 0750) < 0) { ++ SYSERROR("Try to create directory \"%s\" as workdir failed when attach", init_cwd); ++ goto on_error; ++ } ++ if (chdir(init_cwd)) { ++ SYSERROR("Could not change directory to \"%s\" when attach", init_cwd); ++ goto on_error; ++ } ++ } ++ + /* Always set the environment (specify (LXC_ATTACH_KEEP_ENV, NULL, NULL) + * if you want this to be a no-op). + */ +diff --git a/src/lxc/lxc.h b/src/lxc/lxc.h +index 687b4b2..5df5080 100644 +--- a/src/lxc/lxc.h ++++ b/src/lxc/lxc.h +@@ -104,6 +104,11 @@ extern lxc_state_t lxc_state(const char *name, const char *lxcpath); + extern struct lxc_container *lxc_container_new(const char *name, const char *configpath); + + /* ++ * Create a new container without loading config. ++ */ ++extern struct lxc_container *lxc_container_without_config_new(const char *name, const char *configpath); ++ ++/* + * Returns 1 on success, 0 on failure. + */ + extern int lxc_container_get(struct lxc_container *c); +diff --git a/src/lxc/lxccontainer.c b/src/lxc/lxccontainer.c +index 38059fa..e99c41c 100644 +--- a/src/lxc/lxccontainer.c ++++ b/src/lxc/lxccontainer.c +@@ -5133,7 +5133,7 @@ static bool do_lxcapi_clean_container_resource(struct lxc_container *c, pid_t pi + + WRAP_API_1(bool, lxcapi_clean_container_resource, pid_t) + +-struct lxc_container *lxc_container_new(const char *name, const char *configpath) ++static struct lxc_container *do_lxc_container_new(const char *name, const char *configpath, bool load_config) + { + struct lxc_container *c; + size_t len; +@@ -5190,9 +5190,11 @@ struct lxc_container *lxc_container_new(const char *name, const char *configpath + goto err; + } + +- if (file_exists(c->configfile) && !lxcapi_load_config(c, NULL)) { +- fprintf(stderr, "Failed to load config for %s\n", name); +- goto err; ++ if (load_config) { ++ if (file_exists(c->configfile) && !lxcapi_load_config(c, NULL)) { ++ fprintf(stderr, "Failed to load config for %s\n", name); ++ goto err; ++ } + } + + if (ongoing_create(c) == 2) { +@@ -5274,6 +5276,17 @@ err: + return NULL; + } + ++// isulad: new container without load config to save time ++struct lxc_container *lxc_container_without_config_new(const char *name, const char *configpath) ++{ ++ return do_lxc_container_new(name, configpath, false); ++} ++ ++struct lxc_container *lxc_container_new(const char *name, const char *configpath) ++{ ++ return do_lxc_container_new(name, configpath, true); ++} ++ + int lxc_get_wait_states(const char **states) + { + int i; +diff --git a/src/lxc/lxccontainer.h b/src/lxc/lxccontainer.h +index 679ca42..a00e0ec 100644 +--- a/src/lxc/lxccontainer.h ++++ b/src/lxc/lxccontainer.h +@@ -1040,6 +1040,18 @@ struct lxc_console_log { + struct lxc_container *lxc_container_new(const char *name, const char *configpath); + + /*! ++ * \brief Create a new container without loading config. ++ * ++ * \param name Name to use for container. ++ * \param configpath Full path to configuration file to use. ++ * ++ * \return Newly-allocated container, or \c NULL on error. ++ * ++ * \note This function can only used for listing container. ++ */ ++struct lxc_container *lxc_container_without_config_new(const char *name, const char *configpath); ++ ++/*! + * \brief Add a reference to the specified container. + * + * \param c Container. +diff --git a/src/lxc/start.c b/src/lxc/start.c +index 08d753a..040909c 100644 +--- a/src/lxc/start.c ++++ b/src/lxc/start.c +@@ -1364,10 +1364,14 @@ static int do_start(void *data) + setsid(); + + if (handler->conf->init_cwd) { +- ret = chdir(handler->conf->init_cwd); +- if (ret < 0) { +- SYSERROR("Could not change directory to \"%s\"", +- handler->conf->init_cwd); ++ /* isulad: try to craete workdir if not exist */ ++ struct stat st; ++ if (stat(handler->conf->init_cwd, &st) < 0 && mkdir_p(handler->conf->init_cwd, 0755) < 0) { ++ SYSERROR("Try to create directory \"%s\" as workdir failed", handler->conf->init_cwd); ++ goto out_warn_father; ++ } ++ if (chdir(handler->conf->init_cwd)) { ++ SYSERROR("Could not change directory to \"%s\"", handler->conf->init_cwd); + goto out_warn_father; + } + } +-- +1.8.3.1 + diff --git a/0035-lxc-fixup-builds-with-newer-glibc.patch b/0035-lxc-fixup-builds-with-newer-glibc.patch new file mode 100644 index 0000000..15a2a4e --- /dev/null +++ b/0035-lxc-fixup-builds-with-newer-glibc.patch @@ -0,0 +1,25 @@ +From b84e0641198d562f8da88dcf98e24f55358523c7 Mon Sep 17 00:00:00 2001 +From: tanyifeng +Date: Wed, 16 Jan 2019 20:53:25 +0800 +Subject: [PATCH 035/122] lxc: fixup builds with newer glibc + +Signed-off-by: LiFeng +--- + src/lxc/utils.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/src/lxc/utils.c b/src/lxc/utils.c +index 120a13d..c8fb993 100644 +--- a/src/lxc/utils.c ++++ b/src/lxc/utils.c +@@ -44,6 +44,7 @@ + #include + #include + #include ++#include + #include + #include + +-- +1.8.3.1 + diff --git a/0036-drop_caps-add-drop-caps-of-current-process.patch b/0036-drop_caps-add-drop-caps-of-current-process.patch new file mode 100644 index 0000000..cd4641d --- /dev/null +++ b/0036-drop_caps-add-drop-caps-of-current-process.patch @@ -0,0 +1,256 @@ +From 191cff886b75864a9304eb5e56fa29662978ffec Mon Sep 17 00:00:00 2001 +From: LiFeng +Date: Tue, 15 Jan 2019 22:55:06 -0500 +Subject: [PATCH 036/122] drop_caps: add drop caps of current process + +Signed-off-by: LiFeng +--- + src/lxc/attach.c | 26 +++++++++++++--- + src/lxc/cgroups/cgfsng.c | 35 ++++++++++----------- + src/lxc/conf.c | 79 ++++++++++++++++++++++++++++++++++++++++++++++++ + src/lxc/conf.h | 1 + + src/lxc/start.c | 16 ++++++++++ + 5 files changed, 135 insertions(+), 22 deletions(-) + +diff --git a/src/lxc/attach.c b/src/lxc/attach.c +index 8cbbf96..3f60fe1 100644 +--- a/src/lxc/attach.c ++++ b/src/lxc/attach.c +@@ -936,11 +936,6 @@ static int attach_child_main(struct attach_clone_payload *payload) + TRACE("Loaded seccomp profile"); + } + +- close(payload->ipc_socket); +- payload->ipc_socket = -EBADF; +- lxc_proc_put_context_info(init_ctx); +- payload->init_ctx = NULL; +- + /* The following is done after the communication socket is shut down. + * That way, all errors that might (though unlikely) occur up until this + * point will have their messages printed to the original stderr (if +@@ -997,9 +992,30 @@ static int attach_child_main(struct attach_clone_payload *payload) + if (new_gid == ns_root_gid) + new_gid = LXC_INVALID_GID; + ++ if (prctl(PR_SET_KEEPCAPS, 1) < 0) { ++ SYSERROR("Failed to keep permitted capabilities"); ++ goto on_error; ++ } ++ + if (!lxc_switch_uid_gid(new_uid, new_gid)) + goto on_error; + ++ if (prctl(PR_SET_KEEPCAPS, 0) < 0) { ++ SYSERROR("Failed to clear permitted capabilities"); ++ goto on_error; ++ } ++ ++ if (init_ctx->container && init_ctx->container->lxc_conf && ++ lxc_drop_caps(init_ctx->container->lxc_conf) != 0) { ++ ERROR("Failed to drop caps."); ++ goto on_error; ++ } ++ ++ close(payload->ipc_socket); ++ payload->ipc_socket = -EBADF; ++ lxc_proc_put_context_info(init_ctx); ++ payload->init_ctx = NULL; ++ + /* We're done, so we can now do whatever the user intended us to do. */ + _exit(payload->exec_function(payload->exec_payload, msg_fd)); + +diff --git a/src/lxc/cgroups/cgfsng.c b/src/lxc/cgroups/cgfsng.c +index 8b913a6..bc1481d 100644 +--- a/src/lxc/cgroups/cgfsng.c ++++ b/src/lxc/cgroups/cgfsng.c +@@ -2664,11 +2664,11 @@ __cgfsng_ops static bool cgfsng_data_init(struct cgroup_ops *ops, struct lxc_han + { + const char *cgroup_pattern; + char *container_cgroup, *tmp; +- struct lxc_conf *conf = handler->conf; ++ struct lxc_conf *conf = NULL; + size_t len; + +- if (!conf) +- return false; ++ if (handler) ++ conf = handler->conf; + + /* copy system-wide cgroup information */ + cgroup_pattern = lxc_global_config_value("lxc.cgroup.pattern"); +@@ -2680,21 +2680,22 @@ __cgfsng_ops static bool cgfsng_data_init(struct cgroup_ops *ops, struct lxc_han + ops->cgroup_pattern = must_copy_string(cgroup_pattern); + + /* isulad: init ops->container_cgroup here instead of in cgfsng_payload_create*/ +- if (conf->cgroup_meta.dir) +- tmp = lxc_string_join("/", (const char *[]){conf->cgroup_meta.dir, handler->name, NULL}, false); +- else +- tmp = lxc_string_replace("%n", handler->name, ops->cgroup_pattern); +- if (!tmp) { +- ERROR("Failed expanding cgroup name pattern"); +- return false; +- } +- +- len = strlen(tmp) + 1; +- container_cgroup = must_realloc(NULL, len); +- (void)strlcpy(container_cgroup, tmp, len); +- free(tmp); +- ops->container_cgroup = container_cgroup; ++ if (conf) { ++ if (conf->cgroup_meta.dir) ++ tmp = lxc_string_join("/", (const char *[]){conf->cgroup_meta.dir, handler->name, NULL}, false); ++ else ++ tmp = lxc_string_replace("%n", handler->name, ops->cgroup_pattern); ++ if (!tmp) { ++ ERROR("Failed expanding cgroup name pattern"); ++ return false; ++ } + ++ len = strlen(tmp) + 1; ++ container_cgroup = must_realloc(NULL, len); ++ (void)strlcpy(container_cgroup, tmp, len); ++ free(tmp); ++ ops->container_cgroup = container_cgroup; ++ } + return true; + } + +diff --git a/src/lxc/conf.c b/src/lxc/conf.c +index fea0f59..6134ed3 100644 +--- a/src/lxc/conf.c ++++ b/src/lxc/conf.c +@@ -4220,6 +4220,85 @@ int lxc_setup(struct lxc_handler *handler) + return 0; + } + ++/* isulad drop caps for container*/ ++int lxc_drop_caps(struct lxc_conf *conf) ++{ ++#define __DEF_CAP_TO_MASK(x) (1U << ((x) & 31)) ++#if HAVE_LIBCAP ++ struct lxc_list *iterator; ++ char *keep_entry; ++ int i, capid; ++ int numcaps = lxc_caps_last_cap() + 1; ++ struct lxc_list *caps = NULL; ++ ++ if (lxc_list_empty(&conf->keepcaps)) ++ return 0; ++ ++ caps = &conf->keepcaps; ++ ++ if (numcaps <= 0 || numcaps > 200) ++ return -1; ++ ++ // caplist[i] is 1 if we keep capability i ++ int *caplist = alloca(numcaps * sizeof(int)); ++ memset(caplist, 0, numcaps * sizeof(int)); ++ ++ lxc_list_for_each(iterator, caps) { ++ ++ keep_entry = iterator->elem; ++ /* isulad: Do not keep any cap*/ ++ if (strcmp(keep_entry, "ISULAD_KEEP_NONE") == 0) { ++ DEBUG("Do not keep any capability"); ++ for(i = 0; i < numcaps; i++) { ++ caplist[i] = 0; ++ } ++ break; ++ } ++ ++ capid = parse_cap(keep_entry); ++ ++ if (capid == -2) ++ continue; ++ ++ if (capid < 0) { ++ ERROR("unknown capability %s", keep_entry); ++ return -1; ++ } ++ ++ DEBUG("keep capability '%s' (%d)", keep_entry, capid); ++ ++ caplist[capid] = 1; ++ } ++ ++ struct __user_cap_header_struct cap_header_data; ++ struct __user_cap_data_struct cap_data_data[2]; ++ ++ cap_user_header_t cap_header = &cap_header_data; ++ cap_user_data_t cap_data = &cap_data_data[0]; ++ ++ memset(cap_header, 0 ,sizeof(struct __user_cap_header_struct)); ++ memset(cap_data, 0, sizeof(struct __user_cap_data_struct) * 2); ++ ++ cap_header->pid = 0; ++ cap_header->version = _LINUX_CAPABILITY_VERSION; ++ ++ for (i = 0; i < numcaps; i++) { ++ if (caplist[i]) { ++ cap_data[CAP_TO_INDEX(i)].effective = cap_data[CAP_TO_INDEX(i)].effective | __DEF_CAP_TO_MASK(i); ++ cap_data[CAP_TO_INDEX(i)].permitted = cap_data[CAP_TO_INDEX(i)].permitted | __DEF_CAP_TO_MASK(i); ++ cap_data[CAP_TO_INDEX(i)].inheritable = cap_data[CAP_TO_INDEX(i)].inheritable | __DEF_CAP_TO_MASK(i); ++ } ++ } ++ ++ if (capset(cap_header, cap_data)) { ++ SYSERROR("Failed to set capabilitys"); ++ return -1; ++ } ++ ++#endif ++ return 0; ++} ++ + struct oci_hook_conf { + defs_hook *ocihook; + +diff --git a/src/lxc/conf.h b/src/lxc/conf.h +index 44feb98..b92c48e 100644 +--- a/src/lxc/conf.h ++++ b/src/lxc/conf.h +@@ -498,6 +498,7 @@ int lxc_clear_init_args(struct lxc_conf *lxc_conf); + int lxc_clear_populate_devices(struct lxc_conf *c); + int lxc_clear_rootfs_masked_paths(struct lxc_conf *c); + int lxc_clear_rootfs_ro_paths(struct lxc_conf *c); ++int lxc_drop_caps(struct lxc_conf *conf); + + /* isulad add end */ + +diff --git a/src/lxc/start.c b/src/lxc/start.c +index 040909c..357e81d 100644 +--- a/src/lxc/start.c ++++ b/src/lxc/start.c +@@ -1411,6 +1411,11 @@ static int do_start(void *data) + } + } + ++ if (prctl(PR_SET_KEEPCAPS, 1) < 0) { ++ SYSERROR("Failed to keep permitted capabilities"); ++ goto out_warn_father; ++ } ++ + /* The container has been setup. We can now switch to an unprivileged + * uid/gid. + */ +@@ -1448,6 +1453,17 @@ static int do_start(void *data) + goto out_warn_father; + } + ++ /* isulad: drop the cap of current process */ ++ if (prctl(PR_SET_KEEPCAPS, 0) < 0) { ++ SYSERROR("Failed to clear permitted capabilities"); ++ goto out_warn_father; ++ } ++ ++ if (lxc_drop_caps(handler->conf)) { ++ SYSERROR("Failed to drop caps"); ++ goto out_warn_father; ++ } ++ + /* After this call, we are in error because this ops should not return + * as it execs. + */ +-- +1.8.3.1 + diff --git a/0037-restore-default-signal-handlers-and-set-umask-0027.patch b/0037-restore-default-signal-handlers-and-set-umask-0027.patch new file mode 100644 index 0000000..6ae6146 --- /dev/null +++ b/0037-restore-default-signal-handlers-and-set-umask-0027.patch @@ -0,0 +1,113 @@ +From 9eadf4f23de1863de62710b08b624a468048a773 Mon Sep 17 00:00:00 2001 +From: LiFeng +Date: Tue, 15 Jan 2019 23:14:14 -0500 +Subject: [PATCH 037/122] restore default signal handlers and set umask 0027 + +Signed-off-by: LiFeng +--- + src/lxc/attach.c | 22 +++++++++++++++++++++- + src/lxc/conf.c | 3 +++ + src/lxc/start.c | 18 +++++++++++++++++- + 3 files changed, 41 insertions(+), 2 deletions(-) + +diff --git a/src/lxc/attach.c b/src/lxc/attach.c +index 3f60fe1..4ccdd74 100644 +--- a/src/lxc/attach.c ++++ b/src/lxc/attach.c +@@ -750,7 +750,7 @@ static void lxc_put_attach_clone_payload(struct attach_clone_payload *p) + + static int attach_child_main(struct attach_clone_payload *payload) + { +- int fd, lsm_fd, ret; ++ int fd, lsm_fd, ret, i; + uid_t new_uid; + gid_t new_gid; + uid_t ns_root_uid = 0; +@@ -761,11 +761,31 @@ static int attach_child_main(struct attach_clone_payload *payload) + bool needs_lsm = (options->namespaces & CLONE_NEWNS) && + (options->attach_flags & LXC_ATTACH_LSM) && + init_ctx->lsm_label; ++ sigset_t mask; ++ + + /*isulad: record errpipe fd*/ + msg_fd = init_ctx->container->lxc_conf->errpipe[1]; + init_ctx->container->lxc_conf->errpipe[1] = -1; + ++ /*isulad: set system umask 0027 for safe control */ ++ umask(0027); ++ ++ /*isulad: restore default signal handlers and unblock all signals*/ ++ for (i = 1; i < NSIG; i++) ++ signal(i, SIG_DFL); ++ ++ ret = sigfillset(&mask); ++ if (ret < 0) { ++ SYSERROR("Failed to fill signal mask"); ++ goto on_error;; ++ } ++ ret = sigprocmask(SIG_UNBLOCK, &mask, NULL); ++ if (ret < 0) { ++ SYSERROR("Failed to set signal mask"); ++ goto on_error; ++ } ++ + /* A description of the purpose of this functionality is provided in the + * lxc-attach(1) manual page. We have to remount here and not in the + * parent process, otherwise /proc may not properly reflect the new pid +diff --git a/src/lxc/conf.c b/src/lxc/conf.c +index 6134ed3..88cebfd 100644 +--- a/src/lxc/conf.c ++++ b/src/lxc/conf.c +@@ -4180,6 +4180,9 @@ int lxc_setup(struct lxc_handler *handler) + } + } + ++ /*isulad: set system umask 0027 for safe control*/ ++ umask(0027); ++ + ret = setup_personality(lxc_conf->personality); + if (ret < 0) { + ERROR("Failed to set personality"); +diff --git a/src/lxc/start.c b/src/lxc/start.c +index 357e81d..708ab7f 100644 +--- a/src/lxc/start.c ++++ b/src/lxc/start.c +@@ -1103,7 +1103,7 @@ void lxc_abort(const char *name, struct lxc_handler *handler) + + static int do_start(void *data) + { +- int ret; ++ int ret, i; + char path[PATH_MAX]; + uid_t new_uid; + gid_t new_gid; +@@ -1112,9 +1112,25 @@ static int do_start(void *data) + gid_t nsgid = 0; + int devnull_fd = -1; + struct lxc_handler *handler = data; ++ sigset_t mask; + + lxc_sync_fini_parent(handler); + ++ /*isulad: restore default signal handlers and unblock all signals*/ ++ for (i = 1; i < NSIG; i++) ++ signal(i, SIG_DFL); ++ ++ ret = sigfillset(&mask); ++ if (ret < 0) { ++ SYSERROR("Failed to fill signal mask"); ++ goto out_warn_father;; ++ } ++ ret = sigprocmask(SIG_UNBLOCK, &mask, NULL); ++ if (ret < 0) { ++ SYSERROR("Failed to set signal mask"); ++ goto out_warn_father; ++ } ++ + /* This prctl must be before the synchro, so if the parent dies before + * we set the parent death signal, we will detect its death with the + * synchro right after, otherwise we have a window where the parent can +-- +1.8.3.1 + diff --git a/0038-make-the-given-terminal-as-controlling-terminal.patch b/0038-make-the-given-terminal-as-controlling-terminal.patch new file mode 100644 index 0000000..fff5c08 --- /dev/null +++ b/0038-make-the-given-terminal-as-controlling-terminal.patch @@ -0,0 +1,46 @@ +From 05bdc32a321530e46325ca7fe8f67f9195f54962 Mon Sep 17 00:00:00 2001 +From: LiFeng +Date: Tue, 15 Jan 2019 23:24:21 -0500 +Subject: [PATCH 038/122] make the given terminal as controlling terminal + +Avoid warning when start cmd /bin/sh : +sh: cannot set terminal process group (-1): Inappropriate ioctl for device +sh: no job control in this shell + +Signed-off-by: LiFeng +--- + src/lxc/start.c | 10 ++++++++-- + 1 file changed, 8 insertions(+), 2 deletions(-) + +diff --git a/src/lxc/start.c b/src/lxc/start.c +index 708ab7f..ec61b32 100644 +--- a/src/lxc/start.c ++++ b/src/lxc/start.c +@@ -1330,7 +1330,15 @@ static int do_start(void *data) + * setup on its console ie. the pty allocated in lxc_terminal_setup() so + * make sure that that pty is stdin,stdout,stderr. + */ ++ setsid(); + if (handler->conf->console.slave >= 0) { ++ /* isulad:make the given terminal as controlling terminal to avoid warning ++ * sh: cannot set terminal process group (-1): Inappropriate ioctl for device ++ * sh: no job control in this shell */ ++ if (ioctl(handler->conf->console.slave, TIOCSCTTY, NULL) < 0) { ++ ERROR("Faild to make the given terminal the controlling terminal of the calling process"); ++ goto out_warn_father; ++ } + if (handler->daemonize || !handler->conf->is_execute) + ret = set_stdfds(handler->conf->console.slave); + else +@@ -1377,8 +1385,6 @@ static int do_start(void *data) + devnull_fd = -1; + } + +- setsid(); +- + if (handler->conf->init_cwd) { + /* isulad: try to craete workdir if not exist */ + struct stat st; +-- +1.8.3.1 + diff --git a/0039-print-error-message-when-container-start-failed.patch b/0039-print-error-message-when-container-start-failed.patch new file mode 100644 index 0000000..36dc467 --- /dev/null +++ b/0039-print-error-message-when-container-start-failed.patch @@ -0,0 +1,816 @@ +From b8925094ceb77cc94c8305725aae4877636c13c1 Mon Sep 17 00:00:00 2001 +From: tanyifeng +Date: Wed, 16 Jan 2019 14:38:38 +0800 +Subject: [PATCH 039/122] print error message when container start failed + +Signed-off-by: tanyifeng +Signed-off-by: LiFeng +--- + src/lxc/attach.c | 6 +-- + src/lxc/cgroups/cgfsng.c | 22 +++++++-- + src/lxc/cgroups/cgroup.c | 4 +- + src/lxc/cgroups/cgroup.h | 2 + + src/lxc/conf.c | 122 ++++++++++++++++++++++++++-------------------- + src/lxc/conf.h | 5 +- + src/lxc/execute.c | 3 +- + src/lxc/lxccontainer.c | 37 ++++++++++++-- + src/lxc/start.c | 14 ++++-- + src/lxc/start.h | 2 +- + src/lxc/tools/lxc_start.c | 3 ++ + 11 files changed, 147 insertions(+), 73 deletions(-) + +diff --git a/src/lxc/attach.c b/src/lxc/attach.c +index 4ccdd74..b44ea74 100644 +--- a/src/lxc/attach.c ++++ b/src/lxc/attach.c +@@ -1396,7 +1396,7 @@ int lxc_attach(const char *name, const char *lxcpath, + + /* Setup resource limits */ + if (!lxc_list_empty(&conf->limits)) { +- ret = setup_resource_limits(&conf->limits, pid); ++ ret = setup_resource_limits(&conf->limits, pid, -1); + if (ret < 0) + goto on_error; + } +@@ -1650,8 +1650,8 @@ int lxc_attach_run_command(void *payload, int msg_fd) + } + } + +- /* isulad: write errorm messages */ +- lxc_write_error_message(msg_fd, "exec: \"%s\": %s", cmd->program, strerror(errno)); ++ /* isulad: write error messages */ ++ lxc_write_error_message(msg_fd, "exec: \"%s\": %s.", cmd->program, strerror(errno)); + + SYSERROR("Failed to exec \"%s\"", cmd->program); + return ret; +diff --git a/src/lxc/cgroups/cgfsng.c b/src/lxc/cgroups/cgfsng.c +index bc1481d..47b12a6 100644 +--- a/src/lxc/cgroups/cgfsng.c ++++ b/src/lxc/cgroups/cgfsng.c +@@ -1236,7 +1236,7 @@ static int mkdir_eexist_on_last(const char *dir, mode_t mode) + return 0; + } + +-static bool create_path_for_hierarchy(struct hierarchy *h, char *cgname) ++static bool create_path_for_hierarchy(struct hierarchy *h, char *cgname, int errfd) + { + int ret; + +@@ -1244,8 +1244,8 @@ static bool create_path_for_hierarchy(struct hierarchy *h, char *cgname) + + if (file_exists(h->container_full_path)) { // it must not already exist + ERROR("Cgroup path \"%s\" already exist.", h->container_full_path); +- //lxc_write_error_message(errfd, "%s:%d: Cgroup path \"%s\" already exist.", +- // __FILE__, __LINE__, h->fullcgpath); ++ lxc_write_error_message(errfd, "%s:%d: Cgroup path \"%s\" already exist.", ++ __FILE__, __LINE__, h->container_full_path); + return false; + } + +@@ -1288,7 +1288,7 @@ __cgfsng_ops static bool cgfsng_payload_create(struct cgroup_ops *ops, + } + + for (i = 0; ops->hierarchies[i]; i++) { +- if (!create_path_for_hierarchy(ops->hierarchies[i], container_cgroup)) { ++ if (!create_path_for_hierarchy(ops->hierarchies[i], container_cgroup, ops->errfd)) { + SYSERROR("Failed to create %s", ops->hierarchies[i]->container_full_path); + return false; + } +@@ -2203,6 +2203,11 @@ static int cg_legacy_set_data(struct cgroup_ops *ops, const char *filename, + + fullpath = must_make_path(h->container_full_path, filename, NULL); + ret = lxc_write_to_file(fullpath, value, strlen(value), false, 0666); ++ if (ret) { ++ lxc_write_error_message(ops->errfd, ++ "%s:%d: setting cgroup config for ready process caused \"failed to write %s to %s: %s\".", ++ __FILE__, __LINE__, value, fullpath, strerror(errno)); ++ } + free(fullpath); + return ret; + } +@@ -2294,9 +2299,15 @@ static bool __cg_legacy_setup_limits(struct cgroup_ops *ops, + } + if (setvalue > readvalue) { + ERROR("The maximum allowed cpu-shares is %s", value); ++ lxc_write_error_message(ops->errfd, ++ "%s:%d: setting cgroup config for ready process caused \"The maximum allowed cpu-shares is %s\".", ++ __FILE__, __LINE__, value); + goto out; + } else if (setvalue < readvalue) { + ERROR("The minimum allowed cpu-shares is %s", value); ++ lxc_write_error_message(ops->errfd, ++ "%s:%d: setting cgroup config for ready process caused \"The minimum allowed cpu-shares is %s\".", ++ __FILE__, __LINE__, value); + goto out; + } + } +@@ -2699,7 +2710,7 @@ __cgfsng_ops static bool cgfsng_data_init(struct cgroup_ops *ops, struct lxc_han + return true; + } + +-struct cgroup_ops *cgfsng_ops_init(void) ++struct cgroup_ops *cgfsng_ops_init(int errfd) + { + struct cgroup_ops *cgfsng_ops; + +@@ -2715,6 +2726,7 @@ struct cgroup_ops *cgfsng_ops_init(void) + return NULL; + } + ++ cgfsng_ops->errfd = errfd; + cgfsng_ops->data_init = cgfsng_data_init; + cgfsng_ops->destroy = cgfsng_payload_destroy; + cgfsng_ops->payload_create = cgfsng_payload_create; +diff --git a/src/lxc/cgroups/cgroup.c b/src/lxc/cgroups/cgroup.c +index 8e7aef9..7442c31 100644 +--- a/src/lxc/cgroups/cgroup.c ++++ b/src/lxc/cgroups/cgroup.c +@@ -38,13 +38,13 @@ + + lxc_log_define(cgroup, lxc); + +-extern struct cgroup_ops *cgfsng_ops_init(void); ++extern struct cgroup_ops *cgfsng_ops_init(int errfd); + + struct cgroup_ops *cgroup_init(struct lxc_handler *handler) + { + struct cgroup_ops *cgroup_ops; + +- cgroup_ops = cgfsng_ops_init(); ++ cgroup_ops = cgfsng_ops_init(handler->conf->errpipe[1]); + if (!cgroup_ops) { + ERROR("Failed to initialize cgroup driver"); + return NULL; +diff --git a/src/lxc/cgroups/cgroup.h b/src/lxc/cgroups/cgroup.h +index fa4871e..b6116f6 100644 +--- a/src/lxc/cgroups/cgroup.h ++++ b/src/lxc/cgroups/cgroup.h +@@ -92,6 +92,8 @@ struct cgroup_ops { + char **cgroup_use; + char *cgroup_pattern; + char *container_cgroup; ++ /* isulad: errfd */ ++ int errfd; + + /* @hierarchies + * - A NULL-terminated array of struct hierarchy, one per legacy +diff --git a/src/lxc/conf.c b/src/lxc/conf.c +index 88cebfd..8fa63f7 100644 +--- a/src/lxc/conf.c ++++ b/src/lxc/conf.c +@@ -2414,6 +2414,8 @@ static int mount_entry_create_dir_file(const struct mntent *mntent, + ret = mkdir_p(path, 0755); + if (ret < 0 && errno != EEXIST) { + SYSERROR("Failed to create directory \"%s\"", path); ++ lxc_write_error_message(rootfs->errfd, "%s:%d: mkdir %s: %s.", ++ __FILE__, __LINE__, path, strerror(errno)); + return -1; + } + } +@@ -2435,12 +2437,17 @@ static int mount_entry_create_dir_file(const struct mntent *mntent, + free(p1); + if (ret < 0 && errno != EEXIST) { + SYSERROR("Failed to create directory \"%s\"", path); ++ lxc_write_error_message(rootfs->errfd, "%s:%d: mkdir %s: %s.", ++ __FILE__, __LINE__, p2, strerror(errno)); + return -1; + } + + ret = mknod(path, S_IFREG | 0000, 0); +- if (ret < 0 && errno != EEXIST) ++ if (ret < 0 && errno != EEXIST) { ++ lxc_write_error_message(rootfs->errfd, "%s:%d: open %s: %s.", ++ __FILE__, __LINE__, path, strerror(errno)); + return -errno; ++ } + + return 0; + } +@@ -2550,7 +2557,9 @@ static inline int mount_entry_on_generic(struct mntent *mntent, + if (rootfs_path) { + rpath = follow_symlink_in_scope(path, rootfs_path); + if (!rpath) { +- ERROR("Failed to get real path for '%s'", path); ++ ERROR("Failed to get real path of '%s' in scope '%s'.", path, rootfs_path); ++ lxc_write_error_message(rootfs->errfd, "%s:%d: failed to get real path of '%s' in scope '%s'.", ++ __FILE__, __LINE__, path, rootfs_path); + return -1; + } + dest = rpath; +@@ -2558,6 +2567,8 @@ static inline int mount_entry_on_generic(struct mntent *mntent, + ret = check_mount_destination(rootfs_path, dest); + if (ret) { + ERROR("Mount destination is invalid: '%s'", dest); ++ lxc_write_error_message(rootfs->errfd, "%s:%d: mount destination is invalid: '%s'.", ++ __FILE__, __LINE__, dest); + free(rpath); + return -1; + } +@@ -2587,6 +2598,10 @@ static inline int mount_entry_on_generic(struct mntent *mntent, + ret = mount_entry(mntent->mnt_fsname, dest, mntent->mnt_type, mntflags, + pflags, mntdata, optional, dev, relative, rootfs_path); + } ++ if (ret < 0) { ++ lxc_write_error_message(rootfs->errfd, "%s:%d: failed to mount %s as type %s.", ++ __FILE__, __LINE__, mntent->mnt_fsname, mntent->mnt_type); ++ } + + free(mntdata); + free(rpath); +@@ -2949,7 +2964,7 @@ static int parse_resource(const char *res) + return resid; + } + +-int setup_resource_limits(struct lxc_list *limits, pid_t pid) ++int setup_resource_limits(struct lxc_list *limits, pid_t pid, int errfd) + { + int resid; + struct lxc_list *it; +@@ -2966,7 +2981,10 @@ int setup_resource_limits(struct lxc_list *limits, pid_t pid) + + #if HAVE_PRLIMIT || HAVE_PRLIMIT64 + if (prlimit(pid, resid, &lim->limit, NULL) != 0) { +- SYSERROR("Failed to set limit %s", lim->resource); ++ SYSERROR("Failed to set limit %s %lu %lu.", lim->resource, lim->limit.rlim_cur, lim->limit.rlim_max); ++ lxc_write_error_message(errfd, "%s:%d: Failed to set limit %s %lu %lu: %s.", ++ __FILE__, __LINE__, lim->resource, ++ lim->limit.rlim_cur, lim->limit.rlim_max, strerror(errno)); + return -1; + } + +@@ -3989,6 +4007,8 @@ int lxc_setup(struct lxc_handler *handler) + ret = lxc_setup_rootfs_prepare_root(lxc_conf, name, lxcpath); + if (ret < 0) { + ERROR("Failed to setup rootfs"); ++ lxc_write_error_message(lxc_conf->errpipe[1], "%s:%d: failed to setup rootfs %s.", ++ __FILE__, __LINE__, lxc_conf->rootfs.path); + return -1; + } + +@@ -3996,31 +4016,31 @@ int lxc_setup(struct lxc_handler *handler) + ret = setup_utsname(lxc_conf->utsname); + if (ret < 0) { + ERROR("Failed to setup the utsname %s", name); +- return -1; ++ goto on_error; + } + } + + ret = lxc_setup_keyring(); + if (ret < 0) +- return -1; ++ goto on_error; + + ret = lxc_setup_network_in_child_namespaces(lxc_conf, &lxc_conf->network); + if (ret < 0) { + ERROR("Failed to setup network"); +- return -1; ++ goto on_error; + } + + ret = lxc_network_send_name_and_ifindex_to_parent(handler); + if (ret < 0) { + ERROR("Failed to send network device names and ifindices to parent"); +- return -1; ++ goto on_error; + } + + if (lxc_conf->autodev > 0) { + ret = mount_autodev(name, &lxc_conf->rootfs, lxcpath); + if (ret < 0) { + ERROR("Failed to mount \"/dev\""); +- return -1; ++ goto on_error; + } + } + +@@ -4030,13 +4050,14 @@ int lxc_setup(struct lxc_handler *handler) + ret = lxc_mount_auto_mounts(lxc_conf, lxc_conf->auto_mounts & ~LXC_AUTO_CGROUP_MASK, handler); + if (ret < 0) { + ERROR("Failed to setup first automatic mounts"); +- return -1; ++ goto on_error; + } + ++ lxc_conf->rootfs.errfd = lxc_conf->errpipe[1]; + ret = setup_mount(lxc_conf, &lxc_conf->rootfs, lxc_conf->fstab, name, lxcpath); + if (ret < 0) { + ERROR("Failed to setup mounts"); +- return -1; ++ goto on_error; + } + + if (lxc_conf->is_execute) { +@@ -4047,13 +4068,13 @@ int lxc_setup(struct lxc_handler *handler) + ret = snprintf(path, PATH_MAX, SBINDIR "/init.lxc.static"); + if (ret < 0 || ret >= PATH_MAX) { + ERROR("Path to init.lxc.static too long"); +- return -1; ++ goto on_error; + } + + fd = open(path, O_PATH | O_CLOEXEC); + if (fd < 0) { + SYSERROR("Unable to open lxc.init.static"); +- return -1; ++ goto on_error; + } + + ((struct execute_args *)handler->data)->init_fd = fd; +@@ -4062,7 +4083,7 @@ int lxc_setup(struct lxc_handler *handler) + ret = lxc_execute_bind_init(handler); + if (ret < 0) { + ERROR("Failed to bind-mount the lxc init system"); +- return -1; ++ goto on_error; + } + } + } +@@ -4074,7 +4095,7 @@ int lxc_setup(struct lxc_handler *handler) + ret = lxc_mount_auto_mounts(lxc_conf, lxc_conf->auto_mounts & LXC_AUTO_CGROUP_MASK, handler); + if (ret < 0) { + ERROR("Failed to setup remaining automatic mounts"); +- return -1; ++ goto on_error; + } + + /*isulad: move mount entries here, before we do lxc_fill_autodev and populate devices */ +@@ -4083,27 +4104,27 @@ int lxc_setup(struct lxc_handler *handler) + &lxc_conf->mount_list, name, lxcpath); + if (ret < 0) { + ERROR("Failed to setup mount entries"); +- return -1; ++ goto on_error; + } + } + + ret = run_lxc_hooks(name, "mount", lxc_conf, NULL); + if (ret < 0) { + ERROR("Failed to run mount hooks"); +- return -1; ++ goto on_error; + } + + if (lxc_conf->autodev > 0) { + ret = run_lxc_hooks(name, "autodev", lxc_conf, NULL); + if (ret < 0) { + ERROR("Failed to run autodev hooks"); +- return -1; ++ goto on_error; + } + + ret = lxc_fill_autodev(&lxc_conf->rootfs); + if (ret < 0) { + ERROR("Failed to populate \"/dev\""); +- return -1; ++ goto on_error; + } + } + +@@ -4111,64 +4132,64 @@ int lxc_setup(struct lxc_handler *handler) + if (!lxc_list_empty(&lxc_conf->populate_devs)) { + if (setup_populate_devs(&lxc_conf->rootfs, &lxc_conf->populate_devs)) { + ERROR("Failed to setup devices in the container"); +- return -1;; ++ goto on_error; + } + } + + /* Make sure any start hooks are in the container */ + if (!verify_start_hooks(lxc_conf)) { + ERROR("Failed to verify start hooks"); +- return -1; ++ goto on_error; + } + + ret = lxc_setup_console(&lxc_conf->rootfs, &lxc_conf->console, + lxc_conf->ttys.dir); + if (ret < 0) { + ERROR("Failed to setup console"); +- return -1; ++ goto on_error; + } + + ret = lxc_setup_dev_symlinks(&lxc_conf->rootfs); + if (ret < 0) { + ERROR("Failed to setup \"/dev\" symlinks"); +- return -1; ++ goto on_error; + } + + ret = lxc_create_tmp_proc_mount(lxc_conf); + if (ret < 0) { + ERROR("Failed to \"/proc\" LSMs"); +- return -1; ++ goto on_error; + } + + ret = lxc_setup_rootfs_switch_root(&lxc_conf->rootfs); + if (ret < 0) { + ERROR("Failed to pivot root into rootfs"); +- return -1; ++ goto on_error; + } + + /* isulad: remount rootfs readonly if necessary */ + if (setup_rootfs_mountopts(&lxc_conf->rootfs)) { + ERROR("failed to set rootfs for '%s'", name); +- return -1; ++ goto on_error; + } + + if (lxc_conf->rootfs.path) { + ret = lxc_setup_devpts(lxc_conf); + if (ret < 0) { + ERROR("Failed to setup new devpts instance"); +- return -1; ++ goto on_error; + } + } + + ret = lxc_create_ttys(handler); + if (ret < 0) +- return -1; ++ goto on_error; + + //isulad: setup rootfs masked paths + if (!lxc_list_empty(&lxc_conf->rootfs.maskedpaths)) { + if (setup_rootfs_maskedpaths(&lxc_conf->rootfs.maskedpaths)) { + ERROR("failed to setup maskedpaths"); +- return -1; ++ goto on_error; + } + } + +@@ -4176,7 +4197,7 @@ int lxc_setup(struct lxc_handler *handler) + if (!lxc_list_empty(&lxc_conf->rootfs.ropaths)) { + if (setup_rootfs_ropaths(&lxc_conf->rootfs.ropaths)) { + ERROR("failed to setup readonlypaths"); +- return -1; ++ goto on_error; + } + } + +@@ -4186,7 +4207,7 @@ int lxc_setup(struct lxc_handler *handler) + ret = setup_personality(lxc_conf->personality); + if (ret < 0) { + ERROR("Failed to set personality"); +- return -1; ++ goto on_error; + } + + /* Set sysctl value to a path under /proc/sys as determined from the +@@ -4197,7 +4218,7 @@ int lxc_setup(struct lxc_handler *handler) + ret = setup_sysctl_parameters(&lxc_conf->sysctls); + if (ret < 0) { + ERROR("Failed to setup sysctl parameters"); +- return -1; ++ goto on_error; + } + } + +@@ -4206,21 +4227,24 @@ int lxc_setup(struct lxc_handler *handler) + ERROR("Container requests lxc.cap.drop and " + "lxc.cap.keep: either use lxc.cap.drop or " + "lxc.cap.keep, not both"); +- return -1; ++ goto on_error; + } + + if (dropcaps_except(&lxc_conf->keepcaps)) { + ERROR("Failed to keep capabilities"); +- return -1; ++ goto on_error; + } + } else if (setup_caps(&lxc_conf->caps)) { + ERROR("Failed to drop capabilities"); +- return -1; ++ goto on_error; + } + + NOTICE("The container \"%s\" is set up", name); + + return 0; ++on_error: ++ lxc_write_error_message(lxc_conf->errpipe[1], "Failed to setup lxc, please check the config file."); ++ return -1; + } + + /* isulad drop caps for container*/ +@@ -4555,11 +4579,9 @@ void* wait_ocihook_timeout(void *arg) + __FILE__, __LINE__, lxchook_names[conf->which], + (double)conf->timeout); + +- if (conf->errfd >= 0) { +- lxc_write_error_message(conf->errfd, "%s:%d: running %s hook caused \"hook ran past specified timeout of %.1fs\"", +- __FILE__, __LINE__, lxchook_names[conf->which], +- (double)conf->timeout); +- } ++ lxc_write_error_message(conf->errfd, "%s:%d: running %s hook caused \"hook ran past specified timeout of %.1fs\".", ++ __FILE__, __LINE__, lxchook_names[conf->which], ++ (double)conf->timeout); + + if (kill(conf->pid, SIGKILL) && errno != ESRCH) { + ERROR("Send kill signal failed"); +@@ -4640,22 +4662,18 @@ static int run_ocihook_buffer(struct oci_hook_conf *oconf, char *inmsg) + goto print_hook; + } else if (WIFEXITED(ret) && WEXITSTATUS(ret) != 0) { + ERROR("Script exited with status %d. output:%s", WEXITSTATUS(ret), output); +- if (conf->errfd >= 0) { +- lxc_write_error_message(conf->errfd, "%s:%d: running %s hook caused \"error running hook: exit status %d, output:%s\"", +- __FILE__, __LINE__, +- (conf->which >= NUM_LXC_HOOKS) ? "invalid type" : lxchook_names[conf->which], +- WEXITSTATUS(ret), output); +- } ++ lxc_write_error_message(conf->errfd, "%s:%d: running %s hook caused \"error running hook: exit status %d, output:%s\".", ++ __FILE__, __LINE__, ++ (conf->which >= NUM_LXC_HOOKS) ? "invalid type" : lxchook_names[conf->which], ++ WEXITSTATUS(ret), output); + + goto print_hook; + } else if (WIFSIGNALED(ret)) { + ERROR("Script terminated by signal %d.", WTERMSIG(ret)); +- if (conf->errfd >= 0) { +- lxc_write_error_message(conf->errfd, "%s:%d: running %s hook caused \"error running hook: Script terminated by signal %d\"", +- __FILE__, __LINE__, +- (conf->which >= NUM_LXC_HOOKS) ? "invalid type" : lxchook_names[conf->which], +- WTERMSIG(ret)); +- } ++ lxc_write_error_message(conf->errfd, "%s:%d: running %s hook caused \"error running hook: Script terminated by signal %d\".", ++ __FILE__, __LINE__, ++ (conf->which >= NUM_LXC_HOOKS) ? "invalid type" : lxchook_names[conf->which], ++ WTERMSIG(ret)); + + goto print_hook; + } +diff --git a/src/lxc/conf.h b/src/lxc/conf.h +index b92c48e..88f5b41 100644 +--- a/src/lxc/conf.h ++++ b/src/lxc/conf.h +@@ -175,6 +175,8 @@ struct lxc_rootfs { + struct lxc_list maskedpaths; + /* isulad: ropaths */ + struct lxc_list ropaths; ++ /* isulad: errfd */ ++ int errfd; + }; + + /* +@@ -462,7 +464,7 @@ extern int lxc_setup_rootfs_prepare_root(struct lxc_conf *conf, + const char *name, const char *lxcpath); + extern int lxc_setup(struct lxc_handler *handler); + extern int lxc_setup_parent(struct lxc_handler *handler); +-extern int setup_resource_limits(struct lxc_list *limits, pid_t pid); ++extern int setup_resource_limits(struct lxc_list *limits, pid_t pid, int errfd); + extern int find_unmapped_nsid(struct lxc_conf *conf, enum idtype idtype); + extern int mapped_hostid(unsigned id, struct lxc_conf *conf, + enum idtype idtype); +@@ -499,6 +501,7 @@ int lxc_clear_populate_devices(struct lxc_conf *c); + int lxc_clear_rootfs_masked_paths(struct lxc_conf *c); + int lxc_clear_rootfs_ro_paths(struct lxc_conf *c); + int lxc_drop_caps(struct lxc_conf *conf); ++void lxc_close_error_pipe(int *errpipe); + + /* isulad add end */ + +diff --git a/src/lxc/execute.c b/src/lxc/execute.c +index d388e63..3fc46c6 100644 +--- a/src/lxc/execute.c ++++ b/src/lxc/execute.c +@@ -40,7 +40,7 @@ + + lxc_log_define(execute, start); + +-static int execute_start(struct lxc_handler *handler, void* data) ++static int execute_start(struct lxc_handler *handler, void* data, int fd) + { + int argc_add, j; + char **argv; +@@ -91,6 +91,7 @@ static int execute_start(struct lxc_handler *handler, void* data) + else + execvp(argv[0], argv); + SYSERROR("Failed to exec %s", argv[0]); ++ lxc_write_error_message(fd, "Failed to exec: \"%s\": %s.", argv[0], strerror(errno)); + + free(argv); + out1: +diff --git a/src/lxc/lxccontainer.c b/src/lxc/lxccontainer.c +index e99c41c..d641851 100644 +--- a/src/lxc/lxccontainer.c ++++ b/src/lxc/lxccontainer.c +@@ -916,7 +916,9 @@ static bool do_lxcapi_start(struct lxc_container *c, int useinit, char * const a + NULL, + }; + char **init_cmd = NULL; +- int keepfds[4] = {-1, -1, -1, -1}; ++ int keepfds[] = {-1, -1, -1, -1, -1}; ++ ssize_t size_read; ++ char errbuf[BUFSIZ + 1] = {0}; + + /* container does exist */ + if (!c) +@@ -962,7 +964,7 @@ static bool do_lxcapi_start(struct lxc_container *c, int useinit, char * const a + argv = init_cmd = split_init_cmd(conf->init_cmd); + } + +- /* isulad: use init argv as init cmd */ ++ /* isulad: use init argv as init cmd */ + if (!argv) { + argv = init_cmd = use_init_args(conf->init_argv, conf->init_argc); + } +@@ -986,10 +988,19 @@ static bool do_lxcapi_start(struct lxc_container *c, int useinit, char * const a + char title[2048]; + pid_t pid; + ++ //isulad: pipdfd for get error message of child or grandchild process. ++ if (pipe2(conf->errpipe, O_CLOEXEC) != 0) { ++ SYSERROR("Failed to init errpipe"); ++ free_init_cmd(init_cmd); ++ lxc_free_handler(handler); ++ return false; ++ } ++ + pid = fork(); + if (pid < 0) { + free_init_cmd(init_cmd); + lxc_free_handler(handler); ++ lxc_close_error_pipe(conf->errpipe); + return false; + } + +@@ -999,11 +1010,23 @@ static bool do_lxcapi_start(struct lxc_container *c, int useinit, char * const a + * the PID file, child will do the free and unlink. + */ + c->pidfile = NULL; ++ close(conf->errpipe[1]); ++ conf->errpipe[1] = -1; + + /* Wait for container to tell us whether it started + * successfully. + */ + started = wait_on_daemonized_start(handler, pid); ++ if (!started) { ++ size_read = read(conf->errpipe[0], errbuf, BUFSIZ); ++ if (size_read > 0) { ++ conf->errmsg = strdup(errbuf); ++ if (!conf->errmsg) ++ ERROR("Out of memory"); ++ } ++ } ++ close(conf->errpipe[0]); ++ conf->errpipe[0] = -1; + + free_init_cmd(init_cmd); + lxc_free_handler(handler); +@@ -1039,6 +1062,7 @@ static bool do_lxcapi_start(struct lxc_container *c, int useinit, char * const a + if (pid != 0) { + free_init_cmd(init_cmd); + lxc_free_handler(handler); ++ lxc_close_error_pipe(conf->errpipe); + _exit(EXIT_SUCCESS); + } + +@@ -1050,10 +1074,12 @@ static bool do_lxcapi_start(struct lxc_container *c, int useinit, char * const a + SYSERROR("Failed to change to \"/\" directory"); + _exit(EXIT_FAILURE); + } +- ++ close(conf->errpipe[0]); ++ conf->errpipe[0] = -1; + keepfds[0] = handler->conf->maincmd_fd; + keepfds[1] = handler->state_socket_pair[0]; + keepfds[2] = handler->state_socket_pair[1]; ++ keepfds[4] = conf->errpipe[1]; + ret = lxc_check_inherited(conf, true, keepfds, + sizeof(keepfds) / sizeof(keepfds[0])); + if (ret < 0) +@@ -1088,6 +1114,7 @@ static bool do_lxcapi_start(struct lxc_container *c, int useinit, char * const a + if (w < 0 || (size_t)w >= sizeof(pidstr)) { + free_init_cmd(init_cmd); + lxc_free_handler(handler); ++ lxc_close_error_pipe(conf->errpipe); + + SYSERROR("Failed to write monitor pid to \"%s\"", c->pidfile); + +@@ -1101,6 +1128,7 @@ static bool do_lxcapi_start(struct lxc_container *c, int useinit, char * const a + if (ret < 0) { + free_init_cmd(init_cmd); + lxc_free_handler(handler); ++ lxc_close_error_pipe(conf->errpipe); + + SYSERROR("Failed to write monitor pid to \"%s\"", c->pidfile); + +@@ -1159,6 +1187,9 @@ reboot: + if (conf->exit_fd >= 0) { + keepfds[3] = conf->exit_fd; + } ++ /* isulad: keep errpipe fd */ ++ if (c->daemonize) ++ keepfds[4] = conf->errpipe[1]; + ret = lxc_check_inherited(conf, c->daemonize, keepfds, + sizeof(keepfds) / sizeof(keepfds[0])); + if (ret < 0) { +diff --git a/src/lxc/start.c b/src/lxc/start.c +index ec61b32..3e6854f 100644 +--- a/src/lxc/start.c ++++ b/src/lxc/start.c +@@ -892,6 +892,7 @@ int lxc_init(const char *name, struct lxc_handler *handler) + ret = lxc_terminal_setup(conf); + if (ret < 0) { + ERROR("Failed to create console"); ++ lxc_write_error_message(conf->errpipe[1], "Failed to create console for container \"%s\".", name); + goto out_restore_sigmask; + } + TRACE("Created console"); +@@ -1390,6 +1391,8 @@ static int do_start(void *data) + struct stat st; + if (stat(handler->conf->init_cwd, &st) < 0 && mkdir_p(handler->conf->init_cwd, 0755) < 0) { + SYSERROR("Try to create directory \"%s\" as workdir failed", handler->conf->init_cwd); ++ lxc_write_error_message(handler->conf->errpipe[1], "%s:%d: Failed to create workdir: %s.", ++ __FILE__, __LINE__, strerror(errno)); + goto out_warn_father; + } + if (chdir(handler->conf->init_cwd)) { +@@ -1489,7 +1492,7 @@ static int do_start(void *data) + /* After this call, we are in error because this ops should not return + * as it execs. + */ +- handler->ops->start(handler, handler->data); ++ handler->ops->start(handler, handler->data, handler->daemonize ? handler->conf->errpipe[1] : -1); + + out_warn_father: + /* We want the parent to know something went wrong, so we return a +@@ -1898,7 +1901,7 @@ static int lxc_spawn(struct lxc_handler *handler) + goto out_delete_net; + + if (!lxc_list_empty(&conf->limits)) { +- ret = setup_resource_limits(&conf->limits, handler->pid); ++ ret = setup_resource_limits(&conf->limits, handler->pid, conf->errpipe[1]); + if (ret < 0) { + ERROR("Failed to setup resource limits"); + goto out_delete_net; +@@ -1960,7 +1963,7 @@ static int lxc_spawn(struct lxc_handler *handler) + } + + if (START_TIMEOUT == global_timeout_state) { +- //lxc_write_error_message(conf->errpipe[1], "Starting the container \"%s\" timeout.", name); ++ lxc_write_error_message(conf->errpipe[1], "Starting the container \"%s\" timeout.", name); + ERROR("Starting the container \"%s\" timeout.", name); + goto out_delete_net; + } +@@ -2008,7 +2011,7 @@ static int lxc_spawn(struct lxc_handler *handler) + } + + if (START_TIMEOUT == global_timeout_state) { +- //lxc_write_error_message(conf->errpipe[1], "Starting the container \"%s\" timeout.", name); ++ lxc_write_error_message(conf->errpipe[1], "Starting the container \"%s\" timeout.", name); + ERROR("Starting the container \"%s\" timeout.", name); + goto out_abort; + } +@@ -2232,7 +2235,7 @@ struct start_args { + char *const *argv; + }; + +-static int start(struct lxc_handler *handler, void* data) ++static int start(struct lxc_handler *handler, void* data, int fd) + { + struct start_args *arg = data; + +@@ -2240,6 +2243,7 @@ static int start(struct lxc_handler *handler, void* data) + + execvp(arg->argv[0], arg->argv); + SYSERROR("Failed to exec \"%s\"", arg->argv[0]); ++ lxc_write_error_message(fd, "exec: \"%s\": %s.", arg->argv[0], strerror(errno)); + return 0; + } + +diff --git a/src/lxc/start.h b/src/lxc/start.h +index 1d84325..ab72e6e 100644 +--- a/src/lxc/start.h ++++ b/src/lxc/start.h +@@ -145,7 +145,7 @@ struct execute_args { + }; + + struct lxc_operations { +- int (*start)(struct lxc_handler *, void *); ++ int (*start)(struct lxc_handler *, void *, int); + int (*post_start)(struct lxc_handler *, void *); + }; + +diff --git a/src/lxc/tools/lxc_start.c b/src/lxc/tools/lxc_start.c +index f37f8a6..ec48701 100644 +--- a/src/lxc/tools/lxc_start.c ++++ b/src/lxc/tools/lxc_start.c +@@ -392,6 +392,9 @@ int main(int argc, char *argv[]) + else + err = c->start(c, 0, args) ? EXIT_SUCCESS : EXIT_FAILURE; + if (err) { ++ if (c->lxc_conf->errmsg) ++ fprintf(stderr, "%s:%s:%s:%d starting container process caused \"%s\"", c->name, ++ __FILE__, __func__, __LINE__, c->lxc_conf->errmsg); + ERROR("The container failed to start"); + + if (my_args.daemonize) +-- +1.8.3.1 + diff --git a/0040-add-timeout-200ms-for-cmds-send-to-lxc-monitor.patch b/0040-add-timeout-200ms-for-cmds-send-to-lxc-monitor.patch new file mode 100644 index 0000000..223472b --- /dev/null +++ b/0040-add-timeout-200ms-for-cmds-send-to-lxc-monitor.patch @@ -0,0 +1,107 @@ +From a03cf6d594d7b310138b898fd1c49ce031322e48 Mon Sep 17 00:00:00 2001 +From: LiFeng +Date: Wed, 16 Jan 2019 02:22:13 -0500 +Subject: [PATCH 040/122] add timeout(200ms) for cmds send to [lxc monitor] + +Signed-off-by: LiFeng +--- + src/lxc/af_unix.c | 25 +++++++++++++++++++++++-- + src/lxc/af_unix.h | 2 ++ + src/lxc/commands.c | 7 +++++-- + 3 files changed, 30 insertions(+), 4 deletions(-) + +diff --git a/src/lxc/af_unix.c b/src/lxc/af_unix.c +index 02f32c4..24500a8 100644 +--- a/src/lxc/af_unix.c ++++ b/src/lxc/af_unix.c +@@ -194,8 +194,9 @@ int lxc_abstract_unix_send_fds(int fd, int *sendfds, int num_sendfds, + return ret; + } + +-int lxc_abstract_unix_recv_fds(int fd, int *recvfds, int num_recvfds, +- void *data, size_t size) ++/* isulad: add wait timeout Microseconds*/ ++int lxc_abstract_unix_recv_fds_timeout(int fd, int *recvfds, int num_recvfds, ++ void *data, size_t size, unsigned int timeout) + { + int ret; + struct msghdr msg; +@@ -204,6 +205,7 @@ int lxc_abstract_unix_recv_fds(int fd, int *recvfds, int num_recvfds, + char buf[1] = {0}; + char *cmsgbuf; + size_t cmsgbufsize = CMSG_SPACE(num_recvfds * sizeof(int)); ++ struct timeval out; + + memset(&msg, 0, sizeof(msg)); + memset(&iov, 0, sizeof(iov)); +@@ -222,6 +224,19 @@ int lxc_abstract_unix_recv_fds(int fd, int *recvfds, int num_recvfds, + msg.msg_iov = &iov; + msg.msg_iovlen = 1; + ++ if (timeout > 0) { ++ memset(&out, 0, sizeof(out)); ++ out.tv_sec = timeout / 1000000; ++ out.tv_usec = timeout % 1000000; ++ ret = setsockopt(fd, SOL_SOCKET, SO_RCVTIMEO, ++ (const void *)&out, sizeof(out)); ++ if (ret < 0) { ++ ERROR("Failed to set %u timeout on containter " ++ "state socket", timeout); ++ goto out; ++ } ++ } ++ + ret = recvmsg(fd, &msg, 0); + if (ret <= 0) + goto out; +@@ -238,6 +253,12 @@ out: + return ret; + } + ++int lxc_abstract_unix_recv_fds(int fd, int *recvfds, int num_recvfds, ++ void *data, size_t size) ++{ ++ return lxc_abstract_unix_recv_fds_timeout(fd, recvfds, num_recvfds, data, size, 0); ++} ++ + int lxc_abstract_unix_send_credential(int fd, void *data, size_t size) + { + struct msghdr msg = {0}; +diff --git a/src/lxc/af_unix.h b/src/lxc/af_unix.h +index f2c2fdc..74fd77f 100644 +--- a/src/lxc/af_unix.h ++++ b/src/lxc/af_unix.h +@@ -37,5 +37,7 @@ extern int lxc_abstract_unix_recv_fds(int fd, int *recvfds, int num_recvfds, + void *data, size_t size); + extern int lxc_abstract_unix_send_credential(int fd, void *data, size_t size); + extern int lxc_abstract_unix_rcv_credential(int fd, void *data, size_t size); ++extern int lxc_abstract_unix_recv_fds_timeout(int fd, int *recvfds, int num_recvfds, ++ void *data, size_t size, unsigned int timeout); + + #endif /* __LXC_AF_UNIX_H */ +diff --git a/src/lxc/commands.c b/src/lxc/commands.c +index 133384d..47a824a 100644 +--- a/src/lxc/commands.c ++++ b/src/lxc/commands.c +@@ -126,13 +126,16 @@ static int lxc_cmd_rsp_recv(int sock, struct lxc_cmd_rr *cmd) + int ret, rspfd; + struct lxc_cmd_rsp *rsp = &cmd->rsp; + +- ret = lxc_abstract_unix_recv_fds(sock, &rspfd, 1, rsp, sizeof(*rsp)); ++ /*isulad: add timeout 200ms to avoid long block due to [lxc monitor] error*/ ++ ret = lxc_abstract_unix_recv_fds_timeout(sock, &rspfd, 1, rsp, sizeof(*rsp), 200 * 1000); + if (ret < 0) { + SYSWARN("Failed to receive response for command \"%s\"", + lxc_cmd_str(cmd->req.cmd)); + +- if (errno == ECONNRESET) ++ if (errno == ECONNRESET || errno == EAGAIN || errno == EWOULDBLOCK) { ++ errno = ECONNRESET; /*isulad set errno ECONNRESET when timeout */ + return -1; ++ } + + return -1; + } +-- +1.8.3.1 + diff --git a/0041-return-1-when-_lxc_start-fails.patch b/0041-return-1-when-_lxc_start-fails.patch new file mode 100644 index 0000000..ad6c1e0 --- /dev/null +++ b/0041-return-1-when-_lxc_start-fails.patch @@ -0,0 +1,25 @@ +From ea7fe5755309e9054ac06542b8fc0abb25039b7e Mon Sep 17 00:00:00 2001 +From: LiFeng +Date: Wed, 16 Jan 2019 05:53:36 -0500 +Subject: [PATCH 041/122] return -1 when _lxc_start fails + +Signed-off-by: LiFeng +--- + src/lxc/start.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/src/lxc/start.c b/src/lxc/start.c +index 3e6854f..7bbcb00 100644 +--- a/src/lxc/start.c ++++ b/src/lxc/start.c +@@ -2175,6 +2175,7 @@ int __lxc_start(const char *name, struct lxc_handler *handler, + + if (!handler->init_died && handler->pid > 0) { + ERROR("Child process is not killed"); ++ ret = -1; + goto out_abort; + } + +-- +1.8.3.1 + diff --git a/0042-lxc-seccomp-adopt-to-lxc3.0.patch b/0042-lxc-seccomp-adopt-to-lxc3.0.patch new file mode 100644 index 0000000..1f2989c --- /dev/null +++ b/0042-lxc-seccomp-adopt-to-lxc3.0.patch @@ -0,0 +1,169 @@ +From 6beb5e3a4afe7fede796fc547a29c6175512f024 Mon Sep 17 00:00:00 2001 +From: tanyifeng +Date: Thu, 17 Jan 2019 03:09:00 +0800 +Subject: [PATCH 042/122] lxc: seccomp adopt to lxc3.0 + +Signed-off-by: LiFeng +--- + src/lxc/seccomp.c | 127 ++++++++++++++++++++++++++++-------------------------- + 1 file changed, 65 insertions(+), 62 deletions(-) + +diff --git a/src/lxc/seccomp.c b/src/lxc/seccomp.c +index 1e14be1..27bdc22 100644 +--- a/src/lxc/seccomp.c ++++ b/src/lxc/seccomp.c +@@ -936,86 +936,89 @@ static int parse_config_v2(FILE *f, char *line, size_t *line_bufsz, struct lxc_c + SCMP_ARCH_NATIVE, line, rule.action, + get_action_name(rule.action)); + +- if (ctx.architectures[0] != SCMP_ARCH_NATIVE) { +- if (!do_resolve_add_rule(ctx.architectures[0], line, +- ctx.contexts[0], &rule)) +- goto bad_rule; +- +- INFO("Added compat rule for arch %d for %s action %d(%s)", +- ctx.architectures[0], line, rule.action, +- get_action_name(rule.action)); +- } ++ if (cur_rule_arch == lxc_seccomp_arch_all) { ++ if (ctx.architectures[0] != SCMP_ARCH_NATIVE) { ++ if (!do_resolve_add_rule(ctx.architectures[0], line, ++ ctx.contexts[0], &rule)) ++ goto bad_rule; ++ ++ INFO("Added compat rule for arch %d for %s action %d(%s)", ++ ctx.architectures[0], line, rule.action, ++ get_action_name(rule.action)); ++ } + +- if (ctx.architectures[1] != SCMP_ARCH_NATIVE) { +- if (!do_resolve_add_rule(ctx.architectures[1], line, +- ctx.contexts[1], &rule)) +- goto bad_rule; ++ if (ctx.architectures[1] != SCMP_ARCH_NATIVE) { ++ if (!do_resolve_add_rule(ctx.architectures[1], line, ++ ctx.contexts[1], &rule)) ++ goto bad_rule; + +- INFO("Added compat rule for arch %d for %s action %d(%s)", +- ctx.architectures[1], line, rule.action, +- get_action_name(rule.action)); +- } ++ INFO("Added compat rule for arch %d for %s action %d(%s)", ++ ctx.architectures[1], line, rule.action, ++ get_action_name(rule.action)); ++ } + +- if (ctx.architectures[2] != SCMP_ARCH_NATIVE) { +- if (!do_resolve_add_rule(ctx.architectures[2], line, ++ if (ctx.architectures[2] != SCMP_ARCH_NATIVE) { ++ if (!do_resolve_add_rule(ctx.architectures[2], line, + ctx.contexts[2], &rule)) +- goto bad_rule; ++ goto bad_rule; + +- INFO("Added native rule for arch %d for %s action %d(%s)", +- ctx.architectures[2], line, rule.action, +- get_action_name(rule.action)); ++ INFO("Added native rule for arch %d for %s action %d(%s)", ++ ctx.architectures[2], line, rule.action, ++ get_action_name(rule.action)); ++ } + } + } + +- INFO("Merging compat seccomp contexts into main context"); +- if (ctx.contexts[0]) { +- if (ctx.needs_merge[0]) { +- ret = seccomp_merge(conf->seccomp_ctx, ctx.contexts[0]); +- if (ret < 0) { +- ERROR("Failed to merge first compat seccomp " ++ if (cur_rule_arch == lxc_seccomp_arch_all) { ++ INFO("Merging compat seccomp contexts into main context"); ++ if (ctx.contexts[0]) { ++ if (ctx.needs_merge[0]) { ++ ret = seccomp_merge(conf->seccomp_ctx, ctx.contexts[0]); ++ if (ret < 0) { ++ ERROR("Failed to merge first compat seccomp " + "context into main context"); +- goto bad; +- } ++ goto bad; ++ } + +- TRACE("Merged first compat seccomp context into main context"); +- } else { +- seccomp_release(ctx.contexts[0]); +- ctx.contexts[0] = NULL; ++ TRACE("Merged first compat seccomp context into main context"); ++ } else { ++ seccomp_release(ctx.contexts[0]); ++ ctx.contexts[0] = NULL; ++ } + } +- } + +- if (ctx.contexts[1]) { +- if (ctx.needs_merge[1]) { +- ret = seccomp_merge(conf->seccomp_ctx, ctx.contexts[1]); +- if (ret < 0) { +- ERROR("Failed to merge first compat seccomp " +- "context into main context"); +- goto bad; +- } ++ if (ctx.contexts[1]) { ++ if (ctx.needs_merge[1]) { ++ ret = seccomp_merge(conf->seccomp_ctx, ctx.contexts[1]); ++ if (ret < 0) { ++ ERROR("Failed to merge first compat seccomp " ++ "context into main context"); ++ goto bad; ++ } + +- TRACE("Merged second compat seccomp context into main context"); +- } else { +- seccomp_release(ctx.contexts[1]); +- ctx.contexts[1] = NULL; ++ TRACE("Merged second compat seccomp context into main context"); ++ } else { ++ seccomp_release(ctx.contexts[1]); ++ ctx.contexts[1] = NULL; ++ } + } +- } + +- if (ctx.contexts[2]) { +- if (ctx.needs_merge[2]) { +- ret = seccomp_merge(conf->seccomp_ctx, ctx.contexts[2]); +- if (ret < 0) { +- ERROR("Failed to merge third compat seccomp " +- "context into main context"); +- goto bad; +- } ++ if (ctx.contexts[2]) { ++ if (ctx.needs_merge[2]) { ++ ret = seccomp_merge(conf->seccomp_ctx, ctx.contexts[2]); ++ if (ret < 0) { ++ ERROR("Failed to merge third compat seccomp " ++ "context into main context"); ++ goto bad; ++ } + +- TRACE("Merged third compat seccomp context into main context"); +- } else { +- seccomp_release(ctx.contexts[2]); +- ctx.contexts[2] = NULL; ++ TRACE("Merged third compat seccomp context into main context"); ++ } else { ++ seccomp_release(ctx.contexts[2]); ++ ctx.contexts[2] = NULL; ++ } + } + } +- + free(line); + return 0; + +-- +1.8.3.1 + diff --git a/0043-check-null-pointer-of-handler-to-fix-coredump-of-att.patch b/0043-check-null-pointer-of-handler-to-fix-coredump-of-att.patch new file mode 100644 index 0000000..e34ca7b --- /dev/null +++ b/0043-check-null-pointer-of-handler-to-fix-coredump-of-att.patch @@ -0,0 +1,28 @@ +From 7be24baf1379d45651d10f63cb7e1cb59bdc733c Mon Sep 17 00:00:00 2001 +From: tanyifeng +Date: Thu, 17 Jan 2019 10:19:37 +0800 +Subject: [PATCH 043/122] check null pointer of handler to fix coredump of + attach + +Signed-off-by: tanyifeng +Signed-off-by: LiFeng +--- + src/lxc/cgroups/cgroup.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/lxc/cgroups/cgroup.c b/src/lxc/cgroups/cgroup.c +index 7442c31..720a6c9 100644 +--- a/src/lxc/cgroups/cgroup.c ++++ b/src/lxc/cgroups/cgroup.c +@@ -44,7 +44,7 @@ struct cgroup_ops *cgroup_init(struct lxc_handler *handler) + { + struct cgroup_ops *cgroup_ops; + +- cgroup_ops = cgfsng_ops_init(handler->conf->errpipe[1]); ++ cgroup_ops = cgfsng_ops_init(handler ? handler->conf->errpipe[1] : -1); + if (!cgroup_ops) { + ERROR("Failed to initialize cgroup driver"); + return NULL; +-- +1.8.3.1 + diff --git a/0044-support-space-in-volume-mount-and-env.patch b/0044-support-space-in-volume-mount-and-env.patch new file mode 100644 index 0000000..7fe8a48 --- /dev/null +++ b/0044-support-space-in-volume-mount-and-env.patch @@ -0,0 +1,118 @@ +From baabb2596394fecf89c610e2473d8b930595f3aa Mon Sep 17 00:00:00 2001 +From: tanyifeng +Date: Thu, 17 Jan 2019 10:18:23 +0800 +Subject: [PATCH 044/122] support space in --volume, --mount and --env + +Signed-off-by: tanyifeng +Signed-off-by: LiFeng +--- + src/lxc/conf.c | 16 ++++++++++++++++ + src/lxc/confile.c | 9 ++++++++- + src/lxc/namespace.h | 1 + + src/lxc/utils.h | 3 +++ + 4 files changed, 28 insertions(+), 1 deletion(-) + +diff --git a/src/lxc/conf.c b/src/lxc/conf.c +index 8fa63f7..48e31af 100644 +--- a/src/lxc/conf.c ++++ b/src/lxc/conf.c +@@ -54,6 +54,7 @@ + #include + #include + #include ++#include + + #include "af_unix.h" + #include "caps.h" +@@ -2695,6 +2696,19 @@ static int mount_file_entries(const struct lxc_conf *conf, + int ret = -1; + + while (getmntent_r(file, &mntent, buf, sizeof(buf))) { ++ /* Note: Workaround for volume file path with space*/ ++ mntent.mnt_fsname = lxc_string_replace(SPACE_MAGIC_STR, " ", mntent.mnt_fsname); ++ if(!mntent.mnt_fsname) { ++ SYSERROR("memory allocation error"); ++ return -1; ++ } ++ mntent.mnt_dir = lxc_string_replace(SPACE_MAGIC_STR, " ", mntent.mnt_dir); ++ if(!mntent.mnt_dir) { ++ SYSERROR("memory allocation error"); ++ free(mntent.mnt_fsname); ++ return -1; ++ } ++ ERROR("mntent.mnt_fsname:%s, mntent.mnt_dir:%s", mntent.mnt_fsname, mntent.mnt_dir); + if (!rootfs->path) + ret = mount_entry_on_systemfs(&mntent); + else if (mntent.mnt_dir[0] != '/') +@@ -2703,6 +2717,8 @@ static int mount_file_entries(const struct lxc_conf *conf, + else + ret = mount_entry_on_absolute_rootfs(&mntent, rootfs, + lxc_name, lxc_path); ++ free(mntent.mnt_fsname); ++ free(mntent.mnt_dir); + if (ret < 0) + return -1; + } +diff --git a/src/lxc/confile.c b/src/lxc/confile.c +index db63b55..7e9d5c8 100644 +--- a/src/lxc/confile.c ++++ b/src/lxc/confile.c +@@ -1036,6 +1036,7 @@ static int set_config_environment(const char *key, const char *value, + struct lxc_conf *lxc_conf, void *data) + { + struct lxc_list *list_item = NULL; ++ char *replaced; + + if (lxc_config_value_empty(value)) + return lxc_clear_environment(lxc_conf); +@@ -1044,7 +1045,12 @@ static int set_config_environment(const char *key, const char *value, + if (!list_item) + goto on_error; + +- list_item->elem = strdup(value); ++ /* isulad: recover space replaced by SPACE_MAGIC_STR */ ++ replaced = lxc_string_replace(SPACE_MAGIC_STR, " ", value); ++ if(!replaced) ++ goto on_error; ++ ++ list_item->elem = replaced; + + if (!list_item->elem) + goto on_error; +@@ -3661,6 +3667,7 @@ static int get_config_environment(const char *key, char *retv, int inlen, + memset(retv, 0, inlen); + + lxc_list_for_each(it, &c->environment) { ++ + strprint(retv, inlen, "%s\n", (char *)it->elem); + } + +diff --git a/src/lxc/namespace.h b/src/lxc/namespace.h +index ab583da..9caaf89 100644 +--- a/src/lxc/namespace.h ++++ b/src/lxc/namespace.h +@@ -26,6 +26,7 @@ + #include + #include + #include ++#include + + #ifndef CLONE_PARENT_SETTID + #define CLONE_PARENT_SETTID 0x00100000 +diff --git a/src/lxc/utils.h b/src/lxc/utils.h +index 4313942..73ffdd9 100644 +--- a/src/lxc/utils.h ++++ b/src/lxc/utils.h +@@ -43,6 +43,9 @@ + #include "raw_syscalls.h" + #include "string_utils.h" + ++/* isulad: replace space with SPACE_MAGIC_STR */ ++#define SPACE_MAGIC_STR "[#)" ++ + /* returns 1 on success, 0 if there were any failures */ + extern int lxc_rmdir_onedev(const char *path, const char *exclude); + extern int get_u16(unsigned short *val, const char *arg, int base); +-- +1.8.3.1 + diff --git a/0045-add_terminal_fifos-Add-terminal-fifos-dynamically.patch b/0045-add_terminal_fifos-Add-terminal-fifos-dynamically.patch new file mode 100644 index 0000000..2cbfe24 --- /dev/null +++ b/0045-add_terminal_fifos-Add-terminal-fifos-dynamically.patch @@ -0,0 +1,254 @@ +From 698f04aa780eed16e70f96f3405596e98f3828a2 Mon Sep 17 00:00:00 2001 +From: LiFeng +Date: Thu, 17 Jan 2019 02:18:14 -0500 +Subject: [PATCH 045/122] add_terminal_fifos: Add terminal fifos dynamically + +Signed-off-by: LiFeng +--- + src/lxc/commands.c | 62 ++++++++++++++++++++++++++++++++++++++++++++++++++ + src/lxc/commands.h | 4 ++++ + src/lxc/lxccontainer.c | 24 +++++++++++++++++++ + src/lxc/lxccontainer.h | 10 ++++++++ + src/lxc/terminal.c | 47 ++++++++++++++++++++++++++++++++++++++ + src/lxc/terminal.h | 1 + + 6 files changed, 148 insertions(+) + +diff --git a/src/lxc/commands.c b/src/lxc/commands.c +index 47a824a..46b2805 100644 +--- a/src/lxc/commands.c ++++ b/src/lxc/commands.c +@@ -96,6 +96,7 @@ static const char *lxc_cmd_str(lxc_cmd_t cmd) + [LXC_CMD_ADD_STATE_CLIENT] = "add_state_client", + [LXC_CMD_CONSOLE_LOG] = "console_log", + [LXC_CMD_SERVE_STATE_CLIENTS] = "serve_state_clients", ++ [LXC_CMD_SET_TERMINAL_FIFOS] = "set_terminal_fifos", + }; + + if (cmd >= LXC_CMD_MAX) +@@ -1056,6 +1057,66 @@ reap_client_fd: + return 1; + } + ++/* ++ * isulad: lxc_cmd_set_terminal_fifos: Set the fifos used for the container as terminal input/output ++ * ++ * @hashed_sock_name: hashed socket name ++ * ++ * Returns 0 when success, else when fail. ++ */ ++int lxc_cmd_set_terminal_fifos(const char *name, const char *lxcpath, const char *in_fifo, const char *out_fifo) ++{ ++ int ret = 0, stopped = 0; ++ int len = 0; ++ char *tmp = NULL; ++ ++ if (!in_fifo || !out_fifo) { ++ return -1; ++ } ++ ++ len = strlen(in_fifo) + strlen("&&&&") + strlen(out_fifo) + 1; ++ tmp = malloc(len); ++ if (!tmp) ++ return -1; ++ snprintf(tmp, len, "%s%s%s", in_fifo, "&&&&", out_fifo); ++ ++ struct lxc_cmd_rr cmd = { ++ .req = { ++ .cmd = LXC_CMD_SET_TERMINAL_FIFOS, ++ .datalen = strlen(tmp)+1, ++ .data = tmp, ++ }, ++ }; ++ ++ ret = lxc_cmd(name, &cmd, &stopped, lxcpath, NULL); ++ if (ret < 0) { ++ ERROR("Failed to send command to container"); ++ free(tmp); ++ return -1; ++ } ++ ++ if (cmd.rsp.ret != 0) { ++ ERROR("Command response error:%d", cmd.rsp.ret); ++ free(tmp); ++ return -1; ++ } ++ ++ free(tmp); ++ return 0; ++} ++ ++static int lxc_cmd_set_terminal_fifos_callback(int fd, struct lxc_cmd_req *req, ++ struct lxc_handler *handler) ++{ ++ struct lxc_cmd_rsp rsp; ++ memset(&rsp, 0, sizeof(rsp)); ++ ++ rsp.ret = lxc_terminal_add_fifos(handler->conf, req->data);; ++ ++ return lxc_cmd_rsp_send(fd, &rsp); ++ ++} ++ + static int lxc_cmd_process(int fd, struct lxc_cmd_req *req, + struct lxc_handler *handler) + { +@@ -1075,6 +1136,7 @@ static int lxc_cmd_process(int fd, struct lxc_cmd_req *req, + [LXC_CMD_ADD_STATE_CLIENT] = lxc_cmd_add_state_client_callback, + [LXC_CMD_CONSOLE_LOG] = lxc_cmd_console_log_callback, + [LXC_CMD_SERVE_STATE_CLIENTS] = lxc_cmd_serve_state_clients_callback, ++ [LXC_CMD_SET_TERMINAL_FIFOS] = lxc_cmd_set_terminal_fifos_callback, + }; + + if (req->cmd >= LXC_CMD_MAX) { +diff --git a/src/lxc/commands.h b/src/lxc/commands.h +index 2c024b6..0c64544 100644 +--- a/src/lxc/commands.h ++++ b/src/lxc/commands.h +@@ -46,6 +46,7 @@ typedef enum { + LXC_CMD_ADD_STATE_CLIENT, + LXC_CMD_CONSOLE_LOG, + LXC_CMD_SERVE_STATE_CLIENTS, ++ LXC_CMD_SET_TERMINAL_FIFOS, + LXC_CMD_MAX, + } lxc_cmd_t; + +@@ -125,4 +126,7 @@ extern int lxc_try_cmd(const char *name, const char *lxcpath); + extern int lxc_cmd_console_log(const char *name, const char *lxcpath, + struct lxc_console_log *log); + ++extern int lxc_cmd_set_terminal_fifos(const char *name, const char *lxcpath, ++ const char *in_fifo, const char *out_fifo); ++ + #endif /* __commands_h */ +diff --git a/src/lxc/lxccontainer.c b/src/lxc/lxccontainer.c +index d641851..bfbf223 100644 +--- a/src/lxc/lxccontainer.c ++++ b/src/lxc/lxccontainer.c +@@ -5164,6 +5164,29 @@ static bool do_lxcapi_clean_container_resource(struct lxc_container *c, pid_t pi + + WRAP_API_1(bool, lxcapi_clean_container_resource, pid_t) + ++/* isulad add clean resources */ ++static bool do_lxcapi_add_terminal_fifo(struct lxc_container *c, const char *in_fifo, const char *out_fifo) ++{ ++ bool ret = true; ++ ++ if (!c || !c->lxc_conf || !in_fifo || !out_fifo) ++ return false; ++ if (container_mem_lock(c)) { ++ ERROR("Error getting mem lock"); ++ return false; ++ } ++ ++ if (lxc_cmd_set_terminal_fifos(c->name, c->config_path, in_fifo, out_fifo)) { ++ ERROR("Error set console fifos"); ++ ret = false; ++ } ++ ++ container_mem_unlock(c); ++ return ret; ++} ++ ++WRAP_API_2(bool, lxcapi_add_terminal_fifo, const char *, const char *) ++ + static struct lxc_container *do_lxc_container_new(const char *name, const char *configpath, bool load_config) + { + struct lxc_container *c; +@@ -5299,6 +5322,7 @@ static struct lxc_container *do_lxc_container_new(const char *name, const char * + c->set_container_info_file = lxcapi_set_container_info_file; + c->set_start_timeout = lxcapi_set_start_timeout; + c->clean_container_resource = lxcapi_clean_container_resource; ++ c->add_terminal_fifos = lxcapi_add_terminal_fifo; + /* isulad add end */ + return c; + +diff --git a/src/lxc/lxccontainer.h b/src/lxc/lxccontainer.h +index a00e0ec..c1d83ba 100644 +--- a/src/lxc/lxccontainer.h ++++ b/src/lxc/lxccontainer.h +@@ -878,6 +878,16 @@ struct lxc_container { + bool (*set_terminal_init_fifos)(struct lxc_container *c, const char *in, const char *out); + + /*! isulad add ++ * \brief An API call to add the path of terminal fifos ++ * ++ * \param c Container. ++ * \param path Value of the console path.. ++ * ++ * \return \c true on success, else \c false. ++ */ ++ bool (*add_terminal_fifos)(struct lxc_container *c, const char *in, const char *out); ++ ++ /*! isulad add + * \brief An API call to set the path of info file + * + * \param c Container. +diff --git a/src/lxc/terminal.c b/src/lxc/terminal.c +index ee3aef2..a33830d 100644 +--- a/src/lxc/terminal.c ++++ b/src/lxc/terminal.c +@@ -1473,3 +1473,50 @@ int lxc_terminal_map_ids(struct lxc_conf *c, struct lxc_terminal *terminal) + + return 0; + } ++ ++/* isulad: add fifos dynamic*/ ++int lxc_terminal_add_fifos(struct lxc_conf *conf, const char *fifonames) ++{ ++ int ret = 0; ++ struct lxc_terminal *terminal = &conf->console; ++ int fifofd_in = -1; ++ char *tmp = NULL, *saveptr = NULL, *in = NULL, *out = NULL; ++ ++ tmp = strdup(fifonames); ++ if (!tmp) { ++ ret = -1; ++ goto free_out; ++ } ++ ++ in = strtok_r(tmp, "&&&&", &saveptr); ++ if (!in) { ++ ret = -1; ++ goto free_out; ++ } ++ out = strtok_r(NULL, "&&&&", &saveptr); ++ if (!out) { ++ ret = -1; ++ goto free_out; ++ } ++ ++ fifofd_in = lxc_terminal_set_fifo(terminal, in, out); ++ if (fifofd_in < 0) { ++ ERROR("Faild to set fifos to console config"); ++ ret = -1; ++ goto free_out; ++ } ++ ++ if (lxc_mainloop_add_handler(terminal->descr, fifofd_in, ++ lxc_terminal_io_cb, terminal)) { ++ ERROR("console fifo not added to mainloop"); ++ lxc_terminal_delete_fifo(fifofd_in, &terminal->fifos); ++ ret = -1; ++ goto free_out; ++ } ++ ++free_out: ++ if (tmp) ++ free(tmp); ++ return ret; ++} ++ +diff --git a/src/lxc/terminal.h b/src/lxc/terminal.h +index d25da65..d006b80 100644 +--- a/src/lxc/terminal.h ++++ b/src/lxc/terminal.h +@@ -310,5 +310,6 @@ extern int lxc_terminal_map_ids(struct lxc_conf *c, + static bool lxc_terminal_is_fifo(int fd, struct lxc_list *list); + /* isulad: if fd == -1, means delete all the fifos*/ + int lxc_terminal_delete_fifo(int fd, struct lxc_list *list); ++int lxc_terminal_add_fifos(struct lxc_conf *conf, const char *fifonames); + + #endif /* __LXC_TERMINAL_H */ +-- +1.8.3.1 + diff --git a/0046-Do-not-test-cgroup-writeable.patch b/0046-Do-not-test-cgroup-writeable.patch new file mode 100644 index 0000000..b2bb987 --- /dev/null +++ b/0046-Do-not-test-cgroup-writeable.patch @@ -0,0 +1,48 @@ +From 623f6fbd09a7694546ca7c57a564d984261c4f82 Mon Sep 17 00:00:00 2001 +From: LiFeng +Date: Thu, 17 Jan 2019 03:49:16 -0500 +Subject: [PATCH 046/122] Do not test cgroup writeable + +If we run isulad in docker without cgroup namespace, the base_cgroup will be docker/XXX.., +mountpoint+base_cgroup may be not exist + +Signed-off-by: LiFeng +--- + src/lxc/cgroups/cgfsng.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +diff --git a/src/lxc/cgroups/cgfsng.c b/src/lxc/cgroups/cgfsng.c +index 47b12a6..6bfa693 100644 +--- a/src/lxc/cgroups/cgfsng.c ++++ b/src/lxc/cgroups/cgfsng.c +@@ -581,7 +581,7 @@ static bool cg_legacy_handle_cpuset_hierarchy(struct hierarchy *h, char *cgname) + if (slash) + *slash = '/'; + +- ret = mkdir(cgpath, 0755); ++ ret = mkdir_p(cgpath, 0755); + if (ret < 0) { + if (errno != EEXIST) { + SYSERROR("Failed to create directory \"%s\"", cgpath); +@@ -2489,13 +2489,17 @@ static bool cg_hybrid_init(struct cgroup_ops *ops) + + trim(base_cgroup); + prune_init_scope(base_cgroup); ++ ++ /* isulad: ++ * do not test writeable, if we run isulad in docker without cgroup namespace. ++ * the base_cgroup will be docker/XXX.., mountpoint+base_cgroup may be not exist + if (type == CGROUP2_SUPER_MAGIC) + writeable = test_writeable_v2(mountpoint, base_cgroup); + else + writeable = test_writeable_v1(mountpoint, base_cgroup); + if (!writeable) + goto next; +- ++ */ + if (type == CGROUP2_SUPER_MAGIC) { + char *cgv2_ctrl_path; + +-- +1.8.3.1 + diff --git a/0047-Fix-memory-leak-in-lxc_global_config_value.patch b/0047-Fix-memory-leak-in-lxc_global_config_value.patch new file mode 100644 index 0000000..8d169c4 --- /dev/null +++ b/0047-Fix-memory-leak-in-lxc_global_config_value.patch @@ -0,0 +1,44 @@ +From ec20a5a0e68d0b70ec0014d3f34385cdd3c44370 Mon Sep 17 00:00:00 2001 +From: LiFeng +Date: Thu, 17 Jan 2019 07:43:23 -0500 +Subject: [PATCH 047/122] Fix memory leak in lxc_global_config_value + +Signed-off-by: LiFeng +--- + src/lxc/cgroups/cgroup.c | 2 ++ + src/lxc/initutils.c | 5 ----- + 2 files changed, 2 insertions(+), 5 deletions(-) + +diff --git a/src/lxc/cgroups/cgroup.c b/src/lxc/cgroups/cgroup.c +index 720a6c9..8d559be 100644 +--- a/src/lxc/cgroups/cgroup.c ++++ b/src/lxc/cgroups/cgroup.c +@@ -95,6 +95,8 @@ void cgroup_exit(struct cgroup_ops *ops) + } + free(ops->hierarchies); + ++ free(ops); ++ + return; + } + +diff --git a/src/lxc/initutils.c b/src/lxc/initutils.c +index 09b521e..60147a5 100644 +--- a/src/lxc/initutils.c ++++ b/src/lxc/initutils.c +@@ -74,12 +74,7 @@ const char *lxc_global_config_value(const char *option_name) + { NULL, NULL }, + }; + +- /* placed in the thread local storage pool for non-bionic targets */ +-#ifdef HAVE_TLS +- static thread_local const char *values[sizeof(options) / sizeof(options[0])] = {0}; +-#else + static const char *values[sizeof(options) / sizeof(options[0])] = {0}; +-#endif + + /* user_config_path is freed as soon as it is used */ + char *user_config_path = NULL; +-- +1.8.3.1 + diff --git a/0048-clear-ONLCR-flag-from-master-of-terminal.patch b/0048-clear-ONLCR-flag-from-master-of-terminal.patch new file mode 100644 index 0000000..753971d --- /dev/null +++ b/0048-clear-ONLCR-flag-from-master-of-terminal.patch @@ -0,0 +1,59 @@ +From 26125894df9e3297f34c02d62ae5271b5ec88348 Mon Sep 17 00:00:00 2001 +From: liuhao +Date: Thu, 17 Jan 2019 20:46:33 +0800 +Subject: [PATCH 048/122] clear ONLCR flag from master of terminal + +clear ONLCR flag from master of terminal + +Signed-off-by: liuhao +Signed-off-by: LiFeng +--- + src/lxc/terminal.c | 25 +++++++++++++++++++++++++ + 1 file changed, 25 insertions(+) + +diff --git a/src/lxc/terminal.c b/src/lxc/terminal.c +index a33830d..95140e0 100644 +--- a/src/lxc/terminal.c ++++ b/src/lxc/terminal.c +@@ -1066,6 +1066,24 @@ static int lxc_terminal_fifo_default(struct lxc_terminal *terminal) + return lxc_terminal_set_fifo(terminal, terminal->init_fifo[0], terminal->init_fifo[1]); + } + ++/* ++ * isulad: disable (XSI) Map NL to CR-NL on output. ++ * */ ++static int use_unix_newline(int master_fd) ++{ ++ struct termios oldtios; ++ int ret; ++ ++ ret = tcgetattr(master_fd, &oldtios); ++ if (ret < 0) ++ return -1; ++ oldtios.c_oflag &= ~ONLCR; ++ ret = tcsetattr(master_fd, TCSAFLUSH, &oldtios); ++ if (ret < 0) ++ return -1; ++ return 0; ++} ++ + int lxc_terminal_create(struct lxc_terminal *terminal) + { + int ret; +@@ -1082,6 +1100,13 @@ int lxc_terminal_create(struct lxc_terminal *terminal) + goto err; + } + ++ /* isulad: clear ONLCR flag */ ++ ret = use_unix_newline(terminal->master); ++ if (ret < 0) { ++ SYSERROR("Failed to clear ONLCR flag on terminal master"); ++ goto err; ++ } ++ + ret = fd_cloexec(terminal->master, true); + if (ret < 0) { + SYSERROR("Failed to set FD_CLOEXEC flag on terminal master"); +-- +1.8.3.1 + diff --git a/0049-Add-100ms-timeout-for-console-epoll.patch b/0049-Add-100ms-timeout-for-console-epoll.patch new file mode 100644 index 0000000..74cd812 --- /dev/null +++ b/0049-Add-100ms-timeout-for-console-epoll.patch @@ -0,0 +1,28 @@ +From 81e84198f02323caabcab2200f2bedf9212a87d7 Mon Sep 17 00:00:00 2001 +From: LiFeng +Date: Sat, 19 Jan 2019 02:05:17 -0500 +Subject: [PATCH 049/122] Add 100ms timeout for console epoll + +add 100ms timeout for console epoll to avoid lose console + +Signed-off-by: LiFeng +--- + src/lxc/start.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/lxc/start.c b/src/lxc/start.c +index 7bbcb00..daf2af4 100644 +--- a/src/lxc/start.c ++++ b/src/lxc/start.c +@@ -643,7 +643,7 @@ int lxc_poll(const char *name, struct lxc_handler *handler) + goto out_mainloop_console; + + if (has_console) +- ret = lxc_mainloop(&descr_console, 0); ++ ret = lxc_mainloop(&descr_console, 100); + + out_mainloop_console: + if (has_console) { +-- +1.8.3.1 + diff --git a/0050-seccomp-add-rules-for-specified-architecture-only.patch b/0050-seccomp-add-rules-for-specified-architecture-only.patch new file mode 100644 index 0000000..16e5eba --- /dev/null +++ b/0050-seccomp-add-rules-for-specified-architecture-only.patch @@ -0,0 +1,408 @@ +From 043d4a1b634a850a201bd835ee59061cbbdbd030 Mon Sep 17 00:00:00 2001 +From: LiFeng +Date: Fri, 18 Jan 2019 02:11:11 -0500 +Subject: [PATCH 050/122] seccomp: add rules for specified architecture only + +LXC MR: https://github.com/lxc/lxc/pull/2786 + +Signed-off-by: LiFeng +--- + src/lxc/seccomp.c | 234 ++++++++++++++++++++++++++++++------------------------ + 1 file changed, 132 insertions(+), 102 deletions(-) + +diff --git a/src/lxc/seccomp.c b/src/lxc/seccomp.c +index 27bdc22..4a9143b 100644 +--- a/src/lxc/seccomp.c ++++ b/src/lxc/seccomp.c +@@ -291,7 +291,7 @@ on_error: + #endif + + #if HAVE_DECL_SECCOMP_SYSCALL_RESOLVE_NAME_ARCH +-enum lxc_hostarch_t { ++enum lxc_arch_t { + lxc_seccomp_arch_all = 0, + lxc_seccomp_arch_native, + lxc_seccomp_arch_i386, +@@ -345,8 +345,8 @@ int get_hostarch(void) + return lxc_seccomp_arch_unknown; + } + +-scmp_filter_ctx get_new_ctx(enum lxc_hostarch_t n_arch, +- uint32_t default_policy_action, bool *needs_merge) ++scmp_filter_ctx get_new_ctx(enum lxc_arch_t n_arch, ++ uint32_t default_policy_action) + { + int ret; + uint32_t arch; +@@ -464,10 +464,7 @@ scmp_filter_ctx get_new_ctx(enum lxc_hostarch_t n_arch, + return NULL; + } + TRACE("Removed native arch from main seccomp context"); +- +- *needs_merge = true; + } else { +- *needs_merge = false; + TRACE("Arch %d already present in main seccomp context", (int)n_arch); + } + +@@ -550,6 +547,27 @@ bool do_resolve_add_rule(uint32_t arch, char *line, scmp_filter_ctx ctx, + return true; + } + ++#define SCMP_ARCH_INDEX_MAX 3 ++ ++struct scmp_ctx_info { ++ uint32_t architectures[SCMP_ARCH_INDEX_MAX]; ++ enum lxc_arch_t lxc_arch[SCMP_ARCH_INDEX_MAX]; ++ scmp_filter_ctx contexts[SCMP_ARCH_INDEX_MAX]; ++ bool needs_merge[SCMP_ARCH_INDEX_MAX]; ++}; ++ ++static int get_arch_index(enum lxc_arch_t arch, struct scmp_ctx_info *ctx) ++{ ++ int i; ++ ++ for (i = 0; i < SCMP_ARCH_INDEX_MAX; i++) { ++ if (ctx->lxc_arch[i] == arch) ++ return i; ++ } ++ ++ return -1; ++} ++ + /* + * v2 consists of + * [x86] +@@ -568,15 +586,11 @@ static int parse_config_v2(FILE *f, char *line, size_t *line_bufsz, struct lxc_c + { + int ret; + char *p; +- enum lxc_hostarch_t cur_rule_arch, native_arch; ++ enum lxc_arch_t cur_rule_arch, native_arch; + bool blacklist = false; + uint32_t default_policy_action = -1, default_rule_action = -1; + struct seccomp_v2_rule rule; +- struct scmp_ctx_info { +- uint32_t architectures[3]; +- scmp_filter_ctx contexts[3]; +- bool needs_merge[3]; +- } ctx; ++ struct scmp_ctx_info ctx; + + if (strncmp(line, "blacklist", 9) == 0) + blacklist = true; +@@ -617,23 +631,23 @@ static int parse_config_v2(FILE *f, char *line, size_t *line_bufsz, struct lxc_c + cur_rule_arch = lxc_seccomp_arch_all; + + ctx.architectures[0] = SCMP_ARCH_X86; ++ ctx.lxc_arch[0] = lxc_seccomp_arch_i386; + ctx.contexts[0] = get_new_ctx(lxc_seccomp_arch_i386, +- default_policy_action, +- &ctx.needs_merge[0]); ++ default_policy_action); + if (!ctx.contexts[0]) + goto bad; + + ctx.architectures[1] = SCMP_ARCH_X32; ++ ctx.lxc_arch[1] = lxc_seccomp_arch_x32; + ctx.contexts[1] = get_new_ctx(lxc_seccomp_arch_x32, +- default_policy_action, +- &ctx.needs_merge[1]); ++ default_policy_action); + if (!ctx.contexts[1]) + goto bad; + + ctx.architectures[2] = SCMP_ARCH_X86_64; ++ ctx.lxc_arch[2] = lxc_seccomp_arch_amd64; + ctx.contexts[2] = get_new_ctx(lxc_seccomp_arch_amd64, +- default_policy_action, +- &ctx.needs_merge[2]); ++ default_policy_action); + if (!ctx.contexts[2]) + goto bad; + #ifdef SCMP_ARCH_PPC +@@ -641,17 +655,17 @@ static int parse_config_v2(FILE *f, char *line, size_t *line_bufsz, struct lxc_c + cur_rule_arch = lxc_seccomp_arch_all; + + ctx.architectures[0] = SCMP_ARCH_PPC; ++ ctx.lxc_arch[0] = lxc_seccomp_arch_ppc; + ctx.contexts[0] = get_new_ctx(lxc_seccomp_arch_ppc, +- default_policy_action, +- &ctx.needs_merge[0]); ++ default_policy_action); + if (!ctx.contexts[0]) + goto bad; + +- ctx.architectures[2] = SCMP_ARCH_PPC64; +- ctx.contexts[2] = get_new_ctx(lxc_seccomp_arch_ppc64, +- default_policy_action, +- &ctx.needs_merge[2]); +- if (!ctx.contexts[2]) ++ ctx.architectures[1] = SCMP_ARCH_PPC64; ++ ctx.lxc_arch[1] = lxc_seccomp_arch_ppc64; ++ ctx.contexts[1] = get_new_ctx(lxc_seccomp_arch_ppc64, ++ default_policy_action); ++ if (!ctx.contexts[1]) + goto bad; + #endif + #ifdef SCMP_ARCH_ARM +@@ -659,18 +673,18 @@ static int parse_config_v2(FILE *f, char *line, size_t *line_bufsz, struct lxc_c + cur_rule_arch = lxc_seccomp_arch_all; + + ctx.architectures[0] = SCMP_ARCH_ARM; ++ ctx.lxc_arch[0] = lxc_seccomp_arch_arm; + ctx.contexts[0] = get_new_ctx(lxc_seccomp_arch_arm, +- default_policy_action, +- &ctx.needs_merge[0]); ++ default_policy_action); + if (!ctx.contexts[0]) + goto bad; + + #ifdef SCMP_ARCH_AARCH64 +- ctx.architectures[2] = SCMP_ARCH_AARCH64; +- ctx.contexts[2] = get_new_ctx(lxc_seccomp_arch_arm64, +- default_policy_action, +- &ctx.needs_merge[2]); +- if (!ctx.contexts[2]) ++ ctx.architectures[1] = SCMP_ARCH_AARCH64; ++ ctx.lxc_arch[1] = lxc_seccomp_arch_arm64; ++ ctx.contexts[1] = get_new_ctx(lxc_seccomp_arch_arm64, ++ default_policy_action); ++ if (!ctx.contexts[1]) + goto bad; + #endif + #endif +@@ -679,46 +693,46 @@ static int parse_config_v2(FILE *f, char *line, size_t *line_bufsz, struct lxc_c + cur_rule_arch = lxc_seccomp_arch_all; + + ctx.architectures[0] = SCMP_ARCH_MIPS; ++ ctx.lxc_arch[0] = lxc_seccomp_arch_mips; + ctx.contexts[0] = get_new_ctx(lxc_seccomp_arch_mips, +- default_policy_action, +- &ctx.needs_merge[0]); ++ default_policy_action); + if (!ctx.contexts[0]) + goto bad; + + ctx.architectures[1] = SCMP_ARCH_MIPS64N32; ++ ctx.lxc_arch[1] = lxc_seccomp_arch_mips64n32; + ctx.contexts[1] = get_new_ctx(lxc_seccomp_arch_mips64n32, +- default_policy_action, +- &ctx.needs_merge[1]); ++ default_policy_action); + if (!ctx.contexts[1]) + goto bad; + + ctx.architectures[2] = SCMP_ARCH_MIPS64; ++ ctx.lxc_arch[2] = lxc_seccomp_arch_mips64; + ctx.contexts[2] = get_new_ctx(lxc_seccomp_arch_mips64, +- default_policy_action, +- &ctx.needs_merge[2]); ++ default_policy_action); + if (!ctx.contexts[2]) + goto bad; + } else if (native_arch == lxc_seccomp_arch_mipsel64) { + cur_rule_arch = lxc_seccomp_arch_all; + + ctx.architectures[0] = SCMP_ARCH_MIPSEL; ++ ctx.lxc_arch[0] = lxc_seccomp_arch_mipsel; + ctx.contexts[0] = get_new_ctx(lxc_seccomp_arch_mipsel, +- default_policy_action, +- &ctx.needs_merge[0]); ++ default_policy_action); + if (!ctx.contexts[0]) + goto bad; + + ctx.architectures[1] = SCMP_ARCH_MIPSEL64N32; ++ ctx.lxc_arch[1] = lxc_seccomp_arch_mipsel64n32; + ctx.contexts[1] = get_new_ctx(lxc_seccomp_arch_mipsel64n32, +- default_policy_action, +- &ctx.needs_merge[1]); ++ default_policy_action); + if (!ctx.contexts[1]) + goto bad; + + ctx.architectures[2] = SCMP_ARCH_MIPSEL64; ++ ctx.lxc_arch[2] = lxc_seccomp_arch_mipsel64; + ctx.contexts[2] = get_new_ctx(lxc_seccomp_arch_mipsel64, +- default_policy_action, +- &ctx.needs_merge[2]); ++ default_policy_action); + if (!ctx.contexts[2]) + goto bad; + #endif +@@ -928,97 +942,113 @@ static int parse_config_v2(FILE *f, char *line, size_t *line_bufsz, struct lxc_c + goto bad_rule; + } + +- if (!do_resolve_add_rule(SCMP_ARCH_NATIVE, line, +- conf->seccomp_ctx, &rule)) +- goto bad_rule; ++ if (cur_rule_arch == native_arch) { ++ if (!do_resolve_add_rule(SCMP_ARCH_NATIVE, line, ++ conf->seccomp_ctx, &rule)) ++ goto bad_rule; ++ ++ INFO("Added native rule for arch %d for %s action %d(%s)", ++ SCMP_ARCH_NATIVE, line, rule.action, ++ get_action_name(rule.action)); ++ } else if (cur_rule_arch != lxc_seccomp_arch_all) { ++ int arch_index = get_arch_index(cur_rule_arch, &ctx); ++ if (arch_index < 0) ++ goto bad_arch; + +- INFO("Added native rule for arch %d for %s action %d(%s)", +- SCMP_ARCH_NATIVE, line, rule.action, +- get_action_name(rule.action)); ++ if (!do_resolve_add_rule(ctx.architectures[arch_index], line, ++ ctx.contexts[arch_index], &rule)) ++ goto bad_rule; + +- if (cur_rule_arch == lxc_seccomp_arch_all) { ++ INFO("Added compat rule for arch %d for %s action %d(%s)", ++ ctx.architectures[arch_index], line, rule.action, ++ get_action_name(rule.action)); ++ ctx.needs_merge[arch_index] = true; ++ } else { + if (ctx.architectures[0] != SCMP_ARCH_NATIVE) { + if (!do_resolve_add_rule(ctx.architectures[0], line, +- ctx.contexts[0], &rule)) ++ ctx.contexts[0], &rule)) + goto bad_rule; + +- INFO("Added compat rule for arch %d for %s action %d(%s)", +- ctx.architectures[0], line, rule.action, +- get_action_name(rule.action)); ++ INFO("Added compat rule for arch %d for %s action %d(%s)", ++ ctx.architectures[0], line, rule.action, ++ get_action_name(rule.action)); ++ ctx.needs_merge[0] = true; + } + + if (ctx.architectures[1] != SCMP_ARCH_NATIVE) { + if (!do_resolve_add_rule(ctx.architectures[1], line, +- ctx.contexts[1], &rule)) ++ ctx.contexts[1], &rule)) + goto bad_rule; + + INFO("Added compat rule for arch %d for %s action %d(%s)", +- ctx.architectures[1], line, rule.action, +- get_action_name(rule.action)); ++ ctx.architectures[1], line, rule.action, ++ get_action_name(rule.action)); ++ ctx.needs_merge[1] = true; + } + + if (ctx.architectures[2] != SCMP_ARCH_NATIVE) { + if (!do_resolve_add_rule(ctx.architectures[2], line, +- ctx.contexts[2], &rule)) ++ ctx.contexts[2], &rule)) + goto bad_rule; + + INFO("Added native rule for arch %d for %s action %d(%s)", +- ctx.architectures[2], line, rule.action, +- get_action_name(rule.action)); ++ ctx.architectures[2], line, rule.action, ++ get_action_name(rule.action)); ++ ctx.needs_merge[2] = true; + } + } +- } + +- if (cur_rule_arch == lxc_seccomp_arch_all) { +- INFO("Merging compat seccomp contexts into main context"); +- if (ctx.contexts[0]) { +- if (ctx.needs_merge[0]) { +- ret = seccomp_merge(conf->seccomp_ctx, ctx.contexts[0]); +- if (ret < 0) { +- ERROR("Failed to merge first compat seccomp " +- "context into main context"); +- goto bad; +- } ++ } + +- TRACE("Merged first compat seccomp context into main context"); +- } else { +- seccomp_release(ctx.contexts[0]); +- ctx.contexts[0] = NULL; ++ INFO("Merging compat seccomp contexts into main context"); ++ if (ctx.contexts[0]) { ++ if (ctx.needs_merge[0]) { ++ ret = seccomp_merge(conf->seccomp_ctx, ctx.contexts[0]); ++ if (ret < 0) { ++ ERROR("%s - Failed to merge first compat seccomp " ++ "context into main context", strerror(-ret)); ++ goto bad; + } +- } + +- if (ctx.contexts[1]) { +- if (ctx.needs_merge[1]) { +- ret = seccomp_merge(conf->seccomp_ctx, ctx.contexts[1]); +- if (ret < 0) { +- ERROR("Failed to merge first compat seccomp " +- "context into main context"); +- goto bad; +- } ++ TRACE("Merged first compat seccomp context into main context"); ++ } else { ++ seccomp_release(ctx.contexts[0]); ++ ctx.contexts[0] = NULL; ++ } ++ } + +- TRACE("Merged second compat seccomp context into main context"); +- } else { +- seccomp_release(ctx.contexts[1]); +- ctx.contexts[1] = NULL; ++ if (ctx.contexts[1]) { ++ if (ctx.needs_merge[1]) { ++ ret = seccomp_merge(conf->seccomp_ctx, ctx.contexts[1]); ++ if (ret < 0) { ++ ERROR("%s - Failed to merge second compat seccomp " ++ "context into main context", strerror(-ret)); ++ goto bad; + } +- } + +- if (ctx.contexts[2]) { +- if (ctx.needs_merge[2]) { +- ret = seccomp_merge(conf->seccomp_ctx, ctx.contexts[2]); +- if (ret < 0) { +- ERROR("Failed to merge third compat seccomp " +- "context into main context"); +- goto bad; +- } ++ TRACE("Merged second compat seccomp context into main context"); ++ } else { ++ seccomp_release(ctx.contexts[1]); ++ ctx.contexts[1] = NULL; ++ } ++ } + +- TRACE("Merged third compat seccomp context into main context"); +- } else { +- seccomp_release(ctx.contexts[2]); +- ctx.contexts[2] = NULL; ++ if (ctx.contexts[2]) { ++ if (ctx.needs_merge[2]) { ++ ret = seccomp_merge(conf->seccomp_ctx, ctx.contexts[2]); ++ if (ret < 0) { ++ ERROR("%s - Failed to merge third compat seccomp " ++ "context into main context", strerror(-ret)); ++ goto bad; + } ++ ++ TRACE("Merged third compat seccomp context into main context"); ++ } else { ++ seccomp_release(ctx.contexts[2]); ++ ctx.contexts[2] = NULL; + } + } ++ + free(line); + return 0; + +-- +1.8.3.1 + diff --git a/0051-if-ocihook-is-empty.patch b/0051-if-ocihook-is-empty.patch new file mode 100644 index 0000000..5af0c61 --- /dev/null +++ b/0051-if-ocihook-is-empty.patch @@ -0,0 +1,34 @@ +From 4fc938241a649307d87700e90dc380651da4c550 Mon Sep 17 00:00:00 2001 +From: liuhao +Date: Tue, 22 Jan 2019 11:25:45 +0800 +Subject: [PATCH 051/122] if ocihook is empty + +return success + +Signed-off-by: liuhao +Signed-off-by: LiFeng +--- + src/lxc/conf.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/src/lxc/conf.c b/src/lxc/conf.c +index 48e31af..6ea8f9c 100644 +--- a/src/lxc/conf.c ++++ b/src/lxc/conf.c +@@ -4782,9 +4782,12 @@ static int run_oci_hooks(const char *name, const char *lxcpath, struct lxc_conf + int ret = 0; + char *rootpath; + +- if (!lc || !lc->ocihooks) { ++ if (!lc) { + return -1; + } ++ if (!lc->ocihooks) { ++ return 0; ++ } + + rootpath = get_root_path(lc->rootfs.path, lc->rootfs.bdev_type); + if (!rootpath) { +-- +1.8.3.1 + diff --git a/0052-Fix-seccomp-fail-when-all-specified-in-config.patch b/0052-Fix-seccomp-fail-when-all-specified-in-config.patch new file mode 100644 index 0000000..d1b9753 --- /dev/null +++ b/0052-Fix-seccomp-fail-when-all-specified-in-config.patch @@ -0,0 +1,192 @@ +From bbefc33a969a7cf0d4f671d96030fb044593a71a Mon Sep 17 00:00:00 2001 +From: LiFeng +Date: Mon, 21 Jan 2019 23:28:43 -0500 +Subject: [PATCH 052/122] Fix seccomp fail when [all] specified in config + +Signed-off-by: LiFeng +--- + src/lxc/seccomp.c | 56 +++++++++++++++++++++++++++---------------------------- + 1 file changed, 28 insertions(+), 28 deletions(-) + +diff --git a/src/lxc/seccomp.c b/src/lxc/seccomp.c +index 4a9143b..3218a60 100644 +--- a/src/lxc/seccomp.c ++++ b/src/lxc/seccomp.c +@@ -346,7 +346,7 @@ int get_hostarch(void) + } + + scmp_filter_ctx get_new_ctx(enum lxc_arch_t n_arch, +- uint32_t default_policy_action) ++ uint32_t default_policy_action, uint32_t *architectures) + { + int ret; + uint32_t arch; +@@ -464,8 +464,10 @@ scmp_filter_ctx get_new_ctx(enum lxc_arch_t n_arch, + return NULL; + } + TRACE("Removed native arch from main seccomp context"); ++ *architectures = arch; + } else { + TRACE("Arch %d already present in main seccomp context", (int)n_arch); ++ *architectures = SCMP_ARCH_NATIVE; + } + + return ctx; +@@ -630,41 +632,36 @@ static int parse_config_v2(FILE *f, char *line, size_t *line_bufsz, struct lxc_c + if (native_arch == lxc_seccomp_arch_amd64) { + cur_rule_arch = lxc_seccomp_arch_all; + +- ctx.architectures[0] = SCMP_ARCH_X86; + ctx.lxc_arch[0] = lxc_seccomp_arch_i386; + ctx.contexts[0] = get_new_ctx(lxc_seccomp_arch_i386, +- default_policy_action); ++ default_policy_action, &ctx.architectures[0]); + if (!ctx.contexts[0]) + goto bad; + +- ctx.architectures[1] = SCMP_ARCH_X32; + ctx.lxc_arch[1] = lxc_seccomp_arch_x32; + ctx.contexts[1] = get_new_ctx(lxc_seccomp_arch_x32, +- default_policy_action); ++ default_policy_action, &ctx.architectures[1]); + if (!ctx.contexts[1]) + goto bad; + +- ctx.architectures[2] = SCMP_ARCH_X86_64; + ctx.lxc_arch[2] = lxc_seccomp_arch_amd64; + ctx.contexts[2] = get_new_ctx(lxc_seccomp_arch_amd64, +- default_policy_action); ++ default_policy_action, &ctx.architectures[2]); + if (!ctx.contexts[2]) + goto bad; + #ifdef SCMP_ARCH_PPC + } else if (native_arch == lxc_seccomp_arch_ppc64) { + cur_rule_arch = lxc_seccomp_arch_all; + +- ctx.architectures[0] = SCMP_ARCH_PPC; + ctx.lxc_arch[0] = lxc_seccomp_arch_ppc; + ctx.contexts[0] = get_new_ctx(lxc_seccomp_arch_ppc, +- default_policy_action); ++ default_policy_action, &ctx.architectures[0]); + if (!ctx.contexts[0]) + goto bad; + +- ctx.architectures[1] = SCMP_ARCH_PPC64; + ctx.lxc_arch[1] = lxc_seccomp_arch_ppc64; + ctx.contexts[1] = get_new_ctx(lxc_seccomp_arch_ppc64, +- default_policy_action); ++ default_policy_action, &ctx.architectures[1]); + if (!ctx.contexts[1]) + goto bad; + #endif +@@ -672,18 +669,16 @@ static int parse_config_v2(FILE *f, char *line, size_t *line_bufsz, struct lxc_c + } else if (native_arch == lxc_seccomp_arch_arm64) { + cur_rule_arch = lxc_seccomp_arch_all; + +- ctx.architectures[0] = SCMP_ARCH_ARM; + ctx.lxc_arch[0] = lxc_seccomp_arch_arm; + ctx.contexts[0] = get_new_ctx(lxc_seccomp_arch_arm, +- default_policy_action); ++ default_policy_action, &ctx.architectures[0]); + if (!ctx.contexts[0]) + goto bad; + + #ifdef SCMP_ARCH_AARCH64 +- ctx.architectures[1] = SCMP_ARCH_AARCH64; + ctx.lxc_arch[1] = lxc_seccomp_arch_arm64; + ctx.contexts[1] = get_new_ctx(lxc_seccomp_arch_arm64, +- default_policy_action); ++ default_policy_action, &ctx.architectures[1]); + if (!ctx.contexts[1]) + goto bad; + #endif +@@ -692,47 +687,41 @@ static int parse_config_v2(FILE *f, char *line, size_t *line_bufsz, struct lxc_c + } else if (native_arch == lxc_seccomp_arch_mips64) { + cur_rule_arch = lxc_seccomp_arch_all; + +- ctx.architectures[0] = SCMP_ARCH_MIPS; + ctx.lxc_arch[0] = lxc_seccomp_arch_mips; + ctx.contexts[0] = get_new_ctx(lxc_seccomp_arch_mips, +- default_policy_action); ++ default_policy_action, &ctx.architectures[0]); + if (!ctx.contexts[0]) + goto bad; + +- ctx.architectures[1] = SCMP_ARCH_MIPS64N32; + ctx.lxc_arch[1] = lxc_seccomp_arch_mips64n32; + ctx.contexts[1] = get_new_ctx(lxc_seccomp_arch_mips64n32, +- default_policy_action); ++ default_policy_action, &ctx.architectures[1]); + if (!ctx.contexts[1]) + goto bad; + +- ctx.architectures[2] = SCMP_ARCH_MIPS64; + ctx.lxc_arch[2] = lxc_seccomp_arch_mips64; + ctx.contexts[2] = get_new_ctx(lxc_seccomp_arch_mips64, +- default_policy_action); ++ default_policy_action, &ctx.architectures[2]); + if (!ctx.contexts[2]) + goto bad; + } else if (native_arch == lxc_seccomp_arch_mipsel64) { + cur_rule_arch = lxc_seccomp_arch_all; +- +- ctx.architectures[0] = SCMP_ARCH_MIPSEL; ++; + ctx.lxc_arch[0] = lxc_seccomp_arch_mipsel; + ctx.contexts[0] = get_new_ctx(lxc_seccomp_arch_mipsel, +- default_policy_action); ++ default_policy_action, &ctx.architectures[0]); + if (!ctx.contexts[0]) + goto bad; + +- ctx.architectures[1] = SCMP_ARCH_MIPSEL64N32; + ctx.lxc_arch[1] = lxc_seccomp_arch_mipsel64n32; + ctx.contexts[1] = get_new_ctx(lxc_seccomp_arch_mipsel64n32, +- default_policy_action); ++ default_policy_action, &ctx.architectures[1]); + if (!ctx.contexts[1]) + goto bad; + +- ctx.architectures[2] = SCMP_ARCH_MIPSEL64; + ctx.lxc_arch[2] = lxc_seccomp_arch_mipsel64; + ctx.contexts[2] = get_new_ctx(lxc_seccomp_arch_mipsel64, +- default_policy_action); ++ default_policy_action, &ctx.architectures[2]); + if (!ctx.contexts[2]) + goto bad; + #endif +@@ -943,6 +932,7 @@ static int parse_config_v2(FILE *f, char *line, size_t *line_bufsz, struct lxc_c + } + + if (cur_rule_arch == native_arch) { ++ /* add for native arch */ + if (!do_resolve_add_rule(SCMP_ARCH_NATIVE, line, + conf->seccomp_ctx, &rule)) + goto bad_rule; +@@ -951,6 +941,7 @@ static int parse_config_v2(FILE *f, char *line, size_t *line_bufsz, struct lxc_c + SCMP_ARCH_NATIVE, line, rule.action, + get_action_name(rule.action)); + } else if (cur_rule_arch != lxc_seccomp_arch_all) { ++ /* add for compat specified arch */ + int arch_index = get_arch_index(cur_rule_arch, &ctx); + if (arch_index < 0) + goto bad_arch; +@@ -964,6 +955,15 @@ static int parse_config_v2(FILE *f, char *line, size_t *line_bufsz, struct lxc_c + get_action_name(rule.action)); + ctx.needs_merge[arch_index] = true; + } else { ++ /* add for all compat archs */ ++ if (!do_resolve_add_rule(SCMP_ARCH_NATIVE, line, ++ conf->seccomp_ctx, &rule)) ++ goto bad_rule; ++ ++ INFO("Added native rule for arch %d for %s action %d(%s)", ++ SCMP_ARCH_NATIVE, line, rule.action, ++ get_action_name(rule.action)); ++ + if (ctx.architectures[0] != SCMP_ARCH_NATIVE) { + if (!do_resolve_add_rule(ctx.architectures[0], line, + ctx.contexts[0], &rule)) +-- +1.8.3.1 + diff --git a/0053-destroy-empty-cgroup-path-return-ture.patch b/0053-destroy-empty-cgroup-path-return-ture.patch new file mode 100644 index 0000000..e54fe32 --- /dev/null +++ b/0053-destroy-empty-cgroup-path-return-ture.patch @@ -0,0 +1,31 @@ +From d1ae3bc538d21355947a1d1695c22690bb9a68ae Mon Sep 17 00:00:00 2001 +From: liuhao +Date: Tue, 22 Jan 2019 14:45:54 +0800 +Subject: [PATCH 053/122] destroy empty cgroup path return ture + +destroy empty cgroup path return ture + +Signed-off-by: liuhao +Signed-off-by: LiFeng +--- + src/lxc/utils.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/src/lxc/utils.c b/src/lxc/utils.c +index c8fb993..24e975b 100644 +--- a/src/lxc/utils.c ++++ b/src/lxc/utils.c +@@ -1776,6 +1776,10 @@ int recursive_destroy(char *dirname) + + dir = opendir(dirname); + if (!dir) { ++ if (errno == ENOENT) { ++ WARN("Destroy path: %s do not exist"); ++ return 0; ++ } + SYSERROR("Failed to open dir \"%s\"", dirname); + return -1; + } +-- +1.8.3.1 + diff --git a/0054-fix-invalid-log-message.patch b/0054-fix-invalid-log-message.patch new file mode 100644 index 0000000..44d1fee --- /dev/null +++ b/0054-fix-invalid-log-message.patch @@ -0,0 +1,42 @@ +From d423289dd6f287b66d62538d9bdedd745a939c50 Mon Sep 17 00:00:00 2001 +From: liuhao +Date: Tue, 22 Jan 2019 20:14:53 +0800 +Subject: [PATCH 054/122] fix invalid log message + +fix invalid log message + +Signed-off-by: liuhao +Signed-off-by: LiFeng +--- + src/lxc/conf.c | 1 - + src/lxc/utils.c | 2 +- + 2 files changed, 1 insertion(+), 2 deletions(-) + +diff --git a/src/lxc/conf.c b/src/lxc/conf.c +index 6ea8f9c..1e403eb 100644 +--- a/src/lxc/conf.c ++++ b/src/lxc/conf.c +@@ -2708,7 +2708,6 @@ static int mount_file_entries(const struct lxc_conf *conf, + free(mntent.mnt_fsname); + return -1; + } +- ERROR("mntent.mnt_fsname:%s, mntent.mnt_dir:%s", mntent.mnt_fsname, mntent.mnt_dir); + if (!rootfs->path) + ret = mount_entry_on_systemfs(&mntent); + else if (mntent.mnt_dir[0] != '/') +diff --git a/src/lxc/utils.c b/src/lxc/utils.c +index 24e975b..4db61c5 100644 +--- a/src/lxc/utils.c ++++ b/src/lxc/utils.c +@@ -1777,7 +1777,7 @@ int recursive_destroy(char *dirname) + dir = opendir(dirname); + if (!dir) { + if (errno == ENOENT) { +- WARN("Destroy path: %s do not exist"); ++ WARN("Destroy path: \"%s\" do not exist", dirname); + return 0; + } + SYSERROR("Failed to open dir \"%s\"", dirname); +-- +1.8.3.1 + diff --git a/0055-Fix-compile-error.patch b/0055-Fix-compile-error.patch new file mode 100644 index 0000000..88d75de --- /dev/null +++ b/0055-Fix-compile-error.patch @@ -0,0 +1,229 @@ +From 9e3eb0c5c5258c6d8e658129ef87ae7ff3ffe64f Mon Sep 17 00:00:00 2001 +From: LiFeng +Date: Thu, 24 Jan 2019 05:14:24 -0500 +Subject: [PATCH 055/122] Fix compile error + +Signed-off-by: LiFeng +--- + src/lxc/cgroups/cgfsng.c | 13 ------------- + src/lxc/conf.c | 8 ++------ + src/lxc/confile.c | 1 - + src/lxc/start.c | 2 -- + src/lxc/terminal.c | 32 ++++++++++++++++---------------- + src/lxc/terminal.h | 3 --- + src/lxc/tools/lxc_attach.c | 2 -- + src/lxc/utils.c | 1 - + 8 files changed, 18 insertions(+), 44 deletions(-) + +diff --git a/src/lxc/cgroups/cgfsng.c b/src/lxc/cgroups/cgfsng.c +index 6bfa693..e513218 100644 +--- a/src/lxc/cgroups/cgfsng.c ++++ b/src/lxc/cgroups/cgfsng.c +@@ -1263,18 +1263,6 @@ static bool create_path_for_hierarchy(struct hierarchy *h, char *cgname, int err + return cg_unified_create_cgroup(h, cgname); + } + +-static void remove_path_for_hierarchy(struct hierarchy *h, char *cgname) +-{ +- int ret; +- +- ret = rmdir(h->container_full_path); +- if (ret < 0) +- SYSERROR("Failed to rmdir(\"%s\") from failed creation attempt", h->container_full_path); +- +- free(h->container_full_path); +- h->container_full_path = NULL; +-} +- + /* isulad: create hierarchies path, if fail, return the error */ + __cgfsng_ops static bool cgfsng_payload_create(struct cgroup_ops *ops, + struct lxc_handler *handler) +@@ -2439,7 +2427,6 @@ static bool cg_hybrid_init(struct cgroup_ops *ops) + + while (getline(&line, &len, f) != -1) { + int type; +- bool writeable; + struct hierarchy *new; + char *base_cgroup = NULL, *mountpoint = NULL; + char **controller_list = NULL; +diff --git a/src/lxc/conf.c b/src/lxc/conf.c +index 1e403eb..4800943 100644 +--- a/src/lxc/conf.c ++++ b/src/lxc/conf.c +@@ -1518,7 +1518,7 @@ error: + // remount_readonly will bind over the top of an existing path and ensure that it is read-only. + static bool remount_readonly(const char *path) + { +- int ret, savederrno, i; ++ int ret, i; + + if (!path) + return true; +@@ -4005,7 +4005,7 @@ static int setup_rootfs_mountopts(const struct lxc_rootfs *rootfs) + if (mntflags & MS_RDONLY) { + mflags = add_required_remount_flags("/", NULL, MS_BIND | MS_REC | mntflags | pflags | MS_REMOUNT); + DEBUG("remounting / as readonly"); +- if (mount("/", "/", NULL, MS_BIND | MS_REMOUNT | MS_RDONLY, 0) < 0) { ++ if (mount("/", "/", NULL, mflags, 0) < 0) { + SYSERROR("Failed to make / readonly."); + return -1; + } +@@ -4776,7 +4776,6 @@ default_out: + static int run_oci_hooks(const char *name, const char *lxcpath, struct lxc_conf *lc, int which, int errfd) + { + struct oci_hook_conf work_conf = {0}; +- oci_runtime_spec_hooks *ocihooks = NULL; + size_t i; + int ret = 0; + char *rootpath; +@@ -4836,7 +4835,6 @@ int run_lxc_hooks(const char *name, char *hookname, struct lxc_conf *conf, + int which = -1; + + if (strcmp(hookname, "oci-prestart") == 0) { +- int ret; + which = OCI_HOOK_PRESTART; + if (!argv || !argv[0]) { + ERROR("oci hook require lxcpath"); +@@ -4844,7 +4842,6 @@ int run_lxc_hooks(const char *name, char *hookname, struct lxc_conf *conf, + } + return run_oci_hooks(name, argv[0], conf, which, conf->errpipe[1]); + } else if (strcmp(hookname, "oci-poststart") == 0) { +- int ret; + which = OCI_HOOK_POSTSTART; + if (!argv || !argv[0]) { + ERROR("oci hook require lxcpath"); +@@ -4852,7 +4849,6 @@ int run_lxc_hooks(const char *name, char *hookname, struct lxc_conf *conf, + } + return run_oci_hooks(name, argv[0], conf, which, conf->errpipe[1]); + } else if (strcmp(hookname, "oci-poststop") == 0) { +- int ret; + which = OCI_HOOK_POSTSTOP; + if (!argv || !argv[0]) { + ERROR("oci hook require lxcpath"); +diff --git a/src/lxc/confile.c b/src/lxc/confile.c +index 7e9d5c8..f66d01b 100644 +--- a/src/lxc/confile.c ++++ b/src/lxc/confile.c +@@ -3909,7 +3909,6 @@ static int get_config_init_args(const char *key, char *retv, int inlen, + struct lxc_conf *c, void *data) + { + int i, len, fulllen = 0; +- struct lxc_list *it; + + if (!retv) + inlen = 0; +diff --git a/src/lxc/start.c b/src/lxc/start.c +index daf2af4..816b4a2 100644 +--- a/src/lxc/start.c ++++ b/src/lxc/start.c +@@ -2470,8 +2470,6 @@ retry: + ret = -1; + } + +- +-out_fini_handler: + lxc_free_handler(handler); + out: + return ret; +diff --git a/src/lxc/terminal.c b/src/lxc/terminal.c +index 95140e0..252a644 100644 +--- a/src/lxc/terminal.c ++++ b/src/lxc/terminal.c +@@ -418,6 +418,21 @@ static void lxc_forward_data_to_fifo(struct lxc_list *list, char *buf, int r) + return; + } + ++/* isulad: judge the fd whether is fifo */ ++static bool lxc_terminal_is_fifo(int fd, struct lxc_list *list) ++{ ++ struct lxc_list *it,*next; ++ struct lxc_fifos_fd *elem = NULL; ++ ++ lxc_list_for_each_safe(it, list, next) { ++ elem = it->elem; ++ if (elem->in_fd == fd) ++ return true; ++ } ++ ++ return false; ++} ++ + int lxc_terminal_io_cb(int fd, uint32_t events, void *data, + struct lxc_epoll_descr *descr) + { +@@ -1067,7 +1082,7 @@ static int lxc_terminal_fifo_default(struct lxc_terminal *terminal) + } + + /* +- * isulad: disable (XSI) Map NL to CR-NL on output. ++ * isulad: disable (XSI) Map NL to CR-NL on output. + * */ + static int use_unix_newline(int master_fd) + { +@@ -1427,21 +1442,6 @@ void lxc_terminal_init(struct lxc_terminal *terminal) + lxc_list_init(&terminal->fifos); + } + +-/* isulad: judge the fd whether is fifo */ +-static bool lxc_terminal_is_fifo(int fd, struct lxc_list *list) +-{ +- struct lxc_list *it,*next; +- struct lxc_fifos_fd *elem = NULL; +- +- lxc_list_for_each_safe(it, list, next) { +- elem = it->elem; +- if (elem->in_fd == fd) +- return true; +- } +- +- return false; +-} +- + /* isulad: if fd == -1, means delete all the fifos*/ + int lxc_terminal_delete_fifo(int fd, struct lxc_list *list) + { +diff --git a/src/lxc/terminal.h b/src/lxc/terminal.h +index d006b80..0c9653c 100644 +--- a/src/lxc/terminal.h ++++ b/src/lxc/terminal.h +@@ -305,9 +305,6 @@ extern void lxc_terminal_info_init(struct lxc_terminal_info *terminal); + extern void lxc_terminal_init(struct lxc_terminal *terminal); + extern int lxc_terminal_map_ids(struct lxc_conf *c, + struct lxc_terminal *terminal); +- +-/* isulad: judge the fd whether is fifo*/ +-static bool lxc_terminal_is_fifo(int fd, struct lxc_list *list); + /* isulad: if fd == -1, means delete all the fifos*/ + int lxc_terminal_delete_fifo(int fd, struct lxc_list *list); + int lxc_terminal_add_fifos(struct lxc_conf *conf, const char *fifonames); +diff --git a/src/lxc/tools/lxc_attach.c b/src/lxc/tools/lxc_attach.c +index a590fd1..8856934 100644 +--- a/src/lxc/tools/lxc_attach.c ++++ b/src/lxc/tools/lxc_attach.c +@@ -398,11 +398,9 @@ out: + + int main(int argc, char *argv[]) + { +- int ret = -1; + int wexit = 0; + char *errmsg = NULL; + struct lxc_log log; +- pid_t pid; + lxc_attach_options_t attach_options = LXC_ATTACH_OPTIONS_DEFAULT; + lxc_attach_command_t command = (lxc_attach_command_t){.program = NULL}; + +diff --git a/src/lxc/utils.c b/src/lxc/utils.c +index 4db61c5..9a50fce 100644 +--- a/src/lxc/utils.c ++++ b/src/lxc/utils.c +@@ -2026,7 +2026,6 @@ void lxc_write_error_message(int errfd, const char *format, ...) + + bool lxc_process_alive(pid_t pid, unsigned long long start_time) + { +- int ret; + int sret = 0; + bool alive = true; + proc_t *pid_info = NULL; +-- +1.8.3.1 + diff --git a/0056-caps-use-_LINUX_CAPABILITY_VERSION_3-to-set-cap.patch b/0056-caps-use-_LINUX_CAPABILITY_VERSION_3-to-set-cap.patch new file mode 100644 index 0000000..41c5c40 --- /dev/null +++ b/0056-caps-use-_LINUX_CAPABILITY_VERSION_3-to-set-cap.patch @@ -0,0 +1,48 @@ +From 65b5764a98f751e885ba8596b2b92c4e7a3e0310 Mon Sep 17 00:00:00 2001 +From: LiFeng +Date: Sat, 26 Jan 2019 02:22:48 -0500 +Subject: [PATCH 056/122] [caps]: use _LINUX_CAPABILITY_VERSION_3 to set cap + +Signed-off-by: LiFeng +--- + src/lxc/conf.c | 8 ++++---- + src/lxc/seccomp.c | 1 - + 2 files changed, 4 insertions(+), 5 deletions(-) + +diff --git a/src/lxc/conf.c b/src/lxc/conf.c +index 4800943..0c6aa28 100644 +--- a/src/lxc/conf.c ++++ b/src/lxc/conf.c +@@ -4322,13 +4322,13 @@ int lxc_drop_caps(struct lxc_conf *conf) + memset(cap_data, 0, sizeof(struct __user_cap_data_struct) * 2); + + cap_header->pid = 0; +- cap_header->version = _LINUX_CAPABILITY_VERSION; ++ cap_header->version = _LINUX_CAPABILITY_VERSION_3; + + for (i = 0; i < numcaps; i++) { + if (caplist[i]) { +- cap_data[CAP_TO_INDEX(i)].effective = cap_data[CAP_TO_INDEX(i)].effective | __DEF_CAP_TO_MASK(i); +- cap_data[CAP_TO_INDEX(i)].permitted = cap_data[CAP_TO_INDEX(i)].permitted | __DEF_CAP_TO_MASK(i); +- cap_data[CAP_TO_INDEX(i)].inheritable = cap_data[CAP_TO_INDEX(i)].inheritable | __DEF_CAP_TO_MASK(i); ++ cap_data[CAP_TO_INDEX(i)].effective = cap_data[CAP_TO_INDEX(i)].effective | (i > 31 ? __DEF_CAP_TO_MASK(i % 32) : __DEF_CAP_TO_MASK(i)); ++ cap_data[CAP_TO_INDEX(i)].permitted = cap_data[CAP_TO_INDEX(i)].permitted | (i > 31 ? __DEF_CAP_TO_MASK(i % 32) : __DEF_CAP_TO_MASK(i)); ++ cap_data[CAP_TO_INDEX(i)].inheritable = cap_data[CAP_TO_INDEX(i)].inheritable | (i > 31 ? __DEF_CAP_TO_MASK(i % 32) : __DEF_CAP_TO_MASK(i)); + } + } + +diff --git a/src/lxc/seccomp.c b/src/lxc/seccomp.c +index 3218a60..4a5b3d0 100644 +--- a/src/lxc/seccomp.c ++++ b/src/lxc/seccomp.c +@@ -706,7 +706,6 @@ static int parse_config_v2(FILE *f, char *line, size_t *line_bufsz, struct lxc_c + goto bad; + } else if (native_arch == lxc_seccomp_arch_mipsel64) { + cur_rule_arch = lxc_seccomp_arch_all; +-; + ctx.lxc_arch[0] = lxc_seccomp_arch_mipsel; + ctx.contexts[0] = get_new_ctx(lxc_seccomp_arch_mipsel, + default_policy_action, &ctx.architectures[0]); +-- +1.8.3.1 + diff --git a/0057-confile-add-support-umask.patch b/0057-confile-add-support-umask.patch new file mode 100644 index 0000000..1c9b306 --- /dev/null +++ b/0057-confile-add-support-umask.patch @@ -0,0 +1,146 @@ +From b35461f2219dba74b2a51c576ec667f8912632d1 Mon Sep 17 00:00:00 2001 +From: LiFeng +Date: Wed, 30 Jan 2019 03:39:42 -0500 +Subject: [PATCH 057/122] confile: add support umask + +lxc.isulad.umask=normal make the container umask to 0022 +lxc.isulad.umask=secure make the container umask to 0027 (default) + +Signed-off-by: LiFeng +--- + src/lxc/attach.c | 4 ++-- + src/lxc/conf.c | 5 +++-- + src/lxc/conf.h | 1 + + src/lxc/confile.c | 38 ++++++++++++++++++++++++++++++++++++++ + 4 files changed, 44 insertions(+), 4 deletions(-) + +diff --git a/src/lxc/attach.c b/src/lxc/attach.c +index b44ea74..9768897 100644 +--- a/src/lxc/attach.c ++++ b/src/lxc/attach.c +@@ -768,8 +768,8 @@ static int attach_child_main(struct attach_clone_payload *payload) + msg_fd = init_ctx->container->lxc_conf->errpipe[1]; + init_ctx->container->lxc_conf->errpipe[1] = -1; + +- /*isulad: set system umask 0027 for safe control */ +- umask(0027); ++ /*isulad: set system umask */ ++ umask(init_ctx->container->lxc_conf->umask); + + /*isulad: restore default signal handlers and unblock all signals*/ + for (i = 1; i < NSIG; i++) +diff --git a/src/lxc/conf.c b/src/lxc/conf.c +index 0c6aa28..67beefe 100644 +--- a/src/lxc/conf.c ++++ b/src/lxc/conf.c +@@ -3163,6 +3163,7 @@ struct lxc_conf *lxc_conf_init(void) + new->errmsg = NULL; + new->errpipe[0] = -1; + new->errpipe[1] = -1; ++ new->umask = 0027; /*default umask 0027*/ + /* isulad add end */ + + return new; +@@ -4216,8 +4217,8 @@ int lxc_setup(struct lxc_handler *handler) + } + } + +- /*isulad: set system umask 0027 for safe control*/ +- umask(0027); ++ /*isulad: set system umask */ ++ umask(lxc_conf->umask); + + ret = setup_personality(lxc_conf->personality); + if (ret < 0) { +diff --git a/src/lxc/conf.h b/src/lxc/conf.h +index 88f5b41..93cf15d 100644 +--- a/src/lxc/conf.h ++++ b/src/lxc/conf.h +@@ -427,6 +427,7 @@ struct lxc_conf { + + char *errmsg; /* record error messages */ + int errpipe[2];//pipdfd for get error message of child or grandchild process. ++ mode_t umask; //umask value + /* isulad add end */ + }; + +diff --git a/src/lxc/confile.c b/src/lxc/confile.c +index f66d01b..3940b32 100644 +--- a/src/lxc/confile.c ++++ b/src/lxc/confile.c +@@ -155,6 +155,7 @@ lxc_config_define(proc); + /*isulad add begin*/ + lxc_config_define(init_args); + lxc_config_define(populate_device); ++lxc_config_define(umask); + /*isulad add end*/ + + +@@ -247,6 +248,7 @@ static struct lxc_config_t config_jump_table[] = { + { "lxc.isulad.populate.device", set_config_populate_device, get_config_populate_device, clr_config_populate_device, }, + { "lxc.isulad.rootfs.maskedpaths", set_config_rootfs_masked_paths, get_config_rootfs_masked_paths, clr_config_rootfs_masked_paths, }, + { "lxc.isulad.rootfs.ropaths", set_config_rootfs_ro_paths, get_config_rootfs_ro_paths, clr_config_rootfs_ro_paths, }, ++ { "lxc.isulad.umask", set_config_umask, get_config_umask, clr_config_umask, }, + /*isulad add end*/ + }; + +@@ -2371,6 +2373,27 @@ on_error: + + } + ++/* isulad: set config for umask */ ++static int set_config_umask(const char *key, const char *value, ++ struct lxc_conf *lxc_conf, void *data) ++{ ++ if (lxc_config_value_empty(value)) { ++ ERROR("Empty umask"); ++ return -1; ++ } ++ ++ if (strcmp(value, "normal") == 0) { ++ lxc_conf->umask = 0022; ++ return 0; ++ } else if (strcmp(value, "secure") == 0) { ++ lxc_conf->umask = 0027; ++ return 0; ++ } else { ++ ERROR("Invalid native umask: %s", value); ++ return -1; ++ } ++} ++ + struct parse_line_conf { + struct lxc_conf *conf; + bool from_include; +@@ -3141,6 +3164,13 @@ static int get_config_tty_max(const char *key, char *retv, int inlen, + return lxc_get_conf_size_t(c, retv, inlen, c->ttys.max); + } + ++/* isulad add: get umask value*/ ++static int get_config_umask(const char *key, char *retv, int inlen, ++ struct lxc_conf *c, void *data) ++{ ++ return lxc_get_conf_size_t(c, retv, inlen, c->umask); ++} ++ + static int get_config_tty_dir(const char *key, char *retv, int inlen, + struct lxc_conf *c, void *data) + { +@@ -4396,6 +4426,14 @@ static int clr_config_namespace_share(const char *key, + return 0; + } + ++/* isulad add: clear umask value */ ++static inline int clr_config_umask(const char *key, struct lxc_conf *c, ++ void *data) ++{ ++ c->umask = 0027; ++ return 0; ++} ++ + static int get_config_includefiles(const char *key, char *retv, int inlen, + struct lxc_conf *c, void *data) + { +-- +1.8.3.1 + diff --git a/0058-do-not-check-ppid-when-set-death-signal.patch b/0058-do-not-check-ppid-when-set-death-signal.patch new file mode 100644 index 0000000..e7fe48f --- /dev/null +++ b/0058-do-not-check-ppid-when-set-death-signal.patch @@ -0,0 +1,36 @@ +From 920c4a399b121ade499482cae1768f995576b547 Mon Sep 17 00:00:00 2001 +From: tanyifeng +Date: Tue, 12 Feb 2019 14:00:47 +0800 +Subject: [PATCH 058/122] do not check ppid when set death signal + +ppid will not be 0 if we shared host pid + +Signed-off-by: tanyifeng +Signed-off-by: LiFeng +--- + src/lxc/utils.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/src/lxc/utils.c b/src/lxc/utils.c +index 9a50fce..0aa87aa 100644 +--- a/src/lxc/utils.c ++++ b/src/lxc/utils.c +@@ -1722,12 +1722,13 @@ int lxc_set_death_signal(int signal, pid_t parent) + prctl_arg(0), prctl_arg(0)); + + /* Check whether we have been orphaned. */ +- ppid = (pid_t)syscall(SYS_getppid); ++ /* isulad: delete this check, ppid will not be 0 if we shared host pid */ ++ /*ppid = (pid_t)syscall(SYS_getppid); + if (ppid != parent) { + ret = raise(SIGKILL); + if (ret < 0) + return -1; +- } ++ }*/ + + if (ret < 0) + return -1; +-- +1.8.3.1 + diff --git a/0059-delete-unused-variable-ppid.patch b/0059-delete-unused-variable-ppid.patch new file mode 100644 index 0000000..2de91a0 --- /dev/null +++ b/0059-delete-unused-variable-ppid.patch @@ -0,0 +1,27 @@ +From 897a0999c48453547cd8631a622defe233804be1 Mon Sep 17 00:00:00 2001 +From: tanyifeng +Date: Tue, 12 Feb 2019 14:36:35 +0800 +Subject: [PATCH 059/122] delete unused variable ppid + +Signed-off-by: tanyifeng +Signed-off-by: LiFeng +--- + src/lxc/utils.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/lxc/utils.c b/src/lxc/utils.c +index 0aa87aa..91ba493 100644 +--- a/src/lxc/utils.c ++++ b/src/lxc/utils.c +@@ -1716,7 +1716,7 @@ uint64_t lxc_find_next_power2(uint64_t n) + int lxc_set_death_signal(int signal, pid_t parent) + { + int ret; +- pid_t ppid; ++ //pid_t ppid; + + ret = prctl(PR_SET_PDEATHSIG, prctl_arg(signal), prctl_arg(0), + prctl_arg(0), prctl_arg(0)); +-- +1.8.3.1 + diff --git a/0060-using-json-file-to-write-console-log-of-container.patch b/0060-using-json-file-to-write-console-log-of-container.patch new file mode 100644 index 0000000..00b6ecd --- /dev/null +++ b/0060-using-json-file-to-write-console-log-of-container.patch @@ -0,0 +1,610 @@ +From 1e1274c4202cb8aac8395586f163d6b27b31ff28 Mon Sep 17 00:00:00 2001 +From: tanyifeng +Date: Wed, 30 Jan 2019 17:44:19 +0800 +Subject: [PATCH 060/122] using json-file to write console log of container + +Signed-off-by: tanyifeng +Signed-off-by: LiFeng +--- + src/lxc/Makefile.am | 2 + + src/lxc/json/json_common.c | 14 ++- + src/lxc/json/json_common.h | 2 + + src/lxc/json/logger_json_file.c | 243 ++++++++++++++++++++++++++++++++++++++++ + src/lxc/json/logger_json_file.h | 45 ++++++++ + src/lxc/terminal.c | 166 +++++++++++++++++++++++++-- + 6 files changed, 457 insertions(+), 15 deletions(-) + create mode 100644 src/lxc/json/logger_json_file.c + create mode 100644 src/lxc/json/logger_json_file.h + +diff --git a/src/lxc/Makefile.am b/src/lxc/Makefile.am +index 260a7eb..698f8f9 100644 +--- a/src/lxc/Makefile.am ++++ b/src/lxc/Makefile.am +@@ -47,6 +47,7 @@ noinst_HEADERS = attach.h \ + json/json_common.h \ + json/oci_runtime_hooks.h \ + json/oci_runtime_spec.h \ ++ json/logger_json_file.h \ + json/read-file.h \ + utils.h + +@@ -149,6 +150,7 @@ liblxc_la_SOURCES = af_unix.c af_unix.h \ + json/json_common.c json/json_common.h \ + json/defs.h json/defs.c \ + json/oci_runtime_hooks.c json/oci_runtime_hooks.h \ ++ json/logger_json_file.c json/logger_json_file.h \ + json/oci_runtime_spec.c json/oci_runtime_spec.h \ + json/read-file.c json/read-file.h \ + $(LSM_SOURCES) +diff --git a/src/lxc/json/json_common.c b/src/lxc/json/json_common.c +index 8b91844..e339ab3 100755 +--- a/src/lxc/json/json_common.c ++++ b/src/lxc/json/json_common.c +@@ -86,7 +86,7 @@ bool json_gen_init(yajl_gen *g, struct parser_context *ctx) { + + } + yajl_gen_config(*g, yajl_gen_beautify, !(ctx->options & GEN_OPTIONS_SIMPLIFY)); +- yajl_gen_config(*g, yajl_gen_validate_utf8, 1); ++ yajl_gen_config(*g, yajl_gen_validate_utf8, !(ctx->options & GEN_OPTIONS_NOT_VALIDATE_UTF8)); + return true; + } + +@@ -1156,7 +1156,7 @@ json_map_string_string *make_json_map_string_string(yajl_val src, struct parser_ + return ret; + } + int append_json_map_string_string(json_map_string_string *map, const char *key, const char *val) { +- size_t len; ++ size_t len, i; + char **keys; + char **vals; + +@@ -1164,6 +1164,14 @@ int append_json_map_string_string(json_map_string_string *map, const char *key, + return -1; + } + ++ for (i = 0; i < map->len; i++) { ++ if (strcmp(map->keys[i], key) == 0) { ++ free(map->values[i]); ++ map->values[i] = safe_strdup(val ? val : ""); ++ return 0; ++ } ++ } ++ + if ((SIZE_MAX / sizeof(char *) - 1) < map->len) { + return -1; + } +@@ -1193,4 +1201,4 @@ int append_json_map_string_string(json_map_string_string *map, const char *key, + + map->len++; + return 0; +-} ++} +\ No newline at end of file +diff --git a/src/lxc/json/json_common.h b/src/lxc/json/json_common.h +index 904fe3c..eb8281c 100755 +--- a/src/lxc/json/json_common.h ++++ b/src/lxc/json/json_common.h +@@ -23,6 +23,8 @@ extern "C" { + # define GEN_OPTIONS_ALLKEYVALUE 0x02 + //options to generate simplify(no indent) json string + # define GEN_OPTIONS_SIMPLIFY 0x04 ++//options not to validate utf8 data ++# define GEN_OPTIONS_NOT_VALIDATE_UTF8 0x08 + + #define GEN_SET_ERROR_AND_RETURN(stat, err) { \ + if (!*(err)) {\ +diff --git a/src/lxc/json/logger_json_file.c b/src/lxc/json/logger_json_file.c +new file mode 100644 +index 0000000..4d78103 +--- /dev/null ++++ b/src/lxc/json/logger_json_file.c +@@ -0,0 +1,243 @@ ++// Generated from json-file.json. Do not edit! ++#ifndef _GNU_SOURCE ++#define _GNU_SOURCE ++#endif ++#include ++#include ++#include "securec.h" ++#include "logger_json_file.h" ++ ++logger_json_file *make_logger_json_file(yajl_val tree, struct parser_context *ctx, parser_error *err) { ++ logger_json_file *ret = NULL; ++ *err = 0; ++ if (tree == NULL) ++ return ret; ++ ret = safe_malloc(sizeof(*ret)); ++ { ++ yajl_val tmp = get_val(tree, "log", yajl_t_string); ++ if (tmp) { ++ char *str = YAJL_GET_STRING(tmp); ++ ret->log = (uint8_t *)safe_strdup(str ? str : ""); ++ ret->log_len = str ? strlen(str) : 0; ++ } ++ } ++ { ++ yajl_val val = get_val(tree, "stream", yajl_t_string); ++ if (val) { ++ char *str = YAJL_GET_STRING(val); ++ ret->stream = safe_strdup(str ? str : ""); ++ } ++ } ++ { ++ yajl_val val = get_val(tree, "time", yajl_t_string); ++ if (val) { ++ char *str = YAJL_GET_STRING(val); ++ ret->time = safe_strdup(str ? str : ""); ++ } ++ } ++ { ++ yajl_val tmp = get_val(tree, "attrs", yajl_t_string); ++ if (tmp) { ++ char *str = YAJL_GET_STRING(tmp); ++ ret->attrs = (uint8_t *)safe_strdup(str ? str : ""); ++ ret->attrs_len = str ? strlen(str) : 0; ++ } ++ } ++ ++ if (tree->type == yajl_t_object && (ctx->options & PARSE_OPTIONS_STRICT)) { ++ int i; ++ for (i = 0; i < tree->u.object.len; i++) ++ if (strcmp(tree->u.object.keys[i], "log") && ++ strcmp(tree->u.object.keys[i], "stream") && ++ strcmp(tree->u.object.keys[i], "time") && ++ strcmp(tree->u.object.keys[i], "attrs")) { ++ if (ctx->stderr > 0) ++ fprintf(ctx->stderr, "WARNING: unknown key found: %s\n", tree->u.object.keys[i]); ++ } ++ } ++ return ret; ++} ++ ++void free_logger_json_file(logger_json_file *ptr) { ++ if (!ptr) ++ return; ++ free(ptr->log); ++ ptr->log = NULL; ++ free(ptr->stream); ++ ptr->stream = NULL; ++ free(ptr->time); ++ ptr->time = NULL; ++ free(ptr->attrs); ++ ptr->attrs = NULL; ++ free(ptr); ++} ++ ++yajl_gen_status gen_logger_json_file(yajl_gen g, logger_json_file *ptr, struct parser_context *ctx, parser_error *err) { ++ yajl_gen_status stat = yajl_gen_status_ok; ++ *err = 0; ++ stat = reformat_start_map(g); ++ if (yajl_gen_status_ok != stat) ++ GEN_SET_ERROR_AND_RETURN(stat, err); ++ if ((ctx->options & GEN_OPTIONS_ALLKEYVALUE) || (ptr && ptr->log && ptr->log_len)) { ++ const char *str = ""; ++ size_t len = 0; ++ stat = reformat_map_key(g, "log", strlen("log")); ++ if (yajl_gen_status_ok != stat) ++ GEN_SET_ERROR_AND_RETURN(stat, err); ++ if (ptr && ptr->log) { ++ str = (const char *)ptr->log; ++ len = ptr->log_len; ++ } ++ stat = reformat_string(g, str, len); ++ if (yajl_gen_status_ok != stat) ++ GEN_SET_ERROR_AND_RETURN(stat, err); ++ } ++ if ((ctx->options & GEN_OPTIONS_ALLKEYVALUE) ||(ptr && ptr->stream)) { ++ char *str = ""; ++ stat = reformat_map_key(g, "stream", strlen("stream")); ++ if (yajl_gen_status_ok != stat) ++ GEN_SET_ERROR_AND_RETURN(stat, err); ++ if (ptr && ptr->stream) { ++ str = ptr->stream; ++ } ++ stat = reformat_string(g, str, strlen(str)); ++ if (yajl_gen_status_ok != stat) ++ GEN_SET_ERROR_AND_RETURN(stat, err); ++ } ++ if ((ctx->options & GEN_OPTIONS_ALLKEYVALUE) ||(ptr && ptr->time)) { ++ char *str = ""; ++ stat = reformat_map_key(g, "time", strlen("time")); ++ if (yajl_gen_status_ok != stat) ++ GEN_SET_ERROR_AND_RETURN(stat, err); ++ if (ptr && ptr->time) { ++ str = ptr->time; ++ } ++ stat = reformat_string(g, str, strlen(str)); ++ if (yajl_gen_status_ok != stat) ++ GEN_SET_ERROR_AND_RETURN(stat, err); ++ } ++ if ((ctx->options & GEN_OPTIONS_ALLKEYVALUE) || (ptr && ptr->attrs && ptr->attrs_len)) { ++ const char *str = ""; ++ size_t len = 0; ++ stat = reformat_map_key(g, "attrs", strlen("attrs")); ++ if (yajl_gen_status_ok != stat) ++ GEN_SET_ERROR_AND_RETURN(stat, err); ++ if (ptr && ptr->attrs) { ++ str = (const char *)ptr->attrs; ++ len = ptr->attrs_len; ++ } ++ stat = reformat_string(g, str, len); ++ if (yajl_gen_status_ok != stat) ++ GEN_SET_ERROR_AND_RETURN(stat, err); ++ } ++ stat = reformat_end_map(g); ++ if (yajl_gen_status_ok != stat) ++ GEN_SET_ERROR_AND_RETURN(stat, err); ++ return yajl_gen_status_ok; ++} ++ ++ ++logger_json_file *logger_json_file_parse_file(const char *filename, struct parser_context *ctx, parser_error *err) { ++ logger_json_file *ptr; ++ size_t filesize; ++ char *content; ++ ++ if (!filename || !err) ++ return NULL; ++ ++ *err = NULL; ++ content = read_file(filename, &filesize); ++ if (content == NULL) { ++ if (asprintf(err, "cannot read the file: %s", filename) < 0) ++ *err = safe_strdup("error allocating memory"); ++ return NULL; ++ } ++ ptr = logger_json_file_parse_data(content, ctx, err); ++ free(content); ++ return ptr; ++} ++ ++logger_json_file *logger_json_file_parse_file_stream(FILE *stream, struct parser_context *ctx, parser_error *err) { ++ logger_json_file *ptr; ++ size_t filesize; ++ char *content ; ++ ++ if (!stream || !err) ++ return NULL; ++ ++ *err = NULL; ++ content = fread_file(stream, &filesize); ++ if (content == NULL) { ++ *err = safe_strdup("cannot read the file"); ++ return NULL; ++ } ++ ptr = logger_json_file_parse_data(content, ctx, err); ++ free(content); ++ return ptr; ++} ++ ++logger_json_file *logger_json_file_parse_data(const char *jsondata, struct parser_context *ctx, parser_error *err) { ++ logger_json_file *ptr; ++ yajl_val tree; ++ char errbuf[1024]; ++ struct parser_context tmp_ctx; ++ ++ if (!jsondata || !err) ++ return NULL; ++ ++ *err = NULL; ++ if (!ctx) { ++ ctx = &tmp_ctx; ++ memset(&tmp_ctx, 0, sizeof(tmp_ctx)); ++ } ++ tree = yajl_tree_parse(jsondata, errbuf, sizeof(errbuf)); ++ if (tree == NULL) { ++ if (asprintf(err, "cannot parse the data: %s", errbuf) < 0) ++ *err = safe_strdup("error allocating memory"); ++ return NULL; ++ } ++ ptr = make_logger_json_file(tree, ctx, err); ++ yajl_tree_free(tree); ++ return ptr; ++} ++char *logger_json_file_generate_json(logger_json_file *ptr, struct parser_context *ctx, parser_error *err) { ++ yajl_gen g = NULL; ++ struct parser_context tmp_ctx; ++ const unsigned char *gen_buf = NULL; ++ char *json_buf = NULL; ++ size_t gen_len = 0; ++ ++ if (!ptr || !err) ++ return NULL; ++ ++ *err = NULL; ++ if (!ctx) { ++ ctx = &tmp_ctx; ++ memset(&tmp_ctx, 0, sizeof(tmp_ctx)); ++ } ++ ++ if (!json_gen_init(&g, ctx)) { ++ *err = safe_strdup("Json_gen init failed"); ++ goto out; ++ } ++ if (yajl_gen_status_ok != gen_logger_json_file(g, ptr, ctx, err)) { ++ if (!*err) ++ *err = safe_strdup("Failed to generate json"); ++ goto free_out; ++ } ++ yajl_gen_get_buf(g, &gen_buf, &gen_len); ++ if (!gen_buf) { ++ *err = safe_strdup("Error to get generated json"); ++ goto free_out; ++ } ++ ++ json_buf = safe_malloc(gen_len + 1); ++ memcpy(json_buf, gen_buf, gen_len); ++ json_buf[gen_len] = '\0'; ++ ++free_out: ++ yajl_gen_clear(g); ++ yajl_gen_free(g); ++out: ++ return json_buf; ++} +diff --git a/src/lxc/json/logger_json_file.h b/src/lxc/json/logger_json_file.h +new file mode 100644 +index 0000000..ad5af7b +--- /dev/null ++++ b/src/lxc/json/logger_json_file.h +@@ -0,0 +1,45 @@ ++// Generated from json-file.json. Do not edit! ++#ifndef LOGGER_JSON_FILE_SCHEMA_H ++#define LOGGER_JSON_FILE_SCHEMA_H ++ ++#include ++#include ++#include "json_common.h" ++ ++#ifdef __cplusplus ++extern "C" { ++#endif ++ ++typedef struct { ++ uint8_t *log; ++ size_t log_len; ++ ++ char *stream; ++ ++ char *time; ++ ++ uint8_t *attrs; ++ size_t attrs_len; ++ ++} ++logger_json_file; ++ ++void free_logger_json_file(logger_json_file *ptr); ++ ++logger_json_file *make_logger_json_file(yajl_val tree, struct parser_context *ctx, parser_error *err); ++ ++yajl_gen_status gen_logger_json_file(yajl_gen g, logger_json_file *ptr, struct parser_context *ctx, parser_error *err); ++ ++logger_json_file *logger_json_file_parse_file(const char *filename, struct parser_context *ctx, parser_error *err); ++ ++logger_json_file *logger_json_file_parse_file_stream(FILE *stream, struct parser_context *ctx, parser_error *err); ++ ++logger_json_file *logger_json_file_parse_data(const char *jsondata, struct parser_context *ctx, parser_error *err); ++ ++char *logger_json_file_generate_json(logger_json_file *ptr, struct parser_context *ctx, parser_error *err); ++ ++#ifdef __cplusplus ++} ++#endif ++ ++#endif +diff --git a/src/lxc/terminal.c b/src/lxc/terminal.c +index 252a644..602d43d 100644 +--- a/src/lxc/terminal.c ++++ b/src/lxc/terminal.c +@@ -47,6 +47,7 @@ + #include "start.h" + #include "syscall_wrappers.h" + #include "terminal.h" ++#include "logger_json_file.h" + #include "utils.h" + + #if HAVE_PTY_H +@@ -298,7 +299,7 @@ static int lxc_terminal_rotate_log_file(struct lxc_terminal *terminal) + return lxc_terminal_create_log_file(terminal); + } + +-static int lxc_terminal_write_log_file(struct lxc_terminal *terminal, char *buf, ++static int lxc_terminal_rotate_write_data(struct lxc_terminal *terminal, const char *buf, + int bytes_read) + { + int ret; +@@ -357,16 +358,6 @@ static int lxc_terminal_write_log_file(struct lxc_terminal *terminal, char *buf, + if (bytes_read <= space_left) + return lxc_write_nointr(terminal->log_fd, buf, bytes_read); + +- /* There's not enough space left but at least write as much as we can +- * into the old log file. +- */ +- ret = lxc_write_nointr(terminal->log_fd, buf, space_left); +- if (ret < 0) +- return -1; +- +- /* Calculate how many bytes we still need to write. */ +- bytes_read -= space_left; +- + /* There'd be more to write but we aren't instructed to rotate the log + * file so simply return. There's no error on our side here. + */ +@@ -404,6 +395,151 @@ static int lxc_terminal_write_log_file(struct lxc_terminal *terminal, char *buf, + return bytes_read; + } + ++/* get time buffer */ ++static bool get_time_buffer(struct timespec *timestamp, char *timebuffer, ++ size_t maxsize) ++{ ++ struct tm tm_utc = { 0 }; ++ int32_t nanos = 0; ++ time_t seconds; ++ ++ if (!timebuffer || !maxsize) { ++ return false; ++ } ++ ++ seconds = (time_t)timestamp->tv_sec; ++ gmtime_r(&seconds, &tm_utc); ++ strftime(timebuffer, maxsize, "%Y-%m-%dT%H:%M:%S", &tm_utc); ++ ++ nanos = (int32_t)timestamp->tv_nsec; ++ sprintf(timebuffer + strlen(timebuffer), ".%09dZ", nanos); ++ ++ return true; ++} ++ ++/* get now time buffer */ ++static bool get_now_time_buffer(char *timebuffer, size_t maxsize) ++{ ++ int err = 0; ++ struct timespec ts; ++ ++ err = clock_gettime(CLOCK_REALTIME, &ts); ++ if (err != 0) { ++ ERROR("failed to get time"); ++ return false; ++ } ++ ++ return get_time_buffer(&ts, timebuffer, maxsize); ++} ++ ++static ssize_t lxc_logger_write(struct lxc_terminal *terminal, const char *buf, ++ int bytes_read) ++{ ++ logger_json_file *msg = NULL; ++ ssize_t ret = -1; ++ size_t len; ++ char *json = NULL, timebuffer[64]; ++ parser_error err = NULL; ++ struct parser_context ctx = { GEN_OPTIONS_SIMPLIFY | GEN_OPTIONS_NOT_VALIDATE_UTF8, stderr }; ++ ++ msg = calloc(sizeof(logger_json_file), 1); ++ if (!msg) { ++ return -errno; ++ } ++ msg->log = calloc(bytes_read, 1); ++ if (!msg->log) { ++ goto cleanup; ++ } ++ memcpy(msg->log, buf, bytes_read); ++ msg->log_len = bytes_read; ++ msg->stream = strdup("stdout"); ++ ++ get_now_time_buffer(timebuffer, sizeof(timebuffer)); ++ msg->time = strdup(timebuffer); ++ ++ json = logger_json_file_generate_json(msg, &ctx, &err); ++ if (!json) { ++ ERROR("Failed to generate json: %s", err); ++ goto cleanup; ++ } ++ len = strlen(json); ++ json[len] = '\n'; ++ ret = lxc_terminal_rotate_write_data(terminal, json, len + 1); ++cleanup: ++ free(json); ++ free_logger_json_file(msg); ++ free(err); ++ return ret; ++} ++ ++static int lxc_terminal_write_log_file(struct lxc_terminal *terminal, char *buf, ++ int bytes_read) ++{ ++#define __BUF_CACHE_SIZE (16 * LXC_TERMINAL_BUFFER_SIZE) ++ static char cache[__BUF_CACHE_SIZE]; ++ static int size = 0; ++ int upto, index; ++ int begin = 0, buf_readed = 0, buf_left = 0; ++ int ret; ++ ++ if (buf != NULL && bytes_read > 0) { ++ /* Work out how much more data we are okay with reading this time. */ ++ upto = size + bytes_read; ++ if (upto > __BUF_CACHE_SIZE) { ++ upto = __BUF_CACHE_SIZE; ++ } ++ ++ if (upto > size) { ++ buf_readed = upto - size; ++ memcpy(cache + size, buf, buf_readed); ++ buf_left = bytes_read - buf_readed; ++ size += buf_readed; ++ } ++ } ++ ++ // If we have no data to log, and there's no more coming, we're done. ++ if (size == 0) ++ return 0; ++ ++ // Break up the data that we've buffered up into lines, and log each in turn. ++ for (index = 0; index < size; index++) { ++ if (cache[index] == '\n') { ++ ret = lxc_logger_write(terminal, cache + begin, index - begin + 1); ++ if (ret < 0) { ++ WARN("Failed to log msg"); ++ } ++ begin = index + 1; ++ } ++ } ++ /* If there's no more coming, or the buffer is full but ++ * has no newlines, log whatever we haven't logged yet, ++ * noting that it's a partial log line. */ ++ if (buf == NULL || (begin == 0 && size == __BUF_CACHE_SIZE)) { ++ if (begin < size) { ++ ret = lxc_logger_write(terminal, cache + begin, index - begin + 1); ++ if (ret < 0) { ++ WARN("Failed to log msg"); ++ } ++ begin = 0; ++ size = 0; ++ } ++ if (buf == NULL) { ++ return 0; ++ } ++ } ++ /* Move any unlogged data to the front of the buffer in preparation for another read. */ ++ if (begin > 0) { ++ memcpy(cache, cache + begin, size - begin); ++ size -= begin; ++ } ++ /* Move left data to cache buffer */ ++ if (buf_left > 0) { ++ memcpy(cache + size, buf + buf_readed, buf_left); ++ size += buf_left; ++ } ++ return 0; ++} ++ + /* isulad: forward data to all fifos */ + static void lxc_forward_data_to_fifo(struct lxc_list *list, char *buf, int r) + { +@@ -437,7 +573,7 @@ int lxc_terminal_io_cb(int fd, uint32_t events, void *data, + struct lxc_epoll_descr *descr) + { + struct lxc_terminal *terminal = data; +- char buf[LXC_TERMINAL_BUFFER_SIZE]; ++ char buf[2 * LXC_TERMINAL_BUFFER_SIZE]; + int r, w, w_log, w_rbuf; + + w = r = lxc_read_nointr(fd, buf, sizeof(buf)); +@@ -447,6 +583,12 @@ int lxc_terminal_io_cb(int fd, uint32_t events, void *data, + + if (fd == terminal->master) { + terminal->master = -EBADF; ++ /* write remained buffer to terminal log */ ++ if (terminal->log_fd >= 0) { ++ w_log = lxc_terminal_write_log_file(terminal, NULL, 0); ++ if (w_log < 0) ++ TRACE("Failed to write %d bytes to terminal log", r); ++ } + } else if (fd == terminal->peer) { + if (terminal->tty_state) { + lxc_terminal_signal_fini(terminal->tty_state); +-- +1.8.3.1 + diff --git a/0061-Fix-hook-use-the-path-args-envs-execvp-dirctory.patch b/0061-Fix-hook-use-the-path-args-envs-execvp-dirctory.patch new file mode 100644 index 0000000..4c73880 --- /dev/null +++ b/0061-Fix-hook-use-the-path-args-envs-execvp-dirctory.patch @@ -0,0 +1,50 @@ +From c9dc04b4237ac01155a8ce37beae9db4ea7c2b1a Mon Sep 17 00:00:00 2001 +From: LiFeng +Date: Thu, 21 Feb 2019 05:37:05 -0500 +Subject: [PATCH 061/122] Fix hook: use the path, args, envs execvp dirctory + +Signed-off-by: LiFeng +--- + src/lxc/conf.c | 17 ++--------------- + 1 file changed, 2 insertions(+), 15 deletions(-) + +diff --git a/src/lxc/conf.c b/src/lxc/conf.c +index 67beefe..c2f3cf5 100644 +--- a/src/lxc/conf.c ++++ b/src/lxc/conf.c +@@ -4467,9 +4467,6 @@ static struct lxc_popen_FILE *lxc_popen_ocihook(char *commandpath, char **args, + + if (child_pid == 0) { + /* child */ +- size_t result_capacity; +- int r; +- char **real_args; + + close(pipe_msg[1]); + if (pipe_msg[0] != STDIN_FILENO) +@@ -4514,20 +4511,10 @@ static struct lxc_popen_FILE *lxc_popen_ocihook(char *commandpath, char **args, + sigprocmask(SIG_UNBLOCK, &mask, NULL); + } + +- result_capacity = args_len; +- real_args = malloc(sizeof(char *) * (result_capacity + 2 + 1)); +- if (!real_args) +- _exit(EXIT_FAILURE); +- memset(real_args, 0, sizeof(char *) * (result_capacity + 2 + 1)); +- real_args[0] = strdup("sh"); +- real_args[1] = strdup(commandpath); +- for(r = 2; r < (args_len + 1); r++) +- real_args[r] = strdup(args[r-1]); +- + if (env_len > 0) +- execvpe("/bin/sh", real_args, envs); ++ execvpe(commandpath, args, envs); + else +- execvp("/bin/sh", real_args); ++ execvp(commandpath, args); + exit(127); + } + +-- +1.8.3.1 + diff --git a/0062-setup-sysctls-before-set-read-only-path-and-masked-p.patch b/0062-setup-sysctls-before-set-read-only-path-and-masked-p.patch new file mode 100644 index 0000000..5449152 --- /dev/null +++ b/0062-setup-sysctls-before-set-read-only-path-and-masked-p.patch @@ -0,0 +1,74 @@ +From e0c8855867b71eb0106a312e84389389cee395d7 Mon Sep 17 00:00:00 2001 +From: tanyifeng +Date: Tue, 26 Feb 2019 17:21:18 +0800 +Subject: [PATCH 062/122] setup sysctls before set read-only path and masked + path + +Signed-off-by: tanyifeng +Signed-off-by: LiFeng +--- + src/lxc/conf.c | 34 +++++++++++++++++----------------- + 1 file changed, 17 insertions(+), 17 deletions(-) + +diff --git a/src/lxc/conf.c b/src/lxc/conf.c +index c2f3cf5..e139dff 100644 +--- a/src/lxc/conf.c ++++ b/src/lxc/conf.c +@@ -3039,7 +3039,7 @@ int setup_sysctl_parameters(struct lxc_list *sysctls) + ret = lxc_write_to_file(filename, elem->value, + strlen(elem->value), false, 0666); + if (ret < 0) { +- ERROR("Failed to setup sysctl parameters %s to %s", ++ SYSERROR("Failed to setup sysctl parameters %s to %s", + elem->key, elem->value); + return -1; + } +@@ -4201,22 +4201,6 @@ int lxc_setup(struct lxc_handler *handler) + if (ret < 0) + goto on_error; + +- //isulad: setup rootfs masked paths +- if (!lxc_list_empty(&lxc_conf->rootfs.maskedpaths)) { +- if (setup_rootfs_maskedpaths(&lxc_conf->rootfs.maskedpaths)) { +- ERROR("failed to setup maskedpaths"); +- goto on_error; +- } +- } +- +- // isulad: setup rootfs ro paths +- if (!lxc_list_empty(&lxc_conf->rootfs.ropaths)) { +- if (setup_rootfs_ropaths(&lxc_conf->rootfs.ropaths)) { +- ERROR("failed to setup readonlypaths"); +- goto on_error; +- } +- } +- + /*isulad: set system umask */ + umask(lxc_conf->umask); + +@@ -4238,6 +4222,22 @@ int lxc_setup(struct lxc_handler *handler) + } + } + ++ // isulad: setup rootfs masked paths ++ if (!lxc_list_empty(&lxc_conf->rootfs.maskedpaths)) { ++ if (setup_rootfs_maskedpaths(&lxc_conf->rootfs.maskedpaths)) { ++ ERROR("failed to setup maskedpaths"); ++ goto on_error; ++ } ++ } ++ ++ // isulad: setup rootfs ro paths ++ if (!lxc_list_empty(&lxc_conf->rootfs.ropaths)) { ++ if (setup_rootfs_ropaths(&lxc_conf->rootfs.ropaths)) { ++ ERROR("failed to setup readonlypaths"); ++ goto on_error; ++ } ++ } ++ + if (!lxc_list_empty(&lxc_conf->keepcaps)) { + if (!lxc_list_empty(&lxc_conf->caps)) { + ERROR("Container requests lxc.cap.drop and " +-- +1.8.3.1 + diff --git a/0063-lxc-ignore-systemcall-load-failure-error.patch b/0063-lxc-ignore-systemcall-load-failure-error.patch new file mode 100644 index 0000000..6403557 --- /dev/null +++ b/0063-lxc-ignore-systemcall-load-failure-error.patch @@ -0,0 +1,27 @@ +From aa6af28e14e024cfc31b8d77516df9899eb480c8 Mon Sep 17 00:00:00 2001 +From: tanyifeng +Date: Sat, 9 Mar 2019 03:10:06 +0800 +Subject: [PATCH 063/122] lxc: ignore systemcall load failure error + +Signed-off-by: wujing +Signed-off-by: LiFeng +--- + src/lxc/seccomp.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/lxc/seccomp.c b/src/lxc/seccomp.c +index 4a5b3d0..26eac90 100644 +--- a/src/lxc/seccomp.c ++++ b/src/lxc/seccomp.c +@@ -543,7 +543,7 @@ bool do_resolve_add_rule(uint32_t arch, char *line, scmp_filter_ctx ctx, + errno = -ret; + SYSERROR("Failed loading rule for %s (nr %d action %d (%s))", + line, nr, rule->action, get_action_name(rule->action)); +- return false; ++ return true; + } + + return true; +-- +1.8.3.1 + diff --git a/0064-lxc-Reduce-seccomp-processing-log-level.patch b/0064-lxc-Reduce-seccomp-processing-log-level.patch new file mode 100644 index 0000000..3e297f7 --- /dev/null +++ b/0064-lxc-Reduce-seccomp-processing-log-level.patch @@ -0,0 +1,46 @@ +From ec896c711806cad0fa852ea1695361441e840132 Mon Sep 17 00:00:00 2001 +From: tanyifeng +Date: Sun, 10 Mar 2019 00:47:05 +0800 +Subject: [PATCH 064/122] lxc: Reduce seccomp processing log level + +Signed-off-by: wujing +Signed-off-by: LiFeng +--- + src/lxc/seccomp.c | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +diff --git a/src/lxc/seccomp.c b/src/lxc/seccomp.c +index 26eac90..7f10777 100644 +--- a/src/lxc/seccomp.c ++++ b/src/lxc/seccomp.c +@@ -507,14 +507,14 @@ bool do_resolve_add_rule(uint32_t arch, char *line, scmp_filter_ctx ctx, + + nr = seccomp_syscall_resolve_name(line); + if (nr == __NR_SCMP_ERROR) { +- WARN("Failed to resolve syscall \"%s\"", line); +- WARN("This syscall will NOT be handled by seccomp"); ++ DEBUG("Failed to resolve syscall \"%s\"", line); ++ DEBUG("This syscall will NOT be handled by seccomp"); + return true; + } + + if (nr < 0) { +- WARN("Got negative return value %d for syscall \"%s\"", nr, line); +- WARN("This syscall will NOT be handled by seccomp"); ++ DEBUG("Got negative return value %d for syscall \"%s\"", nr, line); ++ DEBUG("This syscall will NOT be handled by seccomp"); + return true; + } + +@@ -541,7 +541,7 @@ bool do_resolve_add_rule(uint32_t arch, char *line, scmp_filter_ctx ctx, + rule->args_num, arg_cmp); + if (ret < 0) { + errno = -ret; +- SYSERROR("Failed loading rule for %s (nr %d action %d (%s))", ++ DEBUG("Failed loading rule for %s (nr %d action %d (%s))", + line, nr, rule->action, get_action_name(rule->action)); + return true; + } +-- +1.8.3.1 + diff --git a/0065-Storage-return-true-if-storage_init-init-fail.patch b/0065-Storage-return-true-if-storage_init-init-fail.patch new file mode 100644 index 0000000..fec20d5 --- /dev/null +++ b/0065-Storage-return-true-if-storage_init-init-fail.patch @@ -0,0 +1,30 @@ +From d771f62e77e5d122178b171a06a821af4103e48d Mon Sep 17 00:00:00 2001 +From: LiFeng +Date: Mon, 11 Mar 2019 23:26:27 -0400 +Subject: [PATCH 065/122] Storage: return true if storage_init init fail + +Signed-off-by: LiFeng +--- + src/lxc/storage/storage.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/src/lxc/storage/storage.c b/src/lxc/storage/storage.c +index 18f754a..88ed788 100644 +--- a/src/lxc/storage/storage.c ++++ b/src/lxc/storage/storage.c +@@ -610,8 +610,11 @@ bool storage_destroy(struct lxc_conf *conf) + int destroy_rv = 0; + + r = storage_init(conf); +- if (!r) ++ if (r == NULL) { ++ ERROR("%s 's storage init failed, the storage may be deleted already", conf->name); ++ ret = true; + return ret; ++ } + + destroy_rv = r->ops->destroy(r); + if (destroy_rv == 0) +-- +1.8.3.1 + diff --git a/0066-lxc-Pids-limit-does-not-report-an-error-after-execut.patch b/0066-lxc-Pids-limit-does-not-report-an-error-after-execut.patch new file mode 100644 index 0000000..302e3cd --- /dev/null +++ b/0066-lxc-Pids-limit-does-not-report-an-error-after-execut.patch @@ -0,0 +1,28 @@ +From 5c96085ffd6f219f92bc210c057e9d964c75cd84 Mon Sep 17 00:00:00 2001 +From: tanyifeng +Date: Fri, 15 Mar 2019 10:11:10 +0800 +Subject: [PATCH 066/122] lxc: Pids limit does not report an error after + executing the limit in the background + +Signed-off-by: wujing +Signed-off-by: LiFeng +--- + src/lxc/tools/lxc_attach.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/src/lxc/tools/lxc_attach.c b/src/lxc/tools/lxc_attach.c +index 8856934..acdf8a0 100644 +--- a/src/lxc/tools/lxc_attach.c ++++ b/src/lxc/tools/lxc_attach.c +@@ -378,6 +378,8 @@ static int do_attach_background(struct lxc_container *c, lxc_attach_command_t *c + if (ret < 0) { + if (c->lxc_conf->errmsg) + lxc_write_error_message(msgpipe[1], "%s", c->lxc_conf->errmsg); ++ else ++ lxc_write_error_message(msgpipe[1], "Failed to attach container"); + close(msgpipe[1]); + msgpipe[1] = -1; + ret = -1; +-- +1.8.3.1 + diff --git a/0067-lxc-report-error-when-remove-directory-failed.patch b/0067-lxc-report-error-when-remove-directory-failed.patch new file mode 100644 index 0000000..723dc40 --- /dev/null +++ b/0067-lxc-report-error-when-remove-directory-failed.patch @@ -0,0 +1,72 @@ +From 6942bba7a61f9fe55d5d819ffd817ea4b028d040 Mon Sep 17 00:00:00 2001 +From: tanyifeng +Date: Sat, 16 Mar 2019 10:06:13 +0800 +Subject: [PATCH 067/122] lxc: report error when remove directory failed + +Signed-off-by: tanyifeng +Signed-off-by: LiFeng +--- + src/lxc/lxccontainer.c | 3 +++ + src/lxc/utils.c | 9 ++++++++- + 2 files changed, 11 insertions(+), 1 deletion(-) + +diff --git a/src/lxc/lxccontainer.c b/src/lxc/lxccontainer.c +index bfbf223..3fd1a66 100644 +--- a/src/lxc/lxccontainer.c ++++ b/src/lxc/lxccontainer.c +@@ -3148,8 +3148,11 @@ static bool container_destroy(struct lxc_container *c, + else + ret = lxc_rmdir_onedev(path, "snaps"); + if (ret < 0) { ++ char msg[BUFSIZ] = { 0 }; + ERROR("Failed to destroy directory \"%s\" for \"%s\"", path, + c->name); ++ sprintf(msg, "Failed to destroy directory \"%s\": %s", path, errno ? strerror(errno) : "error"); ++ c->error_string = strdup(msg); + goto out; + } + INFO("Destroyed directory \"%s\" for \"%s\"", path, c->name); +diff --git a/src/lxc/utils.c b/src/lxc/utils.c +index 91ba493..480e6d0 100644 +--- a/src/lxc/utils.c ++++ b/src/lxc/utils.c +@@ -88,6 +88,7 @@ static int _recursive_rmdir(const char *dirname, dev_t pdev, + int ret, failed = 0; + char pathname[PATH_MAX]; + bool hadexclude = false; ++ int saved_errno = 0; + + dir = opendir(dirname); + if (!dir) { +@@ -153,6 +154,9 @@ static int _recursive_rmdir(const char *dirname, dev_t pdev, + failed=1; + } else { + if (unlink(pathname) < 0) { ++ if (saved_errno == 0) { ++ saved_errno = errno; ++ } + SYSERROR("Failed to delete \"%s\"", pathname); + failed=1; + } +@@ -160,6 +164,9 @@ static int _recursive_rmdir(const char *dirname, dev_t pdev, + } + + if (rmdir(dirname) < 0 && !btrfs_try_remove_subvol(dirname) && !hadexclude) { ++ if (saved_errno == 0) { ++ saved_errno = errno; ++ } + SYSERROR("Failed to delete \"%s\"", dirname); + failed=1; + } +@@ -169,7 +176,7 @@ static int _recursive_rmdir(const char *dirname, dev_t pdev, + SYSERROR("Failed to close directory \"%s\"", dirname); + failed=1; + } +- ++ errno = saved_errno; + return failed ? -1 : 0; + } + +-- +1.8.3.1 + diff --git a/0068-support-record-stdout-stderr-log-of-container-consol.patch b/0068-support-record-stdout-stderr-log-of-container-consol.patch new file mode 100644 index 0000000..3d90132 --- /dev/null +++ b/0068-support-record-stdout-stderr-log-of-container-consol.patch @@ -0,0 +1,1244 @@ +From a31be51b99331c80b66f587245cae0ca5d84d4fa Mon Sep 17 00:00:00 2001 +From: tanyifeng +Date: Thu, 21 Feb 2019 20:27:47 +0800 +Subject: [PATCH 068/122] support record stdout, stderr log of container + console + +Signed-off-by: tanyifeng +Signed-off-by: LiFeng +--- + src/lxc/attach.c | 15 +- + src/lxc/attach_options.h | 2 +- + src/lxc/commands.c | 15 +- + src/lxc/commands.h | 2 +- + src/lxc/conf.c | 33 +++-- + src/lxc/lxccontainer.c | 79 +++++++--- + src/lxc/lxccontainer.h | 35 ++++- + src/lxc/start.c | 67 ++++++++- + src/lxc/start.h | 5 + + src/lxc/terminal.c | 351 ++++++++++++++++++++++++++++++++------------- + src/lxc/terminal.h | 7 +- + src/lxc/tools/arguments.h | 14 +- + src/lxc/tools/lxc_attach.c | 7 +- + src/lxc/tools/lxc_start.c | 22 ++- + 14 files changed, 502 insertions(+), 152 deletions(-) + +diff --git a/src/lxc/attach.c b/src/lxc/attach.c +index 9768897..c979c85 100644 +--- a/src/lxc/attach.c ++++ b/src/lxc/attach.c +@@ -1052,15 +1052,18 @@ static int lxc_attach_terminal(struct lxc_conf *conf, + lxc_terminal_init(terminal); + + /* isulad: if we pass fifo in option, use them as init fifos */ +- if (options->init_fifo[0] && options->init_fifo[1]) { +- if (terminal->init_fifo[0]) +- free(terminal->init_fifo[0]); ++ if (options->init_fifo[0]) { ++ free(terminal->init_fifo[0]); + terminal->init_fifo[0] = strdup(options->init_fifo[0]); +- +- if (terminal->init_fifo[1]) +- free(terminal->init_fifo[1]); ++ } ++ if (options->init_fifo[1]) { ++ free(terminal->init_fifo[1]); + terminal->init_fifo[1] = strdup(options->init_fifo[1]); + } ++ if (options->init_fifo[2]) { ++ free(terminal->init_fifo[2]); ++ terminal->init_fifo[2] = strdup(options->init_fifo[2]); ++ } + + ret = lxc_terminal_create(terminal); + if (ret < 0) { +diff --git a/src/lxc/attach_options.h b/src/lxc/attach_options.h +index 7b0a8cb..71c1739 100644 +--- a/src/lxc/attach_options.h ++++ b/src/lxc/attach_options.h +@@ -136,7 +136,7 @@ typedef struct lxc_attach_options_t { + /*! File descriptor to log output. */ + int log_fd; + +- char *init_fifo[2]; /* isulad: default fifos for the start */ ++ char *init_fifo[3]; /* isulad: default fifos for the start */ + } lxc_attach_options_t; + + /*! Default attach options to use */ +diff --git a/src/lxc/commands.c b/src/lxc/commands.c +index 46b2805..f0c95df 100644 +--- a/src/lxc/commands.c ++++ b/src/lxc/commands.c +@@ -1064,21 +1064,22 @@ reap_client_fd: + * + * Returns 0 when success, else when fail. + */ +-int lxc_cmd_set_terminal_fifos(const char *name, const char *lxcpath, const char *in_fifo, const char *out_fifo) ++int lxc_cmd_set_terminal_fifos(const char *name, const char *lxcpath, const char *in_fifo, ++ const char *out_fifo, const char *err_fifo) + { + int ret = 0, stopped = 0; + int len = 0; + char *tmp = NULL; ++ const char *split = "&&&&", *none_fifo_name = "none"; ++ const char *cmd_in_fifo = in_fifo ? in_fifo : none_fifo_name; ++ const char *cmd_out_fifo = out_fifo ? out_fifo : none_fifo_name; ++ const char *cmd_err_fifo = err_fifo ? err_fifo : none_fifo_name; + +- if (!in_fifo || !out_fifo) { +- return -1; +- } +- +- len = strlen(in_fifo) + strlen("&&&&") + strlen(out_fifo) + 1; ++ len += strlen(cmd_in_fifo) + strlen(split) + strlen(cmd_out_fifo) + strlen(split) + strlen(cmd_err_fifo) + 1; + tmp = malloc(len); + if (!tmp) + return -1; +- snprintf(tmp, len, "%s%s%s", in_fifo, "&&&&", out_fifo); ++ snprintf(tmp, len, "%s%s%s%s%s", cmd_in_fifo, split, cmd_out_fifo, split, cmd_err_fifo); + + struct lxc_cmd_rr cmd = { + .req = { +diff --git a/src/lxc/commands.h b/src/lxc/commands.h +index 0c64544..6b64849 100644 +--- a/src/lxc/commands.h ++++ b/src/lxc/commands.h +@@ -127,6 +127,6 @@ extern int lxc_cmd_console_log(const char *name, const char *lxcpath, + struct lxc_console_log *log); + + extern int lxc_cmd_set_terminal_fifos(const char *name, const char *lxcpath, +- const char *in_fifo, const char *out_fifo); ++ const char *in_fifo, const char *out_fifo, const char *err_fifo); + + #endif /* __commands_h */ +diff --git a/src/lxc/conf.c b/src/lxc/conf.c +index e139dff..a6b9797 100644 +--- a/src/lxc/conf.c ++++ b/src/lxc/conf.c +@@ -2067,20 +2067,22 @@ static int lxc_setup_ttydir_console(const struct lxc_rootfs *rootfs, + return -errno; + } + +- ret = fchmod(console->slave, S_IXUSR | S_IXGRP); +- if (ret < 0) { +- SYSERROR("Failed to set mode \"0%o\" to \"%s\"", +- S_IXUSR | S_IXGRP, console->name); +- return -errno; +- } ++ if (console->slave > 0) { ++ ret = fchmod(console->slave, S_IXUSR | S_IXGRP); ++ if (ret < 0) { ++ SYSERROR("Failed to set mode \"0%o\" to \"%s\"", ++ S_IXUSR | S_IXGRP, console->name); ++ return -errno; ++ } + +- /* bind mount console->name to '/dev//console' */ +- ret = safe_mount(console->name, lxcpath, "none", MS_BIND, 0, rootfs_path); +- if (ret < 0) { +- ERROR("Failed to mount \"%s\" on \"%s\"", console->name, lxcpath); +- return -1; ++ /* bind mount console->name to '/dev//console' */ ++ ret = safe_mount(console->name, lxcpath, "none", MS_BIND, 0, rootfs_path); ++ if (ret < 0) { ++ ERROR("Failed to mount \"%s\" on \"%s\"", console->name, lxcpath); ++ return -1; ++ } ++ DEBUG("Mounted \"%s\" onto \"%s\"", console->name, lxcpath); + } +- DEBUG("Mounted \"%s\" onto \"%s\"", console->name, lxcpath); + + /* bind mount '/dev//console' to '/dev/console' */ + ret = safe_mount(lxcpath, path, "none", MS_BIND, 0, rootfs_path); +@@ -3158,6 +3160,13 @@ struct lxc_conf *lxc_conf_init(void) + /* isulad init console fifos */ + new->console.init_fifo[0] = NULL; + new->console.init_fifo[1] = NULL; ++ new->console.init_fifo[2] = NULL; ++ new->console.pipes[0][0] = -1; ++ new->console.pipes[0][1] = -1; ++ new->console.pipes[1][0] = -1; ++ new->console.pipes[1][1] = -1; ++ new->console.pipes[2][0] = -1; ++ new->console.pipes[2][1] = -1; + lxc_list_init(&new->console.fifos); + + new->errmsg = NULL; +diff --git a/src/lxc/lxccontainer.c b/src/lxc/lxccontainer.c +index 3fd1a66..8a3724c 100644 +--- a/src/lxc/lxccontainer.c ++++ b/src/lxc/lxccontainer.c +@@ -702,6 +702,40 @@ static bool do_lxcapi_want_daemonize(struct lxc_container *c, bool state) + + WRAP_API_1(bool, lxcapi_want_daemonize, bool) + ++static bool do_lxcapi_want_disable_pty(struct lxc_container *c, bool state) ++{ ++ if (!c || !c->lxc_conf) ++ return false; ++ ++ if (container_mem_lock(c)) ++ return false; ++ ++ c->disable_pty = state; ++ ++ container_mem_unlock(c); ++ ++ return true; ++} ++ ++WRAP_API_1(bool, lxcapi_want_disable_pty, bool) ++ ++static bool do_lxcapi_want_open_stdin(struct lxc_container *c, bool state) ++{ ++ if (!c || !c->lxc_conf) ++ return false; ++ ++ if (container_mem_lock(c)) ++ return false; ++ ++ c->open_stdin = state; ++ ++ container_mem_unlock(c); ++ ++ return true; ++} ++ ++WRAP_API_1(bool, lxcapi_want_open_stdin, bool) ++ + static bool do_lxcapi_want_close_all_fds(struct lxc_container *c, bool state) + { + if (!c || !c->lxc_conf) +@@ -1198,12 +1232,15 @@ reboot: + goto on_error; + } + +- if (useinit) ++ if (useinit) { + ret = lxc_execute(c->name, argv, 1, handler, c->config_path, + c->daemonize, &c->error_num, c->start_timeout); +- else ++ } else { ++ handler->disable_pty = c->disable_pty; ++ handler->open_stdin = c->open_stdin; + ret = lxc_start(c->name, argv, handler, c->config_path, + c->daemonize, &c->error_num, c->start_timeout); ++ } + + if (conf->reboot == REBOOT_REQ) { + INFO("Container requested reboot"); +@@ -5085,11 +5122,11 @@ out: + } + + /* isulad add set console fifos*/ +-static bool do_lxcapi_set_terminal_default_fifos(struct lxc_container *c, const char *in, const char *out) ++static bool do_lxcapi_set_terminal_default_fifos(struct lxc_container *c, const char *in, const char *out, const char *err) + { + struct lxc_conf *conf; + +- if (!c || !c->lxc_conf || !in || !out) ++ if (!c || !c->lxc_conf) + return false; + if (container_mem_lock(c)) { + ERROR("Error getting mem lock"); +@@ -5097,19 +5134,27 @@ static bool do_lxcapi_set_terminal_default_fifos(struct lxc_container *c, const + } + + conf = c->lxc_conf; +- if (conf->console.init_fifo[0]) +- free(conf->console.init_fifo[0]); +- conf->console.init_fifo[0] = strdup(in); +- +- if (conf->console.init_fifo[1]) +- free(conf->console.init_fifo[1]); +- conf->console.init_fifo[1] = strdup(out); ++ if (in) { ++ if (conf->console.init_fifo[0]) ++ free(conf->console.init_fifo[0]); ++ conf->console.init_fifo[0] = strdup(in); ++ } ++ if (out) { ++ if (conf->console.init_fifo[1]) ++ free(conf->console.init_fifo[1]); ++ conf->console.init_fifo[1] = strdup(out); ++ } ++ if (err) { ++ if (conf->console.init_fifo[2]) ++ free(conf->console.init_fifo[2]); ++ conf->console.init_fifo[2] = strdup(err); ++ } + + container_mem_unlock(c); + return true; + } + +-WRAP_API_2(bool, lxcapi_set_terminal_default_fifos, const char *, const char *) ++WRAP_API_3(bool, lxcapi_set_terminal_default_fifos, const char *, const char *, const char *) + + /* isulad add set info file path */ + static bool do_lxcapi_set_container_info_file(struct lxc_container *c, const char *info_file) +@@ -5168,18 +5213,18 @@ static bool do_lxcapi_clean_container_resource(struct lxc_container *c, pid_t pi + WRAP_API_1(bool, lxcapi_clean_container_resource, pid_t) + + /* isulad add clean resources */ +-static bool do_lxcapi_add_terminal_fifo(struct lxc_container *c, const char *in_fifo, const char *out_fifo) ++static bool do_lxcapi_add_terminal_fifo(struct lxc_container *c, const char *in_fifo, const char *out_fifo, const char *err_fifo) + { + bool ret = true; + +- if (!c || !c->lxc_conf || !in_fifo || !out_fifo) ++ if (!c || !c->lxc_conf) + return false; + if (container_mem_lock(c)) { + ERROR("Error getting mem lock"); + return false; + } + +- if (lxc_cmd_set_terminal_fifos(c->name, c->config_path, in_fifo, out_fifo)) { ++ if (lxc_cmd_set_terminal_fifos(c->name, c->config_path, in_fifo, out_fifo, err_fifo)) { + ERROR("Error set console fifos"); + ret = false; + } +@@ -5188,7 +5233,7 @@ static bool do_lxcapi_add_terminal_fifo(struct lxc_container *c, const char *in_ + return ret; + } + +-WRAP_API_2(bool, lxcapi_add_terminal_fifo, const char *, const char *) ++WRAP_API_3(bool, lxcapi_add_terminal_fifo, const char *, const char *, const char *) + + static struct lxc_container *do_lxc_container_new(const char *name, const char *configpath, bool load_config) + { +@@ -5274,6 +5319,8 @@ static struct lxc_container *do_lxc_container_new(const char *name, const char * + c->init_pid = lxcapi_init_pid; + c->load_config = lxcapi_load_config; + c->want_daemonize = lxcapi_want_daemonize; ++ c->want_disable_pty = lxcapi_want_disable_pty; ++ c->want_open_stdin = lxcapi_want_open_stdin; + c->want_close_all_fds = lxcapi_want_close_all_fds; + c->start = lxcapi_start; + c->startl = lxcapi_startl; +diff --git a/src/lxc/lxccontainer.h b/src/lxc/lxccontainer.h +index c1d83ba..c3368e4 100644 +--- a/src/lxc/lxccontainer.h ++++ b/src/lxc/lxccontainer.h +@@ -137,6 +137,15 @@ struct lxc_container { + /*! Whether container wishes to be daemonized */ + bool daemonize; + ++ /*! Whether container wishes to create pty or pipes for console log */ ++ bool disable_pty; ++ ++ /*! Whether container wishes to keep stdin active */ ++ bool open_stdin; ++ ++ /*! Whether container wishes to detach from container stdio */ ++ bool detach; ++ + /*! Full path to configuration file */ + char *config_path; + +@@ -244,6 +253,28 @@ struct lxc_container { + bool (*stop)(struct lxc_container *c); + + /*! ++ * \brief Change whether the container wants to create pty or pipes ++ * from the console log. ++ * ++ * \param c Container. ++ * \param state Value for the disable pty bit (0 or 1). ++ * ++ * \return \c true on success, else \c false. ++ */ ++ bool (*want_disable_pty)(struct lxc_container *c, bool state); ++ ++ /*! ++ * \brief Change whether the container wants to keep stdin active ++ * for parent process of container ++ * ++ * \param c Container. ++ * \param state Value for the open_stdin bit (0 or 1). ++ * ++ * \return \c true on success, else \c false. ++ */ ++ bool (*want_open_stdin)(struct lxc_container *c, bool state); ++ ++ /*! + * \brief Change whether the container wants to run disconnected + * from the terminal. + * +@@ -875,7 +906,7 @@ struct lxc_container { + * + * \return \c true on success, else \c false. + */ +- bool (*set_terminal_init_fifos)(struct lxc_container *c, const char *in, const char *out); ++ bool (*set_terminal_init_fifos)(struct lxc_container *c, const char *in, const char *out, const char *err); + + /*! isulad add + * \brief An API call to add the path of terminal fifos +@@ -885,7 +916,7 @@ struct lxc_container { + * + * \return \c true on success, else \c false. + */ +- bool (*add_terminal_fifos)(struct lxc_container *c, const char *in, const char *out); ++ bool (*add_terminal_fifos)(struct lxc_container *c, const char *in, const char *out, const char *err); + + /*! isulad add + * \brief An API call to set the path of info file +diff --git a/src/lxc/start.c b/src/lxc/start.c +index 816b4a2..cad0d76 100644 +--- a/src/lxc/start.c ++++ b/src/lxc/start.c +@@ -635,6 +635,13 @@ int lxc_poll(const char *name, struct lxc_handler *handler) + } + + TRACE("Mainloop is ready"); ++ // iSulad: close stdin pipe if we do not want open_stdin with container stdin ++ if (!handler->conf->console.open_stdin) { ++ if (handler->conf->console.pipes[0][1] > 0) { ++ close(handler->conf->console.pipes[0][1]); ++ handler->conf->console.pipes[0][1] = -1; ++ } ++ } + + ret = lxc_mainloop(&descr, -1); + close(descr.epfd); +@@ -788,6 +795,8 @@ int lxc_init(const char *name, struct lxc_handler *handler) + int ret; + const char *loglevel; + struct lxc_conf *conf = handler->conf; ++ conf->console.disable_pty = handler->disable_pty; ++ conf->console.open_stdin = handler->open_stdin; + + lsm_init(); + TRACE("Initialized LSM"); +@@ -1244,7 +1253,7 @@ static int do_start(void *data) + * means that migration won't work, but at least we won't spew output + * where it isn't wanted. + */ +- if (handler->daemonize && !handler->conf->autodev) { ++ if (!handler->disable_pty && handler->daemonize && !handler->conf->autodev) { + ret = access(path, F_OK); + if (ret != 0) { + devnull_fd = open_devnull(); +@@ -1325,6 +1334,42 @@ static int do_start(void *data) + "privileges"); + } + ++ /* isulad: dup2 pipe[0][0] to container stdin, pipe[1][1] to container stdout, pipe[2][1] to container stderr */ ++ if (handler->disable_pty) { ++ if (handler->conf->console.pipes[0][1] >= 0) { ++ close(handler->conf->console.pipes[0][1]); ++ handler->conf->console.pipes[0][1] = -1; ++ } ++ ++ if (handler->conf->console.pipes[0][0] >= 0) { ++ ret = dup2(handler->conf->console.pipes[0][0], STDIN_FILENO); ++ if (ret < 0) ++ goto out_warn_father; ++ } ++ ++ if (handler->conf->console.pipes[1][0] >= 0) { ++ close(handler->conf->console.pipes[1][0]); ++ handler->conf->console.pipes[1][0] = -1; ++ } ++ ++ if (handler->conf->console.pipes[1][1] >= 0) { ++ ret = dup2(handler->conf->console.pipes[1][1], STDOUT_FILENO); ++ if (ret < 0) ++ goto out_warn_father; ++ } ++ if (handler->conf->console.pipes[2][0] >= 0) { ++ close(handler->conf->console.pipes[2][0]); ++ handler->conf->console.pipes[2][0] = -1; ++ } ++ ++ if (handler->conf->console.pipes[2][1] >= 0) { ++ ret = dup2(handler->conf->console.pipes[2][1], STDERR_FILENO); ++ if (ret < 0) ++ goto out_warn_father; ++ } ++ ++ } ++ + /* Some init's such as busybox will set sane tty settings on stdin, + * stdout, stderr which it thinks is the console. We already set them + * the way we wanted on the real terminal, and we want init to do its +@@ -1332,7 +1377,7 @@ static int do_start(void *data) + * make sure that that pty is stdin,stdout,stderr. + */ + setsid(); +- if (handler->conf->console.slave >= 0) { ++ if (!handler->disable_pty && handler->conf->console.slave >= 0) { + /* isulad:make the given terminal as controlling terminal to avoid warning + * sh: cannot set terminal process group (-1): Inappropriate ioctl for device + * sh: no job control in this shell */ +@@ -1367,7 +1412,7 @@ static int do_start(void *data) + + close(handler->sigfd); + +- if (handler->conf->console.slave < 0 && handler->daemonize) { ++ if (!handler->disable_pty && handler->conf->console.slave < 0 && handler->daemonize) { + if (devnull_fd < 0) { + devnull_fd = open_devnull(); + if (devnull_fd < 0) +@@ -1789,6 +1834,22 @@ static int lxc_spawn(struct lxc_handler *handler) + } + TRACE("Cloned child process %d", handler->pid); + ++ /* isulad: close pipe after clone */ ++ if (handler->conf->console.pipes[0][0] >= 0) { ++ close(handler->conf->console.pipes[0][0]); ++ handler->conf->console.pipes[0][0] = -1; ++ } ++ ++ if (handler->conf->console.pipes[1][1] >= 0) { ++ close(handler->conf->console.pipes[1][1]); ++ handler->conf->console.pipes[1][1] = -1; ++ } ++ ++ if (handler->conf->console.pipes[2][1] >= 0) { ++ close(handler->conf->console.pipes[2][1]); ++ handler->conf->console.pipes[2][1] = -1; ++ } ++ + /* isulad: save pid/ppid info into file*/ + if (handler->conf->container_info_file) { + if (lxc_save_container_info(handler->conf->container_info_file, handler->pid)) { +diff --git a/src/lxc/start.h b/src/lxc/start.h +index ab72e6e..0298991 100644 +--- a/src/lxc/start.h ++++ b/src/lxc/start.h +@@ -99,6 +99,11 @@ struct lxc_handler { + /* Indicates whether should we close std{in,out,err} on start. */ + bool daemonize; + ++ /* Indicates whether should we using pipes or pty dup to std{in,out,err} for console log. */ ++ bool disable_pty; ++ /* Indicates whether should we keep stdin active. */ ++ bool open_stdin; ++ + /* The child's pid. */ + pid_t pid; + +diff --git a/src/lxc/terminal.c b/src/lxc/terminal.c +index 602d43d..dfce92e 100644 +--- a/src/lxc/terminal.c ++++ b/src/lxc/terminal.c +@@ -432,7 +432,7 @@ static bool get_now_time_buffer(char *timebuffer, size_t maxsize) + return get_time_buffer(&ts, timebuffer, maxsize); + } + +-static ssize_t lxc_logger_write(struct lxc_terminal *terminal, const char *buf, ++static ssize_t lxc_logger_write(struct lxc_terminal *terminal, const char *type, const char *buf, + int bytes_read) + { + logger_json_file *msg = NULL; +@@ -452,7 +452,7 @@ static ssize_t lxc_logger_write(struct lxc_terminal *terminal, const char *buf, + } + memcpy(msg->log, buf, bytes_read); + msg->log_len = bytes_read; +- msg->stream = strdup("stdout"); ++ msg->stream = type ? strdup(type) : strdup("stdout"); + + get_now_time_buffer(timebuffer, sizeof(timebuffer)); + msg->time = strdup(timebuffer); +@@ -472,7 +472,7 @@ cleanup: + return ret; + } + +-static int lxc_terminal_write_log_file(struct lxc_terminal *terminal, char *buf, ++static int lxc_terminal_write_log_file(struct lxc_terminal *terminal, const char *type, char *buf, + int bytes_read) + { + #define __BUF_CACHE_SIZE (16 * LXC_TERMINAL_BUFFER_SIZE) +@@ -504,7 +504,7 @@ static int lxc_terminal_write_log_file(struct lxc_terminal *terminal, char *buf, + // Break up the data that we've buffered up into lines, and log each in turn. + for (index = 0; index < size; index++) { + if (cache[index] == '\n') { +- ret = lxc_logger_write(terminal, cache + begin, index - begin + 1); ++ ret = lxc_logger_write(terminal, type, cache + begin, index - begin + 1); + if (ret < 0) { + WARN("Failed to log msg"); + } +@@ -516,7 +516,7 @@ static int lxc_terminal_write_log_file(struct lxc_terminal *terminal, char *buf, + * noting that it's a partial log line. */ + if (buf == NULL || (begin == 0 && size == __BUF_CACHE_SIZE)) { + if (begin < size) { +- ret = lxc_logger_write(terminal, cache + begin, index - begin + 1); ++ ret = lxc_logger_write(terminal, type, cache + begin, index - begin + 1); + if (ret < 0) { + WARN("Failed to log msg"); + } +@@ -541,14 +541,20 @@ static int lxc_terminal_write_log_file(struct lxc_terminal *terminal, char *buf, + } + + /* isulad: forward data to all fifos */ +-static void lxc_forward_data_to_fifo(struct lxc_list *list, char *buf, int r) ++static void lxc_forward_data_to_fifo(struct lxc_list *list, bool is_err, char *buf, int r) + { + struct lxc_list *it,*next; + struct lxc_fifos_fd *elem = NULL; + + lxc_list_for_each_safe(it, list, next) { + elem = it->elem; +- lxc_write_nointr(elem->out_fd, buf, r); ++ if (is_err) { ++ if (elem->err_fd >= 0) ++ lxc_write_nointr(elem->err_fd, buf, r); ++ } else { ++ if (elem->out_fd >= 0) ++ lxc_write_nointr(elem->out_fd, buf, r); ++ } + } + + return; +@@ -585,7 +591,7 @@ int lxc_terminal_io_cb(int fd, uint32_t events, void *data, + terminal->master = -EBADF; + /* write remained buffer to terminal log */ + if (terminal->log_fd >= 0) { +- w_log = lxc_terminal_write_log_file(terminal, NULL, 0); ++ w_log = lxc_terminal_write_log_file(terminal, "stdout", NULL, 0); + if (w_log < 0) + TRACE("Failed to write %d bytes to terminal log", r); + } +@@ -601,33 +607,57 @@ int lxc_terminal_io_cb(int fd, uint32_t events, void *data, + /* isulad: delete fifos when the client close */ + lxc_terminal_delete_fifo(fd, &terminal->fifos); + return LXC_MAINLOOP_CONTINUE; +- } else { ++ } else if (fd == terminal->pipes[1][0] || fd == terminal->pipes[2][0]) { ++ if (fd == terminal->pipes[1][0]) { ++ w_log = lxc_terminal_write_log_file(terminal, "stdout", NULL, 0); ++ terminal->pipes[1][0] = -EBADF; ++ } else if (fd == terminal->pipes[2][0]) { ++ w_log = lxc_terminal_write_log_file(terminal, "stderr", NULL, 0); ++ terminal->pipes[2][0] = -EBADF; ++ } ++ if (w_log < 0) ++ TRACE("Failed to write %d bytes to terminal log", r); ++ close(fd); ++ return LXC_MAINLOOP_CONTINUE; ++ } else if (fd == terminal->pipes[0][1]) { ++ TRACE("closed stdin pipe of container stdin"); ++ terminal->pipes[0][1] = -EBADF; ++ close(fd); ++ return LXC_MAINLOOP_CONTINUE; ++ } else { + ERROR("Handler received unexpected file descriptor"); + } + close(fd); +- + return LXC_MAINLOOP_CLOSE; + } + +- if (fd == terminal->peer || lxc_terminal_is_fifo(fd, &terminal->fifos)) +- w = lxc_write_nointr(terminal->master, buf, r); ++ if (fd == terminal->peer || lxc_terminal_is_fifo(fd, &terminal->fifos)) { ++ if (terminal->master > 0) ++ w = lxc_write_nointr(terminal->master, buf, r); ++ if (terminal->pipes[0][1] > 0) ++ w = lxc_write_nointr(terminal->pipes[0][1], buf, r); ++ } + + w_rbuf = w_log = 0; +- if (fd == terminal->master) { ++ if (fd == terminal->master || fd == terminal->pipes[1][0] || fd == terminal->pipes[2][0]) { + /* write to peer first */ + if (terminal->peer >= 0) + w = lxc_write_nointr(terminal->peer, buf, r); + + /* isulad: forward data to fifos */ +- lxc_forward_data_to_fifo(&terminal->fifos, buf, r); ++ lxc_forward_data_to_fifo(&terminal->fifos, fd == terminal->pipes[2][0], buf, r); + + /* write to terminal ringbuffer */ + if (terminal->buffer_size > 0) + w_rbuf = lxc_ringbuf_write(&terminal->ringbuf, buf, r); + + /* write to terminal log */ +- if (terminal->log_fd >= 0) +- w_log = lxc_terminal_write_log_file(terminal, buf, r); ++ if (terminal->log_fd >= 0) { ++ if (fd == terminal->master || fd == terminal->pipes[1][0]) ++ w_log = lxc_terminal_write_log_file(terminal, "stdout", buf, r); ++ else if (fd == terminal->pipes[2][0]) ++ w_log = lxc_terminal_write_log_file(terminal, "stderr", buf, r); ++ } + } + + if (w != r) +@@ -670,6 +700,41 @@ static int lxc_terminal_mainloop_add_peer(struct lxc_terminal *terminal) + return 0; + } + ++/* isulad add pipes to mainloop */ ++static int lxc_terminal_mainloop_add_pipes(struct lxc_terminal *terminal) ++{ ++ int ret = 0; ++ ++ // parent read data from fifo, and send to stdin of container ++ if (terminal->pipes[0][1] > 0) { ++ ret = lxc_mainloop_add_handler(terminal->descr, terminal->pipes[0][1], ++ lxc_terminal_io_cb, terminal); ++ if (ret) { ++ ERROR("pipe fd %d not added to mainloop", terminal->pipes[0][1]); ++ return -1; ++ } ++ } ++ // parent read data from stdout of container, and send to fifo ++ if (terminal->pipes[1][0] > 0) { ++ ret = lxc_mainloop_add_handler(terminal->descr, terminal->pipes[1][0], ++ lxc_terminal_io_cb, terminal); ++ if (ret) { ++ ERROR("pipe fd %d not added to mainloop", terminal->pipes[1][0]); ++ return -1; ++ } ++ } ++ // parent read data from stderr of container, and send to fifo ++ if (terminal->pipes[2][0] > 0) { ++ ret = lxc_mainloop_add_handler(terminal->descr, terminal->pipes[2][0], ++ lxc_terminal_io_cb, terminal); ++ if (ret) { ++ ERROR("pipe fd %d not added to mainloop", terminal->pipes[2][0]); ++ return -1; ++ } ++ } ++ return ret; ++} ++ + /* isulad add fifo to mainloop */ + static int lxc_terminal_mainloop_add_fifo(struct lxc_terminal *terminal) + { +@@ -696,19 +761,6 @@ int lxc_terminal_mainloop_add(struct lxc_epoll_descr *descr, + { + int ret; + +- if (terminal->master < 0) { +- INFO("Terminal is not initialized"); +- return 0; +- } +- +- ret = lxc_mainloop_add_handler(descr, terminal->master, +- lxc_terminal_io_cb, terminal); +- if (ret < 0) { +- ERROR("Failed to add handler for terminal master fd %d to " +- "mainloop", terminal->master); +- return -1; +- } +- + /* We cache the descr so that we can add an fd to it when someone + * does attach to it in lxc_terminal_allocate(). + */ +@@ -720,6 +772,13 @@ int lxc_terminal_mainloop_add(struct lxc_epoll_descr *descr, + return -1; + } + ++ /* isulad add pipes to mainloop */ ++ ret = lxc_terminal_mainloop_add_pipes(terminal); ++ if (ret < 0) { ++ ERROR("Failed to add handler for terminal fifos to mainloop"); ++ return -1; ++ } ++ + /* isulad add fifo to mainloop */ + ret = lxc_terminal_mainloop_add_fifo(terminal); + if (ret < 0) { +@@ -727,6 +786,19 @@ int lxc_terminal_mainloop_add(struct lxc_epoll_descr *descr, + return -1; + } + ++ if (terminal->master < 0) { ++ INFO("Terminal is not initialized"); ++ return 0; ++ } ++ ++ ret = lxc_mainloop_add_handler(descr, terminal->master, ++ lxc_terminal_io_cb, terminal); ++ if (ret < 0) { ++ ERROR("Failed to add handler for terminal master fd %d to " ++ "mainloop", terminal->master); ++ return -1; ++ } ++ + return 0; + } + +@@ -1082,6 +1154,26 @@ void lxc_terminal_delete(struct lxc_terminal *terminal) + close(terminal->log_fd); + terminal->log_fd = -1; + ++ /* isulad: close all pipes */ ++ if (terminal->pipes[0][0] >= 0) ++ close(terminal->pipes[0][0]); ++ terminal->pipes[0][0] = -1; ++ if (terminal->pipes[0][1] >= 0) ++ close(terminal->pipes[0][1]); ++ terminal->pipes[0][1] = -1; ++ if (terminal->pipes[1][0] >= 0) ++ close(terminal->pipes[1][0]); ++ terminal->pipes[1][0] = -1; ++ if (terminal->pipes[1][1] >= 0) ++ close(terminal->pipes[1][1]); ++ terminal->pipes[1][1] = -1; ++ if (terminal->pipes[2][0] >= 0) ++ close(terminal->pipes[2][0]); ++ terminal->pipes[2][0] = -1; ++ if (terminal->pipes[2][1] >= 0) ++ close(terminal->pipes[2][1]); ++ terminal->pipes[2][1] = -1; ++ + /* isulad: delete all fifos */ + lxc_terminal_delete_fifo(-1, &terminal->fifos); + } +@@ -1168,59 +1260,79 @@ static int terminal_fifo_open(const char *fifo_path, int flags) + } + + /* isulad: set terminal fifos */ +-static int lxc_terminal_set_fifo(struct lxc_terminal *console, const char *in, const char *out) ++static int lxc_terminal_set_fifo(struct lxc_terminal *console, const char *in, const char *out, const char *err, int *input_fd) + { +- int fifofd_in = -1, fifofd_out = -1; ++ int fifofd_in = -1, fifofd_out = -1, fifofd_err = -1; + struct lxc_fifos_fd *fifo_elem = NULL; + +- if (!in || !out) ++ if ((in && !fifo_exists(in)) || (out && !fifo_exists(out)) || (err && !fifo_exists(err))) { ++ ERROR("File %s or %s or %s does not refer to a FIFO", in, out, err); + return -1; ++ } + +- if (!fifo_exists(in) || !fifo_exists(out)) { +- ERROR("File %s or %s does not refer to a FIFO", in, out); +- return -1; ++ if (in) { ++ fifofd_in = terminal_fifo_open(in, O_RDONLY | O_NONBLOCK | O_CLOEXEC); ++ if (fifofd_in < 0) { ++ SYSERROR("Failed to open FIFO: %s", in); ++ return -1; ++ } + } + +- fifofd_in = terminal_fifo_open(in, O_RDONLY | O_NONBLOCK | O_CLOEXEC); +- if (fifofd_in < 0) { +- ERROR("Failed to open FIFO: %s", in); +- return -1; ++ if (out) { ++ fifofd_out = terminal_fifo_open(out, O_WRONLY | O_NONBLOCK | O_CLOEXEC); ++ if (fifofd_out < 0) { ++ SYSERROR("Failed to open FIFO: %s", out); ++ if (fifofd_in >= 0) ++ close(fifofd_in); ++ return -1; ++ } + } + +- fifofd_out = terminal_fifo_open(out, O_WRONLY | O_NONBLOCK | O_CLOEXEC); +- if (fifofd_out < 0) { +- ERROR("Failed to open FIFO: %s", out); +- close(fifofd_in); +- return -1; ++ if (err) { ++ fifofd_err = terminal_fifo_open(err, O_WRONLY | O_NONBLOCK | O_CLOEXEC); ++ if (fifofd_err < 0) { ++ SYSERROR("Failed to open FIFO: %s", err); ++ if (fifofd_in >= 0) ++ close(fifofd_in); ++ if (fifofd_out >= 0) ++ close(fifofd_out); ++ return -1; ++ } + } + + fifo_elem = malloc(sizeof(*fifo_elem)); + if (!fifo_elem) { +- close(fifofd_in); +- close(fifofd_out); ++ if (fifofd_in >= 0) ++ close(fifofd_in); ++ if (fifofd_out >= 0) ++ close(fifofd_out); ++ if (fifofd_err >= 0) ++ close(fifofd_err); + return -1; + } + memset(fifo_elem, 0, sizeof(*fifo_elem)); + +- fifo_elem->in_fifo = strdup(in); +- fifo_elem->out_fifo = strdup(out); ++ fifo_elem->in_fifo = strdup(in ? in : ""); ++ fifo_elem->out_fifo = strdup(out ? out : ""); ++ fifo_elem->err_fifo = strdup(err ? err : ""); + fifo_elem->in_fd = fifofd_in; + fifo_elem->out_fd = fifofd_out; ++ fifo_elem->err_fd = fifofd_err; + lxc_list_add_elem(&fifo_elem->node, fifo_elem); + lxc_list_add_tail(&console->fifos, &fifo_elem->node); + +- return fifofd_in; ++ if (input_fd) ++ *input_fd = fifofd_in; ++ ++ return 0; + } + + /* isulad: add default fifos */ + static int lxc_terminal_fifo_default(struct lxc_terminal *terminal) + { +- if (!terminal->init_fifo[0] || !terminal->init_fifo[1]) { +- DEBUG("Invalid default terminal fifos"); +- return 0; +- } +- +- return lxc_terminal_set_fifo(terminal, terminal->init_fifo[0], terminal->init_fifo[1]); ++ if (terminal->init_fifo[0] || terminal->init_fifo[1] || terminal->init_fifo[2]) ++ return lxc_terminal_set_fifo(terminal, terminal->init_fifo[0], terminal->init_fifo[1], terminal->init_fifo[2], NULL); ++ return 0; + } + + /* +@@ -1245,48 +1357,67 @@ int lxc_terminal_create(struct lxc_terminal *terminal) + { + int ret; + +- ret = openpty(&terminal->master, &terminal->slave, NULL, NULL, NULL); +- if (ret < 0) { +- SYSERROR("Failed to open terminal"); +- return -1; +- } ++ if (!terminal->disable_pty) { ++ ret = openpty(&terminal->master, &terminal->slave, NULL, NULL, NULL); ++ if (ret < 0) { ++ SYSERROR("Failed to open terminal"); ++ return -1; ++ } + +- ret = ttyname_r(terminal->slave, terminal->name, sizeof(terminal->name)); +- if (ret < 0) { +- SYSERROR("Failed to retrieve name of terminal slave"); +- goto err; +- } ++ ret = ttyname_r(terminal->slave, terminal->name, sizeof(terminal->name)); ++ if (ret < 0) { ++ SYSERROR("Failed to retrieve name of terminal slave"); ++ goto err; ++ } + +- /* isulad: clear ONLCR flag */ +- ret = use_unix_newline(terminal->master); +- if (ret < 0) { +- SYSERROR("Failed to clear ONLCR flag on terminal master"); +- goto err; +- } ++ /* isulad: clear ONLCR flag */ ++ ret = use_unix_newline(terminal->master); ++ if (ret < 0) { ++ SYSERROR("Failed to clear ONLCR flag on terminal master"); ++ goto err; ++ } + +- ret = fd_cloexec(terminal->master, true); +- if (ret < 0) { +- SYSERROR("Failed to set FD_CLOEXEC flag on terminal master"); +- goto err; +- } ++ ret = fd_cloexec(terminal->master, true); ++ if (ret < 0) { ++ SYSERROR("Failed to set FD_CLOEXEC flag on terminal master"); ++ goto err; ++ } + +- /* isulad: make master NONBLOCK */ +- ret = fd_nonblock(terminal->master); +- if (ret < 0) { +- SYSERROR("Failed to set O_NONBLOCK flag on terminal master"); +- goto err; +- } ++ /* isulad: make master NONBLOCK */ ++ ret = fd_nonblock(terminal->master); ++ if (ret < 0) { ++ SYSERROR("Failed to set O_NONBLOCK flag on terminal master"); ++ goto err; ++ } + +- ret = fd_cloexec(terminal->slave, true); +- if (ret < 0) { +- SYSERROR("Failed to set FD_CLOEXEC flag on terminal slave"); +- goto err; +- } ++ ret = fd_cloexec(terminal->slave, true); ++ if (ret < 0) { ++ SYSERROR("Failed to set FD_CLOEXEC flag on terminal slave"); ++ goto err; ++ } + +- ret = lxc_terminal_peer_default(terminal); +- if (ret < 0) { +- ERROR("Failed to allocate proxy terminal"); +- goto err; ++ ret = lxc_terminal_peer_default(terminal); ++ if (ret < 0) { ++ ERROR("Failed to allocate proxy terminal"); ++ goto err; ++ } ++ } else { ++ /* isulad: create 3 pipes */ ++ /* for stdin */ ++ if (pipe2(terminal->pipes[0], O_CLOEXEC)) { ++ ERROR("Failed to create stdin pipe"); ++ goto err; ++ } ++ /* for stdout */ ++ if (pipe2(terminal->pipes[1], O_NONBLOCK | O_CLOEXEC)) { ++ ERROR("Failed to create stdout pipe"); ++ goto err; ++ } ++ /* for stderr */ ++ if (pipe2(terminal->pipes[2], O_NONBLOCK | O_CLOEXEC)) { ++ ERROR("Failed to create stderr pipe"); ++ goto err; ++ } + } + + /* isulad: open fifos */ +@@ -1581,6 +1712,13 @@ void lxc_terminal_init(struct lxc_terminal *terminal) + /* isulad init console fifos */ + terminal->init_fifo[0] = NULL; + terminal->init_fifo[1] = NULL; ++ terminal->init_fifo[2] = NULL; ++ terminal->pipes[0][0] = -1; ++ terminal->pipes[0][1] = -1; ++ terminal->pipes[1][0] = -1; ++ terminal->pipes[1][1] = -1; ++ terminal->pipes[2][0] = -1; ++ terminal->pipes[2][1] = -1; + lxc_list_init(&terminal->fifos); + } + +@@ -1599,8 +1737,14 @@ int lxc_terminal_delete_fifo(int fd, struct lxc_list *list) + free(elem->in_fifo); + if (elem->out_fifo) + free(elem->out_fifo); +- close(elem->in_fd); +- close(elem->out_fd); ++ if (elem->err_fifo) ++ free(elem->err_fifo); ++ if (elem->in_fd >= 0) ++ close(elem->in_fd); ++ if (elem->out_fd >= 0) ++ close(elem->out_fd); ++ if (elem->err_fd >= 0) ++ close(elem->err_fd); + free(elem); + } + } +@@ -1617,6 +1761,7 @@ void lxc_terminal_conf_free(struct lxc_terminal *terminal) + /*isulad: free console fifos */ + free(terminal->init_fifo[0]); + free(terminal->init_fifo[1]); ++ free(terminal->init_fifo[2]); + lxc_terminal_delete_fifo(-1, &terminal->fifos); + } + +@@ -1647,7 +1792,8 @@ int lxc_terminal_add_fifos(struct lxc_conf *conf, const char *fifonames) + int ret = 0; + struct lxc_terminal *terminal = &conf->console; + int fifofd_in = -1; +- char *tmp = NULL, *saveptr = NULL, *in = NULL, *out = NULL; ++ char *tmp = NULL, *saveptr = NULL, *in = NULL, *out = NULL, *err = NULL; ++ const char *none_fifo_name = "none"; + + tmp = strdup(fifonames); + if (!tmp) { +@@ -1660,14 +1806,27 @@ int lxc_terminal_add_fifos(struct lxc_conf *conf, const char *fifonames) + ret = -1; + goto free_out; + } ++ if (strcmp(in, none_fifo_name) == 0) ++ in = NULL; ++ + out = strtok_r(NULL, "&&&&", &saveptr); + if (!out) { + ret = -1; + goto free_out; + } ++ if (strcmp(out, none_fifo_name) == 0) ++ out = NULL; + +- fifofd_in = lxc_terminal_set_fifo(terminal, in, out); +- if (fifofd_in < 0) { ++ err = strtok_r(NULL, "&&&&", &saveptr); ++ if (!err) { ++ ret = -1; ++ goto free_out; ++ } ++ if (strcmp(err, none_fifo_name) == 0) ++ err = NULL; ++ ++ ret = lxc_terminal_set_fifo(terminal, in, out, err, &fifofd_in); ++ if (ret < 0) { + ERROR("Faild to set fifos to console config"); + ret = -1; + goto free_out; +diff --git a/src/lxc/terminal.h b/src/lxc/terminal.h +index 0c9653c..9bb341f 100644 +--- a/src/lxc/terminal.h ++++ b/src/lxc/terminal.h +@@ -115,16 +115,21 @@ struct lxc_terminal { + /* the in-memory ringbuffer */ + struct lxc_ringbuf ringbuf; + }; +- char *init_fifo[2]; /* isulad: default fifos for the start */ ++ char *init_fifo[3]; /* isulad: default fifos for the start */ + struct lxc_list fifos; /* isulad: fifos used to forward teminal */ ++ bool disable_pty; ++ bool open_stdin; ++ int pipes[3][2]; /* isulad: pipes for dup to container fds of stdin,stdout,stderr on daemonize mode*/ + }; + + /* isulad: fifo struct */ + struct lxc_fifos_fd { + char *in_fifo; + char *out_fifo; ++ char *err_fifo; + int in_fd; + int out_fd; ++ int err_fd; + struct lxc_list node; + }; + +diff --git a/src/lxc/tools/arguments.h b/src/lxc/tools/arguments.h +index afab9f5..d03f8a4 100644 +--- a/src/lxc/tools/arguments.h ++++ b/src/lxc/tools/arguments.h +@@ -51,6 +51,8 @@ struct lxc_arguments { + char *log_priority; + int quiet; + int daemonize; ++ int disable_pty; ++ int open_stdin; + const char *rcfile; + const char *console; + const char *console_log; +@@ -62,7 +64,7 @@ struct lxc_arguments { + + /* for lxc-start */ + const char *share_ns[32]; /* size must be greater than LXC_NS_MAX */ +- char *terminal_fifos[2]; /* isulad add, fifos used to redirct stdin/out/err */ ++ char *terminal_fifos[3]; /* isulad add, fifos used to redirct stdin/out/err */ + const char *container_info; /* isulad: file used to store pid and ppid info of container */ + const char *exit_monitor_fifo; /* isulad: fifo used to monitor state of monitor process */ + unsigned int start_timeout; /* isulad: Seconds for waiting on a container to start before it is killed*/ +@@ -179,9 +181,13 @@ struct lxc_arguments { + /* isulad add begin */ + #define OPT_INPUT_FIFO OPT_USAGE - 7 + #define OPT_OUTPUT_FIFO OPT_USAGE - 8 +-#define OPT_CONTAINER_INFO OPT_USAGE - 9 +-#define OPT_EXIT_FIFO OPT_USAGE - 10 +-#define OPT_START_TIMEOUT OPT_USAGE - 11 ++#define OPT_STDERR_FIFO OPT_USAGE - 9 ++#define OPT_CONTAINER_INFO OPT_USAGE - 10 ++#define OPT_EXIT_FIFO OPT_USAGE - 11 ++#define OPT_START_TIMEOUT OPT_USAGE - 12 ++#define OPT_DISABLE_PTY OPT_USAGE - 13 ++#define OPT_OPEN_STDIN OPT_USAGE - 14 ++ + /* isulad add end*/ + + extern int lxc_arguments_parse(struct lxc_arguments *args, int argc, +diff --git a/src/lxc/tools/lxc_attach.c b/src/lxc/tools/lxc_attach.c +index acdf8a0..674050d 100644 +--- a/src/lxc/tools/lxc_attach.c ++++ b/src/lxc/tools/lxc_attach.c +@@ -77,6 +77,7 @@ static const struct option my_longopts[] = { + {"rcfile", required_argument, 0, 'f'}, + {"in-fifo", required_argument, 0, OPT_INPUT_FIFO}, /* isulad add terminal fifos*/ + {"out-fifo", required_argument, 0, OPT_OUTPUT_FIFO}, ++ {"err-fifo", required_argument, 0, OPT_STDERR_FIFO}, + LXC_COMMON_OPTIONS + }; + +@@ -201,6 +202,9 @@ static int my_parser(struct lxc_arguments *args, int c, char *arg) + case OPT_OUTPUT_FIFO: + args->terminal_fifos[1] = arg; + break; ++ case OPT_STDERR_FIFO: ++ args->terminal_fifos[2] = arg; ++ break; + } + + return 0; +@@ -460,9 +464,10 @@ int main(int argc, char *argv[]) + if (elevated_privileges) + attach_options.attach_flags &= ~(elevated_privileges); + +- if (my_args.terminal_fifos[0] && my_args.terminal_fifos[1]) { ++ if (my_args.terminal_fifos[0] || my_args.terminal_fifos[1] || my_args.terminal_fifos[2]) { + attach_options.init_fifo[0] = my_args.terminal_fifos[0]; + attach_options.init_fifo[1] = my_args.terminal_fifos[1]; ++ attach_options.init_fifo[2] = my_args.terminal_fifos[2]; + attach_options.attach_flags |= LXC_ATTACH_TERMINAL; + } else if (stdfd_is_pty()) { + attach_options.attach_flags |= LXC_ATTACH_TERMINAL; +diff --git a/src/lxc/tools/lxc_start.c b/src/lxc/tools/lxc_start.c +index ec48701..183fafc 100644 +--- a/src/lxc/tools/lxc_start.c ++++ b/src/lxc/tools/lxc_start.c +@@ -73,9 +73,12 @@ static const struct option my_longopts[] = { + /* isulad add begin */ + {"in-fifo", required_argument, 0, OPT_INPUT_FIFO}, + {"out-fifo", required_argument, 0, OPT_OUTPUT_FIFO}, ++ {"err-fifo", required_argument, 0, OPT_STDERR_FIFO}, + {"container-pidfile", required_argument, 0, OPT_CONTAINER_INFO}, + {"exit-fifo", required_argument, 0, OPT_EXIT_FIFO}, + {"start-timeout", required_argument, 0, OPT_START_TIMEOUT}, ++ {"disable-pty", no_argument, 0, OPT_DISABLE_PTY}, ++ {"open-stdin", no_argument, 0, OPT_OPEN_STDIN}, + /* isulad add end */ + LXC_COMMON_OPTIONS + }; +@@ -166,6 +169,9 @@ static int my_parser(struct lxc_arguments *args, int c, char *arg) + case OPT_OUTPUT_FIFO: + args->terminal_fifos[1] = arg; + break; ++ case OPT_STDERR_FIFO: ++ args->terminal_fifos[2] = arg; ++ break; + case OPT_CONTAINER_INFO: + args->container_info = arg; + break; +@@ -179,6 +185,12 @@ static int my_parser(struct lxc_arguments *args, int c, char *arg) + } + args->start_timeout = (unsigned int)atoi(arg); + break; ++ case OPT_DISABLE_PTY: ++ args->disable_pty = 1; ++ break; ++ case OPT_OPEN_STDIN: ++ args->open_stdin = 1; ++ break; + } + return 0; + } +@@ -381,11 +393,17 @@ int main(int argc, char *argv[]) + if (!my_args.daemonize) + c->want_daemonize(c, false); + ++ if (my_args.disable_pty) ++ c->want_disable_pty(c, true); ++ ++ if (my_args.open_stdin) ++ c->want_open_stdin(c, true); ++ + if (my_args.close_all_fds) + c->want_close_all_fds(c, true); + +- if (my_args.terminal_fifos[0] && my_args.terminal_fifos[1]) +- c->set_terminal_init_fifos(c, my_args.terminal_fifos[0], my_args.terminal_fifos[1]); ++ if (my_args.terminal_fifos[0] || my_args.terminal_fifos[1] || my_args.terminal_fifos[2]) ++ c->set_terminal_init_fifos(c, my_args.terminal_fifos[0], my_args.terminal_fifos[1], my_args.terminal_fifos[2]); + + if (args == default_args) + err = c->start(c, 0, NULL) ? EXIT_SUCCESS : EXIT_FAILURE; +-- +1.8.3.1 + diff --git a/0069-lxc-killall-processes-if-container-shared-pid-namesp.patch b/0069-lxc-killall-processes-if-container-shared-pid-namesp.patch new file mode 100644 index 0000000..4f99776 --- /dev/null +++ b/0069-lxc-killall-processes-if-container-shared-pid-namesp.patch @@ -0,0 +1,207 @@ +From f6877ff5a4ca2bb0e7556b0b17690290888021f5 Mon Sep 17 00:00:00 2001 +From: tanyifeng +Date: Thu, 21 Mar 2019 15:48:02 +0800 +Subject: [PATCH 069/122] lxc: killall processes if container shared pid + namespace + +Signed-off-by: tanyifeng +Signed-off-by: LiFeng +--- + src/lxc/cgroups/cgfsng.c | 2 +- + src/lxc/start.c | 160 +++++++++++++++++++++++++++++++++++++++++++++++ + 2 files changed, 161 insertions(+), 1 deletion(-) + +diff --git a/src/lxc/cgroups/cgfsng.c b/src/lxc/cgroups/cgfsng.c +index e513218..ab7ca35 100644 +--- a/src/lxc/cgroups/cgfsng.c ++++ b/src/lxc/cgroups/cgfsng.c +@@ -1056,7 +1056,7 @@ static int cgroup_rmdir(struct hierarchy **hierarchies, + + ret = recursive_destroy(h->container_full_path); + if (ret < 0) { +- ERROR("Failed to destroy \"%s\"", h->container_full_path); ++ SYSERROR("Failed to destroy \"%s\"", h->container_full_path); + return -1; + } + +diff --git a/src/lxc/start.c b/src/lxc/start.c +index cad0d76..1c9eb0a 100644 +--- a/src/lxc/start.c ++++ b/src/lxc/start.c +@@ -2494,6 +2494,162 @@ static void clean_resource_set_env(struct lxc_handler *handler) + /* End of environment variable setup for hooks. */ + } + ++void trim_line(char *s) ++{ ++ size_t len; ++ ++ len = strlen(s); ++ while ((len > 1) && (s[len - 1] == '\n')) ++ s[--len] = '\0'; ++} ++ ++static int _read_procs_file(const char *path, pid_t **pids, size_t *len) ++{ ++ FILE *f; ++ char *line = NULL; ++ size_t sz = 0; ++ ++ f = fopen_cloexec(path, "r"); ++ if (!f) ++ return -1; ++ ++ while (getline(&line, &sz, f) != -1) { ++ pid_t pid; ++ trim_line(line); ++ pid = (pid_t)atoll(line); ++ *pids = realloc(*pids, sizeof(pid_t) * (*len + 1)); ++ (*pids)[*len] = pid; ++ (*len)++; ++ } ++ ++ free(line); ++ fclose(f); ++ return 0; ++} ++ ++static int _recursive_read_cgroup_procs(const char *dirpath, pid_t **pids, size_t *len) ++{ ++ struct dirent *direntp; ++ DIR *dir; ++ int ret, failed = 0; ++ char pathname[PATH_MAX]; ++ ++ dir = opendir(dirpath); ++ if (!dir && errno != ENOENT) { ++ WARN("Failed to open \"%s\"", dirpath); ++ return 0; ++ } ++ ++ while ((direntp = readdir(dir))) { ++ struct stat mystat; ++ int rc; ++ ++ if (!strcmp(direntp->d_name, ".") || ++ !strcmp(direntp->d_name, "..")) ++ continue; ++ ++ rc = snprintf(pathname, PATH_MAX, "%s/%s", dirpath, direntp->d_name); ++ if (rc < 0 || rc >= PATH_MAX) { ++ failed = 1; ++ continue; ++ } ++ ++ if (strcmp(direntp->d_name, "cgroup.procs") == 0) { ++ if (_read_procs_file(pathname, pids, len)) { ++ failed = 1; ++ ++ } ++ continue; ++ } ++ ++ ret = lstat(pathname, &mystat); ++ if (ret) { ++ failed = 1; ++ continue; ++ } ++ ++ if (S_ISDIR(mystat.st_mode)) { ++ if (_recursive_read_cgroup_procs(pathname, pids, len) < 0) ++ failed = 1; ++ } ++ } ++ ++ ret = closedir(dir); ++ if (ret) { ++ WARN("Failed to close directory \"%s\"", dirpath); ++ failed = 1; ++ } ++ ++ return failed ? -1 : 0; ++} ++ ++int get_all_pids(struct cgroup_ops *cg_ops, pid_t **pids, size_t *len) ++{ ++ char *devices_path = NULL; ++ int ret; ++ ++ devices_path = must_make_path("/sys/fs/cgroup", "devices", cg_ops->container_cgroup, NULL); ++ if (!file_exists(devices_path)) { ++ free(devices_path); ++ return 0; ++ } ++ ++ ret = _recursive_read_cgroup_procs(devices_path, pids, len); ++ free(devices_path); ++ return ret; ++} ++ ++static int set_cgroup_freezer(struct cgroup_ops *cg_ops, const char *value) ++{ ++ char *fullpath; ++ int ret; ++ ++ fullpath = must_make_path("/sys/fs/cgroup", "freezer", cg_ops->container_cgroup, "freezer.state", NULL); ++ ret = lxc_write_to_file(fullpath, value, strlen(value), false, 0666); ++ free(fullpath); ++ return ret; ++} ++ ++/* isulad: kill all process in container cgroup path */ ++static void signal_all_processes(struct lxc_handler *handler) ++{ ++ int ret; ++ struct cgroup_ops *cg_ops = handler->cgroup_ops; ++ pid_t *pids = NULL; ++ size_t len = 0, i; ++ ++ ret = set_cgroup_freezer(cg_ops, "FROZEN"); ++ if (ret < 0 && errno != ENOENT) { ++ WARN("cgroup_set frozen failed"); ++ } ++ ++ ret = get_all_pids(cg_ops, &pids, &len); ++ if (ret < 0) { ++ WARN("failed to get all pids"); ++ } ++ ++ for (i = 0; i < len; i++) { ++ ret = kill(pids[i], SIGKILL); ++ if (ret < 0 && errno != ESRCH) { ++ WARN("Can not kill process (pid=%d) with SIGKILL for container %s", pids[i], handler->name); ++ } ++ } ++ ++ ret = set_cgroup_freezer(cg_ops, "THAWED"); ++ if (ret < 0 && errno != ENOENT) { ++ WARN("cgroup_set thawed failed"); ++ } ++ ++ for (i = 0; i < len; i++) { ++ ret = lxc_wait_for_pid_status(pids[i]); ++ if (ret < 0 && errno != ECHILD) { ++ WARN("Failed to wait pid %d for container %s: %s", pids[i], handler->name, strerror(errno)); ++ } ++ } ++ ++ free(pids); ++} ++ + /*isulad: do_lxcapi_clean_resource */ + int do_lxcapi_clean_resource(char *name, char *lxcpath, struct lxc_conf *conf, pid_t pid) + { +@@ -2510,6 +2666,10 @@ int do_lxcapi_clean_resource(char *name, char *lxcpath, struct lxc_conf *conf, p + } + + clean_resource_set_env(handler); ++ // if we shared pid namespace with others, should kill all processes within container cgroup ++ if (handler->conf->ns_share[LXC_NS_PID] != NULL) { ++ signal_all_processes(handler); ++ } + + char* oci_hook_args[1]; + oci_hook_args[0] = alloca(strlen(handler->lxcpath) + 1); +-- +1.8.3.1 + diff --git a/0070-lxc-signal-all-process-for-shared-container-when-con.patch b/0070-lxc-signal-all-process-for-shared-container-when-con.patch new file mode 100644 index 0000000..2944b4a --- /dev/null +++ b/0070-lxc-signal-all-process-for-shared-container-when-con.patch @@ -0,0 +1,400 @@ +From 44f3d99c562ab88670f1fe91a1d16474da8adb98 Mon Sep 17 00:00:00 2001 +From: tanyifeng +Date: Thu, 21 Mar 2019 17:21:44 +0800 +Subject: [PATCH 070/122] lxc: signal all process for shared container when + container init exited + +Signed-off-by: tanyifeng +Signed-off-by: LiFeng +--- + src/lxc/cgroups/cgfsng.c | 2 +- + src/lxc/start.c | 332 +++++++++++++++++++++++++---------------------- + 2 files changed, 175 insertions(+), 159 deletions(-) + +diff --git a/src/lxc/cgroups/cgfsng.c b/src/lxc/cgroups/cgfsng.c +index ab7ca35..5ceb06b 100644 +--- a/src/lxc/cgroups/cgfsng.c ++++ b/src/lxc/cgroups/cgfsng.c +@@ -1056,7 +1056,7 @@ static int cgroup_rmdir(struct hierarchy **hierarchies, + + ret = recursive_destroy(h->container_full_path); + if (ret < 0) { +- SYSERROR("Failed to destroy \"%s\"", h->container_full_path); ++ SYSWARN("Failed to destroy \"%s\"", h->container_full_path); + return -1; + } + +diff --git a/src/lxc/start.c b/src/lxc/start.c +index 1c9eb0a..b14e46f 100644 +--- a/src/lxc/start.c ++++ b/src/lxc/start.c +@@ -941,6 +941,162 @@ out_close_maincmd_fd: + return -1; + } + ++void trim_line(char *s) ++{ ++ size_t len; ++ ++ len = strlen(s); ++ while ((len > 1) && (s[len - 1] == '\n')) ++ s[--len] = '\0'; ++} ++ ++static int _read_procs_file(const char *path, pid_t **pids, size_t *len) ++{ ++ FILE *f; ++ char *line = NULL; ++ size_t sz = 0; ++ ++ f = fopen_cloexec(path, "r"); ++ if (!f) ++ return -1; ++ ++ while (getline(&line, &sz, f) != -1) { ++ pid_t pid; ++ trim_line(line); ++ pid = (pid_t)atoll(line); ++ *pids = realloc(*pids, sizeof(pid_t) * (*len + 1)); ++ (*pids)[*len] = pid; ++ (*len)++; ++ } ++ ++ free(line); ++ fclose(f); ++ return 0; ++} ++ ++static int _recursive_read_cgroup_procs(const char *dirpath, pid_t **pids, size_t *len) ++{ ++ struct dirent *direntp; ++ DIR *dir; ++ int ret, failed = 0; ++ char pathname[PATH_MAX]; ++ ++ dir = opendir(dirpath); ++ if (!dir && errno != ENOENT) { ++ WARN("Failed to open \"%s\"", dirpath); ++ return 0; ++ } ++ ++ while ((direntp = readdir(dir))) { ++ struct stat mystat; ++ int rc; ++ ++ if (!strcmp(direntp->d_name, ".") || ++ !strcmp(direntp->d_name, "..")) ++ continue; ++ ++ rc = snprintf(pathname, PATH_MAX, "%s/%s", dirpath, direntp->d_name); ++ if (rc < 0 || rc >= PATH_MAX) { ++ failed = 1; ++ continue; ++ } ++ ++ if (strcmp(direntp->d_name, "cgroup.procs") == 0) { ++ if (_read_procs_file(pathname, pids, len)) { ++ failed = 1; ++ ++ } ++ continue; ++ } ++ ++ ret = lstat(pathname, &mystat); ++ if (ret) { ++ failed = 1; ++ continue; ++ } ++ ++ if (S_ISDIR(mystat.st_mode)) { ++ if (_recursive_read_cgroup_procs(pathname, pids, len) < 0) ++ failed = 1; ++ } ++ } ++ ++ ret = closedir(dir); ++ if (ret) { ++ WARN("Failed to close directory \"%s\"", dirpath); ++ failed = 1; ++ } ++ ++ return failed ? -1 : 0; ++} ++ ++int get_all_pids(struct cgroup_ops *cg_ops, pid_t **pids, size_t *len) ++{ ++ char *devices_path = NULL; ++ int ret; ++ ++ devices_path = must_make_path("/sys/fs/cgroup", "devices", cg_ops->container_cgroup, NULL); ++ if (!file_exists(devices_path)) { ++ free(devices_path); ++ return 0; ++ } ++ ++ ret = _recursive_read_cgroup_procs(devices_path, pids, len); ++ free(devices_path); ++ return ret; ++} ++ ++static int set_cgroup_freezer(struct cgroup_ops *cg_ops, const char *value) ++{ ++ char *fullpath; ++ int ret; ++ ++ fullpath = must_make_path("/sys/fs/cgroup", "freezer", cg_ops->container_cgroup, "freezer.state", NULL); ++ ret = lxc_write_to_file(fullpath, value, strlen(value), false, 0666); ++ free(fullpath); ++ return ret; ++} ++ ++/* isulad: kill all process in container cgroup path */ ++static void signal_all_processes(struct lxc_handler *handler) ++{ ++ int ret; ++ struct cgroup_ops *cg_ops = handler->cgroup_ops; ++ pid_t *pids = NULL; ++ size_t len = 0, i; ++ ++ ret = set_cgroup_freezer(cg_ops, "FROZEN"); ++ if (ret < 0 && errno != ENOENT) { ++ WARN("cgroup_set frozen failed"); ++ } ++ ++ ret = get_all_pids(cg_ops, &pids, &len); ++ if (ret < 0) { ++ WARN("failed to get all pids"); ++ } ++ ++ for (i = 0; i < len; i++) { ++ ret = kill(pids[i], SIGKILL); ++ if (ret < 0 && errno != ESRCH) { ++ WARN("Can not kill process (pid=%d) with SIGKILL for container %s", pids[i], handler->name); ++ } ++ } ++ ++ ret = set_cgroup_freezer(cg_ops, "THAWED"); ++ if (ret < 0 && errno != ENOENT) { ++ WARN("cgroup_set thawed failed"); ++ } ++ ++ for (i = 0; i < len; i++) { ++ ret = lxc_wait_for_pid_status(pids[i]); ++ if (ret < 0 && errno != ECHILD) { ++ WARN("Failed to wait pid %d for container %s: %s", pids[i], handler->name, strerror(errno)); ++ } ++ } ++ ++ free(pids); ++} ++ + void lxc_fini(const char *name, struct lxc_handler *handler) + { + int i, ret; +@@ -949,6 +1105,8 @@ void lxc_fini(const char *name, struct lxc_handler *handler) + char *namespaces[LXC_NS_MAX + 1]; + size_t namespace_count = 0; + struct cgroup_ops *cgroup_ops = handler->cgroup_ops; ++ int retry_count = 0; ++ int max_retry = 10; + + /* The STOPPING state is there for future cleanup code which can take + * awhile. +@@ -1013,7 +1171,21 @@ void lxc_fini(const char *name, struct lxc_handler *handler) + while (namespace_count--) + free(namespaces[namespace_count]); + +- cgroup_ops->destroy(cgroup_ops, handler); ++ // if we shared pid namespace with others, should kill all processes within container cgroup ++ if (handler->conf->ns_share[LXC_NS_PID] != NULL) { ++ TRACE("Trying to kill all subprocess"); ++ signal_all_processes(handler); ++ TRACE("Finished kill all subprocess"); ++ } ++retry: ++ if (!cgroup_ops->destroy(cgroup_ops, handler)) { ++ if (retry_count < max_retry) { ++ usleep(100 * 1000); /* 100 millisecond */ ++ retry_count++; ++ goto retry; ++ } ++ SYSERROR("Failed to destroy cgroup path for container: \"%s\"", handler->name); ++ } + + if (handler->conf->reboot == REBOOT_NONE) { + /* For all new state clients simply close the command socket. +@@ -2494,162 +2666,6 @@ static void clean_resource_set_env(struct lxc_handler *handler) + /* End of environment variable setup for hooks. */ + } + +-void trim_line(char *s) +-{ +- size_t len; +- +- len = strlen(s); +- while ((len > 1) && (s[len - 1] == '\n')) +- s[--len] = '\0'; +-} +- +-static int _read_procs_file(const char *path, pid_t **pids, size_t *len) +-{ +- FILE *f; +- char *line = NULL; +- size_t sz = 0; +- +- f = fopen_cloexec(path, "r"); +- if (!f) +- return -1; +- +- while (getline(&line, &sz, f) != -1) { +- pid_t pid; +- trim_line(line); +- pid = (pid_t)atoll(line); +- *pids = realloc(*pids, sizeof(pid_t) * (*len + 1)); +- (*pids)[*len] = pid; +- (*len)++; +- } +- +- free(line); +- fclose(f); +- return 0; +-} +- +-static int _recursive_read_cgroup_procs(const char *dirpath, pid_t **pids, size_t *len) +-{ +- struct dirent *direntp; +- DIR *dir; +- int ret, failed = 0; +- char pathname[PATH_MAX]; +- +- dir = opendir(dirpath); +- if (!dir && errno != ENOENT) { +- WARN("Failed to open \"%s\"", dirpath); +- return 0; +- } +- +- while ((direntp = readdir(dir))) { +- struct stat mystat; +- int rc; +- +- if (!strcmp(direntp->d_name, ".") || +- !strcmp(direntp->d_name, "..")) +- continue; +- +- rc = snprintf(pathname, PATH_MAX, "%s/%s", dirpath, direntp->d_name); +- if (rc < 0 || rc >= PATH_MAX) { +- failed = 1; +- continue; +- } +- +- if (strcmp(direntp->d_name, "cgroup.procs") == 0) { +- if (_read_procs_file(pathname, pids, len)) { +- failed = 1; +- +- } +- continue; +- } +- +- ret = lstat(pathname, &mystat); +- if (ret) { +- failed = 1; +- continue; +- } +- +- if (S_ISDIR(mystat.st_mode)) { +- if (_recursive_read_cgroup_procs(pathname, pids, len) < 0) +- failed = 1; +- } +- } +- +- ret = closedir(dir); +- if (ret) { +- WARN("Failed to close directory \"%s\"", dirpath); +- failed = 1; +- } +- +- return failed ? -1 : 0; +-} +- +-int get_all_pids(struct cgroup_ops *cg_ops, pid_t **pids, size_t *len) +-{ +- char *devices_path = NULL; +- int ret; +- +- devices_path = must_make_path("/sys/fs/cgroup", "devices", cg_ops->container_cgroup, NULL); +- if (!file_exists(devices_path)) { +- free(devices_path); +- return 0; +- } +- +- ret = _recursive_read_cgroup_procs(devices_path, pids, len); +- free(devices_path); +- return ret; +-} +- +-static int set_cgroup_freezer(struct cgroup_ops *cg_ops, const char *value) +-{ +- char *fullpath; +- int ret; +- +- fullpath = must_make_path("/sys/fs/cgroup", "freezer", cg_ops->container_cgroup, "freezer.state", NULL); +- ret = lxc_write_to_file(fullpath, value, strlen(value), false, 0666); +- free(fullpath); +- return ret; +-} +- +-/* isulad: kill all process in container cgroup path */ +-static void signal_all_processes(struct lxc_handler *handler) +-{ +- int ret; +- struct cgroup_ops *cg_ops = handler->cgroup_ops; +- pid_t *pids = NULL; +- size_t len = 0, i; +- +- ret = set_cgroup_freezer(cg_ops, "FROZEN"); +- if (ret < 0 && errno != ENOENT) { +- WARN("cgroup_set frozen failed"); +- } +- +- ret = get_all_pids(cg_ops, &pids, &len); +- if (ret < 0) { +- WARN("failed to get all pids"); +- } +- +- for (i = 0; i < len; i++) { +- ret = kill(pids[i], SIGKILL); +- if (ret < 0 && errno != ESRCH) { +- WARN("Can not kill process (pid=%d) with SIGKILL for container %s", pids[i], handler->name); +- } +- } +- +- ret = set_cgroup_freezer(cg_ops, "THAWED"); +- if (ret < 0 && errno != ENOENT) { +- WARN("cgroup_set thawed failed"); +- } +- +- for (i = 0; i < len; i++) { +- ret = lxc_wait_for_pid_status(pids[i]); +- if (ret < 0 && errno != ECHILD) { +- WARN("Failed to wait pid %d for container %s: %s", pids[i], handler->name, strerror(errno)); +- } +- } +- +- free(pids); +-} +- + /*isulad: do_lxcapi_clean_resource */ + int do_lxcapi_clean_resource(char *name, char *lxcpath, struct lxc_conf *conf, pid_t pid) + { +@@ -2687,7 +2703,7 @@ retry: + retry_count++; + goto retry; + } +- ERROR("Failed to destroy cgroup for container \"%s\".", handler->name); ++ SYSERROR("Failed to destroy cgroup path for container: \"%s\"", handler->name); + ret = -1; + } + +-- +1.8.3.1 + diff --git a/0071-lxc-get-cgroup-path-according-to-cgroup-mountpoint.patch b/0071-lxc-get-cgroup-path-according-to-cgroup-mountpoint.patch new file mode 100644 index 0000000..febd361 --- /dev/null +++ b/0071-lxc-get-cgroup-path-according-to-cgroup-mountpoint.patch @@ -0,0 +1,126 @@ +From 5c369714d1a1d74606e6ee44a3df4e1d159ee702 Mon Sep 17 00:00:00 2001 +From: tanyifeng +Date: Thu, 21 Mar 2019 22:05:09 +0800 +Subject: [PATCH 071/122] lxc: get cgroup path according to cgroup mountpoint + +Signed-off-by: tanyifeng +Signed-off-by: LiFeng +--- + src/lxc/cgroups/cgfsng.c | 6 ++++-- + src/lxc/cgroups/cgroup.h | 2 +- + src/lxc/commands.c | 6 +++--- + src/lxc/criu.c | 2 +- + src/lxc/start.c | 8 +++----- + 5 files changed, 12 insertions(+), 12 deletions(-) + +diff --git a/src/lxc/cgroups/cgfsng.c b/src/lxc/cgroups/cgfsng.c +index 5ceb06b..62d58f9 100644 +--- a/src/lxc/cgroups/cgfsng.c ++++ b/src/lxc/cgroups/cgfsng.c +@@ -1852,7 +1852,7 @@ __cgfsng_ops static bool cgfsng_unfreeze(struct cgroup_ops *ops) + } + + __cgfsng_ops static const char *cgfsng_get_cgroup(struct cgroup_ops *ops, +- const char *controller) ++ const char *controller, bool skip_mount) + { + struct hierarchy *h; + +@@ -1863,7 +1863,9 @@ __cgfsng_ops static const char *cgfsng_get_cgroup(struct cgroup_ops *ops, + return NULL; + } + +- return h->container_full_path ? h->container_full_path + strlen(h->mountpoint) : NULL; ++ if (!h->container_full_path) ++ h->container_full_path = must_make_path(h->mountpoint, h->container_base_path, ops->container_cgroup, NULL); ++ return skip_mount ? h->container_full_path + strlen(h->mountpoint) : h->container_full_path; + } + + /* Given a cgroup path returned from lxc_cmd_get_cgroup_path, build a full path, +diff --git a/src/lxc/cgroups/cgroup.h b/src/lxc/cgroups/cgroup.h +index b6116f6..edbb1e3 100644 +--- a/src/lxc/cgroups/cgroup.h ++++ b/src/lxc/cgroups/cgroup.h +@@ -129,7 +129,7 @@ struct cgroup_ops { + bool (*destroy)(struct cgroup_ops *ops, struct lxc_handler *handler); + bool (*payload_create)(struct cgroup_ops *ops, struct lxc_handler *handler); + bool (*payload_enter)(struct cgroup_ops *ops, pid_t pid); +- const char *(*get_cgroup)(struct cgroup_ops *ops, const char *controller); ++ const char *(*get_cgroup)(struct cgroup_ops *ops, const char *controller, bool skip_mount); + bool (*escape)(const struct cgroup_ops *ops); + int (*num_hierarchies)(struct cgroup_ops *ops); + bool (*get_hierarchies)(struct cgroup_ops *ops, int n, char ***out); +diff --git a/src/lxc/commands.c b/src/lxc/commands.c +index f0c95df..c74b8c1 100644 +--- a/src/lxc/commands.c ++++ b/src/lxc/commands.c +@@ -481,9 +481,9 @@ static int lxc_cmd_get_cgroup_callback(int fd, struct lxc_cmd_req *req, + struct cgroup_ops *cgroup_ops = handler->cgroup_ops; + + if (req->datalen > 0) +- path = cgroup_ops->get_cgroup(cgroup_ops, req->data); ++ path = cgroup_ops->get_cgroup(cgroup_ops, req->data, true); + else +- path = cgroup_ops->get_cgroup(cgroup_ops, NULL); ++ path = cgroup_ops->get_cgroup(cgroup_ops, NULL, true); + if (!path) + return -1; + +@@ -655,7 +655,7 @@ static int lxc_cmd_stop_callback(int fd, struct lxc_cmd_req *req, + * lxc_unfreeze() would do another cmd (GET_CGROUP) which would + * deadlock us. + */ +- if (!cgroup_ops->get_cgroup(cgroup_ops, "freezer")) ++ if (!cgroup_ops->get_cgroup(cgroup_ops, "freezer", true)) + return 0; + + if (cgroup_ops->unfreeze(cgroup_ops)) +diff --git a/src/lxc/criu.c b/src/lxc/criu.c +index bb97859..5c77979 100644 +--- a/src/lxc/criu.c ++++ b/src/lxc/criu.c +@@ -332,7 +332,7 @@ static void exec_criu(struct cgroup_ops *cgroup_ops, struct lxc_conf *conf, + } else { + const char *p; + +- p = cgroup_ops->get_cgroup(cgroup_ops, controllers[0]); ++ p = cgroup_ops->get_cgroup(cgroup_ops, controllers[0], true); + if (!p) { + ERROR("failed to get cgroup path for %s", controllers[0]); + goto err; +diff --git a/src/lxc/start.c b/src/lxc/start.c +index b14e46f..9243a6d 100644 +--- a/src/lxc/start.c ++++ b/src/lxc/start.c +@@ -1032,17 +1032,15 @@ static int _recursive_read_cgroup_procs(const char *dirpath, pid_t **pids, size_ + + int get_all_pids(struct cgroup_ops *cg_ops, pid_t **pids, size_t *len) + { +- char *devices_path = NULL; ++ const char *devices_path = NULL; + int ret; + +- devices_path = must_make_path("/sys/fs/cgroup", "devices", cg_ops->container_cgroup, NULL); ++ devices_path = cg_ops->get_cgroup(cg_ops, "devices", false); + if (!file_exists(devices_path)) { +- free(devices_path); + return 0; + } + + ret = _recursive_read_cgroup_procs(devices_path, pids, len); +- free(devices_path); + return ret; + } + +@@ -1051,7 +1049,7 @@ static int set_cgroup_freezer(struct cgroup_ops *cg_ops, const char *value) + char *fullpath; + int ret; + +- fullpath = must_make_path("/sys/fs/cgroup", "freezer", cg_ops->container_cgroup, "freezer.state", NULL); ++ fullpath = must_make_path(cg_ops->get_cgroup(cg_ops, "freezer", false), "freezer.state", NULL); + ret = lxc_write_to_file(fullpath, value, strlen(value), false, 0666); + free(fullpath); + return ret; +-- +1.8.3.1 + diff --git a/0072-lxc-adapt-to-docker-18.09.patch b/0072-lxc-adapt-to-docker-18.09.patch new file mode 100644 index 0000000..7b72afa --- /dev/null +++ b/0072-lxc-adapt-to-docker-18.09.patch @@ -0,0 +1,66 @@ +From de35b7df30fbdbf10c0d55523b7fa3a15eb17623 Mon Sep 17 00:00:00 2001 +From: liuhao +Date: Mon, 25 Mar 2019 18:03:23 +0800 +Subject: [PATCH 072/122] lxc: adapt to docker-18.09 + +1. adapt to docker-18.09 +2. fix strlcpy bug + +Signed-off-by: liuhao +Signed-off-by: LiFeng +--- + src/lxc/conf.c | 8 ++++---- + src/lxc/start.c | 4 ++-- + 2 files changed, 6 insertions(+), 6 deletions(-) + +diff --git a/src/lxc/conf.c b/src/lxc/conf.c +index a6b9797..abfba04 100644 +--- a/src/lxc/conf.c ++++ b/src/lxc/conf.c +@@ -4382,9 +4382,9 @@ static char* generate_json_str(const char *name, const char *lxcpath, const char + ERROR("Get container %s pid failed: %s", name, strerror(errno)); + cpid = "-1"; + } +- // {"ociVersion":"","id":"xxx","pid":777,"root":"xxx","bundlePath":"xxx"} +- size = 1 + 16 + 5 + strlen(name) + 3 + 6 + strlen(cpid) + 1 +- + 7 + strlen(rootfs) + 3 + 13 + strlen(lxcpath) + 1 + strlen(name) + 3 + 1; ++ // {"ociVersion":"","id":"xxx","pid":777,"root":"xxx","bundle":"xxx"} ++ size = strlen("{\"ociVersion\":\"\",\"id\":\"\",\"pid\":,\"root\":\"\",\"bundle\":\"\"}") + ++ strlen(name) + strlen(cpid) + strlen(rootfs) + strlen(lxcpath) + 1 + strlen(name) + 1; + inmsg = malloc(size); + if (!inmsg) { + ERROR("Out of memory"); +@@ -4392,7 +4392,7 @@ static char* generate_json_str(const char *name, const char *lxcpath, const char + goto out_free; + } + rc = snprintf(inmsg, size, +- "{\"ociVersion\":\"\",\"id\":\"%s\",\"pid\":%s,\"root\":\"%s\",\"bundlePath\":\"%s/%s\"}", ++ "{\"ociVersion\":\"\",\"id\":\"%s\",\"pid\":%s,\"root\":\"%s\",\"bundle\":\"%s/%s\"}", + name, cpid, rootfs, lxcpath, name); + if (rc < 0 || rc >= size) { + ERROR("Create json string failed"); +diff --git a/src/lxc/start.c b/src/lxc/start.c +index 9243a6d..2fca4e1 100644 +--- a/src/lxc/start.c ++++ b/src/lxc/start.c +@@ -2186,7 +2186,7 @@ static int lxc_spawn(struct lxc_handler *handler) + /* isulad: Run oci prestart hook at here */ + char* oci_hook_args[1]; + oci_hook_args[0] = alloca(strlen(lxcpath) + 1); +- (void)strlcpy(oci_hook_args[0], lxcpath, strlen(lxcpath)); ++ (void)strlcpy(oci_hook_args[0], lxcpath, strlen(lxcpath) + 1); + ret = run_lxc_hooks(name, "oci-prestart", conf, oci_hook_args); + if (ret < 0) { + ERROR("Failed to run oci prestart hooks"); +@@ -2687,7 +2687,7 @@ int do_lxcapi_clean_resource(char *name, char *lxcpath, struct lxc_conf *conf, p + + char* oci_hook_args[1]; + oci_hook_args[0] = alloca(strlen(handler->lxcpath) + 1); +- (void)strlcpy(oci_hook_args[0], handler->lxcpath, strlen(handler->lxcpath)); ++ (void)strlcpy(oci_hook_args[0], handler->lxcpath, strlen(handler->lxcpath) + 1); + + if (run_lxc_hooks(handler->name, "oci-poststop", handler->conf, oci_hook_args)) { + ERROR("Failed to run lxc.hook.post-stop for container \"%s\".", handler->name); +-- +1.8.3.1 + diff --git a/0073-lxc-support-set-additional-groups.patch b/0073-lxc-support-set-additional-groups.patch new file mode 100644 index 0000000..c5edff8 --- /dev/null +++ b/0073-lxc-support-set-additional-groups.patch @@ -0,0 +1,247 @@ +From 5c599c0a93b66eea1633f54ac61bcd99142758e3 Mon Sep 17 00:00:00 2001 +From: tanyifeng +Date: Mon, 25 Mar 2019 17:17:00 +0800 +Subject: [PATCH 073/122] lxc: support set additional groups + +Signed-off-by: tanyifeng +Signed-off-by: LiFeng +--- + src/lxc/attach.c | 8 ++++--- + src/lxc/conf.c | 12 ++++++++++ + src/lxc/conf.h | 3 +++ + src/lxc/confile.c | 66 ++++++++++++++++++++++++++++++++++++++++++++++++++++++- + src/lxc/start.c | 25 ++++++++++++--------- + 5 files changed, 100 insertions(+), 14 deletions(-) + +diff --git a/src/lxc/attach.c b/src/lxc/attach.c +index c979c85..618f2f1 100644 +--- a/src/lxc/attach.c ++++ b/src/lxc/attach.c +@@ -903,9 +903,6 @@ static int attach_child_main(struct attach_clone_payload *payload) + goto on_error; + } + +- if (!lxc_setgroups(0, NULL) && errno != EPERM) +- goto on_error; +- + /* Set {u,g}id. */ + if (options->uid != LXC_INVALID_UID) + new_uid = options->uid; +@@ -1017,6 +1014,11 @@ static int attach_child_main(struct attach_clone_payload *payload) + goto on_error; + } + ++ if (init_ctx->container && init_ctx->container->lxc_conf && ++ !lxc_setgroups(init_ctx->container->lxc_conf->init_groups_len, ++ init_ctx->container->lxc_conf->init_groups)) ++ goto on_error; ++ + if (!lxc_switch_uid_gid(new_uid, new_gid)) + goto on_error; + +diff --git a/src/lxc/conf.c b/src/lxc/conf.c +index abfba04..58fc059 100644 +--- a/src/lxc/conf.c ++++ b/src/lxc/conf.c +@@ -5184,10 +5184,21 @@ int lxc_clear_init_args(struct lxc_conf *lxc_conf) + for (i = 0; i < lxc_conf->init_argc; i++) + free(lxc_conf->init_argv[i]); + free(lxc_conf->init_argv); ++ lxc_conf->init_argc = 0; + + return 0; + } + ++/*isulad clear init groups*/ ++int lxc_clear_init_groups(struct lxc_conf *lxc_conf) ++{ ++ free(lxc_conf->init_groups); ++ lxc_conf->init_groups_len = 0; ++ ++ return 0; ++} ++ ++ + /*isulad: clear populate devices*/ + int lxc_clear_populate_devices(struct lxc_conf *c) + { +@@ -5294,6 +5305,7 @@ void lxc_conf_free(struct lxc_conf *conf) + free(conf->cgroup_meta.controllers); + /* isulad add begin */ + lxc_clear_init_args(conf); ++ lxc_clear_init_groups(conf); + lxc_clear_populate_devices(conf); + lxc_clear_rootfs_masked_paths(conf); + lxc_clear_rootfs_ro_paths(conf); +diff --git a/src/lxc/conf.h b/src/lxc/conf.h +index 93cf15d..11cf596 100644 +--- a/src/lxc/conf.h ++++ b/src/lxc/conf.h +@@ -418,6 +418,8 @@ struct lxc_conf { + /* init args used to repalce init_cmd*/ + char **init_argv; + size_t init_argc; ++ gid_t *init_groups; ++ size_t init_groups_len; + /* populate devices*/ + struct lxc_list populate_devs; + +@@ -498,6 +500,7 @@ extern int lxc_clear_namespace(struct lxc_conf *c); + + /* isulad add begin */ + int lxc_clear_init_args(struct lxc_conf *lxc_conf); ++int lxc_clear_init_groups(struct lxc_conf *lxc_conf); + int lxc_clear_populate_devices(struct lxc_conf *c); + int lxc_clear_rootfs_masked_paths(struct lxc_conf *c); + int lxc_clear_rootfs_ro_paths(struct lxc_conf *c); +diff --git a/src/lxc/confile.c b/src/lxc/confile.c +index 3940b32..60e6c46 100644 +--- a/src/lxc/confile.c ++++ b/src/lxc/confile.c +@@ -154,6 +154,7 @@ lxc_config_define(sysctl); + lxc_config_define(proc); + /*isulad add begin*/ + lxc_config_define(init_args); ++lxc_config_define(init_groups); + lxc_config_define(populate_device); + lxc_config_define(umask); + /*isulad add end*/ +@@ -245,6 +246,7 @@ static struct lxc_config_t config_jump_table[] = { + + /*isulad add begin*/ + { "lxc.isulad.init.args", set_config_init_args, get_config_init_args, clr_config_init_args, }, ++ { "lxc.isulad.init.groups", set_config_init_groups, get_config_init_groups, clr_config_init_groups, }, + { "lxc.isulad.populate.device", set_config_populate_device, get_config_populate_device, clr_config_populate_device, }, + { "lxc.isulad.rootfs.maskedpaths", set_config_rootfs_masked_paths, get_config_rootfs_masked_paths, clr_config_rootfs_masked_paths, }, + { "lxc.isulad.rootfs.ropaths", set_config_rootfs_ro_paths, get_config_rootfs_ro_paths, clr_config_rootfs_ro_paths, }, +@@ -2230,6 +2232,43 @@ static int set_config_init_args(const char *key, const char *value, + return 0; + } + ++/* isulad: set config for init groups */ ++static int set_config_init_groups(const char *key, const char *value, ++ struct lxc_conf *lxc_conf, void *data) ++{ ++ char *groups, *token; ++ int ret = -1; ++ ++ if (lxc_config_value_empty(value)) ++ return lxc_clear_init_groups(lxc_conf); ++ ++ groups = strdup(value); ++ if (!groups) ++ return -1; ++ ++ /* In case several capability keep is specified in a single line ++ * split these caps in a single element for the list. ++ */ ++ lxc_iterate_parts(token, groups, " \t") { ++ gid_t *tmp; ++ tmp = realloc(lxc_conf->init_groups, (lxc_conf->init_groups_len + 1) * sizeof(gid_t)); ++ if (!tmp) { ++ ERROR("Out of memory"); ++ goto on_error; ++ } ++ lxc_conf->init_groups = tmp; ++ tmp[lxc_conf->init_groups_len] = atoll(token); ++ lxc_conf->init_groups_len++; ++ } ++ ++ ret = 0; ++ ++on_error: ++ free(groups); ++ ++ return ret; ++} ++ + /* isulad: set config for populate device */ + static int set_config_populate_device(const char *key, const char *value, + struct lxc_conf *lxc_conf, void *data) +@@ -3947,7 +3986,25 @@ static int get_config_init_args(const char *key, char *retv, int inlen, + + for (i = 0; i < c->init_argc; i++) { + strprint(retv, inlen, "%s", c->init_argv[i]); +- } ++ } ++ ++ return fulllen; ++} ++ ++/* isulad: get config init groups */ ++static int get_config_init_groups(const char *key, char *retv, int inlen, ++ struct lxc_conf *c, void *data) ++{ ++ int i, len, fulllen = 0; ++ ++ if (!retv) ++ inlen = 0; ++ else ++ memset(retv, 0, inlen); ++ ++ for (i = 0; i < c->init_groups_len; i++) { ++ strprint(retv, inlen, "%u\n", c->init_groups[i]); ++ } + + return fulllen; + } +@@ -4836,6 +4893,13 @@ static inline int clr_config_init_args(const char *key, struct lxc_conf *c, + return lxc_clear_init_args(c); + } + ++/* isulad: clr config init args*/ ++static inline int clr_config_init_groups(const char *key, struct lxc_conf *c, ++ void *data) ++{ ++ return lxc_clear_init_groups(c); ++} ++ + /* isulad: clr config populate devices*/ + static inline int clr_config_populate_device(const char *key, struct lxc_conf *c, + void *data) +diff --git a/src/lxc/start.c b/src/lxc/start.c +index 2fca4e1..ae92c13 100644 +--- a/src/lxc/start.c ++++ b/src/lxc/start.c +@@ -1666,6 +1666,20 @@ static int do_start(void *data) + if (lxc_setup_env_home(new_uid) < 0) + goto out_warn_father; + ++ /* If we are in a new user namespace we already dropped all groups when ++ * we switched to root in the new user namespace further above. Only ++ * drop groups if we can, so ensure that we have necessary privilege. ++ */ ++ if (lxc_list_empty(&handler->conf->id_map)) ++ #if HAVE_LIBCAP ++ if (lxc_proc_cap_is_set(CAP_SETGID, CAP_EFFECTIVE)) ++ #endif ++ /* isulad: set groups for init process, and before we set uid and gid */ ++ if (!lxc_setgroups(handler->conf->init_groups_len, handler->conf->init_groups)) { ++ ERROR("Can not set groups"); ++ goto out_warn_father; ++ } ++ + /* Avoid unnecessary syscalls. */ + if (new_uid == nsuid) + new_uid = LXC_INVALID_UID; +@@ -1676,16 +1690,7 @@ static int do_start(void *data) + if (!lxc_switch_uid_gid(new_uid, new_gid)) + goto out_warn_father; + +- /* If we are in a new user namespace we already dropped all groups when +- * we switched to root in the new user namespace further above. Only +- * drop groups if we can, so ensure that we have necessary privilege. +- */ +- if (lxc_list_empty(&handler->conf->id_map)) +- #if HAVE_LIBCAP +- if (lxc_proc_cap_is_set(CAP_SETGID, CAP_EFFECTIVE)) +- #endif +- if (!lxc_setgroups(0, NULL)) +- goto out_warn_father; ++ + + ret = lxc_ambient_caps_down(); + if (ret < 0) { +-- +1.8.3.1 + diff --git a/0074-lxc-only-add-valid-fd-to-mainloop.patch b/0074-lxc-only-add-valid-fd-to-mainloop.patch new file mode 100644 index 0000000..2a0e250 --- /dev/null +++ b/0074-lxc-only-add-valid-fd-to-mainloop.patch @@ -0,0 +1,28 @@ +From df20c5c153b342c2aa49ebafbef8c1e334668e9a Mon Sep 17 00:00:00 2001 +From: tanyifeng +Date: Tue, 26 Mar 2019 16:11:13 +0800 +Subject: [PATCH 074/122] lxc: only add valid fd to mainloop + +Signed-off-by: tanyifeng +Signed-off-by: LiFeng +--- + src/lxc/mainloop.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/src/lxc/mainloop.c b/src/lxc/mainloop.c +index b169aa6..9603d1e 100644 +--- a/src/lxc/mainloop.c ++++ b/src/lxc/mainloop.c +@@ -85,6 +85,9 @@ int lxc_mainloop_add_handler(struct lxc_epoll_descr *descr, int fd, + struct mainloop_handler *handler; + struct lxc_list *item; + ++ if (fd < 0) ++ return 0; ++ + handler = malloc(sizeof(*handler)); + if (!handler) + return -1; +-- +1.8.3.1 + diff --git a/0075-lxc-add-timeout-for-attach.patch b/0075-lxc-add-timeout-for-attach.patch new file mode 100644 index 0000000..38dba02 --- /dev/null +++ b/0075-lxc-add-timeout-for-attach.patch @@ -0,0 +1,278 @@ +From d108c60ea9bf1c0a257659d07531e50d09897e48 Mon Sep 17 00:00:00 2001 +From: tanyifeng +Date: Wed, 3 Apr 2019 19:54:36 +0800 +Subject: [PATCH 075/122] lxc: add timeout for attach + +Signed-off-by: wujing +Signed-off-by: LiFeng +--- + src/lxc/attach.c | 79 ++++++++++++++++++++++++++++++++++++++++++++++ + src/lxc/attach_options.h | 1 + + src/lxc/tools/arguments.h | 4 +++ + src/lxc/tools/lxc_attach.c | 11 +++++++ + src/lxc/tools/lxc_start.c | 13 +------- + src/lxc/utils.c | 13 ++++++++ + src/lxc/utils.h | 2 ++ + 7 files changed, 111 insertions(+), 12 deletions(-) + +diff --git a/src/lxc/attach.c b/src/lxc/attach.c +index 618f2f1..79049c3 100644 +--- a/src/lxc/attach.c ++++ b/src/lxc/attach.c +@@ -69,6 +69,20 @@ + #include + #endif + ++typedef enum { ++ ATTACH_INIT, ++ ATTACH_TIMEOUT, ++ ATTACH_MAX, ++} attach_timeout_t; ++ ++static volatile attach_timeout_t g_attach_timeout_state = ATTACH_INIT; ++ ++struct attach_timeout_conf { ++ unsigned int timeout; ++ unsigned long long start_time; ++ pid_t pid; ++}; ++ + lxc_log_define(attach, lxc); + + /* Define default options if no options are supplied by the user. */ +@@ -1145,6 +1159,59 @@ static inline void lxc_attach_terminal_close_log(struct lxc_terminal *terminal) + terminal->log_fd = -EBADF; + } + ++/* isulad: attach timeout thread function */ ++static void* wait_attach_timeout(void *arg) ++{ ++ struct attach_timeout_conf *conf = (struct attach_timeout_conf *)arg; ++ ++ if (!conf || conf->timeout < 1) ++ goto out; ++ sleep(conf->timeout); ++ if (lxc_process_alive(conf->pid, conf->start_time)) { ++ g_attach_timeout_state = ATTACH_TIMEOUT; ++ if (kill(conf->pid, SIGKILL) < 0) { ++ ERROR("Failed to send signal %d to pid %d", SIGKILL, conf->pid); ++ } ++ } ++ ++out: ++ free(conf); ++ return ((void *)0); ++} ++ ++/* isulad: create attach timeout thread */ ++static int create_attach_timeout_thread(unsigned int attach_timeout, pid_t pid) ++{ ++ int ret = 0; ++ pthread_t ptid; ++ pthread_attr_t attr; ++ struct attach_timeout_conf *timeout_conf = NULL; ++ ++ timeout_conf = malloc(sizeof(struct attach_timeout_conf)); ++ if (!timeout_conf) { ++ ERROR("Failed to malloc attach timeout conf"); ++ ret = -1; ++ goto out; ++ } ++ ++ memset(timeout_conf, 0, sizeof(struct attach_timeout_conf)); ++ timeout_conf->timeout = attach_timeout; ++ timeout_conf->pid = pid; ++ timeout_conf->start_time = lxc_get_process_startat(pid); ++ ++ pthread_attr_init(&attr); ++ pthread_attr_setdetachstate(&attr, PTHREAD_CREATE_DETACHED); ++ ret = pthread_create(&ptid, &attr, wait_attach_timeout, timeout_conf); ++ if (ret != 0) { ++ ERROR("Create attach wait timeout thread failed"); ++ free(timeout_conf); ++ goto out; ++ } ++ ++out: ++ return ret; ++} ++ + int lxc_attach(const char *name, const char *lxcpath, + lxc_attach_exec_t exec_function, void *exec_payload, + lxc_attach_options_t *options, pid_t *attached_process, char **err_msg) +@@ -1481,6 +1548,13 @@ int lxc_attach(const char *name, const char *lxcpath, + + *attached_process = attached_pid; + ++ if (options->timeout > 0) { ++ ret = create_attach_timeout_thread(options->timeout, *attached_process); ++ if (ret) { ++ ERROR("Failed to create attach timeout thread for container."); ++ goto close_mainloop; ++ } ++ } + /* isulad: read error msg from pipe */ + ssize_t size_read; + char errbuf[BUFSIZ + 1] = {0}; +@@ -1510,6 +1584,11 @@ int lxc_attach(const char *name, const char *lxcpath, + } + } + ++ if (g_attach_timeout_state == ATTACH_TIMEOUT && err_msg != NULL && *err_msg == NULL) { ++ *err_msg = strdup("Attach exceeded timeout"); ++ if (!(*err_msg)) ++ ERROR("Out of memory"); ++ } + close_mainloop: + if (options->attach_flags & LXC_ATTACH_TERMINAL) + lxc_mainloop_close(&descr); +diff --git a/src/lxc/attach_options.h b/src/lxc/attach_options.h +index 71c1739..5e279ba 100644 +--- a/src/lxc/attach_options.h ++++ b/src/lxc/attach_options.h +@@ -137,6 +137,7 @@ typedef struct lxc_attach_options_t { + int log_fd; + + char *init_fifo[3]; /* isulad: default fifos for the start */ ++ unsigned int timeout;/* isulad: Seconds for waiting on a container to attach/exec before it is killed*/ + } lxc_attach_options_t; + + /*! Default attach options to use */ +diff --git a/src/lxc/tools/arguments.h b/src/lxc/tools/arguments.h +index d03f8a4..2fc90ad 100644 +--- a/src/lxc/tools/arguments.h ++++ b/src/lxc/tools/arguments.h +@@ -69,6 +69,9 @@ struct lxc_arguments { + const char *exit_monitor_fifo; /* isulad: fifo used to monitor state of monitor process */ + unsigned int start_timeout; /* isulad: Seconds for waiting on a container to start before it is killed*/ + ++ /* for lxc-attach */ ++ unsigned int attach_timeout; ++ + /* for lxc-console */ + unsigned int ttynum; + char escape; +@@ -187,6 +190,7 @@ struct lxc_arguments { + #define OPT_START_TIMEOUT OPT_USAGE - 12 + #define OPT_DISABLE_PTY OPT_USAGE - 13 + #define OPT_OPEN_STDIN OPT_USAGE - 14 ++#define OPT_ATTACH_TIMEOUT OPT_USAGE - 15 + + /* isulad add end*/ + +diff --git a/src/lxc/tools/lxc_attach.c b/src/lxc/tools/lxc_attach.c +index 674050d..2861ef4 100644 +--- a/src/lxc/tools/lxc_attach.c ++++ b/src/lxc/tools/lxc_attach.c +@@ -62,6 +62,7 @@ static char **extra_env; + static ssize_t extra_env_size; + static char **extra_keep; + static ssize_t extra_keep_size; ++static unsigned int timeout = 0; + + static const struct option my_longopts[] = { + {"elevated-privileges", optional_argument, 0, 'e'}, +@@ -78,6 +79,7 @@ static const struct option my_longopts[] = { + {"in-fifo", required_argument, 0, OPT_INPUT_FIFO}, /* isulad add terminal fifos*/ + {"out-fifo", required_argument, 0, OPT_OUTPUT_FIFO}, + {"err-fifo", required_argument, 0, OPT_STDERR_FIFO}, ++ {"timeout", required_argument, 0, OPT_ATTACH_TIMEOUT}, + LXC_COMMON_OPTIONS + }; + +@@ -128,6 +130,7 @@ Options :\n\ + multiple times.\n\ + -f, --rcfile=FILE\n\ + Load configuration file FILE\n\ ++ --timeout Timeout in seconds (default: 0)\n\ + ", + .options = my_longopts, + .parser = my_parser, +@@ -205,6 +208,13 @@ static int my_parser(struct lxc_arguments *args, int c, char *arg) + case OPT_STDERR_FIFO: + args->terminal_fifos[2] = arg; + break; ++ case OPT_ATTACH_TIMEOUT: ++ if(!is_non_negative_num(arg)) { ++ ERROR("Error attach timeout parameter:%s.\n", arg); ++ return -1; ++ } ++ args->attach_timeout = (unsigned int)atoi(arg); ++ break; + } + + return 0; +@@ -478,6 +488,7 @@ int main(int argc, char *argv[]) + attach_options.env_policy = env_policy; + attach_options.extra_env_vars = extra_env; + attach_options.extra_keep_env = extra_keep; ++ attach_options.timeout = my_args.attach_timeout; + + if (my_args.argc > 0) { + command.program = my_args.argv[0]; +diff --git a/src/lxc/tools/lxc_start.c b/src/lxc/tools/lxc_start.c +index 183fafc..af63f58 100644 +--- a/src/lxc/tools/lxc_start.c ++++ b/src/lxc/tools/lxc_start.c +@@ -49,6 +49,7 @@ + #include "config.h" + #include "confile.h" + #include "log.h" ++#include "utils.h" + + lxc_log_define(lxc_start, lxc); + +@@ -113,18 +114,6 @@ Options :\n\ + .pidfile = NULL, + }; + +-static bool is_non_negative_num(const char *s) +-{ +- if (!s || !strcmp(s, "")) +- return false; +- while(*s != '\0') { +- if(!isdigit(*s)) +- return false; +- ++s; +- } +- return true; +-} +- + static int my_parser(struct lxc_arguments *args, int c, char *arg) + { + switch (c) { +diff --git a/src/lxc/utils.c b/src/lxc/utils.c +index 480e6d0..69eb3e5 100644 +--- a/src/lxc/utils.c ++++ b/src/lxc/utils.c +@@ -2069,3 +2069,16 @@ out: + free(pid_info); + return alive; + } ++ ++bool is_non_negative_num(const char *s) ++{ ++ if (!s || !strcmp(s, "")) ++ return false; ++ while(*s != '\0') { ++ if(!isdigit(*s)) ++ return false; ++ ++s; ++ } ++ return true; ++} ++ +diff --git a/src/lxc/utils.h b/src/lxc/utils.h +index 73ffdd9..20407af 100644 +--- a/src/lxc/utils.h ++++ b/src/lxc/utils.h +@@ -322,4 +322,6 @@ extern void lxc_write_error_message(int errfd, const char *format, ...); + + extern bool lxc_process_alive(pid_t pid, unsigned long long start_time); + ++extern bool is_non_negative_num(const char *s); ++ + #endif /* __LXC_UTILS_H */ +-- +1.8.3.1 + diff --git a/0076-lxc-delete-unused-variable.patch b/0076-lxc-delete-unused-variable.patch new file mode 100644 index 0000000..96aaedc --- /dev/null +++ b/0076-lxc-delete-unused-variable.patch @@ -0,0 +1,26 @@ +From 5a3c172215974dccf41e456b39c8174aaa580cc8 Mon Sep 17 00:00:00 2001 +From: tanyifeng +Date: Thu, 4 Apr 2019 11:19:48 +0800 +Subject: [PATCH 076/122] lxc: delete unused variable + +Signed-off-by: wujing +Signed-off-by: LiFeng +--- + src/lxc/tools/lxc_attach.c | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/src/lxc/tools/lxc_attach.c b/src/lxc/tools/lxc_attach.c +index 2861ef4..440c0bc 100644 +--- a/src/lxc/tools/lxc_attach.c ++++ b/src/lxc/tools/lxc_attach.c +@@ -62,7 +62,6 @@ static char **extra_env; + static ssize_t extra_env_size; + static char **extra_keep; + static ssize_t extra_keep_size; +-static unsigned int timeout = 0; + + static const struct option my_longopts[] = { + {"elevated-privileges", optional_argument, 0, 'e'}, +-- +1.8.3.1 + diff --git a/0077-lxc-set-negative-files.limit-to-max-and-fix-bug-of-s.patch b/0077-lxc-set-negative-files.limit-to-max-and-fix-bug-of-s.patch new file mode 100644 index 0000000..103b251 --- /dev/null +++ b/0077-lxc-set-negative-files.limit-to-max-and-fix-bug-of-s.patch @@ -0,0 +1,117 @@ +From fe7032c4ed978c38beb00804abb46ad691c0a83c Mon Sep 17 00:00:00 2001 +From: tanyifeng +Date: Tue, 2 Apr 2019 23:59:20 -0400 +Subject: [PATCH 077/122] lxc: set negative files.limit to max and fix bug of + setting homedir + +Signed-off-by: tanyifeng +Signed-off-by: LiFeng +--- + src/lxc/cgroups/cgfsng.c | 19 +++++++++++++++---- + src/lxc/storage/storage.c | 5 ++--- + src/lxc/utils.c | 29 ++++++++++++++++++++--------- + 3 files changed, 37 insertions(+), 16 deletions(-) + +diff --git a/src/lxc/cgroups/cgfsng.c b/src/lxc/cgroups/cgfsng.c +index 62d58f9..cc08737 100644 +--- a/src/lxc/cgroups/cgfsng.c ++++ b/src/lxc/cgroups/cgfsng.c +@@ -2259,19 +2259,30 @@ static bool __cg_legacy_setup_limits(struct cgroup_ops *ops, + cg = iterator->elem; + + if (do_devices == !strncmp("devices", cg->subsystem, 7)) { +- if (cg_legacy_set_data(ops, cg->subsystem, cg->value)) { ++ const char *cgvalue = cg->value; ++ if (strcmp(cg->subsystem, "files.limit") == 0) { ++ if (lxc_safe_long_long(cgvalue, &setvalue) != 0) { ++ SYSERROR("Invalid integer value %s", cgvalue); ++ goto out; ++ } ++ if (setvalue <= 0) { ++ cgvalue = "max"; ++ } ++ } ++ if (cg_legacy_set_data(ops, cg->subsystem, cgvalue)) { + if (do_devices && (errno == EACCES || errno == EPERM)) { + WARN("Failed to set \"%s\" to \"%s\"", +- cg->subsystem, cg->value); ++ cg->subsystem, cgvalue); + continue; + } + WARN("Failed to set \"%s\" to \"%s\"", +- cg->subsystem, cg->value); ++ cg->subsystem, cgvalue); + goto out; + } + DEBUG("Set controller \"%s\" set to \"%s\"", +- cg->subsystem, cg->value); ++ cg->subsystem, cgvalue); + } ++ + // isulad: check cpu shares + if (strcmp(cg->subsystem, "cpu.shares") == 0) { + if (cg_legacy_get_data(ops, cg->subsystem, value, sizeof(value)) < 0) { +diff --git a/src/lxc/storage/storage.c b/src/lxc/storage/storage.c +index 88ed788..fa79762 100644 +--- a/src/lxc/storage/storage.c ++++ b/src/lxc/storage/storage.c +@@ -611,9 +611,8 @@ bool storage_destroy(struct lxc_conf *conf) + + r = storage_init(conf); + if (r == NULL) { +- ERROR("%s 's storage init failed, the storage may be deleted already", conf->name); +- ret = true; +- return ret; ++ WARN("%s 's storage init failed, the storage may be deleted already", conf->name); ++ return true; + } + + destroy_rv = r->ops->destroy(r); +diff --git a/src/lxc/utils.c b/src/lxc/utils.c +index 69eb3e5..7b82d06 100644 +--- a/src/lxc/utils.c ++++ b/src/lxc/utils.c +@@ -1873,20 +1873,31 @@ int lxc_setup_keyring(void) + // isulad: set env home in container + int lxc_setup_env_home(uid_t uid) + { +-#define __DEFAULT_HOMEDIR__ "/" ++#define __PASSWD_FILE__ "/etc/passwd" + int ret = 0; +- char *homedir; +- struct passwd pwd, *result = NULL; ++ char *homedir = "/"; // default home dir is / ++ FILE *stream = NULL; ++ struct passwd pw, *pwbufp = NULL; + char buf[BUFSIZ]; + +- ret = getpwuid_r(uid, &pwd, buf, BUFSIZ, &result); +- if (ret || !result || !result->pw_dir) { +- WARN("User invalid, can not find user '%u'", uid); +- homedir = __DEFAULT_HOMEDIR__; +- } else { +- homedir = result->pw_dir; ++ stream = fopen_cloexec(__PASSWD_FILE__, "r"); ++ if (stream == NULL) { ++ SYSWARN("Failed to open %s: %s", __PASSWD_FILE__); ++ goto set_env; + } + ++ while (fgetpwent_r(stream, &pw, buf, sizeof(buf), &pwbufp) == 0 && pwbufp != NULL) { ++ if (pwbufp->pw_uid == uid) { ++ homedir = pwbufp->pw_dir; ++ goto set_env; ++ } ++ } ++ WARN("User invalid, can not find user '%u'", uid); ++ ++set_env: ++ if (stream) ++ fclose(stream); ++ + // if we didn't configure HOME, set it based on uid + if (setenv("HOME", homedir, 0) < 0) { + SYSERROR("Unable to set env 'HOME'"); +-- +1.8.3.1 + diff --git a/0078-Run-pre-start-hook-before-chroot.patch b/0078-Run-pre-start-hook-before-chroot.patch new file mode 100644 index 0000000..809ef89 --- /dev/null +++ b/0078-Run-pre-start-hook-before-chroot.patch @@ -0,0 +1,70 @@ +From ca1c7f86ddadd194c2347e2ccd6b216f1403e273 Mon Sep 17 00:00:00 2001 +From: LiFeng +Date: Wed, 3 Apr 2019 23:36:04 -0400 +Subject: [PATCH 078/122] Run pre-start hook before chroot + +Signed-off-by: LiFeng +--- + src/lxc/conf.c | 7 +++++++ + src/lxc/start.c | 6 ++++++ + src/lxc/sync.h | 2 ++ + 3 files changed, 15 insertions(+) + +diff --git a/src/lxc/conf.c b/src/lxc/conf.c +index 58fc059..a9421c5 100644 +--- a/src/lxc/conf.c ++++ b/src/lxc/conf.c +@@ -82,6 +82,7 @@ + #include "loop.h" + #include "path.h" + #include "utils.h" ++#include "sync.h" + + #ifdef MAJOR_IN_MKDEV + #include +@@ -4186,6 +4187,12 @@ int lxc_setup(struct lxc_handler *handler) + goto on_error; + } + ++ /* Ask father to run start host hooks and wait for him to finish. */ ++ if (lxc_sync_barrier_parent(handler, LXC_SYNC_START_HOST_HOOK)) { ++ ERROR("Failed to sync parent to start host hook"); ++ goto on_error; ++ } ++ + ret = lxc_setup_rootfs_switch_root(&lxc_conf->rootfs); + if (ret < 0) { + ERROR("Failed to pivot root into rootfs"); +diff --git a/src/lxc/start.c b/src/lxc/start.c +index ae92c13..10f922d 100644 +--- a/src/lxc/start.c ++++ b/src/lxc/start.c +@@ -2204,6 +2204,12 @@ static int lxc_spawn(struct lxc_handler *handler) + goto out_delete_net; + } + ++ /* Tell the child to continue its initialization. We'll get ++ * LXC_SYNC_CGROUP when it is ready for us to setup cgroups. ++ */ ++ if (lxc_sync_barrier_child(handler, LXC_SYNC_POST_START_HOST_HOOK)) ++ goto out_delete_net; ++ + /* Tell the child to complete its initialization and wait for it to exec + * or return an error. (The child will never return + * LXC_SYNC_READY_START+1. It will either close the sync pipe, causing +diff --git a/src/lxc/sync.h b/src/lxc/sync.h +index 5c0fb34..787911d 100644 +--- a/src/lxc/sync.h ++++ b/src/lxc/sync.h +@@ -31,6 +31,8 @@ enum { + LXC_SYNC_POST_CONFIGURE, + LXC_SYNC_CGROUP, + LXC_SYNC_CGROUP_UNSHARE, ++ LXC_SYNC_START_HOST_HOOK, ++ LXC_SYNC_POST_START_HOST_HOOK, + LXC_SYNC_CGROUP_LIMITS, + LXC_SYNC_READY_START, + LXC_SYNC_RESTART, +-- +1.8.3.1 + diff --git a/0079-inherid-env-from-parent-in-oci-hooks.patch b/0079-inherid-env-from-parent-in-oci-hooks.patch new file mode 100644 index 0000000..53a8040 --- /dev/null +++ b/0079-inherid-env-from-parent-in-oci-hooks.patch @@ -0,0 +1,29 @@ +From b19fca11de19c05c4035fd98842810dfb102aa7b Mon Sep 17 00:00:00 2001 +From: liuhao +Date: Thu, 4 Apr 2019 17:21:56 +0800 +Subject: [PATCH 079/122] inherid env from parent in oci hooks + +env: LD_LIBRAY_PAHT and PATH + +Signed-off-by: liuhao +Signed-off-by: LiFeng +--- + src/lxc/conf.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/lxc/conf.c b/src/lxc/conf.c +index a9421c5..20eb840 100644 +--- a/src/lxc/conf.c ++++ b/src/lxc/conf.c +@@ -4420,7 +4420,7 @@ static char **merge_ocihook_env(char **oldenvs, size_t env_len, size_t *merge_en + size_t result_len = env_len; + size_t i, j; + char *tmpenv; +- char *lxc_envs[] = {"LXC_CGNS_AWARE", "LXC_PID", "LXC_ROOTFS_MOUNT", ++ char *lxc_envs[] = {"LD_LIBRARY_PATH", "PATH", "LXC_CGNS_AWARE", "LXC_PID", "LXC_ROOTFS_MOUNT", + "LXC_CONFIG_FILE", "LXC_CGROUP_PATH", "LXC_ROOTFS_PATH", "LXC_NAME"}; + char *lxcenv_buf; + +-- +1.8.3.1 + diff --git a/0080-lxc-fix-compile-error.patch b/0080-lxc-fix-compile-error.patch new file mode 100644 index 0000000..9a0787d --- /dev/null +++ b/0080-lxc-fix-compile-error.patch @@ -0,0 +1,35 @@ +From ff3a4e1e01afe4cabd6dfae8400b3bfa5803567d Mon Sep 17 00:00:00 2001 +From: tanyifeng +Date: Mon, 8 Apr 2019 08:29:46 -0400 +Subject: [PATCH 080/122] lxc: fix compile error + +Signed-off-by: tanyifeng +Signed-off-by: LiFeng +--- + src/lxc/utils.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/src/lxc/utils.c b/src/lxc/utils.c +index 7b82d06..fd6075f 100644 +--- a/src/lxc/utils.c ++++ b/src/lxc/utils.c +@@ -1874,7 +1874,6 @@ int lxc_setup_keyring(void) + int lxc_setup_env_home(uid_t uid) + { + #define __PASSWD_FILE__ "/etc/passwd" +- int ret = 0; + char *homedir = "/"; // default home dir is / + FILE *stream = NULL; + struct passwd pw, *pwbufp = NULL; +@@ -1882,7 +1881,7 @@ int lxc_setup_env_home(uid_t uid) + + stream = fopen_cloexec(__PASSWD_FILE__, "r"); + if (stream == NULL) { +- SYSWARN("Failed to open %s: %s", __PASSWD_FILE__); ++ SYSWARN("Failed to open %s", __PASSWD_FILE__); + goto set_env; + } + +-- +1.8.3.1 + diff --git a/0081-lxc-Change-the-range-of-attach-timeout.patch b/0081-lxc-Change-the-range-of-attach-timeout.patch new file mode 100644 index 0000000..2ed2601 --- /dev/null +++ b/0081-lxc-Change-the-range-of-attach-timeout.patch @@ -0,0 +1,78 @@ +From d2711e184061fd4c03413667e4e9b44ae741d901 Mon Sep 17 00:00:00 2001 +From: tanyifeng +Date: Mon, 8 Apr 2019 16:42:43 +0800 +Subject: [PATCH 081/122] lxc: Change the range of attach timeout + +Signed-off-by: wujing +Signed-off-by: LiFeng +--- + src/lxc/attach.c | 4 ++-- + src/lxc/attach_options.h | 2 +- + src/lxc/tools/arguments.h | 2 +- + src/lxc/tools/lxc_attach.c | 2 +- + 4 files changed, 5 insertions(+), 5 deletions(-) + +diff --git a/src/lxc/attach.c b/src/lxc/attach.c +index 79049c3..6480eb9 100644 +--- a/src/lxc/attach.c ++++ b/src/lxc/attach.c +@@ -78,7 +78,7 @@ typedef enum { + static volatile attach_timeout_t g_attach_timeout_state = ATTACH_INIT; + + struct attach_timeout_conf { +- unsigned int timeout; ++ int64_t timeout; + unsigned long long start_time; + pid_t pid; + }; +@@ -1180,7 +1180,7 @@ out: + } + + /* isulad: create attach timeout thread */ +-static int create_attach_timeout_thread(unsigned int attach_timeout, pid_t pid) ++static int create_attach_timeout_thread(int64_t attach_timeout, pid_t pid) + { + int ret = 0; + pthread_t ptid; +diff --git a/src/lxc/attach_options.h b/src/lxc/attach_options.h +index 5e279ba..9744a2e 100644 +--- a/src/lxc/attach_options.h ++++ b/src/lxc/attach_options.h +@@ -137,7 +137,7 @@ typedef struct lxc_attach_options_t { + int log_fd; + + char *init_fifo[3]; /* isulad: default fifos for the start */ +- unsigned int timeout;/* isulad: Seconds for waiting on a container to attach/exec before it is killed*/ ++ int64_t timeout;/* isulad: Seconds for waiting on a container to attach/exec before it is killed*/ + } lxc_attach_options_t; + + /*! Default attach options to use */ +diff --git a/src/lxc/tools/arguments.h b/src/lxc/tools/arguments.h +index 2fc90ad..de02aeb 100644 +--- a/src/lxc/tools/arguments.h ++++ b/src/lxc/tools/arguments.h +@@ -70,7 +70,7 @@ struct lxc_arguments { + unsigned int start_timeout; /* isulad: Seconds for waiting on a container to start before it is killed*/ + + /* for lxc-attach */ +- unsigned int attach_timeout; ++ int64_t attach_timeout; + + /* for lxc-console */ + unsigned int ttynum; +diff --git a/src/lxc/tools/lxc_attach.c b/src/lxc/tools/lxc_attach.c +index 440c0bc..854b3a2 100644 +--- a/src/lxc/tools/lxc_attach.c ++++ b/src/lxc/tools/lxc_attach.c +@@ -212,7 +212,7 @@ static int my_parser(struct lxc_arguments *args, int c, char *arg) + ERROR("Error attach timeout parameter:%s.\n", arg); + return -1; + } +- args->attach_timeout = (unsigned int)atoi(arg); ++ args->attach_timeout = (unsigned int)atoll(arg); + break; + } + +-- +1.8.3.1 + diff --git a/0082-lxc-fix-memory-leak-cause-by-setenv.patch b/0082-lxc-fix-memory-leak-cause-by-setenv.patch new file mode 100644 index 0000000..c626eb7 --- /dev/null +++ b/0082-lxc-fix-memory-leak-cause-by-setenv.patch @@ -0,0 +1,150 @@ +From 767d1b2f9bb323de16658a080b314c5f8feaec67 Mon Sep 17 00:00:00 2001 +From: liuhao +Date: Thu, 11 Apr 2019 15:27:31 +0800 +Subject: [PATCH 082/122] lxc: fix memory leak cause by setenv + +isulad will call do_lxcapi_clean_resource(), so setenv at here, will +change env of isulad. + +Signed-off-by: liuhao +Signed-off-by: LiFeng +--- + src/lxc/start.c | 107 ++++++++++++++++++++++++++++++++++++++++---------------- + 1 file changed, 76 insertions(+), 31 deletions(-) + +diff --git a/src/lxc/start.c b/src/lxc/start.c +index 10f922d..87e07d3 100644 +--- a/src/lxc/start.c ++++ b/src/lxc/start.c +@@ -2635,44 +2635,85 @@ on_error: + } + + /*isulad: set env for clean resources */ +-static void clean_resource_set_env(struct lxc_handler *handler) ++static int clean_resource_set_env(struct lxc_handler *handler) + { + const char *name = handler->name; + struct lxc_conf *conf = handler->conf; +- char pidstr[20]; +- +- /* Start of environment variable setup for hooks. */ +- if (name && setenv("LXC_NAME", name, 1)) +- SYSERROR("Failed to set environment variable: LXC_NAME=%s.", name); +- +- if (conf->rcfile && setenv("LXC_CONFIG_FILE", conf->rcfile, 1)) +- SYSERROR("Failed to set environment variable: LXC_CONFIG_FILE=%s.", conf->rcfile); +- +- if (conf->rootfs.mount && setenv("LXC_ROOTFS_MOUNT", conf->rootfs.mount, 1)) +- SYSERROR("Failed to set environment variable: LXC_ROOTFS_MOUNT=%s.", conf->rootfs.mount); ++ char bufstr[PATH_MAX + 1]; ++ int i = 0; ++ int j = 0; ++ int len = 2; //set "LXC_PID" and "LXC_CGNS_AWARE" + +- if (conf->rootfs.path && setenv("LXC_ROOTFS_PATH", conf->rootfs.path, 1)) +- SYSERROR("Failed to set environment variable: LXC_ROOTFS_PATH=%s.", conf->rootfs.path); +- +- if (conf->console.path && setenv("LXC_CONSOLE", conf->console.path, 1)) +- SYSERROR("Failed to set environment variable: LXC_CONSOLE=%s.", conf->console.path); +- +- if (conf->console.log_path && setenv("LXC_CONSOLE_LOGPATH", conf->console.log_path, 1)) +- SYSERROR("Failed to set environment variable: LXC_CONSOLE_LOGPATH=%s.", conf->console.log_path); +- +- if (setenv("LXC_CGNS_AWARE", "1", 1)) +- SYSERROR("Failed to set environment variable LXC_CGNS_AWARE=1."); ++ if (conf == NULL || conf->ocihooks == NULL || conf->ocihooks->poststop_len == 0) { ++ return 0; ++ } + ++ if (name) { ++ len++; ++ } ++ if (conf->rcfile) { ++ len++; ++ } ++ if (conf->rootfs.mount) { ++ len++; ++ } ++ if (conf->rootfs.path) { ++ len++; ++ } ++ if (conf->console.path) { ++ len++; ++ } ++ if (conf->console.log_path) { ++ len++; ++ } ++ if (handler->cgroup_ops->container_cgroup) { ++ len++; ++ } + +- snprintf(pidstr, 20, "%d", handler->pid); +- if (setenv("LXC_PID", pidstr, 1)) +- SYSERROR("Failed to set environment variable: LXC_PID=%s.", pidstr); ++ for (; i < conf->ocihooks->poststop_len; i++) { ++ size_t cap = conf->ocihooks->poststop[i]->env_len; ++ size_t newcap = cap + len + 1; ++ if (lxc_grow_array((void ***)&(conf->ocihooks->poststop[i]->env), &cap, newcap, 1) != 0) { ++ return -1; ++ } ++ j = conf->ocihooks->poststop[i]->env_len; ++ /* Start of environment variable setup for hooks. */ ++ if (name) { ++ snprintf(bufstr, PATH_MAX + 1, "LXC_NAME=%s", name); ++ conf->ocihooks->poststop[i]->env[j++] = strdup(bufstr); ++ } ++ if (conf->rcfile) { ++ snprintf(bufstr, PATH_MAX + 1, "LXC_CONFIG_FILE=%s", conf->rcfile); ++ conf->ocihooks->poststop[i]->env[j++] = strdup(bufstr); ++ } ++ if (conf->rootfs.mount) { ++ snprintf(bufstr, PATH_MAX + 1, "LXC_ROOTFS_MOUNT=%s", conf->rootfs.mount); ++ conf->ocihooks->poststop[i]->env[j++] = strdup(bufstr); ++ } ++ if (conf->rootfs.path) { ++ snprintf(bufstr, PATH_MAX + 1, "LXC_ROOTFS_PATH=%s", conf->rootfs.path); ++ conf->ocihooks->poststop[i]->env[j++] = strdup(bufstr); ++ } ++ if (conf->console.path) { ++ snprintf(bufstr, PATH_MAX + 1, "LXC_CONSOLE=%s", conf->console.path); ++ conf->ocihooks->poststop[i]->env[j++] = strdup(bufstr); ++ } ++ if (conf->console.log_path) { ++ snprintf(bufstr, PATH_MAX + 1, "LXC_CONSOLE_LOGPATH=%s", conf->console.log_path); ++ conf->ocihooks->poststop[i]->env[j++] = strdup(bufstr); ++ } ++ conf->ocihooks->poststop[i]->env[j++] = strdup("LXC_CGNS_AWARE=1"); + +- if (handler->cgroup_ops->container_cgroup) { +- if (setenv("LXC_CGROUP_PATH", handler->cgroup_ops->container_cgroup, 1)) +- SYSERROR("Failed to set environment variable: LXC_CGROUP_PATH=%s.", handler->cgroup_ops->container_cgroup); ++ snprintf(bufstr, PATH_MAX + 1, "LXC_PID=%d", handler->pid); ++ conf->ocihooks->poststop[i]->env[j++] = strdup(bufstr); ++ if (handler->cgroup_ops->container_cgroup) { ++ snprintf(bufstr, PATH_MAX + 1, "LXC_CGROUP_PATH=%s", handler->cgroup_ops->container_cgroup); ++ conf->ocihooks->poststop[i]->env[j++] = strdup(bufstr); ++ } ++ conf->ocihooks->poststop[i]->env_len = j; ++ /* End of environment variable setup for hooks. */ + } +- /* End of environment variable setup for hooks. */ ++ return 0; + } + + /*isulad: do_lxcapi_clean_resource */ +@@ -2690,7 +2731,11 @@ int do_lxcapi_clean_resource(char *name, char *lxcpath, struct lxc_conf *conf, p + goto out; + } + +- clean_resource_set_env(handler); ++ if (clean_resource_set_env(handler) != 0) { ++ ERROR("Failed to set env for poststop hooks"); ++ ret = -1; ++ goto out; ++ } + // if we shared pid namespace with others, should kill all processes within container cgroup + if (handler->conf->ns_share[LXC_NS_PID] != NULL) { + signal_all_processes(handler); +-- +1.8.3.1 + diff --git a/0083-lxc-free-lxc-handler.patch b/0083-lxc-free-lxc-handler.patch new file mode 100644 index 0000000..faf83b4 --- /dev/null +++ b/0083-lxc-free-lxc-handler.patch @@ -0,0 +1,41 @@ +From 6688394517b79adc2ea1b2d65c66cf9af29ba251 Mon Sep 17 00:00:00 2001 +From: liuhao +Date: Thu, 11 Apr 2019 20:34:51 +0800 +Subject: [PATCH 083/122] lxc: free lxc-handler + +free handler if failed + +Signed-off-by: liuhao +Signed-off-by: LiFeng +--- + src/lxc/start.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/src/lxc/start.c b/src/lxc/start.c +index 87e07d3..f1cd7fa 100644 +--- a/src/lxc/start.c ++++ b/src/lxc/start.c +@@ -695,6 +695,10 @@ void lxc_zero_handler(struct lxc_handler *handler) + + void lxc_free_handler(struct lxc_handler *handler) + { ++ if (handler == NULL) { ++ return; ++ } ++ + if (handler->pinfd >= 0) + close(handler->pinfd); + +@@ -2761,8 +2765,8 @@ retry: + ret = -1; + } + +- lxc_free_handler(handler); + out: ++ lxc_free_handler(handler); + return ret; + } + +-- +1.8.3.1 + diff --git a/0084-lxc-memory-leak-of-lxc_grow_array.patch b/0084-lxc-memory-leak-of-lxc_grow_array.patch new file mode 100644 index 0000000..5d80c50 --- /dev/null +++ b/0084-lxc-memory-leak-of-lxc_grow_array.patch @@ -0,0 +1,28 @@ +From fd9efbdd077e8cc2a7b825e6f632b5bf4a3473e1 Mon Sep 17 00:00:00 2001 +From: liuhao +Date: Thu, 11 Apr 2019 22:36:42 +0800 +Subject: [PATCH 084/122] lxc: memory leak of lxc_grow_array + +fix memory leak of lxc_grow_array + +Signed-off-by: liuhao +Signed-off-by: LiFeng +--- + src/lxc/string_utils.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/src/lxc/string_utils.c b/src/lxc/string_utils.c +index 0d7538c..31c4340 100644 +--- a/src/lxc/string_utils.c ++++ b/src/lxc/string_utils.c +@@ -523,6 +523,7 @@ int lxc_grow_array(void ***array, size_t *capacity, size_t new_size, size_t capa + /* first time around, catch some trivial mistakes of the user + * only initializing one of these */ + if (!*array || !*capacity) { ++ free(*array); + *array = NULL; + *capacity = 0; + } +-- +1.8.3.1 + diff --git a/0085-lxc-update-json-file-from-isulad.patch b/0085-lxc-update-json-file-from-isulad.patch new file mode 100644 index 0000000..75d6c2f --- /dev/null +++ b/0085-lxc-update-json-file-from-isulad.patch @@ -0,0 +1,1089 @@ +From c378f6d33dc28604b317eb93f040ce371ceb152c Mon Sep 17 00:00:00 2001 +From: tanyifeng +Date: Fri, 12 Apr 2019 06:06:12 -0400 +Subject: [PATCH 085/122] lxc: update json file from isulad + +Signed-off-by: tanyifeng +Signed-off-by: LiFeng +--- + src/lxc/json/defs.c | 38 +++++----- + src/lxc/json/json_common.c | 160 +++++++++++++++++++-------------------- + src/lxc/json/json_common.h | 2 +- + src/lxc/json/logger_json_file.c | 50 ++++++------ + src/lxc/json/oci_runtime_hooks.c | 3 +- + src/lxc/json/oci_runtime_spec.c | 32 ++++---- + 6 files changed, 142 insertions(+), 143 deletions(-) + +diff --git a/src/lxc/json/defs.c b/src/lxc/json/defs.c +index 38df2f7..e7d9a09 100644 +--- a/src/lxc/json/defs.c ++++ b/src/lxc/json/defs.c +@@ -15,20 +15,20 @@ defs_hook *make_defs_hook(yajl_val tree, struct parser_context *ctx, parser_erro + ret = safe_malloc(sizeof(*ret)); + { + yajl_val val = get_val(tree, "path", yajl_t_string); +- if (val) { ++ if (val != NULL) { + char *str = YAJL_GET_STRING(val); + ret->path = safe_strdup(str ? str : ""); + } + } + { + yajl_val tmp = get_val(tree, "args", yajl_t_array); +- if (tmp && YAJL_GET_ARRAY(tmp)) { ++ if (tmp != NULL && YAJL_GET_ARRAY(tmp) != NULL && YAJL_GET_ARRAY(tmp)->len > 0) { + size_t i; + ret->args_len = YAJL_GET_ARRAY(tmp)->len; + ret->args = safe_malloc((YAJL_GET_ARRAY(tmp)->len + 1) * sizeof(*ret->args)); + for (i = 0; i < YAJL_GET_ARRAY(tmp)->len; i++) { + yajl_val val = YAJL_GET_ARRAY(tmp)->values[i]; +- if (val) { ++ if (val != NULL) { + char *str = YAJL_GET_STRING(val); + ret->args[i] = safe_strdup(str ? str : ""); + } +@@ -37,13 +37,13 @@ defs_hook *make_defs_hook(yajl_val tree, struct parser_context *ctx, parser_erro + } + { + yajl_val tmp = get_val(tree, "env", yajl_t_array); +- if (tmp && YAJL_GET_ARRAY(tmp)) { ++ if (tmp != NULL && YAJL_GET_ARRAY(tmp) != NULL && YAJL_GET_ARRAY(tmp)->len > 0) { + size_t i; + ret->env_len = YAJL_GET_ARRAY(tmp)->len; + ret->env = safe_malloc((YAJL_GET_ARRAY(tmp)->len + 1) * sizeof(*ret->env)); + for (i = 0; i < YAJL_GET_ARRAY(tmp)->len; i++) { + yajl_val val = YAJL_GET_ARRAY(tmp)->values[i]; +- if (val) { ++ if (val != NULL) { + char *str = YAJL_GET_STRING(val); + ret->env[i] = safe_strdup(str ? str : ""); + } +@@ -52,7 +52,7 @@ defs_hook *make_defs_hook(yajl_val tree, struct parser_context *ctx, parser_erro + } + { + yajl_val val = get_val(tree, "timeout", yajl_t_number); +- if (val) { ++ if (val != NULL) { + int invalid = common_safe_int(YAJL_GET_NUMBER(val), (int *)&ret->timeout); + if (invalid) { + if (asprintf(err, "Invalid value '%s' with type 'integer' for key 'timeout': %s", YAJL_GET_NUMBER(val), strerror(-invalid)) < 0) +@@ -84,14 +84,14 @@ defs_hook *make_defs_hook(yajl_val tree, struct parser_context *ctx, parser_erro + } + + void free_defs_hook(defs_hook *ptr) { +- if (!ptr) ++ if (ptr == NULL) + return; + free(ptr->path); + ptr->path = NULL; +- if (ptr->args) { ++ if (ptr->args != NULL) { + size_t i; + for (i = 0; i < ptr->args_len; i++) { +- if (ptr->args[i]) { ++ if (ptr->args[i] != NULL) { + free(ptr->args[i]); + ptr->args[i] = NULL; + } +@@ -99,10 +99,10 @@ void free_defs_hook(defs_hook *ptr) { + free(ptr->args); + ptr->args = NULL; + } +- if (ptr->env) { ++ if (ptr->env != NULL) { + size_t i; + for (i = 0; i < ptr->env_len; i++) { +- if (ptr->env[i]) { ++ if (ptr->env[i] != NULL) { + free(ptr->env[i]); + ptr->env[i] = NULL; + } +@@ -119,24 +119,24 @@ yajl_gen_status gen_defs_hook(yajl_gen g, defs_hook *ptr, struct parser_context + stat = reformat_start_map(g); + if (yajl_gen_status_ok != stat) + GEN_SET_ERROR_AND_RETURN(stat, err); +- if ((ctx->options & GEN_OPTIONS_ALLKEYVALUE) ||(ptr && ptr->path)) { ++ if ((ctx->options & GEN_OPTIONS_ALLKEYVALUE) ||(ptr != NULL && ptr->path != NULL)) { + char *str = ""; + stat = reformat_map_key(g, "path", strlen("path")); + if (yajl_gen_status_ok != stat) + GEN_SET_ERROR_AND_RETURN(stat, err); +- if (ptr && ptr->path) { ++ if (ptr != NULL && ptr->path != NULL) { + str = ptr->path; + } + stat = reformat_string(g, str, strlen(str)); + if (yajl_gen_status_ok != stat) + GEN_SET_ERROR_AND_RETURN(stat, err); + } +- if ((ctx->options & GEN_OPTIONS_ALLKEYVALUE) ||(ptr && ptr->args)) { ++ if ((ctx->options & GEN_OPTIONS_ALLKEYVALUE) || (ptr != NULL && ptr->args != NULL)) { + size_t len = 0, i; + stat = reformat_map_key(g, "args", strlen("args")); + if (yajl_gen_status_ok != stat) + GEN_SET_ERROR_AND_RETURN(stat, err); +- if (ptr && ptr->args) { ++ if (ptr != NULL && ptr->args != NULL) { + len = ptr->args_len; + } + if (!len && !(ctx->options & GEN_OPTIONS_SIMPLIFY)) +@@ -155,12 +155,12 @@ yajl_gen_status gen_defs_hook(yajl_gen g, defs_hook *ptr, struct parser_context + if (!len && !(ctx->options & GEN_OPTIONS_SIMPLIFY)) + yajl_gen_config(g, yajl_gen_beautify, 1); + } +- if ((ctx->options & GEN_OPTIONS_ALLKEYVALUE) ||(ptr && ptr->env)) { ++ if ((ctx->options & GEN_OPTIONS_ALLKEYVALUE) || (ptr != NULL && ptr->env != NULL)) { + size_t len = 0, i; + stat = reformat_map_key(g, "env", strlen("env")); + if (yajl_gen_status_ok != stat) + GEN_SET_ERROR_AND_RETURN(stat, err); +- if (ptr && ptr->env) { ++ if (ptr != NULL && ptr->env != NULL) { + len = ptr->env_len; + } + if (!len && !(ctx->options & GEN_OPTIONS_SIMPLIFY)) +@@ -179,12 +179,12 @@ yajl_gen_status gen_defs_hook(yajl_gen g, defs_hook *ptr, struct parser_context + if (!len && !(ctx->options & GEN_OPTIONS_SIMPLIFY)) + yajl_gen_config(g, yajl_gen_beautify, 1); + } +- if ((ctx->options & GEN_OPTIONS_ALLKEYVALUE) ||(ptr && ptr->timeout)) { ++ if ((ctx->options & GEN_OPTIONS_ALLKEYVALUE) ||(ptr != NULL && ptr->timeout)) { + long long int num = 0; + stat = reformat_map_key(g, "timeout", strlen("timeout")); + if (yajl_gen_status_ok != stat) + GEN_SET_ERROR_AND_RETURN(stat, err); +- if (ptr && ptr->timeout) { ++ if (ptr != NULL && ptr->timeout) { + num = (long long int)ptr->timeout; + } + stat = reformat_int(g, num); +diff --git a/src/lxc/json/json_common.c b/src/lxc/json/json_common.c +index e339ab3..54b7b61 100755 +--- a/src/lxc/json/json_common.c ++++ b/src/lxc/json/json_common.c +@@ -111,7 +111,7 @@ int common_safe_double(const char *numstr, double *converted) { + char *err_str = NULL; + double d; + +- if (!numstr) { ++ if (numstr == NULL) { + return -EINVAL; + } + +@@ -121,7 +121,7 @@ int common_safe_double(const char *numstr, double *converted) { + return -errno; + } + +- if (!err_str || err_str == numstr || *err_str != '\0') { ++ if (err_str == NULL || err_str == numstr || *err_str != '\0') { + return -EINVAL; + } + +@@ -133,7 +133,7 @@ int common_safe_uint8(const char *numstr, uint8_t *converted) { + char *err = NULL; + unsigned long int uli; + +- if (!numstr) { ++ if (numstr == NULL) { + return -EINVAL; + } + +@@ -143,7 +143,7 @@ int common_safe_uint8(const char *numstr, uint8_t *converted) { + return -errno; + } + +- if (!err || err == numstr || *err != '\0') { ++ if (err == NULL || err == numstr || *err != '\0') { + return -EINVAL; + } + +@@ -159,7 +159,7 @@ int common_safe_uint16(const char *numstr, uint16_t *converted) { + char *err = NULL; + unsigned long int uli; + +- if (!numstr) { ++ if (numstr == NULL) { + return -EINVAL; + } + +@@ -169,7 +169,7 @@ int common_safe_uint16(const char *numstr, uint16_t *converted) { + return -errno; + } + +- if (!err || err == numstr || *err != '\0') { ++ if (err == NULL || err == numstr || *err != '\0') { + return -EINVAL; + } + +@@ -185,7 +185,7 @@ int common_safe_uint32(const char *numstr, uint32_t *converted) { + char *err = NULL; + unsigned long long int ull; + +- if (!numstr) { ++ if (numstr == NULL) { + return -EINVAL; + } + +@@ -195,7 +195,7 @@ int common_safe_uint32(const char *numstr, uint32_t *converted) { + return -errno; + } + +- if (!err || err == numstr || *err != '\0') { ++ if (err == NULL || err == numstr || *err != '\0') { + return -EINVAL; + } + +@@ -211,7 +211,7 @@ int common_safe_uint64(const char *numstr, uint64_t *converted) { + char *err = NULL; + unsigned long long int ull; + +- if (!numstr) { ++ if (numstr == NULL) { + return -EINVAL; + } + +@@ -221,7 +221,7 @@ int common_safe_uint64(const char *numstr, uint64_t *converted) { + return -errno; + } + +- if (!err || err == numstr || *err != '\0') { ++ if (err == NULL || err == numstr || *err != '\0') { + return -EINVAL; + } + +@@ -233,7 +233,7 @@ int common_safe_uint(const char *numstr, unsigned int *converted) { + char *err = NULL; + unsigned long long int ull; + +- if (!numstr) { ++ if (numstr == NULL) { + return -EINVAL; + } + +@@ -243,7 +243,7 @@ int common_safe_uint(const char *numstr, unsigned int *converted) { + return -errno; + } + +- if (!err || err == numstr || *err != '\0') { ++ if (err == NULL || err == numstr || *err != '\0') { + return -EINVAL; + } + +@@ -259,7 +259,7 @@ int common_safe_int8(const char *numstr, int8_t *converted) { + char *err = NULL; + long int li; + +- if (!numstr) { ++ if (numstr == NULL) { + return -EINVAL; + } + +@@ -269,7 +269,7 @@ int common_safe_int8(const char *numstr, int8_t *converted) { + return -errno; + } + +- if (!err || err == numstr || *err != '\0') { ++ if (err == NULL || err == numstr || *err != '\0') { + return -EINVAL; + } + +@@ -285,7 +285,7 @@ int common_safe_int16(const char *numstr, int16_t *converted) { + char *err = NULL; + long int li; + +- if (!numstr) { ++ if (numstr == NULL) { + return -EINVAL; + } + +@@ -295,7 +295,7 @@ int common_safe_int16(const char *numstr, int16_t *converted) { + return -errno; + } + +- if (!err || err == numstr || *err != '\0') { ++ if (err == NULL || err == numstr || *err != '\0') { + return -EINVAL; + } + +@@ -311,7 +311,7 @@ int common_safe_int32(const char *numstr, int32_t *converted) { + char *err = NULL; + long long int lli; + +- if (!numstr) { ++ if (numstr == NULL) { + return -EINVAL; + } + +@@ -321,7 +321,7 @@ int common_safe_int32(const char *numstr, int32_t *converted) { + return -errno; + } + +- if (!err || err == numstr || *err != '\0') { ++ if (err == NULL || err == numstr || *err != '\0') { + return -EINVAL; + } + +@@ -337,7 +337,7 @@ int common_safe_int64(const char *numstr, int64_t *converted) { + char *err = NULL; + long long int lli; + +- if (!numstr) { ++ if (numstr == NULL) { + return -EINVAL; + } + +@@ -347,7 +347,7 @@ int common_safe_int64(const char *numstr, int64_t *converted) { + return -errno; + } + +- if (!err || err == numstr || *err != '\0') { ++ if (err == NULL || err == numstr || *err != '\0') { + return -EINVAL; + } + +@@ -359,7 +359,7 @@ int common_safe_int(const char *numstr, int *converted) { + char *err = NULL; + long long int lli; + +- if (!numstr) { ++ if (numstr == NULL) { + return -EINVAL; + } + +@@ -369,7 +369,7 @@ int common_safe_int(const char *numstr, int *converted) { + return -errno; + } + +- if (!err || err == numstr || *err != '\0') { ++ if (err == NULL || err == numstr || *err != '\0') { + return -EINVAL; + } + +@@ -385,12 +385,12 @@ char *safe_strdup(const char *src) + { + char *dst = NULL; + +- if (!src) { ++ if (src == NULL) { + return NULL; + } + + dst = strdup(src); +- if (!dst) { ++ if (dst == NULL) { + abort(); + } + +@@ -402,7 +402,7 @@ yajl_gen_status gen_json_map_int_int(void *ctx, json_map_int_int *map, struct pa + yajl_gen_status stat = yajl_gen_status_ok; + yajl_gen g = (yajl_gen) ctx; + size_t len = 0, i = 0; +- if (map) { ++ if (map != NULL) { + len = map->len; + } + if (!len && !(ptx->options & GEN_OPTIONS_SIMPLIFY)) { +@@ -444,7 +444,7 @@ yajl_gen_status gen_json_map_int_int(void *ctx, json_map_int_int *map, struct pa + } + + void free_json_map_int_int(json_map_int_int *map) { +- if (map) { ++ if (map != NULL) { + size_t i; + for (i = 0; i < map->len; i++) { + // No need to free key for type int +@@ -459,7 +459,7 @@ void free_json_map_int_int(json_map_int_int *map) { + } + json_map_int_int *make_json_map_int_int(yajl_val src, struct parser_context *ctx, parser_error *err) { + json_map_int_int *ret = NULL; +- if (src && YAJL_GET_OBJECT(src)) { ++ if (src != NULL && YAJL_GET_OBJECT(src) != NULL) { + size_t i; + size_t len = YAJL_GET_OBJECT(src)->len; + ret = safe_malloc(sizeof(*ret)); +@@ -470,11 +470,11 @@ json_map_int_int *make_json_map_int_int(yajl_val src, struct parser_context *ctx + const char *srckey = YAJL_GET_OBJECT(src)->keys[i]; + yajl_val srcval = YAJL_GET_OBJECT(src)->values[i]; + +- if (srckey) { ++ if (srckey != NULL) { + int invalid; + invalid = common_safe_int(srckey, &(ret->keys[i])); + if (invalid) { +- if (!*err && asprintf(err, "Invalid key '%s' with type 'int': %s", srckey, strerror(-invalid)) < 0) { ++ if (*err == NULL && asprintf(err, "Invalid key '%s' with type 'int': %s", srckey, strerror(-invalid)) < 0) { + *(err) = safe_strdup("error allocating memory"); + } + free_json_map_int_int(ret); +@@ -482,10 +482,10 @@ json_map_int_int *make_json_map_int_int(yajl_val src, struct parser_context *ctx + } + } + +- if (srcval) { ++ if (srcval != NULL) { + int invalid; + if (!YAJL_IS_NUMBER(srcval)) { +- if (!*err && asprintf(err, "Invalid value with type 'int' for key '%s'", srckey) < 0) { ++ if (*err == NULL && asprintf(err, "Invalid value with type 'int' for key '%s'", srckey) < 0) { + *(err) = safe_strdup("error allocating memory"); + } + free_json_map_int_int(ret); +@@ -493,7 +493,7 @@ json_map_int_int *make_json_map_int_int(yajl_val src, struct parser_context *ctx + } + invalid = common_safe_int(YAJL_GET_NUMBER(srcval), &(ret->values[i])); + if (invalid) { +- if (!*err && asprintf(err, "Invalid value with type 'int' for key '%s': %s", srckey, strerror(-invalid)) < 0) { ++ if (*err == NULL && asprintf(err, "Invalid value with type 'int' for key '%s': %s", srckey, strerror(-invalid)) < 0) { + *(err) = safe_strdup("error allocating memory"); + } + free_json_map_int_int(ret); +@@ -506,10 +506,10 @@ json_map_int_int *make_json_map_int_int(yajl_val src, struct parser_context *ctx + } + int append_json_map_int_int(json_map_int_int *map, int key, int val) { + size_t len; +- int *keys; +- int *vals; ++ int *keys = NULL; ++ int *vals = NULL; + +- if (!map) { ++ if (map == NULL) { + return -1; + } + +@@ -548,7 +548,7 @@ yajl_gen_status gen_json_map_int_bool(void *ctx, json_map_int_bool *map, struct + yajl_gen_status stat = yajl_gen_status_ok; + yajl_gen g = (yajl_gen) ctx; + size_t len = 0, i = 0; +- if (map) { ++ if (map != NULL) { + len = map->len; + } + if (!len && !(ptx->options & GEN_OPTIONS_SIMPLIFY)) { +@@ -590,7 +590,7 @@ yajl_gen_status gen_json_map_int_bool(void *ctx, json_map_int_bool *map, struct + } + + void free_json_map_int_bool(json_map_int_bool *map) { +- if (map) { ++ if (map != NULL) { + size_t i; + for (i = 0; i < map->len; i++) { + // No need to free key for type int +@@ -605,7 +605,7 @@ void free_json_map_int_bool(json_map_int_bool *map) { + } + json_map_int_bool *make_json_map_int_bool(yajl_val src, struct parser_context *ctx, parser_error *err) { + json_map_int_bool *ret = NULL; +- if (src && YAJL_GET_OBJECT(src)) { ++ if (src != NULL && YAJL_GET_OBJECT(src) != NULL) { + size_t i; + size_t len = YAJL_GET_OBJECT(src)->len; + ret = safe_malloc(sizeof(*ret)); +@@ -616,11 +616,11 @@ json_map_int_bool *make_json_map_int_bool(yajl_val src, struct parser_context *c + const char *srckey = YAJL_GET_OBJECT(src)->keys[i]; + yajl_val srcval = YAJL_GET_OBJECT(src)->values[i]; + +- if (srckey) { ++ if (srckey != NULL) { + int invalid; + invalid = common_safe_int(srckey, &(ret->keys[i])); + if (invalid) { +- if (!*err && asprintf(err, "Invalid key '%s' with type 'int': %s", srckey, strerror(-invalid)) < 0) { ++ if (*err == NULL && asprintf(err, "Invalid key '%s' with type 'int': %s", srckey, strerror(-invalid)) < 0) { + *(err) = safe_strdup("error allocating memory"); + } + free_json_map_int_bool(ret); +@@ -628,13 +628,13 @@ json_map_int_bool *make_json_map_int_bool(yajl_val src, struct parser_context *c + } + } + +- if (srcval) { ++ if (srcval != NULL) { + if (YAJL_IS_TRUE(srcval)) { + ret->values[i] = true; + } else if (YAJL_IS_FALSE(srcval)) { + ret->values[i] = false; + } else { +- if (!*err && asprintf(err, "Invalid value with type 'bool' for key '%s'", srckey) < 0) { ++ if (*err == NULL && asprintf(err, "Invalid value with type 'bool' for key '%s'", srckey) < 0) { + *(err) = safe_strdup("error allocating memory"); + } + free_json_map_int_bool(ret); +@@ -647,10 +647,10 @@ json_map_int_bool *make_json_map_int_bool(yajl_val src, struct parser_context *c + } + int append_json_map_int_bool(json_map_int_bool *map, int key, bool val) { + size_t len; +- int *keys; +- bool *vals; ++ int *keys = NULL; ++ bool *vals = NULL; + +- if (!map) { ++ if (map == NULL) { + return -1; + } + +@@ -689,7 +689,7 @@ yajl_gen_status gen_json_map_int_string(void *ctx, json_map_int_string *map, str + yajl_gen_status stat = yajl_gen_status_ok; + yajl_gen g = (yajl_gen) ctx; + size_t len = 0, i = 0; +- if (map) { ++ if (map != NULL) { + len = map->len; + } + if (!len && !(ptx->options & GEN_OPTIONS_SIMPLIFY)) { +@@ -731,7 +731,7 @@ yajl_gen_status gen_json_map_int_string(void *ctx, json_map_int_string *map, str + } + + void free_json_map_int_string(json_map_int_string *map) { +- if (map) { ++ if (map != NULL) { + size_t i; + for (i = 0; i < map->len; i++) { + // No need to free key for type int +@@ -747,7 +747,7 @@ void free_json_map_int_string(json_map_int_string *map) { + } + json_map_int_string *make_json_map_int_string(yajl_val src, struct parser_context *ctx, parser_error *err) { + json_map_int_string *ret = NULL; +- if (src && YAJL_GET_OBJECT(src)) { ++ if (src != NULL && YAJL_GET_OBJECT(src) != NULL) { + size_t i; + size_t len = YAJL_GET_OBJECT(src)->len; + ret = safe_malloc(sizeof(*ret)); +@@ -758,11 +758,11 @@ json_map_int_string *make_json_map_int_string(yajl_val src, struct parser_contex + const char *srckey = YAJL_GET_OBJECT(src)->keys[i]; + yajl_val srcval = YAJL_GET_OBJECT(src)->values[i]; + +- if (srckey) { ++ if (srckey != NULL) { + int invalid; + invalid = common_safe_int(srckey, &(ret->keys[i])); + if (invalid) { +- if (!*err && asprintf(err, "Invalid key '%s' with type 'int': %s", srckey, strerror(-invalid)) < 0) { ++ if (*err == NULL && asprintf(err, "Invalid key '%s' with type 'int': %s", srckey, strerror(-invalid)) < 0) { + *(err) = safe_strdup("error allocating memory"); + } + free_json_map_int_string(ret); +@@ -770,9 +770,9 @@ json_map_int_string *make_json_map_int_string(yajl_val src, struct parser_contex + } + } + +- if (srcval) { ++ if (srcval != NULL) { + if (!YAJL_IS_STRING(srcval)) { +- if (!*err && asprintf(err, "Invalid value with type 'string' for key '%s'", srckey) < 0) { ++ if (*err == NULL && asprintf(err, "Invalid value with type 'string' for key '%s'", srckey) < 0) { + *(err) = safe_strdup("error allocating memory"); + } + free_json_map_int_string(ret); +@@ -787,10 +787,10 @@ json_map_int_string *make_json_map_int_string(yajl_val src, struct parser_contex + } + int append_json_map_int_string(json_map_int_string *map, int key, const char *val) { + size_t len; +- int *keys; +- char **vals; ++ int *keys = NULL; ++ char **vals = NULL; + +- if (!map) { ++ if (map == NULL) { + return -1; + } + +@@ -829,7 +829,7 @@ yajl_gen_status gen_json_map_string_int(void *ctx, json_map_string_int *map, str + yajl_gen_status stat = yajl_gen_status_ok; + yajl_gen g = (yajl_gen) ctx; + size_t len = 0, i = 0; +- if (map) { ++ if (map != NULL) { + len = map->len; + } + if (!len && !(ptx->options & GEN_OPTIONS_SIMPLIFY)) { +@@ -862,7 +862,7 @@ yajl_gen_status gen_json_map_string_int(void *ctx, json_map_string_int *map, str + } + + void free_json_map_string_int(json_map_string_int *map) { +- if (map) { ++ if (map != NULL) { + size_t i; + for (i = 0; i < map->len; i++) { + free(map->keys[i]); +@@ -878,7 +878,7 @@ void free_json_map_string_int(json_map_string_int *map) { + } + json_map_string_int *make_json_map_string_int(yajl_val src, struct parser_context *ctx, parser_error *err) { + json_map_string_int *ret = NULL; +- if (src && YAJL_GET_OBJECT(src)) { ++ if (src != NULL && YAJL_GET_OBJECT(src) != NULL) { + size_t i; + size_t len = YAJL_GET_OBJECT(src)->len; + ret = safe_malloc(sizeof(*ret)); +@@ -890,10 +890,10 @@ json_map_string_int *make_json_map_string_int(yajl_val src, struct parser_contex + yajl_val srcval = YAJL_GET_OBJECT(src)->values[i]; + ret->keys[i] = safe_strdup(srckey ? srckey : ""); + +- if (srcval) { ++ if (srcval != NULL) { + int invalid; + if (!YAJL_IS_NUMBER(srcval)) { +- if (!*err && asprintf(err, "Invalid value with type 'int' for key '%s'", srckey) < 0) { ++ if (*err == NULL && asprintf(err, "Invalid value with type 'int' for key '%s'", srckey) < 0) { + *(err) = safe_strdup("error allocating memory"); + } + free_json_map_string_int(ret); +@@ -901,7 +901,7 @@ json_map_string_int *make_json_map_string_int(yajl_val src, struct parser_contex + } + invalid = common_safe_int(YAJL_GET_NUMBER(srcval), &(ret->values[i])); + if (invalid) { +- if (!*err && asprintf(err, "Invalid value with type 'int' for key '%s': %s", srckey, strerror(-invalid)) < 0) { ++ if (*err == NULL && asprintf(err, "Invalid value with type 'int' for key '%s': %s", srckey, strerror(-invalid)) < 0) { + *(err) = safe_strdup("error allocating memory"); + } + free_json_map_string_int(ret); +@@ -914,10 +914,10 @@ json_map_string_int *make_json_map_string_int(yajl_val src, struct parser_contex + } + int append_json_map_string_int(json_map_string_int *map, const char *key, int val) { + size_t len; +- char **keys; +- int *vals; ++ char **keys = NULL; ++ int *vals = NULL; + +- if (!map) { ++ if (map == NULL) { + return -1; + } + +@@ -956,7 +956,7 @@ yajl_gen_status gen_json_map_string_bool(void *ctx, json_map_string_bool *map, s + yajl_gen_status stat = yajl_gen_status_ok; + yajl_gen g = (yajl_gen) ctx; + size_t len = 0, i = 0; +- if (map) { ++ if (map != NULL) { + len = map->len; + } + if (!len && !(ptx->options & GEN_OPTIONS_SIMPLIFY)) { +@@ -989,7 +989,7 @@ yajl_gen_status gen_json_map_string_bool(void *ctx, json_map_string_bool *map, s + } + + void free_json_map_string_bool(json_map_string_bool *map) { +- if (map) { ++ if (map != NULL) { + size_t i; + for (i = 0; i < map->len; i++) { + free(map->keys[i]); +@@ -1005,7 +1005,7 @@ void free_json_map_string_bool(json_map_string_bool *map) { + } + json_map_string_bool *make_json_map_string_bool(yajl_val src, struct parser_context *ctx, parser_error *err) { + json_map_string_bool *ret = NULL; +- if (src && YAJL_GET_OBJECT(src)) { ++ if (src != NULL && YAJL_GET_OBJECT(src) != NULL) { + size_t i; + size_t len = YAJL_GET_OBJECT(src)->len; + ret = safe_malloc(sizeof(*ret)); +@@ -1017,13 +1017,13 @@ json_map_string_bool *make_json_map_string_bool(yajl_val src, struct parser_cont + yajl_val srcval = YAJL_GET_OBJECT(src)->values[i]; + ret->keys[i] = safe_strdup(srckey ? srckey : ""); + +- if (srcval) { ++ if (srcval != NULL) { + if (YAJL_IS_TRUE(srcval)) { + ret->values[i] = true; + } else if (YAJL_IS_FALSE(srcval)) { + ret->values[i] = false; + } else { +- if (!*err && asprintf(err, "Invalid value with type 'bool' for key '%s'", srckey) < 0) { ++ if (*err == NULL && asprintf(err, "Invalid value with type 'bool' for key '%s'", srckey) < 0) { + *(err) = safe_strdup("error allocating memory"); + } + free_json_map_string_bool(ret); +@@ -1036,10 +1036,10 @@ json_map_string_bool *make_json_map_string_bool(yajl_val src, struct parser_cont + } + int append_json_map_string_bool(json_map_string_bool *map, const char *key, bool val) { + size_t len; +- char **keys; +- bool *vals; ++ char **keys = NULL; ++ bool *vals = NULL; + +- if (!map) { ++ if (map == NULL) { + return -1; + } + +@@ -1078,7 +1078,7 @@ yajl_gen_status gen_json_map_string_string(void *ctx, json_map_string_string *ma + yajl_gen_status stat = yajl_gen_status_ok; + yajl_gen g = (yajl_gen) ctx; + size_t len = 0, i = 0; +- if (map) { ++ if (map != NULL) { + len = map->len; + } + if (!len && !(ptx->options & GEN_OPTIONS_SIMPLIFY)) { +@@ -1111,7 +1111,7 @@ yajl_gen_status gen_json_map_string_string(void *ctx, json_map_string_string *ma + } + + void free_json_map_string_string(json_map_string_string *map) { +- if (map) { ++ if (map != NULL) { + size_t i; + for (i = 0; i < map->len; i++) { + free(map->keys[i]); +@@ -1128,7 +1128,7 @@ void free_json_map_string_string(json_map_string_string *map) { + } + json_map_string_string *make_json_map_string_string(yajl_val src, struct parser_context *ctx, parser_error *err) { + json_map_string_string *ret = NULL; +- if (src && YAJL_GET_OBJECT(src)) { ++ if (src != NULL && YAJL_GET_OBJECT(src) != NULL) { + size_t i; + size_t len = YAJL_GET_OBJECT(src)->len; + ret = safe_malloc(sizeof(*ret)); +@@ -1140,9 +1140,9 @@ json_map_string_string *make_json_map_string_string(yajl_val src, struct parser_ + yajl_val srcval = YAJL_GET_OBJECT(src)->values[i]; + ret->keys[i] = safe_strdup(srckey ? srckey : ""); + +- if (srcval) { ++ if (srcval != NULL) { + if (!YAJL_IS_STRING(srcval)) { +- if (!*err && asprintf(err, "Invalid value with type 'string' for key '%s'", srckey) < 0) { ++ if (*err == NULL && asprintf(err, "Invalid value with type 'string' for key '%s'", srckey) < 0) { + *(err) = safe_strdup("error allocating memory"); + } + free_json_map_string_string(ret); +@@ -1157,10 +1157,10 @@ json_map_string_string *make_json_map_string_string(yajl_val src, struct parser_ + } + int append_json_map_string_string(json_map_string_string *map, const char *key, const char *val) { + size_t len, i; +- char **keys; +- char **vals; ++ char **keys = NULL; ++ char **vals = NULL; + +- if (!map) { ++ if (map == NULL) { + return -1; + } + +diff --git a/src/lxc/json/json_common.h b/src/lxc/json/json_common.h +index eb8281c..218a837 100755 +--- a/src/lxc/json/json_common.h ++++ b/src/lxc/json/json_common.h +@@ -27,7 +27,7 @@ extern "C" { + # define GEN_OPTIONS_NOT_VALIDATE_UTF8 0x08 + + #define GEN_SET_ERROR_AND_RETURN(stat, err) { \ +- if (!*(err)) {\ ++ if (*(err) == NULL) {\ + if (asprintf(err, "%s: %s: %d: error generating json, errcode: %d", __FILE__, __func__, __LINE__, stat) < 0) { \ + *(err) = safe_strdup("error allocating memory"); \ + } \ +diff --git a/src/lxc/json/logger_json_file.c b/src/lxc/json/logger_json_file.c +index 4d78103..6433b04 100644 +--- a/src/lxc/json/logger_json_file.c ++++ b/src/lxc/json/logger_json_file.c +@@ -15,32 +15,32 @@ logger_json_file *make_logger_json_file(yajl_val tree, struct parser_context *ct + ret = safe_malloc(sizeof(*ret)); + { + yajl_val tmp = get_val(tree, "log", yajl_t_string); +- if (tmp) { ++ if (tmp != NULL) { + char *str = YAJL_GET_STRING(tmp); + ret->log = (uint8_t *)safe_strdup(str ? str : ""); +- ret->log_len = str ? strlen(str) : 0; ++ ret->log_len = str != NULL ? strlen(str) : 0; + } + } + { + yajl_val val = get_val(tree, "stream", yajl_t_string); +- if (val) { ++ if (val != NULL) { + char *str = YAJL_GET_STRING(val); + ret->stream = safe_strdup(str ? str : ""); + } + } + { + yajl_val val = get_val(tree, "time", yajl_t_string); +- if (val) { ++ if (val != NULL) { + char *str = YAJL_GET_STRING(val); + ret->time = safe_strdup(str ? str : ""); + } + } + { + yajl_val tmp = get_val(tree, "attrs", yajl_t_string); +- if (tmp) { ++ if (tmp != NULL) { + char *str = YAJL_GET_STRING(tmp); + ret->attrs = (uint8_t *)safe_strdup(str ? str : ""); +- ret->attrs_len = str ? strlen(str) : 0; ++ ret->attrs_len = str != NULL ? strlen(str) : 0; + } + } + +@@ -59,7 +59,7 @@ logger_json_file *make_logger_json_file(yajl_val tree, struct parser_context *ct + } + + void free_logger_json_file(logger_json_file *ptr) { +- if (!ptr) ++ if (ptr == NULL) + return; + free(ptr->log); + ptr->log = NULL; +@@ -78,13 +78,13 @@ yajl_gen_status gen_logger_json_file(yajl_gen g, logger_json_file *ptr, struct p + stat = reformat_start_map(g); + if (yajl_gen_status_ok != stat) + GEN_SET_ERROR_AND_RETURN(stat, err); +- if ((ctx->options & GEN_OPTIONS_ALLKEYVALUE) || (ptr && ptr->log && ptr->log_len)) { ++ if ((ctx->options & GEN_OPTIONS_ALLKEYVALUE) || (ptr != NULL && ptr->log != NULL && ptr->log_len)) { + const char *str = ""; + size_t len = 0; + stat = reformat_map_key(g, "log", strlen("log")); + if (yajl_gen_status_ok != stat) + GEN_SET_ERROR_AND_RETURN(stat, err); +- if (ptr && ptr->log) { ++ if (ptr != NULL && ptr->log != NULL) { + str = (const char *)ptr->log; + len = ptr->log_len; + } +@@ -92,37 +92,37 @@ yajl_gen_status gen_logger_json_file(yajl_gen g, logger_json_file *ptr, struct p + if (yajl_gen_status_ok != stat) + GEN_SET_ERROR_AND_RETURN(stat, err); + } +- if ((ctx->options & GEN_OPTIONS_ALLKEYVALUE) ||(ptr && ptr->stream)) { ++ if ((ctx->options & GEN_OPTIONS_ALLKEYVALUE) ||(ptr != NULL && ptr->stream != NULL)) { + char *str = ""; + stat = reformat_map_key(g, "stream", strlen("stream")); + if (yajl_gen_status_ok != stat) + GEN_SET_ERROR_AND_RETURN(stat, err); +- if (ptr && ptr->stream) { ++ if (ptr != NULL && ptr->stream != NULL) { + str = ptr->stream; + } + stat = reformat_string(g, str, strlen(str)); + if (yajl_gen_status_ok != stat) + GEN_SET_ERROR_AND_RETURN(stat, err); + } +- if ((ctx->options & GEN_OPTIONS_ALLKEYVALUE) ||(ptr && ptr->time)) { ++ if ((ctx->options & GEN_OPTIONS_ALLKEYVALUE) ||(ptr != NULL && ptr->time != NULL)) { + char *str = ""; + stat = reformat_map_key(g, "time", strlen("time")); + if (yajl_gen_status_ok != stat) + GEN_SET_ERROR_AND_RETURN(stat, err); +- if (ptr && ptr->time) { ++ if (ptr != NULL && ptr->time != NULL) { + str = ptr->time; + } + stat = reformat_string(g, str, strlen(str)); + if (yajl_gen_status_ok != stat) + GEN_SET_ERROR_AND_RETURN(stat, err); + } +- if ((ctx->options & GEN_OPTIONS_ALLKEYVALUE) || (ptr && ptr->attrs && ptr->attrs_len)) { ++ if ((ctx->options & GEN_OPTIONS_ALLKEYVALUE) || (ptr != NULL && ptr->attrs != NULL && ptr->attrs_len)) { + const char *str = ""; + size_t len = 0; + stat = reformat_map_key(g, "attrs", strlen("attrs")); + if (yajl_gen_status_ok != stat) + GEN_SET_ERROR_AND_RETURN(stat, err); +- if (ptr && ptr->attrs) { ++ if (ptr != NULL && ptr->attrs != NULL) { + str = (const char *)ptr->attrs; + len = ptr->attrs_len; + } +@@ -140,9 +140,9 @@ yajl_gen_status gen_logger_json_file(yajl_gen g, logger_json_file *ptr, struct p + logger_json_file *logger_json_file_parse_file(const char *filename, struct parser_context *ctx, parser_error *err) { + logger_json_file *ptr; + size_t filesize; +- char *content; ++ char *content = NULL; + +- if (!filename || !err) ++ if (filename == NULL || err == NULL) + return NULL; + + *err = NULL; +@@ -160,9 +160,9 @@ logger_json_file *logger_json_file_parse_file(const char *filename, struct parse + logger_json_file *logger_json_file_parse_file_stream(FILE *stream, struct parser_context *ctx, parser_error *err) { + logger_json_file *ptr; + size_t filesize; +- char *content ; ++ char *content = NULL ; + +- if (!stream || !err) ++ if (stream == NULL || err == NULL) + return NULL; + + *err = NULL; +@@ -182,11 +182,11 @@ logger_json_file *logger_json_file_parse_data(const char *jsondata, struct parse + char errbuf[1024]; + struct parser_context tmp_ctx; + +- if (!jsondata || !err) ++ if (jsondata == NULL || err == NULL) + return NULL; + + *err = NULL; +- if (!ctx) { ++ if (ctx == NULL) { + ctx = &tmp_ctx; + memset(&tmp_ctx, 0, sizeof(tmp_ctx)); + } +@@ -207,11 +207,11 @@ char *logger_json_file_generate_json(logger_json_file *ptr, struct parser_contex + char *json_buf = NULL; + size_t gen_len = 0; + +- if (!ptr || !err) ++ if (ptr == NULL || err == NULL) + return NULL; + + *err = NULL; +- if (!ctx) { ++ if (ctx == NULL) { + ctx = &tmp_ctx; + memset(&tmp_ctx, 0, sizeof(tmp_ctx)); + } +@@ -221,12 +221,12 @@ char *logger_json_file_generate_json(logger_json_file *ptr, struct parser_contex + goto out; + } + if (yajl_gen_status_ok != gen_logger_json_file(g, ptr, ctx, err)) { +- if (!*err) ++ if (*err == NULL) + *err = safe_strdup("Failed to generate json"); + goto free_out; + } + yajl_gen_get_buf(g, &gen_buf, &gen_len); +- if (!gen_buf) { ++ if (gen_buf == NULL) { + *err = safe_strdup("Error to get generated json"); + goto free_out; + } +diff --git a/src/lxc/json/oci_runtime_hooks.c b/src/lxc/json/oci_runtime_hooks.c +index 3aa134e..43ff8d7 100644 +--- a/src/lxc/json/oci_runtime_hooks.c ++++ b/src/lxc/json/oci_runtime_hooks.c +@@ -46,8 +46,7 @@ oci_runtime_spec_hooks *oci_runtime_spec_hooks_parse_file(const char *filename, + } + return NULL; + } +- oci_runtime_spec_hooks *ptr = make_oci_runtime_spec_hooks(tree, ctx, +- err); ++ oci_runtime_spec_hooks *ptr = make_oci_runtime_spec_hooks(tree, ctx, err); + yajl_tree_free(tree); + return ptr; + } +diff --git a/src/lxc/json/oci_runtime_spec.c b/src/lxc/json/oci_runtime_spec.c +index 1f6073c..4ccb635 100644 +--- a/src/lxc/json/oci_runtime_spec.c ++++ b/src/lxc/json/oci_runtime_spec.c +@@ -15,7 +15,7 @@ oci_runtime_spec_hooks *make_oci_runtime_spec_hooks(yajl_val tree, struct parser + ret = safe_malloc(sizeof(*ret)); + { + yajl_val tmp = get_val(tree, "prestart", yajl_t_array); +- if (tmp && YAJL_GET_ARRAY(tmp)) { ++ if (tmp != NULL && YAJL_GET_ARRAY(tmp) != NULL && YAJL_GET_ARRAY(tmp)->len > 0) { + size_t i; + ret->prestart_len = YAJL_GET_ARRAY(tmp)->len; + ret->prestart = safe_malloc((YAJL_GET_ARRAY(tmp)->len + 1) * sizeof(*ret->prestart)); +@@ -31,7 +31,7 @@ oci_runtime_spec_hooks *make_oci_runtime_spec_hooks(yajl_val tree, struct parser + } + { + yajl_val tmp = get_val(tree, "poststart", yajl_t_array); +- if (tmp && YAJL_GET_ARRAY(tmp)) { ++ if (tmp != NULL && YAJL_GET_ARRAY(tmp) != NULL && YAJL_GET_ARRAY(tmp)->len > 0) { + size_t i; + ret->poststart_len = YAJL_GET_ARRAY(tmp)->len; + ret->poststart = safe_malloc((YAJL_GET_ARRAY(tmp)->len + 1) * sizeof(*ret->poststart)); +@@ -47,7 +47,7 @@ oci_runtime_spec_hooks *make_oci_runtime_spec_hooks(yajl_val tree, struct parser + } + { + yajl_val tmp = get_val(tree, "poststop", yajl_t_array); +- if (tmp && YAJL_GET_ARRAY(tmp)) { ++ if (tmp != NULL && YAJL_GET_ARRAY(tmp) != NULL && YAJL_GET_ARRAY(tmp)->len > 0) { + size_t i; + ret->poststop_len = YAJL_GET_ARRAY(tmp)->len; + ret->poststop = safe_malloc((YAJL_GET_ARRAY(tmp)->len + 1) * sizeof(*ret->poststop)); +@@ -76,32 +76,32 @@ oci_runtime_spec_hooks *make_oci_runtime_spec_hooks(yajl_val tree, struct parser + } + + void free_oci_runtime_spec_hooks(oci_runtime_spec_hooks *ptr) { +- if (!ptr) ++ if (ptr == NULL) + return; +- if (ptr->prestart) { ++ if (ptr->prestart != NULL) { + size_t i; + for (i = 0; i < ptr->prestart_len; i++) +- if (ptr->prestart[i]) { ++ if (ptr->prestart[i] != NULL) { + free_defs_hook(ptr->prestart[i]); + ptr->prestart[i] = NULL; + } + free(ptr->prestart); + ptr->prestart = NULL; + } +- if (ptr->poststart) { ++ if (ptr->poststart != NULL) { + size_t i; + for (i = 0; i < ptr->poststart_len; i++) +- if (ptr->poststart[i]) { ++ if (ptr->poststart[i] != NULL) { + free_defs_hook(ptr->poststart[i]); + ptr->poststart[i] = NULL; + } + free(ptr->poststart); + ptr->poststart = NULL; + } +- if (ptr->poststop) { ++ if (ptr->poststop != NULL) { + size_t i; + for (i = 0; i < ptr->poststop_len; i++) +- if (ptr->poststop[i]) { ++ if (ptr->poststop[i] != NULL) { + free_defs_hook(ptr->poststop[i]); + ptr->poststop[i] = NULL; + } +@@ -117,12 +117,12 @@ yajl_gen_status gen_oci_runtime_spec_hooks(yajl_gen g, oci_runtime_spec_hooks *p + stat = reformat_start_map(g); + if (yajl_gen_status_ok != stat) + GEN_SET_ERROR_AND_RETURN(stat, err); +- if ((ctx->options & GEN_OPTIONS_ALLKEYVALUE) ||(ptr && ptr->prestart)) { ++ if ((ctx->options & GEN_OPTIONS_ALLKEYVALUE) ||(ptr != NULL && ptr->prestart != NULL)) { + size_t len = 0, i; + stat = reformat_map_key(g, "prestart", strlen("prestart")); + if (yajl_gen_status_ok != stat) + GEN_SET_ERROR_AND_RETURN(stat, err); +- if (ptr && ptr->prestart) { ++ if (ptr != NULL && ptr->prestart != NULL) { + len = ptr->prestart_len; + } + if (!len && !(ctx->options & GEN_OPTIONS_SIMPLIFY)) +@@ -141,12 +141,12 @@ yajl_gen_status gen_oci_runtime_spec_hooks(yajl_gen g, oci_runtime_spec_hooks *p + if (yajl_gen_status_ok != stat) + GEN_SET_ERROR_AND_RETURN(stat, err); + } +- if ((ctx->options & GEN_OPTIONS_ALLKEYVALUE) ||(ptr && ptr->poststart)) { ++ if ((ctx->options & GEN_OPTIONS_ALLKEYVALUE) ||(ptr != NULL && ptr->poststart != NULL)) { + size_t len = 0, i; + stat = reformat_map_key(g, "poststart", strlen("poststart")); + if (yajl_gen_status_ok != stat) + GEN_SET_ERROR_AND_RETURN(stat, err); +- if (ptr && ptr->poststart) { ++ if (ptr != NULL && ptr->poststart != NULL) { + len = ptr->poststart_len; + } + if (!len && !(ctx->options & GEN_OPTIONS_SIMPLIFY)) +@@ -165,12 +165,12 @@ yajl_gen_status gen_oci_runtime_spec_hooks(yajl_gen g, oci_runtime_spec_hooks *p + if (yajl_gen_status_ok != stat) + GEN_SET_ERROR_AND_RETURN(stat, err); + } +- if ((ctx->options & GEN_OPTIONS_ALLKEYVALUE) ||(ptr && ptr->poststop)) { ++ if ((ctx->options & GEN_OPTIONS_ALLKEYVALUE) ||(ptr != NULL && ptr->poststop != NULL)) { + size_t len = 0, i; + stat = reformat_map_key(g, "poststop", strlen("poststop")); + if (yajl_gen_status_ok != stat) + GEN_SET_ERROR_AND_RETURN(stat, err); +- if (ptr && ptr->poststop) { ++ if (ptr != NULL && ptr->poststop != NULL) { + len = ptr->poststop_len; + } + if (!len && !(ctx->options & GEN_OPTIONS_SIMPLIFY)) +-- +1.8.3.1 + diff --git a/0086-confile-add-support-systemd.patch b/0086-confile-add-support-systemd.patch new file mode 100644 index 0000000..9bb4620 --- /dev/null +++ b/0086-confile-add-support-systemd.patch @@ -0,0 +1,150 @@ +From 196510dd784d195dfc131b56249a5aac0b9eab54 Mon Sep 17 00:00:00 2001 +From: tanyifeng +Date: Sat, 20 Apr 2019 22:40:18 +0800 +Subject: [PATCH 086/122] confile: add support systemd + +lxc.isulad.systemd=true remount systemd cgroup path to rw + +Signed-off-by: zhangsong +Signed-off-by: LiFeng +--- + src/lxc/cgroups/cgfsng.c | 16 ++++++++++++++++ + src/lxc/conf.c | 1 + + src/lxc/conf.h | 1 + + src/lxc/confile.c | 30 ++++++++++++++++++++++++++++++ + 4 files changed, 48 insertions(+) + +diff --git a/src/lxc/cgroups/cgfsng.c b/src/lxc/cgroups/cgfsng.c +index cc08737..b1f56b0 100644 +--- a/src/lxc/cgroups/cgfsng.c ++++ b/src/lxc/cgroups/cgfsng.c +@@ -1567,6 +1567,7 @@ __cgfsng_ops static bool cgfsng_mount(struct cgroup_ops *ops, + { + int i, ret; + char *tmpfspath = NULL; ++ char *systemdpath = NULL; + bool has_cgns = false, retval = false, wants_force_mount = false; + char **merged = NULL; + +@@ -1711,10 +1712,25 @@ __cgfsng_ops static bool cgfsng_mount(struct cgroup_ops *ops, + goto on_error; + } + } ++ ++ // isulad: remount /sys/fs/cgroup/systemd to readwrite for system container ++ if (handler->conf->systemd != NULL && strcmp(handler->conf->systemd, "true") == 0) { ++ systemdpath = must_make_path(root, "/sys/fs/cgroup/systemd", NULL); ++ ret = mount(systemdpath, systemdpath, "bind", ++ MS_NOSUID|MS_NODEV|MS_NOEXEC|MS_RELATIME|MS_BIND|MS_REMOUNT, NULL); ++ if (ret < 0) { ++ SYSERROR("Failed to remount /sys/fs/cgroup/systemd."); ++ goto on_error; ++ } ++ } ++ + retval = true; + + on_error: + free(tmpfspath); ++ if (systemdpath != NULL) { ++ free(systemdpath); ++ } + lxc_free_array((void **)merged, free); + return retval; + } +diff --git a/src/lxc/conf.c b/src/lxc/conf.c +index 20eb840..8cdccf1 100644 +--- a/src/lxc/conf.c ++++ b/src/lxc/conf.c +@@ -5320,6 +5320,7 @@ void lxc_conf_free(struct lxc_conf *conf) + if (conf->exit_fd != -1) + close(conf->exit_fd); + free(conf->errmsg); ++ free(conf->systemd); + lxc_close_error_pipe(conf->errpipe); + /* isulad add end */ + free(conf); +diff --git a/src/lxc/conf.h b/src/lxc/conf.h +index 11cf596..fb3c156 100644 +--- a/src/lxc/conf.h ++++ b/src/lxc/conf.h +@@ -430,6 +430,7 @@ struct lxc_conf { + char *errmsg; /* record error messages */ + int errpipe[2];//pipdfd for get error message of child or grandchild process. + mode_t umask; //umask value ++ char *systemd; //systemd value + /* isulad add end */ + }; + +diff --git a/src/lxc/confile.c b/src/lxc/confile.c +index 60e6c46..93936cc 100644 +--- a/src/lxc/confile.c ++++ b/src/lxc/confile.c +@@ -157,6 +157,7 @@ lxc_config_define(init_args); + lxc_config_define(init_groups); + lxc_config_define(populate_device); + lxc_config_define(umask); ++lxc_config_define(systemd); + /*isulad add end*/ + + +@@ -251,6 +252,7 @@ static struct lxc_config_t config_jump_table[] = { + { "lxc.isulad.rootfs.maskedpaths", set_config_rootfs_masked_paths, get_config_rootfs_masked_paths, clr_config_rootfs_masked_paths, }, + { "lxc.isulad.rootfs.ropaths", set_config_rootfs_ro_paths, get_config_rootfs_ro_paths, clr_config_rootfs_ro_paths, }, + { "lxc.isulad.umask", set_config_umask, get_config_umask, clr_config_umask, }, ++ { "lxc.isulad.systemd", set_config_systemd, get_config_systemd, clr_config_systemd, }, + /*isulad add end*/ + }; + +@@ -2433,6 +2435,18 @@ static int set_config_umask(const char *key, const char *value, + } + } + ++/* isulad: set config for systemd */ ++static int set_config_systemd(const char *key, const char *value, ++ struct lxc_conf *lxc_conf, void *data) ++{ ++ if (lxc_config_value_empty(value)) { ++ ERROR("Empty umask"); ++ return -1; ++ } ++ lxc_conf->systemd = strdup(value); ++ return 0; ++} ++ + struct parse_line_conf { + struct lxc_conf *conf; + bool from_include; +@@ -3210,6 +3224,13 @@ static int get_config_umask(const char *key, char *retv, int inlen, + return lxc_get_conf_size_t(c, retv, inlen, c->umask); + } + ++/* isulad add: get systemd value*/ ++static int get_config_systemd(const char *key, char *retv, int inlen, ++ struct lxc_conf *c, void *data) ++{ ++ return lxc_get_conf_str(retv, inlen, c->systemd); ++} ++ + static int get_config_tty_dir(const char *key, char *retv, int inlen, + struct lxc_conf *c, void *data) + { +@@ -4491,6 +4512,15 @@ static inline int clr_config_umask(const char *key, struct lxc_conf *c, + return 0; + } + ++/* isulad add: clear systemd value */ ++static inline int clr_config_systemd(const char *key, struct lxc_conf *c, ++ void *data) ++{ ++ free(c->systemd); ++ c->systemd = NULL; ++ return 0; ++} ++ + static int get_config_includefiles(const char *key, char *retv, int inlen, + struct lxc_conf *c, void *data) + { +-- +1.8.3.1 + diff --git a/0087-lxc-adapt-to-spec-of-oci-hook.patch b/0087-lxc-adapt-to-spec-of-oci-hook.patch new file mode 100644 index 0000000..bcf1ab8 --- /dev/null +++ b/0087-lxc-adapt-to-spec-of-oci-hook.patch @@ -0,0 +1,41 @@ +From 917a306cfab2e0cef3a666b23bf7c788bcf466d3 Mon Sep 17 00:00:00 2001 +From: liuhao +Date: Wed, 24 Apr 2019 22:22:55 +0800 +Subject: [PATCH 087/122] lxc: adapt to spec of oci hook + +poststart failed do not cause run failed + +Signed-off-by: liuhao +Signed-off-by: LiFeng +--- + src/lxc/conf.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +diff --git a/src/lxc/conf.c b/src/lxc/conf.c +index 8cdccf1..a1d77eb 100644 +--- a/src/lxc/conf.c ++++ b/src/lxc/conf.c +@@ -4782,6 +4782,7 @@ static int run_oci_hooks(const char *name, const char *lxcpath, struct lxc_conf + struct oci_hook_conf work_conf = {0}; + size_t i; + int ret = 0; ++ int nret = 0; + char *rootpath; + + if (!lc) { +@@ -4811,9 +4812,9 @@ static int run_oci_hooks(const char *name, const char *lxcpath, struct lxc_conf + case OCI_HOOK_POSTSTART: + for (i = 0; i < lc->ocihooks->poststart_len; i++) { + work_conf.ocihook = lc->ocihooks->poststart[i]; +- ret = run_ocihook_script_argv(name, "lxc", &work_conf, lxcpath, rootpath); +- if (ret != 0) +- break; ++ nret = run_ocihook_script_argv(name, "lxc", &work_conf, lxcpath, rootpath); ++ if (nret != 0) ++ WARN("running poststart hook %d failed, ContainerId: %s", i, name); + } + break; + case OCI_HOOK_POSTSTOP: +-- +1.8.3.1 + diff --git a/0088-fix-lxc-build-error.patch b/0088-fix-lxc-build-error.patch new file mode 100644 index 0000000..57b617f --- /dev/null +++ b/0088-fix-lxc-build-error.patch @@ -0,0 +1,29 @@ +From f6ddc6eb341b7eca5616be1ffd6b403db1b83b11 Mon Sep 17 00:00:00 2001 +From: liuhao +Date: Thu, 25 Apr 2019 10:12:16 +0800 +Subject: [PATCH 088/122] fix lxc build error + +cause by invalid print format + +Signed-off-by: liuhao +Signed-off-by: LiFeng +--- + src/lxc/conf.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/lxc/conf.c b/src/lxc/conf.c +index a1d77eb..14d5d80 100644 +--- a/src/lxc/conf.c ++++ b/src/lxc/conf.c +@@ -4814,7 +4814,7 @@ static int run_oci_hooks(const char *name, const char *lxcpath, struct lxc_conf + work_conf.ocihook = lc->ocihooks->poststart[i]; + nret = run_ocihook_script_argv(name, "lxc", &work_conf, lxcpath, rootpath); + if (nret != 0) +- WARN("running poststart hook %d failed, ContainerId: %s", i, name); ++ WARN("running poststart hook %ld failed, ContainerId: %s", i, name); + } + break; + case OCI_HOOK_POSTSTOP: +-- +1.8.3.1 + diff --git a/0089-lxc-add-get-container-processes-pids-func.patch b/0089-lxc-add-get-container-processes-pids-func.patch new file mode 100644 index 0000000..db70b9b --- /dev/null +++ b/0089-lxc-add-get-container-processes-pids-func.patch @@ -0,0 +1,177 @@ +From 4241f51abad788017ca5a0da5946ccc2672bdc3b Mon Sep 17 00:00:00 2001 +From: maoweiyong +Date: Tue, 23 Apr 2019 12:12:55 +0800 +Subject: [PATCH 089/122] lxc:add get container processes pids func + +Signed-off-by: maoweiyong +--- + src/lxc/lxccontainer.c | 18 ++++++++++++ + src/lxc/lxccontainer.h | 11 ++++++++ + src/lxc/start.c | 76 ++++++++++++++++++++++++++++++++++++++++++++++++++ + src/lxc/start.h | 2 ++ + 4 files changed, 107 insertions(+) + +diff --git a/src/lxc/lxccontainer.c b/src/lxc/lxccontainer.c +index 8a3724c..fa13e52 100644 +--- a/src/lxc/lxccontainer.c ++++ b/src/lxc/lxccontainer.c +@@ -5212,6 +5212,23 @@ static bool do_lxcapi_clean_container_resource(struct lxc_container *c, pid_t pi + + WRAP_API_1(bool, lxcapi_clean_container_resource, pid_t) + ++/* isulad get coantainer pids */ ++static bool do_lxcapi_get_container_pids(struct lxc_container *c, pid_t **pids,size_t *pids_len) ++{ ++ int ret; ++ ++ if (!c) ++ return false; ++ ++ ret = do_lxcapi_get_pids(c->name, c->config_path, c->lxc_conf, pids,pids_len); ++ if (ret) ++ ERROR("Failed to get container %s pids", c->name); ++ return ret == 0; ++ ++} ++ ++WRAP_API_2(bool, lxcapi_get_container_pids, pid_t **,size_t *) ++ + /* isulad add clean resources */ + static bool do_lxcapi_add_terminal_fifo(struct lxc_container *c, const char *in_fifo, const char *out_fifo, const char *err_fifo) + { +@@ -5373,6 +5390,7 @@ static struct lxc_container *do_lxc_container_new(const char *name, const char * + c->set_start_timeout = lxcapi_set_start_timeout; + c->clean_container_resource = lxcapi_clean_container_resource; + c->add_terminal_fifos = lxcapi_add_terminal_fifo; ++ c->get_container_pids = lxcapi_get_container_pids; + /* isulad add end */ + return c; + +diff --git a/src/lxc/lxccontainer.h b/src/lxc/lxccontainer.h +index c3368e4..608f815 100644 +--- a/src/lxc/lxccontainer.h ++++ b/src/lxc/lxccontainer.h +@@ -947,6 +947,17 @@ struct lxc_container { + * \return \c true on success, else \c false. + */ + bool (*clean_container_resource) (struct lxc_container *c, pid_t pid); ++ ++ /*! isulad add ++ * \brief An API call to get container pids ++ * ++ * \param c Container. ++ * \param pids Value of container pids. ++ * \param pids_len Value of container pids len. ++ * \param pid Value of container pid. ++ * \return \c true on success, else \c false. ++ */ ++ bool (*get_container_pids)(struct lxc_container *c,pid_t **pids,size_t *pids_len); + }; + + /*! +diff --git a/src/lxc/start.c b/src/lxc/start.c +index f1cd7fa..2b0d43e 100644 +--- a/src/lxc/start.c ++++ b/src/lxc/start.c +@@ -2638,6 +2638,55 @@ on_error: + return NULL; + } + ++/*isulad: init handler for clean */ ++static struct lxc_handler *lxc_init_pids_handler(char *name, char *lxcpath, struct lxc_conf *conf) ++{ ++ int i; ++ struct lxc_handler *handler; ++ ++ handler = malloc(sizeof(*handler)); ++ if (!handler) ++ return NULL; ++ ++ memset(handler, 0, sizeof(*handler)); ++ ++ /* Note that am_guest_unpriv() checks the effective uid. We ++ * probably don't care if we are real root only if we are running ++ * as root so this should be fine. ++ */ ++ handler->am_root = !am_guest_unpriv(); ++ handler->data_sock[0] = handler->data_sock[1] = -1; ++ handler->conf = conf; ++ handler->lxcpath = lxcpath; ++ handler->pinfd = -1; ++ handler->sigfd = -EBADF; ++ handler->init_died = false; ++ handler->state_socket_pair[0] = handler->state_socket_pair[1] = -1; ++ if (handler->conf->reboot == REBOOT_NONE) ++ lxc_list_init(&handler->conf->state_clients); ++ ++ for (i = 0; i < LXC_NS_MAX; i++) ++ handler->nsfd[i] = -1; ++ ++ handler->name = name; ++ handler->exit_code = -1; /* isulad: record exit code of container */ ++ ++ handler->cgroup_ops = cgroup_init(handler); ++ if (!handler->cgroup_ops) { ++ ERROR("Failed to initialize cgroup driver"); ++ goto on_error; ++ } ++ ++ INFO("Container \"%s\" 's clean handler is initialized.", name); ++ ++ return handler; ++ ++on_error: ++ lxc_free_handler(handler); ++ ++ return NULL; ++} ++ + /*isulad: set env for clean resources */ + static int clean_resource_set_env(struct lxc_handler *handler) + { +@@ -2770,3 +2819,30 @@ out: + return ret; + } + ++/*isulad: do_lxcapi_get_pids */ ++int do_lxcapi_get_pids(char *name, char *lxcpath, struct lxc_conf *conf, pid_t **pids,size_t *pids_len) ++{ ++ int ret = 0; ++ struct lxc_handler *handler = NULL; ++ int retry_count = 0; ++ int max_retry = 10; ++ struct cgroup_ops *cg_ops = NULL; ++ ++ handler = lxc_init_pids_handler(name, lxcpath, conf); ++ if (!handler) { ++ ERROR("Failed to init container %s clean handler", name); ++ ret = -1; ++ goto out; ++ } ++ ++ cg_ops = handler->cgroup_ops; ++ ret = get_all_pids(cg_ops, pids, pids_len); ++ if (ret < 0) { ++ WARN("failed to get all pids"); ++ } ++ ++out: ++ lxc_free_handler(handler); ++ return ret; ++} ++ +diff --git a/src/lxc/start.h b/src/lxc/start.h +index 0298991..20e667c 100644 +--- a/src/lxc/start.h ++++ b/src/lxc/start.h +@@ -188,5 +188,7 @@ extern int resolve_clone_flags(struct lxc_handler *handler); + /*isulad: do_lxcapi_clean_resource */ + extern int do_lxcapi_clean_resource(char *name, char *lxcpath, struct lxc_conf *conf, pid_t pid); + ++/*isulad: do_lxcapi_get_pids */ ++extern int do_lxcapi_get_pids(char *name, char *lxcpath, struct lxc_conf *conf, pid_t **pids,size_t *pids_len); + + #endif +-- +1.8.3.1 + diff --git a/0090-lxc-remove-unused-variable.patch b/0090-lxc-remove-unused-variable.patch new file mode 100644 index 0000000..6213607 --- /dev/null +++ b/0090-lxc-remove-unused-variable.patch @@ -0,0 +1,26 @@ +From 83136d88470202915844a0bb0413af70fcd18efc Mon Sep 17 00:00:00 2001 +From: maoweiyong +Date: Thu, 25 Apr 2019 21:21:12 +0800 +Subject: [PATCH 090/122] lxc: remove unused variable + +Signed-off-by: maoweiyong +--- + src/lxc/start.c | 2 -- + 1 file changed, 2 deletions(-) + +diff --git a/src/lxc/start.c b/src/lxc/start.c +index 2b0d43e..3657d4e 100644 +--- a/src/lxc/start.c ++++ b/src/lxc/start.c +@@ -2824,8 +2824,6 @@ int do_lxcapi_get_pids(char *name, char *lxcpath, struct lxc_conf *conf, pid_t * + { + int ret = 0; + struct lxc_handler *handler = NULL; +- int retry_count = 0; +- int max_retry = 10; + struct cgroup_ops *cg_ops = NULL; + + handler = lxc_init_pids_handler(name, lxcpath, conf); +-- +1.8.3.1 + diff --git a/0091-lxc-support-namespaced-kernel-params-can-be-changed-.patch b/0091-lxc-support-namespaced-kernel-params-can-be-changed-.patch new file mode 100644 index 0000000..7536a3c --- /dev/null +++ b/0091-lxc-support-namespaced-kernel-params-can-be-changed-.patch @@ -0,0 +1,118 @@ +From 639248d8b9bcbaabe789f7d12f28191a4e65752f Mon Sep 17 00:00:00 2001 +From: liuhao +Date: Fri, 26 Apr 2019 07:13:53 +0800 +Subject: [PATCH 091/122] lxc: support namespaced kernel params can be changed + in system container + +support namespaced kernel params can be changed in system container + +Signed-off-by: yangchenliang +--- + src/lxc/conf.c | 77 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ + 1 file changed, 77 insertions(+) + +diff --git a/src/lxc/conf.c b/src/lxc/conf.c +index 14d5d80..0f227aa 100644 +--- a/src/lxc/conf.c ++++ b/src/lxc/conf.c +@@ -1516,6 +1516,66 @@ error: + return false; + } + ++static bool remount_readwrite(const char *path) ++{ ++ int ret, i; ++ ++ if (!path) ++ return true; ++ ++ for (i = 0; i < 5; i++) { ++ ret = mount("", path, "", MS_REMOUNT, ""); ++ if (ret < 0 && errno != ENOENT) { ++ if (errno == EINVAL) { ++ // Probably not a mountpoint, use bind-mount ++ ret = mount(path, path, "", MS_BIND, ""); ++ if (ret < 0) ++ goto on_error; ++ ret = mount(path, path, "", MS_BIND | MS_REMOUNT | MS_REC | \ ++ MS_NOEXEC | MS_NOSUID | MS_NODEV, ""); ++ if (ret < 0) ++ goto on_error; ++ } else if (errno == EBUSY) { ++ DEBUG("Try to mount \"%s\" to readonly after 100ms.", path); ++ usleep(100 * 1000); ++ continue; ++ } else { ++ goto on_error; ++ } ++ } ++ return true; ++ } ++ ++on_error: ++ SYSERROR("Unable to mount \"%s\" to readwrite", path); ++ return false; ++} ++ ++static int remount_proc_sys_mount_entries(struct lxc_list *mount_list) ++{ ++ char buf[4096]; ++ FILE *file; ++ struct mntent mntent; ++ ++ file = make_anonymous_mount_file(mount_list); ++ if (!file) ++ return -1; ++ ++ while (getmntent_r(file, &mntent, buf, sizeof(buf))) { ++ if (strstr(mntent.mnt_dir, "proc/sys") == NULL) { ++ continue; ++ } ++ ++ if (!remount_readwrite((const char*)mntent.mnt_dir)) { ++ fclose(file); ++ return -1; ++ } ++ } ++ ++ fclose(file); ++ return 0; ++} ++ + // remount_readonly will bind over the top of an existing path and ensure that it is read-only. + static bool remount_readonly(const char *path) + { +@@ -2699,6 +2759,13 @@ static int mount_file_entries(const struct lxc_conf *conf, + int ret = -1; + + while (getmntent_r(file, &mntent, buf, sizeof(buf))) { ++ //isulad, system contaienr, skip "proc/sys/xxx" path ++ if (conf->systemd != NULL && strcmp(conf->systemd, "true") == 0) { ++ if (strstr(mntent.mnt_dir, "proc/sys") != NULL) { ++ continue; ++ } ++ } ++ + /* Note: Workaround for volume file path with space*/ + mntent.mnt_fsname = lxc_string_replace(SPACE_MAGIC_STR, " ", mntent.mnt_fsname); + if(!mntent.mnt_fsname) { +@@ -4254,6 +4321,16 @@ int lxc_setup(struct lxc_handler *handler) + } + } + ++ //isulad: system container, remount /proc/sys/xxx by mount_list ++ if (lxc_conf->systemd != NULL && strcmp(lxc_conf->systemd, "true") == 0) { ++ if (!lxc_list_empty(&lxc_conf->mount_list)) { ++ if (remount_proc_sys_mount_entries(&lxc_conf->mount_list)) { ++ ERROR("failed to remount /proc/sys"); ++ goto on_error; ++ } ++ } ++ } ++ + if (!lxc_list_empty(&lxc_conf->keepcaps)) { + if (!lxc_list_empty(&lxc_conf->caps)) { + ERROR("Container requests lxc.cap.drop and " +-- +1.8.3.1 + diff --git a/0092-lxc-add-output-error-when-create-unified-cgroup.patch b/0092-lxc-add-output-error-when-create-unified-cgroup.patch new file mode 100644 index 0000000..1787d8b --- /dev/null +++ b/0092-lxc-add-output-error-when-create-unified-cgroup.patch @@ -0,0 +1,45 @@ +From 548054179d5e5b43368491822ebed803c9a03a36 Mon Sep 17 00:00:00 2001 +From: LiFeng +Date: Mon, 29 Apr 2019 04:13:52 -0400 +Subject: [PATCH 092/122] lxc: add output error when create unified cgroup + +Signed-off-by: LiFeng +--- + src/lxc/cgroups/cgfsng.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +diff --git a/src/lxc/cgroups/cgfsng.c b/src/lxc/cgroups/cgfsng.c +index b1f56b0..2bf142f 100644 +--- a/src/lxc/cgroups/cgfsng.c ++++ b/src/lxc/cgroups/cgfsng.c +@@ -1132,7 +1132,7 @@ __cgfsng_ops static bool cgfsng_payload_destroy(struct cgroup_ops *ops, + return true; + } + +-static bool cg_unified_create_cgroup(struct hierarchy *h, char *cgname) ++static bool cg_unified_create_cgroup(struct hierarchy *h, char *cgname, int errfd) + { + size_t i, parts_len; + char **it; +@@ -1187,6 +1187,9 @@ static bool cg_unified_create_cgroup(struct hierarchy *h, char *cgname) + if (ret < 0) { + SYSERROR("Could not enable \"%s\" controllers in the " + "unified cgroup \"%s\"", add_controllers, cgroup); ++ lxc_write_error_message(errfd, "%s:%d: Could not enable \"%s\" controllers in the " ++ "unified cgroup: \"%s\"", ++ __FILE__, __LINE__, add_controllers, strerror(errno)); + goto on_error; + } + } +@@ -1260,7 +1263,7 @@ static bool create_path_for_hierarchy(struct hierarchy *h, char *cgname, int err + return false; + } + +- return cg_unified_create_cgroup(h, cgname); ++ return cg_unified_create_cgroup(h, cgname, errfd); + } + + /* isulad: create hierarchies path, if fail, return the error */ +-- +1.8.3.1 + diff --git a/0093-optimize-isulad_kit-operator.patch b/0093-optimize-isulad_kit-operator.patch new file mode 100644 index 0000000..eded542 --- /dev/null +++ b/0093-optimize-isulad_kit-operator.patch @@ -0,0 +1,424 @@ +From d37fe422dc56c4904c138fdcb2c721a3cca2f0a8 Mon Sep 17 00:00:00 2001 +From: liuhao +Date: Thu, 2 May 2019 11:23:50 +0800 +Subject: [PATCH 093/122] optimize isulad_kit operator + +parse group add start container + +Signed-off-by: liuhao +Signed-off-by: LiFeng +--- + src/lxc/Makefile.am | 2 + + src/lxc/json/container_start_generate_config.c | 245 +++++++++++++++++++++++++ + src/lxc/json/container_start_generate_config.h | 43 +++++ + src/lxc/tools/lxc_start.c | 58 ++++++ + 4 files changed, 348 insertions(+) + create mode 100644 src/lxc/json/container_start_generate_config.c + create mode 100644 src/lxc/json/container_start_generate_config.h + +diff --git a/src/lxc/Makefile.am b/src/lxc/Makefile.am +index 698f8f9..4ec2081 100644 +--- a/src/lxc/Makefile.am ++++ b/src/lxc/Makefile.am +@@ -45,6 +45,7 @@ noinst_HEADERS = attach.h \ + storage/storage_utils.h \ + json/defs.h \ + json/json_common.h \ ++ json/container_start_generate_config.h \ + json/oci_runtime_hooks.h \ + json/oci_runtime_spec.h \ + json/logger_json_file.h \ +@@ -152,6 +153,7 @@ liblxc_la_SOURCES = af_unix.c af_unix.h \ + json/oci_runtime_hooks.c json/oci_runtime_hooks.h \ + json/logger_json_file.c json/logger_json_file.h \ + json/oci_runtime_spec.c json/oci_runtime_spec.h \ ++ json/container_start_generate_config.c json/container_start_generate_config.h \ + json/read-file.c json/read-file.h \ + $(LSM_SOURCES) + +diff --git a/src/lxc/json/container_start_generate_config.c b/src/lxc/json/container_start_generate_config.c +new file mode 100644 +index 0000000..5ec8311 +--- /dev/null ++++ b/src/lxc/json/container_start_generate_config.c +@@ -0,0 +1,245 @@ ++// Generated from start-generate-config.json. Do not edit! ++#ifndef _GNU_SOURCE ++#define _GNU_SOURCE ++#endif ++#include ++#include "read-file.h" ++#include "container_start_generate_config.h" ++ ++container_start_generate_config *make_container_start_generate_config(yajl_val tree, struct parser_context *ctx, parser_error *err) { ++ container_start_generate_config *ret = NULL; ++ *err = 0; ++ if (tree == NULL) ++ return ret; ++ ret = safe_malloc(sizeof(*ret)); ++ { ++ yajl_val val = get_val(tree, "uid", yajl_t_number); ++ if (val != NULL) { ++ int invalid = common_safe_uint(YAJL_GET_NUMBER(val), (unsigned int *)&ret->uid); ++ if (invalid) { ++ if (asprintf(err, "Invalid value '%s' with type 'UID' for key 'uid': %s", YAJL_GET_NUMBER(val), strerror(-invalid)) < 0) ++ *err = safe_strdup("error allocating memory"); ++ free_container_start_generate_config(ret); ++ return NULL; ++ } ++ } ++ } ++ { ++ yajl_val val = get_val(tree, "gid", yajl_t_number); ++ if (val != NULL) { ++ int invalid = common_safe_uint(YAJL_GET_NUMBER(val), (unsigned int *)&ret->gid); ++ if (invalid) { ++ if (asprintf(err, "Invalid value '%s' with type 'GID' for key 'gid': %s", YAJL_GET_NUMBER(val), strerror(-invalid)) < 0) ++ *err = safe_strdup("error allocating memory"); ++ free_container_start_generate_config(ret); ++ return NULL; ++ } ++ } ++ } ++ { ++ yajl_val tmp = get_val(tree, "additionalGids", yajl_t_array); ++ if (tmp != NULL && YAJL_GET_ARRAY(tmp) != NULL && YAJL_GET_ARRAY(tmp)->len > 0) { ++ size_t i; ++ ret->additional_gids_len = YAJL_GET_ARRAY(tmp)->len; ++ ret->additional_gids = safe_malloc((YAJL_GET_ARRAY(tmp)->len + 1) * sizeof(*ret->additional_gids)); ++ for (i = 0; i < YAJL_GET_ARRAY(tmp)->len; i++) { ++ yajl_val val = YAJL_GET_ARRAY(tmp)->values[i]; ++ if (val != NULL) { ++ int invalid = common_safe_uint(YAJL_GET_NUMBER(val), (unsigned int *)&ret->additional_gids[i]); ++ if (invalid) { ++ if (asprintf(err, "Invalid value '%s' with type 'GID' for key 'additionalGids': %s", YAJL_GET_NUMBER(val), strerror(-invalid)) < 0) ++ *err = safe_strdup("error allocating memory"); ++ free_container_start_generate_config(ret); ++ return NULL; ++ } ++ } ++ } ++ } ++ } ++ ++ if (tree->type == yajl_t_object && (ctx->options & PARSE_OPTIONS_STRICT)) { ++ int i; ++ for (i = 0; i < tree->u.object.len; i++) ++ if (strcmp(tree->u.object.keys[i], "uid") && ++ strcmp(tree->u.object.keys[i], "gid") && ++ strcmp(tree->u.object.keys[i], "additionalGids")) { ++ if (ctx->stderr > 0) ++ fprintf(ctx->stderr, "WARNING: unknown key found: %s\n", tree->u.object.keys[i]); ++ } ++ } ++ return ret; ++} ++ ++void free_container_start_generate_config(container_start_generate_config *ptr) { ++ if (ptr == NULL) ++ return; ++ free(ptr->additional_gids); ++ ptr->additional_gids = NULL; ++ free(ptr); ++} ++ ++yajl_gen_status gen_container_start_generate_config(yajl_gen g, container_start_generate_config *ptr, struct parser_context *ctx, parser_error *err) { ++ yajl_gen_status stat = yajl_gen_status_ok; ++ *err = 0; ++ stat = reformat_start_map(g); ++ if (yajl_gen_status_ok != stat) ++ GEN_SET_ERROR_AND_RETURN(stat, err); ++ if ((ctx->options & GEN_OPTIONS_ALLKEYVALUE) ||(ptr != NULL && ptr->uid)) { ++ long long unsigned int num = 0; ++ stat = reformat_map_key(g, "uid", strlen("uid")); ++ if (yajl_gen_status_ok != stat) ++ GEN_SET_ERROR_AND_RETURN(stat, err); ++ if (ptr != NULL && ptr->uid) { ++ num = (long long unsigned int)ptr->uid; ++ } ++ stat = reformat_uint(g, num); ++ if (yajl_gen_status_ok != stat) ++ GEN_SET_ERROR_AND_RETURN(stat, err); ++ } ++ if ((ctx->options & GEN_OPTIONS_ALLKEYVALUE) ||(ptr != NULL && ptr->gid)) { ++ long long unsigned int num = 0; ++ stat = reformat_map_key(g, "gid", strlen("gid")); ++ if (yajl_gen_status_ok != stat) ++ GEN_SET_ERROR_AND_RETURN(stat, err); ++ if (ptr != NULL && ptr->gid) { ++ num = (long long unsigned int)ptr->gid; ++ } ++ stat = reformat_uint(g, num); ++ if (yajl_gen_status_ok != stat) ++ GEN_SET_ERROR_AND_RETURN(stat, err); ++ } ++ if ((ctx->options & GEN_OPTIONS_ALLKEYVALUE) || (ptr != NULL && ptr->additional_gids != NULL)) { ++ size_t len = 0, i; ++ stat = reformat_map_key(g, "additionalGids", strlen("additionalGids")); ++ if (yajl_gen_status_ok != stat) ++ GEN_SET_ERROR_AND_RETURN(stat, err); ++ if (ptr != NULL && ptr->additional_gids != NULL) { ++ len = ptr->additional_gids_len; ++ } ++ if (!len && !(ctx->options & GEN_OPTIONS_SIMPLIFY)) ++ yajl_gen_config(g, yajl_gen_beautify, 0); ++ stat = reformat_start_array(g); ++ if (yajl_gen_status_ok != stat) ++ GEN_SET_ERROR_AND_RETURN(stat, err); ++ for (i = 0; i < len; i++) { ++ stat = reformat_uint(g, ptr->additional_gids[i]); ++ if (yajl_gen_status_ok != stat) ++ GEN_SET_ERROR_AND_RETURN(stat, err); ++ } ++ stat = reformat_end_array(g); ++ if (yajl_gen_status_ok != stat) ++ GEN_SET_ERROR_AND_RETURN(stat, err); ++ if (!len && !(ctx->options & GEN_OPTIONS_SIMPLIFY)) ++ yajl_gen_config(g, yajl_gen_beautify, 1); ++ } ++ stat = reformat_end_map(g); ++ if (yajl_gen_status_ok != stat) ++ GEN_SET_ERROR_AND_RETURN(stat, err); ++ return yajl_gen_status_ok; ++} ++ ++ ++container_start_generate_config *container_start_generate_config_parse_file(const char *filename, struct parser_context *ctx, parser_error *err) { ++ container_start_generate_config *ptr = NULL; ++ size_t filesize; ++ char *content = NULL; ++ ++ if (filename == NULL || err == NULL) ++ return NULL; ++ ++ *err = NULL; ++ content = read_file(filename, &filesize); ++ if (content == NULL) { ++ if (asprintf(err, "cannot read the file: %s", filename) < 0) ++ *err = safe_strdup("error allocating memory"); ++ return NULL; ++ } ++ ptr = container_start_generate_config_parse_data(content, ctx, err); ++ free(content); ++ return ptr; ++} ++ ++container_start_generate_config *container_start_generate_config_parse_file_stream(FILE *stream, struct parser_context *ctx, parser_error *err) { ++ container_start_generate_config *ptr = NULL; ++ size_t filesize; ++ char *content = NULL ; ++ ++ if (stream == NULL || err == NULL) ++ return NULL; ++ ++ *err = NULL; ++ content = fread_file(stream, &filesize); ++ if (content == NULL) { ++ *err = safe_strdup("cannot read the file"); ++ return NULL; ++ } ++ ptr = container_start_generate_config_parse_data(content, ctx, err); ++ free(content); ++ return ptr; ++} ++ ++container_start_generate_config *container_start_generate_config_parse_data(const char *jsondata, struct parser_context *ctx, parser_error *err) { ++ container_start_generate_config *ptr = NULL; ++ yajl_val tree; ++ char errbuf[1024]; ++ struct parser_context tmp_ctx; ++ ++ if (jsondata == NULL || err == NULL) ++ return NULL; ++ ++ *err = NULL; ++ if (ctx == NULL) { ++ ctx = &tmp_ctx; ++ (void)memset(&tmp_ctx, 0, sizeof(tmp_ctx)); ++ } ++ tree = yajl_tree_parse(jsondata, errbuf, sizeof(errbuf)); ++ if (tree == NULL) { ++ if (asprintf(err, "cannot parse the data: %s", errbuf) < 0) ++ *err = safe_strdup("error allocating memory"); ++ return NULL; ++ } ++ ptr = make_container_start_generate_config(tree, ctx, err); ++ yajl_tree_free(tree); ++ return ptr; ++} ++char *container_start_generate_config_generate_json(container_start_generate_config *ptr, struct parser_context *ctx, parser_error *err) { ++ yajl_gen g = NULL; ++ struct parser_context tmp_ctx; ++ const unsigned char *gen_buf = NULL; ++ char *json_buf = NULL; ++ size_t gen_len = 0; ++ ++ if (ptr == NULL || err == NULL) ++ return NULL; ++ ++ *err = NULL; ++ if (ctx == NULL) { ++ ctx = &tmp_ctx; ++ (void)memset(&tmp_ctx, 0, sizeof(tmp_ctx)); ++ } ++ ++ if (!json_gen_init(&g, ctx)) { ++ *err = safe_strdup("Json_gen init failed"); ++ goto out; ++ } ++ if (yajl_gen_status_ok != gen_container_start_generate_config(g, ptr, ctx, err)) { ++ if (*err == NULL) ++ *err = safe_strdup("Failed to generate json"); ++ goto free_out; ++ } ++ yajl_gen_get_buf(g, &gen_buf, &gen_len); ++ if (gen_buf == NULL) { ++ *err = safe_strdup("Error to get generated json"); ++ goto free_out; ++ } ++ ++ json_buf = safe_malloc(gen_len + 1); ++ (void)memcpy(json_buf, gen_buf, gen_len); ++ json_buf[gen_len] = '\0'; ++ ++free_out: ++ yajl_gen_clear(g); ++ yajl_gen_free(g); ++out: ++ return json_buf; ++} +diff --git a/src/lxc/json/container_start_generate_config.h b/src/lxc/json/container_start_generate_config.h +new file mode 100644 +index 0000000..e1dcf56 +--- /dev/null ++++ b/src/lxc/json/container_start_generate_config.h +@@ -0,0 +1,43 @@ ++// Generated from start-generate-config.json. Do not edit! ++#ifndef CONTAINER_START_GENERATE_CONFIG_SCHEMA_H ++#define CONTAINER_START_GENERATE_CONFIG_SCHEMA_H ++ ++#include ++#include ++#include "json_common.h" ++#include "defs.h" ++ ++#ifdef __cplusplus ++extern "C" { ++#endif ++ ++typedef struct { ++ uid_t uid; ++ ++ gid_t gid; ++ ++ gid_t *additional_gids; ++ size_t additional_gids_len; ++ ++} ++container_start_generate_config; ++ ++void free_container_start_generate_config(container_start_generate_config *ptr); ++ ++container_start_generate_config *make_container_start_generate_config(yajl_val tree, struct parser_context *ctx, parser_error *err); ++ ++yajl_gen_status gen_container_start_generate_config(yajl_gen g, container_start_generate_config *ptr, struct parser_context *ctx, parser_error *err); ++ ++container_start_generate_config *container_start_generate_config_parse_file(const char *filename, struct parser_context *ctx, parser_error *err); ++ ++container_start_generate_config *container_start_generate_config_parse_file_stream(FILE *stream, struct parser_context *ctx, parser_error *err); ++ ++container_start_generate_config *container_start_generate_config_parse_data(const char *jsondata, struct parser_context *ctx, parser_error *err); ++ ++char *container_start_generate_config_generate_json(container_start_generate_config *ptr, struct parser_context *ctx, parser_error *err); ++ ++#ifdef __cplusplus ++} ++#endif ++ ++#endif +diff --git a/src/lxc/tools/lxc_start.c b/src/lxc/tools/lxc_start.c +index af63f58..4069204 100644 +--- a/src/lxc/tools/lxc_start.c ++++ b/src/lxc/tools/lxc_start.c +@@ -50,6 +50,7 @@ + #include "confile.h" + #include "log.h" + #include "utils.h" ++#include "container_start_generate_config.h" + + lxc_log_define(lxc_start, lxc); + +@@ -213,6 +214,57 @@ static int ensure_path(char **confpath, const char *path) + return 0; + } + ++static int set_start_extral_configs(const char *lxcpath, const char *name, struct lxc_container *c) ++{ ++#define START_GENERATE_CONFIG "start_generate_config.json" ++ char fpath[PATH_MAX] = {0}; ++ parser_error jerr = NULL; ++ int ret = -1; ++ container_start_generate_config *start_conf = NULL; ++ struct lxc_conf *lconf = c->lxc_conf; ++ size_t i = 0; ++ ++ if (sprintf(fpath, "%s/%s/%s", lxcpath, name, START_GENERATE_CONFIG) < 0) { ++ ERROR("Sprintf config path failed"); ++ return -1; ++ } ++ if (!file_exists(fpath)) { ++ return 0; ++ } ++ start_conf = container_start_generate_config_parse_file(fpath, NULL, &jerr); ++ if (start_conf == NULL) { ++ ERROR("Parse start generate config file: %s failed", fpath); ++ goto out; ++ } ++ if (start_conf->uid != 0) { ++ lconf->init_uid = start_conf->uid; ++ } ++ if (start_conf->gid != 0) { ++ lconf->init_gid = start_conf->gid; ++ } ++ if (start_conf->additional_gids != NULL && start_conf->additional_gids_len > 0) { ++ gid_t *tmp; ++ tmp = realloc(lconf->init_groups, (lconf->init_groups_len + start_conf->additional_gids_len) * sizeof(gid_t)); ++ if (tmp == NULL) { ++ ERROR("Out of memory"); ++ goto out; ++ } ++ lconf->init_groups = tmp; ++ for (; i < start_conf->additional_gids_len; i++) { ++ tmp[lconf->init_groups_len] = start_conf->additional_gids[i]; ++ lconf->init_groups_len++; ++ } ++ } ++ ++ ret = 0; ++out: ++ free(jerr); ++ if (start_conf != NULL) { ++ free_container_start_generate_config(start_conf); ++ } ++ return ret; ++} ++ + int main(int argc, char *argv[]) + { + const char *lxcpath; +@@ -358,6 +410,12 @@ int main(int argc, char *argv[]) + } + } + ++ /* isulad: load extral config for start container */ ++ if (set_start_extral_configs(lxcpath, my_args.name, c) != 0) { ++ ERROR("Failed to load extral config for container"); ++ goto out; ++ } ++ + /* isulad: fifo used to monitor state of monitor process */ + if (my_args.exit_monitor_fifo != NULL) { + c->exit_fifo = strdup(my_args.exit_monitor_fifo); +-- +1.8.3.1 + diff --git a/0094-exec-load-uid-gid-and-groups.patch b/0094-exec-load-uid-gid-and-groups.patch new file mode 100644 index 0000000..a2acb22 --- /dev/null +++ b/0094-exec-load-uid-gid-and-groups.patch @@ -0,0 +1,197 @@ +From 900c2f8fe30d4ffdaef93f2c01d711705ab8cff9 Mon Sep 17 00:00:00 2001 +From: liuhao +Date: Tue, 7 May 2019 12:55:03 +0800 +Subject: [PATCH 094/122] exec load uid gid and groups + +exec load uid gid and groups + +Signed-off-by: liuhao +Signed-off-by: LiFeng +--- + src/lxc/lxccontainer.c | 69 +++++++++++++++++++++++++++++++++++++++++++++-- + src/lxc/tools/lxc_start.c | 58 --------------------------------------- + 2 files changed, 67 insertions(+), 60 deletions(-) + +diff --git a/src/lxc/lxccontainer.c b/src/lxc/lxccontainer.c +index fa13e52..e0c4de3 100644 +--- a/src/lxc/lxccontainer.c ++++ b/src/lxc/lxccontainer.c +@@ -74,6 +74,7 @@ + #include "terminal.h" + #include "utils.h" + #include "version.h" ++#include "container_start_generate_config.h" + + /* major()/minor() */ + #ifdef MAJOR_IN_MKDEV +@@ -5252,6 +5253,65 @@ static bool do_lxcapi_add_terminal_fifo(struct lxc_container *c, const char *in_ + + WRAP_API_3(bool, lxcapi_add_terminal_fifo, const char *, const char *, const char *) + ++static int set_start_extral_configs(struct lxc_container *c) ++{ ++#define START_GENERATE_CONFIG "start_generate_config.json" ++ char fpath[PATH_MAX] = {0}; ++ parser_error jerr = NULL; ++ int ret = -1; ++ container_start_generate_config *start_conf = NULL; ++ struct lxc_conf *lconf = c->lxc_conf; ++ size_t i = 0; ++ ++ if (lconf == NULL) { ++ c->lxc_conf = malloc(sizeof(struct lxc_conf)); ++ lconf = c->lxc_conf; ++ if (lconf == NULL) { ++ fprintf(stderr, "Out of memory\n"); ++ return -1; ++ } ++ } ++ if (sprintf(fpath, "%s/%s/%s", c->config_path, c->name, START_GENERATE_CONFIG) < 0) { ++ fprintf(stderr, "Sprintf config path failed\n"); ++ return -1; ++ } ++ if (!file_exists(fpath)) { ++ return 0; ++ } ++ start_conf = container_start_generate_config_parse_file(fpath, NULL, &jerr); ++ if (start_conf == NULL) { ++ fprintf(stderr, "Parse start generate config file: %s failed", fpath); ++ goto out; ++ } ++ if (start_conf->uid != 0) { ++ lconf->init_uid = start_conf->uid; ++ } ++ if (start_conf->gid != 0) { ++ lconf->init_gid = start_conf->gid; ++ } ++ if (start_conf->additional_gids != NULL && start_conf->additional_gids_len > 0) { ++ gid_t *tmp; ++ tmp = realloc(lconf->init_groups, (lconf->init_groups_len + start_conf->additional_gids_len) * sizeof(gid_t)); ++ if (tmp == NULL) { ++ fprintf(stderr, "Out of memory"); ++ goto out; ++ } ++ lconf->init_groups = tmp; ++ for (; i < start_conf->additional_gids_len; i++) { ++ tmp[lconf->init_groups_len] = start_conf->additional_gids[i]; ++ lconf->init_groups_len++; ++ } ++ } ++ ++ ret = 0; ++out: ++ free(jerr); ++ if (start_conf != NULL) { ++ free_container_start_generate_config(start_conf); ++ } ++ return ret; ++} ++ + static struct lxc_container *do_lxc_container_new(const char *name, const char *configpath, bool load_config) + { + struct lxc_container *c; +@@ -5309,11 +5369,16 @@ static struct lxc_container *do_lxc_container_new(const char *name, const char * + goto err; + } + +- if (load_config) { +- if (file_exists(c->configfile) && !lxcapi_load_config(c, NULL)) { ++ if (load_config && file_exists(c->configfile)) { ++ if (!lxcapi_load_config(c, NULL)) { + fprintf(stderr, "Failed to load config for %s\n", name); + goto err; + } ++ /* isulad: load extral config for start container */ ++ if (set_start_extral_configs(c) != 0) { ++ fprintf(stderr, "Failed to load extral config for container: %s\n", name); ++ goto err; ++ } + } + + if (ongoing_create(c) == 2) { +diff --git a/src/lxc/tools/lxc_start.c b/src/lxc/tools/lxc_start.c +index 4069204..af63f58 100644 +--- a/src/lxc/tools/lxc_start.c ++++ b/src/lxc/tools/lxc_start.c +@@ -50,7 +50,6 @@ + #include "confile.h" + #include "log.h" + #include "utils.h" +-#include "container_start_generate_config.h" + + lxc_log_define(lxc_start, lxc); + +@@ -214,57 +213,6 @@ static int ensure_path(char **confpath, const char *path) + return 0; + } + +-static int set_start_extral_configs(const char *lxcpath, const char *name, struct lxc_container *c) +-{ +-#define START_GENERATE_CONFIG "start_generate_config.json" +- char fpath[PATH_MAX] = {0}; +- parser_error jerr = NULL; +- int ret = -1; +- container_start_generate_config *start_conf = NULL; +- struct lxc_conf *lconf = c->lxc_conf; +- size_t i = 0; +- +- if (sprintf(fpath, "%s/%s/%s", lxcpath, name, START_GENERATE_CONFIG) < 0) { +- ERROR("Sprintf config path failed"); +- return -1; +- } +- if (!file_exists(fpath)) { +- return 0; +- } +- start_conf = container_start_generate_config_parse_file(fpath, NULL, &jerr); +- if (start_conf == NULL) { +- ERROR("Parse start generate config file: %s failed", fpath); +- goto out; +- } +- if (start_conf->uid != 0) { +- lconf->init_uid = start_conf->uid; +- } +- if (start_conf->gid != 0) { +- lconf->init_gid = start_conf->gid; +- } +- if (start_conf->additional_gids != NULL && start_conf->additional_gids_len > 0) { +- gid_t *tmp; +- tmp = realloc(lconf->init_groups, (lconf->init_groups_len + start_conf->additional_gids_len) * sizeof(gid_t)); +- if (tmp == NULL) { +- ERROR("Out of memory"); +- goto out; +- } +- lconf->init_groups = tmp; +- for (; i < start_conf->additional_gids_len; i++) { +- tmp[lconf->init_groups_len] = start_conf->additional_gids[i]; +- lconf->init_groups_len++; +- } +- } +- +- ret = 0; +-out: +- free(jerr); +- if (start_conf != NULL) { +- free_container_start_generate_config(start_conf); +- } +- return ret; +-} +- + int main(int argc, char *argv[]) + { + const char *lxcpath; +@@ -410,12 +358,6 @@ int main(int argc, char *argv[]) + } + } + +- /* isulad: load extral config for start container */ +- if (set_start_extral_configs(lxcpath, my_args.name, c) != 0) { +- ERROR("Failed to load extral config for container"); +- goto out; +- } +- + /* isulad: fifo used to monitor state of monitor process */ + if (my_args.exit_monitor_fifo != NULL) { + c->exit_fifo = strdup(my_args.exit_monitor_fifo); +-- +1.8.3.1 + diff --git a/0095-lxc-don-t-use-the-unified-hierarchy-for-the-systemd-.patch b/0095-lxc-don-t-use-the-unified-hierarchy-for-the-systemd-.patch new file mode 100644 index 0000000..4fa4a52 --- /dev/null +++ b/0095-lxc-don-t-use-the-unified-hierarchy-for-the-systemd-.patch @@ -0,0 +1,56 @@ +From 92dfbde544492386418f02469af5380d7d5e7c00 Mon Sep 17 00:00:00 2001 +From: liuhao +Date: Fri, 10 May 2019 11:05:42 +0800 +Subject: [PATCH 095/122] lxc: don't use the unified hierarchy for the systemd + cgroup + +reason:don't use the unified hierarchy for the systemd cgroup + +Signed-off-by: zhangsong +Signed-off-by: LiFeng +--- + src/lxc/cgroups/cgfsng.c | 14 ++++++++++++++ + 1 file changed, 14 insertions(+) + +diff --git a/src/lxc/cgroups/cgfsng.c b/src/lxc/cgroups/cgfsng.c +index 2bf142f..eee7ed6 100644 +--- a/src/lxc/cgroups/cgfsng.c ++++ b/src/lxc/cgroups/cgfsng.c +@@ -1571,6 +1571,7 @@ __cgfsng_ops static bool cgfsng_mount(struct cgroup_ops *ops, + int i, ret; + char *tmpfspath = NULL; + char *systemdpath = NULL; ++ char *unifiedpath = NULL; + bool has_cgns = false, retval = false, wants_force_mount = false; + char **merged = NULL; + +@@ -1718,6 +1719,16 @@ __cgfsng_ops static bool cgfsng_mount(struct cgroup_ops *ops, + + // isulad: remount /sys/fs/cgroup/systemd to readwrite for system container + if (handler->conf->systemd != NULL && strcmp(handler->conf->systemd, "true") == 0) { ++ // isulad: don't use the unified hierarchy for the systemd cgroup ++ unifiedpath = must_make_path(root, "/sys/fs/cgroup/unified", NULL); ++ if (dir_exists(unifiedpath)) { ++ ret = umount2(unifiedpath, MNT_DETACH); ++ if (ret < 0) { ++ SYSERROR("Failed to umount /sys/fs/cgroup/unified."); ++ goto on_error; ++ } ++ } ++ + systemdpath = must_make_path(root, "/sys/fs/cgroup/systemd", NULL); + ret = mount(systemdpath, systemdpath, "bind", + MS_NOSUID|MS_NODEV|MS_NOEXEC|MS_RELATIME|MS_BIND|MS_REMOUNT, NULL); +@@ -1734,6 +1745,9 @@ on_error: + if (systemdpath != NULL) { + free(systemdpath); + } ++ if (unifiedpath != NULL) { ++ free(unifiedpath); ++ } + lxc_free_array((void **)merged, free); + return retval; + } +-- +1.8.3.1 + diff --git a/0096-close-inherited-fd-in-hook-process.patch b/0096-close-inherited-fd-in-hook-process.patch new file mode 100644 index 0000000..dec0378 --- /dev/null +++ b/0096-close-inherited-fd-in-hook-process.patch @@ -0,0 +1,34 @@ +From 7f4352c61de6732d41285f6f949199708e459ac0 Mon Sep 17 00:00:00 2001 +From: liuhao +Date: Mon, 13 May 2019 16:45:50 +0800 +Subject: [PATCH 096/122] close inherited fd in hook process + +close inherited fd in hook process + +Signed-off-by: liuhao +Signed-off-by: LiFeng +--- + src/lxc/conf.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/src/lxc/conf.c b/src/lxc/conf.c +index 0f227aa..6cf86a4 100644 +--- a/src/lxc/conf.c ++++ b/src/lxc/conf.c +@@ -4560,6 +4560,13 @@ static struct lxc_popen_FILE *lxc_popen_ocihook(char *commandpath, char **args, + + if (child_pid == 0) { + /* child */ ++ int inherit_fds[2] = { ++ pipe_msg[0], pipe_fds[1] ++ }; ++ if (lxc_check_inherited(NULL, true, inherit_fds, 2) != 0) { ++ SYSERROR("check inherited fd failed"); ++ exit(127); ++ } + + close(pipe_msg[1]); + if (pipe_msg[0] != STDIN_FILENO) +-- +1.8.3.1 + diff --git a/0097-lxc-report-error-when-fork-exec-error-for-hooks.patch b/0097-lxc-report-error-when-fork-exec-error-for-hooks.patch new file mode 100644 index 0000000..f3e40c5 --- /dev/null +++ b/0097-lxc-report-error-when-fork-exec-error-for-hooks.patch @@ -0,0 +1,72 @@ +From 474a63f9c72ace7d1d49d58f6b844dc18f2b6456 Mon Sep 17 00:00:00 2001 +From: tanyifeng +Date: Wed, 15 May 2019 00:53:49 -0400 +Subject: [PATCH 097/122] lxc: report error when fork/exec error for hooks + +Signed-off-by: tanyifeng +Signed-off-by: LiFeng +--- + src/lxc/conf.c | 21 +++++++++------------ + 1 file changed, 9 insertions(+), 12 deletions(-) + +diff --git a/src/lxc/conf.c b/src/lxc/conf.c +index 6cf86a4..341fdab 100644 +--- a/src/lxc/conf.c ++++ b/src/lxc/conf.c +@@ -4559,21 +4559,12 @@ static struct lxc_popen_FILE *lxc_popen_ocihook(char *commandpath, char **args, + goto on_error; + + if (child_pid == 0) { +- /* child */ +- int inherit_fds[2] = { +- pipe_msg[0], pipe_fds[1] +- }; +- if (lxc_check_inherited(NULL, true, inherit_fds, 2) != 0) { +- SYSERROR("check inherited fd failed"); +- exit(127); +- } +- + close(pipe_msg[1]); + if (pipe_msg[0] != STDIN_FILENO) + dup2(pipe_msg[0], STDIN_FILENO); + else { + if (fcntl(pipe_msg[0], F_SETFD, 0) != 0) { +- SYSERROR("Failed to remove FD_CLOEXEC from fd."); ++ fprintf(stderr, "Failed to remove FD_CLOEXEC from fd."); + exit(127); + } + } +@@ -4600,6 +4591,11 @@ static struct lxc_popen_FILE *lxc_popen_ocihook(char *commandpath, char **args, + if (ret < 0) + _exit(EXIT_FAILURE); + ++ if (lxc_check_inherited(NULL, true, NULL, 0) != 0) { ++ fprintf(stderr, "check inherited fd failed"); ++ exit(127); ++ } ++ + /* + * Unblock signals. + * This is the main/only reason +@@ -4615,6 +4611,7 @@ static struct lxc_popen_FILE *lxc_popen_ocihook(char *commandpath, char **args, + execvpe(commandpath, args, envs); + else + execvp(commandpath, args); ++ fprintf(stderr, "fork/exec %s: %s", commandpath, strerror(errno)); + exit(127); + } + +@@ -4764,8 +4761,8 @@ static int run_ocihook_buffer(struct oci_hook_conf *oconf, char *inmsg) + SYSERROR("Script exited with error."); + goto print_hook; + } else if (WIFEXITED(ret) && WEXITSTATUS(ret) != 0) { +- ERROR("Script exited with status %d. output:%s", WEXITSTATUS(ret), output); +- lxc_write_error_message(conf->errfd, "%s:%d: running %s hook caused \"error running hook: exit status %d, output:%s\".", ++ ERROR("Script exited with status %d. output: %s", WEXITSTATUS(ret), output); ++ lxc_write_error_message(conf->errfd, "%s:%d: running %s hook caused \"error running hook: exit status %d, output: %s\".", + __FILE__, __LINE__, + (conf->which >= NUM_LXC_HOOKS) ? "invalid type" : lxchook_names[conf->which], + WEXITSTATUS(ret), output); +-- +1.8.3.1 + diff --git a/0098-lxc-make-dev-bind-mount-from-host-tmpfs-for-system-c.patch b/0098-lxc-make-dev-bind-mount-from-host-tmpfs-for-system-c.patch new file mode 100644 index 0000000..c812c87 --- /dev/null +++ b/0098-lxc-make-dev-bind-mount-from-host-tmpfs-for-system-c.patch @@ -0,0 +1,67 @@ +From 94b3ad110dc17ecad2f86ef166065293cb278295 Mon Sep 17 00:00:00 2001 +From: tanyifeng +Date: Wed, 15 May 2019 12:42:08 +0800 +Subject: [PATCH 098/122] lxc: make /dev bind mount from host tmpfs for system + container + +reason:make /dev bind mount from host tmpfs for system container + +Signed-off-by: zhangsong +Signed-off-by: LiFeng +--- + src/lxc/conf.c | 24 ++++++++++++++++-------- + 1 file changed, 16 insertions(+), 8 deletions(-) + +diff --git a/src/lxc/conf.c b/src/lxc/conf.c +index 341fdab..3780966 100644 +--- a/src/lxc/conf.c ++++ b/src/lxc/conf.c +@@ -1122,7 +1122,7 @@ on_error: + * error, log it but don't fail yet. + */ + static int mount_autodev(const char *name, const struct lxc_rootfs *rootfs, +- const char *lxcpath) ++ const char *lxcpath, char *systemd) + { + int ret; + size_t clen; +@@ -1147,13 +1147,21 @@ static int mount_autodev(const char *name, const struct lxc_rootfs *rootfs, + goto reset_umask; + } + +- ret = safe_mount("none", path, "tmpfs", 0, "size=500000,mode=755", ++ if (systemd != NULL && !strcmp(systemd, "true")) { ++ ret = mount(path, path, "", MS_BIND, NULL); ++ if (ret < 0) { ++ SYSERROR("Failed to bind mount path \"%s\"", path); ++ goto reset_umask; ++ } ++ } else { ++ ret = safe_mount("none", path, "tmpfs", 0, "size=500000,mode=755", + rootfs->path ? rootfs->mount : NULL); +- if (ret < 0) { +- SYSERROR("Failed to mount tmpfs on \"%s\"", path); +- goto reset_umask; +- } +- TRACE("Mounted tmpfs on \"%s\"", path); ++ if (ret < 0) { ++ SYSERROR("Failed to mount tmpfs on \"%s\"", path); ++ goto reset_umask; ++ } ++ TRACE("Mounted tmpfs on \"%s\"", path); ++ } + + ret = snprintf(path, clen, "%s/dev/pts", rootfs->path ? rootfs->mount : ""); + if (ret < 0 || (size_t)ret >= clen) { +@@ -4130,7 +4138,7 @@ int lxc_setup(struct lxc_handler *handler) + } + + if (lxc_conf->autodev > 0) { +- ret = mount_autodev(name, &lxc_conf->rootfs, lxcpath); ++ ret = mount_autodev(name, &lxc_conf->rootfs, lxcpath, lxc_conf->systemd); + if (ret < 0) { + ERROR("Failed to mount \"/dev\""); + goto on_error; +-- +1.8.3.1 + diff --git a/0099-terminal-do-not-close-the-master-fd-of-pty.patch b/0099-terminal-do-not-close-the-master-fd-of-pty.patch new file mode 100644 index 0000000..2246157 --- /dev/null +++ b/0099-terminal-do-not-close-the-master-fd-of-pty.patch @@ -0,0 +1,28 @@ +From d5d48aa449d782dce754ee87c6a3ee1706c1f967 Mon Sep 17 00:00:00 2001 +From: LiFeng +Date: Tue, 21 May 2019 04:53:16 -0400 +Subject: [PATCH 099/122] terminal: do not close the master fd of pty + +Signed-off-by: LiFeng +--- + src/lxc/terminal.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/src/lxc/terminal.c b/src/lxc/terminal.c +index dfce92e..88653b4 100644 +--- a/src/lxc/terminal.c ++++ b/src/lxc/terminal.c +@@ -595,6 +595,10 @@ int lxc_terminal_io_cb(int fd, uint32_t events, void *data, + if (w_log < 0) + TRACE("Failed to write %d bytes to terminal log", r); + } ++ /* notes: do not close the master fd due to if we close the fd, the process may ++ * recive SIGHUP and the exit code will be 129 (128 + 1) ++ */ ++ return LXC_MAINLOOP_CLOSE; + } else if (fd == terminal->peer) { + if (terminal->tty_state) { + lxc_terminal_signal_fini(terminal->tty_state); +-- +1.8.3.1 + diff --git a/0100-start-add-check-save-pid-info-file.patch b/0100-start-add-check-save-pid-info-file.patch new file mode 100644 index 0000000..155b02d --- /dev/null +++ b/0100-start-add-check-save-pid-info-file.patch @@ -0,0 +1,139 @@ +From 5f9953ea9fffa99ca3838e3b59ab3ee170e62795 Mon Sep 17 00:00:00 2001 +From: LiFeng +Date: Wed, 22 May 2019 23:00:17 -0400 +Subject: [PATCH 100/122] start: add check save pid info file + +Signed-off-by: LiFeng +--- + src/lxc/start.c | 72 +++++++++++++++++++++++++++++++++++++++++++++++++-------- + src/lxc/utils.c | 2 +- + src/lxc/utils.h | 1 + + 3 files changed, 64 insertions(+), 11 deletions(-) + +diff --git a/src/lxc/start.c b/src/lxc/start.c +index 3657d4e..4541793 100644 +--- a/src/lxc/start.c ++++ b/src/lxc/start.c +@@ -1850,14 +1850,10 @@ static inline int do_share_ns(void *arg) + return 0; + } + +-/* isuald: save pid/ppid info */ +-static int lxc_save_container_info(char *filename, pid_t pid) ++static int lxc_write_container_info(char *filename, pid_t pid, pid_t p_pid, unsigned long long start_at, unsigned long long p_start_at) + { + FILE *pid_fp = NULL; + int ret = 0; +- pid_t p_pid = 0; +- unsigned long long start_at = 0; +- unsigned long long p_start_at = 0; + + pid_fp = fopen(filename, "w"); + if (pid_fp == NULL) { +@@ -1866,11 +1862,6 @@ static int lxc_save_container_info(char *filename, pid_t pid) + goto out; + } + +- start_at = lxc_get_process_startat(pid); +- +- p_pid = getpid(); +- p_start_at = lxc_get_process_startat(p_pid); +- + if (fprintf(pid_fp, "%d %llu %d %llu\n", pid, start_at, p_pid, p_start_at) < 0) { + SYSERROR("Failed to write '%s'", filename); + ret = -1; +@@ -1883,6 +1874,67 @@ out: + return ret; + } + ++static int lxc_check_container_info(char *filename, pid_t pid, pid_t p_pid, unsigned long long start_at, unsigned long long p_start_at) ++{ ++ int ret = 0; ++ int num; ++ char sbuf[1024] = {0}; /* bufs for stat */ ++ int saved_pid; /* process id */ ++ int saved_ppid; /* pid of parent process */ ++ unsigned long long saved_start_time; /* start time of process -- seconds since 1-1-70 */ ++ unsigned long long saved_pstart_time; /* start time of parent process -- seconds since 1-1-70 */ ++ ++ if ((lxc_file2str(filename, sbuf, sizeof(sbuf))) == -1) { ++ SYSERROR("Failed to read pidfile %s", filename); ++ ret = -1; ++ goto out; ++ } ++ ++ num = sscanf(sbuf, "%d %Lu %d %Lu", &saved_pid, &saved_start_time, &saved_ppid, &saved_pstart_time); ++ if (num < 0) { ++ SYSERROR("Call sscanf error"); ++ ret = -1; ++ goto out; ++ } ++ ++ if (pid != saved_pid || p_pid != saved_ppid ++ || start_at != saved_start_time || p_start_at != saved_pstart_time) { ++ ERROR("Check container info failed"); ++ ret = -1; ++ goto out; ++ } ++ ++out: ++ return ret; ++} ++ ++ ++/* isuald: save pid/ppid info */ ++static int lxc_save_container_info(char *filename, pid_t pid) ++{ ++ int ret = 0; ++ pid_t p_pid = 0; ++ unsigned long long start_at = 0; ++ unsigned long long p_start_at = 0; ++ ++ start_at = lxc_get_process_startat(pid); ++ p_pid = getpid(); ++ p_start_at = lxc_get_process_startat(p_pid); ++ ++ ret = lxc_write_container_info(filename, pid, p_pid, start_at, p_start_at); ++ if (ret != 0) { ++ goto out; ++ } ++ ++ ret = lxc_check_container_info(filename, pid, p_pid, start_at, p_start_at); ++ if (ret != 0) { ++ goto out; ++ } ++ ++out: ++ return ret; ++} ++ + /* lxc_spawn() performs crucial setup tasks and clone()s the new process which + * exec()s the requested container binary. + * Note that lxc_spawn() runs in the parent namespaces. Any operations performed +diff --git a/src/lxc/utils.c b/src/lxc/utils.c +index fd6075f..dc0e6c5 100644 +--- a/src/lxc/utils.c ++++ b/src/lxc/utils.c +@@ -1909,7 +1909,7 @@ set_env: + + + /* isulad: read file to buffer */ +-static int lxc_file2str(const char *filename, char ret[], int cap) ++int lxc_file2str(const char *filename, char ret[], int cap) + { + int fd, num_read; + +diff --git a/src/lxc/utils.h b/src/lxc/utils.h +index 20407af..4410ff2 100644 +--- a/src/lxc/utils.h ++++ b/src/lxc/utils.h +@@ -323,5 +323,6 @@ extern void lxc_write_error_message(int errfd, const char *format, ...); + extern bool lxc_process_alive(pid_t pid, unsigned long long start_time); + + extern bool is_non_negative_num(const char *s); ++extern int lxc_file2str(const char *filename, char ret[], int cap); + + #endif /* __LXC_UTILS_H */ +-- +1.8.3.1 + diff --git a/0101-lxc-fix-code-error.patch b/0101-lxc-fix-code-error.patch new file mode 100644 index 0000000..ad97aa3 --- /dev/null +++ b/0101-lxc-fix-code-error.patch @@ -0,0 +1,8983 @@ +From ed19b6f4c950fc20be79f630812a3a8cfec847bd Mon Sep 17 00:00:00 2001 +From: LiFeng +Date: Mon, 3 Jun 2019 05:14:46 -0400 +Subject: [PATCH 101/122] lxc: fix code error + +Signed-off-by: LiFeng +--- + src/lxc/af_unix.c | 28 +- + src/lxc/cgroups/cgfsng.c | 263 ++++++------ + src/lxc/conf.c | 575 ++++++++++++++------------ + src/lxc/conf.h | 28 +- + src/lxc/confile.c | 897 ++++++++++++++++++++-------------------- + src/lxc/confile_utils.c | 42 +- + src/lxc/json/logger_json_file.c | 422 +++++++++---------- + src/lxc/json/read-file.c | 139 +++---- + src/lxc/log.c | 48 +-- + src/lxc/lxccontainer.c | 239 ++++++----- + src/lxc/mainloop.c | 8 +- + src/lxc/path.c | 584 +++++++++++++++----------- + src/lxc/path.h | 18 +- + src/lxc/start.c | 194 ++++----- + src/lxc/storage/block.c | 3 +- + src/lxc/terminal.c | 129 +++--- + src/lxc/utils.c | 159 ++++--- + src/lxc/utils.h | 11 +- + 18 files changed, 2019 insertions(+), 1768 deletions(-) + +diff --git a/src/lxc/af_unix.c b/src/lxc/af_unix.c +index 24500a8..4c45946 100644 +--- a/src/lxc/af_unix.c ++++ b/src/lxc/af_unix.c +@@ -47,7 +47,7 @@ + lxc_log_define(af_unix, lxc); + + static ssize_t lxc_abstract_unix_set_sockaddr(struct sockaddr_un *addr, +- const char *path) ++ const char *path) + { + size_t len; + +@@ -96,7 +96,7 @@ int lxc_abstract_unix_open(const char *path, int type, int flags) + } + + ret = bind(fd, (struct sockaddr *)&addr, +- offsetof(struct sockaddr_un, sun_path) + len + 1); ++ offsetof(struct sockaddr_un, sun_path) + len + 1); + if (ret < 0) { + int saved_errno = errno; + close(fd); +@@ -141,7 +141,7 @@ int lxc_abstract_unix_connect(const char *path) + } + + ret = connect(fd, (struct sockaddr *)&addr, +- offsetof(struct sockaddr_un, sun_path) + len + 1); ++ offsetof(struct sockaddr_un, sun_path) + len + 1); + if (ret < 0) { + int saved_errno = errno; + close(fd); +@@ -153,7 +153,7 @@ int lxc_abstract_unix_connect(const char *path) + } + + int lxc_abstract_unix_send_fds(int fd, int *sendfds, int num_sendfds, +- void *data, size_t size) ++ void *data, size_t size) + { + int ret; + struct msghdr msg; +@@ -196,14 +196,14 @@ int lxc_abstract_unix_send_fds(int fd, int *sendfds, int num_sendfds, + + /* isulad: add wait timeout Microseconds*/ + int lxc_abstract_unix_recv_fds_timeout(int fd, int *recvfds, int num_recvfds, +- void *data, size_t size, unsigned int timeout) ++ void *data, size_t size, unsigned int timeout) + { + int ret; + struct msghdr msg; + struct iovec iov; + struct cmsghdr *cmsg = NULL; + char buf[1] = {0}; +- char *cmsgbuf; ++ char *cmsgbuf = NULL; + size_t cmsgbufsize = CMSG_SPACE(num_recvfds * sizeof(int)); + struct timeval out; + +@@ -229,10 +229,10 @@ int lxc_abstract_unix_recv_fds_timeout(int fd, int *recvfds, int num_recvfds, + out.tv_sec = timeout / 1000000; + out.tv_usec = timeout % 1000000; + ret = setsockopt(fd, SOL_SOCKET, SO_RCVTIMEO, +- (const void *)&out, sizeof(out)); ++ (const void *)&out, sizeof(out)); + if (ret < 0) { + ERROR("Failed to set %u timeout on containter " +- "state socket", timeout); ++ "state socket", timeout); + goto out; + } + } +@@ -245,7 +245,7 @@ int lxc_abstract_unix_recv_fds_timeout(int fd, int *recvfds, int num_recvfds, + + memset(recvfds, -1, num_recvfds * sizeof(int)); + if (cmsg && cmsg->cmsg_len == CMSG_LEN(num_recvfds * sizeof(int)) && +- cmsg->cmsg_level == SOL_SOCKET && cmsg->cmsg_type == SCM_RIGHTS) ++ cmsg->cmsg_level == SOL_SOCKET && cmsg->cmsg_type == SCM_RIGHTS) + memcpy(recvfds, CMSG_DATA(cmsg), num_recvfds * sizeof(int)); + + out: +@@ -254,7 +254,7 @@ out: + } + + int lxc_abstract_unix_recv_fds(int fd, int *recvfds, int num_recvfds, +- void *data, size_t size) ++ void *data, size_t size) + { + return lxc_abstract_unix_recv_fds_timeout(fd, recvfds, num_recvfds, data, size, 0); + } +@@ -265,7 +265,7 @@ int lxc_abstract_unix_send_credential(int fd, void *data, size_t size) + struct iovec iov; + struct cmsghdr *cmsg; + struct ucred cred = { +- .pid = lxc_raw_getpid(), .uid = getuid(), .gid = getgid(), ++ .pid = lxc_raw_getpid(), .uid = getuid(), .gid = getgid(), + }; + char cmsgbuf[CMSG_SPACE(sizeof(cred))] = {0}; + char buf[1] = {0}; +@@ -317,11 +317,11 @@ int lxc_abstract_unix_rcv_credential(int fd, void *data, size_t size) + cmsg = CMSG_FIRSTHDR(&msg); + + if (cmsg && cmsg->cmsg_len == CMSG_LEN(sizeof(struct ucred)) && +- cmsg->cmsg_level == SOL_SOCKET && +- cmsg->cmsg_type == SCM_CREDENTIALS) { ++ cmsg->cmsg_level == SOL_SOCKET && ++ cmsg->cmsg_type == SCM_CREDENTIALS) { + memcpy(&cred, CMSG_DATA(cmsg), sizeof(cred)); + if (cred.uid && +- (cred.uid != getuid() || cred.gid != getgid())) { ++ (cred.uid != getuid() || cred.gid != getgid())) { + INFO("Message denied for '%d/%d'", cred.uid, cred.gid); + errno = EACCES; + return -1; +diff --git a/src/lxc/cgroups/cgfsng.c b/src/lxc/cgroups/cgfsng.c +index eee7ed6..67c7a0e 100644 +--- a/src/lxc/cgroups/cgfsng.c ++++ b/src/lxc/cgroups/cgfsng.c +@@ -149,7 +149,7 @@ static char *cg_legacy_must_prefix_named(char *entry) + * The last entry will always be NULL. + */ + static void must_append_controller(char **klist, char **nlist, char ***clist, +- char *entry) ++ char *entry) + { + int newentry; + char *copy; +@@ -190,7 +190,7 @@ struct hierarchy *get_hierarchy(struct cgroup_ops *ops, const char *controller) + if (!controller) { + /* This is the empty unified hierarchy. */ + if (ops->hierarchies[i]->controllers && +- !ops->hierarchies[i]->controllers[0]) ++ !ops->hierarchies[i]->controllers[0]) + return ops->hierarchies[i]; + + continue; +@@ -591,7 +591,7 @@ static bool cg_legacy_handle_cpuset_hierarchy(struct hierarchy *h, char *cgname) + } + + clonechildrenpath = +- must_make_path(cgpath, "cgroup.clone_children", NULL); ++ must_make_path(cgpath, "cgroup.clone_children", NULL); + /* unified hierarchy doesn't have clone_children */ + if (!file_exists(clonechildrenpath)) { + free(clonechildrenpath); +@@ -722,7 +722,7 @@ static bool all_controllers_found(struct cgroup_ops *ops) + * be /sys/fs/cgroup/controller-list + */ + static char **cg_hybrid_get_controllers(char **klist, char **nlist, char *line, +- int type) ++ int type) + { + /* The fourth field is /sys/fs/cgroup/comma-delimited-controller-list + * for legacy hierarchies. +@@ -809,7 +809,7 @@ static char **cg_unified_get_controllers(const char *file) + } + + static struct hierarchy *add_hierarchy(struct hierarchy ***h, char **clist, char *mountpoint, +- char *container_base_path, int type) ++ char *container_base_path, int type) + { + struct hierarchy *new; + int newentry; +@@ -903,7 +903,7 @@ static bool controller_in_clist(char *cgline, char *c) + * @controller. + */ + static char *cg_hybrid_get_current_cgroup(char *basecginfo, char *controller, +- int type) ++ int type) + { + char *p = basecginfo; + +@@ -1023,7 +1023,7 @@ static void lxc_cgfsng_print_hierarchies(struct cgroup_ops *ops) + } + + static void lxc_cgfsng_print_basecg_debuginfo(char *basecginfo, char **klist, +- char **nlist) ++ char **nlist) + { + int k; + char **it; +@@ -1039,7 +1039,7 @@ static void lxc_cgfsng_print_basecg_debuginfo(char *basecginfo, char **klist, + } + + static int cgroup_rmdir(struct hierarchy **hierarchies, +- const char *container_cgroup) ++ const char *container_cgroup) + { + int i; + +@@ -1085,14 +1085,14 @@ static int cgroup_rmdir_wrapper(void *data) + ret = setresgid(nsgid, nsgid, nsgid); + if (ret < 0) { + SYSERROR("Failed to setresgid(%d, %d, %d)", (int)nsgid, +- (int)nsgid, (int)nsgid); ++ (int)nsgid, (int)nsgid); + return -1; + } + + ret = setresuid(nsuid, nsuid, nsuid); + if (ret < 0) { + SYSERROR("Failed to setresuid(%d, %d, %d)", (int)nsuid, +- (int)nsuid, (int)nsuid); ++ (int)nsuid, (int)nsuid); + return -1; + } + +@@ -1107,7 +1107,7 @@ static int cgroup_rmdir_wrapper(void *data) + + /* isulad: fix return bool instead of void*/ + __cgfsng_ops static bool cgfsng_payload_destroy(struct cgroup_ops *ops, +- struct lxc_handler *handler) ++ struct lxc_handler *handler) + { + int ret; + struct generic_userns_exec_data wrap; +@@ -1121,7 +1121,7 @@ __cgfsng_ops static bool cgfsng_payload_destroy(struct cgroup_ops *ops, + + if (handler->conf && !lxc_list_empty(&handler->conf->id_map)) + ret = userns_exec_1(handler->conf, cgroup_rmdir_wrapper, &wrap, +- "cgroup_rmdir_wrapper"); ++ "cgroup_rmdir_wrapper"); + else + ret = cgroup_rmdir(ops->hierarchies, ops->container_cgroup); + if (ret < 0) { +@@ -1186,10 +1186,10 @@ static bool cg_unified_create_cgroup(struct hierarchy *h, char *cgname, int errf + free(target); + if (ret < 0) { + SYSERROR("Could not enable \"%s\" controllers in the " +- "unified cgroup \"%s\"", add_controllers, cgroup); ++ "unified cgroup \"%s\"", add_controllers, cgroup); + lxc_write_error_message(errfd, "%s:%d: Could not enable \"%s\" controllers in the " +- "unified cgroup: \"%s\"", +- __FILE__, __LINE__, add_controllers, strerror(errno)); ++ "unified cgroup: \"%s\"", ++ __FILE__, __LINE__, add_controllers, strerror(errno)); + goto on_error; + } + } +@@ -1248,7 +1248,7 @@ static bool create_path_for_hierarchy(struct hierarchy *h, char *cgname, int err + if (file_exists(h->container_full_path)) { // it must not already exist + ERROR("Cgroup path \"%s\" already exist.", h->container_full_path); + lxc_write_error_message(errfd, "%s:%d: Cgroup path \"%s\" already exist.", +- __FILE__, __LINE__, h->container_full_path); ++ __FILE__, __LINE__, h->container_full_path); + return false; + } + +@@ -1268,7 +1268,7 @@ static bool create_path_for_hierarchy(struct hierarchy *h, char *cgname, int err + + /* isulad: create hierarchies path, if fail, return the error */ + __cgfsng_ops static bool cgfsng_payload_create(struct cgroup_ops *ops, +- struct lxc_handler *handler) ++ struct lxc_handler *handler) + { + int i; + char *container_cgroup = ops->container_cgroup; +@@ -1302,7 +1302,7 @@ __cgfsng_ops static bool cgfsng_payload_enter(struct cgroup_ops *ops, pid_t pid) + char *fullpath; + + fullpath = must_make_path(ops->hierarchies[i]->container_full_path, +- "cgroup.procs", NULL); ++ "cgroup.procs", NULL); + ret = lxc_write_to_file(fullpath, pidstr, len, false, 0666); + if (ret != 0) { + SYSERROR("Failed to enter cgroup \"%s\"", fullpath); +@@ -1316,7 +1316,7 @@ __cgfsng_ops static bool cgfsng_payload_enter(struct cgroup_ops *ops, pid_t pid) + } + + static int chowmod(char *path, uid_t chown_uid, gid_t chown_gid, +- mode_t chmod_mode) ++ mode_t chmod_mode) + { + int ret; + +@@ -1353,14 +1353,14 @@ static int chown_cgroup_wrapper(void *data) + ret = setresgid(nsgid, nsgid, nsgid); + if (ret < 0) { + SYSERROR("Failed to setresgid(%d, %d, %d)", +- (int)nsgid, (int)nsgid, (int)nsgid); ++ (int)nsgid, (int)nsgid, (int)nsgid); + return -1; + } + + ret = setresuid(nsuid, nsuid, nsuid); + if (ret < 0) { + SYSERROR("Failed to setresuid(%d, %d, %d)", +- (int)nsuid, (int)nsuid, (int)nsuid); ++ (int)nsuid, (int)nsuid, (int)nsuid); + return -1; + } + +@@ -1415,7 +1415,7 @@ static int chown_cgroup_wrapper(void *data) + } + + __cgfsng_ops static bool cgfsng_chown(struct cgroup_ops *ops, +- struct lxc_conf *conf) ++ struct lxc_conf *conf) + { + struct generic_userns_exec_data wrap; + +@@ -1428,7 +1428,7 @@ __cgfsng_ops static bool cgfsng_chown(struct cgroup_ops *ops, + wrap.conf = conf; + + if (userns_exec_1(conf, chown_cgroup_wrapper, &wrap, +- "chown_cgroup_wrapper") < 0) { ++ "chown_cgroup_wrapper") < 0) { + ERROR("Error requesting cgroup chown in new user namespace"); + return false; + } +@@ -1450,8 +1450,8 @@ static bool cg_mount_needs_subdirs(int type) + * control/the/cg/path. + */ + static int cg_legacy_mount_controllers(int type, struct hierarchy *h, +- char *controllerpath, char *cgpath, +- const char *container_cgroup) ++ char *controllerpath, char *cgpath, ++ const char *container_cgroup) + { + int ret, remount_flags; + char *sourcepath; +@@ -1461,16 +1461,16 @@ static int cg_legacy_mount_controllers(int type, struct hierarchy *h, + ret = mount(controllerpath, controllerpath, "cgroup", MS_BIND, NULL); + if (ret < 0) { + SYSERROR("Failed to bind mount \"%s\" onto \"%s\"", +- controllerpath, controllerpath); ++ controllerpath, controllerpath); + return -1; + } + + remount_flags = add_required_remount_flags(controllerpath, +- controllerpath, +- flags | MS_REMOUNT); ++ controllerpath, ++ flags | MS_REMOUNT); + ret = mount(controllerpath, controllerpath, "cgroup", +- remount_flags | MS_REMOUNT | MS_BIND | MS_RDONLY, +- NULL); ++ remount_flags | MS_REMOUNT | MS_BIND | MS_RDONLY, ++ NULL); + if (ret < 0) { + SYSERROR("Failed to remount \"%s\" ro", controllerpath); + return -1; +@@ -1480,7 +1480,7 @@ static int cg_legacy_mount_controllers(int type, struct hierarchy *h, + } + + sourcepath = must_make_path(h->mountpoint, h->container_base_path, +- container_cgroup, NULL); ++ container_cgroup, NULL); + if (type == LXC_AUTO_CGROUP_RO) + flags |= MS_RDONLY; + +@@ -1494,7 +1494,7 @@ static int cg_legacy_mount_controllers(int type, struct hierarchy *h, + + if (flags & MS_RDONLY) { + remount_flags = add_required_remount_flags(sourcepath, cgpath, +- flags | MS_REMOUNT); ++ flags | MS_REMOUNT); + ret = mount(sourcepath, cgpath, "cgroup", remount_flags, NULL); + if (ret < 0) { + SYSERROR("Failed to remount \"%s\" ro", cgpath); +@@ -1516,26 +1516,26 @@ static int cg_legacy_mount_controllers(int type, struct hierarchy *h, + * cgroups for the LXC_AUTO_CGROUP_FULL option. + */ + static int __cg_mount_direct(int type, struct hierarchy *h, +- const char *controllerpath) ++ const char *controllerpath) + { +- int ret; +- char *controllers = NULL; +- char *fstype = "cgroup2"; +- unsigned long flags = 0; ++ int ret; ++ char *controllers = NULL; ++ char *fstype = "cgroup2"; ++ unsigned long flags = 0; + +- flags |= MS_NOSUID; +- flags |= MS_NOEXEC; +- flags |= MS_NODEV; +- flags |= MS_RELATIME; ++ flags |= MS_NOSUID; ++ flags |= MS_NOEXEC; ++ flags |= MS_NODEV; ++ flags |= MS_RELATIME; + +- if (type == LXC_AUTO_CGROUP_RO || type == LXC_AUTO_CGROUP_FULL_RO) +- flags |= MS_RDONLY; ++ if (type == LXC_AUTO_CGROUP_RO || type == LXC_AUTO_CGROUP_FULL_RO) ++ flags |= MS_RDONLY; + +- if (h->version != CGROUP2_SUPER_MAGIC) { +- controllers = lxc_string_join(",", (const char **)h->controllers, false); +- if (!controllers) +- return -ENOMEM; +- fstype = "cgroup"; ++ if (h->version != CGROUP2_SUPER_MAGIC) { ++ controllers = lxc_string_join(",", (const char **)h->controllers, false); ++ if (!controllers) ++ return -ENOMEM; ++ fstype = "cgroup"; + } + + ret = mount("cgroup", controllerpath, fstype, flags, controllers); +@@ -1550,13 +1550,13 @@ static int __cg_mount_direct(int type, struct hierarchy *h, + } + + static inline int cg_mount_in_cgroup_namespace(int type, struct hierarchy *h, +- const char *controllerpath) ++ const char *controllerpath) + { + return __cg_mount_direct(type, h, controllerpath); + } + + static inline int cg_mount_cgroup_full(int type, struct hierarchy *h, +- const char *controllerpath) ++ const char *controllerpath) + { + if (type < LXC_AUTO_CGROUP_FULL_RO || type > LXC_AUTO_CGROUP_FULL_MIXED) + return 0; +@@ -1565,8 +1565,8 @@ static inline int cg_mount_cgroup_full(int type, struct hierarchy *h, + } + + __cgfsng_ops static bool cgfsng_mount(struct cgroup_ops *ops, +- struct lxc_handler *handler, +- const char *root, int type) ++ struct lxc_handler *handler, ++ const char *root, int type) + { + int i, ret; + char *tmpfspath = NULL; +@@ -1583,7 +1583,7 @@ __cgfsng_ops static bool cgfsng_mount(struct cgroup_ops *ops, + wants_force_mount = true; + } + +- if (!wants_force_mount){ ++ if (!wants_force_mount) { + if (!lxc_list_empty(&handler->conf->keepcaps)) + wants_force_mount = !in_caplist(CAP_SYS_ADMIN, &handler->conf->keepcaps); + else +@@ -1606,13 +1606,14 @@ __cgfsng_ops static bool cgfsng_mount(struct cgroup_ops *ops, + goto on_error; + } + ret = safe_mount(NULL, tmpfspath, "tmpfs", +- MS_NOSUID | MS_NODEV | MS_NOEXEC | MS_RELATIME, +- "size=10240k,mode=755", root); ++ MS_NOSUID | MS_NODEV | MS_NOEXEC | MS_RELATIME, ++ "size=10240k,mode=755", root); + if (ret < 0) + goto on_error; + + for (i = 0; ops->hierarchies[i]; i++) { +- char *controllerpath, *path2; ++ char *controllerpath = NULL; ++ char *path2 = NULL; + struct hierarchy *h = ops->hierarchies[i]; + char *controller = strrchr(h->mountpoint, '/'); + +@@ -1676,7 +1677,7 @@ __cgfsng_ops static bool cgfsng_mount(struct cgroup_ops *ops, + } + + ret = cg_legacy_mount_controllers(type, h, controllerpath, +- path2, ops->container_cgroup); ++ path2, ops->container_cgroup); + free(controllerpath); + free(path2); + if (ret < 0) +@@ -1685,7 +1686,7 @@ __cgfsng_ops static bool cgfsng_mount(struct cgroup_ops *ops, + + // isulad: symlink subcgroup + if (merged) { +- char **mc; ++ char **mc = NULL; + for (mc = merged; *mc; mc++) { + char *token; + char *copy = must_copy_string(*mc); +@@ -1710,44 +1711,44 @@ __cgfsng_ops static bool cgfsng_mount(struct cgroup_ops *ops, + // isulad: remount /sys/fs/cgroup to readonly + if (type == LXC_AUTO_CGROUP_FULL_RO || type == LXC_AUTO_CGROUP_RO) { + ret = mount(tmpfspath, tmpfspath, "bind", +- MS_NOSUID|MS_NODEV|MS_NOEXEC|MS_RELATIME|MS_RDONLY|MS_BIND|MS_REMOUNT, NULL); ++ MS_NOSUID|MS_NODEV|MS_NOEXEC|MS_RELATIME|MS_RDONLY|MS_BIND|MS_REMOUNT, NULL); + if (ret < 0) { + SYSERROR("Failed to remount /sys/fs/cgroup."); + goto on_error; + } + } + +- // isulad: remount /sys/fs/cgroup/systemd to readwrite for system container +- if (handler->conf->systemd != NULL && strcmp(handler->conf->systemd, "true") == 0) { +- // isulad: don't use the unified hierarchy for the systemd cgroup +- unifiedpath = must_make_path(root, "/sys/fs/cgroup/unified", NULL); +- if (dir_exists(unifiedpath)) { +- ret = umount2(unifiedpath, MNT_DETACH); +- if (ret < 0) { +- SYSERROR("Failed to umount /sys/fs/cgroup/unified."); +- goto on_error; +- } +- } +- +- systemdpath = must_make_path(root, "/sys/fs/cgroup/systemd", NULL); +- ret = mount(systemdpath, systemdpath, "bind", +- MS_NOSUID|MS_NODEV|MS_NOEXEC|MS_RELATIME|MS_BIND|MS_REMOUNT, NULL); +- if (ret < 0) { +- SYSERROR("Failed to remount /sys/fs/cgroup/systemd."); +- goto on_error; +- } +- } ++ // isulad: remount /sys/fs/cgroup/systemd to readwrite for system container ++ if (handler->conf->systemd != NULL && strcmp(handler->conf->systemd, "true") == 0) { ++ // isulad: don't use the unified hierarchy for the systemd cgroup ++ unifiedpath = must_make_path(root, "/sys/fs/cgroup/unified", NULL); ++ if (dir_exists(unifiedpath)) { ++ ret = umount2(unifiedpath, MNT_DETACH); ++ if (ret < 0) { ++ SYSERROR("Failed to umount /sys/fs/cgroup/unified."); ++ goto on_error; ++ } ++ } ++ ++ systemdpath = must_make_path(root, "/sys/fs/cgroup/systemd", NULL); ++ ret = mount(systemdpath, systemdpath, "bind", ++ MS_NOSUID|MS_NODEV|MS_NOEXEC|MS_RELATIME|MS_BIND|MS_REMOUNT, NULL); ++ if (ret < 0) { ++ SYSERROR("Failed to remount /sys/fs/cgroup/systemd."); ++ goto on_error; ++ } ++ } + + retval = true; + + on_error: + free(tmpfspath); +- if (systemdpath != NULL) { +- free(systemdpath); +- } +- if (unifiedpath != NULL) { +- free(unifiedpath); +- } ++ if (systemdpath != NULL) { ++ free(systemdpath); ++ } ++ if (unifiedpath != NULL) { ++ free(unifiedpath); ++ } + lxc_free_array((void **)merged, free); + return retval; + } +@@ -1767,7 +1768,7 @@ static int recursive_count_nrtasks(char *dirname) + struct stat mystat; + + if (!strcmp(direntp->d_name, ".") || +- !strcmp(direntp->d_name, "..")) ++ !strcmp(direntp->d_name, "..")) + continue; + + path = must_make_path(dirname, direntp->d_name, NULL); +@@ -1779,7 +1780,7 @@ static int recursive_count_nrtasks(char *dirname) + goto next; + + count += recursive_count_nrtasks(path); +- next: ++next: + free(path); + } + +@@ -1821,8 +1822,8 @@ __cgfsng_ops static bool cgfsng_escape(const struct cgroup_ops *ops) + char *fullpath; + + fullpath = must_make_path(ops->hierarchies[i]->mountpoint, +- ops->hierarchies[i]->container_base_path, +- "cgroup.procs", NULL); ++ ops->hierarchies[i]->container_base_path, ++ "cgroup.procs", NULL); + ret = lxc_write_to_file(fullpath, "0", 2, false, 0666); + if (ret != 0) { + SYSERROR("Failed to escape to cgroup \"%s\"", fullpath); +@@ -1885,7 +1886,7 @@ __cgfsng_ops static bool cgfsng_unfreeze(struct cgroup_ops *ops) + } + + __cgfsng_ops static const char *cgfsng_get_cgroup(struct cgroup_ops *ops, +- const char *controller, bool skip_mount) ++ const char *controller, bool skip_mount) + { + struct hierarchy *h; + +@@ -1905,8 +1906,8 @@ __cgfsng_ops static const char *cgfsng_get_cgroup(struct cgroup_ops *ops, + * which must be freed by the caller. + */ + static inline char *build_full_cgpath_from_monitorpath(struct hierarchy *h, +- const char *inpath, +- const char *filename) ++ const char *inpath, ++ const char *filename) + { + return must_make_path(h->mountpoint, inpath, filename, NULL); + } +@@ -1921,8 +1922,8 @@ static inline char *build_full_cgpath_from_monitorpath(struct hierarchy *h, + * cgroup for the attaching process. + */ + static int __cg_unified_attach(const struct hierarchy *h, const char *name, +- const char *lxcpath, const char *pidstr, +- size_t pidstr_len, const char *controller) ++ const char *lxcpath, const char *pidstr, ++ size_t pidstr_len, const char *controller) + { + int ret; + size_t len; +@@ -1952,7 +1953,7 @@ static int __cg_unified_attach(const struct hierarchy *h, const char *name, + do { + if (idx) + ret = snprintf(full_path, len + 1, "%s/lxc-%d", +- base_path, idx); ++ base_path, idx); + else + ret = snprintf(full_path, len + 1, "%s/lxc", base_path); + if (ret < 0 || (size_t)ret >= len + 1) +@@ -1987,7 +1988,7 @@ on_error: + } + + __cgfsng_ops static bool cgfsng_attach(struct cgroup_ops *ops, const char *name, +- const char *lxcpath, pid_t pid) ++ const char *lxcpath, pid_t pid) + { + int i, len, ret; + char pidstr[INTTYPE_TO_STRLEN(pid_t)]; +@@ -2003,7 +2004,7 @@ __cgfsng_ops static bool cgfsng_attach(struct cgroup_ops *ops, const char *name, + + if (h->version == CGROUP2_SUPER_MAGIC) { + ret = __cg_unified_attach(h, name, lxcpath, pidstr, len, +- h->controllers[0]); ++ h->controllers[0]); + if (ret < 0) + return false; + +@@ -2034,8 +2035,8 @@ __cgfsng_ops static bool cgfsng_attach(struct cgroup_ops *ops, const char *name, + * commands API for the cgroup path. + */ + __cgfsng_ops static int cgfsng_get(struct cgroup_ops *ops, const char *filename, +- char *value, size_t len, const char *name, +- const char *lxcpath) ++ char *value, size_t len, const char *name, ++ const char *lxcpath) + { + int ret = -1; + size_t controller_len; +@@ -2073,8 +2074,8 @@ __cgfsng_ops static int cgfsng_get(struct cgroup_ops *ops, const char *filename, + * commands API for the cgroup path. + */ + __cgfsng_ops static int cgfsng_set(struct cgroup_ops *ops, +- const char *filename, const char *value, +- const char *name, const char *lxcpath) ++ const char *filename, const char *value, ++ const char *name, const char *lxcpath) + { + int ret = -1; + size_t controller_len; +@@ -2189,7 +2190,7 @@ out: + * we created the cgroups. + */ + static int cg_legacy_set_data(struct cgroup_ops *ops, const char *filename, +- const char *value) ++ const char *value) + { + size_t len; + char *fullpath, *p; +@@ -2228,8 +2229,8 @@ static int cg_legacy_set_data(struct cgroup_ops *ops, const char *filename, + ret = lxc_write_to_file(fullpath, value, strlen(value), false, 0666); + if (ret) { + lxc_write_error_message(ops->errfd, +- "%s:%d: setting cgroup config for ready process caused \"failed to write %s to %s: %s\".", +- __FILE__, __LINE__, value, fullpath, strerror(errno)); ++ "%s:%d: setting cgroup config for ready process caused \"failed to write %s to %s: %s\".", ++ __FILE__, __LINE__, value, fullpath, strerror(errno)); + } + free(fullpath); + return ret; +@@ -2239,15 +2240,16 @@ static int cg_legacy_set_data(struct cgroup_ops *ops, const char *filename, + * we created the cgroups. + */ + static int cg_legacy_get_data(struct cgroup_ops *ops, const char *filename, +- char *value, size_t len) ++ char *value, size_t len) + { +- char *fullpath, *p; +- struct hierarchy *h; ++ char *fullpath = NULL; ++ char *p = NULL; ++ struct hierarchy *h = NULL; + int ret = 0; + char *controller = NULL; + + len = strlen(filename); +- controller = alloca(len + 1); ++ controller = calloc(1, len + 1); + (void)strlcpy(controller, filename, len + 1); + + p = strchr(controller, '.'); +@@ -2262,23 +2264,25 @@ static int cg_legacy_get_data(struct cgroup_ops *ops, const char *filename, + "driver or not enabled on the cgroup hierarchy", + controller); + errno = ENOENT; ++ free(controller); + return -ENOENT; + } + + fullpath = must_make_path(h->container_full_path, filename, NULL); + ret = lxc_read_from_file(fullpath, value, len); + free(fullpath); ++ free(controller); + return ret; + } + + static bool __cg_legacy_setup_limits(struct cgroup_ops *ops, +- struct lxc_list *cgroup_settings, +- bool do_devices) ++ struct lxc_list *cgroup_settings, ++ bool do_devices) + { + struct lxc_list *iterator, *next, *sorted_cgroup_settings; + struct lxc_cgroup *cg; + bool ret = false; +- char value[21]; ++ char value[21 + 1] = { 0 }; + long long int readvalue, setvalue; + + if (lxc_list_empty(cgroup_settings)) +@@ -2318,7 +2322,7 @@ static bool __cg_legacy_setup_limits(struct cgroup_ops *ops, + + // isulad: check cpu shares + if (strcmp(cg->subsystem, "cpu.shares") == 0) { +- if (cg_legacy_get_data(ops, cg->subsystem, value, sizeof(value)) < 0) { ++ if (cg_legacy_get_data(ops, cg->subsystem, value, sizeof(value) - 1) < 0) { + SYSERROR("Error get %s", cg->subsystem); + goto out; + } +@@ -2334,14 +2338,14 @@ static bool __cg_legacy_setup_limits(struct cgroup_ops *ops, + if (setvalue > readvalue) { + ERROR("The maximum allowed cpu-shares is %s", value); + lxc_write_error_message(ops->errfd, +- "%s:%d: setting cgroup config for ready process caused \"The maximum allowed cpu-shares is %s\".", +- __FILE__, __LINE__, value); ++ "%s:%d: setting cgroup config for ready process caused \"The maximum allowed cpu-shares is %s\".", ++ __FILE__, __LINE__, value); + goto out; + } else if (setvalue < readvalue) { + ERROR("The minimum allowed cpu-shares is %s", value); + lxc_write_error_message(ops->errfd, +- "%s:%d: setting cgroup config for ready process caused \"The minimum allowed cpu-shares is %s\".", +- __FILE__, __LINE__, value); ++ "%s:%d: setting cgroup config for ready process caused \"The minimum allowed cpu-shares is %s\".", ++ __FILE__, __LINE__, value); + goto out; + } + } +@@ -2359,7 +2363,7 @@ out: + } + + static bool __cg_unified_setup_limits(struct cgroup_ops *ops, +- struct lxc_list *cgroup_settings) ++ struct lxc_list *cgroup_settings) + { + struct lxc_list *iterator; + struct hierarchy *h = ops->unified; +@@ -2380,7 +2384,7 @@ static bool __cg_unified_setup_limits(struct cgroup_ops *ops, + free(fullpath); + if (ret < 0) { + SYSERROR("Failed to set \"%s\" to \"%s\"", +- cg->subsystem, cg->value); ++ cg->subsystem, cg->value); + return false; + } + TRACE("Set \"%s\" to \"%s\"", cg->subsystem, cg->value); +@@ -2391,8 +2395,8 @@ static bool __cg_unified_setup_limits(struct cgroup_ops *ops, + } + + __cgfsng_ops static bool cgfsng_setup_limits(struct cgroup_ops *ops, +- struct lxc_conf *conf, +- bool do_devices) ++ struct lxc_conf *conf, ++ bool do_devices) + { + bool bret; + +@@ -2404,7 +2408,7 @@ __cgfsng_ops static bool cgfsng_setup_limits(struct cgroup_ops *ops, + } + + static bool cgroup_use_wants_controllers(const struct cgroup_ops *ops, +- char **controllers) ++ char **controllers) + { + char **cur_ctrl, **cur_use; + +@@ -2537,8 +2541,8 @@ static bool cg_hybrid_init(struct cgroup_ops *ops) + char *cgv2_ctrl_path; + + cgv2_ctrl_path = must_make_path(mountpoint, base_cgroup, +- "cgroup.controllers", +- NULL); ++ "cgroup.controllers", ++ NULL); + + controller_list = cg_unified_get_controllers(cgv2_ctrl_path); + free(cgv2_ctrl_path); +@@ -2559,7 +2563,7 @@ static bool cg_hybrid_init(struct cgroup_ops *ops) + + continue; + +- next: ++next: + free_string_list(controller_list); + free(mountpoint); + free(base_cgroup); +@@ -2658,7 +2662,7 @@ static int cg_unified_init(struct cgroup_ops *ops) + */ + mountpoint = must_copy_string("/sys/fs/cgroup"); + subtree_path = must_make_path(mountpoint, base_cgroup, +- "cgroup.subtree_control", NULL); ++ "cgroup.subtree_control", NULL); + delegatable = cg_unified_get_controllers(subtree_path); + free(subtree_path); + if (!delegatable) +@@ -2710,8 +2714,9 @@ static bool cg_init(struct cgroup_ops *ops) + + __cgfsng_ops static bool cgfsng_data_init(struct cgroup_ops *ops, struct lxc_handler *handler) + { +- const char *cgroup_pattern; +- char *container_cgroup, *tmp; ++ const char *cgroup_pattern = NULL; ++ char *container_cgroup = NULL; ++ char *tmp = NULL; + struct lxc_conf *conf = NULL; + size_t len; + +@@ -2730,7 +2735,9 @@ __cgfsng_ops static bool cgfsng_data_init(struct cgroup_ops *ops, struct lxc_han + /* isulad: init ops->container_cgroup here instead of in cgfsng_payload_create*/ + if (conf) { + if (conf->cgroup_meta.dir) +- tmp = lxc_string_join("/", (const char *[]){conf->cgroup_meta.dir, handler->name, NULL}, false); ++ tmp = lxc_string_join("/", (const char *[]) { ++ conf->cgroup_meta.dir, handler->name, NULL ++ }, false); + else + tmp = lxc_string_replace("%n", handler->name, ops->cgroup_pattern); + if (!tmp) { +diff --git a/src/lxc/conf.c b/src/lxc/conf.c +index 3780966..ec1667d 100644 +--- a/src/lxc/conf.c ++++ b/src/lxc/conf.c +@@ -351,8 +351,8 @@ static int run_buffer(char *buffer) + } + + int run_script_argv(const char *name, unsigned int hook_version, +- const char *section, const char *script, +- const char *hookname, char **argv) ++ const char *section, const char *script, ++ const char *hookname, char **argv) + { + int buf_pos, i, ret; + char *buffer; +@@ -407,7 +407,7 @@ int run_script_argv(const char *name, unsigned int hook_version, + ret = setenv("LXC_HOOK_TYPE", hookname, 1); + if (ret < 0) { + SYSERROR("Failed to set environment variable: " +- "LXC_HOOK_TYPE=%s", hookname); ++ "LXC_HOOK_TYPE=%s", hookname); + goto on_error; + } + TRACE("Set environment variable: LXC_HOOK_TYPE=%s", hookname); +@@ -415,7 +415,7 @@ int run_script_argv(const char *name, unsigned int hook_version, + ret = setenv("LXC_HOOK_SECTION", section, 1); + if (ret < 0) { + SYSERROR("Failed to set environment variable: " +- "LXC_HOOK_SECTION=%s", section); ++ "LXC_HOOK_SECTION=%s", section); + goto on_error; + } + TRACE("Set environment variable: LXC_HOOK_SECTION=%s", section); +@@ -429,7 +429,7 @@ int run_script_argv(const char *name, unsigned int hook_version, + ret = setenv("LXC_NET_TYPE", argv[0], 1); + if (ret < 0) { + SYSERROR("Failed to set environment variable: " +- "LXC_NET_TYPE=%s", argv[0]); ++ "LXC_NET_TYPE=%s", argv[0]); + goto on_error; + } + TRACE("Set environment variable: LXC_NET_TYPE=%s", argv[0]); +@@ -440,7 +440,7 @@ int run_script_argv(const char *name, unsigned int hook_version, + ret = setenv("LXC_NET_PARENT", parent, 1); + if (ret < 0) { + SYSERROR("Failed to set environment " +- "variable: LXC_NET_PARENT=%s", parent); ++ "variable: LXC_NET_PARENT=%s", parent); + goto on_error; + } + TRACE("Set environment variable: LXC_NET_PARENT=%s", parent); +@@ -448,7 +448,7 @@ int run_script_argv(const char *name, unsigned int hook_version, + ret = setenv("LXC_NET_PARENT", parent, 1); + if (ret < 0) { + SYSERROR("Failed to set environment " +- "variable: LXC_NET_PARENT=%s", parent); ++ "variable: LXC_NET_PARENT=%s", parent); + goto on_error; + } + TRACE("Set environment variable: LXC_NET_PARENT=%s", parent); +@@ -458,7 +458,7 @@ int run_script_argv(const char *name, unsigned int hook_version, + ret = setenv("LXC_NET_PEER", peer, 1); + if (ret < 0) { + SYSERROR("Failed to set environment " +- "variable: LXC_NET_PEER=%s", peer); ++ "variable: LXC_NET_PEER=%s", peer); + goto on_error; + } + TRACE("Set environment variable: LXC_NET_PEER=%s", peer); +@@ -466,7 +466,7 @@ int run_script_argv(const char *name, unsigned int hook_version, + ret = setenv("LXC_NET_PARENT", parent, 1); + if (ret < 0) { + SYSERROR("Failed to set environment " +- "variable: LXC_NET_PARENT=%s", parent); ++ "variable: LXC_NET_PARENT=%s", parent); + goto on_error; + } + TRACE("Set environment variable: LXC_NET_PARENT=%s", parent); +@@ -600,7 +600,7 @@ int pin_rootfs(const char *rootfs) + * honored. + */ + unsigned long add_required_remount_flags(const char *s, const char *d, +- unsigned long flags) ++ unsigned long flags) + { + #ifdef HAVE_STATVFS + int ret; +@@ -728,10 +728,10 @@ static int lxc_mount_auto_mounts(struct lxc_conf *conf, int flags, struct lxc_ha + } + + mflags = add_required_remount_flags(source, destination, +- default_mounts[i].flags); ++ default_mounts[i].flags); + r = safe_mount(source, destination, default_mounts[i].fstype, +- mflags, default_mounts[i].options, +- conf->rootfs.path ? conf->rootfs.mount : NULL); ++ mflags, default_mounts[i].options, ++ conf->rootfs.path ? conf->rootfs.mount : NULL); + saved_errno = errno; + if (r < 0 && errno == ENOENT) { + INFO("Mount source for \"%s\" on \"%s\" does " +@@ -781,9 +781,9 @@ static int lxc_mount_auto_mounts(struct lxc_conf *conf, int flags, struct lxc_ha + cg_flags |= LXC_AUTO_CGROUP_FORCE; + + if (!handler->cgroup_ops->mount(handler->cgroup_ops, +- handler, +- conf->rootfs.path ? conf->rootfs.mount : "", +- cg_flags)) { ++ handler, ++ conf->rootfs.path ? conf->rootfs.mount : "", ++ cg_flags)) { + SYSERROR("Failed to mount \"/sys/fs/cgroup\""); + return -1; + } +@@ -832,7 +832,7 @@ static int lxc_setup_dev_symlinks(const struct lxc_rootfs *rootfs) + const struct dev_symlinks *d = &dev_symlinks[i]; + + ret = snprintf(path, sizeof(path), "%s/dev/%s", +- rootfs->path ? rootfs->mount : "", d->name); ++ rootfs->path ? rootfs->mount : "", d->name); + if (ret < 0 || ret >= PATH_MAX) + return -1; + +@@ -901,7 +901,7 @@ static int lxc_setup_ttys(struct lxc_conf *conf) + if (ttydir) { + /* create dev/lxc/tty%d" */ + ret = snprintf(lxcpath, sizeof(lxcpath), +- "/dev/%s/tty%d", ttydir, i + 1); ++ "/dev/%s/tty%d", ttydir, i + 1); + if (ret < 0 || (size_t)ret >= sizeof(lxcpath)) + return -1; + +@@ -920,14 +920,14 @@ static int lxc_setup_ttys(struct lxc_conf *conf) + ret = mount(tty->name, lxcpath, "none", MS_BIND, 0); + if (ret < 0) { + SYSWARN("Failed to bind mount \"%s\" onto \"%s\"", +- tty->name, lxcpath); ++ tty->name, lxcpath); + continue; + } + DEBUG("Bind mounted \"%s\" onto \"%s\"", tty->name, + lxcpath); + + ret = snprintf(lxcpath, sizeof(lxcpath), "%s/tty%d", +- ttydir, i + 1); ++ ttydir, i + 1); + if (ret < 0 || (size_t)ret >= sizeof(lxcpath)) + return -1; + +@@ -1122,7 +1122,7 @@ on_error: + * error, log it but don't fail yet. + */ + static int mount_autodev(const char *name, const struct lxc_rootfs *rootfs, +- const char *lxcpath, char *systemd) ++ const char *lxcpath, const char *systemd) + { + int ret; + size_t clen; +@@ -1147,21 +1147,21 @@ static int mount_autodev(const char *name, const struct lxc_rootfs *rootfs, + goto reset_umask; + } + +- if (systemd != NULL && !strcmp(systemd, "true")) { +- ret = mount(path, path, "", MS_BIND, NULL); +- if (ret < 0) { +- SYSERROR("Failed to bind mount path \"%s\"", path); +- goto reset_umask; +- } +- } else { +- ret = safe_mount("none", path, "tmpfs", 0, "size=500000,mode=755", +- rootfs->path ? rootfs->mount : NULL); +- if (ret < 0) { +- SYSERROR("Failed to mount tmpfs on \"%s\"", path); +- goto reset_umask; +- } +- TRACE("Mounted tmpfs on \"%s\"", path); +- } ++ if (systemd != NULL && !strcmp(systemd, "true")) { ++ ret = mount(path, path, "", MS_BIND, NULL); ++ if (ret < 0) { ++ SYSERROR("Failed to bind mount path \"%s\"", path); ++ goto reset_umask; ++ } ++ } else { ++ ret = safe_mount("none", path, "tmpfs", 0, "size=500000,mode=755", ++ rootfs->path ? rootfs->mount : NULL); ++ if (ret < 0) { ++ SYSERROR("Failed to mount tmpfs on \"%s\"", path); ++ goto reset_umask; ++ } ++ TRACE("Mounted tmpfs on \"%s\"", path); ++ } + + ret = snprintf(path, clen, "%s/dev/pts", rootfs->path ? rootfs->mount : ""); + if (ret < 0 || (size_t)ret >= clen) { +@@ -1220,7 +1220,7 @@ static int lxc_fill_autodev(const struct lxc_rootfs *rootfs) + int use_mknod = LXC_DEVNODE_MKNOD; + + ret = snprintf(path, PATH_MAX, "%s/dev", +- rootfs->path ? rootfs->mount : ""); ++ rootfs->path ? rootfs->mount : ""); + if (ret < 0 || ret >= PATH_MAX) + return -1; + +@@ -1236,7 +1236,7 @@ static int lxc_fill_autodev(const struct lxc_rootfs *rootfs) + const struct lxc_device_node *device = &lxc_devices[i]; + + ret = snprintf(path, PATH_MAX, "%s/dev/%s", +- rootfs->path ? rootfs->mount : "", device->name); ++ rootfs->path ? rootfs->mount : "", device->name); + if (ret < 0 || ret >= PATH_MAX) + return -1; + +@@ -1294,10 +1294,10 @@ static int lxc_fill_autodev(const struct lxc_rootfs *rootfs) + return -1; + + ret = safe_mount(hostpath, path, 0, MS_BIND, NULL, +- rootfs->path ? rootfs->mount : NULL); ++ rootfs->path ? rootfs->mount : NULL); + if (ret < 0) { + SYSERROR("Failed to bind mount host device node \"%s\" " +- "onto \"%s\"", hostpath, path); ++ "onto \"%s\"", hostpath, path); + return -1; + } + DEBUG("Bind mounted host device node \"%s\" onto \"%s\"", +@@ -1350,7 +1350,9 @@ static int rootfs_parent_mount_private(char *rootfs) + } + + while (getline(&line, &len, f) != -1) { +- char *target, *opts, *tmptarget; ++ char *target = NULL; ++ char *opts = NULL; ++ char *tmptarget = NULL; + target = get_field(line, 4); + if (!target) + continue; +@@ -1401,10 +1403,10 @@ static int rootfs_parent_mount_private(char *rootfs) + static int lxc_mount_rootfs(struct lxc_conf *conf) + { + int ret; +- struct lxc_storage *bdev; ++ struct lxc_storage *bdev = NULL; + struct lxc_rootfs *rootfs = &conf->rootfs; + unsigned long flags, mntflags, pflags; +- char *mntdata; ++ char *mntdata = NULL; + + if (!rootfs->path) { + ret = mount("", "/", NULL, MS_SLAVE | MS_REC, 0); +@@ -1430,7 +1432,7 @@ static int lxc_mount_rootfs(struct lxc_conf *conf) + ret = access(rootfs->mount, F_OK); + if (ret != 0) { + SYSERROR("Failed to access to \"%s\". Check it is present", +- rootfs->mount); ++ rootfs->mount); + return -1; + } + +@@ -1540,7 +1542,7 @@ static bool remount_readwrite(const char *path) + if (ret < 0) + goto on_error; + ret = mount(path, path, "", MS_BIND | MS_REMOUNT | MS_REC | \ +- MS_NOEXEC | MS_NOSUID | MS_NODEV, ""); ++ MS_NOEXEC | MS_NOSUID | MS_NODEV, ""); + if (ret < 0) + goto on_error; + } else if (errno == EBUSY) { +@@ -1601,7 +1603,7 @@ static bool remount_readonly(const char *path) + if (ret < 0) + goto on_error; + ret = mount(path, path, "", MS_BIND | MS_REMOUNT | MS_RDONLY | MS_REC | \ +- MS_NOEXEC | MS_NOSUID | MS_NODEV, ""); ++ MS_NOEXEC | MS_NOSUID | MS_NODEV, ""); + if (ret < 0) + goto on_error; + } else if (errno == EBUSY) { +@@ -1626,8 +1628,8 @@ static int setup_rootfs_maskedpaths(struct lxc_list *maskedpaths) + struct lxc_list *it; + + lxc_list_for_each(it, maskedpaths) { +- if (!mask_path((char *)it->elem)) +- return -1; ++ if (!mask_path((char *)it->elem)) ++ return -1; + } + + return 0; +@@ -1638,8 +1640,8 @@ static int setup_rootfs_ropaths(struct lxc_list *ropaths) + struct lxc_list *it; + + lxc_list_for_each(it, ropaths) { +- if (!remount_readonly((char *)it->elem)) +- return -1; ++ if (!remount_readonly((char *)it->elem)) ++ return -1; + } + + return 0; +@@ -1873,8 +1875,8 @@ static int lxc_setup_rootfs_switch_root(const struct lxc_rootfs *rootfs) + } + + static const struct id_map *find_mapped_nsid_entry(struct lxc_conf *conf, +- unsigned id, +- enum idtype idtype) ++ unsigned id, ++ enum idtype idtype) + { + struct lxc_list *it; + struct id_map *map; +@@ -1918,7 +1920,7 @@ static int lxc_setup_devpts(struct lxc_conf *conf) + } + + ret = snprintf(devpts_mntopts, sizeof(devpts_mntopts), "%s,max=%zu", +- default_devpts_mntopts, conf->pty_max); ++ default_devpts_mntopts, conf->pty_max); + if (ret < 0 || (size_t)ret >= sizeof(devpts_mntopts)) + return -1; + +@@ -2031,7 +2033,7 @@ static int setup_personality(int persona) + } + + static int lxc_setup_dev_console(const struct lxc_rootfs *rootfs, +- const struct lxc_terminal *console) ++ const struct lxc_terminal *console) + { + int ret; + char path[PATH_MAX]; +@@ -2069,7 +2071,7 @@ static int lxc_setup_dev_console(const struct lxc_rootfs *rootfs, + ret = fchmod(console->slave, S_IXUSR | S_IXGRP); + if (ret < 0) { + SYSERROR("Failed to set mode \"0%o\" to \"%s\"", +- S_IXUSR | S_IXGRP, console->name); ++ S_IXUSR | S_IXGRP, console->name); + return -errno; + } + +@@ -2084,8 +2086,8 @@ static int lxc_setup_dev_console(const struct lxc_rootfs *rootfs, + } + + static int lxc_setup_ttydir_console(const struct lxc_rootfs *rootfs, +- const struct lxc_terminal *console, +- char *ttydir) ++ const struct lxc_terminal *console, ++ char *ttydir) + { + int ret; + char path[PATH_MAX], lxcpath[PATH_MAX]; +@@ -2104,7 +2106,7 @@ static int lxc_setup_ttydir_console(const struct lxc_rootfs *rootfs, + SYSERROR("Failed to create \"%s\"", path); + return -errno; + } +- DEBUG("Created directory for console and tty devices at \"%s\"", path); ++ DEBUG("Created directory for console and tty devices at \"%s\"", path); + + ret = snprintf(lxcpath, sizeof(lxcpath), "%s/dev/%s/console", rootfs_path, ttydir); + if (ret < 0 || (size_t)ret >= sizeof(lxcpath)) +@@ -2140,7 +2142,7 @@ static int lxc_setup_ttydir_console(const struct lxc_rootfs *rootfs, + ret = fchmod(console->slave, S_IXUSR | S_IXGRP); + if (ret < 0) { + SYSERROR("Failed to set mode \"0%o\" to \"%s\"", +- S_IXUSR | S_IXGRP, console->name); ++ S_IXUSR | S_IXGRP, console->name); + return -errno; + } + +@@ -2166,7 +2168,7 @@ static int lxc_setup_ttydir_console(const struct lxc_rootfs *rootfs, + } + + static int lxc_setup_console(const struct lxc_rootfs *rootfs, +- const struct lxc_terminal *console, char *ttydir) ++ const struct lxc_terminal *console, char *ttydir) + { + + if (!ttydir) +@@ -2236,7 +2238,7 @@ int parse_mntopts(const char *mntopts, unsigned long *mntflags, unsigned long *p + *data = 0; + + lxc_iterate_parts(p, s, ",") +- parse_mntopt(p, mntflags, pflags, &data, size); ++ parse_mntopt(p, mntflags, pflags, &data, size); + + if (*data) + *mntdata = data; +@@ -2248,9 +2250,9 @@ int parse_mntopts(const char *mntopts, unsigned long *mntflags, unsigned long *p + } + + static int mount_entry(const char *fsname, const char *target, +- const char *fstype, unsigned long mountflags, +- unsigned long pflags, const char *data, bool optional, +- bool dev, bool relative, const char *rootfs) ++ const char *fstype, unsigned long mountflags, ++ unsigned long pflags, const char *data, bool optional, ++ bool dev, bool relative, const char *rootfs) + { + int ret; + char srcbuf[PATH_MAX]; +@@ -2269,7 +2271,7 @@ static int mount_entry(const char *fsname, const char *target, + } + + ret = safe_mount(srcpath, target, fstype, mountflags & ~MS_REMOUNT, data, +- rootfs); ++ rootfs); + if (ret < 0) { + if (optional) { + SYSINFO("Failed to mount \"%s\" on \"%s\" (optional)", +@@ -2278,7 +2280,7 @@ static int mount_entry(const char *fsname, const char *target, + } + + SYSERROR("Failed to mount \"%s\" on \"%s\"", +- srcpath ? srcpath : "(null)", target); ++ srcpath ? srcpath : "(null)", target); + return -1; + } + +@@ -2315,7 +2317,7 @@ static int mount_entry(const char *fsname, const char *target, + */ + if (!(mountflags & MS_REMOUNT)) { + if (!(required_flags & ~mountflags) && +- rqd_flags == 0) { ++ rqd_flags == 0) { + DEBUG("Mountflags already were %lu, " + "skipping remount", mountflags); + goto skipremount; +@@ -2335,13 +2337,13 @@ static int mount_entry(const char *fsname, const char *target, + } + + SYSERROR("Failed to mount \"%s\" on \"%s\"", +- srcpath ? srcpath : "(null)", target); ++ srcpath ? srcpath : "(null)", target); + return -1; + } + } + + #ifdef HAVE_STATVFS +- skipremount: ++skipremount: + #endif + if (pflags) { + ret = mount(NULL, target, NULL, pflags, NULL); +@@ -2352,7 +2354,7 @@ static int mount_entry(const char *fsname, const char *target, + return 0; + } else { + SYSERROR("Failed to change mount propagation " +- "for \"%s\" (optional)", target); ++ "for \"%s\" (optional)", target); + return -1; + } + } +@@ -2416,10 +2418,12 @@ static int check_mount_destination(const char *rootfs, const char *dest) + "/proc/net/dev", + NULL + }; +- const char **valid, **invalid; ++ const char **valid = NULL; ++ const char **invalid = NULL; + + for(valid = valid_destinations; *valid != NULL; valid++) { +- char *fullpath, *relpath; ++ char *fullpath = NULL; ++ char *relpath = NULL; + const char *parts[3] = { + rootfs, + *valid, +@@ -2469,9 +2473,9 @@ static int check_mount_destination(const char *rootfs, const char *dest) + } + + static int mount_entry_create_dir_file(const struct mntent *mntent, +- const char *path, +- const struct lxc_rootfs *rootfs, +- const char *lxc_name, const char *lxc_path) ++ const char *path, ++ const struct lxc_rootfs *rootfs, ++ const char *lxc_name, const char *lxc_path) + { + int ret; + char *p1, *p2; +@@ -2487,7 +2491,7 @@ static int mount_entry_create_dir_file(const struct mntent *mntent, + if (ret < 0 && errno != EEXIST) { + SYSERROR("Failed to create directory \"%s\"", path); + lxc_write_error_message(rootfs->errfd, "%s:%d: mkdir %s: %s.", +- __FILE__, __LINE__, path, strerror(errno)); ++ __FILE__, __LINE__, path, strerror(errno)); + return -1; + } + } +@@ -2510,14 +2514,14 @@ static int mount_entry_create_dir_file(const struct mntent *mntent, + if (ret < 0 && errno != EEXIST) { + SYSERROR("Failed to create directory \"%s\"", path); + lxc_write_error_message(rootfs->errfd, "%s:%d: mkdir %s: %s.", +- __FILE__, __LINE__, p2, strerror(errno)); ++ __FILE__, __LINE__, p2, strerror(errno)); + return -1; + } + + ret = mknod(path, S_IFREG | 0000, 0); + if (ret < 0 && errno != EEXIST) { + lxc_write_error_message(rootfs->errfd, "%s:%d: open %s: %s.", +- __FILE__, __LINE__, path, strerror(errno)); ++ __FILE__, __LINE__, path, strerror(errno)); + return -errno; + } + +@@ -2525,7 +2529,7 @@ static int mount_entry_create_dir_file(const struct mntent *mntent, + } + + static int mount_entry_with_loop_dev(const char *src, const char *dest, const char *fstype, +- char *mnt_opts, const char *rootfs) ++ char *mnt_opts, const char *rootfs) + { + int srcfd = -1, destfd, ret, saved_errno; + char srcbuf[50], destbuf[50]; // only needs enough for /proc/self/fd/ +@@ -2603,10 +2607,10 @@ retry: + /* rootfs, lxc_name, and lxc_path can be NULL when the container is created + * without a rootfs. */ + static inline int mount_entry_on_generic(struct mntent *mntent, +- const char *path, +- const struct lxc_rootfs *rootfs, +- const char *lxc_name, +- const char *lxc_path) ++ const char *path, ++ const struct lxc_rootfs *rootfs, ++ const char *lxc_name, ++ const char *lxc_path) + { + int ret; + unsigned long mntflags, pflags; +@@ -2631,7 +2635,7 @@ static inline int mount_entry_on_generic(struct mntent *mntent, + if (!rpath) { + ERROR("Failed to get real path of '%s' in scope '%s'.", path, rootfs_path); + lxc_write_error_message(rootfs->errfd, "%s:%d: failed to get real path of '%s' in scope '%s'.", +- __FILE__, __LINE__, path, rootfs_path); ++ __FILE__, __LINE__, path, rootfs_path); + return -1; + } + dest = rpath; +@@ -2640,7 +2644,7 @@ static inline int mount_entry_on_generic(struct mntent *mntent, + if (ret) { + ERROR("Mount destination is invalid: '%s'", dest); + lxc_write_error_message(rootfs->errfd, "%s:%d: mount destination is invalid: '%s'.", +- __FILE__, __LINE__, dest); ++ __FILE__, __LINE__, dest); + free(rpath); + return -1; + } +@@ -2665,14 +2669,14 @@ static inline int mount_entry_on_generic(struct mntent *mntent, + // isulad: support squashfs + if (strcmp(mntent->mnt_type, "squashfs") == 0) { + ret = mount_entry_with_loop_dev(mntent->mnt_fsname, dest, mntent->mnt_type, +- mntent->mnt_opts, rootfs_path); ++ mntent->mnt_opts, rootfs_path); + } else { + ret = mount_entry(mntent->mnt_fsname, dest, mntent->mnt_type, mntflags, +- pflags, mntdata, optional, dev, relative, rootfs_path); ++ pflags, mntdata, optional, dev, relative, rootfs_path); + } + if (ret < 0) { + lxc_write_error_message(rootfs->errfd, "%s:%d: failed to mount %s as type %s.", +- __FILE__, __LINE__, mntent->mnt_fsname, mntent->mnt_type); ++ __FILE__, __LINE__, mntent->mnt_fsname, mntent->mnt_type); + } + + free(mntdata); +@@ -2699,9 +2703,9 @@ static inline int mount_entry_on_systemfs(struct mntent *mntent) + } + + static int mount_entry_on_absolute_rootfs(struct mntent *mntent, +- const struct lxc_rootfs *rootfs, +- const char *lxc_name, +- const char *lxc_path) ++ const struct lxc_rootfs *rootfs, ++ const char *lxc_name, ++ const char *lxc_path) + { + int offset; + char *aux; +@@ -2743,9 +2747,9 @@ skipabs: + } + + static int mount_entry_on_relative_rootfs(struct mntent *mntent, +- const struct lxc_rootfs *rootfs, +- const char *lxc_name, +- const char *lxc_path) ++ const struct lxc_rootfs *rootfs, ++ const char *lxc_name, ++ const char *lxc_path) + { + int ret; + char path[PATH_MAX]; +@@ -2759,8 +2763,8 @@ static int mount_entry_on_relative_rootfs(struct mntent *mntent, + } + + static int mount_file_entries(const struct lxc_conf *conf, +- const struct lxc_rootfs *rootfs, FILE *file, +- const char *lxc_name, const char *lxc_path) ++ const struct lxc_rootfs *rootfs, FILE *file, ++ const char *lxc_name, const char *lxc_path) + { + char buf[4096]; + struct mntent mntent; +@@ -2790,10 +2794,10 @@ static int mount_file_entries(const struct lxc_conf *conf, + ret = mount_entry_on_systemfs(&mntent); + else if (mntent.mnt_dir[0] != '/') + ret = mount_entry_on_relative_rootfs(&mntent, rootfs, +- lxc_name, lxc_path); ++ lxc_name, lxc_path); + else + ret = mount_entry_on_absolute_rootfs(&mntent, rootfs, +- lxc_name, lxc_path); ++ lxc_name, lxc_path); + free(mntent.mnt_fsname); + free(mntent.mnt_dir); + if (ret < 0) +@@ -2806,8 +2810,8 @@ static int mount_file_entries(const struct lxc_conf *conf, + } + + static int setup_mount(const struct lxc_conf *conf, +- const struct lxc_rootfs *rootfs, const char *fstab, +- const char *lxc_name, const char *lxc_path) ++ const struct lxc_rootfs *rootfs, const char *fstab, ++ const char *lxc_name, const char *lxc_path) + { + FILE *f; + int ret; +@@ -2880,9 +2884,9 @@ on_error: + } + + static int setup_mount_entries(const struct lxc_conf *conf, +- const struct lxc_rootfs *rootfs, +- struct lxc_list *mount, const char *lxc_name, +- const char *lxc_path) ++ const struct lxc_rootfs *rootfs, ++ struct lxc_list *mount, const char *lxc_name, ++ const char *lxc_path) + { + int ret; + FILE *f; +@@ -2966,7 +2970,7 @@ static int setup_caps(struct lxc_list *caps) + } + + ret = prctl(PR_CAPBSET_DROP, prctl_arg(capid), prctl_arg(0), +- prctl_arg(0), prctl_arg(0)); ++ prctl_arg(0), prctl_arg(0)); + if (ret < 0) { + SYSERROR("Failed to remove %s capability", drop_entry); + return -1; +@@ -3025,7 +3029,7 @@ static int dropcaps_except(struct lxc_list *caps) + continue; + + ret = prctl(PR_CAPBSET_DROP, prctl_arg(i), prctl_arg(0), +- prctl_arg(0), prctl_arg(0)); ++ prctl_arg(0), prctl_arg(0)); + if (ret < 0) { + SYSERROR("Failed to remove capability %d", i); + return -1; +@@ -3076,8 +3080,8 @@ int setup_resource_limits(struct lxc_list *limits, pid_t pid, int errfd) + if (prlimit(pid, resid, &lim->limit, NULL) != 0) { + SYSERROR("Failed to set limit %s %lu %lu.", lim->resource, lim->limit.rlim_cur, lim->limit.rlim_max); + lxc_write_error_message(errfd, "%s:%d: Failed to set limit %s %lu %lu: %s.", +- __FILE__, __LINE__, lim->resource, +- lim->limit.rlim_cur, lim->limit.rlim_max, strerror(errno)); ++ __FILE__, __LINE__, lim->resource, ++ lim->limit.rlim_cur, lim->limit.rlim_max, strerror(errno)); + return -1; + } + +@@ -3115,10 +3119,10 @@ int setup_sysctl_parameters(struct lxc_list *sysctls) + } + + ret = lxc_write_to_file(filename, elem->value, +- strlen(elem->value), false, 0666); ++ strlen(elem->value), false, 0666); + if (ret < 0) { + SYSERROR("Failed to setup sysctl parameters %s to %s", +- elem->key, elem->value); ++ elem->key, elem->value); + return -1; + } + } +@@ -3150,7 +3154,7 @@ int setup_proc_filesystem(struct lxc_list *procs, pid_t pid) + } + + ret = lxc_write_to_file(filename, elem->value, +- strlen(elem->value), false, 0666); ++ strlen(elem->value), false, 0666); + if (ret < 0) { + ERROR("Failed to setup proc filesystem %s to %s", + elem->filename, elem->value); +@@ -3255,7 +3259,7 @@ struct lxc_conf *lxc_conf_init(void) + } + + int write_id_mapping(enum idtype idtype, pid_t pid, const char *buf, +- size_t buf_size) ++ size_t buf_size) + { + int fd, ret; + char path[PATH_MAX]; +@@ -3280,7 +3284,7 @@ int write_id_mapping(enum idtype idtype, pid_t pid, const char *buf, + close(fd); + if (ret != buflen) { + SYSERROR("Failed to write \"deny\" to " +- "\"/proc/%d/setgroups\"", pid); ++ "\"/proc/%d/setgroups\"", pid); + return -1; + } + TRACE("Wrote \"deny\" to \"/proc/%d/setgroups\"", pid); +@@ -3288,7 +3292,7 @@ int write_id_mapping(enum idtype idtype, pid_t pid, const char *buf, + } + + ret = snprintf(path, PATH_MAX, "/proc/%d/%cid_map", pid, +- idtype == ID_TYPE_UID ? 'u' : 'g'); ++ idtype == ID_TYPE_UID ? 'u' : 'g'); + if (ret < 0 || ret >= PATH_MAX) + return -E2BIG; + +@@ -3303,7 +3307,7 @@ int write_id_mapping(enum idtype idtype, pid_t pid, const char *buf, + close(fd); + if (ret != buf_size) { + SYSERROR("Failed to write %cid mapping to \"%s\"", +- idtype == ID_TYPE_UID ? 'u' : 'g', path); ++ idtype == ID_TYPE_UID ? 'u' : 'g', path); + return -1; + } + +@@ -3347,8 +3351,8 @@ static int idmaptool_on_path_and_privileged(const char *binary, cap_value_t cap) + #if HAVE_LIBCAP && LIBCAP_SUPPORTS_FILE_CAPABILITIES + /* Check if it has the CAP_SETUID capability. */ + if ((cap & CAP_SETUID) && +- lxc_file_cap_is_set(path, CAP_SETUID, CAP_EFFECTIVE) && +- lxc_file_cap_is_set(path, CAP_SETUID, CAP_PERMITTED)) { ++ lxc_file_cap_is_set(path, CAP_SETUID, CAP_EFFECTIVE) && ++ lxc_file_cap_is_set(path, CAP_SETUID, CAP_PERMITTED)) { + DEBUG("The binary \"%s\" has CAP_SETUID in its CAP_EFFECTIVE " + "and CAP_PERMITTED sets", path); + fret = 1; +@@ -3357,8 +3361,8 @@ static int idmaptool_on_path_and_privileged(const char *binary, cap_value_t cap) + + /* Check if it has the CAP_SETGID capability. */ + if ((cap & CAP_SETGID) && +- lxc_file_cap_is_set(path, CAP_SETGID, CAP_EFFECTIVE) && +- lxc_file_cap_is_set(path, CAP_SETGID, CAP_PERMITTED)) { ++ lxc_file_cap_is_set(path, CAP_SETGID, CAP_EFFECTIVE) && ++ lxc_file_cap_is_set(path, CAP_SETGID, CAP_PERMITTED)) { + DEBUG("The binary \"%s\" has CAP_SETGID in its CAP_EFFECTIVE " + "and CAP_PERMITTED sets", path); + fret = 1; +@@ -3451,10 +3455,10 @@ int lxc_map_ids(struct lxc_list *idmap, pid_t pid) + lxc_list_for_each(iterator, idmap) { + map = iterator->elem; + if (map->idtype == ID_TYPE_UID && map->range == 1 && +- map->nsid == hostuid && map->hostid == hostuid) ++ map->nsid == hostuid && map->hostid == hostuid) + continue; + if (map->idtype == ID_TYPE_GID && map->range == 1 && +- map->nsid == hostgid && map->hostid == hostgid) ++ map->nsid == hostgid && map->hostid == hostgid) + continue; + use_shadow = true; + break; +@@ -3462,7 +3466,7 @@ int lxc_map_ids(struct lxc_list *idmap, pid_t pid) + } + + for (type = ID_TYPE_UID, u_or_g = 'u'; type <= ID_TYPE_GID; +- type++, u_or_g = 'g') { ++ type++, u_or_g = 'g') { + pos = mapbuf; + + if (use_shadow) +@@ -3477,9 +3481,9 @@ int lxc_map_ids(struct lxc_list *idmap, pid_t pid) + + left = LXC_IDMAPLEN - (pos - mapbuf); + fill = snprintf(pos, left, "%s%lu %lu %lu%s", +- use_shadow ? " " : "", map->nsid, +- map->hostid, map->range, +- use_shadow ? "" : "\n"); ++ use_shadow ? " " : "", map->nsid, ++ map->hostid, map->range, ++ use_shadow ? "" : "\n"); + if (fill <= 0 || fill >= left) { + /* The kernel only takes <= 4k for writes to + * /proc//{g,u}id_map +@@ -3498,8 +3502,8 @@ int lxc_map_ids(struct lxc_list *idmap, pid_t pid) + */ + if (use_shadow) { + ret = run_command(cmd_output, sizeof(cmd_output), +- lxc_map_ids_exec_wrapper, +- (void *)mapbuf); ++ lxc_map_ids_exec_wrapper, ++ (void *)mapbuf); + if (ret < 0) { + ERROR("new%cidmap failed to write mapping \"%s\": %s", + u_or_g, cmd_output, mapbuf); +@@ -3525,7 +3529,7 @@ int lxc_map_ids(struct lxc_list *idmap, pid_t pid) + * Return true if id was found, false otherwise. + */ + bool get_mapped_rootid(struct lxc_conf *conf, enum idtype idtype, +- unsigned long *val) ++ unsigned long *val) + { + unsigned nsid; + struct id_map *map; +@@ -3609,20 +3613,22 @@ int chown_mapped_root(const char *path, struct lxc_conf *conf) + char map1[100], map2[100], map3[100], map4[100], map5[100]; + char ugid[100]; + const char *args1[] = {"lxc-usernsexec", +- "-m", map1, +- "-m", map2, +- "-m", map3, +- "-m", map5, +- "--", "chown", ugid, path, +- NULL}; ++ "-m", map1, ++ "-m", map2, ++ "-m", map3, ++ "-m", map5, ++ "--", "chown", ugid, path, ++ NULL ++ }; + const char *args2[] = {"lxc-usernsexec", +- "-m", map1, +- "-m", map2, +- "-m", map3, +- "-m", map4, +- "-m", map5, +- "--", "chown", ugid, path, +- NULL}; ++ "-m", map1, ++ "-m", map2, ++ "-m", map3, ++ "-m", map4, ++ "-m", map5, ++ "--", "chown", ugid, path, ++ NULL ++ }; + char cmd_output[PATH_MAX]; + + hostuid = geteuid(); +@@ -3671,8 +3677,8 @@ int chown_mapped_root(const char *path, struct lxc_conf *conf) + */ + DEBUG("trying to chown \"%s\" to %d", path, hostgid); + if (sb.st_uid == hostuid && +- mapped_hostid(sb.st_gid, conf, ID_TYPE_GID) < 0 && +- chown(path, -1, hostgid) < 0) { ++ mapped_hostid(sb.st_gid, conf, ID_TYPE_GID) < 0 && ++ chown(path, -1, hostgid) < 0) { + ERROR("Failed chgrping %s", path); + return -1; + } +@@ -3700,7 +3706,7 @@ int chown_mapped_root(const char *path, struct lxc_conf *conf) + + /* "g:pathgid:rootgid+pathgid:1" */ + ret = snprintf(map4, 100, "g:%d:%d:1", (gid_t)sb.st_gid, +- rootgid + (gid_t)sb.st_gid); ++ rootgid + (gid_t)sb.st_gid); + if (ret < 0 || ret >= 100) { + ERROR("Error gid printing map string"); + return -1; +@@ -3722,12 +3728,12 @@ int chown_mapped_root(const char *path, struct lxc_conf *conf) + + if (hostgid == sb.st_gid) + ret = run_command(cmd_output, sizeof(cmd_output), +- chown_mapped_root_exec_wrapper, +- (void *)args1); ++ chown_mapped_root_exec_wrapper, ++ (void *)args1); + else + ret = run_command(cmd_output, sizeof(cmd_output), +- chown_mapped_root_exec_wrapper, +- (void *)args2); ++ chown_mapped_root_exec_wrapper, ++ (void *)args2); + if (ret < 0) + ERROR("lxc-usernsexec failed: %s", cmd_output); + +@@ -3820,7 +3826,7 @@ again: + f = fdopen(memfd, "r"); + if (!f) { + SYSERROR("Failed to open copy of \"/proc/self/mountinfo\" to mark " +- "all shared. Continuing"); ++ "all shared. Continuing"); + close(memfd); + return; + } +@@ -3918,7 +3924,7 @@ out: + * pre-mount hooks, and mounting the rootfs. + */ + int lxc_setup_rootfs_prepare_root(struct lxc_conf *conf, const char *name, +- const char *lxcpath) ++ const char *lxcpath) + { + int ret; + +@@ -3967,15 +3973,15 @@ static bool verify_start_hooks(struct lxc_conf *conf) + char *hookname = it->elem; + + ret = snprintf(path, PATH_MAX, "%s%s", +- conf->rootfs.path ? conf->rootfs.mount : "", +- hookname); ++ conf->rootfs.path ? conf->rootfs.mount : "", ++ hookname); + if (ret < 0 || ret >= PATH_MAX) + return false; + + ret = access(path, X_OK); + if (ret < 0) { + SYSERROR("Start hook \"%s\" not found in container", +- hookname); ++ hookname); + return false; + } + +@@ -3997,13 +4003,13 @@ static bool execveat_supported(void) + /* isulad: setup devices which will be populated in the container.*/ + static int setup_populate_devs(const struct lxc_rootfs *rootfs, struct lxc_list *devs) + { +- int ret; +- char *pathdirname; ++ int ret = 0; ++ char *pathdirname = NULL; + char path[MAXPATHLEN]; + mode_t cmask; + mode_t file_mode = 0; +- struct lxc_populate_devs *dev_elem; +- struct lxc_list *it; ++ struct lxc_populate_devs *dev_elem = NULL; ++ struct lxc_list *it = NULL; + + INFO("Populating devices into container"); + cmask = umask(S_IXUSR | S_IXGRP | S_IXOTH); +@@ -4034,12 +4040,12 @@ static int setup_populate_devs(const struct lxc_rootfs *rootfs, struct lxc_list + } + + DEBUG("Try to mknod '%s':'%d':'%d':'%d'\n", path, +- file_mode, dev_elem->maj, dev_elem->min); ++ file_mode, dev_elem->maj, dev_elem->min); + + ret = mknod(path, file_mode, makedev(dev_elem->maj, dev_elem->min)); + if (ret && errno != EEXIST) { + SYSERROR("Failed to mknod '%s':'%d':'%d':'%d'", dev_elem->name, +- file_mode, dev_elem->maj, dev_elem->min); ++ file_mode, dev_elem->maj, dev_elem->min); + + char hostpath[MAXPATHLEN]; + FILE *pathfile; +@@ -4049,16 +4055,16 @@ static int setup_populate_devs(const struct lxc_rootfs *rootfs, struct lxc_list + ret = snprintf(hostpath, MAXPATHLEN, "/dev/%s", dev_elem->name); + if (ret < 0 || ret >= MAXPATHLEN) + return -1; +- pathfile = fopen(path, "wb"); ++ pathfile = lxc_fopen(path, "wb"); + if (!pathfile) { + SYSERROR("Failed to create device mount target '%s'", path); + return -1; + } + fclose(pathfile); + if (safe_mount(hostpath, path, 0, MS_BIND, NULL, +- rootfs->path ? rootfs->mount : NULL) != 0) { ++ rootfs->path ? rootfs->mount : NULL) != 0) { + SYSERROR("Failed bind mounting device %s from host into container", +- dev_elem->name); ++ dev_elem->name); + return -1; + } + } +@@ -4077,7 +4083,7 @@ static int setup_populate_devs(const struct lxc_rootfs *rootfs, struct lxc_list + static int setup_rootfs_mountopts(const struct lxc_rootfs *rootfs) + { + unsigned long mflags, mntflags, pflags; +- char *mntdata; ++ char *mntdata = NULL; + + if(!rootfs || !rootfs->options) + return 0; +@@ -4109,7 +4115,7 @@ int lxc_setup(struct lxc_handler *handler) + if (ret < 0) { + ERROR("Failed to setup rootfs"); + lxc_write_error_message(lxc_conf->errpipe[1], "%s:%d: failed to setup rootfs %s.", +- __FILE__, __LINE__, lxc_conf->rootfs.path); ++ __FILE__, __LINE__, lxc_conf->rootfs.path); + return -1; + } + +@@ -4202,7 +4208,7 @@ int lxc_setup(struct lxc_handler *handler) + /*isulad: move mount entries here, before we do lxc_fill_autodev and populate devices */ + if (!lxc_list_empty(&lxc_conf->mount_list)) { + ret = setup_mount_entries(lxc_conf, &lxc_conf->rootfs, +- &lxc_conf->mount_list, name, lxcpath); ++ &lxc_conf->mount_list, name, lxcpath); + if (ret < 0) { + ERROR("Failed to setup mount entries"); + goto on_error; +@@ -4244,7 +4250,7 @@ int lxc_setup(struct lxc_handler *handler) + } + + ret = lxc_setup_console(&lxc_conf->rootfs, &lxc_conf->console, +- lxc_conf->ttys.dir); ++ lxc_conf->ttys.dir); + if (ret < 0) { + ERROR("Failed to setup console"); + goto on_error; +@@ -4369,11 +4375,13 @@ int lxc_drop_caps(struct lxc_conf *conf) + { + #define __DEF_CAP_TO_MASK(x) (1U << ((x) & 31)) + #if HAVE_LIBCAP +- struct lxc_list *iterator; +- char *keep_entry; ++ int ret = 0; ++ struct lxc_list *iterator = NULL; ++ char *keep_entry = NULL; + int i, capid; + int numcaps = lxc_caps_last_cap() + 1; + struct lxc_list *caps = NULL; ++ int *caplist = NULL; + + if (lxc_list_empty(&conf->keepcaps)) + return 0; +@@ -4384,7 +4392,7 @@ int lxc_drop_caps(struct lxc_conf *conf) + return -1; + + // caplist[i] is 1 if we keep capability i +- int *caplist = alloca(numcaps * sizeof(int)); ++ caplist = malloc(numcaps * sizeof(int)); + memset(caplist, 0, numcaps * sizeof(int)); + + lxc_list_for_each(iterator, caps) { +@@ -4404,9 +4412,10 @@ int lxc_drop_caps(struct lxc_conf *conf) + if (capid == -2) + continue; + +- if (capid < 0) { ++ if (capid < 0) { + ERROR("unknown capability %s", keep_entry); +- return -1; ++ ret = -1; ++ goto out; + } + + DEBUG("keep capability '%s' (%d)", keep_entry, capid); +@@ -4420,7 +4429,7 @@ int lxc_drop_caps(struct lxc_conf *conf) + cap_user_header_t cap_header = &cap_header_data; + cap_user_data_t cap_data = &cap_data_data[0]; + +- memset(cap_header, 0 ,sizeof(struct __user_cap_header_struct)); ++ memset(cap_header, 0,sizeof(struct __user_cap_header_struct)); + memset(cap_data, 0, sizeof(struct __user_cap_data_struct) * 2); + + cap_header->pid = 0; +@@ -4435,12 +4444,16 @@ int lxc_drop_caps(struct lxc_conf *conf) + } + + if (capset(cap_header, cap_data)) { +- SYSERROR("Failed to set capabilitys"); +- return -1; ++ SYSERROR("Failed to set capabilitys"); ++ ret = -1; ++ goto out; + } + + #endif +- return 0; ++ ++out: ++ free(caplist); ++ return ret; + } + + struct oci_hook_conf { +@@ -4474,9 +4487,17 @@ static char* generate_json_str(const char *name, const char *lxcpath, const char + ERROR("Get container %s pid failed: %s", name, strerror(errno)); + cpid = "-1"; + } ++ ++ if ((SIZE_MAX - strlen(name) - strlen(cpid) - strlen(rootfs) - strlen(lxcpath) - strlen(name)) < ++ (strlen("{\"ociVersion\":\"\",\"id\":\"\",\"pid\":,\"root\":\"\",\"bundle\":\"\"}") + 1 + 1)) { ++ ERROR("Out of memory"); ++ ret = -1; ++ goto out_free; ++ } ++ + // {"ociVersion":"","id":"xxx","pid":777,"root":"xxx","bundle":"xxx"} + size = strlen("{\"ociVersion\":\"\",\"id\":\"\",\"pid\":,\"root\":\"\",\"bundle\":\"\"}") + +- strlen(name) + strlen(cpid) + strlen(rootfs) + strlen(lxcpath) + 1 + strlen(name) + 1; ++ strlen(name) + strlen(cpid) + strlen(rootfs) + strlen(lxcpath) + 1 + strlen(name) + 1; + inmsg = malloc(size); + if (!inmsg) { + ERROR("Out of memory"); +@@ -4484,8 +4505,8 @@ static char* generate_json_str(const char *name, const char *lxcpath, const char + goto out_free; + } + rc = snprintf(inmsg, size, +- "{\"ociVersion\":\"\",\"id\":\"%s\",\"pid\":%s,\"root\":\"%s\",\"bundle\":\"%s/%s\"}", +- name, cpid, rootfs, lxcpath, name); ++ "{\"ociVersion\":\"\",\"id\":\"%s\",\"pid\":%s,\"root\":\"%s\",\"bundle\":\"%s/%s\"}", ++ name, cpid, rootfs, lxcpath, name); + if (rc < 0 || rc >= size) { + ERROR("Create json string failed"); + ret = -1; +@@ -4501,13 +4522,14 @@ out_free: + + static char **merge_ocihook_env(char **oldenvs, size_t env_len, size_t *merge_env_len) + { +- char **result; ++ char **result = NULL; + size_t result_len = env_len; + size_t i, j; +- char *tmpenv; ++ char *tmpenv = NULL; + char *lxc_envs[] = {"LD_LIBRARY_PATH", "PATH", "LXC_CGNS_AWARE", "LXC_PID", "LXC_ROOTFS_MOUNT", +- "LXC_CONFIG_FILE", "LXC_CGROUP_PATH", "LXC_ROOTFS_PATH", "LXC_NAME"}; +- char *lxcenv_buf; ++ "LXC_CONFIG_FILE", "LXC_CGROUP_PATH", "LXC_ROOTFS_PATH", "LXC_NAME" ++ }; ++ char *lxcenv_buf = NULL; + + result_len += (sizeof(lxc_envs) / sizeof(char *)) + 1; + result = malloc(sizeof(char *) * result_len); +@@ -4541,8 +4563,8 @@ static char **merge_ocihook_env(char **oldenvs, size_t env_len, size_t *merge_en + return result; + } + +-static struct lxc_popen_FILE *lxc_popen_ocihook(char *commandpath, char **args, int args_len, +- char **envs, int env_len, const char *instr) ++static struct lxc_popen_FILE *lxc_popen_ocihook(const char *commandpath, char **args, int args_len, ++ char **envs, int env_len, const char *instr) + { + int ret; + struct lxc_popen_FILE *fp = NULL; +@@ -4684,12 +4706,12 @@ void* wait_ocihook_timeout(void *arg) + + if (alive) { + ERROR("%s:%d: running %s hook caused \"hook ran past specified timeout of %.1fs\"", +- __FILE__, __LINE__, lxchook_names[conf->which], +- (double)conf->timeout); ++ __FILE__, __LINE__, lxchook_names[conf->which], ++ (double)conf->timeout); + + lxc_write_error_message(conf->errfd, "%s:%d: running %s hook caused \"hook ran past specified timeout of %.1fs\".", +- __FILE__, __LINE__, lxchook_names[conf->which], +- (double)conf->timeout); ++ __FILE__, __LINE__, lxchook_names[conf->which], ++ (double)conf->timeout); + + if (kill(conf->pid, SIGKILL) && errno != ESRCH) { + ERROR("Send kill signal failed"); +@@ -4702,7 +4724,7 @@ out: + return ((void *)0); + } + +-static int run_ocihook_buffer(struct oci_hook_conf *oconf, char *inmsg) ++static int run_ocihook_buffer(struct oci_hook_conf *oconf, const char *inmsg) + { + struct lxc_popen_FILE *f; + char output[LXC_LOG_BUFFER_SIZE] = {0}; +@@ -4771,17 +4793,17 @@ static int run_ocihook_buffer(struct oci_hook_conf *oconf, char *inmsg) + } else if (WIFEXITED(ret) && WEXITSTATUS(ret) != 0) { + ERROR("Script exited with status %d. output: %s", WEXITSTATUS(ret), output); + lxc_write_error_message(conf->errfd, "%s:%d: running %s hook caused \"error running hook: exit status %d, output: %s\".", +- __FILE__, __LINE__, +- (conf->which >= NUM_LXC_HOOKS) ? "invalid type" : lxchook_names[conf->which], +- WEXITSTATUS(ret), output); ++ __FILE__, __LINE__, ++ (conf->which >= NUM_LXC_HOOKS) ? "invalid type" : lxchook_names[conf->which], ++ WEXITSTATUS(ret), output); + + goto print_hook; + } else if (WIFSIGNALED(ret)) { + ERROR("Script terminated by signal %d.", WTERMSIG(ret)); + lxc_write_error_message(conf->errfd, "%s:%d: running %s hook caused \"error running hook: Script terminated by signal %d\".", +- __FILE__, __LINE__, +- (conf->which >= NUM_LXC_HOOKS) ? "invalid type" : lxchook_names[conf->which], +- WTERMSIG(ret)); ++ __FILE__, __LINE__, ++ (conf->which >= NUM_LXC_HOOKS) ? "invalid type" : lxchook_names[conf->which], ++ WTERMSIG(ret)); + + goto print_hook; + } +@@ -4801,8 +4823,8 @@ print_hook: + if (oconf->ocihook->env) + err_envs_msg = lxc_string_join(" ", (const char **)oconf->ocihook->env, false); + ERROR("Hook script command: \"%s\", args: \"%s\", envs: \"%s\", timeout: %d.", +- buffer, err_args_msg ? err_args_msg : "", +- err_envs_msg ? err_envs_msg : "", conf->timeout); ++ buffer, err_args_msg ? err_args_msg : "", ++ err_envs_msg ? err_envs_msg : "", conf->timeout); + + free(err_args_msg); + free(err_envs_msg); +@@ -4810,8 +4832,8 @@ print_hook: + } + + static int run_ocihook_script_argv(const char *name, const char *section, +- struct oci_hook_conf *oconf, +- const char *lxcpath, const char *rootfs) ++ struct oci_hook_conf *oconf, ++ const char *lxcpath, const char *rootfs) + { + int ret; + const char *script = oconf->ocihook->path; +@@ -4845,9 +4867,13 @@ static char *get_root_path(const char *path, const char *backend) + } + + if (strcmp(backend, "aufs") == 0 || +- strcmp(backend, "overlayfs") == 0 || +- strcmp(backend, "loop") == 0) { ++ strcmp(backend, "overlayfs") == 0 || ++ strcmp(backend, "loop") == 0) { + tmp = strrchr(path, ':'); ++ if (tmp == NULL) { ++ ERROR("Out of memory"); ++ return NULL; ++ } + tmp++; + ret = strdup(tmp); + if (!ret) { +@@ -4866,13 +4892,13 @@ default_out: + return ret; + } + +-static int run_oci_hooks(const char *name, const char *lxcpath, struct lxc_conf *lc, int which, int errfd) ++static int do_run_oci_hooks(const char *name, const char *lxcpath, struct lxc_conf *lc, int which, int errfd) + { + struct oci_hook_conf work_conf = {0}; + size_t i; + int ret = 0; + int nret = 0; +- char *rootpath; ++ char *rootpath = NULL; + + if (!lc) { + return -1; +@@ -4890,32 +4916,32 @@ static int run_oci_hooks(const char *name, const char *lxcpath, struct lxc_conf + work_conf.errfd = errfd; + work_conf.which = which; + switch (which) { +- case OCI_HOOK_PRESTART: +- for (i = 0; i < lc->ocihooks->prestart_len; i++) { +- work_conf.ocihook = lc->ocihooks->prestart[i]; +- ret = run_ocihook_script_argv(name, "lxc", &work_conf, lxcpath, rootpath); +- if (ret != 0) +- break; +- } +- break; +- case OCI_HOOK_POSTSTART: +- for (i = 0; i < lc->ocihooks->poststart_len; i++) { +- work_conf.ocihook = lc->ocihooks->poststart[i]; +- nret = run_ocihook_script_argv(name, "lxc", &work_conf, lxcpath, rootpath); +- if (nret != 0) +- WARN("running poststart hook %ld failed, ContainerId: %s", i, name); +- } +- break; +- case OCI_HOOK_POSTSTOP: +- for (i = 0; i < lc->ocihooks->poststop_len; i++) { +- work_conf.ocihook = lc->ocihooks->poststop[i]; +- ret = run_ocihook_script_argv(name, "lxc", &work_conf, lxcpath, rootpath); +- if (ret != 0) +- break; +- } +- break; +- default: +- ret = -1; ++ case OCI_HOOK_PRESTART: ++ for (i = 0; i < lc->ocihooks->prestart_len; i++) { ++ work_conf.ocihook = lc->ocihooks->prestart[i]; ++ ret = run_ocihook_script_argv(name, "lxc", &work_conf, lxcpath, rootpath); ++ if (ret != 0) ++ break; ++ } ++ break; ++ case OCI_HOOK_POSTSTART: ++ for (i = 0; i < lc->ocihooks->poststart_len; i++) { ++ work_conf.ocihook = lc->ocihooks->poststart[i]; ++ nret = run_ocihook_script_argv(name, "lxc", &work_conf, lxcpath, rootpath); ++ if (nret != 0) ++ WARN("running poststart hook %ld failed, ContainerId: %s", i, name); ++ } ++ break; ++ case OCI_HOOK_POSTSTOP: ++ for (i = 0; i < lc->ocihooks->poststop_len; i++) { ++ work_conf.ocihook = lc->ocihooks->poststop[i]; ++ ret = run_ocihook_script_argv(name, "lxc", &work_conf, lxcpath, rootpath); ++ if (ret != 0) ++ break; ++ } ++ break; ++ default: ++ ret = -1; + } + if (rootpath) + free(rootpath); +@@ -4923,33 +4949,12 @@ static int run_oci_hooks(const char *name, const char *lxcpath, struct lxc_conf + } + + int run_lxc_hooks(const char *name, char *hookname, struct lxc_conf *conf, +- char *argv[]) ++ char *argv[]) + { + struct lxc_list *it; + int which = -1; + +- if (strcmp(hookname, "oci-prestart") == 0) { +- which = OCI_HOOK_PRESTART; +- if (!argv || !argv[0]) { +- ERROR("oci hook require lxcpath"); +- return -1; +- } +- return run_oci_hooks(name, argv[0], conf, which, conf->errpipe[1]); +- } else if (strcmp(hookname, "oci-poststart") == 0) { +- which = OCI_HOOK_POSTSTART; +- if (!argv || !argv[0]) { +- ERROR("oci hook require lxcpath"); +- return -1; +- } +- return run_oci_hooks(name, argv[0], conf, which, conf->errpipe[1]); +- } else if (strcmp(hookname, "oci-poststop") == 0) { +- which = OCI_HOOK_POSTSTOP; +- if (!argv || !argv[0]) { +- ERROR("oci hook require lxcpath"); +- return -1; +- } +- return run_oci_hooks(name, argv[0], conf, which, conf->errpipe[1]); +- } else if (strcmp(hookname, "pre-start") == 0) ++ if (strcmp(hookname, "pre-start") == 0) + which = LXCHOOK_PRESTART; + else if (strcmp(hookname, "start-host") == 0) + which = LXCHOOK_START_HOST; +@@ -4977,7 +4982,7 @@ int run_lxc_hooks(const char *name, char *hookname, struct lxc_conf *conf, + char *hook = it->elem; + + ret = run_script_argv(name, conf->hooks_version, "lxc", hook, +- hookname, argv); ++ hookname, argv); + if (ret < 0) + return -1; + } +@@ -4985,6 +4990,39 @@ int run_lxc_hooks(const char *name, char *hookname, struct lxc_conf *conf, + return 0; + } + ++int run_oci_hooks(const char *name, char *hookname, struct lxc_conf *conf, const char *lxcpath) ++{ ++ struct lxc_list *it; ++ int which = -1; ++ ++ if (strcmp(hookname, "oci-prestart") == 0) { ++ which = OCI_HOOK_PRESTART; ++ if (!lxcpath) { ++ ERROR("oci hook require lxcpath"); ++ return -1; ++ } ++ return do_run_oci_hooks(name, lxcpath, conf, which, conf->errpipe[1]); ++ } else if (strcmp(hookname, "oci-poststart") == 0) { ++ which = OCI_HOOK_POSTSTART; ++ if (!lxcpath) { ++ ERROR("oci hook require lxcpath"); ++ return -1; ++ } ++ return do_run_oci_hooks(name, lxcpath, conf, which, conf->errpipe[1]); ++ } else if (strcmp(hookname, "oci-poststop") == 0) { ++ which = OCI_HOOK_POSTSTOP; ++ if (!lxcpath) { ++ ERROR("oci hook require lxcpath"); ++ return -1; ++ } ++ return do_run_oci_hooks(name, lxcpath, conf, which, conf->errpipe[1]); ++ } else ++ return -1; ++ ++ return 0; ++} ++ ++ + int lxc_clear_config_caps(struct lxc_conf *c) + { + struct lxc_list *it, *next; +@@ -5299,7 +5337,8 @@ int lxc_clear_init_groups(struct lxc_conf *lxc_conf) + /*isulad: clear populate devices*/ + int lxc_clear_populate_devices(struct lxc_conf *c) + { +- struct lxc_list *it,*next; ++ struct lxc_list *it = NULL; ++ struct lxc_list *next = NULL; + + lxc_list_for_each_safe(it, &c->populate_devs, next) { + struct lxc_populate_devs *dev_elem = it->elem; +@@ -5315,7 +5354,8 @@ int lxc_clear_populate_devices(struct lxc_conf *c) + /*isulad: clear rootfs masked paths*/ + int lxc_clear_rootfs_masked_paths(struct lxc_conf *c) + { +- struct lxc_list *it,*next; ++ struct lxc_list *it = NULL; ++ struct lxc_list *next = NULL; + + lxc_list_for_each_safe(it, &c->rootfs.maskedpaths, next) { + lxc_list_del(it); +@@ -5328,7 +5368,8 @@ int lxc_clear_rootfs_masked_paths(struct lxc_conf *c) + /*isulad: clear rootfs ro paths*/ + int lxc_clear_rootfs_ro_paths(struct lxc_conf *c) + { +- struct lxc_list *it,*next; ++ struct lxc_list *it = NULL; ++ struct lxc_list *next = NULL; + + lxc_list_for_each_safe(it, &c->rootfs.ropaths, next) { + lxc_list_del(it); +@@ -5449,7 +5490,7 @@ static int run_userns_fn(void *data) + } + + static struct id_map *mapped_nsid_add(struct lxc_conf *conf, unsigned id, +- enum idtype idtype) ++ enum idtype idtype) + { + const struct id_map *map; + struct id_map *retmap; +@@ -5467,7 +5508,7 @@ static struct id_map *mapped_nsid_add(struct lxc_conf *conf, unsigned id, + } + + static struct id_map *find_mapped_hostid_entry(struct lxc_conf *conf, +- unsigned id, enum idtype idtype) ++ unsigned id, enum idtype idtype) + { + struct id_map *map; + struct lxc_list *it; +@@ -5491,7 +5532,7 @@ static struct id_map *find_mapped_hostid_entry(struct lxc_conf *conf, + * existing one or establish a new one. + */ + static struct id_map *mapped_hostid_add(struct lxc_conf *conf, uid_t id, +- enum idtype type) ++ enum idtype type) + { + int hostid_mapped; + struct id_map *entry = NULL, *tmp = NULL; +@@ -5528,7 +5569,7 @@ struct lxc_list *get_minimal_idmap(struct lxc_conf *conf) + gid_t nsgid = (conf->root_nsgid_map != NULL) ? 0 : conf->init_gid; + struct lxc_list *idmap = NULL, *tmplist = NULL; + struct id_map *container_root_uid = NULL, *container_root_gid = NULL, +- *host_uid_map = NULL, *host_gid_map = NULL; ++ *host_uid_map = NULL, *host_gid_map = NULL; + + /* Find container root mappings. */ + container_root_uid = mapped_nsid_add(conf, nsuid, ID_TYPE_UID); +@@ -5538,7 +5579,7 @@ struct lxc_list *get_minimal_idmap(struct lxc_conf *conf) + } + euid = geteuid(); + if (euid >= container_root_uid->hostid && +- euid < (container_root_uid->hostid + container_root_uid->range)) ++ euid < (container_root_uid->hostid + container_root_uid->range)) + host_uid_map = container_root_uid; + + container_root_gid = mapped_nsid_add(conf, nsgid, ID_TYPE_GID); +@@ -5548,7 +5589,7 @@ struct lxc_list *get_minimal_idmap(struct lxc_conf *conf) + } + egid = getegid(); + if (egid >= container_root_gid->hostid && +- egid < (container_root_gid->hostid + container_root_gid->range)) ++ egid < (container_root_gid->hostid + container_root_gid->range)) + host_gid_map = container_root_gid; + + /* Check whether the {g,u}id of the user has a mapping. */ +@@ -5648,7 +5689,7 @@ on_error: + * there to start the container in the first place. + */ + int userns_exec_1(struct lxc_conf *conf, int (*fn)(void *), void *data, +- const char *fn_name) ++ const char *fn_name) + { + pid_t pid; + int p[2]; +@@ -5686,7 +5727,7 @@ int userns_exec_1(struct lxc_conf *conf, int (*fn)(void *), void *data, + p[0] = -1; + + if (lxc_log_get_level() == LXC_LOG_LEVEL_TRACE || +- conf->loglevel == LXC_LOG_LEVEL_TRACE) { ++ conf->loglevel == LXC_LOG_LEVEL_TRACE) { + struct id_map *map; + struct lxc_list *it; + +@@ -5729,7 +5770,7 @@ on_error: + } + + int userns_exec_full(struct lxc_conf *conf, int (*fn)(void *), void *data, +- const char *fn_name) ++ const char *fn_name) + { + pid_t pid; + uid_t euid, egid; +@@ -5741,7 +5782,7 @@ int userns_exec_full(struct lxc_conf *conf, int (*fn)(void *), void *data, + char c = '1'; + struct lxc_list *idmap = NULL, *tmplist = NULL; + struct id_map *container_root_uid = NULL, *container_root_gid = NULL, +- *host_uid_map = NULL, *host_gid_map = NULL; ++ *host_uid_map = NULL, *host_gid_map = NULL; + + if (!conf) + return -EINVAL; +@@ -5866,7 +5907,7 @@ int userns_exec_full(struct lxc_conf *conf, int (*fn)(void *), void *data, + host_gid_map = NULL; + + if (lxc_log_get_level() == LXC_LOG_LEVEL_TRACE || +- conf->loglevel == LXC_LOG_LEVEL_TRACE) { ++ conf->loglevel == LXC_LOG_LEVEL_TRACE) { + lxc_list_for_each (cur, idmap) { + map = cur->elem; + TRACE("establishing %cid mapping for \"%d\" in new " +@@ -6139,7 +6180,7 @@ struct lxc_list *sort_cgroup_settings(struct lxc_list *cgroup_settings) + /* Store the memsw_limit location */ + memsw_limit = item; + } else if (strcmp(cg->subsystem, "memory.limit_in_bytes") == 0 && +- memsw_limit != NULL) { ++ memsw_limit != NULL) { + /* lxc.cgroup.memory.memsw.limit_in_bytes is found + * before lxc.cgroup.memory.limit_in_bytes, swap these + * two items */ +diff --git a/src/lxc/conf.h b/src/lxc/conf.h +index fb3c156..26bb70f 100644 +--- a/src/lxc/conf.h ++++ b/src/lxc/conf.h +@@ -70,14 +70,14 @@ typedef void * scmp_filter_ctx; + struct lxc_cgroup { + union { + /* information about a specific controller */ +- struct /* controller */ { ++ struct { /* controller */ + int version; + char *subsystem; + char *value; + }; + + /* meta information about cgroup configuration */ +- struct /* meta */ { ++ struct { /* meta */ + char *controllers; + char *dir; + }; +@@ -435,7 +435,7 @@ struct lxc_conf { + }; + + extern int write_id_mapping(enum idtype idtype, pid_t pid, const char *buf, +- size_t buf_size); ++ size_t buf_size); + + #ifdef HAVE_TLS + extern thread_local struct lxc_conf *current_config; +@@ -444,7 +444,9 @@ extern struct lxc_conf *current_config; + #endif + + extern int run_lxc_hooks(const char *name, char *hook, struct lxc_conf *conf, +- char *argv[]); ++ char *argv[]); ++extern int run_oci_hooks(const char *name, char *hookname, struct lxc_conf *conf, const char *lxcpath); ++ + extern int detect_shared_rootfs(void); + extern struct lxc_conf *lxc_conf_init(void); + extern void lxc_conf_free(struct lxc_conf *conf); +@@ -465,20 +467,20 @@ extern int lxc_clear_limits(struct lxc_conf *c, const char *key); + extern int lxc_delete_autodev(struct lxc_handler *handler); + extern void lxc_clear_includes(struct lxc_conf *conf); + extern int lxc_setup_rootfs_prepare_root(struct lxc_conf *conf, +- const char *name, const char *lxcpath); ++ const char *name, const char *lxcpath); + extern int lxc_setup(struct lxc_handler *handler); + extern int lxc_setup_parent(struct lxc_handler *handler); + extern int setup_resource_limits(struct lxc_list *limits, pid_t pid, int errfd); + extern int find_unmapped_nsid(struct lxc_conf *conf, enum idtype idtype); + extern int mapped_hostid(unsigned id, struct lxc_conf *conf, +- enum idtype idtype); ++ enum idtype idtype); + extern int chown_mapped_root(const char *path, struct lxc_conf *conf); + extern int userns_exec_1(struct lxc_conf *conf, int (*fn)(void *), void *data, +- const char *fn_name); ++ const char *fn_name); + extern int userns_exec_full(struct lxc_conf *conf, int (*fn)(void *), +- void *data, const char *fn_name); ++ void *data, const char *fn_name); + extern int parse_mntopts(const char *mntopts, unsigned long *mntflags, +- unsigned long *pflags, char **mntdata); ++ unsigned long *pflags, char **mntdata); + extern int parse_propagationopts(const char *mntopts, unsigned long *pflags); + extern void tmp_proc_unmount(struct lxc_conf *lxc_conf); + extern void remount_all_slave(void); +@@ -486,12 +488,12 @@ extern void suggest_default_idmap(void); + extern FILE *make_anonymous_mount_file(struct lxc_list *mount); + extern struct lxc_list *sort_cgroup_settings(struct lxc_list *cgroup_settings); + extern unsigned long add_required_remount_flags(const char *s, const char *d, +- unsigned long flags); ++ unsigned long flags); + extern int run_script(const char *name, const char *section, const char *script, +- ...); ++ ...); + extern int run_script_argv(const char *name, unsigned int hook_version, +- const char *section, const char *script, +- const char *hookname, char **argsin); ++ const char *section, const char *script, ++ const char *hookname, char **argsin); + extern int in_caplist(int cap, struct lxc_list *caps); + extern int setup_sysctl_parameters(struct lxc_list *sysctls); + extern int lxc_clear_sysctls(struct lxc_conf *c, const char *key); +diff --git a/src/lxc/confile.c b/src/lxc/confile.c +index 93936cc..216a688 100644 +--- a/src/lxc/confile.c ++++ b/src/lxc/confile.c +@@ -270,7 +270,7 @@ struct lxc_config_t *lxc_get_config(const char *key) + } + + static int set_config_net(const char *key, const char *value, +- struct lxc_conf *lxc_conf, void *data) ++ struct lxc_conf *lxc_conf, void *data) + { + if (!lxc_config_value_empty(value)) { + ERROR("lxc.net must not have a value"); +@@ -281,7 +281,7 @@ static int set_config_net(const char *key, const char *value, + } + + static int set_config_net_type(const char *key, const char *value, +- struct lxc_conf *lxc_conf, void *data) ++ struct lxc_conf *lxc_conf, void *data) + { + struct lxc_netdev *netdev = data; + +@@ -296,7 +296,7 @@ static int set_config_net_type(const char *key, const char *value, + } else if (!strcmp(value, "macvlan")) { + netdev->type = LXC_NET_MACVLAN; + lxc_macvlan_mode_to_flag(&netdev->priv.macvlan_attr.mode, +- "private"); ++ "private"); + } else if (!strcmp(value, "vlan")) { + netdev->type = LXC_NET_VLAN; + } else if (!strcmp(value, "phys")) { +@@ -314,7 +314,7 @@ static int set_config_net_type(const char *key, const char *value, + } + + static int set_config_net_flags(const char *key, const char *value, +- struct lxc_conf *lxc_conf, void *data) ++ struct lxc_conf *lxc_conf, void *data) + { + struct lxc_netdev *netdev = data; + +@@ -330,7 +330,7 @@ static int set_config_net_flags(const char *key, const char *value, + } + + static int create_matched_ifnames(const char *value, struct lxc_conf *lxc_conf, +- struct lxc_netdev *netdev) ++ struct lxc_netdev *netdev) + { + struct netns_ifaddrs *ifaddr, *ifa; + int n; +@@ -339,7 +339,9 @@ static int create_matched_ifnames(const char *value, struct lxc_conf *lxc_conf, + const char *link_key = "lxc.net.link"; + const char *tmpvalue = "phys"; + +- if (netns_getifaddrs(&ifaddr, -1, &(bool){false}) < 0) { ++ if (netns_getifaddrs(&ifaddr, -1, &(bool) { ++ false ++}) < 0) { + SYSERROR("Failed to get network interfaces"); + return -1; + } +@@ -353,10 +355,10 @@ static int create_matched_ifnames(const char *value, struct lxc_conf *lxc_conf, + + if (!strncmp(value, ifa->ifa_name, strlen(value) - 1)) { + ret = set_config_net_type(type_key, tmpvalue, lxc_conf, +- netdev); ++ netdev); + if (!ret) { + ret = set_config_net_link( +- link_key, ifa->ifa_name, lxc_conf, netdev); ++ link_key, ifa->ifa_name, lxc_conf, netdev); + if (ret) { + ERROR("Failed to create matched ifnames"); + break; +@@ -375,7 +377,7 @@ static int create_matched_ifnames(const char *value, struct lxc_conf *lxc_conf, + } + + static int set_config_net_link(const char *key, const char *value, +- struct lxc_conf *lxc_conf, void *data) ++ struct lxc_conf *lxc_conf, void *data) + { + struct lxc_netdev *netdev = data; + int ret = 0; +@@ -395,7 +397,7 @@ static int set_config_net_link(const char *key, const char *value, + } + + static int set_config_net_name(const char *key, const char *value, +- struct lxc_conf *lxc_conf, void *data) ++ struct lxc_conf *lxc_conf, void *data) + { + struct lxc_netdev *netdev = data; + +@@ -409,7 +411,7 @@ static int set_config_net_name(const char *key, const char *value, + } + + static int set_config_net_veth_pair(const char *key, const char *value, +- struct lxc_conf *lxc_conf, void *data) ++ struct lxc_conf *lxc_conf, void *data) + { + struct lxc_netdev *netdev = data; + +@@ -423,7 +425,7 @@ static int set_config_net_veth_pair(const char *key, const char *value, + } + + static int set_config_net_macvlan_mode(const char *key, const char *value, +- struct lxc_conf *lxc_conf, void *data) ++ struct lxc_conf *lxc_conf, void *data) + { + struct lxc_netdev *netdev = data; + +@@ -437,7 +439,7 @@ static int set_config_net_macvlan_mode(const char *key, const char *value, + } + + static int set_config_net_hwaddr(const char *key, const char *value, +- struct lxc_conf *lxc_conf, void *data) ++ struct lxc_conf *lxc_conf, void *data) + { + struct lxc_netdev *netdev = data; + char *new_value; +@@ -466,7 +468,7 @@ static int set_config_net_hwaddr(const char *key, const char *value, + } + + static int set_config_net_vlan_id(const char *key, const char *value, +- struct lxc_conf *lxc_conf, void *data) ++ struct lxc_conf *lxc_conf, void *data) + { + int ret; + struct lxc_netdev *netdev = data; +@@ -485,7 +487,7 @@ static int set_config_net_vlan_id(const char *key, const char *value, + } + + static int set_config_net_mtu(const char *key, const char *value, +- struct lxc_conf *lxc_conf, void *data) ++ struct lxc_conf *lxc_conf, void *data) + { + struct lxc_netdev *netdev = data; + +@@ -499,7 +501,7 @@ static int set_config_net_mtu(const char *key, const char *value, + } + + static int set_config_net_ipv4_address(const char *key, const char *value, +- struct lxc_conf *lxc_conf, void *data) ++ struct lxc_conf *lxc_conf, void *data) + { + int ret; + struct lxc_netdev *netdev = data; +@@ -596,7 +598,7 @@ static int set_config_net_ipv4_address(const char *key, const char *value, + } + + static int set_config_net_ipv4_gateway(const char *key, const char *value, +- struct lxc_conf *lxc_conf, void *data) ++ struct lxc_conf *lxc_conf, void *data) + { + struct lxc_netdev *netdev = data; + +@@ -634,7 +636,7 @@ static int set_config_net_ipv4_gateway(const char *key, const char *value, + } + + static int set_config_net_ipv6_address(const char *key, const char *value, +- struct lxc_conf *lxc_conf, void *data) ++ struct lxc_conf *lxc_conf, void *data) + { + int ret; + struct lxc_netdev *netdev = data; +@@ -700,7 +702,7 @@ static int set_config_net_ipv6_address(const char *key, const char *value, + } + + static int set_config_net_ipv6_gateway(const char *key, const char *value, +- struct lxc_conf *lxc_conf, void *data) ++ struct lxc_conf *lxc_conf, void *data) + { + struct lxc_netdev *netdev = data; + +@@ -738,7 +740,7 @@ static int set_config_net_ipv6_gateway(const char *key, const char *value, + } + + static int set_config_net_script_up(const char *key, const char *value, +- struct lxc_conf *lxc_conf, void *data) ++ struct lxc_conf *lxc_conf, void *data) + { + struct lxc_netdev *netdev = data; + +@@ -752,7 +754,7 @@ static int set_config_net_script_up(const char *key, const char *value, + } + + static int set_config_net_script_down(const char *key, const char *value, +- struct lxc_conf *lxc_conf, void *data) ++ struct lxc_conf *lxc_conf, void *data) + { + struct lxc_netdev *netdev = data; + +@@ -782,31 +784,31 @@ static int add_hook(struct lxc_conf *lxc_conf, int which, char *hook) + } + + static int set_config_seccomp_profile(const char *key, const char *value, +- struct lxc_conf *lxc_conf, void *data) ++ struct lxc_conf *lxc_conf, void *data) + { + return set_config_path_item(&lxc_conf->seccomp, value); + } + + static int set_config_execute_cmd(const char *key, const char *value, +- struct lxc_conf *lxc_conf, void *data) ++ struct lxc_conf *lxc_conf, void *data) + { + return set_config_path_item(&lxc_conf->execute_cmd, value); + } + + static int set_config_init_cmd(const char *key, const char *value, +- struct lxc_conf *lxc_conf, void *data) ++ struct lxc_conf *lxc_conf, void *data) + { + return set_config_path_item(&lxc_conf->init_cmd, value); + } + + static int set_config_init_cwd(const char *key, const char *value, +- struct lxc_conf *lxc_conf, void *data) ++ struct lxc_conf *lxc_conf, void *data) + { + return set_config_path_item(&lxc_conf->init_cwd, value); + } + + static int set_config_init_uid(const char *key, const char *value, +- struct lxc_conf *lxc_conf, void *data) ++ struct lxc_conf *lxc_conf, void *data) + { + unsigned int init_uid; + +@@ -824,7 +826,7 @@ static int set_config_init_uid(const char *key, const char *value, + } + + static int set_config_init_gid(const char *key, const char *value, +- struct lxc_conf *lxc_conf, void *data) ++ struct lxc_conf *lxc_conf, void *data) + { + unsigned int init_gid; + +@@ -842,7 +844,7 @@ static int set_config_init_gid(const char *key, const char *value, + } + + static int set_config_hooks(const char *key, const char *value, +- struct lxc_conf *lxc_conf, void *data) ++ struct lxc_conf *lxc_conf, void *data) + { + char *copy; + +@@ -885,7 +887,7 @@ static int set_config_hooks(const char *key, const char *value, + } + + static int set_config_hooks_version(const char *key, const char *value, +- struct lxc_conf *lxc_conf, void *data) ++ struct lxc_conf *lxc_conf, void *data) + { + int ret; + unsigned int tmp; +@@ -909,7 +911,7 @@ static int set_config_hooks_version(const char *key, const char *value, + } + + static int set_config_personality(const char *key, const char *value, +- struct lxc_conf *lxc_conf, void *data) ++ struct lxc_conf *lxc_conf, void *data) + { + signed long personality = lxc_config_parse_arch(value); + +@@ -922,7 +924,7 @@ static int set_config_personality(const char *key, const char *value, + } + + static int set_config_pty_max(const char *key, const char *value, +- struct lxc_conf *lxc_conf, void *data) ++ struct lxc_conf *lxc_conf, void *data) + { + int ret; + unsigned int max = 0; +@@ -947,7 +949,7 @@ static int set_config_pty_max(const char *key, const char *value, + * noticed when the callback was called. + */ + static int set_config_start(const char *key, const char *value, +- struct lxc_conf *lxc_conf, void *data) ++ struct lxc_conf *lxc_conf, void *data) + { + bool is_empty; + +@@ -986,7 +988,7 @@ static int set_config_start(const char *key, const char *value, + } + + static int set_config_monitor(const char *key, const char *value, +- struct lxc_conf *lxc_conf, void *data) ++ struct lxc_conf *lxc_conf, void *data) + { + if (lxc_config_value_empty(value)) { + lxc_conf->monitor_unshare = 0; +@@ -1000,7 +1002,7 @@ static int set_config_monitor(const char *key, const char *value, + } + + static int set_config_group(const char *key, const char *value, +- struct lxc_conf *lxc_conf, void *data) ++ struct lxc_conf *lxc_conf, void *data) + { + char *groups, *token; + struct lxc_list *grouplist; +@@ -1039,10 +1041,10 @@ static int set_config_group(const char *key, const char *value, + } + + static int set_config_environment(const char *key, const char *value, +- struct lxc_conf *lxc_conf, void *data) ++ struct lxc_conf *lxc_conf, void *data) + { + struct lxc_list *list_item = NULL; +- char *replaced; ++ char *replaced = NULL; + + if (lxc_config_value_empty(value)) + return lxc_clear_environment(lxc_conf); +@@ -1072,7 +1074,7 @@ on_error: + } + + static int set_config_tty_max(const char *key, const char *value, +- struct lxc_conf *lxc_conf, void *data) ++ struct lxc_conf *lxc_conf, void *data) + { + int ret; + unsigned int nbtty = 0; +@@ -1092,22 +1094,22 @@ static int set_config_tty_max(const char *key, const char *value, + } + + static int set_config_tty_dir(const char *key, const char *value, +- struct lxc_conf *lxc_conf, void *data) ++ struct lxc_conf *lxc_conf, void *data) + { + return set_config_string_item_max(&lxc_conf->ttys.dir, value, +- NAME_MAX + 1); ++ NAME_MAX + 1); + } + + static int set_config_apparmor_profile(const char *key, const char *value, +- struct lxc_conf *lxc_conf, void *data) ++ struct lxc_conf *lxc_conf, void *data) + { + return set_config_string_item(&lxc_conf->lsm_aa_profile, value); + } + + static int set_config_apparmor_allow_incomplete(const char *key, +- const char *value, +- struct lxc_conf *lxc_conf, +- void *data) ++ const char *value, ++ struct lxc_conf *lxc_conf, ++ void *data) + { + if (lxc_config_value_empty(value)) { + lxc_conf->lsm_aa_allow_incomplete = 0; +@@ -1124,13 +1126,13 @@ static int set_config_apparmor_allow_incomplete(const char *key, + } + + static int set_config_selinux_context(const char *key, const char *value, +- struct lxc_conf *lxc_conf, void *data) ++ struct lxc_conf *lxc_conf, void *data) + { + return set_config_string_item(&lxc_conf->lsm_se_context, value); + } + + static int set_config_log_file(const char *key, const char *value, +- struct lxc_conf *c, void *data) ++ struct lxc_conf *c, void *data) + { + int ret; + +@@ -1151,7 +1153,7 @@ static int set_config_log_file(const char *key, const char *value, + } + + static int set_config_log_level(const char *key, const char *value, +- struct lxc_conf *lxc_conf, void *data) ++ struct lxc_conf *lxc_conf, void *data) + { + int newlevel; + +@@ -1176,7 +1178,7 @@ static int set_config_log_level(const char *key, const char *value, + } + + static int set_config_autodev(const char *key, const char *value, +- struct lxc_conf *lxc_conf, void *data) ++ struct lxc_conf *lxc_conf, void *data) + { + if (lxc_config_value_empty(value)) { + lxc_conf->autodev = 0; +@@ -1193,7 +1195,7 @@ static int set_config_autodev(const char *key, const char *value, + } + + static int set_config_signal_halt(const char *key, const char *value, +- struct lxc_conf *lxc_conf, void *data) ++ struct lxc_conf *lxc_conf, void *data) + { + int sig_n; + +@@ -1212,7 +1214,7 @@ static int set_config_signal_halt(const char *key, const char *value, + } + + static int set_config_signal_reboot(const char *key, const char *value, +- struct lxc_conf *lxc_conf, void *data) ++ struct lxc_conf *lxc_conf, void *data) + { + int sig_n; + +@@ -1231,7 +1233,7 @@ static int set_config_signal_reboot(const char *key, const char *value, + } + + static int set_config_signal_stop(const char *key, const char *value, +- struct lxc_conf *lxc_conf, void *data) ++ struct lxc_conf *lxc_conf, void *data) + { + int sig_n; + +@@ -1250,7 +1252,7 @@ static int set_config_signal_stop(const char *key, const char *value, + } + + static int __set_config_cgroup_controller(const char *key, const char *value, +- struct lxc_conf *lxc_conf, int version) ++ struct lxc_conf *lxc_conf, int version) + { + const char *subkey, *token; + size_t token_len; +@@ -1317,22 +1319,22 @@ out: + } + + static int set_config_cgroup_controller(const char *key, const char *value, +- struct lxc_conf *lxc_conf, void *data) ++ struct lxc_conf *lxc_conf, void *data) + { + return __set_config_cgroup_controller(key, value, lxc_conf, +- CGROUP_SUPER_MAGIC); ++ CGROUP_SUPER_MAGIC); + } + + static int set_config_cgroup2_controller(const char *key, const char *value, +- struct lxc_conf *lxc_conf, void *data) ++ struct lxc_conf *lxc_conf, void *data) + { + return __set_config_cgroup_controller(key, value, lxc_conf, +- CGROUP2_SUPER_MAGIC); ++ CGROUP2_SUPER_MAGIC); + } + + + static int set_config_cgroup_dir(const char *key, const char *value, +- struct lxc_conf *lxc_conf, void *data) ++ struct lxc_conf *lxc_conf, void *data) + { + if (lxc_config_value_empty(value)) + return clr_config_cgroup_dir(key, lxc_conf, NULL); +@@ -1341,7 +1343,7 @@ static int set_config_cgroup_dir(const char *key, const char *value, + } + + static int set_config_prlimit(const char *key, const char *value, +- struct lxc_conf *lxc_conf, void *data) ++ struct lxc_conf *lxc_conf, void *data) + { + struct lxc_list *iter; + struct rlimit limit; +@@ -1434,7 +1436,7 @@ on_error: + } + + static int set_config_sysctl(const char *key, const char *value, +- struct lxc_conf *lxc_conf, void *data) ++ struct lxc_conf *lxc_conf, void *data) + { + struct lxc_list *iter; + char *replace_value = NULL; +@@ -1502,7 +1504,7 @@ on_error: + } + + static int set_config_proc(const char *key, const char *value, +- struct lxc_conf *lxc_conf, void *data) ++ struct lxc_conf *lxc_conf, void *data) + { + const char *subkey; + struct lxc_list *proclist = NULL; +@@ -1552,7 +1554,7 @@ on_error: + } + + static int set_config_idmaps(const char *key, const char *value, +- struct lxc_conf *lxc_conf, void *data) ++ struct lxc_conf *lxc_conf, void *data) + { + unsigned long hostid, nsid, range; + char type; +@@ -1612,7 +1614,7 @@ on_error: + } + + static int set_config_mount_fstab(const char *key, const char *value, +- struct lxc_conf *lxc_conf, void *data) ++ struct lxc_conf *lxc_conf, void *data) + { + if (lxc_config_value_empty(value)) { + clr_config_mount_fstab(key, lxc_conf, NULL); +@@ -1623,7 +1625,7 @@ static int set_config_mount_fstab(const char *key, const char *value, + } + + static int set_config_mount_auto(const char *key, const char *value, +- struct lxc_conf *lxc_conf, void *data) ++ struct lxc_conf *lxc_conf, void *data) + { + char *autos, *token; + int i; +@@ -1633,34 +1635,34 @@ static int set_config_mount_auto(const char *key, const char *value, + int mask; + int flag; + } allowed_auto_mounts[] = { +- { "proc", LXC_AUTO_PROC_MASK, LXC_AUTO_PROC_MIXED }, +- { "proc:mixed", LXC_AUTO_PROC_MASK, LXC_AUTO_PROC_MIXED }, +- { "proc:rw", LXC_AUTO_PROC_MASK, LXC_AUTO_PROC_RW }, +- { "sys", LXC_AUTO_SYS_MASK, LXC_AUTO_SYS_MIXED }, +- { "sys:ro", LXC_AUTO_SYS_MASK, LXC_AUTO_SYS_RO }, +- { "sys:mixed", LXC_AUTO_SYS_MASK, LXC_AUTO_SYS_MIXED }, +- { "sys:rw", LXC_AUTO_SYS_MASK, LXC_AUTO_SYS_RW }, +- { "cgroup", LXC_AUTO_CGROUP_MASK, LXC_AUTO_CGROUP_NOSPEC }, +- { "cgroup:mixed", LXC_AUTO_CGROUP_MASK, LXC_AUTO_CGROUP_MIXED }, +- { "cgroup:ro", LXC_AUTO_CGROUP_MASK, LXC_AUTO_CGROUP_RO }, +- { "cgroup:rw", LXC_AUTO_CGROUP_MASK, LXC_AUTO_CGROUP_RW }, +- { "cgroup:force", LXC_AUTO_CGROUP_MASK, LXC_AUTO_CGROUP_NOSPEC | LXC_AUTO_CGROUP_FORCE }, +- { "cgroup:mixed:force", LXC_AUTO_CGROUP_MASK, LXC_AUTO_CGROUP_MIXED | LXC_AUTO_CGROUP_FORCE }, +- { "cgroup:ro:force", LXC_AUTO_CGROUP_MASK, LXC_AUTO_CGROUP_RO | LXC_AUTO_CGROUP_FORCE }, +- { "cgroup:rw:force", LXC_AUTO_CGROUP_MASK, LXC_AUTO_CGROUP_RW | LXC_AUTO_CGROUP_FORCE }, +- { "cgroup-full", LXC_AUTO_CGROUP_MASK, LXC_AUTO_CGROUP_FULL_NOSPEC }, +- { "cgroup-full:mixed", LXC_AUTO_CGROUP_MASK, LXC_AUTO_CGROUP_FULL_MIXED }, +- { "cgroup-full:ro", LXC_AUTO_CGROUP_MASK, LXC_AUTO_CGROUP_FULL_RO }, +- { "cgroup-full:rw", LXC_AUTO_CGROUP_MASK, LXC_AUTO_CGROUP_FULL_RW }, +- { "cgroup-full:force", LXC_AUTO_CGROUP_MASK, LXC_AUTO_CGROUP_FULL_NOSPEC | LXC_AUTO_CGROUP_FORCE }, +- { "cgroup-full:mixed:force", LXC_AUTO_CGROUP_MASK, LXC_AUTO_CGROUP_FULL_MIXED | LXC_AUTO_CGROUP_FORCE }, +- { "cgroup-full:ro:force", LXC_AUTO_CGROUP_MASK, LXC_AUTO_CGROUP_FULL_RO | LXC_AUTO_CGROUP_FORCE }, +- { "cgroup-full:rw:force", LXC_AUTO_CGROUP_MASK, LXC_AUTO_CGROUP_FULL_RW | LXC_AUTO_CGROUP_FORCE }, +- /* For adding anything that is just a single on/off, but has no +- * options: keep mask and flag identical and just define the enum +- * value as an unused bit so far +- */ +- { NULL, 0, 0 } ++ { "proc", LXC_AUTO_PROC_MASK, LXC_AUTO_PROC_MIXED }, ++ { "proc:mixed", LXC_AUTO_PROC_MASK, LXC_AUTO_PROC_MIXED }, ++ { "proc:rw", LXC_AUTO_PROC_MASK, LXC_AUTO_PROC_RW }, ++ { "sys", LXC_AUTO_SYS_MASK, LXC_AUTO_SYS_MIXED }, ++ { "sys:ro", LXC_AUTO_SYS_MASK, LXC_AUTO_SYS_RO }, ++ { "sys:mixed", LXC_AUTO_SYS_MASK, LXC_AUTO_SYS_MIXED }, ++ { "sys:rw", LXC_AUTO_SYS_MASK, LXC_AUTO_SYS_RW }, ++ { "cgroup", LXC_AUTO_CGROUP_MASK, LXC_AUTO_CGROUP_NOSPEC }, ++ { "cgroup:mixed", LXC_AUTO_CGROUP_MASK, LXC_AUTO_CGROUP_MIXED }, ++ { "cgroup:ro", LXC_AUTO_CGROUP_MASK, LXC_AUTO_CGROUP_RO }, ++ { "cgroup:rw", LXC_AUTO_CGROUP_MASK, LXC_AUTO_CGROUP_RW }, ++ { "cgroup:force", LXC_AUTO_CGROUP_MASK, LXC_AUTO_CGROUP_NOSPEC | LXC_AUTO_CGROUP_FORCE }, ++ { "cgroup:mixed:force", LXC_AUTO_CGROUP_MASK, LXC_AUTO_CGROUP_MIXED | LXC_AUTO_CGROUP_FORCE }, ++ { "cgroup:ro:force", LXC_AUTO_CGROUP_MASK, LXC_AUTO_CGROUP_RO | LXC_AUTO_CGROUP_FORCE }, ++ { "cgroup:rw:force", LXC_AUTO_CGROUP_MASK, LXC_AUTO_CGROUP_RW | LXC_AUTO_CGROUP_FORCE }, ++ { "cgroup-full", LXC_AUTO_CGROUP_MASK, LXC_AUTO_CGROUP_FULL_NOSPEC }, ++ { "cgroup-full:mixed", LXC_AUTO_CGROUP_MASK, LXC_AUTO_CGROUP_FULL_MIXED }, ++ { "cgroup-full:ro", LXC_AUTO_CGROUP_MASK, LXC_AUTO_CGROUP_FULL_RO }, ++ { "cgroup-full:rw", LXC_AUTO_CGROUP_MASK, LXC_AUTO_CGROUP_FULL_RW }, ++ { "cgroup-full:force", LXC_AUTO_CGROUP_MASK, LXC_AUTO_CGROUP_FULL_NOSPEC | LXC_AUTO_CGROUP_FORCE }, ++ { "cgroup-full:mixed:force", LXC_AUTO_CGROUP_MASK, LXC_AUTO_CGROUP_FULL_MIXED | LXC_AUTO_CGROUP_FORCE }, ++ { "cgroup-full:ro:force", LXC_AUTO_CGROUP_MASK, LXC_AUTO_CGROUP_FULL_RO | LXC_AUTO_CGROUP_FORCE }, ++ { "cgroup-full:rw:force", LXC_AUTO_CGROUP_MASK, LXC_AUTO_CGROUP_FULL_RW | LXC_AUTO_CGROUP_FORCE }, ++ /* For adding anything that is just a single on/off, but has no ++ * options: keep mask and flag identical and just define the enum ++ * value as an unused bit so far ++ */ ++ { NULL, 0, 0 } + }; + + if (lxc_config_value_empty(value)) { +@@ -1696,7 +1698,7 @@ on_error: + } + + static int set_config_mount(const char *key, const char *value, +- struct lxc_conf *lxc_conf, void *data) ++ struct lxc_conf *lxc_conf, void *data) + { + char *mntelem; + struct lxc_list *mntlist; +@@ -1721,7 +1723,7 @@ static int set_config_mount(const char *key, const char *value, + } + + static int set_config_cap_keep(const char *key, const char *value, +- struct lxc_conf *lxc_conf, void *data) ++ struct lxc_conf *lxc_conf, void *data) + { + char *keepcaps, *token; + struct lxc_list *keeplist; +@@ -1763,7 +1765,7 @@ on_error: + } + + static int set_config_cap_drop(const char *key, const char *value, +- struct lxc_conf *lxc_conf, void *data) ++ struct lxc_conf *lxc_conf, void *data) + { + char *dropcaps, *token; + struct lxc_list *droplist; +@@ -1793,7 +1795,7 @@ static int set_config_cap_drop(const char *key, const char *value, + lxc_list_add_tail(&lxc_conf->caps, droplist); + } + +- ret = 0; ++ ret = 0; + + on_error: + free(dropcaps); +@@ -1802,13 +1804,13 @@ on_error: + } + + static int set_config_console_path(const char *key, const char *value, +- struct lxc_conf *lxc_conf, void *data) ++ struct lxc_conf *lxc_conf, void *data) + { + return set_config_path_item(&lxc_conf->console.path, value); + } + + static int set_config_console_rotate(const char *key, const char *value, +- struct lxc_conf *lxc_conf, void *data) ++ struct lxc_conf *lxc_conf, void *data) + { + if (lxc_config_value_empty(value)) { + lxc_conf->console.log_rotate = 0; +@@ -1831,13 +1833,13 @@ static int set_config_console_rotate(const char *key, const char *value, + } + + static int set_config_console_logfile(const char *key, const char *value, +- struct lxc_conf *lxc_conf, void *data) ++ struct lxc_conf *lxc_conf, void *data) + { + return set_config_path_item(&lxc_conf->console.log_path, value); + } + + static int set_config_console_buffer_size(const char *key, const char *value, +- struct lxc_conf *lxc_conf, void *data) ++ struct lxc_conf *lxc_conf, void *data) + { + int ret; + int64_t size; +@@ -1885,7 +1887,7 @@ static int set_config_console_buffer_size(const char *key, const char *value, + } + + static int set_config_console_size(const char *key, const char *value, +- struct lxc_conf *lxc_conf, void *data) ++ struct lxc_conf *lxc_conf, void *data) + { + int ret; + int64_t size; +@@ -1942,7 +1944,7 @@ int append_unexp_config_line(const char *line, struct lxc_conf *conf) + linelen = strlen(line); + while (conf->unexpanded_alloced <= len + linelen + 2) { + char *tmp = realloc(conf->unexpanded_config, +- conf->unexpanded_alloced + 1024); ++ conf->unexpanded_alloced + 1024); + if (!tmp) + return -1; + +@@ -2007,7 +2009,7 @@ out: + } + + static int set_config_includefiles(const char *key, const char *value, +- struct lxc_conf *lxc_conf, void *data) ++ struct lxc_conf *lxc_conf, void *data) + { + if (lxc_config_value_empty(value)) { + clr_config_includefiles(key, lxc_conf, NULL); +@@ -2021,7 +2023,7 @@ static int set_config_includefiles(const char *key, const char *value, + } + + static int set_config_rootfs_path(const char *key, const char *value, +- struct lxc_conf *lxc_conf, void *data) ++ struct lxc_conf *lxc_conf, void *data) + { + int ret; + char *dup, *tmp; +@@ -2064,13 +2066,13 @@ static int set_config_rootfs_path(const char *key, const char *value, + } + + static int set_config_rootfs_mount(const char *key, const char *value, +- struct lxc_conf *lxc_conf, void *data) ++ struct lxc_conf *lxc_conf, void *data) + { + return set_config_path_item(&lxc_conf->rootfs.mount, value); + } + + static int set_config_rootfs_options(const char *key, const char *value, +- struct lxc_conf *lxc_conf, void *data) ++ struct lxc_conf *lxc_conf, void *data) + { + int ret; + unsigned long mflags = 0, pflags = 0; +@@ -2095,7 +2097,7 @@ static int set_config_rootfs_options(const char *key, const char *value, + } + + static int set_config_uts_name(const char *key, const char *value, +- struct lxc_conf *lxc_conf, void *data) ++ struct lxc_conf *lxc_conf, void *data) + { + struct utsname *utsname; + +@@ -2121,7 +2123,7 @@ static int set_config_uts_name(const char *key, const char *value, + } + + static int set_config_namespace_clone(const char *key, const char *value, +- struct lxc_conf *lxc_conf, void *data) ++ struct lxc_conf *lxc_conf, void *data) + { + char *ns, *token; + int cloneflag = 0; +@@ -2156,7 +2158,7 @@ static int set_config_namespace_clone(const char *key, const char *value, + } + + static int set_config_namespace_keep(const char *key, const char *value, +- struct lxc_conf *lxc_conf, void *data) ++ struct lxc_conf *lxc_conf, void *data) + { + char *ns, *token; + int cloneflag = 0; +@@ -2191,7 +2193,7 @@ static int set_config_namespace_keep(const char *key, const char *value, + } + + static int set_config_namespace_share(const char *key, const char *value, +- struct lxc_conf *lxc_conf, void *data) ++ struct lxc_conf *lxc_conf, void *data) + { + int ns_idx; + const char *namespace; +@@ -2209,7 +2211,7 @@ static int set_config_namespace_share(const char *key, const char *value, + + /* isulad: set config for init args */ + static int set_config_init_args(const char *key, const char *value, +- struct lxc_conf *lxc_conf, void *data) ++ struct lxc_conf *lxc_conf, void *data) + { + int ret = 0; + char *tmp = NULL; +@@ -2219,8 +2221,8 @@ static int set_config_init_args(const char *key, const char *value, + if (ret || !new_value) + return ret; + +- tmp = realloc(lxc_conf->init_argv, (lxc_conf->init_argc + 1) * sizeof(char *)); +- if (!tmp) { ++ if (lxc_mem_realloc((void **)&tmp, (lxc_conf->init_argc + 1) * sizeof(char *), lxc_conf->init_argv, ++ (lxc_conf->init_argc) * sizeof(char *)) != 0) { + ERROR("Out of memory"); + free(new_value); + return -1; +@@ -2236,9 +2238,10 @@ static int set_config_init_args(const char *key, const char *value, + + /* isulad: set config for init groups */ + static int set_config_init_groups(const char *key, const char *value, +- struct lxc_conf *lxc_conf, void *data) ++ struct lxc_conf *lxc_conf, void *data) + { +- char *groups, *token; ++ char *groups = NULL; ++ char *token = NULL; + int ret = -1; + + if (lxc_config_value_empty(value)) +@@ -2252,9 +2255,9 @@ static int set_config_init_groups(const char *key, const char *value, + * split these caps in a single element for the list. + */ + lxc_iterate_parts(token, groups, " \t") { +- gid_t *tmp; +- tmp = realloc(lxc_conf->init_groups, (lxc_conf->init_groups_len + 1) * sizeof(gid_t)); +- if (!tmp) { ++ gid_t *tmp = NULL; ++ if (lxc_mem_realloc((void **)&tmp, (lxc_conf->init_groups_len + 1) * sizeof(gid_t), lxc_conf->init_groups, ++ (lxc_conf->init_groups_len) * sizeof(gid_t)) != 0) { + ERROR("Out of memory"); + goto on_error; + } +@@ -2273,93 +2276,93 @@ on_error: + + /* isulad: set config for populate device */ + static int set_config_populate_device(const char *key, const char *value, +- struct lxc_conf *lxc_conf, void *data) +-{ +- int ret = 0, major = 0, minor = 0; +- uid_t uid = (uid_t)-1; +- gid_t gid = (gid_t)-1; +- char name[PATH_MAX] = {0}; +- char type[3] = {0}; +- char *replace_value = NULL; +- mode_t filemode = 0; +- struct lxc_list *iter; +- struct lxc_list *dev_list = NULL; +- struct lxc_populate_devs *dev_elem = NULL; +- +- if (lxc_config_value_empty(value)) +- return lxc_clear_populate_devices(lxc_conf); +- +- /* lxc.populate.device = PATH_IN_CONTAINER:DEVICETYPE:MAJOR:MINOR:MODE:UID:GID +- * For e.g. lxc.populate.device = /dev/sda:b:8:0:0666:0:0 +- */ +- ret = sscanf(value, "%[^:]:%2[^:]:%i:%i:%i:%u:%u", name, type, &major, &minor, &filemode, &uid, &gid); +- if (ret != 7) +- return -1; +- +- /* find existing list element */ +- lxc_list_for_each(iter, &lxc_conf->populate_devs) { +- dev_elem = iter->elem; +- +- if (strcmp(name, dev_elem->name) != 0) +- continue; +- +- replace_value = strdup(type); +- if (!replace_value) +- return -1; +- +- free(dev_elem->type); +- dev_elem->type = replace_value; +- dev_elem->file_mode = filemode; +- dev_elem->maj = major; +- dev_elem->min = minor; +- dev_elem->uid = (uid_t)uid; +- dev_elem->gid = (gid_t)gid; +- return 0; +- } +- +- /* allocate list element */ +- dev_list = malloc(sizeof(*dev_list)); +- if (!dev_list) +- goto on_error; +- +- lxc_list_init(dev_list); +- +- dev_elem = malloc(sizeof(*dev_elem)); +- if (!dev_elem) +- goto on_error; +- memset(dev_elem, 0, sizeof(*dev_elem)); +- +- dev_elem->name = strdup(name); +- if (!dev_elem->name) +- goto on_error; +- +- dev_elem->type = strdup(type); +- if (!dev_elem->type) +- goto on_error; +- +- dev_elem->file_mode = filemode; +- dev_elem->maj = major; +- dev_elem->min = minor; +- +- lxc_list_add_elem(dev_list, dev_elem); +- +- lxc_list_add_tail(&lxc_conf->populate_devs, dev_list); +- +- return 0; ++ struct lxc_conf *lxc_conf, void *data) ++{ ++ int ret = 0, major = 0, minor = 0; ++ uid_t uid = (uid_t)-1; ++ gid_t gid = (gid_t)-1; ++ char name[PATH_MAX] = {0}; ++ char type[3] = {0}; ++ char *replace_value = NULL; ++ mode_t filemode = 0; ++ struct lxc_list *iter = NULL; ++ struct lxc_list *dev_list = NULL; ++ struct lxc_populate_devs *dev_elem = NULL; ++ ++ if (lxc_config_value_empty(value)) ++ return lxc_clear_populate_devices(lxc_conf); ++ ++ /* lxc.populate.device = PATH_IN_CONTAINER:DEVICETYPE:MAJOR:MINOR:MODE:UID:GID ++ * For e.g. lxc.populate.device = /dev/sda:b:8:0:0666:0:0 ++ */ ++ ret = sscanf(value, "%[^:]:%2[^:]:%i:%i:%i:%u:%u", name, type, &major, &minor, &filemode, &uid, &gid); ++ if (ret != 7) ++ return -1; ++ ++ /* find existing list element */ ++ lxc_list_for_each(iter, &lxc_conf->populate_devs) { ++ dev_elem = iter->elem; ++ ++ if (strcmp(name, dev_elem->name) != 0) ++ continue; ++ ++ replace_value = strdup(type); ++ if (!replace_value) ++ return -1; ++ ++ free(dev_elem->type); ++ dev_elem->type = replace_value; ++ dev_elem->file_mode = filemode; ++ dev_elem->maj = major; ++ dev_elem->min = minor; ++ dev_elem->uid = (uid_t)uid; ++ dev_elem->gid = (gid_t)gid; ++ return 0; ++ } ++ ++ /* allocate list element */ ++ dev_list = malloc(sizeof(*dev_list)); ++ if (!dev_list) ++ goto on_error; ++ ++ lxc_list_init(dev_list); ++ ++ dev_elem = malloc(sizeof(*dev_elem)); ++ if (!dev_elem) ++ goto on_error; ++ memset(dev_elem, 0, sizeof(*dev_elem)); ++ ++ dev_elem->name = strdup(name); ++ if (!dev_elem->name) ++ goto on_error; ++ ++ dev_elem->type = strdup(type); ++ if (!dev_elem->type) ++ goto on_error; ++ ++ dev_elem->file_mode = filemode; ++ dev_elem->maj = major; ++ dev_elem->min = minor; ++ ++ lxc_list_add_elem(dev_list, dev_elem); ++ ++ lxc_list_add_tail(&lxc_conf->populate_devs, dev_list); ++ ++ return 0; + + on_error: +- free(dev_list); +- if (dev_elem) { +- free(dev_elem->name); +- free(dev_elem->type); +- free(dev_elem); +- } +- return -1; ++ free(dev_list); ++ if (dev_elem) { ++ free(dev_elem->name); ++ free(dev_elem->type); ++ free(dev_elem); ++ } ++ return -1; + } + + /* isulad: set config for rootfs masked paths */ + static int set_config_rootfs_masked_paths(const char *key, const char *value, +- struct lxc_conf *lxc_conf, void *data) ++ struct lxc_conf *lxc_conf, void *data) + { + struct lxc_list *list_item = NULL; + +@@ -2387,7 +2390,7 @@ on_error: + + /* isulad: set config for rootfs ro paths */ + static int set_config_rootfs_ro_paths(const char *key, const char *value, +- struct lxc_conf *lxc_conf, void *data) ++ struct lxc_conf *lxc_conf, void *data) + { + struct lxc_list *list_item = NULL; + +@@ -2416,7 +2419,7 @@ on_error: + + /* isulad: set config for umask */ + static int set_config_umask(const char *key, const char *value, +- struct lxc_conf *lxc_conf, void *data) ++ struct lxc_conf *lxc_conf, void *data) + { + if (lxc_config_value_empty(value)) { + ERROR("Empty umask"); +@@ -2437,7 +2440,7 @@ static int set_config_umask(const char *key, const char *value, + + /* isulad: set config for systemd */ + static int set_config_systemd(const char *key, const char *value, +- struct lxc_conf *lxc_conf, void *data) ++ struct lxc_conf *lxc_conf, void *data) + { + if (lxc_config_value_empty(value)) { + ERROR("Empty umask"); +@@ -2673,32 +2676,32 @@ signed long lxc_config_parse_arch(const char *arch) + char *name; + unsigned long per; + } pername[] = { +- { "arm", PER_LINUX32 }, +- { "armel", PER_LINUX32 }, +- { "armhf", PER_LINUX32 }, +- { "armv7l", PER_LINUX32 }, +- { "athlon", PER_LINUX32 }, +- { "i386", PER_LINUX32 }, +- { "i486", PER_LINUX32 }, +- { "i586", PER_LINUX32 }, +- { "i686", PER_LINUX32 }, +- { "linux32", PER_LINUX32 }, +- { "mips", PER_LINUX32 }, +- { "mipsel", PER_LINUX32 }, +- { "ppc", PER_LINUX32 }, +- { "powerpc", PER_LINUX32 }, +- { "x86", PER_LINUX32 }, +- { "amd64", PER_LINUX }, +- { "arm64", PER_LINUX }, +- { "linux64", PER_LINUX }, +- { "mips64", PER_LINUX }, +- { "mips64el", PER_LINUX }, +- { "ppc64", PER_LINUX }, +- { "ppc64el", PER_LINUX }, +- { "ppc64le", PER_LINUX }, +- { "powerpc64", PER_LINUX }, +- { "s390x", PER_LINUX }, +- { "x86_64", PER_LINUX }, ++ { "arm", PER_LINUX32 }, ++ { "armel", PER_LINUX32 }, ++ { "armhf", PER_LINUX32 }, ++ { "armv7l", PER_LINUX32 }, ++ { "athlon", PER_LINUX32 }, ++ { "i386", PER_LINUX32 }, ++ { "i486", PER_LINUX32 }, ++ { "i586", PER_LINUX32 }, ++ { "i686", PER_LINUX32 }, ++ { "linux32", PER_LINUX32 }, ++ { "mips", PER_LINUX32 }, ++ { "mipsel", PER_LINUX32 }, ++ { "ppc", PER_LINUX32 }, ++ { "powerpc", PER_LINUX32 }, ++ { "x86", PER_LINUX32 }, ++ { "amd64", PER_LINUX }, ++ { "arm64", PER_LINUX }, ++ { "linux64", PER_LINUX }, ++ { "mips64", PER_LINUX }, ++ { "mips64el", PER_LINUX }, ++ { "ppc64", PER_LINUX }, ++ { "ppc64el", PER_LINUX }, ++ { "ppc64le", PER_LINUX }, ++ { "powerpc64", PER_LINUX }, ++ { "s390x", PER_LINUX }, ++ { "x86_64", PER_LINUX }, + }; + size_t len = sizeof(pername) / sizeof(pername[0]); + +@@ -2769,7 +2772,7 @@ int write_config(int fd, const struct lxc_conf *conf) + } + + bool do_append_unexp_config_line(struct lxc_conf *conf, const char *key, +- const char *v) ++ const char *v) + { + int ret; + size_t len; +@@ -2793,7 +2796,7 @@ bool do_append_unexp_config_line(struct lxc_conf *conf, const char *key, + } + + void clear_unexp_config_line(struct lxc_conf *conf, const char *key, +- bool rm_subkeys) ++ bool rm_subkeys) + { + char *lend; + char *lstart = conf->unexpanded_config; +@@ -2835,8 +2838,8 @@ void clear_unexp_config_line(struct lxc_conf *conf, const char *key, + } + + bool clone_update_unexp_ovl_paths(struct lxc_conf *conf, const char *oldpath, +- const char *newpath, const char *oldname, +- const char *newname, const char *ovldir) ++ const char *newpath, const char *oldname, ++ const char *newname, const char *ovldir) + { + int ret; + char *lend, *newdir, *olddir, *p, *q; +@@ -2847,14 +2850,14 @@ bool clone_update_unexp_ovl_paths(struct lxc_conf *conf, const char *oldpath, + olddirlen = strlen(ovldir) + strlen(oldpath) + strlen(oldname) + 2; + olddir = alloca(olddirlen + 1); + ret = snprintf(olddir, olddirlen + 1, "%s=%s/%s", ovldir, oldpath, +- oldname); ++ oldname); + if (ret < 0 || ret >= olddirlen + 1) + return false; + + newdirlen = strlen(ovldir) + strlen(newpath) + strlen(newname) + 2; + newdir = alloca(newdirlen + 1); + ret = snprintf(newdir, newdirlen + 1, "%s=%s/%s", ovldir, newpath, +- newname); ++ newname); + if (ret < 0 || ret >= newdirlen + 1) + return false; + +@@ -2935,7 +2938,7 @@ bool clone_update_unexp_ovl_paths(struct lxc_conf *conf, const char *oldpath, + lend += diff; + } + +- next: ++next: + lstart = lend; + } + +@@ -2943,8 +2946,8 @@ bool clone_update_unexp_ovl_paths(struct lxc_conf *conf, const char *oldpath, + } + + bool clone_update_unexp_hooks(struct lxc_conf *conf, const char *oldpath, +- const char *newpath, const char *oldname, +- const char *newname) ++ const char *newpath, const char *oldname, ++ const char *newname) + { + int ret; + char *lend, *newdir, *olddir, *p; +@@ -3029,7 +3032,7 @@ bool clone_update_unexp_hooks(struct lxc_conf *conf, const char *oldpath, + lend += diff; + } + +- next: ++next: + lstart = lend; + } + +@@ -3117,7 +3120,7 @@ bool network_new_hwaddrs(struct lxc_conf *conf) + } + + static int set_config_ephemeral(const char *key, const char *value, +- struct lxc_conf *lxc_conf, void *data) ++ struct lxc_conf *lxc_conf, void *data) + { + if (lxc_config_value_empty(value)) { + lxc_conf->ephemeral = 0; +@@ -3134,7 +3137,7 @@ static int set_config_ephemeral(const char *key, const char *value, + } + + static int set_config_log_syslog(const char *key, const char *value, +- struct lxc_conf *lxc_conf, void *data) ++ struct lxc_conf *lxc_conf, void *data) + { + int facility; + +@@ -3156,7 +3159,7 @@ static int set_config_log_syslog(const char *key, const char *value, + } + + static int set_config_no_new_privs(const char *key, const char *value, +- struct lxc_conf *lxc_conf, void *data) ++ struct lxc_conf *lxc_conf, void *data) + { + unsigned int v; + +@@ -3178,7 +3181,7 @@ static int set_config_no_new_privs(const char *key, const char *value, + + /* Callbacks to get configuration items. */ + static int get_config_personality(const char *key, char *retv, int inlen, +- struct lxc_conf *c, void *data) ++ struct lxc_conf *c, void *data) + { + int fulllen = 0; + +@@ -3206,53 +3209,53 @@ static int get_config_personality(const char *key, char *retv, int inlen, + } + + static int get_config_pty_max(const char *key, char *retv, int inlen, +- struct lxc_conf *c, void *data) ++ struct lxc_conf *c, void *data) + { + return lxc_get_conf_size_t(c, retv, inlen, c->pty_max); + } + + static int get_config_tty_max(const char *key, char *retv, int inlen, +- struct lxc_conf *c, void *data) ++ struct lxc_conf *c, void *data) + { + return lxc_get_conf_size_t(c, retv, inlen, c->ttys.max); + } + + /* isulad add: get umask value*/ + static int get_config_umask(const char *key, char *retv, int inlen, +- struct lxc_conf *c, void *data) ++ struct lxc_conf *c, void *data) + { + return lxc_get_conf_size_t(c, retv, inlen, c->umask); + } + + /* isulad add: get systemd value*/ + static int get_config_systemd(const char *key, char *retv, int inlen, +- struct lxc_conf *c, void *data) ++ struct lxc_conf *c, void *data) + { + return lxc_get_conf_str(retv, inlen, c->systemd); + } + + static int get_config_tty_dir(const char *key, char *retv, int inlen, +- struct lxc_conf *c, void *data) ++ struct lxc_conf *c, void *data) + { + return lxc_get_conf_str(retv, inlen, c->ttys.dir); + } + + static int get_config_apparmor_profile(const char *key, char *retv, int inlen, +- struct lxc_conf *c, void *data) ++ struct lxc_conf *c, void *data) + { + return lxc_get_conf_str(retv, inlen, c->lsm_aa_profile); + } + + static int get_config_apparmor_allow_incomplete(const char *key, char *retv, +- int inlen, struct lxc_conf *c, +- void *data) ++ int inlen, struct lxc_conf *c, ++ void *data) + { + return lxc_get_conf_int(c, retv, inlen, +- c->lsm_aa_allow_incomplete); ++ c->lsm_aa_allow_incomplete); + } + + static int get_config_selinux_context(const char *key, char *retv, int inlen, +- struct lxc_conf *c, void *data) ++ struct lxc_conf *c, void *data) + { + return lxc_get_conf_str(retv, inlen, c->lsm_se_context); + } +@@ -3266,8 +3269,8 @@ static int get_config_selinux_context(const char *key, char *retv, int inlen, + * 'lxc.cgroup.subsystem.key = value' format. + */ + static int __get_config_cgroup_controller(const char *key, char *retv, +- int inlen, struct lxc_conf *c, +- int version) ++ int inlen, struct lxc_conf *c, ++ int version) + { + int len; + size_t namespaced_token_len; +@@ -3308,7 +3311,7 @@ static int __get_config_cgroup_controller(const char *key, char *retv, + continue; + + strprint(retv, inlen, "%s.%s = %s\n", global_token, +- cg->subsystem, cg->value); ++ cg->subsystem, cg->value); + } else if (strcmp(cg->subsystem, key) == 0) { + strprint(retv, inlen, "%s\n", cg->value); + } +@@ -3318,21 +3321,21 @@ static int __get_config_cgroup_controller(const char *key, char *retv, + } + + static int get_config_cgroup_controller(const char *key, char *retv, int inlen, +- struct lxc_conf *c, void *data) ++ struct lxc_conf *c, void *data) + { + return __get_config_cgroup_controller(key, retv, inlen, c, +- CGROUP_SUPER_MAGIC); ++ CGROUP_SUPER_MAGIC); + } + + static int get_config_cgroup2_controller(const char *key, char *retv, int inlen, +- struct lxc_conf *c, void *data) ++ struct lxc_conf *c, void *data) + { + return __get_config_cgroup_controller(key, retv, inlen, c, +- CGROUP2_SUPER_MAGIC); ++ CGROUP2_SUPER_MAGIC); + } + + static int get_config_cgroup_dir(const char *key, char *retv, int inlen, +- struct lxc_conf *lxc_conf, void *data) ++ struct lxc_conf *lxc_conf, void *data) + { + int len; + int fulllen = 0; +@@ -3348,31 +3351,31 @@ static int get_config_cgroup_dir(const char *key, char *retv, int inlen, + } + + static int get_config_idmaps(const char *key, char *retv, int inlen, +- struct lxc_conf *c, void *data) ++ struct lxc_conf *c, void *data) + { + struct lxc_list *it; + int len, listlen, ret; + int fulllen = 0; +-/* "u 1000 1000000 65536" +- * +- * let's render this as +- * +- * sizeof(char) +- * + +- * sizeof(" ") +- * + +- * sizeof(uint32_t) +- * + +- * sizeof(" ") +- * + +- * sizeof(uint32_t) +- * + +- * sizeof(" ") +- * + +- * sizeof(uint32_t) +- * + +- * \0 +- */ ++ /* "u 1000 1000000 65536" ++ * ++ * let's render this as ++ * ++ * sizeof(char) ++ * + ++ * sizeof(" ") ++ * + ++ * sizeof(uint32_t) ++ * + ++ * sizeof(" ") ++ * + ++ * sizeof(uint32_t) ++ * + ++ * sizeof(" ") ++ * + ++ * sizeof(uint32_t) ++ * + ++ * \0 ++ */ + #define __LXC_IDMAP_STR_BUF (3 * INTTYPE_TO_STRLEN(uint32_t) + 3 + 1 + 1) + char buf[__LXC_IDMAP_STR_BUF]; + +@@ -3385,8 +3388,8 @@ static int get_config_idmaps(const char *key, char *retv, int inlen, + lxc_list_for_each(it, &c->id_map) { + struct id_map *map = it->elem; + ret = snprintf(buf, __LXC_IDMAP_STR_BUF, "%c %lu %lu %lu", +- (map->idtype == ID_TYPE_UID) ? 'u' : 'g', +- map->nsid, map->hostid, map->range); ++ (map->idtype == ID_TYPE_UID) ? 'u' : 'g', ++ map->nsid, map->hostid, map->range); + if (ret < 0 || ret >= __LXC_IDMAP_STR_BUF) + return -1; + +@@ -3397,7 +3400,7 @@ static int get_config_idmaps(const char *key, char *retv, int inlen, + } + + static int get_config_log_level(const char *key, char *retv, int inlen, +- struct lxc_conf *c, void *data) ++ struct lxc_conf *c, void *data) + { + const char *v; + v = lxc_log_priority_to_string(c->loglevel); +@@ -3405,19 +3408,19 @@ static int get_config_log_level(const char *key, char *retv, int inlen, + } + + static int get_config_log_file(const char *key, char *retv, int inlen, +- struct lxc_conf *c, void *data) ++ struct lxc_conf *c, void *data) + { + return lxc_get_conf_str(retv, inlen, c->logfile); + } + + static int get_config_mount_fstab(const char *key, char *retv, int inlen, +- struct lxc_conf *c, void *data) ++ struct lxc_conf *c, void *data) + { + return lxc_get_conf_str(retv, inlen, c->fstab); + } + + static int get_config_mount_auto(const char *key, char *retv, int inlen, +- struct lxc_conf *c, void *data) ++ struct lxc_conf *c, void *data) + { + int len, fulllen = 0; + const char *sep = ""; +@@ -3493,7 +3496,7 @@ static int get_config_mount_auto(const char *key, char *retv, int inlen, + } + + static int get_config_mount(const char *key, char *retv, int inlen, +- struct lxc_conf *c, void *data) ++ struct lxc_conf *c, void *data) + { + int len, fulllen = 0; + struct lxc_list *it; +@@ -3511,33 +3514,33 @@ static int get_config_mount(const char *key, char *retv, int inlen, + } + + static int get_config_rootfs_path(const char *key, char *retv, int inlen, +- struct lxc_conf *c, void *data) ++ struct lxc_conf *c, void *data) + { + return lxc_get_conf_str(retv, inlen, c->rootfs.path); + } + + static int get_config_rootfs_mount(const char *key, char *retv, int inlen, +- struct lxc_conf *c, void *data) ++ struct lxc_conf *c, void *data) + { + return lxc_get_conf_str(retv, inlen, c->rootfs.mount); + } + + static int get_config_rootfs_options(const char *key, char *retv, int inlen, +- struct lxc_conf *c, void *data) ++ struct lxc_conf *c, void *data) + { + return lxc_get_conf_str(retv, inlen, c->rootfs.options); + } + + static int get_config_uts_name(const char *key, char *retv, int inlen, +- struct lxc_conf *c, void *data) ++ struct lxc_conf *c, void *data) + { + return lxc_get_conf_str( +- retv, inlen, +- c->utsname ? c->utsname->nodename : NULL); ++ retv, inlen, ++ c->utsname ? c->utsname->nodename : NULL); + } + + static int get_config_hooks(const char *key, char *retv, int inlen, +- struct lxc_conf *c, void *data) ++ struct lxc_conf *c, void *data) + { + char *subkey; + int len, fulllen = 0, found = -1; +@@ -3578,13 +3581,13 @@ static int get_config_hooks(const char *key, char *retv, int inlen, + } + + static int get_config_hooks_version(const char *key, char *retv, int inlen, +- struct lxc_conf *c, void *data) ++ struct lxc_conf *c, void *data) + { + return lxc_get_conf_int(c, retv, inlen, c->hooks_version); + } + + static int get_config_net(const char *key, char *retv, int inlen, +- struct lxc_conf *c, void *data) ++ struct lxc_conf *c, void *data) + { + int len, fulllen = 0; + struct lxc_list *it; +@@ -3604,7 +3607,7 @@ static int get_config_net(const char *key, char *retv, int inlen, + } + + static int get_config_cap_drop(const char *key, char *retv, int inlen, +- struct lxc_conf *c, void *data) ++ struct lxc_conf *c, void *data) + { + int len, fulllen = 0; + struct lxc_list *it; +@@ -3622,7 +3625,7 @@ static int get_config_cap_drop(const char *key, char *retv, int inlen, + } + + static int get_config_cap_keep(const char *key, char *retv, int inlen, +- struct lxc_conf *c, void *data) ++ struct lxc_conf *c, void *data) + { + int len, fulllen = 0; + struct lxc_list *it; +@@ -3640,70 +3643,70 @@ static int get_config_cap_keep(const char *key, char *retv, int inlen, + } + + static int get_config_console_path(const char *key, char *retv, int inlen, +- struct lxc_conf *c, void *data) ++ struct lxc_conf *c, void *data) + { + return lxc_get_conf_str(retv, inlen, c->console.path); + } + + static int get_config_console_logfile(const char *key, char *retv, int inlen, +- struct lxc_conf *c, void *data) ++ struct lxc_conf *c, void *data) + { + return lxc_get_conf_str(retv, inlen, c->console.log_path); + } + + static int get_config_console_rotate(const char *key, char *retv, int inlen, +- struct lxc_conf *c, void *data) ++ struct lxc_conf *c, void *data) + { + return lxc_get_conf_int(c, retv, inlen, c->console.log_rotate); + } + + + static int get_config_console_buffer_size(const char *key, char *retv, +- int inlen, struct lxc_conf *c, +- void *data) ++ int inlen, struct lxc_conf *c, ++ void *data) + { + return lxc_get_conf_uint64(c, retv, inlen, c->console.buffer_size); + } + + static int get_config_console_size(const char *key, char *retv, int inlen, +- struct lxc_conf *c, void *data) ++ struct lxc_conf *c, void *data) + { + return lxc_get_conf_uint64(c, retv, inlen, c->console.log_size); + } + + + static int get_config_seccomp_profile(const char *key, char *retv, int inlen, +- struct lxc_conf *c, void *data) ++ struct lxc_conf *c, void *data) + { + return lxc_get_conf_str(retv, inlen, c->seccomp); + } + + static int get_config_autodev(const char *key, char *retv, int inlen, +- struct lxc_conf *c, void *data) ++ struct lxc_conf *c, void *data) + { + return lxc_get_conf_int(c, retv, inlen, c->autodev); + } + + static int get_config_signal_halt(const char *key, char *retv, int inlen, +- struct lxc_conf *c, void *data) ++ struct lxc_conf *c, void *data) + { + return lxc_get_conf_int(c, retv, inlen, c->haltsignal); + } + + static int get_config_signal_reboot(const char *key, char *retv, int inlen, +- struct lxc_conf *c, void *data) ++ struct lxc_conf *c, void *data) + { + return lxc_get_conf_int(c, retv, inlen, c->rebootsignal); + } + + static int get_config_signal_stop(const char *key, char *retv, int inlen, +- struct lxc_conf *c, void *data) ++ struct lxc_conf *c, void *data) + { + return lxc_get_conf_int(c, retv, inlen, c->stopsignal); + } + + static int get_config_start(const char *key, char *retv, int inlen, +- struct lxc_conf *c, void *data) ++ struct lxc_conf *c, void *data) + { + if (strcmp(key + 10, "auto") == 0) + return lxc_get_conf_int(c, retv, inlen, c->start_auto); +@@ -3716,19 +3719,19 @@ static int get_config_start(const char *key, char *retv, int inlen, + } + + static int get_config_log_syslog(const char *key, char *retv, int inlen, +- struct lxc_conf *c, void *data) ++ struct lxc_conf *c, void *data) + { + return lxc_get_conf_str(retv, inlen, c->syslog); + } + + static int get_config_monitor(const char *key, char *retv, int inlen, +- struct lxc_conf *c, void *data) ++ struct lxc_conf *c, void *data) + { + return lxc_get_conf_int(c, retv, inlen, c->monitor_unshare); + } + + static int get_config_group(const char *key, char *retv, int inlen, +- struct lxc_conf *c, void *data) ++ struct lxc_conf *c, void *data) + { + int len, fulllen = 0; + struct lxc_list *it; +@@ -3746,7 +3749,7 @@ static int get_config_group(const char *key, char *retv, int inlen, + } + + static int get_config_environment(const char *key, char *retv, int inlen, +- struct lxc_conf *c, void *data) ++ struct lxc_conf *c, void *data) + { + int len, fulllen = 0; + struct lxc_list *it; +@@ -3765,43 +3768,43 @@ static int get_config_environment(const char *key, char *retv, int inlen, + } + + static int get_config_execute_cmd(const char *key, char *retv, int inlen, +- struct lxc_conf *c, void *data) ++ struct lxc_conf *c, void *data) + { + return lxc_get_conf_str(retv, inlen, c->execute_cmd); + } + + static int get_config_init_cmd(const char *key, char *retv, int inlen, +- struct lxc_conf *c, void *data) ++ struct lxc_conf *c, void *data) + { + return lxc_get_conf_str(retv, inlen, c->init_cmd); + } + + static int get_config_init_cwd(const char *key, char *retv, int inlen, +- struct lxc_conf *c, void *data) ++ struct lxc_conf *c, void *data) + { + return lxc_get_conf_str(retv, inlen, c->init_cwd); + } + + static int get_config_init_uid(const char *key, char *retv, int inlen, +- struct lxc_conf *c, void *data) ++ struct lxc_conf *c, void *data) + { + return lxc_get_conf_int(c, retv, inlen, c->init_uid); + } + + static int get_config_init_gid(const char *key, char *retv, int inlen, +- struct lxc_conf *c, void *data) ++ struct lxc_conf *c, void *data) + { + return lxc_get_conf_int(c, retv, inlen, c->init_gid); + } + + static int get_config_ephemeral(const char *key, char *retv, int inlen, +- struct lxc_conf *c, void *data) ++ struct lxc_conf *c, void *data) + { + return lxc_get_conf_int(c, retv, inlen, c->ephemeral); + } + + static int get_config_no_new_privs(const char *key, char *retv, int inlen, +- struct lxc_conf *c, void *data) ++ struct lxc_conf *c, void *data) + { + return lxc_get_conf_int(c, retv, inlen, c->no_new_privs); + } +@@ -3811,7 +3814,7 @@ static int get_config_no_new_privs(const char *key, char *retv, int inlen, + * printed, in 'lxc.prlimit.resource = value' format. + */ + static int get_config_prlimit(const char *key, char *retv, int inlen, +- struct lxc_conf *c, void *data) ++ struct lxc_conf *c, void *data) + { + int fulllen = 0, len; + bool get_all = false; +@@ -3840,7 +3843,7 @@ static int get_config_prlimit(const char *key, char *retv, int inlen, + partlen = STRLITERALLEN("unlimited"); + } else { + partlen = sprintf(buf, "%" PRIu64, +- (uint64_t)lim->limit.rlim_cur); ++ (uint64_t)lim->limit.rlim_cur); + } + + if (lim->limit.rlim_cur != lim->limit.rlim_max) { +@@ -3849,12 +3852,12 @@ static int get_config_prlimit(const char *key, char *retv, int inlen, + STRLITERALLEN(":unlimited") + 1); + else + sprintf(buf + partlen, ":%" PRIu64, +- (uint64_t)lim->limit.rlim_max); ++ (uint64_t)lim->limit.rlim_max); + } + + if (get_all) { + strprint(retv, inlen, "lxc.prlimit.%s = %s\n", +- lim->resource, buf); ++ lim->resource, buf); + } else if (strcmp(lim->resource, key) == 0) { + strprint(retv, inlen, "%s", buf); + } +@@ -3868,7 +3871,7 @@ static int get_config_prlimit(const char *key, char *retv, int inlen, + * entries will be printed, in 'lxc.sysctl.key = value' format. + */ + static int get_config_sysctl(const char *key, char *retv, int inlen, +- struct lxc_conf *c, void *data) ++ struct lxc_conf *c, void *data) + { + int len; + struct lxc_list *it; +@@ -3891,7 +3894,7 @@ static int get_config_sysctl(const char *key, char *retv, int inlen, + struct lxc_sysctl *elem = it->elem; + if (get_all) { + strprint(retv, inlen, "lxc.sysctl.%s = %s\n", elem->key, +- elem->value); ++ elem->value); + } else if (strcmp(elem->key, key) == 0) { + strprint(retv, inlen, "%s", elem->value); + } +@@ -3901,7 +3904,7 @@ static int get_config_sysctl(const char *key, char *retv, int inlen, + } + + static int get_config_proc(const char *key, char *retv, int inlen, +- struct lxc_conf *c, void *data) ++ struct lxc_conf *c, void *data) + { + struct lxc_list *it; + int len; +@@ -3935,7 +3938,7 @@ static int get_config_proc(const char *key, char *retv, int inlen, + } + + static int get_config_namespace_clone(const char *key, char *retv, int inlen, +- struct lxc_conf *c, void *data) ++ struct lxc_conf *c, void *data) + { + int i, len; + int fulllen = 0; +@@ -3954,7 +3957,7 @@ static int get_config_namespace_clone(const char *key, char *retv, int inlen, + } + + static int get_config_namespace_keep(const char *key, char *retv, int inlen, +- struct lxc_conf *c, void *data) ++ struct lxc_conf *c, void *data) + { + int i, len; + int fulllen = 0; +@@ -3973,7 +3976,7 @@ static int get_config_namespace_keep(const char *key, char *retv, int inlen, + } + + static int get_config_namespace_share(const char *key, char *retv, int inlen, +- struct lxc_conf *c, void *data) ++ struct lxc_conf *c, void *data) + { + int len, ns_idx; + const char *namespace; +@@ -3996,7 +3999,7 @@ static int get_config_namespace_share(const char *key, char *retv, int inlen, + + /* isulad: get config init args */ + static int get_config_init_args(const char *key, char *retv, int inlen, +- struct lxc_conf *c, void *data) ++ struct lxc_conf *c, void *data) + { + int i, len, fulllen = 0; + +@@ -4006,7 +4009,7 @@ static int get_config_init_args(const char *key, char *retv, int inlen, + memset(retv, 0, inlen); + + for (i = 0; i < c->init_argc; i++) { +- strprint(retv, inlen, "%s", c->init_argv[i]); ++ strprint(retv, inlen, "%s", c->init_argv[i]); + } + + return fulllen; +@@ -4014,7 +4017,7 @@ static int get_config_init_args(const char *key, char *retv, int inlen, + + /* isulad: get config init groups */ + static int get_config_init_groups(const char *key, char *retv, int inlen, +- struct lxc_conf *c, void *data) ++ struct lxc_conf *c, void *data) + { + int i, len, fulllen = 0; + +@@ -4024,7 +4027,7 @@ static int get_config_init_groups(const char *key, char *retv, int inlen, + memset(retv, 0, inlen); + + for (i = 0; i < c->init_groups_len; i++) { +- strprint(retv, inlen, "%u\n", c->init_groups[i]); ++ strprint(retv, inlen, "%u\n", c->init_groups[i]); + } + + return fulllen; +@@ -4036,10 +4039,10 @@ static int get_config_init_groups(const char *key, char *retv, int inlen, + * For e.g. lxc.populate.device = /dev/sda:b:8:0:0666:0:0 + */ + static int get_config_populate_device(const char *key, char *retv, int inlen, +- struct lxc_conf *c, void *data) ++ struct lxc_conf *c, void *data) + { + int len; +- struct lxc_list *it; ++ struct lxc_list *it = NULL; + int fulllen = 0; + + if (!retv) +@@ -4050,8 +4053,8 @@ static int get_config_populate_device(const char *key, char *retv, int inlen, + lxc_list_for_each(it, &c->populate_devs) { + struct lxc_populate_devs *elem = it->elem; + strprint(retv, inlen, "lxc.populate.device = %s:%s:%d:%d:%o:%u:%u\n", +- elem->name, elem->type, elem->maj, +- elem->min, elem->file_mode, elem->uid, elem->gid); ++ elem->name, elem->type, elem->maj, ++ elem->min, elem->file_mode, elem->uid, elem->gid); + } + + return fulllen; +@@ -4059,10 +4062,10 @@ static int get_config_populate_device(const char *key, char *retv, int inlen, + + // isulad: get config rootfs masked paths + static int get_config_rootfs_masked_paths(const char *key, char *retv, int inlen, +- struct lxc_conf *c, void *data) ++ struct lxc_conf *c, void *data) + { + int len, fulllen = 0; +- struct lxc_list *it; ++ struct lxc_list *it = NULL; + + if (!retv) + inlen = 0; +@@ -4078,10 +4081,10 @@ static int get_config_rootfs_masked_paths(const char *key, char *retv, int inlen + + // isulad: get config rootfs ro paths + static int get_config_rootfs_ro_paths(const char *key, char *retv, int inlen, +- struct lxc_conf *c, void *data) ++ struct lxc_conf *c, void *data) + { + int len, fulllen = 0; +- struct lxc_list *it; ++ struct lxc_list *it = NULL; + + if (!retv) + inlen = 0; +@@ -4097,28 +4100,28 @@ static int get_config_rootfs_ro_paths(const char *key, char *retv, int inlen, + + /* Callbacks to clear config items. */ + static inline int clr_config_personality(const char *key, struct lxc_conf *c, +- void *data) ++ void *data) + { + c->personality = -1; + return 0; + } + + static inline int clr_config_pty_max(const char *key, struct lxc_conf *c, +- void *data) ++ void *data) + { + c->pty_max = 0; + return 0; + } + + static inline int clr_config_tty_max(const char *key, struct lxc_conf *c, +- void *data) ++ void *data) + { + c->ttys.tty = 0; + return 0; + } + + static inline int clr_config_tty_dir(const char *key, struct lxc_conf *c, +- void *data) ++ void *data) + { + free(c->ttys.dir); + c->ttys.dir = NULL; +@@ -4126,7 +4129,7 @@ static inline int clr_config_tty_dir(const char *key, struct lxc_conf *c, + } + + static inline int clr_config_apparmor_profile(const char *key, +- struct lxc_conf *c, void *data) ++ struct lxc_conf *c, void *data) + { + free(c->lsm_aa_profile); + c->lsm_aa_profile = NULL; +@@ -4134,15 +4137,15 @@ static inline int clr_config_apparmor_profile(const char *key, + } + + static inline int clr_config_apparmor_allow_incomplete(const char *key, +- struct lxc_conf *c, +- void *data) ++ struct lxc_conf *c, ++ void *data) + { + c->lsm_aa_allow_incomplete = 0; + return 0; + } + + static inline int clr_config_selinux_context(const char *key, +- struct lxc_conf *c, void *data) ++ struct lxc_conf *c, void *data) + { + free(c->lsm_se_context); + c->lsm_se_context = NULL; +@@ -4150,19 +4153,19 @@ static inline int clr_config_selinux_context(const char *key, + } + + static inline int clr_config_cgroup_controller(const char *key, +- struct lxc_conf *c, void *data) ++ struct lxc_conf *c, void *data) + { + return lxc_clear_cgroups(c, key, CGROUP_SUPER_MAGIC); + } + + static inline int clr_config_cgroup2_controller(const char *key, +- struct lxc_conf *c, void *data) ++ struct lxc_conf *c, void *data) + { + return lxc_clear_cgroups(c, key, CGROUP2_SUPER_MAGIC); + } + + static int clr_config_cgroup_dir(const char *key, struct lxc_conf *lxc_conf, +- void *data) ++ void *data) + { + if (lxc_conf->cgroup_meta.dir) { + free(lxc_conf->cgroup_meta.dir); +@@ -4173,20 +4176,20 @@ static int clr_config_cgroup_dir(const char *key, struct lxc_conf *lxc_conf, + } + + static inline int clr_config_idmaps(const char *key, struct lxc_conf *c, +- void *data) ++ void *data) + { + return lxc_clear_idmaps(c); + } + + static inline int clr_config_log_level(const char *key, struct lxc_conf *c, +- void *data) ++ void *data) + { + c->loglevel = LXC_LOG_LEVEL_NOTSET; + return 0; + } + + static inline int clr_config_log_file(const char *key, struct lxc_conf *c, +- void *data) ++ void *data) + { + free(c->logfile); + c->logfile = NULL; +@@ -4194,19 +4197,19 @@ static inline int clr_config_log_file(const char *key, struct lxc_conf *c, + } + + static inline int clr_config_mount(const char *key, struct lxc_conf *c, +- void *data) ++ void *data) + { + return lxc_clear_mount_entries(c); + } + + static inline int clr_config_mount_auto(const char *key, struct lxc_conf *c, +- void *data) ++ void *data) + { + return lxc_clear_automounts(c); + } + + static inline int clr_config_mount_fstab(const char *key, struct lxc_conf *c, +- void *data) ++ void *data) + { + free(c->fstab); + c->fstab = NULL; +@@ -4214,7 +4217,7 @@ static inline int clr_config_mount_fstab(const char *key, struct lxc_conf *c, + } + + static inline int clr_config_rootfs_path(const char *key, struct lxc_conf *c, +- void *data) ++ void *data) + { + free(c->rootfs.path); + c->rootfs.path = NULL; +@@ -4222,7 +4225,7 @@ static inline int clr_config_rootfs_path(const char *key, struct lxc_conf *c, + } + + static inline int clr_config_rootfs_mount(const char *key, struct lxc_conf *c, +- void *data) ++ void *data) + { + free(c->rootfs.mount); + c->rootfs.mount = NULL; +@@ -4230,7 +4233,7 @@ static inline int clr_config_rootfs_mount(const char *key, struct lxc_conf *c, + } + + static inline int clr_config_rootfs_options(const char *key, struct lxc_conf *c, +- void *data) ++ void *data) + { + free(c->rootfs.options); + c->rootfs.options = NULL; +@@ -4242,7 +4245,7 @@ static inline int clr_config_rootfs_options(const char *key, struct lxc_conf *c, + } + + static inline int clr_config_uts_name(const char *key, struct lxc_conf *c, +- void *data) ++ void *data) + { + free(c->utsname); + c->utsname = NULL; +@@ -4250,13 +4253,13 @@ static inline int clr_config_uts_name(const char *key, struct lxc_conf *c, + } + + static inline int clr_config_hooks(const char *key, struct lxc_conf *c, +- void *data) ++ void *data) + { + return lxc_clear_hooks(c, key); + } + + static inline int clr_config_hooks_version(const char *key, struct lxc_conf *c, +- void *data) ++ void *data) + { + /* default to legacy hooks version */ + c->hooks_version = 0; +@@ -4264,7 +4267,7 @@ static inline int clr_config_hooks_version(const char *key, struct lxc_conf *c, + } + + static inline int clr_config_net(const char *key, struct lxc_conf *c, +- void *data) ++ void *data) + { + lxc_free_networks(&c->network); + +@@ -4272,19 +4275,19 @@ static inline int clr_config_net(const char *key, struct lxc_conf *c, + } + + static inline int clr_config_cap_drop(const char *key, struct lxc_conf *c, +- void *data) ++ void *data) + { + return lxc_clear_config_caps(c); + } + + static inline int clr_config_cap_keep(const char *key, struct lxc_conf *c, +- void *data) ++ void *data) + { + return lxc_clear_config_keepcaps(c); + } + + static inline int clr_config_console_path(const char *key, struct lxc_conf *c, +- void *data) ++ void *data) + { + free(c->console.path); + c->console.path = NULL; +@@ -4292,7 +4295,7 @@ static inline int clr_config_console_path(const char *key, struct lxc_conf *c, + } + + static inline int clr_config_console_logfile(const char *key, +- struct lxc_conf *c, void *data) ++ struct lxc_conf *c, void *data) + { + free(c->console.log_path); + c->console.log_path = NULL; +@@ -4300,28 +4303,28 @@ static inline int clr_config_console_logfile(const char *key, + } + + static inline int clr_config_console_rotate(const char *key, struct lxc_conf *c, +- void *data) ++ void *data) + { + c->console.log_rotate = 0; + return 0; + } + + static inline int clr_config_console_buffer_size(const char *key, +- struct lxc_conf *c, void *data) ++ struct lxc_conf *c, void *data) + { + c->console.buffer_size = 0; + return 0; + } + + static inline int clr_config_console_size(const char *key, struct lxc_conf *c, +- void *data) ++ void *data) + { + c->console.log_size = 0; + return 0; + } + + static inline int clr_config_seccomp_profile(const char *key, +- struct lxc_conf *c, void *data) ++ struct lxc_conf *c, void *data) + { + free(c->seccomp); + c->seccomp = NULL; +@@ -4329,35 +4332,35 @@ static inline int clr_config_seccomp_profile(const char *key, + } + + static inline int clr_config_autodev(const char *key, struct lxc_conf *c, +- void *data) ++ void *data) + { + c->autodev = 1; + return 0; + } + + static inline int clr_config_signal_halt(const char *key, struct lxc_conf *c, +- void *data) ++ void *data) + { + c->haltsignal = 0; + return 0; + } + + static inline int clr_config_signal_reboot(const char *key, struct lxc_conf *c, +- void *data) ++ void *data) + { + c->rebootsignal = 0; + return 0; + } + + static inline int clr_config_signal_stop(const char *key, struct lxc_conf *c, +- void *data) ++ void *data) + { + c->stopsignal = 0; + return 0; + } + + static inline int clr_config_start(const char *key, struct lxc_conf *c, +- void *data) ++ void *data) + { + if (strcmp(key + 10, "auto") == 0) + c->start_auto = 0; +@@ -4370,7 +4373,7 @@ static inline int clr_config_start(const char *key, struct lxc_conf *c, + } + + static inline int clr_config_log_syslog(const char *key, struct lxc_conf *c, +- void *data) ++ void *data) + { + free(c->syslog); + c->syslog = NULL; +@@ -4378,26 +4381,26 @@ static inline int clr_config_log_syslog(const char *key, struct lxc_conf *c, + } + + static inline int clr_config_monitor(const char *key, struct lxc_conf *c, +- void *data) ++ void *data) + { + c->monitor_unshare = 0; + return 0; + } + + static inline int clr_config_group(const char *key, struct lxc_conf *c, +- void *data) ++ void *data) + { + return lxc_clear_groups(c); + } + + static inline int clr_config_environment(const char *key, struct lxc_conf *c, +- void *data) ++ void *data) + { + return lxc_clear_environment(c); + } + + static inline int clr_config_execute_cmd(const char *key, struct lxc_conf *c, +- void *data) ++ void *data) + { + free(c->execute_cmd); + c->execute_cmd = NULL; +@@ -4405,7 +4408,7 @@ static inline int clr_config_execute_cmd(const char *key, struct lxc_conf *c, + } + + static inline int clr_config_init_cmd(const char *key, struct lxc_conf *c, +- void *data) ++ void *data) + { + free(c->init_cmd); + c->init_cmd = NULL; +@@ -4413,7 +4416,7 @@ static inline int clr_config_init_cmd(const char *key, struct lxc_conf *c, + } + + static inline int clr_config_init_cwd(const char *key, struct lxc_conf *c, +- void *data) ++ void *data) + { + free(c->init_cwd); + c->init_cwd = NULL; +@@ -4421,74 +4424,74 @@ static inline int clr_config_init_cwd(const char *key, struct lxc_conf *c, + } + + static inline int clr_config_init_uid(const char *key, struct lxc_conf *c, +- void *data) ++ void *data) + { + c->init_uid = 0; + return 0; + } + + static inline int clr_config_init_gid(const char *key, struct lxc_conf *c, +- void *data) ++ void *data) + { + c->init_gid = 0; + return 0; + } + + static inline int clr_config_ephemeral(const char *key, struct lxc_conf *c, +- void *data) ++ void *data) + { + c->ephemeral = 0; + return 0; + } + + static inline int clr_config_no_new_privs(const char *key, struct lxc_conf *c, +- void *data) ++ void *data) + { + c->no_new_privs = false; + return 0; + } + + static inline int clr_config_prlimit(const char *key, struct lxc_conf *c, +- void *data) ++ void *data) + { + return lxc_clear_limits(c, key); + } + + static inline int clr_config_sysctl(const char *key, struct lxc_conf *c, +- void *data) ++ void *data) + { + return lxc_clear_sysctls(c, key); + } + + static inline int clr_config_proc(const char *key, struct lxc_conf *c, +- void *data) ++ void *data) + { + return lxc_clear_procs(c, key); + } + + static inline int clr_config_includefiles(const char *key, struct lxc_conf *c, +- void *data) ++ void *data) + { + lxc_clear_includes(c); + return 0; + } + + static int clr_config_namespace_clone(const char *key, +- struct lxc_conf *lxc_conf, void *data) ++ struct lxc_conf *lxc_conf, void *data) + { + lxc_conf->ns_clone = 0; + return 0; + } + + static int clr_config_namespace_keep(const char *key, struct lxc_conf *lxc_conf, +- void *data) ++ void *data) + { + lxc_conf->ns_keep = 0; + return 0; + } + + static int clr_config_namespace_share(const char *key, +- struct lxc_conf *lxc_conf, void *data) ++ struct lxc_conf *lxc_conf, void *data) + { + int ns_idx; + const char *namespace; +@@ -4506,7 +4509,7 @@ static int clr_config_namespace_share(const char *key, + + /* isulad add: clear umask value */ + static inline int clr_config_umask(const char *key, struct lxc_conf *c, +- void *data) ++ void *data) + { + c->umask = 0027; + return 0; +@@ -4514,7 +4517,7 @@ static inline int clr_config_umask(const char *key, struct lxc_conf *c, + + /* isulad add: clear systemd value */ + static inline int clr_config_systemd(const char *key, struct lxc_conf *c, +- void *data) ++ void *data) + { + free(c->systemd); + c->systemd = NULL; +@@ -4522,15 +4525,15 @@ static inline int clr_config_systemd(const char *key, struct lxc_conf *c, + } + + static int get_config_includefiles(const char *key, char *retv, int inlen, +- struct lxc_conf *c, void *data) ++ struct lxc_conf *c, void *data) + { + return -ENOSYS; + } + + static struct lxc_config_t *get_network_config_ops(const char *key, +- struct lxc_conf *lxc_conf, +- ssize_t *idx, +- char **deindexed_key) ++ struct lxc_conf *lxc_conf, ++ ssize_t *idx, ++ char **deindexed_key) + { + int ret; + unsigned int tmpidx; +@@ -4624,7 +4627,7 @@ on_error: + * rewriting the key), and call it. + */ + static int set_config_net_nic(const char *key, const char *value, +- struct lxc_conf *lxc_conf, void *data) ++ struct lxc_conf *lxc_conf, void *data) + { + int ret; + const char *idxstring; +@@ -4657,7 +4660,7 @@ static int set_config_net_nic(const char *key, const char *value, + } + + static int clr_config_net_nic(const char *key, struct lxc_conf *lxc_conf, +- void *data) ++ void *data) + { + int ret; + const char *idxstring; +@@ -4703,7 +4706,7 @@ static int clr_config_net_nic(const char *key, struct lxc_conf *lxc_conf, + } + + static int clr_config_net_type(const char *key, struct lxc_conf *lxc_conf, +- void *data) ++ void *data) + { + struct lxc_netdev *netdev = data; + +@@ -4716,7 +4719,7 @@ static int clr_config_net_type(const char *key, struct lxc_conf *lxc_conf, + } + + static int clr_config_net_name(const char *key, struct lxc_conf *lxc_conf, +- void *data) ++ void *data) + { + struct lxc_netdev *netdev = data; + +@@ -4729,7 +4732,7 @@ static int clr_config_net_name(const char *key, struct lxc_conf *lxc_conf, + } + + static int clr_config_net_flags(const char *key, struct lxc_conf *lxc_conf, +- void *data) ++ void *data) + { + struct lxc_netdev *netdev = data; + +@@ -4742,7 +4745,7 @@ static int clr_config_net_flags(const char *key, struct lxc_conf *lxc_conf, + } + + static int clr_config_net_link(const char *key, struct lxc_conf *lxc_conf, +- void *data) ++ void *data) + { + struct lxc_netdev *netdev = data; + +@@ -4755,7 +4758,7 @@ static int clr_config_net_link(const char *key, struct lxc_conf *lxc_conf, + } + + static int clr_config_net_macvlan_mode(const char *key, +- struct lxc_conf *lxc_conf, void *data) ++ struct lxc_conf *lxc_conf, void *data) + { + struct lxc_netdev *netdev = data; + +@@ -4771,7 +4774,7 @@ static int clr_config_net_macvlan_mode(const char *key, + } + + static int clr_config_net_veth_pair(const char *key, struct lxc_conf *lxc_conf, +- void *data) ++ void *data) + { + struct lxc_netdev *netdev = data; + +@@ -4784,7 +4787,7 @@ static int clr_config_net_veth_pair(const char *key, struct lxc_conf *lxc_conf, + } + + static int clr_config_net_script_up(const char *key, struct lxc_conf *lxc_conf, +- void *data) ++ void *data) + { + struct lxc_netdev *netdev = data; + +@@ -4798,7 +4801,7 @@ static int clr_config_net_script_up(const char *key, struct lxc_conf *lxc_conf, + } + + static int clr_config_net_script_down(const char *key, +- struct lxc_conf *lxc_conf, void *data) ++ struct lxc_conf *lxc_conf, void *data) + { + struct lxc_netdev *netdev = data; + +@@ -4812,7 +4815,7 @@ static int clr_config_net_script_down(const char *key, + } + + static int clr_config_net_hwaddr(const char *key, struct lxc_conf *lxc_conf, +- void *data) ++ void *data) + { + struct lxc_netdev *netdev = data; + +@@ -4826,7 +4829,7 @@ static int clr_config_net_hwaddr(const char *key, struct lxc_conf *lxc_conf, + } + + static int clr_config_net_mtu(const char *key, struct lxc_conf *lxc_conf, +- void *data) ++ void *data) + { + struct lxc_netdev *netdev = data; + +@@ -4840,7 +4843,7 @@ static int clr_config_net_mtu(const char *key, struct lxc_conf *lxc_conf, + } + + static int clr_config_net_vlan_id(const char *key, struct lxc_conf *lxc_conf, +- void *data) ++ void *data) + { + struct lxc_netdev *netdev = data; + +@@ -4853,7 +4856,7 @@ static int clr_config_net_vlan_id(const char *key, struct lxc_conf *lxc_conf, + } + + static int clr_config_net_ipv4_gateway(const char *key, +- struct lxc_conf *lxc_conf, void *data) ++ struct lxc_conf *lxc_conf, void *data) + { + struct lxc_netdev *netdev = data; + +@@ -4867,7 +4870,7 @@ static int clr_config_net_ipv4_gateway(const char *key, + } + + static int clr_config_net_ipv4_address(const char *key, +- struct lxc_conf *lxc_conf, void *data) ++ struct lxc_conf *lxc_conf, void *data) + { + struct lxc_netdev *netdev = data; + struct lxc_list *cur, *next; +@@ -4885,7 +4888,7 @@ static int clr_config_net_ipv4_address(const char *key, + } + + static int clr_config_net_ipv6_gateway(const char *key, +- struct lxc_conf *lxc_conf, void *data) ++ struct lxc_conf *lxc_conf, void *data) + { + struct lxc_netdev *netdev = data; + +@@ -4899,7 +4902,7 @@ static int clr_config_net_ipv6_gateway(const char *key, + } + + static int clr_config_net_ipv6_address(const char *key, +- struct lxc_conf *lxc_conf, void *data) ++ struct lxc_conf *lxc_conf, void *data) + { + struct lxc_netdev *netdev = data; + struct lxc_list *cur, *next; +@@ -4918,41 +4921,41 @@ static int clr_config_net_ipv6_address(const char *key, + + /* isulad: clr config init args*/ + static inline int clr_config_init_args(const char *key, struct lxc_conf *c, +- void *data) ++ void *data) + { + return lxc_clear_init_args(c); + } + + /* isulad: clr config init args*/ + static inline int clr_config_init_groups(const char *key, struct lxc_conf *c, +- void *data) ++ void *data) + { + return lxc_clear_init_groups(c); + } + + /* isulad: clr config populate devices*/ + static inline int clr_config_populate_device(const char *key, struct lxc_conf *c, +- void *data) ++ void *data) + { + return lxc_clear_populate_devices(c); + } + + /* isulad: clr config rootfs masked paths */ + static inline int clr_config_rootfs_masked_paths(const char *key, struct lxc_conf *c, +- void *data) ++ void *data) + { + return lxc_clear_rootfs_masked_paths(c); + } + + /* isulad: clr config rootfs ro paths */ + static inline int clr_config_rootfs_ro_paths(const char *key, struct lxc_conf *c, +- void *data) ++ void *data) + { + return lxc_clear_rootfs_ro_paths(c); + } + + static int get_config_net_nic(const char *key, char *retv, int inlen, +- struct lxc_conf *c, void *data) ++ struct lxc_conf *c, void *data) + { + int ret; + const char *idxstring; +@@ -4982,7 +4985,7 @@ static int get_config_net_nic(const char *key, char *retv, int inlen, + } + + static int get_config_net_type(const char *key, char *retv, int inlen, +- struct lxc_conf *c, void *data) ++ struct lxc_conf *c, void *data) + { + int len; + int fulllen = 0; +@@ -5002,7 +5005,7 @@ static int get_config_net_type(const char *key, char *retv, int inlen, + } + + static int get_config_net_flags(const char *key, char *retv, int inlen, +- struct lxc_conf *c, void *data) ++ struct lxc_conf *c, void *data) + { + int len; + int fulllen = 0; +@@ -5023,7 +5026,7 @@ static int get_config_net_flags(const char *key, char *retv, int inlen, + } + + static int get_config_net_link(const char *key, char *retv, int inlen, +- struct lxc_conf *c, void *data) ++ struct lxc_conf *c, void *data) + { + int len; + int fulllen = 0; +@@ -5044,7 +5047,7 @@ static int get_config_net_link(const char *key, char *retv, int inlen, + } + + static int get_config_net_name(const char *key, char *retv, int inlen, +- struct lxc_conf *c, void *data) ++ struct lxc_conf *c, void *data) + { + int len; + int fulllen = 0; +@@ -5065,7 +5068,7 @@ static int get_config_net_name(const char *key, char *retv, int inlen, + } + + static int get_config_net_macvlan_mode(const char *key, char *retv, int inlen, +- struct lxc_conf *c, void *data) ++ struct lxc_conf *c, void *data) + { + int len; + int fulllen = 0; +@@ -5107,7 +5110,7 @@ static int get_config_net_macvlan_mode(const char *key, char *retv, int inlen, + } + + static int get_config_net_veth_pair(const char *key, char *retv, int inlen, +- struct lxc_conf *c, void *data) ++ struct lxc_conf *c, void *data) + { + int len; + int fulllen = 0; +@@ -5125,15 +5128,15 @@ static int get_config_net_veth_pair(const char *key, char *retv, int inlen, + return 0; + + strprint(retv, inlen, "%s", +- netdev->priv.veth_attr.pair[0] != '\0' +- ? netdev->priv.veth_attr.pair +- : netdev->priv.veth_attr.veth1); ++ netdev->priv.veth_attr.pair[0] != '\0' ++ ? netdev->priv.veth_attr.pair ++ : netdev->priv.veth_attr.veth1); + + return fulllen; + } + + static int get_config_net_script_up(const char *key, char *retv, int inlen, +- struct lxc_conf *c, void *data) ++ struct lxc_conf *c, void *data) + { + int len; + int fulllen = 0; +@@ -5154,7 +5157,7 @@ static int get_config_net_script_up(const char *key, char *retv, int inlen, + } + + static int get_config_net_script_down(const char *key, char *retv, int inlen, +- struct lxc_conf *c, void *data) ++ struct lxc_conf *c, void *data) + { + int len; + int fulllen = 0; +@@ -5175,7 +5178,7 @@ static int get_config_net_script_down(const char *key, char *retv, int inlen, + } + + static int get_config_net_hwaddr(const char *key, char *retv, int inlen, +- struct lxc_conf *c, void *data) ++ struct lxc_conf *c, void *data) + { + int len; + int fulllen = 0; +@@ -5196,7 +5199,7 @@ static int get_config_net_hwaddr(const char *key, char *retv, int inlen, + } + + static int get_config_net_mtu(const char *key, char *retv, int inlen, +- struct lxc_conf *c, void *data) ++ struct lxc_conf *c, void *data) + { + int len; + int fulllen = 0; +@@ -5217,7 +5220,7 @@ static int get_config_net_mtu(const char *key, char *retv, int inlen, + } + + static int get_config_net_vlan_id(const char *key, char *retv, int inlen, +- struct lxc_conf *c, void *data) ++ struct lxc_conf *c, void *data) + { + int len; + int fulllen = 0; +@@ -5240,7 +5243,7 @@ static int get_config_net_vlan_id(const char *key, char *retv, int inlen, + } + + static int get_config_net_ipv4_gateway(const char *key, char *retv, int inlen, +- struct lxc_conf *c, void *data) ++ struct lxc_conf *c, void *data) + { + int len; + char buf[INET_ADDRSTRLEN]; +@@ -5266,7 +5269,7 @@ static int get_config_net_ipv4_gateway(const char *key, char *retv, int inlen, + } + + static int get_config_net_ipv4_address(const char *key, char *retv, int inlen, +- struct lxc_conf *c, void *data) ++ struct lxc_conf *c, void *data) + { + int len; + size_t listlen; +@@ -5289,14 +5292,14 @@ static int get_config_net_ipv4_address(const char *key, char *retv, int inlen, + struct lxc_inetdev *i = it->elem; + inet_ntop(AF_INET, &i->addr, buf, sizeof(buf)); + strprint(retv, inlen, "%s/%u%s", buf, i->prefix, +- (listlen-- > 1) ? "\n" : ""); ++ (listlen-- > 1) ? "\n" : ""); + } + + return fulllen; + } + + static int get_config_net_ipv6_gateway(const char *key, char *retv, int inlen, +- struct lxc_conf *c, void *data) ++ struct lxc_conf *c, void *data) + { + int len; + char buf[INET6_ADDRSTRLEN]; +@@ -5322,7 +5325,7 @@ static int get_config_net_ipv6_gateway(const char *key, char *retv, int inlen, + } + + static int get_config_net_ipv6_address(const char *key, char *retv, int inlen, +- struct lxc_conf *c, void *data) ++ struct lxc_conf *c, void *data) + { + int len; + size_t listlen; +@@ -5345,7 +5348,7 @@ static int get_config_net_ipv6_address(const char *key, char *retv, int inlen, + struct lxc_inet6dev *i = it->elem; + inet_ntop(AF_INET6, &i->addr, buf, sizeof(buf)); + strprint(retv, inlen, "%s/%u%s", buf, i->prefix, +- (listlen-- > 1) ? "\n" : ""); ++ (listlen-- > 1) ? "\n" : ""); + } + + return fulllen; +@@ -5375,7 +5378,7 @@ int lxc_list_config_items(char *retv, int inlen) + } + + int lxc_list_subkeys(struct lxc_conf *conf, const char *key, char *retv, +- int inlen) ++ int inlen) + { + int len; + int fulllen = 0; +diff --git a/src/lxc/confile_utils.c b/src/lxc/confile_utils.c +index 9049ce8..8c5208f 100644 +--- a/src/lxc/confile_utils.c ++++ b/src/lxc/confile_utils.c +@@ -46,7 +46,7 @@ + lxc_log_define(confile_utils, lxc); + + int parse_idmaps(const char *idmap, char *type, unsigned long *nsid, +- unsigned long *hostid, unsigned long *range) ++ unsigned long *hostid, unsigned long *range) + { + int ret = -1; + unsigned long tmp_hostid, tmp_nsid, tmp_range; +@@ -223,7 +223,7 @@ struct lxc_netdev *lxc_network_add(struct lxc_list *networks, int idx, bool tail + * allocates a new one if it couldn't be found. + */ + struct lxc_netdev *lxc_get_netdev_by_idx(struct lxc_conf *conf, +- unsigned int idx, bool allocate) ++ unsigned int idx, bool allocate) + { + struct lxc_netdev *netdev = NULL; + struct lxc_list *networks = &conf->network; +@@ -252,7 +252,7 @@ void lxc_log_configured_netdevs(const struct lxc_conf *conf) + struct lxc_list *it = (struct lxc_list *)&conf->network;; + + if ((conf->loglevel != LXC_LOG_LEVEL_TRACE) && +- (lxc_log_get_level() != LXC_LOG_LEVEL_TRACE)) ++ (lxc_log_get_level() != LXC_LOG_LEVEL_TRACE)) + return; + + if (lxc_list_empty(it)) { +@@ -294,7 +294,7 @@ void lxc_log_configured_netdevs(const struct lxc_conf *conf) + char *mode; + + mode = lxc_macvlan_flag_to_mode( +- netdev->priv.macvlan_attr.mode); ++ netdev->priv.macvlan_attr.mode); + TRACE("macvlan mode: %s", + mode ? mode : "(invalid mode)"); + } +@@ -348,14 +348,14 @@ void lxc_log_configured_netdevs(const struct lxc_conf *conf) + + if (netdev->ipv4_gateway) { + inet_ntop(AF_INET, netdev->ipv4_gateway, +- bufinet4, sizeof(bufinet4)); ++ bufinet4, sizeof(bufinet4)); + TRACE("ipv4 gateway: %s", bufinet4); + } + + lxc_list_for_each_safe(cur, &netdev->ipv4, next) { + inet4dev = cur->elem; + inet_ntop(AF_INET, &inet4dev->addr, bufinet4, +- sizeof(bufinet4)); ++ sizeof(bufinet4)); + TRACE("ipv4 addr: %s", bufinet4); + } + +@@ -364,14 +364,14 @@ void lxc_log_configured_netdevs(const struct lxc_conf *conf) + + if (netdev->ipv6_gateway) { + inet_ntop(AF_INET6, netdev->ipv6_gateway, +- bufinet6, sizeof(bufinet6)); ++ bufinet6, sizeof(bufinet6)); + TRACE("ipv6 gateway: %s", bufinet6); + } + + lxc_list_for_each_safe(cur, &netdev->ipv6, next) { + inet6dev = cur->elem; + inet_ntop(AF_INET6, &inet6dev->addr, bufinet6, +- sizeof(bufinet6)); ++ sizeof(bufinet6)); + TRACE("ipv6 addr: %s", bufinet6); + } + } +@@ -448,10 +448,10 @@ static struct lxc_macvlan_mode { + char *name; + int mode; + } macvlan_mode[] = { +- { "private", MACVLAN_MODE_PRIVATE }, +- { "vepa", MACVLAN_MODE_VEPA }, +- { "bridge", MACVLAN_MODE_BRIDGE }, +- { "passthru", MACVLAN_MODE_PASSTHRU }, ++ { "private", MACVLAN_MODE_PRIVATE }, ++ { "vepa", MACVLAN_MODE_VEPA }, ++ { "bridge", MACVLAN_MODE_BRIDGE }, ++ { "passthru", MACVLAN_MODE_PASSTHRU }, + }; + + int lxc_macvlan_mode_to_flag(int *mode, const char *value) +@@ -595,7 +595,7 @@ bool lxc_config_net_hwaddr(const char *line) + return true; + + if (sscanf(line, "lxc.net.%u.%6s", &index, tmp) == 2 || +- sscanf(line, "lxc.network.%u.%6s", &index, tmp) == 2) ++ sscanf(line, "lxc.network.%u.%6s", &index, tmp) == 2) + return strncmp(tmp, "hwaddr", 6) == 0; + + return false; +@@ -644,13 +644,13 @@ bool new_hwaddr(char *hwaddr) + seed = randseed(false); + + ret = snprintf(hwaddr, 18, "00:16:3e:%02x:%02x:%02x", rand_r(&seed) % 255, +- rand_r(&seed) % 255, rand_r(&seed) % 255); ++ rand_r(&seed) % 255, rand_r(&seed) % 255); + #else + + (void)randseed(true); + + ret = snprintf(hwaddr, 18, "00:16:3e:%02x:%02x:%02x", rand() % 255, +- rand() % 255, rand() % 255); ++ rand() % 255, rand() % 255); + #endif + if (ret < 0 || ret >= 18) { + SYSERROR("Failed to call snprintf()"); +@@ -740,7 +740,7 @@ bool parse_limit_value(const char **value, rlim_t *res) + } + + static int lxc_container_name_to_pid(const char *lxcname_or_pid, +- const char *lxcpath) ++ const char *lxcpath) + { + int ret; + signed long int pid; +@@ -784,16 +784,18 @@ static int lxc_container_name_to_pid(const char *lxcname_or_pid, + } + + int lxc_inherit_namespace(const char *lxcname_or_pid, const char *lxcpath, +- const char *namespace) ++ const char *namespace) + { +- int fd, pid; +- char *dup, *lastslash; ++ int fd = -1; ++ int pid = -1; ++ char *dup = NULL; ++ char *lastslash = NULL; + + /* isulad: add support share namespace by path. + * e.g. "lxc.namespace.share.net = /proc/PID/ns/net or /var/run/netns/net" + */ + if (file_exists(lxcname_or_pid) && !dir_exists(lxcname_or_pid)) { +- fd = open(lxcname_or_pid, O_RDONLY | O_CLOEXEC); ++ fd = lxc_open(lxcname_or_pid, O_RDONLY | O_CLOEXEC, 0); + if (fd < 0) + return -EINVAL; + +diff --git a/src/lxc/json/logger_json_file.c b/src/lxc/json/logger_json_file.c +index 6433b04..409ea11 100644 +--- a/src/lxc/json/logger_json_file.c ++++ b/src/lxc/json/logger_json_file.c +@@ -8,236 +8,236 @@ + #include "logger_json_file.h" + + logger_json_file *make_logger_json_file(yajl_val tree, struct parser_context *ctx, parser_error *err) { +- logger_json_file *ret = NULL; +- *err = 0; +- if (tree == NULL) +- return ret; +- ret = safe_malloc(sizeof(*ret)); +- { +- yajl_val tmp = get_val(tree, "log", yajl_t_string); +- if (tmp != NULL) { +- char *str = YAJL_GET_STRING(tmp); +- ret->log = (uint8_t *)safe_strdup(str ? str : ""); +- ret->log_len = str != NULL ? strlen(str) : 0; +- } +- } +- { +- yajl_val val = get_val(tree, "stream", yajl_t_string); +- if (val != NULL) { +- char *str = YAJL_GET_STRING(val); +- ret->stream = safe_strdup(str ? str : ""); +- } +- } +- { +- yajl_val val = get_val(tree, "time", yajl_t_string); +- if (val != NULL) { +- char *str = YAJL_GET_STRING(val); +- ret->time = safe_strdup(str ? str : ""); +- } +- } +- { +- yajl_val tmp = get_val(tree, "attrs", yajl_t_string); +- if (tmp != NULL) { +- char *str = YAJL_GET_STRING(tmp); +- ret->attrs = (uint8_t *)safe_strdup(str ? str : ""); +- ret->attrs_len = str != NULL ? strlen(str) : 0; +- } +- } +- +- if (tree->type == yajl_t_object && (ctx->options & PARSE_OPTIONS_STRICT)) { +- int i; +- for (i = 0; i < tree->u.object.len; i++) +- if (strcmp(tree->u.object.keys[i], "log") && +- strcmp(tree->u.object.keys[i], "stream") && +- strcmp(tree->u.object.keys[i], "time") && +- strcmp(tree->u.object.keys[i], "attrs")) { +- if (ctx->stderr > 0) +- fprintf(ctx->stderr, "WARNING: unknown key found: %s\n", tree->u.object.keys[i]); +- } +- } +- return ret; ++ logger_json_file *ret = NULL; ++ *err = 0; ++ if (tree == NULL) ++ return ret; ++ ret = safe_malloc(sizeof(*ret)); ++ { ++ yajl_val tmp = get_val(tree, "log", yajl_t_string); ++ if (tmp != NULL) { ++ char *str = YAJL_GET_STRING(tmp); ++ ret->log = (uint8_t *)safe_strdup(str ? str : ""); ++ ret->log_len = str != NULL ? strlen(str) : 0; ++ } ++ } ++ { ++ yajl_val val = get_val(tree, "stream", yajl_t_string); ++ if (val != NULL) { ++ char *str = YAJL_GET_STRING(val); ++ ret->stream = safe_strdup(str ? str : ""); ++ } ++ } ++ { ++ yajl_val val = get_val(tree, "time", yajl_t_string); ++ if (val != NULL) { ++ char *str = YAJL_GET_STRING(val); ++ ret->time = safe_strdup(str ? str : ""); ++ } ++ } ++ { ++ yajl_val tmp = get_val(tree, "attrs", yajl_t_string); ++ if (tmp != NULL) { ++ char *str = YAJL_GET_STRING(tmp); ++ ret->attrs = (uint8_t *)safe_strdup(str ? str : ""); ++ ret->attrs_len = str != NULL ? strlen(str) : 0; ++ } ++ } ++ ++ if (tree->type == yajl_t_object && (ctx->options & PARSE_OPTIONS_STRICT)) { ++ int i; ++ for (i = 0; i < tree->u.object.len; i++) ++ if (strcmp(tree->u.object.keys[i], "log") && ++ strcmp(tree->u.object.keys[i], "stream") && ++ strcmp(tree->u.object.keys[i], "time") && ++ strcmp(tree->u.object.keys[i], "attrs")) { ++ if (ctx->stderr > 0) ++ fprintf(ctx->stderr, "WARNING: unknown key found: %s\n", tree->u.object.keys[i]); ++ } ++ } ++ return ret; + } + + void free_logger_json_file(logger_json_file *ptr) { +- if (ptr == NULL) +- return; +- free(ptr->log); +- ptr->log = NULL; +- free(ptr->stream); +- ptr->stream = NULL; +- free(ptr->time); +- ptr->time = NULL; +- free(ptr->attrs); +- ptr->attrs = NULL; +- free(ptr); ++ if (ptr == NULL) ++ return; ++ free(ptr->log); ++ ptr->log = NULL; ++ free(ptr->stream); ++ ptr->stream = NULL; ++ free(ptr->time); ++ ptr->time = NULL; ++ free(ptr->attrs); ++ ptr->attrs = NULL; ++ free(ptr); + } + + yajl_gen_status gen_logger_json_file(yajl_gen g, logger_json_file *ptr, struct parser_context *ctx, parser_error *err) { +- yajl_gen_status stat = yajl_gen_status_ok; +- *err = 0; +- stat = reformat_start_map(g); +- if (yajl_gen_status_ok != stat) +- GEN_SET_ERROR_AND_RETURN(stat, err); +- if ((ctx->options & GEN_OPTIONS_ALLKEYVALUE) || (ptr != NULL && ptr->log != NULL && ptr->log_len)) { +- const char *str = ""; +- size_t len = 0; +- stat = reformat_map_key(g, "log", strlen("log")); +- if (yajl_gen_status_ok != stat) +- GEN_SET_ERROR_AND_RETURN(stat, err); +- if (ptr != NULL && ptr->log != NULL) { +- str = (const char *)ptr->log; +- len = ptr->log_len; +- } +- stat = reformat_string(g, str, len); +- if (yajl_gen_status_ok != stat) +- GEN_SET_ERROR_AND_RETURN(stat, err); +- } +- if ((ctx->options & GEN_OPTIONS_ALLKEYVALUE) ||(ptr != NULL && ptr->stream != NULL)) { +- char *str = ""; +- stat = reformat_map_key(g, "stream", strlen("stream")); +- if (yajl_gen_status_ok != stat) +- GEN_SET_ERROR_AND_RETURN(stat, err); +- if (ptr != NULL && ptr->stream != NULL) { +- str = ptr->stream; +- } +- stat = reformat_string(g, str, strlen(str)); +- if (yajl_gen_status_ok != stat) +- GEN_SET_ERROR_AND_RETURN(stat, err); +- } +- if ((ctx->options & GEN_OPTIONS_ALLKEYVALUE) ||(ptr != NULL && ptr->time != NULL)) { +- char *str = ""; +- stat = reformat_map_key(g, "time", strlen("time")); +- if (yajl_gen_status_ok != stat) +- GEN_SET_ERROR_AND_RETURN(stat, err); +- if (ptr != NULL && ptr->time != NULL) { +- str = ptr->time; +- } +- stat = reformat_string(g, str, strlen(str)); +- if (yajl_gen_status_ok != stat) +- GEN_SET_ERROR_AND_RETURN(stat, err); +- } +- if ((ctx->options & GEN_OPTIONS_ALLKEYVALUE) || (ptr != NULL && ptr->attrs != NULL && ptr->attrs_len)) { +- const char *str = ""; +- size_t len = 0; +- stat = reformat_map_key(g, "attrs", strlen("attrs")); +- if (yajl_gen_status_ok != stat) +- GEN_SET_ERROR_AND_RETURN(stat, err); +- if (ptr != NULL && ptr->attrs != NULL) { +- str = (const char *)ptr->attrs; +- len = ptr->attrs_len; +- } +- stat = reformat_string(g, str, len); +- if (yajl_gen_status_ok != stat) +- GEN_SET_ERROR_AND_RETURN(stat, err); +- } +- stat = reformat_end_map(g); +- if (yajl_gen_status_ok != stat) +- GEN_SET_ERROR_AND_RETURN(stat, err); +- return yajl_gen_status_ok; ++ yajl_gen_status stat = yajl_gen_status_ok; ++ *err = 0; ++ stat = reformat_start_map(g); ++ if (yajl_gen_status_ok != stat) ++ GEN_SET_ERROR_AND_RETURN(stat, err); ++ if ((ctx->options & GEN_OPTIONS_ALLKEYVALUE) || (ptr != NULL && ptr->log != NULL && ptr->log_len)) { ++ const char *str = ""; ++ size_t len = 0; ++ stat = reformat_map_key(g, "log", strlen("log")); ++ if (yajl_gen_status_ok != stat) ++ GEN_SET_ERROR_AND_RETURN(stat, err); ++ if (ptr != NULL && ptr->log != NULL) { ++ str = (const char *)ptr->log; ++ len = ptr->log_len; ++ } ++ stat = reformat_string(g, str, len); ++ if (yajl_gen_status_ok != stat) ++ GEN_SET_ERROR_AND_RETURN(stat, err); ++ } ++ if ((ctx->options & GEN_OPTIONS_ALLKEYVALUE) ||(ptr != NULL && ptr->stream != NULL)) { ++ char *str = ""; ++ stat = reformat_map_key(g, "stream", strlen("stream")); ++ if (yajl_gen_status_ok != stat) ++ GEN_SET_ERROR_AND_RETURN(stat, err); ++ if (ptr != NULL && ptr->stream != NULL) { ++ str = ptr->stream; ++ } ++ stat = reformat_string(g, str, strlen(str)); ++ if (yajl_gen_status_ok != stat) ++ GEN_SET_ERROR_AND_RETURN(stat, err); ++ } ++ if ((ctx->options & GEN_OPTIONS_ALLKEYVALUE) ||(ptr != NULL && ptr->time != NULL)) { ++ char *str = ""; ++ stat = reformat_map_key(g, "time", strlen("time")); ++ if (yajl_gen_status_ok != stat) ++ GEN_SET_ERROR_AND_RETURN(stat, err); ++ if (ptr != NULL && ptr->time != NULL) { ++ str = ptr->time; ++ } ++ stat = reformat_string(g, str, strlen(str)); ++ if (yajl_gen_status_ok != stat) ++ GEN_SET_ERROR_AND_RETURN(stat, err); ++ } ++ if ((ctx->options & GEN_OPTIONS_ALLKEYVALUE) || (ptr != NULL && ptr->attrs != NULL && ptr->attrs_len)) { ++ const char *str = ""; ++ size_t len = 0; ++ stat = reformat_map_key(g, "attrs", strlen("attrs")); ++ if (yajl_gen_status_ok != stat) ++ GEN_SET_ERROR_AND_RETURN(stat, err); ++ if (ptr != NULL && ptr->attrs != NULL) { ++ str = (const char *)ptr->attrs; ++ len = ptr->attrs_len; ++ } ++ stat = reformat_string(g, str, len); ++ if (yajl_gen_status_ok != stat) ++ GEN_SET_ERROR_AND_RETURN(stat, err); ++ } ++ stat = reformat_end_map(g); ++ if (yajl_gen_status_ok != stat) ++ GEN_SET_ERROR_AND_RETURN(stat, err); ++ return yajl_gen_status_ok; + } + + + logger_json_file *logger_json_file_parse_file(const char *filename, struct parser_context *ctx, parser_error *err) { +- logger_json_file *ptr; +- size_t filesize; +- char *content = NULL; +- +- if (filename == NULL || err == NULL) +- return NULL; +- +- *err = NULL; +- content = read_file(filename, &filesize); +- if (content == NULL) { +- if (asprintf(err, "cannot read the file: %s", filename) < 0) +- *err = safe_strdup("error allocating memory"); +- return NULL; +- } +- ptr = logger_json_file_parse_data(content, ctx, err); +- free(content); +- return ptr; ++ logger_json_file *ptr = NULL; ++ size_t filesize; ++ char *content = NULL; ++ ++ if (filename == NULL || err == NULL) ++ return NULL; ++ ++ *err = NULL; ++ content = read_file(filename, &filesize); ++ if (content == NULL) { ++ if (asprintf(err, "cannot read the file: %s", filename) < 0) ++ *err = safe_strdup("error allocating memory"); ++ return NULL; ++ } ++ ptr = logger_json_file_parse_data(content, ctx, err); ++ free(content); ++ return ptr; + } + + logger_json_file *logger_json_file_parse_file_stream(FILE *stream, struct parser_context *ctx, parser_error *err) { +- logger_json_file *ptr; +- size_t filesize; +- char *content = NULL ; +- +- if (stream == NULL || err == NULL) +- return NULL; +- +- *err = NULL; +- content = fread_file(stream, &filesize); +- if (content == NULL) { +- *err = safe_strdup("cannot read the file"); +- return NULL; +- } +- ptr = logger_json_file_parse_data(content, ctx, err); +- free(content); +- return ptr; ++ logger_json_file *ptr = NULL; ++ size_t filesize; ++ char *content = NULL ; ++ ++ if (stream == NULL || err == NULL) ++ return NULL; ++ ++ *err = NULL; ++ content = fread_file(stream, &filesize); ++ if (content == NULL) { ++ *err = safe_strdup("cannot read the file"); ++ return NULL; ++ } ++ ptr = logger_json_file_parse_data(content, ctx, err); ++ free(content); ++ return ptr; + } + + logger_json_file *logger_json_file_parse_data(const char *jsondata, struct parser_context *ctx, parser_error *err) { +- logger_json_file *ptr; +- yajl_val tree; +- char errbuf[1024]; +- struct parser_context tmp_ctx; +- +- if (jsondata == NULL || err == NULL) +- return NULL; +- +- *err = NULL; +- if (ctx == NULL) { +- ctx = &tmp_ctx; +- memset(&tmp_ctx, 0, sizeof(tmp_ctx)); +- } +- tree = yajl_tree_parse(jsondata, errbuf, sizeof(errbuf)); +- if (tree == NULL) { +- if (asprintf(err, "cannot parse the data: %s", errbuf) < 0) +- *err = safe_strdup("error allocating memory"); +- return NULL; +- } +- ptr = make_logger_json_file(tree, ctx, err); +- yajl_tree_free(tree); +- return ptr; ++ logger_json_file *ptr = NULL; ++ yajl_val tree; ++ char errbuf[1024]; ++ struct parser_context tmp_ctx; ++ ++ if (jsondata == NULL || err == NULL) ++ return NULL; ++ ++ *err = NULL; ++ if (ctx == NULL) { ++ ctx = &tmp_ctx; ++ memset(&tmp_ctx, 0, sizeof(tmp_ctx)); ++ } ++ tree = yajl_tree_parse(jsondata, errbuf, sizeof(errbuf)); ++ if (tree == NULL) { ++ if (asprintf(err, "cannot parse the data: %s", errbuf) < 0) ++ *err = safe_strdup("error allocating memory"); ++ return NULL; ++ } ++ ptr = make_logger_json_file(tree, ctx, err); ++ yajl_tree_free(tree); ++ return ptr; + } + char *logger_json_file_generate_json(logger_json_file *ptr, struct parser_context *ctx, parser_error *err) { +- yajl_gen g = NULL; +- struct parser_context tmp_ctx; +- const unsigned char *gen_buf = NULL; +- char *json_buf = NULL; +- size_t gen_len = 0; +- +- if (ptr == NULL || err == NULL) +- return NULL; +- +- *err = NULL; +- if (ctx == NULL) { +- ctx = &tmp_ctx; +- memset(&tmp_ctx, 0, sizeof(tmp_ctx)); +- } +- +- if (!json_gen_init(&g, ctx)) { +- *err = safe_strdup("Json_gen init failed"); +- goto out; +- } +- if (yajl_gen_status_ok != gen_logger_json_file(g, ptr, ctx, err)) { +- if (*err == NULL) +- *err = safe_strdup("Failed to generate json"); +- goto free_out; +- } +- yajl_gen_get_buf(g, &gen_buf, &gen_len); +- if (gen_buf == NULL) { +- *err = safe_strdup("Error to get generated json"); +- goto free_out; +- } +- +- json_buf = safe_malloc(gen_len + 1); +- memcpy(json_buf, gen_buf, gen_len); +- json_buf[gen_len] = '\0'; ++ yajl_gen g = NULL; ++ struct parser_context tmp_ctx; ++ const unsigned char *gen_buf = NULL; ++ char *json_buf = NULL; ++ size_t gen_len = 0; ++ ++ if (ptr == NULL || err == NULL) ++ return NULL; ++ ++ *err = NULL; ++ if (ctx == NULL) { ++ ctx = &tmp_ctx; ++ memset(&tmp_ctx, 0, sizeof(tmp_ctx)); ++ } ++ ++ if (!json_gen_init(&g, ctx)) { ++ *err = safe_strdup("Json_gen init failed"); ++ goto out; ++ } ++ if (yajl_gen_status_ok != gen_logger_json_file(g, ptr, ctx, err)) { ++ if (*err == NULL) ++ *err = safe_strdup("Failed to generate json"); ++ goto free_out; ++ } ++ yajl_gen_get_buf(g, &gen_buf, &gen_len); ++ if (gen_buf == NULL) { ++ *err = safe_strdup("Error to get generated json"); ++ goto free_out; ++ } ++ ++ json_buf = safe_malloc(gen_len + 1); ++ memcpy(json_buf, gen_buf, gen_len); ++ json_buf[gen_len] = '\0'; + + free_out: +- yajl_gen_clear(g); +- yajl_gen_free(g); ++ yajl_gen_clear(g); ++ yajl_gen_free(g); + out: +- return json_buf; ++ return json_buf; + } +diff --git a/src/lxc/json/read-file.c b/src/lxc/json/read-file.c +index ad0eda1..70e73e5 100644 +--- a/src/lxc/json/read-file.c ++++ b/src/lxc/json/read-file.c +@@ -16,79 +16,80 @@ + + char *fread_file(FILE *stream, size_t *length) + { +- char *buf = NULL, *tmpbuf = NULL; +- size_t off = 0; +- +- while (1) { +- size_t ret, newsize; +- +- newsize = off + BUFSIZ + 1; +- tmpbuf = (char *)calloc(1, newsize); +- if (tmpbuf == NULL) { +- goto out; +- } +- +- if (buf) { +- memcpy(tmpbuf, buf, off); +- +- memset(buf, 0, off); +- +- free(buf); +- } +- +- buf = tmpbuf; +- ret = fread(buf + off, 1, BUFSIZ, stream); +- if (!ret && ferror(stream)) { +- tmpbuf = NULL; +- goto out; +- } +- if (ret < BUFSIZ || feof(stream)) { +- *length = off + ret + 1; +- buf[*length - 1] = '\0'; +- return buf; +- } +- off += BUFSIZ; +- } ++ char *buf = NULL, *tmpbuf = NULL; ++ size_t off = 0; ++ ++ while (1) { ++ size_t ret, newsize; ++ ++ newsize = off + BUFSIZ + 1; ++ tmpbuf = (char *)calloc(1, newsize); ++ if (tmpbuf == NULL) { ++ goto out; ++ } ++ ++ if (buf) { ++ memcpy(tmpbuf, buf, off); ++ ++ memset(buf, 0, off); ++ ++ free(buf); ++ } ++ ++ buf = tmpbuf; ++ ret = fread(buf + off, 1, BUFSIZ, stream); ++ if (!ret && ferror(stream)) { ++ tmpbuf = NULL; ++ goto out; ++ } ++ if (ret < BUFSIZ || feof(stream)) { ++ *length = off + ret + 1; ++ buf[*length - 1] = '\0'; ++ return buf; ++ } ++ off += BUFSIZ; ++ } + out: +- if (buf) { +- free(buf); +- } +- if (tmpbuf) { +- free(tmpbuf); +- } +- return NULL; ++ if (buf) { ++ free(buf); ++ } ++ if (tmpbuf) { ++ free(tmpbuf); ++ } ++ return NULL; + + } + + char *read_file(const char *path, size_t *length) + { +- char *buf = NULL; +- char rpath[PATH_MAX + 1] = {0}; +- int fd, tmperrno; +- FILE *fp; +- +- if (!path || !length) { +- return NULL; +- } +- +- if (strlen(path) > PATH_MAX || NULL == realpath(path, rpath)) { +- return NULL; +- } +- +- fd = open(rpath, O_RDONLY | O_CLOEXEC, 0640); +- if (fd < 0) { +- return NULL; +- } +- +- fp = fdopen(fd, "r"); +- tmperrno = errno; +- if (!fp) { +- close(fd); +- errno = tmperrno; +- return NULL; +- } +- +- buf = fread_file(fp, length); +- fclose(fp); +- return buf; ++ char *buf = NULL; ++ char rpath[PATH_MAX + 1] = {0}; ++ int fd = -1; ++ int tmperrno; ++ FILE *fp = NULL; ++ ++ if (!path || !length) { ++ return NULL; ++ } ++ ++ if (strlen(path) > PATH_MAX || NULL == realpath(path, rpath)) { ++ return NULL; ++ } ++ ++ fd = open(rpath, O_RDONLY | O_CLOEXEC, 0640); ++ if (fd < 0) { ++ return NULL; ++ } ++ ++ fp = fdopen(fd, "r"); ++ tmperrno = errno; ++ if (!fp) { ++ close(fd); ++ errno = tmperrno; ++ return NULL; ++ } ++ ++ buf = fread_file(fp, length); ++ fclose(fp); ++ return buf; + } +diff --git a/src/lxc/log.c b/src/lxc/log.c +index 91fb7ef..e598a5f 100644 +--- a/src/lxc/log.c ++++ b/src/lxc/log.c +@@ -157,7 +157,7 @@ static int isulad_open_fifo(const char *file_path) + #define LOG_FIFO_SIZE (1024 * 1024) + int fd = -1; + +- fd = lxc_unpriv(open(file_path, O_RDWR | O_NONBLOCK | O_CLOEXEC, 0640)); ++ fd = lxc_unpriv(lxc_open(file_path, O_RDWR | O_NONBLOCK | O_CLOEXEC, 0640)); + if (fd == -1) { + fprintf(stderr, "Open fifo %s failed: %s\n", file_path, strerror(errno)); + return -1; +@@ -174,7 +174,7 @@ static int isulad_open_fifo(const char *file_path) + + /*---------------------------------------------------------------------------*/ + static int log_append_syslog(const struct lxc_log_appender *appender, +- struct lxc_log_event *event) ++ struct lxc_log_event *event) + { + char *msg; + const char *log_container_name; +@@ -189,7 +189,7 @@ static int log_append_syslog(const struct lxc_log_appender *appender, + return 0; + + syslog(lxc_log_priority_to_syslog(event->priority), +- "%s%s %s - %s:%s:%d - %s" , ++ "%s%s %s - %s:%s:%d - %s", + log_container_name ? log_container_name : "", + log_container_name ? ":" : "", + event->category, +@@ -203,7 +203,7 @@ static int log_append_syslog(const struct lxc_log_appender *appender, + + /*---------------------------------------------------------------------------*/ + static int log_append_stderr(const struct lxc_log_appender *appender, +- struct lxc_log_event *event) ++ struct lxc_log_event *event) + { + const char *log_container_name; + +@@ -227,7 +227,7 @@ static int log_append_stderr(const struct lxc_log_appender *appender, + static int lxc_unix_epoch_to_utc(char *buf, size_t bufsize, const struct timespec *time) + { + int64_t epoch_to_days, z, era, doe, yoe, year, doy, mp, day, month, +- d_in_s, hours, h_in_s, minutes, seconds; ++ d_in_s, hours, h_in_s, minutes, seconds; + char nanosec[INTTYPE_TO_STRLEN(int64_t)]; + int ret; + +@@ -313,9 +313,9 @@ static int lxc_unix_epoch_to_utc(char *buf, size_t bufsize, const struct timespe + * digit precision. + */ + ret = snprintf(buf, bufsize, +- "%" PRId64 "%02" PRId64 "%02" PRId64 "%02" PRId64 +- "%02" PRId64 "%02" PRId64 ".%.3s", +- year, month, day, hours, minutes, seconds, nanosec); ++ "%" PRId64 "%02" PRId64 "%02" PRId64 "%02" PRId64 ++ "%02" PRId64 "%02" PRId64 ".%.3s", ++ year, month, day, hours, minutes, seconds, nanosec); + if (ret < 0 || (size_t)ret >= bufsize) + return -1; + +@@ -343,15 +343,15 @@ static int lxc_unix_epoch_to_utc(char *buf, size_t bufsize, const struct timespe + * to make it pretty. Pretty might cost you thread-safety. + */ + static int log_append_logfile(const struct lxc_log_appender *appender, +- struct lxc_log_event *event) ++ struct lxc_log_event *event) + { + char buffer[LXC_LOG_BUFFER_SIZE]; + char date_time[LXC_LOG_TIME_SIZE]; + int n; + ssize_t ret; + int fd_to_use = -1; +- const char *log_container_name; +- const char *isulad_prefix; ++ const char *log_container_name = NULL; ++ const char *isulad_prefix = NULL; + size_t isulad_len = 0; + + #ifndef NO_LXC_CONF +@@ -377,13 +377,13 @@ static int log_append_logfile(const struct lxc_log_appender *appender, + } + isulad_prefix = log_container_name ? (log_container_name + isulad_len) : log_prefix; + n = snprintf(buffer, sizeof(buffer), +- "%15s %s %-8s %s - %s:%s:%d - ", +- isulad_prefix, +- date_time, +- lxc_log_priority_to_string(event->priority), +- event->category, +- event->locinfo->file, event->locinfo->func, +- event->locinfo->line); ++ "%15s %s %-8s %s - %s:%s:%d - ", ++ isulad_prefix, ++ date_time, ++ lxc_log_priority_to_string(event->priority), ++ event->category, ++ event->locinfo->file, event->locinfo->func, ++ event->locinfo->line); + if (n < 0) + return n; + +@@ -405,7 +405,7 @@ static int log_append_logfile(const struct lxc_log_appender *appender, + + #if HAVE_DLOG + static int log_append_dlog(const struct lxc_log_appender *appender, +- struct lxc_log_event *event) ++ struct lxc_log_event *event) + { + char *msg = lxc_log_get_va_msg(event); + const char *log_container_name = lxc_log_get_container_name(); +@@ -643,10 +643,10 @@ static int __lxc_log_set_file(const char *fname, int create_dirs) + */ + if (create_dirs) + #endif +- if (build_dir(fname)) { +- SYSERROR("Failed to create dir for log file \"%s\"", fname); +- return -1; +- } ++ if (build_dir(fname)) { ++ SYSERROR("Failed to create dir for log file \"%s\"", fname); ++ return -1; ++ } + + if (isulad_use_log_fifo_flag) { + lxc_log_fd = isulad_open_fifo(fname); +@@ -685,7 +685,7 @@ int lxc_log_init(struct lxc_log *log) + { + int ret; + int lxc_priority = LXC_LOG_LEVEL_ERROR; +- const char *tmp_log_fname; ++ const char *tmp_log_fname = NULL; + + if (!log) + return -1; +diff --git a/src/lxc/lxccontainer.c b/src/lxc/lxccontainer.c +index e0c4de3..e32f524 100644 +--- a/src/lxc/lxccontainer.c ++++ b/src/lxc/lxccontainer.c +@@ -111,7 +111,7 @@ static const char *lxcapi_get_config_path(struct lxc_container *c); + #define do_lxcapi_get_config_path(c) lxcapi_get_config_path(c) + static bool do_lxcapi_set_config_item(struct lxc_container *c, const char *key, const char *v); + static bool container_destroy(struct lxc_container *c, +- struct lxc_storage *storage); ++ struct lxc_storage *storage); + static bool get_snappath_dir(struct lxc_container *c, char *snappath); + static bool lxcapi_snapshot_destroy_all(struct lxc_container *c); + static bool do_lxcapi_save_config(struct lxc_container *c, const char *alt_file); +@@ -551,7 +551,7 @@ static int do_lxcapi_console_getfd(struct lxc_container *c, int *ttynum, int *ma + WRAP_API_2(int, lxcapi_console_getfd, int *, int *) + + static int lxcapi_console(struct lxc_container *c, int ttynum, int stdinfd, +- int stdoutfd, int stderrfd, int escape) ++ int stdoutfd, int stderrfd, int escape) + { + int ret; + +@@ -619,7 +619,7 @@ static bool load_config_locked(struct lxc_container *c, const char *fname) + static bool load_ocihooks_locked(struct lxc_container *c) + { + parser_error err = NULL; +- oci_runtime_spec_hooks *hooks; ++ oci_runtime_spec_hooks *hooks = NULL; + + if (!c->lxc_conf) + c->lxc_conf = lxc_conf_init(); +@@ -755,7 +755,7 @@ static bool do_lxcapi_want_close_all_fds(struct lxc_container *c, bool state) + WRAP_API_1(bool, lxcapi_want_close_all_fds, bool) + + static bool do_lxcapi_wait(struct lxc_container *c, const char *state, +- int timeout) ++ int timeout) + { + int ret; + +@@ -833,7 +833,7 @@ static char **split_init_cmd(const char *incmd) + + argv[0] = NULL; + lxc_iterate_parts(p, copy, " ") +- push_arg(&argv, p, &nargs); ++ push_arg(&argv, p, &nargs); + + if (nargs == 0) { + free(argv); +@@ -1116,7 +1116,7 @@ static bool do_lxcapi_start(struct lxc_container *c, int useinit, char * const a + keepfds[2] = handler->state_socket_pair[1]; + keepfds[4] = conf->errpipe[1]; + ret = lxc_check_inherited(conf, true, keepfds, +- sizeof(keepfds) / sizeof(keepfds[0])); ++ sizeof(keepfds) / sizeof(keepfds[0])); + if (ret < 0) + _exit(EXIT_FAILURE); + +@@ -1176,7 +1176,7 @@ static bool do_lxcapi_start(struct lxc_container *c, int useinit, char * const a + + /* isulad: open exit fifo */ + if (c->exit_fifo) { +- conf->exit_fd = open(c->exit_fifo, O_WRONLY | O_NONBLOCK | O_CLOEXEC); ++ conf->exit_fd = lxc_open(c->exit_fifo, O_WRONLY | O_NONBLOCK | O_CLOEXEC, 0); + if (conf->exit_fd < 0) { + ERROR("Failed to open exit fifo %s: %s.", c->exit_fifo, strerror(errno)); + ret = 1; +@@ -1226,7 +1226,7 @@ reboot: + if (c->daemonize) + keepfds[4] = conf->errpipe[1]; + ret = lxc_check_inherited(conf, c->daemonize, keepfds, +- sizeof(keepfds) / sizeof(keepfds[0])); ++ sizeof(keepfds) / sizeof(keepfds[0])); + if (ret < 0) { + lxc_free_handler(handler); + ret = 1; +@@ -1235,12 +1235,12 @@ reboot: + + if (useinit) { + ret = lxc_execute(c->name, argv, 1, handler, c->config_path, +- c->daemonize, &c->error_num, c->start_timeout); ++ c->daemonize, &c->error_num, c->start_timeout); + } else { + handler->disable_pty = c->disable_pty; + handler->open_stdin = c->open_stdin; + ret = lxc_start(c->name, argv, handler, c->config_path, +- c->daemonize, &c->error_num, c->start_timeout); ++ c->daemonize, &c->error_num, c->start_timeout); + } + + if (conf->reboot == REBOOT_REQ) { +@@ -1269,7 +1269,7 @@ on_error: + } + + static bool lxcapi_start(struct lxc_container *c, int useinit, +- char *const argv[]) ++ char *const argv[]) + { + bool ret; + +@@ -1390,8 +1390,8 @@ static bool create_container_dir(struct lxc_container *c) + * storage_create(), it returns a mounted bdev on success, NULL on error. + */ + static struct lxc_storage *do_storage_create(struct lxc_container *c, +- const char *type, +- struct bdev_specs *specs) ++ const char *type, ++ struct bdev_specs *specs) + { + int ret; + size_t len; +@@ -1400,7 +1400,7 @@ static struct lxc_storage *do_storage_create(struct lxc_container *c, + + /* rootfs.path or lxcpath/lxcname/rootfs */ + if (c->lxc_conf->rootfs.path && +- (access(c->lxc_conf->rootfs.path, F_OK) == 0)) { ++ (access(c->lxc_conf->rootfs.path, F_OK) == 0)) { + const char *rpath = c->lxc_conf->rootfs.path; + len = strlen(rpath) + 1; + dest = alloca(len); +@@ -1454,7 +1454,7 @@ static char *lxcbasename(char *path) + } + + static bool create_run_template(struct lxc_container *c, char *tpath, +- bool need_null_stdfds, char *const argv[]) ++ bool need_null_stdfds, char *const argv[]) + { + int ret; + pid_t pid; +@@ -1515,7 +1515,7 @@ static bool create_run_template(struct lxc_container *c, char *tpath, + } + + if (strcmp(bdev->type, "overlay") == 0 || +- strcmp(bdev->type, "overlayfs") == 0) { ++ strcmp(bdev->type, "overlayfs") == 0) { + /* If we create an overlay container we need to + * rsync the contents into + * //rootfs. +@@ -1535,7 +1535,9 @@ static bool create_run_template(struct lxc_container *c, char *tpath, + */ + char *src; + +- src = ovl_get_rootfs(bdev->src, &(size_t){0}); ++ src = ovl_get_rootfs(bdev->src, &(size_t) { ++ 0 ++ }); + if (!src) { + ERROR("Failed to get rootfs"); + _exit(EXIT_FAILURE); +@@ -1654,8 +1656,8 @@ static bool create_run_template(struct lxc_container *c, char *tpath, + _exit(EXIT_FAILURE); + + ret = snprintf(n2[n2args - 1], 200, "%c:%lu:%lu:%lu", +- map->idtype == ID_TYPE_UID ? 'u' : 'g', +- map->nsid, map->hostid, map->range); ++ map->idtype == ID_TYPE_UID ? 'u' : 'g', ++ map->nsid, map->hostid, map->range); + if (ret < 0 || ret >= 200) + _exit(EXIT_FAILURE); + } +@@ -1682,7 +1684,7 @@ static bool create_run_template(struct lxc_container *c, char *tpath, + } + + ret = snprintf(n2[n2args - 1], 200, "u:%d:%d:1", +- hostuid_mapped, geteuid()); ++ hostuid_mapped, geteuid()); + if (ret < 0 || ret >= 200) + _exit(EXIT_FAILURE); + } +@@ -1709,7 +1711,7 @@ static bool create_run_template(struct lxc_container *c, char *tpath, + } + + ret = snprintf(n2[n2args - 1], 200, "g:%d:%d:1", +- hostgid_mapped, getegid()); ++ hostgid_mapped, getegid()); + if (ret < 0 || ret >= 200) + _exit(EXIT_FAILURE); + } +@@ -1915,8 +1917,8 @@ static void lxcapi_clear_config(struct lxc_container *c) + * arguments, you can just pass NULL. + */ + static bool do_lxcapi_create(struct lxc_container *c, const char *t, +- const char *bdevtype, struct bdev_specs *specs, +- int flags, char *const argv[]) ++ const char *bdevtype, struct bdev_specs *specs, ++ int flags, char *const argv[]) + { + int partial_fd; + mode_t mask; +@@ -1940,7 +1942,7 @@ static bool do_lxcapi_create(struct lxc_container *c, const char *t, + * existing container. Return an error, but do NOT delete the container. + */ + if (do_lxcapi_is_defined(c) && c->lxc_conf && c->lxc_conf->rootfs.path && +- access(c->lxc_conf->rootfs.path, F_OK) == 0 && tpath) { ++ access(c->lxc_conf->rootfs.path, F_OK) == 0 && tpath) { + ERROR("Container \"%s\" already exists in \"%s\"", c->name, + c->config_path); + goto free_tpath; +@@ -2072,8 +2074,8 @@ free_tpath: + } + + static bool lxcapi_create(struct lxc_container *c, const char *t, +- const char *bdevtype, struct bdev_specs *specs, +- int flags, char *const argv[]) ++ const char *bdevtype, struct bdev_specs *specs, ++ int flags, char *const argv[]) + { + bool ret; + +@@ -2140,7 +2142,7 @@ static bool do_lxcapi_reboot2(struct lxc_container *c, int timeout) + if (timeout != 0) { + states[RUNNING] = 2; + ret = lxc_cmd_add_state_client(c->name, c->config_path, states, +- &state_client_fd); ++ &state_client_fd); + if (ret < 0) + return false; + +@@ -2209,7 +2211,7 @@ static bool do_lxcapi_shutdown(struct lxc_container *c, int timeout) + if (timeout != 0) { + states[STOPPED] = 1; + ret = lxc_cmd_add_state_client(c->name, c->config_path, states, +- &state_client_fd); ++ &state_client_fd); + if (ret < 0) + return false; + +@@ -2252,7 +2254,7 @@ static bool do_lxcapi_shutdown(struct lxc_container *c, int timeout) + WRAP_API_1(bool, lxcapi_shutdown, int) + + static bool lxcapi_createl(struct lxc_container *c, const char *t, +- const char *bdevtype, struct bdev_specs *specs, int flags, ...) ++ const char *bdevtype, struct bdev_specs *specs, int flags, ...) + { + bool bret = false; + char **args = NULL; +@@ -2300,7 +2302,9 @@ static void do_clear_unexp_config_line(struct lxc_conf *conf, const char *key) + const char *idx; + + idx = key + 8; +- ret = lxc_safe_uint(idx, &(unsigned int){0}); ++ ret = lxc_safe_uint(idx, &(unsigned int) { ++ 0 ++ }); + if (!ret) + return clear_unexp_config_line(conf, key, true); + } +@@ -2312,7 +2316,7 @@ static void do_clear_unexp_config_line(struct lxc_conf *conf, const char *key) + } + + static bool do_lxcapi_clear_config_item(struct lxc_container *c, +- const char *key) ++ const char *key) + { + int ret = 1; + struct lxc_config_t *config; +@@ -2344,7 +2348,7 @@ static inline bool enter_net_ns(struct lxc_container *c) + pid_t pid = do_lxcapi_init_pid(c); + + if ((geteuid() != 0 || (c->lxc_conf && !lxc_list_empty(&c->lxc_conf->id_map))) && +- (access("/proc/self/ns/user", F_OK) == 0)) ++ (access("/proc/self/ns/user", F_OK) == 0)) + if (!switch_to_ns(pid, "user")) + return false; + +@@ -2359,7 +2363,7 @@ static inline int string_cmp(char **first, char **second) + + /* Used by qsort and bsearch functions for comparing container names. */ + static inline int container_cmp(struct lxc_container **first, +- struct lxc_container **second) ++ struct lxc_container **second) + { + return strcmp((*first)->name, (*second)->name); + } +@@ -2385,7 +2389,7 @@ static bool add_to_array(char ***names, char *cname, int pos) + } + + static bool add_to_clist(struct lxc_container ***list, struct lxc_container *c, +- int pos, bool sort) ++ int pos, bool sort) + { + struct lxc_container **newlist = realloc(*list, (pos + 1) * sizeof(struct lxc_container *)); + if (!newlist) { +@@ -2459,14 +2463,16 @@ static char **do_lxcapi_get_interfaces(struct lxc_container *c) + } + + /* Grab the list of interfaces */ +- if (netns_getifaddrs(&interfaceArray, -1, &(bool){false})) { ++ if (netns_getifaddrs(&interfaceArray, -1, &(bool) { ++ false ++ })) { + SYSERROR("Failed to get interfaces list"); + goto out; + } + + /* Iterate through the interfaces */ + for (tempIfAddr = interfaceArray; tempIfAddr != NULL; +- tempIfAddr = tempIfAddr->ifa_next) { ++ tempIfAddr = tempIfAddr->ifa_next) { + nbytes = lxc_write_nointr(pipefd[1], tempIfAddr->ifa_name, IFNAMSIZ); + if (nbytes < 0) + goto out; +@@ -2476,7 +2482,7 @@ static char **do_lxcapi_get_interfaces(struct lxc_container *c) + + ret = 0; + +- out: ++out: + if (interfaceArray) + netns_freeifaddrs(interfaceArray); + +@@ -2521,7 +2527,7 @@ static char **do_lxcapi_get_interfaces(struct lxc_container *c) + WRAP_API(char **, lxcapi_get_interfaces) + + static char **do_lxcapi_get_ips(struct lxc_container *c, const char *interface, +- const char *family, int scope) ++ const char *family, int scope) + { + int i, ret; + pid_t pid; +@@ -2561,14 +2567,16 @@ static char **do_lxcapi_get_ips(struct lxc_container *c, const char *interface, + } + + /* Grab the list of interfaces */ +- if (netns_getifaddrs(&interfaceArray, -1, &(bool){false})) { ++ if (netns_getifaddrs(&interfaceArray, -1, &(bool) { ++ false ++ })) { + SYSERROR("Failed to get interfaces list"); + goto out; + } + + /* Iterate through the interfaces */ + for (tempIfAddr = interfaceArray; tempIfAddr; +- tempIfAddr = tempIfAddr->ifa_next) { ++ tempIfAddr = tempIfAddr->ifa_next) { + if (tempIfAddr->ifa_addr == NULL) + continue; + +@@ -2598,15 +2606,15 @@ static char **do_lxcapi_get_ips(struct lxc_container *c, const char *interface, + continue; + + address = (char *)inet_ntop(tempIfAddr->ifa_addr->sa_family, +- tempAddrPtr, addressOutputBuffer, +- sizeof(addressOutputBuffer)); ++ tempAddrPtr, addressOutputBuffer, ++ sizeof(addressOutputBuffer)); + if (!address) + continue; + + nbytes = lxc_write_nointr(pipefd[1], address, INET6_ADDRSTRLEN); + if (nbytes != INET6_ADDRSTRLEN) { + SYSERROR("Failed to send ipv6 address \"%s\"", +- address); ++ address); + goto out; + } + +@@ -2615,7 +2623,7 @@ static char **do_lxcapi_get_ips(struct lxc_container *c, const char *interface, + + ret = 0; + +- out: ++out: + if (interfaceArray) + netns_freeifaddrs(interfaceArray); + +@@ -2766,7 +2774,7 @@ static bool do_lxcapi_save_config(struct lxc_container *c, const char *alt_file) + return false; + + fd = open(alt_file, O_WRONLY | O_CREAT | O_TRUNC | O_CLOEXEC, +- S_IRUSR | S_IWUSR | S_IRGRP | S_IWGRP); ++ S_IRUSR | S_IWUSR | S_IRGRP | S_IWGRP); + if (fd < 0) + goto on_error; + +@@ -2926,7 +2934,7 @@ void mod_all_rdeps(struct lxc_container *c, bool inc) + int ret; + + ret = snprintf(path, PATH_MAX, "%s/%s/lxc_rdepends", +- c->config_path, c->name); ++ c->config_path, c->name); + if (ret < 0 || ret >= PATH_MAX) { + ERROR("Path name too long"); + return; +@@ -2947,13 +2955,13 @@ void mod_all_rdeps(struct lxc_container *c, bool inc) + + if ((p = lxc_container_new(lxcname, lxcpath)) == NULL) { + ERROR("Unable to find dependent container %s:%s", +- lxcpath, lxcname); ++ lxcpath, lxcname); + continue; + } + + if (!mod_rdep(p, c, inc)) + ERROR("Failed to update snapshots file for %s:%s", +- lxcpath, lxcname); ++ lxcpath, lxcname); + + lxc_container_put(p); + } +@@ -2973,7 +2981,7 @@ static bool has_fs_snapshots(struct lxc_container *c) + bool bret = false; + + ret = snprintf(path, PATH_MAX, "%s/%s/lxc_snapshots", c->config_path, +- c->name); ++ c->name); + if (ret < 0 || ret > PATH_MAX) + goto out; + +@@ -3033,7 +3041,7 @@ static bool do_destroy_container(struct lxc_conf *conf) { + + if (am_guest_unpriv()) { + ret = userns_exec_full(conf, storage_destroy_wrapper, conf, +- "storage_destroy_wrapper"); ++ "storage_destroy_wrapper"); + if (ret < 0) + return false; + +@@ -3056,7 +3064,7 @@ static int lxc_unlink_exec_wrapper(void *data) + } + + static bool container_destroy(struct lxc_container *c, +- struct lxc_storage *storage) ++ struct lxc_storage *storage) + { + const char *p1; + size_t len; +@@ -3154,15 +3162,15 @@ static bool container_destroy(struct lxc_container *c, + * cannot be removed when restoring from a snapshot. + */ + if (storage && (!strcmp(storage->type, "overlay") || +- !strcmp(storage->type, "overlayfs")) && +- (storage->flags & LXC_STORAGE_INTERNAL_OVERLAY_RESTORE)) { ++ !strcmp(storage->type, "overlayfs")) && ++ (storage->flags & LXC_STORAGE_INTERNAL_OVERLAY_RESTORE)) { + ret = snprintf(path, len, "%s/%s/config", p1, c->name); + if (ret < 0 || (size_t)ret >= len) + goto out; + + if (am_guest_unpriv()) + ret = userns_exec_1(conf, lxc_unlink_exec_wrapper, path, +- "lxc_unlink_exec_wrapper"); ++ "lxc_unlink_exec_wrapper"); + else + ret = unlink(path); + if (ret < 0) { +@@ -3182,7 +3190,7 @@ static bool container_destroy(struct lxc_container *c, + + if (am_guest_unpriv()) + ret = userns_exec_full(conf, lxc_rmdir_onedev_wrapper, path, +- "lxc_rmdir_onedev_wrapper"); ++ "lxc_rmdir_onedev_wrapper"); + else + ret = lxc_rmdir_onedev(path, "snaps"); + if (ret < 0) { +@@ -3245,7 +3253,7 @@ static bool do_lxcapi_destroy_with_snapshots(struct lxc_container *c) + WRAP_API(bool, lxcapi_destroy_with_snapshots) + + int lxc_set_config_item_locked(struct lxc_conf *conf, const char *key, +- const char *v) ++ const char *v) + { + int ret; + struct lxc_config_t *config; +@@ -3270,7 +3278,7 @@ int lxc_set_config_item_locked(struct lxc_conf *conf, const char *key, + } + + static bool do_set_config_item_locked(struct lxc_container *c, const char *key, +- const char *v) ++ const char *v) + { + int ret; + +@@ -3360,7 +3368,7 @@ static bool set_config_filename(struct lxc_container *c) + static bool set_oci_hook_config_filename(struct lxc_container *c) + { + #define OCI_HOOK_JSON_FILE_NAME "ocihooks.json" +- char *newpath; ++ char *newpath = NULL; + int len, ret; + + if (!c->config_path) +@@ -3466,7 +3474,7 @@ static int do_lxcapi_get_cgroup_item(struct lxc_container *c, const char *subsys + return -1; + + ret = cgroup_ops->get(cgroup_ops, subsys, retv, inlen, c->name, +- c->config_path); ++ c->config_path); + + cgroup_exit(cgroup_ops); + +@@ -3578,7 +3586,7 @@ static int copyhooks(struct lxc_container *oldc, struct lxc_container *c) + + /* copy the script, and change the entry in confile */ + ret = snprintf(tmppath, PATH_MAX, "%s/%s/%s", +- c->config_path, c->name, fname+1); ++ c->config_path, c->name, fname+1); + if (ret < 0 || ret >= PATH_MAX) + return -1; + +@@ -3597,7 +3605,7 @@ static int copyhooks(struct lxc_container *oldc, struct lxc_container *c) + } + + if (!clone_update_unexp_hooks(c->lxc_conf, oldc->config_path, +- c->config_path, oldc->name, c->name)) { ++ c->config_path, oldc->name, c->name)) { + ERROR("Error saving new hooks in clone"); + return -1; + } +@@ -3623,7 +3631,7 @@ static int copy_fstab(struct lxc_container *oldc, struct lxc_container *c) + return -1; + + ret = snprintf(newpath, PATH_MAX, "%s/%s%s", +- c->config_path, c->name, p); ++ c->config_path, c->name, p); + if (ret < 0 || ret >= PATH_MAX) { + ERROR("error printing new path for %s", oldpath); + return -1; +@@ -3661,14 +3669,14 @@ static void copy_rdepends(struct lxc_container *c, struct lxc_container *c0) + int ret; + + ret = snprintf(path0, PATH_MAX, "%s/%s/lxc_rdepends", c0->config_path, +- c0->name); ++ c0->name); + if (ret < 0 || ret >= PATH_MAX) { + WARN("Error copying reverse dependencies"); + return; + } + + ret = snprintf(path1, PATH_MAX, "%s/%s/lxc_rdepends", c->config_path, +- c->name); ++ c->name); + if (ret < 0 || ret >= PATH_MAX) { + WARN("Error copying reverse dependencies"); + return; +@@ -3688,7 +3696,7 @@ static bool add_rdepends(struct lxc_container *c, struct lxc_container *c0) + bool bret; + + ret = snprintf(path, PATH_MAX, "%s/%s/lxc_rdepends", c->config_path, +- c->name); ++ c->name); + if (ret < 0 || ret >= PATH_MAX) + return false; + +@@ -3714,7 +3722,7 @@ static bool add_rdepends(struct lxc_container *c, struct lxc_container *c0) + * Currently we only do this for btrfs. + */ + bool should_default_to_snapshot(struct lxc_container *c0, +- struct lxc_container *c1) ++ struct lxc_container *c1) + { + int ret; + size_t l0 = strlen(c0->config_path) + strlen(c0->name) + 2; +@@ -3741,8 +3749,8 @@ bool should_default_to_snapshot(struct lxc_container *c0, + } + + static int copy_storage(struct lxc_container *c0, struct lxc_container *c, +- const char *newtype, int flags, const char *bdevdata, +- uint64_t newsize) ++ const char *newtype, int flags, const char *bdevdata, ++ uint64_t newsize) + { + struct lxc_storage *bdev; + bool need_rdep; +@@ -3751,7 +3759,7 @@ static int copy_storage(struct lxc_container *c0, struct lxc_container *c, + flags |= LXC_CLONE_SNAPSHOT; + + bdev = storage_copy(c0, c->name, c->config_path, newtype, flags, +- bdevdata, newsize, &need_rdep); ++ bdevdata, newsize, &need_rdep); + if (!bdev) { + ERROR("Error copying storage."); + return -1; +@@ -3770,7 +3778,7 @@ static int copy_storage(struct lxc_container *c0, struct lxc_container *c, + /* Append a new lxc.rootfs.path entry to the unexpanded config. */ + clear_unexp_config_line(c->lxc_conf, "lxc.rootfs.path", false); + if (!do_append_unexp_config_line(c->lxc_conf, "lxc.rootfs.path", +- c->lxc_conf->rootfs.path)) { ++ c->lxc_conf->rootfs.path)) { + ERROR("Error saving new rootfs to cloned config."); + return -1; + } +@@ -3940,9 +3948,9 @@ static int create_file_dirname(char *path, struct lxc_conf *conf) + } + + static struct lxc_container *do_lxcapi_clone(struct lxc_container *c, const char *newname, +- const char *lxcpath, int flags, +- const char *bdevtype, const char *bdevdata, uint64_t newsize, +- char **hookargs) ++ const char *lxcpath, int flags, ++ const char *bdevtype, const char *bdevdata, uint64_t newsize, ++ char **hookargs) + { + char newpath[PATH_MAX]; + int fd, ret; +@@ -3995,7 +4003,7 @@ static struct lxc_container *do_lxcapi_clone(struct lxc_container *c, const char + } + + fd = open(newpath, O_WRONLY | O_CREAT | O_CLOEXEC, +- S_IRUSR | S_IWUSR | S_IRGRP | S_IWGRP); ++ S_IRUSR | S_IWUSR | S_IRGRP | S_IWGRP); + if (fd < 0) { + SYSERROR("Failed to open \"%s\"", newpath); + goto out; +@@ -4033,7 +4041,7 @@ static struct lxc_container *do_lxcapi_clone(struct lxc_container *c, const char + * snapshot. + */ + if (errno != ENOENT && +- !(flags & LXC_STORAGE_INTERNAL_OVERLAY_RESTORE)) { ++ !(flags & LXC_STORAGE_INTERNAL_OVERLAY_RESTORE)) { + SYSERROR("Failed to create directory \"%s\"", newpath); + goto out; + } +@@ -4049,7 +4057,7 @@ static struct lxc_container *do_lxcapi_clone(struct lxc_container *c, const char + c2 = lxc_container_new(newname, lxcpath); + if (!c2) { + ERROR("clone: failed to create new container (%s %s)", newname, +- lxcpath); ++ lxcpath); + goto out; + } + +@@ -4122,7 +4130,7 @@ static struct lxc_container *do_lxcapi_clone(struct lxc_container *c, const char + + if (am_guest_unpriv()) + ret = userns_exec_full(c->lxc_conf, clone_update_rootfs_wrapper, +- &data, "clone_update_rootfs_wrapper"); ++ &data, "clone_update_rootfs_wrapper"); + else + ret = clone_update_rootfs(&data); + if (ret < 0) +@@ -4145,9 +4153,9 @@ out: + } + + static struct lxc_container *lxcapi_clone(struct lxc_container *c, const char *newname, +- const char *lxcpath, int flags, +- const char *bdevtype, const char *bdevdata, uint64_t newsize, +- char **hookargs) ++ const char *lxcpath, int flags, ++ const char *bdevtype, const char *bdevdata, uint64_t newsize, ++ char **hookargs) + { + struct lxc_container * ret; + +@@ -4331,7 +4339,7 @@ static int do_lxcapi_snapshot(struct lxc_container *c, const char *commentfile) + * created in the original container + */ + flags = LXC_CLONE_SNAPSHOT | LXC_CLONE_KEEPMACADDR | LXC_CLONE_KEEPNAME | +- LXC_CLONE_KEEPBDEVTYPE | LXC_CLONE_MAYBE_SNAPSHOT; ++ LXC_CLONE_KEEPBDEVTYPE | LXC_CLONE_MAYBE_SNAPSHOT; + if (storage_is_dir(c->lxc_conf)) { + ERROR("Snapshot of directory-backed container requested"); + ERROR("Making a copy-clone. If you do want snapshots, then"); +@@ -4601,7 +4609,7 @@ static bool do_lxcapi_snapshot_restore(struct lxc_container *c, const char *snap + flags |= LXC_STORAGE_INTERNAL_OVERLAY_RESTORE; + + rest = lxcapi_clone(snap, newname, c->config_path, flags, bdev->type, +- NULL, 0, NULL); ++ NULL, 0, NULL); + storage_put(bdev); + if (rest && lxcapi_is_defined(rest)) + b = true; +@@ -4714,7 +4722,7 @@ static bool do_lxcapi_may_control(struct lxc_container *c) + WRAP_API(bool, lxcapi_may_control) + + static bool do_add_remove_node(pid_t init_pid, const char *path, bool add, +- struct stat *st) ++ struct stat *st) + { + int ret; + char *tmp; +@@ -4865,8 +4873,8 @@ static bool do_lxcapi_remove_device_node(struct lxc_container *c, const char *sr + WRAP_API_2(bool, lxcapi_remove_device_node, const char *, const char *) + + static bool do_lxcapi_attach_interface(struct lxc_container *c, +- const char *ifname, +- const char *dst_ifname) ++ const char *ifname, ++ const char *dst_ifname) + { + pid_t init_pid; + int ret = 0; +@@ -4904,8 +4912,8 @@ err: + WRAP_API_2(bool, lxcapi_attach_interface, const char *, const char *) + + static bool do_lxcapi_detach_interface(struct lxc_container *c, +- const char *ifname, +- const char *dst_ifname) ++ const char *ifname, ++ const char *dst_ifname) + { + int ret; + pid_t pid, pid_outside; +@@ -4980,7 +4988,7 @@ static bool do_lxcapi_detach_interface(struct lxc_container *c, + WRAP_API_2(bool, lxcapi_detach_interface, const char *, const char *) + + static int do_lxcapi_migrate(struct lxc_container *c, unsigned int cmd, +- struct migrate_opts *opts, unsigned int size) ++ struct migrate_opts *opts, unsigned int size) + { + int ret = -1; + struct migrate_opts *valid_opts = opts; +@@ -5125,7 +5133,7 @@ out: + /* isulad add set console fifos*/ + static bool do_lxcapi_set_terminal_default_fifos(struct lxc_container *c, const char *in, const char *out, const char *err) + { +- struct lxc_conf *conf; ++ struct lxc_conf *conf = NULL; + + if (!c || !c->lxc_conf) + return false; +@@ -5160,7 +5168,7 @@ WRAP_API_3(bool, lxcapi_set_terminal_default_fifos, const char *, const char *, + /* isulad add set info file path */ + static bool do_lxcapi_set_container_info_file(struct lxc_container *c, const char *info_file) + { +- struct lxc_conf *conf; ++ struct lxc_conf *conf = NULL; + + if (!c || !c->lxc_conf || !info_file) + return false; +@@ -5263,16 +5271,16 @@ static int set_start_extral_configs(struct lxc_container *c) + struct lxc_conf *lconf = c->lxc_conf; + size_t i = 0; + +- if (lconf == NULL) { +- c->lxc_conf = malloc(sizeof(struct lxc_conf)); +- lconf = c->lxc_conf; +- if (lconf == NULL) { +- fprintf(stderr, "Out of memory\n"); +- return -1; +- } +- } ++ if (lconf == NULL) { ++ c->lxc_conf = malloc(sizeof(struct lxc_conf)); ++ lconf = c->lxc_conf; ++ if (lconf == NULL) { ++ fprintf(stderr, "Out of memory\n"); ++ return -1; ++ } ++ } + if (sprintf(fpath, "%s/%s/%s", c->config_path, c->name, START_GENERATE_CONFIG) < 0) { +- fprintf(stderr, "Sprintf config path failed\n"); ++ fprintf(stderr, "Sprintf config path failed\n"); + return -1; + } + if (!file_exists(fpath)) { +@@ -5290,9 +5298,10 @@ static int set_start_extral_configs(struct lxc_container *c) + lconf->init_gid = start_conf->gid; + } + if (start_conf->additional_gids != NULL && start_conf->additional_gids_len > 0) { +- gid_t *tmp; +- tmp = realloc(lconf->init_groups, (lconf->init_groups_len + start_conf->additional_gids_len) * sizeof(gid_t)); +- if (tmp == NULL) { ++ gid_t *tmp = NULL; ++ ret = lxc_mem_realloc((void **)&tmp, (lconf->init_groups_len + start_conf->additional_gids_len) * sizeof(gid_t), ++ lconf->init_groups, (lconf->init_groups_len) * sizeof(gid_t)); ++ if (ret != 0) { + fprintf(stderr, "Out of memory"); + goto out; + } +@@ -5314,8 +5323,9 @@ out: + + static struct lxc_container *do_lxc_container_new(const char *name, const char *configpath, bool load_config) + { +- struct lxc_container *c; ++ struct lxc_container *c = NULL; + size_t len; ++ const char *tmp = NULL; + + if (!name) + return NULL; +@@ -5327,10 +5337,17 @@ static struct lxc_container *do_lxc_container_new(const char *name, const char * + } + memset(c, 0, sizeof(*c)); + +- if (configpath) ++ if (configpath) { + c->config_path = strdup(configpath); +- else +- c->config_path = strdup(lxc_global_config_value("lxc.lxcpath")); ++ } ++ else { ++ tmp = lxc_global_config_value("lxc.lxcpath"); ++ if (tmp == NULL) { ++ fprintf(stderr, "Failed to get lxc path for %s\n", name); ++ goto err; ++ } ++ c->config_path = strdup(tmp); ++ } + if (!c->config_path) { + fprintf(stderr, "Failed to allocate memory for %s\n", name); + goto err; +@@ -5534,7 +5551,7 @@ int list_defined_containers(const char *lxcpath, char ***names, struct lxc_conta + c = lxc_container_new(direntp->d_name, lxcpath); + if (!c) { + INFO("Container %s:%s has a config but could not be loaded", +- lxcpath, direntp->d_name); ++ lxcpath, direntp->d_name); + + if (names) + if(!remove_from_array(names, direntp->d_name, cfound--)) +@@ -5545,7 +5562,7 @@ int list_defined_containers(const char *lxcpath, char ***names, struct lxc_conta + + if (!do_lxcapi_is_defined(c)) { + INFO("Container %s:%s has a config but is not defined", +- lxcpath, direntp->d_name); ++ lxcpath, direntp->d_name); + + if (names) + if(!remove_from_array(names, direntp->d_name, cfound--)) +@@ -5584,7 +5601,7 @@ free_bad: + } + + int list_active_containers(const char *lxcpath, char ***nret, +- struct lxc_container ***cret) ++ struct lxc_container ***cret) + { + int i, ret = -1, cret_cnt = 0, ct_name_cnt = 0; + int lxcpath_len; +@@ -5680,7 +5697,7 @@ int list_active_containers(const char *lxcpath, char ***nret, + c = lxc_container_new(p, lxcpath); + if (!c) { + INFO("Container %s:%s is running but could not be loaded", +- lxcpath, p); ++ lxcpath, p); + + remove_from_array(&ct_name, p, ct_name_cnt--); + if (is_hashed) +@@ -5741,7 +5758,7 @@ out: + } + + int list_all_containers(const char *lxcpath, char ***nret, +- struct lxc_container ***cret) ++ struct lxc_container ***cret) + { + int i, ret, active_cnt, ct_cnt, ct_list_cnt; + char **active_name; +diff --git a/src/lxc/mainloop.c b/src/lxc/mainloop.c +index 9603d1e..a127a13 100644 +--- a/src/lxc/mainloop.c ++++ b/src/lxc/mainloop.c +@@ -65,7 +65,7 @@ int lxc_mainloop(struct lxc_epoll_descr *descr, int timeout_ms) + * mainloop. + */ + ret = handler->callback(handler->fd, events[i].events, +- handler->data, descr); ++ handler->data, descr); + if (ret == LXC_MAINLOOP_CLOSE) + return 0; + } +@@ -79,11 +79,11 @@ int lxc_mainloop(struct lxc_epoll_descr *descr, int timeout_ms) + } + + int lxc_mainloop_add_handler(struct lxc_epoll_descr *descr, int fd, +- lxc_mainloop_callback_t callback, void *data) ++ lxc_mainloop_callback_t callback, void *data) + { + struct epoll_event ev; +- struct mainloop_handler *handler; +- struct lxc_list *item; ++ struct mainloop_handler *handler = NULL; ++ struct lxc_list *item = NULL; + + if (fd < 0) + return 0; +diff --git a/src/lxc/path.c b/src/lxc/path.c +index e917dcb..45ab4c3 100644 +--- a/src/lxc/path.c ++++ b/src/lxc/path.c +@@ -10,6 +10,7 @@ + + #include "path.h" + #include "log.h" ++#include "utils.h" + + lxc_log_define(lxc_path_ui, lxc); + +@@ -29,6 +30,10 @@ bool specify_current_dir(const char *path) + } + + bname = basename(basec); ++ if (bname == NULL) { ++ ERROR("Out of memory"); ++ return false; ++ } + res = !strcmp(bname, "."); + free(basec); + return res; +@@ -45,11 +50,15 @@ bool has_traling_path_separator(const char *path) + // path already ends in a `.` path segment, then another is not added. If the + // clean path already ends in a path separator, then another is not added. + char *preserve_trailing_dot_or_separator(const char *cleanedpath, +- const char *originalpath) ++ const char *originalpath) + { + char *respath = NULL; + size_t len; + ++ if (strlen(cleanedpath) > (SIZE_MAX - 3)) { ++ return NULL; ++ } ++ + len = strlen(cleanedpath) + 3; + respath = malloc(len); + if (!respath) { +@@ -66,7 +75,7 @@ char *preserve_trailing_dot_or_separator(const char *cleanedpath, + } + + if (!has_traling_path_separator(respath) && +- has_traling_path_separator(originalpath)) ++ has_traling_path_separator(originalpath)) + strcat(respath, "/"); + + return respath; +@@ -107,160 +116,373 @@ bool filepath_split(const char *path, char **dir, char **base) + return true; + } + +-/* +- * cleanpath is similar to realpath of glibc, but not expands symbolic links, +- * and not check the existence of components of the path. +- */ +-char *cleanpath(const char *path, char *resolved) ++ ++static bool do_clean_path_continue(const char *endpos, const char *stpos, const char *respath, char **dst) + { +- char *rpath, *dest; +- const char *start, *end, *rpath_limit; ++ if (endpos - stpos == 1 && stpos[0] == '.') { ++ return true; ++ } else if (endpos - stpos == 2 && stpos[0] == '.' && stpos[1] == '.') { ++ char *dest = *dst; ++ if (dest <= respath + 1) { ++ return true; ++ } ++ for (--dest; dest > respath && !ISSLASH(dest[-1]); --dest) { ++ *dst = dest; ++ return true; ++ } ++ *dst = dest; ++ return true; ++ } ++ return false; ++} + +- if (path == NULL || path[0] == '\0') +- return NULL; ++int do_clean_path(const char *respath, const char *limit_respath, ++ const char *stpos, char **dst) ++{ ++ char *dest = *dst; ++ const char *endpos = NULL; ++ errno_t ret; + +- if (resolved == NULL) { +- rpath = malloc(PATH_MAX); +- if (rpath == NULL) { +- ERROR("Out of memory"); +- return NULL; ++ for (endpos = stpos; *stpos; stpos = endpos) { ++ while (ISSLASH(*stpos)) { ++ ++stpos; + } +- } else { +- rpath = resolved; ++ ++ for (endpos = stpos; *endpos && !ISSLASH(*endpos); ++endpos) { ++ } ++ ++ if (endpos - stpos == 0) { ++ break; ++ } else if (do_clean_path_continue(endpos, stpos, respath, &dest)) { ++ continue; ++ } ++ ++ if (!ISSLASH(dest[-1])) { ++ *dest++ = '/'; ++ } ++ ++ if (dest + (endpos - stpos) >= limit_respath) { ++ ERROR("Path is too long"); ++ if (dest > respath + 1) { ++ dest--; ++ } ++ *dest = '\0'; ++ return -1; ++ } ++ ++ memcpy(dest, stpos, (size_t)(endpos - stpos)); ++ dest += endpos - stpos; ++ *dest = '\0'; + } +- rpath_limit = rpath + PATH_MAX; ++ *dst = dest; ++ return 0; ++} ++ ++char *cleanpath(const char *path, char *realpath, size_t realpath_len) ++{ ++ char *respath = NULL; ++ char *dest = NULL; ++ const char *stpos = NULL; ++ const char *limit_respath = NULL; ++ errno_t ret; ++ ++ if (path == NULL || path[0] == '\0' || \ ++ realpath == NULL || (realpath_len < PATH_MAX)) { ++ return NULL; ++ } ++ ++ respath = realpath; ++ ++ memset(respath, 0, realpath_len); ++ limit_respath = respath + PATH_MAX; + + if (!IS_ABSOLUTE_FILE_NAME(path)) { +- if (!getcwd(rpath, PATH_MAX)) { ++ if (!getcwd(respath, PATH_MAX)) { + ERROR("Failed to getcwd"); +- rpath[0] = '\0'; ++ respath[0] = '\0'; + goto error; + } +- dest = strchr(rpath, '\0'); +- start = path; ++ dest = strchr(respath, '\0'); ++ if (dest == NULL) { ++ ERROR("Failed to get the end of respath"); ++ goto error; ++ } ++ strcat(respath, path); ++ stpos = path; + } else { +- dest = rpath; ++ dest = respath; + *dest++ = '/'; +- start = path; ++ stpos = path; + } + +- for (end = start; *start; start = end) { +- /* Skip sequence of multiple path-separators. */ +- while (ISSLASH(*start)) +- ++start; ++ if (do_clean_path(respath, limit_respath, stpos, &dest)) { ++ goto error; ++ } + +- /* Find end of path component. */ +- for (end = start; *end && !ISSLASH(*end); ++end) +- /* Nothing. */; ++ if (dest > respath + 1 && ISSLASH(dest[-1])) { ++ --dest; ++ } ++ *dest = '\0'; + +- if (end - start == 0) { +- break; +- } else if (end - start == 1 && start[0] == '.') { +- /* nothing */; +- } else if (end - start == 2 && start[0] == '.' && start[1] == '.') { +- /* Back up to previous component, ignore if at root already. */ +- if (dest > rpath + 1) +- for (--dest; dest > rpath && !ISSLASH(dest[-1]); --dest) +- continue; +- } else { +- size_t new_size; +- +- if (!ISSLASH(dest[-1])) +- *dest++ = '/'; +- +- if (dest + (end - start) >= rpath_limit) { +- long long dest_offset = dest - rpath; +- char *new_rpath; +- +- if (resolved) { +- printf("Path is to long"); +- if (dest > rpath + 1) +- dest--; +- *dest = '\0'; +- goto error; +- } +- +- new_size = rpath_limit - rpath; +- if (end - start + 1 > PATH_MAX) +- new_size += end - start + 1; +- else +- new_size += PATH_MAX; +- new_rpath = (char *) realloc(rpath, new_size); +- if (new_rpath == NULL) { +- ERROR("Out of memory"); +- goto error; +- } +- rpath = new_rpath; +- rpath_limit = rpath + new_size; +- +- dest = rpath + dest_offset; ++ return respath; ++ ++error: ++ return NULL; ++} ++ ++static int do_path_realloc(const char *start, const char *end, ++ char **rpath, char **dest, const char **rpath_limit) ++{ ++ long long dest_offset = *dest - *rpath; ++ char *new_rpath = NULL; ++ size_t new_size; ++ int nret = 0; ++ size_t gap = 0; ++ ++ if (*dest + (end - start) < *rpath_limit) { ++ return 0; ++ } ++ ++ gap = (size_t)(end - start) + 1; ++ new_size = (size_t)(*rpath_limit - *rpath); ++ if (new_size > SIZE_MAX - gap) { ++ ERROR("Out of range!"); ++ return -1; ++ } ++ ++ if (gap > PATH_MAX) { ++ new_size += gap; ++ } else { ++ new_size += PATH_MAX; ++ } ++ nret = lxc_mem_realloc((void **)&new_rpath, new_size, *rpath, PATH_MAX); ++ if (nret) { ++ ERROR("Failed to realloc memory for files limit variables"); ++ return -1; ++ } ++ *rpath = new_rpath; ++ *rpath_limit = *rpath + new_size; ++ ++ *dest = *rpath + dest_offset; ++ ++ return 0; ++} ++ ++static int do_get_symlinks_copy_buf(const char *buf, const char *prefix, size_t prefix_len, ++ char **rpath, char **dest) ++{ ++ if (IS_ABSOLUTE_FILE_NAME(buf)) { ++ if (prefix_len) { ++ memcpy(*rpath, prefix, prefix_len); ++ } ++ *dest = *rpath + prefix_len; ++ *(*dest)++ = '/'; ++ } else { ++ if (*dest > *rpath + prefix_len + 1) { ++ for (--(*dest); *dest > *rpath && !ISSLASH((*dest)[-1]); --(*dest)) { ++ continue; + } ++ } ++ } ++ return 0; ++} + +- memcpy(dest, start, end - start); +- dest += end - start; +- *dest = '\0'; ++static int do_get_symlinks(const char **fullpath, const char *prefix, size_t prefix_len, ++ char **rpath, char **dest, const char **end, ++ int *num_links, char **extra_buf) ++{ ++ char *buf = NULL; ++ size_t len; ++ errno_t rc = EOK; ++ ssize_t n; ++ int ret = -1; ++ ++ if (++(*num_links) > MAXSYMLINKS) { ++ ERROR("Too many links in '%s'", *fullpath); ++ goto out; ++ } ++ ++ buf = lxc_common_calloc_s(PATH_MAX); ++ if (buf == NULL) { ++ ERROR("Out of memory"); ++ goto out; ++ } ++ ++ n = readlink(*rpath, buf, PATH_MAX - 1); ++ if (n < 0) { ++ goto out; ++ } ++ buf[n] = '\0'; ++ ++ if (*extra_buf == NULL) { ++ *extra_buf = lxc_common_calloc_s(PATH_MAX); ++ if (*extra_buf == NULL) { ++ ERROR("Out of memory"); ++ goto out; + } + } +- if (dest > rpath + 1 && ISSLASH(dest[-1])) +- --dest; +- *dest = '\0'; + +- return rpath; ++ len = strlen(*end); ++ if (len >= PATH_MAX - n) { ++ ERROR("Path is too long"); ++ goto out; ++ } + +-error: +- if (resolved == NULL) +- free(rpath); +- return NULL; ++ memmove(&(*extra_buf)[n], *end, len + 1); ++ memcpy(*extra_buf, buf, (size_t)n); ++ ++ *fullpath = *end = *extra_buf; ++ ++ if (do_get_symlinks_copy_buf(buf, prefix, prefix_len, rpath, dest) != 0) { ++ goto out; ++ } ++ ++ ret = 0; ++out: ++ free(buf); ++ return ret; + } + +-// evalSymlinksInScope will evaluate symlinks in `path` within a scope `root` and return +-// a result guaranteed to be contained within the scope `root`, at the time of the call. +-// Symlinks in `root` are not evaluated and left as-is. +-// Errors encountered while attempting to evaluate symlinks in path will be returned. +-// Non-existing paths are valid and do not constitute an error. +-// `path` has to contain `root` as a prefix, or else an error will be returned. +-// Trying to break out from `root` does not constitute an error. +-// +-// Example: +-// If /foo/bar -> /outside, +-// FollowSymlinkInScope("/foo/bar", "/foo") == "/foo/outside" instead of "/oustide" +-char *eval_symlinks_in_scope(const char *fullpath, const char *rootpath) ++static bool do_eval_symlinks_in_scope_is_symlink(const char *path) + { +- char resroot[PATH_MAX] = {0}, *root = NULL; +- char *rpath, *dest, *prefix, *extra_buf = NULL; +- const char *start, *end, *rpath_limit; ++ struct stat st; ++ ++ if (lstat(path, &st) < 0) { ++ return true; ++ } ++ ++ if (!S_ISLNK(st.st_mode)) { ++ return true; ++ } ++ return false; ++} ++ ++static void do_eval_symlinks_skip_slash(const char **start, const char **end) ++{ ++ while (ISSLASH(**start)) { ++ ++(*start); ++ } ++ ++ for (*end = *start; **end && !ISSLASH(**end); ++(*end)) { ++ } ++} ++ ++static inline void skip_dest_traling_slash(char **dest, char **rpath, size_t prefix_len) ++{ ++ if (*dest > *rpath + prefix_len + 1) { ++ for (--(*dest); *dest > *rpath && !ISSLASH((*dest)[-1]); --(*dest)) { ++ continue; ++ } ++ } ++} ++ ++static inline bool is_current_char(const char c) ++{ ++ return c == '.'; ++} ++ ++static inline bool is_specify_current(const char *end, const char *start) ++{ ++ return (end - start == 1) && is_current_char(start[0]); ++} ++ ++static inline bool is_specify_parent(const char *end, const char *start) ++{ ++ return (end - start == 2) && is_current_char(start[0]) && is_current_char(start[1]); ++} ++ ++static int do_eval_symlinks_in_scope(const char *fullpath, const char *prefix, ++ size_t prefix_len, ++ char **rpath, char **dest, const char *rpath_limit) ++{ ++ const char *start = NULL; ++ const char *end = NULL; ++ char *extra_buf = NULL; ++ errno_t rc = EOK; ++ int nret = 0; + int num_links = 0; ++ ++ start = fullpath + prefix_len; ++ for (end = start; *start; start = end) { ++ do_eval_symlinks_skip_slash(&start, &end); ++ if (end - start == 0) { ++ break; ++ } else if (is_specify_current(end, start)) { ++ ; ++ } else if (is_specify_parent(end, start)) { ++ skip_dest_traling_slash(dest, rpath, prefix_len); ++ } else { ++ if (!ISSLASH((*dest)[-1])) { ++ *(*dest)++ = '/'; ++ } ++ ++ nret = do_path_realloc(start, end, rpath, dest, &rpath_limit); ++ if (nret != 0) { ++ nret = -1; ++ goto out; ++ } ++ ++ memcpy(*dest, start, (size_t)(end - start)); ++ *dest += end - start; ++ **dest = '\0'; ++ ++ if (do_eval_symlinks_in_scope_is_symlink(*rpath)) { ++ continue; ++ } ++ ++ nret = do_get_symlinks(&fullpath, prefix, prefix_len, rpath, dest, &end, &num_links, &extra_buf); ++ if (nret != 0) { ++ nret = -1; ++ goto out; ++ } ++ } ++ } ++out: ++ free(extra_buf); ++ return nret; ++} ++static char *eval_symlinks_in_scope(const char *fullpath, const char *rootpath) ++{ ++ char resroot[PATH_MAX] = {0}; ++ char *root = NULL; ++ char *rpath = NULL; ++ char *dest = NULL; ++ char *prefix = NULL; ++ const char *rpath_limit = NULL; + size_t prefix_len; ++ errno_t rc = EOK; + +- if (!fullpath || !rootpath) ++ if (fullpath == NULL || rootpath == NULL) { + return NULL; ++ } + +- root = cleanpath(rootpath, resroot); +- if (!root) { ++ root = cleanpath(rootpath, resroot, sizeof(resroot)); ++ if (root == NULL) { + ERROR("Failed to get cleaned path"); + return NULL; + } + +- if (!strcmp(fullpath, root)) ++ if (!strcmp(fullpath, root)) { + return strdup(fullpath); ++ } + +- if (!strstr(fullpath, root)) { ++ if (strstr(fullpath, root) == NULL) { + ERROR("Path '%s' is not in '%s'", fullpath, root); + return NULL; + } + +- rpath = malloc(PATH_MAX); ++ rpath = lxc_common_calloc_s(PATH_MAX); + if (rpath == NULL) { + ERROR("Out of memory"); +- goto error; +- return NULL; ++ goto out; + } + rpath_limit = rpath + PATH_MAX; + + prefix = root; +- prefix_len = strlen(prefix); +- if (!strcmp(prefix, "/")) ++ prefix_len = (size_t)strlen(prefix); ++ if (!strcmp(prefix, "/")) { + prefix_len = 0; ++ } + + dest = rpath; + if (prefix_len) { +@@ -268,133 +490,19 @@ char *eval_symlinks_in_scope(const char *fullpath, const char *rootpath) + dest += prefix_len; + } + *dest++ = '/'; +- start = fullpath + prefix_len; + +- for (end = start; *start; start = end) { +- struct stat st; +- int n; +- +- /* Skip sequence of multiple path-separators. */ +- while (ISSLASH(*start)) +- ++start; +- +- /* Find end of path component. */ +- for (end = start; *end && !ISSLASH(*end); ++end) +- /* Nothing. */; +- +- if (end - start == 0) { +- break; +- } else if (end - start == 1 && start[0] == '.') { +- /* nothing */; +- } else if (end - start == 2 && start[0] == '.' && start[1] == '.') { +- /* Back up to previous component, ignore if at root already. */ +- if (dest > rpath + prefix_len + 1) +- for (--dest; dest > rpath && !ISSLASH(dest[-1]); --dest) +- continue; +- } else { +- size_t new_size; +- +- if (!ISSLASH(dest[-1])) +- *dest++ = '/'; +- +- if (dest + (end - start) >= rpath_limit) { +- long long dest_offset = dest - rpath; +- char *new_rpath; +- +- new_size = rpath_limit - rpath; +- if (end - start + 1 > PATH_MAX) +- new_size += end - start + 1; +- else +- new_size += PATH_MAX; +- new_rpath = (char *) realloc(rpath, new_size); +- if (new_rpath == NULL) { +- ERROR("Out of memory"); +- goto error; +- } +- rpath = new_rpath; +- rpath_limit = rpath + new_size; +- +- dest = rpath + dest_offset; +- } +- +- memcpy(dest, start, end - start); +- dest += end - start; +- *dest = '\0'; +- +- if (lstat(rpath, &st) < 0) { +- // if rpath does not exist, accept it +- continue; +- } +- +- if (S_ISLNK(st.st_mode)) { +- char *buf; +- size_t len; +- +- if (++num_links > MAXSYMLINKS) { +- ERROR("Too many links in '%s'", fullpath); +- goto error; +- } +- +- buf = malloc(PATH_MAX); +- if (!buf) { +- ERROR("Out of memory"); +- goto error; +- } +- +- n = readlink(rpath, buf, PATH_MAX - 1); +- if (n < 0) { +- free(buf); +- goto error; +- } +- buf[n] = '\0'; +- +- if (!extra_buf) { +- extra_buf = malloc(PATH_MAX); +- if (!extra_buf) { +- ERROR("Out of memory"); +- free(buf); +- goto error; +- } +- } +- +- len = strlen(end); +- if ((long int)(n + len) >= PATH_MAX) { +- free(buf); +- ERROR("Path is too long"); +- goto error; +- } +- +- /* Careful here, end may be a pointer into extra_buf... */ +- memmove(&extra_buf[n], end, len + 1); +- fullpath = end = memcpy(extra_buf, buf, n); +- +- if (IS_ABSOLUTE_FILE_NAME(buf)) { +- if (prefix_len) +- memcpy(rpath, prefix, prefix_len); +- dest = rpath + prefix_len; +- *dest++ = '/'; /* It's an absolute symlink */ +- } else { +- /* Back up to previous component, ignore if at root +- already: */ +- if (dest > rpath + prefix_len + 1) +- for (--dest; dest > rpath && !ISSLASH(dest[-1]); --dest) +- continue; +- } +- } +- } ++ if (do_eval_symlinks_in_scope(fullpath, prefix, prefix_len, &rpath, &dest, ++ rpath_limit)) { ++ goto out; + } +- if (dest > rpath + prefix_len + 1 && ISSLASH(dest[-1])) ++ ++ if (dest > rpath + prefix_len + 1 && ISSLASH(dest[-1])) { + --dest; ++ } + *dest = '\0'; +- +- if (extra_buf) +- free(extra_buf); +- + return rpath; + +-error: +- if (extra_buf) +- free(extra_buf); ++out: + free(rpath); + return NULL; + } +@@ -406,13 +514,13 @@ char *follow_symlink_in_scope(const char *fullpath, const char *rootpath) + char resfull[PATH_MAX] = {0}, *full = NULL; + char resroot[PATH_MAX] = {0}, *root = NULL; + +- full = cleanpath(fullpath, resfull); ++ full = cleanpath(fullpath, resfull, PATH_MAX); + if (!full) { + ERROR("Failed to get cleaned path"); + return NULL; + } + +- root = cleanpath(rootpath, resroot); ++ root = cleanpath(rootpath, resroot, PATH_MAX); + if (!root) { + ERROR("Failed to get cleaned path"); + return NULL; +@@ -430,7 +538,7 @@ char *follow_symlink_in_scope(const char *fullpath, const char *rootpath) + // particular path inside the container as though you were a process in that + // container. + int get_resource_path(const char *rootpath, const char *path, +- char **scopepath) ++ char **scopepath) + { + char resolved[PATH_MAX] = {0}, *cleanedpath = NULL; + char *fullpath = NULL; +@@ -441,7 +549,7 @@ int get_resource_path(const char *rootpath, const char *path, + + *scopepath = NULL; + +- cleanedpath = cleanpath(path, resolved); ++ cleanedpath = cleanpath(path, resolved, PATH_MAX); + if (!cleanedpath) { + ERROR("Failed to get cleaned path"); + return -1; +@@ -475,13 +583,13 @@ char *path_relative(const char *basepath, const char *targpath) + char restarg[PATH_MAX] = {0}, *targ = NULL; + size_t bl = 0, tl = 0, b0 = 0, bi = 0, t0 = 0, ti = 0; + +- base = cleanpath(basepath, resbase); ++ base = cleanpath(basepath, resbase, PATH_MAX); + if (!base) { + ERROR("Failed to get cleaned path"); + return NULL; + } + +- targ = cleanpath(targpath, restarg); ++ targ = cleanpath(targpath, restarg, PATH_MAX); + if (!targ) { + ERROR("Failed to get cleaned path"); + return NULL; +@@ -512,7 +620,7 @@ char *path_relative(const char *basepath, const char *targpath) + // Base elements left. Must go up before going down. + int seps = 0, i; + size_t ncopyed = 0, seps_size; +- char *buf; ++ char *buf = NULL; + + for (bi = b0; bi < bl; bi++) { + if (ISSLASH(base[bi])) +@@ -543,4 +651,4 @@ char *path_relative(const char *basepath, const char *targpath) + } + + return strdup(targ + t0); +-} +\ No newline at end of file ++} +diff --git a/src/lxc/path.h b/src/lxc/path.h +index e3a04cc..5100941 100644 +--- a/src/lxc/path.h ++++ b/src/lxc/path.h +@@ -13,7 +13,7 @@ bool has_traling_path_separator(const char *path); + // path already ends in a `.` path segment, then another is not added. If the + // clean path already ends in a path separator, then another is not added. + char *preserve_trailing_dot_or_separator(const char *cleanedpath, +- const char *originalpath); ++ const char *originalpath); + + + // Split splits path immediately following the final Separator, +@@ -27,20 +27,8 @@ bool filepath_split(const char *path, char **dir, char **base); + * cleanpath is similar to realpath of glibc, but not expands symbolic links, + * and not check the existence of components of the path. + */ +-char *cleanpath(const char *path, char *resolved); ++char *cleanpath(const char *path, char *realpath, size_t realpath_len); + +-// evalSymlinksInScope will evaluate symlinks in `path` within a scope `root` and return +-// a result guaranteed to be contained within the scope `root`, at the time of the call. +-// Symlinks in `root` are not evaluated and left as-is. +-// Errors encountered while attempting to evaluate symlinks in path will be returned. +-// Non-existing paths are valid and do not constitute an error. +-// `path` has to contain `root` as a prefix, or else an error will be returned. +-// Trying to break out from `root` does not constitute an error. +-// +-// Example: +-// If /foo/bar -> /outside, +-// FollowSymlinkInScope("/foo/bar", "/foo") == "/foo/outside" instead of "/oustide" +-char *eval_symlinks_in_scope(const char *fullpath, const char *rootpath); + + // FollowSymlinkInScope is a wrapper around evalSymlinksInScope that returns an + // absolute path. This function handles paths in a platform-agnostic manner. +@@ -55,7 +43,7 @@ char *follow_symlink_in_scope(const char *fullpath, const char *rootpath); + // particular path inside the container as though you were a process in that + // container. + int get_resource_path(const char *rootpath, const char *path, +- char **scopepath); ++ char **scopepath); + + // Rel returns a relative path that is lexically equivalent to targpath when + // joined to basepath with an intervening separator. That is, +diff --git a/src/lxc/start.c b/src/lxc/start.c +index 4541793..ccdd844 100644 +--- a/src/lxc/start.c ++++ b/src/lxc/start.c +@@ -93,7 +93,7 @@ extern void mod_all_rdeps(struct lxc_container *c, bool inc); + static bool do_destroy_container(struct lxc_handler *handler); + static int lxc_rmdir_onedev_wrapper(void *data); + static void lxc_destroy_container_on_signal(struct lxc_handler *handler, +- const char *name); ++ const char *name); + + /* isulad: start timeout thread */ + typedef enum { +@@ -136,8 +136,8 @@ static void print_top_failing_dir(const char *path) + ret = access(copy, X_OK); + if (ret != 0) { + SYSERROR("Could not access %s. Please grant it x " +- "access, or add an ACL for the container " +- "root", copy); ++ "access, or add an ACL for the container " ++ "root", copy); + return; + } + *p = saved; +@@ -180,7 +180,7 @@ static int lxc_try_preserve_ns(const int pid, const char *ns) + * Return true on success, false on failure. + */ + static bool lxc_try_preserve_namespaces(struct lxc_handler *handler, +- int ns_clone_flags, pid_t pid) ++ int ns_clone_flags, pid_t pid) + { + int i; + +@@ -243,8 +243,8 @@ static bool match_dlog_fds(struct dirent *direntp) + } + + if (strcmp(link, "/dev/log_main") == 0 || +- strcmp(link, "/dev/log_system") == 0 || +- strcmp(link, "/dev/log_radio") == 0) ++ strcmp(link, "/dev/log_system") == 0 || ++ strcmp(link, "/dev/log_radio") == 0) + return true; + + return false; +@@ -252,7 +252,7 @@ static bool match_dlog_fds(struct dirent *direntp) + #endif + + int lxc_check_inherited(struct lxc_conf *conf, bool closeall, +- int *fds_to_ignore, size_t len_fds) ++ int *fds_to_ignore, size_t len_fds) + { + int fd, fddir; + size_t i; +@@ -293,7 +293,7 @@ restart: + break; + + if (fd == fddir || fd == lxc_log_fd || +- (i < len_fds && fd == fds_to_ignore[i])) ++ (i < len_fds && fd == fds_to_ignore[i])) + continue; + + /* Keep state clients that wait on reboots. */ +@@ -377,7 +377,7 @@ static int setup_signal_fd(sigset_t *oldmask) + } + + static int signal_handler(int fd, uint32_t events, void *data, +- struct lxc_epoll_descr *descr) ++ struct lxc_epoll_descr *descr) + { + int ret; + siginfo_t info; +@@ -427,14 +427,14 @@ static int signal_handler(int fd, uint32_t events, void *data, + kill(hdlr->pid, SIGTERM); + INFO("Killing %d since terminal hung up", hdlr->pid); + return hdlr->init_died ? LXC_MAINLOOP_CLOSE +- : LXC_MAINLOOP_CONTINUE; ++ : LXC_MAINLOOP_CONTINUE; + } + + if (siginfo.ssi_signo != SIGCHLD) { + kill(hdlr->pid, siginfo.ssi_signo); + INFO("Forwarded signal %d to pid %d", siginfo.ssi_signo, hdlr->pid); + return hdlr->init_died ? LXC_MAINLOOP_CLOSE +- : LXC_MAINLOOP_CONTINUE; ++ : LXC_MAINLOOP_CONTINUE; + } + + /* More robustness, protect ourself from a SIGCHLD sent +@@ -444,19 +444,19 @@ static int signal_handler(int fd, uint32_t events, void *data, + NOTICE("Received %d from pid %d instead of container init %d", + siginfo.ssi_signo, siginfo.ssi_pid, hdlr->pid); + return hdlr->init_died ? LXC_MAINLOOP_CLOSE +- : LXC_MAINLOOP_CONTINUE; ++ : LXC_MAINLOOP_CONTINUE; + } + + if (siginfo.ssi_code == CLD_STOPPED) { + INFO("Container init process was stopped"); + return hdlr->init_died ? LXC_MAINLOOP_CLOSE +- : LXC_MAINLOOP_CONTINUE; ++ : LXC_MAINLOOP_CONTINUE; + } + + if (siginfo.ssi_code == CLD_CONTINUED) { + INFO("Container init process was continued"); + return hdlr->init_died ? LXC_MAINLOOP_CLOSE +- : LXC_MAINLOOP_CONTINUE; ++ : LXC_MAINLOOP_CONTINUE; + } + + DEBUG("Container init process %d exited", hdlr->pid); +@@ -465,7 +465,7 @@ static int signal_handler(int fd, uint32_t events, void *data, + } + + int lxc_serve_state_clients(const char *name, struct lxc_handler *handler, +- lxc_state_t state) ++ lxc_state_t state) + { + size_t retlen; + ssize_t ret; +@@ -516,14 +516,14 @@ int lxc_serve_state_clients(const char *name, struct lxc_handler *handler, + } + + static int lxc_serve_state_socket_pair(const char *name, +- struct lxc_handler *handler, +- lxc_state_t state) ++ struct lxc_handler *handler, ++ lxc_state_t state) + { + ssize_t ret; + + if (!handler->daemonize || +- handler->state_socket_pair[1] < 0 || +- state == STARTING) ++ handler->state_socket_pair[1] < 0 || ++ state == STARTING) + return 0; + + /* Close read end of the socket pair. */ +@@ -532,7 +532,9 @@ static int lxc_serve_state_socket_pair(const char *name, + + again: + ret = lxc_abstract_unix_send_credential(handler->state_socket_pair[1], +- &(int){state}, sizeof(int)); ++ &(int) { ++ state ++ }, sizeof(int)); + if (ret < 0) { + SYSERROR("Failed to send state to %d", handler->state_socket_pair[1]); + +@@ -558,7 +560,7 @@ again: + } + + int lxc_set_state(const char *name, struct lxc_handler *handler, +- lxc_state_t state) ++ lxc_state_t state) + { + int ret; + +@@ -587,7 +589,7 @@ int lxc_poll(const char *name, struct lxc_handler *handler) + struct lxc_epoll_descr descr, descr_console; + + if (handler->conf->console.path && +- strcmp(handler->conf->console.path, "none") == 0) ++ strcmp(handler->conf->console.path, "none") == 0) + has_console = false; + + ret = lxc_mainloop_open(&descr); +@@ -726,7 +728,7 @@ void lxc_free_handler(struct lxc_handler *handler) + } + + struct lxc_handler *lxc_init_handler(const char *name, struct lxc_conf *conf, +- const char *lxcpath, bool daemonize) ++ const char *lxcpath, bool daemonize) + { + int i, ret; + struct lxc_handler *handler; +@@ -764,7 +766,7 @@ struct lxc_handler *lxc_init_handler(const char *name, struct lxc_conf *conf, + * again currently so don't open another socketpair(). + */ + ret = socketpair(AF_UNIX, SOCK_STREAM | SOCK_CLOEXEC, 0, +- handler->state_socket_pair); ++ handler->state_socket_pair); + if (ret < 0) { + ERROR("Failed to create anonymous pair of unix sockets"); + goto on_error; +@@ -829,49 +831,49 @@ int lxc_init(const char *name, struct lxc_handler *handler) + ret = setenv("LXC_CONFIG_FILE", conf->rcfile, 1); + if (ret < 0) + SYSERROR("Failed to set environment variable: " +- "LXC_CONFIG_FILE=%s", conf->rcfile); ++ "LXC_CONFIG_FILE=%s", conf->rcfile); + } + + if (conf->rootfs.mount) { + ret = setenv("LXC_ROOTFS_MOUNT", conf->rootfs.mount, 1); + if (ret < 0) + SYSERROR("Failed to set environment variable: " +- "LXC_ROOTFS_MOUNT=%s", conf->rootfs.mount); ++ "LXC_ROOTFS_MOUNT=%s", conf->rootfs.mount); + } + + if (conf->rootfs.path) { + ret = setenv("LXC_ROOTFS_PATH", conf->rootfs.path, 1); + if (ret < 0) + SYSERROR("Failed to set environment variable: " +- "LXC_ROOTFS_PATH=%s", conf->rootfs.path); ++ "LXC_ROOTFS_PATH=%s", conf->rootfs.path); + } + + if (conf->console.path) { + ret = setenv("LXC_CONSOLE", conf->console.path, 1); + if (ret < 0) + SYSERROR("Failed to set environment variable: " +- "LXC_CONSOLE=%s", conf->console.path); ++ "LXC_CONSOLE=%s", conf->console.path); + } + + if (conf->console.log_path) { + ret = setenv("LXC_CONSOLE_LOGPATH", conf->console.log_path, 1); + if (ret < 0) + SYSERROR("Failed to set environment variable: " +- "LXC_CONSOLE_LOGPATH=%s", conf->console.log_path); ++ "LXC_CONSOLE_LOGPATH=%s", conf->console.log_path); + } + + if (cgns_supported()) { + ret = setenv("LXC_CGNS_AWARE", "1", 1); + if (ret < 0) + SYSERROR("Failed to set environment variable " +- "LXC_CGNS_AWARE=1"); ++ "LXC_CGNS_AWARE=1"); + } + + loglevel = lxc_log_priority_to_string(lxc_log_get_level()); + ret = setenv("LXC_LOG_LEVEL", loglevel, 1); + if (ret < 0) + SYSERROR("Set environment variable LXC_LOG_LEVEL=%s", +- loglevel); ++ loglevel); + + if (conf->hooks_version == 0) + ret = setenv("LXC_HOOK_VERSION", "0", 1); +@@ -959,6 +961,7 @@ static int _read_procs_file(const char *path, pid_t **pids, size_t *len) + FILE *f; + char *line = NULL; + size_t sz = 0; ++ pid_t *tmp_pids = NULL; + + f = fopen_cloexec(path, "r"); + if (!f) +@@ -968,7 +971,16 @@ static int _read_procs_file(const char *path, pid_t **pids, size_t *len) + pid_t pid; + trim_line(line); + pid = (pid_t)atoll(line); +- *pids = realloc(*pids, sizeof(pid_t) * (*len + 1)); ++ if (lxc_mem_realloc((void **)&tmp_pids, sizeof(pid_t) * (*len + 1), *pids, sizeof(pid_t) * (*len)) != 0) { ++ free(*pids); ++ *pids = NULL; ++ ERROR("out of memory"); ++ free(line); ++ fclose(f); ++ return -1; ++ } ++ *pids = tmp_pids; ++ + (*pids)[*len] = pid; + (*len)++; + } +@@ -980,8 +992,8 @@ static int _read_procs_file(const char *path, pid_t **pids, size_t *len) + + static int _recursive_read_cgroup_procs(const char *dirpath, pid_t **pids, size_t *len) + { +- struct dirent *direntp; +- DIR *dir; ++ struct dirent *direntp = NULL; ++ DIR *dir = NULL; + int ret, failed = 0; + char pathname[PATH_MAX]; + +@@ -996,7 +1008,7 @@ static int _recursive_read_cgroup_procs(const char *dirpath, pid_t **pids, size_ + int rc; + + if (!strcmp(direntp->d_name, ".") || +- !strcmp(direntp->d_name, "..")) ++ !strcmp(direntp->d_name, "..")) + continue; + + rc = snprintf(pathname, PATH_MAX, "%s/%s", dirpath, direntp->d_name); +@@ -1122,11 +1134,11 @@ void lxc_fini(const char *name, struct lxc_handler *handler) + + if (handler->conf->hooks_version == 0) + ret = asprintf(&namespaces[namespace_count], +- "%s:/proc/%d/fd/%d", ns_info[i].proc_name, +- self, handler->nsfd[i]); ++ "%s:/proc/%d/fd/%d", ns_info[i].proc_name, ++ self, handler->nsfd[i]); + else + ret = asprintf(&namespaces[namespace_count], +- "/proc/%d/fd/%d", self, handler->nsfd[i]); ++ "/proc/%d/fd/%d", self, handler->nsfd[i]); + if (ret == -1) { + SYSERROR("Failed to allocate memory"); + break; +@@ -1140,7 +1152,7 @@ void lxc_fini(const char *name, struct lxc_handler *handler) + ret = setenv(ns_info[i].env_name, namespaces[namespace_count], 1); + if (ret < 0) + SYSERROR("Failed to set environment variable %s=%s", +- ns_info[i].env_name, namespaces[namespace_count]); ++ ns_info[i].env_name, namespaces[namespace_count]); + else + TRACE("Set environment variable %s=%s", + ns_info[i].env_name, namespaces[namespace_count]); +@@ -1153,14 +1165,14 @@ void lxc_fini(const char *name, struct lxc_handler *handler) + ret = setenv("LXC_TARGET", "reboot", 1); + if (ret < 0) + SYSERROR("Failed to set environment variable: " +- "LXC_TARGET=reboot"); ++ "LXC_TARGET=reboot"); + } + + if (handler->conf->reboot == REBOOT_NONE) { + ret = setenv("LXC_TARGET", "stop", 1); + if (ret < 0) + SYSERROR("Failed to set environment variable: " +- "LXC_TARGET=stop"); ++ "LXC_TARGET=stop"); + } + + if (handler->conf->hooks_version == 0) +@@ -1252,7 +1264,7 @@ retry: + + /* Keep state clients that want to be notified about reboots. */ + if ((handler->conf->reboot > REBOOT_NONE) && +- (client->states[RUNNING] == 2)) ++ (client->states[RUNNING] == 2)) + continue; + + /* close state client socket */ +@@ -1287,7 +1299,8 @@ void lxc_abort(const char *name, struct lxc_handler *handler) + + static int do_start(void *data) + { +- int ret, i; ++ int ret = 0; ++ int i; + char path[PATH_MAX]; + uid_t new_uid; + gid_t new_gid; +@@ -1351,7 +1364,7 @@ static int do_start(void *data) + * https://github.com/lxc/lxd/issues/1978. + */ + if ((handler->ns_clone_flags & (CLONE_NEWNET | CLONE_NEWUSER)) == +- (CLONE_NEWNET | CLONE_NEWUSER)) { ++ (CLONE_NEWNET | CLONE_NEWUSER)) { + ret = unshare(CLONE_NEWNET); + if (ret < 0) { + SYSERROR("Failed to unshare CLONE_NEWNET"); +@@ -1390,11 +1403,11 @@ static int do_start(void *data) + * user namespace. + */ + if (!lxc_setgroups(0, NULL) && +- (handler->am_root || errno != EPERM)) ++ (handler->am_root || errno != EPERM)) + goto out_warn_father; + + ret = prctl(PR_SET_DUMPABLE, prctl_arg(1), prctl_arg(0), +- prctl_arg(0), prctl_arg(0)); ++ prctl_arg(0), prctl_arg(0)); + if (ret < 0) + goto out_warn_father; + +@@ -1413,7 +1426,7 @@ static int do_start(void *data) + } + + ret = snprintf(path, sizeof(path), "%s/dev/null", +- handler->conf->rootfs.mount); ++ handler->conf->rootfs.mount); + if (ret < 0 || ret >= sizeof(path)) + goto out_warn_father; + +@@ -1474,7 +1487,7 @@ static int do_start(void *data) + ret = putenv((char *)iterator->elem); + if (ret < 0) { + SYSERROR("Failed to set environment variable: %s", +- (char *)iterator->elem); ++ (char *)iterator->elem); + goto out_warn_father; + } + } +@@ -1498,10 +1511,10 @@ static int do_start(void *data) + */ + if (handler->conf->no_new_privs) { + ret = prctl(PR_SET_NO_NEW_PRIVS, prctl_arg(1), prctl_arg(0), +- prctl_arg(0), prctl_arg(0)); ++ prctl_arg(0), prctl_arg(0)); + if (ret < 0) { + SYSERROR("Could not set PR_SET_NO_NEW_PRIVS to block " +- "execve() gainable privileges"); ++ "execve() gainable privileges"); + goto out_warn_father; + } + DEBUG("Set PR_SET_NO_NEW_PRIVS to block execve() gainable " +@@ -1550,25 +1563,25 @@ static int do_start(void *data) + * setup on its console ie. the pty allocated in lxc_terminal_setup() so + * make sure that that pty is stdin,stdout,stderr. + */ +- setsid(); +- if (!handler->disable_pty && handler->conf->console.slave >= 0) { ++ setsid(); ++ if (!handler->disable_pty && handler->conf->console.slave >= 0) { + /* isulad:make the given terminal as controlling terminal to avoid warning + * sh: cannot set terminal process group (-1): Inappropriate ioctl for device + * sh: no job control in this shell */ +- if (ioctl(handler->conf->console.slave, TIOCSCTTY, NULL) < 0) { +- ERROR("Faild to make the given terminal the controlling terminal of the calling process"); +- goto out_warn_father; +- } +- if (handler->daemonize || !handler->conf->is_execute) +- ret = set_stdfds(handler->conf->console.slave); +- else +- ret = lxc_terminal_set_stdfds(handler->conf->console.slave); +- if (ret < 0) { ++ if (ioctl(handler->conf->console.slave, TIOCSCTTY, NULL) < 0) { ++ ERROR("Faild to make the given terminal the controlling terminal of the calling process"); ++ goto out_warn_father; ++ } ++ if (handler->daemonize || !handler->conf->is_execute) ++ ret = set_stdfds(handler->conf->console.slave); ++ else ++ ret = lxc_terminal_set_stdfds(handler->conf->console.slave); ++ if (ret < 0) { + ERROR("Failed to redirect std{in,out,err} to pty file " + "descriptor %d", handler->conf->console.slave); + goto out_warn_father; +- } +- } ++ } ++ } + + /* If we mounted a temporary proc, then unmount it now. */ + tmp_proc_unmount(handler->conf); +@@ -1611,7 +1624,7 @@ static int do_start(void *data) + if (stat(handler->conf->init_cwd, &st) < 0 && mkdir_p(handler->conf->init_cwd, 0755) < 0) { + SYSERROR("Try to create directory \"%s\" as workdir failed", handler->conf->init_cwd); + lxc_write_error_message(handler->conf->errpipe[1], "%s:%d: Failed to create workdir: %s.", +- __FILE__, __LINE__, strerror(errno)); ++ __FILE__, __LINE__, strerror(errno)); + goto out_warn_father; + } + if (chdir(handler->conf->init_cwd)) { +@@ -1636,7 +1649,7 @@ static int do_start(void *data) + ret = putenv((char *)iterator->elem); + if (ret < 0) { + SYSERROR("Failed to set environment variable: %s", +- (char *)iterator->elem); ++ (char *)iterator->elem); + goto out_warn_father; + } + } +@@ -1675,9 +1688,9 @@ static int do_start(void *data) + * drop groups if we can, so ensure that we have necessary privilege. + */ + if (lxc_list_empty(&handler->conf->id_map)) +- #if HAVE_LIBCAP ++#if HAVE_LIBCAP + if (lxc_proc_cap_is_set(CAP_SETGID, CAP_EFFECTIVE)) +- #endif ++#endif + /* isulad: set groups for init process, and before we set uid and gid */ + if (!lxc_setgroups(handler->conf->init_groups_len, handler->conf->init_groups)) { + ERROR("Can not set groups"); +@@ -1834,7 +1847,7 @@ static inline int do_share_ns(void *arg) + * setns() will fail here. + */ + SYSERROR("Failed to inherit %s namespace", +- ns_info[i].proc_name); ++ ns_info[i].proc_name); + return -1; + } + +@@ -1855,7 +1868,7 @@ static int lxc_write_container_info(char *filename, pid_t pid, pid_t p_pid, unsi + FILE *pid_fp = NULL; + int ret = 0; + +- pid_fp = fopen(filename, "w"); ++ pid_fp = lxc_fopen(filename, "w"); + if (pid_fp == NULL) { + SYSERROR("Failed to create pidfile '%s'",filename); + ret = -1; +@@ -1898,7 +1911,7 @@ static int lxc_check_container_info(char *filename, pid_t pid, pid_t p_pid, unsi + } + + if (pid != saved_pid || p_pid != saved_ppid +- || start_at != saved_start_time || p_start_at != saved_pstart_time) { ++ || start_at != saved_start_time || p_start_at != saved_pstart_time) { + ERROR("Check container info failed"); + ret = -1; + goto out; +@@ -1973,7 +1986,7 @@ static int lxc_spawn(struct lxc_handler *handler) + return -1; + + ret = socketpair(AF_UNIX, SOCK_STREAM | SOCK_CLOEXEC, 0, +- handler->data_sock); ++ handler->data_sock); + if (ret < 0) { + lxc_sync_fini(handler); + return -1; +@@ -2044,7 +2057,7 @@ static int lxc_spawn(struct lxc_handler *handler) + pid_t attacher_pid; + + attacher_pid = lxc_clone(do_share_ns, handler, +- CLONE_VFORK | CLONE_VM | CLONE_FILES); ++ CLONE_VFORK | CLONE_VM | CLONE_FILES); + if (attacher_pid < 0) { + SYSERROR(LXC_CLONE_ERROR); + goto out_delete_net; +@@ -2057,7 +2070,7 @@ static int lxc_spawn(struct lxc_handler *handler) + } + } else { + handler->pid = lxc_raw_clone_cb(do_start, handler, +- handler->ns_on_clone_flags); ++ handler->ns_on_clone_flags); + } + if (handler->pid < 0) { + SYSERROR(LXC_CLONE_ERROR); +@@ -2108,7 +2121,7 @@ static int lxc_spawn(struct lxc_handler *handler) + */ + if (wants_to_map_ids) { + if (!handler->conf->ns_share[LXC_NS_USER] && +- (handler->conf->ns_keep & CLONE_NEWUSER) == 0) { ++ (handler->conf->ns_keep & CLONE_NEWUSER) == 0) { + ret = lxc_map_ids(id_map, handler->pid); + if (ret < 0) { + ERROR("Failed to set up id mapping."); +@@ -2157,16 +2170,16 @@ static int lxc_spawn(struct lxc_handler *handler) + /* Create the network configuration. */ + if (handler->ns_clone_flags & CLONE_NEWNET) { + ret = lxc_network_move_created_netdev_priv(handler->lxcpath, +- handler->name, +- &conf->network, +- handler->pid); ++ handler->name, ++ &conf->network, ++ handler->pid); + if (ret < 0) { + ERROR("Failed to create the configured network"); + goto out_delete_net; + } + + ret = lxc_create_network_unpriv(handler->lxcpath, handler->name, +- &conf->network, handler->pid, conf->hooks_version); ++ &conf->network, handler->pid, conf->hooks_version); + if (ret < 0) { + ERROR("Failed to create the configured network"); + goto out_delete_net; +@@ -2245,10 +2258,7 @@ static int lxc_spawn(struct lxc_handler *handler) + } + + /* isulad: Run oci prestart hook at here */ +- char* oci_hook_args[1]; +- oci_hook_args[0] = alloca(strlen(lxcpath) + 1); +- (void)strlcpy(oci_hook_args[0], lxcpath, strlen(lxcpath) + 1); +- ret = run_lxc_hooks(name, "oci-prestart", conf, oci_hook_args); ++ ret = run_oci_hooks(name, "oci-prestart", conf, lxcpath); + if (ret < 0) { + ERROR("Failed to run oci prestart hooks"); + goto out_delete_net; +@@ -2302,7 +2312,7 @@ static int lxc_spawn(struct lxc_handler *handler) + goto out_abort; + + /* isulad: Run oci prestart hook at here */ +- ret = run_lxc_hooks(name, "oci-poststart", conf, oci_hook_args); ++ ret = run_oci_hooks(name, "oci-poststart", conf, lxcpath); + if (ret < 0) { + ERROR("Failed to run oci poststart hooks"); + goto out_abort; +@@ -2402,8 +2412,8 @@ out: + #define ExitSignalOffset 128 + + int __lxc_start(const char *name, struct lxc_handler *handler, +- struct lxc_operations* ops, void *data, const char *lxcpath, +- bool daemonize, int *error_num, unsigned int start_timeout) ++ struct lxc_operations* ops, void *data, const char *lxcpath, ++ bool daemonize, int *error_num, unsigned int start_timeout) + { + int ret, status, exit_code; + struct lxc_conf *conf = handler->conf; +@@ -2560,7 +2570,7 @@ static struct lxc_operations start_ops = { + }; + + int lxc_start(const char *name, char *const argv[], struct lxc_handler *handler, +- const char *lxcpath, bool daemonize, int *error_num, unsigned int start_timeout) ++ const char *lxcpath, bool daemonize, int *error_num, unsigned int start_timeout) + { + struct start_args start_arg = { + .argv = argv, +@@ -2571,7 +2581,7 @@ int lxc_start(const char *name, char *const argv[], struct lxc_handler *handler, + } + + static void lxc_destroy_container_on_signal(struct lxc_handler *handler, +- const char *name) ++ const char *name) + { + char destroy[PATH_MAX]; + struct lxc_container *c; +@@ -2607,7 +2617,7 @@ static void lxc_destroy_container_on_signal(struct lxc_handler *handler, + + if (!handler->am_root) + ret = userns_exec_full(handler->conf, lxc_rmdir_onedev_wrapper, +- destroy, "lxc_rmdir_onedev_wrapper"); ++ destroy, "lxc_rmdir_onedev_wrapper"); + else + ret = lxc_rmdir_onedev(destroy, NULL); + +@@ -2630,7 +2640,7 @@ static bool do_destroy_container(struct lxc_handler *handler) + + if (!handler->am_root) { + ret = userns_exec_full(handler->conf, storage_destroy_wrapper, +- handler->conf, "storage_destroy_wrapper"); ++ handler->conf, "storage_destroy_wrapper"); + if (ret < 0) + return false; + +@@ -2846,11 +2856,7 @@ int do_lxcapi_clean_resource(char *name, char *lxcpath, struct lxc_conf *conf, p + signal_all_processes(handler); + } + +- char* oci_hook_args[1]; +- oci_hook_args[0] = alloca(strlen(handler->lxcpath) + 1); +- (void)strlcpy(oci_hook_args[0], handler->lxcpath, strlen(handler->lxcpath) + 1); +- +- if (run_lxc_hooks(handler->name, "oci-poststop", handler->conf, oci_hook_args)) { ++ if (run_oci_hooks(handler->name, "oci-poststop", handler->conf, handler->lxcpath)) { + ERROR("Failed to run lxc.hook.post-stop for container \"%s\".", handler->name); + ret = -1; + } +diff --git a/src/lxc/storage/block.c b/src/lxc/storage/block.c +index eb75e70..8998923 100644 +--- a/src/lxc/storage/block.c ++++ b/src/lxc/storage/block.c +@@ -62,7 +62,8 @@ bool blk_detect(const char *path) + + int blk_mount(struct lxc_storage *bdev) + { +- const char *src; ++ const char *src = NULL; ++ + if (strcmp(bdev->type, "blk")) + return -22; + +diff --git a/src/lxc/terminal.c b/src/lxc/terminal.c +index 88653b4..802bf39 100644 +--- a/src/lxc/terminal.c ++++ b/src/lxc/terminal.c +@@ -113,7 +113,7 @@ void lxc_terminal_sigwinch(int sig) + } + + int lxc_terminal_signalfd_cb(int fd, uint32_t events, void *cbdata, +- struct lxc_epoll_descr *descr) ++ struct lxc_epoll_descr *descr) + { + ssize_t ret; + struct signalfd_siginfo siginfo; +@@ -300,7 +300,7 @@ static int lxc_terminal_rotate_log_file(struct lxc_terminal *terminal) + } + + static int lxc_terminal_rotate_write_data(struct lxc_terminal *terminal, const char *buf, +- int bytes_read) ++ int bytes_read) + { + int ret; + struct stat st; +@@ -310,7 +310,7 @@ static int lxc_terminal_rotate_write_data(struct lxc_terminal *terminal, const c + return 0; + + /* A log size <= 0 means that there's no limit on the size of the log +- * file at which point we simply ignore whether the log is supposed to ++ * file at which point we simply ignore whether the log is supposed to + * be rotated or not. + */ + if (terminal->log_size <= 0) +@@ -397,48 +397,49 @@ static int lxc_terminal_rotate_write_data(struct lxc_terminal *terminal, const c + + /* get time buffer */ + static bool get_time_buffer(struct timespec *timestamp, char *timebuffer, +- size_t maxsize) ++ size_t maxsize) + { +- struct tm tm_utc = { 0 }; +- int32_t nanos = 0; +- time_t seconds; ++ struct tm tm_utc = { 0 }; ++ int32_t nanos = 0; ++ time_t seconds; + +- if (!timebuffer || !maxsize) { +- return false; +- } ++ if (!timebuffer || !maxsize) { ++ return false; ++ } + +- seconds = (time_t)timestamp->tv_sec; +- gmtime_r(&seconds, &tm_utc); +- strftime(timebuffer, maxsize, "%Y-%m-%dT%H:%M:%S", &tm_utc); ++ seconds = (time_t)timestamp->tv_sec; ++ gmtime_r(&seconds, &tm_utc); ++ strftime(timebuffer, maxsize, "%Y-%m-%dT%H:%M:%S", &tm_utc); + +- nanos = (int32_t)timestamp->tv_nsec; +- sprintf(timebuffer + strlen(timebuffer), ".%09dZ", nanos); ++ nanos = (int32_t)timestamp->tv_nsec; ++ sprintf(timebuffer + strlen(timebuffer), ".%09dZ", nanos); + +- return true; ++ return true; + } + + /* get now time buffer */ + static bool get_now_time_buffer(char *timebuffer, size_t maxsize) + { +- int err = 0; +- struct timespec ts; ++ int err = 0; ++ struct timespec ts; + +- err = clock_gettime(CLOCK_REALTIME, &ts); +- if (err != 0) { +- ERROR("failed to get time"); +- return false; +- } ++ err = clock_gettime(CLOCK_REALTIME, &ts); ++ if (err != 0) { ++ ERROR("failed to get time"); ++ return false; ++ } + +- return get_time_buffer(&ts, timebuffer, maxsize); ++ return get_time_buffer(&ts, timebuffer, maxsize); + } + + static ssize_t lxc_logger_write(struct lxc_terminal *terminal, const char *type, const char *buf, +- int bytes_read) ++ int bytes_read) + { + logger_json_file *msg = NULL; + ssize_t ret = -1; + size_t len; +- char *json = NULL, timebuffer[64]; ++ char *json = NULL; ++ char timebuffer[64] = { 0 }; + parser_error err = NULL; + struct parser_context ctx = { GEN_OPTIONS_SIMPLIFY | GEN_OPTIONS_NOT_VALIDATE_UTF8, stderr }; + +@@ -473,7 +474,7 @@ cleanup: + } + + static int lxc_terminal_write_log_file(struct lxc_terminal *terminal, const char *type, char *buf, +- int bytes_read) ++ int bytes_read) + { + #define __BUF_CACHE_SIZE (16 * LXC_TERMINAL_BUFFER_SIZE) + static char cache[__BUF_CACHE_SIZE]; +@@ -541,9 +542,10 @@ static int lxc_terminal_write_log_file(struct lxc_terminal *terminal, const char + } + + /* isulad: forward data to all fifos */ +-static void lxc_forward_data_to_fifo(struct lxc_list *list, bool is_err, char *buf, int r) ++static void lxc_forward_data_to_fifo(struct lxc_list *list, bool is_err, const char *buf, int r) + { +- struct lxc_list *it,*next; ++ struct lxc_list *it = NULL; ++ struct lxc_list *next = NULL; + struct lxc_fifos_fd *elem = NULL; + + lxc_list_for_each_safe(it, list, next) { +@@ -563,7 +565,8 @@ static void lxc_forward_data_to_fifo(struct lxc_list *list, bool is_err, char *b + /* isulad: judge the fd whether is fifo */ + static bool lxc_terminal_is_fifo(int fd, struct lxc_list *list) + { +- struct lxc_list *it,*next; ++ struct lxc_list *it = NULL; ++ struct lxc_list *next = NULL; + struct lxc_fifos_fd *elem = NULL; + + lxc_list_for_each_safe(it, list, next) { +@@ -576,7 +579,7 @@ static bool lxc_terminal_is_fifo(int fd, struct lxc_list *list) + } + + int lxc_terminal_io_cb(int fd, uint32_t events, void *data, +- struct lxc_epoll_descr *descr) ++ struct lxc_epoll_descr *descr) + { + struct lxc_terminal *terminal = data; + char buf[2 * LXC_TERMINAL_BUFFER_SIZE]; +@@ -684,7 +687,7 @@ static int lxc_terminal_mainloop_add_peer(struct lxc_terminal *terminal) + + if (terminal->peer >= 0) { + ret = lxc_mainloop_add_handler(terminal->descr, terminal->peer, +- lxc_terminal_io_cb, terminal); ++ lxc_terminal_io_cb, terminal); + if (ret < 0) { + WARN("Failed to add terminal peer handler to mainloop"); + return -1; +@@ -695,7 +698,7 @@ static int lxc_terminal_mainloop_add_peer(struct lxc_terminal *terminal) + return 0; + + ret = lxc_mainloop_add_handler(terminal->descr, terminal->tty_state->sigfd, +- lxc_terminal_signalfd_cb, terminal->tty_state); ++ lxc_terminal_signalfd_cb, terminal->tty_state); + if (ret < 0) { + WARN("Failed to add signal handler to mainloop"); + return -1; +@@ -712,7 +715,7 @@ static int lxc_terminal_mainloop_add_pipes(struct lxc_terminal *terminal) + // parent read data from fifo, and send to stdin of container + if (terminal->pipes[0][1] > 0) { + ret = lxc_mainloop_add_handler(terminal->descr, terminal->pipes[0][1], +- lxc_terminal_io_cb, terminal); ++ lxc_terminal_io_cb, terminal); + if (ret) { + ERROR("pipe fd %d not added to mainloop", terminal->pipes[0][1]); + return -1; +@@ -721,7 +724,7 @@ static int lxc_terminal_mainloop_add_pipes(struct lxc_terminal *terminal) + // parent read data from stdout of container, and send to fifo + if (terminal->pipes[1][0] > 0) { + ret = lxc_mainloop_add_handler(terminal->descr, terminal->pipes[1][0], +- lxc_terminal_io_cb, terminal); ++ lxc_terminal_io_cb, terminal); + if (ret) { + ERROR("pipe fd %d not added to mainloop", terminal->pipes[1][0]); + return -1; +@@ -730,7 +733,7 @@ static int lxc_terminal_mainloop_add_pipes(struct lxc_terminal *terminal) + // parent read data from stderr of container, and send to fifo + if (terminal->pipes[2][0] > 0) { + ret = lxc_mainloop_add_handler(terminal->descr, terminal->pipes[2][0], +- lxc_terminal_io_cb, terminal); ++ lxc_terminal_io_cb, terminal); + if (ret) { + ERROR("pipe fd %d not added to mainloop", terminal->pipes[2][0]); + return -1; +@@ -743,14 +746,15 @@ static int lxc_terminal_mainloop_add_pipes(struct lxc_terminal *terminal) + static int lxc_terminal_mainloop_add_fifo(struct lxc_terminal *terminal) + { + int ret = 0; +- struct lxc_list *it,*next; ++ struct lxc_list *it = NULL; ++ struct lxc_list *next = NULL; + struct lxc_fifos_fd *elem = NULL; + + lxc_list_for_each_safe(it, &terminal->fifos, next) { + elem = it->elem; + if (elem->in_fd >= 0) { + ret = lxc_mainloop_add_handler(terminal->descr, elem->in_fd, +- lxc_terminal_io_cb, terminal); ++ lxc_terminal_io_cb, terminal); + if (ret) { + ERROR("console fifo %s not added to mainloop", elem->in_fifo); + return -1; +@@ -761,7 +765,7 @@ static int lxc_terminal_mainloop_add_fifo(struct lxc_terminal *terminal) + } + + int lxc_terminal_mainloop_add(struct lxc_epoll_descr *descr, +- struct lxc_terminal *terminal) ++ struct lxc_terminal *terminal) + { + int ret; + +@@ -796,7 +800,7 @@ int lxc_terminal_mainloop_add(struct lxc_epoll_descr *descr, + } + + ret = lxc_mainloop_add_handler(descr, terminal->master, +- lxc_terminal_io_cb, terminal); ++ lxc_terminal_io_cb, terminal); + if (ret < 0) { + ERROR("Failed to add handler for terminal master fd %d to " + "mainloop", terminal->master); +@@ -879,7 +883,7 @@ static void lxc_terminal_peer_proxy_free(struct lxc_terminal *terminal) + } + + static int lxc_terminal_peer_proxy_alloc(struct lxc_terminal *terminal, +- int sockfd) ++ int sockfd) + { + int ret; + struct termios oldtermio; +@@ -904,14 +908,14 @@ static int lxc_terminal_peer_proxy_alloc(struct lxc_terminal *terminal, + * that the real terminal master will send to / recv from. + */ + ret = openpty(&terminal->proxy.master, &terminal->proxy.slave, NULL, +- NULL, NULL); ++ NULL, NULL); + if (ret < 0) { + SYSERROR("Failed to open proxy terminal"); + return -1; + } + + ret = ttyname_r(terminal->proxy.slave, terminal->proxy.name, +- sizeof(terminal->proxy.name)); ++ sizeof(terminal->proxy.name)); + if (ret < 0) { + SYSERROR("Failed to retrieve name of proxy terminal slave"); + goto on_error; +@@ -1253,7 +1257,7 @@ static int terminal_fifo_open(const char *fifo_path, int flags) + { + int fd = -1; + +- fd = open(fifo_path, flags); ++ fd = lxc_open(fifo_path, flags, 0); + if (fd < 0) { + WARN("Failed to open fifo %s to send message: %s.", fifo_path, + strerror(errno)); +@@ -1491,15 +1495,17 @@ int lxc_terminal_set_stdfds(int fd) + return 0; + + for (i = 0; i < 3; i++) +- if (!__terminal_dup2(fd, (int[]){STDIN_FILENO, STDOUT_FILENO, +- STDERR_FILENO}[i])) +- return -1; ++ if (!__terminal_dup2(fd, (int[]) { ++ STDIN_FILENO, STDOUT_FILENO, ++ STDERR_FILENO ++ }[i])) ++ return -1; + + return 0; + } + + int lxc_terminal_stdin_cb(int fd, uint32_t events, void *cbdata, +- struct lxc_epoll_descr *descr) ++ struct lxc_epoll_descr *descr) + { + int ret; + char c; +@@ -1533,7 +1539,7 @@ int lxc_terminal_stdin_cb(int fd, uint32_t events, void *cbdata, + } + + int lxc_terminal_master_cb(int fd, uint32_t events, void *cbdata, +- struct lxc_epoll_descr *descr) ++ struct lxc_epoll_descr *descr) + { + int r, w; + char buf[LXC_TERMINAL_BUFFER_SIZE]; +@@ -1559,8 +1565,8 @@ int lxc_terminal_getfd(struct lxc_container *c, int *ttynum, int *masterfd) + } + + int lxc_console(struct lxc_container *c, int ttynum, +- int stdinfd, int stdoutfd, int stderrfd, +- int escape) ++ int stdinfd, int stdoutfd, int stderrfd, ++ int escape) + { + int masterfd, ret, ttyfd; + struct lxc_epoll_descr descr; +@@ -1602,7 +1608,7 @@ int lxc_console(struct lxc_container *c, int ttynum, + + if (ts->sigfd != -1) { + ret = lxc_mainloop_add_handler(&descr, ts->sigfd, +- lxc_terminal_signalfd_cb, ts); ++ lxc_terminal_signalfd_cb, ts); + if (ret < 0) { + ERROR("Failed to add signal handler to mainloop"); + goto close_mainloop; +@@ -1610,14 +1616,14 @@ int lxc_console(struct lxc_container *c, int ttynum, + } + + ret = lxc_mainloop_add_handler(&descr, ts->stdinfd, +- lxc_terminal_stdin_cb, ts); ++ lxc_terminal_stdin_cb, ts); + if (ret < 0) { + ERROR("Failed to add stdin handler"); + goto close_mainloop; + } + + ret = lxc_mainloop_add_handler(&descr, ts->masterfd, +- lxc_terminal_master_cb, ts); ++ lxc_terminal_master_cb, ts); + if (ret < 0) { + ERROR("Failed to add master handler"); + goto close_mainloop; +@@ -1625,11 +1631,11 @@ int lxc_console(struct lxc_container *c, int ttynum, + + if (ts->escape >= 1) { + fprintf(stderr, +- "\n" +- "Connected to tty %1$d\n" +- "Type to exit the console, " +- " to enter Ctrl+%2$c itself\n", +- ttynum, 'a' + escape - 1); ++ "\n" ++ "Connected to tty %1$d\n" ++ "Type to exit the console, " ++ " to enter Ctrl+%2$c itself\n", ++ ttynum, 'a' + escape - 1); + } + + if (istty) { +@@ -1729,7 +1735,8 @@ void lxc_terminal_init(struct lxc_terminal *terminal) + /* isulad: if fd == -1, means delete all the fifos*/ + int lxc_terminal_delete_fifo(int fd, struct lxc_list *list) + { +- struct lxc_list *it,*next; ++ struct lxc_list *it = NULL; ++ struct lxc_list *next = NULL; + struct lxc_fifos_fd *elem = NULL; + + lxc_list_for_each_safe(it, list, next) { +@@ -1837,7 +1844,7 @@ int lxc_terminal_add_fifos(struct lxc_conf *conf, const char *fifonames) + } + + if (lxc_mainloop_add_handler(terminal->descr, fifofd_in, +- lxc_terminal_io_cb, terminal)) { ++ lxc_terminal_io_cb, terminal)) { + ERROR("console fifo not added to mainloop"); + lxc_terminal_delete_fifo(fifofd_in, &terminal->fifos); + ret = -1; +diff --git a/src/lxc/utils.c b/src/lxc/utils.c +index dc0e6c5..9ce2473 100644 +--- a/src/lxc/utils.c ++++ b/src/lxc/utils.c +@@ -56,6 +56,7 @@ + #include "raw_syscalls.h" + #include "syscall_wrappers.h" + #include "utils.h" ++#include "path.h" + + #ifndef HAVE_STRLCPY + #include "include/strlcpy.h" +@@ -81,7 +82,7 @@ lxc_log_define(utils, lxc); + extern bool btrfs_try_remove_subvol(const char *path); + + static int _recursive_rmdir(const char *dirname, dev_t pdev, +- const char *exclude, int level, bool onedev) ++ const char *exclude, int level, bool onedev) + { + struct dirent *direntp; + DIR *dir; +@@ -101,7 +102,7 @@ static int _recursive_rmdir(const char *dirname, dev_t pdev, + int rc; + + if (!strcmp(direntp->d_name, ".") || +- !strcmp(direntp->d_name, "..")) ++ !strcmp(direntp->d_name, "..")) + continue; + + rc = snprintf(pathname, PATH_MAX, "%s/%s", dirname, direntp->d_name); +@@ -155,8 +156,8 @@ static int _recursive_rmdir(const char *dirname, dev_t pdev, + } else { + if (unlink(pathname) < 0) { + if (saved_errno == 0) { +- saved_errno = errno; +- } ++ saved_errno = errno; ++ } + SYSERROR("Failed to delete \"%s\"", pathname); + failed=1; + } +@@ -186,7 +187,7 @@ static int _recursive_rmdir(const char *dirname, dev_t pdev, + static bool is_native_overlayfs(const char *path) + { + if (has_fs_type(path, OVERLAY_SUPER_MAGIC) || +- has_fs_type(path, OVERLAYFS_SUPER_MAGIC)) ++ has_fs_type(path, OVERLAYFS_SUPER_MAGIC)) + return true; + + return false; +@@ -650,7 +651,7 @@ uint64_t fnv_64a_buf(void *buf, size_t len, uint64_t hval) + * multiply by the 64 bit FNV magic prime mod 2^64 + */ + hval += (hval << 1) + (hval << 4) + (hval << 5) + +- (hval << 7) + (hval << 8) + (hval << 40); ++ (hval << 7) + (hval << 8) + (hval << 40); + } + + return hval; +@@ -792,7 +793,7 @@ char *on_path(const char *cmd, const char *rootfs) + lxc_iterate_parts (entry, path, ":") { + if (rootfs) + ret = snprintf(cmdpath, PATH_MAX, "%s/%s/%s", rootfs, +- entry, cmd); ++ entry, cmd); + else + ret = snprintf(cmdpath, PATH_MAX, "%s/%s", entry, cmd); + if (ret < 0 || ret >= PATH_MAX) +@@ -820,7 +821,7 @@ char *choose_init(const char *rootfs) + { + char *retv = NULL; + const char *empty = "", +- *tmp; ++ *tmp; + int ret, env_set = 0; + + if (!getenv("PATH")) { +@@ -1141,7 +1142,7 @@ out: + * setup before executing the container's init + */ + int safe_mount(const char *src, const char *dest, const char *fstype, +- unsigned long flags, const void *data, const char *rootfs) ++ unsigned long flags, const void *data, const char *rootfs) + { + int destfd, ret, saved_errno; + /* Only needs enough for /proc/self/fd/. */ +@@ -1368,7 +1369,7 @@ out: + int lxc_preserve_ns(const int pid, const char *ns) + { + int ret; +-/* 5 /proc + 21 /int_as_str + 3 /ns + 20 /NS_NAME + 1 \0 */ ++ /* 5 /proc + 21 /int_as_str + 3 /ns + 20 /NS_NAME + 1 \0 */ + #define __NS_PATH_LEN 50 + char path[__NS_PATH_LEN]; + +@@ -1377,8 +1378,8 @@ int lxc_preserve_ns(const int pid, const char *ns) + * string. + */ + ret = snprintf(path, __NS_PATH_LEN, "/proc/%d/ns%s%s", pid, +- !ns || strcmp(ns, "") == 0 ? "" : "/", +- !ns || strcmp(ns, "") == 0 ? "" : ns); ++ !ns || strcmp(ns, "") == 0 ? "" : "/", ++ !ns || strcmp(ns, "") == 0 ? "" : ns); + if (ret < 0 || (size_t)ret >= __NS_PATH_LEN) { + errno = EFBIG; + return -1; +@@ -1452,7 +1453,7 @@ static int lxc_get_unused_loop_dev_legacy(char *loop_name) + ret = ioctl(fd, LOOP_GET_STATUS64, &lo64); + if (ret < 0) { + if (ioctl(fd, LOOP_GET_STATUS64, &lo64) == 0 || +- errno != ENXIO) { ++ errno != ENXIO) { + close(fd); + fd = -1; + continue; +@@ -1726,7 +1727,7 @@ int lxc_set_death_signal(int signal, pid_t parent) + //pid_t ppid; + + ret = prctl(PR_SET_PDEATHSIG, prctl_arg(signal), prctl_arg(0), +- prctl_arg(0), prctl_arg(0)); ++ prctl_arg(0), prctl_arg(0)); + + /* Check whether we have been orphaned. */ + /* isulad: delete this check, ppid will not be 0 if we shared host pid */ +@@ -1770,7 +1771,7 @@ int fd_nonblock(int fd) + { + long flags; + +- flags = fcntl(fd, F_GETFL); ++ flags = fcntl(fd, F_GETFL); + + return fcntl(fd, F_SETFL, flags | O_NONBLOCK); + } +@@ -1797,7 +1798,7 @@ int recursive_destroy(char *dirname) + struct stat mystat; + + if (!strcmp(direntp->d_name, ".") || +- !strcmp(direntp->d_name, "..")) ++ !strcmp(direntp->d_name, "..")) + continue; + + pathname = must_make_path(dirname, direntp->d_name, NULL); +@@ -1818,7 +1819,7 @@ int recursive_destroy(char *dirname) + if (ret < 0) + r = -1; + +- next: ++next: + free(pathname); + } + +@@ -1850,7 +1851,7 @@ int lxc_setup_keyring(void) + * information leaks. + */ + keyring = keyctl(KEYCTL_JOIN_SESSION_KEYRING, prctl_arg(0), +- prctl_arg(0), prctl_arg(0), prctl_arg(0)); ++ prctl_arg(0), prctl_arg(0), prctl_arg(0)); + if (keyring < 0) { + switch (errno) { + case ENOSYS: +@@ -1913,7 +1914,7 @@ int lxc_file2str(const char *filename, char ret[], int cap) + { + int fd, num_read; + +- if ((fd = open(filename, O_RDONLY | O_CLOEXEC)) == -1) ++ if ((fd = lxc_open(filename, O_RDONLY | O_CLOEXEC, 0)) == -1) + return -1; + if ((num_read = read(fd, ret, cap - 1)) <= 0) + num_read = -1; +@@ -1929,7 +1930,7 @@ int lxc_file2str(const char *filename, char ret[], int cap) + * Such names confuse %s (see scanf(3)), so the string is split and %39c + * is used instead. (except for embedded ')' "(%[^)]c)" would work. + */ +-static proc_t *lxc_stat2proc(char *S) ++static proc_t *lxc_stat2proc(const char *S) + { + int num; + proc_t *P = NULL; +@@ -1956,33 +1957,33 @@ static proc_t *lxc_stat2proc(char *S) + return NULL; + } + num = sscanf(tmp + 2, /* skip space after ')' too */ +- "%c " +- "%d %d %d %d %d " +- "%lu %lu %lu %lu %lu " +- "%Lu %Lu %Lu %Lu " /* utime stime cutime cstime */ +- "%ld %ld %ld %ld " +- "%Lu " /* start_time */ +- "%lu " +- "%ld " +- "%lu %lu %lu %lu %lu %lu " +- "%*s %*s %*s %*s " /* discard, no RT signals & Linux 2.1 used hex */ +- "%lu %lu %lu " +- "%d %d " +- "%lu %lu", +- &P->state, +- &P->ppid, &P->pgrp, &P->session, &P->tty, &P->tpgid, +- &P->flags, &P->min_flt, &P->cmin_flt, &P->maj_flt, &P->cmaj_flt, +- &P->utime, &P->stime, &P->cutime, &P->cstime, +- &P->priority, &P->nice, &P->timeout, &P->it_real_value, +- &P->start_time, +- &P->vsize, +- &P->rss, +- &P->rss_rlim, &P->start_code, &P->end_code, &P->start_stack, &P->kstk_esp, +- &P->kstk_eip, +- &P->wchan, &P->nswap, &P->cnswap, +- &P->exit_signal, &P->processor, /* 2.2.1 ends with "exit_signal" */ +- &P->rtprio, &P->sched /* both added to 2.5.18 */ +- ); ++ "%c " ++ "%d %d %d %d %d " ++ "%lu %lu %lu %lu %lu " ++ "%Lu %Lu %Lu %Lu " /* utime stime cutime cstime */ ++ "%ld %ld %ld %ld " ++ "%Lu " /* start_time */ ++ "%lu " ++ "%ld " ++ "%lu %lu %lu %lu %lu %lu " ++ "%*s %*s %*s %*s " /* discard, no RT signals & Linux 2.1 used hex */ ++ "%lu %lu %lu " ++ "%d %d " ++ "%lu %lu", ++ &P->state, ++ &P->ppid, &P->pgrp, &P->session, &P->tty, &P->tpgid, ++ &P->flags, &P->min_flt, &P->cmin_flt, &P->maj_flt, &P->cmaj_flt, ++ &P->utime, &P->stime, &P->cutime, &P->cstime, ++ &P->priority, &P->nice, &P->timeout, &P->it_real_value, ++ &P->start_time, ++ &P->vsize, ++ &P->rss, ++ &P->rss_rlim, &P->start_code, &P->end_code, &P->start_stack, &P->kstk_esp, ++ &P->kstk_eip, ++ &P->wchan, &P->nswap, &P->cnswap, ++ &P->exit_signal, &P->processor, /* 2.2.1 ends with "exit_signal" */ ++ &P->rtprio, &P->sched /* both added to 2.5.18 */ ++ ); + + if (P->tty == 0) + P->tty = -1; /* the old notty val, update elsewhere bef. moving to 0 */ +@@ -2092,3 +2093,67 @@ bool is_non_negative_num(const char *s) + return true; + } + ++void *lxc_common_calloc_s(size_t size) ++{ ++ if (size == 0 || size > SIZE_MAX) { ++ return NULL; ++ } ++ ++ return calloc((size_t)1, size); ++} ++ ++ ++int lxc_mem_realloc(void **newptr, size_t newsize, void *oldptr, size_t oldsize) ++{ ++ void *tmp = NULL; ++ int nret = 0; ++ if (newsize == 0) { ++ goto err_out; ++ } ++ ++ tmp = lxc_common_calloc_s(newsize); ++ if (tmp == NULL) { ++ ERROR("Failed to malloc memory"); ++ goto err_out; ++ } ++ ++ if (oldptr != NULL) { ++ memcpy(tmp, oldptr, (newsize < oldsize) ? newsize : oldsize); ++ ++ memset(oldptr, 0, oldsize); ++ ++ free(oldptr); ++ } ++ ++ *newptr = tmp; ++ return 0; ++ ++err_out: ++ return -1; ++} ++ ++int lxc_open(const char *filename, int flags, mode_t mode) ++{ ++ char rpath[PATH_MAX] = {0x00}; ++ ++ if (cleanpath(filename, rpath, sizeof(rpath)) == NULL) { ++ return -1; ++ } ++ if (mode) { ++ return open(rpath, flags | O_CLOEXEC, mode); ++ } else { ++ return open(rpath, flags | O_CLOEXEC); ++ } ++} ++ ++FILE *lxc_fopen(const char *filename, const char *mode) ++{ ++ char rpath[PATH_MAX] = {0x00}; ++ ++ if (cleanpath(filename, rpath, sizeof(rpath)) == NULL) { ++ return NULL; ++ } ++ ++ return fopen_cloexec(rpath, mode); ++} ++ +diff --git a/src/lxc/utils.h b/src/lxc/utils.h +index 4410ff2..2406ee1 100644 +--- a/src/lxc/utils.h ++++ b/src/lxc/utils.h +@@ -229,8 +229,8 @@ extern bool switch_to_ns(pid_t pid, const char *ns); + extern char *get_template_path(const char *t); + extern int open_without_symlink(const char *target, const char *prefix_skip); + extern int safe_mount(const char *src, const char *dest, const char *fstype, +- unsigned long flags, const void *data, +- const char *rootfs); ++ unsigned long flags, const void *data, ++ const char *rootfs); + extern int lxc_mount_proc_if_needed(const char *rootfs); + extern int open_devnull(void); + extern int set_stdfds(int fd); +@@ -269,7 +269,7 @@ extern int lxc_unstack_mountpoint(const char *path, bool lazy); + * @param[in] args Arguments to be passed to child_fn. + */ + extern int run_command(char *buf, size_t buf_size, int (*child_fn)(void *), +- void *args); ++ void *args); + + /* Concatenate all passed-in strings into one path. Do not fail. If any piece + * is not prefixed with '/', add a '/'. +@@ -324,5 +324,8 @@ extern bool lxc_process_alive(pid_t pid, unsigned long long start_time); + + extern bool is_non_negative_num(const char *s); + extern int lxc_file2str(const char *filename, char ret[], int cap); +- ++extern int lxc_mem_realloc(void **newptr, size_t newsize, void *oldptr, size_t oldsize); ++extern void *lxc_common_calloc_s(size_t size); ++extern int lxc_open(const char *filename, int flags, mode_t mode); ++extern FILE *lxc_fopen(const char *filename, const char *mode); + #endif /* __LXC_UTILS_H */ +-- +1.8.3.1 + diff --git a/0102-lxc-fix-compile-warnings.patch b/0102-lxc-fix-compile-warnings.patch new file mode 100644 index 0000000..11c2e2a --- /dev/null +++ b/0102-lxc-fix-compile-warnings.patch @@ -0,0 +1,84 @@ +From 1693410ec532fb2197ae8f7152409ee4c29180a3 Mon Sep 17 00:00:00 2001 +From: LiFeng +Date: Mon, 3 Jun 2019 06:19:07 -0400 +Subject: [PATCH 102/122] lxc: fix compile warnings + +Signed-off-by: LiFeng +--- + src/lxc/conf.c | 1 - + src/lxc/path.c | 5 ----- + src/lxc/utils.c | 2 +- + 3 files changed, 1 insertion(+), 7 deletions(-) + +diff --git a/src/lxc/conf.c b/src/lxc/conf.c +index ec1667d..e7df336 100644 +--- a/src/lxc/conf.c ++++ b/src/lxc/conf.c +@@ -4992,7 +4992,6 @@ int run_lxc_hooks(const char *name, char *hookname, struct lxc_conf *conf, + + int run_oci_hooks(const char *name, char *hookname, struct lxc_conf *conf, const char *lxcpath) + { +- struct lxc_list *it; + int which = -1; + + if (strcmp(hookname, "oci-prestart") == 0) { +diff --git a/src/lxc/path.c b/src/lxc/path.c +index 45ab4c3..92692de 100644 +--- a/src/lxc/path.c ++++ b/src/lxc/path.c +@@ -141,7 +141,6 @@ int do_clean_path(const char *respath, const char *limit_respath, + { + char *dest = *dst; + const char *endpos = NULL; +- errno_t ret; + + for (endpos = stpos; *stpos; stpos = endpos) { + while (ISSLASH(*stpos)) { +@@ -184,7 +183,6 @@ char *cleanpath(const char *path, char *realpath, size_t realpath_len) + char *dest = NULL; + const char *stpos = NULL; + const char *limit_respath = NULL; +- errno_t ret; + + if (path == NULL || path[0] == '\0' || \ + realpath == NULL || (realpath_len < PATH_MAX)) { +@@ -293,7 +291,6 @@ static int do_get_symlinks(const char **fullpath, const char *prefix, size_t pre + { + char *buf = NULL; + size_t len; +- errno_t rc = EOK; + ssize_t n; + int ret = -1; + +@@ -398,7 +395,6 @@ static int do_eval_symlinks_in_scope(const char *fullpath, const char *prefix, + const char *start = NULL; + const char *end = NULL; + char *extra_buf = NULL; +- errno_t rc = EOK; + int nret = 0; + int num_links = 0; + +@@ -450,7 +446,6 @@ static char *eval_symlinks_in_scope(const char *fullpath, const char *rootpath) + char *prefix = NULL; + const char *rpath_limit = NULL; + size_t prefix_len; +- errno_t rc = EOK; + + if (fullpath == NULL || rootpath == NULL) { + return NULL; +diff --git a/src/lxc/utils.c b/src/lxc/utils.c +index 9ce2473..e674947 100644 +--- a/src/lxc/utils.c ++++ b/src/lxc/utils.c +@@ -2106,7 +2106,7 @@ void *lxc_common_calloc_s(size_t size) + int lxc_mem_realloc(void **newptr, size_t newsize, void *oldptr, size_t oldsize) + { + void *tmp = NULL; +- int nret = 0; ++ + if (newsize == 0) { + goto err_out; + } +-- +1.8.3.1 + diff --git a/0103-lxc-fix-code-error-in-conf.c.patch b/0103-lxc-fix-code-error-in-conf.c.patch new file mode 100644 index 0000000..14d1efe --- /dev/null +++ b/0103-lxc-fix-code-error-in-conf.c.patch @@ -0,0 +1,109 @@ +From d3f6e8e611dd6b3160d58159e99565c3686e6398 Mon Sep 17 00:00:00 2001 +From: LiFeng +Date: Mon, 3 Jun 2019 11:14:22 -0400 +Subject: [PATCH 103/122] lxc: fix code error in conf.c + +Signed-off-by: LiFeng +--- + src/lxc/conf.c | 21 ++++++++++++++++----- + src/lxc/conf.h | 2 +- + 2 files changed, 17 insertions(+), 6 deletions(-) + +diff --git a/src/lxc/conf.c b/src/lxc/conf.c +index e7df336..127ef77 100644 +--- a/src/lxc/conf.c ++++ b/src/lxc/conf.c +@@ -2446,7 +2446,8 @@ static int check_mount_destination(const char *rootfs, const char *dest) + } + + for(invalid = invalid_destinations; *invalid != NULL; invalid++) { +- char *fullpath, *relpath; ++ char *fullpath = NULL; ++ char *relpath = NULL; + const char *parts[3] = { + rootfs, + *invalid, +@@ -2588,6 +2589,8 @@ retry: + max_retry--; + DEBUG("mount entry with loop dev failed, retry mount." + "retry count left %d", max_retry); ++ if (loop.lofd != -1) ++ close(loop.lofd); + goto retry; + } + } +@@ -2799,7 +2802,9 @@ static int mount_file_entries(const struct lxc_conf *conf, + ret = mount_entry_on_absolute_rootfs(&mntent, rootfs, + lxc_name, lxc_path); + free(mntent.mnt_fsname); ++ mntent.mnt_fsname = NULL; + free(mntent.mnt_dir); ++ mntent.mnt_dir = NULL; + if (ret < 0) + return -1; + } +@@ -4378,8 +4383,9 @@ int lxc_drop_caps(struct lxc_conf *conf) + int ret = 0; + struct lxc_list *iterator = NULL; + char *keep_entry = NULL; +- int i, capid; +- int numcaps = lxc_caps_last_cap() + 1; ++ size_t i = 0; ++ int capid; ++ size_t numcaps = (size_t)lxc_caps_last_cap() + 1; + struct lxc_list *caps = NULL; + int *caplist = NULL; + +@@ -4545,6 +4551,10 @@ static char **merge_ocihook_env(char **oldenvs, size_t env_len, size_t *merge_en + for(j = 0; j < (sizeof(lxc_envs) / sizeof(char *)); j++) { + tmpenv = getenv(lxc_envs[j]); + if (tmpenv && i < (result_len - 1)) { ++ if (strlen(tmpenv) > (SIZE_MAX - 1 - 1 - strlen(lxc_envs[j]))) { ++ lxc_free_array((void **)result, free); ++ return NULL; ++ } + lxcenv_buf = malloc(strlen(tmpenv) + 1 + strlen(lxc_envs[j]) + 1); + if (!lxcenv_buf) { + lxc_free_array((void **)result, free); +@@ -4837,7 +4847,7 @@ static int run_ocihook_script_argv(const char *name, const char *section, + { + int ret; + const char *script = oconf->ocihook->path; +- char *inmsg; ++ char *inmsg = NULL; + + INFO("Executing script \"%s\" for container \"%s\", config section \"%s\".", + script, name, section); +@@ -4990,7 +5000,7 @@ int run_lxc_hooks(const char *name, char *hookname, struct lxc_conf *conf, + return 0; + } + +-int run_oci_hooks(const char *name, char *hookname, struct lxc_conf *conf, const char *lxcpath) ++int run_oci_hooks(const char *name, const char *hookname, struct lxc_conf *conf, const char *lxcpath) + { + int which = -1; + +@@ -5327,6 +5337,7 @@ int lxc_clear_init_args(struct lxc_conf *lxc_conf) + int lxc_clear_init_groups(struct lxc_conf *lxc_conf) + { + free(lxc_conf->init_groups); ++ lxc_conf->init_groups = NULL; + lxc_conf->init_groups_len = 0; + + return 0; +diff --git a/src/lxc/conf.h b/src/lxc/conf.h +index 26bb70f..e4bfc48 100644 +--- a/src/lxc/conf.h ++++ b/src/lxc/conf.h +@@ -445,7 +445,7 @@ extern struct lxc_conf *current_config; + + extern int run_lxc_hooks(const char *name, char *hook, struct lxc_conf *conf, + char *argv[]); +-extern int run_oci_hooks(const char *name, char *hookname, struct lxc_conf *conf, const char *lxcpath); ++extern int run_oci_hooks(const char *name, const char *hookname, struct lxc_conf *conf, const char *lxcpath); + + extern int detect_shared_rootfs(void); + extern struct lxc_conf *lxc_conf_init(void); +-- +1.8.3.1 + diff --git a/0104-lxc-fix-code-error.patch b/0104-lxc-fix-code-error.patch new file mode 100644 index 0000000..2e518a7 --- /dev/null +++ b/0104-lxc-fix-code-error.patch @@ -0,0 +1,179 @@ +From 6068ac0d2ac11c158749ffda00135cf5325207fe Mon Sep 17 00:00:00 2001 +From: tanyifeng +Date: Mon, 3 Jun 2019 11:27:34 -0400 +Subject: [PATCH 104/122] lxc: fix code error + +Signed-off-by: tanyifeng +Signed-off-by: LiFeng +--- + src/lxc/af_unix.c | 8 +++++++- + src/lxc/cgroups/cgfsng.c | 10 +++++++++- + src/lxc/lxccontainer.c | 2 ++ + src/lxc/path.c | 1 + + src/lxc/terminal.c | 16 ++++++++-------- + src/lxc/utils.c | 8 ++++---- + 6 files changed, 31 insertions(+), 14 deletions(-) + +diff --git a/src/lxc/af_unix.c b/src/lxc/af_unix.c +index 4c45946..1fc8ab0 100644 +--- a/src/lxc/af_unix.c ++++ b/src/lxc/af_unix.c +@@ -204,12 +204,18 @@ int lxc_abstract_unix_recv_fds_timeout(int fd, int *recvfds, int num_recvfds, + struct cmsghdr *cmsg = NULL; + char buf[1] = {0}; + char *cmsgbuf = NULL; +- size_t cmsgbufsize = CMSG_SPACE(num_recvfds * sizeof(int)); ++ size_t cmsgbufsize = 0; + struct timeval out; + + memset(&msg, 0, sizeof(msg)); + memset(&iov, 0, sizeof(iov)); + ++ if (num_recvfds <= 0 || (SIZE_MAX / sizeof(int) < num_recvfds)) { ++ errno = EINVAL; ++ return -1; ++ } ++ ++ cmsgbufsize = CMSG_SPACE((num_recvfds * sizeof(int))); + cmsgbuf = malloc(cmsgbufsize); + if (!cmsgbuf) { + errno = ENOMEM; +diff --git a/src/lxc/cgroups/cgfsng.c b/src/lxc/cgroups/cgfsng.c +index 67c7a0e..46f13f4 100644 +--- a/src/lxc/cgroups/cgfsng.c ++++ b/src/lxc/cgroups/cgfsng.c +@@ -1688,7 +1688,7 @@ __cgfsng_ops static bool cgfsng_mount(struct cgroup_ops *ops, + if (merged) { + char **mc = NULL; + for (mc = merged; *mc; mc++) { +- char *token; ++ char *token = NULL; + char *copy = must_copy_string(*mc); + lxc_iterate_parts(token, copy, ",") { + int mret; +@@ -2249,7 +2249,15 @@ static int cg_legacy_get_data(struct cgroup_ops *ops, const char *filename, + char *controller = NULL; + + len = strlen(filename); ++ if (SIZE_MAX - 1 < len) { ++ errno = EINVAL; ++ return -1; ++ } + controller = calloc(1, len + 1); ++ if (controller == NULL) { ++ errno = ENOMEM; ++ return -1; ++ } + (void)strlcpy(controller, filename, len + 1); + + p = strchr(controller, '.'); +diff --git a/src/lxc/lxccontainer.c b/src/lxc/lxccontainer.c +index e32f524..72417ed 100644 +--- a/src/lxc/lxccontainer.c ++++ b/src/lxc/lxccontainer.c +@@ -1208,6 +1208,7 @@ static bool do_lxcapi_start(struct lxc_container *c, int useinit, char * const a + reboot: + if (conf->reboot == REBOOT_INIT) { + /* initialize handler */ ++ lxc_free_handler(handler); + handler = lxc_init_handler(c->name, conf, c->config_path, c->daemonize); + if (!handler) { + ret = 1; +@@ -1248,6 +1249,7 @@ reboot: + conf->reboot = REBOOT_INIT; + goto reboot; + } ++ lxc_free_handler(handler); + + on_error: + if (c->pidfile) { +diff --git a/src/lxc/path.c b/src/lxc/path.c +index 92692de..36d5e0b 100644 +--- a/src/lxc/path.c ++++ b/src/lxc/path.c +@@ -31,6 +31,7 @@ bool specify_current_dir(const char *path) + + bname = basename(basec); + if (bname == NULL) { ++ free(basec); + ERROR("Out of memory"); + return false; + } +diff --git a/src/lxc/terminal.c b/src/lxc/terminal.c +index 802bf39..a8a0dc9 100644 +--- a/src/lxc/terminal.c ++++ b/src/lxc/terminal.c +@@ -231,7 +231,7 @@ static int lxc_terminal_truncate_log_file(struct lxc_terminal *terminal) + } + + /* +- * isuald: support mult-logfiles ++ * isulad: support mult-logfiles + * */ + static int lxc_terminal_rename_old_log_file(struct lxc_terminal *terminal) + { +@@ -242,10 +242,10 @@ static int lxc_terminal_rename_old_log_file(struct lxc_terminal *terminal) + + for (i = terminal->log_rotate - 1; i > 1; i--) { + ret = sprintf(tmp, "%s.%u", terminal->log_path, i); +- if (ret < 0) ++ if (ret < 0) { + return -EFBIG; +- if (rename_fname) +- free(rename_fname); ++ } ++ free(rename_fname); + rename_fname = strdup(tmp); + ret = sprintf(tmp, "%s.%u", terminal->log_path, (i - 1)); + if (ret < 0) { +@@ -253,13 +253,13 @@ static int lxc_terminal_rename_old_log_file(struct lxc_terminal *terminal) + return -EFBIG; + } + ret = lxc_unpriv(rename(tmp, rename_fname)); +- if (ret < 0 && errno != ENOENT) ++ if (ret < 0 && errno != ENOENT) { ++ free(rename_fname); + return ret; ++ } + } + +- if (rename_fname) +- free(rename_fname); +- ++ free(rename_fname); + return 0; + } + +diff --git a/src/lxc/utils.c b/src/lxc/utils.c +index e674947..9db762f 100644 +--- a/src/lxc/utils.c ++++ b/src/lxc/utils.c +@@ -1769,11 +1769,11 @@ int fd_cloexec(int fd, bool cloexec) + /* isulad: fd_nonblock */ + int fd_nonblock(int fd) + { +- long flags; ++ int flags; + + flags = fcntl(fd, F_GETFL); + +- return fcntl(fd, F_SETFL, flags | O_NONBLOCK); ++ return fcntl(fd, F_SETFL, (int)((unsigned int)flags | O_NONBLOCK)); + } + + int recursive_destroy(char *dirname) +@@ -2140,9 +2140,9 @@ int lxc_open(const char *filename, int flags, mode_t mode) + return -1; + } + if (mode) { +- return open(rpath, flags | O_CLOEXEC, mode); ++ return open(rpath, (int)((unsigned int)flags | O_CLOEXEC), mode); + } else { +- return open(rpath, flags | O_CLOEXEC); ++ return open(rpath, (int)((unsigned int)flags | O_CLOEXEC)); + } + } + +-- +1.8.3.1 + diff --git a/0105-lxc-fix-code-error-warnings.patch b/0105-lxc-fix-code-error-warnings.patch new file mode 100644 index 0000000..a7f9bf5 --- /dev/null +++ b/0105-lxc-fix-code-error-warnings.patch @@ -0,0 +1,74 @@ +From 2ec27dbac6d9e6e9b6aafb7eef205d4e89e2950e Mon Sep 17 00:00:00 2001 +From: LiFeng +Date: Mon, 3 Jun 2019 23:02:50 -0400 +Subject: [PATCH 105/122] lxc: fix code error warnings + +Signed-off-by: LiFeng +--- + src/lxc/conf.c | 5 ++++- + src/lxc/lxccontainer.c | 3 +-- + src/lxc/start.c | 2 +- + 3 files changed, 6 insertions(+), 4 deletions(-) + +diff --git a/src/lxc/conf.c b/src/lxc/conf.c +index 127ef77..8311723 100644 +--- a/src/lxc/conf.c ++++ b/src/lxc/conf.c +@@ -5325,9 +5325,12 @@ int lxc_clear_init_args(struct lxc_conf *lxc_conf) + { + int i; + +- for (i = 0; i < lxc_conf->init_argc; i++) ++ for (i = 0; i < lxc_conf->init_argc; i++) { + free(lxc_conf->init_argv[i]); ++ lxc_conf->init_argv[i] = NULL; ++ } + free(lxc_conf->init_argv); ++ lxc_conf->init_argv = NULL; + lxc_conf->init_argc = 0; + + return 0; +diff --git a/src/lxc/lxccontainer.c b/src/lxc/lxccontainer.c +index 72417ed..a09e066 100644 +--- a/src/lxc/lxccontainer.c ++++ b/src/lxc/lxccontainer.c +@@ -1180,6 +1180,7 @@ static bool do_lxcapi_start(struct lxc_container *c, int useinit, char * const a + if (conf->exit_fd < 0) { + ERROR("Failed to open exit fifo %s: %s.", c->exit_fifo, strerror(errno)); + ret = 1; ++ lxc_free_handler(handler); + goto on_error; + } + } +@@ -1208,7 +1209,6 @@ static bool do_lxcapi_start(struct lxc_container *c, int useinit, char * const a + reboot: + if (conf->reboot == REBOOT_INIT) { + /* initialize handler */ +- lxc_free_handler(handler); + handler = lxc_init_handler(c->name, conf, c->config_path, c->daemonize); + if (!handler) { + ret = 1; +@@ -1249,7 +1249,6 @@ reboot: + conf->reboot = REBOOT_INIT; + goto reboot; + } +- lxc_free_handler(handler); + + on_error: + if (c->pidfile) { +diff --git a/src/lxc/start.c b/src/lxc/start.c +index ccdd844..2380581 100644 +--- a/src/lxc/start.c ++++ b/src/lxc/start.c +@@ -2421,7 +2421,7 @@ int __lxc_start(const char *name, struct lxc_handler *handler, + ret = lxc_init(name, handler); + if (ret < 0) { + ERROR("Failed to initialize container \"%s\"", name); +- return -1; ++ goto out_fini_nonet; + } + handler->ops = ops; + handler->data = data; +-- +1.8.3.1 + diff --git a/0106-set-timeout-to-1s-for-cmds-send-to-lxc-monitor.patch b/0106-set-timeout-to-1s-for-cmds-send-to-lxc-monitor.patch new file mode 100644 index 0000000..84ebf12 --- /dev/null +++ b/0106-set-timeout-to-1s-for-cmds-send-to-lxc-monitor.patch @@ -0,0 +1,31 @@ +From b3df22c4905ca0ad208643a015e01405ae395cdb Mon Sep 17 00:00:00 2001 +From: LiFeng +Date: Thu, 6 Jun 2019 22:48:38 -0400 +Subject: [PATCH 106/122] set timeout to 1s for cmds send to [lxc monitor] + +Signed-off-by: LiFeng +--- + src/lxc/commands.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/src/lxc/commands.c b/src/lxc/commands.c +index c74b8c1..0802a16 100644 +--- a/src/lxc/commands.c ++++ b/src/lxc/commands.c +@@ -127,10 +127,10 @@ static int lxc_cmd_rsp_recv(int sock, struct lxc_cmd_rr *cmd) + int ret, rspfd; + struct lxc_cmd_rsp *rsp = &cmd->rsp; + +- /*isulad: add timeout 200ms to avoid long block due to [lxc monitor] error*/ +- ret = lxc_abstract_unix_recv_fds_timeout(sock, &rspfd, 1, rsp, sizeof(*rsp), 200 * 1000); ++ /*isulad: add timeout 1s to avoid long block due to [lxc monitor] error*/ ++ ret = lxc_abstract_unix_recv_fds_timeout(sock, &rspfd, 1, rsp, sizeof(*rsp), 1000 * 1000); + if (ret < 0) { +- SYSWARN("Failed to receive response for command \"%s\"", ++ SYSERROR("Failed to receive response for command \"%s\"", + lxc_cmd_str(cmd->req.cmd)); + + if (errno == ECONNRESET || errno == EAGAIN || errno == EWOULDBLOCK) { +-- +1.8.3.1 + diff --git a/0107-add-log-for-failure-of-rename-file.patch b/0107-add-log-for-failure-of-rename-file.patch new file mode 100644 index 0000000..040184f --- /dev/null +++ b/0107-add-log-for-failure-of-rename-file.patch @@ -0,0 +1,33 @@ +From a3e02850527e08f396f8050c41afdd5f23d836b8 Mon Sep 17 00:00:00 2001 +From: liuhao +Date: Mon, 17 Jun 2019 20:17:37 +0800 +Subject: [PATCH 107/122] add log for failure of rename file + +1. add log message of rename operator +2. if rename console file failed, reopen terminal fd + +Signed-off-by: liuhao +Signed-off-by: LiFeng +--- + src/lxc/terminal.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/src/lxc/terminal.c b/src/lxc/terminal.c +index a8a0dc9..778a0ab 100644 +--- a/src/lxc/terminal.c ++++ b/src/lxc/terminal.c +@@ -293,8 +293,9 @@ static int lxc_terminal_rotate_log_file(struct lxc_terminal *terminal) + close(terminal->log_fd); + terminal->log_fd = -1; + ret = lxc_unpriv(rename(terminal->log_path, tmp)); +- if (ret < 0) +- return ret; ++ if (ret < 0) { ++ SYSERROR("Rename container log file failed"); ++ } + + return lxc_terminal_create_log_file(terminal); + } +-- +1.8.3.1 + diff --git a/0108-check-calloc-input-valid.patch b/0108-check-calloc-input-valid.patch new file mode 100644 index 0000000..612c5aa --- /dev/null +++ b/0108-check-calloc-input-valid.patch @@ -0,0 +1,33 @@ +From 6c12aebb600013e2eb8b970be51bff4d4bed6fb6 Mon Sep 17 00:00:00 2001 +From: liuhao +Date: Tue, 18 Jun 2019 23:16:09 +0800 +Subject: [PATCH 108/122] check calloc input valid + +check calloc input valid + +Signed-off-by: liuhao +Signed-off-by: LiFeng +--- + src/lxc/terminal.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/src/lxc/terminal.c b/src/lxc/terminal.c +index 778a0ab..6b117de 100644 +--- a/src/lxc/terminal.c ++++ b/src/lxc/terminal.c +@@ -444,8 +444,11 @@ static ssize_t lxc_logger_write(struct lxc_terminal *terminal, const char *type, + parser_error err = NULL; + struct parser_context ctx = { GEN_OPTIONS_SIMPLIFY | GEN_OPTIONS_NOT_VALIDATE_UTF8, stderr }; + ++ if (bytes_read < 0 || bytes_read >= INT_MAX) { ++ return -1; ++ } + msg = calloc(sizeof(logger_json_file), 1); +- if (!msg) { ++ if (msg == NULL) { + return -errno; + } + msg->log = calloc(bytes_read, 1); +-- +1.8.3.1 + diff --git a/0109-add-secure-compile-flags-to-lxc.patch b/0109-add-secure-compile-flags-to-lxc.patch new file mode 100644 index 0000000..ebf2bb1 --- /dev/null +++ b/0109-add-secure-compile-flags-to-lxc.patch @@ -0,0 +1,104 @@ +From f6b39a07c8622c65bf10f484a455ba79f53b15f7 Mon Sep 17 00:00:00 2001 +From: liuhao +Date: Thu, 20 Jun 2019 17:46:40 +0800 +Subject: [PATCH 109/122] add secure compile flags to lxc + +add secure compile flags to lxc + +Signed-off-by: liuhao +Signed-off-by: LiFeng +--- + configure.ac | 25 +++++++++++++++++++------ + src/lxc/Makefile.am | 5 +++++ + 2 files changed, 24 insertions(+), 6 deletions(-) + +diff --git a/configure.ac b/configure.ac +index 4da52a2..a714779 100644 +--- a/configure.ac ++++ b/configure.ac +@@ -44,6 +44,7 @@ AM_INIT_AUTOMAKE([-Wall -Werror -Wno-portability subdir-objects]) + AC_CANONICAL_HOST + AM_PROG_CC_C_O + AC_GNU_SOURCE ++CFLAGS=`echo "${CFLAGS#\-g}"` + + # Test if we have a new enough compiler. + AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ +@@ -192,6 +193,11 @@ AC_ARG_ENABLE([werror], + [do not treat warnings as errors])], + [], [enable_werror=yes]) + ++AC_ARG_ENABLE([debug], ++ [AC_HELP_STRING([--enable-debug], ++ [set -g into cflags [default=no]])], ++ [], [enable_debug=no]) ++ + # Allow disabling rpath + AC_ARG_ENABLE([rpath], + [AC_HELP_STRING([--enable-rpath], [set rpath in executables [default=no]])], +@@ -200,8 +206,8 @@ AM_CONDITIONAL([ENABLE_RPATH], [test "x$enable_rpath" = "xyes"]) + + # Documentation (manpages) + AC_ARG_ENABLE([doc], +- [AC_HELP_STRING([--enable-doc], [make man pages [default=auto]])], +- [], [enable_doc=auto]) ++ [AC_HELP_STRING([--enable-doc], [make man pages [default=no]])], ++ [], [enable_doc=no]) + + if test "x$enable_doc" = "xyes" -o "x$enable_doc" = "xauto"; then + db2xman="" +@@ -692,18 +698,25 @@ AX_CHECK_COMPILE_FLAG([-Wstrict-prototypes], [CFLAGS="$CFLAGS -Wstrict-prototype + AX_CHECK_COMPILE_FLAG([-fno-strict-aliasing], [CFLAGS="$CFLAGS -fno-strict-aliasing"],,[-Werror]) + AX_CHECK_COMPILE_FLAG([-fstack-clash-protection], [CFLAGS="$CFLAGS -fstack-clash-protection"],,[-Werror]) + AX_CHECK_COMPILE_FLAG([-fstack-protector-strong], [CFLAGS="$CFLAGS -fstack-protector-strong"],,[-Werror]) +-AX_CHECK_COMPILE_FLAG([-g], [CFLAGS="$CFLAGS -g"],,[-Werror]) + AX_CHECK_COMPILE_FLAG([--mcet -fcf-protection], [CFLAGS="$CFLAGS --mcet -fcf-protection"],,[-Werror]) + AX_CHECK_COMPILE_FLAG([-Werror=implicit-function-declaration], [CFLAGS="$CFLAGS -Werror=implicit-function-declaration"],,[-Werror]) + +-AX_CHECK_LINK_FLAG([-z relro], [LDLAGS="$LDLAGS -z relro"],,[]) +-AX_CHECK_LINK_FLAG([-z now], [LDLAGS="$LDLAGS -z now"],,[]) + +-CFLAGS="$CFLAGS -Wvla -std=gnu11" ++AX_CHECK_LINK_FLAG([-z relro], [LDFLAGS="$LDFLAGS -z relro"],,[]) ++AX_CHECK_LINK_FLAG([-z now], [LDFLAGS="$LDFLAGS -z now"],,[]) ++AX_CHECK_LINK_FLAG([-z noexecstack], [LDFLAGS="$LDFLAGS -z noexecstack"],,[]) ++ ++LDFLAGS="$LDFLAGS -fPIE -pie" ++ ++CFLAGS="$CFLAGS -Wvla -std=gnu11 -D_FORTIFY_SOURCE=2 -Wall -fPIC -fPIE -pie" + if test "x$enable_werror" = "xyes"; then + CFLAGS="$CFLAGS -Werror" + fi + ++if test "x$enable_debug" = "xyes"; then ++ CFLAGS="$CFLAGS -g" ++fi ++ + AC_ARG_ENABLE([thread-safety], + [AC_HELP_STRING([--enable-thread-safety], [enforce thread-safety otherwise fail the build [default=yes]])], + [], [enable_thread_safety=yes]) +diff --git a/src/lxc/Makefile.am b/src/lxc/Makefile.am +index 4ec2081..b24fcfd 100644 +--- a/src/lxc/Makefile.am ++++ b/src/lxc/Makefile.am +@@ -233,12 +233,17 @@ endif + + # build the shared library + liblxc_la_CFLAGS = -fPIC \ ++ -fPIE -pie \ + -DPIC \ ++ -D_FORTIFY_SOURCE=2 -Wall \ + $(AM_CFLAGS) \ + -pthread + + liblxc_la_LDFLAGS = -pthread \ + -Wl,-no-undefined \ ++ -Wl,-z,relro \ ++ -Wl,-z,now \ ++ -Wl,-z,noexecstack \ + -Wl,-soname,liblxc.so.$(firstword $(subst ., ,@LXC_ABI@)) \ + -version-info @LXC_ABI_MAJOR@ @YAJL_LIBS@ + +-- +1.8.3.1 + diff --git a/0110-add-doc-for-lxc.patch b/0110-add-doc-for-lxc.patch new file mode 100644 index 0000000..e5fd45e --- /dev/null +++ b/0110-add-doc-for-lxc.patch @@ -0,0 +1,31 @@ +From 4fcbbaad8e41594629cda4694e0f2b4b5850f398 Mon Sep 17 00:00:00 2001 +From: liuhao +Date: Fri, 21 Jun 2019 17:20:43 +0800 +Subject: [PATCH 110/122] add doc for lxc + +add doc for lxc + +Signed-off-by: liuhao +Signed-off-by: LiFeng +--- + configure.ac | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/configure.ac b/configure.ac +index a714779..5963fab 100644 +--- a/configure.ac ++++ b/configure.ac +@@ -206,8 +206,8 @@ AM_CONDITIONAL([ENABLE_RPATH], [test "x$enable_rpath" = "xyes"]) + + # Documentation (manpages) + AC_ARG_ENABLE([doc], +- [AC_HELP_STRING([--enable-doc], [make man pages [default=no]])], +- [], [enable_doc=no]) ++ [AC_HELP_STRING([--enable-doc], [make man pages [default=auto]])], ++ [], [enable_doc=auto]) + + if test "x$enable_doc" = "xyes" -o "x$enable_doc" = "xauto"; then + db2xman="" +-- +1.8.3.1 + diff --git a/0111-lxc-use-safe_strdup-instead-of-strdup.patch b/0111-lxc-use-safe_strdup-instead-of-strdup.patch new file mode 100644 index 0000000..51187c9 --- /dev/null +++ b/0111-lxc-use-safe_strdup-instead-of-strdup.patch @@ -0,0 +1,752 @@ +From 3c466cfdde64c75addc902f6e367666c18040ac3 Mon Sep 17 00:00:00 2001 +From: LiFeng +Date: Wed, 3 Jul 2019 23:41:15 -0400 +Subject: [PATCH 111/122] lxc: use safe_strdup instead of strdup + +Signed-off-by: LiFeng +--- + src/lxc/attach.c | 14 +++++--------- + src/lxc/conf.c | 32 +++++++++---------------------- + src/lxc/confile.c | 32 +++++++++---------------------- + src/lxc/json/defs.c | 1 - + src/lxc/json/json_common.c | 41 ++++++++++++---------------------------- + src/lxc/json/json_common.h | 4 +--- + src/lxc/json/logger_json_file.c | 1 - + src/lxc/json/oci_runtime_hooks.c | 4 ++-- + src/lxc/json/oci_runtime_spec.c | 1 - + src/lxc/lxccontainer.c | 16 +++++++--------- + src/lxc/path.c | 20 +++++--------------- + src/lxc/start.c | 18 +++++++++--------- + src/lxc/terminal.c | 18 +++++++----------- + src/lxc/tools/lxc_attach.c | 4 ++-- + src/lxc/tools/lxc_start.c | 2 +- + src/lxc/utils.c | 16 ++++++++++++++++ + src/lxc/utils.h | 2 ++ + 17 files changed, 87 insertions(+), 139 deletions(-) + +diff --git a/src/lxc/attach.c b/src/lxc/attach.c +index 6480eb9..d7b16e3 100644 +--- a/src/lxc/attach.c ++++ b/src/lxc/attach.c +@@ -1070,15 +1070,15 @@ static int lxc_attach_terminal(struct lxc_conf *conf, + /* isulad: if we pass fifo in option, use them as init fifos */ + if (options->init_fifo[0]) { + free(terminal->init_fifo[0]); +- terminal->init_fifo[0] = strdup(options->init_fifo[0]); ++ terminal->init_fifo[0] = safe_strdup(options->init_fifo[0]); + } + if (options->init_fifo[1]) { + free(terminal->init_fifo[1]); +- terminal->init_fifo[1] = strdup(options->init_fifo[1]); ++ terminal->init_fifo[1] = safe_strdup(options->init_fifo[1]); + } + if (options->init_fifo[2]) { + free(terminal->init_fifo[2]); +- terminal->init_fifo[2] = strdup(options->init_fifo[2]); ++ terminal->init_fifo[2] = safe_strdup(options->init_fifo[2]); + } + + ret = lxc_terminal_create(terminal); +@@ -1562,9 +1562,7 @@ int lxc_attach(const char *name, const char *lxcpath, + size_read = read(conf->errpipe[0], errbuf, BUFSIZ); + if (size_read > 0) { + if (err_msg) +- *err_msg = strdup(errbuf); +- if (!(*err_msg)) +- ERROR("Out of memory"); ++ *err_msg = safe_strdup(errbuf); + goto close_mainloop; + } + +@@ -1585,9 +1583,7 @@ int lxc_attach(const char *name, const char *lxcpath, + } + + if (g_attach_timeout_state == ATTACH_TIMEOUT && err_msg != NULL && *err_msg == NULL) { +- *err_msg = strdup("Attach exceeded timeout"); +- if (!(*err_msg)) +- ERROR("Out of memory"); ++ *err_msg = safe_strdup("Attach exceeded timeout"); + } + close_mainloop: + if (options->attach_flags & LXC_ATTACH_TERMINAL) +diff --git a/src/lxc/conf.c b/src/lxc/conf.c +index 8311723..1dfdaf3 100644 +--- a/src/lxc/conf.c ++++ b/src/lxc/conf.c +@@ -1356,9 +1356,7 @@ static int rootfs_parent_mount_private(char *rootfs) + target = get_field(line, 4); + if (!target) + continue; +- tmptarget = strdup(target); +- if (!tmptarget) +- continue; ++ tmptarget = safe_strdup(target); + null_endofword(tmptarget); + if (!strstr(rootfs, tmptarget)) { + free(tmptarget); +@@ -1376,9 +1374,7 @@ static int rootfs_parent_mount_private(char *rootfs) + continue; + null_endofword(opts); + free(options); +- options = strdup(opts); +- if (!options) +- continue; ++ options = safe_strdup(opts); + } + + if (!parent || !options) { +@@ -1417,7 +1413,7 @@ static int lxc_mount_rootfs(struct lxc_conf *conf) + + // isulad: bind mount / to rootfs.mount. then we can do pivot root even if we use / as root. + if (!access(rootfs->mount, F_OK)) { +- rootfs->path = strdup("/"); ++ rootfs->path = safe_strdup("/"); + if (mount("/", rootfs->mount, NULL, MS_BIND, 0)) { + SYSERROR("Failed to mount / to %s.", rootfs->mount); + return -1; +@@ -2225,9 +2221,7 @@ int parse_mntopts(const char *mntopts, unsigned long *mntflags, unsigned long *p + if (!mntopts) + return 0; + +- s = strdup(mntopts); +- if (!s) +- return -1; ++ s = safe_strdup(mntopts); + + size = strlen(s) + 1; + data = malloc(size); +@@ -4026,7 +4020,7 @@ static int setup_populate_devs(const struct lxc_rootfs *rootfs, struct lxc_list + return -1; + + /* create any missing directories */ +- pathdirname = strdup(path); ++ pathdirname = safe_strdup(path); + pathdirname = dirname(pathdirname); + ret = mkdir_p(pathdirname, 0750); + free(pathdirname); +@@ -4545,7 +4539,7 @@ static char **merge_ocihook_env(char **oldenvs, size_t env_len, size_t *merge_en + + for(i = 0; i < env_len; i++) { + if (oldenvs[i]) +- result[i] = strdup(oldenvs[i]); ++ result[i] = safe_strdup(oldenvs[i]); + } + + for(j = 0; j < (sizeof(lxc_envs) / sizeof(char *)); j++) { +@@ -4869,7 +4863,7 @@ static char *get_root_path(const char *path, const char *backend) + char *tmp = NULL; + + if (!path) { +- ret = strdup("/"); ++ ret = safe_strdup("/"); + return ret; + } + if (!backend) { +@@ -4885,20 +4879,12 @@ static char *get_root_path(const char *path, const char *backend) + return NULL; + } + tmp++; +- ret = strdup(tmp); +- if (!ret) { +- ERROR("Out of memory"); +- return NULL; +- } ++ ret = safe_strdup(tmp); + return ret; + } + + default_out: +- ret = strdup(path); +- if (!ret) { +- ERROR("Out of memory"); +- return NULL; +- } ++ ret = safe_strdup(path); + return ret; + } + +diff --git a/src/lxc/confile.c b/src/lxc/confile.c +index 216a688..8262d1e 100644 +--- a/src/lxc/confile.c ++++ b/src/lxc/confile.c +@@ -1011,9 +1011,7 @@ static int set_config_group(const char *key, const char *value, + if (lxc_config_value_empty(value)) + return lxc_clear_groups(lxc_conf); + +- groups = strdup(value); +- if (!groups) +- return -1; ++ groups = safe_strdup(value); + + /* In case several groups are specified in a single line split these + * groups in a single element for the list. +@@ -2281,7 +2279,7 @@ static int set_config_populate_device(const char *key, const char *value, + int ret = 0, major = 0, minor = 0; + uid_t uid = (uid_t)-1; + gid_t gid = (gid_t)-1; +- char name[PATH_MAX] = {0}; ++ char name[4096] = {0}; /* MAX dev path name */ + char type[3] = {0}; + char *replace_value = NULL; + mode_t filemode = 0; +@@ -2295,7 +2293,7 @@ static int set_config_populate_device(const char *key, const char *value, + /* lxc.populate.device = PATH_IN_CONTAINER:DEVICETYPE:MAJOR:MINOR:MODE:UID:GID + * For e.g. lxc.populate.device = /dev/sda:b:8:0:0666:0:0 + */ +- ret = sscanf(value, "%[^:]:%2[^:]:%i:%i:%i:%u:%u", name, type, &major, &minor, &filemode, &uid, &gid); ++ ret = sscanf(value, "%4095[^:]:%2[^:]:%i:%i:%i:%u:%u", name, type, &major, &minor, &filemode, &uid, &gid); + if (ret != 7) + return -1; + +@@ -2306,9 +2304,7 @@ static int set_config_populate_device(const char *key, const char *value, + if (strcmp(name, dev_elem->name) != 0) + continue; + +- replace_value = strdup(type); +- if (!replace_value) +- return -1; ++ replace_value = safe_strdup(type); + + free(dev_elem->type); + dev_elem->type = replace_value; +@@ -2332,13 +2328,9 @@ static int set_config_populate_device(const char *key, const char *value, + goto on_error; + memset(dev_elem, 0, sizeof(*dev_elem)); + +- dev_elem->name = strdup(name); +- if (!dev_elem->name) +- goto on_error; ++ dev_elem->name = safe_strdup(name); + +- dev_elem->type = strdup(type); +- if (!dev_elem->type) +- goto on_error; ++ dev_elem->type = safe_strdup(type); + + dev_elem->file_mode = filemode; + dev_elem->maj = major; +@@ -2373,10 +2365,7 @@ static int set_config_rootfs_masked_paths(const char *key, const char *value, + if (!list_item) + goto on_error; + +- list_item->elem = strdup(value); +- +- if (!list_item->elem) +- goto on_error; ++ list_item->elem = safe_strdup(value); + + lxc_list_add_tail(&lxc_conf->rootfs.maskedpaths, list_item); + +@@ -2401,10 +2390,7 @@ static int set_config_rootfs_ro_paths(const char *key, const char *value, + if (!list_item) + goto on_error; + +- list_item->elem = strdup(value); +- +- if (!list_item->elem) +- goto on_error; ++ list_item->elem = safe_strdup(value); + + lxc_list_add_tail(&lxc_conf->rootfs.ropaths, list_item); + +@@ -2446,7 +2432,7 @@ static int set_config_systemd(const char *key, const char *value, + ERROR("Empty umask"); + return -1; + } +- lxc_conf->systemd = strdup(value); ++ lxc_conf->systemd = safe_strdup(value); + return 0; + } + +diff --git a/src/lxc/json/defs.c b/src/lxc/json/defs.c +index e7d9a09..8a052a8 100644 +--- a/src/lxc/json/defs.c ++++ b/src/lxc/json/defs.c +@@ -4,7 +4,6 @@ + #endif + #include + #include +-#include "securec.h" + #include "defs.h" + + defs_hook *make_defs_hook(yajl_val tree, struct parser_context *ctx, parser_error *err) { +diff --git a/src/lxc/json/json_common.c b/src/lxc/json/json_common.c +index 54b7b61..bea9b14 100755 +--- a/src/lxc/json/json_common.c ++++ b/src/lxc/json/json_common.c +@@ -381,23 +381,6 @@ int common_safe_int(const char *numstr, int *converted) { + return 0; + } + +-char *safe_strdup(const char *src) +-{ +- char *dst = NULL; +- +- if (src == NULL) { +- return NULL; +- } +- +- dst = strdup(src); +- if (dst == NULL) { +- abort(); +- } +- +- return dst; +-} +- +- + yajl_gen_status gen_json_map_int_int(void *ctx, json_map_int_int *map, struct parser_context *ptx, parser_error *err) { + yajl_gen_status stat = yajl_gen_status_ok; + yajl_gen g = (yajl_gen) ctx; +@@ -522,12 +505,12 @@ int append_json_map_int_int(json_map_int_int *map, int key, int val) { + vals = safe_malloc(len * sizeof(int)); + + if (map->len) { +- if (memcpy(keys, map->keys, map->len * sizeof(int)) != EOK) { ++ if (memcpy(keys, map->keys, map->len * sizeof(int)) != NULL) { + free(keys); + free(vals); + return -1; + } +- if (memcpy(vals, map->values, map->len * sizeof(int)) != EOK) { ++ if (memcpy(vals, map->values, map->len * sizeof(int)) != NULL) { + free(keys); + free(vals); + return -1; +@@ -663,12 +646,12 @@ int append_json_map_int_bool(json_map_int_bool *map, int key, bool val) { + vals = safe_malloc(len * sizeof(bool)); + + if (map->len) { +- if (memcpy(keys, map->keys, map->len * sizeof(int)) != EOK) { ++ if (memcpy(keys, map->keys, map->len * sizeof(int)) != NULL) { + free(keys); + free(vals); + return -1; + } +- if (memcpy(vals, map->values, map->len * sizeof(bool)) != EOK) { ++ if (memcpy(vals, map->values, map->len * sizeof(bool)) != NULL) { + free(keys); + free(vals); + return -1; +@@ -803,12 +786,12 @@ int append_json_map_int_string(json_map_int_string *map, int key, const char *va + vals = safe_malloc(len * sizeof(char *)); + + if (map->len) { +- if (memcpy(keys, map->keys, map->len * sizeof(int)) != EOK) { ++ if (memcpy(keys, map->keys, map->len * sizeof(int)) != NULL) { + free(keys); + free(vals); + return -1; + } +- if (memcpy(vals, map->values, map->len * sizeof(char *)) != EOK) { ++ if (memcpy(vals, map->values, map->len * sizeof(char *)) != NULL) { + free(keys); + free(vals); + return -1; +@@ -930,12 +913,12 @@ int append_json_map_string_int(json_map_string_int *map, const char *key, int va + vals = safe_malloc(len * sizeof(int)); + + if (map->len) { +- if (memcpy(keys, map->keys, map->len * sizeof(char *)) != EOK) { ++ if (memcpy(keys, map->keys, map->len * sizeof(char *)) != NULL) { + free(keys); + free(vals); + return -1; + } +- if (memcpy(vals, map->values, map->len * sizeof(int)) != EOK) { ++ if (memcpy(vals, map->values, map->len * sizeof(int)) != NULL) { + free(keys); + free(vals); + return -1; +@@ -1052,12 +1035,12 @@ int append_json_map_string_bool(json_map_string_bool *map, const char *key, bool + vals = safe_malloc(len * sizeof(bool)); + + if (map->len) { +- if (memcpy(keys, map->keys, map->len * sizeof(char *)) != EOK) { ++ if (memcpy(keys, map->keys, map->len * sizeof(char *)) != NULL) { + free(keys); + free(vals); + return -1; + } +- if (memcpy(vals, map->values, map->len * sizeof(bool)) != EOK) { ++ if (memcpy(vals, map->values, map->len * sizeof(bool)) != NULL) { + free(keys); + free(vals); + return -1; +@@ -1181,12 +1164,12 @@ int append_json_map_string_string(json_map_string_string *map, const char *key, + vals = safe_malloc(len * sizeof(char *)); + + if (map->len) { +- if (memcpy(keys, map->keys, map->len * sizeof(char *)) != EOK) { ++ if (memcpy(keys, map->keys, map->len * sizeof(char *)) != NULL) { + free(keys); + free(vals); + return -1; + } +- if (memcpy(vals, map->values, map->len * sizeof(char *)) != EOK) { ++ if (memcpy(vals, map->values, map->len * sizeof(char *)) != NULL) { + free(keys); + free(vals); + return -1; +diff --git a/src/lxc/json/json_common.h b/src/lxc/json/json_common.h +index 218a837..60aa5fd 100755 +--- a/src/lxc/json/json_common.h ++++ b/src/lxc/json/json_common.h +@@ -9,7 +9,7 @@ + #include + #include + #include +-#include "securec.h" ++#include "utils.h" + + #ifdef __cplusplus + extern "C" { +@@ -94,8 +94,6 @@ int common_safe_int64(const char *numstr, int64_t *converted); + + int common_safe_int(const char *numstr, int *converted); + +-char *safe_strdup(const char *src); +- + typedef struct { + int *keys; + int *values; +diff --git a/src/lxc/json/logger_json_file.c b/src/lxc/json/logger_json_file.c +index 409ea11..842d35b 100644 +--- a/src/lxc/json/logger_json_file.c ++++ b/src/lxc/json/logger_json_file.c +@@ -4,7 +4,6 @@ + #endif + #include + #include +-#include "securec.h" + #include "logger_json_file.h" + + logger_json_file *make_logger_json_file(yajl_val tree, struct parser_context *ctx, parser_error *err) { +diff --git a/src/lxc/json/oci_runtime_hooks.c b/src/lxc/json/oci_runtime_hooks.c +index 43ff8d7..41ddb67 100644 +--- a/src/lxc/json/oci_runtime_hooks.c ++++ b/src/lxc/json/oci_runtime_hooks.c +@@ -34,7 +34,7 @@ oci_runtime_spec_hooks *oci_runtime_spec_hooks_parse_file(const char *filename, + char errbuf[PARSE_ERR_BUFFER_SIZE]; + if (content == NULL) { + if (asprintf(err, "cannot read the file: %s", filename) < 0) { +- *err = strdup("error allocating memory"); ++ *err = safe_strdup("error allocating memory"); + } + return NULL; + } +@@ -42,7 +42,7 @@ oci_runtime_spec_hooks *oci_runtime_spec_hooks_parse_file(const char *filename, + free(content); + if (tree == NULL) { + if (asprintf(err, "cannot parse the file: %s", errbuf) < 0) { +- *err = strdup("error allocating memory"); ++ *err = safe_strdup("error allocating memory"); + } + return NULL; + } +diff --git a/src/lxc/json/oci_runtime_spec.c b/src/lxc/json/oci_runtime_spec.c +index 4ccb635..fd342de 100644 +--- a/src/lxc/json/oci_runtime_spec.c ++++ b/src/lxc/json/oci_runtime_spec.c +@@ -4,7 +4,6 @@ + #endif + #include + #include +-#include "securec.h" + #include "oci_runtime_spec.h" + + oci_runtime_spec_hooks *make_oci_runtime_spec_hooks(yajl_val tree, struct parser_context *ctx, parser_error *err) { +diff --git a/src/lxc/lxccontainer.c b/src/lxc/lxccontainer.c +index a09e066..ede4c88 100644 +--- a/src/lxc/lxccontainer.c ++++ b/src/lxc/lxccontainer.c +@@ -1055,9 +1055,7 @@ static bool do_lxcapi_start(struct lxc_container *c, int useinit, char * const a + if (!started) { + size_read = read(conf->errpipe[0], errbuf, BUFSIZ); + if (size_read > 0) { +- conf->errmsg = strdup(errbuf); +- if (!conf->errmsg) +- ERROR("Out of memory"); ++ conf->errmsg = safe_strdup(errbuf); + } + } + close(conf->errpipe[0]); +@@ -3199,7 +3197,7 @@ static bool container_destroy(struct lxc_container *c, + ERROR("Failed to destroy directory \"%s\" for \"%s\"", path, + c->name); + sprintf(msg, "Failed to destroy directory \"%s\": %s", path, errno ? strerror(errno) : "error"); +- c->error_string = strdup(msg); ++ c->error_string = safe_strdup(msg); + goto out; + } + INFO("Destroyed directory \"%s\" for \"%s\"", path, c->name); +@@ -5147,17 +5145,17 @@ static bool do_lxcapi_set_terminal_default_fifos(struct lxc_container *c, const + if (in) { + if (conf->console.init_fifo[0]) + free(conf->console.init_fifo[0]); +- conf->console.init_fifo[0] = strdup(in); ++ conf->console.init_fifo[0] = safe_strdup(in); + } + if (out) { + if (conf->console.init_fifo[1]) + free(conf->console.init_fifo[1]); +- conf->console.init_fifo[1] = strdup(out); ++ conf->console.init_fifo[1] = safe_strdup(out); + } + if (err) { + if (conf->console.init_fifo[2]) + free(conf->console.init_fifo[2]); +- conf->console.init_fifo[2] = strdup(err); ++ conf->console.init_fifo[2] = safe_strdup(err); + } + + container_mem_unlock(c); +@@ -5181,7 +5179,7 @@ static bool do_lxcapi_set_container_info_file(struct lxc_container *c, const cha + conf = c->lxc_conf; + if (conf->container_info_file) + free(conf->container_info_file); +- conf->container_info_file = strdup(info_file); ++ conf->container_info_file = safe_strdup(info_file); + + container_mem_unlock(c); + return true; +@@ -5347,7 +5345,7 @@ static struct lxc_container *do_lxc_container_new(const char *name, const char * + fprintf(stderr, "Failed to get lxc path for %s\n", name); + goto err; + } +- c->config_path = strdup(tmp); ++ c->config_path = safe_strdup(tmp); + } + if (!c->config_path) { + fprintf(stderr, "Failed to allocate memory for %s\n", name); +diff --git a/src/lxc/path.c b/src/lxc/path.c +index 36d5e0b..c545887 100644 +--- a/src/lxc/path.c ++++ b/src/lxc/path.c +@@ -23,11 +23,7 @@ bool specify_current_dir(const char *path) + char *basec = NULL, *bname = NULL; + bool res = false; + +- basec = strdup(path); +- if (!basec) { +- ERROR("Out of memory"); +- return false; +- } ++ basec = safe_strdup(path); + + bname = basename(basec); + if (bname == NULL) { +@@ -106,13 +102,7 @@ bool filepath_split(const char *path, char **dir, char **base) + memcpy(*dir, path, i + 1); + *(*dir + i + 1) = '\0'; + +- *base = strdup(path + i + 1); +- if (!*base) { +- ERROR("Out of memory"); +- free(*dir); +- *dir = NULL; +- return false; +- } ++ *base = safe_strdup(path + i + 1); + + return true; + } +@@ -459,7 +449,7 @@ static char *eval_symlinks_in_scope(const char *fullpath, const char *rootpath) + } + + if (!strcmp(fullpath, root)) { +- return strdup(fullpath); ++ return safe_strdup(fullpath); + } + + if (strstr(fullpath, root) == NULL) { +@@ -592,7 +582,7 @@ char *path_relative(const char *basepath, const char *targpath) + } + + if (strcmp(base, targ) == 0) +- return strdup("."); ++ return safe_strdup("."); + + bl = strlen(base); + tl = strlen(targ); +@@ -646,5 +636,5 @@ char *path_relative(const char *basepath, const char *targpath) + return buf; + } + +- return strdup(targ + t0); ++ return safe_strdup(targ + t0); + } +diff --git a/src/lxc/start.c b/src/lxc/start.c +index 2380581..d6c706e 100644 +--- a/src/lxc/start.c ++++ b/src/lxc/start.c +@@ -2795,35 +2795,35 @@ static int clean_resource_set_env(struct lxc_handler *handler) + /* Start of environment variable setup for hooks. */ + if (name) { + snprintf(bufstr, PATH_MAX + 1, "LXC_NAME=%s", name); +- conf->ocihooks->poststop[i]->env[j++] = strdup(bufstr); ++ conf->ocihooks->poststop[i]->env[j++] = safe_strdup(bufstr); + } + if (conf->rcfile) { + snprintf(bufstr, PATH_MAX + 1, "LXC_CONFIG_FILE=%s", conf->rcfile); +- conf->ocihooks->poststop[i]->env[j++] = strdup(bufstr); ++ conf->ocihooks->poststop[i]->env[j++] = safe_strdup(bufstr); + } + if (conf->rootfs.mount) { + snprintf(bufstr, PATH_MAX + 1, "LXC_ROOTFS_MOUNT=%s", conf->rootfs.mount); +- conf->ocihooks->poststop[i]->env[j++] = strdup(bufstr); ++ conf->ocihooks->poststop[i]->env[j++] = safe_strdup(bufstr); + } + if (conf->rootfs.path) { + snprintf(bufstr, PATH_MAX + 1, "LXC_ROOTFS_PATH=%s", conf->rootfs.path); +- conf->ocihooks->poststop[i]->env[j++] = strdup(bufstr); ++ conf->ocihooks->poststop[i]->env[j++] = safe_strdup(bufstr); + } + if (conf->console.path) { + snprintf(bufstr, PATH_MAX + 1, "LXC_CONSOLE=%s", conf->console.path); +- conf->ocihooks->poststop[i]->env[j++] = strdup(bufstr); ++ conf->ocihooks->poststop[i]->env[j++] = safe_strdup(bufstr); + } + if (conf->console.log_path) { + snprintf(bufstr, PATH_MAX + 1, "LXC_CONSOLE_LOGPATH=%s", conf->console.log_path); +- conf->ocihooks->poststop[i]->env[j++] = strdup(bufstr); ++ conf->ocihooks->poststop[i]->env[j++] = safe_strdup(bufstr); + } +- conf->ocihooks->poststop[i]->env[j++] = strdup("LXC_CGNS_AWARE=1"); ++ conf->ocihooks->poststop[i]->env[j++] = safe_strdup("LXC_CGNS_AWARE=1"); + + snprintf(bufstr, PATH_MAX + 1, "LXC_PID=%d", handler->pid); +- conf->ocihooks->poststop[i]->env[j++] = strdup(bufstr); ++ conf->ocihooks->poststop[i]->env[j++] = safe_strdup(bufstr); + if (handler->cgroup_ops->container_cgroup) { + snprintf(bufstr, PATH_MAX + 1, "LXC_CGROUP_PATH=%s", handler->cgroup_ops->container_cgroup); +- conf->ocihooks->poststop[i]->env[j++] = strdup(bufstr); ++ conf->ocihooks->poststop[i]->env[j++] = safe_strdup(bufstr); + } + conf->ocihooks->poststop[i]->env_len = j; + /* End of environment variable setup for hooks. */ +diff --git a/src/lxc/terminal.c b/src/lxc/terminal.c +index 6b117de..970db69 100644 +--- a/src/lxc/terminal.c ++++ b/src/lxc/terminal.c +@@ -246,7 +246,7 @@ static int lxc_terminal_rename_old_log_file(struct lxc_terminal *terminal) + return -EFBIG; + } + free(rename_fname); +- rename_fname = strdup(tmp); ++ rename_fname = safe_strdup(tmp); + ret = sprintf(tmp, "%s.%u", terminal->log_path, (i - 1)); + if (ret < 0) { + free(rename_fname); +@@ -457,10 +457,10 @@ static ssize_t lxc_logger_write(struct lxc_terminal *terminal, const char *type, + } + memcpy(msg->log, buf, bytes_read); + msg->log_len = bytes_read; +- msg->stream = type ? strdup(type) : strdup("stdout"); ++ msg->stream = type ? safe_strdup(type) : safe_strdup("stdout"); + + get_now_time_buffer(timebuffer, sizeof(timebuffer)); +- msg->time = strdup(timebuffer); ++ msg->time = safe_strdup(timebuffer); + + json = logger_json_file_generate_json(msg, &ctx, &err); + if (!json) { +@@ -1324,9 +1324,9 @@ static int lxc_terminal_set_fifo(struct lxc_terminal *console, const char *in, c + } + memset(fifo_elem, 0, sizeof(*fifo_elem)); + +- fifo_elem->in_fifo = strdup(in ? in : ""); +- fifo_elem->out_fifo = strdup(out ? out : ""); +- fifo_elem->err_fifo = strdup(err ? err : ""); ++ fifo_elem->in_fifo = safe_strdup(in ? in : ""); ++ fifo_elem->out_fifo = safe_strdup(out ? out : ""); ++ fifo_elem->err_fifo = safe_strdup(err ? err : ""); + fifo_elem->in_fd = fifofd_in; + fifo_elem->out_fd = fifofd_out; + fifo_elem->err_fd = fifofd_err; +@@ -1810,11 +1810,7 @@ int lxc_terminal_add_fifos(struct lxc_conf *conf, const char *fifonames) + char *tmp = NULL, *saveptr = NULL, *in = NULL, *out = NULL, *err = NULL; + const char *none_fifo_name = "none"; + +- tmp = strdup(fifonames); +- if (!tmp) { +- ret = -1; +- goto free_out; +- } ++ tmp = safe_strdup(fifonames); + + in = strtok_r(tmp, "&&&&", &saveptr); + if (!in) { +diff --git a/src/lxc/tools/lxc_attach.c b/src/lxc/tools/lxc_attach.c +index 854b3a2..7d51ad7 100644 +--- a/src/lxc/tools/lxc_attach.c ++++ b/src/lxc/tools/lxc_attach.c +@@ -309,7 +309,7 @@ static int do_attach_foreground(struct lxc_container *c, lxc_attach_command_t *c + } + out: + if (c->lxc_conf->errmsg) +- *errmsg = strdup(c->lxc_conf->errmsg); ++ *errmsg = safe_strdup(c->lxc_conf->errmsg); + return wexit; + } + +@@ -353,7 +353,7 @@ static int do_attach_background(struct lxc_container *c, lxc_attach_command_t *c + msgpipe[1] = -1; + size_read = read(msgpipe[0], msgbuf, BUFSIZ); + if (size_read > 0) { +- *errmsg = strdup(msgbuf); ++ *errmsg = safe_strdup(msgbuf); + ret = -1; + } + +diff --git a/src/lxc/tools/lxc_start.c b/src/lxc/tools/lxc_start.c +index af63f58..e48e5b3 100644 +--- a/src/lxc/tools/lxc_start.c ++++ b/src/lxc/tools/lxc_start.c +@@ -360,7 +360,7 @@ int main(int argc, char *argv[]) + + /* isulad: fifo used to monitor state of monitor process */ + if (my_args.exit_monitor_fifo != NULL) { +- c->exit_fifo = strdup(my_args.exit_monitor_fifo); ++ c->exit_fifo = safe_strdup(my_args.exit_monitor_fifo); + } + + /* isulad: add start timeout */ +diff --git a/src/lxc/utils.c b/src/lxc/utils.c +index 9db762f..e6e8905 100644 +--- a/src/lxc/utils.c ++++ b/src/lxc/utils.c +@@ -2157,3 +2157,19 @@ FILE *lxc_fopen(const char *filename, const char *mode) + return fopen_cloexec(rpath, mode); + } + ++char *safe_strdup(const char *src) ++{ ++ char *dst = NULL; ++ ++ if (src == NULL) { ++ return NULL; ++ } ++ ++ dst = strdup(src); ++ if (dst == NULL) { ++ abort(); ++ } ++ ++ return dst; ++} ++ +diff --git a/src/lxc/utils.h b/src/lxc/utils.h +index 2406ee1..0b33f69 100644 +--- a/src/lxc/utils.h ++++ b/src/lxc/utils.h +@@ -328,4 +328,6 @@ extern int lxc_mem_realloc(void **newptr, size_t newsize, void *oldptr, size_t o + extern void *lxc_common_calloc_s(size_t size); + extern int lxc_open(const char *filename, int flags, mode_t mode); + extern FILE *lxc_fopen(const char *filename, const char *mode); ++extern char *safe_strdup(const char *src); ++ + #endif /* __LXC_UTILS_H */ +-- +1.8.3.1 + diff --git a/0112-fix-secure-errors.patch b/0112-fix-secure-errors.patch new file mode 100644 index 0000000..86bd6af --- /dev/null +++ b/0112-fix-secure-errors.patch @@ -0,0 +1,278 @@ +From aa6bea319eb9d86b296589e17219f96f6d0e3ed1 Mon Sep 17 00:00:00 2001 +From: liuhao +Date: Thu, 4 Jul 2019 11:08:26 +0800 +Subject: [PATCH 112/122] fix secure errors + +1. use snprintf replace sprintf +2. use malloc replace alloca + +Signed-off-by: liuhao +Signed-off-by: LiFeng +--- + src/lxc/conf.c | 6 ++++-- + src/lxc/confile.c | 38 ++++++++++++++++++++++++-------------- + src/lxc/json/json_common.c | 12 ++++++------ + src/lxc/lxccontainer.c | 8 ++++++-- + src/lxc/terminal.c | 31 ++++++++++++++++++++++++------- + 5 files changed, 64 insertions(+), 31 deletions(-) + +diff --git a/src/lxc/conf.c b/src/lxc/conf.c +index 1dfdaf3..996d267 100644 +--- a/src/lxc/conf.c ++++ b/src/lxc/conf.c +@@ -4543,18 +4543,20 @@ static char **merge_ocihook_env(char **oldenvs, size_t env_len, size_t *merge_en + } + + for(j = 0; j < (sizeof(lxc_envs) / sizeof(char *)); j++) { ++ size_t env_buf_len = 0; + tmpenv = getenv(lxc_envs[j]); + if (tmpenv && i < (result_len - 1)) { + if (strlen(tmpenv) > (SIZE_MAX - 1 - 1 - strlen(lxc_envs[j]))) { + lxc_free_array((void **)result, free); + return NULL; + } +- lxcenv_buf = malloc(strlen(tmpenv) + 1 + strlen(lxc_envs[j]) + 1); ++ env_buf_len = ((strlen(tmpenv) + 1) + strlen(lxc_envs[j])) + 1; ++ lxcenv_buf = malloc(env_buf_len); + if (!lxcenv_buf) { + lxc_free_array((void **)result, free); + return NULL; + } +- if (sprintf(lxcenv_buf, "%s=%s", lxc_envs[j], tmpenv) < 0) { ++ if (snprintf(lxcenv_buf, env_buf_len, "%s=%s", lxc_envs[j], tmpenv) < 0) { + free(lxcenv_buf); + continue; + } +diff --git a/src/lxc/confile.c b/src/lxc/confile.c +index 8262d1e..8a082d5 100644 +--- a/src/lxc/confile.c ++++ b/src/lxc/confile.c +@@ -3802,9 +3802,11 @@ static int get_config_no_new_privs(const char *key, char *retv, int inlen, + static int get_config_prlimit(const char *key, char *retv, int inlen, + struct lxc_conf *c, void *data) + { +- int fulllen = 0, len; ++ int fulllen = 0; ++ int len = 0; + bool get_all = false; +- struct lxc_list *it; ++ struct lxc_list *it = NULL; ++ int nret = 0; + + if (!retv) + inlen = 0; +@@ -3818,32 +3820,40 @@ static int get_config_prlimit(const char *key, char *retv, int inlen, + else + return -1; + ++#define MAX_LIMIT_BUF_LEN ((INTTYPE_TO_STRLEN(uint64_t) * 2) + 2) + lxc_list_for_each(it, &c->limits) { + /* 2 colon separated 64 bit integers or the word 'unlimited' */ +- char buf[INTTYPE_TO_STRLEN(uint64_t) * 2 + 2]; ++ char buf[MAX_LIMIT_BUF_LEN] = { 0 }; + int partlen; + struct lxc_limit *lim = it->elem; + + if (lim->limit.rlim_cur == RLIM_INFINITY) { +- memcpy(buf, "unlimited", STRLITERALLEN("unlimited") + 1); ++ if (memcpy(buf, "unlimited", STRLITERALLEN("unlimited") + 1) == NULL) { ++ return -1; ++ } + partlen = STRLITERALLEN("unlimited"); + } else { +- partlen = sprintf(buf, "%" PRIu64, +- (uint64_t)lim->limit.rlim_cur); ++ partlen = snprintf(buf, MAX_LIMIT_BUF_LEN, "%" PRIu64, (uint64_t)lim->limit.rlim_cur); ++ if (partlen < 0) { ++ return -1; ++ } + } + + if (lim->limit.rlim_cur != lim->limit.rlim_max) { +- if (lim->limit.rlim_max == RLIM_INFINITY) +- memcpy(buf + partlen, ":unlimited", +- STRLITERALLEN(":unlimited") + 1); +- else +- sprintf(buf + partlen, ":%" PRIu64, +- (uint64_t)lim->limit.rlim_max); ++ if (lim->limit.rlim_max == RLIM_INFINITY) { ++ if (memcpy(buf + partlen, ":unlimited", STRLITERALLEN(":unlimited") + 1) == NULL) { ++ return -1; ++ } ++ } else { ++ nret = snprintf(buf + partlen, (MAX_LIMIT_BUF_LEN - partlen), ":%" PRIu64, (uint64_t)lim->limit.rlim_max); ++ if (nret < 0) { ++ return -1; ++ } ++ } + } + + if (get_all) { +- strprint(retv, inlen, "lxc.prlimit.%s = %s\n", +- lim->resource, buf); ++ strprint(retv, inlen, "lxc.prlimit.%s = %s\n", lim->resource, buf); + } else if (strcmp(lim->resource, key) == 0) { + strprint(retv, inlen, "%s", buf); + } +diff --git a/src/lxc/json/json_common.c b/src/lxc/json/json_common.c +index bea9b14..5da1e6d 100755 +--- a/src/lxc/json/json_common.c ++++ b/src/lxc/json/json_common.c +@@ -16,7 +16,7 @@ yajl_gen_status reformat_uint(void *ctx, long long unsigned int num) { + char numstr[MAX_NUM_STR_LEN]; + int ret; + +- ret = sprintf(numstr, "%llu", num); ++ ret = snprintf(numstr, MAX_NUM_STR_LEN, "%llu", num); + if (ret < 0) { + return yajl_gen_in_error_state; + } +@@ -27,7 +27,7 @@ yajl_gen_status reformat_int(void *ctx, long long int num) { + char numstr[MAX_NUM_STR_LEN]; + int ret; + +- ret = sprintf(numstr, "%lld", num); ++ ret = snprintf(numstr, MAX_NUM_STR_LEN, "%lld", num); + if (ret < 0) { + return yajl_gen_in_error_state; + } +@@ -399,7 +399,7 @@ yajl_gen_status gen_json_map_int_int(void *ctx, json_map_int_int *map, struct pa + for (i = 0; i < len; i++) { + char numstr[MAX_NUM_STR_LEN]; + int nret; +- nret = sprintf(numstr, "%lld", (long long int)map->keys[i]); ++ nret = snprintf(numstr, MAX_NUM_STR_LEN, "%lld", (long long int)map->keys[i]); + if (nret < 0) { + if (!*err && asprintf(err, "Error to print string") < 0) { + *(err) = safe_strdup("error allocating memory"); +@@ -545,7 +545,7 @@ yajl_gen_status gen_json_map_int_bool(void *ctx, json_map_int_bool *map, struct + for (i = 0; i < len; i++) { + char numstr[MAX_NUM_STR_LEN]; + int nret; +- nret = sprintf(numstr, "%lld", (long long int)map->keys[i]); ++ nret = snprintf(numstr, MAX_NUM_STR_LEN, "%lld", (long long int)map->keys[i]); + if (nret < 0) { + if (!*err && asprintf(err, "Error to print string") < 0) { + *(err) = safe_strdup("error allocating memory"); +@@ -686,7 +686,7 @@ yajl_gen_status gen_json_map_int_string(void *ctx, json_map_int_string *map, str + for (i = 0; i < len; i++) { + char numstr[MAX_NUM_STR_LEN]; + int nret; +- nret = sprintf(numstr, "%lld", (long long int)map->keys[i]); ++ nret = snprintf(numstr, MAX_NUM_STR_LEN, "%lld", (long long int)map->keys[i]); + if (nret < 0) { + if (!*err && asprintf(err, "Error to print string") < 0) { + *(err) = safe_strdup("error allocating memory"); +@@ -1184,4 +1184,4 @@ int append_json_map_string_string(json_map_string_string *map, const char *key, + + map->len++; + return 0; +-} +\ No newline at end of file ++} +diff --git a/src/lxc/lxccontainer.c b/src/lxc/lxccontainer.c +index ede4c88..3b2c5af 100644 +--- a/src/lxc/lxccontainer.c ++++ b/src/lxc/lxccontainer.c +@@ -3196,7 +3196,11 @@ static bool container_destroy(struct lxc_container *c, + char msg[BUFSIZ] = { 0 }; + ERROR("Failed to destroy directory \"%s\" for \"%s\"", path, + c->name); +- sprintf(msg, "Failed to destroy directory \"%s\": %s", path, errno ? strerror(errno) : "error"); ++ ret = snprintf(msg, BUFSIZ, "Failed to destroy directory \"%s\": %s", path, errno ? strerror(errno) : "error"); ++ if (ret < 0) { ++ ERROR("Sprintf failed"); ++ goto out; ++ } + c->error_string = safe_strdup(msg); + goto out; + } +@@ -5278,7 +5282,7 @@ static int set_start_extral_configs(struct lxc_container *c) + return -1; + } + } +- if (sprintf(fpath, "%s/%s/%s", c->config_path, c->name, START_GENERATE_CONFIG) < 0) { ++ if (snprintf(fpath, PATH_MAX, "%s/%s/%s", c->config_path, c->name, START_GENERATE_CONFIG) < 0) { + fprintf(stderr, "Sprintf config path failed\n"); + return -1; + } +diff --git a/src/lxc/terminal.c b/src/lxc/terminal.c +index 970db69..b9b65c6 100644 +--- a/src/lxc/terminal.c ++++ b/src/lxc/terminal.c +@@ -241,13 +241,13 @@ static int lxc_terminal_rename_old_log_file(struct lxc_terminal *terminal) + char *rename_fname = NULL; + + for (i = terminal->log_rotate - 1; i > 1; i--) { +- ret = sprintf(tmp, "%s.%u", terminal->log_path, i); ++ ret = snprintf(tmp, PATH_MAX, "%s.%u", terminal->log_path, i); + if (ret < 0) { + return -EFBIG; + } + free(rename_fname); + rename_fname = safe_strdup(tmp); +- ret = sprintf(tmp, "%s.%u", terminal->log_path, (i - 1)); ++ ret = snprintf(tmp, PATH_MAX, "%s.%u", terminal->log_path, (i - 1)); + if (ret < 0) { + free(rename_fname); + return -EFBIG; +@@ -284,11 +284,21 @@ static int lxc_terminal_rotate_log_file(struct lxc_terminal *terminal) + } + + len = strlen(terminal->log_path) + sizeof(".1"); +- tmp = alloca(len); ++ tmp = malloc(len); ++ if (tmp == NULL) { ++ ERROR("Out of memory"); ++ return -1; ++ } ++ if (memset(tmp, 0, len) != NULL) { ++ ERROR("Memset failed"); ++ goto free_out; ++ } + + ret = snprintf(tmp, len, "%s.1", terminal->log_path); +- if (ret < 0 || (size_t)ret >= len) +- return -EFBIG; ++ if (ret < 0 || (size_t)ret >= len) { ++ ret = -EFBIG; ++ goto free_out; ++ } + + close(terminal->log_fd); + terminal->log_fd = -1; +@@ -297,7 +307,10 @@ static int lxc_terminal_rotate_log_file(struct lxc_terminal *terminal) + SYSERROR("Rename container log file failed"); + } + +- return lxc_terminal_create_log_file(terminal); ++ ret = lxc_terminal_create_log_file(terminal); ++free_out: ++ free(tmp); ++ return ret; + } + + static int lxc_terminal_rotate_write_data(struct lxc_terminal *terminal, const char *buf, +@@ -403,6 +416,7 @@ static bool get_time_buffer(struct timespec *timestamp, char *timebuffer, + struct tm tm_utc = { 0 }; + int32_t nanos = 0; + time_t seconds; ++ size_t len = 0; + + if (!timebuffer || !maxsize) { + return false; +@@ -413,7 +427,10 @@ static bool get_time_buffer(struct timespec *timestamp, char *timebuffer, + strftime(timebuffer, maxsize, "%Y-%m-%dT%H:%M:%S", &tm_utc); + + nanos = (int32_t)timestamp->tv_nsec; +- sprintf(timebuffer + strlen(timebuffer), ".%09dZ", nanos); ++ len = strlen(timebuffer); ++ if (snprintf(timebuffer + len, (maxsize - len), ".%09dZ", nanos) < 0) { ++ return false; ++ } + + return true; + } +-- +1.8.3.1 + diff --git a/0113-Malloc-parameter-check-and-judgment.patch b/0113-Malloc-parameter-check-and-judgment.patch new file mode 100644 index 0000000..8416812 --- /dev/null +++ b/0113-Malloc-parameter-check-and-judgment.patch @@ -0,0 +1,575 @@ +From f53063c9edbb851756c4e0af0840a0d81e0b5276 Mon Sep 17 00:00:00 2001 +From: liuhao +Date: Thu, 4 Jul 2019 12:08:17 +0800 +Subject: [PATCH 113/122] Malloc parameter check and judgment + +Signed-off-by: wujing +Signed-off-by: LiFeng +--- + src/lxc/attach.c | 2 +- + src/lxc/commands.c | 9 ++- + src/lxc/conf.c | 20 ++++-- + src/lxc/confile.c | 8 +-- + src/lxc/json/container_start_generate_config.c | 12 +++- + src/lxc/json/defs.c | 8 +++ + src/lxc/json/json_common.c | 97 +++++++++----------------- + src/lxc/json/logger_json_file.c | 6 +- + src/lxc/lxccontainer.c | 12 +++- + src/lxc/path.c | 8 ++- + src/lxc/start.c | 6 +- + src/lxc/terminal.c | 2 +- + src/lxc/utils.c | 4 +- + 13 files changed, 104 insertions(+), 90 deletions(-) + +diff --git a/src/lxc/attach.c b/src/lxc/attach.c +index d7b16e3..ac4bd39 100644 +--- a/src/lxc/attach.c ++++ b/src/lxc/attach.c +@@ -1188,7 +1188,7 @@ static int create_attach_timeout_thread(int64_t attach_timeout, pid_t pid) + struct attach_timeout_conf *timeout_conf = NULL; + + timeout_conf = malloc(sizeof(struct attach_timeout_conf)); +- if (!timeout_conf) { ++ if (timeout_conf == NULL) { + ERROR("Failed to malloc attach timeout conf"); + ret = -1; + goto out; +diff --git a/src/lxc/commands.c b/src/lxc/commands.c +index 0802a16..fa02a4b 100644 +--- a/src/lxc/commands.c ++++ b/src/lxc/commands.c +@@ -1075,11 +1075,16 @@ int lxc_cmd_set_terminal_fifos(const char *name, const char *lxcpath, const char + const char *cmd_out_fifo = out_fifo ? out_fifo : none_fifo_name; + const char *cmd_err_fifo = err_fifo ? err_fifo : none_fifo_name; + ++ if (len + strlen(cmd_in_fifo) + strlen(split) + strlen(cmd_out_fifo) + ++ strlen(split) + strlen(cmd_err_fifo) == SIZE_MAX) ++ return -1; + len += strlen(cmd_in_fifo) + strlen(split) + strlen(cmd_out_fifo) + strlen(split) + strlen(cmd_err_fifo) + 1; + tmp = malloc(len); +- if (!tmp) ++ if (tmp == NULL) ++ return -1; ++ ret = snprintf(tmp, len, "%s%s%s%s%s", cmd_in_fifo, split, cmd_out_fifo, split, cmd_err_fifo); ++ if (ret < 0) + return -1; +- snprintf(tmp, len, "%s%s%s%s%s", cmd_in_fifo, split, cmd_out_fifo, split, cmd_err_fifo); + + struct lxc_cmd_rr cmd = { + .req = { +diff --git a/src/lxc/conf.c b/src/lxc/conf.c +index 996d267..3ecccbd 100644 +--- a/src/lxc/conf.c ++++ b/src/lxc/conf.c +@@ -4393,7 +4393,11 @@ int lxc_drop_caps(struct lxc_conf *conf) + + // caplist[i] is 1 if we keep capability i + caplist = malloc(numcaps * sizeof(int)); +- memset(caplist, 0, numcaps * sizeof(int)); ++ if (caplist == NULL) { ++ ERROR("Out of memory"); ++ return -1; ++ } ++ (void)memset(caplist, 0, numcaps * sizeof(int)); + + lxc_list_for_each(iterator, caps) { + +@@ -4488,8 +4492,8 @@ static char* generate_json_str(const char *name, const char *lxcpath, const char + cpid = "-1"; + } + +- if ((SIZE_MAX - strlen(name) - strlen(cpid) - strlen(rootfs) - strlen(lxcpath) - strlen(name)) < +- (strlen("{\"ociVersion\":\"\",\"id\":\"\",\"pid\":,\"root\":\"\",\"bundle\":\"\"}") + 1 + 1)) { ++ if ((strlen(name) + strlen(cpid) + strlen(rootfs) + strlen(lxcpath) + strlen(name)) > ++ SIZE_MAX - (strlen("{\"ociVersion\":\"\",\"id\":\"\",\"pid\":,\"root\":\"\",\"bundle\":\"\"}") - 1 - 1)) { + ERROR("Out of memory"); + ret = -1; + goto out_free; +@@ -4499,7 +4503,7 @@ static char* generate_json_str(const char *name, const char *lxcpath, const char + size = strlen("{\"ociVersion\":\"\",\"id\":\"\",\"pid\":,\"root\":\"\",\"bundle\":\"\"}") + + strlen(name) + strlen(cpid) + strlen(rootfs) + strlen(lxcpath) + 1 + strlen(name) + 1; + inmsg = malloc(size); +- if (!inmsg) { ++ if (inmsg == NULL) { + ERROR("Out of memory"); + ret = -1; + goto out_free; +@@ -4531,9 +4535,11 @@ static char **merge_ocihook_env(char **oldenvs, size_t env_len, size_t *merge_en + }; + char *lxcenv_buf = NULL; + ++ if (result_len > SIZE_MAX - (sizeof(lxc_envs) / sizeof(char *)) - 1) ++ return NULL; + result_len += (sizeof(lxc_envs) / sizeof(char *)) + 1; + result = malloc(sizeof(char *) * result_len); +- if (!result) ++ if (result == NULL) + return NULL; + memset(result, 0, sizeof(char *) * result_len); + +@@ -4552,7 +4558,7 @@ static char **merge_ocihook_env(char **oldenvs, size_t env_len, size_t *merge_en + } + env_buf_len = ((strlen(tmpenv) + 1) + strlen(lxc_envs[j])) + 1; + lxcenv_buf = malloc(env_buf_len); +- if (!lxcenv_buf) { ++ if (lxcenv_buf == NULL) { + lxc_free_array((void **)result, free); + return NULL; + } +@@ -4759,7 +4765,7 @@ static int run_ocihook_buffer(struct oci_hook_conf *oconf, const char *inmsg) + } + + conf = malloc(sizeof(struct wait_conf)); +- if (!conf) { ++ if (conf == NULL) { + SYSERROR("Failed to malloc."); + goto on_error; + } +diff --git a/src/lxc/confile.c b/src/lxc/confile.c +index 8a082d5..a75e023 100644 +--- a/src/lxc/confile.c ++++ b/src/lxc/confile.c +@@ -2318,13 +2318,13 @@ static int set_config_populate_device(const char *key, const char *value, + + /* allocate list element */ + dev_list = malloc(sizeof(*dev_list)); +- if (!dev_list) ++ if (dev_list == NULL) + goto on_error; + + lxc_list_init(dev_list); + + dev_elem = malloc(sizeof(*dev_elem)); +- if (!dev_elem) ++ if (dev_elem == NULL) + goto on_error; + memset(dev_elem, 0, sizeof(*dev_elem)); + +@@ -2362,7 +2362,7 @@ static int set_config_rootfs_masked_paths(const char *key, const char *value, + return lxc_clear_rootfs_masked_paths(lxc_conf); + + list_item = malloc(sizeof(*list_item)); +- if (!list_item) ++ if (list_item == NULL) + goto on_error; + + list_item->elem = safe_strdup(value); +@@ -2387,7 +2387,7 @@ static int set_config_rootfs_ro_paths(const char *key, const char *value, + return lxc_clear_rootfs_ro_paths(lxc_conf); + + list_item = malloc(sizeof(*list_item)); +- if (!list_item) ++ if (list_item == NULL) + goto on_error; + + list_item->elem = safe_strdup(value); +diff --git a/src/lxc/json/container_start_generate_config.c b/src/lxc/json/container_start_generate_config.c +index 5ec8311..3748973 100644 +--- a/src/lxc/json/container_start_generate_config.c ++++ b/src/lxc/json/container_start_generate_config.c +@@ -41,6 +41,11 @@ container_start_generate_config *make_container_start_generate_config(yajl_val t + if (tmp != NULL && YAJL_GET_ARRAY(tmp) != NULL && YAJL_GET_ARRAY(tmp)->len > 0) { + size_t i; + ret->additional_gids_len = YAJL_GET_ARRAY(tmp)->len; ++ if (YAJL_GET_ARRAY(tmp)->len > SIZE_MAX / sizeof(*ret->additional_gids) - 1) { ++ *err = safe_strdup("invalid additional gids size"); ++ free_container_start_generate_config(ret); ++ return NULL; ++ } + ret->additional_gids = safe_malloc((YAJL_GET_ARRAY(tmp)->len + 1) * sizeof(*ret->additional_gids)); + for (i = 0; i < YAJL_GET_ARRAY(tmp)->len; i++) { + yajl_val val = YAJL_GET_ARRAY(tmp)->values[i]; +@@ -233,8 +238,13 @@ char *container_start_generate_config_generate_json(container_start_generate_con + goto free_out; + } + ++ if (gen_len == SIZE_MAX) { ++ *err = safe_strdup("Invalid buffer length"); ++ goto free_out; ++ } ++ + json_buf = safe_malloc(gen_len + 1); +- (void)memcpy(json_buf, gen_buf, gen_len); ++ (void)memcpy(json_buf, gen_buf, gen_len); + json_buf[gen_len] = '\0'; + + free_out: +diff --git a/src/lxc/json/defs.c b/src/lxc/json/defs.c +index 8a052a8..4bf569a 100644 +--- a/src/lxc/json/defs.c ++++ b/src/lxc/json/defs.c +@@ -24,6 +24,10 @@ defs_hook *make_defs_hook(yajl_val tree, struct parser_context *ctx, parser_erro + if (tmp != NULL && YAJL_GET_ARRAY(tmp) != NULL && YAJL_GET_ARRAY(tmp)->len > 0) { + size_t i; + ret->args_len = YAJL_GET_ARRAY(tmp)->len; ++ if (YAJL_GET_ARRAY(tmp)->len > SIZE_MAX / sizeof(*ret->args) - 1) { ++ free_defs_hook(ret); ++ return NULL; ++ } + ret->args = safe_malloc((YAJL_GET_ARRAY(tmp)->len + 1) * sizeof(*ret->args)); + for (i = 0; i < YAJL_GET_ARRAY(tmp)->len; i++) { + yajl_val val = YAJL_GET_ARRAY(tmp)->values[i]; +@@ -39,6 +43,10 @@ defs_hook *make_defs_hook(yajl_val tree, struct parser_context *ctx, parser_erro + if (tmp != NULL && YAJL_GET_ARRAY(tmp) != NULL && YAJL_GET_ARRAY(tmp)->len > 0) { + size_t i; + ret->env_len = YAJL_GET_ARRAY(tmp)->len; ++ if (YAJL_GET_ARRAY(tmp)->len > SIZE_MAX / sizeof(*ret->env) - 1) { ++ free_defs_hook(ret); ++ return NULL; ++ } + ret->env = safe_malloc((YAJL_GET_ARRAY(tmp)->len + 1) * sizeof(*ret->env)); + for (i = 0; i < YAJL_GET_ARRAY(tmp)->len; i++) { + yajl_val val = YAJL_GET_ARRAY(tmp)->values[i]; +diff --git a/src/lxc/json/json_common.c b/src/lxc/json/json_common.c +index 5da1e6d..ed2fe83 100755 +--- a/src/lxc/json/json_common.c ++++ b/src/lxc/json/json_common.c +@@ -445,6 +445,9 @@ json_map_int_int *make_json_map_int_int(yajl_val src, struct parser_context *ctx + if (src != NULL && YAJL_GET_OBJECT(src) != NULL) { + size_t i; + size_t len = YAJL_GET_OBJECT(src)->len; ++ if (len > SIZE_MAX / sizeof(int) - 1) { ++ return NULL; ++ } + ret = safe_malloc(sizeof(*ret)); + ret->len = len; + ret->keys = safe_malloc((len + 1) * sizeof(int)); +@@ -505,16 +508,8 @@ int append_json_map_int_int(json_map_int_int *map, int key, int val) { + vals = safe_malloc(len * sizeof(int)); + + if (map->len) { +- if (memcpy(keys, map->keys, map->len * sizeof(int)) != NULL) { +- free(keys); +- free(vals); +- return -1; +- } +- if (memcpy(vals, map->values, map->len * sizeof(int)) != NULL) { +- free(keys); +- free(vals); +- return -1; +- } ++ (void)memcpy(keys, map->keys, map->len * sizeof(int)); ++ (void)memcpy(vals, map->values, map->len * sizeof(int)); + } + free(map->keys); + map->keys = keys; +@@ -591,6 +586,9 @@ json_map_int_bool *make_json_map_int_bool(yajl_val src, struct parser_context *c + if (src != NULL && YAJL_GET_OBJECT(src) != NULL) { + size_t i; + size_t len = YAJL_GET_OBJECT(src)->len; ++ if (len > SIZE_MAX / sizeof(int) - 1) { ++ return NULL; ++ } + ret = safe_malloc(sizeof(*ret)); + ret->len = len; + ret->keys = safe_malloc((len + 1) * sizeof(int)); +@@ -646,16 +644,8 @@ int append_json_map_int_bool(json_map_int_bool *map, int key, bool val) { + vals = safe_malloc(len * sizeof(bool)); + + if (map->len) { +- if (memcpy(keys, map->keys, map->len * sizeof(int)) != NULL) { +- free(keys); +- free(vals); +- return -1; +- } +- if (memcpy(vals, map->values, map->len * sizeof(bool)) != NULL) { +- free(keys); +- free(vals); +- return -1; +- } ++ (void)memcpy(keys, map->keys, map->len * sizeof(int)); ++ (void)memcpy(vals, map->values, map->len * sizeof(bool)); + } + free(map->keys); + map->keys = keys; +@@ -733,6 +723,9 @@ json_map_int_string *make_json_map_int_string(yajl_val src, struct parser_contex + if (src != NULL && YAJL_GET_OBJECT(src) != NULL) { + size_t i; + size_t len = YAJL_GET_OBJECT(src)->len; ++ if (len > SIZE_MAX / sizeof(char *) - 1) { ++ return NULL; ++ } + ret = safe_malloc(sizeof(*ret)); + ret->len = len; + ret->keys = safe_malloc((len + 1) * sizeof(int)); +@@ -786,16 +779,8 @@ int append_json_map_int_string(json_map_int_string *map, int key, const char *va + vals = safe_malloc(len * sizeof(char *)); + + if (map->len) { +- if (memcpy(keys, map->keys, map->len * sizeof(int)) != NULL) { +- free(keys); +- free(vals); +- return -1; +- } +- if (memcpy(vals, map->values, map->len * sizeof(char *)) != NULL) { +- free(keys); +- free(vals); +- return -1; +- } ++ (void)memcpy(keys, map->keys, map->len * sizeof(int)); ++ (void)memcpy(vals, map->values, map->len * sizeof(char *)); + } + free(map->keys); + map->keys = keys; +@@ -864,6 +849,9 @@ json_map_string_int *make_json_map_string_int(yajl_val src, struct parser_contex + if (src != NULL && YAJL_GET_OBJECT(src) != NULL) { + size_t i; + size_t len = YAJL_GET_OBJECT(src)->len; ++ if (len > SIZE_MAX / sizeof(char *) - 1) { ++ return NULL; ++ } + ret = safe_malloc(sizeof(*ret)); + ret->len = len; + ret->keys = safe_malloc((len + 1) * sizeof(char *)); +@@ -913,16 +901,8 @@ int append_json_map_string_int(json_map_string_int *map, const char *key, int va + vals = safe_malloc(len * sizeof(int)); + + if (map->len) { +- if (memcpy(keys, map->keys, map->len * sizeof(char *)) != NULL) { +- free(keys); +- free(vals); +- return -1; +- } +- if (memcpy(vals, map->values, map->len * sizeof(int)) != NULL) { +- free(keys); +- free(vals); +- return -1; +- } ++ (void)memcpy(keys, map->keys, map->len * sizeof(char *)); ++ (void)memcpy(vals, map->values, map->len * sizeof(int)); + } + free(map->keys); + map->keys = keys; +@@ -991,6 +971,9 @@ json_map_string_bool *make_json_map_string_bool(yajl_val src, struct parser_cont + if (src != NULL && YAJL_GET_OBJECT(src) != NULL) { + size_t i; + size_t len = YAJL_GET_OBJECT(src)->len; ++ if (len > SIZE_MAX / sizeof(char *) - 1) { ++ return NULL; ++ } + ret = safe_malloc(sizeof(*ret)); + ret->len = len; + ret->keys = safe_malloc((len + 1) * sizeof(char *)); +@@ -1017,6 +1000,7 @@ json_map_string_bool *make_json_map_string_bool(yajl_val src, struct parser_cont + } + return ret; + } ++ + int append_json_map_string_bool(json_map_string_bool *map, const char *key, bool val) { + size_t len; + char **keys = NULL; +@@ -1035,16 +1019,8 @@ int append_json_map_string_bool(json_map_string_bool *map, const char *key, bool + vals = safe_malloc(len * sizeof(bool)); + + if (map->len) { +- if (memcpy(keys, map->keys, map->len * sizeof(char *)) != NULL) { +- free(keys); +- free(vals); +- return -1; +- } +- if (memcpy(vals, map->values, map->len * sizeof(bool)) != NULL) { +- free(keys); +- free(vals); +- return -1; +- } ++ (void)memcpy(keys, map->keys, map->len * sizeof(char *)); ++ (void)memcpy(vals, map->values, map->len * sizeof(bool)); + } + free(map->keys); + map->keys = keys; +@@ -1114,6 +1090,9 @@ json_map_string_string *make_json_map_string_string(yajl_val src, struct parser_ + if (src != NULL && YAJL_GET_OBJECT(src) != NULL) { + size_t i; + size_t len = YAJL_GET_OBJECT(src)->len; ++ if (len > SIZE_MAX / sizeof(char *) - 1) { ++ return NULL; ++ } + ret = safe_malloc(sizeof(*ret)); + ret->len = len; + ret->keys = safe_malloc((len + 1) * sizeof(char *)); +@@ -1149,9 +1128,9 @@ int append_json_map_string_string(json_map_string_string *map, const char *key, + + for (i = 0; i < map->len; i++) { + if (strcmp(map->keys[i], key) == 0) { +- free(map->values[i]); +- map->values[i] = safe_strdup(val ? val : ""); +- return 0; ++ free(map->values[i]); ++ map->values[i] = safe_strdup(val ? val : ""); ++ return 0; + } + } + +@@ -1164,16 +1143,8 @@ int append_json_map_string_string(json_map_string_string *map, const char *key, + vals = safe_malloc(len * sizeof(char *)); + + if (map->len) { +- if (memcpy(keys, map->keys, map->len * sizeof(char *)) != NULL) { +- free(keys); +- free(vals); +- return -1; +- } +- if (memcpy(vals, map->values, map->len * sizeof(char *)) != NULL) { +- free(keys); +- free(vals); +- return -1; +- } ++ (void)memcpy(keys, map->keys, map->len * sizeof(char *)); ++ (void)memcpy(vals, map->values, map->len * sizeof(char *)); + } + free(map->keys); + map->keys = keys; +diff --git a/src/lxc/json/logger_json_file.c b/src/lxc/json/logger_json_file.c +index 842d35b..6abeef4 100644 +--- a/src/lxc/json/logger_json_file.c ++++ b/src/lxc/json/logger_json_file.c +@@ -230,8 +230,12 @@ char *logger_json_file_generate_json(logger_json_file *ptr, struct parser_contex + goto free_out; + } + ++ if (gen_len == SIZE_MAX) { ++ *err = safe_strdup("Invalid buffer length"); ++ goto free_out; ++ } + json_buf = safe_malloc(gen_len + 1); +- memcpy(json_buf, gen_buf, gen_len); ++ (void)memcpy(json_buf, gen_buf, gen_len); + json_buf[gen_len] = '\0'; + + free_out: +diff --git a/src/lxc/lxccontainer.c b/src/lxc/lxccontainer.c +index 3b2c5af..5a72483 100644 +--- a/src/lxc/lxccontainer.c ++++ b/src/lxc/lxccontainer.c +@@ -928,6 +928,9 @@ static char **use_init_args(char **init_argv, size_t init_args) + + do { + argv = malloc(sizeof(char *)); ++ if (argv == NULL) { ++ return NULL; ++ } + } while (!argv); + + argv[0] = NULL; +@@ -3378,9 +3381,12 @@ static bool set_oci_hook_config_filename(struct lxc_container *c) + return false; + + /* $lxc_path + "/" + c->name + "/" + "config" + '\0' */ ++ if (strlen(c->config_path) + strlen(c->name) > SIZE_MAX - strlen(OCI_HOOK_JSON_FILE_NAME) - 3) ++ return false; + len = strlen(c->config_path) + strlen(c->name) + strlen(OCI_HOOK_JSON_FILE_NAME) + 3; ++ + newpath = malloc(len); +- if (!newpath) ++ if (newpath == NULL) + return false; + + ret = snprintf(newpath, len, "%s/%s/%s", c->config_path, c->name, OCI_HOOK_JSON_FILE_NAME); +@@ -5276,11 +5282,11 @@ static int set_start_extral_configs(struct lxc_container *c) + + if (lconf == NULL) { + c->lxc_conf = malloc(sizeof(struct lxc_conf)); +- lconf = c->lxc_conf; +- if (lconf == NULL) { ++ if (c->lxc_conf == NULL) { + fprintf(stderr, "Out of memory\n"); + return -1; + } ++ lconf = c->lxc_conf; + } + if (snprintf(fpath, PATH_MAX, "%s/%s/%s", c->config_path, c->name, START_GENERATE_CONFIG) < 0) { + fprintf(stderr, "Sprintf config path failed\n"); +diff --git a/src/lxc/path.c b/src/lxc/path.c +index c545887..df285f5 100644 +--- a/src/lxc/path.c ++++ b/src/lxc/path.c +@@ -58,7 +58,7 @@ char *preserve_trailing_dot_or_separator(const char *cleanedpath, + + len = strlen(cleanedpath) + 3; + respath = malloc(len); +- if (!respath) { ++ if (respath == NULL) { + ERROR("Out of memory"); + return NULL; + } +@@ -90,12 +90,16 @@ bool filepath_split(const char *path, char **dir, char **base) + size_t len; + + len = strlen(path); ++ if (len >= PATH_MAX) { ++ ERROR("Invalid path"); ++ return false; ++ } + i = len - 1; + while (i >= 0 && path[i] != '/') + i--; + + *dir = malloc(i + 2); +- if (!*dir) { ++ if (*dir == NULL) { + ERROR("Out of memory"); + return false; + } +diff --git a/src/lxc/start.c b/src/lxc/start.c +index d6c706e..00d478c 100644 +--- a/src/lxc/start.c ++++ b/src/lxc/start.c +@@ -2383,7 +2383,7 @@ static int create_start_timeout_thread(struct lxc_conf *conf, unsigned int start + } + + timeout_conf = malloc(sizeof(struct start_timeout_conf)); +- if (!timeout_conf) { ++ if (timeout_conf == NULL) { + ERROR("Failed to malloc start timeout conf"); + ret = -1; + goto out; +@@ -2657,7 +2657,7 @@ static struct lxc_handler *lxc_init_clean_handler(char *name, char *lxcpath, str + struct lxc_handler *handler; + + handler = malloc(sizeof(*handler)); +- if (!handler) ++ if (handler == NULL) + return NULL; + + memset(handler, 0, sizeof(*handler)); +@@ -2707,7 +2707,7 @@ static struct lxc_handler *lxc_init_pids_handler(char *name, char *lxcpath, stru + struct lxc_handler *handler; + + handler = malloc(sizeof(*handler)); +- if (!handler) ++ if (handler == NULL) + return NULL; + + memset(handler, 0, sizeof(*handler)); +diff --git a/src/lxc/terminal.c b/src/lxc/terminal.c +index b9b65c6..1fee651 100644 +--- a/src/lxc/terminal.c ++++ b/src/lxc/terminal.c +@@ -1330,7 +1330,7 @@ static int lxc_terminal_set_fifo(struct lxc_terminal *console, const char *in, c + } + + fifo_elem = malloc(sizeof(*fifo_elem)); +- if (!fifo_elem) { ++ if (fifo_elem == NULL) { + if (fifofd_in >= 0) + close(fifofd_in); + if (fifofd_out >= 0) +diff --git a/src/lxc/utils.c b/src/lxc/utils.c +index e6e8905..656df4a 100644 +--- a/src/lxc/utils.c ++++ b/src/lxc/utils.c +@@ -1945,9 +1945,9 @@ static proc_t *lxc_stat2proc(const char *S) + *tmp = '\0'; /* replace trailing ')' with NUL */ + + P = malloc(sizeof(proc_t)); +- if (!P) ++ if (P == NULL) + return NULL; +- memset(P, 0x00, sizeof(proc_t)); ++ (void)memset(P, 0x00, sizeof(proc_t)); + + /* parse these two strings separately, skipping the leading "(". */ + num = sscanf(S, "%d (%15c", &P->pid, P->cmd); /* comm[16] in kernel */ +-- +1.8.3.1 + diff --git a/0114-lxc-fix-code-errors.patch b/0114-lxc-fix-code-errors.patch new file mode 100644 index 0000000..d755933 --- /dev/null +++ b/0114-lxc-fix-code-errors.patch @@ -0,0 +1,155 @@ +From 5797a2ceac0c911adf3edbe3e50a9c9c23858ced Mon Sep 17 00:00:00 2001 +From: LiFeng +Date: Thu, 4 Jul 2019 05:10:00 -0400 +Subject: [PATCH 114/122] lxc: fix code errors + +Signed-off-by: LiFeng +--- + src/lxc/attach.c | 14 +++++--------- + src/lxc/conf.c | 11 ++++++----- + src/lxc/confile.c | 8 ++------ + src/lxc/terminal.c | 6 ++---- + 4 files changed, 15 insertions(+), 24 deletions(-) + +diff --git a/src/lxc/attach.c b/src/lxc/attach.c +index ac4bd39..1f14eb4 100644 +--- a/src/lxc/attach.c ++++ b/src/lxc/attach.c +@@ -841,7 +841,7 @@ static int attach_child_main(struct attach_clone_payload *payload) + } + + /* isulad: set workdir */ +- if (init_ctx && init_ctx->container && init_ctx->container->lxc_conf && init_ctx->container->lxc_conf->init_cwd) { ++ if (init_ctx->container->lxc_conf->init_cwd) { + char *init_cwd; + init_cwd = init_ctx->container->lxc_conf->init_cwd; + /* try to create workdir if not exist */ +@@ -933,8 +933,7 @@ static int attach_child_main(struct attach_clone_payload *payload) + goto on_error; + } + +- if ((init_ctx->container && init_ctx->container->lxc_conf && +- init_ctx->container->lxc_conf->no_new_privs) || ++ if ((init_ctx->container->lxc_conf->no_new_privs) || + (options->attach_flags & LXC_ATTACH_NO_NEW_PRIVS)) { + ret = prctl(PR_SET_NO_NEW_PRIVS, prctl_arg(1), prctl_arg(0), + prctl_arg(0), prctl_arg(0)); +@@ -958,8 +957,7 @@ static int attach_child_main(struct attach_clone_payload *payload) + TRACE("Set %s LSM label to \"%s\"", lsm_name(), init_ctx->lsm_label); + } + +- if (init_ctx->container && init_ctx->container->lxc_conf && +- init_ctx->container->lxc_conf->seccomp) { ++ if (init_ctx->container->lxc_conf->seccomp) { + ret = lxc_seccomp_load(init_ctx->container->lxc_conf); + if (ret < 0) + goto on_error; +@@ -1028,8 +1026,7 @@ static int attach_child_main(struct attach_clone_payload *payload) + goto on_error; + } + +- if (init_ctx->container && init_ctx->container->lxc_conf && +- !lxc_setgroups(init_ctx->container->lxc_conf->init_groups_len, ++ if (!lxc_setgroups(init_ctx->container->lxc_conf->init_groups_len, + init_ctx->container->lxc_conf->init_groups)) + goto on_error; + +@@ -1041,8 +1038,7 @@ static int attach_child_main(struct attach_clone_payload *payload) + goto on_error; + } + +- if (init_ctx->container && init_ctx->container->lxc_conf && +- lxc_drop_caps(init_ctx->container->lxc_conf) != 0) { ++ if (lxc_drop_caps(init_ctx->container->lxc_conf) != 0) { + ERROR("Failed to drop caps."); + goto on_error; + } +diff --git a/src/lxc/conf.c b/src/lxc/conf.c +index 3ecccbd..e22e13e 100644 +--- a/src/lxc/conf.c ++++ b/src/lxc/conf.c +@@ -4790,6 +4790,7 @@ static int run_ocihook_buffer(struct oci_hook_conf *oconf, const char *inmsg) + err = pthread_create(&ptid, &attr, wait_ocihook_timeout, conf); + if (err != 0) { + ERROR("Create wait timeout thread failed"); ++ free(conf); + goto on_error; + } + +@@ -4804,17 +4805,17 @@ static int run_ocihook_buffer(struct oci_hook_conf *oconf, const char *inmsg) + goto print_hook; + } else if (WIFEXITED(ret) && WEXITSTATUS(ret) != 0) { + ERROR("Script exited with status %d. output: %s", WEXITSTATUS(ret), output); +- lxc_write_error_message(conf->errfd, "%s:%d: running %s hook caused \"error running hook: exit status %d, output: %s\".", ++ lxc_write_error_message(oconf->errfd, "%s:%d: running %s hook caused \"error running hook: exit status %d, output: %s\".", + __FILE__, __LINE__, +- (conf->which >= NUM_LXC_HOOKS) ? "invalid type" : lxchook_names[conf->which], ++ (oconf->which >= NUM_LXC_HOOKS) ? "invalid type" : lxchook_names[oconf->which], + WEXITSTATUS(ret), output); + + goto print_hook; + } else if (WIFSIGNALED(ret)) { + ERROR("Script terminated by signal %d.", WTERMSIG(ret)); +- lxc_write_error_message(conf->errfd, "%s:%d: running %s hook caused \"error running hook: Script terminated by signal %d\".", ++ lxc_write_error_message(oconf->errfd, "%s:%d: running %s hook caused \"error running hook: Script terminated by signal %d\".", + __FILE__, __LINE__, +- (conf->which >= NUM_LXC_HOOKS) ? "invalid type" : lxchook_names[conf->which], ++ (oconf->which >= NUM_LXC_HOOKS) ? "invalid type" : lxchook_names[oconf->which], + WTERMSIG(ret)); + + goto print_hook; +@@ -4836,7 +4837,7 @@ print_hook: + err_envs_msg = lxc_string_join(" ", (const char **)oconf->ocihook->env, false); + ERROR("Hook script command: \"%s\", args: \"%s\", envs: \"%s\", timeout: %d.", + buffer, err_args_msg ? err_args_msg : "", +- err_envs_msg ? err_envs_msg : "", conf->timeout); ++ err_envs_msg ? err_envs_msg : "", oconf->ocihook->timeout); + + free(err_args_msg); + free(err_envs_msg); +diff --git a/src/lxc/confile.c b/src/lxc/confile.c +index a75e023..0537ebc 100644 +--- a/src/lxc/confile.c ++++ b/src/lxc/confile.c +@@ -3828,9 +3828,7 @@ static int get_config_prlimit(const char *key, char *retv, int inlen, + struct lxc_limit *lim = it->elem; + + if (lim->limit.rlim_cur == RLIM_INFINITY) { +- if (memcpy(buf, "unlimited", STRLITERALLEN("unlimited") + 1) == NULL) { +- return -1; +- } ++ (void)memcpy(buf, "unlimited", STRLITERALLEN("unlimited") + 1); + partlen = STRLITERALLEN("unlimited"); + } else { + partlen = snprintf(buf, MAX_LIMIT_BUF_LEN, "%" PRIu64, (uint64_t)lim->limit.rlim_cur); +@@ -3841,9 +3839,7 @@ static int get_config_prlimit(const char *key, char *retv, int inlen, + + if (lim->limit.rlim_cur != lim->limit.rlim_max) { + if (lim->limit.rlim_max == RLIM_INFINITY) { +- if (memcpy(buf + partlen, ":unlimited", STRLITERALLEN(":unlimited") + 1) == NULL) { +- return -1; +- } ++ (void)memcpy(buf + partlen, ":unlimited", STRLITERALLEN(":unlimited") + 1); + } else { + nret = snprintf(buf + partlen, (MAX_LIMIT_BUF_LEN - partlen), ":%" PRIu64, (uint64_t)lim->limit.rlim_max); + if (nret < 0) { +diff --git a/src/lxc/terminal.c b/src/lxc/terminal.c +index 1fee651..32c69a4 100644 +--- a/src/lxc/terminal.c ++++ b/src/lxc/terminal.c +@@ -289,10 +289,8 @@ static int lxc_terminal_rotate_log_file(struct lxc_terminal *terminal) + ERROR("Out of memory"); + return -1; + } +- if (memset(tmp, 0, len) != NULL) { +- ERROR("Memset failed"); +- goto free_out; +- } ++ ++ (void)memset(tmp, 0, len); + + ret = snprintf(tmp, len, "%s.1", terminal->log_path); + if (ret < 0 || (size_t)ret >= len) { +-- +1.8.3.1 + diff --git a/0115-fix-compile-error-on-ubuntu.patch b/0115-fix-compile-error-on-ubuntu.patch new file mode 100644 index 0000000..ac4269d --- /dev/null +++ b/0115-fix-compile-error-on-ubuntu.patch @@ -0,0 +1,371 @@ +From 7fb5e2b059486b8bd466e2bcb9294653cc62c6d0 Mon Sep 17 00:00:00 2001 +From: liuhao +Date: Thu, 11 Jul 2019 17:42:00 +0800 +Subject: [PATCH 115/122] fix compile error on ubuntu + +fix compile error on ubuntu + +Signed-off-by: liuhao +Signed-off-by: LiFeng +--- + configure.ac | 1 - + src/lxc/Makefile.am | 10 ++++-- + src/lxc/conf.c | 2 +- + src/lxc/confile.c | 2 +- + src/lxc/isulad_utils.c | 87 ++++++++++++++++++++++++++++++++++++++++++++++++++ + src/lxc/isulad_utils.h | 13 ++++++++ + src/lxc/path.c | 2 +- + src/lxc/utils.c | 82 +---------------------------------------------- + src/lxc/utils.h | 6 +--- + 9 files changed, 113 insertions(+), 92 deletions(-) + create mode 100644 src/lxc/isulad_utils.c + create mode 100644 src/lxc/isulad_utils.h + +diff --git a/configure.ac b/configure.ac +index 5963fab..dc85f74 100644 +--- a/configure.ac ++++ b/configure.ac +@@ -706,7 +706,6 @@ AX_CHECK_LINK_FLAG([-z relro], [LDFLAGS="$LDFLAGS -z relro"],,[]) + AX_CHECK_LINK_FLAG([-z now], [LDFLAGS="$LDFLAGS -z now"],,[]) + AX_CHECK_LINK_FLAG([-z noexecstack], [LDFLAGS="$LDFLAGS -z noexecstack"],,[]) + +-LDFLAGS="$LDFLAGS -fPIE -pie" + + CFLAGS="$CFLAGS -Wvla -std=gnu11 -D_FORTIFY_SOURCE=2 -Wall -fPIC -fPIE -pie" + if test "x$enable_werror" = "xyes"; then +diff --git a/src/lxc/Makefile.am b/src/lxc/Makefile.am +index b24fcfd..27240cc 100644 +--- a/src/lxc/Makefile.am ++++ b/src/lxc/Makefile.am +@@ -50,6 +50,7 @@ noinst_HEADERS = attach.h \ + json/oci_runtime_spec.h \ + json/logger_json_file.h \ + json/read-file.h \ ++ isulad_utils.h \ + utils.h + + if IS_BIONIC +@@ -146,6 +147,7 @@ liblxc_la_SOURCES = af_unix.c af_unix.h \ + sync.c sync.h \ + syscall_wrappers.h \ + terminal.c \ ++ isulad_utils.c isulad_utils.h \ + utils.c utils.h \ + version.h \ + json/json_common.c json/json_common.h \ +@@ -232,14 +234,14 @@ AM_CFLAGS += -DUSE_CONFIGPATH_LOGS + endif + + # build the shared library +-liblxc_la_CFLAGS = -fPIC \ +- -fPIE -pie \ ++liblxc_la_CFLAGS = \ + -DPIC \ + -D_FORTIFY_SOURCE=2 -Wall \ + $(AM_CFLAGS) \ + -pthread + + liblxc_la_LDFLAGS = -pthread \ ++ -fPIC \ + -Wl,-no-undefined \ + -Wl,-z,relro \ + -Wl,-z,now \ +@@ -375,6 +377,7 @@ lxc_monitord_SOURCES = cmd/lxc_monitord.c \ + mainloop.c mainloop.h \ + monitor.c monitor.h \ + raw_syscalls.c raw_syscalls.h \ ++ isulad_utils.c isulad_utils.h \ + utils.c utils.h + lxc_user_nic_SOURCES = cmd/lxc_user_nic.c \ + ../include/netns_ifaddrs.c ../include/netns_ifaddrs.h \ +@@ -391,6 +394,7 @@ lxc_usernsexec_SOURCES = cmd/lxc_usernsexec.c \ + file_utils.c file_utils.h \ + string_utils.c string_utils.h \ + syscall_wrappers.h \ ++ isulad_utils.c isulad_utils.h \ + utils.c utils.h + endif + +@@ -411,6 +415,8 @@ init_lxc_static_SOURCES = cmd/lxc_init.c \ + initutils.c initutils.h \ + file_utils.c file_utils.h \ + log.c log.h \ ++ path.c path.h \ ++ isulad_utils.c isulad_utils.h \ + macro.h \ + namespace.c namespace.h \ + string_utils.c string_utils.h +diff --git a/src/lxc/conf.c b/src/lxc/conf.c +index e22e13e..d9a7aae 100644 +--- a/src/lxc/conf.c ++++ b/src/lxc/conf.c +@@ -4934,7 +4934,7 @@ static int do_run_oci_hooks(const char *name, const char *lxcpath, struct lxc_co + work_conf.ocihook = lc->ocihooks->poststart[i]; + nret = run_ocihook_script_argv(name, "lxc", &work_conf, lxcpath, rootpath); + if (nret != 0) +- WARN("running poststart hook %ld failed, ContainerId: %s", i, name); ++ WARN("running poststart hook %zu failed, ContainerId: %s", i, name); + } + break; + case OCI_HOOK_POSTSTOP: +diff --git a/src/lxc/confile.c b/src/lxc/confile.c +index 0537ebc..01fc944 100644 +--- a/src/lxc/confile.c ++++ b/src/lxc/confile.c +@@ -2212,7 +2212,7 @@ static int set_config_init_args(const char *key, const char *value, + struct lxc_conf *lxc_conf, void *data) + { + int ret = 0; +- char *tmp = NULL; ++ void *tmp = NULL; + char *new_value = NULL; + + ret = set_config_string_item(&new_value, value); +diff --git a/src/lxc/isulad_utils.c b/src/lxc/isulad_utils.c +new file mode 100644 +index 0000000..66516a8 +--- /dev/null ++++ b/src/lxc/isulad_utils.c +@@ -0,0 +1,87 @@ ++#include ++#include ++ ++#include "isulad_utils.h" ++#include "log.h" ++#include "path.h" ++ ++lxc_log_define(isulad_utils, lxc); ++ ++void *lxc_common_calloc_s(size_t size) ++{ ++ if (size == 0 || size > SIZE_MAX) { ++ return NULL; ++ } ++ ++ return calloc((size_t)1, size); ++} ++ ++int lxc_mem_realloc(void **newptr, size_t newsize, void *oldptr, size_t oldsize) ++{ ++ void *tmp = NULL; ++ ++ if (newsize == 0) { ++ goto err_out; ++ } ++ ++ tmp = lxc_common_calloc_s(newsize); ++ if (tmp == NULL) { ++ ERROR("Failed to malloc memory"); ++ goto err_out; ++ } ++ ++ if (oldptr != NULL) { ++ memcpy(tmp, oldptr, (newsize < oldsize) ? newsize : oldsize); ++ ++ memset(oldptr, 0, oldsize); ++ ++ free(oldptr); ++ } ++ ++ *newptr = tmp; ++ return 0; ++ ++err_out: ++ return -1; ++} ++ ++char *safe_strdup(const char *src) ++{ ++ char *dst = NULL; ++ ++ if (src == NULL) { ++ return NULL; ++ } ++ ++ dst = strdup(src); ++ if (dst == NULL) { ++ abort(); ++ } ++ ++ return dst; ++} ++ ++int lxc_open(const char *filename, int flags, mode_t mode) ++{ ++ char rpath[PATH_MAX] = {0x00}; ++ ++ if (cleanpath(filename, rpath, sizeof(rpath)) == NULL) { ++ return -1; ++ } ++ if (mode) { ++ return open(rpath, (int)((unsigned int)flags | O_CLOEXEC), mode); ++ } else { ++ return open(rpath, (int)((unsigned int)flags | O_CLOEXEC)); ++ } ++} ++ ++FILE *lxc_fopen(const char *filename, const char *mode) ++{ ++ char rpath[PATH_MAX] = {0x00}; ++ ++ if (cleanpath(filename, rpath, sizeof(rpath)) == NULL) { ++ return NULL; ++ } ++ ++ return fopen_cloexec(rpath, mode); ++} +diff --git a/src/lxc/isulad_utils.h b/src/lxc/isulad_utils.h +new file mode 100644 +index 0000000..852d956 +--- /dev/null ++++ b/src/lxc/isulad_utils.h +@@ -0,0 +1,13 @@ ++#ifndef __LXC_MEM_UTILS_H ++#define __LXC_MEM_UTILS_H ++ ++#include ++ ++extern int lxc_mem_realloc(void **newptr, size_t newsize, void *oldptr, size_t oldsize); ++extern void *lxc_common_calloc_s(size_t size); ++extern char *safe_strdup(const char *src); ++ ++extern int lxc_open(const char *filename, int flags, mode_t mode); ++extern FILE *lxc_fopen(const char *filename, const char *mode); ++ ++#endif +diff --git a/src/lxc/path.c b/src/lxc/path.c +index df285f5..7a5dce9 100644 +--- a/src/lxc/path.c ++++ b/src/lxc/path.c +@@ -10,7 +10,7 @@ + + #include "path.h" + #include "log.h" +-#include "utils.h" ++#include "isulad_utils.h" + + lxc_log_define(lxc_path_ui, lxc); + +diff --git a/src/lxc/utils.c b/src/lxc/utils.c +index 656df4a..1d2e9ee 100644 +--- a/src/lxc/utils.c ++++ b/src/lxc/utils.c +@@ -57,6 +57,7 @@ + #include "syscall_wrappers.h" + #include "utils.h" + #include "path.h" ++#include "isulad_utils.h" + + #ifndef HAVE_STRLCPY + #include "include/strlcpy.h" +@@ -2092,84 +2093,3 @@ bool is_non_negative_num(const char *s) + } + return true; + } +- +-void *lxc_common_calloc_s(size_t size) +-{ +- if (size == 0 || size > SIZE_MAX) { +- return NULL; +- } +- +- return calloc((size_t)1, size); +-} +- +- +-int lxc_mem_realloc(void **newptr, size_t newsize, void *oldptr, size_t oldsize) +-{ +- void *tmp = NULL; +- +- if (newsize == 0) { +- goto err_out; +- } +- +- tmp = lxc_common_calloc_s(newsize); +- if (tmp == NULL) { +- ERROR("Failed to malloc memory"); +- goto err_out; +- } +- +- if (oldptr != NULL) { +- memcpy(tmp, oldptr, (newsize < oldsize) ? newsize : oldsize); +- +- memset(oldptr, 0, oldsize); +- +- free(oldptr); +- } +- +- *newptr = tmp; +- return 0; +- +-err_out: +- return -1; +-} +- +-int lxc_open(const char *filename, int flags, mode_t mode) +-{ +- char rpath[PATH_MAX] = {0x00}; +- +- if (cleanpath(filename, rpath, sizeof(rpath)) == NULL) { +- return -1; +- } +- if (mode) { +- return open(rpath, (int)((unsigned int)flags | O_CLOEXEC), mode); +- } else { +- return open(rpath, (int)((unsigned int)flags | O_CLOEXEC)); +- } +-} +- +-FILE *lxc_fopen(const char *filename, const char *mode) +-{ +- char rpath[PATH_MAX] = {0x00}; +- +- if (cleanpath(filename, rpath, sizeof(rpath)) == NULL) { +- return NULL; +- } +- +- return fopen_cloexec(rpath, mode); +-} +- +-char *safe_strdup(const char *src) +-{ +- char *dst = NULL; +- +- if (src == NULL) { +- return NULL; +- } +- +- dst = strdup(src); +- if (dst == NULL) { +- abort(); +- } +- +- return dst; +-} +- +diff --git a/src/lxc/utils.h b/src/lxc/utils.h +index 0b33f69..1c9bf41 100644 +--- a/src/lxc/utils.h ++++ b/src/lxc/utils.h +@@ -42,6 +42,7 @@ + #include "macro.h" + #include "raw_syscalls.h" + #include "string_utils.h" ++#include "isulad_utils.h" + + /* isulad: replace space with SPACE_MAGIC_STR */ + #define SPACE_MAGIC_STR "[#)" +@@ -324,10 +325,5 @@ extern bool lxc_process_alive(pid_t pid, unsigned long long start_time); + + extern bool is_non_negative_num(const char *s); + extern int lxc_file2str(const char *filename, char ret[], int cap); +-extern int lxc_mem_realloc(void **newptr, size_t newsize, void *oldptr, size_t oldsize); +-extern void *lxc_common_calloc_s(size_t size); +-extern int lxc_open(const char *filename, int flags, mode_t mode); +-extern FILE *lxc_fopen(const char *filename, const char *mode); +-extern char *safe_strdup(const char *src); + + #endif /* __LXC_UTILS_H */ +-- +1.8.3.1 + diff --git a/0116-lxc-set-base-cgroup-path-to.patch b/0116-lxc-set-base-cgroup-path-to.patch new file mode 100644 index 0000000..b1eaa84 --- /dev/null +++ b/0116-lxc-set-base-cgroup-path-to.patch @@ -0,0 +1,34 @@ +From 575a5f505195e9282b0cbffa3f8a446613252861 Mon Sep 17 00:00:00 2001 +From: liuhao +Date: Wed, 19 Jun 2019 16:48:50 +0800 +Subject: [PATCH 116/122] lxc: set base cgroup path to '/' + +reason:base cgroup may be started with /system.slice when cg_hybrid_init +read /proc/1/cgroup on host, and cgroup init will set all containers +cgroup path under /sys/fs/cgroup//system.slice/xxx/lxc +directory, this is not consistent with docker. The default cgroup path +should be under /sys/fs/cgroup//lxc directory. + +Signed-off-by: zhangsong +Signed-off-by: LiFeng +--- + src/lxc/cgroups/cgfsng.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/src/lxc/cgroups/cgfsng.c b/src/lxc/cgroups/cgfsng.c +index 46f13f4..7c92abe 100644 +--- a/src/lxc/cgroups/cgfsng.c ++++ b/src/lxc/cgroups/cgfsng.c +@@ -2545,6 +2545,9 @@ static bool cg_hybrid_init(struct cgroup_ops *ops) + if (!writeable) + goto next; + */ ++ if (strlen(base_cgroup) > 1 && base_cgroup[0] == '/') { ++ base_cgroup[1] = '\0'; ++ } + if (type == CGROUP2_SUPER_MAGIC) { + char *cgv2_ctrl_path; + +-- +1.8.3.1 + diff --git a/0117-pupulate-device-with-dir-mode-750-and-set-uid-gid.patch b/0117-pupulate-device-with-dir-mode-750-and-set-uid-gid.patch new file mode 100644 index 0000000..696a933 --- /dev/null +++ b/0117-pupulate-device-with-dir-mode-750-and-set-uid-gid.patch @@ -0,0 +1,53 @@ +From d17249766b7e2de7246b5c2bfcd30dca2da6d38e Mon Sep 17 00:00:00 2001 +From: LiFeng +Date: Wed, 31 Jul 2019 05:24:11 -0400 +Subject: [PATCH 117/122] pupulate device with dir mode 750 and set uid/gid + +Signed-off-by: LiFeng +--- + src/lxc/conf.c | 3 --- + src/lxc/confile.c | 2 ++ + 2 files changed, 2 insertions(+), 3 deletions(-) + +diff --git a/src/lxc/conf.c b/src/lxc/conf.c +index d9a7aae..0b10a2d 100644 +--- a/src/lxc/conf.c ++++ b/src/lxc/conf.c +@@ -4005,13 +4005,11 @@ static int setup_populate_devs(const struct lxc_rootfs *rootfs, struct lxc_list + int ret = 0; + char *pathdirname = NULL; + char path[MAXPATHLEN]; +- mode_t cmask; + mode_t file_mode = 0; + struct lxc_populate_devs *dev_elem = NULL; + struct lxc_list *it = NULL; + + INFO("Populating devices into container"); +- cmask = umask(S_IXUSR | S_IXGRP | S_IXOTH); + lxc_list_for_each(it, devs) { + dev_elem = it->elem; + +@@ -4072,7 +4070,6 @@ static int setup_populate_devs(const struct lxc_rootfs *rootfs, struct lxc_list + return -1; + } + } +- umask(cmask); + + INFO("Populated devices into container /dev"); + return 0; +diff --git a/src/lxc/confile.c b/src/lxc/confile.c +index 01fc944..3a02e09 100644 +--- a/src/lxc/confile.c ++++ b/src/lxc/confile.c +@@ -2335,6 +2335,8 @@ static int set_config_populate_device(const char *key, const char *value, + dev_elem->file_mode = filemode; + dev_elem->maj = major; + dev_elem->min = minor; ++ dev_elem->uid = (uid_t)uid; ++ dev_elem->gid = (gid_t)gid; + + lxc_list_add_elem(dev_list, dev_elem); + +-- +1.8.3.1 + diff --git a/0118-fix-sscanf-return-value-check.patch b/0118-fix-sscanf-return-value-check.patch new file mode 100644 index 0000000..de4ff9d --- /dev/null +++ b/0118-fix-sscanf-return-value-check.patch @@ -0,0 +1,55 @@ +From 0aade3f699ec02ead3b4707be0e259ded5c1e9ec Mon Sep 17 00:00:00 2001 +From: LiFeng +Date: Mon, 2 Sep 2019 06:24:07 -0400 +Subject: [PATCH 118/122] fix sscanf return value check + +Signed-off-by: LiFeng +--- + src/lxc/start.c | 2 +- + src/lxc/utils.c | 10 +++++++--- + 2 files changed, 8 insertions(+), 4 deletions(-) + +diff --git a/src/lxc/start.c b/src/lxc/start.c +index 00d478c..c1e0d5d 100644 +--- a/src/lxc/start.c ++++ b/src/lxc/start.c +@@ -1904,7 +1904,7 @@ static int lxc_check_container_info(char *filename, pid_t pid, pid_t p_pid, unsi + } + + num = sscanf(sbuf, "%d %Lu %d %Lu", &saved_pid, &saved_start_time, &saved_ppid, &saved_pstart_time); +- if (num < 0) { ++ if (num != 4) { + SYSERROR("Call sscanf error"); + ret = -1; + goto out; +diff --git a/src/lxc/utils.c b/src/lxc/utils.c +index 1d2e9ee..c83c7a3 100644 +--- a/src/lxc/utils.c ++++ b/src/lxc/utils.c +@@ -1952,8 +1952,8 @@ static proc_t *lxc_stat2proc(const char *S) + + /* parse these two strings separately, skipping the leading "(". */ + num = sscanf(S, "%d (%15c", &P->pid, P->cmd); /* comm[16] in kernel */ +- if (num < 0 && errno) { +- ERROR("Call sscanf error: %s", strerror(errno)); ++ if (num != 2) { ++ ERROR("Call sscanf error: %s", errno ? strerror(errno) : ""); + free(P); + return NULL; + } +@@ -1985,7 +1985,11 @@ static proc_t *lxc_stat2proc(const char *S) + &P->exit_signal, &P->processor, /* 2.2.1 ends with "exit_signal" */ + &P->rtprio, &P->sched /* both added to 2.5.18 */ + ); +- ++ if (num != 35) { ++ ERROR("Call sscanf error: %s", errno ? strerror(errno) : ""); ++ free(P); ++ return NULL; ++ } + if (P->tty == 0) + P->tty = -1; /* the old notty val, update elsewhere bef. moving to 0 */ + return P; +-- +1.8.3.1 + diff --git a/0119-remove-unuse-binary.patch b/0119-remove-unuse-binary.patch new file mode 100644 index 0000000..1526df1 --- /dev/null +++ b/0119-remove-unuse-binary.patch @@ -0,0 +1,33 @@ +From 787c3c652d02b6398d6b7fcf2a2f8c9e406552fb Mon Sep 17 00:00:00 2001 +From: LiuHao +Date: Wed, 4 Sep 2019 18:01:39 +0800 +Subject: [PATCH 119/122] remove unuse binary + +Signed-off-by: LiuHao +--- + hooks/Makefile.am | 11 ----------- + 1 file changed, 11 deletions(-) + +diff --git a/hooks/Makefile.am b/hooks/Makefile.am +index 5ae73d7..f55c4a9 100644 +--- a/hooks/Makefile.am ++++ b/hooks/Makefile.am +@@ -10,15 +10,4 @@ hooks_SCRIPTS = \ + squid-deb-proxy-client \ + nvidia + +-binhooks_PROGRAMS = \ +- unmount-namespace +- +-unmount_namespace_SOURCES = \ +- unmount-namespace.c +- +-if IS_BIONIC +-unmount_namespace_SOURCES += \ +- ../src/include/lxcmntent.c ../src/include/lxcmntent.h +-endif +- + EXTRA_DIST=$(hooks_SCRIPTS) +-- +1.8.3.1 + diff --git a/0120-remove-unuse-unmount-namespace.patch b/0120-remove-unuse-unmount-namespace.patch new file mode 100644 index 0000000..8127da7 --- /dev/null +++ b/0120-remove-unuse-unmount-namespace.patch @@ -0,0 +1,25 @@ +From 14cba1d8fc2139afeb0db68c969540c3315768f2 Mon Sep 17 00:00:00 2001 +From: LiuHao +Date: Thu, 5 Sep 2019 11:48:57 +0800 +Subject: [PATCH 120/122] remove unuse unmount-namespace + +Signed-off-by: LiuHao +--- + lxc.spec.in | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/lxc.spec.in b/lxc.spec.in +index 7fcd811..2ca12fe 100644 +--- a/lxc.spec.in ++++ b/lxc.spec.in +@@ -259,7 +259,6 @@ fi + %{_libdir}/*.a + %{_libdir}/%{name} + %{_localstatedir}/* +-%{_libexecdir}/%{name}/hooks/unmount-namespace + %{_libexecdir}/%{name}/lxc-apparmor-load + %{_libexecdir}/%{name}/lxc-monitord + %attr(4111,root,root) %{_libexecdir}/%{name}/lxc-user-nic +-- +1.8.3.1 + diff --git a/0121-optimize-log-when-root-path-is-invalid.patch b/0121-optimize-log-when-root-path-is-invalid.patch new file mode 100644 index 0000000..8bc5ce9 --- /dev/null +++ b/0121-optimize-log-when-root-path-is-invalid.patch @@ -0,0 +1,26 @@ +From a466acb2c1e5d54822e9a7b93f75e9ff93ad511a Mon Sep 17 00:00:00 2001 +From: TanYifeng +Date: Sat, 21 Sep 2019 06:19:25 -0400 +Subject: [PATCH 121/122] optimize log when root path is invalid + +Signed-off-by: TanYifeng +--- + src/lxc/conf.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/lxc/conf.c b/src/lxc/conf.c +index 0b10a2d..5fd65e7 100644 +--- a/src/lxc/conf.c ++++ b/src/lxc/conf.c +@@ -4881,7 +4881,7 @@ static char *get_root_path(const char *path, const char *backend) + strcmp(backend, "loop") == 0) { + tmp = strrchr(path, ':'); + if (tmp == NULL) { +- ERROR("Out of memory"); ++ ERROR("Invalid root path format"); + return NULL; + } + tmp++; +-- +1.8.3.1 + diff --git a/0122-lxc-fix-code-reivew-errors.patch b/0122-lxc-fix-code-reivew-errors.patch new file mode 100644 index 0000000..5feefc2 --- /dev/null +++ b/0122-lxc-fix-code-reivew-errors.patch @@ -0,0 +1,210 @@ +From 2313b7a2a444d841e57dca83814e7b17e67354db Mon Sep 17 00:00:00 2001 +From: LiFeng +Date: Thu, 26 Sep 2019 07:47:19 -0400 +Subject: [PATCH 122/122] lxc: fix code reivew errors + +Signed-off-by: LiFeng +--- + src/lxc/commands.c | 2 +- + src/lxc/commands_utils.c | 2 +- + src/lxc/confile.c | 4 ++-- + src/lxc/json/json_common.c | 15 +++++---------- + src/lxc/lxccontainer.c | 6 ++++-- + src/lxc/terminal.c | 8 +++++--- + src/lxc/utils.c | 2 +- + 7 files changed, 19 insertions(+), 20 deletions(-) + +diff --git a/src/lxc/commands.c b/src/lxc/commands.c +index fa02a4b..7d6cf6f 100644 +--- a/src/lxc/commands.c ++++ b/src/lxc/commands.c +@@ -1083,7 +1083,7 @@ int lxc_cmd_set_terminal_fifos(const char *name, const char *lxcpath, const char + if (tmp == NULL) + return -1; + ret = snprintf(tmp, len, "%s%s%s%s%s", cmd_in_fifo, split, cmd_out_fifo, split, cmd_err_fifo); +- if (ret < 0) ++ if (ret < 0 || ret >= len) + return -1; + + struct lxc_cmd_rr cmd = { +diff --git a/src/lxc/commands_utils.c b/src/lxc/commands_utils.c +index f48f118..56ecce7 100644 +--- a/src/lxc/commands_utils.c ++++ b/src/lxc/commands_utils.c +@@ -144,7 +144,7 @@ int lxc_make_abstract_socket_name(char *path, size_t pathlen, + } + + ret = snprintf(offset, len, "%s/%s/%s", lxcpath, name, suffix); +- if (ret < 0) { ++ if (ret < 0 || ret >= len) { + ERROR("Failed to create abstract socket name"); + return -1; + } +diff --git a/src/lxc/confile.c b/src/lxc/confile.c +index 3a02e09..3eaae4a 100644 +--- a/src/lxc/confile.c ++++ b/src/lxc/confile.c +@@ -3834,7 +3834,7 @@ static int get_config_prlimit(const char *key, char *retv, int inlen, + partlen = STRLITERALLEN("unlimited"); + } else { + partlen = snprintf(buf, MAX_LIMIT_BUF_LEN, "%" PRIu64, (uint64_t)lim->limit.rlim_cur); +- if (partlen < 0) { ++ if (partlen < 0 || partlen >= MAX_LIMIT_BUF_LEN) { + return -1; + } + } +@@ -3844,7 +3844,7 @@ static int get_config_prlimit(const char *key, char *retv, int inlen, + (void)memcpy(buf + partlen, ":unlimited", STRLITERALLEN(":unlimited") + 1); + } else { + nret = snprintf(buf + partlen, (MAX_LIMIT_BUF_LEN - partlen), ":%" PRIu64, (uint64_t)lim->limit.rlim_max); +- if (nret < 0) { ++ if (nret < 0 || nret >= (MAX_LIMIT_BUF_LEN - partlen)) { + return -1; + } + } +diff --git a/src/lxc/json/json_common.c b/src/lxc/json/json_common.c +index ed2fe83..ec20c59 100755 +--- a/src/lxc/json/json_common.c ++++ b/src/lxc/json/json_common.c +@@ -17,7 +17,7 @@ yajl_gen_status reformat_uint(void *ctx, long long unsigned int num) { + int ret; + + ret = snprintf(numstr, MAX_NUM_STR_LEN, "%llu", num); +- if (ret < 0) { ++ if (ret < 0 || ret >= MAX_NUM_STR_LEN) { + return yajl_gen_in_error_state; + } + return reformat_number(ctx, (const char *)numstr, strlen(numstr)); +@@ -28,7 +28,7 @@ yajl_gen_status reformat_int(void *ctx, long long int num) { + int ret; + + ret = snprintf(numstr, MAX_NUM_STR_LEN, "%lld", num); +- if (ret < 0) { ++ if (ret < 0 || ret >= MAX_NUM_STR_LEN) { + return yajl_gen_in_error_state; + } + return reformat_number(ctx, (const char *)numstr, strlen(numstr)); +@@ -400,7 +400,7 @@ yajl_gen_status gen_json_map_int_int(void *ctx, json_map_int_int *map, struct pa + char numstr[MAX_NUM_STR_LEN]; + int nret; + nret = snprintf(numstr, MAX_NUM_STR_LEN, "%lld", (long long int)map->keys[i]); +- if (nret < 0) { ++ if (nret < 0 || nret >= MAX_NUM_STR_LEN) { + if (!*err && asprintf(err, "Error to print string") < 0) { + *(err) = safe_strdup("error allocating memory"); + } +@@ -541,7 +541,7 @@ yajl_gen_status gen_json_map_int_bool(void *ctx, json_map_int_bool *map, struct + char numstr[MAX_NUM_STR_LEN]; + int nret; + nret = snprintf(numstr, MAX_NUM_STR_LEN, "%lld", (long long int)map->keys[i]); +- if (nret < 0) { ++ if (nret < 0 || nret >= MAX_NUM_STR_LEN) { + if (!*err && asprintf(err, "Error to print string") < 0) { + *(err) = safe_strdup("error allocating memory"); + } +@@ -569,11 +569,6 @@ yajl_gen_status gen_json_map_int_bool(void *ctx, json_map_int_bool *map, struct + + void free_json_map_int_bool(json_map_int_bool *map) { + if (map != NULL) { +- size_t i; +- for (i = 0; i < map->len; i++) { +- // No need to free key for type int +- // No need to free value for type bool +- } + free(map->keys); + map->keys = NULL; + free(map->values); +@@ -677,7 +672,7 @@ yajl_gen_status gen_json_map_int_string(void *ctx, json_map_int_string *map, str + char numstr[MAX_NUM_STR_LEN]; + int nret; + nret = snprintf(numstr, MAX_NUM_STR_LEN, "%lld", (long long int)map->keys[i]); +- if (nret < 0) { ++ if (nret < 0 || nret >= MAX_NUM_STR_LEN) { + if (!*err && asprintf(err, "Error to print string") < 0) { + *(err) = safe_strdup("error allocating memory"); + } +diff --git a/src/lxc/lxccontainer.c b/src/lxc/lxccontainer.c +index 5a72483..9f9cbfc 100644 +--- a/src/lxc/lxccontainer.c ++++ b/src/lxc/lxccontainer.c +@@ -3200,7 +3200,7 @@ static bool container_destroy(struct lxc_container *c, + ERROR("Failed to destroy directory \"%s\" for \"%s\"", path, + c->name); + ret = snprintf(msg, BUFSIZ, "Failed to destroy directory \"%s\": %s", path, errno ? strerror(errno) : "error"); +- if (ret < 0) { ++ if (ret < 0 || ret >= BUFSIZ) { + ERROR("Sprintf failed"); + goto out; + } +@@ -5276,6 +5276,7 @@ static int set_start_extral_configs(struct lxc_container *c) + char fpath[PATH_MAX] = {0}; + parser_error jerr = NULL; + int ret = -1; ++ int nret = 0; + container_start_generate_config *start_conf = NULL; + struct lxc_conf *lconf = c->lxc_conf; + size_t i = 0; +@@ -5288,7 +5289,8 @@ static int set_start_extral_configs(struct lxc_container *c) + } + lconf = c->lxc_conf; + } +- if (snprintf(fpath, PATH_MAX, "%s/%s/%s", c->config_path, c->name, START_GENERATE_CONFIG) < 0) { ++ nret = snprintf(fpath, PATH_MAX, "%s/%s/%s", c->config_path, c->name, START_GENERATE_CONFIG); ++ if (nret < 0 || nret >= PATH_MAX) { + fprintf(stderr, "Sprintf config path failed\n"); + return -1; + } +diff --git a/src/lxc/terminal.c b/src/lxc/terminal.c +index 32c69a4..e81f57e 100644 +--- a/src/lxc/terminal.c ++++ b/src/lxc/terminal.c +@@ -242,13 +242,13 @@ static int lxc_terminal_rename_old_log_file(struct lxc_terminal *terminal) + + for (i = terminal->log_rotate - 1; i > 1; i--) { + ret = snprintf(tmp, PATH_MAX, "%s.%u", terminal->log_path, i); +- if (ret < 0) { ++ if (ret < 0 || ret >= PATH_MAX) { + return -EFBIG; + } + free(rename_fname); + rename_fname = safe_strdup(tmp); + ret = snprintf(tmp, PATH_MAX, "%s.%u", terminal->log_path, (i - 1)); +- if (ret < 0) { ++ if (ret < 0 || ret >= PATH_MAX) { + free(rename_fname); + return -EFBIG; + } +@@ -415,6 +415,7 @@ static bool get_time_buffer(struct timespec *timestamp, char *timebuffer, + int32_t nanos = 0; + time_t seconds; + size_t len = 0; ++ int ret = 0; + + if (!timebuffer || !maxsize) { + return false; +@@ -426,7 +427,8 @@ static bool get_time_buffer(struct timespec *timestamp, char *timebuffer, + + nanos = (int32_t)timestamp->tv_nsec; + len = strlen(timebuffer); +- if (snprintf(timebuffer + len, (maxsize - len), ".%09dZ", nanos) < 0) { ++ ret = snprintf(timebuffer + len, (maxsize - len), ".%09dZ", nanos); ++ if (ret < 0 || ret >= (maxsize - len)) { + return false; + } + +diff --git a/src/lxc/utils.c b/src/lxc/utils.c +index c83c7a3..31bcac7 100644 +--- a/src/lxc/utils.c ++++ b/src/lxc/utils.c +@@ -2041,7 +2041,7 @@ void lxc_write_error_message(int errfd, const char *format, ...) + va_start(argp, format); + ret = vsnprintf(errbuf, BUFSIZ, format, argp); + va_end(argp); +- if (ret < 0) ++ if (ret < 0 || ret >= BUFSIZ) + SYSERROR("Failed to call vsnprintf"); + sret = write(errfd, errbuf, strlen(errbuf)); + if (sret < 0) +-- +1.8.3.1 + diff --git a/lxc-2.0.6-fix-lxc-net.patch b/lxc-2.0.6-fix-lxc-net.patch new file mode 100644 index 0000000..684cee3 --- /dev/null +++ b/lxc-2.0.6-fix-lxc-net.patch @@ -0,0 +1,11 @@ +diff -up lxc-2.0.6/config/init/systemd/lxc-net.service.in.orig lxc-2.0.6/config/init/systemd/lxc-net.service.in +--- lxc-2.0.6/config/init/systemd/lxc-net.service.in.orig 2016-11-23 20:15:59.000000000 +0100 ++++ lxc-2.0.6/config/init/systemd/lxc-net.service.in 2016-12-04 21:55:24.149093437 +0100 +@@ -1,6 +1,7 @@ + [Unit] + Description=LXC network bridge setup + After=network-online.target ++Wants=network-online.target + Before=lxc.service + + [Service] diff --git a/lxc-2.0.7-fix-init.patch b/lxc-2.0.7-fix-init.patch new file mode 100644 index 0000000..38f771d --- /dev/null +++ b/lxc-2.0.7-fix-init.patch @@ -0,0 +1,46 @@ +diff -up lxc-2.0.7/config/init/sysvinit/lxc-containers.in.orig lxc-2.0.7/config/init/sysvinit/lxc-containers.in +--- lxc-2.0.7/config/init/sysvinit/lxc-containers.in.orig 2017-01-23 18:45:30.000000000 +0100 ++++ lxc-2.0.7/config/init/sysvinit/lxc-containers.in 2017-01-29 13:00:23.934781187 +0100 +@@ -2,7 +2,7 @@ + # + # lxc Start/Stop LXC autoboot containers + # +-# chkconfig: 345 99 01 ++# chkconfig: - 99 01 + # description: Starts/Stops all LXC containers configured for autostart. + # + ### BEGIN INIT INFO +@@ -11,8 +11,8 @@ + # Required-Stop: $syslog $remote_fs + # Should-Start: cgroupfs-mount + # Should-Stop: cgroupfs-mount +-# Default-Start: 2 3 4 5 +-# Default-Stop: 0 1 6 ++# Default-Start: ++# Default-Stop: + # Short-Description: Bring up/down LXC autostart containers + # Description: Bring up/down LXC autostart containers + ### END INIT INFO +diff -up lxc-2.0.7/config/init/sysvinit/lxc-net.in.orig lxc-2.0.7/config/init/sysvinit/lxc-net.in +--- lxc-2.0.7/config/init/sysvinit/lxc-net.in.orig 2017-01-23 18:45:30.000000000 +0100 ++++ lxc-2.0.7/config/init/sysvinit/lxc-net.in 2017-01-29 13:00:23.935781166 +0100 +@@ -2,7 +2,7 @@ + # + # lxc-net Start/Stop LXC Networking + # +-# chkconfig: 345 98 01 ++# chkconfig: - 98 01 + # description: Starts/Stops LXC Network Bridge + # + ### BEGIN INIT INFO +@@ -11,8 +11,8 @@ + # Required-Stop: $syslog $remote_fs + # Should-Start: + # Should-Stop: +-# Default-Start: 2 3 4 5 +-# Default-Stop: 0 1 6 ++# Default-Start: ++# Default-Stop: + # Short-Description: Bring up/down LXC Network Bridge + # Description: Bring up/down LXC Network Bridge + ### END INIT INFO diff --git a/lxc-3.0.3.tar.gz b/lxc-3.0.3.tar.gz new file mode 100644 index 0000000000000000000000000000000000000000..46ba17b1315fe4ca36638e8246030bb858396114 GIT binary patch literal 1263371 zcmV($K;yq3iwFS!HuqZs1MFLQbK6F;_rJoYm@s^is3%^M?d(dc1QZELj46`E!^exV zFa!)qlt6$BfU=Z0@3X(|IWPl|l5@PcYHQ6ZThqVp>FMdYdJY8lZuO|vs2$ax{bj!f z{Jwqh;#uQmv+?q<34eiXG#D;^&zeU^-@bTx1pj{v__s$#FP@PX&;E^mvLf>DzsWDi z+P^iOTnMze9$Y&;{+zO?^e{_CDyk#-cXqS#6OD6ARJ zzWn}^ero(X>ol6vu$C-7^Zb9%E*{KI2(EfBPml37e?Z5DsWa!wY0B1e-BWLZ}aXEc=ee2_WRK)|90QjRz!( z$sW`d?2k#b!i*I#`hf%vSSNGVwz@#o)FXb#)GneGRBHhWp`suBARsrCtP?t02M3@5 zWXYQ@Ea%e+Y4zWcH?7gA)t|gO0a<7m;Lc|TMezYSi;@(@uUZ5Gnr5Tg zJZdz_blftGgr=l=Zx|^}AOW?3sdo81r8U=aq400MA@Pz_<5_`WfX!(X1^&;JeEdl0 zJv4UHaNHnrp~lrN_#~Y9bDanI7u3Oyp9fL004<$cN~%@I^QucfNqq2DwaUD#adEVdF(9zf5W!} z8LiO!l!hstSnhNlu9g(}w5A zrr|7Y+fVFyxVBlRIVHc4YlC38#lxPT$!>WMGxx05RlaY3AeKUs)xwc6PiDLx`Ac zbhypqd8jdpx(+BPmw!o}curHntNw~j&(#w0eTAHyWYm6zPz>@dzW(u=T<`n@ zPE>WcNlve?^-2|rdcTUnn=`WeU&(d2OG=vZygNUV1V&CNsh7()3I6*L|0DPx6j`s& zOYgIWRIcKk1xmg3S9S(ukH!)BH7Jx7yw@y23__6W=j|#zZ9&6X+8Br92CEvN$++@Iyp9bet=R*JRW?ZVhorGWuj7Rd1Z{?;scwS!HW!INqS+tdz9#`_?50gjPs#iVQ0OfLSc!NE1tfC@v6I17Qi#{(3#pEV>g~-MG zgqrER_yOi4K=*RRoQ5Z2fIl{6RVqr!Ev2h@gj>uFJ-5F>&+2v#3%mpC4CF8GiFBoI z4qNS4tqWL=K*A5*VC_*Uq{xCCY^tRUPj2$*J#{r1LF#g7uXPb`K)kF=4o8EF zQR`}pur4)jkGjLjHlc2RJZbfM_NCS8SR*DOAvB_5K<^C`m_?S1C&CvyL+#L6(u&a^ zjILTeTVw^%V`Dh7@-(c}IY8u@_KUd+2hH)zzTS^vSZdosK9)ldKraTQS5yIN2O>p1}=JBaWM1TS!K`XSMqF zdADbc$!Q*B!F9%JUD>bgVOG~WduW@8nS6ppdV|@q&Rf&oBq!7WDHhXaNRtgSrvJj~ zYf6ABl!3?=fz5J|gC&_fs3in7v$&L$%@a)s3+H7!sixUU3nc@v$=)m%7_3-DvI53~ z>8Q=z$XZX4BMWu{^%0$5Dx>e|c}CM^`o&IZGuQwL;t(JDa*II6$|J6rO8C z{#Y4%S|JnMt+mwS9U^<1GvXd=5 z`J%u{@OJWsy3RVG=r~%N*ABQ-AygFk2{tQPva`S&02fY-mw8J(N6Y5oJ16#?8)$ye zGGhmGvl)%q0T&NLlRCe=^TFTDnI0_6u*F5giv0(jfps|D5&2S6um&CyZThf3&;pY>a%mN0+keh$pUct7V8oc4^i zpx8np)~V?kOkI4Wi8Np6J{hfGb@uY{6CWR#Q-l;Cp~o_k)Q6k(7Uxfvw%$%gEmm+v z%s_#Y`geFM$^8vQHBR5JK6v6xB4G}Xu@RDke_rqX_|N)J``48^o?IMUHxG7|7z`3F z#boOH2Rbuw1hckZ&$Mi)xLK!Cu)fcPKtu|BSYQW~$A8e4U~99awKTW$Jr7m{TO7Ak zDI!^A2sxDv~BFtFV?b1QSTBkk%TV4aRsZ&)AzdNb{_i zZ#o&^)`8I?&CzV%VJeDq@UTQ2%0M3tV5o9SqhC@aUhb*o5A`R%f3%2)p!(d661|CufvqTaw;h6Tt zXfPexAUd%|eI~M%!*YxTe~i>ns$?lZdcDbDz**o zJGV0Ph$b-sdYi5s!!&vwWcE6k%DR_G0@ghfb>k_9fK%HF6%^wP&VCpR7?TW>0H>~k?zj{$iI+RZXyZTM7MIH?1Z)a9qRz2 z*65v`<=cco_H7&b>g8bYN|vhwjGt%foNm86Q5-=rPF5yQGHf&$OwPwwgK2*vSQ^44 zCf3!k2Q}uWAwnn*=Hyh_8p0&()>&7uFqvWYRqKbrNaJuo<9ETT93KIl-!J4xfb+9? zM>oHKO3Bw&PYD1aaEP)-18gQat8b!Q5(ca_!hJ4ocBNnr6mq@6S*vI3>NJSUOvf-i zcH2229m`8~&WbXfGcF-cza?9cIi7vi8e0Vch83hNKBpA1yi~3&b6`PEZ_^xDl$h!Vd3Dku;4yo51>4n1cQ~;S{D!1I90|9tepf z!^Hg0Q-H|Q2D}vZ=jHPZdHLKl#8m}i*{y|0*k@B*4F;o$##Nw_>$k3S1&mf)oO=5g zI-es-0z#Xj3IQpZ>8PjkfmA%LKNTR9xw2J+p(xIgGqp@3s^7+No{oUTs|#)9DoW?r zY6;l@b8>S2D?ldRe4KaRG8Rh#GPxWLg|)iZ}EiLAaFZ5pFi9}AXl8`p&G;%u}>|nar?N8rol8Qzye_X;j@}bH2 z(&BLkO8|`vKBF-KG@lfu*%`$+uqt%$QfXoNXrmq(swlUqF8Y_Ex6K_tX0(owJDMui=!yj za6tm^=J0;$gbe3Nz#`crc#0#bCy^9t>D~EKhNVmcF9PgUOlST*yLV9}zbaK%r0n7} zbC9A0N4Q6(1sW;gNJ=W#Xe98`Wgv_bNz=$(%bSWq&MeAcmNd1?Yz|AxG_q@ZlcyM> zF6vE10S7MwWsw;na8Q}%coHxTXavFFDL`)FkG*0LPnt#q70XpB2bjjnSqcVE0piUh z!cu@_%_UoE`;|MF*v5eziBy^}o$)%<>!y*Wk*ML5$nnEZWA!X~1SGNZ1tEtaziXmdh_?w6=TO_C)#wyj+ws~2ah}Ax@vc8 zrd@txwIg2l0LEUo?eMdzJ>q)emR!1~f-g%Rt>Cf>6`aKshLom;@K;~jL3i1dr`-4g zup!R4`ST%mF2-Jh?QFaf+)=NJcH|-04m&s7Ri+A;aYN<7Q-xHk^Keb{m*?!uzCD`;flPleR- z#$pB6{1H>x%pOub+)z8F{P`ALX?Gt_+Wcor;8kLM!7!e5@$qBNJhFEiHXeLT$N9G# z#?Bvhw=`&@#N$Ut?jJ8J_r4@6p!i1R&y}!Ea+J521$Hq>Ti%JtTU+GT)#KSBlzh4U?XtHh0ct&afCB(-6v(E~^RO+Tt{ICmt zV55?eK1~RI3BgN)NeikAAsG!*^~J2~ff7IDUl1(WJvYAV+{H1xo84^lN170pN9(!x za59@X(TIq+3n!fOyW%@1SX1_4t@x~>8_kqvh2b|7H~1x~`nKf*u5#!X<$%fw z+H_bU5q``2!N*T_S5A^JT^>z*ytkJ1QD9gGKym8eH_qy9gMX5D7SbaLVS$ z>~VblajbeDzk^>N_yOoX-DTMxXu>COaSf&m@U@t;`TZ5F!>OH68j6?aJKPL$orU9^ zU1TM775dcc>>g`}Eq$f3S<03^)!FwU-^S|{Sit0cyMA*GQH-|4Nr@se3mh;?5)U|w z_whSoX)HmLVmFfSoyA*smZ>C)((WP!gXC{!*#ek(hdq!MAfHNwqe`-ns2G0jtT8(A3Se?TtSLw%!%vDr<_?z`5 z`RPuH7hf`rZs(Y6d0HW3w#S}kK;K^8`W{Ss-44`+Kfy5Y!NW1hzx^`sH3SC@CIF@# z%NIcTx13w;z$xUORRBgZRqqneRnQ>p=>3nRi_r-S}EJqRkk&fa;|jC?X}D*S_^kzFPvHrMcCwZ zS^cmF?-m^73|>=_)mJnqwc*n&p2JomHDCxti1V32_5K3q$J>bD^((6bYmD`4tHvUD zFV{MF)v6)WoHL{I&DGS2tQcK$Fu!^GcJm#c$$#GCpTMNE;fbkhox$|Z66RE;yrVdp zM^{otaklunX2GW#8GKg;HP{=wjzuiI=g+e;1kGcW=Edf}3ClG@O{5FX7g{XuRg3>= z|9lL8(~SooDq?|(%kko@abyhNiq%Ax(dw%Cy(gA)Y?lfw9#1LxgK66#vlz^EJ&rfu zysN(X|NYPZynVa=Zu2etd9-=)n9nE}buJ7GJC}lEvt-;mCI4gZ8Nb*7k}Ndc)fO{H ze6z0%8R=VP{S^NOty=xu{Oz~>WX(_|UB?~H=5Og`#m_9h6D_7x?~LkYa~;=1u20LJ zWs{}qu5kxfRy^+Gp#9N!3V1#HTi#wU6J#39-4r}y zNY_-H7d3~pPkP7>&{pU@(@3#zm_-c>aE{FXSl2EhfW#^(mLN@$u!N{z8j75XAsuqqH zj)C04sTX+zblzEm%(ho9#!-7)vL_XC6?iEHoCX!_rTx%W`R$%oahY2#%kgT@%k{#t zs~`~dyq9(GTD2X`%zM}EY}NK&GnHIlwpH!TwU_JIrGZ#uU-`ah>79;Xh!wj{S{)*Y6c)~w50u4s%G@U8YQUU?{OSO{W)p7XEBJT z>O-J4y%2q`V^7rK7Et(1Y(ZgqZZ=yEv~6#T7vzaS!U0;K6VK9LBGe6Ps&mTXx(^MU6aaq#u&>yzfsb3SJ`MAn_q zUkFcN(GroIE^Ed6aqj+ibYHA-H16{DMqaq3#e3KV@9uL?yBA+Y9`7sK)^rcRyMwl| zCn&FGCvU=VGiN;W?e|xa=Wbz#DaknLTkok$sa@;r(u~8t^&ZUytzGB2JJ5CA_nf`v z;)25yS)b{(wIf@&3}a>k;pau0%H9jPdj-GEZWr7ro{R|w!ULc+R+yvr1wybl31WGx ze$Y5MYa9M}m9Ec2s4Z7KvG?Xl^_xFco>X_Al<|fd;|WvHIyn7C;{;gr2`YrJ0ez*7 z*WV}Va@Y&J_$E%mp+|8By%HY7?VI=qjAspFiIXy&vF8}8uN#IvbOWz8PwGFRf&Jd< zzkK}9VE9?{KRivvf8W{K-F=Av`8odNnNB`LMgDJ%|7;mieYX9-z5C7XjuroRhxY%s zPagLF=lHX^?xhyK>Pb+2G?k)ADRvYt6&RSK%vbSxW_1;Stevu5H))VL%m>Mv)itc~ zB_?C&d*ZrH9~{yRGM>2Gs8~jGEDHILrd5B#7J*fH?Dc1(F6E`MppefpO4IGmVo<%X zI|w+p4W9IWJ8k&~wbK{qUv$_yIelCqOE~y+3qD21fBd>P9z9MnO&-<{P

cf0y=O z!MDv5zghngpf!GITYXsNi;~5CNW-{GKic=ukM^ha1Kasq9Cp#m$474hR5eY*csu~X z1ic*mVA{QO7im$il=~UFf}yslRd1gh{lLzPeyw%z`qpy=m`Fi){b{x*t7K1B+?h_R z-fEq+{Kc61U2o9uj;fc>J;~rej93Qh(aVFTzjzFP3rD>nDv6Rgo2cGAJZ^UC&CX(Q z{h&)hf98RESvxqWx7)R4z=6m)7|nwP7=F}T3<%&{OfRCIKaW@dtXHj9jl(5Y0Rf^Z z=X_{Kjb?o*Q1R@1JW1vQ0~YM$w6herB?8_VXM6aR(=P9BHp#ei_pB$>~wxUtuF)fZ|}pKZZeoNmcP`0KIj}R zaq0w<$2##&X=4D-TuljBJ^nj|-K`gd|# zZ=QC3USc;ySL4J-=hr#VP8&a*bbO2nvIM{>X*eYzOf?o%6_4e9ix z-T2Al{jHKsky{3^3)X7HS;*GDCo-#C_<^4~0Xq1)-fDD;zH%xpO_TgMOuE6S8?x)` zykSc-z~&v)ng?}`N3$3c0c#eaA)w7NI5>p~oO`ynYR!UkonjHPmhLiOPY$y4`CHrt zZWB6{gj2tpe0ZFJ***aN@nz$vQwMIp^V2dkIYCEg?2@5)d!jF3m5P)SGydj`W4| z`g2=EpiqylK6Il=p>*z`_M@!JsMBZ&+r9~K;@XPx8IpO!jGzawx92a51y zoafM>oPJidM%#bUIB7Nx%rOavqmNN8$PCZaL>Z9O%fZm|PSrUE#Xy>zw3w*Y|JnPhd@(=4T&R)HOvy47#Vn~&7-n0az1x`}eVx((e+^SjdCdgV&Lw)o(97zvt zxOsqbFyDoNQ?3#cF9DAa{2Ykr{t@2{&k+qT@m74<9!jLQ9FUh|fH1)cOV3~)oU_(Z z4vbq2O~QJmfS4fWGP+10b;r2LMhV){f&7Ny);DyVcpm&nE()f?aX7822yG;^`~Tlb zqgi`#w3tfOn(c;nP$(+`5k8PyBDu8PaGrpk$!t1`(Nllwt-C-J=jk5+CH7CvUXrAO zY#ssgS_5hJ2_|L)Au0O6_dH)leFEc?i6=1vt6zGvY*{$!MSTl2+E=*XdEUetQO&_H z)eL-=X~r%~H^YY^QUSNI_83S_6sMq*#BNEr$F(L%HEq*WVTE+NZfmbkz2&KZ9rHa$QFC@YBGDGs~KY=ue$lmsS(?Y74TcD-?L3Yt-HarKc%cYF@+lP=2 zzC3O;8$a1N=2J-@!REp-u~w4w-5QB|9R^#l6dvQWS(8M;$a^sjW^f*P-*r{d_vc(x zjm9V`<9!-X(gQ|IhE#Fg)IUR!OqjHk~dRs<{N|qWk_VFtnmq_!&s8` z5ZCcaPS4XBhznisDC)u?YPiQ8OzVtLCip(SF2C7^TEXZ&$b?=SSm6+0yo~w)|K(sjo>sgU zV-TX@i{qNNwX?mwwXywVYuh_(*PI1a+6Gb~o`*2|Fs4Y^K@Df|0IP4V8kS2mlK$(} zFPS~Di=di>mm$sd7-ZYkRb=F*zyU|Ugnr@)r7bbDUSa9OQ%_u}yuYfrw$DWWM|fM{ zs|)|`?@IrlY;WysrRe`t`13&jKgS<~p}}+#00M-lRJ9Nnq{`9QE#iyusGnczBhnPS zl6(5RS15R-+fLu_XI@Q{IWLvU)p`N7H$&w0GsA=e96L;aTMqm79J8sW3!`zSh;Ndd zGP!E8%TRMY&JI;;V=bbwrmQm8tg_L-eI~70s*1CF;gu#=O}ypvTb-JwR=T9bZpx*S zzAp)q1c*?%R1)G;hAL(6Yp;29+_Q;1+ec09?I!s34{QWjd4v(Bke?JevCXe`vmM*=cx#uJc~*lDi{dg}1 zBaR3E*?10rWA9;g(+G%2n*~A(Nf4}sv@l#FI9AD7MyJ&*_~mhs8pz;aUbppP0C0F; z@n}|cdsLLS<_?fXbJuUQecX6-qe)R|OEL}cXBLf;KLQs5Jqya^H(T$@-m_=k)`vdD zWXV?8eh1rd>qB=->iu!6u({)dY>UqOvm;q}!h`N*L#BZG#rnE6v( zCN0hdP<}anzVuP0T<-`|Pds_-F<@jNk*?!6{$K!X_6ua- zs~1&ZQlZDuIqI31^6M)FjwpfR1G2;6psXJF)WomoX@~c@7&w$J z0%Ca84~Eg;rb54giBHDe@n9bv3i)+}A$P(L`?=r3B*F=8zoV5SQ18i1v?BFjo^q?v zwCp^6x4-&vpS)#Jvy2@d-C%!HL-FEZKU1j3HyGr+1Zm>xX>R$hceTsS$~(a$AMff= zfoj@!j$^E60H!}$2f5?YAHgEhc1<0RUXVqv@H4h_k}+^IbT*a{%okpxqRt?Opth z@k(8R?OU@m>x0C&I> zB1)WTf_iEp0@0D}UCgii>()o1U(vpduq0Br{?>c${Sk>YA1r!8&HHDW_XG>dO`T2e zk1`c;n3Q-H;H-n*N9A)Awqk_gUv+k)iJZ@4+_DKgh9rQ7 z5CWpJBg0&l(?@~S3>MeqlV~0Pf=vSds4Z}*gcV+mXI`swjP7Pg(2ziXIe~Ev1Mk(r zf!B+Ii_tj7xtz@6%c6IHZDX`NS=;y#sB*Fq44`BU(1_Bd!z5VUMPcYtZxS3eY^Xf$ zoQA|_k%Hg|9@N)pk)h!VQ+fD+r41VN7tcU;KB}ooC|M8UaEZEF28XIZ0!B$RnuR#A zup_Mn&dOOh6ixhr(ictgcmn4DhyD9i%^#u`iSDo><=&whgFRV2&aDU-Gf*wyqSaZ@{SlR!hPa;>wAO<%rj;52>Ljs!6C1#npjbU zT)(NLWz7oL6BS4nI&YuU#7QzQ4VCMBbg|VM1a6UfyS*oS*Brr*9I$-4aG5@C6%Xk4 zI;W>rZFk)(=9#8=zp$S#S|_zb6yxXh)W_4zKc9|+p50-PVLnHHmm<4nL{g~m$C_;3 z{=yd6b@vTPPQh6o%Dzpk1qUBxKP{dtqJ)eP0*y~$vVTPQ-Bxfo@*$-UZd|Rs)kyz zV1Ra0H`$L+o2w1WqG=x>_G!-46I-&fv$u3nFXf^?Nxg z9(|WeS~92wfOBpsMg#apw!IQ+fx2|@Z&Y=1Smr7``R9mV&vX+N>lLq#dSl%kL#2-f zvh)pAJ_a<_6a;_7U8$trFm%~;T%~N+;jTV{e^RBQ8Rt%DJ*sNOB2fYq*MNUkN3L>E z?s}c~6Hky?Xepp)Xo|i@GSg3O}WG+Yf zsGw;W21zSu=Qjzb$xTHtmal5hXMKZ57AyyG9n~W$NsE+?@{YCAxC@n*ADVgd$L&Au z5Nj`=GOLHjyaEc zZ&5j@$|4Y);;%ZdOO`UrrxD8mLQfW43t`Ky@|&)M^e3W5b1%qN)J9P%0{7TAr%cZ1 zQKm|bUak6ljy`ZkA7nUg>IFe%6!Hho-{i@ z)*79%QnLeS8H)q_-Y;kvfgjDPOmJ;OK$<*d2=s`0`)2yi=qvbB$GVS++^_0xA%hVL z|6#awRt6X*ZsAAdY^mgjET+1+s$?f-EV}0kfyBzIaNi@@namgFf4SqWp@Ve=A*n|OH*B6ZKFnT3%P zTt)8EGEqMmU{Ysw7UaIBy@1=7?X*g#nmMd^?URGQ_^sNHu>0xf!O=Yamd+~ItL!|b7X<1Mci%j=@dTQ9^- zwa-afpiRN!MLAR1G3FYb!FfHg%>q(y$$;Vd5`$QjuqNRP%j6S2p~WOkNwgE8`V*84 z_l2m4HVXh-W|jF3BL6VSBPd=0L9vAhchl#X5%^?3Fvq~)kuMeoA~h0K(h?(68gs6u z=p#ssXU+C0Zhh;gIid3jVaBpUBYi&dIfr$2l^+>31}#w8LLZ!49Av6WF&5is^$-#L zzd8Q9^8b>Mh@Z#*_sNs3t&IQg)&*cB>`s|ht%HGb_)*rnN#v~c_rg+MnOhODf zfl?GMm;t%M>|0RgC*zD2;;8+S3is^ zY-0}$zBs=k6!P+oy5j7KhaskCjS_USmB*R;VVg1m1@iV-vdj}_{KermMUU$6LCr23D z#;Y|Cp|lCS?~Aj}Nvn-u)@p6|c#Ynnr*!?NQ@l3zPFh~$`1Gg&@Wgq#QEykgM)Tn4 z?6A>%Rq+6Z*F5PU5DMT5H9IF2YC8L+ck(jhQjJZDPc;H5a;x@me20zp!BMSoTtBQr zAD~^Y{zJXl@!GFzM@QHuZ8bgOlOLP)7LLIluJ@u2J;jJY+!l=Xu+gd?bZ}Vm3&Fq` zVIHBMM<7A~2hzYFAdtYIYOS9u0=A7B3K(1M$UCeZ*IvOGOJ;Tuj!cj>rk@m`&r9MZJ6>#ZLe2le*8cXYxt0~OEO^$O*9pymMzOdQmJ-!IPE z4RT9wG&>*^pPhCZC(Saf`HwI|(9;@xdPpP%ru(Ex!-n}fY5k0FaXx4@D&CK;>rmdp z>7`k#;l!|@WL2a7v|uc)jx}D8u3jBAUe%iib$ok*fPQSW>t$HHMjI&^oKlEXd`LWS_*=Ry{^C}(Jeo9qZWkY)65K0r^bQ97O zDBpFZHK+IMmDDpZs@CVbPZt5$eVPUVCBLUb`~&|7{GUYr{$$Vp<@mqd-KQD;@5zJz z|7ZE*F#{+IzUN&~&`b1f3^gZ^i3@{F;`X2Z^v4SR{ig~tj87Lt=@1yT88CO#n0T?j zqTAh%VKh1qrx)ILzrf@7)8IU+PA+faYIi)C4bP*X8un(-si8kAARMbhB`UaW>==T; z@naSQk2yl;&uJ=*34N|ZnZ(OSj@kFZ2w5otpaalUw^fS*vw}Qu30PW+FF2myr)3X4 zYX-=IsV}RmxifKxFf{iNhvw4)(coP3tme)4oPad+(JkW9EU}*Ghik>9k(pg4E)BuS z#HP7bU>Z9z4Th!>RzdLvKVh~7i9shS;LUZKM2VW`WBNXy!>E?NEpuqVIdMGt-BB_~ zN6vr~HojYE3*0}^I4+87QNWnE#nHISU9#9A%#?jt|KYTA{FAq~*$b~WC&}=`8uKAS zxIDVHSPzCl4Bg;+i}fHL07g_Knhu+6DNkwctGA9nCY4pCQs=iIB%vzMTZbQ{H-%RO z1TU1RKfo2e+h3In4%H|%2doJcbCLIq`d4zs0L-!9I{dL!-j^&}B~|&Ex3OJTU9s;C zq}~PYxk)1R%ev~t7!a}#d%{$mjRxcH`{n9Rl9*C$O-pJZ)}0^zF8rDXtOiLR@zA{A z;79Z1pws!;j8ZB)gG|8#bpGk5pS(72=j%{z0zHas8haRk_sSDwF>S*)%Ka*AKK2(4U z_`jX4Z!-KJyno>T{w?DFRVDu4_p|faD47A@HhhQ!_z(y1zby`+Nik@va-7ly0mSl| zqKoOojv9#Uh9S-+{2K})Vp5w4dV*tRzX1-b|_3K#i<*Q=-xfxDpkbmsdDSZoH5KE#$Gt0yLtwMO(7s+;AQto z-aK#Z?bg$+wW{}Hh#Q<&i#|ruc6}L+6upDJ1uqh&FSMU}p;WsJCX; z6Iy1ns4izLFKM=mY}WW`iUwJ1V9y2Dx?pt$x}}`erjs{Y?@&kb`0d-rXhR4E+gz}v zo_F~9DLxA?2c=I`EipHSCBdPS7q!;x-CxfBiMI{@8m=mc-Dvub+8O*tbPH z72KjH+g4AM@=AAT+v(8uHg^cfL#8`#lh4tg9k)L_+#e2{lAWTrqdWEq3QRjcitjIm zXN*D64!yT;@xhA2h;|+!CXE8hGa#f2x(dBJ=$KrN871cdNOa8p4zjt{p2Y- zjE_WDTA1Drb5IR|q$Xa%33qU# zvMh!vjcUhLsK-f<#J?Jk^06nOdvHfjLpbIT5|IFM<;1{0bk2@2X%?O;^^=$QOzK9j zga%9faNOVQa{)SIUxwZHWhYQ3(@~JPRK8Xa%P`-Yw~i^9f}xhoRK?-M63zNbSq;BI zIQ9O@euD)xnz$9qxS#; z*LxNy*>AsjcF~u-FS-+6BsfM(kMO~OO29B|9;$Kq)VmH+HHC(@+s?dcfAYinX& zjBv_od|y9P<8r|-*LE+O{&N}@x2=Cd%fOSzw{4lvdG^=F7T_=#^>yoC_3*znbRALkX($yh(;lB|r&HvJLuLamBAX8-#kLZ^)5ji(>3Hyo z=9WGlVNIZRILB4*_~fuo2Q~}zf9vD*++#kpWEJ$P*y%=4^mY@FfOO2B7nqKY14|?A z#$puE0p0PSB`ImGyM|){nUlK8>E#D(NXo+JDuwIWJkiQkCXQ<%eTZ>XULGp1s_H5S zIT5`jHYkAt5)7kRqK@hF5zZhiK-7?*=t@d5Pf2}>DFm!Aol>vjnZG4MglXtK~ zyCH1OCpM!(Qw!$~&76Fqm-qm0@lci_{GdxxWi@MMcc;S*X#z$PDA+0}U(H4*ZSQII z0}bq&mlp9-fye2RvyDDmS?TjNq7-1S9XN4tLjh)j!8QJp5p5G7^`M5*4g)wbz2j!b zB7WEdkeXOIfd;}|%%A6-oOY^g0?r(nokLYb@OXC40-9mJNUk2Ca1U}Ca*f=r#+G-~^w%*$}R~^0;i+?9${7cf>jF-NI)%WdOvcM%1wt>9w#j$jDR-&-Mkr zEnBo4et!Km7P@4N3EP9$&x8IyC;wlNd>;GH9bo6v`v0A8AM8K>J?{S>^8Y>D`~NrI z`!BGVjIz3QrAXJBd=-=yvjtk}b)9^5P3O?ElLZEeNHjf{@rm^{KPNX(X)TyZ7$Mt( z-pR_(et@inm9POSey!M}*yeFnIc02s-vej|;CLI}p!~o){AZs39J(O$@?QgQ@ z|2Gf*zyBQn-!A$8?&6(M3qASN?fe{PUm~6A=q7b;4^FND9Dj72G9<6jZlB0e4JB~c z(RCl*b0Cc7?(Wvs_QuxJjf0Kdt?fT~rL}hbGjZ(;>I! zi26^`zM`0f7oMeqKmDmJt|`=lj77DAT0J!!&XtBq`A~tVTIV2V$#6pP_qZ`VA*%kq zu1@|h!%21&nUSbM-6Omeb&IK2&r~b??j!vz>Tul=)f<7UUXd(i(q=>Pt;^?w#4Wozl+%v7eKaq5N=2(9ChV{7Zg zFhtaF)2>bhN)_q4(Xc*f+<+fQKJl{mXZqLM@V31@6%AJ9TBUAK(<&7M7P-f^eKjaS z=^swW|K|I@&l3M{dw2Iq=KSA&xc_@N{~yl(hx7km-0zpJ?`lr`HdB@n5%gzscPHK+yyJf4Kj7xc_;$|9QCodAR?1xc|usID#&Vsc0ioG?(!Z zmg3e|FAqUi|7+xb761RU=>Naj-ugBx|3Ae4_~-C{5ApvW;{QLy|9^=8{}BKG_l^I5 zySTi-#Rb!g#a8Bd;dVK7fHD=L$Zq~1+ige{{P0)c4E4d{P(&(l!vOhJVMS!HqWx!ydYO2T3Mg|?r!^BMp!mCC>?{huweoms_RB3q5Qf}uj<&32yxzq`4~A!yjVNo6e% z_!2-O9%H0h>;vj6@s!ia4XW8x3El*Q^|22)&v0(q18;rwWT%oY8$a2xv$&~dyb*Sm z^NPZHI)NJCRTb;`-5EJULxqj!rr?>I+o7zI_5C?LRqDl_=RnxEn-~Tk+$N~tlbQes zaxIx2^O(oX6FD2;wW&!e!KuP&s?9XJlk;bGl#;6pchzAl8%?g?x&B&x`w`? zm2P~20gf@$$~e6gV|VHSsIxZD((|EbN~S6^QP2Y$#J z9Byt63{El)(b|6!hcgU|2x}<`4mhL1B#0!iOS5)dClvxlXd&36V1NeRm}!AfEk=v@ z@sy(1z|??%cYI1;{Mcyn4`CNB;rBqo%$|>vON0UpI%z&YIBLU}RK30nbjl51+y@sc6>@tEZEH_`an7$f=}rfcU=31M#1z{a%>=q5FHE|2t2% zwleqs-#*=WIRF1G?7trJKRnoh{TJJTWdkro^w9^TQ(t47mDR)F$>?tHVWUp3nYhdYdXc zU;IqW!&bWVtZ|4@s!idmmQ>wIm%f6kPwYZePP}S)+uvA9z54&E4s6+lou5zZRy$Dg zm-^2~b-SBT=3~hd1MT$3EU?obU!I&b?M|Qmi2Zeeo&I=QYqx(qWPqj=hx^oe#xZ?k zKi3aV+W66~Re0EFVbQl%QTuiM=m-n{XcbcT|75!Vs+H~jt5&-EuUgseziQ=mpAvvr z-G9|Ot{)#XJJtwZwS4ZqF5yMWc7)5*o#E0ZwBNS6!=>rfdD-}>^r4KY&^Df5O#Lsv zL?xH?u)!f^zorCRt13wM3|P4f489j6IU!iIXX01bmnf9Gv) zo$Y&He~q84tl<0YEua)1pqY}chAtJt=YEh#nAA2hr@l`N6^4ZjB)VU}IAhB?4#5~= zsH80tt!{mN7!J+b5kF;9xsaY%`HJXRcNo|XzKHj=$4R8Ls8<}*69o<(oaVIix>c_o z`t5q>pw>L7AGJHRPMtsK#;Exe3gUxwz%d_j*kMV1$Y1$~jW%9sRlG-Cj4h+o@;u@D z`&Jx13|FHpQ_MV6yneY13$Z29hpDq1mbuhNg)GrjZ;wNnt{@LlqG=>YmlgV{0-dg0 zOwCWsKL?$WV5cis@6Fb`Hv{ycc_$OHvVwtL(C`RSVdQ1_qw=7r~i}f0#49A}i3;1@7e~GC6DApkX0Z%c~Hb9vR1Cc{@ zL&bsps8))w4c>n7#d-`o1pbFF%ccPdR)`J2Zo$g9sc13aH+E&60d(2DnS(T|0Ie0q zX7O|8Nucj&&1uPLnXzlB6?PWbtgp4a9~mGaKLdncxYQVE*^@27ql~2h1WO?WW}rDE z)zeq;1mxFWNAJ`exl+&rnE;7!E+t5OzXme<70}y#qP&~W_@@q^{lOx;6Q`@TERUq{ zay*6S*~sq)!)S1$C?b|jg5>he&Nl4rj})mCBa7Ew`e)6?PZe)%^D3BbPG_UdQQYkb z7qy0Q$E78v=f01x{eR5D=}k!umBKgM2L12D8&X%$TT0EfO4lsLr%$vQ$Tix2fr?7^ z5trozkvX#(!=S@&gr}kS=oWKUq2B0g9TgIcdgQWqW!!-u_w|+AFuu5iNr8V5WEKAP zqcQA8hEm%uj3c_BJ=kiBx9y{=>+Vs@E_&dUHZu_H53;a>dvAg5W zN0|r0RX^tBn?e-;lW^L2S^y`eH+vM$7j^?DC*9J%k2p`X>#PYv0DU6Cw8W)Tg#qo8 zgTMHkXTbZ7pCn8%Z!6kD@FgBktC=YKOv@=8MUV2N_A%J^bWKH%zA43vm2 zUn}ym?!5D!rx(h6(N|3YwvEDWLanH!!2uCoua_U;zj|Tt!9G_v*S!XbZFJ*3dJJN= z2bfRcr4haHqC1WxP)OjdVZ;v#*t>=rv~_h8s|=2i%A<)9nTJha8$=iy8fh%P0igU9 z$0=5+8A>2}@fgBhS=NFQ!Ej<3lz8bYrdDJm1>*D|?4$gz!jF*Tjb;Kt9I_r!av3m* zd*;<^2M6^w2IVkC2Pe&DtNxPAiJceClX|lwoQEQk1_Af2(7b)cNbt#n{E4-cF@|`K zFKBHZ!4Hr^+pqlQNxSi?Svx8#1hT&s{OKcEFR9oY6>pmvB4^D!#cy+VjA0a0NM@k) zymY8|K*KMdT$)mz$svfuz}~zM2RATbWTqDzt2#V00{8@@xhRmmDv04AoC^RY=JLWr z+hfcHgi3>|SAzauqpXi3xbd*sB!uz*9TrZOKZphxMy5=UYNa%DS2lc_Os8-LL?U@n zB+_-Cxjj0><>-!JQd3mO+f0=JCEyP^t_mFV40T1lr=$BE+w-67luRjq^^rJCp*-7$ ztt1MR&VZrNr`|Z(&kpRP!4+$G>G2>b)MHTnxB8v!vejK_Vv}goj};z@K4H zz;Jsi^1B4-K`Q-)L#BCz7H?tq96b=F#M+}+GmD4~-vkz^~*t|rlO?9AqR)iuJ z-@Mz)ZgR+{q_fW{oC%jmA`qQlbbPIC0>*86#^I;~A_JPKuLgme3% zMAaP87|7d&oqn7+>WatngcF0o)G1)QB{7m12E|{XtTdcRg6$I3(sCMn`P*+Q4Eq=A z6RQ#lP0w(B%W50hSuh;@QL+in4?@9#z&zoh!9V%LaGpDdjaFGF08tDZOaS%e&yE&s z&(ePFTOUM}r^96@?f0}OxM^5#qBG>AVn%FPB^OgP81}6f1R16Q;cRbPFc7T_f2GtB zb_ybzXr4UinT#z>0V$DvMBEZi5dM7boi&;r7y>b$LVK^YknUiR&|8L2k_h*eHfUMr z?CBF~Su8oR;>2vKS<*RzOu-`}y84Le+u8<=&u(`<>ikRA?30G;o&B|?Zs-oeU^JWf z{ld>hH}?+b$1d0UIR~_Jl;i_1iB)4cuaW0!Tc}E!^4Iy`37^u3o>h|-knijxPYaibaXv+b6I5f)>5(eei*5>tmqI0myTKIZX{mu^;~9o@!HPY zMI|PhQkf)3K6o_On8Jl7nI)rC)6 zJXUDw#S=wheovfP&sLGPE#;Y-KthqPZ%1pCz`$ASG*G4d({h2Nz%#9WZSBr|d@UM6 zVGf``vdOtBK!hV>RBs}qX{L`OY^ZSDF4ZrZar?+ks~LH6T`e}p&dlng?OM4rn^8Pl zb%1}d-`h$}y}DL&lr=}QY3{4s)gvwaZO=l*{5kBRHOzcg5y$q0o(_vmT&7)1-@3Y@ zU+=A^B-a$DjKA(#@p~I(FYi7hHw zs?*OZHrZkg$TWJoShjh@ms*eLWO_vO_>qxsM37RFg%d2cq%TK6Ty|+QW;femd^AFv zLd{mK`KoT+fN1H7h~+b{w7m=asDvyO&?Y#k=rsSz+uqG=-4e&BEeows0E#C97Nc%wH&MV%K{syX7MXT+MFUU6=J1}T+1=*&*cj)gY^!F}) zvdBL~oEb2cCaR4m!8EaL2oJm?HpZ{6a@|z%9sEE(%?;#Jy+H2C38Y{uZf%D8>3$&h z;s$aTFOd6i0=Xw2kl)z_E1iG))(wb9A~4lcaJPaxp3`v|GXnrh&oOH^GMr(nEW0(%bz-_5G>)MJ1CLc4F~N zedQ$rzk&0y7&V-)FO;h}=VPmPcsfxGwB|CEIoVq#b@IG+>dnL4cAQkenQ1A8_qx^w zcqgZ6cruZxWV+rhvgul_K7@bz@8JJNVKR#SsE-CB@h9_ui~N6|e3SP7dHQts!T;y8 z{ISm#zgh1z+kWF^?eMVGPMtBCmr7pt{qAHii}8O&Y}O9eyk9L^r30IU0f?pPa3CC? zBK5=8O#**1%u;1@B;vhe3=t@3RrI$CUFR zTXE)}Psc$|Am!KSf$YNXKgyJufrZFT;>cnO5Vq{tP~Q^^M}&v4%Heu;(D7TH=8=EY zXri@Xt<&CpYND1TqXD5ef4}?Gz{1mY5Qjxo-HNoKke$*y6Oqx(gc@blnV(c`nH8t5 zlxaSV6n%{CC{@W+l=8QMVb^e$_$6>^^FPA1o?r-~_{olX*VA^NxQV@WDvo-7fZVmE zqO(cP#}s!$@r`om6|UmLalhdFho{Zo=V<&E&iI1!pN>m?{(t)|oc~+jZo~Qi&BOWs zPgs8>K=%~*b2C-3MDgJN!+XwyM=ZyaX>%Qj^v*jI(M;QAuoGQ(S_{E~4(x zFOK19I;o<5?_1LH{V^xT%V98rBi1_#f9VFJvG-k%o~r|S4ieJYRr}NDw)gF)gm(F~ z$S$86*ySEndinG4@8?#o!n)j6pLc8T^2Lk!X;EE1O{3>JnWtlTTTbIyM{;zLW!7e{ z?>NgyBl4Nd6`z2h=e_(L+{tavaV=zZ$D@99fzp*Fcn#cVI&)C|viL~dZJ+FpZT6T0 z$&fyae%M!@&PR`=!p8H_;IiU1DM0#P{1)tqI^BHcH^@dAw{4NXa+>5ezMM>hi(%ls zIyiuh99)b5Jzx(^X7OdwI}qn!SMVwXH6VQc#Cda>+&OS z6bLLeZJLAUkIRqbb9~LtVRPmZonG$VyG-{8+hft?%&6zyStH`(1S)7S7HGfb_Q z{}w=B=Oc^VtUDa#qL&>NH)TduT$S5RkG}{H$CI>vKD`va@z=GJ76S9IVrODr6=UD# z5jr*<)tj$6uS@(;J8HaYDu-XU73^ObZCLQFF_I{y`%<>MA~qyQPF;_?kFE@>20)e` zMTqA8N{mKHJ@0$}H8v4h{vT)JmvDNIBEaJK|GO#vf9L6whx~sJ{Qm?0|G@u0@c;e0 zM2r6v)_xL9gW*z<-18ZJGDdV6{O))-giRW!OS7T@`DVC9gK?@3kSn)fI37hw`ZF@k zOc&vZ{aJ#jhVlkL@&UZhvtN?4uYv@zyziJo_r^ZI^v=D=@*v z_C9lH=1Zus@f?FPnCFVOrq~YZ&sv51UGaE2)fB3DB>+wbEf6T-hscIVM#S}2>!ej$ zdkK_UEMUwKbeXu)tD}+285lal zE-^Cdzz}Vzr&poiWEak%Q4*J&S*sXCHDAh>CxMXP$w#`bJL`6A4W5#C5QdWy#Txpk z%&`$NPi|@XO?``jylmC$e{D2hm1QRujzU#*1|dU8ks=@+IUB_q&}?+;A?3H!4+e2= zQxErO|2gtskR(C(@;+~X=E{HD+fR4DP3M2x+4<%{{(F%B9^}6V`R_sgyS@CE2`9`K zL3zo+CfB_sLIR_CS#ZBX<`AYeSz7j-OuNZoxl5?IIm)hsC{;Z-T|%B*`yC#R@PAhk z$duR{^nuZeKDYv>9Hy?+8%)x2@U0}~#WFON4Z=lIbUfUI|1+ZX046n47>6+MVXBYA zpgSF>i=q*1f>cH17~@IMO?7D+0ISYRl^Um%`qxv8CN)jHRcR>PQX|zH!@Qr{{%O6{ zK55pFf}u&Pi&g-741glcb@W_YlBKi)yog#UunFfHZ&r98V8A;j=P?r${e;IvJex3S zl|uyR^OOt8RxQZ{0sP`a;p>sS0+haN?pPF4kU#-03`uHJX6{XE*QPR{$UPD zGJ`y8`w}KV-4wyhVF0!G7ssz#Jiqx8XJvl(>F;Mc#NsCAQVn{*8BBt6@nvJHO_5ti z6QDs!za$;3csV`9NT2wA^Q+z_&fyFt>IugbvLtp2>I6TZKg$E6!}pCxzK-Ch=Sj!V z(*3|VkV<``tFh<|s4JrX0Ud*Apo$-}s4oyq*Z|WYhmhkLk~q8DS|dSISJrLPQ(<%T zF)A2_A)L`SYwVcK*W9MJ`{|gMqC^2y!2zSlxNpLKso2ii4_;$~8Wha{Wzn-WFfq`B zQC~truN?%F7o*;u_tjwV0cPV7j$`AwUjG{(Er=bR1OTj`yhNvZ(NL&xKdPfBMek?h zez`v4d81dc&kzp7%uM9e!Ok1+9P6TUWlXx9@sJi(MUGo)aW|d=>GlV~d596S@i%@2 ztPq#s#x5!BrRr#3I|4Q}LKc!Yp2SAg?=ddrhQSrsGU(AywzO@E&9!eXTk#`!R6X01 zc_M_`&tA!DMJjD`x|ub58>iH#_Dl2keK+}_$x^hhRCQLADAQLfIuwOPO+LsFF&2OX z+H|8}^U69EX$9O*0Wa$>YKJeC(ntp8j%YGVQPt&!MKegv>9xfkxFr_d(*x5i2@ja` zQK|?#ldh$QrHc&ZMFh)T8tmo1=_IR|HrI(=k4Aosk)rfD?`?Pomtpt4cYPUB{^;a- z>CcHBz9ql`yAw-y|j9(rJ4D^ksL z5`(p1FRR`$#*yugryPco^sM8N`-P;rray>x4yYJKMi5x8ac6jZkbDO{+#JQ5BGO2d z*6c(eg~*)@$(w~4yuE%;1QY~iYUGaG!-$(n)EB;kW~y4)KCj=r<~Qn%<`0-(dSe?| z9Ow;a;vILpGnla+=R&dWN;2qR*otjBRQdN#>gFWYo0~9h8#f!&r-vPR;M0H<+Z2!x zgu|Y%0#GR@5a^L!n z35sHh(62v{p<)agny&N(%c3uL)R#L8zJw`UV)yIFuO;qIHBNy2r4X9jiYlNupjM@b zXVO%Hg0js%=o!sSXkO1i2sEz{cBEHVYo1`N+Spr5f7Ccc|sBdxDRv7mEp18umqQH4|N)!YP`jXcqW(LwKjWtF*)Vi?dgywHh_S z&E+*RAFvgqcx%p@O+(U?pp;B&L=l)=(M)0GY!m|-4NC_{C(XLwtpC_-=iZm*O_zM@ zQDbH(Yq|HM2(cF?VHdiEU-kUyc%1a(QrWCN0ix?+l&fGe_~&ukr`(R-Z}_u?5%lQ_ zdCp1>gZH7g=}jrQZNLREfwCn7RNK7Ep!wkH4X;X!A;B~!~oc~^8___+bGd@H%L58awK`FH{_F+|ahI<~}mAkgfzaID1a^))FL zTpTG_H|{K|t@^RMZc7p@y>hyTY09%K$>>eT6QC8*ReTF+s*Apug8)uW_(g`i@>@6! z)LHtftW;LHvbquu8o&3xduAYDLFP0_$>$y%;oCJ62?+vg8d%vSy?r)|-o3G~8{ zxalv;l0d?;fy&0TCZKj0Yng*9&VdH&VU1Sjo1g}-)EAjPvyuXqsW+QIHU1>OlL%6Q zQTn;adoHZnib|xG`D|l@`m#Ewj%wH4F)OlZRH$r@!0L<PWW=Gcd5~6eq20#b3^J%$e!+i422703*Yms=x0+9dDxWL=ulp)bQsFo=2J?Fw{%W z+U09Sq-9R`tN>4q zdso3U3eE?Lr&E}bk8&p2%Ie%%r}xPHF}H_p2Kt%?v1s3mFT=qgrt~D?hp;=Ccraq> z;W_dpBS~tbF3F>$LRaZ3D-yy3!Z(|qQ&uFM>+C=!uZ{WpvHphc=rP}o7cfss1+u{v zwxhlP)2|S*V+fK)3B^&&wloQV?9T=;rVAcUFNE>9I)yLvMp4m;?M3CbkX@O@(@oUv z4>n^M#-8=8AI%H;!H@9QnqK(Kvfp~qKiaJDWX7G;I>~2n$gCByzPD>AhY4(mtN= z6jYs#FMcrOUmaAc9e^|7z_;o|;4gAdD`!g!#fn%AY1uVe38vSi(m=BNkq z(gjME#DJ1?)Ei?Epx&4)eMr|FSNSb&*%fQ8Ot-A{Sz=`-_rDo4Y^t^oRcs{?ugNtL z($b9dNi$0;f!9dPENWeoXlp0YB#hteyfatGP(X3g&GoXmGhF_{xI#IBkS02p!mxIu zPz=Av)AvB7`$$JcNlsLFIva6*D=1-G<}WRcuk(!An&Vx0Xav`jMBAUDkrW#TuK5C{=$jc1INX=@z0n;!%M{g%`0 zqjke(^>S5hvFiZl-kRb#>A?&;5;yFT9X*_i*X|sioOOIeqvlD`fYY0T?a=E#HQ>Wq zOpoggh zJP=Q#0g*?dZFuuV$5}XtkX6Mqjg2>hBp@!CzTz`a3~?!ib2nOC&v(U7D5OZHH;Y=@ug=BGe?<{h0hU-`$4rpextdc_HIGehD@i-Qp=?TAG) z15_DQHI_2FQ)bApX^HR20UE!LCK6t7Pf{<0-7y^cy$FVQfp|f4DQonYc&W!JY!x-p zQ(KH*dbZOmX?4-gmQ}FS91ekaDq$Ujy%KJfKhyYbO`gsi3v_|48+4e(eiAZsRJ{XI z7IoA$-zqfNVmfPX%g_**1To-#N?9{Mkr*reBM{&{wrsXFtz`$ne3LY-F5dQmamYFH9)U+*T0UK`4CuNbLWdY0;!#jn_b!HPRztH8MZlAe* zYwJv&{yUjvI$z(}oDn&x@pOo88$cQ`Gh4+A`~9$+z?oX%dwr7BkOoz}evD`Lctp9G zr=pt*&QZIB-{NGOb2QIX@+=}dNo2bo(PAxU7U?XaW%i!1{-V7xXx3b&69miiLECuyMUH zJvtTCbx2-6^_KN0;j9WtdvbWPM;X@H?*)Y5F{Z(Y#fm({uAw^+ISa4?a~89R8e^Ux zEG?Clpbr#yD8i?qF)U_>3Eef3LBD;+WE5KK-AcY``nvqgvkpJENeJm$6@e_tR~yeQ zdzwd{ZK*(~HXhnmWoexP8bfvKKIy1^T($^q*H)Fuz*r{Cd0_~fqQ%zPAveBPp+}}| zXkiv6iL>}$bjf?&XU7XaO2T0Yri+3SC@%@XI>b5DwXUJ9k_>I}m;8mL0nql-NH=id zh|N`dNigUo+gOX?UrY-TM?})@{^>=)}k=&FSc3E*)(-!)vt*`aEgp;{1P` z^;WLhgqL>Af-ewS!NS%O06HNJ2yb{2Wr#ySu}NHfEIktTQ}U2e2c&cMM#yDoa?B27 z0@dc=>sv=_uGDcjf4l%K`Kp)qnKSVz(lZ+S=$@akPPi@Q$7T_zjps*E9PSS zY=k5>^F`6DQLkj8rC)IF1a#!P9fV;lw@otb($L`ZCAR3YeWojtx!qm7LsBz}9aOtR zeoNcuDdRGb&EI#TAjaQ!xOtXZQL^KDMu*Xe+ElK2&Uc3wM+~W*3IWc zIZ+!BAkk*_@q1R&Gf}YJD9oT~F9_DN$>Sur8H|ITr))4MU7!6Og=1Gz*|y`dbTQ`G5(-UhKobP@Y(V>qOQJq^D(hPF3IB)@r{Tb(DL(Fz!wx zf~VXwj_${hEh{a% zLDsj7dX_f{L74=KQN&BHiZ@2h%ykqi%UETp2@gPFfy__C{s4qg%@R$b9^Zl)7o8Pz zmM%NTluUVvNp97TPtKYhk=%c7J4XET?4on;dor$=%3M#ZI$^@!vR2{k8cp6?vgCZb zwkB$SSkUGe<^Wh}klDSU*Nb@FWS5b&NJrrumt*SI5@Sc}M(azV8hBpO32M$itr*up zt(SW6sgGd(4AwfpR#rFxN!}-UEm*eu_Mx2m_;w3|tOjA50U&GOq|{wv7STQwjYTz#z*^)*-%2cR6G78HKUJo0JI>U4mE_@1=MWcJX$kWOe*6_4+BANGe--G9ad{ z2VKIzCwxhY^n-1c0@%14<4M`QVxD78>Kcr$n8h_#qS;r)D~U=V|#&|@j`m8<091u_+&A5Xei2mlqg>(N?@Cm01? z3CirEFpDwb%xpM8iwYtp=VfIhPZfa`9bLc~Fq;~EAF1znz{4;Y#o4#?Ex~~mH-1Uv zG)!paR95GWZQ{^{K_R7^#oV3CsCy}`iK?CtAp8RD|A|EgN$fI+9o)uK1-j=R1|Ek~ zKq(dW91}lUVP{lo3hNnkPqgXI!@jB@nC?0 zu41fnzFmSeXM2{EL8m>txw+`TkhF$e z`R2F|M8J3*=bl%h2l;hYx%i00T9E{eWO5mhGcu8-Y&METE8(}yduw3(X(YbL!hdDp zU%2ou((o@F_!kC#=`Mz>nwR$$*sI!VAEVn}hJS0G;2s45pz(vt{cBGk?G0VSNa@hEfnSK+0!4^O5&OYAlLmp%U_uy})zjQy)#Z zyg!rf)!Q>FW<_%|Q9_VI43d&Mm~zD0it4##V`t8S+s)fov324=y|-&$p{&J+3)1RR zIkyk?+J9D@R$G06f_%1fDtA;6@w4k~k61m@S2la99FD2j~Je z5`GAVlYyg&$>GMHF*}xh1E+~&aJp)lhwfw{xt68n{T%)e##+>*yy7-3lilJ*`HQTH zZ?;*O%c5rG6*p_y&=xn#UsSxb%`Gi6%|4^mphs&mXX3L>@?Os4YK!M`87N$L?%XT` zhU;qiTd|dNkM{CV*#>)f=&)FzO{Ad%+EN<5q|j)A5SsDZ!Fh$QWZyZ#%?_RY4=my84xlW#ViN$}yp9x>u~a66?3@YD?HX@JAYX zi@gLdqdpwU$qlWE3H_Qo=j^zw9>1ryU_~=VQNm? zIfL$TN;JEQHU5Rm?yEqryhwA`SZR$@$Pi9|x%7!*ci-y&kuB+vS80JxS~rGh1hO!5I{v$a++H{mTg*;f7L7uMdar8wN3yl$O|n zXksk|8_)SO*BNbJ%OvS~*yqf*MjE+opXr3Sb(iU@#XY8KZio5HyZ3hz-eHFEqs6_& zT5f0QySw)ln2cL@6(b>w&)VG1ay_@Z@~zWhm!d3Z%u`uar^y1tl!}+NOUeB>YaXK_ z6Rrmm*-I%)Qen_I?aeISPut~)Yb$rWdkrkYI`RncD`kJ=UcYjyrqM`gV(1rp&n|7Z zlef6)hx^(b)}}nyc0~RA%=>lgqan*d7w1O8WNpUbpuagn6R)5AlfPILG98rZ5W^?Z zos-<6shkNaoT5?M|G7B+*caLwaAn1qlsuXnIh&X|nb(x%mntshrkm0q6%%{BTq1ot zR4eGU(XkXq-&QSI0h(pu6wQK9DqiV)kj3QNoL9;nb@GKb*kr)SP zx?!dp=VQ&th-(%+o;!EKKtNVe@z~+xx@R)M-2sJjyexAAnW`(yY%EgyLiylT>*VaT ztfMR~<-&4&@ptYhy|$UTxn0Tiea~q}#Rgug@-rR#STI_m*EV>RNN$|qwVaK>iIKY?KyK0G zJ@fugAr@twkvR@X-&SGLQo3Q*iu`#EPsd162U(bYL2C=^ossn!lpP>@Do^&Pf%c|^?y%^mm3()q-!C&;90~*pzdvf#VT=;2RiKeiND7PzTPoSJ!a&4;a2{9bd*C^)_ zoZvdR!5{R{I6ggTb!yGd9?~~T@dhJ_(12W}2#CEQx|cEJkZtgS5jTgYHNm0KARKlm zrWQ=@IB54V#q@}#VVC@a@M5^aQQdh``j+(~#Q@RKe*t1>(iLc9MtiW*p&Pz>E0y8f zRgSAS^-xbrjt?4yHZMe{X!4bw$$g#lh3+*rQNM`j1j^$hY+8C-d6-ZewG^^Dq@IQe#X) zXjRPqQQ)ZY%KW+%M-gX0Rijq6yp1LPJg0unhoAT7O>eB`C;EkG!MoJRzgwnx>Fc(9 z`v&#Oh|OfqR`IIU>N{spJGUGZ2kd-r=Y@M0J~TS6K$9J-63SZ@(0F#}!-! zl<(_hqb&MkSHAr+dlYj@f=xN5_zV$`hSKRv|LEiZW2e(e(C)PAwPWu$=Ukw$;g&XW zLDY96#l~z)KMnsei||U;*|~Ho@m7J|FFCyKfqO8AptITI*}3*L!c;R%C&fCS|7?>3 z6VR&1i6nn0tAl|l70|+PK;gqiT{;tO%NTco)TxQL-P(mIurf1n@T%U3tq#p6VAl&N9JG?cV^ zR>g#hQgSidJtcTutc}wb1qRHuf#7B15d3Dn?hiGj7e>^ZqDqlZREZQLO7CRsqeaGO zHW8&PYr9tpZVCBst%o*-IcPf&_VO5XVzY&pwiNXeATWQlcGjzmZ_sTx=9K+(?mgEd z=YCtF0f;1{unOA6%^k)dSXFbhG0STiIC?bCE<^Xn6PP9Qn>7R0yJxB*F~d5of%wwv zdJ@ScW9*o&r+Qm5MX8MPEQ=Mwlkdn_!D^oRB*rPn9eAVMkt946{V;P^7 z?@^1SZ4yq{*JKb4kx4VLmUTQ|jNNckdc;PgST`=G!!IL(t4K8QO^hDqc70o%PP=~O zo8jorft(C1G0@2+`^VMtI;bG|T*dw1_C36lcv&o8rVI}BwgHjTT%0fLn}s9|#hTeh zOztJUn(3p^W~3D=VF+N-PmjIe5>qDg-1Ft2%4%T7Ls_Q%5!$d$9a@ADBOmcsI%Fn4 zmeaACQg5}Dmb&cc&f7-D9kf@>-3cgIppx0}sKOtZfT+xcXU;$t*z$ln@j!KulA=Xo2V69|JX>(J|MTsbDWeeK$s z=g|wT6LEzfvbu#HnurbLp_w5@(tO4{GtWIUC*wta0DKrgo_D75qtPQSoJF1TBIgV3 zSu;xJdvYq&cP81^yBj;z>?tSF=zrI}>5A7*bE~NtP>GP(U&J{m-J0c3Sin59UH1;9 z$a2@MMT5AVyl$|-sC1SQr;8>sy9dPP?~YeZ3$0q+8CYPTxol;$kj%UB`4QINge0)8 z2RJ4gNMa&J=EmvEVS%^jv;DCuV*G8=Cb2x9-wUH7{Zgn^ih&iNS5ws&|r@`tWi;16WE%g4huIuwQ=psdyy*lx%+oio;QQ-u-*Lhyw?bpxLEn)AQ-eNrUVTYD3y#| ztBzl-yROD_wrWgIO%O8;!5Dm6_POe9UJN;XQ%z-7WyivqlGM4O_?&viT-S}wmp0lV ziwwyYd|GQ^3i72j$OG~OPEFwF-3+RuMq>UH4r;>Me;)*EOihZCHQE6l*V=!vy;qER zLp4cm$j&(2cs?HV@FOed>#`}b(8wiG_qzx~CBw@fx0UcvY_Kyy03TTnU71akrDuR4 zB9zRZ>02^)w^Mqf&uNG$hNmE~tD}|gZFEE<^Ak2VUe=5Gq$SfYp=zTu*VZ;EB~$ja zr8g={Orx)F{qY>S3??AbDkpAw1OI_Ugwd&hM@VKP=$ssCEZ|sNgSJ&*1)@8;jQRtn zL?tB5L{K8JiI@`jr^G3%ylXNb2_rgadozx-gaDkaj+RMwpXehCGU;QYL?t1Vxbx}G zQJ>IiAsTss_se*A9$9H!J~NMk`U2!eigkRJDoWxTzy_q41#BUtp%frsDUWp>(NI=v8SdMy=?x^<+$=u%A-M548n|jTTQ|()~nplwLkwemO=~LY9 zw&k9vLgwboB4?z-Ib8SbIn;S6jHe4HEb}JUEdIEq>r`w-if5M|RBdn@y6Ak?HyJW8 z?*shWcYGL)s@V9`z<|&anh}V_OKa_PfT@|XsTII@Q*#re1X%Lh2mY&i=k!Ov<+mGu zty6XzSx;S?46`u+jsARlYv-u|#3bgN+gM&(pWCb%rTW7OoR&Du6U_~J`}Zqq#Hw^+ z1#RbNH=LPC>6>Qf`q4;b+v%AEM!?&_KT2zs=NFKw>TP&m%>Z>~`W{c`yq73<=Rn{L z0aq#O$#(`F41y#=0yx6^fT7B{z&xJVpIwe)ri#Wo9mX~cF%PVq1>JEkH0EH&s0=@S z%u>z8AUf|-#00cw;}EV^P(4kMEN7GJkfMYLmwq9pDom*Qlu-nk!}A*tU|eI|aG=O< zR4O#aYnYaI_Q68Y=AovB#4+cc2(Pk`FqsDZU6IO723a=Dzw-gXsZOrd29it~x(c?y z`FO2Dwt`T0y4`P0Vo@TUmptaWy5td(6sPcw-t*1YVilt#EQ(_Y$t z_|!k>Yx1PJReiDmvgVF!~oBY{aU*%ZSdzj#9_Q5;Q zWDQ8vG??DNd#r+KGdR26|NFn*&erzR4fyLD?;seBQN=#+j*?zg>egn-v*;1&mJ72ty;75 z^S-g9(WOYqyvg? z7Lz=$=@KZhrgfiO?8d;*s4K+mGOv>1w_53n*BEuH74MsEs1=Of!?y9-3DgG|FQY!d ze>oVV@5c)`?y>rD&D+}9-rm~SezLXgowaML5-=Q4v+wyn%FqX`#+m`1`4Pr=$X*KXB+4qsCqkEK(5sHg5ugHsG1UxrL z(14&ZxyPegWocF%#(Q|bm&p|>*d$m7(PPMNIc71e#j6#o|sv$moKb{8N zLHNKUJn#trO+12O5}^Bj`{b;3P&Yh+Df70~0cMy2Qs5ycV2b+PQ8I9g;8aX*CSmNB zj>2R!>SxL#Dj&J!XrAwu0Fwe;%#=Y>*|Kq_2$ytS`l zVz0i!TL=d4#@tAyF)r~a%aYF62Ijg_GptPk<&~hFuVPFC%b7fcaPp!cl!E3Zbv2JW zH|&cHl?Lxm?2!UH_sx8N@3WD*SW*G`tR7jn_%u5j^8AkRvPwXj+b@G+bT^78<+e+5 zzbld+cPi{r>UCa>KphOu*=cB&YD-ze_`+LW09lC;kL+YTgl?0~r)Alg zArqQ3q=>@UTKKXU@TTs-P53%xD^3pSh=rr^=o~39vQ2cCg>Te4A!ii^WI8G?`jU=` z9TLgA)xMAoD6$s^fCS;lM%fep$JR;n=x6UY_}M&ZzBoEL z&@t8emT?ANF46tv2rmEzVxI=j1d(z&hU{^>Gu^C^5_%BZGf4v>$2Z_ z{PXy$cy^9ff9J$tp%zD85h$7c;UXCet1?lAtR|kSTk3 zlgwAr5rs6o#>{i!WK}L}$uSdkC@?YA)x2fLVa#EyWd~rbpx2v%EaR=?58fWkWDmm8 zewK^I?jjR!X!{@8eq9qR|fXn+ACYcKt? zX5%O6IPPFLG*J%QTq}ED>jKRv;zZG#Z8W9$Bb)z(Bcg^>Rc&6Z@<+1Eq^$R3W)YO2 zhA?V2r^-tK?>O7E&6rYqw_r%Ifw@tzY5HvLlkvPT`gwDlgnOo|WmX@fnOpLjJyL%1O1;TyaDS$h>aCt z!2GqwFT>vaCC@~c_jE|SBGeKt5172#alLbLa&*#s<#IqBwNGKsx{VqMsPt8j$w7II z=B+T+J)VH!WPnC7-!m8cc8eCuok#XJdHisWbA1=BVTHnE0hBmg1421av4^EoRR{iB!yUs}t#r(0zpq^W>r3J-XwXlPfuWE!= ztwW>=)*z_=?8i2X2f!VaGB1JH!Gdnt=G^^72L46;S(}%i0MRT5amld0-^1fsnOTkp z=s>&~D86>iaq&*@{ z18tK57>N{zatU#+cRy)KhEpv=fE~j{Xlf;OZN-dXqBfhCJf0)KreVZ#B&-IO- zm#S9e`>J;cEVST9&+A3upOxc-qjV&#W1hOtHmz%p^%TP-&PHM{I-i&lP6}R#T$GP| z8MJdz80Q=*Q7^6%@gPczPkLfcPmYcnP474Q0f)Q1cV=GqwqV;lA~fEXl~BDY9N4@8 z+0tL(gy=;lA7W@l-8rFE%JB(sHYcq^A2om8QR4;Lg&#Irz_N%TiV{V8Ya~;i#o`W+ zcBv=@sdX27O^p4Io`kar+3b70AcQKO9m0D`+d^)tH#AAYui{+Mr{_~^rFj}nMyQAa zeoVrC&&uAw1wPE*n?|$K`T3NBDB;yfy@|71ey8&`z~9^CRwHiz>YV?z9{4^=||Y>B4)y2=JtaM2812Vi4nFv z{{-ObYxClJNziXO=3kA)6I81}*$;z#F1C%2v~u<5iBq8#kT_Aj)Xjrw;AJ%8TXqD1 zZ2^v?n^>_pE32!Mu*CCPUMeyg)?HiRbAk(=Gpjqx&+0(KDrrot!M_W z`yF9aS7NwppJmxnW{8Tru)?FsCfI(bL$$QshE&)DO6sR<+SSpIXCBfJ)+j4Y%QU0Zc%Q`1bm%LY>hDTe(wFM8RDxy>{ATTV{nqgmi%hbGRXzA!pjQWZGo4 z+B3?Ig365>XFxeiW+6iR?BJl@Zrg|e^gpJ+7;_Oz)mnsFWK~CoaXM1BWHG=%G2|R4 zSb$?y4!bZ4ph!K8o3fxElvT5glzG&HmCyPoL!HfDc(sWz7j-sog45a)LoSWuo+>Ki zbstj)gW72wiU_#bkLQcmNO^$3&xR5Q06h*YcDc7`Y=S2&rDCgjfm#<=um;?TveL`-4_RQ3i58LJAneYwiOjPv zTy=E{`>Uypf=+>AkYcA)lA@CRAT0LFG2Zba8>IYZ5h?f*xVpOP=`)FuT+{-<(qML^ z*jyOH+@day30j*Xn^LlbN!X40h~45Z5BmpLWy;+_fq0Fg0YChnE&Kjmp$Sy9aOnwV>?AmpPR+n!6Vlm~u#PIQ0EbT8R6%7c zV?ipFEDOnns!rGNEt1h<;CCs_Vwa<{Bmb+zjT2%Daw$~`saNvSbGkZ?t2gg-dY$Yl zd+YL}D6J=dNRB(Y*Q|A0r+X29G#j$5>9Xrem&XGY_U~U{by*74aDeQfCYJBHk^iE! zjU0gk1jF8}8`8l5BziJS{&n#~Jeiln5c-NH!pg;TXLMN}VK|i&Y2(qFARc!kop#SQ z@IxZVG?sKbae0WF#3fvQ4u2(#P4Heqo?rQUEJ?* z1)dvR-%Gv6!cXXKpE|T$&R#Q&vr*p+WHJq}qVX&q+@RLz7i2+jSk-i&3-@J9RD8GV z`D}EzzT^E{6ket0nGVETcA3*a#+=tFRcpDy*w%ge_iaa{;-8IrI%yf@-?CjuWouUL z#`7IBvk6q^cZX?LW{zokww+m^1xEAL*)*)?EvaetB20?>MolZHXpNRPN|=UzI1NW# zYDVGL2K9zLHypH!Bp4KC@l@1x5X5OP4N`bUanAb+%Qf`E?vAx2+Y3evC&S_qV+?l~ zF=pNZd}G5kQqL3K#HyS8gk5D-V2tv>jp_*@_6)gvcdGBNjTdzA+Tt)F@#eG#4-kx*~z&J7jvd(sPBWUG4v5=m@^g`hc$K3 z?aHbNKxeeWgH5K3u5z5k9pQ7&n`zdPZpeUZAd(hAnKqkG+Dn&L_su`KcWmGd+ zy$pi7yK1I-SC3n*xoLL}4}6&K<66f*t{t>a+8(9hkgRMtk*BT3Z1*YMl8>kFtE>&0 zU<|zl(_QhqIjHByrcu|t-WPaKCkX5wCk(p z$c8;Oi=1|^gdN9M%%pc=vyKwK-^-d283UB8ABri&FMwx3Re-X`RK{#30=}5OKY~)* z^c`EGOGxy!NT73+Jw!e?sfqCB82S%fP$|>t_Q{ct84Bx|V&=qe9sJN~9M?~n9}xzR zBUYBV^>ou&f6#)c8nz=zO1MUFAkdqN{ zxM+avj=?sG)76yIPb<8LFrdE3flg~8lCTKOZ>UR3$z>UmWVQrK1hA;gYpqj%H*Y89Y&>_7v1ces*p*7D+;iNbgywf=FyEKdat-Hqy0hg~*LX4Al@#5` zpq+)@tRBkgQbABu%#>-Yn0b-J6G%JoXh(W{KtBW#Gg3=K^OOHduUhIA`yLo`@w__m ztly75&)_it=pvjfrcMt}o9exY+M?y5C@r$Q@Xe#bUm>wq@ z@E4r4v^GFC@Z!?_4*Aw7My0V%{3<+a?X)3&%FHR>NNR9Bi0e>1@l-ZxR$R@n`@;~? zPA5=chZw;SZ^I)iN2*SEEXzgnO8$))^Pk_Yt*IGLqXVkHDMn^q00mx%lt+~Ig>kUT z6CBEko{)B1DYWCs^G8}Mj(?E0E&M{ed`ZRM6{o;J#MN-7QT%(IhWCh>yx)!U9ig9b+p~P}0B2W(b{KCw{yfJ+OKMhxps0CEPugO4 zJZa%xW--_8O!sst&$FD3Rp@Y*iw}AG>eI*N#I3Md2<3INH1CjBk7ema!TBQxM8&h% z2C)Ojvw(6OoE^6P+Tmf#KdLw1nH0o!{;i@D*NIOdp($LZ!(^D4N8{#kACj;W**9U_ z`jQnvk7=%JlkHw;zQ}7ydyea=vSYEQnX6n`Xx_CS@qlwVK)q!2#ucFKrT|;QYyRn0 zB7HbA6ZnIUGgZ&TL|5J}`jrj{@r5a}rl#IJIj$eeN|63Tr@&L{b@5WhAORW#X8vS$ zQ~%2iXKGOURw@5WtD3{|%HXo&kr!q(s(}69FrYPfCbVHny*dB4rgc`?SJXi|`Lq%3?H9FOO zOA@Q~dRh$Af|umXHAM($El=1|kTu%=tJ>9O_5Y(VA?4KNXR`m?+4=TKHvZ?gyAS&R z2m8+l`_Bja&;M}y&t|>z<4Nl;85>YjZmHyh=_J_1Fr2QYo_6kL{!KxyJ!t0opx{~{ z_X+?Hy|gK4#`IGgd0J)A?_PKX{7E>P4e^YYar*V+)6UNo^ZY}d{3F%laqZxTqgvA{ zIeqPn z9>2mYNq`;SV?*01fD%v)zoM~HolhTYFY4()WtjbKnGvVJ@%Y^l-)g`qc)X11@kW>w zEBpZCZOAX30g(~ij8)@$1pCgXG5o4k7}4}i<7KmU+;03;JGj$aI>i*2joWe1m>~{e zkN=v&dC#LwzMn0|9cUNBNj}9FSCoM*Q#`@EXXz$~L07ekP=T)tDRAgy8eNgn{3@IT z6(9>y?*g9C|1!Cp&TuZ4+f|dxo0yDI-04K#FAl?z3FCoykzSDwIUzf%QUp)4Ync2? zy-Xp1PW_c#Oa!YY!C4|5f{s!)Luz0=N?WbNWD>N?YvMv2XfRhUZI$NQ$gCC{=z1{`oI)fOFd(pI&1N6v1Zw$}@J zOK@wOS?Qek2(hSuV>!(j(i3h66I!VzaC!_BUI)&J;*L0V@6`~49o0-tgyUp*Rj6aE&OiRe7I|UD9M2ZPjrD1E z%8EoWPt|-U5QKs(o>=q1FAjX03Ipk_t6!3><9JMQh_!r^TqCEexs*7sIa!S%eCnUy z_=E^03n?i05(mO^Z&;(g+>_4-n2Ar!-`QZ5|ATWC99|1}9N1wv2$L*#IcGdQ`XaXj zbGvQ6%gluI<=`?HU9b*RCK>_G>B^M$bZ%G1gI@OP+6;XWyqv`wpPbM*3N>v zH7qgbOo{tfQO`n~Xrky}-W(92rFgdRmy5<3qD%x(^Di&K7n~pZAOUcX3_NyTuT8Z4lVK8cBZ6>?yH`g~hz? z@*7FK?(9OP2V3R<9$&@k7{eGE3*n5SuC*JOPl^c&*Ukap5#V4EK4j61Rw*)!Wk;Y zQ%b``3@SCnnY5whyJ0=KURlskY2#0VDcXRoVCBCp!`*hMiFHUMyubf&}(%_J0)i>0Tp1F7W?A2&98nm zgt6{1m!R6%iF_Q%G4gvjUkM0lJUKzw28uHZw1IVv-k=2_#-ki49n(RAlIkXEP`aoT z9Nc*1n~9h4C?;V@GkMQXYmw22j@C{FAdOAQOy zVBn&m8Gthl)K%Qblg7iIfKh&=uw7sYLb}QjCsYdeDTWF3*TK6gASWL^Z`NOb>?Hy35t^wA;0TvxqVaWqVK**fATUFk`cr1OBbf&ank1r zLO~HKUQlFEm3N+f;W*dJh<&6`MM$(S9qQ541=^_V9?6w_CZhpGb(>o8Kdsf_^JG<0 zQ%HO;$BZGwlSI~F6ynMRQ_N1umNjTjmW)+aOrW1;Ue@#yiD986t=6q8#11I`G*cs& zZpkP|alc1Sj?K1C^ymYD<4a7fu)v6uKRVA4wsr(1Q^gK$4w}6u^5SMelW8}OS z=>IMo%jy7DCYMLbz(b99E<>wA0M77**LOu!eHCZuS?cCMaZ_ZUH__4d8T4`Y{_PvXSDvLr(jO?C2Nlt(ggh zkOz%CnQsG1bR`1qN6XB@-n%LblZ@R9XAv2!Zt+M-@f!?%+-m}<0n%reyc?D2hHzKc zA?Fqbn7v=4Q3a#Jz%KcylRa4=_1al$Pv`<&nndEps+Bc)V<6nZLogU{Dlp7z5%#P$ zFouxd17_65FW&uRLJmZO2?~hhlw1g=Au)AwDFnPj0Ul6s&|`~N(|v1J(*Xm;*rRF_ zNLMqXHXvL2^f6C5f1|8mOgdtqAy+^!#xq*Iivp7K7`fAan4-#b6<|QGk0-Gn0<8Ka z42#VoyBE_j%!h4+=h86R!Jf`3k2!o&mRVPb**F3!+)8I&<38s`uc0oEvw2shP>E#11fkBvMi^gq4)KJfkX32Uy64 zFL3F3&e(nlr(@lXr3R!w#gpxJpXw`G82er4(=-oIZVhBrINwyttv&Am3y58%NbeK$ zH%K#<$SieL`0}9_^$V@~EVhoFfg3#=})m`jMq(n)Nu>vx}5Ob zGpvx?`!qO8@;de@cU{`}C%sjO!Op?3*` z)!2;%2Vd{5JB{i1S<*EZ@q9l&heAHe_01?(3uzcDzi z{G{AP>L*92<;P*rosRW`3RKIFmR_6-ropuz-^8dH)-B3at$s*C^Dv%*IJkM9O#5-V zuoq3!MT7Bpk}10yri(`By>!tSmVN+dZmM{itvN+CNxD$}Ehu(ZM7{jQ9ug{NQq_2t z{Of5jnS^G+Byi%uTHpjNIgsk%4_yyV)Ob_pu3D;V^02xZ^}R;hf6+K;HV)ET;p=BM zQbDW3QG%*4wU4Zq$Wu)cnAKH@%Ue|u8`=_m=#&M&A1@`mq)A_AUrh{l0B^qEF z?5ld`sL`xzurINoIUnXlm|%{hc`(~&FHTN7Ibe8_ElBa~9OzBXfC0*@)~m*$-&)w4 zi|Iww^QQ(#JO*5U_CKXTbPhkttE)%tV~OC6lxYwTH{t(k7Z*Sx>Ppe2TQq|0(WOq+ zo3$55b-#9cT5BDjv>b?EGe|(YU^;}o+_eTH-?i&7&1XO5eHMpw18=^9Ui(L|EH7HM zR)agtSQzBLV`;*MK2;jrjBXNGdYf@7nbK0wSn3v|wzg7xrN z={lzi{NV$p>mD>%&T1WNQaLrz)Go1`&26*reCjSdx=2n?r&l+7lF3b>{WwM(uue7R z1>7gY8FY&n1$6>;(`O;Si^DFizg6g*k@Osm=&^Nf`_av3N342^Bk30LDA~Gtqt4|KtnYqt*5sGeidZa7HOjPO>ury z`?S`1t*YVg^n3r+(aDS2k&h9^R6V;aT_1xpA2wR5syw>28ZYWU)em$n{g{T;sUM#n z)jD+xo>f#-8++AwmHvQB-EU4_nbGs_%;*p6FKcH<9p43-D$aa`Ha|c){KFUe3sY2B z+nHj!(D_0){i=0xcIrc~J5ZCp%YWs3-2xP79M^q4aJ#^%*?!Szs)?81_WK6V%w#S;4*LyinR z>7OiK#(JT1Ml=bRl`57{eLH|@16cN zUepc`p?m*RI;frEqZ!Ztlo$chrLrd3VqRw|UR^zpMt=LC)i~|6pV_Mob&hMz!?s-k zm#sVOA#!ifJ&vSa)FQfmJDc=?Ki=T?SybwroE$Oa)7A-EF||1=`UXqI7ClP9& zxJ83FRUm>;sx%%2llXF+9(mr}0S!yfT((5z>dh3>mQ0nRHCT3~H5$!d{jYiXF)-jL z#<^O>_~CgNVpkF6QmPh;(U{v~b#?Oo0=5v=O+%6SGke+7z&A!w*J4^M%7ELwZV#k| zbjz;vwbYuDWf=Z6IxhivbjTZ7tB|k@->XgiJv~|bnG5Vat4hq~{ysaoWWT_-2SzW& zx<2#D5)m=J^^fVVFzAyln1*bB_ z=Rq`@Dl_)9=4|;m)4MxuK1v#%2NYl2em2E(JQwZg)h+k3 zseC8o6V@mnUF7B6*28d|`GeK3)uFf)c{UrO~pSG#J{*N&Ub-G%q|#pFXNvoRe~;{XK+5I#~u z)YnFes^U#ogm>16>avn|pS_ZQ6}vK@(5!e1mn>(^Q;R87q`Q{}}r0(nxvvM8t4D6dm@TAws#EeUub zR@rctSu5uQOTmfy6kBD9O3Tx1;l`1pbx(mibUGl9*4KcHXveJ-u=b1LxHn_{pDGaz zv{jPU38xTm1Sku*jtAEUhTXdTLWEu*>sbSG68{ zb!9qS2yFqd?bVfTFR#u%&h}sgbKm!J+V*axZ_fv|jG|uGPAw|NrrJYCFF+P=_H~>d z0#;JXu<2+PF<*p21;UKgmH#QVju*`O`VzH*IRr1~YuGOIwI*rUiXJ865sy-1E>v_d zmqD)0g*gb;ma7Q$>@D-9U2-Nft zsA+MaCKIU%x-XosiPL1tylv%%XQC>xRBOjs0*Q8%%I4Vbj*?XHCQbwGmZ1Z7DrQrD zET~Mj$OJgL^LvU8wIJD~R;k(1p_Hk)Q>HD$^GcO`vo<#vmE6u{%Lb|NR3z~`1!xPM zDq!5v5;sSe#Mj}J=RH72D7kSg{?24SyTf! zifI^6#z=~W!Ht>#1Q+yr5s!-^XcWx=Yx{`s2LP`Nv>uNI)n_QCC|o8C4~D3r_(8#d z&cxt74oaswa_0%tvynG?)VC&=k}CntxR#`0F?p-=ghsLM9mX;nC#vI(h=yzJ3zc#c~K&oW$i92L#w0K__4mg)P#5%j_doOywq z_lCGR3<741l$cRB4jPb-0Z&d&g9W`A+^B083TL1o@{Sx1fyP2(`bG!#)NC}u$I^Jv zE2|p_j*ixy2JxldC0x(h+3bJMSIOfGpJ%3|#!$ib%M^+P)oYoU-mn}L%Uk_UaDmFJ zl;1G(f&3m)mXtSYGBJvk_lzQq=`xty_Q_HGofA0W8PRvNomi{bl{@v;aidu~@_%eJ z4_?31l@$s0uYvwvy5F=rC#Ubykr|#LB_B`Rnz+`e1$R0FH7`^&lWcXg6ZTIVhwoC= zITlRR%YMND_DKEo&i=v@I_RgiDyM zEq2%M(zPY{i2Fh9@Q`N~hTo_+JMZKJAOlVm7xybc4KxIOmxCIJ#HppOx8x#2HPn7b zOPviDgCA1-I-ss4z*Fz}GtWZPGJu_i$!t3E)*2%?M53NLIo9wid8ZH@{(ZN<`ca+r zYKu(c3B{-0!=RYRC)1%QXAb3+GTWWPY9LF7iNz8fW({{0(2|77y%Y9`zQC^I7n(hQ zvu2iTNn_m51jvum~8}L&JA@SNs}4^66*m_ z>gV2;&}@o7710q5XF2h@6vXm;hFlMw!6HpaG6H_ff}P|ffWt@e3rvSIibuiw)lBRNZtHv!>Jh10r(J$-Sh_%e#}C#<@ph9hdL*MBm^Oe033n6 z--}D!@*@IU@wTY}4#qO>mk?r^VpPF~Lr{QZWjYGlKes^!ZkE`Be^hb2c%H3Llgti2d*-1_MYC0J*E_h$)lS~nrkd8%%E#4} zPOElMFRdLoEgPX%b#JY*pa()^bSd^Dg*iMIsijbq4i}j46=zXJRm0F|wCZJVDw}%? z_KrmTL!LBAZcNfxVjGEbp_yC9)xi!CONl%F`cl*mlMpcyk5tYh%4}$#R);>_lsP4g zcm|*T_M3r*>uOEx7SAhp8}LV{fQ1$Kf-r+%exXWeK2~Jeyn6HGxPFY4R_d+RNz29- zH86uNLSG87W@RzbxQMX=xL^jc@tij;?BZv751E%R>A+#atJ6-)@0{V&4<&eMuhg-^ylfpwd%4-d8*w%unL$-NyYH23 z*Y`79eW^W41EF!)ODGuaOxM@mHZ@X`Og3eM0dMSz$euiYyY(3R;Gv28GSJIRoYZa+ zxb$UqyL|F)xdj60xim)wr{_Rxx2c>Dy2t5N+OkiFFP=GX^+}N#PUfg6Kq=?ExczYS z{>WwWP~oxXwOQ?v=8F__*Jn;G6Ttp!<(DY^a(yx92s)5}u-1lZ1>7z{T5yHR6Y4U+YaEKtOfsfsPFY0r z2_FOCvwWKGeFp>4e27>!U0J4I*d~;jO58`?c)G!g)Vn{e6d@qpA*!SRIVl#q zrJ0wL#QPrgVW`d4Uyo-AsuCiOC61XO`ss`YAlg!r0;6pFUUr)SgP*8E5WBB0qi!ll zI&ymk#O;(7^Nu`MYmrDC?37HOC&gF2mn5DWg}Tx}0AVl!6(LnmXWfWMlA>Vv81mek z41#Wm(YkrDWFA8X6(C|vf+^71*#M{^ifZv-Odw#E01Dsj^n0xFkH;2diGI$@?oK5q z4N;ODt5Cci`UcRY(m0lTC)~~%Z4zlfU~uTJDx-x7jqpY%>gh!gZYAP3>h25>iLlvB z)`+bH=o1_n`y>d7?gPObgu!SwDV3{MS^;d+(%bNEG?(j$;u;A|HueJkX88k)Z zsH|qPn%~m_CaM=Xyf_3tbo<6PTE1t1z#s=KsWkv1$}(6{y|m`FOiG4Six?Ok8&nej zMO#H@D=`9+`y3~(@N~^TQWfKpuUYA9Mn;h~MZy?6mS^G%v_3D-+Vw*`dCZH`#%Y}t z7S`zVltK3S=qTN+)yBqCr`)4QUV-W<-5xQbskMEH04EaOJQMSz zXzXMP92YPrRnKcY9^!exSu22CPw_ms&cqzogCd1@g-o2T(YB$7omCP#C!X1;*A5Qq zZJ><6LxtVTk(ePwc%zR8tE9bpEXjAQ%WfRrbUe^$cg%1%`18Nx^)MgKe8;M?Jvh=0 z=0|aIT3Hz-)YUgnXf&l0^gQUkkLl{vmHh3CzCB734?i;5DJa!Ql&I`2Sq^VG=Fad{ zpUzTIH|Hx0IIm0INN>5P>83%p5ubp=;DbsTv(y$x+B|2Mqjt7J)#=KDtBdli(d-=8 zenKtmX{S{xsm9B{Zft)nlUnx^>4T;4b|gidVOs+Xy(lS4p!C4_J=V+n9y94+N^fQ5 z5zmIg#`40Tv87H=hdd_PVj#4Oh^z;ZUF1Yhe3|w>1U70wmK+g%{y5=16QJE)7q)DA zvy`Z%GObg-PQbVXD3+LuUNtvy5)P}{Qp!q0MW0Q>0UPj%k_FS6Ary74 za#hr#3#5O>?()9ZBT?oW`uRL0>#q1ca%kt{S(0}GV?*{fLI=fLQ!>EwxfBw%oq8Re9E1J+x2R*9E6ITQ*hfLt8gzO6e-p+p5S}Pk2mwQ&ffa zSNrZO`Bd@qW+*E;)zF7A99gySBJZAw4Zc<4p1MFUc%2d~P#Ux;5~+A|KQ`t`y7FA= z#fWk{!j(;nlS{g6M3Ura`P6KGK?XLP39$3BshRwTeOXPDLYwTF1#aWH8EwfFqrCYK zb3ad!#%}Yqz20B&`Io*p(84n!qP>0^=jb~|H(deVs{3P=Ci2eI+gSby=fbh>u)sDL zbrgawSzV5*5V94ffFG7N`tn3NvTrTLb=H`fMqh{`(Yo97+(@WGavFIQHzGqQt~x>@fd)*SxmtelwuPTsVb&0 z_-$^Z{8h!%wey?DdqS#G(Ciy}Y1z|QL{zVbOL=vR`)LZzcaAfZ3b2(u`#n;0c(r$T zT1LWSq1Mg3Qh8>MHrlNgI~e|`o!N0%MmeJOTOy_?kmqf5bQ{m|y(@{~AiSrR6! z5N1;is!rUD&dFVx_ijLkV!AK0gt_&3TVZ3bkcl z1+ggGXudqj-*qb2xzxA!u6>6jCdH}U%zED*=Zp_OO!!9qMqDH-+SUN?f`TZ~ZUnO0 z;zV~YdB({;L1((Oajd<*v zi%2oDc;>Ymul~|N4)aswQ-`HN8l)QF3wf)#!kYUFIYYywAh9UfI`fJ(Ce0yAeMSdH zJ-!*Bi!{VDJ31){Lvb|f67r#Ms6uqUHe{ayM3L}Ag4BpwSMG?kDRG}hBjZ}k7niuM zNNDK$RD0KSy$IVOfc=1XjtHV;^hRZ&UQ~}E^f0awx>3#Is^hHi#S)VInk4*MD`#C8 zi21cZ=x&q+1|HwVBGgikBc_;O~0I{5$D(Q|{ zySV(bInZ03H|{7u|HxTmg=v zX+>UccrvZr(;&28mhlqE)J;1LP<$449aN@yljP?94KSfMc)Ltw-0tdawxujp&VD4L zJD%T)O62}2yL67b+?_VG7}-_w#0lwl`S;xBId=fdvTldAg%Dk(B{yq|Q&Y!@rROm2 zXG-m6`)lFabJzrQ#){Y>8tr`I8;ZIC5(-p_sQ}I~H8%^IGfsi7Vo$ljrJU`)OLgjO z6iCzz?b4(iYoWVek+*~ElvmE{1lzP(^XLI5WQV5Lg)K5$x$Ow5(tl-*&)ox%#4HYYV;|0pH=;8kHpWm*v1>PfB0N2rnG?9 zB4ZXWm7O>_(vL~(qzioLyV!T9%!;-Pl%hy4_Z-cmI-GNl^0c+_p4cC&Ern${+DwKy z=NhQsW(U73EoJ+CPijmI#!+yxu$Df3vT$jU5%%Z4a>2ImqVv0})V^p-=iaG0;#SeU ztSgh{-4@*aB0#tS7wr|RcF&lv!QLME<;rqE(gA>OYp0~|FnqZ~i{GHdCr5EI)x^8Uw1Ykp#_Ise9h|ito#$aN zW#BOOO;zQ9SL}XM(blO{jk~N1d6rdd3~OvmwSBWRkl2Z%+Tx(Q$6W(dcS0RS)^OFUQahIF$%wuI|Hi-Q?jg8yi~i=tR8O> zJx!B|yO?n-CCtndVQ`mkeatmDvjq)Umx=HANafh4E!^V^z!PNN1mnKE2Qfy8Fxu~_NQ}vovIpaf zTbyF9g^&UOb;cLBRC?iO^K@M}X%x+r9l4%idK?fH@nK)yP@ZFXfxqo?e;9m#ckB8k z7T9*UxvDdan6sa;)qN!W%rU^_ZBabL^6#T*+gum_xQLw4IE*G>0!$18Tw{-w}3(4TBHxdAgG^-J71Xr{N1NOTN#6V zifWL#>{SV4txEgKgnG`l$N54Pq$1ib3BWu;0MJ{H4MxF*TYuI8EE!*sgF<~BYeUXc==xw zs)eI1G%|Jcr!4Djc*F5k=+14$nJulo zzP)sq6SwsiN9#&PI7~a5f3mD+Ssi6V&sJPdM8yqBPgd^Nmby@VoFix5CHhllA#O`K zSC(hLGwW7-U$Br>w__S*k;zf+S==zM(QSCq{~)F|XZ^)kWT~ZILeffZ0HMP^HBnku zh*U=K`LHXwAc=;nuf6X1UE+)v-H|O5c6@=g#WGRIb1mGK2})jUVY^I>^0^+|%Y-an zkuHVCeIB+GS#+FGJz&Q0YW` zbK<4D7xR(@(Im_0$$h+hopT6jQQ-WIs`ZZJCjwnjl-V&fr(kqB@uYHyRGJD|u2*)o z5L55?WM<>7(?51a<}>orA7}vf{CVsAuX{+L9t_^h;E-8IOQDR3RPjwNWxAGVThPgY zruf`bsiorCe=#Qp6fG7j0{iw_2sfbm>G#J|KMa7R#X&zTQKuhe%u_9lsgUuL0#B3h z3|(9{o`(bSd9ngRA$N-Z_Nl9VV%|~GNum)4qrwC4eT0OaA(0Hu)3+%sD0LEM0=rgD zhe0w8&?~l`PW;_49RV%Ad8KuW3J3gld!+GXFjCT0NxoEsVzX?Yy z{0}b}Ec|xmx;Z-uDp_K8eth`ul^qVhg81#@w@U+Um^l!_1L#Qj~fV}-40 zBU?La*t~#Y6sAb5{gqihE^3$Z;)vZnhDxunxilv|LW5>RLe_e$%;8T(V1vJjxH3i; z@{jB;kZa44b|lZ5yI4V$?K!vHlCl%rpA809Bw4y*fGuz_8l&K+BS`8=Uc)I_G|Bnq zV42aBY^C7b$m6#QIxb=R)u`+c>Rjq#^;Sjk7EM=F*Bn+dfZ|x@!*DpB-gpKFwY*yp@ZXK~pOa<4sAp73 zX05afPfo0J;anu{vyCiUdUPtzxixSe=N2a;mJUTf!^=Yo> zk6Y{WWuUoX5|!v^$iCs_)GTQ1*4eYhbg4^#(Hw3`VPNR8N zFWP9VmRgM191igx>b8y82KAhdf#{gi_8wH-*6+LBBXc25&&q+S*)0OT5+!6J$_eR-HZq zg8A)}gTK@}_}f3Nwc7`+I`sJw)YSYD{9c|v3fU;yq@OdKSDfXS7Ixf`IZ#kd$sG1* zQp{_`bMBATF3+Mt&z#8eX>qq4O>%a_3IDGCxpyI*IrT(q*e&JGN**D%x*m(K$y}ntLb96|4OW zOAfOM1ij7idIf04#}t!t22;%tiJ^@6w-~R}!T`TaOK@2~m4=wl@S=9($1S{BVhf>aQ*P+2qZh z(`+`Ef6@H!=p_53x>bF$8Be>L@U%(VhHCd7+t`9XyHB6~VQY7LYj z$5&gs-~3_w$&+ut*?scl$v02_u(iFjz5VSUyg&Rq{gJ`wfB#MXXk+m`ZxD@UA3Q_m zBu~27c$W^!@NRN5jV>+|ukqp-o~Dzkx3jhNZ3X}SqsnGDOD@OLcn^Oc2BRn(ct_zc z-2iCocRhNp4&*uD=vUSL^m#$vdy4EIOE&g>%FT-*X@S>>fRaS#c;gsRGJs9aPCOj< zqCQ4>hC_!EBB1kQI332fOBo+~6D%ZqcZqE4B!;)L!tZ-wgvvPl{wkbOCcB;LwrWp6 zR?vT~1OtX4Op)zHu7QkM@Um>GzN{9^gBh+)QE&-|qvXldDJW662H~xOAW)k5vC(;b za@O%`&7VCG_FA=O=jVM276Ob4G4mX>Y&aR97axoaEnaV+?+D?z-a2>-duP-bRYQgv(`a<^-IYgZIyZ3t6!pBao=Qn|BiT+>g98*h}a0XC{B9OI8y}U zPM4uLpDMeFH#y&Zx^xmugJHH_yeJ!T{#fh)A=@r#{!?(($ zVG(P1;3x4nZn)+vcvx$lHJkF2s?cx#r1s)OS9{s2*Z-=2pZvAnBuJgtwI31aDvAo} z4BW<^yTG!=G9j1lp@9__JvYY1-iEiGaf2}?;4)VFo3k3*&GGN)PBz4s>4@0Wh^3zO zafHt)Lr?x}Gga_riv$3qL#2r9n!E^xg&@7?>#xg7K?wD`!-@GUdZ(;6>{uKTvZTU1 ziubZi%j2)&$7`0shnxN>J@5;V<8K+-EM@g%qN6$TTqc4R?DYXg_z8RLrIDKHsd$b! z4luj|F^65HipluB6_!wc=J#eM(hXVs(;bg_$-X}DLr-k1gT^=&GcnJwKhWzb_6XxX z$0h1R#dAIbr2lPAWxQnr9~ZCaBP{_cq!uZFHE?b}3R1R;iwom2CtAU~=6nE-6_gUM za1lzW#m%m`S`PAY2Eqx)xQeqjKj8@vo_g$TYRiqu^*hKQhH9Fl&p3-gyJvsjNiB@M z!~9oxAsNFzY$ik2ZON6-B|6+E7LB-!gD>x|rk0HK$>?fl5L-`>)>T07WKvQ~`dqH8 z)P?9=PaLI@Q$D=%2w3KL5QdY| zBc4-Zp@&V0_N65uZ+j-zqlv#U*JX!yo#1d@PC|{ee|Y%wpYkUw|0DOKeAwb@H2U4; z|DA34?aKd8zJ0p$Apd`kKVPnXIbZsR_gbR=5`;Uvw0@20U`D{v<5TsLp1z-*&qm3t z3fwpH?Vl*gfB7kb{Fk35$A5VrVtmdF+*XGF@>50lFYiHu|MJ!XJbd!W()*Y9BD{Zj zzp}epQc|ePnHqbS;a~!bt}S)0f+@yk#Z3is5Wzog8_=5&%Vc-n^#9C zFKS0*bNc=2IT~9}pMC$L(L8LlzF$p3SW&d2#zLswsUM#n0h>lI0XW_&sds33OXVa; zATRXnZ%EiB_C8W{;gSAEHLfl)@6UVTRdsMRtX^GkonQJfW<<%a2rsMn_HPfYz<=EN zKMk(^_$Ef9-1vU30T!J9-)!xEn?C=c?BV?XEa(5d>LTMV9JHw-3I%&N{UoXp855UL z5ay`%hCz2ac8eVJMpc~>!0`pzU|fX(8@>Q_O@|3Y5-LKurM3&E7gulI>C_eWt8jER zfmf_*q2yQ~lEa+Sl>5z=ZgF)*I#qItE2VF{SDR zj>%k>gx-jANwe7jaz=?x`$cI!DSii>(eF!T$=W%d;vkUqidDQMJq1u{sw2ayD4&4 z*_OCRkGzszu-|0ufOV`lJ7~GkX&ma(gV&9tLtUs1TkV$zM|I>n%{N&4s9kpSN~#yQ zSv+y`fUOZf`P0@1-!G%S*)7c!9<&;5C?tor6ToPwvq_(`@$^(u!i}dWT?j|okESun zAj+B^HrovIx9YhidwkBnhP#y_nuf^rn*iu4uO%#C+1b>D2+E>{C-ygthkWq*=#V$D zJ61rcE)MI_BdZk3E_a{Oz}T3Pjc%#(?o+^&>)#=MlauYjnbOhO^D4yTD!#@XSD0{Nee41RkUmCU_3bFM_vot?Tc} z^p{}z)YQH_(}T}RTvvj4=v|F5ZQmd)tqsRl-d8&n@2jsaw%?B4CYD($y?TPL##=eB zwmf>3{wnddKJ51LKtWyjVk`d@%;Zom zY}{H_R<6*4xZ)MjZ-yq>VmXJbOZe3py&w-S5t#5pl)%{&sSMR)JDsDmex)D59+(6U6b&Y}#w2lr=f3_;hk4+3L+nwAH6rS3& zrIwt2XK%d+`;1)D9dt=Unf?m7S8h` zm>zJXIQSY_MDEKB_7-w@610~(V+HM{-Z6uRzc!x7vytBqh7m|`&%D}8|E$^giR^9c zz`Ty@#^$=tBQ}EV+zq|ATN@H)fV`~~gGnx?9HQvB_7jEV;u7hL=>Uy8HE@io(K$Ie zI%&Qt82;j3z$C!xmmaw-!9a{RNW~MsP-Rbr>tdPdH` z9Mr*owQ~$_w$dptNk!nN9bs})L#9$iv*Uybcs2*0A2Gg&<(OVY6OI>ci-11&e6>#W zZ^pw!y|wD@7y8BEO&Gbwq_-2uWRKKt0&#fU??Y!z6h~|7&|yi?$otw$WruYG3g7Pt z$e0IK1|=!WV~N`mUlkyxfHjn_Vas*WHI`>{y5;t(sAFkUq#VZ{9oNJ~00z&f$|ioM zy~2$ku5hJX5_g|yKi3T`VpZxeD!}#J7rVaivWzqO5?Bd^6Iz_3sjz3J$5kl7USs#eMvVc_SwV@tG zs#J%x6i7_XgX8uqzkP~Uch)FS7t7}vYN*O~znxTzX!>Ye1UHf^dtsVR8bXtg`94_h?A@;<-B zz)ApP05S&Uw$vWT?t7+{Ui;wKZ#7=M?zGdNk5ns1_2!~!F6y@dCaZx=00G6Q6f~XX zil@dou}2lXl}(vqq+%lDmnqA)B@-f1^@FiOfdDQfH&8f`9LgDx>)C*r@+p zbj7K5(RIr?n{wjz&Z8`P2{dMIY*)N_Ybs&N0OX@bUYf9^C`&#J9Rny!)oiksg0Fc% zP1tapLV9%XGc;%}dOEq;ZnwYbAhu#-sck-Q_h$C2-gHauTvI&5rYS;%730>uE4c_0 zC@8@kRA=-83T9Gpp$aajfT9HQ&X;+3W9@L6G;FL~P7w;1c-&!gDd2kgZ*vklN0}Rd ze#YIs^Vx~fJnGF(qjuEZFFxTOVJn(!sV2=(DQTG|w|1!x#{EwvDC9P_=m0D}h53(cL`5K zJFzj2TBnP?F!YqNHemUME+?`o`ZmcXdW=zhE>JB`>0MDx|M;uk=2ty*VpL!&8c-^_ z8HF?~(n4fI>pWa1|0~`9syHh5cLBV>{`cFh?X>^T&hFOJhx^}$``?HA--r9(hx^~p z9sh%3ciq|IUQQ3Zl~w$+ip-@VX#JWBGOhx^qvl3_>HuImS~N%gM2=U@6}qn1f4~Uy z-u9MZ`xV&I{BUHp54}G$7jzMb;Ut~As;l%ERMaw4h1;MAnGz@Sjp^aLjGsIq9T1j_+17_N!J zEhCHGQBco>qeDh<~XIyUco{fNCg$wfGo6v1b=ah+q{YKD-i~KzZc!W6JKtp6=(V)bcb_R)z9INSB8{h4Ei>z@X~o@2>yZ-g>gV`y}oE{q)<1_%EMH z|MP|S79(1S;0;0|AV4sQ!2}uyo!Lh?COBr)zya zQSI}|dY^lV7?U>>chLLXgW~6YG(WeG9D^U-hvw(LR6n1n`>~ZjIocneQh=PmEH|3< zmjBx5fHH3^O$^HuDWy#~3?`Q_ml>T8`t@dYL!+cfIb;=*FIbXbS~kYoSSnEP0_bFS zGML5q|0?hyAutka2W!9pDZ_d-8X61vdH~K9$jF%JqjAce&Z!z6AOF);;{Zh=jYS90sBP2 zo=Kk77)Osmc*p`gAJTE{=NEQ28Pd~q2PxML>;!@q&nA=c6y)UyFq(2Q({?L>{}W~D zbSK~&f!~}B&)KE^ZP)r}U0ie15LhCFOj~Pr*Jy8>y9w7QGN$fV{%a^J0$wZ8j{j=;#~R|_cGqsWfX8xCfzNC zo&4UE45JH*XA0Xb^|h6Ca~}hEd_fm2l&!`@cT~q|bDYQlL8vZKA55SF)mn&SA_sps zTWhBc*%=i)1ySh&FA*FaF_?31HbIK4z+F#~w6bL~I~L2ozVGgn3PLAAIu{1lGMpqP{ zGYSViTAUS}G1N4^m3Q>e#GPb^$5h_XCfqLjx8!{L5)lclu8BU89(*=sM-z&k?Lgx9 zSY8Y-;&f_ocA!gr)N>&~!Q9WyrJX(sJj5*pC53X{dMuc?2%MVBxxlc}TzF>tOv8RS z4M#{?>Cgq_bEn^XJ3{oGOyTct!d#ewuf5gT9F^VU<0VGnED%BA+C=D)I=^iEbX?y< z529

|m7GIXO+Ll0Ro>06}xqZ2TquP!r~KTmvP*))37kJ@lmrih z0AmJWHZp7R>DlM%GFb1(R2=c-s)^y+P^hZ@DA7F3Hn~RrR^_ef1tG?;{Uv0*7cvZ{ zOu<-y?ipMshXiL~&ZiM@4TmASWQBO_AW^;wrklWekl^`0xZ^e@)Li%hIN#V>D+)jF zbRJ&MHzuvaeS5|{OEdG3g^;dXD= z`!;(T!Z939H@awBm4_j7TcNGfQsGtP^C2b;MaJhmB*Ds%7Ry(sBvIAxHuUs_OAe&F ztsdZ1JnLetnuQA{?cA!@$mIVLsxIDjv2NShKDBzQj&?4CYdlM*<6rP_{XG4gjqcD> zg9s|fP~%X^Y5H4WG)BPLOO4x&0!@Vho(+KG&A`M^6mDSp;;0w$ogxZunKPZkv;fvf z7W!Ka@Ms)JCT3vlqJBiVT^%AQfsvM9B~=~_5}!z@Lt>#64<^c7mL|5SP~btr8sfDB z$3|o607zIc8ze<6$tU5)0A|5wz=gBthRaif%bU|Srq8(Jq`_zj7f>dWP^caZm19-~ zG_uY3JQ{7{8+W>=7gt_wIt@sXpyL$b6jFRT_*Z}PNs~p{LFP;o9@R1o6->~xqX{lK zWnPJHG%)Baa4qG}FoV@<6<|_^l?{scm6|%QL`VN*|V3@T0 z1szXrxdlEEDaVsr5xxV~m6(8VHtHdt9IITay(ku+*04tqh%PHNEUG}3#!Y5%exU0} zMOZaQ>YXEsZJ|bTyZq@hf@APC@Hxv#^;PzkTh0@++ZZh{m5Y(13JN1mcXSkqlW=P` z`J@RWXg;)wZhgPUq&W@TdE#1fKRKIHL_uNxX_`( zC0sU()#OVr4S>-)DE?IPxjMDDA>Q0L?g^o`UGvk9gfJ1F&L^v(K2jcDAjEGhzB~IOvg93+Qn^z?qUV9 z^JxzJE;2!1sR*-8M5B8^1OR(~-2DNY4F$_Bx>uqrI-SRfFr1>(@>z(QVXa_g#cUquJ`Mjdi^v_0R)~Ops&rwnpY7O|MEt~kROmp~xS4Ap zI9l)@D-={-@c8BS&@H6Bhb{G=v!(upL~bz$b!Bd|t>=r}LHsEaH#a@_Tzj-YWN(GM zlgy@E_EaB**Ys&Kyw)t7pzd7#;TqeWnt)&zajm&s<4~DtJ{suQ zCyH;>qkAB|H8``z7bNkKs?!zI(xlOvhFgkp1xgu8Au9RIMDkRVbsw{I;R?BL0D<1& zhPd($NZqob^)MJvqR+Yzw$;0`Bw+wfPyi3dUddASBq-mhOQ}IPx&T%PK4B@<>0dO$ zKo3W{3P7cPl!kC30eMF2qMXfUKCmVwR{m|!lkZ^D&Qm#wS_#csOO#ZBOdiWtw=c)n z-XK6*+rXLxH8Gy%R#cCHWFa#UQPv!l?j=g3Q+W8Q*`fR=fCf=7oGNo385h+RQpCyb z#FU46nxG}mxpW@R^9xvS-Bf@l+~CGqx_A~P!8sJgWM067u&q2AX1<{*;p`@|CYXEV zVl0S$HY4lWZ-1k`+#YrCp6*t#NkH+rYSmmT1Z9DsOsjbl*lN^u znN}Ih??BUp15K?id=+~a5!yuunygHK@;Z~wY^-W3rDC|U&$kCaJ2Gf4O&YuNf!RQyOz=pbHJwm3569rRJ zF*#8F8?k1x+y-7Z!*z>!I(a+OlrI!KEL$tqzQwb1Q7c}#SKYT}coCVy*gS$n4TafMfbTN4gm=SA;|p@p;x`v<7-r- z5ddKAl!>I}J&99^w;PeR-eG>ehg*yYcyUJ(BwkbG{? z7o3Q?C)bF+%sri5U>8CyA=X@Pz?6>iDH4J)xE@!VAtvgNIzf$=ky8g15f)sa(q`aPC+#hUz zgK0z7H+Rl!@vJSVp}b9VZ*@;5++$#9d;ixRgu0LK82N!~LOtbqj^%{|` zA5&bdG+tA{;|2=+u_*1%$zcu}$86=!^)qH;7UMRVD~j@~aDOX>X3n>i{S}%*JYyK@ zUJ*nYg~= zFkkeoE_dnb+b-9(A+}{o(Vcnv1xMDK!Kb@V{X}8AVzAfMqUW6*HKlkXB{upsdr5M0 zcSib6G^&t<22e(`q1O?EbLAO{bR|Ixg~V3-Rb;nK#q!kF2wJJ&uYzbm?wSBRD-#Zb z7^U4F`|ldVZuWC!l^`QF*YwCsNnE2Q0?}2l<4mN0$vEtjUUyqio6lXN=_#A=M3%z>fBfFER^zyc>LN;p=Eh|9WVA(cQ0M@;A3>j)M%mFGS1kp13* ztMGN6RC!RiF@FmHeL?pLXDcjkVQ?#i*NE<}KoPbJj%}rPhBh0+?xt+bd(kLoGq4>y z8YfL=30+pDKZDJb{~aq;;5B}kjMLx29-H?aJ4ok$4b_7QW3c?RZW^{RFyQ0hamCxA zU+0h6ASjm&-*R@Q+LlE-(!C3y{Wl_Bg}}`~HX0~0NceCGd+$6{dJ>GBYVOZqd*!3+ zBAX4yQ=Mp#*G-gjvKsn{=9r&&qUPEv0w1=aT{J0r3{wExicyeW-Sp_mh)C(-Maj|| z0PPWd{ryYzgME^+H7CIhIx%{O$og5F2hc+YlJli9aI2h4qWkwOsge)k;BCMIB8|OqWvI(BUHWZ@+UcUPa zTxS-nucJaxjoXC_eO>Rm?00pD{j69p&!E>V|1HdVKO<5Men+eTbSN~u&9R18g1(uO zS{%=YNGFxD09OZE)-FC;SY`PhZIZc>R4kIW-*w+U-=xpz@3-HL-aeOlcoAgY!04YR?md@R+nEGqL8)BF?$ZrP`i@4=}|2#Ddt+uEoCZ@#iOM!uKAQV zNOgDvtBrQ@j$%TSc{~2smw~Pj!Q5TrADU_>lLRJE{e>am92~b%g6_Uc;^d74y)e7$+$ts*qU3Ux6>a|V*px)(Si=)R@CzSZS}_x3tq3wOR7R*goniDVcE-82s1 z#;d{;FYdHEy{H@6Jrgwua>G|)nqt(TD1s?_c!Slb0A)QJlQPVwHWHn*Mj8e{ZB1l- z3KxV8wqpyCD_JXi4rnFDW6oLA-L9Bb8&bGjCY6t|bnCGwot?|GEDYSqC(GUx%P5z2J~`wyPTj=koL8T+CqC_3P0hq2 zZ{hrzSQuB!CgK4(N>JX$PxGgyfe3WI3Jx@6%q=gL1=(my9>&Q?#>{=Ex`t#gpc$hO zqNGy0j^a@G9?k_L)0>(^_*`Y3yw&Awt=F^ALatTP_p{4m$+YXI?qY=$Gi0YSE;rY% z=~zwb5-}B_$6Q2cTNhOKr@@=$+Ks~e5uH(J@ zmreYX=Hqvpd+&4%?~Z;t*x0Uap^0V0aw>+LoxdGMVM0-Y@46lEYfnWmWX!i4H)DH(BFEqTHrG4Em^e@9Ms)@R8d1Eu5Z@VH)crx}N|!cJ?^d zrGxRsoz34oVXM&031r9#h1rOPMi@~}cDir#)`%BF&5{m(G@i&$>2W^RvLm{!;vkF- zta-VQbrYs7wE~%Yncr{9(-d?e51BiwbEYyc>I|C)!2yGw9LtORzf&xl{8%$S8f5!M za=o2}KJ&^-B)2V*mgbo6l^4e7V2g%epKsgl`Ib4}BuY6AaO_QhV2-ClQuU5!u|!Yj zI7}h`iZjC<_PmpkzJWh(ylPt+z5tbI4Ke=LYPV-ptVE4I`RJ{{X$AUCN3! zTI9y5OIS`e z!5Rb?bm@h}F4m!Ym5`cZpd}dKD9#sNeUynzR6Wrni8&l>@(jkHDLFictO^RN`3u0qp~BnliSF`)}(u@aT8O~Z=_ zO&?XnFBBZ9i)#Vj2=Yg3PV`)UzBoMU{0CdMf5@dUp6Brwx5-L3IMKQki5f}{JXJC)bb<%8vTvVhz8RP?A7a(~56^d%X|Qu}YS-TL+CMid_}2zf5|frCw}&=T%gx#__z(?&HWHgb zhZ&NO9tp*4KO1``c6Ff%Mnb|yS9D&LSdRdgQ-1#5Dg$cFj!?wozP`FYz;&ot6sRtiuNe{JG2t z8oWjq>SmaeFj)Wz(8)+y%u1#*`j}>lILIL~I?TRZ<9Pw(Wk#D88)6VZUDohvjVSdR z&CZ&HBcX2cEtxo#jYk_K9EzK#P;RYYX0H#55J^CNn4dN20ML8#HPRQ?QQQrtcmU&k zX^cw^(Z+^#1ya_7?N^m$e(}_+A#!hE4N2g&;vKDF$LLKof{~@uj^W!}{w&veLgk-R zCI+^B!Auf(S)oFmS=Bh6FE=?h(VfGS`!?QJS~yP^d*?*i>OdYj%eg?-AJw`Lj5g z-C`CqR%gLrV5=iA>U?bN1+grn;%u-9wg7{L0Gi0UY^j-6C1f^;wlK?UdsVBePbC78 z+A=D>0Jnl2xsL67e=;+i#t9|Mg)+=gkc5T;%ZF@cfTUG4PbyU;dsd5~7zIHR2jBlc zdw;sv){P_#p!3&!iW9YCiw?DVN!p6tmL=NJMBA0*EMJ_DO_4_w$J~a8w5=rm-sir? zeX?5{)`PQ9qLid9&ve9tr2rHP1)xw139RVgK%htC;rnizwHQ5LNE#>RO(SuP&Xqe^ z0)z&oj#8a9Is#DyChpBMrfh0{k zuf_D-w*K$*hNrB7gs#ibQJJ&!&;{Aad8}V5jniejthUWh8|B-&SgwBysLx~aObBUg z+%4N%+hV{co5x_Znu`jaJtTYLKZlCJ4X<=xn)=Qv}rEZaFXu z7!ArUrgEpvV9zvJKd_59PrsEqN{2FXjLoNid$86*>(U!I&4tzR#h}frtUcP&6JKht z82STrIz1_xe!RNAkKF;&S|xXa`9whH9n0B>b@UMjFy7X{^BYz;)~=^Ka!3Ioq=sRn zC@Pt8iZkbz?se&?fJ$`?C~H9`Z((^ZRADsH8EIn6O?7F%90IOUNr?TvR2@eVmY2Um zSb4539pYq4xe3~AiRC%Z4O+pI)F11k!IVA8>IqzKnSCK}hssra-Z!d-$Y5+FRC(s^_iTi5kHZ3@LmbLXC!2yqrEEZl%GH z*BET+OkE!djVi9S9O@d~q@i02o$&tAJ%fc3MU6&l)SD*wzsje|KkyCvtfKz@*X_T* z&OeyprH9L_%MVx3J_nWk2fgLieA`%se@`Ag`mfa|YpYMz*WmB!*N<0MDSdTy?dyk6 z9{<?;_vO|pd0t1-T1dw zb1;m)ZPWL1PrjRMl(u{}elC?s(ku-lZzEH(WOz3D09)z?J!`edpJcm>ce+yyM%1OZ zww2)+0rZD$bYTZ+e6LawNE5ZczutcX{YetYdoBL$4yUKRZVPMgc3bfvArbUws$OSg z+r+@(a8lr|M6d9`OAK^FHfgM{?xgF>YpOi~Ne7Tc7%&WBEKgTedX7hl$=JMKgz;d8 ztIfsE(QmEtZDP3?!)Pf80!0-+?wovg@a81i-2XZHar5YCbN}S$4N{OowV)VJf8^1< zkFKClwFk~;g9(M=0SJ5bqpk0t%I3?R-JO%4aRje+PWJ1^$I+{Uqi8ca+&ntj*?P0P zc@!PKIXXNzt}jPqK`n?Tl!kDv5sl~2KFV!S54zjaXSttYqD2%#4j#vGD~7{rTN&BS zG?^&XW38}>h1QLTVvS8|;w(huo6a;N7&Fr~I6kzNYtiF1DAgRig9U>^lsE<$uexV= zSccpCxE8$}CKD{aw;8RjudS^vtvy^_i{2b>($0#zh$rylT_|fj31*_#k6|hakmIMJ=)_CANLJWR z$W2FiotrWp0O7VV%_J`HiDLPD!AiroCno{6A^5JSGZLd`anK_xb3ALrAJP1S9-zy0p$rycgM3KB+@KD%^mtYVb;bP|n$asR4q6cGa?v9j!4@A+k z=;&m#0lj~H^4%gk&{ZWSoXA9MzR&!*bWU0P? zuvg#1qGLibw|BC+v+Fm9eSY+_%lwTSU22*@F+XM`3rhpRSKSrgdchr8l=ypuDJq=@T~IunP0ArO(NQO)WL zFZ_bOcrkRbMq%4rjQ%3MOD!OUwamUuAFda5q^l&>h3(%HFW91M&6Tp7UVBp1wAO=$ z9cw&mFV-_##&Y>h7dFCj-PNiv3}<0uh10mx9W(}Ug7>-NrqZkd{}!x1UQf=TtUjh0 zogNW`r>+y3BM8_JbGz&HQ1={v*lT@}7fv;&=dcl|Qo0{%&q+7kAPLo?zXk&(4X?CW zCGQ4$b6}3Bb?Ui3blZhj?VDDO)qrdu&dw6RvNv8IIwt7`gvA+n7M=idXNcZ+#$z~C zB4l8eNj&ipT0!AobXvm^ki+?E&MNF2I`{5^D=xj(5Z$(7Os0M z%R-}zTquOHS_N7<$8)Y=V^Mn8eiq&1zSO)N1~1%@i&X70+}C^X$4ljkYpNGQ@TwIg zcNZx0F#Nd;Se8&R&!Wv&js5z`?#}-APW}i8;u#+LtTc+UkZ^K^G#{Q4N#QvZ<`DX| zD08;-9NjP8BbKzP=p9Rd<*aSF?W^-v{pjf6i20K}NZ?h`1N@J7{-t!eAJCQG^hfizCHS%QoF0@n z3?G&h)!o@S-wg8^@jsWu)Qrx+BJC#qX|#^;Oe6TOkc%qF!%>_&3MxDr!(P=I_V@@0 zToQOlgZZV1WYEHR(B>2G!}YJ9d?SglOQaJ4{}$)bEg8nHfTalF6%^35xe)ZxE- zJZRl<{)BB-8dEnfb{ue-CXcp$@S0?l)}%%LDr`}4dEFH1YxHcKyE(-5-K1>ppDyQe zd>rm+*Ki;n=%TmlKB)S=!$D{Cu3)%AnP!9Z>I->vcn)woy+q&c+>>TXO}F&ui)Wcb zlA{?iBRD1gu!&M-4U&`)tfOJ(+10_%Y1OA6misq;UQlS6wWOenCr~k43=;7+E{>RPe zf8cvK%z1OvmA7}JRD8PRc!!Lz?ZP0T^`ZGvCR=k)brdO96Urpv8i|M_yb z@>X*&9FXsV-AP-$?_XWfBH4jf7TPyMK| zf4E`kZ%_mXI{cBB3`lRiLql~@2{vy}q&@$OJD^|9>k>J$QOYOs7@wHzF5O#D^Z6M$ z)Zr!wX3fKroF~b;%_`hTF8Zg#UZN^lF2ABTWH)#=f=ZLKi0%D=69fMPOn1omYS^Ck zVii!G(H14mvzQ-Vr0OC^9I8bNZzpU#34Gwo-=-0v1-1#)J%2k`uv$m1ve>1&VAO@1 z5is*r=63=E4Tu@IjUFbw)e^H|8#KW5ip2Z#(*B+PDtqUtqXaO!X3w$<*LMwO0PJ(`r4F9X> z{@d02WJf(5vO5@w;(7O{?bnT?H~S|$d-cZl&QWQ`X?4m<

nV8XinE=;eK(%P(iMFFZ z{)pr`yoyQB>6&cype-Wx(*5bbgA$FAbO-KSkAu&Lmjhm6uq(^%fNRk}KV+L0E`@?% zuSh)-O4#a=N!%wM16%$e{s3$Q39{XQWV5?kYn4lr&!fbUg_0U4Mynn+j4Q(ugO zNcy>!jq@abD2c7L#b*}S0o7259fr-cJS!_(ufhUD%OX9-o*83LiyVi8hP-kpy#<6z zBk3(Y7f}xe!`($m`R4w?e&ZO`Gbwwz3@AaNPhbwJ>fPiERgj@Ff{5GSp$?3 zJwL8@OKT3#s6g-ChNfI<2+lKbd1^P5$j`{C;WE@ZUlaty)3G8ljy#lVo}F9*D0+N>4n}4R@TF+I9w;(QxjFv9(h;!r(-?2q(gP zT5)?!dRGqO)*q&JW<*^kVIF1Gt3%PK6tf_g?7LH5oomc zPBT<@ZTKoeKWy$+tu=GThie0u$h7_wngJH_yww7h z7tO-+y#2>snKth-Oky-ld}eqBPT-R77Z&-JCMu7r-s}ri<&jkhx-w)H;<=fGRX|y= zeCgNz%YyaBOq<{1G#EJ-cpGhKrep>^QY}ZI+BOn3*J&J83LZA-U9b^-o5PM?m>K8kp&64#vs7x0!IpU<2m>*(p69xuHT%MxLwV)w`1R=ks_ zx;QwbsZW~9?m+^$vJgjKS}cjmJzG)|s3;s(S9QcOfy!Mw5MKlMPs5*Q$LX1+P^3lphMnjwxXNhVn8;K`_ z|HFT<|Az*hK6j2!8s8ax06Q`Ca_>ll(HWY4A4Vsn8?LAq^B)Z2kCRaPXdJ(1A6cq# z%tP5V6@Wu%bh&?TD|dd6=JF39-C4%|<7ulFEn}DQ=WHPKU2bO*k2$u@csT8xV=x19 z_k~*?1`Cq#%_=N;7f{}hK8Q!yr$U=4Ja!2x3WMajNFLPyMk8**ZAWF-s2w~JqMix= zyk_AbiKMRNq#8926LP4p&?x3>z#y(pNS))X)zYalc~ z4eZAvmBRE|L_IAtOHil$1aULzS*np0#>b4=DltI{Kmgwx`4eQ#rZ;UVxcI}FL*qw} zCyYF*r_>xY7E<2wXliH_bYtnFnF*rOT-G^Ft$q4XtG}Bl0S!A@A1MFJq`M$J!hJ}$ z-)y%RtK=HdPHNzugW?(@F`PtN@ybDb_HeK+HW?mLEi(K#Jv=5D?!6AfKwh-dcImi3np^~$*FG4raVk`< zVU$lA6sV?u9FE`NX_dDB(^!f1D4Ie!;>p4gtSq~JU{n53i-KFSva$;9<1{RuL|F|0 z2zBG*4|=i4eoskKh`0JXjC)<|gF?d&ZFIPJQp*X?MC2xf9O$DbS;MD==cZ2<%pbj% zWk^IxHI%2PE-b=}y^3jSuGXkTdZj`68uhE1DzM0l4&iTa##9xoVvb@^Fb@v(Xe}1~qktXON+{`V)%Km70J?7vo5AE)fU z9zK3@EC2mV$$xFJ?qw~+N*aho+aIVveb9*kTARL>WBhtC95-9NSV6lL8Q+SGZ(Rn@ zY(bV~^3{iaPtwU0IiRFpU)P4Kob?xMHUU?^kgQFzOhhj_CMNwxd;C6nfdA226t2rT zT?T(NM=%7S8BAeOlmuJIsguOS4`-<|7>-iKD-CjaN$arDSY(ZDtU5&3mwW?A`c@UC zIs<_CfV;E*>R@qU_jnJZqD_JBFeDxj_BbN#dMF2HccoyWRBh-$3`7%sxA{Z8v3Ur~ zZtviza)&V%#t8xt>M>Q1>$^MqZ+=oX5zr~LqtQ@OSh9d*)p5{-<#~igq}Yy1jaI1; z0!WGMo5r9~v7nl&T-A5o;3(2#A5k~F2%3a2k)#FK#o`5qrr~Jao#tuWqX3MfE?k+T zkp=k+J=LP6ildi7qq;BRDQ+(WjRlyIrb96!ilYIX}jZ!i-XGA~;yr z=sSgiy5I+@)&D|Quj9SVlM{5^`77O2MGIeHS-Zc4b+NJ94+Se|i>7}dB?Ql34`1e4M>x6CTq3Z^RZZQ26w z&48m~4`Id9LZ-65YT<&hxJY>>R8m`RBZq#I7##{PYNBkQf~m8VF}0Yg(1X9h z@vOwgdNhZYDc}ODqbkT`F-TRViz#b9X0no74cIZH7n>ATW^HbZv=MQyJZ1Yl`!#l9 zmZ9X#vO?)0rGyofvrI6wI%0zkrm)3AYvViUyZ{IB(gU*GzF`fJJme7W7j=zv9WA+^t2`Q5Gj?pA&`ANidT))fiXy{}-{|oX!9R`~Q>GM-RRI z|Ka-M+xVZi`~U6!f4l$RzTXAj@0dMnHtj#|;nsTj$eyU}o?QQPpBnyl{nh51-IK=d z=F9qSv@jhIltB!qlk}sYjJSpyCkIO>RX=%!N^Q(ffkq~gh_A?!7M0vk`BE823-P_c zup;>HDNzJ|0de5gj!R&bh!$Eolj5uxm#CoZ3Mzhfy12vuz%s08Q78t2#~4&3Z>zHH zJ<>PAz^H*d4+46BIFU6@lskr@#prV&B1u0ic$BX;-^0qmbBd#?E>Re>kl~&9)caaP z1^`*D$w%#@j;bl4G1P`?P_Qv>epsZJqI*!d8j}B?X?a{HfO|wFV)x6od8A0cYOxrO zM8NIoNJlusCdGjmz+040`?f<$p#k|?+vNEG~wXNt1ufUD`nm|*h~n2w2i zAQGl5Q59G)qc}P0Z*HeOhZh8=Z(B)}Mm^9zTQG9k5w6W^v=qD~TwBjbCf9YROX$qH~^Xs-+9NIA$KSrpiTVGh6sM>ECN}`RA8Pb%) z=d3^rB5IeRyZkTvWhwpQ7*8-ktx>gPwBXu(Rg5Q@1ykM&vPA8&g1$^N{aJEzl4~nU z{a3U=bhrT6U05g<#?w0zG?d#yG4v95L`#3cyC$m zSI4lnihegpcXly5!t^~0*sa+Avy}fU<)HZp01EVfAFVxF_3!_WRv+Eo|8M60AF0W{ z4gYW({^2(K!(Tr9!wky1*Kln&3BWXx*iC}-WCOZ_cito`n1gqrSIoz{(bM4)mSRv# z73UGoKe2bgXg1ZsM%41GJVH$4EN;T-CQiI^Y92N>8*o5x93CCK+S#pBNQxzWt6P#I z{z69a#@6fotTiY(^)pn_`s7D7K(}+j3I?u|2exPh}Ft znlgR_lIqYkNrkNVFdV|9df74BJ0m~J- zf~$HkB?($ThN-;Z5h{8LH_y%K=@BQl)a&iN!b`jyuf(dS-zW4yTciSVV-9J+n+|IB3PTq>i|~UXV@ncl zhEGY%6X;#e(#1_44+AVWUL?Iwf-Y0a3du}bBV0Wq1RFU5FjxGA!6aehR{4umEtdD> zNw*ymtQX4DVZjJy^=_@`R!0^wC;5Pl#1wCT{pN)VP0qLC4{`KA_`b#ysd1%ECAcGS zh;c>j_UYHwY-bsC)29V}JdQ@t3F?XT!r9SR<;bH3HZ!9%cnC12Dh?yacNBl&F#xVU z#P<;y;#*uXlN$LkvRI^Lal+hDJH)5n8{TXx6^5pb8&v;nlaEzx zz#yBo>a9k;={CwZ@U4rxrQ29uuuK{3Haz`zzd-ms$9~Q+ffMisXU_pUxL30qxC*ib z2S2!E7386tVycwQ_^nr>FY<0-)iiOt`-h2?_T%Q!KH6HghUi>x5*uEw%#PrmL4qs3 zlrGp7G}b!CW8w$6kt;Z^A<)hliSXz&c@ceRvhyR_i; zg|;Nhdn(jMbXjkO{;fajr7(M=$a*TwJ{M%a6=qn&>!WH)MiF=_bmVPo*4v>C{Pywi z@9h8Qe6CMpIr_g3*B+()|2(N(W7Wi{1?rs@x8d`|t!A`r}M2f!kxcPTG|B-$` zYu-nr%=6#FM{wACn2P`N@YeqOuXX;rjsJ6d7`#0U{@KQ0&GD$Y0_8kKuXY!86Wp|b z>KKK2b(1=`b2A%GcQf7LXJe?$Xo=s<9 zJaab{qm7qP7;K(3ApN7KGuRw?Dt@ibcsL!UH4BS%4JoY`2NN6mCS$V52~@GV;z~+o zQQ~!`5)-tW>3e+-+^P_%gZbBdj++hbSV$o?#|1t%|oww zpxx$ax7W?6bNush$x*Dr#+-(k~9E(WNZs{XCPY3dl3=Kj`qM+f@{Z;qo+H7ZXB5dIh^FN|Ea#^G~H|dcEL^G(eQRR|Ig0~J5mf?K&Fwix4FNKVbQIE zgQ1J?)hu)mhAw(mvycM?9rUbbA!jgjN4=Ug=E2Y%&RX_h#&OSTnhPG)cQ-xs42F2P zY)w>Ip~jP=ovjltYYI-g?Q|cH-|TEVeH?q_XsGcI>cW;T==4w(4D=BrA`x4O+=8SM z?=(Ghs8$u+KG@&=+3n*8x8Pb?5V1=D$~X>~z}cv!W}ju+wR~&sJGe*zUB|XS=K}>~z}ivrFOL z6s9LIXBzcRrGCit`R70E6YSU@1};HER%7eCgCF-p%)Qxa;E8(NZL3jZ@$Jp6#=#Hu zqobYex?h}*9SLl#t#hoQiXYWCw;RXx&7-aFbn!FjOFVXZgT-G#U+PEc&YUH1e{QFX zAJeXsLpGX)CJiq*R*S+F$>%#2KH`_ZW#OC-!K5fH& z0GXjP*QS&OM9DWjSU(=^oYXB~B%xK%ykdpG04FC$2fG$Hyp4{BJ+uCuf-X2=VP|0$ z_A11}`r)l(FJtS#;sNT#;y(3SV}lvrJ$S8X0*NY3s6b=X@Z_xWJ*L`aDpeBiAvqM%q*0%{lG76XiKf_2OKCY$3_#=kO;8sbZ z9Eh4>!lC@Q^Q!(6oHe!)F3He;#BY4vcyr8Y#>6JOA*8rz!oClE00qs%O4#4rl@5g3 zk*AyqD=ffj8Z>*-(nU;iAES z`eC@%>?%pz;`ehWk>H1lBRFn_zaL;9^jZY6fMu1`qHfK%`#+1dOxp@1BjJqjj~%ni z?zA?KWy6vB$GA0};Ohi;Qhd(Q;xI26oLCccqi8`!g2zP~uJKeSLzP%El5IKVo4r*J zC@&7wFyV;W5n_ytmf-I%-CsAN?pI$`CA1UT{Yz9H$(9gG6`hUGS3vGZo4dR9{Y92G zR|S<6Z`*^zeX&c3T@@C49_{SICcXKS9cZln>gCSs?5WUksH{d5Sr7@EcKl)`idZvX zmkRgT?=r0zCN{%=v6^PMYV)wF?jOKWCztYstZio$iUA_<8q55VQ>y>ZBCJ|uV@gP@ zGs6i>c%Z3=gqOhvf*l!3K1I}R0kzZ|?@ zTu{$&jgy}b>k9@GH3@l@GCIrjZVBMJfi^8aIgLKG^Kh9@n={b`JIzEE>3`@k&eFH+vmjb;KEf)v{y*O+7jkwK?I)lwXP_ zzS>eXF=j(X2xLn?ep&sMZFkcF-~yOMv7L~SR909Gp!HIC6~wBBc}R0waPz3Xe?pE|usMyt5CThK zQ1AwbOAnPBdnS%vusvxkfJDY(c{FChPKV4hh#H+=B)3>9!qWSAa_(VCmU2uRER|f> z^to=+XBIx|^&{*-jJw;l;u0E?(Z+IDnhzd*xSuugXj}c_6RsD&G~%;Kw4^Q#p;(`C zl>5qDEI8#JvS_4&k?VjPeq!_aqkJ7lJEc_p`c^Tsr#v=N#XW1lf#G&A&AnjxTDc z2|1wf+|k|NxyYxLWi;k`7sn%7ANXd5E9Z<2W5`36@`;kt%7hNpNd7oRqmYT0do~{S z;igOOFBL2@ujyS-3kf-wBQJC41?zk|X%9aPmZ1!=x_4BZJ#rcMSy3`XNP{6eM;r}% zy(x7K26~RF$^+8wl#tj02(tHI9h2CStUt%VO`&H9fqWW46X=Mu7js=bH53Pfl*aAk zbuj=r$1$KoC1%#A82)82h}(AIrXc&Q9W6e81{*3={h$g)-3e==BEgvnba*HyX})MY zYEgFcG~ohJ`4^)3W+DFx#Pyp@%GNqVzQh}P_H4b z7S>;P+}7yjZzH=FDQu%N)Wj?y-1=>x>1M*rO@T`>IP&I0(tWr6gT~fTee)#x1AZNC z|9Di3V5C33IX;3E_;m!oRBPhc$MWLWHt0SR3Rpzax|gK-n5stG!&$O?)<8=VqLWw0 zjpH|m^&=R->zyseuL$aom?(G!*2u3SFG^fIFc4ng`XpnI(Vi1*n&yP(CbrbS#MUzkxc9gATcn%9YbXgp~}V$gLyWPg9OWVIZd zjKrGlb^~3D0iVSm;%%$f?6`|LaSuN2n%w4HU{nuRe8?ceIvrUn_&qM+Q%G|m=`ImS zTZsJytv*a@yGaUzSixPB(8eMy$I~1NQPqg-sL^|tHmPx#mYf3pU;)l&O-_-TI(`1* znaSVCs=QtQA+IiEXH;dK)a<&PpV=-_NM6I3Z%6F$>ywTvqc2#W@;5RnD?R6&`l?76 zgi`0u1fU9pt1DIF%<8H@xVoj~n+d@xW3O&5;Ze7;$nZ!}z1up^w)pVJYZUD$_-C>h z_OB2rQ-{Ryz`*APe01U;dWXi>C0d-e4vIQ$_M4N|c>~?CZ#XGzN^!?=vB8>PekxjU z;By@s5PMm`$$=qbYJi{kh1rrgq4z>DTo61cO=fh?cm&6@B|4v>t|VKcpsnQcaT>%>w#r^6_BHdHH}cpm|17uvaz0cfx$C|j%gD(>9(5FL;!Rr_aSAPTp&?+ zlc>!Scm{Api5?Q(F9?DV5Mlrw-@_lAo`>rIkP4tP(BDbiv-#%a0R3QY!9nBr`sOL&f5KhYwmtNrChc9Li*R*{c9v1)&0vY-R$nqdFfso_E*|5+F2zl z@4IkPZuVpgxFOot-Ouh!RtIytKWDywZNyWe`vKx%+W#ZHFltWsLsJ)=&e^-4Uqk0! zl6c_q>nlKdcj4}@%hsLUycJVesOI~)-5_^K=}ULt+`9dHyF{5Xd3@8il2Kfu#b(M=+IzP>~cXB-L!`qt%6kYL~LRk{%ygtg$;u&A2k+z zLuWLdr$?@ecnczck-ic{=LpOha?PHBno=!+f9c_{yqq2js1s)~X9gjK>XY1zBaidH zzR3I1Wkqae7cM;+>J=;tu_RKbXCaK6$GOj%>*zdL@kl;Y*nmrfmSGwH`NoeWZ?P#vNsJk zS`*Y)HO2VEM&BUWL)9Vu z|M}^!4vx0S%;pZiP?4`md`laiMeGetaEM$7CyWJqT?}W_odCYj;0fQEB_RmD7tjsWR%+OS)i;gCn9CS<~)d7lBxKox6 zMvI$+Hbr+mk1w3aG5zjGlw__zqbnb3x}ggki3mSGj(Xiz7iGLkcKVcREmxz1lY{SS z0@qS$051Ga#I7F7+7d6%8Y}~=DS@f(0@t^ETQyPOtKKEM6AMd51j-SG6xBUT5i1&3;np`a2W8Q{u-RL|+f*Sb% zx`PJfVzosNO@4hh=8+HQi$XvG#Kc@G!Vq`ZTEA|a|4LOm`Z0Q%W({~Ecl$mANScKp zT*}eF^;ss1Loq9<*scHZEL=*T{=SeWE5IEwo5paIEIsEfGmxb=U&&IRvz$Rx73pHN z#O6Vlma}Aq`|)-mI}%ec2oIglA$`;kzn1ECPd=ju^260Ql$UUw=LV9~inQo7jettQ zrRV6iO4Qg`StgZJ4QjDuDb}*1UTy``w1Pw$Zgw0a)SWF2B!x#p7hD^Gko%}@k@ztH zhP^h<`$i}-fMqAknIU-ghvh#>~Upwfk#G&6&dpOH&jFmo=WC>I&*US|?#1_0n_U2I|wf zi~!9kqAga0ay6mwv~-L(qTry|##wia2U%9~VU0gL2scG*4=!Ge0DZuR>wCTa)6VgU6*kZu z{f`b_9V;Dt4#1bv4d*qzY`xT@LKQI2N!+&s7pnt&w$YIT(5dQjU0bo7yE4bBgA933?i`peyHF9%`?!wDDt)ex5zYu=Go;MI&mX_)j;s*d)R1F0I!XuVt;m=WHLNlx{$nXra# z-ym1S!G`r`0zA-Xn&_6OJ2)Fg4-gEpB|b;smsVwkk9HStqnNt%9Daw{DLIt&Ic&ua zL}?va{0-jcyWCd4`O&r#u{thZkWKHg^IQr3I}1Z4b_#XK@V@JiUbf|k4I{uVu`;90 z$n|8AV`~_*gIg3Cp4U&oqwcDFSM6xP(s9@hRNuKldkp0Up`fP(dZuUOlgf1KxUuu< zsQxmp)-u^_DF&#z6y|}ZU!sg^%4T-K7UcxHAo}WMc(8>RI=KVld2iJn zM{8Gd{A(U3R`bkI{T&8XzI;b)+JiOFEwarDg@kuX$}|$_$=f~ zrxhVjn{=;{Qq>ti_bEslC1_CqDHJU|4`3hvaVz-*>mC8LZuDq4n)b;32QFn1lYC(P zGSd^9ga?sgQ~UhA;xEp!E3=Bxo+OSsp2W_YlV*?P+C(n`d6r{J&T_cSTFAJU-v2VW zzw{jc>yT)aP4kx|dIQlsXLzR~YnNQcEtGtUTQI8b3rC$!#0drq9(1DVC~}V~5kEBK zT(kL3`KmkM=r$IlFMpeA%J_EwdBksxi%FG-#9L@8T&_AnC{IE~hX^_0bvFV!@Wsc7 zio_Zx4ZML8>RI8QRnT|cVc*V$P6&E)cU^b@TX>+eswma8hfT9*vV;CTuIK1M#L#ah z6EfCYs=wUaezl>}$uX~!%nL~3A}rpsYS*HBrjB|yHvgT$XN0U@>@m=dc~7(OPIJue zquMbB@5Z^MiE*hDuy=CuvtA_Jds!Zh@uJ;fYh}rNS?i>H=b^;78w1uzq=MFPJd8*= zIiA~KglB9Kw%XK={f;7Yde+9rNxaeWWYYJ7@{Q!|%+6#Q)Kt~Y`cN$RdU5le(orVc zoOaA+m8eZEv5t)7+PW^EwHvJ-xmsUz+k%@z3dNQ1kpo3vueKXoyKH*Hd=mNh4PZh3DZ?`>A5UVlNp_sIdr6BUN07RQ}TX8B25 z(Z`Dh9UJZ*!5ST*YcucUNnu%W?XDeDrm`)N02p&gUnAe1Pd;=z{RDp|Q@*m`FJ zL64#hO#Ee4U#Ro9$}+ToEkXKOJNae(*Nw|=aaeuzSLXd{+BZzrn$Dt0w0Hm=KTZ?$ zFFm1HRXi_HX%UB7lfKoWb+y^826@9NEWvjKS9`7CftBXj$WF8)I0^z4Q%HtV3|zls zTYU;YEI^~eB}5KqnlX$*9<=PC6jm}8>f#o{qj%o*Q%Af^I-i}sZKsazk&;f3p~shO zrcNK@irHrJb(2(h{eh0mQ%V%wXUCy-ME4;*enk4|usH{%Za z5mB88-8@2G)!ZwFR$TJ0ENfXCZt!XBZCc1myJ)ae&Wx?Pj!nGn&*Fh0f`%i~e^2q1 zi_fo3d4T{XhgTno8hTf*;463OfQXA6E*tVH#P{uU3OkDS#MBSCwGTV^LV;m7`B?&u ztfGrpd;?eu$(Srcig2|}@ayn15S7JKdB_bVWp!Y8YM#l9yNq6U4deT5+u58~g&)_-&<2a@NuH79QAI25(>?TM%+vwj&GBPyRComotlg)d}R$2v$($w&qUR@ zb69y#wI2#v+iI~_eSS!CKEn>vXC%$3`OelreGFgCLSo`^k}zQWqtn=o{D0i@;-yhI z?af^;_296+A5>&H>-KuyDdNg1Eb3q&D+g;#6W9pwRUl%8G-m{v%+qzNBOxwJE0|ou zzYcK9ZU-H^)S~~v^PQs_f~dk1oDvRy0UV`4yfHD)uJ)x@RzJU~q>n?bS1TvQ{**DeJilR@Am>AfY1&ZYCGV63}<&vb^uP6ZOmm zitMZEy{HvdvS*jn#bQ>?g=5T8bUvAklBX*xo$h3reNHS7$DNhY^mHX@^;bA7J!fE< z6*xG&Z}!>==PY9qdg6pX|LV4%J%0Sp$4^cl|FeDe@ZpoQCtpAOrrrGK+LQL_>Erd) z(MqZuTf9 zHH!I6U(Tija%tJ@$!O#iojXrjjN|T57*Lf$Q?va8S!A@-)6co8XD?eevOt>*G%O$u zM>yOYFFj%uw0y;f`pc=%xIWzq6bbqH=@kr~oSKN@iS{+b4k&r#8)rEyG!btYg*+0u39<;3YmY^OX-%$^r>6_httUIj7K8NGZ`h2Ad}m zcwzJmJdjDX1>#fjxLf+%EHjV(iODxqd*J z(MjS;)oRhJ#=-aY8QKIV3U!EK7|Vj?XzM&izeE$%vlhcvPpre@yO7NS&IIYg(#$lv zgYLu;-G6}vGQ{YN7@4ayVM>rFw%tqwwBq-Jzr(GbRu z3TU>oU*E0o8`r!8gaThW_S+rf?-!N5?eSqx2P(t%t?PN#r83#e6@$z6-dh_p70)Ks z);Y@VfPZEC-yLLvfGzz;R1}%^+H^u8zjfNT6Fzoy>F6>ZB&-N1wvXrouJtaa2T~G0 zvTfvPOn%SWo^+8`(120lGFr_W%|<+<*w`gdWVy{G1sT=*H4bu7;^w*|;9h48K*F%k zI0k34Sjd{96IAjU_Ikq)c+zU&w%+Q+O_&pOQ!s!@qabwR6M?@bG7;Z!q%55iw2zP5+(o1E1Voz% zRg7!mr|(c)&%`>%u^Z;~_d|2~5V#Lhq0^SWAerogTk zm&XnM#INQ1spv%`)D5SVY22QN1QLF6@<*0kMeGI$#p`Huv$uZ&_so;ct?$wzB|(kM zK1IdT?G{!~@hPPB4eJtNRJ8(}D8f(JGK5nqr6mu0p$08)ptL^r~OADC#c9%jn+* zDFEnvI9S4mp=dDepTg<__+$b;Ceq= z#QR&f*^9=_J_e02R;d&o<2a6^?O|(*F`a0Ete67H3e{PXGcW?8gyqRcc5>6~LBDZb z!E&HzCj;I;lkQ~7!c^(?{%{gA?L=YTO=(Kr?-bltnc3BObZ*dV4=zqXNaaFoURfg}H z^zJkwkI=F-@Nu2ZWOT=dbZRoQT#Mr6&a(7uWpI|P^e=cmsSQfPsWqOQd3KRwtJPyq zdrd%1&T)9;(&b_}C0bH;K?(e3P)kcBjdGf`KLi#VYx_D)6oXkayu8pSK(caY!Y?3L zxe+a`)huWi(u3gEX)B|Iw^3dfrirt} zy@E>gm5feWyCHRSI2~tn)*>U==iwNZvDp{(*n(5d#oy+H`3@}^T3bL9ONxzJ9Crej z3Rtqz^(EO>hTavYJ0ZVG)|N%szu)G8cPF$C-8yfS7wd&Z`|8nNUzK!V z2$EVfWqi&yuxjaU!wdsX8+4da?-sTOi6wkAn6fi1{QC0rPhnNBZoAQMj-m%=utVc7 zxbHOv38cbwk1sMpo)~Y7+NWu^ZKaZ`QnyVm>-Y~FXc}PT@Z&+(dUR18>2u&lHxY)2 zf0elmv618R;ds)TPTZJ{_xVt+lo#cOipcG@tyr*}pyE^QY*RSnh6yo57&Q+%fRZWq zMPH@UwO{Ad?x@-{*VcZu+7gsxeKbn+#c@qyVLnyDl zxOSrtTO0iSW&QCJBOK>MY$o~T@vo)^d*ck$guyIyP${DZ9HI;K-yF2!+Gx`MNZQ4# zPo6xf$*=X*g$>7yVKljDpbgWvntEiN@AHv`n~M}wexbK+R7rP0Pofc)vTS%nVTv_y z9>(g|j~~xXxgKE# z73_V%JP|XtgA+{sv)2R}ySXzX1O6hv;##^Qa0oBHEP+^%khE@Zz6e5HXQ&~vOLZ#@ z;bAs}GW|m%Dj(#dU#WO2G$^43Ce08#u#`~be99#j zYLQJwCRO`Y=QFEvs7~#My^Ps{+!-FQ0=*5!owu0 z$f5vDFwp-<(h7T}jj4uSYWC=;q%V@EH9Wie)*tFs@Nl;7S73 zE`;^T;WX`OzklJ48s&6GU&pW^MIBVqWkRT;Wnm^mQ|qeM5!Bc8u-yKNB3T~gXf4)R z0ahH%FQ%}kzV91@%%$fp&Z6|)(8;%!Abse!)%2V27pVMbPrv7^#eoaM;x}P4&h)-+ z2uj8{fs;MT3MuNH<9V>D#wsdpdD>njyYk6dmK?)5K$#zmnjr2?&46I3?sPA(Sd!I-~254Zp5 zs)({bA2$x`N5=>Io3Ok7-1v?FbwG;0aU!*F_gPvCd%(3DQjN^w+}5hkgI)djsM;>k)Lp`8rn_o|xV%eah}R{^NyHw~rIIh%Jv-|FT^aWp2unQb$4dXC06F@NkF zE#7yB)1;z(k*RV? z!STYTm_je6*Cc#4UHr0LRmvm69F(j)o;ZHNG~a}?#1tp;J#?mn9$~ccKqO{f7$pLK zDn%ZON+PD7D7zwrPMYt~!jqKh&x~6c8_&LRXMrmD6%Qzi@Emra3^pD4C*17~-HRuk zly%iiJgUzs&Z}Pz6-PFH_tKzik#0TZlRMpEOL^R>mhGx8Z|UV~hWb%B7QCLi2C;c+ znvGJeAi`wEoQ&$hjB&@%yCx=n6OpW@*!Kynu9)M|5R>mJhyTav?jmh@jSOQ z0<2?DS^wQOWhwWqS7h#K({Ephaw!2yz=GRbU{UHuqA?>~kg361qvTX@99s_kGjh}U8_xK|cd1zh0f@UuVb6!Cd%@wc1p}iEmTS8 zI}1C25|~X(cw|FQIfO1g9?fztib|e~Qs*J#)sYgM7wPmRS*b9oyRP?29X!@~b*xR% z44j-&j+$e%z$MYVM1Fu@wa5*x`9LD{$-^RgC*+MsVnEmr(rhOPK%xiz;f8jOg9%+= zz-WSvDulXNjd&8C7m#OjcsF*1bASq#AG)aTPrjH@Wd}7kpmh>K$wNaQW6#~w@X%u- zKo`#Qg}h2YiuQuY8sq~!4^sQ8u#P6A5~@|}k((cjA&2_OYT^$hP}H;N|6vY(xk0KP z=pa!}zH;H|xOr1yDR6wW`MR+p1nUd61uI-cum~fSi-@6>J~s)mVrEW6sMQ$2Qihwy|A4cgPuqAH=J$4TmF;zssJ7Kz;`s-#OcR3LaTXHf82sHc%SG$k@FZib z6oV!FV;){P@*S(vqwm2OveI4H5AFR^Z|1~ON#v8ds->D8I<3jHD&9Voq6 zGuEnFs-cx?IokztaF&vb=Wbb7n3WkgKT4A$#P`w zQ5lpN=|G}oXccWj8^F+wooblB;<&l6D80aG5vsfz7PNBe7~LC$4=olS?X|( zGBsi=5wyFBUJTAqtv}&VNn{lBA{nF$3#Q&{N7Totvr;{8{*Z>YG*cWo+Y;PN;#O&3!$ac z;#Qz=y&f$Sc;;`WnpiaHDJlm28pk~{I&eXFYU-9$2_^yU ze;px`RS~j9jKnzDz_*!pte$61Hcx(db?iikdk^QmsRpcqd@hdB_iD`Ifb}$^$6l6TU-!Yir{$@!_rCd#(kg>B& z3ug8)-mVE|U!y(D_CS!SWT2+s2mr*-dQn_sQ`2#E6{$h}OaC&)=V}BFK3275U-_uY z(q!qjd?7DIns=~gkXI#fjGu`&IFYfq%WM3DxK(_;5joqP`F>3fkLMIFnLvL5B3I2b{DMKsYd{tuFlF>mV73VP5`@<^=WAI zUUKT3);(;g;O7cux^c^@^mO@*(zvIrHKf80In}wpTp*|ZcKrvEJ)?VxJTOo$6N-he zaCL>X%wCXfOJ4I>V8f1_^NO;q_~swbsOihzw5IVG#UCf*ro`g5LM|*cxul^T_@R1K z^QJ+Jja5``v}M(9m6WRu*5qXSLbtZ^(&Q?I4=$uruJycned`XSnzezkt5rHCa2#&R zvt2pSCY-r$ZRc=bEP6=3ho?B--p_)0R-Ub~Vpfa1pACbRDWXOR7JHr*WhD+=X&gLMP znRR=(Gy7iTM1CT*5TO^}#S!aNDOB^9I%wtiv?_^LF&-0>MRUei&aG5b6^k|4IM2gm zVK~(Mrti$ws2e&}ixR1gcAyah+W`o(5!{Web@Ws%i%fB+<8H^8-9}_^;Je)^Lpf@R zrLR~<1#LlL2sN?z$>CYMJ6>Q$s!~X+lHWx5YH8hv=$_WXdm3cLEE!P72b@9|UHBWg z6QMbV@@;&_Y2W&$)+xbs7QfU9o4$~!VIut76*bWP)%Uxq-2qj!cMJIcMegU)^F9v) z){4|O-a1BU5rX6Dq88n+-M5Ob8^?qLWCy^SjRnDwecQIqha;3(l1(u0B<%V^Il{0# zH4?9Z%Q|TR;)Qyhy<3RDgFkhY+)vrpJr(=|#leVTSCs8eox>*W%M!8lbY=-X0S^!s zP2V`lx+)zCLE2u^lV}Tq>`CMuW&uz&?lsW?_1E^YBaO2fUeF^({F4V4CLJY1%|a zt>{zvkU?&UJ_ZI}TsU-h!a5je{f|4%a5~WzlFN=0fF9IH@r>c1(TM?4x3!qVDDGtN zh&$!j!<{f^$jA%u2Tuki$4lFeO=RdslBC513##6QOY1Gssv=~^cm}F-3}}($f~r&6!<}`i%-A$VF(i$K*K z#O9&-q8?ZHl74RSPaAT)ur#5AqWARfe$PmwJ*FN|@Nu8U0>G@79Q6iP3a~ALwZSS8 zEaNr3t@SO*D&SWg@1<>56G_KC8TVEyCfX)^3hCoJW}__^r!8GZgtq7~&1$M#`B!Y2#2K-Or;hcfn+ z`_-~>;z@Mtfw8P3%PC}qL4*aoMVfy2k-@m#^%{s7n|)*iCjw zKRi22tV3aQ`q7i;i*iS%y1$8Qr=D+x6=GAJ-te^9Yj8~B#`|V(8ZRzD#`{uaUJ;hPOG=#5J6x-e22B0Kw0X&iB zao&vvh2Vko_`GG>dRo+!v)ie;(rvP_^9}|Y>8jT%@f)KLeSszEa7f&d{JwjwR;2e& zOU}rG?@2epL4GB)eu-!*voM6*+fOcQP&>?Dg*6myIQlGw&mH8x!kYgXbhbkiR?Ns} zRNcP5`D0bx0fx{{()w(k1CnyL{7C#KcSYO(QulrBsrk|BKgkP)OHceK6?j*x1pqgc zGvb)Ek@;9gh@!VwK{))bR?Q*w3;%c=H~`y6o_qT6$tog|IZrGHj}u{d{?fVU$s)wd z3nMZ^E}=A3f(`iFcDR8k^zTw)5Zeur7a1E^7@f$bBRR$`@RZL${(=p4migfuV~Vyiv%`5<;H`y8d+dY8CB@dtI-?`2NwV!X_#&TnbApf!G?e+&Ad+xD6OlWZ>?bzkRB5*)-8#)U-ms1|E*<(V1_3A<+&*=&(JYkbob zc@|b5j+cRM{1t<_1^*qQSu z-m2TydSyDuWWqC^6{6BA@=+A#0JZEhU)zsVaItwo6B%l$3J-X zuE*l0R&(U2<-s@W;_^!B3WI~>Zd*rY=R8z|*T+gIkf5B(3QeezC@!IXQ<;n-S8%8d zBAX*^2I-6Rm)1i{jnKaJ?B;{gt#^N2W(D2UyP6u5U6gL%xB`9WJ6u>ZLUgRogb&LP z&t&AscQEbaftg<3@Xn0x)X94;sycPgE-H68v<2MNy1nkCOK!cD=V6J~%U;2wcLNNY z&^$%S6uMOZ5LZOaWN?2{Q5qocYsae;$9TOt)*8zc26%~sh_vW7wkX;j(2Y9qgh<;uA`?x z3KH?zTXfLHe2PtCgNx-xCHk)8;i$}Mru0Cqv*;ZIJh00Kkz#6i2r&l@*>$D^TnGc3 z8aSYv3n3i-3fmmFCcVYOqsG?e;Y-*U8{0<*hc!-aG{+row`!-XRyF5$5}mIZ<97kg zf0s`>j zRko1AIA9+@5$YOpwGSAkAs*TE*JZK(fRR80c_wBKx^oZICJ4odR^UbeNMDo+bXLnM zTY3!|+?HK;rbe0(Ev<)*S27mnn~a6&H4#{tLYm)uXchW)Kv+b5M@%X*w|?UV!GMN6<1yFOd}X73^n*&fBdm;<=`C-p+MKV z0B3}+?)JMA?}Vt+ICS+_Uv;bQNp2jIij*p)j&jCDqB1|Vi^vhKa_KV~1&(4wls=zP zEfs3QeH|g&STtrp7X&n-dxWtPkGFhuPpspO__vnsHE7_0qX4G^{dLdRUdNgkt7<(bW-L8Lg1_IP%9w7avn zbAp?N{r%*TG&~y9FcxV8qh7!iQ3I4N&z4qD%uI&{jI**G)H0A`vLqMvOo9;r@DCBc zD)9@4U@@&K6Lbtf!YLSxpqnH>w88#Z-BGHepF*(_ndFj-1X&r(B&w912yPqKU)CJkQ(Q2*-xSH#(rw zQLovGC6)x5Mq$yV=kH>(X?_8a5J@cfhUxCyh^$UVZsHzZSD=;X2 z6vBS!5QOTZ)H{#{>W-t1avxiQF7ssOJ<`w8*<&&Ct;vvu9%fLC4r0>sC?EnjE2Ao2 zTHu`Y-v`l z_3i2lLsQZfR)+&)E=%OgHm?w3>es(aXvQq1`oH)h@w=P7M1p-PxlSC5X65Evl*3p` z{0t*U9vvK>j*s?ACv%?>6=iPT;n%A;oNmr6RYYbmg6q?=Y04 z94($s&(7j;L)=KL`q|L1s|=dX)^AbitSqQG5Jz!54#EQp`gj4|O)he>`*4BJtWj)*3rjT~Wah?$_ucVu&=+-# zP!YKgW#p=}Xht^g$7)>X!{NK6@g7(R8iw(z_3zgEZ}u9Xv^24nSqRa)hnAAa!7%WH+ofjS{N=3 zaFNV@F%2L(Rq(Zxr_Mr@<{P#-=4V^yaqAs2YIM2BE*Ma!gdDvRzeo3rahGzpHV;wP z1sbcV-^k}-k31bt&Q&nr7t%zuCIoO6olOTVv7i$8=7 zAwIMVcDwQtGY+e=b`U{O+_F3SKWy$|SvVE36*{7!i-Df~u>y#(HC#WiZnq87G#L(i zsFaClZvfUB#!I{-+UK6pD+}8mG$xVK05P_88;+Q*`_CvrvH0*QF5pdM1Rvz6wHLUj?DBuOFfE*1@Jt7_5jNJD4lt zC5SE@jvf`1QX$GaU0GD8@gP3y^4r{ymvDPHJ)JCD9$hi?a<_91JPfwHD1J{S%^a|) z*P|+f7>&;X7X&BWGTI2j=+vX1eu*vYGVVE3XvBKvO{SyKa7??)f^x;NAdfi9(HoVfjFRC{E1;m@W;mUUrW3~|FE2W6P|MrCU*Uf?h&n|my8u_S7t~$UU5x%ogz^>r zSCxn;XU)pl**~GP(#b&sPycZ2pTgiCt~Vyt{Q8vsV;nWx?I;=c=|@+NGjuz4!*0_9 zHpSBcg0{lG;3acsdvEg)nvPB{CPjJ^jCBI({`=qS)zuK zB3bwXzo+`QngsYnGn;>+77zR{XXH}C?wfwcU}O68W?SpLi1>S&#CV%-4?h?|0(B3~ zaHn|v#UCAf_O9HKG$^UBuN$1&(WxCyRSXDb7jf{3$HiyB8soJKKY)`<>s{Q?VdcS@ z5Y+;b>FE^J8Bw1A9sVc}U)@21BOHt&oTz@$_Iq$ORF~#p0;pM3% zf#Xj(I8w}R_L{(P@UTe267r^V8e=+k3R$B>Sf>`SDtB8=sGhgNBP7y0mtL^WbD`O1)7lb7oQ|{ep{yYFa06&6>>_Tnt4zGYzKW4d%5OOec3RopOWe zqzBWPVK5d_pR;(PqraSe`<1!a7<}Pgoa!oFc38mREFZM|NQE)nK{YSSE7CGBumBLZ6#ry;Knvg#t+&)>!7~4R9c`Sm_ayzgL4=5+Xc_j*G=t_on9hC9KGa8DIN&K|W35-ch#Y3Y!+Um26SY!MK4Un#qbb1<2+v|6sw<%Er&m8(?O#(?87MAi{=JlUTSnw)$u+QxA)PzoE?S~~L$?}V%K&HSm>+K_EWtvb8kcAGhJd8^S6B%*hlvX-<3(Dtaw z*h@W5>E|d_5k68YE*lrG!U*7zmmS-W;Q`qL5yyupEm7SxuX9qcnjyD7;&0{r2QNV@ z$o;X?NbcYLX&+6hTZoLFjdZvuN#v`Y`C_DPD~n}J=}X;ThvdZXBu_7%p7 zYysbr{H>MhV4V53?tHk^hPG#?fu)rPxxSu+);Zi=Z01%dpL{iRh)M z@(Jw%2!OO)xU+KoC8VudI|NjfJIji?So}<`Ik7&K{yD$&Ps2pFr8G!K6e`}X{2 z0{hGm{MAB_m#3C^a_yJ3)zx3=IIwPhJ~TfcnV*m8rxrZ}c%5L43CV4ZT~DWIk?xBN zOMO0nta;z--uFZA`?307BA?obSv;B1FtsaG+V(yL`m}y6eR_1YK4wemXB617v@LZO zVjk_>mG9x<#)&z(Kg5--kBDcsw@9M7g-~cVp-Mb~5Sdnq3QP9nb!JaGm+J|m1cjDv zPc#yr*$z=@UKWj4FMD-W(@Ny5^iGwqTVEyx`c9VP{ZE#c*r_XmQ9?$PU5gA2cnICl z*ss%8>eP%c6L1XiDwhFC#mDbahu$%NAu*q+e^k_Xq@6M!uwFLMC)Sh0z-lV9JPbWkD zlAx)whN4~fit~X4i~!BrQgEm&ZnU3DCt7&QJEMsaL}DbK5G6Ddv3zoh3Kvsf&R0=# zIO{CTMLVJf>8`%2==)V9T)bHiOKYahtnjq0^UipbUJ3zfSeQOteJaHNbZsHz{ExV9 zw1&RCsq~jvP_N5utu&|+AW}pJ0VcPTa2#YKo`swa3KsR>%xV1E0+INs?ZILPF9Eh zn>nh-p;76RnYXa7t;4HoIu>N(tA@JEM-=WZQcM8TOG<_4Tu4lUnbPum0Ar*O`)po!E7Er?e!AbpT zw1BSr$=i9NjmubU;FVuyGZYk`i9*r5u4pib$WnN>nN7R@^PbyHj zc;eI65RL9xgSC1rnHHQ5Bp#2G#+F7ZR-=w{7qdr?wQRLs9eN10M%~deC9d%9j#2@B zMPMCBxSOI@>QMPg*OK&9SJOT_Bjdl+bW-}r)zfw%X|WfJT!~IJ=BI-U+^b)Ve{rMT z2sT!=g6yhz)||b*$a>}IxN-lav0Xpe-1<(L%4BuiNap~PKQ?>sP8IpH@h+6+jg->z)X4naTI23$f+res6TeV|9d?8%Hio4gI)x+&JFd{Gpy3 z{4sbA!H0Ue@GBr*EJf{aSk372^0MNTPTV^E)+>>RP4L5J5(fUs@s`R;(l}XF<2ug3 z(qUl$0P4u9&DsW@@_>&#Q1ss#7*3Y0YOQk$>Sp%PwWj_4B^j=dMlaIie;037OaV$m=y_^6!>s>!vUMl;!_ix?g5KDxby*4t@x20A#vCv z&ro)VL^PJi5GS?`h_pQ!h91J3VsR8X zJs?FqUVM-R>*&Kbs?;phOFG31Eo3j@z0V-wVVMU1`B9FVrunmWLxpI1lYc!?*895HZEMGcAE3o@1~wtzvL z{Yf;naXf-n`1LeH3&DQuGhu8}?#t8O%PXlnJU6Z{=gwO#GW-;2Xf-`O7<%21SPuBa zE!GKIn6ga7D|qQnSRoORMfO`$jA12N1A6hnr-4C&D%@-l7LB^^hwN1a7ed!~#kNl? zyzXT6=|EJ@`YY=?$y#cLd@<%5wT`FLg#t%^&br8j;k{v{um4swLKMc)Q36S8k)1Uy zXo_1<&mOh~tuxZ}sed}~DRv=eLownjiTy$nmr^aUH!2~Qvtb64O4Fs0422v{kw)D6 zc-%d^Xppsmpe9>17mnO^DXk~=v;x;zbjpH}x{pqN&A2>ZQJk){+svXEUaqIEXa+f< zT}`z=qel(xt0fej_a}+Yn|uC0#z~>()xL}87*cYi_ffrP2?KLF>UG0?Y);DyImIIm z(h`E*zaa*faofn#$O%;QLqnBW#HT>qo$N@4n-r>p54MdQlbt9M1p;vsA`JHlD z{Vex_G)K2j_&U(u1EDXSgWsV$g8mh_Cs=-LGj}9azZU6;6q&(TbJ;-7Lx>(ja@PJu zoaDSYIsVlacFWqKeoiM8;dIf+X(eSgXL)2RBuotku*L z4_pn5XmH-`wHtclOe}2QGlR2Sc9liBR4L-_sw*hXqi&E9T^H3Of41C0IEcYL6U%D(e^OH=KI8hxtheGa0_>>Dh_eWz*DCS3X+DTPPvd{z>{`%gpK$QKY{RJ)*0Z< zfTUpoqXDQao?_3e3z>#3hPCVu zKL{(Lhg$YI$A;->GmGNzmoc1GVL>2&f#a2m+@>Q05NnZ($#S$qm)g#>ImYVJ%~)St z2GE|kC7PU%(N_is##RfPELVqPGys+`!y+o34?~(8KSBf9E_(@_fhPrTTk57|dOzE3 ztMH~(YL^RkP09v4S7wtV3vX%9>R_&0W3=qkyKRbHmu-1898K{hv&;^w-}dQZ7WYS! z3%g;$5Ul4L&(fVJeDG(jHKmXZcg^MK73{t7a%UMYSIgbe`$zB}lvSa& zKs13pJ?U}C)nUb0e`81qD8GW`S4?^B?I)kVD$mAg=9-Qh5~y~y01ubn7PKE~D?WF2 zX{)6DC@r=L@&8U^d_u*8ER50!=pNh zkZpHDX-EWRiJpJ6K@ptBcL&D>z|6}*Znq>}Lms3eC?!Cs(`z;myb5gBe<*>VBHR># z7>;rw92^$l6{csY0LmfEPBElb&kd97LxDT^emx%qKK71>7db$-f$)wFes(m!%}!b7 z4TK=(y?un=J#fLYsu|wTm9)+RteoQ4h&7Te!SJ2!0>g|G0i<@9lwxv-ZP5Df#mzBs zfo>-ib5)o_79T*-d;Br{UPR&G6vCKK0tbWA5=c#zZ^u0-WHeqBvh0*PQk<)2g<^>zP^w{W?)2@}9r|T!jD% zc7;`C`B+|_JH6p)v)7mm-=WIm1O3p@<|Lym?&mamoSTWH8Y+}0{)-i^eCUqy>DVM+ zOZtrr*Q$F9P zBXM78{c?tD;*c7^Ed4Lh{mb<}tMjhQKi?_0K1$0zLX>3p-s~bgmGTN}?>_@w(eHCD zNL2>pJMK*p_j{a6ey6YK&)xdR*!+n9fmXSE`bk{ZzdPwGn?2J*g z+~;f^$teqBmgZ`hsRe?fUYfa)?N40D>ac^CV0Bn6gVk|XSym^dGgw`Th>2SCk6pKp zr}UDG&{^>ggC|=4lL`q=MO?JWElhABl5>boDZa>jD96zD8wX}NqV}BuJ5?t+8z4`- zBdCoxSN^5NM`R05_U9IfQ;f_UUFxf>Q`T;v7OuEVm5%^Rge1W~ue0l_jd^w+LmyLa zj%NuZ0sgX`7?4c|d%O~H7ZR{4=jYggQ~7lfuJ@+(d(NZ1HkS;WE~T?h@ztFiP6o4w zBMcvqgfo>og_VQBZ@b(LW4Xc+aoJo~+x%Kt9t=wv*h;n45By~K4>JQVleC=tzPD5d ztwg0S*6RD6A)T|V&&<_Q*gy$6qOnenEhMXjBx~jBuItL{*|qhH;hD45Ic40F zOS<DaZFL2i&l=;L(Z| z8#l0;>|7+L@vzs6$L_LHw$#M**xOIzY|ua*%}9 zc@Gy&YhsS$W?MPwpzffz(|d5tB}RKkN7@ek4B4pal}cO;5542E+Dy4<>zk!d0fXR5%!kUMV^@ ziMLQF{sSUNqeR8ZBWA=+Ws<*H*7l-?N>)p<6sbZD{hpbXsQXC$c-7_DP;L(#)Tq9= ze(kvzb`RW2-}<4(v?><@BcJUK6{#>+62F^ey42MTAAua$8uLulB^6{*k|oH4KgE)( zLMug!jzjQj*D50co1!&KNsO}WQ-)y^;LJ4CfOSnu?Kr76`Fdee zRD>ZpW`ug=@84pGn$VQkF-JDcUD<<@N8C1Dn`4!Z8D zm0%>9bngHxIX9ZlV{z*om=qg)$LnvWxWAbcl4&3pQyv1_DMrVR)v*Wq+#t-^YhE%;2UJ2{7XaN2Jfkj3;aY$d zRQ(E&-&>SG%&HMPrhq0!IJCM6UxZjqReSrFC}ZdZ5zPrn=X^45w%+l&Xp&3Q;aGyD z-^tvEl-HRO=q!iN6hc!N%|ofPzEWkw*hHQ-Ge&X{GCQ!qE{%A-VfyP_hW$voHQ-syIdBW;kov_jeJrVUN{tHZ(PudK9q?~rjDV-9bn!?mm6;w{|37+1s z;qV~EDSMx;i8 zsc?6sQ;Koih1Y*F$w9~ITrx`hjo?;QGz(SkIr+Yvr68< z!^3b|aT7yw#S$@EJfTCcY*~jsdyI$ur&x6<6zoy;id>?_18ug){d=wkKwnZe6V}r6 zC>i$A2>8@0O8y~-<37e-i6dYOHSyWbv)Asj%|FKTLZe>myooh?&B=snQZ%p_-!tCF zrkA=0_mhaN4CW7phR@d{y|1Pp)mG?=h8=p zh$!_IP>YNNUu?J1PXly$AJHv)M7L%0IFKRU&%RP`=tlxF`l^wW)M=ue67sVF23lUb zul--T54N`UvO0FAr4Y8=tT}fEj95`HzrHxCrG2p%x|9^ZmX z8{%WiytuTNo8yjt34u?16TnXWLUGdYdyT)>el;&80}LD2?U4(x0MlV-vt8v`99?vg zAylJvy6C*#)S`Pp`(y;w*suTi21cko(01E7wz>q4f+EC867I!9=7oaaKh)!g4A?w& z5WNgL4V=;*EUg~LoJU=h-GkSS-TDvp-3D!p(I0^sYUU6yz| z6oT6dzAd|U-F||yLqHRQeY@~w8%;AAceWL)i^r!T9K$HuOCr~k50=!~RUzH>TbC0Y z9tC0dr}v|$7}1=I5M<4qm5Eg zWI}Pq;t9!;(>+KeY>d^QAbvr^&bsuT#IQeeRkY^E+UW8{i5#%A9KTuK0&$6|hd_SH z%itTaIH?cx%4#XUgWeI37LljUp%$3>3cQ-?(eb0H862+u=d4nu*)#glqICe7iz-sR z3I+!yjGF+xoV}1T{w{Sk?e(s(QAOqUs({cry?qtDg|(*R+^x>u(Nde(-%GY!u;E^E z&qU8vNc4a4t&;Y&zxW;*kd?=Q0H1%h*e>uu!A%DCR9IfYH)C%dz&erF|2YW~7*G%c zobG}#n?79=E%`w}M4@8Oz~;2bbt$k&2)?{os#1UrK1_s5OS4=A-~S9&N=by|#G+f# z59~RI1?8emJ;->k@bdVQ8(%yik}qocwcT;)T4E)L-XmM-<;nz4XofoyKmw z=t1np-=OCDWOU_6kI(IqBI8}*YQp>fBw>5bVfA|D1zD$+vl>AzLf!7w+tY@ zl>uD041lL5Qvh(82d2N%yN?wT7vBXY=lD3YgeFaB`A2D}(@0MM%~2Pa+T?sVorsto zF!m1T+UR$RD;WSzPWN>@1-b5wno05jsNzFBuvBm*^#LUt9w>fkPN!%3H(gyNcmX@3 zfn5Bx;l#0#MD#y+kswE0Y#eVjUe`|!e{38zj(7f#6J1i5Rs?3MudS{>5`bo}k!*d1 zgzvECHQ!rDA8;bai~3dztB6L5F5b^-Y6L2EWTGqar#4L_i0UZMK{~gz7iT%nOj_r# z1_`0VF-DAS!5^}W4Bg`~Mxj?0`0kg$WX&DikT{MrthcGA#l(@KzAukHG#uk9hMV%VO;F{;6X>| z$3$Q@Rt+dZrkm|*Et)D-W%%7ui5;C-I&$+=Fr+!Mp5LjmxiO}q9aFgD7N$?81;Xi6 zJ7P$OdZmy6$@CP)g64z4aIZoSKVwKQ_I#w&1FUytM0>=5#4{+h-Eo~jWOSu`I9Ca2 z29rbXyR?_HVFOOCg3eVtLS^fGEYV!=KfSLn8iM&}(fxniuljLGt?-m~@&kl;|LrPD z((jDE`bx`8v^ySbg-4hc;EdKye@1R+z8I|s8e6wpTgT?4^n*ZgXZ+YoG8!z7)?qr| z4tO?3>%W*nziQY5l&nHA2;#Jh5!e9tq+tDR1_v26$FSt!;XznO5MumN2!$^X z3+ec-9+7tDMWmfuBK?mb(oQjvzAhlrPAMXNolm4z6k^4&nfs$qvt!wS87ftK7wOyx z-$a`%q0XqORPDI;Is}VWrm_T6iPm;ffKYoXP3KdW&O2c`xB5t0LE`h8qDmwr1FK<2 zIea;7g6e`xO{v(oLprQF`FNJV7__XeQj0F22@Y+-DR%w;x3bI&cLi#!$aYOhPwiqH zgofiTJ!6L%C_>q;zuJ7Wd(zlC*nhS2+Al9}P19%<&M|zHAtCKlixUE+J636us&-WA ziib`I*T%S#&L4Cq6z2YN+_Tbh8u)aBgIW+;py2BsQUvZjHkUgL3OjW<>+v#Wo=~a zj&amZFD7vkol-Cym5Gm8AG{)Bw&>vs+b_npS0Idb9=sQa&-Oj(KAGF|WuCgb6M89= zFB*rq{Cj3y2C$)!5inujG6H5A@z2`sQ>dOZjvYQ>)y(00dH;|R=m~4mTj}TmGy7_` z;50pgsWFeW8QMrb9{D!HL-yZw(S4@bTjvRkbdB_Em;WRc#Hu;%2$kOr8@(47gfdTI%#Q>oreeF{qP z6(j44|5e9qnpfzj%75MdGyibIeYm{3{BR{1w`emZVeN8jj%{FY_a~1Y{nzS~wbdu< zYw&mV>&L6Bln(zMu0MSAUuzE^e*O5#!-o$aKm4!Nwe_|2hyNA*tq>`L(SQFY|5hI0 z_6qa<6gc=``Y|#QPU>JSdrtjsRd^aa_;#oc$KbOj+r7sN=|3NeKWOz3D z&>Y7bd?ak*Vs68_A9qiuuw8Y@9AITgf!X`RHY&qYEX}rTW9a-UQIGhq_uoK&5`5}; z9m6o2JvdpM_PQ;sz1wZY19Xg#M58G^h{5^fl=i#m6?WxVx)QxY#z^dZLyo{$UpWb1 zUtUw~2}n8=FT#K?DD*jb$Es4mFO1zYRyCJ1@L-19R@(LF!x4uO#lb2ojcF2}O?x#2 zfiXva+&TH~;LS<2x&LznSC^yB{gaQIoYotA4jhaj-t)zaP#P7XY0-G=23L`=IHR?xV{`k$8oF>O(+fF zS|b{tcKW!hv}0u8i5fp%FOqXQ{L>X^9Jk``dps=i0c57hMBf2?xt~~Q-M~$DfY%jv z=Of1%XPOa=ndw@zGiWW>qQ`4csyTQE3kJ4&C=W1Rb#ta)?0b7G{1i^AU;v>D<7W9D3~y`j@UD%M@ghiM&OzTiYWa`R``Ve_upzQEV&=ss&8_bm2Ztv+2m8m3?<)TgDSAe>cS1zfxkQeLX9yMQ zwMM;Zg8x&em4&SZ*xUaB8+G>#Pl8_%etz1DESICvXb6bAV4GcpiU6NLV86h~O&cC_ zWPgD24KCN1;Az3?;rI3WVWYnPLk*5h(89MU3vLRn+RdOa$f~xrTi-mwdaBwMdM6Fl z`jpiXI89MMe`mEgN0!_qb8lS3@?7xL@4(){5A}wQL#_^ea7gdJ$^N1A?dQ z9hmOmh`zC4IaX83y*F`DUKg>ex60a-G4s&1C(&tlqWmrJ+Z%2lsU<=Ze^nZbkSE&o zOxL)+@aa>0X*@gYwz}f%mb9i%p@VRSKmh1o8u%!Y{RQ_qqW5$0VrwrZeyR)4@ail0 zC(L56nUGHQS+B`YiFlK{u*ZUogKocHAo4P3o2x@n#d}?9ixxx6>W?T*lT~gBSu0P7 z<=7Tjs@mROx!!JZOVjN!(0u?iV573f{RtRP3sBGy{hm&MAHkS0IVRz(ZGQ$tOVdvrji1+GXUNWOVj4hi!i#SH3CcVa3^tVQY9bG z(OWoekPRw3ENNcga)LYZaLnFUPzKRWXbF)-L>=KQ@B}BBj!>*pl_fu&8jgPqmtmS16#EX)rA!-FE@|UT;J`Jm@ocxE_H?ukrw(UP$n$GU z{Hcp;0%q-8aj}^s(>`Y60>nwK;eXet1^BT}J2(3af=gbN($U`%RvyB2o{tcyAcPH} z3X^UYwROl8gq{0y6}YM{6SD>2+QgnXqVD<_PI7cxJDZ3fdps#99I{*#kkL46Z}2`& zpLFE2&}J6~lsTnYn>VvKpw%f3-@)QIYoFwxl$thDO&WGY*I`-1M-e*!cP}J*JCei3 zwmM6>`<}4W@KHlu^1{cT{C{sNcYcrN^6xF1IWF5fB%Hk-tUzA+j8@A7VQr=YAR@O) zGxWmVKoyJ`L0B7w2Epn!r9rS-w~RpkEfPns7Ij8}=!8IYW&&ZDs)3Yo1J4BEuucXu zBQ9LtcPS8R_1g$pt<6N8nkQH=)@BC5e8K{;J{t&T1$;SCAeQPcH@9EaN`UyJPsm5{ zXdEZ7&*-Bo3cBcoZ`~1^?kyqjbZo8%zpL{STnsyKqY$Qurw>U{Ei59tXX_5S0*|Wp zme(A2-ft)&4c5j4I0^tqgsoE9#R^D#{6ZlW>GxSJ!HqKRozYmJHW~%`f*sv)bA5Pw zI_|t>e}O!{ugB5zW?3o zf8D4AM$urS!^xrUsp~ zt{I*%(y4GLB?CK83ytk?Ts1T-)|gIkLPP3lCZXSKjfZX$?>|lw+Fmz%y~c+zIx-r2 zKy^F5)*C_6T5s%^k!-vsJBV-wuY-#vNj1 z&4Cuz5O?cckn0kh6F$W^(Tnyu#Svxs0!eayi^u3Uqt{bTLAaNM10FpOJNgRmO@~JZ zCyk@}<~GvrA-z&2+5pc!KWk7VT z0+w-EpIoXAOj`EZ$_z~&8+~zdZTz2-iLNf)IwgtbX|wgtcAcu#BopBN?FO+pG@p|G z8MoXtt&N0TKp3-m@!~)idMwtD`|{iN1!1jBRe=6B*x+z+VOjZm?RKcU3ouu&wtZ)! zTvt2%A@GwJ_EdoJ3)-n3Hehmqbw>*;KE%dP^lw3%vC>e{WT(D=aQySJ813Y^^=2a+ zqSb{wCy(OlDOJBaSh7GYN3TS{j8lTe7PN=f1sv3njwGfvg*f(z^e)DsV(y~CK#k&? zYlT%0S$QLKn=^q!739p(vI7I`71@R}$sII~wh#7qe}*-datCYoDAXYY<8?xXQ%*%* z2R^5E%Ec-%V|;U%ju6iJ>zB*G1;yx`A(}^XV*ICF@hWI2Td=F3DlbliN#+#1;h+HU zxW2!Q4k;YBBnDFMC{+W2L53Vp8BbV_b1CW8!rRpa2{v2GNj>iDz_Mwt!VYJ-YP9ge z_UqD(B#z&ywpVM>alQUMDqECpp8zZr43;KYT(}@(W4xOlS-U5Y8U6n8Xy>FZUXGD( zAAh%bM2wy`*MmbiJwtw^dTzOr@i;y8+-6$gabUlShOsJ!plrq)H{hT&NyPY{JjpD) z9l-S2D(H$yODW>fwhp?sE!>iV(fB?3<&uyaa2_79{(sBL|5oLTogf=D@W+aBD5_?T zyoaWS%Le%NdSc?mlf!})(|3U!3pj*bi^M2D9c$I{S!QiOfCjY@3DbBkPIScFzwPb_ zZZ4(S(|hlp+Ev+mkEWt(HkDHO1sn6mk&i{97*$Vt>};SxU+3YS`?8z1@rHx2@wF|} zrA^B3jqT7Q)0Iaie=cUt<$ZK;zw?M5N?aq+WBcWZ{;3&vCOJDUC~W5xI&kWEd~0xV zEB__=Z~C%*&GO%e57*Xx`;UiT-`aoNko*_rVKDE_QCDPdM#}sD`~ODkt83pxTjyg` zmuU{7m*eIXWy9aLRMPS(C%u@SP6w0ea%42fE*OfK|-4WndGtv%7|w5!*sD|HZ7M$P?s0Y zE{7~K;HSFTK^Qyo)bdlb$E3Mb+=L zG}sp!lR%d_eL6#1l9*)Eub}8xJp+HY`9r<2yR-l1r^a3#MJ3;*I!)(b0!!&wqg0%zzkD)~(KbvpWjAb(%~dFy0Xd0XlZ=p;%n1C0jb zk<4{lef0EXN1aFgg!Mq$L+yn+mGvl4{4t)6WvGqD{*g4Qk6hRbrX!@i{kRj_a+mkTRv%pig1=rYd|meHY*DTXoCPW{)6;Sv4d^M?>_wINuz<-HLK056Fq$V1nb2;r{+hf_~cPx-L-!P z>Ndyy!iwKK4pnT9Tj#~Cu74eBHF@~Y)#999Gt_XmS&XT*hmQhP_jV4EH|$Ye$j}LR1J)l6*aIJ~)3qtPfkzJ?KO!(p z{P_U)%RqecaP6DY5CPzmM+E>MKU{OWsD9|b7AtXAQ;4D1C2A3`Q(l@I2(plm+%b%V z3R`MIvvY$Do9hUBKHT{M1!o5bCx+pm^Mv=q3AsRbA;%vY>}k+W9Ze^VVXy7;Spy@C z8k3I>@DyMLY(_5YBj-{B@bDumfP0(7lL7G4d-u}m4alh2taQ;ZL=+@A#71zUhpXRI z+;z67*l$*iM^DlKb^}@7l6;P`j z!OTj;0Za^%%iv)DI6QiQCXeZq0vLc}Twt^)B+D4*Kpsh@E)CI{d3#Z0z-WYk%#0^@ z(Cz_N)N$3xwUMBa#n}+gLsNBR1%zTc%ayG(Eo-*YP-An$tE=KiT1itCKT@ZhrOHgw z)lT77?Wf_}@pw8&)gCuTsot?`7%#C)PqSDV7QFO$GWL_ElWsru6O&LPK0!;`H;@E; zq1pcB(Ko+tkaeeX%2a57gtSb?F|jfvJCB=fw1#SuOQK-}d{+qA96();pyOHSfFn%?gvaaOJS+oYKf4o8*1!3>;&JNWRL^my0m*A6CmQB?z3e>0ru(?u zGy_3ADKpEkDgX0IlMHjb_Vrcf7^e8^Cs&$coZ(e}h68(t6xZ7aZ=aBi?0kZeag%qJ z(w6OR>pi-eB3AyMJX*QCfg&~D5Ex8jA6R*`5`AMGmW__aGqpe9NX0hlnT|x1(?+lf zFOm;+HnbPRc^b|Nv!6)b?9GR(n*$2O7K>NP*;2P1%y z_heM~UIg_6FGiKh3-n&IxA}b?rWyYIaJYH$9kBQpz&hI9@rz0mjws!v(HTrh6%ew1 zkKR@y+^HrpY|~4>MfdM6A^-|tS-nrwIiNC8bk>B;V1qvBAi-4zs!9Vd)Ls?TEX=9# zL;dJ@=U~5jA9rXgbL-8~_RdibEcATg_vx&Qe?QS6NzoB*Md+xbfk+plZx}HaZ8ZVF z-Mha}P;q-Ac}t&g`Wb8#{i_;nZ0N5C)hKSA52J-V;7=nmutZH|R!)L%I3{%43mT64 zx4@_~L5Ct^e8G zyNL8xyPL0%H`KJ>UG!+8>fk&L!K!XegCJDHw=wzP?b~18MsM%@3P?0#I8C0teQOWO zYwF*lF<|p7y8mVJc5pvhuz<3{)l7V7W+=lDCd>wLBR>Fy$CG>+@A zn{J*Q990)^oweE(bZ~?^R>^r|d-G&dI;+yE(NZf~>PK*9wo4u!9lSo;+zS-8OC4_= z?Hrzj3hnG4pWvJyLIdK?yG^6a?2w#_t!E7dyv|mw@}7 zt;WgGoB9i!B33MKtU;;eo1icYUics+W!?7t7~x1mf4Kqurgo zos%bzxVV$pc(u8E>@>aZHa!~C;S`{8y;ra6C%gMLBuv=ZucskBbRmf%tA+&ij^DgI zI1KdR5!9RvhrPtEoJ>z)ec9DtAHCk$ZXBiSKTfqQ(MYj&eSh=iZoL7Q@y(;XgQFDg zpOAune+539<32_g(RGgNtS#bK`C6(ZF=>rpjqJJoCTnh6vrTyvob^^NDdZvTpP5K& zWg~M|npj&66GbbJQf4FIwY4w>w=&3D&+XRM!QNqdDN-E4xP?CKaANu4+t75 z;~vq&PTOmZylGL1=Qgy>&`=%)pfx7}Xw69((q6-bv9wK%szSQf>-{$;yT|D|PfVTN zotIpy7;9gfT2cndI8=*C`R<}h+@f=BwNkk1*1oaZpfZ&gZ;tB{DUWuu-GkSGA^npo z28!x7p(lHr``hWd>qx+@etU(2|DDIJcVf=*HlwbXbm%(M5u66%C9YM;sH9R)4h~>S zm@ZDc1GTFjvnkUO`^>}L{_bM^r+WRTlWN7SO3(r|*;R_JW%b^wcZW(&CquGuHHB&D zRPCxZ!A~Y9;C$#m4IY+cs-r+4gg|ZKBp1=tQcA2fs z^p>*z$eNR7ei_OIS9B~X)#&5d&MUKxuHZ1S{$#ep#HAY#ojumSzSP;{aC6T&rMaKk zt$lM{tpySL&zTSl#LJg!d3CC6ZtWgy!4+}u5nVokIW}0TTwQ6l(9?Nux&Mf+-16Dz zKWen&QIaYyaeuE|_L5uWcA_9-&238b!MpmS9 z)z)Z1uU7i+M1}$lBx#vSyTYBeMJk95l2K5fki37_+gnQhNjTYb*?mPGWe|9iuQLZ-{(Gpt$|)L(Q^io7uI3i!C$Mr5OA9f0rKsG}TeHNczo>Q0LKVg%{%~ z^jV-OG|-DkDO9Zd^6T<1(Eqn@AN=v_%3Jt%Zv`-u0xdxCF=WI~As8Z<9zYC6Hc0es zMgXWuVaA3`vAUmWuHp}*x>4L_`_bgzQN@blN`(|wv0drA}{@87-q#r{VAf0C8AgOv!V#+rcpxdo}Y z=|GL0y3#;B2w4ulo5z!--{_?dOQ;9LKmLFMl=%hh6_^dR7W7**B%Xy5$0~6{i@FUZ=v{l<2RJx^)ONH`U2xuVdG=cEs@)XTQC0N&-lxhg9OhphZ658^kJZCR z!%8Ej2jJ`^LXo{=<5p8)o8m^V>1638(AULkRW*9s?dqkQ}v zV_o*|OXby1ld55HB|Gh$970ev_`_d#8fxiZ($v86&ZjdCka2g4$@u47oKr~DQwAWS z8c1Zp1ZF!B9dJ;=x&RDNZ@OnQsXCU0=scI#q-$!3Rj z7glwZa&A`|6BPT)fEXtigO;63-%fS;YZX!{=YER4?!sB7%5Q{K`%7BIIn#igPpB-t z{`qTi$*S3k!-;J7a_q@>=^Y|y%! zYH!vJSA*}iD%*REvs%?8M$M!iYlD>(p&>@H-)2?YD27DP;gaDNEYj4ClzFOEZ9d5w zucBcMwd4b>0{nFrU`6r{m3R+~3J3}eZ3^M_p}Ulp{i%xo%xYb&92drBXaxQ#NcSx}&k&kywuqK&~c)g)MmRUJ`+T#kLY&z#nUOI=eZEe0=lkJ4ZLCygIw3YD~BrHt9G0 z$>38QSJh`Loy!L}$W3SA=`E|8!c!pUeLu4np4ozx)L|{F;y9}!AJVd_snc0Oz9GqU zk>AeJROp<wm3~nurdpe)lFK0_1TV};oA&8C~WO+S6PT5ZEe|A)rVbR zcUvdwpGz>OFAAT>P%MJmMnL3YJv?XCzLPD{umO8A4aizi+5ROQhUnbG)vY%F7Bb8E zHhgRjKyY4CXMN1ngzT%J8MN33gv-8S>SoppnvugyK{HUxo;S1Z%FqH%t7=nEFCT+T zRMp*ecjp-^`#iBU37h$a)B(j{Ppt^yR{5%;&kZJ{KOkBE13X0Tc=98@`s5@`y!RhziMa;-m z@iE;tg}K`$Dm$YnQQjGsE?)@@gUH%Xw@U7AZ*FfhMdL3k$J=9g3tR3r-Pz{n%%Vwm zB;IeyblVa7X3c-@hGR=-)#j5WJS~)tT~-P-PjSw*=|ySo=P5dSv#4bRhN9-A8>Kt& zD8B;=ar5Xvc$0rzq65vzIH@8%Fxnmydjrk|N zGRHis={IT)c;;8CW82Po(mnB!^xuS3_4Z^|?=|^aDLM4S!WlbS_Ijdc-9IKS0+cbUL9BSU6IhC8L6-KwoFGe|sRLe#;E8)(AT)CwnxpE^{#HA14 z;L*u(N{8{sd1Y{i>fX7?!vb@{926vM zsh3en$u=j_E#z4gl`>z_2f!ye_Dks-TZl9OSK(!4Upi-<{fzQqloi$T&b&_)IXFGH z2+O2fB{N70a*FAROfPdNit?|Mrt&6`I~SZn?$-@ZVkOusGd)g@Q#w3FoL4wWVhfu+ zOHyDS{8Y6y13y)*UyYxp8`gOBvfT1P%&N>1s72f1Jj`PLd=N`5g@{=ixhnoV_!j!? z9H(>!@+hwmccR;ojXa~-du8mYwq_tp)%w-Ynr>L*)ys0r2QjNM3sK7>E5r{COZ& zS_+Y+G;%fkrQmDyxj9bhAo3)y5O-+1pN%=pod@2il@Qjbfve%ngRL=Ur&}e1*rJ?5 zT=kM{O!bm^;0am?VX4H?C?7`-T#X@E z(LGNd%7&x)U~D+bK-h3}Wqb`sVRQ{gKDLIVEMyH!NVjuQH787EA?oUQ%0N>JOPNS2 zg(Ky)DH~C$#5}O2TbqH+>GrRN&Op-|r+%JSBZys{TLQ)80xJ*0RA4>`=C)?SFSmYG z^!g23*mbhp@)@}0%wp6g@whR_Rvc6LDJ85K?0fknC`ZDu$?WX4o@1i4Zacy@>9< z*suzbp%Jy+v<;e?zClydF=%RL88kK7py`GAqy|*Mo&BxdH`|2rrJdy$9QI<|dI4Vn zr(l(KJVIrAYWVoO`YtK41-z_DIdP+ZaT+(qG5h3?N9^$BS)_il#kqV?xpwR-)S?Hi zLv)~(sa$+G^tSZuDoPu7)+(cmyedIs>%(5j3Ot5VrHzSsx$^D?UapR^NH14f*=m<7 ztRYD)gte%P%ef5~ z6gG;~#bt3DFD_-YlZ(qbdw95b5QAxh`oMIh4D55u@Fe7xP}cFKN~uBRmqp4cDuJf- zWeSyQ5$)`;L^xYWEDwTu2F)#0wmZslKev!Y1$o7YI&%xyCi+Ds$z(sbkQRpLmlFAS zZXs*QXlo>xsBzQ6gL6+g(gLPQhq%03z5XOs7Mi6y6h&mBwE(z zme6MQxur}~PJWP)8iI05YZ6M;&;;RD$gr{vbTreX*6*mG+weozAw~!w`voac5WR$yC}uO}+;Z>xWs0FE zkrKs}Uy%|;$K@c7ZAO$=Q28DyU({Uyc@=)kn;H+=(8w&TgR_5B`K&fX(L1j`Umk;btYVs7S?N7y)EBM3?E3m-7OpSPDcSW&(iX}aXA%5o z>8yf&%yxF`Bt_ZULJ`V#{nfGjb;L4NigssyZ|*g=4i6m<4*HXGeS5#k?up&p{9H_k z(*?)3NmagKO9XaKV)r>CfSUy;VJ#Bkc-qjSh z%6n?is=WJNZ_?l2w6%X|)ahSrolccNr$_J{n_hN3> z@E&}1jnpfhRmpyHk*FLt`DVN0w)~W3dAF)+uk!)FHCFvRPbXHf47+Q;M9{j}D-^Jc z^-F}UKmAf^gGDvyEStO(1kbk2sh>6!@~VfdRBQ+VQwtA5$e_T65Kw{fAf$A^?dqPg zvsX2w?i()B&MOntN3?rUNDwL2F}rp;$&(vLi!qkGJywouT<(Cl{d0h zbAVx)RS*cAHaFBgY<_PJw>M8P4)Ci3sCi@plMMbC4FA|asPfyO9dATM)1ml%u$7A! z>uU6T1*mUjFzxlC_2>8ONc5GAxIXCOUwQFQ`R*6D{3%!cmgjuS|GwirKj1U}+;xtB zUf$vTd6pY{*MYq_rq_<>wH~zXGb!a-i=DgE9a8yy&vxqWxp8;gqNhEzp9kEqyI$9A zr|imyc}bt@PUYXuQhvgMS{Yh8s1T09Gw3ZIe`w2B+te{UK?T0d{o=-hc+mA!o>gsT z#9tv}+B99tmLNlZq$*kia7ymP?S^^-zPo7Ev3BtjINoyLDE57Fd|0jgBRYzk?Wjo< z7!A*&LHq#+u$083<`{^lEi;fr80#dOoX1FCgLZS=1_~ZcCpCZp-x8)JhGmCfpjLvib#%WC1F?&0si)`!GQqV1~n_{2p~DaUTQCtYV;WIB!sBMN!Ra5`?m9CVY2x*o$wPtLoPFo+>1X^tUTTm6DS)I%ZDj~wcm;KvFd$u+-;uXOaDKp$L;Rf zSv&^fjU-q*d7>UeDZsaA1DwIc5>9=JL1f?0m(| z{)R%?bQd;oV1r14L;?O{;Q8{Y15{DQS(n?8h)CQCck-+MuGEo$p|>$~FR5(FSBt*9 zaBbmWaM)>`>I7R`rXA{z$<;v=xKfTb2DYjKxWO&m3K^$9?Il?M2{%RhUH|FiXj3*; ziD`$IL-~m}(38z0O2Hp=Bh{D6`q9gSKukaGO<-kXyhE+)Sr_08TP zV2l#^=Zi{x>$`&n;fa4q%DzrfWlnU;38cI}suP~*2YgeEI!d5lFDkE8iC0`g;*YCI zvOXbCigHQv?y!CE)6cA?^}_ysQ4x`ojMsc&&hg3S?k*?OPo37l39&Nh+vG}sJiCA- znKG=QW*6ZUtHcR>hhRAwFDfL`d9k~VzchKtPe|K&DP!YblmbZIGO6-KIR`KQ`&g3k zC#9(b{!-K;KXn=^=N(%a^o_ZP2b_9%0AKqJE(3qz3mF5tUsLFJ5-^_@1Lx4s7aYb* z_wvN_6Zq24L;y#dM?W`oy>v2^{b>tm^}BzngZ}4>9AuQ9pE%6uAWZilCWUwM|cs# z+n6foBucs6gO{7T4I7-5#AV(b1AE-rathgLZmI2;ewpo;TmrVJ;~mb2~IG*ui%?tBo<(P3gDW-%Tul4<+aKN$LjQ_q6nEjxGAQD>Vy4_x!at$jlVf=l__byG54gQ&Zg=&q@vO^ zCE*YF#tomo@dtb}Q&ip7Uz7v8!gk{gY)cK3@1(t`STv?-t9hDeHEztXzd4uh3o4Jl zILB52SNV3DDdoa2DNv%-XiXY?%2&TtDpQI2tx~Pir<3qP{DhNWfpX2KxGFV)%2d9U z#AW_>I-Ka*^zlMu6JwPMKVQhT-b$qpNZ0YvMI27~e&UPDX)`&;dzYZa`h+}+5KYPS z3sMlHlz>0vyV2}*n~6^4PnFjiO-&AbsPv&#VW>;Lj|c7H*yQlHHHJYhKeHi7pF|xDrEwrY`^cSGW6?3g=D>>FS)VT|iCI30T0bm%va7f$P(pJk#hFk<3yW2y>aQ0SAni_UQJ4J=-Wl1x3P9^ z^zFjX+kOz19Mk-=EF&0t+w%pcZulRh3*A% zqHlYlw;hI5cA2eJH81+M8+zM|#eExn`|hH}Y16Fp8;@82 z)B9dqP1jlT_k=ZnQ&a({C&{rp^`gQ@qP)WS^t0MT@&a>r& zs*Igxmle^kDkh&;0+WR8gsrNMA%I^c(SFDDt|rdE@)RDym<&oD+j z>|A1$WZN1uzFc*2PU#WRd z={CbF{53Xj>-2^_r(YN5J#FC(&*RrNbXUX#HU|YjoM$Nx@cf)oHYK z;6t8MuZO_18ZBt^Doy$d`&lkMa~I4Nd*GM@WO%&1wgqb&2!wpBUC&Ir)-2(OH&(nW@AS9dh(4mzY4E=T(e zzk|NTS2|vGrpH3Wk0Z{_DQCi)=M>74g63B8#frIw^WEC#R?QElo>4Po78Q2jpW8P6 z3w!u4sANlx3kzq7fs3jIBM1~!y23=@KR*CL4*Gp#tt`K~1ub6A>+XCfC@gF*s5I01 zn8VZroB|ijj%y~D<&rkL;X5gJwb>>0gGx@3Qd4p#a9B^5$@7hyT`OOBo?9~{O3yA{ zav5dDq|Pu0&hx;V9pAd-wvz*Z-!tVgbN2fF^WWuSkf*O4v)8^%+upW!mC_b=>L(26p<-!!|Db`70r;|{n?U_%3%dS9e+;f-hxRhoYnH0*d2?V0+7X^ZmRVr# zl-Z>+E337exf(KSW|Dtq4VTissm@;KpVgVLIO6?zo>*RdoZ+7HP#d z`j6((LI~p1iesPuG@s6M%=)vtR)R(x5%CYOeJe_=!MH(hQaP>$LbHq82}{0Fw1k>_E88@_vY1c{@C4dp2UwfSIM zy^p>m+48-5_wLHdea`xDj*c`)>t+;<)(DWjTL3idCUn9|TH~(U&MOwUP3JdmEKil^ ziaTz1mVo1qHj>)%gOyrsW3X|4U-2uRO?8Na+so=r4W1jWnp;%-J&cYBD-V#y+-a$?x6dW_OrWpA8wFu z6e`jFHTnVypnnv0hqBOKs6}n5-*#$~Cy>Rvch{q5a5%gBs4A^eDgAQ+>FDm7X61xY z4gCzDLl2^b6)g3r#zjA=CfIWed1^s7Gz_(BS8mr#Q=iiGFu54T*mo{u&NRl02~0HP zFJRCVp#}JSCNqyeSEzs{0eX!gGWrec5?mti-<@4?f!uaFP7WIN{U53+7nrVZ%M4$a z!XnZzp$2y$xIn4rdX+{u-KB-BE*XY!7Y~}!JDPJ|@|DVT5Mqlq8+@}r4@O8mWp6i` zyvX50QKXjsIV{5eTfCOoVvh=>L5499cSDJ_O@VV zpvsdERlJl=)Uua0$)S=@3)Y+omVCI>ow9Ql+&KPS zzJGdu9=+>`Wud)Io7B>~b*PF=DeTYq?7O3%P&a1cnmn|dy= zuviKXPuWL?t@BW{XZyunDiwzt9+Bd&b@&+?EfJTy<=GoLJ852jCbP3Hn=5bj=^f5O z{%>kV*KHnGa6pj$7oHF7aazX%3;sOVQq|&6?9mk~R3n9pg0A007lK%!9(=O-phtFv zobWPKmPuXw+=l8cqXs=kU3sSTz=ZdNCIa~6+0`b)Z)G8)l?6@yiut9`y=2xz3b%wt z;T9ookTWOb2&I*`|Il)_cOTM8CU*A6|NZ6vuKfDo?p-))ZbZo+E9#TJ;O|N@Y~T|q zy=(q)-+?e3!*HhmPOW$7O=`I-PWU_KDs_lJ;wQrsl%B7&1@+tTkaCA$l@Xx*B z)2!}=gFTmlOim=O4YFwIUKze+E0vFSQ&8}oUDE|xZdOB8LJgG|hZE4=vi?F`Wp~HHD%=IJzZ2BsL-?qj%wW%*BAwQQI|uCG*GYfcw6G z9bnO`+%lKGgz&}?En6oXSXn1J z)&V*?Tvon>FXss5RT~ZlREOK(c+{Mn8>i33?X&fl+$-S@hn9NzY!FHa^9z)f`sEm^ zQ`Ui*g<8xNL$D=dl?c-o=nBqPJ~TV1r?D`bH#y|BGC#tuSVo#py&&<{#M{YX(#tO4 z6Q65Dh~!6|vXhA%tL3`mQzF{l7hHq;ZFTWYmzDY@FVuEf2WIA_)b zLbuRdU=@M_;Pm4bPN6pLwGgJ$!jqSg4I^S1MyefuPSrf-woP`+?nHTp$V+oWjYa%^ z8)}QQnn*2|D=%5UQMGJuzR~978XDD_hkm7+?&4?c0G?B{)A zE$*jBy6m$mpEpn$;R(U=8cI1{x*}OI8q?fXwq(h{a)&f9Assbaq*REI~Qfe z{mDd}2!ZE@HHMc$nMj1a{z+;!vVsL1OnL3)p((cy*$6W3_U4Bq4Ks}>sL9De zSXLnyY3cTJ5m%;9*$8Ay+W8@m;H44A9;^Kha%v93LIqr8x$Wg5Dz6WD2qK@>^TZGW z455e|Yp451$+<`hl<=|Sv{`_rynf^$%01X!8cSiHpcdpS$vnCBa!*!HS?8#c^>F3q z&T^>9dcGYT!S_(N7aKh^rrDY=~knNzwX(taUnQdnxq&G+5LoZ1oqnG&Ifs|}Sq%s{e zSn%_Z5NtCO0m@JH+^`@3Q>aiOLA<`H8J)?Cv|!@!ZM0D2urn_hp@uFWFu_8 z627o>FDOYXlIj&o^vX-~a@x;9%y2YMybMPHv5nFyIH zK0@dS^e7)01-K}Sii~zM5upR#%ncg~VhSZX@Q&9%ot}-Hj3N$(QtjrUsjx3O2;%@f zbHo<`44{jn1f_b&$$7{MmGE%owwaHr+;|K!E#~YR%}~!mEC;%YQ9h$uP5glMZQp6R|#UOKLdANiwl*+s2bjGO?XZY&#R%wmGqF+c)Q&|9aQE?w9+ayI1e- zy{l@Yx>nb&Up*;z$+v837$BBrMwrvHuOD*>sF&OFxl*0an*P{LKfdU(b};JwEeQ)y zwc@>0wI9eBOIrVn@vH*ds=7nLmr<`g{1uLDD87^r=n}&;pgquTNX69JWMtea7R?Zh zUy7TtHmMiSOd~m3Maf?fu~lTkv)D80?(M~X?KhokH#AX%%?ee|?SSWF&PbN8pArdP z>CBVY2>G4ILpfaqViBfj#7;aS-wcxb=uk>h@{LQGVN+T&T2Fh;NJx9hFR)5MYnOT< z%dU`KGF~ZtFnCCGK8!{h(26MJfjYbNB_EpbEOsrJUPS25-C!;LMM8Y8?D=<#pgVHd z*;bW?cGIh%Ao9$P-Ll7NxxJRsozbE6r-_}j3PYPleTKE#%G+#k$3F|JY`fJZx41&iMU4-2lri zP2Py1s&s6>?m`fKBN zekr#!)6*FFy-fn(!jt{L?Uy}U<`x$2&X%FhU9o{i4*mSv#7-l-8~ApkUjG9}9tUl8 zGprJ7rpAw|>K?zfzScNRb(!O)n^k<=iM!R*g)rbGcXNpDlQqq-t+Nf49s1SVb!S}h zO!-wbJG%jmu)WOH8`nI_D_B=tNTS;|zLl+)N&(*VQ$*rY;w_C=LiFTYOYG9V!_qio z2kPWsLIZ~N=kvBIEP4%-rPUzUieFikrQp}UIE~)9^=#PAFOJhQNPLBs)`kc$9|I6; zbP~^Og#lQto17z5!@oH54ECyO5o=L9rYJ{>`hIcFwCn5hIsmjv5$#ZXDx-CIxu|UR z&uq8bc5Dh(&g_B^<-P|JtTq`A;8sbJd(ai4GMFr>krKAY%zxe{UC-O;+S{Lv@$CR3 zm%E<=`Hu}--7UmFyWfnh0%lclCBJ?q4kWfS(PG-l2zlcL>-<$s)*0_F!8|?CVoMYB zuVf%6^fPdT)XZTdEP2NzSOgFdNE~>O4go5YxH>1!Lg*sH`yXSUnify*!Y%7=E z4qLn4tN+aY_y`(#J(NQk9zCVhL5qxdDK*B~I1W2|zX~j|u9bW_Bi?;Dls?>@^-m^T z;R)pD?KMArdCP#LQ22qchLd?L)xCQLpZPxR9|8m&x-cA3seFylYEW&R{Tn>!#9b7- zb;Jg?B|P8rW-|;`ho$Q8Y;9~pU}B9`#0!Rn*B&&6Z{6-DFQrT@d~Kd4Id%NjxShy&?RLMDs! ziM_y^GA{2iE{c}*^d%7(dUuZfHB8?Ex=*-7^_vO->RbBHXW8U7gf_=KmDU+n4G@G= zTyNYkCjYfQ$f~z^i+<<7gOzRB`m3xHYr)yQ38k3rjE_E?TaxQ`;rmVdgFBViS_6Zr!I(8Z=9`UC0gcn-M#a)xuOB9rMr zudoJ+{|z6J$*=@6C6|=e38h6qj-=B@PgR`IgkBlHL~JyZ5mTm^{8&^3tHWY@*Ku_! zxJ{;;*Q1yRjh;l|4@H+jB9mqd{YOKAZ0XS#(egrHuas`3>CJeQd@PMX?hQ67G|RyD z!j?M9N7JzDo@rbRCcuxcE*!|%E10XBYR3%XNsHp0hOQX4h889C8h^xf9xvj zv}}j@1ZD8p-5b>bzu{7}-xrzZBDWCUU2nGbce}}Y)dKu~T7LMt26V3!`aqI()8|RU zhL63Ids7T}Img~$!amyn^= ztvJ?TbH?jj;}ko(E^d2+FF_k9hlLy#>63B-jfu9O8f6FmjXOa)Sb{!o=N}|1tW)Qt z(#fgMkvax@&Rk80I*rVXUn9___cCJOSg7M9t)MG|EtowAUTO&W?TrH=Iig5JV*R&n z1Mm+aHAq{eNtijRd_Hc{=zVRjgU<|75LrO*W7ALqr=oCa!moshw(l#c-=B+G{C*~~ zY4DjB5vWzousWfP%mo!w{l8dY z7=TQt|B7l#8T203X?oO=G3ZNpHP%mxmDyLXrY+hsZkBCn(?6vp| zIYk%Z8d59H8Bsldq_Loj3t6cL4Bp{{`^ijW<~11>N6Z?e2bcO_CAHGN#TuEhA&ZYN zoISH?4ikj2^sqN5#ZJA(a3PF|3R`vU;KG=J%POc>^$vX-CEe|~3k$1__URfilyw$3 zF7S!)$wHitP#gQ*M+f#i9SsS>Kpwn6V@#V7BQP?ngstX>(~A1KZ<2n{(>j|?_4bb$ z5d_8RblsF(N0+0U_*o&yuOZF%Tunz=F~do-A<}0LvqR{5WWzK<-l;}?&dG{A)R#`E zrG+5SWmqu_+ouiX^s*lcMu8TycoD~VPQr&el{QRAx#OrNnv;}C6QS4k6d%bKv>ASm z$w^s-7(cbkwwAME*`%&a43eBC_rBvIm`?@a8FHFj1+jj<%Tw>Id>;YmW85|>I4R2* zLwCG+Q8Jl|L(bfJQIX$|*3idth6KM$BrT59MbKtk%T1h)c7nkht4At}9p}Rs>4{>A zh&-$q5KXioZR;K^s+ti0cMZe|Cpk(^dZ(!{)&Gwv;&*E>k{;7oFasmzY{k?@P3W>xIHz#>z&F+1nC_%!#EqAOSnmHrOBQ?9muOkz5V@!11= zK5jFn-MFuNY+9>}+wdvPjQHBSoFr_RP+7S1N@!cb;~OVB_Wt9Ho}SbvMGlBxt}k2r zx7|D&S`|I(2>j)ALMQElj}#=1b7KO=lLs9+zBApcumVSxzMjQjZ0fH?QWbMDuT37F zeT#I7>F=RBRY4(_^v?7s4Y!iEkx3*tbi!%EX6iw8%B8N!o=V-fw@id+(+DC=uRT2u z-zfw1Z|&Ck%r?-73kzn=Ym`{#Xsbiug@^kJfSu>%P_`+%j4jn8V|jMa6|(E21D z-+b6#a!j9eDBpY;1xn8ADciWIMdTv=PXR^oxH#5^{0nkOyf%8j! z!Wugmk28JeeZu1m(=ArnECT8Gnv!TwZGk5elS2QVECvJ-zQInB)%YU4HMiH(=1M2i zN`c2rgS_YeiDI~;nh;EL0w~gEuf5`zq0F$_x{i)H!Um6d*K={(D`d(Wzbx-nF_$4< zc6=Jqh<=5Nxn9q%DhnJLCvbD+{^RM?4Vj6gerIz$nUlVh17R%@jq_5J=w`2z*OxiD zd0?s;qQs3Md+RlBvh?Tsa+1&p{e<)at)Uv$_4dAX1Ga))D{gwQ)QSnUmJ1TX7#@(( zleM(nOx_pGxeeUz>}=; zcj>=A3)w~+6&;XttmOl2{{migSCpNBxJ~~u6OCmir9KBZsfwtY0BKy`&!y{&4o&U9 zU!oaKPH)yI63Aef%6{#y`B| zOmp^0j-a%dCc0@#Knb$xaeA;(mfs_o!WaTywKR|GCi)4J2YLEnTFr>K2KWx;W020C zkspgV@!zPA6d3BoQ-j}6_!oe0I{C{TA7uyM-DKW6yGUBS8^;^Ph~0sJdY|%yFL7W_NvY=GM-xO@9Vq_bm)CZP&~*Ib z4tX=?r1wi+0?5d8wIr?4>jbc6b2ME7vs_;&Q62=-5c?E*kKcgJofu`OXfJl$WEPyy zV8D=E{KW&hMsFGaN6t4C%lG+AcLn5QYongp28uI()Sa*A^Yi`H@ov9;C}u%0ttDkZ zAD7MO@0`VkuP-OT&b_a_d!O0wz8ukH%x;OwL+ZQ)(9e%Er$3HvZ2OhHeIW{_J$0#U zJ0y`b*gvR6D$-Xf1ISYJhFRenefs;m^cr{6c(KVwHO(4SzOok6n%NATii$LeOjsvQ zRrUEJRf^14oxXPI?p!6Z?CkW}w2Bsid_>5@EoQed-JjaYNGZBwx;&l?be17M;D}f? zjdAIdbhC?X#LO651s^2q)JqXQUHy}Fa#MH}0fO!hM=<8oG6o+rZ#K?DuslW%vbLCe!}rR+#tW z`?p^80JQOz-%o4@I_Z3^Rc*}SzfF`c9aSPt1x_r`#f|HA);X_ke9hT>x`uX7lyy6? z%HBk5)&#Ece!iUDL7m!4CHtAxyMv0<^@(gh*Y^oy>=y5Xsq2j~IgL`#{TR_MXWw3< z(6$esk|*5x6`XOkWoeeQX)ja3kWc5ut8W-0G^lGBCZ@HC!=wf8Gt#rgs% z{ev5qLx<%u>Ts{RJEHPWitcE!_@hTt9$vQP4n-ha@}TZ0#hGiPY^w~TfrY77TK9=HL+9O8i@tZ0)eqhgz74Qe`hN^OCEhPg?IR9PXEOA685G?Z z4vx0}n07XH6%LW@pJZ6W5V|oSYaG@&#EhC{uzqG%hemj@Zvg#(1cp@uYBgm}^ItmE zXLCAVMe0q{{++lmtUIb{y8M~6KT8sNwgP^vXTvcLqkoduHRuUE6RH}iF%nLkgtSVh zCq zeh+lUTnA&7KD39x{bkNm^d5SfzBWIu)-q`j5_R`G>6XITDo5RyP`)UXl{aVXK|JYO z_8_U+|H=0G`ybgB=7(%cLLo)m!ER+Qo_7)BnbwTM48SIEHVv^gf4#bMSHq>WufK;^ z!#4H`92z^EzPPN6`)ZS;-wTM~z6QC~oPj4Qa>=~g=dPc$ME-XnY%0P1Hm(Sn;bS`d z&H#Qk3s(9;8sU=kZiecX`@iPq_DT(e>{MpWfrqA#7rB7eDV52sh^6&x>#9DxPgYai z6XXP`tNic9%YhVW(TdPZgO*LusV&1)HQ#ColQ=lMV8CYS0Vs#R3G z89UD(YATw)5m6YxawTG$iExNv)Emcl; zAj@-WQq^_gkS>hV*tqb(e+*)fBJ5qODS!+f9#Av_AnxO_S6vQ&W5B-CAoIm_czu2hU4Ga-e2e){Uqhu03e96QyOS;9kCY% zPWMJndg_hg_J}%LV3klEJ8+XhS3K;%(0?8tHks}G2}YFKkpejCol#) zW2L{(DNI*QPC}a=u~HIlAmlFA731Fuy%0NUpMXV+h0DfW`d`8Kw9TFyP}i0uWRW0DZt3uHy;sgYY^&!X-vFKJ9yT3DS@G#Z zfCk%v$PYu0S{GgX5_tFL*jzjy+;w~~#-hrCLB7|>AMgbSb|^#k+M;wLv1DS!%qJ41 zhl%}64~Eo&Ih0COI~E#k!&E8bc^gYJ91CK8A6ws5sP@}tB468B7`t$!HS98yvs`QU zUfn=2G-h^Ih6DFZ;Pl?VITev_NK*bl%~{8j;8=V@@nhQhM1ikN!aB|rlgQCQX4~z^ zP*K@xwVI$nk)Fg_B{B!`_vz;kmiM7t*;E!$=rV2srfFnS48ol3m`CIx*~*wuUjdZ1 z&=}zd2sr%teO#Ij9s&h@Vj`AvY~8|Vp#sBeEh$kXs3#B|rMLc)#ZUt-E&-qQ&wrmV z0?2DAeb|E4&Q_MzTH$~G{S9hoAhq20DRXD=nsC$AEbzka$3&`tLP8K{-a+@$5~!kZ zmFz8SpZ`oJR2O~Av;;sUeiq^PEMLT%Shac%$yw@b+pF9P+Kv(DLaPe3GGod#pi|1Xw!s_rrBM=e(gw73jV;Ydi@HwA9FVN>3w# zY0;=;STq^&u?29HVh8edkGAqbrFQJX|sfsgKa5SZ`ZB z70C`(5W$6?zcGH6=+8Q5|J}P+JGveocEE&1Ie>#CUd{5*^Ap9z0@ee9Arm?$k=UBZ#tXofVUJ&zM4)K7hRc*0dfko(me%@n&HCFYc;>CDe2SGRa%%`q8!@X zzcP?zB&NtjSUVMvk}gWoe|6w+hl@F?K}IC12%_HV+Wp4#H3S9KDj=X%6$$Hj!1L-W zKqxVq36L_ESgZPuvsyBP6FL73v%w==7mYcE#Ya;<8w{9I6emS@Q&2 zC4IhbbpGn<;o6vEFF(yKTKwc*+(6}%pkC-!_rdukFyz?D-n0p&yg34N3do1}48nS!Mrgr3*8g z%ST^fEUrEyc8#JQe9+`rX$yok?pxnkC3GUzUkEt19sjG}2lveOofROMFN_S(G9{Qm zBjK^kM-S?ZfRiVO@!l%J^2AiQKTCl(hRq0LH|9RLQ95Oq03Tjt`dh=l>`yWhwehEZ z_9?XTkg-J?a*8rc=@~{e%h4y_xEkr9Erm`E9oK;vHS0v|_xC#SV*l!ZIPSaryJP%d zU+)>8R!IFd)mcRT27IH#pN|M8L`>^My;~K!eD{uQ)vSbvnsX zB3M4I%wIoB%-YRqE7O_%2Zu+AG#djRel zjm{+;FT+7S+)}XqF*%>fXo39M9io41Zj*&I36FwLtQ`D*&Wo>S7sbA`BN1BlDB*ER z`=oXF$jjb2>q>2cv=9Pq~6lnvw zX{PrB8sU;z<$KM6`!@2+7T4F~f zDrxiKK+B_hb$aT0CrEX*=I~ZdHWOm!nMAOHhM>gU$PSy|_IPSqQ|M-n%AwnE6Xs(c zR;#Z|92ph`fgk&&de z0-I<92Uck*8a%B38VYpN$}~3ewVGc{lR~&eL7N8LfnqJAX8a_6)K>7ZzHH3C@w)(v%nwU!77H!-{VhbMs?TKqm7VVg(XX8>@)3QAhl2|9+d;qNG4-`uXzn=<5V|>aA0~q;ctwusLMI z#?Lba>jH3rZPczaz6;mvOV=HTqm=~t&?GmW4U3o@{9cP)T#Ony%)IRw@Cl4MN+R) zn{UL28M#1yYjG2eJICMpkOIL>s@S6@d8|usBHfdnmc8*PLJrb3m9}C0ZTUQOLr_@z zMo~+y8%Vn&)aagtI4&GcVL{iX4#(az(8o9vCFDs8(Fjc#qi{J!d)!?cQ!{!^(rWKq z2V>iLs((VfkUE;wx{Xaa&0P}klvy6Dddsg+;=@{PuuY``*NUMnSpB`YQ5c zS`by>iFp=zCxgvByvp4CI2YZJ7-4LGkf^R|p{tRpsG#>)+`W0oM1Y(Ga!60pF(E&I zuKYZ_gv1RnxGJ=elcMQVHWZew%PY|Cs~8PPwttSlJaLX;QeEs=xvFozfdP4zdh(^1 z<$gE!x_Dp3|H5-bt9`r)!M)Cw1ETY=+!fLFN14XQ*~g1a2OOVCVdu(T!BHaM4uc@G z>+`bZeyu)y)JW;~@j&#(gcjDXUAVgT+kK9lz8K}6;+%P zS9Rm(kvrwrqXD)L_DdvEmE^6T6?!thnuwXm<H;Nm0HMW333$P> z*+pfaJ!0=ZdH^siR(lWI!@w>8G!r1?@|94i>(FP24(Cls2{6p6Y}s+_?TVjC!71rz z^bkcm97m4(OOV@_HO^nJa=}qr43_WPf_bHuQW_~y1#ZnZ-5j3Zn$3~GCIAk2J<0^v zH)s_!4O9Gw+qtn*G$ZN?sMSp zy}dJAzaVB5olk~@o4_0h1D1{a)qBc37f`PwLd|hyG}rf&G;a~rN;~DimKxByQKnZ2 zEBKa3Tnk~OLveMchdYXp%lXhUNQ(z&$$M4R+1!Eb>a=}UasUQBgVcC2VzMKy)9F)T zJG?@6qkbivLTJf^zqjM=^^d(4d`^Rcq2jEwE&jzaS%nlznOCFiH6nOivZ%+dnv3Le zvitz`lIGHKFdrI@n)(J0X9;tvw`Aj>5QA)OS=>^jLSlK&=@O*f9x`dWFR803$FjVv z4h}xGp~vjsmrmt^Us1~eM)RFd7L-oe1ctVe6Cnu_O%2lvJ$btF$su(STDq}I!Mf0= zZ`4Jl`l^Kn$kL&p@S}}Q=tO52gn=b{0p!vKA`U074 zyrsJD{>E^`5OIXx9i!&>+Ny(YEs~Ym_;jRw&s3|ngNS$!h6d)5FGL||mtiiL#!FiR zL&(5M&9Z6a$J5m2n1dcR{0IoLJMi;ir6u@fXGThD-lx7$GXiJ^gSVrQ*AWDE1R8aT z(Tm*gcudiAV=c~!6?cE`H5V*d96O!SkBJmn?P4Y%BK2-7W$^Gld({j=VLh;fBmu;H zxWK9guLY>`LtVY4_TNaL(br8y)2@04X@eW}ML%014xpxtJJ{fiVGu~oNeydt_JHaK8kF>NlW<8W_YM;sO|x`{#$aq$=OLOQJp|OKL*X=&S!OzV zL^efAB=9GtOLa+FSI6s>4QVD}GV8B;+@th`i@^A%^TAJn4WE$s>(mVeV>Jqg+5X64 z&yjKh9n=8{FTjwoS4V$L1`ajU@NoOaKzmIyNN*k&y~?nW(Zx2Z4|~Caa{8_JE*!_# z3aGi@n@2d8Pzn@3P5yZ_B$f@I?%%bEtV!`dCP9Duod->H+4A!cgtzih`FLx~=PYEc z*<>l}cCi3ACUM24qg?A|>Ha=}f`~?r)qWbM0Tq@(a}mj)Ym+?qa>L)dTCfmd|NQX_ z2{Z1OLS+SV+K zJC}ul&Am&DDYc_v#O(>$5B~?CH{agL@-kK*or4{g zDWj`hhe7?8xrOm0k^!MUy&ImQAEa?Rduulax{R(Zqz~H7;K$l8^BE`f3F8Oj%`kqA zI{sVLBlr-b|Bzc(o5iSg{KS|=FV)|R1-y8W4ppNv`p4p*QeK-q!9~@P!NYM`Jh|e( zyn3kZy)a}& zjn(Vj^hio0f%L5fdjcfSKvrL?*2VYrY48^MK-gy)>#HymrLF ztP9jpIzr*L@He&cnQW}g`gJShT7*6H1bm|`f}kiGiu%*y9LI}=17j&X=Sc{wS_eyS zp}*xzQ^XaMruIyDE0uK7Oe^6aA3JMqhJyK>S9#S~YPjm16lV3k@CuSk3(eU-61ei| z9mj3x@J3MnTtsrR3OLp=1(1c3`2zNUrIm?BmDz z+Oo#u!e0eJa0oNrP_0om6I4OBU%!6+=OC=mT1wKQx>9>_{M^xQlK5B`L6Y`>FMA?A zMXX(YO;#4V8~O$hK0&Pf0Re5RJ;k`x)Xg{ZV?q45^o)}@*g1nteqpjH-Qgdq6+^vUgRCI>fPpAI#htq&!JU$oKnd?6;|Tvpr? zYq8aDrdH)NKMh_qw4ga0@~WG#G4H> zX8XsX`CuM5bqR>Fp1L?F@eUM{gNJGa%+3(TEq@T}QcAs;Wn$=Wn7ho-bPu|SXuUi< z)LaAk#f}i_5dDMYo_c=Y8`5s-QtU|rp#(LA&?G8haOHEUFq2OXU=PZH6VTU?bmq?t zmo>e3*_!0I>L?>clEfhpFn_WT`+9S^qU{~QFSc0+ub!bf=Y_{z24!1mY|=TSd7^g~ zWwkeHo>a|Avrj@(`9Lp>nKi%&X5>=X{0-ZFidhUd1mhq=ANXKp-1i6}*fML)`Nrgq z2}-62GDP<)9fpdN(~vY`@L>7r-y2~)+=)3_GOMl9mw)N<;@w|^=*_Bsz5dbD*tQ&s z-A48H!_90>=*ePrDc1rh@%}LarEUL_AznB=%B&KqqH?bv94_UOXYRor4X-ITjyXfw z4qYNP6!l99RknvY##F5kJ*~ErsOrRY`HY4UE<+d#>Bs0(uPmyXz*qxa0Xp8I@n_*_ zv-W9FV225eO?&jNr{~8@>{vsfk+=Xzr_%b?FH0Xx^PexeWRk;`I5XY9(X85;LpV`5 z#?#fJBP+2zSSRoV(d@Dccxj&oefDnic3F!-n-AH}dw!myO=i)2$c6~686tl60EDVD z$xMvVll;WnTgwXLp79H3 zT`(ZG@)^D1<`DTm9wM@jC55OWC}K!`mlMB?R6axH+>_*5`6n|CI{Z3e!JG8&^{*~+ zvNCn3BABy+@fE8asZaKj&%40V;6xmFu8#5My$=Ayy+fyfZNUuuo0@yZ;-~pOBWfZe z>dIi~3NH|FHLp;i{4tAiEg0z87`~jzI|K!$B4krlhwkw`W12Jaqt!d6rfUuSmaC%a z+by{D6LE-2HweF&Ro8_fOQ!;-J4my;DJTp`9erC?>YF+QSU)^t?zwiG>20#%F zZ1{sQhCVhq`N)uCv~Rb2QYG44>ZvXaj4GZik+3i6BU+E9jR4BXaZw@1-=F3?lk~4> zjg$bF&_K+p?aw1$GD!&pSF!CsPz6C6$sL&XngPg;7aONo5|P@8-7IC0{8Eu0PTFhv z(4|&N{zq}ZP!JPp#C)6Q;}=TMF^}J8zvcsRNvwlk=jz#eZ=SGDL+dw55<4WGn?4ONsH#6 z{K}-9hb4afxn-d-3-RRgrGfPD?@R$|^GcNd3j3aEx~%(N6yq*A3_8K_u$sOj#Kjd8 za<>Cb@AJ3HofF2ASEh!SD3S(X?AZxHc)R76?#g#_8f~d;cdf%%_5^-Vu>6G&f(Ur> zQDst{e`|=xK&{eBFNa!J_LLHSTlVy`2<^_dv#pn*_12lM-Dj>Jjih-I8?Se+4c6fd z?tbCTq8}@B!&v6x9PF5_>OaDcVKAVnz=wr-5OCZ|9-63{e7CY&$=9y*y zhK(9=b-_E_^7m#H`v0CH4mjk#6L2ylye^1AWwvj8kEriH9bOn_J_DcdJvI>Q^&f;2 zz{Uj1izO*yu)}LzZ4$#W8-9rqzn9kZY_-D;H*U=zqoI`1`5RrlZ_VoWyiru=k@}Rc z%I>f${TqXFJ-;8)G=Ee=N>fXM${H!k&w=qwG zkHJf>CvQjx9(R|{MJ(-7La7XRjKd6$bz&4VrL3$-+EkYWFe7`Bvi*8e7{B$ zeV=w5Gq#-C;>U2^TfPxPw`#15kDkH}i=7mAFsG)!2RbGduzvIfksTz7yfti`x1ZWmV>9R4*xNjYiED6TlohkldWW{oL_u87(3e&X% zz_+FYIe}hDb;pW!TP^>j`WpYMa=^%7t41mv*>LmE?|%-B2L%7IP8|MVbZnq;bZj}T zhUk<*RoHq5F7Pg7WD=i@%OObjt9Yemlbv8OBc$J>9t6OCOilPOKJs_1OKfBz`Mc>f z8iIeSP|w_8yw{esqIAt#!GM?ta3ePi<`+W_jJ&+?apm+Hf>rsM!I@)-+A)+U{!Hu;I{-c;4Hg>!x_>7x+@SCOXWYRYYq0K`ytW1 z3?H{QemP}4rj|&j^lePxsX`_OVts~vIIfGNvHsO>f8;pm7)iqX)ZgcWdsXTO>hDW` z6Beo#1Du4w$K1!<2mh{nwQt_m^q&lap}v!l#7)&ucXV zktP}1jHQ&EinQ1_j{lKpXjS>?iUEj$#=W&L0GcKgfWi080nlvUHC@TRg!I4_Puac% z_2B>S&VuD&=Fr@quSC`vYt*^%TQ%QxC!yjL&}(@4o0n;arz+7p287(F{Wjv-#k+K#$lmCA`5v$f`wSXEhObf(#3%c|C2!AV-x zlB{p1FHqN;5|%@t#lApRw%y5HOs=myDjQ!JIcTn__t6X^z-M3-ud4cQ48a39p&tw; zv_@8vOMdlh|1UUj0W21kd^m0D)mdWSRY;1vOZpD~`rkJsM~$Z6CngQ?DUB&%`4?|@ z1WvnsxS_73HJ|@EIug*7e;xB~$9kWDZV&If^8$>hCD+HHOAI>d+T0qaaV;U){LjQ@ z`^%PX9u~iB%fH?7fBnn1SWg>GaimC&yv%N0+;4m01IBW@6su`ijb|0m!e_wj7s-TR{j99nLUqB%d^vpE2b zv?*a?!x{f`%yWQ57Z!YFQ0wxp=jkf&F|(ZU2qr_SJG>kU_p`ukUmCjOmx2O1Z`&?U-BD2yNT%UO&4`A%RD$qfCsJyF76oGu3-M{Wt z|C2-`p3l@iH*nR)SCaepPeiniR>ek>35vjVQhi@Ikl;3l;}^XBx}yuNYm>@UCWX_o zbk+1}%5C{jSbZivGOw*tYVLhLEX+e@oS1SvL1tD~X5+sVmQ=%2gb5G99X8=VNZr;{ z%Cr9U2P;1zn_#>HF?Uq9-hifM+Gy9bRBYZ&9)HG~hN;W^GqW4XXEA zLw-7R!`V&opOV0EwSPY=##$U3AC8tmawBSs{vb1YY!T{uMcyO3xCWD<%my?1-FY~C zwHI`ni~%K;CZoWTcB{U}yJ!Aokroz3s~5rU+3`NjKlq=@pK&L5*B-(+dZZQ0Kv~<{ zCb2*OACJR#9wh7y@VNvX{GHFWL=zZSLT7mdIRwNwB#R!rnP3>HrD#$=ay<;TVUsL$ zCj-`WYch}ZD^EPMUnVQa#oriZq-L{8Aig}X2)evhJe}KgMCyF-dZU7^a-OR5g_wxu z?5xUV3-IKBknYfq8lz9bwxLzr#2|gdB4DVzl(Q*vON~+U5Y0d(oCC@ZgaI8zG|2_< z1!NtgQ7V~y2^2+^6JdS)^es(9)VfQ}JiUQfA@??4&NzK8pRI^%RfRTyuNz&;CfI63 z!TbA=Y_SvObBQ$H@8mnLFsFGnPnDImoda*FL)2rmv+13j%|xUf6)GXWPsyqKr-+qU z>entk(+_v7$B-RzqAg=yPbSY2&o^J*mTQd#vY-j1KsYI6GVW_t zKI%nnNjDKH`daS}R)+SE6*=x**X)DT4%XSX21wX3-4zvH_L@(4Q&OUD4-lwsAHEoD zMcM0W^rYJkGR|o#i$C+pEiPS;E<3@{(H&k|ZJm;JoD~8doPQY+DOVS*?q^sIX20Yb z`Pww6;N2_xWDh|KX*kF!dd#L(Z=m{A(oFQku`-6s2uQlVI zfjV`+{T1fNL!qF1s_2P3_dja5U4n(<(E8 zm#q0q#?o1nb@}7HLV?F=SZ!FV-}A0As}GM2{v3}%AZW*K^~AgD@SMLZxFhU7!K-T> z>vPTMm*0zoBlpoOL}2FQE?+v%YQlxq4|DUiM4zr`lQef*>~J;QmmMF%VO-kS9fL`n zw>x$bjbIMxnlb|&TaYfj$9{UQn0j`+A>xX_eu=1Zkttr--E=(rVh=IUEZj4n^WYlR za7yL@hL_de#C;-^C-t!3Me5g;Rsq=v3DK4P#y8~ELxFsW+Nw?|_*%Y1(FL&CTMIaw zI&nAGm-sH(cU;m;80Tnke26o|v%6q7~>CzN6 z_;~c**rjC^U}Z;GzRZGYR>nsj^?YefkNS^DJLC(nIPZa)3}((92YUj=0qVB(xq(V! zVwpkyvVGen3rux6>V%L5IaOtOkgCP1hmy2e>hoL3v?gvrbQhaCe=nug3>fFh31+VU z-IuLb3V-K+x;RT2FOf4GJE4u#oJ2JfB5)HGp(EVjn>fCik^z{srWZnICuRE#s_fCj z&=iCEOSz!cskiKQB@x94Q)r1-Sac9oEMx0T>rF^kH@C~x-A`flkXSz5-RYV4^yUA` zGPn7FVJPqC6(-K1m|w@i(FQWef!olwvi&~*UqGP0rJMDHOE~z*>)p!o|9Tc&!9*Ol z4v+UMu;hx2=Xvy`y&*T&cWq>ZxZebB9X+%*ip7P{b8{Lr3cXU(U z8b>#6!@c04u+r*yq4WqU-HH9F{w`#G(mKYFclOixE*Dtxa*~$!8@ihdRHfRq)1V5gx(P}u*SKJqJ}ieD(G z7D9K3vruO(gzhGY?s&PD!fMe_6?;)RhrAp2PGRHLfRPI zJ9pcBrlE?>a%WtUhy2#a zN?rJjghlxEq(wfD5vy7?q``7GS8@MJC8@y*MJlnFhhJFKySJi#m$`@fV&okC#t0nL zh;NTlWwlg;FLu3qm+Hg%bBfCKmU{876X@m|Ze0a$n$I@t%EOA@MKY+SGlEWoeIu{L498lrsj8$tP|G0OA!^PxPSqEiqhO+?9pTWiKUi4zoh z1(n69uXyvQ;F&Xkh#3!beje||n708N(FWW>MPK^`sW|!=Dvs_-#Zf~ljtmt?jj2c+ zdKnTnr=Lo2J-c0Y+op2kC`<)C(**ibC}<+AqrK>(;0cK96ne6a23?ya?*RO^jC%m( z+pIXH<2SGAnS;@v(cW7Jh846-EiD3=&K>=*|Lw`i-+HHK2j>@iXBQpH`l$@d0&fde z0M%uhAo#s+PtF@PVuJ53*^SpHZ;l(apyFLG1Ap($#mS3<@0x&L9{I+YFF(9XjBPSo z67tDuqw&;{o|hU=m@Q3P;3#X$K;J()IX-9tS_SxC2KWnDP-iDUYVe{A&`;J%uIH30 z{OxBtRvNv4v-#wc*+-mwT*M3K9@Jm7jrogz8-n&1nY!RNC>A^qw%R^V5#qlpQMA60 z><0Vu6qE9fZ-ZnC|7-@U_taLs+8Rfruz%a8TeqzM6HsUK*(^!(Xs}wTNV85Js?(^0 zVG=gj5v`O^pT!tT#+A}DTWtyPwTPK!Q4f=1wOng5yT)^w|EAY2JnP9ACx5?pcHCNh zGu4!IkSM8jnvsk>ZasQea_kmvJhm`BijI35QCgcF8`2x<^xHXc};crgyGb@AproZjYFF(wud zv*0GRQj9ZRH&Jk7@|TC>Gztf|2o0pJxR1%!uO$0=AKJVOv9kaPAAlQBqVNh`0Alxf z6=~Kvb@liUA8N zwdba-N8QwF)auiM4~{-L6cokwigDUS2JY1>>jh$53X2^dlsisA9UAwXOILQ?IvypcdbAo0gXQ!*IkyU3O+rF>s)i#b!57&Z4l~I zEa;L@w`i;jjW(9%C>PJ?Joi!qStnS_llRfocR5cb>Lklw zOB)zkNr4C%!m7!lYs~c&2pp2Zl=KEPg+nxKDWh?OPI~wWqzGj18Cy+BExR0Qk8x8$ zpGn%kfB?#riVPcIt3kIbkbv^6Ma1g_ikPdxPk7eCd8eu8xh7Me?AtQ^&UR_!+bQFu zM~hY$)v9ix9Ur=jZPVKBg2rmq=c?NdxS!SOMFy|2yO@<#?DGh=KI;?GlitxN z+01Mkb!U3pO?XT?=#y*L!LM+b6WHyNX)j9CBz0gF$KBoS?-$DXVbu+*litnX4l+*pSSQXr7{h1 zsWak@UeTqxP!dw$W91|1TM^NvF9jAtY*%V%79%6#|FUjOh1i0>;8ktSM9Lx)>u}*j zQdwU!@5c61E-uN8NxhP`vHR3b`G*|!~z(1nS?LV69`FBo0iitJiSGo z0}z3vv9O=d!!gNieb&ka(BufHtK_p%tOn~Q)F5ct1Sw8z3H8FhDOC){O+k{Y$^#&_ z-R*{gjn0Yl*{%X(iuG-NxYqt`^V3*{%-HcRmV<6AKM8;X} zWyn-lO~5LfUuL&iZYzeke}zV@l74L0pVtN)aSByJ&==eCtE6uC~9wxD{XWMsU`M*-%w#%KXAGbmLSppl~(E!Ins>b@JnO;L+O`<%sRDX2? zE=gKG&s|q(pT_GOvpsXu0sRYa@v$e5DnOC%+F(+-*E2jU@=5l30#{>SYPLl?%?{>I zI=?tOI=nbI+dDcsIBvOL+vPozBsSV5pVe2D>$fZ!3Y{<{0UWK_3`7ptynpE618gj0 zQML6zp9Rg!c3Fa?Hfd1c6plxKdtexk_wg*CJe(QFJ^*yauybJBH&>{QYQ-6SZ>^bD z9zAlRdacQR2V%g}ht79n<|noBEozLX$uw;7IFEKp+HS#SxYW>VnzTJw%D@b^N`8KVsv#!x%@0P7ZeLF-rD^eS}@2?o&F zUKIAPTF59|Wj3uvIX~(3jm7w$ZPyB7tCyt|#Peg8%+tO)fUW2c+?i*Z2NkU}R0l|Y z#6YfP+%-Qc-7rpye&Z8YNOf)(Cw@^?J~&V+?iH29DkU6|)dF*Gr9>7ZY}x{AnR+#t zmq}TcH-!LtT-v*fJj8g^se)H3EM0<{V#M;L9ou8R*r(mXr)A_o&WQ2L?wt%Zjb>v^ zf2__5zP%7DF^0X$9h1N7av!m6mJ)?jN;Cf5lPgthp6cWBd#A3s`>8k)Lljoz(#>W^ z!jEirWEEb2jw?-f#tp_@9NgkTQ2A$Dr94{2b1el}Se)dhW7aKQJB*g_K$;;t4sovGGd z#AIbc>q<>HZLug#b*oLoaZBXcT`)I`-m<8xFneCNSls5?-gGEyhAeTqzH`NS66>+$O4au~) z{v0o(F$lI#?`KL?EcpUX7PNo;E4W{%UfFfW8c|hRXlI56VbN>CE?DtSIgbA)1Tky9 z+z+#&i=8QbSZ1BagGo5cK9iM|wpSx39CV(T82n}Ogb2{?*);`BQ_etFVbJ&VFYFy{(S zC4o_&=0NbpcrKHIei9b=3)m_n%6KX?9V}H!iHCDyiPX>a=kY)?D;>V*UHo`@(0ge_-2uW!IQlcm`P^L zWz8LLlH|Q_s+pyNz;`;HNI7?j~cZ8YT4FDp4JP?zJ~GIM6=#B zw(}+L=H3uKUVfhN?aeN|Ey2ac$S=QC<_B98XM=z?PBx1H9?bp&9b4Fvkn?|Hf!n`pP$%ZX`nxWH09!{wfQm2?JRR zgUsW1_$%Y z7-aG!7=|gAqI(3U6lbmR{N$ju8`+^_6#=2h5W;sGw zj?H#zc%S4Szw7dmfs(`XZMS_dUROu#I@yGv;EBxG*Ho6a3W0r44=8q#c|zTxY9^A5 z@tQ7aV~h)Qne-2y1^=f48+AzXSNzwrDzd2qmDWZ14&yw2jeU;@`sa)zFq!6J{ZP_9 z!Y38=^=?W!~ ziaW>`W(IsCuY!I!>mfhU)!@ z5l}9?j484d?Jck?RY#8?cQ7l0L_k=4bnFO2VT;My3{%RjPAO!aQSdD$)ruOK@-k6h ztPm9Xm4_8tuogs}aEsYNCp7#8ytZ<+7)sfo>e;294UIV_F04VCeC~yXO)OeiSmtvq ztny4z*i@tTr0)Ja4uB0+>w-uZKQ_>?E4Qo58wD>1WT$Ro-KN@;kzc$WvR8Vt6UL*9u(ah7D|W_D=D)hG(C#A z>)25o771`LigNr$Ge$MuQiIu+rm#Gd;P~X?aQ^^}2L3*eG7OrEU0^aWe6@QDiICJ^ ztOloNhl8CbdeOpWiRzaUqW+RVu&f)LM>!d?78`{1udAujs~rQt%tZc|twMRkcz)6l zxkHJhLHpU>H2RSDW^jm3w+nPp)N(3TdWaTF-hW1jwJn;Sh8e1g=<^LJrfB4_ZH#!j z-3`v*6h|s9J&~dFs}`*gTT>&yNuCOA<~D8YHQIJPsQnY$dfHu%r7p#Zf=|ndC>qA6 zVM7YkZ;=OCxc$L^e#Z>R8pkELkEvD5dUUa0mG3AlDwvK<0r^>CHlmg$GfNK2EU~u-MoRzQ7>^7%^%goDQM^JM#l`nGNs=cy)v6-&$B% z+>8hcpU&Wi`l1}yO5o^J2t@z-88!Gw;Q_z4#fXS)VkR?kSKw1*2@H4MNTZeQV5Hye zC+4__f$aUUkndMCLd69i&WXw9JHE0i%)F<7M(7z~By)cfP5QIjs{R4?zVYY;JjOyg z?3}L{Hf2VceWj++TSf5oVCx;OiibZ<$>gvChqpe^j~=}XxTde|nu_l%B3A9D1B^D+ zAJ3sm!HFB5XPxS;()Ou>qU5#0e{o1&9G=mmvh2kZ#@o}qi*GSd;yY0QjkOh*tqOu# z@H@f92N)q1Mr{+P?Fv8CmbA_Dcpz2V%2v+m*KiuLHxd58M0Z?q{W&nga1s^$9PCejo_EBgB>(aSKbAL*Q0=^&6fxh=?#qS%PRjS0Y9C=rjZX@ ze4JC%1^{1V8($!2SyfO$Vn17MixcB+e*|K}iMbuG&IGhjt-en>{kc z;16nODyfMUx5I2%W!YT>Y~ebTDx3Mb4Ibxv2+TAkRF;kI=vojDGt#-W-AhgDOLff0 znq<+TR|e2!F43Wd-DfYiyw!XzUGtAg+4AiC~h zh1H-M#H!UfE?0yp8fe~mk)>V1vcs{!7y`RG;f$oME^N?sfhtP`)(8VXk_62asj928 zP-Ebw$?VZ1+4`+{p+y4A5x-PI1w$|=mWG%!TXW%Q8}dSq=z1O{t7@s+?9ZZumYxwJ z4K#p)w^*=zHXU?1(lvPwP0*r%tVH05qkn7GF+l*bbb*Hel9|_SkUJ5q$=_!|i5^Aw znF*{;fM$}?P~-SR^4L}#X3g=)1~*F+IE+$?7zZr($?Jf_H}w^*GvyQ}b=IFxlL7k>S|hFi z`YttENTW7_#bZ+mj1DDL-Hu|8W`SAlm0m*sEwVRBJq|@FR!ff(;C;3$6$UUZ`kqju zWVUyQJR)|k>_Ru{a%CH$O*1l+;3EMIXq2W?%w(jwf|Xr6W|H z@=vQ|c4+Bbf?%~+5*z(#b+wugO)Ib6r%PDsP2J0G4#D_H&Kg%3Oez}Yy-{D4m)S1{ zcRD!ZTU|blM_1Jq%vl*%vKd#(jjqRMyQjYuuEtHBf)F#!Tp7j;&d-kc3ByS+(4bBO z<8zULv*fB+#-M8Dx4I^%6OESy)9{Zq@$a%Gh{b)vB|&McKHEk?f$OtgJor#JzG?(M z$&%nsRILeJt}eQSnY#px15GgMo)P8`E&WQ(Ua8t>lA@Zx( zaMOrK!42tT^zOToVsMxy6Qv~qIJ?f=Fu+^FBN&g08OV(8Ltld$0L6Z<&BlFHTZ-(gZw1qc(uHB@eJHE51Bh~)Qd!(Y zL3Ty?B57H{=Si22{RVLv{5azlc~;6n97o)g#1UtVSAUwW3M$`6oQg6}@NiEE$R!qq z7`%xyAYMquanSws=tI<}t2B;B4hWLEVv-E_W)q7gz@%afAjoqkNVs1xnEm&`<*h_n z!Y>b>J;WEtvIxv&G)```Z5<9+z)E_;pBSDh*e*7t$p>(A}^)K(Fm0aE2X5ziE= zD{8qa1*jV^p-g5^j5z3okMZmKD1AMo;&j0|8WTwLlL?w1X8IbKt|>O(Q8(4QeiX9kPFIW@&sT>v&cu9@6PdGQQVtoOC4m)ei%GK-g_OslU(|ijl zAp$R~SQ$&RM!VvYZ0MI~B%g+lAl?4pBfnKXVvROWZC8)xUj|021|PhW2;TeS6w-%l zP5|OP)T!?nbxc92nWvkzOvVx#kZy>rQQ&FlyUrVE+<8L}_OiFlmf^iNdnw)+I#=hE zZp18ZR=HwLTsP1E6~NZuwrCkUAsEGcSU&OAN!bUosG1SQ{>4k;B-~CoJ-2Y zSjmZqz#NV^#_~;c{e8-NrmZpf*$inhD;nENjUye(l>0N8gj}{`^|BK@=(l||Wp7^e zfM}KdW9S>4@g>|%I`RjuMIT`jkkII&Vy>&wW|Cv+l6Z?RO{6=|_Jl~-5Nyv6zV||~ zKJ9VY+e7zH>J*OdG=a*b8Yf{Lt=!otcbaScs*u0xsCLN<53j!+w?->WZAVz-fMM5Y^(jA^q_iboZywdMC3+)>ww=THXUm|?5J-lBQMIUgsiYD* z(^k~0B5W1?I@sY4xtC_-+F=t8d-fr}6ZsV1GGuCdUMq5GR0h!)5HLk!@gzdo%(_Xm zh{2OS1mVD8b@&2l@SiXe-|l^PKml@256;d{j`xlZFMjNOt8MvW>#QE7q&Kl_>y%BA zdzCpO@$6^(iv|Fom1p|h0Q4ykx6sjnKomOCKi!fy>iU3^};X*}(ymdv!QEd^XE;UwB zBzyel%@6gszyS2BI{kCeURSnQS+wn7qwwbK<~w4*c1(#F#I~^tA5pLwRMp~lUA|By zu49|bS|x~O{3lvP4oiUwm5>2q2*r554)bV$DMhbAE*YU69LsOxP%>0ug*7%eFlSCD zt{xyG>h>mq^z7hy)UFPhw*o}wkSZ$V%*Dmt{Oq8^$vcpV;f0n69r|nX)u%fifC<>*5jp^{%7I)2o2FM z!~Xjl%;K zxutj{$~Fd-mr7<*to}^wzf%+t<9zZ2oaVHrh{iji6{|(>x;8)h!u&2 zp+PMG{(Meu7}oF)Lx8O8MCsb(io*zCn!!sLsR}nlkC6$3ffe?FITi(1Sb9a$rKf6{D`m?k#i_;eJ?700LEf*q}K}??+!c z?0~VWr1NWI#*f807zx)C1od1K&{$RG1C>NIl*vrO`blZ3q{g$%5>|Bog(|j1za1gU zqNJ$BG;VJ#*za~V16Jv)U~!<5jl52tiJs2auG27G!2j%Zx*<*6Gh$wYkHGOoWjePC$B%S%ov*6~GzaEpLipRR0yNA^%nIMAZAE?*=yJ3S|fS3yx zvH9ZSrL$64oho%L*==?)0M#vB*lO5@!3y$b-V3$dH!S`>3NV!}12OE^0F{v|@J-cc zryMcSXUb27k)R@Kq(m}PZC5f_w{;Km)1YGv3Rxalv;LiNqLQbn!Iiny6pv7Wy1k^B521OOmd=p2BT<8b=E zwKijUb!H(slZ|}f!2_kvt7wX$gFxskths>y1+jmKuC5#wh_?Hih?5iQ^8uYN=9gmf zunH_P9f!B8Sa+6287h7+qaj}C4-$z+$#sYGlyW)VBPTDqU)w4 zZQ@yav01W7)|ZD>XB@VjN=*e%-|v@QoP>kfpbAew7YL8n))iu%B6t?Fx!-M4 zWGL5l!S$dd6xDgP)10$bn$xO()hY5lG83B2j)6x!y;qj{fA*XLt7Pk|BzeEIT+M`7 zO0@P?VP}`6By@`$K&BLwxyc;>&+Zo`e@C zt^Q=t4nFd~pYE;vGx#L`{iF|gh!=2>yMa*VsRw8yNOwAvd?KMiW!l4$v!brED3)vY z=a23^U&dWr!FeA3*N3$QD~rz9Xy3;oC+Y05)U&3NS#Lz%HENp!vG=96VwL@-n1p6 zI}am&6LG?I(MJ$15ST@Y4t|+(F~@&q684dnwquY+xkFBl+$O?fWlJLW+(0n8Jwrll z@IgW9k+qI#C*L9vx}oqQ-j*PKXiisUP^ZQS@R7%=j9Ep^|(+NOId zd~d}^gNhbqTJRCJBN8FEz7q7m-#a^Qt$q^@gh#M;byaqg#eI|ANsl&&Zykhg#>33* zmYyPxb&e4-9HCOdBVa2Pwxti8^`~T5vm)TbAi4$#&M}Ns^3HVqx%3)nhmC{iZS_Qd zCL~NIRlOyf?`3>BR(pdj*Y9f^&90&eM$T{SW&0VUlWSx?A}G0r(IghRY4EvoEakEd zT$L#%b?Z9k5?Q2hX{!z5a2VVs^8j;bqLM6B2G#w5GlMFp?zkIu>9EhQyC7P}eK>8i;WHkX z@zhI4dpz<|tyb0!ZsPG6)d0i@qd_+~2iipvZX?U_Yo7vYK$!{KMok zj`b{pDT0Riq)%wQ4sS16JMb_I!pS9UYsnlP+NcFIUSKpb!QMrg5DUlXqIrwp$Yevs z{`gB9UlnNc&~$%QbOfki5jsg$!eWPU2oRQ4xr^2pl!3C#mtutFLu_Lb=By&HCRESz z>+dlH8pSk$%^+>CI)b3d^59a}up@$Cp!a7d=DLnvGw6{ede1hh8;z68aNHA1^|fNz zN^M0+3Sjp_>@!mLS>ZnFF2Vr|SKKocciCfNyLbKux9it?uMYQF%(MHTE-RVh+pFaM zTj*4wOxIgTwB?=aT~bT#-l!QM{^wb63wyPF=WYeRaKE;f>)5ga z@5+)|6qCQ;Q=J2==kTft^`=&MZxZEUw-6hD@l=in6U>+S84d!~JEY{%$a4Cj6DqlM z195J39&BxHZqh&acjwD5AMdP!NI`cs5lTvF#P_3kofKyBN!&283ncnHvR0q4VNjOWMl@O2j`9*C3aR-~(9%k#FFdX#Bf>{az!o3zuG& zZ)Y8zod0|XA1^<>zOgBu)cj&BG2PooZjSw`U9nR*64}jU6l!dB_2Z93_i>_OH@HVx z@PK{5-v9>%@gJmw^S_m@8Z7l`Mb*=@lYOqMb*hDLhd&&=cv`o}XKB)ZI*C6-16b@? z#91t)*|6(`+hO(^kxxYuST{>_fZ2~(R=)Kc2bKS$mUPeWVv1w*zXsEy;&aY z;-NywjYjIu1Qn6If~NBI_~iWbV80eqt-4WY`n#=~TiA1kSL%E%)CHq2Ae{+N5AXX% z@NSyId-(>|ePdd#BbQnVbW^Gl&Y`Y!Yr&VwaN01!Y(Li5_qB5 zSTPjU@tfClfc^I5M1%(0`}%WH7@;jD)N!#f%hakPwIMNq1I#=7Ixv&P4~sPlLfOzywX;yk0xCo zVK(;(XTBg)Yc4m>;Y4u#iyc}jX1btJYXujNrs24E6^`>?=Db}c;Q<1SO9N~95TL1&!W( zN-6m2FeWAOzoinFdiKl6)Y0@hPLnBSVf#EzDZefyt?vCYdWpZ@{87Tmi?kzRkEA~DX6 z4qx{Uk6#`hA71<@S5FedfQ%?tHNrr^g71g<)HY#@1h=xMh*f&G5K7C`$!uHI)h||q z)3d|*&J(SyGDPw8r|m>`_jUL_CWdrhqg$u($?$wFQ^^kW0ElAjCGG&A{M4eC?K4>* z##1ltRNRskiwrLGB1Nj{!S1RSJzNKr3Zce9|(R^@J)ZP_2&r5&NJ@X~t)*UU=Sru;rwlf01j&FNB0RWP%? zzz_~+J>*5p&vjm3rp8h$wFG#{b0yl@E;*Y&)slrC1L)+oU_2($1a}E%GuA9om8q3V*67(hKvvw`*QNX>= zb3-JV<3599T+xmRZJ3VHQvHX55fh%kGVWvWAb_9obeLdrF%E5w>B8EJy+y5hNcf(L zMSMq+FKdvn^1CBA_VBkuZ_;Fcz9~+qBg%sh1@9J(!lxb%4Hzo$y^4p2>Ox&20JBrZ zQyDpF5^eYRLrcF>hKEwY4fCXWTkoREbAcLv%QfCrIj0t*J5l~I701#O*opF_AW8e< zv{8JgYMX+hVW<;HNg03oL$!Ias0svBg#k@94-yPVW<>M$^H0=1#plV10?Q-db+xWT zpwK?Wnsb8$tyqsHz+7{*7RC~?9n2f7e1&2uD9}pj49GqA;==|lJs>#{j8K;-i5x4Lpa=9xpNdL&Ys9kWT+LU`M)q4Lp7e;ixFMxnRUy08yp038xDD2+`1YSkSqZ_`W@6ggR zpx2?Ol3)cSu>cNYPaJr%mhH{6+?1;Jpjm3;EK5upd^28L?SS%0@KF9A&2Xvp-&mf@ z6&x{E3a{=YmM`$xxZ4@R<9xB=dHpd6SNUoz!j0$H9X{F-g)Ahre2@>!mjBip(@iT*Fn_9DfAUV`JLp$M-5DxQ{?V zY_yu=;5S_Q2n@)=rg{64&XBShe$1S()aQ~sk+^e0Q@0{M zm2b-W!STuYkLNZXh01tUAFLr_Dto8AO*|J~<_>wmOXTZh&d_8@x zJ9|IQ2Jr~?(lt53K_{zPjq<3EiN#0cQ{roz>SOzq_dS{RB1~ayFu06H@pOu{l3_p- zML{8a)JOwCT11#f0p+P&v%hc_ZUTqtSE~Ryd0Z8=Kee5>Yf=uG#+s>PH82ZPIOX=| zX&TXT#dfd(j%V(s&1)GX(T$=LJm4v=8k6|qOkAML6i?#oyfRi`HJ9kkjoXU`y?8j8 zaDn#sEL&9WRC5^I+^Erl#XwMDewziFntgk(Z2}ul}~R2 zx^d3XQ6j&$65!xs`2Z=xxskFYO>evOt+kKK5K%^B!^7hXv@Q%NwGysL=-L!lO*rnh z@2%*`$poZW?_7h4XNYw?pIkzdgf%a|NUz5%xS@1Sm~nkLPHxDtV%4V9Y9H_GP*vfl ziz1w2Rj@NDCdE?=q-dUyi%&7IF(HQV(1gwM~rUvnrvvsBe=B^ucC zwfk__g!Mz5)Hg)PHab>ROC-!6uHq%QSBXSAyDlZBS8J>jSnYQL4^C|k%r?7yD<8=^ zdfn^+Sn8d%6jwB7x7{-15w&U39ZNoFr?YRS@2APlNB2|5IxK8(FcQuiN@G2{wZsLT z#99G-s?N%SyThx+T#~y>X^wG$V2UuM35*C+xk_6Ng0U;!7L7D3G%NLI2kau=4W>sB^$H$>A)39irm_zR^k90+euu^ORab9+wdZ1$YD^o6lxR#&Q~)vy)@>RbtK* zT}zPhPzkfS<9_YN6UN=TWyrmbn~ zbU6rg3JYl`7eU@ndycFtY^IsY3Wuqgz1T0<3&iN{rY(~;>3xz8rt#|L=e-T&@r@3@%P zNEOHXldkGgnCEF1`?c&+yN1oQhiBD0sj5HI2vgSxGwK(jcc%f*`e{7Nd-K_Ep>xFA zRS)Mg#*Osdg?9~9&i;N5;Gp|yRQ#W`uZUK;x908g{k^&g2ZN9IOZlX|WSs0C@|)#* zH_7Lp6Y?^dPGsa@Rt~5Xw zEeYzxn!9;wLRjio?OF#k9}#zc<5Op+V(RRC)YRGex12gVpL6PrnkZ5~O}xE-7o}4p zMMM8{YZ&^!glb__)^HZ`tAC7wp)mLS3WiUZaK#%MsWE4}d!WaP^}i@hdnuQYb(m`} zm#)1=UGQ-cSbv+8wU556n0OEzzI@qxbK0(sB|V?5E>Bdy3gh2*&f1h!%98sgYh2xw zwyP~q=(}Yn{P!TV(hx35Xz^xUlF+r9ti{2PK9=Hki-^K+W)K>x&{QhtdR3aq;VfW! zuTNea^iIzXzuUVw!2GzPa9hRtAQ6{SR67;FJ2>65Yh6dPa6y%C&JJI^a+W01vn;<#=T)h$RXLN{Znu~KyJk8Qy_TNFHOj}2&tLP~XBoxW`rX0B zx236CO?0$nTA(o%W~8j1{!&+76?$4#2!CxYKgcyo*#8NGtTnw2Hv~&Fd^bXSwZNY; zAl`47*p{lfA-Nsp^pXUxQbT`a-l5+`wF;$n#W@*H{) zuRq5zTz1}Ud@)y(2VNt8iH0#dSYa{{>fQQ!@ElG0{}QbJG+o6su z^3Eo{$dwzy`ZO7zGSa;u_TTf#te1zE62i)gde6va`m)U`iUI6Vd8-YuGv&>cp)V8q zFOhE+SzBX--*`Ib!u9d-v!+yKAFixbUVL;*z926<`wBYr|4c;pr%_WeuvgplthErh z8c0+(l_lzzl(N`y837I=yrB6(oHl_a(Xkf*lZe($08%8;MWlgUX8}3Lfowq;3j5jw zCk_O<04YLzL5mW7bkR_T`Bf9N=J_I=aFsTJgwZh@&>Xn&0@NvF#DX$|2tFi>2B!%* zXGxZ?V+^u|Ya?231P{uQbLxU}RA&7OT5nQtVHu5o{i+QYF4=S;B`}6YqsBNG;erMw zoaHB)&JtU2L7PkPIgU)X03L?(ThIXxwfBjJk*37Q^EV1ew}{(d(79$jmjbaZz)Hfj zxd6#@NAH)mnNIBvjsbOjqH{9|ym-!9Y_e4{%JPWOB{Qv$w!~`TNub@x3=3_)tl$iv z+2YD~0KA)sQ!!Ui*C-REYQ50SLw7!FR1EJbxM00b^WgQVN}*b{>7%{Pf`x-7APb6E zJ8LCpA?5#~Z7!cLD1nEguAESt6qPgd;-XKQLw!JZ&%w@6GdgoOQ20MH`#&-_DaK|FOBVwYjss1%Efc`f_uV-fwPhZEZf@`j4&0 zkH7kI=kepmUq1ei&8^2@ZhiG1!S9NY+?h@N_jmFihMb8nVcf%6d@oqT2p{{&?3O+6 z|KI-&wl}x_6zpH6AgaXSH25YB=hG++zV546-AjJ;*ZCzJE9M|CPo8%xz=Tr}uP}np zQ9kHOYZ!9~vt5qTaDwjlXqy~l$uPeG32T>f9rr^tN*=^GGcV^k$Zk2h<8LG>njFPL zic13T=F@=+2@s`|3_}9p!>i*r!K-LW5id{Ym*cn}9L4=;3XDu;LD=pD94cjo-?J+a z8!m6D@=HYLT+j(#Vk8xc8dHV7!4f480&$hhB8e`L>om;sECLqUK@dm0r17tuZ4X61nbP*xEJ~-R|7OL!hb9i)k z@gwGVe|dOud~kjqygWGz_JY&Bvx~$1H%EJC!Rec`)06XqZV;SDh*pFEYDhFBDns7~ zQ63^okdFTd1Cw1*bfv5CI)VY}NAWcVO`za64TvAY33-H|u$vr^K?u2v()l#WI|0U; zi7>!I-B@&j!)d=uwES`lN`=$+Ah!hPIg|$gn?Pj07%$@?z<)VTlC%?i14mV?@p>=V z+y>UOzV&!>D|mCh$AN3^{bxLcSu_lKJ>2BZFU}5+U-jNx93GwbzP?#L7Tecgh0q*D)PtSbh&KYJg~ z_>3_id-lN`gWfA}))Au$C?x~Pt3adZx#4fj8h~gvkps9!IC|6cvMawKSTI!@g@SJB^~jIC4*1QVuD~mmK!TD;R)0 z?7ufep{&hTGx4-XC70w5IVqNdSTXMH9ml6k{@Gc z_c10_pnxX8PVxZN5>JDp2xc6N0KU&tSnBw&L3HL=AA?RXnUC`rMhhYFC)87fFk-_P zzjwP-y(_h{WQ-i41+NokV0kj*m~qG}u?sPDVVbg2}H5Z^2C6_ ztG6J*$UY9k@GN9xVGGx>TE@0V1AT$DTBN4EwrK&ni(4Z0G_Ku)71x93$wz|u`y57T z(6Xz`4BVrkR~#BvC(i11l(FI|a$og@SYFqnrc!jt+~H!<0$>o+yrCz$q>$$9U4cMi zsL6OXA9J`q+(Y9$h7|w};ogVaHC;5f)^viY;k4c2%Vz-U6k6j_u&23&3Mh}#X4e}x`P^wx=cq( zV>P;Zw&5UQ?Izdk6+MNMI&a+N=2agg&7BQH;yv?IqQxhLw1~KsC3bZB2zRdk0F7ng3_omN~qr2_@Oz71#p@Jn^ywT zL?K{{0m0MG6F(&S)U&Z+YF&n;KE*)=mIJ$T@J%Ope+jZQ{C)LJH+Vt8fioR#H6vjF zM5zR%lVJS-PBpI%isMa_p?7(k^S!%f5;iZR_6s@=ck!ncw%9+|Vo zKP_NVe1BnI2({P-j z1FH%FYB!9p7qDiL7^Mw5fBh$nIY>%Cc;8tTN&Sav^na-Scbts6{ZFnMt=9j3x%n0R zcJ;qoU&5b1^uND|{uehr826_EnJ?jPnujs!c*pT&8m70R?`!S1EtT%!H?QF-oppol z&CRbm`0t;j;NCpHN>VDhV+#{MX}XM8E!uQfzmaKDYI#(&Ex;UnqXHCF-e22qR$NUX0F$=xm0o`CG2HntV!*o8D;v!^zR9Al!0 z)a+K!;rFLcMnV%weYF0RYURa)NwTofE(=+kXqOR8Nx}RP+U0_B8PM;YpS(HSKQKCF z^Dfwu{n=7DpI^M#?*Z{&@6jdj*~xi8Qq$k(G3Gl!a-NP@8(ljJ%ppJoDXLO6}(Z`n|Ekg)$^$9sSW4FhkjqNO!teft;hY_z3&cC z)H>Qf{n5D@pdWbiI_}SI2?~!t*5q0*j!s@#JsU`0@BQbTAj8+*#ojADVdObj1>w#> zgBkOE^bi&u)E>oj=nPm_$49kkI8Efa8|-D-e8O@5DQ`~1jCFh)^Q{dU)YH`iYH~R{ z%J?>bqLc7LJef~m#qK=0q%<*-S>Pt(H63DIt?{Rj+J0~C@nmN(pqbT!114q*B5NR31y&#WT+gCDDZqCfSg3#>jg!l83}79I zQi2rWc5PLL1a(SUO{dVes$-{T2QLqQpsrycRGfROyH2Gw>I9nP=qOsH&({;@`#ps( zQ?Ug>>WKd zCRq6805+djyWZk^M+avYh2r$iUwr@Uuvi*j`3qB~kRmE)Xa2&lqaGK^;wv~o`O6=l zz;1~VJpA9z4~lql1wXLE;9EjoZ@0%HGr@U~=aR8lN z&E|AYLtWLuvxMPw*qdY{+X|D``!!ytuF)UPTFDxXY$QgLX}=?8m-?bJ9c9{xP%0Mk za8Y5DWLj9bBk`=>nhK!`A#M z$>a@DmGa)Kf4cwNL^L?2>LS8UBwZMGE&_7pn)+q#be5SR&T@dl?lLewG4|$C^g%Dz zQx0YoYs<_4&-`XQ{S$y)-kB^loL)v=^K~GN%A@r~_C*%J|JLE3r})1C{ag)98Bcfq z;(Lj1WeaMpK3y#o6Vy@2EKR7d8Zn-bzN+%h6R`KQU>C`*sO#hgu~W{UNlSkSI98tdEe-?wOSm0 z(+z3hOxirgj5|?3Si@h+rGf5yG`vB03%lh%fDCDf*8%|Jmi~!Cx+b{o1d|zNy22kY zh*v`R0jk)c<`rf%gg^2K2b*~w!4Em^C=X;g0lh6B8`P;md8|{ERFaZV?{Ssqv+U`{ z##M3?rh}_^3V`zND9*3um)$tozynV&9FK6VTutCqm`}!ZXb-29OGu?YLLHK*ICN>$ z?F=YSqNEd|R`;NfbALQWtKh-G_k!+l_$Dt%9Gz3zwKhLjwP%qdB{7*dCT|yx4|I3j>#HHba31wB9-(CyNo6v0IRk2WM}iwU$s@XC42`b z#ebk2vI%SWAFzP`frm&ew$p~*as?|d6+m21hU)|kCRdx3jnMEEb!(JAkC2;R<|$e` zN%lJ|Zed3A*g{vMiZ|diZ+*R1SVOan^*X^_6C_nK$(O2X5mmB>qjjKP)5=K0=_m@` zg6#PC&wqYLJ(3iiYA^<>>053ZF<8g7B@}`&s4F zB`54s-8REu(Gt&GIix4F!`pu1@Zxm)REFbA9^;+su72T_ldv%Mwg0@h9K2vRf z$wv!b8!(G9;8T+l@`i{w#kRKILCv?Xv9B+q%Xg?W$)gFHTyeHFKoOSoSl&Mk-onsq zZNEcaqG{7l;8X|ufrBcy`Hb;v!M|SvsbNt+hDE*p=eD(m4Z{pkbwx`t#O!Wna%4C& zws3CrugJ^{@AS9e8+0)eOhd_XhC&WE{&nye1sMeM=uwF=(>Ou_;Az z+ADEVI(x*r?4`W$4c?j%T&>voE7f`ayk^(k5668p>x$HV>|?SDPueZVW1HT*b?Tm~ z65NtABsGK}AgcW`G1QkTa=?!(O_!Z=&+IPTwRfGWE?H>n4+?Pwc_HG+0~DY&=z`8) z{F+k5id{CP0<`tRCI`0G7sz)VbVQ!pC@HU=o*fQ$o^%2&NolO6SjNqeO^O8g2|IWJ zmM^p9ei|XEVf~=>Fz&*62%G|Giev%7o~@m)k~9a-Y;^;t>tkk;{LholPI+!3_xBdRL)q z)}$Yfv2Lr47n!4p{5B?ue1V)sXkdEHtBIs-(tpxjsfN)@Z7AwVSEaP2diBG5R={`M7=@2y!dOf^F?)A9AAWxGy-gL|} zVNw&a#c%Ba(!7RXz{xJ3pwrbV${$Ycr@_$=FAzUsZSOhJISvav+#@M|2+*d{4NirA zl*wkD&Zn8k0_sjJ*yAlP!vi@|ot{Psmc>W9@rAZv5YQ+XCMQU1FoGK{6f$c*=(JL_)^VFw#VFeNqdd&vTj0Lzu$T ze#EwP%>P)DP*o~!{&*nhqHY#ubTtR~_NmTPmZzb0AG?668(CFMSX{wyqK*48-U-6= zdk+)y^~L%*@B;1e1(P(z04OmN=01a_pl7gd@zij0l?2opF#?R0G958TfO=#QfxxJ7 z*-l|+oy#7eSwCk`zX96xX`dMIq2RygS*{(ffMX4r4d8swqA@MzlX+^cN;6=*8FpuY zsNvo+h%V>+aW+pe6)+}g7dDiW;f&^xytU-{Z8tdOjK>qnZJg1{w3#IoDkf34w0;t4 zWO=n;Gwn57AnF^(Z{ECod2q%zj!H*Dx(uZ7+tP)rQjScmC=#4Zh@wmkNHdg0I{D8c zO=H80qP9fey6?SurQln3+r`@>BL!5(76cDv@1xu$}xE>$U=%c?a! z2A%S)cPDrt>On0Ewf#{v3X+XBU`^CxTMHkg-)9Z~7wdm2Yx<3t;;3X-YBZ~XR^hMQ zMQzKK3?Vca-}MC>AA7DZRw^zJR+hgzSgE`^P*T{mFbq>Q$Vw)|0_PWJXt4DoDjj7M z_$G}-(d)v9!45Sojv9gZq zrH}r=BxOs90txW-{}2k)8J;L3mI8I~_5Tp+Xq%q`3F!U*5E_V)RE@P&o!wS}aPM5q|%F44~mER(!T`q}lOO`D789kiw zBUudH`+0ZC*6HTB)H=PbX`SzzKe}}}(-fPR*VXMy0Y3s>aiI}91J6JVYKLJ^H3;=H zLCKp03PYrg4gV@^F)D)1@1=%K!;I65Et^{A0_Qb6rN ziO?>h4-_Ssco=i^MUz4!QZFb0LL&X-Q^637J?rLE@5qFjX<5pD+yfD&~11ppp`s zf7@AjX%7%AHy+x1!nC*}d~TDl1ZJy$Zm{A->1CoDRz8rOyG2W?k99i13CIKodl$jK z;MezOC&x!W($Brq(}Uv|^mG5{38CJ?~ zEHIy=jlTZM*i$#41LVO1g*w5@-itS~JyG_&ocR*ZWzJm@e*u=GrV1=rGBER%8DdUJk2 z8o)#9ATsgudn-~M4Vuz5Ps zLSZ^0C{#dP@Sf6}hyMkX!q*Rh`vF(LfBy^nV;)p->@n6(OIgxv9olDqvki;gQBc0mTgj{$Ich z_7p@7O*d9I{>v5YH&)pKOj@pliYUw+LwUW+&8*os^PpO|5uS;KJY~?p|8+@HRMUqU zoMCf#}*oB;dPLXx2Eh1ydlT8$$I?9QTAs!qcZ2V_aaEA7m~e%XsbD;nR3XIrOSd__o=q~Mo1)7%W}-HQjl?c3$?H|v{$uVq;L@=`GqWki)gL^ zIC7>v&1z>^<=*X|d0MHBfLs%3b9yg`3fzQZyNbU`aVE9Ud7m7&^}|__c-#J3uVNRKGNybi-1xUtUsqHgGB`bE6H|kI!R1Ut4BD6`K?pJsinBI zGY~j)7~3= zHDV^w25ce}#DULHXxpL3j^uO<`IxY&4<70g+6t^8RkZYVm=}mu*phKq>=&*?i#VYa zAg>TV>j+_QW@@j)lQ+;}1O(DsS7u>40%2ty4_a;1XUO2eI!EZ_`D8G21`x;0KV;01 z#iz7wBOOmQvbz1k{qQ2NHbOivJT#fIe22zac=JnBLJV?A^i1#Eyy=yAFRQcEeV(Xn zn24d|ShAR7?2tjsyG|PYeI8}GgbCr(6U`%bnTSVI3{@gWWVV=6iYjd&ghB%63bG`R z`+BM17-Bc>Yat5nAzQ152%9Wy8M;=LsM+GI7$$_nc)d)#mQe*2I?mmDAIIVB1BTjL zb%;wNcv31Dk}2>JFOS&GPc~`g?Y(<%#TTt$fxKjtHKq)KDh7D48XVf~xnk|lZg>bQ z;K4BLV;oWmc(BOU0NcY+CI4DuAVXJWr-v^(2HdW@5Bdkr8NUKowz>C>h)H-8F0RbkXQ#R|&FtQXz??emGh)sbd zg7^?^DzDLO8m(HV@U<*a<5oe%Y0<7>#yvjZh^+cgVJHMq6f6Aj{FygWhjVT@oL+-m zEaw#^hmzh{NwwwE3*msX3QO$z$JOq^NcTVwsbxP^DGn1j9nKnyU4>bX&@F;fmk5Fp z^Fb!UGY=a2(5g!*y6G2Hw6hfXtd`Y%VU^)>6O*>p-_W!qd>YS65@2Xj;sr)Y0i>tq z8eW2Ep@H|dHQv-#*7SC!<$;n)qj>ULtIbwu7VSAN>#x>t7G(83YP`h7;KzVL<-~1Nui8&_!WDmki@cfisi-`>0vyOn;b6 zPf*NK@JrHk7hd7^Q4t5T5NQyL`a%u%dibSx6UI3owIu;ThFY3w-`KTaF(v;v?nd`4 zYax^wje|iac)-od){hVE!sTl57U&$CL2Q(cX0_5_1yjfRym;)p+WXJk#_a>e8#n~Q z7Eei4uvIMhH2C5l^FY6c2RL6?0Ly*xqQ=Bx!TkKk<9&(HWVgO2hw32dlaJJZ{oyH1 zj`q`B)mF2sErYBKjdH91V$fdgm;tNB3F)B<`VLoR*xlfux?#(#S4O%Ti|V^GH3i>C zji#V_Z!4$@t}XtVS2N$?CuyY$!osshE&*?3)xVM|{oDr@UV7ZG1H`fZ-cYAex*#*ei-%J4HgCiB z9SN&ayv2wHegInC;>U0CI;%r)s~Lh@l?ZMvLU18wK60z?yT#AaTl4*oY~R28{4c1b zqvS-NObN6o|Myp4?iBPt+h0B2`9uHn`_ljX`49ciANrp^^go|h|HC=*T=h*uoe)Ox zFT9FJ)6ksaW9ucuDt}6-{PSYNlG!rid^l}cPY8=7-dQ}5Os?Ei3ByjHTjxW| za2$>@KO#0BC{K2W=;tw%#z_X`aDe3Uy2!aeBOJ#_rp78OX|%V zSZ43AA$SX%9ngoR6$JZ7C&vf9q;KCaVE$gzHKc>LX-YsqT&AKM&!_|%|`NvvfWpZJ)yIh40{;EajRA6 zuI=cw7UwG5;o5+W;v~wr1%OU3raDJsrE>;qRb;~<`!aZ(PqV8~f{cgaQmi()NjOCj zOJ%!;{*SEK_P|@=0Fn;urr8tjf;F$aF~iEkypJ8;5;^|<9N#;ex*r^4l}1k$gA~4l zFlb4mV39^)R?{;I_DXj%oYv6fh`_?8J;!kAIXiBOE9g`Ou4PAQ%5WH2 zp)sB+AMBM?;CBC_Zu|?mw)V}=#Sl^BscWEB=TkVwj>&2H*|R`ZrmtDre;UZw$N1HJ z+prwp)jTYi--&^7Yd{v6fGhmZ9C1Lv5Q?{HRVmyAmyT+-qa2~(8AAkax6QIf30l^} z+js4M>XCBB5Y3r?-bG>a!Gi!-2>j%QzYswv&Bzt7d#tegs)*fA+hcghYkG*$ip|0% z@muAthu@frjn77F=5WNH^W;569-xT0io3E8tW7Zr&lW- zK3N8*Yri~eQM-IlVC+`^waP6K7IM<^?@Lryds%V$LfA&}SXz_w%`??E+aY7qubeOI ze^Fb8fz&^p4Pd?gcW39T?Z-v^FBbbl|NDpi-yizlKlHzU=zo{h^&%U0^HMKP-R;u_ zH%#4qn{7n1q@fO&wwI)dVmKU9;Oj!JZcp}Za^mph^j@6h+n3E71KPVUCqP8>Uu$6d zNV@ReO^O~TX#pj@u~ugZ=g@qo7eDsCbq4H~$VKW-^SayJP?^KglS7x1%;8p2?2Ci5 z*N4Y@M|L>(U~6;xNl9<6a4ec-+76DG=@x(F`7LI<#WBX&OnTwg8cZZH2k7N()L$c% z9;ytPfAxATK5Zhv1Y=ukBL&qsnazmzw{fyiZL?9$1BF4`wG`1XZsKY757M85V51D+ z23bBF6oM&8*RVV)y>GIAXrVC90PWir0cg8ErmS?1lYTyKNdp&$C;P9yKRiDFU!C9q zfbm+Da&!fwNghSi^Z?UzK=Zah=|sEWmI!}t>Aa>TPdk~X9f?ImA)#BV=WYqC^aZ*( zkLQyqyF9~Vn%v;I5ZdhCWIgz3j4kCIl&~as+c?oXM*S<>B1M0pG#VhUXL{%h1Dj{- z&yhb(kskOk0XaQNC0rX417A`Dy;+)kxK+^>`jbHsfkH`!XT9i|5GLNK22-8^(QJ!H zC6{1aF|1Lj?d$G6YnH>#*u&J@a5jTM*0Y@^QI1)i;(YyiG>#_9YrE8`wz2|J=O!Cr z_%j^z`j^^1bPhirZ}(U#Kqol9=jmU<-WPg9r4!Ew#*y_&NdkYk<4)cODX&|EAEXYJ zzl%tM7dwQ(BAadoXN+t4xxFB4*4L%-_VLfG9`ZZnJ_K0KIrov0c<=D|=;Y*7MP4x$ z&J4HiQg+n&NJPZZ#Q7bWr6R3nS)j!Ayi}`5H%$M7|)1Ng3%+UJ+k6gvp^`>a&|ME23wjKRK|`CTL39nWH5&L6tWs!}y}^LWK?UM{oWlrYqbc1E=6V8Bq8@hEG@LIS z40_1eS`Uzj(`10rJBXXPW$?gYie=_0NFWWzD;+GGidNl ziZmDN*nB^m2P=0aWmL2vFzS(>6vXEs*qC5{3&aEO4jGR>8-89LU>}*BU zU(v)*bZpf|{p99#oGabglT!>W@#geYuIQSRw=o@^@VI4MF`leQ3ai~Mnt3_pbQaSn zjxAftB$`jGps!G`6L>&33i@i}{PLT_S0)5fv5SOTvD?qIhnE`?Jf-l`o(==1lUdty z=CrM!oav`0k;G-xlSt2(+NsBmbj@a7M@Ow5(xF8q_@F5Iw|SJ&*}<;@!1m!Ez8}IA zwE^G8jH9863)f)k=*;C57lsbgUt=cv2?zv|UXeo7J%5 zIdd(~w0d5+!c-<4OtV8;EFJbZqcCH*V9=TouYklBP!0|sGcjqjomK8Zbv@vr#s`_p zZzy^o9FOdj!_sGaPBV?oVyC+fYLC_;wV5Sq5v%PPGjUjp(!!7U$b$#|&GBn3cNu10 zBd%D?w=yB1ov6bQ4qGbI$*y-tEXY!y3q5u6G7fab7b+Wt8$aDRfTf~cBEgk8 zF1elJyeW=W2P-82lbAgm_vd)QNtvQ2c-={Tq>U@bJ4-aAz_mk7Gf^#quG<84NHXBm zH5@OKyN=Z0=;-X7%DcLp5uBw-G+|z=*B+zZwJ5G)Axtr+G86+oPies`w@btG+Ws|I zl%eev=p+VMV&&G#U{zbXJ=4@S^*!ta9ljyOu>8|ulIHU%cIYzV)ZQSb6h#(v9z%UTi74p#ed ze7I_3;*ilUt6*VXl`!87JO2@ri=+8oIEZw*tL4yi#fNJC=f%x~n(uxlP8!_IsC$_p zXnHYIcWy$}HC?mlG~jQmZjM!w?-WQ0|3kKfe^RJJ#)<$ct+=P*9Ym)OHit+{c3}nd zg~F>pj`6^N8Hz|Jjm#wa0OO>yGqEa1>0MEsqdePN)Onr6Nu`u}W=k)uyO-dy#n*W1 z6FtC+(sBEM%pwiKWx08N%c?T@x>BiR^VOjk=_{TuR@w~;X1n5|;zQex%Koi5{%fn6 zxd}VuJsS>X`xF;dqNm@BvosnogFg4{v0}Lp6g#UD=l(gI| zleA9dVzeu|RXxf#c;-!w&B6H<2o8b{YBe-LFi|`dy?IJHbL1ZSu3oyXkMo?o4`#7q zD|EuAgp&3NpBwpNV0Ir5`B#hhQh$YEF9VXZGNn!LM*X@h&8F}M3#ZaDiqw0R^R{s6 zb6Qc%(9{#QSeVnqY}9sA-j7WAij)sUy*%Df=^hcPD&PowR2cdbL6~@IKIZ2r6!dHR zo~WRUyE|cu&>fv(l}&{gK%;v!B$-@eRMN_m4X11(@11Y0S{cFEcmy9YC1v0Ix?(qv z`6#<6qs)Q0hbD zXgDBQqFsGa^MQzjB>%9hFFE<5(+r$_=qO9~^o}=hTu{8LQw6$cvXoz#^eF$~-zv?0 znQytedmZ))>dtz3oMc*lmDwbQpTSx(9^iMs4qla-MmJcfXo`n-cg|?J(n{HAAs4F! zWjLc{M$bst3TkDhYMl`B{wT`Pj*&!J)r+Ru=ur{4+}2Yt@k%XpG<9QcVfLx{jKebG z!x$qn;*YMVt^A1B%p6%y<@zq4X18jEYHKXS;IH4U}26HvA?oX|6E2Gc%(wCvv)L=*@H7TK!*xCQ02+Q4$^XM!AcL%dL2K zCuEUj=I-s*ZsjJzEZebIYIaIlNE*d4PdJTOVZ`Vz$2t0;_{;mA7=qqYhtI`iENrKi zw!*R*tra-zo>`2;rv%WaKWqD1%*klOs z0>y3m=~<;G_dOv9th;I~ZT@3V5^n`HRS@!1y+~EH3d8H-VWPNBEon9W%&V^$@kbNW z3HW3B9xEC>BP>@|Ry^NKPK+wSmg^c<%gWomI)%2&UYjz~MQ04j$=cwsx8R_#;^a6B z^DC25y@EuNfLQVlyC01Ch3pj>JNfx5o-F@vdno*+o?nU5(VHggx)Ig~b0WsQ*?Q;Oz74U5u!MDJuhuo_@}E z%j?g5Ux(jfA-sT|Pa#!mfYd6)Ow6J!&g*++be<}wlu~OYN{BC`r^Tlptxi-@1{sZu z%7?C&$32bX(^9C@3Zs2<4cmZcGB-?7cu$KNomS?`CLg1$x!ajELPr0%k(DmXJ;s#U znCXTs!T6?SFrUm=uV8NPm7Q@@!+(kb=U(FDE3$Wy*}+Ag)m>D63hTcbV_F>o=0iV< z2Fm=L49dH;&HzMyY)ZOWE<^pGF)UC4GiQ=P5PnnSXl#7NAUoWCwdK{p;YoEG5lvK( zBBDH6?&{q$Hl;aUGc-k>DfSw+u?8C0$LzdT(!}A~cI>{rcmGCVUSw02^1RGLe2%cb z01{|D>{p`yyflBRGr?JkOI7Gxt6=$dyMpT5g~uoSDsUc!xT^}UHNIKeO^bp`Q-q{~ zG3pSw1VxZWgKDx{0lpDjMnf`@w*8VRZcWw=&dI#=hGHD0(I_Sogzk;ELPdHZ23Id4gS*dW%V!kA;Vh~NL!r50T51P4 z(|xL@X0$~hyukpeV>+rLk-=ZGHZrNC7Z)C5KPs$XQs9m+R)f>C!}-n=VR=JI@Q|Gf1`W2>k8oA=#hLCVi zPlF`^Iy=1ZMEh>3WVYT7PKhKa{zc{n$!Fe9@eaws029J{bqYXGa*t?)#d#9%d$1gg; z=FaA(M>${##r2n8WuoiDx!()AG<}?7x;dSf09Qh+H=C1{aR&j>bFJvPP_(ZS?|g-L z*UQ7wwIRpmF5MP>GTnZpVOX8WO>)NuuGZgQVo+=72tW&_!aWz+FA7@_e>UR-o`>9OEqH zD~u$?pk#haVx>vdWh@%v0yKRm=oVyMqv;YQ0ACC`lB~J{lxkcBBC{3><5Mx|G26g! zpsZlsR0`s`;!z$IuUsCxxfP1UMa2lVfHB+8FJ2rT_g)?z!N7C^cshA=p&r@dX$9W` z8RYHHZ{v6Eav1UYjgcbgEE_j)v2U8;0;B}&FBKP1$a()+V8{5WcT%c~Cg{YKe9-Th zAZaw8+>?hNunL9*oeO8AIoL7|Ns*2g5UGe^u7$yVo{k@d!QYMR4rOh(00N72S4A#SbVCpS{*V++ZUdEYRHw_0m${~^;j`lA-IdY{y>LA45ZL0< zaW5NA;7)MU)PeG@vs;HbT}Yd|xnM2=ds8)*uxOHbu3OL+LN^?<;$Qy?jHB2m9@J3; z?G{7~iDAFiHx@0^`9vNJ5&!9UJ78>B5ieSOB^IliX0rB42pPuuFkvC3s@Gy8AjOnL zvm1F3GRhNd%ItQ8&uTUP(>2BEAnznhhlQ&Vd$x*yhtIr~FXR^8S=0U{(Iokpi4Dqx z@Y3#qBHn`<>M1LNatJOvZf2Bc@u1}qW<-&2D)-5;u}P(rQ5YR#z%u`$D^fiWRxDxn z;!`ffwzTlfmus-kvku(i($8eDBo?R@P8e4=6R7-6g&O8E7M)D|QJNkUkc@xsS}{IV zh)>x9ckOt9WixZWZ}s;26NE~(9gkVkUg)e-y7{&`QsEXxx{L?Rht1rmI1Gut+V!WS zaa19k$>!d+h1Nk0Ez9Z!-f0h%HA?0<4L0x^%ql!9y{>7C`~>X@s=ip>mCJNOW=OT~ zqX>nn3(b7%sFufApoH?0=xSC|iLaIdmP1&si5g;DDFzND0w6PY!gBSe=_>u*Po~pI z1+Bp~{l(UQ4b;brTY&R535Z{8|5rcw`*TN*6zMt03;UvrcM-aO;ZQ!- zh)K*)+Z4r^UfCa?mU^sst+{K}-L*ZGiaqCQ4Z@fjm+2IkTbjp_x?;WO66$J5 zH7~s9@U-H=-f=Oac;9*}(`F*}h9EbUxJ&yo-74{C626ammI;?`uy_uZBfr_!-9!gE z%fbG|#g848nyl^9k=|SC{5ngcS(uW(C7xCwWlz7V?hFTa(DhhqfyMPj?tktc+S|oQ z91AQR&>&PvH)ZKg%tdX5wyXZN{jzGKqj;{r%bzSaunJ`3CbpF-O1n1ewqv!cg6*bA z)%B$qOvQIAufA1~z34?$l|%w%y{4Xo1yc+ATBGpE5wWYHkGO^ zXVIXSCP`kZ-)|-_5Fn53Y2kLI=4NysA=uaB)i4$%`K$S_od1sw9pk9SiHZ83J^$a6 zoz2Hz74rW*-g)vz{=Z)+{~zW6CNk6P=F=sqkPXFV2={%`qg7BPzr)D<{n;%+k>q!UtaeVvb!t15 zE~tHwP+-T;oFwSJ#30onYYw;~8when|h|-<>bNe7v(tYYky= zu5*eAgNS2@Kh8l%7reVvCVL;xFnCQa`Ik-UN1SYWHf_-}NO!?c`A?}%rNX7|YoM67 zTH4`LO;y*v!yNQv+lq@<+Xk*_fDh*nEok^+^w1FnRUZ2o^+vN9S@Z#{r@meL` zlN*W3vY6<~%OaS}VJTfk7AQkSJpznQ)fl`E)As-Z&goO69&9MM7`hERf`R*+^rPRf zBQCtk&frDY!YQVEhcPOgeyOTD6bh6)MIL39QAeRH90E&2uF+Df|AAr|?V6*>Ov8i8 zNZA~D7-}ZtYio}EwAn3Bu}?jT4u@8V=7iH|*^>#sk_kGznxUwbvlM}mx_{aX!b?Dy z!hL|e!1X1Pmc&(in6fda7=g+-Q0ypXi&l{DW*nnDTbYgjPo1xJ?-$KjF1vWna=AZd z?dP1eBxd}^Cv8=4C?EpjuZ+OQm>7ZgVUbIKY82_XizG(%ZeR#ZW2a)=P2tRu!u&(B zjKcIX9C1kac&H=acT|Rexs$GAP0)Shohv_0SKE{(X5p~N@LB^>z1ploixwLTq6^oW zCAUzGW~**ZBos?NB|%wU;ZJ*_z z+^BLGDn@1HOu_OoV;hio@S($|m3aR4=N6tuH~7P~;ZW_#U*{MgO_=-l=tC^Av32o+ zOEteYuGI2enM9SpJIZ+rL?N3ue_4MX&#s@;f8J54Q7}N5?nem6t@!USP8^@a^aEAI zAMjdf@ImUy4G{TCjZLSCfWBVS2fN$+g0FIMwn?vciY5eg-=27AMjxMkx1(ba(ReF1Pd~ng*d-387 z6?_NB?>g$!4t?6OzmcJ_neKY38{!cA2T|o8m}0=1$8F2^G#;u_P9c8F`4l+Gj#&vP z%1B0A^dQ7>M6|ygTDS0MV{b@5{ltwy@DFi!D$-4X>gAS@MN z0hYQfL#7&Fi<`t>TXk)21x*{I(u-RZs_GmUsxg%LIHi^F^Nyl}QS-ggCx%LVbP-Y`s5xu^8c|tiN zTe>gxZAj7=K~z3dTBp*`P>X-zKTm^I;H-SqAuwVD_;WQ~{6tX{u_gv0K*w%-z3@0_ z)UV?~-58vH`{Q}Jt=ZLWR!M#Qc$Z0p^%_m0QUi4zICy<}@ng9M#G+U0DjuI4AC&8{ zFPd9T9Q>YI7N2TFmFPgHD`yypGg)pPjzfoCNbNtmGcu6{Eu5;EnPD!u=p#xGhc93D z-kidmTb<8Van7lJ6h{z_&F`xi4Sti;q+Q$tMOh&Epy0Ox6m1RRLb&aOcrH}M66JdH8JjvgmDS4v1YNca2F}}44h9<2@iv$|y%-Nxkmp0Zv}a0GWc-e!tJxKkX$opQf-{6n~Nmm%CK58+O;A>5HM+$oRY zPQ@5{`%)gm9kU11naPt+fFitcH(HfP7{AiT7R&G1stAXhxE~ze;C|BV&wZ^}oAc6H z>bv*uw$5~=0i2JZC=rXA(Ie)(QWoe%Om^;q$<8Onr0r@L(+IC+d(*gIuf8ZLE*1}U z?MasqAnghUGf+y&TB0~7K$|N1pye!}qJrSQ(JA1`G@i1Lb_GoZGgglp*+;7rsDMwe zT3jne>1GW|S^ZjCXLM4oR=Iv0`RgfdE9B~FT;18y6l8@ax~>LUG$H|#Q`8p~kJ3Ne zU*GD9I)>0$LWg1$A2o6{q=U}SfnD$|+J^u09&SAU3|3L5hII(sFOU;g@Ab)xgWl=c z;dgr%2SM<2M-{z}W+9df3Pry=INhVSrs!oF4@LykE&9#b;fq%XPSIJIW%*S)U+okS z*gHSJ`1b4#7X5kG_Ej)l!BZMaxh?h&P4K?PeF|^A> za=XY%NHIxAzYDqZ;fvBo;R5l=Y?>l&Yag`$VYz5OF#hDQyZ&fc%H+82F4{`OkEaJ}UrWeJJ zvp5>Sg(;@P&oBVAin%WXRd(xw^1Lq5?6jqtw3@M8M6m302_0yr?XkLkB{daC%#t8x zrRn?+YdY)jf6|K2{VNTp=!uWf>+-0_QoT?|X+r+##Gk*4KG06Sy1BLe_{o<$U;XLN z;bngi4Og`pDF_^R1;+JtS~;@IJ=;5e(L1xuSb14Q19tDDAi;ll-#&fc&O^?Y=5pn{HY#9)(@w{A_8B`yI<_!5&r>o znoP3^%r?w8zWwu7q^7GYTR14x;Tu%f*zPd0)|wZ3(G@;ky&n$IMuu~w1PWi2j%22T z)K;d0y31D~uVgzxcxW=;5sN9Ze9{;HlrA1#MFW{C9i6f^9C8@pEWD27qr?~%?`Cv} z;g(U1Or!OA7Ip35on-gc5639RP@rK9=3(p+2qL3~b}LkZGnQhR5FueN#W{c=BRjwj z02>I<#vz+uW_g^8kIwpRjJ9TEj6e)@K0^by+L#zSIa@D zWn;oz-||_-%@KcMOo~5MpCI~_(?g-yUR^dE-be&n6l-O$q3E@kwM}7NEI4HIv8p7V z6+-D zt!F<$rC-DOc+6eW9?kc$GQ|R%>MzRlON{Oq{AP!t6V`wWjbKYPP0g;-E#kG^FKMx2 z2x&x?>6jYBU!!mTm@m~ij`zMy=X8YlU!{Ai94Nb{i^OW#xs8%~@TuL|%+$Fkg#yqK z=woK>ZNM~Ud0I%8(w9z@dI5^uoIyyLRS)bZ=%vEd#phD5ty~E>| zhsTGMcxi<};zn8xXSXP*5%*D>hXh(6%%0Ds+7Oo6N6Igh{j1kp96 zgW)26`(7tmfi}+SQPkx;>CNJSD?@zf)2AfGPnK~)p%91lb_3*EeuCt@NLJG_Ua37; zvv{D$Fm4rE1Y)EPC8(}CT>(L`^4IE6R1wFHlyQ9(`ptAYx+yhhMFiue(08L+nR73> zHi)@CA~8);NeITxB3S#j({0JNf{+kx+7RM?ALD%7s!%Sie%r<25Keu=Vcf?o!vQL? zVGA5Zl&(UmSZJ&o3|6&Ht#1W%SaFFmo9C^56?QyQ7|CJ^tCS{-rj#=f3e|m$hfBD0 zPA(iDfl5VD6C3G$3`>f}baRO~*i#*<41Eh?&Xh_~YujqnDztGlzb$?pPp_gBsD!;E z2a&pk#;Usf&E%?U z<)6X%;j3@ooYLjhD*RZL>ni?ocznTM;D`I=|M%vQKCR-9Ri_RH|ED@fM{b?HZ_c<5 z{&4ENJU!q#@WZY1HvzZ$Hvy-=oFBaUj=taz=ga9KgImQP&X>KTv)7CP{BXWtTwD5r zKb$Xb&d;{!3;rm6*;Ze+oiF>}9=)J1_{05j!X#bAA8vmxPENT$@WaLJ{DQyW5BJN( z;W2-KAB8U`Z{*9#8~GxqQ2ctfcd81)Pc8^QR6!LALX|%}xlp5fqGrU2o)M+u2d`Ce z_{GKHM`iJE-keKu_{GKHM`iKzi@&`*y3ka^hYnH=f2?|I>>s^Q?O=!-t<8W&aooU7@8KdC(as49Q@{h31N`!gP2_)$F_j^CUgs0qXmK!5(> zr#}b|YI^=C6B>RL8n9S3X@F4SHJ>;l0K6+IrkRyfe&>Q`B%RYyb@_lxwCgq(1;my3 z)4W%K1_@wVde1TY^)vQ_gW~qVkd9Pg7U8i<>UA)D%7=9jl58Efz#yd5?gXc$C%Zat z!XO^Sc}urm>WXSxp{xq-nor!yUvMPOE?)2b03rr|dMd9DkI}6aU#SQi^!d4|0S5?v z_qDE4L)4x*k!N&=3MbY|T8c(NYlF&NRv}3>bhn!#(NxnNegWAZ+Xq&Q){l3MsfMR= ziq{(3X2`VrshK4j7?dM{j!Y?dLIhJ|N}`gQT;b~ z*^^qAB>|~qBk~`A{P*wuUpfBYr;Gd7DE=S3+WKm{5dUv`>+x5A#Q*zc;{VBw+0$Sg zPv;*3qhA=umuZ;ZO1!t$e%lJ^clga~cuHs8V0&}(s}BDACn>l$&##g+dy2nbgwr@0 z2S?FA`r$MQz8=tXcP!6gPT~H#!}PfwPEQ(MIvOAX;DCS&q5&R785}hWap|zO4o#Oe zj|8|IL@`E$!1_9#V0TNkCm=DYP|$)7-(s+jWQH}{fcI@M4)MlRYIZB=@cRoZh=eAR z`e^+rqYEw`Oj4MdAcI2ICP4-fOexObM+6zXYm7nlv3Gv)V!sE(f4xV3jb|t4!Nyu} z7X5u5rEL_KQ8o*LV&nzxDJV zU*Cjrq40bPOM2i5?pO@v=!?2IPWpvFidtE=Fur0M-t+(^yxc7Wft0tsn-t?8r`e~E z%UG_tcTrU{%zZUadT0TuR|G$@GJaD+3~qWV9iO~}1N6!FRz>v+DsDb;>lMOBx?v-E z#{}L%d0K#-x#p(hips4;d+7ugvr`_P`4oVGH1c4E5n0srgaaUhfb%G(^0PwXOwSlOUL#HxfeW(0YuEK$|Z#%63 zKuM>Hosy22u#|CH5x$60qw0GZt6u4vL9AO^(i1%Y0#B0G+HL0o3<(}gZt>5qBx6eX z7L3pl<9&g&{(R7rLt%HdO@?7a@tR^#&SUM~w{1ie0gVwb-UVkH~x`yMz(6RQ^^qzm++v_$%|sKI7bS23`BMjiY2dco3*z#guhbeU~!oMvkwV zcqXeJw{<|Zu%_e#UK@6z7a0)mtst(Z3d{<4d1n}NC7f2=Y?u7ZuJINdS)8`|mUtY0*w>T(2ByAYd4O_ZfB;48aZMvdOdKy*2MHS?qLt#1eeC|i zNg6qAd1mrKUc?C~((t9|M1kmMl z9NwY?B8z}**3)PlhnJZ3o+j3C7_XBr5znd8{INdp!89wuI&~X?^1i*maKc zNJA^T);Zb?8Bt6b8#weR_O#;@o@^n>6&EZ?O7A2} zgQK*3tJaW_YMtNa-C_0m#=hOZfr4^P0d!+ zAYCSDn%v-#HBBZ#47_-rN85#QKm)z`){gPv0#2UhWGL#6K$wnLbiIWA*u4Ux!#@nM zw&xH-E{rTI0hDejY{N3guB=7PJs^WJYEauy=P4Ob<>Xc(z}Mt0f_NTmes~H0 z;WL9T_&{*W*g=v;Gq2~<S`1Z9#-(7Bri&UzDw@ z3PpYn{^FOB`(=bdoaqXVkTX_Jc9S++(VZaHqADTe z>2+)MhZnDUswRjzI;uYx^tUA6s@h=js{j}_H{1`iNISSd^KqI?CvZ}sR)ww>Zr{Sx z)d<~}@6L%7ODu-$2^p%p}Qv*Bu>x^XmA`#nHK~0iMqDakjyK z3d&*r)K70`IVo`O^(fdHU1IclE#AG5NhRn2Y{$jnsy#OOjB|FOK?=%;(KxwO*#a$B z?5l7qn@@V^8z$Z+=oxH4w9KUEU zvc!$vbNW|~8ZQkp7aB@V$;t*>L-t!3=FxZzf_yfuX{ZPr-oHiEEu&**W3ou$PUhEGXGbpXCwK)^Nb$PD-V-xQcl&l5717M9`yi7I zdTjk&(ag|JsKh-+NZTz14^FSW{iBnE9}f1bQ@knwx3f~v-h7aXr8EKT*Px1N zVacx-2%;meN}kdhz_?#mSosEB~x?8vtzE zWjlqEIBS#-JJ+B)M7PRIT-`5U$Uf)M@fJF;^^OJX9;Ur+;f~#Vxp#Q<=Io%YMeSne z(7&aob8d3oy3Sc8@6tJcSBhz|y*=Yz&8L@m^B0g`CizrwtS9A78joP}8>2JX1DpU$ zftRVw_p)fPh7elkuxQ^Le{*!Q|2Nb&z^hK6k}x+0ja%ZlwYqT`PdBowRkX9Cf7dY+ zmMqY6j%NY4wf&WHBkLTiA7Yj`l(RBrfPwNG$wX{=qZ%MMK)OENtn#@E4}9%tU?*RJ zp+|);(*%Cm=sp)=-p><@%%P(6mMP6`X|g(lW6HGEPC9gwk~jgXXp`aUmD>(&VZ2Sz zS%YUDoyb^Rcl=Fc%>K(3Y*7=Shv4k-vS+0=yB`H`aK9;8%=@w@#4(hVyA3Eq6#wH$Z*x#vr=hm}9AA zBGaZ6SOC>q@g!=o?Dq)I{45oDLXvRYE0$3V!xas|8 z?30dS+KYp4-n?q9zL}yb9~TG#ayo%m?c?!f*e3xP@qRRuC_vO1(Ye`jq7n@aDM50e zr~!nNeGa5B3s8Pe^Nx~oWT*gY@e5MTnUfU7!Z67+B;e9NM2E^%IH9FVajBA8>Vb4A zY_90$oauXYxl@&@)%L_#lSvJILbO{CI3&h{>>o-nw@=z`OqVa_0sRjnxp03Ts17}l z^h!|warr`@E=M@`(bvz2dbp0{%_GTO^_Isd~~M~AN?`n zy;pY|abmA{vp~6^Dz5j6dS!E{(lJe}>#6M0a|GJJ+~AxZHpr4mlwVQmITQ=fo^={T zgg__wZ_Empg|`@HezmJ5U0=Q}bra5dXi@v~P1A9bN9NLV4sr*aLf5wfx(N)e`_P*Z zx!}ZiKOL$;2$_ z=aC#s5sBb`KLgl;R$JPqOkn*!SyWFzsKgnMg1}@x&f^(Ktzx~s^CY+gxe-SYNFVpn z%OB_mGbPym-#bsJl5PlAUyFWxP44%P%+nL+=}UORg{fbB<$V5=TXnPT-l5_LD}2|B zD921&H&+p@gblpMC&LsV6B4$XyiMjfnG@EVjpu;kdO)d)*rX;zV@Ud}@IOL>!%_7Y{ygNn%Be5H%yk z0M>rGs%)5C{iddJ$w0_1=3LM4nSsm%F<8OWx|DHE2&S160fO~}^l6&mZf2XU($V;w zb429{<++emtc&ERu9#H9DgI+;ZxfK^~?QbGQ#5|=%EvriEc={|`>j)&K1iHL>JszqWa zN*xL4f__5yrlU4|2Nkht49BnwWF$$wk7qOX4l?G9h#Qp8m}9bl$1F1qC&R47F%4G~ zZrEXtSSRh9cviwmmuH{#lhf3znhzC%y>-c=Bzw(rxyZi>&!yRc16s#+*F9{PqIn_T zEzR3bu(ji~?4BLUoLLN8^%Ul`kR(PEYO5{>*XGnV6SrINaCBqkC#FkN3cBsy_e=_W zojc@2HpBJ9v$(@28#AY=2*44@#wb9;qWnDvHO})u7w&JW4SX z=`2k1ENBttY?}u|2AiZltg24x%Lu&#Nngr71HAcgMLR`WAgw?}&n3rVxB#>OVezh3 zJ~D@7wP{-Up?C5(XFAec(R-B@I~VCI)!Ms-xusqfRj|Yu`=e>r%jUBgNSV>V@I*EF zfW@ejvCY+B8}E-m%qEospEzNG=5TuF?ExLE(Ncj9j+YTCrN}XLW1giO@EvSpJKm9#zwsaCNZWyJhh(nqxnET z_!0hDMbV>O>0Cf9DO*F0qGiE~{Z-6kRS{3G2Cb}?y6t<));)9kR)v5nxT+zk=#SAYY4S7> zP;K+K#hyfb4K>egYXw>NjG(pXy|i1ZOK<|iV3X1-w0Ki1^LN-Yi+7lAa5(YbU0;ZU z{iZu1cS}c@1t5*G1hZG;0fUq!D0{K-nw$nEGvWhk-QeXJsxcyhflm7vr}Z{~UJurl zekY#N9j1hE$M^zrV>)0JiBZDis926Ik!5NEO7UJyHdqL|?@!%EH6-{GqY);}8%? zMx6U>X5L|?7;DOI@JPs7y+L9$avA^(c}OvTCHy^I5wf&2&ty!f7P%T@aieS>$L|53 zEV~*g6`dgeUkW?|qE(57NLP5GooQ5I8y$4;;8^qaRIvpTyh>7~%W`{eTWED8n6iAr z!fNBoRp9&$$^;?uB@K8(>@2|;l2yAcm zlvy0!5+!_Bf0f+eY-SEiqmV@-G_6P5lK?}U;te(hRSC?0Zz#V5pG*Zyw6h$JmCgs# z^C?J-frQq6%Ii(%%Ah9U{V2bpa%bXs7TTChh_^uj3A>~MEn++kDv zN}n!FiLV29NWCd_RQvP~5wR{250rWfh1Rze+pS8MLr~wcMKJSc39&k92k-MFs(=iO$nOF}U9G#q;Vp*~b(;pDbI{QH4M^yBp(iHD{hvcWIA#AFK zxQ*n!GnSNP4bkaI(=EOwXm}w`ZIQm*e;=-Fpcqp{PrT7SI{uq|qwN&NE|;89m~_CfA714y^E);aMYGm6TFc|{WM3L;+R8x zc|V({vn0bHD0qvnWmZc5gJLUG8Dgv_ldi|PVtkm9yjr9@8NtOvPNYhgesMZ1Ufu|s z)C_PM-RP?kAih*l#mp^9@GmP8j2auRO!j{mUFrK!g{Bt@b;tl0jR0Ju1gfW%2iiCe zN2!)TOwX!zxKbr1%&OcB0bK;WO8-zjkTI%)=C< zm#5rUK3uXzFUx?Wy6oYN)l(t}`|L<9yuo6L4#m9D6kCNsx=b)`oJ=I@7s4|30=48g z({oboBENv31jAi#Nr zZqala8FdJuR@!p^jJ7}lB`f5X*0Cjen+1FhR>yG*6S?<6Xf}T6n9fsOW9TWRZ?cSB zqdIOC>qsvPDK@_U_GC}OFRTYL(sB>1OvlN2i)4QWr>~_=!VOP*uEX^K8NpeuAj|+A zS-LG3yqU5#!X5+QIUOBnx^k@q*DHvA0GZ8$li(-Z6L7xBdWe}l4I((fV|A`5FvVhv zM~PPS72Y~eGtG!4AEih}LjCpiLiPn~{GQ>J;I2JTnhxz07-q~NoC#U9iQtlp%_4|>nV1-bIj0mz?j`h=vHhkEphKw;2R+)?O+W=T z8TE}?LKmcV! zv&8_jMJh0b-d4y$HqkMM^E7~e@z5T+Q|JDwEtXge&>_EUyzroOa+1PC<{Wjv+KJDB zBI8>zWHUQ*VrLuj?ZsSyv5?)^M47dBpTElX1I*)asGhJmUpj03th3L~dHZGMECAVP z{{{qc(z9T^eCoSx*-!aS_Jxo2CyEEmhH z;+jGU6s;IhmyHH8Wb{aujOLzpIN11lIC#zyJ2e3KqjBJu=qH81uk=GJc%^;MCPPZ9 zX51$z3OdMtH&Zz$kwGDFMn<2)X@_(UpRSW50|Dh;k?0oXxFyhzGz*T-UuS5be}#u~ z>lzYeb@)sXZu30sU#X*(!uF|cv&b5L#{Nnj+0;#=eMHM>MkZ4gnXO|~bNwVmJr+YD zQDKbEaJLp5LWknKg=Cbgi%JoNBL)Y3N_!`tP35wcLy>uo*CrL&eZ487eHMZ3k##A^ zSxnz-jUq?3;1I62GGqP3k&dZPKcj&i=p=%D4xcUw!#y+ZT|m9Nvt?-9bW4xT$PZE6<;~bfXq&x~LNC z!IqsPPoNt<|zJg^pwKXnrfjmy< zFM2NyF821n^=S5CcCl%KWgF&fAEfLsAWY!Jdot4Oh3}ppG|nodvKVoK#Hp?b^v=2} zt3qr>&poGwG}H?S!o1#++Pc+d7Z@8fkgHjINQegEzG(QcrVJktJc|V zOZ$P7R5pmNabGp&nS2$aj{WSEjU`t3*#G@mIeVm8^!p(yp6IM^Dz?i>CD}6^WWjte z9Ax(Ok9FHqpQ2L56u~3R`NfOFV=IzK9SzG>-4H9w)paA7EU4=SIYZhg0yxy?R)`NU zVI0R4Jz~~4n9Bq0QKBGwJU}c-Ng@HEkuBd3DsQ<^<(S2I{1_vJgGYqQ@q~_jidS#I z+Fs9-byz+d9BbgGO~9h{CFbSYf`7iEl<$-|LucMNJv-U&adfyI&@X81K%uIASi@k` z;yldW_Xw@5$9URaNGeI4xLKMgMSMyn1mBhrFw%o@+R#3m0Pb@9p7qQL`D|<%hYh7P z~M=9PE9zT!L=Bt83lu)w0o464B_Ec}iB@os$yp&~SoJmx}RlawsMuj^_$r(g6 zaq~&WAz__ca&i1Vk4N8(-#>+peB}wy&vj+f%hPz$gSK-P6=ARHkv$86!Wp5qO)0O_ z5biu_F(A%G2qQ<{7rqcXj-pQmY}fG|c+?+Id~|d1U0%2*4PpF%TDJeUBpiNrtm&gR0Lz8fd8Zndf3balaTwlR2GVLsQPrGW|2a=(Y z1&aYw76Hfx4vwL#t9T0CSY4{T*AKD9jH9g=t%ap~d_H*j&Ecz>u+glVFWbM75|0Jmz&R&_16dmB@Tl$ULt& zDe0Nupn14|&{}0*QHD{hsaEg2jPjcj$`X3zPAJb+!}DcPF4nXS{EXjaaE^Jz=-7N6 zP2&i|8t7%lmrxM}vO%qR45Hrz&Q+rkE(-0PNW%^zgAO$;XW`sa13r$k{Ovm(X5JL! zLil-Mph#7vUExir3GgCK$e|K5!eAGGk8)Kx?~EQs!pJ5S*E&XaP&oq;H-JAwXTWU^u+9g>h&%XxHae1owD z9L?%;=v1W7vA5KLo$&^{#VKx;^_jc1a;NC#MkQEam8+$2b}BdqEhz5V&6%S>K};_s z+##~XNk1Qx#EjQfy;lbpBBAU&!E+~!LB;x`i2jQ!GsmT@K*X8N;s5xD!xPu!MBAH~ z%ZNfY5V1TdtK0PqLsV!-?VTU~uLImy@T|jWgFK0XN>Z9#+fl(Q^vCe{t}g(vvan)}%!EGPm|Gj%a?pJUcj02&f9R7@$=^8G%ArK;I36 zCa!-<;TPH`1dD3H-ycv|f) z#MiT}U8C4Y=B{jj#?~yDMQ4bn91#s!H)v7tDAt&bG0hH} z0l;~fIv-B+@$EfHf0kyIS<+aThg!Gu{`=d2LvALQAlpmr6c&58?O3@PA&1a+ZaCC^ zt7Y>BWcdFm{98`j6x+w*@qEhXcQK^v!U;dj9}YNB8U>VN46=NVs(dotxxvs;sOY7H z$Cq+ds)MQl|HiCB976L-O#jr)!F4#EQ?4k?QrvZVq-Fs0>G1eM$1;%D?9C#>DN%7b zJj+~}`*zu2&sYbNdE`Sf#wR2tl$oBQ0Zp+;Vg*nlQG*h#Ks^uL6(Bg7kgD@(PXaHu zbP@#ZfC9gJe4@g#tu+n}JDj#vwDykJ?1ZUoU{>^WCkZJ1i=lIe0}ivEsU|Q=-L7S| zn6cYq%6GA8hS|x;*qswU z+hUv+#l+{_KUmg(_@NG4S6;xBrcrCtiQ#UVFoA@D8k_G5A;ICD1O%@^MO|t~S+-gk z@n5idW^t5#j_!{a^1wCLRSJkJ?woirl=0)rXAyglU?}x}!cy%d^ZaMZFO7M#Envbq z5Tc%yg=p&3OJAUP#Rt`vP+ifv!YFpHh*D+$B#d)IC5jVH-q3(NYz9%*Pvcphq^pfW z)4xcfOr|!DokC95Sc}%wt}n4ITI;EB>8nDvsuXl zN~5h+PSd!rqn`39GVUW|GkRxK%fZY5S#$6Fymt%&6l$Qi@XF}$B^+hoAcOj9S0U}K zm}MK&C}#x#cC>-U*9)@kkH^|1 z25dzbSFKIcH(5A3Fa!g#hwjain<(AZK|lj`l!OVfsiLOAejVd3JDca^Z=|jCINlP%Ree3j$4g;qz4)!j-JwJTa z;rBh@LUMW3wqI?w)op_F&UsS)DeeWW#G&N~NJ%;aK{gWixf$Dy$knMNp>N@ALlY9~ z{*Ve{<|^)^r5R7d7#2I=|F^@6+!R%buo_)`qZ&XmJE{1P95RYuT5i{DuQ=6butcBA zC_4z&e2F?6ofL$fvZ+u36%mSMPggC$%uyhv+P{LAFVqp(7<3d%JqZ4fT}-C56jG&p zliNmIvYBwTb|u0k`k7>*XbYJpN(Zj;-gto6pfur}MAIeapfzU*=jlBwyqv0I6hLksYTpswqJ@VP)p@4xS)^E)X8N-< zM>aOaEoVOKy^n73^4i$_zzg`4!g&lf7Wukcx{1XLcn+INp;1tNX2aYJ4lsBtC^fY= zrm+k&Y7L1*g!hFMa5@-AAv&q^&a5CjLs+<@{q5jK)QkUrCx^$tug=d8PmX)=?(FdR zRe2{{soBR$yBZN%wWp~s_p7Ym5DpN6a0=%W7!90DE0V?If@}r|$#x*yoDx8caRIs( zvH_DEC)E9kfF-YR0^93h<`0SSZ3>_(xZSLo3LNxB*)2#s zHBomkbzv5P{OmL0`j0>U`wjeup@trJH@lBFvXo-UZS=!g*1h_aZEV7SJ5Qec$L7w~ z=FavO{N4QO%gs%CkDngHx2?yIzxs0L@#Du|KK_r*t*x&fZ~sT|yCS4?M*sbt{3qeE zKlGoX#r6CHaRX+-8u-UZ*G3o!GHfG1^4Fp zRgz{;DW^d=je#v3MgQoB(Q5NXWktqQW*()JOeqLn9lrs5GT6L=R}pkG90#ZK z%W>St+DCDpJmQOU_}eQne$2N*smRW-X6bTHi=C@V7zC8*=LP~;7E1Rc)D6fzvsFnoV_@$Jc* zi(v2g#{dL_v%TYsA9n-sY-4peg$bO@#xcg-3ez;4=C=~~==H(b{B;#4#tV!hMQ9?akJg&d9Q`6iEgH}kDcyqo--b0vD z8Rq6t)GGUXr{}$I3#ul0Y2{PS@&TSXDU-5(y9xr+FdlWUR^3F+P~ECZ3wr}S>M%z$ zhP1(?8exhZqY(g#0M`eZ2IlQoFmXm?b7`7JwNW?=FXM5X-x3BOCc}=e%`tG#=naya zDNBgE-tY5S#n*6h8H1p=OsPd}nY_{d?-*VNe-+ATg&_HK!S^19x`^@?{-moQyygfo z#s$2v#w0 zE_LsQt(yqEX)Sk{OEqyx;6kL(EM_ovOCNYZb_-42eYV(f#dX}X3gCB~M`H5Zq-B*@ zS+OAQQheR&Q4V%x!`Tih|NH6QO6#A&lK=gLHyAKPm(jS_Bct|3rExfVJ-Sq+Kil|M z`vY(87GWD(do^p@yOprva7Q)TP4G5`_zSwnD7b{&{WK_8U1!x>H457{8E65vy`|A3 z;4XuRz5I&`U8cuGMk#nIqqU2re{Q=IZ9ZLQs{KADS`~%=hfTDq_4bQRG+}Iiobs1B z|Dyuuaz5<#f2s5TSKCi^3g`drCy&4UCx|jUwuk*|KG@p0-$>e#r0t}q_rx+(cILZgkNf!jDQ5sH` zKJm+OpJFl9p7<+{pZdJsfg?XcX?*IhLjU)7P^TdE)g<}^C-e%)bS|eLj{0aWgluv& zFQ3a1)ZLHf-NM-%5bvFzygA!HFh_IqF4$6=i#fNSU%c4w0li=Ep)uh8*~z(ehNgWA zkIv>52pQ^3?my={FXN>23Knkh9clF4cW`(|lOgx*dMKyp+p}-c5>D zm}%yIo#!}BP$i+xVgjVcmj!l;d->wpAL1V?L6MVmNPbPCiFP`AGL+bN))FR#-5EZ`0Pk0ZjfBE6dDAh#f>6r#kM|_=D$z| z@K^}nwA`T05&%iC2?qnbfP>MQwK%MTfwYD^>GbU6qIZ09e86{AulG)Sd+_+<>ytO< z!N2JF^z87vy^Dhm`2lE)0t@^zDu(7^2QU1%C|c5AHAbslYj{>+y%_5O)d<%!=8ZU5 zDp|l=H0U}-UkSWiU)`{w^?soLR`n&g<^P0tW))5b3QY>UgZJ409M8rrlY#=xhxoF# zfS}LAL>%8$tP?J64S~mMsRV;vRA>M-$t@5vf@cSNFJQRn_xERq7YAZQLj!a8!@&y~ zOO-%ZFwvt)t=Qv;CR+IN{=H^9;VIlF0AG^fv1P)JUS9$teaL-}%)6|)kA0@cy36X?q!V)a~b!bE1H z(&XSTH#DQ{a2+V~%J^sD6l38~Gy)8c&Dc3qk3JA>+);aoL6mY3vYefX!b16G8}NU2 z)#vyR%A!}gN!BmCjtHp|0msoW$FRq0EO4EmqjZY)1#aUA3)`((TSPlao5RE@;Da7z zL12_>9T%eR1b8G8zB}+Azp@f5)vE~${^IVVeni^(3uIK}&f`FR2 zc%}VL!htJ8h`b`Jnbvk8LBxx_i#>rz)hFSHcru>^p~SM)6C2@DR9Kgi_{!#xROD+x zePv~hW3pLzlPr(%7Zt|1?BPfKrXr8t7lfVVr`=q~Ak-maCyli6eQ zho0t_)BnK#v#0=IK%c*ldF(!w703ep&o;hu^*@id9`F32|M?Bue`r+>pS@APv+c3} zIFC}08NS8Lh*LO<;#2pEp8ncb5J+S6hxx}J<{$qv%|GD(=Lh@yC$CRSMj+0of}Td1 zd>|mQ`jC=EYX@QFy>a3SGYBJC!+*;b60}jPimVh`R8=3JR5cPIt18u5G&DfCp#?zm zZY%(}Oy>|3ea0t{y17Q1W5}BqI=Y^9`~It3R(b3{X?Fc`_MeZpzuYX_e{TP=|NmkC z`G)}ThXC;JCjb=8KTnQdmd!u;dzjfbUoF}tR;9eWJ|ise75^yOY8=e@$+wFh_y=3ONDh({l}G(be?qfJuo%;UJ0$ z-!Uu@bwO>_y5|0CREr;79Gvy`FMiN=gB%_s$oeQO#29I%*UvxfY5;743lnCNsARI- z(Rmtm!~S3Fn5WtNavl#T)WGUSl=nCI#j0IkR4g#U0+LeV1r@`*FC$zdu=+%Fv0K&d zS7{<~4!gl&P8p77vNY&^oG)l6?4gy-qCVfBp(+yh1!x+GmPZrLo2(xt9R#ONf@Q2f zP%#d&g8y+be&%39TtN6L7C^Gmm!ugVBu#k!Cx8HAORN z%6@~PFokImC(-U|U7aUb{l}G6LIK1=r(spqe0i6+C*2aBL2!)ODp;$n()i4xblpnH z!FfAW@;7q8@2R#ux?fCQ8X+P)P$=4Eud}(UVkn1c*DR zmnJ{zrRmHxO$$kWB5fL%ZlMQyh(Q{1H>IWOYP~dDrBnr8xLTK%!tWN;UU0> z2$uFOh?g%hZZId2pe--vlLn#~53t~~U>jc0PIsz1_tA&O|JbcZ5wc z)#(8_f2VvTgz^O8sN#Qii#wZwP#4C-UVZ$h#ILY6M%>15be#aC-jN2GTV?*@a^`K*rZe-otV#U5X^x zqGW%Z2pLlh*_=qq39oJ$kpa`VN7rzmX)~z^kW}R4S}_T0RxYf+UPjkF8d@x*@S-qx zIJcxL@SO_t_lzMjczIdFnc~B{lB#_-ex~<`@HlFy~z`Vr` zDZ)U%w}F1y5NHiK2&$$DLETvll|xN2F_N39p#&xtCp}%1vE3-297sEt&Een~QreL) zW4j4t3z%&+q~qTNNF1{_EkU8(KMFxSHkv?DSkftT5W!(w;@hRL4J32m^kMd%B%~SX z?m7gB5;gL9lO%iShy?JE@TRQe5;|OmX$;$N*3ki7IZ;VCj8u4)A{CEM&QA~aok{gg zv)Q_FgPYhS{t#hk{)mD#0TYI;0DXmO#!NR!tsOL&33qDh1odck$3Uv0rg$^thBDTf zQW#ok+GL6;WQp;vNr&N3D=)bfj0HnEITc*lwV(qDZ;Z0J1b)n&*7k6!`*_>d%a?`L zL~B4yTOY_^%e_jH_nGWo-=3WO4fcqG^NYQ+i;nZ^^~sxK`&IE7(Rp$3o%N;&iGpAa(41#5oYgOs0uHS-@GOrDt?2wZ@@cO>M%U#)B9!qHCEzthIJ6f)d%gDq#nnD|$3jH$ijZR!o?^&MR-okt9g$He z1ur=MEna}!=YW=WZY4fGk&kek^*E1rq^;!PJq1#;gdH@~NBJ*CAy)~(^E{*0*W?Fk zW#rR8jjn}{_L*7(yOm$IS;JBbgAX5~{^5YJ1$yv7i;jEcxKIx>l94GRO+4lLT#3#! zq#1TdrvuS4`P?HAC^en4qnZ2b><>~d`N`itbk*C+laJT=sCb_U5*-8uya$a zN(z9+rr5aJ_%nw^b7>+K`49PcNQlTR>Y=mDaF7+oN*_mXl!)Q>EIn$G+*F{%uz19T zwPllD7^1cXH6!+UhfE^)D^Uo>0HqL&47Y3722?5IE5+aA)P<8-Z*KA&>(XM!up8iZ zqSZ@s$rc65%pskRc@k7!nXD8pNdj%LVO^N8&kwA%{$$W2?(1|7XE+QuBLfY=X-e#2 zF~AAgj?*+ly%^mJvDqzBJsjs8=X4kAO1?a@iltoHV>{`!s>BSox*C7?RK#HRb*-fX z74P1zDcaON4Jt)ewQfMM_!xu|n3+@n-I$bNF-`EJWJK?g6ys#XWl=YU!SW-_-A8w- zT5Cm07aCEFt)E~pQQ&4ej~6Tpktiwlex#oi%mk)z8V?2-Y5!J*t47-bmMMd8VSQe6 zKv=dRz5x+b*r_S2t|EXkq#ev8Q#a*jCpak0tv|E)mY99q~Pz`Y8ESiEGkJge*sCdo7gg0e-qjfQ;a2@HWq zEhZQ`g)UJCtYx= zig9%0p%ipC(L>}5gMp3=t=9nV1Cp{a)S`T`DGRDH@dvhv$s{m6<}?p;`-0M%hi0

@>y)YNwR>X@e%5ruX7&|eqP&}voQ^njI0U5u@xE1H7% z+AcN3JB6v_x#T#W^UThbNlMV*&EboUSBEdeG-b-xIl=zP>(_h7FPN-s*a6VQNQXAw zIprHE;><}O36(j9uU;9M7o*tpV1VKIq0jNKIGA#`A%S2q!X|9$SMwZ$bd)D`G`or> zXh@d67jL&2EZc5y6y+fOAsygsh*B3C4dKeap}SgCza~TKwQ>?? zcY8d#(^*lNzhi@s1(cORehjt{;kPtbGSU1aSgIkju#m}%030i-ZL zYQ4zi-s(Eq6~M88pt2C5T{lmO7*xDjP}2{CU4Zd-_uNv52mOK z9l@I@lm;#Kzi>4mh#$F~;&IYL&8D{M z92%Q|_>QP}A?U%nKaRpw2Akp>c__1>mO42vQ&VNSE!A+B!~5u#(>BRTvI-s_=|tFC z0uPi&S(mUxC7$*TP_F_&6JnVbE2&jg!4l_|sKwji-FhaoPtLA3j4KeB$iPZ|_?9J; zMFi-kjvXA#T~rt9%P3e}H8+itWxeC9p zWGj?qWQ+!CDDO@#Bmu#u6UKH7cdi=dz6fgn3Ix`kz@|YfM}llH4^UK{ zvdXx(Rn!Drz(YTMMHQ!)4VOUom)*VZVnR`M!m^2PiDEh{m8pc z;9mdZd(PKl?XCC{8}z{j*<}`vNQ!OT#*9;?xC zjFx5no-vm!540Qys5!o=zF{@+09v- z0bjp3`0n5+*mU0g|JnQZy*7?)VHlo&;VRmiZ6gsO1U_WO1ZQK66P{r31{^2b@uOcO zwV(%`wps!+iQoHqZ{z)L>|3Wgc6Cb}oJnTmnb_*?s#R61s#dL9M^*IA*8hQNc^v+> zyAR(A>g{eH9u(ArxsNJqjVFy}CG2IaE_DW!p^1xXM0vJ9+GbOI6?=I0lQ5D_d^b*8d7Y*!eO#+w2r^b0A=0A z?a36)j5yc=O;+@lg4M%Fx|WX#TIBb&?I>9gYFBDZAs>rLEd_i(C- zDM~XY5_+Ks`B4bb(+xMvkr;Tz6Isb(IFJQbTss}Nr~L~upj$x{^vQ!$+EW2{M#C&i zF}C&!-`k)^3{0g#p|v?Vn`UMSqm3&TF6>VudJ~_c+u&HO89T-gx?18(vKo0uJx)`JYI}`_{J3tHc((f33V$GMB0MxlPJrsnm?$h?X!(JC_stvhRQdsA z0U{#h0%nmQcG7Xzv)e?26_K*iW#m%`y zs}m*_=v!3fFlOtG^`|wmHzy|)P3be5dk&m2akl~eWvzJtiL$NPWWZ2|ZA>G#wBKVHkl|6hNy{`mg>e=q;Pm;c|(|Nq?+0BpT(z1!dY zDJNer??Z9{3{s|V843FMw3FzU=8Cw=tALpvV-}ylGJ<;*QTP@tph3Wh7z?w@jm>KL z7U(W0&aFn}k)gPQ&OyHhNjq=koVVq3>t(>9ps&4jh6k~XZ{a0B4W|8;dO)^CI6MzI7T@FK*u;jSy}~9TZN)J>Bk2`w!i}7PK4_s8{Me1Nd*i|6!N~ zAY-GuV*qFIf9q@OKL7V@?cV=y|7O&Jv&Ie7{sHmW0%k)n`JgM5OmR1x- zIPE8}S6cn71Q2GmR6dIH0PS{6{|k_yWznXj8GTt-I!W((T`2=bH-wv_S1tuJtKS>_ z{Gs?i_|JspXn%43@A1?1r}_M!PrknA|NbcUKkH>_JZD+`tcR_BZqMl5lGD32t9KW? zUJw&EVD;{R*Si~L@7mlRRk{mi@2P>t zfzN6EBp>>5dpykMPDyqdr;|b}D#L3x8msafNuUcZ^SvseudG40(CKfnfu~XJNLpc z8vd8wuzl{nlyHOYOKs@xz2?}s?n{c|;N^{TY@KH$kK=Gz-mBp_J`KNIJ(-NVS@;tM z$?U~f!H=Pd$gT!${|)uJrEHIi^W2%Y0l?bXo3h14{rDflakaJzmGNKkRzT84zJ;yb z{nncwUhVwo@6Gd0a^WY)+dXQ%+&$Re-L?u_dk5yYPxf_O4-F7ZIs1!-I54@6j}P~@ z-~Q|@LWT-QXRkeC#F|`toXrK}_@PBkJVA?(Zq!dR3OU#v5Bqc&Z0lp#^3tFNUvF)1 z!%4VxY|Jnw7C3xrwR{Vg7R4ywYgVgeG%78MW#JoYXlP+u4gI+;Eh*>v(gkZD<1&iXPY*wwPsXNmxZMh=Ph< zixs7w7cvOzo+c`2S_?HhB{0-sY1;Mcwrf%0mx8WmreNxYk+7Q&#MiQ4T$mwpz-Lu; z7HYJSlOwhmo~_2`K3_#|e?L9vFoI_zH~IM0FJd%gmlhAB|QB z-nmd1_c+Rozo=v`=rBq?!O81}dyzO(F03{M0$Ti41!kU@P^la@RYeSv==MMi{zCvo zUqwr+OYrx95D8?DerlMzaIqXnQ+RRr)&)Qo=nEvoX+YWV8KCIYF! zB9e{WjbY#87}c|d$F2bUOyqDY>L!=kyph70o+Z7J1QFzDtWHd5Wv$yKpEI)jjTi0k zou4-B+AC>W;- zpN`2>5(><8Ay+gGolSM|6XvnU%M>OK;2donf!soH9Zw@DiV?^RjJm$Nq475K$89Nb zI_6m&P9nGj4Pj6cD6w!;tDS==xb*_GXa@hTY;eM9(+bHh3Pw-t9oMB<*Bi2d%?b?+>Hj;K%mf!Ol-R z+X^m}1h6#@`3lc`&OV@nc4z+>A-kZ}6OQ>aV(Yxo(Qg$xsTmPk0N0-HU&6iM&RI5Avk*n+ds5+ zegcHjul<*`4Z&X!())vVd#_$%QH4+LAR&;&$}G6{(Lzh-rt1vN$2fb*)FA$tK8%&{;Ng|p1;A}*)h z{qK<9SZi4Kn|{)7(VBz1*JwOMo{S@}2Pc(o+5Ks6k^-5O_}lCpvu*?Jq}h2G>Ts}v zA8kGklZ&pPkeo))p7!Fg;*2;dqLb7_N1#UrP0AeGjG<{9CKXPLNqjEZZS#XB0FN6g zka&MONj{nWDnB>sVKw>m9M*D#$pK*X6eD8);P`t$bVR_g#2;@vWSxER;+9{|r~Ytgbq63zJJsY_#=uH)6pTB~_NByzPWE3TAC$_o}rGO16TG zEB=mN3XBORh+!yo9xOUv0T!7#MfM%G=>YDtRnF(ZVtzb?PuRhUup3i8d04-Qv#!+_ z<&Gn{mEiUp;fn3lpwIa(PDjv%WW)MGvVQbnL6aK5CS_*iV&hCYI7aEAtOV*vrj!wM zW_M9v!5jl&96rQ@Gm%Lw=SnL zP}d;}c@59B#5#$9i!4Ac9Jw+AB}*sK8M+%bwPujRXVbos%xdJ(#m=sF$6-{6d8-iw z(SfswylJQXk#l*nBj3xO4}`z>*fAir585tGrb>Dxio9dNc>y$g|J~l6U0NcgOyKl5 zmGbs0s|L1-dy?^ud;n!ypH7%~sxNd@%Y&{>XS4t?a~6Q1KMEN2>_SqVSErZ!%y(9Y zHP&sJ^aA#0X-!9D4Yp<<(l%yWaxS~5)u-9^kn%M%<>?MF8(K;`FC%YsTu;Ak-oc;W z2omYF$5GLr-|#OWK-dEyZq-_->~DA7CwFzjbXRL$pWG7EvrwO+Um{V}xGTwmR?z4Kyph0x9at&pske`5i0I7w@+}EV98n#9)2kqb@6oK0%NtiR^BRDSG!e8m}+DBYA2p~>0i?p?oo zR48ZwnZCC zvQZ4e;P7*ivNX*^!`hiC-9rE(^x%^Cg8n+0c2#m#5&S5{PY#>Tmstq)z&M;MlsX;4 z8XOKdmLI1+qaKprB%ZjeZasP=T~(3@Rr-O5p>p6D6jE$>QXihrfpEgoXJh*Q{&4GU z3of@P{9x61cR-veC5QM$O^tk&kA?HWb$(q?e}18MsU|jT-pYg+rLvwGRl)+nD0cFO zp#Z#1e>r@zRQ1Yk+NCxWe6MxFrE2lB)w(+tC8weRjr%_lq|~EV~l<4o(I<8+8%=ZNtXs|MSVhU_n)(EM2OLv z(KW%GKrF$Vr=2PoC9{KtW8-ED$2A??{m3-TFFiKZP|dLsFoVNgFzh9`NV}bKJt`(L zh3k+!^kd8qtaPj43z)SJl_{|_g!EjXX+X{>fEP&7S2NU2>4E&?j?67zJ|KHMup*n3LM|I2Ujp>Q>Vq>v@&@bjLH>FDe z1F9F|%l)9rN6YZnY&5W$fx83R{f^VJ-UwyJxv(CFr-fz>VxO?Gvw!ev>v)UI6!s5} zcei({717XQa|i>)9Z7#QxvJ3ZoCG}%h}T>1_Krgkl+swmr6HACY{M=BX$-rr4U&}2 zMR0cy9H2%o&n`+f7&6H4p<(5KPG2Gw`UCr%UscxSE3{{!X7TzlyO(1TT1On_C?BPr zn@D~v!h`D!7m@~7OmS@@O1&|spH%kF2sFx6E0o2b^O-Jpjk&Q1Ni+{RCx@KfX_@t_s-Yi(Q+5Ap}l^M;0W`Xi$f@*S{1eC&}czHsyb!EH| z4_s05QYOYGWUPy7dJ@LsIJHp~d0`G#STt*y@M3$2@|=8nDI*|qMzDNM3#iE^hAmQz zkQZjF-5*)&#**b}OE4e#B6}kM&NnRF<2eZ%>cDggJ<1icWQ{`ou}BGzmEW0dyo$1F zxuA1iuWTWq^lP>VJ3td1e$48ayXXtq&&wDN_D-CjV$3|YY|xdJOAQ~x&Lp#W8y?hPKg=V2i3x6m^WSPfR;Bv!QKSG$MN zawi=d%?SHK(@Xeww7~;zqrb2+Yllx_{EI$Ql~uIQTg{SQcXbkH=M_bo9>CWSZrCoW zT9p<66!r>1VTGDuWQFcZIoNS6Mq;H=F?5%fQaWH_JEK~0JsKaW=VZ0xa9^-GZ{Y;` zcTPMX8^)@xTB}v?vnjee+xlrV&CW1&byYG*W9;vd@+gDfa(^3ONN}1H6{dT1rR{RD z+y(EO(G?&JqiDDAw^%Y&;X8GwGbHR`amFi}(^jR)DmM~+6|L9Ma|X!Euq)lF5mPHR zYt;t`fB;feJnE?f1o#7k`A8=dby5J=2!UP^zJeK?$bhm@FBNVSSW`y|l@8zyVZvA_ z6BlD!Dr3v_XnEwLh*m2PbJHk`9|+8xIL)zD=0a$YyrD6jvqv^H+M}x~cY`XDVX}28 z!-6^EdDX5vPko-Ixh90r+ccOZfm@0R9>m)rtK#aSepR9hwyjs-BdlDH;QJ$za zQRF6dwfB%%JNNj_urt)|{_$bJ7wY(M3$MD{@f1VEP^k^NvZ9p(-)u=UOha;~PEKO) zwt@#rYdA3MN2kSR%GR+d;jp4*`N8ySlsfJOb#v6Cl^{}0xrd`Ckr)^;Qle3ujv1xw zb|7%cLRzD)g{3~M;oL8j7Esf;peEH@4keYFA8SsB@mRWDf19)V+cf=MT_&q(Hpb$N z32A0*iX}$}O{Jtp0Rn@zN?8N#o5`Co9s|8iIZ>_w8YhA zQ&)}$SA5YVsSzPgr1)6s91VUXQH<3H+x_T{a0m{OOVPdPA0Nbj`*HN#ni+7O2VFHkqC<#E$PP7-UQFD>;vu=#ByadJ4pwt*goM5 zk0$u{v*8BR0c6fe><)?);iB;2F#%dxt4I8w^5XNPkmT>JCp^sQ^J3F03>QqM4E8VC zm6UDHNstY1@ZN&n(ezegQkm_kP1K=yv}xQTb;p#g;YmV5BFB5*b7pP_ z19(7rHX9irk!<#bl#kFfrD+k=8kY_l1rvv4f5AJ%X_vn$K+)AYZ2A2=K z(JtC!*SiC=%+gVC&@|$z1f~Fm26`i`>H|U!D_XiL=%f+TlAJQ&<)+W-TIt1_7l?o@ zG*lyoN;4p`#YyK+_j$?9)DmV|@vqiq%k%YKHCx<1XLa>hGxWXDXjsnK=%!-R32R3L z2PB@JvP$-c5t*P;KfDFEp!BbLLKFr!EOtyS6ucp-LD~JW&ZVWkWOYOGKu+i6f~4pI zk%Fzk)wj`ZCZPnEGAcvI*8oF5(7}WS*->gJ;Tsa=EoN5vw-E(+Aah&-4;7M66x&Dm z1b~X|oF}sKxOl@ z3EEXB0Ct*Tj1lTbI#I}%zGPF1bJU&odRKNs%7A;bnB&*ny<*tzU?!}U;m!qP2`$)p zv1V@~v52*>VAh6uv9!5TYTl9g0Job}#KnDJr%R`YB ztxFXEk^xLl0Z-9U+E07&xOYY8H94NzNoP4IW1EuedD928eGjk z0LCJT!uAmpgp;dqi5IgzqhIJXDlOT)Vfc=(`Zvl|eRu!$fqf_wIVr8ISdU~&L*8-(?K02tiVit#)7Mz2y2Rw`XPsFdjB4vpL{`D!JyA4BfNs((5xyuYKIm zVGH7vFO zim8;_EG<)vg!r>rYQb#Chtp+zm8mGaXUx`d#AvAMF>AtG2s^9gBu!t%# zqU6}6I7UREP$t8tufh?7$Z@%}%ZqkunBlZkf!KI!G9;S`YeMRg!sBIK8ErJ5aiE;Q z&i#|4L^*x|EgvUvVLK{e3rbbZtr2P^8KCn`$yL}&ZM^Amw9iAEXrBPd1^UpgkV=mmW7N> zJ>s8lj#@{1TR-mn20solh!VcOM%Vjj+_D;tvmS;6kA=!jM|aV8>^{%pb9)-p#Oj&d z-QPXtE*48c?oJG{;0ilzX1R1E^D`dT;ybRzcFf{B?4f$x$NbDkZsE*2s}$yZ#3|93 z60A7%PQ*TD@>u=2R*&@M(wj&bhC9YbwoKGgG?<3?#_Baw+D3T`rAzs6=f4f~_In^RNMXf$Z#7cr-kibuA>M2se6 zoYcsPXFKYsNH`kq4E0F4)jxHGF&K|D3W-9g?qFdk1W(jwWSx|HQ)d`j|g5*m|r&<1wytFLN`@grLvv*}Z1$H83Hj1_m{IY8u;er^`8 z+j{rlX-P1PZOzN=-CS!o1eNpOkuaaO&FVOig*T{UG=|mWdowPGiMXK$u66bOVF!!# z;|xuGr}%HR*=(+xn1%gw>m;PqJLS{d}W*95dCPF{IQ!0GzW~p0Uu4~rz%_lAR`whE`VQU#5PLcw% zeLr6>9>KUlHcY(k8d1ayVr6_|!9I}|@32rx{Pw8&Zt z00`TLvg3BGpa-a<`o*sZ!xZt9sUPl*HU&f34N7l zCIf}ALwUqJt$vipLMi_a*%}cr zyimw|;sl%9E8bWYLJ>U6f3oT6DLk~4IYZik&Q#@_EH#WvMT^MR^~xkD$%^7YiER1S z;4p}jI7>LXgXY>SWB3s+aAaE~2(``7L@Pu&#AtYVgxJR*)qw9&^n!ygqqdLZSxG-e zIW}01x$$(+g5^5ul@WeL=#4zV_}^KomwM67(-3{f7=pIWM0MD?2rv5D%AB&YP*;gQ z8J_8Ywyshmt(2KPQOm5Hj7VE3%0t#6q;)y6WU6oy$*Y0pkbm(eqnnPt_Y9ItvDo)b z_7@5dJaan@8x7{1$`_`DU)-SDJ;a|SM?9EQoaMFXWx6kq29vL9Xp>qrH&5~`@u;G> zv$bwGM2{Nrg<)!D&kVCj79OA=3x%R^tFm;ksE6D|#Zr=iRf}LSP3!u&HU@%oipHbg zqMUF%IGADqIcup|NUnyXwS(*`gyv7^L&P6HFUnt^J;x&^p?u_4;9#k+UojG-Pzg$G zCuO9Ydg82isxR-5tGIx!pC%nToH7dFOfjtGxUN{~ycs;%NN5fG3a0U}FHPBe^H(%R z$-gJgRdDdBTwEoEX~@>PG$*wT0>{KfZ3V2>kMa@+FFfdI6zMH=Wle~6(mP5 zR;?FEsa^;x)=(9`A6{bQ>pC0MNe5WzV=PcG5UG^sPh>_iBRWRoC}mwmdm_Ueu&Pd$V(yJVOybq#QLurc>?*iVPKP zOWBtWjiiQcCb5EOst~Pwxx4>reo~pIlZ5K|`-Xp+`&Bw# z3i2?=2d@qyvQe3iIR8V8L5b1C0&}e4YI>k-GHt(LoOvaP&2h@K7%ZNJ76n}`ttDY- zA=ffc_}bZ-j;iW9qs(bU@`b4hfNP2{)$~;z(;2Lw3$CQ5R7i7jm#jL~%FF;?L(jD|oi9|FvGfC9wG*Xtlg zUn&%0s0#`!cY_7e&PziE3zqaOhX?+~m{>E|@Cbvx{1l)=f4>ewbR~ll=?x*p>%y(@ zLcUVg4URDrcRHj-OFAp*z}oeB@`B#JPd1_yS{J=ms)&keBK;^H<{whH%|H2QH!>Lm z;a6Hvi?Xn@zM(40*InM!qdTQ93~VJ@`)FI{J5g=Kq0phmh?0dh=r)f1mPi5j*LtKWVX-(~13_L1SdT(T3{IU|r5Q){!j?)~$1B-Cro{ zHFF((08ix>Zq5-jQ6lbzi3lny?)+6YxP303|EMgo2+8Q6o5bz2Dr%WsTnl%EBi)SB z$;ykQm-LzAkpaQUyRKf?`(wQx`9roM4*0_^9ybm`0IftsJS!{x%0})JZ5hG!x)?R; zM(koU8}ttar*=I8;3!~kKY!Sps{bmsA|}Fxju_m%-^EcwZ8)nTN}V$5>*u%M6DjPg=+;1Wxnl!rM&J~+l|<55YxAub5zY2wndoGQbaaJ5`Xh@-9m8`i7!xrE_%$Da`EN4?tc zzdd#bby_m0)BK=L|8;{}mqDEd24!7?f{mJM8T0h4q5=;0V#Jb}dSsUmDP_cX+$?Z* zGSwNA!visvOJxymj9O)8pa@PdJ5x_uX0C+rdppr`H)pl@R~Y^GTR-l!_I6)>xBu>V??|F?p&cTeOs4}1^a0TNoz_L% znK zZk8nH)h=1|Qf}{^{a1mIL~P4Do%nf<$ZD|5;+Zaz#j4JfL~mzQ&$WKEb9{}~Z&`h1 zO_G9<@=71MUCT6+ZEB=Q7?up40vxN7Cp!)iranZ zm*$e4Z=F+wlj)xoWT#-vKKRgLR5xZ6o2w1S^7DyC0`Gr&>+W*?I726tvC=4Mr`?od zPEAZGv_NMpqLH1&YuU8V4theU)NYs~Opa)81PXFM9?>F7X&y^@rl*N;91b?PX~!({}Hvm3P@a64k}pamA^*E3fEEsLp z9;c&;B6j(ci)ha<^aJ?bTKh9T>R=jir_Msy}VHWscvtqB&~7XKQ(!x&F}&cJOa_U&PM zBQ(pKjz&Xtl}@sW6S*mS9)S2)Y&soK;2GqGqP?HCk9Xd@-P=0e**@5Rz588MSrt&! zu@H=?`Z9^)OLhu{MaIcT+f!J`R}m_N(>573WiTeGPuqgCmIrB~ri9*(c|Vq5cjNRl z70goYqU~Z+!(wA?7q^kFaoGm8i7m$#_?JhDZ4(;Xu3lIBycnQj zX5?%rC>#r-fEkwS@;xf;H|0NoRXCmz__%#}> zquIIo$~Nniu3b!2Y|9i>B2%i}^aAs`YH~)IV*j)K+>P9GqU>Bcm>_mSiKHPhgXcvp@-8k+wke6tO=!(|If*DSDRq-(nAV77-M8oait)OS3K^rs|>1O zi>jHp^N(q!gCd$1c|@pULOJU52(5`Ip8o`6-jQq-t;Di~bKkP178=+}s2w^o7zi06 zKeuU^K^z@Z*ti3~9;FQcy!Ydq=mO(ns?OpcY*I2G|0mLYMuc(h!f;vW`Q@D~a5`~T z9&#SI5_dc7`hdV|0CmcBkJeU%80|&oxD zx$P;22~Oi4yE0q8Os+v{ASMf$;K7 zxN(9O?pvW$timW7sfj2-#7&1f&Bws!DWzjlDbzlP6254+xCh}hD{YQJa@rf7z-pI9 zh|#K&OMx)*rUGWV2w@mkfPPsu+-P+mjZpX)(2gfiY&3QtTM;8FHinj z4$>hf2eb24DAXbMRu6&QG0fUh)F3~Y8Gc;z?q@f9^i=!x&PQ2hP1B)ET&epgm`8Ot zAD|dQ(LyvQh{w=M63x$LIvhKMqKUliG|n+?Z(?++;6Q@*T^HB(NkRl(HU)Oq9JT12 z!24LOh2!b@Jog+c*?&QgTw>(#!au!anXGZ=AzH_u0TeO<>mxBY3!V3AH2 zibX(n*fH7xQ_xC|Cru^MD2zNxVzM>HkeD`uDQBkMpDJvoL{LZL%74P5xEzkpGj48+ z0$U+twS-?7MN4%mMwXt;7{e2p8B0H8Hp7ltzk{ocmfUcJ-MPGFW_q<42a>!Gs+f)n zAE^BIW;>Gz5ArZmlT71t4=e>Z`qun>9#yJ?;UKB`RBlG-x1;zXv2$xlz#ods}>WtwYH`aWhMUW)&ny_c- z#8#?Vw#`%DxY_!qqD`BRWmpZzbX4mtr{~C#b-hL(PS;Rl3_mk5GWr+CJRbI^Jph*Sp=F{P6t^1@@6}i;|Nls@mt}4#D_C8oN z%Rphw)ee7ilk4@3?$)y});9_#l#eH5==~%|^6RP#GeQiNA9DEfSi2Qs0yom0Iaj+DnE=b2Y)09@Z0P+?g! zXXk0Jhh3;U$Ox*5-ftc5yI$=W=z`mN$Xh#=WGXf+omyoc(Q7zp4uh+euYvU$38KC1 zcQ|kg9eRzWAqjziR;IXMi5(`*r;{%p|II$U+4`w>Cn=9gqg%p?k`oRhEHAKwd|p^)@CdAxlQf}-Ls zAK{9dACkMGHpAP-3ke2Hh0e&88=p>&N#|Pu2K;ZP zIwO~7+5|A*!{ax*`_Wg?M_tB)%B>!0^LkdfTgdEldaz7xS(S^vWG!1UsF zr$HXhzvo$CEuEX51!}p34g=@f*Sp3|_L|pN`v$Axzy@NxT4718V6b+;*xN*VU0q%@ zp(NOEQYW~))G3ZcFioBeX$JITR|pt}3p`ge%@&Bql<-zbnYF@R5jiKwEa9NWiHhe4 zFxw0Vm^E=+b5a@(28S{AE%ygck8pC+Yky`WEGh$THism@kNipoIvCuML|4;6@@b@n zLa^kj!SG7%B0Nv7jME8rCV z=AOz~+)Y|js9%Lb7=A?CbtBzTK}c-L-1Wz7w9+|5o(+dLpPTus5Vfh52)1l_EC(Mf zkKh?x)!KG`EuW$kz)pBeq^E`;7F(`)QmN~tk)*v$76m$M&R+h)IEMT;M@a9&6OTz4E(q!363kk6?Zo#H(4YE?{sJ?g=UuPHz#(VeH zp&|V!t(8?wiL{y}z3%EDTSeu1#f{Lac6+vtnyvU<@j0`Twb^RVez^TG(S&h0vg)ZaUw*_h;ZPwX7Od zFyOuV`2pJfXaXX&?a0;-oI(XDnU8S3nHL0%h_M3MpQ1Iw35Lx_i&iT2St zsj3F*h$-~Jse8k(FUl>pis-B^*CgURaaGHT#_&_EW>$4=R)Pze#x@dyqGh#=AN`2- z?vbWuxz12=P&DBM5MjK;-COg|ZB%9a)&dBFa25pCy~%ozJ_rO}4fsnfhW72|maf)> zi3KyyJWhX_3kGRS7U!CGhe(u7J+7+dWipIK)$^RYIHNo(hIFV3H6d|ugm7U6A>+Jp z?n=JF686_D_EzC3o4?y>x9W{pRgoaolvVga&UMfdBv?zx>y+rIZ-P!KI8HLO_S}qS zcT&p>sKx`^3ybb({J~!LVqNyRWEj#7H(q&)tVuV9lYc(OL?pr~&L;-V+r%5~C>CzSU36RXy%oIpy%)eXvSQ4_lJjk)!1nSY?wqYD&Vsx<#bbCoYc@FyB9&SX|#|Or%o#?z%&pZG_-i-n6pHwD!UKUQ8 z$H5TV8Jo3N&(|jkqV|>X?-yV?;IwTEikDT`$jYP9&iAsoz+xduG-Qvl#y?sJ4k;B1xuHPuV|pG55Zc;&Pv(yv+(jJZyExJmJl*75hA4x%yWgm9;caER6wqCtD;~%XH3+`@sR8@2pmCM*J5M{W; zhI&+kE~NwdxseN3KD$HDih4vs-#|B>mGrO6F&$+zu|yqwPc1|Jp03uo=&|u zEmT-cONh0t`Kt_r`YAJ+2O)r!-mp>t%fvJAaA7E<5^1DFdobwjlL^clAz-+(iM_O0JA7;Sen&(~xv@@k}+LZ6U-yNA-Ne zyM5>=VfR;%d9NVFlSmhl;H(ufWWj5Rcc;*tnYDiM7mBxAhdcYn&mE;f)TISd`BHZX z-81(Jpyh2E|;H?oc&b`rEu_WY9BIuGiw;cp$&ANM=R7QgS!q#@Cg!!_J zp0$mepna{Xa9NJEVq*e-TS7;(FR&kJ2kenyUQau{V$U+m-iT&RV_2IRSmVg5*6OW& zk&TRMI|&)Kq)eW^NjsljEJ;8g{kFM8+wz#4&T;qB#i$3ji-g8bIu>MO&W4wg`3kX1 z5iK|pAV*-*uIT8^3}?jvCk9ZN*}J^N7R$C@m9$#R}+?!CqM7=;!_S0kWlOIB;&Pg&cfC0rX*z~*z3@kW{-Z(iv&EHTGg0?silLwRVgkQCeg1MM>3Oe^Rr>ID>-hWDo2{R;T40b|<~}Ie zPQGUYHYT_b)j-IVz{IKMvP$gH%<~S``ft{X<3u}|(&~}woX)FGM$m(J1kAyN;(j#! zoM}x%+d{F_HAp`QkDr@>(c^XDmw|-4ElJgOtyc9ZMmZf~V&7KO0QoqWX37U_*rW7K zeOLt)DyJv$<`gG1nD$R#B>^v_QKT)W&XZ&$pp?B-cdaC(x1{H#nA2H19(3WAid+Ba z!ikBxrj5=Al-L*VR2TV_#B8xs)gj>WiI+pdEUsm|c}&(n>RZ!0u?ALZ;S0=t0J}*t ziO~HvFlY|2%;z19Wzkp26FO9!TE+n_fs0yE8g_O3kzb#l2|AiZso?88?frLQzYb}u2x@=P5%3<=Cgs|@6-Oqz^ zZM=uXt-*E!(|woiYE_5`>)V!QscLu&o|c2w;j8zDHV09w6`8Nl^x#QFJisG7uAE7+ z*?=%Q2m(}V;Ef8Cq}wRq6OVoR#{GUglAPgo1t8jo2gfboe=r#?{eFMAd%RPR-oW90 z^!?W1&Z{~dbav7kg1kvZFhbMLtJ0L>qH)I59f~iH3~9>^(;cVEhvVd%R4bTEi0rw_ z$2k;1=S8Iffv%brU(@{r-iAml)Tv|ms^}}u9VrdKn_9FIS!o9dp>$?{wJF&qtj-CJ zDY;RVnzWH@VXh18$p9VVXv&?bTVbA{HZw)L0%789UJIQ@bzv9$Y;rhCJSgvMO@RWS zH%48ZGpS9eXchAgu-0+#fOz1b=8GMB`m8%~8Dvt*6tKa~TEI(?*hgel<6e*0)e`BI z!g{yiD z3Tn+wdSPNl$0xl+Cqv^IPHe{=7|?SiEm_crH2v^2*Pr!H))%-Dtd2S@{IId!bkw1Y z5zcWdAqh*HUR+pkM?RVYoe_nl<@#%3Rz0iETPXoN!}zl}YjrboNh-A?H#;kQQ$fiykDs{qyKG3JwzrcX&zau^~ot)rks(=F`0cFNF-- zI^Tr7WG;Jm|Mh_#=X;7eQe>9xQ!`WdPlsAq2NGjIA4vty>3X5gw@SlnQ)+ZliuAe6 z|Bh^<#!WmtUhN*zM=exF(K)t@09l?XBMC_*FslKx!dOxbn1#gYI8;M3ZrmUCx$0nT ztWdM0%p!P{f-5gNVlZB5REi9Yi>u`8IA$C$1F;HXOKVAW$nXYi2l_%BZavk3gmpA? z6AmCiqq7caQor|Gr&Fj73<*$#i>jc2*9)gcZee)gR(IO#i5s|zjjNiy9HV-EEV)D% zttc~v&+RBE|gd=m3ek=mQ#C!$E=pIizth8-U{>w)Cl-AztzD5q>q; z_d!)D^?QXjNF~_t6uni?8Fh2C>o&)gv61`WWBzLZOf42lvF1n2y%`6nDY3 zq*+QQ7e!DGX_Tf-Pq|qT>Ac7p-w$X~EX1r8#>s+)VC0z5QCr6X#eT1YSpCm50eYMb z`w97NB4sA&Hr$oc0X9!hE%wO!mZ`Py9yW7>cNdHrFKu}-kiBRm%HSdFh|bZjhQssh z!`@HZ-yaaQpcM5<#q$qz2@hDmN6f!` zkq#kQ81|B2k6^-%4y?(t%ie0r5K4H?R1>`+bD;%YYV93-=OD_jcl+)Eq>5tpcGwnf z-hHQzz3G61QR91KQBx6`UQv0uOJlC9u>Zg^3=(Q${`44{?zn-A#NZ0Ab?z7LLqV7$ zXPN*x-Hv??7O9W*RbTLQaWQandZwZShBiljQ@REMd5(x!gpfW!ilUrQc0)LBy`Nu% zS@Kt0JL!~F#v!@loVJOhv$!x?b0V1J?Wow+P6UM`yb(mp(O2~Ms`Xn6sD{f+Rg~oc zwEfKb{7X}`?~eEr8bz@r{O2_yZ=d16=CE0IgO>us1=bBnS|4?vZOD}{)H!XW^)s3*IY$a&8=Ulo(RHJWQbL0b7 zQ;m1>Htepe;+a?s*51= zqcGCH6s^sej1~$2=aj77aBfs#)rf97#trM@PO(6}gjCgN$85yDGtlI%vi2O<@kS5G zQu30_H8NMZQRWMTX_IRE(}kBsqtt)GkzFYB!5JP9Dl6p1wvP{p;TH0I-l9_)#0@VK(GfAD7K zjb*AA6j07JyCo+1)(KKFzX7XZ)+t)~l5}b%j1yR`6;%q`zm+W1yixhZ9Kn&xf{|G! z;Wzgz${~vvdCu^=ed}nMCz3a<06i8`=CH3najiYqJ!{Vyo;X3T5Ul{Gz?57YSu>K+ zUn4QLm8U7_I3r;MDQ=#Z)yax3Wp%OO)_2_=wGnQ@uhIOi+G{6xyUtzLzlt7naK7TZwlY4NZOE$)X@fV#Ynx+WCs@BK@Uscr z#Ni&GGux*FVl+@IYTu6#>@N~YjJROi-YUR?sKj{A{#tMsY!kXPhEc88 z)@UP7W#!Yb*O`^N`($3iO9e+JNT;Ly92EzE#2uqeEn#3<)+(1Bm@cI>HaAg8+Tm>q zGaUDuJrgY{F;Z@5D)v0)sXU7Zr%A_l92Ih*a;grcjGYbKSuAq}(J0)IHl0FwSaoAq#2bs?Rg0lcYNA-2xusvnqA#q`jWVJ6)?*CRDr8lj~h z%Pj=mAqsL}HS0RE1j1&A_!~1R^YJ$UXY?D->n#7*8_lipSuL7aaXP>GtTKT7l%5t$ zsqZyT6YDtQ-DrkqdXbmRt>Yo;v58dK^(bVA?0}QFWw;RXLFCKe=Wr9`i8maOy@Cx4 zrO`j`93Jf+?E5AUnE!)luG1NyZtehq&YBo$fOD3tWyah<#Z9B)C)4hSzcv5T*48l$a%5*J#1wtbn*;}@%qTbW)kaJ3qHII6zhbABidT!drD+O!u%9<->#XbFsv;P zpJg!H?Ly~GJ20a~WvtQ^&Tcu?v}d`kZVt|k4O=O?wDC7}Z^KKPGPY+0r@EqfSFm>e z0>+EizkONoOD|yldC2jBHZeNTH~a72w2+LW8PO5P2;#k{td20oP!hM#swpgZHwy;a zAf+FbR-e#>FU5l(ovge_dP#r7eC^67z|gpTHm<7D^=N5zsb&gJ`lFl$sWQf8gu<#G zCp}mV7i=98txy(tP9D#pEqJN-*m*IT(6f|$42$BNU z+S;7G$bq6B5gNZ*%Q?A(d?{>%@e(p|choVjCcCcYuE2f91H*x9rLK62sz-B|&4GNN ztGLdCL+3V!y+e{jb7ZcyE;$nSIy;O4n$NV@UqHm*+APP&bn_c>F@SHgM~$>3pm33R z5lH^oG6?4$yHN>}&v0}Qqm*)G?|HrqUYy*RY!>>X`!Wq4yP+4<>_%QbukO5y?yj6G zKM}>wAbXz%fv?zhG$Mbo=#4a`$&Cm{!Z(H)-sP~%)IKZRWut3)DkZK|j3VSBGPMzr zB_GH$lX>=6oO1jYo=1c%&1%>@a4C4R-!&%luDotbY7;^;z_i$dC~r;)SG@JZ6PtT& zXoUsSSL7%VfnJKq5q1=78-Y&<3lB=QWHXj$@vPWX0P11!8O)QHK#*of`Og(!@ry!T zxZWF0v$xrFVJ+lqRNz6>oax+`iv@vqh356#`#8%gQ&6?c#tGh56YXQxPLnL)?HB0t z+8lk(clmegvAg{Q$<*&!_y&3{_<_Vnw_Hd@G!%9SGR|yT&wf)!(Ob<+C|FN8&Vlg- z%jr5@BLVhkiw9SjAoVml9VT#_8xIGkb&imvB2f<5mB4tj=|Bly_>#h~DT=T1o%#rv z@HKj zj1`(-5IE=-oBR9^+LK{~M<~C|HpI}(Wx|nCIz#5I@zgt+jJp}D`B=Y4TzpG~%bEvn~B(4fYC0h=A&LVrZQ2uR` zgu>f<2m3p%qy4S7N8cYD6NQ8ZXj8DC9wLP+7v-qeZKPOl zDNzSS1gEAID-{n?A~DB`-)z`@W(kBu1SBRm9(1$~b3-CL&wD|$AX^u-oAA;OB(V`M z#8>%6TPP;#l<_drV=LzSZ7Y0tiE~^#oBKvpTC?Uv9Hb>`yiyz7yy+^j5zv=)3-I2IGh4F7<>D(O=<-MGF=(b@g3d zX(vl)3*fURBwtMjYH{N>g#sK?^K>ZDr^IP78%ELeJSwMA`q)Xu9}QN{?eMDMDgLV|z3Icgp4ZT-0O8~ixj z*>)WigU&X63=g{+jk8{Sp~Ib7jsocbxR%pKL+G$bXQi8rHqzm9hxnv7c$sU=I(}Xx z!8tJDG#qmyzR$$b2^^$A8!ja+0iXTcHfoRA5=cK59Ppnl^ZS_|+%(O%_up1T-*<&Q zIyC;=%|eIn?tEUa*>E~;C&hl<*K#87{!yIBySH&7w-!UW^SCK^^Dg{;PUE-hP?1kF zD>jtJgE~HgzPRksOo`xKpXR(f?wmVcZOQ;M_ruQ4TU@VY4wSAWDw(ub)v4=DZjJN5 z1vvb9bZxGVjKxltTwjO3ag~@dEH?7+W2WY_sZDiEE-Z>cuvm4;ZdgX$X4M4T~Bp5tQiiiw+;Vm>>Lwk9iaCG&IdcLh%BQvMByaF{3H5V2TU)@nJ%Itd8Eo zVz&1QoG$~;oxtL?=Zo32Go%PkyxLb_Zq}j|;LG6eELz$7ZKX@LQIY(!a`D^B%Ec*B zeEH{>MdhKoGJ=o2i_tjgrk^7HV`T!byBXzSkbk0;mk}mlfvHFICX0*E+6PL-k|vpQ zu>Oc|p`<)wpzq$5+WV);ggmX`8^)+ZNp+fZR+XRt-qp}3gvQlaL{8G4BaT~7YaDnX zHq+In)V^#)1uwEJtSt?ntKRd{a}=oi2mt4CTF`D#!C?B@l9o6y+z#tvKWxCA&y=h{#A$ zajmZW99GCrjcUn?U@18%PtoQL7oLe*X@iq{lGs-lAa^}ybU$YVqMPK;DT*}Y>L3r4 zC7+>k`R!Qyw-5*v2==TxS?&&dKDUgX*E@44ooYQVm&HoHXH540NO!+l5r= z=uOPf@(>mCtI>^viC)dBQ*-Lo%&|u6?zyB-!^;LS4~A(on%zLqrFpgI(nyi!Jm{t$ zB61odfh(jMGB9z_>R^cX!=0U{lFkUHbm2{Q^)788%8J^4$}86ZT? zD2*(&r5%kuT3AwrDP=i8a~<{j61IuR0g%u>c4%gAkhhlnUL*TRsbF2LvyGs^NPc8< zA#`>c;ZQ%msp)qj$t2g)2!}JR4!9 znI;hq;T)Ak@JSp6E>)@&htAYCt_*huG`7quSZgxn{kTmTl4s8Oo2_lk5o|{e9wd{? z;rJYPPwVWG6D`{l7sN2NOCtTaZF1I@;`kkRH9pCPJq!bgJBW>F6g}qfmWoor-QMtX z!;7A}tpNby;xlh~6EB(URR2WK)5SRr%V#G@p-jY3$caxsc`jS z?H8(!s$D%?e`Rd7=K$#}21bMOq{YnJb!lIDhCp9iOEr%mr_!vLFajFrG}% zjj?dw;TtZ)N8BWmlWx#PX;__IESBlzD89nXz)q#%2#aMHK~8?wBNk~da|yV_jmAS{ zd%{u5@_`R>#Ll(+F|NrnwnAe{ZzS#*bZ>LrET(k@q|S{wA&5aWFmgb1p+1B~C$`Rb zcsh=~FbVPi^!eh$M?$Uzu|4ef;{nct{0gWV#$~g>wHng0$_cStlNTGN2zEe!U#{UJ z&C{H-WOW*GCQ#AqR{hc_c_dsU@jkihjhHs+fsAu;8e29?+QQkJX2O|%F5W!>%nt;Br2J^Qe=2ss>pnaU<6Uy5$j_i)SJ0GUfbgGJNGc zEgk^kMxaC`=taN=r*2e*OsVR{`r=_mq7%wjWZ1fz73_f1K}vG6>?EJg)Kbr&Or5fwrV|cxei4sXd+7=K z3q>n0oM);mS4U4MtNP(dWjW4pAkfbZT#U%(E*&dnlOB1{^rWmms}HmCz--qrI4MiC zBXjUBOLVGOo&;=gCbFGicr3buA3C)BeB)h}rJLO(5?$G36vTpaPqSHWMlKygk_|M3 z!$O)^6LQsHP5C74qb3~x85;^P>BIklj&z45%4?+wSD3PWHH97hu-^P=1#-Y3BW5;TZk(_hJ(6zLq#eMUEMrkU(i&MMNJCO$(kzm2O}>okfHt%4 zS4lJ?OMk?Kdc7%;(2208#T#KgZ`3S%`#o;vEDN|dXuDl8Er2sBj+E~Ldyz}Xij1T3 zi9|0QFvZRpHpsqL(y2g;zlCp4x%Vhzk1(}@`}*apoga^Xe!Jt8f3x-TOWQ5U&f-8T zAJ;|EQa)0%HSC%RTah(vDOZ$lW5r&}Z&>FRlgyc|yBZN5Xjj82WdTG>Fnt@YlMkf> zVAM-uSo^Yaw0@1u#JcGi%}Mog!ufG3qf(7B%7-Td;|<^yP4xXU4ST(5baX zWnvezO@tWob(sHdx)HE_oswPu|wfQO1q6^U#}%p&}Gi)=b<$)}=m%Pd6U?`Es3 zXX$QBSvT0<^t9P8jl%h}7a?464mL=>;aj*9ajm-A;Vi3)%PAJVIQVg#1G8R!P0#_H1yf>cZv;U~|EMCJhY_f8J_~aJm$^C*TH3R5XPDV^ zFn{a_pN3uc+MuKXT?*bg$^Loy*nG@|AIZSaT z<1n3~yY8l#DG%r|l;`-mx3KaHjeXqGxu9cX1K)I75LC=bo@`%2bOL27#!T)Ik5(eM zJWNT^W9RBFxX?7+5TO711k7QNpY<|pWkW=~7Uq$=I5r>Zobskf8wSup=qA4RJ%ZK) z0~*NcL!1&hpyxXBCAg?DfXFiHH;3ISFVvbzdd_uoc5hDHfzn>8w)L9lHy^0&j}0u# zf^mJ)=gOF9k!a3ZgyaXgI<-KreAvc}U0KW8t27T+%UP|{FxT!Zbg05UeU)5$~);a9~uvT8( zXn4`OnA=T-#F)&H zr|e&8J8)a$Xt9mHcD_{@9zItk|ZvD2YG2!%GV^Pfg#B`EW$cB^-y3C%Lj)(dYgPo@y#WN#Q*b3u3F z+`Qtno}oRX4)l!{VuZhMIbH@f6||$a_Oji&T7y(C%o5_KBC88x#xw!a;$)LiRMA~U zP(48yed5D%E(Ew!uT|Tw?QpRH2?2Ilq4_OHY=K4bP-eM?>ufHTQGR)l4)UuHl;{nI zql$^PH>Yshm!jU~X1ew^8gn=c*KUxGgF+)G%X&__p<)r`M7l+`O=F3hkYDQfg~@^y zUQtyEn=Osm{eH1zMa-8}&O4#!%etZy9D2DntFw=BhYS>(LJC2VOSPS&QXi(bp*aO~ zh0eV~x{^y3rQ8kt#Iq%oOYQdg8*!sS5vV6IGuu`lnixmmw_cE9GVxd4N ziKu(i4&SoPjZ4a*`@C!LzzLp9lA`^Q?$+7?#orh?0M;SwMJ)B=>D!qv)Sxtd=xfy0 z7DEX_IN`9bdewP-=1ZuY8_c!1_}L8mb&Pin)Pf+Hvl*Xa(}>W-6%v!Oq+}kDd9#v* zG8fN`QGZLUei1~5iAy2=%CU!F3USttuLv*WVQ-Gyp(S0$T9YvV>vxK57i;+(W^T`| z&g45xfe;xl1GraI**X(%XK0<6&#hS3F{GGBOAG7}U#?{>Zcb&JkJf=O=!dT{*=0rbLmPMFO621bNUY12}ugwQj?3cjZRk`<)D}6dkYM{qR}{k zn;#o|(clBNS_XHHq;wT+h*uwWR>j#=&E|~_v?wzXIl-D1=lA|m0C2ZfRx9&Yq%@YQr&{;ueRU6s!Qg|*R6ve>Jhv>`uWY??*0$0{e#yBdwU1( zxeHa5|IeQC>7bVm&Z~|r((#E5E-mS%c0M+~y}_Zm(Xe1Ic}TEap~!!eS5rK=iu!4m z*+(aa2qK$^eo^*O_)>!6+y+z8F(&P;&#lBxB2nX;UBJ*gF?rzb~lX25X_s{4rPxQ+g} zvh*-+KMBI*Sz-66wR^Pv{UNLsomQ@v*Skq#Rd-&|Wi)!&L5rvHWgk{^KmNyXERbl& zz^ioNzEX~)k!t+q-VZly{N%=s7vS+M0sN?DBdsXu7;NRwNVivo3~GR7Bl9&fmYeGnC^*-!&O#8>UsIY@qXs z{qHf1G`>RLa2OdT>%JTdua5rVtwE;!$T2R27uAH3g{%18{@cUdA6q*IZ}$(5kKVm~ zTaQ|;*YEbXk9QCDTdf&hfdxkpnn380S%->5Ixi9Sd04!jtWSF)evva#U(yO9#r%tK zs$z?jAT7!wyERJ*rNCx~QoWAV#Q1;+`L z43`$eu|HHnmo*mHqUSWdP=?~+nH4ecAeq24080a`xxlxW$`@7yCoYM)J}!snyGjt7 z2Z%P(7QlQ^3ri#{7X1>wQA`P9Ko}T{xVYIE$18UiB9sn?g_()YuO1qHxH*1)Kyzf zBot141y2i7BE$dVXmoa!rR}&UcxU$pWKS`uVB{VZq*0DuPA43=hCF>xtCU5w3w0{vb$p3IG;u4`HfGC~f`X-4VkISLh=~16RW4kg;E^@X%)Kf~ zfXj3O>u@rJgTHDvW(D?BrB)=FN)T1~EmxT#tq9Q{kDvuaCAroy)4>>+^#m;^XnBRH z0?|E90A}}X7VUJBXV0djUin~NjDnscD6iv1JvZ4E=A*sV!u827B4A}_cmKz&y{MnW z1GG3v#tC1M6>6|>2g8YSJr_0Btf@D!Vg+W+#=?GZ+@z-*P6r)t@Nx+Y;7~3#K{VPx zX3c$2Y+@b3AtA2sQSD#7?&#dIW-NDfm7G%k0W;qz<=Slb)6;Q0DdB>rgDgEAke?vH z>RaM`sUi?Clt4yN1TwFZPHN_5-U-%+dmADHf1~zwf(D8@EKxU!0W(R4w2bfO!tbqW z$8$KrdeC#UI*X%|^z;q3bVLd?h(`32rHlkJbf_8UNlN`af%6NMx}5O4gB#_a z$#@7;*MN*5mttmXjEJHR`PGKczaLa2AvpZI6E#q_yqiaNOvcJ>e6?7ShI_LDxG098|vEN$}O zpj>-&<&@*URm4kjF{EQWs=^+muC~$F^v&*fhg-)xt+$6etyk~fynUV*mIOqk^T|lX zMtabqNQ~b3{-D)rkJD*uG=|IL6wS&==Asa?!I@0s^9`?~|B_B#r-Nc>rTTdNF2+4H z;JCU$Hc|Hb4WRseD^vF~lcJ@Jow2LgmRZ6p8?oR29QWwg$jJ zShk$u4QH8U*K!Jlz=_K%Hbq;@1;nMEd}yMhDf}{a7}t!;RSg6PDe7%!4p-B;$kueAi#OFvR<5>C6vO>4g972wQYBO zP6{E;C&mj~WouVMFrvh}?7KLNV}FqAH~ttL@m6<(`#9}S&XA$ZI9N8m%Sdgn1VNV^ z@7PbxZ3)~Ts5&#pBE~5Me~vi-xG2F5bjQStu{)s(&)W|yf1UoYxYI<>NB3J!R92g} zNufg&E{WF1oXy&vzIrY=q{yR3+Cd0|dFuG)PH5JWo?#{3ulafd{5R$imi%ZK|95jU zDh$&z?2mv;w~cOeG@W1?$Ko)v5*VBPQZO5W8f(q0m`)7)WPt3mGPb96ly(T`#&i?2 zpJ&MA()9s0*9mk?#YdH(_)yU}q8OhT^G-I*1gBPirpFCcTUi&`wdEa`!NcpHR&{>n zZ_|PQRlVWwc=`-`)@OO)d_|=~x05Twuce(z=gF1T zo_Zq~V;W}gM9=oOp8rwJ!P#^|v9wI%@<#RjgfoTdzMoJ=C-ZIH|F|ygT6DnnS~G9+ z<-B>yeKObxmOl;6E54L%U0f?rz-r4f9dg?;AFLG@DxHN&dwKbS3d(e-}#2O z8H@_xm6ZExps;-L%IC<1|0P@=>1J^q{L1w#pA1vndMS8wEu$>7xgXSi^-X^4t?Pet zX2vMcH;YUq6rC(8?|+eXs)a7rV%6_dzrCq(W<<&JHa&Tod(!rXr}=XhURsinwl)`W zua}&<&eG56^d2I_pj|;)L}D;pf5c^eXX4E2pkVUe4XS|#q({eF$2%sl1{eI0eiT-l zp4VZ$R8w2ZXlj}?#>a3mLJjJtNi?}ch7bKY;p%=8pY*OUPC*B$MAnBhS!I0~C(}$t z!|eBw6BN!1;ZccBisAiG-V3A*Fg+Y+6#W1?ImsH0#v*cPgc=lV2tQ`p@+%FlW3{2RENJBOEkggUvidqI&e|dB1X$d0G&<;MUJXE ze|_HX)Mo1BBBfV_9}_1GLXTJb%dk9c9A8ysJ>~kutAzpbO$zsU>m+8~Du2evJGz@j z^D)pLb55^VHR#=)>wuj_&z2d9ZNat`PT~2(Oq8m^PMu6AvY92`2y*;Mr{d)23q=%C zI5HSRr-KJV{n2WCF0`$z2;u^m%OfPO^0VTnU2Dvu2$br7jNu02)z&tO@gR${O`-DI z6fCi==#>~l3r-3Fdz}#I)}jnJUMm{HrJ(1k{&S0Dpu~bnhR7!DXir>GpGqv*mC_vO zNnXl3k5&I6`rs?p(UkW$gw3&s?@>UjdYM$Ic&KvQr*g&t|ir_;iB4JGz!>!XDBc2+|41k zU=6^CS`BHN8FYp&@-o-k&_NsGs?yJ2>-4}k2rKD z#erFo92}xB;_i>zXK++g*`;WyR)-JknnI6i{=ObrCj@{%bFoiPn#IKw_U(WmDyR*e zog*vnhlSgk<%ha3ioV+PR*v$S@j&5ptpci^rddL6c}+3weg52!X(gY|I*C;T*XY?DFUz zptJahXTSiHc?_=l7-LSOM%)7|;rnts9!PE5O12S2N0v2TXUIl-bhn3Z+Z5xJ4J^5G zH*OolK5dY;=36n^fTdgFt-0 zwXzO`+c)OP7RZh8ktrpNF4qF7J}ug5Y~9wL&tTGszlhT48$Ht7uxfUW$i)M%prrPg_#l_?4r zRQdvk7cAuYmfKqJsjU?hCt4(v(E~Gt$5!G>eb@86EuCFlFym28obc{=J;elxN4HlM~9sAfSI_S!4I(9hr2;3PKx+C+&5{Az@ zg09;Ht$O#BVfG0fUL7(&GLNRPGks)NZ!qaBOlMo-vyeXvy(KcWf`iuVB}zOAWtto8eR&JAC%bv_3- zh<`o>MiYSUE;Os}YTJ274PC{RrJ(2=Q7)!4EIWtJd2&T3h_cvxpmYvmWP#ri>|g#| ze_#|Vj~mU#%b&ljJ%0T4 z(`S$2@2~&TTw8BGUH?n;^v{GyH4ydhpM3r$nE9yDz8lm$d-9}U{@2#m*4NGaKYa}I z|M=@?Yk!IUazFoH{12-rVYZ(G%Q%>Rip=TWOHan}_zJ#bk?M90zKyQN>FL=d+I{&3 zp2nj_v<`b4b1OFgCIz>qle6JCdycpq#)U(Kv-0K4!8-#n|d_i~#z>PTIY~chf;f z0>`5_vx?0geYgJ(`jchw?Yjhq8TX>M)01A>#@c&nI~iaC%`6(>OA^YRTv5f>*p(yc zO7t3~dZ*~s1zlSPYFL(ELkAKDyyxu+D-#I#pULPDrThZIC z!{goUcY9lh(c5>2Zx4=kP~eax3ekkp5Uw?%@nr9#k`oOR(q5*<|1(UqM2tU+FEBn( zJ4w;cm-9njZ!#%7E2BqS`Ic%8d zXaeN{#_O~T@L%_a!*M-&IRw%P#oug2&Gogl=E~aR=34abXp6M+i+@eKur|9<3%cJr zI(T=uy|egNz7E>&qP4}pqAI!z6$b6zw39^NK;KW3LF4R&^)8!q(xLwfGaY#EuCi4M z6XCv|4q$0@@SWYvCprr>Z|Hum#N*Q`W?%tO73(!~LhifX(0ehR;55T4J>-M8$F2Q? z*51MP4^b5#08!uVkQugL=7-(AJ-5tyZE+FLDriS;)KztK(H#W2Nz2=%kMRn}uwHEc z7CjttPRZ)*Y+X10Di#oC38gY`V+4vz4E=FF;O!5%#9u3HhKH8IL)`#*3@nY8KG(6t zV2I`_p%U+<1SY6~jasQw&eRmBo>y=p1O=;vVyaQ(%HsY(i=tU4}AP(ab*Py zZ(=UnUk1M{;(w|JIjo6}T8=K+>_FMjc{%N-@XoG!z#cTwb9{)R71*m*0~nYe{}Cdi z!AjvV78a9C`Xj$XW#1EEnrJS|f>?S++NUi)DSjM-F*e}>WP(6sEo>eG5UPG0WeGIb z$$;*6k%Yo(?GQpnu=l0vIabBFSIDH_R+^ZY!^fP_p-OpqBQ*FN=$iNfL|Asz!2IAcQ5YZi6{e>fvk+%Xq&Q08cF=KXYBH) zV=Bc;wPn6k+n_nE7O6<`pR$c8wtqON0!jwYa}wGaXN(a0&NZ}WHD4x zU#NLmu!G?sp${?&1!-lyZts&@kR)=UQcmf{B^{^>y4zwU%Wilr=f(^)#*~u<8Z0+i zQqI^!SL1F%Sgev8-y^OsgVaGW9a||6-nrE-u2``@&zH0aj@?sncPT87q|7c)E6OYX zdC|(TCqm~wYzXuSMn60o(H9>+&T>~XU(mpj>={|lpE9%A(VCL z3c2hdS}BAI3-K2h@L*LgR9wCx;vxJZ-W=+STAuQ?2b^Ee`>fWr6d8@-F#TkeQS@5A z!*RrsdgU`cEAZNaK{p^F=9?ewfn&3jVd@e5%8w9T+Y_=gLML)X4|Eg>1zWwxKsf70 zx~x8{HAd?)SBH!?boiV6=Vwhz!l&^}+XVpz;Ze`CVPAXI>&Ur&pHOn^gZM_9M2J1& zuDHxAW`M(q7)0f|7lO|Fz=6ARj#sIriCh~xd}u1VeY0km;LOv^_+|}gO5?WB873Kp zE5Ycf3RBtaCWM@zk63QKI8CUduOGwRW58y+)@aVdO@&46_I9lYwutY)>ZIjBGaM(; zQ>B)3Dt5=n2d7xsxSk#)`PM>y$Bzk}$~*`~;ljv6j>~x2E{)9G_Q^ADtzH8gR#$8n zKD${bxh6*VqO@0lR@-+FF&pfP@l$lI`~C3My8{WGH?YF#Wz3qfJ3!7YFE9fS92Ymg z4YpOVL#o&S*^uWgoG~ab=*NQ*rWI5H0nz2~6J7gZ_0ca3i~O8*`0LNn{BKKly{-Fb;79piDVsE&00|>7EDxb zkA}}XsB6qXPXFZfMQia3bY~Xb`_m~v{+ItLlmDlK?(oaY|JR>9ewLU2KWW~}|L^7h z_wxUH`TxEAe}??Om-f?1meUEK1Y!{k@a z!7t-gJDUO@ZimiLIsvu_JWsB)HJ2sd8;n)dfTr^vE-J9`Ta>_E1P6B`6_oD4o#=dH zF)So(lMoI|u=62>;DKJ&(N2lGi|Q8)2Fme`;1%9X%@qyn`l3E~WE^nQ^z=dC=?GWQ zEWcs9I#)QDEu~w)pS|7kkKqdtMOQFvrtA4P7Bdv8>QAh|C`+g~` zNUGmdlO$Rsqyw%NsZ4`}rSW(jVZwQm+TojVpH&JJ&Gv3pOVJGVQX4Dq6mR~p^RuLG z#1!hTwgWTIW8(V=3sI^e<@ex2Oc5e(EBg;ZWCx+$w-jp_k5N(JtcTofnwZTyGICxca9HbnxQy@zDeQlSyQH0j8&LH08ciKFQdT}LlI?l5?-jn9RZT5 z7L#DV`AY%ba~h^OwM>>0Q|XDc;;C5aRHSfHK&&l5iZ<8>t@havBk2-(KbdwdV&6V< zGcl^TY#8NrB4N*Ii9j`yV89BmQq+(~@aBVf3?j^xHB1jj$u7V`+5m znk=Dfn0_2Mj}iHhaqX2AwuU{^K4G7|A))i6n!&0LsY=`${dE!d)Y%5z;8=UD33e&_ zr_T8Ug`yYHTJ+5~(PObzmk4hvUm4Y9J6VsK!zCe&O z3IT4ay7d)wu#Z-wwdU7wgg{f8vnAaP~fhTk%GOX(*6G9wQ5? za`4SJyf-*J00?7PZ#qM$elmSt*L_}wKEneQFYfi)j9%ZW%RiVduN8NBEzspPyUVjz z0Nm(cQ$Snpbix=|aBtRWU{T^mbXTsViy7K$l%8ajhF7-sBuOYlhVl_XM3Q`b0+*j& zRiHjf&@a8Iq>8F(BU@xBywPYw>gNG_hq_&+oh7hUS8WL*k4A4?i({dldmEXsj7c#l zDoR$KOBvOn?K%`5VAPNRZpNQlG(YV3FtMIA%2eitWxSH8x8dZ(NZ!_;KKm&C6jf@N zEy*|Nw|1GZ*9v)9!{^4sP6OLO_5};GU>@JFfVCiM6$*rrm}+hrYt$rLdwibD5Rads z(Tjwlc(T5uus>J|&XII%b;|V@F06`4bKP1xZ7X(A`X#*7HHN41AnEG>L6Tln9c#U!v==qzI)2(Zi- zmTM%dKt@n(l#owBotG!2H!$_gy0nTK6-e98cPVLT`65J)G3XABH{y0L&NA|bf0(V( zj>uqBWUFckyThcw?QNB>vdWaA25;b)wW0fX94j>&joAyA@!t~TlRq)WCwGSN z!)svNB@z#NJ&eGwC;ux=c&Wym{VG}r!wH;fxt`@aMx@Bh-{7 zJ_odZ>@<+cv^|=}?e?TWHLrF>$k4^a%$b zvqRpQ#8s+4jb>;WG}gNc0%Lyr?K_kRBhux4?yLw;nN?Bs`EzK-KF`ADN$)%zHYR7| z;bhWF8tJeF7aodkr?%_u@oQg!@ZcDs+y5EG?~37csL=AOL=@45$a{W5O0Pq76H*r; zyw5yfzG_2Xau(F2TGt|uj&Wv1M^K?E+CW33Q}yVn6BGohf3+Dsqsi?jeZ0%@5@=H* zbm~_7toGGfO%s!wlZ%(V^WB5Fr#U2~`jx{GJ2Brkymw-D_8E36f>2VdgTw;FbX;9u zTv_-gTK?N(y*qvQd)^dPdR) z9hk~Q&MfmT4_mzDV(raL&p>(LF#F(SoC4GD$YkOF)Dgt6YEIc9)wZItA!=O(<85y7Vj&k zE2hcBhvk}=+Xr9PmhBWR3u@VwG)uBhRS9`_iU%i=;QSpu9gs?mjvgS)4>J}SIT|2! z-s*@Z_I--CvQ}bQdsZLtp(9@APv_yaiU2yy8LviEv%=J4IrjsyuM#og6 zny~Bs*xm8RZx262A|>Zvu3FJeqkw2$+heE5^Csx9b6a;DxObA1o6g~LigS>B8uik4 zI)M-AfSXM^IkRT%JoejfL6;l})>7#3GsEL&9+#h)K0l>SKXZBgl(_u_eKafFp?{YHD(zqb^=w-o;0XDQr5Gr6t9@7}%H**`vNeQ)fAb6+e=T;Pgf{mf|@JecH7 zet`pu`z4mZv#fqY)_ZUuV|^SJa%k1%0Mj*YO=<;(ul2~v4Gaf*87#4?LST;E+5^e< z!htWpx;bglo)FW)qSUZTPu;;x$P0c#Topz%VC|{0=yFK+08%3Uk^8O(8p$t`#pNaQ zBGWUxp?P63gNRDS+Tm{}H=PBPrAyvRE5%;^EhqbNQNpPQ{q(=W+<6iDIVd8!<0TX* zqe&@1+wEjDVYl2h6L)fDjcCSnK=$#9?Y4kn$`wR6TC@;QEY3kiFk(7oIJCNy!QV-1 zkbQW({&54%oG1x-f0~hN^C|KD5=jHMUvN3${v0h|nD?s>$SPFzu@;NwRi4 zO1yqikOt}&cZgCFkIXD&1*wg#VJ3E;Bg>8~hhl0Vg%Cg5>0s1Wk5b}AFjNl-Stw--`KW4)bs9pPcJp3nR zmQXKHhiyHYM5*cxh5w<%tLlwT#cH;Xno}w=>5sbh=CW5LZP;FXs^XY%rc#c_(dwhx zD)ZRj&Hk91VoRh0&@+oz>mHZurE>cw`Bz7y(alFjajVfNn z8RZ=dqMQ8rh3%PtjVcsXpswB*_+AW_bj{E8B1p(O7)Xv|1ph%uXY)W(Rw`wXOt`c% zNOG+ZSjCWj+&Me~WR^f8)?r4Umi}j+(E+zWQ6=hS7$43FNijIZelxwfAW7bx(muVN z2a<%$sF$rL#Q5PhyCf7sYPui1M|st>9w{}UVme6%Ovg2{5yV9){{`4yb^tzJM9oiV zhva-vYr+&-LFYxQgp9#1uFd zS5BE{i;Kx8An$`nWt8+K!LvN^NIq=Yt=l9`%i7Xct-YMf-%tO8!fT`3`TzdkXuY}iEZROBqjyC-h+dB4DY66KwAHJ| z3BUSJxXkrVhMyY4@#zakC4n?x9QUuSni0JW!YNnH6zB=GVg)F3hEV2K&lGk4&! zDzMb2OgCU*!jhdN?THE*&_0ji32Dg_^e2g-FKmfA8#DS7LZ~bbRpk?anLf8VoPDwvTsz+_A2`@b2*4{{HU%ch)@@USd1= z@~P9z?%wgvAzWmwcdvF{@9sl0Uz>e!bg=zHYkTit=ck?R#lJ?9$lH0HlOL?}sit-a z;`V5QB*femDOw!jL)|1tEXtnhqOmOWS8+sNhP&vM7{8&sndZrIPS1y5eEH3l8i9A0;~yGHQhAnVF=jH zMag#`r4usIgb{9dKFv=~*GvbW-pMuv;_+ zKy|?)UGs9G>o z>S$D^nO3qSTZ(iNXNlzOvlXwG+6#dyC<1mljz<)3=~vHcA+V%OepEfPXmA^tY^4OGJ^Nw( zqbatWGb3Jc$n=aq!avz%pa^Go?hMg{Zh@NHEUmHM^r4a8$!FJWo~!$!UzbNcJE@6aoL8P0$4XGI2+Qn4?beTjY@{ z*vE>gtI;c`u3#8TRg1;Ue#jMTZjkL18cl&+3O0{A{AM?zl%r>HM)n1`G95=a_@K8B zkt{{o^0dk(@fo?h*+d!nQF~pRMfH}#Qo!7dS4^mG(f~)Sd3I2#P6<|;+X`y`jLDx( z7QM9(1~G|XQ2mMN85y#3)C^=&h(R_vgiE?brLWZ=)Ph^*98NUNvrtQwb=1a~;^*f? z)dU?nu8kwpD8NEtg$nxr_1~kfqFM7%K$etaO?bj$*|CFArt~|O(F%-T!spC?E))2*~JRn*HW4dD+2KJ6^qN6 z!25xMa_^G%$r2-6kZ*S?CL-BigbT`*k4uVOM!2Nh+9Zr38<0RrMseKBm6z)vmuEht z7)z%Lr)14iSWaIk?>60+1ZnJLCPX8KXB_;p_+jO(vd#M#eOOuHS)`vbQS_Uqf_@6N z>9=4Bf1k=FiHp-HBa+5^)IK208drUqs%@joL5+e>hE!f&dKTbBeQBkB*MFj^UrTyRYie;no{?@qX)V zJ=%JAd;p&gkL!gXzdJm5_x7kB?e4=qc)hg^P-{K=gg3O*^ZI|FrcVLf#vUNXUkwB+NSQ6RMI_pcmtNp0LSxH96QLFG8wQo|B-LWL)mbsAKpNXT5ymU=?Lr**p= z(Qql~h(Iw(Tiq(iBwI@Q@=z%J_qr;niMlFmgroU>64}?~o|Tn*rW@B{Qz-Y?Er-@; zT+E12y;4{Vjw^*7BTvn@iU*pM^M$LLUG;)Jb3AKA?Tbv4bcPzVB(cWZIM6V9taTVrM-q@#~$ zawmrLPFg?Ds$WRBD$%A$#chD& z(Q%=?SdF9AxN@A5{vjNvm(+q25YY3%m;7O(7V##tCJt>%1rlGm`?^jhB(b2H`v6Q#?8mI%|yJ z4Tm;M6LyOvNPUcFjXHsh4qC0XLTr*8TIHPunCFfy0*-+COmIxUu}^4Q6~jGlw@YvU zVUD{hR#o0=!pIX4LBZI-reD}SE4%1$AQ83u6s&>dNtb9mhFgN!B6vL=0IE9%&kcR+ z!XCYdI9<272wR)Csb~tiAQD;T6NaLv$-=S333_89H{OM=)C=dd9wh^cz6b+~^WqOQ zzcYN${f>gJ;kTE z*r%AKwh=`y?S7CSsSGIJ3t(|63({rcpf@MRf({PaSd1Xy;+7uA6IdZWt;GK?B&}d71P_W_uFTiaKPM6|+v(0v0BBnG2qo zD&{Ua)tgv#M(Kv!i5?Y2+T;7q>oQSd@+r4Hn)SW~h zc-2Yv5@~v|72y+cHB`v&YN!PYg%?3*#$&ij%MvV$MJs`5BL-ZRdT?vmKX|kAMuLFW z@VhnI$QrHs>WtD^1WGU-j3=s7laHn>`WPgiCTaAWGeM{aG)EW#GFG{&(@k-Bxm3D-TQScNvlJtL)g*95vPQ6o|GiuyHF zGLXd-+3#aC6?eJGis^CBaRbR6!s_qMn*Sb}?*I!62fiHU$fjN<-%5*c7iRM=Z2E#? zwBSq8#%xB?l6r5ZLEG`F*t2vy!D;rHOp48}UlQjEG}|mUlD+T(K#}b@L0*DR06IbZ zL~`u)00<<$g`3T2FOpO6vN=0Y=K@{GqEu~38ZRG9IkrVzue5AHh2=yg2L=?oOkwVX zd4e0zaBMo62QML_og^s_j+NIpa^;4Aj!KLPVv-IWb=|4auq6?xL>Md+!6#m1wpCJ zahJmfVpIiR7L*!NsgJA&s#GZ`hcbAA3CiEZOd*Q)D=xvHMzBSRKI__9bHErm4vpd` zi@Qk+Bj8kttUTg!HO!Oa1*qND#*L(eV-r8JbYF72wbaltV|k*v=@+?>x9`W2|11m# zgWYxrSY5g=Kmm^?meHmj8t_!WC1IdzV2wDX|O)E+sD;OE|-Z zH9Tu25lxNzb}~9zEe@k*m69KrrDpv}w2FUA5o;b6bkJhjK5W`*n}=$ou!yZ(;7D5| z?eybO#jFxrr3DZkQ2N5nO?_?g115XXn^~hSopAGj6gKW7CDaQ7wW*4Hw$8!tl7Laf zbJkvWhU`QacaixA`bYw((-?_<(qUc?&zm8>aFQg5JR(GUt;5gV55Cp(rPyy(y$`it z8}fzJN{lQ#i{Q*cISP51A)iVrE;=I5P$Ys^d=wK+2PttFbX@8il)fTxeavuI-Fn@6 zx4-*Sot=}8jt_UX-oQ=9c2%O=!zHW9$>K3^wOLs!CBLXZO}L}PD?36M)jMv&VM$O* zyrBUMw0Ed599@yB%z`P!X$vVWzkCuji)FoftC>IMg0z`^?z`ydJ-d4og;iVr_00Ke{_29=%p;{_K2Bjc z3NKlU`Upn_|EMfECR!bdXn27OTzp-%7vP7rk2O8sLnW{xw$R<6Bvv#j32~3u{D@w@ za?;TGZz*5Rx7hdeI<>^DF9f$&3= z?}1DD)UEq6CO2om(HQTVsMm&`VpP9w#)<|YY`{LT>{14!e880!D1lpgC+&7w=RoRl zxX;t&A*B#Y7AFdq&@sA_oWy_(x?IF${zgK6Ju`+~eXlAKVq+3ytVnmEbay&vlP^2! z?X~_Ri~FkDXgoaWC4G~|e0b4o_0Ky%Y-_qUEL15DgkcEd>BU!#U)%Mw&t^AKXrt+P z+)~2UV(yjE*O0JTIrjB|1~ZdNlfc-e4>Bq0`iH9tT~^`&yp=)N@?^ax;{hLp*Biy z3OX#T8zmWAq!U^vNk$h-U*^5w21P6vd>dSEXdc;nM{^>;X3fa^#8Qq>>T#q5sMjNv zh+u}IILIJZVWud~2o^%hV2Z^`gFtpOq?toYU<*4`hX$#)2J}4{Ou{!h&l7_&Ajzn- z>hY1QiNw1^%@%44k`zKViZG&CTREeI6tk`YlkQ$}19HmO6$fGW#qCO=yvIzP>6Jcj zI03vMs}b!FwPK176vSLtQfwJRBkK0GkwrHym1)OD$MfRkN1qps*2FanVI8@pY8Xt> zpnylJhlz12r317FDY{t{_u*cd(Y2qn!OUmi8Zs(jWD znv~*p!#VSpxi6#Cm5QZVD>H+!YPiXf6q-pqsgfiyvgV$u5>pqa-IDA`?lsw&Zzru3 z7O|9TN+wH+6&6Rp)QsC_V@^9y$x&IfCJI4Lj=ZRa7sfPnoQ!%XE8*y3{D0M>z`CKP z=Uq0}^R-_5)r6q1Yz)NwARWo5=|@5OFoa`mODc+JNPUCYf57oq<-t1MgUdClW5{l? z)toA*%;p3iDMs2T!pBVaS%U);ro+yarr$B4=hX1}Wg+=-q-1kpLBpI26?SPKA12z! z=X+=G-_6)KKXVXf^Fy}214Mj z0HvV;nu_q`SH$4|WMV(;(m-1*&*sF>KuIN2GgXDhCHNn557OQmmcXB1MNe3S#1Zq+ zJ_@gZaQ~#w3=}JBDvCsuaYa;A^-&0k-9?YIGV-(}mtk0Z0)NN9l>j$l39fKxVp$tc z?A=583Jf)w$8(=79Yva$4#))mGE-+>wMucTsz=AK4&auL5rg*+>e2D;!S;9WclVF} z8wE6(X3ify;sD5zskU=?c#~?o`?G4*qThbwYSqiEahbt-7B0{?RFmJjl#QV~2s?lX zBrqq;M2pTt76Q~KV{|BO^-JkRjPZh3fD?sk;top(yIAU_K|K}M4CTDf)kNr6;HDvk z6es^`h{;poHjVj>fU(k6QD`h>cy2Asd||he+s|SSRFD3#kv9m^0#IWOL`D9=Mg9Rr zEZFdZ&23fccC-&b5R`#Y3V!&9m3nSr0j4BASG?Ch@PpS`T|%)=DHbwwO9du6bE~=? z6&!2=Jb$X4c$bfBMyRm%DA~pXVJ4~ZfXsK8^`u%=D(`Wix~91?3<5|0GC3k(6c{8t z`1F+y{K9Z+n939i_AL!W4|NZg(_KAkh{A4V?X!h}e#i{_rZFn`7GD;jLX48pycT^% z;a189k)5G(k1|GkFkel@z4EGCztbiv@u)8(n6kyTRC<9dm4 z)g5cmhhMaazDWF)J6J`AfR_?)-KHktHXD%xm$5PRwiX{rMpsH5zu;O*|KaLvQ5H)ZwEPcmFldq$R3 zXW!B=0PRg$1^~TC3#z~U@mX0-+ZnS`m{)$+Ow4nYHF!BQN!kmJ5q*R#nAz7GgcGj} zv~TY%r&}MFHdTp&WJRhdi>D|ARV|fru(oTlsZmsmMi%fnaID22(ZvmB=74*V4c zG3H9;IN()10|l1wliXOT z+55(<)TExbhEE)hDTD%nUlji^lVqWA#;RJzUwORB9Mo_IG>iS2Nhdu9sf1K22UKpA ze_G9!G-%OJ7yZPrzsQ*yLMJ+5!YXxSpgJY}JS2IJep)oy>L+#-&Dmbid%RL>3uC|E z%Z>H!o0kFlO+AOl@{UKrn)CGBCi`C3Nq%(wzFTJmPyJ;)nz#2(-Fdp7J6rOrvQu)r z^sSdO+j5VXvgPlcGTOPDH-P+}ZwKVgp0alH$B*qq&aIorIXhsTOQmhwN0WG|ON;nx z?#7pKw4IX5D&rI{%sDg5r3ig3SW)<65Gk5j;ytp_QPhE6} zykTHU-&g#$a)+>tA;k1whhe`S7k)F2^158&b=b1&Fk81_oqWFOnzEfBH!}|}bBCOa z#mA6X{dSxTnb6#tF}dj(au-L!?MUqHXy%<0zZ}hTLrmN-f~=)XXMsgd>qo%r5lZ%~ zND8d9ODFBKsM@C0PLAeFYfETvVW)KYGZ#kC~5tW!&Qs}|Ri7_-mWYhhQM{6(c$ttnk|X3Y4= zmUWz9;6+*v@uHYjivD>p?Vq3pr)xg@Ztr0KJIbBD!WNNS3V|&e+hK0O0-ko=(!nwr zL-@vO1hw1dX{g-k8qv$C$?l|F(NqW0OrnjZgVB^V zXhzUY$07rU^+YjAu zM|#0h3v*7xN3tcgJIm^_mEk%m*_H5?V~Z;J7A6x z;o@S4JEJc$$Az4^HtUJJeSB)|W9<_PkHHN|ag5y!$^P`=Dod{eL_);<`6`yZQ8OHa zCzM>kjo(SJOiW}PR{^9Qa+Zrca-!uL{tWAkP=6Pe!Dz1rG@a-88OEM|<%Mlfe|ItR z&@VG%%U%wcM}ce#1LnnJ1jH*$1;FdGA*%TOP&5PyeW!XZ9<%bO`It~Zyi2u)w6U%K zM%mo5>O5o&f@T|5%uD5HNvY0S102-YL+aW`H3rd}vLCmy)3h6~c|zVO#1kr2HoSDy zeRd%De47K?HN*+hk+aHmoiH3Iju%E~&5#R>4)@k4t!9aN?C%*iKd|u_3LLkcbZnUz zQz%!-?)RJ)Zw0N_E74c*Lz%Fz{)a@7p&!J}enr#{Pb9SP=XgvU-swMndi5P1^~bw! zc3Q7?59f!3Hq8netT65?`gXBJD*11yCCbl%b-G2{turLkde7Jb8)3%@b7vHc(b`fW zK9ftPPh#UlcF)G-iJZvIqx1w`KPYeL0k-kPqzBtt-#8| z%uF==eweW<44{Xjkr?-WI5K?{a*ydVEJbGp zO0uFb(ZvQHWj3A7n9x4hbYBah&8z&U&bDS(f-VBJJXB0w|%`ROAh(3BDn&u)wD4R6($QUT0v3`^d! zF-IyeyG336md#qOadXTc7rteawh&;xcI_IsY+U%V`P$V?-26@2@x?W7B;-fK9!TgD zMGJihCh~Y02oCa51j7nSUIs+P$u5B61}rZFWTMX&!cy_fOTl2c+7bxQ=7I1m455Sy zmgTXtsUICMp|gU|CtOaz9CT)#1=ewR{Zj!uWju1EGWHiuBDpNuN18}G%W{ahfJ?f( zY|a-2M7ru8HI~zkB=Gaj9+s{0#}8QLqc#wqbuQf`)uv}gI6q*FVZsKz874 z?K_oEJ{X8iI&8%04nE>?*P$A4R|URb8dzB|b3Jf^VA&J$U=Wzn;=_4Hm*+a1XE&y` zw=-Lt<9MFkoYv9LY;KMNdUkWJ;C^PC^B&Q2%%K;rt$ZHmI;3Ye>L1gyTfW9IJ-d19 zpq}0GdpT=IQAjBm_rT7>vGa(O0`d;+JR~pANGY)V!5x67 zQ<0Q|vJdYdlxOonc@~6Hcx2ppX640P-dPlGZUk-SZ=^w`1@-Hqwk4N~rT+Alr3=;a z1m*&AM(b>7?rT%YtyUkw(ypw)V8c4>oXDzK@lWxWWzggct#cDc` zWGB$PodYJF!wT6=^}W}pymX_pi=^{l9= zXTheP6*pBC=t|zCGrd$EHrBfpZE;ppjToCUYQwiMmKLr7otO#@-ZJ_!@ZC&Bb_2@# z?|~IvV@AWBiZKAJnZ>A${G4@Y=UX!C0hQK&x&IUXgBc?qH=2#dtJ%0s63WSN*dtk` z#0_Y)Z`(!_{ycl~!-~oy@x+fo;+Lo%i80|Uq5~J`0?YXkN?tK zd$Rtt`IqQVg-98U{`XJvXLUI;Q@t3G2mJPMbj4BW|G)n?T5qncM@Px{G>N`PCH5ft zCc~%389n{y^kh1iOdIWC|3xEQc{?5qF(gZK=RR6xK_3cr#KyOYa! z3@7!~a7yt4$4Mteo%jjnQAkPEzB(Keg#NITcCYXy#TO#2I{J%cDu~>7`|qN?B*W;m z-z5XmL%xMeUD~GVduf|u9>-ZU!nfI3(!ntASo1Y@=14jdy+#crMKs%pk`y)a1mGeW zV?N1fy|JcR6qt1kw_S}VIEt}k?X8iEYmc&SNX^D#5EEv=I-=m&aFj@Bu!+)0VTiEq zv{xq>P&#_Qd;I;uyW?nU|L5ra*5TpS{_)Qn6zB^>gi}aeN`}%O^)PS8CE6?wCK&IG zK)l&G-2NWwY`xsw+dcjnhwys$cz@^UD0+Qx7;Qyww+@eYx8Ln;9Y$~89lkv{+G#|v zG7^Pr#%c)P8rR62Q7(i|g6Uc^!NAWj*%DiU0$hqINryDaqpNGqCm9e)d^3aD4c4Ne zdKX2ED)OK+(*(!Nc0Jl1v>Wy4=^7M^2j@MQjiU)v03ff^E;R7EHyn=Z(Mz~mV(~Xy zQPf;tTWhYYJ#MZ=(YvE9ijc7Q*R%^uv>UZx2(6=ocZb_Mi+`0&G1j|iZSk)dB(4h; z2JPOolfY)1bkbqt?1l3RZA9>$^^%lJpV}r4mh-tHwEV1se7YT#K}CkiB5jn#K`6ud zot+x=H)i=p7X8<#VI_EOh?$C1fK!~3PP=79-x>aR(n&5Fy^DV1;&esFcpYB)w$>m zxwWwDdi6ZwwbA?t`%c1|ssvV^7jmkTo)va&o?N(P{c;i>P*@Em%%#j6-$d)2jBq?a z3v&XBRt}XFT$;kl%i9`To9l28_MZTN6-;nm1O$=6D@4+HXgy{CQm+h3e!gmR&4%r) z={A_ED0SgBnRi!VPY~%8iK{m}iF;1Gsnkkor=mqoB^tW75crEuD&iH<(KnNcga?-% zv6Fc)<)qTp>peF(9}F)Cf$gEaWewC|GTeW=n?xD^uVtpUyaJT-|Bstbn(H3_|FpUO z_@4j&9r=Gf)dg38$H4gf|Nh_6Squ!zcjFjMY=I3qrC;_HAYAwU25^4^xW571=?$O* zgDScen0M0wtfbEMZVK9c11}4q3xs)xY=`$|=oOhxaFX%bp;FHCpsNnmsUs1p1uq=L z8864}_OwqS`RGMed5?^y6U7U5l3vhN*eW$nPT-ysE|*#5lzDHsWNekhdr7d+mQ^S{ z9l*A3NfMW}B7^-rvi+$gFN8`RcrmYREe~@-FrBY$T<;d{Ky%Ea?HZsEvLMwARTon+d#AgeQ(dre81+c~_+b#u3KJ z$Akc#8uAAWSs+Xhf~@(?V}L-jag5oYhl5TA3|SXDi1d7gobaF@c&CIlC`nat4O-L# zzwoIN$rpaY_hjphA4IwYucT>s^Q`HJn#f2?Bmg+*tOc87d{tE;R>!T;By=i{SO=GT zpH9Tak9-z(ne`%&$edz#RKnm~_F;-U4?w7<6t3&UMKRBh_%Lw3-8FIwdmz1}{Cld) zw*8$pzk?cn$W7IA%2JYGY8MzmJ(A%$@(uW~@&YEcPw3EiK?#TcWXV;m*7NobDrX4h zXJUUPIv#LIB@;&FNz$Vviw!QR?hE1rHMxZK+v%iOE$$)f*-c_-Ajv3IcdWhoM{y=O zztM0C??9bS#*gTCrQjiNO*4X^aK11>Xf}) zC$#VF*f96c|Ung_$So~mErAnlTdfp!P#$Eyw)S=A&aG)R^r z8_~dv8dF{g9gR9gd33KAk1|+}uxcjhsHc5dWsyi$ zlr_voic6B0Bbg9ocwZf6S$fh-8jS{3M6)Gp`Xw^5bhBO84_SD-b9i`gSgpL8V!BU^zQCAZk0DCLg+pH90Yfh-*5v0tIRNJD+2v)q4>ku zj*K8(U1ZnZCN}}59rE?L`0A_F4LrBeOk>}agNIJvp{R%Tspy2I;wr;VIKAfQT`xSG9A{2 zm88=N^opv@$fqN^wEVgiei(UPE@r9pW>$95sA-D;qd;80bV$XCalq(hVb%40OzeRU zCdsKQXq$5_)FbVf8e9~2G2P9(o9pHmndqi9%UURgxt;~oBPge3VMTeKxhtd@ZRpTc z!8r{$`NBPGIPN54vHIqi7jXB8oagm`)?QEY8hV5mtbpa(Xl5t1EMwkFeFul=AR4>y#jmq9MWW)Tb@Q8ic}ixopY1iq9x_9tuhh zF(=Nc?eVVVqAWkEJ`(Y0T?UK8Bw0$xqJezvDA}}RVZ;VfOo590csjwbMFVah5TX-u za0?Ao=unu9-+qhicR*NxU7uXZ#12oDsgx?D5*_0w0RJGiA6t#dwqr);|3y5sdq5n?KtfuSw&&>y-FFYV{iE#BGtM| zNxBk~^piAHaDipIjA@mJ<90$Rd$SA*LiN)#Nz^$U;nzhK8_e8*MKl078}^eobU`>kRqRioGxO_vS67qj`Mx81al=yRkYsn6NZ!Mh7$u*Z%OKcv27Mr0%Qz( z!}yXa7`ud0e~w{>+c5W$(Kox-3 zP|=8E{4_HF&B&S}Gr5yLO-R5^gU>Ka_|imYq9s!wR2<3l zUD1Ktkh;h40&$7&R614;mxpUaN|}Ijz&^ubBIJyRy=q&@tRzMGSW=W5dk_nat0uF0 zAX}{!rrg1`b)#^wrUg9?O|>=Sl;494M?kKiGhXtm+=U=16)cS8}pg zU2s`MY)A*(M}ObpC2ktj>A~8fm{cQsTP|g4eF?~g95|N+XDL@M6{{YE3bGJVl_`Ry zv_tuxZ|GqW7%Sv74`!ldy)b(iyMVF5(qyFg*^mp<%@FsZEgD8DkWEjrv;Q+%s0RGl$hM1^1 zR~lh!;*Ww#Vtf7pdaA>iS{u`4A&o*KZxh_M&4*Eh)$L8QGfa3hoGK|RV?c6VC^(8T z=pc45F4dy42r;di;*;SBJF4C*#$snY#u)-&q%rG=6)_JPjfVq${cQKn&(EOxqO5-` zy#A20B>1D@)I*YkBea8X6!2l}lw*ah7%ZF|2Fx1n3@g#Yj*S>mSSs`WnS`3`F)Fp2 z_`TVq)?M~J*g){KrPdx<$27xx2$1Ru&ZS?Z{&V&$m zVUKnxP$M2ObhvcmG1~?iUhRy`q_3h3*}sZ9E-F%AajPYK1nDGMwHtM&{SiWw+RnkK zZ9dGBNGDm+>-tPuIWtnsi_qS7j$*ZXj5Mq0s19)pN;57=9dw4XHXO+V;y=(t8)i5m z&1xr^jMK>!O*^~R7~%en*J8Y1EozLW6N}I8>QIV2xpD_HVx>TWQlInZYrlmVrN$v3 zlF2ZDSf`2|6T!RH!!0_Gy2aV3)tVn~V&IciGjF@eb@HMOg_KRkfEI878-i1FJe zkN?jii!{&&buj%DZCf%Ia+?r$o$7YY^6c4t`39cGqeiseY<^wGzyBr$x2BV`;W)#5 z_R*_&kS4uoFZm~&B*W;N4m~$|@*Gb{642<5Ur6O!`vl$2CFr&uL3iK~6vo31Jc4fT z5OgR0K-YB#;_=^wKhPby1KrLW$Z`g{3tymkJc?JL+{E?s;iMDJt8RNR>AA09;HSyJ zeFvac({AovO7Fe0nD8O)YS8aWvggx-OsGn>TcbC#K{L)+JO6yb^%&h!P1))ZgOQM!nU{eUnv(B zU7K%i>NB3Y8EF?&+k1tAR(dW%k@685pu>o1Oa9RBp{KQy8Xc^`Tf~Yh@k$A2y{mRr z)RD?%<~7zf+ed1%+(wQ+s6HKIZj@*O$9z1Q#O*V_r>=IAi&a_N0&j%yWMyu?-reIN zY_pj_97%c%fve=oX-8^z$u+6%R*v?DamS0lKya{xRBU5K>4~ZN4(-eJ1kh`xa5Wfl z`@d%a!u`s?_J*hV8mO-$P2SM%$u~=Ylg&IvA1qw1n>cT3XR;6(Ehm+*FSuo7SWqy}!A1`4te%SeW^T(|{0I`+fp&sD_ zTDUv&qEqldanlcU6vI9K0cg-~KvI4K3h^5(l8?N|kMJWb4qW!x2y>N+2|H!hvJek* zH{!M8dPqf4nU_>l;wi=7l(&>^C4&2&76tApBvCTIS{NLjU|l zorBw!SFKu}1$nCW@orfZI@w$vnsyX731wtqCNV# zp2ZO0<7^0UlomsPkFz1bxmpYXK7I_PFe{Ayem#~^nbLJT+6EWyqdl>%vaOpcmc>Kd_7Sk`AiM!Przm z-oxFYb@=LFfA43uU#FEI`v~Ply|{fIaTVN9q?ePbw0W%7MeRe%8(DnpVwm>Q3Gh&y z?QN~0KBARfG>!)y_=h@eI8nG4w0o)Cd8yjEuI6!hX!(}Q@wO_VSFz^fa81&(q17V2 zCgqb-D6Q)Lr{NHtl~6KY8CCB9c4 zPB*O1nc{AT4yF`)pbw1I_zGj%kyaT{YFlw4R;816&N_4qG`e|8$I|8;GB`wQpJ0#ll_6R@PeH?yBFfZ8m^1 z%o+SH_(z6J(7$MvDmC(ZRH<7wpX8@|d6v-K$J3K%B1OXta@s7G$Urt7jfP|Nl<5J& zdUgbkM)V#tsRHujLFPf!Xhkba)=LjjC&0t#&~-VT$V-XC(I81Xs#GX*D;cWA?sO3( zLUxQ7UOp8$?nb~Ogw;dwWqjq@9fxf+1?9WIV|KeJuAf9YYe^pId9d-hCDJC6Uu%YU5Ywm(CP6!PY0MV z8cCR3Y-oz69O|W)pie!`C$^El`yeH&);uJuV$Rt2hqG)VMt@U8gB1F5>ABpkRx%d;sor)S^3R2QHx&6J4-&6nHIis4W&4sdi&H z0c*MO*-{0&uJZxwqr9PJg#pg+*t1#mnx+XM`>^O+hg3w*{hN)j_dy5*ekKH3qT{i% zO^zL6>sc993}Y0;qXxpaOKg{`vx zD@}pQ?0+W1(H&U-%(DM^vi@|<&;RlGS@S;r?;p$l$B*j!Bsv(!a4&0w%ziGZ;LhL_ z{pUOM)JX8@KZjgNVg=uu{M?)T+?)IaO@7qJ*3t2+?G_;a&DL@2&DQqe!BIpG5v*J% zbiO^@oj!Yl!@%PecbJ9CchiHB@ zp;RzanBr$oD9dt;${hVnTgQGeK?7}-FNQ$nf%KDp3ka112;WhBB=2Q*87c~IbA``C zV9$ea+oLI#Yz^YUFbjQv|Hh&Bu-=ST!^RQ*NX8dHaaxqrbXKX3gCfIFAEY|P5e}N6DI+}^4i$7v+V~F^JW=*)L$t$+ ziXmn?05%QDHjc5@YQjHax711S^cJyoJi;Kd zB&;VnHX8N2@*HQz?2x*!+mX00IibUr`3X{q`O5rQrf6 zP~au(>hoxK^`N*I2Df{|`jNsinJM#CbaWYyii@5@(I1lWAn7Tsi!Q37X!D*D%%nII z{08unwUI3woYpv;hlF*utqvQ@cNghdR1_@}95_OiOg_IDabhhbw?Gnr0UakMQ5XN3 zw1JkzlgYRWd+2!kXzTUfyQA-cfC-r<$1Kqp0W@G1brd((4#aATqd`%Y1^l%XENof}+dppQ`tIC82JCt_C!W-GlA#-tX=o{WpvQ zN}K52DjH?>&&DOSVnqg9f0|2r2Nbl$+L zuyo6d8l120{?VZCOZZGl0Fg&7j@@Zln4zZ0#2tp7eE1t%{%}N3`!aTc7fe5VC%G4E zeHH#osL}Do;CIalkSZ@Abv6)Y^McN13Vc58^>}`) zAfi&5`d@@J%877&)NzaiWVoyk1WPVG!``$%a1s2Z`S)iE#cBN?^*oxL@Tto^R`jCD zXOAwpOtz>MN$mbdm=jOsOT89L5MH&dY}8BPGCAn9;JMG!wDikhNe5@8I=)I$jgw~> zqi@oin&-Svbuk22IH#uiT#saS6j&#hCStg>&j!p=v}A=N$BJy6N?ix!t#RxG>f%4R zi&*HxKcI*I&~e46_CMI|o>qzqis3D3sp>3iH@LYSr2_kp68sj0AFNh6+Us%+q0~vX zp9?&VHL=&Cqzl!Sbtu(Eqv!3d)#b(HQ`{f*$b64vFbxbQH<|R3h9!nsT=?7bW^{;a z>dE@kzw_gJk_Z3o@l$?0x*D{j^}nz4(^iI$PyW`FXO2klwE6cZiwoB8l15oVWVO7u z)_mOj`{S>l+08%xdvon?PyYVQ?!({K{?>f*H@hEePo6<@e_MZIcV_L$-yg4k{kN~z zRgcUIlg2}?3__=&vn+YJCdtvcZhcV~3#MvOF~JeC9wsh#K}zfs4&T8EXP3Ss;(r%p zMnM81lk|ayt`hP{B;tn0v@l$Allq1!&kg8^OGa!0=+H4D1eA;zm#|4kEbr~KIn-SY zYy|lH%BLmk9xc(lS-v6K7xT2l`kWa}g~o$nNh`Evyk?rAW=PbXBaUl+EAtUS$24I! z)zeGHzk6WUa7P#K<3bVaM1PYvG(hGVCMz!}$m9n977QqfyK;zf*giBHV&O`I@>;`7 zrhIfY^q`Q4eg+gOQwBwJ1?5nv-0U7H4Z|F;%KLThAgLG@mYdP7a|cs1K$Z8((SU?N zL4mm4o^X$fYELs3RRuU#8wP%c4OPM76^GCJMd|fbqNIZ=m372hMo_HU8cSzRpAOJLB)0;A;nruWR%nsXY{Y9fTyxNgt5f zKEc;PK&;JFaQwC3;PVZR(UJ|)5Pfek6m{&E0THcoAq;(>mjO|#=+EIZkr=(!8MI_{ zgbu5U=bUhZS~ITH=ST;1e8QErzh%+GwRPvO$ItLr6A6kjFQFDj+S{NqD)PertGm3J9Yyvos4M&o+N zM4s8GDl&(w#JJV)B^AEGV1xB$kJVIj2W!tWT29n9O4dx(zW7KU4qJt4FQPhM-t%8A zRtn*y!|Vh(@(<4*f84O&Q91gu-gLj<9tnP+b?<*ss0q9mT>D?n167nVC+#OF2f%+@ zbi-ZK;b)UC4dSF*4_ai#V*i=yai~x7Ptm_^*3& z;eyq#OW-Q>*PXf3aO{_S_4B2{YE8LKV{!8Os*>Xu?m{1}9zMJtYge#Bv9aGA-I3IW zQ{7ua>G2TrD__x8irbjz@wp21ig}1=P&O562q9{$cm011Inoy7k%|>7kJWB(7*A?J zh8L9>>d(w7bb_ub%dMHk>EsR-*Arx3IkT$oqG>s=r=TKaVI9B>Xw>RB%Of z5mt0X3}UVX;`&U8d0esp?9YKreUiH9GqQ^y!kk*`fm%gK$u9piXi;2G4l!EDRD>G4 z=6bMZ9zExOrbTmJuxid{ESvL!b#oqCI5gt+q(y1lC_)gKwQAF(>N4W3I~}xZ4%S?Z zu~e39tE*zqObny4D^-@vgQe$@f`=*wIchf|*WkIGFUCiVU+^SfkVvdwuAeW*E5R?A z6&1`b{i5gjqUS!)&pIQXwB$MrDJO1K=5?fr_4SC9 ze!w!eFUmr|o%)b|Y^b0aCHV*J!W)Zrng{EPAHl;-5?~54HZ~T6P+SLsyg0CpdyF#} znzfDNWQ<`Oac~5me09tFFsOEN6J0dHm=VtO$5O|7#W)O#ue;uk z2V^#jZQ@-{Sz(6LQVNQ_i8syLY3EAN>?JSvOE%SPIYuf4Gb%}%|lq*0K{cWU%c;OIXJx>!$I=MU2 zkzDAw8$@ceEgS3>Ndf6vBco;J;|;X`d>pO3h**cf*=~qiRWVm`R`FJ>ka8<(%nc_t z)M{<#V$G=FBFdwg46aWTm^!ic=gf`qg!V+<8Gv+|)med zv%#_Qb!-hsa20&S3w`D=#d1_tE*Pg|<+EFfI~~0%xiPkkvA1hIdZd>BhBkAZ*(HF? zU?dRF*s@#ChbOd6>h$hm=Nk-fqn*WS%5w}I>QE}A9Z+-yTU(*zGny*a@yf{382pu8 zWh6^E`)6J5l4JGE=0J2OlHciYl-0G=jK5e?J$`Xco-Zx8n9l4z99K6sL|PwCU(Hl> zLmh>6m#n%DidsKN+nA-!$liT;EZLN;!&b5}syB0GM;6v}gK51waGgUGK8ab?BM~1N zyDHYpaG_a8p*H;?`x^dArc;md2O7L&(27qWhR^SouN|@VQsni^r&&OOsiDt2#>qW` zIXXjCos6=MrYpyjX)#d2p>2)SlHjV1^f@?86_w5`2UHjy9B=JK4?E~f_YhTz&ce!J z!l|q#)(2Nvb!O%P5Fgt;$KVLXV zPD!RKb-eh=uI7wZ@kR0msXon49b`v{P_-iUBeV0^n;bc52fBe#SFf2js4QhrF2zoH zhMnstTTwv??kdj;PSQ1HM{}eYxM|>iPmuWU9C$xB)On(1=UdXgOl?2Na5in9xtXz_ zQ{3jzT|O6kJSf)Hv50RUKl&P7DUB;y)WuL>{p&@p_aNL=1pBZO;9nQY{@T5DR)M0h z{t__w(Zu-6&Uv`PpDxLC+5JyNe{TQfi{Agfe!A|*e|_@g$$kFk`}^Ph{qO$%cYpuu z-bte8K!DY|Pv=|^ueB)4^Ss%df1f*QD28j`+A62wmq^h}uaXIyk7x&^gdypYTM&E+$z!9+l)BPL{q{j$WN|d1jX04=XE}u6F<3o0mI>AMKmB%8vrg&asSvc`jPB#L87kPXSR~u3X{@tKCJrtfg=34A=IeVd71! z${O54%?BpWmSvc+%ex~{&!0`wbA9DKTn(M_wt|LP5u+g z@ADWg^5fGa`abUUt_E;5!>7g>J^knOWIC8kDT_}dTzNYNPB3l5g?tZgZnjhdk50G_ zUR$~&q8)@&F5M{*HE7ukFcTRyF$IuG27{oC7)B5|j~FH| zgF#R?7sE7eEr*#?=yDC!{GU@8B1goR5Qbphp{O%dO%z49E3DAMrPj&@@d%b~ag@uO zNLFBOi$l_@aP`U6l_JU4Gwg z9e>|?v-Q(QN#F1~9cL;*cQ`lqS&YfKM?m!PQq_jZg$ordCcW$^#hM?Dhm)$S)^y%= zk~~@TK;J1_T*1m}?FHSDU^@z;mq&|Isb|y&_fGbT5s5nou4kMv7ELo~ zkUTV#THDRB?KWoJ#bynehWjOkI_`JUF%ObzK6(_9Mg)!GclHl<_K)WuyEi9u4Zk?e zxRbq@c7`i1;Hz=Twb*ZtkEAiS`*QSu&yN3hxbk#q_6; zqRq>el$gM+xhdhIE)3iwf~sFZD!8B%kr<~Her05p{%aAg%4_zN-EaiIDy0eM!lNZ7 z$P_a3hasBX4yN=$M@9yA&^ml|u)p_n^c(!#-aFX&X=htOhO#eokbc1}BAxtkA0g)b zaB0fbhFnIvo$}57CO(H7F#CAIOmcQH${_^Q;+LlK`h**%>|~y_Hv7C`^NnoMqC`1g zp#)5P++3&N2iVI3u_^%~CruJ$im-By&eJ>>_$kvyv^&SndNxq-Y75$-Sc6Nn3NbO~}qu=8ZGOLxhCO{Q)wC}NjgP**Io z?cTn|UQAda9ZVB;!GigH4|nMybz3pAaCe@LGq^qXt{O;#W8NLe5X(<;F<-XMXNUEm zH9`UBJ8Xqi`$mge5u?0#ukfj12bC`}hbytOo; zu|E_D8lak>w{|L;c~`_gVgZ;&7AT7VDg{- z5RSIt_)FV=KYRA<>%9Hvx6^92k579$`AnlFsN7#P`4Iq?(p_)eu%MIi)+a1o!}!kQjmPY3yTXh3`i zLa}ZOs(o_BU$-&F@5k-&(0e7PwDXeqvLZWvwVWuh|H1z5@xkG%7V?SF-tJ2@etNZg z7*$qfY%9`0r{bEl!F_q6SOm;L6OiV~*E{qMD6&ibFETiGx@1g&XM1JOYxs{1giQMX z>yAzOMS>_paYcwEKKx+G-W=0?sS?S*nV6K3c!_By3F#c^+-E%d)Yh@+n^C2(jt)M7u_tmBAHlTh=o3y|e`Ux_ncM_y zp=wPktP-@&0Ek{Zc(G-rZ-_F?>1%;RQ#SS41y?X6E=*OHXQs z=nbXbkOgJQ+WdkJJzrgpFabFE`HbSr0T3TeNtjC~<9Gx)9kCjv6DLr_kThb{(ZXHs zMVg{gt&CjJyBUQ$zXxbSXrvntf?y+#Y{w)2$>MyU61CsI5(z8=LH4Nl*5W{fTQl(a8KRU)&v zO2p_OII&pPVQD$%QY&mAcn#Gq-MdGwlD40nM(`gUi|`c>3HV{kSlsG{W={wFM2A@d zeE*mepU@AOt2!}xVNI|Uy^G{*oJ@t`)#TJU81$~xoMEc~)Oa_*>C2sxENHf#Q)}{J zjf7Oh5(uVH0X;(lJ&y`{rVhGP2|bqr|$upo{Kl~g@$}Nms zaylxt5jVz}`J7*8#!QORhkERkpjTExB0emV0c+2D7V1e67kw2yR#akS zQhH(q_@eJ;{Jnsf23^NO>yGJ&P5Bvao#{>G|31wABVd5d`7EibBKQ0R6dx+O(dTg+ z!?_rt0Km#JNDdX&@`r}oL%6*?Lb`~mMDEAo&UdZ-gQIsZf5TrpKOOJvzuI|Kc!~f7 zqz%jq0R+((=XIUAKHybLV>_^$kQL&?%%RvdJtKHgw|nInI9LNm(~iM(B+U+_-N5$s z1Q6Bf02SjfP{d@-$RkWbV6(}K?mofAzIaWVkRu63_Cmsz)Vd~`(MoPSB`-k^9Q{<) z8_9gS8FA`W>&sYwQda|D$$D@jJehXwbaI3&l`T=H$CU997YP89NmUDkfGL9`xeoUa zbIX@b<9LAAYEkz&YhlJm(g#@u>bbVE_R-{VRZAIp3$>J0NfJn^drs zg+L*yFc6f}E_rUJ_9F`b;5r7UNk@c<(Ekq)vyUv7Q`P`hCrIRhCD&mgQ)^<6v9V~U zm~$FN+R?&rm-)u=le!-u*l7mMcZ!>Tj|BDTc~x-{#5xmW%(t{_OF+{{LS8f3N?)*Z<$^|Nl+%zy0yDzuhGFnFR#j-0XyfA%LpGrg(*Ai9~$tenK zyN!gx3O}9;<w5>^z4SJ5VGt(%Mk9*kK*%M~oOO^N~GLM?`p@-1wD$}+}sF(g@Y zg}^NBS!qC(0`Q34;*KVm0gxsD|1wa>dXz_i2o+;giK+S}LS0%e)ORE(y0=ccwRKX_ zMgKIJBvZ77G&=UUjdq~b(0yJ7Z?5H?+L3MT#qINmt0N&S5DUy9CAkmx`M*#kCbhf1 ztkcjOX*C-qZ4~g|CdB3+CBCQ*rs-07JL?`(^YZwZ1V-ZUUnfT9og6imr-hhmXv-J+ zu001OZ_0BWTO)LyTSK?bZZGM{-tN(H7z~}}7L454?Lj((J{=tHgn_98y^VH73@{G? zxt(BjyBjV`V<1>&F&ceAA4(OQ`pda>?&b5yAe!?DXU6%0g2fH}Uf)hO@o>+>*tcK^ zFJDx&lW$HI()`V}Eg05R6cyjLin|NQPr*~<<$4Q_*Ku63GIH9>%3DskP%}ctcIeC_ zwu!Pi=_|t=anJ6E?Z(lNd!)q@Lfrwn^{GPjr~-GVN?lpc>dGd$NDd1+05V*&oFMOo zB`Iu=p(xtwb`n5Y$7Ckaw=AOg4oSKR{;qx7@HlYYon_@mkk%uzXB>FLR+R8jrhQWi z76_JfBS05AgbjE`2!=8mM17>W=Q?$jd1ub;*0OO`U>;^s^6JmYmVB12JL9rROY zkf5hY+DC82{>boMKHijBBVT){mVBfX1$r4Qu=y(431(stOMS*SnVle@bYk!3@~1Yx zN)>=kX6W(9&~cKiU0f$gM=#El%r5R3R~we}aw79ZH&;b;k;Z{Il!%>p&_Ua@L? zc4{B6$v457itsutWuZJ9gCW;|+SERElqBs00S0oKVrOmh4Hn;bbi{D%Nw^6rOn@es z(FHvqM{xB>Oj0Bj15!?w8hYGTO;|_@e&+0hs_~~IGvxe)i_*s;cujL|Exz{a!6evcT_`KVCYzet;%s@ z%hN(vJUf05{c(~0*C+_uccL0C(f@wk{5lu^eeKD!d;RbKGW*}?P1-(#()+_P(fn@) z@`H*s(vv!tm4lHI9>`tB21yIkwJyHL@hx2syd4io<80Ow(Sc1uJhnL6uZBq^@3$TcW?x!VXhIao@s<#GLewu2vFT zM?^0{$ndXbTXZX^PEY9#kf*h=+6u)WHOV5|C z+iFg6|0UYijJylRfnxdp2@J3MhDl!Jm(QUjrKj7BcGh3+erKZP;1Yl)TP^f>qc?e` zdYZ+j35O{Ntw3XkK?@m|a%nhxmQ*gP%VauZVRwa31_}XV0LJ?rc88Mp;+3JL1YxYO zs(C9~D~f3ot>xEs-Q4waEq$n%3w)Zqwm?;+cKWki?|}Vf{*?-$B-Pjnt*j7TFR2+vbm&A}4!9ru*9M@jE`dL9af&%njT9P8 z`zOY*>kUR0!f1YYL&(VoGgdeQ3$ErL?@w_rBSBccB0@ycgGlz$*U$(AicVpp?i;Y) z0N($fy*J-$#7Lt0XWd@%KLW zHSUw$HSMu>Ny5gN4*n%bs@n5jd+jwZSkg0QE862B#iYu5ZR9w~@UG)oCY=_MkNIoE};r+9ipnqI>t| zsSURnhNXBGl~oO1qBxogai&Uu+ec#=w8KEM^ll3ef<6ZZ0F*y}={O&7RI763wNsM= zKT@oXz{KkQdf-H{0~3V9d5`8CO8Dn>!*WHj+kxF7!;UH|J1and+2J`93C1^QXxQ%x z!(s|j9{52I(~l##lLDZ_hE3BHv1IOKX#%`Jg398`(WbNdOc1i4Zr;$WYmcA2H~K=K zW8ztA2FWl+Is}S(QVS{+3k&UcP=j%i9Sg_c;W@%`a3vy*Yxb6KSjJCAmWwgfOwg02 zO2&}^PySH}j>#|xE>-A}>=UcTe9W1XH`{yEh&Fj45j_itt)QK*N?a7dJyHZKNj_6= z(5xtpz0ex>`*vwqsfe!oL*wXp_h8?u?UImY z(*L|~6*7b%Phiz5cs{A%O3e?uVsI&&ji~TiymIy%X`<<_ms&7hEH~Z~=b-kwTya~<~cf~(T>4j?h!J?)$Fw}2&=7LBP1FvM*LQkq^xw5{m!Gy z6obpK>JjyovJ6^5c&C8%c`>E|(Y!ezhQdGV^iP4)VL=yX2ttE@rLnHm3h996=K^>T zX0eSH)uNe|t6YdPZ{UQA?%j)&C52Bpk;6eU9`z}ZuCc7}s3=mEt<2B)q~)}h$Gsdb zpL9yQmPx7JTY)(Tp?Z5gH^<)}JlHTrOWU%)riL^$&(P4(l-kyd zVpqiG@Wxujd8~<16?VuvOogE|NyLuodpeJfX1-!uBq*z}B0T~dL!qU6qlrX`O~7I- zPozGGD`1%+zeszn!DvW?w1~KnEV-b-?NDjd?^G$S=shk7NNPn95q$B7Nrw;R}#WcA|p?xAsn^5jB-j}t?W!f_S(I2hm*A76b_o!1RgR$hQ>JXauCy5XvMvJ z;!2m;h14t|UC~YkosjmAF{PMgFk|o8hxAJ2m?SDjWpfifKaLCr_AYy`?R_~qSBYE| z$N=ebzi~o^paXGWS~B8!YImuZjw(vZ8u|5i54We)&j!u%`fpB-r_~>i^78tJyF1hB z53*LpmJ%1k&#TmT7G{S#k=ESFcvk>7C)RNEGuk$7qTHoYajM%`MUnM7_!&QDGVwN# z+Fv>Un<&7RZ^|^{>Ep*`@!!Z?Lfd~lefqbR)rXIsKK@(u_}2d8ci(>?CiC$rP%lg8 zUn~CK%IcHHp8e0`$4_tVe}0pH#=@X+a{T5wa)qxf69elZ5(F9=A~CmHU}j)Ycf>{u zqyC4~D7~2$K(kn}Qn*FCf5P+M{95P#F&y{e`M=Ho`5W5*ZS`71N^iBOEXi8^l=DE7 zQI&=QvKPzyq}2n~uZ>n_lm}$I4K>M_>U=aBtS>JEPqQ>`;=`r>@NAjiFQX0AGJRv~ z9~-{d!Iy4L>(5jgE4?S$rcOP(2AM=T{(EKa1>=DsAarGbncv8o|PwDSJ$SU#C zlt?1j3@Iu|?uTJXlHtfU8rzQccuAzkp0=(#y^7v+hFSAG+8L&(7mmJd@t5zKS7*I3 zd00K8u{@D}ye2=xZZY~IyT#}W?G~dOv0E%ziECRfMqg~X7~O>BVsw4W#pnji7NfA) zqPMUUY!|VK@(4T8<9|daDJ)tV9ik^gJvts^0}mgr*k+5^2wE<#qUGXK3a%5;IiA^i za9&G#n&-pbxZ`BbQqF=Xk}%3CPUZtVu|(-WF)E3DpoMCLbVpQ^w^_Ry-H{?Sdh&~o zn4xQ`Y*=~pKuHgy9Gk#WpHw%<`&Lz@n#wm8LRPJaaT*1*KZE1#DB4_Q>i4C&shl5l8r9 zpy3oC9op3czF)szb6TOXU^_Hi)dUX_V=km!XvAq@^M0MXSd7$D0%4qhswawS8oh1{ zE2+LuhGg-=Fv^*@WZiSvyU}F|o8&A3N@gATPmlIR$x4& zY?$i2^t?$$BJ9Myl|Jt9qDKEz4<1CT(Yoj?_1p;Vu&g}>didahHuj`v8v4v$Y3L(3 z<+`8LCR(F52VIkNf`HI8Nu64nh?$1!&>Vo`P>TZ%4bw3=y=AxlRPjGKw$0bh|FE|D z^vOyg|HGrFxBTC2{LkC?pSSTp|B&%NuMzCCH~RCXYcLPcWg88O0V zFx>KzBPrRrm>j=!Mao^AO)j^pdOpv316Z;0l50}3og=K4mwTwop>1b*xkpm&f7>d>zA5cUVA;`9oE`SS?oE4Z#feLClp&RU3nb6^dyZ6KEs7lx3;`3!5Uevkh z*4FKQ`DAbI{ot)Sx{F`~oeMS(;{p@I!pgtuj+kM37G^ca)q|jP^M{uKFBR>%})#1tE=XF@J3)|`7JUV*5Q`ibX3AM=C3&AFv zP}Oi28*ch>^r+@`gxBEa@$SDG@7}yGb_9qo=MbU&_AFgtYZ11Fv5)|lMsK3(>GKcY zcVC~q9G%pzH`>*gb#0uCjjczoYoC)kDj1mgCh|vpy?BGqtsr{{D74=t0r}ca{5~tV zX|VLjju@!!tCF%SR#`^;WhGawk{4%_O0L=c3$86I`_L*YFke#gkyDbOkep#+{!vwS z`fjbqRxLUHWgR@Rio&&8R_v)&Owe;#(Qn+M;dS^lA>`CGSq}s?D}43C_jL|Z1-%Ti zRy>N}uZiT~z=s=O3d&J1s^N#KvSfxwZ0%Xak<~7f3|78BjNv)G+proS15R;@!yQtc zP~f?$*YO6sq+w7nC@#aL2b6}mvUpxm57ypmXB>2DOq&-HDvM0(p_CH?3=51&r*k)t zpp|+gQNQQn$N3rfHjS(B?j(>601~4?D_c$g`6z+3A)&?ev=;-~zeGnyG}WD;g9V zFNiN#vYP8bB&bsFjUYt*TcJH~a*DXFYkHUFXGqfEEEk_65%C4nn_&~&=_$OX=Ofsw zFdbEpXQ6Oh$s}+XpFat}-q)LipnGr3>JrHE&=9ec@*#!{({Cn)03jLlx5>%tW>Ri} zb|*Q@?NEZZsVJ|LijwX=9b8;pLUshntwJ-Qa z{3^Ok5E#7ttSE9%gmIrC?!Gz+{$Q2Ysy+;b*%*IT|CM!rIt!ssl2ykdN-OcWmy^58 zy!N8;Z$}*=eDd1+v$9TjcvjXS_h)5~5QTH%4EchCtCBO}<#|f+7EnwyMvmbOl?o`i zN#y7glSTo|w3p$8F}nA7V2t`=w6DcLL$abXH+3h=V;XR*#N=2iRLufqAbc{`!|T~v zk|&HwA)?emGt)B&1QJkKTVtMzL+MPOq6$d5A7DGFL6ldz3L^OPY(iq=J9l`p|t)Ra0e>b)YN5V~nD@L)Xzr~C+ zQ>D+>g^n*qQ-Tq}|2BPbp~IHh^_X6F>s_2#^)AkW^)xHs)U@OxenC6d_JsL6ME&ow zl0y8OiNS*#CopTHfV4;c$=tT!{z8#7$N6DSUwj&cZBEU$=k z(%v04woV%Hf4|vnoNQS6cNlv+xo$LtR~)TiENZy!1_G!}z8(w_O1D?j3c7bg`KV`1 zM?J~@3*|{S5dM3b|IgEvHQ)c|;nUmr-~a34f8R#+zK!aA8`XQV-C5AcECV8^^ViKX zjn~lEFeH;UR4|+wjL5ES2u1;2%B_iVWoMOjQ#g>*47|RI*%7X8Wfr3%n#<<#3D8Zp z2@%$h@DFRpfc6>@yWsA zVPmHrk^9Q-{>yrF^k#pbzR)}TR#tiI`GM4Vanxx1OTHcatFd2?PF`)jZR|K^OT4?A zC$A3xIl@F*&Io0V06=?ZX=%RXYotp4V&%L!6rZJ{pIed{tM(RGzqZ~!x0Jd919k|% z395J*=_b%3{f-^HZL2NfY};9OrEY;@>O-F&=&=|19AROFY2{Y>K?NbSGyM65Rg#U+MoRAvM2P z1T@9}52Zf7|KFp>Yq#>BTlvqe{O4Bwb1VOuoWd>Oipb&Ur@JTiQlMSZ(Q@WJA6&LP znGmo!t*C;N4b83=EE(W zn2Y0?@y zs;Ng$eTPsuwI9ZV7;TZ9j#wN}k9b8F#$-}$&mNaAZs%^uB0%sMF3Em|%^;R=p0P=f zZCY;PH$$6b(!JrQ_C`RUS0S%hye(ruF1Uo0YF*k0hzL2H8WqhyL$GO$}Zq1drmG^P;#opG-<1&dSNmmJG zplw#9qjMw=WxcG{>w`D@C-vxXcc&h`IXT8L!5w>**p#vhm1bX2x-5aN%~uDLnUK94jXfav^boh5yDjm7+kEIoT9NRk}I-4vd$zM zOh@9)wb;TDFpNv)G5U^XP1RPP3=Fl1+4O<=F@Wb+jl9N2$Ly~72XPgfTWaYQp%*JRDu(uO>B0z!=$s6$rirMP zB}(Y3Qu1fZ=Y&doIXXDugDcn`Qx}qj$J}Uih27(}@Cx&rF_Lql6RbQyZu76K88}oy znX6Ss6=Yp-mpK)eSof&~GpR`Ks3$CMJO1goAPl4y$hZ;pooKrv$iz{NjdZ``@;{(kiwef{Vwq~cz=EnWCMH_)+QE7>`)Q;bzy87 zMu8lli+j$YQ*M-cgVUrqqE}l#G~(mNiNezOf;gpk|0uS)(2D}(KKg@K{Q~uf|1x#> zceYp6$#C}%0Jhw0xQf%_lB#uUiQV?7u&WH3iSAUHHG&Q!ruG^TdaW3+Zf}HF*)XqK zZ75XW9AVW4;K5E|7^X5H0(ul~M7h^6BjGvUU4uy0K97{y6&=AbUC4W*Vj3iQe%Xo! zmnjCX^PVoyR)+Z#GJHvC|FU6q$kYe#rE=p`lEJTiBez;)J)#fJ!3ByI|I z0su_F>Q&?8ZH#<=_%=R@(Wx2-ue39|v`W`zs;{oBJ(30uvXj?ZxdXpLgCMI&0A=W1 zt!L%#xI(Lnd$r0q5l%ll4j`UhT#N?k@Eq7xe2_~jU-Xvg`Gv9lZdU*@Tjsm<+%(%yNNmJ{s=Q;4)^0`BOxRTz+wv0U>=@#TtLW zWymPqA%c$Zt24}>(+^vPe1Ezd<#`c103eh14-=c+g0XoPgVk{@g{T8wbeW^kgeY@xq!`mem*ftciCMj0}ljxI-~YYKoCc2IEd5 zQNqW7b~UlAqi~X|hMuu_!&Fo`=;B3u@I7HH84LQ~I0aUoK3%a!aG9cP{Jw0F?vZwY zk_e%=`4W~I`}F4r1<9|$ZodKq4|~O_e0I-uLL`yP*+g(c#JYF zlt^cz`#Bl|wHC?K6Qib!+H}1ZUJPa|Ca;Gsv-0GLUJ^ZRl5;De_n@C=A5~i8i0Vc8 zcrd_(!J&oGO?y457lrh_0V$1@Kb7Qjz0s3Lu?XBasaZkJw_v_1>bfBJBQ>^^qI`4t zB-x!?+7s(3yL|ngc>#Uv;82k|gjIoKib$r5_m0GNraQ;vDa7rKdwq;UU3I!7`66IP zHF53fqaL_v3HgpKX9lpJNQB113N$-?N_p#d%5USTDtEgo(`fgi?Y)EjM!es6yMJ8c zG=%Odx&*vRo~KbtZDW?UF}D~t?(BW(N^>Zi0#?1tE;vpt9A-Sh2qJA> zuy;GTAL<<4p>DA7y2{WeRjey>wQ#?Lg|a~rLN-c=nB^SqZj2tjA-vW&j!qgg!5!-4gj-GjgUCg3yGbIAXGS6Va z(pHWlYbD=hS?Sjpth!cI0T-(~<9ro;t6o?`6tVqR9O8apgx;0vjPtb_9O)OnbZFYL z&Z2lUzFHFc0Ylm|p-}}cqw!)VhVeIkY;0?SrC4S1jVq3TF8NX-$(%^Gz}1UaALkh` zvTGFk6DsXsHU^Rjdcy7Hd260RPud7z!+y`~v3iZ%F?P&6CsFda21W3LdDpz2w3OLh zc&9fd9&>=kDdCg0K>#n-C%|FFmdw=O0STx zi&lT`Rie5LhIJIla9jy5qdAHI@#`~`%z05HR2O7oMtd^(0D5f2lEYO@usY@mk$q7N zM3bykb$2JmAd>MLRE!RA5E4@V67kuSl^6Xmu?J6zru+EIvc6)P@og-r)i)BXm+h z`_TaBiYO<%!l-zLlRH9XkOXNHi7CESFEo8sp^WEqTA3{a+VDoCf`#c(Y+6C&2$7tQ z+wayMKY7oi_fI-WPvJEk^a`B`=_7ogp(rm(n5&~#NEUVm)k=mT^W<+Q>wUma4lz*S zFzq}ijCGWbddT|HXcYbfgVqkjd9#- zlJ(JP+DtGqR5p@SLOEqL!wh4XgOX(kw_Xfi#r{7TjR1Xp_542%SBv)lYf${w{{PQp z|G&C&YyW?1|9@-$|3|R@|3W+btluoOh*tQcqV82+v+oH`RQ3Fonp>E z(QcnR|5{Nh$QG?1=Xg%j7!T={%6Pg!zkuly!FC+J!;-gKahAt} z(N)0C+)PN)IK@ir?I``#LvO;s!Cau`J2u|Ox^;9KK||s`d(6fIzf1CDQ^A@O(sQv>8a)bpf%iIV@NLJs7Mu(E*$ zfoSB;as5imtXgF*l5*FB$17`G61c&M1@B+ToZ+}E0@Rlm+*6Cg?&?!gdwmt}0*3n; zBD%a=TvXlzIww>^R4J4pTFdH`kHI1wppnp2hCNlb?_V6!g(9#ApnLQ1X!nQRy~fK% zse1xOeO5K?s0Wym7>xv|$9}G|5|=e&ZX7grL1MGjM}rz(iYqUk!f9zcdMH3g9vt0g z&x!SDd+V?sZNEG^c*Cia_l{pjRm9h)8DPLH%}WE$G|z_p@qj7~Q@pl`InEKjaBL$W zjXGB~Horl(ny1+GsoMQcr+!a*X^=J-ZQ}IJd_#iz#a!tA9F87u49?N) z?KJ4FBjbTEf!t5pMk>AxI%YUPx=UCz_pf0nL~a(Vl2Y4{865Njp7j;rh|`4q%hT6Qy`i?U_NP9=eWR!x6UgDU_ZJvnT~ZI(Yp$c-%}_a&njB!80t%O_rEfj71~aGFQk(f#!Tmq%*t$Ss%9sEQn=#6!Xu z^t2u^k_C>7onNP*X;p^xHbG$^aGi}MRg1pQnLi(P0xUAND>_crG(RBhDdY=S+?0T0 zA#8~Ebkb(9vfm{WNKHR+-wA}vH{Mwf;OEvOG$_!go7yj9)3^5;TSv^N7aCfnhV%t8 zu^q$i7n)f!%^*6ntP(;pn0tns$0@t4y@84uwD|1T$T7t#Gl9~Dbr2_v4c0&pO^GYM z^2qkw#E5ynLjt5(@+dMw4&~!355oB6!ZEVNl_E_d|18J6JJd$d-)=#_LQ<@{p`W~? zR^D%LYY!eMkA%yVrP*w|PKGt3R9iuF*UvW1FoEM1`*$@wL|6LlW>l3*53t;F^l**8 zEx}JJ|bzHEX-FV`C`GU)U^fU!V!v_>C}7m54}H0M9H3n(C^0e6q8< zA0rvCe_;2>K2v_tgEuELmxUuZp{(n@IHuiVW@rDeh^~Kt*u6eWg<#<#w49c$#syk|s zEHXYkI@pdWkOH?FBKfB@d~Y-QKh-d+pghB@Yq)m3ah^1eUhnR2Q9>ZEmL2Zw3;ttzkegq0?svLL?9EqiG43{P50{NTG$ks8s#~1Otv1FCI#kyB)8-GHX zrVu_-w%-d2HP0I$kULHh_uQ8^X1W%X{d@^s5^76_zX>*{nBTKLQWN8mokY)_YfUpq zaAHJ;Dmm(;>EXDiE??l1%s01Z^yg=TM#+0Oy-|{ovOD^O=4|$B-k#CCZFz0kVxsfG zXq;E4*T+|HcV8d|XzUPok0lfh^cJ6E-h?;D^bTr3z4g*uQmUh8V$Dj}g&M1EI8mhS z)ZMqnm49;kPjRgK%JH99A3iSR|9bT3HviXc{O4Qy&s+P?Tl>#x_MgF&U|(hcN}hQ) zZUB0d8N_}oyH2?RzlLF_3eAjlE~+K`etoutWWKu^&){-U6|5IiX|)v4UmcO3^w?Z6JtpPpq3;L5m6L0#0_V z$7V7moMKH_2#@PT$PLx-O#)_7|0}C9!QS6De%kzDYcJZ$(b74>uPnT=>T4?wDC|T& z&RU!3G%f#>DW+O0T3LKA;dnzcIKy_}sBFHR($34$cD~S_;SUz1cZxB?HNv*eqNTKT z{DyxQ`vZm$3@cl`C+In>hqWY(Ry~T_qbk-W#r~z>Q%O6GF(5!8`0p%ngwJMZ>uk2R z9E5A-=tEQ(_wsj$;P#L4<@=KLbg*xE3-EG!3xJBtTY#6-TL8RV-U7UQAJSb<&@z6> z_3s8{(q7hfxK+{rHv8QH95<+1hhGB;Qc8hQDK6^9yb)<(7+V27po+UF+rnF8NectI zE#)GudJ2f5{P?D31ac~v^o(<0JVx<<#(iLHRPad_lU`$ElzyFF=+#^pjPA(8U*M z09Eb3uHsM4@QambB@taXDvHx`#pq(V_di1VL`!h~du!6%p*U(Xbp<-B&BP40Ss*%l z{Scjo=IPC0lAr6O4%~Ago`A>#cIP7NexyDOvT?G714V%pwt* zCUmse==oxPD;kc#Q6b>QlyDn%3xOy)RW?4VdBHdAaj5AuDS~700>Klx#LS)wMeIy# z(w>}s@zl<~`qa*@H?=z^NGQ<}Eg&Q;6y2=(TitYN)IvlLgjuq7vc^ksXknDAbw}&x zf>Z#VQEr)@vcjh04$+W5YGtY6MsvK-IAa-0gp>ROlxT7Ikh!@JS*L@6-QJ?k_;~lFHwd2HL=BmR zVN)N`X5KF)9;<-=PBHGKPB+z+bj6n%9q-` zeDqzjx6~g0I~(QWCAbW4^*XnDom;)mbiGbUiPOot*(jeuu@hF}1oSeWqk&mkT897R z=Q4#zi?eppY7PDP8zrimQ1Z-c>0tO8@>MXzF=xmGOY}6y#2M_13Pf4f!h4 zcb?5`!gpBZUt7RY?=*g}1@IEKPkfWb3lzRVF|x28a=6!G@#zxs>x+|>3*1-m zjJrO_ps+`N+0hm$%HaeXcPvOWW@Wl9=D>=TC?Mq=vS>jMcS{^2*s5#+IFP|^dkYHb zR7sj+C1E$Z#q`KnjDs6iN`(X**Ma(VeC#WB;Qz%{V|)vA_RC>%N>HNw*Y!AalZ1$; za+Z!{Hr0FXYybd(H@R2Et*QM&^1V-`qddc0kERnV16*)`yA)ItFRdX(zoi?|8zV^z zorQGAw-H${@5nMoP6hL0@fplAHc|M+f_2zyb_dl$F#1&OGnGU)g;U9m znn%Naf5hII7s}**;tJjROL5#Wqix-13W@!D2~>gi|Dy<0 z^-vsvDqMVUEP5D!+H*TFEZ<#9>4V`iq^Rd@U^O2Un|>Rux$;_+p{%oPmIb3{88Ro; zL)exab6BRBoEPaJ4vJ8#g!%zQ5wu%ZsKbA``hFukx`znO3d=w()qpYWwq80-uDv%d z35?JQdsX08t7zm6j})%ff-Q&MFt~12r(v}%$!*faz8uu399fsC+iD4s9QXRINmZ5f z^A6{DE%o_rwGb4P_mXMMhJ^yGu|Ti5L_ooQ))FDi0ve+03Lw^9FD7|EZ@tj{=|#_n$r#ClZ=34T(kVas z4j6;ZY5(I=e|YxH5pwEyL)R4cili6YnJnxrkvwWqEs*LtwlcH8w`}--J{c`GFky*q zKsZ~{GKpldDI=AYg`7nyTNKG+Q=c!DUHXl}Edx*5ANZE>q--n*Z;`DnN_2ap8#Ukm z(m>5wH~o5+`?H9HVLyk-SsH7xa7a?@gMOc4|__)NMepI3W1@xQyo5I{GtUPaMkMX ztu)u>dkZ2d)xXDsK|0jGFf~gnGrv3iOMGidILAGSuuL)=>=rGJV@XiHvf;_DX|xNv zoDn15gqy>4T@O%1c}c8nsiFTq8~Rg86epCI9H^4RRGKUaP7FozUNQi*HwqQXRUr(M zh(TC;tx&NSs@PQbiKvne&eJX;&rqpUl_CfI^7(aDxznWi0g!;4nDPqG^+YI?(9{sd z5yejiWSoSCxnmb9Tj1~QLfs@7A^No{!>OhNB}S7%B`+^Xyv`5l6-jiRINS_*9O?iI zC{TN6A7*@3In8>MWapiAuIUBviNj8Eh41iae6IdSbU%n;jOGV5K0QAs^I;^SviH&A zek3OXo)02{`SHo-VzNqAReeWV3M*n*Wz7^+Hg;j-1&V(6-u~VLOiRUoE8HfJ0 z!X7zMRbsW)oY>$Bb4LDn%o~3px>%8Mgx52roa(c&7#DE!Zq>#9BPt6Gs{RGQe31n0 zu(4(D;2h*5`X=Lij^lLC)+Xi%^v+vE1VsU4q>&LeLYUMW;-G^ehXbpG3Ad7ns!W?^ zRmYD$K;8`~*%8O*rO>z-9lWK`VlH1qZXfhSjv@-VPdojlPE&`o zb{^(>BHQ zQik0JCOYc{AaOBrP@WyCT-_cxOg=;0a{q&3pQMe~YB+G6M#15{-r7ci;Si%wO&w7{ zoqt`OewjMo^9v(`%S}!U>pFdHMyvQhDXvJ_M>PnH^@HNY%fu_nzTsQdd59z}U_gf& zUI2=m(&$kLbDKQJKW+k)?uU4Y@!0woofz;$UiIl^zj3?mQZl)=5g<>nY>aq7LNDUi zI$J6v7@P^!eSSqWLq?(Pz0*QvV`uQEoWvCyisCXG9?aF*K5Te+mZ> zR}EG{C7tEdT<4Xg-Nrwv1@S`?ujRl1V~v|ihdQq_AeOFh-R{V$peIn$IbWhPE>cMw zINkCVyk)VLltvj`AB;LlvNPQ5T;=IOn)i^&GdHeDCD&$X+N zpj2qagJI&ea}^8#8caW;UqXfnLo>ml0Pre~u5Vp|ejXu{3RdNn8*EIm*qFs+W2()@ zM5B$FtTrZ?ZP-hx_4OvwrPjaxhOsVXFph14UUp&f?%j*-=)o}Iuo>+%j!%vbesT>L za0rAvU_~#`J0&UbWmcZ`&}#VI9Pe)(+VJ9ck0xVws6ozjkF}0p9h~@92a0eksfKaL zaj>CkK;TWN1ytVF&d$+BUgEh0{gm_{6&d zvTU5mXg8x+ArS>MB_IC`t|(lmD0}b#okqq02R)dnPrCXi2GGzgS*=^qIR4!SCZVznsNZ3<7HW0? z5nC+5sbG*r<-8ljr1}-`ea%8ey7S^9PLynzb%Q5V!YrEMKPbFEC(D3K*v{lJ4ZgX! z*eO;b&8?D}6`*3Xt`62_T>xdX&Wy<>e6Q4^2lGneu!h*5TY_%$VG~|j4^Ro>KH<}8 zwP0Q;pu}5+6K$C3clq*xl7@0ouWPQoVbND!6|Cb*(cwihpfK&bxtTb8S5t?t*5vt^ z^IQS@@)YTddO&T^H~Z*K_Q%J0c~+B_nQ6&}qE;`wqv#S8u|!_d<<{%a?@A@G@JKXe zL%n=r9wqWb zxe&0ave-3-OZIcG1jux1Xk$W3rt3*{XB6jJQe1Nr3?!9-x;K%e#dVsA#+2Ja$6kuq z#JjFVsM_~PdK+~I@#(mYRKN7IF=aDvB9Y9b^aA1RXgYJ1MP<>(dq_gfqDaEUih7Ge zgqv?0KY?g-DKUp+Q@z(p3O3KX{gySxm8VZvY&jH5#MzkNG#1KGHgD)p5%sC!1{vG) z6m-nKCxOFgH|DR9CDo@F{`sVb3S9&aXeiMb)gb{mPhCMhUJ{mYTyM_g5!yiq@2I8> z3P!9y>;oeY%;CTbfrBFqgu%hb5()>EmMHODR0d4C1MHHJxAP5zU%(qN6USDEbnY2C*=C)4%sTT3n16N$B&>8#vC<{Pw@bCSB>Y6u z<;x(ACcQ*WR_c*W5fo{JYl4~TJ-JA=D3W`|8P_Ilk0XvHL4J)6EaBVAHbD|OS0%Za zF7?~+6SeBWL(3@5M*}1yFYiTPLuh}Ey22J}^ z&wv_%oq$o1-@PhYSz)vw^gj4O69W~^)CF^iJTgij9e5mpFBCZFn&No4E< z?LBIsZY|K5Sz=G~=(HgQh{gJWiq3-q87OJUrG%je)e}VwI?5BPrXmtU*>FixZZ^;} z8KI>wa6cuq!50z-bm#V1D6nDuCYgu*K#4r;XDt1)pI9;?g_sQGginiJ3v(fdhfg;Z zO5Cvk@ujtny@z=jiaEY-1rj&>NHCK4z%45B+F;QmtEkx8G5nXsCwGdX{<>K3MM-q@ zm15Cr1X53n-OITzmhDnmv*z$2v!}>8zLAbL&oL(dL>OA8IJ1O5f3CxyD?fIUMHpWI zi)FM!v%pWwWuTo`HuOZ*p)cFMk-aEl_{i~CCMDMv3))Q#j1%*ZDlbtWK>UtXQJcsH zcj$Ysq=0CkhEypuMOc$UmODBmRi4N|MJFp&72;X19bOeiX;3Xj z7}XjX-MO?ug*Pd`IHtVEUD(7?P*@}p{!ST^p|1^#Um&O)g4r)=&v_6 zrxu-K++MSf@a%Qjwf8kQh_7Nk8z0FUEbXLxr)E77PvnENnYAUHFf)*r4VVxL9z?5m z)*4UTZm&FR8`SO_J%$HYrhSeo1>A#W%pIuQpHR70IF%(TQni#?L25HqM%UqTB-d)F z$e>)`t~F@TifEXvfUBA!y2Gg?B#@mDKHBxRdQbPk&E9ic6mA}G6(cv=@0^I#r+n&mdUhGp+(Uxv50VBi)6zfJNq2%kRSI)2UQQEC@ zgo*aJN6ri!CYprr33i4_ABdL5ny#NhZn^(u>?JiuuO)GNfCU|)BSQ2%W$EZ;D(hR) zuxZWrBURxz#z=6(WR}xWb6NY0ktu3Zgu<=yP&-tRWEgtNTKGt!jwmY(O2;bRmz^uh zU*4iHTcc#9g3G0xC$;z8dDd#By`|_?+QUe?)|9a=J!|sSptbI_s99wbYI%P+hShak z8JIdNNN_i>J(^XY$1FZ46jMcFi=3w9H^|{ra_xtXoro7L)l5Go%@GAtNzapu48v(ak?>_=;t! zRe-qx6f1Qt!>?>v5QwpM`shS)np)Zb<)d?XE`ex_2B1>nrvsaXE;??gF*@`XDd#CE z937}+iMJmWIA)8s4NP5EBNELb&^%qM)n?t%@amxi1Bm|qOX!#^DP6Su)T(^_q=K4O z616Xi!X94&N?l(5c?Hfw^bnf0wZ)D}Q9%Lh4QSrC7f@x5Q4v~u7RFGI_`FzR)tO9y z3f*@}JT&g2Bzk3KZ4Fy$Qz*y}IhhdHs$?z(RaAda($=Ng4by83@Fa-OckKw7BUoZaO>XWByPrdkmk5?bv#{c^b^S}7P{~kpr zS9r9xF#KK)SJJm5{JoUO@9*G3?Dv4p=uncErEnYDs!+5yYTX70ybTWcmk$p3W$9VM z;rM>*;CohtJy{1#e|vb;*m?8%Fy7fcimLbkmhfeR9Nogf^z_}~CvN$opmJ^-k|U(* zgqRDZ%H42MfS9qB**ACkxHaw$ydWd+7@s;Lk)7bs5k&3A?8kH6Sbr5W)kX3iDT_uY zf#xdQ=OTAnUVKZ6<7!O^=U0)n3l+JLBC?F3B10)MHQ3*5Q3HvI!?g~T8JIFyWa4Uh z=X65cye~^(WHxVl8Y3rOo33XaL5>n4tDXCS-0;>KW_0MBclUFZp#Y8b`O1K+_ya|+ z2OjrQS|sTiM)u;yvXNgeL75(>YNNQPHyS-|$Whx^re*&-l4pJe3Si})jZMV3ZnQGA zOXdE|f~pxVUSJaf-%g*69$Cw%S8$TX7*9jR&f3Cy&N18MP<4lBc0&1$p#m3(xB%DO zHiHmN*t!#h4vwN9O6(Y)xnk0!jay(Qgm4Wt?~gvFO89Q#6(vyk~1oAJ1mf>DG!t{rZnX;x2LY|G={?Imp&%1vvYtn9G@Po+tlD%BMWWIto(@`lO#LCGXjG*Hg+0@FOwOfA|v+@&OHv}?WejCHaos^Pc`IG#@S0mc?B z*g#gZNpSduZ7gXAHa|uDwha!B-$4N|0s!D78}#6QW;T0f=)XaLD}}BAB+dj+AvjR5 za@06JIXG&Rf<$Ovjx@t_-90HezcXyr#2q4K*A!%v;R?GcHSv~f3wE1@{EzC z>dj5%nYGwvwU|>3kw0$RI5+Osp>B#3k&u*Oe$Aq~=n|I{f*}3~-@oNkeOW zlhy{)Hxp&UmeGMM>nuhG*i6Ch;0ufn$mT$s9K@)d+uw^{8H)q+C}dSI&!_cG&bHPF zrb%?x@3%N{is-&5G|U+;2P||i9l~AP z5At?@@AdJ^_~pUD4wtE}E$9k0uha?LQPo~IKdVJm#U>7c=pSJSYIr0L0`Qdzq1`H1 z+}hiHxnJd{i_dx;_(UHLOaN_q*ot?yPPVGO1e=nUs^l~SpZN3v6?(OEwAa}8YVJ3F zJi(w@M^zk6p#hApLC?7f9u7Xi!6ZBswG%S0UMD^W6x0DQT<5bXzYx6D4&?pjhZLE4 z+B&W|W)M?m!DJWD;K~_r?3w_#?KEm$0ijDuK=SmsQWiaaVYb*;85OX^ckLDr&NEjv z`F89Es79XthpXi1A<%247-07_EmX09EBX!ru*22RUrS}9p?8Bc9r7#uX1!XTFD|9n z)RQ?qF|z4@44a3e#OiUc6H$-hSJ=&lq>6Jk44_K(%A17Q8Sz?B&$HZGRQO7(&b|zE zr{t64@1>KpEgxI(~8?43~Sgoe$q6ZDaIKv-vZ75^T(A(<(zf z5`_S&pYt(gRj8B2d>`qH%Pdc6@hKR$wR+X!(OHl$tXNc|sudQWfF z!x3Y;!dZA?z9L*Vq+yay)(R}UwcJ5OW9FV;Yw|2bE1!LFzQg7P%vOkr!097RJC5-~ zI_v?VO7q<%H>L4FCpUwY;MsJO9_3^^*I0mj+}nk1mi9kmZ3K0!7YF+V3kSq@%IXQpv$mdpqfH z`CG6wc|#MzzkrJayDAe5?5n=0MRuf|Go=RAhKXIecZ*+{yc!wb$YPB>>+Tfn0Z9!Mhj@;!Gj|88ImR0v`1Y*FRLqEd zWBbA57ooKgv&Rm>6(;cbZblj+ZSf{TWiG0liR_e)+&NRkGR#RMJVjHgL1q#;-T=OE zR;e1m3VhS!_+6J)u2Ed?({a0vfGg|GKb23dc#)?TUuly>Y9W8CMMq!P0^!Uf=1qY? z3ZG)-57h-ecd@yFDT~d%aJ=HoM&f8$V+%wteiRpf{BTXJd=HyS&&t?=ue!w2vkTZ} zKwlY_VG*VQGJYdkKCpzVPyPr?sDtaRK3P1?4CfJjN8i@fb5on*ZqduHy}qkYrme3Y zeSY2_mM%4~0dUl~)ZQ|9sNpMu=;tm2wmW$p+!>#yXIT%f!5onKdPKiuDmm%fZU~&9 zDE8n@+ncAdr{&Su`0o@c31ly^IQ+(u1HmTac9?V}bn_>7okcNCuSaRG^|=eeucaN; zhMAZ*d&{Dj=0oV!9Zh%+-o*Xspg>Xc2kTZe?E+N^#H^V^8v{*@9I69Fup+UklLYw6C$GJMU{*CW3EKJuG@)bx2IeSMDUh2W!I87;-f@b}A!KfivG%B|g z9YB*kC2+M*sutMD77f!u=j!t}VrlZysg(&Y;gPJ$u;1^}fbfV2vrD(V1l2(W7mlM$ zfG`bl!m6!fsEjiJV{FFjg~R7KBbfwW3|ms8#Z_SJ2vG*x$|C6L2eGY=bmK!6DR0+V zhnr{z77LwZ0?~pBJ!#n2dW%% zm8X-cybaZPJNNJ#Q%T;_65{%8?H}wzx!2KZ1nBPDXbW)ARTq7!^~#|Q$p zDghceoSt*!;;MXfFoll<7iVQdoBR~G`o2i<)H0zTOPk_5j-`aLG;NbdfLZ_@)fQ^8 zy$G%7&!@u-K!H9YTL%7lK#Fe;!Z$l2w5uk2G*K zBHf}2wuW5OqT$GeSaRf%KR1Oh?~xl8S`y7u8?a<4iW`0&IKfrV0JQ0w-W!=%lmwY`g>=sBz-@N?qD?-54!7Ug5OfQT4PBZZ<7@R-&XPh-Z0LL%-cQQfitEkTI zw(~)h4Q($GE|Cm%JSp~er2*bgB|dSLAxgH9f)69mnvkqbI~N|ktJN7Mnh|xwp)zGz zmKERZqwEDrw+@FNhidCrWxu>Q!jiSm#at)J2Rh#A$BZQayFf(0=OL7Zo$+1J7c)H! zrEDW9yq1xKJ5HfXKC9@ZM+6M^KuuI(dMgoXcTjMNN1I~i_2_m(atEu_eC$S*GQrvX zQx=2}LR(z3(3uK^DkEW*}eb<1*L_V&WjP_#6Cgt0n8Kob!OXTy6~GY5oY zv#!-VWCn;+%^r5sguwo1jRURZhi*cG74O;u zC;{jJd~}huRQGt#(3*Dedb%P4f>EIoTMOI}g{}bwV;r^E9?yaY1P=t50T9?4XNA^K zu8rU-78mXXODL&`!t54)(g(j*c3Pbwkh~154aTGEjDnB76-EaZ5|_5vxV)g&I16$a zEL^KOSv1vP$klejpv}$0*MhfJO+)YbptQvabc+D#?5gqLgZ5*8Vg0~*<*RYMak?wz zj-d!-lSdI+E4rdlwmSQA6;2+i9C|(x#h90?kZTeWW)#_q-b`3t9MX-f@9c9cTV)!` z^ku#kL*JnMR|%xfm$Ke(A^%-jTYKose;=+qUAdM2-ui#u`hVW~fBwb&KYwT(9q%6O z7lgm&xg(R@Y5dUGi@wuezjNNIO0T#6FW8{(3Xe)k@9q~$G!`!0AP6bt^J+j0tH~bn37^5oK7N?IHKYvjj;1Rbd%<=?>?ds>68iro5vwj z7SdlNuKepA7~}r&!Cs?oo}4s}fOy#2i{I|nW z;WUE2Io^iEns!^t2a(A}h^kgkTC~UlR!f{ukv^TCru8w5yij~Hg`pjy!5$I(A8bj2 zf@2xB&y=BelN_+34*f71T>;=tYyo5b{UQPXC>ETF{+D1gV`%5eqj*HW<8Ja%y{FTU z)j3Wd_2CMWc}v*UuM=Ow@i?#g>K<1CBwC@`MyMqjai9q-wZLq$lE>rT?Y%r0MBZIg+Ve6?Jo3~LH1YKeyHw?=c$Beykqs1(3$ zmg=i&K;cO}S;`pJN>{VikCbd?IP#iw_|q0rk!4HbN>BQU&_4-n!oGTvv}|j}2AzKwS)wAmv}bPMTWds0yJmKgh8NID2I2b}sFG4x za+Y&n{W#}9q^-|E_J{?}Xm->v-b zR{r-_*Z;B1$d~=8rv?_$u=@Kbg*tk(zt7+3HGkcDexTmJIBGQhrM@2g ztFaGXPF`)jrFJy=s6*#c?0I7gXennH0< zJ^D8)+35DBlv5k#JtqBx%U*JSN)M`AN|(K0@@BK%Y<}+Y9KFRZ zoK|S@8G4en^CgwCRk!+JGg`wsI7ZAL#c_YCH1`L3iE8NT#etv}I8Bzy^+dnOkJRK# z+met+jWN2~uP@QnT) zeM=h#-yS?DT|9dD@Auv^Ak5)3_74EDH>#BefcSm#7OLFMf3BG9O47i}``Siuk&4L?bU(LxyXiyJGV~a#_PkApJG(aTj`dl70QH*y-T(> zcpXa9hh;ezl|5L_%*53Y_||o*!&N^+t~%l9Z}b`1WhOkK*ZTh5{63>Ml}i9q2;RTj zx*u5fdZdA4K<+xhbh6f9t(gA~x`Y=v78vak{f6((drGLSr*FMA4~g+p?326>F?#f! zpL0e(W}oQr)QvNGcxg+7+@!+S86HJzPU@u?nAg%>kRAACN$?#5pH8kvpE#?zlcO!% zo1H#6Y?}EI0`ty!maDfW&$H}G91G_O5X7sYCw8x}9q^3v5qiRWYno<;*UI)aqy6U~ zL!IbvWdFJHa1EY${NEE`32*to--Q308uI6xX#0GKF3Z4pJs&1x_8W|9kFVPKfXeBKZ zU&e7A6l*36ISXr6S0TU}k-!(_Yg@8@~^d#9>$XG)FzgZSjtQDbZ8IF4)4ufIyU zD6$ITu=jSKA8j4|goU6zcm@x)p`T6Y$9_V-BJlj%X!VJeYRevQ6rVW5Ct5CCFy^0n zt-MG;aoh&h1j_WsXXnbrZOHzY8TP$?93>+)k3}zj+Yx zU{$JBH`C@>T1bwn6KsmnF{M;@B4JB;jw&zdCfZ3i>s(0!QWJ&yd_9yZ)ihwG!EjTH z7L!^*V}VqmSkHv|mWO^uu+Z9brb^eCTt*m-wa6EOHN|slHvgG`=^LK^8dN52E%hF?f)=FEc zE`#e__s{u)dv{}qgNy$8K z0t5m%B+DUTt_TTMCduMklStB+Conm3D@*uH{y!OwlIHnMN&u$W|37(Bu>W6sd>jAk zmjA!y|8M#KzdZlHb#k(`{i+}V(2rfaKD2jmZS@S!jv1`-2_}A)jtR{W@@n{kLJPzA**d)NoRr9#eXFx6}XuC##BKAqp?PS(vvJ_&%=%jbCwl;n`=!g9>!N`Q~i zrEV4n1BxKzyBMfwl$C3{BG64X**O6aU*Q2~KeQkA($Qsq_`&yU=npYTwEK{~8sf`g zGC%^S%)8<5u4#u}m!+j;`HpvSm+~Id%CRAbE@!`Stu$V3Q6RFTz3s!Ftgcn7u%Vsi z;EKlOS!rw^?Y>bKFmrR2wWXDc_wwcL$?lFW!X*L)4!2IWU+rOZ+PM|4h28!5#oq4A zS10lDo5RC{qZ4f9k=IJ&$CJhphLGDoIDy_yUSXkciasH@zhoq92@CNV5?eWvs6aju z=07KiSs##PpAxG8=pp7q*&cjNhbjZr*%=m8;m`)zAjJq|)D8yDq3l!`0SNj4{Cgqd z+d4`A;CZDr?hY!5AS=U^v|1Hvj7dutgh_KaEWpykMV&08o1Jm87p4v|K~;K@^dv(v z>i$?Ri4DqJr3z1X0h_Z1>x3!7f!Q^E5?$(Hv31nP4ZOfaFeS?2K^dO06s*%f&D;PR z#aZj!!?pJmZ;tBX8o~1@<76z$t@L79!jIIWY$;ueD)9QlgfZU*Ys; z(1@(yx+IV85NZ}2jh7WVlnB9mpA6+;%liHteMzG*3@Qu?#g~)yqPR?wu{t`<05k~4 zsU#%c_}h4CFGX+R%If#-kLKslj8S$Alg9i%i;KX1EK(DT-DD6Y<5BN=F?Et0ta9 zd9C91X}1dGlHw8Zb^q=U<8IdL55?!DmBA$s8-Jzz1>m3#(6^fEr9HCff3dsQh!)z) zTMH-f4&6kA`P0D<=gIya=9c#caF2~JeLV&X(z)zM=e2rNxeFK9=xPZW+e$ssBT&9g z*aS+vfBh93Maw|DK6~_t>xt^;KDwWfw&#kb0cRJMVm-Rsf)1b&@_rISyhY{x)P{k! zN!!VztPCsKy{gUKEDKH8O%p&7m+Ac>p3*L2ErQZSjJZX#-pX14oWQYS4kF}A1s~$E zgvl-eCBwJ{vlrnj1UmAZA=vYQgj?9egxUZqu#A09n{=O2RKsCB?WA2fxD>-|j$w(W zz)>eRH>1Y>L1X^}9fK^F6~}L^i4-3Wob=G-zay^n#YN-Q!SDiA1u2xtx-A>iW>ssO zDhIkiThl3B*iD3-YzU)t2MXF93B$#zD_^)+({6_Zp!BWZ9K{!_?;gId^Vc=_ic8W> zyLmdQ^6NSbNJB0^BJVr9&|0z3TCHXs10YU%?J71_x!YQz|6u0#WB}+@q`t3O-`C!| zM`5+*u9DyUTB!LotNAsn`L!9E2e5yQm_p+l0NFFj(==S->l!NSNkq>g-J{jis&Z5_ z1-}gzG<_moGWb<@>Gim3^|(5z$5pGx)nJc@$q0^Zu}6QBYgU(Qg)Y5@a>{y`{$~tK zcAz0RlA)GXWM9?z47`)Xiv(VXVoP$)$q zWNA3uF;ZSkSyVYTD=^=k%j7DjCSagYv4Re+6{%5M0=^lM@CdGj6fnX-G1b({GF*iK zh|81`Q*}ZYNiveTA-Vn`XMzHUoA$_xpM+01N@^!h$$~;!$Q9W_*MR}Q#b-Q%s(IvI z*lpu0%0rd*D%MRP*MO$0i6KR4S*n%-`27zkQTULq^K#?R|EtOrdo5aA95n}va4jZE zn6$Wv>$-@XW)444TfR8NY_HMJ)WG5*8;UH-a5mdxnCs#qx44)?2LlZF*35?v^Eb3B8O+@tA^-| zNVRYww1}_@YN~2+L_7rS%P>vOm7XOxYhU29cVpad%y{M!Fwi6oCV>6^q3Pj_g1h9p!Fe9hgLY!C4 z3}pHq!dULugF&{`9|6ZX;O-SzB3gd;%{TQ&@BL{Do648{gtdi1H`B#zh|sB`=jMJNP{%2!Vb9emiP^ud4)@Xn)i z7Zb)u#3WS~QSgdFLMHLe^BmX-*iH4glXp>KLF{-k7$n1Pf4F`Ls5=E1(d522_9wI! zbXl&vms^+Dn8HBVKQvOM{Zv+K%7zJ1HW~BpHFQ;Q;ybZz!IMVBjPn|LVeg}875-B zC_+QQN`c`ivM2^7s(O!GY*PG*n0?$Cey~U_z+S`EQjZjw#+>!t94{PT14=g5hT(FK zTeaz2-V(E)((N)Wt)Q=y48<6ZI_#O70 z=3_6cZr|R^ZN-qcQS?Rx)G6E>!z(LN432|f zTBw*q@)Qdo`4y}drp0C{D#Y1@qV2#-O}bsPo)C9|T04bjK}1ljSX>YZSk1w1I2Kcs z0iu`{r$*U>2Mlz=S|VFC?4xaVF0pUw(E@HE%R5y$7RN1&x&yjr3Ooj8ObGW$eCR!^ z8{s~R><5WxrHw0=6J`YYHs}-V<2{#Y?vi*)B%A8^gv54e-<@+ZUJMs9qEzT4D39=} zHgZ5#=L@NuuRcioqlGm2_R~hS`k=yOtcOnPa5oJZ6~noHhz30Y-A;p>(;29){fo-zNm%wC;; zg&<_)tRj#94J387Qinx#1i%Y5dy(rHm>^Hh>{MH2XaQTb8>q}Me5PA)yM!t`9k+=V zTckQy2d0Kvss(}8J*+1El2(YJju;T6ZycZ~4BNYJxH54sT*H2k-CC4+ z38Cz^ctQUvwdoWy&Bq&#BYY_isJt;5CQ28H4E>PCX!Udj1VJtg8ImB=>1~D?Y^UbX zL^{+U9CQ{}#=|NWgUg41*CPS~d&}&bu-%0c3m;OT#}_V=PMt)d5}u5Uz~;R}20;eQ6Kp`*>ONYwSWjdMCR~3(QpkE=kxnYs{p58Uyr*CQBUV9EVY*i;lW!(R zU?AXy;jZd3V zVKl+Ua2&I@M5A^VV7frt2TLOsulN916k-dTgUHl+%<57R+*%~6RRob~ z(k`&`OP8=PM#^rrGAx~-H_%)`^RK^cMg>YYga^Zfe}G7q0Lz5p3gs(BEk|WiAyIi) zAg&Y!3`GX$jTs@`?kk&Ql@SF)vEr5wV%%hM<6VUtAX zL6@aJNLHfEaCC@0@Wv2;A){&uz_+kx#7!4h%wl;7;3mvS-AaKeaVyr+8~d)jXoq)t zHA)rg{qz}^q?wUYUupP5C%7bum1YbU)O`m`ka*AGNY$*%>hsc1-)pUaqopZrjV2<& zvu9~GPsx!W)T%X)jrp4bBTJ_^ZPg8a5%PDUs!FW(F=jn0ce_vvGbE!Hh!r_HzP)Mq zL9`l-axc7h&8KRWa*2A-V*(5wr|52o_u0h35#);b5Ud~P-5h>m`fXs=v1=fdvLQ!xSRf0ZQ%q3ZN`VNWNEPeq-C2f65lv6T zfGLmKYby_*rcYWAA3b{9Za!LBQDrZ%GrB1;M!Yv!6OY?vwu2=}L}y`LT%#UyQ>ehc zvl-q0dF8&EIqw+@N71vQnxcHUr^L?!M=4qgGhUZ7gO$u#q4&&+xp?0mtao-(%al1~ zOJ?{WMwATR-2TF6w6tHEd48Fp86nOdeIFD}hsMI>ZQEc_;Qf-->mf0jT`b{GiVeDi zyKRPo&&duzmXSLzt&HDR8CKOsph7ON5o~4b@29k{#46PL-5hVo@05JS!j6{sWmA>l z7gO;j$x>)bE))ddKxGr0eZ1~SrwsFR$Eb!j9ZC!)ccEnN6wv91jRH`--rD|QZ)<-& zv}>E*uE~Yn>oYAxA&S~bQ=9^m=0ztF8*n*OGHh=o46rj?Z_=b%T3HWww{CPXFl*j= z;VI>|Soi9+(snZLjMf!ORT{m#IRp%uvL_8`=+b1^$I@vL>`a&F%`HUiJNh90aHaur1DhO_Tv#*7ogu2)Li}mhcE3= ztOm45MpGF(E5Tth1Wbv}dWEi7xqk|vgh4fsC_^)9RgCSh#pn8zhD5bs;8iramU1#j zHgY0sbu^TP|Fxm{(s@k{W>>7C|-kOw8~eO_5Bu%w$r~}nK zZ9`M@ZgO>s0S+k5g^mE*gjX5PiEag$P|{R>S9r3C>W|4qgO?+g2~@{`H=aDg$RmX% zBfkp{O9Fo}EQ=~DP#7cNFakC{OuCR>$IU?7>}vVK1|Z4|mRlYY%AP*^kQzgJ-ps{C zwE^GCmqnxoo;m)CXpZ*|Z-`$aWqwwn>i9*sAVz8YH~OR$NmV`kd(r=S(bzh91E}M5 z<8_QVfWEgM?rr@G^HRNR9M_NvU9p_=(61ArNJ9%EZ*%%D(P5N?JrtNCAHgQFnM`z) zw#T_RDsylt5D5KRabElzx~#R5T#tkCQ;$RGz$|dRx!TvE!C@#A!vz@u8>1G4(bNRXGYRv zt_d#XsvFCf%3muZ%%MIFLrd@wni&=!w{)bd0WIQfpK+?G?>5U<+>5h>^J`9vo;zby?xCQG86q zXuG9Gz9eH-Lq~6z9D{}cr0T0h%dhW`+wIoo={#V+`$VpIv_vWMj<(kxI4y>*ch@T1OWCNDlX+6 zrysLXwejOFkZoJLd$8Xkr0b14ofs&ob}O&SBT1sCa3prXN2fH4-p^F_=ZYM$U}uhs z7h`^q7!1|mT8*uUX#mQ_Rf8mUX%}$%AA0@E9xU$_Lnfc=rKrKdb$BJ|jg;57b=@Wc zc%h|ut1n9nV+PFDA37zu9Vu#&9K7~StE;luh%O>4foG@#?3nw~#{bfk!I_)U{|O#d zy@CZCxr{E?93n@~sK(D5IIWQ!zz%>#37-BxVe|mIz}&3jLO=0ksB7K{-Q~Psjhhev_edi8U><&V_#?FjmH_$7_eI7tkcrI_$0gpoVq+@+LhR} zK_88EG9nO#(M#M}0xab!|6_tA>?muFJBg;`O>C%?ge5&XIz)(GBBrEuYo!-yr#~P! zft)7af@7skd0WFi-^q1F&9*7R$0ZhE;vY@%lhG*c4%94oNHSK{V@d}WmIKREj2s!> zK1_5Sk-wVU9p>X5f)_4s!ml~)qmC-!Zhg-RskIbIPT3S=Ai#NGB&y0XR_>yqGTaZy zs8QT54!^x55%S50nW$r*_7;mxd7>Tlk*&<%k+qve8qW*aFi7c79%N$awM(4@s5Ot? zDUdr8shvQ3MS7;3Iz|x)-Ds7XK(t455b4ko2K)x-ma`e;IjEdB4@ zpH^OM8Aj+JVPk&FLd&V$)w}Es{AD)U-C2(=WZa8iFzm&tqqh3x5E=x0vvpONv2(R~ zhKS)Ns5dAWzW+)qJ8QV^2VWu3(YRF^vEvHb(o%(emA(C(OESzmeHQv~nv}yu*8z#q z>3CIK0)WDGNtg{Syd(G6Wo_^hM6*P^2<5^;nhzprb%Qxjzy)pm!TBDXyOXF{*lxV$ zkWpL;UQ=*AmBj8+fs&k%OLpR8H`E1R4*-to7|@g(4dJ!ioMf)=EXKsU=1$=vwMSAb zR3t&r+mx9gT7z@=pQLikZt3aeis*npqRz;fG%wM#m+RPP(3G>f)75qcm7PKTPFTHD zsu$B*A6x08crOe#8I5}+I3Q`TOa-+CQT1+K6VnWM9OGD#0EY?cp?k_Q((>DTBFZ;9 zE-u`#YRGw}H84t9Sj6)L3O;Rb!?5fu4H!dDl>xIC9Vr~Fg<6Dj#YjNw_Qge8wHBkW z1id<|%^(ck2n6w`3q~9g4=87h>H2Q>#s1dow8w2(zvq=;vqOhe%SQz|MU zaDo`;k_lpoxR*vLB96BgEQ0Z(Ku~K-+>P42QRYQZr8i!rtc3<_-NWa`j4|rM2U)*4 z>Qr%mPj(Ns_YY1^eiBYhlaYa#dd@D4#DibRw3hOQQ!ufq*IR)}Rr~H*xR`!8F1*^4 zl8}f>n>KH7hPn|{`=(u0SWUvNVS$-;$EDg%90SX(+^Qe9p=4};T)x4;1C0vs7QD$N zi$Kgy)Q;<~8h0p!6%|MLwgXs|4NOyRg?qUfY+T25)J7!~EOTlfe0f3be&-^^tarUM zCilClNpol4Qog+7P0vVFsWv$nM)?5v<#y(n1WcGEq7@NHAjEI)9W;JyY|kpNnbi6O z$xV69kbtHT2CtucCiHCM9xd>v5=t0(<&v@fbo@v;Yf+0aDwV8<#{IJOJO?t9Ken>q8wzL<=Ha* zO^-lRtD%S;`Wa_=e2Od~PaZeUEq zZefvT7=R3-pD(dJ5WtKQ)ot)|iKM-0d|KoMUAXL=B2O@yWK(@N?jD^ zsVePqP;NYADq(Iwdn3tN!s*PivqnniGHbOuEM<7HqmUWunJ65!3PL?d@|@M~FLsEP zhyF#$g;b60y+MI|FC~&SHz2AD#1l(gi&a?UISmM}*#ok`8D%|s5x;Dlyx1`uCzlSw zn3NT;lDNoDdox0s_;PPX|HrI_IS(b{JjTB3j5}*(13b0{SeX&*959g(5kWvv@w9P6 zO(fNtunJ-p1H>KkCbambm=g@dMpXCuEao1&XU`m*vIA9m#Tl$+cyi%yvr#8~x3=== zoA+fharML8Da;;RigsAUYCX?d}T{_cwOrW~|wM zi8_?4fta^g`uJq)&0 zB(7u&$ckh19E3n+0nNQ^hRl_Fi;H5Z3={9YSLU-u?nFH*&J>wU7}8zXAZBOQf9{d3 zYG93&0qc}QGQpW4V5z-~BU#SVPJ0=n3N7F5jF+3|S*Hce6oy%GB2UyL^F}p}_m5)o zNN?3RSBao#9?yVjjz1iR2-G5ow zKE|54L?uuGNvRb{Vd04Or;R5Ny-5YFLrV8D$)gV$s_0l)jX;@n7)IWnG>%>$@4nQy zWCpYq(zfz;;d)R8425zW*^S1c0@!w!*I*7vh2*q=n~cC-Ful_jLY$TZ?J% z=;Z|_^f6f!##JU`2C^ki1{rSqaI|44lP1MGBN>Q_LWV=oX*4o4cPDX30?(51=!&f_ zh%UnCTn7jv*dg1Pn2a{j`UK{KK5W`Z!vrw%rLcJW84)c0LX7nec^whqy+=_!2ifvt zk6EI54>d_r>zXI2rS@ya9_d&>8@R(Bn+YqVjSW|9n1NG(@2ClB$m`c?*VuePwemJ8 zC1f9PZ9$-7HBHS@0>o3`-@`@mH3CNXEsHq?&3Hk2_plP?{fdk4~_PbW6fkbId;vpCCH$9(gnxG^r5oICoHg z5Dy_L2wG;iDK>K8t)?f9nW7}+;3S`!O-6}ha8OZxsx?j_3ZJZ4FdBoX<4X(GCGn2j zVmgwGXWhNxNYp0hvth#NZfhASeLJ)ZBO@K0s9F21Q{2etVf|#}_wv&zB0ySfxK{3J zNSctU3m$rKkq9dda9b-xQh0z0UR#nqZpHDO)mw7e)ptC zmxZK8A&O##%s)cH%KCAH!%96e;fHLJ)w}P?i5U3ebSu5m`B(Zql_oA%Y11C$$1SET)Y?IGyPD@KuC);c-m0WHtJA0#FGs($n%gOZFuZ zLL_0H2dY9D-?->5a3IPTJ!n`OlEInwN~CbXZhgU=tqV!ifP0D{)3U{&l#N7di>sP^ zQ+AD>$Ze8ra*7;M`$uuY(z)3Q>>>g(iHin>uNvwCQ|PDxWeo6LAVJV z6p^rdC`fya`<=OP4Rf%ac7d#zLM}`u5u|ZNbTsXFryNPER_OCf`n#!AoLLXpTwJ!L ztZVXyT$fG{P%o5YgP3ON`$c^4y&cU?5iR6`Lup(SbRx;m4VNGhI8p{p{kYUTHn0g3 zH(;vC*5p0#i9v;(dx*$3?6k%+(ucFz2~W0^_B>_Ut+EtsZ1F+^oWb5WNVKxeu9oby zTMEZJ&qP7>8Ll|9HhnEB*Ynj0bU{g#$*#vlqWO(MssL`rGZlKm9*A+KUgDR+b(v z=R=C%vMlhpbbe!ftiZn~j~@MP<;m*GleJa&TzUFl#?E88|VLzj7O>T%8vN-fsw`=fjaK%Z3cAvk7 zU&Fytw6?PHw2ptjk%C*}(RqKEujBWfq?e_gXfOSrX430N-?r%YQb&F#BXZJRY7d`j zujVY*_RkpJ2VO^czdgE4hUrFh)gP15^Du2?n0MuLJVL!6T1PMU$9aMX4QfJyQaA1!Kn+UN?@mUqO|v=ev8mCqLl~UhJOiH;#{^7Y9etR&=;^bh5ksW^d~#I(&0< zcyQcUib$C&3r$NJT5G+~6yy&t8?+f0KL)Jz6Ku3Zp(58k^#0E-&`%PS>N|UUR7)Jzj-UN$&$3nCN%}<)MuiSsU7a(dqYr zXn5X-8x)Ga-ilV%R##URS0ApdMsJR{$V=nzS(~Dh#W8yRygu09JvlgvU+J8I{&T3% zYj(!1H2Rj}h38A>&#Y&tiFKb~0tJeFReU_|;j?*kJ;EWRy>S=mE^@)i&)CwUZhix+ z)`!KpvK}Gv6k`ah`uwLzJ!BuW4b<0Zz6GA!O>+?nMyMDMim1B3^}2z~;)7MiE>dhS zpf8YWp(ul_t)t|nbT!3!zxjd0i%zN~C?PzhsOg{-2GEbky=VcyV7Rw%gYB%{pU|Mh z+{HpBXGSD4HT^iw|A!TeK$4T-dSE&vmmFsbX|JUWTdXcw>&$7TkiTOVF4Z}#0>hiu ziQce4M>tw*Lucv4TRND;Ai3;S!*wLS$H71ljZ{L?zMDefUY2(`mWQ(GZyKK(73HF> zV(Sr-6CyOB^ySU|5UABbzt@t$S=b4pwNXA#A+?xMO4v-Qm2yHR=no^XvjV+NQiQ%D z)!z!hm5JuMvPW#*RZn9~-Dl0#ZDN{FSx zSzcrPuy|EDjCq)10sef!I?4pIZrbO7CbX#d?+X^zRKM=xekUW5>gpHV7ddc#y%xpm zL>^25zXuY()8@o7&`F!bNJ9#i?ie!c-En7>4LW-8`NWOnP?KeQnagI#fbhM*2)wVq#r8sIOl=xq~+c5idRCSkh0Up*PTsl-2(T@-i z$W`Hi!u;Ri!hwO^vekcP{y%9B`!~q_PvigBR#%=r^!fkQmDOAR|F_})kso4UOQ-zkyYcC`HySTB``u?tCCy;g%d81Z z+TN(;aJq0Ep8>yeZH`~q{dx9vp1|>!u%DV=uLH}Et<22zmks~V$Eafi6PD-(IP{X1 zi7&^d3~Me6ISXrEJVUk-JVuWfBJSYz#aeoOYBt zsI^u4VZE$6sVrKgC?W!F?RM0%AIH1LCqErF5HPw~o@*y5go|w@(phrFE2@&Ued1XX8ynXTdgjB*+dR4Or11K^%%{tjA<6y|DqwTH3`1q&ecx&hN?!NBJ zc^a*)>Xw{pjguGf=~m)r(Zg^R0KWL(hsM#-?oPw0XTOLZu9a3U4pTpk9zHA^=9}Fe zf0XbjdRkWgWwAUwik#gY44b2ly^@DVF_e7{W#gm9mTACy9<3FJX%*QyIyekf#plu5 zBYOnf92bP3DCwSN6e~n+^A&kP6owaXy?(yi*gx^QP>-WWPfG@;N&pDra+K7Ux6$gf zR*trIj~iu;(939TS{r)@ZyQHtZP3f;;j}ik_ZnMA@z&m6Sv$Hw^eEKUF~!ir=mPQK z(e4k&b~FCF=;1e^CSFcx;$@+Uf7lR!f&oBVqZIhn>DtqkLR0(4FOIzy%p%IiU~t zt?uPf+c~pI2Ls}cQje`ik(`daPDUw|)D$ykL}wXNP#7-v44r3CBDjs@g4}sXKhSM8 z?Dtt7d4KUfwvj=v=wJoSo^je`?k}f!JlOxwE0kDpNz;Px-zi1#MG+$bR*OjsHP_w! z6TE@qlY{v9&5QQ>#f7!8=z9+=WkxT0L)15un+dPk#TO~ zpCWiCw{RL<8mRyJ^_d=n-#oz6nu>Xq121T1%+^{ zk?Q7YNjYaF(1R|#4s4P`>o9E*p8oc8#h`dIbhE7P2`Tr@XRpcL@$0P<8rjt4z}Mf% zlGsgbzut*=wobN)H>heZVIf-MwWDzNt@HvIO6RiKJBVNGZM_8I`_0J#ksqen!m9vP zvUhNB7;m5K5%KWisL`;hdvD;9dbIt`ntefa({5Xb@2c73dToM~=oYPK(ALVz%IcfK zc(4r6PX}*-Ald??_0p;Byx}(1-dF=-`TU#Ry&b?@FXMy#XfdMbqv&%zK*b0!RTQF@ zlc1{POmwGxrysAYh<8$oh2#8;ni(p20EKi_xtXjiP$td-qhTe7p?PHb`bWi8_z0g`7oi&^HDPaG&2_tQ$mIZ5K=miwiTKVl+JI!eu$!kQj)~q<5c&h8nTd+hVncbuGDKPx}OI zg+9n=`z)HGjB79!N}N!MV@ieqf6wB6FBY>+7#z_^T(O(xlowXgxd8dr;uy@7+lDe0 zaOMQe_)w3|Q)NSmscHbW+bJO`bdT=0Bm$;k{tpgMc3PNps*Zqey(lsWtK@}uu?o0z? zDl9l<@+@~teu^Xy)ryg$sCA*BjIfAkC>BRT3; zG|!{ee}t=IyD_xx)zpsz(ikd$(Y#~7KY3VIhZ;qyCeRl?4oGbs<%M2{ZZmCa0Fn5uT0CtF7(l?gTLzC$|KZ;3l%JnXLE z3p1c66I*@sBrw?t<0>?;S_1IM0vx+t)1&C=gz`@w1!_Eb6q0ftoxJ8SoYwHHXVEv` z1gpICW@J5!{t*x_?Y%yJ8Iw1FK^Nv3inxj-ss&3VXxln5&=z_b063@E4~@gEa0B=z znlggtN4q;OO9sI20%X5C%&p_&lUGM?N+uz1qi<}=e`_SVKceugjajx=T<9L+Sd;-K zE0zenwkV@O-P1X#SI_{wKZ&9L-Ix1~ooI2@uMI`&-m}BvqZfrIz*^PG>T(&ac6(=| zbIJ~Tnj<}i+STkM5M^B?&sq7SKG3!jJy(1VaO=$u>OXdlh$j|`q*@J`XVz9~i_h{g z=ltPojiZp-+|zLpu=Jy-y87+6tKZa$n<~Li?K&I{wYrMQ&{qEutb?f%fq-hv6(ANQg!HWZA{j7@W5ma1x z{{e6KYwI4<+Yb%9@C?yE7U_GTlFACTWPmYk+2e!XDK-vXGJoI-k z8Uou750RWULQyOXb*f`UkONfM<;OLfFfy$J*y;|t$;WtdFDSpeR!1Zb-2VZX>zx=i zUOrs)_I6JiN5HN(_KBR66H%#rtW;{0h}ABPRscVFML$Y0 z+=SQ3$E*w3!$`nU5S?T0$QEifIF)cB2`%v{8YCc(d)6-;)#Jwg4#q(u`O3=2r)~I$ zn=ZQ^L4S_!8|&X1PyHqBzc3JA(re}Mc!cI2=U?0YYvsw~wKdQF>(R>E!(02WKZyO; z)0?sXdU|XBb!-3iC$syg5? z_;g-dX(u1jSP|YalWpRjq!V-2mH!a{i9mM0{=lelq967AQ%vT9pkGhu)p>#kz&Kfj z%H-pAJNwAy{~V>FD>cqkz+NU`kJ2+Z5frhqmtHE<_YPUwwDl3O^XL@SkAz5(`jQ)YT3a+44bk6`&)mDL_nth{oRa(a0F4Z^Jw8hN`@J5j4@UhZ zufD9Vsei(WFz8|C>P}RHnEjVS75lC6FeA4$d1!eSa5eFd3jI5hSL7ui@u;RPk^1*- zgp@OiCK^swCD((a;BQa_i+~r}1h_1C!sYMuINk?bQQS_4%?lS6LqH-hN!Emk1EAB^ zrj2mN;2nZw1FF*+5=brp;z;&B=J8-M2)*^zA)=uhkdoJ=Rhiba!rFgm*wNcqRWWU> z6)6LPq$U29QdA9QtJMnOB9*G^3lP!gZXa|FgI)5gD)eR_`XF@K{eLFf_?o*PaUF5D z3~jW(Rl#j0gfJne92b~~FFX{X(6{|>Tch;CX_lK>q$q#*OT)j#sWpDcBNYNoWO!8$ zNsx4EOGu~BfI3ipbsgCGEa1WL+UBT~VF_8&Yg{eS6q2We*zu(yJ^}dW6N?o2e^Dnc zHGdobueG&Dj~=fTg=v}Yq zxz;Z{f-RlRnJt422mBCtfthY+4x>}%{DvfF@oB&T5BZe|esW4Ww6wG=-*Jz6d7QOT zWtzJ(q@*3Aa@H3t_1eWJ*_rzc6-7$WZ$Iz!y@KKuZa-3lg8Q)J{vIZmv83kmx{#;w zjP06s6?r5w+Q_qm}{f?c(ojQcd6Y8iK+a?_{ z=Wb0;`+buqh#P>->ZGuAr&lcSq~^WY=CBBMAYnCS9fMRoz<|Q|{YUy&(Xqa(gw-cHWxrnl;Rt0s^2Q zH={*95_axRKcFx+5FsE&KUePNKUYX%%wH>dIdw0^@u|qNWE-x6&71=rOd5AZivWgH zmN3}&%Exv}Y1-ukllR%MoisVXEN7DM01)KShcq1sNta^|GrJ`mDjI%|k`Jlh4K>sk z+kF)ydRapPWjB@tzA-i(pI@S^WoQo7^;eW5^w=YW0bt{1e%{hfUQ;cT&Dw%Hgg{OL&Q^iojLCJM?$GzruT=bYEVIv zBh-^FG>wm|K>Mr`ujAzM0WP!3dv}>~#9>a_+f`=#ylUD@p2HgRsutS{$h(S#h*M#p z>!~osYDFh*z*=DgzI4SWomBe__v<3UQgaE01ed~pHos``Ght4J;ezQg4fMRf~2aLa9! z51PS*@*~iC6gsuDGz5F{clH{cnGOA9rT$SnXYK~+F_#_%am!*ed?7N!jwe=HQV8MT;X5Exp4HHom(dW%=U6j1Ryh8*>AvVN%P#P zWMit&m^8PjrUwt?R#UTb<|~sc08z;t1x&W6i?mhVNm;|691=oyd_4Gqdk*(lhA|$@ zfaUEi8V@+kpoH@$T0I$_UA)8eFTc$5IuQv*%Z9(4jgn_PSNTD{BDh)vv^>}0xEFIz z=pb@o$ZMmt_bBf3e*Z(RBK+5hgOl8H{@CFq%^Mr`>E>E^Cvh2e8qeRntX6gn57gqb zfor*p%Zchby5Mp-KOO~E7tfifh)?FNT!{0g>veba)s=Ba(tOUqT3E#Fr&3-HNS=#M z()$v2jx(gB>CofP7Vwz_za^LqANfuD$P2{o_t_PXcylNlTDdQRng+yBvGXr3=Ze|*iF`EB7*ya;xu>a zA&jOrUbdSg%bIY{k-)+G9>I&qL50!W{g(>$=>Y2DJsIBm`~=LVHghJ#c4Ju05ie<6 zHYeR8&As|09z}d=d!wPGNSj3vH7g3d8T{uUKN6Qfvv*sIMBBS8q~5Cw%!a3@_Ta&_ zaAa))o|}T?CXDBcL?$V+GqVi|PWsZBZfYNDUdsX8h1 z0!xBti8w7D+AsHCIC2uL1Hca;U z=HySoo_}TOmNhebAtew7x5Y8YEORQogwg>uB!hLPZF-(rl;&gD8^e=RQ8#S!F=;Kx zS|BK?^={q37MIPJZZ2FmUzF=jP3NpGkfLV9D<;w8WKuGkNJbj`!SrM_jh6KCi#vDu zEC?g*4n|jB3uDkcs0Vc?*@&VDb}Jiy-G%P;d+C>~b9l8vJx8uaS;J4E>0X1+QN@7JfV8mZ$Qd6nRc=T6Vu428TR=r zV!*Gq#$UR?Q#<&Y)GsZRB7i3!-M{)i{*E-mUwBo<8!!DZrLLpFs>bmt+Yg;G@(M zGQhzKB{YC@uuBL47b;6`e`k^T>Q`lS@R9(<#oOC+x)i4|$maz?|h-$}&aD?#Vyfu_>al4b8 zX3s%Q=gH6>~h&WlfariY2)w1*dIm3~4C!|ci7k(k1LfPXnE^J{AU07u(55wHT$CDaH99Mebo*}LnVoa2?8qa)s#zI1RS)K=jjmYoLGShO;Msw)pyZJJ7{SBJfFJu1| zg>MBjd7(AtA8qf%8}mXh_! zQfhj8-L#8|@l*vGpw}XAPMb1XnsTeUTs`6`TD^EwiL)2z8mhL@W7xd z)z7<3B)L6e9_O6r#8Ya^ra~3wH|Hq)^M)hORz;yMj0(^cp(4F#1{*P$yVR3)#)m1E zSF&_K(_W2&@})rJvlkXYd+XHfOFsKv+vZHGA}8YAd>68 z>R+Z8NEh$!zS-tdS?{9Xxkxbx^(o+Wa`3`%-5pA%(TYe=jGZMN{G?{EV?yPqI3IUl zvU#7R)EG?s-*|zcw+P<76!-d4Ns(ceFr7X}4y;zPOJD@(idW|z3fKez;#>l4d_D_2 zSrx69o0|$VvHm-20e*k?a0PYWbGgFV^b`PyG{+2Ob93p(wAmTRP~|UdK&2j;&9CId z?NsROa9wQ4Xk7(dYHF$ijg237PvRF_yL)er8a2y$qX_SXsWDuvXtkt(Q$T|^;fSj% zi2z>^2a-Lj6A+3bZ%SB!LR#+PVX)51LS!EVmi`h6>D|}*xGRdl9PS2%@}mM_J&b$n z-eJ8o`oO0rlp^Gdq> zEDTgBq!(~Z2!oX3gITdb@q`x78e4`G$7*nHKr~WD2gp&a3nTM~Kd%nwWN;Ll#Nazj zeFfYNet))UJm9>e^}qJm|H0)p6J#uEv%_2Yhr${jmG3b#McUmzki;G8^>IL6>dy%B zGt(@kp=TG)?W`@`SZQj4fto2 zS6lv6W=CAH@3pa^Fd+JcIMM!!AORH*9Ry1Y0&j#J{@M5-1t0geuxswa2SP!gNWpJI#}Y*6i$aMLD$)876p7{Q>yCeqS70tsmI?d zQ8$I5xE-J_ncl93-i`5we_wZb;mSTY68f3ad!boWVoWXk;G}-tdmbM2FH?;mmxY z&K%$`T7b_DWmJ;1Na(wXs*_>byoec5uG~t2+@{d5IuVn0Y4&uCnGNyMIO8banD)>L z@rLQOF=E*$?TNKI)oy3Qe5B%}MO6fB)cjJkJ~E&uD{y|>WmE1%HDGMA4Q!xJ(nB!{ z3)5BpnIs*ioBOTt`!#r3-jP(2drORH!cr3MB+ctOX(<93DnUEurP>jEsF4w8M)E)z z6SCNMfafsg0m|P8!{n@+L@&3uqgIxj_4+v~lLq7byzE^DUxu*nmBqKsBp)p%9e7fi z=hTuMiRdWJwN-x@`cQjAAVg94PE&+AnxX+hjE|T^gJH@EO9jT3s2s*LngB%_#uP~5 zpkAgU8c?;DejL@J(`3}7L{!6cfW`|}@~k;;Nr%k~Sy6Lol{&6dcNS_AWWgtLl;v%X z`Unt-8ZUKENmo|7qq#Z8CjK<3G0A_)IN{*?D#5Jkw1$KS4vD=h281@Tvy6;9@)S44 z%auwUa(oPZe&p0_+Bw?9kIF%|xC#sKhsLY3saFd{Y8I6tfT<&DaP`G!%0<>Si4m8t zNfS~e%)x%+I+MckYEJg;!b4E%Y}J2(SklvAQy`aE)AA~B(S{>5rj8ciQ{^E%g0>K& zaJO`sLJ@`_y`t76@WrAGWUsOR^5m7u@hGb zC1&F7qqmU?#w2hm8ubM$%DrV4q)4mLk}9{%U&usZlq^1jKY9Z=RpiMV-MNZVc5jHt z5C=+Y40URv%2!HCnJZ@glBsGxZz4J73h=}6KyXcH(XsLU#*Zi7I&jfX4#0hnL9`UW zaY)ew+E5N+D$aGrPD>rYi1WNe3JT8?M*91EFW{bf{buiEm#8@OGhCWC%VdF{4X=Fd z-IHsMs&j-H9Nb>N{{f@jG79-P(w*wKrsOXL^e5xrCFx6OA%Y)T2N!`TuSAt+R}HN; z;l}6>_>yBwGQ8=4Oh;R;I{t2Dt=@gO@G^w0-WBfCxHBSMJbGy(qzOv0?=&(d_zgs_ z%5^j>dq7vxThZdJXyJdKXmPT6EZ}bTv;K{gE7uk+x9;V z&uDSQZOjfz={L6OX?x(&+6^jS6%o>dTO5PE;^&%tKKw(XsnyTGQ-wy>{#U7e#la?s zsJ4$9m^VlLZ2Y*r_b0LEFTx4|F?FBBr|B6Pjv;aCpevQ<-STjUS|OYMNqS|Kxm|+Y zRtm_E4$`!-=%nn%o2cDs>tR^X`&Dn5*|qX?5{s~$#6UNCbL7cvOnSXG z`SogT<9b6|{X?1y0Bwy%v+F?P4}rp`I5EY5Wwun=4)J5(CEWy5ixuyedZc3}<>&n& zhg8a1g?%Gi;-o(8FZLI}Yu7u2X z7x7NVrL>`y)xXp=HUUfWT&EJ_jP*b3GAk_WbuKe>Uau85<|b~l&~V19Pnmt zJHa^t5cy2>Uz^6q;94q_R=f5ZTK7h=@^$YGthXM%BJkj?2QLad-lexq30vevxt#5G zAYll`4!m(`$Y1n6DC0u@cS>BmtKc(aE`N=SU^b!5P22<5=V??Jlc29Noqd|v^{)l* zUU1cA6QxWXdLVv%umfn8hEQx^%H{BB{st}x?|ztZZG+dtABd~4yaxwEzySGGjxw&8 za+f*x0=x6tPsq4MUj}X05s(6Pw8@9gI0GNVZ;uZ4_kPm;a0Ty5iqNPQ7H=vVNZbP) zG8$GfEid(2SLl?-pi?Z!iPNo!pKNRL%zJ5eb{@n0KVG54F6b3TQ>1emusF7&o!~^@ z9c}?*{(9@j_uANoPxu`=;=6DmMfdJSg@;c{ji-wq+o}sVw9B}2lprHnF6ER z0aX>2F=O~=RLKSxk17~$6TUpDXg9DawRowL;ee|0uU>0VneH*JhV9IB?fLFY%jzfq zh&*Rfn?d)h)a^>e7tNYo?DxtH#c4XOq}JVhE~~bBbwVHQ_6>F7iG`uji*z_bBCV=u zvLodss5zBYi=sQMs==Go5&-&DbVo<&)z)5PU-ZvSXj&D1@Ic)eS>DRdGB}fr z_F*>)9b( z%`v44-$DbAHoVzPn9Hx9F_~XKcQ(I^9y}-jP7RTFbT3+Y`1C202v}Yk(@?{sDzrK=V(x&_QQ@DekG8dM+eJTX0Z&1v zioc(tIg^F?qy#;c3o^xg&D!1(>MCPLoAtrx!uljPrU;hK(4jnlkUf&L7c)vwCKKz0 z0#CTa|9XE|o1+ML$4%lcX5}chc6N@K3`l0>Cwkk0cFVM;d+gkv?e69p&ClbxYCUC(T$H!mR$n&Fv zt)1JF+hkb7|a7(ex{>c*ByKZEP=*Iy;ZyVOi(t@(#`bi{>pF|)?T9%2&2 ztZ{MSb(a^USk1-Z9@bU{YS#UrHmh#N!eA#o$jVD2{&XHqn~pu3!qd~w9Bg5%0$6-? z*h58oJ~p{Bhcl}7hxR#>bk$aYEXPLjv^T051HfUwJ1^l>&N58!ZJ{@1cD594QMjp5 zihdE@{_sj0xY~Iq$v8OY))JU=pKJ)xRBZuG7OOd0l;_bHjH%AzeSpzDX)?}de$ zg!H;OGiIBP091$$4`d1n+wBk&AvXm@N#HbmGNFt@2pW`@Sc)n`(WEA@r z+5^N_op!CL;C1d@aA#AqE^ffhuSb2b5#xXizu7jP=8Qr8#d6WM=ACZDI?aMLXt_Es zHm#QVDjQ0c7_O>=f@qqi7%U^_OYB?8{=1iru7LJUn;$sBovdb)y_`-lWRgIA7xS{_ z<6$b+r1lwNBYHfh&HiwhHsR=>jz`i8np|>RqpT-&0lrh)(iCTfOQ?VaEo^b`)eR}e z!*+UM9RAzXw%Kp(OlaY$sgMtIzM6-yuen>5`aw& zQ4FPZVKMHt(`twbuNW0C1dNI!r?ts@U2_e>(MEWhDe)(dLz!eb8{l35^GxGjTs-5t zUwt7*a_f2ZyLeuS*A=<@e3s`Gd0o|hGq#%ts2f~BB)8M7`NQ zrAsiMC8P8*xtc}de|9-VfM0H-M7Uu%x|QAkuaVu;@{wkGG#klEKw`+%p=XN&?I3^I z4G7=Wn^AJw;St0qThI3z@$0SKee1oF&BOcS?SsQc{APdmhsM!y!zwcvLXXXUhl-)J zI)2V{y6!~Hav!Usn0$i}U8R+_6F_2>s0GAi)=MZ-KcX#Fvz3nw=XV|D0P@K%VISUZ z{Zx<6E+@+4w^}Wg=Fy70LRW6u!}Z~KDwxI*NJ)hKMY?PW+Zy^^k#>R|6b3Fa^&z3s z?hB1|{^+9gM+K}`ifjev8B}Z6EMi+IUc5`DclP8Oy*&wZ=c4o>EMFQU7|w##TV(cj zi`Q@Q`dm;`AcgRzSNDeRF*TzJvPIR$8u3{Y>Qg$HT1-;weR}8toWl=i#j) zc5SiAsgGZ$bok`DJw6F`dD;gE%JR5>k;kXQtaawvc=999tWnvV0eX(|Q)NqbI&5V_ z$^o*r7Cq2*>pH{O%BO(oqOMer3bpE?JUl!g+loMAU?4jMu zPyP1q-HRl5_+|tswXuIL~{uE4fALemVCo~*vpz5l*SB* zp>4pl!1NMxo}1>XX@n* z!9hyc@Iik#iZPpnuw5t|AeacwXMz51M#}C_rJ;aQix+uw)WLic&JXBj5&PiOdimlr z9+vtAGtnvT3;8H46_0g-yuk-x+Vf}0njzcWX15i?VFKJ`TkwXbjeqD`gwG}J0~SH= zCOyVI*^Fp2t(=9;ezyyRNY(VFZyWQdCMgQbwnp>BwR_l=p9mLHTAkY9fF&n^9ngcYZn0IVS6$4RLCdWaK=6sT)*G`B;z8<3Kw*bM`jq$+PDervJge%B;dm z(e}CF)n`u!!?wltr7pLmm;R*)vuYW1U*faD5@18U93O0dA0M9p#r>Mi)u*{{@FI!Z z8!F&oeU{+=n6FsXuU;4fNWLQ++lE_y9KPRxL>@5Bzth+LA`>H=yG)lcIo8$AGWnVH z0cntr$?@*N_Vc5yogE}u??D~x*B*n#cKI$RVK);S&iK1Tlfj%-M7!s+CTz8`qnb>* zp>(b~6?rI+tDUhrl$=#3Lk?wktrTin*;p%>g|)(ISnX-cglV#v1`QyCh+X{6hYl8% zxEP`6==-xMuq+nHDQ4WwFkr1J{(WDv6@#ROpOl=qva-7N@X_NZPrv!c*7NP1#*3G) zcK@&M_g?QG9RByw@yVMX-v0R0zbZHWrd(DrYngH~#i-L? z_79*I9N@)EfXMaqW0sF{;wg!+RCq`{J^r4xTWLFbwe>?IKHA#fiH|HN4@yCtrj+0g zKk+tzYXHAisW|}Vzmr-2{2XESntqK`ExqlvvbKxa^h8T=o7xl6|Dsl1RIHSt%@1J8 zw-m3>Svry>s@~%-b-?j(2&=djwO?q^pMv+!@lVHvs|T73bX&2}2oIK!2#vRw4l#}f zu0x+=O6SqIH_AGw^C4vqfHzw%wt(J76%g&vl5L?zi^r~#xTh-?7Ls*Vc#-j;T2Tih zQcgE_?=i!qm(j)OnG?5iH2!!WUxc7#PDV+29@UY+`NzZRJ%oi?bXV`ayr(py zwf72o%G;<;u1vrsK^H%n>5*nu4hMd!1iSo$Ua=yU%?k8{??6XrFm2v*(l~OzRC-~x zrp&kbN@f`cwZ=sYsVx~)QJA1$l|K=z+}$<%$^$7JAkO=#(U*FmshAv|4`N`SFEGdV zc^{bk^GlKi2+~0uzv|K~czKgIW{5!Hmt|M{&dVd`hL_T1w>;l{n!Q&9w0qYph^`AC z!6SAJWNZc=AC(XQJe*P@z`n-0C|~6-cVE0B(*Sds+jb z*72Y{A*NL&6DWOAmiB2jGZ0wQ8jJD#H#KS{-jnt`3Y%%6_@beKX&cT~s0oewi>#?y z6Utytw>wtUD^!^`VTUWWFNC*J!oODPQDOQ;v*f_W72&fm;V084{N!^d{N(FTxX7fd zJnVRg-T>*gzq=iy1SHzqect%7vAwf<6jhdC_W1weI0uZ>%bFEm5W^vCG|@lC%jkkd zN*?!7j9>r{mAgC5x)g~ySz#UO`n=!&fFhb<4(G_D{JBmONJ14G;q+>RR;Pn(khWXz z*52#U4$xO>Ru~iC^qO8wVN*i)Lg+Vc>8@SRuP&XwHQl3$84*&560; zShapZ%CtWoeFB^V3{or2o5O4X_qp6L;WX3bH{2a7>wH1hWE~e5Ke+-Y+n;?x10v6G zt4w?Y7=@ESad76 zk~AoV!F{Tg24GpV)Ugq?I#G9X`Hv_W`U;~|XjsX36$VzB$Zb@o3#lzsytHh7^iSsv z#ssPM#+^>Bq8Fm1Ce2@z2mbX_kBUz!Jf}+C5NUcQ#VLr~&7X>@XpgC0Ot`Lq^7k5E zVL+j?je{G*CObFtlzj2a3lSj`k_C|~*dm(L_Swo9F$_siiU?8f7LQ6#6%R-w zL!g8B8Z?1%)E&TeC*A?1M zIZ_7Mtd?=~iVk4ZrCH_i>6}{JbE1A2|H9XJSXG-@S+Afzo{1u@3Zdd9%BDdw%w4#Y z;f2YDZrY`IJkFV1agn{a5V~cAV6#;X{`8cdAvi;}Df{a4W5~mElPB#In1)eRMt;v5 zW{?yUqlaiw$d@1m#o>w~4u58;`H)#SONSL%tl;>pjAUI(G+5jX5Em9wq`P?a*1YA@d z7S>@#k#bE(-1nS6Vt6?ouu;TCfu{F_J_u#gj5@?VxysyO%dXxbf zt(4LPQ#F$X!Cf3I!l~#eD zSHufV$@S%wy?cV@>LtCyt4G1t*f^PpQIdAknkA_tG_4k-mjgf%{c?;X%zFbsJB{aW zUREpHNe`(O{Qqp63=^P-;nD)KoM8x6h5fdNP4gw28+o1d#z`k?c2f8w2r-yFcPsALlAK z4Hv|aAe6zL44RBryAXMPFswVi&|tb6ebZ3PXkI9HwPE^13^`2k;)zeMVpols&zJ=(8?!Z?}&2U2M+ehE`s3Tt`}fyDeMiSwSXngu%zMQ3ha4^^~g96!Qlc7?d`P z(!w%qt5rG(>DbY~P8r24!yq3kJd9%Yim>A87gS2a6w&27d+**W%%NHia*FW3lPn>``QxmvxjSns2PeYVJmWl{8T(^dN zg%rd5Px0)LBN8#eWsWDt_NC&u15_+3^IEX2=hhgXY4xgvh=_ZC}O{z3EsM8X1+ksxR6L*D) z(wNY~liD;Ql!?MH*M4?xiY!xg?~tZ!>uCqscg;p-B290aAQf4vew}pVA#AN5eRF0? z1kcSvM890VN6Cja+3P9-$nLWjI)qYE$nocDyQ@GV(mI^US z6pm~7igTI|N+0AU*)rc8ByZ7UAbgp9lNqy}vOuXjA1K;x56=v4c^sb}-f?|L}P z?qYH)yBPG8qIr1lOePba6-Pge!Hxu&-Agf*bHfwZGZ!OoMc2RmRN;*htQa{iV^80O=4J8Nbs1#g!zS$xhE3)P~Pj%9CJ_khdS%gru&`<(@E zx5AR&SXlCvg(MdD6n&w<#Jw6mUwlGCa)c+>8sC%w1`7VMMJyB!xQR&VLptoiVk$ly zf%zgEj!;Hx93nY{h~=Zn;BT(?ETXEp{iz$R ztAocgqSl==Q~-OyYGq)rmu``2Qlyrh#t(9c7>Dork^mQsk`D6E_GKg5vKHo@Aa_8D zdfS6pqhciO8UIqNj-I1+BYhV6GgnHGTHLiOfC&+mB|@2O;$k@Fq+c@pGLrfWo6S*#qrKD+*dTV1J4?|biBFK$uDs=dyIGzC(TK3O z_u~%GND>4n%iUY&FCxM$9C_lZ9G&;g!oDLCv|;zR6+sqck6$M7{%qlzCrz7C=r;K> zgcGsD$AAQsmIN5d{3Rdj`%#@Hm_JOrFu$G@TAd7cwEXEjl zOd(tpr}o?XZ4=8#$$Vn;b5fxu>gpLqlhR6W#nKWlM zwlY%TY7MqhaZ2g?O1foRHX46$7?aS%JqMB9 z47RxA-6$c|#L;xsgn+V^J>JhtSZ7ZpbUj4|lQFaDF&u_1$ZwfxUQ2_q8lZZ@^j3p2 z+VDXMt1Q$hv6*jUR)QJmao49EdX^V|2 zQrMTO-H?l3F@T@~PS@Ki5Cd@0HoTRll$|m~;;{ny7;juNRTBwZ&3#IgL_dU5F?`ah zS!p-q;Bh!k5w3C>(g&>2A9lGNzG18|h4WggSKI_xeED{sw%*+1+w`ne0(ocxKCvyhJWVa zsmczoSprGEt234Pk_kyn7Tir*J`O-*r!Do6ou~38QCMo<0?{PJ^$h4n2b=l5_wR|` zz$dfq;FGc)d=lJ3e%jT^wRJg_m>KmZ`soer?UUbWZ^^-u_E#?ZtQV8VL9Fj4hwpHy zE86KY{zC8aoadOw+E*;E1Kl*oL!^&mZid1~@q6MMh@}je7iePLCu}&ribdq9++w>g zUc_$>%?`PQ&UjF*bov#e8Z*0D+|IK7~emUkJ2s)OV9hL{zoZ~ znHUa)!~)SACv9}cyo@-EI=j;?io@6<&_<2r3RoKyU^7G3+0Pg;lZ-{3wTxv+A z6s0`BnDCUeq31N;E+*3$q)nIwa0x0Ub}|?Y`)~}%ngD0#wo8e{Vgk$1{d zQNBV0e4LS;RRRbjwNwXq(%Es>*b4!TK8qMb8{>d#%F#y&!aZwD;EE00QYCvjS3JVAd=l^%*&R;09lmjV-qMNmSuem-No*3;r@)DNfGbc3@KT&d+Y->ks3&(nn7LP;*MU*5A=<_z>uTwNKAv+V)iws;i zMS&MkMygEVJ%U@Vbu%XUrtSjoBO1(oO2r7MO9nxesFX@At)kAtiX$^HM6m$o$s|##(_J%PG;7XwIQeCg8HS)=L)w=?2kPatApyk&Uk^M z&CYr_U?f8sp-dgBCq1+Ce3sf%I-3(bD|VAQtKIDFeI7fn*AIJ~cGLL;U(HIdej{u0 z*&+%5tXzL0I*a_YSln|ucGA0DR`Ko}aae-)8%A^%_eTAJk&uTPrRacK%nskhG~Zl$ zz?5nni6h{+<*5hp+FA#j;1)hj4oB@?-Pge{Pi_dmJo&@nmnStcec0W967L?gWF~b;(9O8*0XP?$K%H{}jB=|vHXT)<;cZ*_HmMClQ3U6R zq>-b%o+k2}yR#GfhbE*kD#mTgF#Yh|%KJi4qA&G&x1;OdoNOIPY#Wl2~cC^c%12hcuD00W_a6&gA!ue9bscSg7E*hC? zzBvp0{RSWdyv8xgj6<8_%b>N|Tbq*>d?UUh`Y9i*r6esIFIzuq+4tOx#@0KA`mRK3L3BBf(+Quw6v~U~kx?K5)gER`WYzNNl+a~% z6$0{8v56E0sF32`GtRGAeMyxaaqA6~bWeIOM?N9$&9Lz`Hc;bSuvE%9Ws~fuDRV|V9MQ}*2;#43VRZWL zJsaP4laKYtdkdfZ5}*z7lRi+RQ~Nx5wQ6uNRiQabLrjte$zOeRvK1eEU!_*DMZWEI z;G_H;{aXc8p%6k&LZGYJBgy2xiK8Wva`g_(fI?nyARG0ITe#UXJ_julgae#3empVr zn0RU@n9p`lCCZ2qXL^>>0^)C17G`Y+-4fE;LY3<-)Nn|IL$Cy=!OYq{Ovz1f9m9K_ z7*ju~4r|fR^K;e0_EohjLzV89nJyMsewEbSz2?p)UURvmF66w0zuTo}9R~*=yx#gz zB4K~E>+$yf`)%*Pm$|o{Py?X=B5UNYg|QNegRDcLsdg1W)^rTZ2lbYs<+LH zQtk2-hMuss9T5?ho)`@8lR6=5IWvlqxG?WxcrpEVa@#0 z{NMhP|1cB9!=;s_hs*hp5;!lzT{;{sHE*zw75Mk$(WAeuJXu|NvbGAJD^DM zAERyM1A>7_hRN^>-eZyKb`9PQu7=s!`6$|b{u+J_2TRe~%F5F^{{2P@ZjDDkb>{2% zeJAN@=oOko1Mpti6{t(_WrNNe-A29_Hu9)cXYvy{)6@@XgWT!Es|L0^ms1Ler9l z)>A9 z&srG?LY-$sb-0h(&EBZvJ~{)u;5-=gJ6@5&=p6ki+=s}tCSJjO)XMsWN3hoZGqkhv zo?Ye36wRpcvAYe+Y$k);dvZ4Hj|bkfezyxqFAqPB$0IyT-n(AA_#`_E zJnN*P21s7xJ}N7Unhx(t-|MK8cbDOR@8QR$_G~P?0l@!Ic$lY9qw6hBH)#(0{-dmi zhTz`QelHvOlQNDf?qe2fyALtIi~x+c1WcTHkNQBurpxj<@nvXL^DDqU-V^FNz8ofl z0bC&NTfFu%I;Zwi-7un|=+)K_jd*YO`S#YK2g4@p4?(iXHx%lkdT0x_efX2rxO`a_ zw;bwOYLW)5e-<;ItJ3;VlxF0?(vL9MUPL++xWQwb)UcHf9RFzz8qq?t9+BPz`h)5s zRH7%Xek_qsP5FsBm<`{hd)Nhp8uxoC+Azt=lCx2?fXXCO!P5A69YXDxapa_~>&8~i z@$wc^GP@Vb;}wtkgBWe40D;CZMkgG*lde_dO9k=L0^XhVXaT5^g+ZN}STgX?Ntx4L zRi&b#dv;S?-iXb7KpD9`&ns?HVs7g~z%@c$e1}Z4e1&&37%dbX0Oy*rB-DO_!p(&N zxnnMKc+0_q2P6j#l)6(aMe~9_7Y3-s!fuj_&45(P1Y=-{v!fBqHYKo zJwX=I+@S!+js24enP+uSu)DbvUy0kcvV|*g4_giEu&Liu^k_g+Y3`&mmUhuT+ip2G zP3x8q4)+gEj^7*}x@u^gJx9+guApvio#JLjobT^DSe4~ozWiN}9o^6_!E}wZuX3m+ zrlXgmFszrd#1JWUjO(RhF_I7GSfHN58%7e2Xgo}pi14-X^n@|afHNt^o->?K#+R9Z zd@^*-dPp?%v8u)$TXc_JfcS1$*Tr0~!^)4gaAjec;3SwpM4BA* z1Ap7CDz;`3eiweotF zjcn3R0cJ+U`u8M=YBBOX`;Zu_pR`~Fyn@t$K4}3Q7Kjn*6BGh{ni`Qy(*jhw-!|zQ z!JG3Gw&jCf8NMKRNA-Q7m~Hrl$C1us)#?nPQ&n_3ss-b>exIfTBpv{>HanP_NoDLw zfa%c@%=0A^mla`ORsc~zuD`Nq`wD=fW6@Hpv9zi@&n(cg-vfy8=O(&dS+=jzC%wcI zho3ONJ7&>5dSlMOrwV4R7uJs{CPl-5sa(J$D7#))_xa*8*o}5c6ArzADs8V+;ik8% z={sIs>V?{jK-CH{>XCJ}B3r6o>bP%MXMmnZ8s};XN>wCVFu`GpVP&+mTT(}Sg%2>c zLfXRs1sF*Orh=L#64DRQe3$$-iNi&vIXT5};82L%blc+|Y4ka8g5bS`LXWjuWPz^3 zO?Y>Pt|}2_6K(^DL5wQS0V7nD8Fi3&kTDOkYQlo*<%(cBP4?6!VjC+@4hqQvBG|hs zd_#j+0PlXM)lKpb1woFy$9LLzlv<)T@^?g+9q+z;{^l41pT6AP+oR9p#>*e*%iG=k z?N^^9{LOO|rK0v{c*W7S(vQt_fa4lw{c#?Vq*t}Qq^5!tU3LZtu!Ckb_h_8uwhtcv z#A9WohhM&pw8av4Q;U`(_sP2zKt@zraanp0t<;R6t``A5-%qsLHWCLlA<=H&USL~Q zSgH8=-of_wfS$NkB#k_yA`rm zdiHLq@KF7 zsc$HPAH}nPTpN;P@L@1eFa0=RM`|oa^h(K! zc~GL{SAwdy5r<+l0aSH!`USw!!*LHo3NVhqMwar-vJm5CMIs?!mpS;f(Q2H?&5sfp>dFMlimF{(j+Y7tMU0iBjiA3Uoo>p2Lp^o+2}rIwF8J>fOEDGDJrD(PZ0+xq5u~9 zZi`FeMQzGeEcjsBA~c6pcc>B!Y2ETDf7AQW>tFUF*^+gM^lR_Z=X0!cjZznvRLJezTFZ#pFg!3UWO1sNK@=U0`LfzkF zo&cn;(WYeBKON_z9!aEuk;Z@$aO{W3PBR`()XXvZAVcqaO7uNybeV`x>q&VLth!efPJ!$Lzm zZ^cSGQ&MYundE?V`-4H+s{B4<)fjHZ(Q0({6~`-L?2=IctRT+fJP+1J&j-l{>e`D( zf(iwP^RD_T=z26w4Wp7mb31%@O2!Npn!#XLG@P3Up@0S?4p;z6#d{lK{oN91OU?Gw zzbuKJyFBK~^=RoL>5Nm-Zo}_S8(Qdz0A*>7fRS<I*wv1L6} z7kEGXc+Y}BmTjmlp~bnY!Xc`)5klB3oR^+8v|IJa7ciAb_>6x%r4-855JvrAm)GpE z)cfBriwtFcX7A`kXMZI_4Rf_9PXW}EoTZ!{F%y4&mJfc&fH{y^(T&Cj8;L#*2*9-C z_FFlug3E~(zg4~8&ZFAKED0G5YGcE{7*nnm(VLBnrz)HyZ;xDTXJa=%W1 zuU~(ikF0+#GO@?{ZuPzByp$qEaMke%+S>wGgL3jQ%2sTAc<_s~Vz8gQxLau1}(ro!Ek^dJ^W~o^(=q zZe=Fn4;pNq5Bc-$~Ds<`s6oD7Lb4w1`)t5e-?cA72k&6D_Jx4b_p(v)S?DtYjx#^BiYgG+^C>v+-m}TkdOn@rVW7PmdB769cN62Ef zTNc8z24c(Q%Z8xKhV`svgHcm;2W3X3p1X;f{Bb0$mKI3glU*~o2q#weIzOz%u-I9XgZnLO#yQaWJJHot5`U(cS)(8xxpK6$vsBN0SC z1wdJ$h$Dd}*GmqWgF?gsyok$`@{HBvK`{E{_Pah`-ZU0>TeMr6*NAw%NOLKS;#Qxe zWGdEmpEwq}%vYv(dSPWzg8R5K6^rf(0acXoIZRZfRn%IO5eWu=jPF zwBsVGkWIlLae>j4vrIEm!KM_@kENq9FLhOWbC74AeRFKGg;)8RP#qqu(aTza)Zr~C zsiR`RZrQZM z%=Oe3SFh3HYM@1S7X%87jScx1ii?9q9DtMj^ZRf1Q1eS-7wbM!prZ?3wWv=k)%sQHqNe$Sl37JHP82ONgeWO_96DKQO27-eYgr3L8- zS0*u=GMvPuOMR)qrhUCWnV#4~^Mij{?IQ!KBgU+%W*cUzwdEe0G`Lcl&#u~qHlGBeE6YLs8ShU1|F!N^}D zbmgvYGJKV{G-2r_H<#jrct+(*ZSy>Da4B1T>_sv5guTX~U@VE)T+DG|-SIOFD!H z_Ksis3?o}svV*?ZL97#M#c5D3(dt@Q(nczJQzm;LZMtY0#>8^RuwKbf#esw`?*bke@sk^jz~B zWyJrLW`Z3CCZhb`+pF#cl^48%~d7On^U)EWZbNP zPwEe|(G_}9ae$+$dW9iisd%+k+X$giSetmS@k3(|Zvkm~8a_QP8@$sXEjO98sCGS! zO6WaSG0WWOnf4H09UOcg|Ij!(-aXjIm0nRREp}1UYv{fCf-55O8{WJ-*5Kq!1v`RU zuEA>SneRB~Dh<`jZ3+jN?U?8;tS=-%WiU(^i6fGM)rpdu(N$pFLx5Vs2A6b0LXE0> zT@wu2!BA5N$tfHc06musN_vrLi^i&{0JPy&LgE%>$%2+nQ{iP$R?tQ(TKMw;i6mmb zF0)+cnx)hXN?t*Bi6~{tRlQ5K$|JjNoOisM6KOOUx3UdxYvsz4M}bOeh0*A$K#DTM z(zbT>w3H_^4DlQd_`@Sq>n^>yBgA_C2m_K&6iD$8Vr%?-7$I3{c%Yf)f~3KyHOv4L zU1Q8PBUNZ)zF?6o#y$W@rtg-86D-@XK+nR0>aF6})e_CI(mi=Vv97{Eg*@nv8z--~ zj=#4JJ>?{7d^qnO9~qN*P!*7YuemC&5S;FNB3HKc{6KMK^C9L*x(q1<0xbPpK(;~R zK_~LCrG9~(`AmLY3$!_)4SFj~HJUbka9oymMv|ywxU-R>E(09-m~3lTOzYO^Sa42C z;51m52pRjsQVZ9ak!YK5j;K8zp|@4DlO{cq(zM`aIM15r6vuUxd|-)pLcs@Y^Pmar zHuuJ{yU~|J#0|+MQdst1+s37Erq?;#!`&7| zMVS<%MpeS;*MqTY6m9m|!zqkqLSL4P-s0+n;8`3?4lRw+t`1IN9JxNtzR=uM+;b&}2-^&)|CYXx5xhBTvqU(;p+0H2>s@)TBf920e+d3$iUTT&Ecu zND92(HChQVKxORD&lSx8VPlwb8NOHS=rkVKEiTrSgTOSHHdoi;Gl|$)HP39ztLs9- zG6snrB6g$j6Rtl_j={CBI2Mt^+(=kr)_svhF0ng!SchF|ED&(Tb3x3xws_kS{{(CV zMJXg_d-QO|xM!#7=rX1F7-X1PTV_J17GeAh3ZPLK7~Id}oYKY9q!fz>I|Y|))Yv}Q z-#==+cyrv?;TBF)tUzoZM(jqt-4(XN#z%9x5-RqYvb~#3`!#lIj#Xt?64TE|i?d^-Swu3b z#i=5hYu$h16mPgYBlIArSlcU@TTz~Ub0rwc?t`Np&3siA?y5OIyx7!>iipS1Wu5!L57gpV@;eb!?6V&pUGhcM2-Gjgs1i6wOp4!F0ig%NyWpKAJty}QjTjK4;-IC z2l;c-3-(@|7lhpfiu@wY+2IbG==YYQ<38uiAdH2KB7lw4loQ$LOC2eexC^3%r z1d!kBk2vToaQx#@Ah_6Urwg4eIP#h2EGmw@I7yn%u@@zl`Tyk?y zXvLHd(D$>J3rG;Xl&_4Z%mOY6%{pM zXRY{2w3%p-jB+oPyWS?K6`@5bI->3v#&?=3O#vwg*cz;kw1?;yxS6PxrAntjn2+@e zPKgxF2pP8P_@1uNR!RXsP$R(wBm<22u5o`6XGtP~eBDxU2o(#&?`76&0dBn{iI&xA zQ^Lkk*dRyc!KLg$0qw~4EGPqs#;^|qjP?CLDXULR&I`fKuF(m#q>iotsidf$IV9QP z5#E{c;Z6e}3fdq;7jDXvQv;!j3Hxv*3cf2z_cWuRhRGn0$AjvOR8)d1Ds>~BS0a-v z($l-X2@2qP0ox`FiPSjA-N2rH;H@T8RpAoMUYf{J*R-s+b{~%vA{p;U)k&Ip{L?=C zLF=A3hou>M{W;JC-t_WwG#K9AgNu?<7B@~rDWx9)XLq!O$(#s8&qt#{zP`MC24`q| ziW$2o1zqQ3YdOpFahfl${^RL4b~qecuIdFtuR8ty>h@Vfk4Lt$n^w+T0b`z!Q=!Ck zGXw+UzA%B}PkzZheEA(JS2Xi8bgyrYo2VlKfgOWWOo2Wv5Gi za#LqcQ)i`3o!Lzhlu+0@>;m6aX&7}T25Pl(sAtl6X9z4X$<1<>bTHz;yN{X`Q9p2o z9T*XgN)pz=-mtX6-5?`RFyl){+(C6ku(?Id7kn0e{WUWAI}S1O+T=ONrGk`5RqjO$ zq__2auTkg6aWXusuGZ{dD>W@scOE*wg7oI3wSBO3~_A~%v{+dcy| zFeA2`i5{4Q_{_~Ld31cql*y@6OsNx2WfYKY%|IA<83x1`hw9f+p+-UHk)XAsrv=WE zZSEM(I$$?F<#OHaMg3umJ#op?heH{Quz~1PB~c?1(~85(2ZiZV^y;8NStliW)xX5z zNF{fzTOtS2<%%L4G0{pbSfMR(9WY2G;#FWn#+_tHb~smVJ-u8tBEv6vBydgLrwP84C5(VoTD8oU~GR;C_0A-l^Jk>LDsa$%r+a})szDOh!Oq1D0$u~+&>0-{6 zdG>if$8x&ECE_Qjm2R5!M2OJM&V~sKa*0O6+p12PFcTu!fbBr`fZpW;xGP`_2V=fm znZl>Irc^cQjnbBV0|a9F088%U=43qT!ys+yL{13<>5B>3rX2PQmot_p9C4cKScSBd zuI#Xi`0foYquDGS%@9}B6K7Vm>ae2s8)lgN|LpzwdK<^lC=Tae@+wB~YYCu0aM9+M zl=Oz8D48b|sUJz%@sa(_GXw_YL;wcC0HkO~=YGy@oGbfk>vejtP?8fT^pn^`Pp{S0 z)m7ECj5@w6anXw27hN%RC+a)beZE;B^D zZe%5QkQ9&jj3h#3(jTJfdIHRKp9ISiiz}-G2#tzyQ`yc9#I|c$zv}REN}0zn{o8f4 zM!7c&nZR0m2zT?CSo=0n2$pe6Gli{1Z^GgtM|NvV9q6U+wz!8a?m{1QI$H@wh*ge= zNqaoOjKS1Lpnd4vl>~_rET%{V1{o@oJxmb@xbjIra#pOkeLb)4^uV1Mit}As? zSv_n`$=(7WtoYtgXGLK{wYPMj^Ybg=CkJCwF=dchoDBNIXggKwcw|F)0&hl>als18 zRx98YG#T1Lk0;jKjtoukZ#G=W++(vt2M`5_fBZlkQ+EiKIx_C1$G45JA@~%2>cp_Chevpn;QVg&kyttX>w*>sB}%O$kI+^pK5tuDQ;rg12=- z^oTa0h;e@>V~V`96zO+mmAz)#kc4BAvSW+FR_yb4G>236DCIm@2&vxyR0t;k(kBX0 z4lpEs*6^%Rtujnb)hsHHOax~pa#U0#%TWURaoQi|n1P;*YM9Lej)R3gK&3%`#l&^o z9}-!O<)aG~Uso)Sw&*%rsyHvX4H;B8_exVTTYoXDifK+Rfnr<`D- zd=`vS&lA4p5Zi7bwYf&C>PVO#<_$_P4gY_xX>m|&aAq<}-ZBgYQ6a#b`IVm%Kasum zxL^bA;C_(0vVGODFWL5mqagAs&VN%1d!tk1+5XpF7>K|a^XbDDl}+P={WtrkCyOye zY&}D6RAGVPB4rh;kt|3zPWnX_FHJl534y90(=IM_{L;nwpwJX!e1X|s&C}KlS3c^_ z8O_+&{AUOk&SYzv#61HD)E0W849~IL;WWw^IB;m2)PjHULrws|)9ZgeoITPH*K$#t zS8O|VUdqsc@eGYziGv~*4`0~OFiO(&;IjnYw3-d&=l4n0Sv$|Ps!uE|raj9niPgpQ z_ZF1#$;M-XcBB{v8i-DDU9^GuE6f?v<2_>o4LnR{4oEO471RF9_}%_XMK|>Xp2@R~ zG&(OedTkm7-+p+crZOa%sokFS-bSB=weF1Agb`J`qT{<#IwkMDh+cBcLy_NUcQPWK zA?qk8aUk{5u^yv15Ekq?X|L0P;hL51&TNB50bA;u^Mwxp^i3xD7!USe?C!jkQ@}~* zfnRH*_hUgqFnmR6={2Ul!oT-kz1rJ7-Tz^a`%%dmr@ehmV-_l{GdlUzU{3oCrqVaE z&p;F>F`V355wV*VdhorW48y4kx|4|pkP|YX_nZn?2D~qd7e&d_mu&XgXv&Y$%PJJ* z z=cqCfQ$8-}Cul8!vQtJNgT4oQa$y*{M)OriTmZh*G$c=7XDeO#&-h$HS%@ zv^X^f`Jv@zJ9WYo_EA}feEaK!Hjc+41n2(ER*G7|U&8E`rSP`$R-5-OQ~R~yCMRlo zM6J0UR7D3_#2?UfTAP-#m6iMPuI=t;W^ZN4UaERc`Ny+xTVlCPYI;2$)u@~ef32L( z^Di(PJ!*!l6X>C37|QVTU*&#gXun4^J(CVao+`LgWeug3|MT?5VjsO5m!jMRn%@XK z+SEty20cchvu?@Mz4C4CS@eG@M^L^!&?{v%EDWPo;jIT1RsBS2en;rvYTmEwT{qf$; z%NF+cVlr0g8ZVT~vi77CW`fdJB3U7YEWi2X)+o3v?2F$^vjG`JkrNbjsl3&JaRN4& z;lRsMOF^$T6mOX7=Gc>NB+N38&ixB`4YPBvKp3#C1kMl{@ox5!Gy>QeaN0n}Tu@r3 z&fWwm3SvLMOglPKi-It(l3BXKc#;tuwb2S7B@(?WSSJ>Ug-UdtPoh;cd*ZN**%&XI zRpQU^eOVdHob#q)kLUy-328c$e*YSIA>dxpPKKaWu8KGo8r$Qp#DfBsfg`EzkXgmP z{Lld{5-ZWgMSo%hY)}*EG38`pKm>aEwb^QPro){U_bm>yi)^Ci*LqN-T>#Xq*b5*T zo!bE*=n&2k*cgpVM&}FNCi8_m(AvjAQEE|bZML>T%5?i&|1Hl3>_tiv9dxw@GxZFc zq!rTFY$O^iwTl@;yFclTGqwZABc=@Xr6o_a!N8~d>xjcG{<>DBlaP$?9sw&k={r=+ z&CtWdR^G-;vik)nB9q%^c3cH?)UjyswyN}xXM${RcaHZCPu*zA9V-e3H*TNRm8*&6 zSwmfw0wQ7iP_7`KUX#ExOi;9phUo}Bl|k$S^hEhcqCF+W2R7xAV^e6EUMJDS$GK%P zb4lB(f>Bl)mChN+Bcp2~A_k-EIgBQQLJ>lt$i@x473~bjDveE)3N_=D&M7;75UDe< zu{-$$by8%uheVQS%=JCsh0z@>!GNL@4D<%Aiw~`+j`li^xeg5Y+vF3!)--}+^N@;4 zjM8q8({uAXBld9Ci*P!JjRCCWO`==~;102D_Zh2jFk)k&bHp#KmtNnY$& zi8k%L$oS!9bzE=Xs#A@wh@Ta!dqJ^r(MUDC79(2fwfTU+2rO0-jrC$3=m*%2vP!cX1e!c7OxarRcIWGzpBj>} zb59H$??o1Otq>SU-vun)Ox%9}C}@WbQ%gV61<6{`wC}L;VZg9ar*^=h#0(2VMWX)6 zT#R+@Vi0lOgYVc;RffqmS|7+{gTYloDrk*mVo)0noHwBB%$QUV&p@{OibYJ=1PNf= zQ~^*tXDT{0{e^_Q(Sj+V`&+SbT`C`^I*ir8pVffs0JTqlyt*!74k0?FHXM7 zZ2|v{xtDq{VsXfOkV9;RY*vSYMKZ67AQdH33W2C3en<@8t)6#KoC9IY=Bpg#e2HQ8 zxLKE#os(FSho1_r1DoP}pu^+%2BI*p8A#j3f*p?dcm`jq$a>mDZRsT_d@A$bd@|w= z6#X;p#_kJ~s=$P}h%g4_sJO_6I!2F9Q!qmNgWh!@j7k}jsD`l@%2Bw~)2DB!4kB!! z4WApSm_0BTo_1z#n==?Is&u+^;Sj`yhkVDA@ffuNqj)IpWp;rgTQs;O?ixvi6aFgk z`PI?!U$lqk4{!9J7-RiJp9N=xzrY^HYV$z`dEkl02x1#thcgG5x>zfAG6@jdH6C5V1)6d`T|?FaPm86wcm?SC5>%0Cm4t9szHEIt7rkroz(RBD!keiWw8Oarw5+egEY;NvSLaYnNAyE29T+jl zMJc(}5Q0r^59H;m{7#|EWt~*WzMR8%bI8k93tZOQ!Y?65RR0aeyTz=4m3Fd94v@^k zWjWZ$d>oxzDp`lXg=~o8=ql)r&A*l6417pk1Y0c3fIUz+h(T57bGf6t-IsVz4j|Rb z`q{V$ah}RdmGljb>An?wuX11W$6qfU-AevA#akmh$)Rt7Gh^8lCA)gP)B2+4mn-0v z?r~1J&b33kEGfZaF}(QW4kazTAUw5!R0PwO|z@gnfeNTk9}%wn)3!WzeM z;cJ$Bqi_3zt1AgMspj3L3B@`FN5_+oXS0w28C}vRmVM)c3-cBgxksrY$;DS+pLb8F zrBRGZEB*)EraosfmnR!YT~_1|azR52jd|#5Sbv7BXyNCJnTQt!x_cDYAR+dh>donB zQw<+KybE)~9Lt5YyyX3(L-fmu`Z2wS){rSXrFr(?{6_Y&V#QUax!i18It7uNegdUWd_B5kT*6pVF2v2>096mAK$|a^< zi5fS&!K{VdL>P4aQR}d*Q2_B^@+=WNR%T5J22|7!A$Kvqj42;JnpqLW<_^W4$_7W9jH=D53rV9o60&OUnCseE zrF1eV3~%f}M#c9IzK&K!_q4oXOYuFIDstR^D*1V!9Zwt!R2L1q+;pRJ8%v~>i1<$v ze3-6B-*^X`lc|pOfo_r&(h3pqcrfXQ<2ui8{%&y6$_>8Ik+T!8O;OOf<{FMu5xHv@ zwjmt?M8`E=3PeSCW+0*&ett5F>Ge5g>g##nSFC^=O5_Y~=n)Ch`VVqf_yyrHoseBF zs+P%^JS>|zF)7WnIYw7w+Kl!KXcnvuNOTYavQonvK}RFt9ihi%bZ%2`?R9H`mC;yF z=2vN#W3ir;xNiq4%zak}V?B{vA4_Pv46BRbI*7>?rLGM+?O;CgB#&|jniSH{y2*&6 zZLel6X^&VPE6Jlg%rl7b!5Up2#fXF~`xaQ|iF!>|crTqN1;=z7sk}x30ho*k7t_>W zlXm5 z$z_@L%XrLR>LIaG8cp@(8UtT{naWK;TweIW*w88Wd0AkGPl@=eWr|$;n+&kc~{1&dYOKZibP2Z}tsm-XgGk$JDkBq8>sKX18 z8U|ULwBQ5VVPc-FXDFXV*hL0-Taw^Z7*rvfmiSnD*{Ow6WqdY6T1rfXV2#lQx~@1- zPI?iF-;0fzT|}t^;Ud(F#LFDf zOE0Hp!O<3hJ*CB64M6=j^lf=ZSTi=0wf9A5Hky_$X@;0B@#Fj*AfV7s>D$TXXnmrS+O9VzZX4S4^?# zl&OHmvO#*~VzqOHlE=Lh2|${4vf@LG*A{$sVi=ovXOkg08q?t!BtzhU(V7V;uZWrM zJcbjXAr0TXzMpqUTpo4OVNq`@^C_KX*_zB`Ak&%Nc}S#@L=GlNEm|fHIM!s`o!HsE zSPm!ts}Fk+qmg2I8DEXiT5x11u#PlR)T*l2N_lPlng+8}-ug;u`OBb4=|IfeOCT;x zV8wpUF{V~bp;eSKrTh}|TLKADSOJF_l`n`8Ihivz+;$~e*ipS_AO^DJ$$6@05yA_v zNv)zyEoccMKoPG+qg{0U=IDjY?Y6{Mep>$1LjRzw`k=MmdazcE+8kaTpFnzPJQ-)b zqIL17&;Mr~{(1cH;h)wYZ>&Gw+<^bCKY6siPUY~=lLzY$|FrSo!IMXiA3S*Q=)s@X zHy%8Gxc;Z;Pk*F;WHI``e~^FB`#L*=eNTqjat*)2nhYpE3dX!h(SuxKIlMl67rjmg zl=1TIY;{9as`IQOq`Iwvxn=oPR!9k#ftn7)~%PEd3K ztU0^$WMl224I~FBO%uC7)zgprr{5pFJB@Y@e~NzGIX>PwJpE}~#}GlMGwKS}NT{QO z$&8Z0_!^doJ-pdF-u)h$?7Y}N*gyRVU(a9dpC0a=oJ6mVj-wsmK8`^Kd3UgL9KC&a z{PyT%uN7euHsu>W1w>tf@(43@0ObXWAPfHqHb&H6^awjr!I2WUPKMWW06#$|QjTpw z859j5x6wr&n2lz1g^>?bu7aw)Xh!>kc8g&7Xai~`gAYA`{mB^WLm#iQF7*GZmt!2z z7a;9mi#I#b`sT*Q`s&7m^^NG=$qonASpFvK0v2^aJRk=av}rroi{G8@ADqPBFMk7{ zFxp1=D>NRody`HYJuSu^yt-N!&#h7n)Y)xa)Vval*w&Wy5P(L+hStdC^Vj_YhecT;YA- zMAO0c!uwBKChq_XL1$6qp++df&NWpYg66h5_saCVxFK!&ob%!q_#K1zO_{e~^E_G7CVTo(L;ccwe;^|JvClbBi zP=}A5;2$3TqPkuXh-qV-q0u~dMhm8bsUuhS15^1pPhYmshOsEa5oIJAUtHl>(jWf_ zpruS0CZQYHN?YJcyg^tOG`lj5fRUi5&O;&Qxj-LxSE|B|c_|cu*@qdRce)WK$~#|* zUY5GXKQE`vieSD-kFrbCI-NkttPOkm*LI{ZF_5-1wie{^!f- zedg2uY&_X~@Wj*qY;HV!a;yLOee^#Pt#S)PK21JG#(bieonbm5k@xGn4NIl7|Kbh& z8Vy^~=KA^*bPrkoPAcw9#uxdh*uuYGCW9>PMF;7x?PQQgPdoIx)sx@JnAAP3?&!I# zPLY8Z)&?z8xB*lM&CmuNVBDsWrXPz@&{$A>+4Tx1 z12`NVPu1pX)l50sX9bEujv3`{5r)dqX;qvrB6S#@9T~!*PN#@AD1o4IV_KJ3pOhey zET69_j?V-OBMIWTBRC})zXT%NhFP8%2jL@10~lJm8}+k-+_rR_!Cg(| ztdl`GP+sqy9_%0PVWBR2g@uRK-nUw7^7opIL%6~DPvk#=NXg1)rQORZSS*%xJM?a- zp5oeraj)L(U}kMNJg;8DA1_r<$%YDCd&2xW#eE))u9azNCix54q<5HNOj)QyKiOQa zp`y>Cy=Xp6{ys^S_CSI(T*(`)#8_11iEgzXy#(Xgmb*D?r7gz{henOL1|Eg&sEc8| z>SvR#PG}E*H=6Wxzxo_QdWa?-Zw3&|GNgDwPvzaRP(i0dL&$S0I{a-fFUhFz7f19W zpl~>^PmCE16O76Y7k3kmT3Tzs2_jcA&OnUUnwUbu<;V7zVwa0~BRIjMJuG88)yjc_qd=LZ{Gi0E(u-mz4T2aK!{25Gmp!>#aJGLk0^W z2RiEJlt_;~aEU4UK+&X~Zk=#)e6rXw&>K2rTyIxjwzEtD19f_EqWOiB?|0&t`>*#- zPUC~U!`G+Z17q(<>levJG3isx3sKFWrpi)Oa$&y{E3J$o!hi&pXVr*&lo1an_$Sax zcd=Ml0It@NjSw74Mv}4KiknGYh%;$K7Ox}Qp%gk5s&CtqB>ngtV>+r>Ds*Q>hV~mr zs5{S0kn(wk=Ui?D8emNs9JTJw*m&<4syU&}!d{x>b%R&;WH8rv8-DxgZD0QSA%XH&1JrwMD#!C;Vv)zF0cJAEgrk<@|kiH&%(kVR1SibXt@X; zw8bMICiR2*#b59C4^JO#l5t+i^2Y7;lRC7dv5Ly;*Fl0Y8AbHx9E4>Ip@wwGKF++u z^h!}+n!Gv}V0Bnr#SrHU4RLM{ff@PE?I9e6A@X}b4U2J6;yH<22yJ+E_`}9d{P3558HC|pmAl<%uXZ1TSpUmyO5xfjLq0ZYE zd5&*&=z==4KS`a4ejXO3_Oz!(i08(X&!|2quVn0LS(9!WbNT>B%{pqk!=P1}ThcA) zK~cMixG#kgy^uvZI@0lP=gr9{ zx<)wq2f2?DW1Myz=0-mhdC5NI!oryf*(se$Hw7iH2hHcXK0Z~x|3%hDk?AR+DshIE zvV)eWnLJi|!TrnZS}VkbiLWj85&JSVH&gE`stN;J#k!@P{7>QgkF8baPb z7zm02lC%){2f1#RkX2b{(nfzy9A2qP`)MCAvZ_BgTI(%q_St|YPp^M8d-?-*4j0Pm zTAgN$Mo=-ID1!g>n7I0?!G2y}RZ@!RfbC&fe(nxvSUm^}PZ(0j$=Ia{%&DXZ3;m-z z=}!tyj_Qv|jyCwu&gguC!df8%D*BP@X_YX~!XA+k?2BFjkq=sZMRn57)8+k{8ryUefiikrW; zcCU&05A?%byT^-*<76!A_c*TCixf{_+G{i-=SoIs;=3(O(K%-n44#emwioKF&-q`y zyZy%9p(1C{kq*mU88xQXu`^VoKSQsmFpoMmIL)p*%O75gS%x!d>OlrMPFHmp(nKjS zns(<_-;4v)H=J=w!OBI*${GuZUqj|fXkeo_TfVL{^cV3If|~1;7x`gwo?^E~Hd7Ub z=f$rmSK)ur&hWaxSNeKIwK#Ylryy{mme7*;@ej;kURo((X=WPBPPA8BZ%JyB$v{E)0Scx|K(mx2%AvX?GO;ULfWh$|MB3-!#_ojZtXw*iTmF^?-n3t zw7;_b&&HF@hZ~Q5|F0(x9^Tsj{7c#Y`0iYf!|q(R_0LHUl}pEyXXO*#``=vdFoVn390dmu`k^-|&BhdC#Hgg!6~FaaM# zJpDW&BbnimZ;tv2rQs%>&oYN2#$?=hQZJGYM`|T)6>4jc;qIiUy5Usm_{vE(BcbY8pY%JZNV~ssF2y$xC6(^FGHDNE-SF0!B;yOdS+U@ zRiUzwVVF`rmi;pW9-HTGSua1IX-+1N`)l%F_oL#CGfz3CEdclDaI?}=>ylhC7%)}tcvhwF)Gztk$w0E9G1RKJ5( zCq#ruH^tX`ZqRVSR1w;212Y_$A@-lF8A7p`&6Tf_>pl@(`;V1Ya{ zvT@+uT2Y%tTePhT-mAK>P3lkHttD(pm7p6(Nk@gvsIG^(A8j@eIBa|-Q=)iy{wPqD zf@mVt%^SS>>f=D=wu?%*$$8iH+Z-!15$w1J%o@y)UZLaczhU3Ig)w}H8sy_%?ND> zqloI)_$utwNS%(r;aaNLJqk9!@ zia>S0k8U7Z>7cHZ$V*yf?;#yxOfw>1=jbsJkAB(*I$2i@nr6L7BKJ@Cj&}|Y_73Y( zO!(-vfxg0Zn~HM4fcC83^8_9t4&VEE{hqDx)l1_I+M&}*xfm3!VNEA&x<_#S%zOqt z*#Jj|OQpJ;YIdCU35%~%j^3|dZ^=ZCZF(d|4O#zmqGEEUI38qUTG0-MBQ7$>kBQCu1fRa5@tknVqw7($?C2liO*IZr}CosLU z?0k|>I0pp=_RsskuwgCpib`OjM=_EU+LIBfV};>pX#Nvuwz&XE=n_S{?4NUVh$7nW zG-fXp&G{fihkp&6Uwi>;@754WG89zDeH>ovT)Zxolc9v>+`a2l!GZnViCA@vTPaY* zP1F#zkxR#!(nne~-yd6u!`Om&BPgU1r&f-FW?g8ZOHki}4aH07g%6O<%30R*;gKP= zL_LMn*biKK@)WdU78K|1$<&)hNcD>v+@Edln#QKIx9(Lb!J_UJO6=i4{nl%e7_44o zARUj|7aShU6=>+CxJ}1{Xpr`BAW|_%9Yb-`5g9D$pUN`UeCi`G3I+L6Gv$o2^iqCjR$UByN`yfc7Fxlw3ciOa z=5!ju08Y;utZBisVKXYhQMI9_z1d4koVN1R;FaF9Z*4kKa|ScVr`+6yxNN)ze9g`e z!rT7ISU$ekIot2NZb)iy%`EDMo6o z^T%k-8V~LMH^lH4y0R*B$Dzt{8gLqD=4y@c-0Fkzk}CO(JI&u}wqlP#JLUyC6>3Xf zJ^}+aB=mqFZ}6Y&wAU$KM)C~N%k*BoG}b9k`tc03M|7r zjg4i|#@d?g>|N{X5~-5NF?Hzy8Y}OsyZG;BbeF-^Ad~Uc4aNd{|L&5lj?AeUaVzPL zXrmoWNX-)?Oxo7jB(X~f2sK0KS3&$V`2Zc{m}HC;@OUD%Lzueg*$2b%W;`Sh#s{1D zQhdgF&*-`R!Dc+R>%H9nAwE8Ocla`X_qGm;=rjN%^#PubdZ&S_Uc)~c=72-L@##@~ zaCG?kq&@(m?RGJ0^4JX*@9~Kp=3(6J;78M%5&Q&Ul<Od%MY=oa(QOY6Ot{uL7xbW`f`=1x zgl)M+`(mUT+*`e8BAZh9D7^VqQ|_Bv0`0Z?S1ePVXY%wJPFMvWCPE@$u>w6Sa%XrH z9O(Ho+0F&p3c+;7#=7cg(}(-_n~~|r3dX8%LC6|e&Iv{nqSDh0g;H`g|AOhQ(k){l zD`h|CdUYTB0_dwz{m0Rfb@qaeby&s7I!O)o@u#lgL-a=i@2p6Tv?l=neEMIs#>WtX$-0)bu2-w%b&; zUdP2EDxoF6h5({TO6+Q+FhQH;W)vaqu5K^Gg%iYn&gdqLwbTw!11o~Eu;zcuvq2rm zKr?b<{a8avfNd*vfZz#=W&PwM;+nFO)I*yD5pZNz+M61spaIrL+QxMa-bp#Bl-nD8 z`iW3T8z2?UdpZdD1_{L*_wQ5n&0zIaQ+<=FZ*p}8(*`9flP@@)G_<91D1RQQ#yIH> z@9WdZ>VVd%zsd;S_hpCJ%9<6OYdZu^r67UYo|_&giBcxFG-pfdh~xc}ql0+&?Yonx zM$eBD@?niNAZyTKEh{*;P0hK-joJV>R=77POA7hBn@zTi|C4@fTr)d9IVsT-)M*v) zFKE8fKPvARG}O0bPp;@rVlo2aZ)+bZ!g91!-y zA?Rgro;yg`RUzH3YCRVA@v`o%Y1F%;YgHsOW52WL=h_-&0WumcozzWT8Y7i98=(ec z8h~!&TZ%OsRvs@Akd>HbY{GetH3U*RZsC7wCL6H@J|ntx?F0aKR25!OIJ;KTVR1;W zMt30@W(J&#$0U<|o$~(oCw#L{e-Ik zZZdS@j8>zKMtOcpXu`N4ViRtiFq6!X^Lo(nX;EJh)TxNa$Zl%YoE@YvX* zj*zN2-x2aKqgHW@RM(yC95_%l1nTe{jb;fxOo3DuzFR!{=i||wUO}xBkN*tNBWn@HAxkDCl z*z(vc;a*8$p!u7dFkMD)BqLFZs;v30W~8MtF=tQ%cbA)(=+9%Bikb`k-gLtf#d_%vc(@k9Maiq4ZanW zSW6?nyO3eRpnMrA1EFH@oEOWH%#l5U!|ouuC;U>NeGz?2*N_5Kr5(?Pd$PhKN>pQc zq_CpH(DPFH9C+v*BnR`uW5&5Rlbd?dr=D|38cEjGwmc?%8?xmRG5n<>F{bF3=%A4JE#CT!X=BaAzkAy4rODahA+-8)q#bahtC;I z&=_1bBbhHJ{?l8BM#?;vI*Jv8t=%*E9VxPVi(5vC#9Z!lovm#2B^|(xdyQ$UrtIGVx#hE$xg*jtQf`)jEn%7RdzuC5 znc4!!&tXKxY{-cwtJFQQvl~iD@>vK56DREi^L-eyMkx~v@JoE*xy$Hdu$bBupwj?9 z+qGd$YMfedqEpsXX5!q&)f`9Q%+xjj?>A=47!r)2e6g19RP;%7U^sD7tg^ynq zBtn&)owp4i$5(mDO8_sy!toNYn&ZO{9%KoBLMFuIB$XD<5RSsqu2u6Rtpl5Opd7I$h=x*G*ZsL$gax$&5XmW%uF^-qQnR^vy zMckPT18msJg=1Y^<=u2Kk8{UG$h%_-)~NcvStX6NpzDX)AlHW1a)QxX$SIpb9CL7A zDxpi=&V*}~%goKe>a)3FP#S~m8-NlKE%zZ>81IBp`u7R2fy`E&r9glP80>7z(Tu5r zfEV_FECPPTxPjyga?R@IjNbTLa$~~9QU*9C(YEH`Lfx~iwx07>+LMt<7GK&Olz}~4 zUDwE3c~KT=Kw6+Jf&o-7rt&s=O5kHUjgLRfzTGL|jvxxwZMbRT4|CTF*!Ikzwl!&1 z!D5H6igaAsQexMVNc=>)IaxeL#*{oKhcfc$xKiFH=Pag*<4HH?SV*vu-2&AHDO7oY zd#*i+^?0jn6NJ_ITbBe+Ca2gnhlFKU=n2KZM1N*rB46-}hCIcvf3phnl-kfi`bZa9 zT5@Q1r&0FlLZ_~a>$4HYeB`WE3QTi&r;r&bC-Niz%IhHuwrlJq1DiGi8Hb^Ru<_@H z=2M-Na$2RGRe!GdMuS+#{IgA|RM29fE`t6*@zG=eE=sibGj3*J$$Z{w49Z}*PlH#@KQcQr2zGeFLuL4Ib0UY8pVYDGtQ`mZu_IN%s6o{^>mRF&9R z);TONROkh!oTipOxIv0&!vB+Ydt5V5j4&Gp3{GokPzrvQk!pDAiOg``$E zoXJ_1LwpyJA5bo*XC*e0BR;%C{^1skBiq?AQOf%gArV~!Ycj|+!yep@yH|Ev^H1X3 zZeO$toG$*?@s)BNjb~50L;#)WjPib985=ufMrcd)^Z4gMHGN^10n2m;yVZumlkU7$ z!eS$=H{1iM=LmQMU{<=cDQqc0n+M}pQ?k*WbQ{&sFEc4gr!!T9x?*&w;uNU@R2qGv zl?2psHY;ftoy)2`60B<5$5KMb@Oy^Xs$w%T`iB3yE?v)<$5)@Mi~E^HJ?xg=j0w7> z(sBcI;!q6)`KgAANc4|iLko}`UG zOw3SzUAwn+kA2-F7Z&{W^S}b8cebqXNG&hMy(NFOEk(>!tpJGSZ7YZd&s;xvxqdhR zdDterJp02E_*1fs((g^&4XjOLcgnU*zW#tW2V1WS+@JvrfaHxr64%SS0-u|a8bfvl z%G`~qynd;*cG0oodeGN)RXmSMRo$PFthdie6vzsTi1M!e*MG^LIT32y2n8x`)}P&& zSyM@;^bm6o%9Bb@rCD;>)_L2VJJiro(^k{Z?QI5<@%#zsK65@T`>T z!zcAybCG(f5$YQKU95A4eh7iXG<03Ag|iRO#h#2m8@YLOxlJvHhVvhmspNbYn&;PO ziykUsxWuxk))7|5u$Y@sQ5HrsLot+sAK6hAtcXi^Jm`TG6^|yWie8MX7h%Q7ET`d; zpRnr;Tq}|2TD5O5yP1fmTZKQc?G7ww)K!t#yY5h1d*AKw0fI~Zo$55&EVXhOkfk*p z%v;=oG2*p3_L780lp!UUuyie4Z()M$2&;ezHnyk^{cFh~5~du}0g}c9!^cntutEot z+pJ+IMC*j2F@kI2TxU)|=zLk|7OWE_(f#saEyZJ~xMb`r#^D<2Ybc~ia1tW!E6Gho zQK_3-OV@ts^O^vR_g|hIOjpqwU5}{$b{iwp4>vC8dUH^Mi zd5h{9p`#gPL9IO&qrM#`1%IL+t9d$vCH&2309M*OaWmYvovp~ai?*U~(bP3-!kw6n z8)5PDf2Mted$^7?xxtIn1Cd>emdv&y9!NT}#KQjxluhf?lB~Dn2_6CVHwIXnAZATh zs&3O4dZa+8wHa)GlW=#=00<$P>))DGI~W|JgksG2#GUkPLhMf^FC`a;;-ieJ!n#5b z21d0c$S0F@7)6GFe4$C3&kfCieXx*;Mh{@n2L^?7<;P_*KtTpR8;AQI%+$8-LdT#z>H3lI}j&jiBs z@DpiJpHt;>UCz`{(cX7y#{M{(j%|g^3T>^_uk1_diKh&9F+(q9$wBJ!ATXU{1m~X^)&7%mz9+Qu*><75OJ73E(;zee^< z(%ChM3os_;od382VPi?OTsLX-d{5jN3&%uB05|+w&vj7X)PT;xHv)8b^*N@~i|GU9 zlf1*AZUB8mwIx%75k)!X@ey`5(rW4=_R<57w&>(ss(+5ef_%Fp!j zEwttTH}C=h$The}3Y2C2w*IzXjF3^bOcJ@{2~BUp^D_TgaC(!f=}o-pO|0onW=&7h z>8-owuPRsqkXB>A3S#Y>sgv~js#T3lf}u@lX^U;rsyE#wsC0N^br&K#Aw6 zlwYYN>f z%5*YiJ}BzCaSAEM0flKsqa}JUtKW5M!1c&N|1yswwNR~^ z6=#hHa?rtFYcmX};Q6V#Xe1>`i8=Pd7g;ZKY>ut8Rr6Wdt3U_nO#_luY(D}JXJyAI zi+zV5e3f$FawIf?Mi@Kz%E}6jF(q7q#sl*zb0@5)3LEU-aV`AA*`d+a1l<~p@klzL zD0^t*WUq#dNmS%j;uTi_xoudP2ukkvrZA+M_0A`SzaTf zgNTE+?yDqb0F&-yJmEyueabU(m2i%Dk@BP3>QghN=QZjj9k*NT&?{PLsf?2-(mwQ% zwF{mO$?$zL)TTra+F)W?c{XE}!3T^&uX0@z2Zvj7;mHUd=PG9K3NP+!i51yYjC@TG zp(PA)9tFJ5O@n4Cu${sOH?kuNyf_S=TCWfKYP2c*ur2}M%j4DV*GhxVY_x(Q!oo8} z$lVtKeMSACY0jER6qpDZiO89;Lf;g_9_Cmsdz{>%%0ZVieY{naAB@w3zfG(jZme?o z>H5zlpPwpNU1b**IpH^RVNrLt|AuI&P*7ZuhZ15y3FhuJoMeymMd%vE5?5m`2?P7A z>{-H1l)*koVVJu_ZItC&QfZ6MT~jj6Fk+W%(pgyGb``;u4EM52HgOa^gK3ty$T_CR zOkQeyqt(3dpIUw?&CuLYW!FKa>Z){|t&0Cd&^OVaXszDJy4*~_cZ9XX2XbVJQ_?-h zFadO8bZk-Ja}z@>QcNEB4?n@!X~OB{3#xfC5oMKEA5;`iD2qiar~WpoIjD-W?c^n? zR>DF}MslI*5KnW@NZJ&QO8@{` zuB%|64dhEIbaprUB4{A0DiR~A=Rb$bGJMl)L7q%_X( z$AAC#f2*w3Wm#L~BuCcfsZAHP#Z+z{fxE(t$`=5Ebk0MnCb#PU} za#+N)WJ+1GIxLhO1H~1})I-TLM73NgtcH$_QVVxOrY7R#)72gj{dAnPkgVz}trWs> z%@5)D{+GsY!A_b65Qf-%GJzhIgkBnGln#4IJFVBgMgL&06Wd`!kW2H^&{K#6r5}e0 zXOa<=CO2_uTuE^q-hq0)A3Y+CYA>Y>emS05V2D=_4-bD{XGLmR2NSlcqQ`q9VhpeA zW#l6UL+Ucu*{5x0oOJ9cWwiSdKQTUn%}vhX(-s4UQ1)50vA*t-=+hk2-EmHpZZB(( zJs3H`geGHR87;hmZatR296wbZphv(8t$vGcFW72!(9}o5XNUoUWmeEhFW2xr4b2Iz zYQ|!ut2mRc42^Mzf6PZ8B+m+N)$85eCm@TTZwbGRM5A^w9uJGHwYBqhyLCR8wDQsU z8r1m}gzsd{s#jd(S228Owa>Hv$vV%TeD~jv|GTDm8tWlhb1*ka%TUR(1R6I>D4^Ig z{d79_ZCsf%A#^`8J}%Z|-r7dtWWR=PM}GrM$+q<~=Th~pUK;6dAxJUebUunf5g|Dp z8cTo*lG?z@+x8u{mep}laf$-N2aMv~f89q!`F}o`>e8fuiWR$C*?T&%CD9Zj*Sw&UIFNB?F=lKVXTLE6g6xi-ek| zP|5`~+$rW!DX6iVkpf##jbO$9S)UTKgEqQ!R@E5RS#*m6F+0lDLSBaU%O8+CkQ$x% zQ~Y9wUj{Kf1D#t1@{C2M5+u*JFW`?@OZ6o-nwr&BWGmgL?yc$p%h$nkKi?Mi+ZFdp zuT)mo*6-;LYczE|HNA|vCxoqeLZ!*romIVF=_Ca0i}TS?JAHD}Yk6wmm=3B?3~Djz zC9x;$;AuC5MWeB`Hcq48nBF)ieKxwKlj>Q*4=EuYpNF12d8ES^d2>ky>Ov_dXR9(b zooTyQ$nJ33>ZJHkkOQ%Os5r4LxgKK#+kQe$dX)4M<~0eX3p&~3T`o=75oPO5dHWR$sgJWkpdM2^M6mu`dxXAgh; z_+g++$y{3Ml{?_B>+EZ$s%8UxB1Er(f@8%Dq7De@=M81wD^LyYnRcYB_A#EqNJ-!x zBI!0;BvP%~a>EUkwjH2Q#lL)-&cwL^#Y&vn!ZYwEFb~wKAG*DGxO1*z%H!3SSkJuE z7+;`2@0SHKG{0Ro*Ob#5qY8CQN? z+|0&S7`nDGViFVJZ)}qolve^(YK@Y1eh*&)Da=b+*lHi<)-v*hCG#9(Dp;GLnzuuh zaBr)K1zRiV1lGyXApZp$5Bg1NqEi|;LbY`W`&f! zf*pvDk3xcGV75Etf%soY)VqcDU{#da3Oup~^mwg(PVN`v=s~e_cqyGG2hQQZCziv- zD92bCxDZJcdzKA4T#IfU38Vtln-f_}Q+up3qieFR5}0gPe+8sw6nfqWyOncWJIJtv zmvgGmV~kAxp#p`t+e^+16IOr{<_T9pUex#*(EiOy{9^y`r62mj-_+wH)GSneeY5}9 zy_byR@|uNHsFzmf{jO=}B${VEhvb^YCh;)2Rp%526u1z=BiIpS<`Pz z7S+g4Vage*&kX#mps}=JW}+&ttBvE-J}Amm3og~D9hEG-oLI8N2$=Z>y}BuBZGKpf|xuCsyj_Ju4DYpYZv6WhDcNykHsheSOqUD~C^ z&T&--FJ6m0;k6qXZFs4YWxuPU{}fDOj3Xz0)44c%IY37p8B!fYHqkjeI(fJMa=TQz z_t(AMa_P&xAN<1Oy@Q?8{Wp8m^UZI2i@}S+L@}DrG?~s_r-#mT*8;=w8ic5|a?lQBYgQbEO* z1X%Wn{b!62vir&g5;bIOWQa`5L;7IP!z5R+z251QS(FbqcOT;QrcYPqin7xpy!`Z8 z>XY`g>L}^c_B>pJ`D@RC@MepjCI8EvI;Z^aoB2o$8z3mzd7-kLX8>(#+AUlWo@NDt z9!z*pm^6*h>N4q>-{=Q`p-thwVlz(eBmJ@$Md4Ps#=3(CFd0&ii`|{KF;Ja&=jEII z!)8?38D(`A-~Lda^LMGbBP&X?llY%lTrpBs;jmAW)IfKpGEk;$Qs9z;%ku3WDFubj z2W3_}mFv{&Zf1ApoQm@dvr&ZCWS?YXxF^K$5%J=8l@do4NmoE2woJN5R0iYUA_;0% zf%#@)1=OF&D=2oFnE`H7Lo0!28|#}7*FQAziS*f%M~{$whN%V2Doaii^PAd)6(97( zv03fs9O^UBnUy}tlMLDSqa04S6l27ElIT0`RLi?(ZG#ox$dxq6wpX%bxJ21bM;?-) zOEEs2EF~Tkm0j>u>4w#h+AB-$f9zl@bnDxxNdg}N{twC($vV#E)6BEt2rdEEf0Ra= zK+ubl^GHM}yCObXxuhs@XpuxV%f_TCq&)4=(N!ufl_u0z1)>YsV1hy9TU>KZ1UjNx zQ+S%{J9irJ{AaiFxvE5fAj>js7G;#U!Jgi!P!7}8zA!4&nGZM@d00J5sRRE6jm1h9 zLu_L|q<5Fisi&oK4V;<|+fM_P-l9rHam7w4)khS`9IFkEtETA9&_}UALRrmGRpj~8 z1kTM825o%1B@;)Y%}6q$N6NbPH!|L|Oy!Ydg?20aUo`W6xqnPQMNQono@3o*7u72_ z`v&D?r826k0hCR$SX0|fvkDI+14^y$>eZhQU4nMV{Q%!&nN9ypLb%mjjpw7 z=(xj1SkaVfty&;;XZU83^)#bWH-gwQsUA*IUK8)~gd1kF(Ivpl|0Lc&0T|c0S_{WR zgQ!4t2L1hKmAk4?0$Xg^m}eX^r>?5%71@~g@pzPD3S~7jq-DalO8IN8$&PgfNu{Wi zXH>KjRy%D8P}HtF=X{?a8<^M z-`}#;4=248&9d|MuC~v!fUT`V{mq*jzv`|0{S07d9luF`!2oP??mf)UA_v)AYLfGG zo@j8a_ZXPyj`_q(6NIS*5;z*yPzA&14y?!m#@Bn`B(b>@SV^M{`Q;@XE-X8_@d^Ta z@l7Y~QZ|$CcYfS^8P)i|HLpBA*gK?Xg6OBiMQ{SiuZ`n3a41F3vD%1s@cRmb)T#tG zmLNy*7>KfvIc<(fNs>-79IH&4vvz1Q;9h6piIc?FSl$K1P=wQk*akWt4{+LK1t!Gi zMbOZ`l7v)wda90FxWaUvWYU@f@P0I{ttwH2(y{co#aZ?np*?Vvq2{o-u~sS~_EalV zD?;o~+Y_s?*_2=)nQrFfDZ$fcVWMSB-~|qh{>T2|1sg0UF_DrAztI1w`fy)4!Z{j^ z28?GrlB&q)mN+lZ9xAaUF;xAIwHtzCXOpal?v6Ml+sosTV{=E9G7T}s7;7e_pwOaB zS6MBfLtX(tKXTg6eh!2#CrPDVt@#fr)w6*s9F-~{>TB6T;5^+@K)Q@nOMSA$FE?#p z3{*O~tMneGbm~zmrvy_IbW)V;$W{0ZJ=~JfHD`jUpHgP00xr;D+Rm^&(JxF6c7-5|9zYRJ0oWh6++i0pQ~Ff@H0l4WfM1Nhvh9WY;90c9lhpf?S}jGx-N6mUXLy zx!?%z} z!yjWAi8jc!I~FMQ$Td}uBBpYfNh!Y?Sm08R&^$D56f$XPQG}nKmE$~Dcez{71>Qny zLd@kb%ENKiN=IENeos~t@wMg;99Crtg|$MW**@Bwc7tvl^d>iM*d{os?LXKo+o+i@ zWoN^n?`{RPs`FX37jF@HIJl?|98CsvbgTrfzQvrY6|fgDoorO=n5G1Vu!28Sar7o$ zy_0SnS1|3Sk6m{+dzY&dy1JedFW#N}6jbS}7V3peRVXHH#B&`1!3~PwxNhr(qXRek zI_{tD9q$~V%VTW~RXj5nEP^+Yy*uM$=_7)mwZhpiT~98?UuD$PJ}km@bxFf-w9-QZg`C%WdL zt{nz!0UVv`lBwg52apZV$XIUI1kU+j)ew3ePrZ!Sfi)`6V;$563EETk(P#aq3~TxD z%V(Bl$6}x3Yf7Ent@1q%of^ext1wQpgd4d=s-(`~9m1wI<@=-TvYg2-S)$Ruw(Iiz z?~bltl_ifUzxM^6A5F-;l0Q$t&PmQlh#P=S@UAucuxPHgWQ|$zh~⪙^k%jOEx@k z;IdVr^+J)REm+SXA6zKUUH8ItUpT&`Gx&5nP+>5?r5_xC9%Zm0I^TRfg&071mt)bS zA2D7EN)s?}3pjF;=MA}#T_e1S^s7-3gm%HRKE~i4o%Aw8eV;zU13G5#55?8$=6N)_`iMmorUM=7 zN2D!7{sSkMb)-I-Aoi2Lf#A{42Kk7BzTh`bYblxip01-)I>{%k=w%A0g9N9cNX!Xa zR&~4RbB~S(>3~mv9$n?5_Z(F`~*m3ba- zs`xgXQg+F8hM?s&d9CIgl3_-1w(XqmJqp60J4TRL8YWw1V5f7Fxi;i2?idI@>(0A? zn)wy$y!)gC-9Lx90R0?X1BV8jA!7a*$TtTp--+(w)_g-`GaZcYMOPGo_>2RN_FA?| zIm%g;ioqK3nJeck^;EG*YDa3zPl8N(Q3K3b-;)vXq)rra0V}L<1CSpRjN;M3REi+@ ztB+5k2iwum4tcgh0ZlONYdO=J9U2_#s$QT0t0c|?t+@yk7O^ReK2@+)lmC#T& zXQ(@uYA~K9vQNgAm9$==3~#Dv`&i2erZ}rKTID7x>@l`GQ&uq1-RLCVfA!`RQSB-l z1IJ(Q6SPPjjNe`y{AJ4+0pB~rq^lYdy4LRZ$9Ao@Q>&A9lSz*(W<<_-H!!x2OeMqz zBXfPZ`b^j?a%QmJhZ!9i^zYsIUoZr(aRi-H=29XW@NNIF^v%;|;o)sYkJeFaZ%5zu zCR^}-mVnrVjmBx}gIbQ%gkrr4EEw{G&j;jspPf%e{GdVy5*KZc_j3)lBKZhiQ20Pr z%GL0w7mXQn(V#lqd9!zVbaZfZ___qJB}=I@8E=K{U&`DYF>Ao%z^%zFS+vUUKq?u6 z|5{@6WoKzSnG{60^-F{OWKv9VJ;%_;*vaC8Q~4!!QJNrjFdb;`l zd;D;9L2|Y!0_P{>K9FEKbjOra$%&Mn1*}*X#JNe#>%4V>jBoxqUsBA zT??{WpUYoaxqNGK^|x>)S2c?Xa)+WYd}+V%a`82YSrcH0(4p!AF*lTgZ0dB zsr)k*eMJvNS<<4378pul_gnS>K9%DkdsU=qzYt@O$pFp|cNmk_u!5P}w z-Q7FEd*2jMd^Xj%WPpPj3LzAJ^bV2ttLC$<9S$|?$_mzn2AO9Ji(QZr#Hseg$s(YJ zz|p*6qS?cIvYn8{PmsO;4_vaUk{Fa->5T~oope;0Ge=Xxz8F2qW};w|EW&x~bQhhp zryCln*e>~`BN+todJcM}9!VA>STiZsbh;GgNz@CFOzGwnr`j}d8f^#?g(=3$OJUj> zCL)VpX&weIV3e$pU0-en{pZlM%=uU|?VwLT~v~>c#?yMx6&RqaCYai zxwM~#=RPihtPLidn_DGxwd<60+a}vlC7(f;%3V8ELDTL}U8UH~6uZ-EvQX}Svr$e- z!%zUWGG>27+aYV3zd;~y*NPKk;y0bQ4^#ED0kxa*_r&lgckJ{DP+sM#pt_J)=O*#A zDyQtz^1~D>y$&svvW43WlIa@r(?5&6xo|i5Np)@)s;+IBMpbH>xir|RV0p=Z`dw1f zksHm@9cj-(suIjkJV(g8oiQ8rNftBMU?+8YhOZcyNCgicWxT#h*#$H?Llb$11IppX z)JuXTPe$aRCIWer3JV~h7_)|KGXLChq;wTQ@8bGwlyzb>j$Fh5-DKTXj4qlvicbs_ zNlFICKF<-8$qLs`CP}%vjRhVj2)D#&RD7Z%Pccj=Cab3Uh4uqMVakC8JtrZ;;1cf@ zoas?~Xp@2rCUG%rR*At@;fGRLT5G~+%i4K|&3}X#Sd|bhtaRne@xQzFclIRnOwOkzn~)hMg1=4V~_4~`t`Z8GmS7hZhC3i|9Xs_ zMF1?@2PZds@Qm0=JIrz=m{J#`Sk)|Fg>J?4umia2LOsCcx5#{Er@6Ni+zTWXAhp*f zfFAL?ei#1@kY9aovtcs9Q+e~S=1DnqGl527Z(m{t0c78f~cN)Jt{LA6d zkB1hGpE4|y_fWT`UiV+^Q-qDBa*T~Y)Z=;kJ=lA_v-=a>9g*&LzGc#cDwlbq*?j-g zi(`t(wdibk8DALY)@#p5=au4Jk+r{R$auy$CFYx8h>Y5$_v_znLv*%(l zIx}G4(jafY_y$(KR5r=7nXWGKv}6~$$T}--Amkrln8I07VPX}Y#qDzvE7?= zDzc@^!9xzZlc!_@Kv8m9mLcs_fz^ARv526HMrbw00a(q;&fS^hv>8>QhkGl`U{LOq zI25}8=0*J1vU^q7@g!6%NQyS*uU0dl7R`2;QtP~_(5g;{A5=G`FNXIlbGXY+#yR>f zM1NT!*NMZ5S#*mS(X$RM!xxs-LE!UtAScx8bnM+)eEXMV zO3z>t7J0d8h(*iN7$^enl1%shRUj;B37U@364n{0_w(VkC7=AUL~u20mu10Z;Ny|Q zoYdC0w$|LvESEnbjO|{U3{Ve4zB}b!?O*q!2V_h@pd+)faUQ36&nGT&Q4O!FM{x_b zLUcv=U+#sN9{S;gsu^AfPMpG=MYT;fiC{EFXOe zi=eS_U_pjaS!B&hsbeA3bWYKpi@s<5LJsp~y5#Iz6(dx0g?=~a; z`U&oqWP8Ej?HCuJ%YiaCafx+nvB^fT6LrAYVe=ocHpxq=%mF!*n!8 z1O*&vUqqvXP?*twATiiwm~>o3*ZD+2pv0F9CGHC;oCS54muB*-)^1JVRl{QH@?!d{ zX)HqNiD?lcY}w#Zj`L+JA2)+KX46PE)T-CqJ=6D`&b=*H{Y5_HXBjlw!=$<>FK2@g z6_C8vOV|c2a-}xTfZvK!w!5uUZ`^aOSraLYy2CU_gO2L(uJ^LkM1IN2EJkLP*`VR3 z{PgZHW`Ji!qp>cP>DPpMUQ@TI`#i&g&GE8|<}ow3*A0JTr%D&vK->gB8mwMr9W5dt z6ENztkV#gPPUAVT!cMGii;yZ?J8c`LQ7<*YLyq|5{L!g<($9kc&%9Wj3-si&p zT$Dbm;Ap0fDk=A4Y}=oOY)t&^W_w)9tAV98@4I%Dk7^sO_13!oT|BLyxseY1V?vqo zo;f)Sy(%hLy`9#;-(3!QY3(W(I9G+C7oV2@^dI*Rx}iRRZF;a)jM^B&M5F~JHMA~1 ze~fkb=kddbe_DUMvHo~-1OB`IjkekJpFqU_J$kY_BnkDM&kSCuhB^jja!|b~->+D@ZL^SX`Kxc&~6OCo+}j6$OPu zUT$0BreS+U`!-t}YCP$(i4F{PSnxGP8YB6sL9T`v2Wn&|T@S&*EVrW`D1cKJy#y>) z33tGccPBjx?}st*Bdv2o1fm>tYQx;{_Hkm(%%dFMBqjP657*z!ixd;51X&P(2%5mc=>aZn5 z1a*K_uBgL?4OFMH9}(EG&SrD@Q{?c{F-{pR1u=JWdz1~wfLe%NNu;v!X?24j*`F;f z1^!-Dwpn&Xn8hB)MdWvJ>Jg)Wt|D2<2ISI550rqD$^@~Uuc|?1FXIqbU89 z*F7!EC`))iO4(;rg(|e-1nu>vEPLOO6^RV#Dip2My%7`NsJaHuefs*UM@O z@w$I%R<(*QSkJkqPD<$l;LrmpzPd;ys-+4n#;O7BrO%RBy`OzV*a|4%m~dbIWHE9( z?+&WKeM4{VtYzbu7x~-lhsBy74NlNE|$uOoz{G@de>+kBQu>{ZOMi6FE-v z)71OKHl21Qst}mDb_*~w*I{IJAb4X=DqN%LN3ON0Xx4R=;=D)}h_o8A#|q!k#0{IVTVpZvx#$VmaiUcm__ zk;{tgsdIxXY0blWO9BlSh0ju$2bkItXL-Mda0gPZ7G};TZaF$ zbu>x$yb5;!Qc;_9B4a~bgTF~|B;d+L6*Xf3^$^)lG>3WAnE-!;@idAST=W=Zx0rOh zSvyMyihZER2%-6YAAm*!{bp0PP+f5q2C$^Jh!y+-6f{L?MK5zY)yN*-sp!^nWdbID ziB7eBVG68%v}{#`7J6ZG3mpaqd8n4GZZ*sZ$k)gwandb^yufLn5x+;fqiLCNd-y;h zA%ay;7)w~Rl{l?V#`#~v(_mi1oki7BO7<4&&dxALvV#v%z|Ny;3e3vPI|Y0|N$_4D zIF8aTDn&e{q{1uknr%ZIlSS7PN%v#n&}j&@NW8);1z*vk`oMV^)4d4y(O|Fa!K&1@ zVX3NA;|no!v%!=PDlS`hDY~P@mSitQcQMbBi~?WrpDsU257+p%P+!q{)<)I40vvl( zYGYm2nKmlJK1|8Y+1S=Yy2{iq)f=fOaau$wYP%WA0HiTquxG0|E2SF?#owJ4!reIL4^j?UBQdyI!Sh@KYst93!Y{yaGY+Ba#n^FHZpb}vTgZwY+bi%~Mc!JoEO zQR|G0yf(M51-GvS|GBRP?@sp*PO9Dv)W$m*ht^LO>M|aE7{Tp+1F#Y)C=-u(|o?+xn zS+t?F9uCU})A!jpe65>e0Ah+K1HhvWv3$BvU8EN^yDT4c%O%;lTZXzC(GS?gz1*uu zp_{O1naoRa3=4y+tt&4MC~nNqK?O{}w=1m0=Tlcz8j!2M*??Ssc^3JT@NMu>rxlK~ zgVnR7m;I_)YkqI7N+j#`YFTgBZQJs)b-Fk-?d$P6?tmQF+v%Cg8_ML|{xn~J6XQm8 zY(H$dFIC)!_8g5C9EzXRs)h;~bli9-6-1_Dtf0Y%?GejCNxe27258P)YGYX;8>EB% zpI3qEhNTNewp_`^c6d62GIlh&ig0l%R2==_?BwKku)+>M;;|QS{m|Zg{H>fJPo;GW zB`@E``wT~hnZuuMcDEG_AThGy-QiF4Z-&|pH|Kf8-)IfghzocfY9RoiKwrODVj>EZ zd*KKe_Qy~p0;`>8zA>eaogYxmCmY+5Rei`<7~`aH-#^?xjZb!u-tI-UH6#)((x2Cs zXQQ$Bq9kF@9iO8Woy*OdPrJzDqm{~J#p-^zct`u|(~|E;umD=mJG zv>4R-&m}@mkrm^B&=-;q`$>D0yG6R?^6b|Ea;E1Zp#56k}T>Zi)+FyuBW14=X6SZ9`~Vj`PgY9iBTvPo0f@Taoi zYl4|ybvSyvDL*Etm?Ao)f{G`=?*dlf`5)t>zsyLQGGhUovlptlAI+_tB61`%h zN9nb?N4!J4IM=0qIZ_QhqDa&*FO-m#I2a2t&A_;3?Z#bC4sj)pKr->dtI*XjvSz8hYhG+!})RfQ>R#oX^{S zc#z6{v73c=#_xDW+>!vz`2)#+$*}kmuYPm;f79Qt{I~H0s@=+ex9@+q65XvtcPr5u zp^WmaxpJChig(Jo?ZJ2svCoKj?#tnD)aK^4e23STmC>U&X6nA^cxd05H6YsrxwYPh^|HGceqErt|T|{ZOo3_VUaC}aP zN8wB2P_;gFQLS3YdE25W z=nUWOv~E^143jvL0Kp#P^fbj0os5+ZXOyGW(z*PaBs*HDma}%0kX@;NvpeHx! zpJf!;*FV9QYGU?T?j;3v5qbEo^%~F$J-7-tUDhA=%p=wM7drA*CdVnq-rA(Pd){Uf z1l6`o5tf&i=7r)lt=CRaB8gyUpX~j^@Ar=Pfk{4?cDCopXgSYh<~+$}w3&l>2Y52| z#!#?!P=}{OJY)UsF=AG{^XA3=-r;GJOXFm8?tO`mclJ;A8rqlB)We;$+pT-Qs)6dK z10E$Aa{o+4LNv1yz&1@F5|hW{^y64IT`Q&KxN=nuZhsn*jNO5_I|UE&%IpZI--*7Z zG!WSUBuvRTLB9UwRl%-upE4h$x|kN&rMUWIi4ME(9zi1PGTif$;jd0lZ-jum2YWlm z@eXXI@}{lExiSXMbuGp#|&Hh)s8E!!Q@C(6r0SY)u={dzFg6N84BfbXPKZ_`G zn(g@x4jmXbT=9gQz%dO+GlG91>cW3Ghae%g+UZHw@o_xWHB-APmSPqjEG%V>KBw`{ zc_g_>ck_N92?z(+Kt)$UgVUj;{O-@fN+<>#_+l}H9KJ}t2D93iUywZJTdtsPO*l>SZWUvWhEOhj7s7?_wn z4crv9u?lvJPJ@~~OqlqLCfcaNE4F)uiq_=4 zgCgreVN9my|65BvfB z&3X~VR_Z2ge&@>2*0VEdvtsq~L2FYza&(ws21bV z7?a;%M|WXjWP@NbwLwYrkAGl582IB3TUwHVt^Pf@*T5Rwy-61BY@5nm$r-i?tu5g_ zKSazQCJ(#m0qf(8(^d4tGEoj6sYR z)y8P}l8x5pC|)3`I^NrP+4OkT27{IID>+xa{ILrpm=$<%)bVYGa764yC-g;-e{!R8(DFL6+*&Y# z=KwB4db00MdMdP;I@_4q2D9cMZRlhjlqfK`TzgEfYh;?>$`ktodIz%FGr4kuJw|(n zM=y6ycMMf9`U@az^0hI)ih&ZX`Ey+Y~@QN-YX zyvUVyFQ}7dJqzx{%-(wGz;x!%h+tRUg)R5>i}U&V#Hmf`k~)JMM0d8ry_xjF=ps^H z_9(@m)RmJZ_P#$E0HHx$(du&q4(Xp(pA+t_M4Jsajd6G!dLfxQ3iZhZg|$^waAgWg zgJ`U^2SV~QbsXXGt=?B7Gxog0a0=TwhapI>L`woa~*R?!VOI2EIk>AJ^A6h@>f%r`Of)_xlGg+1#Vt zm-~@A+nn85a9Z{!?1(2-)zJ@tp?~pupfZ}n`ufA_rl;TIJD=B<3%T*elyPx>2Pa-* zF674FO`G%^f5vZQx;SPVXou<2?3O2y_mA|lX?k%xIo$j4u-p%o zmiyVXS6}Lf9r8nc@fW+VO?UfCeZ4ykP6~>>Nj;p=(f-@rP)AVgb@bh=8J+AM2d4z( zPEUf_)jhq%!%^<&EhbR3JKCJp(c#`{aOd_;-Hsl59W6^v$R(mvCowLeseipWJT*UH zQsxIh-~0dwnjbKv`N6wwb-43aJ4c0+|7CzyR^6O5DE7-KzE~kED`wzrxCGLejhdZ` z^lBv)?ecVRDaD`E81Kz=ei7#+hFqr}$5{f>VBDY={WzxKHtU>#BaXXp*VC(h1V56| zd7~MrU+s&m*NH(QYJZ@xVJ7({{UaidTMr94(??88Dol6Kc{6IYS`GEwrx!1ifvLz$ z^dzjVn__BXcdEK1a~n=%vI6`|N2e$OrelQ3-rLd2xTo^~t+dD3dM#?`Cq-LT#B;(R zVxlZ!{SfXOT4IwVo3p5r=ph=Fbi;&{ zbJ^I@&nfc{HKrJvQ+hBy6NDv2aCE6$*tHpcElf2CEJ7!roQ*kCmYq1RC;14wNk8jl zfO5p4$od&5*uQXlV!K2pR%pMJ(CCH4TFlPc1@|^~C#RFDp=QCXaL5kraWV!5>;vqA z1jQ`e+?m*~Ec!<~ji&B@G=VA1>a4)7G_c$GXaw?Q&V%3xz<;5_den-}>8B`#d)ELt z*euFkIT@6O;qLTU$nNU;=aU2(*;E*082p;FxbUqN9nnGvW>KG{8I={2e^m{r$D)lz zQAEX1(8B>RNO7hV+Fg^xkF*!b732L1^rnDF_TBhJxV577Tf2Gj$wEioMEs_EIZww! zw1(6ui8>oN#i}x@xc$1$!+8c63#E<~d?SFe z{ztNA_P(3}z;yl3=H}zarT72Go44=(e=Pma#`>-P=T`r7tN&Rzqt7XNPaf_Zl=MH= z2V1X`ofB~mC-Si(E?~m-S<(2ktygV%*-eSaG+^5+?K%bNFozox8UN9?(_UR6S~A0z zX$oxyFv1&F?O)Nu%|%lKlM))gzkj=P`n{5~RBJMvq|vhBI3KA#`bjaC_i((N`RD9r zJhW;>zoe1L7|)~wS3*V+nlB||2G#UzQd~Q^w;c%JQx_SwTOV<20P{LZHpT55bUWr3 z98Ud{*VC0e&e0y_K#dCEJkvotRn`x9jxbUjBMNhiRK) znR6y!y;7vFV>G$N{+RrAa_C|!+8vL2(S2&K8^_e`{pjzK#+eOE5L%dBiJDUb4=AwU zxP4Y{w18ZYFt)mZ{{}Kgo?fA)P&b!Z0wf@HfnbNM<4*#tcSS1V(m;6(RLq0ja4;W~ z+I<0(Hxy7Kv=K=Mnj+bQ7r<>h6F9VR-6S`Lv0%S|zK|(Rbh7{Y$Nj_I?};8GFj}RA z>sN4MFVI5v$5FMBbu_RRJ9fT{LKPXX&K-g9? zXol(Jdp(`y$+!M2efHAla8PX)+Tf=3J37nIiC=}dF8>3 zesd1KLptckFiow9`emvno3Rw8htZ0V#U*3NzgYTJe|dtQb(Ef;(pYU7^_HCDA_qvoVM`*|Vr3vj8H(YbEmfaht{pnyM@**YI+p%23x&IK%ZP|_Tw=z ztw0Wt^^eYVD zdN_kLwP2WtL=W>AO!^J8U%R$aQuVvV3K`PU&@_kRYrZ=)$P=L=Ys_B^lWZhf9JGui z2J@xz5G3`9D97Ap-A>`EKMN5uY^zC~#-46UMc3-ULnf2nxWQ?>lePx@vNx@`H z0~Zzx*CZ=sJ5yIO8JgQgWu*pu85F;=^QsLt1nJ8?ldZnB_$=_3U9rbgzgW}Br{{o&x0d3_+C>` z0-|+}v9+g8nno@ot2NP=X)mQo89q&R30b1>JOH|ZQCMeq2q(U2!&oa)75tOQIPasK z7O_qp8sF6yYQrr(0@n%yzY6Lo;%~w3jy|{?cY=Op3jf*0mb3vVGmlbsCnJn9b$tF# zlYvIdp`~*XQl^bapfJ=7lSJwQ3F$nPRJVeIagntz6xHNz)IYwI;SSb*yw&bThzrF}Exg8_OMQn)M4Q~;h7l1Nr1E7h1J zC$t51TK(i>>kE>0L)GQ^r$pLyiFJYUyb9qlKAWVk(vBB;%ehR^mO}U1B>HY63txP8 zt0Bm`IjZaMwFBS`j6SNs&`@{)6NG{IycR*U5&~Zj=`sMT8KwEIS5aS>ozX&gGqPoH z{VN@T2<|swQO`n+9mNH>h%ql-U=HTV2ms0a79AtQR9i?4^*O(aT8xpP9fq=-jX=;# zE|aWBVl`AIJtWqP$bXa6Vi^rbtT6?mFq{GtR5d}5(UEFxHJ|G1?K}loPT!Ojvnxvm z!YfMqVFCF~@&Oqnm_TPT>}3q^u5$h#bWr&9bUy4tf{jpwOn^8il#SSKZ>^`Qn<(oB z#-W}}9eVUD7{oU7F!l0BO$6|K^%BJuR*CgH4oxF`#U&{`(;A;s;-amq9q~-wU)|SN z^90#R+r4BY*Q^*d-~rWCoZckmp|qNS(>?1wkfScA5K%85@<|4Uf&>k?EcV_W9UOfB z?yX!U7(Ya7R;EHt>26eL5ESDcY{p}OlQwQR!`z94S4+`UVSO&Ji?(rIxT}Np?*n%R zz@mVk8}cW}qq8sdaw{H#~uD`BKL zPA$l`(#5z%lS|H#hEM^=6hZQ@XGlpwa(N+QX?)b~cKEupYhefz(o;|$_3`ykc<)4% z)gWz>)x)1V#W>VKp*n!wcbW^*O8Y5n53PZD9-JeSW*UvRs4Oy(x{u;qZ7KbpuLCTv z8vdlC#UR616p!!lR|$X4Y`_dEU!Vb<8Sn38M9`6F5_lI08n24p?>N+^b1kxEgt zk6Lp?-KU*U|EM-UQxkQWhTleGM^AjsQE|W){wX5zJLkXY-mxY$a$gW@H>h&xQVJ>s{jYf1Oj-|XKV`MOh zv=f-3{sdseASMc@yHXG)>OL9r6CpmkP73vSfs!FF5BBF0#X{i;8Ecj$eNU>nJly9q zv|p^p#iqbtQd%~AQ zHJ4I#RWh43=WRLbs+_`BSb$#Wf}8(}3jq_Bl5Jsf;i)8aEaH|vF`~GCQUT zC5L^Z)0W`Fx_4ywWF{n~aoFcb$ig`5r_=6%dV^IT{L=G9$r$!Tmt!>kl84;{R-H-rE2Dhvk0?||4LK_ugG(!Pip*}P~+_#OVQ^}E!3nhhbccElP} zv>lRskOj;!l9JMCB;HdUfVJPUxynpMMnYsG{Z@yB2Y$kJ8-GYeS&btgxY)~qE0Hd? zeb#Us4xoh_orN^#hMlT-Ju{qFW7-1Gf8Pb3S1!<68Z`l#DII*NRZ1xQ-*27m-YC4z z@H+G|-Sv2tGmLMkLp2$vL4!Gw1iG|=jazKWcwzvMkz<<%>r+D@RLm$aX>CPDQE%C( z2nZ7kNq?L4LB40JNnp^8EeAh3m0=c^`1SHg)~AV6i4Q>8a&RFSJe>uj*yJ;`9+H6e{`<(I79Mp~6}%-$;pU{~#S-<)aTRxNguu zIKlN%oI_|3)ev-0qxC-frRI2t%{h#E-H=gAv&i5+`WQj))qsMgAsJ~VgdFI29Sf3C zY%Issm-72gB>)t&7F7(fTxnkS=%_g8#K2~L9IA18l(x_shtsYH$EltzU(&uA1flZ^ ze=8UWD-k*nn|@5VZKtDNo=oXUDXl8rWUcPCT! z@ln)#cNJ(1m(QC|q|Vi- zujrz`boS1l3_GY2BCo?W7XvH%O06N z-(-S|&d#e(pWOPFy-qgrK`JykM#kde3gf6%Og5x!(n7**jI{r__;08Y7@SKI-}cwn z|2=&4V8i$Sg@511fBRR7|NY&UiU0lGZT#=s_}_n=_}_EqX4l%alhc>GF~IxH4yMl8 zJw7_Y3-y>|gfJWY_IQ8t_#v)`r80^Jr*vm+RAjj7G>lz67`tVG6!3v`@8_eTTM&*; z4rl*79k^u@_oSo@1hJ!328*8^**uVWo-di|2$;MSN_ALKtW{JI2_aEE%qCM01+KRJk7nAhk7CAREx@s#V{eI_%JxUU``}QZR zzWjkVd9OXZrp~HtWX;sT)Y`0`yle9yZ35JhFa&fqOxU?Qz~0DV}2ieDK!zEU=EajNK6Gv zxkWJx7F)-NODft~pf5MYwIXjmm=+SQI!p_01Ip?odB8R#MY4#Y=P*qM0oUbnomA@% zis#FACSqC}W(LD7de9OeiY+B2p3W486RcBR24UV68CGW;y~DMw+>k0`wE~}jZjOo1 zF>h|6H!u31i2tZ#&1egOUTVwR@e;SzCwyyR)iFv!;O66qlXEGAVCg9XO1<)kXyC9i>T6$aZOtsQ;DN~7v5P!ELs z>m112gwvLzJW7W>IQec|qcrXGJkd_-At+cwWq-U#t|`8i0xpjGVl+2vZnA)mlG-PNo|d&dJJXz4xEF5cdY~(P{cP zKAI~p8?P64c<&>va)=)cZt5MfKqSa&!Da?%7Jy6%FpAWn0aa9>@iE>^Sx4;d`pAHj zsVJU^CS6TATCj4aLC%yyVe-=NWe9y5rF#wesIe zZo1IL@V7i0I8!dtp*LT|uA<3Gz6mPI3pBFpW*=z*Hjy_x)X-3F=+He0P|&dN0cwJ}?RPyoKrCASZU;T##%<%GHjT#GEOG-xf`NZF$y1JxQIPEs9Hk-D`T zW**2Y@)}l#bO2>K(KCA)_bL6VPyMB8ld1o7=8BRYyO3U5;v}uYVhgr5Bib(Mo2E2# z&7AbM8(b=)kTp&+t{$hN-ilML;_O)L(I6l7DP0e#w@bN5Efia6=lx+mKr7QAo|(_F zz8}@MVP2>U(^Qk(jB*f)VJ{okSvh`h?ViaCsp|(eN(0-Pn~hxVoH$o6b_uOq(i;nu=5D)qaiVZ0JNAHRrAsv~ru&7Zf4t2i~zDDA;=b(QW~ zPUAcS8nDX1!VvHjBW#pjX8B}}m11ILS?$7bptfHL7SZanXp`BIyl?>Xn-r2Ps8Xt{ z?4s6ja&CrBS^&3kk#(=99Y+w$n#>{F*F=fUA2cJO*C^0EQv#in;+N#~(%Dk|1*ilz zP>qE~>uX%Th53vh(|f&M1mZCIsBjM7E{7cg^slY0t<_MKsS9c?%{$y#u?BLkGc_R9 z(rnKXJr%=*ge#DUwnAu|q;+<(-a|Kx4kj7Y)I!la=~LW!4v&YHg5DxpB&@yvyFjii%`GM3mz!;%+#^rC| zSI0~FZDiR>vDG^Y^zI2L@@?^LQ9}SZI6>n!47(tM3Tr^jGL^hvXHInOo(00mY$FDD~}4UH14X?de?(g(}fO< z2?EArqh-KzYt*CwseBaYldnDIA`?tzr}f-LAAsj`W7 zw2!N+O;BhlC(lRlvKCoSXKQ)M!e3~i@VM$ORDe*Ip=#%z0$(95sSnw(C`WTlz{9J2 z)KQ|}it1OLe!$VD&PmcSnLIIPJzFj6lEK(qq_o&+NUX;}b@e9fAhuWN>R_v@wt$l+ zb8NiFCW54c4n;7d*&;``${B1m4tR~i{o)E(EORs`pH%DtWfhz#?ZQ0@wQ!Y3HGH&0 zZP;W~y9Yo*GKz0cdBh(O#05PO=V+V>O*p8L-Hu*>D@bzu_elix3aek7#by zVOS8+LD5@cbh=MjpG$5XVoLYo%3_3dZ7n)IdU+J>-|NH7^Rc+=V{aVNs1wm@k=CL% z2RNeW-nJ!P^KhOHqqxe(?Tb1!5v_d!G7mJ}Qp{{t(1RzcYnZD=yTfdNTMR$6?6|^g zY3&{^PJaA+Pk1t5#|^BB`(4u0T#?^Sx1W|nZS=~Ldm_S_COq#XJa3tVdv^7OpvGyU z=DvJ8+_iVJ;ZB}m9Grc5ay6P9{|%tgGi7L5doXjR_cy-YTtzNn4vAV4z?CZI^WkUF z^PAjG)f`w12O@^w{V&6c`Hb!tr3X{lugq=z2j#}(oshnvkoJsF5Xpm6^z)c-Yl#Z^ z9$CuFtPKw({bl&bgBmyKIU}`DsduXwN05W%exto*sa;e)%eP#l%|(9JLH*s?H0||Z zbtyg4kEZ$99Vk_$`ps4@Tzlx~rKv64ne?t?^wM5?^_)RcJPo_jpq5Osl+S{NR0^kL zZWfCu2&JFxuOxY#($Y%}baxr?BR^RanChy=wq6pJ@V zCwgQgy{MlR7+6PJWl~^be(>yFN1C(e%wsB|Uy)iGKN^$y9W^OFitHqBsNiMqj1!H6wU)$W{0@7TE)red9E9YwC~$RL)EOnSGJoP$ZP z$A&*;5@DOR*^?WmTH4*AUN{Juit|ZeQE1PN32(5Og%mPKJw!PLAOdcmc=Q|CNut0yRULSYxifq~7?Y;Js@2%eL-Ai8M=UL9Pm9g^djBddU0HX6bB{ z)gR75q&}45W67TjJw%nY7V5Ke4G4soyV6<&o}yA4KpTryMRSpD7i!x~Ar%CxAa9r# zn(wxzcihm`7w|&K7+ff zb5JQHPQ{GFQAwLL*l#y#-or2ttY-lHhESgu^f!Wi2>5>t=rh#%6OPD&27>`J4a_3% z`0I?$jj3OIGHO!5NXuRW%Gjnd({|xl0j3}$4X+iO$`%>e8@GWvnP;J`s?Y@JEeZWj z3NebX+;i&ChvnHqb(HD|!DQSB{2`zro8Q>eR9rrmHPxDcA1d4JoUn-NH+Tpe0LuTZB3rD2V9hovUB4A_^YM2lSw(_snfr&o->Fr*8dPLsAdxv%Dpz(`-)ub`sKcI)r^-tzGkyP_y2?ukp)fyF& z+8#AepL(iYIX^yUF z;}C1}r7Bv>nlIJ^rnAcSe@_vH09j%R01}_KWt)wOcEb=1WeXb+2dLFuL}kzT z)drwNEGz&3&TPu_kj)Isv9Q=-%S2&>1{H+90$+=Hm+nETJ%>1L(G*9>AgYNO5ifz1 zj*^Tb$76<33=t>%M9(7nWWH``j#fx(K4kQkvenfg89MW;4L`{bh%iudMkq_XBqZ#m zUBW?|xQYW~Wb7jBhtEtu6j>&LM3V-A#o zCh6igZ^3}pEm@iGKP&ILh7=PYX@vAd=2`}HMUyg*!(W^&%LW?Uw7xhFav)7`IoQdGcS< zM}DYb&@;=n!)>gt_6SvpFu`5&i#Vwuf1!WksVDM41^VFM26X%E_;0=Z{0ruOm>vJ^ z!REt9kG%MA8;>48xsCt!pO*h&H|>ltK3E#P&MAAr(_VT`fBo62cAL-PHlM?PLOusK zox{P=>ryHQE}I@2t|D$*DMlNHLd*K;98ub+tSI#u$RBZC&|PAesWH45YED$Mqj>k= zXz#CkyL!301mMKvwG`0oRs8bZ+gC43O}%munjTn_O8M(6dhrZSjERU-aj`U>D^FrZ7jmmqQ_qX8u=clhpP?F4F8-=Y?!pMD1WPqCQeCX_&TRDyp{3HC}Q2m6OmXNg>;qO(y3XTn`Ze)cy^ ztXEzQfA-db2C3)yNZE-A%3QO>KPAe|FnnR!=0C;>*|Al?X+{3WV%6n2CS^cFUUo{NIQy>#&LQo;9hetXZcqw@UG{%@X=e_(4lPY$$ zEuv$m;zbWWyh16p=S4zb zO5o`LQ<8M*GuEvBlDPRM@4V`ZL{$+>Rpr&^diwa_AD}TPxLUOdu;lZk27XrhObSfY z+V_XF5Vwln=+MSUq>Ip=&_pI996+M?lb}xl@15e+=bHB439pIfZ%wYExxoS*96|vL zM0(YM<5G|Rj2do+BfCVm3TkNTm@GC--cy4U1K4`()gSk?5=%%+d3nm(S{^l??wCo`Kqv9L}*^Og{eUSQ(b6$NGqKkBbwGJ8uH zqW?H1g_nsd!o?rb6klSg=IV2j=`;(ihT-=|6>$ABY3i0_f?(Q0M|Ww2CDnBGxvWS} znTKlFmC(IU*Jt5tNm(ylCL9QJ2H+MF9in+4=7|vugYrgcu0OQEsS*S)if`BN)7}u^ zKxqf?Iu(rr%ATk?;LNS8W>la2JC)1piC$?$B(5R)3H{H{%hQxqtXm;AYcTFMG1JO} zMngIYYygteZ@!_C>Q&kVH~tt~BW_Qb(~X894H5p)R6RRs!d4<)8IO)5{$>x)Pqb4c zQyZ+#4I;C`C<8RGIcV`H?QWY9NM5wP*v*$9DyElcWb>P@wA4~lSb7$j`843fV2Uwa zOU-`iS$L*RRk7P2FF_@Niy21X2%pqn^6AsI1uz?U6igVCXka2z)GyT=q$>D0>}Bl? zL&*1&(FauX7tx#3)sv)~ayv;TgRd5&6ghvv^ynmydg=IHfiEBU5P}a1`DCP9DODLM zvWk|O2^k z+qwpJp{b*V7C+k*#YQn4)M~FuA+~MUI2DSHpuc{yra6n!U~DCXwVXYf3aXrgR7Xu! zQ60{5C#n+}zMQnyA<3n#zWGKdBQ{>36^_j(1tIc{It>a$L9Md>N|E)f+IK6brGRQF zgjL-tAYlDPAZB4z6?wl~0f1&i!cXI7ZAt36VOx}U8aJFX3pzI(7)6|$4ot$$4aY^X z=BDG4Ky$-!Ns?(SSD!`IRh{`#!KC^WWn0Bq`VMI{W{?f0Kl1LVo z15%AHX%*>|dHS1T#)}sF=V!fWf^7`*dH;6j^m}q#TZ=e8Rqa&*%xOpEqqldV_G#Pc zWo02_gU~+o!M;s!rk9h!krf5zWFAO zf7pq4j$fa|G4aH}_(jQJ5q{`Ka^-G9dXPJTKG zQ0G|}F)rZ-*LV3I+n!dPCsz9wQ@hmk(uNq)!CN0zuUcM!xc_S`k0nbtUh;Xp^N1!Y~7-JNA+cHpS#5J)%35hdo-)hU0UE?``0*kJh9JO-tHUVQ>5RHbJL{oRY+F^- zQHSZ(hF*$P0}@lWgFU7gQ06l2QKu^$NrEb1VYtn?ZsYc=a{ytbi=>DzlU~*dR`sWV z#>zZ{ZpVF~>yr9VHw@YBovRMqF&uc{Ae?^D&4b1n8E1AcO{WaN-Zn)HQa-vgkFt)Q zj|i{-5&nP0I3FeF>DrfdjeGLwQHB2>yUS_+zb8-rw7#+V;L+nhMUQU%|Ne>lKPs*V z?N?jo}iNfU}`7e;+dVJ zlcy;o*HF8F?;EE`t|G7Sy1+y=@zn?|oWtrOk19gqXg@ z>BqFK`jv2Cu=5G~3$X5uD`IK1l8nxyXA%Bw!eC&hR0qSPx%oP7Fhp&<+f+OJx)~!D00C$-CMHj)} z2H2B90lkvB+u>e(xcB4Xi663yV5$`%)^oD7jjXn{Ak=v%xGK{2IHoq8c$DYkZc(=e zYgqC5h;Y?8-6;h}#3u(kKkWSj{y5&-mE)ijESVT%!TDm$)#&Hi+RrsiMA*ao ziN>iloOvS10B}P%Fgy(`2m-|&fhwah;?IDxFb41w{8z0hebTYwKjkP^!3y@snF9R2 z(F|bKdJfblO@aQZoWa*4Q!uzrbO}TiF0*voy6~)%Ud9-`qu6#TqM+u! zTfi+4w*i1D-jhYWicfT+XXr0*mx_Os&3NX$4jUjl@kXd9SQ$rd`g(mXBm=*JPK2!! z(7?cw=FnXm1yb(1j~KMVQ3|IpxH<$?S%z^-2F+y^J)#6);IQ#Or-nhTW)UvXa6#s@d@jPTsxUJC5J% zyx!kk{w7jxTBUDdNVER&zc)4?JpS&%p0@YLnPGQ$zkY|g0l(XJ$~GQj;l^XP^uZ>U zKG<|iIl18DhZZA?msFhP?Qt(wF~T`8pPLer{?+Xzl!zwqX`GLf9;M@`sDL3C)%Q=+ z#wT5Uczmu<^z!l4Sx~jYC}k_w$kpEe;>Hx@o!LLyJw1?}fjxOx{tTP<;)kPy`1RiD ztAm}_ClM4L*GsK|vOn_EapJ!kp&sAv?Cz0+0Cx6cxVQCY^z-sOHe6Ey-0&Ct>SX^V z1?G%49*6b@{{Wy(+ns*$G0r;SjTub(z}cpd|M`)G;PC{yc2mJ>J_n-HU(NBn%58*uyyyY|8rL%grEuAMU)JX9f?x-VAIg zR8C;y3xJ?<{V(@UPLGd%svi8&ml)g|{r`J?eDv-uoR9DKj`vUFlfBdUVE@hj=}A=I zz|84S>9uBgIzX$jHbjZxelM!1fw@PJ*Za*JN=nTYBK#mvQckY56=#lrr-u$WyudyJ z6Sw02-lm|UOOk!c`$pk2mV={leBk#;YN(EXD1CxpjwK5N_@Wk_CG8KRv|B{u3>fgq z833}Npbkp>E)>Jm$$&WntdML;I7?h<&1RxAC$`YF?a-LbM~`mCa};SZYF{WQgLHFs zk+m-v3-IV)0S;3Yv|9oJ1hI%@emwbj)HKB)Y8uBAf=`+fuSY#X-+1KknH6PVk))qL zi~4YS5ci&<(aA@vJ$#6*ot8r2A5G!s^elK{_bWxzE4IMK*oo{k5o3k}9Ur$t8y!@S zy6h$s1+kL)Rp?Cx*eMn0aM>666%-Gyg^G7F3JEmoVTVca0cYBz-gQOZQEJSy!O*`; z*02LU428@)>A~fPYll^xWoD0|Cf|ZmugLpplzxOoGdU)eivbeX-Pm@2Z+gEUc)uT3 zOM;BF7il8F$rakU`%pq5d*@*Z4tzuOsb23V*D(MgDFWy7WN+tq_j~qQdGYQQNk?_e zTY$;?IHtkW1J`IMXMH$NXOk`-tpw0vG)hPTBlyOvEZ|_KtT0IvT}mpvyw}UG%oUup z#~AS&w^4PD3x&Hl?R6x~7a#@OPQb!xUvbxHv-_!z3R^XGEuu`NCh&j78)3MMN|03w zY;^B&gKBwqHvu?b$5Pm#C^lPy@C>!LRRNq2yo(90_ z6yxh&8l98cjglvTkbI_(6%A}YZc{Tk0L+Q>kVP8j6Et8I1^|b#+q?G|u7nwB`881b z8u@+3f!B~vw$|Ir1|Q7NiS7=5oZCP8Fu3V!1meE=B^*DKU(_&Xk~~5&6Ke5@r-!dj z>_r%U!{iabkjGJzfAyUu)r%;+Y-EJTabz> z<#RRwhd_A0)+CdcqSOy05rmN?!M`fMwx@pWPyL$n*ToQyxHw!`e7Rme$_5+h&+Rb2 zsnugw9t((gGZ?wQ<6hR!#%@^=^Btnf5M}lIV+lJHA|Z3SUB#?*Mmfg7&(C333TD2j zNTTQCZ~60v5c^LBmp)t|AIY7A5*OVn1%-nJN}qJ`;%A{Jo&YT}$%i;(noykU)%pnt*_qPsUBEQ8V+anR~UJ4>Ni`B54tCX8h8M_Pa8p z>l`DnU1C@^GzTEE46rQt?F7hC-orcnLke7CuZeVtI7NJ*p&t5K(ND(2irWx^MNdH7 zWNCeXolXkMehyP1fFJ-+e8oNtz*_W@#P~27Vx^e5ev}5O6s7l=kc>V6>7*|7Q__;K z7tB^6%VK7Q3L)fYdPU9~mxw@&kvEA7EmSq{LbJ!E$rFmb}Rau+ptYc$GOTX zsur+-Ry4>5tG}kBoS>&4?D%{+_fbVJs>vKZ-Q=3er+zJ_ejUkI|3>}p7g_{PQ?7ED z-Qr?&ypIW8j*kBF?(Gy-^1GX}lCb%4FV8-#{c^U!L8UE#9PQSi12w zkb&VG4df0`6?6wL`0-cuRIoY=Q>-Btw*qRbSNq2&r|~Of&9ype^HD${b+A*aw;HU- zJ??)0?(i?n^85YDoSkcjsXYg`MC54aBhl1RSYUi@O6l6*hjxZCpbxE(bYGZ@nD-r>vrokQKQJ)B@jP&_I1j}1b99+^*1qdviZ zo#9hci!FK$a!oN@8}J2Wn~Q5|?~oo$*A+8-B&@yCTB`*C4-eq0!e9~Xulwea#i zDq;Wh_1K((oygQ+m@G}L>;BGXW9DyLy8z)9c!ER%OB>0i^^0P)IbCc=CSzvsZ;%&Qxo zMx|pE!|-gxzdzX>#==YDLxhpd?SWSC--Tp#1bLD>uuQbMhc94;zn~%hXPDyO&=_A< zy0AGug&uY+^5?X~7k$HGw)m>i9MTTjk-|&?v6%2P zXq?I4gwstc-;_@LGqK(VL-WFyZ0$EmM=|R-!>q6v;6W@aWOm(R2EcSpUdNQ$)>e#1 z*FX{a`DHr0nORGL>+~kXr^rDia+xhRR&EHN)jAXjAhbX}5ljMZ=J*hOmg9vpiy0mm zf=W}TvlM-vCx)2E{(Jdi{A>At^e+2fB>K}V|BnYx9>6!>|M%go|HrNW$F2Xzt^dbu z{HLy^k~=wlxf=uU-|U>mZ+3Q%k4`Kn4!Ac15t+V1I4Jl(={Aei6zf2oL2cmv%m zM3lt$(7~WW@u5Uj`ex^U9UaH}hw+=gyxjZ2k9+k2cx_saXpp?1QZPduQcCeNm%=3} z<+u|MiR~BcqRVrypm*sN0MZVIz=V0l-NKk#X=~C5MI1Cwz(`FKG?wAF9%m9jf!e^} zUn)UWR5UpEz7mDziBsh+)sIponN>hY8eGKt1ADFDVhi{^4tif`rLs zH!%2#ikQ^9WM&>e+JCQhYbpd)@3Isr$q$g^EllS6&sZ16h~a6gy~L0=czy(_B05)&D14VEHD#1Q$Tz?jRsXeq_6MVvVedO|b)@gtTb6ufAf(+ySOJy2dn9*hNdTL@IeLGd#(7 zoc4$08NjgdCrM_C02-j?@bBkj>%ivbw4umZ3BgP|XwYyEI&EL1ZL&=TzUp4V6CedD z&KZz`N)s{Vkj^4HjjBeG>%MqaWVL}R(_&1X8qS(2FqCqc(4Do!$Wfn%P97U7R#IN0p-L%L zaVD`ZIhMbze+tFv`<4B-YTwqPx5xXaO{$&MI0086XrBb@+k99NcT0fJOw3mFZKp$WjDuAI~;Lc-dh33KW3Smz7@56s2kILI*RFrX5kJ2LzGIKF3m)3P=ZsATlN5=`^ zZ;_eclot`QyQ?*qVYZN%y%NBeFMH%w=wF!d zQK3}%P;r6!xY7gyzpU`(|u?o<=)V?c2`DkRCb`vUB>Gn)JVh?G5joSj{M?~)_(OVA!>Ce&BzSg5Je80>#GzH1eNT=q#%Pp3g?V2 zY-okrSO@N z0v)zH@MDl)uzvu2$s<`AT!GQ%b0S8ANv~I<*y%Pa%UxQWERl0``e#0)%*A@t59$aP z%Uv0WV?x*lb4K)#sY- zKur!EO*^KhA!Mt;?rA$kfwwz9=fK5{4<5J=ot)T4(ga|n=58|S;oXZUmK8ZUpc0Xy zNJ|cQZ=o|l~pVBI-ZN?2e%D9j}&^TWU?aTGX^JDcL z{#(38(&;Mh>QTu=BQP$Nk0%3C96CQponBj=%%xOcp9a_|25B=iRepj3A%jh=lL~8_ zc-8MW*4KZTM^!aSheO>U-@#TskB79S+8#A75Zi;u(e!DcVVqimUEGzr$gD5(!ZYaSxyI={83>inYG% z^rlC~x{6&B)SRB^fOt3NthCG?Ak@-VP~@HtdZS~}DwdFL!<-{W`w`M;s7DB=)nW<{ z_1LKd^RD`f9{Ec$xDwE1xG$jL2tG`GWgW+Yx(yy!a-{&5&(v7m7C<-~W=5QVxpZ>L z1?##%&tZ7HyY$(?9_t!V<-7>^rk=pR$W~VH z2A{jDh_u)rK`*qmny46ZWT5c54~Y|<`i-< zX$na)rIjuxlzK*ZDw8rskyT`!ahlF9AN=sfP$4_BivnL~lwGn{I9&#l;V>TolWi%7 z+~hRD!&^Bgo(pM^5jy9+{4D9kY*Q1HyLG(=A6h6Kx6q2_QkV&qx<_9scq7Mu%dIGfLAN#5Y|7Rnv-nB1BT=YfE)TjheErLk@|mDl$D)^Y(h)tO z%y;EE(1TVEN2JISVS(m`7GZ}}4}q5xo~p$Z*$k1WHL1#sH;_uUNI!Pa`L24ySz21r zGZ7xhOpWN}7u#+<5al|H{wKPBUrM$j{zH2YMAH$%S<)vtrfQNmXNj>JMhK;|qOPc8 zDKW_5R@8fDS6&=n%AJ<>>r+WF!-UY%%nL9;KBco%Sy}K%XJaja2wWJF ztmYY0RD*nUJx!^i#@HOu@rwY?b2rfzBsIN>v zjvv<0OU@SVIRPCTJ@PK0cTevFw&ZMhyj|o!NK}zpQP@+3(o_O>Ff_xP0DlTEdzSz+ z$8$4v0YXBBJZRiw^aWEz{LMry-dIm}K4$yI+;;WMoTqSwF+7-T!^^!_JMRuoG0HRs z4N+MvtM6KqMixu9Ma29vQ`Kv&b&2~2TBAE*u9hKm zF(vWjQ*|S`0#?}n&@C!t!y5|`7Jdk`Nudla0Ms;Hsf7d$g^rw*)fF~;7$KEtNdi#( z&$bkC{!hyMd1Ik#YT8{(+!ANF8)aCu^D9~@AvJ)4B;S55^(+IX;hEEy|3>Lw7{6Ec zqU!qsYY=kZh*baUk>#5bKZe8n^v_nW>0RU{b5}vF?`-m=Bu6DqYHe1{Lsv`i@krY& z#P#%L)=kv@H(9WOZzD=hVIJUGTXq7VxKJ3h-Z-=WG83kW|mn*6_Vc z9EhKF?9$R(G+OT7H&z7r<01V23C!DAYXk*R{rL+DqL$GN3!0k6MdMo(jNTf_1-CpQID;JQ&u4-&|LqB2H+c*3Q?@mt3r6lLUb69H3_P0xnHxg zp{yN=^P!4%iGMu<_7_?DmgqO1MR)B$fldBMsBgZ}Px&z<|> znpI8K*i@i8VLsfnr{C%$5?1dMk02Ga9?`F)KB$h8L2T7U1)}u@Z7IoGgUdPUH;M-H zLL6n03V7qEFtqVY7}oe@8l>_2G&u8^VJK7E0F2Q*q6}24)B_8sm#1U#JW{b zq;Fv`(x)&S>C-eoQiW-dlySqL?BTE5gw^9}yGzAq$UkDW|38jmRzs}Dq{aVc_{aVQ<{aVQ-{W^n3 z`gI0}^y?J<=+`Rlh(5sI0Sfu671;NtSQ&sEDbT&=GZlAy8njp7Urva(%Gxvn>Q9UJ zWaYKI^jp-zA<(i5c$ivKp7&b3dv}Ee!(z1Zv}*rKW`S;P+4ewfe5v(o%XJ#44TxQ; zE$1>&oBiRMPHoMsH~rc|QK`PFEo3v$x74QoXV*s7MNM3H3}odFU0U>Q1R_({z) zu&9@NFW$Yj!qu>;E}IlOZzXyb)^o{S^}%-boPiSR*WV}U=(=9*w4pY88rk9=&p7v{ zk5`zc13FuM&P!@xnQ!^ZZ;ehhvPDp#GVupg2%#}=g+eg|HAghi5awykLL1pb4PiL8 z_$ozFRmk4k-qnA?mX=LCtmoBw@W5I-S7jnHH(ad15Z>WwlyH7N=*X6e9YQ6cYdG(u zfqppGU!4tJ)|=7vp7^zq$+NxJ`jeodvrx;Ont^5xSqQM5Tq9{9>|faqhe*)!lJUg| zruC4IQ!RBY5{o@m00qN#{PlFbOV z7@Z0u5V!1v-9gfWV|!qhN63|SReGAGuv?*Bh(Ixif;`E0os+8Rr(a^4!+<&{C2 zb_$HtG@R~?5fAd1BX3n;1wm>>tg0F3U{_$D>omFOZiE>wb`OpY_u`Yoowq07ADuQ- z)qZk)#tN8lgEu=ry$Ce>kfuWgjc~)i?CrgM@pA76w9aXiSB1Cg>T`7jrrp8fBFYUM zImK}euF)WKeB6(oVri$Y#TL0U~GPm965F+NIO zVd7qSgq41Uci_NGoP;*V+8ARg!WL))0|yIRaxz^qWx<}6yT1yE2LEHP2!Uh6S;~=$ z6krXk?7MJ^bja0vidlkX@$ry0Iv^%$PtoQ97}=Q(`J2QfV) zA~BDJHrSy$wIQVC%@B6U(`mYFkj@U(G*6__g(i%l`s~TxEzU|)xqCOF*K1_)_70Es z4o_tsuHBj4jj}si@}vGOEnyh%`K-=dLwDt#35Wj#2?QK3y7mx3)rHy8bOAOo9a-U= z4Mip;4_tvn033>|!d>IljfQu45>mG7khux<7>@FGik28eBsecOTRe~=D;gyfn`(SP zMlg6xuseQ&wg`!JO8|(Ssle|$&JTu#<}TDi$a|fN=>FW)obQC3-;uW@`N_Jc4&BhDL|Nswp+26is#eK*i<{ARh93`Xd}!vF%FLoHbT$hY;R2LEIJ+=^;-4BXb> zvsHPt5I-#z#O#WeHd%&JN{gv*RDlg-W_Kzg#;^@Hoh^50b_rn>N2D$;CDzFpYFipW zZ^)jux(-s=>QSsH0z8zgOf5{2JLON!5~PJ7ERh(6jP=bxg>H%YmO>!A>0)?xTX#k* zT}ktZG1#T&ud9~z$pX6IPib2?{8~vX$8NwJj*pC=lM%8dh~4ve|A#@L#XsbI2jW)M z1^(8-JQFTxb~u2$mTFE^7}J~7tQW!?c>w=jF$zGOS5XSSEi5PCibw?^$6$1wyTbvX zfT62_Fo6O^ZFW^tP7P*pGX|ZuT(z?#$JTmhrVV~4UL($lyj)^1XY|ebAXaMc3QOfl z)X1(ShK-`UQNZHJ+|e^aq-Iobn+K3+rK$V_*bajA+URb83hgxMpcf1aco^k5dXaW< zI1EJGOSLXt=?2IdLs%~=BVGh=G35PlQBgYsn3o@t<+Kx2Q*IFw9ZaRnJ;5 z^x9=ITI*$Jw$o7fmr$H@|RBh>H5O-e(zOl&+OcU>~CfYJJqjcQnCd5;31$3VD zl^$8PlzT>$oT1}LS(Tx+Ex?m!A5!t=oUQj?>{%=LruF$RSrUrw3@I6V=7=4PwjmL- z7O__mlNhl_p-^X~=P*ID@)I7fPrC44vP_x_y86`J2`y?ikzv+ZsX*~r7AgEG2nL+0 z2Q~+_l->?eXGt4{04&9`J{cjQSOJ6t=`kOWizVJu7@`&qOpCr^bR+v|*8x-Zi)AdK z-npt4?X@gFn0rIG(5_SrBmyIdHH!vBaaZ#t?Dc&D!a7Po8vT{IB=!#DH@9JJB4c`UVcSD4sNLT!vLIhsFAbLv~^$U0uaKRaEF zgx^&Y9jTUfEn^U*bu;eeGYUMWPNQTr&&6Qkn7LFM!~8w`7B}M&u0yXBPA$4hylN&o zqEl7QD8l5$yZwWg@r!q_dpNB;HI!OrWGhVwXAe)j*nwdHI`I(jZCWcw(qecb!y*KU{2erZ{I32mtg#A|iGtflP`B@s5( z?H8a(B7|LWYEm7Foa!g$u}eiFv`WeWH>;aQc;k*=;YnxoFIP7aZB5;ki|fJ>eQPFa(p?<_A72q{Bs<3cWp zg#|Oetel+OX4}ghM|~^hifKnWxcW++!|B-N7{++(Uc(_AUM0=7Nd=0R_wN};q&ofw zIXZu_&=}S6Kh__tKYHTD|9G&u`S3RW$8G$N+xQ>1@jw2J!?K-j zn1kIet?=`sT`tXtc3B#8X3SLGg4lBt$Do`HuhjR9l$@pdlbH=9Rz|e8V&fy??rp%d z{}}#H8SZ`U_-~IMZIt-Ghrj{e@_)Dd-!1=l%m3ZRf14ibEf{vK1BUAAn8V#eo*L5=c z33${o+ddf-+4+E?%flg}zS)J&Zot+s@@j<8RkQglVIn9;ELT|p%q>T74^y%a&PY61 zk%4L1Sf@J{K&Ka}G5d8LpztQk2fb?{+?*oPa@A6He}x;9d~>tx6*WheLnnLK1eM## z2e!4YyIH(YQ>>hc>@3i8=ioAKJ$If(dwYM~KRNyKX}PAD;#FDVS+myWcfR$VZ+tfy zc5r&o6%c}pY=}1x*=jkn`!wG}k!^vH_QnaOJ4lLg0sp!%DG{&o(T8p0-zIKex}rSF zEh*Ptz94IkVNiQh`Gc_|4vnUm1h)AoHK01{HDmOlN3@b1S|D^%9_qR`%z9{&y|}yX zB0XDx2%sq~ff@E`gz+TzPxp>@4i5GXEeF2YQ{tMRJuy8S%0<0o?-*K|YH+TazBqX$ z?T&FOwA;jovEpLRh2;Lc0zn0wtVj`mmSs1{==c zkM~~h6%BsT=`5EWCqOk_?fo|oxml3jFm$cdo91^JiZ`(YmNhJ3`ddkT%-mF7x;H@0 zBP1PY1ceugW>8v}o14hHUx4J6j<)#tcCkuHGt8pVVR|E!{?kbqw5YslJ z)g@*ogAT|h66no!gr&(i?_;3;-ZeKafCI-s!iv#Wmm(rxHXsJO75&IlDzy0|T#fmF zJHSThfnjGt13?XoCuo+7ODS@YhVB*7(O(D#AQ@2~+(FtOj;{@U!*$Jb>agBohi*3d z$g#q%=RSip-_jA}{V5+oDd!`If6h38s($4O>Ix`&hB!r z0KS=ky*E|v@5VKQo!=Fhzb&?Ccj%Mp)f?oCy1`G& zLlZMVSI8|#7Q8|%D&#mR~BF+&}#O$-F4@^IY@ZrGn| zTg-|YNl34q@Hw9biWNNxl@^=}m?s@*UUP;7s5v_=0Xmn#;CJB12L7FpyI>f6aRzPh ze+?+-G!e_*0*%s#5_>vraB_?h0i-V`{ zXy_H&RJtGB-u=#fY;@GIpB*5=5{hpUA%dGbVImd`5g|GOD^7%%L4V&jG?&nPsL$|+hO^s1`n zzFC^PYU0m*^YiBJ&g4tX-8JprKt}*V+46NMNuL5!Pt{%6>iTBbP!fr6<}eKK|!WOR|&_oweLyzi?2%k zfR^(M8;N0(hgQQA7{?2snaCgEWANZSEwIC+i#9#QI8h+8ed|#4_la)K7rNP5 zi~lL9k}cg&X*^5mbCYc7rB^tD;N$ro;QY6HPjmB``I{?Mt$_^cit{Hclr4I*QE~4W zi|U(bi--*V{gA}Pfmj2{=edK=%RfJ3`qk;^dGLT>!zWO8IbE!gCCr_mey-{MetElR zOvnA~&~I%HHOoTYkS4~QXGSk9F^*ng^p}vZWJPMu=rSxaxQEb`vfrPKld~R2+Qa9~ zb~3>G@eEB4`#D-1UZIf2f)5e`ir|x&xUg1qJf4poT6>nWe8aiSmmN-K!l8yLG}jCR z(Oj1l*IwJQ=2|yr&9#E4=&hx>D6Z*DQBlLULZVXC=jlzweH-;DKhPjW^E2s7)X2*J z*qF$b9UREe%H~bQCD;K(z&mwH8x4SYoLUt|&Tx}3_(=SwGJk8T=ptfk$JnZ!-KAE{ znyVH0k8K5n!+S3-_RS0bBFMXTd195Phk*hNO=a$H3VgIVEhvDAzGi}}hAOD&Yc?YI zgqLj5ED{l}uFNj+v-(@9UM%xT6+!d_tqp)2^{yrDKsJuL*{B$AEo)vA89$vIFIvsD zWx%ul`i=hl)TDjk68iH~ME@ajEr*#yy~suGxYzS-J{f+-U9QerhjKXZ*z(II02~-5 zeEhjt)$w;)mJh#fjEA3w4W#-K0+LJDL9gu9RWlioPPH?J|d_7x7Ca>EwR%dfjrMDuMpVX@o(-}S)FkOa9RxF21 ze3)5W7Ior4_fb(@Sp*TBLa$Eh`dBm9hxg{Ru)b+t__&WuQ{I?_DlgCR!sI4xt}jQx}^JeF`HZt#(2bXVOu{OA0E5UJNlMZ%-o&;ps&l?y}n z{ip;{_q@7KUtj*X>Un(DoYz+9%$**+JmQ1;W2&59+81g21G1j<&};713{&%{kS*lm zgU`p9Wdse$IbO6-X`vJ3_=Is1i>z&y!lzdUD5B{T92{|8h^`jK_!RPkRb&Nasp(tR z+^)@<)ld&1uT`?|PCPXQBPZE~;;C4|(!+dPn1SGL_24er4RxTH0W-V9%iEm2KJ}Xq zy;<(m^$OK|RtvSL06;9%$3S6Ifnl=>4x4OSPzek*4}pt7gW3p0_;grUYbg=G*#6hP z(q=m=QZZy{p1$iePC%9%wwti+O)oG%BRf*)eQ^MIZN}iQxp^6 z?XOaPYD_eXkrY^n8c~dfs#$mCM+x%;CZ}a_WMLmC0f?>VPy&Uq#CdZPzj?hI|FClq z{Ub8Bm%S@hijn=pS4TF4`1X=GzPVCKvX7xccP?vL4n0v+J5I-=>rC7c(FaoiVX5Gw zD6|@PlB}9HP!+8O=3A+Rt%B)Ogz1K(UB5Y8=KyT*DLi!D&JR?F+E0U*6Z)Gs@r^|G zU2vS~V^{?ACZkC23I(QYyroU!v*#Q=FJ7fmWK8DJWO(t~{^<$=i6YK3ca@DEE`?BO zGO&@Uq^=Z>zUXg#s#F0$A64>y zuz6Vzz&)@AP#HW>`ne5})^)74jZ)l9XyEAmiVX&h0~DS|6;zrkZ?zO6TVRxGT!wV) znHti9om;Y5DtVwwRMc2AF5#XvWGN!3f(2@S>|LA!j%BgB*x0_oMs9xgMs8Xg`M}!9 zO?M-U2b4~Qs%TNqg0qS;x~VA(n+jMEgo=U1n;kT~m#J?bAyw#VTFG9~2{YNJBn70% zg#R|nNvK7iFC*)xO+O-G**O?X&7s61d4DzOCN&Cf+nL8ajBVbt9t!Xxy$s6 zcpzy4OJw-0Z@V}i8zgT!2gDR=|0XGs)vl#G3;gII&UH=4`S9HU_fp`EEOD=K`PBL5XCi` zZ`38#!b(HMJQd zX2#kbX~u7~zE6QWyd_T1=u2~qZQ97t1_At$wNPLYFv~ky3nkj}Utzz>C|RRe39(MJ z6;~yb6j?*HH(6t3ca|J9_wELV!re7gSsN&s#^sLnky7HGF$1*pD?g&tK_Oa5Lc8L; ze3qc2_OGB9z$@i~2xkM|33VbaeR6Oi1N1H&sPFm&p<87y8Kd<_p91BeF-v-u&?94u zrz1w6GtVPdDn4XGHXlKSP@!HMc@G`!Jp#yN*KwGSQa(-9z_Jc6o4uJz8bui18ehvb z&1P97u`$mK!ZO1A89g-&9DSgIknHK)0FwGs;iK!!0*|gZH+1~rKNmP^`9^*a;4H&Q z+LEi@I%udmhXaqrOo?48+@!EfmcY@q(v6>z0T*RL>F{GYbd?M!vcciBLhS(BM}nzUh^M5c;t&`$mCus2Ljs-VMhlXPBo1&MmvI&U%Hxig84(_y#i z2Ir2QvJ}_mj3*ugG~-en7Y>eM@`;7GES8{Wb7h0{DqI~t@Eft>*3c4?w$bowWQ0Q^ zvR#Izlzv5KobZcV+puYwn<|E&zQTz+a`TK&Mwu3m7GV2?XH*QICo|#=qms-}G8sj{ zYKAqS$U;l@P{N=KurzC~t28{uh;3Nn@d$_nv19lOlooZ%TNS9_|h&2oI^tRLZsM&0kyOrg^71mE3T<^7B@#2H4lMur$#z?5@ z>O=t37TR^&a~ZjQrq)`X!HEZo*=#^091(G#tW=e5M7vPUX7zd6OZ(f)F3YcLI=Ds(`dM8?d2J>AgbH7ms(=kSDt!mk^qqcQ@yzOYT*(XJL&UMu&xG5eBaY ziL$!)c2CX2k`PDfu$Qz`8=BUVblZj>{wFXpsX=96$`4`>&i;Tt;sqw6-wVvqHs{Rk zlFa*+dik^au2`$nt?kL=BE7gmIAzX_;mzCfba5AT!x74mF|G~e(W$u9#AQw`-qgOY zN=)a!UIaWhRGjekq{)`yWk~aw;=Q4mLF`wCpdG`rXVKo_(aXIb8j&P{W45oKcP71* z++bSvLr-WP>R1{hJeJc{@Wb_AqW^IUHh$5UCjGPJRo6Yvv#e5JQxD^6YBtT-QmS-gUCb+#4^h9eHXP;cH4|TmlKzd1BD`zqJ}=37hz;HV zh&W39F8&*@MAQj(8)#&*y5XpxP$1+=HA2px$6BlV^T3G{x8yHr?mYnb<<3<5+>)XXO;C& z_ie!SKTQ1h!CB{b%Kx+ZzfaK{_o+f{_mFmyXF6G`M=xzkC^{aGlwUqFLz@A{+pfC_|4Al@zIIJ z52EES^Mg|pMgkvz4ts@LN~fQReg%^`Z+=Ou?7CRPhv#x>U;>i?;CLsHpwdrAS80s3e>PmA(mG6xi(gzl3LA`!5M7N%0e*BW>EtlmARs-}kqg!s`dw z{6H6FX1~nmOS5X51PAufGu2SV)*^o`PU5KanE)E~lXvI+#`-#%Bh-L*epu7)nW5y4 z2ueS*BZe2EIIAicM@1^fjdCVOvTQJ^93@P=6AnA*^J0P;5X9{ein93>x8MO9Y0!d8 z@fbYALawEvF_1N(LZh1H^w6GeQMyo2Lmw=`p!To`9o5B)Yk!k?T+7w*>h)+%rZGCh z5KBoFE7q+(bKNRcrxVTJEP6`t(i^W@a*%l&-YtHw{l=7*n7wU`nc66DE=Bg;!kgOU zIi+Y|`S2`he;~JuJ6ZvN(W}H&YsgHSu1E=tqwn)8V0tigMtZNKt=%yV4xH2x{b=VS z^q-MnIv>(>2%J_gE$#qQ08HUPN8GU^KW0UI*86~jgMvWH*28int`!j?GQv|ENF{gg z0*U{C?r`|C&II=^{@t+hs#OKcqAq|DA_9c#3q(h#NS(A{XQPqstgL!^reb>6Eo5#? z9MSoB-JYQz9;4hNHY32zO6n9!rX}D~5!RWgzubGZ^X}j@esvO`?EmjQ2dll?Sy3`Z z5`F#75vxjY)*vRqntBLih@NP5W%XW zayNmCq`sdM_d`eZEUj!nK)`*#R?jsz#YA28R8t4K9MM`L4~Or~nHQ%OH2N#hOc~r6 zTZf2#NFkyxYYSofw9x{=m;EdGM$wn&54SACEp#QTDc*S5#jgZoK;PBp-9j;wgwwxL z0ES;f6lr;h4~yMa4i8%sGbKWEcva8zar)C+>f)ag%lro6qupT%ra0E@(9z!5vuOCQ ze+&x#>jLz9=HozQqVi|tej~2*CjPaX^3Y`d?qmSs|A#vJ z{;C+wGPfx~noU#;o;eE0QBf6(*-RxIg_-a>8B6uMMZnhCjn&Mb?L@&k*7>?3z z_L1(gDfwY7nrbFP_Zcru+DVeNq`Fp|wO{aU5~t$>75Pv&jK# ztJY$ZIVafZe3XVGPD$v7Qrxf0ED6p}Q;^bjh%lCG7d`g#V7N}XoO?O%ox)Fnl8Q*S z_yp&hUlnniEOMv{kjOeQ=`4ST^D-sIm^BfoA`_ziEg(PFzB;@$<`Zp?vmFX&RhNO4 z&dkOznHtn=`epNFb(d<>x*erT%e&o}HZd0NsM5*DBaK)k8J!pJH_81+U7$FVPeRn> z4o7(&L_t@kXWw#!Fx8UF1E~M;yOZPSANbdg@RvHmHbt5e@>dPx(IGzplMU)v_3d{$N&4k(dPQblV~>?)}d6VXcVLIZ5jk;RAy905>rG^^9Z1A&HD5VwP6x3%DaK(hg-D z`-QIhiABpyEAn__^IB*0+`Ybji%RoQxv3=ZkmE@?!{0h=o$ zrj%?zbX*T>0Knx=%PQ6w7On;06lEY$V7AA23^AHz28+CoK<0IQT=1 zW*0F9{Y*PyNO%ita&v8FzC=I!$@N)E#vghVz2B%$<0k=i47{npUR)-v@Oo4 zta!5krmBi&*xPTF&cwIU_UOc1_S!S~zc1heHpBiG3Lkm=-$N+8<^OK&e{b!7Z|#5o z-Tl85)vn_De15OY+FciG923`J@6ZHd&55+jpS#iiN&I5}=x~46s@!U=$=}$91GdvJ z6xPVpv%ipSvR=)bllbNS@ySnzyLus}DB9TkF4W?9VRqm9Q8zI#}%dw3eZ+&kUb zHDEGD(PpUclY^Zf_UzuNAgXUfPoG8`|J?}B=V0e_|IMB|DK3+in;XHFC#T2zyQihb zRMPu)5%lZFKIP3!LIB`9A3e5{wZoVKNf+r@@)AJB z`U*8@O!Hlnij%o(3Xe5URaVM2zOw5e0_HqJ+N=%1X)*ZJLecq4wQ*x_&c)n0Z|={zfJ3K3FT4sGVHqyGDq64FgQ{hhCSr}K?6_|<>e3B{1a2o* zgW6^IVu2}xKam>&M^J}u@kA1`;M{^nz0C%Joft)f)iFu$C zXjkTwil!s=td+K++Echj;pcO_E^3X4XTSm65h*2^Zb6;pIGZAuc{qL7s*U{c;hzGb zU!@fH90R;#cW#I~98j)q3Vg}o%L9Pcc8nEN4n)_&dz%zvEz5>u$sBDv*S4gI!2q0O zX>x&_4T_z(aEiW{06&VHA@Up;sQyfznxF~25W~LF5{3XE_=yKwgI!D;yhkd2VW%hl zH4Y~KQ8$A{41n-L!@*fcUi3{X3CN;imUH58MkHds6jUh(TDUp*n@|;I1zj)1vo!d+l_noeCw$p zi-ct1`KVEQDQBl0F?tf`Nf~VTildEm2MG2@mZsjoY($p+|Ji%zuo3Amjfcse6TU$sa(4uQp5}2Ox?|r`4_@3++S6)?FB?+**XV#u+ zBvs`Z85tQ783#}MJ0knk09rwwQIvklGmE1X!?j3vu? z(dbmhNs|Z-bSuY zF-IEx5(VOa$^Ad(#%bM~YP3lI`}Et5Z2YfhU-Z9U^uJ&9zhCsfU*bQ^yxLch7Zwei z;0=?I8w)`tyW_|O0GBbWMuNCwC!IS3NmS{pFoEIpESYpCQ?cJ2_H0cRX|rJOBAAUr zOGF2ghYW2E?jcse-9r`JE>b~$pn{Z(NH`dV%!&C@&XQwgP8@<40)9*YC%NEJ#1p*{ z5RE@7>;UEhheuB&@_^T&|MNKWvo|K7(&nO`?PXqo%6)iiI;))LnPUb`-;}eP9Th-j zYPOr3J3c_ZL!e#(-`FKxI@?gU$uyaiFP2d0?dNLn zWKJhkZq}aZHac^;`L~Xm$FI}wDrWGTK}Q1v_`^#Sdvd*1#4FXL@8%vU;TQV3zSui1 z%b=9A>)bxBIHdW#@i4@LoBE6tdzdwga@ASCM*6#bDT2Db#r$9~1>=3W^^qb!l)IU- z_sbY;3k3g zG5K~-))gL7BQFjQ_J5O@JmL*|9P3-sj3+D*>Gp8YyK&w7gMX*Ln?b2O076)C{4e39 z^~01Q0P1}cwcDZCI<$3~LVB46$2?$AFJB+NIXG2oH5w;=~pc;^=gkmX& z)Lc|bag@q6dA?@Tt)|ikDnd7x-|?rWLlj%V<6r#e@v+O-|4LrMPj3Ia@$|{l#~J(I z$6wKPNKX}0t%CNc}4;XEVxJl3M@ZI0t&RG8=8p6Z0ZLkqfwU; zq+CHd=$N;|5k^Lc*Rj|kM&_ykH!@KG;cCc&jE&|wT|53o?fG@g_IVg?Wz?o%5ogJ; zhv$sGp}@u{Km8inU19ciyewy;Ewzwl;~0=wU!&YFmQ0&++!BJUJ)aKZ4(K8%XP-6yABTLs z>d(jaW5Gq(ek?y-v_fmx=g^~9VKkYHJ@Fr~ksYsSdSv#lF(W z;9wUL+|3h~jSLhlJ2gEZ3fP9GpkyGmyo7aoqcYB|R1MU}c|5@nyo|xmwIAv45dR_% z2%p%@+H;wYv4IsQzlxaXE!$=nAI-ppMahdN=N-8IwoRR@!C&dYs{(7!5mE)cvsK`| z^qvKsu&D&Fu`?Wb z^+MyJnTzZq|MaqpvnVFB=^5re{nYCvdy?a_7)Vgu47Eu;^Pd;%BuGC=5m*~7GyA1$}?=ezQ9lm;4O*Z)C}0>75&G7qFt)|am!1z>=l}lgqXKMPPL7#u_5KNa^0j)ku)}`IPaLv zVB=#^CInT&Z>S6n<{B!muj)VxQP7Leqt*=$0E0SAM;NGM9P2P0a&<&G(u$(3U}F?^ z$WClX0Km0gSzlqW8|0zz{uUA%e+8014_}2pym|Suc}yX#2=wA`#8K#-K^A)N^Pi+r|nZgo(|6-7s4T7&`gB_^VtH}bBVeaH&>lR4?Sdoy!BUE)>fQO4E z29TH)xY}xnPSpRRX#Z*BatkRj+byi}yNwlJo+ZFHv{$`~Nn#ldlcakFJGd7|Z3;Am z(MQHGMEn7pdlDz3sKt@M3>-~wTjud2COU{mVK44X!t+*HlS`F@kAGJxrruj!iR973 zTDZ?}VkygWU7l%*XV%W9v(B4^Z0LnB4|{DQZ-e-nJ}1KoUc(O32J_WmblM{Wcn5K;vjxy~a|L5YJl}$TPu}47Xl- zn@|5ZqDLV;A{cSrL2M&0xh%$NCMdC8OvY`;lS38|mVLKc7h{Jgt^_NlS12_jp{-5R zq9hr%x@5|r6ZE-RP721fw6w}&;%%>7?;HXo2(nULp*4R*f0ff8j09!RQpI}bEeZHH z8p3AZu4Lb_53Q*WV-e(FA^;<*2akep(eDrb`>S!CwY&kDZs5_%n2v4;x@$uHV3XW# z6hVQaWoiGBP#uI3!vh#3I-oVNQMI(UonEEPB1zq}YvBwd|0OkU;M0(hWaSRi z^WHQjZa?%5llc@W>gO`WKv3uc8rIWuKGLzp_Dn3Kjk6j~@ z*O}ctYMQ_9ot(~0vFCAAcd*qbSmK~-NWvsTu?TH7j2A(t^6gQ@#!@C#IT$m)cwt47 zl{1l|d^(F~BBU5=1Pj))WNo#w$Jmv!F_zABS8g{Bl(T}U$%%=+s%z-1s)N0dTq18H zF@&ccyF{P#p>!A1gxjA=A`NRbEwOpF7z|8em2YFjqC59y2F4Of?2bEX;Cv?{aNg3v z++h&Ke0fkx+ze${b7RLtg&STJZrHsQl8!!I=+bAJgZ(+Snow6j5q`J z5JQc~+&KZ#oCSy&_7Fl2p;V;zdskW~8kG~XheQoM8$UVHJw1Bl#=6n5q~ia-pep3ZA=?MdF#wKuG;s1ud}zm%E4>nQQVnF!es=j2S3+ zcbURfTg)p@EN2%y@BZUoG8SXb1+Vu$#^yblp_S4Zes+#)U(H8a;TO}&uDTuhkz&rV zM$IsuTBBy~Z-?HH5b#YxZi6ZWe=L#ngJe1y4aXQL(ug=NSDV@WcjAv9%$R^3j&G@e zqfWEb3-Qz{>O1S%{QPy6!M-hr?OswagFTzWPP5pH^4P>)EB=}o?sDTG@?4U-mK%z z+9Gm`MZJyKq8ipx3kI>ZOFDu}%NAO!Ft7i)Bx8@ITRrW%^a8Oqv$By_XVI|8i>()JdeZ?@$4nP90=52e3T}Ut zQe(`#Sa{Z%3??67j;WopM|8|w12)3ECo9BTFms>N6fw>FX@&70YZzn4%>8qj$E4IF zGp%HDO!X`d#Ut?xuXQVld|~s*tomqi14+aP1Fab_k}my*l8X+Y*ox{7HkNrScWW!l zyP8>g?JRNbF3eu2+-xqKg7z?Gp0poLS{K@*+rjb-Xq|p?xk?`fOVDw{QPGA>ms~vh zcrJ@}Ck56lZwD!QOYJMX9e3j^N`x2>%uO9iH#SC>mQ(abc9&iSpKex-DFfOJhz!YL zW!SL{t37L6zOC-r=pXN9)Xa3#*=zX7x6SB6Q}zndcrnKF?5s>ldq?4wZzc<;n)F44 zhi@7(`ryQ&p?Yy`1zDukG7UATS6sDsmbLK7dZ|)(kojg~M4nhE5#`nFjn&O9jq@{} zXm>Eqr;+6%r15a_A3w8ULM76Rkh6W}y61R7Lv9yuqWl|yZ2Mb(R0bMHaik{eDv1V4JCxOgD%H~?PDk`-NEw79BMlFG zG2?uy!QhkV`DWRz&dNZs$klqTP5FIT=Q{IoOmqL)jclzY@S8_2%%{w}4$tj!K^t4M zTf90*+v(%eDIsTgbGXOkr-}c0HW}Yj1gIJDpPtp9r1L*Ke){amm-tU#;y-dq5;ijOBJ zHq>07nVPBaRy0{F z`7+|=u~_E;&cc@OaeR2#7sIpv0gjHTA8;1kHtfm$c(MX=d33{1fTCavblkV<>ndbA zYCO3%>=O6odbEDF-h!4+CBp&|9Be~45%qen1LP^0#F5n!?(uYMRl5z!A$_Bp;>hqU z2_sKWlMj>W+10Se3_eQaopv>tK6^sBzPj?Ax>S*ItU#$jFs(nMY|~*XJPx-_xEyu| z!w~Z`PDd=qb0{FM_+P~*w%ZE)4V=UvWe>gpUc@pj&?uL5@hvEL=;ZJXls=>n)^PbOj@*GV*fp2=f zsr*SS^FNHg|*I#e!044{#-NquRv7yjBU*sT|tj?jaub@AZQWf z@d=0?3^v$dOL$3r9j}Zjhew2o%nhFo+iV0aJeEQL7(79Ma2B%w@YDanE3YHVPu znzBkp6H~IZUQ%UvAZFA~Ikz!EK`d)a`X0^02=kV39{4q}YF0?X%0e}}t<3b&)^qD> zxqu^51_$;+*-*D2T)!KHS4~xY`S~XVlOr=Sr4scjQ$VtqPzn^vrO|CWWOkJambPS3 zBynCcIxk(c2q4qBmwU%2r{T-vW-~ne;r}#uPxoHjo+vuWErB6ED3^Al!3q$ZcnsUK zPl%Jm(YSTtC~A1J2*p)RxGgfi<;z~&P2}WCrBZQ1is8_6AxZa*48%l15wQGqbP0o; zl3k55yrF8GmgfeJ-#%ZFbm$zxaBhr#hbkAUisIH*HxB90M+rM-&;XL&aH5j?@^gwB z!oyQ9^4H_!XlJ(>B5lWf%4$I*B3s*Y`!OpF6SF_30EGb?we#dB0Q6)EoO~@fMO`km zN*j~l!`#EPA0u;N77I=SDiePI{7*<^0%1xFVy#+MrFyy&a!p(*r^a{K5isr~psv%V z)40Lq=Sgq98p#qSLe7*B(Z`W)zhUEN-!e{3Qrxwuy_L(pE9@VgS zcWwYNj1HkUYZqB?3q$N^5pyn?ZrEKh08iuTGdDx{!pXsTHgm*wDGozcl=yp|urM@? zdk74J#TO1pW{!v1!Nuka@TKN+AL*|PV+wgLPI*P|k_Y*|7Nal|vWj|YhOD=Uy7w)L z$O(KzbQQNlp&v>})AE_;Ttzw3mhhzEDmkd3EWM=;XIL-xy^3c=%03(4GU~AQ ze>-R%9KLS8b~31|Cx|~I*CQP3yAI(a3lmibTXy>@AGI&bnz4nn4={}J!Jx}W2(>^ zoe!~`4%Xl1)o#n2 zHFhSqC!`XYx&9Mjb5@lp1hD=<- zP+Q1Z2{dSY@#MVQE^kx{tX8-Te%tUHIjM%m!|5m~1F~?4dqFE!7+K~Uy%@&Ag-aD{ zAk#SpGA$fPfph^=&j=T)eu~slDJpNcZL=Ep5XNDVgmu2+bEd4Ls`DnT^CFTHYk^Gt zOt1xx)9Z<~;0aM65T_6fFgRy!_zgz2l)*={hW|TJB^%>UvZJw z_DqvNp(R>ZIDhy}^lGA*mUxwc(nma)ButEw;dI<$Ll-y{#B*kjaGi2X+7HjC&~Z3L z^VzF%#pd&;Njx4TY+H(KLzyvPM!-%hHc9Z11Cp1DtCZ&T0xgW|ncWB3sGE5)5glFX z?S1+FIYXIdFJrPK;Z8YEZy)gbUN?0CzUOeHN_WEI1Rq42z1ULE<*d=8Q`g0*9aNX? zUYTOB9e*RRSqe5o%APvK0SOjb7-S^~wQ74IeR;0JJfj!)DaK_H4zsDA z(rnVax^Zc7Z*Ud$x^3bNtt?2!U(%<`uHRixo~!s%+BMzjj8WWGoBrs}r%Ok@#f#?2 z>G9!jmeztTyr978KAA%a&XRbfb_RC@(EO&&CSVB6u};*KN6)u`o*y-jUt9i@dx;%+ zL}hOvL*TU`5nN?eIPQmN_j4V$|Gnf>fjFQ@sW+^>Xsi{{E+p)>Kd3{ne`CF1V;Z)r zu}o^ZdfVXZj7W;GD0fM58gyaqSZM9}VA_YDj~-Qo)XUQ$K=y6-eT|JU0XEo=q2k@# z+=Kq{%F*sTE%WeQ@m))gbTr|td{&npXyAb8mo~wY9pI}{F`<85NGY={3kvxS(i#ou zj@)ie>REe&I`P;onvSM@3^}&tbo_SXeND8PM&X-!Zz4ly?i4*GQ$tb%-I{-#sx@|V zCNrju?5G530^6{O*C>^vayn`wT4+FeV2jSTfx;C0Uf2xYUoMizx=f9=z`Gz0Gp?JCq)apTFH{O90FZc;&-{{rjOcBj zN%>ed^O&7+#?m3{CBS&j>h0xwY3*Vi1S3VjZThWE9A9ys!QgwE1%?+@`k+MoJH8it z?&MM%L8_QGan!mX=L*XraoyRaATw}TfmQ3G+iQ<82>*<&iVT$)(|gqVjD{%~2G^DdIp*nPC+}F& z<(ImQZ-P}IQ`;;I*5G$x`HMKh4VPS`OVQZIaR+^_I$Omeh0%B5A)iU1JM46X0k)Y7 zL#%Am4LC)Gav7&HS7lIWV(-`38fAfAP2Y`Cfr|!8-47M%6Z=DB50Db!v8`AO%D8d) z*Us*4^F)xAsp2o_PAqPD80?Y|S4Xd4^92Cpa2(5erPbql{36qN1xR&{2*I&wrYqph zP#<~q6jn&!U!vY6204+lFd+{()H&d>gD%+0RUEx3+H@;2OCQ5QS!n9YA6p&L^odhT zI492K+H+wyMMlIY{pf?3wu{o_`0(&FJZ`=We`@}w%5(>wGJB`Z*Qr95&&-C^zV#So z^~##vIp97=yh^>o=F}^@vB@}sy_0Qg02^Tfz{2?08-IO1Npted zB`E1M7_wnKHTi|Y|BIT^-x%BnhHE%(6D9&#O%MZt0ZNAG`i?5*v2f_#%cSZz|v!G&!rN?;HM!|Nbw zO{Tzm+$iQB*1B)vSI!W891f{s)DK<+_sc*28@8NAXw*A!zS*QR;SelmaXgSo;QoiH z=@|iHVz5qhZnRIl&6HhYR&0{(P8~$h_06I^70sEG-Ht^;G zJj0}JE$7+V!{NN;X^ah8|E@IOY`<#wNUnv_O?(|(#Jv$U#$oSLTr7q^S|-!M*T_Z z{D1nm@g@H6pX>ZLXaE2Ezi`~wzYTWb2p@o00_XdrUGtp&yBA|Pwz_a$|1gfG*yMLD z^{95nkG`LtO$U={tu^dBJiur?JRe8>|Mfh81&1#@!2R(60@i=Z7{D#mc)AgCF*4;K z6*c#kp@QLT^hE3R1`uw+&dA0TPLIPIXV@Q8m`t>@k4NLXhZ>$Us_DB_W=c( znj@yLd!)LrZW5rRJ;n4SpDq~j5Bop8YMx@aj%QCa%GnQtaPRQAyz!yls0Q`=6Tb8d zCzZV5#Lld&AjPzm&ZfOf-l^#M9LH_4Q9FzAdXF}8zYnyM*+>)i7jKy`)Cj3eb67gB zx4GqPKCi1eD{)m6-zxjHj2dD+(yPOa01yMY-x)Z{PtsGe?z2}nkEJ_Qu8nkxOaKTF z8&rG(;*KW?QzJbxv`HXRDDw)2gWgRLb>Lv2e5pj`>Ap@~9;g^CoRw9#Q)gASBz2>l zbaa!`Fe4QCe0PKvJdgK}9MbKw8wQB{q!LRL>4DZ%vFu=`XQZOGbf zjbB=+HN^Vb)&q~@iN~&=jb|rY3j!b!MevA>+)UF^QI%R^pQoSYrBju&q(rXL6>XVcii>c(XTAC?r|zlo(cHMgW%g4cJ-x{ zHn7FYBUZ^XU{tGW*aRmM>}a%bwvBq2^AN*|+cWS(Ra-gh&JngSdkkKiZh~(BU;vK{ zI%vS*O+V_(hrD6Pjwaoka{5oX<1j-TO(s$6B0K}Ux&%6P1#Eyg7A0gNhg%UXg03+s z+;!YzcBvmn15~dwGlyYSv3?-+uQAIawF^85Y*hRWyu&hG+s5q}1Fi2(bT@SSL|Yz6 z9jCD4-o``DF1bur4vO0*q5#Mu9M2i*`iF27v^g9)+tp`hRW1mEq3_GI#WTKJd(I9~ zH5Jo16&+G+0y0I-&ivaH*o`EFV=!~&mTE+j9`nXr*|Z$^+`jcq9X_WUTDBzM`KpeH ze0M7I$B0$8YP5>DPZ6Q?{S#m}@BkB%3eIjOaiYVsp7k#A#tv%~T(D_>}D`OYn8Dvq_@h%F!%?2-Q7QI{@UDK$USjpn2PmP8(N6_04oBK6|~f{>9Uvy<`(9> zRzkv*T^tw{Uy2qu-H}cR<%RjT17(>aqy~IK=MUrRAq~lMx0KHy-$sV=2=>CXADzKz zO(Vf6U|_6vrK(avQ;voN*OP=YvK!-+mQyr6I1kDcVjkVh>1uN@86*`D>2T`@-&?(H z5^5mmx`Qh;W;%!RR0td2gcf3TLE0w7Tg8=QJ1M9nLXI<<@8N*i#0$=IP9HIfK$Ic@ zlj@sH6Ny!bt5@;s8c4Z=RCr@a=-o+*uBX|omYN|(OI!ratuuZby=}a=E}(%@vW4!b z+lJpGvT=F2x8Dp_J6cJZjDTl@zYY5PIJFUbRoaX&22}yR;s$iHF>+aCjkh)Tp)YH# zfTzXbPwTShvCb`%)s4ENxI9|au^nsW_*RpZ5HOmTWz{G?Dr^)>qsZI>F*`qS7B=%- zHACT>KtP*vR0Q72qqp_TR2KXlFZF!6^jZmc*O_ijvB1Rdt^qdn6No+-+m z<%bN3inepI=%Pc};5SbAt<2XXfHrAXC1bjbQH2ozcEn^@CXg}KX{fqU>~Rd!K>|n~ zm*E6CXod&PUk*-mq_YrbT5kTjcN)Ij+1r0}+|({$vbU*jJ7oT#Tv6`F9N`x?jO32s zudh$SlYNj_by#DGtX8mqWF5C2jFVn;B@3tRX4zm1RS313tf?DcIh+nI2gB3+(duRfyaC%-M^SmY{1$z@ZB9+b03tbk!kV9XBm8pB1rsHoVV_u^A_}LvZRB@Ly*BK$ z9dK6IEjGL@KAzFyW4FZyn;T+fI(&%)0)pV-q;v={N`j{Sy9ip=^OHAd&VHiM$6G_J z#@fTMf7wZVS8HT@@1DI9%l)!r!hNhtoGo$nv24At80 z>ZJ*wolcZ}Rv_e4z)O8_Cd|w^eP}P1F(R<2~D^gW?|S(Wc`(ted+9x-d{_ zE$9pxUECyeqtostm(b?l;{J3E7-3RRf#e-eS^-}Iq5UUmsCrj@Y>=~%SmJWcNp{h@ z#8b)74rW5o>u8J6cB!Jh8gv4VbXYpv!AhE#2=WFZe|iY4sdtN6N9dG zhG9q%J+hr`rJizk>8H{YCBfp>wy`}NP))*?Y)kwSiMd!4ea?2ECqR#-C7nVT%YS5p zUfOq^?to3vO^z616j%#+HpWXdz<^e~DaFUhgbdX$Vpvitv<|DkZmK6$5)wetVH5XZ zdkU|pHeQZl>hQJRFlyt44fNeXbqhL!s7n?d0#hZ=>LfxM7&e^*`{Fd{D!^rG1S;O8 z9CfKTAAO$1;;F)oSAfBA9uQG*U5=v`a=q$3`uo2O4}bC;NKAPUwXtLf9f#?|BuczBB@(~hUsU9c@*Ppvz3g71r#O5 zd$utK9US3BB5~a)O4l$k;E%)W_zHDui9FNSm1Izk-A@xBoy!5=8{lOKVGA!PWm&tS zdtazBn)Z6C2hOdA*O+W)Uu6#qY^Oa$_X*U^5#)xw9%8xJGiYZd7~y#;fB%5mZ*f>Jnm@dGRW6;fIwi%WuRRwIomScrm;jv#s!G8rbR>GqvB5}BV`r6 zy=6w34ND|r>B$|Le@InNRv0b63sh3FOUcBiC>TcSy$ad&T7qY3`A5E07XWTPY|Y6I zLvWNeS{BL#nX(PLGC7_ABk`CvS2H>3v7p@CniV{CS&kq}w#I zfRo{ns8SI?mT)$2;itLLViYEI4%5P@ZGpsU(`o{`T)yn`Et3i) zXRb}S0g4={!o2x8(G-VR_<0eF$MqDUPu#_H8ePguN7Oxr&~gvu8B#4 zQl1WgOW{b6=wd3|E^xV=Hb;P#t2B zV5~>YiI1_%8gZ|CxEsflZfn|$##K@S{*I+22{Z6SAeYpHSGB-9$pY4z+{6!2e+d^x zsWKTDrrxK3H!Jy@zQ#h8bcblBGP&S@AnLuX8HfjMo1~5>Lk#+iCm+12LdQa*@a7i= zl6d2Fs_PQI{aN`YS*bD;2y~zmO?wl1f%-JxNhK<(ZgSR(fKuX+h@iqJJEUU&t1UL1yXgmRm1j{Yow$RG=^$&PEqk6~nwaB7w>ud#81^VX?sg^VJRF}MTEB@pi zQcm5zTle*>>G)eYcUyTiqm`NMP2BcQ=Wfr}auJH)O|8O{)(R5H0(@B|B=llU>K;*L zYNg)v)!Fa5 zg?ZCYD$pwj;hYRH-s|1jnP7a}(H)b)=mf&I$On@%oaxNrJV=45%mxuTUZY$_fi~Aw zRx8rJctd{i|1|y|#1LKFmup0U|L5b4Z`1xCkDt_^eewVJ;{W-@|MQFg=fArD=lKf zc9shVP%)`M+(;_fh5!4)|9#>AzVLtl!u;RdzQ39`JUM-_8v^iO@0^CO zcXp2tPw-$qW|th!mvnTzhasxb+HWc%SAB!RMv)t`C< zWV&goKgG0=6ttqJg%55Mzpbs|081R#ckQ_|Vr>H`bFm}H6G*IpylT+}vFfeC|upru3jh&adux09Ek|0>g z4U*sAHlDmsQ6tR$is-;TSGj4Fv!qR;Qd{XGH6{uoO5SBLqNjh}_`KV+t8o|`4vqtmx5hN7= z%eDu|?K`mKQ4>!Jj`m``JdGpu3lhfkug)yI60HT|mFwD7bN-86DE{roRWxQ>e zBb_5Sy5&)p4u-I#*#}IrYbRUEVLFOfi&Q?j`2w)>SB3c$J^?*9;t$8@Hc5uzgNY&dAdTwG4urgGgsm?yW%qF7C9Uim) zZb#b|s~|@#+z^ij`}2t}=!&nr=I5Z&Un}!kW6{A`d^41j`oK0f)(49+8MB%GM#BlI zFe{P*7r#aL6gf`48ylFzy$(iuK?_4nw?eWW6+@+}3B}V#jA~agZdo*Ci|lT~7S~t< z1GYgOjP5f;lfrIQ-AjXK3AcZOogQL(tYo{b%cJt)43pzh@dl*`g4&`bG zda;wW(|v?pEY(jn@R*0$4d77ErpZm2LUK@CJ9$kV4p~3(=$PTXGOT=yCw|VOJUreZoHREkFLsL>*xl20xmY;O16?z z)0J%HR!cPIQbtAgrI43hH)UxQ=vh~T_INmAf{j!U1E`>QFfuWRxOpo~<_H<+)sf{V zD^71Z?vlhrwPZa2-Zyx=*EP|`9O*|#?99Z_q_PH0RB)~?hcNP|NqmsOOCAd;fc(9< zF&MWgw2CW~Li4E*k18^w!d*|WBD3}xojwog=|%=bvJz^Zh&*odqM9OZ(`luW8|;ikCrw;>D{&8O*0c5j3VCf>lE<@-?P5 zqUQCT^HRmRXi38nZ!eydr^&j=ePylLA9fyg_qBn zb4h5s1n%I66|J`|rVb+_5YDh!eQR36NM4-Bc208Rv{p!XY~5rNBdel!AO#kij&Pz% zi-bKnSBWOVBdWG0L7#-R3C2i>_~^i+M{;co=qPFuc_3cEkpvy6MRR~gsN*@yGsnqV zV=F%vBZFq{NQ`MH=yBA+>WUQXWB?+s}3;%W0Vs zr8!#_{V&bX66+~!trL|u>7E19hN$37E`=dWI&CW~OJeSHFrZP?>$JlJqhxf3L8qN` zi7Ir@D|qiS%n_v*(tM|rPyf82jjkt1AeqG%g#=`iK|$c~f_ z?O;eTY@-ZKgg@*b?*4>veW+1(1l~3QFpWbmBPzMABck%e*z5qizm6uYiW~b zoq8dmFy9IiWjqa}I~`4disbi-VLwf$own|E0?qikq+O0;UHRxZJZYYWM=zQ?r$54k z;UvQ6c+plC=-Q7qD$G4NPn=(sY}{{`k^u>cDO5Br0gu=RrM!T}5>yG5DqCABBe)73 zoM2S)hloS^z9GkCkA9Uy(B0yC>i5EbbW$OUC_foV}p z9SXEYk_=BwE-@)c+knQYMk%5Ro)NGKHpd!rdU}xV{)h+uWW@A78`?#$Cel+)=9KSh{ zBjC*l2m=5M42F65FEd&~9+TYh&m|^2ga=~ZpG&4vU>tLk1 z6)YBN7?=a$wh9J3E*z5YKRT2VDt^|O1~c`g2SS1s@#Wo43?vSy>>N}8a;#Ggbj<3b zy%*^y=5u6+DAbE+#R4(f^$o2~aKnhX+#VD|b`KR|wA{?}t;3jR$(c~I;OtHd?)LC! z>TO&pS+A5uO$+0{Gag}439iTe1PYb3aBN3_H}PM#E!7Xu1AMpT34bn~5m(zyU=9Ne zrOi!K=uplr;OTMZj%kS)Px6CsE;aqTuo6o)cSTH`LM z{A+<^QwZv7fAuiq-8PZl4XnmmBJ+|X>Mo>;v(ms=p{-Gna+0y6BRg7!M~~{W3R}^Z zMzE|ab&d%%0%E`N*Ohc}`3|qwf)!M1rS{`I`a*@+EsFNI%?-=>!_U48o|+J@h3YRI zQ!MGl@kmYwYJ~J&R-n`u`s%)o8*ez#5))xTdEW`9@7-z~M(1>krOqbx7SgJ~bnHeC=T zrQ_2#M^)?5?%~19y;pCJoAyIkpi}>w-B-tlsRrl?$T}xK?)b`v`+KiJMzdcWH+NqA z#)EMmXCBc&JkRN%B~3VbwZ2JI7+Z`J&un1ALN*W&%Frh{i4dyFiIP-&n8_Vg(&a1w zgH`zg$1`!zx&pwz>#g7|8L|RnfeMsED6hOT^y}y{E+|g7I@vnFH!WNT`YD)4en*Q| zIs?kmjmNjHH+y30*8Yo0-(C5?xYZi=NB3m=H=FB;nZ;1$J0rI_9nNn>;qz=2bF7*#|-f6y`z)nei-WcmuxTM@iiCls?aT41DG%CAQ2HQUP$^H-r(n9?c)*e;PQ0*1iCo-F>K5~v{1d{zk> z7%!T;`{7A*clQuRc=FrHE{qT*qQiZ7d9d@kNl2$K##Vr$!Z)HEMdUtLMzgNR4L}oq zNT{$*>6n5k+QkO-XTcd}x$eT8$$yp3M06<@Dk@-;25Rhd5A?Eif!VJ}E&VXq_|SoW z$k`B}C@+Nu?@xRC`p^mrb=B2CC^hS*$QV3I|S-gBa|@m0^hRPi#ibkl^*LQ5R})uO)>^=Q`Sfr82)7S zI4sEyX^B^$=p+W-VzPoK>dIL!YF+YAScN#zvFy)cIQqK7am~&%F)&Fn8Op{0L|wd? zp*id02JlZc#el1#(%iI#6d|ta#IzZz5IhQ=YRVAj5r&)$X6))rkvdqUCzBr8H?B32 zn49{i#%Ms5@~6j$mYSZwJwnpL#t0qf0y`qI+Y~lI$t^7duQvnWZieRrAolIlUNrvL z8Zb6o+-3vyvazH*-eq$rzzbL*%T1?)kWpfM6P0 zKyKp?b~GNsb^C!BMv*!%Y2i@^4We){94Qw8Usp~qdZgwF3?zgmE#oTRP^lOV>Fu-k zjz>avJj|@9>cf$f9>y}BOJH{p^5cI8O_L%bunIib&Sr+NDv4EPkk{<~slVCp3R>Mi zo!M&6V81IG?EcKbHvhxl>~>MJ&HtFy?5mv7J}+wa)y&bp$^q^3qE=^u_Vv!mPt6y( zpmH54Nk{ZCAIqtIy&8)rZ@p&jDcb9Pt}Px*Cmo zH|SjdY=MygEu!X%@Gf8bAo5UnB(yXXNFTPj6ud+W9_f>ou46h$vZ8$0x-jP)ld|x`50{m<@*z~5fo59-wvM5HB^Re z(SS+vk2-P43sZ)XJmigUtaE*lMN}RuwHX)hsh>3io~xt2w)su>L#UED)3x#akeDxr z%+3cyO@)f)s5ZjdbA|4TQL9LznKJhp?+q{X4-)XOzN-Y`7gfuLiIguVUYu?&H5a z^F9CYxZ!&o_1nPK_+E_rIgkD2N26B3i(Z`b%J&$R;d#&feej!se~PTV&wrEOB)-dO zGw+~<-DiJ!mX(^kD7D32oWlU{2zK~*0J0iU!nDlh_VD2^&%$R<=IDd) zFeL&Gvh4x-U43gQ;EGxt_vdI2i^2e_!MAg@IL{ab;pb~p3eVZ~&i=id$mi_0>Tfx0A4sh7KwB3rj)QLSM=BaNs|3coe-Q z_ij{|-rc=P!6{o8TIq~H{*`vUzLxUW26Eu9Oe-{_GHv?2zC*&5SuKqF-ugSoudT{* zO>Di!zt5f&w3;(6sc5&YuGUjs93AaGd$Qlm>q7Ruw-c#4ZzqLa|PN-V8`6VHQ*4>Hdo5+oF^1-^1CtF-E;nYGNRPe+-z=~av zi+?BoNfEnQ z`*;O?eG!u(I3evfZPf0ROweQaSBiSbYu^MQmM5qe6J1OnwJvFdsybECBeWvtFbySd zNmFa8udCC5A>$SsEH)T676AaXq^C@gpg-kgmQ>*Iopw8(qu*3teprm-{_rZc@R%9R zozuOan|Yw|NKx2Gz*032jBE+K2Z3Q@9&Gt}2F|*AR!@g3oHmd8#DG_!+f^am9 zDEy;ro$u@6^k_YrEG6rm zC133}9G?v~D!tmgjZ%k-H zJmK{5Ds5W3EYf9sd2^7FY1nhauZ9@>?VQP&RN||a zZ`#h)u^t)j-uoY2Kkie69@+g>ygHD;EAog?h*a33oJOrQE~ZicZW*mJue+ip-?ZOv z>I>oWH`8kHO|R$t#hu;NLHw;|l|s74_l>GVnJmcZ&vbx6Jm^YiQt{Osj&40w;%rU>^)no!~^_9t_DBJ_X59A*d6@x75RAd z@eW(n44*xjukw1niGAZ9P3*U9^GKiSur(bk>knk8m~jk6@keZ!w)(YrzhVue1c+4c zxOv+MImg_OmN~_K0iK2wW(_gT;r_Z96mtqE)!WDKNs3MLf6O+i*Bn8|aI*aPqf%yi zm>NBC%15F#yf!@Kq{y?s)%Mfef?@wuo{h+u(J};KMQ?g>fibPRaVcimsFS?4$uUJ$ zafGRfoVu`ljY>KlkIIQh!Q=!sRq;bWw=sPJ(|tF_3@9~H5vOQ3u$`mtXDmuL=DYmnD9^J%BG(jHP7@U>V&BW; zU6Y$*+kYElm%v4<*)(dy7#uuEb#E*W&Z2hCJW>lLHzrO)^_lbFYyCS-qn=-jU^cpBPvV1J@B(Of()i0Rtm?K7eJqG*g)%AW#} z`DXkUs2unHe8_CwtKR~hjSb?T455|b!7Wf)Y%V`9{nq+yzv%ZMCHr}=MPj-#&xRGq zwMZzqeN-X8*BsM?6IzQV?45K*$tY z1VVqnj6d+PRxn{!2h5)H2dCVheA>!by=daV@64X{&i;OS%JVT&G+4jfy0nx#q;Wqp zr1XG}U*BpC#{Gr%rjeIF+mewtfJM;@MAsq!dT==l!doKp9|9GH$g>TZ^Wh@K%(EaP zE!_q-(!=M4j`7Wy37?tJnF}_zhRh!Tm)TI60h2i(a!YtDLW=$v@XY`otCaGg$7+FD z0A#JhZD43?s6H1|xX&4fs@Ct!K3cUJ>7NS#gP9x^mYZ+-x1ISS`{$2>)Eq!UEyH|( zLRH3Xfn`)+pL6=y>zp8%d$)+5>Yon~^X-|qH!m1&4}nE@&L0J{8Rw7q_v9ZyGLp@I#HQBsHQW?tTBi87@Y#HqJdb2uLa#&TnkW0!nh%* z$RHI8!Xh=Y{OM)2Lduo|tJ}sTWI0b7pWDT@5anDd$_KBi$J9k)G0g32VPad@#?_)m z)L<54Gb=&3&*30##KPJxr8xFz6M3i=Pgh!p#?C3?qoIu=m9vT%NNUSSG>kNMkvZd` zW@<*OO=W#{k~L!{sqn*hUGgAnzN2!i=RwNXjsvZwAa&c}0Lud{2V4|AYO(;h7zPES zO2cd}pjr6hy_&ffz|{)@SO0?mSO0W?Yuppy8Y#e~u5A{A+rs-Z4{nV+!;L`4V|yKs z&r$glXSy6O|5%xlBLt^QP$~> zF=DhkpVG3qm@6pt%InigOx*3p(@mF{4?_+|%cZmz{FVL{r;GBb>Y8mRjWvI`y42^he4o=*O?+dBBzv zksoioKXU#6%r&+^9I#utndG{Zq=thc%q_;FW8f;9L-E-qzCVwRatV{8K&0FvdePu~ z8o>sU>@&-p)?1MjY6B}I!+spJyJNr*IJ}c(mHnIJ)hi#1=^6Q0N?2XDI42DPc}S?p z)YJ|I-G4X0Abe8Bb|J&q`xpaNPoEwB~28x?QxP$`igjx1$E@i1jXk&TV0TDEYI zTi1LdHevPPtSk%~10TZwv(7*63=Rjqn?S!*IEkLBY7vXOb$cOHNcHf7&_m${rc8>_ zM{QQa_I#{RR_XjN9mUN$ASL{S z20q1Y#4(tol$#aBzwQK_{HCpwTenm~v6>FkO>V=sJ0aA=mqAdk=|*KI#)IgrXJV*w z3_C8|sAa~0wN%UmRg(t-FD6lPY42q6UbALy0{odh2=J2qU9e?++nXAfp@eEE;_L^T z1+z*S-#=I(%E~^92j$W_X0=>T;$CMR2Rg;5YNfFjIUaO8`QrUHP7jNXoKlW;Do6r! z_ZLU|rv|H2WqWgh{6*&ixpEmawUw_}zeN007BHsqf`mFt9dh+7cQjA%fCgv#fuGEQ zKczf}RthfRj?Hd+M^H-;W{tKYAbXX%QZBiJ_*&4hG_T{VN_vUSYdxZzFZ1}LY8+M3 zlx!wCor0Z8*mz$_mB`Q81gy!gzy3;Fiijj;I!{nQcC((4LNde1rvpN{hMQaJn0t_^ zs1rT8@`9%klm?9Hs9>NkTCXp#l=s|&8G8*VYr!wTs|*J#li(Uv#$5`|0*h275(z&E zkBR-Ekw0DKRIqFz|(mI|slK)bg$Td;EY~aPgh`Hd6Qm*&l?q@y)*6gZmL22fihYXcQhSiMr2hV zsf9EF4fKX0wiS{LN`;_O52E6;7hlD_GSI^908?x4AHE9rn?E=ALsD7Ly&r2;3A9j) zD&!Qe(B&vaj*u=oZOp9T4M4;b3rC%nZ_Ann)HT=tK>_caqG}B={pbMUe~q%GfQZ6* zn`^hljmD*&)bd!cEg5yN9n{Wb5HOj%WiG^!`v z$$R|jsDm=qkIUKo&qPjY7x$bRIY0mN#^cBJr|JC9^?LnF{^vh&{^z|PUc;~P2s1x# zd|So8fAQphei042Kw0+V-!a{D@LijJ*Lw0hnox%4T4($v0rZyy(EnQ!K=()N86Z^En@-f4tcopDjrzv?l^3nRmyf+S-d5! zI*Ddk4?7&+$gQgV4iC<1KquoWz$QW#GuscA;*O}&*|gJ%$LVTec!5&-2iOFIK(VD% z6L2Gpqt*o}vC7%*tu6wzf;o#?Dz4bAx(NIIXq4^8a%c4Rn3@l8HPlW8&?>?NyftPX zCS&y&x9TLi#C$+wLc4bxYaGuOv-4v6sB)*RjrcdfG;}>lIJ8Dl_9#1@Bs5BhAoA94 zqX2_Q%%CQhFPSzE(jEyviQ4V44ujQ;2j`QEDyz81xHa%wrx%?k^0m##0Fqvau4Nq% z&S26w=jk9d>o*CJW|$ul@qP^Z{6=7dv-<_YT6N!^8cY_y76wYiB=nUVZacj~8_A>-VN2T|s z?5`NcZxXhKZ6|R!be4I>C6NhDmrOt7l4s*f`(f%Qmw~@6=P?GXrB~^P(2v{gRkj>H zOqE-WrXQ}H+(_^{MDEUh7=Hjpy-hjF6`X}jw0U*p7SDUbv#6&p$T>x?RffqfS%f0j zXz`lB$KtK)q&w-UtiJT!FqdeRli8NIo&VMNzfsg*zkk-~+ow2y8txwMXH#T6gH`4t7+8>gUEtLR-B#2i2FUREo51U#eeI7?uXi(m^BsTHF6h_y(=*@-rnT0v|J<&z zdohO7z6(73594TxV#aqZ^{95nk5YB9`Y(7V6d`+y_ig8BaZqJ$4n~hmKROf;6Wkid zs77g>kB8GyB0f{d*iqenL}p4+yWd5w1N9Vp6G>f=1ZP9w;YMf$%hfwca8;-4{M5rn z6-9*W82XFohQHta0L&>TmZ;(l);MOfNxVEB4|_de?*o(@s0cIh5gxO^TB6;s=?+`F z=mIM{Ze4(IFl-U)8I;$Nd+H?XTy*_A)9`b)ZKTA{+zCqv6dBzN*|bWASid0Civ}(l zR9KTm837`jPN9F9Jqu)T;W$i2ajV+_seyzIDhR@iT@Wqtj7kb)x<_JFT2scV+_mmb zNiii{tM#wx??y>mlCf!Pf{~KY*8|$H3)W3RHejs=@uZ~$ijx}{Og|A*40N1>pKJyq zKWP3F841lUqRU!B3aU1a@i8goKv+nlhz05z2n}PZSS>164SwN8x`R7H^sc)!* z=2|GCV)bCJgB`WI086w2L^%;_VWM1wb1zB=8Y5u!f^w>xidCJ=qo4)ZoO%|pi9itT zk-cDaHoPKml&wV_h}|xA$=XCUIE6zArr^C8_Sy-pzm4&{4~a}fNiyw^SYdh=v*mIN zm~U8Q(p3C{LKlgelVKPl5(?Y_=+vXuCdkm$GTB=N)`+dBfkYvJ(z)1i41;sr5|=SE z*9dhWf*)X#Ao`yv}N1RIOSWZ6f^4H61jKTunvAuz>S7)ObI_weYqy@OY5j=<($T41+DT9C-YlfyU1 zyG*luZ1F^D-q(=Lt3PqPwFKd*1C}>&70A6J0s$P=rX5xoDpz8iO3B5 zDC*xqlE%kZo$NzE$2ml97MoDmHqYp`Lkr>Nc|U56hwh_XiT!Bjb$9~*Z=Rg&9Uj;t zi(6ATg>KeEk977l7Qj*Baf>KvN>Rskw8S zR};Z*)s*=t<~Sq^NW7wmqkfq`(6V>jk0#ZiR;yKl8UNlbFSUok--EmVgO-*$BUpe* zM~|fRO|lt$(}w@xv!n+WqM1oE4Ds9k-T{46O)P~W-YfCTpLfEY<5wqPSlODR`;URx zAd{JE#RD#~JS5_TyNz7ac3(lAqwvkaPX~v;9B>vI{q*(Tugw=|1aBT4y*X}%KiA=5J^io& z4;xjhNz|n5?dMA8=*>XBR!_U*Ez9AP^zM`{3br@c)(T!FS&UWqkgPAW8+z;iNwvA*$kW zcJZ($V@^`@!uy+0P6mR3Ow9!WKSa|-!+n&EQ-vu=P8C=V7{Ktn+jg{j$S~q8+c?E3 z@~r3l9X{N}VRs6!*UrjumYTVl{Ds(*9NjmGKkI~ z>bn>>Mn)#V@Hyi?aJOY`Vk5d}&o&0cy2~d1$96Dd4-*>5-s}!C+tYO*RApuv8Ylu$Lgr3(#Z7)8odswCIPnD?{dw z)9zkyzMRE)A($Xu`^X5lTTBDYDnNU!(G*h}8Y?G5rSU{hO#>?+*#w9HOl_>;j*aC} z8rr5S96EfZ6-y(;tj^JAaqLW(!IoMGESa>TQOr(pnPwy>T!i}%5EVv~IMZPFw|=Po zY+|dCM26U6d-Z2t!-nK))2QJGWC&h7%1eAm6RJ+$*^9&#f&qpG;R%d zUv~;QRCkOdREv~i3dPT}r*ZDF?vS>tdX~D;9WtKwp-~)br}I@yC97Rk&8q50*39)Y zbXRGe}#E4=2eX~x}S7QrYST`V8IA$`iACXsa2G-d=Y`y zg+(Deelc;RTBZE8GeP=tA)RS`JRDBu@50y6{D(Lc&N;?gxeG?p1oNY09MUd(nO-xT zTb=z-Pcnimx;f^N?c7tMk$*}w{y9zwbgyhprg#U(H#lMrIK)UFXLyH%R~Q)5Mqg_N zKTId)4iGKu*^Uv_>M%1{{yyC%oyDzan#6L2b%UmmDpZaIKax z8-CiYw{pWrd&!%j>+N{~veKB7teD1cMs-Q&Z+>O73?SLg-N=r3{pWKaU8lPLuK?&6?SHwS9M!j{r zR=TorMIzJ$yL@k~U6N=Um(hMVMz`t+sC0nJa~7(zQa_DPL~aKfcrsOO@zF$UIzyA~ zF6{Kx*ve(ziw87Mj5HxXu?^eBUB`6ERN3CntD~ZyoRL5Owbe5_!?=#Mf*STSXC!I;35n@bpdiUQAA9l5{I9W%NNy!HVVNow|#$T)V}XfNr@G z3Wvol;4Ko}^bkH(oJ40T1`CBxz+r4E2E;2-q$Xzv9- z+j(>PBi6Z+kvP|L*f70}(7v~MMN~?Ac3YI&h`zC8DG;Tp|1-691H4Dglz34*V$rI%LaCKsF-v zM)o)Y3VZei%6goViStF?hp6etsbr&jRY}X6jpPR-#j8-7p8Rk_dtq1kvAiTCgrdV` z83AYJbi;ZP5GzhVFMCxVk`h{mp<={Ib3_i+2p?@*^P~WxCT5I3ZYH#>R^nCnii|SV zW(NF=0=)1v-mGoI5lbl`L4p%hzKsk$S$&bL#j%s9DDmSMNsC@!VT4aDcwuAqvCwMt zVH&jK58}jw?XeBu+GMzfR%+79nm9})RjLDBi-9Nw3%d@YD`=LCBH5ga?a?mdc%%Zu z5N%COG8-Rq=IyUVe|TiuCU%aLz_@GUpuD9Xyj5l2Z|Q1}9?_A7HK|aBmau?O*4;e9 zNSLcC<$w%{j>vQ`xamxUS-t-1b&3u-3pEP|wgP0KgJe1u2R2oJgf+nvwu55{48*-u zn-0VmzY$D>U+;3fn%N@OK(C8$E%jnng!x}0uQY)^-S5a4lnNmOUxY39rsx`S{ej96 z%ItvHkEQ48+>%+;n5l&@j!DHKCh+PxGF8CaC2#T98m%ufZ3ANRlDBJX@cg~z<9J-J zaj6VhRo-`MWKFa@RzK+!B4!4IVaC*SmH_*#1`OLR000`Ba9AHRH(3~=#F)0^VqAu; zOfygvRSJ0MDnmy#uoj@ABjNZ(&Zc1!Z_XWcLM0RtGND%$sr%M}nBFCcinE36AX)dq z*v^SwGFpkHCPjMu4usR^>srA_AuNG-CvlCg1lS@oBhuvG7#LWN7)(}VQ<%0nd`3Q@ zMa@8BLyowTH5_0Q>rXg7%@4Kr(NwXEYm?|g%gie4yam~j`rgs67H?#LMAq4ZPP3b=Q=15TA^ z!t0jDCCpeNJru;+P@0oU>Qj-nMcIS%43@DaS}4a~7NE z!1E(C)MRywOoUE8o(4ImFEZ@eMtHZ`as+R9Vo3?a1@R!svq)*@k(oPZ;Q(c>3?(eG z>T!iKD$d8X+RH|=;%cR9zhvcTA&?bW*p zSeu(tUFPU2XIqL9g7G~9J4tYyroja7Q(o*H(@&+ZRYCGEE_!F{!$GIQFt?2T9MQVkb!&bHwU=JtWQD(m*Qc zE|F@S!i73|Pdhu>Nw{|c%LZh$maxrpo|-g`7rG~fy1KVzrPrjbX^%)nxaJlVA{b?> zHQ)T{w&Pyxs$DgteVSJd1Dz!Xx0Ax6&)B!xrdo1sFDSO623O0i{8HT!l3&$)66$;g zwOIjm0hv_YNP*1R$_kyiBC0+qEgvuzL!%sSmwY)hEK0r|x0+Q~pNb=q^WbCD$OwC* zfb~=6SR#@ZbOCLizz3X0ggYZ64nl(~!HUjm$lS6k2|{_g89}5NHGEaE=BPmmS}LHV zJ4e1ARc<9ejuw_5`I>|HF+fIJYBD#%l2E`FO(=l?m#zgTm)(&{+!AbTZm#2{_B!1( zd0m9Xc^4`okDEAty%^gVn-Z@U`&IdSGDTshO|qm&y=J4C+H%$`cTvL|mpLd(u;SCi zmNGCZNV1?$`n)U)td6y{u?D+G4b5@qu-q;JbDJxh8637#mX72;E{(oUtwyGri_I8- z8S#Q}!toC`0heJLfE+op#3|?W^>O_udsa&xmLL9k8Gg64b@VD}779ZtM5k>i`P3TB zl1J+|uw?_u2Afy*(k<)DqUDRCuG2OMz0`Zt!u7N-ve{Z^=+-|ZziTln;Z5p<3ZQ^y z>P<2|!!T27bFlQnDv2_)krh=mYfezOtDGEE!1|s1c7hWVr#76M3Q#Ue5;_kuo5v)3 z@x~j-ssLx0YPiWQY#WFqylR+7PHjhtYskPlyNUOr@p(+?q(mS=#WTi|>vSbS8-)p@ z<0%Om|Ml!ijia!kN(bcC)u6Gl*6yBnQT^XPlbaaos8vl~W15*#^^5 zI2@pTh_~(3gGa$*qmXx$&2A66V^kdEcIQ4&xs_+v}Jjw@{)t41ug-j8Nj8RFIpjP&V6O zcoCpxd>1||d|8V^YLv9vosp#k*eFVrCDlyIELUsS@)tr~1*8FQOtPX3;DuP_vk1P0 zY0O?250z1KoeszgpOi~8;UR!`>~INA<&1gmY@q$ZA+S|=6=>k^^=ji|W;T^tcG9z_ z?8jJr5A6k;qn|w@Lw6#MSrLt5!DwDPuASH9m)HlFyv*Dz6MA#9BwIFT=ZgD|c&#ta zlOp;0S;fN`CHk!r8z`TWZZX9Um3b5uVT;PDWtK!Z+l!q5NGDM-;(E#&A|n~2!4iwc z80jYsb$Ux;3+^F4%Zkh!Zsk+GnEiuiUr8Twy@qB4?)!oL-mna}(p)V&@}HOn`6R%Z zW*0GMmn@#m+%1`MIY_Tc=jh%XJ}{o>{Fqv3WNlko!*)t>tdQ6anes+A35C-lj|h;X zn6?s6*co#4F}kd;f^-u@k;llBsDMzW!!=@LsJNoa=-9xl5;je_fM}F7B#B#{u&0HI z2u8uR#Fj@FX8j?8h}hIP9hWLK49`{P9X+6enVLsSH&c8Y8Zm`Y(#@yWOWNp<3Y8S> z@IwEob0K95Un8{Zt3TZ;)NhJ@$Q^;JAX-SflYgO`((f$0niz|i$s)??J&Z_Ss_uA| zfv3;1#x=RH39IJBRn&A5pT1}3&DtzZe1^-Xd*7?^g%nn+AaWvl^+&nr1w>`oGYh0z z7d0NO5)|->Uwl+zZM5=`oWm2!EXKB4<*fdBf|&_bAEJYXXK59*Z`G;l9oOAXJFB&N ztvo}GTS{AOBs}Mzwq{Cca`o-cV;U;lnQ24(f6OJmc@o| zF6!vKaLgwudkM#%v@Ixczt^nX)BRyG!E>wA!IbsF+O8qc+hokd!9sbJm5L7oP=zPE zheu5y$EKUo;;#SJdb4w-)~LB`6Q7{SYZ!MRD1)Yp{KE`M-&#?X?}Btw*1lsGL2Ej8 zu4mK6_O>*#v?@=KnrJ#<^y;f>nDXLd>VB2@nCJ|>EF&GM(!RyA^u&7{eJ@EfMx5D0 zMb4dYawJQoUM4}MHJVo8zo^xkRH|u4g!DkHZ@20dMAhXM5GNF!QBI<~!O2(|=uMm? z!FhyynF{%qQIE4(J6oxDCsuPudoSv`GR4s~_3P_}I*Y|TLW8-&9~7uMU?sP_SJHmz zObpDiTBRZ-9i0WDH5+L0D{G~;1IO{0URwhf>S&byRKPeP8|IDs%*yJ@35?!b^M_Zi z<1!Vy?@KXZ#V57W9Kk=C7Oj<7%=&)rKJy`A0U+`8;W7;tQgj-YWeSmC=SM&2Ge zOiIklv=EZoXmMtrNiHvnCJSdR#&zmlc89rp&Tim@y|||ddv>3Zu;K1P%3MRiv#sdN zNsz?&mxk0GT%uyFPf^Or7yNuUgaNnXNP;uN@(e|0AqQM9h)|geqf5~MS??N8hh&#r z8n7?{z~+i*z}y6&@hJ#EH8(1cOBotpC_^q~@WnG&kW4f@WTG(-nb;cyZzyzrP=8X} zc*6S;XP%_PRA0xO+-PN8f^B!(HU5ShkD^uAB%b#Q^G%Xvu#YkRF@(YdUA|CTXc#6F z)rvzaVRpr7QihF$J6d^B;g*guB*P>oKcEDk#8J{ED^Y9>8cBu&i_W!%W3-+ez<_+0 zC$|d`<#64u6i1qZcFuh=b$XVv0nO7Mbq9(wQ~Vp=3>x3@62rev6`GY!x#05D8<13Q+0; zFD*vOoqU;?z_m4t{Ub&Z8BNdSsf>m!BhdGb_FmkJ`(&@0-E1qr zz0{v;x242lGX8`&W-%=I>n!P73xn0*KX#q^3mT-V!qwm}Mi=85BnZa_4x?@ibb_2J zDENJq91q#a!sITX4CN84ff4p8=GzOv^4i*{VgXU}{R!;d4!1!z&x~v+oWnN23U%MW zu__QHc#UQm71}b{QfH1uw!GMMP4czxsHM9(5qk^D0Kmo$uHG#?>jVeHh=>ldi-=9}9kCTG<0KGRhYk97OPcp?7&Dgixry(#Rl5a2DhS6N?!cLkY9Ot0w2k2HD;RP>hB>0@GQDu$ zsJs+_ff}`PtyG|qykTn?2nHLNY-|PV>r4)DPr-)B`bgP~!y`38B#oV_hWQkotZla` zN;o0v0(GPk?sk*SAcdAX??&ru`NkRp%8Q|7QF1(tP{em*b(2vt7Aiyp2v2m}6MS#`HATNsS#s963+RiC91ez) zc$3F0S#(NxMl;kYniFy}(}{wH z>4h2$0<``M@YOiE=qmodt1e8EB7*W+V|;!-c81QhodHH_&^1#x919LpMWjQ9L;xU4rNnp-kwX`CALk)CssR{4xFOBZf)^DN#Nr`#ftHm(^mn$ zl36B5lo~0=H(TrDj8Xf&5$zOUB6Hmx1h$Qj15=7nC4j9V+kPEW3`R1E9>ikzCG2$# zpDMbF&&oQQItAC$&T2ZQ6-Jl(W#{-{@8A_6p%vVVTKtB%_;1>qoW=${zQj+E{&C|9 z1LYfmJLL_g=brH`+Z86r>d6WvmTlVj8!KaIk59mhc!Kvz$VnuVAtmJFU|C(Q*6>|` zbiMKF3!|U9UNA*wic9H>$Q-X3+n~b4J7SZHBHtR*uwydrakSBQ+op=w!r1Gqqpd(P z{yN55%W8Kk(=c5idfkm4iv7XEfwn?g)Zu3}Ww&Vnwv^S#y1`WC@=b^JAhQ*egC3|T z81y9TgOlxY9=jRW)(W~$0&Ieo2RUo3Nza=R?_-+i~0c3YzBVn+>} zaxrv=Z(dlvq(dgm(W9$b&b!}tZuZ@F-)_7&qq61qMTSKnvZmx8D|sEHR0J7X$7CsW z`)Zjxyek2TEr|)JO=tOE$yx#_Y7$z?lQe}6)Tx<*OEt(jrD)*Z3r@F<+y)G(SFT(R zj4u^rGj9g=n-mSn4~s^o2N?L{%DvpBquG-_m07o9Vp(65QZ8VBu5bB07U+zY9&OgD zdznF=gTKTpSFz?2=$LD#t`a3MUn}lj#T4^^tkYLh<~yVgxsHk9#i(w04v#fRDI;2U zqH4;3(DaZm5&>Xm(OK_?1Hy5!b+S-#Zg1wQju*) zN_(fx^Na4FvKzd3Un5sXC|Xip0`}(iZR2#I@~Q`G9I?2f@nhGU)V4@6mo*mV-C9cL zel5l9%7AQQAdkE>VJR*0dvr9u`q|~E2BwNp2Iz(J-VN%QvWz%RsBQ5+^`MlO#dN{@ zz33oQQMFPos1l2cgC-`xx&+-0$8L%yP@+TmTyZz*=J1j-eLGK@L+Cse;y_YYEtIQA zd2j$$gn-2utzHBMN&9#5=BRlbzTSDYw`)gB)-hJ|DmL!^`-!KobU@K72fT*b0ih3XNL()5KY z8Cs{03GcwP#wdFT;I(^4^xbTx4`|fxlIo3)GezzwzqKgywVrAP&qO@f;_)QvVrqly z@etDsB*TCNST^gQbo+5_SrJ6fH0D2BmX~bH>9p%V?rvrOgMm^fiAhqga?z8JkCRSF z8GwcX`le+Z>k!wJznVZ&3wC-FIIhomKZs)%wPHF}_65>;f7+XLM<9IR)bX|e+xsQE)2>I@8J*?90PG z)T(;u+}t#dPl8-RHy4q^7SOape9JoBapHt?y2fV%;25sE19PCb`{oQ*k?an2+ZAPpf`X{@Fu{(T;azR^wH>8BBB%^t&IRf8Ld3P;*V(4B6p2 zk!i+p#zMF|He7-|1I00r{eF?HJqL^;=SF`I_HYYL_`R{EX7J16d|@ft`LZI=hx~XI9*F;I@Uf0+8@?8um=l`OftPMJhtLN zHGG4rFF2^if`iJ1R6$Q~4t_c~{N-RPeVf%hK88+qNjrt&U7L5M?o6XDjmB11%E@SV zmhP<}_Oq=WIOT|j=n}Qw@1B#b?UW<8p(~U`WJqZXyz!dm$gp_70W$ozDVhhOQNY?| zn4hd>iY`ww`XMXSs7J?URY{wN=R`lV^laN672=kyh{K7xb4sbl)%;Ue!XAYyUCWMo zQH%W(BR0$uzK8@fQKx}0yfV=jwJ~Sv&;&Jz&LidowBFR{hCP?iqW3hbpqK{3HYjzc z|8hF3ue0vUeQGxQwdYYuIY}TppOl<;uF~&8HX)U*#Z}k23y*x((0yaqgP%mnr5<%= z*b0y?9ov~qP^Cn1$JL5@_c0=da8>+X-)u`{JiUr03bS?ZZEIr~gi;|7ZdnY-i{pBS zLA#xrNV;llo@8Gi??fc$3Trn;Tq6XGQC}4Nrf? zGzh;yM9yIuRQyg-rgEa@)Ey!Slcawb$4R#xE4paSRNU+PAZN2qmIG``Xw%+s09*N@ z+iQ=}mK|F{-q_?o#B;M7^}4?sAGKu2y4_fFFYTdaV|I(EYY%28rPlEY7eiY!d;y=0 zLD>ybT4!tD1^0%=Fzjw6u@6Y;Y6dFKb(Z;)?b`divFJ1!x0*&Snc`u2!>6T(Z0{rO zN@;$Zm?Fwk=)B7a_&vF;q$we)O;L{kr82pEl@aKwrD9k;cegG^6uE8(BXr-~N9O1Y;l+TaI%v!kd1x4;kC`xJ)NDTgP!;j8B9(J$dK<&6wq@BFGxC|#OV&L~*v z>h+Dr6KN2SX!hHc*TxuS+R66-!sGCI0H@x#%rJRKlM=rgX-YjcF<9lNwoakORA88l zc56;SH*6(9n{d-$HKfCU#nptQ%q3ao%oJosgBOWK2+2ew|-@po3JCA5OyhZ_(-uf z59O7e7$wUKmZcQtt{`}AlS-bYXzSfMzsu8;`9Q|*KR`<<;WT;0!w=4Edl>~-VUsIOk}G(EeyL=U zG(tNV6HO--i)kw`2~2s@sZ88>g}*c%B;9kgiY5n4)!4MhjaS7=fUl{-AAZ!C)}1k~jhj~-P6(~!k1@kts+9ns5ROyNtr16znWs3(HE7@9_ zX2^qzAD9g&MfDEEKFsdp(w`+EmST2D@oLkzs%s8hcba7<1O>Vt3S zaU=En(VB`p(N?F4FPyD95AcMQV&yc+_M8y%pu3fE_=fQVT;HaKjKMqpzVXq@xhDtQ zwoBAaa7iIqR)k4$82|!Q?rO3lBrWBV&4Z|>0f!L*exJhW&^3C#{NT8$%C;uZHD%|i zxCXI0LL93HJ^45uO1-Lp%+AVT+_yEgq*KkInX47u0Fj#izC3cdn6 zsIH8zqaH<|y+9A(D7XT-w=L_!MqOz0B~rT0R|t^Q0pD^?c0QP?bSlOGk52^?q)Eb> zT6Ey#a6jBVdUGOSQrq!Ww-qN6$Y~vFtape^#lsIApOY=pB?U-^p}4?L*=Rx? z>xsiwVre3QPHF3j&+!|!Os@;uv5mZpt#sDYv=EhNi!P<=Y}BQIC}8x3v*~%QRtwmG z(Q!w{(P8dWkA8G-z}SS%Z`w)qY&nfRM2RRMxKY!sJ4YeS9Q_5U-bmKj)bPXB zC>xj?AB~Qa1Vt6`YkQ4kiuEZLsh*T>hb_!Fy~uDZ^HPb}05$s4z8rv*^#aGk$-cS+ z4M|ZtvC*qRt~8<3qm|*Sl0xg%PoVRA2dAhqKsWPBc8JT_3pHySR*$aETu0JAFC|Mnp*hK^&>a@aABKAWdr-1>e*`rABCj|p#vUM;_wQ|Ox ztuaEDtvj_9lxH_=X@$lyWNZA3_D7M3*yMf9(YGkeXJBC%*9APE#)+}PB8a9ajf7zJ zf@K$aAfIT~)?%8%$TFu=6BqkMG(6?^T9}zJ_ne9AIrA(IhGfPZ^wF$|HMGWm!?IQe z+#zr9BvG1sL%q!2vXMv|TuVX!4pXqm>@yc(6f}HWO?n|tv#feU&!3_mGmujX{x1mk zCq=k9DXKF(i=xU2ou;T7I}Jspl7^zv&p9cop~q5@lXb z$hvc8VUhWER4b*46PHHkiNmXRmv4k8xS54)GXpj}^USC2vGq-m{PNN)0+k3LwZ7y2`&Mz>l z*=1K)30ey-Fy-PZSWAoKY^In%X39lT-_bYYx8VtyU+#Tqg=`G~Gd65tHPF(h3f3cY zttu9K3{d+p{(QXHS%g^l1iG?D(YPP7y-|=yd zghvOck*Kl)U&aaUGYe1neQ>^+p5y7sQd)c^&B zOb9DC;nqbeWucs}rHaQyFw<@pyDwaG!IBqdX%igJhW1S1;Z+r*s(rU83Gy`M+u(fK zrOOssxLr|5zWNHD4VWib2i*XalVvw@68kNXAT+xtE7y*Kk4qRlb1Ky_`;cXKZn2%$Q+3%rqCI^9mGGr;8k0W_2v*bh55vZnlSE{}S-3 ztiZPM?bD~U>rf2UwD(m(2VeiTNRW-E*lwha?|SE|1&-F_w(_MycLin}brtt9R# zsn#Sb%bvT6i+-B^g*P}Ywoal!Xi z>}u3+O1eTjoqeu1C;47uir4r`oMqQ}OuY>7Ypqgln%-`XKm1HYQ6V)Y?~BGlM(h z)N`CS@l`sSGc9nYl*hv@o4a&b{B^Y$ZnD%&I5~m}{nb(%9ZgAlm`DupqC4OjVnF-p z*_yZ{so2XcwY%UuaX$)joC_gPwegSxH~?cgh0fNxz+gIIM@PnP72ywhj$b1 zAo|j6f3RaTqFp+MzTsF;5htSH?9rG{bJ>c}m`FD21XwqqcrdXD#G!stf2tW=2PS!TbcEKYY!P-saeia7R znf6@7Qi0wxNRpy8RUh%Ob8Cv;+-*jT?k4F(W}bLadnIpCW zBBmSSSca>f4s`xcPU7kn0a9Cyc8(K1CleGXd;2k9YKTkhGX|2y$@A$ZatTL1G|D$r z9;b;^XmSkzM1` zGe=N(hK*Bgk*M%K1YA5Wd>R~f93^GF$k0o9po>g&zf9gFx9wtHFOzDwkk{Kg9}LGa z#}0+_Ey+X)S5?c2T`104EmtyxR>l}O z8D&<^2;91?riE5d$56RFWy1uuEGbOG)~>oyO5V*8Sj%@2N%MmTV1AErd=(l&6J`_| z_CTSVo85rLVEglY-;t41od1U$u?DaO&Ax#9VAY#Yl^%PQ;HLpxZfiR^x7^wNR6xRyjeaJJ=%le(9M@+fdgDG2J>`6r z6=KrCc8U%kSC9}THo(P2gHGCMQpxYE|M?YI}8Bg9Y$w19A1t&3vEZl!c_^)1xS zES<|->J}c6t8%d*uapy+vv^VE1RKdTvbu@XvjWwG9Wv3QHxQ-7tdW`+!Csw2kxJs@ z{jn}H^%34sQ3V=_#dQ()rboD~8o`xjEzJm@lwQ?{cVoIrtBlgblQBgO*&Gc;dNm!7 zEJr~xGgKDdwUJUm2{l7D@A`8mu@eQc*iUV z?y}wI=t$X2dJ!RO7x^!T5*ZYL({X~{-onrSA;^##!{W@6WM(*{FFOWI5x{TBD%mT{Pe%>9_FjzclMpRA$ z?EoiH=10(0AKF;QWgo!V9dSm1$xw2jcN4NLPvw9@i!8bmre1PGr1^rdQ=Mu7 z8wWvUZb8Xxt@F1>JEuRQE8Tmxz_X&c=`0)A&~we(rUGHK&Z~iHqpC~@zDd@YSA=mkM55Nn=#t8w5uxrEX;y-z1rl5U3U#jpx3KioV(1h0>|Z0Ln6@3Cy)6)>5Vl zpca_V5lsv^{TUe;QZ7uRezg-hbaU^HIG+`@B9uPK&=sN}T*agbRkn><&d{pO%$s`- zUvD%}mZFJdRxtn~r|T_$p!6?ko3NugWAjqqzt98fs~~( z9vU+Tg_$obZeB!e-{$j%$DVta^4)zd14iYxtYVF#Vm$bl0GNQ>ts^!rGD*;o@wi=x ze2P41m6|tLzGcMhBM+Y{t@`Su&#AkqarlwLW8oX@0E^=fzWJ2{44+o4Jkp*%^_gN9 zu+lnirCz0Pee8FgX|I=d`^Yj7700bI4cIwx0MDIvVTwV2p!#{RpizJYjXANPai3W5 zzXA;!UNp#~W0`gI$N2xyounfCXDg~$|Gqac2;@TWph@~6=7SBBIKgbdWqc+oER3TV z^)ITV*6Q@4^Mt=fWVe z^Kc%j!mcYNmVdBqi|n2>D6C6>GHZC@x(Sk+L>4*66bR6!H}gqWW1wRd*$ENMxE_+0 z<{<@q&l`kMXqr*@&=LWjr3lJ(X@-t(X|BL4iKz_!I;VD66S5 z5y(056;vx*3uhh7%w0^OU{3_k0}e}zp49yjKD&Cm@gBgu)>4j$O5Y)&qlj6w;|5cm z`g;mkud?d0YsN3J7-Qn;aV?gQCHPS?xkDXe>G;E_*KKttJxrF@il)S~sk}52HBY$_ zlc@+A2PUZN&iH?*;e{NuyxijWRWjd{b9##dK+(`D`6^-+>2$3X3`ckXR#6p?_wdOm zZgo58ncwbSb=!b4ZUR;^9>8!SE6~MCO0%4e#BAa)&(QxN5&#aOSpu!g_}Z$R->xNt zI=X+eb*+mPm+}&>ej&a8I;1zBj_e)mo$l@I@BL@yF1uvpO7bKVc_;)x!hQW7j`d#bEZ#eLfZr3{F=Te!X;Yr7M zCxNd)@aashL4eu{ZiZ7bSQ*FdE)shXp)gAt9<}R3ab0ZF0W}fBb+TEB$Nhw@R^s5* z!5bJ)f(+lQ7^VqF*wOS1j%2L8uZ&%iV1y5o3-;E+iln+ak)Z@HQE@?vtF0jJ;wev_ zJa7u45Z0*GRe#cC72|Q0VZt|Ptjou0g^qTNgELk&YdLT*(^W<~!NqVSmhCWE3J!P{ zivxR=e3U@E{AKU-$HON!7n?<$2$k7zimNbSRr^Dqkk#+;RDlw@s+MIY1&|d zfy=Ok*UjVIAEC<54}1H2r@!G0UhbV9z)2XqJUk9|;A}iT-P?V$zjGWMy*WNQJZaW~ z;3SR}pb4ZtSZhFcD0sk_w0>xgq~`w{EVKkTCky9s+={zb92Wv()hx7_lx7Gg&1Opi z)-AN>2d1Vf;aCPLfHxJIp+SZqm4PY0dux%-Ta_1s5zbWSIT&d%deGzKQ#c{Gl$(RBtrt5Su9 zm(|Un+LXyga2emQ!4Dz!Z~y`Wze(&^IfqB5A)wr=X0Y+04kwcH;^*cuve-e{l%l}& zy3l{TIXrEa`%!B=tOQ@tr~B^boqhG%E^Cr4ba( zZ__RuFd>M2(>~=c-KYjDgB5L_{jsX6Uc|kTsX7>1mG~c4z3^6@CegX+)?d}Ej#E`o zRx0OLRjX`Og}KF(8NIIj%{yS&EU5jL$~j;<@>SiaIvyygpYmwK`iUajmQKrNlr?Z9 zj3>@2mIj*_e;aQ0Hjg$-gjTfXYD@{PGS_#pVO82l>4KJp`!@*ulxhq?ZudjV zi}#hS^tLeVNHe@8YKoEs7%1A>GthQTg9kU8y%hG?X-kjB$XrZ9pi-CUBBpO^UheHT zgHmoKyR?J%Hs#VfI&7>bajzq`-Wb_#TrvSB-RnFt5QgIr zJ1RfKzt!L&hrFg>-fMMZ#Mfz8Q-*wKh|=JQAtq)hH?p#6lA1n9Th~E(HaZ>yC+H_ANrUAg5~{BSql!tUoN<&E%^2EajJoZl zRMGj@+~G_9Ih?>Fjvcj+>5#c%Fq60a= z2v(zJM^Z2l%~$(;C6`F~4;`js7r8%31t+B=5u3{{I^s)M#qx-B{i6)M z@sbidQ^RcR3xwKy(_WuM$t8YTacxJa#2#h+N9I8}|0*wvaEi?F4ZNn25=he_inr^P zP|Kf{PkI&l`k;do?5Oagv?Q3FJse@ibcN@@_YR;GrXX#j`{_efglJIx);j=3H15Iy zgsY)9qlG_9)}VP0@B!r_k{-;KQ$Rnj1}A&3e%fR8HbFcWLnT@Ro>Jy0%;tz3_|a75 ziCtbANV+uG6PM1>7k`MgSD%Ajvf=}Ui37)h#a=z?b70eB-Vjr|(P;=4y*@Y%Uo=m5 zc7OCZx0z#Bst#zNwtudtwA=|I%T(5!jPNkRy=VuaD!MP3Q(5nIV@(P|K-3~04?c*^ zILF|W*ghsB8sdlSd(m7;-kbm`>X0#3hMcvCu|5>cy0%LT+IqPHH@0uaFOMYdVP)y8F5} zL7|gN^2I=X2g~s)aRjQiIIh-^qEun2NXp3d?wEqvOPmPg@078D(9iC92X+bO#d@f+ zTcsA>4;o#)9h=&;$M)Qt)?2o6(tP#vJv8%!$xS$CE22ILp*6~V291O#&C}OACqDtn z4ej*s=>A&!X%VnVWwLP)IY=I< z-L{?8k2tBp>y)`JIDnq5taY%>n;%$}gpoH{r7-`ScwxhXjBAL0tXk{3`j7@!qEh3_% zRjmb&8`RX}$21gZiL0}=sqI?hbWxIF)WqXV{iF$5zj0pLFG?4}L0g4>vKxUx=&z5n zl9FC^K3p(=A1=Igzn#hGW@WU7Mw@#FKkw{UQhp-0lr{j&=W0y@9+BpAyp-Q0Q8$bT z+wYT243hD(!dZM&h_fuKcH0`$#&I%XC4MKG_9m(GLc*=jKv+Der9wz8z@!a)7G3tc ztb1yCcqqL1Fe_Ynq~I@J?i-IKRfd{JyM-KKshDY%Oacmu!p0!n1fU>CwcnLgXcy#$ z6nkn3a>d8Zkjc~xtX*v6IBppswmuURH9HLzlWv<4Q66=Ntx2zZa{6NLAVk^i;IJB; z?j7!)?4F+f##!R@Op)ce8kH?}ifw!B2YQkV$vN1vEw!e)FdP;Pgc++P;!BlaU&18x z>!^Sm_K-1GB7X1>_2UG-R9>(g#jH z52&G!0>q>{>BVKbvnZ($5&JO)48yk=9m{4D2gB={%k8OSaHtQ!o&Dq2_sS!skT!#} z3$Jeu#uhQn2SW}lHtdK|mn4?Jmn$puSM9#7G;EuP05adhkrCeo3n@&yGaaZEx`B3H%EAtJRH+C zIUClIBNx%4-Y{ybK>JC+_g>Sn9N60Ejd%hU1FoZSo9|bL1HMWXCcyNKO~JuaRfcbP zaSb?j7M=C*l3TLF#~fq}o03TOyigqXv`d#sRyj4~_K+AI&JIm7oXQZut?Y5kUCeHX zxNVu?bt#51wu}r4X5>?*+F~#qkNaI50Ra{!C`^vJi0=ZzfN6|GJzm7C{2Bb6MaGh=T(pr8MV1c$Hwq7T+N|W9u{e(-OdMib2x(2|795M&o{&RiXSS17@Uko02wt z4j}p=<_B0Vyc}?4p{3-HIe~RoSba=~M_m#IW^>sc9;wXI6e|;4Rca6w)^?ZP>t2+V zmJDG;9X9+ZKV;gePeiLk9&5h)koaIVpziHhS=0dV z#^fAsk?k^Pp+=W2ITMKar}*t6s~#fO+9O%BH+4AQQmhFZd$y?EQ$C?Tn(mXp=8 z^>Vnc=zf4wkzqRRe4Nms}NJT}wg$-Oafe6n>}&z^dIa#1n(egWXF{SnrVT z_1TWtck_&Qs(6KpT1`}IX0YT9*5AZ=uF=`{c5U#FwKcqe-agoQ-Fy!ZF5m%L9^m&i z>W{vOS-|^ugLg2Sw`+fcVuX+Q_6UB+E%o;Pue+!MelL5N#=0@b)TD!y1D;HvB=-W) zxH3FQH=b<~XJJ~(z~bF<8X6WP;Crxp`1Ap~W3#P*t{)sOQiY3zMOkKFNZSb6qdN zkiVXa*rE>pJ{*IbJsJ)uZ#2(9TB)htl>wthC1@1@d(OJ6&U7s7zjj^5nzWNXE@;3p zxAg{Y4!K#wZ~#V5Xl==t?w}oiP!|@Z0;uLZ?g7Wn{ucJ%FH8pNKKhA zyc8axUUAN8C4aOmiDPB3LMJ{qN72tv8is9nzLjO2R)#AczICPNefl@MW!_Z2ASzt= zXhj$g(sWJ6aOk2T9c5LGlQNHpPX}&Lwpr0=wH?+bGjS<8??ABP)DlW))pLlbDZKLU zD^?+*i$z)#u5&T7j`Bydbb#o)6d*^@>P20S^_?EQomNbwVECya$3~FJ#Fyr1b7( zG*PQ5Gc~2l;B0Z>s zwsQR^H$K0IQNI5NIz#}mi@hx|XDJbhOG;{Wma{67kuJN}Y=zZ(sP z0}u{+WDpO9>KkkD=ds5DYeEb zFYZaWkqmuEEHErZ8|5X&M-!t8Mv8Ta+eXZO`6w}L>w*d*~NsMLT0;(pnR2jGE5aA4+{4YWs~r@lBB&utT#N# zko7g=)LY|D5`O?fF(BasPkR_l*hxEP5Q|$*+rc|R|CHtPZxU2Xpq`-*Q0lhV`q3zP z{vJj2w~Fn03mjEYtG$0uY65C$%QPgck@^V|%i+KgW3Wo~dR2san`4N93j02Ap!KO@tfM$rZG~{So<~ z=!0ENqzCae!7Uj@t)elgvHIHJ92#>qLsQ)hFsn@;&z3I7iHC`0Djf_bP?FA>(Rg@1 zj`}$F1V;=2g&O4sD-7Ymxq48`>3b&$l4r;^zJs9#gViffv>7W74aRYkpOq{2@F5{|CrLn@)@D?c zVXK8#v*Y2=l6;X8vu;I4c0tdmO2w5K?b7i?0$FUx1$m~dvc*kcTyc4K|L~w09yEVB zI4N4d3~EVz&JAnGhhLt>RymGeNVVD_&a;!0E4E<+HC4tzqh-Cs3IRUnBs|&Q`MC+Z z0KOhKcMHu`auALpr@Skzzbggfqz6o2$%%oqR<{%)Vn?FwN0i-29w@}rRt!W+TtUo2 ztoAdWh;+_kj2X1-xr##|JzMD4iG1NJO7O&On+->{zfAzS+jrjL*d3${AAS#O~;zGn#y={>B`pR^r8myeJd^D9bG*&tOp$fjlCeqO;2agkW8h`@mHqhGq zrq@>gp$7qt3_fMl5A`%2(gacwo1S<#7T>?a>y@(=ypb}$r>WoPE13qgncD`Nxiu^s zH>Yt1Pxrms;@L{p_K?9!k%=&JW?2mU1>64l4=Avx=!lH2A^x$kSZ$ zO`Yx-gK!Oa6m%sGVzd=Y%$WI*z0`F#QCW-8!k6+a!gt1e^k2l>m>Pz7N~Usz@_8Gz zLz%5b#X4{tS?pLf9n9FcnwrSsb@Aj>9%9{r@dgXF8GEE&@_T`YY9TfA6G)5LLATmX zi)Z1uX>|t~`ojLQ;z6kbSLJxMCcjs4VO_UYv<>(@_->m#Z~yU+K&6o6Ivnv0Ua=b} z7Qh#8;mLaQ^e$yKkew(d`RQb9cjIM#^cy_!~Xq8IY`&F7o z+`UOq%~K9fc2SNx`XxLLPxk(^Nq%**fpuwhgKDbRHyTf*L94==t+53k5)(16 zDjs908l0`D+h%!BO+ZN!8j&qKsE<}e|I`t{ry5FXqO2 zdAjXaw`-er0$CjqrsL9j(0pD;$d zN)jrR5<&~1nDH0nJWD9m(!=BiVY~6R@${K^z*g16y6<7bdZ@R)T1>pm<)|;E^|S6^ zJ-HBZliX^J0u)L(CiY4s=q3@WfE;^nTa@)W<#yWZD7C4XXwO{rpi(T-`n5Z#FjuCR zVS$H5@wn<{T=n$0>XpSrZ8a>w?iz)UgYz0>SQ(>UvJK-}Jl7B#W{8dS5F57~BAMss z4Y83PB8^fXeH5tHI`-^*gJolI#k9e91{T3v)Wp8n-UEqpV4EHR}*Gmu8NT8?Oei zC7x55>&fElxp9v@GlOT29YKxsKw}46~i&l-^gX>=!t2T%9i-?15PG8hxW8SL>lSz2iQ0C1{tN2O0o1b;k7e8|I zQ*qo$ZRtJqdp71AqUHuG4T~I56k|s{g&lfuBGTOfGlCRZTTbmxduVV*huwDK>IFvL z6zDS}MzNlAg!dpQD6*vCEa37iy3k0`g}INk*+d~&;JlE~T2YsLz(`^f_oQkNhQI9O z__O8?&T$(Oh|D_i`OPo*>g06i^vy|G9AxOGJKz3O+#1_=j{!cz{`1+!({I!EpN%Ka zzSw{Msp5Yd^UweHf6?T#5gd-A7AJtug#Eszg3ZA>@Q2^E=~perU*8Y8l30CyG1B~E zr1`~2^FE9;2k~UR+sQoZ((}PQ@x0^7|MW+n++Z^v4Sg1vz@B|=<;qH%b4t@%r zJy~8>YD_Ltwh!?tl6VRN+&zb74)NLnv+1M^KJ6+Y(CKI}mFpF4sPcjum!KeYTY}fP z=qyelfUJNBwu>Cr{9ZZm$iGdoM}#M5F*18nFQ!ZE?>pVju+t9Q(rJbaiHRcH%SgAWOEl@>jJ4gYR zd3Z)u4Y2iP>vmhM>fduBU$X%uEt>pL(3YR8dKmJ+1w!UwYcO%|*NJw7Jbe1=#LV^# zRX(@u+rz(2DfO%M#6fzTK*+&W%bpfj;ftMDw$lR&74$CEg#%Te9c0#Ol6ypzN*SJL zFSn{`N-MwhlZr>GG53T{PyNfmuwAy=Itlk)?!7z={(;|)-<%xtw_o5JhgV7mjo|nP zsKEvi;^dSi6raT%_N4bd_85GVl&pDpEd^=Lvem^9)*39E!>U2qWwor7tCyTL5(!RP zJiOjztryB|`^)f`<9)J=rKi^yG1}m42Pe(uPiPpcUa;pm-`Udx9pYSURmq;#nv59M z?qjH<-lfFfRs$iC5<)YnO=;=8>}7o;u#z4^KPe&ncK;SF1`t8&rxJzI_;26p!4P| zsV+@q;I4gRq9`*0PAAEDNE0MNNJi77?K$2%g`JR5TaZCohmtMBd7zrp#@3cmbk>5A zx^c-enKY`vTh41S3GB3OhjF<>#mHva#zf^Y*TA_VI{c5L8)GW&Wm}3PdiCQzEyu&m z@G&N9>e-|EdsLH_vx5)T07RHMh2m5ZTBRy)yr;X$Y}K{3!hM2R(3Dy*?j(2^G>;DV_xBD=*nx3Nr$j)N;FI@! z;n4EvDRJ1OhZFFi;e*klVuH>Mm7tT%(5Nh?DZwlyPdFhc{(`14vdHV5y@UP3!y~+} zI%!(hGVWl1d~;MuBZj*VY0nA9%RXk-VAh&2f4A6@%w7?pX;sbtY|UOJRbbjevkm-% z&tQyj;J|?J0hulehQBVgmka|IeaGK!QvIFrWN+crt z5i*{0>zln-_B0G#rUdAj1Y8mptH*L1<-1nF(FAb5U>KSXA7VM8V9Cm7GT$god@unk z-&nbo0VuYpwd8GjJKeT(W#KR#X!Pl2IyCZ|vnR+u#fY!;-gjhaN4u?1O)8hX2$fo@ zEN(q|^xlF7)MBY+r&vaZC94GoS|ZmHeMU6zQb1I>MrDsfO%FVr4rU@ZhJiSbO~rdz z`$o(J^9^9L5T0LP#o_?naX1|yl*dYLZ#(R!@Y2+_hnIecH7hATS=?V#?8E2`dW>2V z(wl`O*kP?&G94&M6o_Sba(dj{d5x0Z>G7L`U7xdKu7rmz3!0Sjg-fmT*``^}C#BHL z=a5ozp?WXCBx@oYXh@8V=<2+(8JXg_&4DaM5|*nY@oZ_ICIWxuqAj;kBtp%x5?W@O zPhN6R180!MSxe|m7xdx@Ph+707-2eBMiv13B=Gq~HQGlDjLVjX(h7j|yDS~1Lw$Q5 zJ;0}uZ!|aEO|j9*c>w>x*R6SkAiw1W4)h_nqNN)CSxLDUre3C~*)g<9HV*6w-5CZQ zqHhi@%awT+TKXJo39sy%JF$%2i=WpK&tY5exDaK7pJ@cI6OGrJ9yJ9#4MX{ zxdoM*$@SQpyIjV{M(+g~AM#!nO}rYjN(Ryqg=TITvBhSg=-Lbhjv1hPo(A__cz(~P zUvuuMa9w>z$3uBA=4C7?tt8=6P2b;eEYrawKzP-u~-SNT1dMd^U|h_wGdD2 z2(?NgKtblGdK-F=6ssy}SmbjYYUW!kMv~DYOl7~GwKzo=Tm(>3y zc{&=$oi0WRb*=-{TNPMyL$zVYTU6O?4T-^g>up6nCGRM%jCIYsY%_dzs)}lmLiKEpnk=W8LiQ>JpaFP4-mql{ zS8b~2%7{cRqyf#alt~O>ZX2l+SJ?bc-?`~Jss#%`|pE9)51!TzM}n7FI> zkc*o7i=F>6r6emd_0O?8*M|DlAR=s!`Jnsg)^V2y(+}$d3i5R6do`XE zyhKG?cbLrOHUQ7UDBXRoJHb4mpC@fpN!_a}0qPR6Pbq<@Cr~snWuMROAU96*Om_hQ zFp5d;Lkb8nudl$o0iYH3|G4vW6R%>O*x zYX;&C(#_#K<7z;vU%W}G6r~sYCQ*8azl)IfG59+w7vTehK=_Mj{V`zu>)+4D-S#=Y zgMm^hPK(QtyYjnW<$JaZX_W)Mdt~)^{5Mx$d8e-QB5jQo+aT|Doa;M zOGXTOgXhb3!};@Km)0n z5?(lwi8#L-NRa@q3eF|NZ_%BCVSJF`(Z z)xr7L***Mlm7eBop7dT>UXtN3hNhyN3j(SlGf4>Ii}A6OS~}e9S&Z@tYKv1Dx)j22 z#$CI|Z97YQ3b!=aGI2Nwu4rp2&FGD!s}xT|!dJ!0zLdEQm>lK8UU*tI2@n9wz$9e_ zjmSr;4W_9g#Q`8CO)WQ`KN^Ej8PGAVAnf!SJPPU+7lMrTi;i#(sB+Mw{DI3Ik{N`3 ziqn1L+$$UG(11C8ENnMSb)5vtNpe+~O)^2^sO{$9HN{s4 z@rQ}eW7;Z$8UqkxviPAjc7CZyVZrbZfn)A$lrA<|OW8#1zqUcnndDJKB zWzL%PB+Mxj^%gpy^J!kx(@An=JKCXyAE?(BwT7SSczJlp%_0hO3H@k`>gZmzxrJ)g$1Tr5vwU=NFv(?|^9C-_ z8Z(1t(3ZJF0l9w6Pq!>+QRkF52ondLvPz-TJ)e#vc5%c0&;X&EOz2XgN5L{gL5|9t zP0^_ngGSOeYdSb|1EpD@xI*7EQT3HrrtG~;Ky=IpOrdb2GeS6tuQ)jc8gHOaSzHT( zCT8M*Rmwb{ zoPL4{lxCoO#mpH9MJ>*YR$XE{e$Oc--1?Hp!Fw_j-K5+KB1NU^TNWHL2A(8iZl!Rv zgwFsDPpNeY4P_)O*lxT}wV@Imq2u9b+{H5>VJ4WI5iu(hZo&@Uufalg6E2^`(YSR{ z3x2^%L%^u^(Ck-^y*iFn^=Lo|SD=etw-ucMq7ZrccRCvrIP-Ll}OMrUv8olKrd!4}LA%w&v z;zJzQ&TBz?O1jxd4qdkR5g1())MQgbp$)S7C2JXuQ!^Z51{^UP3&hL?3uzb+%;?ZC zjm)zvJjivO+}mYz*kc1+X{?-zn?-JakRY`g`Vuq&khsukMV8Jt5?YqTI2~#FkNs0=xO)LnwiN%kY7_ z^W9*DwgR!Hx~C+sm+QrPdC*PHdePt#daK;3SBex)q*5!BSSzji#|N<1X{J?Wh~$T8 zbZ?z$_?zi~`Q47Mta>CjtPZaS=-$CUC`yI;aT&)W6USr~k!{!snMA8!*A$qGPA4mt zyq*9+O2#gMx`&|#%A28ZcH^{7K~DfeYIi|(=dw$KNa$LK?6vmaYz?n z;;nx&65(FkMe!oIzKAKP4p9^wm|P4cnt7reSO`~pr{Bxs*m zRL5$>3nMv&R2&S|G!rHJ%;o8&*VtZEWy-r`fj6)x0mtXorv$A!X@vD<>ma$^CYIyR z09d{46>#N2K7jvda5{*}KqZ5ZKL;?GW?I0+2Y*svdLXIL6KHC;^;r>=B^JA@HJ4Q8 zG>r9t@G9ExZMz@$Tcew@byidZYxtP!jkAlHvxKs}nN%q1=s>ejQn-9T@z!q9#B7(N zQpNNk{@?Cd-luRvlPl#bE@vVh0h@kIp+#g&vGip;YxjB{7I_k3OqEF-UI7LOr+{DU z>V(H1jeM_Ae674Hq#oDs-HmX>Jdn~@%FPuX#Q@`*WKC38>6SB+BVlqhI9CoB7l5|G z*$p%zWVRo*C;$Q8wIKKWp%b&G1*;I)WdhynI#EkpEu!9abdvMBPHy8s5sFvb^yMu_a{?JGi)w(+aE|P)kgQaZikS4G6dc<{@^I~ zuz)YrgF7D85tPmhg0Tkop&Cb5d!3>X&uPCjzq{Ik_l6Ut31ZAH%`OVQInPA30z;^} zdqKNRs&=ZH_K>L+Di^w~d|yXRsA!dET)4>ofD*(4rF5w&uV-gujqJ!q3IpV#;8x>f z1#|8QOL?1C%8_LfN^@p+WN4ECteS{-gLpyL#2?%lQV47ym`n$QxR(bzOYecWQyL5h zajBwp@^rgn$On>z$&|cqF$*;iVxGzpKHb*a<7})21bp#a`{o#WYVA9$VI~c~3esKW zTtcD7KnBLqs(7XNYC^&*Au8MJzhnZ9p^v!a$eKCI#^)Jjqi~cmQj88dnPBE!ni#DM zYl>-6%slvM$c1U49Y|y+k(vYJ6<0^Z`i2e{o2>H1>)47*=8U`TZ0D=Et!!kK2Iky!b9VmwptBd3#U6LFrCZ` z=S0-iT;Zg*>;tC0zG0=VP$loXrAl_tAU`s~vJ7aGy`}|lYGptG zDy_3nye9?NAf*GTHjq(pt`X^JYuf9DlEztwbIIPI<|!%d#6owi#Q5T ze%zrLg*f~T%g6+EG58)0VVf_CrxC+6$de|J1fpUHA~}2tCTMf@Yy>7N$iIQRH}kOW zM(k=v{g;)aK$#4&?-QEDMC}TBrvtTY)Q<; zd7hi|^zGn%&00MptES4ZY+ImB1X)92im{(kc$C8N+ES02dcs8GXf|7~FLMAI0YlV-xVM%x&DLlEBTN?tewp!q6I3ja~ z(eRAi#v|J#0Z9vzNj6Xe_T+)QBu-^u+uc}<7J_HMRx9dqn{V=&3lJ7r0y`-Sp>0R~ zphlpuod&>7ekvZvGF>A1Qxgs&D&B#wkptVy-4wAmcja%qmX`{uS{Xa%LW`k!$ zp(vC~08_-*ix5UwEtf z`0^|LD|u8mW!||B_N-`6^ z=E0f$R&@eTo@}AY|61;fl})CwZ(6995|(MCdXlRup4%)ljg*S|t3i-1F;M>}L0wL1 zoBXON%|uo+IdhEXi}4y#4{}_rSl7Yffmz)_BQ(SD0nCeV2g6CMj7}s)78(R45^_)R zhi&DrPvm=bRiYTIuIg)ocN=s;@gTt59toK=q2~16#u^50=nk-v2hN3o%Y0g=!y{US z1-MJq5RG4Pma~r*>8S982|lm*{O3gt8Lf>RsI}8pXaJ2)Jiaq(sC+GHwE%L?))v+F zRn{yDPbz~{#>hy_u{C5;-U4zKw9mqJcP#P;9wRAcQrv(Yt5k~OXj4k62Sr9?GmSK= zY*9P*&Jz#(@(A#3fG+J;348!mN7BTIIr`=3Jn9ZMwJfqaB7>_DSyru+h0Tbi16ERw ztaDGv|EnW?0c>)K;e>e%8{a;CI&ZSDnfITBi3$|b^ZH7T(rC3jLZMrVNJM>_aMn1C zmOgGx$8k80*_Lz=4p>2H-H{D@ZC6yhHm(gMS8xgnb-&5C!QBqt&Z#vY8W-;o`A*{B zB<`V7Yf2BslpiCZznFYOp$M}ejv%4*uc#6Z8TL%0R^9NQEFs}FDV$5)4&64=FNBL4 zfQn#k1$ZNVUq|X6jbk7cS1|%cRjN`X3e9af8Q1)ZY_x<%x{}qcQ^2{7$)3$UY;T6rJ~8Xur96MwsAT3Z0v~`-cb3@Syq2LGv_~;%iB8W|0AN!xeShdv8!m z#ypb$m7JIhY-oJ6_d>2(76N^uLC=uqzZ(kyy*(a|0yF@MKy|-FfCuLkZCDJn4g5WG zU>AxuEex(!pdQdYUS`3v4Zwua6oaNb7DT~wbPvrehL`yAf2REr8-Ir#l<$>UGg*Nr zXu)j(pdyyi6en}qYN4Gr2511%eM5#JtX3<)tjUm@xQcpHPUU)oo-OFH*Snz*PsUtY zEsi}d+ZqM!s$d0xgjyCCY#>yVaGHuPrOYCP>T0%L3eMrjO&m}_rPG_kKg?e)B&gQj z%l(~@NNp4EGgXYSgl;BdOgaPOqdU%C_Y$z-I}Vxr97qMRED~Rdfj^E%J)Eu4cWEPh zLH20i_yf?0$vP%D8KS8>-G`Q-M`+&;KPo2>uC!2mc>+^HPjvHKD!bN7!XnC%r&vUN z$|DGu=T77qIN65xp<_mPuMm*O+WU2TYO%E`>DKX7 zlq?80l%XO?LaM2_d!Ia(ylt>oVJ=UeYSOk>{xdLv9)YNcL5de0(;vzsWp?w7DJv~q zQVn2PfoL$kebW|XGd!l>+7BxEj4HTwUVm)+I6S1xdk$8J8%+kVKGaEr`wfTZ#;t-o zNQ#RbjObet#Hj>{pKkK33Z54HwpDF zYE$wGi#XA@&`S0^TYC^&n>w*5)tTr_74H5MN&VRk{m&v_tM$7d&LIQ41qbv+F8=e$ z#iu}HwY$+ZdvY6k5FkD9>rraKDfxh-tM9TnL}OqF?2LnHDlh1>2qkah%fWmSCr26$ zlcamrgVum`yJl_s+(W=F35Y2BG!G6>Pu?7*8=_7YZ|taf{Mz*n$-mJk^@h%EFNVC5 z(NN$kt}p89|ILz)hJ}|Y{8Py|zM*=h8(T0@=f##JRM~Ie+mbOlyr?O_ z7G&8{Ilc(41lt}a&>aZ}7Pnx<~IXc#jKHd6$&0$9>`fEM$TdPz>4gyNyD zjfcZY&7!%u&EQPCD%)Ax<}z5pir70h3#g*$O%1W>lBxTS)$f zl=Kpd933CRpS>61%NOB(^WeSm)jk}FvYx02>Cq2ETsh%!h@BvJR5*^#;ebRfduuX{ zdd$61T&GGcctK%o#_?!4o=9S;!BAabi7pG-?;&2zN0(f=J77&d>TT^P5i}OQ){qQl z%nI_=0;P>cUVwKTvSFx28;$5nf#bFaYes&uEm#Py&iXIIR$4~}=Sm_I4}&0UROxxLcFMa~yYg z4Wb+Y(lbKl473D2bJQtS(a=fuIaH}WS#g9C>UyWW&Ox&5F6J^hRQ3Eo`o13iZQb>@_RKSs!dKKf;xvi64J>u>YGERa}ZNZ&vQt#_%3{hu1|+|~*z$i2|tOf&a1 z;yDi(KH<`8bzFb{=6-`>$~TEtXmX||(c>fZIUk{9a4;AD_ja<7Dhw$T3TOla^#kw2 z@>FpSMtYExLrh9T{+ToG9Z7U+C4Hv^bg*@dfhEc=BS@GyJ$p z*mpz$&4DCGXeih8h1#jAir=aHc%HqeeH(OHyO>M!<%n~2#WfN~24jsM|> zn;3VMtiKAqjdIb~tgtJ`DTmC^vaNQPIB$hD>*7@Rv&765DppNAW{mEw01q?Ar5^db zJPI=OxMf5ShHPuu+SZ;%XR`RV1`Ew+1LB2+4WlJ?W`bwgRRSD0aM|LnrQ&&8#nS6y z_V&z)dUNUMlW9QyKgbw5~1jX@!)66b~?@@rzYaSa}u{p*}sTT=P_8-ekN%=(35`XHBYr%CT2{>Mipm> znq``$uvKm_Y3uxaq?BD{?Hs*SVyIy4^?cA~m2c?)Jgz&&gH#3Ak;DxFZI574o3uh? z_=U0^a;ghB?kHBvDC&+m+7bZ2J7!BBI^$4(F&R!V78W{-Qy5jKv9bB>a;}671;P>sX@o%xtc6k}KuWRx0GOM}qiUyhu zzWc6u_;UH{da!o!kF~XnxHk&kuC?GRW8M2@{@iqv_oZU)W12t0)n#l<>`W;-4qg_0 zmEzx#*;N@K61fx|UIB01t}Vmi@HY7RD;VhCf{oz)78$Bhi!|(@^!492K9=YK5;N$a z(_LOZJUZPwJUH3@8iTeEM=(!dtT!)$wKdGXB!k_o((KmOu#xXSmMY6JFx;e+=4a9h zG{4MVJ9M)NLISWYzTWSnCGw zme=B7C0T!0e*1QlqIzz=Uw!}XA78D$tGq+Ew|6zX#popX(=D?7uCo5FZWpPM>hSUU z`N}-)cH3b;8WpzNZDWaf8yroFM>(3@ysP!24|6v-feJ+pP8MwtI2EYV?v7_Si-qQG zHi|;nOQdEiYBw5Z*kp{D| z3}>LEDzn(IFQVQg>7EawUh&Ae2o;|n)bSZWa)H*l!u%kIlWKw1vH1LL-z2@^d11Tw zUX`1-St#3!uj1b9hPl`R?dH=gtJQ_Dt~=;XLSUtf&lM>24($dOYj)b5r&%nuP_yTA zHG955v%PM=TTI+WV=gmqi=u$T-|uQrs@*;BPN)<;>5i_Rn8u;-yT|XI0QKk4z<2M% zX?gMHa>0;lZw?wv98^5WS+Vv!EseTY!$~d^Fjo_o{p7r$`cjGuL~i^g8j$sFszDoV z;pleXD6=sy4htJPjFigs!nw1)f)=1>1yp4tgu02;8w}@+Cg;;p>V+5(^**%E#v7@3 zcp7e#V&!x66i`=n7LFbP-+cP|2(w#(B+KF;W-%Eqld$;lU@!R^=<3_*amXynt zY{`1MD=uG6pM=E*ix=C7yQ{E)Sz@XDhnr7@<#LVZjt~GTihnBw)LS_4j>_G2OI3nTDo4+AGQ?=d|l5hJ+IQg=d6()S~chm zqc+Sp3vH_m*~nVuV2~eW1H*E3G)CIpFc|9x zZhrc?dAwcv?xaX`Q&RwpOMz6pIIFucipqm=HUXhq@ggYq2T{1TCVp)A% zOeUkv_4VXxP#g8yYotr94aeu}*d9J!KN}CPVVLXZ=x^GcjN9uN-0#x-{`YZwwOwyK z`|Go>_8&LCwf9mno*G>Jx{NkXglu1LR5pVtkt)ZX^wNXQKz1KC+@|aYe9Ykro0Tki zDHD(46l4F%8kx0akX3`>*zHcH=vE)cs4DGJ251tP_I~1tlg)jVlg@C0XcV$#Qkdd8 z9w$}Ld`cL(ghJcgq$;@^TU+dJ`Wgw;PWTSXJr7)Xr)uCORy~I(`Kd~pqG(b@=V&K5 zpALTSf*d&c8^|;Y6B^I;ma$fZxRl?CO~J~z)56y~|L5=+wxI6_Uiq)Df_*~TRTa2;quOdve!H>u*Y_Z%(dXam)y7Bj{qe`zDoAS>t&cFM^tBlU9&e?F zK_Y&$cW}?+Yt)|Ac#MB)8Y&h|wn~Vb|Kw-~*eGOZsH&;|hHrU{Epcu$Z%$9bgOgPC zy-{n9s(VMfP}S4>QMWxub#(CYRwtwJIYxd0kX1v6B^L(OeJd-D)?Mr)G>EUKbZcw# zMX=c))>YA^&h~$&%KkUouF+XBMYQTz*n}7Bj7-rOLmq5eeTcoNVO0)SQppK zR1i9hToskJhkw4n@Xv2K{PRVJe_k|v_`kvIw3T~4f;Ug?|aWYPR-1-({m~NlMRq-GF45ALjyM_to*?nx~HhjIF{C0BMeEkAn9i49f zw|}5o9AD=JXqW!mI--0nd5$WBCpEoR_^UKZF*=mk)VD2tQJmo ze{8>looW=zoM5lJNh`&p z{;UksXW_!n&C?&{4Xdj7uGD4vUPrB~UNp#U>G81jQ5QT$yLI{@2^}O8MKLz~R zdGRx{6))WO2c2+2diPWps`^V13{HVH|M^LN7p6?6?LjmN(N(AzB{aIe?&-|_L z9bx6uo#R))`Musb`HwfvC>|LdL8-5u;7TvPhZ@jQ1#%}#s;x)OXtfdR6fKK^@ z62W(LxOag0KTb{$kDGo#zWj0L;KhDE>d1S4<>t=-y_YX?E6e+w%14L$`}tMzt-s=% zgS}tF7kfLe@ZHwM-n(63&-$IX)3dWIce^`Io><{Ekq4)xVv+- z^TXc$-sxWRWQ)&nVk}hu{t=MY&pQTWKyZ9kBLUw_IE_$2nTMD4w5rbLLW7F43n??q zX7EGY!Oe$vET}$XBO%roSA(13ltNmxIC4CQudXs(nqsGhO{FnjM~(6NWGHtw!Pgr~ zMEhdGanJT2s6q&*lWs4mweHU}qQL*_@sp?DrtCi+*PqnC*nfPEf9tD3uX_gT9*w%o z!74`Q-W`r^#@+LaN$~&vZ_wDN{{>FgaW|QCVb}gJj;82=^<7Ins-5wp@26)VpiOIV z_&=}ZG!qSmgKjJ81^W|<_NDq8v+L`t!8afmXe%U+y z@$k)QuygQR@XOBe@y@~NZ(I8MG`^CESQzG_i(yTp@i-bxZeWVo!t3VoE-)IWe4zY> z0jgf^ogN@Xe+k0rPH?nye7d*$W`E~6IC^t@ba>LN1;I&7ety_M0f;&TWte+AosV$8~j6WY%PeuVCE%M`H{c)^JU$Su4y9SkSc;F`RoC1zLN zT2zC*L90fvd|HQ6(crQNus@kVd1&Khw*&3J>g*e|YfbR6d0rB`tc#NM%%bzo zbC9;jL-!G91i)t$dlN$d(87e1VTjF?(SK$lK{)Y&_A7^{n8QpGG)p2hQstQJAQVj| zYPUn3$qjZjmctJxm?s5A4GGQ|C{voFU^P}Wrm`8qVff3j4uy4k{N`YngJNNjfG0mdNn)%rWLJ4wp6rAaDHygf$3IXJChQPm4E6UMvm>4Rb$i))#tkRIs<#D70_=9Zfxq4LK}FAt4{%KZ1=N6JB&Y!;?`sq z(A_P-bznb1x$LZ#=ib74MsCt~X{G2K%1}RhNC+JuFBtlm`m^7u-Z>L3Q6fbm0FFQJ z>~FcP+sQx_C^^6!GAJB8%{?I)ARLQ=~jfIQ@NRfCi5+>0n6Vdxv9U(iIm$ zct%SYQbl(m2dNd)sbB0^>%6Iw-+3Jg4ui~^h5+vPL)3T$VRB8V#Kjw10^P2cxoT5?^pJs4@?Sgq@oNFKvTRoOs%4 zI1|0jiRPC>A+SwFAi5?JF|WLZ+?@ngJprh5fsh2Qfc}P8QI9|*O_n>!+Vf7x4xZci z)2dQ2RZPcr4CM4KEAG++*L264oVk0iljz-d<`F488LRNO1rVrL4SZvF0yrxqx$BTS zGUiVEen%|3*V%+wfZISGJiWX&d#1Uz}so9Zyn;Bo`O$lvc`S z-cgG{abJ-$8PL~Z2gq%(3Lgn7=!#_zkHkcWpJ`XMNsW26FgmJrmZeYe^fNfqfARYt zv~y3^KgHEZzW*;@m+1SSZ@>Mwje5QD?AgBsPruy%{2}X)&+ywCeu*ZNsCDrP*T4Ss zY5iHo|GV++m;1lZ?*9$zy&2F21=+H5u*F{YY#fbm$Ul5KxfqUh{it zPu3C;(NyZI6=1-_r`1aD|6?S%zwqWCCOo+ zy1u8Z)m3lOA_>T45aw?%?E7$p6)O}~1;wnfs_BKmqIZ>F-Sw*StGnG)B7_l^J{T9= zS3;EqE-PoQAO-a_SC#_Ld9Exm`ceAQ@(wqaCaCIH!NK8abCY+l+Cs7&C`u1*kD*%O zgpfMmV)z=61>IoU(YQ^D7igy)^WKEr&gfvJ>cPg~OLtO(0bA9aO6;4|ru0g*U!CeI zg`|w34f}imxX|V@=$kk0cPaTdZ+bH=Xe+h3DMKbw6O2_coF+jZ>I~boEp0Mk&A%2j zYv(nNCdL0OxUCHU&667p%Zg>m!R|ZDx!$H@6d(sv&SX+VqyWM|Jdc5psWEZB(XTB3 zE@-eERf1mJnGl-Av`*!-3fH#As52;a0L5#RgUVfee2&4Bg3H11T5af+1a>pve;3Ac z5#bNms}b5MV=#S+DUKwGvZX?ExLSfrE`DU@&a#}e5y17VLbF)JmP z#inWHD8Mc3&uc-OyxtOA{aCck*bNXTg+dl`4caPGSgNc6J!61{0LcW#6u_cCcUpw@ z>>^0vW)uMl!&_uo?Z*&)ZI=c>s&7im%jn%g?p?-BO#;iaKeP&Fwd%S@<5B}$Cgb6a zLDB+&*pGkjs@2PSR0#S>H6v% z9>rsff)}?f&W3%BzbeMxLd-3|S;7rOivLdHzX7!B8yo-4QRBGe_SfYZgj25)LPfxe zhd%n6jb+qsz%YROC3knOz6jTCprUZ@;_+5w0~yKfDOc_(b06mv~}=G@he zp9cbV?~5Wv3P^W_!}Hs~0jZw`#jODF{PqASL&OP{)b|M(|s{o+-7^+5gyt$5G}?rh@}iPefm6G;~V&B=&Fl#~Tf5#(x>Pe_b{at;Tdz^_)YV(7!e z#)?CmDil@W^C97^0o^waGGZ)_gUrnn+W9ceYH%K0n~iBKZ_J5n_lRjycTO7j|Fie5 z3vC=rqv-yNo}wcYTXN79uoDPg#vt45g@FTj#rbT1@*s_1f;6MdNXD$#`|o*-^LxL> z+2_GdRrO_hW_m6H;W%0HTCp{KsjjZB?yjz`u9}U{+P7h}8}Eg=sBjjW|7^U+D%*j6 z=DM)C8>b##aS0WRWD|bgXkl^Z+(mtjGl7B2*-b>>{1FlJL0rn9py~4=pQ#B&xLP*p zYT4Up&CFzf0{Pk*^!xXm=-18`$(9{=9#T0Sl)_U-$}GKuRlZQevx=h2@FUvsWn3a5 zHFOQ$n2g2^yaVMP!684E2PqDqm#`X?Q+5hz#ejM!`bxN5- zN?kpCeJWlnc8-tb?nOY`9LoYk#*PTnHozI(LByh8P$2r`@821u8EM0zRCPi+05-pZopM#K0_`hA|G>Fq4Z(T zn4k}I#2*wvJY|Ga^ll{)bL;PM|BsQsWdPycoUTUG-+wmSYpuBd@6|_-n~VG3uk`*? z4Ry-<&(-kZCS6)#8GaMI!A@-d+-5H^qKC_V4)6=(9Ko0V9(3{4bMe&kTYT!NJ-u|i z{MVTHIv)O0hi`ghiT5PXQ+l?+gIh+-QMoayu=Ov$#sVAc`+&T3v9|yX4gB8Ii#;Al zSGwSnM&Bc7itOkt|Gc*%z{2m3Z{HJWy)^+&*tf5+hqUFDmdNlIR&}%q>EFT6f1M1gNy z6v)})!|bUG1Kp2F3KSwUAw47n3f(nBG#M=z@}&>uUPAe!c=aoV20(=dF5IoMl15No z;8q*qURyyCMLmtdg3~}g4;wrE?u5bL^yJOItW@Quj%mt*eoSxhDrGEEHonr5Rkp&n zpP%gBa9k;eh9s~P$G&Q~JC}v=1|{GQ&bzllvJ5pw`!?z(q)%A!NImu#9HAR6NF zBKETxd%h^&;T3xnAUiH#r}tgFq8%fp<51|8#V>o$u?L;q3dgKkW$X{uXuuM}FI`BJ z;CepVOkJZJZXxM#wGloR?Qby6DhJEs{5z9%Nc!n^DOg-L>nYtYh{(z5_UY>riA-Us zGgW-l9>%Iyffcjd7a3oApi94KSd6`K}6C ztbK$AG2Tm;i;$IGID^F_&@yQu)vBeQ(?UfQJ++GQlKF(ftpmA3_=zJMtq71@qWR<` zq_Y2J2VFh`3T3s>3h#3OAS1VaW?g3WNwE73I#PJNg@!VFu=#B2+e4e$$(lfa_N+;O zMSIfd{O6AZ##VsgL{NGW{Q*4Xu`hhC50GKIh^|QE>4c7!e3!w;aQ_jfLeu$Aun&HG z4gK%hqqX(;`S0=Cqs94easFGJ{}$)J#rbb>{#%^?7U#dk`R^}s{#%?v{z9ja%=iDn z^#~8_ckKUR?eXKp`~TI)i}>$f^Zoysg&qL-d*V+sx&kO@0}_4z@7w3T9grAKPe5_9 z0K1)eC@Uh<1*KBo@p0B{eGtZLwf=|FKu-~$?eM!Ku93GIA1$8(Lqh_4U- zF@J0svEw>o%ksLqHbAp3s6YahvR+#fhG3!?egkrBSzwqbH%L!yt7KSH$o@_s#;xv7 z_FlYveT4s@{T=*s+Btp&1rgV&D_)8UZ;M;YEr30BF?jnDE;?If{JYG%C!SpDozr?& z8#0WoY_poD3N(h^Ibz2_;m!k~-m+!<#@G`CoIjZiUuLGkpRiUl_FgjrSD5&5m}uO$ zEW4$@`wJgXvSsM$hVnGYRB<{_)Y zB8AHrEEy&9Dw27xZ=(>vuIvYJJRJredX|7?Zs>V3uH*_WtfVBn^4td#a_xZ%G#8-R zeeJa)z_Z-zD+?Aic6zvbhz(p}J?jirWfb=ng9+KgLFo>LZx$k#Mjz8l5}uj4t-KMU zLfP5T(O8oa9?1)bc0wta%l{9wwwhC)`}bNX_7{r%Z_ma%8M-GDi)RFTMy~39Jh?zG z`_V+>Re*?-lM@2y+=f%aBzCosWn4~f$vF~u5L@5WGk~HzbY8%foLW}jKAWC%ZIhPz z`_z#-s7To%SzCvxx@Eca+s(E@J^f}WT2knQxeq$=Pw@6VRDm<=AFM1oP+p3tbUL>koc=z`m?djj(H2DZPfHYDheJBk46Jss{C2;FMLPuWFz#-Jn2? zk*YxyS2bKuE6e|g8oz5;!N?V;v8!ra*u$}^kWu3wvPN@7{vQ**Y?_`j(3KGmUqbgO zUNR_EVYrE~w}(fkdxr<_>-G9O_Z_-1l30~@ywND+4Ym=@Wvuqw3aixwqih|p$e&X& z0k}&iZQG(dj|iO1KNVOLtm$yF!PZwO7Hx}GMHg2kYyqZlHG!Ceh=u$Z!R>&@FPJzZ zTVcnyEtnNyYpo>I33XTS?A9dOT{-0dB4QZ=5)&{9u8-h|q2sh;Y?tOYtfK+i_V>~I z+vExzz;QhhJ}yP&MFQpsVG_%4{Y)OH=`R@DCyc$qWZ7eJuOWPltq`;oCUg-=Tz^Nn zd?`x&*`>pP^lO3s3Aw|E1dv_cVO-@Bf0X+(o>7 z8}OON@9)Gq%$XUNfq;oiUyV_U@hJNmOABDGjakXC6?%^}; z0#zQbhOLG%MfkSC|87OB7Y*dtk!}F_n{}NE;wFCL0K=#p&x*!=jSPB~8jCKY&mz%1F!)rv&z9`mad0}yfVE$T);!Xc!LV(&MJEdnElWeFnP~J4u_%)@&uT&C}}nk6f2Tw{H=qN2QZ6m1iXQG zIYlltLI_G7#TpOkME$UVMfjPSw`fL0EQ%q2k2n=%_eBO0Ku!XzCnV)qVN8ve#EvNF z9DBU$U)P z5=ZEH13EvlJ`MUC-*a;@zRHK)0Qr!gH1zOEC4G+Zm{G`7n~v;mym8ff=ab!=l8C`K zT~7Y+Hcaln5@cjJ)ZG4!xBD9qN@l~CYMi+0?Qiev>Z}Cif7^^?i6B`D^^%&8YK?xv zT5493^{)UY&Jy=UIe-R>1#T!Sn&xJOi5(lH7ty93H&mbLF}PK3IjAOn>dY5YUyF;3 zi?1dUsD`zb;!ANV79z%P9>@$wAbFFV$FL#_%?UMgXP`x62gl zZh}-~!PVqIigHOS)~5K-7LbVOA!Sr4eP~Ubyx!UAoSgh8`|J1`_Mbun@!NDX?o!l- zTV4a_z5iO%u#CumK^MiN_q}@J){L zZ_5u#2w zNR$b_I?Zn)AVf%evk$W8M@PyQK@Qa_4xT!E7zH@cyfw-s>-gi7r zh^!hd5*=pmkUr$)jaEn-HGF*iEt4?HSQ&*G9)ha8BGP1I2})@vL*5o$%*=qu1-+a? zkH;byS%?SVbW2puZ-UDCouJYi`m>_~l~@JeJV0HAi@0&18=xeamN zpec>q_n+n9;Rf>mE9=sx4Z(5eCK{*8|E))B&9>(M;St$?w$~T_AHL4}FQ$z)EE6cH zO}O}LO(z~bQEAm%kLoRu%)L=q+8SX5nWu8L+g-;UPbW_)@SKwTD?3%z`st^&8p!`Y z=E!d8LY>6k$vf6AlDsQy9=E6{UEwS*|AF@? zAlmS}+7}%BcfvXSKdNkVQ+++GGGU;f0el0kG;JTPiukq$-yf}^(=RJH%3z4MEG;n~ zByoAbg0bBL?#9=4Pwuxjbr?K`q`=P(tRDXb+c(zVay|YXSguXj4u;lwu(iC5M1Q`& z{o-U(4*PN?#uL>D&65zc>e?^}f-3krB_F#LEG?tgo0{rhS{>AVwXtL2bFMm)28Ip=K3$%LajJqz(){tnh z6pXtQAH;aPORaFE|B(DPJU5^Qsbw9JR{i1fa-#t)Q?)OmO_;<`5^1x%9PKWKY?N$H z&m5N(V!*Q3uwKFh`6Gs{x+#$jsBsXjs1ewD__Qz3^TzFO<;#Q*xK8EXLt0znhxac|2$324!J6I z0G5{{(;M)Sa}@zGesh_GhmkV*FToX}7Uzj@rR)3GXy3WTDv@Tk+)XjT)0V7iH3V{L z+v9T&ue1_yE(^dJU!KDjZ{d5bEhsI1R~t`{ws-!y{Q@>5C?S*-vQYRLD>rn`WEuW5 znU7v;v@+sTFNX;C@XBmw7dOH!n5cjJ*U3w{>-`*d3%E7PhNho&}SATjGDkB$#t9B;oe6xK_f>>TeMotg^m9h{tQ@9%eC zcD8pr$5cWlArce|#tksOEaeFSrmIrBWb9KqI6Qu}z26m8q3A~G=(rR8hMhW+AnLq6 zh}VjxV7+M4+0+^KyEwUqbi{i~2~SHH&P7kg@291worCRX`Uf&sviR%LAYBhN2hfuh|ME`DYOPOot3-Z{QSEM6Rg zo8zzIHPn^yELBiRf%=3R=@VwD8F;gouMNHPS?X}TG99^#SEJkS*+}O*(;5Y+uMMCw z9MuX})f_?2PzPW3)~tRXSbF4rEZ!Py38~7`+MxIvKAkwjkXWX&D(UcWKeGj9=dX{!&7tsT_@&a*-My33y+l$NitGfKgUZQ^;u z%pw!{axSw_Fg>^Y>>|R3B)ic6^3G61oMh5&G9+wFc_6jbtsXygDvi4uEW;pHA$jNU z;Q8K**Kp9+>e6F4EF;Nt+5Q}30`$3+vA z!)O1qvvZ2=rfmNj+~o?E#=Soq5)D>H5p(_h-R<37s!hL)0*0xc&RyxQ2H`Jl)5Kk8gH~ z!Ly1Cny4ER8mbw`BvCLvBGCe-x-*W3s1+NF1kt0!AZa2&3Q8?N4qjU$2Crx$NW5r_ z9Fgo~z1c{?>&!$5(ssn@K#BQe;B~{U@oEMl#0y4g5Xnu{nu!9u%1i{{3Y<6vcxpZg zMD4I^qN0HaiK0;|M6;9iW}<_rGaDhKYAQhsnNffo3P$eQ9zr$I$^a)uu6PM!?b(Q? zs?A0>rJzd?PIoVrN4XG6KIuZZCfb=G#fXuQsoy*>5PC4r^Ar>viWsdUXktAiK&bK=KeuKDk4{Vi9Zv2j=#UNMH^Yk3+)yS3!c0`wE6#_!c!Aor`u#4yKur=kR-g!}<1h;l zJl=|t?3r+v;scOUIuqiIgAuPjk0Fsa&GC_t>G=boAcXW$l?`+?6pxZJUcgj$Cc>#& zGf8{m%HBX1OfEzgsvn^WRW%bORyaWuJ>O7sR*F!inFvB}ykgYAw0u%f&9G}!$v}iy zu_y)f%y^xd`c5@w>$o(RNc3K26d-|uk-IvDP)#&4z=;tmUcy*=Hj=4ov(b$kjU=eX zlMB#H)YmviR5cMMQ8-4HXuhH5Y$OqtW+KSQy6y_Am^e|itbD@gaB|s6hissm8CH~b zhB7G-W}=~9aUNS484yWj2;S|*iJT}fqllesAeZ{dCJked12-mWq?XQvIMc`^tIuP6 zeCvvuDksS|57R=03N z?jX6__a;@Dna2`gpYqrBNG}x|WRo)NW5EiMjv9E)gm9F<5+#haXX2-@+Dz-E`7XNX zJ#^ycIQ^nI=aM<~g83$w%jS#aY(j+ghjC(rIr#+9pyV>E2G>9@Bcv$Jl10q*XQG`} zZypO0*=Tm%gj^@nXHn%USRp|a7!w7P#bfk~6)@GEjdrruY@Da8QjidHmzl46aA9KW3-DEFx8!nX0q07(^}YcCkP|b3lK&^&$3mY`;$P#TO`sT$Ut#}p;I zf5U-5dlfJXtvR?Nvbf%Wfy{A0QTj%56SZcdD6dk4Nk5Xt!Rr48^q)+}+#;F|D!wz` z`oQ1WD+^couKGdnxeot3fAC>53I#8n_@mo#_~bS;kbPKX0|j(>96r+?dSXuN%2e+&4(d-w43`^G!?bH4$UNq`nW@!|QHKRZXYAw4z^DY8k=jKdxPX%dvt zAtMNN*i3e$x|!c5i?mDq=3~NQEwj&?JQ&F8s7!@1O97lvS8(11yieyxBuOE z|8RMEl`VHnaZ<8t>c&1Fq2q;6Y|VYHsSvz7r~4^f)7? z!yn;8_1eG5D*~2~&Kf>{h60rN9jo;*8)}u6-;eJw{IMa?mx-H-P6Uaw605Ktp$#R- zhX{r7#sQ?ZS-Dz{_|4#>*XvjHrbOs(UPbv*_)_8zwL@!j@m=Ls(MOuq^HIzu`ly@8 zOj<-AkwG*MPAyYf^rV{LzvvujK;SFZ1^|FSf4`;}3MAXX9Bk>SAQ?l*JiOBK(@m`q zSz=S$mTvKF#Vx+Ah{d;+X7O!ti|?o5Cp91o?j7vxzuu)?qPACm%Ds^Iy{GVHc!N;t z+hcsLLJgn1?4WCA;{y#*PIxuAKC|(Xkz6F$W6l$JJIjA^^_lpfa^y-|Y+CpP;Rs(K zXv(W2Pt(PP1tQ8SC{x$+EKAnX6T|lc@#5S-J6VO>EXPU}`&}cPYBQ(i0)Jm8Q zCTo-Bo3X00>PlA94Ur6WL(`df)udrZvbt_}5UZcOAx~CUm%OpM@|rVQgD(DJrNi4U zL;0wb7Oxr6ry6U^LDrM?`;cU%q`p2@J>0Gs{*A0WRr0S9{)Sa-=jez$ z42cI=;U~{kAL3VO|5R^ofA1N-1Qez5;Y<}{2U_P_J3Bm0l+fFVCh<6aTjFJ2tP50r zre5e>;7`g-y&z-(#c)yI*@>I8$;z zH|bB@s?qG|6DrZulvhQOs*!g#@p{oWD3N-JR~d=AiRTA~5@t(!LqXl7JBmlry4g_O zV3(UHl`tVqmPoUPjF&Xn<0Xrv*p$T!#x0#9y^mS@#Ovy|FOhl)+mJ-fs1Zb@vcVo8 zUOn|rJ6(Nrw?TF+F<@TARH%=qBTSknB&DWzz}vz?S0iH9Uv z<>K!vQp%=15ik}vo3)#ZW}0f7s-#&Bo6BaIz?y0pEi_XKCM*_BZY_=(nsfO9O#8|S}%ucy;Hx@PBBby5vZ&S@hQ*H>2g-!Qd#)77MpOk{; zdk|CMqz<3UY(2|GpNCTG=ePqe>PHsjyw^v&+o$Mc@A)CrJPtL{?q}Egd~jG5o@zA( zvvkE!BY?G<@KRA_Pw?E@aHqo|Yd^WKyLlyaKo~v;%1dp=a)mo@pv^?vS585S<&GCf ztlc{~s+R7tV+k?ktF8FuX}=nr~10#+rj(meb`z+FkBcVdj0+_!x6j69x_7iJ7Z z&UKPDdb;6ZL`DqOUVBBkX6{eNL-fpS2X)5wuqyL>4F2K-0OFzRO&;oAnT2lg_o*|u z=6KEahm4Y?AU0!a!=V9!$QY~4E>sKiln8>Y4eXE1x zMKGkc)geV7R(w$64!BtWYba4f5-;$kehE+J>CK@~_#M-Ls~F zjfAu7=k*m%RBL35`lQokBXY)lW^-!`7@`q6vQ~ThN6U9`lS0}J$TRj}VEg1@ntOo^ z@RG%cQb2E^*TSf?MAJCOATh8HTMzgI(6iC!GUoFRZGFJToR}J4X~wy(m-MzyS@;bW zHzGhkau3Wu)ol!ANZ-3c{m+qz4u17Rse=p**xG4hUpxoBD9d#2CmiM&CH(Twr=@3m z2e^8{C;#=dw6lGLM{cCSQ~4WGcj$Wuf9-aTULEdsc!KzVbnXWl6X_SE939c;(GmR) z^TlsS{q+U8i}{6;<;T+!dOsCtiJwoE9(m`*@!{*EE)+fO93M~-V-D3g5&0+hbtFO3 zFG$(nM=b&+@t=@(xFbu^FGxB0_0{XsJzh-whSb-uj(}p6$bUX9b#`7Jc8N~>mqyUNzPAq58wRC zFBhKb-%m?IizNCRemyOP{$8JopDInd$9<}Qhq<9k+^4amu#9qu`!t%Ol{kfO6Rb$a z(-LWEp6>7BFU4NsC#3B?6Mf^qCJuU0w$Mg)dwfpiifg{E-CAe<6MOi=U8os$+Q?;tA{0ufzby+sD6l zRlQ^~lzp=Uy!!I+@Sn0>J%RG0nR?FN!QN?@Bfcm{waI@{+VSDx>GP9Uhp!J#MV6LA zB~Cl9j`pF)+<}xR6itkj3)|LGs6==B*`CP4pDL~UYWsg49&0%~LCfC*tRnfCpywaN z>SF@WSL=?Bek@g%{8wi`EC3%OoqL^wVUnwQGL@Hv3EMeFffJ=pSum0)%IzOM+urZ$ z;It%O=Jg3Ik9#|jLV8-X)b6u*ncZi+gm9}Zv&Cm5ulsEKq!TMZX|YlrzNW;}qNO5Z z8A*(l)5kQD7%z8VfXBxdcS_veF@%KgE);j8y0I zZ284=~j^;i3TS~}i7fFGF7e?bbYw0o~Q3O)V%Y3U>s{!XOychcFx z8!iopXi8W@;-G(H?k-Q<#oydldss63##|n^hUdr_HgwfbN%#Z4al@x?`~ly5QIu$_ zFUo;kVHdsCpLWCiNZQkq#$$@Ntg}EFA7F<5&2#yALFTF8I`CUJT#)&CT39LyBTRu3 zy>4&PP=K_`gkhz5WY-> zpHIaRUQ4A9NLLO)yDF&Q(?sIa(wP-p;JHhXMf-$2@&QT7^y?{)JD|lI;Bg47p<@Lq zm4C{--gp}3z=urtvl;QKK40zIZBr@-%cctfh-j$UAF)8d)x- z^PiCBNsi#Zc*>+NQzp>M{zpfapH! z5kQ`XUyy@NR%MgwL!^^JP|uSIPfIWeB7^^eluP)hJEkQ5^J&S0jzu~ZNqAZsTO*Od ze?dxrAXDfUq^RMNBV~@|!AqEOphh5p1_aZex_aNV&!?pzoIZh^KU~kGSBa)T3AIAW zl?iQ}V6w_o_4TwQ!o?`=(!U{Bu7Db&#?!P?0)BMejINpbdTFpqmX^y2`{RP{Qo}2? zJdd%dH)t6SOH(e>a{PLl@7A)NV5Z!(<@k+Ezj(`cvY2rdSHRI={_R|fKfO%D`m`Io zJTGurH+r)C_9}8QutI-2E1KM4NdXTK$?J zGsx6S< zl-2aKoa#bBENhC-yf&lyQ`KxVISYucZ;rPPgH4#K}!G?9oiKdteU;*B%d z&t_h#WiZ#oWUt%gxHpprOjr&iVD?NwRiyIoBSl&8Ot(PJ3J0IXF@;f-i0u;TqI zt*KHL4HH5cGfdM&M?KNxT3P0C(Jr1M1U4--B6)=wnn0x`n*Cc+W<=J}QWLU^$_s@H zJ&6k{Duv4u;b$l#glTg3*HdEq=TbBVeTxLYXDwUezy-CDC4tMe}QQKU#M198$ zlhsxjCaFD6PtrH85T=v`N+l3sHW(TwS))>^e)9VH^Sw8nlMU@BL%C<@u{!?$?6;E9 z0%L=v#Hx``@gk9Os->l;WZh!(m!tm><|a$R(&~Y+(gSX6wIl-VLK+2{7Ll0fg<$MO z8NT}C5y-{M02Nxg%B)chxNrcBc)>Is!2`s zah_mTWT|NY<0l5{AK|Dxj1&pS=Emb9$ryr)lP?BQJQ%D;k;M*9d2He3rz*a&;mIJk ziOR(Jwk_~3@n`0xOcHOT1)oyUq`GJ}@cJYgQL40bV{%J`5-o0|&f=T56^VMK8i+^E zx?KwVZ0fv)E_ohRyN(uiwAPy;GQAs4?ovGN7BZdpH%r+Up9e%q|(2N znag3m>?qOTU=#lrth{qq*ot`2zm($xVH5ocsP7h8x-Ow5ZGUTdd3BS_WT`~|J^Ky{ zRF!vwa=*O7`l5b6Qk%O=SYB?Er-bFTs`OV7`dH{kJS_0V8!4)w4*)t~z{(9QwYI{G zevwV+P7)F>5~y;2C2Z45V;ga2;<>*RFhYY?=^9{*)derW=av|G{Mn!aiUqK4 z((3_vDbTm4vKG!=%*<}*;9u3mqsQoL#+28MVu?t?tSaXRrU}YDC6pE3Um2xx8cN}U zu#8flz>db8Px(?wd7g+Yi~2IC0@L4WAtX$>;d23>DTJw<`WG+>|2uy!KM3VQS{C9n z8*)DoD)9wb5vdspjmigxVKq+oh=JRad0~z_#3+?|L)&uWM9(L07Rm}KPFl#2ZIW$$ zoENk)6I6=BC3HT_;O8c>aeOF_U#X-WZJl@!?v0dpy3)&1N_I5(S7OhOE49n@Slv9mOHP%ei=^c9%4G=H5nwBqnom`f4ha>}s_A+@9v)l-f_OnKXAa z76;LgmD5#YsbpVcIOKLVAFuT8O1*1Jj}xH`&AEB~PAO>UdIF#P-WS9%od!zJoI-?T zNWzrtJTjz}G|(Z5Q$8UIPC*gc7;9<@LHY^v<(;u1D@m%P&ZQWYJVAMDQw1i6XdW zQAE34N+pUZxL!t)eA1+sHd4ogV-W()h<7@f)LmN&iITzbQnK?%lUC9|mLyL3Bq@w% z1}U5=zY?p78^$z}q{gSqDV9s3oEj!lrQ%$GWH;?cDhaiFSTpTRapuzUbEuVGG)X2C zUb*y{1=kFU;2m_$>i28>4myo4Y2n|pOXboiyMl>QY4{eP*UkEnN;`Q+ZzfqH%$qSY zhd?Ril5|Pnl1q+a_+@n-tr1fD9tr1W%FFM$p_sAb5j=|YI~TXqUZa-B+~r98wnRow zXANbNJ&m-T+s$lz(mN<^NK$&42)<^{&FgPUK|`k#_~iGzAdcxY;5IWU6o|!HGv(#= z-dN1g_ZS}eJuiS;YOhDubxjzhn0s!Dl9raALxJ?7Nh+A|%B93CxTaEs407b*5p~{X zx}?V|%Py5eqr3`9N~PnQORt;uAx1mp09lVeR^@jw>fVXXe}-CQK`sWWFRmxlC6S$J7a$ zb-|KxX;JKArQoH?tQRWzc%^nXGy*ht*$|Q}B|E31xS|FDosbx(hG2m8!D6`<3P8ebDn?jU$lrCdt9x=@241|c|l23#}_@#GVST?70 zJ|2n7n3>mkb2&rj75+jLQ5rWKsZz^HP z3g1kTXt=9nP7V!Bg_50*wx8SUJe*?v)NG){>zj>uc$$2}P+9b^Y!^!4qCP0c60^Rt z*4qlBXEn;2#a^^xU#lzah5ENM{froSUTo%>en!p1go)A|>^e8^%CPf~LZ+Qz{H%Uz z^enQHTrwMQV(6@XByd(g5;iNvezYI49{noDqqnji%`qP}S&;H6Je#p+#NIOwU`Er- z4BJe(E)_D(%wLK$E5933NEkFuU_zk=O|zrT$5a?*V>WrnZP%CUR&EJA>& zjV%At_HWokECAM=T8T%|x&yF!9IiV6FN1l_AG8byHh;(}rq~^T)}oT#0dzgI*`0t- z1V_7*Rz!rgJA*A^wA~5(XrQ+{XhIJacNgFd@#f~=Of+KMUBFL!p{G~Jx>!)Ln)p|U-BwPL&x|#}55g<}I{5tZIgBe13zP*1E=`#;E1E<`dA29FiH@k<2@TU*h z&^bdVL0hiJIJjrqJO4b{-#&Tyv;cfgr7cA+3b`qwfZ&G+rcyP)&c^pC4=)dyPpdj{ zL)!7NKKt!XM*HlyI~eZ|P)mk2K~3q;4?Zjy;HC^)%9AbmbY)sASCa2doZB0qf%5rPAK6+*KkGv7}?2w1`^OO*Xo8 z`q0?kE{qM2oK?a&RT~WdMi)vLy^4R8N+NAT#%PP*IvEfM>${%`+?P!9AVyMmqB%YQPp`}YDh3l>1#~{l)D5uop zW7?C0%7c=Lgi`MY<630+v=Q6UM@$X`A^91@sO`vJ@5Fl@P1rH?TJde^1$9btTHL2p z#G4JWA%~y@wxstdnSYM-VKoP`UuX!xXkts{QZMLvV;j%rKvDIZ=p6Y>nWNbO?Uu+b zRd^X#R^F-JzIz8NK5PL0*x)~_3>~U(>18#CQyd?+=D|r`SvvVwmQFc3HN-VW z2%kzMI9%R#AU1j#{busXlcWP9qGMh7bqH@9h_BU(Ns;zoDWg$hFOK;?C%?XezbSGE zU&gRHK*iyB_IhtW42FknZFa*Xs?eB*zc)lQJsztPjs%>f7>IH#c4&Ptl>dge@9S^> zdwKcYyNB-^@8Hk<#<{r6fnFP7Xlz*sj^wEjJLw4wvF~cvQ53_`a3jTU*Nomm%E4!7 zRl~FK`Sa$a9Ptgp%S5}=_#7Wrto9+~a=f*Z*o98m8V{@b?fVCH&#lUqIfCTqm`Kxj z*Jym#2kGa(p-C}b*jljC5Mt8G$^*R;oX}Zq`oT08LIQ;i8Ycy(Sm>ImuV^T)_Ur0y zUonO0Vjt`E8ki2Bh6a2~qGa;(O0klA;v zHnwrPJ#IFk*-v(l^)5zUpG|-8uRgIqzOZ+js%`D2Snr+|RFg;sYpmFH`*^djQ74LA zZwz!EA14852*+-I^&9;=>zl$$javbX^i?rjSChzzB2XQh8K*R2C?07|TVG53xg#!L z!c8V6z}_X&OFVglN$-h3aOEin9l=R^9dWOW^Lv9&7PK&M+!PBLV`?~+G*bdeu!zwO zrG~u_jc+h{fe(nwpEz`327c+e7|$lm#V^cN*W?>4Gz!4=KK!i+M*1M*MiFZ>(Tap7 zNUneBDAIbl5s`agHK))~WN@ISMH(J4M^-2l7(-816~}}@Yl>8gremX9wLmkT;lTK6 zsu=y7M7C`3Beq2)F<~ntdpXi8kgE05+qv!9zSG-~2e$A#6joH)QcV|)x$DcF{m%A* zh=_F-ScH6^Sbu!+Z}0f^kPBCK$Idx+Pn+^`8|hBZO=#mu*VpE|zH zg0bCmtRdsx#G$@#ll)OH^O1sOk8mPsUHp=1n&&VU!JI`- zAb#(gRw{CJn^q``qoNn6#v-OWP-DUDNfEh;G?xf36I1fF`@obEkt;oOnebN5oF87S zrRD2)W2%gDr>!ql;UdWr)_yFp!EviZ{fJ(|@PDxSeRTMONdLm#h|%^o82(M^;>Sjb zV(g)GH1LGbL_ao4rIIEa=FB1P39Ah|zpu*8nN*sT`3)nd0=>{j3GZe>`p zqS7`?JB37U;b7^D3GdPGXujM54F|#aIY1m0N+nv)QAIad;hG_(AL7CQX>D(FOp4r% z@T(|wLlq94LEwmp7qY1^MK%`|L8J;Fg%E;35&_8`QUD=&Lkb;|W;z-1BC?RU5K;T+ z)r8oh%PBFLC89yntHw1-gn3Nth=>__BFak<1(sG#v5KZ5 zOw2%58{P}NYeBA%{HA77MERF8?VxhX%sV>n?Cc%B zJ_&WFr2;V-W%#AY=Y_ia#|g6`9eGE0soFz5J>g#kvP<{asSVwNg)?wKd|+=^>+3(Q ztkxf`R+%?oFAiQajOc=@5!ahA`_mXNLy!_5E#E<5C8z_C!^ws1UpaxzECym6?9puK zjGPIpppNF`I`|i}CJYb`CRI|voY?@YXWM<)IZE||!_J$d!{gJ9(*Ice`A_+SJh@tL z)>j*0xF#7abY5*V;m@PBwg1t4)M`Fzx8UFAzsR4)!xDSQcD(Vm@0?#u*#G;#SsUojPHg|&W-nolxpvvl0e;ml z=HU#+*YVX78#>J%(kif*?!tS%PYpVDhQ8^K)u;(7YwZ!+7#H5KcN#hJD1 zE!my`xx(ANwEo!9%@$L#3! z@zLQ)r_O*WY)NP$sfpH#&~z_=;THQgNDr`EivIr!0}bbl>9Ef(;OGMb-m~%S0-F{H zo7b}qCY`p69QyXCS;_@mJfd*>1I(wbp90#a^Fm1H4A*p0HMDKf_c3nV^30L`y^A z){7;96xNR>f!G2CW5t|v*BVCCY~Od|(14NL^H|!oTF?{ec&8pDldmj?3Wv$%SQzVa zDZ39qzUik%YDS1p2_MJPIlY3vDh~&4werz(`s`tKh4CM~3uo9z{~W!`6})z0gCR(S zGS~9YS3oMOS2s%~Jc0rTVwt`tbWs&mtXld5h2IH49QD~2gCwYf_qP>M6f>$-=`dhW zDGz{gfiwA)6qfkDU)^Be2k+eS3V~T+Kyw%g&#%yUR1u9O-=0i;mo+y_Um{3p9=fQz z1OR`)_!4%+&eYRx;QZSLB-ffhJ=!cS@lH?$?(82Pbh-zfUyk;6*=KgL_hRSe{_YC9kCfSz#G0_5S+mOiFj9&@ zD^+Ar9c=G+b}OPS z-VWx%AfRbWt%V$*S|;wpeX9qH5gBaYz5z?@73?G^jq|x__W=_cd}GVMoOX_1LDRBT zYzPNE(n$`9_B6+(WeN8OYy(#>H1d)};B6(FN@F}+Xr*hou{G&k(5xVq!<%IGaDa|B zVApXgEuO{HtamRO2@eUvllyFoR?s~IxfAb`z% zP#Hk|@6i>={f`J_0L&8Dm4VJ$nxby7r@U*-0YPY+yz1uxJ zU>hkp&!5MdsF~Wp-z}mY_6g6uG)-Zl=&i8ch2_&a^6~9^wUo#?#$lfW2&Z46(Ty?i zt7!oAnz|@|V3gx}YzXBDiinL{h9Q$Z5Ji%0{EG4iA2eA1Y|c8g$0GkIt+SvbBdB?3 z=u1`#(N~a|QQV#+aLWc!jYtH1EiqzN7~TcYS*%G`5SuqeyLa3ua9DV z#5F34ULI}&9&~ov!&CQ-uxZa5o%Rj!dAYsMNwarwdTU$|*bVVGI{c+`j5B<0$Ph#V znLtTa-5w4JD>zJ8AfrlV)z{y@?)l#s-29eDzhl7d(NA_pFHN|p2_heH2 zj3+&XJ#={HeX4u@IUEB}(TT@2_`k)?;DVm-j3;zfJUZ^4bWXbmhbVq_kB;~LbyAWQ zwBzz@YJ+>X(Hh*lozmdmJah&I3e2i7xOZE9!M!=C3+~OVEr2SwRu$Zvi>Bb-d=&*H zd~jE@r=LotT{vxRHTfmNbX*~ksn=%>I0?cUEN<=bZCtN~7YJxP>Q8Oj-rllhtPOyE zXHE8=8yv$v$BizZZ}07w@rw-1$rM)P9BrSRlu^W;_|}+-mRaY`-l>o)#4d{e;Gv~d z8eQU@Ty4x6_M}I*AEh2}+LQ3RZx5{La8k!>4fgZTtaJDrU1ru@djeYvS?+HEOHVGe zR3IE4Wg+3rZDH0#~=6+;7RAQt9Oi6{*!| zW3E{~9M>iw>P>yST7piK=T2@(!D^@#xN?V{)t4l#;adl;&tx^9eX?D&L#J^XrTlT04jKxSndI1PS8SsU=0IU4!@Lwp>2=ZdO%ok zgB#Ub9Bsd5yC1RV7OcC|ai1u2U8uCYeyd%x^Ingxq;QtLv~k*cz3IqyK_KdT?gLoZ zZF_{651mU`uBUzIw^Pq;MeRlS2Dgk{_Vdrc8pvy|J0|OeUbaHbs6EqFT}6&|+(2H) zdhg)C`p$g^XI41g*>t|EqI?Ha^D^9n3wH?-AqE3DT;_*wMnkmuVjCZ}X zA!q=+Gy6I)?X&C(A1lC00ShB6PW95k!BMyKdT&?oZ59H2Y^QP-Ni3=*TBFL#5>y$g z+pGnmQMg!%)d}V)pEBN9wsCpOUXWr2dqOX-9DIpqn#QKYX5&HH%#Kg&J0sJLX@nLC zC;_37euyoS>?Y$bp{dn!4!xKs&c#N#X&(C2QJyam(m0;){jJhBc>Yrse!ck}jneOb z*VZ3DUW=XoR$GtSi}T;tx&K8`7`VV1JK}=wo4*VeXF7zFeXL74Yp7${3LNYZO5w9z z8v1{|J6r^iL83Wa-ljmNgBXGe&tig*Mb2W$lNf@!`C+UcySBxh0RB^wcJvyw@ZGHG zrZ@k-HBujDsdNHPhbba%_0g0NS=9&EqrsJvFW_{9gm`T+!{J=(>? zV7%;MPh1KO__Yn5ExULieSO@490K>T^|t+fg?((lZLdGVAFFTM&9xuj%bS!+kDm=g zu(*3y%82Ht>wkkVe(-vKzgk7V@AQi<8wNsTM~^?gPghMF{Hl=Q-4@U)hN`$f>~{C} z4m#cLil7MHJK$Db(Q&VeyAfD2J8zCUJ8(pPy|V+;Z3Cg!(cm9O6aL|>{m~jaef)cB z*OAHi^;oa=1SA$|HIBP%1xQ?u0>E1~GAV49#r-6r&96Ai0%!enXis7osN1D;5AtC# z3GWB-^0)Tnya)~-VS#L~uN&`uHH4mPm*l{Zux!P!*x48EFrme@^?q+Ou3($0 z@7f)g)?P;ZK>(FAT3TEG@>cDn#~y~iZ#1X^Y&ELaF`2aC1$syu7old z3ZLJY!sm0N@cEo6d_ETnpXX9oo-bbVzR-9S&KFCK1{^6zo(tk0-aNq3Zwzwy zG_cMwCXG01pn0R+7pI7!?G_od=_IIQBY+7tTYS)PYe|NCrDVH51C!{0ZqFqN#OA^% zQK+|DSV+k;1GSRv=PoO)H5P3k^<0?6)M<_0Os=_E z$f{mo!5~SKX7H!{bhOd-s1zY2548J#W+vaDnMs{ohbdYsO_ftbU@^ zfbHbm_om}Oc$2t7$u8MOvGah}n~!9NknTiLr*{~)UFz|S8*dcKJdRN@tmdS9(V@;^ zU(F|#fv0k1wB`*JF6LHls*Q`!9Dd(>6TXOmnGhFMEkZi4Bs(l+WK=-{I6i>A0+^cmw0zi zeMs%vH;1{lWYT;0A@SMSG`K$VJ}HwVVVIR`Mia`2ZG6UID9!XAe}27vNvzu zu+zicLx!*M1p|{UO~75q!8(m_$Rma~>@!hffDx;d9sM^({@nTAv&Qwl?~T=9tTvm` znZ7Q~Yo5?5Fx#}3;H!M9VH30OBC~YjBdq4FJL$mPqCJl_)`)AC`FYwxJGTbDnmNDG z@_wexh;X+PSNemj_ z01>J^CrmD`tbX4|RGQ6=)}xJ8d*jn5{{I_b#-Ys#HBz)9JUa-ucA(y_uhwUI9fBZk zFDe?*F-_!bjawAd%~fsbhcW}AvmDGQng^nWhJ=nCd_BtL=qjxNy5&-M>Nqm#FF~$h z#D}*faRJ6W2eItRy4D!8y*?{zN+5G3bcon(SyY1hT6CO=S^pgR&CaNbh#8D}b3zyF znArQi`dh*bnS)gjsW}T+&{bj2|7~?O@f@I-aFw~zXU>*H&Csv!?Pto3riS2n<+XK?lxVSxO^SbzX-M(lyRSNytIfdDOn3I$vJN0G_J-D>gx*kn8+*Y5w$x zHgKoZ$!IE@R{1kbu*nJTuRXfv7kK9P}qIv!XG}+nan$@M-x zZ40%NY_{tJ-C#P#Kwox0d^}uGy7O&{5cW>hdsjvuwhExor%inkWdIs1gk?UGuIC2m z=cgc|eH*=X3PfdHj_lOEHM&{ipEt31`lU^hpYT_aiT5kZwa!EN`CSsyyK)|4Q6J(` zA~QJ?*WKp`PcyJ?0H6)gJC12wVV$COC8Cf|n*m?*xQFsg|KD8m%R6^>@xR)u?YRH9 z_0`s+h5xs2+y8elr*Jt=zv)3Su-g>s*IcJ3eSs}Je=j_L|7|^g!@pY}MwhVckJ0~h zV=@{ygbTLX8~XF1G}tOH2Mxz1pW5Y8)J1sAIk>3X3;ly*yitF^mII@s?~?G}y~tg@7F!^-a8SB|hn^CI>s zOmMqj-elaDD*C+UrG$H`@*;fcE&adt&M7kbSBn4HYOk&~6Y)P=t;PPo@c+8-|GM!1 z`Yri?rMH>E&Ej=_b)T?Nfanr7<|$Svvf^%HqX{sxM=H@9VD$Q!C#3LW`&|*^;O@G2u^9Dbt za00Qx)a^|uFgv*bf((m^Dw-`DpCC_pl?_HdX~c90&53v}OfIs{!C59^rw~QT1c7R% zK_GrjgcObAU+JNTE#bKr0ONkXf>AA(7}K)|os~!u-4keDe%TfeFPY-%mvQSV>DTum zkjx%pb25dA@3%+Wr!Tv&w%`2Fdav@xy!0({1m>V0U`*%+u(X7!VdH!}y52aThQx0Q z6(?9kG)6qq_#Ur%ImQ3MSBSWIc6?Z7g$eS-Ey)D8mUUAxASA4e82*GprMMFZ zMB=b9p$Y;X7Qqaq($NXJd=B(0y=n${71R+#-(X?_+!l%+H4L(2qkfkZ*_>*agW56P zLsWZm6`7zN?#BPNMVwE^Q5a;tNUH;&)4&5Acd0uKa5)&+uxnn|QIhG> zW&xnP!f6?j_n4GfuU69tzV5V-C*IVsZWv!pL=vbgSM%OZZX}-+k1sl5h zmmMSh6#yTU^7`tdA0Ib=YPC_XoJJnNoaR*2LWHySlkbC{WuJ^w3TA{4GXmvB4}^aQ zqZsq5W`3WE5keyB95)wcC>wjj@x_?Hn7AR_#_5X+u45Z%_RYAwZ>Uh9MJ6udFp*M$R(h&Gw5`ja4q)^Hl29&KL*U5% zHR?i2Z>vB>F%r zq57S`4x99_QzotdlfQj3X+(e?de}PPb2ApGailstn%7H^es_A;~u3 zSB+wcg^%GE4D=^5P>~pu*^wocif&2QdaywrRQG7@PUCnL#T*LsB9n7_q28xVr`w}Mf3jAk{F(!|XH&?^! z6&{g3nEJMY#|=5J><4|294~D>s-Zg_O)l`@9w3jlGf>rmeGjvUyOxPjCjxPWwR61Q zD3!3FYTk38a9l2|K=`|%JJ*WzbrVz#80k$I5CUZQ6Bwbs!)u=|RwA8|+>dt-51#M6 zcn(0+!MEHft8H4?z?H*`GPLaz{e*v3Gyqu~0l0~dDF+%uTXk|JrI+yr43XkcBM!w> zP!-i*@;bxyfMJ5BWX>j!9M0@fi*`i5=As*Q_zkO@E}@>;c2VEBDTedK9whaUm1WS& zu}4}Z<4VaFqBuoS+rzZoqm|hd_8IBkXK;*x<5g`ycP@Z(vPtcVKIM%>blSG&JZ)P! zk4Ylr&O@N5hFf(%qwC3qj+TBa=7#8-SpU;F1GY3iVInsU0+q82Okfeib0i+c@dOHF z6V(gvK>=@=P7~Vn#M>UZ6k$}@)5D{q&aNJ<7o-iYRA7O19njfOk^mS-R6uSA#L%Vz zmAYio0O!+FI5Iy_8eD=E)$)!kQVUxygRKfqmRyGz=GOq~1I{C~^sTVpron^&1>VS> zI3pV$7XiVh&IHb`^-Kaf?jXdNep~f8hPMU3Urv!L~k{uBH7yAL^ zDD0%=c6j_%x3^J2Ut1Pub0L*zA$QVdaQ}C+u|HC0K2zYkK;Mq_IgpJ|l!;cP^@^xn zPvt815BP5bJ=O{Q%NdkPxtJ?LF#Q3c)d#u-V!JhCmcs1Z+neR^BcL5{ksY=K{wda3 zH0HrVU7i}Tz6s01lJaW%4Mxs5?PNQRhy!Hjxch(KH}6rZg%u6Hp*#BV;$gsr7ZK1f zMDn3D@6b!r6?R^y10h2pfgBW%Q14c8wwjyF`B_zlj~{+W={-t#f}zxVV+U9U0KawK zS9NiXw?*3^iVW(8wvT*?gT|GY59oT$bL|IwU%b(UZoYrH2)prU)gea3`AuSgRHa*T zaZ?HP;Q*e$IAJ~9sFCoTjsigL!W0Z`dtAY{+(lOjiQ3Ip2~qpDt3;wz+#8}|ivAXr z2qXAP8-~zE#`GRlGlPh$77M*l)gP!X{(SxWKi`>ldlz=^vO9o%8xH@sy93O5|GWP9 zaV!4*xAnNWxc~b`?*AUM?Y{4TynSq+!Rqj{<>S9keY+2$I)CK5xYS!*>V0dMdO2@m z!lyj3%d_b9U+irRE|7Gwb~_!m$Qe237zMrSjbXnX(Lb9xHe;tKTq6a=%FJk;=0;2d ztA_@mI1F~^+^Fx71VMqSwF789L+eqFEdFJ)`U9(pTMIJID?g7P_rgxUi$Z)?){M@C z2OdoyWw5P`G)BURW=NEPPO~>D1GyXo3LK$Eh|`ZEg7eW}+edr+#7xZ0)u#`7qy7V> z>PCT6lt!8J_1?iLn!T^E`+N{rQW&U9 z9t4-$^**1AoKs>9724`yK=a7XZsWwwfm~`s(X68z4Oma zHKH1^UhTa&hQn4@mfm^U+4<*8ltc3L?X&55NS>4H0G+5L6e#b?38dbY>*Z>E__4P` z>)+QP^q%8^u2@I+xBu(c?$P#(&dImb(-5m7T}AG>;W&p4vCm&^@DXM@ZYJdDw)M6= zBi1Xaq%VSjs(o_=^q~wfm`8tDnO*}fm2vzt8r0S1$T?H@()F%fxmav+`($)_Vv~LH zqcxcoNV8vIsOtnuV4^#cdcB^ktelV9gQBZ zucz66K5DNg{69Tnf%8ReS}o(n zOu1Q(!|EI#A0BV8S9s}&Si{uuJ#P{P#bMP3tbvi88i73=G+gvLM6Y2KMBx}gh9KJF z7JYKFtcmPe@7xVo#dd**dUmy3;u2D^%6dIS43FB}!xnX?=Bh(&nLWARmc3klC_j0h zV7G_P;uCdVIhex9s^$Qp*z)P?lg=?ZvA_qcw)>G?OeSMQ>(lkt@*m;HM(qn_1(CcU z%oHH-&zs#B_#o?a?^UO}yLY_RfYuxMMyw&mM>Jby%MTH`-NS>>IT9m-?nLrYz#^j2wzB zQ}xi@*_3ZNwIN#;`0B3E@VzO)4-?0ixJ)9UVg#%G6c)nU4;aM| z>WN&Z7qEss=}GTpnO5_^Rn-lui=_jYvCydeeeU$RzqaE6TYd?{$x??C*?Nc> zB7p?Ow`>{57uJj4nKrjMt3D9y8){-;BsLy!?p;DJaOGt&HiD%^y$&1;AVZc!{03TC zS+0yTrYtl$FcX$w78wfjvPat|CuQVE?qe6S`8Wf$-5&Xl3z~Yhxa&G>11ev@rp}s= z9zD{_%4PM6_6ykmMpKa01KiNi=wv{T2PqGiB@_`*VxhH(v6tQzY=J&nKf>llastR7^z3~U@`aoogMdAtDi6X^xE=fJ@VOA>fBZq5W0mqDh6i*s``(wkM0`sW`0b6(?tb z{qf~_95Km-RC>8WMQSy=d90y3Vh6qc!h%tyWjD&zXkHYV4{}0c8LQuy%wOU!$!lX? zOgI4)FwlP?6FXZQI{(BxQ)iv1gah(l?IZiCg>ruFr`AvKht;lP31%!Cb-uw8CejUK zB13FXlvLD3BZe~I%3SC(rE`|qVpCWbIBpCvi{zch@~|bKBb@MS$D#`xg1%u-(if;i z)%2pJUS9&n=}C;n(%yz=ac= z%T5C+mcTzFa{lZ$0uK(?YMmt)PPlL^S9%~ygV42st6y6eZa9eQCQNd?5kH#-HQ4t0 zYDW0>7-YIyO~j|!n!3)X4Sce`m5szZ)Zx@>$PZg1;0CYXCA~GAeSnY9iLYAsgRm|v zap(0|Ze8UzyUqFzr!#@)S0@|GeI|c#T7|<@`fK!wm?X1Hfc9#8BhEZ}s$!wPT=!oA zw;w?liV$E~@7+@0b8R71D_)QF;i2GcJRtPTu&R_}1)%rnvH*??xVR&ZfU8Y4&`E4x zl&jOj`z~w`L!g?=OVhI6!euh07=fYV4wMjAbi68Gu)pE4$UZu(4X{Egin_y}U|m^r2xi&Eu%OE0IT|F`|-IFb-C$XI!Cm3}Ank zXB^)K`3d#bfsph`{Xmimofm_!!~hT3-Z`0Il|6hejhiaFXqsNyrWs}bdT79t)v7xMm%(%OE za(cY?th;l#+d&IY;>~4W@S*G=rcgCC#QMo2^lPjJCOm=EYBys_TV%kVrAp|)?IPlpy>S(xapbRUT*%qTI1k)cs^6tipS z!BX4^E-ark(>^B7)vMj@k6wpwt=R5iZ1y1*Lv_!CzT@e2p1)+#=k2sPB;Ms)G$oXvN*4^wp< zN8uL-kQ$2U=l+u?k=Il{W1i#aX`}I~_x*Ymw`@Yk+=P~6B+(j|A zx(@Ui6+07Tv)12{yX;Rrdp!BGdFz|m)k%TfT9|`>CHrrBde9AQA13oWqCn)>e?M-w z68@i>>yH=r|KE)L_s)e6XErnef96|LoZdh8WK#W%C&fKMEeygJ2I1eVK{&nOvvU0_ zjrk+?nA4>mu+Yt1KpD)?jUJ`0gNARP;T6!VE~IW`%Py?scxStoe;zR5!$%}JePNc4 zkEi)lGV-$$@Q6#B8K&-EHcKUR3xuv%a96qVL721s3QvPEwscc@9fgPV_ZGu4XuYOc zzMV+_u>6r6->F1p`PLI_*Pf^jkO3S|6IcUi{*4dTE~XPy?^HyJs?PgcO}1}nmh-v< zC255j${+qaG}@zx6(w}r9K$izs{EAr{)3f;Az&Gw`Jw2APmU2c!Khub@RP>+!V3@g z{ZP>D4n0I&VZUvLFi}$MLWK#s(ov~$tb(_#rWT<=A3*#onw#m(C;r$WwfOCJC5CvZNU4p@#v*x@i-Ji1on?&CePw-P{kcZnmh@m~n&u%mpnU~CDLsU#p z-U|?fl)2KM40`RDi6VGnNjyR}K9nwi%EkKO(Ysyt z8~d5H@L&0|Jb!sbeGu%}A_%WoW`85dxt_hVd(Tg_Gj!kFeDr9reoOYTUIni~Y%_-ZM45_sdBB`92JLMQdPaHZ*74(PjjnUGjR^4}yZ{`|@Mp9>Eb zaXj$NCkAMq|L@1Gc>GWJyS>o={H66jCNK+6;0qnm!V~zdJ%O9_NCxfIpyy78Nu`if z`-F+p36AT0<9mjCh}qS67+7TCY<%G>dKPEn-xBBiHQkLb{EeFxp97$;ljT!9*P#pM z483!FIwM_>%P?$j#gp`-?qoFXJAPRcv%7ETPr3R&QzIIUzZu4N%L1vM!mF@=d?pCx zD!TW^+ITmwK^$1aKsoqx!ug^dG!uG7tnJY=Ripsj`bU*&;#8G1@#AjDGPTUPcMC=R%hIg{ zthwqEBaM-rX!u#B3{N^hX?z=s>t+E=!vSqPvU3O!P~XwPmkUcVFElCcPE%Sw7F7b>FNSce3c4MgH}+y zte{!|QhdbGJML@>vI)kBgPS(=Xan#mqRwLx1x>ezK zuDFUd!}9nJRjVe`tU#SWDUpXexEC$vlIjT9^EUUGu%N?CwrONOP~%T=Q1{X5HtYLMx*hd zTI!AU>e!5M`;wAeKeH~8Q95pbF*8)mXdq{FTZ(+K+CDUY?%QKl`#piLa?n@d(At}%2qK&y$nk23i;Q3pM@HCaPIuj=V0R#Z+S(R`h5y8GJ z+64V;jPH%sdfsKg&ONWM+}tOqRXdMjC&?G1o$!nwr|5b)vQTjJ_go5u!@_pNWvWI` znvf`MVYZWC#u!qih?AoDWSX#b&1Dgea$Nv z%b|C^f;^4V=ft|iU~%pg<2n!2ZsPWM)Hv9G?lCxNg8T>vL2F8ei((?+AsfS~;*f&y zfkC&>hN(a835gEG&B1UQ5L;>-iqH6*;1VX@0L3N@?>E7#AaqA==@+WvrD?r{_z>q@ z@X3g&x#Jb!n6%o>ykUbPSXf+RW^v2Z9===@KP zcKPagm*;=@OvL|vw7CEKn& zKnHelg&_or!s4Y_S^Ud^E%5Oz~ zFw*g`ccK z6REvO38GOSPlox#$70YB7LJgc(q|+y+IiVq%YWcMjd}Z|9m-5!~sFqSX zHPcIS?PO8iV^}Rq>8NWQQ!vb-<#MRQRuo;&rf7T>_|)R0jZM9+^70?il3!rIEQ!et z$6Z{A2ZTe=ct}n1HOI6R1kwjsWqD97^PST`ZrCXYk8UZ zjkvUQPfk=4YVQ#p)mvgdYt>>bc3Q0xpWQ1c+o4D;XZccOH`U9N>JP>Ep66qbwy-GX z6p(*#)N8=3tKP||O+yAx~{(rvC zADAeegY9Sgo$hJp}r|q5`zCPaR zoS-jNm00iTMMXqut)LYtFqv4r3q6|>^dhjAI6bWded`5!=eSC1C3r%l2(H2OODiSQ zA_YBHc*WOCs>E1PG^P7(IvRH;*4faG)`;fSdrbLWiGT>actuQ!wL^vQVR)h-rl!K? z`wUI$XiY66(vmX#*Nbbf0raBIv`e>9T@m~>QYD^gMo}!Au?DqNy~V!$5l-}7SirkH zfM%phEKjd^ZcpHBt5ZOv#0rs7WV93|>BWXl1XcWuWP82KIJs3?q#%F(uNUJfdZCfU z-^uviP%EgV>V;vR1-9f#T)nj_i9GXg_|_GlC{eV+bf`uFQYOWUsaOxuqFM+DQwNFQQAXjH z26AA+I;HJb-JR$A+b>SGYPg8=srs(WgI!Zu5^O~w{2k5h zzSuu}w!Pm4Y4f=(rKd$p?;Y%&Vnka}P<+N9?slGUzurHk>U%E~&}gz&M+V|ni0TPp zxji^;OuTUyq%1fQ<=gESXk|(v%h!n`i-%c%oCO1xY#{9K74V!{VKvoAW+o!oYi8V zYq?yoFy@g6Vag%V!IZ%z24jwt5{#KjFi6RTWu%5eK#hceltQ?VXJpmT!;Lvx+sBP1 z)Yfgzb*9{)q$YN0Qz>mXHfQ6`i*ZhCeCIV468mjR7HzVoJltK4>2gOkW(vnThAh}Q zYhvd#Wz#Mx2aSCH7z)9r#96|anaZx=u42r^t)%7#<~+G)m~+ET!k90124kMs4pQ=z zgJ4rWE%JQsp6nd&9i76|)u#XH;o<&CB=-k>W=|&`4_jrLyviaVZ8E0Qk@I_czU$Ro z`w9&bKN@Mxbw0F?k@4JN_w_Sa&0nYXge(?PR~xxT)lxf4vv2J2h{3_cGfzPr#J)W? zv&Z#_)PtrmqIl-U91MT%^u!7*)?x8a=gsNyb{D%J9<>wBodHQIqerL|u*#la|M)8U-?e7K|3kaEw$T56BmN&&Z{z=Ab>aVE;s4=pzcy-@5w z^!z@yX{)T&FzdK;avG`D4qdTRWT1(E-JN(s)D699 zr}~FTb1N$wiaPPs+&@W;rF8xTONVd=Wqj04wk7&|a`MiU@^Jb~Dcjp^I}Iy|4Dz8; zss;kD8#eYQQDC;t0HNmvl`c&$_k4>JNjuE2k7<;|W=#=8E#7HCZr~rU8za_A1B)w)BosERv z-DdGMlE7D3t$ZKk4r|zC3i4)`A8PRBP^diJXNThu)brjPMyTnP|OS)tOj2 z^ZS`K>Aep3!B@qkCtKXV-mKK3eRT#}iSEJ*C%Sq+IMY!pFl1^al-8tHZ!#s1nH;J9 z4CuJRaktzcP=kd0b3c$sx#&f+7+J6~+H5IC4`#pw+mf!rr4vb#9Gd0oOjNmmb@UAW zLl85x&pn53p})|dUG6j#qd8*KK0F;%?#l><^c6(i=}7VktrRVF9QPF^2Nhp3q;Bg5 zQ!#;&+QUO?7RE!GmE8aj+J%dXYTxz9o(=wq?qKaaRP9f2=0asAIho^uaNDBVYx~7FHx^09#&fc9B1Yy1z z=}&ZbZin5$H^jO?(AGDF_E+8&XlZFD)|U2SahYXtX`5D;wzj;?CXLAX5%SlK7n!zc zm1*B%nYj&4$oc8stqd}}K#O98>Ta~4N#zd{hL?I@L;u@cPrUzKU0r*;(El#{|1R{u3;plH|8JiEU$tJF^uj8$eLMHSLaC=K z`0)2?sO*b*4=$#pOF5?$)7@q(YnOTi&!Tli?sThxfatN}WfARLOfngHB) z@O_-;Uz0;5WLJKYNeb_zkaWE(?(KsIclkJ?)I)c8&HA2r>^TVS$Dlw9{qrEK8t#)m zJ^2^#%Z%SzG$SZ89gl^W6IK0)^To^V@p(93p|t@GP>6( zzVv)4f)4O z-}mf5M#&98Y6&i#@tC%Pk0U;_WRuE|w6XO{VgWOQe3_Tb5|vjx>8vFbTJYc?^hm_NDg6O{IDid8 ziVki<-wFo_3!m@TaI?{aj^&S2xFF7~9nR~%0ZVj%nmKeux{BwVShDQrs?g$!j<%yc zZGXj{hDn+IHM-5`KyDgHY&DEN9b@*@>g|MkRdu$b1y=jBJoewc{!du_&s8;+5&x^b zy4H;8|JrNqh5hHZqW}Am?OgbH`2%a$GvAuxGXHZ=Ce_b)Qm!WO$AuwBf5@gTobD#WJw1nYZ z@yVA1^OxogImWJ+cqCWNGN;x`?@5??@_J_nc>h2BYVXGTzjVR!b@qSQ>mRk^`~RcX z`eOh8X5N1s`c`jf%avdG0EXYYS5&a$o?}ScK7G|~{Ceu~O5_B1vDGiO`fqrvH$Lk~ zzSl6`{+Zrz@Ko-)CgT>+EG2}A!l#X%Gz>-!_>Vsh$rC{aFi8fC``kD^-rqU;Rf8mc z0P_B@H@>E3#1n9Nhj=R9kHDXD_y(B==gdSTR~VJJ zcdy(1*LHXN_{9m{46y-4JE(AJ1!{c}UQsK}s@_89_&B=-W!m(8pOvvGR!%kYo&^W_ zUIwL;i4fL+{?gnTeI`pKTT02Hb!HDkO+b+J8?^mj! z-t#+QMTgm_GpSTDo_uE?UA9Y;ucZWrJXDHJj@{AmTbEnGF)W$KM! zQJ~$W>s`4FAmJsP7(du?`h2vx+zawBzPtzt#G}KT#99&m{R>TJ7IC_R7P}FDItkVi zzV)!3@F_?oUpA3*hJ0x%ycbhl4Ww|8E4506gw z4i8SG6DmCIND`peRthk~{X-z*aTcbX7JC6pro5Krhdo5E!f}kf$>4KSGBXyD*Zkk( znUX6zmn02&=YciIu=S^qlvzE4d ze0bE|**@Z;&t3-)c$q*yM~H|Z4-S7(I%ecdUYwXRmH(vX{C>14NI<5_BA^%(;Z-|g zG~0^2MnR`rVnp6H->(RMSz-7*#v4@lXSLSKY>ga=n}$oa*;Z{5H$wJ%X#2st=7Y_M zfwr2z5|L`OAt0pSv5^yutO<0{{xpUS%HFC7uX@;XuZ*sTJN3gI8UCnte5ReB%^~JS5(B(hM zJ!^t*@wAN%(DEC?kB-pie2K0daIzY~*{F-V3jNX`A?Pn(b*TZ`eJd+X$_&?N;ZI#j zKA6YhufN9>H_ve5J$m})_b&X3MBu?Y_knDbil7+vP!`Uq%W|uh^a=mf7MVX|VYx?g z# za9&6M@Sal%mwGvoj+{Q~etg);|v<89)>=yN3k3#P;&|u+^;~v?;?weV zO1yzpF@QsZLw*VJ6s9i!vk{FgOqU4>u`g^SU*U#Gz~D%AnYwtNq};r7lQX?P+_-Qf zG&1aSXObyhkv@_|SL7!wo>vzRP&|Cp5$`E`%42mC87PX9xcmuw#tV2ptw40AB=n}F zPAwAlmSYk#(G~6UX~3t<=(6wlGGm2dAYJ7*O1e_P$b@)>g(ec6&YQiH(`r;N z9X{3}aHyO9UN~{#U;#fe%%~6?p^%n_oh_w@mPV-)qx}hg)-U@IvoMvYfb1}_+=*jF zoe6M!q!nnS=`X@Wa}u@qmM6y83^Giir9$|IEq#X|)FY`$F;7IYe~K&fy4KdrPotMT z`S>$WisDc4+rQq=9vScf*XZiu6?sVY#OECfr6BC8_v| zC)YB?-8hmPk*d)16j{kQA(JzY<;^;&bV!?ed6J6fO4isAX3BD%{D=Cr!OB02)$K`H z^*Oe{s6KGE;n?e*ro>oPqvr#;XU4@yPTaiB7)pjA=i{f3c4SjdoSuudK!?lRCQ`04 zlPyb~gqX64*5l2i`q9|Q2nvKlN^4qQi#2ENalAdF!pS&8#5p5&f|$XRUt({;ND=U# zJUK`vdn*o-N8QP24C{Ycn0R%0wBd5~y-z zJ?j^yZga7{zI`@5uasX0xGKCW1C%m`0x#NJ*eShXetLA|0|InzPtwnpEVaoK3GS8x zB2tI;M=~TRpB``Tbjl)i?8AQe36uE{$n@W*4hw^I|lhW+6N zDYtDl#Se`>BZOTk?t21&c%U*6=BW|uQ*N?>ld4bNJ4pwHFQ+t?KkOdw9vulXDoXU+4N8 z&!8kLiKb_^7KZxVUO2~Cc;61t)j-s26)G#k)u6bY@FuezeCtrU7aAMaTe39)aRoIa z6>Ea{<3n1kSfyCSxZL@&X5B=ASq+Zw-PYdt-tEkdk-|tz6OA*Bj-kp77RR|Gh^EJy z-Lar&5xZlIT^_eQzJ=Mb8d91BAY@EOc7P9pU(%-#>_6jds@Wu|96y5UH%Y3h7tnDKZ@j z{<(mOGX#7@ES*3G#2#MP*&eb2Czeev3J{$@zUKwFJ@tHEi1^;e3@F74Mwv?Vwv|Qk`=xO4|}$AczoR1IYsm6e|Ar|k6(07x6G9q z{po0QO_7kws=EEj?y;YqFbY1Ofb>OcXt#3;xt-leOUo6MRw;TDa09o0T3&7p`i-Bo z0l&v6%F%QjZ}xsIEHvdbPU~>2m~oUzRyAjdxhvUROdaLFLvgs6NNOI@^{AXP8Z;gk zOeN5?2h>eO`clTjMH+$C>cC=uXf0@}WLOh$S>PIe*S?xM{gE|hPa1vuW5b=obZtMm z-$I*?KNw$U9;i|e)a471VB`e2l$6<%`|VBMN(-$-cr5#7>7NIOzZ`UrJNupOlg`Oj z8IGtu2UiOp7OZRb$#xxBsIRTdOB+7_4Rp9Jm&Ev1=#0|qvj(cC@Pca8r>IqQQB!l# zt3~Y+kwisjN|9Ei$oLYMqS{n0s%-i6^-1R#*4Cd?q0$mwYu6n10EJ&Jlr;JeSOehm z@WoCqV067E-dgY&diF%C`QNJQ2GzyV0f<7-s{DQK^h-Pz*YSWYzXT5BO(3vF3_mE? zw}<2jiKlRF8f*?oXI8U+*LMc7HK0bLEOZ>O4=llmi=3nFlan&)mjuZ;rGshTL+n+v zGQ^neeqq5|!9e)GfUvNEhD7Zb-^(gP5}Atp4~2_ZNI%!}{aP^Eh)$Vo~Yk3Kgl<$X=ml z`MnDVRU1>^uF_1I_%J;LU((T@o$S4M`T7X|**l=G)6Vg$5;~}=*;ClM`;v(FpRlmy z`}dg~NLb=(B2H=z@s}funfOLPc8BjawK3R87?Vwb&Cg$c zXO(Y{VN0xGd|)30^{uJveA+<0&sH`P6e7M>Lw?vA0XKO4E*b%&9A*(jU!%Vc8{EdaeAz_A&mFkI&mN5Ivl8ZcLu z`=VT(jzwMAVunC9mzSnxy@ktUN-+ZS9nL%`A)bixs^U1JQt@^nv9{^C)E4$%OKwc8 z;4%<&;73Mjs^QzP?*-gN1Bq>0P;#LfFqFSqaLIk4rmp`xloeF+U4b_EXof7 zIMzO`YgmW|Sk}T}rpV8G&$>H@yB)kwpiy7;#R$s|VhUB$h=&j7iAEUimBL9WyOo~R zyC7OwA1!BySD{i4V~Jf9i{cQK-r~qNK3aZ5r8N|2!sZ>J&>Q2hrxlEY)#@2{Lmh*X zE?10;G`Ey*z+xA>8&*1}=c zjy&N7BX1$R*#jU5oGlZE)$*peT4UmjXl^)>C9abd;Yj<+&mhS@YUh~}@mX{{klkv5 zEOG#6qmr3MZKP2;dD@aZHziFwLXFg8TOo0X4jzWASWUWxSzG`vE&%^SF92_&MaOqJ zD9U#a_I9?)Pxtqpp%VoV>YqmRgE-U5rKrvwwU|GkCcMH;;FRblHh~%!LwTNjEfL8^ zb%D}4%4AZI71X3JIRmaKR6tS3iH8kyUQ6bk`Mt>ym8@sJUNtp`P?d5*S?}x_b`lln ziCY7`LwI*UAVzT9fz$0|G*%s^vE|BXy^29y7=cK-7NI59GfGR=9hA6e3G*%{behv!C8KcLtkeH6wv|!9)$;E|_*vZe-0sFlzLLgMqh`JwIa`?T zP0kA3o0LnjLyFKrW8Ho^s?jg&YT+}XfiAP;+C zA6$8*i8loiGRJ%-agsF^=lDgow?uz3jCGR4=8^A!rTSvQiBNw|G;Yn2#sYs_Cb5-3 z;Y%JdV4(n%znd3hw2eql-5A;f$A<-*lpQ*<^TcGe7$#yU6R1SSowQ(ynO2|Ugjy>y z*pmy#H==rSG39F*T>xPudvY2~5KS=|ON~pu8pu-wCek=0Hd`Y;(-$}*PZo(9&@##}3eo2_zQJ_=uIm^*Y zIH{9)6rQY;H(6mF&G!n32%@I>xl62)lm_H=*q2g?DsMrLrsL$@4@ha*T~v2FMS2=3 zY!u>>)g*$hC#;x+gmWU@HH|M&RUm1=bw^vIB!h{ePMA@k4PLCIzjmr~2E{UXyj>PW zcx%yobfOA;xG{1*0RSKk|3&9oSuZMt8u~SM`dc4#Nz_C#lt@1SV{U!0t}a>a`3B%B ziO>EJE=HGE*_Q|M%^-jkqx7K!tHA)L`&N^DOzA~XmNXA44w9BBjB;ia{41rlOI>BPpcKw!qJc68o0NBv1JnVaS%)mf|ugSgN(jva# z`frx&ukM=buNGYY*Wh|YS4iIlf&67B$vs`rn|01mrLQ6KXbrK&B)ZE<)cS_Ej#;K8 z2lUPEHk_gFTF{cMET+ugeac*?K>Nn||LUvo|3dEii}3%qBzMh!rqFBh_fo4$He8F_ z-_-kGyu+{e=6E%le*fECYpt%w?tfRCt@h&n_iOxVJj8o67;$Uti109I_3Jz57ZdjX z{%_WXktlf8TQ^tUv0Tq}de)HbPx^Jy23?4Xx1KX!35yHi5|3$@aVMN|QK{~9SC|zb zl)@LoY3R>-p9>&vd7%psZgr!J05V9FyvyYspW!+;1v1^@BB<~pR}iwuMQ-vM7eU?p zCbv%Eg6=tPZ#eDS>}PRprfw|i7ihttvZpQ#bRQGLG_;tqhOx9s-|=Eeu!Et|c92ZQ zs91^mFe~F}_=F;wM$vjWjyx_7d-W??Fq2G%i+QUYW{HRvpQ?B-{0F|!7?4mjs6cZ7 zX@!-)?{CNu23_WJ-jnv1bQAQ#Sm{tdbgFv?6`eJ;is4ncaAX znB{PgeMUjazd_#6>KEnAb3u_nbLpZzRsv~P2BD*xA6MVDn`=M5-&BD@^TqmDm{8-9 zgko(`>@4AkuA7Ls79LkPbQuj85NPQ^EQL@L6_SD5MkFLhomF5|ZG5^?CUKF6%o1`O z?vIsTEFP$o*eFnz47X+MP#BLDfFT*rG2rBYJV+pDR{6ePjrB{$<4W(82>5Km@Z%~0 z_#qNP{<|##S`^JR#I)GUM#Po`=(0phL~f=y_3vB?HtOS){kU4)OzTECG-ckKHf*xS zFqH**g71o&)StO@2Nz2O*}8GZtnt|LVZEJ0-{#hHWyxp(}K=^mph8-k}VF zze7)^lfOkbEYS zDZ)+lU#usngarucN?3}PTRd2^|QTW_@z`oHGdLjU)T=>JyPp>Or@Eh^7f zZ@}UA?iCg6xaWB0?bBD?#;>OyuSAc)7fQc{((fBq`sLjE8+3w3C7wwqnAHEFQV;cW zk!$;s^(Ep{%3^cFAn~}lh1=Y{d)@B8w!7QMFHXAMq@@7%6c_e&_f2$$=eubjUV`NNHQwA{4VIN&!A=yDTCMfJqM~p>C80HQ7%$#Q=eIbIE zsMpXa@3uyPBuPuMX!AW6mNdytQUv6rK_A7p`>HJbRHK`-)8*GSZ(Enz+N0G_Y#lCS8rHxj zeB%)~N?z$ZeRL{f90XtstVhhDuR{V5p`o)0Z#ZQ`AbeL8&r~DV8^Q{u4JV+&)v-cr zLpM;t!%+$NOM>95=>~TeA}7UQ>h@6R5Mt0%>D!EL$hal+3GxT`MXtNh)4U!~UGDaP zVO?^ICS;~?A?F2vq42_nrk*rrE0eQa1VS}4fKVajqIVUP^eg!I#a)4+c`8!rL3L3`@Ayjppg50{WRaj4)pvwh5SWJX*7~XkKyfIf3;FoY) zBNGZ>sS|o6CM1iUES1ZM5;d`k(n5Qe0-HhjMd08 zm?J9+3rB6lQERliQHqZ{Cbv_yNtkO`IEz>gsHttjxS}(OIL-jkg+rurT#$=OXhwi# z-SZLVw97Y#FEw*Xc4|JQCle$E3W420Sn#G zLa?|spl_df-ehJg!I&LjRH<2x=Hg;cHiAO-=AG@r9v(2Ufr})k4;v=nGvv0K~2CM7KRedFgGd*?cb(yepE40Jf|c$;Jo6n2B=j+qLFTk5mpMo=pcT zE!_mtK(~kV_ZCCM$!HL2_3g9ic_n;hPY*H1Ru7de)M){MuKhr2K@hbkiu5GO1wtg@ z;&_>M=$aeU=)j$4!7BqbZ2Y-c5A4I7?SeN1u#NQGgKc$Mu&7zjHvVNUl)&V9St@y+Q?k#6^16|F&O9Qi|U;s&P z(n<97O3FcU3< z?sTu<`5@j-hSy9qkvs$omFNfKG8=QBz8lD(KD-_j)EC$^ao*yG8 zzZq@?oN#)tu;22}<9v;ZoXPn)orWcnF7dP`6Tdq_dkSAml}Gj9ZL9g-e16BjqPZzg zANfLnp(45%y6W|DC*7rlcH+rBebe1f_8DAbTyDLhnfw+%fD2xaoKW@iNO&ICOk_Nl zSH}yY`5nk5DuoW_iQeZSc55*`VhYB`&FPAEGMtYKhB^0XCNyY$iXqvuyFrzTQL zNlsoU8Pb`f$~jBYmGf)mzLXRlw7NtJllULIrCMR)o(jZ!(PGpXlMYH`jcFWpZUs35 zS);iA=7F%SBPwOfq6o;6-^B(+G_CVLkS=jsB}}N*nJF^h9FLTKBfoQtIXSaQl0JF8 zv(q^_!Gn}uqu`M$UwnuitYTBsc#z5iYC2BE;p(Dd`oldrWLr^URHJiOVt}Se9P`2Sj11}!Xu7XE(=`2P))20eE& z%yS8>8TyM2OtT$Ekwz)&u;et5UcR`|50}h>eY`Kb*NpAJ z@|_eW@uvg0E$U4PVcf1$?(8cibEmc5%vdb zG+>44lOl@Z*SelR!sR#3KYc$ztBl$inV+u6t#L+CDqSn>T}%ku1LQlZXdbNn9$~^HwKArQpbM)9O<9h z&4?e!CtI1GWWMJ}i9;<3g%_yr=dS^UXZD~lveN2`Fex`_5fS7Iil8qsKbsBZ9tnhK zICW#h1(JB8)rL3Fe4WDzTRu5GJUZ&^mUCDgWJ-_(`SJLBytwtydYFmY^%z#rE;oz~ z*gxRE4OYe@MdH3E&W|ZC(u%OZXghFP=YY(Z-NgEDItj>rjdnfn%*!O1z()oG z(Cg>UPC_KQM#41U{=1KSY=8%r!^v0WQ-K zIQ85)9!2%dn>U1K=3p2wO&tztb|fj$>HHV)Ha@mQ6>lsP$%I+63|Iu2TMSvjQ7NCk z-2Mf3sl*#xe7g?<=fJ*TH8z?KCk`C*VaE^H$onX4>Uf+(2Txblm}@5ntVvZlI+vjY z8(as7M47)@uZ>xm?Z1(MV^n+??)|mVmM?dac5xg_Jso!J(%j(NTd)J zCsj=hiun?@L{iIG%?i#ms~5|~pSi~Wbb`s;oPXxW|6Ff9dK|m|Yp<>@?*G2t z{T~i@s`F2Ee@7QCp##v3g4cqJ8^6Vk-?!`w;1;2LjJJgekC!;Vy68*H=tnE!F$*sU z$zzuAds%si^{SDIq89yrNItd#TqZiP5}^;;K&2E2_PVxtn$LvZGuH-JXhRO zgm|=55V=nsmGUPP`)&)G!5bOT%rBOYnof}193MvkB_+*O_X?b-p?&pypU7G@dB_B6 zhlXA04$lamw+>!e#Jb8}c!s`yuM*@d zqyW_L&Y@nC9TsGp`LGN1`EfVrth;XqK=s(E3o5H~S5W+zyUA<^ANxafbylvoWNQNA z3LZEsaK639CrREID^>yNYlfa*eOc2;fmzSX_ilS!zIVIRGEx|6X`*q)nHj3gaA3|I zK|DEY$7Vs#BFAQck~lcu;?%5$l-o)L!IaCd>@`hwhMH?Q`hsLzvq1(LudN+w!Ms=j!MYkdSt<3uZSfr2$l1E*BNhqvx@ zTp=+H$HhT5`w-Z_vleSNKWwtT$7LyLPReS0$$^y!n_6~2-lDq?cM7c7esaHscavyQ zP+IE4@>0sEoL&_qLckv;a~C&Kj-I=<+$t@Nwmw|-SZ&C3&$SH=D1LX*|s{ z_=BtV*>a10dGMjM^p-7GD(=H}wF;#Foh^^pdu&wDqg0yUEu#3Mhb8P}@5Rg4NBGa) z0ezizj$f5Zn!#UfqMlwy`^gI-7uSL~32F!WXRCzw99zv&2GM{b`g{R1%YFAsYY3%Kw%%&)c8; z_-~IB_dl)2Ym57zKmYv~-2koK?D?0dyLkPzxC{E$?}A_soRY99qOgM;iXm-sABIJJ zEl(#%DfFjoc#M@7IZoa!B_3^&9>%iDv3n)|x;yc@zKv#M;j5eUClkdVGW5bnD~b07 z6w4(ZHzZYiY6xy-O(s_FqDv#(#iIb>4pY#&MssSe93{2rz=gTBB{KjXMxKLYQd83t zB9LAxSZalpuax=FAgc4fwgayBU0NFOcvIZ2Z!j26gA3)!N!f*TTtw>`#!W3_Z=a`=pOJ zmalEF7;guS$nD`kS{K#W*!C|#-h)LG0eVARCNFK@wTJb1te?KurP0C0xM>2k6~^b%{b(zYkn|3dLPx=f$|-~~vR>%NMT`+etmDj}oVW1L zYOPhQVR}Si9>92zy+Qb*N?a_FA-HTGraV+`SNY>Ye!&w9I>uL9e5KbNpi2k-3=kR< zQDOKpqxx3ej3x1qd=bXN<2s*Ls2stC9pe*Ry+t1|f3R``-w5}Ha6Ch&J&mE)aNwZp zSV0-@{e@E>EW@Wa+HO)1Bgmv!V(4c-1|N=n*Bm@S&?-;qP~E+-hp>Re8yEznzp1%0 zN2@p*H7L{hwI$1m(GgxkD^~+M!V{~ z*Df;okR}&Bm>cn0@knCAF-kV;Z?fRh8IPqW4mlI#m~&T=+y#mR{UjZQ(;$d}jJ`Y)g4HmOsM%RSG#vo>Q9gh=icr*2tUa$fLzIETi zUw#2vpz2$O55_8OlY zJK!F{)L%1Jh7Dy9;L8L?zp~@@&HL$KhaPt)!}!G|ApN~$Y>P8TXiU;Qd`M)N;>x-L zC6SHP60NBHMdtlKJueu0(BB$JNE6SuZ>$=7yuO}x|KDyuYR2?`j~4g;U-$l>-~R7< zc%^5%v_#-PAp?-DnqUIHrS*JgS`Y91@QQ|CZ_#Z-%~f8~%IwMgw!Fz%ekecjnxRE| z9bW#Fmn#nJ#nWmT&DqM$a{LNN7<8yUaeb!1Dq1f5EQ_T|BuhXq;c3LD#xMPq+nj@tf6ZQgis3UEqlWD!|X) z6oB*}um`L*fRjU+`oqzH#&k$!R&Lc->#cIMV<-RIJKBg!Hp)uD^;iWKmn+|M&#Odn z`S8i^*P|DpXq2`U&Ri%OyV2vSS{#^VvW)xunc7W!J=uchL=&^l! z5)0Uj@!4or@F#AhQ`Dl4C)psEkgjvu~ z3f+VUh0MnMB8~Btgc=fq>Wwupm(lCYfy!E3OMZ>}zp>L5@dtbJ+8Q(L{~oQbC;UGy z_Wwov*Tp^G;-2p-#(y=v151W_E$RW%;F;0%g6wODdMzBI<%R)J&z}`WWp)H8It878T1`69khw&*D|@K(0(KF;*`dD< zZU+nk0Un6xR785z=@>TC2La>DD(paRe+bJ0K){P^v{JuvV2io3`GyPm=KznG3O1DC zb)8B!@X4AMI6={j;Dd!9nH!z|$Ce++ixaxXy`>r; z`~1JY`luDR|6Omk9xcxQf9dnT3CzM4c%dWsn?!;zo$m_kZnm0fB|;bx7D+KPY6v1u zm{?In*Tozy&Mt!DZhknt6c_rMdsPD}yepc~Bz{(nCX+@?&yAQ${8Hl&NRnzcU&23! zL@4Z2Bn(;n%p?39v9kSXZ1-@%q>7Sa{KA>X*o$SARaJ3_$36hgGQaPUo`D>HNLwx} z&RIwiPWCd=O&OMqcUAFKXchlm(y~M^mwvR@75gkb?a#2N<$sP!)o56ilXIB0*(!)%Sh>?D5kpkB0N;t5i+7lbY1NQBY*~X>? z49Hr_fb63^xhSWfM`IOIXIp-Q&iLb6-Rk#!IKLz0RujbeHVE|XwLfaWRbJ#wv ztZNOAc5x(R<=Y|gC?p2$1?6_Lxw_Fm`*EYS(cEaa);3!0)wPX*-8|b^UH|D(<56Kc zJ(?4p9))x=pt#X0j?WxOMh^%O^mJUPU0(hc4PpRS3QOQO3pGgPZ_ysk#QNBBd}?%P z6>2oBbc>cRu8?2kAg{MK*4H+g&5a+M8;`Ax^?o5l1dLl?F`7&fB=A@>TKDgA$#-1X@|}L(I?w)4%C&4eVJqklW?1HV1G6+0vGsB$G!0+YT1rD1*hWl}B;(LC6qLAfNgXz?>IhO> zX(y6Ot=iRlC@ox~Tesot@lOp(`kiiwKGE zw{N-U^hAnQP26xuFQDED%SXF(<-pq&%~SYx{I$aFa}S~SImr8>1?lwoKDD9r4N~)g z_hA|&v5Z&Q=g%ds4Nwon=;q8&GD#Q3(x)ONXS=j4c{x>Vvuewp-A zP(q_2*K_%!cq)1Wtj7GY6j!S@n-Z;p*vQ&*L}(Hsv^FC)le@vD&-Hu2r?tNQ@dh~c zrLJ#2I7w$x^|9~KJV9aJrCE%&ue0Ho0CpFMl23xJuv=BjwaXKmqK}Gq6uXYX+eRjl}>S9cszC_ZJ(DvmT)2LoZoL z2-X5AUf8}3-9Y#0x_Dh>Xg#kUdh{;5D>wSO_5oT_`EY^&dXs_Fl}%MCCpe`a=mtl6)f(wwtX2edxm;+v@8x>$L zJns@tz&3XQqYbi_G}BCp0lXt@<1DEq-3;5gvnD}~p?Px@?*={G5x8PUAQ&dhj-sqP zZzN-kd2^^Ts-M^mP;Dyz$&|8+#aVE`p$*bc30qYR?;0ik}jqDL-dNk=L9z zdg2*oh+vp7JBqUIJau5!xZd~qK!eEG9eMrf&}O4c*Xz@BVhr#DaC~cK;ZcE}GrE_y zeOKrb=y{^6`CH=(ad+13I|AYkP=j+@^z0WV+yqTod#)Ph9v0Dc_hQZD8I2pD8;3bh z6@IukCKUGEI4DPJKmYAeK8CY~lbhTl=+)&mE_}J><_!)^CIquReFINT+ghQt|3@R@>q4Z$ZU7kamBYL*`(eXWZWb^ad^TWffXWPfK zqNPKbBXa1}rQRF$Y0s3Qg=ZXE1!LZLfvk2z8wyo@-YA{l4yE(?qGXRR>=8cJzsZaY zE6))l*F$Te?$~!e1~)+}Qh%Nc{&mos49VoI=lOOWmI~_=EEUvnd;QU@8$c?!d72UV zUa#(Xqi%q0bglkxob_h4CrW~uE0T1-4g)7eZ~m5JRvaTx3gDM~DwN$yc-beyr(zv) zmmx3vy4r2uoF+pgMg_gJijZX{>&W?`)K(}ZPn-Gg(e4DL)mS8t*>GCD6P(t7XDG-t+X zUe`2Hl++XNp*1r`;dAd>VWi&3L@^U=4yT7c=Pr;7tVwju(q=;ugd-ro8sZ=AvGv!( z`pkFw=YIieM|=kKhSOkT`-5rkGLCuS$IdZ-0`r_~LC<%_a5&L!PNrkS&36GTLr`~x zW#7AUwVMg}x)r7bZtl2BzYWabvtd?5b^i_X#8LO^Fe^^V!^53S9h{x~P}@#Sm!h*= z0+~D6QoYp7O2eebnmMESNJmq15VO&`39gUs6xUP-L^q;p#L3Rwsj6XGz%$T|NPPz# zkl~T|jx_u<%R;2pEr?ONgREZBLot5~cy-|oZTXb9XzMXwErpx(?cZ#Cr7rv=a68(m zPd*~^+7^#qXSrvWVZD+{shsD!iA#0~=}vKMr{Wj}NxeOi`Ho_|iN(_|ZCcut@0U~* zURkbn9@>G6f1<;zn^{Mikmli{c$)R~!02~7+CvrndFtXJgX+#U2LvmK0dfc2GA>3U1HCqS;CXXc7E!7liW8}C*D?`t-+&;(u7 z{QLNpMnV%wO|+h;i|PEqB;PbQ@-&TL63(V?;b~e1qZ(ig3=FmWW~Y1FIXUgV?3V8F z*f_D&sP|~}$})qOX$4coPUr#~+19AS|5-u$k1RmHUawbK?w@z1rM}1hV7LGCE)q_e z9Vn!j>y`h=nMR){XFhWDp|_Hp5ERndeU``HW&f_RFnFmdSeh_;M`uQ7py*_p~Yi z-F9J5L^pE!(t<0|A_mGL{!3K;=P{VOR=+Qz$KPrEm*(oD)p-2(wa1U!3;F*m#edoD z{A+Kg6B+IlnSYI))c?=_ZT)}$&(QMOp*ux^-a3bmr>*AHpPLB3i0ZP4>T*|+Uke6g zF-Lz9JM_W!s}3tCR!Q2E%c>NgR^qX*bY_U>JhyjUp2?>e+hVOOzhY?~wh&LVhpmLD z_1d-0hBPFO8%%%+ooH~>%J)GPgjSNl5UdsuFC}bgM%2<)BvxetmmRE+f%76BK?nuL zmA!eGq=)C+j0exe9N{-L3#St-dn=q|tH>{cbzHAcm~l>#|E8g^-R~m;-v@HyWTGKq z=Ak24_eK~UV_kvM!1qS;!%D_5OdAYuJf6#7Xu%E5P3`gmw`z>f;3mdD%m{lZHPYlm z@arjpP4b_3Sk*<-|K6NLqjdSN)o!h?$MwID)))HUzjpk;g%r4u0>3pWP$^eWPIq^@ zK)zSor`=cEJI9A7*`fUgJ$Dk*xxzkSiq1FR7=Wg*ei#4{U4_paEwFHK!@Q7xH*$xI zD8pa4sgU2|Oh>uV9Jv`W_zyD4D|z4R@>^KgT1kGB?sZLGb<+govH)J=59D%v(HcF` z>d}rhc=Dn-<{4Ly-OSmsucQy7^W7BSv>x&Lrs&jTC4ImGf5M%SVP%Fqb~YUh03v!d zt4Bgik$GJw6HW=FWxYDi)_oBxlIDi6Vqn}VAZ-i?XuS@3>GBXSJ08E1! zfN!rpLGt~|6n2G2Yu!neN28GWkcR`esRw1ywi+bsefT%ul#A8abIk%xps%k`GzNIZ zM^$RL6=cws+0YTyjEHrAtYRj7UuH+gd(%g2JpMtMkq=sa{MH(+lN|>U59O(7gc8Oc z>SS7>3LtJ-)%f6AFnKRpCAr!-qB}G|VmM=4P&kYQ zhfE)3Ir4lMXCFl^jzz6=aJajDx@`)jkUPF%FgbNdq`0pcIH=NzG@y*4?>qpl>7zgn-0*)`>fLgzEn}Yf00t1Q~eWjP2i#TdNJs9b#t+NWGx^6(S!dV zwX9``6>y^Z=Nx%Jz*|hbzaQ!UMqG~%W>4lwdI4|2^?yIo|K+$|Gm(*Sw-dChl7r@e z1=C*74uZjy`zJSX)_>j=Rm%NO4S&^ml)<@NjXYjoPksNp+G@q`f7;E~;{NAr{JHm? z3er$2-OIiRf_!zobB{f@-E+3@piX%JKOg=0^kQmV*$%(TfdX`YA?nV4k8|%f*EsiX zcZ+jx9+x-<3e0+gbMLknIQQmoe{*l<>l>(Y>${tKsaH3Go`tS%?#=h+riA86HTzSk zgvNC4bX=kB4O4%xX*a4#Lz9}zV#_G24QO|K%a)H`Zl82eGAZ}bUp{-kiMYGC)AcSq zRu&Z~u7GfF2n@ojmBoI@TBW6dQ!>;Tqg#-EneT9{37cApYHne$x^ZdZTVp2hr*{&i zQZC}CenmS=Dk&_?YZGN;o~$FA^u4Y~;CQNcwBrj4##VNTn|y6GK3aYQ#E?EYo7T+tgCr?yK>JzuaGV}wanyn9*=(q#VNSraN zz5Gz}y{%?xblG=&*1-4}jb*6Wz%uX`4GWME3bjfw{ysvoS(Ck&t$Sl5>`O_;t3qU) z18uG%w7GNAT&0kv1*9Q|iYZk%P(dA>L<`%ZIm&-t?~;Da<@Il_|CdMY$8q^@b@kEu zLjLZS_(b@&VR0(>C16+t&DNe+9foE3G7kmg64GZRR{R1d(zoCVXGj%qHTYV zp}S%d6}yuwuZw*RxC>*nZqc6JVh(#aG+4R#NMU6IgDK;;?f3ALjAeS8N((i%E90uP zFeZ&lOT9edN-AWv%Stt^P*jn{O_r^GW&F1Jeudrdt+1Bn9eimlluTHLtByi=OQbPc z8VX&VYhPjixQVoIbWOqwQc&4Pe>W76lg zekNjH!rsd1db0Q8pL_fXKbEfuI^#F+OTfod|7yM$j@hR!=O^i>eLS70gfBOAc%ZGI z@HesoeMKiv_{ck)F_2zp(jY%iU0nYAh4`9tqMAGK7fzp$_X;&Su`caMtE}>UzZz+J zg$Zv5Y3)mDV@GFf9tP${tw%?dH*6e`vaW*wu(6HyW}{SObRupt&g5455Q8Jp4!^~Y zUmxIx-aXnreaXsPM*@H&N|SQz$)T){i_V$8&V<)uX8ZwtYW92nfS)hW{V1hrx{C%1 zQamPg@Hb|01n~NcU)gX~);kJ1A#Q9IZ;8I%{SUW`?%nPAe{JniGkO2BzVQG0ZNL9n z#D7>k09rf%`dd5z8c#0pz?}aoXui(PZvFtsq=LzN6g0AWzL)mwC)9{=i;`ey1sCX0 zU#Ug7G=^6s<;HfS(RkKq>@;>89hA64=7a+@g~bvt`XU!=lOPJLI4D6Bb#*+SE3P?2U)watdY|RK_q2 z4HsD2oxE!TE|qom18cY7ugCCTt4fMSHNjsUoF1HX_d5r?+}^?I>90qf?&%>+{bNY3 zkjky9YHKVCtEAnVbYb-x1mapyQ{OrNw!5$!Z0aY{RL6Lnb5VwWtD*E>RB>Eq(xq!b z3X?`WEt^6^H}-Ha#w>nBhL5)RP!o<8 z54?P&X7DUiZvDvGYpl7^ddwQE0gDFnuU1?ym^%FxbZ-0+{b-#$8bTz3|6ifVb7g}Z2x0@w*y)7(E&(h61@s7~1a@xK+&z^ka50(wh8Usuo_e}pn<1NII4 z@1x}xUea2)fbcp%boE0u))qv6lq7m@JY9kRtX^+YxV1GC;Wa>_)m72z<7BHYI+Gd( zEBNo&cf7()ubY~VLlf<bXlY%v^i#4W6eIo(=ar&uJvOx^ zfQZ%}@zz$G$<{_ToURJ5SFImSjd2*Ft;eFRRA5`_o)vEFCsShrh-mFc(OTQc zr)Ydvu(5VCg+&2|XiF?atA>S$he#+q``Rs2V*&_oZLKLHvyUan;zGf+N~&GZm?Hh&7#fToj{K zxkc>W-&$?2jL-e?R%-=oz^1>|Tp2koK%aOhn^>RZ&%T2%2?Q#ud{uoM+sNtRfDwgt zl7Ap~5U79Uvbna#H|y2MaK@&`z?wD`m{w)5LP#-_yq+8Wj%K^+6w8nIS!elmR zf{ODR3-%^M^{;|TLi&#zw0xiwQQX-~P*!omejI?P$EBja#W`VQ1(zUqK7PE?4}aqA zCJw{a+UnyK$HOB6%s1hN7Q^;x4&o? zD6Y7e!1K|HerCf%A!liOI1p#Pa?Eoh8Z}nV&y(SgJ6@$TWl{;%va{M^|;?7ZphNTg+jVh@xMD4h-+YsiRtEcCfjB+C2Lr4g=Z z4`j20yzeOI7@}%Qv;1aP^oCn;L=Uk!h!IqAD+>pI>3{pxN%y#eZ*}3v(ed8Dwof}z z(*q6VsM|b5vH?dx5WXfhhOw+?yXQ1w#?Q#u#>lz^h5{)X+MxL3EfKy*4kQ*WMo7V5 zu)vNzdZ0kwJm;>X2OOrRKC>=@_*fgF-1`^Eq z;fK)rN?z6ibtytCbt$aiyw{DGw9bc}=8AUik(%`FvA)N^g|3tnq~N}kmj-;&<9KgM zt`K@6sa)F3AR1oP2i!*}Qjc9-z~bh5cS%H{T-5ss#Js)cLg*=xVraGCxZJ^cY~b48 z+`zT@z_s;(Ypa0^*JZKb>6@==QeUf|?H%lS4 zj#q7~s!|kqqMMU~jOYe3D`tdg+|>gR#(Ed*%<5h8c!@?aD0{14GHc^;QY1wfDVq$0 zePHCxvSvgV_qH3m)e5YE-9^{>;blR1LjY2hbMDf;GIT;}*xl&}uz#DpoKPP6->2W8 zRD`20L^;}i8AD*#TJ2TzeePDP(&}y|7}5F(nVqA)B3EPnS;du422faGVK-hw7rU>v z-xy?gA-hN6%zB$tX(oFhF~lCA-)t9)Xo$?IOLTj5SKX?0j<*k9bh0})BVEccuxqPp z>*W|}L~;hRG|jALfRzm=lX1^Oa5n|9dVYHlYwPE?0dd=2+_nqzz#qtP+b-M|1oYyT zAkJ^e2+@HwFZwBK{w-GgTdhoAcdbobYUj4n{#gsHah;v5Cw=Nkq$7I=-^9QW8guCm zoTI*haVboad2N3;-u(<c41=O zrj5eHnvquT%G>XFBlL?}<7q`(q|(M#)8?1scJbYdX7O)s#Z(0`tYDC}iFg+L_I>q_ zvQXZC$ygY^GeX;*Gq~+kfUx{MZsWhd1s5;%24?EL8T@tugl7Z?BZ_w%^9B4&arDm3 zDe!E^jP%JaK|ejFf1ceK^%pPyr@4Xu+Ix+le>px~fApBT^5f&5uo+RMy!ZOQe*EdC z&A$2dzsxl29G~));Q0UgrBnHdsQ2T4U0n9@*JDD7*Db$3-1{%e->O!sIv$aUI7VBY zE`~DhlF1Cm#H6$mhkGt7bL~J%<#Lnns<{DGX~q z@6}BGTl;bS@uN9|&*|dnvs+J)(_16KZcS%)S965jzH_&qCG0Mz3A_C~VYi1{;$`2rz@(|>yzVFSPH({E0lhG zinnY(u+g^N5fpSe2(97%*(flhUw?H}&^6Xr5+MEdJWE}_}8npi}lDEt#< z;d6T`@yG8;_B^-A9bGj-Fj2>B_9m=j2@It0Y9c-r2B@ky{ZD}D_k9TxZ3)h7pVF!- zP&^cMlB1MH1u}?Jz7jM0A)UXaje`uN^&Cyqm8~@NL{vm~FVW5w7@#6potz#X-3TkJ zcq6R3sX=o>XN0D(E!sRuS%9ReVL_jGX-aHtFjWB;$<&-VsC1(NY6POPkVz(+Q%M=G zl2bPHNVVj)p|TAO5xOt?)&kC${C@=((@EdEa>t9w^kGWzgn%w3;$nV z<4_(0DH|rt?DOx z*b7|-fsCMD-c)+xmQEE#U#S(|v=D{qo{fH`dlV(HhhC1#;M`%`LQ)Q0xN_*yMKDK4 zJXL{-p(z=9wI@!{<>csBdesaBz7H5qD_ogyLR$E=o2sR^ZD{a2Xb}%uV*dv=9aVbV z`L#GR;uxdY|IwaYl&gh&#G(%asC)&dL59_nzG7pTGL4Ch@v&_=hqmPlnn9DC zj6)AjhcYcZ4MNTptj^uOWshLP`?rmm7&R$EObVw%w48}(JPJ?NM2R5}`}!}itk6P^ zkBR8~iR-o1zotYuVI2K(OwSs*zw&l7il~qR5!Dvt6+;s$F|3t|YDf!jj02hK@IC~L zUcNJ6rn8KQYn9C}d~xdALz|*1%|Pa_z6cq;B}bQ2-FGq#wdfDvDP1-5RkaC(1IXf0 zUJtG75`DoJX*w0<)p)oajHeSmH5UGv|H}TKcMgw!-8*=3M@OUd^WUS@M{Dia`LDU! zTEu_)Dt}nw54qEYGeqZ@z33ctj<@&W@bGMZZ->Euor9B3iJAZWEA)E|(zku)Pw{Pd z>!+W7DwVWjVP&U^iBJZ!a-{pxOrpIm+jCF59XRS;dmt*~DFaT2&SWBl5In5FX;M46 z;j!=x{m)>gW5dCa4l@*Tk{@0AUT-==$8dCb1G(Bg$L#`Ea)(P8uoin)HXL$GZ>6U~ zJi!bcKS05n+|TvZ@l!g77QTy*_ThB4hd=_v502G~MbcUT8@R5-l*7~Yi0z^;Pc`XCz5yerHa z;|ZSJOa$J@E(K$|=TLYSPBjd!5H>!xdY9->3J|;=qviz4ac}GnCUO=irOh1buZP~q z(T^5-V`o2}qg}S_nec)Ycuo+$7Ls6~VYZGA_~7LI0sX zx{yOv34*?If{W@V*E8X_(8mCfso%4C$RE!qUD~-lDLE5W(ZZ|4iB=WMh&dUV3Wx;` z2q4)bGzkhUB=!|YSg3D;O)9G3@o5T(W3ZM;D}4|6#SU!ZsdF)q}Rj=N&thFFgCCO3N)37IM#xeY59=+7xJ87CS=DFvLkMCyfdhz5DOLYsZa=Nol*D#YkY*&3jiQF zp!eR{Z^$a>c_xsG!muwZ&|rv~&?HlH@I5NU8)DV~!!JOua4q0-KtWYyfVZIqKmZ2X zJulG;x($g6$>74fq6P%Zadk9d0!UoCJlB!D%~vYh#P*yN7MomowP0e8*$4*JgY#ph zRVBB_N}9rrK#>bkthA|wH-M#0u)n@nU0pc63mX1_kAZz|4ND{%1tcB_*=R*)wTRYT zCrW(g+7UG73QL^A!>qz~&NEsNo)nJ%kn**&5IrWFwjk`p5vA z6KW3E-{S_0A|E-0L6V4*Fbat=mKU0A9GVj6cf~WbW(%>7Z)Oe%d$9fsIV!?pD!26i zv-jtFZCu&HF#P`O`n?yiBP%ULYXCeXfhcVmWSb7tgTQeff`7+hCeN?}SJ8OMo8)RHL;H<~a^^%4fg z999uff{48FP<7FEjTRxEBiYl7Kn}-P1ojYgA&98`uzY|5(72K6AmRwIQRqRZE}SBw z#H|$u2A{q+^d#hmBQcb|sEc?2*q9M89MG|x*L^^-M1{bLVY+~F82AKXoR340D}vVs!0(6ipVrtSESUj8;KVFE|S1Vs9M5;h4t7~T!ofstKd@VqEjZL zV+t&JG*?+t%Of>yyp!M#N_H;Qu~DeG6nxKz)1P@ zAI^cU*Hnf>2;d?*fSDJg6M)FC3s}E_o0XkXRXzH`l6Il1dqW_o9AlK3IS4uEDbdi- ztXYD%I}{J2HaB(_milR*iAlY100C1Kh$R64(UZK8IWyK9Pu{^m!T^(#M>_n@e3W7F z*O4=(b7oIX^}3f)N|5`zFk=;updpL_1DLD+#BcZ+7Qp|ys6(6dLrqu0vX%z;yh@O& zURO%mzd?9q0pYZoR`|zukUkWCLErpDP&n%XGZnb@!aSznH0p-Tj|9CKmI7v{6(dKC z#xlexI7P-Dwi_cspWM+*XM9@#5+TdbB^ zY1t;}gKpDExnSL9CtJ4%cLz_Y-wIlWKv8fcGThT4jWv4~uh2|JfTlvmneSot!jTn0 z)psZ+o+%e_IU3gHfHgU{&jQXnp)tW>_J|0GYAR_=R>2KG%MFUT+!bLw-aGo>4Xn9I?<7&)YOnmTObzaL~Q1S&`xlw z&ti8*oDF5@9~gEf=|4;Qe$+bLZL8+qmfGCk+uAY#**Y(0%d zm1S9(zy~;iE2QlIJL(Y{f-1vn5v$8V<62i`t-YA`T)YF9Sf~zX0)Qw?ot_uUwV)Le zeMRrIThX91BBl{0xd41}fw#OWn58w0Lh5W6)-5~2#~oru>ufd>p^-4py>J@BkVRvn zJCm3s`=pYGk$WGFkRc^8uS3k@Ovv`o7%y1j;U?|`Sq$2ixLdp$sk$?_WLi>J(d z8d+eEB-hvu7-|@+9+KxH8bn^-gK%^{1DXhiVd(|n4IuSU+*C0junB<4#n7u~?Ei=| zkk2EtdZcOenDw;g{c6^lv+r!`fl3 zj1-fG-)dRz@^>C^s1>me5fL0^A9G6p0K59$V*fDos3)S#lf80z^Uhyi>~? zA(C;USj1!PEppjlSrXB1vuT3*7vkptdL+ykP`HT0;6PvrN$MbW*Q`jRvcfT`qm+C!)k7%6yw^Tt z%%^z83>OsIa55S%*NAP`gUh>gGQ-(Lpb6pwEqF7)kPM>vGhaN)#~kEtewxqK8q2AX zjJRFNo9aU;333;An0VS1#1^8T8b-bT3@A5Yxq4RXgM&K;qB@=>18xQ&^hrFP;39_< zF*?THliXBV8#uX~Q&SFA=}mVK_J>RoYLV%NdKX1wL_M&i%s%8|!q^Z7U}DNS`iU}R z0xLXCL`;Z%3oPi=AiBoBE+jX|uEFm#D`rYaoyGbHBjg=lTqk58&YOV|qgKsvT@_jj z*8;^4p)A5~BRke)Hsj6cN|aiJh61RUDX%rVPDHRxAh~0c{NlGop2e z+}&%#8Ml!b|8*SLqyaJGegq?1B56<7A3(T z@f;yKtstb?>N%h^>(av=!AnzeNjti^?O?voJ?EI-5<;(st7sH60A7`NXtT^}!n7!^ zfZXc^cF{`{dS%pV!Lkm!s0X~(C$<>|y@DJf%aCkLjUX7J(Xa}n-=w|CY|Q5Wr`IHh z%2I_EB{C2kIcZ15J=DU408Gxwibd;1DBy)#hJc{;%IJOk4o{gW=D7Bhf1x^$;~pAl z!e)=oVDXc-!Qopg3`X?y6k#mYdg65PM57)G#p#TR9g&LHK3FrTQDLrJq}V7zz#Yh; zK~XS96G%5DuovpLHyyg$|;qp(?hODto4KaXUc14x~LhO=RD%p(gV8835H1tI>73aMdgu zca`z_B9cjyD&{kBu(YisL9F3mUF+Hw&0AjtCOjMj0*AzhER&WubV$N#Z9Da9$ogmk zE+>?>gt4AnkIP zq^d>(s@c>O2>b#pw=`hGMDGkehQh)3lSM>eMIlKJik_xm7>MTE#%( zJ{A!PpCk-8Y?v!F?vkn3N)D=~B8S0@Fes5tm=KXpnYuNJ&XEU0aT^jx7qPlTav&h1 ziX$jkaqRWzauw0S2CeHohT9y8EXQz!$mWEIJEN$FY&2v@?E)OT*H4L_*ibM_7g|a$ zRS}aK08c()$(gpfaJiVg!FDxF$o{h6;k{mec@ziqc^g$1eCSsI=b=H*`8ke~2CMm0 z>IbQ*a{vVy0ppTpj~5U;Wqc3S`*<)LvhrDB#9LCLO#J>a9c^*T=|rTA5nLxmZU;3<`GJ| z9O40SD=XBmxlP9Isic|I(4i~Rc zn;~@21RC#jJ4U^H#;1?KQ`An7$soxb@%Wo~3OSM!C0g&0uZh~Rny5BO?*g_c>ErH? z2XYz0Y}&Le+&_8PqQ_d0oI%Zrkv%RxIE_Jpw((fp-pp_We6f>wOlNm%oReoEV^E4? z^w@>gA`azfgU**$$QkeiyO2ojRiPjpb;!yEvfzJi#&P7)dDNI zl?yE>xkawl-eJIfLXxY|RP&3hdm(Ph-4UqP@Vddq&!$8_(Q>EIx0(vjqA@|$p)#iM zEFRJAVS9a2M$@$l=CaYiBD~bdmBr&D*Ls+zfu!RjAW|nJheYOT2uH^RxinPV@s;@* zSwvmqc4B$1T*?sgSe_QNT3fDu`7FHj87Ajian?6(KuKNYD(#N%+2{=ER*JUFoK*4EVM=F6HS*TH% zM^^2~`sSGPDCS9@6TGCEM12g0l%U9NGzcQ5Ct2r}iO&eaWbl^thWI3}fcJ zefy}8`A@n~$V*)_=wzHEi+D~K*lypnrxydpjRK>V;Cnz;CDGIby`76&$a*Tdh_ugi z)0%2)iLq7%(Cv>)l$7YnHmwlri@E#(fyieI%A`fh;y;gAVpKv<(p$KaGX$9qTckiR zGKhg@)J30S&EQe#&cy}|g>UmX7eL(QP6w90U*q5zBeW$bPA^k78EG8}2_&X`&cT=h zHi&zo*l^9^P_}38>Rd!tt4*RZZ8wmJ5{YM#z<4JYV)7AQY)hC)L$c|V4G8sZpC~N> z=f+qIL(>7LT0ZwkM|Mo+kjbpiz4uMe)iAXE_ySUng;9;1PG^uq@W|$z*>a$6KyWZqWv&qC1Jo>8ixcAQ;+mE z_mgCKTNMs28FTztA3n^utFmkCf2*6fa&hbB^BPHcqg3i>qP203XzsX<6wP1kGO6| zu-Fsf7DRRG-cE7ULyyCXrXko8NYtCa1fz+p-by3cHOZ8%cPCndO}N`-b37eqt_nbq z*=^DZgfdq`!CL%p~@4P$3me53l z4e#U-g26gvkt>c%+3v_;_%G6X4B^ZtM872X8Cv}=nv9}>@L@<@lnv{YGWv#ZV!fCe z3qY3%iY|$f67i8#WtdXg=I9;5FU=e#TdZE7@Y^7ce&R{U*v&x?ST}8mOf*v9T{K3y z9}Njx0!33C4SPL`AdB`;4{8v4C@9@)BVBSDz-kw?4;1k{3gGZeJB@k7t<|_?BhH1p z9Oa35eB~oEJl|Q#GD{E5VZrKr(;>QRuI8GFDimQ=Pp_+NMu*}Rw2&LP_a&rpv|_YU zk!4d(WjJbc1V0&$C(&cZM&0(RZI;O~D%rURQuiuI6Ht1kx-E8xr!S_7$Uq0ijfvPj zWTfG}SX0%P@hz0KF;*WKl4yF7a^*<4lz0y!XL8M&;Mn)f-mSVuk3V64(<6Pa@s4tK zO$YfLvNb|_KA*A6?WOb#Zx>m*QcKzT)3hc$*NTfgPY?~ur$xW%UVL23|F1{mVNV|Asb=xPZu zVQfFVNT+&Bmp$JFsVyX{KOwQXbE}?J_U0Ngeqj$NX&(>HR#v{N2d&+KZBJr@Y3#YT z@W-#FJQUU+vSR{tIWU{hts$Sz8Kpcjl$0@x5fmxdfYvyS$^~7Zs0IG65)Uk_OI8s& zo#|@59PdUs=^c%uTw8XvK1i;tuGWCd5i%H!zetnc)i+mRrA^hpX1#MF=J;ZRV@tzc z34;FU4B4MZXF8MV5hkv`6AXq$t+6BmB3k*q${Seq;-KyX-P|?Pp_p_ zbh!)~Zf)!) z6YG$XsvFJ*ux%qYlV`JTIAG4j4BDdXz%^L6qX{T)%ICgQOtdJONkjrwFU~nzF(i}e zTGs!L_D~V%9d=31LrCw$?hGdJbvT$_^Bq-ZuV=4MA~IwI#TR_Wm-Qr^g_-E)t!q5dp}J$W|4L(CYj(IhWuKAM%~ z=+GVWIe5H?1}K?ei3hq~81cr8*ans66>T?T5?@h3GP7C$r2R>8jD%JT!AetNI*42SK$HE_LYtR7Q&J!jP zcQtJEWPJ=Ebwq~p&wHUujc!OR|$V$t-IO(tgfnM!| zx}PrGf_KG-O0f$}%!Z^>>ZCO3CyM8;Z3Iw9}+ZF$*|_VTj(d z+oL(zu@t z)f5#Jp)2EPOPypc2qRV`iGhF7D~E5Uq%yMu!I)!~1YAMXV}}sDo5dl7(|#cOW7xnGwlpE3 zkZB@%CO8YU6j^jp;#47LS|8NN;AO6FND{-y#j{EDzEAgHc+N-BWgtTDB<-7Yj$aa@ z1(3MKZ3VxzfP_rw8PGt|p)cT|?<0=yqZMd>(l_3zwC+JW)(X)63fsxo{S`Sc!XOlc zxcO!_Rbl*Rv28Z2N7DEb$!$gbV)hx*Ou|&ppzAo}zCTo}W;OJ#2$&Pcos@NU;h&|1 zF&!&VK5&BqB8CCE$q)#Iit-#nnhR{=|3I@shPHO8K-pgUT7%JzOte9pSCtpkBv=^K zB;9xCh6mg0s?ZQU{!mye1wd$;)Yn<~7S5ep!Q}VDnkF8#p{uhyhIc1ldJ#zYw9t+tk(jr9wh)TuOfaXXi}Y@ZDw7lNB*@9OK`u?> zVT4;P;nTqg=o4cX#r{eIJkk>5ehxMuto)vB3knC%V^V0G@fMuC_q@=c;oFRzA3=F5 zB4FwCEbTN&j8z8uI^n#3d;2Ch4&k^*HTAT$**tEy z)X|HU+Sz`3*gX7IZMU_Lj4k!-u+>ug&(!9N=Hc^J1@j%YFvs40pka~63p5O9PYo|-tzlYXttr% z1rsR9v>p1^-1{~7d3$fGqFUPosP*dL5M76CDd^btE;P6WAGh~5caFEnE67uTu(y8% z(4k|H?P#AyCXl=uIyMI2r^5@O8 z=ugf-wHEvw| zRRKe47iaV7K90dt{7lV)hQNRXI7M5{-RARF+gSuuwRo1PsP;i?a~mJvJ1jkz>m6ub zu(=PL=>Ht!EJA_+QB9amgn;Xir%d4%#I?4k*9g=t+tN(ulC3+t{?yKXn-<$v^Qft) z#qj&I1-XO6)*g%(ZKvku=J6qHEzE%>pf&Ad*lgQ-JSn&UXftmgZkhdr;~YrzLfv59 zD5!ZKh7dv0TC)?<-hXxk`=C{>&>B$N&w}>x<_noU1nN%Q3z&+hEy&i~dbv$IkL!WG z(B76Yfh2?w$T-eJcFc+DqC0EIKn?YG>g|AwTLiSWznWt2`#qnNQ`?obW$aEzY zbWRnD4%w1!=1Nzb@;65Ug#cqsCVVB$lpgBL9N`BVMz)Be3nznLlH@}<$M@6v{wy^wFp;<~uXN38~O0#3sDMe7bjy?8x3FMj^q;#3}r; zNG1VV&?5IMF7-vsHBuLR8jwjPI}yj#7va_535MMi57=Y!Z{9~&2hK2&X*v36rxg~# zl*ZQ)#+()o%-ppXmTDMH$~dE>r%jOM8?b16ME>9DA_$tMTUn0vRZ}n)xULnSHoZh7 z`9geThNu@G4`BQ9g;}~R3!9(K7=Def zZ=X%#(-LejYjS}Nyc8F|??&-yQa1K`P{lv74eAgEG#;uKVfS4$p_RuGAnA4pEU}|& zKw$Ccr;1vIGkVe=V4Ry3JV*FL1>>qDeeL(*C9F4;0*2F)aly~SKyrj{fj~>m7|4ZSLO#G+szWaYxR^jcz|DzuL760i^jQ?flAJYbLHyqUZqdz|W z*XpD1zI&94|MlSEcWZye|N1lj-T$V3+8@=Eiy*kKHV0%{z@GI88}7W?v|&2o%tues zwctMHO~rZs9?rD?-~V?E6g-@;lMuzEKPJ<2dUAtA=N8?(n4oYL2(_n^aE4X=*wsn3 zQ%>@M0GKbN{qBDe>39DNDZl$)hw!`q<#gZuFDCo$e+{bd{$~(<_rC(ocmL~B;= zrp=NW8W_dKNh-Bvqwe z!yu?Skf7Z;{Rl%L`P0kwb+8U3 zbzfh;prj!(73Yyy>Y_a!6d6#F0fv!*B0K$rog;?t0iCdK06O3NLPIJv1e`;6EwHX| zdSTp>>2%H85C|%GMg`9j-1q5XbR~^V1*Q|n5vG);AtAO8#l6ZuKBtKzwM;DPZs+df<#@LD<@vq4>b{b|%P-dLZvqb&Kzl#fC$Ro-|C5Lzg zqF060qJD&DD%w=|iW_%{F31o|H%9$_*)4PKmpPwX2G@>W?P>+r7wn;L4#U)^D z(F0U9Ru{wdvvphmxHu|$($*_HJL?q$yI#S5tyj1g>lNDt^9*ePC{@@KPYPwT7im=o zik6I84PeVf?_t^qd1GE_5a3_NN$Y}$DCR_=xLQDC3fwByi;ujb%ZjgE;tGaM#(+0? zNApCNwJ_MA^g?kB&_i+o$BSAsd9h1gUc$opdAZ|dn^%s7+}y*Dc2ksa}Q=c^yn#1`Dn%vz#$?bXZW27kW*GECYcZbjv<=n=Oja3Jn}IZFox#o;87q` z_H28nr8lTMBXz(Lftgao86Qm6n`-d`R*;%m4^&R(KocIhFl)sRF2Q#<*qK764o%nC zyaildu)dB*80wZS)%ft>yqvDB2>4Thb|k5z6v`@Mwp1a@*qCmA1?jyve1{q5?mRoh zjrw#rcH|z#B77dc1K_GU&g>7FS*Lh$Nvf*$$~3*EYplTWd{H6VtO3rbUHzL|jQHc9 zS7&GLhN-VLlVPbDLM{Fyrt$=`G1bFPEV}jn2W>e$g2nzv+y8X)BADD7^viM7VF+c$v z3vD_2k#T-|Il;4OQjsc5z?g10DouqE=X(wMzB&+m2|y!j*lR#V{ca88sgc)H9Savw zaV)$S@So&L;grlorxXGcsE9!qPp=vPvTqcT3@F`3dvk5&`^N#UJeY}a1j`A}8h?Vs zA5s-)acFP#YWz>LM)~-*Yt&E+FjaxKaqJh`h2v>br=8pex^1jU$g}?WY!b>S&ile| zxIpn}@mDN=gHwhU>^FkZY>Cv0^|lXg8{C7ZbTJ6_r<}l<7RbIzAHlRV@2l3;6fL5y zd(UX9{p^HD!8d$Fd+SV4-Ly2~Gv|(@zWP z?e%<~qbfF$hi zYR@DZ#_!2dfV(k*MI&!EfbHK0X9E|U=lg2UgX_%g{Q1)G7fqRy=VsB61x5&mbPk<% zd86Z?H=2gUv)LWH>4oehqFymmub*AUpQ0tg&xVty}ZBm!Ks?45u@0G^7+Aj0Kl zQ1*AWI@`by7eBz?n*bjR8wKJ7*)iWpWn0AKKpi||;U1qxUgsc(py)z!UvIMe&VIXp zUa*BTxp8LiJCnRPH_yO*Z#ov2NQsxFXe#v<7+QQSh4pKy6mhaV#xmN(hawh1%@n$) ziKbJzpoUjp$&w$<#(?o%E6e?9v^_%=0n75414UbjO@OiAR&})xhvgu0satnxM$>K` z-8j{urW)>Ccd1LSO36pv81sN6Q_OAoSh^i3ue`ZCjlHQ>MUq+0;&^++RjXBdp56k6 zY9-2LC77fCMbSQ%{YvWJTlBvV*B*ZN!0LY=lm7R?+M~bpzkiDUS2?pS7Wr~xfp3_< zi_~gu^>J;L_ngTc4w1EZq7U1s(;tmz(>E+cspa$s(Q zvRd6m+EsvXPB#>0BYm&hcZi@}o7X+J8R(`Nit4-XTIAz-l1w=jV=htbAm#Q%)U$nX z0g9Pw`yyle2%_02%fZCN1ff~&n=kdmw3_u zQTQa8bb;M_5`@D}r=N7rN3#yCnuhwIPMET$tF6_4t5R_ZOOt%4Tw-)adC)h^0K?^- zkl@S|8R;T$UbK%=MbPo@f)X!VhwbhCy>bapTIb{D@gbZ$3t$2Jo@vurAAfJCli0hC z#Ov$ehM9k z&FX@IqyH7SW_`D;lx<7NdQSsF{%>m=E)1=0;L%9JEE%&j#Un z(kK>j(4XxzpSL&kv=^6BYohFpc@~0G+?fU$Py^o`$>o!i*C*=a-WwQ1+lSMnadP5z zDpl26((seAf+wC3_9%k`%dqYc*-Qp(`-+AhnnoXe@uMR$=%}33uSD%iHC2uS?so z_iSy@0H+8P_{VZ?5g+V+HqZV-u={yn_tRhp**t@VUt1VX_@+D`$m@R| z&HZdw)!Ydv7QO8a?a_M`0cqV<1|E{y{3NSFO7WVon65XuMn|Fzwd7UP7;VS~pNF!_ zWeWsDQ=Z32tY_f7y91o@yK@w5qgb&4x#hWBe{#^={JHrY&Lha7xBWt&I)AU-6qoQrr`>|1w0X3D2oyZBe7!(? zm3ESg4&8R*#_F`Ps&>)p00?F`=fUCr^TXzDPG&b(d-HJn;3zNC_Fns_xwF%G(Q4u~ zCd{Feuo2~eV{W2vGW;g=OUI;kNb4Nz;hnvmjueHg>%qZc%YTQH+Dni!$9w5gsT3^d zC!NmvgI)(W*C4`m`GgXl1Q&5Kb(8V^2|6g^IkOylbCb0vyAP>X(|Fura;01c29Q)e z!-q7N^4b|b?DV2>lF80=E|ijG1?6Dx+{@2&)gftnN8D3(5Dnj{0Qz9MOYSlHiw%2= za>24i&GEu4Q!!0goGF=|hm*xwv_ay+O#h$w6rGh!7mnR@K&{F9224gR?DEbtT!)#g zoJlN0GRr28VYO|w4)8+Z-sX0zUFQ1j@+b#*)v~j>zq`A?NAPsr4#Ok0I62F~@SSWl z$ed(1UN7JVxcd%!MhltXLp{>J+J(-%xzlRyu>c85Ad7xFORi7jD|*(pQOf8m=_&5^ z{qjViYbZ2q?@=(;348zQBqW4vDDEYlUyZk-r`288R7WZKScCtam)>spP@udVNn?8; z*^z^T=*$2ujx7=M@i!nrY{m7DA00A^Nipg2ah!v{;okzGuYa%fhDjAZHKH*648gi-~=6^mdxlQ_|d8)lrWxotr$0V#vc zh8)CUqb<=HP9VG6FO&-&SIM*2?UmiCsEjURIE@>3^9ovpt+>@{A0guo2vnc%v^4`J zdfJRz^(P^P+U20R+j-eJFx%#R=b-Zh)1EMSitm|^Tdil! zzETD4{o}(;IzQ;tv#&Ip;Rxw9i*m+}$DR<>oN0J|9`$&4P?!14Z6g^V4adhL;PUxY#J8R8_5qK< ztposKRFmo)$~EfKJ^!0Nq_d^;&8ln}IKd&EMp~c!u>?SX9*%46qNAG&rgD<+k3b;;FX`A1e?u+&d&Bz9D^tN8B#ateG{L6oXw zEV*B(L|eYM@$Eo^q$fz(**V(ZruwwWa7 z6~0MU&iSJG63FlUSHCireB!=83D`YIOZscyo&=T^d?Jq~O>@pq+;{uca?4LrNj8t+ zm7n-2PL3mZ&x7TCcoOVv;m4gVd@{>R9-p8e6zLm3Q3?#|rcISM`m+D@pKVFTM@rKP z{H9lnJeoA*aN5oXddIH^`hhGE&(`gvP>xRX>9%~rN0ZjsZT@rr(D}j%&i8F-mG>PJ-0yp-@|eKi z4c>8^pGws^U$%B^26&Nl^fI)M)11B5~87<<Mm8-=#C7tHy^5)V@OyzUu)Jsg~ z+slE+^NS}X9`E>BKV$0N_A{V{I~o&s3Gf}a3X!}|}0bZz@w3;jHPXi^?Od=iLw6w{2PR317{kMT6vKRj~2+C-ZV?Oog~ z_-?-<>fL+pe&-aM14x@R2uZSejt_U-@9=8BIqNBvgn4#5mcp=a{6%AG{fw!u1em|M zDUjpm=g!WxZ|;|lJwh^xUOtWgQb|ux+WKt!6@8*7NI80O2;^CZDJuKse6juXQfv;> zU+4WvaM;{~2TbQDNC8Z{z1uR)bKjo?ZA<*MHTBnSZQ@-5rwx9J&7s@izT?*|PTa!h zo$bBjS58j*j$c`$&0n;3yZxfYbO$}aJ0AG-jt}t8NKrT2ywMjp6}C{2eblkvy|gER zv&PKY3QrRw7Q_$kJAY+fL4PxPcX)P1iu${oW^?&4YzpM)cDmCJQ~CN?r}8S%&pOqi zKD`971&}aM_|?Ahw?P!5*WFGpp6c&T66Yafe*KkRo(P*a(W&tGL}VjQD!o9u5tEC! zn7*eIp9H62a)E++85ZXizLD#7N~WhLtdek45v-yJ2mLTHsr;(Hb;mRN1zvP|>=cMi z?)TBC7f2M&8 zlgB54rwV*x-|)*>Y?A5miK9T{Wc~IeFsi~Q{6r~MIrzlB!58G~b(Q8t(kY6#`%Nc2 z3GlKKf8eJle1D=drX+rR62#CkuTx&alVBVUC!Wmujb<%d0(JJ zqJbs^6N9EXeRE!)1c}`~iQYdP{L(Grr$7#ap)_Vnt`pp>I@P>A2}F}@R+sw@Uo{4F z7HT@p$tCc8yy@di7hk$k$UJ@^BZ^F^a!!JK_b33QtI}~3S+(P)po#~>My#V@ay1+V zL9KoK49@dbdp*dNSgor$sw^##^%QC4;NBAssm%I=e~9VGJ(1{@atoDMsCQ3{5g?6> zaqh9;m*m7Lr5DP6*-8t=RzNKo^P92?ht(>^qljQPI$#tVsTe!2GZcriH4z)LZm`J^ zTRV^m4vCZRWsI8cStE#h+6LktNn1;{sWN2TP%X16t7`RpG*eki+0q6}^R$dR1B9x* z3#33ltj`re`uaoB9g4T+drxGd{$Xcj*~?<*=CkKT52FQ@9=;SrqN2*G<~J5QIAi;Z z;uB*7a(xt^%1y;_|sb82>ZXh2{bOB zR=-v$e0k+?!hBlQqO zeP+w~I-0VvGnl^v*)*Zx%*g^Ug~ed({wyLW>a~4@hxw4n70KuPFwEIGfgQ60Xi-pT$8hys+c6ga8%jyW4Shn z#cxge)9&hhhjXC0x zd=f>95LacN*G1*d_5v_tpKK-O7>Uu4!Wo$h!=do*1V=9&+d54pW9vK4qA+(;Q|p4) zzP~W6AzH>pZ(~}pi^t^gyHo#|rX8>tH&|>!Z0jt8f~JDbIcaPLZQcSmkXT_FnmSsg z_27K@4XTv+!rGFGF-sGpG%18G2&=QV%Axf25o-s?R+xL%@`&N~czQ(e?{(mZ|D@ zD=Sd#Rn%48i(%YTv%gO+uha*?dK;#02b;UyGsK4snYJr~e&gxujE>*9?ij{-e3%8` zG&qHk-Bb4u>ziqpnYTN%NbWG*vnSnIZsQ~i6vt}Db1KQn?$zc{X8~E06Z#TC5hbiE zogQ%Vy18qKl)9#`9m~6Q-XLNWxqyDP+r>H3^`Lkpu$UC;mP%!KosADqXq9HU1 z&HYLq{FM8KU(HdpuIzz~INd&*LBUfw|1e0^nW;rXlVNq=+$IuETzB{ix&lc$BFhOH#!n#4ERnnMgtV@g?!I6 z9FP-3DnE&cHmDVNgxA@RAnhsrq|>CG%A*gJJ6)Pq6Hs=JaB~ZdX#}h8S6i*hOl*MK zE&%qv&+zFNRsbrO))oGxba_}0NTsw+VL1df(8GEVq_BoXR%r&o$%<7wFCOYLO-Z3A zCxsj7zIhPbMq3+OTfpgrm*5nDMdG}TduO&Zym*EA-OZginG-*6;$<}lSa$uctIUed zo9>)U{t8j^HipNvtY;RS|L%X+OE!n=2?81`Jw|41a7<(@^cc7YmwSw5mrV`PuX}bX z@92RH2QT*beqCoj$DD&5!RZ0!jj(XXA?77IZIqpqf2g%W4YKOTy$0;rw$2-;M9`V#3r>t$7W0aoS9?IDqZdsV*)aG!O zzrPdQVtj#U-mH7nhEvSUsC#oFy~Z*Bymjxc+T2x*WwQ$#m$WQvSjfDVm0lrc@nT_j zT`ykN2ZycA?fv7nB~Zyn(@_L~Okm;H4{DEos641Weo#iI7U<%i17@?6NO3!lbsL{f z=(1!V-Q!*M$w{O5;3j7wY6*|K_I2{o1V}5>S$4`%RwE4K9MtyqTd&YyZ9VvZ{wMrf z=>I1i{t5nnR#sLYKTgMgd9d>EFaJM(#y^*hYh-K~{wO1c|L3oN|KahU9F^uD?f(n* z{KM4#f4H`?`q%#dZx#RP;hp0@{S~_Duh32Zi$XWKH>xl&lXt_a@U=oa-B(-M74z2q zFMB)t&8!C-#yrR{P>5J$B!SaKHPlTY(0DS{r8(| zYtJ6H)>a=oWq0rr>^4Qy&I0xWSD9qIq3~#m0P2R1x`Q?cY1jc*Q=gG<7|dT z;o{wRyW#QhgU)lRHHi=utGK$QQV}Vc*mKhLKh=d{r0I=@=a?UR@ji-KeAZ zfax7dPu0D!_U~6}b6T+e{fZN~;}4B|b|0|PP~&$KLLiwR+Qpm8xzSxxxlDkUOEi|2 z_yhtQQFTZ0rS<4{^`LAVIYX_OpMoEGF;q+hCNJPvU}H0_VqKb`bOWAH^b5BUs(Pdz ztWdx+oW%qt#%Vpz7==So)qRC=eHKL3xefT2z&4R;9#CAFQH+|nbZi-?|6ffTCTejLoj5dJBpMTohFoI4_9j1rhBzn=;fqw$7oje}JZ>-KTW&vexHI0f z2rBWz=!l;S`FEtVUxq9pL-Qj8%)n4NFq(=tEety_GS@1cPB8+Dh;YVnlJrjp(Kk*> z8Y|ukW_c$4b9Z%m%a)^c(c0iCPe&zkhg)Oh`Jue0sjCaWXDh;=VGbqi2lRJZK(x}xV z8y(E*>^HM7zLDht!-lLc;i5YRmD3TTY@m8vh8}`&=iugR#9;kz6@vADZUk00{_5>P z=P>*jG8hsp2z04Zw}zt2WmxYVlWtDw+k(^m*M+M6oJh4naHzvY`c?M` z5XzO*k3Ak9(P?CZkI#L%5nN5{}O<0 zDj^@7f(uxFh6QIAMyRD9f+Qy!Bw8>lSG8KrSGF+2>uLsk3dJW)^)QQvk)LrDk zr-Wthtxwj&^@{-_JVZY06~Qs<6+|BE6$;mkXs{xCf4y=Na7F7C+H>@yQ=IKkah7+* zS+!oM=ab++J=pW$BOe20pDp(UphTtW0LP|e?<3>=R7n!<=EhK-d^EVe?9t#X9L+5g zeq>~ys)Pj3`GJ~c9#aL3kTSOnPj5Lbnh^P2ZV_4=I>vKa<~*;2ttU@Tm|MzOab=Yw zjAfEOGdV8ub;^07_WWseF|b?GmBY^|`5zHC{J&>xZ;~Vamk0QE8x2Q%@QEU)biliE13aQqs?IZQ#_&@;=1z>iu97Z(PvTuq6D>engF)TS)aVWr! zy4XefI*ySmt^Q8svdtq^p|^+h0DVfp^$fU_xKsyWH^xWBB1T(xbbIslUGqh{g`ApA zy!Nq5XU7=sCdT_MEq3F+>j`V4oy9eI6%aN(xCND1Ok%cJ-nz)g>i1!9^{0J6rvE0! z50Z>fo>ix4jl)bb;O#4a(QUO}$%j6Y^HJ$LHb!XBWe#|O2j?RROSKxC1Y zDFsN&3qh!Rv zXRGRLO`SbZXAjlcBX#!J$c8g}-Jo1xk8pRKt?~gkCyN&{I0MW@(Hh=b23{)HVvriE z8+Z>g@Z2nmfyr=s@E&I1rE;Y~(y4RyD18o{J*Uo^LqU-{IRuSY`EIE^M@ciMlChhQ&qmbkCb$}FS| zP3MNPUsqa7!)w_qoswtIB@i+-h)i`Za4EYGeuls>%5g{bI=2Qaof3?jQ_VyzC)P82 zq%jf2Gb4nQ(+sOvc*??r51t*|O`V|P;a@jrZ?+6-S#Rn!H!ruYIT*y3)Vf3zzuGF( zQ)p-d!AQg{kSWR$w4;+RJOoE#>f#{%-xx^m`KK~sRo+GTCG+{87rl04swlI9D&EYI`hotn6l2}4stTN zDydXdZ4zi-m*-e?EagVx)@7hnbwJ~U(1J(k@z6S(hb_EaddxE<7NEfZ zY(SI0EtHyX`Ll>-n?r;^U5hM(HqqpNRGPB47L@)>yL2khrX@kpY92Ya@N{BYxte!^ z)Y;!JhRS}!zF5t~2%?@}LJTlI_(PoAJAwpk&e5n0zg`q-hHIv0Slm3ueGss&m%bG@R6~{++j_QyK1pD6)X(;ftJ1 zP6fB%jBMdx!IR!I*fT=Z}aB(=9V^G%{K4J{IYsfkVCAM$X+zeHm)O z6|v>!8@|7N1J|%{&{tF+n853^S~^UKC}6o2;2e8X*d|v3M8G(l{q^rDQENl zv=C>wgFl)hN*B&P`{|opSvqhytU{2hd4ORsCU<{Cp~t&ZVs6!vTskUONMI~-*~GxW zE^1pvSX?8uqAuzB6};ETxk1>%o4hhL^F>mdwR-DLswygVrmGpVn>w=N?^Ad;szkm}N%jTT&LLkM^8X zz(WxW3^{Fm#Si-VMpdfFdt+Al*}fqF?7M5UMmU!lGOOhWG{{q z%8eSv8kxW(@qk1#uS4A|KZm&#G4iEHetfGAMz zo<&4%rh;Gj=vu{Or{z?8ovCzAec@~x-=VT5Eb&p#H62TW4>`Jm`^puO`XgBoE80TQ zPEaAZQ9u2(px$23SBqE4nb;ZnC!%a~TCr(t15^2(wm7E7bB4t|FB~Qzn^Q}#7Gr==fQR6Wd1m7_=|?x$uqy#xOdHcYVwcQm@_&K#-c$F z7S3LG?4}oTrz~5qpK`O2Q;d(soj7Krp9uH84H^>66;GNhMV`~ZJ%0(>lN6avrB zZ>B+3^(fKMKjQZR%bM^ir9G%a`OKW8X$8DGV zd7Pm)2BThs4~`0@mn@8<~T$x`3CaQB`ik zl(W=Z#;zb&$&v;`m9n$^zr0R;g8wIu>+v1?Tg$%Wr}_WMAzgzQZMlG&xkH-okveD=JN4`bH^JH$vap_v6>CxNKpU!-Ms|?3`O@s6*1!%UVZ=&3$H%h#f#S6 zJY_BNxAmv`-^pq;g$S)phvRvW(%JsHum3;!zCQ3POk^XgEE5YSHO9$p;9Wv^{hh8r zVY7ODIFeD&|F7RwwTm-|ck|8_3`Ozxf-2R9;i!KGS(4YV2ypaj;Rp~MBa>Poo}AZU zr;nUV&veY!Ceay5mkJcg>~{`ZQRC`3#tBf4a3(~fUWw)V(nf99@vkHv70SM`02j}d zfk720ravP!0O245L}?6>a{6*#?Y}b@gslCKNJY7>3h83dgOwHZGDU-DBmtQtO@HtM z4sSy@di^_`r*3wNnp2z5y<#PL6e(IlBOUmu~-#AAXNjyi_5kz8OGXCo2DMm=2BQOaM? zeUwB04m&p6adA&t$m^lq9K0Q{6Js+YW;$A?g|FZIqx7TI6Nm^4^_!}6GAb$fAI?d4 z*vmrM9QN*5+?mp7oSw}w3dEp-n?m}=RVFXz_6C3jzwV6~0+mw*KvT9N-`54!l$yzN znn`O5o0>|Rw9)%J%-S8MX!JgJ*R)3OU%$zYZ`o`4=zXT?yujaw6QYA*l?}r|E$Aom zC~b!C8fWUm2$F8N3+CkwP%p}mGMR3XLmonTLCS3wpTazjfblDIy+3CV;TwF>jzv;~ zqezb{?`w4PB21FYo|eq&uPmqHZcRVRY5{K3Bsk65rv z#SiACUSF@Po3gIA;e2|%@@Boda-(TTGf!AGX7UUj*D*dpVs0K&j5$#R-uX+Yuw@%4WWX zFQVF9$3ioLGn)+5kMPHMP%#ZapCt2L`VjR?Ze8?~fnYxAYtfVF9Az8V;^hU_e>~}- zrx$*5oVUoQOu@gr&fLZ8%qRG5nXO--%NFv^0<*tf(UXRbRd^Q284G({>0NZkp4*jA zcDiESuH41(3amjkcP{WFUU(<>#rSs6Y`1^eKiq2QZ~mnZow)U4^T1r0_;L@)pX3W> zjw_hiN7`@f+(P%UxR&*op(mrP^XUP|%dF>1XEx)LmswA#1KGb_l65+Qldt`8_=9@~ zFC}JN^IL9Rl$c@9%jo(iab_hitLvO3HOULIpQo}v&&}?;C0Xc|9$ zrgHb^T1V}nuP||HIlUmeGwfTQ8I)~6pwdyxj z$V#4Dk2wRV7Lss}Vtb?*9yG6hIDx%2y}*fzh(t-$EQhHTJe7LDQCER$hC{Q8EOZs) zkZ0(N?Y(FF>lzXoG@{910`wA!aj_Vgfs(^oHE+9R{DQb{K}@&!Tb{!Ye-YWm?sy_d zf5=y%b(#$v}Axn3|Frx*EsET``i8i`!6h?nHO&_NT~#!{hBPN9Xo&A)lr+G_0` zZNp48?7}$|^EWRnKnk-s3nc}_dA(U@n7W)JN?FVlJ6-vEW2stACf#Zm@Bw*gb}Nvv z`h=CgxZ=5AAAg_ItUOGWJD*>pT1J<}4^AUqKY4Rwx=okH3a~EM)9Y}Z%o3(J_=AzE zCfO#6kTUO9jVr`73;I8zH)NTzz?OeeBS{;VyH&E7Tr7XmAF_5ow+MPnm9%!Sl|Yar zw15|tTr`@jRIFA9@p&VfOn`Bl@pT7a^-Xm&uGK2Dm4$i3nX4U}3}r=oHtT#%DV14l z-3wU@cbrdDACj>k^Ffw}&rXA|rc`h&U!C$n+O`<&lA$yzsMd%5D`4)E>qMTqELfqJdGG>9QY`Hrz0Ym< zqJ=S6-RShzkw~L$GaIAMX%#E&e*977#JZq$Y+$UH(>9THyebusGFF7PA^j2ESTP3H ziy`E<&!==heV+<3JiixA_U*k~TnASqo&u1-RLATlaik>z>bR z9UDofbAEB_{#yxUK{ZH6SUB+olWv=e!o|n7n6Q6?S~`vbP~?6mLI!1sdmaqf5nge%Lw>? znGtZFipf<${jtWue_50M540wo=R14^G|6DlkrRKZO!ul;8iGQLRpNAzW573U1DKGJ z29Ptbv>Sz!fbEXXk{j#+#?Dc08W20)`vqEAy9xN~B>+8|ey59hwVs!ZrswXvEM_k) z$;*^U#PRiuT_@iAaOAfT{cF4L@54!b5T9pjLiuWahKkT`dQi|qLMAP_7lOU7swUxZMGuBC90u*gGQ*DlYhgUrH;72%nJ}v=^Ph;ns64xMan+s7>2)V%qxE z`U?Dy9_##9NOY1|ECwX@o(2v+=yJ3Tan&PDH@TjocKH@?jB@LfZo3dzR)K%76F_%8 zeqpfHklz^D>1xsO6bh{oX;^IW@Zo~Gvgl&~j6nB7!ABV5NiyYI2;{gbG$_Et$D<-> z#0FS>9Fx-?LST5koGAV2bwwQZ04Ut!{e;S(IheRTy?tQFMZ@|!3FUZ#AbnV050iJ)LvPlxZAgMrcsGh20(2FC0q1vX|nG1g4INF4VtRW(*&uQyQ??})JWNs%n^ z&cZHZ#f=S)6h4YBKb|5PU6z%~MYMk%651ucC$N(ui}EsFc*mR_>KkaEHJ)9!=jBZs zke^QCu!o|=bS36Px*qePQ816n&7Z0Vy{&|>ye{>y09WFT5@vw$8P`vWLs$kbtjySb z;!q%HJrwWzq0$9%=R`MI!v<^@;sre-Iq3vVB8u^-KcPSi*BSIE9=s=Uy*aA;cu+$| z;7QWwFqw#OusUc0uEAU=a*)zmA!{j-kTHJA#V5Be;6U#KEEFXi^i%t!i53#W{_RJ} znGxyDGmx<%yvhBkE>1TuuM0WX3TW>WL#y)&YcKYpIm>~bxfvgbDR{gWt`ETKynCBTTIH&fJ5tF_f1YRI`PvB#ladW2GhuTr(T zZ3xA5(M;ic1NWo4LOnHXmQ^uOuoP`s=z)kvir5aq#%#;rSFUUFrp=TPI-Yh2JBJ$L z(7|3vSXNiihcFJ%G@f-Y(#L>!6(TrHanRAsfKJJIKJb_3Ao+WeZlJw#k_#VpTra*X z1SvaWTvHv--;?YsePxANOuNh0JeKnT?m5GV|Aw@?_@%@0g$(fx+s|%Am`+RbJH<$c zA#Kkm;nQcM{}sWpSeYom=nM9|!2cv?s#x zIGhYo5CwD<#dMpBAG@n532Sg~qK{GhJR%ZyJ-Cm}&?Rd?TM-k~aPkB}#>&7oD9ANA z2(sK5vcQHH=8#p|_Z;$Enz97`78utABJm6UxY0tRuWiWatbBT zZhTkbcs(1r!T!W?Gwq=b^D)N(Z4RT!*_HedgE@&S$YU;MCygj6SO6Rbwf-)ejG{q3 z0h${q#%qTXto!me%yptalgT8!uqUUu|8CL(I9ue*=k*y!B%){ zkI*?|r20MFw?MR}#_TVjeSeJo5AiKP9DFsme|NS2S^I9~QOf>j^}*W1zwCeh6#E}Q z?J)D}ij}t3dA3+Ukh#s$X4$da*?zhUZ=3pr#_v{16Bt~Kom$;@DIF{uEb>#pE57-K;c`o~j#A>-t z-lJSlo9pQXArOGB{1!UB^6iIzoJGBO65f#f^C41^m^cBlo|3-PDG9WuBWsc~udS{G z-<}WRQy6NmAFIK)tk+c7f{qRw!(VAmpCZ30z9SO-r8^;j`_IBOrbTU0eZn5y%;pI@P_>RTcxbBAbU-Vo8GX#lwEv;dqeNKoWP zE*WPd6yJ4-s>OCA_l{y@r0OYvdvBBs!{m2C4vfap4ZgP?kQawFL7GBCwc#9$`-E1g zz9nt4(~Cy^a8S<7#*b?Ckv|zf!d&S7b*SH7gR50ct4bO%ehu9{r|X9YyTk!uytMH} zSU<&hkCQGo%ml;59=zmPS;sEGHb-JN83M_AflkN6?mJ{lXXEop*o(wTEy1h)gaE5Q zO}g+O!>hp_7ZlVVouM8p!sF^)hY*B>oq$I<(>vc3ZO*4eGu-2 z=tulHu%0+(QF4DT9_?{36=^b!Uf~KoOLkti4%^%Nd!47PqvjKq8UcN-*9*3;0}WHz zyndb@j6v<&4?6!%YTaR+FoLsc#&!=y2I|Q{bMxos^VXBVjG$jtvkl+OP{Zu%D%SDZ zhEwAWeEY_H{Pu&cl0G0xy9tgDch>bl(sFVf3BphYZ8!wG(V{FSHf~b?mf4W%w;%M5 z)Qy9&xS@bF=l>4cv*8f1`#PY1k9bMQ^nx#+ql3{Tcuq2CjAf$z8YlHO?bJYy4gm7} zVCVhX-(}0A0R@amXF6mTMmbHYl29$M*a4ACk^rlhT#veDgPujrfYOlE9~{03~&(5MwvXl9ORn6oo&mYMJ%*87!|!j z@af&2;U*#>TcHgKH$uFv6qK*{=|vwdv?1Oz8;Of@5xsn1NwQg0BSmrXrzj_{F%5uuzt%ofba42flQ zKLrDY@2K4hd3~>1gP9!d3yRWNJY` zl)oNb*fsC_c#M&C5}fGEjKL~iOE|C?oQ8CN5r+dBG>C#;2%Q+ozS1K}YzX8fT_hBb z;831Kj!RLPwqC)ED0X5R2e1pZ$iEkz&d!;MaS%34oHY6#t|Wtu@3qOHfZ=6m_-WM$ z#uH?G?;ayy)v|YW>pN5kJy5%=f-69r;~`BwX3{84?f0cR?ZrmQxK8c8*7M>w&ELY; zcuX2m(}$eaJNcYuoArKAS33u_R~!`O^_83Bc9yq)rneVSh%_OOFV2&0tu?I;dQN8y zbBbqWY9c2QAbSeXjRM;0NG(2qgKzoh%fC@Tw${qN>wt;N#B}>%&URwLw@? zRWiiDD$dl08&%pULCxe1CbwRiGQiKRkz4=)W)iW5ra4fL^*7Q?oku|JcjE~#)zg7N zZ>)8oi~Cb;3gVVe$8TYoty+f%a(@Z~nxREhb(g$OCt~I@iUG}&l|8yfETG0vf`8$z zY%_CPKxO*39lF>Hqc}y+!}V`zWZd?6IspKPW*t`8{4EkcT84tY7qmEGI_aOE!yXA! z;mmN%5W%xC9#3D*L=x;Vm5kBC5BEFmU)y-M^@(~Dklgy7v6j!vWv`=CB&obCb74HEfo)&dt3Xv>RYw;=yAE6lLRGLQ34%! zD3*qU#JxB3TaiH)AS<`{-aQU4e(xR()jd|0-9y#&PipaSv1%JdOnBP+gN4F7x$6%N zLV4jO2Jn=SodDrPWOq&y~$erSm=wDeD@ zong9g1f6We$@#?Oz zfgy85(pAwDMnk~a^$-MNGACtgJ?xK|P&4%;!ZajBE|IwOYpDh9%<qX_Ro#N+M`D`{ojiD_RId^&$i4;eeEHC zLZ22L*nZdy{dKKko*uc`cAKvd{DT4o5YD&nl4Xu$!@I}^x5eqHa)4D)4RfDS1uR3T zNQgqCKk7ymBc4Y9B{a7shZ>Dx*dMG`R?#iQgWBrKN(n2$$#M6eDp9r)Ox;P_>^}tZrl2o|1&{^PsS^8fyS`I~YyHJ1F|LZr{D9x>=S@Aq4;V zC7D1ci$*+NzYxwSO6~{-c1R7DWKDyiaW>MB4;?gS$0G2%ikp2omG~$x@jFiBD@EBw z{_O|URI=Q}TkI~Fe}(yVa{8k=>EC72-^KZGIQ`L_bPdOh101IzeecEH`m&dTD3DUz zA;zF`9g3zN;X=j@Dgq!3a88k2%jszmK)2?T=l(h5mH~CuFEosrY19;CO)Jz=-{z%1 zu^(98?l)o5g|#F1z3{A9{F!KWBl2RVox~b*v1DS=B)qY8GQ8B1xRy!@-B+`LKlogg zg@df7o3)P4tCIR`L|dC|BpZwtWEiO*d-PU|@a;)V;d04IimIwr^v6|2H4f>*)`F@!>t7K^p(bOz zxHCodKT61wI{98qAWJeH09QSjh3XWwgpdh!WH8mpOo#+3fM)HY2p?Fy)fH^k+TEMA zQv1HPB5lDjCJi=69EYl8Cg6K*+_lLvPLQmHU^eOj&4+W}3lWHo28|gU;fOI|^jP{;#qpWMy;+xq6|PVc zYkoHAtAEabuzG+suVjs4tb?3%3vjy7U>BDco4cH8lH0aM52KNK%6DSm0$Dt};Y6)H zL?fLa?&_z9+VGgh;83E$cf)ab+8@w$f@q58YDEpi@f?{wPtl1r%b~Q_aHL18kQ>St z^qP4VovPKxpVJy#G|e8$HA#DG8if58a}ImWm?pjr6zV^LU|)Omx%C}JIJZ6W8%{&6 z!8T{->H!%(-F;G53FJ1ccQn68)wkA3bBuRD)z&t6osF8Jb-uSO0!wlMSEZD7T!!!t zcxgTOD)xWdd+np<&dwiX8n@8?@6k%i{%_^M%3uD!{*-^)4$4sYGMNc~v^?)$5LjD4 zv35YoKtUt(53&L3JsXHW z0roOrF2KI6)$tY_9D}vwVnfyHM*O@%z6H}spn`o*Y9qi;R`kR?P06Awc9EwE%FJxG7>SN%P7{VmoA87 z)o)E>OVWF>KZ2tR<3bX4KA)j5N3;-tY?1m-jX0yXKyw^ zIU+I>eVz;G`8L^2CBgIpT|5X>oLLECt=^)GEbLebRiaUdMhJau0xEh%9cDTN(1zhP zix33@UXs)1LT_sqB_RTYF2n|<+Z_;3*JmB0QqTG$yZ}`}gH48+7*`ZBOfr7xiFP_m zN*s*R7`)C#T4{VXo06sng;df!y0FgX0pWIn4^W4L5VGC)vNOCw*<{lx{yEMHX_q*7A)n%eZw}fIT zlmfay)#^3m+ANis(n!MhH2r8Yn$YD?m{g=&QPn|9 z0oE@Hp~pCA(gWxY%*-YS*Fe7?qADbtUoE7DqT>mg%T7@v4_}9g+?(xo`#8}dYX_h{ z+?42aw|gPfsEiMb8nrwgh@;tveYBB4pBE}mfx8YXYRncP7`Td@1hBFSCg>u*^mbd9 zaRuEny1a;3K_Fz9R^+2_6*_o!Mka&a))t~kOIkT%iYzvR6%xvXGdK!PN%xHQ7n8_F z*&^Ypv98nIMqFb>{~QO37v(e{7K8(a`YXb!w)J!(s9ubbQM5YeT@;N;;vC>+oe+77 zT?1xo%4l2glDqa{xN2dSMYB#)e*_DupBQ5b-d2G-#;_zpTmk2kaA=k>qIAqt5~(oF zajGg{7F{irzSA;Q6mFZ)Fm7SDE*>w^Nm}FZ09Ke&VL*lfv=dO9cL`(Qts}>hqz^({-izj5&FU~{E=wX>myCkHq`-Nr%KhpA8t--MO zN_qo)VrytnuE#PeZ=EB(tyrt6BQ!^Ni-bsN4pO3=4{Az> z^CN1oH9sj|3WQAX+$z`DC;; zG8hI;W8$H5(UvYHvC*dG%mW?D1SeF8)FV3j-=T#Gpb0F1E`7@0yOWX5O*c5_?=bG1Yl0(uHRo})H%exhi zBQokTC%D|8rj9!#DdKi?^TG&(Bq9E3A|#)|obNCqd3XwkdySBRhfd@^en}`Xx-WzJ zKich@c#S4gn6i-{yV=mrjA!)f#}nRLb$yXVSb98V1AubBVMNaIPmSQmAqm? zE6Tr2rpQ}FW zDMsy($vO1`i^DDnCs<-7-4b^CU?gj_Wn(s=n2m_|&MtAP%qAisFoY!~+yEXI=H_{j zI_mu+IfE$)2MIe2+oe|GHU10H=IGX>YP(#KLoW%>7<0^Q>|Hm(H59@ggeAlBLK0R!TS!o z+{i4L`_l(rU|cWQ7UDiiH51pR)1`{Ha!9_b=z@vGqnNJtVrf}Z7ECqAKML5M7aoiD#9gILOuL)%3AvfGi19Xj&jueMA zqU7~=KAKg-ga_)Xq?R=K`U*~wQ4c6GzL!vDdO5JN5N2+N(g@^0>_C)gE$LP{<|_pO5lnT|bM z30%4%eXQ&5KnJg?Qc1!a7+Eh$HfSfav3X^i*aS84LUnenNgufhf=pnrhy-K)1y==n zE5t==_}kRrAbIV`&ivj76d0H;o}$1EDcm8_u5#(0xF=YTLy{5tCJ;E<`yxNCbAggC@yNuaP65lgruEoipbCRTyZ`TuDe{*`MmZ zv&0=MGrfRbRhS9r3u{v48;p&kUk}Uc`+y?DLFa<{vKBWCzzj7Huz7G?-Q3?jXzu-5ZU5RnYVD$TDx7S7 zqvjCDNHTfC73@!7m}nULZS`~OaIdvf-EUKp_DtZ3!IRl($#Sf5lJxOzv>Z49n22tQ z06`~t;FarBlxF`vmle6ONwzPAlid|)IWVz&>1pvK#weca(7eEmcC475u7NR=Hi2eW zyPC6cMQ?%Ly!M!2HeTkK%sGtFwO;6A{Y;WxT;Rc2tQv^k)uJNZKrPcm$37jLWNeOU zXN4E6X3-M^16C^Ni9x(JE*-V(o)K^7aO#sdio<6_woFj?-1H4|v9!jf#F z9<y!3-rCWK?kKIs>Op%cApK82^?@2k5Tb$N^e| zanqTm5X%~`e#S#2`c332g3gWh&2#g@rrMuaqDg`m25&j&W2e1+1gkVpn4!hB=60qK z3_M=Ubp}ms(!_oPP@HuxZiQYHDw(x!2?+Hp{MVP-e`6ANLD2_b+lobnAM7#0!W%IB>?I_7Lg2loh%L1;k z1O09{2#C_=Gep=k+#c|$Bu6bNbmWxTv>0@0Ho}O-EENdERc_B}y)tu$s?OsPER^YN z1iO=!{B*^vdok+&K68{Hbh(W7j9$qvT01)>m>68SL5Ma(ti*u{LIvb8P>}lK2M9}R3P$xS^(+F9Q8C_K#{zy5hEzA>0B4?xJL?VmC{eMZ>of>D-}Yi zh*D${>bv%+<@PkAxK|*jb%KmzVs37fjAl$!+0+cwb918!QdP9>s6OY+%|SmDJU?IY z&LDoD^`j}4ttOCTM327sV~}XBdLcK^Z`b>wq!z0);Rp>T zEeIy#;X3IWf_vJ89WVwd9u#nixg&x!x6bR@6)>NyDw9XY}Rvs@%^MQEW<5On7$t~sY{ zPKml$LwK*%9{)g4@d7@rIdcE$MTHi7^0lflB>%oj7mRMP6u)nMs9JJJ81Sq=*+o|4 z0EWdXpKCXM|2|;V>_2t?K7QJL2nUy30_p!-ESdS!yi(}SGGcn}DUhWjGPoE+Q4Dmq zb==(9Y_?mC)eR+KesvPYP(z!CpW8qJqfZiY077vtKK$SI3+)B)@4&;~6ws~zQZyuI zTadk+_5h+48)->Nm{LcTyz;7|~u|2+CMn)tt zMqF9_J4Pb^wUoEn#kmEf%?dEkL^=3w!&W=R5mPk?v?81>y&uT+h8-qR0qw*^L|Y7ODRG7$j<$Oiz}})OE#C6kEzG(S28sg<>9v9PcC2z((*YYZ$0l|&9ESbG$?5O^_~n;QGLoW zM|ebx9UtCDIpK(>gis2Sft@*LC{4huhyAELpYm| z{pqw@2hGFg(f*+vPv0~U^_o@W=b_VQiJZ}u5M6GNjnamCX8qG)m=|o`dgf%KFzPfQ z4uthjg7ER9Oi`*?=*3N`8$J#0tLS;lwKy<`*Ep~==VY^wdix8txxc&H+}kPvnEuE(98DsbAp*)8mNTT6-KlbR@Kw?D z1kZsh_W&|8fO|rhAWwM(r<5t7k%{|tokhOu*2)9vZ~C;MCJ}Z=+ggRENj#W|oj92w z6ch(H@IDnkB#{J*1}|)z)gO4{LfcLwE5TQ9P}^mkR&eZEo+-A6emw4p5q-tCQk~A{Qf! zj1!BahIA29MW|fEcga(>9vX8Iu9umePSNr{XsA!nmap~08KKe0Sx9lG@3T)0vVNtTqNsI^#}z_y{n0F*B?G+IR%MfGVwLm` zt~vDB6&#cu7(Unp9pGdkGar&yfFz;qdMCQ-KmP6zVt)C?C^jsl|7AnsSN{^}J$H?^ zlW6mVBhrhy*m*G}p^V14|jOWMT+*8utxRU=yK`AalSW zepwZ&i^$CnY7K<|o%4H@pg$?DPh z7OWq4gURt!rQ=C0E%6EUe)(z{C^-20Ud}0CSd&Ke{goV3sbopL@=|qPC(Q|$9RXeD zE(O|on8`!CmLn(6-$OXtqn=TE!~cJu^~nv)Bpk*4UIo2QcOw&`9Zj1?dS*`X;^}?1 zy(1g>5Ox6FNq>vYDb)f8x38?rWmcR=v-bJMm`bf-#NSZzY}6t2vi9haCQte7b8d^0 zs-D*1I6MzI>kYwSCk3j4)gQyKCETijEvB{!a5HDLHFXd{O&AjfSWJV2)DzF8sg^j8-p?u zS_QBHvlU*OV-X{2<3e18jaD{WNw2+3wYZ?Hp}O3MW6~MX6%yjT8ZIkMCus7jUUM=SmTn%lE`D&Oh8lwd0G1K8Hec-jY2w;HO)6}9c2dNj zd4KPk&&f>!mpV%io;fduHpMjlV!7#)!mATUE-FCvN_Zvj1$A;FhdoSBs-Q@6=N2vd zyB3iRt#Bfs^ih&0d8Gpg@*qiU&z$Qh(HJN5Z4?JY&=^|3n9hQz1t2h;U|L}}Wqvc9 z3hyBFKop9!c7xoar(_@~9!nL_x{6ftmq|-ZBh~{Wf;EkR6aJp6qvTaCp(DM;(S%S| zM_e{*5*}?RbZ@Vik2yjcL-cXuauMRi0xh$VcS+Ft7G2pO*HM$A*mf*p1vFBle1{49 zAYBrH24ydp<>n>VfRrr2!G##^-aRHieSt@Ycr5s<4Y&qIYK_pX4q@gmL(dx26v$tl z)FkTBof_qw2%p+24xqgjaOmZGibY*U2F_8nowdLVlH>(NoydeoY665L_eP)6yrI{m z|CfwC*L2r`XC5qf)X(}z%4DT{G8S{$4$ImzTfn%|%@epW%m3o$|KjHVQ@DA<$D=gX zUF7-a9*U{VI`^w3`wy}DnCM`1+TR)(P@qrE$%yZlLr)7C5XOn0EXQpTb&KPD?ZBtt z9nTq}P)kQ0VVhsg_Q<)|TtQ8=a`nx0M~%$ z`F?O$U{#EtZnUVFQKi-i(3-J|0p1hjmI%fcZ?N&AK8>LEK6-f|e;-3K6pGRAdUI!c zbAM<5u=8yHaI@7=&ktJ%o&AF&nB#UM5DBxF$IBATvkUUfiP|(2&t{{p*oDuxC*pF# z9&`0Cn}Am3;3QXMzvgT|i z+dgU@9k+uy4W_nWgr4F*aO632#T+kZ98O9%%>gUz6S+xoHMmjP%58&awajk{#@f2- zPaP+pH1oPSkvPu_F$z&QRx1Tu%mtE3MFoYY#&N$sV_vTmFnkca-r^*3?K`|?Ttf>y3H(vlGP{uWa(VD!oGUj@Q4{-<*`|b$Y=6mg~#Kk~;Z_7Vg;s_4-K}b1lxX2*631 zKGs}9)-)0a(<$;%1g||+s{iIR_oRN}G#H+X^$$#ECs6%rou7ZlpBwx`g|QGfzP5bl z>~{oQz71qjha9!~hWfqqR%R}{W*uF;Xya`@%fcphaThpLoVzA&EH{$c4zj!HI0al+ z5JFgNY^~vgE(1J)MG6`XIOt4!Y=Vu2cgGgu*CT8Y?0&jrrk!+Y0LCW_dr-`QFR08i zS*ryjZ3S8u-#r9oi<B_wQwILqIiBBKBxX4;U!=RDYqeCy_{Fa9a`b7`{|Q-H zh{T6==P0HYwR~f3!|3Wou?}SD>e^hP6iaBm@rRjIf`sK*|9j)4h!zt!B}aU;r~u?I zu1XmoyOck}c7*~}1$}NFKF4T;d9#f)2vAvg%b)TNBOEKNWhOVk+57}RBz#dbnZ^_M zzNNl!eP2nWbRL%hPrX0!DIQcVKC}3T?AF4`Ik{3o+pFO$K^j+$nMQ(->;$2>v{Ww3 zozd~covnO1^WCO~2Fe*|?nDED6@f)8=grQXGGcoOT%o~3fNQGJ?`rjJX2K9g;Gh&j zO-%8q*5Tp)p?b~Iezmjzyz^}9&3qh_H@W-FDiq$L1dR^H;>ufN-9r@=IL0xM{S$Iy zE7joubCqb8MAkPXM7?u(C(ZK(8r%8A+Ss;j+qP|OY}?kxwrwXH+uqnW-}iU#bN`;H zo|&pT)$?@sIhEdLed7_Ql#Vn2zGU%x;PsA=(lhs0tv8%pdZNS_H%q^v-(b=0%hwx~ zqpt}8*x^!Sf2c}SzF_hO5_s535z`1+%!rq0adx8Za&sdspUm1s0|e*``n?VqHim(cu({pqn9WP~!t)JKpT+LORu? zf46ly{ze`j{y6&!B>|y;IFMeP&?!A;Ph`CdiqS!zMKR3do{11JpW^~C4?r7@QSw*^ z|8w|J_+9HBv`2ye%_mvf_?)J``b{UflCv_ecu}`S!J21h*PP4iU;jCq=kE6Wg!naU z_J~pF}Y$_kG+pBTwv>5>sV8Lc}w(FdMQdpin z^?C7j&HhFZE&r+5y0-HO*mF?#_o&m-{oH#e;JBrwk#j+HfPWZNm92QR;@m~k#*5hd zO#fQZ$JlW&zZjcIU5Zl^xu|hAi{m zQrfiytaf1n#tn0WoP0rUOX7=C}^NRMvU&99wEEjO5RI-G>)=x6g zTET@uSj4sBWqgz(3#mEEEz#$OZDx+6L12-_w;7DjB&&ga<^}2M>P~`SOpWBmk)La% z)_*#+ER}S%?V==|h$J3L5 zIyAkAp+$LU1v?t#J+8wO3Wk&a=A1JNJ^iPVV9e=^1`rTE>5A#T2m@oPG}5PnW&?OQv-FNYt)S zH5~9hG1b{qH=BA2{&I-rIKcK)I@yy8Q)CZI#GX(eqHAk863!V<{E!e*)?x0K6TCr$ z*H;oK{WlDb30|}ct0PWzXL4FzT%jUlEH9NhinLii?r=44jX~EsL$^rligJ35i7r!h z>hhPw)z1mu^KTY03`ZSy@m>K#f>#Bc=xo4J{3XWZ>ss%o}Y%JzOP97dI}PDqzRrE#9X zV@+*cdbJ{xW(?FU!>$+T^7$=RXlms!J3**;lySj~Y7q$$bC27_*f=(4A@f31-A^~G zAKvsHW{R;-0Y_;iM0pk@mn*6o(Y`a0L|KxYJC7Y8{DTPO@NL61FZ|=FkDR!7OQOg3 zQ+t&3*S62b>rT_}K$K)4G56TWBl=V{>6r&u!SCZsYST4FDrT3$~pmi`pGK_h?l3<@1}dsNE}} z*$N;n$zLM<2zZVtwx4Hv;{QH{5D1eXx|1%zqFb=@zNBsHe)g%a`9IBZ5TuhGT%%VN zo0O!@%Bso??FDZ)KH5p+{t~%h1rQ2b@@(xo?&q{Ou5Q`_TlJi$$}A|}Gmxu3{E)m} zW9rVXiUzN`Pm(oD_;`86WY50{v*X$BUK}9x>l>N>?TUBX12z=|J)kc%C9VeykE|ZN zfJLyezZ&dmHM9-~W6WgVg;#>MD6+wxo5_y}=1b&sI$xj@XMP2F&HF%KeKl_h$`@VD zz;@V_-RqINx=ds$_{DN&(}jXm*ih=|t_fWgRZq`EsX4>03A7G1K_)gjCI!kTopt4^L&Q@O>p zZgXwh;^u(bw8`Y`#PJKky~VvX4xj%)Dq~1yB-=)=G*7$N4*#mnlVsS;^Qp_Vsqw@t z0gwg0y)i2PjMz0{Q<#SA`J%!m^^b{{->0X0nN#Lyv4ZX5squJag^`qx2~UdqdeQ3=Qe!& zoBVuzIOhVsm*8Qe-r^gbv>o;MmzVq}JL*{*-W#Ww@C12wH{E}CzBRYAM~haj`w?g$ z$g(=Abls(H&*I(`cZm|EIBSEi{>^5``=~eV-Zi|m$#~P@$?)Y}Evyr% zeM|m#eW#deejLAA!ADr$c_BXbjF(+i>$m>@^;T^g-jFx!L@j1>!S+9b?Ab;1HbTfx z013BgFkD(^I`-7xT;sNCj$8lwa7@gStcfc7m!X2V{q-e>jZdmb*0dxx0J56pLnmT(ZIl!;Foj83@+a=2irEH0k-&DMThHkKuiRxkt zn~c`@xGae7&xoJVWXrQ1TLCFsa^@*2+!osJwSFP+$PfE=_UlEeP@K5~a=P9}RWez} zD?}B3q+AJ1Pjag@p?ebk+{MjTrY9u$@-Q@YA?CM=VeFVZP3(xRz>oL@eJuD^UD?ke ziW&EUgOlj<`u`%kre?pD90(5z4$6L~$C8%i9Y@<+mnPyf{dDz&OwSu3auNW zj?oOLzQ4TQ34euLLcaHJ(-~wH8B~5!Ushk?4SSL5KaJp%#N!!OF+GyMLx zzq*_w|Hau7>y8M*ak&m8`p*C*ze3>q+6H_!UL-7~yJQ2Si6Z0+XizG7S~DDb_wKk< z`06jqc4yXH?bavl7f0lt^4w-fQ<=bXt2>bMZKc4jIaS1K$U|V#3D7EV6Fx=7Z)hq@ zZY0h*-0ga9?GI`kOg_Tel?c=?Uqlscp1qT64>3ew&y69Pk6)fI;LP)=O_c|1e{muD zK6$q6?Fl~5N%tqE&--jx;K?6?d#80Z@*f~B@xT*Khm|o8ix3*j1@F`HKyB$r5X1~0 z`wO?%2!*g>HwQmY!lt)=Z#Ug58O%j=Z$MZvTHq60F<;5W!C~N^KA;jb1l-zWKEts2 z9}OO3;6Iowus-fXTi^(G_H~`F?4JGg>8SSS?%Z&&;kNgF4|}S9o%Qw2?XkI?JLaNEky6-CJ@#{O3@no*1+ z72202E@@4|I~|_KzY#bj@N{kU0*ulxa9qyy%pGM^*%C!coq`zXt@n zQkG)iOQczjV;f++KpAu+rOkV7akUY?1Yt=9w2-zr2ve&h*!eG0J#GnPOSM}LxVcY| zpO!nZr9-g{H-l>|9p~xgk6al<_+!j#M>y#yhjTt62?*}^Za^dcmkP5KqQS;&0k#tq zIj9bn(QjMX$=ekIA!{7cI{7C_9&96EF671=A*zOS>6Oki(1>{M=>fb+%l$r?*C361 znE#x-@GP30BswcL;>;t)kaR>2b_o#aIbW>!s20Z%`nWVJ!>a4WS$>9c19T1r-d3reRuQY#xL}TUt;T+3u8i(`bf(4Nch{m~lk+DVq z0d+PuF6*8eAOiMN4qig+z{Y}WX$AW6x!+8xY0k3G>|p)fTkO=6-6(;;0z#W4s(Z+buj(mhYL$6bg?`%z|!{7uPM}Yng{ty(II8RBLidRWVt`N)4E=wv+7=}fJFC`Qu#(S(pO|(FK z66kS4y@79RpRHc%VtDx~z@`Vc7emdFEUH z;hYrZXUVy7E|8Tbc4D+l%4D_!wOtp>;;Pd;ndG0pdQI)CN&v2k;upGZyY2KdjlL}M zF{Yt3N0DZ5vf7jg;HFQx4?!QL>*f_0TM{rP?KZ%ivrqFp8D^RSoVJaE3FUvg)Nf*V zh`6BtvwaivdmX*0EP*Jllq)YiQt4cPu5kB|ZJwFj?cw;J;Ta@vG{SHqo+v#KTI$9W zz)4u{%!o?@RxR1LCGN}OESpE=%}2|vz{CDJ>N;j7?J6>ePqzNU{d?J)+4mwMg9b*o)Y*r?E*8-Nl}1&uL{GcubSqH z6_Yazch2yJF#=+|zaH;mkvdjN>f<`e%zzB(FDI+i`LgZzsr`7vx-(Rq&vQXx4Su9M zcM;bncjqIXQcc|&sN&9T0a$ZjG6@}IjdxuiPsJ}O{=&|DE8VWhoBW*~G$29x;$yIS zC@7dNR4WV4F*RkY#z)qOi@2I6M|XTH=;jqwk&7PaO%>-zrK%!{Z9uo!Q1&EajZ^fO zhLR}6gSQ0#G3leU1;IR3ckp4W0d&N-e)f30%6%rgaVetkV6#H}zL?;UeOZ8x6yD^` zVJ+a~|2&$};?!=VO{&IuvPz#T1YdH_8$%n@mMND+>iKoqcAjLzoZ_-ZR7v0G-R<<0 z5>H8<3!NLbhHm&X0YoDoPig)W4a(2+q+TpBY!qUa&5N|K8XpyRkYY0UtN~i$jwR(YX)~G4i70l7GR)sC{>w%!N~GclqF@cT0`H$R zxwj$6De+`v#Y2%;+txUPLCbjl-)omL`L+I-^S^w$QSH}o8|5CUDE}`Tzn9PW%i8jC z%-_o)$151@vn4!8Oc(yk%`lhN_VR0H>Ecw~y6vp@eVz^R4G+3(TTa*_3jeoxp4XUU zn@zC#44w>u9pZrUYICB4aL8i|+wDcYer&dm4qOf4?8rT0DysX1IQp!H2*l`Uq$Lm?Yn|%>j*+uTXS!FdfCo55| zPS|qcL;Ysj*D=>wY=ET?3!XSeZ-$M9oHpxlrb|-RT)O+cb~}r`r<8Dw(JX-hO@{wJ zM1LH_MI|2rBQxGNfG+*h)}_HK6^!#7v$Lgr~ZFE(p3(i{Wv8Rhd?0>PDAZ-HY{QzfRD(Esk{4^+zI4>aVoc4OBY$KxTPDQtgR40h0EWYMp!Md7dmZa$Y#W7?;gS<0Yr% zwx_Um`K%qr-g#55d65(RNU*=L|W<7^h{R_m(?$QInZ6 zktQ#87o0dHH)oHJ00EWc{VyODnkPz3lQy??mwo^9@lT4#Y_#jhX`?Rk-AM9}+5hp4 zSnL|IR5)Mb%OqdSC+X$wHSXCl{|twg{QkL4|9y&OT1hP>{lD<`*&=b%hNU`Rno?Z+ zuP9bgRN-L(fmZ`Pk^%Cxg2CCNFs1~oOj(u(b`=^y@JW~Onm@o>p(fmiBy-TdWPOXo6`L^~-dQ%>S1*RY`e z!`gI`wu+xJ=y|K&$TGW>_RN{NULp4%x&MnqJm~oB{(l1@4*4)7T|SeW*Sve_Wrr=D z?qOgx_FSbsTbvIrWowa%38ne5$p6e2%C_koC>-@-|NjJ3T9U+B$YMP@Mta=k^#kx6 zM6dsl{Nt*!7QVCU=1Lv8W{RBnAJA;22vJ^}|5TPta%QuZsJkAt}{|^YyJFMbq z$h#z#vQPi3bw9=6l&|g9+3OD9IVyu0ZHjM0{C+6E*|o_TGpeM0Cf)1j9%ur+w>N6r z>Ykc_M3A`7;kdl~*)ouC-lo@mu0wvsEP110ezi1t)W_k>4;SJ4hZij~D|JA(?|$I` z(>FX#>z9@ahoZi}t|qYeqgBCPe+qGWuan|Yidqj-V9tMq>DZ;S0o&N?=i~eN9WGVT zIqhtwo!qA6|L5bG0PiEKs9Ftun;+cr6=iR*u3dSlvZ~t_Z+88J+Y+v4Y8f^4HDjYPP5a7;p$m zXd*i&C$@!WiWCdw!JW;Z8Ut#~+YRq5S-j%(K28dhojKThK!{j5!l)mG%95oRRBF}# z@OKrQn%4H--JLg3?F349!#pB6ik1XU4CAncd81fn$B}W#8JnK6aCx?TTD3O+oDaXn z|M@Q;xmol6gJ2?x-~X>Ww^Bbd%zMLoc9qg6S-@~eL>+|6XhE4#r1Z)DI!D~?&kIM# zqGeM)qZh+C0Ge0!XU@gm0x7R~Av`$;G3ihoM$|MWevKEu-Y0i=TmUFKBpKXw<0*G3 zRyUj|<&5Tf<#?&ebv-m-J)yb@QmcpFvgIzSUg2$3@;le8jodEG^u|>qt|;0d%r!b- zBV0GFp%%b0sah-euv*L)`=O|$8=aUT#}4>5N8lAu$2{#9M~Dgjg;4VrGDPWIW%YH9 za)04nJyrA*DJ&+Hj#Z5Ep4}yBbC=&Kb$FReei>qqb^z3BY^o1OlD4pEEVx-2ebW#b zr4AVx)?+oWQ5ae8zLDj7TLw#)4}wPX4(K9csuIa5EJ{ky!KyOld$+PaN1~ypf;Z^2 zYSdhWPI{1HEgEKwW%eU&A>=&~>sJgqEm5bd|4{LUD+ z-G-fFcNJ>h_0_4r7}{tJ;AD$6;-r6>@SqR29c&$mJd3)EF*^40DLU0n(uZ4#_-h5+ zey0UW|EE%!x1+MxsYbFC&jDfZVo{=Vf0}kS_CCi7Ltt>X(WN4hXTfb;F>r-}yGLb< z&j1OPzv#Z53SR?ObVbU*p2Vb?L&r7yW`T5RQtyEFqrRSgs@-{wSp55zL%_TWT#phq0D6Sbc6XORwDnrZ z5B?TUK|fi7L#5EVN&ivi3f#%^R)(iykSSBP1Nk*=ghR=`$Q5(1Cf^k&KA zTDbe$WEoiZ{p3`HciOZIY&y4CFSG7z9yZV{a=7(3AG)k>(I3>tp>xrlw3;YmFsbU} z&c_+eNZfy4sMJUwiJ-HBYzv`*i)e7unnfJ-&PLaYB%s^g5n58q`Xj{3H}p2FKKNuO zF@bbQC?{o&Dr55>(EFs4l$tKT-+O-p?SeIDnNzljYsj3}y*LaIB7f|SMd4{2vY`cf z|Ms1*2QK*t@uxnZC_3Vt@!;$&8T!n}^#fnIXGV zh}<*mLYs{@T+)Bvm&oJP_K1>?STwzPTdzQzkHZXvr&4UJU$54yxZkEcwuc|2YnK=N zCzdQCKuo(j*-;&uyC|F`KU>mE#9MYi;jz?g=2>Nq2d(_aQprG%dl)hM8zQI^1pcL; zM4{@my`8d{OR0%#czn(GJ0hPMykRbcs;IqK83wsq=Y9SzYp=0YVk!q)i^$_@v?lJ| z%0Jw1HUUuhdmIx1EQlnEMB!fOlI9EVeTI;q0yJCup)g*-LZ7SX7Bf*z;cpy=n#*K( zcN?boy>A4x2EQNp)p5Iq;?ERa}9IE;Gr*3zB%cAw8~qyJ?X% zc$f=)0Y$*&Yd1RB=wFn4OZ6pdgq077AgM0DH69xU1}PtSkbJ0NG>B+Ff0VdTJqqt; z!19bWT5~(}cY-r9g=)=Mg6a!!lwC~a8KD+(-Gjf zrguso3z)rg@o^d8C-Kz7v%% zPY-nrgEnNo-?%cO;suB;ciyZqJ)W#&E8AZ@MRGz$_bDG3{{bo5e`}_yU!+v7s4~)( z?psjpeLTFYD0Jd4$ou6cP~sP3e&{BqAR|yvk)460DG*)YsL;hT5u%akk=`~$QX(Wy z+>Z@BYt-9EcyHw2stO|W56&rD$phJlk?byCNJ$+771?gE%NMSLm6%KfNy~pP5gC=t zTydX&Ns{x<1?5qz6lyfeoM)VNyc{0^WEbcjm;@rw8E+Dp=qcqjq$IqlZ(WJwXg*1w z72hzJ28Kcv{OuS-9DMj^5vf3#7I;7F87kj!6Vzrx(CXw08&QuPU#hH&TBJi4p-Z$n zP&llht;MOu9wFJ0MQ~At1RFf~1P?FAD?@N5L!S_((-AQOvO3TyEJK<*jT9Fu3uRTf zCDpFmRS_2DK$jss~(Bs-PQzT2Co!a1$>B3?qR2gs4^FJ=T4MlPfrokmk! zUP+(ii^HpfxCP~+{~g>kL_0~yJmsAQU043JN6voRSifN6PTA-Nx3*OF6!dst=Q_hQ zQ1X2jUmkD+3RSfISMOhY0?Ap4IxW+FD(J_x+Ki^aHar_Tfg+(==+cZTp6)c$2BkN; z=PX77Ly(uE27pt>AS^l$7yhiu;9V7lhU~9~uO+9ovLvkZR`W|G(NNj<&%K~dD=1y? zO9ZQ4-tM#~aV7IfMBjDq-?`11;-g`-d2q|A_-_X&oFiZ`s~#K)^fAb~U^3*rb}Wc_ zy^2^IwS-ut`SzPkGDGU)rp!bPJV{N{1oB1kgVK$P^m-WP#q>CpAq}gj1T(t7ssLRh z+WhmX2jpISl9a-%hLgX+JcVI_#t^}PlN0&Z^VGoOqb$65L2Il4s`IQ&?xQ%oL;`y3 z2!4Lse#AYGBKoKJ(_B(&X1C)7{6fOf-daC`GOpyj1}|RrdA5W zWV0;}5}py}FhhQinCrYs7fu8Qz2HTTA%DZQ5l8e2{PlPHAAw#B5j6hLNS{a{5`mHAQXJxi{eUeW0P3 zt?4b{DWgh~lJf+%ordh|8ITQ+r>TDFbw;GQ2(pZ?ohd6|3fqRli!zcr8 z2P;?D4!&mYlj1vKEZ7&JYcjEAf&!)URG^D_kUAnx0OU-Hx9y?Hv@c-dAR`t}SpK56 z62@A8C556a-pr=Gtj`NLM|Y+GZ$%I$SJ?l{>1fiebZG-7Qnl3oWQK>u{eq^qm@%Y@ zLVL;&aoKEJ6Z%<6C2nQWcQAVRdAKJ&)o{AxiYQNO-*=_g45ABHg~w> zj=Vow%0*Gqi$Rtsk~91I?hn^h$8Nr)riPgMRonAZX^r6nCRKqbvKM;T#_MiLbtKS` zU4*Na!X;YR(4-gITtkRxA;BY{b^xkAr)^!>xjmA3eF|_$ovM@&&;h#*+3}!(LIzn* zDCxm4T8w8DnT2AR&93Gic01r=H!73f`AVUn0PYDdhL%8PF~A4OvbbkB3=R{B7>0&Cabkwh78LN1xAAr z$viM>e2R0@?b%yHJG=FNGgu@|SZ2Q-Ey)IdM8HNX((+llGy z|G2ymQuWu#&x^kKs4A!5j(5K0h&a)+M=Q2%zRQR47K&6RWxriitS`5^zS{EJWM^dB zZ2J&SL|*PH`5?d)m-};pksD|Pl{sdL4?L4#5DtZm_)|Zo6qR_9=09&H`2wOy`lv3IkNODGx!Wrchg;MA~2B1 zSE>yrYP^x36&<;Q(E|4Db*Q09MvRpHK>7-a7hgA1YhenZJ0$wd>PnM%R9i2KHc=pf zqV5V$)6Kcx1xw^CHHiSGJ4^RmQduIuZ-y2vpW* zsBIxDZL6x_(?KnSw=^{La^eHhnOkO!qA0Ze{Q*l83!GOV5wxD8rI=4>e_WND6X>_) z^SwFvg1ycWNZeKJ0)0NNip5&a2>26y_k5RCLbR#{25}94!9_U?RZRq^3 zf79mLx^Z{VuY4QJCSH|>BcY4+-sE%>zPQOr38-xC%eSh7Qn(8$kcNj!B^Nu zZZa0n#0Soibzd8gBwJ+RamwlMT?4Wf-(eS+O03b(ypEd^(<^#$*W=cqM`dWVKnok# zdv>;(#+uwr-DKnPTN@5iamPNZ`9+?l&#(;Wf!Zx16Of`C*{X9FT8i21K6saCTTnm_ zbr+aY>>o4&XqeY{+HD@c$^X>Ol^oJcBlPeTG6_7QG8 zNg}3PI+j01r2NPUOeQ%_vh$P0y^+;lr+nMK8gQ@QOP}vAYY&~Z!pch0R{uN|E#dV4 zifY^SK_y+pt`ObW+%!Ku1-+V9E(=^c4rR&}2Mmta&eN__M^8ZbW{E6f)s6L4MuuSM z-K4vADlQF5lXy1MrvxF|(8TROC~i{tG0ZLtIW{{O_qs|D%t`cOC_@9;F%8+Cv!WbT zsw?+c-UeW>HwkZCD;vWIP0=K1^7+t8jI}0#=<4u!PV$pq5(0MyY$Voh_h*TnT(iGN z#Fw*WuZM1eA-`vX<;D{o9e&qdNl8Pr2AtW}p1iBwMlPZEtp~{KvEo(Mdt? zYd0J44IErQ%miK$_GXksI17V-luz1KZe-82hbh^$htR+(!oS0eA)4s2ak>*jnx53f zIuca6;+bqHziT^-<||AZHKlm6m!7B-I?nYhOvm-D_FaBnGL>3H)6c6tY$YH}-YWFT zTVIe3d|3S0Te|~vE<{`VYE)A#@CU!Mu!0cEPK6F(JU{jBg{{d*G4kkNFNj(|)Cd9+eI6Ebh@CZAKw2vpxPHsbc%pF|mBm0Eh}S@CSU( z)VWZWwwZvb=2b6n!l%E%czv80B2|RFb`%Bdn2D77p)rSkp^ok#IfaU+KSGvKkgMn$ zM+oBtp>Gz~cQAiJvvnfPu4%>)-M92cq7h#^_p#|EbX!1eM5sWwy#{3B60X{svFP$i zvB&i?q7Fb-ESynDJ(#b6^_5if=Dd0s8|h%#@3d#%brUPP8(42DZ4v5e$+o(L9K61f zect-eRt-$+d1oI3_naF&gUatL=((h=F#cHC)o^mCD+ns+t67LyH?Gdbh${GCZmv?l zjqb0@XT}7)juYR)E<^>!^_v`7wKH#Fw7PpN>c7I&mY$O*`0E_b8DI^e`>e2(ttYS_ zacWu=2R#f8O2&&6ote*YrCp0fk?WqktvmabK|@Lz-kD5lrt`1974a{7Hg0}*BvGT$ zr)!gk<*vJZAeQ(MLTZ-X+5E95HG1*~6Z^>0!nx2)zi=)Gd&&zzXfmi<5x?v3h--Hi zj|nbsYl$V7U_sxD(5O=kqB2^s?ro!LwQmqkOyu(=yljriqCW-nM@s0(Xc4ylQzBya zEu-7SO0;88JY%5bV4u`yVGabG;`^sYwi#d8gWj1Q$Q-sNOjzw`DO`}e`L2-XO&6Yh zj^?btN8I*Q-AN9?ND#B#+eF?hZEpzryuOf?`^1T#7d!lFd}Cz;<{7PFbM1$cK} zAo*jDea~ns(xrZ!C>J;#Lpy)|&iG>ayww+~^y3UVsdw<4lGG9leonroAr_hpnoUHg zAj?Q28;a<+ywWq)fUs$oxyCam){hRheP0}s_}lvJXheJth>SQDmg0CAg?4}JOSN+C z*7B$q`DtnzOu|?GZ73Y0`=TuFb+A~X_|(ExF%H$tZS<>mg_CQRKGnigh*q3gatskG zHe%56VZHY{vsKO?*Kdb$Xa7YWJq(yHlN#ZE*~7n-BYKX$!+UJ3+o?ov3`shQsuimH z`q#fV)mV8!G@GOS)I( zn%(75zPI%3dD`iBr)o&r0{9)i0X?YH!Ylv|%nbWOugn!9UZc+b^xGw)8&XaI*ab*+ zUxDWIod;41$|4O%lV8M`0CxSlrAsIzOrvXNK2)a>>=%LD%HCg-vyR5K^2&;K^HJ}t zLhuhbs~9Qk<)bainqOtS{t24;Qf7kx(6?j+dExb3g|w#?H*<#Tqz)r(Lu!l<9G{6b z0YZCu2AwXDgm3Y|c7!NG{N_%NorQY1DslQ1%gcUt5zg87hJd_+RtL4i2N@ihtDJqU z-_xiktc5k1`(hl5CkqUQ8p2FNlgO`v=P`9BQe&uhY43dT8fE|N3uAHa&6|=IS;|!kDuC(~bMr<5E|7tC5J(yln42%y~s|;s6Xwi)gtbyKwiR`Eg?JPoU^6(_*S( zyZ}LhWDU_@e!!)^ZbXu>opErPPpbBnWYO?l>>WUGz|H5b1*3)B_){n!^uL>7h{5#s+C(UqbMEIjML7)!O;m)m-NV`kyHO49oEO^!dVf((C`FH3L zGy(b4(i<<;ajh`C0Q9+vAp|>s0P5*72~%TSt5lewK3FIdFO!7So_}IX1M=q7UiE4G zhcaemk^pysRD#5}FejZ3&l+*6TOe+|NBalt5NU>R+O8$=IF^zrrb^&-Q+U?jDnRfI z?r#@$EU4yh|JQ`etH4@Ps5^G%CMU|XZ=4zVW)&UkG{eu0ZlBfeZV9`8;_R7Py2rNf ztlGI5phEKcf+P27(cw>S=*EPSWsK-`4D!$JJrYA%{aPSNr_@CF-ZeQ!Fv`Ax0YuI3 zas4Wo;9&XgV`nj7(Aw`5GR<0ge`r@PxOgy4!4fBC)ngbglzc6rU+n!TS0}BG?2ns; zYON$eVtl!rmJYOCv@a0uLApGx*S=*88{%Srw;7%Py%NE1uUJA!95T&9J+>A;y}1+z zYb=Ohkd5+%&;CfGdAIX`F%OV|^+(ycIb9zb63pLlHFr{m^UWg}LbSwq9E*Q2(?#dO z>VeA$76izc6(QeSJ8{+u>44Np%jL&1pImRp<4%NFNV9~DY9ZOkQ-&uHZw*L?@Z|dx z)e+%Bn{*yI5z<`#sIcJSj5~jYhB%rV7KiR93DmMh3O@d96B`&1pE4j{8M{;-Z7nBt zdP4>|L@u;X>GE}Sh1D291G6k`klusnOhkhc#!UF>5Ox&zyuEJ-^dMH``$?L9jXkTH z7r7U`IGIeyY%(Qvrbuowjc-kKxleZWmdFU;*U7&ZbpSAx&t%SN4K}+jdDHXTD)_)Y z(iSmk1pGw1{2|c&CI%S48>Sbwex)zF({(MC@zlNE8W8rx)tsNqv$V^N-M0j!y}E4F zor&$DkSMG@oyl{;Pvt>e9r2of94>YdX7BWHV2Rum32wiPmvzPv(1-KsX~sIOm+?Ut9Jt1=<5i&pS5xOG>YvX5!D|E!r+?YU(S*wDtDzS+N0<}6R!y}h%7jm)s`HD_ zW8SiL-X(Lu(FG0*$X%Tk^NWp+=Zb~)-#)w~vj1<@vJ=g3(@z(oaQRrEjjqRMEtV98G+aAsnQh!Kk{HAEFP|K=3d zAx~T>ffY)-O_Su-KyXbU;D($MSFz(DzA;QFE=yd^X;b6w|K%>MoQ_!S&%{|PPRVXk zmBN`xv^>FsbBAnZf-i)3ZKM2$0d8%rT75T>=n|W@8TI)xgSnu!8Nhvir)U-yXr%n% zY;SjXZ?YB&yv%4<*?XW4<0`!N@xQ(L4`L-6kJPmf3-Xo!o!(NA<7{LUbd#5wl(SGf z)n9*wC9$lf4=L9BlO}hlU!lTJ-!%=E&t^+0SL}VZ>=*}< zusG%|82rl+_1i*yIeWOr@KQtu<)r>&&6g9A^XY?=zNwLszM5H^r8_&d@gg{Jdoj<# z$to(5pRZ<-&nm5sZL3E&!e;nQU_y>E4&rNayiQBQ?N}BqHKkYZI>XgfK04>dkit{+ z7_NeH5V{1{3@`Hd>uEWu)#F1{HVpLhHNMda2Pe~b%xArAoVuQ?cjz2Kx2_;Pu$U`j z>eLI`viogOskX2qhyr(dq^>ROART~+GL#Ir@D~+3QknL1TFN*gFNz#av~?v6X!oCV z#I5KUZ-Rt9D%b!F>I_slw%R^J{|MavOHO9O*g;RTp*Wr#^le~UGy0_W5_`0<3l3LL zcoVr+6@pw(y}Dl%BE6DHIxg<-P#5e1Y|%6i7PZ|z15p%Da?kZ`B}8lL)5j`wg$$I~ zRC7fTNWzYzAijQsWU zFBAf^!KE_B`Pw*5TX(aeOyJwcvdxr^g;Q0N4MC_-l&~Zew}|uTx6;rjIJm;k zt*9C)cvU^zXTd@9HZP&6Vq8~X=x5NP=)9Dx@^Wf8aE>v*V`#nDucVtx6uz(MmRWQ( z%pP2p_C1*3C-MTxSqlH2K#{c?MdGR?#N=j9$?b&?%~b%uJFYtOxp$heRp}|Q5ZH)? zmnZ><#B$v!MBMQ|+iAL{H?S-XP&1i8pzg$K}RPOO)GBO;FjlOK!`tc2gu8(GiyB}CK-~TZ8u`G0R$9lURZmF)y%L?v8 z4d1XlF*Vds@WwgMU>WNh#{8d<`=86_)~ux zAgEXKDOAQC?wSdWn^-2>=mTd-?^=U(YdM7moEd0akwR^*887CFT($ZdGCKS^5$LbC zL`K!rrsa5?Q=sY)+PKuJGk`Pj%R%k9_EVUA416h^=e#M>Oli@-^Wp47_LeNaPXZm2 zaBs>BPE4K!erj<2yS=^R{9AJ31jw2I52WOvZ$Eez z`0?T8)$qdL`*tkAY=IAQ_iis16lNQy2FaG(NG`xmE@^@^0s^x#sw#Wz$>vXl$=ej4 zwZd*lVmWp#8cTmsNVrn@7vLZe1)#xaj$(~q3{Ds|NBT~EkHsdeba2IRRCiYy)BV|< zn$|QTxy?yxx4E$)PP=#agH$eA{TInq18s!u%Rl{rOts++FF54T1Y2qR>8d`bELz}S!B67 zY2IzsX3)s!eWM`UqR_#_p$`|D;>7Xbv~+q7TM^t00*i(By>g7>***d+#o4hUYzcnJ zkQkz(=nQU<_;r{);BHn3;V2PHyW7#?I-3fNZO&NC3`R9;u}LKq5n zfIve&1~5IR1dJMWEq?tuHaa$5JG$>K098y{_STmT3+=lB(3A_}r#NICON%BAa5QJ6 zO^9;)h0J2>wUeHaN?oqr7CofbiqSYnn7xv`{&sR71d0Z49u#jPR?YzF!WuC{7-Iaq za!jvR_Ud+)JAJllPNO6CqQ@GAVPgl}t$;PYZlB6L;asFE?P@&8blm>^i+^|C2HG%T z&L9wZV+-Cvf%Z;vu&xa(Zctv1>iq)Ee_3QYA}-5rN8=$W3s|M(QKXQfkCJDk(}D() zU2~|eIP#H41v-A5=Ix=G6+yU!nixS{LTg&?hgYX3yl3su*CSr^jE6}@zrnb;#&CYdWU_!_d+1wMzzt;W`*A|*ZC z^c#*~UMibtQi6EU`&qTtKa_o1Oc(u5&xpe*vC47)8B>HS8tEYE;Kdu==|m|Ss5V)7 zM|*-uwWL9U%H*yv2-5>xI41pHX}vy+H-^Q43v%pC5&n+bc=Y?*micXLp9A{Mk-VWp zT#9er9Jyms`;1}MTKT*TdMjBy2}JWfD)*bKb^Nw>!vU&!Ly-6H$D6J8cM@7IGjT2MWEZJ)|A~_V~?p{d?1&=mivsOMT$I4g`;F~ zV9-|r#&3c!Fs85&76AgJ;=a{C-n`b7cllyO?g|IyhV8D$=Wnoo(#w>a7mW4CCt(nl zO%k2hM!Y4;Il!z`AL8aI`ZZ21Gqv1=r+7SCTgTA@al%ak=v6C zr}fa(;}|Ht8ZFVpfeJA>%jrNSpxhKzKU!`QcT+IyMimOi!=q~xu~U>w|L{ALBQZUz z%Y_G0KyY|~dTsw$Ve~jPF(gqxPjI0PzuPF$&2-wNf~zhuJ}@yv0eoeIS6T*g?&qrr zRm$_Q;}tG3y8L1b<#GPWe7zoqBGt>O2nz9v`0OU}jV{8V!@biuA*a3D=oZl8Bt4pc zN(QnYlJjP#gCO_H)#Ge5fiPxVieu-T1&?R~VHGy)6R^3{3jC{N$3duF264a%N3Yu! zbEJKlde;HjYthzCr1eD(z=jl#DtOAS|J>Au4u8t=ND5YCwkZRHpIlj|;0S@8fRUlh zF2^X1E!DWBaY+}rBN)i~kZ)ZDlp@kjSh53+p%i zcI37cg07{oPT`D*4&SQ^ze-=hfu5F!>_%Tk6(Uryp1fpQS6Jl;3aORt4R3zEG+3C2 z_`C^PTpP7r(7676$rkP|)uT#YmK@t3-1DJk)37O@EPW=mg=tY*Av|9xCgImXK7^CmdHZx^hybnyN^09HV$zaINW zqzV**WRV)vZ`vy+-kni+Uttj4?lJju0FwH~>k{5{bo?lLBa|6UPaL1dPC17R&5wH? z<)60qI&c(phW(L_4cJ(z{ZL!^1R00H@lF(SboD{fK&V*Ys$#mP1;@pwg7S_Oqw}=c zZZ$ZXW8i<;ZT@rru<;<3xV;C7E9u0|!~IlF4HJ{LS}$8WScu-5Pqzj3s*^x)AG!$$ zbHyYyR%;Jy2!bM>&aUVH3;dAHvM5Y=<+>(f^oiv~3dJL#k0GlEgKBb-I-GP3l2Ip1 z{!VhiTT8MzaDXQ-*z+XF3sLG6sC}i1Yj>_Vxj-EAWtB1vC7&}DI}$CA*p=cAg`1Mk zNSp+UG;T+dpJGcnTCC%h4=+E!>46@Y2I4!(7<|u0vt$+ylzY$32qQZf zx;KHDTYX%@)$$A%VW`gI*sMj(Iq|iXu~=uRO~X+w zoxwR0P0F}tfayZ(R2#rHOc)qiBfu)ZAfJgC{DEy4NPIbo-=T-J341n^P~HP;IkAq{ zCa;s1imZO5SrtWBXcN5mDoL1aHrj9V7bh=zdp_KLrP8^Zn3hT!_Rm8Ev1uz3cVYaR zsM9!}o(|&fyM(;D4dU_m8YQdUL_j`N=60_XI!$^SOfQZSy5kv7-YL1k1;bedesBwv+ilSD9~Q4_Lzz6*adJtiD$sf zK!LNf0zlet*Vk}gvMat6qzkey(HEQs*G3VFdf8z(n)bT@qLyxe@Z*U6MiF2GDCjsw zAR+bHBp%v=fc_Ad98&zA^qLgYRl%V8;}B>BBr(~9ruLZ}e5jtbx2n!^6!5oj^z(|P zIedFYZ11&?nmarCfJk%yQvUOp{{ITj8kTUk3oIz#S{_F+P6Z%ug?A~YlaN>$l?=k< zf>j)3QyGaPzFJ^zwje6B_LH@``UrpUZ~b+5^GzM)6=-`#I~`vvLNIUUlb>w2mIfk% zk2qPQUm5hYTx7q^pJmF-XKIGta%gm9Wg9pi`|W3|bey&~_tpN^5qkY#yBnBF81xtp zQ#{hxPoZ8gQh3YYeTz(Zj{sQFANQvgJtfoG8A>VC1n`u=I3;(8Xg}!*KX4b}0H5of zlXPQz)WA0EEtSs^m)yI9v;>=wCoQ?>-x#KrHp~wH+u!&ODtVpmCF5aoehXOTI7Glp zQMMXduz$Mmt<$L;W2c7mmdBvQMSneke z41XNHLsXN6*gv~%RI1$tO)R_}U-sVCUAP4^^eXGY90BA-&qi1aifIbXfpNFIrvG*- zJ&~YHVq@VL5Z@tXS$HQ7o6s19|C)=|BF}Rkv}9$zl<(6P0=ogXCKGuFR}xKcvIZ1_ zLOr>mCc_*#80<}?GX^N?0PY`{lZv5T67*WZelE1CS+FHrHiiO$3`PipNu~PMbEtU^ z!)8>>J!~Q@&{S8WP#SBZVAVM6z9Y|3Hoyqihy#J;tTXX`BIWtMcaK=PK6@A8cJ~YMBADEGaXZ@c&Pjm1;U8Ey#1ybwo)t0MQ4%9uOj}AHsOM^yevhOQA!& z_yIVQDs<@v$+c~YLOFVuIBJ^i0Qom6f$rK883Vb->t67y1sUq7b8xu-{II!8dRAr$_6e|*FOdqy4@A|o6{ zckstIx2#8R8u}Sn{O~MtIAxkT79-%wB#-r{Nj#WMBVtjoE|&?X^{J4;LyKXyY$M0U z;VGO2K+TKE3M^*;Uqe=NaMmaVB_`_#LrcsIpq@?&C-+Z^Cx1IBp&<@teIrCuT1X-d zpWilWnQyNzxQ^*b>EnW`Pt?i1TdEfzVu4l?przbu10>y439w#?Wf{1_8Ck{F)emfn z)6<9tUK_Ykt`hQc+WQU~W$n&Lc7Cm@JF=m)e|GD94snV0NgX0Pemz9Hj? z#)I%0TF{^L)HzX|CQ8B(ICXT=PS!hI7MrmYog2pv?9edDWG95oMM|zCqTs%rqjHTr z!r}Mc;l)t#x4lDaY$uMkjM_IAYEz_$u6F5^K~c;(pt!ff>VJHW`F6)sig?URxg8K{8O;C}BDqsU zKK_CX{}4j|tYTRgU`Q%T-$NtW7RJWFn=gnch*g2A$R#|MHK5rII#?$ zu`IU$Lo34Z)J5g82rIheD8+=I1*W7IO~}>~(JIL3*c%#OhNc z9igiwZS+V5L~Emx4Jh zb}hl@v{GAz7fnTlw@6I1uErsmbr?N?L~b!O5gXP3M6K9*+wJ)}D5PYO0<)Hl0pBbTb0?r;H30H@>F}MFFj<)qYYPpbse^df>04iW_#M0t{=}utkis*-v_8&Sk7uLE!Q_r&Gqrz!!8niG*RT~QNdG|= zm(T<9w{h@!8W(S@365vm>ebNDIc~L`tTFiiZHAKWNae4<{{Xv4md9~3i|K|3i`K)Z z%kX5mq)rNx`d?$pZ940(^r=i8H}5tK^VtaHKM{X8-Tw+$#DSKJOWeWsbN_``=HnG_ z)c(VeiMM_7+Z^1!L_W)$+OD0fCAItQ&o!d9HT(9{GJWfR*-q!#PCE-ouNv24+Qk?i z8rOExMp=TXM%x0U`;w*P%czsBCWYX$&1}#%G3-@Iz|NZC>iAY8o4i8vO>B05-r7Fw zI9nraWJ4hSWD}cImU=v%)|0bKG)wt%w5m-zcx=w;hmA5m&y>ST`tEMZfs#z)IP0F? zm~U@W@f$;Q*Lf{#yi44jC5(%Mo*QS={vau<65HVTd2aiT!Z7{)VQqD}Y~miJ*F|Gd zgH0(>#*3qL@sn;8?^f12AMu;{?WtPb4g<{aWQa|666Y%2c_HVk++`Q|*CWi1`{T6k zQty8Yt-Ciy7R$k$6uv<9uJKR$9B|TE^`17&3NPQOA^sWRANY?k!(v`t0DKmAE@l72 z=;`J!KYs-}8ldFT&ye2WuYb|Y^XX+CCB3%(V@PFeR?%-}Fn`uRee2S)NNrn5`-8b{ zmFfhp2v+>D1Hvx|0Qq6J`E#p^!pIvuBN7E99VV6U5&?2VL0~>wtNZ`s?4EI0y9(1-x`ZN;F{=&Qxs*!{N+cz?4}g*&w$beRFkL9rQJas;XW*ZPXkUmiM8dku>}n{fgc}Ss|hWF!m;}N)~fCJj?YO zl6cp0#7G*!tfd)6GcvHY^V{D#x_f#qUEtWs;@u!=rn~y8uBxuC!w7z9K zmW>oQ<@h$$-;F_PP>qtVep5145K#%4Lqv8Mjd(aC0iMa=Z03b-c&98-rH%kjOfo}3 zqtw6c0AS^xUm^#6z`EH}9z^L5j8q5HYeyL&QkfuRWN_B>DzgAGH^W32JG)1xyE{j~ zaOAhDMbz7{L-}ZWi{qQ2%-!Ol)< z_=o+Sz5SOG4*$r3#O}#d5!*XFIXIPU7Qbdx!lp4hoJC#=2e3oh4%(ShKFAw;#2NR{ zU(4+SR-oA^`K(Jd5YUNEWQQTvYv0yx$v)X3%0NeK^j3y?2PzUgLPp0}uUo;5j=so$ zzYfD;uvM@3T}&-|<&A6p=!!BSgG^Mv4hQ|ZnyC85+WJOy?Qiu#aJ2^i)@%6syZb>| z-;_{DL~LQm#1*MZDwoWNgQzs>Nh1@MB7i2?qbrcBSI}f?=)>H$`pl zO!l@88IY4XrUig3Hsi%fWOMSNOc5@#(caj1fsnYrb9}M$l3LDPn15l8L}2lOG`2*S zHF5x_zTBW!!&Y^Le9nVwItlgIH(jQvr6h?yG>BncF{y|f;_0bCO~Zr~-@|7W28)gz zG$kcyrSJPg(&}K&TR~}%F-PvT-{oMiGNCU{l8`GQ#z0~E6FkT=f1cRqA?%f`PDTYsrcwjnt%8*Qr|{BC7IJQn!1a>ZU74^?Vs$G3a9=s_)DSiFYH9D zt3ba77%oFCHcAaD1OeF^1#S@;LIG zYe0d!coIH7wCzgVXZuAWG?b%@;=*7$+KTiuhY_-T7_gSSgm`BF%5Obp&q%#U)a4(> z9ey0AcW^uEYoAzuWje8nVXBY)3`wT)LpMt2PL!ZVJA*c17sx;5h_R#4J0foZC#VVji z{y63J7a^MrrGt5}3e-QfTtIt#nY1_4s5F0}3Tl0L_l=w?QVC5RHO{3EDrtJd0s|hx zMx(o0?g=FFvAJ<*U7{8-oKCGEL*!U_;dX+tx0zH8hz}p~V=Z9=Q$qNdeO*A^!+x1k zd}-t3L@(I=B2oEr!g_EprOO#$X0Hs@ zmotJ>u}!-Jvx`ffbcd2ye0hw?nbuDvo@HFDuWj*$%nEq_03r zAhybzAG2_9?e;>3(&`MyjpDle0dhpwAK@i471<4jV~%Dw z;7AvdFCu!QUQgeWQ5$kQ z&b=Wc2$`Ev+OsXX9}#-ac2uuYyO9>@9-EN?XY56D%JKWGJCVxr_M+L6`;fl>zT1$R zoVW{RiD(n5DryhP-;=iB-u~I%;mZaqk<1IQk6mYo_KH!MJbAc@$Iep^QN_T?s~_&l zUESJ{P)dghrQn6r^W1mv6QRY314-2^T6vw?;4O&Pg5_)TI)-ES$g>+ogpe4fMA>-{aFco|#c^(|6zUX{c7y2A&!#ekBH%1qjFhP83b$~?8oSPLa#s)}2T zE*cue?+ZGhLb6v)ph*o*lF6yFb<3R7TE8gs)i!U|@3$@!Z6}Qo(125j(%RMpq$-t( zHz}Zjt_G8-UYS^>afFpQH1bq#ZBBQI10kng9K%_Fse z7kG|>RYMi$UEe8Z$BT`uByjdt)uOI0z^&d#ZGTMhtK>@+>nG>FAE+Kief2tbRkSo@ z@-yk$KdR7D6=uHuc{^I!!*B)=&8vKs!5Fit_Zy{U<2F?n!l&_aeA)G9&W-d5yi%_^od@wr1vp=r z1?=wb0~o;W?q=G*?(R0|-J|tuzV$23Q5L#=F@~_v!(yz%h1|8DpR*u#B=`wG`g|Uz zNn{Rjji6W4h{l36;>#lmYS0hnVVXl8^yC`l9!bSC$5NcHFN!`ydnBW;g(>K;s4Hm( z-7sJL?oOoGY}|ts*XhxFG|PKbp$g%L={KrLK}3mT!a5s^?OO4eWn#uSB=gFA4xGe7eN6DWgklC+`xbw$U3 zR0ba&gG$OT=EGQDk+OZtBO>yjvaEdC?%P5&R#1(>6lNwQ2h*LV6g*bs#9Gl-pW zp!fB$&j9tvgC51t)P~PSxeOtJJF{cddrJHVPD{qXsg{l9^ ztO~yA0kvx!XlVB#5GF(D64ktvrjdRBszl_4oS(W*XuJI&ZdAxNAZH{09a2N`>vPH1 zhJ6m$`9(SaQH!<0B7DT?aV*n0Crc?t1_P$;0J1Gf9DVJG7R5!Yz7y4-MD(2_GeqRXvj)-c{}6ZHz)%zZB}LnA6NCUIX-~7YeQy76vxp z?F!ISq}zx$oI?qkDtuHv;kbh6wBI6AQ{sb6qN0b1G7`O`2f`-XJNjGep8x9@z5)vt zZ89Q6r^wNr>E!B(NOaI{fK{I*(F(>97&%wyy2}tbs~bnImkw%O*S_*NsT<|+Q8*Z| z?+`ldA_1UY;pPp;F1bxDBl@t3QSBZ!wMdo>!b0A;GZ@ciRf`F((lDwey*^{{s^mM< z@EE3SRpGXeH;|@d&LMafmQ#<8=9+qu*%rEg*Ka+m7Gs(YLT0&}Wza4!doBk4S}I+HLu9 zMV|wENT0wtxRxsC^WXM=R7zZEQ4rBoou(O;KXmV`DA|W$B59N)ZDf+tn``!`Bk!@n zm6cs@f|7p{VrZPwmML}u;$L;6w*EwB*^<7X@<<^q2Tga+OV2NnyS6V)so@l>Js$97 zg(H04xGK3lhdx7_eX76zYJdOLg}|H^C5{nbYiIPD86p6MLw&T1^#}09<@7#$x|GT4 z4bODtn0@V!!fMAIb;fQe{jzahaC2$;CdMAe4ha21G%2;*9S8?H-h?U$jHOXM79{tx z@6y7O+@`PX_8X!$Wz4gtHTpPJ${9Z59u?6ZhmxS9IW@X9qqhmv>^LJ#1lYgh{3*4< z5*=d{F{rI#1F2B949YYg7Ey{jvxv%cQdnXn-HuWko5dQJ&h2ny&ia-pz5b>4X0^G} ztkqVVWuVxYH1pvI^+E6lHy^$V`z`Rpuf?w8Q2IZEXx+1Z-7>1gc@}eS}7V3NRBWI)Q*B z*!TUn(3{b?7v61|R~&Zto$ZAfmBH^(+bSG`Ot6_;FkG(aK}4c6*9Mn{)E(wh6pVYt z9@#CIvdsLL4@9)*VNcrW;~2Y*Y3&+NiY;|SAvXU@{e!5NGEJ$`FX%I$5&!l#VHq-w zbf%S(UbInzMb3wdsye2GUYy4tFYhd=NRc62$vm(V)s-_qhzW!XDUz7Zr1ePZxe_(y zwuo&VmAS7v$`k5MWBrIuk${*yCloWz77I?jBw8%JE1a4#*_m~cisCF;?oTPheMZ^s zuqWCeXNgPmuu-CuntoKGtZJ7sgiA@R+&KL{h-YmOkKW7p27#T84C4gnk z-0t1gjq6n?8E(`9g?C>j2BTwUh!wZy)G*~@&!N1Aap+}=iQA_jPd5~6p2EN^i_6iV zloGqL4^z>xNotC|bXiQ8Lec`_j8wN9=dLWqt*QGLpygC-3y3r3v&^I%Tf!*i_Bs1F z?yN;v8wJ8ORZQ7*bz#SGB?x7@jz=%q6)&OeQko?`{3Q5;!8iE*Lny13mG|r4gRtxR zwd?N^>Z^mpqkXa31LD$yZ3_=A4H{KU6=B_2Wk4^f-|F$ouJp>dv3i|8s*3Oz8STuh z3`;AzVy$WyMtzpk%pIspcie#r2L2c^W?D2YqmTL7(s#20G@F$yZ9K!D` zEx?ay#HijG6-EX123 z^DG2MpjvZ99)!&NY}tpOKbtmi;#tb1Gs(l$gPfsiMRR@92by~X;$o0F=c(u=kN(3Hq_Ou2omre7CX?tYLKr8EfPgU~Y_yOd!cjXf*j_uHn<>IeQ9a#=*>1;4NfeA> zR*2c)=0Cf~{XT#?OIy=WStyIc^HZ_=&9~EBMkZ99M&>);e7i8AkAop!X0?{=v-8l3 zbbEA#n)D3idJvArAc^DIZ5u%y`)pWC?m&LO@86JI2n_}#CkCP4hoO=W>&xA9@wE0g zOrJ99kbbci$krv;_85=ZXdQBkXF{pG7b~lyPJr6`vRE-nu2zK69sCJ3%i9I~<#s6M zt5|i!$`D>~E=c)ob;!puYRTOO;-~4}@U{B}NnZ>GCXAvl(37jO`XSq^XrL7|BrX#) zeiUFc@9Y+4%MtJ74}d%h#mc+N5U(8s9)Pc?kMIuW9p50>vMi2kweqfPkmdmUhjV{= zejqk$YhoAE)ch(s9aR34IXq^+##OQVXwy{PIXOQxQi9+e0$J1GB=p8!M}_JSeGJVU z(DhUh!s&~Rr0}p+YTo|vLrGjaw?-^oSVFuy4FfWtzPNTMrwCqkViE}dEgS68@otO; z`r+8KL#KaNp*vT!lp_?OJc*dlhfF`ZL~sL9x-D@^9|NykkMBkl*osVaQw98_^w`}l zn;cy^M7L$$9UA|@@1o(|?s(+-;{ck2A+4>I{?dSkV4^4$5U@6xRta^tb{e;qVq!u%UNjU`NDh$#+iHdMYDxo~o2(2d5L%Edr=RIgzO2n#QLpdL0Mv%ulS zGme2b17f8g^fqz7bGxq@plCG2n)qIy6e ze~mBgGIkv&+Uz`*B|fl1`>+DIGe+~vTiV0CvDd|We7UmPD|0csy!|nHycHr#vt5v&;K#e|gdnAE62%H;gMk7Su}1fY z`2F?T8-Z%6*z5J^HBL;fASN|qNF~_euKH`=_OANx`VFA$z#5DPHmoD>i)LY|x&z`` zb;lOfz19zBKfY?6pZ@rAci)1CuR8d!wg2j3{{%C>owr&R+kGnUI>~4_j`@gK`N9$* zvM&i|PPt4e_@wVx3?xUiy+vEOxX)S6^|W-Qk^`ed@Uqz1ZSC&t{;=QrY3E3)bTgYG zwc#!ElLZX?JWg}wbkml8u~#TZu=)_jwP0&wPba8Kww8DmwI;JBOLupXF$0VBC2J}t z3c9j{>KQ3O6ApxFB+&6}@rZ@KaewAuw14Ws-A`XL_PW5&LW+eCgGMd}V+j2#Dl(%E zXEKnyY{eQSTmF}S>4i3SQ7R*{R2#hw*yfI;64GUP(rY!KK=mMK)~Movmdk*4Vk#ye zrmfx9X$6(UU0?gDi|_^$S}9v}l!d5%WN1EeC|^7XOXvx~G8FlGxs(n~)O@ybWkJcW za4K6$J%_E_v5S{99hL!dQmY}=Uc^KPEf-nny4cuOp;YLGFDLRnZ=DoU8{1;TU{yx& z`}rz<^7!{43ur$_<(yzJNV6}oa8Q`KFR~<%5u#G_%lbnjT)ez#mrnB;%zhOf11Cb) z1z3^$B(664k&~u6Q6i~ANta0&9$`2JpIy5p-jc6_cHJS|Brl21$Q@ExDBL55ua5V( z@VtdCLL(m!$3AqPaeQ}I7JEKcA(;65MC1Z~;n@N9GVG-h3%7U~=BWc79!|&$NkZ8X zeQ3ZLRY6uC2)sLErzFm6NlEZ@LOx1>IcT9^N1?7T@L;?Ic zF#{q(k=mKS%5&2c9(j$k%JP44WR6u6y1&UFSCs} zCtp`~;?gM(j?tX^m4Nx4_~ESj<16ahRi`6!lp|kCcg2=bZ?x-1SCsbPI9Jt7vQ#~W z2WSQr2x}fp8WVd5cE3SXM;Y)~l7_qSBLmEt zYffY(Ch0~}u7tt)n^03|4@DpI2$_gUiPe#qbo~B!;E8Y6#0oXjEK`623FIc`J`D6% zMvs(Ro5ljT(z%wYjC+*qtbHdFM-h-H_@r{w1bkr;IwVytlS-T(2M9aiK}AR(Ol@yI zu!oxZNSvseS z`WPF?nQy+bbcV2k8I6?kE8(PgCOjZX9L5K%61TY z@yMz2V@qF$^Rag}^2P4gUmHG+m{yJBB(Zmu1au8e_lX^XC|9beEbt0rC7CCz7GkF# z_!Y*!Loamt5{Ak>4ZylukY-F|G7dPxOhsZL&JGaLMr_)O@7emQ>VMRQ2Cg>_sHg>k zW>MC&jKEb9VWEd07?d>%5UQ&JL@@y4qbV8L9U@4YeDSQx>PB8KT>wckk;;Tqm`nlbs&9hEw1G`>FzRM+YX}4F-IPhwIY5BfeJUsw%MTU8&#KPzdMS4kuQm zZSUM7^L6oZXXN}khAul@HGmnDR5iqHbP8Ka42ligqvNKIMy$s>2;O!6CO+`zAh-+o zyBmz{J{&yc8+?&i7bDgR%0X8n|1ItX#zN%cHX$40GhuWQ+|iLC;NPNGuU|>?(p1KhwV}5crcMJ=x*!L?WYie)VSyRM#^%N5yyo#vsbU zn5q<0`G7bLbBJUa(Vq<>eNP7wVKaz;LQj(*N&%xOS-rpjc6fOh5e7O<*{E4uaWK>a z>+yc3JKQqtjdO|_!861Wy7=Z51a-Vxy>c`t+64jL)!M2PbQqKQF0m=x3i@)RrfdF; z1c~ETRFBUpG`zpn)`+A0t+vit>}}eHcs;zOD+(;Sg}3ZlT2VvX;&v%u6!!%fRcRYT zNT`4qMEF1w?;7OAQBkOn&H$mkq6mi6qi!cJW?R?$+4Dq=2g}*vmR|0Pp>?^g&Ym! z)Hj7NT=t0B=ToOsF|gU4HRIWm^mw3JsWrI5Gtz7 zk@2Ug43Zg@IFn>nJ&terc+-{4yM9B*wXr7y!wq5Ej(jvj@kbMruurHLQwc7MQxE0z zfW_(1MI#EDbGE0jP3=NFe)id!q1x-pCy_DY*;ykUi`p!a3hI7#wwU6PY3Lq{`*hd| z^vRq?0%r))6}2(k%n&H7q@5IQ1q!$vOIuXYP=db*Of1`_h=6v#3YZ9Q>U|fO@o;F# zLs`Mdph45y^504ghBV-a-XI?#(@|;Aai=2R;VBbO^w*Bv#gM6}_95QKCQ8IWVK0&# z&aN+GBJo$ynGV(GFx#RBgzK8!D65J1fmG~_!&m&h?+)BBs9k@DGxB#k2%J%fzg+Z= zIKSB2ZM6g)SJ2|83+=i}WoA^R3%fuNkN45)&vEGf)Vwv3?Vd6Yo;a^ADyV3Kxdpsb z$_0vYJyQ33x^5{zYbEF!-vA+P7>WW?`o(6c##@QVLXOz2`XlK=RYk=qJqE4^@I7DF<)e z;SdGmMAPmB6D(}n?a3hhY8b{m>EXonQgJHYKsrxC7qfw4{B?%Cv#zv|phlc1nT&y- zsW?`T1p1LcKN9Fi0{tf^&|g%*toW%zG>IrTEx8#0U)}JIv2;Pt?mxM4$zonlq}U<; z#5XDdnF{gM8(TI`3qUyogj^peJG^ea0L*^?3lanqOQEBIw!5% zfBWWJ@m&;U&h>D<*l=Sj%G`%+G*&3_%YYCLq;6sGPQ;&zWHW4ilLOZ4Cz2$UaCCIj zoi3D`OoxjXOZ2t6BBO8&P-H7t(TXDm#2f%#48s~kieo^FNY{%gFGZqo0#xF1BUYWU z&>oSsvRWGPwOChCoN1|W%peuS0%}F2t5+ctt7y#!_HA|TW8zBWIi(RH`%9o>XaI^f zm2OBEf^QwzjTp3AQA`^|s1Pq!)p=+t+GT7->_|iRv|y;lm&N+p>dMA1>uY85Y$6LJ zl6hb!IfH;1B~WZn-Z4g5;^HG;UrS|+OQkU}1MvXn31fX?v8t4(h8#&Ty^nNT;)!`$ zoS0cF!2=Sr7|RhhF$ob7%#N~&)p>}flI)n65p!iuE-3M*dt5FgMwa6uW4faB!-oNCZ@7BG2Ey7t^Oc+v0(ZmKZr+$)bsq6l+L>EZdV z*r=`5HiW{-^pxT~(C;#(YE#^AO0m12Z$imjAA{|9;&9~NRySdCpQ5KG&Z);yS2}1f z#qm`z@me2mCfIALih((5g(+dZb&IrTw>}ApqCTc5l%`s+GAkuf5`PtIw`&In6u||) zZLDEB6&d*D@ciiX=lz!}ow8Ud*&x9+1bzqBj34l;^xu+E{NnV-vol%TsQSGq?UX>? zTEQPx0f5S43n7&Ctz5djCf~=cG%V&E5ySF^I>P%D2~>6Izn#L8df6MRrkP=6h*iVtNgE=NvwL2TZ53e3>` z`s=b1PFJ86C=vAi8wZP)D{AWSN4c;BjfMVrIOMlz5hw@6?^*1UjAmmtrh`^xlj9st z;Vi2)$zVoKEeh@|t_HqG`J~$MRHDX>3tBQxWJPVq9%KdvEZk47GRBi5SS3oNgP-Qp z8UvU@9=gE(VSi_D|K+(@2Y}y2+neba-P<3&JbWdd)}FxO;x4F1F}(nR=m(GvTe9-L z+X*RUo;>JFNeew9SSW<~y1pzZ{3DrBl}<@Nych}qEwFA=zLXR&Q0Ynw z7OoO;CR(bdb=xc^YBtF^h4RB0v>HjYxh$GQYYJeD@`s(D_OnL^tngB-tF1;$%T~|@ znT0SlY}h7nD(RcU9=M)+TbK8z*H&Uy>1~VOwytv~!b->7$*FES>d;IaAD$e(GNns? zz$U#W|D)&DG~92Uot_`6$W>|N&#$qr>TJwXhdPr6PbaX#JShcJA!S(ogqb$kbB)`J zN8Xwqm}Ukjc_$>S)C&C;S8BBky9Ywv^1(TH`!KOu9kezH^2#0g8EnD*1-OcKT0$p-?(1%#&|x&yXC&~&gpX#Fhgdy|1LJy{UY;DDyx0;) z3_8+gbo?PkF6sB#wD#uOg|QE%7j+XGZ(in^u-zZ(#^5dP8Gza{UA8l{ceX6;!? zJ{>vl+}PvTzkY}a$6+#M_#}Q*3$AfWpWB_cLEjFp-5&Z!hPIB+D&yL4++}pigr^vu z1v?J2zAOW*R>>KrtL1e}5W~>`TEVy-gpE>AZ?3$yE{o0Pn`XJ*Y&O^HS0!xw+#Wa- z=%nqxlPT0ekjH7F`hdYBmo(&LwCs2t4D7(IX10)S0Q-eS+;FS{ZFil%ea9|3bn%9P zjXmK69eaqSuW@a3!x$n)kJN0lq(=-rLWnI@$LLe^uUJ=~3wI2fQl3YuNq&}`ic+&w z!auTU`kCLV{mys0cpKq%9WR6v%2nTQw>dmA9a*3b<`;4TV!H*;Z(#{zl&d(lRcc~? z_lMI)srmc-D{*s0{G0V>%4;sOxWC+Rgc=ly_0!$tV#O2Qam28>K+hdvTomP5ru?DX z$i*?7QRq@?dzqd%@|Lq+U9LzF)e(k%s(PYq-f>TNZ|B=LjJ5fOsCy)@phF;JI8g$-APb zQTSeZwr~@G8<~yB=Vp}P`CEY1O9GdVVljT>{}#Jwv_+uevS~gZj$p+oJ}3o!nR4+s z1B8i|Pv`r4i+io=3w#bG*$C?P^ndmCw10I5FExG1&`9EMhVhQkIL82|@7Q~R}Wy9h08FLRTdOn+$IYur!2Cl7Di`vB1)sb+UbpTqHT7n&`R+}%`98S6 z&3DOeuXak2;rD@hGK1asLCo&^V3OVULAKrZ!T+Y+ckhAiz7HPA?)zYNyYGYh*?k{m z+I=6)W%qrMFv&fL+kGGWx$V9WX0rR1bHc0j=MgmyejlUnYz)iVe18&={{!xFG18%3k&HrI#sY5)*ff_R2e$h>JY zAM-U^LGq_YzpML$m(>lKrPMG0gj=b=! z$dKaWVSvW21fifqox#*ya>ASRj3^sk0F5!>O3k(Pr=`nS!m$})$VxH_Ee|XbV&rIc zI5Vr=4*dQ&bZ8x9Xy@0>X8jG`Jbu5$Un65j6jPjj*eKOs|5AU0|E<=WwPvke(sX>+ z_I%In*nP|ci9#Sk#{Qwa*YBE<-*6~W8LT>Jfk2Bwdnxz|Z$rMSe|1&5ly#V&Co50xWJaB(B_bYD~jAv z;T<{zRB<>)w>@$&bS#@azmTbJgt5&uz|}ZBH_(|SB-Fscfc`rAI9<6Q$^-R9y33Hw zJuSo3MokdHL{}baXB%~*9lqFhMNzWfow7~2P;7hZ*er`QiU#L1H5?U;HO`S3i|_lP zCih2s4-lo}$T-deY+}Z4FPL!d(MJyRO)3FL!waQ z!y#@a45LoL?djs$!#oi^35sK{%Z$|3cTv>i=OiuBTRsWh$OH~huO1#O9lVUR&7 zY%WCemUA~Sg|w?=?q2RwklM1m*$^9Z_E+}K(&!uwMrJxx`i1m+%G9UMTMHdAQZQ54 znpuKYz+}|vV)xZzK0n{9Vi@@2a|)*jVnkae*`nk+h#lSlfk1x0pge_L&ITkGuaF#^ z9N&|VA`Lk?HV+N)X47m({#~R{0@Qf)I2P?{ot4+H?B7 z*aQAC?zG9N&ro7!${Vvt976DbBGEvPF_HI#qz-_Q7Vy00W|;-h$6QFEnG^J ziW{XUeVr%Hgdau(2AiiD-)Mpi9C zgBHGJ9oPnb<(}iWROg1tq#((jp+&eV!7%b09$Ng~Xqp>mX)RqfK@2r0>myJy(s@Ql zISL|1+>#+FO+Tl}0D)#)5DuL{moHfO7lE}FCA zjR!-Zi?t+c*!%JL?D^q|Y1BR&d(szilQ@kYPU3<}_C{DJ@LL~y%B%5g7#Jdtn)KpK4>E0J6Bgg#YP-9Ml5E{=v>4~>ssFKVf zrS7$oNlP*}MyOX=y`Pbe$(Zs}XxM#-))z>nVl(ytv?>NKlVZi!C|To?dgW8EjG6ng zh*o0z<#oL<3&t#VGgl&n z&6Z|ym_LKE+ZFDdV5?l1-_4KjkEj83KJ2SBvB)|x&nVJ6y4nm!?y&EKQ$73^0Z4)D zV?#n6n^vKj^An%Ng1W_zChJnM22l;}25sy>Rpwrpa$qCX`0nY!fxfj&NnmN1Ry?I= zs_It!y&MnsSmDMNA3IX}gpVA_p+>|Ek1&96cw!nXtkfeNhpBl3uw@J`;*5HBXHwYu zDK+!dciy0-%Phu~(r_9Up14^3#e*m3GJoJ`H$;l(qtY?Qym*BSlEoF9R#QzJPnIM< z?4;YYXhO=ml4ZQK64_15MhFM(Sj-f7T8k&gqSA+xxZ?3FnM{y1E` zlkBHs^d$xcg9$MhTzk4^FM<5!j6AzvTa7JEDN!rhr*Yk9YSE9+mAI$%p2_fI_fR63 zZRKbZl0^vD3yTLa>3f(%mb~_62v%a0j%~K1lNK}azSjy2^B;Upie;*J4}N@?j4UZE z`RJaUw<6hx>}rw?r(SEGyv({6$`@_lx`XjR^d0XiBvavznc-Dsjtv&1m9v7MLO5py zlSf5^y8sOkTb)6-1uz!%hI7d(ma_DaCvIcs`R-mp+y0o!Ud;C0^@Hwzu7*QxQgZ5v zz5jc0c2<$;%@NV){W+7e|^~W0|Y8$x-JB@f{HWg)veR} zI=3CiA^rLW2DND4VVX&u%)LGC_0&OPtjv?TDifIBj-1Ca4e~yw<&xL*m=TKv63#Ks z7>KKY!;pYvE+=J?*oRJ08h6yMhbl98Tc(W9T$RT9#>O|_Y)hNajenAMzKt|)n)doaYMz_|kE%Ivo>@es;ZY zZ|leV=6Df{0z{)~m8Kk%P&wUzFMdP&t)oWFllqi$#UqADD~t%QF~dB70(=0u+zVa1 z-@jAC{@EV|j?CyLs1Fq5L5i(ay!~+BIe@l%dL#e8 zj%SeqcuXo^N(dKTlXC-=LdCGd3FJ8KwzPwwTca^{P7hYBNVqV)yl&BQZajVVwycJ6 z=z$bw1HOPzT?#lc+;HrLTSB4;&JNQYfFgm698Nv;x zOMJ8b?S@$KJ#lhT-}qA75p?%UwnL^;ALIG~J2fM$Icmd`{L&ZMrVmijlQ zM1|(u8Y_hTnWw*P7tr+zH%QkW$vx8@*;g1#@D6`qaMpIv#jlfYv}Ewu+4G1Q9x35zpH~qE1dL+TlAJ%(JIYpFCSyhV`T4fed%X znjqK%FiSz)sDB49ce-74UblM=aJB!c%dMP#VweymOeS86W?gJvE?jw4Jh?QmhG?~W ztJnW$N8mj&ZDJ7Nf$eTQ+gRV+ z2O9?VIp$t6_cM@<)ARb&9T5ZE(}4FzHSq)RbFu&St%Ji5XBheym?e|30PpRQ*xQ5- zP9Ny3=XQ{S$Q*#2DAduCg2OCQZT=e+ok&^MbqOn4fKe@Gdr)Q_`%jnfHF2o8vEsRI zN9Nc>dSEsmphCHiCfyubhBz|1yS1G@=X}Ka2c(WBw|p3l9r&J!l@n!*XHUM_WGMMt zmqs4jTdXWeln~WlQ9SG9OoCyDD8%YIU+HIZf01K4C>0^l+>_eIyQixYk!)>ab8XG2 zbQeGk)Y^3Xr|+K8H+ZyJ+Zf*{?0d^3pm9mwBs(u(w2pUPiMkVZC{Sm;)2nssK{)oD zSP+)G5T(N zP5TX;|FC~_)F{5E&ua1g?&-Y|s4Q-a@k z2!k=)DdClcRhljhDse_7V-QzbR$klvo{|&o4$7>F;%slCK(T#E33vi@rWW(cc+dTP zb?JETREU$zsfl?jUSjY=9n6J7C}mf|;5SKE#lQYl)upD_|Heq};uY0;eM1~SH&)zm z(G%uUx(Yd6^lQAl&l00t+LvirS@LGIQ*z`u4Aeata*o;zTP8Lime>+jZPjAu+Cr+I zx*Izz-ndtu+jC*TLM0mXV2%BeK5*`S{dJVkT8i!+G=w*BCkQY&o;^TsMzW;`*~vw- zHoG4kJ=JC$VsTcD4CJv@gJP>=H0LL4Uq?Dr%JUSi7apsX97pm_?Orr#<1$5s*>%!P zWiWx7-s7SxhdgI0A2UkbQ~l;SX`P$rn2I)Y8ne40FCx&YYxk^Sb>Q&cvp&-A@YOM(c(HM=K4jQJn@8IOvw?|Ou8*LO@4@ca|^RtbUqecnZY_4st!JqYw62Cb) z+BiRxZ`PmU3o3&DmDt1_LxnA?u_SsH2aT~`F^*gk@CZ7OFY&*UVYhw{J8>D|Pa2v^ zEh1ZE;(Za`3rc@U)G65E^k9KAgUVBvhJFi6k&!53>Z0+u^E^F8*|@IdPDU;}Mk$ml zI#Rn?}e#cqnh97*QJ>cTM)BI+SATh<%@Yv(j<6XL+4^ScB zMGgS_s&Bz|qhPl*>w$SDnP<3~xF9i3RV-!$T=)Vn2`Gn;W)m$X zLIRWECXhigvbY}^T$Xt0kGigh8LbR!j|y^B6IW`5?56Y3gMN#+n-^hRSi6 z#q753gUT^L`KX*Kb{|wGTf?J0<&OfGHgfvD9dj(1mSk{h{XAstcUxS#g-!?eF%^kJ zYLu#@(tQjA;^1Q6QoYsn}ofbC$gINCTV- z4+eO#yDRYT!O_l(b2y;+oJ~m-Z~7ROIcLBL{n0{`79U1jexAu0W3p{>(wz_*CA;QD zY?X6hePOoCr_cWn?cN^1YFR?cv{#nz8d0f78|8c(o>D#9Z(#9^GC zB#1sAP4)iPD*+o^)svg)0kpj%r{iCF7`d(M3>^=X=b&}x$R4@Q4C!DdR?j;jLQyCa z$V{CBC%pE%_c;orV;J9LOI6_0mb9PYMukM~N2R0*6|j%85D?@gm5LpqcS%i_er zq!&I}d2q-or^Cjr+DQSkx!~=rvbT$Q-~$M{U*LJU(=*kq1Q&?A}oa)HSITacJC?YCTfC`pEvMeGfcxQ*{SqKdFI@T(_Rk-i@j4s?u znmBoTNOk$%vwbH9Hrq#Y`X7=ks75sF;`Qs1bLHH=c@wW`26!c#UN=y-vBmhBD~l)!ohgW^bzv0LCMB`yk;Nya5u|RFP~V02xR@Er!!Wd*)QxXp z$lwZom!v&ufW}A5+JN7fLbADC<+MGkWYbUC;i7x`8@!DrQzclaS|NQ-x82*Sp6Z+7-17Q+s0K9T3cWcru8X7;4BD8vxSu)z9_23%d)zRF%7Rc~S1*z94lk`hk zK=}D&187~_?ee8E8&Bv=OUfn&kxM6yn|Tg?x&7vuz)*{*9CZh{AwSTwy`!W2ktRDP zFX;+#T?`N6IU)r{d8uEi1 zwCUavrl%y?NvT56#vYpIAps%h3~sr?QQU9s!4OSyq(K1(v}6`q)l6T8##mu(cU|P) z06*9o%(DtwVp$gdW4O0mTqS`AdmnzySTF^1Ob+d zih8@yCK-U^7qb6`LrW0)fK{tyy%Uc1)Wz|WjSs69{1sLiCyM5z@ni#WLRyx1T*OP1 zIeD@n3q0Gz_s=$Cub*v3AdJTz`ovXfIOfdGP6njo&H&wu+K#xwwWCP~<5+|FJkR?Ug%R0#9zJJIq^U_kwICIod_Y{%1GhvE^JOy&sJojO` zWzE(tqaW5(!6mM?Q9X8@0kFOWmSNagppqdYg~Q%_TSR$A&RjuTl`U$Xl+{L#ky2h! zwiz=P1fwZ53aEo@c|LA%df@p+bdlV+)fpB=Y2B4n^aR&F97;iqLHE6=rHPs!A(H*N zlYs#Yv!3Kwc$?ch?dP4{?w+&XJGgpr{eye>pZ|ON&;HTi*gNr0hiAY3ztPL!JiHkH z`0l5hpKo8?{p-K~7Bc5c)e%-uZ?4p8&2l|x)?YW*->AP=+x06e$BTrsV#c;uF>B)$ zGI3?X!WmaR+3Wh(zluzlDxFLAzfWMl)b022=Y!ZUNmyT6gxI5_i__Dihlmi%kg_Ah z^1DV<>d}s1LWEd7TY32S<%EcpT`i`&Uzm&?3xtSOsFMs48$JJg_Dh-AAL^x4ot#F2 z?m=+AO!^X=hKGyoI)T>2Cq7x@k?u^5?W$((iz7CPEtS{v!Yl~0aA?;YB9wajyW216 zwiEGM)p9=CFXhK;V43l60kVao!2k=(I|b{n=%h{i;~!wpui;{5UhQLRF&!zgh$>g}s8 zT9CQDyDEk_=!EeoD)}?QzF>D(IOY~0R|}X&%N^jMDK8|;Lcm(En*Fxjd7GtVP!=h& z$d>X0m9WL(xzMf7vdomS^nsKM`OV}-DVSJ+w!oyWPXl7mhe<5~$(TAp^PG1RNeArF zW2%&FL3QWl14ySkFEd5botF)I_b7bk3!gMcUwTFq=wvb0=R)rC&ri1yK@yaSAN{V0 zPq4{pIZu*k9^&f3(@c8vKb+F!L1>BsHQ}(U_70bOq%zZvxN5$>#LOiL5~Cg#rr^Y) z=h+ORW4`#^6O_crPi}4!EEPZI;*vg|aC1+%3abc}bS@H%Z3S=a(MS2UMIPym&S?Cx zP`GafUTM5M68|_jJla>D9aE@lcBQ<7s6A@geE)i%gJ%SVGa~E!5O69CYS*GF{{HvY z&hGx{f%qwEN63{kS zz|oy@H;K|`8{?q`$Vi=GCd%jsVPs$m0|S_i60l|zFL-q+l)Wl$i+`9^acz_(>wEZL zR$h&!m9zLwI!SSxO^f3h8tFNrml*q#Ucd-~&<@8zqxgMcW+L1yeh-_!s4FXyOC%zC zOnFqq$3(i_HBohbWojd9M_G0EJu+FQNRbK+d$!xh$nJ2^Z~IpOHHv3bD=fv6c$iBP zo8-dMpJg(ajCu5&ta;R-F4LRqANr-dYc{?lW^y$#fk>`Y5p=&WbHHRxe`=fFN0kr_ zAxCu(FTgelMy}RIR>4S`lc?6h>_n|#=yV#2JY~E}0n*_DKgk6+Dy1GKdGUao6(@-TICG&jAT+LKA27WO@I(M^}?08`kKFm*dB)TMsjeh$1uDLTX zJ(Nqw-J3>X7A7cPBKU72>`m$UYT5tG>V$?kJuI*KfM^v@-_n2}t^Kfqe{3jF*2UGww5yw8<=ZseLAsnWP4~+{Sa~` zgZjc4!^@qMqr>M9z!MlyCOhC)4PEAu3FI>YJy$u1_{DGp+0kOE?}dqIF+U4XNRyyg z(c{l2V`kxesFqOna2mx~oWOjM^u(Nk2a_}>(3aSgC(1w4nQ6kNnzt{FxWqS7PPYp) zV9KHrXAaRxzWm)~PStc==v2%2D0OB^ohBY>j(H;V7^qiPj*cQHv&Ms1AC9dJVDBoM+# z0>t;P1dP5SK>ET!clwyFdUqGMK)yVqk|nFA8_+2l(Jn=yLnf)BY5^Rm-{#!X_KgVc z25rC3;Ceo`MlrWw9P$mCBnod(TR+8o*=T=$b>!9mIyY*Eh@`vFgooaTl#DLpy* zS=#*;kFYg#hYQ^%Q&bEm;P_yH?dhDDDmW##CG`&udPqA#&g8)xv?$n6&+a(nGJbrH=folGCR6wI0<-4gB`qF4yLMo13*wknz{HP|Y}dUL%#ELjCke@Lmlk!n+N-o&m3w&w*hEUOQQ zcsm}-UI27sUvZDRPN(0x_WidFE3;iZFO59WYGFa#o-5scpTU)Zy4#quZCiE?;kA%^ zOacf}ebZ{LH{p1`LYanF%VOfZ8Bc!IvQiOlT81v0#IZiO^UU5<#?E89+O*+eBgj8 zWm4um(9jh^!wME-)6pzw+_=aN0$|zfu8(4j=X4H+L5Z^==WUWeKZgk=~4GWQ0_5iYkJozKYsH zvL;a~AiS(hD4u-W)}`ye?4BMRi1U9PKR-PZ7dy|7_UrFqlq-~9 z{2CUf3|y)2z>?vQ*X|p$@;L)l*`sT#%b2UG6Vz5$hAtdbVXDgY_f*mB)tkn8tP5iG z+#p%2TcZ9x81~(81v+tpwidjW?Bzastl9-H-qvBG=y! zN5qA!3)tU*TTxZr3io#fk+Yl!0(ol$;&4_F*yX?cR^KO11_-p;{7`@I0kt-p5o=$I zA5Zr74}^LL&-eixwSM{VrdeKHDW~eacY7-|nQ9)(B3Yu>Xj*$s3jktAeycZEn&lex z0pDEUo2alc$#$jQ{P3YUs^cuvV;d(pFozbrUVrmj{g>DO`2LNWm|g`R(x2^QU#K_{ z57`hE4Pi0=L5ry%gam;nmcGZQR>La^eA4*Epe$B8G+*8>iHqg6)z?enO>-s1ADU%+ zf&Z-qSZGq`*rD#VMO~(rY}SLH9~^AQo5NxYZB+dbcF$C98ZWmxIH{ zc8bJ|)leZ3M9H6#Sm5&(Jx5FULeeaEwZOLV-=*wp(L(;{qJ;+S%PtziLti?>{y4z@ z3Q{n$b}jL~uu(Yg z(Lm|TpbJF?`nrF|C?81|3C_0?c=i>>LPzn$z#@Ew`5KI_a@^IDx#NqasPEq;WAZL# z)WPjKxe}8nO^Y%J75eK$IS@Evv`m1|cETISp=>NDq1OhR6&VZyKU;i~u3fWai!cLr z^#LNJ<43f9K0JA{AwGPFp0sxV^#Yz^AleU!a;=|t_pw8JI~O}rD3s#e-q8`}PZ12R zV`Dy>Hu*gSAX=+r6f$y0L1qK(*c{9P70^SFcR?&iwpAtC-|v$$>G;TDFvteUqh|MD zzG)mJBTa2HaPrryhL`L1} zJK{j%yEGn_3K`g%fv!Bk4!{`>kq#&%HBRY)p{n3yP#jmDi2=0M1qC+53~mGSvZMlgV%3Fqwt8*drqW_4U&Be!x zIpGwK(z=H(!D%DQHb6X<`6Ec3=8PmU zKrB3XxxWuDT0ft@{O8WgQxMJz^32E!z%9WH8*>U$$Z(}ht0esdr?0?vB=1ZVhEhn6 z{2zO*cngNd;Uw2s1{g-JS5*)WjAvLHx{132y2K_YM~BbP8%6w^^;X?+@+X#{@;R_& zX>|=+q$%^Sln^y)d43DkCcrc~sWetvTyn!H$r0P|)n}6!)M`jeAefwp<;BEyj3~QA zY+FriF>85@sV!zNP+^J10_k>Y0S`jDPRa?BA(PpbV#qL>CGFD3_48|k2#~BCa|$$q z;>Lgg*Ar7jJOzs&X*hC)5Py*LZIN>)@G^CYeq#q)QC;N(96RRlO9G4X(#SX)sok;4 z2d_QOXr*!xWgOdN)+v{-hGVKLl}J2VSW{M1u{mZtyBhXkbhQvOyPPEecFyrM~ysOagvOw0VYNx=L>o0j2)IcDt(9Ci~{-s_89D?%X(v>Z8qmi|#H zkQ7GOohq7G6mMFFqb|Mv#~bvXFQp~qJgAWq>EwTlnZm+Sk9>cc>%S}&v((T=D=Lpv zwTkj&RhA`_97=&`&hdLJ(vn5K2EO_c=NLW>YYr>|l)X_j%Wf;wFdw2Ogr&;?F%9d9OxOK@KDY=zj?C!?Sdj_;i%1==xjg}snv91)Kn~CD~HZ@XblP42~TobcP zmedSk0PrGwY5h9(L#IW`G7kDJ!Fm3NQmJe_VDR&sdB$5$*d-=kK9k=0()M;VLTl*n zg>^wxi(9ONQ#SFv=`+8z+edEdI(`SGC=3BcB#JHFIZA8Fu3o#by znqPIP4JamOcyDj3QQX`6nBo+Bdod&QXe2E%hi=edh^Zd=KAzk`62H3E7U(6)Wq7TR z<(#+C?ohfo6rWFaj`yoahv%r%_>5NRDkfI9yRAa-EoQGSjn1QaYQ${Sv7MO3xT=zA z<8H#SP(=YN2g3B&!DULlZwC$3N5Ha#jdk&NW0eiWz}v-*4A#>b3{6?q#2BoC_8K^K z33P6xI+2AVTLmq57Bk-Km_p(Sl`_rc^Q`9MIfaVJewoyKD`xnd8UZ6Yagjuvi)acq z64S9*z=~8Svuy2?1tcX~I3R5Z5_ty|C?LL28eByOs^v%|++)l`BB%8ll_X)=mZ!0q(OR`AB zt4X4?`<-zgF|X5UVH{sP4c3G>f9nn@Yq)3Fe2?tm&>69gjkEr;*+i|tQF9{*9O+4s z^$sQng7rfFv1(Zc>6RWO`n`^dqhddO5Ua17&H9_@cZV=Kdci--DibJCG?3>z9bH8K z9F9kB?@m9LKVwy!)z#Q<_(il*Khi!Ql3ogt9D9q`NExYEYIv4PLSqGA)mH0YeYGuu zuYO@WTD$MsLG`PzKords^Z_t%sj5`RSJAvbN8aa>Em^XKC3D1nE=huaMy2h@FGYs! z$tXljGUGX^UX9=sx6h5#Q~~TkP6)3-OSGOL&}8dAiagQyWfI;A&yW4et)!A?RP(l>cHvuo@}&(0R}Qz zA}m;1JzgGs{C?A^uRc3+8Yx|tE1y#TnCVBEPDHq~Jlp{|deXH1o{A6sFt zf{z3{ZlK>aJO_QjXj=g>k>I>@JC1-326lN{$&mv}LxKZf2q3)XcTL7)$IB@^+VCZu znu$koFL%57*%T)(mjeUJ+#zMYs7-D;pm{C#2~_AoL5s^En~R{RO|dj%|CVG2p}v$a zmogfCveDuOpv@(2kPm*@#i@^GQKBJ6Z{>!6wh8C8c$YI9?+=F^DrIE?nFT~91f(jr z(`&b|T)ZNZpxGL3QCXul&qWrSxi@NX`5BQTA3)YD&$3XkoG{HAFk+h6?3Fr7N?##-#sPY*K=oteBxqST3|!Halc>fIY4MI zu{EhUUG}*=-}z}jX$6xqbYWoDJlE7(zp7LyNYsr01lY$w!p&FCPOqG&qV05ARH}uA z7Squ(gK2aqRLyYMC>3|l&IJCUNhuW~9)a(6MYSW;gy~Y5RvT0mnWC)cXPDGvfGQsC z<-jESCJkAeBf*ANp>^UOV0teu#Ivj5keGciBu36Md}Q?XM{%pB5Q^-_+1X(kFss9Y#WI$=4C}nw-t%P zfK0lu8Rf{l*l@oGX%u*=TxWe;tePvY{!Nl&qEg0ng^~zng%(K$nc(#Kn707NqJZ&k z)Hc@9ja6Y_3mV%X#RVS@fi(ZfrhWs8C-=^V^PTqWR8A1OBR?ryErw&*aA63GR4N4+ zg{n&x(uov|A)rtcYwX!3h&Lvo+o&0NMEsoAvlVP;SejO`>DH%9Rcxe#WP)x@g3ODU zPZD%?5I#u2*+KY)1&2J|IXOJoKfh=_P>Sssyv*>Bu@a4BjmH3y`2ix6Gnav*Ure~j zcwdWoqbSURJoAe?37kp@I;ppxFI??}?Gh%|JKpVS1Z**S^~I5=jEQ)#5Vq4vRn{_O z*M1~h)8g7DX7Nj+RhheO@&F36~pk3+PxW zZn*iKNZWc&7!~T~j5C&b#JY!ODcw+xdMUf0TH7oQQ$`Iv&Nv2dMV?5RA(LUm*Y+^* zyLTAfF%~NL6Py^k!QEgSy8Q<^H!5IXn0U5#{;%U7FAg61mi6&qmwB*@ zW0iqQ=5a1TSdv_zpkio!0twX{I9>N)?llpHB|W!ue1wq3q!_inBO@`6B6wIRy_U zdrqJ&u_;fKf21?hq)s(&Um9_VZ={@V7iPeeMP9~}smhn->%#<-r zJkrQx%9kKVg&*`Jl;S`#Fnqwo)82H5y_|ufJ;c42u z@btb0g{PS&gr}e1{P{G?>{-sq=`3c>3lo$tk$xD%e=tGubc%8FY0Rkkk*>@pE6Q2> z!iY(1`(*dIFdan}6&Oz^*eRcWHv8n$EW6~>M|ZMejoJp`;jNp8k^d&Y84=Y~g(3<$fCu=;?otcD8oVhQK*d(@8 zUe61&Ak4kQ%?u)xdi!}qPHa0v=)~oG6g%_9PK8bp4y8m-O-m94e@Yr6Ar^^-MZsur zys(!Ces|n=bhvHI7dM$M=U2@0X|sngVHi^BRVGVB%l?n3$!a=Ln;HCmfdog8`QeRn|bq zd*_aP4^xUpx$YAk!P=hhRh_{wyc5z*j-uQOOkRqCEh(N)7o+ru>Hxaws{U}Obc8^` zt0<~^jZ@W*dKe>JyU}&;;Mb~3H%F<#eP8B@mZ7oMw=r)|Xm=jWh=6lG&OI3* zO@4{xyd<~T7})|y1r-%a#f;Ph1xZC_n-#OZrGtBYslfH$?O5Qh021=;sMm@ zwm6+Krd?J@i*l|iXzs)$7q52AkZNW`wT_w0c8+Q)GN94s&P(88;}{FDjmoixrj*Tq z{&MH!=GMhs+D0Ta%&Nk+n8&h6Tab8AXS3cA@0(Ya{VE46z57#C-S7K1t+59j)WrjIsd&?` z>YqRxZ~7lG;}di_D5;o=3gYTa(17NKE!1oVL%V}HYG-X=wTxK`=&N{IyA{3)K)H;l zJQ{l_)x%ShzqF7r4Gh5<7sq z{pJ}TJpk@z5?oY04i>>-`I^}Cy;3Od;Keq_V&~iP%NAmaUZ`a>&yzzNfQ=a1hk^Hyg zAx$~9MA-4VQkwVx=cSdhKJ^6eMaAli6)$4@y-rI~5^8VVRQv4#wVNeL(|Fm$dWZm!+VH8vT9BUD)|i);HGHe(~F9N6I&JhJu< zU%uXgKX0}y_$d!=RDs_Kd}py)P4E?Hop)ER*}d$YCm z8a{Wn-r(O%pl1a2Y+Cm?g0`9j{)g3fsQS)qy-JQv16OsS<-RS$cN-%vWa5!drb%@C zwz#2~?QJ<3@_2PCdc@(j*BebsrlN$3G6iKRsBhIp{i<{+n#JOJ(@Mg*-CE58goVWf zXlX#JTltWhX;4)Mq1B*PyP(y%9tOjg;dt)>CwjCFO+DN92jDgft9dDC|7z(IsbC5`6 zpm}vaK{LYvt-F06_6nXz3p(>?3j~QL8}O>Ho=5+3GoS|7Hs%nSnERB=%$)Und z;^d7ZuKchj#LsleEI^hqvtALYkj%gz1uEJ)urE@~xV^x8tpE}a-%@(^ zXwY;iyhJq(fD~MvXa7|Z>fm(aH$(HAnjq5W$~?U)g|58VHX*0?m*mN5faXovB-9D* z(Cth?9V#QM1}q7K2xLmhsZMxEsQKQZR$`FSYJi2%m#Sks7umnGF=5dUg<2T@Nq`=4~QD!ICXma%Qq(R=OW?F(KuUm{^f~9+fEe=cPBv zDSIHQlL8yVH0EY4d(^oGOll3BK^w%jVCZxjMz-@xTx7uorzCWk@Wpm-Uq7vW`)0L* z>%U;GG&};*QPab7r0f+cC`b0_PARL%;K4`B!FO)gnV3Fp0eG=Hl02FWgRKTW+brgj zW+>I-QZrHLsQ7j^F@^#kf_J0M4{blZE*G-T5YlFjED4I=3+qSkt>@o((cXZerbb~I z!vE9EEHdhbC(+YX*A3%Fb-R?Di+kKJC0mED+Dtyxv&<^8`1}g%1e}zzI^%sJ)fc>E z^-;2DEX~(}&-wm#4qpLo-67hN84e&VXE(H^!G}a!xN}AihgHz@8sOFbYhm2oa&o<##MS?+11Ql=x!&njgUBS5l0ue&%{ksYg zLu~GFfXX*<;Hrd6%VHn42W8)-3{J|%BM|PDhnK;p&;M_K_X16n_ChF=x>hcvu@^Dh$kAj7i5Hj$PTEhCwGV9Qk<%W#eWGkQ zGd$OvW4Lg1_#938Q0q=C1MdM5&Q2fDDcxn9@LOL^pti!CN%I zPCwVv)a93YUd*mE=#^?>Ssb5N_fF42gmBovlrAC!rkf|IyhgdO=r zrbR>w6!-%NZ6*V8ZF5q_zB34T?vP5o*u{*k{XP)L4dvwk0x6PrtV(c3jvdI$H=yi+ zwBO%7Jvu^ibh2~2f1YX9$v1PVO-@B_dv0)zlBg|)<6e)%oq_+BXs|*UY=Jn?`&b*v z-4*Wv-#PG=O8kvM!_+mzi@x6mfkkyR*edvlVhu?yU{*aQBBuU?h*4j#oWkZR0nE*> zV;57ri&D)lX*P#DQ7TffByP?X=eFYjH8?*1X}1EfSnT5@xh2HV5|DlPz#OJ_p+J>V|z-p6}kl-uJHdkyG&%!7vwsn{Ds{c89H*6?>aEtC;Rm?$cSTri$Cipg@) zf`NF@sRyFN&>7*)3?HmWO2&EUQ5H~X0LqVHqg?x4wW6?@!dM=a7l*s8-Qzu(Lq+~- zARM^~@d_H~jMQ37Xs{!(NNZqUxgFYP*bVqC318Q{k!8KybcZH=Fg^dsLx%HU`AR z#_Va8^{s3GNoyr9j?4J4Wwx|5d4DWfQDtGV9fARFY*B2q)L(Y z+suC9uo*)o1htA+5aqr_)Gbh@_gIw7#{xZ1#Vf(k)MjH;qC zA_vOsog^v+5*Qy!T_dOCUwQ6-fh{A9i)%+pL3r~Wt1y7GU(a^?EZ)mnsjd(dkUxTP z2aSN~Y`{(>y`CdoG0F5E&U+{lDCimhHA+yrbQg_>#?*M}R3>GZfH}0ZAIitSWDRjx_sgQL4j`K>k8Tq5f~i(jm_GMkwc<~A@bnUJ3O=m zcR>h0Ve#xMpiQubbv%Xo1fxB^s>-hY1DJcwA6*r+#UpJ6GSM*-=W0b8x$s3NHK}*Y zARzHw5T|#BWQ0ePX&WYyx>Iq*d!_BvtTmOg(|GfVor}$L-GAe0s4_-5Q?P?Y8TSl) z`jIXFf!XrBT=P)J8puvJiAi5Z%kAAzXtY9+o>nJfQb#$}f; z6cj!Oosl~X3k9_ZQi;KSS&a_GH5d*XrQ+_{nZQ4!yeQFgRyp9iU39}KDvuCVD&^;e z1E#9D6J$L<%Rwv+O1qh)U;uqUg1^GlK0nuxl^z6DK`IPG{3%se~>n0)RGN!Q`NQ3Mt&*sC*4Y-<18E2(j5S-OyCZNeeFR@paNPN zdaj1Sq#ylm8|0ady2zHc?rn&*ZEG@oau!Si$A<>wQsi$W9llrA%G)1H(Iv)V4^5_b z^<5BMqv92b+jH@f3U4KLcWVXKjJ?N?D(TTaX4WQWba8_&)kz?<@&rh#(B7-B2#|Gb zAEgS?zkx>OuyaDw&>bqQjcS@O9+3hzKw{@8Pv*e&I_L}`t{gOY2FiOga>GzviIJl; zUM?5VvjTP)F1xQFOU_!VlTEC8cfZYOwu!F$8@{~s%a5E1M@GNSx0lSLsva()=BL&(u zkkn-Zp0BbX6I}%QBL=dvQ3j^b^XbNn!mb&fI+h-pMIl~Ro|Kiz9GpIC4B-U&$EP8K zOat43{`aD5V+mEX?atc(x^xZCkv-APalnxD{c*o<15&|Y#R^?Hi|e}~AV8U-z)|bC zF2S`w?sxgr((y;=IMlzBow|r7#l<_p9uPJU-B#YYHo((@3-D|k1I*AGazv%T;gLlv z2*>UysFh+vl15X!0rJ+^s_`U$Y`$NstT#W3t-ltNSRl3ll}lzN@%k6>W>w8|vnFq~ z%}RewRVrqb+A3XQffeE{++TE7kz|2ML9ANSqU~LdYFWlxE8!$vmKz4|P{)Dvkj`@* zj*}$ScC+|B(AuH~qCLEU9;{GUm*`ztd&pG-c`eC1HKwNFb=G8v;vL})Bg!m`CJuc2U(61f0%tCo_kVxHij8v<$<&VWyc%#+RhR+tTA2wV`Aeu_8wE~uzhB>Q|jc(#{5j>+XQi9kqKP4pwHl2bm-O=w;2uJ^c!h;XXth^ zo=X3Lf*CC@Q~t?rri4)yO4+X^=#unRDHZbl?8zKeTb;562inC@NGG7xXNSABglg5b zrNJG6>I}z5Tr{luRG`qPg^KLKu*LC0z5t66gA*=a!j#GGjvWwuHS=a z-@HvWdT{vacz=tGLeXLp^_UI{3D3S++gRg;z_Tn_24<=k6Yyl%HzbRt>VTlI^(BHq zd#2&Yc}HHm1e2U|y*oTmTuB4WN&;fveXC$?u9a%DjGx%QO7q!Tt>W;rJGR_(AW9{M?kEPYuk51z|;T zbhwvlvH)W!INE{k}FvcS(Uwssas(NE7vs+%p5IwgYJlDz1=gF^gN$pi6qbQw=z-p>SNT z8JjwU(pPNJ#-kC?bIFhKoB)#p(p-pYXF@_!G?TexzYA34uJ34IE7fY(4ak4R9*2I_ zB}3t|p;w=X7<+q1N3H!=XQwYOO6g5%5+6#*QLDvtu|G63tjc)zl zI6yOE3Pg#3@dH^09w0F|%)kLEhQ_YrE>L%n@iCH2>Vi!{qdkMSP4b?uO95siHzn0m zE?%ZAO|{Qhj?=Rm)~Xl!xaC)W^-L80e$>FB?k692px|OZ-5vfKeUqOaC!4Es>Jc&<+AKDj(wZNOM_vyQ6*X^)>x%efF)L zD_%uH5(zg_+KNOiU0;b@TE?1D?D>GyWMSdw>wo9W4TvUzQr#)fzMPq6d}1F!?RwK5 zdtJIu-~E1y)Jp4QbJR8IVUpyqlg^HFF3}40u=-EXkRf9~kf^@cST81?n06O(-}r3Dq(l-bldg6I$GU^Q`r3Q-$c_!=B_2Fv~Qa znhqh_$z1SgLh>Zxf3hSzT_u&GQy@@*{Ht6c+c*%c4W;pBfad(g?ye#Cf;hUqrX^Cl zL*7Hw0n}%}abTonU4Tq$57Q7XII!M526kj$J9nBxd{bN3c+&g!>4N>ylH`OgWza6o zy_Ry=*3vY7wKR!Q%_3Puoe3Gumc@bH9=X6qo;!Hg1hgMnc_|PVE-d7(7AimO!bSZW zUNOE5uX=y`oBZooe&Lym2?A&EtdB(c1xSKJ!$o>!6^QdHk%}`1j$z{go%XZ| z2u=d;ONa+B%AmXJ@;_J)if-&I>qCFEp3G zPMgbL`5T@JN(tskg!+=~-F{*VlMi^eDW3j%N%qF8=VPxac7a<4O|>iO{0h%k)$gWw zyn_9+;Z)&gCs!wF_(`5lK4TAH8PAjMefb|)B(RG_Tx%ko|5Kl8Q(ZU4kK9eB2 zl!G$#28~B~#0ROdls|C?s{c=(>w!BaI!IC`}R}!h4Ib6b-)&4*|^rb2X9st z?aP^#7?8;naF&ZAH5-bMHJOs#r}1Il_%mloTNO_fw>{@3@PlVl^cnv&&Q3Gazdxk@ zXyVn!3}P*k?bGvv`g#`GUPPE3b&X57MF1#~_fstK1esa#d&%u3uMftae2(Av6@8l^ zyO}g*@*zsE#w3J?=KNrD%96(D+N?^2xi<#sDscwzv$iq5A%y||dNMoGeTqGMZ#8Nu zrbjI;a#?Nmg|KJrxwkif;xtPg|4D6wpTqa3@8~3Y3P-#jPYz#w-pPZ0b|!7wseQ;- z)$1n0NjS`77)CvtpJtaA>YK6W(6%E(SH$t0lm=4YVvxo~U1QJ{YIRR4aqxnKVz37R z+DWdO7cAKZBDyn^N@eTBxminrV5R+nK@qgxTr)4_oP{Ht79L@8?b*yuF%;&5nVRCH zWzN~dSwi7;!YtNLvK$RQb8+)(6$;Bbf*nlgz`pkQSYV_^t3jPP z?o#e)yR18rjh@t_S*@36fi*KCwW#=mq7#GsEH=xNHvgm5@}t%Aqt)`G)$$i_wH%Sq z-_>4OH#;k@j!MsNqa0N;=7HtOOwz5+ofa;ug>eS7A_%@_OMp2B4Z5NkG9rv za2F<}AB>Z{WwAr~eCQ66;x}vcI(y;Q`o1Lb{?D!pOO`{QYD@@ekzAZDV@#KTy!;3qne<)Jdx{Vb=mMGs(!37dQhOHXd%N!DpB zSwx@6k}ao8&T}$D8koshJJ$ohE5={nh?-7S9Y3e>{JuEED^VjF3|((x2rWmalDwln zx-P{n3+kvg=Gvh%;Ake4-NXxB3UyJ?QRKR@ij;sEx)1}licdMDx%pgm7oWw8Nb+5) zWf1;Pc^HM6o=IAe>p@!*6RBmQys9ZtP)gwI^J18PsS7`E~=vvrRiMW7=L(C@#2P^e-JQ} zd>kk#=B6l7Csd3H5keSK$2guu;Jz2}VLSTTHU$8j!`K=?z0k)vtWnj;p#J(4H*XTg zqHWKQjS++t0>)n@vX)8YGRiCxhWqE8mnVlOFSY~*?kq*3fUSNqHf##z-Gzj}1B7zJ)(GEAs)hG8fDbJhzZ_~%@+No%^1`?ut+@P|Sa8g%q;LT( zPGI40@?Uc0KoJ>C~VjyQ3$_Itkwq4PaQ48{RR(*UFcMn$J98OoFUgMr5}I=Sc6gxF^nSs)`d_-kTQmrw|KDlUa-7;ey=as`V4Q6vDRx$cR}u zYb^dP8&;VscDsy$D$woNBRewO6%`dm#2x9ZWEic2jdgJ8dj*w~Qnmzb!*bqS4o?S>@|-46Bc1i1+SQg|4_UEvvboCk%G zJnXJUUO~-Kh@xd!V=kV^g9`_I5W4&Be@XDJLlgRkT5n#paAX5bitoolrjK;wAFf@- zm7}=nA+BRs;T&TAHaJ8O)4sOJH?!?vfMk+(+1I=8!#|8s>wBqq*~&JPkvNX)<1SJ`mNs!#ZNAo)j%iWDJJl8?JpV8)nwLAnM+O@ z2Fq(nGOCcFTl8R|_5a|ey!MAqU3Uu>9R819eYl}WLGsPFVx=J`q+Ce0q>gIT2DIJ zOja6s zc1xGxF(mIwjTuT?-Q+~OTVk~YM#>;O1^Ow+iCG|-K>)%H-4XlssG+-kH@qWX&CHPl zefYt@!7W`u`ibwQazgPJZUrH<>C6*ALlu?5I#6o6joSLRwWq7lEbunmK)@-{ltv!K zQ9Xu;4^Yza;F1X=%sC#DS)y`9JlYf0cjSu59*9D$HbrvVLhf}o4nw&C2NDu%(eO+Va13x3l4KsDuEXj$2Ls1IZ)0 zO-i~IuTIW>V@X*s{@|P7)JXXGQa4`(2)ZNOfIb`K8?ay4(z!U&BEtA_a1b z(e}LpL4LKI-v;ibXjj4(Ut5>{$wU;^V8cg0*Vk&a`(gPyB+Y8d_ji1|9)ZDMwQrx) z)@mC~F}-~N`0|Ip)t-o2t(F9`0YKJgg>nqcdxYABZ)zJEz*O(qkQX26A!x!h(_BS? zwU8z_h?5eL^AGkDV@M?f%K;+?_EtYT+pR>LhZP9G%b`?&+vFAu8-MJ6rrlz}~zc1d!UJTOJ>d>XG#4K*T8TG2^v z06s^pBRDrF_LHUW;JU> z^8E1hL=*@1fBexR5MJ*8bjTn^&N~-r*lbXCUJCfHrHqH&wqDcUiZ6FgFeV#5_-&=r zO#q|pfDt@VeX>!GFX#mEqIwjQDN;3*%FM7mogQ`Aa3szZ8McflO7hsW1uW0$_p*eC zrA!5^sjCCA{{Q^I8D5L$P6r5d+XhDY_y3IAPyW%yTLst--_gN=1xZOqN!*9iC!Gqk z5Tu(?3GTWeHICjnvaSmz%`kpEcY$)cQQugdX#C>&@4hs!ZcW z>-7O^GwIZYNDUsbr-Txgcd24{y z^q5nx8oNk$p_d9hnf=a46aKce7RQxxeY}G5pJ|`*~4wUJewG$o|PC z*OcZqBFa&?pAFrgc^J?HS!hNU6I_p++mHue>#{{GIh-7hKW&t7xJFsK&uzp<7l$rk{7&Dwu- zlr=3C4q|2uB?DLj&U*>yBT98OdzN<|?7zd_jE5Ws#+VYjANcCB2g4(apgnqv?gC^n zQ=2Z~43$g!Y_bmEk}0%Bf?DMgunOd{_b+!&_D+wh#o|ZtmDpVS_L-=Q4bfZ`8_zb@ zH#f!CV*SbH#`@p>w(-r{Wl~bg?_JCs@IcO@QPCZpR z-b`%#(@c>fBWM@^bX!{ugu~wSP~(c+p!0v%bqqSAI2FOG;yY-w6D6eZwR!1MX0S!z zT3CthWHfXje%sqi%SoVoDas)h5Zw{CSN?*p@kX#LZ-x`Hd-lP4e=dccXhJ^?qiYa5Bi!ehjzcDE~21Z&JG@f$`cei=pWPR&atL*Xt%QJ0tCUn;uvt`W35|Dup}OR-DF zOHNnsy+f-6Q;pNKny_wNpNEVm=B7pOn`C`Xd@(AG0XhJ@tkeZ8+#qLZpCYn zbor)r$#|c>2VG*k%br#?379cF_fqEUK~*N;->yY*y8pK(QdEyUe_+c*)=L=lze1@X zFjT(&QC?b>NdzK&OZvye{lLzJgq%3v@|K$7?$4vzjWJw z-PwJkqNS_v6e^v5V4fy3TDl62zS4ExlT;@F z`?uIlY4%Ycv9s!cNL^>`K)t!XU7x5BNde|g;i;>?C04h^$L;y*f7&&{r*fXFL1*L+ zLwcLvxwNSPS{LRBx-!Mdq+@h-q%GSdtpE~iB)ULK9%a1fsT2j0jGO5$6g5`|?xd+q zAbq$el9Ne>YdPC?Zlk}Y)F~5%^?W_LjD97r2GqhOH`UVo+iB^O?4(b)m+rrtgt*sa zC%4Kh`(%l>h{*^uF0N*|it(IK8p-oFz~$IU6_%f-r`6g&I%u`<%!jOYUsUzIs(STZ z+At%HkETo=6L?DYZRo=`M%y{9+Mpr{bWc#pbb$Osh6iGL32GG)Y9Ge{CLGzq#)WYk%5RbSk5FJEH-sIJEmWiM#TcxU z><$S?WP3<*p^DBBGaoe5JjUD{02~29cY+EXqRAjp8X~654PhQ1(0b}|C(V9yt#eRh z=bbP!Q>1cGWIKuI97WR%z2Wy$_+6fRi@r3>*%BLbIC2470g(azv)Z@owYAz4<$T8m zyVGri&v#Eh^G=Pr{>AOrB|1(?`4Tf;1Wso>azpfiv;l8}icINx?Ot7zXC#~b;#~|i zjT6CEXbc0dc$Dum+0U`N3rf2gGs}H5+*BFJ-UYgt(BMPZaCE8R+(OUTCz2{fM)E>D zA7gF~YQSd*Bj?w#3&V{%sqUiCSL-gkCa0Ji7ml;$70?hiXH80#4@JKg@{w8k#D*vN zQt(4Gvk0YIQe-YA8A@4lj$}z0avdha8--#x9y!&}xea5Ip1wMsEb%FF9257FH?z@& z?zF4fR1TX*run-w&A4MuGA@s*8&}07!fQ<4-_x$tXLkBZC#dhCV+beGcKB?DJi+fV z>tL2w(h2J+2pc;bl_$CtMH#*BWrS=Pnq^`MBKkZgA@QSEdw(mn{1;ExH$?RZ`rAI< zI)AyJ>6wt(Vr0{Rk?^+Ixm(VhT3ng;Sw_V|xd0~r=`_Fv|BBpr`C8in1Cjv+xhJYM94QEPA(=nuuEU&4s}BmK zapRzVx)dUiYx^C!ly!ZKaKX%<76bi5m!Mzd6fA9WBs}6gfMSSWEvZF*&L{_z&+}W3 z7mn_9FrA3vkQp@l!L#!_ZaQyJVG&GqOL~yOpsXsaDNBJhtXC`~yiIwA<}v>4c!Vc$Mp1Vc)zZ^Yix~h=zlD`7cwg~+i>&|KHG2jB27c|QvTUm&V6L`2zao+Y)z$AXpq$`}k*eRUeutya zsBZkD){Wm%9*{B{wS_TSxUZ^{E5Y@s=9iOgWr3b|VAL3mY)WG@4J@~HYAbj*+N`Xq zHMnnE6DBb!YNIH$S$nEN}$dGkioD346ZZBWeF2WImuu84?T zHwYrx5wlv4Wj|gbwHM{&1{7Slq97T9A5#)u8uLOF2pHuc!b4J=e#p)^T3&=D=%k5} zD}#OEs@7(k!E}lxy)IV9U0F)-Z087`@W%7$w{hvBk02CatB=ZpnD#89k!)?j2G*Dc zEMz&b-$fm(21B!fam@M-2EW54Q8Ar3B$`h-gF@&>!0{B+OxcQJYFL<47mh0mY*)F95lzKQ z0i@z(sS!5I$w*wL$j*ldTq>KQYN%<*IA>lc%?HmTG(;Wv-oM6&a-qR#31;nZW#ff zCttI96qg~g$W~+|>s4_VRq3fJa%s}!YEPh5S5z6*21JWMETzPh$=B*61KZN?zatE6 zkuJtarm!S5*^cPs$iaR)UENoFy=Cfiqq2TKUTl&UflXcjX>56+(nEo4?8%TTu?rfK z!6>A4^qK*XW}Wvv#rTX)l~N~*5gr{5l9g1%Fa#8Mqi!)z20)ToS1si8@TEP{?+C@y$P>3i89dw{t zX>kSlr{O5~CsQ)>3A-7(x-}Qzj_FS(I&j4X-{% zS3Sm?Mln@bMV2>m9T{(1i={bIxj|v@LG2nA?(ctZ?d+o2#CNHLL-kdP1059yMz&fn z6hJsApkISnDHq=3ra^gVmqC)TzL9}5f-b5H=Jp4aNM@Hjz>Ysq-`mhLr&W;I6^ zINgR?wz^4(&sngjS1^H!c#j*q{>z&DMuY->q8*6}?;=)<_2znAy&mG1j}r37lFs^M zHr}}Gj?p{!hm16_vCIofcj%GzWidSl>ym=ja#~}gz_xg{S#86v=0lNGe90J-#E{h0 zLCuIOs_tMC{WLEOCye41u#N{A2#`nk|7d`6A5p1T!kQTFaLOLeW|Y-YYXNEx;eoM`C4}=HTW^SWR3Cv)5K>u9YbP1em|r+E}G5TZ7CwR`n;&tEJ_s zdoiu0Om?;O$fzC})gz<&<1wnGd$TCkl*}Tui?q~U;pz_{uL~g3DREu!;c5g&CY0Lq zNW3m53(XL@KhnCBVhy#0tX;=E8&RZmd4S6a_AS-$b2v=Ku8H&A6Qg79vNS_5tRZ9` znBkbTQ9#f9q+*>IfV!!e)<>g9#^Kr2GPgL7RY&QUvV|E=ikD=W7~7cR)BILE{^#D| z%Lye)3YqZU$nN!MECb+d?y#?QHUVqRf{H>qeWs=)kAWFco?_O=+&u|tG1(uyKtg?) zl!6i*+cL}ntl%r^S`#RAMZ9S?%U^L9n$7jEuB^*a@^*@&TPIG?2?V^5={y2=;9}-d zR73kWq@yuZS%9He8@g=oucEYe&xnhZ?ze&6hNffsBHeFZ5fP?OELTu42hO04Hg&K;YyR&v z-RBoC56=+I7wzY7E6F3p@?VrU-^#?AWteWgZ>~ozc{a$el5>Pv1`$OaS5mK@Y*=`L z+0OKsEN3`f&Nyy&Fr0#`YS%2h{tI_3#Y-p+6T%vzbWdsl~gLilicXp)^Oa_j2Q8X-=Hl7AXvI&zs2$Qmf&b=y6 zaCA<@u%gPtrY%)<>IHO%jFycg7PR zf!~GG%O>D*zsuJdSc;79xJW;gSc4?DVg2Lu$BVNcFa8lnmat`@mn?X3dV18#D$Oh` z2G{hwCm&HjW9P$aZU5DN*^DX|^B*-@HyVxuMmXu>$<7wj&oU~;`hn7nIVg3G+~RZn z@y^NN!Tvd5I?RIM!`5R>tD`?(^`(X?=G(7rs-1K}A-_s=_Je5eee6M!X= z!6X(yE4CyV!VjD!{8Wa&bFhL*XO6Btk|&1IwLJ{{?j2w*-Fjqcp0kqOCm!mlmB*gh zlGUdZwRYZNj#jd_Y~fvpNf2_i=$|fnB6Y6Mu`J7Pt77l=BPK7DB3JyFf_V9 z7J6I(9ba1@IPfEoJ1__g+nm7DaX;4QY5lCW;Z5I}slOQwW@_+I+gRcd=_t83)1rGb zA-gw~Fs#BZsEFxb?!3dJXjno1TBK%%GUGnnaWJPlY*qY z5Y_8ski}VpqAZk^Xi8)hV5cL;d49f!VT9QaLnSj92b_MDBL{W9{(2Oy)qJHy-~IY) z%Gv;I8G|oKU{M&SgE4x8N4bcV8%Ink;M;QBLnU0_?SNpYnvwAIg(o@4X|oIVQpFf9 zc$;_yf+D~ph1!a(lD4veFq#U7VPD1d02ym!b7qDztG9YE{C3cV(N9{o`6Jl~W$RE^ zLz-n7U*;|2!l7@L#g88Hps{C%4$e4;Hy|nLb%8n37@&;&**OnaOFH!@rs`p5YL2m{ zmA&)h`4hsOD{^}rq1YIpURGaJu*Xq$nrJxzD9Ck3_7!G0xtk@2Sri*Se@5a&>GR;q z^>BRqZ7Oz1mPgmrdlX6H^0I&2^uKP?HIHISJe2#SF#3%;Yu#qox1@8f+onV4;N7Hl zN|WM@P8ciVe_P1)Et##C~Ba!@SgM71>m3DegVavyJDC?J&*T>6a3 ziwKPP6J_)vE)m2HKr!EtjK(C7du&}bm1NAAd&%4s>uXuNLV0Av#;9c4UCk6C45s=z z5soW=Z_GtJGSOG!Xe5N>pz9oj+e{E+2KUOElDUv>X%fCIWue;AL=WJlsY}1K0Fo}v zho4ImP&1t-6OnIyA>>Qn_AgxzhxRI_3CV~RZX#zACFj6A=|#!eNTxJ1c@K~sJ5D8s zZk)dl_iX>ZdoU+5_af`k{^U#2{&Z`=hK{ExsS`KF`g(0G$`qu;Pj&?iQA~r5-8mtH zSoz`X+l|eqPpWI{VyA{x*J~SV%C);9jMvZc^{d*Gr|W-vTE)N5YA?>HBu&73ZGVq` zBSCB6Y!%z$AaN3 z5RWd`YA@z6kPS-;c>zfDEfpd|MaU>*hs|iyQC`jtKn*bCuT&c$^=TpT!pqML^Kgop z;=Hr_0-uqpc;h?M0KFXDO9UAv=jMe(Orwm3z%ner$Yb+YieSc8+cLm!PjHO!jt@t| z|Ee%~%iaB+FuFNC~syB+3TgbV%kCC&mq~ z_5CaD5vhDQwDtWuB80+BBzsqYzykb=_Vs2Ggvzkq+f=US?$>nqh#W*qC|iJ*^hk;lI-CP4#EhMAV{* z%H%yT^KRyFC|jbK-Iw@w)(Y~hVzh$`*$VYkd1L-&r@Z&&K6>gurTE8A8A&$xdBnkq zjP*mr{Ia5*OgbUQgo#X%b4u8mr5R2f%;4siJm)Ou3=fZc>apfAqEzvj>#*$;jP_G@%s2 zMh2V(K1fkI2dq8q->F~=I9#PT=et?-yWktsHg_+;nImsEys5UmtFe8BH`4(MVPfcv zsu&oaL=6FZ!IjRF^UF>**A8_S8`VL8BwM#T9cLH@skxdUS}g)DPx3-sZY9btCVgcK zSWDRwmJtIbi6h1LH~o)2-_OHE&6UZS?IFBGF{~vvxPrNrF$$)35EXMeh$<$ZHLFBs zVv=fRDImC?(0Nh+%N8c?AxmTpCP$vgD@wSzlr2+a)|oAN-JgciM!Q8)#EGd6(AOe$ zxvv%8Qxix{ot|V0uURK1J}c&wq~~KMw(|fPCO-FA;;TAi#;Z)znUXilEn9XzkXbd{ zt_R%54O;}kIQ2{j8mMF_&J(7SBr%r0K&Q!LD1y=Z5tm+15-QM2s=ZMsUGR6xv7_w*Pdq~7n=0zY*)&Aebp zpA;t_1I@?@mosjNOT#($p||v0^1{r3^RmfQ(kA1xVNb;j;yC^OMtOif{A|tHSxpFL z&n)K$kqyd1wm#_#r5W?fq^yrK$p|YfrLPX0RG652r5tks!bfpWACq#uLhpVnEJ^svMFL$Eo0clmv?eBGjYHVE*b&D+9$g%s9qo&g)06Wbc3$r9 z%?v=gB~35x3~o_xs_{pvZ0lBQ54}JXJZVxWHCIa$r2lNQ**~({H73tz&sD}meVSSN zQgi}e%1PNk_Dz(*;q&Qg8BVo!z#AY+lx250{14t(R0lwjgb`2iv+s{N)n?THFZiZn z!3F<9HW|(Cm#u!oTNM{?>@G9->?OHKQHp_{u)Ye!S3$GsS?TK{t66keM8OOz=;1B> zprX1|(W+ik2r$binsWc1IO(wHt_NdPi%!-6Da=kS&CH7+#juB+d)Z9%X84Vv zB3ksf#Ok*AxE+6=y#uBU{5ZY^7M_X(a;EJ6IM2vWQ4aW}RZA&z1M#%BX0gG6T+LF3 zN`sVoIet(JX!`Q>L7#o`gqS$gXqp!oc4C=gwjQyKl&Mg<*X+-#kNXnlf6`#*p8ts( zWr88fLJIX9?Qv#eW=)FG53c(34Mn{$AJkTjzz}>tb3ulG%6xSMt0$e`;b9x2Z6Plj zIsOQ(U!{=(+kgbxaNIN!EdfO`5VTYi0)2nGZqR`tVMt6JZk8}p1EFMTaC#s2Rn9H6 z6`|y-)Hqpzoa+=jfs5|e=R7>IQF|s<2KHUsfv-<%>))5t7ttn-qQgzk2o zFck?_mXP*JvXr5{%>@rNbHFl-jDyR|X+OhNT_W9m6fykQF~-Bw@!X;Pu0JwTg8Yb> z1xu!K;Bm4kS+646PREwnHN)!>x>p#Q%gX{<$7JeVL@PuX z3=ML2v~zrP_*|9%l=#m$h~B;!`9W|@-rBYN;mk3Hk%J){Obj&L-iq=yLMi2#VHz=S zmIgkE%0Qhy`BZzpSU#4G!Q^-tVlS}o0&=n8Sl)NE^#d{?hh2UL``XE-E2FWeajSH+ z*LwNmNeeACON*dk?a3$iBhTqZ{w-USo;{<(tH)>Q`_(SruX;{r!j1ldt2yB+)?5i= zA&fd^3A&$+TTtX&(eXgXHx%s=e>^=MI^K^bhp+U5A3gW>XJEyDLvQ*wwb$!wZ&o>S z*6j^Grh*;+Np0gD$oWucWAn|V!yoa>3KH7Vq_d}9y=kkPkEHjr;ze##d9X8M60}6T zWPs=F3vwfQs51 zM-1Gn>ku9UKr$ld{B8aS{inH_U2^qW!Rr3lRwzaNGb%RS2hK+#e; z(kE6xDs(&76wNeXX2wy8Jzr-HrKqxjZ+#qMqF0Te}E&BgAXHn z(Pe?+_SLm&p6syU;00evY{Lj#I<*}M;ur?c#vonxySwT&%z_hj37*Tjtuw0Xl&Lt3^@eFMJ0itYGTUPqLk(E5|%L2x|7xf-Mbbrh*y)4wtqL@ zkh#0*9%j7#>tE5|vqhl+RSYzk(SqSY)-c`43W`INw7# znq=#?m_;@%ocG%gx0qy`5=6;Blfc{zR~oy^^gTC;Ogvm$#h^}=V$62HTz+1B6Q)9f z)zWVzgL}(hh{&bkc*22ud|)tej3G`;DP^h{#vj=+t06j$=00-eX_uQ|FR;6&r;S!} z8NNn1lYwUVQm5pzIzvMOj0~Ltrm*Q_n4N2z9A-PjI-MT6ctG76a%FsN_u;hLy%R%J zG6eW4V#C1ZK?vwlm|0354{d4?n3Y}@UED({zOo6Nq5MNL_$5sTlIM+-g+hyYBcW0? z@}6Bv`EtwEoZ`++O2GHTyec3|O0<8Wh*zGxT43}@qc>jTK z;1Q~j#zCX_y)nQk>(?xP4_m3ID_gQ1+H28cD1*LC2}g7zN4GDNyz@(Z1mq$48+l73 z!vP6jE6Ikh4Jfp4+za@I61%ILr;GydDxJHjQGLgaM{G^^R2S*)a-8bsnc8_i>NQX0MsPIi@CACbGN|s{5a5J0Jsaa%77NUM=TLWZs*m8btl!6b9=F01x z>c8#kf8T61%O9HSAFdM3r)tzc)O8`*JQYK068FwgGCQoT>?MP|oIr_d}cJwz9+NJE15n1$)vJqM~K`9Z1heE-GaiFp5#oI`+k zi39pp|IqZT?T_L;w}DX_;3*}bB3^Wrv6#8R57z)1K*ghqSn9uT4|0xaw^KG2-c4}3B5Gyo5KM{$L;W=DBDL0 zWYli8Y7{G&pZNDVfP$yPI)p4}|WnpwEwgk2Lq?q{_ zOS52x3JX5eGo+r&7_~q|2g0E zaP@&?GxAs~HJO;SgOlCz5ndLGIWq=+A(euNo{YWtGqkG-uH!%Okcse2?XU4uW?zQh z$-9Zh*n0~s*(*pR=T>+(bl_A6L_#TIS-5UkQREu*IJOFEqPqPlQ)LzSR0Cz%TT3^p z)zz3LyQS37g=G|pJaOlbF`qPPM70rih!=PjwlNAYT)PpJNM6{PM%w_3ZNXVs>^r^4 z91VooF{TO)3T6wsbMP;P;kJ9rHV(1rq96&dN93Iy#hdrWb$;9(k5sC54^5BS?iC1s zJzIvL&%l{dGJmq+ok%w5;~q?+PU%^*QTrcX@}tA&WIVt-|L~P~LTXG9U}eX#OVY-i z;wPcFA;Sa;%F`)~38%heO9iERnxUfvrNk#zoVVAT)oXMtn%40?YcR(%&XvrrbAkpsc{W=!8ay*CSe|0Y&>U;{+J}T);wNgdh zvtxHXpmnaUp+VayBHxnQT7!7!^!*{F1r9uW2#2ze0=nYl0KfDpvHO$STCFg_)E00U zFS781>}1UEHPejfJu4SW%kaI`dU5jOF2)HF8yN6>MLz(3y@9ffd~keta{3a>HN>}n zE0f`u1Vb7N^T9IAhubTmYB3`Y1D5_yq@t2+B`o^WcU9@D&Di}K+KJ+3Jmf_`AbU@k zYpK2xoZK3YZFGDVz_0=r1D=HOyvuAUN@-Fsh)mZcNU$QYECzQ9c!0|f+ps2nzK*an zj4+8J%ptb6(VvD+RCq#ClwP{ElAefiagb563>vVE!p}Rx4V9FUN>O*loon5R8b)Ph z8OJZZvnsAQ@s*<)C$Ry0dqBa`Z1o4-on)>^(rX$2P_WjM{_^-*#w` z9o$_i-yUL@!jc`L6M}XNX8ChMnQbM~*Ab_KuJaW$F26^rMw|r%Rw+cuA4q|L7xxOF zWVAFSE^Z){sD2kiuY$pe$ZP=cyT$ljDdKnNm-5!vw7?WtR)EHw`8N(`aGNapMX9}6 z;l}B7SY%RSnWAvM4Eja(32GnL#M#Ji!#4$iRCDRpBA%{95NcmJQp5c6^*lmo6E#8K z5ZLy;ag@;q#*PLFWu*Tj+o;*b%$<^VC5|p7oRG06dqiQl(0wP+u8+%jna_rG8U@s> zt}yFCO&V?+jC4IJ6IuX_zvFy-hetLA2#;uv-NpS7y|>8}z(JDh521BDVDNU~Bel)8 zeUah7-4L@)QM=iBeIDZAFoTSmls>gsfXm?d$yLDqBH^8|3^?)j3QvFSr*gCcKRd{W z17`$;3?>XvHe!~zmy+|KRl)!j)+Vx71mZ=D#EkSt&n_^xtOcHDJ~6yT?9|0BSo5BU zjCn*}RawP(?BP|fW?k7cXsH>*xm!`N)deDxf9gohFIx-Z$y5xWrIL9MRQ6I^C?%~a z9@6%fM^T`iqX>B?X(VEvO?0uPHarSN6^b&0Bp0UY{725jhq;|BWIF(0v?{Z_5%EYH-ZDzv+nT zvgfEO#PqrtLMC3n#W&@(BBu|wC<$*6&QS6<9ZjwnQX$#t=rKK2$)WVG*;^ zX^-tUp!id^o3V>3pMpv~AoZQL8Ck;jx>=GM9S!E%rHI+xzTTsmTa9-bml6@W^Mi#q zP7a`avZ1L)CidHLnz7R9Mq86FW{yr;=NO_=k0cw#1HU|Jt7cBy#GTYtq)u;gV^=43 z{M1cu%RRop-Ua$l%2A+XYiJ|0o&s#DE8FL=8tKdsI8z|b4?D_I;+%|E|8ERp_r}`V z-^319KRpNe0i?W+OQ#^Mw3J71Q-lPvf&vm7@F_KGB-K~gVig2k%2mIu$id0U>^hnjn9B7{jtmc=fg&Wvzsx-`%oI3JPB35Zn>?gG5k zPzg4TdzTWQ`PvjmryrLwsUudmWeJH}pYAr_!8E17K}0u#h?Y!R z_yVn^FcI!sN@F!t&s0$@E2f1+SyGF3$_eXw;CF@n^=)1O!!8NC zUz7qRevdNUneQ-c9Q;Tm?;vybSfONt1W^(HX7T%NeZ^ENT)<6Q{ODOZcD)xrN0VYI3TYnX1Wh`~-DkkDP7-;Hx`scE~hU9BuqHf_;{ zH}_n#?1My7t@^X;!DxVaf$*+{E41vbbo!bkpV%Q@5gniZw5v$7Ip1uQ^vTv?DkGqo zHg+6ePAARE%F~cIGV3Hi61NvLiiZd1@-cjCl(w}KFI$*u>r#w7Bk4#K*#)Z<4RHF! zvN!@JzIS@AGmYV$n9cfXw!!1eD^$*WQ+pzU@UGAIgxZ!yca}L(M_Pcg^`~)AAn(!v z$ldi_VPUtwqEMYHWc>(7h=0)PeDz!4O0(-lH@a?JPlV?bCQby78%M@m2w=@lvmNzBFb3OBwZY>b@reA^N`m zHZX!wymbUpdWyF9Y;} zAF5kXTl~!8H?2Bg0gj|LeW%W}NeoJC`gX)q**;JkQ&vIS4rwQEI8k;DI>@#SBh$l2 zxP5!gn-PYFS(&ijdvGjBW+dIbk3#z zNTDKC#+rSHOqbC@fYpVDZPftq$M)P{fcG^NVhm-`nql2uz2(IP z7FYM%|6vitkX!V##$~$PrD;;0sSJ_Be7*66q76sTa4?2%a`XayS~EP`V~8f9R*Slt z)<2r%5}l}GBFFOQHIQ2DLOQ(<^wZ>)F+?0S?1vn4*4xZpCd>wuC)Sjmk%2>U6dTHj zeiklIP0ET-$OIqvnS20PAfL?+FxN>W)z$|3u_PN)51UcZO&yavDw%q=SzE8ICyKz6 z>HU_dFs<8cT804&H*3!X=5a^aK+~TGn;zpP@7i|Xjz0_Q$dyi{p==8S`a0yG`$yz5 zNl9Z0a!ix}+P)vwul<2j=Nmni0q7~8xQquJ4@(ILxtKs}KOEnFi~9h-tgq>B>yq)k zAR~5VM@*;?zyYvpSi{G?&y?Pzi+6K<#ECIR*&<6~8NSoL!aKTPv?cL`U6L<3>&xot#B=IiCI1gN83*EP&v(3c00w1!wi$ZmZO+>P>5?clFhr8CheLZc4`KWFMA-fe2n)#ggMXtArxf(V>%uwc{0AuY zzlzc`;Kk71SZgW7=yU?}p;efI6}e}`RK%BTj96gV=U7jST`#_-@FXMW*Rea2u`byu zBLV0Sv!-$7%nxVPA77!!5r|cGMp_j?-@k#=-k1?N<;s8_3IjCxc>45dMX;Vft##y^ zeJG-nCN85gwP(BNe>KKz;n(caqb6S1p+7)RlKve!q$zOfbqm{U06@vTfe1Jw_xAOZ z&*iE8hmgvW%DO|IHSwf&D=moD#md=!h3|9rj}FQ+nMq9(=O)TsE_8rmrQ?@p_{9Sm zDD;O?iIaJ9H;Ra4_y>Mr+^eLr>u~ToiV4XfZFS`8r3XSA8SpO-4hM*_{$iVMM)aD0 zt$!DUOqa+*){JG;D<5BQ>N<9%!I(u~Q!IetVJa3cGD52jHaQ^_+W-2Vaz=%c!HpYs zu1WkBM|+GJ)h8PtRxS7|tPiWz0iK38+QGmb;#1?NunZkVvSavcU|+eN#*>X|+YJ@k zRXv98#lZtO`6Bip-2^;~8abhB0ND=w(2YFXL{PwRRTIxP+r|L+R~k4}h=9Wn4g1-q zIfnA&0ecwozdFF^{7E~HS=1`U_ZsNOxle}qGDuOv6!9N1NmV_bYK1uorZtVSVYUZ@ zVQODeG=n%I8shi67-bpNjpPvC@q4{mf#}OBy~EwXKe0^o3kzo5YS0{E+p?0^9rifw;XJG?Y3h4V?j&vHmO1o8S3#}IiVhk`f|%IYyD#}>eWPKsMhK*pSbY-NICOaAMV?xIcr}RiVoLaaMs}LR0jlv~ELRxwy$%wDLT5nT zx2t%kPz4r>Km4KNscfwB8T@^e-R^JUUiIcOa-U3cBP@qT#v#h<{VqxULnQo+=NRg0 z?*fyANT5cX^$GA73%5QMtWq$Oy_bx;(NK{vqc=Q74LMZ>Z5V9H7j=q4chhe)t*jX1 zO%NKJg(Vf(qk-|bRgjNj?#^jimK0w&5HuyHxfWIN_rJGxcK1&Y#CNI4@by)UwrLcv z0dKC;nWr$Y(VDJYc#jK(On2mjiZx(3f(|whwmf$N}*}u6u1&&ZU*IG9viX7Y=D$&&B_b2Iz{{ zK@u5@mz@z4UU1C4bZ65s_OYBs2opV&*hvUsU`MO{OcScv1o%VZUN z32=NTKs^B60C9wgWf=&it3Pb$~)WbvkRci!a>za5p6sX)mNhWPT}q^ z^%4eX0zugg#eviHM|O0vEyt*&z-OD4g3NT~$vjmuVw4`HO@Uadcw>V>y(kzMnzS3BzB*`CCRXse3s`l3+{G9IDhxCm${xzC2n_4_7kpHf7R1fsnl6K3`Ag#O$sWcnkCtnz_4;=Gm)A?;&Fb|{#~$Lh zdUrdhzuu}Wy+Lz5_}+N^OXJOI5sLD6C@kbFs}3LaUyAi^2|$MG~>s5Z^|f{Fn$K5BPR21v?o^u08VKVi*yu*TD>=I^#vah|H#*+@C57RBitjB}6F* znk`5<3j>pL6g%EpGAs;*&f)lW)vBBVnVE~Mka@zeS0iWOQ-V2)a>k>Pfzh!X46M%c zk%*8_c3(LEwG1gZszpnogi_B5`DU6V%xux}o?@c*8!f(<(%VNo*edz$qbV#-Eh|Mv zqnzu@6)RAk}GlIgwN0S$N;e4YbBQ=E#A+0w+VEHtj=03I9s$@Sy2Slt4vGh zPikc{hloB9vGiv-v$$f{;MiY|kXql;{b4Q`X2B1-`n&Hreu^^2b8Z4Zc=m+_z@7ix zc<))l$ykL6qA>TrdKs3I@bG`k=JDakU%v~pXK*0Ya!5-`kT6H?RXzor;l4a?S+o@R zUtwL&NFOgvBZTz2YD$w~I7j>S6H?Me>FC334nNpX(Hyee3?JAxosx^3*EdLlA`uWR zy@XAE9~=!qx)ejC7sp!_1QLr2s4s?e@(fswVI%Y@g1#9o$HHs_j zQlr-|S~L=RAr z@t@-0{~+%Di#qqSYyW~?LK9{@$4MyZA;grYM|ox8b5njkP4f$Q`iH+ao>QoqeCcO| zN|7cHaygq-y`=k0+5?V-)+>MZd0~ zJfpMEz=tIO>NmA~wlC341IlF*r3`^i@`+N07m&uo)#EclKqEaH)%7rSo5t}6L(iGR z$JHj&h}vRWoD_iBa<=FQkT_*z%oTL}C$$az{pmZh>BD#lH_!rpKZP^#k0*z(R@F{l z9p7wZP|%M5nfcovg0sy?izjT4ggk^l8EbQdDxtQH))7nro&->ul&ePLPx)T)VEDAQ zl;Ny7-Mu*C?%}W}-G4654mdI%-K11QdvxW5oT@{JGaZkY-{PQPG4!oO?SDk#`=o}# z<1kCk`k$8wNS{05*g>d2e=6}fv{d@=^lM60O_a!^Op~c17zrvPcT+(Hp$aHKQ@7Rg zN39WM25DI2i&KnEfhZahiZwYm_9W27{Fj(qtF`}Xf46n^a{u7)mDoK!K07?xf62Z< z<^oXiMBNFrgThWI)2AHb^fi?G81*tg;?HC-voxJ1aygA>9eAgKq7E$MjV=X7N7I$@ z75e*Aa-ED?%D6$9gHYhmpfhrZA*R;pW8U)uA6UjCr$vshF#ypaJfk-S%3VxBt=v$i zBsjWgo&W1R?%OpOdsj#nuoLWgshcFr4S^)6KrxN6sKZTA`k?&Q(V{BdmW7?-6jWq6 zUqwFw=S&hjX)XhN0NG_BmhL#$bPprB7qoU1i<*SUe5q(r)X+He zDG9pTcgmaumHxW_p6^wiTR=11A%?-OY3Ji{hTRA>mqY4Wi1Gm;!=t+d9b$tl#W1gw zYEEWgi;>m}+hY(E&T@`+UX&fm$V-3Yhyl85u?w?ISZBnilFOg~sZ=)7m$DtDCz7`t zcTQLh{c78(Mlf{nzUAfkxLbhZ7dtP0+IhL6rywzgax@v)Q#JtEAZQ)MGi4sBM0IS$ zq6!Dncm*?6AZ{rf)8UC~ac5MCQao#koR+-Yde$(;NVFKr9wvnngb~;?%#WVknmZUc zU6+%+0ZEo^sup8Ov25=yyr$+bpIx7qQ(rylVyaOBlR(8}>tjzFEg?ggU(`qdOvxG< z?`a?FeJi<*5Rg(x}H#ryye5H`%RF&T3oK0l{0ndb%iYGDrq zg~vU&3J+m&56@4vgR*x=S$N6y7$ZZ2uo3zc+DS88Agq|Go)b0x2&jyA_uBFk?PQsi zk`tXw)=2jI1jg?HdxR#iG9H_NBCGg#Fu`G<(|{XIt7OLH1vwm&dIEaB?BYN~tJN9y z#{vFVz#MhZlC^6UI4y61Iw#j}rM#VRFpxbn-rw8fAOja@HySIPd=0eXleq^l{$%6T zVyrD=1S$5GQ%3C=&enCCU92H)?=UM+!p9;;Su&^!?hBse403eW@6Jy@rJsbNRZ4Fb zd837F3y&!bapQ1)2^bn@*1b48z~FH*y`&qK$WubP0;tTSa@Qm@amuDy3s3|C&j#?F z#=m!dDg~!G>27+c^0pxsgi~QUBMlxKBU~32NC6bP3BK|Qa`GkhG`+&{_fu9_l~X%r zG5W5cD5Bk+LgG{9CsX;Z9?mBv^xa2FKOd#n%a}{+VnCJi~{ziZ6-1oEXAjY+)ZvmDYj4{N#~*?JU9AH~u~vGh+VmOcbY2;NN< zWRk@vkp+DJ=?Me2@<3s2E-&$n z2cA^BepW z@a}FL5C&)n1rA>HU5c_G(>c0mA%R@RH4$<}U`mzk3Xo$Jcf^Vq5E{wAXidC~%Ke=X zx_14YqU6Ra^kVbzmEr*}FOK$FFOE*1?;I7D1)ADmKcG{4NBneYDOQ9gXc^}kYwsNy zb+c>7im2MzMc1eZby@WsSnSUjCH_uZSC|!#cK-dZ*6GXE$?4B1XUIJD7{f-;bix#| zc?M-B^V!Nt$Eu;|KrTj|A2?#zw?j-lQj`4A!{H?xi3Uz{f^X8JG0MxiQ{|%3>)DGy zOaKxq7XgX&MfPqoq-04GmeHvgtbAz6l5uGH_126kyx6H9`fC~+a0gd=@7%y`!>$hR z8rN>O>(Ko^+KW}p$S7o(agA|Z90!FZSaq9C65`ni`gbI=Qm~-ALEG;KGFp@tm*il& zATzx<`Ej?^LT0hDvZ8-B8sbTr9?D0@hbJ)JmiP`|l+k%ID*PQjLUBs;Jb#3`Vt{Lh zm~ea?I<3~qN;JL|OPaq~5=KDU%w7Amk!#wiKibdUo-Ye7eI6zHRx3e-CzAr2p z5LX04Y(*fG&?1VwU5HST%yx!j3=!4slMD`X14CT;C<_5*b^D#Z55;&$+qm%f=A$W| zWPpg|UG54Ay^^R?*Wbhci1#xeM$S*HxM}4u<0i=`D3>)Y3u8qgzZGJIfT&j(R*oLS zZ^d)IHyGs4wwtYCFWRWP(#pLsnu2CZE_vn7G-S5 zEUs=1%`r$}@3yF)N4^fX39Kn+->xb*s;EMQ7_(N9sQv*XW@p`NCem6Fj%^imB1;fD z*zyQNwmaQP*P})Nzv!&8%3}8Xhl^ArsdGhU2{sTjoyz0Ezs=$?_wo4!-c)I}cxtLV z826D|85D-%<1kp=drGo%z?(s~l_UKuBCfJ4dz5q^CEZ6!_fgV)lyn~@-A76Hk1Xjb zjy}J@JE`VGxmQ(u81XlP_UWZy+17Mn*eFPnoJ_SwpOJDorfZ%OCYyD)(Vam`bDmai zQ%@KfV2wU_emTpHAft*(1e))3FjLcV5~lS)Enq%?{Qe~T9E@&h-wWfP3Qg50_-N9l ze=UAiAQ(f6C9PxH0B=<`v@@Izra(xZ2O>AP^NW{PVVB zt><%}SZAD*gm^GFc+XEl=O-pXOXi1q_(pPfH1dd-94h_>6TT`RLAKYwe= z8X&V8S!vTz)l{*f4h$3RW*)-pO_kI!>JsKNmTtW=&vCqGJQ=ZZRyZ^c0Bms-j!F@~ z!-ThFl5ORftff|%uL_i@++hNS?d_$drDe5@Xm`;G(V-vuT?>4Hfgs6?)~Fl28*Nrr zr&g8oCS(|e1dvGFFs0QLIM*X^wuT1qZyYJ98>!h$S}7mSzsnN{l-S~_w-33$6B}l( z{hg?r*x$?I*nSH;Z;YV;U8))z3As$0D}mzC9Xmx&+FlrHG`4_j39|UCXN&%+w>;~7 zkT=0ii)TJoX&@u!8t?k5V1e7;cX4eP&VeQd@0uTJS| zylGsT(5h~5iB0JaPlB?Tohc=}0U7{OVO2Ie#nLpRMxL!HGMrWm%D1?@8rWjjF>=k4 zS1>RONYyBy2EgcfE!LqGzlV-QL+$T{YYlZt1XJ?7U)nLnDSZE=l?*O-pZ zT>j61%89wkMdSF0C!uhnJA6l5#C*95>%xc2VW>tj#J20x%ONDG|wssnmT5u1@q9)y$44MX> z#hy0&jOBk4J%B!Yff6}bggI@D+3d;ie+LFl^;IE@+AW^Oq$$V;WK)~+Oh(Ou&tlay z#&l+7=nrStzIW!kBNcgm9(J`cX0xje|5s+$R9_Xcs|`1eT~m+`$gb1IHHTfZ;Ir5@ zjWL~F8T!N770<>Nk*y~DY*wX+;C}mYv^p&!zim7zY{pp}a<)2Nk$ zHN&u_F+QBF(TgQ?-+Bulisd5CW^N1Z@4(;r9azZXx$U3E<@pE?$mqER%;fb#tXb?{ zfH>p)ckGP_(SPSY5YGdph1uP}nUm82<8Q;{W{*whZ==;SS=)qtXs$MB&&SXygt>Ux z!ugbJJa)tWWT8`E8)FW|nc)8p44mq#V%6Dd@l@T}hI~ln*`hpKd(ME*RG(8AGxTSI zegJFQAYNF>NaM_5Rg)Nh3(H!%$BM0Msa8+5u%%%i(#n>iJ=@ZjgD}(Dmcf}}ag*>5 zVW{XYByJP%d5jeOzlESRx@d}lqCc02HNYO!IMJV9xZ1F@4HNyj#p|Uyw0g6 zmOK2NxD|0Is;|~3Igg=`gJ1YL@Hbp7BDP%e~#AAg?eJI^Ux* zvhi}%qsiH16i;qLHyY!)Os(|j5$EFdhL*hR(7+#!!FBH})cMg(L?HBVH^s&A!=?(9 z0Z_5`_QFH-qOLL?nS|Nc;k2%8*AN2v)D~a(?&T{ zRzj1+ry-e5sLa3{5?6CBaF^dVi^V&&p~oz{La*6jB(lj_bmI-j2`c4LIIFbAcp?Lqq^EMaa<-O8Vpa+l3+VPD^v0t8yC|#5Cen6if9Kfg zZXN9$(nIAxYk`}|$jID$R2I7h*m^aXSxxN9!df18_O^>EN_n&Dnh?mXu0dnY8p}b? zukp!Y_qcs@oLgg+H?_tVfozR!8dT%O^%JXMDg7jsr&ba*V$D+JDb!722?<{m zSE4!a&zdqv{9vCZ?wyLC{Jr?Z&Y`<{1fqYbN=ymYono{=kiW11&^(5$YH7QZFl?k?RK1_!}jryS`=7`85xj8;mMzarMhf8=+PT3e3^Y|=#Iwjg$MdZ zVXyUr-t;~LfVq1NVAK5tNiBC0bAOex{RR0+Z{e0DCkyfQ#<+j>4)A1b*> zf>>yl46!jYGR>}zF>8{Vopd#oCogry?9@!Xa*()Md3YJgp=(u8Dd6m0Kkm26r{#LH zx$S~r!_ZprdAyAh@)^L3pTB9WHk+OOQ;;Lfa2D1&@oX z)m0;KBR{I+KC=;o7fo50=JjyUeA@U{{l0DhT`VVGNVgAnrpRY^?4yj1rVD9+Le7fj zmedL%Ev{AiRGF=SiUhZvZ%J?h8;GCa5?wGh(b&E z@o6$L&mdNL1^0BIabkFMm~hEkKqNI$&B2$-qDBe2K=dcW;f+wZ8(1__Y*n7z(;8Ee z6lMr`1y*z1_!qc6jZ!42d^x?)Z09iTJ6)BNi@!f z4hBhbN))vZ8HzfUd$VLHJs`7eP;1@Qi?)`EwuUl~WSpi}knH>lE zMF18dTzI=_)k3Ei=@vGkrCg+N^|o#dI_)qBr>%JmF>B3Zs0G$MM#!#toSwJlrEzIs zX+;ws7KqAqo!+H8y6|wS(vdK|WSW#Sb$ywEJ?$}61>HTHK^5Z>vs6Dt>8o8eYcjAuY;`5lLrB+f{1knJ4FR zEm-YC(DL>UjBokyxT2aCoV>lcrasU#4vNO5e%MQAvkr~ z`oItmwmL95=hBTXopU#eS-h)4rY;TBP^Ya65-*MZ5f=qHe4m$ug_eZO_!h1RxsVUI zAQW&+{%TMJ{8wEH3fePe9hibqya*H`6|DeLRAuGA%$O?u4Jno@`(NyzfIv=5ewkV% z_e~^A>RWiWTqS!z7C*&@#H>8F@~!P*FuDl6fw5gGbDNq{0A50h^*VQ|gUdW*@|ic- zt}ExS%;*&1rv^sPgw*cu*I*)s6B5r9d!2*}FLW_&c|PJ;&9@9a{2a1t_Rf9YDOz3hHi&^)QYzZ5#NcN zzGsj?b8i|Xe0tX)lcye~NEqr|g!`~<15_04$-tFP=w7iH)+J08;ZrcDNpK0`*ytZo zfUEKQEWsC&;Hlv)l;1gU4=BC!xg}qC7r_2iWp{parikuhgks5Egj2LvPy#BuSx`As zcMFE>%HJ-4G~U@id70iXsN|vzgN0`87;Ma}2VM?=`)nCx!*Am~JQD&KLQyC+WVi&Yf#B7%=` z2oj`DVlWb?W#B}~8>eNc%bj$ET$%^lKrYwt2E?~44)D>G6-YdctnnTblvWZ*}%NYDM;N9 zQ&6mqd89DaC}Wd4M@I)onXx8niaS%xs)b5EOMJEVMpu#jmFF+^zU81_@?&v0;fn+# z7?~SZcIocD+_v#RH3k8_2Mx-YkB-iRV000c9!XZoR*~5PwsVi>x8m{kBgcBj%FcbP zb{g|TtaWM|@`2X6&l|kY8@$gOyw4lF2iV}@Jo)~6W2UHiQhE#t&=8L8giU72EY{Rm z19p1$$;tQWW#Xepmg1yqRKmLC>nl>HF;#_!)>=LegCRlzIfM;Ho(97m>J^3_zzmZ1 zq91q>#+AckK#+h}AuQ-1_@XN>EFJ7_Cze=cfu+R5L!B%?Ib(NQrOPjw%+@z%Pel>F zG?{WqW7fIlWxcjwk3PtPB6tx1@w!w42Ga5qhkro#yhi0pNXh%%7v+@I{=Aaw#Q}Za;VT0$YsxetDd1#RrYh_D@F5&_- zr*vQ;_Tbn3jcH`gs$_~(k{M{skcu(W)HJE6X~qFu+2sJb)IIYDe(VEp7CHl%P}4mE zOvt(20!*Z|Z-ALM)j_}n%n8VHKcNjo(cc3vr1n^`o-Mp{ai%Hah+rapL?s-G`K*91 zrhr?+S*U<#pdL^GPxD8<@|}VDt18~Ry!Zq7}P>Ec>hZu5LUHEexg+H$v zpI42~tH%F5tH%5$8rqBGm}hW?-N!WZ5K>OrOCF13Y`jwbuh5u4$NJ*Ji(`^gNWDB0DoU^Tl}5u2fL8D-`?vu?W3(9X=>^cbZ_Tc{Lp4cerA)9 z!z_E(?r=PqX3SF%(+znFYHlN*LP#6%RJwlgAZMGbV2ZcMotN#s!`)6MCXY@p+AQ0M z){Z%atD>=Ws7@GCd5j7MC|l5r7_WI+rw%8vcU|v$XOoKy#G2Z-1ng+wxw|-pm+t9Q z_LRpPQjj^_zISrmd5LeFoxFIlv;RVOdpbSS?YW5D?fJMl)`~nD0 zs8exa8F(ar`+n&4;vl@4vS%s8nQ|`%aS+9NW=H$c8@VkT_CNRr16H%1bi+NaF{CK` zxpx`NF?dt((o#98Y(z2OGfnt2E;*PruVhlSIFAnwvf&Cju}E|pD32+gVRooCB%%=VhJ_>NwGx8oD$3Q zX?>_*rkukZ?CrJpw=+Gd(+f{zEJXWQ#>Q1$s+Vu7RxAwp;P z5EG~9jg&uy4MDZZvLPiFvSET^v!Q`yzmq0k?7(#tIZ_@g;e(j5KlE@d6-!O{RV#d_ zPlDE`yrV|1$VoV7%42HwyL={s{T`p0)2d?is;X7HFSke!bU_-00s&U!eIcbGQVyEh zJXqJ_32a_(U{?}^AiN)o<4Zrnrxj$k^r2#BH)Qn#`F?|1E zs6k`Zq&9sq2+m-JvA{C-$k-c=!bUP0wRKt}8H}npS0fF0yOBl)Hqu-)%~2_ACca}c zip0o^uY&MxPE!k8N|=6cW>Y2H{B1Q6?8cfo1+C?3d2wNb)l`?XMBj~FSovqSvwt>E zEBj{)wXuJe-@^VGwl6dLxtRbE>GmB3L3|z+Pkk{AfB;PSa01gGFA{<CG&qY_Im!g-{akDq39u`xs4K`s>)K%%UB_zwRf`ymd* zc;NOtEC*+GB=4BY(s|koewDLu=eansT<_x?bq^5`zE1aDrz?F5)&bZBR6i3fs{oq0 zN`+Z`cacjjv(G4mqFxf2R}<2JE%qI?9v9@zB0Vs+d+?%bJu#Th%YA4tmq7B|U_On4 zXC9_k_>p98%;O24v-02R_Xcx-(<^y!fr3K69GEKs0BEK(Q)SFG>lLs)-*q)Xh^4E3 zr>A}AdW>7hDByMIe3BUIB0h}jygWo3V(ajz^L*zeB|Sen*rT*^WgL3v{&hJyx8ejk z(`(6G%A0wr#LnB(s^jvz(OEyRC?mXMxIZAUBFSwsM>Tk$V zJm4RZqn_>T=Wx`SKl;p3e@~9$0sn{`)y-$A=rd3KZF#Eu(U}V5VCQ9LD}V7r+|R7_ zw_O0`z<)&U+S%XQJ=yN$aF_Ho`pjK_Pwq+v{$nnPzjkp4p0_4y6X<8|`a3R*df-3i z%J_22+3q}VpX?q>Lr*c6kx5pLG@UGbX1l-Rl9}O%kH~)8?c;WiWW$4*&tmQG$zO8F zKc-AO*lO=$7>7KS%rYQb1lKb=!trL68GT0_@lL1dC&gcgy3`z54L_>uS>|Uzl>^kqWS={Kuo{&m%rA( z9M-?=S8Jac^KYuMS$y+xc@&R=)0~+;#Qn@?e@{NcvH#c-aQEO@dzbbexm;$ry?y4g zzpFG$c;F**+ex=`w7;`e%xYz(vY0lsrpeI2GYFync4oXrd*2$J}$!@9UL4#@9rI(>>uaKHpA2VGr#>k`ORQ~ zkIQSvoxQ`|d=sxcJ)q;N*c*-qF7(W2hWmRmoWTd5hT-y0Nll((GstI#`+GCoM?V{d zvVJ@`_-TfKy9|Q2pM~4sl-K0=e_SSewzFTrXNhyetdea5xC=k8SpNO}k;3`rPAp!xV!PltA z;UQ3s6A{3Tq-NXM~!Qksrl)#iiPAT;R4y_tFK<7uI(|VKKt+$?psOX}~;+F36 z$DtElzA5ECTA`wx8{ub70u%v2mubh4y@{Gp(0l8}I*cr_GO_Dv`TDeyLO$i#XUU!T zIpe?^4W)pvxee@%$8U^~l?CzO5Aj8K&x!`mPdeEn*2o5Y=gDG?xjUc;;;|>TFveHN z(Wveh!Trn+M)Fy@8FAYUNGr_51H?&x?4OS~+<1F``{-b2+i^p6Ahay3VtmgZ-VYzwWDOVy?D}q^UZZ zMv{_=p^*aS$QfyPBkapUL6^twaC%e}0GK-z3c#l0pFq--xNVSI9JTGRy_b&JhDk*c z+cdZpuPwnSj<~8YjZnS?p+2C#7{_f&pbv(aE6fLjZV3LXLX|+iicnH|^yra6pI3Dv zTW(Gw9c~q%9w{0adrZYRdi;19f8I4CuQv((_@<1Y%=re&X=RDwYc?QtmwH-MkKJ{- z!iX~9=LlqW>UBnQ+;l?zON^;8OF>(&E>0gXLy7yts^A}H1@Hd=Hjs4O2@;7hAe4N~ zgV=ZKN>Ye7?G+G2N+W*6mq1Vie0~XJp_f21!&>+nNG{|9z6g@XEBUX2fdZ=hy+|@lcTFuzhY6;-|t_nbngIl|G?Sr`~t*we(p}|_dNL7{ohSt^WvwNJ){!y3l!?6F9D2j^zWg2oECzq} zbuKdN?SY$-* znMg>wQ??^>U>9vljE8Uu)46mc#{IS>4`N3%g}7|b_xU=w>hskVvHEb@cX6j=_3tUL zA5#PW5G}j7$_0A%bOih5n3*UbibjE)zKc8rJ$#F7ocjheW!>}nXN^1inZUjF{~R1S zJNwSwPurcJ^WOw48TN|8!pttf0bisW;D1B67Y0#&SLp0}c87((K$moX?e4X=jt&Z* zN-WWtpA~91Irrh$@gi|P8TIIy8l}`=0;)8T7mp$__TL3Dd4glYWe~;qj-Hr|qDy?I zAaqB4ho@B(hakFoJuiw}`IKy5kT&G>LJzikwlagqb{S0u%ci9sKc;FiRLhj^!bnO1 zq0_!%{RFcgQaMT0IIEiEoW?+x(U#VMl}tUt+YsBlh^*riWb$RkfFDbl9kGFEdDaV$y0UpsIhvXCPJmqOPxLlp z(pUMqe|j?L8fq?{%8ogmMZ9gKXFDVfaqkDHjn?I`;0Gv5x^5}fnMX}3!YxvgQoZ3I zv@^bsf~3TKAyHHsOvi;O3<_hSheUc3Jb?CLt9_F}o>M+Phoj&Nalsq`pGidnO zxzSWVB5NTIDJ))n==-h9Ac#D1=EYZ@9?-|yXcb?=*wSOcpcJ^V|IQoWQ#-uM`Sf}y z(W2AAh-5mnRFhF_E4~!r!77b*bPzw{WPj(Sc-mM+P9E^nJy10?iCzTZ4Gu?a(+R>M zOrc9R60X@Es-8KUmRFPm55D0=J}8>VbnG|4ZPkVbrq_mOE<~4X-1jc{{iT2(8p399 zFDaztWDPZ$NOFOEb<`GP>kqhb$(=fnx@2~sL}U35G97>!_4>+)aCw+gU}58)B{ikaS-Wa9(-~! z4|@1nWPzZBhduc-I;r5q&xH8Pp7a@wn0CUK0-JKOXF=XqWre049{+gMX>S`UD+PqM zSW9viTL#lAx*NYckLK0S2{^5sb7G-pE^+R!mbZ_8e%^f;og7;qjJ?q~zF|2qiT%M0 zp^<@~CNwbLkr*FQXkam)-6a-tmr&za=p|tSJfMg)St4IVS`dF#5otDJiik{u6^lq4 z@&iQV$??u^u6(3fG(|WnhJa1La1;k)vgQrxQF@$3@{3L#(Z2WDROe;7@WP8P!VAAY zuL&rDw^tb>yX; z&LBTs-KVex%9Ocz0)aCOL5aoOz&Ibk3Rr=8_yFND9Z89Wy_lfbU1(s<8hftY!UO*i zD?4SdqsbYF&$)-2!7~FclZ%I3;eEiMcTb)j93Iaz>RB|rZ@rsdJeY5I8P*fL9!^>cHx5>2pZZi>#ZnJQv z4zH@%V#E9K>RB|r<8a^){W*oW1hxlQB^HdZ#<}khA0F-Q?Cs1J-V!c#KSU-L+z~NR z%zGjh*3@yFB^7^+_)lVLTd;?Vir3B13OM1c#xVJgCIwn}c`w=MIPN z$i2HWgId~ab$%|&?E%9cTX5i>M6W3EeGl(CZuRh^Hy*dDm94`=f&Y2F+kVllQaZaO zVcwRg_aK+@5~$261KR!x727KDg1qC2EUC)wb^%SY(re1HQlWD(nzUqB+o{mFYppE= zZ}C)xW6De-j42cFks#lWmaYJo;@l6TSUD2;5%9V{h>+MM& zRjfE4xEGOF@){QnboeB)QCw>P_6|AuMqE791S{aPa}XUR5&O8Kn=ALG zfi-@PRig8J>dp@TOfiA{{C8svf)gl{7#1ipa?5FW0Z{H;piF|3${%1im_2usF*(4o`TR;vum zQ7#4`(g;K!#ejUCBM)+N;wkC6ZrN2M$xYQTAWB9|rBn?>s?|whvIb@^h*W*Aar%Dtd>a(Bk?*9xc*Xm@<9TRhV>54Bd%AxLkzpP)=@a1C9z)QG57-ot=V9iWj|UL zOUNF0?>ed_yaOXcu?t24_7!_P12%TwJHI~xdCr}G9t;M-6@@oaHCq?$otI+C;BnHw z&b)IJRGPDD$i~pfbyS&p7~f5`2M3hG?Va^Dl=Jl&4wUcpHJP6hZUsX8kGUeH!U3m^ zL+>4~1JDh?WD`@(yK-sFa9Svm>q^HHOR7e)HmptRqA{YO)cUkeiLFv&w9ZlLnisvE zSdyXYB*of_c-GzK98~=Vyl|;J(l&Lo@ZZut48*$l@en3N=>6O4#SwQaO_=hTOZ6C1 zW!}`|stCr&Yh|-OFf!d>0P{BDf(??e4-6DtLK%WQ?@mVI7gQWCgE7D?4P8)6M}r$y zZXx%etH$3P~4UZR>apPhMH2~YFc3Qtx=2MPpsh;VqZo|3)rPQ;nqPxN6!(2EB*8#MV9 zIW^l>6d@&CaeixdB5eogtI+|4z6_{k@iqKq0%h61YDo5g{jR=wft^L-uLlSxM>BH3SM$_0_1xm z(rD;;XHkE-mLx$<-l|$YhiqVJVe`3I8dE6GkoRd?jPdYy_YUj0Z>bp+2UfF>m52kW zgi=VAvP2AO_LI)f6d3$ZUp6ooQ!9W^gP5{Y+vd1}Kz+UwpOFV;Bp zjPv>wd&X|#&a*x7M-yhb-X^=^99H#7=+#MCqbs}Es54L9wj@_OTwfsBAjPc~q#q=L zUM{lGR*Zd@Y=m8LiP}GHWPMaJ3`!%uhuaWKph)!t6fM%60_ecJ!6b~l!8_Uv<1F-U zV0D3=0Vq$s*r3CU1u_<0T$1~3){;c~a0eSQ83Bud!VpvCVH+Pcj1GE;Et4tZvAti& zZd`H>4m!7q{s2+<9@-ITYpmazL+d_Puw_(FAr_fU{=oVdmaY{L((!2U_bn z3<%4B*)eF5fh4;_l3A9lB7*<78R7lf-O(`nYle06gZ%`sVUES4j2Q`hWrhslh2r4nI$2384 z&99%q>R{5sR-g(3V~rd6kq5#K^n+;9>v?#&aB08stg%iyCsu@2yP+SE9V#KCWK<8D zHNw!*ljw2<`#E%JlDhhCk-!`KxX9nIWFP^wVvvHGUg3I-i@LeNa-}Ko3I<)rnkM2X zA*#>-tf1L6+#Z0Qfnos5N1?~zduyl~Ln(+Piy*t6ef5#=UCPMPYUr+9GVCd`7RVK%)zB)2mno zs3bAfa1B|}&5~Q;6}}7_06r}@H00^&i;K@=w6U;KC}(*;M^jQg4kLc$kCw$PYYp(1 z4j1qvh|cj(GQ)F*nU6ZCg{^X;^X4zzu75ob6?Nj;e%{HaGY64+J zIfEfVSoK@0`X)tgc3H1}1trxK>$HJMu9QlyO$uAE!@Bt4LvH?~Srw)*5t`$&zX_gm z$LJbQIkatRx4r-3o)?U=gw$1j5J0%YW43Nj;sDnjRw`lAq79Km7S#|{r7I7OqLDJG zS|+)iS^kh}5G3V3@ec}?7@H(a8sd`6$0QbgIZ636k9!b&1U5R=bqp9gXm_|!ypAc zT!c$Sl8YyII-uNz*UkMT$t;M!)AA=8UkTjwAH zq(AZV7_^fLy?1`(BLzGiP+Jn3##FwkVQ^s)m2YpZs1G76`) z;=-{*rJ6Df`gjDQS4+0*R3qfTp69>Ag|Jb}w(H3{s;l-&3q=9=jo7BeaV6QS%77GX zOS5Zp;l-&o$>y@*oAzj+QVwumrj0siGD@hpJ&afZt^P$Rg+K@cQes^|+kEGx4hV!d z#6XrpJe!z(qpOS7EVbWE7H75-CvhjZl{!{tLdU-tp*6|SUGY2Y*I}6OZW<%VV=w3z zvwPDg8LCd@Qtnwut_~^Bj*J@p7+fLSuB7J|j6X9whEGE?cYrDqq{_LgH|r^#d4(7c zr{KGw$M$Y@fFLc0%EmDYUTl-9}mE8qEU_w7KgsqHE$j2gYs`NlOM)+8}j>LYl*u0=>RR#~)ro9rip4w1IaR z1~6BKq=ZU~1{yzteqS1J)vUv1nmZgiXc*wZ2?`KX0?}D#Uz~^T(Bor$rSYyL#}d4I z!EG0YDr4Kzgxh4$GP{3?*{VicG%`O)cr|9wWqT;m)HzZ{2=TToS@6^j8lQ|H)tTKe zK;^I|b(WCyVi;j8HIz8mpa7P<5!-%1&By5hgsyOJ1w%%Q#`%qK4O-Y{?gn2rofuHM zXP7M?U!o?@92wgklr+6N>EXFl)C2uL^aCUcD}Lw=F&s`PPb|hE%A1~-&jg)!9u^)< zE-uM1E4SO4_o&86f6KFKs`WU;V`f9Fsad$9;^vHyZ}GIykIFZ9Od)pK1w+7Upi*}eu|zx<|<-V>yi zv}CE0IN#BhX^Bc`!9V1FPO9Y9r&gZcS%tn{yk9|KkYM2XI}A>>D(e4-Cre#T9?-FW zftfE;p{he*raH=lx-q|qSFNY|ru&pYfvn<7RMR#=FY%d9V`&EvDITF>61y&$tuBRI zs-#4`&vYHpy_v9DJ`-k99$*Vj-d3(ZT0+mP+I#J)be~um+3H)Ym#zPQTq86ee7q>i zAJ=(H=%*q-h_~kUdzxpy6&L{_U&cvE3zg}sR5@M9!g66S_WDqzwb;8<_Hy5Ix zb#Q}C&aIMiHMG2@0hVi-t>Mg)GS06iVLmT7_hDho7)LmIT#@}G>#mm-_KwnXGsb_C z;dY-@@^N!IY2?*1srT0?^(g@Eu(Ix9bEtLuGtDBEMOeTD5V?#Icykq$he z;-s3V{UhnT7`E+tSE_uDC~i7?c!n?qN_f|yKN${hQpIoJI)&6*l_&R%3s;d8X1LEQ zu%ak%SaZjefmFZyZM*cdgCkpMm%XM>Ri>5P%EN@g+4bVYdnQmm_~ciN+5uMqYDjDM z&hu`o0{__%^o8$3JKfG<`>1_s5IO)~|Y|wzDr=-lL`e&8!73i#X^r zrpU?i&+;hd$@m9Z2$f6wIDKKEK3H%eT#(XS3!%~w=3WSGo%iEhUVDg(XXXijc571Z zr8@F5A9RsNw7S`1c`YgC z+A}^5_}GX{!t#kYX=!Sh&c45R*{hp;X-Z!LBm2D>;YT9Ihv zu_f{ga^pC3&_T#LETa2q7~8!Ux__Yin>?aPuEeD1&2VH(H6^)6BhI}mg<&3C=m7~5 zpFc9GYEODRwseK<$H#tu=)~5rI~a{nsjdk|$`6cA7J5ED=-qfw$JXR#wPwKYZSM+O z3RiO7ehM-8-e77GNt}U%x)dP2K+1)L*vF%&6ujH*_XJ&5l-`hJS`y1{4P>VaE5vG^ zILgCcraMkf4jE~ta!L2Jt`lkz1`M!a^DXQp;m<~4(e{upeHCA>h}9KgRYE;pHk|^_ z$0b6a16a?grLXXF4h(ayEG<+qjTwxWR%-${aRXWJuXNY)fiD>TN8a5`IfiP}YH8LL z&g|7qQl;6=?`OI8$va;-_oMaFyfyi2tn}MnjNS=&oo*0B5nV6&pMxEGv7V;Ce>UNj zPP#>(>~D9D+gm?&wi_RKRUIe2>CT=MH$$Tu5UZ!17^g6+iUM1?`)+{6w}9D>S*eN=eJd%8S^^> zJKy|Hp?x8(N%PJ@$t!#`=D7WS{tOhe4*#rb6l)|oYEHHSN*Vq@YNabEe^h4O(nppV5Ka*DNeQIBGhIc?ct z`=x6*wx%x}eNnJ!o4qJyuEyD(7}rgVRfd}W<0SyOUT*gO`=7V`$60&w-}L#;93 zba3hcaYbU?=V(~r{)Zh3C!O{Hr@=FlHXh(qs%D?(B>!wdf?#wr5&W7A9c7?wQ+6 zy*Vy^pEI|sKjekZyowaO(pdz`7x-D&zjrf-FnXa!z{kIKJk6NI_zXPAeuXvGuB5Iaq9NrqK7j}!`@H8 z6Jx?o66IE_tU`P=maEs*@$0!# z=0e#A?^7py@+Du)7vJw*8;bvH4L)SVg|C_{uA+KztQ}O1s^B zLubneskYm5T({|-x}r;WF}0T#-6W4gko)9rHHpWQc!s(-2Zcg`;>MS-kKewp5HT)? zMZM4;$E~R8&i>atoAs|*5{4iO_MiX!-I$g-HpF|Q$PFJ?2-Z|167*vhHEm zUBG|zAl=WRldMwIS1rqygJoG36@`#%14^inQlWjZO%(zo+8Th=+mSc$WFU!i>4ixn z)+pKTw1{h#!Xe(?q)M*W)tz^gq;JslybPFRYqsZOD}|Y5ne~m0l17A-xV37}+10ft z-#q>HyMO%mKgIWD&BOi(JBqzt*U8kRS0xK5^~<0T569fs!*{|?73pGt?zoWbXppk0 z0Y`lQeGWjn6O#o6XQcR-jbc_cn51X*tyJqt6!_=oA_bfxWiNd;Ix`xmnRNR~4ubd^ z#FV^rL4$&=gY~y$N`wTuei5@M)`L5Auj{LK)}h5?@eHw0GmZj~(&380$%*WUVU^x` z-k41N$#QV!;o5D)J($W|*_np5Xz5y(j290ci?!9|r6<3wt=4G&O<}72(HO&Fdl=Mx z$T5m=vpzx@R?;V1cB|J`6Pulu%C@@Dz~Jr%e+gr3ggIJDDh3nSOlh8 zTeCZAqX(^>H47YaDz5y1TNvm{d_#a-*^onfDhxeW2AXwB0=H~DNcAnN5w@%w2? z$Gfwhv;m0BU5^J)xRo=u|txHHWW%n04pTIYT-FSo1FYhS5L2n~$TMG)h2R6?0wsa@ zc{ala{k-qH7o#8oR*34oU=W1!#QK?wP?0~1ywAXXG!6$4aU2uhA^iL3@6vOFN+7Yv z!FHuVy_9uH)&Wd%I^tn$1}XdK+zu?$=G9^yne}U#8}mWtsOh?m6>wX)QMSH3`Qc z@oDFOevkY$ML=$M&MO7-k^g#vAh#V0$$~-(i->~)BC{nz0YiRFp#U5Fxb6=8i_v{W zK|*0c0f2}OA%5a%Z?yR@I@y!1n|q2ID1X6;oz#A@>1^XIG>J{rIi{}3R3CG~Mseu( z;<`TGkM28fGlUkLzKriA_@8(dXFK9AI+-&aIrp5-V*UlEcBT=F&G20Gg(i9qg*oPX z4*Pw?X@3qVvP6(EF1{Xg-%Wd#(t^A8QQ*ifQv^QowmqjW{-XQ#Y*)^`anC{h3+~*r ztypa9o{zuK-aU`R9Gmw%Cj6KJAd21I+j?){MwcXXJc@d9Um=iBZ9zdmL>waGBt$;3 zFevDkzob4{_2JDKXko)^P_^v*wAInSlF*raoi1W2Ub`Jbkk z=l958b8_Z(=e!d(ANj90iF4br(8MmJu*hUDATnD36foq+wAE9UTgjoG3{_h1d$1)4 z-4Bov^N?Q9p3i@iqf1HAF(`gw3;#Ub_ZPMK&(Ya)p90K7>o0gNFh{c%J1Llx;6i5y zbJ3jRG+{1Qw?x$k$SS;#f%jQWf$|58${-Bp5Jyw6r%N0e!W~5T9}a;(q&Sh6Uu?cXmFJml2=;fGYZ>mFGSejNyz`8}=b2^1 zDfZ%)T_N8MTv3nWe(Pd1Sz9Zc74SF=>J=@bnW!<33Rc^)45Q7r-_$&-*O^*fUi*mL zb1%LTS8gOO{CD1{VZ;M?FALT|;1Kld$cyi=67bh(HiN!%2dzpT)`n_-US<+=GTUei zFek=$XaD)Z(N@P%p)lLeJIB8|$44ifR$=b*_HMV+sy?o&N=+exP}AwCAP3LsEnE(Y zfRc?u9Z>u`ykO*Ak6pSo$suj;n+@n7js#7pjQ|HUy z?s)8m!yqiqaL*!&+=jO{oAf|HT?Vc3LIoUoFuNw#86szHbeW$B^-{m_J%9`lCE}Z| z!Dwn8&`GKj6+w)=*vjHp%KQ10RVHqst)G+MHgD;vm(BnS{wGuVRx?bm@la#Bm?`B)3QfaW<9_Su&%4Kq=WPu_E)mHN{lMS;rzL^R!zPu^QdI#D{K^EGi2Htg& z`)}879sJIlw< z%k=aVlF9b;mWk#Jmr0pPF4ME~TxI0;x;@)vVqRKy&g+cSv{&i*GhgLqCclx9p8qn- z76F`?n$SsNt{{-vxw614-^-R`{w@*7SZv%UN!0){Ip^~%nL*}IChf2E`@UiK+P^lQZ)}r`z*GCTHe{Oi#0$Ot$BTOf=_*Ov=m;nVy{=DkHbo z?fD@S^U|{OLuaJshf2@P03#zk17wyx12{3o#z|uC43OEmGr%n0%a&vQE}8+5WzT@i zAb4vmfBdt5*&Fy6MKVY8O_H!KXOrmWEVxdk_Jga@Ai!r3tz^FLZl{4#E27X)H1P*y zWD~H7$`9?I0h33!y=SOh5|)%PK5E2 zxU5Nt!GEZtBAkryT|;_tlGz6XtpM7M3N}uBjv+kaE6*EQB)Gtcq6O)6BpIz>NR%Y4 z3Z)ZM;cKpxSf>g$fXEI-7Q(n)&{yY^0ak}!C*%6yyOBE-fJkzGq+4_oOfZ5;H3l+Q zE^=N#Az@Z12Os7Pym!=wJszPQ4y_{Gz37AK--^cB*bWm-vQ*iFl)T&Up}2wGAT@OBg{5DoCNU zYT^nbu0prVpyYk%@+-8;JQg@N&;}B#v0st>v`nbWstls9$hcADUyLY38jjd`Fc<_^ zNadY7n9%E$>dhczD$fA8g6;#BxeEQ5OI5uw^dk<-52NN?q4kiS3}u2VKnEl9TzLYY zWI_s~fZl3%Ly7=H+==g3}-~&hjELcTliyegZ1X1S253;OaJ0hocR>5 zE5!+u(SV*eRlTd21?mV@!ARON<`*O&`kN&hSq`H_QE}=cQH`3voi4p{>wmQC|LeS# zAFK6$IcYpup|^K`8_uD;Rnz$la<5goKnD-|YRO5SwfEd8K?5X)rU9S!dEdkzL* zXaE8z^38H>{un90w2$_8_Ft^aZqXJwMO;r+R}E6uU`*uiN$JVPT@sAk2t!`jLI-+& z=Xn?YOMOz)LC^8uvv&7Kr+xI|XUL}S?!n2?R;R{&F3Ghl6zVK1TLr_Dzta^|zhq_k z#Wf*J)-VSXEBRM7|5p4Y01>W0vuZ}LW2!=5HDR)gFDq-qix@%Kp(qg)Op*Q2m^ z`+ZK2)&X#Wc5M2oX+)E=DE8wC3%CiWG2#^dVE~{2zEFYe1qaIU~9DiDRRF0a} zW)+dE)#k-U=@DeYG=O>FV3T_x=oq8P@HO#cI_(su1%Nj2qj`F|)&fFLs?D(q;*|_f zrv2Q!q}>>~OFtoYb|dIjE$WPZK>d{TNvaX$=5O=VwPjXIkGmY=2t;0~Mn8~hl>wW- zB}+u}49~PU9oD^pCuh1?H@;bb{MI6Qf&KF8{oQNmom!=-&KgeF%##I-;r3NiQPl-x z=pY5?UPN!5KDm<^>wr*|!G>tA;-Ln|k*m;eGPIXPqOcT1Pu&pdw>++F5=MYA7N)a`d}=9Xck;8A>es;yN(zO0&#@tul(scZcO9`xD014F=VzRYd&BX#mAd(eVW z(!>lv%HkpcvVB5!$~E6fQH_Br!%ZRJ$@l`8=9t(Xc0EjTh+>Y{<^D{O52_1-Bx{@qKa)D z>_6Xm;rv+Qmn6=Dvwue|`i}LllUB)$GP_PO#t)wTPZzb0;T*nWkh=>hw z#40u_Kst&kFA0?s3Wz_z!^Rt+59&5Px7#S0VQWDTI<1_XHkys*27ESxN>hHE{Tn{3 z4D7ew*kSviLaa)eQEcB(ot`wrVd#y~DS%tEy>oiG>HQofbUytjkVPT zl1RWmr9h+Hl=>a(ia~gT8aZrqWM2t9tMA49FeSaO&?xB;nPaL)G6JG3PAl(qX?N5X z=m6u;znq61Ps1-)fxsZBa=3n3tyU!|wN%YmK>aL$%}MAH9~|y% ztK}U{Fv22Z#!fA1fwiy?1&&Bs2&pt~iq(+L%TDLzu@NqL=s29FkKc`?%$a){oDbSF z7<9UBh4_5m-rMdR64D)oIL>4d=ABWqROn9_C>=Zev`jdsWpaTSd9alg@&&y{=_H!q zdq2F59eVDF_gh1^7X}1R+i`#NE_h4vLp9mKO~Z~F3azjkfek%(amP2_+RAT?4YF9H zEZk4tI1=jHoo74k{rskx0E;!u!2IOR+TQ6NA00R+&rbG_Px2dPgDloG3-^;ZZfAez z*y(N^?Ht0NU%Nl&w=V;=SQFFee|9U6JA2!6HIx89sI5rhPi^kWVfVOwbUeGc3h@5T zl@vaCb36RL_z?xs&uym#u~-95)IY0b+Xq|E4i0{r+BOAquhvQAPu{+ht}gq@%lziq zAd9um!u_)buYI_KmFP|#Jq>iP;ZxXuUK0=7M|%fHGny!Y?%71f{>bW%AH&?UeT4kyXxy;q9`9`7+jCp( z!zqfl4R;Uy+amC1jb&jQjr@C!;h)&1&dc`R;cjQTc+o)jYMsLV_2N1>0EBw2ok`(Mh`LntY#e_9L!kw7~)fJ(&5{83Xcl9B zZq`HU$Va<7dppx4hl03|uFR;PTlP^}_TAIjZ3CG5x9+>ApWF9Q+NZ*obdI;$`&*q| zwBt`xyb2KR)AC$OpS$5t?1t{~(eBpauT#&77~)r5Kbmyn5j?TI34_d2q z$#?)IbI>aa07nkrMq&y^UP4Y1M8zt!ynur^Mh-y7?i7WBI~Y^I@x}!}Sxuwc&^9QA z1?*y2z+1Z4XTYzO9)BS!-5)!U_0>&$q;qVJteE-s+0`tC77_;hhrj_Dw{ zKwoe_7T&cV#dtNB&{`CGkwz_YkTo zgORAbU;DaT*(~3!h^tG#cS#g{zQY{4;SKT}v=>;#z3>`BZ2J*iLt>@`PNe(eAfoWK zFj2n{RZX$ls^Z@&T_TKwaV+)^oEN(X&z$bbv+l9F5kU9D=mN5+2Q~9jLvo39c^pLk z^>U4xPUHYqP@=x*rE~Ej7v1Bc2z_+*v{fxt6=zXG3A@Q3Q7^b+5MbcGnBw>KLN~&= z1l?fZhS0`;h~^{;n`i#0IYx~0MoG$v7F`ql1plhKL?xnT{aqMABNF?ZV>njv7H_Ik z*ao^X1Y?0W{)IcDTT~$~KHMWHUM@m+i2NkGO<%J2<4e5H0&5HPHOzzPn;C5S-< z{)jFc_WDU~5^`Qtj5$)4u|{!{@Wro}Z>R#IjsY(98t{hVMZQ!&%N9?WYbp<-L86+Z zJEJ6LL|NVdYH1gIF20ODs8}R$I?5{+bM&PdeaH0Wn9~{Z$=?f$LD->$O(CV{IU}Ror>4G^SlfH{ROY^dAJt3Jy3IE_l)j? zj=U=jM~#Zl2rtL>{KzA9*~I`TeJ_L+@c&E#5@mkG5mrLd%K-Qts$v+#B?v*pg~5nbAwBv=|F zwJ)OFbwRsPjEOSRt>ml?8D5C*FhjG>qF^wIWn`L>JLK>vB+7uN*Q8WBq0l5r5FMIx zSDp%YL9^8*UgZt}2?iR*MFa|Sa9gi0~X04S-tv{Z#@ z0#g(P1BlcMQlp?ek|urBr@n1GX{k0=y7RP3Sh|3S0{qVb}S3_F;FeRjt6%b=ZBzuOg~3CN&P4`Yw)ZaHn(&TT36ntzve+xst0+AlgrhD@R0|* z1CabSZ6R_e*f}~nI1;aTmoIh?UO3OUUzhUta(Vv%^nmxtsep14 ztEqwEzGQL8lUyXuPGZ8~o!|HRD*~g@sU0{4AD~JD6^36Cq-lGj9!hK`*TB_z#Dm81 zuw=+InoZnZ+_xjf8tH{JO+a+4k_gsaLr)6OY-dXhDpAZt6`dyP-tS^nN<9g-W~!T& zrzw?@4Js|uxKgfsQ@%^`9D4GxmHu5xB@n?mjW%)+Do;>uRGunDC~K~<0G}jwvuodM zb?Hu6Tx4(+u$t-`?&@MD!r)&xd49n0RO6y{JGjfic-N&2Svf57k%!8fQJDnFU~{Z` zaaAC#BRNIx)GRhZjReJuE6T8!9}8IFfHTUpd*(1WG3?|t-ykJfKLq*O(>-W3pt7a} zw^eyeNvh40_UHCdw$ix4 zgsTP*35MMpN-L9G)?AEWC)^=)g#QN+LY4;!d=Um$FnqYn267l6gbae*q-cfWlX$MK zQ+zY_G4SN?6St41zn&t1D;MgbsI9sFJFFXpvePSAM2f-^^>3NQKbo%O%F=qWp_d!E zHo!Ww_9Smd%eE+_Q?>ek3FBM6PolzA*1m3?R&Y+07mY?EceIh^yb$K(P!R0U!@j~&CcK^ptU&>ZNJa{a(ax7drj$As5V{zE;x>?L z=75LZ9(Wq`NQJnB$@eY*O_1y!B;0XFJHe5_?Za>qQMf-9Vo;zVK7v`cv{b8cxIx%& znxjPna|-z&{=bI*0a#1SIW*K!Mn`iaT1cz{%6TnsbP90f_PMf|#ESw^i0jGPo6LYA zjS_|PAS@U5&DGN-_q0~cS@BCsIWNEDLRR758lu29dkMxE(8#p$a#gBs%B%vwE&Pws z0!m}EvkWM*q!;*lT{Lr54pq7Z$x-dtq|&rbW)xUUeHi8IJi88ZC-MgVqYHRr6s>nH z(8^|k6_^W<6k77HQMAfQN~TqkqZFAG@2XY_v#xIIc=KFeTv;gfw{&YJhm=f zd}Rf+{UdjDfl4t)+8e-T+zX>t)jjLM0&;Qb|NHG=I10wUhfzFvcXfU9M^%FEc8-rb zN8MJn{cLNy^Zdn+JOA_3?%w{v;r}`69-sXD%gbN?SA$Bb6|0bnMMr}6{R=;a@>kcM zeDn0%@BZ=M|5QXM2%sXdYms22QmM1`gP9By@Vfd>ojndqqw#l8CVO-%?{nJN%dRs#@j zSOS*=d#nHcZ`x|Xc(iw3itie0Z^ZY)3Xp{V%;HPZw6{^BYRiUJ>!YgL$s57cDi!&s z;az*`6SuU9@w%^)VeaWkYErjBjvZIK6@5z zNP1O1o5k(9xC&7v2n7dp$7NIz+Zk~kkRcWXfvelL`k14?nmGDMw4P*iOsXQHoR@wvU zFrd!HM6&WVWu~6y+AP>NDuV`+cT%BKML?R?bs!~b(T}T3?3#5Q?6{x`bRKb9<%;}H ztGvBYw9L>9+^T9&T@k$tQB`a-AsZUb;s}4)G!iY>u$`#o0Os`bo!!nj`WFFD3)n2ct+#>?H<$X|v$!q8)wB@btQ--(p}rfT!`m*erYGE3MQ;yc(56?yFx zxc=Z77M+U1UOnYe#HQA1oEdv*^=!ALDV|PS z%F`)@0-f*5;I`^0rR~kOd z$97!tO=Gq3jdVvsxYC8`8~0-WM6@SyK<|J(X?*uje0*c{F6g<^I!BL`kV%b@@m+GW z3GlC_M}m?Ph#x!cZQykiLMA0JyF2?orKnI+0-<6)7!WE6&DJ;~mCaHqz-JdOgD9rO z7)Ex&tMaI3uX!{j)_#9eDkm>t=tl&s2SkChm&>IxXbosBz0LsO;kkbvZ;13;q?Kj8 z;Ym}zgptPQE2q$wAUV`!j!D0W!>2JgKe5UdHS1XvWTGJyf#$VFY5Mc3QU^|rbh-MM*B3quVOiX3i;w| ziF^?Bvqbp7b`bLWEWs4_Q6WzF^^jP;CK8og3h~Ud8uxwpDy@I+qis48$89p30;^({ zQB9hza--EKl}@lt>&X4D4i1lZ4)$N;hVm7l;|I>u`sE5p-AivUmYa2Uz#>;eOkH8S zCY?0^^v?(_og5Qrl>m#ynHO3Q|8Va}7m3KGhX2&dKStRWYO4I-vHagBK00UA>+IvI z1I`=&ZE2Vx;&{qoHEm4 z+NG^bq0xG&VovlljGWsEluSs&(F{+Z=w}*6P4NUwrIboXyo{22ft+AtxAzv01>})% z*hoaf!eWpG1DDz=r((@(k8Q^dFCw+S#0Pvt6Lu3(^VR8TxqSNOwDP)%d(E$!7u7dq zNmI@k5I3i#ph4eRV}lUzAr$g3ltAG63bDR?Id)0`~6shJ4S&(iSXx zt7}ih^U(7|H#m>4P@FtR7Z*ACc1FDhYY=t~pW<)YjbW~P_4Wf66!!O1_O1c? z?c<3eUi08%L~;ex&+o8kzoGL>x!dVE=zOCdh=^M2CANjI%KI3-0$14+ieJ2&`p05L-1ce$pv`s!U5x#ML}%SBUy5}^U-qs8V&vW{T6A5dx`-Aq&H zDBMJ)vq}S*{+keB1;}^-NlRZWDiClkg)u;YaAAd^U zOl_&!$lar@+^Cv7LBQpI;P+zvxTMriaXC;uW7HxUCUt!%e&q}TfQ03RErDM?J z;A>S9s?uEux>ke_%!WhO!OOZjP!{(xvEyaYRG73W`SlwG@_}al2Kp0P0(1uoahmXN zI2n<9ym=R}B}+f8EYnrX#I(ZMRnD&_w;{}I)zhFwZO+q6Q*&*-J`y1?In~xt0d>sltD^2nEadTt5agG10@>S4h2QSgMcqE%GZ+c2Y zB4(y1Hx!DdW4xex@8QPhUGbrYy0$|-E+xaJW;*G7Ik zte?E3i(x1L=}kiE<)*gkcz}6s^ynk% z+ja`RF@;Y=rl7Kk0O$?e8%G(W6VROGYKbmM>&;U2O$Gf0V2rGET)8UU&Nieo74~W{ zi!HxVv_kKlpG!<-%t_4~aXsl7WP_NMz921h6zt{DqVzdwjs2bjdnV5yqmmY@4L)h) z$k*Ajbux43q|03b603I!+d!CsXe)AX?_-cJ2AZ=JDXla?`aLHuq8O<7XHLxY^(Rfk z&X|)L8mJw*+-p!u5*MJ7!e6BPAX9iSZ^?LdwV!E#k-7+-G=+ug5M(PbcPjwGo42fer)!o5 zKj)VG*G_NPcR+`;#J*0Qla79i(V&vN&p4-az4mMZoG>T$AeL_U3BF32pF;QW$^NcQ zfs*E@u)q7HduUUjr1>fI-Z^pLkXXS@H4cPLF9%>z>TwVZrc$>6=A<5agTU=O=L7e` zAZes7Mh6OxvUD(YPCEGD=gFQq7&2u}{Ju9H_-Bzr8xmM=^y0rJUV&YbkF+)?a|0<@T<=%sSzq_@4hi|;BJbY#jx+7a}%gC~e|5`sVM zo+}2Lvy`@}o3xMS#&VwTwqJBDTuz!-awMYFc~|J;qaBm;>GzztNA3OH zoo5CzC(MZ*fFdytFuVq7!0Bn6m%Sk6$!G>`8(;zIO1I9TYi7+WZ3B=CCN9|}=-k>A zxy4X(mb0~GklWgt7c0%TTZ?dQPeyby@Kw^h8l6?`7jxH}m#F9_a`^HSd=AfGu^Rhh zFSC;6gMDC0usrtqUT-i*X$thiOZ4&7J)W;fhJAomI_LuAxcxr52+Y}B3+JKhfX{R5 zcib1Rj)A^V%|=7m(8peQ?)I`gW@gSw6;Nnt&J+2Wy!mSiJrD*#ib-VRVj5yN8TDL9 zKl4Xf?a;`aSGJ!0o6e#WiAo7`V(+zI>})w0P%I&!)8=m%y1F<@NP!mP$S_iAg>@F_ zeM=l$2CTg7`%=CdOe1_XxG&v|)vW+xA>OhHz!ovXU>S&cXB8fp;Bsn;sw8o4Zrk5^ z-sv7YDV^0ypI7tk{?>$%I`XcjZ7?jD`<79_v{T{k!Mz1syC5a5L=izFcV3%j z(4P!46*N*8qmy5~Z05YYj1%o*G;u8Zy^%U^?_tmmXEKt(l+#*FUiQ4}Xi!WxlQ-|V zi5vENK_AuHGrS^|H-`&h?pcP81~;V)4YOz&e4d;~nRD((&r#9IiV16wMN1g^qeW?nH(2t!EYhw_!(&yGsMsFRo zE=dcprK#9ibI)ZAd+Eqkl6S9`EX>PaY;~4MSv4k;J2zdtC#@u)P1DMmdxVPUrE=yy z?GHT~jZ}lp zWF$**q?tTFCA=9#Hn%8;UMh3mehBiaXQa+8Vfau$^;6mzC^vrr8BuU5anI9^sV5!x zKIOo$anWU(oRPX19lRr*rGu%9uJ-;Y4xH3#n$4V-V{X{g8+o{kaA{+4)AaIkfEU)n(&tsFoW(2?{XsCcJWZ_h`_OVIc5nef zhvN<3lWL*YVHReAeL7y@LftU6Emz6&a(I@?f)q--$9Mu)!9P{}AeD>rODrJU zo#*Y7-D3*9+ZN}O5petKzXv`IPZ#(leNEsi&rt-DZC?*N z0nf1@CFO4cDbjNSzKR_lAhUf$|6xZ2_{{ndV4Kk=0RHmvK74F#;eQm48gg!A;bH2O zY<2oM9fVISXOOXu@fLwK)KiUSp4dTR=EO|{nnzunIQ3*G4`l53@{+Fxd8sT+bn%&k z5Ui{|&wwA+nFMl&JX|1l#d88=*_}h=_yY+dP4UD)+9VFYiY&Cqh55EsgGDU6C}Jem zEM&eMQxvu&$fgyVfO7J*>4s`=Z4n_QwP{q-%N*n4jS-H3q5bmDl=6x_7?>cr>LZn_ zl_L0M%6cRrKXn{0x~F#fhN1Bvi+B7gmpS1Sw{-MfK7FGvvb~bm(%xV)K)se1M5QP# z14|KNi^0kas>zo%W%z~_1b>oHvvU8S;0k)wx|^Y#orD3$$vI6~(G> zHakai{g0g@bx&nxFZCc~lAoPLCUVX-pZ~OZ=Jp(Sa_w+nf#gS(gKl~9Z5Eeb5E;og z-TsI!WgKfSHm{PK!N-G1NH6_y^a{ucgUQ9Ej$lu*N1*D#xj2RT^xUx*(G{|W^@iPP z&Leh7_{!W@-zY{KKhv}I6Fv}8t;jEqGb(98vi#!YqdiDD+T$Mqg)FI7=r8mI{=0vK zgpz&tUdQK_uXLntjnd;YnX9B`{DT|}s&zREd+K@2%W^GsSGiSAg`5%=xZ;g6D7PHX zsFsd5l~B+Ts5G!fhY60Z=5t{ySdGlJX?k(5sp9%zQbLR(VI`C}R#pMlx{+RaPoXv_ ze#l)?-k$r`!}=!$&=vNi0KU<#!ID;9_Zs8g3^WO3A(2I5HX0i)Qr$9VZPUjfK@!Ag_GhkO>KX`|#4 zgkfHQ7DA`V;DZqh*2_l8C5R$B7~O|%8gm+XXiqYb(c*=q@Mje@^5XlIfrz=pL79oY zVgEk;ltGQ-+B>tC-CXD`#`=g0NRVtSpN{QE~6?J3+Fz(~Gz_GZ#^q zUEE>}ok7hlU@|5FOFUyQyE6;Opw23Q2JrrcBvMz;(|nT z@QO*ZKwF@{^HJw2pwYi~OA4qI7mGV23;=tdhFQ49MFc&+@d4eJMlUW1!=#O(dlh1$ zrVF^43>O>^3nQaq-9-1&Msx6rNzbhs*(k{tCYXDQTA&sIckC}h!~(Ynp}2D6*zH|5 zqKn~R4q9o9EV)S>keFJCqK%Xx+Pi=)`gjqFCPtPV9*(F$iVM(8qvaDG2mUBtn6819 zCA)Z4r`8fSEWyBAkY0k4LvVbv7&Qf-B}L(r79wU~WXSbB+*&VGISVC+AnJ9C(MvEg z?LtY7i|#NI_@Fz;cDJOfN#qLdg(}M(#Me z3>KQPHcpo0qVjK=?2F=Hycn&ZNbW62shH4Yv^byHI5{Ngka;nR21=G71%|$d?94&T z5(l-WKJt4D(Y0`LNsc0%-HQ@6u`*<@Tz?@}OyJX`SoxiwlmVYdiZ_(^A)3L=kmv3A z!n8AJ`Ge%e3y+Xj)TfKoE<=E|cSl9bos(7`mPI!5JO|%zo|m8vZ;`^=z~|8-%4!oBlk+M*&(N=G&^xKrSu>_IB~j2b7b+ zFD`0)d2_!q62vJZ;l-Et8wrhAOdP#c2Hy3(=v%l}5&w1<;d~Q1O=j_(Uk*|((M9)v z`FMGx7uyBqAmtKWd@oppSxA1N9bo}tF7bO+dsdAX+a2a%<&&L%kC;KpCAiQ|F$XD+ z=z{yjJgj`Oi|iV6kn)HwxOdFM$|Jj&W}kzUM|6>WWCkUV;QYJE6ha=c1^1MBSb1a@ z-C5?MaPH!r?MR%OJX!(Q}+IQw*<&wS6?z0#-w}=Jzpt)#8 zgcsY179i#kUt~X;LCGPw&?YZ~Qb6z?d($b%d4=3#hgyVLID}q&pYiji^!0)@%_DQa zJ!=7Cn)sqS*9?k9@NKY&wrxVE$t|$C?4pJV`MYQbpD!NuuK zCAX-yor{)Fcp+^&4=b1Kf~s&XS`p#JRN(@|JmQO}!Wontf(vPr8I%Ho_fUnWAmA`3etPV+=e@^HM*Ceh7Va6LCY6Q_V=Ke!s<#lMAUYNP_9gP`XQ7NW=)1>}OB zzYsBm*QD^0&YS~bfm#HB>LNre@C+fGYAQ@XG$%D1CquF)y}FJ4$DD-oFbm0BHlGCx zuyHd*$OuK|y{oBY6L^ahUVMud8LAXQ4l&Y0;EScL-21qENa`5V7=wZPPAn}W* ziys8|oN5pb={d>RcrDqDBL8B9RTF1k&qV~hAc#-E$Dud$1~)+I%>Tm;fiONh8;nGE zGCJsrr;WA7Hx2a`r1i3-z8^`qD9e@i=J@gzO3|XLo42<%E7;GRX9&o9g9RkiHN*5P z=ovC}X|I3?-|w@ZNY4;Zyj4I$Gh^lnb-WsicQM}qOBm1ICoc)&_yE#7Zv<;1Y*YnZ z{R1{pPu$b9S^~z#145BM#AmM6$eHm`U{4;wSh*K2a+bJs-{Iv?po1`ccNQqR{k~66 zkK;{Q+{PmiKLq|xJ;59Cz2Ig%9E%=sMidM^isdV~)NvS`4SkKZ4~EYj<_&_b!=Tbq8Jf0D@EN%oDwV z=Z?JoI?!{^VSZ4l+ze>?*#v>k>FrcV$G8g64H2Zl)MCE(`Z)F8RG?|qMyVnnR=%ZZ zF_6~6tFibOe}?W@RPpgyhaY8cRepfvb>s?$T5lnpJG|-qo*Cu~e1w@Et%3}C>>Oqw zZ0nP>4RMF>Khm4F6@z%GDpqx&Qd}X-T2-uxCt~dzvG#504%)rN?~uA;DZ*Dsy&Bd# z#ZQ<*1KB9)mc3b;4BhChSpCO8umZ!k$c$9o2HnVgN&i5;K1rUdd;^ebE>Od;1*JP- z_84PVDs_C}W&2+N9q9cqd*ac>~P`1X2vD<^oH^Y`OuS+)gsU+$v1y5>HS?Ufdx4T zYP@JJ-Zaz&XC7Fgt~*!lYv$Gxs4kfE8@yrb4Mj0}DQBziX& zFkw~%-qED#37sZRsTzLY6K~$g7Vx?hdcRNTPQL)|?}gZaXE05!Jn?pfSLV;Li2*iP zK6-k^ZO3Yet6&162j(5Q_6VB0egq`QqPhZt0SRFpP%OAqB|jR%_`(krktu0*`I^?) z5as7}@`Nx-3~u&m<+OTw8lGZkxDr3*>t4O34ym+%`AJltbzbc3!(`)FP-XWtJS&U4 zs`!`r!fL|4Ny!zH8kS#nX%_dwyR+nWzf~mGq+0R@k(bWlR*-0?aZ=T)itp7tZ(`(y zwFV%RaSo}A{Q9X~E8%Ui>b%z1-0nI|f#JoxK z_z`aU{6c>TCrSK5;A#e(O-e2;Uc&0`(&8^QGeY?^XKMWGU#A$v0_S!zOJx67OP8gn z`CGI5s@&WVQS%Gn_wwsjvotPUV8*N8zIeU-MYCC2hY=W*Fun);iJH}d~$saa$l8CPhU4rPrqtjV5z?~x%3JojUWq) zAC=Cyu=SZp5(6u&3Z)uBRo1yy(`)o(Dsd!z#DENo@goPc^;eMe8Ybf! zfIRQw3h@7wOVAW-8z}uA&QnssV72xJ{RnmZ@xYIlFmpvv;)*D5mN5(t$vWtw7GVrL zoaOM}i}-Sh0AH=WuBoc{koROm_~KuRH2nDb>za5^Qxj|2V)C#2*DA>(3BNh^4v2{* zt38T{5U_|&unk>Gmx;1nRNGKCWNih>)%MG0iK1)@wH_PPP?JxK=zI!kUZo`7z7gSCeuaA!S|8Y*GN7%SAnNDYz{ zth#4j7}YFIlxs|?Xv0(h-;H5>T2&BzkHqU`sseqr=)WKeQDB1*MESaoe<;1e-|MHk z3)dm#f|FE7>Lk^fD&e>FWumygjO*1ktq5EmtOvXtyeLWGODkVX)d%74NL{|i>;Ptc zT(lvXy`$10o$kMTU!?kFNd z8kP^3QR5PAa{)3Pu9e&~;*CMHx&rKY=Jor~6)tXxH7L)ckKN*QLmfH#zpGYTnAH+uKyv$W?cR_db8q_ z2UeV+`<_d?Yr-QdVw5iaFE`h|zyCM-7p&0;X6Iz5&3`;6444fiXjrE>FPzHP?hTMB!Vuw4_|(>4ir zxDPswiKXe!5;OHJMINqE+SkT-En&*i>)X>xttpJ{#VPME%w2^WUcjD0(4GR7d-x4o z2hoCpAD5MK4~0-kKmzlhuyzlEU`?icgDI?DXHleX&y-ihlUf>^=-ugxVa^KXKY^Mp zK_wm|28*2*r2`#O)F~Wxc6Z@J!PoMqsz*)K#hPlQ?rb8e_b`tW3C5}*3>ef2Pr#xH z$Z;UVYnX?f(;yt)Ey${rd05ITvbKk^0I@AU2xa75$La2RERJA1k0m|kZX=xo&u}Pa zreN&^k6Anrp^+QjtPlsu+kGpNh&-^Nh?yYVox_9f&P%6zaB{TOS&?TOKm@8QBUY0R zj22oSk|dFU&szlhz(mp>t0UVc$02>MhxT4ru$h|h?(F_8koUa#KZcl|9Bxa)(=HN#X8;_h(|>y^lQEE86|!YqDx_FO^DUWX3bQmoVML z`g38QK#TPs(<%X^?Fu{Sr&!+->BHu7DZ2E}W2FPd?nNqWDx`3*)b&@-f85;yc85fI zG)CrbkYw~n6E8VpHt-QNOXv0S`f`on*LRmej;?QELg6_#BJ&A1eC3>LBhA0D(#(R~DDmgIR21+n&7H&^fT)kyew z`Zoi~^RhEfY#(&%QGA0k2uZ1PVQ!5&R%6{!yjh3M(jz%d&RMa>hfQuFG2IK8@(LDi z3~$Y9JT(0gH#{N0+t{Wg^wn3Y&#ZKbh+Lw|GTC%ZAOC?6!y{@KF6vC>lX0HIuR5Z1 z&IpR-)9SJuzBj1NCPx(K>hz=x8b`A#BYB@zK_4o=+1M~iausPm+E4KkNRX z_*r^`9$k%KyM;m;L~D%LK0RvkMvL&OS_%>ekO-Kd;Wbu}RyCHicpxKZ=+!_@d%+lu zIO;?WmP8Q35pT9(Kh$5BSn#j8oNNe%cp-Pb+S<>bmvHdly5%kGxS(mt1tWp13|FHTeFkZ%Y~Me8BHE?pU7q zveWmyNgRTt{ljBlA6RU9mo5eorY#z}@(?%B7+|;2>j9*4kV!zlE|73@s)dO0c!>kC zpMHfRfBE#5|C}xhWpgEo==I5uNp_n#1=77HZWW$9Ql#MaU){bY-5nJAD$WX3Y%Pa+ znxq-+y<|;Iy?z0u_4+zheI3NCZJJ>*ONLSWH`O>Q-35|?F{FeQc3y{}SJlF;h97d* zzy~>s)a$}vM-WuhZ`b2cyfo6+MfD|a!(RQ?d<|Q%CVk-lmYd6!syMxcsz1uXXf|OF z2VgTmrjj_VQEtOL;?@-TZxQBFCo|znyHnBib^EpX#*G2*SELS1bp1St{x@1N#D)MUZQy8%mXq-0DVxq<2H|%j*FJrkZSkLc_Rw zh-FYt{;)1TsVZ%y3ZmFbmoKYs_sm9KrTA}AJ!B84k;M)206OzsL8&=?nOl=ty<_7} z@1&+tNt1&NC>t?Vm7;ycbDZ6eX_^{)L`u^bJNvM^-Q8sjsVCb51vDj4OGB&PH1qOW zZ^0+KtG%DLcaEIHRz-g3+Q{EiYQrTrxok}*uWUstDf|A9kZ2ESb=M#{dm!gC_Y9w9 z>ASIu!NFi?Rs<}#<5+l%V&mtbTjj=#Es{In#CTWPa5B? z@*zb+*Fo&ohDfDGo;PZhq*9|YTGdk10AdRsE-SyIA#fA3@aV2N#vegXf8#|<{e$ji zc={*00@HVu1q?qsRF<~&Q+8@FD{)%ZYK`1BuB`?q(%R^)9221tO zzqlm39NiUgVHq=KXM+fcRTyCCeUXC%>)2OpxTaMI{Ypr)f~Th3c0@$p$e~G6iNq z%~TC8mqmt>KXj&Cw>VS&;LJ+SEH0ImMYwN@U*e|Iaz0=jM(ypTNWkioR30G9Z#E2*Ib+M~3HkK+Sl1v) zzt@*rNLlUJ^Go<6w}ktyG0ADT3j*id3-M$d#SJb6>g_vm`o^egwZt|zy?B5Qp&t&# z!}9@pJ+N;;GzmRvw37gHuTg(W&2Wu_{$y{NyMRoXY3b32bskx5bwxe}KP)ur^>mG)zQFduaEzP&q$8>kAGMRo z$i4vCC^_!Xal?z2(Y=@y#qMwnYRhC4qyHaN0aF<(hmLmLVi{t=a_7l%aD9}Y>xng* z{IvA*p*lHTkvC*zt)!C0*JACBNZq>Sfug&J2uTJXRWPtw)}X8NQU+a}KDR+Pg^_2_ z%>kK8VjhET(ty9ELAOccSieke&FUmewI-N(05%)zJJvsvrq5_tN&qHs>)hpZ7L4vb1)@7=>5zkW9Nv)P zB~6vl%@AuZPv2dEkG~5mg<_-G=Tx$dQot42_Mi+sJP8sWbuZ`TXUuFCj&)Eq7>Rns zZA*w)3t&oG$O{!Co8xA|_r{_=E=18_1vho+eS5mNKE5gBjLa$~=k!)>0jA|ZYvuv0 ze&D%?V`rd{Dqg>u0H@>kj~{{eF}T6Rp~nl zzlP{WB%O#Ji!R-G*?TT;)u7+UWXyhq*x{s+1m}8PktZlf#XiZy6m^1E_wY=9y@9tp z=-7^yL5w|nLb`Y$Ng|Dp02L0Hnd8F_K9faH+NXCtJw8=z6OX^NmDvfzEB-vwPnQd)4NZ zdR_GT+_`ebSi5E=%$l&K!4#Dur9O1Sw_e!n%Q>n>EkPByuiR_@)IoKxF3jo8i$6dt zed2;^STM>BDjiiHBREV!-<*Q##9;s!IH^3xfzcT?w2q>YfEF7fN&8+ivH)g*!1Kha zY28{tqe5kF9oJs=uN+_XtLufjR1q*59n;ET7vlt7;@WV9PHk5q-Ws!4)S+6D&O`Tt z)S$#Mm)0-XNf`^1Pzw{f!Gdxhdi8KJ8u2aC#3P;;S)x>hk@6!{f$BNyTUBsuMO^yz zQgVjwwF6RKNk=C-?2y}g>t1+b$sL?|FiuJdizZ`I7G~DE)+lv7wD(Fw)*yfyAQs-( zM|}+Ri^%qFB`15@=Dau8pAA?9QQJw9$e{M#l6D4=N=u+X(J=Cd=SdE5nvoOsC?~nQ zPx08GaZzLVwxm>NP>TotSsVld)QZ*qtIK=iD|VJqBL&_4M|8;%sIU<1S{dR}hApISW7>{Th5#Jm=41;%g zr-U^~JS@ij@)<^As%zIL#r=3y$EO>GkHs&cAIGqFfl9szLJ(P?dd7eF7jI$OtcbOL z{_{J!mnZa2{VF$2`YfKgIG|5j&%vz88#bK)^@>ZqRPU zu*#gvy{Hrn9O8^G?#NhU`v*Ym3NK!c;+qY=|N0JhTY$OOIokTMy?@+(wzIo){44HS zp6?v*ce-8i{NPBm#bNvCcxUTmw|yiIPmT@`x*h7S7yBn-muEpv6>owGZJa_61QP5H z&d_`dtOA_fBoWZ}&+$GxB$0wEJ!QgSq&5mjpV?s`4ku>=5Hh>a<0Fi<1baVBi7v^f znBxZ)_9if?Pum3<0uneCijbv9k}J?`x?LY*%|kguYk0Yo_izdsMg`#76uwRRI(yeW zPs`QmHDAH03IzZOqgxU-#fE|0qL_quz4;<^hqR4kHe`VTz{rkq37zC|%#D#)p^nG! z2XeJHh$sCFo93Zs)`2Qdolhko4fMZPw>v@#%|nd%fZoTv*IXgeAaiKr ziK(gnyHVm)YDn#!myHrbIFhErG#!+(tx9oTNqcQU+fZm-@ny4j0hx3-te*_v0SYPV z8LbMiA8Q;a%SXI#QQ}q!xtRJ_hZDdd>TLaZK*;!^W*_;JMW}DOF*aMuOgYRP%e{m^ zPPYTHsC|5JL^SLqMePz46pe*H9MD8uV29+Jk~x7P0+k&^ii}-4vz8=e{NN0kq!>_x zFts*qBdyNSeylMlxjj6!1vx#QfH3KHwz+dV+Z;lr&loTWW1OGDeHUQh;a-oFQE>t@@WO=;*NGLf<1h*S?2nYUCXK<1@C}5nt?lB z9CZ$rxowKDEqqK&qrAvziakYkeIGK7c*ey)L^C&16T+jX31d)>NnzaL2B zCmFH)W2|ES~9D~{u;_H(dsP^u@($8>(fpNQ9?!v)$e7T_YP zckK}>|3$pSVC%^lnOHR=yrK=el5(R2&7@CiFnu9%JPAj96`ljZsIVS5oe!Vv^K?e0 z!yg(!0Wk`rL;vqS=^iQs`cdMzG9Zs)SiN}O@If4{s(^b+lZ)a>yTIdd;Lv0v7YFE5 zqSkxoq|=KC6HQz)dY9-MYLKOMB!{e(E?Jl5KOXX(f$G(t49Cb`2haXz`(%$BD8CVY z4|+c!i+|6upQ}xKoUB8%ca^eQt}%@gz~P$Y5VkWUYE(vE2I~*RgqBFogTEWAodlDLO{HP6+q=6-XlJc*Ln`V-ge1RH-R(wE(8Ei$Y7jA<4lE5-gR@YP!vlVb z`i(zSj~8dF0y@uk+b_BjoPU_3>G6dIf56g` z4p{;jO06Gv@*VE zp0o#cDWIVe3H~gh>NXCr=7fj+6;Xa(hK8Pu3gPW6bH$MJ%7qoK$CvN{M{8qrb}7S> zApj9ns#B8Ls!Yk`4&0)9WH2Pq_q)eiTU5QREzHE9I+sooBZ5f=c}oxRF&@m3;fwSH zin}}{&Qu}1Ts`KH7rIw+==czBi)C@6gpDU`%)w zYitXHiVWOP>cKWG5W_vpo?4&+npr4LRBAD%sHW15fe{DygH29=npI9Ue2fkr&#DJQ z&C`1BT?~yMV%Ykz>xX%bcM!^vP&0eMg1%=hSg3;JQDIsr1dZ4C`ZMcCn^biLbCIeV zi01BE>Tk)j6phko=;&WY8D=u6!1D16y&IA~(tM3lMSI}g^=V~)j|kI(VT-s-s;VA3 zQp+$osOQkOoT%k2?khN(7#59O$)cZJEt3)l`Jc@h?1Zn;&Ee^68C$|L_plFGjUBNSn5proPN$0X4x zpw$;hpR6&oR>La2*M70Hqe&N zo;c_V*k5mVf89Gd-jUja{9%%2k7dDA1QX~+mX=QzvHiWy_Rg`~%;0B19nWD1m92tY z7`VLM0^_%u zG|53xpq6}ge7csVKFJES&X6aktCd2f#YjB#1OVtLDK9UB;_J$59LV?h3XhE5mj$*GY5Jr zO>xqo24%H&ur0Tbjy-B>8cRefAw|s9CkN+&AvGl(ZD}-rk%p8tb)oeR8p#O`{%Tds zUpX8C(h|FdLm#R3H%gFeit!_dLJBjwgp35&`bqCP;b_Vv%=dU}Ii(5akD>fB@PS`h6HKSwpk9Os0$*I&@=c+a=PpH1M#{e4^D_FNyh{})?$}g$jztg!c8?gp=}^-PhkiuNOKzR2 z*OMs2((p@~XvW5^HXsU3T9^mg7;NX{?EU3SMX8dqk|=lQl-V^E(brq0871WGw(@sc zncW}^vmafO+Rk!KF{o8A>9SgbK_dfVC50KkOMH%4Hj>IK@-Pu=5AtH5LQiXl5qU)p z-9&Lx((xIE3%m@jM!Go6Hj5)ySli&JPq4y1-F7yGg|wL&Y@onUw+-a^L^e(K8}10} zB(vE5Y)S`Pf&%x-10~})$zbJzOcKxJ&P%?UqeTm|POp;UQb$x46dOOs1HT6vL(T~o zxpwp?WF%I>y3sp_SGC!PUwIYC0W$}&KY(592qlv~+-sCL(UB?o_=b~nuwkM|n@ChZ z3G}8E8A{8i#fMd-$dGjG&p}al&l<`s${Q} z;%b_+oz|ee%O@JU+lH-5nzwM1?)J$V9wY{Jz~KxBjUt3>{8o8dA{f7OQ?WO!X`IxWNOk&D2stxbUmCD5H& zRmP+4m$9zQLAJT72);?``VEsN`sfICqUjP`9>o_+YgDYC|fLPHn8DDz0Gs``MP4Jn9K%wD#SENo+&FM!7b^XnC6ju7RX4STB=^E zco&?ru~3s5{gX14WUQokRbP#6WFX7&PP>GnzO9KA19otK%la zhc?PcBPOcjNtl-QGcGz-!b1Zk5;!lzF4h}?Fzk^tM79)KRn^V}8m9;I9l$$^W78TGlV zJYu}$ndwHRaP2jdTe!|uukk=flyC6z1GJA%V7GUUngETv?o;I>|WPX=`C#Qkejk;R^|&EbSkR~Pj}l#!v-8pGM19waTR0NLdgzd??Y0f=$w)i15O z6nd8;gNaky=p)}Jq9<46mNwD{Q2k7oII6Hr-{_p;PNHySyV!2xm7>1EoZB#0oA!~jUEm8VrNPm>j?QkA zGk);Ka_fLhPkZk~a(jlNUcQ*^oAXnbY&1lt8I8E{=m{RFDuad?Spb1Re!uoga!SoP zhe98nz_x6nks8fSAYgph6!D(e`e}+FWrHEPN2___F0C4bU4ai_8iOR>In;6O0L|SNGX0226W%N+0l zOC4e5Oy8%LuGwSWd)h^j*SJzdR+|%8dU&J~l!tX^e>>w}EidPo_jRf=t(v;AWBF-6KiS_p-Z|Ls zf?RDMb+*Z!Us63e>L4&~{2lZX_t@k{d=9dAr~PcVLk_e6RGq}ox2LO7FwHW0}qVd+WFggIs>K z4*z+*UM@XWq2<|el=4t;zb@-b5Wt!wnMh4n?Ls>1n$TQy_?d<*8Gt$@GKa6%*I&Wk z_WEo5Z!Xb8qIx*1dVGydb%G3fheQdzJzuTTZPUaRu6!JT2E=G_DVL9yYNhu{5R>c5 z6BWARTE7dRqcE)}Nfc?Jver5+zp0=*w*bUjK_12!cAzOR{y(Tnm9^7yn$Gq5avmWB z7E`EY2`#S|Q##F(;*bapz-l(DDnLSp_LP=Ml=a4PmOw#Umly1^ECmWbaYqK%EqBmk zzkps(-%Q8rIB)$ig*+G~Rtb4-%&JQ-1dX^ja>LH_~t2 zB>B3gvQT`Lf#TdGzk5BmcWGqs&zjH=u?V{K)az*w{c{XTC9DZ5UH-ICPwUIpZ}>%F z!?Mr3$cxZIq}%SWPTG<~QdZ3?tDz}JU&3&I`Q?U)zWmL&Mo|Cq%kmpJE^1AfDa(yT zf;&^*JK)ZA{p)WezwiQbT5#i&0%PDqUu1Km=oqlxf(Rc*Nz{-RpYj zB@vaJ2;2y7OY*H-b-Q-!V0X8(b?o3ytP6YecYYX*=sbskG%mW z=X5(T8U}B@UEA1UrFWo?UQTVST*%6 zRf^U_(fIM;lOIyiHZ1IL^#Bs^#wGf(Z2!-T!$Wc5#Sz^HBa@JSu7cw5!S&F;hSaU2 z=I(QvX}izs6iJ6Y>|tv981Du#(MghC>!Gp67ssw+I#gc4t9|T5Ik-_i?-5f#@lV9n zJ91Pv+4WqLNQR&B`e^3F>To=itIHeGTVbDojX@7r=_`R$gCFEW)z!-H7|DQpscdta z3TbeAE0$E)ES0D3F7y5E;X6AQJ_9Qnl*SKqY_;Av7r_W6sxom-^e&;V#Mjpvu$0^; zmzV4)#u6r)VgJNqVLY!^QgH{c?yD;BGrq|^@Z1q8lM!)`@td4wWN_Vz6#*KbaOVc5 zqZts43ISxi17yXPPDSt4FZ53M)-lqMZrn)-fR*IwYuwjHsYjWTSAOMF$7H|4eH<F^aNZAy&5)wo&Rx*Z>VB9uVDQ`V-XC=tbqZq zbazt2uRMB5m(hpHlN)NQZ;tYo+jw8RG720%Bcs$w`@9WEntW4(K}hx-QOkwX&{M%52RRI6p-Q= z>P8djdANk|_sRIEP+NerLW1n8ujqwoz5|C7n4)YcpB`U6yh+hg*5sapXz;UV)b+{y zqUlSPI}Q;LD}Ni+bZbRsQ@y7p7rMGs{3jEyKFTU`vUdv!OCL6KbNn9Qa87+b_RjPXt$S@fBF-8$828l-QIJyjQpbJ4HBTS;u1!u;BTRoO_5I*j|kN}6?x0sT=@ zlc^NtIQ7?O0fH7C)<=GCF2GTQyttkVSn4EOlXdJDwe^MeY;9qJ8J`0Z>G+e<0?fsx zDgQup9$t!S0EDRyry>xU&XW#eOFE>#7)_3MyGh2yXc7-dZas5pClq@ZECv%8RNYIZ zF3c^^bZ*pxCK1)WJs!K^5cym|yD|lHK?Y8)K~WjI^dK2XNMp>5RD_MZ9(F_mAQLdJ z+aXG3-T)IyrNj0f)dT*@6Yd0P><+1WNm|+vkVSV!wu2s>QF4nBTE1>=R8*xO!=3 zgNrD6!^Y-OOE8tMKo;r%(TD^}Dsz@1Cr|-_?J7yShs0@NW%L|7-1=Z~pP^ci(*T z&9~qD*Xr8pKb}7MFY#Z0rGK(9`tM)l-!s0U5KYd8KA&?_B&RWjY=9jfUwsD!^@e@N z{0rD2)r0f%`q>S6=mz1?Pona8VteaAohT${W{oCn6ONB|o}C#OE5UUaG}P}CPUb}LfLz`Cy))sokmigRGhrQCfdxS21!lT zxG=)dLLk`jLM{gB#1l=FJ$N|>u`v!&wBBr9K-Wyp8X%3EKoI{&Me?y3!i&Xm=Ev%qe|-Dxoa6rwT>qbbxB6e=+t1_w$;W?) zFR6IF@MavJ)6MmdKmOmYe)}|~|2mMWHMV=X6? z>0E(Kb9!LG_?>u2GKv4h_?_6p*q3>IJSB|hVo^M2j$kU7r|i!SdMF8FdFq3q%-GV6 zXFKZeiuiU7fLx5ZG{T29JP$}b_s@a+^Fa{6=HOWn#R$IF7OPJ{!>F%)v$`fux@|qA zC;`>Ekh%y!@{kxL4)W$gU>RgkSXilQANw!2%zYD~66)G=Xg_LuatfU>}l$wKp zPa5hXNb{W=qE9xF|9!2g$kr*43Da~NV)zyv}EqvC<=?wpYocnB7w(h zbmrHV9VZJf?7r&nYt zx%Nhu;x#x7X9da<-)E`@sS@zKAz8T|C#+l#^taRV#~>qHE^PXB+FS3&IlGCysI~T8 zl8P0VSNmF{Bw58gmCl?Fr3WSi_DAJC{P%9f_ypEC3nD+hX{{Cw0}&|5lNd;-wg(8qqDh4{`cwc1QsKK&?K1OwX z=TUJo{%uv3cw+3n+;WZ%4vwF9`N}yzlT?l5I8`hjYgTI|U`meUZxAqEi%JNv9IfCa zL%b4AcRcj0ND^;Ka>|YVvu9n!?z&8$m89FuXKTsd+5W?dMD+W_@7Md@S$!M^*EjVZ zD4(PFqwfE{f!$tu{|8^6_kW*u|M!>ztVu_u9%$zr4__@3w5dV|Pn$v1^*FM6(;~p} z{*!Iw|M&kD{B8%^;{z0U;>7^O8AE>1e)0pK#L)XeRL+6O+gop7UvMM%r#$4q zJ3kC>oqot+p1ogo=LeMTzxQj%`*DVjWbEixU=;tY-oMP3jDmikyP%B0DaYO1=D6e7 z-gN03$kGoXi30~zc;BgSXYnQzH-M~SG0KXFCcR6@TQ5Dfc8LVk%H1R8H=tBP?@Dyq zx{(eLCU!nf6IxVv-?^85T_Kk!pY)Jc(~Elug8yq^!yEnPx2q{qCEY`gftpr5DoI`m zUG8WzWF(5$#xqUETL71`*HA(cTwM(K_0uo_z0r+5HA*lliqS6c_^zQH@y%ksr)SPH z_2ruytR0~<9M$j(s$;rWvo&RR-%(J=S@J2dB)BMs*Ms?SDW74risnk8s~~8unbK=e z=F68a*Fi2zPQ&mgcnInJpgI;E851gHtHS-D*D4$FqmmG#7)ym1Q@dp106iM> z;sfrRfFZqPEcH{~;+?5->jT+(?$%*jc<@;ndI))QA znvvJi8+i?c_u^m>jY5O#(OeL$foGmv&0)y35{xtMDtsPi_%(Eu#fP*_o$#jC+dp@lZs&NvTavHX`6E;#!>{xH3Z;O~55t5Pw1EKPJI?-*LvW=>p~tT~-9#u#mXfR$!k4%k*b5l2jH700 zFlQ9i3TZfbM4&4l@mRG)XaAu4Yj;BvsIP6P?zz+b#CNIWiPQViqaJJ~#WIZ622GDi zi1E_~d{LE7TA`yPP(O+{)c1Kb1^#ZMq!H@d)P!VXD zkpP9-3Fi^~zAGg|C8;?uR~>*}!n-{&7rg8`E5iJJ=1_TdEnMh3t76MF*V#xzon@iU zoTRf^YAl^mjbW9MH7AL1#fK?Dh>8&Q53%b>BLC_39>$VampMTY<7G%p2U!eXG6R(o zO7uAf+7+xcw2FDv(Bs!UJQ)$EA(nV2J0#_gsPLUo&~vCjd4GV{h#HIVOs}#s!53*| z*XEBQ=V?xX-csY2bkY|~Qm8IbCzY`pp>J(gb99(J8Nfse!wWCHm&=s$Y@>Z$KcM}P+Y1B-IKr?j{ria&p@&2vML27sqN!Sg% zB2UMKcsj>IeCbIoxqB&tw@_c8VcF_C%e0lAX~~61JQ$Tp2<#E-BdOP z6&U!yIodwh-~AOO6&4OC{}QWQHcKw9OiszebD++u&k|7%%Zkbu!*eEq-OZXuix+03 zLz)br5K+}Yg4&o>>Z7Ymw81PbdDQ({;aY+MYh0u~93$@viD0GVn6>nnGW?@tNLm7i z_|YRk$_^j~`o|IEs;!8rBl(Dn`~oP|@W-Qz0N;C^a45^3162-h2u$;ftSPinmj4xJ zy`p-5{q^e&&Y_hCvRSvoj;Mb>#6>DX?Y5?&SdyioK%yid=aI+(kxO*a0xl6m+83Iz z{&5~r`wE%|jnRrQ4$+2YSZPLgD5XfQXXq)0Amn;I!?@gguN!i8&dZYP zbY2#%*w~5`Q)Xsm!lW=WXbA#INaD#2FM2C-aao2R@3a{5SG4TvAsbs_$rL7u*!ja> zu|$u#ash==q(uSGLo6KT^HUrzxy)k~UOjmY(-m~vat&{btLZ+5Wh6cawui+YcDCg& zqjeD5Xf3A6i7z6I*;2dva*H=@Dxhd|Is#!rv{zr7)AorJ7FZjz2H#)}a5Jo`V9j*s zaP*w?p*c@s?~V}IlnwFq*S-`i$eU_OCW<~%gicteWm(Q`)hQA}d=2z4okRQZbi31X z7lEhr#YinudK-xY_|ETp{i5c7BbyHk|G}KA@yw;T^aw=G+{>}K7Ndd2Ts}c_dPG_> z^PyZUmdZrPSRBMHd~WX?b+(QVj`$aDXq2><*#DZ!NT>#KyGSjeBG$#17ULuv)g_u? zHM1+9rn-_|-AxS#h1ML=D<^S-^?#mOs%bRD*;P+LE!2cm;i@snUQ^q{%O7`|*}!kj zsX}`J=lt zer+k0I6^e_Os-Ty@hi2`enld$HdmWNtzJ{4h3JDvm2kn{~4Q52L@FdCu{#{8c4yw&+Ls-+2@DHCPJ}dw@{Jc_vF#JPGL$pDq`$cZj z^c<5b+aJDM@u*hR`_ibhWJ9bVmnFQGugVdA&UWjogq9M;vqnz#n)uQhGh@`!)iXyi z2&L9_Csin8<8Ia^Z#B19@6X;_4}bngjz74s9KXcNc%}2BL|N^ z`ue~2?b_3C((C^}*1r3^{(r*tpMq39ek^v*Q)d%r9)-{3#UH&Y@pxaY8QSxd@)2LY zlZU}*=_r95XH^>6p(4FN%1e7FXUQ+YyFv=OXbOGnC1xwSCM2C>l|G^@Ti!aN;=M_` z_9)>g=ShPe*P-~1VhJx+R%?{;O+&gg+`tmPR3)l1>uEzY=pv?iJ1?mUzB++{*Hp7R zIpLBcu2Wi$uk$+u>S+}F2BgL?E*z~3jUnAt`O2n*RAQY2t6{j`oaU#zY86R(?;hg< zqG^kx^(U1gM-=&-jl5)aUi!In^z5JuI!LR$S}v7%QwO_7>Csu)EQ>Xa4JqzQ6km(- zUO|RNEQ|Vu2MKFs@fvNNdP4^a2dw5Ba^s4mkP2=(C6UTwQTKiqtBhxYaa2wO$EPgD z4p~AGOU9tYxLYTfwk|5~S06uKZr+JkGQ{O;YHpq4nF;-^-#f;xNRIZ{oVBVUVEpFb?j+7J$lZ#NQIm;@L7(aeLxJ>|+%AzD1@wl! z7s>W)tHyxpC%t)rLq z`n$3Lf=aK1P|aUop(0i;y}@_|JJ0X0ui(Ul|Eg{V7`l302OW<`Nws`^C27UFytL<; zC0=+jl;_|kLVm)8qWmPMRaxR6IJBtqmenlKp}sNvVqLKrWG8I}n0lS=>O-<_AEokq zf0Bd+uBou!6fVlF1yrh4`5{qSD@nSV)G6(io=qUBgXO$WT60%6OL?yZ!O2J;d2kAv z7x{`TOneX$`lt%Tgj9Hqe(X)cR=Es|&~*%djf|xKF<*@fe)C}B7mhUyHGawwZLKk9 zwN}kCXpkKkWCsViwMqiIRc4)wIT25KxL$l(#$pdvI_e?)CWGJ#gB0D6b*?-qCodw< zD+A>Uz?97g8)%rfZl$!U$ttcHPbm<@B|sp%)ad#bxO~XnTSEZVbcg1ao0>MYOc!U`*1b(6Q!OKNUvU6>suwLYxl&p4TtaGHR0*p} zf|BJ+4$qnYG}GjF!_T*-1bcw08iHi;%9^tvzrK^(L|#8YZM6VgyspU{&9CV@>RFPc zHIXPZm8GT1d;Rn7>$O@fjajcLCB=Sk#CUOpRyu-79v~@k4@muGjrEuJ8a$a~tUDz{ zxihp}TT3+16>$OGu~czTv-|Pj;HMgpU&ohQ67=M39)I1L(hk)cr_b`ER3Mc}=G0vn zHC+gXlP{CfTh7Sq$5PY__bhnl$-@HqBn4CN(j)ISP199N{Ab#=Wr$E;QIa zt3}G9H>>V!cC=A)>dX^@)p|K?Qyfnl97r!K?O$;tzgxgYYkKb6V^eXp!i}!VOK|Gy zT4Kuk1DeFEV|Id3a1vfQD@&7!-@kzUwTueW6ZQYDp=YDK#;0lIN!pw~!4px5lP_C= zY1JnO!KvdbF5H}Qx{zXqNqQis$CCjzwl5qJRX6B+U21da#V#rH^OUb`%~|ZJH6hNe zD?R}MD_QT;)g!r^DHVo%&Ul|0W^MrQxKKrj*30T05c3~diD6`#zg3!j`MTN4Z!2}N zQZ>r7(C!M_U$R&H$`5(sY-Z;qdqmozBKe&DF&I;S%RLyrz70xsB%|_>{wV*{<;&b< zyL&5YH=94vNuvgSZ&rwQIgvXm!CKE#i-a)=#?Z}-QiZ8t(WsU)>TPNP*S(+H_C$W{ z?HnB)9OZKf=e5do;kMaS@09Zfgd+O#XL(8)$cjqEDi`*Z0iroYZ{Lkq_e>d>kq_B_;mcvT86nu(d9&an7YP4zC1mJ15h(8sX{aUlmI2W;q$Kxd$(pH6kwxv}`2 zo=7yT*jQ;YGei@LB+A*yDFO|qSM)eTdQ=mb-X%c+%zN}1#Ov6C9_N9+%*^_!Luo7# zskxsT)Pi}R7CcB!C z&_wcCRpzP3KH1m2Y}r0aa>S6*qJ>t@4-bj!av# z%e+JQX4=j`(`reGl)#o|gSB#I_g*gBdn)mbq0#&2hVvLI>WL~$M-LQ1F=HaA8cYiM zd&)5WSkt&G%XbS?5O+8S?PWAm>rA2LjLwLAK2#j3?NX^o?*?+a8%=K3&hf*jSn}5x zsB{?$UUH#i*2)ix7a0O0torLBj#^Jqn7~#ocF#T^CI6MqfBTmY5%Fu0_z$b!ePf>g z{sZ7(6Z>TK^ZD+0iQ56!!2Lj2#Q5flg>Q;_iUS0=n1dD^cC*~XA%`asDPs|1=dX%$LOkSt~Q;Dxi>`MI-uM@!>&=h=x; z--=+4kJ?+ERM?%QoXUII{JW&@KnFGB>Fn%3KUf#P$oE4Pl)$GtF`UtRP3^8hFZglX zAirN+0A!X+1J8}TDV4zN2>Lxabxo?2K6U*UE>ho<%JE(roIv5d#oHy&wRaSaD|E+X zpVJMHkrLRLR(4%_sSYg=lM$)(Bd=dZb)Y>SxAE;PR0cRMX1`HVRCL9F+hNoqWO|iX zHnf~R?DO#MJI5|)M)KXRrh1r**ME6huIiE;fu(dGDlE6g&?k_2XDzE7a1@fUCsgGe z>L*?Ok$kmt3613V6eF(xUR}}u@o_`Je(OY>dg<0-!XZx->ib$b0udAq}Td1M` zJM=;=tH;TbzviL=T9&D{h=yTEvq{-7rtuV%{C1b6&m4pAQLYP|azYM2jHWxl*4*Hu z#v|bE6%oDl$78askx`VKP^4MLVDlUu$DAo$74pq24H?a)z*HOzj@Y}=D5TCk!#7zf z?`0po+I)Q{>UE%xmbG%y_jGJ(nq@0XYMg7Lz6KObAp|tW=XR&n2b7@aBql+>vaD=b zf)TT#b4%>8G{=m0+2)8R-+#5HM$~4&U~FtQenCqa@=+HyLaVUKHvz?;|XxTbDRQ{TRkSz?Hob&`q$TT zD4S+aqc-Mi)UZ>A2R!L17!1O)R#2d#?h;$##}#^WH2rEjIW>aZ@dO_DmFc9z>Hk#NyUt63#!{6Jq6 zYpz;_?v^&Ho#+%x~)$vE;NxWII?tc3~)@zKxlm=(%i z6`OWh2q;|mxCBi`1AmCRrWku6#plAi`vF_$<)t#~rrCts;IUanOi4E+dD^7Xu(pI zsnfZSfA6S~*g8ipeGWY@&YrW-Vg#kNu2Ol=yFZy%zf10s3GoAJ`udk%)~69)XE!Ch zhv4zyqCa})4$vv$G_{i`%YCP;RW)0eYH}$R1 zdp>Ys|5d4Ar$66qzvynLVXrKuc%o+Yd6t5KZVZF$P)*r12SEu6i(QD|$qzz|L z>-5xYRH~>qe7{{(@%B3UIV8mG?&QZ_%2BgYIg9Xrukb$t{{uxfn-}FbdLWaoVrCJf zlsn{}t2+%u!PtpI(6rH4Ziy@XUh&)DBByGQS~e@P)>y7onoTH~(C%cJcwKQoTi8m) zZZ2+T6`SKUfP7UkVA&gxmoP!zr)n#m*zg>9!yX4&iXMU1@@>5i-LEmsj;}B8)Y7f4 z?!eqjN`nd*D1h+8axRKZ_8<#$FqP~<9@&F5*+CX&FqP~ekLY!6@8iiy1X zpX0*pgsTb%pi;4>H`GVXRV1W*RWtO^p1@y{D;SI3icS11@ipyFFPf;6b$?ycXyL-8VJ-wb zM3@J99ABc9ei{@^r8o!%Q$b>R4QV=1G`VoY=^*OK)~P`MpWrMCfQzQ~T|A)LHtQdv59_CF+~043Wx%-lN86>kYD zbCXqMtu&1m0T%+~;qGp?x3>wCzG|iRp7XOah;^^LgCEW&rf%{`Q9?F*yYsw#vU_ZU ztpZ%V9^uP|agvJt#=p?Y?zsJbW7z5mjs(vR(#7Pvt7Sc9%KF{L+XnpKMfJ^wO$DP` zvU)W(B7W!@2TIksCR!OM3i<7CpiUHKAuRq$N?@ zVvKo%fhKv{RwO;L!J+?k3o!0Tx@SzvWYt%kkZnk9V|JOsDwo>LV&Ula8DmD43mtuvgAS^UdSHBo)md9kw(8zj1?|Ek<5 zzeZ737I!+WQh9=D#t#r^P>D6g2pD_q>#s)=P_^0^(^|59eJ`X#bLGj3L2^SVbi6EY zl}mNGlLTNr!FpjRI=aZtPdrC8Nfpu*Rrq`@?y58>=8&k4tX3*t>~Bo}Pt-icCv`8X z#sE~O0!oRk+D=t*(6%V2!~0}QLXHd+q9#(?a&*Dv%rD4Sqf!B^vbOMi!N)(D#84$} z=zbzf%t~Sj)N-sgK#;YFj*)NxscccMl`RVik6y1|GmGM*CyAnW&37eM$yvbi;w4k0 zxI8q(;bBTx9y*!Ktf)LBNlCUUow7#iGtqz1**A#5uT&YBk^_(}2XnBbP1$JzDU-bk z&teQ9646w)Yc2(DdMR+NrNAv(3S3?aHj|%JfCAjv-`YLdCZ(jl)7WH-Q`p;tUpZ<` z33M>jfT`f_kDcA!TE0>(;p7hX<_vbG9&d-eF>?hdLGqJT0{MgB`d)Tx4&FLEBtw@} z5R#vqtAEI^((bWY-0se^RV+w^Q4y zIuWE><+$Ul8UBFe)?uiBR2>-V3$O1eF;ZFLjTnuMYAk#n!x-^qiUw_`dsr(y=2t0P zL2Gqzj$xDV8JT+Ija@#v8Z~woa(ql5`dcn2=qO5kn&uen3~WQI%5%WX#)B=)=LWUj zU}1hrgVstZt68Kn`DJ-HBR3<^e{=@JKlMh4GSmTw)V$S1GzY)-rqn?O#t_6%y{NP$ zfA#2B%4U&o-M~ugRPAs~6Z6s3MH?wAO9d<^hHXUsG^bhTB~E(!hK=)4TM78CYZw%x3b7bMS~trSl;y%q>dz z<)_Wkvz>jETJV#r{|q;ApgE&KwVWA9+Q!wK>Sr1K#gCejzA93Ilo z!$bN`^5r+A{`!JUKfh42`mtF;)3U6V{M^)v+t!PtgOfw_??3Jw?Gs3D4qHfNRa=gP}@*7f5_70)PD3L!mOP#GB4;<y%?id2!UCexeWfO?GBVps&r+a|Q97AztjC9Pf7ZAQ?X)Pl7Tey&krG@bXvI z<~PmXnyeN%qwG87TyD+}S(ag%-0hSOVFJ z7F<%ckwOqo``M1n!cU#%?6v>r;K<0~1S5Y3YGvhPf|ZzDOf}EYInPW1h@V~AF2ZQ^*(s4zc)+WMEUC~?XTO}Lc5Jo2RkK!P<1eWW9~L5ZsYgv&i=_u12XxI zx$G3kIm$thY-^N+AMhI&eEN+a@SBCAs zhWVRwdB33YwC5sxo0dYAZ>A+sHjN|&AbL(Oc38_--zt^4M18ANL;JK6q&KB}z7}(n zpPXkLII4UjiD7=9V9hO z{3NFgl}ulo?9^d6bFh<#JMi5|r}9sg*Beig9QdKq0|Oz@&>UwY$>HBJSJg$2YT{P3 zDL*+4uksk_@+ah-J-HsbBTDB_NDCB4@E51VeU%bJEBo(!1w&t(C3Grs#vyEVugOxD z{A350#Ic3kU33Q}zhsW=9`!9#g9JEGkV)4VKOrw34rJxz=Vr-rrrJz?Va|D=lj(EQ za6#f^^=q@Fovk+ci&7Hzs?FpVB~DQxbn} zmI7#))hH`rvov;xGK0S$rGKtc=xei-43`?Id`BsU$jbqYND+;QW;hv{Z8LsumZD_( zL~8!9eaS?zQvgCsC?%QXvlA*+|Jp1`Up&oS=5NSV63}4ObeaJr>DzMCmYJr!RBj&W z9g5)@lC!h14$;UM_Q-m*2ouO8?DfK%aeN+85N}A#ylsGqspth}5`IU&PyBwp@0|fc zaD7uxaz;3f-BPL0{#@X9BE5p7qgkz#n4I#C2q_>HnwZ^TsnqD6JO|aI(_J?{1$wIt z0@1+#Kl^tn*N(O>3cQEZS*GQ?R4YB&Bpap2NAEvKqv0cIFR$hzRoP_zNcyBg8u?^D z;^PrIVoe>$;jt+@>&w#%?S)+v?yz15_6j`^DFzwAzRHH_va+e{mUP`qS}ob>l?;`1 z68k9Q+x{r=g?*%4VIPsPvzk;@b{SVx8Q$>tSMjo zAZnj!N;fT>{F4aAO%Bix$!IKFAjz2AdpuP4C8W~bmZB)nSsQj`v4InIzpZR)7vP+e zR<>wQt@DSLz)fQRoYK@TUN3S3)P8*q8h=i@wr?NEsQY%es!*oH^}^YE|FSIqLtQ}H zhw;No$fLNf!wsxYXYu?Kf#M3y!5K<>sjGEIc^9tdyBt2+tSs4n(3qyqW3mW%(@0)F zDyQ8ZZ*Tb^hxpI9#8l?fnzFty^GIF4#ZG3EL=6RTzCUHPyrJZc2A<-4i9rSB8ybMc zr#p`pa=m&aJ<7CuHC|C+ry%+6Gd=e?7UMM{WD4*KEyQ$>J4ssO`kQA`(#_2JMp?hE z4x}F0)j>D9@kX@LSZ=PYY>YN8t4fTpgI#0!wsC8vjW@0}e5x%Qz+Fm_t6^p($yW`f zKG@&D|BF^mM=N4Q`b9mO;YzlFZdv;G8l74`!c)d&OH4x<{LOoq!&^uLx>1&qp zG$Z8xN>bEamLKTZ9aQtA*OXE-lEX>mVbu~1$qN_)N{&2!HVHtpfWGBqIggREm$_J# zjr$LBqB@=ZpKBTS4BPLbzz;(TkSxub_8}{rs_b=E)|LOn^(s%TS0WlJs0GR@(&%r< z;P%>;FDpJxNvSV(JdmuU+Vko596qU3aU~NjVRrsDdy-cZwUOjSddfpCUBP>lmf5<` zRui34`xq7p>|(b=T-v6{?zHP+sYHP}az|s%exKG1T}SS2$WWz|Q$?CxjKP#Wm!?Z~ zdb5CUab}fyGk^U`8J|4Uo4>{!t5-}L81mM|_hLGQQlZn|B1I)=MTHhnEzQ1Cus)*& zITs^}iz^l1uUgOb}nI)%Y>Spr`CSx(b zhgN32LXkV~czwq)Dv)Cvi3eittrA$LhCvh$Zdfytp6Ad7bzV4@jSF`wEwu!iASDdx zQb;Ox&lY77Z zkEtweZX*}5MewocPlm&rs`$RLS&!Ku!*>|~5>qOhr4p8w!HlSd#b%-Bw63v zhW{PH|DFr7a$|{&<8eUu_Nmm$zo4mw1a${k$jPt6AUmQ7mFMl+`rJz`-CcCcK)Q(H59w)J%b`8JzMFjA4>C7v zX6Gh-$76l=?~gLtXaD{Pt7~C2SMyC z5P6UWn6)&c)kt90Wlyw&Y@a3)Y6sDROAMuqN}dZE>Q{bKkD$m$9kpcJMhpQ)WkGekp%pc%IGgSN`Q#QDKEy^|;O8~|Sr#$Jjxc4dcWlbD-UL-4 zVLc2hiAQk1#3RVNTSI$bQ1Gcl3d7YE343Fgu>~7H{gi$mrFpDL>94t*5MFDFN#<8T z%4n6ut3&?N{&g4rCACr}V^|%a;&Qw=-rg~mQi#^sue-7et*QCFCQYr_fDx_)5B5o6 zxuoDN6Ad$ASZFyH9EDS+cS^wkd*89{uw>YmagF7xdFJavmPe5Fao%}L;4YtL! ziq+m3EXNDK>YdT;K*uE3^-FswF=g}I!G#5R%`Vo_2SyLLpWmQKxn9^>T+vQ2qzepL zDH;J@Pu^wi1v5dW!OTs;GiKg+dwLF~WU!`1gBmHa2z@Fw86`sw{v)PZQ{rRaC!UUKSkmqkA=odSde3=;nj?cqdNR zb=#Jp$sV3%X-QM2yjZ}vQ7~xDj@!BJ5axM!m{sO+EmBpICe<@x5Sj&-Z z1ya0=ND@N&v6jmvXrv*{srk-&?Xl`(f2SI2=)z(C6^Zk+dm(jSp6~r{!;E2p%6p5YX ze!KY!r!&ZPa+Auvo6FJCs3p-$flDB#UQM~pD%gxe3U#xeDs#CSo`W_MBOD$83LL!N z-}`k&^iEWlqP2&R& zP!0@6!=pg?2qK3C8}Q(;wYj~2+&0&q9K|~E0lxHl6^oN6wP$~> zJgGf@Qby-Wul9}w1p)yE0%Mi=A23uEZAtA631i6Y1E)T^2{6oY?{HG^RALBp$5&tP6Lt~l&W+Q2S`JZNgndSALNLhl}nr*3>Rinn?@w5}~834X( ze7-+%xU~frIm-^Tky0W3et^I-#>dcW&f{y|NZK-#QtA-zWn@g|Nr6f-xuBB zZQZh1h2^OTir%*O%l6iGQ*7=Z!fD&YFp)K?KynCnU3i-jukALPV7Op0@|}QdG71~i zr!Z@`m^2B|yCgbS9Q&g|EZtHPAF<=d7@qnS#i#3wgUNXx?mLTOC+PYiat^=-VOo5} z(a>f^iCY(bfGh`8m#m9et*xlmB*Y2^MJoZ{0sSAzNLpp+GzMD3P^K!lMCKHHy^wD@ zq}$AZZs_0go{(-?0o{aX`@WiDoXo6A)>BMkrD%i!nt{LV$2|03VR_>#3LksrU86c~ z*AK4I{Urz6d&nA6cs+{3H?}5}RHK1^tcaUYF!ogpJZE(QN-~^aMLb)9LSFd34@=M< zLvaA{GPnTnFZ)q6s)!eGU}5pyrdVEGSy`^GJXu~5$L(e=hng8xe}X(N<9+9s?e_MI z9gNuV%QjH_Mm{f=qS4aS?CU7#<)QkkgJU71w8D~M3~cnO8URm^XhK2iEBqSad!zns zEoVZwf6Rtm_Qkd7A2q54L67@M@7Y`tc!489K(gZUcZD{pPbj=E+S6= z`KPJ_c~?hp@&yBbu{-H`9f|(3vlK3R^LVRi;^(Sx(TSlPw*K#U`>@r)!d%Ge8Dik2 z*S!^(3wZ8b`fGq~7v7{l#%0HwL(jhs&|@owX~*voVA}{N%+Naz`oWmIr<%aiGp3P4 zTFd4arY$41p`#{egWWpZhEaDmn+Lr2w&mm}L1&c927i*AOBJ&a3b@i8ZZ zviqVAJaD%j`~8bLaK)X0H)J{>;}~GrzL7tkjNpj7qgs}U1UiX!;@V#Xe!mw3ugMw> zm@hsF@8-QI>If7oY&o*Zf1ZfDq8%naUtkzSXqLsYc)I%Mr+h$Xj4|N~(CBm%j)<(VBac!Oc|?s7Twr_=AT{{g+AjEH%aUV}yI)1y-&gEuMz7loe@o+fs;opICw zw9`PPI@F2|u1$&2U-jy z4r5@`V3x0I2i_?5U*N9BAjnbQ3omm+OzWIO;_T^N`857?^a<5yKOq`^I)Z?=A6xq`bD6Y{qQ@hL2bcX^ zt}WmHywT-k0GHHwEeG`H3N~l8dgb?l>a2+aq7cNWQPKdNrC<7VPGHw+x!gW+%_%t5 zFsk+=uUCB!tbdHKwpc(o2JRV-dCVggPu@7*!zT0lcu$y+#1KJ9)~TvqED;DN5m$h< zVSq74p2_-QNPH zinbi3Zf&=l$Wh3}ZpiJ$d94@6uNqu=YqPoey2T&p+gK;l!+#@}sHDabe*${AXga{S zk=)f}gm8_(G%vh$p-sC>FywE5iRypoCa#=z<9k5WWRPDd zF^VRaS9t2wvKe8!6&#gpg58lhVV4Q()q$5PhP!z14lr(F9qPX)5uB@fx{1_sWQ zoOoIHh4W-bZc)M3y~L^;kjKwhB$L1sD1-U0Sv`Nb{dTuy_q;n9VSJGOt%ySS=O!Ax zC&k}M2;BKK(4$Kj5xRMqJ$1UfS-s6BIO=}(jb_HVXzeVz{Kb_RuqqVNsnzCniiMIXD{;SRo z`m|?cq2jirDWlBMVRN&U?jF+ni@1Z_g`!IwGJqUbFD|V~`2+rkxXzXtAFXQjZ~23s zC9KlWUvlV*%DzxTR=&$8I^Z5=RzbPSHQ?v+)>YWWk*3Wp4SX+*U4AJsuj)`rPc3=b zRVNvTD9)-UkiV)gE&C^l_E6B1W7s9G$9N$|7DwoHfYC|&r!pU z7%Xcm-6K`gE9}bCX4S9PD|G?m`OtWH%fW92N(yICe4v8PoZ9X-e5?FHSuNy*abXA=6QnG zH@E@YkgUVO>d$x3xa5o*PP=92P<7AEyD5~~gBz}p zNV$7kX4=_E0^nwG_XDA$-JjkeddEZW0A2${jR`p(b_^2l^5w*Fmg)%a851puEO7-$ z_{v(mYppQ)6N+!+I!lP^u@5XWjIHhsfx{X^qZDV(0w!`T6A)W2WhRr5x)1{Q*c=X< zSQo?cvB1YnYWKj$yDK^wRcW7&hCWe zUihOsO_c32R}_#54v8<&|469g`~mu3Pgb9=CiTCbJY8LV)c^Qn^gk^150O;HB8hMi zPCnGcmKTcGUjN)5jVo{^8+ETLV&%_&{vI_rkB2>qJgSR})!NC*>KSTcych*g^Dl6X z!wu2zSHxeuaDs{wQ2WnVdoL1~kl=-5A0KwlQQHCK$~CcF9021TMs(Hl#w;9V?E}0} zQ&RvS^v8HPhQq%`5BAa6kJs?ma*eOkay0M@-D~tj#F`XP?>z3QToj40Vg+g-z)TFQ zfBt^?$?|gox>5tWEd{GRq^Lw=_|{zfh3*#{E%gI1*i|JH4^r6s0Ods8~Jf8fF$+$$oHVRJ$&)y z`rJot5kJONX&#B@&JNBr&gb7z9&#CB4XG#7i@G?QC`lNFa{YoKHv`2g@V#-o=>h=>@NLCJkp>@4}cY-Q3Y6WoR)L<$!U2c){ z5im_%FCJsqS~+H*{=rzu5!AZLwbo%+2NUQ8DXjP~4qPTYJQnq+m6G8m(Ab{OO%J`8 z@q;@46hLn8wooUBo+oHJYhp;VO`@cWzIO?O1IVy?c+xT$oacBF4`J=12~L`Pe<-YQ zl-d{>0G^y@HPL4LQ^5|P1ZrJbYmMz;A4z{?97T92Tt|IUFT&;!Z3w$yBSpfy@or(a z1(zHRchX|z70TRdq6M7CE#P@b`GnXL8WZ${UeaYZs@xBnmghB;35u7192D|+ z5MBEmDS<}Z^D%mcA9hhTrkk%((KzZuSsxpv>pIl9^iVp)OTb5^@ZtO&MIpXQX>D|B zxfl$Kyh-}h9M1QRABSJQjDGdU zq?#5C8>IeFM-v%X4WiPb?vK0m5lvGK=glm$*4?`H`V-phgb5Q#-IcN&TO`0v@Aspd zIDs6nyP6^F(i?Gr`Q7&dbw~QO9K~DUW+`5Qewm~=0K&>ao{v}QF4@<-RU`CoI`h@4 z>0=G*?O>H(q+(n4QrGQsVRQdK>v2-VX`YF|#B?6n>u%3>LrXSc-=H#i62HYX19Qk~z zAQ{f{sBmDZ9yu3@RHyOshVci~qCt zvcgod44^_uY_;oW;w)=Qnfe9m_l%93!Vq#LuqfX9{!kR*tSDMQW2YMVMhQjzx6_-Y zlfCflr0JcV><-ROTK?HdJLbQKqqCD=uJ!NwP!z0g+(%LtcrMX-hgHN<>!a)c6*ANm zAqIHZuK93z{xD^k@nH^rjhKxyJzbZ;=a@Vdl80W0;sN^C$?-3g{4x&6px$}BEk_&+SK ztx4IRwb!N}2`LaSTT?;IBEGs@!-04AZQ-LHb&zAeonlR$FWo7+4_6Y8`+_}z(=g+xPtM0Y!-cQo?7I0{M8h!3nq zb*~YxQ7(krmohL+`SI?j=HbES>(=I9@khJ0w^g=qf|W4wnywS2`q05)YkP0|$S#bs z32aD6Aqt=mO6=j@%W6Fy8Vm?Sv(J4S`;;7;6mq1bpDd-K5m|smuwh6V(|zxcV^l_u zFx3LVS5<5an(?~h32K@0Nl+8jq#U#KgM@92o3ecSV|g-w~U zXvUdHlA2C1?8t6pfwtR#ppS0lJFRkGekmfIcY#J%=B4PhdX-a#KAw3TQUfb zc=7wS@9Kp_(w$`=VnAadEy7mt*1pq8%tWM0WC5FJF=vQnbg9l@Jekg-GPAOKbeu7m z*>n-Ws+qH!x=YFk`2I$6%^ROLFmqBD-6v0Vs;elh0v1~~pgVvV>v5|V}iY`+GP*O~HqVFp1WJGq(cblWIyVZlI!wNSs; zsw;OAFwOUZevc;*`VuA~(#?xtX;#O=YubaW&z{w+|2bXYX&Oeb>eX>nr5||4hklpd z*yXNMk6GLaRZ(v~N|n2h`*p`CW{zoNpeI&;`qK)6;NdMSN{nPvQQbfWa8>3y@RAML zxO{5$PtWRi5(f%8=`PhLJ&&~SbivewS?g9R>5uPL%4In$E=Je1g*1ma9|Mwc93{yz zq1U{;OY9Fld{r_>@MUoAhw6nec^)TfTL)J~(qZu@S`@m5@EYL*)z?0}rxE$&uynN7sXnCvCs8g7EvCNqm@91JJtoa5w%#6WAGSWdY;NxWi@4Kjwp*Xt zNBalmug3lUdziEt9n&ns@61^}WXjyVW_Xx~@16g7tXG&TU+w=Z5S5QEbrXbpE#859 zjETA5nMM6-?CFD8(+9Jq*(~W7v!m`R1Q*Q2NgW2sDe3i)Zd_eQcewy^to`LhMaQ-#Hg;*GC$Jdth@v6Ai$SfMT$5RLNS=6vmEOtCr2 zCd1B+7mPbtrSU9hKeuv#qEhVtLoD09aq8Te0VdvEc{sFw@l|x=jz{`u+1syfHV+TC zTZdB_Gfe|B?fcV4*Rxbf;Ov1$S8~qlWiExD;jKU;P+wZ02#i(&ufmHtlaIhxil@7_Y1?r#vD5|;KNZ}(ux3GW%xlLiaHpvMx+N;3KZsYz_ zLm~}ocO2*rdGwy%bP{0D&!vY5U3)N|1#pBuS05Tq###NRpM=K4Y!sy3FkR|7*ZQFX zb2J#Dx;Gw?P&@+?IWUB|MLl+FrQ+nu)-rY7+|BDORyjj8ER$(LLQ@2S#cJNr>0t!B z^CD8t71cD7`Z8%?CDsL0=xCZZ}2p<~*o9=NGl-@=5J^ z;_8_kyOd-Yd^cB&xS%J)h#^*}7_?)DR z*;A!BID7Z7rk#`hMKj4}JQ>@|ov|KW){-5nXLaJ9>2hX-y{bqrhyOnR?@Du`7KDG0 z|L5iBPgb8K{l7nhq(}R|KidDZaeIqKrFi9%F31~s+dX{JNHlMXYcCefYp#Pq?$U8g zPJ0UUZKtJf43NfC1toT+K$~DhlI1#p7rQQ%eeNZ${qGwa8QEX=G@Y_dE_K zQyn@M*D(3oR2!8SLvp2D%PAMDt&eZwr2(+8$(nLT1)Y1yVaH8cJ2*b1w(1tq>^9LTn_sDv(|*T>P^ zDnDTr5x)jT}jLQ3a8-3HkW1)uuw{nep)u zM-DqSw)oX5z`q0vnm2QwM_+|D7f>jvbuNqQiZtq1LWvxK>ERf04eOd(2pA1D{*lnC>!E=w8ZOF#v9)m=gk4`b+hjKe=r*Ct zcF8fZTYj%1;b3(#`c=_0IC^l;=Tjsa#l~5F^xilPCD&en4zAP?AAF}&0=v5|B42|PNhag77+4N8?&7yt6 zV!#G;ugB3n`B~FEaN_*OSCcV%I;beWycC0MG8Eng&T}*w!AWxM$80POI|(<9+N1ZZ z1+kp*6+V6zhwm{O2B2sx3I+O$28_6&$Oz=O#L-=J{C%_Sl)Yw1$^JlhozlJNlSjXu zj`K-1(YD`CIlYDrEDM+C5rqvoa71b+7jRr>!mJSMnHt(3etG_%ivPCPdei>>uEw+C zzu|S+x&JSJ|NUe9w?BIQ*(#_0J59|D`H#E)-+%xAEkm*8)&EaCdtCoNe*NK4M-M>t zf7|*$NBQ6C_sfs#|8HG?9SHQx1;O|DfBXJ>*z9`!pQHTu>FV=G|8IYc{8v~DEhy+P zIr}-k72aeVQT*PO+RF3V3hPf;@nO;3(uVO#7=**gcq8YA5Zo-Io42P`iXb>GARh;8 z%PD_Dc8AjO1ZPF|0|=;A6N^bmuGe84sH=fdo7Cg|@K#116izrojKN3ZM#xYR_b4!7 zz|NG=HCarKt?)0YKEQP>V7-Uoh;8M2W(>nobUE?{UpE+FMY*f=Kj14mk8LbhtMA?D zV1WQ*R=B`>g9SqUjBtUu+(x@~)WKNnu*|=poL)4Basn`GeSB40G*osb-euG0rO+TbdossdM=_EDk=UIJ&-koTZ+ z5v3Sb=H~I?*7o5HSh1h((?x)P?`V+x{>wL^4$gRoLy=GvSt&az6h5*rQ07(daP8Ig z_h%IR=r4WCn+1H0Rc$bujz1bjBmBPh`WW0V`F@|5Vo2GmV!AIyqn9Eti53iXsp8py zixvO6@?xytz*t`R9ebfqy+tLGxKSwJq`%y0zG| z;6DQYfhOzq%ltdNkY=hFSp>;wIw5RUGiexNzJpPT`WRBD#GU@A@U4HD(KSfT+Z|b{ zEfos&I@AQ>3bE$)76rP%2LSrtt-I?W zThS}fSo&10!u0DJ_QY40w#&&;7q?;Wnbx2KRu!o5^HOFN7wmqz%>GQU`&nT3lVJPl zGX0rg`&nT7HrVP(ueCKeD^CY<@|UBj*#@hoEY zF-{mt*BjjeJ%ZGd(@Y~=mm7Q<$tsr(5OgiW+Gr^_@8^Ise18ciyoc{i4HV+??{a

T@E|k?LmRfEeb#h8};Mg+OO5A z^Ih$(P{NE(y9GyS^JxFDOrZ?By_}3x(uuD+Tg{`U?5s*FqfoRu5Wq0oC1r5)jKX#) zmN;h>+TLp)HFtJ8uUpNn)*+QpN!W>Uj+|msfHcgL{7XltcG!o^-u~fkbEhM#LeaI{ z!C}k&hLhS!kadptlC=^kSkFy5p9KA02RB#WN4(sigpC~eP_dHndm|T5zoPRv zLOrWl#m0T=O;#S((P%u}YS6gZFZ`LE$*P`+7O(%M zUgzcZPOB{%ZX)sCI;*+c`K5E9$A8^9=xkux2Gd{sPGxSjUN(<+j+{cvP>NVyow7o^ zkl?>+?O8zJE71m~WE4oZgE`pJ2J^f^AY@`&QNnK(!p6C6Z)`#K#)+08A)TFW7c!_> z^GOY~_m2-ZX&Pxo%_m`)7vh1`k*gVm7m>^4Lrcd8KtGWJzT5|-I5a17_$iD&?E#;{ z*9dh0!||-Jqe=j)Rk?A>NmB}o2j^bnJ7dS|{k;?WBnLIW)f4G;S1H{c*m!}U*}EH0R8L2>*3K+Q6b!~|Nw z#g-Xr)yIDRR$BsSs-tQT4ZIIf=jk#fh7sEJNN8#rh_#+;D(WX^wG-(7>FLs^v-&Cg z_oq6{ObWCFid;3v^C;k>ByrMaM%LMxwH^UXO=@Or$n>tMP&GY}^7{R43a4EfH?N6E zv@AZY=Zm5)YD=f}`ZqEDfdAEjm93nXFtuDi`K^8i%wy$rrBal@fEvE}YgrUuv|erR z!JPnUUVM_T<AUYjSx}AITGO(*vFUizh1H4$ za$TtEVtL(dm-?dgYk{I;zhK@*iefB?b z{WPo#z#3}-iZcsRbCXbwox0LNX`0*)9}O2ys$2ysp>CoS-`0p?a?8H>^mwe{t^!t`Evu#t)u24rQi?z zHb+wH@Wp-`#cq_HPKVN573&=z?c>o;-|{!7YF=W)d~puSGE_PX>tIt;!kfQt+bQA@z9o0A`F5`R7KiwfTC#L-WMHWXhgSQDu&F z$`PczI&9HA(GU23+X8f=1p2j+d#OsiNLDZw5<&K z#@vH_PCeL%ue}bJfxqyDgaO8Mq^93V!2DNAqAq_z+L7JMBhycyOTQ8V95xSs?dW>x z%3^TTZsacmMGO?nvzU&OF3)lBqqw)Yw9E>%k5>r)x{@TdF{>9S+ljKiI zlk}f|L5gZ^pIf0n&!6g)=TA3sQWA-2S|}-hbY2|eX|R8IWaXMfQ*N)hYXhKflZ&Kx z@0Fd;DW(LlHc1dN$&@)h+_CfF)8twBlt{udyB)(}m@m#zlv@49R9o1}d3Fkv`0Fcc z=bA4&r(=$gRH9Q((Z58}1`0M`Zoj20`UNRRuMdGe>o7-UzN{QGPAA2b(BrkfH*$x~ zJ@|p?{0mZm(r)jzbocDe{IG6wOgCO@*Y@ya8pbP)d%|rQ4h)O*DdBd=m&h`fluG~1HQE(86_ICGR%QfVGCu(M;(*zq;2FZ9Mibv zoyS`Eh8gxZ=kjGi<>@DG_-zaBRKA^NO1Ush3Y6$}y5kOW`RcbyWh_y@RjS2(ItlXG zoyF0VYd$%z?|VIbQ0YZum2V|+nSV^8v93)Y8}bG=QmOEBL*8SpRQiB)EsT~zS;|i) zZsgF&5XIqgTC7jV3qqAlzcyI?xzUWmo?@t@@C#RtafR!#kA@6+k!@vtEoqs}Fq%eYiamu)-QpPaK9>xXbGW2VM z!i7qsVv?JhPksq8FCg?Tq9@3F$s9R7>bFddOyNkCG*e@JLf&}Lmz|S8H*(Ia+lKkV zoQp^&)6Wg-t%{S?*G5ji%5Cs3N-^(n8|DjgP{6O6)E_b(J(M|lDq$msR)w6wzaRyz z);dE<;-4G22nOa1%1PMB4ZVTP;9ro^yHF|g3sUrQsg=rpQR5O>IZz{3Kx2YAnuPY) ztj~>HY_?CV_D_7}jr^Wn#Z7?{nnEec6yL_USyih3+Q`XATa8`zH{>b`Xd!Ac%_=3~ zyL8i~nKr#N5+hqcKz7CIkTD&UQ@UQ1bc1B!J*F(xfAg0(-i0@VdR!?2nT+f%HwE)J^^ zkZubJ`W8~!LJLN_U_mJtEReXdXu2w=j613%RAo`EUWOAfMFq9E&M$RJ1etl_st}Rm6S{Nvss@dr-)gl&t4%lp$1fPA`=jadn${X+gTjogjF00 z8(Pic_8k3}uyTh#WLbG}{k}ebX$w3geh|vdoZ_`O03BMub{oqWU4n~csbEA~hraj}8fkC>A z1wKZ>KI_uQrut&HNc;!81!*}{3x|5RZ(ba4@0gb+Jn6ExxU53_iTS-IpQ`u?4Ce8{ zFX7fhI86l5oJ<%Ng`5kHT2RwFb;@AxJJynsBY@0R!yN0qdqG%_?I}Hk^>N;CCc2C} zocgEa*@M-%!%`i>^v)dcs19Kf3#}Jn%I3L);jVG%42$TZ=3D>0Lg& z%SzD*@O<)4SSO{TG-iTKgPA0UXN+v5DW#|9P*S0qCPNx2EE=RCVZC16sVip|w}~9S z%+K3<${yT1%~V)$^VVd@`fdZLKpke56V>r8Y@{B(Z=>;psD8h^EZEr!hx40!H@f*C zKHiDbb=|feoI5;CgXNT|w{sXbT0>j2<94n)gn1qwrU6(TmT%tpKqWOjwr|{IYXV7G!eq3v>19u_nyn zh~(V-*7JeKWcE3bXfxG{f+lCw{<6DBncx#IBZg3^PfY{Ybp`B43mFY+Kd{ zkydD)Rmn}qMjO@G>?8?{iKWKl|H#hf6Rmezd%rZOBqlV>wC9~sT?7utPS$xrcTF+r z<{LL)B5k2+aJ`gPDP{giYVc&`D*!cC-!bR@Cov7MrItDayj==zBwipr2UU{;kQ$<7 zPp4dhNteSRhGf8q;=95;#mysj9GrAx<{8DzG&!yrX6c{K}h1h~x zo@aQCeV)*sQomH1?5A+@U914g5*mc10=`Uaa z%463A{!8id$6Ai0ut)+2L%!5f#eW72zvFL^3afs)J%ZYjB~Xd9`$L|aGg9}+_F zXtD-~TPb-O+ndI!F87RcmQOv{sXta-(=|(vJh3x`wJ+?tu)c|XVPU?z3G8at61(f^ zuop>Q!-7DXph?W0it1R=!qs_k8L?PmGD3g>@jw)EXq0u>uc?@PaM;@1-al>|CNxJD z-aY`3O8c=mc~X1!=gO1X^CxArt$ww4Odg`~I6;qH{s(l}M96;ajRN#i8KdR=KE_wM z3DDV=h;QSuKM-WIE=qW=wQu8J(1|Cy;~JOg&^kxE@2>Cn(9XQJx8Hh;${cIC-^u?2 zzmNPe{(qh){Qtnm^0P<(4}XaNheh#YJOSovboUS-84QO;~(p)$fI+u z|5^WE)BL}9gWr4quRxx=|DUctdH%Tn|A_yLn52>Yu>KWZ)*pA-f8qY;wfiH^|7TBD zo~6$J)$bqo{~vPx11s8Y?ckDQlpy>3$G?ZKTRZhlKOFD3>-!@Qm~HXA_6+&gZQyCg zz_kv?QgVW~f$lir4O%)Zic!_c8$^?Ej6AZ}MHkTk#ES(m_mglq3a;U-x%7MFQMo3L zBEjl^B=iX(ZOmSmWFH4nZ_@YIa@c+1w&8|dpTwg&sW@pQ?)le#Ums;evxdVQ22EiA zq8jK#98)N6qshqhzZjG2dfpn)nh;c6g2z|}WA>uL9DHZ8CV!09pj>CX7B8=LpRZQB zKRmB=SDr0bx~r={P*W`qDVJ)FJqk;K6?(U#=#YMo8}D90Sy4SS?M3H*_q$`+9(gj( zZdBAMcEUKSa|_f7m}PX#VR3poz-Eu#efeJZNp6bi#pIGnF0bcC5nzp4WP$my_((O!R()}|p3A{KwId~srFXdne%|q~ zVZ&ep{Egny%~u>>b#N}Nl-syF?sqsiK`I%B3INXiR0akf)oJ6w@WN`+ge0Ie3hm1H z#<$Rq=noo^j^=j~@~*wpMaSJ?Cyu)BVHqj*5~>^O%t1Rq4g_PXg|Wg68@9Ff1ieYcNmSS6$&Zj^TRlXiTE~6{ zkgqnWIu87va;!%YKB$oBUXG&4u!2dqMB`9Sf&m4b&RGPFi1*U^wCq0mOPO7ydo{YR z$a()>D2UnjmAMEmqIuxJ4w+s6<&m?R(90#aCoB~#r2OcRc1p}UqMUP}Fufu8R2DHd zBj0L4!M_J@WHGxG1{zuGdPDC#=m&uHA4SjWcHl%9je?#}A7mZC!PdkD91H;*_QP%m zcE@{k0N?R?gCL||NJuEm8zK-T=n&=jHS%td_Q?wP>l}_b`Y|5gDyxLM#5inf$w+oH z3UFIFg)~uK%O-ufZZz@<24q7^As)!M23SikgI$OQGqnWL(CiYhm-a{i$dMv1Cc}C# zMA!Jk^u!N6?5FB(mjZ;!uMX-L#2JePvlt8?Rs}jt{)#ACa-yorb3x>KNUbKlVC=4f zI^&#$m{Qgpd`{`d>)e;$|IjF>{`Id$5A*-L@@(b#qyOiB-}-+=;om&+zvYzt|LL3f-~TuKzf(y2 zN9XU4&fmYf^Y^q&gk8ZJHx+-ddw3GaJi3T~bP+!VGbM&RI+1^LBLC<_{?Up2|9}&D z%XgsdMLtdc{wQDaRw^k#KRTCxbT0qsT>jCy{G)UEN9Xd7&gCDS%Rf4oe{?SY=v@BM zx%{JZ`A6sSkIv;Eoy$Kum;VoOE}znX-LTYOJ4c7dt&OQVu#Ya||3h5HJ6fw>=r7)Z z_2?}A(OLZeo6h2azOBv1?zG5z;S2ELt9z$+sJ8M^pY=d6+f#i;4c95T^Azzl9oE}` z@AX)p>c#)8%lawPGKbIl>^Yj|v_6eL_qwkC5?uK`JlH!^_2|O>(S`k^3;RbG_Kz;? z|4UrhJBP)i5BoE5b$zq9+Kr+cgNz0U4!Pxr3l`w}1Tav;2RsIQMJ1#+c>*cX?$c;s0m#+0#e=KYz%7oh$F! zx7=0Y%N}X$chKP)z7@x%vP{DNP&wzYb+GemqXbMb`DX>nC8}?blO{O8g#zcCFLWnx zH!X`YRlUm@p!7sMH`Mmg{=q?OOTgXZ@Ca4L4v+Wt@GoWHkLHVg&Uty*YW-?X-7_C>jYeZU}Ld`X?rx+{{!S@`s+c+WJPd)@b_C=-vP(fsY>$=<&PVj4w5 zaXubh#NwauztMRQC}=#M*`hpRI-%1Tz558Lgnmq}b6K4z>%deW;rCL!BOcrsHleJgu@CO*<}AyB}V>uG781Ald-<8Kgj|vmngk5eG20Lp*e6t z$5TM_w)=zTcl__2-tm+<(A)jXrufAa@a~rWgQhzA_fB>6@7c}RYm|#X2Sm@m@FxAS zsJ={WaypOLx$^@nv5Vq|R+3JfA6Bb}u9BnM2iHPRxDTwv4z3?s3mtI%^P!dSV)no) zgD4DO<2h~@`WXM^@&5OpdjF$HGsJ1hcrzF`RIKH4 zad#99l?%`Y`ueXfKdCN%Ut4~%E*8b{(Pm~?fIrU_767}2UhYHma(@&J#L*}k__yN6 zG5y`>-d={2xCZ_Gsm4()6At(j0R%9NB?skmA^@nc0Oa-m7Qh5@u;fL5jIpa!d`r}U zctw#C`r=@6-VeHB2aewml^vjEOo^|^D?fml6|Z1j_yOukC~XU|T0vj@C2!1uL8bp= z43rw8hySrDnmyF77i&Pr5||lD007(*~Q53`oT5y%j574_bw7nCq;6QaS6>7LdUi*5X~!af%nCaSL5+8UaQw{ZfpupJv3ufaFIHgsK7E*;U#BxqJoP2u*d+yLPP2dX^JBvp*#koY7&Pe;FCQx8iqimW}cFs=|(J$Ql0$Q7ZO< z;0(QS_X>4jBdGJEDp!@sx;*qF>^F+JBKGGEMhk@Y9t^(0`nD7kg}5siCPfZC$2|ii6Rwrm zB+Qz3>DO}GFWZg0$mbUdVLzXv@UmzodfmWIVzAMUPU6VN97D42{qvScXLyYvkUddg z#}$+by(y5726Eet!=kGuE-c#FkU|&Kos34%VHjN$!awn3NHGP)n;`5(H?cqnaSail zLv-S*(~@0scQpuuIa)BM}771%;nZK65|0@cP~qPj30 zi4nss^dkjM==+VrigunWO@@etMX6f-_65J!!3zTUf*i4q#UFuwgoGI8uz9@pGwpElsQ5O~|uCHGYR3TM%M*d+*horLwYR zQOgRjE^jyyZnE%q^Ve5zw)fHn;rO~?NUCJI3>5H93Azp|OPrj2CD%3T6?B4%V3#T; zwZf1Q26eB_-!$v*x`Upm*Ef|(C)>r?lFWMkw1h5SA$6%xKV7L8-zjK31{d7zCAtVk zPxg6bVfD!dp4YW;bWUAN;L11mRkj2Kme_#4@AS^<_B%Zr)l(3Zv)=+c z5it>a(3A@R)e%aq*YBg9w>_(>KNzt>ioCF+$tp6B98%=0jpGq-x7<00^&EYC}d7wY^zgibA zKMUO6igwIWSQUz%FV!NTpi8xrX#ecw{KeVH-~Vz})>f2BI+)&Tz?eb33xRojX$u-)n+ynOmZL z!f_Z>{+qr$-C>_Js5YeBQE{XT!3CZiKpkMG5SgwNsa1*^<#E_3sEJ0Vj04247F1n{ zCDYHL0z#ouM3NRV0Z>QZay55;W&pOPiU;V-{z`i8muj#{ao25b(x2{!5B&M|EpNu| z=Gk}OWux9oa($~u!)XWykQx4P$nXyi=r14y{YB@A^jCiGzxWINjn4nBiNdsAWa9qR zj?6PH2}VhtPh3KuBMw=$R>9?Ctfi{rms3))EM($Cy|J@%%KH)oI6sC(BO$;ChS7j-!L__t`RPxqIosD%&hUoSE0}$# zzf_hnwZ`JdA5UBRFLTFuQ(Mzy|AZSk!yob{b0(A%>67N+tM*wg_n8v2Lw^um15-`n z_;_54ihPqqs1-VVR6|lmftTe0UomsAPvI~P$1&e~;BtpI5-bB(&mr7C;lT1g4E^qy zB2sRXoI#-EX*{~cJ1U%Se2es;rx6SlW5vVRS^U7EElE1V(mE+s;8Sr;UEWz;=M6bMs(H5 zb@@+DaX7@^%;Ih&Z=*RIXZxrp*oCje+ANB8ByN0;Z%5b)eJrvZ0XhjEh%H_yfTjVu zK@CaKT}DW;K~PGvDLneZYSy*aroNHIzgP^4z6CF6$_8{8yz`J(R;KI zN4nq<6kwDw1SqT^EY}SQq@W`73DAs$T+lltk|gYn1>9__RlTPfM2J+fFV~-ih9vXC z&D)P++{cQHk&yffC`{j1a!~?N1l-__o*DzvnBgco2NwU94hn#0bqE+11`)ll*+)bU zW*F`ldq~Ej3klnoG|cn|r84xUS<7`9fs_lIuI<8wog$r_p4QJkeOedrb>db3*{uHU zY>mF_r?qaOUW-tEf#NX&DJP)&9niy^9z5h70MR7oqr*cnve)nXeWv*}^ke$oa)49lMkxn4pVVMKbui>p zt(RlZT^uD>(J1n1ii`pS%%@^g8LFkOt-O``zCQ#OfHu>jc)9&{x3wllC@cl4)e8tK zX_BE4n9q@TAN2b%Y>V*?VjH(hS5Kh3HH=(16!{VPO)aY46xZe158QxQ6)Vqhtq&(W zqY|ZRIl?}m&hqQF z>HYudv+q})JX?N>@BdGqJb8To|3lvYg%u{WiVsbaZB&j2)KNtbO>D_u6V;`vdRK&> z^eijV@B7cItFXWo0slV1r~YU6KlKayvHw*xf-^$wdgFfvm+$>xTp_6DlMY38Irw#Z@6}mFob2jj?dkpVb|ksH z#7xA#&sO!sH>hPA?JbBc{#G%n~8;iYt0Hz-J*V)4ZzW-y*&w1(3$rt_|iB11y z>KNFBY(>A@NBDk}RMD8Gpz(*Q2k2+4Tg?z6&xeT0Y^SvnX>|Yt+{`nvv34ImOD$kA zjRX%=R6#Wre9V7TRGF@*GDA=0tc?2*2oPf7vme9`2I$^CB5yD7`{1y3*!sVcj9`M? zTs8F{(Ir-MAl92WP2_K{NGX69R_z;1@?(i35^PPjR`jM++;623J6A z0pX$7(y3ZcRW<)Te^NdxpP8l#tMFN-86+b9y0!V&4tl}e!iVGgW-#ET*IEoLj?-69 zzW!-NpGi20CwObWf~#B??{?N)rd!8JWnG2gP468`hL%pn63Sps7o;Sux!Kumzv{p) z+B4JAi+mRTk+a_$^aDhwXQ{J5=LzgtSo$MbR!4kF4rXW(2f|?!g(Yj&{ z>@OrrEIe7QJ%_o4qY!m>khowTy4ypMXuI>W)jYyr-ZW+e29=Jt4_hUKA)WL!kKbZ^ z9u+)|pkdJ$E!gQ$vapP&Ei}K=goAf#E|8joxABXKRN8xbbh)*6HjYcJ}t)V8Sj;)^=xif9rUsRhICu&(b-( z?(z_?_;&30iZDUqNrll42u~n@-9n0R<7>x-aONvifI-uM*PQj-Ig*%UcD-B)t4RC! zRr7FG0TqdDMv?s&?fsqBQOhlpTv0?n_`BQOmIZQ{N{;O%;?wU&;iC#WfS*;VU3-VS z1SjIa8v#zskuiuCpc;QGwds&M;-j!<`FGSr_XdS;Avw-+B1kq0{V_fnkd|Wq z#=DJaHxbiv6Kb|!)gcF-?4>{HU0N0`;+$TA;5s+PIG6w*)B0n*rxz#*qGdu5`a}~cSbP_d#fw8rvh!V zfGy~eH%{0m!FkXR#vt!}W{Pf?yzAqnA(!$#7>f5HuB#T8%14Qqj%%bQag{^mNbNfdf>PAr2jMPT z#v!TSXn)#R%IDXW-i3N^Fhz_}n0!XSml6`bo|%+x*Xv$6S)5R|t-Q#SVb?086NZx! z+ySf{nc!4Etu8s=@Wt_GQg5H~u~R+Ym}!9h9s{XuyenWdT@>l@Fi|#Iz)*Dg_}ki2 z{o8NhV)gBB1rq|R`t7&*cey*l>S>FwIR%qe+T6@OBav6w1}2zz$8(>2MUJEd96jwB z@+CD;r!=Y*yrt7vKmsL(7y7gbLV#*Ch80y|;a!EFGLaEQR{9d%&;o|gWFT7cMB#g) zPwzH(UIiByJ}R7wf$zcLkYrVCoF?WkL1fdYpQ6}UaI3Ys15{@#JC`;lg+zV0i*v;$x_ECCiog&0rOsUu9>dI<)>tJqS(q$m$AYdI_;*roKbIT%PIz9qUpp6(u8krW-(&S=Vz^| z%G=wW4Hv^ zEi&gN?aC=|6qqdTHj98vzt=F=E3aZxO451(E36oBV461N#V`{v%-msXXTP~MtKr?| zt8KWswvJx!Z_Vx??Efub%{ng+_c4m^-e2KkddvGeTb<_N=IiZWTGI>3(AVu>cVF!9 zOc@4>s4&(x1}C2m>F5w9qj}V_D2<5*OdLGlD1e5d04lgp&&Q)lNMuet zyrliZ*D*fr>F$TjJ{bwgQ)YZMiYAv=T4FXrH6*y#MHk`}_@k~jgaaO1uH|eUl+(h; zzqMbh+tGK>-kqhA0-w;b*xRT1;R^!3PQr=lD6)JGjGS3fjA*@mm`hFPQ4?b%?;ZgD zs%tj$s4D&_@Tgw!;R(q-;3l;F7WVVN#}~vHb~K69V9yLj7gw2_=hw+B)Snq4$IIqEH5>mx0SSN-VRv%EO3NgXBS zTpg~VGUBFGKt*+Rx?A?;)q@rNVspb6#hOyvy_z8Se0&wD6vRf?6!Z|L}ry0 z=aA^eP#0P*mTMfUb=>fBIb5O6WjN{ddw9F;bgw(OJTfVV!Byd8X%sd$`6q?VfKU3H zqs;^}>4mV{mGAb#D!0WYwi?iP zldMk%%GF=gY(B&KMd}I$siVozvTt#21D7hmi!zQ?jdTO;`ql~Ry zFrfunMZM5p4KiNg4c7CA7;mpb&^i(t>^4$m9e9^Pm-d`xi=Z<)-9Zmk9g3!%qJ_lz z_@LYjTs?;NH#MWBJQ}#hkn&lBfxUC#-;hR5JUNfY!FXbnwNNb;ZW5?q z3UmZ*GXBA)inS?%gajW9jQ65=;dS4~eGm28ZV?qcBVCp!2nH7!<2wwb;{L_m7oaU* zFPgwEsZuQO9w`TgmvGU8&T@S34t2RvjO(YRlau_r!s+SR*=ZR=tF6>8$t<&tcP}8m z-g$KG)ANo}m*sHbYAXVE(rvPfUgf#n>^3r*NX;E8+x9&vo+9}_KA(m1Zu07pk00=$6BIOo6b6Gawc)8t zy)WDH!rL3~Hob?9*jc@nL3YWyJJWjyGVpi}$Ve`ouq3z^U!7SuiA;{u47O1$n2#bX zF9T^5XH->PbQ%5&V*bLh~&L{smP zaG*$8A7Z#aWsIx_QA?}2qSKKR7%$bB*JFZZ~$cf@0XANTj1Y-f8I?4~Cb?CDB4@J8=r zr3%F6G(bdrV8oc=1tHcS`I3IdrI_^s+?iUyNO)TM`MPVyPC}cV*0_%5%`503dN+5&*K6k6?C*S;B zJ1fxB8T_vXQ^`sdvk1JT|59zdg<5IJ@!HErHVFiO>>R_N zldV>J^KhG9X9;K9Rk$>~YHj`e`3Rd<3(-BmwbSbVsHvz`#h69NywjlmpBlWZkD){T zGJ~Oa<3K6CEA>vhDvVTxU|OySQi)k*&WB$0NJ)#?a>bBxZ?F-3uFz=4g- z>3jdy)WZx@M@}6%q(m*B6w=FoS-po09_NNl1E$X>vaSXEDYZ5~u%6FLgl31B`1HXY zg64o{x%7KKV~W+4XZU@~GZ{vb-dltYF#Mrg<4ZO}5*K9i*gLaJ^|J8v@{Gt~C`Bwa z2{3AnEu|CZ%|;GlrB{Z}dFKlStu|(PS@r%EGE zrSo4#e4Gh)J0On%6!5^DFVghZ82jIkMh`UC#mG%g8jyNnvNz_sB_W|4#J z!Ksd^Ee7ntIn}ebQwNvmNjXK9F%I<~NS5v92&W#f2D}I*O=`&OSXWMw3dpx1ldW(G zuoV8&v>|JflU;=Lzehm`RV&j`n{Ipy3k%t&9Sx%*61}kKlYK`zY91Z8>40tG`?Xw! zxmN&+{U5P~o)MbTM&+vuaFD2Khw?69Vv}OFI8w^~XpMs-@kYuZnJk-;ZzMGsZB8r2 zWaOgD5)J~>DSM65#;wnKBpxBux@RQA67Mort{&MB zDD5JC19Qi1x1$6lNm0jDs zEm1R_ekzLnG0LblR-(vxU<5PDDJWXQG!MxLE*i19qqq*}4WPs7hj{-DQF-6vD{7J` zCFW+zdO2uG+^bJQmn|F;%4JRlX8%D#7X?AZH zHV#N?GW$^(at=mOZ_@QG?6po?+RRFRGmCU<{KI?iP zM$@jQ>BAsN=I%cRsFx+AO|xj=G?JkJJm55QE*SF;K$@>4h5@ZZ<1Q_qliAFW4*{5j zOp7n_D;@R2wa!bu!e#H2Homu+=e?eCsD+M}owJ*r+Jr`YkLPa8cBTe@N#Tk4BRoP_ zk-(Ou;%fkEk9pV1(GNcUk-O7QdieXh#_Kv1U#x%!WF%OQ!3(yIso-A#+ z%oUQR2YJSgqM^-lD|o087tonmA?s)JSjteXc|=HhbZTrFZ!UN;D#L_YHhX42>9Er8 zFWXzK&i2dJPMcM5rPUrBY-q0|-C8ReBUJ&AGEpb-A)eIi$uBj@$<<2l97zyB>c+m; zLsHh8z}33T@6iD%S&Hb|9|`Z0tUALKE6os;e+SYYX{C(&NoO^R zrdUzG`OGoVX!GsIV{$CcZU~%dQcx7Pb>-lXYbOze=xr8(!esD}=N#_rC()VN@^P3= z*Rp8J=RKI}cW}1$^Tq3f>hW9gKE9%%9_+VKUzN7%a1?}N$$XD4{jp^(j5-J79=oIn zF2v>*StKBG_~TlxGzn3AlvB$|FHNZ4XBWt&^|%U&lwzhPRv|-CYKnSPAuG90AWN6=Rco&W^ry8&igc_Pg1_iYoKyY7@RzTYBBCd{S7d3$8fOSm zy6fxr>3pM8gpbeA@A`2}PF*nW$;ekO25s{KG!PAqpa=bDgkx>QiAM=3nXxAmG7s{# zxez-Ok;9==V=^QMDiw+(63e?DIxZpOLk3b@{H6%!%ReTloJ$J4>>@7N{jvW6vn~U2 zG}M$3D5eU@11mP;NQI@nJ1YUOsuWGoI1*a1{XFVPw=S%LXC{-q87WyK@(eVwc*Xsv zKZ=B8xmXikO-7e2ZBc6m8b&RfTN03>AF5J3>0Xi0Sq4Z6;`b!Mfl}pK&eF%^!`z^Z zyl7cGYz8)+Rniqp^uRS|b=QU#U`eHK0Dy9X6I*}-xx1})8y%_a?7!-~+){;L3z0w= zj<%rRSkB=w_ETX6kFsVP&Mf2z-7+h=#cu?2juv7Q0v5cuGXM^#u$p6!2&V~`2wd$h zCk;~=2sgwnbJM5O+lGO#30k`eld%1_7FJgy&yizMYpgG~fX`74kS)S8xmk3elAS~M zY7q6rcOOJy#fZP8SSD-o%1Z4uV`-#M6s9kZF|73Kz$i+FT5#?0Mu2n{*Bo7BsQQQ! zZ!+X%HYI4IJ6*<*FLa;;hPMeUIlSejni|3F<74z6*C~s>L9uPH=KX8ZM_{c#zRO7m zGJE?++naFl(rUWqejs)0vPkGj-W1ETJp%jYR4%B<&xO{~)srxuoEtN(E(bPph0yqZ zD3Qo+gU|_hFhBr&w(NIeXeAs=C;CZ*;r0FLCpFyYl36@p_uvl{e6jzwbaE(d@g%-O z!*}ARKc&FrWQ%CE(a4|Xid?=Zo!O!yID1!dMoH)4)KON51Hpp;miJ;ZB7G~f%xK)k zE31eyJLj?*0RpUz{%bkq`@C?nd?rq`2cNSXIZUref9rgVs(T156(&~rc8mU?u<$Qf zSh-hHh1GXB8Jy$I)~WFitO4W;ZXoQPL255zMKZoajr#!}ftSPxRC`#V=buk5Wd(M# zO&-OJHwLlCTlDA zGWhbIkzCH{6=XU}GHoZA8-P`{+DC`md#_;WQtkp*?sFH&US(8=wc7iG{3zzgk7CM; zqUA)fVtcM54uo9!0d2zhmJWrP7=P1%!7iS$_j5KbJ6SnXtggW)b_I`rei51nWG}|f z`sJnb-(|(~N&IEU|M=%ByFQl6sLaTQwR=>%r)yJAW6cz0M8=~3prTbKH2jlN{-G;7 zlxR%{7Dq=WlDf7I5BCpCCzB9}VRRV=|3sPOklpm+6y-P|0`A(GAraVHmt>x20ayB2 zp95aISV{OwFWBSMR(=_Wv=&UD>93^L*|c0{-X~a@4MZIXQ%^Fof0d`$lxA{DPPSZD zjcFdjZZ4OzUGk%+ZeToQECzGRupyk;ndFZxK*912JIEaIlLwj_F?*Z=f^BG#rHRo@ zd~3f=j!8`smKvfc^1V+EpraxCTh$!|9{RQPE>FuugkTFB(o0kk{>6n)hJnDhblG>j z9whgK1el7QSE>P`H1f;XB4Qhg+buR<_W=f9QwQ~=i}#<#8gp*9FeAvjF*YI7mg9{? z_3#M-P?&b;=OEQk`8^)B^pB#l4 zfIOuDPNJ(SKFxWs5Q>os)#WV7R`T7G^l-9FX*Dx437v<3l!4%_ZXfxNn*bfI_If0m z8#O&r4o538ix&U_@uax65>zr}P@l^nhKB_5vm zm5fxwR+QPorh0KAfJ%2vR#5plsTT01-W(XrgFHIa(jn7k`C^#njzNYEVyV@|B}dx$ z$e!srmmTpJ4tK>V#$=!(r}>m4ek_WGbeVk43dJLR6#}`o3uIq5Ig-pc=#u7!zIuvM zL2^lDQIMlVyVL!n)|%M7Vn0>`k6*sbokLkF04;;_k0L`tkF<#+`7%BjMb`mTWUj1F zXQuSITP5cRxSUcA1|6@D6on>bo>{@w=wDrbb5Ub>d4_1 z2b1uUOqACIT)@#f{ns{vJZv8RO4juaj9DNdcJRu8giXT20dWXR5>_uRE{YeeSKE8Z zSNLiA2w4x$5>9JxD+whh7v08#qD(6$Fv01K_9-LS;R|^PmQarmTMSrP!S5dL0X1e9 zL)-16+*D6(rk``cmmN=e9T7tN9no>7reOD1aZB>moRZ9RN%AmJ~Rv2Sv=xhJuVh3)tHcys-Lve$D`8M~$1Fg_5YOsL;ecWHzgVVEllc~kgDk?t@^ zs`4&!QD7_h4|t3cxp1@c6lpHg#v_Msc1(l` zGD#c);;oK`Dw!lro$}=j+Llor5u9Bc*NI8U8UNQ7KS6UX53oj29c4vImZupc%U_&) zxC<$VyZpg!dx|`XMd_DRHam^o(f0d_BD3()b(Jzp^9Y5S6vD^S^hLiGLEI$`3DQ|0 ztyJF{7v6hsrex9oet;*>CX| z{HOVL>&ZkbZN-!G0kYLSsgm05PdNSnDq_LGigW|RD`=nVP|@@aj^j5dh~~!AD+(ZAHP152lhzHcuw5Pl0Zadw9aFrsvqhy# z3Jg2-BR34ta7A2pyO&Yf4Xp?nhLd#euU@x98q)00+P=JM&^U4ieNy=7mcOIM&Zg&- z+2t7g|MdQ3G(?s49})(Y*%RWTS`_)4H;O|tl77bKbrzmccZzPL_PzS{ttKN0x^9sM zr?lWe9CljStxoE;Ga7w~MBi@I5dDlssdS=IOe?$9?`?E5(dOoiCO6Y9ZrTlQ%Jz_t zLJb4*(*tzoq#D1lshM5ZId$D`E@aI$WhEvX)50-} zc-#iuOx1*wI!`0+z?~+XEMWrFOb35TMACdPSaZ;ZoDUlfQUF*WHp6sakhS!DCR5^~(LiX3hxqFvZd zc(ZI3-6P9!*_-wP?>Gpzd|spCFUi|CwWsc;*c8SEs_PGB=Ha zBIGVNH*2gPjgsEY%_=#rz00gk!v)rL=wj@1)*fjFIB(H9%GmpRdyIO6h)Oy)wB`DbRQCWK7Z+ye=U0nsM)&Gnxn7 zkB;m|2Mczv8+q}QQ;}+s&MSV&;(1o%x77Nj@pG~MTcO@t7xmx7(s%V<(E{d=M!63A zZ(uEXYt9<)P#|X)eV4=M8kMqS$%-;o%h;{${dLZTbe55wNI!fLvEK9rO!wyNFCX?` z-nGNBU$SsKOY zj!IwZJ+bwsdH9mmj|9xaIY#P5jW1#GEzH&@q5VrBgf=(eGvT~(T_&V)8KgI_Gq64fZ( zhB(btd$+&}1zr5AzUfyIlV}>qXQ~V@JhZ(9)Qg?7NjP?#^F+xV@m!G+&#KRz0zoCR3%+EHmAunX9&4fm+8dEj1JxT$WGh-9K~Jf|N48W+J#3dZmG zey=0Xhz@z6aVVKft@^!AW}SJ<8PbMk^GdGVP#eV2>g~w)a5E}^Bul7@d9$@}(`2?; zvFj^yGP)1%{neJ`uzVe^uZPWDJXB7|if7@z5s_2K`-`Eg&fJ0?uswY0(#&;&f4ab; zMqV%Tn1M!3iHxN%nP&b;sn(_|KmI7xD>qYDsMDiLey>y(ABCi{tLt};zK2%AP7u9n z7s;J&Ai9@qGO!1LK@NNx7}=-hArOIyvtv99*vyXHQ+JNm51V^C+b>)QGn>q+Fsq&W z77=%ly>`oUuAO~gDd=`HwAl<+RciJ5$M|)d%03R=!*I@H$=YODXVP3`T288cbm&1% zJuwnp=(&AJn*6K&WbN)-ZEVYj%LDpML3;SV#94y%vNwUvYT1=XR_z|#jue42A!zTt zK(5qIPL@|z&$N7>9QSx54vXEHge>UpHHw9sepP>p!pEEb9X|b|;Zadpb|{!jb3p^z zIwto`95j9Y2A0ZVQT`OqY9G+KwtN&u?6dTR;cD@W0&TOe5DtSh>_@l6Xe$p9QcG0B zklt$Gaw4CzE9^90eE8uxGjn)lNrE%gU9boa%h$vf*HSY7$j6*Rltts@R<}NMJq0 zNO_x-@2LQtrTIN4Dp_o73u7sQxPCu?8_{IMk`CUK30Z4)AIQlKy|FqX*C~?1veZ42 zZo{OA2*bw39egJ5^t%;NSSd3%YL&zot$01_u(8xVg|qki!G9s*C{^wItNEb-VSM&NLN2a532Ij+~^aE6Zr;d4NyNa zkQb{Ci~jV4XNICVp=Zj6KtY7jyJqg$EvndpRt*y4qc;~B-*5_QBq%w7=Awlu#9qt3 z?fB!8eF6LdOj`OBdYAA6xBvwMqi&jboBAxsE>S=e0sC-BVr9CHjg*o)0&8#{#qvD^ zc3i_jh2#X=Ta(A1KP^BvY;n|SA#1jfUq3ByKKu(S8jDjERT6&b73UYrDyq-ny3o9x z7Dl)o>!*b{k_pJtkb@pkNS|#5n~vs_gW&TnHHQ28T|I}KzCTz0XLmr&BA-BZM@YXv z{`A|Y&ZnaI5x|<$jb!paL6Uo{olZH|{`H@`F7BZ{*IH%IRMr2gllAox;NFos<^Zg! zcamVgzIh0jH^)vLiRydbA9jYL;2N$I_*ChSLRi@l*zz8YQx3Q~@Gz!XEixniOsujY zeFfCYn8<(E{`#Mp&3jQ5Ra;TUX^vj|80|6B6k9A9M+KLxDw-qm^AFqPHMifE9^e&L zGOIfQdSUg%AP9qj*Vl?D#IiCYORrGc+m-ZcN}2<=Flht*@THhNZP6)kf@=RFWHixo|bD90U!h$3b=|OXlCGGK;vV?3N`J z3qEutf1Om^$iR~OH8*SR#zEJ;dS^lDz5%>fi@w9aE zn>brKEsLc>{dA?SvWNKNPC~vrE4mwZ#$X!ndXvFWR9|c19Ba1tXa>2OR%C%o2^`3D zRwYK3e@BLoM(xKF&!1NDJ)IeQX~NnIdMPBYkRlJQ1tST z8Gu8e)K!PtcMyI)Xws5l8tv912zJayZoZm_(+mca=5wZ!a(fq`1#JfnY)dD*Pus7n zoT)>UCL7D;ocPn^ZS_TS^RMllX8ZL_|M)KvyROi$GW*%Spm4k)KWs?z7gpmZe=KN; zM==_PBOov5DvUZ2<`6wEj)U%`k5U49G}gvKtF`CLT4GBcAbLGA+}2LGbsSLi$-*at z@&1$y-6$g(qoxLL59uaYzEn%!wE&4-*NT!I0U3`83_o~$~$;lT1@Iw`CQXY)8iwHfx zxRGU`Rbv{TfBUW^K_E9+MY2$~$;G=o97}H@^-q6d^K4bkuEc&?leO}1DcukQUJR>Z zF=rl+6vzwlZTuMkvD#@^ROjEKIF6-_oA#qjfy|XdWaX^n#=DJ44T5}+Wcy4O;$u$x zaLw?WoOYYcXBKxa4YP>!iDKm1aw~6iS*!8ZypCX7^BibbtLVn3B1o8Djs2k~-Ql?~ zq=RQ6RE(jeJi2gZSq>$U5Qk^XxYs&twU2j>N++DITx8MLltQq6s#v-N%n)a?V+6}q zw23}#j?kMz`}ozXR$ICr%}OV)HZ$D76h6LaCOyND=Kvc2AH45%lhgP0{Y6YUa(Pl` z4W^gY$GY-KK~B>thrQWkZy;yWDCY_|M^pE(TSFS>xVndQjA;vlHW6~^;ec)w0b(z? zmZ2;@0b=Qz%z(ibjGclc?&?NFdlNp!q%Es~w8<238&RL3g1KEZ?kaDV?O%f`c4 ziX=-*8xNNNOUE^%C>ojOwEDxc33*8R&noEWr>X+*ESkk+lL!# zKW#9h-6jV(#8JXM7#)j+>Jk*luxLQEp^7NUOQ5>T6l2w$9E)4!DKo#$Yp)SqNBXhObELbeM;yJHmw1kM!Huu~2yh^COEtr&O&SYcv_V66 zlyuWPlkG@~nrh^u8Pr-ejP6p~&E#vV9&DIVfD|Xu?$cl-`&!PxOMZIiD$!(QA*?hn zKlg(ttdYo{xO*J@UlZ^FA?6y_hMW{cg&R2Xx#k1VYD7Mmjyj4?Nx_@yn8**3XvaH4~TOGKx?blkmS$%NgAgJk$dZE~QJ=tKsAW;i0@M z=wNQm7u)1N#K$4q5vYuHj&bUSZh{Dg^6aL?F=+2A^{9$?b_DB1TPI6dkI+trRXaNT zwbMcoglVO0?PnUoJG%Ov2Vq_MH&5BG=tu&R-de*ro!uklOlHKkeFGOfb%r{@eit$SjrCVZ{o*!`L^iaGoK z{HZFH=r!Tv45ZA#aAUyj>JlKz*Vyg`S^Kk*5Zr7}W(8b&w%XxP;l`U&nH@smF8pGF%#d){5p_CV4xtK;0aW?fP#50gGAUsQ7E=BXaD3Q#1hn(+{8jg zqfb^l+yJz>zzxdKKbgg;k9JYokydZz_Idsk*jKm9nT_{{!!DJ|X9AfAL?#5>qaW_C z-NABhMcmNyHQb@HR&Ab(ETa9zsKMpuM2_hIvSxXng@WaTY0j!WPu*nIspNDPkSR;G zG*1U+uhjjlH1X1LH+oWAy?!RC{C+6foBLuPE}3nAgjDw#MG&Q1QuQ3|Sb+ed8aGBT zs!DCno;F}bYQ?T0rJd2HvM}0I22;we27%>sX@esmm}CY@&S%XHjDuKGEsl%^ta7(2 z_4zQ>I3hBR$~L9G{k_&!Cue6B{HLsKnjF}yYM7Z5MrT$d1a$wvd8JDz-8j{44&SH- zpm$feyWXNRFtJ+up|)HR{$)27D>Zrq3Vp!Rbv#sPUC2c1Tybk^=B;H=c)<6kIO@Y% z#eW=^`iC7{hBn#u1F373Ip<($bYa^x#FT&z{tQPAY!o?bnzO3f^QiutMWjqAO-#*p zpBI|h_L<-`E6E6jE@5E2tF_e?e05ao*@4DZiN|L?3Rp0Ho59Gv7si=k&9+oHmtnBjXmLU1}ay#0f>)mi_@T#8&gL z;f?O(&kpbY?r3tCkT-JB>lGzulsavrlw4B5(4}9JoDBUt=s*y%vh)*{vKLjb#Ri4m zlkzbs^h5=LQO6s1C_W0w3X`eQN|eI#l9QO}sxQ2PC-NaWbq}*?PCp)-&^gf9cy!w+ zqLpPq4LMYgV_r?bPBd_BI;IYSWl{D2!5&;VsDYEBjI0zOQEnZ2jI}|#o?=kEeo!GDgkeRjNy#`V22mE7 zbI`BGTJqTtQ!U42(h&@S8p`t@-~QAtH;uBHa7B!~kaQQFW;v7E<)5jBIoWoVaO`}X5MChQa-Ne*#kkzr3nUgf2 z00m%F_y=`ri&SA4;nK4LELUQ0^v|C@RTWIZN$3Jlb(HIp& z9pOcaNl9i;@`bGAf1N60?&?^a7U*!|e&&t+*O!2u22&oQsaa-tcG6T>sEUy>D~@L; zJZL*ML?C=4kF-jRsmmN?f$FGp-9^%@(PR2*>cGricDt;0=ckI>)4&C%?E`xBnzjoP z4~o-=DPI`5jW_Co#VP_6K$6ucF+zl_EUe0gz9s2d%JUw_ek{pjvLb$I9&RHOR7LgP zil7}<$t^A{oUl{*Dl!Nh6A>#`+sB)mP}fR%+1%baK5We$D0v?9L}A}C*;~GO>7$zr z>mMbw5)z|)NT8_M8plZxTzfK}*-SVrIO1YyUE*5Ig5g)yP6NL9-BQ)#7a;zWzS2Sjs; z$+C$yLt<9|Qd%vm0Hq$T7il?;y?~6|^Lhw*asX9&QWjFa?1#M?Lojk@%OfI&%tJYc zR@anJZKW5w0&`euh9vbSdr=>5aRLV`N+iz}SGPl;^JR)>N3G)m$cK4EG5|k9{S3Y^ zi$(GdEhmK{yO7pA-rBAM58!DpSg?Kh)tn>KkbaNPBQr~-^(kzRk5b*3w2#Q-X|2YS ze0TbBxw3M4C)WN{NG`WngA=Q0R}v?vAbz%_X8N?YCQ{Y@l&V(9D7983HI5Rg^Kp+) z^QRn-YfZjwIn^-!dj>;ZHc;|b>3qUV2Nl!Iu5{5cudfO

E$!3qJ$AdU9t zWCAh_w|_S-V8+Ssyvt>t`_8cb@Kb-Pqq4LQGB}Vk&-j#Y*~|l;C=-%SNHrH?z+e!hH2lrX;LWC zwD5DOAr1aBsh&&sjQqw@(wRva9p}InLb}f79zr#r8mjm-i)tpQszo)OJvs-?Ozdfq zvC+QAZ`!5 z55ZtE5Pd(q1RfOw9ZI7l(j3x`*3(8V52?*c*p_`GOW!aaD1g9wZU;b+-(`vn6*QKm zEdg84G@36qw@e&Ny7lUd{~+!~aqsV!!=b#;(>o=_W~}g=89M{RP|;{SIvJu>&3JqZ z3x**PdlR3nb!1G;AS8jL1XV(Mzy|PoJb0z?eexH(y1cwB&TlbnBN_6(pI4?nCkxRuqvk_*;zitvkywMtk6e=oy{p3~#72kqdK(d)^mXV0t* zh$zppp0;UH{#_*iQgRstV?|c)Lz=Cfmc`7 zt1WX^*}4 zz8W!4>N5mCK@9QOUfkfdxEvuUv=Iqm$N`2LR>OV+Cy6n1-0$f3X6`E$98V|? zvKp)?Nw_e*yl!SWSD!t9Usl7|=D1`P$R8JD@pn|1A5OyYnl>jV>v|+207U{(0ZU!%l zz*3C>&EQbM_|OJbfD5|u&D83!aGo=_)(T;N9@1YUah6h6{5A3};dt+pS45@J13yE5 zEPuJu=|zsRr{n8+qiBMf0)*dBet7<(y;Y%@*uDph39t*nd&KUG$q4C4BF^{+QIGMd zA3EM0yL?Obh~C-dQPK`vSXcvE1BKq@5?(Psu=js8<~lv%<4AB`r@pVq{- zI*rwti^`|??nMW(-F%D^$3BLxW-%eV4vB`aIpKIyl;tH_DU&vjCj)@nSUHo&c>d&v zrwnEK)}@hWSuwaJMD-uYo^_{8!aG|ZXK7`rJoWUSro1m7ryOm!sRLVHeY(7CRl1F# z2HK!?qi5I8=@%qDt*uUO6!yJm63}=@dNF7j1q{2W`{QmMM_BJ()OvM%BJxuPac*o% z2`E1gJ)(QQsv&LUigCTRbaJvF&d%!f;+!Pu$?Esde@IQ%%t?Azx`Y5|K$pM4p=Sa) zSTs==vqqK)C$Ejzwb88cXKE?UC9BOfJ#&%4FC>K4+%Ae;331u!^jZSoy2;DqxxLIs20wJ*XNKz7}saD`HhV5l?|3eJ;KiKdiH6 zxtUve*D9Fb)=ycorw$h($ga3i_(*@Ng^w!qH+_;KUVL?Tr@Os<;oKIKO9>Sp8}&$w z{k~Cdl*3>dtGU%W>}>74+}yiAf~8&BQS#&r7+$Y`(G6=? z9J8JO2ZgrxHg}GnX;WTgRQ7va-ea zv9Wx!WHODrMy%1J%hNNpEzn(w#wDitFjFt zmx`4kA70pR4f(7&S)@z6d{VY8IdhBBi61AzjKsC8JghN{?KP_T({MYlO}QT>2K|&< zgkv_i$XQwOxEDm2h4lfJI6T_f>b%<7f6?5*WoPyaH{#X~r!FiwMQDZ=k-fv(TRT?W z?AlHdRXe-rG8LgNtDe`F@M1ae@aVs$%Z^=fr}?*EJNt*7z5O@JY|fE3k}EiVw~&So zf#r&eG%%nVdD2qSrkYr)edwQQY{30my|@lyNw*tUL9geNz6|QkIU&PH zEPX^R4VDuMngQI zM^crvyS)eF?TDW+qfD-lbm5;ci6b3_sJm1u16*$mY!Ps;ey39^nemnK@;;s~m&@yV zDxAtX#?I4KU_5p79p!(DL;y>q*whfcK1%LHX}Mx=zE8suU0viIg(nupd?@I2BW3xJSeLRWSfZ5= zsdr3n2!!#vWqd2qbl6GQY3Q6ibpp!@y!yp|@n3CTXV6`qE|%@JV^o%;%1OFR zD5cMNH;?xgTBf*W#d3bwK!tvDZ%74d^WZ?4!OLI9H>A3bqGI-S=L&;Fk2-W~>s*mk zTvyKP+M>E;U-$C4-0VoEH+{N=lIgQn(!J@k*Hl#l6|J=bp>)}=f{5veH>XZp+b^&o z_?Nxb;HNvsw1k3+$yDm_e3dzeI7o|;Y4z-Qb_?R=?2v>>w1{}N+KCT*-tNuE|E zjIwGFsVh4nQ?vbeS(V)9iifXCsxW)jbFQwhdtIGWnZ|9mKvMw)QL*kui#gcYwBY@4${@g)V zv<5zTH6^*6avD5l@ zPqR(us#yiPK3c=%J)GQ-{ZLqbqV&&mC#n~W&zUb2#zyFb)^UY21Js|MA+bur_}sRW z0SZjMDxqRF*|7ZS#s<{{h_iiOS1qG4jx9xD>FS|oO)I6#fa>fej>e18s$5~5m{ zyrWxw)bJc(`I?l!S$WX=lJ?bzDtH7qiDHx75rb;ik7CrrDT2ov_ABQ`ZE9}$bCWuM@oCB=T(+h9)P$Y5nRskX^3U!QPGS<_Y>mJPJ zxH^ui=YG||&??4@i}%k%Vhql7+*=uKFXPURvs%iol)EWoDXALDM$;l7^jGiZS~5yz zCere}+Al^LLG-+$x|vxn{VtkBBEli;DRd#8uk~Os@O!|<`_8GUdZ1)s)PRZai{Ww4BdRC1o#5Vc4S%PMvNh$YStjIidr0ZBmq+06e1&LQ49m~dvo^R~?F7jQ&qm8N(l$LCyP{v7@6*9lUNb{p6$H~KS?bT70*VO!_el#|18gGt^d zA!80s$|^lo6x(`r*g`kk-qOU$LYLc8!y&0@Z=7iIPxO9F zmK>i%0lOgbXfRJe^H~A|;}_HJ9|3eaoLAthlvM5c=ab941Hh>~wc;e?8)H7r^50Ul zKB=Pla{KLWOH>ipP*6&j&XMo+Srw!rw3<+iIwP2a{>Y=KXUtOW^U;_wk&YlGJ%$hJ zMKgPD+SY?-dSD5~!9*GDr#-{OZCcSO4_wNNqw1i(f^1rjNGa3cSjt0lCG`W>QE=*zZLM$A`Qt(KHH>5e+H zaon0Gi6~+L$*6ABH!T%F zFupVk!p>FD77Xs>$Vst{6md>$y@$%+-gpg?^1z{=tl{NgEw5FVrL7d@VN}Soybkd@ z9C4gJQXW&|LO5$0&|Gl5VKx{jbwFSa&eqmW;BRy74FAmpdO%PQ?&}`=^;eU?|6%ne zRd3GMtK`@;a8(yt?t3z*fHmS=CLZbFxvZ+X(f+its%`m8BV!y&4Ampe0_vzf>k+NLAIAfwpKJAnZ*BV!CQVk&jxdFiIiqG?D6TG zMf37d=9edo45P&k%F~GwppD_YLAg7@*VRNRsQEQGDD!1O-j}p{DQ>ODf6I zSX>pH(8OuQ6(uo<$NmtCj>!I*)ZiD1Ye4rjHRK4;aN)6*WrhM9S?!m8wx}iDDD}H5LW5k2nBbVk(;p;=jp7jWONmrZDDPOOdUn+4a1#Mb-9Wpe!Idh-F7JRzkXw@Al3&`xDb~j-?PB6a8 zipegdym(AQ5P~u#Q_O53>G&y3Pq*8P%#KShB@17pi+OVim3|oR+wN1K=H+=%%)My6 z+TIf%58HU00`U?r=~w;JX_#NXBcnX1e-V-BDZefsbkI8jBrLDX6~@=v0220Il4)}w zeiCf<98{}iY1xN*DFwR8aXkQfTtZW`3Z? zYh8vB0sd18F+23aDUTaS!%zMyVyqYZEauR;j!MqOS0n$!m}8f~g&~&;kdn&^^#TV% z5MQ|;cuzuj)*FZYnUWZ5^FE9z8$@Aed^^ODSU@b4T?Vt;Ky=h<)1@Y#Q&ZLJ-!oZx z8N>|A0;*jEA9SNyRE!c|HpK}eyo=E@5W1a2XJJ%Z_7CwB74!#M*koJSv!xiEiDOkB zz0<0YV)&TkUySu*iE&43x1c+R7ZCI}h4Ou+_q?@Nus)SlFrB(6( zr-a!&FT@1kOKdvMj2C=(LI37D|g_FWyi^T z6hCH=F2;?L+mKJszXScS)^9AI-I0#i+hAr#2})506NPy@IeA+B^V!+goxLQUk}ivb z9F&rQwye6Nj{d-V{**OaaIL$;iThTFGx*FXTyHm@vv0eHE*{V9!}oM;y`rNX%rO% zsgGI}Brx(lMmyGWBgncm}$L2JOY{Mp+$m2;$oBM?>=79EaWzZhI`{#mRv~IHG_@Pio7xoEz)YIxK|% zEPjf775u54oGh=vLGFCjmaL$DA7y+~^bKM8by#&BJpd!Hii}d)C&Zt>FBi%1iNTOS z#75<)fWSAH*bfD5W65VD&ylRA#pen!m_G;Q) zH_QVtAh4sbg(M7AxP!e5WK<0O5xr!<_EslBFVa4{VTRD%8hazvVjLx`F`l7oqS=ol z5(UT|EkVffLuYa1qz;BFWL}D;<36o8E}el@&qrgmGE#m>wghm!RJVLUyBojXC(VUw z6=$~!o3Y9#R3p9~Jtfd;N{%9>(+1_Iqn|z%Edzh1kh(YLsA&bmsr^EzuOprk)Qa^O zrCeA5XAPySJyYS(O(QE{q?styH>u?&VF(?_QVm==6qm^0Zovw1GQ&8lKnqY%qsH2?XOaW!^#K7qJaNrZc*K(EO zjqklLiue94n$wuMvj)i!O_i6Oo&Dz4{@%{7j2^&AR#>lzo}@`9%Cs4bW$@}4-TlZ% zKk3I$9rZ*f*fB6*z`2i_g4$U*2?Oc0gRbi+NM6Vxkzf``n@TxCn6Tq!_MspF%EMNA z5@PdqjZmWclY?G4>ome4cL2XTjNg?4{)T>aZ^MzN#VDddu;`fo{M#H}LhRtSSv9J95YaqZKqpc{l z>zpc5@9J|n&A%IW)o?f%Zn+{(2+snS>g^8fk?fcsf~}!Q3Wvtqpjd{eVv)AWFhD8IDIfq<^_Dk z)}bgyodO>5ATbAA1%e#*`o>jnI_|I~$A-~ko2X$Z)JG#;JYRQbKA)>ov+_iak%{KH-r2S-(N=XcfP_3XrmVBx^oG{BjL^gleRq7dS z3as;&39#d<%gf)Z07Jl20Qc7oWHcu!(3Dqmo3&hIN2=NrGCL2@+m&BbYxL%@~y4#QRdurbZMYF zaBpHw@lasY5`03DvuHo^6!|WAj>X==UAe$!OZ6qIWm`Rg5K*?*ct;3@l0P(BqkVR6 zv_(#f#rWIbYD@I?_FMhzZ0WRoYQPr0Jze=03js_tR@I%XXAcNU#c0EohaIfTnhjha z+L2i^zb+nJ2X`;IGg#qGS4^oGAo^=xlr!iBEl8(k<6dxb^7Ps7@^In2 zQT!YB$HPxY`vtRz)6~eHl2Xwc#q7z$%*vQO61y{=rcw_UGoEm%YT^<1?aGSzKv~-; zIOl|{cU}WN^Vu`20jKt&Bk&}|sZnGbua8m_rAwCT44nN`TXp&HIVG3WH@n7U(NJWS zDsvn`6cbEh7Fgz_)RC-5r7=!b`7w%p*Pv43ZANgzw3k%}o1u6wx`}DMtjFyh$;Z>^ zn(^|c52ja}o0USh+dE`StNf(C`3!8*Us zoJyvH$gY7%md}dqdI$f=hPf?WP$?Q=2C8WRiDYB%>QJSrqMBb!Gm5gLX75yxEpjsA zefMEn0ZSnYyI+t@CH^*kX6!sz1^h?^5GECHr%ImK)*k2 zQE(MzF90nm%@Xyc-~X2mW(+5zT8QLJYxebM`dgvngP0fyN5=Fs#$B`wY z#!2SwMF#YedqW2FV%>by?X3gAdhwksC26>;(0_7LJ3FgaQLEIP9?p?q>0@JDkrUOA zsRX((ElZQsI#3;N8057>R>}Bg##|*o1VQ-fjhQH0ut;+wCvDaR@5?5^=_V0P(>eUK z7IAoU?;2(ixcioJc=N?8nSIGfieldcA&dtOHDK(Ew#Vd3x35X{o`;cU#cunTO+~Wp zIcM#t-*GMOJtAnft-a{RhgPUoz7Ls=rYX7h3@+kEVf$rUCd02ralL2-RYSk4O5qjF z@luhvuu8!Kr!yAC4jk|3Z9^Nd>6p+`C6J%IP=xbC?TLuTw|#zH)Ot9&vwTK%rBW&@ zq$Zrb0O1t%`liTZx4)%ea3xa6gbT(7t|p)^G|eTO6J1DOL>*!Tg1&_uDFg1-Blk{S#fAmF1nzC>U(UhGmBN&Wh7%Iv#O zx)0PKFy`9(*a}DX-WPZZ^hU5<>)kr~vpj76Yh{fSS#6m$r>1tK}p~muv-Wod| zP#Z@xYn4*LE~(APLD zlc9yI6*006kEEqWjA4D`hQVh(4G6 zR@QVrNIaH=;!3)v;g>sITfb&V!z}4b@g42OS^+NX6PWadsNJ#$PQo4(+vDw-e#86) z=kGG_aG!sF(~>Z{zRi%N72Wc}u_sVk;JwSqhkuLy_kV?K^*%8v&fvw!_s`=V?yBC% zyNtq%K5r|GLyzAtfnBg1o};p0G#O*e9$+)-tYk^5pM9T{p;5np1&o%amUb(KuRMQ8 z+ePG1ZNFt0#vKYFcJ#mrHb`3ZOM__-|6U`n-qi^iD9IH4~f0VtmxFzvh^;ax;6G zP&-ftWB2Th3@nnPSXD~-^PK(Eq^$TvD)r-DlSzOFI(2@aQ;kp3?X8l9OsYYhd}@l5 z%|Z1UnIM?b8L3ZeE47tGAxOEu{}L_k>prWjjiP~gT6-?g{TlKPni_qzX|mn|ue{*> zR|5}m9;44y)S31g05Lcy|;M%t-*-8)J_WFnulbGB?<&^1x z4(-QU-m)T{hYtS5lQ4?s$E7SK4zxqlq{ZR`wU+XXT{4}s*3aGd6ViM4D%qBxD?#yH z82RBffFbu-q=6PF1C)QuDfu~Pq+)2`vV_`suMdvjcF?@9v%A05N;ssO{!FdjIuH{9 zlFJKcr{)t-GxksdY|@3@oc($JG^;<)pFXq$(&W*0kasm4dP~y~w*Q3)+n)nr0U6Oj zr3z=_v&x+>+OMJ1|EnlH2VM-l)#Z*tjBYo!6Z5%yuwv?+G3BZz8zVkr*&nc;VFb(h z9r;y}o~uY$$L4WK#Q3jSQ&)KN`k;FJ7Fmv1EU}@}l8F1!4cz@EjL0by3AB6|pvuUz zXU{5v-vZKdN!AR2BGmgLHHOA=UeKplDI;_YP3pvI;)OSk1{~3BjpBhbIF;SOHX8s? zp58zN{1MuMKl!)Wg8x_WWl3?~HqV=QQu`ovkXA(LpjF{lpVrRH@?45m_c3%cIj;aZ z@C^Aa{P7%rgun%jqoEY)WZvYhA|mOrf-|hwmxb(DnG_-f(4f=T&X5-tz7pCjuqCt$ z4hNW9xCoqWHz#^Me69ZwgiM#1hO8OOs8`-yaOygCrNNj*KU0SQ!`s=yS7)upRvSEJ zpP#5j9EHl%6-vf8!MJ(NlqJ2R?Ko&z~YFIC51J&!3)K z1K_VTaHwE_!-t0b{HZ;L^6UYJKHyAs;K9TuHA3bQvJ^gQpmz_x8&2m!3KFJpKOA0F zCEu&ZISXd~KFWrX_^cySTdJbE#17Gr2;)sxNR~?G=H2MxqLw52vP5~fJNOgJm@h1t z_3lA)gl)@8VQ&-#z4U>Ij(zZjiStRciypUC4~@~dqrU(99EA@#%96^$UwAr6Z95s) z6UEm7$+(5><=%Fr5PIFNKV-w?9EYeQ7v|(5LU|izU+5G&!#D=80OmNH{RM}?3$#tL z(R0pQ|rMXj*fv9FQq{2kpTTn@pr-!4b z93Fi`&O%OW5$9z_o&4n8^c$ziP;$wD>4fg5z%QQW7P8}}&%J3*^LZ5r0Np)zwqLe( z+U(_dr@8m4!wMw3=(+#otgHi8oiy7}v~(g$1?ig^6)03lHV$Fy1E!Q6bv@WjBOf>c zxg@nEITv>P2#zj&|D03g1F3jBJ)F6kb87)|I#&8D@P&JO@ZUzW7sYmu?$hkkmZVDL z<3a6E@+?B6cL|CuX=+X3%#C~9zML}mSZ1lxvGX~DML1v7*MqveTT=-b4TqV^2 z(PF$=)0+zWgIJVqOS=AuLID%usOw&#Dake5(b+Js%W)>CTG7y!JyCrts@Dp^eybPJ zof0sf!C1WXd(p@<565zhimQ75v_jC(jf+5EO61>{y03=mjkPyDbi+mNyHLFp3H&); z=`JTImpH#=ufSwANnuuuL5&W+P@?FwVYff&p{2j_2yOZ1vtOct*Yn5Sx&dSfZ2>|1 zM2$yY;~lv}t^Xzgi@NwI_}!rtlg{l$iR|3~*g8e?{niOwm#>J^lfv0*xx6mo_rR++ z&|d8hfS`xZZ!oDWb$7AcvMvR`?uz2aWG`KfpG9=Fzh3|CWI>!QUEOrOA^xiO*5mrg zT4mu3)#TuJ%=E`nC@+#=3 zoPE#n_L7cV$k`2hrK?uu6jXT#6&X$pwX8f8Ne+NW_EfB|obg;v} z4s14e>MWML8eFBz2C4Pi*ME)Jejfaw2emJ~8{Z?~2>qKlil6_7Ij(*9-Rp~I2`6I- zCWyS=|0B%MMuf!w$Mg!n9{KC{VD_vN2qgtlTM@X-QE)k(0?zRYJ#ASuC-_g1e>W$6 zd}lxHr`J_enhe!6+ONMOCH-7F`gJx(6t5~T3t2{fU)f@uVvV%xt0v$m>Q4!e>@8&c zSTu0Z0pETwL4;!R!v~j&lvnC^#*GaO2fD*fV*d0e?M=hUV2Sv3qflZ~7QKFE(TJhO zXxh~>mkv#7W5wB>K&$7XS}2u%0F*0yT)e(3m$`CHbYxXoEi7EWOKk1gELI0i9ijiv<3C!mj!0`NL7>mql|1!7r%R>$C?=idoDn|F8 zYjV#9_n&EY9xciyTi0+-{q>>6bW_Hz6rdnAL^O(U@ z(q!Jo*BD-a{?`8E!i@X}YynF(<=O|{bELG4;xH)B;nMPc3m92awSRcLXOsnvr``Z< zr{eOQ<}`x{mH?>Vz2&p5b>H z=iF}HYO`rX?enBKDFE|DTG754amq+RD(*&4YODJ9vuo0mLr(=a&;tJ6hdc4{-uBxi zwbPd-H>(*Gv>W}K&$s`IlWk5~JY#z#_#ymctewJC3AJ^!jNl&NNdU!J5oR?0l)uOq z3*XijGRz_GH{ms>`*?UEjcSe#Ub4SBdP%8{z0svV=HMDa9B5CuoQs2k#n7)3wf{#r zzTZ{(b~4W5v;Lpw2uPkg8+!0r*vC+>=Z|P zq9=bZ)(%j!dUoygCulS8#&DxREQwi>k!}^~;kn5Gnaio5^(Bf5KON~YcSUKT{i2GA z8#sh~?pUnM!(cR28+)o&QF?2UtEnFL;T{0U8I4%4MThSJO5t`ZaTsCJvg*rLWCBP5 z1Pl~i6rbf9_Ka@A2SN&~V_3Jqu{9hQvpla(!MrRs{4wj0_^ z1r?(`qLwHH$svOhRua;@5Hj=+ttsD*&3R!ole8|FZye|LvLb$_XV88Gk%%TvUa|`= zj_gA)NaQO~AOl3=lyxu`)`KHyso-5y4w$N!QZ~^=v(M!}| z(|yPC>4q{b#+)V({LvtY3FFCvO`D!wkN|+Hdt-{Gcac&YO0}1iY+>4}YHE{J=g3nZ z24uRx;6ceIyhOmY%qCnh`u&aQ^7A)iNx-t;$68&B3zD~Krg{o-ohE@QddA(;wAS!} z!9|E>Eb>-Y@)hBKKs8Pr0FW0{2IHghV&u^=D^C`Lgxhm6mWE;&H7>dd(6kH%VM$IdDv|Mt%j$zR4RL9*)5P>c7#oOJvGrlt54u72*^dmIylB+w8n8Mp&&rErn}F4}eg#Ui%_`Kb!yK|0 zm__aYkM{R>B-dKP-(|?GPW=x$FgF;H=yW`|2vO`MS0F*X_Mmr4yX#!U_!4QJj}{i@3nM z%~vq!&D|}4&X<0jg4h0&lhf1s61r;<7 zT&c^#U1&+dB|Yyfpt-d3+jaKc>iTTV!AuC$U++x@gIh#4bh;P=mW;;~F%`pxAZZE5 z)VnHbRQ3Z{2-=4=s(-NG-hNxd5X7UNRToaJ9@zt;G5|)O#v^Pp9!}_#q{7-&Zd@Tq zNI6ia`j)a)5a4bxpb^kcIP5I_rbXuN}k z7*T|uG?2Vl6E=*~Qf=w9oPURatPy053yYwlBfezYV?ZayrI(%PlP}i8tPeLc6LcH*}V(lU2Ho zf$I`d=@d6oAqa_4VJt1U4B#G;m`;>Tft0a0HBqY(j3ed&@k&OFo>c*3`=Z4@8!Kdz zLg)%XL6@nM?v)OlO%}Ppy>*$iP^?nPj<~!7M_u&B1jWSXPK}qYwJJ0Pv!62FE5%e+ z*F=P3>v}^s$mjzW432VotRzMgBTA1VxFZap%X_%#p_`ap5x3EVz~JaPWU)5YAaAi; z4O5}yNFAE6c-|$3F$;TjiUCeA&L@{u*|m+!a8ip#mwY1yOyI46^mIWR(ORBs&tb~m z8%HV933di)aCd=Ala1^O&Vu{4i?io-vY{WY^vjee=cEMNEf7X!6p*+agRZ0)uLW^( zEV)bngEzqN?$-LD$Lqw-J@+s1<(ZbA2t%F^RK+1A4`XBx_WOLvSj#n!JI$T#W}9rT z(&x6wKF`Z^Ja}Ca?^jo9Pst7U4PX=-0|0KH2XOG*u2Dh59ZYEi06JU?%}R<>nV&oH zlKcsrKRy3q5?cHTwSk;TCa+ZZ2xkDIsgyw6aR6%Naxrmk(`Pwn>q};$l))Vbx7?=e z11hs`^K`{}MKNf;#%~qy{|<8SY~uo`l$|YS^3}vE=g@RNmBvG8F@mw*qOgiT`5tWX zg9aqdHKZT5{_lAEkd6G%zOS>nsX0J9Z?n0#zqh^F-08gDZy()LsD;&e(cJuNd#Blc%>}V9&BIrnH`_znP)>(~=+!46&+MwMq(~(A7)0L&p|JoXN_wyw3VE!{GuOemoh4%FuB#gez0bF)28P zvK->O5-BUEdye*@e|n~MP>ZL_E6>pcO*{d67fwQqP#z}yg!uir9^Esy7gLS1 zBr$coW=9)oWHi{?P;tF^UsQ z0FjJ(io{~Rc)3-?YpXhgzDeRKE*kUdN=t%0P-(=TtA@S-%w+Z@vL_aC=b=KJivae+ zj(ZK*N$~$W(;5GrdpQ0S;gY3Vhll%zr4yJ$W1f#|cM(mG8$SGT_CT|lNcLFXe8C52YL_td@!G-GsM z_QKA7b8G5l4vtbZOhUgPQn*eRh(*}?)v7qyKRnuPvAYV+iAfG2-)qf-m<6VmSXtAF ztc4{pGt6or6F-F;Fo1!cD(AnmXWwuiwv_GxWogS$*>K+4Jvz__KH3g%*&H`bUf84Zx1&1hjY(VF!r zs8-%4!$*h5dz;OpR>u3E!ilbVJ|B-JVHa`KLmyZ4&>IZ>48p3wW4q@{pvjZN8Wk+hO+KrWiO#pZm<NP4A70D6mS&L0jO^r;_{~p%=#;$RIG-Yo}GrRqt@2#5nFHO`MeUQeDQz z^IPC&*$I*#>jyomVLkGmoX`X7*_m4t!;~t;Rbm~a0;bl?L1j}Mjf~V0E1`Yz^;h18 zQIH!7{{xE1P!9&%#I9^#;L{!ly`pXvQRI)vike0t+ABD3f4H^byEyXYGK_qHawD~g ztSO}T$R&30v_yObJvW;8oc!L1uamG)wOpE8_0Z+{Q|(z`MW!pnCHS#x_KKrJ%=FDe;vLD};G;I|2$9gi_CUJn(|B z7GKRj6Tf}<;kj1F3g2j&yn`z2~JS!5u&O=O@iVpbs7j0%+5sp9FfOFTxV`CWB#-{h&!>;2WRWD{i?$ zyA_{y(Z88;*2eN^Y39RJ0){8O@s;?!vo6Y(^C>A>w;l3*jWu}4D(G9(qWG)t52Y4? zHwI!&N{{hv*fj?z>K;L25>V|Sy{CDQk$Ou*KUk^;Pkwk_sx8roP%#8Z&6>c(^3R`! ze$^WdsyFDq4nJU+)#p#kvxaH>iCz?KGemRmT_gm+0nJ8%nrQpJyg=7-pEW|+|Jo9& zaP|GvFd?)2^Yo3A7|V>vq4Sf#sZkOi;y_Jgc~HxW*#uyh05wfy@I85&=(9vJ6tRyU z3Zo0M0YyJxC|@JdxCcuRk71#V2z|#N7h@$_JC6W8S=D+VQ0u<09f)@OKGEgLu;x4# z+`ERQmoQ7vi%+sQpLEE!ay^g%I$&5Ol6k_dzx;F0Ct@`8E|VS_Z;MXbi8XdkfoTQJ zDZoCQv=a+?8q}8FWrSz8ox;t99(u2s7;^LD6^9(FttO+6%{A(K!hOxVYO#At%Riq0 zX{&BhSvV&)@7b!r;8s&;i**pYk*BN^IWzLp$^4ziu9<(Z+b5!GrIbs^c9efEiIbgO z;5*7cyTjm9ru_3s1*$EHgJ$(`yS*u>?rDww6wl@!o(y>;$Jb9irheg~$ll4%(^_(6 zoXs;&e^dRm%=R-v>nw_c?M<@QKuRG!q5}E1qRCW<^)8~))~)z-TJwk%`P3N(UHm`_ zbk$T-NE@Ai{C0Os7_VLvvPpOml4`LQC~`QjHlOZ>|CkY2;DfE4#*o<@|ZUdQI2 zXzluH{wlUJtOwNk8eT>o)?Csb(G(9nu8W&LK;$5H6E(#z^37T%+>@{6%-Ox8=7k zUS7VsdL3;4{V(tT+TR)MhI`Te@ZcZ+H#&^l{Zi^=+RyhiyXf>Gf$N2=9gxdhuEO-CwBD$)EusGOCy@zL zsaGa!Ewaiw7Pq@>rlp^Xl$0UkX@$gf4q1pZ414Y2J1r$FmC3Fn(`2k+8++wvHG!Dm zv>}xZNcK34(9K5R_2oOkXE&I@PN%__SuL@Ct%dy$Xj(r3reFJPYlXetxvUjD@uIy| z#g~iSc2(({^`!@7^yZOix3IT6huuO-N#fp?L@6AUjoui(>hA5@TDPckxVLNT;m_7+ zthsuSd%F#&ZYfBHgU&eO`EI0)Tf)ITCMnua?hMkHYKESctppJc@`^*GSJ-i9JQzX= z(hqjaYE9vJwT(0Njg6x*JbU5x<|OdPqhJ9!@cWGF)eGK$1{j7d9ER4(A0 zgyJ$MruCHtZXV`?>1gTD8RH0)`TRiN?9)dA}@l=5Z$?8nWNF<`O{*IT{0d~>HX0hclfG= zj|10UKX3$S2moJhP)h-=4`ZtmjCk*Ory}@K2f&X}fhxvCe8lw!!||;$yk&P%d^Rsg zYZ64FbJWE`9!P6JgoAn*k?aml4ilwJF7E@%4V0R;{7NNmB=8~?oSjC^*bNrR++%RE=k?NTcOS%LA zOF*>0!@|8bE>?gF3?e6i?i795K+PoxV%ga2eaAu7qjP6)BOKoPQ2JaLz zgb}C1$x>u_QEUZ0)GlC^yzrKWkbPiO=(V4S9KJ6B!Kx)`Ha_;e*xr*3i?y77@3`mO z(5xjMWpvh}xna8`0V3s2_{!mGAXXWp_3v zl7+zL{>zuz;z>ek0rDyH15*$laDC$F;gO!0$dRTL3%N;bZdp3?Y-9C{ug)g`^>VAMf#j{idB7Ik8lWwUNi2OnNXvpYN00V)#p&s3 z-Wdy$;SXa>o}-rtAhUWt*=u{sFzV7*8w4vR&*-bu45}AqHv@>zLdjz50}B1Ter?HF z`eFjg3~9EDRJ(0Ot2E!|Dkv@`OizF`-e-Eko5$kLvrJDi3VosJ2}7J}dZM!({lxa` z=3#4VXZuCx<>CG=`R9R;nI3qOI*aJ;Vnkj5^oEy?!4ekk6zwkR2IM4A>T{tBq~Jov zx>F@PT$ADl`VPsR z+*ia>b4)9y&1FQfD8@IDWyRvE8^xLWR_j!+2P@n2C6`XD5K9uYB1+dAdW6yxBNDc_ zoVc7ht~mj40a_i>$^1?|4^{&dcLW!=Rg8Ah9XqeKGiHRedtm4|W(=!C{v;_t?fH}^ z;Liirfs0EYw{VtNQE9ZvB5NuRq=YTD+d{XRo1-6OvFwTyXO+GWp2agvFGRe=y?si# zbDUOwn()bN7UdEzy;qWQm?=~(;lN{W`(>+rM2zGt)odilVBO~BJLh{Ddu%J&+uF6Tp1CK z&i53D;x=2X{#?vYIlnWC&SpX8=Rgc=u&aiA1RZ|>Ly$3QE7)6_8%PXb9WWj zvV80~cq3WwU1t%~E^}NIR@e_D<_;sz1FP$wN>~b0M%KW6m26>_$=8 ziZwv+B1r-8OePgdM{APkAJRQ2*P%S=5Y%#$obbG-yNBBYha{y|kcJYwcP#7=1!oD0 zk$hS##`WJ$Ff8)fQk`OdVZLZ%oGWy{LGq&;R6LA_z}MLo>%X0r*3kjk5{5@sHTfdu z_knj|;S7=#pL_t5;w_4v63w5MT5pjfX`g$ z6)n2VgY(RG&X7mt{ycSy!)C3#%L^L?^h7F2GtxU-&I~_|J;?xFL#BNps%jY$l6(fm#i_qpJN{ttl_`xiq+`h|b`KgjzHw{feNmRQrRQbZLyE9?KH>0{#(D zkeqg?!+UxKC|PzL&?`fD$ThbKUaje#t~7LYQQ&p@62De1NXrUcJB#1j?;IW-ZI@1t zny<(=aQXhLK$6`~z{+B=0lF?Hg$FYEm*ye5`5^0U<#ebMM&yEj9E5Dq411y6$jx>N z#5mgRc65M2;v2(jZ5;gI7K@_#Ry#tfUW8FqmMJ<+TXRm@`~b&gl-GRo*L0>WkeHVD`?xX7pb6?Z3C}Of^7nG&owH|g??$lDmBkJh zQNJJEum`VAl|z2W!$B?WzSjad^hQW7_I8yQPO4@07{7lcJ^h}TXcPEu?Dad`W{2!U zVbyZ#Fr%k8bxHC zI?d|eyy`zuZ%F=R^`X-;HMB*t1vwQ}Eh^FhA!?b%c0`8V-XF0}7!cOEWFA)KCe(hl z-9CDwAzUeaWp(_Z9>0ETM)iI-_>==mPovR7L~ZD_GW3+$ml{SFnPvXZE@W#N+6A`` ztul7NDXWk*U(8XhDh0ynh33&mOwDbwp=1*;_u5Ctx(FYMWb1k3qvfV_jJ9_S`&;@s zLjh9&+l!n&d+1%-L24;i0-Ue@V#G<){L-ZG;E)l)bjGM-rG?9+fMCg&Ej@`>=moGZ zqd)Y#v1j&BBu(CovP7D^jH3=0YUFW?!DR_=DR4#E7PTemZn;oDU4gqup4w~n{*GGd zNHfoUAd!h3KOT8uEX|tn>GH#5D0>0Wt=+~w!l*Z$t0;Qk$Y-|elZak)IusrUHf;$m zhzzbwqFQmfvM#%Z@F+aSEPz6MJk6i3oaQT{bR7jfRNG&^tE51nAc?`ClL8kK zUCF8e^{4c}dMJ(Q6$-l$;}Ilj{d_B#n%wm4WDizGG&)jih{_AF1VrvN`r|EBHYt1&91FhM!`6*eb zaY&#(I*=MgUiYe&n=ubGbcN8cf(2(fPIDSJjxvx9-vUopN@c<;t877TVfA+@qppLJ z512`t^T1h=-(Igbf}?NdPf;LidzF&lf8!i&)g96jy(&+>7PzlBvOCoG!Xej z`L&F7gb|e%6BARLe`f4hf0>h{Ho@;QQ8P(~nX3oQc$$p3ll~fJ3`of4;m%7GrV)=K z*c1Gf2PaiDgt3p51jbe*GG1wA8R^Be_~G>9a%JW8uE7%V}k#F9B@nLh?M;nhXeL zTj!?E;+k^T+mEHH(dKvGQKe4j0`3uA^!lL)G%?=0?O&jXYFKK{jlGd{Gr56cwV!Q6 z_v}jz+~MKcC{7sd@xPB4bgC2kG_Z#JyDn71X+b=>Ti2!Qzo8P1;ESy|YQETM)jz^8 zO95ib6|77djwO=H;>SsFW>;=AP`E3Fm(c0j(js~s>&CUE(lCH~BFt5}{*fx$y*g{G zI9(7+ZHs0tt%>?aia}C>&MsHtuyUGTJI$A25J4lJoX6u)DGo6t&T2UU=je7w01%Vw zAIbTXIL#ly29JY^sv1(i5*Llr{MKn60Afe}RX;7AmTS}p z%sIjwQ`nkhuTnq#^yzd|$62Oi4<|UbhZdi#oc*i*+sVeyXKG?DDws(BtS9?I#ff^z zhN$Qm7IT9ZQ$ZLL1fE#>?M|(RhbpKS9~!?|q~$E1Hc^|lPh7^lw#4rQr=`>xaa!gq z`MO~>S76duV1iz#7bMA(j4xdv@7b)gvXzco9f$@w${a`aUQyCbM~_#BkfUlSw1`#I z+5RmO4NUJ)I)z6~y_(7AytHPP39^z~3@*?!S_f{>{Yi}f%Si?;znK>wbBlfmtY(h5 zHPph!S2m!B>p40}RSJ?=I$O(AGd|vBwRNW&KrF#$yi)n2)l8%471teD<#qP$URo}% z-{}A$e4aEnJ4c7Vc3LPTGRk6Q=k(Y^T@Y3l)dDR^vY8HtctNyvftA^g4IOT>87f}l z^plvq_<3>qlPFLVWvw}1jiDB$xlS#a5s2Xo!uvKJGjP5C$0WG8RchNTHLDp7axAQY zu{_`(u>LCLNNJ1@u34pAChK3y$1+9aVQkWcjDD={-!2}-MwOiLNT}B($bh zMbfmoDxZ&Sq$(6m-%~E~7BcD}M$E31j470%rC49GoYb)4zIw5SUckXl0uZs2-Bo&)-(tT;yV{IXngTmz#IY6Y3RU$9_UNP3r z&1B4>Pz+;#(u=C{gy-SNPKuqQjX#YyI$JxyNOU&$_u5CWd;9iafh)e~bZ`V@l&>EX zrQ5Y`goF$=nTY+dyBNp-W^^LY)o$$1D)Ilb_ofYP9NGTx|1J6o&znl4Oaqq0Vmk{C znP7o!ZrCp1#2MtsjnqJoCAHEm8HjN{`*W76>Z)F(7RF9yZgTG!=&r84PM!64xHd&y z%91%V;}Fvdm0#D`&C)QBF68X;IZeEFT=AWGDtQ~%-x0wR-)HxvTglnEIa`+}8XaVY zL!=36!y3Y2YzWD6J#!`tZsl=j1oI%|DiFP2!V1tTMkHMVwo4)L36O3WH`z3fHuu`l z%~vQiA{4FPl`{~Zp1yu9HY!-}d*S>b3;$pVhT=oboOYS@;qHR8Gvj0@Q{9?0*U;jM zCC^qqJgMlN&bPA{5kR}AQ(r-g67oj@gfn@-z4+{CdmCP~e?B<+ar5W^7{iJbSa=Dz zB{HSyS%s@_xUfj;#Mhvhz6MW{OLpQ7oZ0$#O=7RrZG#?(6uL)yAFhzRE0CVWqrUM> z#;xGlfG%+$#qQ42;|(I*_ zfn}z$Gng^-W1^I0y64rr@f&@w=FdQ7PUXg9Uoe@MjzmxM4y3R)bqD77Yt89gXO4@>HEoF|4D=%IzuFLXfQ_S!8 z|9EV=nMDT2thVnGv*TNg5~y(9a+rCE$G(d*o7 zVg-|Ire>L}0Y-gx>3XN%cm)|Tc<~C7VuWuOrB?ljP)TE-1L35nMdNN}A1Fkz!?>X- z_3wuJgUcCp$RMSBoQ-Uj9GCB&p8oLqHG1f|A_uTJzh3Nr;$xU+o)%Ng*M>Xp39{FA zHr4@SsLJe>lwUgL1hD6Z-Y%9ZH(~&+D5L!4n$#<^Owu#0P|S3Xa$4sZJ0|yoncXQJ zNeY$g38^!c!OyVu^}WHEAbceU>Q9*?OFgbyF0D_WY37>JvcaEJP}LfY9f6h~mu7Y(71@@QN(a(q4yRSmF}XC{5OtyYFs>B1LrR7` zAU_mBD4+}=`|La@3LT6x-h78U&C;HHMP7V|oPlz>x6UMH=c*@t_9hh?2AvY6m@`!_ zfGTM-xl1=+QKnATUp;t`#1^5ogeQ^OP*q^B{810zSLSV#SnGA0~H9mygR1OVxkBrp$WV?6VrIU~Vd zAiEa~Iw1O@#)~enE_}E^YLZLx>hrHDhqbokC9vF!4TC12f%bw!BY8BGm6TyG&@C9| z2B{u~QPQ3y1tV4#_PRiVZZt6OyjZB$yX?nO_r{~JuKaeA)ZudHn}qjy^M9mc@Z4$1 z4YY;P3mi}3zRo%B2>}#>5w*%wCQPoRXwzK5&Ld=ne5mQd{e-!<2tQmVfk;v>0?i2r zdYMpC^Q0##ti|4o_SP>TX7gP>Bas}07;_J`yD2b%?!PaFL!-Z2|MUFtFi~(yT9=_P zNRJfMS;=154JXja6VKfXEY>j2jxQX!C=OFE{~A~#nIv8V)HX_V%;Es7zU83c%B-jf z<}IfPK8MjQ)4`BV5OJbkl~B1zsT)QO!03718fV>*A%S_5D;3`o6tDrUJ{E0?M&;jtN7R1+XABoZ9VE);!NG2OYv)K|ZXQHu z4Np|}e%jmCkDE>W(ab!jID+7spgOM`al>;g2%}_L$}?JX_rYV$-4}Z`SH$8>34JPN za*{deUJzw2*eIxLe(*qnR+Vh)MsBh>IGRiV0Dxk z$|Rk}hj?jyt5Yo4$rcLdtJy3wTPaC>ZYEJ3nMybV@2`3vWNsQ+gGJH4C?IL&C;7p@ zWW8*(QB&>xnM2IpymRKodn+?p%&F__!N1JwT|MW4B)ewj8A+;8h-oD@qT~q;@`BD4 z-+Zg!1L3c|WARfEkG&q9jDWh1Id^PA|5IBtxz(%JPB+ zG+$@fSrWQi7?_8$1n(5QFRs7&s{Pd?jYUZ^w$ACt6Wh4|)y=2-v#TAAkp}ii^(bpe zN_Jc+0|1UZXP!6J_~0AZQ>!Z^gQ8QA$_!4M3*DIez}<$vQp(QPD`U6VnOnDFB#6YcWxZ*TP7zH~euv_#Xq)!_+k`NxfKXS={n8g=&_ zTy~ECSBly|s;BS`>6`3ka80%cLw5P*o459Zck!e<%s5{qr{-tTsj(P>*+xs=xy3nu z3=K%0(&Ap#7LybgAEml5%moEX|1wO(-I)cR|09zhIU=cAa)@hksdORyh`9DCvC!C34oI1Nn0Q@A@8%f`IU@o;HbB`KpHK28JGJMYO3`e8X`g|;d zW|O|V58s?gZUWr619d2_{fN zerhKJKH)P9k@vfcb7lcS8vOpGf$f{yV?P`mgFIb-`3j#4n5&hK(~(VBpm*2gDLIo> zq2mqO9Fxnmi`yN9x{3tio6uo${7y^=t3TE6_B^?7&yyn86J-jKmXW_* zPyUNtPyVBQPyW(AApb|b91rJ?To zKr%5_c-)1nq;~^-%z8}e+US%qIug-eMxj-XRxtnlGCQ}BN0hTZKmsV=C6CoGGbw@p zLtIh*94DxI^?)&0`lQJ6!i%sA}$ z{gPvM40zjetrR$(r9Fn`RVI%F&Qr0GmEpLp+a6Y;W&v?l&ovQx9aZ||Ed|*l02k#;JFu0lKge@<_@?# z8eD|oqO2eg1~{as4?x~LHR&a@4aRz}aJ!<}8#nIW;j>w>5<-Md9^-cs%@lB3`Z z7y(S%=o3xE`8`g=u7?QY>hk=iv8u+=JOB3aC+fcz5@r}e4sF(qz+3?bFgNSfKR1&V z>@L=j#QvfDo}YPVQ2;mcQ@Dr`wc1Cn%8kWIFhD5#=In#{3>(QXzRHX*!;AB;zm~sz zyP|%1EPvsZv3RzWN0n+Y77I&onJuv$8__z)eNrr_0yUg8rb9h~TjmoC{D|)nC;?ik zKhe2kE8l%Ec^!jWyTk3G%`#}f&oj(?+`VFS^tz|~rTFK$c9`PrE8V1;=qRA3r{LR?>oe<%NBpjpG3)Xl%i2P1?F$jK#E=WN+l*zVGc%By2l4k|In<2N< zvbj3*H_g(s%;*>YVja$SPb8ghn#Aj|cKO{>HE9w;3b| zlM0tsJ=m)~=|F04v^zT#-&HI4(Fd7~Cpe=?LLU9s!@D1fKZ7RSyB)~23_2r{we%F_Z)sPpA#}y^6K^C zYiT>wxkl1ytqJigNx!E!5REs;uw`Z=3)zg^@Z~3NMq?shizyAj4xiW)@X8 z|7qV)nS5G>kzo2^tHG;YZc|siq@@=K1}&WiJkxE!@)}T|BIIH5iBdUv@(!`o4RC@&kDw2ju}qiEbqEr+IIcW3{{!VJGgSF72^j8iw|$jOhAQ-|N=)JViK zk7O3#t_d~d)x^aytISgb3q-drpUfJQ z;Q2nWqgt_+xO?c0oc0iFq_8us*3-#*(@AtECErbhZqm!W&HbHc+s81~2M4?Pe7Spae7BUmlN0*pBq}bM*f*1jSGgYGv?tqMF2F){cWW_OhV<;isurMt z8e5m$5)=@9yVLK+$}+sa2PYsn1F95b+XL8dfj{VAdYo!*(j3YQ;I>>hUT!RjD`W8tT}+wEKRwEgUKXX|ylvE;t4 z9& zK!ddp)u>vy_i!7aa{;<-3NIGU&yMcvCA!5>)B`r?insm^P|PlJOLyeK>{-ql+=8Sk+Z3k#U*YfWry z2P=?DMHTZ7fyHJG_tV=Y!Etkdc&>m=1T#6Xj8Tt?z8 zTr=Q;y1gDfNb1PR7H<036>3O3y*!;lF4cG2`!9EQ+dF&c&jvT{ar0>B@Z{j=Hv0%k z|8#V}d%x=BmRuae;`Qrgy#MGo+RB2q@^WjHaz-sbky-EHaT|fu+eRUJ zD*sA8SpIc~>+L?lwl;S#*LKp<3^#3=c|Ube+pizwUbx1K_USXebLruw?{(X!I#E45 zX~Ukm%{*xbMA%>F>W1Xs`QBQIXO_u#BP$Jb1bECLLQ+|(rvlB+UxDF~ouhF}mMj_% zhTiCsGV0kZ5jhdJF}EyT-bqrNOgRkoYul|EGh!BHPd{Vu`R{pO6c$TT_Q35Pw^@A6 zZ_$e0XyX;FL?9WqQqWU58Y$(_*eO{+UU&XttSk(*i`Fy(q3kE}V0wtUTsMdc=Py;L z?VZJ8Z#?p+l!h_G2a~5QT{!lKm<}Y2CKd*=KaShGQ`(O&p;EQ4x$JnLJtOUpf&nn2 z!KfW!`TTnG&--}rb`V|-?4td!JMI?b()*ksmw4t#8PFm*@KDh`6lr1ETxIgd#w1hw<4FTc_dET#sxN&>dxos?UfrH@2WCyI& zn64*VJnOhMs?Li!Nun2%hpU_*GFr$?CGb_30=e&3x-~+Jb3a2_%oFdtUZ6A5bMlv( z=z~ZsyhccV@$-hQWx+dJ#0Wr^%uun-3CLx{W}p-fF@*u5L6LlegLA6K*dU0fa}6i6 z6O1Tx&pAk!KxMlyV&}OHpzIp9Z4BqH zohXdM^N|4$szq!K+wnyXZigW8oU#s@eSbx9seav*jX@&f{Uf>2PPAFuND$! zalBpx2M^w&f~H667Q-Lk9}qRr%Ax^0f2X}4`GnFkqP9y0mxSl%a_x;Tbgm}0PK2Y& z2B)Qi(=Mka$@;`&N~5$GGia{*L>!el4uD5R4eeu~(sG=aNL}e#f((e{w5?i`@%5Z$%6Z)dYMHQ&{$y57Xd_wZ`hV zjmMaF5N=dFU~p-pL8OEFH_rJj(Y3S4A#lS1Cq(H7Lsp$9bBrXkp`B@Ww=n-Hs-+at z;8IJp7NCnQ@f5b-DCotl#g^*LqJrruD0F(d#@fz_<#f1u3iPLF$z{^aTqi&LcH(y# zKY*O=Q&53pr3c?R7pDAzl2a^pw`xQNnoZ1J1@8?Oh#=nhfa4pAd6ED>Xx136;%hY8VSIyC&6QIRP&TTj7nkWJFI&rymxwOKE8TNXK-WCst$^&WYZU>?LVJSuK zM25ObyTna($dVdeT_)4~1g+>aHeO$Z%A(Wu(Em{qB-khF9ZKxj<}iaex50xm#OSz0V^1y5sgu8~ZvtSUc!CN3*THj)RcD-EI{u*eR8fz^vy$^^l`Qq!wL(yn7(v_@1C97p?*#kBqLL>J#jkTQ0RPWhX zf{*kNGJQd;xUpM&gL%h4AO2 z@E5Zph|p%|IA8t#A8VD$($bRnnQzneR4-}?yw-Tgb{hPPFVY(JG4iGOkF_v)8j)Dmy$8WtFZEP^mrQl33JA>Me4+=OGQMP2Afppp1z?{O#z za^;P*2Zn+&ilAUBFH@>!t+BR(Ry$(;$$r-lyO_fgzQ)MolNUPD+`|ysy1jDen3tS~ z^$RpdvM5<2mG3!XczKMcLNZuzG3KnT3TdHH(Fwu}d^Z17EVr!E(WMw7Io*kVPO{F4 zy}QjmGZcbOmO;9p>Wy?=+% zU1~Vm{%MD+i2Qc}Qo(YyY#s^tUz^gV(+ub}|D$@exsTu&_~4I)PB&E1D2206#qhUKrVCNYQ+=Z;mx)CETMZ9&mRQ=w09uqTH$|PWFS3xBC zpD^}^m*T09P|jx_T+QG8J34##!x<)9hvW4<2|dgJOFB)W3P{!@(P-vOw*{n=z%#nQ z?MCl>`E3BaQ9J@#Kpql;RTOrY3r_zaWU6*g$3F`gley3eXk$tBODYG|!5{i}YbO+b`{!G`K`)E)7 zks}W%Q33brAC);-zw&)THoWDiGA$>M6ECO%E*i1-a`$BCaCckmAM78$*gV?aDqVp- z)YFRl{cAMy>K!Mq(q)I}(as^esNE-*9Ht zj-OQ6t;`^G{=Grc#o<~z53c!~Ik-2RKazB~s+JAmyrF%w`dj*Lcw?lKwCghdLe_1y z>pa2Kw3#+jmfS4b5rgmrN_@|&Sm-4kLDwyNJG_m|N+e+=DB(v=Vvf+i-dAm-q+X=)pTk*-O zLdANKJBLDg2Fc!2DAOR)=73D+TCJo<1u8BFf;b#O9L~bZ_38@$C(dqkWzv$iNVa(e zS>2VvLpP+m>;*XaI?t#lVz`!BdENK>VU$z`rQ>m*GbnV$dE{N7`Vs$DT2CQPLgBp& z1IEy&IT!|=w@_;Y--P`{+FpD7mH07u3W9BLfpHMVSkC;>6?#srTt8Mr!Uk8azk2qp z$$ySWTdON0ux%ms!gtu4@lc@CmoTP;Jw@1*hY)xoK8xNitSz!9R%3RaO$8p7gm% zdhMH)Hxqcj;@b}Wgq-;H*W323ljZ3PxN@%Mk9!<@tQ z@G@I@Jy7h1tn}QhlrUP;)uv%Y%T$hPeyFUS^gcK@VPI(oi6N(;RYk#n1i1R_;7B}fJT&xLnYs~L)u?{X%(^=v2d}VkB^8L|Lf7|t zOrWoO=fKeb=dqYOrr-K+?qpo}DM6+%(sJH)i?v_OCt5nXUZXwa_$^IW^!yCw<6EHk}D~ncGOJaQJ~dIF9@A zDpgG>(r%GOo<~kbX1wyPcb~P}DCr_Aur2D^(yd;7KhepjU zm9tmhZ{tKRvI-z7k~%Ias+|SBOrg#y#m2joC&SZcTVk!%_-2|T*InFgF<3_XYOOWC zX)LMW62qZXQgh`^OEpaJs6FO!sWg7%&G*Z%B_adhF6=j7+bBW?l)`s52keh6aa{r`%|5kMN#a*ae6EyIY}Z&bx04kf1l3U`7=}|L zRRcNON+;WlD=p09r}5AB?4ujZ*_1?WsI3e;>`>g?`Q{;yIPSl^pWjVBw3nQ%uYfjl^&q z`Sp>1J+k;!?T9d$Z&jCo#k5Yd;^(@1l``XJ(60Z!>i_ary&Y_)BywpMEUe2`n57_> zW}`>5x^LV$95kCN_#8vSILD~Z5;5L+;W=N8e5JcOcklwr0UU(5I5E^PH&?>_JNf6k zWft#JJczS6NZA7L+4g#7`<*;qT@&>e^zYf;`ti|rZfsI+i;4dYf`P0v6os5=wPR!+ zOQKC7@ky{)yE{+m-exbDD9IATVc}MB+y=pUz;HM9-Nx)5uW1z(qHt*AdHr_|wa-Hw zHu5^}`vEax+%q*gEf@Rj7Wa`IHyA;bsBVoz|FS<(Alfs-~ElyX|Ik_tk ze~0{{aXy(Y)$*s-fzhwyM-IHN4MK;qVV^a;1^hP-8$T@ymG1)PYJCvaM0%k5b6_SM z{v1f3{?GjU21lRsx$z&hZu~9z2+06aTZlZxeN~-Yh%ci?xR`D$uj*L`Mvc+PrZiS+ zV1=zyTk*T-QEf@B!N;~WVG`3UKC(=Y5ESa+>({r&?~SEfVx}HTW@?V-sK2JeOrUe=T z7wn;G#L`VBlv1X-AtH~dLq^Oq_PVIS*45B#Ans$&NBB@&5`|aC5RyPD5o#0q5i_2P znki4wOc1q9h`eF+Ok}b;mM!mg9p3ocZd`bsktg41>=P=3;J_P zi910HUygCwE9r@UAplGT-e7$aJ;FGdp&n`BL z9)w-DV551`gm#Xs;&>oos4SBlafdkj#%r#CY$r^M2+28-ilu5CQF?s_Buwjs`bo591piE^S%zB)v@t1IjJUy2J4{FgE zy~`g^eznZ4uI#HkpM1R~{tvPGZj%(T#k zP^Y@jR}$(cj8P$FHRsEGg``ox6LRpj7Ry2!PG)*;lMX%*E; zo_UL;DpR|{w9aJ;ur}K8UCXRNs#JC%jNO-J&1MTVMdlB-RHE<(0u=kcO3kX?vkDbg znCsLEz660Ccb=|=h;vfsYXNCU(6E5Kk@#ceFXEWt8&l zour3(<)VQnNUBE@FlE+h>T@1?B;&I=Vu5(?#TqGR&wRKH8Rw5A1637qrBXi&hg;=! z)q%STRIMZ;n9B_%j>z+3%ZHin6O#I+2EJ9d0DBeSi+5gcjG7Fjv5X}?Fe)KbU4z4K zSWcD4zZ|#s4z^zIZgXxvIIxt4Zn1I)#5UTFvU}_DGFW%{49dq&WhNJRVkc&?DqZ#5 zswD)u8N28kE8T3~g2)||ikEQEL|Ras)NSie;1IvzK9~~PdMmAE6Rvp|SyXsB(Vclo zj)YnZ%1sWxuP-YXgi>46ss9d?1D?lDf%kT1<(w8SojFR!ooOXqr~&5NT1&^xGjivy ziTZxxIym~;_^7ismwU?Qrkt<2dp}vs$Ce>^B1`jX{P{glJ8Of$`sETk!B`lLxZ&`&|^^OSG(6Kk`^Y=^rJmdk1~`1(R~?h!(Nj1mSrSpR&Hv|0ipbh5^;jnPH6Bf&6?z;eIE4S zh2PECqMS4#atzay6MsovYoT$fhG2uO#V@%Nt=8(77tR|uts!N^=M;yN+QKI?okkq= zgPun$*d@s8$YUF#2<&mn^GoqSIVjepJ>x9@oT5^WOYjfYeTE~*CHBbzPQJpm+ETdH zf(2oUm~k4(y$jM_Bl%G&Rq5}VgM*Xpw{boUPIdYse%g7*jWm7Y`2$sP-|wHHR|(L8 zM);YQjyNueB$twP&fESz>Up-QMU*^@r zH3wP2C%KVci#fq!CC44~hg0^lI#qXG|2uaqb9+(hDfEl#_J)y{S;6`X_b!O~<<*UI)2x_3 zxa{+U0`UmJY)Ji%IcgesDDaz@b6NrCNPhv34R8GG(FXh|{1_1>&5z?yf1Lreozuw# zmEi|v9GvJ_C{%io#63*K)_L0~70ysX7n7#wiqw;y9@f8B-`P6^La^>sF%Ye7)t8`0 z_Ifx|&L6tZ8}28>!zM&*C#~s$Cxyt;&XXL3i@XsTpTJGv6a&*)HKvfZMaqNm*X24X zTI!6Ty3UC4-(^AgL~(m&b0)I3#MXwTE*wpX<#v9UFc~=7yKabz=_zIG4K~qBF`iUW zB(Hou-ncn z&6l55uNjR@5o>Tv{M)6*_N(nh6Q9hAW;0qh8n!FOda}jSovmh{<$P%M134peP)bH# zXPw60=KjvJ?PHi(m<1z3<(wl_jCT6KNu0wwCxitZNc=eu{n{^BWyHSoj%F(g7 zA(LofLJFWg>ypgj51d8(sl4+(;^LYlA9cM*$}-WVH;lvXjU^{-Z65u+v)|s`+5d4H zgvIU6lb1)^#|uz(x}J;i^(^tp&qe(*jp|f39{Il0Rg?)zhP97;|LO4-;x0DGBTr#U zk7Le7$RGio2M?mrN+VR-Fw6^%;MuT;Fs@KmmLN7f8)Fz#lB!er^I2P(4RhW=r*+rO z$ojPHgS@qMOdJPJVE8ne6)u1(LVYB6E_f<~A$xY9kH=`#Qz5RDFr5Li7g-8Chv9=T z4WplBnP(3=7s`metcG}(Wj`vh?DreBJ}+Jl5Jh!7@J2qa7@S=o3wm8)j`a>w-d^l! zj;k%B*-}&eX=nO==4N`Xmph)bhqQMuCgLjCa`puDWs6%vp5s6D|KAtnMjzvg5xp6#bxF-FmXqwOxf(4d~TNg zJy&LH&&?F>GdJ^Ao4doInVapr%*}9Avib6G^RM1%^JmSZbC<)Rw}j~UCBSFR!;wA` zGwggB&cLAjGd4T`&h@b&%T6bpK#6kkJ`aGh}Jc6 z`WpVnK5z#aDFP4S>S|*pNywqZ3HIq9A=?Zcz41p}#lnljZ`U3@epp{w6`KwGbhWXz zqGG;k!g&1@U%zTRe7ySg<2wHPRpa>~mDCd?RRIT-(r)1t(KBFTlBN;t=XEU$dj_lg zE(LYdKBK9Hu_m9K-hB~1a-){*!F^t2uNS%1KXKHHIS2Hwd9h9;8MnE|xG<=57TKwY ztQKGHGe+~y-GP_nqdof_KPy)}Lo8v@CempEqu`oQVDT3MfgPY;EF2n|!;g?f?-fSx zO%g$Zw3i}Q$u5$O8L7wqNTJPB70CyjZeu*`dLzF8ra)Q09r+hQj9!-6j0JJnRtsPv zNY0BBC@z6la8+bNc)u&HYZ$Aq;GSUSf|1q(5+} z9SXFF0vSlL*=#pAn=iK8@W1Ad3#V6?K6M4F)RECr+wXNc{%{m$W4~qtzv_KB55uAb))C7Twjp4McyG3Mo^9_QZ!hpgBTn)0 z=Kk~c@xjZZrhaU`X>LOC(s&M=9Sp+*3-OQjG#k~!>x!;!ia8X@(^l9;WAyFw;a1g$>Ossl!&9%mB zE=^mC>%3z^m;V|Pl8zhuLy~F?- zd34SKpw$-{k*I#IP2(7cyxi+H;&74_UP|X&Ao9*8zv?djE}SfcH;AvObD` zE8S2L_IfSr68W(?>+hm5$irs+^s{}J!D+&H_v|xaoa?4?FYZFq&4II^wP(EZN|9NP z0g};2AdNDy{Za+-L5&~8&i>BH&i?Vq=6-WqoNOQMsXr#=vx6@GQJItVD~DwaFKRie zOv{;=bk43}^JG)(z1%(7Io#bA`v?2SFE)?1w@O#QPV>jpi~Id+I0ni7lwO6)4n-I2 z41&>#AN8H(Zi$xh1pEsfD(nC1L?im;?(PZG`yKR$$@wZS?9K$&|Mvz-6(2@$7_a%9 zIk-2RKaz_})v^Ki7wwzX-_p{Kd0*Le8GoVE{A$;Ef;24CW~yAviI;!nT#(h}c58L{ z0_N=x&PSC^A8CF4U$liykJx89uD3?zse0ebia)e5;KZA;-B}!H(^t#+!DIHr&?hMjgK1|Mkvi`eB9-Ay38s;*d#h>1f_mf;T5kXlB|>B%~Xr4)!CwK{jz z-~JWWXVTzjUZ05vZGy+ueH)Y}SvPXiSn8{RQ*%Fl{hDwB>_?3yBUqkopeGcOsJvPu zSY{dE3lGoGn*{IE$PXiQij^)w>;M&O|8>(9)di|&Y;w0D1Y9r(_1=N8A%vm^K&9QS zE1?80k$*n!sXQU*C`HNTsBvUae#mf$2>r>*7!;+^u3!iOs@U7vHH&(=M(du zn-O?a5^_u_fKi&AQ3iWdmXOYUvQ)kWU~+R%Q$aI)joZ~1Wih^k`8<{ISVQ{xzl{;^ zOamuFf4X60K!U%--3Uvp^89cz3;A75ocSG3<`ElRMi{*t3@9y`jCgHOhA4`hXO}sS zt`7zQ!-_WGJO`MBocTZWoGTX}|6JX$vy;CW?b3OfpBY5uuHiNJZ9w_cf=lC@_}!x% zxINxQ#GAx}V6iL*au3W#(VU2RBtaA!EWLRVgW#Y4{3o5Txj69q{(znG=jR3V2Giem zaa-etMfirp-Oat-ou{${Y{7qzypF0+ZZDsk*G5#!i_5IVAZV-z3J=qzU>;VF{#okR!kxh)QeM6)y#>YstZh%ht`E=7v zjP34jwU1uz6Uw-IAIG5a@Xv&6nAFYkmhB{cZ_WUh_71Z?6kYbA82FtTyo&C)TV`;# zFjv}G=*pb_&@7R5=E(5^D=>@m#Eh>9s}TQqd@%F}FZXv|=?5p*7=`((cIkM zKRBTX4XN2elf{)U`oYB|X7i2%Oj51*PMzsV*QB#BAoLOAwJ;bcMON@v-rzhY1Y-CP<3&snx{|`5W(SBVzv=mN+&2HaSH+BJcOU}-rdwMVHW(POYmII zZR5TuOtE=^zvFZ$pNBThn(n1`XKUNXrhzQsXqLK>|E9Zt)7^4(cRVuW{r^G$vAnSr zxid;(Aju)B^&f+vNcWKzY7JE!GJTT0d(>DnxIYvE6yJvmxEYT+B^QPguqATi0%(ol zpVy0(&1QS=_<8$i`}pPV$--&1a1x-b8F5@#j*NL7Z_p-CKk3Iq8SG8vRuZqw{Wc?* zx#ZS%b9aH_?HObde_O$S4thGvw1~&&m?LM)!+@y}KK=h)66 zpRKDAhxxTh&6+}))zz-OW`vtlsV?o4u9I@|(Ff!v;oI4TIE5eQ4@xD`hAFSiR}iHY zFY|#)lzFWqK#3bbZsVU&j&_)HT`hAbI=Bh1Z?7>|Zv}61iMI)yjuATQb@{R{or$Po z1BMt^N3Cl4b(v>_PsSv|qE5_``-f|=dJ^*ySvru|RdVpI50X8xZIqX&E|)=S8auvb zRphZCl4@3ag55VmUA5lZh`q&`k2QBF)yyGlEOkwAd`CWl5Z8MMkap?OUg!{?<)34Q zNBFjZEF8Y}dXevSZ^RJwgfYHKcsAe(;h=E-bjpDZZR#p8xwb4?6tQcsYib8kN-GTM zl);>@%d9sRN3%yK9Gv5VFIDCwem7JS<4pMqPojcQrSuo}HM>!N$DK zT`Xj*OQ(R7IhV|pns{i}THm++u_{_ByrkvOHiRFoB!oh{ZC@=+1u3sk!PGu@oj!kyT!n|fR;lc%v+gyRw=+Ak#WCz9}uSUGeaM^)p zOgEp`U?JMG#alHAcoZ>rp?p0a-Sm9T4;Hae)0-+}szF6aj5=RW4k z;fYtroRes!`rDY$i8B2)1ccl@D0B2^QbQY1s>1ld=gwFT5x1&;M#l;DeiBqVO~SY# zU4xm4`;5Dj+i*rZR?w=C*u@>fgUL3MS8<`-oYO$4af+1BA}2TX#91)Fo!%Ws3WXki zGM7pCGJRB7GCU1PySNur1xC7a5NyiyQ0u~q)|Dh551H%>*mn+lSvpMVX!hY9*FoFu zVvMQRCbrB}$hsVkeYz1G;0PQX59?C5c8)Nv7qgKW5n8Ev(X+^!IZUBS(}-j-@?#W3 zpb$@KiEimY-an&%QqOI^Py#Y=%s%YELFYzgsB%#pi zw?vO(gMxSA;q@tk+@ov3faDDYl?^Zu1xM9|8%*(V_z592svT_fi0VN1F{3Q0Wb!(Z z*2w2_my&yB5=mTvr*cl{G2;ASmSE#Z74pPZk@pw?V3@S+Tv0)7(HU*`_R%Ai!HU37noFHHiX zdXQJWop8^dD48w=i;xN*L{&siz$!Tagq-l8*6yIEbZ`i6cmq3-^gej|!kNa`nTAJ~ zsN@0x`aDOF!7nDuGW@x~&y_?09eKStZz7-)X+5q~D)K48wY8fE`_FcsFPuVm;FEb# zFZd5$Z4YA1{6SlVMVrBSa50V;h*1IL#f+#Ynu+K`a^g5Z+I9o=NN%lxJd+>$#+O`B z(MO=GDrqlvn0t!jz5+bO7@r#8fDx<|QC4%DIJ-}#yz>1x~iD*hg2o;DM71r); zbnvSKTB^LS#5ekS!GQj-U@H<5p3cAKUV9Y<*+s@mDFt1>|`x#1up zA1ZI#YLUc-Sb5@1uAiuTx^g}VUs+fZj=B|Ou?42Ls?tr;ueFc6L;{Ai$1w*k&81jh$@{y9V2ZJ%2N!6#X z7df-k{=s3RqQ(BL?Pr@WcTZ?5K&`kl#FZBzC5V^LLM%fB3~yFBA+&}#>mjabJRl;*KI*XdXu7U~7$sVscGQQ2AZ3B1g(+FZO*j^B2jLZL zT91OkpsFjR3itvixErEa)M!++9~%a?sToYH9M){?AGD87PIhFjChOJVPBZUuvwe{F z_!<1$-aTmkcx=42h@kQO_?P4M)-NC^>@;PW>_;y)kG7fzTTm(Urm}?kdiUUPd%u0m zKv~q2y{$Iolt+J7vLhY&6hudpq!_}{4J(8&9hgddt3=}p*(}fkNfwKp{pW;St#~LI zlo#hI4)vGXcA2(1qWvtVer?-Px{ch*O=D-eVzO~s%11JA5-j*YZ0@|OWz_^^gVH%O zkH@oSr_af2(~KRi_X{ znlmCQkm)@0x;0XnqyVaHv$d#J#ouAdm3CNhO4=ZgMoTDzhD(fqnVXxNx7DZU@q}?c zGKrrE2S5~(Z{v5-quSEcPnFiN@AuD;6xo%)_v!V)3e(jA@x$soT^o6~X_zA0)-P=U z@?rYiSkqSe(4_YAYc?eBVOR#SPZGD-svOC#H8`a0H*Axgv}ZBJq%|k(1ywW?Cc&Z z=HZwb%V~^f`aLN|tfZw}&Z1G!6{2PfnpP8mkdJBCFNg(tcLCFCyc2KmLH(UD4UrTD zy9is2ztrF9N*5QCq}Q;C4v!9KI+}-v6`5+fjm9}|d~rFVdGezuWT$Z0b}4T9!Gpz0 zS@UK&^K7})>#6FB9L*{@jG|=+%ByX%Yf_~|=tyaF!-BH;zG9W~j+m9H!A=D&=Xjc# zkaBsSXw6z)#W}FIb^*hFlkIxeu97X2?_N3{Aj3PTOwEm2O+T(=BZ~~Hx$&ejDFmr% zJgH3gCa#o?n5^6ZVhVY>i6SphhkT)TI4mpnW~!J$@ZAqZ43#2gv6gO-TO85#z`;zM zU|0DTb^Vba^~r>U7m~aSfL0k!PUP{8rX3V*1Ps4#UNx|7;DWbi5U)VIfjZ+T;_HV~ z8<6$T8xDIn(%!8biP2SxV(3tSgbC@_unypmNlG~L$;Ev<9Purt%m*Z)Ay9J{zxOap zMO}7OSDlDr$Vw3H&ZEi+_gG$kz}_~qYY-;4VdxOd1`4$Z0Y=M$WE+X4)6>_lljH%Y zRuCUtZck>RM%I!ubfT9V?!1wAaRKdHw|=ZYy2Tu)aEaK{WqbcO>c^SAiob~tcYu)KQ zc;I}%Cu;Rxy;AF^&bwUaT)h^NOZ~dpY(L#R-bPa?>I!5jmJ+6@Z*VLA>`VX4D{p|9 z&x5e;Ut`V_(ng^Qj=w`<#9VyWrwl7GCnJ~Dz&%F7d@x|_31zsJB48%!0{Bi#(4FLU zn5tU?`(R(?3zoU{dflNuB~+H{?mT9)7vrH;Xrf1k%)FftAQf|>IDgnN`upak-+7A- zsV|9~NyiSEEQzoLdN<1Yk*G`6yt6I^83TD&unFbNNAhAO;*s?RvDBR+v2GMZ#N;I1 znvj(w6~tj6I4ivRK^Tv^6f7}>zx`ob`Ap>mPoQSSDpCqOGKEGs1N!!#(%k~s?ukiH z@`m;?0C=;8SxJPpx-4UKXdWHC&E0@JTMU%1M#}1Dv&L{frlWR$IJz+^cm<5w4l+&{ znMh?j-hc}B0^sUAX)x`LI_Gt`7C5ebM@0@86|v#|9qi`d0xxX@(U5uO5#?U=!^m%l zg}uEbfsY9_WYpvhIsqEg<-zF&U8Ip3Os!5#d0pwKfTaLNu%W+4L-jkahv2>#*hHXp zbtFP{@^tQX-#`_Yes4(PIouTJTFdUlE)X@Va#wsW(y1wO^8`(l6RI>$H`Q?qVa3&D zGF{LO8WeVx*7YYg(z;#)gZnUm7IK0ScL2Kkh`qPyyTCfSfJ^d)%1L z1czk9sJspc*D&8fhiAN4hmQI4^zz9ay8!&};uM3|q!>jN7hC}QWf+I7=qWgv1WFWz zLqC$^QSorpmAoTS6doxO*szQxCu7YiHs){#4+dgq^Q%WS>0CyWM9!sfZ3^j|&l~aV zMv*mQxUVFqZq=s4!$J(&ACadF(%rzkj;Px?79w+m0^Nm>@8B4l4Aco_<_X(yCq_41 zr07y8Zp-R9#iL0z4jK|7;&Wy4$;@1kt1|{LT6Jvhyb|oOu3UMM{MOH+QIACZu)-0Ta7E z2x}re8QFTsVNY2G^?znPgiti89^*eY2^#gVl}+AZcI#*1=#qz_`o9ogMvZVW-TK7F z?mT#Eo<={V`Pl|v*dM!fHr1*nytmfNOnsU{BO!RyI6Yl^`1ZtCe)cms4%DqKjr7hFrhaD(bZO2J23`5e>QrD9EDQhe5ux{O7T8TF+? zc<_F=s8`Y)2<~b zG6?B!*AzPp7U5^4l7uB-`D`Z?T(Pk#@CNQ*ylDs?$K<EBo8?8sIf*&A)G_h0MJQ7RjySBD_|)^ zI11mA4!zfd@vaf4uMCkAEA~<2;R6n+=Q4CFBZN#}$NVT{xUCjT31eDDpTJkJsZmY@w(oWH~8SBYX;maZ2A@+Baz#jq6!PI=pOA!FmFnr%6Gd zufaYsLB{Zqg4=UvzC>!Q->Qiyke%lZygRt9jW<(u3^b6Rf*1z737k#y!GoIkNhTb5 z+;~irhy?8MF8#W*Sw|(rQ-9=%hvLZZ`5vF$d7x+ETjDkOihtgqDjP<$6o+U)#4m&DUbFz)hdUFb$?X4dlZM!y~nOU+-$?UqN*2_9eCR;h1IR&{` z*p#kmMM1Q2 zGZt%BWiY959kVlzhQY)-iN}_3$v`xe=Gjx%cS;kS@J&wrxubRSD3;1-`bnu_VKITNK z8t7nJhjDKDIh^|xM{sTik}I+_x27uicrrUzHn|tyrHWLR->CXa{aFbwn7Oow$YD;z z33YvKQ0{eA;CH^afL5W+l!Rr1;htV+ZT1-^Xo((FAq z`k7+JX2CHldnX+2VVZ|D;lP9zoSFBJ>fVotNl{$FO*Szak-YPBngzmKRBo-5--QH4 z#6aZDuGuuy4Fs`i+DG@%h^w_JQu{pU!7IPJ;l4>qt#md^1^xJX0_JrGMr+>G8>yPaL{lT^n;#9yy9heMPh>?dtsa-#!AJ6^}zcj zsY8oa4HofG9g9!DKc<>z9RF zEm%;dx7%q9uL+KN@M&0N@zKGr?dS|oiu|bFS89k?d;=boId^h zfvT7T3W=^X!q2oQ6#t9I?XLa&Vv3O(dum7dHwI)vD`aR#T3@NyO{tIP#s7q{KfDxA{SGjhXI|%0eE09@?BNe*=$r+_;(N}RM2R9K znI%{yRKT&CQ8RM7y@mvg>-w=Dp=Fl7PJB<{qJ$#kj8rm%CHmWW&`7yF-4mRk^Rn(` zJ)2bWJQZku8AjvSFom!IrPFC+U=lSDn3@?jx6j~iHMKuki%)h_b#5-Mf&p5#K;*i( z!e5404+&nreg=izbkpSzE|2QOM}dwb zu#~rE13g5^zmna(fj^cUeXy*(!n$WEijtazBu@*`P^0T=JPYY;sa`;r8eCaHOtb}6EH@w~ zg-mbPvSG(J%G$O?{z~NL=?x@tNcAC&up*o9T=v5*aJ7#FhG{G1r17nVFDF0hjpSS- zS=n%YICyz-`10h3^c0WU#b1_F3+yss7-VYY&lRhEd3s(EuI0N2w`MGRrzknHJ6k!BZse3iiPI zaF?FLJ13WT*%gVpD$UiTN2=?BqfJlI#Q|f`*Yk=q1j}_W607OeL2kIXqbb6Y%3nT@ z?pB$@HTk+PWG}cLgU7fp_QLilxLZ6J^i~D2ePU*XdBi)?9qG?dD2X8Lth0kuf#~t4 z#?BP5CbSMT3w1dF@4~Mm%PZ=yU;V^F6QFK5ZqYGT--_`M{7k6KNJcTfNe#8crV zPmgQLCEklw9YOpg0iLTNt||Jm3%qSx!j4r)l9CmMv%ak_H=F!hP z`wD>J+4kni%cE_^4K$?QFkVZgA)AF}mUHx)og!w1o++efyZPckIKW#TZ65t1s_%KN zzBG{2KZu?Eos*sYPj(LWMaxm8 zT8@*qzl-YFJlPa`FLzIN4tKZ3{=xq7i_N3$tr@D&XL9-ne*YQ{VsZkc5oOsS;<7Uc zMkjvMcb2=QTE~Ol1zie#Y-ny{Cl4id;k>lJh)Z} zkg!FZKTHouRnrCrbmInE{Vh%5-&jTzyFTMD6mM6%&J!kXIc=xPwj2H&x|(S?7l~O4eTaCTEgrlN+UbF}^OZ zMfE!m9;m>j*>tJX@6MEfcX8RdPMUfi`Tjt>2zosZ_Epg2pQS6GWyA#<}d>ZJS z`jA2DM&3m@IPcxqVbW0G>G76$$iWQgqCiZ&LPWr)D&aN;tij$N0MpgA28mz_=-xqK zTP22W#>*sqz4U^&$w~9%2qvM9q~}~-DN36oVG4|dEJmE!6e`ub$o?wI%Nq`TcB3MczblU*BVjF&Xe!r1l@tW{ znp9<}gtmn3KoA}Fcw#G$GKPE&DNH3*n|4N(vlxdOz4=DQ5Tn?+Q?JDQWlY;-8S%0-aMgY-w;no>G?Z_imQ4tR$P(-dXcVj zk-tTG1a@-ucjw6yv7}$(A2}tEjd((l;7>A6-&o3Vi%)*)*q4f1{CN71qk~i!Xa8M< zBS&XX}2Qj$}pVBBdo40-O|t19MBjOP9WoN{81dm+-%H5e)Mc-I8NKOE{8*J z>8nRew-|nqF=D06N(nB*otc!JdacPe)?`x0Cv|(Kc;@`#IY`-)*n$~5V8fN%F%15m zxVX9LEZkff{%z7hnu)jj973y?w3OXsbM_81ph!vxGtAIk<_IYFKz-djh!c4LKC+Ye zfP#H+)fs2<6ZiXm`doMeezKk?kTM^~?9SZ>mpeC&z2yR`+($CBbN9o^&fNve7Axf@aH(@MFfK*c@m%&kUaZW`!2Ra3xb^eHo#tmEqc%y(Bd2$F7BCt0 zKZVw22lp8U_W1~MdUy$8PCV-E=z!UHiZWb94(L^Z=nxDLc=P)7^r1pZE5WADmFG?8 z?t&#<%e8-(W9aAR#S5?VcAYRVd2r%kXN7_bv>&bWhTt;ap%E zjf7GA7FI;%pYB$)n?`Tu^I!mwQ~K{vu92IlM^#zJ!qkV zCig-@h93|4>NJM$_2N*W6(B6Oh|i+83u}vlQuQ^a`W%>Q_~dw(Qpm#|GQCL>50cs& z*hi75zCYUB-#XZ(c0?QU$1?$^2UgK zC}jpmPRNOGf4yzrI$1}ZVrOC~^2a?6I|l*2HnH)0pDj&+0yv0|(N=`Nd{y3jX$oJ* z&v%e6&g?3OY)PHMYcJsV--qv#nq>L&O@inEXO;o6$Qw1q8r5T;7(fEdF^a;BjfY*J z3hl_h0PYEneQKHFu&rcV6R}@T%%;L_G!jnZ1!6J2l)3xN*RZY>aj$A{aK60AsY$dx z_#44niM8E1+IeMV*HeK>ffg5%gxVuB9S+^MK%%HUowS?Cr{bTrb04$OcKrI(Oj^9o zAT88?KC0EntYqv-@3meRm-VwTqIV%?pCJ=O*}X|$o7)qrFn1`v&umgCQ)Zver9mzJ z56oA3@QNqPiK;BN2T$bUK1G_2yO@J>^6ll@vSFO#YrF&AE}`Q<9S#!yf$^|$*aOxo zR?pzy@>j%<<{k0l7}*`*SvKQ1>>%ZV>D(D~8e-wc&7DQt6GeXnn~h>z2y#P$VG7nxUcJ2SpL=`0ls->9J;tBm*z4#xiUZf2+LA6*%9Pcyr*gOVSB#Q&g4{X<{ zk8xJ{AN&>dk#_>LO6w!;BdgW@GVM> z)65z|4#9zs#Mg~gETIp%7xe;4mcrq#-7cS1Sr;DU*zdj5hmN)}<0$_m(_kA(1002o z`gOyZ(XOO9-%p*+Zf>qT6ym4u)LoL+&CQv%JHn?mb`+*`@voH6G5$B|58DBp#f^y; zggK>gPs+QZ9;k!vVw-cOW_N}~b)BlJ6cGeJ8j54)1-zdQeB5Fsb63^@`7c7f=ROyz zo~5uDUVw~)NF*1X;V|QAdWhg>}|aUxYb4fx}abTByb3(-070aP~gntE4Pbt}SAuO~VrIMir~P&J4u zZ`(9}f|8;$EvWZ0JKu&zz*A4e8^Z5a^%EYxXe~8Dn3)*Cd4L1j-(5RCeB-z|^HOk^ zmYJJrlXIup;j5aG%@<9HNW*B+HJ|rs`MJqyN;nY=E z(1ol%e`+(OC;a1ifEh56|6Y|(yefCPS8cQN(xSlzePyuKXz9H2y|*PG=ce1?K0RwX zD^&OA>*GBv61yPYg{#TYnn>Q%x;~^wz-#Cper{$2)Pnva9t+yO{-y*#_#aSk$ zH{fOJQB9W47x1&?Thd%HA<1yE5}j)!W)U^R-fwp?GJdAx@YfO667QMPXF=&cqVYgE zifrs|wU1uz6ZZJ*32Wp*xMS9u^~&EG&Hn<8=FDl4rT#LhC9N=2Z!{t{s_YkjZ7lV= z7$x6Y5cn(nQ$^MP>hfR9|MFE;_x)AucP&-jHGxyYUf^HOF0OkC@!NU2CtmHc-ee#S z51Tc%X>pA1-39PZep3~Z=HL2n45*TT6B7g_jtxuLG;#=fa&YeTUes5hYJrN(C%wESmtq4Aq zGhOHG;yGRjW=~RUXt+ksC5|8&J+7R)$G;islH>89C7Ov!WM04%(zZNqe4De_g&8I4 zzhn9mcLwhJd45)r`sF8dLoUy1e8%3*#BI#Y>?ct_vI*74F~n)kmT!mYEOPyKgG0W( z{k$Ak;Ki~PQTr=cV+2w2Ve;?Z-X3)f0g_~VR`Nj+EL81CXT zU*;au2_6c$2WxIzqx&Cgkkcl)>jFnQMJ|f`=z{x{#ey;~Edf^yB4-pv49Zi$qiAYyRt6XV-t7IWZ_&|%98 zEGC|y-QM1P)@~!OiCbq|)HRo_UVT3WV?SpXB7){qI`EX?`lGH71_m^)wyPdAxiKq@ z>Cv=^=X4-FA6rz7e;{2%y-qF#!@m@RK+~X8}l;7c!-T zLh@Ca;xK*LGDu)?I5~Fx<5ptEu;;lyO?hgvwI6L3)zkgEaNZQ3?2E`BsyA<(DZsU# zSxH;MsjXO-Rx-9|7KX4&gvOm@{&jVkTsDkFm7s~CV9fF=KEJo$+-#C9B=FK0CD+y?>HlRYstNXvsS)l_ZCxP`{T{Ld^v0P7hAY`ALAtdDiMHlGbOafYcW9ez?&R(@f%V=4WT=u zbK!g$i!b9=Yv2f}eupXKg2HK41J?gS7bpb|X`QkvU!^#%OS72qNnYVUZ}o612Log; z-S+q{fpXA z(-<~$xiP~v85K;40Eto94be2<~!c-OH_YPxn@dn`;6wzY_^Zs{LydiUb#9{16G&x|2c@Q^NaS2cc*f z-_?wCN1Xh43`h9U9T7^Th3`@0`m+epJvk%B$(gWnqZc9qUD@Y$>s4dezN$SfYf1?87 zanc0g9kOSMb)RC&{;&nL**#g0rYk-R4OUhJV;CEpp*$;VjnmT=jOU^t1^ZEBX)%R< zI>)JB^~KnYf_EwhEId5JXv6yYn^<>cNX!0+mA@@K;~O?EV~GYgeZEcDr3_AhfCMh&%twFr7Wi6Mk( zmu9cK&SG_UOY(oRz^oWp^Ew}o?jjk$)G6d+dk?a2;Z=x}_`9gSzv_Lk{30=#Dg}xu z3B}-K-Cx&Qjjs#ysQzW}r7kB$HvK2vvBfcS#++sD+M+4=R9Ei333>M>=9Lok{v=T^ z7nY6kO2dWwwbYT)EJprs;{b-|)}Om#|KJ3Ekyrv4DuC)zvjV&?&cmqRnCUP+|NHb! zKYh>tK5n1>xIO<=C+$4As~YSmPX(4``{!oh_$iP4+>9RX@}4f>tnHiJ=CHFG!I>06 z@lE{h(bD*8jf8plEWt7^|OrGXzUXWJacpmjTs&ebK}e3AHPE! z<~fSn@Ylu9AgFBaPp0W2iPn0V*P7yaPkas&@zU;=6yH2un#Kv`G`(omKh>bU2T zP7|Hy_zeEQ8{8=90VdsK2gNWCxI3^CuXp9$#3UYR6PUt9@B7{$7XL=^$vXoAj+nek z%Ser21qA9vUFn1o`t0^@K_0?$cL=&p{WjMaLRE?s&7-Q?; zS9ZzvH1rrLIRdsO$KulW-rdwMVc0%(1RlvLv~kYMkd<=z+~p^fvLSX0!PK)rN}mqB z|EM-ObA7&j#$C6IPk_Un&1F{}HK=_85uGco-v8t@^shlhOY3h=(f}?>-H_&9U8g#& zN+;7YCQ9(SB^s3lr#GCg(aAIKf1aD;FLZYp5kKjR19i84zr3Yo-?XsohlAr$IIO>X zh0g_CJS+e8wyAg5S7G$_^O`F^Ph)n{yv=5N@A!H9X#4o(?#aSwwXl}g+&L3MzpyO% zD0I9*`)nN08{GETjY_Jc&znsdV)6XdtMtp=E%|PDi$9zP0d@1I?adRhy?1zWaI~(T zvO`!9W5+;x@rLoZ$4LZ{i;;@$^APV}WElEhCkmmb5*oAvSN(;r>cXOM$B+h}ts)`( zKgPgb1#o2g2)=~=UqXg=jRzph#^NR%i?@UDO8D0vvMQ=N5{2=lM=om^c+hC*kskkY z+-*1kp3Cpf19ZUG4lIgZ zIas{e+^F_|=y^aZn@xN`Lb~yg{)QL3Tg_LmXba%)NdbEB+^pw0Rb*n*>Q}}?C<0GA z@7lyf$l9$Z=@LmbnF3LGA*=0NU+Zd;r+FpwdzDNUB2s)orwc#zfPo#gp_6Stib9+` zIIz2$`_J2l2Zxo{i}SoV_y7y>0#qs$e*Wy`ezSdia

@>$=@;?mvSU_1yp91(~+U z!4dC+c4u&oUXJU>UYUu>!Y#j*v+Uczac z$Vf(txHCRzBJwYMXbIT9!0W;1a4J#V;717Y>&2I-J^~WhL8s0*xER2n$hE7gy&GMt zCwjiuMbp|moVbx#fM+ZM(4|MBOdsU{m}v@E^03$<^tm$6W;L7%A|GgC>tbf6j@Lt- z7!n8I`v>(`$2*G}@E8Vd&t0v8?xh`nDE&{v0cEVxwxY8e(SIb6k5;|8!FL!IIUe!* zj#5NnUBF>u3_g_A&Z8JXDi}4RQRzPd1{=DtaGJmBuWP5>K@Ydi(f0qo+&S9jf?M0o z-S+YJ7LfMztHYy%=WTS2Za>`w8nU~2`~phl?2v`U%KM6BCw@4-{b7yy2-HlaN`nwM z?xE8vdt77ThlWS#m%rkZ)i1w%BH}MGYKm%WRloewc|*4rLIQt8mFeo}3j84Qw!J=A zIp;?mtsKgI3ilS4gNZ6SW%hx4MhlD@%(Sxf#&QT|*;;Bi@n|TetW?6H)^viZ6po@7 z#cY>Me~PD5D)#8THY3AV8e!YWmNrO&`H1gK@4f7_yslMFp^P*;$Q=ro)60{cUAS?! zpKSu;ar}BQZ-eISWGXi=w#?~4ckiCpLEMOQ%uPlpi4^OXAb!I;oE&>T8sw7=goLRLhUN2zgp#gzjSxE{Hx@92IKaq#=uLb{ z`k$UZ628~Dq>o14g~V}(ZwLMrcJiO_AM4?h{(-a}Bu$aJ1*<3WOC%8ofSeI*mEaus z(AC#9af<&#!_4=F>fY;6{N;Dw;dE{vJgdOCg!iOEsq)UlP%PkYi{d?WXhW<#5g#h5 zBv!{2!(Cab?oQ7G-tJi#0+Abz&w4=zdCq6Ktqh~!oj3Bafb7zTCpk?&`}*rrO)C$^ zGhj1EIKMD9m4L0!kqfY71K-I0c;QD&kAx?mcpEE9@9dApk&^CU59IZ#`3XC9w=O+z z{!ghs@wy0JD%=2gAIZf~D*+F<6z!5TFVgErUEno@Uq9rp+4F;PJ@GnkG5;b?3f?OC z%L2AxY(e0bk+DPd8Bhk3+1-$qstVnujtQ#cpmWarLS?BX>gT;t2tVOAl%F};!gW3f z>+se=DUXU?U53MGLScHJ6o-RYXCIOJus6O41`|Hbl%;A|uEZmLmn#RqD|hJx=P0Xwn?Lxhy5x&{CbjbS~zJQf__M6|O5sL&K== z!Y>=uT&C92gu&tz)OnPt^Qdf{y`nmMnL2wV>oj#~upEW6v{BIXhS@R;%Di|}+csNH zC3-A8N6Ds2&INni!k)wv!Rkj&e-mL?y{03I7T|7=6=T%F3iaajnmbMoxM;pDIl!FXLRlf1O+A-|W$l@>-dQu19LVH1 zI^LC(B6_I-Ohgin`Q!;6fr|mo+jC$_c25q}6)B6Wq6zsWEeh~s<35UKG8|TlH?X~FNu!Tjqf#-h3S2j4;+j1l#NqJ} z_ZDZu^BSm=@fsi^SE%P2HP*B)cHj_T@%JGErUSiA1Gu&&S=Sf#S+cg%1P927wCuGanCQ9R{3(`)aSeIjR)xDFsMxR zE32j-SF-L~$quR-Pb!l<$EwDY%5-1MN?DJ1Yts$rxJa-^veGlqUppFusL=P5{aisM z**JnLgX9_D===ehgpu@|1I3|(8B>wCQDKeo#yNg>V8}uCcanf~b1Go2al=|^ex_!f z*~$t!Z2>_a#3V>5e-`AzMnvJT+E}I9mHLM+@ODw3Qt~2ct+0CXnMpU{-)~VS!5@V zBFo%{)5=;+MnzT-r!u8w@`uhgYg^lrHl+xn8#LPJjr!;;p)7DQ1tsD38+jKOe%HRe zNa>VB6=Tr=d9;zis%zgPt{G(R4l-eoN0(5w+E1?K#}FJgNG1v)O*SdAyAlZjjYfDRQ^tK7IXl#n9zh zzEp-nS~~JIUu-vj+}Q_KDmYL4L}Ydwn@0ndS332jodDCWd#@KO`E4iz2TnegFKWQ# zPtui>v!F#Yw5K3Y$${A1c~#5QOY}g(uO<(br98&9#|=O>2Z~^j^&u%jVuKwRv0ugE zPP0+Tjlq&e%i#K<;hAZr4YImz4TQR8dR|%!$XQe~_5@*Gm>W*j{PT~N%Dvhm*kCiI zFmzc;>HMXu)3j2Qq{wJW63w}XqW>c)`fIFq%$UveQRUJ$G(J2}*3f0#I8@eV&*fSb ze~0x@ccyYrVMGgzI)?%^_=&n2#F>yQEY*V^MysDSfa+*Pq53X<7d@&iP5VrR(D(iR z8EOxW3gFxHDq&^mx`F}K<>{&@eg*-$RnS{@KDAOfeWI+{n&CL5cDOuF^I}iaVn3iy ztOn5FXblmm^^G4lD${l_$P)J4pujL`Kve4W;v~;rqF?{lJbV9ZU3YVQZp(V}7C5<@ z?AHYU)MMbTG+#74amAH3dE)$G&h( zSs_kOU%y7q_T3_MRJ9s36xJ*8NBA;GxV@+n>=Ya(NkLbdh;tk|qVHYNmqEeV?kRTfDkB`xoDH7@U1S7wn`4{=PTwaBm(o@!srQgyzk8@VPF| z@b7!`?|bvV@7_Gfy*7_Nopl`F{~Qdu7`}%HuXM%yrSH$9=9K&Ms5$HXdDP6mKch~` z`!iF)XTCq(*rPA@wt)e9Pd|1}w)ced4;b{&sfpE_EAtxo99-?wSm z+mx@;Be+R{LU-Z(C3oqJcWB{dXeWlA2zkM{p{twt(9W9s^A=G#{$xbLptD{){gMBX|aNCIt6)cn$mq}lyNe9yxsTvc%%z(P7*UysI ziB}pvBYP+QvO%3yjd4UHH%QToaFl2`iH8DmEQHj6I4&VaXp(Wuu4CJ-WFWSWwj~;5 zlqviy)gmmUA9+2&iFJ+7aBcU)K^-R5N94)6-vxouQ){78l_Q%oqTxxD35?e!P8@ia ziay0WP`%6bj2}GxpRJdB_q-`E`R}-YkNZOQGJD?Si<)Y(CeFQH>@ONyKo+50Ab;Ob z9kiE5x00-+w6U`PpulfvZIWqK->Ac`yS%l#i#^QYjT4qwmeGu>W;1f8K$gu;fqVgi zRIi6@YR(kMA~Xf^_YGM(H3hmAIR)^yjEe>yQ=SWJ{OW_u_>Z@@Qe#IZ@6zwQm2R-- z<6iHku3%B|1OOi2(r_)L|sIL2C=?DjByf;Kw5;$XMhw(Zcf|aGvYM>>+))GO%p!|i^ zMU{Y4kT+a?V8l}EJ?U_@zMr$FKrpg@cT#yGZo$yDptlAom1> zpud-WgQWo3R)Ul4JOdUS{&^zkH@pg>_=(u>Vv zL*0?(YSL`gs6Opq#ie4@{J~TL?Xe$-Y1LIMH>xgUXVMS)Co^SSP2aoTSdqVXfOL-F zFOWUEU9milqvh-2#iQl3V6aS!AIk$bx)~ylHIN*lw&>+5GlL?@CZ37pQ~jk)*EIrD zvL;gYPmej%2RY}o*k2$FjxkM~Dr`}E_a%Z&Z9>{XYSU6==>pwStGQUcjkjSO0ap41ap1u9^EY89SG{nN?{ z@e)L!f&n6U#y(;m^%>p?!HkK~OVt_}9Zon1#gyvHGTB zBaK;g)i07qa2##AkepKUqvYj;9Y8Ce5CFIfR3YOdgQ?T_?UpMYKLxJAWzTU&mfxTbq+6g*cJ<7VQ+J1cjK#- zCt^H6y$$}kNDhzJ!Dvx@pHK!Q6?%)nVp91H`d2}W>8B(UC@7_b-&F7M_Z9pnJ9slu zyF-N?ma;3-=WY9Gb8DxGv#@#G+}UC9D+YslbvuFy6K-pDWz~H{zRH`6=pl~H7uPbv46k zTEh)s6+`N^s4YNf_d$~>(7ky!iTDxa??6*yTvry1l(ru)>jC_ZZrC6)U8Rp};jH9n zs+ybo2m3qC&E58kgX5E2ZBC2tnEnUXu>o3DAQmxSB0nf*d)_PWnp(d|)9B1Dv zVDQb^MBA-}*2l2}OZBBX4SPu}8u10(o{lasOJRIMXEY|ZuMdaBWL$IF+@J-M1L3Fm z6_&etxR!PG$EG?r7gxbR^=PKL`P1UsssGxXT$7<+VrdXu&)yh(RM3)kvFAi1nK6CF zS>}fCeWC{-FMg)^%^yK(imBo8fEBh~#FHGwL_vfzz$4Og)G4P~j~6R<8?FKLnE9-l zUtNZm$}eWAgEB9f=;wV_OM-0p7N3D?&`o|P>VxV-V4;J-Gzx?TO$szGw?r6qg8`xh z5_P8fFrRm1EfX0ubLuHtq0d3yrgdZjc{BH{v5V{)tNASz?;@*MdKcL*&0UmwQ(_kt zEWF8J6!Q@O@9+Qq-2Zylo%+MZO5@=&b3n`N7SV_=@2?G%tiO8n=>M&JwYu`v+A929 z`TFt73O!$4TY2==*I)m?)rSusJ^p(2;o}u3hx(PT|DX7en#dLYPyhT6`EULUsffEo z=eVr{RLhI)t(_B5mr3f7z+dMN`D71(mC1IYHvh3G)*6o*Um+$n=QNPb_k!OO;MY3!0IeA^LRiFp z^e!ORrg`ymg!Y30_TV{ODIjL-d86Nhi?@C-65n0GqaQ8?1iFh{a8GUd>)cy@3kHpSuQ(aBEpG3I2XPXvz2i^!;vIA4WH$_@!kfhg$|ubt$Om&;J2x-lgq8MwM;<$99I zm8|b4U7)_x#E+C8D;imppJe2-orPY?UhzDnHb63_t}?h^hC^wsfn`<@7Ob_R9GG~l zc1~U#ygU(``@e{vH;;~BBmVM)wE3tcqfLr6k#G(bt33=of{*XAb%i*Vrw96vqsZT4 z=d?-DpVtS`z8CY5e}T!7ItB7oi2RNZJY*LZ3=iP+t!vvW80tgLsX$iI16VV`&zuJ-iF2KFL!4#6bu36h6(55;sUdB+YA^%9;z(|h91K~E76~V37(OB%# z)ZuSDM&6|~Qcn8G^qzNOC+zn*L)E}if-?CkNt!vw_`M3 zQvM+wvp;=lcJle0u?GM>mM*UOVym^<1HC-*o)`Y$T@Zx>43p5k zLLPy!+Bg!8wysRo;`4N9CW(`17T&Vzex(bA70yA-PEHeURyp;ASx0wK%wxf<$)i!v zXMRlverPjvVt=;0AfckC+;@s~!%4uvy9-K{RWm|b7;;ZK5hlKPDy`rbmCDx3&E4ka z@%F|l&{9Ib6zY*+QnB~rG4wc?36j7!N<6rS5uGkgG_duI*wkTk50Gnv_fm8j#`5^fUs)4fo z3`R^=L*iY=d=SJI!?egnW|KYo=)n5H#MCc@t7~*OT>OdFT^Jo)8gS3HpYI+#WzPv^ zb!Q9s0&_}S+$ zBl4c^;i>A4$;!)Z5$lOppiGJ0RcS}t&k@`zYLjz?zkz?p-np;;#)X7ua2&8M40WM@ zUV^wHcAM?Z-Cg|AJo)92{%#)ZVo(zPx(Dn6lsaZNJWdy@_5z2Sw47G;eU)pc&CtpM ziIESQEVI$7%HNCv>RprItau};Qt%`-zLulwYPG6Vc}qTdBIq}xbjy)7m@|^p(3D>o zZ}E%sz+o>M;XgcLUfHi82kN&bo84vV_lgF)W(s5@|a+Sy~|9wq=S3V@&BZn_!Lt=rNisSa~&hZIH zW0J8(oZ>XTu1uBE(?dDtWM4>AB>U~zZt%ca4#NQphKa``@kZ_3tW0D(0 zmS;H9$*Bn~7G5uVd}LFP z$*)!Vn8}xUPTeWeQeXd|y{+L3<=id1VmMXP$3~rIXd|Zy6s=4?1QDj#;TFXW!vu`hsjn^U9AX)%BI^EXyoW(s84 zVybuA<5oP>1*MO>^{f6RclRWFC%?;1axJMut%FdWdm_s*`6WspHtrZ~m=+%$@%=xP zstb z(GcE3zm=Y??|TE%hoVr+I0$h`nh~`E1&M%N0#}0$j&cu_hjhN8+*gN_?%!iQRP7`V+W3 z`$0u-X(=&VZyi(007)7r<=bz6GkoUR8Qg9XDSY~9;+G5PD)YXQC3dU&PDtV<5Yjss zjLt<8Dv=J6P;m$A@?=&NZJQzS6}1nTc3mcWcAP;XTzLHh1a3t*@(pp?(3#}(&ZRAVtS7?G;( zt?v&-FAU!*MY}e)B=k1Bf%0ydO5WYc!3?U;l@$0hMrkZ9to^#WvN%JeMmkm_nGq{c zLthS@oI7{VSUYUcvzCy=ic03b6OIZcb8^oW-45$kEK?=Z2R^72p^<+#$!nw(IhBFo z)95LN7-@n^@kTRJR2^vlK8K`Gg)`EW0=Dx%j@019lqEMl7q4;x?D_&o6ll01On}9@ z`#1ghoBm9rKXlYC@LwnY80M28g2$LhZvGVeKZYL-hkistkVZ*h4`gIN$#PG`EJwE= ztFRELDX~JJg;JX4vu1hCWqZAz%mgoO9qi#l&{4!72WYaBNMy+vmDP+TO%7yIEV7PG zM-%8kVUG1VQk2LuD-+4U-#pxKfWXw1!5>3UHyla)zKmM~^_&)t$*-ty%csw*r_bcm z-Tn6QhSM8}dMux?3xRYWpa(y0?Hs|Awbd1qE6dP|^M)E(#zvMeCQJ+}+ej_Veijr^hFA(0{x#o7 ziT4GW(YTm|v+3P%H*jyY<+C<@i-SFV-8lUf2D{W+ehs7j$L*wkNH28k%GJX)Bd!e1 zpFmT{>d56#aY#6V7(FUz)yP)}yN-8^RSwPne%$efes?ihWuh9JXlS~DR&Xf^zzqqD z1T4T|(VMohHEw7P;lCyL_x9om>`C`C;~_oB#Xu9 z2|0_X2+UV|`tSt;_mlG*Dl-f&wjmw#Qu-}PUQ_%HpW3oUpN zJgmCr+0o0(xvOGQ@xj;2|7f);%NO+MSAMou)z!#S|5&E?EjV$q%zTmR#+1{{hc&3#2(Hqe zVCbq~Oa4kcgqzB0B;QHvr1{#qn}b0x3eaqxIFz_Y3I!ByO7DUWq6^!!!(LPLj{B0R z%E<2oY2*;PicU!6wID~STb96y(nOBCxEI5@A*-58Ahu|1B;tDIk(ZWseZK43b^K zje<8Fd0>)`R4KLzb2W_K;+=-=!cK#wY=}*a^9_*^M#W=I`;wuH8AACIzs6v#hG$1I znXr@d9Ze)hhlVA^(MOq+0>6a zhZ|piJ*R8>`s>`9JW{C+eF?&YTSGd2HWGwT$HR%i7YS%v-UtmC(t5B@tk#bUl9ZT!2Cq7xJ3(^1s>qVoCF@R8&qNx|7NF6%m z{3CQz8!kBzNX6!RG_@gg=;_Mq52Ct6>U5Xu#^&q1%j&ozD@h&I_xks`vksgms^00% zI?mD48)MKlpcI2Z)~A?!t8b*YuTmA5?qnR(i#SYXlU#j$Li|=`aOjxh@pnH8mG7TY z^{cg{THw^v9=t+<cA^a*KQuNsmn2 zyu*;$8IU84+7mVCclRnt;QLSI!s z-~v)s;YwoMEwBvJ6v$dN@Rw8} z6FInJ#8<(iC}H}had0OVl)l3D^Ulu^af+P8hQ35F&)k*rdPHi?Tpg((G#&?%G;fHG zrEmsEKH;nn{XtiH*8w|Ir?dum(CRD?qZ~Yh>xR?Znwkw6J^~$VccU9jvM9X-@Ch)3 z8kq+FhU@DLI1Tv(9WS8$3wGUb;n=#=Qx^!V?@H?j8sKU)g+CrSG#PQ}}1$GU;8jxE`7X~8VwmZ6G8}e$AK3g?(iUwBhMgxMQ z&6on+iQ#Z@oT`@5&CrisihDw8?yBe55m!+0br*m5J#uM<5vW>8S5F;2_eLOE!^Mxx zJh|W^TqjdE^kR_xVNYt#w~V4ReJ1F$WLV@7qNkw^v)$Gn2{QfyJ4H(|3iVL!j>+{w zCSVNP2u&0oF~?TlJqD+NdFuuJU_`N=5;l-rVG+E4#5aVSopq~u0(B>&1j{O_okk@y z*&EoCX$q+viKB!EFFD6cxg^m=&{^Z?49>-^Pa&}pBqsX|28-f2Mgs&La`)2N4;DO< zYUHdTcLDtU=%yfz0=7aDIU(>bTA-MG(ou7n9BVBb}~=+LkaPx~RN9YTtQ zB0ujD$YjX7MNE-;!5IZ9OP!A7?b9-rWYH`kQ^I5-s&RPc-)KI7_ap5_i3^0UlgKa( zi(nmvmNaXmvWYm(!W$XmVQ*~-17^5r^AW}FlH*o|1U{Z3jLCrG)(eSd<$KsMpRYIm zxi~{-;1Qm48PyR04hbF}!I;V%7AT0s4KgdvJ8J zeY8g#@8$7!dvpJIr%jKK^L6$V38yPaBI0T=r5$ff`Cm`~qM@Dx5db=d%oV!LUl86R zQU)J6`m>}Sg=$9Q5S$jIqw|E&H2K|z26&2AqM0ovj+@ z{0-?p!C_-0LB$JEUq1rG3&az=e5&V&5PfDUs7q zFh(AlIVF!EQ6qIY4*N9|U(^RS6p;ccQb_sp5pR1=>Eb=~B?rz6HRchD%>i8I?AeT5 zEIEwG`pM`<^)wRSaF5yNpEi%+f4eUWJ=gIrQbnN{)Gmz=l>SVHrH-UaHCETCP#Dh7 z8f|;TfjB@K;Kt-FLgC%K6V!MZR?eUc22IDy0i?(mn?C{BKiUD2 z_TX^CxuHZl>G!YTRya63Hea(`_h3UxZ_w2%@;MkqVRzhNr8o`ZVPn<6vNAiFcmkiU zuDxz7iCZYV!v8A80DJW617>#Wa2IZ@|4sEe3txo+71-U(XAFnTCU#;|iACaVsv?yV zH4!Zi@O#u2PCg7hh|Ea=`gQh&QY1%sHA+s?LIl8MSZ78G*mOX*Bjmw zas6P!5ofr1~xX3Gap(vTrtFNOOYEJ&{nnxg zR9{n3P^=NTQIct+#JcK}pIHyp{|Qq;rP;{pMHk5Gj^IjhsxkwUv1%>Rs@kQMle)E- zpQL$SsL4IZTfgxj_^ssXC3gvaH1^A0DK%~3K!F#Cr1Eu7bP5X8gLFOGX@kFqHX1@a zL+2qDmX+#1GYq9(!>|i)K*y!d&*ZDRQX@H31>MJ_l}PqrRaJt>?^Ej$4r|y={~=VR z;49<<_&!91s8;>SQVYaiNIM-F38appt0U@RQhHF9%ylI5QU(NskU8MpnDXl`dZ zLH2s0vTHzdstXGs3p{}TEiO*Glr+0B@lMi>=8`U&gK0Fw9Qy|Lu(|}@%b`TG*QU0` z4`hC@>58(T6bDqA3#3XLYednN9QlXdJ1o3I_Ode10BWqtg;%;BdYfuUBJ77MWiLdxNHTst0*uazuL(bbWV!$Nk@4-9%S#`sYi4lQk`M)@A7)U5@p!tG@@z`X>YKvBXsg$1 zkzGy=Gp~c@*ORPei6``{YEC`GU%rA$Qd*$=Imy$onA9xitK|Ad7Tu-uW1Me&gbGQy z3)}k4aVwaTRUJIp1fQSH!^7?UEwO*FzqNDJKH5Iq-E3~}ZSSAV7A;H&N&Vqi=H69J z0PVz96yVxGN)TSRs~WawE#+R&y8>mlv^YM>MmQp>zf9E~ivE@qhZiVg5txCXf^kove_J?uj46QF~F|_Z`Yop6j(j+gg~l0fj{WL{-Z32#ESuo;a^CrNeb!)9dyYX zLS_hqdb(qDqw_{~TqgshAp@7UBkj#K^`I7QRq~|SJbIqb%%BS(7O?UN1Ahs(6UlXk~52JmYoLC(K|v*CNa=;EkPP{MpY;CCi}ePWV#RxVA|WO zVrT!^&a26tnY@BE%T<=Elje99fN+Xx+U*gY{JLG`Hp5v%aF3(w7G9}TfjJ=6(ZbD8 z%`+ycZ9-pfR96wkBRC%=k1=T>`Cd?o1hxQo<3@Uwsm!`?iZ&k_RDfZVhMu%JB?+P) z4~RXdfC|zC0P(mOU7EXd)L|;2EDa9-j%EP)t5WSds+4*`8g^A4$d3FKwcL&!mX_F> zsKu0-1D?SU;CaG<$YQs`;6k!a_Rbr#4mrnW9sDS%C%&!f#%^yf^!Fd^6O~kEE{yXg ziAYXW?8di^TXB2gz5&k35%Xx7W}rHP$-^m`_*6vizsul_xXSq7)~qs84emOHMi-m~&e8y=$xkzsxFFDCn;}6u_o$H%|_Z zeyI~!*~GnU`LeQ_9X)h3D3V>5<%}dZuWEG?hp8Z(ZrbcQ_rm>v!m8Awr zI`uOJwv!zg6*=Yv zw5Ni9H2~mX+evFe?*@@S(F@S1BSw_lK*gQHKKMevtWs#S0X3E)u<9CH zz`!zGsMDvL$Hb6K#0XS(gJ%S!C0n1S_=>zRJ9I1=1(3!rBj${ZF?zw7wIdCAEGVET zfj`HI)KIvn%tBm~;GI9H3Dsd0_n{Rm90KW$%sEYscGAs+We{lGqt$OHyQfA62LveBG^&ha5E) z$qk^R`JINNcnIh%I;O{{tj59}L`!C(it>}w$QIQYpzMSSYz|Wz%2Qy(V8K_C5~K!F zNDk&@4qCiLrOO}L?9u8L`L z!d-TSL!o1iT`GUHRl5d-#-qMuOG!2Xs|;7fm;hiuecy78QGvzr5IsxqrX`jf4m+@` zy&GKxa#`9*gjZiHAK2nLAVWyk@T$Rk9QI1mk1Lti#_PWGfZe|!mJH_|Q62DZsdH5H znSbfM3&L@vCU1FpdC8pgmxD0|oKw0!uADIa+3eZDm zkfb5S+MbBRgX5i7Xvgv+#J^Ot;4Uw_Mm_RYRK7!^Nf~MxAV`|=IV}R7LTR4jltL!c ziV@qQ32fo=@!nH%V7(%ahT2B)OE%6#Q3){Tj5petxQVPCznn8K*0gNSFr(IoM}Ci! zwep9slgK!oa};uqES-ks;$xWWe<~?U)1dYe>^UZ9N#Nth=jXJ|8B9!uLL#)w&lpFC z^Xy3-?YxEJjD44cnJ1gp7)b?5u2D?E_3*vUrI1v@iFZ))prpg(0EWTJ($+U+BGheK zSVW6xEyKs2WWNlpcl7fV1y5ciG+T;`5;f1z1dtYl*zPV}j~M*#kN%lr;g*S=E$(%O zqa*f4cyR~j+SmS>bT=?%p=;als6rj0awkR@nPgvSh0pH=U63~2Oxl47R5v*)8VOEV zhF@v$o^82~NJf3mG3c?jJQ@Z6kjjUk0Sj;IRxSOg*OzoF>i_#sX z*dAYBs0o)=6T!s*4Rxr&PrfpIi5d;NxiS|r>W48442T^Li21mg%Ggz>-Cz^e!xlP56jVOdreDIWMD&~DMx-3ZHTNkH+-|Md z_@cwyQ4mY~DRe>^b(d{oMkgKKap@rf5M5}DOcEHXO=T5IFfC*qC=JR;7fLMSGZF`0 zVHiKj%mpVGV&`KWr9TQ~6;}p22y(Zq)mk^FIFc7WD@Biwnke;d9iPCD63$Mh8Of?C z<4kL?6?|l6Q)pG7)*6+Z{!F&+<+WHSRB+ymf^SE?;EXg16ZU0sy=%qwo*_)kZ`@`Wm7uYCT2Uq z@N*Id(!?!Q4NLey&^L^N=IxxKtrPmPl-rpE+K^`=-Je9Db0*a7pt$Eum@lXFIHyQ~ zc}!5=HqY`vlg@;7#{}i3+L}-6Hk~k0Q>MW>WrcU?v>8x~k~0PK;svGE;+Szl4w0gS z#C%h{=@(^ZuCZLa2-E7wEPL+Wv1&;#h_zZD-^~JMprVB7EA%q$aNaf+pGo3JD7i!* zOH2YBDb(pHkj=^j70HBMJcX7|I4tS5mM1iptb>y^Eax_1@2w15mV4DHt}IiRrDerg zwsHyXDAJ7AJMZk8R0avR;i_Co#{JnS7{qisk)E^$&RU5Ty6YMRCY;3NerkrQfPiH= z7mi)iG1uEaZSEqUI6bm(XCQMWYY?%K28X;!;xkhrbq#^aCTU8!lK8+-8-bc*2*^NJ z#ctlX=NPk)Sv6pz`9Mtys*>hqZMwFE!+=;Xs*^{WS~4@us97dgo~<3xiS0?XDF*bJ}XP-e8)< z*Vg4ZOC7SF)7Db!pLQ)}r>(e5%FWcAxi_hX($|p4&FfT|+_SLPO<}{C-UX;=rkq?Y zph0ioe~yb_zeYhTNf+53PBu@r7pkj^;_ztur-ka;qR4qwe$>RzDT7T6TA?Mxizy@I=e@-&44RncI;=6w_Gx z$cFd4#0+I8_pK!f6HJtNGs|=WMP5k+J3^a7KsgKp7+K_c9zovVRx)6m2{jB=K9^82 z=62|z`SuL@_|_lc7$P){8@4hGpO!#lu~M@Tiplv6>djSfNKd=#5WW7RHQ)NR^$(!i z3$4Z0`__lnZR<(vyVm!uf41C~XwAJ|x?O_*nTpd1+q*T1khh#%J4%{2LcobOxw1}V zi!{~(D*K?MSO_G8v`85@7~vwpo*~S@6x@Jn#Z_71F^(O9nAxfZ)8}`gvLm^v(D5>i zIBu(&)8QmK_nLim-z;2jJWhHw0`0_V&<9))Ou-6FlVJBwR3`gF47_PWUojC>7 zDS*bL_UMD<)>~X{9`{8!m?ZhKRXt?lQVEW+Nw)^#sxqDX=Nsgi#%ruv)~0VEipg4y8~v zVdFBisl?oxHx|zr?~t*c*h*cUyxSx$kM{nSXU^yz0gD-i8s1sFJ+|3(fkDUITs)YX zYEY(kaTP|2%=SY6-HIjEAL~DSo_9RV{r8}N>^#UPMHoY7HqdfJ&VTrv3d6b?4;kVq zTNoa5)y8`$-NL_Hj+3dH9@7^~)*ENZ$?eP%mHi!aBwg35Hy==}a(>@Hxep$+;E8JG zR-_)!yiPSfkCT=Qn-Munb}LG(SJ8?+s244mIc}jwE}z)r)(bttP}fku3Xj?Ny~O9;dN#kYnsC;#lI#DO*}b6|blJ_Fv#cIfMl7BR&OC+4I-~#irAm^p3HrR6QTZlLn(Aq*8 zrqLVeSX72G!(xk#JH}vab66&m{H_$W393JC}C>4=q~Z<%jz#564@I!=UF(q z6g+jmNH|ZbBqtRJi{)O7Q^JYh!o=${K~6{gPo7~ag~?O!@_p{}c|1`cX8-O>q?b8? zp{1shwKQwV&DBsiO_}Dk8u+0VPZodqYjyR@FCF;@rb?@>wW{#sjft-IQI)1Dl-es> zSVb@jzCW6KTjCUhu-n_O4qulDv6ktP6Av7W{fWlD#M_d5K2*zTLI*YSU*fPF^otHq zAi)jDA4yO*Uw$Ej4HeWIhc;p#$qR>%zv?Yx`N>cuYFt;QL)4RjPKr08G)Fr86`Mj< z0`|~a-CcJ-Oh9(5X_kYlF;O0EXQm?hnm9DcxFxi}DXa>4#hZ0=u6db;DD5>0_tQWs zRJn+v8*^OK0!QBK*Nac+4>e*ZjS2lBXUnvEVaMzFGwz)KybZ*0xGZ+RL-vJ-tt?Yx znYS{3az1*u*)DGH^O+6FENhTad!HD)kiFw3-0&aD?n6xHD+gJbqfe%8&gA3RJNM2;*bBW)_o z2UP!kv;MD@`nPS;U`0MgkAZV3LxoM@up1Ku}+~!uMy&U>GX@Fi-{RDGgKP~P~S{$y!>lxfof|lF1K5& z%dUKU`m0gza(ns0RhCbAYb}Z5#^l*46k24yqlwO{<$P6PsZ?di#}mgUXH-3(?4znm z{o@~omny-aWc?^Ixq(W8R!ts?%1$&5#wOeP{Xp7i5F6Q%DKIvwyUop$?dJzazm%JU zkDUVXGZ&$>TU1CVG(Qh|Fibp9X1*!ay_$y5Hx%iV^E3cqHK~kC=|M>dVyUQ?1R<3! z78RK}S*Kz_e$ zFaYWuBx@imyy0;8ta=D96In!^bCx)*?q%jB-8-Wi>SxtV#g({;7g3NnjOgr&pSF)y z@t?JcW;++li~3KlTG$JJz}dP@T$Xv|w}i+T{yWU&6tiTD%c63c5_EkO#NmMOCuKHL zmD}DMQ4}186~|(=@mPF^|29@+HemJqQR9(EuO8Kh4?SrLl+d}9C4wMxJ3ikM5-;FP zn^#FH?x7=;>J|A>jbfISyJI*zXn$0(CXE$xu@A!$T%+Ewfhn|byd09$rR66-F1!w{ zoS4LPUFqZ%n79C)zbcfdK=dEAWe3_kEfU@gXNB9aSF7+eNaLdWW!xIz|6BvONjWv$ z3SLFHx9e}kYHf9ZKi6t&^z&iuA^m(*dqh7U*B;Z)uWDb>&#!A=)6Z{e-_Xx*Yu^rV zM=1y>?jX9$h~~?qqY3#xBuoJ^w|M2#C%Cxy8F2}LN(D$lyUdeiQm6DTHnBuWwJTZM zfXy+qF{DP@>?}gj`S0*ohfyIh-nz?wD^)G_y_tOtYnUgH{Ui0e1@Dke)K zIf>QZ-pIqbi>zak)Cw(ccrULrqbBp$Qg-Az!^IJgzAo_iA{)6b7QAk^eu-JqT?Q?z zBXcjGkW(F84gDcn>yp3f5?Xp)IIAnm+=|?o8(*&9)W2L=>*GJ&2K@8l2}ahQG#$GN z`t|p4fVh70?e?GxBltorp9OsoUA^@m`j*ztlG@Aji>hKC_pbtv==`|Mb1wR@sl^cxb#3s zg0?7gYcm|)L}&pN3(ZA(TE}jPXBaVY9G;J^aHl>)-+zzu0`CkujY^WJd>8>?xp~6LY(b2pFZZ^OnlCo@Pd1B9vvPWZ#Q&WBE>?a`?#)i69WMZaAnTM z3>5;0bD5OUT_Bwdc>u$f>BNymiWOwe^Zl3NIbRLp5Pi2hVi&0JASOaQ#3!%{GA|K+ zP&}P}K#@jjr#w_m$oep=A=I(JDU~C+>Wd72M{0QaW$wU}@oDDd5>vFR`-c)SocS_I zlX5lrdFSNC!OIh|x&Mp!dGqK9R^XQ>I=Y=!2WwL464c_c-S;kQMs@<3V|c>UYD+=a zAE6F_hWraGro410P6rd>1t{fvwDG2|7(!!^<1a~KR`y~E_&lo7w*KyNG#aiiFJE0< zH7*9@Mi^Zz_qdLD`FrZjVUI$gL3YC%2q-08w36bYt2wEQ(U1=3@dsH+!_3Jg6K=gE zfMF~9mYH&kg5?n`P9^H%Jir`&tP^AjW12gh-!No@`Li%GqRcT(lx!2fBR>NUuS4leSzhPAP*fBDYG}v&W%O2G z9)-(zr@$y1#Ur4vSo@)`-)y7JaxJ1oP5@I;7R2wMClk=%EqR6s|Nrzcj>PMr2 z2`_Q{Mv8QjaL6NGUgzg>O5A!~_Qq9|8@2(46V{USyEHlQm@{7E^~YL_8_BkfI8K*b zh~$OOen&E&EuwRo={FUsWP->SpWH^(Bbk7;8xy&T+C{8#x1Us7OlrV9q zlYqj=h_`XAq;bT-g)*NUrHxg|=P@HJ32y4fQ{CrYYd%SOZ;={`qe_`4UaYAJm8u0- zCxN%r5@tvR<-Rhf5O0?x&#%^SC}A~;(4}us<42BH+6@XPHtB$LiXz+}y1yA$O6PJ_ zryqF`g*c|zngl5uX@Z8$!Ph-1#ys;W;bbL^r&mOES%{OCoFaBR}t;1+~{pc7bk2!A(KIl@5ul7`fhL5|z@1LRDlciW?7aVd?rp=|DjrHNg#OU~oR?Njo z0&cd&rl}!R!|nilMJ0aGb;EZMPqCu7V+=(vT}}npmR#xGR?o0Z@Q(EUh=Tv<-Kg3UQj?59 z@ykMM1vCqdek6EXD%W?kH&9cT*c7dt`j0=1X-Q$@5*uhOt^VF2K`coJKq;l!2ZK+e zYt6Tt-4t>!RIrgY{+_H&eyO*Qh$>vEi3US}4e3+(*d z2-{7SCt{#K(5prPs)Tw+CJ53GNWwvL@xq)Ynn&_frt|?^IG5-&Dy(V13D|H>P=DCc zK#)Qa9m^+3u4Mz7EzC@BQt}t50?^lHxg7P=liDVkOw@IU@fHLtM86Sa8{={cR6@jj zHxsQxf07QuVgMnamq_*q7tJFLcb9>7fda$-tA=U{WtA^Of+Ew|)LHbCQXlaPSS_98 zXD|1g?a8h>@Mg>J^gNYeUVp-b7h9qs$h!tvL%b5$@2K0Qwv3OEG)fJg?#1N5Na?(! zO1IA`c_6x0nHlG@ExkB6__2+DmUKfplD^TYQBwY4U6Y96diz(2|k&g#*T9R>}ZXP{*;qjFMD$L^~^Is># zl;DPHl0_VZm;?&1PUzB=M;5SAbR!LG9YQY5=hjFk!uWxxh%gY&Q!_is`64n3N=N5U zcz%?asArhY&!Ff4LI1EMwoM6QxtmW+6POHLIJ^@)HnU6^S%k#-Z$WovXQw603|vGLJ|v^#P}uVR1e zm|nYi3%hQ+gCxP4)l^Asnb%LWmx0|Ro#7llKynARAX&gONKQd(c~CY74xcr&SA#U` zL)~HdnQXX{7_$IJEPb9+rp_%u)mlee*5%zW1L80Hz?c%o?~Pu1t+4atCsN$QZpE=o z4@pQ;eHn5(9w->`t|44tMEQ5vy5DW9_S;AZzLyi~)?^%1*V0$%$SG8#4p^$8vq^nI z)eFsq1m@rzGRH5QP1F>R5L{JF5Vq|~q92L317LiW{#scZVIoYx2yA+Cmnn1-8^&>4 z`D@56*y{zqOPwdqstns>rnu*yqg`MWjyso024z|vIm3}mqQxC1mP*3)@qnbGwi23I z?XsIP;0e*c(fY@s%wR*$-zVWq23ed>o?=AINI_reYoCwaHA571FePlwtr zU4;?ZQ3Yy!F%m0ui5e*`VIW3!z4kP*I^V>HQhF0~W945?mk}-RvDk0K| z{uRYl5Q1qv|7#eDlXtwb{YbCOeNC+~NjT4TMy8zICXZX0xg*D87L(Q9#$nbNry4IO zCQ*3SNNAs2*SV;gqf{Q%jgqS;`cuq5O2kXs_|lDAv{m+p+}ga^=xa402FQ2jdWa@^E)Xo`J*WtZo3Z_9 zGK)X}V+6Q`OOR4Q#=$$k;h3$Lx?<$8thvaHm}>nc9J`kNZiMLF1MULZZ-mViq?OVj zFhriMj^;}QIX^PWm;7DN?RbEj%zmJ${uZ=>?vrlRP&Q$*PQZgR5Kd^yTN%{ z&5&=s&ce~9>b1^WS~yC4{R_LaZs#AI;<}o^k~Dax*R!DeJ?-$kiqHB6Vm1Pj>wnL)dUpE=fKXO zu9Tdq&`T&c?2!G#i1|a^I6Ab9!ePDVzw>(vBhPZ~NK{dX|JS?nZemTdVwM=~bE*VB zS(}akS%~}#FX~bN6Mj^+hQ*jEiy9Zwep`Ix42^@Fze*~4xA@MSP+j(_OdrXlb2*2Q z_h2bXbGZld~sT1*)1}F)D<_PEep}t3R2>V6ORuem2x6_yTbx9#1_<{bU_8PYI0 zNQ6#M&<_?AlK?z(1UkQ~REY@NapbmsjpDT4X&WvjQ@C~uTtbX+Ir240zzs)~pOSDj z3cgJNf8ffC6F!!TdZ&}aM4T}NcQr~nXx-Ijhl0} zwg)zxYWhDjux`SBncOR~oqozGv3i*{+TO9#i_hvlCl8k>HWEI=T0#Ne54tmYSutzk}RUVsC(A9Oc)-2o)u@!JZhg<1t5JLZi?Oy1AJi7`gIsx^I>I9#2u}rpueU zU65mCjE(7XjSF4>nbP?YRsg~eHB$LmGW-sOTxYqUTxQy-Oj4(02AD6$e#}lwH&ND@ zkT;#{sjNLufyGyO`_u@oD7i}~@~`|Z<5*Ntx6tq-tW^Wa$%>XcmG#<69n}$L~%yF2>O;8_AP_iB8MOD^pGCRV7$~ zK+LyI?ifhQ+7<@I!Ya%OQgf0G@-XK?hC8JOJ9(H1_p2>huR_~;M}GYC43WT2!dO4|r6mi_qT zXlH*4(7w)$ndaI#N-&Q#&jhGZuoc1V%cL2yWfh_3Zn)$E*r+5a^U@HWlA!~BV1YqA zuQ$Bqv*pecQ#JS4gJKOj> zfuk!a>R>#H8?hV7JFzp3(;S|5B>Ond5!&XD38fN79^d{t4+Krqw&h>N z$?!>%x%fk6?y@px75>c?-!WDeMS-UpO!KVPps;&3hGoov26RD?6#?o3m6)W{`YxUPlrvmNmWIA$msSZc5lc{wD53;h2m%}EbI17i3X?&$!=OV(lLD;{*xIL&gcpS`0^vBsZd}Ox>YU2vt;|`W|mS z9R7oK_FKl^Kde)|*oITFQZMFIoCESY1)x{0hXpP`DIBD#>vshIFjhcVpifp)$s#by zRFqwXshFw-Afi07>>#Yjz<5e%pwbz=ka3;1XDhi@tLOteT99W&I(&4;5yO_G9PAQ5 zp@~Q(;uJHz)TN4c2HcViY{)^%o>H%O2q-6IhLB(s9TP++AzcN~BP9Vy1{iwQjc)3Q zOJHUTl`2`8Z6?+TbqwIgPC++>vSai>1Da(kI`iV7lNv)2mylgbe8G#vW! zbD}d?ppxgLqNl)41zG=@Fg%h^RIqftJ08Lm4r7kK8_DQT*e$@E;#q>TK!_xR&W%Kn z3Cyt*3cVf3$MsAM;nSawyo-&K&FAJC;AjgLT?X)b7XrR1fO;`eSkibOMi;C+aRnGK zQ;=XLK-t^{wMIk9sGoJ*{uZE2jWmsj-zdG$;aHo;?;as#K7o$1QlV|Fyj;-}N_wej zFs^lNU+naJZ(yMS(YBsKS6UA;=ok90s4Lk-l>SPqEGntbn z3ns2z@^4)bHwAavqK~lQ-db)}gui2;Jd*m>_)>j19@tIF1xVUswB>>7iEpk$Mcoz0 zczACl4Iv;&zP|8%Lx`VM?6^b(qPRJ}n`#x;AcihEY+#(u*;&N+*z|?VFDW4dI%AEE z5^_q>GrLhCSfGp;Yqh{>9Sk&39Fh$+NZqbfsM~zPSqlT_0&#Q+sgpm!uCl&|b336^ zxJon0xUdxo$7G)XlfWdW;WCUzb%^$Z-A0ktweXCKRjXLo9NY&9i*nc*?j>?e% zvkGhW9sE+4XHsFSe&47Vq691r+DJ&3kcZ|PFUx`m=c>?RY45RW3#&?Cg!5{+@JCo4 zzAsX%^uo1J96bG>?dC~+l7$D&jvy_@WH>j<%cCsZMlW<3{{313O#v4(qVf{p5u-bq zQp$pG9I*Y3c)8Vr?_1U7MimQOkCrRpT2H=^kMM0TT&~c_5)y558y#0HAn2mfk}gsW$x^AslbfxcS|V#6xy$K1*!0wzvZW7D<&2uz z7y%E3$X&0@Jm(~aLAGHnbXZYZF}pUo!#P#C@olSd`fKC$QuP)Fa;vqkY3sMmY?jNb za*y_KyLrr6go4}z1G)WyX3waEfvVd$Ia*4z^r%1+HOz)l9zn` zj8ORO4sezfOF_v6>^ZC?4lfcZ(;PKky)tGK*n5e=YM|O1)g~j3{5EAg>YQ)5zs`e@ zJTIPZKi}EM^K^1>uTGHT~04Dhj}2sv(9Xf zQ!zsu)CEG4KwFYO{2ANXQjKU4R0t5vp5|qpbVwza1|fbzaT&>w-;t0zGqDqR<~rp& zky~8(KINKN3pZq8|zu`DWSsra|=)Ey7p4)kmSf?cSGln9i>4cLh?65VCXQ%gZ8eGELkL>I$c=T7A9~#( zToM7@aqe7@oBLk$mN|sNkqOakY8*XdROkWw{Al|Sj#x62j!CS9!P2jN|BqFbBak)( z?yL<*?J;Bg_#PHj<#x;vX4tz=eFX-MTb5mAi8qE;`Ew0>jTjOt-WN9eyAWnQaS{jz z1~MT*Q_IiEs6exg+As7$*9pw2IaWks9wp$mtS4N7dgL>jD5F;e6h*uSl*1p!>sU~3 zM<2KI8+CVJV%Vy+SyPw58~T*r~zl*wEqb9UndG>qE98jNsw!;Q;MO36kN^Xe4><5Tu8P< z2}M%30ZbpP6spEh7eU5R@daKF)Pv-qbv+~>|FnH{ymPQ`eWQ%5sZc$gGW_>xCGp6O zFsGjQ?z{HxNqhU?Sw#!z>v#dM-8hJOP%{0Uc1O`Xqv~EwrVjJXY7*0lj(~@@cJ_Bp zP}^YWjo^y(BQ?zpvkC(ZKk}8rsza$k8?cCEuHlvB$}$}@E0Z9~S}!2H3lF_T)C^dg z_^&usNnO_J{`oVe&#pCf_dapztcc8!s+m>G`7JrANu~CI{HR$i?x|TT^eQvTl5?Jf zdK-SqdppN_nY!nkwctm9`q7o^>i#1Yf)< zsEBSa9QuQeXJ58G()N|h!@gMl#?fJC&rHy8C_0rIB%Rl)C{fqy=|89e6%_xh?gdK))Os>w7@XZU~L$BYFZ|dYGL&WG<%S`V+ z603wAMsDdh`ejfY=WkwB#n1I>{cQgKN{7JN4;%-G;@^foR)RWWU3`QRv|dt%Qb9Tz(ZuS2pUl7CS5 zyS#tZZA14M$anZdUl)tk+~oD8NrC~81PF|yFKp_(_IA%M1gHQuYs)$~*Z*1r7jgj^Q=mG;lPU97%-l_$tI2!E2JJ{=cBGq1U^@yp%*14B z$uOTCyCavUpINF&BX~^3NY8DyVo5f42miQ#{Exyu8HPq$9@f*Kc}BKisce)cenr%K zNYShXmfEBoi6eopP=`}FwI{eA>ttHi5}2byYzvOHtiUnSSCQ>J;RENzaoF>sAYMzd zzoIXZbU=g8(FaaDp>-~TWq80oj}7?ipYYel>Q|2*uO&O!XB+Rjs^p^6(G@`P--BMy zTSmwJHvC1E1l^6t-+ukgH_EEnxw*Is220{rEcIdKuIRVn)x$OVrQ<`5^jj?ZPJe{( zbI~ADY)GT*V*_$vm#*w8^-vWK*N9x+Q9DX zbQql|S4TBh3@WzBR+X@U%l|%ENNfAk9$h!-L!JfA4DCkGg)a(xDD2?(yyDu^Atz2g z&tJ)*ARYOL_Z@q2<4JxSz>2WN4V{yn1le@Ui(qGncno8#m{_W#Zacn={Oi$1%c=5j zctqls@$tccG9R!Gku`BK2T>cz(WNxauCR@iNlpXra3M#}hN_ijL`h_6%bO{cXoRcZ zldK@FY}>%`Q~qp(S|V1z|HoRz6i!kYC0QicCg(#^fHI~-nnzPmPc%RSjcrRCG+@X7 z4QgAyFmkIFIZ^A;7v@^!;KfRw(r!GEh6OFGkt@jbJFbX!Pq^fAFR%>lFRGYsu|rO3 zW-6|HFT&gwh6YQe;g-{c#6~+HSLP}4gv?Y1yk6%m=AFpT$56>f4Yo(BF@rM!XELY^ z{@X*F5>5YnPMJ#Iy9hcP?w4PFxwrXzr>VVa;DO68+pyh@0^6^)?Lw7|M-H4M?K1$k zQ|B^xhk)P7Ga!C}*V|a3wkgf}ZXovkG@FrrYS_UF$~*WG%0oZEY-+{yo3KCNlfiSW@;}AA0J~1dT>zB zpfZf@F^B$aXO}$Ll1Lx7(eqq00ET_1rOz~e-%to$>DicZE})tTv!Qyd*-XA_&e@Im zAOEnNJbm%#H-2G-E{F;9nwgyO02ADNx;auHB(Zj+;R&MH9&^MptdbKK$|xGRnSd(z z5y?F4RE>!lPGpLEIKnl~r_5nSvE0*~k)hKI5lkK0s3f2KrLCEM$VBU3Ri72=T zun7tQQ{g=!C4Qr1Avi;@uzlY{H=-IjWI?sG_*ZnSJu&bv;7)tztF(((!wq!x1s5tJUIaGA^hSwk&bbaw#?``F1SBQpwhlHy2QH zj8v{l<X&Xpx8&;hg zpxx=f|2GV1Ma1A3(red+n*)a6Dy~(1Xl0Bl?19b3s}AtPWsK*7N6XdscBAtB2dFW= zly&B=#Ozc9Z^A$QbQB*6O=UO`>UJU>Amz0gFut=rU z=E2_H=Kj`kgIRbKO54r7Et~}cu&pseOKkFZm;^atd0m(@PkY@uX0ncLXcdFW*P;P@ z^F<}w??QhCRN%FP^Oz7(o)8F$`-iLJY!D6>bwjIZ1eAEFP*WsdjuJr2sltzzV-=JQ zSnyz|?2@k2q_=ab@7L<@Rnj~I6N>TNY)Bnvn#gasNa&qO6&QrRs3XAo$Vb&&f?m;DQ8nj!Mrdx+ zQx3FW#t9eG(VqOy>$nbJQN)vJ3^yfAud)BDr_CwCTp549?-UK?|uD;i=sj zP|7av;(}7LoBCi19mdO-R6H21;k|?FfoMFh2E0P7kSi}ny?*BsBt5tX0*?cd$eirx zD}rPcmDNgWei3}EKOC_fDdE92@`1!tLbgObM0rwHhhzp@Wp8!qUoIm>xq=4Ul34%4 z32rs2Nz@naMW-VOFex=Lg~Z5GIqSK=Z(>8{!)Ol`O=D@Bn@!esb`^Xpaext_&QzOC zy58o@97bF^`3_r+F4Wc5O)~sI3IBTNA(YICcJ?p-8Fm$%~W=ztirrH!JTn zGjMNu?B(y(RP33l@Jr(PrbO&XO#`uAW|*71JhcaI^>-H|rKiMtaal0>-s<`mD(euxuQ zkpqXAa<$EU{E3%?RU*NI3 z@&+UQrH*9&T|HqpmLxTxp;RO7nN+P2^P_`n;}M?tfNrwbSGj26uFvZPevG8=960DM zM@q^p$YV?{L7~1ROypd@_^ojRYpky^;eyOrv5KkNYtBmRI3B3f?m;2z;OK9xU}v^# zqU?>=Eb(o_Mb1$c@y1#zIomk}+fZe)jjQwRN>5Y$tblCo>7qT~%G{ zsk8phD6P?}W~<6qoX~4-WjJRl-as&`34>G(K-i=Eth}3sDKT&1g)(|~ghANT9bdU>V9csNJ$dru$^N5+@Mu+M-n4<38)#nU(Bp?slE+WZfa4UnxFKr@zd(kX z1$iUHb7;r-wVFA^aMQtE`55<_@T5z@78p*;%|pjVrW#10yLe01n@cDcbGvu{X; zlp`!==Z^4)-&sBJB8+lKKQgwYX-ZJuBh?mP3W%LWlPtZY*Ujo0>#C+{Pe@z4TTD7V ziEhWGT^q?W^pKe^&{1u4+p_cR8VcvCAi}fw&uli4QS~Q-j4+OGG`Tj4&(L0<=a_kS z;g9EJmz|I+0Nh3$5RI9Mp$&wtye*N9r7fd$%|$P_z#=485KBr@1bSx>eB^LW-N6s+ z-2XRP4f1o4#*?MrvmWi6f*tNvfcWs28VDJ`vKPBu@AbaqUuf&^FN1rw z=4TufeRV5f@Q-mie3SLi6D1#|=ty*1dlg=y>vzlAa)~)YT%f`38uhDjYKtpy2Wm?T zwl<*^Ez_qHT1#e$KYp?O7=IB#S&^w+&4E$Q=3bqzqtnU=*>|wPkT%6 z4dAy5;QqVDmbJ!5F5<>6Zg=hD9;G|QZ`ESXv}+TSrGPhU&u0+~XZ@vEzprIzGOn-w z+TTrT5AHBaMOYU3#kVq=6<$u5!!9|5`Ib`yAh!JiD7a&45l5OL4$PK8iKUkz8SeX@SB%Kx(*oACr*SMjoC1 z{nTfv4=jn_{M!8Dd|UXiRjj2*$^gw2mf; zu%UJw27*m<$7Ki1DaF)IGgxA0Y|E(vGCcQdzIeG)paF7(4#+1N36b>@q>InhMa?+* z$AJB>3%QYN2_@aFMH;7p4>1`DPK1GX$Odi_3gWxfNk{wxH((c~uFaLxp+-f-Up8}947Y&Z%(!%Zh5`8xaU>)&d>IWU7M zD%FSQq?X5YE_M=YR&P)v&49$VUYXGWH&KJ~v&oxmP(xp>EHhYm81L5c?^Q|z`UNG) zz3&Slqq*^{A$c*I_E1vK_iFk3`p*0M{rAQT!`lPi4KMWh>$qm8>=Pxro!A%ZU&oX= zWhbuWG{R*$p3_yJ{lFvk_zX@*^8Nn7U-9S3;nU;f$;lC3y^lB!J}>PSsd;85s|?kJ zDaYz+t2JK`O*&tSrKP1Cv7-{{ee~S08_PHB#!}zW)DrPot(UzEoT|cR?`yNJI2oHE z+!O@|t+K@{4)J46GD0Pl9y%r($1?MYCK)tByqUZf`L9v;s3USNaLqP|(Fd`I@WXHp zTds{_rSi)RpkSrY5W|QDEJCI`_DHyIeI7Fp#23S07Bq2QpM=L$?ry{In9+U|`w-p5 z#n}``acA$iMZEEmDOkss9Pj_f-&q%Ww?SenK&Oo0*ePYE-B0R36OJSGY;D6adl}{w zS4>hfJlZtAWvVUB22JWU`Xama=jm&p5kyJtMB2fYlY>_Me#`h3w`z5-!{`#;GOz(< z1G1nIA*N!XH5ZVkyt%S1;(nz_FWja|81ymX`{~A>-qH%I<81ksEH>eKEtjx{jL)t8VABPix}YcFB? zVpFzKI$X|Tmus1q3!=UkaZ!H2glMzklK#gp zpx=wnx`e3wVoy)2-Biog4SUQcH7H$k^<1Q{dVmygoUv%L$ki(BYGx!yPoMDHm+pjD z+Ist%did%$Ty<|Y%Lvu*?b?e@YQf@?|GF3=4rNjKtn4NUA)H>Atwf#TM!6elw4MHq zk9ow-^ATsg+(zmq7o zE0Xc`wuh(o{T(PjPvdeTu*BLr!3C0iRKf(G;TMxte}?W->#?zhknJoITlJoLZZA0plVNJ5RqidmPz~avILS!hAcm-FGWaAd^{#12 zc&#G34U)}svh^0V#72pXV1?uwE{4z1Xo>d{jt6PdKoT1HiG!)im|fg9NMpCe=M;~@ zZe&Y7$JzZm(h6*%tSiQ^VK<^ma+@H)lop4;jBhy_T&91UCjzAJbA;&|N@C~+S8s?C zn>Q1NWMW1%lI%;ThH(t>TjT7e^eZ`f)=~h*&4dctM#uq?CzLtcDMk*?*h4_V_lEOc zco+=o6ozIv>YlQ~oS-UaOM{ux+H^7;!`Esy9<6xn1P_Z7=OLr%Kt9lfwJ3aLplP;w z5-|WQRO)o9VdHz%@?NiDCkU$)I1eXWxVY~memLwU)9XS{i<_=A)YT-!DUgns2F|zc zexmZtqff=pm*2u70;eJ?f<)6#f4?wutH=eU-JUX^QU{N?%Y zqo7$aTX$2?1XH-23p>fKCvP(21WI`bS9*c+^kJgogeK2u3Iw15ZDa(MEB+No#2;90 zPF;ttIV`@>dC;H_Hy(5v57ZHTJh0x8lnXGEIv81p@hk{;7@-Zj@V~gUN%Jzlp6=`| ziECda3iZUL? z5=EJRDnGxDEYg9`e2UP7yL47|f2*w;wdp#_vi7umx4inFyyaGC>G+N))6)4n?yd?t zarloZ=ssS16L$E2%?@4eC;#~q`qoj=%Nah}Zv^>uL3wE{iDo|IfiLD5?bybTsM>vWwo7oV?;N znm-T6gUL;vJUl*zeFLQ%20Z$&8FU46I^2%?tXsuw$562M@bHJ;Q+%ard?~jkZ zKiNO|d$-x$#73k7bQsZqOr>AtSG9H1k%mG9Wl`*<2g8Xe6bw{TI=jRmtKy4N_%Otq zm^%<>tXkDzZlW0&!fk;i`DnTTQ5=tv&-(a!ugV>kuexpkIaa$XM>gR4W*C1dZ%r+to_g>x#{m zg{5E};9Cl!60f1(ckA*y?&p5LpH1haJ(o3XI{-U~1ZBobxJ&H`!5i5-M36SniCZw0 zijXZVm_bpt zCRO(~?|2fg^jy)Sn%?BlK7;c@04mvAj#ImwP*^i7?~|Ilv1+t4Ddmat84bZ=m@2`- zH7AUX4%v|6($CRwhQMK{`=4?D{Ir@1b}4g#+g)($FBgorn_3`y1TJ1&c5sA0_ghHXldA-#Y^)+aw{e9XYviFQwn`ns2>g} zk-=6+|wR z2H-{i;D^)U#dSV;X|OoAI_V%qlxO&PE-3t`hlIqpZQyEVj(}K-cET-II?EVY-UHh zGE^ku#O*Fed}>A$O^YzOKd~Qqkl4oYjmDIOyRW#Fg^jQwV7e{+Ey)soL%tX8Zrkes zG}ps1_4q%!Fz9A`5Mcu?2PmurkknOJcFZm*hJG}aoeWm;*CoQGnB;X8AGD5`h#0>o zOifcOxZR*iK|9Dv#~ZRd5j2J{ZN!bNEN{6cQ>W0^0QAsiICT=N;Y>r5^Z9MCUpW-+ zxuH845BI$8*Hkgq2*E&{1l`D1d@oqCjTbNfbK{q-cOM@7`P;wL8u-6T@`ugl`&acB zFB@(X40g!Lqm!EKf4=Z__nELk0bdn>E22OM_;2BJYAcgrP%mrSm=c4LTF(E$2%e=R z^ewa$&2Pbi4;@4-W3pXHlhvwE(|vxD*!{vGr9^bG>n0*A)|8AtWc)!CK`<{GrA6~k zbKbc#X5)->S;+D3(WJrQ<^S>m)!!M+z%WwLtGTq2&8+%lZ0wS#;A#+ZQf-!{qZ&aX zk_3`l6f!>1gg_?rYJNKv`PF7q?M-qeEH-he$y=&vODCMBl#`b#;WXz=;KU>J&z(`| zEl#M`vLU$$kU@C7UvPrhDbBQH{JhTQSCc_4z;jSM$3AmCKGDMKR-7VG{FxBI$dVr0 z89qoy{l!S}m`(Z_;YV21*SQ>CSkPTWPO56p%vbTwr^~$^od=Upwcnfg;}e`!JTwLx z%`m<1IWo49fB8#iYx~PDA0+vg-Oh_&Ixn~CUw+wm)xnJj(wbhelm2UFb#1F1d>HOX z=c6jYXBljID4J{XE~mL*=8h)>(uaW*vmx=oz%EG|nG4O>0qtcPi~KWjNL)p-(r7}U z>-2Rd4B+@Ru}kTj$q>`IAS^7yz>?1!UZ1feYdh}G>jG|qQ2{4)H1@E%@i_7rJ)jW> za-O4=e@=(g7reSn74a42(+$L@l8;c!bU(zQhm$XTMxws7(_X?f(>28#mhI84Zf$KP zhbJdbPFhZH2wa3S1k0_E?^a(SAgnFpfvHqE0Bk^$zqWilpq#%VPp4ysjhjloP*f?+ zZYA3tFCyp3tJ?fb4tOl<))iH@Z$i*1=ZU~A4d)u-Qw6#{^G}v{rW)^0np zl#Q5_=E){)&GtW`Cf2>xcF`w>8mIugr zD&Ml$(WMNZr~3WXZ!6^T?8OWMzw*x(W>``XpjR)w#1o^(z}!@wk3yve`YBlYrvu#OT zr!Ao>$d>5Fr2D3VDFYB_kf%)V@zw3s3Mr!5r0^OzN=gOhaG14l6vSRSM@0vLK-HK& z$F3XaSLbHDEF;DMQNyd9*tU``nUq;b(No&N%8*vNjuN@yEARb&&6<-&)xO!1S41a?wV!H*g~6PBTU5E@Oc7PGITDW=_DWG zx7!0kmO(wGcOP*%5NOxCgyNE~TQ+_LGwy!Z7|tmiS4{9)Lgu4Xej_=R z)v`oG_+DTr)~=tt|pKB%pEu_X3l`6wRjU$@D>Zj=A=+vJmOio0GE zpY@(tClyP1&KhgYs)Z_2c|^b3X?!*wO*Ah;T;qb!epse3smjk6H4YU=Eon}lMP!4C z2*pS<^bg!MXA7J@J2*HzJw>k|nh#Rj%4ASKl!jwpuz*nt79EA^?{>aI=vT_JVqa5} z#)*iON(%Nd80N68Zxbp)`B^c*S2TH8SuQ?BbY!IePN!?CG?+9Y-bAjhZVm%2weSzFv&x!|6yC9}k)9KqdYGFf!aBhV4|L9@ni}Fc*e3{7g}{ zmRK09vA~h*WQ4yj|b^&(C~7C8FIk^@pc>1j*4soIwvMG z{P`{G5)}g=mIIu;zHP%IYUYdcd_J5n=34bYcRQJb*dGIC5_l}dS+53$doI(0LZe9| zdRQeN`$rO9sjW%nlNSgE|B^`Vz6SFW`NI>VePfS)8Y1!ysnV)XIH7|PW+6}Xd?w-) z>d&^x)k(!<)3}{-zn^FFakoG`6D@RgG82?sAl=-TMiphWoGCV1W92R}X!%N|EFx|q zLCm>LiNZOS;SL_>BO==BkvN#<6sQq^-$I6K~thdWr$1- z?{(nJog*cSKM23-vEucgm#kT z83<2=pwVsv|J;Ui(9krTLz0b>e=JBg9TS!TqC?+!KA$@I(MgtR_{dq7+R4%5)3g2K zW9JTr%`ER+9Ouc*o1&naGF0Bu$P{+iTh^+Rm>i14d!ALrVU}h}8ff768vSX*BO5-p ziZnzS)WYuYfy#(o6Q_~UEmINv0$rQKw{6%I$#6YMx-uIV`DGG%Rl}gPEZd!Zq;~#oHM#N!a;xPl|{^ zqP)83!M#mY@MM^#xFxBkjnTdw%Aa)K4NyUq!+@^OCnGvcqj?W%jV3AFZ9RF8jb(39 zN!8Ysze05V5ySSf_)E{#8~8{LDnCo9D6f&I%%|_B!}@@AV3u=uifz;a{Yst++y+v-l=cwPD~~*zBdZ%)>4V!|et$3;(M7<^NjXZ% zV-|N3#s;!-WSl%X-M*h}j$vdM7o>L>OXkHVr&-< zPK6qP3uC4*Nh;t5&d-TBQO&b)E|XM{-k0BA&>dF*iFb{fY|A_RnV0N=6<>HCQ5MA-b?*5O5FJDH#r`tv+!=lhbOD{;7XGA@5r=)A;9yZs$ z$x>vDzBiQ5qXqIV6i6}ov>w$BS&Duf*`YW^` z*y6~x$dwbLOj*B0E<}wS9Qe(cMuH}Sz9a*Xec;FD!9lZHMchOt6GriAnO{P29CPqL zMbk8z%q>%>`T*rOXz5lOFabSe=HeqvthxHMf`st{(GSTc0!O#e8Kn(uv+C4Xx_evl zHBq6?oP%We-P>xwLrQpzOUDV9QhOjmeoxbNnohXKSppRx$nfueR4W=4v`s4|=0NM~XU zoTX!~3(dem)2MSPhOd@=9>-4K7YAV52WIl~ScaSK|8(q&(Eppv7G*YyBxa+iehwSOR?|01xe*t`@tbrsgtI-(BzB0@I}Kw! zYj`dCF;M6bHL#I9CX7>5|749f zNLGPPkyS1=(x2=wq=+r#)NaIvhX!YK1V9P}e;5m;@p4gX>8`O);_Ct+sIf!3=^;IP zFMV%3LCdH}5&rooKExg^@{^f-J*nU^7{8X(B zf?&@2TdlctGi{p>(8e2J1Ug=KovlYt9v+&vX68CuLbSS@FMdg0Zgrbbbo*h(Q4FGB z?e0+HyW0(g-e$}AU#jRM;Gtyb^c7Gt^u-dC467ydZhWhZCBi3`?(2cVU<5%|h*5jj zSS!)=nE0xn;A42&M5jSY{$zN4oehSmgPk*(sYz0tB&fI(?Py~i*x$Qbt@zQ4+@l7) zZW!>>gk2JJD-CCRUi74VQ;8h#8BN)RqPFPexA|;>SQ>SS8g~4?gEBU5ej_;`)Em)6 zTfH|1WsPoqs*Xwn;PyK5;Stc%^WI{drxzJHFPrg(@tQhfWB}}dnHC3)*Qiq`SvpWl zg?pjErw1g!?om)QKI&0U_dWHOVKbV}0k(DedN}1V83v|AB?YZ}zSjIH<61)g8R$}G zy;H(q(@p{O!*;QN{b8aZbt_)VYVQN5dSQ4K&?FH zw*WU_(q^MjU`b_yFRo}+H9Td#XXyEU^PxTybn4{N}Ox;5W{c3Iio$TxiVE*mMm!TCpx=nuqw zl>WLiuvG(h*sl`va9WfPrKKR!YWh-Bd&4pd;>C>Lw?5VedM<9QOC>^ut7L5)B@D z=42~46Akve*HM&=e9ya;V(?4;&C%W>bb}EiAix1=CT53iHQDJIaWAsmm?wwg@nvrX zdnFiK4$>0773R{_9(UE=3;{6-NHxQxpgo)oN;5LLb6d&;R5+c&9&z1759IqugNhxn zQebH(!rr>)Kho2(DhB)Q6GtKBEC}+)Hvb=?vDi(q3C(JT3kj6J2ENY*$v2mPwBW`u zqx27lN)qDx8N_To6rV)jVvV&sF~3*u+yrO7E8;c$5}fGBNv?3js+c^2c0+G@jU5E0 zkg$sk6)Adl1`)(-bbcc_5vQ@n_vv~sFLWUjDkOol?l-!YCMssY3RMh*A zf299B+yC(}IX>v^A0Ok7gR{RsrN0lJ93StW(XWqSm{97}h$z}i9V;%tJHlhC^B2AX ziua*g1ECRq@z&q|BSm4Y+?o&6CMAFKb+6>Rf=_{4%nI)>hBa4$@-80CE=)>Sph|sF z+2gr(MTCyy@kEI!x@PUwsTqWA8m&qsOFVY9i1pa@r5zCt3&M^(FO_u&Gem!bV=sTC zgX`fK3gr%v9^(8Vik}EOHK#8gfj9egz{82gg2>k>&K8Oo_pp)2{kgRbB@G#Tw@?7= z27@zSFbrYH=EB?6{C~wB5pJi*FRC8Lh>YBH>5cE5>+(<_emz$ysTOR0D?D9hZ!NBY zQ$f`gKs>TR52F-%qv0I=5V%t9RiQE5uC;s{B=My2vfHeCAKC8iY+pX`xS&}5C}|;0 zqsoM2s6;JrZiie-=7ro0&l$`Irpu9TRTGA=9pd|F8>i$fc0O1qyodfg839a5J{M@x z>e&W1y3QNm{CZ0Ks|3hmObh(|YIz?kZq{{YiV~gS_KV{anC3m6*~CsfKdDh$Dy4m! z)VUYi@S{CS@#*y&JTLxpssv(!9SL;f-N~a5Gt8w!C2R383vcH!0m1I(`a6_Pxp`h8MVM!VY7y5g( z!D^aDt-*XwtY0+VpkH*+!af^mcc>I~g>EwXP}ggsON>|;!y@tncTyD;LcdHm6SFh9 zAoVrasWxo!5LpUztYIcOyCuIqbQwY`)toeF9UD;d>tYDEA1r5t75S|Dflp}rv;0%@ z+B`M_>lNJm!2M-D^7n3SjV&pplNbqlUaJ;~fvVf}%N$vTru!Lu8<&k(Yw@FG2aij1 z@0`b+So~2?LP+-dHWF=1Z2PUmC=10&5p67TO_2@GZ%Z|bbY2#cIWB?%NJcS@(`%?x zPQ!1E5Re9o86z!-0~xAZCg?APUJndnDoq<#HZ$$(@Za<$lm#Om4Gq6iBg&T6oJJDu zE|Y}eWLz4)N_~REc-I~|RqoIqnZD({0dZ-7KKDJ|hZKI>!xc4s;}?747Q)Ok;U0IF z)b3KWq1okayY6)?(-6yhvNYP4l`~41!U$Aqmd+rBYOX zgQefSNVcEHg(zrTEM{@!_Uul?^Y3FMV~5L)qCiJC*{ zR1Y?HnysWi8)fhdJN)1PH~$Y>?#Cdh)NE5z47Kmn6sUFUZeNKtp7>1`GzOpl29ULi z$4An}5pH3LY$YYiL@PD76=W-YvD}aZ6Dd9u2$emRaFYCrrqDq2vgmHTQ6?8AsRDhZ zhuWBAGc#Vlt|!Cev!)L*MPa8mt8L{uGi4VviSgT0We|-E5 z`imD$BRAH_K+2U3EpYH~lWlR0t!A?O;6VaEE>d8m;a9UAJRMF9<#*^q`bJQNr2Bpt z0!`IkEsiZ@I4OcI-ccju)$n3o(7U+JxwRZ)pJlq(`yR=#Z#Oi-1qFWz&%MH^ELTrQ z*<=_*W0!^Wwol2Na4jv#REtMlcdOgDUJyw9b{!kwi*C1@Y`^SJySV6DtUuk`byd3V z3)&blh+rq|I2ELOg0 zJ2TzBXp&4*xAVMLWHJ+Kj^7?+m{HQkATONIKU}piy$1nPEig1j9ZD?c(()^ z{i6#X##_RX7_Y!Z&(`onw3y-<@MSct?+9o5?m6_EzzgWTFP!LHsIRIIuwoW5UXBas zM&NxSW$q~`dRBS13QN}=v=$%!pn zhWJN(ViR8pI4sNeM45)@pJK2n(_Q{EO8DGK9kaC?#ZWA$>AsDBX{}7_TIxdMG*c@> zb~;6pMV!1zl9i8AV2VuagVRbhKUJdv0z^ZHXK$UdWDu@R)%R=hz7>RscAQN*(2wD^ z5lU~YWAwMT23V9V=lF~Bj2%@1US}C|P? zQKUP0V4|*pgZXurC|yK5&R}tUeajZ+{DH&TDbjd-12+8SJlPS~mxxOccHXfGnBI9Z z2j9Um6?zW?`?LKLt=TX3+y9Za|M_y4pEQf`_^!{EbQaZ6zJ0vHF#J|NE9otHq-dlZ z5+n7%u)YzDbmL^@D5|$2OxRt$5{!{hd=aFXwLKD)Kova_IH1ECtS%Pw#Z0vv@=Vf| z_zz2F+S-pr&FnJdouz(ms36SV&ebzPVqF+YLWO8uN*w^0izb zOFH$iZIX51^;S*Q#7T`$cZCES4|}dqS3e`=>7W^Qk%(dDj*VkWXrIfYj?*>&0Nkl( zg{skxEpg-HBnC^I&Xd~w9ukSI)UtPUbz7d+*iAS=$;WyPi8|BIqlEc z?S_RV3@V}Hk0GJdeGZqr5p_{#FhWgE*;fejL*`<;(?NAnvMF16blcKoV6)dWh)fbt zF?t|0n@=#efWVV*GQe??-C_Wzbwp)m)ma->Rhe~JmXMBq?5d}%vh_-a2$IRU^q`21 z#WIE+S5!0%y4xLB8bo$+D4=jbxnux6vw7Rd-eWXl70yWEku|dggKck&^!b

gAY z%K}nF*j?POmBa}2pXaO6C=r3sYl7RM_$i)u$1lx*0~S9gYuYGXRIZRTx(#U;elci6 zs8)YtUGUGdi;3O1w8C>Ss#v>f8#B(GJ7tT~Eq5R^mB#D+yht%;4@&>N6@X zNznMYmhj!L!#RPiZfd;KDj&{-{wM%SvGb&V=SX!4w8wTGYq+}*F|m(*m*v}rk=-`k zHp_)DjvQstprNR~r!K#kE6GiKQdye!L=&D=ERUt1mCDEs0iEikP3?sFu0G(aN-rz> z1e2<)Xu9{2P3zy@uF%?nnu(sGS4qLm++7(h6gV4)%ub z3y#y2Xn#!e0bGCH(Ml9HHX0}GoO1Baazwmm&{eh&j>Zkad4k2fyqe3s1+8ck&L%{l zUdhAuMUtGdEsO0A@C^f0fUpKL3gk@M7cFgvGwq}!_^H}o#Fm&{g_U}AphzaU3dmy)9e*DO_?){(~Nq=*v%y*(lSYr2?0i?oBn41pr2ED`=I*b#nDeSb$JZ&*N=^;Ld+>jlIrJSRAeN9nD_Pbdm! z$ihq}9ZB-WP`FkSv9`ge%*OE^PVs1@hfd_?u#CKTn{s%41et?J}Lz(LlE17k636lv!i;+ARE%bmgT0mn4PxczEgyenTb_VM);4E*jpK7BGpN@2(!qfz7QRQzjFm z>Oij;?UC^2;-BcBOir~I2t?tek{iCa=*2Mn`=qyjNaSzbZuvt5@yOwV*h9;8`^Fqc;1e;U4Ng#uk zDpzC46e`yEtRwIzrabLg!MORcP)%I(R zJF3HAGkwQkK;M1Y(Cij;TQ_Kb*@hhldUpyVE*ja}DSV=3jP=2%VR9sLpk|X{mf7UZ zS3cNZO@woN&68cXZxZ{al44W^r{Vv1P`*)}ry>lY@w-3IW)MtA|zahvs3dS-3VmBKNvze+LuybYy6}P#gQ$-|`ZA3Duf2kM- z-5sk|Ri;bu2Z^Zyb_)U5IUn)%BA=1gL}gim3Dn>a2Dilq&>o(SZ*S6DWgA>ZxaBYr zVT)TW|}OiD^ApX(%c->^$k-fMLU+u%uf1&%k) zIrwTj%OETj9lEO71i68xpc@sN3YmK%>2(4gzjzqp!PQO%b=P=pbrDYRTU;cNT*GU4 zV4MQ+T1*)^l919Uwb6A(NzFBj@o3yZzXCKrun>ne(T zvRwLoN5+jsqD1w!D9;vjw}tPzrINZc2KS@I5Xd_z`J5pK+C2RFGL2r$g>GCh85iB% z90SjFc74vaPTbudrWiZS2aPpies6&VJj}MrnmTeH8Iau$6}=1NeBqrh=xXTQQG<^Z zJ`sjpH`o{6OGaH+kb)k84ww-IZ8btSsghuQCzM+kaY?v=7Ky|gs2I>Aoafx(g_6l^ zc!^pE%(XM@_oh{h^P_A@K7uqsRtvD5RruH6*`_|6b~u4LG?6A2;+mUDNN|)ehp<1T zkq+0lJ(q9WF%M0z_v-icA@zT+{_g8G@y8#`b22{KyVa}jGG{M-N!$P2Z~q5|#(dc$ zmQ0%9e(ptf;$TFRQn&MCBO)|&7u3#17fZshA3q9c#pP&n4zd_e9Sm%0iM{Pj{hc>G zF#r9cQ=>3ptV0}Mkh*CgD9*IX{He%d3vxM+X^n_p(=mUbeD|A|Udk@Vb-&YRucu+& zM?X{6@G1DSn+!}Q9Jr=2CqA=D;^+qP=A<*eu11I~npU{+`aAmh;ne(g#@;|r(^>B5 z8L6-&W^!^hshI+Ld_F6Xk+EHxkP%x}GncR?-8!nnQVPGnn87P)ItFk)g; z5H4FP8OsXsk=^5e<=qhu3fbLvm`5B|FU<6$$Y|LyPu z@rSWabz^uj$S#szuRk3va{RZ-h~P=LcF?VXw6cMo5f@Z4QH1ec51Ksa^>CkWZf=@C z_x6%+n)FZ}Jvw^)#n&}k``mg9dBIz0#Au+!l_c4p&4T|BS^XOcE(@IA3>vTBApFIxA z>s*Q25;i`jK!GXo#`*Kn?4tpY>Y#-&#cnq#bb5Aj`2RNZomP_HZzh|t7y8#z*mOCDFmA%LChod>P1*{F zKA64WUQ0*uAh`h0cxbv+*VRl-7Cwnr3D}SYx$ro!lfFX)g%2v9QcfB{N+u@Ls$t4FdnR^jxsENAx@^YwNRi9WHIfPrAxX z;t2k3HZa*LDnT5H-!X4^{;LA3;qVzya>a}g)8RMhjkBiMzc5>k?O)szU*8@y=yAUN zOJ^(TZgx=jgBUK;MpA41*`LK=JZ3fn!;kP?1@jO7#%@$evjBx9m|sYf4xc}La&mSG z-;eMu&ddN&t~KHfH85>-p~HBfRySC2psOp6mLsN)TfR$c>Z;oyfSi||7hAv7Uv`_@ zUHoTf`_jz)cCxL%*WrJSS|j;$tp7{952b724(C&Hv9ezB=TAN`CHr9IPN;l_O;Cxi zzYge*O_VOYQGw#kWaKisnyi$jchj9O7Sn{|o9ae2>1%qsL{DZ15?PS-7Gr}^G=*`r zZb&yaz8Y;Y2cYLVq`Gj4yWudj@KE$kjcQz$aHLz-rj`8S(P>>_CJU`0 zJZs}g!ei=iqyiA5(Xc?+2K$W3eZXMan6+wmK$v%fH|8J?;h+E(xn1TTwkt@7cN zG*ujzZwU%)ZL!;7=^AMVqU)sG5AoHzNxUKxynr~z7r@t{9+26eWvuHd2IHAzRtz~8 z*$QEgcmtJo!JVHt_ih(y9roS3Zh^<{)=IhTZY{b0?e-vhvpq(9sW{L5KG;usgKr;! zTnc;7GEDejeBIlAm~21DxAE8BHr(PN(;nD8aS3SK&wcv3=B~NxZ2z~L-xbs2`pu{> z+sbLV)1-W!Dfw+D)|47 z611}$Y5>-kG(Sd^l&Vp#(i6YX+dt=QAEY8%jEBE2h8MRALC@S=M|xa0T>)XoV{P9% zj0(1wv|lG*Cx5nU`s5T!3OQ44oYMTsTO69t#Y{Gca(KT+gr)wCyx)4EhcwMs)ylNR#o0WskNr6 z@gx3_x7!N6XJT1fXP{Cv7^(UF$PG`SF@3vIMb7F-gvOdqaoed%SJYn|w1s<9xO&z; zqKX)G+WCC8=+7y;4l5`TVLaKQAPaa#oZ?nG7y#kOA5=e}QkcGt-F={1@IXiDmZ`!Y zWVKfFwXH?!-_io_{U|4EUJ=ymf={F^OrOZuE_$=vNF zYxN!{3I(st2QtU)Z#hWitFQQP)+)SHJsjKKwmVzf=FD%B1~=Js>$iY}|DjuJHchLt z4$!YnUYKUm{lgy~Y`fd(XpNn}_AD~Z|4_5IJZo0`3_Bv(tG-L#bpzvNx7M;B1;XOAE1QD^eSU-A=2XY<8$vq>~=2EPNrTJuIt`GM_$#(6>v1=@gZlBH68??G&43yXRe3h2OA&7^Qu$N|@(%u$(ah>b>B4cF;_ z{hY`OrM>VbTY}ZiG@manH8nE`ySdGCOZnFk&4)5iwnvy}Q3CQgiII3O5|Sr@={`L= z(6Fo|`F=tEe}tw&af%AhV0(2%)<=$jrVh*Sq4pW4LZm&By@idMo1tsR?|1HZ{zSLi z5M$`yvLCU&{kpS5tk+h1t9=2_&hx?j&enV9&#yc8yuY*21wN8P6<W%cELdR(Q~Cvd+#RuwYrT~a?jJHYI(r>Y|KK=CS= z4SJX%c-@8me0p?Pf`{RK2IKq?NX_e%hzgwlLG$#HpMzu!mYwW+8#w$KMV5L*heJir z4i4)6$J>2`1jEoO;LmA_>d{H`JUN<;Ae`#}a|5bdpNTHeY_XL%`?!QCD$O-K=Be}h zS&^UjC0IIziZO<&JdhJ30ZxM{9AG#~ zCOllu+`>Pz*@S{y7kRRIcJd6aCE(XKuqFps{`mMAy6G?G!%;2)v%aRjlbmpaP>Y%z zPsU!WKkOf$LbE0TwRm(!J1lOUzEfvRv$wO_qr2=Y^Xn;0`Qt}Pxq=TTJ}MEAUnQ;z zYsDJLX74IX2R*^qyVw5r-pj9gFVexw(boIe!`=|-U9(P(qOLb|Xac2|1=*P9`W(TyZAet#g?7Eq41O4&JOC zuGdd#E(ys~$$y8PVPMa3GMNq7qrQ=)^M(iPTisw$1|9Sk0%}H5Mx9pzVGxbbh5nEd zZHbZg`E)q9F0d`eP8lE;Ic=XmeUqF6XGqaaL*)Jn^Ap`AP639;mg~s8!j8?*FO6oe zeVo*HTm?NY8gpk}arP_TN@rb#2JFflc6C{RHy203A*MK%*F<~^ovOY4KY!AOq#*l1 z)79vHhFa|_7`w3+Q34be-UO;roKCYOyPUyq({xViLUleh0dW|01rI?C?;ZSfc<|TW zqx~O`Ft^>=Pfs2iJbv2u^(Wu|--pj0k?#o1l0}_s?A-gc;hQx~rXL}8G`kGEl59@1 z;Z}S2_5bi;3?suoV0zkr`Ub=U`-zCx_xKtp zB#iO`gDS1#_oGw9#+t&;sWoj(b&Sps0eR2L`to}QOI0h%QS(}kuW=8_5*wHU_gxSp zWq75#Qm~5K=qp|qAX~5`(@75eReOJh_36FM zJ;>}ltoQP0DnEaPpJJ2xfYHjaOd0OUp&r|1;YMLQuXh?;)P4D9c|AT1wPLR%sDMuv z5I}*ljkgBx-GgW`3FsW2Q+gDnkBT9S?tnF0szw++olZ5J43CUJ!;en8ng^qsJU#3t zN3fAc24#0e=X}Up^SAt^9Ael=j5!#LMkJo|W@r8Y$~+yVb3D9l4NbNef)m>TM*_;a zKq=@ckmmWMKP0)`5FG<30_AlF z({-2MU3|RMS1o_I_|nr3_0$^!bXhWnb%yB2U;h){c=G$dwFJlw=B2u!kS^M5jvy1C zdQr7fJQ+g{^8E295Bpb>ya4x8G7KnRHjqwr{iTZT9JnU?SDN6`3VA#0rNOipHAV&I z87~!8uhs9@A~!YL#kPMrm;l{DU{@Hr)@#)2UUzDZ-R*Zq@_kAW2G{8fh3RzeCI2zR zSfVgt9%x>rWkowjYuq0E^JxF%ulRFYUQ89*TWnz_MGfVQ8)wKrjv1+Sh=x{Rh(?p~ zrDhKQ=Ig|!Y;Ga3mKKmmr=y$nHb;9ratwrp#3@j=cVASJms>8sGRO0%pV#x5jxTv6M6uj6LBHZF%{VM$7t-&*kT?^X#qJINkB~_GOrub$+Fj zZ_4=}-Y(S8>Y;DuVi*6_B&R=fTo%&C4Wp#8N^pAfpYk^L&lN<53 zq3D1XvD$FBfX*Sb4NgqUAiB=c8I-R?ZlLd+L=v&4)7b=e5=!WLGVz2_a&kOfTGDKC z-ke15fHllzFU_@fC;2H`%!U}uwu>2yuhGbBY7>~mB$xU!4BkU1X=Kp7f!#_f^=a*- z(P<=`^00+ADdfN#s5%pbXM4YlVGGd-p?g>cuMKya67I#|Lug0igheBR$sV2+Y2x17 zukYR0cnlpv7y3-YHU{ca?xVhvV-$@_8^bbU6Z zp}bZ@I8sS-zEqg@x_OeaFr7;=EK;ksU7zUSmN=6BswfQOftU3y8VqDM_%PAkBnrcko?R zT@>*`51mOzV-I?QKg-^+_g$q7+ORG3Q|;$;NdB34&P^53Eiz+*pi%hQDmJ*Rin1<1?PyQWxrS2xd z^lnGG<(QEQ=Rp|C8Rm!kmpW_JRxmVE9F^~v?HcCTYk;+SJRuptJ=1{ zu0_+(hT%C{SYGSMm&Jogncl+mL={d~cusenvD>7XvU=ITuAlLrs+$(kh03`2!mSBR zgHtol;2s?%UnP`vAbc);rdm#DjqUAdUTCWw&gD7C_^+2_i7F0buNE7d9g;h<+nK;ynn2i|kdw`P}=a=TsB+MicaS z6O6q;*aeyURiTN!7zjZ~3eTg>WR2kiluq^jVlM2ZO}f+k#AHHniJB&1*1^E}nK& zoK9hrv}YHlU*f>#>?)ePni*_)xCec)=nD=#(+0RHZImqa|vCzQ;RE)u<{_}g7BP*w}iB7^o6LO zK~`SiSGUQ56rFISAJ#hANs>p%AUt_|{C7foVlZfm>g85+u!Q(WkhBggKAT(!HY!cV z3)1idc`>lzXdlTW>FIFH`XF%|VpYm$;bf2f`DFj;)5DVN( zGmcK6vI&tVE#5qRjUza^NE#rWH6*__c|5=Z5CjX&4EZ0Sx-icd*KWF6lU?nGQv$Ht z%A8QWhIy590SV%*lgl+wA%(Tao z4;anKJVdv;@kPSekGS>36E0G*9TuG9cjL^(KN>liGxWpo1EiuK_qKfaNK(^4Qc;1 zcNu+ z_V@cN`F^sPjTtX2oexnh>F}$l2zmD(r$6;%LBE2-_@PTE5u1$5hq>6ACDE-(V#~lE z=+buZ=pm(Q-bnrLDyd_J?H}F%y-zcaE#xWhi`6CM;^a90m?8fpQGHH0NHuf6wE9z`ulyFZa zkDv5@Jbvkwz?ScZ0PNjbRnKKMelwg+#@8Nd$v~5w<_rx-M+{F9UL75?FL9xwIg-1W zIuip9`46)TO&S$yh=6AJ`e0)V?lN=X;O1PGf&vcGb=sdz^l#iQVa|+3m_eeUn`a~W z87~-2_JYTm5LhVUNvI!nu%+P5xR70@;cRY}OggwWR;+ZVL$Q%{I=+a`hak6O#e3aa z&Ea1xNWVen$Ir9U;#d52FOI~|iZ{J(@RD{6L*mT|SH5_1n*2HAiR?}Z@<|Ao4<1~| zt!I?-qzV=lpG9K&^PhXiXZY3L;gcV#-TF?|`5UcU*e&ih^`5oy(7nH9u=_!D81}{f zgZAQ_C^Gv7@Kbii+Dw}!p91qwu2o2`m{ziR-sF3T3{1cXnNV&lF2$hoHeW{Dno7uA zQrniT+V*Ena=jB9!kKH;F-5W&ZuXmWWsYJ1%SW@wtC_(J? zVl1hN$ierGodN0yId4=2=U)6kn|jaUVqz22%lXYj4Q|+RZe%y19*|-d`wP|h!Qy(_ z=IQ82LwL~+GR!KDM-a2@!X}}@c#WD*ij7m9h8Z)G`bNuWcb{DO=b5_O(AOGyQoqOS zW6QO;_t-U!HF(NZgm( zl%}En<(G}_E7Poy8E%L_Afz_dHs+=@{pb|>_QOZ_jkDUg9YYcz)5zc3w!i<-t(kJ9 zb-d@hInpdTa;NFjvoYL`lgsh&p9Dk;rDPZHBG1690?b0P^X(t*`(N0JI#Q~LD4rgY z?GF#aIdH+~>vDaa4TiMYcdMSd&~6d44LmYVM6v58SlE@{cf0lDqsNDjpX?T7$P!-N zj!46Lo*8;=w`GS10ip{zs`BB>Jw9R+gFt5DT_SQCToO|_FvIg9uywb}Y?G`wYgQ#c z6|Wn?(A$G$p7kCBCuGkP1~QoQWY%u^OpLP|sP^WC-6Y)b%iV+?!C$gzf)96J0S7iq z!g^?WpxsDIOmlXCwqrwksIMvN%+!@YI539_S4~obp3q~*rLR^kYWaa{S9u{rMh%^s z=2jF%0SRgQD5Z;lZi^}hGn0skQK0ZUW(KBTHUF@8ffta(R_(-(ScQ8u?Ko!4G>`w( zWdg#(RoovQ@9q{BV<;y*pk9}Jz-ysu{Ijb@7xiB^7u&z-L~O4y3!&S$PJ$T~TyZAt zJbyqNh2OUPZVPGr5OReR5CZz?G-nBM9%rsb2Y!=s^To#Me%vLx3x4mHucd#l^^t`s3tH#4DBiM4`q^}2a$jd#*O;sz?9 zfW;mO-{B`~PDR{x#Ad{lpw`Y!+G2NAODK-N89vCJMM(u@&b4lV5fV`%Xo4E}VJKX# zBXzR+48=@V%Z$iKI;3nT_#CZ%4wt~|9ZSJWFs3YaSpIfm_O?M_vtr&psqX^#ex{-M_^8t2;ICfnOn?jak)T@u1| zjCEY{39U8mt_)nfkvLT;g0rQlP_z?`N*!4I@mv&}{i}3*nYlx8#mKi^O=_f)<6GOy zFi;A6XG@zM`~t~r(P2Sc7R=gumEGO$mXP1Kqh;Mt97m*GI(a?=SzJZ?!PV<&xw>aL zXKihaCyf?RyMD$RdRMQ@Y!tfK4hAIfQ+PSck$qvza5+{futoYV=zIfpz^Z2CblhT+ z3D3Qbq+HnSw8Ru;-)RK9Bs^lBV0YN_JG~j0sjg}OJm+_#9O6W%rMNE^*)M2plk6eY zq&MSa!q#&#*`Q)ifm`0Azrq>v3xxi1XoU3#&s~*HNa75mFVoXO<}s@U!XAyY zewOFz-x{!?p?)>Y*W|w!z!MZ_P=gj$C#^2dv}DP2@hF``7Htz20Xe=(>9{MNgd8Mg zLZHrAtK*N+s!!9)9f<-6eKh* z!w{JyGtOZnBL>#TU-tY@fy_p)YbI6cA=_loP+>;jdy~#&?pTG25deBXg})dDx^0VN z+OXMhfPMmtF*`+jIn}&|gLi1V?afwCgC^P0unL+77`)$jRYDP*M`*vXAL-Wpw@NcX zEW^d(R7$zZgq%rfNHac~jN5G2A+vGhyR6XFcp$96mT`>K5pY3@*CCiY5c|H*o}4Bp z-$0E)wBIgE5cb+~2HU&4z({Xz8%A2JY(WPLCo*J*?rM9Xn6U*5uN*97%;Gd-xL}SH z8f3ogSvlJkwG2^pf)oUPk4j@K47!OB3}2^O6y_!6aU()s8a9%Ks=MO7Y2?fi=ioPS z8daSmE}v3@GN} z;f$!v%>$lYU`bK<)fzX`W}Zc~}ljnf|jr`i}aKfR2rWnY-wZ=cAyp+k6`XbnxlNCE@du z?!kTaLt|oyYDR`JV@?YqGn6}c=FUQ2@h;Z+SA^q zb$7V8fvLrZM<+1NPxnvu&z?9t*n6Bbwj1^p&5rYKw-L{08_Dzf==9-}(;&@j@8SRb z@##~3i0rO?@#OS=VMk#7@ArYF?jbm2@AU7dXNQlzVbcOO#<(@07_YQ`6tC)*wWr9VRdoioJ3^af*Gzfl;5Gm2QdW*EAQqWh{A zp2^;m-uFk3_fP)rFkkw}IhT6xKYz4;eEj5K6Pbw?GUS2|wn?Jkf#M{DAgXjvY zqhPsjfh!s;rUZXMRIAE>{bq)6W_oj)#RtN9XdRD%V0I46I1edKiTbe_CNnXuVF*Xh z;qtwb(q~f`{tGQq;tDkGd1a9%qrF489D+eAYZuE(x&Bp#?ug3^nlZwB|1+H`Lj@0f z#tDi;X-#rM3&rk_eygZ#Z1Hju;EVU}dfvi&)oF*~wAXLp8uiPUnYQAkV~_=yj7in% zuV86e&IeT}Y;w6o_(_KAbf1uKo|#IhhPi5B>0u82suZgvo_y}}bTHr%&nG>o=yYH) z9e^;0YuGDt#N|B+suM!R9jfzRTT@Q>+smiv%~&_a7J7lWI{_U$M4PgS_bRL)ye2W< zkvQ>hBoijv{GXF={Pgpfs~+`+L8kgYCx2{O;+RQ7@zHJX%`hKQ0?7&RY(vB-@foK` z(Oxf|!(l#0-B)jOvseP;CZ{je;`?0%z35Q=)lNp}r_)NVOo;)R} z#-}HTKO8+bJ4t=lV|UGHu1*l*j3)`4_R3m~-dIR%#RVCoe)yl#CX$-tdR>b*NcbbR zt(6U8d1wmxiz+&zC7XC}!JW`o{S0{tz7+Q}zB1T%@SkYf#M0tR*neP3%z?%zlVhK< z$-!uosYLl(%_Ao*k_%n%kR4~=^bnX`J2ON3GBBj~|BYNK@zIce3z$t+G#S2f(_sO{ zGqTylR%NtMN7!|(+ftshNfU-XxlQ^M?94Y9<&hI&7^TXQ-~jZwLSu-;!=jZOqbpEZ z!fyJo`4KrB@A2s^si?>3(4#tL6B#klZmHjo)P*O|afwtza|k1*qptblBEwY8j1RZ9 zZARALyJynS4T+aehHy>OiYCLazLFGl)k4NOnx!Fp%-_Z!l~mrj8tO;}bvG}JB#VJs zl?~#B#nwT{YPH1}6ON6D10cI^4&@k~$?kB`Rc-FHjI`B!0A#)rq&+VZgGy3hdid*2 zswr^wFhP|M%O*gN9gp31%omZIEasE(d^lcYE7~ogGEEyh;C_q<;tkpyT14(tTmXHJgA~kNUggq+p#bl8f8*IG^VSQ!^LXsuvIW8KyzIyF2_@V@mAt3&oELANm zkMLr{v8Y$wxRO@nW(V#Sjii|M6)lFH_Dt$-cVcB31)mB?0a+QXse0d})VuA$mnohYJwFTVOp2-r(FUWSbOEqroLYC(RIx&>=vNGnr3Z(;GS^ghIUm6# zO|zn;hT=kvx)E&EK;yHldW%>-GfgGkEuF29PYybAPe|JvYlMv%ePiAP5ZGV)FOAbZyl_oBcQZ@0BsWnl$fPc%XQ>RD*(FN** z{IF@e(<(pXSQzu#xP|S9OG|9mBD0_u6KvWXu``heZAl7)DJHx}c9CTu+LXZW48+58 zelzUL{TVE$*_-zJh6q6I$4|~gpt|yQIe$B!IEN%Sfl4U~gIh{>9zH4k9NuI@aaPOC zx81#~{DBc%BZtEoeJk;f%FYs^T$nayaoiPBNvt=?9bt@Rv1V);S-illyOm6tqY^vO z<`lkwQ+GACJUjwZROt(Ev+Z>bJ5x31VIQ@XC$ zEGCpXW1E>OSWrSeX)74NGE)WHNvOha1w(AEdx_W!#M!sr&0(xqZV9H;M(uKs)h?<_ zD{5Zu(i1(9Uk+Y+9U(4V$c zOWHgBq~qyJha;BEVXw}J!9u4-E03F|6$am?C zLY-AfUs*w;Kd6zv8ng0~N}Au}O|Z$o0)3OB>d z0y0pz0ij2{m8#2p3#eyONq}(vVt6vEc{XDbrcP=T8;5IONfLduE4TRv--DvM%x{5J z_JNbb1K+)4i6a$l{?pgPX@WLN38cdU-VMEhh zjwbgnxKlh#tFhLS)WJ=br~i-x$^4dFiMf4*(}U|32t0Xx!e8n%`rh~xzE>Z_rvD9^ zK@;_1Km0+>NvqsiXc`@(&AkVoGOfY)e%o1HGO2oX$e`FiR*E`PZDzGF(=hwZ5~}@y zd^%4vMz*D+K`KeS4T!4|#k>Y~Cnk+C>rF>wQ=0TCyu#MvBYnYIqZW}Gt9-?(4>b&j z)JLjJLhtA|K)4w6MI3E8Nt4Zcb4>vYLax?wp)%V7zSSeN8QmM+4k|q8VH&RoDtwY{ z^n8IG?d z>aFXXwS+~9uvSJZn+(!h6|OGwnOokTCPS{?=?!DQS-d}-;gMmlvc?!HYYxC!DQ^&! zk`YustiNVB*5Cp~4oN!s01r#B2BT0jaN0MhaKfCces)D)7x?V3-*y z>VZbWlH_Oj=I}m%?_8=JO#U|Bj-V1o3BZeCMn%y;*zT{`(gQ4;{EBl`smLY?oZdILe#P~Ksxm{;2sMd(sX7Tji|u6EbP7=3!98q2 zk1+6wzXG%Ot2h%>obhvWbj?&MoZ%SdEg~7@*Oc@ZGqmtKun;iU71@wN|4?hxa-tBL z*4Dzp#tIHunqm26m&`3ui=Ri=%B2;xnebF8BMeXEop;=%hk;5}tNRL4J&-z)n1Cg_ zCI;MTlWLnLir;)8Z(gdVNqF+G9r%jVjaK521I;q6j!&|5YYgmDhBcMyks+-+pjE?J zi^^3>NL(qQ=8W9dErJNiTOyrplIlvq(Ujm2fpi0GW7U-!*?C9R98Ult^mxD%YqDtIb;hnF=Rul8P;UeS;{+reu6k?H!v zt#oIVq18;$8ksmpgI7V9p*CMoOciVpN*P8hA^En9Kja$7%J(<0(O%XUWh{E~w#JEUMJvjNJsn{duc zT~qEAPTA7QVhnVKvN(`nCWODYv~RtbA68v4(+eA%zD%qydMQxw zJFSf2v>!Onp{Vm5Wnk~3f}d2JTXbGD*HkOveqbLAC4~>N(E;71awu{=H}B*VZwlX_K4W>e8Dw`horeUoDOwVpAv%tN z0gTguz$O&!y~u-E!JaB@DU0pGd;+FSH0sMt=ai>+*=)g&Wi!^I`~@_&;)IwFrp!qd zztdqaJ6Td^+>Tz4U|!sJO>cXBO6Z%vxriHZR(@(mptekRp$?xPo%Md$KRSMPa_G-U z?T7ud{o`73{AN2$c?gj}f@(?NooCrVqXr18wM{J9tSxIR8kpxcwwV(z15csV+9s86 z)}VEJU-AjvikZGMTa48oI`nICA4u6*G@5HEzOsaFyaUW>r-zkKO3uz!X zc{;jDZ*zA4P03xRMfU>^2lhoa?%y&@(-%%?v2||x*`M%1TPf4aA=F4K07!#JUz7v zDxG&>6!iA-v|mE!WFLNpP);WdW}Mw{4ZR6$8@QF7CWBj!C)&Oas;yP%>ufngYT&Odzql|?YI6h@MQ<1JlOBOy%U5Yq;J2;jrKkl~>|EdhUq^BQZ zYT@E!TGw*(MTgCBwt+*PJ}S`n?qn+XOcQUx;l-_?Sm(D6V&bO}FWKZI?&J2>U+jjD z?DgQJ6n)(;9kSGHX><{OaJf1e26vgv+GMA)~^3)r$NNt!N%Iq$8X= z#$aK#OtKRKC2S-O@o9#MCDZx=<2@#hA0tMP54iOTM@N}Lx1s{?aMi`Gs~ zDOm-j087sW)=>Au0Dbc?3D)%xze-_k94&_*m{Vu53{SKzC;^9DG+)dJJC$dP(?s$_ zpb!TFPp!i}c{a}SemceQRJRZ{!hr1q#cIb+0$)fS8qPT3S9Wm$2L!X7N?>0)_j6N9 zd#xld3|WUl(>g|6PYK7fQ!br!bKY1TPGoFmnqkWG+wvT=9ooQJ(!ptr2TDTGEsHA{GjVT(P#J&eF79n4D+@2@T4E@ANLM^+CMo> zYTa75n{@Bp+kt=Y!@pm{zu&;We}sSk1poe9_ukGu_!r*q!22C|zXR`g;QbD~-+}k{ z;r)Ghe;?l8hxhm4{e5_UAKu@G_g};Nui^dI@cwIf|24e-8s2{m@4x=HTA_dY2Z!3b z|KgrWV0?86#EPqU^P}bI!oo6+`^iu}HxA$+%^j>(i_a^en`En|_;d0hrqDMIaufni z&-!ZZHy$D4281_Uc;R$xd^q(h7W!U@cz?POVmELo9j2S0!@J}wp$Bw{`*YFF5~@hB z=Yy&v!|+Rrz!A5YYDGr^WnG3IH+9Xr84%EzG%-D&z1Fr`u@lh@oe@w<)Z~<8Zroea zklDITN26MCxz$SqM}Q~BVa{;$eFDsaD%NJM?;)$l9SJb?}34RzzsCkEMv8hc%B3Dy#Kqcpc#8%M2^2t zFsN`q{$RX;=t>lAYxt*6d%~6Xjc_z;oEes%# z)IwVre1aF9n`-ET8Ga7`fv@EAK`%WY!qYFlAh7uZAZp3kPe-Q-NLKa)M;iLLf@X1z~TnSd$z)fBwVq{*R{uXYY@0 z#pKtDBeQ9tfN|y??p-Fet@m5qqz$d^0iX5aUi;r)(to-Mynuqz-#sYMfBW_uD(^iW z;UeL4)h2O27kOs-x;LKqIbN5Qg|iq*2x}MFrUyU(^o~r9eY$*JoQ$BH-BTfa-rHQC z`p5L<>-$^F5`R(_IbL$usyQR_VOSLPj?$>$@+)$R8f01y(98zL6f@*L!9Ywf{{S+b zXi6cc1dO?w!@n5DGD#Q~1>yK@1EfJA9iyg5=cOmV2Dlw4LHK~{Pt%-^fA)4hOHC8F zo2h6<*iRZvJ{-T9aL&h$DN4XIJrt11mlv1Ty!+wk`J=;Kkc^?J`C=@IsOKir^>j9Y z8M@AG21&-z;q2x!JO!pL1(V@vq@#6}VpNto5pxDY%s4O>#3))|kYP<5v| z0IIU2+pKGVe&rX#Y|wJxVkC)T*lk^baQ+L&#q7UFT3QfUy=Rm3J?zz;2Qa@V~Mv!K0o|%@Ld~rsIDw1smXOyEKP3qlv(%rhBZ8rzT zK11ompmKhJ_?DCwrl+I?$5%s~b_&y@{*#kQPocdyKT%Cn-B3;$pn24`(!5%=!mUoY zWm;j5<)~InPSZB*E*UJ`(1qXHip-4-G%@v$Go*@BxhX=J2R0fTmBF$7ClsKpezFPi z{CbF_%s5NnaE;K^vUz4H`O7{qlA}5g>fii(?dg_>PLNK-`}iHbZZB_3Rm~PxQouT(d}9(?jPR6{Rln9#BJ#oG*+F$ynQ#I*7Y4rG6dDlY=MGr3{V3T=kN4h58 z{t?xov&rJ}Dzq>eTqnsyeyx1cO)89wlgPPN-v9yPa*p~5LuimD*LMm@xaA0`TI3Sv zd_KQzEykj*t>H;lv%s&^ieICrMFq>)Z5Czd@xWt$P;d$w5Da9?=5pd_x=QeBQh-XN zzMcsb1#48a)T2_~AC3zq?EvD=uuPT^$m`3YEbJ%*asmWdy8SqYvohtJ~hgqj>O(j+vnc$k*5w)9*}XPEDf zbV(TUmGt3a28<@+=rrx&@?e!w$1+G~sETP?fOS-4)kQvI{Z*y11rv;fzB8JeR#E#z z->IO6&|Mc(w@{}>QaSQoIcEPwt}{iS5>o#M*vl0oH#>_}I#@^GV~!*c09Ve|^=S0w znyPLj2cs16g>}skqw4thZ;w>X)Dl=aR6B?($Y7ZF)7bzuiQGh^O${cz{0bFJ3X8!+ zZfw?MEZ|DX!15PO1hqMfGJYb8$)C9 zHKSY3tE)O6t!(W-)U#2FDuBfpCBfb_n2w4SY%yTg7j;46NBHm)^ytB*fIEf`EIeh! zFJ~ncR)=G`eHNG7p^WmheeGNSOF;?rZD&&Gl=#CRVkLrh%(#*W%@LW7AZ^L@ZE~Tv zJT5qsAw)Q*6c3aXdX8=@NxnF@;oru0M%k&3&IgpCW`+FKw&7oF?kycIw}|q5&YaPR zz6b{G3}=J9*>H~$kK*=-P{V~=$xT>phpIWNS;u}jtyeXSefbR(&2_O%{M0gf-!g28 z-(KmJ<_z8xl|x_gVcz9|*e@L(*gp@f(S+^K-9Vk@TvVc}mJlwh8o~PGoFw^C1j1~Y$JPK9#6(?ztQ6EE%z-ytSsu40M~ZDc#!WrK%`H!qs# z*!8j_0p z1-0CpT~xdgh4Ypq6e;>{4+jAO_19B>Bi&EM6+DWq6YEAErmOgTZk5i0GFr>IJ)@#0 zZqL!!ujFBk;@*l5QC)<41?08js>o4Cozt?;K4p*B(pWVD2wV3p$RBk4KLJ<*FL?SLxv(gg_ zokk2&UkPU?YZX4Bo=1(hz2pmTKjIT_mw&@3P2($;U(FQwh<_!OYVIZ_G9gq^tu#yz@Cq|>@$z@UxC3CCNo z$WG(HxI0QQBngo&7IVxdRINnr=CI)g2fvV6GD`>qSkb{bkrbiHW)~@01-u@j&Au%* zd+48U!zbNkbYw>1PFsinDk;jso)#5>uCy!^@{3zhD_VnEfvL=tJ*+E*^HHHR$1K!@A zWxp7@ZI!4%>@RU?q>012tPeKg0sV{hpv#ld8w4cF zXOqdibWGKX74d>PM)+FFdh-TAF&bBWIor)^4=vy~U-i-ci-}%PCr18O6<7Dk#pq?X zY(hj=ImkE+JF~sBlCSD88~81rV^-r+`@!ys*(}gu_LxRkBPUYJN{d`F9E~_C@QSu7 z`{HOv2*Qllz?j^9UW7C{c{Y2KX-P)1AEP@bx+9Mk0}M(OY(X8_kd0~n{Nps0tpPmQ zD>txsOn+%Ho`_l?`UIl6>q&=AV~xl>TUzlcp1iVW#MJ$&et7WH6Wv$hncm2^wxL_~ zt!*f^)p%v5Z8u2Itk&Y%F4o_*!qV<;Gw>S30xC%cN=Bzx!Y$SO>00$|JD%lTu;te4 zi7j7?7%t1n=V+_xUa+ISy;RMe509^7cWuE~c!#w<&nCIM*z)))9ll?>*%@hKh*p!}VW>f{UvUOpL^ zUa$#xr}N_8&i$9BFDFt8<_2#%XBmbPxh!n{DSN>?tW-gRZwL{W^(?~6S2FKUzV6(A z^GEF~{Qbu_f3h=nfFeR3IJx(F{rT-Q`>4r*ee&j;&i%!W+0XdId>=E<+`!=V?+oevV!E<3nj(r zw^Xd!kW^c^tO@NdtecGz44!*Q3Fr*tLPq@b7K2TIS2_6VE7L}Qgdm7HBUZub8DEYx z3Plodqx%~9GQo2j>hX{cBYziLZxbvj$=BYO#h;j53gKSpZM=v^AP{@Ykoc5+xq>dM0nQnkc3rg;KXMemNsPB#3lT~HAoG^ zo;fB(7kRfpNgLxy`yvIAS>g|HTH#MO9HF$Ht@0VzOyk!SGMy}#Q(A$mwEr3duP~HJ zLQ*+^mAsQg_8U0K>9{_wq8w5aoDh@38E>eqlxu~PuL6u4BZ4jsE4GFkjfE<yNBQG)Wlwsdaw7Ew@v!)oDeIOiLw~#(uOR$;wzDl3 zUk$-5wV4^Ic**8Bp*KuB7(*z>`@U_W0Wy*7E4m`Q zCekyFMp)4^+9afI*TlLQAqmS1Vvrl-Q^?qaRR_a?$;+FP`vzV(tOg;c1te3<=!kcp z=_FRaA(ZQLcm|~QO*%p?F*)^jNuaT`UM~3?|b>qR6rp~Uh|Nq&*^`-bbr=enyROBs$j zoJIdLKhTT=DaS<3D1Z)3^cW_M1t}DLL`g})F^)iWcWo#C^i2zTG@RyyMj;+nW6Hns zr*BaFC(v}m?wdv?HFzZC46oIXzJC;{e~n|9zxd{lFX@-Jc^_tc z%M;t%JUQYGzzzO*aA4c`VVl?$?;m=CYC)S3+iKwQRssSKUYINe*`}t@i7DLB?RFn? zv=YX9`vO)48RYgB-Z}Uyfmp;la{*uLzXr~FGADb+76B>4qr^NasrnuH$p!yF0T8wF z>12$CO|p`kPt8Fv56eHD%;qD!?WZ_G$$@Nl6=TD|zP7EX*28Vr|0_gQCu^&S6sJivu=wW2rzc;)7eR~T3zkF{u-+O28y>I`p z_5M37KE+SiWpi450xvG%Us{;=x-Rb{%ksXsQQw=Hby}2_dGAi0<-k6gD0>a8P#DF^ zmguoxCzn2nu(>)G?gD;I=ZFNCQh_%04cdY^^vl&pEzY^nS1M zf=5EhRA~~#k}Zv`5NGt|(PXwrX*gM=NJ)6gQYVd-0c8?)bEgo7b^+daU5g=*LXRCb($Bsg>?gUJ}HvS zi7^gC$?X2K?ss>JCgTcs2q%k8W}!!So*^8A!#J!LOh(fhizeei-GLUbqQG48P&hSEGg$e4caCz`JBnz9j+$REIQ_5K; z18rF9a_W25F1hE>>@duY>lB_K;q&1;B%g}wd?A#YLpPWz7-8dA2(ue?sS3Nev zO2ZUp_$r$Z`@}R0-jhaRn0y@=hojgXoln$VTEq`DuG{Dvye)66qaM()d_J5ng4`$; z!pK4wMNpqycK-7@aTpFrgGPA-+_7moqa?RzXsZTbUmp+@vAN1dAb{YA8g+?E zQh#xEO7H-$B!nsCH~k=z0E*3jN#b@7kBKkYQ?wPXUbno4$qurY%O<94~-Rj zb@|Jmf0|!|k=ldh^Cxw~;6gec;R!lKu!+{M>#hX7@Ze6nue$6wjj?ck#cnO>zE8U3 zNZoDZ+q>Jz_GP!xWpq?0YhJO{s@d^; zLAHbUY2%=ZJHu;g_5Sc0S{9cSe$lI`9t6SWicFBQ5+3aMIJ?mk*}v_1&!cxDa>_t# zaR=^=CzJ#rBL@8@Ys@T$CVG9kW?2hc?;dSfVu~Ww9`UNT*R4jqf;#LSM>`eeh!j?F zRWlC#*2AO}915XF19`6R)eyx!G13x^uO?0^L&i+5s~lIiqLa5}>QYkCJeS~j@I_%y zAA;*OM1E{=pk84tyZnI&um^jV2(?G*jef<#mYPjaG3=*(1hb}pFqAo_*fFs0{D*~o z_vb3dK68(Y^JZ_J#I0oC*lUH(CgzNwGf9OV+RYNKwyx!nKGIUoF#a&7HBqupcQoe$ zOE52l6J5+(r+th(I{~Ru;!rxK^oA6{!?~oiK+Rx3!~7qa+&UkUtSgG^smJjlYtXa$i~+bcd;7Qw|lwE!v{}vt$bStNO)?N6Z}hr=KRq zCU$2k_AqZ91QI5|f<)SvGtCggie_M58Wjn?$Cl|Rd()ODUp_p13VihGmo;OssXb@l z2{>S8Mp5DY97rh$r_uml+yPmxMZr8G6KxOOvW*B={YX*>k(>Pu>bkY(z~)LDKJmkC+v!GM z7u>arv8Lrvw|^~Nt$enqtB;Pm^6AyeYs5`aQzX~H8v_U(T=TX<_$p=uD0Q>Zy<1sF zP^qjP@)c}gi?e+9xG#4@S1hVB8_oE?Az%{6jr-&I!W)p$CDH}+MRc&mL>!HFF}_KY zC2WgPCK3!RT@8J%M;d%$m%!28#iCADt`Ga!VV4HO8Sasy96+bbe-M)~v3?TMkBN5A zeH3iCyLaFYpOLvFKS}uvs~pWo9Xf4F^|H6biXj+(9TUcJs7lfS?y-~F8jN#A;i`VN zE^~#5h_PosNB|GGP<8vQ(1U_tu5ppgLDDzaBV0;b*TYCA!nf-}je4|@j4zx3B)MM( z0jWPxzNXr~l~pOJ>s;gwn9R|24w!SDKYE0{BOqL}#TcDOb39mew@G$bY-v+YwxPj< z;I@obf%H~6arev^qY6RoGco(Xnq3Oa@OtGI6a~)J8`3UbFvrbm8m?!ebJnBONDSsH z$xtZap+)#KtPh`h+0F!JUUzEHIk7GBCgt3`qrLiwe&?liVS#`{9o0B=-f2tv3G+`v zs02hwxKEP4Nrxl!DOcoTZ;M5g$3%~7@c)hi7?09Y^STtkGef1e-HrwD)oWd!70-oz ztsB&wjJsT-MfmDswZbRj^chb@L{($kDZZ@vsMZ0lHa(^P*o*@Xd+4SgD0-L3M-k^0 zW8d;DyH?X_oC4gLySY1mb9W9WNCUEDX+HnTxMa3?(~}~;4JUNVMG5)u&L^&#!T&YP z;qg|}6;7@Cu%g<-b*6*nf>dTkJSyUweB{mwImP25r&ua`mw~Mne2I#T*%}Tbs-YBh zq`NQtxd;;YtUR6myy@A}wvATlBieSU#P30sj5q0j|5fx<*p8HQysngE^)o>6^e7b% z9g@RiIC&?bSSIwZu&Sky0iQZ|t04#ZihP7Ag!6?cbtTwdtP?piQH$~L*M;W-(OHdz z?MC!3MZ$Kl?m{H&%^S(FN%m&4 z^hyTVoZYFsgrI1PL1Bc!7mO@|G5%`tVmCD}b+Xh#T_`#ZA%ooUwRWWaa=K8ezzfz~ zi3@pO_EMz%%5J-`%`!{9K1PM~uCw{oWWX2bbvozc4#E*7zM_O}^JK8NzP^oDd?48o zv8Y#F@bo!WsurzVOLpPSPSV}%Y;~KMVu{zCv8;^)kJRmgWN`o6?Lqctd%PHp6bo_Z z-meI!$tlN@`r(f!hfkr^NMCBnw~49lasBRu?OH~dZhzc%Jx1TD6idbvbD>D=lr-PU z`d27y38drJ)>iT}Q^#Gi^T>PM%Q|a(NzzNC5@gY-`K<&Q#T`KzWnJB6Utq1(SEh(2 zOZs|7snJbldGZ~#T~MN~Et4>Zt#KQlNMW&+8rwo z7~>5|Y)ZgJ*qYy#;~mO|VIXeVIH!DPO6>RxLkA8TCn8U-5mR?G%)&Nlh8Xz!ALure z2I*C~z>)gsXp%Nme{^c0E+;A61#!H=2wz4M{>A?==BW%OFkmx?wJ_HaU3R`t)#tdN ztlM_EHL?%`}jrNl`&VI*atR$&+s$A}#XGi43N+ST28OmC6T4*@7|3ncUdz>Lg|(>`d|s8jj2azH ztLa80I^-&8V8sTm+G5PfVF#AZG~|kvh9bca-|i*N5*A5WKYLR#N(XB|c4O1E-Vb88>m{L&xgTwZY{QYVw2(}43WpT)6h z{yZM_4##jAenNQvNA^f9#$r*HD)!CWqe^_W{U}jGZoHGZnI)67$j%-1%VYN+@8)th zgMvi7^Xy2P#oddU^^RM!RZyyu?Q{qZ%n0;1v6FL!OWM&luj+B4?LmOwZMMqVpsw9 z3pINpb8vAl|Bt-l6hQR5mjuY$Yo_=Tm$19#0ixC#wOB(q8~Do*R~s55VNT+LnSE@* zhQYAV%PTB&J-obvL!X)?_Tji)d$fWBhn}mvK%;a?%qV5cQ*jlgq&F#S$S^LC{B@L^ zV0DLZC|P!CYM9RI3z42J^fHr@Z9@TV^zVhcG}{pp8BT2=WFxi1w10z+YZNkbX3|92 zk0`-DFFtnc=K*#!7x!C?zUD>prs^u44f=3D_l#zh#vcfbBvxt%!kP40sE?Y(HRlCo zR+~nVO_2=lNX}a^7z-N!MA6dboW*9;9Y{$({MVnkKa7Nd1j}j;_7a-=&`e3&s{w+0 zgI0iUs%mAKQ|Fpju|<1WqGT+dD(_DAJYMg>1ZvolTtL_9t<$45u5Z_(=VW7|OHw@l zG=&I94H=AX8vWD5_QT_26*{(@EDAP-f+T5bTE*ruqv4V6CSsjX3r%3afq6sF3EPZn z?2(7JIO!xBjOTEPpCONc;YO__8+_7aKebHLO*+B}p;&cF(B07oM$=nIgC}h2EtH^2I>pCQRgESs)6N-M%=qcwJt^$GX%SIdB8ZHx0 z7*eE;tsf;vUHd-5f)?%ScvA*wW zq3YURte$oc=8ZNvLk6f)8~YxYPpi&C6d5K*p;lsBU+tr38O$=xu_~O3;oL6dqE+bm zVX4L{Dci`Zpw`!lxXT*!WYS7CFe3~zLO~=XPBRv3<&*4H@iMV5IB#$$D zEf^LPkyC<6_={2d*Zo=jc;5{BaTOgyhLTVgZ1Kr#JC!UKmKzSd-?a3n`NywRsJme~ zp;kQ>jB^LodOQ|lE#10cq1o*mQ(+ko#XX`Dh$`UIjWsBycVh(y)qo(sQyq7y&e}QE zfttHqEgtB(-4@CWQXl-_F(;hMY&=)3&$+=?fQwnB1ZmwoB}c*S#rMp;lVh$D9c;We zb8{c_CX>Y6yGzZ!wsK-Clx;Shrk~2@#sIjUz8+3JI5mUZBitA#|HVvLDbOHFD~8c+ zMwGT{j=)K^1S-tW%t+%X@lutOsdskh)?C^`Vd}ybOrrI;b7sWj?G8g?&T09O3@;HM zQ>2N)m&C@l$#rJCcHMqZdo)_D$!77#S|l07X9wKoLm-dJ}-F5gabm{R7c;y7$C+3B(d%RmI{VgUqU#1*`-<*`aXXqCCD>vpo6D3KS8+aK}d^5M8x!X56oe`?#9#R_j^ATp& z;I>(;C73o2Wngp97sQXyJ4t107;Tgr`5Db#9M;7P4-TqGtZ=CM555=H(n1t@?#`?e zYwp@?ZBxag<@v=0qE*yemmS{MLkZ$;uJYs0-e&y;x!%Wo_{nTaFJ%Zt_WRQV1xh}m z`_=h?Y8PTr16rX}2N0yyDA=1&=UbHh{>8xji-9R;V5$Wv2Cppf4(_2=zL&k7=C{|t zkz5bLopmw1L}q>>`Bw7@XGvxt5fjnmU8C}r!_U-e#lxf(Dpo zLfP2r?j8$0BDhRVD=cx0hz6>P1$cm2%ypzS6AO;+UhwbmdfJZbs5)siNCBd>7J@(&z~^X;t2uTz{ys9@WE){i z1R35M(sHBbHNsbG#*2X%?8P;zC5`OuaGuov(kSNP;n4|<(CX1~IWw{cOGc$Q+vs!S zTR+)fZk^#QCv=f<$*`_HC5C?2#ubp28F_OF-y^R{*zX=H2l+sF;}0AQ?WB>Exh{RK zhCmeo3!%~p^VY0?Mg?Di@k$2>v?Q9IJ^PGfI^?fCL#EkFeqfn(A#TPOrq4L)>NS0R zoehS#JKnnqpqimMP9zG`4D%=!wF3L#nQhd?*OFC~Q`%eYyg&K6bN|gBJNG&-?%n@} zoXuo7?c=(-nrY$N{LMF8i<|o^Oa1W)T*S{FA3Z1PtPe3KIPj9$zrnY5UUpvW+#`24 zjiAMH3n+4fMV5Yo1rD-^%I+H)(!wIoCWbhx?9o&kzUI+l4>wcU6LyC47RfkBeH1ak zFxBa7G(;Z^W{7hO^|QUmXWQq)@iv88wvXYm84Qy9PS9`i9!gh|I>!j_CNF;3h0&ic zFfgi?d>aoA4#XT+=J=u@*g1*OmEZWI`|MMP z+3jOMJVCIi!Dy<5?VPEpmee9}UeBS}EqMmw;>@I<5-nWeLsyRgF;xuIP=PIpkE^U9 zYxJ}TMjk&fDm$CNt}OE2aR4df97H-Ei}56vEpN$--S+&cihm;HptnbLd-pHvNi_Wh zH|l@0tYMmMhpLSy(*`Wv*Y!j7pZgj4nqZQZ5&rZ8E*>&BrR5Kc*7IxC{)iLF>`lm{5~Cu0)K zc-?Bw{c7zz3{^b`S-%$WZGPS&cjPfFzFi}kn_|9QX4h|HcP$y+6c4+wyWBLmu1?7x zpt`~oogZ}fm4-rl4V5=i)_}|4#`_fM%j!M^-;P8{`I{^j9^s@A9cNfJ1h0qG0IapCTxTwmP-kuxZQRQb9DGa~s?AKOuxyW+F zWp4m8dx2uIaCBu`CqGdT1^i$xj)3^QU>fxE7oZ6musRNkA1b1~8;*+=f_a9PWu?2H4cd zU>XR&3p<_DU)pd3F&eVCX(A%LY|AcB_Qf&{hd*6G{A@``>k>y!6_4-e#A&LnaNsO_ zRW^PinvJzT8`g_{*WVFK93tGU@i?Lj@K^$M#`vPt8zXd`K+-g4v@TY#geF7dPNB`QCIm zbu=WRtFs;WX>x=4s9LZJ0H57$pT7O2>VfQ(aTmU+IK=h|efx^yv-Q#_ zxa|5@n3?m^a?Uu5-o1yiiQ6ZY6;-31bc#@9`QV63^ z67Qe&!cmgqKX-~tF$v`LAN^=4SaT9ov76>I1zRkMexYWUP_m?QUTjtMJV^ z_3k=hQa-)g7be*8MWbwbehg3O$GkrJl%wY>34oG4Cq@E(=MWRc@?N^j3SmF{`{oQ$FoJJ@AXf#QY?JtrUd1&$#1ztQnrxvb6s)i|l zOp7JuZ9$s1o=kp^9RTZ3&YnCuCVvAd54$hDd7U)gL1#7}pCo&G$^B;Xj^*R}&I5Gc z`S79fDn{Z%ks|U*KfibEpC$eL(>GpEKe4NhX@7Y>z?)HfaEqJ+`DVbMv4QQH1&X#B zU}1U9uGlatR-)ppeJ1{R z8B1%VDEBVLL30R=1M&_0CmIyww1gpU>&`0QRle?<~6E{jOag?H4)KD zs<`SO&b?YaJgpWVw)_hp3l(c}!J1zRQb>`hE~Jkw#VB%M45BGyHH$Z=goOa*M+&%31O**6W@!knamK+DFV1!;$#=tbeQ<^4xo0PEL%-DOdD0QhP zndUhidsXiUBY<{m-8vR!KXp81Wpb%jv5RAJ#Xrpk>DYil&c*yg(aVJ4M|m$fA!f@_ zva4c))To#zbDZY$TTc#|On?m|U4Po|4-qMnqaeKo&S#U?*;t&sH_RA3;n)?45ilpc zyiWZdn;V7$17X%~lZ)(z^ob*UWl_DR*G`@{ccHG5TFk^tQwjCL}+Hbt7{OahEo?QYtrY)j6TIxK@IGiL}ku0 z1~W{O186^;G47p{;{mniSA@gG!YxWQIy-C*M};)!Lr)!4ExXa+YucxfBJZ-D9Y+J} z?5CDMqh_)>^|rsUs5U)w6WXj2ax*sIU=l`5W+m#LKf8nngdagjBqFfhT#r(s+0$Fc z;!0fD=qA0*`Q))?o!0_-;ndE?1hYwJ@5W$0q0W3Jfo+m);W~rvAbRU4y>$TJP!Ycv zYh<3u!7-l=`>%5Y5#mgMt;=SB_RphMJH$QGO!qQZX8*ttY<;3j3pS`^ygAZQCuH&p zN}5uzjkOLbpUjF2zP|(-TV1kNHmw}|dXZ>)LoHJuYWr*8(1cUA4l+r(-nR%cvLe3j z4h@78KzA5kTNrJn6}!Uy$QFUOmJg~LnhN*i>0+E593&hBpVJLL zPcIpg8RV3AM*OtejNT-7HLI}m7jHckA{BjAhi|t3mfZjL4?DoJB39EMe|_bvWVfJe z-Q)mfW`leA)mObQ;dw zuv|Y}o|N25eQ`D)DbSE}l*5wj`FPL1OIry(nM+!RHAnPwgr%YhN-9+Y!JHt~*78hK zm;r(+U}=(nuR4pohL>%bomJacG=x1L%CzdzzGA*fd^#BoDCcApMU)zGz!tm|UV=rR zXQK-<>0y#p7B@>Xt=0_Oh@!g-)EnQ^4C^Ov+jk@0vE2**1TT7uV<6>@FXX3{j=y=ht^> zk%MW)3ndT!)Kr-9uW{M7lwJK%bXvQifO=#)ZJ;UnkfW;rrINTPIIR8w)2LXSuaxPH9<=nyftJMKA=E(yeN zRe6tdb2!RiyKTJ{(A^adYbQ65UiNlQq3u^Q_>ID7k>65ia1@^fm;`?HXHPL zJ*MXKCK}r4PV|;!x|@beYC53SG0ix!Qw<1iHDZAD;S%rY()_*N0ZS8tb-3^;Y9o~` z&Dput=m9yYBAm4pcn*_BSM-`2B|z2UCTe_kNk?TXr_xLH`GtACCiM$BV^XhlW(tT9 za=J|x-@25ftrxl6oDSL&z8@mFTa|Dh1smPn_>buH)V$9Hd`R(wWt>P!+m2Ty+GU=m zGr`?fw`A=2?3#mUG$$#{IhkID7jXL@{c!pqf&U;Vuyb~3UXpwGKg@nfh&))Tt~I@3 z{aY{~_qK!8Nv_i|B2J;9YED|XN#f6~WJm2wR!rm1p~K)A7wwyvU@vhwH#C1L8*6Z5 z!(hc_oVK&3;uJ^NIr`ttxu)?b#}hH2RM5a^rO7#_=s|@gHaE+za3{k7scI%8nw%c@ ziR3ugStP>oqn-fo?6{AHV|;Yqc{I!33~_LK^{?rKD3~3p#Tl%gjtQ$rZzjoW0!(kW z5m+u~KX|U9SnCP^qz$XHHg!j*QVt{G7icrUwVkuGC`>B7!zStXT*@aj0BwYQ<^{yY zb z^B;qSfvXrJaX24d!q6{LG|-Vojl31!U(B-XJRh{-8hK9@-%s+3_X5TA9&W#^={l@2 zmXf=W$yfGooCHxl@?=NhmB`cR5}1-=HM{7+E^wg@waY1x!}q_A-@Yf*gl6zzw~r-_ zJ0HgW+;cyItA)eQ=acE;?SJVUIPXUD9(JrZ9QS7#5~~u($?|Y_K5k{_~S}VSFnS% zI(7G!+ejYL&=L?DG~987F($)zlq+C`gZPX=qBm$ zi9MY>^qBP8BbQ3~y}XniUQMS!K2`P||0BgOls0dzBbeM;Cz8$jMyM+olMW7w;SuBX z5@tIR4&V*oH=V2Emm|>>%lr2mPH?%2ib)v|1BXp(x+g>0_0NNO?4Jg&CE!t;zx@HE zPa>C(%ug1xkoD?>>Tt_=)ppIC z->aFW2f_Xhw}z>f_a`4!&8QGQ`j!%%iLj*4a@2`85|F#Elo5xc+Dh^vDk;?lctaVd z$C63Gs)gbI51*VS|EKdcY3DS@LTBB>u<9(dEuEmwJF-s+O5PoH1-_&|B5a31@hTAH zf|{QVTB3JD&l8g-I88+7+X>PKTGez>e{Anz6*QJyk&YxG&Yhh4f=pS&bJy;{#-w8} zz`_KPJXjDK!mkU=)p2P(gxOf2KAae=N{*OF6EMSsIx)NAPEmnl-`?xoi|JkhUW6>3 zGB}S7aV0F5?Qr(Ae8J?YF-fMq#bQgGAjiuaJiTJyK+zbpTcOd^G0?Q6fAmf}*edI; zT`j-c?p&#i$;upU?=^_u(ZZZ#I_XY9356R9x#S#yn~(1f^WQAxp^qTlyIL;6xgadYDE;$$OV&YFw? zO_BKTvB6o)HGGdCwZ!@aS%N$MJTt)g1CAG9!54SN)1w15TEpyeqv(LXhsLVwsq;X? zuL6tX7G{zlS2zv~@hU0r!i08e19duR??wjlJ^X&z7mcy!5gb}J9S@iHNtxMmtNfkb z1RWX2kZaxuzTW?)KTW``8>+|J6XI>6oJ=SwJsCcf9E1FJYt zGTyJw#eOd zpt-eOyX_Y%Z26w=6&t$Amtv_+oDHXEvvi!3Q&nd)k@EvrM@N2#!vGD^v1Ml$8-Hle zHpUu0z5n=FgAQxkUHwRXd+-3+?E4cc_W1bz>C;z{**qK#uZLsQi<111VQL175OL$? zq%b?2A_6M9_Dec26Cx*tDq*;q+wH)iR=b^lDeL{A#=#D9lTnbSRZ0vz9t;xC+5oz4v z*Nd1m5pO5gD^lE!Mt#u*l8K-O46xaDN8O_sS>18>;pH4xGO|=kU@o`^ofVGkQ7S*BY#wBYxF* z@8G-To&7LjZZSb*d#ml_h=jjvekk~3dh_*t{T-7;$*til@4Dowwe|b z5^XM;=8##kv_D^v0}A6GCI%-h*-Ueal52k933kxz>?)n+lfkWih9%D(%z|?NrTN;4 zlu8avljuFdcDz%@jx<5-MKB>twz;eu4qppL(aA!s@QH zgSpH`gAT~HLyTyCn+-Z)n|LI#Q5mEt@6DKJ>E&d6F}ig>N-_@cv!lfz<8O*^y~s7Z z6Q6G5e|odR7d3f}Nix%){PE47><11ot~U?-_@VQ!nweN1lSrmWFFG%t<* zZSvdLkBOZLJsq>zJm>Mq@~NJcZUnLC0k6)OSDtEA1xRVA)~M^d36W z?FlTjaf7C3@)rs)#N*3j`OC2>%M0_jn4RUZ=)ZuAXk63&BN_~|g@4acfKuhRw5*Fa z!noTba#MMY_4TzVLXgQ$7E@jE_9)pL;*ZPg=^vY-6k-xWy1)4Z+d%GQ$hh7&!+wSz z&}rh2{>2P8u$rsNgb^zwHgqtXz~T)s$cp5AHxShK(I)DtuG~#mEVt?}4-OK#c8C%3 z9NCXsHt#rjX0IvipZp|7!})xKq5Z=*IG~?1c`3u@4{+5RClRvJyzDJOiNg0`aRh}{ z0S44kKFKe>PX2&Dz9HSAE~WSe;))_3A0h(_YBlQM&{RjACw2ne@J4tBDasnUjs$1I zM8=uax`RoG+aAwUPi)FfX9CDmGKc+>=N!;Zfd=9WOu5e(!W397^!OYMF9|1pI2Tt! z6cIo?2e#lAW-$Zlh%?dVl%|mo=J}&8zN!Xc4`rCH1G^qN94FRzduy@^T8Q5>n-HsH zU0f^xo0S@uXK)M0QU2shW5AaJ={W|o+um$3M!vFs@(3B53!J)6pKtMb@~!hM`SYI- zpZq|oH`pWBFo?}&@($fs7qfA4??LjRD({!ItvSVy&khdgzds!B|9G0TC#Hn^$-049 zu@n$S&||rB?-l%Riodd`ctZyyECTyEbYbsC6hR&YZ2(~)s6`A*Tpo;5qOo+DrXEhb zCfb%T&%BUYC>n%mU_zZ}%K}qj4}wNg^4+rM0{r`_g-YTxD|bs+%mdA%8hn5p7#-E`tL*J`h7zCI5w&DDsdcuz_G+)lhhwosCmx77Q!4pg}i=B}6``L6(C=+gQ%dk^(+Wov(;-4K%{A19>kI+MX2qe?R z6~`8f?P(JDG;!&8G8hgBHV1KX6bD{scR1jL2RWwgKoU@Fl`vmrQ9MjdBE{+4(Ej8y zn=7)nV1N6#-UUlbP zBUVNci;{c@Vi1}Lca`x)wDb(GwzRqJYYf*5Ah8rqw=(s^9ET`pnrskhU&)1~rahm>FsQOy7>QMGF+U`;J&rIKc zGYbD3(D=`nGa}aFr_p)pHIU9&%fwDch`mqeaSqm?^*$1)**&qHV|Gn($9w_g+H3}L z*XA8USY393$gX%qf)7n1XLYDm{nV@1oS#a!0kr*hn0P-AtKwKmOeYpcadC2;g{_&? zD>yp_ij0&P=Z>qJ7NgIA_=8y)Zo{_l{Nat0j!;bIPm9yGv?b;?7Er}GfhDPIKF?+} z>7V&#WsL}yKvgKvkIP}7^*05AW|cx&ghmoE68kEfFCJAMd^5Ko2+p6makOEr>C#jgUxwTd!O~;x=aWXM6^{ z6++!iZ#=-lZoD?Yr6;(kWhrLaTZT`axH zo!-cs>12*do>Y8YUX5Vy42^LZ3%=;IUv4G$t=V1~jC#Sfk|Dm1O7z%h|S^iWz1!&vSsaAe_(j?*ZFHjIXBN76yR(H$v%QVb#0r&fD>9v1l2X9wsZ=3K zRdH{fPMSz61(q-dviLsDwAdUefb)hN}IV zd(r;W?tJI=a8~Muz2upS6FC?o7VsE84P*}!w$5;c7UMxD+3a*W6rYcuqy0)>Y1Z89 zwzO@uQH&+iCa#XbM8 z<(@wuqq&@yE92wtz`zwb2t-fLD3c?Su{KjRW~iVgdjlq-k92R^nw=KgAWVvX%km9N z*Q?2^LCPh$Wh2KVe$n3H)N3ARZ#ytJyL<2c>(>3(t^3KhF74Pv_V0h$#q0Irf5qKP zQ}f;c!n~KBc|IkK`x|-*JCLnbqCrog`t~;5&+zMui9ChuMgk9uf2-t1es}Ys;R@` zi!ZvBF3d|aOdM@PyT)0vR+?>BJ!&W*#iq7R76MgKs~-xxJZV^yW;)P(?43wL`;Yqu zZz;}pU~|O>j%2p!ecGP=QOZWirOk7O2e}rs$-*rW$1URDoj7FQZA=}j>egku6DrQ+M8pmpeYxPB#N0!jQ|x6`Dml2xcEoWs z+2*4g!Kl$w?96*4glBgQWdhBe|$#pVpBFl_^N#1VOI22`MzB{V|au=Pv-Bi)z6XsJ8bilbAX2p zetaTuC0FYu0gnPnmjx;E5QoSQXk1+NlC^?~T#OWz&2w**q1QT8C3H7^3U6+N2{ zU8AGU#LW^jM~I-wyj#lqwKsZY$sVtiZEs_US+cjC?8-wYqP;>c&BC4&$G|t=7gZDV z=G=#23cZcw40C3X!*V*l>PeM98;XWFK6q=@cNT>Y(hO7eN`UMS(aXEtENGcngZ4d!>U%wGn>XM zR%4E-`n{lht&C|dBv2_P2@jILxGAVK{Zz?-OVUmSF=tMtAY+u<+chi22jx-*&IV&M zNeTFmEPh);Py0@U^rjDUPJjrRSWlZBo3g>lVC@9X&O-avu>&eVaGE+`>Cf14SGoQn3UoHBeS%U_~cHU z%<-#&n=6XZza)$~RQZLo=_>yUGcBKTHFz5otb;C&i)#xZDgm%kuVW(`%7DB@_H?z@^DiV%O$V$QP z_5yJiV=Uf-V;pQhi65S3v+E#`UA>bF!R(P_fL`?=nB8~1;|>lCc-HCSJf9Ee3)wR| z2Ls(U7SffP?^G*mADQG2e~|B&miEOyJvm_^nNqUoSQ@i@#cEcUSh^BE43?ckuT$h( zqfv?i>ftmZ3TI39{AA6xQCGq0;g;~KVUFe9ny(7gF}t1KYcSR8*4?L#2MH&DO1uHu zIdBq{=>*d7z0}yfnV+&={X z7|19o$FytwTGO)QDj^~uGEgAx4NUGJMlQSM$k1V5VSLDXHtaL9mqIayI;^vWX}^SFE!Yz@m=z>L z9VcJ4_ZFima>|FE4=)L7j`Bovp!IZyH@24woil9PuUK7O4cE;$wn{2$r*5#blhFiS zGuSEBhP{)>7THC?S{Uvn+-u@IL7BV5HjM7;gCAjFU^Soec$W?{poYN~DL2$ayJX>k zB6~fuooR=@$!6!6N~b1Je1uU*Rk+hgP#fkTk5bJwvgXN`gC7qGk1hjluyBEB*YWE} z@~6gsHY`H~C3lD;!YVE=tyy~%qgS-m6y zARQP=D^SrSF%y7J)*^GfkDm~|UiiR&)Kt<|I@6a*Y1e?~~Z8 zYjn7RmTtbj4<-In#GN@Z05r}XkHZEo;e`$#!`mFEuv@e4W+NadHJVU<2!D&z3BOrM zGtuN3baRA(%yN% zCzs>~N91;4_;AQcBYQgp?(Q$J$twBlA=*{s;O$+ct^wW`#R@AMi1tnnZ3%KjEj^#2 zQ7RK0WYESQ;0{*4KzRmzE`hF^6;<2Yivu{qXFB6+?T@?dygr$a6-HDqRJ8ppyXtMb zKKbb@rc3?tBiQkn=#hGYAKUe+VO;e2Kj@6RlVP0uqN71!5! zk`Bmv>|mF2I5>+mIQg9p`P>Da+ojHYPfmo0I+dlf(QS+Ij&6p?OMB%>3wq8YAmMhB z(C{$&F-=C44TmB|p z5rND>ly^%RE;4VWm&wEZvwi(=jXNX?{W9iDS~pJ6XjE3{!qEibn=ZJWM&3}OlB-v$ z09(Ux9dM-dRf;iQ9dgS+XFUrojz(?GorqqHon(KMllO;CMUwYZf<<0Tvl)^tBp23= zMzURLci3shNlBIbV=^3X?lf({@OaqI$h(2PR2G=%YQ8}9Rz`3K34z$MG{FXP@_WaL=jNW(MC$!Q(8OxDIwXn%R!hFTh3tYO#K=vH?v zjzwds>%{3-jHE~8OT?HFow^|jbvhOi$f(H8)dUy_wUk){kWox~tgWWHB6PpJ$5(Gq zmZU*d2!$#L_VRKd^-VehvNNjkiqg&I>ZuIW>&e3>yW*;c8OpAQ{}dM*C`qYJwP|D= zq-m*LGQzzQ<#*YHxFacHWQ{gjUt!dug1whD+^sotw?dWX`B#C^JI918!5MgG5zarn zE$%c$tsme%<0jO%iDSWe9<`sj7V>s^u~`SwKH7|nO}zG43w(i*un5|+m!}t5a1Av7AbZMFeWR*wL`KMLPp##?Om z2LbWJX&}ACJ5?@!ct+2FB{TYF?`^X|?J>u1hVyXZrA*bt7ka}+vRsJct-lWZkaQnq zlxHb_C-s?U3Y(E-WZ)H4xpZR{^kA`4ruaVaRxE3=v?*=F%{;OG0F@4`Kf*{2zh998 ztH$VhNW>d+N4XwTO0Brc7xP8)Hl~HqcPkVmE7T%7fxB)tkX3T022`og$*`BnbeQ!s z6bJDQCnwXU}{0o+4LHcSr($uWE zIMmG(?nr~{>SQ0kW)Tz-Yc9+^T5{K*Q;*wGdJ7|ok?e8u*%C?_K;uI3yB33PLD-dofPyzQ{8Loa?6fcM>_;d zvOuFa!${kKWM^;tz|2UZCBdH49(WpVmz%Qc>VJMJ&%iuLR0k&KD5h>pl2!UP9*#|r zRaBX<-fA*7hvU~pwxEzU5ktm96upqwBEM5O9~~8*nS>A*JQ?>>=Wl3SQoq1KPod-t zp3q;f_jalUD(TM4Dg}pmZ9rTwn(K1B=#6~e>y^60(fBnV#+W(5==0>1b4gc|XZ)WV zM~|OAJ4-ejR(`Vj{Ftgw^+28qC93iB;M>ZTeyBz8zU+8LP!Hjr4~wi+aF+JWEufQJ zu1PH@mOpB-Euc|RAHD8kFI{FKOG`AjSa~;GVpImcjjgT$4@emGQulw+R1lY^0zIBK zfv^H*UwGf}w%qTz!#?vyl96`9#sE{ zmC=6}*e?E#$90vlO!^jH+>2PQ%*#FGnC?}raqk!nY?C(z`<#uqj(}|-@@+iuQkunk zs^WH2OcP#8P06QI^1%C*En&;qLB|KwOX9?>I9+tyKwWOoPBiju z>F64RCzLg85qN$o)wGIu`q5R{@sP!Kl6Lkhbnvy0CB|Q5_*>fjYIc?U9#dp!CX3wt zLP|jA>@~-Gh1mufn1X?lWyiUGi(AWw8DkIgd~u#*gwJ?hw&6LF$AUyTJ`Wg@P9ZOx z2rkx3vx=}A^!~4vcez`4{{ByQ0RPz~iPkjIt+|+ImbX~%Fb4TeUvm;{VoRd?@{VWS z;e712^G|g!8^N);7e697wDFb+HPU`5bK`eO6269OLP`J8}o|Vs__j0 z!o{kMW1A@Mpt7CgBs^3GTlWDm*zP{@Hi=eUW7jz(c*(YlQ)KTpv5opy$r^h)vW-LF zhE*47F%nZYr(praRpp(}MYYLP`GI^7;+NkYeP{0OJ#z>DnZ&67Jbr@+mng~|;*EiG z9A}76Mf|4i`Wd#?${iE&@>zT5R6c#ne5krA_ZV-zg4ao%G=cF`zZ-5pVJZ~w!&!^m z(JM3V5DC~~&zJ0YYq~(O2b7(Qm5xxfy?$K`fgNYRM5V2mKpDmIOVLrZ;HsU^Z^hfe z`VQ3$3aSubQ_)vjC)VpGs+JWm3hBgX-b3Z;Ui~js@*OyVm72`5QvEQ`*wAH(mZ^rJ zBb!No5IVYQVos(8u!(Ap&iBlJ%hr0U5w1~+PyVZxH2H?X-AX!Q8BZ`3WgZQ8acL+a zTK|LH8BAE&Iu!YHcs(er%zDnEpVj-J^f-K)2ZVR6c~i99)xomdpX%;VB%Yt-@*v2& zpT+Hg+xkqd56azty88pS^ch?r#8JA;4I;`^{JyRb%b2#iyF=W8uM(Gt@+tU?ZV{HI zF}o4r&is4LSTeXkr|L*it|MVV3+(CEJ({`PPt+vCKLLjYUiT#YW*yR>hUucOMP>awppU;fC!ZsS~ zU1<4S?xm>b-gCB#3oD!u-C?^;y70P*Oi^cDkqE3Ppx^0Q&jSMX8{Znqo`8p@%*$tk zxEU<$y-Bg_^nYE)lC|7QRydV7*@Y_~?@_YWG3GeU68XcEJshEfnc8W6JgOEW4Va1) zWRikBV(yAn0*MW0T}vYQQ0gG!Ng^ayyTXWM172GmagXG3Zx#G!nN(t!;!?q6wNTcYF{F}SxoGo?Dv2R^x9#hnJ+*x{+MhX797VC&W^zP)*2SmP>6J8K| zD!L+v&yUV}r_T-!4o^=F!8%}V4dqEtJvv1e+ZbYvfu$*7G-e5W)f1`1aCZfn54B`5 zPRtp>X35^<4QZO7N5_wQr`~6r07umn$miN`&&}Tw`T}bSZ z5Ni$|UgBS+9tZkd?nPFsmLs zVA&R?u33%fx+Fopd$E{~k0-oP1GsWW7pB9sL^lk}nA92qy4Il7qkY`q>4=G8^(Kfo2@TxD~O^_Dmw1tZ2iQn92Q#@n(iQ zmr9s7#u8(82<|ayND6CnCBR}2Vah~-JsFwceZ_H#D$dbDD?PI9JaKuzDCb8|q-f+M zcdXphM0d7PraPjv?#~LYc%v2^)52hQaRH+In9MsY);v8r*v5H=pNa#THGm?i8`ogL z(4@8zR^bzi2i?#KP_qnlimg2ITv$|#tagz&797ML0Uq=CAwrB$UiB8|${P+)o@)O* zqIs&?AoRF*8V)BK+v}AAjC;+Rtwi3O4S~8Qx<*$x!K)BBo90MFk4rdf zJw){&Zw-fPF9Bl1wX@-|wmy;(+lvEhU<3Np&gZwrMiiV;HG~|2_UhqmYj2IY9tfkuzls%#51;2C;Rd{#5g+1{A-U4RRHFiNFkyRH zaILVVF*u?&_9cEgWsljzxCV<&+;fDj4)@GDEB@|t^~Y=tpo_yX6deu{|5n9G0hW)h z0D{0s=QydrC8KBX1|qQ$_vz%cm@@&jNX%HSj=f20Bn%T=|2(~(qPEi9${Qs@aA_4U z@S${OKU8A`*n;OMUpvSyQgmP^<`!Rjaw2l$oN&Xa2zhs*TrpC7MRSG1bXhK-;yXAP zt!8)vkTa3ZFN{Iu4qHFmN6R+I>g^G>Ryw^ZO5j>IOCW3o9;X>*KWYFS=)mY2p(~+J z38Gn$uwLw%{T!^brsw^9ymO(&x@h>Y5mkjsdW}}_lhN}@oazYL83)jixGn$PY%BN zN{w( z$Ks`zf!2k){qE8J!IRVHy@!WSkDvVg(c$B>-r4@ikB4V%X!za-1K$!oojOhKjK)F9^_uUDu`s23Zojwul%YOl4 z7Z&fo12A^brT^go+2OfyfU>J=QHbz(Ro5dBg)N%J};w{r1`i-9#K(zOhF%h>-0W&OC%y`m*CRm2YjM%4KUC%5JeH zj{30+BEpETT(z@@Xli`(2OnWu|GFjCLJG|u`vE|n5j4fYV z_fGx@obWrL>$6Mu8ZhDI5aD!Y6d62OdTIi@pGSrFB-y|xQ1yS2@qdx=|8g>JHsMFo z^LYI-!v6m+g5e+VfMWRJF=05kufi^*0|Rz=mX32ubC&uEb1e8d+2I06^o|wDh3mIh zV(?-u@bgfHu&sq})@d$escECBeX2JY5mdBlJH;R6yQe2lemvQK^j(c1DJ?sWPKHE? zrUr3{piQD0Z7$+FPsa4eUcn^_fs@#Ln%wjxrLFY>*6)gp?n+bKCATAYlGK97TWrHdzTC18SAZSR$F740E4 z3|sY>{IcoPw`WhD9QT|erH~K}&6gJ?6MhFAKRLx1vraG80MAGZ&J0}?b2zvz$fp{5 zz07z?UVUpd;@erBgM*JLey%Sc0N;(i7R_M5|I0Elo_M;gIg&{M`sE_Y`_6_AGvq+d$zKB zKnv73%s6Rg%~<@&X|tG4dNh3P2T!m=nzi56icMMnTgm1veT8a+#SDwM^HTHD@B&ZV z0>aQNPL4OeaCV9bHG}CX@SZE@IC`SHb@b0bwxUarRkQ;w&rPPV)_BtVuUy+gcYuOo zK<#IrQ~ygbZ|61Xt3rW%8j%g~dPrnu5>e`XZM(F>1)B?&e<*x4nzx;|o`}B|iH=F_ zQ94~trDM}kt$bFpT{hz%OUds<$KxhR2OuV76qcf+SmYCJ?f+o}o&ss&&8wDU!f%l4+;c5O)oA8rc*!yfpUTbJDkkeYz!5MmopW6 z80|Lb!8_3uI3ZI8gAO&{7+U%c>wN`Wf8cAd-3q1$z`Ey$6gV)v}s;^KNNhV_%McGtZ(?nI;_5es9T_;*pta zeBT6%RifW-Eyna{kkl|-?bY;V@T$;Ivqs*bKKb_hqs?fTO7Vn{XDTo<3-UxApsE=* zan7E*$gU&qejqr$vIpf=&N^uj%imZd7q^T zI%5J0ba63!tBC-}UlR*WE-nZo!sPR|5kshp$EtU93|;CMYE65U4c>aBXC&R9fi}K= zlU$_3QJ&mvPq_2h+j%xdkI=key0xmqrbeq~m>3o7x#5XRdM{+!cAf+D$_GG33i*yR zqSBsuN=+yE<8VeT!@i2Z4<|MFf5+=r&*@kp^OsXha^$+-a7*=7%{W=i`k9I1aJ{6Q z%alIa>HAf~N=`{L?{tg%-?D!TGz9zsBVJbUf$QA-!~W6nvy;PGvXk6TcK+z)RJb0_ zds+$l(936i^hWpFHG$b@&Sm9@c5sSN&pQ_cay(zWpn5;Fv;p0$!?^{I;iBw`N4FL+ zIq0@Tdh)i`HTrUNAZ;W%FoldvkLAPC+#N?~D?$f}DvSMG7qG1k>1>WH<)lcQjDHQT~mvt^XEl$N`zk>BS`pIlH%nLfX00E`AgqSLH#!Z-9P7=R9 zo)1BSyXBf14XI6XXycgDj3%4?#SG*95bkcn*8^jSxzv?-n@ty(T^1#Z^6zr$WeEQP zb6&GBo*)Y3D7eax_5zsH?Lqctd%OTX;r_RO*l9)+>`<6xtv{LGl9x#~f}@ZPd_Zxt zwx)|Pu@|tMbAzt`+4j7axqgj4N>dx0X!ES-P2x%K`kqycTSA zoyRD8d3@Lv9T|VpINxDNiPFt4_`c;;-IkI0c<<2<|gWPQPM-*>u4;<8h)#U z6+MlYK5wB*=1>4To5|%E)m#zO!INn^o9AT!P!Gl? z;mTjuy*>!%ou4y&h2v;Z%pMatk(FiXV@gxU*t9Wsx#qmwFP8o-Pydo6<#{X$G&IcK z;%OgNrGjB9yBl-TCs~5f>2<$aFl3Bmmy~y?H@nQ{b{CtJ3(ifG6~MaDgIpZ>+OnYNyhI|Jf}& z5yKdQUCgK$vn4W`pO4{S*iAukC^6#_CWcd3bvA)PG7u10s*PczZFNSedIpO-Jjx+^ z<+v}#X&(FORx!7O;O*Si3i{C|OB)5WuHABdtL5)&v;26A<;U48^$4u86$VDjwM>?Q ziEw3K;$bY-G``X>9`?#LaGw5jczg^?Mm{yHa*E6q%-i+2?Y%!l)6T*sah`9Sq!9MFy3?&O}o=w#{ zyTmYiK~ZArtOdtzJi)GoV5-_%Q?xv2PKxw2T+_RDN%-=!5|$*e?gg(PPGAap(n zob-uOT9gQrf4~+(@Ih_}BrfC5e=E=sl?ZG?P{>U*Qvgpe7?r6Bj&tOF0X0BLd5Ia6 ztHEEB5o~A>%x06x+^elX_8hKDzBXg_p4t9I9&kiLDoMQk>#|_th0u) zE_GYeSu<7p@5NS4U#_`u3UfD2^BgZ&1Od~a9)-CNe54LouJX(2tEJbu-|kA z@3!UQ+sJH{y4SQXp}Bq) z<;Ngda(2@5y!N{umfvG^?t;e$xMUfbT?@P-HWKE?7#AJ~+n>zvC}FtAkUV*;kDTbs z;8EJ26a1W??uoq>`t%IFlgJZ=;DWFXisU9ABW_2q>IF_L<$SrbL7OUg*g_^qe(1VO z<=hOX>q+M(_S1`3;1-M=3oYplN7lcm`)5D3xE;(=1tUV#=bVg#3<(Xr%F=v@&Xd_Z zn_Z*&lRig=VBk%sFj+&^AZ?gaYb0NFc~rBd9U;=EC#OU@Ij`4H<^>jfgbXn1Bp)Ox z2Yp>n(37eqVtAI0ZRm!~AWwLfJU!%Q)Hnwv5SA4Q?n4m1#4C)vONc~HL`9A>A|FGe zF{k@tH_3dPfl@lDdQQPo!gQdUBsmYwHLU>uv=D*lI@FTw*0QokOHv-R>So`G$wYh> zTU(=ah+!eE@uaoY8Nm097i0V#hnN@NHLY^+2yM1)9tzOa%LR>@k~J)7&Ihf;MlTE) zcwm-wqA5QWIz}~r!oZ>T8?fmTQx`~5wi@0MI%mb2aszEU)9Lt3!99%qBE|Uy9xB2o zgoApOEoQ?UQDC%{<{C;VKb@!?eOIE=*i>i2Gn>;fT+pCC&}X{XP94&Lp6q+!tV8U>3ZOfKm2Q6B>{Mk!8g-eP23C4ZJ_ZCp2p=-d z$uHznn(xsKZU1g~UlZ^`-@BkwbyaeWy7L#+#=yR8#*lG_0OIw3IU%2Hp9}9)hhtdr zA*v!MtZF6*>kpe z+L76(v&oy`fOmj9p;au`3nx_{a`S(a^aO~yizG|09;45!ibKU-U4E&imvDUGKUK`H zj+GHgo`1s@$*_Z->0`q|7El5HQZ&ebJD1qcl1zibDFP*#PLpM zx6ab)iA0A%b;@ydL%UUBTN?ps;@r;`k)l;l7qvWq3Rfp2G{Ykrf#RzhD&V>`KTINs zz$ZVkRI+fwsUpT-5ym5mbvo*p?{cyrpEA?T@x$Kn(f23&Cx7qZRj=kBmLUjsnb4SZ zke#@`zfqd-%7q^Y(+UCQ^|4&Mzr6H9MIX=-XHl3TU8G{(Dr0D0lGI8aXBgrKHLUM; zzN*!~t9_`VS`zk^eQ)%0cv*HjooejWX0!T^dJ8n;d~u2P7GA}ZN0f8`I>3IZ%vzJy z^%@qTpE>9xKIleOo#bI@4C6M>Mi`UfxpC*oKhQxPfq=5PW2=B$2q@Buioopapm(jaXM3xx zxQiDP;87{}@0BuJCNydNll+~Fwk#Gvud>lJsohQ%?C8%inwTXGyCRb$mZ8}-L%o^# zAkPE_8c?ywX!&F%I55$D>zf1} z>7RO~;KJo90LS`fcf5b*(E6rdcf(+>GtQceye7^UrG`Xx0%C2qfDn;u3P>uzOk3YM z;{cfllhFrOX&g^er(RaPL>|1^WGT3rsX*llc)h;cE(t=Uuozxw?%<4~#_7#lH0P(( zD7tPTQ%%V6b{J~1JJ#uckbDTe4}pR~Kego5%97SITgvf_?3&GCSoT3!#w9sBh}<#; zDQ=OuHS2O_ExLUbC2Kj{+SA*G1dh-b;I@ zwIXP~t&QS#5Jp{G1ZSAOB1xY|dz%fXebzO$N4)apDjV*GZf0?Oj#D#?l za@LpNfh=8?i3YwqXHM@U<9_~~;dwT4?D>;U} zr<$~9L%|{dR(irzeaWg6VgqUyYib6FLc|O*33t0DSDettOFB zY#MuU+Ex30w*O-eHwvc3LNMS#b}>YcfPB%vG9~~{Xp680l6Ej3&KK14>V~t+1b+B@ z0+-h7Au7g!thl*xe+0>FYy#TQ+_#bRuO`EO#%RQs6IK$b8NkF5Qb#ne3*j@626>dV zs+5?wpIJL2s<^OI6h0WDu0gSx>FGcLAgUWSCrz5amW*=r(aFr9L=f-q0=?naBpQ)h zxYpdk2nmi-8}4Jsx1?K^kC!q|s_5jx2sZ`&&m}b4Y-%Y!W$H)YC`x zU0qdOU8U|r21x^Q0&ov?LJD(3JTIP;8%MS*0r9H2>i$%DVB|?8fW?4xCt*(fi^)hD z7L&Jpa-52?>alx)J-fhJEJ#Picy*>cd#QONkT|swpn`m;aVfc=0>1vWN)eS|+C?`~ z&!0aRubXeTcg4>3Yc!38YgTOT?Y`N5TaUHTNq@#3RrX$ovq!>h?ruE>>f>8MU5VHC zVTQ2)JP7mrG;|QGt&vq4{6OW?H99&zJhrV|H{MqT9l#DhDoJkLc}^In9s>U9Ni!3; z;4X_k-Qm*&)oT#d9CYi>pFa0r@3vE1Dpg8LWnKdErxZ@k{`95(Rp8%?m6bnLR;!iO zS`~ibvr?h>3PdfhRQ^<5T6(dvy0o;ky7Z??wYE}O{ge39f6~7S|I@$!A^)ELSC>4I^MrP!&X(ntKiu!e%hMV^iYQSFdWtTBZ6@ycq%K(F)GTH+V+9 z!TTwKQ4rgM4j>8byLLT?`HK}OSCbda@*W&9*Exa-C73mV=Q&<^!4CJ44?9Eu5E0x$;l9A4zgBW7Ah zV5j?ZU@3xpNmU`?;ahruu>eT@4!tY_sQ}sX^t^-}Ps)-d(g~n$TX%D&gIX#?4%_)) z9czQ5a3q~idIePD0VqFhAHLf=IuwoFU&K$1gM-HI;V)~NtweQ1RxR(7+6Uh7j^K>L zSAS6Wee+=R9h7Li-rm_h`~^?aH`|B1%~ngi**g#ovEMj2+}=FeX&i|Cql5juR?||b zfsxh95Q(upr`aKDMQYDrpMQbrl#(XW69PimgQKcT#tDXZ56>CEa7mFz>Q$N{T$4`; z3d92c{c=1WhV^p!=H{k!F_@Hs(M7q(Fv9Y8+?odR$3!R+q1N$e!j#NqdLs&06-=@7 z+?q6_&Oz%6NDDTdpk`S5l9a5V8$WxM9it0dx1=!{2bils`vBi00UgzwbZHCFdY5Y! z2@BH}>V&8DrLgQoP6^w5WML8}LU|<^kaST~kAqYwFgg%uVA~IA?ek^}Ju)0DUI3T} zr>+d{5MH#gr=TXjH6lqzQ3Q9^8#x|q@ ze*^=+!yXXa*szc9h8`ld7Ai*F@nC9~hsmrsw>T(Lr%IAx{+KVcpo**d=R>Xxjn_Y{_W2 zX_YZa?yBCQ0ptWJuXx9c0G5oJZ8a58LEjzfK}CInU?Nozs5gwdh>JkN6vl^00Nb>& z;WM!Xi8Q`B1-=HB)iap2_Tex4&EosU?$MjZ<{|LB2gSYp=0W3dd-rX-^-Jrp`5uu7 zi95moZK~j0l9N%?2u2k$I8%#+S7(F$p?R>|+)0DZI(9cB`Iw(*c(Qmz$2xDQ^SA+L zr|+$QV6!mU3YrbZB}}UEh0Q&9FAJhrB;kbmr;vjml5j*iWF?FFkbjK%k?1NC z)ur=a4^+WK*PL_Hg7JyUI9feWz6b{?RAJe+7#*|FSIGDF6c3wK3)_t%<{`Bo8Jl@tfGjDt&~^@u*U zT@??fm1nztXw#8g_jzz+O5qnBf)}o`9)@^vbMO5=GA_8D_Xs&E_-NetDis(kZc)D1mzx2$hRtC(@ zI7Z|CRdEnpyK)o2m>2cnQOube`kl61`cIsYYFYZDphYjoxk#g7 zs*6m*7pby18C(s5n}MlX_U>W83@KYy4Tlwdj4vbXf_%A!#ZFn95s%X;i?y^^EEg3p zytTxPYw7~WY`*8u#f~@5h1OQVQv)wCxY7{uAsfp@oFFebP{TvMR0;!vqV%oNjyhRS zw$A3R*9loFSzM}CD&i&>U9k;Bvbu)FP4z_40RoxednzDtM-R0?O2Y{ZvN2NMUQ5T5 zO{V*ilH9SpSDzKb$zTzdDL?AmAJOYfIAME`mCpJe3HXVezJx{7W6fE^%c(yz@osoob6H;@y=}W7sc~u#>^vAetF!#z&U)^@JX#R}K7f1{-NxCfn(MRP#6w|>%3ACUu2fp+Q!_d~ z)K9&<^6}@!>(GxsI0GW`;VPi?WUSm37jH(Ps_Oa{cT+f{C?JQ?B$P{=S|=kOEHmn! zMaw|Mj6#?Gp48GeE$;S8ak|t@N2K0+Q}FrAZKtdP_wg?T%iI z+~K8F|L1n0cLyYF^~Foo5Bv^7h=^oZi6*Z^5~FDdPxQXMviP05CHHPz=hJM?zOAG?adrM<|_-uqIJnLS7QvbrGR~ zTB(ZGA;nqDVT6_XJ_e5~WTRNV1I1cM7@_DQ==)=o`jf!HQfIj1ixPE9Aw_(FRPr-ZP)?Qu75GvZQE(;xMpLsF`j#(^3zaFBLm#5})Wz~dNk6)OiVaHuL zUVU+D0b%eQiUGn10}8()z*d)I;QC8T?OI9oVuVL2{PoUMM4ux1$7j7$kAvQE@9dO= z*T*$kHHMcUY^A+8hQF$s>yekg}Q*-5r1C3luNVk-u{LW zXZS}`Wswh}{Q5{zJsIeECO33dhiTPv0Pgqe${7CBteY!)h#po&*Xf5^eDKmCUdj$&dseo>fKkGnr-dqIxCb5q36v zoDzdHzFm4HOi(8cs+Ag-g3yxMO8wy0R||41f5Rb6ABP9skVc$-Y5!12;p~A=^d3J3``LX2nbWPML{LxWEK6~hwQ#o{Ig4Zhea`jdP zd)`EH(NfdZThX{F&lSk>l z2;2YbWhF_NMQJB3TVv7=dzmc4y-#FanUZxSk##ja=W0A-4{-fG{sH>o)oHQ}%~mnm z16dRfxN4OTy339VRcks%hr((NM{aNpWHRm_m@I%Ze8NB>H9H7Q%`c&5dB#>~m9L)4 z&!z8WwM%r`_g5GvT@xj6v$~=r5B;#3LP3wCqvJdaagkjx9X7t4(Aj+(c3kpk6e|t6 zVuO2o;f}pe?fCp!|{ABLTrd{ocR=|9MvIn1QU@`Y-i zM5DP--);a&kC%1mdJ?Gl0*a@x#6m64PT7J{S7aotj2M$i67>8Y49*eanRnsyyM4SR z!8d>YB5$>qtL@cgdIdFe;D#OLWa_!tlg8W6`5uw_fzQ8e=7U-U)hrg_e>h6SpKTA) zv<*%^Am4V9tLr-}jEPFIPjV#9)e_&XsN&VoGj>LD7o4)ioA;F2iH>)nRFiacMcAiF~e=PxQ; zKk`l-7|GTF|HQwyW~C4hMX|(1>1be&I94-L`V*KaJB$pK{x)MKnJV>(yOeSvW5t12 zDgext44C4`U~%Mc_K+i!rNTWmRXuB}kkwLQWVR>+@>x32(`%o(E>6HRp&}0j6|=Nz zg5TFvP;V?gP&oSKOKvT)YaBo#jYG(b=`xyY<1~wjGg*eAOhlGV2jyaBwoM1E-Vp0% zf61Mx*tcjBb8J=y#lpq1A=_r>Vm2|8txFOeZy6|;QFOsla> zX;lHI7tKYiUoso=da;bm{@GchW0^9L$oc7XW&?F{-`6M(2&zS!=~G|C&(BW8eIQ$q?HJ5YhwvtkM0Hgvc6tc=B@FIIHXztR>)w8gh zY^}dUH&v1YgelQb@Nb8m)a#)NL(tGu z29B45$%O33rGK8nQzBpDqEjkQ<8T zSZ6CPPR*#U4r6LlMtzI5w#w%25FomjDZD?jlANYS@h-g9W&8`e62sr(v@6BfjA33L zM+|j?@WEnOt1M;%!G+3TZXX2#8@{Xnkdn{zDWv3-4$ESxyD(YOn$}TTKco8=^Qi1$ z|DS1F0HfpMIk}zMlwnUTFvunIpSeAk{dUL7FqI?klx4B*9gMLm*mFBq!2Kpm5>Ff* zYf>qU6--+oRPL&nPod$39lfb=7 zL30pEnqCSEqmrCjgk&@OAu%NlDrQuLNUN>bNs*3rs#51Iu{%_uT1uhXLxq;oN-aHH zY&osi@`J@*rWJcRwHRyB{WERs|2b>yNg$L`6$^?I#ri{CkZu<6CvEXie027_-nlMI z`iGOjRGf@CbY?%~3o036S=4ys-kyi4HFGXhG_*j-@}}^VqS11P%QD%@uQZOY6bRgNPh%|Alq$>)a5J*8|#7lB9 z?ASO!N;(dsreM?_3!`RW^u~COFUd=CsYhFke{;SQWk`q%Xti6a9Wv;MDI=|t?aE)K zoy0GrnbldmqzdA~PdQXq?L)O|ZL01+FNP_%M*fOjpdSKBLOE5b;cbm(6@Sx~kK~xo zCOt(Wodw~oReIWzvr5?g@>VL9YhZ;>ryppMg`N$vQf4%C9YAfa!{5s$1rCnjmoiy-a9i;|L< zM`piVs;pE~_Aos>LB(EmfzKmz;g1_|kE0dWG>(d3CiKt8Mkk?R^26U)Uh*h#9Lk0^_As z{G~3b?X`|Px@=ZAS5)>9U|-_ZW0jy%|?NL%zCbcNU~kZJ3fM%el2`VE18RFJ&^igr7PSP_o<~7p+-<&Gg`khCC|!bvW}R zrR>)#_rUF>+z^oRO-u<9GO9A25s<)XT+=eN2~tyzMt*D$ynOj$SO#yq;hk7{K~vC2|qW|m8sJaVe&e+W_~Y^msd{H%e|ac4wlp1tJSm>jB0E6&`>QW%4)FI z;|g&`Rar0y$3Z&3h|^7%#J?F;U(T!w4^yP>sLn!9!Sy@`MZAah`YCyJn#vq{(=+Qd zoq04P^C+JAdPe5!c;?#~nQx<+gW*brHEV+5YNb=0A@T^W{4`zzReW&Y3D)+ZEtmoY z--5)BsvulWTVKh0D9R`ck%Wrh9+8Y{D#`%*V5)2?2&dhGM=qKvn=CSPl@#UEghFVm z<{}tOk%!q!-0*%wWH37E_06Dix!AO+{7e#ec-Eap#gE6n&U7|qbgevS!Gd%uR`5Dx z8s$sLy2z`Svq%M%r?@yJ*VFF-VMUL9BI$=KXbgw`tkNlW3xp?X0{L!dX_lPa0s|Wd zAz}Gde(2(kFMD)z!h!bUEONwxD19bc7E=o) z05jSMiJ#O;V6)Q!0-v2|6R9YPY1u!qetVqYYxYQyx@bzfqNAn2%or~!@(C>tr`^?9 z>o8piv65hPhDHoA>XHf-{yawTF*3|11|PmavI`J{{Y372)IY}O6Vn7nq3`uQeGN7m z(@w;n)caLbO*X?7F1;ds#iduNH#QU>&3!Ag-%iVaYZq{9uWD%xpQ^AJo>kMksrBlk z3y>7+XP1b-wtE(Ky{RRD)_~-M(nIL^(?;LZqD{}&WRTSSnzAyCUKr)QTuJK!L?^ae z==Z}w*=b6lu}I|_k`q>(sPHg+@wm(Lnl3RJrPVYU#oINmP3Iva3`IB|p=X&XbgoQI zkz(k#pRCA@uRqfkAZBm#}->Q#g?Ykb~U4} zrD=6t&8TTPwI-(9r&qO{T2*Q(yRP)Rl|-@V1q${I=Ma9TO6Ma}^+3xMOd_*6;M3C$ zw~HRE(_~(}cTMT*6jX)J7N+T;g?IhFHy+(Rh!x`6qT{7B3AubmI<>lSnx5QvhMpX~ zhAKs!MI&|m5wRtl~NRK@LQ$n*%O$146{?6rjK=d)l1XI8Y9htID;tGrP?&U zo`k1VV0b?JWTPsE>S%zo>oK}J=7=K;giF)(*zYD9`}NhUTLerXv!~eXX@au7|_L`|Dfyf7*sTU#e7#=aYZ><4~;)c^plb z?xV!Osy@-heenQ0N3((ZnlW$Y-h~@HSIF8LJd)H6V7sSU& z)9?|FaEjaq-xgX@I5Q8Hoo2G7$`6W^!B*S&E1I9TY^_NX*h1Rp_tE8maRI>YkbGX(BKea((n~$IvTH9+35Mx!>^(qW2eU$=ZVtgXu0nX8qR>Bbl1B_JKImWDUbz-N@o%vFl&>W3sXTRFo)7mKMvfzztGdERtdDE*frrI#68}z;@0oT&o^; z#%xX6{VXasBdHcB6XvZ;!?B!_Pv>XwsJlg9AjY^Xvb&|)a_U zRk3KHoR|X`xhi1rXh|S;h?p?-$Fef=fL9RiIXc3_{G;U(k20ADM~?(-)Vp&jZLGr# zQHT`K7nSvJ86;gf`~6075olvJLEZ`2AbY6thHSRomEWDgm9kY%lgR-*r50^~sK?CJ z4%l`&UjET70oMOh%V}ISALMHjW*UU zgG{w?=HNUANhOSAK>KvyhK|PZVWf+HO1-`f{k{wldCsGXuOQeQyd3ZTb*!so&lm%E z(`gzx>`g*7cN`dvdGc?0h9iUT%fVF6EObD2Oam|Ou~KQ@YefIgI?EZHg(UR{=* zvV5QvW1d%RU~!i##i+lPV${7#WFT*c*NmAw)&8NU@KE&(OuP1HY&d}7BzZy?#JSN-ebLK5)~@R4;C7XN zUa+eTUe8_9)Hv_m#d>{pC#$`5{VQGN$&Eqqld(VqxYn%T&p4((w8; zBAJ?@?%&xw*))yv!8phgx1Uf-D=HsHc`ITz83Y;bWht8oV@Dac(g6pl?C{!p`EnE; zHC!0MjXGy<2|b-nE+noeQjL>hXC-uA@6Q`aLR|RLPfK4CdAu}HIgNKco}Q+203zBs zCbI4BL6&=}$?9Cxzf(RUl2x&hyt7AeDiO)#$;v}b0e zb?@(bJtTfDN}nTC24jjQR$XVTu=qHP@CkZXu&*n5&#b&(=~TWjkL!ubG}ChkYnpz4 zAiFOu+9^j5J(>=C0vM24)wQu=QtgaJ`h`k6@)fi~Le9CLX zBA)4~2}t0l*8(X^=|zYuNGl^<$&&xK4!KMqHlk?w2;xBUrd3`F%T!E%flyRW5Q@8z|0gGAsbUM-FbsZjUlY-O-XyiQgt@i28go=&%Fl(nIHlJL;R` z0V&8SCkG4AQ;rR{(=(Ic^V0#jQ&^a+r6cG#d@M$OS2>RUP|OMGDbQHMg)~^xrSvtP z3(Jwa_>^Zb};#vNIwadh7 z;J{HTG#Q~ppm&F^E{CB&b6`|)0EtrG;`t-XQ!m61$tg6uw!Lxh3JLkR2twsnt*fCZ z2;@I_HyA7T^W^V5H$s2HK6}p{kM0b)l8LzB&9DeyA%toHOa>32OkTQ*MQ`Nf(gb06 z(t{(dN;EWqx-?^0-gsZ=q74sB1@cWfb+)S!eu!>}+@!dyBy2z0?C0eyxJK{sH$GGu z`WNWWT)XFnhO+0khikyQ395r^Ji|)J^>8y^qi;)ewH-*O^e{~0k~3A78L}bOd{WhA zI7y3MgtIRg4fI(9ssiPm}18E8xYLzrJ{CaOF=)xg6$` z77rHfhY0GSfm$HSNc5sKUbu*Q5Bx0+@-5mXXcnzElquxrBDzD&ry7-m^?ae%=!Mld z>0vRA{9>y}9o9Kxf_7q@3|vW9jvBvA2Cjyxo>|$Xu1>U+@n{gorZs4TN$<9S)%t;s zCgHFBaNdw+*CszHOs5W!zQ0S-_lwfZN?J;Ip(hX}%_g3;J=18^MeUF>Ie^NPxzxx| z2F>NC9)jDUX}HlI0DqR0vX75KH8Vxd3Bdu|vOeMMZkSh0kuWtt<``K2wtbyFIB z(f3RVZHah&CIQl6N)bfEN)|bqhgHpV4!ktDrz?a=F1~r!xz4;e7&6(Z)9Fqjl1?@v zbUMozXJpWpZ%n#=*Q7HgJ0q=~=^S)%5y{cLu+!;=Ba%+r-_F9MICtQ7J!m`|NdA;_>)-q zPZ~(o5%v3@KmY72zJ&25fAE<@v%0)IZT@R7R%>SdSC(M@S8A&(e-eM1&;M8dhe}B- zwu(y1!b@P9NFl}T^)LrKlWt_h$!K;9~6PZsO@&q$|;5dV6H}fm-J%VcnDCS zA9N?IE7KmiH-6yISwNb1mq9ot_gQ`@IzSU&pb&Q;Iz6PFu_`>eO7sbpZNMb3ecrOfze%)|bTS zrf-V;%Nqp`6*Jxp7&6xYP8gF+`oOONG)1q1l&^4 zf2cn%qlG4qEA=Ygy0ETulTsXnpTsG8psrqhQIMi~}r5 z0PB7K7PiiC6m(<|b{mJRA}nuO7iCB+pTqy5RX9HbPf~-^;*pgVXF%5%f+1ghh>ECS zLtmo-cie4SGZF~Vp7LsemnOKQLiZdQOK6{e4fH4Ma_6~?3$clz*Fj#t1bsjnRc`mg z=KKAf#$j`FZ}-ji+YNP=%FIOiy5YEYhx+TC-h>>GOA$Ds;ZU3d<39@&9m`$Dv3yj-21|KF6IQ;a4+l!e>2ZQHhOd)k_|F>Twn zHEr9rZQJgDXLqy7K5eqesiZ2Y_glI5)OSw41Yv&NLpS>zL-c*ae}-uS)iCeL?d!oy ztcZ*@7rBcn-@K6+5TmP0^F4R!1N-3S)|V$Jya6#jIV?6>q<7Z+GabyQ(Ylo@f#pN<7blz&V!HBf5du- znCwMJn58beysVN!t&+2OU9>R~nuz1^+m9(bnlrozKGdDmOQoqU1M{DCH#MqR=DEa! z^?~o7byqq{wF~%bp8S`nuq`4_v6V>cr(2K@S#W_Gm23@i3?Dp_P}^OtGNbj}`Q#td`eKl8OQ|gdmrE7VR9hpF0Zsaj#>>cT96(CtqOWDZY05uV<)kR zh>%ww>@V0b742G^51{1H;jwFz%8D?9d81E8U__aaOlF(H?1WuMBinl7u{l7K@0;E2 znG&0uAF?1j0s>BFSTCAZ4Va;73^K9m?ub*1*UfaMHBZDm|KG{5>#HL3I9`xkN1w3b z)z6du6JGx{kM8b9-#1vdkLj0vyT)Y{`xgW;(1}}41cX-3I5!+fW5Ah_U+r@6%WvJ4Fezh&a)|pV98|t!j~ZaL zyvp89oGJ5kO~i?&NQc^C!S--`J^1xa^CO#fubUA}#7Bz8t5F0w5Op@aJKwY4E)B1T zri+4Vu7j}a{E_6F&bLN)yFdNqHy!MfsBysw*+53}De~jIWs>-%L~`!9$GndtKeg zgbz~RG5x$F2op`S3qM|k1ojKN=_^{vecg(3;LjQs_G?`9*wj&7%+(LCiSRLjN8n@i_Y6$C9n@`xh2h)4C%r zvq;2Y!da}NGi5$$R-O^*o9sG35Sq=!v2NScX;X+>ZWg-1 zVy&C4&fBrB+cbAauI}HSAJ_K2ZFB1)@1zWr`)722$+WSuR6&RXcYSA$pji_+o(uHl znFic|6HDrdLNkPJ*k-_}dK_K=-t71hVl3qpUfYZf`1AtVAygC7 zVW86|D_%c--^bIWxBgx9kUm>7UR0)Ejp7k|a`kamjR1jSF~Pb1VN8*ikfUue1TIV0 z1L^PJzW@b*&h1jgW9!1`6$nL>t~{3vZkRXZJKRm90;X1u100+RZAr@2X$rx3Rq8VAX3-vxfK z2fKn*;vcKawHJTeuiG2^F8iw{GvzTI_ZP&>d3&x3QsjoIdAlw(I*3W}q8W-mwVNZ; z;CzG&IB50zd(RR0F}t`5TnUdjr>5B>Co?+~Z2R9Vu6B5En{v%ZlXhicJWwS+EbwRd z8$HJc<#V!5roU=)@v3sQJ4iM*j)l=QvVQyZV;fXQTf}a+N!Ccqf*KSZxp{zEpNJ}I zOpu)rXPWIx)}6Iveok-KoZOtaHKv??Oh1hA>TcG-aK7&J?rxHMRN6(|CNyhtKPmuZ zZaByAC|(U$_aW9c5xpfYGxkLJ8~jRSQ#_r^*4KXbuJ2g2SgPAF_tc3$lAOJf^CEu) zH>jp7eno?jR_X`1;M{Hsw!A*K>9@Xa;$pS-r{ngbM(9p+#uViYN|nMKkr-=_s#yV0 zzFMdCVWE76FZ$Ax;l{m~z-=~+thJ$n<-lsk?5edh>YV;=;_Jq5J64;AOHoi>hJaPB z_^5!_bQcB5<4EX0pFHM6(@EHTj+%egIo`E+h9^PN7H~cApso?F=H~0$`GxhRFC5pR zLocpj|I4oycdhlkymZ=X4fqIpB+}7i=qDjaONeIS0hykN8`YQj(el*@&|0SPTH{xo z6@*iDqBK4zG6mYBXhbP|7V{U)Si@3)h=9RPYXc<{*kD2LL^C@x`i*xzs2x$ZoyEWQ z0~rc~yM-9|sh=;MVWu{O5pN9pf)!z`TsYSCreK&Jwc+m9{7!FRA&Ln_)cQH=Cgomv z8OV&Bkf}qjSU_nKebNI4=p6IaiV_k2>fgr7)WE%hfahNoY7`x`-vYpF1y;2A_}M%1 zslhaCc9E!0J~0uFz%Z=X_DX*>H$ly*iK4e8!{DPw;(=MrnM2FNgVrm@;Y2>%Tb*NV z_&GIr_~{4)`1#Qfj*$t;=8p-(XZQ`|Na-bEC$JZ$$s-zBqL7-1mUfzj=q2Kh*YfL? zg)hl|pKv4BXAXbsP*6@3HhHKp0Jw*MzBD0PN*o&e>)#*lYmZfp&|oN+MHE1SoNvnr zA4pz1-rc-0-vs%#2M*<^onfwLOot@#)23ILWu%WRJC**2f#YrW^9y9_cmMT}& z%AgsO=76qFj!#7`0qkV(Y8)F7CstM!SDewN3hLj<*%Q}yo%?N(0FoC1XR3<9Z+_GK zAwkf2|8XUnB5*Av&s+>{l>{5FY^X#&Dop>&K66n7lu+OpL%vby;tp|&ya*_Nj~AZp zE`9VAW$`AZy`pYU@^esK$EtN6F>G8U?nnrWjZlvAqV`;^$|JF<_i?r;Zt?qdhlyqSInHmPd14So+uDxo=dV@$_O?3jI=VohnHF>D$->C%1BHVJ zz=;1`+qS+a7kmJ%!R*6qumCS)aq>6u;Ch`AgOksMdqK#^gC9>3#RwiOT<1@BT3?gBZRoKRP9#~LJ(QLXR{ar7DD1QXrI z&1(U{nBqoW^m$7bM=-#WlPD&Nctx3WLG+SI1M`U36P7uPy-6;h!{e%TQ9f|*AiltI z@*J>UP}$5Vdt%)dFp#!9P_nwD`JkR#lnNT z8uW_AEXj#JaF#nosPXHY_*xS#orM^23vU04Mgx}31R9AW>;9@ZN0w1CR`UdMA}vhH z1MIO`;a0;Up7U9#{y{#bgMKVp^^fwfA7@g1L2U3^%K;zs+1Qwy;;L*)FHKgb8Ob7- z(TT<>Rt`e%g|u8cU|KHgcFqzcC70PhnGJ)4zfd+HX(Yf&6_$p=3cPf9ln`K~t9DgEqf-Qt3*@)fD^BI!XCFoqPyFj?F!a&O z8*^Rp?PxBvaedAH*0xuotG-|WsZ)A43v0vr=3n8lb_)LT_vld`l!6hS`VsKGxm8^& zo@5&Oc}Ojm5>#&bSR-ms;E;tNRzR3K*$nC~`sOg@waN>a`euk!3-fPeV+U*8vH#&F^J^-^oLL)nuNP;pN;e1Gt(-Yi_FB$HG0Ci z+ysI6g733H1xYS)%Or-xG&!>Q|n!v+PfAopE!?I%!S@>Xx%)PA1f;DFe#I7 zFSosWxc1Hew(;AU;4Oqv3~sJWl>I9KO3tsUiNqA?0O4ALAk%F?`v;cZKWL<%@wYw$ zHoT|bPH;0#Uc3~&J*x2eycn;UxBKT@@ff4bysK0E0m91*!fw;fE&esZ1Q~6pli2d) zqU+4HPpRF%LlbUos~HM}tKO&YA)z;<28^WE`Q}`u6pzH(d1w6tR{uH9?b>wQaAme2 zhr1laTl~F{8UEEi8+CPV^l^6GuPjI^X0iH$39N|ZcefVR2Z3t-EXiZW`%CD8T1!>Ss8nq7avz@bItJ&hM-is-MxK2Ka6_LkE})vkRG;VN9xhf6Z9A!5zKr z*EBm%r{yegNJ^2gBr5LrYArz+DDpve3shfes}LT!QHQ_EE!g{L)#woEQebDySicIXL5ldY4^*+!u$2i zg0}2^L`?(e2(1Ke&1==PBM9U!22#M+1gHm_y3+iTQ6@n37wqjf;wA+@O6$Isja)7L zE8Ws+S-O#*GtJ`~jeHfg$Xbt=`ng;7IC{u0Veb@D5+ubJ z#h!y^zD_!EhHfpL{aPiu%Gsx_&^lI06;JiV!~Ue`u>J7V!i~n~pa;!70bLqpPaa31 z&L^R1<#R+~!ymzHYz6)EXd6cG2(r#W>^x)d{;|i3DJ$3taxgySZ+$dKXIl#_xeELC z8I>D_7RzTyzsHD1V*-tAhbI-Kc&oNwwtyog_7DM`OUAx10g97_x{X#KBCi^_e25DX_AwP!`90@~?AYZ#j@;s^Xr& zs?LDo%lE^}?uHjFuZ9+}S8;HOF-xRb5BdnhR9cqPJcmV7qWZgKMy@#+p_qb%5uL#N z*$|C9*b7A!8YRhz6tm?LZDmB|0%P8GMi(UxpIuJgSM*f4GmWEdccfgE zXhgbH)IkudYK`9wj8nK?$y>p4(veDxV@c0*UOlR`Y(ISZG>st$J3QQed82VixZ^PGAm^3<~|M?hgcouWuen` zO2k%crNWVqCI0VoSMeoGS8zx4vDqqOc;oGQBxBzfnmn%`PsQy`-a923~9^`-4iCJrZ6Iu(Yn!}FA>aj@Ds1k!cu8N2vXXU_hrKbDZ zLWZb%Qhddy54Ds83*7aPa%-NEipk3*mbV{SL+;XxihKn403tP$Zl=jQ^44}vZ;Iqf z_$x{b;^TX=+zQB~$?A$hi8N0ocZf|gL>am%&0n(%OJh(jPY=H3I$Qc_l8)}%R5K~8 z7ZdvKkW}CdqgVQZf&9*VJ^qiY=!6wy?KrJ9A}WRIEyR`|UJh)O^`zQWBCG!pS0 z@rocaTjs97OY+Ek?#adZjkY7y$c5BuqATz>B9p2=S#|sz;8vq=#42@k3kuRPKPT{u6F`1yJSbvnJ~Zf zS9w{N%&?M~oIhWCxwLWF)4!y?TqlJzx4a!{%jCgV2`1B&3|uvGQi{JUNs+oDen2FZ zAVdyHxdx@s^Z9JKhQVUeXO8%LH=%O~1)j;;`)<9B~b7f_+3 zmPfdf=RlEO+Oo+q{lz0uxQmxgNSFX1E%(rqUiN5~RxccE&_WED3o;RByH(kG`YbAen*8oGRBsFUsU7-?tbDRgWy2^s z)1sDYmNaS6+n*h#AFg~LSS1h|D2dMa=>wuP(h!qPA;x7$%rR)MikI0@WiJFw!dab8 zM%q|wNn~^AdSFo^v1|r&m2*rkfxj6xS2crn;-&2zP zWq1+Kf3YxaV{%4CFb+Cz6Y*GLOd>{x9pR)!s`Q-egFE(o3dT|F5#P$5C%xZfTbq5# zrNn)*V^<|Nc_pkcHQhhBtO(IC&wsfl5QpgrfCze&D5T#Ov1>p*ShSHFyILO1Ny z=4&fatb8zU3m|(eE1*6Ut-8T!0_kzC%TdInGdZCYd3-er!AlZd^0F) zEuc)+`lL^WG50rts;68Hj9(l)wT{qb_{hE}OZWa$(y^iRawR9q?H}}9NVGIpMz~iQ zehVkZ@{mUq>vUfj#edo8os33i;?Hr7gkGRqQfcnOb5Zze-k! zAw9EnvdL#+aLMp)LjX#YWxbnJ6C_M!4l9kXH<7dLgfu|!STAYg#!6_VaGIl*^?}E1 zZ@bA%7-; z{>qWrJv}7w!n^@)IZ|L797q?cbR=gq5g!$j9y+FH%I`A`&YYrhsEZ$xTZxrjd8?EB zR+*L>1(tjo9R_gIl_`D33(i&#@mf&$cBIm51 zL>z zG@G(7)H0_tEdN?^YuT-=)_EH!wkn~Hqk=QT)v)}sPGC|I$!i|>Rn9XDC#wI0;_29O zB~D&?-8mNH!@un&^0Y!ATxLX_;M91_#THwCzjzpWh>lOmE^u--v|+w8z@q?N|Hn5| z9?UsX2a*auM9B%Ty>r9J8u=jVh;cMW_|!}MYyK!HssuGMwO1x?e;{-mM_wt1As zCevJ7DDt=Juip#dA>}vi;WrXCfQYfu#;AJ!JZu{p5ovAmXSvN5xxyh^>eFqWfmN9VL%ZmP6 zkv}M|S0oOphh1I)@@4F)>wLMSm3!?wYmas1?DZQU;0hqwJlInRh)bEU9sod!Oz|qlISA-tSbMIZWCa+r zXci%g&L*KZ6B3*=e#bwpJ0w2x0K$}sg$Eg10Ap>n+Q}zC_e*wSe`S&2c*-Y*^;vs{ z@K}H5D;<#hou{S@kooLwQH!|-sE23W0_=|f_C|ORa$9;H})!bJpZTam(xRJ=2QqT{KQt%w7 z%5dsfk>{-)H2}pt|dXPrR8MJqL%>*{N_wF%I_YG640v-$8475v>=(*B)i|G;?hlEKH_NDsq8!|cMVc?0g{2SI{C zPlM9Fp7RuDe0nM`xosRD0f&t6wLga&HsF*lx0Mc#ln}y<2RZ+w|JR3ha&b`B9VxRxLCFW^?SOX=3qSM~J zU*dfd^NldK)?a=ZBQpb-`BC(B`%u5`W%#AD^>g{~Z*evN8h?&|>PMd@@3F#f|2Ggx zd;ONWNSRpAO5A;^U95MH`V#(J zHc`g*^Ar$rc*oe-DIVCA9m>x%5*}J#-yQMt`F4lUipK|4;ES-!Xk(ZU9ul1(9Az$n zn_U_0%v~<3^@zm$(K&E`2B-7!%b3h8Ru8!L5Xvv6f=G~bbOW1B`%GR-#R%Z58+?$w z_Lyl=+G?NZ{ogj2rGXmM&sE=U&W+uYRh48f30^N?*!+?vYGCEJZW3dH!1MfPcOK{L zKfFj^|3;Kq;A-RBJ63;+!Dr>y)^}`gS~9I`a1Qlzy2{mQ7>73_cHxJVrEO!jWM^-q zdJT=_+z$)=bT7PiOH!*e0-7BpO|ZIGg`ukG(EM%z2X?iW3q6teGMk6# z@Su(O#;~x8S{?!k^h1C*?e*CFLe4X=-7pry@@Is!x)NUvg zj?tEv5Z%%A&%~%``%V$di}ohpbM+PEqpe>u1HN&NA@j(S5y9GTRKjs{iaF+9`1%^v!5+q--DB>C7}En!JiS& zo&$(wC>tXddDnn8d9!4CX@;S-aalDuX1ZW%D>=jj*J|AN0K^yzBm+_$Mno6_@2t;( z+LWMU)pnmmZ?-aqCK#^9LM?lY0W>|D)Y#i(KfOr~%7PBhLNkB6w3jT>U@Y(Cm&aWf zcWU=y8yf(AeN&Vb2HUUMC_-!%myGlVo6=?p#5^^l=)zCg}L~b*O#J3 z5mH4zRfUq&NBQ&Kzno%bmyGf_@~wc*2Av9Z;}=4k_+JVDU(}D=*+QQa#EE_KJu2?k zLaO2f9Im%ya#1TB6h}7G!K!FsNMDz>0w~}x41S?MIgV#szbuXrQ|{AT*}k-@>CkBz zWl~Dm@AdHT?MgSoeV)m16HSP;iW)woAR!J+!a>$h8v8T05#P)2 zrDmQ}y*5!llNxh(k$L?;A*tp9GnpaEDNQYar|6uMZ3Z5pJtz8+nn7~)VQ;W>xf3Bi z{LPD4VL}*qE;U=oD(J;$noyyE2pZ5b%qdmEQze7Zlk=EUT@WF}Xz9wBkwA%E-!ap> zk#JTnBW3&gnWFF!rKq`7*WFHoRD*-0&3VYXEhXy2hG?@7!I4Eie{x4kpRlB~eqwbN zp_GHE?KhRg#xc;z9eKNv!L9fRTa&eeGouU4f`9DuIn9IS>15WSmSD|H4$wC=l~HTp z$K}y2*Nf=XyYH1Jbs6T72$99kXbc|Is8e&su=}S-yQoSMLdDpOoU&!`_*u#8gqxN-j#V!-_$=D8*I$r zM)d-|i`!pExM8+oYyT!}Giy3V0=IuEgm@YM+2R6%m~}*;07YL#!5UpLMNc$6aDj<* zF{VP1DCBN?k?i;HVz6BI#E*IK6m@x)iv-by8Ogzl+nPZi7#>2w!Twbm_|weg^Y@wg zmx5Em$Vr`)!;4~hPSllSdL$5r5C?g8JX&L1F;WQWf#m?Rz0u-2ihCf@D37qC zQaJ5U^x==vDgV>QpwUsRoPb{9kgsFFP#X!Dt85_PPhxRpWC@upJ^peVtR=Vg({Kqr+68CsX!u* zAWWXNu@+z0zCw_evg==*JZQcbyL{O|d#Ny-3OIP5PcdI=Fx=wyK{J)24wT@pHKP>B zDsvU0Cp#NLCN_&dF3p`X=ia$6k$e;wGf8ht_xhE&;bTX*)q?g;g20jLI7QdkCn%o= zkuq=)6ItUdZL#tJ?p z!6T;jeBV``Ej71 z&m95Rlnc$}vu8_mkA!xkz{A!x-%g7J)hSw6Eu$d!xYHzG8MRROhauDM6b0Lgnkinu zUBWkk7co#psnwcR9|dMaMOVmiODJm#DIArE1hNU}C!!Uvju#SB%q|3r8Wt+S%!d%1 zO4U(N3X6Eb*Bxc}V!$npiV~4MwZkE?LrQh9uMh3H{k<0#{|w{` zV~u3pz~L}P0rL`kc|t_ui=W3D1zL{YD;vMl;=rXINL)LKQ@0$`slrG=0+U9fUPG3T z_To_4$q6)G-@@P!9#~z`OD+}r>P+a$>qa})39bt_(~Q=0PIs0&y`$n_2iN( zX#3tjq=;(%x?JCdei^;G1p^uBTj(x!6mK9aH5o;dp-Z&byb2!!*1;6KXpEM{M4J~; z5thc8-zKwtHA_+JH9A71{|ntfgx!QNXjQS5GLbs zpU=5s)6hIIb`ssBRJ7jxysajo^7J^Z?`9a$pfts`KN#Mw4typpjDz6AQodjLS^`B%k_&AnH!GDCf zzJf;)nfM)+gh;>qfG=UN+rS8IOuY~{2bZNFUZ;AEj1Q)QhQm&YrZBAvm|{gb>vC~F z$a*RN4n-*mIao8eZ2{N$MlG?V(omGAxL5-{QX$4-WwAfl0vpctbJ)*LgC zl9>(0Ah-4kB`vOEcrQ?pc+ri*PTkF!iLWa=GX|$IFzzyx3iR5>v`tK!y*|`_0Sx)f zfp{2y8asA8nY$NTyJMHPuUBt}%{?FO{ZO-0Mc(cf+v081YE=2d2NaidJ$`WyAj^{76i(x9s9OtUIY@H)Cp_5cFYvYp zVA1_KOpp~5V(D#j_cK>hJvD)FB%3=TRsxTNtVvCUhU38>`5^`~JusT>+6@Fi$>yUy z`_PFe%n|po^=%2k-+r8#Lh7@DeBGM@y_LCZ5_uk8uB4uI`H(Z3==GgR$)mKS;Dg+_ zhr74WqSwe~o{1%wPtR`9+niypU%O3TR~p|jcJtER4xHaEB%z1u(I&7>o3jG*f_U9P zaGnWtuww7CV-4gV(7nuQsq=?Gc=(RT_08X>amK6=XXp9}zwcUZ0bhjGIZ0>sg>WP- zf=r@TGF8`wlwv1=bNb$oU6n@3caz5`5<@;IGOmX@53WcgGeRyE3y|nmcp9Ps zo*rgbloen=iib^nheY8m(mJ7o%RhDL)z+igj%>}!`hbJA!Y7G!@~+bvk>V9TE6BY@+U?r7YLAbjY@(rTz z05pv=Vcy4qb=M{u;X{3qPg9hdGu?!X^1CYkg}@{|FBDv#q~%xdmzyT{Z?|Q0X)*om zf34hXhHIQY%eKXM#TPqe-vGNJhjHTC=H^wJ(8JDLG~&a^WRaqqvECObD2G>*0g!?4 zo{3%pfDWXBUa~m1Mc4XRv0iHW=$6%YvF&Np{pmrcR8XEQNJKU&yl-4wbB{ML9J4g8 z7EN-(0|fCgJe-UyK9**={R*jwfxo(EHH*{qJuv122mQ4wO3qRNiY;29E*`pBM5X4( zojze|<}V5)#rI&l5qHrg(vT9E;-dDRt=AI*~^Qa}?w~=L+faR>T;zdN-X@LJ8bSl8>P(#@3+hRZphGtcKW! zV}A4LyWwA#e{>5^k^*1O}LJ`-C1PpyTh1p#_E_v)WbAxirz~(?wy>;iDtv z`9SW#HLc`il!Ze+>j*G;UXW4H)3U?Zr=k#KIFj8|83@&FiQ*WrJOfF=DC-ins<{cs zOm@jMW3sm*VRmC3umxxdCx;M^7>W3?w3l>nc&Z`T^A`N(hdCmY3A*yXfcKS z$68@VVocSR&1+u|r$7*k4;nxwy}R>5rjV8LLFm;tzwG#gtBk_HSgJU_kPoIP;rSV~ zRn+9KojX>sIN%8w^bAPf>vL9Y&nE^YI1>zlJ@G58O8(q!W-n+E9Lo0Sk+#p21I*n@ ztPlY{4`l-;p=(JrFyI%947zLte8o!QM1nY<-_m4aQ^wV%4~ z#W`)XQpO6z%IO^XTG%+HoQJu1t@)BQ$m=y@P3SGh~}DlDWYXmGa*7FfK= zKQ_R1Cu{Nd*W!ADbgw&HQkZN!!Du3M(}@Mwv&s8EPA{PV8F7Yquv9yw^fP-m(YC*=8>d&2bf}fmErJ95#qdHT znR>zLM~GJ1TnTgL#I4uW073osQ-??W8KODSoe1%+@0mN| zf^z|ReoMUl*mTn6G9@pe*k7q}@OJFsW$7FcnxtC!C1)a)68OOSx}^myaV?mv=$v+^ ziZcZ)NVi(GGcoe`xl|(AK&eIRfRZU`_4#ge7~Z#&5FF#Gk>k3W$b&x&4nk4`{i;>! z0c@pk7sbT=TxuZ<_$AV&znq6wyJF7GIEm*z)Ran8#`8@BiAAmoFr7R-gSQGJ5z6H>q;DMeLut883;Kgn@ljs3+_N zec($gP35_PO*_9JG8}C%d+E5TWOx|vLhc1@7#3<`dcbf4ml?DTEsGI%8c>w3cM%(s zDkY3bl#fw{mqhX>DHt|2YFPF}2^eo9G!4Q7{^$k9mIksa9qt!A5H5{+x1_12U|LGP zbLtOgZfqfqbzuitCG8!!-j4@Z^te~EN_q3+BZWxOD6Fq(Tp@|hG>jz-YSswCF8OL_FhpW8Fi0#lGwEJq7b2< z)on#04=x~SyZ>5=s$m|>mIYEEz{U|F2m&DdgE0;FVEmWA)EL2%B95}$<)Ob;rB-?= z#6J)XQGEi#d(Fv2GA4gPD9`U1GQh^eWeDR0OlAMJiwv3W{iauBeYPV+P}|klPc14O z=j?GM1;KSiVblWm;d(eKhbU6Q2H7h}Uc${|doT-MvPQJJ|AAj$zQO4Z6vgjja>T#I z0g1>^Jy7i6Ud|*y_HntzY8O*MoK0xzG>?s)J&^5U#|x%wJrV!;Q%GgJav#VJqqZ#t z3>NF@nn88P?iE;i+~@KuJ>RLP<*Pi4W}*IAY`Z)=9P<5_wz7L@^%zJ+Kfg4^6IMYy zX-_oP*|}4mWEZeUGRv17pSZ1Ut1MkbzptD}njAipL%R;~XXpI}o#Ns{t#Q4cf<#mj zYH~Ius*)W+9KHmpzzM;gj-Y%;ZZ;B1-o6A&`FZ@Sx|~w?aHOygAl{?#Y9Waaq<{7S zX#dE+kfL3N2wY0ctrVsMJFPJsG#<(x5Snxagr%~X%?9|UNro!BQMmD zAj~K?3cupclELS01@1kvexSJEkCBe(_gF&IZ&N0@|kVkV~ov83XdroV(FibMgEl9S~rdog73Qn+INWs*9b z^v(Y!e6d5tgq3MLPh5_4>QdpP1Dy(8eP&F^_~@m7$1#wiNYO1q#qcN8D`NDrY~Z3E z{NV!DFOtpkU2Us=Ubj>n^*!&162u)d^gJzb8lLv>#Wk0c8te~NF?9_Om|CC|8{QZDZ60Xe+Qo{eB0oBrM+~2be6^gdU;BbP5ve=f3Kh8Bh$%@ftjnq{^Pii zFq&R+6eh;gi@%qp`}qwtQ{{s|WaUUr)Y`xK+UJy**H|5)v=q)LKvzTGx|s1q$-e@{ zG=dr8W>{!ioCYjILO~VWXNh5TIeM60!?*>DMm)JmXPif81#k_2x;!E>TP>EWwEsFId0O|jApCObR6F@uHVxZn}_yWI5I z1omiQEhF+^wGN^0T1i3(nQBJK8QbS6eLP3)7kqM9yi(#TBvdbq*aj~pZ50Fk#noDH zYvlo$eyY;3&^o5Uk90ea+{{>a{w9d4d>Oq>hxz!_5!th7I=}%x;xq_oT%r`~x<{&; z&^$V29~iAz`VeFYJ^I=kswm+tB#TIJY_(MiVfWG3!w#|9awW>jkz<_%Ozn6#7%+*5P$ zOV=~MY%ih~W2AlV-42yfvhlg2g+Dpd)K|3qEuf3RNf0yYX-m?L%mNzr96l5k8M2Z} zK+-kKN$5m2TjuHWC2Pei)N~=v!w%&L^%?qEL<}S+!9=;Nq?@gNQhX z#l@UAdOq&+EWS1OqdP6AKT*z?R{rSke0b7CZ-L|s5AyuJ{@*T$6nEdN!<4%oGm=2K zVz`ogib@lOGQ?e2@!ZugDnZ~Ay48w9b)=q=X<#HzTBxZ7AXPKhc7<41G<5!P$*vpX z?m6{?zE8tt@B4qDPk18ZII^p13*8tzI~FSCLH|bO)e}DC1;%PpZ^K|whGMO6uouXi zv)YGcp!l#4;Zol9V`U)xm~AanTu5j`cTGBIC!_&*n@$%6j428Z%y$4YIV<1+=TD1n zvW2u+_<{)^n9N2d7@hlnbOYl~KgiI*lP@~CB>bevE&`>i%QrCWvn^pJ{N?d#m~D6v z++SuaHps=Ldm^nUaYtSvAMil+jpJ&LCuwbZK+e@cH3D_YOXd=6;fK zR9~spmK|Tn2%;cVmq0M@d<+AdV{)AVk<&mZ__;nDQuaL2DIlMj*<8_Qs)&ItxbcoC ze@vYBw|jdc@E~_lz9oBQEXcftTsE;00P-%^*^%Et%Jp<^HWI7rLJT9P z2W=`ot}=cY;t^Ts^@f(<{!-;G$~51zR6sy>^uTNV>f zt#2!3Oh5ELyBwkW_B&@2VjM*gEqx=s2cMoVv47C2slW?g>PxUnt|<$uF9Wuvyzh%6 zKOG|1u4JzVs6hmIHh)NdoSgox0tC^DMB$hysFS*!3Kfo-r}E$5=`xCyl+R5a=281U zu*D9bTI!yWPdwHsCVccp1m{Kl%Rn&+<)cF*XmU%&>1HWO#x#~!){wtzuuV)|!v`8% zH6j?CTJe_R89rRT6`nNpmxyLM-Mn4v_uM*%WwCG)On_yOrxho#)FNm>qUH$;&n+I+ zi%(@-iTFt|npo%Msx9E#e^h#De@av?5A*Dxf4ZWMi~n^Ns)-)w_sz*u;TB<`7sxnE z*@=yBoUi@10lK?oQ9bq+fZmRVrY4+LfME^&>_3N(^Cuw7wi?~_J?xDNlev!T)out0 zs;@tt+`=g!{@vLVF?I50008}<2KnBwO@Jjq`_g0k87SIzN zV1JXsbK?$PX?r7N^k3TBJr)vz4ax&$|I8{O6lTLkF(-M%>I7tz4{J`YaAjIDe*CHr zqdFNG?DeGX;ZNjjX!{S&-YG`2sBPCRblJ9T+qR7^+cvvw+qP}9%jmLgyXvh~-})E+ zgPon7o!rUHJevnI86#ud&vn@+qj0-rpkbFVZfqoY!$n0-8!?S01spO;_qwwpZWE^K z>ZV5XONeE7mmLEoRIT5xU+JPHY`Kh$=3zNChbv4p9|VM|Z{a_5dAf$_Iu%}~R`1^T zj(>YTmW}y`wT8T-K!`u4=Y-|#Ur=xK49tHVUlWZsrUmI*X~W<6jG^4~jmf|xK(=|u z+@uuKaOh^YBZ#^0b1@b}BMQ(dje*lA5cby!g?N8b*2#ZSj!S85gAW=aT#*s!Mv~j6 z=y(MwcaKg%(?FM?6%tps7)f){*#^kAz*;;(>5F#aG1o`q_bsjG$NLOS5PX@g1|Li3 z1+QqLX@|dvScN0H+m#LRao%{gX`h-5uBK`4gp5?m!qo3(FE6Pr8iW-|k@gPUN4FH= z8e|erfdh_Du^N*=ujlT8#}|bzwD=&4va~RPP;2t!=;unIVTWlkASpQ|OACt=D}AbA@NdenCO>+aKNO<6EcCDqnA zAlL(1P-I!m3%6^y_5$JOzrgV;xny1frKz(Rq1w-*A$I^G*@1tP$|u#aTd!NT<#~`f zw2NU3p+{i6Mp1c=)eo1^b}V-hsnn;=5~H*uwLGTV%}r}8Rs$@0UFT7N3(IOAsyS>% zx_`ard46D~Q?A>9REYt;uv+pSEL%B=#brseH_#8*Fh~oxAH`OTiK2hRw^z7k^Rbn5 zsgx5cf%8?*ki=I^x*U`Z(K2cyN^wCjGF_Qc^sT1WoR|=h8`IWReg00L>FixS#XSL5 zn9ouZtp8<-{q2j{6>fqX`!S{#mEY^lXzt&UJzh+%L?KyF^~b9YzRKG<*mvDvLFl!3 zU>NymEc)0yX6Hacj4M`Xcq{cW@)@)-s=Y64^mLiCJj?V;9LRl6(Db6!w6~ZA(=P-! z)qmunLpM~;UQD#_jOGP6u6b{qAbM8pnqd#h;2c&CN>&V=Q8;2-&!P#YTpX{~+=;vJ z&~3aHJi16ZmuxU+OF*pA^ifadS=64N%ROp7#Hc}q6tDEcmEAxN7PLcu_T~ht-v4>BV%pGs1hn@V&zwnA=N zw(9)9Sa%yVf+-2vllF-Te1IXy3Zxq5RskJ^t+CK1m4 z=qTrh(h6hciY8 zGr8^|8k6m^j;c~`xZuDA`-h@L4RSQN=z0stw=+*ggmm6de;v6Qv&7?CMl0}S`-e>6H=^`wwS16@b%UH8c#^2&PSy?eV<@;;u>jb zWt-phbSvuC9^YNv_l2F!%7H%1CDJYIKiv=Vmp;)(LOez+7tI*VyKq#5O6S7l$UXEZ zaY-P88D|K(Ry$|+BtSJP<10u|9iwK={>Y8=<9X6#nJxhOE~(?eH)=-EpEiPE zUOSzKu>G&Q0~sl1Ug)1lraa^XY85$*0(r)2#ilmkgz6y zq?Q^ayj4Y#oPy#hw-TQiaJC%#b}^)@%g;fjV#YYm9@(CZp}nAQ#NV5WS8P!|wd{{- zN(BVOTkNQ-{MZsVE1Xwa>G|uyyBQ+=UoGqZp{{t4s3MNVFAC^$ z*5)27Jiz~3-{!LEv%l=!vTWu082lJL9?)}ayX)0L#1$h5e~O9&oSc%=;Zjs`(s7QV z{>{5m8TVm#8QVLg#bq$5x^im;x8(yY(*dfKKKrEa)ILygc4C`5mw7*(&CWZGk{Ur>$B6|D5s|?&VQ3iE`IXmlP$Xp1eZ(GEx&^=XG#xcL|GG znRsojK_!q_w8RxnO3xlWut6K6)!~^w=?cmfVL|A)s&*<#&jyn_;?0J!4ucEj2!R=s zMqtoUGfw~e&xuoitW2|u&3?lkKb>6=!aj0NsT>ZZ%RB7V@xA#ejeAHgwLs>U(_fdS z2lHW6wXS-`&k-{VWXq2WG(t&E9tc1?KjvftMR0Y^szaxhpTdsMvr!|`^*fIVdLCHu z>zAq|JM=u^sUklE)@sWlI3t}%OGJW8KQ2zXh5g|vA=a52Jr{&N=#ZeGFz4ml0T`r( z))5H9zdsMMbaiVY)`UhG=G}HRe2&>Q%@J0kOd2psB5W1W=t@w;O3~yqQd+}i1oAnp zWwL10{8}Q{VUuCT-{j66+{SnWcm`+7E_3mM-^;T`rfpSa-?l%UDUS#mEsTx`6#)3p(XC|vU_6!#s8jzc8s>bWmaaCTkHks1kR zG{8^*w9gyIc?3&7w#ZTE(Sz^-Rt^jm*&G}{AmJK}N@|cv7~92XaNkfiwhiRj!Y*;E zGP(FU1Z4L)pj@+h^+bz_3K8#xj=8AfW~}fpMzUI1Bi%0TP5Lax{`8$h`43F!Pyho< znDNnFV67n10^FIeOq4dSZgFAFzieeUJJaBSbv0zCE~5)uKZ?WubtEd^|(2q*;G`}#*5sN;3$L1Cgph1ps{8S=zB zov3~;5HNOU(?hzn?sqFDxW`*7ypW-9Vg&sKPd7fDgjI1bYpcIq+cRPl9U(2ZtR+<5 zF^b0;5ziSyq2Apm*RgjU+i-CL=9-nQg6^?5YB%NY>Bq%1!m2XGWmTc<^3rikOE`jq z0H1D>P7&rTi=+en#fr;UD#jdxjm-@!KM+f!7Ye;K)pvHOSY+3d*;A9Q3YKVYSDYNt z6Z{~Ln*iV80ZZHpGoZefrmuGgd;7AUmZr9yV$bkAZmDrkqor0Hd-oS@MYeYnu?;&- zOxK)85zfbuBWYXSH$Cm1=qUBUN#=5C>S=P|)Z$8~Q6?b%vV+t^VM`HdZ!3m*awpuu zxG7Kc`3k1>FQK{xlMit8ME~QV2yczD=+HG;EO1BKv;_X(OE8c0FkJYUf0AyqWAJ-A>q3xYj03U0SzmdcxVlc8u4MT4DR8v0Jl>(m}i% zVLgD51jh~=hrflfJ_a_O$tcYJ=2eIuv!}H=gg?xxU-4S0*{1hbTusr-2bj;%_D@|~ zUHr>#BHhcfd3;o+sO35oo<6AN_;_ZJ30@fVltKz}5n$0@5I#yTF0JPyJ(Uk8+nPW) zdE04Y2iqz;VxZ<11wUun+*ul!#z%6?+)dAe1SHUHQ26y7){l z%h!yQ20Bde(}JCU7D~FeVRw6RYvaJ-xpMce5eelop3O{oqHC?Gy~?`LwH|*wmP6!# z8B?rxY<^&rh_$CkCS!N=)H}4LvZP3KsHYUO^ZggN+>B4%!>^$1eV2r#1jPY`Me&wM z41tsTH4pm-w@FBdz%=T&lMd|!zuQHi7Rshga$yv%_{3u?HVU25U-fw*uy2UlhwgEM zdK?IQ)3p#|F%jmv1&fv)HuvYiOPG44o zbT!aZlpk$=+$|MjzsT#T32M##ckFEda~>PClY<0w)*ze62JXrDNY7Hp>$Y}*w%aC% z!zh6jlDht*%ocf|JRWb$yk#h%oC%m0 z!17Cs#WRC^$&x~hdy>O#YckBdrFi~w+K*|;ET!x}YszxRB^xn@m9Z|NBbYg`w@~5; zO{gklEEb4tbO;y!Sa23(UfS0%lK-z+3R1+Z4AUzLG?@4vRb{lpLuS z(?f8Bj2KDZCREWyy650($38_gU8~P0*TbA8ND2(L!;}&g*9cq*Gb0 zuv@JHZ>Ok8?q_;XILPr>5Z(Y90Pcc#Y}llTf4 zvuC8dM2(z>h`)og{0B-*g%;NoW!X0bg&5iA!QY5or&DA`cbzPrhgF~i8%1$Gw5c@V z2(Xa9nUwd|!UWKyaRCj6(p;~`Tnh-k)%ss-4XgZ57*?|~UIC^!ww@3>$L>$IOOcvw z*XGb`;TF&eYed`<{eLlm+{Yhgw(n!06A(YkgIqQtjEjH>v7&fN zh!qq_K)Q9?pS!jzeuX?jyZH=s*5%4q4XcCCeDKAN@VR}d=46g7;?(czbr27MW=~v* zXSpThG5NG7=9`zwBFr$L8;Q_Gk}b?ws+S-2vm?Mi!$+s)k#pt8L;!P6m#uq| zNf$Y9jc(ey;FE^Y;6%-V#;mY17F-eFIP4dvvIS+qd;LRnBteOhsvFZbf|y264h^EF ziz{?fY}=a^JRfE;C9YlCmIT9mtaLd@oG9dLOpEox9nuj85js(O z6_3W#`#8Yqw}r> zz+KwzqOq99W5=c0wum~J6+@Xeo16bL>)A}BXxa439w;m8hb-u=BiCpwIJ@pN!Vf!7 zy(=JGnTq9xiyx>T@e*eAPiRiXf)HmAa6 zn03;S^EYgbOIteScmudb?6Unn2$1$!-sl%fN4z}nWz#C9(>3c-rA+NlE_5j4a<2yLGG#h%bdM6S{BNV@Bwn=XXfi6P z$*`lG~p{^#pLQ zQi?+pSc+fmEchVSN2*qr^U+~_mjX`d$rjL3A)&0U{zWeRolE5!lO z&Rv*Ae}q0y?xHvBRAgEFm2EbiwFQe{hoW{3spP@m{F_jmQ!BU2&LSr5aA!%1l6RQQn|&h;;Pqf7E{@VHt1 z6f_8#)#4l1)_?82*8b=z1)MppLL-f$z_sS4fKGr@yAowsjHGk>dexBxCM`?*1&bV3 zo*5I}!;e*pqa?L8I{gezxxct&DIIIJxbP*p@0yjl}V1>(n^h{w*6i16pEW z+ZLn26~cB#v#Q-}^=RqK9Z?ZcXCP2XG9*Sz# zZd}SW|9FV{H_0I#t>m)EhwJ*KQ>g56yEVcA&(qfQ3?=EZ2jJ}Oe8X37B=-^0O(G|m z)RRZwdvl^jc#2;qfq(}=tL~iWTCIX^(l-arkI0(%SAxTCk``ti4O2IGVLR&AoGJ4b znhjORwx;x$bkA<+c2J^$P-^PWm}A=GdJMb2;jx4F$AV~PRi()ejjm#*$DoyHi)u}Z zdSub^IgBkz?@-M#k|GxrQ10ICH}+?3Khie{7(A$D|nMYg$#9L-px$}7dxKM$HdWdoE=*T=bI+PLBPVI zXt`_&mklY>VfRv!4-HS-Smp3Tkdz<8Xk_zZ_T9vJ*f1wjj?dDiY+DO;&hoYGLPLu> z;<@F+W#ytAEi2=}AhBy7=6Io%=eKj9>fhNq3;D zmDvb4mu;_L?yWuHUkvqxARMn1oX?RolpJ}vI+f0p%LB0{7N^bwIHK6^n5fp^`%^>| zq#gHAtC5dx--3!3&)O==@2pBw`hN2EeqJxY9Uu+kI)v$f3tmw{c9oV-?UT zO+4veAQaK;{;pJNLRSWzuOEk7?DltZXb`{fXdVCF{dXvksI!Sh2wUsJ2O4b0r_E%s zoBPWseQIu~ffunZ&^U3c%#4DW)dhUHNOSRMDvvf<-fvdk`g~$6$;Yz6N14uCwa#eT zA2wYaBsviarS?l_Jz9UaNKjaIE@O4G>4uA)kg2^XRrgg;V|xDngSqwW@MRU-N7z3P zUdFZ4#1)fL%96-ID357OP|OpfALa7u!0JidZ!BE<0wj+{#)FjP$Z^BHi&d6rTYwM` z0wz0+o5-cnMcz;AQY?X4{{Vo9&IOD6!u_$HAE(^$M*_ErypCwrI-`t<3}G-sT}+(K zM@4HEecK)dV`S(Ltk5~b2j>zcso$gMXfH@n-CV>=7M9J31RLqYW2Rnmsez(sZ~_&M zM};Eb(}I!e!B)Zf{875;7dl;Q8$-k@FV05zNM9<0`La-*>=P^dS;p6M*8bjrl1g$- zI7dv5I?FjG+Zqx!{iUq9rVXp*8PEl{reKmN7(hisE~>On5P91Z266(nzcBZ>qCg7Y zioWejq2aq6e#4&hTg>uCc@RKCI(yW&GYlx=+bh&u+K2R9;PrmKoDan>!*=tTD>tq} zi5}Z0C})ap%K>#~1lTiOwj078d<5;8bQ@}U>(=&qpk)Mjn5U?~CkIJ^>dQ}YM=pid zo2s=eI9Z~_W;{kiOcS&naFIL{k&%MVbCIw0@&9sGr9E-D9PfH2nSXEXBP2e8E)-7t zD*wZE@0Dv*R6=8~>1R<7wYGCpAO%HPi4P>AvFLpG#dg~#a65Ly5Qkm%;cx0var3QL z4FagE?RO+nKYsn*Vg0TiQw6k5e=D0>@_&B=-o}OlIq2Vl>O8;ux;wRFw!T%CvH>6D zfV`3qb0rsC;y@7Rpx)fI)wc|M8a({VmLsrt@zD-9iJ}Q0WrSEagti@yjq=|1z`r32 zyMkkh-dX+O`0VgmIvWu2r+KEU*=*X?;t+q$9o|7r8SlG(BecwmYMVkPhl?Q-%1;0J zyW|+FJugSz|mV_^(N6B-Xmm-lo=^I>pPirT1`|NbviFHm0T~=t;Ka z4^FY_QTx{M-iP=_*psZSX-P4l>a;oU8QyPBjQVJuxy+_#W7D31)vW=Exj|hq5RGT? zV{{hMdm@t9G#ro8a^%YXrnkkrz2&91p(je~)Y6umnX)W&kZt{=qO`{x@mx=D%A5)N=``Ta#*pSm@Je@$=Ymv$B1 zx3*4gzyHr`P5;Z}eI4-+>m0qYPoT~ZRSdYVjo=}QEn!yV^_jt+ijJA}&v#m%N!lTY z%zC~>D>*>?$X*~d?LiT~CqAEVf7h%&9%EC=pK_D_@x7ZPa0?m~ynmV*P=5dTIe^x} zlORIK3FXPWN5=1`?2LrG zo7>YM(nwl*RzmR7WifP0Ga#uzIUYA36i zLPRB0bOISFA?A2{+_}r$;uu}cmBo6Ysv7(v5A@JTBiZn8G7ldIERr49dcDAD_iv9>9z#*}A*DH@Q^*wpJ%%9yRIWSnauljUrhB=)}4AFgmT3 zyETL(_;w2^<*7DgBYjE8y%f7T;W%so<_jp_8yv%?8P5g}QM(?QZJxl~N*X%WHU&O; z%MWH&0<79xP0y^GpDGl0F7ZB>I9H_uKcp1@D1{O?pK+8POUT97adKc9l{k99sbmw;`1E^5RM91y zDpRQ^#afyK*&)9!0KFm4YG=cfUp(vnXX9}a4l#(F)3Mg(Uk8^;p%65 z=)D(n7eV~a*FF$p0{UT*lTH<$&Kh&DI&Xn0;W0bh4(f?F(Z9s@kgzDR6F`lAww&XH zQUR{@#F52r_}tmhYujJQDFrL6`ckJk9F;fIKF&WLHNxUQM+f405Hqs{&s;fIOgc z*_;7pSkn)097cjAPUbp18G`-+G z*uXDJe(xnXP_rgJG_%(~dnfna2oBz3)snCd;R6|ypu`=YrfULJ@QCOW><7PA-&MW# zn+Ru%sd_cDP*D3ZtRKn*{YZW9P$dUWgc4mw|6vrc;mWsbHo|is*9%^pBX}z9R>VOI6 zzO`$rYlpAD)vaY1j$izD9svmB6d&8O-KksSyzhF5Q0CIUJw1QP&WylfpuHP450!6| z7=9IKitx+f!!!x^oyc?*4e`0MfMe<3T;cVC!S?MSiwUKQ(~A$7VD2CMfyzo1$EyP7 zKE+W8-Qk(dvmLy57h4!1#-J67#hbmFJaO|)qqTbD`-*W-v9OHTZgUNS!sSs6PFmU+ zh^KQQyx!tlUo)Jmlrks1p-V8A_j;(N(>%IZlJzTR$|p=aq!2wIl^uKZ=Nl4(W~Hxj zmk9eI(O%iHxnuY3&b7Y+4c~Y#By{7eC%);+kGlA)7VargValme$>({Qa>l=(x-0X- zk-6{(6Qusy0M!X38s(59vO3awy3-CYIv^y(>q*zS-KzCO3&6T zbYfUL5sx!5EnR5!pzqe++$chd&fch^r* z@&(YNmcefT1~}J4S(tfDMs3{GA>te`Lk#|;DZT27RB$dF{65N4(a#;3ml*Bk%}tC( zOE>>zfdD`1#7wTkGI@rwq}UAx6zx{7IlpWXxcgUz0;p9kGIRxCv1y7Y$67#nqMs;W zf?K74U1L#$k(Ph^;d{#Y*y~QA`^2A7$LG-3ZlM#Gd1?&&C@~2M7VqZpJv~sPY_RF-8>b7 zJ}zt#I1M^>Ttthc7?B)MCS;a=K|n9Q{qraDq0h==6gWUJK+{kXbWQU8TJN@@p{qp+ zaMI%M+aHPD9%|1e-KxVz^?ivmgOYeXSMq`E*%4KvRpS@MzezIZT40y}%;XD*FNENx zDJ4?#P_%q&#!i7nQGL&rA;y(7x0%6q&bk+BV0H~?kmVNY4 zD>&k+RvT~7a44kTX#eQIeBYk>YEB||Xr-l(4nkGD#aOIlo1gjQ`EH{z1m_4`?Mq0d zU%F}1s?mrWoffa=x*(e(qReXNprLF@nTJf(i_5P* zCdA+mV(k_fmndr)ym4YFNZpskM&1DWZsi{HWhjm?cNz-fnMI8?MTzT8`5HkYM-gg+ zAhTeqOT5bz+qywkP{py(IpBD>DMu?@=a-q)P~T5GRtb{)=2k(%UGS@2tkf$|DHO`Z z27ZCzxqDROR2~jwECdU?^;*tS8x91BiE&;@TR=BvVZV3KVl#4vubozHj|69uPq&eM{$_lOxaX-Hl z#)A!ag}p5q+h>i--_U#RfDc491fnmV~>k#XODly3O@{(9{}L@ zQo6Cv^`Cx>BFLp56DXbFNcO}yECm+X4>^8ZwGy;4fG4rnWV#X_%2#WQ3$~y9Ul&W# zam{ON{B^|2Dd>!$+K-7PUSwMnsda#@CD^AYb+$lrOL~)+dv%>Z9hl}Z(U$w=?uEn^ z*?T25&D#c94_ozjS+z|#=Lb)A1ID&yDVo6kX4S>q&4WYfdEH1iZ>>3ST@#RhfZ2$6 zkwNgzilC$`3zQ5yR;^Zs=k$+$1;v627rkwT>}i?}C$zgdxd`}#Ka740@oyah2mpR7 zP@;w`)#U%9eWjo5xQ0JFAix1|m&-jz% z7J;c0BLl&Ucv|t!C{VlZ)6g3zYZ(^X;E!QeaR_6oQ6SD&m$rRRRC1}1&8VGZOLO{k z>R&|`v=7P)(I7g$R+O9=Hw-PUmMKRZ!A>hoTCGPBFr32|O=~oij#BEm|KnVt9lX6j ze(uM>XnVNRJ83n%$ym<^R!5?|{W7vjpj`d&tn_3Uye#xzj|@B~dU~-8JTLS=+tiO7 z*g04EXXe2lz7m9~Bu!Ulas#i~n0SkLFX@R1F8CNA<2QccCRPcj?z0&({&sf>n;g3^ zB2u1yH;}WtwWOrU;}ERnwf8_GoJ|dIeuCs2s)FI%`@ICO7q-cq&0s&yF^!WhvR zF=bAxKP#Z($(b%IffAyQ|7LkI1n%A$Z|DqzFzC8k-uJD4k;Cl@P=8PV9ggifn1_C1KBd9rr+7oX+}x;bIHCewR}G@ zxuHEUl1b;C{L+_-4xDLKj{Vf@4P%;0gUSUt*AWw38X5@MC;=z-_S)a$V?W>F(&GtfuvQGwDJfPO3uX0Zqn(a4#TsS@VP$Z8Y$VcWS@(I zRHe09XX;c)D;-5~be|^z+wX5m7ywNHgPFxZ@U6`cmRRJVOm|4ixGEs<6_3%eGTpY( zB`CE|4;9B!GDW2a_TS_n{oetlYB0d&HKNhBxdNi7ZE5X#U z8juNI6?D=gXbwQFFr&7>D;ThNN7FLph-LZ0x2ir<^Tn$wh2Y4X)dDxQ(*TrI1#r{A zP>CD!v_-6n&I!S%oXiDrtmsYnKAiQK>*2;^kvj&LIN^xiF47lj5D~gmS4TQQ{m&sVK@8?rXtArsom+ zy&Dc0)-Ze~zw6JK853*)?P1!KGY;D=ypV?mV3M4eq7n%Z=7RBIN)d&x?Uc=a`9f#8 zV1=&gZzEqlpomq)!9lFytkGfxb8<0exp+q&)4*pzbS0Cqg-AD>c)|2Nqy5J)F$2%d zQ%DIfyt!REDMl1-`E?ICb;xR(U>wHp*$G1`l7zS8oSt^~w#BA^pGg0WS9Fhio-PvZ z={;BMSP10vy%~HYiiEoEuw9O8&pEcSRWy{7noD|tvS6Y<^HzIDGB@)dON6BT5MUb! z;N*N_QAPD(-OG+UG-vyxc2N1e3H`EFhMVm|iemO;9qU4hY51wixMNpK4u&>0g+%b^ zU@rXqkzLq*v|QqZQG$cJE)GvJNU#0WS5l)#2}dd*0m@Zk;I6oh6m&F!y-cqDamFt% zyVh;fp1T;mHYL)Lu@+jw?>c1FX+q&V%{rbI>z?76sqH}U*bsfqt{o!f2lM}PwD@U!(=WXTN#l#7jV3h)$>YnRj!(k*`v9-&twA&8VeB|| z0*HW_zmTGeMYP47io#~~7#M%nL%b?FK{CVM{DzHjEhd>MD z@WSF5yb=&RZrnbZtk!%Zg^aTwtp$uz7-f{QHG`Pee;v7|V*_yox?9|8-x^ick0GT* z#qX&;F{0K5GtRQE@~9$&5uIPJfySHIRaB4vN;7>$52xdH_WgSab)H)d0UC9NG@{kf zN44JoIBAEzT2r0ZEpLjF%&FrPGLeT_1%1U-=-_sQ?B!f-73I}rALFRJ>HV;G@mw!{ zC!N7V_jBOCKE?pQvf~dhE_8eJqjI9PD&qRCvY#ci!;NVhd)aoF7o?sU{`s1&n4&3X z_4S4~)WI)bxZ+HrfgTzbjFsCLvh=8urjCzk29mnxabyBH(J8Z@m_+#N7 z)F9nf$T@4DWKb=$I2L-iE>4a92S<6;aAaZZXTo?>`Jc?$-8kII6dZ%nB>j&bVl#eL znKDxt$EU&IH|4EZ(8j}-;@Ewe^ua0*W%u?ho;#hPSwHa*BW#K5#Nx@vGvA2=PUeMd247ziN zu*T2j{ZyK4!cfs5Gdp7jXv!jN%oCL5X>Jq_MG%hsp|JgskKv?eei2o>;qM^F=J$1n z$B-THFv?NgJKOX+IKTSh$|VAv`7l{-IWZefUyT|jcp=#Hoz^hakpVc0fLJkZw1`!Q zP&<8c2S}sN6Y5Z5#G*2pY1MaAyc0>8K;!}tY~-nV6N8uO_e}@kCSTze|5d5(-=x@} zT&$tW=@S-TD%F5>heO|bz2DCq#niArx3wPGDKdj``_q&&&37dUt)%pt(hK*YsHdbM z(TjB^21m>DB0BR|Jn|K;kKpnbW>we4k!j~flXOXmdE(dY_cKj!sM;dw!(TfxPqF68 zpQ$o*$;MEdEESAEj>U`*(MQds|6;Zz3d&R2DikTfn&Z_ICScn1X$RZmcvr2_F$W?^ zwJ|PmP1CCHidf&JY9x4AlNWZ(p+<_##g+Cl7F0aM3+J;fD{-0a$`d7z#2P%9(!;UV zt2@}x*QwTAK(Lp;N#kRom&&9Oi_(1W3lU!ak_Ka?sJ!%Kl#NKDv*_gUs#qDomA?jz z5+W}rW0Y7JHw2;l%N)0}n2zaUspGrX)E~yV7n8QTDq#1wgWDwQrE@WZcl2EsYwX3c zE9yQhN9)0J%k{l?r~)Ums#e%q$;wDm#$F)&mqQ6sJ*#)x^y_R9=OtWi zUvl`P`JK$@yE<~YB!mm^a8EJMiQ&nHqziGmaDcO0Nq4p+RZvW=q9;>IH)!t)H>D)U zz;eLs6`!++jXtkJf{1gAR$=_Wkm)LvE=@}%T+uwwmB?IAN15wipiinBot$Egi12o# z3QyO?ee`K=_rGCbad&cBVj|^coj{U z1BM^O*TTN<89y?QZrAdg;SuFNb)E_~XqWYCU%dk}W%!@&2jAy@wl{1&u8SLL{eJ!- z>+5ST_O51e_k-jT??}DMN>5+V+%q%iLK;`V zMO3|eZ0#4}IzBJ|h-4-*X%_tN*R^UyHgKA{i}WzaTCl$o^x_a{Rlu$3BAY+lI~h1w z6SiIEKO(w&S@Rko-U|7Q&=_^^(-Ln>&S|`J0&1)E7T=H%m^1 z2QlZOo)F?xbD2mA(E=CP4`~#OeAi?y+R)_?AZ7Lad!we$s5uS1P$8W)x;>;&5imvdS&7)UI zzvfcK!XFs-I=fwtVI0z%DQNh$ycAeV9rQ{E>n(C629&DCn&szXR^MA&s8=bJoeXcm z!)sxSbW#*~ba2e4&gVS~x2Sf;&LC+=;ZmjHOI<@vB(69v+Lx>x$n8UMUN19r+dG)4 zwO#j;-_ZVx)(=)=N%mB2Lge(o{YFT;u7THV79bl^K|vpfiIr8FUW+f{37PgtRgEFG zjud^=c_gXD)!2Su@?z>W9M-(mfnfbls$|!!dLaI&2yK@p>OaJO6WzFT*;ip{RDD%y zMLHX|`HoA7-%M{Cr^o7_@agt)E4F(sUEZ0$5=2T>OY(O-z;%jHY;mzucnI)Gfi>Y` z4NX5TzpQ*0uNEGj!_g<&IA^Ck-E-GDGr(*);paDXyvV55NLsX5Gesunf_sY@Lx|6X zM|g05uh@epSZO4;mdL7~z!5)vnk6)t^=VRcVW&V+(JmjVs+iio(nl#MTI4_zyCenZ zyHQWN$x-_mR`N%k4`xq>FUe`fLFZ1Ll?hePh|)o4;%a>SwIe1P=^Qbb)8X$FZ@^z* zYKmWvO$UG@zf@RZdiKyJ+7pWnqpxV$@XM^$Hz<$TiJ8C`|FlvV>Z}@ z@}Zn9cMuRMof6gURM1oo`y8-GkMPlCw)Dm?@tRA^Roa%8&;XJBTVpNz?nwtp0_IcZN4?{Ist)GZ?@6cx3U(fgGKB30`_I5v zlrg!MDKtbj;#ZpCy%Wt<9i&ayvbgOMYP}ayL_Ksrbwh9HmUGqbtp`a%K&x|@`Y~fB zN3_YZgr*blikOj9*|fWK=?|T3(M>$qwt_-k_mL;F_MZ*(&H*Q@x>fY!>TddYgQBrP zp6)YOD)SAQX#evW6>%7X$*O-_+XqaJ=l!NJvmgp+H=5Zs7wHaLkeFCJMAT*OA-@s4 zvKX~uV)nolSsSJ;RZE=(PDPJsBiFT@HiV>bUHN`FJ( zWHL0G6lFvi^l5GCE+NpL0Yc8s-Z$l@<*H$qq8>m})E!~}jc`xn-)ABQERWqRcCwY& zVp9FNj`wCVfq7+rSuoUuLjX5PB_nC_CQQ4Vu+jB4Z(6cbM$< zk||KMt?p~LU~czq9{NSl_Ko({r%~Cmoc^URnX~czM*iI!3mEdz|1!Vv=ajDP%O<&1 zxc%A4;@V`5YXH=g!Rv zF-UIykqOt8L05&&;(ze6xa7G6dJ=#y;EjLQgE)0C-LP3oP#QRehqQhi51zkv;Din( zX&$Ck3~La*+T*a8UfGEG4RK)v)&~nNvjw}+*t#!~quf@F0`dEMv;N9zVx=s{a+db2 zj!uw0Gy07g+c$sx^bftC3J&NeBO>!QHyGkOmKW}?=NMZL)Gd{hjKog9S|WvsX%Ti} z*MDI$`M((H&57kmNDvikTDggxNxjKW-26KI*#Y0g_=5QT-z`TNGLGK_RWeo1pWn7$ z{=5(-(d_LLUalP>&zbIi+p;Xia#}oT8r??cMwXsp-CktWYCls3MQ+SmlKH}a&=M~} zfVD9dtp%kype7xhpsYOry7i@~_}m~nQw3Vm%o{f$!6kbi0V5Av#A<377COBcy5X1O z7ZApEzWCxSU_(@%+J~MZfoJhb*AMlp2;@NxInhAK6*@NkdMULLWDT_H#88^G#Fa)V zfia^abl$~!akrb5N&so4>esJ2LUDYThY$lWTilEWD>xhDgHC_LW){y`qYt4cCi9~c<4rdgtAty6SJJOOwtmHDXOj$vgSWop zxx1xT(_zA^+2$!rF}e>t^%;VFHGJ-zXaeQ=0vKx4^+_-N8CH%zcQ$|69)K5ue?O1U z|K|`aeYT}S&cX%!m9f5opzd!&LLr))Bkz*5Le`i%lRH3R*D=%kTJ&=;mqdt>E}+_`nRFu`AXBbRu$Rh zclDCG`ti+oU&R-Jk}7%tWZ76X(3RIgmVwI=0=;s~cel^@YaAG8%|920?y-zlqNR_P zsn6ldcONnl{yV!UisL+-n>UbAZ?nt;tZ^iPBBVS^Qi!%uiu7GiCphO1o^O(8cR>2d zHwN?Pm*mGzN{aU7r@nTD`tiwk+v^Iq@bm>bUzT{*O=9H@v>3?X+OW4zuLj`9b8kNX z6}R#ImqA@a!}z%`_2(-;{O!K2|6g+<_1t%C_MZR_rv0X`ynU@d^dRJRk+nAj5?eyr zuWELZtbRqn6yJC@jxJBPEtVE~CXwDcJ<5 zV8|ZE&ZB4`$zbxS<*WdP>4`i@CC`45(JU4cvVwEQ;4)iP z+Et1Dw^-fy6ch?ysgf7|lF;!!q@J{lo_c`MQJl+%@}Z)58cK!R(o+9H z>J@sv8})QVjK;7qxKf?3%rPvUKQE$sf=IGYvXnib0f!Lj;fP|O^m8LO340yM zAn>*umF)MD1as-F!zZ6;v*`8V9?ARnK;SPI1#&3EW+&?MKPY>r;9kPFO*b}IY}>YN z+qP}nS+R{3+bgzhn=5wmoBY4o-_-0~Q@d)au0H8L=!5Qq?)SZ)`?`N1$T=ax3BN;{ z=gPj1iAV5aK9|APe8Kf^ULRpF2~P5GoyGfD{qE)EYE)GFpT=7=WFq)$s0bd~{}^u- z{>tB*rD&qc{|U<(4{z&DiMda~fOR*XO^qrYZVXTUX&uF?iai#4=!|9A(mhaCF&6Mn z;`n1;&2{XqjrdHs&Z`-Mxs63;#dHZ&%A69+Fu+_YD_WiUe-z&~q0{MmRkY)hE=ELJ z${~t2W3@m^5Z7e0U6fzA6g5$8%T+?IiZy3xx{zUF&N@#dR(zSmCt_zcF0-Z%n{p88 zLL=6|cBP8PgM5G*2>tmxJ)Ji5e~EwV`obtpoy}qH$$+W-;KQ!n;Db!oO^(jh51+fO zYj35r>eOiNc1m0rF#6z+=RSpkH9ocQ?9i$S&$$qXY)%-mXTw&IyIJp`E9(Ci>8LM| zP8_F?9($;0z(A-lW$Ed)%Jm&o{SP-fTp=-hQM|67$rW83YYWbNgxOO9(|Z!3PBHi{ zRRe{)V|6P|jzcu{U>N8{9AbTVF|_hJK>8y`K~ROqIMV%3lhvNjYkvn`OehNE?;K}& zpmIc-Iq6OT9j(^OwRA(JFogwUb{a|6cj`wvWVi)rMHxJ6X)O=LTqUy{=kXig!Ps@L#e6b+g zt$Pz8P;@K<10rN5dADam4o{kHG4H%k%n3{anCF&LFr@B-8I{EsEb&b}Y8X@)FVX55 z?stebT>-})z}I#TLI$tF`LuT{Vyfw5L^|E5=bQ`jih5QlqEFx|n?aOEY21Mf7t?y2 z2xziUdRHVZ!WYHNA z&}C5;cV7EHWKH`lSBe9>$PrrL#}vuE2c?z@~0@Rt0w02?Dkd)Ia!EdYo^Zn z;8!yeBrc|12y$Q`* zDhcBr8Zw0c&CN&jUv573W$7wil%@Z#norrCU-blH`}Ds7Xux+0Y)YQ4{UtTBx@-H? zo+s9>#`|?06l{Ik?EXENX`&+U9YTGYwWKTy+K6t~I{#<-G9}1kF%2A;^b(C<6`7bv zZQbOueuDHe$-xy}QTYifd?6hCH#%rOasw+~fOB$`MiiiZ{cCSyQSlO0>Yu64&YrRF zxWmbn=b8XM6PsHSZVVM}W1&O&<5Y67z>*Zr<6Q{o0!YT`=2WY+Syso&eV&EuUv zdbI{w(-vLi(kQPxIx|+T<3!?E)=BoyD*Lcl$au;{Wj}FzZ{}dQY1gSg&dGmK_G%Z| zu34YC&TwkgFZg8|0ZTjquKkTsO^sQAxhi3WMA$GIY@RHU@N~}5PBCa~ z2n_uu_2nmI`Sxr>q~a%-!nuUZ5g_Fg5Zw|&s;;|+9e92>6u6Oh`eai zLwv@$DLIU&)F-Gmriv#p_wtMEd6QqKS9wvG8Xq+A2)_mcAr$?Y*W(O{YE>_K^4&YjhWKdTx+YAV+Zw0&>qg@NEq-g+1)lZ%Y0CLX)%bx*QJbj33fSMIT zdV4^x_RkO6CpzFDZ&#)rZtR}lXjo{Jh3O0mMBrAf19YqUI{wI#0JAPcL@sU|O*Md4 z_LNEA(bA54*0{Aw7EOT`;|UwrZgVlapzB^xD+Wj<sg;Y94{FGbJ-| zJd%~sVb&@+O1NUdWqP+^RFveka@1E9=FEDZg!DZO11BUIqy zr-E+H@VkZ!BMx4E`^trV{0(d8hm|kWveEiiL;*iFJzhiG$h?K*L{^WELz(S?HWx_ zWZ&1)Sl5BJU1G2<1$iE-(79@ob3yq>(;>tvunqKUT4X)JC*g);L2%jnzFMVm+Cn8T z_Zwk&HeSPb-HM2F5PJ!XZisJ)2B5LvtR2j@)deXYgtJl7PZxzpUNhPm9U6&XLqA|D z)W-#t{7e~)h^R9WvooSr)Y(A{vilXbsSa_D&`x5ipQ|2Xve21mhAqaLOx4F4ZB9qx zjAj^N4Wi1h#V0X_1)(#PX$^Xgp^7hQi)XRLMpDIAputhvG90F;5d3_!I99NEE+)uPfXu!}^%KX*yO;cG>L1Fh3*he_rLC6` z@CxwUp7n+UWI$)W%YOH+VNQSU5?p=tk_~-(KO3Y~RaHTMFg&~fc25jeVR-~w=2Z6K zWIaZlC=O)=filxLI&X(~`fxlz?_Q94rPCi<=A9t>`$i>H`ZoO2op813&Z;e0u^zi^ z>L}uEWF~3K6OrJU@|gENdX*$_ajzFpZl4aN-JX`5y8BxQ-R6o1d!FEWqQ-7Tyb%*o z-hYEkp#XK_ylvM;sAf_69LjfG=63zYr&FH#_ICJ}$hx9aMCmVV|7MKZCyc&t#(3@) zW`C%K6iYGqFZXnoJ&6gUki&KT40vHCQn-VVaNL5YdTNl?S7;7L;VbUnNzZrYs#y46 z99f_yVPtt>x}f-&D;}@Ff%Mld2_7CeZ8m5>F*%6H*z7j@fVGFA;49U?^3x^G{ei){ z_qb+{v^&uQB}S|!^?Cco;Mfx@KMBp6o_zPVES@+6M^D|p2b11^Nw@>0qg|rT2ZhM` z@*{J(IJTH@Nz(n6v87m8UPR5m%7f|9cE?G;q|bbz1Zbh>MODCP7^f6vI7F+!)%|#T z6yYq@8tW8`;zhB${|5W5Z3=AdY}!?VGeMW44&!abF*wO9#)ix7@KZ$SaNHQmB6K+3 z8p_3+vg7iMkr{MTIc64R_rHZ2DA}5}qcu*rVGj)U_`TXEJ+SDn+)wB9rE+&^u~sXR zmwIU&$D7{Lz zn7tdJgoO0nbD!4@>z?9*TrmcryY$h^r!|0LcOx1YM>>b9yX3X`TJUbt4~J$j@G1^k zrHQcom?zjx-6pav^=G8c_qp)|i7AntoABf4Cf1^BVU7VBqLQ)7wP5~M-%}9-6>hDR zglEmnpB`g_mMCQjP#h46iz;1zW6HfW@uq*45E}g*e@@Cj z&KnvbJ;P$lgPpJsuDyk<)#6d3J;Y}y-i<4SCw^}kk?uCf=nAYx8%-Lrp?b1c;gdr0_CzFSDc4xV4yb2fQXfH2tSyVo$kND=+z8gtyN#7>0O zP&yLU{YfDY6R0I7d#MM(_t9$Y$@?Z(lsMXQ<+V2Um!>E?J>&E58L}TmvN4pOZL7e{ zygrDa=fR^lK3lPBG>McoaAtu~YI7A3GyTjhNNp= z6Sj!B%VktUnW?-7U~~?k#Q$kC2S{DUaC#4L^RluB-0cbjVA;0Ak=MF$f%UFHu|I$# zmuNITdqS9S^a;FziE%UaD=(RF3M#$~IYn8iq#kfcIg%*uNOX3etf&GiZn zO2bVid0Q>Hq?ToK)-4jYB*60ec0 z;$c*_(RO+?!LB8RcPos7RPrqb=Grv`1iZHbSib>c@XvsIYdg2UfYVPv4j}&l;PM?X z1DJgSZ~+8P|8w$3t9S~i(I7R5_^zW}PCNV*K+RYL0MNe)%07M^fqvu!1?PUE+{g`q zt7esfg@%#6Ej5t)jVdw;L|UHz3b*YDUx)P&2SB}8G3YG`O;kK12SxraM~jd)RV zm~!?zED>tIloIQEvz%jU6qaeQ2N?f|9-~G#3ZS`NCw!H}|JbF2S$H-b?_k9Py0B@Us{x86R z7+o#k$@u3OT>}{7EJPWYTOl=0!SB6A&TohMQNDDM;v9o4UyMVeB1OqbfQFamgu?{( zBQgXf@ZTzG0N0nn*7d#6dQJQoTov5+U9I z&K&*V-|K$XqflOYmnVDy0Wkry0A2nE$m82zX(q<4m&TB0Npbu2K~CDTx`JE{=upKk zL?noycTSuR*L1m0j-P4`%f7g8{~!EPE^E28=FIa^^fgcCsIj$j z-gp_*?2mvg zz~v7VuK~F{f&WLoin#;Tcn`LKuYL#!16`9CA2)vuC8H=8!Kkm={IbY)KI ztqo@Rr_dVzo!)y!vsUqlkTZl`#?l%yQrzc{-L21Lg$GD8SoG04HP7{Bn zw8{37#z8s3J@HHDo4XH2q)g{K&rAw)`Kuuj3I9dAZELvGiUb7Sw|SK{5fDkkZCfwA zsra&ujr>FSBR~)74Q|*59QG(nariFPtVG{>QUV&N9^`-J_IL~v6^Z19!uBd(Gm51e z%0=Nx8TA5o^s>JwX!GGFK-A;dfIBj=N@FOOJ*=g1hMAptKJCZ28XdD!)mJ+_US1M| zegUS$N7i>*4&nh*;Wa2pBxoIFqfvxX4AV#IWD;DFi{$gp;#sPQV&wTzj_D&rQEI8E z5*DS??&D7X72W%TrSpkfxO|T_I+k_KN)|jbyKVGCfSAYH{APUx2@(xmvf*yw^tRdT z|0Mw6ZL>C-z8%QREwWdFAu>(Ec;(ml&j*C^PBNrRgq>9cE6%=&>H?@dL+Ch@zhL4 z`Hn+*s-X7)~xn@?J2@{{#HpiKGUevR223zVC zwP`V6Y(jE`3o!#a(09_&|H-^0t?h5r%plT8C{@4ZEG(?)4FbZ#ehUeq9`SuNL8_vx z+-4aBXuK_aVEsXNU2R$~Wm}Lapxst+4c42ssR@zgP(jjzE|3{kvr;!1Gq)+}Pt=>a zjP4TuD8!lfQ;ZKTeHZcgb3gd+2w#tVA2++81y%Cl=aSEvcr*Sh>yXuaE+G`L%1AgZ zMm-yOT@7K9VnXC99sdM!+ZAsks6&2Fi_XnD-RPk-gP~r^lJ%p6H=l65EY^zc=nfS( zVo9-~Bx}!kQ98d@O$DO~VxzOjNLC7#BQs(j6Ax<)Yc+@z=+rysb5$Sde{u^eX`es2 zg)!Ct&Mjy%lNfhzmfK1`J16|+fL*2%+q1%^f2&~8s9e=t{cDOL(<8`58c!BKBL-b0 zJU`Nl@ZO8+`IT@}ac-jGmxQ8bvD#R`f3LL(O?7 zU5>qn!f!(7u@rCYN1Rzh8`q+^OE{yP2uLX)^$-)yb$*{-?OoTd$8NqNv3sc{7MGpe za&~$1paacmN9q5LClvSi(5xef@q*(~L&e`G*NB2i?$Ts!DL+*`s3&V@G(qV%HPK=V z#u8 zV)M}(+EU~}E?;(wu`0C4a@{rSNiu~XZNXy_!!gBFelolFt|ZHEnW9FG8=g zi%f9^FBs}<3;(GyTLjXXg*Ojua{<=k7(V4v?(+4Wud;To0j69>JZHNqpz)*2I3VIr z$}0dxRzp(MUL9;BCwjpByupUAO6cAt=jV3mYpb_Mtf_vf_#7h%E>4L;FhG?N?L-$L zto-%zpQ-(Y{)g&rsuL#9naf}aXpatHj;oKv4H=BvU0hW!QvQ9$F58 zHz?a(vELdAgv=#UIQHGuvu)5GJJm0?jC=c?*`buwG~Z2uCiKkOc$}P_kZFTfDJUh4 z_)@Z!-i)|xUeZ&}P8da3?t#>%pVL<#t*NuP6Wb7nRj7Hj-~q4%)UXJ z(>qh5VtU9v@K+PZ(0^wbB0Vft{GQTTm)UyKMse=4pbu#>U$XQqqW9~t;C=r{)z3n< z+<_bMDdX%zLyX|-yEVy1^O>ucVdIFv3gBOny`fW~j>?p#YJ`<8Tqxt)U3PEt{W1kW zKuNJ$Uu+l2sc@szZYTZA1BQ=I`~4i)guVURSKmJI8)=>P7p&xb>&*ZG_*`ZE?4XnW z8?Z2jm_EieTbdz-)*d?bTi`qFCdzv zzUsIwk9u$rXN59azy0O-bx6d&1;(vk-a+FH&9iq`=nen2V0{7bKLU`me;L@@$nFAY ze)cVYyyVI)%s+{VxGO+SKu3UM^>{$~Ayd7{@%{9)+_^C$6?kz>W8=Pt_+W7RM)XaE z%ejHibC!tn?%P0|@W0&NtDEb#R-H#8(ZkbL-|l+Htu@iz(BW&2VGbXOE}c*In4@$~7yQ&VL_IhI2|O7){*+Cb=}DQ#FGZ#(Je$15olD5 z+x@v|p>{AibJt4$6Tk=LqPd!z6D+ z+4Q0Q38gAxgb}=lsQpD5_tq!%*w~bpWRpuLG9)pDwk)j)1-D9lB4=*XS3e)=h1kb7 zZ5%`qyNWUel&!o^+lbJpz!I}boY4J(td7P~5aZ%^X4%}i&tt4HsHtxGhN*0q2kC~w zgO}m^CA0PvN&cZG&+=%ZqYWf>I>}dR_ZfG#D2%N5QZB&9PJCy!e$Nu?m#ITIuDVnB z5wJ(GtqLpLZtfr{EfAbEt8(nE@r@VzH1G9O;%Rp1fC&WY^tLsg3xsQ!yt_5Hu@j&U zSWrJJc+)dv(jLNF?MQKvnT);*nBdLfOMjOp`b&(I&O9kABXRS+;6$>Xa_-GCa5EQ{ zVs5C*-p!}=462=yH64U+eD+Pi+UAa3_m0&BKgM=LBR@<9(pMHULVKu`v(W(+44)6w zQZGaOxRN-_oC#s~z&RQiSX3H+^gysIPgpQR=WL21zTF5 zKIMEGgbt;}e>=X}kY zsQxrw39mfxS^vugB&_Rtq34+rl!y~qo}M0v4aETmX+~HTt~|wUVY`o7tcgP}G;Ry1 zIFD!E`vdWh{LjA6u8m|HtHTcNHz|4|b7E*e*Bq!Q*3mGC5miPv5dpfXH73&XSTEE) zcv#2n>NTZy(8<-kY=H8ja8NDrxo%R-`Uk~P2s`M)!=8l;h^$n>ZI?aei_MXcRRC`6 zjr7@f`W(|0M6hd6c+xBd-vzAJUD(P3M-H8Z{V9yb7?9!%Wk#qgeYo{Ne7GL-pI9=S zKO@>!Ph<$|X*{<*d7QUA>FwLQ&V{+x(XrjlFpl4n- zhp$oi4wW=EHp!Z&{9B?An%=*=1^$4fuUGO8QJ`e0mOCiCR9+8E42YuFD1Lakb>-4Bxk{!0xh4V zW?|RjRW@x-{hhdd!df+5bnJCUWKR1F&%9G2j1DByB34tx4R8FH;UaJ+fL*cyFYjA|U zL`Jdt-B02^2|7F&$}V0gU>u-Qsr?RkuR?v$qoY$9vwVnHq4wMUW zk{iA|s&CzC2fN>)#5xBHPvejN{7WBed5>M8?cUxUkFf_T_C@ZiJwQPyE%e}Ug-)mnX>6wK&V}T1cuoRAf}bR zLfUOjGH*;q2b$%B84We``ph_B3blfklBzs6Qjazt%4jhI!3w`|WYy9ep<4|8CHO=r z2e;MHE*Sp%PkMQ~==%^;QZy7U9>)zH7m#O&+yGaEn!aNCXg5ftj`%MEzY^qew>-nw zq_~F>JVf@8>=`(g7HL8>DV}!X2`tJ6#eaTV`EC+b%ey0*Sx_t~LTnRLHA^>3C-2qJ z(77S`dEIBa~yrehi4Dw)_d&(GOmhoU|lY7dT7BU+4_9DhDTWOF7sL-3aD z)_;n)`?393w|=HoU#eWCqI*!U?gLaO>i0DbC-C^=8n=Jau7>;qr-zVaPJdOL@=S4skUq!53=;R{Y(_m zeA#C62K7n%_2h+-76{t*r1)Bj=j)X1!4Kv}NN~}ltWzk_>!AmpTb47b!Rg7|oOFpH zz*FFH2Qetanj)F9Od&_m!BIrQ;TKLi8_VhtoGe|@ylX72gjdcT1?Tu9F=JI z?lC|7e91~z5vF8eHQK!|zX7v5UF>B^xUhq7f8Nk~s(*zN3vx{Aqh1Fi zwT?^o0Uxy_lnj$#N}+&?V9t@X=I?&5lsd4$LDltSAMrUi8h3VfzN_o$ZU2y6gbdHd zPZI!MQZ21s@HNa9GitTcRkFx2sD))}QbC&M_weMYMsTH=pH1Ce^+Q@pbTQXXj%oo;AhxThP`7@F~Ri zAOb@6VxiO-u7dGj)9+?ohO(=B!P(|u{@Be#mR89H`|1)IDF_t7JcMBePQAfSWXBan z#F8E*Wh%nfodrMlwCjgcaE@eM>BBFCxvIOc&WIR??qn{+WW(t#ud4D2BaVxpr5{@IO1-r2b5U zQq1$=D{YJ|d~>h|r^;$6fOn1G;_)vaHM&KNbhTrlpcrD5*(IVAoCpS5%Kr9qn-O{R zqj?@!&nqktU}SFv(os5ieG9}Br^fJlnVyGCHly0HPA_fp*jh{IEa=1jB^!2R2Xp-3 zC5aPeahU8$t!jU@?*2?vH6m9z;j*Ou`-daVQGD*#e8S-Lk?{Vvt2Jzep37 zVy**&P$Upi5pN{7^(qNjdcNS=rQVqE+U+v_Z?$tj)XK0g zGg6Jo)2-+y4Pvn_gS;-$E~|O5%TCf!6LZf#|Ir)x%PTxpt=prbl0u`R#?}$zB%;RF zo}FHc(p3aH*+%}eVX!u+STun{+Q*#l4A|xL+~uzKCoXm${_7QDO8L!D(co_}UlE}! zu2gKb>M>W&0ldMRP#DA*3SOipHJy9OO)3uTXXECF-Y50bk`3!1dH)9FdC6H~VLY1G zT-&x5`5vW8w+!K!EtrgoMeV2Sllb^p>W*MZnKFVJIuFr)O!Z#Ul zUKfqyFq+bNWY8prhk+Z3g|}W9*4T_$QaD%=^5D6NFW!bf`;5{zkj64;=^JkO8`wQo zgv7zepr$+`SPx ziBJS-Lbn8#tgvUXva&X$a{DT0)76MqYC-&srF%2j*CxOyt)G)SH*!r=eAX)UYdvG6 zEm5DbmP$|4(w>2lnK>{VQem)^LFy~$-y7*NNB5n;KMtF{pMn%uNBb?)3%~U{FZM1- z@>ku``CStAn0WzCtQK@KXlHr>Rt0+mfA2%YA*sZ5_V+6sJoIA=I0I ziTQ*W=o8AGFxhw5SoAGqVlN@Cb;wer^C6D_;z63$a~6*gx^$jp^^$gP zff_+vdFLcDdyLZH7H&h@Sc^*gJ+zD6l9!LaB$QKyR?myQt5;XrojFu>xo<+X0Y%Md zgs2cA)UXvoZ7eGRJBF+wAic4TLoV$Yx*LutAmDD z>(Xfc2|ik9W#b{zgmNaK6qP1oAyJa7+FuqO%F== z)f$c`5EZyx-qWZmC+v}Tj!-)gpS;aGqp3KY)|FgvN8SCJNiFEHj0;cQXUdoz}Ess+t<~VO}U6B=r;GOV6NjTt+gMY!;B^4bW zBB6U*jzJfPxEJz?;5p=5+S2Hm;Pz=^CEAl>q_so9d-o`26E0NHR9XzbG2*?{DFv?m zlFXXckJ}C!wa}JE-el|=tX4nt2D01ogf*OSYqVUS?p0U6`6|&%7|`%b8#FOwB~9IY zV-b#Ag*8W5@EGgyNoVEe4+%ZzWUjD)9w+H8Y!7xdl?cCrB92MldrhH*LnL&KkQQ*o z(uw1PS}h85TS2c?X&nh>9&3{7Iw{6cWy~a@n1^6ib0{$UqD;98{eVly$J=-zAU+fZub=Evus;E8sYcT2Z8;kld963q($ko;_qVR zvXw}1j;b%!cfV_-%Mvi=%gq?=PzbwYJTD5|`FnLa$%qCoC~ER{r^0LNfBV zR`t{z|9~}3R zVw%)mZ%Y@pEVqjGsd0PaW8XOEJ{`1!(OzDYIcsGv=E~tXwpIDSCkI>^ za_~H2;nR{u;tv5{h(>GK!07i$#xd!N=Gp0k;pS>K+enRhrMW5S=T9*T(+TZHS@~AT zqy9Hy77_7F8d|LaMP@a1W^MI}Fiiw;W`6J28l8oDEoRUe@=Oc&zHjN3nHk0FejYEI zwxHcf-=jtKh7Q0Rh#ivoSwo~GwM1xuaujqx`hsK9$y2=Uq}V_YmepM;d{^`OKx1rL zbf%9WST+73cz`Nv`N2@GCeIn;H8&Z(B?+oZ>p;PGkp8<=Ts7Ry{t)sC3(Ll5G1oNa zkHXaJ-`xbH5pPpos>2G;BzET%Oh&x2oVh!)l)dPtEgP4eFbRB*?1E#gHaZoZpaaIj z@+MYS6xd8_+xC)xjmAsWJ$h2^QRtKfx=o1G1u_b;9DR$f+DdONgw$8Fs916`oyOjo zm!t81<(?@-hdcWNb(|SU8XMA9W^lfiR=r}aWEbl2o21Z&rKe1D|HsnPwK1pJbFKeENDi;`?tjfR^d z5BK!#x&VFZFK#Ux_g`a@d~4v+4=sjvg0VU#A4&+|Y9Rj4r|2Xb9X0`(TegwY@W@n1 zg3JjjeMxQN)hKe(AGw)16~pQ?))TdD&@Fw%T9f^1l|4P$QHyJw*@YIn6&4@_r?BL*Jwp z$Jq%$i8OL8zWkYvv)hO#y+n5TX+-t-jaUwYi`;q_Pt@vpDQC7r)v`IwASky}5JTrv z569Uy-6hHYGU9olKH>2DIR^dF1>?P4L@-Psatexcr#WZn)eDr@OTt9RWyX9k#2UIW z;f9wMckw}*)M2P%n##Y2Chh6o^u)2R*wij4;c9w7SFT)^$9UW%dk9ZWU)^R*9pIwv zpb@_^bCP0Ah0dj;=f5{q=txS32Rd08;jB&=N7hmmPS&1MU8LC+{pu`O6GeY>N2Ox# zj&`p(xbSu|^}JFX0q5Gay3({BDUWX?W_vw2TvWDPky2G^ve9Ja2mFWKD(a?;bd7I# z3IpRRP>e;=EP>ng(fojhqEx#}JKkYzxUJf9|5+#8tOO|e)TpQDYAy+Hz()?RZPmwg zkGHWBoof2?oY5#gmo9=eN{h3Btm9R43OR<6AXhl~G?5`!)H7i{;+&*X@dG1a1_Sm_ zN&%g})J3LTp4s|bnQ=;;SqD;@12E-2A^GQc`uM+=rjA-;#h0xCfjT=9R2-9rTN&yl zlE!~Hmj}BsD5zP;eu{6#MZ=%o5grOxTtxN`FWb0suTH?6CMi}>G`;c$NM0(#eAunIGpXXaQ;|wU^20(e~hc643(>-A4ah>;L zVde{~G#`jpn_+pO7KqFj3$g-G{IU`*GqJLM7^)g8T)lr8_2Y?OgKKw*9|y`r8+_8OQ~rNFomBa+C^S^94wTW0Bb#ydd?=Qu=*%;l5S zN5!|yb%nF8cZA&GyI>zdJ$SK=b~^T_c{C)ehbE;ZK3a%jsI-I)kvH6s3YCK=UxyMz zRig0WeCfX&!F{p$F(os5=Yav_xt55KH^ zJ%i)L(1A2ZzK5p^OigUV{M@Z}(Yz|)3r0uSDr81=Mb1cIpl&QpnM=alLr`wDb`W>d zeqJ1$`#J47l?aD}f&SNn1EVzM24sG>sCDh%BA!Ig_O!3P3R%QsMk9GiH+v4_t6aWYe=C!p#q~Te&lW^KGbsnyO1W z^Fy86x$9s1s6ABOY0V~+COku%fzm%2@BI$w`hLM7_KFt~!zcKGgue0B^wgkJVkBL&k>RYkFP{ zgRRY3$ESntJY|~}M$s0%1@IJew5lx(P#DDp2fVO`H(9RgM);3wQ+~bO5L>z++q!pgDl6Pebw*8{XQioU-Xj=Ss2QtAAR`WOq4a|CPuOFGzQ7xB& z8-XvK+-nDTULBW#if@t*Pb9reCTY9wBS~x+DPI;X@j6XcKtO;8l^tMvT^FPPUWAQL{^!xd62HaYw-*c zM3oh*FK?@eG;MRK=Am$a>gP(YJSDcEin~y&^JP`l8}E_qIR7LssB3>eM}~Uwve-{~ z(FrFUp*~vdKe>INH%ywEPU^-w=D9CImw7(N`fsZ2u#;7)tMJ)c4VF9Y@+!t>S$jnw z8fem2D?TQv6k9*^^1q3;d{MT1@~r|fiw2Ud`J$~3zo+w_s3k&TrhJJl0vu-J*mc?3 zK-D!!27UO7N2z}qiwuK#TSkl-B-5Bud!@_67Vo?QGprFrwn(x=4*GHRokms5jv&45 zc@$W zp2e+;_4P1m$m_LZ2w;>`>}Ab?(t@oGuTGt$q)&Z!m(u4I3#74Q*`o;Dys+cbbR$w< zrNxDKta?+NE#40$u3Je`z%6^MS*ezo<`+=5-mk*_3mG{DZNP}4&(XLbExgEISw;|ec#mgh>iDiu7W<~MU^wZ=MHjzu@ z`iO@$L|QFre|>4BW{H6b|9Ci(0~xasM-1h~R(!(*CrY}bmk<7ig=V_!{46J4$s2Ql z8nSz{8$=e^$|W)z?t-qxE>)3B>YgAtX4J?jH!uoshlsWJ$(LYMc2qI zq?{@)3B~PB=NJ4Lmsw`Q^PlJk)Gq#eDOOd~cV-hWTMGYISfG)0b}?pIl_7#!FdJWl0R~ zQB^sbrFXVa{C;?NQowj~d3{OeZJvU&l1hO))N1gs>euc@0bQ3@KO`A;yl60fR_;FDr1AMpXCedHqWQCM`so?F$eyvWs2K@K4zK^$ZDI|ki9 zvT&t1pC1@R%pYB2*`>G(purVlv-S5EX^qv8Pl5R2T z-_f@4j{n?zuy|;si<8fe4=j9cC!~CShhs;R z`T-xkw(HfYD2yuvE>FV5`~_O@_Hf>)WzPD9I6IdD)s7AP)N-XhUVTDnK?#tOloLUf z*AdwO5`ydo>qCU`R9AZ^z=sSwz5t=uZdwdole2{%W}w(I8FspW_~dmE%-uzD#_ zvSM%Dec>i2CZ5aV^3TF1sMl>NFBbcG_q+SIki^Zd169 zf2BocjK5a7Xj`b6z=DVCscBUX>M7Mr7)bgs^R~;84RPzz1QR|mETnUGn6&*!n$`WF zFJvX8f}wy8oGRv`yD0@?WV-QF)R?l#ub94-ewJelscBVFy7ZU zmlJ!oi%2-Akjq|ZjwMcSQ7uBeo9u?M3;L^4vN&V%jR}Xi&N1N!LpjBzte@f(eF)MHZJ`W5KPRv|$W2FGr%;(eWA~`uFhJ3q zW*^L+=)~qR1Rwcmf-e%$OfIm3FyZtJXmnk(O0j(jb9#Y5l3Tr%=ZBjH#mdc6deauZ zwNsfZy5Xzflp^~T&FTj+eTMo-KKW}`Um^|nRSP`3gV1oJCs^$`Gl=xiL?F9on0VzD96X+L_-^ueQ}2XhRa3%) z0>|2y^PJbG)%`_F=@9j!sVMam2f7#4*H0hOL^*2b-&}F??iU@_Asl%-Mcv+>)PzAj zPPVNsxYbID(Sel?Dq=ZIj6XQ+D+0Z|#o3}rpEd?3La=+olr<3J$E-&HdoAd@{;;no z#8q|Lo?jXg6zm735h`eK=rLlz%*I5R)Ko*?t~#;&Ln(m8ju0FL{?oVFwe@$DV;X5D z9|#sz;ub@MoDV!xkj|&=??7Q)Q3#|8o^R!JZ~3$;%8|$~7fxXb^3EVx$&s-WrQKiH zm`8#}S!E5uNE}#?X8T7L^HI2CXmU^{wIJ|ivqf&P!-i!I)cb z8d?{Dp~b~Dk~tu#c#k+!$e-Yeh_{Pa$dNy<5fEC8Dm4ftH;D%!$tx^j4-I%BL*Uts zGGD6i+6bl;QzEgds7Mjl|Dfz0qa%C!b=}xDDzueHzEV?1A;Q8nvR%~^BSb^Y$U5b2^*XP^{4cL)9Z4f<)g{eaR)?yy?J{z= zj)wT!$auu!T!CPriLcbto22oCYZH6C0Jg89HZ{*bN)<^fWYiUvfo@FIk{so`3Akm_ zxoVR8r4b`=ifgwfZB=zlgp572zs>THord#{PCmva-`jYcGoHi8b$$;=_>2v_`nQMq zQC8L+<2JP1=H=;OT2qb?y_nh)9MW+0zel9 zoCqazjn=j*Q*+bl2+C^DJ%EqN!~=|C0IvvG1n)KKk+p==)NSyvuKwRTI(K>je@|d3$m-i_71jI|vlg)u=|l;dg;%d%g~CJwW?`jy+ZxC-M-80~ zLl2T&vC^7Gc4QYzNKo6vfAY7Kt3D!?lV1^Jn=Sg=8tF2h()NoFRhQ#n7m<6NF0~*K zgw-{I8w8$4B!#KNy6cJ8Cf>^|sUoK3yXR=?j+|&)p5abazyFXONVu!FN-6H@NR zobQ7|sUj~&gy9~>IyI2_Sgto!`Rr!dCUF5Hr$O4_KI z!&I}>M6s0(ORZKq$43t#;lpY#m#2?p)|?}PG^vomI6l;Chf&O$U=yLA%hAW+SgY_H zXC#Fk4*h1efJwUk(RO*&xR|b;_`8YCmM5li40i^tg>p3xO=9Q%U6GUBOa{%&rJCnO zsJXFP`?5gxVg}TN^lv}AAFXN)olxo2(uYW&p7LoI>>f(|fM#>#>Z+xJp-xoliiFHf ztZ<@2-1Ib1W}3`CXPS}N$!tJ(p>qcqF-w~h!ALX{k6`D!M}v;&NkjP%AX zIU3v4^b<0`hAT%!yVSXMT3z;uHuO_<$nUzj`x9(#koE|8Fd&+KAO>I^K@!&)Q+h#| z2y!e&29d0m)V3=k>P0ssdSme*dV&&ukfK!#70xpz;h0JS`UToJpb1!thCA_%AKTyxr0&m&JSyDyoP5E6SsbssycQ2 zlOF?|DGnv;{e^AkJoKY%JQ&@NwKSw@NW|=ht9Dn`^=Wqn{?!s~jL0DoW{4V|JyoUT z9hb53xobB=aRQL)<>hc;L$XK=c(S(q3)d=U(LX3VIAt)0cQA@lE=EMYU{{T*FY^>X}G^*(6 zL=}cTV6?1w04@jW<9~B`<6^q&b8G7_bM@lSbb5?+I6KA_zN~lQK44h8gR$xhvt4Y4 zQ$=_QG4WK?{l+NZUFhc8=6k@9n}t!xFZwa|7POnEwY|YHN(xls({lkT>CF{h2)+QH z&EA7r`EN`8kDAae`~^_2PJSfmy$j;@BuuNK6Pz;ta4K{iB9{X9gu!i=xtX!qOq7;@`jm&$V0$T6@MqP5N1K7w^lu%JxY=*eu4i17M;UtBB z%hAc_2_Np2$@D?u6YSZ$nzY)Im83Y<4N67ix9TX=xQp~wC|Fllu;atZ_ZS%+_Z5RI zJOdV}}Ji3cU!_Iyl-vEc#1}+zeNqxyjatKKUVd5wm z4RJ*ZSM8BDse6iqpf_?qZY*i72veayVj$fMQBUz3^f<8YYdYUcj{2X&Mw`vhBM2SNoSNDDh4%IQaR*UJq9f%}kZvJ*cE_@iGbmZqN%5n-~ z>*t0}AnYLcr+@C~{t5cMt1Tk1q)=j$2Q>tDTN&ovB7Qb8^7y=J8IcnG#>?w(MCl1) zB%>f*?8|-?L@UXV6q?b#P;8GBXb9625#|#iq|TIQS!InBrFJrV#bGPg0L2LrdKe2R=4KnYlq8-Q+ur5 zHl{5lhMn@yMH*<pMHBt4FZ9k9$LNYgC38B^9e+P{Jf-6 z$?PV@HMF|!!l|ldogoU`FpfFFyYvv5>0GQ;+rQ0Rvk3VZ_65hNWGA4>TTdb#k%)+P zI>nRXlsAz3Tb5<;GP$b8lAXo^m9$W+p2Z$V79CZW z>!I@8Lna!Y?_xtl7H{l_L*I@?zof9`>9n!X>S{fmvZ!Lv1GQC2#n0ArVRtxY9OFa` z_;rk;_y7w|&n13;wGow^n|eVS;TJJ&!V^j!lp@L}J0veU)Z1Jg9D16Syiq=Y6Xhte zZT)L~9w`}X+h)j2`52}~!Z+j*BIfefe%DWCMlq$;_9WX;aO4U^!jAJO#1Eb=85J@A zgvBH5+c`@paMF_n;kWLp;(q16`?t^i5Id5Z^v%f&mZZ#L<>RNjL?h(W1cT$m5{c#c z4Q72P@PUhm#=!9x?Od-ak2}MrqrvZm>zV?L(5x0f z@&dpik}%L6+@=!t@@m?6{(d?h8J)}_;l+lZkf`2Kk%_8z1dG8zq+`r%blbSJhUkXz z)ush*e2v-}O2IdSFy)Zun0^%q8rE{R+_=G9XNd43(P(T_Vo@cg3CGC#ZwS(8*ug?J znWe=oF!uPW*;1~GjLtlcxV#;AsO@kOAFQp|_fdY)#$VQ&rwLyV!$xFZ?TRXlFnMl& zl*!1Kxa+fm6dgfhWvJWsb;=Ed1W(g*4_24CGJbXwjO8t1&Uh7+nbq1=YVZW+XyN626ggnZ>q&ZvC5NP0eBP(3q<*TnZoJp~jqook;Iq+2RwfR=AIci~hZ6G}E z8m4*q=v^ryrHHnv=#1aO9#3WVhHQ4KPvFNC0Ia?W0DR*ecapiR;g6T~9FDOt`lK>m zrt!t%7Fw*9!>j!$eFJYb53B=Cg9iPx^-*bU za(_8uEz0)Cs4bQy>IoUvc;AB&Hnb|?-$61-Q7NhMOC}{6W!g=oRU|ZerxWyqtu$m> z%wWTfipXo|m4EN1$3>27F{OpINmLBsTRdoYIy%Or^%U97nk!!Sq*h?vF~Y_sWiBsxy;y!t}esgRMY$_{(i$~$c{YSD(ZceoKUt?A3&@RtZ> z(&k09cU%!M{PF*1-<9>xKD&+Zf9&(7SajWR73~CPZD%OF8C1fjN2#zO82(6qag7UOrwfz4ZZUK9Zi3 zo?8h$={QTlEHNczA=te;gEa?8?MB1Qm?xsY2ae_P<#cT3Db7iukC&_#c=sfPe1T?I z!{Jf%B|}Mn_wZ-Km%f)gznG&E1K#)%|2s;$?vYorLMh>xFuvAl+{X+%cw%H zIP9Wvgw#U75PD`4zYK{P@EjV(FQC=?W;7iNnOltgxep*#(zNkTiC0V|1MedhvKC3f829?(GO&pY)yA+H5F1tsSzeTau(Oj&axk0Sn72_ZLhx^00_bxH|-y$rQ66N5n!i zh(PFrpeJ9PK)1Ibn2~c}k<*pnT9DvG(1=T4&3cm4b92N`Uo2cEW<(VNDK}=-zHb6# zuu>?eWw3aCnhohQxOhdV1$>+?rs9DoY~p3y1&7$v&_;!pbz7CI(SD$P;JiNjlOn>b6!ePz@BK_&v8!(8z=@oGGq?j}q+}kFCwd zxH6xM-jW>hs9A5VCt!;nZjabu!JqM`-Hu7X=5M=vCdEE)yS-o8Uyh6dTQ2HmDsO;e z)4;=Kz-9#O0cN7G_mHzJSKYHCieUsB0*R!^_SNmC?Y$$|(*6dG;a|J^D#^bV#ju+S zVI`ZwUZ~tjppdr$3wv_9s-Ry!c$!j$SSM;>-z9XGBT$MD=@|Ijit<7*8k8#hUT_b5 zeqlNW<|%y=eHPzr=Oc}5=%65P@a)VuiLN~Rbf_zBOBK|2;uu%B z-PFgL!vP;HA4BtB`{pE>yxHPh20PqduyI(!CBA%#dq%K6J&nJt({rgFDsIYX$8{Imffmlx<8eSKIt{Bp|dlNd zEo~?c%m4h779=t`7SGiisc!!SNnN5eOHmW{83}KcY)SdVMA84O!qvHNJaFqr+r$u= zh0{XT5BhDh&sWzDNTdVQQ!@Ife-)|%@~ylECEW*s2%Z3greC)Mcjd1R%hDLMeDv2R z9WD-jKnPNh)oPIFiet}!YkxYk7ho*J^PYa%eKGp^kJXj9pN{S2NlXVQqm1)eFIQl2 z`vYfO&sU`_Q_;{3+oyeUKRHO}vW_cMkHQoQ4;KDPU)C({5WNxPMs6*)CP9i2N%g7! zX*jENQ2E}2-j|*`qgwajD8?gpe@V6FJm`@(zIEE=^_F?Za<#J8{XS52RkkhX#qSxF z27TYo+<%j2!0g`Hb6zY-q(#fOJ!!Z-1T0 z|4o2c{Y7$4>IH^!%tGi+PT>6Wwh}?8WT@mJ-XCCxdIKgv%RE}Z?8Fb{fHBzaxPA4F zo#26Kgr}xu?;o!JUfYk^C?Wg)oOKb97x~~@=F_cGJjWy-#EifV=oCwmojSU!sd*)d z3s}B*C(al_&ymiXQ*BJu+a$(UUuxHL{dj*r*UxXzpAU=v4)-5iU&_pShA!pP&0A1@ zFON3YyOrlf!9(6B=H(c*2jeaBDaUP z`ApLU_z#sEJs@w1HHg9*m)7_|5$IiwfnW_xhV6Cf(|xy+ZGe2#?VQ7EFW9`H`~{Ipbe5;3|NP>1hzT3!VF&>}%HR1dk_ z*>|~IN2Vs0`2)~zH_16Wt8V*usw>BFf;TWPRZp%?`D>N+!y#-}A+*u71@2q!c%7gB z=JN2y{|lEd_=n5m{1;sQ7M7kQnf0XZd9vfb!}7@uxuR^UNx8%>*?hye)ntBYgpD!Q zFUd(Vt$|&nB{jnkJ`}7|dNBc{TtmHXxI?0=yd?T9qVu#yQ#{1t=I1*7dO6JRuP&> zpzq?S-(u!tH+?e-r0i!B!Y&xHMeIWUH@baY8sMb)SuCZTDHuRhwn_|kL)Cw35h3vffqVFP9JFv1zCP!^9F##)_>-P@A1P`*rjNY5 zf&{Lzj>I9j*iQiLFLd~}W^e(Fu#v>kw?Xd-oCe# z|G?XIm6zxHD$+AMQHilCGKnwhD(gqLZh~&d{=*c(+_|+^GhUP);SF&Nrj$U%Ju!*- z_8F#+-R}!2Yam-}KF1NyS6Td*@RqypM=cDTnSI&pyd;5W8`54sQ@Ap-aKZZb7c!9e zpl?5N_o@2VJ!$?_ z+H5emj@@N+#72umG8ipsvtWIn9%V28hcLh96e>AB)(9_e{2qXSHB$ef+8Q^0IE82q z2W-Gp8#9x}MH_=|F$?wUB)MFIVNTSND<1oZW1~>K!l~;;)vf8R4JIrm7l8n|u{RQB z`9kitjj3ALkdg<6DjkDRS=NC(E7h z$AH3Jdu68|b=u(U-p5YMk^_w~5(|2M7GrF~#=*AeR3su$N3A~gV`B5eI`0_ZB(pMO z);N^IEV8OKPT}iaC;%%lki8?Vm2nOdz6!I7WL#qirHMYAs%W~;tmSr$f4*CNk{&HX zcp0!dEER>Q(F5}jZG#e(I^PGN2VdZciEV1AFb(+m^xbtOU+icu8Z^F!we!MU7;ytWNROe>4H?N`EW6WE$MWXMb z;J(1^7FNrTA@98D|9^06Y4+oP0k>m@sQ(SP{nK2qfU{En)LLX5+AU%I1IlJdnJXD~ z0%wi?R8JH<3_vZv#ID&W?W8j`I5Ag>zLvcn?8Lg+5ka3FEkxEsg$UPUoTGGTxf=ejUQ{_ho zV~cs!-S=%G4;lFonqR`9B_gmUvAs?_H`?nL~N>C z;S_gAbwsAu7&7tG7J5$OTU3Y9^`0xx{}k=xUc_!_%TrOx-fiv1@;`v%6!8S%WJP+qOjdc^WC16v1&bgD%$?hmmBkresS@w+ifn&IY&n|{pI!^ z@Su|2LWj3qpQZOe&0Ilp|LwfBNFKRPN?Bg$<4{ml!B%=Ck5w||*J%8>1biH3{%y&T ztqM`MpuR7GKk+%Z3tmE|yf3hcHOK);pJEqv>|e-MO61kPG7Mkx3)#LP!BlRqZ+sVK z2@d};!usm#3yT_z_UCrCjc!+MSgUkG4i(BxScX*H8^1%_bh+CK zo1DBL9Q_r@xk!$JZ2dF9&W^5JQB#A{GB>9mwA-5Pu!3HFjlOT2!3I28`Xsj)ZXAu# zqyo|iPBY_TYZqGQEaK{98jXFqz;R zLbkLzD!HzR5pU9*(~F&{+@ECqg+yn9WZm zG)$iCCsO7zVBB<)OP5~9skffuHZCb2l);crT#G+6PYouVP{_oRY7z4!B=0Q`l=(Lv zb%49jeuRX?Y;<%%xTiq2XZsfe)!L=ZWDFOs?L9^P`M|==B~_bRk8vb(tX;_VliIeq z{$C7~Hruk)bEx&i0{0>{FiSu2x6L1s$!uN;q#4%E8q14XEQ;7cmZdOzYj1rtGnNXT z^Zy2da?YpDUSXwI7!Pu@n>J?Dp8iVL+@u%FLP${c5TYY7L>(Up}8)bzb z|D#=uHSk@d-gXZ&*^|!vU>gyt!(`C$FV*=Hh!uTW{??CzNJCjF@jjFN2KscQ)Mo;t zCz1G`AjN=rn+fhe7x2H@MFYFCD9`mLX+|B0iUa=GP~ zvqC4n$3+uT+aoFS=8#)-5*$SQqG%&;F;nnFlRjyco&p1G+e`rCs?;+Hbcz8F4fCpLB)mmtcIA{* zTDU|Co41De*t{#ZORwm@5> zACKy>KN=B@?|?cUDc0Ick{y#S=Th#^Birm^v{2HF1EqqwsXX7**!VzdT!>SSN5n4T zOigRGO_K{4Hdk(jYg^!Y^DlWT&qHf2rI}$9#v!V`fNHupCsB))t|2axuIxpkLj1=lxLFT8EasqI7aJ^aIuZ}nWg+-KW=llS88o)a8-Q}1M4w^%C0 zjdm9I>}W;-0si2wcbh@)jKghe$xaFd`VszSrA7)@D($4({9)NGDL?P~enU>Is^;!x z@7qntdQrr2Bu6O96QV=k8RY%#2|#Y8^uZ*J zbSc$gmJqvA$M-nFNAoIHRW^6eN3@B*XXb$JL_CfjqCFH4vLf~jB~V;?v?LRW^^xVB z*LUV4a8HkFDSMq}R2rF5V=Jwd#5| z>XRP_@~SGRtTr*Blrxy5bo%jha>K3&DFHE~$wspKL)@&sCz!e?;pt7ppabtdi={g;r!AO^cUcQ)f=n|vi<~Hm|S4>Wia!S0rfs{gBoGP3*8*msXp?e zDlsSJK`f1>vx_U->uZlbfXK~P_}xywIZ9-B7Y2V!SV06qbbQeP60i#A#EnaaEh^@` zlAyBKXz^X-_pl^*1!$*#wAM0)!*Ev$V{At(gn`W=Lsvn5W6V5lPaX zTl<}01bqWc*#6$Xe17F53&haNj~Uf)VP@h!pMho7-#bR&b?ju_yCuxKrH%6Z9iZGi z#8Ja=MHWDXzhmfO`1*EFrjLY18QZi%a9?g7Y`Rs0gkh5gZW~f20~$4Mu}u(&qWyhj zO}HeO@dn++hBnv69;?xJOjcUID0v=@=Bsuna`xnU2!)6{^T-5}N0T_oTI^ikIUFj?rtO^imw*_yq>_7;Ug;EV1;TYUDxjnH~~^inw0015iPAd z&z%L&2zrsf%D3>X(epMO_bzyp3FTpX(6YRV6TVf`+V37vo0(5$6z4V&9@is9ZOWS9 zdCU)1*$hJWS6q#2ViZ@R8Dv~-6PZJ{{E@ga1g#%PQYvFn0~vgrzA+q?Gd9k#p}l3Y zoy60tr89(fUiPHJg3(?|o^cgMOT^KmVom~__h^3tS#B%^~0KRvmJzR4d%r zda01fC*o__)`|xupvUIB%Cho{xlW$uOg`s!)*6D4m{x=w_g7bi%(it2(zMG*fcA_P zoSP_53!=XfDB;s(_H6(d1wQnF z{4r{Fd5~i_iWPcqUffgTGWx~+&OO^4;M7-nx8w@zn0d8|f4u5!qd)&nIYp+F>E!LJ zYW-q)gdLsfXWUqsZ!)nNgCNF;7&| zF1cUF^#F*nH*K10k{=@u4TN@n zt=;eCfA+o|W^EtRVK-s#VtHkJq;IS>EK#sj#_@2z3T~QSCiPjgXUkX__Ucsxok!hf zIw8I^ZYjx`2_^mn*|TLqHy{DJW0Scb&0)Q=42P}eKqD1tZ#Ym()N>)@XKtM zh`AdHUMkK>L@lAN$6c$Dn>EDErBN#`N^0XXSa^{kEG;sI^9mp37?(;|;Re1y90g`k4S9Kso0LC4;l^7Ae)m;W#w@gH@M63SI5&$p zJzf8i5^JTr&ZaXkw{$FnrS}#POD$9PZKXRS{aSxcF)Fozz$MPAxn^J$6KIBO|T57V+;U<3HTeq(s`k8_{`@%+oBQ% z^=nIjCzeEAb&8pU(vg-z{rK_O30fjD9qbBKB#9@IH2-HY`#U~DaMDW#MeD~-8x5CW z;}gcd2zMwdqlFk_lm`m~7JeE29Vt=FsI=uRWVIE_VM0*)H!g3m^%T#y@kQ=sv=AN@ zx7`Y{+?*&wCZ1m57;k1t?_p$>karNj}qO`j!a>LtUJBi5IIG-Jeb1!3m>*u~$iew3qi7JpAXc9{PBDeqg z3C;TV#gH0Owsu0*vKVLUnV8o8aL=a9B!Fm?+5(EJL`4+YTcQmnJdDQO8JKxWm!<|a zlGIExezJW8^9>~7ys4zq5a;ysf`nnqUHz4&^|$-(<{mUVtNSZXk>gKFa8>fB5RB!e35s5etA)9PGDyN9=B)w-xieT9gCV^DGRkrad1IcRY zVoRp_Na-BqJ}=3ru2^xRL^b4QWeU4ttfhqv93&=9%lhxu3t7~hALJPNL+HM`yT1wO zMUp%l@pzc&b?U>brj#-PqTm6>ltI0l(HPF}z?=ZNFG|bMA=W5-$y}NI#Tx@o%q#h%5){~1w$k!LE z{KNYelChX;#(A2N^kRP8>0{PY3Yi)=wEoAtzj37=73)qDfH@IA_wlHy^M{c@T`k?~LpIn59$3IFXlmzFMFxmT-=^#c#OW%cEx%N^rjn$7$qX`N)T z!ZyPRSL=)F6JT{jo*xjG->u$XDfB^e1C2_uYG2($v^1lTo*y|_L+MVAg0=Z;aXxF# zIQgeGih=q_Y%N>{a_>t?vkCV*@I*BDo!Wgk_^$LOpp4)e)g8j=)qV-##VcIAV~B3( zR({V^z$QzY3poP;h!Ec^NmOL>5W zG!@xAz_z@ugcHkTU1})~^+N1airMLo=dAeNW&d-n;mIgCz=?o}F>LF@MrXgp$ZZPE zF!peqw@g3Yx=39x6qjBvz&!U`ENgy9H$A4KPa-(Gi|2-m)t*9Rbp!LbM^7jbR9?ieFQv2bmr>%*1xqVBsik8SA+zpt zkDd{g$jT++nLEx-K5qmVaMZW`>(lS;<CNbmHx%Fr*wTKt4?H?~fBHYKzK8eK^S`=O zottMNd=NSUvs8em({Vr}Vlh7ftxLhkcaO36fuFVpUX8 z%KzUBuYG$crzhKKK&xh8j?c~Y(=D+3=fk_s29V8Pa1HoQauxJ46!PEQjM3MJwQmmtWhB3ccNL>Exw^-*j;EEUCk*ctYUOa5ri8h-&SQi2HL{Z{Fy5 z@1Q*ixOp^Jbd__{7qu7UcXjg7CuIE&Uo%98A2e8?2jB;f+-nz?RV zpN+teAc#9xG4{D!j|WGfG2vF1hwMk-vk6yM&(8t80!tJIJRtL*R7Ag zDOf`B`_#!W`X@wE_wz^<%Lmj_3=V_<5RRxv4E09{RqVY#-g|1(Jacw1QY-}^p=Ta{ zdl$a&J5u9f58>XQ>yiv5rM2e`2(ngVcd8$-!|eC<6#?`xc+T&t4t@1SKP0Lj72j2D zIpx|OyAVAdPd1h2O;b-fQ+k%Yt{ycOLL$A+Tns;re?5U7AQjc(D<1pwq{+6t<56cK z)r>7a^3~o?*>-8#v<*-Bs-+VLl>M^TnyMW8R$-mbiT|JpNvmbAv0jk2IG0g+SD|9t zhXq|a&cuyP;5C2pY;xqweSxwBh)&ww*f|=y)@VQP6ZiE%L?_bPQcq;FIh`cgfpIx_ z6g$>OnE%6&Z(f!9pL~OnJlPhFx>Z)2o2nxH2d<_0NeC0L#%RYeWoul|+{?a{val4v;Z~7W$ z(!VoL;H$2?0;8$bv|vP-W!Uzp(cVx$;!TQfbEgBR=~{zt9%lRMDOX=qR8$ammjQ1r zt`;?Q{r7#NUY)+?={|eH?ez!n|P4GqqQKxGXp?uV8QpzYFkfjY63DsE}?VcE?8L*}QYPfkOhM@j&Jk|FM)>BOrca{AqJ$%}iZ2w*4|c3eo)@;$ z3;25{u1RSY?SI|9;1LXc$mT9cFJg7SgSY)L>NSiEq8Dg&J0e;A?skGHFBMFpMfg8u z4CpHB{5xaddBgezhH4NTr-}&J{-8U<8#EJOXfPD5SOdmpQ*Gd6smeXuDInD=um$VH zEA`D&21|2*mGlqhS_nwM+NeGISwrr(GzfG28VyHH{0s7O+qz{&0wS+}n+en?SfqO( zPe@|Pq~Nh>r*cwa6IWLJ}cN1Z1-yYYG{c=MxUs@--CNj4sX13YC zVE~I@z-(gYKM@4b1S|0!+5dY4fgC_Qq}=VSYEkA$p|a#G=#PziEDT-q#>ln&zRH2c z$$bZb$T|eQst1R8oFvggkVdtRI5EZ)I0-CF%Zo9>p}M(&7EHPP>3400OFijqo}&vz z`pHZ3Og0e9GON1?n8_6gnlR0eR-FpVazc&)OGqr3y3;(_N(0;8@2#L;XZ;#W?sKF! zO@w3(0g{OZtX#6QDQL(@C%SSkz4FycyC_#$h{7)-L&$~w)Qo2CH3<|7Zqb>+u?bpG zq0FKT;>!P`Gb=IZ)1JG zYbfGEyyx*a@%q`9gN`2sysTT4*t(9_X3It~tj_ z-JpyjTudOnZBAwmH1yerD0i~8)xQzKU3@wY$)?Z~;%jr1rugKuJ-x}4!j(-?Rp zD$XZ#w^cpQ%#A__$6HA+#_lnmb8?Roj+w;pGNbmVj5ki{s;LZ#mScD00pqG-=hv{w ze0CcMvXgjFC@UqjQL7nmcLkcX2e@ma2N7m#l<5J(q~>dVw*!})`fz-@qW8=#7L%jf zoUjTP@>bHNuPZ)Tc|ER~R|I}vVMD=3ZlAW$+`dbT*`B{0nZx}245SIFVqm~f;&~S< zYkT3Ux}~(fA{87Chtl0BtiV~6)1iZFw&vKZ&7Kwh^imfA_K)yC2h29r!*EQ)1q!a_5O_T*w zd!cnSndPslx9_}j>YOE=urI_$;w>?lTB#wA(^Tv+cnzB1)fE$Z5^B^?oBkwJ{G-^O zG&5KT@yNnL${uQVTI%`-R;U&F*;fCGdpLFcSKNc5;D3sH$il?P+(uYFOD~0WLAXq! z<-P(AdG&@=D*j5GH%a&|7UTi+g7ux;23<+iHE>;8v3 zbiR-APw+!RLn#4glVwW{4md8LXIbM*9*XA-PqUUFjh($gl_VtE$+Bd6fo(i3sl^XM zg}`gGFaAnpco^zyC&v+jtpEY2ZjcIbAUsj)YC=S?{7|v7E<-BOjdJ;mElQ13tmv@( zjtVl`r&{U$rA|3?r8}r8W>0OSg0subco7shVj*-mP4(9_oIMn2^l}F8mZf;gw`n@$ z;oz3y6i@}BP5bIgNv_RZ5KDHsE^y$Zv0An8&m3$I!+bu zxa}o|cu*XBmRLav1qMf`4GWeKaE9nN@O#)0L}uebC(ZbAsDPXdlQeXdo{c*p1Z!Y_VyItOSUJ)jpE>ms?cs^^N!* z5@plidu6K92`(88lxldawKV(KQi%Z zkFtUOTD z1g&6}f@;rZd6C$FwYcv)xKyr{hyfDq+KJ6sw0Veh& zV|#<_J1Anc_s|G+s$e?mPivE=P&LkQT?SjT+9*x zDsr7nvNwV$`@W4leSk5MH1WGE<}R!{*5nR#?tra>nMpkF22s%+vPVYsG6IM`078oW zh?72c<~1g3@9B>|Aj4yN#v>k21!l}F@Q*`=tuLC>7YSF<=cik& zIT{HTDUztUAAj>ZEREmdK36PjhHxmxv>T%n5_ff-rLvk z<{yed!tQE2!xsXdYYJ+VjmXR+MFkcf>roES{>}t;u&OwVZ%FJL4w(jFxU}x+#~;5G ziKwxrF%n89!Y_$HHvPpKO<=xbCg!sK>If)d5}LgVTtTg6fF(DhphPObv2g{N(d<3N~of?Jv=HihA0{ac&a>x0em-*^?Qk^e|6Av(;`bAsomPiN$XCQ zqD(%y$#1ZKUF;!oNoi}8KCZ6)y=zoEq1|c%a*FO=5Jm}0^q;Si(1P=(bvY44{2}Gp z2-yTl&wUmRTvh5`;eatc;8ph$Zrl_8dyiF#bRXT zUm0V49!}mFo!!h&1wUR!0>cTg0E?+UWD{x}Wchi;OWJr!`VVT4w#52Vq+#eD$_QAh zs3-#nsJnxh21)_*5v-o$U9_aYR!z!9qIO;HylKRm^v?x%7a$+Ai7ZkSGn}w3yZ;h; z$tt5;V-JN!|ISix{F%1&3&iE_TE)*`6IitAv-;FkI3{zn4yV1fw77Y7dPZ{wdU_6P z7Pv(DtB}l8H`|c0HHZ)9%brM*v)>}Do<>vY);Hz};0&IVrm%~Yj#>9eN0%r}z86Zq z#K*;mqmZg(z7;w(=+lZ^^2eenveeE`R_b^U-?T(jMff3Ehd?#e5HyD!zqxXLs$1ZU ze5s6l^sM(pwo^;j!u;uPpB}yDRq0?18Kkg~H}%O@(B>Dc#10BW&H-S8w*8F5y$Yzz zB~q(XVhWYQDI;~&ywGjXg^LK2JZexhBCN;Fq0@NM0iy@>2(m}>D{SWkjR0>XA}$}M zr1}5e*AiiYaMOQXyk2X2eo{@pIBmDv&z-9+XDu3@E7LDxTD?^+hyAVQ^moQ#Hi1wD zC26Q>rTE}nkxr3(*+3*t|2H63J^fcEpU-~Mn29t2fj_{BK|IhUq3!b%(Bj;dQJ7$GIKDJ z+^&&yUC5XTczT;pJCO`>L<+7xZ;w!%s=4PDS8Y|1>P4pL`Pi2Z!B#h&8>I}TQtxWY zVZH0A1GGuUy5E>SSC3N71C+x7l}Rvxo)#VP0L2e0ZC(TNlaxND)+xsk&<%6K&iGkg z8uV~U#=A%Gn(lx*Zx7_<>Fu9We{G`7vU_wo* zNL~J!VqXGH?tcs4qRQD)7bUUo>fbZ*XhF*9boAnA;&~>mYTL9_?TPFIgp94D6f6g! zZU&V0L@Hw4q8QxGg7XmZVnkS1?66G+m0yk>dLF_X;!QDWIOM5AYX%S>WO z7=@Od)hpZ7V&g0Ot^tAHy8%4$f1Ti{hmCmePBqxp2{AQ0t4wJuHwK*d0F)OGv6UIi zgSzM4FQ9OQnL>lGz?t-e4y`Zr9p#bsW}_-#o_nJXLI?jf>sqpmze1PZu zPPshFo%y1EwIjd`P7U(a%d#5D(~_e5IJxB`HbZMN*K2T?oNZlM(AgY4*1 z0T88Iua?Ah9X!Rugjekxw&VB?;P=lk z4Yg~p`ig&gch z5UPU=B{5zzDvrEq&yDOf>CTXu;r*l%A*%>bfr77P1vZiTLX;{KMQd`c9{3{=XM@K} z9#qM|ba%gN=KrHLJ@r)O6{h&ipHkB4yz4FDOvEJfOaH~hS3;KwH^$}F(Po;VXE3xW zDE=>u=6njaF_k`hgzQII<7mVtM>=xwE8x!&f7BM6j-aUs=2o5#m$=kho+1y~8T2z% zl4M@Xn4*N|a_!QRRiK(5a`f&J^~A>3|AuCoUllwGL$v-6Gqb?SgGh&B!bIHnODo<- z(hP9ec{HA)7g_1G6Fz5Qk=!|@G&s=d-lgel$fy7FjgHpWq7qh&R!EVD*J!JZ40}^N zVPLOduJ}O}W==OGZdMO@Hrcib-$w7#v%% zxbVn?Og=5tfNNrZb6g@FvQlC}zD?}Y5>A^Pzh924ym59y!Pp7LvHqVAWVyST!NMG5 zZCLF4sS1am*1Yg>i=ExuVfD?J)=ol4H>r!4?Dc#0<`Z|@g@^sh%m1}uvGpYU9F=d< z`}I+cw85RP)rG=jh1HgDEp7d{%VykTJnfxueY&Hd}>I_c(XLHNh-xzh1O%hGN3uq_Eje`_}+3L!h=aCm<5Q(2KS#3Ov`wVKL^fb3A{yecE?>L`{GE4+||PL+%jY#twKUR%C(Eyr&1 z8OJyGmyMuKABiiL&oci4VM22B=Eh-=Vn3lFj?{!uc3LFaj>X^L9Mc`WukTA^D?;^K zDAe1Z5FwD%9bRvaZpJB8YKW{WW6puXQG2#%8$v=EpC8YcIC~i8^v_i9tHBn90)KayDuY}PbT&TX&vIt zd-!bP`FOdxG)61ck-V8HYZIiE@}Y~Zov?Bo-q`f61t-WJCpa9Cc(l*`T2w-~f-|*l zMCRBl@6bu~7W_50y0F3FQ|G}<0_|SeDb)$_sDWkB}?^}6Uw?FtkrYI#E z8X3c@RTrtEqcKeS_NsHt)P^3)YY4z^q;rVqEga$3Fmf*{+e2!-sll~>?*2`UJY&Smqcb0J*cO8IDOLGrYs5-Nu9IbOYcZ+=0>hjlX@pqQP zDk;|%(rcOuZ58H|(KYFoLeE4JppdMnR7$Fn#Lm5s_g#cO0@QImUX0^G%Sx5N3F!t}@;+ zwYI3r6i5xgSVsJYfByg5q06uhwE|_j0dE5NMveekLeO^A>zr<1pZ@Dle8*K1+njm zEWqbRL#GJ5iM}=JWDZLxa9UO;IVjavP_vV6Y3{<8cfU{OJU(>M`TgMfA}Y1BFZ0& zJ%w!W6OEWo&V%bou|bqjdS4hOzueN8Rl)5ORrjRTW#HQsh6giCM`Ed28XpDDaLR<| zX{YpZ`qXE5Yk*ZL>iEJ(Bcr3^@W<|D%|Y&y1<=OA!{tQ$=Of^eccMp>h4NARiKaW` z(ofCqQk`r1H^5l0BD9dHG+VC#mf%tfK zxi@?f6UcP6AD~}~>^ReV6%9NMk;t3PC0I(X=A$+DkWJj49PiALX}0Ft16)2C8zTMDrB+D=)M&4MRl+yk8+e zST=&@0&c~S6p3J#eo}FQB35xHHsx%lWlOE?#1Um$-bM7Cj29^Cfb9GoE5_%c9VkR)4QPhl3o!f%4qysp#J5WOMlqr_ilrpSV# zm7u*HNXwe-jCarjHk`)73&BdXTC`Jv)s0WH4XFh#cM7N;&D9g7UH*lWJSpReYP(_s-V+SYevWkm2RG%8fBlio zKo2}26+*Y}Xux$)5*(+j=+dl_7e-k9Bt^yneV&Qx?ijvoQBeC6(gDmSbYsCY44!kl z1GmkULz3Xlk57{q4%a>SvueJT=zaM;+hbyebK;OF<=;dhYFrhF(k{Z)t7PHZ9xZqY(7-YBVJKxW2Vd3~U%3ASs49%NneBS_*FjH_> zNmSgV?D?Kl%5Zba34#bRA;0%8#>pB7WAsl51{UI|?fw%*az*rgA{+iGA*eNMd5!O&s z{2hw3rH-NJ%LydBJ7r?T0dFN+yI%^v^XnL2jIQ8-NSY~zBb;s7Gqce2%Cy%S65k^C~h~r z0ZnLm-{M?eYLtZN$VDDW5I2ZZXzDqIOt5aysNh^TstR)+)c;cQ#EtOd)45e4uXIb+ zF7=bf_u)W;e(Ea2iN$+K4^P>&HR;#R=?J?fn=@YR{^-z3j#Q1ep!YQlkmRW?=VQ|i z^lxgA9r+%$QBNzs7V-XvcK*~ib+tTr zl74@W95+;z{3gK+e{MMAz@8Xzw|5yl82XA}ss~Gd?h2={{|Mr`WEJiqST7YsQ&vWG zSK)fEYF~%Ngz?_$iZh~N7b5U>K%6-*OcP?dM!>mG(bHNTOmUxPIlQ8A?i4+3ACPvw zd%BSBIii|+&b?jR_)vqa__hka-|*~wb-_9(ob8k7T?(nN@ z7Ng_`LOk)S+Vv+p=JZ@H2LK{F2MUx!FqvRyJ7wKG{sqItn+Q6R=1mAB<93bv zA`0Pnx8chKl5`GwQKZVL~fxx5)Gn4mLk1 zkd0)dB{I#+-x(4R7Uqo+p_Qd1 z^9Aqs1v4o1MRc_C#L3p44iYrncd-el(Vg`n$6#)~I;zVMhwInOB%1D?jpQg!S7=nI zBDhbEg>@bjo~jyBy&r04*PK*Dc+aZs#LZY?>B|r;h{OAW;P9j_#E4aA<~ba3zNU_f z6{5!m3s^=}nLILRwgG3Z^jTbqu7=-xMbb}8&9}--9A-Mz`vL=z(q>AUO(%}&Mt1O! zOUP&XW#gL=E*G`ah3Edb-}@?}^X&zm<%J>R2#6Qt`bN9uTCENC(%kU33MvfUG9q} zao?{(f|?mxw9$(u3iHYOad1HNJ99Pw)CF~A&y)EZZ|W_suRAHh1M6ckzSL zXmEz(MyFXV?eHN(g#H!yy|qB3eRuh3k(}Zvmp9TscJ&tdNq5d(FFttVv6w5QM_{km z5Re?e!0jbH>U(c14%-1Z{f9RPs_9)|2CyBm6Ogy-Cyn=%@zuA^mYifsJ@QCQX9;dS z{wFoh_d_z-Uk5bC`@gTix;y}qjHRW@$iY_Ew%TSfCIh6X!kOx78kx{3X~B0?mq=P_ z6e7ahB(zf#Eyq^DrIk#9gN^aoc<|p(I#HO~E_B7Gp@yB@eB1P-V| zL6zaV=%iEUA?D8&ue*TL?^|G5%}WqHt0qZWCQuHu*!t2*u0#AnqN6DCj!3yKYYACc zPbeIpv7({wHg~U_a7Aij*ugGgW&wM&Qr3`RI$i#wT=lnU$ncM-s3)mT=v6M{7MZv? zwzc3;U&bK5D1^5$x1 zBM%yM4%d$gt0`+opVrBdkF`zC?&_lL1x z7Dhe`7>us8C?4kEx}77jN4j2GGU+@YbhlMW6ttrz+EsiQ-A0U*?KuWvc`u z=ZLdBH6u8t(me!ijnDZFfCJAQUpR}F);Hd8Gf%V4#sP_dKK?u43vz{SuOr@1?&sDaYLiu3ZLPNnJ9!^rPVdYdQumZT$!`29f?L|~DS5`SdMjt1THj-~nXk(Z$+ z3$c(b1}17#5H6b-6fxy2TpFY8?^YWl)Dg9Fg%muI`}@!q7UD&#(@7T)q@+OWvbAPl zyCCEq-&HO!l~-Yk6P{qCO!gcDDk_}RvoLl!sP?t@jU%bx$=h2|f|I3Ec|e>Hs}|~f zC`V|oq?U)UlXxEASFcp-b9V-W`i^+v1vuq8#S}C+=;p1za2mgfE7j>?m7@|tLMX`q zQoMI^V#^3&_VmEHf{)>VQyI4MaA8fqM%X1HGTG6AQrELm1)6zq>GUCdPRgUvtvl|5aq1w$8N4L=hTHONO%vXW%p!N|Xbg)fe2 zSZ(L_H!fNau3<)l!F`-0YWY|g?2)l!avB4ox!e_}Y8bW_H7m{7v>_85;nl7uJK zhTj#L_RS>rqrtX`>q(T3f3ei!KqV$YjW~U2ec(3Eo!$HpHt%6%DJ&8|!wqC{CSEpw z#sV&F>^`e>2QI!U3pv&?HGAAoEK=_+89xSw+(=rcWfl1et8z_$YfU)}hO*7~w{#b` zY#O_s;jYGH;nONPzfq|E1)xHQ{rqc-x>zY+5i15wpb8MJk$JYnqD6XgA3AuD8=MFkjKdb?6dlRJIss%^}`9_Soh}+p?0YFS%Gy{ zO>zsO;pX+eRb=6!J(nG5zdpTFUuaYw-k72rC4JiblGTO%%UKm-XZM&YDjX*pH9|VH~n_Wb60dxYJmo!eI&`f10=v=$Bu3(x^1}22?-0&4( zM9BCbXz5-cEWT^Hnft5}ftg9AM!R%`M>YQnwFvI1eUh&<50~>g0M@hiY4~B4=`=7m z?z&Cq?nK(`*83t{*AnEf9*xR2d90Mv*K#PQ)Q{LSY<4B-mewhYaPJIhW|D_%^)a61 zfFqc2nucJcYI4i)QxSewoAIu~UKtSUlR0VLhJoKwBG-V%n9bMkJd~T;GbZXqAlQLT^$k>GFpmn7XuUHQ(v= zht)@LgM!>Ij+FJdTdb`m5wRmD`Y$tJ`YWiBjEbB;3NTejNXyo+}+b=rWq!UZ( zu#pQ?LcV+WEc?u#6KrpILLWun98afD8sl>=X6!F|!iKB!@(gXuHiC$$tDJ!T4J*y_ zvIgccL5>_MK`gaM!dW@mX!Xc4%F+!!${l_FH8Z=qbF@*hPMDQ|re0q{e_n>;B#aYi^dw_)k zcQ4vx%5|dNeh*$lkdKgtzb!f#zK|E4f^z;SQ&)hhZ>K(K);W`l@6gDs+2d?D7o$Q8 zAj#p~8IQ5uUnrut$T9UchLus;z6@{r#j|#8NsT{NtUDZZE*eITwwX*6;HF5%ziQ+B zbgNQ8jq6(Q|JlB30Qa_*EheLus87i({+FF$y6ALJmQ9;--j)?^zpkyCBSzzqIq|&z zekuGg+C_#tu6QI|radU16m3*KKr61~O{swG#b1sq!SD}9fS0Or1I}5(JSr>b3e_y) zqz%_FT-c542fx0ODr}gJmFb<%x?;2NP>1kih8Yf%%HpA-X`XjTvAxK?kKE(d&RC zaey_G?a0&)X(7P_BO4*jUU42E!z`Hm=ewyxo2^P|$Juov_n{adAup}UPTJb|HRRTr zm8UN!X%mXbK^cx_T77Rw-k~dk+}}2Md2E*eEylV#bQwTla=yIfo|D&d9r-isBtz}T zp0B)qq5g)_WsgWILG^>1f5Q4&0E4!JgzhN+_J-d&Huc9-r~{$$gw@5~h4AH^;Y9oBkGD>x(r+V@ht?tgv2S8l zLQ$W}ZQU5X53= z+cInoLIt^0J{u6+vyzEK>cbfg(^O!5QNn!*K=#BPHP1az+^UrP)bVwB>un>$fOEvw z-LmrgSzYCni2I)BPsyF8MC;W~USIH{&Y6G7pigpfGOTG91ZUj_%@%$QRdq%;9>OSy z5du@0p{YB5Wi)uRR?`Nxx#)_E3AX3h`k{Ud=I(~SEW>L3Q)kIToif&*1t9}yZG-&S z_4MW@SZ*UP{4<18i7B~YN9QcNa}EUXx{W!!D+18HI^pkVPwxC4O1FoV|CDfO(3H`^ zyund*7Y%f5Ic>G({aeWiGm>s66bA))eulD2yg1uM2w&@lusih|KsV+xnX=~5GS16b zlsIgzZd^IeGP>Y33+?>u#+iZUAGxj|XldrMwL%T!o}RPg{wvcDqN1M`+JxQj0H(LN zvDMqq$V~#^&3oe3Vh-4E4cOkccFzHmZdw9ds$VZ&j;m$D-7h|R;GncPvhSL+#x9hP zxiqN&Y0SaSv&`xo2SZWKJ@an!sRKJb-}^&enM#Tx1Id285uMCUyg&%0^+dMvXdf_j z=c%pQFAuxOX?MZ{pWKcLG-0-0BNXmYOX77E?Qskg=5phF2Oi*QM<3nY?_1f6iiX$4 zD;@%J#w$k2#^FrtY-U&WhQoufHZ_Gg$+=T(Rv8tZ7}wi~oAPzLT`8-Pd+WaUUb1XG zUmZ~26>3BExrN;(=ooHy30qTg-DE=ZGhy{q+QrB^@UgY2Y)$&{a^NU%RWg9**?GR^ zNm{qfdC|}SRF)b1EPxJ5#+J~(D7>NV&bgr4r;FbFO@6;!n1KtDpl$g9+De@nxuTq7 zWodP3$Wu~~4p2Hxbwo=qn2x<*SH4h*Gq7%)SbVFB{lvq2A1s4n^L%Ky zxrWeWi?JPPjF~>he>mEqQ(X6!OY%sn(7Z#WVAHc~thfC_n!tnkEjx#tCOx#&27_HB zNpTNyw2TW(+-N;=facr;Ccog>(1PNuLzGZ_o2B9D2{W^y*ehv9yBK%DUA+bxKjt$S z3>HL62xX#0jbwm^_(}%MaWAgdga=0!A(qF@9Yl=a#$OUs&hylQ!B_@ps~9dLtzfDt z%RhNetZ`TISQn{qQ2o(aOjs)t&uZj z_vJEX^)-G493%3;$VVv({F(l#>$g8_uYku%3o1DtzMnjLK77@e2tOv_cUg%{MNS#6 zQH)YBg*t_o*2wPS+BgQ#k!rsla&%7E{+cnbA#AWkVt=tsD{bK6;L#w*b1cutn^z-< ztqjuPaI$L>@#xkknUHsum+yX~casPyK!R^H>hi4gzkslc0*0ahABe|hXzZDA?3o;WLtEWATR#eicElKOzy)UbxeUu# zf7Ep{O50}dMf%T)S9PGOBtpV0?smzWL+A$V$;kk6%7x_x0pZG~MMj#J0eHI9kF>+f zzxS4dtsMzm$J(tdXpBs9MrF$5x=6iCs)U-)BvLPnHR{N(%h){&%d|r3BP&j~Q&{(F zgn-xu!e%5v!>I>m22VB7209)|ciOUAF9EOwoX!}NKZ^>G|57iYlrh{oEOb1Zjr^A= zB0{zx=w8v3afALyG$hP#$S7V?;IqcMssTZ7ey|(L#cY!^Me7)vhyhFph8@F~?uB`t zFqbYd9aqio7VizfgNzLr7-_Nq69m*Wb$dlZUdIm&E<&ZMjN3ev*g(x#@qhZ0@JOt6 z&XxVzW9aK~u#`xU92$mz!x z7O;lvM(rKwQD9_L49OO#(W{;2`XsR`nGPw!*i_b4MQcmak)F<|I3xe?!MQlPe@8Lz4FQ>m8-F8^V^rF}+ zjIB7It`?!2*8;_K)@Wuoa^MtNLRj@DCTB;$6hfo6g2R2|>0uk{UBJQa{M{BFFtljw4ic z3(>F_bgAjAEdc_)6i+aXO5wda$#l`DjA_9E6JTNX5BCZ^LpnIko4*AYqvD6250g5V z96GVb=M2rWoHf^-y{nI;XS}SB0dWH@l(Mi(Zhk#_KbOT|#oN^93XGFd98LK|u)gD?oy;50RB?GybIM{VgCPVe71>-hEB^wg%RPs~f z2GF1*79laK5z9RM1#cpu3u}i&Cx&{*Lsb||Ec4(OG`}%pxjL=Izp>&Vm&8&8{AE#LM#Wr2Gf^E)XAM5Y74!&3{P&tSPy+N#YOT$4Kzzc>=h472Bz`oi$aeV%ABqs%z8F6xQYBni`US>^VH$-=G zl*aE>x-h11*Cg!qR9xyGMlm~isdJFUM}N)|ClWO@NS_*#QiPJhhsG{eejkFg$3cLMkIZkzc>0{X3fCM&s_f@{wJXMMZnodxbT}>a zoz;nvU?TXdz!cT{_!ykrDNj)q$`eLQKk{#w&9N)z2VK$A?r#ADkd$I+x;_vZDbdEz{X(#`2j&gTox3{#2+PI z-Su@woA6JqJn)pEpr*T)3&oLR6KI3ZNnz*9zRBJ%i(vM^h2xN>aw zu7_qq0+z7;$;am)s4eB5BB=OwIqadi+fL4 zQjC~hYvPNU(r6q^>T2hMrZRnq%fd5L{^ROqU9V@CZ*Zu}gOU6${q@qtpJvweQ-g*V zyq}K??t6v*#y-xW-LaQ_GFYhmrgaa8R$f>ME2G-iLY!d<)etV4bviNlT~SKz`}5;t zAEY4H<(d$Mk_|j3;FL$^u}%s0{VeXV|8x$pz0x_n*TVZaw^#&{FlcoiaNu#r z7&2+OS#-(42DfZ;jKlFki>%+O`v9OiAk8EawVa%BU|Op=cCeYt8GwFjkbm}}eWjTKI`|T9 z%i^ST4i-b{DirHKLFZDI%|PPsbswGSkxa_*Nuj{SuNT@{uQF{S;kEQ`aJINn%pY9J zlH?5O3#l0|crvC;7j^A;qW;a;_K!a)d((xlf&m`wSrvX3?4%D(WKA_pRYj~mG2+0` z=3HP>DuX2MAD!*!Ik`!M%&*V7-7>e_Kuf2ZGLOxv#7464WiOc|K{U=Y!2aS{q%P{7 z=c->$E|(s0zlk!9VX(%(*8+VFH{pgGrqcdyO$l#2?&$p3#2Yl8t&YF3GNDO7hg21O z!hVil&_Wg#J-g>2J9p{bXe$0m!Li;x!EHNWI?soG!L73x5vb8n6Sit@x`-2nAf8LD zP@)oqt;#!?7Q~@v3$x7C7$#aDLEDa`Z$X1*?#{|*9lAT^fPk@Ls*L(2XGuG^C!3~6 zmC(o3_%>KvGMXG;qeyMvXn)C9anH|egw!+!2PZEaiY?;FKm zTh0)HM*C0^n;I}GS#c%rkl{B_tjD~+JUb=3k&?Y^Rt#_ciRoZ>>xTjJ>WQUg$<1cF z>*y75Z9a!7`JNpZJYBB0uW#8{E=)^fLZwO*Y-%*Q)|ovXL4~ia;S&(d=9#8nK=;n; z(_4)SgjE^(Ly=x5K|;T4dKrayLpn}qbf9p9x%sY6+gYAvuE6pn0EQ`AYAp7MWsI=H zHgQZli@ziC-bJ%c@eblusfy{AMpdTh=Fr5J8{(AMfW#3sq(AS*c5O-lXE26cGJ#AT zeXm>bRrc-vZ1L^CJ+~W1 zjtpcIx3E=20`qK@6_msIz5fB8cC5 zqTQnB9SO(Va(oLuFZ1ugsQ~KQ!&P_k*^AxEBS-piWXJXqtG@PQ7JMF)3*1KL-(PD` zmc&_Ydm*aCHXkEvdb7w=>w^e&5RKgZw;-&|$XXND7^fPPjp_R`o3v&m?jyI+N>voq1HgpdR zeR>&A2?*m70l{@kdNq$FXn>8NS#1ONw+I(I0Qy%H*Cy*U7=7vLZ=*E_DvX{x_ z6phC2kabqE`3x*PZ@Z-A1fCE9*`8Mo7YBf0fOw2>!8f*_(Dkcguxf?%qApViLu=FR ze9|LFG|)&D7^2@}#Xu%(VSP3h7j9AeTRbwpRuC#vAQC1ZzK%&H?Hp_xc=)o<2F_Co zY|8KaB5{*c33z_FR%89FgL)Cp$FF`LP`Ic)2 zE#H>`RQR|IaTe@U3caY4ryA$xhFH3emXB9-7fr8@lC6GG*me`A?$&)D-n-zu zj&B&|xdNA_^Nmkad!1D!#J@oLtSw{RMT=ULMk4_+XLH7JGGtlZG2HfaM{Nh)Hrraq zCnkTiL(3N(2W^7KQN@D!X9&;v0KDYlINw5IYd`?9!)Ml7S_N)$6l~bU+r1^8>ae=A zm}bMX%N;o$Z_bS5oD0x3wSrjr`DE|+zihv^1v83i?} z(6ZsW&i6o!L@aHU(|tyJYdw$=kj_Qmc|6NsG@xV;N@+y&M9beBaGvI{OsK_njC7-i z+5vSP)FFX^=H3N7tCM^bvidr`6YSt$h3enttriuhZmph?chZi4b34<0EUX(hDLAjz zqz1sQ#_gg6lfMxBEYEz}JtXX)r+a-Jk5-CSe8kx5tV57SK<%ktpMi9g912a=k!$3d z*|OQSU=l>;C+ek}y&pc6GovlxmQn``vRV3!e}4+p5-E!88GG77^|(N9z6iBedGDZ& zOgMe|gY!okY%FzVKlLJKc|v;!6Kvp>q_l_iM~J@rB1XDM*`q#zw}LJQ(DNG&g)R(i z>Z12x!~A&(4w``QR-r?$+aqnDcwWoeF8xj^PQ!+5}8Pl9dA-(|_;(aY5ie{_rzK5w$k z^!-yKRI60M6w$S|%6p1BFj^Io}~5hYph$oK02@GVNX z9T?{UTaH{-!@L&z<0sa~k5G}N@dP6798ddo^MV~luQ@RFX zKN>HV+j(9!ylxH-rf7+^CL*$R?-{PbTu;^Zd`{SYI!R75b-x6#tp{TiF5a7lma;4m zxaw0Ya}(nUUuR>&lfLhWE@_UkYsrMU)PNOfZilcNbo3=gM*Jp{R|XPW*T?r~!PJ~~ zZqt`F&dubx3UYq3vB49RY=j=xwa&YNvDGF?fvB%8vL|c+IofUC|MYXg!t2D0n>3x3i92a@Hz4e`j;|)3D%AKWBO{fK`enrI)6v zq?xK1hcI&Y^nDK@yqHPQj8dp=eUaQ&H*Sgg?qmbw!FpW-uAx=Fc_$x2o(H=JzEek1avMZH> z?L1-++K`}rB){g-7Gb|@(U}^RY4+Ff>9Vf!a+=kvCwq2mRBxw#pHa9pDPta;$|K%} zNs=0-mV>Q@u_q#Kx~D1QXEyq~zFM25VGhLUyk?Th{ToFKeVq=irr}c%u(OSE zhK}X>no+N$XiMOJNetm6lYr_U*7HoPm{hyr*(#u-gsfup_pv!!BMNjBLuv!n`wu!(d!g0k* ze4^g5xmPM}P(D0C-{vzm_mE6WS!9a!7V)=b2{t}P@SH&<^hr`se^9CQPum76^j%jj zjtwQKl&6<#P~{4XzA(Gmh|E|v&3IqTp^s=tW;2f<#DAQh<1%Q8ux$d+!^vP*po%`v zHrS(GaJ`uIPq%_Dg4B;vl$TxKTSPSJJVyy+;D@)#&GOrQ`)#!DA{bn(uG1@^Zq(0% z#T>T07YDmzRt}cNXD`&R>7@_=cx1O%VSy2x=Ir&H;c?tU`n>jL8MA+GH9T4Z$Pq$N zuDakhaj13Rx?tu^6VKE-HKm5N-EV(f!LZ$HNigyjctLCaTYt^i0jd5Q@sDABV`mF@O*K9%MjVFDPTO|A8-TXNQaG54H7A)u-<$S$B5m$PvB2)uJar+Bu5NDBD*_&^CQFH4?6J(pP?iC)X@cxpiVEiX9rS4d8-k z$9Rt=Rh#Xzbft^$L)AC)$PyZ!cBa8wS&Ng09kmLvjVzOlJ$A?kB&;{&zzryqA%`^=VXy*XheVx#Is)Cm@R1a@M3t$$n~+}d zy$8Mm*N=B+M0-F&2mja}13Whs@IWeycp8rj+~UXtX5pO#lS1Jg{My(@D(AVwB=ktH zJ6^}%v7(UbhU5T|8G^9qjeg%z{G@HcmV_uT$Ha=+;!f^~HM+gkpue&~9s^S;{>VLc zkOS;j5k1l6uO76pJmD=(76V-1;ZH2!9lfTp3}wKO_qBId zzwtG-fO;D_fa3;szwYfba(sl32Hy{>`YtyKdp^)K6DSur=^mMy!c+J>=MH>~P(?lo zk{{g#0f}Qh6zi4`v^T5P5(cKfS7AZi}a z=RF-GYPRU{UtAG4UZ<9TItLn9Aw?Tn!c_keKlw6q#ekWUG{U-Q9$03jbHjR4o!ogc z2}fL;eF3ZGmSZPiw>(-wwwounqOQBJS{t!kJnb03f5c)bp8islG7d&x0 zHLz%cW&l9+0lwexBTyxy$r2}dcq<^8_tEE=5EFRGf*B&Y0TXW^`Y4u5 z#*AIYW!6N#1TOoAAx^v^q_+RNp{=r7gi&YBH%(_teTCJu z8p6GGa#)b+re*b%w!Y@LNNAWXpz@vXZU|6Rk!zjpY8cF!oN$QSp(J|xQG^=ldF#@5 zR^K||68LQoo|Jmo9a|?(jq!4G8zzLNK!rC>?h73*tNl)|3dtU9A7K94hx3XL4h@WM zIC4}k)Z1CLnM1|u<53-!$5wkwvp3)aPP2Disnwuf_<7HI8pU~_fy7RmG`q*mjYfwf z%*7dFh7Th>)?BhkW~hef*#R>JE768((KH)l7yMXpyS}Krm?1B9kQPE93y_*ao-f7_ z3?O%Wc_(0Fmezqoh<+c~x@iuUPp-uXQZ=+v#fi}EHf!!f!ctQfxj1hwK^KI)gqB^y zVNX*LV3_2TKHM32Pp4zA0)5y4VNV4*?UbD#X0x8p3M_W+yaRHfBG5J*mdRheN(Y9m0BFLBXZ!dn^iTUYt z=BLfj(iLHK9($C@+bqr&^NU~;uNa1X0k&P~(s{oVR#twA&|6w=?9O(MD+3mE7<$CF z(;bsPES&P`uYY}BcI)xAUG>Qx!#>o&5#h7klfO6Sge!5u*Nt5M;ub!S?>$nA7Z29uF4upnar21sR;p0Tjm6gvSoCRr9>3ITq0&@b>DnAM}ts!b* zqMIblS#Z&?*{*?%0*hd+$X~zqnHuUk!g?{Rw|-I04;8P}B+!BAS3gmYTznx0#v1Wy_(D@s07q_$+; zo+U9W+=0bRf}BQjvpR7ktgQ;pQl;>CKtKz~lFJSnFGsGZzLS_(NNzadbi#yjQMX*L zj*QXJ06@G5KpRe7J=L?htI)|5FnWO!v3dQ$bseKpEpiAp(V!3_LMCcxk`O3*MBo-L zEx_Qe1w5Jw3A@Z?YXN^PMHd2^1I9>d1j?Px&H4U1ll%IxbtP{}-$lP0WB+h*ZEVOL{KUPEbZtL47}U3u;XVs7`~{zm zpU9t9DAx&e_tLb_8sBhjSmdZ^Uau>|DeA--;r~9W=F15$N*{9Y^kqNm_w-A=`-mbGxzl{6YNbj*A9-D~nz!1qftCxVM^48aBLP8uzMea;zJT*C8y&`2)IQ|M{U(jQWZv|nQ~#0~ z{Wx;o1@o=>7kL-_DbZ_m!2L}ckKZ62#Ye-OS|GRY4whQ_t{i9`>V~^ndX>NxI@t5L zf@4_SpGow9I49@Gofs@hyDih5g@0SFj|A@8bm~=HtvoF>Q!H&q=t)kQmM{CZ1gP{r z;&JMv*>926x4d6(byIOxxA9C*;77mn=J6}VZ0#KavJuKrP2F4NsdHB0scqcU&eK<3 zX%;Ub(O<|Y1U|+nHt5ji;-zL3IILSQYN3{C*Qr>z$x8C6)39YKhv6F>4fvq!Hro3$?`v98$Qm}ecbL<=s%*$ z%?z4f><%L<+rqz*45J-p4MN}X-AX5_A~*-dsBm-;j&|I3A5TcL=sm5Ln-|55*!R@^ ztPmO%&t@76#Mn+chL)AWpb(!-FuSAC`@IxSzpYln5b1K&N ziG%sdpwx}3UmdrZ8n+>PW&lc$`2 zDY_AlxdRUdnng7GbH|4RmH#`QJOjnK-X+_$f@_fxnGWjswHwDNgi%#8$Bz`v`M2)k z1(-W-SI|%SbGb*B0*hbCRiN4NqO$Uh`%rp}cY@mh2AHgQ>fExi{i6V#f_20I;I2Zy zw;rB=?o3d=v5{bf{2Kv$=;X_sZ&ceE9;eE0+%*5q1*&7O;bKX;bNP%an&&SzO0Ogk zq_3u&G!m&+?oc^BiIyCZR@~pKnf*uf#4GZIs}17@v##;ET_Wb((Y2ior$Sh@sVo1b zrP15a`?9*o;KL2+hDXmnc__9qR3_Ai-~{KcJK#}b|9>L&92nOVfV^_XCQPBD;4|1d z;AM_8vv0K^*>ho5++>OqC~w(g=-9>gGsS8Q_<*6EXw~u3458pwh#>>NgtEDn`QB(= zOc?0(GeEv~F!CNC%wpWnhG(^DcF!?y%|8R-Qk8)6#{U?~kMqhcC!?qm8K;uVYre@~TR>D8f=D{dG-K`tW3IZ{1xG(QawitLTK&#ZyWC zm$@8QflmC@v&#gNH-Xl?RU}s|5gDW+I(>CNyD$N_r2(0p258@=>!so20(I%CY@uu^ zmaN&PX<@?dH-Lu;?#9G<^gafO>s0-(yt5iLZgQx9l069Cu?WzSo$KBc4!sx8U7dN~ zxB&jGER4|(#qq6GvBE`HHIBOawOa}#D9JwLBuSRjjuUnZ)6^DcTy9cHi5^a7f4svL#ulhi08*O0Mq2xI$6{*F$ZR1KrbT$lBc1S0S?JU&@?i=7vPP z0$g26IM(ieyhpo!D`zhs3RDzKZCJ!gmdpTod1@J_=c5#bxxSz(^Tt^}k7J5ql&E)*sRV46g_+h!NfaqV#f&;}&5v6S zaV+(G%7^HGmRfPLHv(5vRqPf!`LR!j+0{YWZr-S8QUbCeD#Wug9pw~qDi zeLjP4?=tll4(7D3tmwvJM=`jQ+3X$C6|?v@8{ADZ z6aFXF3`Xwftoaf~a<^m*4cb`ZhT6zn(J6u{w{r|bQm8DGrFm$EXj<)BE`jjbTbmwF zH8tP~?Y2YVi3Yctg|d*{e8GOFr0&bCT#5Q0VS964-hR6wh*0LgV!5)4|645AI;h|s z%sjo{wioTjGNzM z=arJfnll33o6VIc>8)@r%6^g({()6sw}G_)K2&KCyb{Jo@YMozB?9n4%}#|nAT|2^ zr>!|otNm{k!Jvflu(ysU@Vo8T71#3ef0%8nzWci~1(D^I;K*1FZ`A*!a+@sY;4;-4 zcxi|E!Nh80qZGnJ=0fd}s>OxpIC%R<4~ReKFaL96JV`DG^nv_^DX_|+6eYf|FDW1g z08%MlM$wNzf!(JoEzx!Rg;DXh+TIAx8s$utlwLSgB1cH z-ad^n!{w5Ubjd6~8WOm9e$WM!jt<2TgyJstBCIyPX-tD)n8PN(y()!RoRuch#TjFS zgVPws2u8CpFrjstFf$YFpcX?l#6%JYZ7A~51O#KC;e!Pz`d|s^)Zu4eI%0uK^cTBc zuAmpNJEM?50OaR}L)G*|Kl=R!696i+chPUHGKF4Mob^BVF9QhPBp4`ver0Q_7S0nv zKCcd}`W7wc!%&j`$L*s3)7v(mu`1MG9V|Gl?y5h)G-Tj!iufB(5ahJZ-F!f3zE9&D z8Gvw7WW)mV`v8-cFR=+;@u-xC%pQ24YbE^j&kWV1Z_77kKXz6d}G*rE`uZ$}B8Oc7no>w)m@w%0%7+TNSea zAt--bKaBA?JV5N#N4q+^yNN*t!{`kr-DuIn@xmqK3GUsWLG~487#^ZQUU_JlFfu@6 z527V@0~Z-T02McCgvG8cHGey70D^0>u2Ws!;k^jE`-+Df)ouVrH7PUzK(u8c+gW`= zZ3k*xyPz9&ah{hLz~gp_kpK~Jv`w~FX1f2amP_d0^fnU)^k22y0X8xh7!VZhS|kvx%&nCS z47dq(6|}9&V~mRb6Wqpc6$*SH?*$q{{2YpxkP{%2pV+Rhu|KUm-6d2uV+j?x;JM1k zAixh#3qs(;n}anLWD;eKdrz6|B>;z7V2MEuZXL^`hbHHXl0CewHWw6WpD*rv)M$*Y z!l?Sq*5Xg2zC{rnv;Q*}L~yq2Yf8rz!!Q}75#tYBLoLZy*=F>(w3hC-sn(L6Sp}4} zCPJ&x4IB>n3a1aGl2@^cJ<>}ul;JdE;<`u_j-g3bGLfy$Gxzr6m&CeF)u>RYvta?t z&1#Lf6o7vMX|(f(P^MQMF!^S!5i;dwAJCA*Mz?V=*Qja!-(fr$>8NODOslT&TFs;q zZe!ZUwwY&6YfJuT`bO|pCL@JLLmC9tBtRg&WZBGuak7KJimS@#QPY|*r3C$wjO~*J z?j~jqp^$r>$fVyK?wD2xbE(_-zI$LSPCmGa+L!UW2~VJ*=Ly?Ow57NZ)wVxlWRaqY zFrB7))o#)hzG~Du$id$HMKllV=dEa`PtLYq)udh~uv)}ScvgsvcA6VgRh%bRYr5ll zB;E@rbx&KHN`R>&%_Qzf4^Pc#LgO@nZ`GFz2Z;g=`!qnw>vs^#fZ0aCZxr{a>+64+ z+x+R6k#OHCN?s}0pv4Y^-IZ~wp9(@q!F!OC0-TYNq8am!%%~jny~Hq*{Lw}lekHH9 zG{v;AOC7+J*0{QvX7VXyxI#rrACju(iyq`?&M_IF*d+#;J;_DPTm|N1vL43bM;Ex_ zb8B1-rAcp#-Hn8cA>d=vai;<`s+0<-hYHwdx(E5uF9#5H(~hR&6kE$Dfk`WT zAYA$P2PN0;KL)s_NZNe51a37E4Q2imF^sJwr~Ke$xy8LZz|KY(6Mss54?~N+P;T$U zgIhWU04)ob4}H~|!WhN^KiPn=!2oTjP!J){R;c3lVI#o2w1EV^4CKPoeL`csi9^!p z`NV7Z0)B_%O%sv9oQy^c;er@5!e^BpP|oOl@e&@M(}4*@f=_oFH>v(57EoPDGqpIU2ihSnnx_a{BO(Ulk^P+bh#`dG^D$r_J`EP!hw4n=($PZ;f|L_!y2uP`c`jr0gd&4J z#gfx*IGY~LR1(BqD>$#MS zuP}dBpR+?t(X|;o<)aC!HHM|Dm)XQ*awV~TM>0eW#KF4HxbXd-tfxs@5|9ZsyQ@brgZ#7q^ZrDmeC{LP={ch$V;dXLn=qb4(*`tFLcy*l6a`YPz zUX@r=98){W(ev68{Rhy&$iCucKS6YvG<(V7ulem5If^8)x>elBA~F7m2xr?iIlqD6 zS~aFR>0A}AlkIAMfDyj)o`wGfB(}?IBe1I%I1v{p)X@Oy7(*%o>VtwqP9_q4%jDVd zKjd$Og^+Mas{c>^?yLGQ`MX2?zm>lY8?v+!m^-rnSlb$r3h$X-7V;~qJ(=dw``e$>W zxs|8huy9gVvSN?h#9tBH7rKSoTq2;l2mO@)7ks{-+H;|2p2| zi?#a0hy7!!@Fo*B?EN#tiNED7h6+ zuWg-I!@ilae+2?Iz7-7Ye4o0tIc95f)XerW^s?Wmvy68aSm$>IFX10g+}EO|HDzXK zvnzMM5V14ETrPj7N7p%K9o~W6<3)VEIjc}}7Q^F-9;|&v7{OELTJvefKp5rks{ovs z2~OU=&O_KWa^luyaC($=gUo{-*#dyGuh7Ydiy%ATjuLFS_duBn|5~yekJn0I7xFqi z0*f`AIKu1p>i_Ru(7WIU$*raqfesaTbWX_kRXD=YOkB<&*kJZ)4AF@GR2F>OzW+w` zc5DcX^I3`#JiHvn^kCO0#8$5jV{scXnQfphOv_&9xn4LBGTG&Ip(aUS~VQfq$puGmR?%KruLc^OtheMHL z)T{8!5EFH~^|Dw&!~cMpYiD6Ntzrpd0-!3)uHfY?Uu4}NYANNd>Z_ed^C|V}_dqnV ztXa5F!%vB)0w+Sb9CU9n^!caEn=kTR>K^pXsmZmGkjf5Q=5blw4yf*2;-FO%kYeX> zXhJhAzFyTX>fl_W3D$VSWn2-dQdLu&?idt_M^3bppX}8?mN9UEAPXKK0(A+_RoAR+79}O}(h3 zOsJhK-yva;zJ?m4V%cB2oJ{hFb$dTx9{9)=IS^aE%~Xs0yLi3AI$W_~z2DV+tx5=N zH8#E=)|f%3T5;NtoPgB&#M})4D^yMkRjHs*@(km&Dc(P3vP+}w#!XM9}qLL#pQI1qy?U1 z_pdKhl(0aG@ViUd1QRi`s1g2GcI;flDZ*FRwtv!hY7&bP$Fs6T!(+yiBnsau8GHU_@vkXcf2!U?vv zgR@N}ZSrvTISUv2Rp2g$+=r#(SuBrl)7TM_O8`Ir5#F z15~EQZ6P+hKe)}YEINP03V_wp8kHvsM*DFHv397&Ii?4@xW#LVvJHL+u8OkHCzb^y ztALzcR^|4R*6zvn%XDoDc>tCW6pxzp>-VcZ?r7&4<`|-^KYk$bs41PUPUy^2=K;li6u_y%<;{t81FLJI-f@R z5KhRraUkxViZU4j>O&kML*Fa z!}AxZ&{4Y@>>(jh>2Gk@yX=AdJ{`c5;GpinySbicAwzNTO2ID|C*Zlxm*F%k`l~Rb z@!|3`3GJVQ4y1+9?UhcZDSc6H1!@{Rfs2ns=u(l*)}BMm|4f+wKGds;$X^3_a_bls zgO+=2k0Qk|1@Bupo0o%mtB@!8FD#zPcUe>uS+p4V?mm$&XgZ1*ob|OFA#E~ou}_23 zt>g&~2$h|bAyf&n4P1bX!uvx}D7_Bn#N{TnO%~6;bw?0v@z7dF-(3MI`AHPmJx3_D zE~!!nRR35LSk7Iuj^>)3KR=!r052vCCDtPp=_oKC@a**h4#4G+K`t_Hl__>p0$y|F z4OcfA+cHE2Jeg%xt@~Iz&`Sq(XeWi6q&%pVsa zi9#flh(wAR0Hv2D62zdAide!$EcrTZDm>Q*77#1Pau?csOmJCtpOq1^0!C6EQ@W%c$%!*L|Gtarz%UcXz$-U0U{Z5PnyUOC^E1&b zJkz*C{@P3W_G?S)ow>wH|B(32%wMF3FW5YUmOhTlaG6~ zCMFL}8d`qPB2R*guz;K6t}Y}mIUQpT*ywS>7mO(~MXtmYh{6cEhn%2Q{f%(nQt?)= zk}`L)ILc-mqE!~QGK7g>#F2DRliZox8P_Gxz)i1AGw9+x=-bm$by(`T1co$)-hRp)yS+jZ)P1wTY+lUqLx?oqEl1H4xO? zT7AIprV?l{oGxHybXK=M*ht~7dq1{Nz6#F$Ygw4_J2PA9&8QKLRMnBW4Zy~f2Wjq8 zr#UInk`N!w?ah@S1?R*G@}Nsw5w?H!RRc7i6tyOwc^|GKUM^}6!Q%$n4z8<9Q9?5w z`v)z6X|LAHYp0I5H9Eyx!M`S%&WU8AUQr~L1IxxC<^DSY*&u7~Cz%DtS`@#)0=K(F zI*NATYRo&DRzAB(NZ}{F6`F(5hBl$0t5LU)`dc5)aKl`l)pm0Z;x&FaUKjczo1xxl z5hq&W4b82neXOY-`v6O_>Z(VnGNPU}1YC+GR~@!6T%0W>g2n<%ZU|jCnS(_GN!^A* zi;)Z|k$MrDGwqt7YnaLRQie%#d%z9r%OQ3vL0n*0-|8dGhXS5lLP1ycaJmGy4L4?U zE3#-aV(41fFqdO7yA_fFw{;I35v;W%IC*716z)*44IUB1`V2!_Xr5c}IBbPL!p;Fo z{4Z9#YRYwfYjDCqi?9R6ozjwRi&PCBxHRVp$(a;EiGBssS} z4yH@l;w%x@`JIRQw#!Sm#g2ml7k1`% z!|L{?G}n1Xa^XL#F~QE4YcT@p<@x=$ho87EK0R|{2_*l!uT;-SoF>!YO-=y4t@=BE zf#$ViO^~f;Ls7aSAeIzmtYl;9jqmLfub7(`!=Bdr3M$CkIp&6gZQR0fVy64Z=;-K! z{0d37pQ@D9loaK1ZAB5_i#P;KTpl13V;6x!aVm_r6kH=u$?JyAA~3cxgj zD<97YN3gu)+mV8Jj;jV?1X5&m3BSBW5VuBHu>uQ#3{8&Wb?ciR&Cg2VAV}k{FSO_I zEQ8c=n*dO+NOEG=Y$L+C2k|=M6^Kh@RtC&ysP|)%TJ~CZa$!0umoi}SZF8Lm7*x3r zoq1zaA;ebo+)yl(;f}r(v^P}1E`0k;6R-Gwk>8xBzquax6L)Htjzp#iVqLZ^&RD=# zcdGO;LO(%+ehp!(y=EJX)V4!1X*1ITkmk(NvPS4j-C#$-Y0|#??X&mb&_!ILE+KC} zr`z<{Ky-HxwHXc#oUX^Eho@JG8dGr|?e{tMXDZ1TcbHw^q7V4XN`JQJ8jQL^MSr&@ z|Fd4{N_O<5$;b|glt5%Rgs-rE?Qtnh0S56i1L{u4xXcVLdW4GjnQ$qDeaCLRdROJ1sHw~inJAiix<(f zpe=3$R5qZ!`kuqYJ%f}&INl15dYGfd`OCJWG^aQ8Y?daZK<||G+et3IYHDf)HQ!o= zBfwlPTRCbSgr>-VP-w$9@ zO|jp{(^Xw{rX#%F_YCa}dDY{ASW|r>q>AcNoAYIV&r3>Po`jZ0h8{4r`%zcFU1!er z7xR!ehIS`xQv_S6ms5O8p5ow>dd zw61G@m$39fttG%Zh-P@Y)V*Yu@^|IlpUo4PZRc;#NsSP<*i^Oa?GcgChuj7Tf8;eQ zo36v=Ic^-fsM-PFPVX97uUjje?63n{{5F|YLT+U5(URVHAG7x*+Kz?OoQBb~Z;>q> zO)6xcGLKosO2VaiI=+&Al@|Bf?vAz=BjMV2!{|Wmcim{qlRrzKj$mw{E=jwf+@LXd zDD-I`rk95vq>6sIWP?M6Nx&wwU%qi9Ulfd2!o1_ij*+dJpZ2XmITMvG;;+F_bb&@q z>M);B?!^>)$w1lvqQ?Yu@<;X04Za$8z1Mc^HR=GxHYebwnQxBt1D30#H6R&5yxO`ni92i zM?eES5q5=2?UPwD2@=S>a4BCH!{01G(~N?H{nN&h+BmkYD2<8N`V!d!HZVMg$-QN0 zox7VhFw)wQx|CyPs*ARwX17k~@svB!k+sBMs5i>i zNl|OeZDjn1nd-A3r`!}bnFgGHOICxYWZcp$mzMq0?icb?;fGsDv(Ei>$9QXRF;*C| zrn%Iq`EoN;;W84;IzBPN{KqclLkn1zu}7d|I$ME|FZfNowQydyd#a4eC(d2~WppM0 zp2dxh4|Ii0<`974#F|*8SDSjWVNZs#<)`W}_p@_QL^N75eDLJCkhv%T{nQmKh#Q`Z zXOpX+1zz-P)Et|vNxRX~B^77soI&AM?#~Z9*`@RegE@N9tZ;v(1ZV&IMm?8F7ge2bLD+MfsuKNc($a z$Z8CNS1K5`o!YRODNSf0m(rqR)Cz~yh^o`(l1EsuCYA;<{PLi^jad_jmkVR082iLK zyAaybrbCcEGIx;xr(5oSpl4c^k)UG@2niZ*8Z=C-kgGVXlA0&5C!iC2wWC`2^-rupo@kHDqCjifS zrJyz`_iS*d)45a*dxmUNLd5O|+BD#{4VjES3i!t~uH))YUJFtXrVaRQyY9ylNV@n- z*b8J7p$A+faXV4m0EINgdgUb!RdLFuoui#Qb2%xPgA8#6L7mFdHm}z5?T##UeC62&(OWo> z$}Vh2@Nv3TD`jf6=m&MvS%~F7i#pC%j9pNA$V#WGG$@WAhgnX0lXf#)8#hBWXlL!x z77hdYS#RJui5cL4p`JC1g#dan+!YTP==~iX_|pe zfgL5I!IS9OarWn8?NkmEjG%hx_etv0W((_80;G1dG-&>rJeR$T^Z7HG(3e^_^=baJ z$F0NouQvdhbj?2(BKgtVY@8^-4%6+=6ckI=oHPUR#gX$-&} za6Gq@Jn5tO)+Rat39RojFtvJ6J5%zAgfI$!-xGv?#T~@P|)_X)aQC&1*H+uiJ z5d3SMG`7mZw;w5cs`u7MOdvs^0d&UyD5D%t8UDG!5z%v)&hK&P>3BEwD(vd+>T1uw zRb9BUgGS8*f@}C1E@z9TGg~T@$Wn>J{HNS6r2@ij-$B3`voBfbUZc>tL%}|JTB9Ssf*OS)0;v76?n)$gxtA3~DVXR>(l>#q1TDiAY#lupKd#aQ ziDL@23{+uODuH5f98H<%c2mG`+?+O7lNU25!Y;W>HH_5M$F;agA>-Uef+yVg;uG!g zA)8p{Cz=|KLtrdv`p<>rkI;;pBRr#h;#oM0Ql(kD6F!g{mS@DcoH*nyl@R(UNV0rH z=VOQADdU~)%WPi)mnI2+7$a`fIrBYf8Dv2so;?{m$L8Kyd=`v-i#$WDj+=gMP`>bF zgSQP;e~_Mo9I*?h%)ju$Ql3+Pe@Kx`CXzx!=pbnm5i&ef!_&M#r$_@t>JU{NqFXoq zIw<(Dl%Mz>yzGbh>Wp>_?@{gkaC!8FrTN0E>e@oa&n|n|*=SJ-KU};Ao+R!cAC!*M$3Z$s?N{LsxL=@%nntnyh z=y7Ao;-1@`yCT3Al$ng?U&QuIAiVf{v$f*e!@|V>$Jy$3CQ4c2{f#RRDkKh$Ek$u{ zt`-{8Fel1GM*P)w_-E@o*QRXX#RdtbX$V>eo2P3L?4>*VC(cU>KDGY4=i0C3=SS%B zXX$+913o;WJxy9vqENS|v$HB2zO>2RTX&`T>dBrn!XaB_z~Q9eg)XCReU{JUHknbV za9pj!>!Z3F&4;4tyT0qLpzRKN_;y_{-x8SdtZ}8LeTT9lUc0uM zR|{kBEi%=J1vMrNMDR6>lSx9!W=uC57@Tsq$u9)%XJs$7J%f()K=2OueW1$gk=Irnm9 zkQdcp1K)!dDb~!py81ZsyA0;3Sflu=ty1jN1xz;?9P?;|`j_5@M4>PC69PxIXT9w+ z;Whd>|K!b||A}3^5?u%c5@6CJtyd1RGu`L?(>2BE0bbI(9Ye&=F zQ%TZRGQ^Wd~$F3c2c>4)^Nl8sr`tC`&@qPJu61)5PS7^^f1T_>1l~v_gJ=yW>2OhpXh#YZcHpN;dwK5z4ML9P(0J!j^dFK{oF4=$Y+1f$c)L z#GfnYr-=>FP``zOwFx}06d=|I>vb_<`P;HDzWiL0E8vQP^pn#s5D&A7hFgf$&;X)@pM@TAulZX+Y%cKMK#o+|YgH*U~{SWdS#_huJGNae9?2(BvrC zD;Ou_l{I=D*^+;rOj$zbxRr|e$ZNt#VLnWLOG*}v5|Kj-AU|%=KNO$f8C4CM5sS4# zLs6ibJ{#CgVYO~od3zfqV4v4d1~f}V#9sn6E#Dq+mhqbQh#LR4DA6ulV%5voubC?U z2uQ#op1P?O!p%2W?HHtYt#G(!*csVp;QPmGGfk^TAv1fNJqvv$BDk%X2`F z-udBAPc~Ot9)qAnZ9ju~KkAC`ueS+<<-`u#sD>==|1qG{aq|X!giu89GF1(WlMX)d zPE?`OBA^IlkGs3i33zx0vlq3SnKMd=1)=Ymcxw83iqTun9k>G_Z7da~H0Dz}dhb%w z3H395PyjeiN|0;83BwBm!p?L@=+AC=-Sg9;e=L76x>9mT0LpI4u&@7ze~p_YkzKq1 zo7L)w)Pa|e(w^0COPL~Yj5-f^s>`y%mI)N9g|s!zt^r^7~Hf=BnoSn z8NFi#_`Np1ju_x#Wr4w%<-}u#JY&EMza;uZ!ox0Fm0<5>3GOD`v zPRNe85UT0uXgM2hg8#rVGBHGOxx6~YA>Ys2hjK9ka{P}#g3%jsW~HG>;fPAO^3n1& z==Zz6&x5m}k&!F#bBU{)iGifZu!enQBw)bowpukYEoWgt5W_HD5fkz&=cm?1;$h*& z?g%Xl;l2cP69sF>m{42ppKej6hvIP%$Xz_||5>_~8_~qYJkF&)aHlkvLOPr8nWQcBbzB&;=ww0-_*2}yacnUh15`w~?y-^!cFoQzb&E_6y-C@Pcl^GNfoLja= z5^ZYGLn)p1RaED!X-B7+p*1%;JW44&bzi$Le^%VPbEMM0Y~8#sBq?&l8HgKrJ-E)P zdrUOmr9&u3M2y$yai*&g7S3mcb#$f=lv-=j@+fu=2Z$;lnhwYf4|s%P)%?%!WprV_&)p} zKr=W4OL~F>Au)uIc0Dd7UwgOAQIpiyF^58V%F>8fNMc3hdiKiGdoI!^;7{d%Ox3+7 zqS6G}_~*ruq=bLp*!Kp#iHhgCcXt!Cnx-N*AKfApd6|i(e6F-+U2CAlv>2d;t%C+V z2+PaY-AF#lVwdZ2qctcTK8ntI{=4K5;G6i_`Dt6fRjU0P34lMBK&SpD8fh#?GA*>S z_=5c2NyNKyfrLY;FuZZO`sc!R;oA?%)5<`5pvr+XzlE)U<@9VCYyQ0GTCH^${4>&6 z!cuuKT2Wq1-N{Kw*%hbG(WvzPDwxsFp`^8sq7;X#wIA}%p-0bfADjWzsn1{X=5OB@)mX2L1qf+=*28k+t$z=clz6Q<*bDZVg^>8Rju%o z8R18fGYY!+7UfVPu!gyP}yseO#d0*+O->^DtfV3XDlv^eeNAlO|P`!UMg zS0gS5eBC0a&l#bh&WH-@#eT~dsa}i2t<2HnZks0{YnDH0&(r^2147z|jbX_}{x%cF z%R6t54j%m-Mf56TgB3P~jDVSCDqXCn8#)9#%bcdQx)16L#SA6m(-*K6QvgOHFh^rvSCMgD`; zin3#J`PzyWAQJep<1lIq=fI#r8Zpe$WoXY(3tvg9+hEJe3$M@XX8r`rx-6A#S>uzd zB0TJAm{}4m;D1Lf!Rm)~9L&_1rYGa|GQEx@&gr=4iF4m54RpV(UTH&#p-8O4ou*} zCDUGf2F-z^5Zfx?*B)H^hScW$F0*dms5~A()&U_nn0aLBpum?4x(eD7{Yf{G9@I=E z+x@a1Hqu3@cf0d3iyM$xS%DH)9~H*e?No6-KA*Ucabj)7_I0P|^I9YsCwXk1s^sl` z95lZ+$VlR&?AO6pSjF*Tk;!VWrZ^%>VL16Hi*IXNj~C8M^_X8shX*pMq3OfiemTx1 zBUoe-eMnaRdG$n8SJOMZ%mQx}WpGGFC1P^!MrBK;iK9qnKL{oXHhAV-0KI%;E~|lV zpVjqOgVs@a0yM0IG3WSRcx{>o(A{MV^9$<8^Mu+F&eIrZc_Z_w(@>pCDSFs$NXURP z3dptYwq*K^8gF7`fUl<=Ch;oh<daP_tCjB4RPhuF z17pT>I{x%w7?Xg9#Ra@+MWDU)D};Kl-DS_vVkb@CuQnHFI0{ty0vwy(-^<#=xfqOG z{Oa>%_wC2_swK0dN6@s%GZHSdEcS>cf}Z=Qi;W1$l#W8PAV>O9K(4Wb4CEMQ6uO>u z5_hs@RD6o6SGztz@$<^1`WsPCc9yeS`zIW|>VYvn=bTHKi{Ahe7x-4LP8|v+$WO^z z#5~53>#Yrpn;izcco+V&xxf3kZ=nl~%1hpr6<5+prOM5@HB32`zOs&AoM2Zg+k{6`a-b@^puLrc!#c=^#zd@Jt;_Ooeivy_4$i2y%- zI_^77yobQVFPHb_<*a2YbtnG)oI@hSuh96bPW0uEfRwLb2FxUw2(g9G+`w@k9qQOr zJ{Ikm-QG$!n8fdeULW>$ai)^Kg6rF%bRsuX_%g~H!$Xe?~H zmrWK~uc<|s87Ml(vqd<9;}1b(G00#3H>oo0&y)ea)u1!Z5oX%^Z`X5st`pLU50D;; zNmAYFVO%@M+Y@Ruka|u%D?o5kD@ot$HBG&|*VSWke@k`*S2pc3t#&fd}Pp=3EJRN}C?v%d{J=650~m1wU&-I6T)Y0}y|>;JuX;N)>H_b1#`7~W-^C_2*tB1~(PcN_ibiLI~6`-_K zsV38ubednvn@cY-RnDDLFEL$iHwPZiFP@Zm4a02x8&h|;o;8uX5lY}CKt662de&T% zpKHM`5wP7I`~~avkiYQPS^)bOPY+CzpOhx_pMOD$Zf%cSp+67qnUn|j)&jW^Vw%x? zkss}+M|c`wFix9m6K%QO^&J-gecN0ly}Qrdd`__?fVD}3kR)5?=wRE;hfka5tfy2G zmf2}r4#R$Nj;7T5H>SEeJ)GyJK#5>*HIkul(iY;OK>wK>T2kX1=1Jn5zqyVMe+G!f}-0!uZWtqR0=KfmE4YVh5 zaPU)X35|pMjk%kgxQV~Fw|0+SIwkEl=CaB%=VHs+aFfCC((P_M(fLjim-)vOeJ)EbeXNNj zf2>pC=b8w?omBdObfW+z3OAIWPFxF4!{h>mi!vsjsyVL7Pfi=h@x)1&Pslr6c|Qn; zl+HgPE!Hc7e{ssBt5YV>%kI0LEymb8oKMJ`4Elnc{9Fq><<2$xg*kMw=4AT0=BPw+vi@2NjPmCi|DqJD?zv{a zAP1Gobd%;o(oy5e%hL&K0oqY>2LD>)D7EboCGpR-Acl^4o$?aaf>Ah-4E_Zv-7}p+ zzaYg-m!7G7#Z4}emjg8t4KyK`H z1`%@ox2T0xWmT=752qv$Ur6f+%&&tr7PMo+B?o|GIJ00C?H9BRbiqZ+c^ArWL=PKd z=;D^DN{!8~ALt*AnQwu<>Zhkr3R5F<@K-zFcf2BY*rk8PMPjkas^-J8V?C>c9=Z%j zGh_x$9<+Qg7~4==6kMG~_*_GF4AIDW+9mK`7cQgEDr3RiVQtLRDAtP0ZIsv?wS47e zTn95y!~Mys5y1@5jhVY|?!rfO%7LdcZ6Kx9uIGW`>Sg;=Q&|L_2doh=ZEDP4p?PoF z!NRR4HqfN@cFoBf`R6ovn^*Mfk@|x7`OiUq&eQkpaGn2#{xwkZUfI74x%7km=b#t3 zDqv!((Fhi*tc-T2){lcAH*ng$T6Dc+lr**_8^9^dV=8 z&Qi#;?)<0@KU^;4siYD_Uw3Du@$0UN)(!^XHv7GxHFga0z;!SDI%LCXa|8+Aa@psyCRHP))%e`!j846a&?4J z^E#!K?CMn$#=Y_CtYLX%m8f!+Rm;X)-}t~TVd$V!Hxwj#7~o9`7{XBmm(pkmI9|n5 zau(IWnA*J|Tjmc)3lQxiOUMk^IK6D_IJp?d)AI}VA7HpHL?U)Q1HTLV(}+T22^8yT zk}L;s;b2^vE(gNYfD%-uTU;*FIwmkSfEBvjg#j-4ELeqLq*KZBkWz~h^%C6^uyPI4*Vo%8wAIl`?x|<@jf#FfqZbd#Kf?`^ydsq|f4jOrauXEtsK3 zTE=CGe#i`sacoD8k!jf_G*}v7ua>CVRV0k4s7|;Am~xa{($S44?IenZV!^$@XlVWa zHCd)f-CmsPbzY~$H&di+%{N<$je%A(%Dlk!>Ye4@A>pRu@Wr}BI@8=XC_pS5Lgo-W zCO11A9A4WEi_JJy(uBp)Uy%&uYx68{UQOB#B+ z=rERo5FfOBZWBoQFt7p8NS<*2cINb0cZ>QwjJ;0JYSQay&N1Yw z$3ydlAlTY$s2s&p%|y>qT!pngc-untiTcT4Ujs7W^(kGzF!jTv;|I;rY@{AdLPIG_M)tw5T>eiw>G9OSxJ zIkgSUQoVM8pm8Ne$np6wTzouhZ4?%ji^V&7{S@*#<#2CO3VS0O(Z!+}DS|);2?BvD)7sr`OPLJCqg)uyR=*J(m%rr>YFR9z z+jee;>@GF$f`~be1?hrv%vUp(y^kgZOX5u#zdNY3>#r)T<}mT7vaGSQLU1%Nb|eyx zQnW5xU<4Nylvr8T(U!IQ2ypmlCkR?gDs`)(?^dFC9n&{?ThR`XZ7_FF@`&Nu&}&AI zp~yOFM%ZB%g(K;3Y&oE*x>r}<0x+g2cVF@g?)Ba6+#7RC$hQ&E_5B92)*_~zjM2!$ zjM2#W@;#c3ynbZbHl6dk=U8XakZEgF=r`IjIHThu*BQY$j}Ec`9E8Q{)V~*eR2W;COboZ?<<4taM3OaAruYjWw1uz=lKIUJy~L;N0SsBTGL z7I{tK)RdDEg)aF>Og8d>Jo3@DCPrnGGmI|vsQ@6^$l|(&9D}a%P1|tlWZTg;*(eRa z!R_3I1(TKnUr?z$lm7a3A>AbYmpva>86)%wx!d~(5VmfUm14LO^6WM0ZOf`7*v&vDW4i^Ye*=5IhxhLj zdKnT{IgfuF3n5cg+17u`0=ReYo~m-B`DKp~hChyPP&-9EZ&nGLzP2PCpWQ>ayib@2ivc2R`HldRp8u#7ndjAdpt ztET{H>F8{p8t?Lc4!Yz~mv#u3=tKO{WT&G&CI z0`GsnRogHB7n{TW^RH?(`lR0fp4a>LH)$RU{;z`odw=?E{a|-%_jyAVS`w=5%yn9f zu3ROE3I_)nM+x#+_~5{_Lc4$MN9SSZ%6KF$>B1!r(E-2FA3?XqF}gCXZ&?q;jC~ga zR>bG*&mYZ{wVUXb+LFMyeh4)Zd1Lm!HyAS1DZAm2VbK}m)=NCft4HkH3<}}l49TrF zGgiLYZuU2lTw)zaXdt;jn`iuwRJv=;eQiU=4@YD6omO}^<3?l##MRPTqcp!od8d;X z3Q_=;HzY)bqY+}<4Supy?2THhwuBNn{SYHV{(wHW&!-_e!;bJ73*B&QNM?!9lUe`F zXhx8W?EycOghLK5_yeNDFL=fk2@k#86gBUv?OKhN+8rUzTC-{HLg;p~*07F$2-;AO z9vP@WZ#7t<$yoqUW)6hD!HbD(wtjye0`E-Ld<|5yW}&5 zRca~}Xwya&h)~U9^kG9DUg zx-ENqO~chp9jhpIJH~kxYA5)@UB4-j?s|9lza9Urfx<)bg=oD(MZ&-3+MF zq`1B#Sxb3s@Si(o_AcVrG7Wj#Yu?Z=esCb-C6uQPayaJq(!+=Np+%!byIu?Km2FPn zMA>B3uk4TbXTnGg@Ml6v@icSi!c@wZa->q9*m;WanBvxaWNwR}>;lg%d81X629Z8Q zZv@1;Qm_k%yv+%*v2SG(?sXpbv9PwNMcjsaGdv`!ab0D2bBeIaXQ(U1vYY^mv3mJJ z?H)_C%PEoe@&)~y)NA$C`Z@g`(ZBDBEEkKTlKgmI%5j2$x-w4Si~LmqJPOUU)ek8( z4-WPY8W_i!beLjN?}|Tm_2RarGp z8JW~ZMQyrx*uSFnMUM6~BTuKk87#&~=@)rf)Ni;~c|KI~r)us@!M0?!$!G@3;M>_`B2+390W3~DaXJ8=UQVMB#NY_>o}%ts9fK{ZV`mR??oa!pQRXT z#p#Zsl71lYgxy6WnI`d|UfEfn$ARm6+2;G6m;=|Lvn}MiceeVeja*;H28c7RsJuFt z|6xQhVw2k@KE`?^bcW|<(BDUe(?FtT}xbY@-=`OJCU_-YinIpEz=L6FfUwH*-8@*L_`G;Gl|=Wv30 z&0S(jY;{udodR=hDgyE9Mi{&y5o$@|lR*eXJNn18hv9=UloZ^%(d2;Yk0YX_wE~ZD zBkkW-k38;H4_)QiGkDH&wUUHD%<+!vh`wfrS}2=R#y-x1viOMSSs%HK!3ArhyDBFE znpHP^pZ1hSbeQa#8z~?6oXYuVzT8MTz2{V&?@_80xg?cWl~v?->LGHuuJXMyeq%x= zofPgyz6*W7lwVJGFVDfgU&^lsYu5Q1bh)W1b)8 z+blx5>Ug1PP=~@>{89Ni)+ALziJjC@XU@H`EICv(5r+R!!4{nMA_f+f?yp+aEW+k`6&fM!H>EF?wxVF_*jPXYKj@gXYH8 z-cieOHV_2b%#pmfTX%T#tfCEp$}Sjw#M0Lq_f{mX=E^e*c-}tBbt2Yi9~uP4TXTa% zFY&Z=P;feogLA7n>;(yuiBN${?C=W zwFh_0XdL!@_ejwLByeCT7m41}gD4KUu_i;yvpsE>1()sQDw#wBMWJ)mBC>+5tK?S& z3?ATw){DsJonrXeP84;~KYeX?ulW+ado{iX1pjxB|LsOs`(xvO-@W_L#{a%g@xSlG zpYQR%|B(3KxBIVpr%K8VxLWW7Lq(5cjOxHvtt6dd$*?X36lgS#yVDNR82eC{bl@tCuT2;$FLgV_q(WnQc+9gbdJ!v_8|OwJcbf?XP4*=sl*%@z0NqE3*$7Jgizr4 zq?|!9Jnb1Imdm-hg225Qx!m|tUM{xjHB$3{)_fpY7cB|D0KF>+O_3-SKX^wBug&Fqg1IO9LpE1KIU zJ$**u|$O1KW&+LzPf zarHOk->Sb+$anZVjH}4i0XqHOqF5&}PYIXK-kG|L)J6CX3HC6$RMC*!7D$AaagCAR+27i3wzr-&w_AW4ByF$n zKG)LN#pC1P2c{qD`G$4k3patqHa5D^ZmT*|=n zW3;8uNgd+)G^P&ki+(m)s=qg;>cIj`&Q9xjo8Gw=k3R!RXzi?r3q;?cwhw7>x_iXA zg)yDnj3%%UGs<-}6Ao&ch{&0}L7aut{>0bXL#;ju?v%s>ffH9r$b1GDP`)+k_{D+r zlk|DEcAqaElc!3zao!bhhid<}b@*bD;Z@Xn3%23*zW5r3omNF2rpno?>?s?kp+yZ} z5yIQO;q<+)Hi%w8NS@SCd$2&^9yX4;7vZELf1}|f8jr?s-J%Fz8;XssmYZ zQc-777m_Nlm(f+mIi>=7-RQIz4lAT}0D1ke^Y$_vqc4qqIEc}uM!ySx;!!k2k^Z>% zF2uxfcM2dA_|fSjvK7=)rC&8T>uCL;f_pzXMN1Ew@|2Ojv3e@}UZfc8JR-EfemBd@ z$yt5lLaX+YH@I-jN}UGRJ4PY zU)ko*0KgNOUzzh}ROFe@ugG~bDz>Jr<_u)%i| zf}L~4&M&r%OO=~qhKdnp)0uQ>2x@m zejJC%2=@dG)B@+?@wO^wT@63*8ge=|`QrU{wNSKvaO+aO0Hq#13Kp33eat^oJ~Ea0 z$TZ_4Q#<)1CF}rv)KmEpX~joeQuyP}N7^3nZ}$r^m!G|Jjr*N>0A*ZnGZ>_NE$9A0 zvvsr$tcW`s%t!;Py}5M=4BPtl;xUJ(X+GUrr<)1Q{rf^@?%xYJLxZrqY@Xto*?Q^= zIT%RjjiaYWyN5>x2jJsoHR4}4wzqbFY3aL!P-Q!c4JVyt$UM}am@C_$M+4G69QGz! z=!=X%mVL@AmExd|F~7>f92O2Jg_nUmcFHNb_PDXOdiZL;i9ag%qf)EY)*4UN@P7!1 zEtrlEp~=OBWZH}gRYy+CC;t7Zv_dyRB~0_}A!h3h(>7A!2tUNoD{>@%#iu;4Z+U7&Q_FALY~_G|Vx?c>~5 zXvmyqm~6~0TFGL@8^jQ~kGxp3AoOfxAqat)(c}7t?x@w+8{#EBxxkm3B*t5IHy)NIYJl?7 z=}2uoYXyt&&uXE9>V=;@dmk6VFAuC$Ern-sv^C!mtcf3OI~b*}`j z)P2VFG_NLHR!Q!)X%tuK@+=r2f#^we<>aL7w{o0nmFZz_BgMs{6WFF&)o+Tcd8Kvh zWk+T~s%|skYpzSF*(hLW=ep#`U+=2wRF26+=cX{qZQAT%@t0#2H92+^Q5&$LO4nK5%oRYQ%IxZ^r6aAD_ecB#ReSVd+$Q zk1-bQ1AI+)Ssu40^E}Y2f=H0!&U66h63c=X;kGjh&(R%Ls%PD}GrwO{KpoSIIO=8) z7~2%up1M&HOHOPIDWhGas@Hd zU++nW1go@llAG=Pu1;bsTL_Gt&oFSL>g@t7v-&p$0YR$$!Qk-;b-wY~L!%wchb~p& zpc>`-ZKUI0_lL`4(kZOqw|KUoVm^Bl_B}s;kV>D-s4S$JcT?m9&nIUp3OLZLmz=Fe zYi?oTnrX7g`$wBU>b*p(vjQu5ir&5AX}?Qb^b}}kJRNqaG3=y=AW#(2Fs7McdLo@6 zGBIOIZ0>D5-P`-c-4s$w2vy#Zb<{EyS6a3SSY8jh?>2hYhQgEQv!s|k{Uf&FX zi^10h_<6XAJM$@&SHIq^E!FGI-Pf?Fd1Aa;d+V*OmS5xL&i3nqdR@4fOh%1*{qpj% z7KceMsUlNci^u16!KMCw(68UC-PhmmYXBG9!I3n>OReP*i}n4j44nu^JtPImd}861 zB9Z~Ha349~uOl4*1D8ZHhkocHvxtbF?@Yuto>%u(VLFW;rty2^M{+IY$R9; z&rRuMqOP+k*!uqd`oRuAxMo&^gQ#<~KOasHw_E8UJ|9je{cEhn-C;{4RCaj)~A z+67BL{Jr@qo~pqVUxP(c6Q8_fr0I!19w9XZPO9@3m?`8Y;&C?`qhv-N6;W~FqPu|fiUL)krKEP z=y=Fqrv?+`>5-G~#KZPDytJENw?wNnop{YEm0+7W%hbWntkaxjY5?S|Q-M*JzqeSa zdbGcAsXEh`8NHjY)Gt9s-%6dJro2`)YI?CEYJ(BpwL91@(Dz9+&aPc5b=}&PLT2qI z8u*RZE|s6VcBzEJ+o)N~SCG-aNDSw$Q*J7?cscRf#Y-_|a~H3J-W(!pAVB{~AVP@m z>}?)xH(NMsl6{O(dQ4B?|M>!wUhP!i7OPy(%dHpItU*@kQT_w)Fe}^!_|+?%vBGlr zk3528Zn&s?-|L`iN+%qZy(bPYtHK)b32L7r)@Rcpg~4J=9#KW<_Rh}G@{tVCp%l7# zg0kpfSQk5uP}q`C#1}>S{%|>n5)|a3tXGBVavYPRsN@p1;NG^5tPD40{!!q>{e6=x zKRIK2Q>V)>NrsWZH26~pG(`Aiz!U;gv&ub(6slD1L;njndiZu^l(ty#MG8%<1GY#4 zz~kfIa6*P5i)Hls5lyD!A$kt_baDa(@U;ZB!`j?Nn@3l6U{1zx<|7=2wcA3Ro^Gsr z+b|2o+lmf7nOD-GD4We^Tf5B}%`QXBFHqghTP{L?T_FR@+xX^_Cw~A^<4meM$9BSs zc0D-rRdnWEPg+q=dLcjx&u0iA#`=D}C`nUyH*Y?P_e&Z&|27&AqrTV1jcLAHX%69c zi_N>)5?#VssNlaqkSBO+=~x=?wdYZPFXx&gAhqshB01*_AP~9S%T-c0kgje))_MJX zA@70&&mFmM+_-);5FOIX3-*P08JPui9!)4-6`2TlOYB`Q#Dq46_Ql-Aa?QZY?UOE8 zQFd$dZidrj9}SXPq>qAgv;K5z8)m)Psw`J{m%9*7$}}!c2keQ2;OuEc6oGjyCL$Yf zSV1F)&4c#F;mg%!b_qGbx4mg%G-&O?ufkDJJy})DwWZop{;7~kP(^(x>H=mo@WmWe zhC6UnGppC`Oo&g_|2zIc$KZKv7>g$-q7_UqHk%vUEpzy{g>!6=qa^MFQAMF{8+Eg8 z1T~ku;aTjdb4KsO!Kk05TsnO|)v~43v0kz|&C(~N1zGZ>%gLL`406zXxxTXxtXmFE z&;Zhcj3$%L?iBU|tZu*xcn^%QneF9Z3Rj3~H#(i3pF`RCoy`=jjt-kIQDx@n`E$TBXLM3vW)sZ}DCc-?AMO6n z(cWQmGp|KFq-m^il&Lvo2d7L^u^W@;p16-R%Ge)i6G@cpwc5X~!*<=$wyQxg(*49yk0b~ecb;1Z2myb`1EA(uM{@&>qhdNtceU0Bp#c*1> z!@jbY7J#ZQL-GZ})>`aL*s*d^OSP4s96Y_cSxi&efz}KN@x%79d$ z=`ijcsEb_^9r!6JRTu9Pt6p5Gs2FB<-0R|+u!uTP9M~3&yj2%Yj*E9sjtewYEBXj< z*ND^r$nDO%_6dIarFgutOo74Nr+@ER3{J{F_=6lU+1MkUb(odYFu5QHEayxk(?kRF z=TizUp^jM@J`L|W!ieSP6UC?Nt-KdotavSR#B~{aU$>0#!~>)s5t_!+7IHG)h%I7K zED1%hoA6b&6%jN0m5}m;Ld7qq792|-tOntyI%c(PrCPU;<@JkBeNPtSq|2rB2lbSO zp7*|uTggsv(i2LF^Ji3w=qb&Id)>rRq4_h51{-;29aT*qbheMc(*WD2QOaIJB>kEz zh$-cEGX?s(KI(Gwy9q4R&id|VUQacEbZ5=>r1Gb|VK~mYaAD?kQ^`e4AK|kutb_r3 z%@Iu?<|XKl?3*k)=qMZ zuCh)OWI7Fqe$t|}-B8rtNw84X+$O2rNR2kZIWA$L(g}BE`{jl*!OImEsNl^*ob&bms-q&=^DQUYlx2a6GxHR>Sy5$mcclc*@Y??&l zVWNi7fJ4SFfC=5~`Cj3%>ss`r<`Qt0CZ zEsXO!*gd^r_qZUhNbaBmduB(vr__ziHs;o7^80g$l>z$fu;ym58&iOc=j<9R66oyLM zE_%$KPzx$qm6F#H46pF2Q)%H?w}o7?9YU^=WN8Maw>6~W687QGhRALh0R8x!W~ipr z(<^;sRB%10BGjR*tP#O)A__u35PjSU0LDbmbFkw(22EQz%Tiz_=2fBgb&Q2yR^e(- zH>#Vu=IFJs+5kY#;1r*jTXcrT7T-k3TjTcLbLYs;heAiUKDjfB3Ny+Y^)2og=J7Hu z$WC<5h)+gqE2nV!?1;~Cbr)QPS6;V}bCd0+i`l(4irn?7mse(i8l-Ter7``a*J<

wzJ0=TaMV$GNPzy~hwA2gqBy{y1UvMYb!{=NL|Eetk?`Mj&s`A@fY zB_BArocxw8kmQ$u7Md@c8@3gETFxoAwY#x>wAqw$B6`bf@l^|#mTuG>8<}>=+rqPT zSh=zm{qjV>)ZIkqOtatQ3l?g9t70n%SZTmbGLZ_@Y>LL zvqEmz0hp>*r;`r+iyy0N#Sbh5)TN{2I_rRZ5Y4d5OO7}E(ZrQL*mIDo| zYe<(<IW-QOJNw&qdSw~V%9%uPuYnOy=2WxG&aEj%g4t>> z_V#|sY3U-4-{!RfJI|?MH`d%rX#R2SRs?$OEfGzB(&Y|dB)4{&ZLhG){1hC|B4#f> zKiE6k$2x~F<0wul<{Zrh-~S9UNLma|XIT=f&bT*KXr_~BE()c@XYgy-VU`L9L9FQ5 zV?svuDtr6{v6tTkL}{Ohr3tEq59WBH)(UCELL$L{*RUIoyZTY_A_}{36$?_&WGy&8 zNXKV7L~nPs3&o$n;$mz+^NlVCC55d6@tmf={+rf5dmeCKwD{rFN27+uF9gMT(6~zK zN!)oGP4G=4)u#~OScXVVHc&`0Hu8XsI>IUNb@GT@zKN$4I5Po>vmuaO)o#NQI@sIV zY_|iF>NiNJ%^?3Iu0k}Q(o5Q$!Ox#wO4>n)$(j2)zSU|!-9mpcB5!xP@_Db}8AB_l zf#W&28P4+tZ%3nWFrOi$0_Kf-gpP6J?zDg1%Lo*lD|Fdk-^mfVK&@+qqEwSHHcS+= z?E}La%`o}mBCBjf8;kCs`tS45kO-F27{2Vo2ci>aS-5E{hg}1b}Z(> zVjrQ=BPh1JVcqPU_0bP1k_lXu<(z8z#TjYctP1u;9Q&_#0RL)-Q$%QjH_S+qHC$8# z!UZbHKIOb~=ML_4+#fjqq;_AU7D>qM=xS+jz5wVw5Krw@8s)8L>zkVgK>R8S z6>Q7y`IIhT^tLS2^7UZP;5HKRgK-~tq3KAGyRgM_ot%T=-|%hJjovNNbTH=ZdoGX7 zVXcY8XcIak{Oo9VgA^<#!$ggG@8Suu)(R5PF%?;M=yStQ;QDUT+^D(GTB+y*{2rxq;107sHXzycz-b54x6V*ZQ<9D$C*mDO^&bZ|a7t*uQR=n4q+ zEKGiBzS=n4o`s3zYD@%F`5IWWFd2=>+xIL~_7AqVcD80tl+M=3XlUi@z+HpRgL~H? z^x)n#C_#Y~QUJ4jJ9L3gyd#fLoD$Ad;YMAsarN)zCzm0r5DWoU3jB_<7S)$Q9 zYqLD#$w@B5=13V{>S-m(Q4_;R5(B>2>BpV7ZDJ7y5i~NM%$LQuiVUQBg-%Wn57zat znDkb2ldXy(aR;llczHESm<_yBhUZZ&K-r^=$aX70gmp|^mVMw=2=1_F-ClS;1lFh5 zNvfT=&sMT&t=F7laAT<)i{o27pl87Utv49;d!62-3KQA~RMBs3ZWFmBZ`w*Hq>wDY z|K`KC`8S1#ev3Mj>S!EKVsxpKhYDu2yLvvHE-x2yj7`{0PFCbOV>AkRzI=q>CE-~#xw=Nz%P)$OL?FQ=cXu*W zY+|mQ!3~UrcdQ(CokE{50t98I#@n+!d9pe+ zVicAmd}mEWc|kl9QY5p*<6yx==vhFOoKc7WqRvAQEQn)5TSgMJkAOKj;c0@}>~v$S zli#hXc{nzuwYhKx461C-NX1A!Isqj<*((MTXJD&(lt<@`3AI z8b@~DHM79lwI#6inT6iX832<#ua{n-Oh3h8no-u8nM+8{E|EbHmGCl&<}Gqw7Eg=c zR&H*sI}gkdHWzG^S#aV`uQtCW)=%?uucm`+o5r8&yex`7g^qZfLiiPqdZ`o~>~I2y z5Sacu({)Ylt~?3rISbumP*7Z^W*p` zlZs0{mB_h=N&O_1027NUnW@xd7><&QINkHSQ3XCaJ*L@|=`a^T z5g?{hN2vLbKg_t;s>5CqdU@}rfK+>~xKr%8rP0~};KvF$|AZb~eAQ?GiLFeSpLW(#@YHnf$2hFnNqnqqKrdiUGZe7Yg|`J}_eBAVpXaua6K5Xj3TBX8r>9)g72 zJ*3lf_K;*{_K;4`-9v6>dJpNmS#>gd$YgkXNT;Uvkfdk#kjY5xAxY2fA<4)rMM+QX zAxZW2kfdezkYwcSA)S*y3#mOMskwZ`y-7GZz0PfF{w9(9 z{7vFw5lwPxxd}5j3FM_W32D+fdxXEc7oC1D8cv`<9`|k25UJB?a&;QNPbYWd%V9qb zyXkZiIHnVUv4*xVZkBBYzfjpPn}R*I&yFU!BR3;wM`klUGHJ8Lwzzg7Xpq5Gs%cK6 z^#;GRMMdDn0Miy~i&_M5QaL_8;eV*y-qGRy(P3683Qd>Z^`gt56He6Q$EvyaEC{M| z{tKRJ5wNNPEH*0KMx(+*H2Q0x(P~v$V%H#ZSI;oeDWd6KV`dSie{-Q&YS)-qggQMR z3e&&F+#;i^hPZi{RfNdm+=hfgHs%&VS~(Yrkj;5em=4W_g0%FS9>JU%kKQwi2%VjW zi>A1ZIYne4%!2|H_ZoDa60?eE3f-7jgh=(g9wGV7#|3wW*rCb>akqs-CR_xJF|5VG zB^ix51yQ(R=V(qrnWt{!x`O&Zx=}$spBlLZgXZvEZyXQN4NL>aMJuvFe>OHS!Hv1l z@M2$Jt{1X{BY8BuSOHjwTz}gEV&CPE&JG@J27713oTn)pcUuN!dO^?<^+0t7yLmcB zB^aos{kq!HTD*w4S@%lLoViYypsct)u>~Xn^TgSon@3W~AlP5uAv~eHFA|jE*dJH|@08?KeBm#bRX5H=`URL%Z6`2DM42nM0@X6Vp>3 zIc$lPXAl?$m|mWc?fBfW$MRQ!Z`>3Fhpq^nd(Xmk2NzeS4NDh}!tVjTZyf(S>=27p z8{GRAp|NMi|6abobZ_OZjsN{%8RLI1FMp5!{RhSWM#G9R8fTHmoB=w(BP)5dgy$up zmTSuoYRlQ!-^7iMuExFdi-}s?D68e4e|}J1Sz7){J%bZkwc@i0M#)ppP?wl!OGRxB zJGDR?-;-@U{>9>n6sK3ZnGm2VdRa`=bV!Ol7>GF<4|+)=5jc^{LuW{J^5!U~69zG@ zKvi;S0~z=?o=%X;8e`m~f+08hRRMS;~37L0p{9vy4r2P zMLfcXKVZw@2qf2Fr`j$N5kWWSsQ3?zy;|RWrG8sKI9T63L`@rZA{4zRy+rEU1mVJj z^uxhs94)KZcOzkueHeLWk_J8&YJN<0yaJSiNsb_l!Y8@lD zuOA$4Z5(Z{AE^DKgZ;f$lf$vIF$!6#$o*tzedAycqoI)YF^2}94i}Hx{Qj6Na#FU1 zW`W7AyjWZ-lZPT74-A5gWo<}lU}6vvob5&YvA@3Y%lh-C8*@6ZUYT9<5cEaHahTsi z86d3G9{hY#sRY=7#AU%3VH4;c)`{IeWG1Bd2iB|w=wXioDG%w@S39G^3DQMtN^POH z%`1f-1K0sRFFkcW4RJon*ek9DTW1)wmjS}!gEMcCP#j;X%{F0Z?xj(3o|YwC6WRrg zqyAMbIE>-Yhb_nE+vKHc9CxBF+SY4sfEOL*u?N5kGI2s5N{IhBBCiWI_Kb%PrABYh z;Ru1_c_-|QWAajlL}U_?e==0n#fNX}tEq;(XqvDfAlPj^q&>@O(Uz_*)mDD4Etjzb zm9q5b|NDQ{%F@z3)#}8PiTdww03_ld8Vq6l)Z+vb*M`v~fsKN1i-RY%y!y*4NWSi? z&2Xr8dz}lo4!~qR?w$^7fcGR>J0FC-KGioUq-jBlmf`etLiF6>5hG2ZhyYy?AV>rv z7jZb`3G930K}n?h&K)V$2vd>^nk@n}k9zgOYf-qbu=%J;*pM<3^DJ401#L~(6cL&8bnPS(l#mV{I-e%aXg)&yJD>#> zbqP0`NS_Yg^iuuw8Cy~Je^!SPIU3q0zYB0TnIee0cb6*aX$+TfD7v#wwU<_a=c+E> zU3yqiN3C_+x%C9PK|U)&bhg-uMkdnr+&)zhZ&*GA#98^4c;dzrFJxDP&Ot#0*m~g`FkvN^ zMiYhRu8f<5LQNe3bM!V+IWG3ly$Vn^_GXMD|X%O4Z!mv6B*v2b7e@*w1h2CFnD-dAB>73YON7IY~O=W@n zl_9r=3nvO;bQycSo?y2mP~#Fiml`C5A~TAmB@Pa`gB143>z(jkFd&>kj8n^HdiaFY z3>30B(jqy$gH^Mbtw+8hk>RN>i=Re2cruH6ITV+1#4g~-gduYR_Ym81k_CON!uD@x4zjMAd6DSUYa0e{aey%M+I)QI>4be$nLSPULagPB$%*-7pCv?C=HKC$Y7J}@f2W@ zrFIn~%z8jwt=O=GZcL-$J7+f0u0$-M@t5NifV>o;hseyJIF44`ked|X&lWYX+UP%Z z&>Lz(w8}ILpSiU6R9e`MivjCB${Bfg-xzX~297`gAwN86IH6iqC@c4fne}IdC1iEm z`N0Qmn-t@bVv-%7AQf^cpSPLPUU-`?w_1m-MTsCncUV;It!_Q5KHEFm-8}JszB;0P2x4qE_5*CvwY)JI2Oy;t% zj*-m==x{A8^v((u!zk1J0cBXosiap0MlK}}mO-AAWiBHwn6LM-JZsaczx+kL4#WZT z!O<@IDT7_=Z6}^t_(2m><%t0>%Y~D&iKy#sa&ki5&`im@un&Aq@h<7M(L8w~(fjDFeTilS6b~L7%hwsm9ijoVxVkZWWHm85s<(PgyBAfzx|o7Lb$G z$7dVW_#^VX4FASMeRV(|T7ko_rOr@q24L*W$SEZbr;ksH%d3_!Eo{#G#S91+`+MzrFzq$5r)t@>e-HmT1-3kwDu7MLs5MOEw2xXv?fC zx6*V7ce1FPqL~?5NeQhNdk2T?xT2*)J~TJ4TLu1{cU*$j^LRBec1!SDKem*|Zo4^1 z+-L^|w>YAJp^_bxR83Y~+X=na!7dq6Qapj*aYSBBj#WLjiu=(*k6XGYk5|??Q*gX5F_=W&GNAY(i^Y|)x{SnQ*C3iS zf&f}{+6#h>c$oAkAWHY|Q!-OZ2|DPam%F012-gY)^|J={K7>YxRbyJtPQPlhOKBgK z`DD>!O3vc)m#m!q?lG5t$C^1#&(^oLkAVIK$A|t75_xepq%__vdU!RDF=9+jsT~s? zur~>MiJ`#0MBR*MdsXQ|VIAx-H5nC8a9%DDp<@8;ZVy)$VRt00m0{-rpE>jd*6 z-6P2^$;a?!i0|vd3m~CC50RmO6*EcXy_M+;Ui0`d(*zb|mkx?mmb&=*1a(s5A+y9W zC^fO-M9SDT?H*_AOW*nYo*CKJu2Jxu08cKHi%TazC|s?2jOJV=kzjV8BR6 zQsbNxfh)jC9aa)fGt2!J*UE0aV!DC38%3~p_KS!tH@ASTf`6JDhkFOFu3PA-#rx1o zzNe=^@+Z?t#L{6yqs%n}1AT;?N$>PlY8;9rhZiuqazOjsXb;o zJ>?sFI1b^cjK=A8WrtpixTnblJuo4OG>Z9J|HYMGIspJodnK*Lk^;jA68U8a^!3>_@wWQVhrB`kY-RUH!ss zmKpdj*>^dEaLxA1t#QpR%vo_WH)Bp&yC?H9zkF+ECO625FKGBa&G1zepOICQL6yGQ zqep6^+sBQA2=5>7%r=)mgQ?57+5Y+^85L27vbpoQ6b^m(Spu5dM?4H}747iaK!?GN zf*htf8w_!nQ4C<3Wf0V(<_D?wY~tJETdvv;K=wMO`$CK|jo0tXP{=u;Ci|vi3@X z$hz7v6Qd_%we``jDUkMvx^Hz+C44kZNbPSd?3gi)ymGg&*?m_{&3JHlN0^^TSA5M5^qL{)-pzDaJk8WK$jkv#R=lu zV;!4NU4~cso*^O;c2hLy4SR#>z^EuHwU3sCI2HqaGv{?ly_C4CdV#a1yTme;cM^1G zyMBnyl{RA<4Z6b=msoQa5XSHk25W*;u4z4EcBs^rZn^r!H(eFDEVLqi?uwvs!)~po zBHq@V5O-l}awl;NLvuu@zmb8egcK{!(8}otVP?+Z+KR#+#=t0#0dqiwfdM%m#$#C! z)@!!^@RiejRuY#TgRZhSjt&l*yN8+SzixPFfHrVSX04sP^n_NzmA-G#z;?}mX)9qI zIZL`()i5>RHGlcf>j@nMIpjgFI;)ue&D7p=7vg*^__CR$^`n=lJtKim)J^}p-fRR; zhvol_)8QFuGsJ%f{t^(O-Dj;MWPI_(BSvLBGiXUP!3~M}JK^+w8@X)2w^U5V6xs%g zm(Yk{$e!g)0~Jv=Ah~4>0CbH~#a6D>N~rPeCSV$m_1+oEO~sG3#f# zqX5Hw8TI>Ry^Te+Jv>d~KF%HBIF9=Cii4BL{5}pk%=kroX{Ai0$v7PnE=(|C-X;@V z55pKw%nEDT0gxV^92ke)MdTl(SUnw16PB9;b)23$3SbSbF*u1w7y_L9=-V-YLUpnwLiIsHa zjHlTO-6pS4favy@6hFCngblrF%ksIVoh%$ZS(RI%gU=7Yl3R2f&^o3)cxLlA^Q-rAoLr`6ds;n26QHIDX5UjoxN{P-J(X8V*?a2n#SU zdqJZ{W6+Axr!T*WU_oS^s1ZEXMO*8-X~hZaow0LZAeJK@$|$4_rh7q?=TxR024j0E z0^ReM4Y$< zVQh*!Tdfvc!GU5>gYtMmjl>?wV4lhqJB#YjDd_0<>Nactuze9md==KMCfrma5zd?+qH~O4r12tnk zQVY_z6_=$+-_$clvyPp}%#;Z^ndzdBbuDn#_nS^PwU|+L>azPLFnpGTAyT*a??yb< zPyZP_R@)At`-Q>RyzkvjDv-HLz+y}y*UE-eL}`_i+y|}-=<73m!I36eWR}Um)@NlQ zBI(Ir#J|AHZ#}CX9vqS0BTB>88O#qi6?#F*Ek5It3t*IR%XB%a5yGdfHlD)96>l_3 znyWZIiX{sn2?DTTIfi_wc|tVujKVRldz?7aN+pysJuT@T6 zrSyQZlvrPi%&`5szJ1heNDJk9B4zqfyy#|?JU&ZB=M(ppTw$a9c z5amkMV1?Epsj|wmyH;ftB};#8$dAH^4le)7K#IN($B?Zer|NQVjMi}RM z$KGAvfu&97ebuDjcsD^g4yiO(GMMviv_xJ~a@QKb~Kb>HGvbxoN zsJvsB!XaTHPXK)T6?4T}aKt>mNb7*JORTXUm8WwB<_Y-uuDhc8SG5zetT`#`IGCyJ z`}2Ro_T{5k_}x&QMVEMCra)e(kb{bLmsYW|&pP?4q$8MYY?ScD^9QnbC0ma?7+1!Vtr@6ba)oc+-oJ|2G0t|{uur;G3jFMkbLDX-kohw$TC)Vf( zg>Z2~3mY4S3jF)>CH~oa`rjM+FQ**sV*&;veGXYQj&3}G8$M6?B)QDjUTt33A3s+fo{Vz$M)ldGWH! zF7MXtFm7y=AK6PMd;CzH-k1!djN}PNiI)pM92$#JdT^I}BwU-K&O}^!OoxuJAJ-uY zc2Kl&g(57AyJwq_LN0TwVJS5f!8dqK_}y%FHfe#pGGsKjI0>^QQhja#0E9t?Hhz(3 zO7HmFz*xWvV_%Fq9Sq5_QDBLHUTtmkys>KEW2D;4mvm^FYOtPePz_fe8D~m0T9Mgm zrSnebu7ZC`c>t(s4+J)T3m~xSJ>+p0+yMFK8~^Q9gYUd*IqjxQe>4C*x$@eT$ersO zFPi+Si+)MXK2IiBeSVcDIN3(QsR836P%bR7s__>$A1=Se)-$C2p86EN7RFZQcPFIi=v)8W1m z!Oo%*s_t|!xZ*P#<56~1X|n|M*$4!<22yLwN)ynxHzccdZ zGmS>4n?>w5IZ{QidCG4mG~3SNVu`RPBi52P8k32F`|pUvQ{4zdEJ1~Egi5I-uyVl-MH-dOMHK&Jcn4Ob%4x z*-+4n@Tj*Vqrc_#k$})4Cf59J)Nfodgr5gupm_xzI)dO$3NHv4x*%X$aLvwL#jw|b zH4LE{^#};X6LRemvn1vXic_jXbzDm7fBWIi>&4@+`ulqIf0wF1pWJy}E*I;sm+Pa_ ziF&MRby+TGodL`}L2FNkJ$&X4`>PbYkMHNm&$;Ic>rWAvR}g9iKVUq5SY*8JyjE3I zhkEV)DyJGi5s7;Ah-*Yis3{(wLEoy4GEN6Fa{v<8B!bM0^dlfsR0kQg$#jH!fZrR4 z1s~wEk~@<|9?i-U8df4ONQew;7|mgU2^yb!JA*u6AvNp7{pnz+ep*tC)XeKLaWw+u zGICW%Iu~(_Otzsd)E8#I(US~pcM`3g@k~jT{GjNLJvJetBt!AT!b`nl<`NbF+76XWz{mpCP9~*duT;Az zl+=@4pok)CbQHX1lS#1$)f5k)+&i7z<=O?mpJ^bi80H?jy1b<7r@di4xu|)F)$hn5 zb*Em+Hbh0cOe3TQ+^KQ7OMgBo{`|)j?meHpj_k*7Rsn!x*5E9#3xdsdY0yj6PKn5H zsT!AzQeJ{=fxPS$x?yrLNG4sN$_0Ue3y^*8an$OV=%jGst?6(duIC#+{%DtxaZE58 zqobp~UQ`#*bf3;+1?@9qe`!~&oHMkl`Jz|h)rS_yeSsmWI=HOx6(gR~OFFGYK1a;k zudG5G9iZf^-mn!v02A7Ld034l!aGFrjLNzAJfgd~wM6HUJuuvj!CS|h(4q2Ut z3lPOfNbDs;g6cAenjv63s)1`CUi2s&o(V*$)yI$I;0w^xHp)WxhA|$Gd^%c8*3Tx9 zs2WVd^9nFNsKDGy1}vN>^|UKGSgTyMqLq6}{l0-hYn~m>b$Q!slN3lt1+s`e-}p9< zHeQ}3gKc~OKvoTV^xiRhOm&J)u})#ny$y^_q1WF*@~-nxedND`p^Uy}+vw*@%!98%djR6~x?|i!d>8aM~bo02PPb^?h zN$Xn}i1Tm|Swc_j3_c@=Z_W0>2VYU0qPJvEgRnOkg&k**^-7+(iqq>jy;_D*S<(3F zBs@0*nLp{ws#)c)^(}=DNPh!$ggaW*`@|N9`gqu^rs$NK3`V(GhmdC~7fIM`Ss2YA zz+@G@&ZX$Ng`kx6z@S#1m?F`54A&%G>KtwyX_B5s_=$1>{bhMh^#`9(-HhBVDi%MW z?4XJlxlgK^;C+wjeWsG<00H=U7(*n>xcuROL4uFO2ybgc@mI;}Ps9n6(4?0nQ}ozM zPF(FqAQhoOIDVU`Me;96#8(1>mSJzOssxYFq>IDO61FRC32Z>oE=cg{JJd+fZICr2 zNhyQe+i0ulnyL94xyU1#P<3a&Lfv~I4Aj{LhC=WPyo!5bR|UnVzyY$*Z_BSt^fmgcw21KDue+b{WD zw)Az8MzoZ|v822O{_&$DTHp#EIKOz=-zs|1sKz7ZImEch9Y>Q5Qz?g#(;s4V`084l zb?KJYZ+y1`z$azzHDz{I)Lutb+N+Q$(dek#Ei6=#T}_Y`wC9w%%rl7-*x zCG#6dMx>VrH&a;HRg6;4f*g9=!!_LWVWmToab1qlu@?c~4Hi~$3I+1`%OJsq$Ra8U}+*cCh7hrvQkp% zG`H7?P@-o&;t=*W_ZprLKpIaX74$Nzb+K7Uj_q_J))5WIEPb?r#n-L3{D(`%6E8Ld z)MjIy)M(rYO;*j`F9M-4=z{I60+woRweCX=JF!$bC={O?_Zg~1}KVZ zki?AGI@Es+iHS6lNT2{XDl1F(e$tm(oaJr_b^iHXhTd7py*GKGu_C#9OG`_Pl8Bj0 zN#$?hpjwq1TLQyYd082ilpa->^HFpR@R))F;M6bu@`eCgS*!={Hm$sAOX_m1EgluqeJ3(j5gqblMFg7>Vd za>oN#)kj&!#lHqderLS(P!^12q+DNgDc?KCEu%($iPwwEaZHbE?!Fo5Rd+TH&xy1d zfvAZ;GvmxU9HXeFsvUG&;|;x)2vTV-S5nfK6I2}0%LPp)#BmQXCj`d{d!ZJ?{%O>k z7{aQbe6GbB4FUD51eZK$W76kw;C-YCB8=aV|X(P#eeMbk5BkWvrte>KIre z?55{|Qf)sLNpWqz4?i=jP(S;YVB3=bmo(<%F@@uZ?HcwU<*rx;%&V~*r7joqPyhVj zpRyh0++sfTz5h6ld}pD6`}JBDLkw6=a=$bixqWL#mj-1!#GM$NC&;RUyh2Clxc6Y_dIoXTOHPz zYdxw{%d8FU)VFHQzO}TNuU3?eM6kP8g*~*j%Zlz<`|7=YysouwqXzG5_p<>vO|dl3 zezmm8u;ICT{GJ$N{3O(QL7Nk-x;Pp~CO$-UrFMU*T(M7@rxE#PxL|L>5h{1Pc8`eI?m69y8yEW9Uk(P&mAHrd*RR@M@k-pBOWMCuAumT*tZ`xub1VZuh* zieFa*@DP}I%P0b~hyJx4GgM^kS>2y?_px;{gwx}NlE6^gGg?b5tj8o1rL-Zmb7_FG z9V0pNCY6qHJTha>$a8m6q}A(qM$h`eeZCk|{2Gn@Wr!%^yBu%_WWE4!i224H^jqXU z2vNQX83U|P!u`N$M_r&=UI+pJhrtg{ekA8@#avCex#r>73bLcbtBP-?P(Vu}ZDuDn zMC_0G4gGXQ=45YSNArqX)prZ;#u0>7+bEq(Q}5K^~>)*h%Z1S=(XuQ9t*}vHfzmRN#TMS)e#g zM7M3zB+Idi9(URfHwXM9dL}E-y2oPzRfvZLvBV?$TFv3X{|AD$zJS4^p*u?FiXxf% zCMFxNo>Pd0-|SSOTwKZmX_L3%lvvyRc6wz%t(HvnOO$yTxwkEW5Ap_KJ71=Nod0}K zP_QlZkkp%)I975Las0H+9w|>ud&vb5vB_lwiwgE`m30JJW$seG$SAz#+Rd!U*4^A% zf4;ki*Zmj`=b}lJRw^W$hRJ1I70Lpqe$^9>$a65z8JJ64lQqZNymmI&mL}0%5P{JBc zy)*3^LOXuIyCk9!zdb28a!WY4Vj+^t#%~+&yQ1Amh~<<<$@+5?t5(8M^B_0_+BvzI zgZU#^a?m+kr<-zV-k6rM=$CX0BoWi;UEFq~2Z3Kx>#`UCTK6j+i&g|_!L(DFzfi~T~C-zFUQJD>PfC{KBtizplr=PBAN&9@YoRIfYZM zVfK?RgR*>2pxC`hN}}x%d*NG@fx@#quv&WI-#t9xK)8A2&c3#4q6Za! z-P(jB;~ATudUrHzA!8S^h$^yWojdD#r?Jbu=FNg>%?xLvMXIy2@Pf>_h)LyHm|^vq zV6VrGZA4}vN4fK`Gu3CH#{gzSz8Qk^#!vFELvsEoY9RCATPJ7fO|`X+SDXWm&SRs* zifsmY%i-Pcg)VliEt)Tz&6kICBcaG?;&`-#Ck^M7d^__qG40>khqe!-4C&thS=F9> z*cq$V6}X5+HVI9)Ngn4{j>0hpf500ESsT`78J1!P$(89ieh2I_SvTci!%yOQ8W}oY zBz_d)htmpnm@#7aUTfWsdxWPG_Vmv>?kHqX*GWWy3pZ0tM6QxY{ML6DnTT@WRNleYoJ$kFowWKGWJwG>vl6gPV_f z@|P9$_;CsLYbn@^N6DW83`0KlQH3=RRNFK|qN<|((^@}I@YYpNvE>k3jO!P20)X_r>4&^i*yLB&624Rt^%O6H` zkzUj5xE=L~`>~-3)g-Anj#3d%@*FBMdJ$p}C8*KPVEJTxIqb(_S6;Q*KQ~6V?!fe5 z$WIa-A}b4pX(t&QXnt-W!bYn(N{pdE!*b!5mzRbI*Dn}#1HAqOaM_}DV@NS6eMW5Y zlHX6Uw&Mo^_MeAh{DAP&(*?8##lf?p7OB}273le?h$tGLUR}pjvgXoKwJfz^ULFtg z@%XCd2+RyuFb;e4j5dreNtLwc8a|g?&!QX>y5Bn`HHHe_I0#Js6^+G3F-vr9GbN}| z(qbu&-7En%#M&V1*p(he_ywqzbKE@m>E3cJ(7_8|0A~Re&`V3?7eOJ1Eul4@ z@^-Y5!`T=HGB3OAa7X#9k-R&SCbTEKH5x0ZA;J=a3i1u)hjKdVicJ{eIv73i`#w5n?V7IZ2j@v|sG){h}7>Bo!ATWx*H#^y7FW0R{ZQ(a+r21;#z8h@KIW zHH|&KW#g&kAkXH}p2FG;tWda#Z@7aI`4L<$;ZSy?_hgaC=(MHnTF^#cXXEqL;xhfD z7TcY8I-IO72PhrDR4$!UA9b}!Z;CCHys|`TiUJ>1S>$Kqj?(rqo;8R~P9wrD1&gU< z^`lyT!WoX^^@iM&g8Wz__ z__J__mzag)dXy}=E+wT%HMuAic#+Mmn_sn{*QWP$V%|l@ z?Bsxa4e(X9=GoaZt_4(iV7tANu|lr_EcA+Q=gq$aCTbC`j1|XzzJe;wW%Nsv*RXEa z8KS&a0VeTM98#QOHe)nOWS{Vc3P=glRvQ|t`fP^#SjH=cv6^;A9Hr}KP zcwxY;SEABVW6s1mUXLv7#8=4&-03mUnLslgC1vNaRPcQn`8Dz?a9F66ml9ot^<;i< z#UIW9QY1gV&r#Sa$pC(l^O!H015bEq4d zG(Xc?S6&24BPJsfflFZ!!ksfj-*O3gef#bWG)H`TnIEH9S_CGzs9bDDW}5D^*k(bl2Et}Gh&@Vk)RD7f|Ger?)c~dxEXV9i%>S2 z=PVuz7FqUP+W0cwJ;xRN>q3q*_}2xWZ@-}ndFMh2q=R+w$Y2RYl;S>|s$Fn)z*q)H%q>UH?j)(y^?T+`y3y z-I)#*!vNC0DlHP?>RaTD*`XqhI*ihl--p(s{GCV3k$>Y-92P4Xg&nvSqRkCyvZA&O z93}4~{Q8NPFlJ|6<4RXdOJ5-%BPpIFiQ1$XZ+K=%MXkYD0NpzL*>qa^lG9ndJ(v>P>&O)y zwO%Y9ZdvVM>rAkt31oQNold*cjzyJ1nnRiO zVUsNIH3H1lEgs7?;0ID!;PB*V$QPr-7c!BcIYvB469PXdupQjWI&AU$EXKDZ-&ZhC z4|xeS9!J&W5@+9aut)WclRcQQGtxDP9e;Eb9G#V@RW0Tv&Ms);ign zX>%BqY0%T4cJ~ISO^m@8QMf~{g@^zPlyxF8(YQJRvIT?j-h@svFHYtmlC*E&?g(?L z-%pVVt}rCeB!^(gs6lz;V!g0SG9C(&H#YbRjHO%-R~JE#%_5NIt+%&NTVJlO@l5Sm zLyy{fyBm(SuBJ)qI8T{#V`HY2`#(p{sQ0gEq0Qh2AoXC1p_dk{5>+grQM z-8~FWQBY6*0++>|W~+s2|4_dDjMNM8N}QL6_W8LLOn=yxeMXC~i+@$C6uXHF&u*WF z%N8s@QlC;H^MN^BjDj2cD|S^bkktx@Y(D$lO4eJ?uIWP#d*r{fxMmXbq}4NLfcWPF z_IU(n2YN&SE(={9;VF%;(qe5U%IqeZ7qSiXG^Di$01mz$p&=z{CGvHGNo{zlBYZe9 z1t=C+|7^7slmZe^kg=YKCXSC^zkXeK{ln|x>%Y7%y?#@qvL`1ZaqzWl1o7Fp5oRal zM~?!MKCn1M2N#^v-fQ)GVSbwegtXlnHmay?iw($2aK4m`V{XWf2VS4(fVfREX*}+uTtw5A2W^!P6*^hGa}I==X+iAF=rWzx#;~oXe;O zhY`B7OzaU4i&v3>LU>r4$Lb}T9FM%{{Gl_Z!4h20#gexj9GNj;N% zK_i6TS%sZC%TsYhi5?9*03`*uZXt@sQ(yh`%p)7N( z%NUS$QVZjqh1!Uw;{|UAdJOz5swowa02W}T{GH7chQPuxsXC&6Biwn;!4~l@LzsFz z@B%_O_lB&7=%9R3o;kZKw37S@`uNehnxU;8{X?yIR|wY!qXzne`tPYF2jWo^wnQ{i z%f|J*-EDj~GTy1@;Dg!az}^$~-V*SJmanELBkC<)$PW}`y z_u!}#BSq}IWua^88R-gr^stB?=_l_w>Su+WYxT6_607=3!O|)RaSrDo2!Le{L{R+U3}H| zPkCar^6)3LdC<*f=e20`D~5bKG|hXl3Vu*8=RfpziZ|JifdVPR<^2>bt(pBJ zUuBQ%F|X}6I4HW37Vw}aRcG+J#i#2B#l>ICtm>m^A6YOIIz z>ni8-msz%$nzxM0CaNXXE#{R;gUT=DX@(*&<0&BHgx2J_>uZb*9N!8_YT-@y&A>X%F~_z`F=Y`WQ9PNOia*zVDy!9+ge}^(!`wDxt9` z8v(NAzBcNaio2?W+?$^EhOmXA#If~@s21H+Q2IQKuXJqtahxPomLFr1b7@E_V&-5( zXr+W(V3SoG^S2S(&Pe^l)pCV8QcbIt1R3L@-)|nx9ZE;vrtR6^$B>qoJQ- zJb?&v6noNnvDJIp7m!Iq+{8kPER^6r^gGtKunq4)0uwDTpnQ9FEFwd4dS${vmgg$F zlOK!hqg}2;47fBfu4wxs14NASR07me7e-N6%*jghU9v`VS5nTt3OP78B@oGVU8qB7Y&UWt+bgY*bbK9Ir#M@(hy6DGf#`-?&Yl+K?sT{UnQ5 zoEP!C3?2<+*FosC?Yg9+z=q7i;H=a!=oBy!SEo^_<~%p0YLghkaa)c@Iv(cj!@a%j z#bcR5bxcDBKN@uH^JZATV$$o3)$%Xni(NG-I5af3+RS&72md+G?*1|I>-xbKGUC_h zPoSaw7zv`|4v&N~%n;LCtp){)WKI8G!!@l<<7>TPHaY=nVOtYC<`+_WB`(575%6=m zfxVcX_In+bpwcK=SZ7*DUthe|wbqK)cyZ0M7r5Xc% zHw2x&Jli|iSwEbkhBbH0arL2XJe=JOh>k(}<#_bMr)Fed-#sip<1c@4+kc{1qq;W1@XFUZEXUt4TQm-NkSVY_o9&pHA1wSaq|AlH)7fJ6&=91#C zhGJ{3pg9gYC;sp7w8E(0E}u=|W2IZAD9c`t-iQFo?@nAp3u4%mk` zZ-?7T-|z*E(t9bm->d{mh4u?jbI0dOkT7u9u#aBm#amS{YghU)+wZd zVY1Crxb+Djg*a>}9Wr`K449DI3*a9)h0ft0C&X^bT29w7UU%VG0+z##`qs5Gtk0r? zQ;#Rnmq&}=zfqj@-fKs)aCy6+GpppBT0Y$N7X!|L%V(kk7*E84A5&AG$u{07XZWh^=>NX4{?#Sxp+{UwIXQM!6$0-DmKgwW0ETC;xRYzl( zKlPEhsVe;c3uI@;2nAqmZ z!ZJZZOPs}N&uPLbBZRzgk>rk%JOpHti9^63OFNOP@q>yjM(f9=YjTZp3t|_@&a9{> zLfNRY#E;KK%)Fr|%B|%ct{!EzWBfR$nN-vxF+27;WlECXfpk7oDvw^wRw7ULOyqO) z%#{7aRdX7#33bZ!Hw%Q0c;C>M$HGsW^2I0sqV7uw_-@2T!)SVe>J9a< zBPq4PJ#l)TF7dui?iY1v&NkX*U0)g%+O91+LTBt@cV>}(?-U1UcK$?LSj{exOwYsd zoP0Sn=9Kt7`IxnMJ5+Zx!u4Rk3weXpg26nP8y|3JL#H`H1x zB*0p5bg3w=T9zI+P) z6Zii?bA5BC`K`9by#0^cCAI&Tm+yby|9|ZKcjHd|+YQab`}c1){|_J1{4cHim%9Ib z{{P_lPok&|ZfE`8Vf z@(mX}e4(wKjh_SoJ={t&Id8Y3fJ6dz=kZluWCMC|y}|^tAQwAq3mwZ8jG{kDE^u)cfv z>XCVlCMhs^W*dz9J$$GN$K!BFVZ4H!=E24bD8K%6YkTYP6{7uY>u|T(YT=8mT37q) z2Zvi5N89TMYX9h9f3JleKU(}Cg5w(Gj;kIAlERXg{cZ${34?x-qiuP(Bw@@r>O?(^ znG^Ce`_1Q!p4COC%8ueAaeGuzY=$jwN8W4(Y4w4My1xuX!r@z3{1~S@LRT2idS?Lq zSwD`)74?=CH?qt<#5RI5)=aPW8>oh4CcviyWZ4UZ?iNk4jm zgS8H%^l_cPSzz=SeG7!+@QH{t9(Mp&s2>d{2+`jcHOLA|B#PYX70#?dD8HH{HJ2n1iV}Ww?$v+*3 zc=S(3A!4sK|MXQkMA_0m8H+(Y>`mhFKN$-&iuz|y2gUjLCnM2M{>cbn#Jqnp3dqj= z{?FbP)8W4a8sTITb}s(8NYqf$eM1!PUyp)tG!{Qv&n z(M33f%i1_Z{~eE$$vOR6o1RXGlPS=d!S~z!_uKvdf!qD#KW*-99KPCbDt+w1h&|oj z+E8miFT0cOnmWc(&D}#B=_HC!e5zWnT8GUYRahenwr+2{=8IMfPl6MK?wzHN0U~m3 zPadP5>l1u5Yd>%9HV@Vho9#{bXYFyFavs-pNiBXDz(k1j!9UY2LC>7_RC+egLFE~) zG=lDgy1jR{9ZX2KKxu&~GMbJ@aS~|`0$RYRk6fO1vJ-Pr-tB~|@GBeGgn$;hTn*z< z(n~B-ok3S8S_zAHd1pj*nl6I@g*q28 z%S>=h5Y?t?#@zTns=(5+~2Z??1kx$!7>v}%MqvMGaK;SXcZ<=WNX$#l= z(vJ}!P#qtDJ1YDiYQCRM$;^fIyeN93j_T;vt^1W9*V8RLuKWGCN$*UTfSy&WxFA=( zCCW?1U!qdwb9+o(#+EdJmyjK)$^MqT&Y9D&!)y3!&FgOz1DAl}!83}+sOef$d+6P* z1RFV}pH2<{(ac+tmkf?nEnejf$+DxYQCG;8BQ&dW?#a z42l^$RNEuBr)n5YP&3kl1S1H;jXw3r&)z>{Fy(L9mmOq2zux$wI*ie-m(f8Us5hKF z%D3;oN%N@Yjp%RleTeQ-zLWslLjzT8N6WO7NN*DZL&i%t7{AQuZAb*f&;_Iiu{U(I ziJ-mHFrk3o?7|OSy`h^v3rwoTL*rGT7JSQ9CgjwGs^DN)Ee% z7a|0TqcU3ll8)VICH+OX;YYKV72hdyxQ*-`GaA5E<4Mj<^KqTC@;M62_7XQ=t*T$p z2O0ZD=D@Ei)X{Of`WPc!>TOhgvlcB4ypl!@h5UPf|5W2aZ!!tb8x#J7`_I_@9`uI2 zLGSknWq*A8OB%zT)Mf7yRf_WC7Ld9aUvoIA!hnw&D_#=Z076{~I!sA%hdgCk=;Gw6 z3Kx_r_QmF4G+@{Q)d}jonN-s9t9H;bDbA*&Jt=|VoaV6Gpxe=R>Dm89`QLPyT)?{e ziUPoEJ$RUw|J}d;UH4X zliIhGM;ct`2_(nSKMGH(i5BWGT3P8Mr{78jS)C$Kba>!{!<5?rdVzrOjzPj8513B9 z9l#y}?44!7aoX*GbrD!Mj0PwbnqPDWi;g2QU71~$rbOoK8%kfV5x-_u51oNb``MjF zYJqovAVw7SMZozhT{|`x=_UEC>Y-9F%`vFZW)cOuvKx%66X?LGN5^hLKr3_r z8z*`Rx30#a#O4N6r32Qvfq+7CjGK`#X9p|eD7o-)U59a*$OTtWdK-<0QD1ark}CE(^(%P_K(K)Vc6!n(@X4v=+$E zx9Z_%oXWTAsd$GmEy#TYyJp#{A&yA5Q|I%}MxQGUA-nax({cZM$=6coN1 z3fpzwFF53zC(ZYVhU<%~2%#<6p-~F&M}zRn@yXjuxULSFqXyIdq=zvKDQpY{s6w<% zvcW1Lv{E$X+YP_Rh}~vXH>nQ#S6dVx>=b=LKbg1|!yMe~l-}Q5n;Fpa{L9=pj41c7xQ@Gg}Aq&BtF_8n&vxi=qQGSDgQI;jTDn*<)8NW1_i9hQqc_8wEQHTk3D9Hn z?!Vw1ON;%O3R2_c8mk}}thA7`U@{~wNWz4U?o#{aJe{KQb4}O!%41=Bzj+#u_Eub?uc-+}MglU%1a5$|mYmbZ7zuvsjD08* z{y?QGHyj8$547wE&?wdJl%(I7mD&nU=nV;Q?#>zNW!w46Jcgxa8}DI8`n8YJF9SkS zSNGQsU&!gFC(3lt$RPDopA}Ftu5@hB>ma_JILf=wL{06&odLt2P_!vL90iQiI}>dy z!JDF%OB>NA!b$XbsvXA@UHvqIiOTWk>N_pi~i-8Q$$9P}eU4nfDlip>g^z`Du zwQDB)9P>)Z79b-jF6|l0bjb1{ec_ex%d-c8f;kUwD>+p+)06gif=Ay#34g(=n(J*= z#ZW*Kh$hfIPxYJmgb6thzTKk$v4-RFb>!?RbV~sJ<7qf9eSM@k7)m()hR7eE zot^-V{>r#(T8DLs(w#=3+S4-&Rfn9H2QQp<`@lNagO{e-UuabI zMbATD#Y-Bna?$%QcZzn6He@4c1sdBP%@3@Z#;rNNQLTNIiwBBqqXydewTw(z>v(G4nzaJLSp&Q zRp#MQq&&4Xd>8h6T_Z>-e62Aq9K#(7P&vUFY*S;6pC2?b4XUa-gR_mrHfN#$5c30g zV4heD*%1mTK&M=0(a{9l$Iz7IF+(`a%T$%904 zLD9wo6PpFK%xlSoiGC?an(6GB@a6D-jIot3pffdkVc>vw7)X+YWqKn0c1UL& zXM@7!$+Hi}2BHjFBpL-+jBjC?Rd^PX7_L~IeiYKCM0CedFG(n}UOzAq>$UEHH~yWj zdW@jkxIa+c0YJ2YB0LE?BeUO#j_66MXAqZ!03#TkX&i%E{S;_-G8u;>40=?nn>CG} zggE@oQeX$U?{=`??SGN~b7GhOQT!hyEiK)*{NDrQ|5ld1zyJR+|NY>`t5@gr% zP3++1+VX?iGLubHIvik#>@`Dc+P&duI$6txa$o-W=bMFc*OA;^g#HZ!x>FxSGwySq z_J2^b9``Hyh>zZ*^o9F2k=g2pm*(*wV9a~|SJyrNL;V~DfFM|FH4oc6>%TPDf?w&8 zXH~5w;|{()2N<@lm$c7^(>5)dRrNu=4xD&_zpGMl5i4&ue{F7;OB^wf$|yxaA0N?2 z)HhXzx=Q=SUh6PbWip=5t05tx$|XGfoXm}*gUzjjIk1u_i_=*T|9+xQV(;3*n747j z<*goij72#}ZSezp!jin|C!G4%B6<32Sv`7WzV4Jcs$*du@CNJ24#PfkefUj`b-}>V z{}sdsmta-O;!?5##e#bBmz75@4AP!o7W^>qCjYt!6Rf{FjQKkWhY?{*5wuo|MI7{J z+w0F;kMy(`7gKAZ?2UOAf>Yg@1{qKT-yO+2uU{X(R<9RMU=VE|PLtKwuiZ|intDUA zPR~^7&&lgy3FD_4;QnxaRQSGJNb1GnX@dVd#(xz415MWJ=Y=^Zt zY6lGn!Ke+4TCWddsTLXO4|=`z&vQ_N)Pjr1a_vsBSg%9NRPB?r30oLSQsCsG-(8G( ztd}`O$1WPgV98zqwS*1wA%(4uwEIXmVCF$uF*C4w=VP@B!*6Q117E$fRZjQ1v;}+5 zwgw0|RiMIO@8nkT!R}?t?9Bzcmj`w)4Yr>x)1M2rp9i+@f~_8Ro124^@@yc-|9vAK@9l*_DAd}iCs>hO_l@L43Q zT(&^oM$zaz#!FKM&f6Qn8NEG688HU0U4_!}yIj}t0N1dDjo(Lw>}RSR2Lhxr{4<-6 z(h#SNe7fZjVYtz)s*O!N2v=dFe)!+k3w`SRSo>65#Ef>U2`B0L;od=+Vh4A+fn2}Z z$pxxhtqZa`4WoFg>OcX%?3Tp%uLtWpIfdO)t&M}N{lmOMTf42p_3iEUi{|=f^MFd| zBt)Vd!0H_)sQf~C!oIXkYMab%g5AA?o%QXuRE46AVE>@$f5S=bB}kp4-E^%~3fA+J z=rY~L&DD=^U9zs*T7WA5ZZdwa1#3sGW_xpQV4Z_A-?G zd#K*V!CG^7{pohIy}rMNNJv9RA`n>tfhn5jB230QP(NdG)`fZ4Sfoxs^v(pIMWhRX?w;1QYt)%H*j3 zv+8OQ`)5_=fEu4y7nMpsuVz2_yn0&m@3Sf=!*G;b#GkpEzhD<*aHY?y`Pmh9q?FIC z&2Hm9t1_y2)s_QOabs_1XMK0G<=6DUIYjrK5M6#m$)h1RfM+`bclqkD*ZCplURo2jlJDxThEVx{n>2pH+MIiyBk~0R+-zk%cC4@ZUH}p%WiL%;OVv< z0i3krlq?5>x5D{B;Uvomb^}JhWdyNj+KQlDhjyfYwF_N%W4pP&+kUpS-E8^%4Qf=R zcos^6-Z-p?Ddn;kej>9BUfpytIo+KEII-;)pTaH#eYl!3PGlSJ5OgaE2{dKsyfR8v2@Bsz@_qlr@xf8^M(D9<{@Usxnd)XOVa-)aBa-Zy*bU3=4SKR z`qB2GS7-@JkqFPEEYq!m;6HEfIzZqn)dr^I6v(!NIoQ$~%kY#!$RvhS#kEIHA#9x6 z4kr%eaFS{n60+IZb|HhBwV%{LYwze_gNBi)g8e*bZXChY^jA24*AJdI4{;*{Rj7_( z3jnQrhpr1?AG+TO>@ZU2a}r_NJE&*nBz52QoUeJf_(LP#k!Ik^j9vlS+RyH*JIE+8;?v+K5twlh0%4*RaBUP=+aamSR$j!(QV_2*_ z`HL$B=5>Zj@$Int_jVFZrXxUwPbCt7t-j$cV2&y+wk#zdYw&;Pr8kd!C{SOzF|t_O zlMWC)GeC2@BZsA0P~4SZQ?o3kV_r$A7Dz+$k0-ua_$&0R}wKZ@-jP>1p%%)~@=%#u>+jTHyrnE)>)! zlU6LQV4Cw$K$=@z)(fF`rWSwvaVQ0Kubnw9+c$#`isbH4eWl`ne57=Bwe-kumvH$c z0DzA}ywLa;*B1;Ol`RWYNYhZ^=ZX4MqDgV5L=R-CSp3uOqxt_N_1D9?f>q;8KxuA4 zYR=G@HlfnS=UmwiAFLd>`a3;3U70j@6G)kKllKEDlFoP->>lhrdj`qFaeQ_b z!0oc7%e3*M>>Sz5CfS1)UrOTl<5i@z!R2Geo`D(MEK9S{F zT+HwgwOAqdw{ykZaQ|tg7NMdNt@J0OHOt zp4@Tu3}i$9W7<2rV$BQc8WT?(bxlBrK&S_!$rY2ZPx9c11|3MsmXMSI#dJz7>rzbA zkc#TuvLXCLhi^>!cD$JoXgwv=K z!mR=a4qZl8tSP7HPLe+DfYeLSu#`1#!vU&h7=G7SH~^G0()G}WM)IL#}N})B9^^^yoC!J0^>(d-u!7; zAj;71$#Uj068_|u-vmwC2CFJU)-u?TFJjh%l$0P}o47-O;5&=t?$ovwzigeWNW%PnR=dRBwIHXv?Ql~MsAW{%oU>KG~ezi*Wp^o_GebNPeIte!%iLGDiLB9-hsYc>ko| z&6kG<>qKtK!cX+WN$(x{?qpgD?Jcdo8C`Zog(V?kIz|GURQ~pQk*)=BJ*ersfh`6H zAeW*t^*a?evmZ((+%yc742aX|L>H{z(KirXfXzU(wit7o%LRvuGoI#BO4-i+3+_O= zGg?8%QhwsAF-QFg_|96v(}v0`hNUvaX#7?@6qd3mU>6H->YTsgvC=&J^Q+4s**~=o8i%AU!m72Q^*97Pr4} zC0w^ITr92n4eSpnzN-7C--uASCqLJKNe0fCQt$_UTajS%;OSlqwKyp|n+~P9D%LwX z+(XeTeaml7HSYmy_KR~+H%_Os?k8}WlyNbnby@^1 z`3Y$}?|uR+o;NZH=T$4pA%pOCh@Jl{P!+-{jkay}tXigL*p>%ZbF=gU_tFJE)N*MhCxjqRh&ru5f-tp!$# zXH9;ZG_CZs=6>5;tLU_rO0s2)n$wz};*>aq?>tyu##*qwiJ9A*_{%IW`3Y%TPo;1C zi&9`vH*BhWQO@4e|87Y#{-iXWz+ZZ`$WN1oZ-Ff*gT66$e~(l5_uy-{&1K*(d?8_g zJ{{`e_YyGwxz^B@pOALwVtHusgtPn=Er5gdgI8@+FPjWyUv9u!eX+Oqi*DCVpnN~m z&Dq-BId`xijcT@E-f%6UBanVnu>XN@Uw`~FVkaXa(4)$=G zG*!>0a!Jq4n=a`4e&cf6dr#N5+b%dKiOXPwjNPpbuaKMOm)d-qF0=WRONg?h&X!Lv zul;nr)l3zjv{b1k)0A|YU&@-CVo@Yh-Z`xj3SOp>3JCiI_wL5gl|k6WQX5AKhbaHK?Ek{n(og(;cbCLA!K6mpu#g+ipCJjQ8Y?-5j zZ8sl2ZJx89Qb|~5r)@b5`^7n$QtRKC>MHMYo|^(CetGWfT>ItbwCxd+N%YET`j<*t zLq*wVTQ4b#enHCNivwWK+RRbeFDJ+L(@U`>On;s4wcucV7k*$m|AG{tv|Bq(gP!}n z7PKt$*V5cytGNN!#C-<`KgE{NIJn=KyUB^0_x`y02R?Lq>{N(N>37kv8;@-ce@m{$#muU;XIPV;oHmZ* ziIXm$kaxQB9-SUwI{$>USg#2F#VM1nPMJV2yYG6s4E=)#qlAdnTd`LQZCUf(2!dk%3d6>b!AmuImX^$w0f35{Fbj<6N zm#`L$!hvM)FG%U0=@j|}DQ3F#Oyyf>aEZJesF7%(3Bepshi>1T&$S@2+b7ZchhJLU zDt-!-FceBtrsOKY&8kz)*IFP(KxTEh-;k>*ptDfZX-+AD@6%16X1esUb%f_HJ(h?^ zMTPt9EYWJ4Vlh(ozgI*lb9QyIFCo(rD+DE>=R#I|t5Y4ZEGCHurXXL3T0ai67ADJb z@8>D*-Jhj}oo8^JaMdpNVUHz0RY19Yz(!1inSdSyXSYaKlU&ZXIE1i8;n4K+i( zRX_TB%C+TSVU3>jBGys)t4L=TL?^10TdBkfMhjvw2Wez6y1)WG(nUxq!lHfwn-XI$ zfiE;RqGc5hFy<4-q;$Y2wxo1k`ig7%nGdaMm*kO;P4Y;1NGb~p8Oz%RYpJ)OC4~zl zTr62sWyly&EuAZ?YV~|LRjxM&5^gV84T?;4YH&V`K>ujWcsoq%5$l&0pbpan=1eB% zuXZNxctz}deD+-Ep|haULzaR_JYv~+Oc6}5gHtvPEUp>j#H-V&J&xEUG8#FLzjJZ^ z(iXT&ti%?~9pc6;9d)C0-bU%rQOj364;DUqxHUqV78^5n?&r7VDaV@z(hBxp)flbKl2jqj!UK5@g@gZ;4C#E&j{Vah~sQhl~I2{}m8P=?UBto2-_>S3=2Z zC42@(o=U@4KS( zVUkjG`5LGg#hBY-;%d} z1y6JCc6g+f?!E>xR!{G?xOf_VUjdbjM&K;8THBAq2g*?elZeOh4NNNc$$}A1&OpW=&jMo(I)+J#L{}Ex5Fw&OZ6))<7o1^ zYdHFfYv(gYEx-}vUJWYmb* z9G|HgBqgei|LSL`D%y`VJR7cswc?`hGz-(vG-P?T#NtEzSV7woQ;XBB7P4cPM&d@t zp=Ckau@XrBv+_pDef((T&RTq2Kv5WLmXuLcp0#}|6+~KWip?;Q)6mJ_a)B*_9MhL& z&u+9QHlvReSxld~I@W}<)%;yhX;3Sx(lD6 z7%O*^8~KraG;pQ$#gSmqT@_J%chws4)(hGeXF(Zkx@-^Y+T@DNo~$z$v~BV5QBtYh zsaGnGMvpG&_v;#bkShD~$?;P4XFY2sm;>vqg_r`6|xllpw}97%^3-@rb0_pGH}lh3-k$dMM)dW=$Rr|GJRr$S$L%N zuC4UFkajhPMxXR5k-z@x+=?tiHvRPLi+yS#e_={}yFQEfM8wOg=Rc_A8Ea)$nKrmG z*1BaL#>o=M0Lrd!4r@^9IA%%g*1VGzg!Z?tcmb>vVwVmP@OQA3ja3 zh*;%PB%jC-GOKSg)L;fNz$KZXeQwp2S(8G;F>m94at-@s>wUY8_lAeIH(t%3z(>|> zFV_gW?4BX_ztI_T{|`7r?%(VTx&JSGhTQ*mJVWk#OZonP>=|I`=5D+ z+`r`+a{tz6$o+q*Gvxl~oFQLt@qV8ujgrUVS>z#0jPVRr;uzuv|hT^16VR%rrtzS?m9K%QYti$v5Dcs!*4@qU*Ko~1<^^qKL zPIv_qhoS5pb5I&!ua>CVRh00`wItLO;DgpX(Yo=ZokY=4f}AWc8rr|!nymh$ZZ(4I zbzY^U5n3p&6^urx^;UHU>Sg>?-6kxuhJ;PhBFNY4mAvTZ>cXw4WYxp2C#k zGSZu8E=!*0086*ON6g00Pl%5k}* zRhehGY=X5tc-sStd$zR+ePP#30Y!&azTeFNy(DpBKm`D`hV}*K`)AI@14+nx>HzHI z$oe$Fp@In^mrSTkO+J~b+N^4hzfETtrL+!{k^-U^3cBS2bl$JlQd>4teO5(xFK6}+ zAA+-YOYSD9NjDlk7iOIW>cVw$QuXnpJ?n5l0oGc9nLMux#Uc)J-K$)f!BJhiK#)7V z=$%cxg-wf(XRW<{08>{i-qGu)kk={a@*t(KH{uJdSTuv2A{oWv52|`jtcpu3%z}|0 zdaL3-@)H~s?bz|SX-sk`$rr*;L6#vu>jfR&S}DK40sA16bS`wu?RAq`bS7@Yoj5%o zny^WBS^sc5?`5uNYGPM^ruYpp(*k6*v8pWvDN*9QMAtAw4_*s{(UOnJ^rt1gsx z6!+%Qm6WqQ@9N^frxKae5hI!}2 zqg)uy>bwygmnCEDv{?*d-EzdQAh>1oAk z4&RC1mNa(OA_;v?I}#_ypOY?IU<4NylsMk4qkH4-BftTgl=;Hel1klr7jr9NeDUh^ zP2OIx17sVVAt9ooK-V~>YsOH-Ml~ZhGK<0y8W~7fuUq%(YQ`0Iuynt!nh=1GPbk6ehDD4bLYR9HYohhy4@LrKX{>V=?1~Z28+6J#)-^ zuj`~!bY_3y7|89M&dBSam*;dc+g^G08g;iNN3lSz0>!StX;4BV9Rnob+=dZx(IDY_ zlH)|Zp>hLYxJ3{KpK!9>Z|8MAU#6TZ=+@-V+sZ|=@2K;FSR)(cBXEO_*nB_qNZ>{= zv4#A2CRV83$PMmcfH-r2a_{^l=plkp#oacMPjrKmG-iYh5)x<7r0hSVY{7WKRNVVQ>?*6(;B{5;u4tv4t z6V5^hVeVV`(Syu#_*Nrf)TcSiPe-Tcg#+4dJ z|Csj15r;ny`wCThss1>ki$blCaeMJ>eY@3M6D432nKpP58tHHgdU9|>dp%N~2C;HL zd2t-{bx)w@1a2^QPveup7P74ZdC05^<==#Ho|yR!O`X=1|Y>uExBeADLy9DT|Znt~E7l_j(%jjr=$z zzScd0&Y^WGM>9VNXdF}HXT}Z3%O58_KK1~{*1YHD)a!F9ciI2E?|;Gs*YKce%nDXw z4{qnorqdT{?!VaEeKn^lM{r>A68!^}g;QWQjYJtT<-GTAOn0!RD=lOht3PzV+Gag%~QhPoXhfev-cV@q0@mYJ= z-FmrO6YFMoC+f?i$Oh5HB1jjg?-mc6J1GaP9B zxwfnt>dzd6a+ZrLaj*xx9SqmHeuJ@ddn5Sq%B#(+FU7qNs}@q-wi+&6nuFw-Nl;_y7J= z|HHj;x3*NfTSsqiS*J2zqm3o_@4>x$|F!gBdFjE*GW=b7cze;_F$G=Qdb$H&<55kmEG<2(;J-fw!TNM^5s#Bbuo(_}QD1FGzjwl6tR8pi zyVjR)AV}y_qINcZ5(IR`muB#ak2xxd&nB1QII{YL;|Lkbaqo0Gi4>5xaM-QKW4K0i zduLaeFdbr~Jk*q%MB_msA@+!lZbwN1dCy5Budnu}r+v7lZ1+0R5a}i`DwqPNN>`m; zQLSf)L`#rR&td=`;#u)XMLi_Afsk#r0%ToU5_lDb(ea>*fcaSQ5mN?quT&ql)L0Yz zTDIr5gBUoFU|s-!&Y}zGA*mb!`JN`x*|c8?prrb3>+r?i(V<%3eWiX|KR8(5J$&`Z zs8>esB8Jl&jQTxPMGVK|a5%XFoP(X_!Nv_6-;IVnDx8rB7BEh zlAQ=HJQ!UOy=mQI&iWYY54*`qqcVz*@XZKL%Zj=j_a=09W@a<6vsqDF!%nTD?k_`; zaQGG$ziLgOFaUVgI|Ja)`f)t2sHec{V)31IwY0Llyi{GjyR@v1TI)ejt->09{3l=n z4qxpzp+{%Ya02tWfAn;FYs2_pR>xSXxqFBs&FqJ8ABz2ptAce5oo8%ccw*}VtAdJVEP^}|kt{M!?38gZ~GkLyq=7XYjU0C465Um$AJ$GEaRV zr(p*bW?`p{ZwaWHk4;t9|4d*ohhE2_sqS@Sv2`{B$s3XtyNvKk%1a2Qqmn{jGb(zL?NW-) z!fAhEz+e{vg$73C#n``5Qo*hCPW46|n(_gh)e}WNP%~?dH#=|ancI9%lMwef(idoy ze9AC!DkjKDx$qd-$S3%O_n7GrP~VEGim$I5(_yI#@ah8aF}8w%lNmU7hh7R>{+>+F z5o}KD(3vb*dgIA7?Du}BLJWf+%4A^G*>u>!A5dt5Ry)X(d2>}G9Ar!ZM~j<`O5Gop zn-A6m2TPOkn;kc|8LN^8QqtQR7|Zd5NCIx_ko>JDWC>Ive|ow+*JtW4ymbP*x!-5H zVkvz^G*ZrM>U5f1oyPAgu!2u}A#B{Us2h*NikhCn0-Yi~NRo?gjcXhL3pCcur-=`c zA$4y2F_+@8x)-^(C&pP*spvhd4~jR=xWjE>+L^#&kY?BWFls~8@`?IayeH4ls$dl2 z_KSH)&>bmRKbfgvXrfsLWr($e-HY}}NPm!U4vj#mbocpIi|#2dy3=m-?&hq?trndNh!!4dtD->~oNT2EEVOq6`V+?^{CheX zpP@Nf>39A!KJAw1epotc8+fA8A*^qLC(k>iE zm#8iYx2GxaJu*Ww9omH}7Vg09SX&}`U@8h_2DHJ+bTLt5;FdeEXP`pW!4+v2Rv}3X zv>`Mz!o2|d+Ln~H0)yg>Bd%iJ3p6S)obaVi`*G*3V&}|$H;IDi5jl&oOStOJrem5y zeN{$bO!y9HA}*vx?yBp*qZ5GtET>i;8*MUe0-Uyg6+KA20y?|IR5mHI)>1{0HK^ze zC8-G|_B4axyK};j|D-T-nL(73GMY~ zEfm|#UnX2eYhjx`B6hjkzgDhU9k?)}_mg|G5J@mBdTZ-{=c0i_x`=my6dLqcWFXuC zljZ0B@#~*(xf_{JGcAe5`_C-~6L zVoNv8NxqUXcW>*KJnCV{r-aZiA~Xk2H!*zX+{HzdSqL*zL#cIx1(iedX5mBoeSdFn zdp-^E(8-Vr0&tT(hiw0?R|7F-vK&y-L8t-0SwTeNF)$nzIl&pm?|7EOvf~3C<_^x| zD~|{BSg3Eu`rcBAb{n>r_zW5d@=@OtCp%>Soz&&%>^a;(u0&B;xC?f|Ir)~ zWG_4)#?WRbC4sz&d_wE|^GZ1M_F&jYS1?z60Z#M;n;PkUI$|QeNAjK?L`f2!LemZ_W2f54VNOH<>gHN05K(L9jb7O^#ZIp`hyBDAxQZq)G*2tVEG@$n z+V+g&49%!Iovphd@4ZlRuh+oQZ2vN`}m#k>m)#3#bR&JASpmnT*53Er`kxmT$Q;i3`$s{~)O!$+8 zF3vZcYP|s*?ilon-!hZNuqSoH{$+TTR4E#)TR`ge$c0Q527T06@sh~OLP|l8DJkv{ z0kP2K0H}5+UAoHH9MqkG3kF;7np9HbsdfN#KhCB{kij=1%4rU}4SMVQ&(Qx!g{}Ga z`X6_f?mkTGf84+OUH{{|{>OLykMH^)-}OKK_4PmG$oQ5DAZ`=$H9*kQ8p?3pN77-^ z>w5fZ?OQ5^7+n7Vt&r}wR~unCiTb7aYW3Ik?OSSe$Qb;qC~{=x2G>jCKP2dS*LFiM zEKdxgH9yR=1e`0^O!76V6k9_7lV~y>}I`OzmFGg|B6Y^*rz3au(q<^JlOy)*r z6+85mSzokb=h~L@BJDg28U=%4oEDU6Js4@W;)-jWw`x&NxmKmbw+KZG7U&YItQZ*{ zoN+h`|CshVZ~J)iPKTX~e3gzKQ3|7O5e?t<#_UGt!eohLsGnR2O(Ku>G!(9h%IO+p(7L~g9fmcKtmH0 zo;aL%mziw#Ez4Se2tCu%GVM>a zIrcw)lGhVl=lquA1J3|8HBw#9>c+mkNF}y4haPkf03K9-tdOY z`P)hDyENiN9B((A2h$WKY^{W>UJ zlX<#H%RCD4urwh^Id3Rg#%2;TQvzg*WXOa6v+pRV|1?dmZvB9AnBuA&c=}ubhLDuI zLVbK$PJ~}YL`;H_h*9=)8lB;$9Y^eNTuvDWHfkj67a7zOiigqnCy(z>9^aolzW;ao z_n#SYfxp@N&)ucF4<4lLfA23X-~0al^Zotj`}@!L_n-e;??3;F?>8xuf88_A{m*~K z$!lr;YYueL;dE!1*xl?M=QE!V5Cc(lyo~z&>f2#_$u^r8QTVRczaqbgu#o%lWwj66 z4u~I7(zK8s`2I-`HJ`R7?9Whz9W>ZMt@x-PkBCu)J7*^%n#xTeg&M~sW||~XAKgb8 zOXnV3dtiS+es@YDFIR${pft7LtzP!J&}1uS(@h@!ToluJCojEiqcCg)@O;u zML6yv$-3Uel?+B%lQ#<|Ucp`-olzxNVYA z*g<S1%>$Sy zBnd3ZtQ2*HVaN zd(_W+wt_Kg!VVEoT7o;A^~j~4AJI90mB0d$YE?kc%ZVe0J?l*-vUu^BqJV%jErlNn z7&dVX%LeB+3PrbpCt9rxHA6?ambcGk}zB(B1aDD90s);Pc+ryVSp~f zY`wRHB3)U|L2vmCqe*SaEFZ<9HO>6!(|dY4zkUrZqzn-K#GWk%ll0aW%PG(sy?am# zyIt5fiBr%r67-DDPo8xDqdORmdG&l8($IVT&f5gSDX$pWFf+y*Zaq()o0=qk&L4N# z3O>SEJ7n;L7hJ=O0J}5kjVNv{t6tcRR>AA8IcJn*%dAP(y!(K}{y!zikbt4Tz@9p-PdbvFLS<$(MpKghxAvGsFQA86GZz5y$R2H@S5Q@kE# zAh;V&^A}PU?-vvj7+C=I;2tI#c+4#j1wQM&kJ7KweD~IuG#~_5n$7Sqn8XHP7rKe} zSlXy`RCVFriTjy-C7@DT=Phsz$se-`5YKPB1Fo6PYnJS+24b@#9Any4A>GgSKRw8t zT5ui7)#W7|uu&fcjy!C>M*?Zp!HnVkA$x-xuU)|6__o_ada1R$u)%-DU2+he zqCcdsy-zqK5JH|wovmt?_QLb|tMRaTu=8ch(eB^`t8VQc&eH(;R?Cvd>9g^z^K)+y(8i2S~aY_BMwY`0tHR>)>1I*A)4e_6`N>Q)w z4_%|A$oDU}LbveDHoBqnmS_v#1h@yr3&S)qPi4;GpJk_#KjdK4R_mQX_v_E?`e_pP zQTc@2DH0o*8l+Ypp763|CclCXr`yBVhZfv;$ z;38YHUDK{}rY&MgWJX3tMnpz@@g?!p-tLl2bh@{@iKllmHpLg#*1<4Z>9ofNV3tD~ z$NvuFOkz@|DW5h+akN2@sCYt1sS&6TO29=fN`#oroCAcH=yOCgYjP+K_~2?BQr?FN z9!P6Ah)lT{)j056i3Epk(9X}$=dd<_xU~fIOCm>5UTtIBYxVUio^ry!pN!3?;XSbV zsXN#9!u@!@{m22I-^YO8+~X(!o7zAmS#5X|o z*mx2@jp1R2bl2=jp`#=z#Do!2_-Ac}dZ8z#Bmt%NtN);6S8_Q&eM{7=u1E=N9 zYNcwBGK|Mq;ei_$3{4y*Upu3~WXmB%yKsDbnV+Wf=&1eHZ9YR3DuhQVx#;; z?Owc&3ssqNi&5u4QRoY{R>K`tg4{0rM42*le>s}zjn<^Q!!OLlu|S8gz49*Q;!es# z-(bwWq&{n!qyv=vgZb_AgY5D=wKGkSV5&BXIgZS8Ei|I|tz0o%yh>Epu*Sr8j)EMW zR{zD~4cN z8$2lG_`xI<3}U9(yy=7-WhR@zK3J}Lt9XpKn%{KRhE^orx_E>@Kk*8O8+KfghbbaJz&BEV$gUVa!6Y)(&b6vbg7PlZ zWvi^o<3>J`mxA#myD2aeC;ijz%+MV11QEvzw9oC$AKD3&NLC+wt#OcE4(tZ1PMG9g zR#5J#TM`Vl2?pg$4M@`LGZIf%2;q20el^Sd{)Gfeg6s$f=k6v^vZBg1ODFC&7mcig zT3MvZM@p-p@tQ&+5glaYSY=&B%{jVKY*Ycqq#}%KVKkMV^!p$UOSdB7t!4jGQWIBWF-@UrmWlyINEpdNCK@ zR64KFT+Q-Xek^Ure!oCoxmHHuf(R2W;4@KpfdY+<%V25<=aSc%rxi-|er$!GPbZT=?FY;tm`^#$3Z%teu%f0$C83xlX(3m^ z#9tUr%R7WiXWcXqJiADy7F#{g862~|PhC_no?J5q-46vRstG1(u(+r3)-A6U=yQgp z`_^O!STF3qQTf2F{vh(t^L$KZmmljRPQXEj)TZZ&EM?ikYv1HdK0a1?M#Ip)>efL8x1iTy#}FW3gsTbL(FBh#_LW-ci08Fb2l zXeHL!nev$ALKh`H9}R!1`@^G z3&0c!5!7yIa`c2?%PwBq?`H8S&PfgNBE~^lAZR@H7+6pVMJs&=Zy-6%X!$UAbW@_` z3ZXbym!Le}Q*losj-F6OR%kZg6=%+5)d>M`1f0~TOO$fkvup-dgRVupy`ju@Dr=-N z;tkUk6aiqts&^d-$efIwVBTLL_n7lXEF~J+n2xv=WWgEov>-EuB`pb{flW%cLghiV_{8Vj z4uk+sK(W7vHD-{EaHc8e9Vwq|$;KVc?r+()7h2#4sM*<`-n+9Nu|-?sh}>F5EQjP< zrGCfIVDv0jD8l>#ooQ!&h}(81e&xq|ZigfPJiWi8PM=Xn*g-ppwKrBd>Xw~k)%EGb zo>PM@3gV zIw699GLHkt&78}3MaR7$E+~0A^Q4%f&_KmNI3IRLRH-II;3Lc^-ue@I&pT9J(T%ZC*T%ss}Y#4xY zNoTJz2$jGfZhM|7T@5n*qSy#XuvLI*xSy>CzNG1jQ^i2*qT;v#5T%0E)6oMX3Zu~3 zCvw&PK#+>>!tibw6%TjEU^>6A-PHbG%QnX>E*jrAYmLWGYmHi?`Eawj_2tdhIWQ4$ z`KO&NE5=v8Z-oQTlF21=kfS=&+$DOgl0Oh7{X31VWsN;0G-N{QSNYh}ES~9Q;?#XP zBLtrF#iW`f;TWUtRWG%3fo-i>Mvb@Trv+Vq32$H7`OUhDbrE>5v_ysq(QD;{McQ)o zl`b%fW^mqpo~knx`;=^%1AnpG%%fT}#53qGZHYYoWCHE+QUYzZVZ2bFJ*zQ`iwMBvQv>hP11%aJw zO_#z!X@-Z&b~P&_e_^gBK{U{(qpV5A!#OHUDfwy`S4Yrwl)Qo@cZX1Z&^vEHW(aoU z^@1i=PN>;K{?IM5lOc$9GQgAE$uzS-xR{a{WfPxc@Rg5b?M=@;0+FxHYKJSfNdzLl z%Dz8|lJENygo~S@Rni`Y1vT*anf6;4XzI32kQGj^zeF7kx7sgTOOr@TNysWw%<>S? zc8K#=#q6tM_EjW_OaleeF%sU^wjSES=F2 zZ%xX!jl)c@b6hgIqzE)}6J+aO2ydH$hz3sxcys|6^xm*oFGyFi*A+wvxyV9Wkt8<< zk2mvsQiPs%wCTjg9FV?nx)EluQ&DJRsZ`7XMj++AMBLFT;Z9)--gz7>ht&7cD@DFo z>rFB2x|YHYde^JQ05)0aOTd506d@f(VGm0Iu<1kbHk|*tF%HIY;w~Wcr%Ok@u8W$i zNhcIlaV=PXFbkC3HM2FN1(~ZF7y?lz0*vy;JnN9^`M7u{l;xyK1J}rEJ$T9XK?tm-^K?cL#snA!eRiiR-smh9*IEiu% zWE|0<$%-iO0O(GcRN=V6P$cgs!q%s6OhBkm?Sp)N_v(+YQ2#%m|9$gnwdSoEhCqv) z8%`BGzt{6qPV7`gMO^s`J!;gOTQwUu9>3wecme;0>SOftAXHzapKsu&D{EUCQb8rm zV?3FL6#!a=@2zw|NmE(9q-OD>`Ln>)AA73|kR%DJ!S6IHwe>H-v7`jj=afVg3J3f} z+oDc7K^Dq!x+V2d$>goUhVorFOn3`lvUGjJdGbX`CqFkOHg&?l909egP;v#uOaWCC zN~*|->SbvUDH(j0jJiX)l$)_3%OEdj#M*@XK>4I+`CnH$d7n)@RdT90)~QRimNgF9 zF0v|2MQBV#FFkVu01a2W&>td>gN^hu0l3~A}Z3nPliXOwVe zG5ka-HLdgE(Q(EYJYX#hf>D4~zt|x+Nn+5`$7C#1%o9q5t2i9km`O$7gI0YV?qyV~ zIi90=jJE*kDEDe%OZt-7mdSnhT&o>~vCL?GZ=b)lFT1&)5<79#Aj~d}yw>qvNs?s1 z9By?*+HxJX!2hFx?wxi+l(-8hWtN=Ds-kido`;Cjr4a-~RZ!0*K?`mR=U7S;UCg} z#RY~!`_pU+a*_dmb3mufL9!*}qk#pNr{?N~i0vhMA!V4~AY<`?YFRWZ4U?8pl@&8f z+mp5^hEE6dX>f&j5X{EUqkiWzs!%oGgx5FqmX{DR)dnF`nF77`QpGc!bTxI~)1{_o zH$5+R%y=l-r>$y;OQU6^scm7fzTH?Lrp%y$s|2)FUT{XjVk6(NlC>d!8w zsRQ_k8h#P_>2vxWg~nXa9Y>9h)X*V~uLk{>2n6 z=~_M;-9}Nh?E5N1E+9;oKr9ejGHp`$ljJ-tk3s0-gJ3~y|2iU2#vu*?5$eywD-QCF zIEZ8nO<<8r&zzB{b#AE$&vE3q`~HATxCtA;rh4)DroQ({jz+TkIvTO_4V<|m+YDp$ zoj{j)i3VTRnpcpGlN zLF|x{_6S@eU7MZAYvZ_)=}QiRLaP>oT3dj{o2DW%f)=??!yF&lY%GEg6)~k9N-bEh zs?HOC5Tx#Eh1HH4FW0F`I8aMLwwWj|Q;9^)gttbp?q$mi`ek)V;NMx#(3MUEvQbqx zPMy_nXr$>r<_@N!p3p%&BH`YQd+|t;h6M)A@(?T}?J^`aXzY1XGOit|F;m!b`E;JD zc6(~6B>|SOrq4*4uOq}&|EcfkClf-0Fu6}X({KyV{Y>5{K=2t(L9{W$BTl7rTQb-- z88BCwyFn)4#$qc99rT6r+bw4Xqk^JgL$(^b-j#fMXaGB#@_^iKI-6nO&2jTv`sYl!FNX zjR%;1Jb|0bE}Av+xU*0DQN4c232ZBELl7yjjJ8qvJ~v1M9MK<2>Oy)H7*6Z`YD8Q{>yhKjIC-IbzOTA*^c}|nop5q zCh=rCQuekmP2Qt2b49rva_5jHcOW4TXo*c?km%{+x*B8aX&sd88fpe6k2dr)7yK^D zT}|{Ar$Oazx5AFf1rN>(gA4aC-J3DVdZt1TWo_%~S~HM*^EFV79juYPH-oHS^^m-{ zC2n5CW7pCYsQOu|3IBL-c+_os8%C-bNfJcqG?D#T5W)TAJP_79s_@Vtx{60+Gol)){XVSXE9rqDUJpcYk|0{^ zxEmqLQdO$1*h4v6TdzEL8((8?eYNOh$YT#BsSqP|lqFJpDi6XmH^?L&6)>aeaHNWQ z=LPO#G;y1MixCvkR$K~RD+0watC>BH`e#+SI3np^#Z}GbyvUoN*FD4r*KE1Si`R649R5+skqnjuWbh^B zTcUG$wcyDWT@_Vdgd!qpmOy9H;|dH?>}I#fX^kUib%1AOaXkC{N@7$3&HN84pjXu> z#(XCDC!K=M@#3dGKXxfcb)RC4vsU#Q0dXK&Ep)8H~`m26Doztb9}@QkbC` zR2AMrjsd8l;V2CFRKExFY~bTzJqH7;xfBJ@HKMu~pcX9AH;R$bYD>*Y35kq#cdexo zD=KzvK0;tEV1$m*RA;|u;*Nz}$QNOP!wG;l*M{lY6|9$=NwA(D3c4FP(q~FIEM+k3 z&-<{HLH#I*4Y{puvGPHKAoaz%SbS;h25UR0`f>3C=Ln zF*YHdF@6EZUo1T7t^4#!Sc(`hXo4>0I2y=Ns!uREVrk?Lno@G0lRzvS${xV(PfjW{ zsMG0$fraH;puPC#QvFPA)k!+Sv!Fu#fkbpd-h=(Y0F})o2<*B};u9+?vt>xCOe|y0 zFz)cs59t7e8&M{>S42BCO|e1sV&D`~Nb9d%!K&JK=F54)Nk|J+nBR7(K0 zWpB?oc0hNztn~6if&B?3gM-m?4>jCS2hkCmmk5_Xl4w%d=d=csr>Wz$vg|&rNaf#n z15gL_Z8{#eGZ7pO-Pi|KomIWhCd(8@otI%eCn0iHKBQIoAntFE!}o!yyFm-tzOV1B zZhfs=aud&MC6W)tXF`30CH*RhG-EoRd}gu~U{@>si_6DOgOGnUnHahXa!}j{%7R zZpD9jmPyUDGt7Tc#l!#by-jgSZVCq9CKlH~5}`3!`|M;&jHLWnO8l7@0FmOB{6B*f zAIkoBIGX->5>F?&B~UiK2VzU|IRaLPbcVM%OgFhL+jUdYj#1f^i;S}wF_0+?5ZEgRT~i{KT%WTDk^nr2}P8`xtsLx={{y6R*d;))h?IiwsK<_^M2CVQ-H1 ztVd{tQm{jSR;2caaI>kwxCzUo9jp%o=`1*tnFV?5NOY>m<58tgu8xt$Uk0}=*xr_% zH(rV8t-r}An0ofY`$Csp694P0Icw6tF1Sz4XSNb$rs%fHO6h{LmRG5{rl<1!hOKlb(k5|N8Q-E4rwP`2mPuyatAI39R5nYs zu`guO|AmCh^;hBYnfT1I=26$j3V-TgA}O`wC3r2JKaFz!US`%9UvGeaa5%?K>-enm zYv-)Bd$4zi;6zgXyn0(9XTsgT2=Zb~8gpiy)moW+c0j$0 znLFqQ$B1~d8O_>!$Q>m0qGy|vygQYS#>a!EF&cV)6*lY-cy>dollEMD3CR?X7QyxmPgbY(Dl+F(q`yh^<4rmCex>IER{ z%#5jEs5w(MOVFd!9!P!Z{XV5UD&RZ`owUH%qS6eCIaw5+fBpZp=&9ey?3KR3r+fBr>SFyU2_C`JcX7ixjHB?l>JL=>?5o? zwEiV=#=n{@`fBHYR*t(vW4|z=pU&bh6O4Cg_UDnbONjk|f9(zD^P~#Mk8Wm}ovI}a zVlt@_3IIomat$4(Pbpm}V%3Tfl6HWw5|0$oh`~~t@qL1m8VY=?YQ-}CVJXxW$2`ps z8OA!%Dn!dHI_KQj>TWR@+NPzQn^(EDTUTL;QUT#!Y0SN|UwUh}*(&*{W-!NiB@ur5 zNlW!IHIPxl48p5$FfAl_Sw5BOlEW)E@vAfNW3)oPZjzBe6Nr-mBR>%?z7OpptDyZ2 zKMPp}r#&FlwBX+VfbeS{CDNye!0yN6F(=jdnY~?F$&5I9Uy8qD3QPf%41wC%U@&853Daoz<%H|ZcFCb5|NK{GcP>p|W5i2tJP0dkriW=8QO{Pe`8%TB7|{n0ZR3yahAsB&v|ZmOsg)!bx_BT~ zvYG&%adrrNKz+O73Qauw<@!<$>un`&1@TY#w6qJV@3VW(xIVfE6(`gT6s+QRYxV~) zJ!RzI4AbpRtW1z>Z-UM1L_JrEoMwGl=EWjSUk+F3$tcnxHdTz81K9WZ6>phNQ6^O#+22@D2^xFoB6rRg3&1T6lgnfQR%!F zU!*i7XwwF1Gm5o!=Zi?&5}uZ9w!0R-lEsJ!I{j&qhF6FHh6jPSk^jtgglRMhuVUPj zYsS`x#w9(S;CncGvZVg>t+dPMqVWAdA3Vbjf`Ta5K8?x=;vZ8^5K|+%v1B%ZjP{i& zAog_`gtliT@E6m=J}4UJv%LCBq?3T;Ie2%FrD^9+w(Nz!(&*^Vbfgj+kFcZj> z8*ezp3RdQQO@>dQ^osxcH;2*ix?IEX`vy)4YiW9;;N0)ul$%xBS5UKg zQ1zX}G463F*8Gth;LnfdB@~|lbg4EU%?&6OW%N(^j`uM*J0HuF%`c8AIlP5&!@u(7{qbe9#<&KWO7Dd?zS$5DEkO+#M=)2Uo0X`AOgivZ z`i+$WL}y9=xz5eBC!ZCorWlOmOrSxkUd`K!4RiTo^0?)YiA2)*i|vo=i&c z9GT^~Tyw?ZD3F7c=ZVMVU0o`?|Dfl8;7$9y9J_D~_OOF2w|HJ~s`y{l4{CaGCehKpbZA~4__bHK;P_{0jHG^|Md zru@Mb>|6RI;^1iabiZx+uuM6T0(udw@3V0{m}04dPH;!=fWE`rAL0;rvb;l}RxF)r z(EX#BH4esrWl=v0{Dce}WEE$kXE~yEC^7~gAcjlrOW5pTePMN>PrSY^F+#j#aRFs1 zHlP40<*XwX^Rh;zPMpt#hDE0eS9>dnEVELqI2}ZNa;efOeaVbcwI%11_8b=BdaN1s zT7}R1BgD6{-1ih}f=uHV^cnl3UrK#u9V{__gK3$t3SG4tM?Ub@Y<|-Z)#$E4p)jI| zcw@#(4y&%ynF=1~7-!s!_voqGZ>Edk0BdMrD2=hV)<4OPHj4sxRW(wUofYI#qE(Z% z!V1tpmZWG+mHY{q6w5Hp8GtH`p0RfYwY#bPEY}*2q2{%H=!}^N!df%nV%R#a7v?j=xeo!U*u9-=y1Wpdys)zV21W`HZTeO~6elSOt7wi+pcA$+f zt8&x~S@Ky|Ul_rbhv6(qJT8;~73^Y3juO*GRbF?OC2d^!Md>tHSfC%UD9ejUf4W84 z%>k0nm{HQC-8!cjY=h&~)pn@5Cx?UD@v8wQFZKE4!q2R;`C>g=Cb=SbUm?evdHLX# zNiEYcc97wbQkCt~4_%np+zV=9xn;SihgRWV*juSCWjJv79>voryu?#Tg__9fG$Gv< zB6lSM@?(2b2w<1^%v59?lRy(s#BHTK1Qv_6ruGW8=ELUrjLIU|PZpMO{<{nW`-O?b zrPQQ57L~q5m7FYu+2M)@W=7Ci$O3V;P*~7^RXS2nSuXNYs?Lb*XDK7Lu%&9oV1D?? zoyxXb$Onfd^?)6+sjWkbU*8o2sNj1TRauE~`D)b*YUj1N-+`6%VypR)f@nEXSn*#{ z3H+|9AqO3mnTa_|5ClZ%i~hq;Oc2XS?CzIV)dnhqscPHlJzpxC)7^XGF$@}Y+Ef)e zOGvx)w^0_qz%OlnG_m)rfNVu|M^2zM%!gx2+)!aljx0ggaCdY`cm*=zJTT?c)FO_P zMRh_xddu#?&W75W20zyU*M+l}`5XIPZsymqRlbAjM?@B9y4xzB7}_ptCMr{~bT_Bf zu$q?d>eG~pxw|%8Zl}NJ-Tf{CoCCpprs_va92BJSkS)LqT;+-TdPxqN^7mX|u~o|! zJ&iO!+YzqxJcTW?JDZEusa`6J$tP&&%&MzW1YQjMR;Q5^(ptq1 z$PoxTK5a)QdxS3HB+21?Z>z=I`qVc03 zH;CWp^u#$5QEwCv3Gs}CPDSLA!=u-GGY>`3Mdn=o z_ybr+zpB1sR(bL4SJfP*&-f;r)?WVx%tkA}QfVt+IdSqumfq^zr2T9(UqtUHQYfDx z-W~@Tiq>M1#itO6DfPPcTd_Z%KsFXXYKg}#ks! zGf>k!a-TAD(R>%?xfpl{vtA=-gGu`Hv(k4-AB=n)NvbQ*Mn;hY2z7yKgU#%y!Pu;ngy6F7zn`?9x=|v)0HnXtKzBCe%}1$|8DT? z25C4BA}g?SI)OI>e=H)fh82;FeN$G+!TwgYl*AIbTWR)WdG$Y9J9 z@{6!^S0l5Wteqh6UhcNKt=+womz(hVW(qS4RKUM$S-|1!k%}t^9T{xx8%dhAlC$hu zrk})o38eqtDNw6|`hcT-Z~ZeA^M_2N(5tJG`Iif)n$Az@_bG*) zNNnZ3zZ3Zi8yiF)ZWjMg$6h#3ucuWFLG#3N?brEfMENpMg|;YjcCWfTvb^47$C zHwemyC)S)stXD}Az_=n*5(S6=l*CaSgNBC(liRaqs#H8SE4lD6`AuEIbm%D7rK^h~ z_P%yR5=Zy%4Dbt!P$X1|G%UcNqMTJ|5xK1sg=~5!B~kBSS2{j9>$LIk=IpTj^V#vq z-cOzRdy+)|qRc9Jmlod@mWK}dSHapk?k?jnm8^YG(11Y-2A4hwO$BNa>`!KEi7`ao z6W^!sfF2&h4^SS;K~+hvkN!L@>$RbsFbFaqv>G#=8Kv57?Cq8m`^3A9&;_^0@c@hQ zW+GXbIqX!3D2_IUpz(0UK)ACQc)YgG-Ny93Ah{|y+5LVJr>UmgY@dGFtcT=59no1InSlkM z+`OG9ej>uZ$CGpT1LtLc-insvVuC+A?UAjQewti__$&&p&yY9M`;#%(7XckCQ_NTi zVac+!j#PteasFo~pq17j2q0XJz!G1GVSI|q2sj1UJN;nQ7lW}psc)W-E^%tD>Y!kD zd4~i2?V9J7=0-Oq!!!F6dMz}|qh3q^Wh57P$ZOW|Kc&4A7@EPsb2}22x@mfWX9a@f zpD{WbVu?)cm=X7rhYAzeFGMI+oTLa0^g+9U%w#M^F<|cw5`a^dfdo}zvSQ)#0zuIi zm0iG(^9vwF6-iM>ESp{NC7>ETt6$}JKgqfd2Qa|9U(m1Psm5Lqs|Y37RX8B4;x!pQ zKFYlW)+B}Hg(ca1tJ76Hit$#@;omH_>WZ_Rpc#PsW&->|B^7~2^Em_1J4E|fa%9>5 z65gGYfZ*lVRUXAL*RF1{uzv_6BE!xv--*T zbWG`7P9CVihf=2m%4^MT0kV4JRdu3~N@SIS$wgb(bV@%=8z@VjAi4^ZIHK>X=})=m zPU8kQ_W3MOZ6ht1veq;+{FIQtyhe55?T#R6tqIQaDo}8B{kE-iY2m>{l9Po`;FFR*DZw@3@68!T4Q}gFoQ3%HN-@sOI3Pddvu}@%emv{`dMqEcRtM!E$m*zitGq7kGkJHp zxOGH>_q3s?y^;Xmi}RMFWgO`>B)g-)u=gx4ozKMorrLbq- zmV%x3PIvF0(98K(g`8kU=U=Ee ziss-$mht}4o3s7)PwoBff}|eB=iVr|!o&XCw|m$+K#`c1%Kr~(@HcF+bKKf#dwaX> z!|vYez4pmp&kj4=Eb#J0AWT}^aIncRzT^in`;>;nU@>P}y!0WYKRG(;zDBs7)5C6Y zi_zfG3hG>gkACQfj$7Tg+bqQtD3J>*?2*M`D%gYT4SI^xsvFK;sP0(fqsJx+>R_<{C2{m4+8jGpu)E zm2pK0MDTCt=M;AY>#8?Z@}k%PLB1*o3x0`#T~%U_KglTap3f$A1Ef~Kb;@PMm5NTz z)NM73%@ywGC-H!kF10&ygmh!ldpVd$Yw00v0v>MySD`;cTJTbL+H06lQ)@#q9~o03 zjW$1WdCx397-yHF(NZoTEZdMaBB+`Qt**pZnnfd z*-7-s`&F$y*@}~>OPu=Ss;Ev|1$EU?QXR`|xL_yt#PrsI&w8MGSI{W}emcW+E@Ym& zgSAyDWDB+9*1RGhtPV z={n+Y8-S85Rx~!PfyoIG~_xnA)xE}$FtB_7C?jfL8m@`%pS8lOuGsEWm zd1jbpmffUPa<0ZB4D?j7pQ6`K{;Z_Gr$Q35NN+FCp)&>3Os1jam|7G#jMk)6ZCp1J zexi)N6=CT%;FK0C$EcQ5MPU*)iw&8MAeeK2 zy}k;{bTQBS_8*F3dGlJ6?Vq+%m3v*QSVp1N0!~p8bIAULD~nW~4cr+%qu!%qkY=hq z_Le)HaAZ_C9)rCO>M*&hXyNDt`3EJSMN5^H{bJ|nbIU%9+T}I2_}p2oeY+8&yC_ML zhE|4lAxG-cA+yv9*vfy(DZCHd_oWvYg{+gkibpqTS)Tdq!_)ErL0OI$g?LWV@Qef7 z#wW}jAe%@8`&_tO2Iz1T)f{w^tbN*OJ%vUm5vb*n39|q6u)Pv5y(WXg3dL{g?^S0Y z0ef7ik`QS)5P`ZS{$%Qtk0m-KT5C4Y-bX;~xzTajNiEQ|=G?$?5-B_=4mHmQLx-1k zwZw6hZ9AtNjpmG6jDH%76BfwEXI_)H+4NwQ{b?v7JiB3iaZs#(t!8PXP z@Wx z#6NeOq1Uz?w?8Q-{K9GkoZ1EE*6h%tG3IU?ok@FSDM8RV zw8fN4nb0{8It&8OLg~cD?c0?<3ONkiLSEDWdEM?c^yKcB2kITrdZ9#}3jRH1NN^N0cqmE% z$3dF<=Rq-1g~Bo8h{7@~hQpcqO^sy3oJ9Wh&m*RCQEYcV4R4V-HOH35$CXCKmDTk+ zhbGcuY`)gwofCQtKA-TRcy$KaoRtP#guM(c>{kZSMZZ-(<;X;k&Xyav`pg+Hiluxj zN=P~UH2f3uQ|D;^o|bfugYe8pg-8^fZz0#hJv`mt&uch_%mym|ujVQhPvX|yV%mSs zslZS(jO_VzQ-YH6qo!s5&r0%ASL&V8n~hkKNu0Pls|pEKh$EA>htX6;4|r$-BeWv1 zKvwf9U9P1v=_!^sr}C)8H*!*@5(vf_l!b&FohnEQoQn0*EzV>aD^Sfnn)-7x(EY8~ zWv5x#O4;0Hr#!|_Wm8`B<}!2jXBMw2nDFlB=?EiE^|I1oi8XIe$CH+aBXTg}pNov$ z*2$Z8_nwJpLUAk_uHe;`1%-go*MzPnj4WA6f*$Z~;T4as|H%k%QfTgi_zyH17(oGO zxGoU*R*nGTUP&-2<=s$bBo`Kbkc;mkOL)kD1L!WcqS!D*jL*EJJ!(s}pqq5tGI7a+ zSnwRqr#`|t1neeP?-yQX1a*cXQ|?QR#;3ym(7CQ!5S$caQC=1Is;m*!HcVO3W4Yi>k25J zk;B|KaIaFsi`649MY(=itK=uuA?vGHK#~;7k52N?5u12LKsieB=_+}Dc+rxrQf-kW z94I%B`dTlz@UOx+k#(RcVqjhKHZk&>DkhEJM@*hxpxPh6+IAww?UYpsX&}d%<0}>) zlZH{N+sD5aNdvT)x8%OAC4z?4fvBDta?rFMJ`%- z7+1ZA@Bj$N5Fg%xzd^i4Rqqk}MUnqi?=k$@PeO`&t9nmzjrgNLAv`{X2Zw&iuUVO#nN?8Pa5JsuV>ARMK!*mEr5L6cw zEY4!VXRo{5MI|6tKZXm<;AAI5Jk)}H1fC-OfnQpuLm0xvtXk3ct7&=ZMX{otgbyYe zY=AU{UqYp6Wc&NTvg#@zIc?=CXDza+Wh`DNSU4p5QfQIhr0~z3SJew-pVI`u1RVNQ z4a4>ElwRd)Sn`L8#nUF@e!vpUwwN>+mo|uiMQbTt0IxXh0lVue;Ghdt<;VeS7X~2k z27WL`)LS$UM|JtPA^$dAFD+erDEGGH-$%KBAIrZ_KJVFkt48*u5zB%E6Mm8M33Z4L>cto$YN@`Re5P(98|A1W^4@R;$9vPX# zaTJ)IlHdcud*ITDvUKAS6%!LA7^T?`LWG#^5!7JnZsV2vfXu^zQefxZn~6V{LIxOi zw<(?XX#7MhE~q)U1=YQ^csS&&rw05Tt$zt3iODwzM*hux9PwOx1Sf$q+6O~zEsO+5 zG+i$ZmMWa=C_c^wElNe!_gOJW;d9cFR@glp=o=kT;;>8;5l$ux=>%k;+6*;BdJC@^5XR*e1hc3Q`0onJd=t=)sYLxanBW8)g<8rwBU z zFL|(fCCFj}Z_NiTK2POn*CVt~{x)yz_9`T2dm&2FithiS)EC;jI*h^hDvsx>GXm3G zKsuz1DunZfm0*H(gtDMwM6m$C`4k>w6QFw?s|R(pdo&)8A{|4DM~D23N*8mMBYO92 z5D7~DQacp(NKdy^2vuNo-1WqZS{?dI09j5uLcpHGIYrw)&(|L18_n<&MExqLL;D8N)toF zalqkmi0-b%w+ZHA=y`HzDNy;6EkGq4wn&k2R1>CjT2A1qnR_=jOES2rgduP9G||gU za(VGo&+drkZ*R?AD(eEC%U|^^{^V|3&CO)|+Xwks;e88>h!BD&qI)WMg!14%Lfp-5 zz~sF*a7fizXf6hUyq60Oq{_zRPC~#JlU|0X7Z?)H`TGb(u8>v{o5Zo91ADBxikV3h zw@VlfP`N|DIXZh23Pq!(f{imOI+Fl5D#4Pr${9pyh=;e&MAP6}m_>M28ZAo0XjP!6 zL(9WvlPK*c(_T*@*U_U~yvT}Mbg0G7y~;dbom7fq5%`~Z`zkapGfh4dOfN0veZ&ip z`B|NEo!FY-MR&TZF+3y1xMD{$P@+aDrT{T%n3A(sAC1iF-hMrefZN0cn>6ZNh*2q6;P-VXRFgb`Kf*KqVavR zRE{j|w`NIhB-8a!(|IApJQ>3~WWZW@5hMcuFfSWV?wVAq=X zVPe6nl4eEQ83szE7{)yrP0ev&F9`?d0sK?<)@B5?Sf`w#jl`}>C#4k!W7sItEJ3hI zvf_-~0Jh^=8*&C9{kjU%uq_2pqw@D2TkkdN^@rPo-qY>Ic740q z*xGJ1A8u_AgL-fK;iK=LROYSu+u*=&zA;$v%d$2tLWF3?Lg{5_aIxm0dBgu;jWD<`&aVXq^xReeJ z{|idJ#6{_L2#LfB1)zct9I00I`jaVw|KLBmej>(n_~$x(K%Jw&GwQGcAFq)Q2|@5< zJP-Z5DVL(ZToqxEaAms~INY|neTT{q8uG{@ks^nQurWW+hD$We-MDZbY) zdmE>TD~-wRihIbLV#Uv@1@GW;Th&0fQKFp^&Wd+5P6qA6DrQp7v^hE!?`m*IWr=>+ z=HL$DQ|t_1uI#@}1CO>IHlYC@8+iJ(&_F|xZ|wK4Mt)TCz#IxT6a`DS&&F&L4oV&_ zC*c;5aEXUOF>XA5T7#Dw%||m|S)SC73k@_Cr6w0QY02F=WNIoh4W{GqO}*s)EJ6*3 zB@dSq>T%hqo3|NtGsj?mc8Sc-l9;LuLD==+kFv#Nlx@o8vXAzC7)laPxQ6E07>q-#>_`>f zP#p*dD6-EI|9aMIuz1fTt}VFDcC?f|huPGvQ5w5`bgY19i*YCW*;tx0@~-`(qbcyJfeYEbf+Yr^Qt{ z-u#a=2oTQm*=$B_O|y$QDLL-h^`kHtdHccN`+gLA&x5faj(!->)!K-!z8oe&P#ePQ zeAj3xPDjje@yEY!YBIj>&7Ifb~H*ShYke`xxqDyo=ivEN8dvrRU>O1^;Iw z9*0@xpKoXU6I8pz{*9J9f-rCR8HcVw8&N3lvYT?__i3Ct56HVAd4D%R|C($!ol65h z^VL%@V!9OfDP+pDF42t}gKV&YV=;Gv_lQ6?*noaoy`iY4jXp+A#>MLa+@NOoPCFWG zS2i|&sQlX<{)fT34?#V8xCx`#JOF!z@^bz09exAN#m8G)|5kt8s6TEt;NSX_NA)^g zhyR+78e9L?c=+(iqsI>)K791>-|CHK{ZaGZynp*M{U?Lb|Ncq->zuyY-8<=^YN}j= zlKQv1*Xf?kyzTwX_by{Ft;0$s9D1jn_Sx>y&a0!NADh2a)LVaf!H-oiL10J^whvpc z_S;ZiFUFCt~>53m3jW=~wY$bK+b?d)s+561?lys{C zlJ)GMb%NK&oc5ht)<^8?RE`t1NBh|))~CBiNBbS~;lI$AQR?{pi&{fo z;%n+q-n}gPn|tjd=wGt^T5@9&hf%(fvS%gfId^e#lerW2`&$JPITzE&pMdPojkbh}nEd5lDO{LFWgU~SA@?GNzSSBm!Fjh*O7C$L&-G$4oVGgSvwCAl_12*{VD zJp!d)4!tbbLo*W-_+BJrY6S`JP>8j{pK-~rbFca+NmCCO$nG$PH zVJAt@4??W&gkJZ_%`N6kmo#K+QmFV$@J6bXBBVjHoY}0H*{phdQNLF89yQ<*Ke`0w z_c|Fo3=O;vhtT-zQH=R-uRt%u#}8Uwz1e8gHyRJ?4bXR66|%*^wgm-~s@5rk7bx~> ze{aWo2@(|y!I$1|_!O3*07~-~q|!AyzjnIq18?PJZyJsUgD`oyS+Ym1{9xV}>%Qzw zXD5Sq{))Y`tZ=ZYNIZF^84+MsF;D>l37$@N8 z<5;LQ>vi2a^+5SfZeXg?Fg3mEj|b|aap}!Yd{vM5$+_3Rh=GM)tR%tjD?e;R_<_mD z?+57R_yNC+T`*UkZ^BEZ4FGRI14Fj~Rxi&uIqx>@^b75vWpKtC{q36CFK=oTpWnV) zgGCR#Ui84k?ad?{d;oP)@5lD9FMew6FM4oi(E}S~OKkiG2IC*$r2oe>OaEHrfj^*| zx9XvAn)MWLpUb4|n6p`VrfYClK!NQu)nY94JdVdTn7XIj740##c|*EwUsQ{=tgNaz zGlzY8!O~ffp}&{eAp~U~^ZWfc8MtK&?TEt!7DqfyM>jfFKn2-W^tpo=&pKZoi`J@0 z+>+2M9mS{uIViU!4>y-;&;|Nz)k*yiVYTT(*Ho=?0UhKE+&?U6W#YN#PBBtXM>VMF z;#N!!Do2kX06MTEj$ZJ<6l93%cAlqJHq%}hZQ`3N);HA$5D0KeiQ9IxbwRl6_{`Zy zH#XlN@phZzc{k3lQX19yK!Q0Rm>A9tpx?#@XTh2P&Ic-P^MMtv`M^b0Ihp1|f3Vt= zB-GZtR$78a9>x4F>04Qb1>GoWpDXvp{r)r|43rB>I2An-^mLtNP+dXSrEzz62`&K= zTrUI*5Zv8^2X_tb?(XjHF2UX1or^p74m01pQ&S^V``0;jTB=U(>grzmS+W`|+-&pj z4up(B(sEQiSe|EfQWX&ClU^r<`Xx6Am*hB9jCVJQg>)DODxQ{XpfheO%Y z-v})v)TCO{8zClYs7*@vYx;fCr^UyYeUr|xDKB%mWmX$t((jGC%JgkC$U;jtNuku? zJ0y9W%56{pmk6~$kwXBrVIfMapD|(AFy@yTDHt!NuLx4u{819E^%L3qOJCHgwzjP= zIvVQ!u8-I(fYCFsnvSlm*l9&Y%1mxPP=$&}vzS6ExFH{ZbSCVl?#>@lRs)RM)iS8n?)YTyZ+0dJVR(B@3c)n4Bu30Q|u!vX(Fl))T?s0zpA8&@Wc|ccJ!(R`|zaCxf)J@{A4U_ zJ2<$A3a!4x@y8svUEPqF3QabKsv=8VIy7Iz-yKrF+#M)5eT6?rhw)`R`p4YykG`?F zl83>&WJY%?>#J9iezE2d*MK?WONpD(K@PEceeh*u4OO4zuB&Ro)gu#&LYBvw|9iG0 zSJe{T_3Ww1{Etj1UG`y=-fTuG=bSx#TA|E)pzj`)Ezs?Fe)83O9;M>%7TAdQ(naXz z$82Q8=*$6?Tkh>G;<)m6)z(Be+jLQZn`k~5eU9Er<)I_)WzZ!2q@<8k4Yk6Q{m?XG z$~vmIhUfJp2)-45BXRnV(6>r%S=-x}%%auIX8##yrJtFPiN9?zqyyuJsr2qD3kZIU zqdLD#QXBY2uOOn)g}&qb7tOH@$4^yg$&0X{= z=q6v6pJQrn$o2OD-NU|KQQ+sjeZWGpeGVnX6!($j-`@N-TDP3e0EK8OYMQs~FT%eh zfm{d&*yQKpoQC7<+ObanX1l$3M__l1?XKLT;PA(qrw5^wgI>5nR2=0WSZqGlTTv{NE3lk$h^U9v5lfEEBw&MnOTBfTV*a_v7N(1j(4+tG*^I7H_~&>{>99 z30Uye66{_5vK*HCWDB;n;e7-fH-pdRyVt-udp))SR^?re-`l=(1%IQ%gpBNzsJbDr z*6p8a{vK$RWZRj-_jt%0NjraG3d=&I59xtMwC&r|G+W7?J=IvbiZ{SL%G}Ja;)FE8 zKAQ(yO)3y2Q484Tp(XekSL~lHnM~V(E-+G}5Ts71!7_`-@q#~Sk*$&>=PbJ$yzut}o{GLe`_o3?@Twx;O@-DZLv+$DYl=+xhX zC{@vOS=(#~Sc$q~u=2`~LESa{E^fGITi#KhzpeU3HDzA-s$7}gadm*jX+tiio#tq0y+5GJ`rNRUE3b>?#0C) z>rEu`mHZs6%?4e6WCJi%T5OeXKg}+DJde9Puhl8?2}N1GZ?3WgOE*eDX7Lc5AzNo) zscrF!t?m7*$`?}NvLkyve9z3JEN!AB z`sqKane3;EZ9L0xbq~PliJFpWhf`O-h~}`|_I|rOqV-DCdn@t6USbmnYkYasc5R)$ z{;9e`k^;G*P70me1!<3nd_dl|Ro)wHb_VT1cEIETr|0!FG7J~1-(!gFv)|G6@LsC^ zWN?{QBLZKkz7qs~(>-PS(;zuy7JbC!sj_sT*uAQFlQz5YTheqg`r)NMk}u^<)T^0;>315%*2A%b`pS)&yE?3>kMx%?t?nX_HJ z8`U63+&riDbYha_u=Eyyq}oarH8qEP-_~5%aJJUoGW*0eOh!NPm@q;oX)C7%PlLWL z@9ZM?7~Nrteo5-mUiIA*B}k9Cv4n9+u&Iv1fiy=4pl5Nrp}h30W3N zKNk1M)6az!(3 zNAg$jpkU<86M^kM8-X^BW66K{Ddx1Y2&g)I6P=|-h(zpIH? z6Y|6Lluw7V+oOkV&sRTAVkm)81#Y*#58NSwK*Ay}zA3om)z-S2eeprlMlHm8oFU;Yd6E# z&)Rd})Lf4ydR=GEj{-O_(CfiByRC{sjRxJ=$ioJY*vYAs_`}6WWg7q@#!CFWN%(!d1J_(<($7k@I*q}Cdyz}0MmSXck&VUwgo!?s z3Rm7QYnrxm!JiI0Pb2!=+kL*^I>bZ(VxdH8a2@Twu=YTFW-qP5Of|ton5e z>JWl~OZCSgYn(u-gw5n>`!^i$Zd@H~4R?iF!nD9cySnd@Ps;19yahxv)&+jB7lm(7 zCID6&tp#aWrQ-Tnzst9Ju5d*;9|4i}wTE0N0}MDl>M);&uCAjsaJ~w-Z?h;Imeb`G zrORdx@g+F)-3OXj>|u{VfcDYd{QiLWFAUv?x3p%vaawtpJ5oy{ra7`oX)rsiav_Xc zb`fvK{o32U4I&oWdNQ3eMYH;w)c`bF0OG(>^+xYkdC!|MITRWDmd(@r4tSNdamON@ zxxGsBL;mm^&ZPjsW0BdYy2FVPKI~uO9uX~fXx)^1#NdnOEho2#LH#$+EMp(fTZup z_wxY-n_T*_*`w}V(RhAvTCrvo2&U(yQNQ`Xk{o|u^sr!a7!m5N$0i~ZlUu|LPl0rOX6 z09xOH#rXi^Tmsz#fWF!qzirG^sN8#s4)22c0=uqv5wiMLW@DJ#J^VYU2=zh?|D+}* zY56Q{`F${BVE)QSQa=6x`)ah{{a}4bK9u=oyrwd@yV17?#@N#g?9}pgpR-3#EzT#;kkaya3)zqGfN=f?A?QH9b@U?i12kfqGF%c4j z#nt^v`H#xq^Z6xfKn+wWH}dVpEZ3|?eL(JY$-jRD0 z*m_gj!{4W1JHZlJI{$L)s;r*stzK7)epFq*6*}LZr}@;l5oUjw!n-|O&d$c1bv(kh z1GgH17o=CtlcX==uJ_z8^6f4TP7B_fygYn@7h_+~kpyRL$Vq?$p{rgAAsZ1>jz{ZD zxE_0z50>(Oc0U)^s>nGYMy`_ItFOHWzRTfiANCDoc;(&M`_!~i*OAjvp8a0dWlQEq z?m+4inLw3EOS2fE{vt&OQWQLa6TfwQldREtGjnlVqVYLugx<5a9dZBHeI(TM#t5Fc zV)FTs8G6?I?sS#aW$C=u27jV;RmL@*_|EynV8)Ua(RO^n>&$YL!~c2baE$LNy|H!E z{7PIycGU%^dihHV>KJNcr0B<1aLVoR_!uQ(?Ev&U@^jO8&vi`-u0~I*=MK$FLUq{t zanDZp>l&tS5Xil=s77GRLlZNGRd0Su|7HJTk>LtXl1}%$y3IVB-J?HK*@pr)trnIMbFk-(4Sd-yP~&8n1u%RrP2x3^Ju~n$032d5vva$ zON!EXKzD1IqwqJgWI6w@26i^39VkvY@L(Z#6GI3 zwbn`;Mf!@&#?falzC??A8riIruo(VIjlo=E!A`At<{^L zJy7x6O9U&EAfQY5PVt}7N1&%+Ar3JgpYEUwnckeTq7!jnh(;xSbj}4NKqk@pDQG(BqK48`FoyyV}0c{6# zV^_VzWtJR8T$sHxL>UivrZk-6bgJhe@vrcYOjo#WKV;}>(&jR7@GIKOeY-0E?Y17V zym4=+V$B#WymOv2SZpU{R8KS>9?JZ!w*}8ZG39RZo@Zw^>$gX<3;D&Y&KAgP;&+!- zuDi06c`NYjrN14-#~h*$9SLahFlM|p@``3`%bwfWOc^&<*ghs$%#6TuR}+m3t!$h` zy@O~xGE#hkrau^yU3Toco?*XMNwPDg`Q&lfCnMnO*K^u=1eW$&hUO*L z`RZ+vguYJp^B;yzL2MiRg*jc1*Od;D_a%u;ShfZmgj4KB`*936m+%TTq&1rwJ6TBl zsrdvYS+&Cic@XYWj=cf-2(@A^NgI$H=Lb4@szMPwqtYoP>6gm%YNXNDf-%&ND;w)f zN#z=jZ0`p`&+^5(A93nzRgHrsM>Q_w@z6 zQF`&M*hJIMqrP@^NB#)tOoz&a7FOrZC0SM;8K`J1WLmG+rdMml9Ka*80JYFw)dbDW zVD#+DWjLY=aClZ+Lm{g=@t3~AvNahhi1fj();gP!JNge zHZ!FL{#KY0l}ywVmygzUIiB^kOTPGROh7mL%jJ{H2g7P7pj*bnvqx9ox@rfFNBk7K z~)HBQ-EsG2G1+e&5uahcm-o&S0gJh4|dNY@7E+~Mcdq{+$Rj?!7y zE|^iFM=N`seziDa-o z{|=SRjS&iRkc>ZeSy3^akgT@-_SY%Y>r2}%%nJUj{E{ zm?%*vo4r^D(=>I7Fgi32kB`g(6%aiR#Mfz(wI@cVqffC#;}IedmZBgyb8olj=S)8w zKgi(g&MWO5QC@+Pt27(O2rE&aCIOGIO}MTQqyIiV@k|%VI4-WU`puZbkInsCiXP*j zw;IQk2W&#KAPU)Pu(%|^Wuc}q=G5pN-37H;m8}d#hE}wrM(*iR_8o??Ede8;=RBxyQL57gKgrDCAseBdW|-t#VS%wqjT5ropWo&G})76;t*Q*UH)^_-tHu zbp$%E+o{x0M??phgqXXq-7&a7@94|bhRBk`Oa||M+Si~w;P#k>j?D3{6(TiSP;D&zPa*|*xcs4n3@hV&##eMq&qF7(NXxg1vCDq5z&@z?p)JC9e zS&&ir^nrEwrZ)pb)8+&G*w5MOFneA1u)Df$w8o1s!{8y{PNr`x-FK-5K=R4Ug`;Ya zCM$5einblso%)=*Yv)VG7d{D>B+vd)yT}xPs@XTAWfxMqZN1|>{d$R)$Rx5SYd3r4b(3MMf z(~m6rh-;=YFf)70&;z)zWg6Og9~MvTcr+Nee%1Q+HRypJarkRT4N<8*b@l2S`1&`e zwQ1^v#g-3JB>@13qA2Pef_k-}0^@Jt1m^gkrg#Z0WoZ+>b8^IU;_i(hN+~ znGG=%LsHjo9KT?uM##8=#M(xvV+24 zOf_EEEf1_7>km8Xlq)GYK27!3m`BzU*p6x1#i34vsJ=FXE(igmk93sarBXQ2V^fd~ zAWI9qJ{R)C=$Ntsx{GWzk(LU}kp1O)vC_Z48=k(TCil0E1f5$@sXzm51n%Zid=Dl9v9| z7(+EB*Xx4#Vj}(b)sW#39y z+2zWG+Ksd8$|l1eWXDWx;szMMCdN#-x&BPPatS?P?N$*?j6le=iM!YA-m0lPQJW?Y zk+$EIV+?M9`I58BH!mkLW%8Ux*T-l%ehKa>3~Q9+Zz+kL3vZW(m$OfcAx$Ib%b2yW zii(ITur35*NMfbjY){woM1yF%ZqXRIk9=Z@DrGUpm>AJ5!P>gVv>%9=HwKX>3jpnH$}JMeXBUjhy6d45wcqJPsPgbGT5e5ZwA zR!x^ksT}2Bj-~n`Hl>0t^_RnEmK>hKUoGGwzdQVxq{$+AiTe3$1O76DrN5&0 z&q0-&2&$GkVl^C#Jl&EwjF_L*N~QC|-WoXy8-d06_SUP9=Q$+^m;h`E5k1edb7)c> zIIdM%L#|Q$)csH>b7yE@iN;igq(8h4T#5isU5q=rH?6I0xYN;FnnOgoT0UxDJ`%=y zre3E>=ePD>x5sM0lIX;fHRoVtZEz?poj@KQhyqc>bd=S_m!pkd^Wyeuv-)YvVAo^& zb>{(e@;35$oRug3oCA8^I``!uLeF@4C66Hoytjh@L%zE+k5cfCR^Vx!$ zTd?x`a;1)bAR#ZHi}{Amyzi8$Vv7^^;!~}15hKC9MbKrIf}nBXnU>=ZN#K~&N9@G? zFiQ^0`ovoJi^ZR@qPetsh`zhpeXD}FQZiHtZ%cQmrkc^jSOMh!Nyh%^tm-RWT{*Rt zF;zoq9#v7PYE25^YpRsK?SMcmx|JM*>=C?gj z^&4xt4B9w#?n%y!azRTuGIJm)Xko2Ize?4|6MTQOx?k1vxueq$V!TyjdoKSW9>%!u zM)c__{V^X1bnQo&JoXF6PHv-mu8%M3E?_ z+8>f5ELw=%+!qq5E9ai|({B&i(&@#}@so5c!8*~H6UX0aZRGR-T@LdZG zWM2i_HyW;k_R#6m?=XW~4w%6rY-8^=$j`nBpp^N0pz#O5QedhIJfb~W^8gTv1C<=( za~)RD0%zL&)XrW8epy;U$q&v7mzmQusr6`@t_;Aqy!!~GM^lyS=V_UIjehc)MVBgw zBT~CI=V?^sDhn7Mqx?svfT%W-q9~wYx>+|yX{rUJ%0h8QWOfh+Y(qW5Hj zy~99YbQjRE0C-TF63QXBDLM^Pcil2nMiRfTKqAAHdU1pqeHWg{0bzeGo^_ z!M?qnUj0Fs?^w#Cde@tLEyyth<>?sgy;6!l1t$OFtqaa^29MNVaDZROc)VgP{WASj z1qD+3jXZL>rx8#-h3XddVuF6n$qP^(qe{}fdpx<4YE-7iGR z4?Qd3`Bv~<&ryNoWdFb(Fe{Jn(4Ws>AAh>xs>U-h3Wa* zSb@i(V!>^xru%*EEdt+t>FtUA;cUWKK}nM2wmR7|Qw(v^$mH05NYaRQ(#XvANYaQr zV@!@3nXkUPQjLIxN;U_RJegXywQ9CNxxn9DfieMiE%#gRLyNB4Mn(6vN&#;T_jXnH z*V5a2`$LAvM~lPLrzGHc5|B6vn2`h|SL@y`_X3wfeaAW&e-cJ1go`aeyDxET$w1!|1k@W`;g!vu&WuoSqK_jd|gmd{7qUKsahps`CbNN+9ea-ylhDN^* zF~{ZCj7sqbx^x}lmdmdjm4c04``VYM>6!$i4N~O~L>jTM8QZ`Pc!!t58QOdk!ibxU z3cc4+7zl^a35jD1F-k0a2ZzxGsbUMUN-X>|jBSGFhW2wCVvXDH88z1j`rkIhE4Kj@ z5gRmWs{gR^0izq*?>xx)89#UPUNH^>S|T=F)YJ&LUlP#23vLAK$#2QoC?+Jaj|vd) zW&>Z$`@J{}h0@u`Wm98lCnOvGMj}o3{r5)((0{=J#|Hm-b<6&p!=6JRL?G%{lund& zlvh+F>VLi`|8hRy_@5U3uZAbT>QG&i{C|7A!(^d#L;HV^=CiFA0(DXW`2Y0uzm4?2 z`tkA~$IcG;KWFj3#vnB0jPhU8`Cl{q&%55umKQ-5H=UbSq1dqVe?!hD`+T?dq=aqJ znL3hc)l{s@x>M3>_V&i~ChADr@icP4FXkG9s`&UX&6r7&BLYdZh8 z?rd_!=io}Z+7bP(D+yOa6|zh|t2D$NJ9_@_(AngU@7A4^uq!%KPg1Rhs%ANE^*qMH zd7tICvtYme!4EE7q(D*ngmsMU? z4jhikVrA=_Y(&Vk#D4Q&V7V88sRl2+H56U;6uWWj+=w zas`o^zKa(9NJY7Yjl}zu818&3sX87LcG6t2ta`?fhl=nL5c+7P&9N z)7ghSZ%#2XuNfPu{405gJe92jy#nv5s}Dy1ZV%drmboQ~q_j%~$;_F?!`Oud{ z62D)^L*_SNhXok>lRKRh@Hjf9?biKZX-ghaAkv}_bVgs#ihg=M8MJaAsYXpQ^hOT5JoXmRWMvzB`NcCx+MHwJtnYiFI_ z2MUfej^LX+%7~L|V(~Ea($IH<`sq%L!~yJSv0&GC$${xb2p13_leMQ7SB{C1?51MO0>+Ax)t!puN6a)D3^M$JA6>t3 zN;G6}L4Tn`QNjpP+>teh?^B@E+|sZ&)NZnLWs-LiMH&d-iIR1$b;Z?(zgij_O~CX886T)6%us|FOlRi zMVu6?~qS&zlsEHJ3plv3gzFKu=Eizg(52u{j(leX@&^cj?SM&%}^~4 z0&z&?2G~($$ziC#{1v`3%U{5H4y_9xvY1p-_(F?YAC_b4L%z_#I7SA4huXjrX$LQb zf>%g01B`&OEc1ndZADyItMy6L=eyBD7DAW87K8h?9@jYXWIpdVYz~XDnQAT_vR9IN zAvXN|l@s9aBprTupcb}pN3A`4ELY$>gALJ4$=KFKz`?C>&_oY~3MLY9eoy40Hh^5j zI4yZ5K_%v5R%l?zppg|lfv(tMD4i`0c)Z+l!DdWcJL*l#ezut8=?99Z0Mftx7B|dG;E>>TS%KIl48HTa8zwBaD+&Aazr;XLFS`e zlI%F|0k!1y!$oxr}D| z*uh@>`#A>Qw2!tNw8OjG0jRMq)}AHnpR(-N0xK}>X6~!kBlPX3g>kMKF-0Hky6iC) zW%Jm73A0OhFy`9_yKVj4TSc0T?@3`E{F@s8UK<@TCT*>ph|U+Zx(WIbFQ9B&NCw!{ z%L4krA?4mE$oJTR{Q>c+O;&XG7FyF0)& zk{HvUFZP$aX%9lafusG3syyETa?54Gdl!|9xr-(R@IJlbf2+NVNTPoBJ`9OM0Ek2b zRLp#OZH?(Bl8!U3l`Nop>1Kp?xG)O6$z_6d{MHtyXZAW}jnmdOk~e$3Cas}{kForn z1u}HVPlIsJVO}9Oaum*HVG*wMAfTrBqVVi&!ALM@nxE*?xp1j-b}zp@av>OI0&3L) zHzOHpJIQ|OVnieQ+foGym5aYh!QEPP_O%laXYGp66&XA%8y0SN#6yIs?jRbiO>Vgq z%j@hMDeTNH0yIa$h@UBxSAsL8vPdMD04Z51s`PLHIViCa*MV;ud64dq?=nI!Az3a2 z)PWswn<`)H(WKP)REYc4^K{{WeqZ(DWG@ZdwZ~^hEeN&3{lXA_LhG&^Mi!a(e6(bGgM;U<}b|wr0-hI(#DgyT)Dq79Jkquw1xkA-Y z1@cpWyMs{}Ivw6ftu^}`uIPOKHg>OLR+zK0?nTv=z6>~CLLdm)W znu4C^EnrcW?%0&zp3M@c)3~=HFM7@mkO8;_cj8M-Jh!MlYJ7>luqC{VZ|(`jPu-=V zI+-AD`NNSAIs(4&DTuKVX;)x7R`x^EvTVSu_p|~mi1htrnXx>~H=}<|D+!rXAqHFC ze>gL^5ZNQ%LqKXpM|0#xvl4u_-L**6fnqw?44iSm#Ul-kFryn-?c?kkyn4*T_MeOh z;fk=ahczj;5*KTDCbOvAh+Iut`Gl{JUt-QxC+E*IlLatFNIh^X4ID#pr2bs}w&dc( zAFlS>&BPJ;3_zm#xSFXebU#gnF?zD(!1ZFflx9Sqt)LB00Arwmwg7W_d|NQ?IfrhX zUtGX&-AVnoSB>HNi+3v$`#)By96omQ8(+>Ad@3Umr|dN#?baAuwEEATs{417pw8FP zs1vNvev{KGJDQ1$hf^}d_UMP04Cy+?Y;R`-Pz5hc1PHLiel_#a(hGjNo?TKC0uzHQ zydJ=x8^-?`yPwMxO}NW!qXazt+VAy5PH?J02)}>%O3;k1rohu%`qzX=ywn_bgX3xM zL-|9u|0To)5tiAj5Zf*kmBu@K+A-aTjxfo)OE*HOIg}#*kEh#VGDxaEQnC;CddWca ze6ei3y3MC!Nm;zl=?5eZEZ^gcNU#H( z8q6`52P;mS{jxQNxzv=#$SE;^QRj<{j!^~CO=3Xhd6{)@rd{8)S-5ZvdLkF=I45(4 zSH`cfE>kinNa-3XOs%`K2*bBdrFRP}cP1MnjVX?`I1gXkVrGYNN&D4Pk*1&34*cP0 zXq^Y1*oekasHK$^D05%zXL=xTIZ3B!9_+Dnf^IlCao7AL?!qW@0~rw%apJ?r*^(Fh z;XX**v0%K^9F+tHzju2T-G9TP%9i&dr04atU?UwYBnXKElrxZT3+EQp6jP}*{2Rwn zPwm9E4%Y>%=b=YAJw?0lZ3?pQv0a%_S=GW6PAbIxQWrnfi`9k4GXDvk#48C)1W(*K zqT#M`G=Uj#)6pA^>Gya-3b$OZmRth(hHYsK#lKmS%aVKF-%ao6v*3I|9e7239%pu2NEeaw`396uXVz>XkJ=q~t`7 zKo@W%{`w@dTg>+b9C#t@~BD`(vAolbti3l^(;dP%R{j3|xFsccj6&{WnRI!SLppuRdQ6yci zU;r;<*5DoNi@2moz~7~g%z|4X@$s6X^JI;Qi75%uA(HNHz>Q~K=*YX?#e|axyQC{V zSz&Q~IqG3K{Tv&#-+Km>u=k~-6n2_M`9;OFjiP+To^;?>u1pvM)V-7$)zAdB2mdwq zs)^WDcSi>&kM|LuV+z}VMjpC<9k-Io8|Jcnnm680o0eB`YFFK6{W6*G$XO5%qGAGH zY18A%W$fp1ib<#`;oUR@5K`y}ob7{})H^vFD`SQAJlL;>5cn}s5_N~@rl4^XW2l*k zFFL+7sZ^uh?lMc)5Gd6gn0M)omJDcEjoSgIef*g$)_)s%6MYh2Wjr?wsfWen4$j;t z@Lms)0-QN6N81sV)UdGyf}y*@f6`eA4|L9dZJIf;M{%9~jgqZV?@zZL#!;ILLwtTO zo+*!!3JoAA$k(&1GHjN`g8qAg&@m=EV;%gdQrO@#EaBCqP{ocsCG~Ccz3Ld{t-|-;w zmy+QjNplB)JnQ{=Wb0-M%b~bcm4qaV%;i`*?Gx3y@e%)9t|Mz;NyPJyXb?*>*Mdck z8;w%cb75rX$!^~XRCR&h62aLKzK;`GsSS%laZU5bfHt!Pg<>q@kbm@m68AU9fx@D#oK3cY0EWS|s zotu_iwSaT6UX6DT%c0tVGv994U_O&p5FaKdIPtq)MkHQ}KUNbc_YM#|8|e)YSewoGL&G4fzC|ElJZq zi4Ue==t%OY%5LlTDlMWQ1iuN^$2wa&6O*kG#uelX%YH9SbraS|{mBu$P#G3d;`LmK zl`={7$M~#nL+unJ{L@BGtahEQi#3HYCr4*i0vI#a0=Vf&LLU=J1@?Fy_^HBTQ?JhGgrXbYsJwD`_$2lsu zO{7d%7N*DJu_tjj=2!~f_>sY5^}=#fHm_@D(@s>I_ow@`gW`r14ygs!+ldSY)4JnZ zWN*)~F{BgX&8(lpSebcDs5}ZOKo^&$4lx@SlvG~f(pszN-5FJCrzXR}=S* zML>}GW1L2$L+wY}>4`k5A@@m;kCW>roZ+4goTe}KL_j6iN+GL^x{$}u0KZHGA3Po| z0G$SAAP~_6VC8q||WJb%xT3ZdMhCzYqj)dL0qg zdsG&`K3njSGOdqh+OI*#YogF9rhb1%TuNOBl`jS|3QH8O^;_I@ zQtcr7CQ>dSzV(#z@pMgm$M~^gGJvVMZ$HJqZ=vS2=Cu*3EMIvTL;MmsbEEmil#Wc^ zPk2IvX7-#hLF$x3DK9Ymy{fLP@Yx8IP$8r{lc52$(_0Y9kIz+_<#ez+QbqHZ3PtIO>cv%GNE~hyno4uPw%gmYi(x>DePbF@Z$uV zB;=(V?1%i#soRg;UQ2)TP|k53~l9#qtP?L{;A`(f-FPDzjJUE z5H5{l2xL_`37kWtWAqX+f%NC5ZF_2lunVIyu*6hnGg=8!%q26wsDTs|m%}5RK z`v5z^g-ZOWlVKoJ)R$abEpgP80;r%bEZpC~x3%LXSn(EXkjREqc#R!XJ02n<2F3*? z|E`1jgEO__rJW|a4R^-p)}6X8T^Pm5C9FE^SbQ6YpJ2$tJ`)Y)V&baLoo1=Bi%(T% z;+9b@qZ9_MQrqM>wXA1FN>rrPV%@72cq)ZctJtJm`mL1$#u*u59w?9P98L1*~#PZN7Y&LV6YaUO=Y)?X(rbi(@^7B z?P~sTkn|d%pesz?GV`vqJSzsV_Vm{Lild+F#vV1^Gh9o(YS2kz(g+dSgPJ%%(};5@ zVW@0yv2LZ5sK?0%oog3c(POvZ&Iy&&hc{QJTRpTya^7(BU@u`EljX|=b2gekMZx~y z-LB1NCRx78`U>x+=Uayf>3 zEJu5fc}JaishRoJ7yp)j-z3*!E>qwxPk*YoB+Wtm3(C9KmY$+S$0mQlt}+K-4v^+M z@m-e1IqZ}O#vks-{tb9b;lcY(V2WeXXUJB2795{k%|CHcH4*uZud}Yeq1INF{5LE+) z*jhTqAoT;mE6hv2)_Pis4^A?czor{b)y~TlelM#m96~ zo;H^`E@JM-Q_#z|>}mIgd(DQvid^@Nh7 zP?dp6#Mc29jro&!HaofU+B>~>x0~xFJT36Sf!goWmvW7BesD`jUWD=uZ0EGEGC}br zkgw1=@>Drs^~M|iLNUKJ((g1aLZPhe-KukR*YeL866{oIEH|1)K$kn?ap*B6&9jjJ znD6;7$5~#x)*mw^lUr2qq;W#T-OY9xgz-@TePy<4ZNux zM^C2{r(wXt09l5slpPAd!QSk0*R$=It9xzIFcyVF+h@EzWm1{2SfU z*d2PGU!WxQz^2$f))fc??|AejGt@ZiID~X8(H5V-kFI=;%`^gDz_&?!mz;b*(D72i zrGBzh=XDYO=`(sZz$p?Gjx2lp%n)6@;AOAp6Gbxc&FJzgtG>^N*?mMJKV*-`WB30E zP?3PA<$9}pPxf8Zi(Xf>fL1n=T}`&Y{J1;uW&^SqZi_+9!#w$#enTpa4ZZ*Kx8MUPav%1z{V(QPtD;wLXR^{!EFZoO z{@d~BA}efO{Z9vx7U_z>wpg_ydQ?pMugTxzpYVqQ87zKcppbD6Un#d`uZq_x$)q?a zIFbmLgyrbkeL$;XwrZ71s=Q*A^TDkkemG>*dfO^ps(P=MYnZruPFQ^eKh*MQM~P~p zj++dfVP-u3GJbB=1+5YRoLf6vGCqcBz5kW@R8obF>yPyai%2`oL8jAL59t*I3o%1V z7%#{WX3s&`!{nC1?~VMPDKp)#|Kq)Plk2u&IA))E7wzLbd_{$S+_$~TS!;&V_o!uo zG!`n&uB<;c(mf4Iz4_-4!$#ncu56jizwuQ=cTZ6-o)$VcY^~m5?gEc$I|(mwee$e< zCF)3TBx!DK8^2iukd24U=$WV<gjh%-uhp*lW3&)qNkqZ(uo=clzrsY9Y8a0r>{U*YiVl0QfU{vU748{bQUS z_-(veJ95%rAbfjn%ZNk3mF@DZ6V1F|T7&y&eCg+DO(`Y7aZYscV!id&C~g8MMGr zvrW`>3N~ReeCTs#PDA~BVO*Gd4q^)FfO(Yam~x5odawR^_?@=TnlPK)yCE-O|{jP zz!;7>1<8ZRn;FLVU)sNZp7BFuCs2s+AnOv2^)|%HLu^Zm!3QB5VVXx79E5~Y5bE?D zX^S@y{3?Ff;0Tjki?$rc)y(OmQcJG{biJbC1N7qF^9hi4DbffkV4E#_Q&6Lq z5FU%G)pg3^jIh{R1moLHNjHG``-mPAi783{b*x$*R{crl)<)6DiO_d9!}&G3I$3!`Xc0=0 z6nCWfWAnkR`>66umt%&i7{mt(ErH>cFkb`B;}YI9PTdt*J8hjPSsdK5C&8q3D5ik{ zaRj{Ty4rwE0y@E>$o%($_QI!dqvz>9rIcQ!LOEXtms^^r(0ABDt&3jQwhENwNr18em`n2Yp*;U?FracM4V`qqM%68&aGtqhahqTsnlf)x`qdq-abu zvOaFqaW5hMX*I_t|9dKZoON|xep2vlWS=~H27s!shz7R zfO$Io_r7wPH;}c={l09pJ3u1mSWREVa9E9vZiTXXc>-=ptRd;Uojpk8{Ne9|<^crudG43yvPO1bU7H^dnTjQ*jnX`I1i)MdwF z=KY>k(O~*(FNErjgkuA_RBweM8!Ht{A8s;Dh}To)%pmovbV~jh@_z$&K#0HE)3{@K zOTqr{4bLwcH~ML{0Wr9n87e1C&Dq3_TqbsAV?t;2 z*kfs?i0~iZE3745amsM)%$6vojb*tgPVi=rYhOal8axI` zGSL)#ew8sq39#5eMgV;&n^d0lGY_qISt!1{cN%-t+e7$D1wA1%SMVm`Eg}dAEyBRH z!7sUQXfx}#%ujU=G+t1zXz#y&#wUR3APLpVE_X0ZCLlntKHgkq1 z=DKBq8o}+a#1YbBMIO5qMSfP4wTWtWEn+1p!64jYjCzVBcBeGUP!*uK+n6#-Zt|YO zyu5hv!fWVKD!w;HB_k;~_==+>Vrc$QwWSoqE4*XAQ?gZ}Qzfz`T0uBm0=8eVu0{VjIkr*iMAc5U{8b3*415w2A#R!iXfV2T*Z z7$FuLh+teO?gC~h>b1B6y=@gT&C_y1R}CLf3q@BwDPk-QXwsLNaF!Q7oiDikv^t|X z-&@OR;R3DC-?cnS9(UboaK@szrG)PYr;!5c&A`04Zy)cunw#p%r{3^8nw4GlkaPll zq+urMb{qB*U67J#9M|{zG`#XhRR3jT-5q?MHP=yPS$o4+Krke{Xx85KNqI)dj!Ywzw~%y`+>`i} zJiM~vX^#6uytb60>cr_T&|CA-x>m$)A#6>ec8kGl#eiM6S6?G`zeeo-FNy#4C*kJ( zgvLI3^k_!>FNe$O_}?c_{;dv=J$m?W-lMPazn@|L5B$pjS7OZ{-yvyc$A8!B&3YdH zrTMt=760Xv{MY`ad(t}F-RpF{7v66C{)YCYN;ve|hpkup?X%YL-r4TaPN#B_jYr$& zkp~0#>l}0=*weycrBXY7dvy5gwug^ZD*i|$yShL}vvR5O;M=v6gLQ8s8S>q)V)zSM z|7wQsc4^F9{|_h?G5~}c;NHT$F*X%mhRZ*a^VG>6=R;$~3gMK|iISk+t7{rWEBJ`m7 zTm(orggN!dT^0FtSrT+n0|q~6-Q74O~3dJX1%^0J{|MaVmPcX zXHXUpgoK;k?MD^sg5i;iuneMpJdk3B1Li%d5F}v7c9;)zl5MkZn4WCYvqx41jKVig zyRSE%T3OFHZ?nIIJO&NwI#mj&f@+|Ffu(BTap!BaCUMeZ%d9v6+guL2Hq#;zJw zs+e3+g4q#xoe2VLw0rc+udnw&acCdz9PREMzG18T1wT-c_m5AG{T9OBBg@9sb=<2J1Yj zvMM;CnxmbeDUn7*23-U`C)%K&=aj2NAq&KADm{B@j_Z+m(CdKR9^0hJy4ng3pREBn9ftQ4qxdhn`!LUhi7s|OLwJvDR+6ut^6 z=Z#N`c#zOwUkQ>6=scIQ@{|6BsjOzk=#ng^f~{2cN|NHJwJ1yCkvf?X^4TNfKI@U; zm`+pmE%nr^lfCw98W={RY}lf@I9 zLOQO)iQ`jtW*$1@xC*I2nGdb~J`MYq$Wp#k6(#%_P9m}@T+#$850TR&kGwk;33zZW z34T_G0qUXsqc=wm0aOgUPnEu6B7Z-Q^f44yHCFp%fx}tSsgU%Gfb%`L`_!HcAJ6fy z+#NLZ=#e)G-v=Y)5*6g58n_Mz(Ba}c&3av4GSW`qZ6-JRW7t7~I+$h?jM0@ct2Y*z zhypn>;TVoiyT_+pux(D@siTu$m7LM1yH={h8f{ZJqsSAzG#*W}V4dK9pfwV)Mk35& zbfpkrQeqZJbhD>h7Vslzk5*maMiA@AWWXbd(~-C$rAb};sZOJS_Mx#+FwDH($d4}V z6E{OCJD(I6Sb;1`bf6BPP$zay+L#~MIei7sbrj_=@d3K`Yr7+P9s_6QC>-0{s(=3& zk(KxFu8xRE+ld23!< zRW#06ph-BJk%+_Th!5k30qKZ(c)oWr#l_D>A7d0|)1=Qn+_cIwg!{)d<3MESW4==g z7Y6qVYiej&ko><6vFf0YJ3cnWv9k!Pr3#LwdV40-Tm_EI+Aa={U_NuxXts&NqueUl zZymllZM|vFTO`0^=Tnq|6!t)8oTCwK!S*UJBgg6oLP2OzuL@_mb5(kp537(cogqs* zDsTot#xlheLQbyGr#pt!I956f*S0_{VB2dAlkn09rKsw)5+C%Ps`o1K{~nG)KdO2= z=#-{EF0ia|p#MM??k4^qdx?JC88ry2figZ@Il+dwzWz>cfl zYuHc1Dk}V8#1FqljSv2P6W|QPzex~WR=u~==p0W1FkcxuM1TCJKk>Os>aUF;!p43C zMG_z2fAONX?`K!^(qWuj2j}$X0qXp5M1LRS=1YIX)JY;%l1&;;NmA47_uV3H#JocbZ(%wbRQ4ERfLWGyI>zAS1l^U^cS~-Hde7 z?5H_b9R)U<>^My`hK7v!9WiCT$DaQ<4;go8VTwCjo}Xepsj1 zAcVC!ER2$5iOoX3OUQ~tw0cm(Vv|;dIopMs3tg&Osh4mGOJxj`*mT2E*noIIt*TqL zUa8yH7x5@iT`@6w6wMuhR!2d<-%yh^??`QD)$&eREo_7-X-P(hQM1lwH-6v9aeiy< zTV-%z#0~BjeX8{%5&KqDvY=v#mW!rdcC)^XyunS-%B_0l0w}BJ2nu1Y;3~%LCI}X&7-jvoR16v2 z-r@e7MKz zpS?agI-m#3{2e3)r5N~zf)%hrjTzP!+Ut3V4;nbazGCZ zl!P8;8y9T16h1*6F6$t&ykjz^g$b!K6XXm(V^xrdX9eBTzcDB}C%bu$(8?yd)b!rX z6Q?klv`0bgV(Au&j;e>~MCAQ+JFQCnd{Z=V^$uj&L5__Z8WY#vk1^E~-Vlu}6Z+-( z!dU{qH+iPWdkL)jdxtw8%s4d1Kur_~AbpIUSP)9S+IPgE018DaJ20&+MK^1yVF#4* zs-u7fLsFW{ZKKSx#ZAy|RJJaizDLrJh8Eh}w6&oV?@QJ7Z(P$*JjSY*%pqEJj?l2f zO?u*|sjgc``Wy5lAuUPuV`GogES#y+Q3G5IX05^oI{n7k-3 zc$@)L$=8jfO2x_RdI>@)%4J#NDTTU6tJqk|m?s`Zxl=1Zpi3m5w|mqftBf+sc6K*l za0_+=dx(y{>g)#p+4`x43U=$Xdo)Y^FS=|fmkV}=Ole(oDnYK&HO{a#XBC4uTW9_i zduAieZbk--S!7C?2H|WJtQER#h>RexFv<@mawWm}6iulA$~H(uSzk*rYI>TAOdzL= zL1Xn^vd*cpO4!d^*0J^Zq%RV+jP(E2{TQlCqQN%{ss3Nt9D?V`jr4K}u3ukB>oP(^ zd*!5lH8(*Bi!Z-``kR~oj_Y-Eb5ql09q5ndQyKk9VyK;?r)*^&IZ-~0 z6V?C_PuZL*io2UToA0XIMM`xov%kg3z%DhUj*ujz%8IB44wd7Tj&ry-1mX|UFRuc~ zk-t8gRISmDkJ!*6853SGEJ#VF z5T#j*534ywY9H1Xgfb~ok$vt)O-c&(wD_LFX-t9*<04q(b#VGw;&o8_S^Ky}$b8}! zIc~jaFX?^<1C^3xkjs&+=)4NoBRSK#?`4v>L_v{(iloS?uej%JlCrRA3P{?a2cWQK zi}tkAVLI!*+j@1@+53O(Qe{j;r^#oNXorwXMfbFmnf)&*^DlP-^8?vcfKR6Ar8aN( z5gTln_~&|34=}`fI_8(Ry+&0ZZK*4dtL`wjy)8ujRQ-4Vd*N+4PNw|Gl&Wow4PC*h zQhWV=#$_x>-lj7T@mdkTM`>S~gr#5{3C`II>Zin@1f1^U`2+MP!NnB}cL@mB>cvZ# zd9Q=#scpKDZoi9Glu}P6KS`<}M3|g-s-57SX@$=6Uz*?R=9Jv&wNi@&HGjC7wp=*XjL0h%m*ehQYb}AHhd}L1%!e(B?re|tK;fk zmI1N+G-CL|#$|9r(G6Hpl?=wU?#@0b>+8sDEp@}0HgCmD+Dfft(!3Q~k1xWkKib}= zzso0yPg~3+IqnndZ3X*}e7v)d=SQ7x$?!X}4v&tzdk4VlXX3qoeROiRQ`~$Keb#Q3 zCiiyaG>wkrfDpL@A`*03b(iBGb(T%Iv$zKmUOfuC9ik68j8s(`iadx-r3}k1q50BC z_^M1YZ_OI(kNi*CV0h zit3OcxTnw9ay5VS9$;uAeo&Ri-M_?;mnwxwz)E9(Nk5*bH%4)MX^8(J6eUWT?V~_Y zq&WOv_oQ{WEJ0zA7)6D8G*j|6M07Y(T3U8Uc3LG!jHPuh>s3JB#}j zHdY854udk(Ck$mSNXw=$yNxhXvYCBes(p+$NO0pJshpvUm3pNd8Y-mE2@S<3U#Jx& z0R$c$3#F=3x$aI?LLbcOdusb2c}S`9IXK7e+uq*pewBm+|8Iw^1YC+c-&DPwDjF75 zZ@20lzdf#cM?K^jAP3f#V>wb)>|5n|cNV`gv#f&$wq0sr)R!3o3Q7xdVa*Dngs-l1 zg|phwJii0&*-y#)>r{_^8(mBzaS$D8U&dd#(Vp0b$z#zg@ zde;I%Ch3Ej4Ca7-N#YC928sfsl2X{?ajV;HpB#2fREH>NGCs}Er$&b57KOe$|e0&TtLKy}c`ocB}Kniad)L;&xV6zO()_$Lk zJ;$X$%N?@;@#1ZkJF;%g@eE39uMr)7e=?)X?RgQFWClfuSK7WqM$=muBZ|els zFbJ>0!4!QbWSzi7!2j1FP~QLXNbZJ_8;XyeM@293&PQ>Ne8OmeiJJkPKw$F!Xc#=E z9c4aE3vU%|Yvc=D`kn5+K9*xIPnr$3xB2*{%0I5?P=fW4b&~ainAYsIPltV$Gk(pd zB}f7r*k_$>c=(1=zwp>G0-}h)eq#zFq~%^3%ey}cGR*;WuB2ly&`l4cNCe1>_Xp#- zPw~7y%>k`ZQh+o3pazVNO|DrqSbqjhVVLeTE#C9~@y~VfZm|OheQabpuq%Z&1+pvR z(a7(`+(C*1M3ZeST#F!NqbqkZNV;esV>)2P*mzJz7U&wUPWSe^d$69m`}X`>ZXz}J z2Vp;nG3*^ILD=^;clP%@vj>+)=GU3XC!-tqAnd@aYH1?8@@ zckD>^C3LzpoOo+#5TIpm1^Fkii6=cjx4T+Vs*y{lkl!A%^ zAum;lR@D%W8ngaEsGmzOq4P={V@3w9NR&}Glc2_W2!l?bKvY%SXp_MOgc4GpVmsf7 zZm#_sT4fw0Fk_u97WOb>XU8W;$L*8uuhvZ4!d~2$1iB%LgO!_+b9k!wCrp7o*?V=` zZJ!YYD0*r|HZOF&CV_ISl!Ty|6CUk%=6PlCpOBz{OzsXRgXB<)1Qp6))}soCoMXqr z2q-2V>GT5IZ*9Q6T?J3r& zd94xEkU*H7{d<=?kDm`piE(9x2VYQ9qXQH!ra16E|te(@IZs|k_{jC{sW`ZmclG4Ka zh`|DaBNz<`rH|z>F*)>D-EfMD!073$u>3?ouRnCWmCUa4uCr21VUKcHK!yWJc;*bJ z*>xQlIpB$r_ESs#s6!`Ko$=Ud9x*JYT*O6qI0Slki;srWYd){D?aAp z!!!UZ>;^t3A-;4LDIqxI?C0}3T=u>`*%0vO=!zq;pzD2%PgY)k_Jd3$m>P$|EGL6n zl|r~Weo74%Bj^HhQTK74qu@%FA@n)MX90(ma*uoDnTCHip@lc&Ud+C6SaW^9e-YSm z4lI55kB)wXU3#ar^R`WgjV4)>Ua+DNKzSyci`z}5A_ltxG{8PBUf`;boO@=gBWa9k z1iHVjG&(gCYM2F9Zj>9J)o zXqsb{gJkJry`Yb0J}H8+CFSpd^^8^@aBR#~8L$0RQhEbTKbnwG5sRP>LQ?NxSpK%x z{O`5Kl3K#k^qHy*!u{OHlc z$EcksYP1|kF`wc)b6P0{p_!piQ=P&(JqMYY$wqd^9iUZg|GZ@gtEHk9ka2moPpX}AP&G+*hybF+q?(|0|X!7RC->p zYE;K3dq06Lh4N&=hXo)f)y+<~)!o}MSqgR_u1X3rMk%?FOcGRpRZAl}6zBZul9(NH zbW34HDyWnrUk2<+__=j*2pV)D5_qn3wkK_NkY%0-#p(4a5QlvnC5Z|+Zg!?xS=h6T z_l2ER-B{4s*3OSsVrQ2(<3trIIOh0Z#GBo#rlPm7d9 zD&oNNfZ2TH;96Q^@B-^tG{2xdo}Y_sYYypuHvejj49f?!GE@m(ajk13X72$e9BFjH>~9@Gz(0GA95%$>#F|3nZElEWU7Czs*`Mc zA(rIjQF4@i&70P z2!VuTed#VH?iTBgTCefUL=vFB zVQ-Sg=3PMJ66$$#X*|c9wG@pNC5y=?h-=du=>#|4k}pCSd(ywS$-5~8Lc&SnTZZBV zB9f|dhh)?;bp{zS*`Z8IjFZ6aOG(2=VOg2K7{`*OCM8% zaJYsxd>tewC~+K8ip8bT+ps~Ns1Y3qI;#XnHw9*JpCAE+h7cdDot>lOTTB|AMcQT#s~lm%Y0#1$4#P9Ljzp&} zQUN8wq+lW~rF#^HQp%;Bw?{u?^5gy~%E7(;c4w&!vk6!F;|OLa{!H(RS}N07GEMs2 zG}}aBzCJqHX^W~WPcJtt8jy6HvK3XVpMnY%P|MPRBvxrsdMCZ`lZn>@ zb@(!vm%u~QRods-FbA)XW+o%ijos}Mh2o(YWw#1PhdXsgrZt_Ii9N7&`0?f za@&;IEl~t8gfK02Bp4n9C}xsFwSorZe#qwRTYia1DXQqKk1gV$B5#y&5C@gaf-9M` zu(XlJQDl4&trRZ`J2A^g*uKaB_FLkJbvPhQ^n5S9a_kY!UOBIRwRZX$Aw|OXw8iOj zeHGA;n;j@CHyb8{hQ?8q-7r)*1LW>0%ks>%&Q54)pY+C_!oR_Gs^TJ3ZR^x25?`1( zmviVF2E!M@6uz;v*Mh23@XQxmf|(hGN~cwD5qb>VKe=pAKIPG;*-}E!nUu1r>z?e9 zm;I=Fbav3{?!3jo95YfCrA_io*mj8F>>P_N@p&pViH(knD}kh$abGKhHH8YA z1QhS-OZ2ZGcZ)iQL6R}GtRmQQ4o^FiS2vxX3k_TXH7O0 z%+!G$I{%KIwGw>Gl)^>YPO;~CkUM*H?N0aOMi&r_#B!sL< z{6o;3dW>$f&kqk2@_o&LO&zp;0jq4UyVu&^`+uOWp_x{2&e`zUCVhM)_k5*IOSx2` zDM@=(NDilZ?Dvz{+Z2_C2u2>HAq#g@nsVxI(a*syIH}5tfv#5O0VQncPT9rV1r6E4 zwibtocS?9wy2Ews1$knvkE9l=r;5hmp8C2>LSWjk@{n{HJ(@Tgf2s*!g)#~B{76;T z@ZO<|$Q~z<=pFXU9lQ8H%Z>CTIQNqQ1x%<)4iZJbRKQFFYsM6UW**ilW2}s4Kqfq_ zJ2BbldpYd@^BFf$3Dm5~YiI9?L2LF^I8ZOnFxycmU2dNRDvE^8vP+y|^cm&w6;QOi z8;Z~u)e_cj)msaZ{K)e{)1lA;;z%#7fZ5m7-w9>DOK_biXX99k9P=Yo0n&im{TG!3 z*oy|idm@#-@tV?1y>1c&h>d)WhB4MhQ0r%Xsqs2PoikoixcOl77K1+2wglx@tFaeG zZk}6q_>_a=65vCIZw;$#kEBf8pTHo+bXxe)Ew6rIU^+mn!~``8A|}_3N-I#Rsj3(f zUB#CH^K0hd?MrD3gSbN;ur(9BiWHC)rk-_+V65j-^3}Ik*{ANoo)x?g`jpY-tzCtv zbWgy_h}PEEU0@F_tzg&QVE+@J&0FU5mj}pdcmPz#kRXqTq2AqNj zn6@PcDBiV?du6OjFl6q>RVgEbP^|h%r;xPF5Wv_8AeC5+jgeTq8cs)7P9Ux}1Tx^R z217j-6l#P`Wxy20;``LS+WYayIu*3%+m3g)#*)tlk;5^&?-ILe&_ykvOX;Q#W-0V0 zcTUXdkD$u9SksmnZF7*x7b7IjU_8mNP>IcBWra$1_E6*Bdu44-GuV)DA0!pO7xsiZ z%=kpU=s!wkfK7RMtFs-W-* zSm#K5Mhu`BP)S^cWpf=~hLd0r`c$F{e{H@Bdziy(g!Wu~sLH_;?U+^7WS=0^sjL!j$YY`nod^SU-u1&w)OHxUN12s+rR$kS>m$cU zHlN*XboEYIJhhIt##%WX$*U4+&k>m)w7?Vt(C?$@8|WLSd+kyi7-kVOi8kY*%6#Qs zn3GVW0t*zfyARn?9n@U@P~LNmp7k+%EG-jFf6FHsKV0CE;-(A#*&Zn!+`Pm{)g%-~ zOv%e;%x1(vk^q~nAq)cixtCRV+K1it?s5sfid?u?scz$nEDP=eLfCQw+Ju+ z6LXB`o8we`I}%d)swrR0e%11q6ORqzXcZxTXd6qkSV#8`rc7y&mn4qP=cPWogftW? zDGNdm9Uh%wLg@h}N4qtoG!74&2M((k><+Ok@>v}ir%4`~LRyEUhKGrBWPp|WaLJ=m zjAO~2cohSeusf1kK{Vkoe~r1J+b+T~s+eh0*Us;ysx0Ge&I$|kE3w_^nb$`r2d!?I zXH2x;c%Fww>ujr;W_3glLo3zZ`4hxp<*;_YtUm~E3@9WVhP!xnS833@0zkUE#x#Z zxx>uVbc}o0D7?cqWr@`^8^M_fw@q~0W}2y)mRWQQR2Cm!ai)I%=*?nlOrhe-*e!K~ zq>{b&nhLmfUA|oL1Y>i`L-xLi$}sPYvN5XhsjhmTQ`cfAt+o~KMZ4NNJU;EtD-9<} zCDCA$P8m$qKRc%15-gb3X=S>waf$5B1xYQ9nNVlORH3@opG-J~+WrDPusKbW%{1w6 zj&F30&5p_(HyzA%PND(j)ZC7#&@h5{&WmQ;jM|E{gQC_?r4^Y>B?{cTiZ|!KT5S{l zKlXm~p8ikh6(qHb+rCP{!?%0O&oaM%aVD%)yI2O;mZ+i1C!3aEc#`;Jy1 zM_+wcyC7H=m}F!Dr5NzkZ#YFSohqCK+3OVh(jTOh`~U;Gw&AN){51dX`}bAu2mOQa zmEYC=MgW)J)k3PX2>b#>^#ogt^qpGOSR!!e6!!I>=5Dap7Xby!B6c9?ed)Ak zi%nethQJ6|`iXw^kjM($?B zXC1H`sWlY%X^3t=ew$-m3{7r|F2@WHH#jywiDObM%mJx(uIeS6_iE+}K>10rKJbEa zPZ-WPWmr)rUpaiaChuA2*8{{*EO$Q=P;Z_q)RvmtkF{TgkqW{-!AN5At9KfO@0}b3 z@v^Pc^J;ETAgI|Pj#`+-mm5K8Al^sHPW6!w6Q3BO@Lq+j_k)Bqc&48WHO^HlE`T1H zW|<$j(%8WB&$0WNQSFJloKjtcjLPVRih&XF83S?bi5ptD@(RyPM&Nz7iH~o7XQ-VM zGiChr>S%vyZ?@oukj{rEq9&TrLJ86~v;yaJ*LQJs>vI$_{>(>IpL`Ci^xVKo#PLDg z!KxIm=ce?$ey7ynDr1qcQCaiaOg&)C)}evDY3)$GFNF7}zqYrXyZZ0#?eDq-%JIo( ze(`Lp*(}a>ix87$mQ5>}>M~VaX^G0ZReb2y<0#2qSyKmp?@V5ZxPI12Hdy`3Nxw3| zP#n+F@)4}FD+9iv||e@6_Y3rT5s;2xx=x00HIFC=A_ALKBt^aeBb7B ztDB{JJR2CdiGy%VHm&cO=m+6T9qeExcXkkiyd$6B^Kv(up){6Zn*`!>e)|XSxrsvf zf$nfvgT7x9*H9QgyZ7vtE19&8v8(ygR0;;^e=S!ja0-HXC=eGKj&#S-!x!%Ii501lxs-@ zFY+L0_W4>EgzTOKxstUcsEFB>*cJp0_R+GSMe^Ham3-Ch}1WBb(kP|2nvk93YsG2e1V#%tAedQutBaA<(>usORE>lWaY#Ut`+ z&Vib%4kV{ubcUb~CmoO;l-@~vod$xPNoz&=|LWxE=MGcB^nMW*Wf=)_`;z;}GV8!} znRr001T&d6ucaBA&x}-I6B@A~LQ_E-XBG{DF>5X&UXaw<7iPs9I{i>B`by;Wbr;k; zepka%DX{&;x~K{2nYqJpEO+^T*lH-f@jC5K43g11&v~GWevSf>*YmiE!+TK zqsQxnVu4+L6J~FxJvoR{_}vE3nlR#l^+}Wv1S?Iga(pTkK{m8XWd?~p!?}oX8m&#@ zrTc;V%dPa8S>Hf{y%9P`va; z$Ho^Ih0?%-C{PyT7chlS_%JY0RBy?2`7Os^g5UJ zFy}GUPjxqPrk$>2TtiBd~pw?4dFNb)#3}KOy+h+(i zj^#9wQk0;5gF%tx=OtD(^91Zw);VU*851$0BqM?Rz*C~wR=XG&&=jR7408#8uphrw z2-ytM*t{(S=^h>JclVAvb_(#Ch3dP`RJlO?iS-ms94l1RTEGUS#-~`>ES!idZ=kc; zY=vHhR_RPwlzN3K)G8R|QY$4U7Fbf2-I7ll^jT-^sOmn1w@&&Cp(b<9lTqxeBVW3z z+)Q2%RwE-Xt8yPyCU26tX(uMecEQvvRPN^K+Ggv~(>5bG5EYlV-PW6#$OKMcb!urC zdJ^gQH;i;*I?>GtZ3)M@z<{E)#yZWlT{J;$2&&$oVH375q+~d~FE1NC^3CDtYN`_p z_%(R&oPwR`umx4d)D&qeJ=x~>=*|v(L~VNR_$r+G1`Y0;rWFsoF_5V zAr;MH(^k%Qu|&~^x5x3{64pZ^oZ~a=?28waIGjE! z7GKAb>w_l5`gm(NqS+HvGk#{yQ#^uwb()4AvECpCJIv0bo&8rNKPCFRQDy zfBd%fs@>gVJg(jLFJ)dLD(!7`jJjlMI;%Pm#=NquFp)nT+CEe{YpMVnp9z6g7fakv zzR*rpl`~OT+CzT{@Z^$V72;!ej`ll<{YcMRW1kbLWwOZo@n|}ZBwgP`rj}621)`aZ z!mK2bxlu@DZWgncA1xsRN(P>n17+hT+B_n@P-ur%5ju)2SCaAdvkbn(mp!|opSFN@!rolalt-ND4TH-@I|a@ zlRM!S=RZ&0$fWLy0m@Uyy-e?h?CxMbcc3e&RJ{G%muS(L6!fhH6&&;i;&f~|%nN$O zE6rcVTT(oGR@5yYduf`0Hg7o%Jl0U0XI}FayNxS{iUi)XThW6-u15KXM4a_RL)do6|PVX^Xk(c;F z2B(fRRBtz~iJPI<*JnZ@{d))oiv62LO@prWQye!KWeH2n*KGDk9!cblb(Eun7P#UDF+C8M1= zb&~p%aiKp)tfNDVh)-F)_7phY7M^;rCQ^M2PK=+#J@oUifENB(%T4CGaU4;R0Ky*N zGIl7JFs3t5rO-c?#jO69vRGl1^B66%z0|~XsuX>Z?{ZwH1Ktc?h}IZ#yS#-$rv>y&GX58+un`n*y*bYY#P#z~sb9G;q{)p1Zo%!U#7D~wr`7K~C=Q9gd)uiBY*NZbw}LdG z;zTMulJrrohV7o2lXhoJVjxpkY9QK#!PTv#H=mZf6}H?)s6f$-mQHoZ@3&xDp;7hU zq9>@;Ywv!NlVXc@9W{g}DB2;civCzlSfu6DWEGQPV$v|L8*5aj1U3@b*b}AW^V5wm zeP&g>k1V870u2;}M;8&iLsqd-NnBRhIodxuq2ZprJ#Fi_YmJxGk4JH$v@>U$+0~ie ze5^hA+f*Xr=^Y&;ZS-eW=KTI8!a);)EF*OE`*9+Aqe8TxCTiZ>Y2fDXP|_9r|8s<# ziO8J<4}$s`jHmfu-0mut6$~s3j)DWe7&b4eV_r zL8yi`s9+eVVC$nt0w2ZD101^*<5?GiRm%65qBJyBpmd{t_mu8%p8gALd={nOv#J6^SMH`x)Yk@;GI1 zbei|nUY2Ns%QMI}wWn39Vc=hT1zQg`YfWB=_(7#%pvuG6uqJQ`w``TL%U03<{`Bs- zg*gGZSP+F9~+yn1X&HiW`!ouW4pf|whs1oTo~jT zmdtinZ>6ctv|qyjMc+b%GARjcS~a~F$6B2Qg#fk!u_ zPLb)uslx9k9NWY&oTHIHNdxr}Z*YUr%k0;}gN+1%v0SyE8xY_ERNu*sK`}pIQeOol z2~f{?MB4C{hg5)wQp8z6d#7?(DsqUw?Q zEK`zB%ktk{s)#xKcYk|tkzw`Tn?H!cqAu-j=>fMLA%;hPGsB9V<*jfwCF=nco)+wC z!D{OLLQx+N>B#z=UmPIM#S;`CG|^XK5=Ru9>L6vvW3Zp%4jI%yylzsI%jSD*b923_ zW633K8CpB)`~rinJ@VG}gBYaoVBLl>^>cCyMqZtB+<;*}b{(@B2HeRsV#p}e2MSsm zo}*z!!bto2^x+mVT4KK}Se7QPR|PiNjr@N$_rqS|CpVkBib9*63s{wd&0TwR_zQL| zQ}O5*6MzG}KOhj&jNJ`MHl47Sb0P7Gl+a`DQi^m}9uzu6`lj3xxlfs%=j#IIgS4Fk z{;~mKg}}oA_xe^IE)B!f1cR7M7kVHxz*ryoa-PpF1ijH0xGYtG4(JaufX0-PrJ^r= zRv;qEkYWx(pbU^v>uQ-%!J&B@q>}q)mEyo|Ltr6cp2U3l>~*`ntE<~E`d0ZTR~*8t z?Suq#CMuE%LzqV4@6!Oo>G5byoi!EfEo5GAijby~oMJpSK8y;FWbh@7Ki{CK6)zWk zuja4|hRJ-rLo5 zFZrCZvgDoP(^va@oww~1eCuXcv6yK`r> zcIZ~5wff*pYMYW=Ovg~f%`7_39Ou1`jaTst&lyiyz{=b9{_&#PYHICcr#R}>(j!=8 z8)af!BAYHS>_Pq6SAg*R^HLS+(2ufKr(&h3HVQOiVi>>$L1rg)fv>OmiVi{{zS zadHWaI+2KF2aId1-k?1$h&HC_Cg#_nEwagF>{1NQc>jOH!HZ_2@$l)oNAgHY*_w#i z;`i*pKIC@jbz-`Wh+jdHQLvaB?Nb(2D|PAA4kFDBtXTTBTK@tu|99+L4qOAq-P(}o zG6e7Yr)z*Xns3+jf3?E3{Ln!Va;y05Xt-CKN zp2~_O6&>cjO7%^9jK!^z8M%iFGehE+IoBz=VNV&=Hz}_ zz5Fzaj9z#J0EwNq2McQpIUPIGZMz5qN03D>d^QLF`H`mGr*_bzTKgky4@v0w?=VapfDVW8(m z;(ooN*E|qlwcvfQPRGmfDGg^xC?iMZo6yH&Y&{x73A2|## zvQh~y{w|2^5VM5Xx`my$djvjh+_;#+4UGw2CU9J6Z2=C@gSUpkM^a9VPja33)EtP( z*iX^Pfjlfy4=az|<*FxCLRIxc$IOz*qW z29Urrr{TZezHxWFJl+pHvh#M4&LI3bPiy#HN>H&LMVf-yeZthnlPtz>Vby{jrC@ea-v2q@OAA|{x6}*LYidzUfoQwjD?7*NHc~if)X=<6} z&5qx*4TULEx<*|35fgF6ZEY~TFg7-4Mxd#?n1LKMc?O_uXZ;_a?VNTLG*P}Hc$L(t z!VEB$On;hY@z?-O@n-fRgx*mty%s#652rJCYQx}5t=|PD3na=(4f}qp+m(DzmvA<~ zmY-!w*qfryL!(%6&;P}U$;5JriRY>xNK83jmqEbxE!0$jyNp$u)=J36)bd)UF`}CZ zp1Kv~_`4gXYj;AqB4upKy}7;Z3KT>w2bys89M=+^X@};NqgcU77^SE7`^Ci4$3JHH zZ)RGPd6lxgv%h!TX_xyRZ*xis3Q&B`MvKM;HO`zWLw(?~M76WsABA|fPI~xcG(8W| zX%v$~K%K>5j4$1hn!uM_%unaroBU3(>_yK9m2t}Fck-30${%vM06*gkeTA8Znl+&S4d2qRbi9JKEco5<-Yk zOpzWKdyHdIG>$kNAZ7qsK&8LuEgeBR;E_x|uG9R9oNhML88y2l2P4LvpJ=eMQil2Y zf}FL)FlzSro;py`#AMv)g%d3_=hB9hyTn404y3%c4HKkK9MwzoJOaT{B#Iuwz3GxR z5%ZMJamYfQa*y%m2t!W7J~;9wRz+W>j%T^0Hla9NSe;`G<>M6WDClDu9~OXi$>LBK z7FIs*P!jLp3kgzB9ZBr&b+9J;>_qu|**vW19z?0~=6P$G-%Hmq-X^0X2^F+v<;k>6 z=;z^)fC8ntewuV!N+Ra5aHfa>-yxTS_J{M!b_5(PU|TWK#Zs@rb9M5Ho`7j-cF|@MY<`y(bRDr z5Y8lm&tRa#I36H0r!)&+RcA*S{KiLCpp*50v9W|<#u1)F$*N&R#W>Cs_!Ag?%CfPd z^jR4!&qrEUp?!oC$AGt`d1+=5!4gfa#F(m++vjG9l^*6@`1b4i93BtWIPDC5CcYqh zbC^yZW{CWOIdq=mlcWDc4HGRKM+i`~nxE4E zD6oXM1Cr3nB~*QyeOxc>V&xZ%j{B*#f7}xNwOTw3F1Dg2=H7Xca9q) zf3KvB5yVm$E#p0O5VxHq0Sz3Dd3snE8xgDM~yi@@3p4(Os-er{%H( ziqYO%A3ZarWXGA=vUGoBQR=RZf`?1Cm@{vcJk3oWODi>f5>X4J9Kb%lhDf*J`(Tu6 z*Di@Cq?ZA%;Z>D#=yk|e}?OH(mFR*cnRaVj2AkPS6kkD*? zhNXD)v)Y{JAdMh0zKzm_AQo6ZO^TXO{oR-Egdb~D%H%8*nfGad zc^}nF0+K&^#;{E1>3-|%_0eIsv-khnnsXa0L9)sQZ@VIr-KJ2PF)RCI`5>d3Q z$6WL~r@iQzC8T|<(1)1&FhR$MZ?FVc?urD&Pyj4zG92WI$eJ`A-d@{#T&r`<0y>@2 zk4dD9tG*OUEOAl@a!Wq1*k*=7K*e%%JfN0Z$w`V~0LxltrcBw~3x-2&wcS^yi9L56 znLInwM5CPv$a$;#_CH&{ST;ivkf$WKDp|EV@Ux5m^xu>GH|{%%)`B~K^WUTYZe64{ z6?p_hJfO7*3bWBiwV}=*Q`@6fnfPn4t@3?T(ZX!(Ptux^Dq`0RC?S^VOMNz8p?G$uErS08JjWT8NK-t=yya4A_*ic6FON>N71-_ebvg)j__uDW!= zJ7Jg^W!aNCKvZ0+?D7e8GJEPvjxb54sv%kXzH4flzUi|>3OloE{&2t+4N_WD#8uTf zHQ_MlBj*>U7-@^MHiKxBp+q;O83Haff$b_R5RVBJw2Mj)OhAMpEjG{wTGPlu3c!|& za@Y>s9ZNj!_SQoNOs!*AMpB8AJJ}H?t>9eRhdyvnM7$X^KyB z#g<>__7_c^V%k!Nb-wK2tle!P-wF}Z3@cw_%eD`*q#U<&w)VGF;Gf*==&A~F6Gm{F zL+~0L0ICa_F`PJiN@lZEMl+%{?!>u47{5WSwyAipWL{mESs4R^+fl^OZZHC30=*7{ zjI4A)JHq7y6W_l?(?QmN1n;S`7sf|Pxh_l{?=A4@6>=&Aj-(k^yU#k-N-8%z^>pVZqMv$R3$DCyD*4>qsO)Bcd>{YAN-aX?PCEZZ+$IvCqZc&O~X1_9tZL3m}E}Lj=sh7b` zFZPqcGi0j2O~(^m5y5Z(#^yZt$(+UKfAId|b#MZ%6`MLYH8^6bf|!pa29T$gH6Pwn zGzGB?-%j^r|A(sgytUu`Ve>if?LW}eVe}wIR2w+9T<@q8{b`cYJYOT_s4r?v`Ycr5 z+@EJ6%VJ`d8qKMCk= zAJvPIMuNny*yY#l|qATPA%P_#tT$FNXj*)&04P;0q$$7NA~QdJF01h^0N%IkEtVI zvsaP#iY%2kZS&-rw+%;#-xZx(H5K?o=j}00j&WybB9dezzAF)N$Y54d4os&CC(tnM zxjE=_2z2j;&!vROG=I1;mzAmzMMt@foy9|T3+r^kI5suUPEYnNUr^jrR+i=5+v66X$V#L4&2 z)-V1f^dnbud{5U%XOvnRO5gnA7&yS@DH9b)*Y5Ch#JPx5Iq0+nq-HtEDWm|2 zvVFN+q^R}sXJ&;Z*?{}4-3l`mUZ#ByGe%Q%Krp#2 zRYi?+pn)OvFd0h}IvMG}8U<8KdmbS^+W7E{y4h33y?xdN31)I&z(UEjnBP_<>V$&* zRAQjs!MP$U&Zi1hBE6Mr?mTI~)vqvWfftK0}5cYUIIBm3|_ zzbsvF#O_*c*^(pti89@R?krt$gg^e})EvP{dw(1IlnIe%K8FalflBSWq}n;yHOV`3 zLjRdms+=2bgrvmNfh6kXgVKX&?NdU};_>clVGiq5I%MckeWGS1Wnu6vpNzUk?Zx9v z7H@b|s*ha+L`z~0i)aDmKmjE?_nl6PCijdr9i1fJ8og{TKCuExiNzie}YQE%_JyP zLlCsfgvz(gJUsTdytQVd?!EV#-#_ujk9fbT9b zG?tFZ6tv!K*a&BHQze6FBq1KNQ6Lxl!8BU74noiw(r$lW(5t+LtjZKoEMNfAL$jf& zK7BlGbA&6TL9>Kgri2slYD#%jOdwS?DNYJ`V0wq96<)Ke?&J>J@%Z>ABjtGtHi+^I zC#j$iPpG5{P>oLmZc!CR)qN7b;O&cfz(O(~Ny1r$f5fvPA&!##rb~Jp$tIaEilS-| zaUjqof-TWm38h8gAz=(8`FF`8(N$~>Ts~{@8o6{F_!Qi4m80P=YuHJjo4F)UbZ?^x#$dWc{wR zhC(%^+?rdano@4fS*4VgS#$FE>@{bKpMZw;@k>rhAT7cF(z6Bpe@7EhC~K6Ph|g0j z#L@Q+EWBGb#EkYsN@_rRA5~Oi9#IQrHSFYEuo=$Y!ghW_vDjs4xn`p+<`+p;H_BA8 zE*SnUl_LOX-CL7*%(OWf3<(8wFeIIPomn5B(MT{9ILFM-LF~CSC(9;Tw@>H@Y}}Mx zXHAuedMPP(Vviv7Dwoiv#Ar(Dpu=q1*yI!tyTqVzcXrY_L!EM|KMUEN=h2vV#Yu7& zJg#CzW zpx&!icjxWF(QbPo`4IUD-+R|XR051;;c(8e1>2OD=0Y+WkH&e%R6VtHV(&5tCJGoD zHPWFMBncL^i2JaMR-N*NZMQ=Q-n?-}E;7_7GklN#;W~u3b zJZ41!$@a;S38|DEKv^q8cy)60bEkdsDM)J*ZHBAz)!r-430>spVO(iJFEVOd4=njG zK2Q9~#f{(`gDxFL5hALhMG^!-rfrwG^_*UXJ)}NLk#~KxQXEM2+4Q3C-PsD&^w2Am z+W$O`^ONrDPvthpPc7>-H{DY30OpD(0(cz$T~wZ*V^FBSf1=%9D6J?zB#UFt5xL=o z$twq%B9n}YuWtg2Wbq;_jEXagaz7T_S=uj;t$aCN`6L_OhP$!zdET}L@4BU+?GlIR zd|sI04&{0KQ#eD*NMw(FHtrx2av_k2U%HJ6UYOOi|3GgG9ii|Wk%aX>|kD;S$}Xg$$$Sr)hW|$)Z7IYVsbba@{KES$tIV7`m9oAqT$NeG)WL**(IHy}r^dL2=%%hd-cbj^FOZwWFsi#8_z#G%b+P+GtaWC`?% zG?#RYPN?!f>|rTWzpNcR=zqveVQ+*w-DFx~l7ng*8n(b@%k{-JTiNpWb) z^KJp4Y0TT+4P{uVG0s(ME9^h^3OZ z3Iig^q-5M|CapcZ3woPRTlB6yv=$#eHA4lWwN#=jVnuNYmLPLI%v8Byy*kk^ZJ`|E zD>`_Rz``)Pk8mAXZX59qygRZcZ!Kl#Y3j7cj%V6k#k;Lu)h}`&hvbT~KX9y9s`7DN zD>wL5(*0vDEym#xRKJxG&F)BZnKezW(qapu&mi@Gu}Znzv%tqsEi3S?8~_8HK0(N= zRNNX0Ficm{9RyY>4762l0e)U_I$6F!z@4Qxh+j0K-xpzuE*CoN&>+va*63Zvm3U!A zq0Y|Rwknf6>r4^bPy4V${i?X<>_;)mno;J$0lR#enn}us-S8sDP zoU{)1_c~pyy0KvC4k$5`54g`0 z9}%GuHJO~LYi41Vd2tC8B#F~>Lm9v9+ttR*x`FBc#metBPF@$kjrxPe8K^!$csvS% z4kUq63J?T|)3S3d-qpFzETZQqYM<(S2GPHJwDaod=*Leb{?+G}-2!&weh=M^#PTX= zD!1PB!^gX?mzD6UA4Lf-cb1m&s)t2M&%^icM$)4TLY25$B zB))v(6EUqy2x(2T_zf`0uH`uSM4a0??H<98v)%UV+bA&7V@w0H`b+^oa-iZ*5%4>z zrNdejWb00)z!}Pph{1*GjuX6rX-5n=$|x!9(G1>Cf+VC@MpDpFK{zT4XB^MRJ8@T* zO{dSP(;f#2;hjxKpUjzozQ}{4-R0TC?xgq_7tH*!YOZtoSvvQ3Kl5t%rOtP`dCLqB zGR74Ewq4&knGzU2(T`J&*$<>r4F-~8;3*@|-Xs|2{1m;U^Li7B!hS&L6|7F-I!Os^P4-e!JS7eGVu}WHB7v)tdZ!cb z9MCvQ;KK8RjBIOlY!Y+gf6Y6RfCM^vxPWH_vr0&2hH!YKa;XLTa>01Ucrs6?QG)qE z&vGeq9143V=*&eWsNI=jw`eA1jtU_=s)B(ooj|o1jLW-#zl&>v7`;YM6613Q-UM{y z@V%;`C_;imbLr5DohzzCm{{>s>jXRYdheI~lp@g){(DGTcUJaQ3wu;yDqx7KUX6n| zT19#zfG-CrlgEdqeKj>hyh|#(gZf+l=3&_Y>^AG=R2HTe9n%JwR!^Gimg zD?>CisPifg!VxGsom}D{NeQDH=)*U`>JH3{%0@GiZ0S^MGtxXIoKZSwCbdoY|7p_S zR6RFWM(?Shohn7G@TpW=c!-M)Vj_D-Aw-vv3s_>%_Y+(Q6V%EQv<)dp#j+Mvmbu`q$hvuc`vt<*(${rrTp9A#twnis#CyV_d41Y*>=ptX;vz zC(w`v25s8e{>TL4@=a@2zyLnCv8y7Gv4leH9LIj%?@KtppPZAGr3+fHFz|J0I1zjb ztRME4Z2|sBr25ed6Z7G%MK~0@B`8QD&CoSFt{Ag|{_Jwt*yWLo=Exj;(ogep(&t9J%?qF%XGn&jr z(ekUQyNGrA9~UGbm?jl8N8(ZdF}VzqEKI%Y_#=`d5lwRxR3()$5_FU41X!Bl2RH|j zkHu-P3Zj7u8AyY1*pEkO=ys+y2B&iY6Kln;a>+ecBHsO_$(n^k81lYYqBeg;3KPkn>Q#tz7I@*_4#c zpZSe42F?mM{Q}!-uE;0&kc93ddlNj4&{Us^Ao_5RuweOo1QQ0m)06#F1CZHi)B9n> z*+cORGOoCZ2f9X7PpM7QRGs?inbX0oZJ9kL@)(^*A{G=(5oh+A!yo!h@kED5U8UiQ znS`U^echV5FqIJczHddqSjRW2vX3%^X`4!>5m&XMK5+!7mEJ+;N}|BPm*_*-MXbo9 zW~=0sm(aa@tAe^+hh36#O(`R8D3?ygac6Xrt%s<#JO`4_*6_oOoQpEUC391KtZzO#KzdhFP@JAEy1hjEByCbYtOZ-yEOud zd?l#6x@y-R)?Ry!ztz2ezkr=`Mn$19g7*l+4&~VmLV{dK5tJyfui`cdnhUl#s4kmr z26n4;4DUv#6D`LQPV1G!eMb(}9UYbha|}=D{%DPL4zM+zIj?FWo6YjDfVwAHlim4* zEJ%6VAqmS-V~D1w)*hiaba*Y!C5}_IP1QS>ILt#PI)<)|gWYq`D#U=5sCDk?Ni-jU zcc2_3Xg6b109iYLIe@Y3T9F0z#1`T`@X(ePC*)5vi9Y%}TW}!lm8jG{6z1FEVQ!|i zb!r@vapRLQ+Cl^;;5M$6!FKQd?tUix_I5*@NB<1* zda#;E8u?E?l?zgpqwREedrJ#X6vt#m$$ zYA7yPX`o8X80Vv4%J>GX zM|zm_eB>b1gg)G}AFIRnTZa-%zJS*fTSnLc-8s)Rtpltz0Oa7$K1V_*WRHg2CEh*o^8sQ$j5_mhguE1F z0S0D>r@WD8SMb@8*SHii9ZJstFNNjZr0ZAa_@ijgkJZ|;j+{jMIMGf>_A`Lz3=X_{ zxTkwxzm#Pot1@Z^EzV<7n+*)SbK)FMJV;dFr51T@SMTss6@MXbp9ke|if zGZd7^1J=d8hmJ6n!_VMS^4^f=ip`O;?qa-X=(eq~x{HmJU6czKk1R7+ORlJ@6e_J= znz@Tj2;?6V2n72nFSm^5S5U~eDu=-WM^n`>QCuQ^4}F3PkW`HLb)x_#7OIXaC3+dq zik&_Hty!VIs6RugiwYga#L9iF$Ia1-lzE_}ITd+q<^c2t`DTzG3rhveG?e~ydW1Gn zS?@oc1qF-gYvs2^cWYE;3$kNDIZXR2U1Kqy#;!dwRLPes`o@)oH){YDVr&Q&#l;e1 zswl3Efrq70@`FXw+vBx^w=b`jXx#y8B}DZyqAyLTh)qL`2rz_8ns@aIf;c$ecGy5X zp+T(T(2>?_Wgx~D;smbOEYwUE+-d{8Nn;KVobReABhAZd%#rPIiwV$7vODx@Lx3Tg z2u(*CB?zK5PCMyIyawbCu?INdHwjz(i!Odh86riQs%3o=Wbtt5f~;%nlK%04TdCDH zaYFUkssR`DY5^S9)L=it_eu}mFjy_CcEj*?K|+wmdHDjC&qc8kO_G4$o+nPq_Xlf zzr;C_gLS6(B~1yhoY2al_E0@WjE$f?TFB_YMMhaIBKf=sgHkwrIjqr4?SSD_G=s1m z`3Zc4q+=qhoIinPt8@YJpqYjjj;NxwOgSf^AG_UqpqB)=mwS8m?*po3vol)AW+)g) z_#Ktl4TZ)c#X1OYm?SH8x^uUFo-GZ+1S+65khv*-6$=l+J8W=5)dh}R5*$l2`Hg}{ zc69s?Js0?MGw- zsR$?VGlyay+t9jdA0ckVsIJBfZARcXL?S{W)KQS5wc65-u{yT22y#Jo*y?t*V)dkW zT$vuJ02ZuxLHW#Fyz1ddNm>@lN@87>Xi9Agq$a2^d`cz^e=#gw;2vYn-_=K=<^8?FH zXEF0UxiP6;x+kDJQ@O)Z1@plB!92~*o2ZOH5$Ki_J|SMBR2A2OF$nfVCGDu%`P_TYuKN905j?pa>^j=U&Q%oyFke&K9$ub>>8OVBjdXrg3PGM`ityH zkhRp;?0HPGrS~4_ex+yd<-WrQx(8~RY;UR_W0~fo<++ zYy`gwgDW%+u1|^<*6?%+-Z3a;4ii==WsoQ7T15YAukaZi3#n2GyRo;&`_=#SnrVf3 zd1nb&M__Ff56Wi}j^38Uawo<7NUQh9BKv0qBKV*0G*r#Vk|SAOkUoh(i;8PYI3xu-RT_tqm6d4SBRwfH2K|f7maD zWGw1~pkzgD5S>S4uq-Omd;m@=OL=`+xQ*k(qhQBgr;`{w!@&{P>h$P6IKcSl-hp2B zJG?GwXV=Tk&*Yclb$iUHPE7PiA%Z>1iy3nfqGg5SR^xJv`#}HR)f{&&N-uZZ?9te`n~d(c zmyHgm!2{jD9X!~#FCikApFqMIqKr*w*%EjmGVzL=&XmPVrd?Q1YDYgeheek26*(I2 zTPq~8%mmZ4$X&-4gikPxq^lj-85XN4vNZ=}G_1`4@5XAVP>a+XDjd@-T+&T#_n6iV z%cg|cOev6&#-&1`Ol@kzK`%GNUry-b;r^u9oD0(pJu3n0Dk`A! zTyF7d!2l{HQvht;Gyg(N_F#5*NC%r>m9#0P*13K41vtPw_d2#7JT@T@6SvdJfY4mm&Uc~qCS zc|k@Ggv12}g3E|`%Az?~ESC&FQDh|^<(Wx3wMM$LOcmMagy8Fvw-v3XBM?2Dg9_3~uE1ziovm9QNk+#({X0~@np1zrl(xyc@KacI)ya&_?O&lmVL(F{kG zYluu&H-N%LfhvHapA#P3F>tv1VE>`+!#xMhAS4YHgG+Thv87yMV}-gm81e%pkinls zC2|QmKm`9G!P1~wfm8ZC%nuZ*--P)LM4~CY%^=8;xUPVvLj>>6Xx(05sR<{)ah${;!EQ+;5ekKb=yUSr4ssdfbL_Un$ifso?Bi0ff3m?ykf%6v!ePp4 z!8xLo9^V(>=q^+u*dN^O;g>*nQo>i+0K#o3hIR!88*9)BRw|gnz59E*4<0#GZ(evB zA9;zugaYM7$~Z7ds#5ff0l(=}w8lf%#}qTr{cPjEXYjx5v2@$ER7YxCJJVs>{bJZI zfNfG?ewE$LeLh-tFgrlk7?JoReS> zv)uMHVIE3xq6E;UUi01-uk%;G+TOOcqw|;E%O$24_ZNoC<7mJFp$diFR=0z~gymL*^agRa zBoj<@OAGu-G`Z2H1K+>i0naB_%e;H%vUSxkH4Vde*+u>H%1q; z7&yreO(q7S!{b2D;k~c27Q0{S-QPR#It=>d-hqQX{r%p{eTThnF#dKQ9_ZbBWPkTz z@6eIMhx+<^*x>f`_Y5HR)Sjl-(D1a|+Y^=2Ob6f73FGG!ySxbP*&%183zk-=B{`Uk8>%B4!J zCtmA04A#t+E#A+6uK&3A$l-mxhikOOWcXO0hC}%KUpPn@-5@XbHwY6x$OZ4+cq=B( zKlj{!Qo;rQt?j>H>8V-I`(G{I3opoTzi9D-^k~7`T&wXek_;e&4~q-JcZ5&gEZY(P zZRV*SyjNS|ec7VoX*YW>{(S2TdKC>nm!SlQG1^OQO`2c%6ob^Yd z-OoJ-lm7Dl?pOL>5X=5tvqcjv#+=7n&>q*8flsJxU!Tce{Qmd9`@Q%3O@CmMsKzi9 z?f(7m^+8#$`VXw>KJ0DzAJOmgTfEI$*jtZ=#lbw=t7_61BPb3s1vAXDx%8T;)Bh>xEj!}q8oRn#??`9r7tcM{ z-p<~PkNp>aC)>j8PMDkLo->F00vO^snZq_>|;sQMPoUy%Gf5cvehP)xB zvmbS|2iY0)iBkoCifBS{x=d*TblTlsv+fZb7?pN4x#O@F_d47}nYTcI&hr~VfG5&jSEJ$nj@UQxP z(BX83-LQ8b9E7{sM*YwKr~g%P>io~te?8X>KMeNwu#>cVpzm`>?A9*8D>A>cliIkzpE+{Se#*K6&zYBoDq%J= z2%9S#0A23E3wxSI3sG6W4Bz)OMHRlTT#;$&-n+jK;wlbo$1#-)#X%BQTH5_IWFBQx zx$U@;{Oe$D`(P$0MzPyT$YoD)qGHdnowLb()3HG;Uoc3hi@_i;;f5Z7qH&GfU4*Dy zKU3>2Mzr8{ta(eBTefQ76jet2Qtex~MXUBr|F-~X^Fg`h+?BJ~8`p14!$|pQ+ILdr zkc;J5#1?jWZ{NX}dtW)iXl-B5p`L^LdJgXG?dfl!_bc*fY1-Gzh;MJ-fdhR9u|4r_ zP21sb(e7+%${pp~jNKf?w_T=*I-u`57#Wf=whwT6G@R6^xET#BysG`g}w?E@oV@4=V*z>}+v`vJq83{6jWC(;I6Fv0jL>gxyn6Mv3hXLr-1@Z6DsKG+NRoqwjQa&zrb-{=>R>cw@^TDyPq zYrOEAU+-yp2}*b4bM$FX)86hwgZq15f;reDKC`QP@%vu*#MlTHLB|XH3%gEw30%Za z?8>1-`1Q~s{H%WGpV`&dU%}1%8@w#O>}i72n0JeRWY_q_?4@KQjvk4(IDf$>`uXqu z@a>Rj545OSkdQ?COyNhuDnaMf$j>sb}x2 zeSj>y)5o{neKSy;E{p-{c@4C zuk1H|E8WR$*uQ<97}y^D`yLthP2*MH_B1K^V-No*uL*H&kN#c#szkIs)+Ke16wvmV zSF}3@*mqZ3#t(a%_V0rq_wR#GlDzmwcCGg%J~sMkYE&QXr1_x`u_5*&0Uk~-s)kA&k+rdG)hy7*WfHAN!4T$MCF2L`v2-_0>$gU0O zy&O>eWPIs$B!I)+hhHC*&&4mZdw;u^(dw&xeZLm()i2=h=8yU>y$5>-)Gz!S{vzK= zAMx7ZzP^E%`w#RTIXJ+7(yrhgBAP(ha9i=eNWTj?t|3_9{boS;&=U;y31@sU14{m2h-(2lJdo8ah0eC?Et9Z)>o z1b$Ut={Jap0@EUdi}2sIOLWhlDiBS_f5k6*xCT}dSJ_9pR>^Bu@e8{ytux$8fxp`q z_cRUp(J0u5__SzW*>9LMiI?%y90(9w!oG;>1?_=?yn8Ij zX9^|t3w`ImioVEIRhHO2{3Bh1$Vlxv|H^(F+IkFXD#3O7$gULxMbIa@QqG7gWj4yp zSSaqnPkWlc4m(KIf6$PizLHH)*#gl*C?`mLKpq7EMDT3@(aJtnk*Z? zi3@w0AcT#6pik_|QTAuBh?nT&o~8mDm@z2h!k(t0pW{E!Cw3(>EUw@uc113iSShz{ zneK4?!k&mkqY<`Qs^s;tX=yuI#Owk_Ib9I>*yiV&no|8oUS_9l zPk&dF)6~=DCD=E)Db2L5wlr@#R|1j7Q$-#_1?2Z@6i%bqM z^va?yb5qREy-E4SHVL=bCNxuSQC;OzMjaIvr53NPZ6sgu?AWO-FOZFy+(a$$Ch(>8 z+i4OXy4-fVm_eBvlYz1;5nDUHNdHT%$S;gr)VeHtO~e$crtGP+T15G##Y>r;g#lK` z9rxTG=@Oh63Inv0ZtOIh^*t*xL*qqYiVQi|U=?W$nL! z_234F7EjEHcJF5D;3jxIPEGso+uQ$J<^|RV_Da59@V2P6{dfPT{SWN8YHi)3KLn{7 zZI%DGfxE>B!O=G~0LyY#SR=ZwiWF(T3{(kc1Qy4FLk<+QW30 zkQvl>*d*4qO>JUPH%lQ-3(9E0{Yr9(^LNoeis@*^8UGhAsbMX!qek=kT}(joLn?P% zYO@ExV=OQdT_mhQ>SDf3)d{eWjC?%e$h({6gN!+30tnWL^z0)@EaVA86hQ1}5!(Qt zF9mpXr#90JGme3Mf;}ZZiEF%{o*}-8Z@@`Bed&Z)#hX>@1sk1J8m-R!%NyChIY{vBRBKA`MV%qhkDY~gmWe4NX`w+ z37-ow2l^4lzNUcN>PMw#oHXo)L$CH7d>s!se#ohFm(FH+LKD?nTMeY>#NDPeAbcE@ zBxBQ{aA5BsZK6e+T;70P#dj8N8F-viCGHflU1Wh2$FO1Bz;o6%()W$Ehm50Lf7Cwe zIkJthTa4YIKWudswuZhJtbL(BS&YnmV6LbkS!j>RMbzU8Z7PQQlPFuKODEmJvvJY| zqUD6kNR_D76NDg%6&^N)uhgN#J$rlmj`S;mu*tzi2M!+*OjH^z-8XF#)e9ua!(&ZN zlG?=ujexsAH$Qx!1$BS=^}l-qfGRI@t$(*Iwc}T<+fqBXAz1b+2aj;jEMC^~7$)Sy z5GATMWViJJXu^1iHAksd1p(B0&2WPDPeiW)paknlRBo|hcT-KNgMB@}1wV6F)3cKQ z3Ev>!?$1Fg8p&l>DFw84{%6OItLJ^tJE-=KOITlX%2G^iYd zB4Wf?*!Q85Uz%uYf-Fvz)7ksd0rss_OnF;7I-YNZe}CE3)Lki$7C`aa=jX#9>+KKz zoc8ktZ&wDtr?ULJU&e&a)Ntv=rY00n`D+}ho}xxWDKK(1c>-q>=4Vb|eTIC77k`25 zc?m2F+k8J1P%n9}U}9_5J5(9Uvh#m`m=5w0!VMMSN;Il43zL#dU+{tu_(2orD&E#q zr+5=@uN5*Wo7oUq&qZON77xJ20kT%c!Tm1Y{M*LoXncd79csU$~s_@xDq15WV#7;}N{Xnxp z74ia9grYRO&C0#rPB#pSexgBKlXLMm)+1u7z_mte}mxpMr>< zZ8sm5ZDR*`hoT9#R8bhIPNj1haZ$W-7gw>3j*4sI9=|jKXrGLRcW-7&^yU}a^6-XY z)=wkY|BLWy=!3eltDQZ>U)yfI7kg{;PV_iPmpl1Gv<&+KDuKz!X;(X68TuWHdo?r& zKC6+ORyma(PuOdch9zE^LCrjsO;ArrfMO=R9cBB!k}rqY>I82D*sfjzY}6lD+}Y@7 zC7&?evS6WY0wMlMb;$j4dX$%2AR9=;#BZqZ>iN7GEF=P)N%lU)mxHEGE(A?F`}%WZ zf4@*;RYHFx&sa;CwiZPQprDWOYjhQ>snS*!4)9%Y+`TxU&o*Q8gg1pqldNsHLp=bE zKrM7pcWN{w!K1Y|x9cPb-|hbGYBxvD zC#gL)OZGZ&K3QW0NMez*uV%uQU;?IWWnVPqm_1yG+0{Siz#(aX_)Ys!H<#*27l=DSmj}GP3I1tA+&O=wt4v?n*;>-S=Kz!~{BzLe zm$_sSb>&0;te+kCC!#itaMN$#&qCqfe3_}LL9uJAaS4s{{4T;sYZKU)s&$S#)W#0K zHVj^nzks3@1(`NbE!9=j;@Z-z>1-i>JzzgzGxSSOKGTIK?*?|y+US270QW0QtfB%~ zNB`ToV{1(R+p%*)|J%_2HuS#@{cl76d;0Z1eq^kr0;s>Dwg$-WM7k0x$XaTAvS+KS z@>vZqdSDF<*SjHla!O-t9>hvSTCHcVF!V>j>!#<6rCIn z99ti4t(tn5Q|;PB`W7fWyJ&y16>0U_+OUM)u6BNn-N)6gO`5*7$yBs@hjjvlBY3gt-7-cnRn9rjFY`*MN?ONk4JYz;oga^%T(uS_LvP$B&nH4IR4 z0Gs*>)x9#_lJa`XJR%6qZ$ni4y{u5NgJbNy1nLV)oVTe?SC)Vc{dH_Pp%7#B}Cm=vQW#*sx1%*d?ApyF^U?PbsMh5((D9|GRZZXH5U! zzHRG<{=Yu>zqqrbvOnZeRbJfXKnVCXML+HKQtkMuiI+ElbV$tGqYB9Y6CUQd&Lt@b zo2ir|p5QkYmda2%LzEH82W6;eg*E6RD5D6a_J+NqA+a2h$AbD=7gk2_e!+BTrkk<< zx~LEgZvy2OaXjEH@G_{~mti6%6jV3l0%%JA51`k)TqVNdF1|NZ3Nr{y&)%2w(_>k7 z_SATvxW)M@Y}*qK>M{*%WT7b+^^?(`6bS)>HH~f-(TcFaTCSslQbRf!r!Zs#nc52UX38-%a54thGv!M$h#5B9!yMcOkZQ8D@(0 zfHzkz6jItKX&k%RFZKu%CYkpeR|8JbNiT*3`Dtj`pqF z9sS+;bo6(p*59oi9oxDxL%;0m?CR*++PS@}bL+P4UBf}gP}jB{zuMXKjQS(u_J6iz zOKpsDSI+@Z`~2@@|2=P?|2sQ3?Eg=x{eLf0GxEs&_Lno@1nAtRng9C(s8jVSu+_Y` zD}rySQT(>2GQ{MG3X>{x8>asa)BlF)|6juNFHVcKwEY|JsBQe;i^3oki7J=!H^}Vip!0-(e!%U;Df%wB9pD+Ju(teiYm@wTMVftwb zW{a-?DgYq#SHesi7IYNlT9CD%6wh0#4iO4ShJV}$GvG%={3 zXt-`5VpGj@O z7b4p62#!=!$)NZj53Iw1Q;}(UjHty!HF!d7I@VT>J(R*>l}k+NLMIS!#Mucb)PC*y4+YFi(X5rQO5p%LnQwn-1~uf@PDUO^daev$RTdHj0OfOhHC*lx_S?o~41W z%YwNNp`|SuXH9C`7Bv18U(i+{YlPc?3^yp-sTd98JIOPhvF5QQaL zO-{LJj}7y-Wrd=pISpVta=2ia(nb#gcO@_BX<3s|-&y7s0YDXj+Q$})jF_@xhybhu zN&?gJ7Ti5>Ev8{8bZU61q+Oc8(eOBzh+jaYI`TxCD9QBz*`bxGr=_TLTr@4vPE_i41>BDb$+yWO#T+pTK9j@>q9=^|4a8|G5Xv&*y>vbR{a zHV7VId#8*$k}2ry?sAmUn4@vKNL*#oA`f#mevX-fRByLR`I$PG@B%|1c7(s0k)E-k zj0Rc3Tl64Dsm{>@x_-w9zoht)mPM^S&nTCTpir7fHJMS9Nxkg$hWsc@$NQ(sjx(00 zjRPzkSh+jQ=^YpG6dsppw}91zB=?LKZjuJ06ni*eTo9cCOt%fPS*;;@kK zyV}!+gO0Z?}Z&w??CL`!~@R3HifQ$bC^>DIDTGm*( zB$H+uAO*$jHPQuVh(=#pGm6q0-!7=1$2=mG)sLY(5XUv+F@t= z(MpkV^ztYLo&&G*M*I)I*DYUbhVPm+|EYr1Q|a@W8NG%)I=+R&EU zm8G+mrPaQ*pZa~f#x!4|9k%VpLKM0Y=3_H&%7NQ_P_OCf2}0YYEDh9{GZOwZI=Ca>-KFM z@xSZxU#t=sqk*QT{v%N5QB_BmU(E_szi-;~a`*o)RX$d3Y6^!vj_A6tZ|_TeeZPhx zV}l2}5BAfIKxjNtqEmjalndzoRF~3-xutyvL|k5S$GnK)4%#*Qos*(VyTrsq#D6+|;*hq(0{g`H<-t>Vn8T)~=Yd04d<=oAE_p zp6OSxoSAl^2$sOujL5)#<4Qh)k*RCre#kpQ7swy9!&Bch`Bq)mq)T~G$aZvr-}rn} z)Bj-YcX|Hc!7LnHR$<&}-TI9r4AUVR?4LDzlCj znSPx5h4%|Kj9;)h`~_RU=bFX-ZfRn2YB;%B`}Qs_RgK# zHqQTz{GSc~?}q>Psr3I2K#AI{U*W{@2|8@Mx%8a*Wu4LmCwY|y6)DjXnWZbWx0dpAJd&-v} zEd8)5^y%@3A1$8!ZsF#w2PeLGaN>stQ{Oz8oO^KM!h;hh9-KJy;KV#$oL`*#Wbw^Y zi|^cIzdpKor#kokgAc)c;vnz36qk&NKVng2^-TvFcyML{f|Dwj_Y zV@g=d2{PrO$c2^{BH_9yOQv3W4TdTsx=uVnMr2E1(*WrcTOXBQ6JL%-NAqBE{=xA{ z*Wyh-{PBZ@GjBeaeDA^3`Rc{_M<;$mn zdjFFLlUE;1-iIC@pK3gE013qmqX1GtVyx{r)Tm`Zxv7|jfY3~gIp-?ba#+lQJ(`_V zLB!6weBc#PM99O*$4%6QQcibgsb%xng1n6zM{NpPqK9{nKl)@EmgW1;AKpC=_e`C6 zFnQ|14nQ*;!ihWDPVDKv)Njho_sKQ10O&CVCw9`%z0c`_KIn9 z{%X7KHujEu>|FnMx?DOH+?-e#Oo? z&KH+-!od>!guh;8J8<#h{e}0Y7U4SE)$^3zh6g9R=bsNwe29;qu^I5%5UF5ltGha} zgt1X)jxVqDB{J+}-k2%t}97alN)qy$moHIRpuiaJ+S5E)WY`g1)vu5 zW+`+niA{ib))1v_T{9xn5)B=h(up#R=k5=ziuNY}10uH3S-aG}nrTqv* zb3Z>JTha)eH-L%5fa`|=bK`y~L%Rg`hTH}Qk!!6{rf?~PaJp)T;4vQfC2iwWQHaLaCGL-)wdM zK8X;5;$XYzQq_Y=CS&{^|Gk0Y={ejDa@*-!ZSLXSPZqAgfhbzzJXljKr+FXXpqzns zF@acbklnBpos+4roXv}^L&M=#hskNumQX92eK2(q7=WWc=WM}R30*?{`uHE!H_u>) zvH!`tUue{z&&7=&tQ$;nK#}13B**PWu?7XW^^DL zS;*G`42DtuqvLOEWGiok3;t{Qe?{!fI{ANhJl`4f|8Cp4;s1R){l6RapEjJp8&2RS z?F9ap1e4_F&RSwg>aS?niM-#hvwLT;a3}z@dT#jPC7S?aQC6nmRMlio!K!3?Bcch~kqI&w?!iS%uRl?jrOwGm( zRL6y$ux-I=C-1T}`1;*M!HiD1@5dm`A^fVZ4pxN=AM9j_b)-%e-IB=&$6|iTRiv8 z!W-u$Gh_6|ZYQFcx&*g#yXej3Enj#2!wV$f4&htmjwk_Gso;DqI1aBp6O6TsoeZv~ zz(*rcSdL^p%&~U%zMp5yFVyYB&qvBHIHIoVb{&GDI$$9M+b2utO*Y9(eLWbIzyA!E z7}>rlF`45{rkn;Bc4<_FN-^P1W zFmX)%2UTVWh~%m2v+W!BLxp!)w23SVvE7gFBK>{4*d&lR(Q z(Gc%~T-G7JtbXL|INZxLfGz)LXp7k)+rw>k-m@40qem_5r#8*aVZi0zkWxS6z7-^D zhkMx$yF&Sc^>*RP>FS-UTRgn;I-DC9-sQ5w7WLaqoff6@n{C3_grP&L_DJZM`2sg1 zIr-+rWP0`?vDx>MT73Ux?0B7iJb8EF+(#>* zuGOxFORBgmiAy2P_t*ir;^MfvcAg3Hj9`{qd06rBg9V&vL#ZcPE#aAu6>sx}%E+jy zIN%Y)x+kj%N~+fQaI2+H4h3KYjr3nipPz1&=bv||_ zEY~LJM1_lV8W&A->ERRxJIq!uFbNxDdT-u>_;w@o;2OBWYcNfVF!|v0ER2P-#}__0 zD~$>CPWB`X-UzUWbrV&*w>5#DYo}r-u_4~FmDDF)7kI<>yy1IZAOEkNWy}5+;>;y~Js*EXl z7#`5&(WfiJ7kbBY9UwBj?P$I*PWJoJz-KxJ<7z|aCzYQ^a|jhr2_Dpup9+hDCs6k#f7L|*`XrLtlY&AK^%TDC=^AI{AiFZlARWK zU4Z=r$+J+2v?;OOs^Opck_UbnYs7_lEX_^)946=}bL1a+c=yWU<>`la@36N#K7HZQ7n7iqeek!% z%eNOVeOdkV1bbI??)syfKWNV?3$SSRE`%ri{nN$iIi`1D?E4)uOtDvp5m5m51-2uq zr{JFW1TD7C?o7)CiF)L@-E?$1sXBIa)(i?4u(ys4h8VFGO}+Hc^Zu~mMv%J5!;@5a{5LAjF6pi zM4+DX97kcU!VV;!Nl0RZU&_GQSA&cn-u)g;LEj>|o&xH#eeY!Y{{iFh!JsOl=nYCi zN9}zgIyOEaD{!BkrQmr%Ys#d6N$=+#{qz=Vg#S8qY2o6V5AR=7AGmppy_Zqqr?`oj z(*HiX?>I;avhplr7TAut4^9#OxaN_!d6Q85$ z_y>_e&m6x9&Z@^0wD3-`N5`{qSw|%r~5GO?{7q^tH(Fy~AxY$0rE^ zkgVK{wm!p^&=we8{5?9hKF7Q^V1SZ=EdG-{@)Ou_Aob-MaW=@`kVc+m@eMrZc+PE< z1ewnyV;ryVD`)b1QZvL%UC5g%wzgj z-P2XUcj#LRd?$LgvAwSDr+BOi+AYzUBkq|(oPq1WQ6^^v=Xg(r7Ks?AnvKti2WK5I zECxg3c1Dw+XZ8FuZTFb7+CmAF`q-zdKfQs+c}!MtwurfApYTjBCT{SQE~_ga;e&TI zSpZ$oz;8c9AH^39FU<8Mp{DW8*UN-PrVZwyJZFs7qXHK8Ag^W=5L(HR-hG7Y{|ft% z5`0w1kb;{s6^%*7KI;B-s^hQFKY@*;U?y=x zLI=D4+Ihj@E{Owz++GejR38AUJ&wI^4}f{?jmk<5NPN zyIDPd84{P7LU`-z#eaNRlSt=q6FoTbzBq^A_)&_4n1mzPmz$m-Hk&x+YiuV^cq%`` zxp;r^{w)rOung(Yw51RSG`6-6YFUvmwJcK;V@f?LypMXP72UE+-HdXL5|Fl3R6pYi z-frFmR=?4(o`yrLWdm)38VZ6JoiLmK`(_o)#KV>e`i;`O$}_b`*mLS><~^naHM<2-YD(uffS%l; z_zgLZg;7!%YbryvpHCSGR5Ecsb{pHXN7ZeP8^Yq)&Xk|YFu5htZd7)o0th)&@CyA# z=(~X}*fvt~aVI(o8ah-qJc+*LEEpn1&vIl7jo_8q0T#;Gs^hSNhI#eC>zYOldgK^RCW4_j7_KRRo{FI;&j10 z`gdUr{U_LPsoMhCQ0{t;iTC7SAyEw@+!w~NnHmt-=&3qNWGNt@m^u?V7LII9Vd50X z8R*w^$as{p;^&b}=@NT#NW+sU_!+KaNW7(1iI!uwXi4AvWTb#J*&x1ytiI?9NoOk= z(i-J3O`9=fRoH1iYQP{9aF_ld)-Tw>xVJCcpC|6 z8uk&Wg>NNBRNC>1u876N5b^dnc{NN z5bB0BR>EE5#Xe!>ef=$3Xt=Pa8DX^WkS`nDwsi;`&aoEs<49Ph_`TqG0Ssg?E&1Ng z?L#Wj%Hwt>4x)T4h%B=ex%h=QksXs0!a!y8pj?m*X4o*nGmgg?>Rg$^cpgqW4C@^Q zsI>G^eT!w_Mg+9aQB8!4 zpWun%=rf|r%|5*UVfD_t;;iNZEN?-!Y#7$R<4O=1YGC>v{xr96=d(n+(Au67K&tD0 zMAX^i_3>2AePB>d0(I5l@o~<&gpn2GStS5G{E~gHi8(*^%bhV5(7q?!*}zS#p~0Qo z>)z()GTL4B!Abe4bUS7&n04ZNqj)n{1BURa9sO#arOP->Uu9loKB(J5H`ltp3}D<-J6ZyPey@<_s-WnYf_l-r&+FCDD`p{rk*3W=8Q^c#dPeOfnU7-O8#+DAI_bf-9a-oMIM=2_arQAV!t*)_Arm?; z^HB}Af!H?GlEFZcouLUCd24;*)dY3kU+#m@`l5NF&uM{-Z@XM4=>9OC<*K<{RdDy< zE4WW2VQ_I33RddZz5DmqSb9fo9GC_Lp}cVU%j%u0PA24nZ!qS7Q%Ve(XHD5Z(JPb( zEU)_s!1sy(_<%mFy9S(*H1^rA}qtk)iP@-2Q z3Zr3U@!=Kl;DMgQ2Uf;})wvbHqrC?Q8fC)TtXtHxJVyHO$;;S;dyOP;uN6-tYJJjN z&9!H&ryJpH$t3wqF*M{@{pCVY<5v`uUY-14;m)V)ChM{rm~@#Ahb;M3lTNj0&=oK? zRZ@g8xCXXmjIrsQO*SUQOwnS4tc~Vc;EvQkEjRdGlVpu)Kr_|&t*<$6JT5&(~E+`XhtDLlj_aJGJktJeV|ISv?)Mby;mxHTneh&4#X z(Sp6w@f(%9=jytesDfibx>62O>0D-A$h>7v52d z={$|;=6^%;8x&^s)Oo}6XuM2VVl6^)>Cy}W@}Thzx^(9=alnJvD{CD=nC=KERnd4@ z79|@Id__FXfsBdCP~5ypmNm|>x>KdF#vJ(?Hc`e;J04=ocYw+&q|#;=cqAXMvmJl8 zj8R+P^OKm`_>(w1orGfwFERRQgatLe(3%{RxYkdb)Y!XE35=7|Gy-;UIs5oX@4j|O z&*5_}wx%XAVhlP2!jor3%B`3Q8`FuxXjC7^PqkWf5Z~#sMh-c(N(SGQu%YCu9mEl(bIsSYu_W zl+W;^502I@Xu7$hr4_Q6*xv+3BhI|){b>XYwc+;pB8hG~xkn*%%!zY@y3 zm1`|>$tZEJ`Xe}*7H7{J)#95HMAqu@8)DKapH0pB+Ot7Muj|4FkC=PTC0Zp4RvIy_ zflRW(2^?9c34Epg1U4{*udK-wu87SaDizX8;N&82BtXwQhEXSJ`i%%lbofzQW<<5_ z=AF?*X{=Cfm7;l4mH_B>>UVM?(5U-|b&rHJ->)LI$O)x>kO0J1TLhv7$!ItS8IGOU z4(+xdVjS8g^d1VG?rMPkwRM4@`Faa&WJe^0&lomXGnAfUnY6BZBHVDcdgtBh2hwgg z#fvYy0u3MDKi}0rU}vc?Qu1@SjQJ6J+>$y9h1_5S@MVL3=8xWPud~B$I@__EdN z#PTMz99m|CU4l$sCa(cjU~OAS>SbHCLseD4G%dC(e^MqBR9z|k7k_mWlUX_`JeB78 zgFG=2LwW5ixFrVkiX=xnpm($|&MP3$?`*lp!cw{7XTv|Ew@|iXMb7Ds$|pElN*c0d z%3ju=(EKax)|8PTDv<2mt+c8VcFK0hbG!8F4Fx_Fa};^@*f8dD6JV^%XWAc(A$Q~N z)gR)?pMC`HBVL0~Lnpv=GM!;zHZ;%cWR0eQ!Q6V{Ggc4cB}jm)EQgB`i-e?NFz$y54)+n7|hHPj@P zQ%yz^I%2WsT%)_e0i_@u;WB{v!S(OV0qXg2x05Okpn`f4b4Aa~9@c0df$RRsZ!nXN zl3c`?1j;RbtbNc^&)$M;+{VYnw28aNv6ELhb{X{f3lM7DWl=)6t_n?OmpJ;a5vClkrN_aG+N)!o47|*NMSw7GBua{MJKqUV2mgQlh z&Mb)~!hY~GnGoKH=TAoBhs2VXl2WY*SP=-)p4(q2zzM()F*95fUSpzP09*|d&Q&`K z2_)&kPWOW{B4fOuBI&KB5E3a151E##Feu6@PDR&ZI(7E(M4=fyF2R zAfA`K5$(CVWF-f?fk4=phe{nu%fvf?nDp#@br&BNn}{OIrsRJkDT1aI-FxVlkOPRP|a%4r2t?7m(-)5eypBDb)N%Io|cu_Tq|ms zniU9yOVV*_b$VWMgY*wTVhvKffVl-UY5{C{6>EJ7JUdrMQEIwT7dJpOYfqH97}piP zjaU!*>2 z^M`4!;a4IoITpsUp#ah!Nr_sdG@NvA10@;UxG>@Hm}E|u_3a$f|x-KXiG_L)n(8LG^8QQIOyC0 z%BsHc6_!6sJSlAwFjDj4b2%CQU+H3Jn@mh zlQ<&|E^?Nljar0o2u?Y#`Baq>%WY+sFFr=pX~gxwIFM@}J)Zn&@y-fG7t8#e{eY0a8`tHNu8T(LY6W40*rktqg|D+`68vM^dkTE^^LTw6WKQ-M{2GNVVaR5`~uW0FId88MY3#}Vk#8x8cm z80II(qa#&vQtn zAWCaNZFswqQjLTIR zuKli;WI%Ci(tFdRg+c_fho>jg*A!IZ>Y3S}Bo9O@E)A1X5Uo6nMk#9(MjRt6AP49V zRAGyP>=;zM5VhpW0ch0D;n?jE#FQ_{D(y)Siv|f9XfFk{XH&D+92`prMZJ!Lj3`PF zcMyM_#wK8bBaiLW0%DUFO0xWi)gFMh7xGa{%Mt2{u!BLS*=^*qceNVH5{=`1G+grVDL5umvn%FL0x}v-Y(gE<$QJKyb%U!hEqJe z$FFPdc`Ob!dC^24Oa|j|?|vIdpU89@^IYr#$s}RfO zyX1-zq@WJ*#$QiR$_c&-uQ{=x3H279W@70_MuJ_e`VOJ?FTQzd@tvT1O z?~I}FI%H;P0BbnZZ!PGwp=qjdRIQ~@pYzi(;^o&|^cxdrxe4b9(Qh3m0yNGClY)BS zwjUu3A_r~5oxF4u%>xSUXlW~8z<4DO@z#N;++%Az(x@(;FKCdlm0~dvx&duJsEAf9 z$EFr~K~^>~Dh@*CKwcjUihf?!vrkjR~fc!-!_ zE$5Bb7X&qjv^oA*Y?=ny4_-4@3R-G($r!)ZpL{Uxy~dT)9-*WjDwJ&7X7|WQDHwqQ zbzbvpJ%_qmcpFgrIf^Q|AX1gh{LCL2na7+?To)?^R_DxjoKq?npj zD)^bSAG7cB-m-P#^*bauo>~j6Cz&l2GF(yBQXPcT+u|Hpb_%AH&nOLyzY9jnl;7A~ zWLbYpSU{HDoSjJNOKnrJSSYIzs1X}xIE>#=FzSzmY;l>&CyS%-32Sr@>w!QTox+-= zprUgwh+-4U<`3)~iZ^Ot?C=9jry4Eg1Z5{2h7Ueb1X_m0wvVwU^E5efLB+JPX6>#R zYsPmSp8zT`$n&gWT%zqHyB2B2;ZtRI=0xkYEB^jj>Knk{Sn)rN^Boq6q2I=)@<~*>S&=QI;`2!bEeU*C&F+ z9OrjFxxcQ{FVw2ag0ioNo-N118J99dA6F{hac_emtUpUdtsWnL|KU%cNOcUcW<+dI!iZv_@1oDz zQrL&Tre7L|uy)%XnoeIDVX+>ZGHIM&}0}~A(5pKaM3vo+I*`v(=yj# z&hC!!D_9I4zj5I)FECWgVwfbHIq6P>Ye+JgbFi_*!E*M-t3H8?4E@2z;)|k#h9}cW zK~pu)3Rqaq5)$vZ>zKyllZ)5>!SD#m6$A6Up_UmfEvb`ThSJ(6!i@Rrw5t^4MTF{8`de2umZHkcv@BlQ*? z5$~yAhjpv!F<@*NjL-o@uL<@kL~Au>LW7$lBSVOU%{L!U41v(0Aiz?eff3DZRTG3X z6Ob%$cardsm^+PlQ{G6xKJy@=RxcPyL6}}gs}a(Jj;&JQ=$FYEVgcUErYyoxU~HIR zd21a1j=%@2DyEj!>8foAiHwiV{Ed(XWC(*h859Ekub{B`9TK?+ub7+`!aV8akmBj7 zXkeUDkIJ&OI8oMWm^T%AS}n)#b{iKF9SnSTO%ktrC$DUi4& zHPlkKYdMy}%{OtL>LR9n?r;brZR^HbVtpuNvCOdEDcIH7FkJ?J1A1b{{fUS&9TL*U zKpVbuRA~CZ9cXclOK5VBDAy=6tk@34sQcHFEWK3<)HFG2#9ZsYzzs{&#&q)2qGQ^qF7g$kLL>K{IYi}HIe#rs@$HV^Stv{TT`7o zf0^n`b#C3(zIFS`H>-f>1G$He@XgIx;i&xnGIRyP($p&!5A7BWNfNii74~v z=DUx6`jYGcP}zHG%Bt+WA=W&jV$Eu?@+e&ji{(^heTuAgXEFrdqUVbjh0|NeB)&(z zA`hk21TWB(;Q(fs0#A@=8QHMlCxRWg;MfE|Mfe#wE*dM%A*!)Y{)5MhG0L2}$fJE!v(M`Q!tEr9^%R=GegF&(9$*n_iaKJUKTFo8438caN>>X$6r}cOu$A3 zn3KH0p47?Ng^O=KynjvitJq!I1!N8)wTVMnXD1}jzJ~>Z24C&#`}N?!>xX)}JT)lE zjE+xjsT8+BP@T600F1V{L!_xH5|MA=C^VLq&WPJJ zkEl63{XW4DGE@!;0i2Uv-WGl`ZE5wk!11-EMNx<@6DcBr3=fXb!KBqN6CZ^kO9?c8 z%x!DNaXlud*bV&txQkP z;n=!7IPs1JbFsvw!O?mu6cvHr<1;TccX2M5DM!FcQ)59XVi$DzZ`wqQH_`}dztA-k zYF}c}X4-IzAVB}GgzoHL z%)_|8VDlSZ9l{>EA(HSo7x)oYBFK-0r9wUz&-N9N)Dax0kZD^QslaWKDb=tgEC%_E zOc^CRKw-Fs0`8pE6yQ(6;!*(xSP63o?(ElE15!iK8}EqO5!@4%JmdzHY-7t!FJAhx z`ss=4jk9ENtNsWG(}pxgi1H9!V+n1Ldr|%2a-9bo+|_gBd&kIs$QM}n>K<%bO--XH zq*Y@Pm?u(q@Yc&a;?j?!*_t!Og(>G-R!@=WFEa(qFJ&NIxmYPH{fh4lK$Iwq0O*tt z+hnLR;$?%eAe%~RCn%K)C4sy~k5X(7N5xM2#d4*TWaC1ynEi@5)~J;*!i~(fv8uPx z>qaa_)=cw~uM0QdTex?ndiq}V+%=#;8X-n$yvK9kPTYAgHOEUjnyWw$KbX3S(IG#` zRuUeO7>!!MoKlbG+^sP+(&!?EmmSALR8*EU!bZ4h{NYa@R`0xP<>y#Nq^HoH0Xok! zXVKtLeY{$Z%ZMSjl>^jvO^p~+mlhen`RtsI1GZtc*sxk`SS>cJ78_QJ4Xee5)ndbH zv0=5?uv%tdavGqcrNM$8<Y4EvPa?hii-}MDCBkFNo0^9yN*CXk;I;_I{8x`D9JY4jlA{3j}6ll^+JnGxNqCoWyVfeZ?syzEf$EnR@$r)s z5dZM*U(x4sT~|c;^iiO=qZdn?LPrbpkB`5Pm;>{$_MQ?q>+N0GWk-XF@d6|6EfCed zMK1*E+Pfx&8jW>s{bgf>$KT|{E>@&Q?RiU`pSoklotyLXv{(3{ zs1M-3ue`J+cR%DuRG=-#%X^!mE$dNd$JXt@Pgw($2DIhZLtDJv zyV>7RybQk{2*q3R>nrT5xtiUwB)BN}4EQCoEH;~~@R(NCi`N#|aul0o1B+$aU{7Ea zqWpF6CtQ_OOG9pECsoMZd5KA-Y*XqarZ8hc=$+<&#y*7h3c|th5(Pe&IX>oyuq6C2ZRG zn1F8*>Ih?h5`H9J97$B%=BUa@3h-h+6|njQp#AXfaqvE${fdVPh^JeghR_coRy}3% z6r%Dl)`QBbEFuBi#p27F%nv3*QVdiMpM?(M8aaCk9?~rFiYf6o@)D-hy3t@QF{@G0 z0DM4$zseMM62+{zXoVJiH81WSV!h8KNvpne6=zM_A=b!r+KF$rSOf-7EFrHkw;E_) zTAjS>WX=~VxRydlZ5le%oGwu`EJH0>Zjx~*B85=vZCq#)2H)hqLP_FyxAba(Pf~KS zcIhyeYAkP~zIj$pf~q@lQp9pl$g0UvlI8rXNl`ETYe-Qs8qxJ50xWsD1gWFzE=V2y z7Z9ZCZRg%$Fc3neUTzJ{h2#&^qz7I1%X^tHI!Yy*Xg|k79_k8FM5#93VWTFkdZ#c} z8u^TTlRTuxK3JXhgPRXdTqiG~pwsgTzuzi{N+n+Fj#E$at~V@C?mGeyq$50joIOpV zu`SW83!XU>&&s1Dyy5wx%+%u%OdZVpnIIdm&pZICSSk!< z!7U+hLf{M?D`05K(1e1$i21s>?bX=MxNcF6ker$%n+&1hcr>O>G>W4k_N{W>Ut^Nn zg-7?9PP2!2zPmN}>7Z{xl5+UYqhtcw@v5v-N{ zmRU5!02mgfSxyOnij&o|=N`XzL!1Oqz#F7AI5!FG^9vMczu`ru(kfJUtWN05mDABqAfFPZnc5A`~#BnHG+ zwXX2C%&<(xb+Z}SI~h&j@cLuTObi+22u+1jI1)0^T2&I}0`=xp=Vs3@LLeezpbgi8 zSh?D6NY}*{jwLtx{1TcKLJO=0noEH-+~gIXrY>P!CU;?V5LYkW z0N&wHA*npn35)k368lXqvT%%Xi#g8HDk!8Ps9L90Z@_{sDEGew!ZJv(=Ni{XJx+$> zVKj;-UjY=vF^KYXTEH+CPn^c_V-in&F4)EiRy&TNsxLdaD|tfiro%ZNirUao?L3^F zrP8CP=WtfUIh|m+nlX>u>DcLXo1cn|DBu12gUL6ks2Lt{jZixT`#rpS0YS5GJ0B4T z=~Z4*Z}MaE+Br_Vl^u89`W|*TU6-E9V-BSAC#DeatO53!0Pu7Uz|{d8ezIKl)1$P1 zHPc?ckPo84Elmm^0kKE!Pj3q{)mmu%hG>j8Cv|uI~Ztezj*QFCzupBTO+1VyhDG#yN-wz zd7%pQ7y~--S6OG+BnSk}BiOO`wA=)WzrKia3eRQ&*i-XS0O7Mc6l)zx*+WwHETbdU zH?~43YrJprF4fNz#mT4 zOb~TT&`SuN9MGMm;HwLUD_IcB8VsnE4aEa1lLIQVekGqC#o9S0+bCV!Kt92`R~O_LL`k0`d{X^{y7Lo6)?QPCdHa383mA5%Ol!m<=kZK^%UK*3Cu_>^Qy-sv^vxTOC;!U* z&Sy@+slofk&Iiy(W7DG!%ky50wmdwSPa%iDi65?_`uqvD^}TRBUs`@$|X5 zc;g=4b{jRPv%vPhy!-IGH(&+DZHwQ12>{}}iusabidQPkm)9|wLtkJ z_NX7WYL4W*=ct1bSB^2ann?!HL~f{%_0ON!XRB!W2GA zxDGLCR`7sQkSmOlvd7ER8A6ljKlVK#Qw8QMArxII6e=H@F$!Km&7oDzFj;)zt0`5~ z+SqVhqXAU*sW0%sGxAPt=Xi_%oL+qAtE3F*Cf&OoD|pwylAzhC=8||d`|6S@2##Xv z?;Q3C=Ys3PaQc14Pd^UOegY5rFGYzt&@HQ9+ypZg6J(M-Q`#GElb%##SI8hUZh4g1 zykG^lf~MT|Z;L?Yg}2XcPP}Q>vN#Iu_$n81rlu(;+Pcj((N|q#{*X&LW@}!vcn_zf z7EAhCJ(56)h;{G-0m(nF>LDi4MvX_ByJSDREBn#F!rh)BU+NSDRJnoJGNC^u@Ia`PiQ9( zLWXFj&j_uZF{@No)miY9v#bn}9BLVo1Od*Jj;2#L^1;`naz4%7dHjD?e8&V}L zRd?5VeFNen*_|LvzETAFikBd^hoUSsg+h54DhBrs!;Gb%pRf#M7ei>CRubB%eunTx zBzBD&RH7@9J6nKK5HTi{E3zLOWn#@3WliD2J32a!QiUP#@nT_PFBj&+oKIN+Otl1i z1(Z_~oUF-qM_|o!TmXn(2+?MU@@UyFarceE7vYocck#W=WJ}C!<{`$L;hmdt$szN4 zNEioMFBt!%vhL+D7hp|h87SOjIyd54QDpB9-ndZ0G~=smtD=IAV_-gfRh9D*uexn! zE;$s!&_%+i!GIg!rn4T~XC7@dkMA^(wwlLN?UQ8+C3O+godiMs(dpZ=5;O|-F3t%p z-{cY)xP9l%rs6gwA@1}QU<4%V&W=JUoYfN$DzsYy?J=PGSQgU~| zac+s3*P%Yl@kxFXDHICYb|9WMuwG8#)oX?g=!v|7xfZ81TRrpP!UvX~gqRXvUZlsk zF%IKZ?6pl;4YlPs4hEGC=R1$Erfd%mTNiF$eNPlvnx)JT<2*!adiebn2xJ%Ss6b%D zf_V<5@7qbsYOhhkQAWNo4()2p(tHD(Rzp(NYGI)gtEmj@C=A;@TvK5<;0S*J=tihk zg(4m^82BU4B{(69g<>Tu9P<2-u-}ll56lxG!C2Lxd`eVE^vC7HX-*rC-TQ^UQ{-)? z6bmsm3wJ&RS$68Y3agROFKml+CVsZYs?4@K8{I!5S4=lKQJ>z7Sc91Ii|Q3&1g`BpKG{AZrKV*alDYWw%%mgQ4+f0IFdg`&(Q3nFV4f+Ygz7Y zT!Dj{V~xuo@T(X`hLHkjYT(am<_OI^WeW!n@8iwrXM)Kl?G5G|Kj4JNHuQUXwv^__ zyU~!_rv`-|>>KFu+LVN?q}m`KRZ3iUC(>YSY$Pa0+@cCRQH#6P498KSQc5c~KrtwR zmIAKzJQFubUQbpaS}{lq;vXsO3UVLvV}&gGd%-3xLzu{4Ammyd`io2UC@DAho0=L3 z`$J4iu9U@A)cea5>y+O1YGE9z6t~9X1x(!i;jk3(iHZy(3mQzCG}Ksg0!oFfkhE3P zkoeIGmhDkcyO1W@|5ylGO}j@dDk}ooQHK!)*~zc1B4{DcyV+z~c4|CGI-57pw|8Km z?+9NP#*QFRKx1^pLPUJY$hOhO#9o{sw&|M+v}bxWfH&brP}9hU_eV$;C-jYx(K4z+ z`XQ?GAu?HXc_gPvGp)&Us`K|BeFZsPi`VXgT?M1F1c#Xud5d3T)lh9SVt)1G$y?Pk zr&TBxF%yAgCB@&zR~S2b7n4vXYfGkjh?2`>bkcI1qag?mEX3WQ@VU=aw3^7u-o@WGM6AJis9<|J<<%{!= zZl1w&6P#EYV&FBLlaG_lg)?<*_-|hTmza@na9c7FPJwLw&b*0d*?SGSc-B-0LB5z8 zW&-=ry67Rw%Zo8t(!m=`wLwFSqzT?ZMI!`3-Kv?H91#$7*lBpxDP6#&!(DX&vk~%+ zte+elx{#F~iBK_2&lds###y&=HvyM!(`-}5GJg2&T;LUMd39cZERZ5>SP2E%K)!+6 zBLY90!Y$8pXKIaEbQZ_fAGXp68<9#KVzG!JRHhqBjL^VtLwuc?Qe#|*~EH}?UQVPCEur}7OubZ==-80hKJmm}tA>X?FURg5lUn%YPO>k;w%IfmR*uV*H_;4+>wtl6&!&yV}*4 zScQvP??x{QN0$nY6`7*JUN)iPlpD!iOQwCe_z90HFm5}UOq$4n9YHg;iGCZ~i8mIn z%?Y~wO!%YE8mk2g&9kx?`uRcBln`h$FZR>>5b*l$Ul%_GxF+p<)#0QPV|t%pf*VPY z_|!Uwb!cWq#{NqXHDAbQc(N;COyxzEn4L-%VNw7}h4ps@-R%;U<{sWXj;be5^mX2o zY?)I@EK5R~^1K6uQh>3F;8lz&#bTjUj>L473Ppd!rwjyPPbo!NNJuN#$+IPHge60X zpUHrAw-f}j-k&do1)gS`N=Tg*Zd>JT$)M$S*bg!9gc=cUeGe)SB{fA(+TD7T5b$*C z=Ola;4qzuD1j3Tn%pQijTT~Jqk&G}z3uARce}vqwdPCMTO0NWuihqH6{eR6iwdP0@1#6G9~Gj3G{uPUJghXsy$Dm#izHSNh_W>iw&Y6a_M_ zMQkdA*xrPgt$c-TJP?Z8kES649FjEAn%*k6kFEdgYIil)FzyHJbS4rJN&)Wx+py35 zrE(k4cdV4T$vXC{}>vw61n3vf@Y_)}uiwA7nX3ELTCL4ag=4 zBSuYgfwD6K0+2FHdzU|B_PkzQ!f28t?Z@L08>Ff+LiI6iS=?0`B%C`F_R- z3W_`8C~l(>yN}RWtLIKrYckfSI``eeyKl=7pGIQa6PZh`vb!~kPbSu$6qE-Wq$?L5 z3o?qiHfz!c{4RfKi5Dn#P?j=8YC#j!j+Pk$W)MHqh6(*x!pzYMq<1*lX=j9CWtq4} z7=Nhrr?zq_92p5p`s3IScS%uxp z_8rI=M+2M+cyEYradNzl77yTub*9Y<`>#Do!ma*2q85CPK7dnj)PsG}u&2lhTTH*j z4Kaf^Q+P6Z4(RLTO!d@-Mlwulnp$d=$6V>QD2+?XZZw?L4%$eJm`MD}J^;ACwVo1UyfTZtcW|s1&Y_389utxCkk( zu*Psic@)P^dTQ6aR9N~JTFSDnJIl7$g!_tDlPx~Ii@7p>n6Qk?WQXyEcy_p9dZbjS z6fK6><$Az9sRy__i^8;-DrU}0`*74wuh1iW9PKEhkqED%3W}oO1ir-4Aez&J$xO1il&fBP zL;J%?2dHNA`2P6zaDyv}2y{InW%7FUjhpD%V65%0)vs>Y7*esI8Z#sILmA0QkE6mq zD<%`sBxevH@=8OEnO&9JahY_m9L_hOWhS z5Fy+O6_0uiJ31=*BC?h3aK^S=$}q(%$PnN>c!ChrApjG)bUahD61opkW?XzK%=@K@ zct|U8I2t=lI%9`m`0j*7dU*GHlgCxhURb%D}BL|+X&Yi^%27nx&5MJKKir0X3^#s#9ha6{G z=ajKDF`SC~AiT0kedD}_D1I(EG~x+ynB}M(HCL3*bBGY1C?m44^Y~VNwOU7aZA!08 zP_v2l5uTA(33h50vZTFYW1lcs1@ zlx$epd?M#x19qU=ho7028`tzEXCIyZ8oA7U1#|@nGE*)KuY|X+3AKX#m%Jy*Yl-Q* z(A-%HpIfd8fDJ~N03f96@rj!VfhoJ{N;rJddw4@Q7~c>M{zZg?@eSeNDPb&{KeA?o z-)$TLpU##gFdvRD71iF*JoVURqgSDm0em1hg1y~`2K!&{AMD*C|xfX}az%p``OsN8INwAYSvZfE_Yw z#RR%ZjU`KxfgtpdP4!XlPZcZ{!zho#y~(s#S@Nb9!(Co?PzW#x+IT5fXpF|0fWz&I$zC!u_}1lq!}41vlg*Q}bpqRxj%~)$7v|r2F!`Md z17Di*CTCP)9O$~ydGu^b)VZr1*303uyQvC;*6zR@LCz$5`OMRT_pj`p6wCbY zdTji=x+XVmdgkqou?5^XGM)-vGXBgQ88OGDsQd>YQLS~2K%kKaQQ9vCR?uw9YsNOA zCU%nXB?ig}bzn`CBS!>q*%hGJuAld`U|}L5&F{&&6l8~6ff2Bdx=gsh37~+*xId9< zS+$e%N%%GO?P=?9j+j=0K0WzW_4K`j9LBg`(?$^Xn(Nt%sb1nIgw&2bnDOelLQM`J zrsFm*3Im3Q_qoCf;jd?efyKmJpFA&M2dBx5EC&O=+=TJ8JY`Je-&PfClK z@UAAA16J;0weS#+u!V-rV*OI<;xJEzk zgl(18IyvlxkV_G%3ZORRA;Sb(z|5#nq3uLmNZ?qF7b&@@aQC@VP6 z1CAtQdrdh3p_5DLOiOvNVK7Op#DFOLW1%a#`8qoxzy0>%cVD55cP&BErBiUGQOu4d zqd+olC^1!(OkpHIY7`O&7S)MaFP+u2bcZEUvY%xdPZS4!iR*@5Gbolq{1b#?@dgK; zki1j3P9XAdD;J>(>;A&=HV?fGBhS)?^VgbC%0CDu;oLLVX$8;f=qap%+S=R=%T4OMJKcwXb$bXv< z^F>Ar?CBwZmko!PL49EqH(5KVC&pK|lqF`2h$bNN%v4Z>_N_*;P~(8@FXN!C50F?l zPS?o~T^zN6xsdS8(k(p?(&^-EqxOJ$vByko5kUM&JJ&#rvn+{P1+3$f)#K+M9DhU0 z37+$o?z*Od@hIvqr?76-&3I^Xi+*7Nxc7Y=h zpZ>zCoMROgi#>Id)}paU@M+g@P)wtG{|%0A%{ACl0!H#wQvJ4-p7}kz z#8Q1+vxoQ3cQx?ZT3G3x2`}gECV+0X7VdyE=j}{y@CXFNGqnl3bBR4!0*cRA1 zwFYQ=3N%!`{;%GZP>A%JrErufuc#u%x)`g#P4Fs6VM{JZSf6GZgh-@ngHR&#*D8UXU#ecbqRBbaH6i;wGWv^dUzXPYB)^EZiEcJBA=Nj&VxnH+ge>>m z0MKNEgm^44(ovgPK|)FEx_0DaATpxraL&ZU_Y4(t7SukBnhtMf2vEoKL%Knn-ox!B zO2l9{b-|aePF=jvYbg3Uacd=75O`R7L=~KY5@e$kb&b6c?`|@+07zFv>~619ds^rZ zexwa8eXm@C;)SULwQGNbzh6V<`C$^dc)Xrt>KhKnvUV>6Pl}J%OQ|! zjV5(6(*oQ%t*W{XS{vCyq1e@KuU@b2P2-ofzUWTqCcZNg>g8y0I;+zR8C0Wk^7{Nk~_1U{(BRZk;{TOD%f zs_wlmWoBvitFg-=9zOmuS)W+cDi)FPY-cZCzAXx7yoDT?tltWPU5!I12@Si(YqNs* zz*xWR&T~s;a&4Q$SJr0^?jFeD&ez&f>e)v1JZB04guAb5u>de%L(Rn8fGRfJ9nq`NF#re`h5qUfkJ#1$85PJGta z)YM46=H;a(rx!oHSDk~>W(#NDte(406Y}uhd2%B^y7@y*HSQLcB6May%`jo&(b;)k zVGS4+RR)@+5{v9t9#t_pk7mk?Rzbq2h-vZ4KkLG_f@9^9Z&n-vJ_8OHvm~5bhe_UD zAQ{xGFfOtSDN^NRt;mJdT%8qJ_V)5(+T4u2Bx7A#e-;3usRSzN$x*xxg|PHADUC!J z@uJEQx72xZt26phdtB9hV)|?PsL>48?Mj#P>ikgcVQ>O>H;!_}H4{dDX3S^Z90_!z zA+(+e$}kQH2{5`IluCsX_6z6;*Lq`O>Lrjms0Xc(@P zD_Z`rng*xAa&Oq5wD_Xqjna|O;fsn73H%(U5 zNJvynSO#tbMe|d>LxY;)orptbr>~H&j zySEiK=7P~7?P8*YKkF7FPz5jXa{ zMI$@{T*PEju#;Q-@VrMizmnQ8zjNv&8nB_#boB?2UOb8xoldB6=`1!oEh1&PN0nTY z=0zUEM=R+W)r{ENZ(S!)v4{6RtloLIhO{OtJU6;-o*5v2dkOW48ae-0hwp5aj7MzN zr;zs$8V8yxH`vb_vY)M~T#y3{|Iu({v~m7Zz3}eCyT@Z_2#Wn|ZJ7Q1d$A4od_NO> zBc<2BTo325H_{5MrW{Y;a}V6x?d2xgc+}N! zSc;TMj=-G~i+TVL$#|R7ott?mAfZDg^q;8^K4=B}RdLkN&9WPtt>N$_KZquT_9`V* zw0Jx482qw19`Twjq>)o`*deql$+uHK@u<^yYzXK-u}DBEdMM^h8II%VbJGXz;^>>L z*fx4=JMVbAHT~@{p|*Z$qYt4qE*D0To>wFS%sEkT4oxbf)l!kMWyp(+bWbAm26a7h z{P|?ZWTzKI5}4DztRE?@x{!NC|tGCWjP`cV2o|ccq$XFI-;rH=<;1HNu ztNOm7LM-f*sD5yhpMKKQh?=yRp!wxcy<9z`GRxc6Dpuco3k$!`)}1%ePpTV#Qq7M% zXzeCY6W6AAI&q4P@+}KDZwXKAXIjA(?r3F%xNz~!I=L?^IRIB45w}-lOMy!rqTyWW zL`yZQ>1~Q&w^E^4R4iE&?}mw^7V?Vev9C-n#9Clb7`%bVH}dm(Y&jmk_a?-O#-$*v zn(e9wjF?-lVKdoJ8%YZ~6V9GP$TDFdpPYXJp>M2LDVWdo*KuTO9an9VR+Sx7wgkk^ zt1M_Qd2||uDD+2wIpAkag2B)gCNV%Zmfc7IohGQh2-1fO<5XHW@Cd|DDoNnW#f*`- zxM2;1I>WP^DUlKG*bJe|o8h<|4v*QnBuovFq0I;S_8r;ZqebD!fD}f*ai7{?u8^r@ zgOt}FtdfgRpS<;8_7r>l4HYn?tdB!XBpuf@Z=8fS;C zB6vh()W$DTO={M>X1epOud#2SBlDCO2y;qIzo255Oo>;SCuM}y!gI7*KK6tUwRWlR(k(rt~bp75#H`I;Oe+lXX^j8G>|_V?hAA>%sk3YQfHj!6*ByJkpJjjaSYyPo z021jJJqgM>|BcZh(C0h}kU)($OPJo_Db{cf|p zEoMct{u#Erh4-ewt%n?)Jfri(BjgVvJ6|^%;%3uyk~*CS52L-kS+_;k7|*@%?&A5s z5x>FsGZ{7@*h6yD;xJB*nR{Y7ke=O+Th==$kN|+ZmZ11_D+~ca+G(KkjMuC)9C=d; ze^vF(m1KpSAmJf{SG8ccKjeI<$g70s@UGPFR2Rbxn?ywGP_B{|x29zx0L;^{JRT!5 zb*{njG3rGwQujG?i0m=!d;RAc8=~hX!!^~{lICRX&KhyjXs{Lz8#B6A$QYR6rx3Rw zHrcsCq-1H$vD>-z6Bb9;d4%pJv^A?W7*@*b@mXioQsn@|9%EplVj+*60U8sLFl8ow z`6aU**E&b=`X~tU{2*;g$S{Y@#r8wJ``YtHaIh->Y&?jEX(Q{&{bpWpte6d%j0Y%9 zK{7>d0gZL*-sEnZ_<`uX-R)lM9#+Q+ApfKOM>bMJ^-VE^BOd*U^}G^W=Pj zVl;>63S~;oB%if*gXFI_L(3BuE^b4Pn=2P?zPE7iiuCc*JJ`DyZ``Zic@w$9ZLluF z$@`@ysk+M~H$)CFfA9X4y?}yGg@x1wqQhZMbobn}9`hs4TXoo)bANO3;(Z*dw8Kt= zV!-PI)H-sP!CeN_-uLpsIE5p&vX5mX+_0F|b|>2bjWWjF6!8e{ur?BK+~Q=taOF#! zR5Mx;thpCZ7K6{dhxU3FX){7rR%{K7tnrTNI_=XHXrFMJK5Yk1m}iO&K!%hGW`ZhK zKxBIz-B4I-g?qNbvg;&5!NNX=j0R(8(lX8=qd{>dt>ZbQ!!*`dWHgN$4-NsK35=Hq z6SsO{DoAleK^+1yfLbVN3M}@^TDqvw98MBVxtQ=Y1-T4s>#~%?h`cX!vQ*zVfk(zw zP^BO|^gDuPSp4R_g|j~qAM~2#o_B3(EQ83nzoR9KZSu%3;Vpo+TfDkQpx%{#qa&~p z+Cwe)3I^Pr5E|uo1P5tYKW!8|iOYBc-smbN0xB~+J{Mc@pTNfS&HLDMX;-~e{o&i{ znQvqydlC}lDxQhBB`_s8C_}IB)niou^^rn?>`k zS#vwTH@UN=Z*d6I#_;^bHj(h}MZ$kDN7T>ich zkmGP1S&fF z@(m#gJhGHXC1kBpsLw%A79pD{lfp{j7!xQ)I0BY#i!79uRtUJ}iV|)sU)SneKRlTH z8gqrOqAos7H@o!m`=~O^TLu!W^$XH|^}=NJ44dxTJQ_9@pWIOF)mrM^Lrl#B>nP7} z*FdCW$u70E^QCCyG4KmMbtnkV2pPeW4~5P?pQx=HIq4Wm45ZFx^y1RBcmsfW%~bgD zf}m$!?SL_U#p+FEnolu}JRUDwBDXGIi7EgHWBNla{eGo7{p3G!f82=e zn`y8MZ6Y0#>-!wg3_C ztu4G}?s7%Nt!eO0v4j+n`W^mxLdoGKb*j8@h>oO7VPpo;Fy0x<0n8Tingf&PYAZSn zLKN)tl^mn8w8u99H>(-rJA$oNByzuTev z#!i$&L{$NlM{L=hh#pUM+j0*o+bVEia6GYvW<$sbytm#EG-cVYq6nUPe!FbFN0NzyCDtcatxjQk3ly611gHX>3 zdDix+x17xdKL00}+nB9#Jp`=?=O*>L_&}eG%oXp4CU&7LqJHtm{4fhs;o0@106uoK z5Cs@72B#oat|j*qq`9XO%eH~Z0xI0nypX0X71~V7+Y5>a7)K5k@@?t|2MjAbt<~Hj z;2yAhw2gw#1JO`w_;*XlWacFtfo#oj zeVKyA2(ZZ7&QMHTK7x{Jf*O4BGM*FBDw80fL`{;fqan5}Lz0`~ z@kmN11n3F7xI`>7v&mL$P@zeYX-c4CGs4s{NZaJoZTyb5^hjRIFjfErNH0fK;1<6!154Oo1&vQytKiA z#b%l@%TUc|Z;IFNjw7Glf14Z{0yUc5d_ij>Mz5|qvNBa-#)Y~zos^g#gRzcP)H2dI zW)ceNV%+K(GXr5Mw4xL#YRJqcX`B$&6}d#LP>S!%br%ZjF@_jJh$F8t_K-p+yQ&Dr zVYFP#q>@Jlk!S45wqQiT60x+1>`yg7?TwV*vhZ`X{Wpsz+j*%PRxe&fsR@rtHy{?@ zV6rM{?6xITy^0qubdip?TbtWj1qPQ?4%|s2d^Jl!j;$`dm0Sp3Go?`sdlQ9LiLp@8R`XIU3K&^C9(ie%%R#mTIL1C|8Z|A!gBFm@GlO$7-c_&Y4|(q`sQq=^Q@!+=9S z#>jmH(DZH7vX4mhr5utBmg71Kh!@_gg>k@z!YvUw+qb=L^xp&|7r?aUg1mN+xvEb4XQ zJz;1gAo)2C`E%oajzMHRI45~I=53sM{Qfn#`TDojpZ>Y&K9g z^4S}vdam4+2~7*2Bt(U)Iq!HNqP+R=-Wf0j+#vt|aaFWZ^VUMilsn(nkRX%z+LF#G zrVk8f{SnX$I=p5s*R^Omkd|rzqzdM!SUGzRtSs~mu4+KKU}VxgZ9;+T-0DRI9(x|! zIwS1&2z)#Ka2e|d@ha{@i zx0;A|HEc8y55#RI_DG(*$wbNbgPO*w^eF0EF7Wd_6Gqw*(e_?uV=iJO0!e{lWLmUf ze-L&^8%6DD;Bb0dV-h#)QaAOdBUHB@zk`Z zDB4(KbBcV?vaKn}WW1)vlzPiAL5|NU0fIfnC)m+hjEIsJ5>+$jf(p8Chy<0vpfsJVfW$qg^MWj);U<73J8a8e8kmG-Emu1}k0sL#d11H(2h9I=a$Z zx2}%5yb6bFkcPw0s$&L6EdN3Boh1Ra#bQE*7|fxEOF^ariI*JHLOO@-^AwT_B0z4+ z7W@nrF@Xwl*fC*)fEaja915|(Ij5R%4h^3{e2t-CB+QErF>M${>UOGCS++7X5ifJs2;?>v(nYb3P^9FLoc2foEPvKK z7*J)uM-77*WPvZ1!YmmD>+er(&ut}3BHwE{e*z934VkH=NLUgu-@Xyhe_IJqv|*FO7v7A}ntWlbgx|$e zq7}FwO4o#7D8WM2>iEJ4-fV>q9}K-^@8wzG-a%GB2XPce-O!t{SBpDs1ta#Xirg_`VkN;NC4Y+Jy@LWE76d)L zh~)ofb zIjLTh+c3fhe$Ev#?CoKhAH_txI&OZxkZ&8Vp5u9X}atR>J<$#=s< zSQ)!4Vtxz5>c$wVzsjm%IvzX!vl%uny+|Az^HDYd&{M=YZEm4%Ly@?kG!_d+_S2<8 z6v>%Oj(v8mdWaEwSlQbNr?%Btaw|M>yx6|=(c14#i6Nr}WRm-$~7dp(NcPMm6#1v0X5$%ZA zuX`$OzA%^%#s`5FN9!sDjE@GG+KNb4j#WZ`ua?vql<{p)>4bmqKw?aB>5zdc zR>Dm_YAag#0p}4!;uLBJ4l$t9i`SeKew^8-x0>J)I06}$XGasJ^dCXgE%b`RG`xfQ z)|abetOd9t6bk@|+=7dMQ@=?Iv?LT(io*>vvWqDX9R=u9We0C71oGi)*bVqts7}C+ zc5n+acI$#2*wk?~2R@_B$c9JI)LQu-1?90d~n~GML3fE-m z`w<>uvxfJ|N9ox{jn7)O&YKW8z^w#V5t}9BpgRo-=X&+aDV|E_h60&cl8G7F^G#K% z)h6&-ez?7m0PSPi4Vbp7yUD0`` zZ7@_ICk{)XT1UQ8i}NR|*ZvM%@{7rZucj0N3mo{DVzc1TmyA-m$@A}~6_{(tI~CLm zK`4Sc#V_I~$D*unqGgz2dvjgR-4SVw-sepl>7Ge=3^FQ_}fxbf8o!Hvm_eUkr+bK)An`<{JD z6o&0;Yeu`W#hAhu|kX? z<2U?tX4$R)Q3Wz>%qnm{tBRYr|R*_e#`7lFqVlz?so{;0@Nh&T`t51~OXubcQ)S0jtBR({$jDb8yjUVs<~J0xs+;qE7vb}sL!{%{%N^C?j6BYe?W419$^Kk@5~ zYC%L6EnfPv`soQU3|#(l@t@O+?|kLBZR%3>%mBJTMZb-OD|ZB~&4I9DVurdGOywg= ze=P6Hyqcz6z*@pT2N_e0(WMNcM$dxJ^(>YFCvXY@-|%)9-*Ptkz3#X3no+!*^|r8K zZE5jDz!1`Jv!5OJCnEk^%3J!&)WWOy4zGC&8l|?NeQHaw6trPnJe-%e+1bZCF@SOb z+i4hsLrG%dL6CyfbIa+OO-je7cs)j~$2urXn<&>ft5ZviAm_QIkT-Ex`{^b>qWB{Q zVMk>s{2PC@lTq5x>nPn%euV#OV0XIJjNsgLh6tb!cQxo;P)}ktb8b>?ZDY`)%d|+{ zit$OVkOF_bDK+vE@+2qXM8e9pVo_WsDwceWr*LLvxS`YnpxVu$`WZhPu9Q&rRgZJT zG~A#~2DmK&*hX4CL^kQv4@ly|N5Kr93Fv?<7zLZqu>nCdwz#_`GH^bD!OM`Hu!PjB zx1;!RJ*wT+?&cIR2uH>ColKibdIjYqPK}b=oX#1Mv3@V?%5F1n<7{mIZ}$%FedS>P zVE1pj5BGFgV!=#2A74-F)=hjwa$G0CNDpPt)Qh9(gy+olUk1OxLG&Gbx%ZVpK-aQI z;S7o6n~S-+WK!0U&gpKcbcu&6mtW&3{%u~Yb@F<0qo zuqebppwSJnRso}=qY@MVMtX~X`TRJIOk)%jrqv#wG=}6QU}q&@y@DU}>6siMP+feZ;qD?u&Qi-@;J zAu5WID+MNA5SBv;bk=WNRmNIM`$H}lEa~fX3!E54kH1oWsqhh#ZMqfQkFQ= z0rRDowdKoYzUX)G zrv5|SdwaazeLV*UdSCACIsAvggZ;5_TfjOZ#|l02s!r5!rrlEsHuZH3p8FLAE5_FTsg+I5&_tD0kuPah?sX!O`G> z$hP8X5UmW7QEfnMpCm$`2JhXrr0VGiQOWL)f1sHibxgKqWU!*4PJDGQ}=1pHr1 z=KO9uLF4xAeo=?2P$?HHWrZD1M{bCx-3WrqF!nW65hq`~0mjY>m=XjlN)NSStc55V z;TOw@T~5hzvH{f1*mbO;2n-Rz6eF|MazS08jwZVuEW`hKIw`2~RQ2?|>bYw`{xlYO z(8ErFqkm3#+T4tv*RO&tdy5IPvblt3;|V|-Zi_}-?q;VhnVp`+Q5{GACTcSp4iUl} zJNNLX4;gbXf0}P7C1Q1b?9TIG?Og2x1vIS@=8CikhA2jQBu0*fe!?k7N0iZCr^0vC zL|XNd9M*P_c2BE>DII%A&pu)}MVK%m1X*dY1Wj=qxnIc_YM%xCuN*irLnnz7DIVkp z@;x}vnJg{dnOr*#|gh!Ze&1ZN-czhUvsG2@lti$yM{LK07T%>(>MvWtp`Os*?JxHKk$a%N7N6ZV(R8$cD+6rmQ8 z>g>fnINJF84Vx7yt`4LE45v7y00)`)VLFtIMmmxjd0USUmu8NIE8i`AeHoEctTS`g z^%l#hp>W0JNhY3}t^WAcj zEgdXG?5FdT5D}*td!wr2A&E8((@as@Fq1ex9gbjjlp@K4JMYE4$ccM+J!0P1Mw*0; zjj`+NgZar%;(|cU301(Neimx^k%`cINl+k$Gw zAoqIs;|GxF1GJ%A5bW3+o^@$PP{+ao&A=;3UC%7>;G92E;?bq4VS|V&Wll(rL`!ZD z0rWY{%LFlp1oF@< zVBP^FQyYsF3>rA1FrtBK0GS|8W)YZD5ApSyeL$W>3xm}f-wDN1q3Dlb*IPI|W-y^N zfJ(Ulp>?R_V3mtJmb0+h8joXlMxzzhdZsX*U-B+XHYr**>=|QwX<`4$VrQlN(FSa2 zf6;kJraM&el^t+y;q42Ub|@1WYNj@sG5!nhU#(vJRx8SKy~cP=c5)jJ&Y2pAw-O6^ za>Q*FXJ<4uuW=xdW6eVsY$#rHoI=1}iK&rL9;?OGiQ5voMI=F-jYULHqsa4_s6l(2 zcMF$;AekPWzFj?knaXzwA>s#Qxu4=wSD*b;_32`YnwAJD&MsB~imGIVz=~Qm?nz2t zI94bR!Y*lG%iHJV^uv3nG$hy=xtCR|JS8>;I$M(~Jo6_gu;5HE_Dqus)ej(C<@^Lc z{m3Q-um?64b0uGcwpvYRSPZe=nl5km?l_z>R#B^ziiJo8iHI0;@Ek@_h=tm{Vu8+e zN{6vpX=m^8$b?=fO~m~AbShRNkxRpSW(x>K3O$1?0X+RPgln%=Ur1S&HMR)t@rG1K zLa;4Cug3zHY02}R`%f`rwl_yk+kfdcBI|K!F;ezHDFBFBgkmFgnLyojONbq^;bRk6 ziTM+rESi~tDVm1#uzGx_0kOiccg!tbo5QmXRBk~88c_b6X}EX`YnsdndSYiXso2tt z;GQx%SsfuiNXA@emp%@FEV44c=fHmU&iul~f7nonJSL~HW^L?jca{R{t%Uz=j9yK% z5cfbWUb_qN*<4}2xt5^05Re0*}{; ze&*RG!>3Rr(FiJ*hl}Jz8D!!})*C^Z;<`OA5#uWJ&eQsMhtvsZcWddkB_gyKCseey zDnhSi1}A%y1!QYw_Q~Q&jil&4EA(3^K3xnH6IjqC2%*c7t6XSu3XB_;inH6%7>XEL zWmIgN#>Mkia*#@>)YE+2JYMFEi{@A-(V>dMKiap@B}}+y?gUFN6AwXqjsQM64JEcY zix9KT-YMVLDjl3L0QLz?C(T0D1`wsOTRfx+`@|-TZ9W1J;ki!EMEqT16fdf9Lnv-2 zFDo%T6~iP@kR&ori!>oEq)_w2v&pHT*$p8mZHU0|XrT2bmoIl20g#QxCOy0|4KRw6_k}=yjzeqPx6Q|g)2M$9{Bc*R_pjJ_@sjG zGV8eEn(tc0_fEayyH(eAxJ|EPX;j@Vlrs#_P6!^#kO zdbHTY*JP}44V)gpM-|EIx)E?mXpOwMMq#){Mt=^ z(P~gJlD-E03>8Sr5-M3H8$vz@Mm3v#8}qXvK}%+{M#Vd<8;58NSb{QL$@-;MY=B}k z;bF^LK#>Dvh*pp_kN^T8WtH@3E5;nqD>D@dH(kd{WQBI>WUZCs(btv7UU7VysY?qN z-+Xxgnj@576s)YCyM;ADl(o$USr8aj4<^r>Ru6k)Na%f)K&`;|w%1jA1T5JGq$C>x zd970zL_FrYux79XuosdAz=5fEBnpNrSri>0wFYtgf++Gwf;eC~;yke}4QZ+x2Z62k zJ2AL6m67p>x}pbk%&BVw#?c#JF?C30&T<;(5g#(0_7hy$?`54|WRj;i{1f|n|0hPX zlJM*I@~J-CEwqqzp`TZQO-kPBgc@-IjMxd|@ZSh)B8nr=N`s)0um)h1Mal_ljjLUD zS+-bCAdqXJl%Y3d3u(v*@bk98Ttiq(KEdD|P#HULK-#T{m&!%Nr*jlsUyScftR zIw7VDSnb2_uVBuAh{&Iu2lELx@IWf3G$2{$(4#NT;}PyL;$Q&R$X4{@OC&*QVORr~w)uOFMYHYdabi{#5#*hV;vWPR|+ z{{6Nvu4X>1W?o%|QA6dw@|sZ&b20O*5q~Ul6%&bmb-Mkm5EURzKpOZHB`%Ny zRzzU?*NJ#YT37-J?SEFu!x=ZS*0ezm9z0~J)RVJna7gaw5ZygPkZd21SPNBNrqt2u z2p<%%Y_;SP2e?;?u&PC!0u0cII8Ff7w22`~%hDC78w)4^*3>SmiL+7eg|FMmEM0B?#j^K!&dU z5VN7pilT6}$+kg?dzPgK0YtJc)Yb>sK9Unlq>_}^E0KHL2qlD1QkNJKu~ZOf$pxsU zJQ#7X74l%$Pa%Ek*La}&@GCt7>%YP(vt3)@&2V)y-s3yLN$G^Gl)+^Rxr>`i!4TVL zu}3_*UY{xwL64J&qJB__j-1R##ETh2J=7n#J67ExhVZXJPYPsrRcXp3r`};Ipx7$l z6_`+_0TD9xD*%8HY8T6MAP8?$90USg0mD?N5dxkxs0+Z6pr~BlBDU6~XENH@zT6$b z;iWPKUI}xg;zJ?KfI_{R5}|>~`4Hq`J!I{uqd_STAb*~~2dU_2{v5{$y2ykrl}Dn{ zzQck`X=r>mdmacD)^wx?6HTxA=qOQ3IMXoQlT2)i$koR)BDE^C_j~`dHUoG4CNi3SlF? zB&(ten=awtKtq)xdr%ChSx<^4L!cNT?XAl1TT<-7Ef_WlMNV6IEhPeIw4ML~Q4FsjZrQ^PHhaV_ zR$JJ___FdyIoyMprBbuPSgfczFa8cwip51w@Is?gcQp~{EwarneE7-3@4rFM31NL* zjfX=Tg_c#C!91UA1Nsb4T?dF+yit_H1qLV-)sQo$A%hxak7jM4(`ML}7$+sx3-%r_ z9?O*jECPZVQ*Y2Y0Fjm>A`sVb)%)8|AaQkO;yiEw;*m-u5nOL6NjMgV@^G{8= zHvgKU?lG!OAsw#=Z6LDw`K+yRP&p|!CKvem2!rU1hS**hf;?ITcZ6fljyCZ+yxoAb2Lbw>>?7XT z>TUIQTexq-g;sAHyMf7&A>6#3eP%LfzSY~oJ|QS&tGAPVOqW80q-gb?w;J)YL8(lq z*)Q3R!+zP%ri2JBSV=2!8k{4}8%)C{o6j9yGrmw@Vz9Z!vlA~y6uC3R_yCHqba0yb zmn-G{4i!=};RVsesBae!S4mvkWv{1m4HHY@8QjYf<26rfjH}J774~$z z3OrBG36=%GplDjIk5cNER~y~bs)E5d)jp$?7q1z@tq^^YWGbJc3Hh&J1~9??g7SEw zbQJe|X&Az@nK;kxLJI;t)Pg~~el{!i0bSl=?f?t;)r6#_ox_wxTjuvn~--? zCsFkvd%`@5UGsv~lMKbCdPZhJb2I$$$?D_>3wJ){(PB1?o(%cF-4e&8oyNNNUsBjO zGytch-GGf+%ZCg5P9WGe23)&R6=r4U5eP8rbR40qBwbq~Rtgw^<{=tqo16`#F)pb> z{_uQ%bf3|{aYLwhYUVkbh}fTXnCbq2>u7Rv0ihY+o&xw$NQo2pvzipZPPj0S^0WC) zO$5{B7b%w-g$K2DM4o|fHQHm`Cd`KA30_>hm4}BG@?_@e@-lvqD=^*o|J%v` zZZ+eW@Y**1+jjnUhxPaQC6W^FHJDf)!@k$58^q;nw6fHlBu|OQ3dLOjUGkIZJpl?S zgDSDWgY3+lnmT#NN$3M^7pgONjm_6iF>h4ymYw16BilOvbVP;g#+U9&xqxZ`tSW&) z5%+J%{6b90mu(15EUFZX1@=AXmyW_7;?-Cs&Wa*(74^&-X)_$+5Wo+@AjHp!A`apO zIe$VXwKByJ429)FA*+s7N)82B;}YBu9AgY3kM&^+S?H0dQ7z1z88&;RaHxXKyF#b+ zxrysXB%&GjfE0Kw<_Ns`_~TQHmv3w6pGgK3!tJo%G*3p+6DI{A;`HLRe=PjC@UQ|qh$0QfawwPQ; zGt$-N7OdvoN#DM1@m8Nbt#sWpLDrvGrx4?D59?ckbmfOkAqW9L1p}&+ z6fyeepj2?eMhHJH?^8yvC=-?4NH{#;F#K~2499Ecx0EV*%s>OoK8XTtwT5YFEvYze zj<>h_&|v@T{e#{64)h*`N;LiuiMfpExPQu~yM5eJ&zkCJC=t>wH8^A2fK0-q*g=K8 zih!_QvmBdO1Cfl~31`u4GH}7PmVyrWV`4eH7|z7odeRyZz1C&rLL$sIYbLpi3fxt1 zqX=~hBr4Wl4$mX-*i4g`IAouy;}reP>y(C@V}up9Q6Z6|!GzbWL(t%lMX+LoY)`dd z`evnE6V?C$YSdR83Ty+gh2s};8)3}GklhTvwAp98WF+DlG!R6=zP0eWONP)KZCY z5;f3h5qH&~s_c0^zODre$1B2yGr|MjuacuVVKenLU!X6*&HZdvr@w*mg18Y2p@ZKA z+%SE43AzNi4|I>fL^lo~2qn@BG9tpckb|K|a<>J1^H5)S>zfOCiZY|yn%tYhJR9b< z)ZiJQN`ug5t6zO&MHoox#*E#Ic*A8;0?_Sc&(Q1DNnvjPM-694$Zm-Y5hiE9Z)j42MtFAbynud zw@_6xOv^AZ6_z#}mJHFwFS8bk7^eo!AQ|WqFf?ka<^&;22?>l8y<7lftQW@}c99E} zk|F^`N>(yuk|OSOJwPY@Uf3|6r73C%IJyfGi~GUP;vJ)fJd?U~9?#`4K6G9xinxMQ z-;8|G5zOL;y;LccOypkezAzUMAjL?SS8|}jBw(GWq$$iHTkvHZg(XXhVg=o(g&KM# z&2;3R;8wNvCd2?Q)&+o00jWB;(2XoIneu?!FkYcGsC7iL4X@ecKx7FKZ}m0$q;6}? zS^UK2D3r7PPuwzZQ|^c`av%WJBs-d}FP{5m;SIF88c_e!TEMI-HM8)+aVE2Z44AMj z=P=LvYaXU3V)UGI6bpU4o^VQD6)rS`8Hr!#ZTbguGH7#?v#J5dacXZ0m>k1-Yez;d zUcArvVRiogqpv>U*u5};q8OH$YpY520AxVHkUWD{ho3XcD?Ix9$B!<2i!%6M7w%p& zQ+#HVOd5}`oUhKDkDD|ePrgz8{u}%4j;UyDEvLnMu1X6F5tu%N`9_x-9Nh5}B1S$_ zRI%!$*X%fR=33&VIt0;9UE3HZP_ zIZWl9H>-DM1zOBZ9L%N#;9u%4K83yBLN@RNmT8-&_E~F>kH1p`LvrC3V@h*gGeV4f zjs6=nM4Y$+W|G^=gHJe{TmTg%-@d-NaPp$VXhHBbB7{RVGChfNWlOOFev$x-zZdCh zNyX}?&1ss|&JxAgpq|ZdOd;69hDL1RUD|GadSF(;3!tUK#A~ zIs97B;oY6T+M4P}ZB1?8YIiQNC#!1OkzYIMtNLaOEqu`s;f_t_Qsj}m#OM+EqQk+s z7l;Ny7tEvGWW1H{XjH4ULoq7kgaJi9Mh+r75}qC1d-nD1-Pe0~PrJC)$qz(A!tCNd zzI*unc_C6O*foH-0UY32G(Vo9WF~^*A)bN1PRCz|#&;+3ypelQOF}%z<0CPt#|}MQ z!qht$aTG8y49sDsLJlIB?~Mgaqb&NNGCpJiw0fYb38}gfAO#k)6_tTAR0=aA0sGV8 zH7DeoYl%hNQcy6>EfhuKXL3w-h{~*|g%Y}I)H%SmP`Tn~W#lOD*H{>ZuBrx9TZr<4 zG}v}FypHlf^erJv#n|tnP=er{tM;(IshN?FlTxyJsM4r)Eh6 zqcGmX@8=evW3fP2eH1Yq3IXOek5fyfm~UevKcL#@3OKbg9FjO4u+B<3N+IgqZZ9_h zW*zuq+`;I9F;K+G-;I;+_;onzk3{TeEz?x}m<{ts*>7w)9Y6AS!`K|Zj*c_FR${+z z_q(?Ls%!f;`1ko=bqx(WZVroM+f#5qC>T)cYinv-YDfFl?fm1`9Xs4l?bM#y+R?GC zD>L-VuFkHGuC1NhyE?aS+uk)CbPRQE+wrUCn`)gNOVd%0Fp2S%-hE!qFBW-vp}548 zB!NucaU>fGj)cuP7!Y!I)~q)KSyqhilu%jZhVe{fLyS`LM@QSQ*njbT&JPrLuCoLF zYwPU5JGJ7XsX9B|C8&Ra)c*~d$Ca5tWG*o!CnLI~(i|A8&`dZKo^SPv<6UTT=a5;J zutCBM%p@aiuYa-Zi)Rn7L+)UglrY7*J_!a zj3%=o0hF|Q=^~?{ati)HXmPm|LTqsb;4g(;SA-U`dqn&$+@2z@cd--}AhF}mfut?@ z=2m{tL@6wz%jou~lqc9LQ0^Vol^Jn+J&OAjb-~*rjZ+2{DsUaMBbf52NhdXej`Rru zjd1S$#rwCUfen84B$9#xPX$XQS9+^wzIpuKn~80wM6dvi#OfsLb~C%D#jBpYU47#W zs7W=2b8~jZ!TTNFJ{LbgO)YgL8;4TJQ~F%(_BvWS6KsW1(Y$*-w*uHHmYruyFe)-E-1D#^}a(;R&>*pOe)R@6eF@sK-wljGOGme|xQ@EW? zVFNe+YHO-<=Py(2q0X&45+7-Ns&~d3*eYhKI64tIeyuT0Tg5bGD!JT5hvWC8i5ebu z-0YsHovu-DUCOApS_Jm2pK5e3GV#_qH}IuRE&h@zT2V%hm6aEaZhmsulKXq(3|A_h-4?k&(<{5G}D+ z&o|nuUF{lGS+x1{CCZC{lTBpe!k%C z3UYp!eKCVqQ(3yYXSfsuso~PDcKTHbEk?i8@Zk%*|JOlKBxEokB(TzRpcTktonSt|qqcgDx)`$z_}1pSD6SESLR}t}=aPa&Sri4%W>aQ#0HAGG)uLHu52V zmb|-df2tJ9#tr=05S`|2Ojs>;Z8a`s{IW0ZVk5>&g*0Zvs@6GtL|dkuX@jw-UxH&$ zT|U#s`l6ENG-0BKN&Uk}(1*bM#Blh1TDfdKupjsN~l{sTOmZA_Nk*3M|H{f~Y- zM)!~|1^QkJs3jHVSMm-pQSIEm{bwCJJ3Dr6?PPyDp5M{Yf!8}aI=4T+me2C%R6_rQu)1Jx@ z6Ywe^hB1bXb_V_i@bLi8XS)7y889GUkO4)dKxQOEqz zJH6lZ4!qiTWWeh__`3I-?!$+>4-UNk0{Zp}?AKt72SKwFJqxx>HXOjmoPZ#%13icL zzRK?JeyMkV@4)NO?U#E84)*l-doTAL_PV`8-G>Ky_a52beb_s6GhcS$*6r_W2EI>mJBdaB>8AjyuXjwIjFYp2ftqA!c zi;5Ym*`!vp)$7ftQ?1^PPIil*Kg#Id>o2pLSpzSJ!>sX_vjsp3dZ`eV;r0XFUdPtX z&W^UuZ5^H7k^XMBi0r`#6J#h%;(s#{EgwWd6QiVGcMtTv>b>qqmElS*^mZNfOF17z zkw5x>{&Nat8m1to{#az&01jIwyzJ}SJMj9U9#2R#Z029u-@Dh_!GycQgS&bT z4#0|WX$%4o26_&7oA(S=!fb|VJA2yMPlNCqa_!A8HvIuwHzd7XtVMwGcySk-jNrvR z04n=R&%vI<-2**?``ABwcD3U#yV}K_Lh8%01ywF@P4Kji45wULLsG{3sd4@$boYj1 z>SZYJx?Y1nC<|$^QUW2!g^($uza7B_F+@B6uaY|KIi$ zH4kDzJ1^TZtUol2pqj-}IL0oG$XtSWo|pzVSaVj*g3C2K>_kD~FM0goM~i2_Tex}4 zE@{Sdgsu0~A87K+8cI%aILj!^B~oeDL0Ot zr-2OnczH?8S$_Bvq0QE;X!2yzclmx8q>c1M>MaRu*91V=rIvWMw_8HBIaiIOCssvQ z1PZ)@p1d{QV%*-$nB=-F_g*kTGDZrw!yyW-X-M?kg_z|j3mEE=Bbu`2OCvI z{Oj##0)7L#*1+^i3s>gX0_~PcYTVLx^+(m|d(|_iF<5L4BNdR3#{+ABysU*mCt}sB zGPQR7*?1qO*D&3A#S~S9B*#*IU8w41tY7JYq6gsW{JPuNle&W2x*|E;Y73XNy1|VI%XHK2*tZAcqEP?!=L^u_gFxv<4vwPsPrY^9#va zgT+E2yYABrZ}#BLE1zT4)GAN#igwBW^K$=s?2Xf+u~Ed&ve!F5lT`zolVc9W+`(0nc31AwMZglbV!810XknYKlx<5)h(b?OB3^6h>+q(z%Sd zs8kYLVC7R|!Mg17OCw%-w7@pu?#+y>Jq`dhPZs?$wQi^V2xsMw_J6AhA@uvu&prix9Pg<_M_Fo8?I ziTptj77m%1Jl&oj!`AX~oJ+Wmshf-*%OGw*6T@)krwiqI?)YU7y$mRXl;TwK z(;y3MscdQWwv23nvv}GaxK4%$!GS zdUE|G0iZWW=5%nZiv?`O<>RF@Wg!$u`?9(<4O!c*-Yf9W5lqy+>G6bZnYfH2{zPkR z_VJZZMOqjZssg{w93k7+K~+J}x%uQ7o|A*}pck(82uDdYq-RdgH1s^&aUWqt?a2^; z3^e{kl$cG5CDq=*2SD0n(sCYQFmQWXKt?I3P&*Ro(dDXf$T5= zp8dsK_lWH}C`+Be{Wd`fFcH&h_>JN_JRrn&+6-JKh36`;QFybF0=;DNVMi>9zTO^^ zu*i`nUQ-v>LO(et&fHEA~#AewUZ4MCHbrYU3RzUP+*2asGfaKFf#FD#qak_5_{;T+h)8@VX96b^qxN z0O@i7EZj!^JPkGVKq7g|z&}@t{c)=Ag( z=bgm-`N#0Ysif{pmc5h(Vnn`_WvM%sgf#W|M%hHzs3jrcf@KV#P+B#0+rW@g=W6G# zI`Bro>fB`D4vrRZ$6;J1`~Y7;apNso`%1$+?OM{D<-DP;jxOkJS0{bz?4nMw?{Si+ zZn0au=d@U5_Xg!UK&0k|juU+drc_U5Z|U`@F|Y?ZQ%#%t!+biZ@f^&liuy(5ZVYjv zcZ&IL+9W{)wKu}d5e_Ppd(P0@BRG(7dQK? z!==QxvBQ+s-NI}o4kIA%)NT?wyF#t5x*I1U5*-L8Hh#dj3 zc@qgPkc+I(Zz-T#piYEQjEfsNxoo@za9~LTfD-kvd2u$O;w5`HV5b|nPN9HSkj?6q z+W^9{T=J!l=4dd1x&&AWM5S8iO7aKdY0m6Z(lQYwH#o4qyohkCwN{G2BPj>=@#Niw zb02XHA8z;>v1I=yw%XjnUvE}F7nSF2PYP7)s^4)_p=1mG?xP>hS_QCTP0xy2o$z8Y z7;vbFWTIMV;0O>qeh>dEWWSj$m1Exs{R%T!)t{Hr|rx?^{b+$fc?Bvj*m7rq4^_cngSlF#~vp)-~PpRr018p-9B zO&P%{W33oQqaM>(E%1ybpBpQO(O40bM$K{~Pa&YjGs2CRmY4M}#fq0Y^i}4=PY{WA zBWrOZYjIgwiyMiG8;+}u|JDruwJkjwq>qx6wf6Y0>|1AN4F7fOM*inI`v2;A__l3$ z_%=Lz8y>!YXAhr#D6D1DrTvG*b z4{oB4P34y^pbj{V4}rsrm)yL)aO*k*TS3^~KOda!HAz)FhYa(#zYUKwwF`E()n#9i zM`r!^+3K0k_1bH?{VXZhNo%wD(ao!=S*5^0$|9^G-rwtRqhKXRqM9{PW>m*DJaPF+7Z9%r*uu%b?Kx*~{1Vma3WQ@ve zkZ}knCD>m#pt;X|v+xGfHtsSl;PK?Qi! zX^PASaDJl1CY}~Eg*iRA=22sdK16T~!Lbm6MOuj=Q7j5$)7S>@VSc0zo|DxHSMcbx zPFaGQW)XXzl0h#qQlf(9i~pQ@c<+=$L*^(?Cs0d8Kn}g2049oG0CoAt?;xmf_B>+D ztklra0P53laG?9hf2kM1(TJ8b9F&3U*T-BBT4Xmqp8zb~WK0{n06GR~d`x5~Yrd28M)1x;2 zioJvjA6&;(bZ+PS0MaI2w>U#v`x7@zO@otKAI#+EhFI~!8rv^7DZ?dh8g~8+7YZIb zMGhZ1c(C{2E6!zdTP@ji02ht`4=wL);SFp7X6#rC%h<^0ep-8uuLLmD>kIEqEkaGH z83$M0v|5zym<7?Bzw{6E9XiyrZ_6so2VlsF<~YSJdx{7P3b@0(*65neTwRl8ElDBt zNAgUP57Q_p+`PAN<<2q?2ThB+nKd-dlu3Z5z^KRutnYQ$4TdQT)G^0vFo_1VRuVx# zAEF20WHNmuc&F}wp$~PKQ-Tx=G*G*Flqo*Y@M3Ys~)ZSIPxM8eAPCaBchV_Rg)_ci8b?J32S)zw2xNRf}#L zd?EhJiV52Y2ivgqZrFO)*49hn;L6OsMjOjF`C>E6u=xu6sxtZ}7=9)1SzZ>1X#;jx zfn%0n^M#r@IKd?BEKG(Cv@?<^wjYH(3yrqnMI)WKhM4{6^zG{T%L0Z`W_wLb_*=_9 z^Z3g7>dg7}>f{FtcRt0JYNE2;>zMI4!F-%#LUtG_wP~}g$%)wiM-7{C;%)mIyRFpN zZBb*l`HkJy-Pmm-rVVO@SI14XpC>ldm@&&}DP~GfFs8?JpJl+6G!i;ipKd&eYy##V zC2bXC`ix@rG7*>^%G3Yg*@;)k;s~%lF{plE=wXL2xY*OUdP0mS z1|@bx=Zw5!0)>Imi~7d?@Gv6^69%CfZek~GDaZz6Oq^(C-Oe(-u*F&?dQW76ZpN8i zU5WrZlC|E97Ye56=7`nPUo5_P3L^Rd{_>>D$}M3afw8*yDLPudeQ@G4s)PIB#PJ7H zU%+k0CxLhXBJ$J)&ZMUCaU;EEiDR!`ynic>pKgp?75Q-X0ZKu$sXc%B z;g27%w&BL9ivY;YX2Rug@R~7zQlHvcYuRY}$kjOVx<53!x5-FH;G z&l3V&qUD3P)BN88pC<3hP4v&5t21&Z`9UvCLwa>?8u|0A`}ongI&%IiJTrm&`ELN^ z)QuV9rnOzY&gB2j#w5Z9o%b~gP1h_oomg_(EscpPwXWf=T($L!*!l@R z`E;&eIvX$nT=X#oXRV+3n6cfZj;6Nz2>QiJR2-uN>IfyZG!laSPDteHkQwE!KIo8# zvj*p4m``j7ZDdSp2n$Rk&@71{#RgcVOF-;3GODBaTwGjP9zhce`vDK8+X?*6LD`%M z9-pi?-Qbr5r1&#X?Bm7^hB2KqAo)$+ORz7*JbASbXQ%3(hX93CYtrmv*}RxxhK#3_ z_P8R)4NF|ZYb7gDu@qX`hsn|P0|AV=cut^JLdF=6DKBAG6^6rFD^RC#MU==ihsW<< zQ$~QvdEE$Llr4FaG1{A0_|F#KxpjpT=6$kf2usPFQ1?;5u4TV@dg-p*nh<{|rGIz) z;S(oLjAi7Vl(CFFl4#T~W!k{0Q558~nmn!g!?)El-;e`?2RVvL_lh# zK?1KF?mKemsU?8DU~~0E_1TOx1C!H&U=*`VCroUhnVWGUa=sR#z-hE;LjpQ@WdD9@ zx+R%}&`nMgIykKsuBTR;7;|u%@Y!0+swE|AmO!6eZLhB2bJbAYeUC;%h4YiQ3BNd_99?}M(IOPGcLScT4r}xX? zjJ6TJu!)WFd4`}6CR(u*k!^?Y7(_A%Oz^Zxv575ZvCuLel3e>?PY$88g^g1i9gKEa zN26twvSqd}(d_gC$ow3>fc^SWb^2cQ%xSb7DWkX7?5>Zh_K#2%<{Z{3Fq+-K`ljcI z9?W-7YaLZ4tCl3TDuFO#Rzz7f)*0-NUA}-qf&Jj)goFxlUJ`(W||Ck^PDt?ZtY z44#Rj-DgL;ueAB6;N0#V$%Blh7zC9KhNBvF(S#6`f&k{v+Gl~dt4bX%A^ic--^i3c7aMmAz8ZrD7#7u!ia$xcZ zo|_s?X?{6gbCcuIE|aJX_x_BVWZ0PqjPFa6;sk5+p`z{LKbf}p6WHWHExo4kqgk>7 za<{%fN5|5Pb4mX2b)rY(y5%Zas$-^Ggis(8;Ar_TfeQixcZ`i`mf{hvgyn?w4A|Kv zu0ReU8VXc)2)%`VI_zwKk-~k!Mk@=B(S-sOkPu#8Uspgc`vFj?AmwUW)+Dt`1Sn4uWaY4bzjhiH z2~}SAAWI|l!Ut!o=f0~>U$J*BWe?Zu+1$gs$03eGWSNQxjwJa&$ff4^>y3{3pX6D_ zi>J`wbV|nP;LRUmFFwM50FFR$zwNAA+D_bpMUB917csf%ndZq%!BWk^c{LPZ3^zi+ajlv%qYG#s{r|J~r|nT)*SN>v3gI6ipHd0Y zn0>%_BZF+~gzkW_cmB2yS*lu+Rwz|fYE^;dP40t)8yXR8C*VG~MSx<--i{NDF@BzV zJ_?isukKg4qnYjMs!9#UNqO(ssUtCT@~V~bGKyrjszNAP#RT}gGx+q0YVPqJ8i!2`#(0-0<*zj2 zjltmjl3#<(>%YP&Qtp_7(ci#e&}GtHUiUv)OboJ#XOQNJVYbR@P+WKh-@*BWomEY7}* zv!zG3n$Bp41tTXtwgo^zHtZi|cRwX*_MK2?!ypxF@3S^0sUf@W5z-YLR_Be)!}+Av z&cvFNF3a+VEB}6T9;aORHO;Ufj?h>$aq?5#C(F9FuWTBJ1=@L%@1$2`h*zADh)&GBFQH*VRw)yV(#IO4x-+Vc3O z4*tu-_~)07vEa@a!En@A{=f_81iW^eL+ ze01NyuLpN!o;x@&{H(Ln*%egt2qBVjCypNVgQH`m`cWd9oz8zbFTyG5!$F79HNCGm z-Rn2t$9o5#8{FH|y@T(WFVaam3P(FEF8%-^Kz>q^pB#Pmz~SN0C$(xl?ThCI4;>yl zu)n9<`PHw?m%EP~+B0-0rLMq>_G#3||NemniK9DOt(QuEY3wLYxBy*&5o6K33l*$i z|6g!b81ri4UGE=o>0cDm$A9!VJ9emFkM%fSe!T3gORIc4`@~`BzgMl6tN0s)Rll%K z)uYr;+_H3~?2h)OTkEaYIZys-(+;x^M2&R%MgP3O>R5Zh+tKES33p074V>7QG9C zo$J@*q(8lP;F-fa~#>Ws1?}x z*vZ~rn11zzIq|)Z4fTXa-8}?*PqzjgFg}3~{^POOPwZ+BM9UmVt@c1%wFko07Ncc~ zsnr(asx6w;_P$UU+%xe~PjV$M{IB7}*P5yl7hwH*YkNa~=_+X$R9 z@csG?;_sfmT?Yqt|9apVIF6u%U&sqy z21IA&vmU26@AOVMATOIG4<0)3%%OpOF@?=ihj$+uIyf9xXlVc8;eow-k3Ks%uxIcP zm5`6H6Fr$4;+tWR61@}R%Te|8D25*OWcD98v~OVVQSm7h-JUskXwd!*C$;rJd~;-f z_^Z$p{LX$v_+&?Ma}_<>u6&Wn4D8-}U^g_pZwn2nR<0an zS*54X&C`7|H?f5lQv5tRvE^vNs|1naEaSpgf~Md**f?GBgd+S`3# z-@XI;sXp1ZaoG{A7$ti$6UW3ZgTg^{*A+6{0dv#g$RzAuPam`+bNh|U!n^kl4(vbr z^w8eH!|(-pgVkzoew?8BoG3agj)q{ESwpN!g>!i8hZSJNp>M;*fG%LQ%m$QN%G1J>^u70(SvFa9Y1>T=q`M=i_dQS z9eKHD@acggdxxz;8=(|km(-Jf;^0*OGlTn$O5j(h4SW()AleST!IpOMeaUgKX1ek? z>v!!i3Sr~iwp%l5c59)Q;X(9uv|V^X&FY`jz~KW&4(+CCB(9);9vXy8=Ha2|29FL8 z9C~JO7&kI-h2AP`0pOL#Jq4;@Jyu~5eS9+k0BL@-b6vUgS55Q4yNXy}+lcn;>{ctN`rGXT;K^Wg)&XLpG zD~`(^=gB_ck$t6lvFL1i@>k}Ko9V3Lf(Yyues?tR(BomJ!>1BmHg^7&w}3jTuZR8oKe@-CHrY{ma!$A}!#7(t(!)}D1o|v$lhZ&K>6WIV?}e9gFF^la zeDSf9FZI0$|NN>CW+qa#s1)ze6}~~^PNaLYo{=4NW6~plsfo;tSu;h{O6C$BNY9Su zZ8}!FG;UrKC)BcYa>u%Er_aef_F`Y(F9Q4n{?`W=*X)ZM@M%xq3;(C@CAcbPU+m9z zi^@O-dj8ivPWMxT&kXH%{)=o;!3*nh>t2F>uUqH*K|Nc)eiJ@3eyl^DyS`r%f=%M>BYnZtQQ00* zD?F36!k;fWf9R$~F_%P6WcT{@zu3Pc{a-=fi={pXsK!`;?$mM@sVhfObuPBU zf9X4S?<=I>!4gvMbn+w=pqIY@0TN%sSL>7t6CRGnJ*>)yJJdW;P2!;30QXMpHk2TB zDBSXTM{xnEZD(E2I!gt}tCuhIm`%|)@)M;N`a@>IE%nR0GDa#OH^FD-t`_n!?9n}g zhlf%9N@e?byM`Zc<;TFe!*90Hn~W$EZgOiz6bZlBmf3&kz|&8|<5IOeI-1!xu>Y_u za}`=SGe2+2zV^y^@d*2{HR|?St$|-@?5_m zB17~+V63C{8xvuOj8Q>(1`%afVU#x|{wDD}!UjnHK-;bth;% zaMX@@1txl`n6EyE@ir#pBm5IyHs$iXjiG!$%e!JzQ_nDCWo!;6Hd8AaYe$gQ>Y_|52aXhoFV*Fc!T=^ zRPk7;Tzky4>4**e`?^0m$yP2J8Z%Fvb;&>xmy@sqh=u(@D0k5h0$JHcWM#lHjZ*!x z6f-sCqVjEzWO6>TII2UkIG=VOe%PI1^PLmaW$2%nyr5jK<~`0uh+X$`+S#S#Vcb6^ zBN*}WF5D_`;=J5gj$N1n1exLQiIF-JWXdCiUl;S7xf5sxQ}V9zTYy?99hyHn>Q%`; z#ag7Gk74_LOlgOc$>7H{r(uf0$-pt}>}H}gU!%aX z8!CzD*QS0V_G?315dB(dE@D3|CatKc)`g6Yrn&_uzjH9~vNb(<9`GqFeKi`>%L{mqL3RcmB3=q9DwL0Ws4m zGT0#de_q@`*8;d6`PHHw{%wq>7PxO&08XOx{3bffM6+ zxJb)9OPc-b3@*<7RF_hEZQQ@$4kQO7jiH+JlU$8&oL_+4nOkRBp5uyPsYo%JzfD#b zHb%RELtOXUK7PN+5~X?i(?1uJq{m=cztu$8-PqK0CgO&Je8Atf}U3$vHn)Cv0oitm(TlQtq$?ukElfshQ6 zF+IUQ@V8b84jy{yz+v>5q1VypP?|r*?~V)~K-DY#7Ju_oWe?b;fAJgiLy*te&jzGS zdhq11P;^WD3D3mD>?Rbnqfm5s@X&rL z68na}I4s^D#$N|zmGl=p*}Hf6zyVq*@h3bxuv?a*zu?K?-|RawJjBJs-|+OvzJoAh z^pOADl^NXq?17^+PyCm7vR^%sWro$0VR-V)p+TA_`U8Id=OD0PdO&~e$~-MgJk2GZ z*?(ks?_sq_#!q-BigL+k2jEh+=fHpdhV|vU%-_2*L;H8{J+fy|j935KmC+W{UE)vm zOd6PXnZNa0ZB*VBdZf!JlkzV6iBV!0e#g~iz1Wr6y9ZzH-GhHA@)Cc-v!SQN*!VAc z0+YI1KNY{|&4H)>*J1G(|DuctOAM?ZE^5^xy&bwf`uWf&aoU zWDGE-VLAQQ1APCC^oA3E!n0wsm&3ZBaF+ju2;k7bq2C-;-$fro+5g-PwEFCU1HYE- znh)r`{nC6hw0~$=zY)LajcSwsq-Tc?92kE3@V)~__796!#uF+rJh<=RUKlZ3lSCo= zp;b<|Z9Jh8M+cr760h)2_3Y@rf&X>jknx5e81ILmSJr!cV7}iU`W_$fd&PIm?uVYr zlFtq9)dk>(cn(t5p#!)~lB-9ba!D&Knk;DNO5<{S4?H!n_o!K&@rcVDISlM^Xt!0! zd}f#0^HjLZo~O8ka7>Y}#ZT+q(WeFu4~7cRvrwr)<|*N4b}4Hut%sp<=9*d$!{zqJ z)W_?KCnbu+_*(vrPxlW!JqWV1qiGl6khkpUR4)ZVkYgY#L zFP691pnv1;E8PQ0JlQ_d3=j{^7xir8R12Q&y+)v_~YnPNANT_aA??gs~_re z`v>-!70_?}7FqB9XUzBfM3(^3CR~Mhq{|#RwAXwOKlM9jN&mIEt>?liA z`j_!WkJEahOQ`W0zjtL04eWO9M;0$VJZC`9^4Jr#Dhj3 z>?gW}?1T9m-|pdud+_hQL;H{Xr%_V>#<%SE&2OX+_~B;(c zx79Ct1E<0s^!FM*s^44Bc4Z72Q?%ud1j>O1Uzor7E#I=`JLR4Zf1A!X^1b;?m$K{7 zPoPBpXufuorF{9fe9BZJ|CUb;>C<{3T;|!OjNa;>{7%5k9xaq>^1bnh%TQdGd`mxe z2~B)eK7~Jb2_?4ilzzZ-zROqY`VIV$&&$RKWmWpPS1OdN`VIdUZ)IQ9s%qcSUE)uERxOun#&hu# z-i>T}dBQExbN&;al_f>+U;Lz2kWXqb%EED9mZ86PWl%YFv{Lm({g=saMgL?kM(w>w zK8C&UZ>3!W54%O&F8z!!n6G@v@G^^!R}&$((}80QakWs($Ut2%l?3VCHXlE194{tKnxxDN(=8I&HRT zvdqIr@Ce3JML0_7-&%i3`pT}S2mW`i_Hr$g*)_O-;HkZM|K0r*TxyOEA38F)OPXt` zY;1`x!%otlUPu{B(#r{>Ns~f`<)np@Y(8mHu%+6BEu~qh%4D-5Y*RhN|BW% zy^yrFq?Zy_i1b2adPy%*44M>>c9`^1${5q6SPN7|mYMV-%}XdVO|xQbu4z)rve`5# zD-AcziwXNodO@<&Bo|5flr1bHf*%s4Ehr*rkJ-x}>7Ni);hkx~pQ!xT8|J-sAN4j+N?8DDa)kQ(f8zDpCWr z*|eIB{9}8913)+!K$=V8e6I(va$<@8L$AkURuR1_%U%&Vfx4>j#D!|4i(ZeDvpb6e ztaBvQ`duoTYjVUpTJ<=F%&Qn49I1U?X$w3g_C(F3PVx4nKob=?auij(M-JQ3Bblyc zPq*w)q{Z!t`*-yWlDpReon)d;F>UrG>`=4v z?ifBe?e)cW-dTl?gq(fa>`l~FXqCF8U5l2{Bg-#o6*{!+=~?ZWF?^=l?uqGbwHjR! z4qEN@L;H2DLMOBzSexCj9LQGQ5!2_ay`F@;)mEb`%Db)Io|tZNEANQuN!MOaLOysa z?~38Z)?QC+|F@NQMEM7{*A3IHaOIs4Ziwx5LHjPQyaT4YV|%>_IZCd)E0$wrdwmJ} zWUfMImMNdCvTUN{9MmyWK+ZW4CcNMx4aqDff zLve1wtI#dejkwJog*=c~r!$66a{Jw}9hz6(A>{+zURO-l=@oZE`$4zW3Cn$YRXP#& z=x)0^F)raN?^xJbyuDtqMSM8V$~t5P4Yb~s zNUXt%I*~D>AqC3J_DokV2ZuhEE0!~v*q7B&CkKxL=P3SL+LC)Q2z0v@h}pGk{RSIl z2%lkmSO3m#Rv+SzO&B1izT)RPl)wlsC3T~L0Ju&Dqf?dqpH06Na%v=?{dOb zZHlc*s$PYwe97tVdokDlg4_EF#%1(Xcox~szUvQAj3YGA4aBKv(}Ah8UtbZuDC`sp z`@&8giQl(Q2Gn&qsy77=YBvMxh31|@th*#YKxs#i%{|ta&F-k|7^lBq%)t+eN9lj* zg^j)cQ*=DrpWX3tx3&!sx|`n2 z`@bZu!O)DEppZxmCnuDO=(NC?@U4inz%p{Bs4lU5B9MCB4jDY5weRb~*jyO7O@@hh z`s?FX1Q~Mtw*9>bGG7-@nBsd)pXz%LtXps7V!a-@}s}n!`X(T{IZ} zq?rDcNs+7m}kh=H9AAK zK7=!5Yino7)<^gZ+4^%lL$+F^y!Bu94B5KEGi2*O;Tf`ZnPHqVf)ZJ!}qAE`5B z>vGPJ)!TTOvwKW%y52fW54yH>E7&RqP_K)Olx4Acw+v(G$?K1N*e8hckws z@B=UFRNR2GwiUdoAd&vT+KpN0X}H06Rl9L9SuCMB(g$uaW^DL<}N|~L7(;u?(1VJC6CZ` z>vyeF9-$g??lJf-0yg(pj{?&&BQJWo9mDfemI%L8UbVQb1-N<`Y)hS|u%t*vG8ci! zLqQ)&7HAwy;)P>Fv(WZcvqQ-X#6$Kl6ce>hHqz@($hytLE57hL`zQg@G(3DohteD$ zVc15!Jz7o!!b4up3vM4%#)##xXw0RuHRz-!t$~K5HXMd|TtV~eGMS-0+npHPH0jNp zgu4c`J#owjjypQE2gbtqY8gu0=Gfr58H76HhZ!mWUE3}J{cMo+*nS`jd6@+By~BrK z@@|RU1UWH`?Y0!A5kF<&K0=y1c~YNsIH6G2u5~QrSwmRA9w)ia`gmP}MAei)P&ys= zM{5>g6Y=q?9UV9XOSgXgW0HQ>#SO~1Jcv>_8Ug6He!ZIH5X)G<{+CYg7>Oz-uTTUd z{*YT0_mTa;=%SuGo;TT(7*4Xn`a?B~DIfJSdEQzfaPJHQ35w@jsLk!w$|@QQx7%De zxgL_SiPt^y4|DMLgWWNMS6n3X3=K+d_;6T-WrIX+pf1Wu0T}ZA7|xH=>%;43j1H`0 zs$ZAUkm}oG;ng!n2{FwvGn$S?DNke#JuMIB7hZg^?ZcMBdY95V_Qot@Fbn6&C!?lkn#UZ?OD3a55~6Zt946KU z=L;>C^UNXs&*9(fgMSm`0Us&?P!^ZtsUt&sHS!&4He%071A{iB|K2X3^B86pM7*{! z!wtxA-Z|w;Y#j!5wp5QPl5y{3SPb_5sJMwyMlZan#$3ht?ih2W@?sI&chuHdw<9iN z52x>BcvAv0 zPW^vWPrU5>*B_i0cc`}2;OyZUc(^oWQfCR{Ml3~RcI?jOD=^QML(vM14huAKTa;bn zv8jHkb!(wV5iyMTYP54wlX;SwsU$QKQ`~CJ;IB$+6TY#nreJB@Z#lc0A+#7f#2$gH z)huc2nwu03EjfWW%91+-WMo_=JM3<2h|?bRrsSPCDn5iN8RW59L&)r8W39Gfd=qU) zV(p`URSOqNvo2V)Q1$Da&^z_~#TVCwo5X*(+Y{yEo~m^_J*2#XMXxkg8|Or0=5tIm zPM4bPPIN93Zpd1`O&FOGkkR&fl4;c3mYj+Pr3zHL zf}}wYwuck>WcclNrQ)JVLVJ>t31Pbvo5jW~f_3l-C$@WgsT1OL%CU-W$^NXZyk6}) z8ocP(_GqS_jF~Y=zqj)TWy~~0x{#feNGr9s$7bkJl^AP)dhd7=v^s)mn9Vj(PBb$N zZBNKIq?#lFX}fjp#XCQOTp4+UQ#3gtbWLPGu^^c}YDYvD%0(}2;0LsQ{>{{hPFoJSRTZVQI(a9MPBzr?J?O`)ZJ5IGU!6ORbUShs&MRE zYzCpdw%gg)=o#^8!q(az%Erb|`8|g5Z4aeq$k*e)Gpx^T#&*QKc}tJwA(^RmN_q5*XhEv7ZFi z7wS-t?yl`=nR_B+6)B60XwsUKw0kX&`t9+_hHS5UtU89*IWeC3nGDTiX#Ui^;e6Ti zBE+|YQRvKEtP9<^RJ+u88@5qltHhW z1JdWjaUBk|bc+52NX#2hsy;j!Jm-L{4E;v`G8CCdJg6)0c?C=zm)n0}@IMi_dwb^J z9?gGn-8Sbo<~H{U{IUqJz{=a$2>(33Wy`;9e7t|-#5RVE=EN=LZfQ8rVPln;ptq&^zvNJ^n8=Ju4QRarZbn{pCH7-!bDSf0-HD%{otk73-SBS?4#LcgdZilB#la&_?H$^! z@Wq`Mu+-rGVO%jjV#NvTFm}GPPJ^Du#h|ZyQhyJ}F`mY8Us@+MeDf0aPIe0Zc3@MN z^C;gx`2-?*JQhcc;I(dm8@#^}DCfHC})1?$qqvsrkFppWZ$F&fU{D?oNMw z_w?<%)Bm`8dKQaK%{S(+-2Y^T`_pH4NcES-B*qv_!r}*hpvRe?D9DFu7(yFpj$J;I zMd11j*W)s5uAS?u-tX5v*;~Q}Dn&Q%p%nBawv1iSPoC(5k76qTYJ&pKk0#7$9P_cVc@e9kCoxu6^;BR(5H?X%^!QIUY z^b$}|?+YcbcG9opPu6R}OHmp)3Ega~hl0|KQb2t+krHWJq%6tX%h&qFN6ZFrOFDbJ zAP+Zt+J&&!?%(+9;=6x*qE9diE{@rvWA<^{UcgPx?&PHC9);sleq~dQ7?Al;as&KY z@dNR-stsj}CYvhCLQ;EtcWR-P&H>+9oOz=$|Nh;nOLwPd?oM4H#`G8BO=s^;zkT=A zRFjS+)nPF=W?y%w-nlz<=kC;dcTY`=1=p*Qv@kA({eXy`{}9{~YH77A5IW?SqloGF^K520`oD(MH}rD!%Q zA`(X3dJ&{H;4rcr%58<1Lt^SrbSfAtGPM9JV)WNuu4$U#i%{zRwJ&i+PQ!|Pa(DXk zyQk-{rqgfTJ$?P|=}+iz`H>Et>ATZV>-oD=@7|rBf=`z2TvzKTDw&#V+<}gKc6aKk zxw1$d)8F4cefsX{GjwvD#=|ST#CX(Uw`5&2b{kjkPQ7|}>IVF~@$ugpZ=T@+-aY*W zb^SW_8)~1LfAIdFAAIoX(z(AczIGlOzW2kAOMkw$JbDr{Y9H&?jf!kID&yHL2* zLA4-$F}uZEKHqL>E3n2MOHh?LtM7UbL?vxxS-AYS@1FjYGNBXaAggVZm24Nl|#L=$aANmKXcft(_h}5{>tL`nrwM*{)q-WLwx^&8tMjo zfz8fD*)Gk~ZQ8@|&3ipWFM{TQo-`c^y6LlNvvrDn8Yy-Z2nKP?QA}B7sufBT-9ip7 z_^cp6|F3LFu;>!(6>kBGL>YUYNsx-yt5p~htv@o^z#l8Y#aNYxcHr)>ybOUEfC!>R z6q|LoNW8Q;Idz>)!m~13KilySdf$A^k}`5$3LJ@ z4Wp}3*|^*-H#L9n`}xJw-!x_}1F^FZx_JG{{nM}-^HSQFS5i-m)Q#r?3tkDUmp(tj zX)7`>aH7J!CP4OM=za^V*5%;rDn?~fC2kSn3?^A46}ifYY6OQgZcBW{U4xLJ zYuuQ6tl11t<_6=cvh?lD(x1NuHq_%Z&R(EXF>`qjQo>eUcW46(P7J-!)q7aij)GxI!~e3K5SpBE{n?R zr6TfIE$^yPTNk>vHhSbJoU?={6ph|QVt`vv+@8L72LvpjrLXj;9jXJy3|FZGO_o7L$Q&5sYM|t zeewCcXncNl@zPgK`bL8E!W~|C@!hG<)kU<~ya0JfsUww<$U+NY{cYk1NsUW~YK#(P z`aE_LE~_`sEq-v5E{_j^I(JJhQ7i{uFS@6V7J?NK;m{~q+iBkygsq@lWdI((1R@hu zQph^gAYtv~oY2Wdv2>xsE6X7sO_hfnK7_Xfi2+ludJ=6X=j<=nyzMpt{OXq*w`|?P z|CZ_;+qgi+dy?`JKMYM@5?P0ddg<@)EuQ^RDDH>`EItM2;q+&87%rf}5>KrkQM>!) zyL7%Fc?_@x3KCUAuewf-oqZULZEHzE8nb zxQ*Lm>F={4I5_h>?x@6{;AiX+e`DGEWMe`5*}PW-!Aq}x za{uaO!M9FL$u%M#XRuGyw=PIV710B)@doxQ`JZ3|mz<%4yC2@}eZ*;>CZjpIuQ4Um zfo=Q*to+FE;fKt|6d5!=_7<-GI~?SL>w`?h;q(+O?x&&M};JG0h)( zB9C}zV{@t=`$z~4w6#lxVwnWE6HXbiH`DfvshJH~V)??#hvwo%tx zuklYH&#L)*!Y}y~{wp445@(P4V0+0I-?~NM;6d;2>u?n}3y5!h!sUevrdQd%$$CW4 z6`~Z3m>!k$bsUJUUAX@A7HWlF9E*N~(M5q*U`RCelmeZ4VXwKxa`d?eFQ^)RGgvBY zCr|N*5dRZO9l5sgKbyApZ`&A(|Jl;Nd21*B=bt_P=df2D^PFehVsWzMJQ3ip+&KS& zV)c=FsaDScyXZs;bs~j2kwTqFAtO>qoKR~SD`Ym&amk)2TwFnamr=j{c!)Ui^` zCu>)SPui>KS*%Fj_3g^!)AlO#u|j_|S{*-YGn~lufaJX<5kt{wCjU)ophGK`bdySCG_#s9 zh2sF`*@1>!@I$`)aZxSzZhnudB)DRe%4g|=`K9;a%h~iQ*th0})T&917gU7za8?st zB+b(MhF6%?aO37pEN|T5?cvTEcY8fn^Lj76|K`-f3s+mR+zI+%eM8((mg>>swj%-SUm4($oOkE!O!@ZtRf`vy}higYoyqQirSoRCr(*hEZ8G4fa^ z92bXni ztfMNhhIOG??P=nL_9^-GoyPDG);-#qeu{s3i(EL~A^z|=ag4W-hhf+5Wvq8dM7Lh3r7l_>*;X;xAM{0>~jc}3JJ>ev4r;(Y@ z;T%n$qczfj0hZ!=`b)7!aNK@=cJYJ1rHA&!uUa?;B+hzmAA%p>oqEe?@*Sw*-uIW$ z+ayF@(qu!OCRI4OrciY0v=9n@{D^(Fsh4+%B9uw#RiqJltjkfw&DjP;#`mwi+qn1- zXuQQuXwl;IH9FD}Z6QNjLhJNf+mKdujoX)&{(NoeuUEN4_r8CZ=1m&_o(x$4)-Il^ zjmyz0Inz>OoX^b?bcK96;(?sm%+eDlYFT3C>8nJZe}A}cvdg$2u5406_GhWc!#UMa zERJ&kZ!xYAF8on_t_n719GaY;ujT2F11Cwd@#6H$MngOy>a<24?7#|sT>S8C@t#|^18j)@DYQ*J;Zag0P4(jnU`dLRT!nw7Rz zxYCp5$(g7ZYkmcN-2Dj_a1kS4KUTdWFz9kfq-w`1`#E_nazw!;3QWDtff5l?np>Lv zp3JM4&}y$@6(a|bvq6l#XZZwm|MNE%FMUNEx}^?=duQD3xT?knf03;l$L{oW(`=TJ|v63tnK>vH>SI664z+PSkEaY0jG8d%fc2z zghwv${5!9iq0~KVIj6SLY=xV?j*$fd;Dc9}~Z?dv&iz z0_CT224o5(hqTGpW7v62ptl)=qOl%C&$FuQS*za;34MQ&fyig9_+#U_vw=F^^KcJ` z=I#+G>dZk7Xd~SRh|ZQnM1&43&$i(*FlG0I((e;oD(U-BiHN?R=!3OEp6)$*IkUP# znDw!$J3-?tjhPE-DDRx!K%Mn{h+Hw^2IGbkNw|`(q0x|F5r{jvFc!Ks?yiW3=X}9r zGDH?J0=I6Mup&$td{8c_x-|Wnw0HlF8~1Oa77P2Rha1wb5w*>7=#zB4c~5BZrWOcg z;k+eeCu23N&7|pVG|g8Z3}?U&iGC9bMA%zRUzNynUwtK?FBn%P9B1R=g~fM2P6U9k z{exO0J|;Y6XA+u}tW)vf96=65Ja1*xw@zOA;c9e}_V~KiC=vB6RWCqMq%@}X2>gp| zy3j?ZpZX}UpGdbYbwOHg$z{3*M$sT%^?GSESQ+zLo1R-48c#=Wjr36bFRChS7?nUq z2y#cq%O^zaHBJ!pnRQS?v&E_LEWKm=*3qJPL@)wUg4rP@f#$D|!k$_#DQGpwMaTBuo zjE81{`HwsjR2?z9VkPu3n|_jx)( zNK+QCwqy`!-kKtlUkY{xVn>*rS?CtXbt2${t+O2FGzzn?9cI(Z&DxNcaEVxNY;Mt>OF++ctOdKRjIjZ?WiMZ|_YT`?ol|foGO{iE_9dYY6S~I-56Fj?PgPMO|_h8L1XjUYIvXP9EHT4{4J8!Dr z6~tiU(nWGjJcAC6Qy&<&vT&~=-rWiQ-AO*)F|ML=PC|~}iGIjM%lSB|m~DxLiAwQ{ zj&V;;a8Qoi50>Gk92++qS?AO#A}a7bhDU}1HgLCs?>5jr@Wxy8Y5|>gc*hpW#)@!p zKITmZ>^%mgWz_+ayMNp-)PX%xAz{GttL$u;W*AEEKi(hH2vVA7Zt#-_AHTNr!944} z@7+9g|LUx~?(wAm1L zu%OFX&nQZ2o4a@|m(+S5+Nu%8V5yXv@`+T%l3uFleTNlDF}I$mZprRsN4eBdEm~){bV!^Yd zOe$mEgfUqYazG#<|K&|tI5hE;fREup;Eyouy(C+_>RY56NO!paP6=eO%zP*C9Qa*5 zs1arxC(<)vuv?r6I;*6UG<2go_gJ?Ww~=Dc?3^(jzKye8ackpxy_!V4N7pyT1zmb8 z@P3TBvo-~8M33lC@1BNAerzn@gqBO zF@Cr$Oty`btueu4^868{nSLh##qnq%#B5u$=_fq z4SNs4nyN@0bUZhwx3@QbQj@{gTOd%PyYuW9uEUMEzf*G@`YPcmLKGB-mCqhlGF!;~ ztLGbMUZ*WJBR8aU-kh3afO@P)gqOAr_pnN64=sn<{BK-@-`D-xiZh8ElXex!)C(dd zB}OH9h~Y5iANSJE3K1+>cCbG=M|zRtrGw!EG-OQHZb+qa5J5W=D42n0fPp#zoU~}m z3Gle(T$oNCu2-d6AQL^{VT!R<0;E8q4ukk#bT)53|Bn7 z&EWkP;RzfWx>ql;i?P%M3j1RUm&3dkr8WZnIFZBDU+CZSX*HX9PVD)!qQl^z6=@hm z#2rxb;@8s&Y}Ise)%8s+JUI0};kYaqA*>6OAn|j`O#BUp%;Wqn&6?3=?+IYyC^F3S z+l`A*(OZp+mql7r>AE?kka!wU^=_r(gghOE-vv{D9^hTN_+O=AdkfHhMhAy5QajV^HK1*co zhL)Pn78ZKcXYGa2k(WTUT-!-gIqSPPP68yYF`u!y=~dCI;Stt7+Ktz=?vd`~sl_rD zraY9^bG&%@jmDRV4nt_~ccQs2e%i@iqlvcfnaOjPbRAfmNomSee_9~=6E3I18s(hL zYXwIyn-K{~Wh}bPq{WyQwmS=zG$91}kL4oG&orr?km?u`PT9ZDG4Pxbcom!1dl}I0 zD++E#E&V_-D2GTP@F%QmY94x^mAYLaZEV#W^IneVVY>_^?6!z69%=f_TC-vts_9PP zN5?kbF}Xkb_J4$W>Mi;CRdN7mV*lT|Y4hV@`~Rl?j{W};wg20}AQ&LB*^CHD#Psh( zgmg^*9n*iu^q&CeFOHlwMf5k@XxaF`TO_jrK~KO3yAD)BaKa^lKpV!ejT%4p!)hA1 z(i&m288qiyc|S%`buGW`gasO^sjR>OIXkfO#0dJKOyp1C zzlq-vyF_$hU<3a|Ef{DXy>Zwv)S1vRxTJa3% z?8$~V7n^XxL`o){)>c*PT}1$eW!rhXadCR-wONJx-+1fx-KlRHZ^)3S7*dVHgGLo@ z5+2e#*{sRDHFcc^bD6B`r|(WtJGv(tP9*8E`u_unrl08)aErp<|P{W1I2+OANKf|-u&)?`@B)|ML2g;$#< zCKoGgBx*9za2&*gS~CpOrt;DX*C!$XIM|3zm;rowcfE>g!y??)5U~`oiX6rxRzZYN z>UniF!wRy50A-vP&}m@o9;5i-;ep@R>ZOubL`7<)?4x28?vCOpA$(L%zY6nf`n(*9 zeB;9{D-uTNG!gRSiW>yt+D6}7fUHeOsws;|;ebRsl$YVu^wPyUi|SyC=-7+QSBm4_Up33kY{J;o^;mg(8Ji5@i&nb?o1)6X(^^`h-=Y( zn??SL-=Z&)TgscVCkWLe)s3dK)r^0(BWzn@gt>~zsYQ}|W+h#CczFO?xfrf+Jqupo zS1r7F6aU`?h9)(k^tkLY1!&+D)@1pkn3ziPzhujH3{dnO>|e20QbkDNmJwz^;0({do2!fG`wH`=Vg({^|&hF`n2 z_TuEn>?+2p<$5J(uZrFhrwQL_=N~J zqnkfe%~^U4T@|umE0(-xW$ybe$IB`{x?HVd1l5s@GhC~=K{ilWH%Pl?2s(3T>yhBZ zJ-Oyts23<*@n@*(MO~hKqD}pnvNblygTYa(-_dD=Dav_u^5!AQ zvM|5>h)n%x7I?5*%1^H0+#f-ufkUkzj8d^aQR*FW(FedrDv6){`=7n`;IliF>Yd|~ z=Y$j3>G!mGi~&8!Yia4v*M9O@eOk_HFW*^OxyP*8^zTOL+6g=?imDP4;0a|5SAt+{ zC{dSCdr`k*R|f5;@?$rj_bON$IyLHqyk40EuUKh)ktI6Itd-A7 zExX=;e`(CzYMgn4?3nrzPl<8E$V9TLOKfSCn9A4Kb}Er)ZfKD8sRhhP5B-jy*G$bW zeR}KujSDiT?nMG+x`ZxFKM}Q!0k!ePww257L#H#*H5jP|p1?fL!}*~fv#lyJ z*7iz@y|B+;_JLCl&Z3)6(L3%H13@6jqDp9uuqw1bx<)36H1JbbRtHxui3`}|PIdZ% zOcxx9PLDgS8@DeBzh2@4xb$DXlK^dnF7*~O(`^B1{gqC#Ipf<$fK*ymR;`3qx?+ih z(_DrD80D@9YDm@}*#K$$k6U5$i?By%7KGYdCOvUTQ#i-L1BZwH6WWEjDtHB}rf8=K zF%m6gq{;_kWKb+5xN*KdNS+a(Lryl&2kLD?a5~MdgJQN8&wtXm z{cY@LVTw|NAY{RJ{|I|x>HSv)I3s4>d0&9c{rE%U93J+eeWr)A7MyiWbK1ABG351h zl!V@NXEn>Iqq5$F&`6!4(%*VYQD_?a{90gCgF7e7*e+SeuN>b(QXu^CIMRKUGP|}5 z@Y3q76m#E@>M;r}DxKt}#O?Rg)X+ib8zFX`MLr9))3e9zXHzqlc$k|1W)(D$YE^}r z5S75~!0qrNMpTR>h_e*M*nL>cmw=Qg>L)MB(zV--(--dD{4%;KFyD`YI%r9YtJn?OjSDEc5C{l#{ zDR7$27<-=7y)L60qOIRUW-o3=@*Kg1I5-I`zl2prvY22|STmMw(rej`73?0b;w;0# z^HkNX#{>m7UOSEKIn;MV`?Bx>bl8s0i%r25r%AdMzUU<1d~lP3lVs+ZsXIbWLVi#}^jRSD`+>n%{s-wK?chKQHGES;*cdJ!pR@rGW+8yDy zn3pedBm80)J{~E*oGVwyr28VH@vJC=O~>!?pU&?w*8dNczN_c~*v$WL^X5qY-z{6W zcKrW3{(l|+zmET3$N%qN#{Un`owf7;RQ0#)1BhP`9g!L*&!7&{-t3nGzu*x83!a&p z4Td7FW*g@(VbGP(-oHxP;7>`~h5OCdWKvQ}-FddAuBAsHPf1g_mz8IXdA?bJYO?|% zGZw1dfzh?si(}2b?aIf1*S1g$B)DUbB2bLIqQFf?%H>*+b@D~eC5!%ey#@zP`9z71 zD;%vlOU?aT|%>`cwn4 zU>1O^x*o&eYV|5^eM*jF4`&q5Is8V>GkyzQ5S8invgUb?!SE4uTRHgHy&0Z@Uk~lw zi*ta($dhU5-;U00)hI5L9=D&#>W{7Ax zCZ5y)mqj4FKzEw?=vw1Fivc8zAAcKg4y?E1XZvNf5Q? zivES1Tg?8UPh4CV5d)+eES_Um=CpSCsl@uAS8sA=62N zhy5tWzT8YjZjsJv^&@M(sG2V_meCGhA2VJP*VOOO4?`ZU>Y=DXO0gnS8p~UGItYQc zRJ%m6ZHwl8!CZGd;XQda7cnz+f) z^WYSG{3>N*N>1@2U`U{{CTkxt6wNf|XXsQ)U_;Qf#dajCoMvwP`Qm%i#9HSUKRng= zd{(4j7yRX&Wx!3XP6$G#MW^>_wzpTvAuCK1bx6sYqQ0<<+02bS5{9KFU6=#y)3PaA zMOVDBsrj57gE=92WaXg%hg?ECqGWJF@?(#bCh~aJ@C8tnQJ?5m;0DKnM3@qv`C8E% zbMyM+v|Tphjl0MFvav#;)k%}B5(KNriYXamRwQr&2J!A6mp;8kTQ6BqR2W|%1_>!K zCBqYCYa}?=FF18g6Ula7Y5- zE>t2?*pV|wQ<6x^r#AJfNS&zjEaGxe_i;lKo-A_sFC~uTyztb9GxdYNJV3wtM2gYz zfHJCK=HAT<_s>EtH)LybjvO;>@E<>1`tr|&&WTZGDi}hCn@#;FJ;mRlk^C;0>9QAgDkYM z)&0p5?&6v>?t3>JZWWi?5I$u(+gZ3y$&`LQ4oiH_2JBvsv$p4c4Hib|F>U3hk|S3Q zeavy5$MqK#E9I9+wSLkdr(_#hnJgUz|>qQ-m)s|Q*S7K)I%$tpKSE4Q|YwO+H zzw${LC^=rW3LK=I&m#(HK|p)9Lar@M4mqC9Q6MpSm`=?sy?1Nr&kudBHmzNTHHwgj z-41+4CR-C$tkyE7g#!5&?4)NR%PR9$noZJ>a)$C%%Zk>5cWftL-oIqNyw?1tJGtgM zZgic0TJitOQ_S3|c>p%a|F*e5lK*YAfGPSq&Ac6}>R#KUsS7^|f^S zlk>2qj(^c?ZKUSyEsy*Tgx|It_egc~D0<}a z$F;Isiy1c@ECPKO&6*xxoEb)slP;evj?tH{hYEmU2d8T};RkfqW2;`RiT7A!5n}zb zA7*LVSZLK7A$fc4FV}?J zlfK4|If zkhYda<$<&HL*Z>i`G)=?jH-t1#@L4s-v49c>(3Ww&p$ZzG1^_{BbAGXs= z+qq@Zj=`0g=L`=zYQ*727;GX{*SA5hiUP!&CXblun>goaIX~lUFl+5`5XB+ZS!=B_ z^dz#rRh&3J$k0R`phKt1FlLN=4W`oY5yex9`RMA*YzwNgF0LJR!#|w~NLTK+VY-VrowDP@B^yLxRqQVv15C#N(=ovO^Vok-WB1VT zANsfTZ`&Nff7rCGWB+-0_8;5Avm2Oa$w$_qUBRyhf79OgL9+stW(E9a1r9eW@a!X)*vMW$qDPDo6+sp!f;id? z$Jsa0A%~iXGmJ!t7_RCz5gYiytDE7debs7n?BIMBYKG|<^~ai$?V2G?AFTQ%!APJV z^(rsnF^|%~OoXH8jCdTY76CZUsJ=GdI7LQNBS;nM9k#GjXfP|T-z-~4$U?>n$Rxv0 zI`TL{Dj2Pk3g~@`(=hA0Vx(P~YYJN~k@07LLM-Y4>4|i;Ye+Bu3-RcAJ;Qe0n9!&u z%c!%jJW8oPDmaf7zwpz{A~f9A9O4JgqceFvPM%*0ewxV}Iv5YE+O`}6AG7Ps12ySOmmOahy*lNv&e*Gy@s++eZ4F(b%&}Mvw|A&~ z`}O^6XOx7Px{Wbz^DP^({~H3axrrB~AHIHYh0di@rx#zF7f5(0lo}oir$4!S`cn-4 zl##j*-nb}b*Z5+MGk<^Z-kT`9pb_uOkPi&JB4?Tf{5gt=@6&iW*b^e!Vl4jg-3fskc4=K95&{nE?9Bd%4XwImdu3GD%`)$@JxaT z9>v`hqMf%J7pIqAn|*ZBG(C$aUa8zWUWf7cuXt;I`$<0XkZo4o6InP?N~%BPf;B-I zQLM^jb}!$!^Vn5|YFGhRyLamrLF>%izwspr&#zK&;IxZsrGA<(G+*wO65wnSw9Yv~jjOMa(fJAeD>#kzTF=$8Ostb!0U+OCj5aGPPWk<*d*sgL?^gk8gzi=JZ+Cy&L_t zU(OQX+gXa#eE0736s*Y7o$I_PLh+9VfoZMCMvq*tqcSy_=`fPOIs+#azg!-ley{YJ7UyNN{xtt!m`&v-sY$$gmyG ztWy0mS2_b%Wo2=3V zt&S1>AIU5fGtw7tj)1mBBAOmOJNK`hl0e*N$dY?4zL8MUoXGl3%?QGx^WcW;Y@*bR zSuoCg6qDeIJh-5?O-4=jidvd%Tkjr9j^mD$k9(>8#!I}1p|-F^IU5(;I1B2UD_Ig{ z2nvjt@@h?U1f{k&H1>_N7w-S~RV1xIWY&GEF_t!SMPm4zj*qa#>{0xVujWHhEMRt>sM%B zOXmy$tMPiQ@YMv6AbrM!D{yp;E0yD9l1yI9V6my&zJI5+;Rg9X22fiR%?-# z%>8F;30v7cYI)q;DFW zso50ROu%yEm(Lek>^PblJ+GJQ;=p^4a!|Ck1?kb?ykh=kWvMP zmB&@)_=_ei9`oLq5}UX_N9ETrb_cBb@bGUOa zK-iDc_}s>9VzC^hw68)Zi%y6_vLoeJVHYdlxNo3bvbtoY^XVu;T3$jF6zEI`0I8G5 zqa8?qjQ?=5SLxOzf_%D+`z5859Vo$xRvjZdd?4PxpB+Z9sF+x?NK!W`R)dS z9jT9iikhp`njLVKT&BSPQN+gk%Y5U)SAss^k}^GW@B1%c`^NAK-$6w9d|ID4gv^aO_M>$`dfAcBho~@&&wS9 znCATjB5UKzccWn{^z+XkzOHG02O3%nUS1Rwh=C(3^!7T46+z1t7xs!(7d~k#V?^(M z>XdgPreFN9y{=V6baz} z;bS0Z^PHp?-Xja6XxpstK3RCe%{ME%7t4+Y0m$GXaC&_5LcQeIUTSX=df~7uAJeL> zG@rbG-o3zeJ*sXXXpHL@0=PIu1!=%gH_#Q?QEM4kw5yP z68G*9x#V~u0(f+CcUdbhl+|pwlX*ob={g0oZ%~^RuE(M_gs)JKd+>IEUORAgjouG} z9Qu-r$qQn80~cA-a)RBk3Q$K(o)LCJO-dtV4^z4!zDLH@Ihl@`Q(?v5RLDHb+HupU zoMa_3fn3m7D7<9uko%$bZWJ}&|Mnk^^OsD#7iWWhkKW0r7T=p*dY`a!=G_|n! z)y<{9zaM!!Pg#RLL9ZJdMX<+AV-({HoxUcR-J-QMp)`I!KsPQdUi^T(+2LF zPN3W-1h|`C%d0FqAV3|JqKB~uI8>!8D_8w79}U|EO65>VDD>Tc6+b7&%SGw;TPR)?@kGD}S1mC;~1JHDwtB6gRXp=@G9QUFG{ zmd5-Hc_iPU>_%UbSIRfE-z^*`-g7F#qH*Efu$>JZM&^XmvE?CRCKj6~_VpcEjb{ua z-m76x7v1ekmOnr!kr`EeP6Un!j>gd>Do!P594tVIt~OaAt3-sQ84OMI$mSjezY4MwqB~+UrpZ4* zHzKOTd)b?)ptf2-5(5XT){DYMABti{+G@N;v)966#chCVjW=h={q;v8_jhCd+>GWp=9lAiR+>os=kcXLwo`^8C#PwB^g>gz^V;lU5yx;EKIp6sFa@#BW z{J1c%SYmT;*o|_u=#E*bR7ssI>BdNk(5e7z^^NoC95iSuU9Mbg|+DK&rQ+@TOc#t|4VHBW9il+^*2EQ?ep`?*xr)xwrRZW3&Zo4UeRFN`)r;GsA42U{Qd*)D z;<7xy--``H!{uDK!~G^lQwo*R^5i@^;eYTq6m&ng{78S%)=|)u^O+|=0pqu&8VBAn z;{S2qjbVfPBW$n=6~GBjAIm$7Vuq4a=MkQ-lxvd{#BTlBuqSDxPgo|jYZ<-Is?Z3w z7SO(lGMfbdTOhacZ*Y6!Jz%!+)(@D2HfCeCuui)T9v?js;y8PFg79d-Q*sWN3Z5&+}P#`1$k6YpD`TFP;wnwQ2&eV{DFWn)d z1%+S~j)K{T&4^a*p@38x)JLQPwD5m!Iy9DlaF*rOUR5Y_Sa4mG<08PQXIht$Nsf_( zd2QZpV{$S^hWg^9(VFn8VMNPtpXn=6_0GPan%~}sf=+mHc%zrfBn1iKB|5XwFRk6* z(g$)A`{Qj_usfdH&!DFy@+l-qYjI(Vxb8Mg^#{?2Bg$B6ny?U zNpR}kYj+4GQB&!V7<28|<51NtG~u|>*c@u`a^$&;o{5C`va(4&XB2x>WjAJSHO{<2 zI-uD|9-la|u9cay=4Rd$4^meO7*jKbZDG^LjM8YCRUJ+DVY)ce^y}~#A{*AxY7-lF z!9ZQ0Ae#GkZeu9TSJM>SFyEBl+OxdSK95hIO70Ygg-TWFjn(heiMBe`Ui0%&y!NR@L+6}dF)jfIFgP?wF1PtVxq%Z9C9Vwp8v)&hD>!g z9rEe7@HW3DV?30VP9;v;131LrC7HNkATbIzp;x*?tyR_WQ2e$zrcXx(VFns(3>OJ$7x zaHg?v=l<89#2{34nQV0x3G8VgFpS*A#89Qeaw$xrXea{H3KdZ^6PC700>uU8BHKA_ zvH(J@)!h8Jb_x-MgisqfXM-7$kC$-LXN*L_PgP1bXzF(YN~r}cUarTay<{b141ng= z3TcZ_S1-&W8hfeh38w{HZAy&;ds!)&8dxuau>8Q%17Y|vQn6KIjIA!n^(2DDgmGf* zx?01GiNM8#_e>IWObh!3_J~#6L)_9NwflcgQ#1r0^Z;tO~4yALZ!jpn5v$Cj*UBk8<#bqR=4R98WY+SLlZW) zLf~_S+Lf|W>AfCFC1>lOD(E_HYp#V$xe|FMl=*|TzjhK+l&SF5f8pg+i8O!6IZwmq zQqQU<#ooXX4NEpoeDsDy{vEf9Ku3Fk>!nMhQ zMbZ>TCr^woi#XEkyk%j(7U>dmhITG;-n?lZ>yHF=Om?*;4l@NDDUcgj(*O}{IGIf}VwFSO`)$;%_7M_B3n z7ERe#2Fr}gt1OO_)#7g}jE!3sM>L^-!+yLZ5)f};5#3aug!VGR+IHLB>&9Iy1&eOd z9du`%ZrG>zpW^We`cJuB>CRe}b&KBo|FAf9$kbTF$vFG7aevLIE%ZbBXG1*YvB(RovU5)4&S~-50 z76UQ;ExEhjid~j9m?tZubM1tQaX5u#F4LG;9^=w#OB&8GuTqO@rqvE;`811HKc4=8 zcLw^Kp;pjTFwPP*w9W+`m+N8;?^{-c`r0f^dl!d@Z+4vfwN;(v#%`=yd&jC4vgeYP zo0jJFh}beKooFqwqKV_|S}`Ou8hY*a*}j3@j$0^HjYJ)f##W=A5!T~bl0m+EX#1@- z491kuWQ0lM@O0BA#@9X)7g2_a!D5WbJQWV09Pv1wlY%Ev&xq*b0$59ajz@@uH_Bl* zaw39Nz0fp38pcv61QNdq%)B({ISltFLyidrYz`BUBPM;>Y=9A0+#pcud>Mp^UE#@* zRof%P4rcM5;<2(~LpKbgyC*AC%+R+oJQU@l4c$~{cTdh4e7RP2V>^%*8EM!eFu23) zGt-j_e;cXWvN9q@n21+dI%< zuWVsu5IcR}Q`6KPM1pNGixg_Ayn@-I*vw(Iap_|&ZiY$~Y!6`ff&EVpJ#+Nwp}m7f z|FcmFU=w&kE&B)dML#bW3oU+r_)tt0k{D=~fF?Pl7L@>MvW%Ey4xN#j0-rJ?#V*ys zf#GM3b`r8V8nL8dRo5J)todAFVz;y#4Zpe>GZJ3~xrCDpNgjfs?+HP#>YCVi>o(rT zV&Y!S7+qcC+~Uno)ZkQF9oX0G!l)3s!+Cu`Ai^i#)Adkrd%1b(HYr<>_Xxdl6I1gv z323&udjH2C8s|O^_fWMe(gKlz4h3iHTlvYnv&C7ubYtm*d04;)?_EglS4;bxv!QW1 z2ci8BDA&dzeo8X=C^T{vj0g+tSv?n(zJi5e361$BncC4&DM7Gee@rocJ*i zsSL3k0ZQFvprm$inEy#}n18B&V)37)MtPMmpwsc6`?o#5WpfDsc?V#eY8R zRmVK%S;S8QaVx-IxpDpl?592gvT8jC45|j1i%x8^5xOTYDRvRs2 zKOa^uWUb*prvj@b2Raif$y!1~>(M_%%)>lZBqdO*uDG<9LDj_f|bpl`Uso+XSX{nt^scGSHdP z#gHI`SqI5Ogh+|03&JpbM&v*`l3h$Y6oJ|*JH_NjpZ$=IEkXID(6T3-JJSlEr#!Cu z6Y|045VvKdwm+<#<0%wOx$4MK*KFV}E#jKWU|Y?LT2XdD^h-g_E#eS?m*eZ-5vFqK(s^+n80E(&+RL#PAg85{v*YP^RmL&UR*MkyF6u z45}tI7wMA8dpO}M%I0k5pVx3}!m}t*&*eDEQ<5k?oZ49F8C#$V={#+vY)c{wN2D`0 zmE1ztJZFI|rpy$ocd>hI(11g@N#||Fe1ybWnm9oa3{9Z&EOW^Il@=+?iC6e5Rk3g| zi}+!|SGO(1aJ|-usCL5 z+?8nh=A_~dPjSOT6ZEl6<*cKB!KO#cz+l|~AYRfH13U(pz^hNo&W(agwZ zE`{^ouAaA?x&f@__S}nAs(W=rK1|+K_B}f}j58$VMFH^EY%lE2Ms7l@Idg}hYEA8` z5#Nq{3rH?U@66^?+J>-lprt`=~Q-piP9 z*~hq*=X_V+gJ0}@QTI|^gGJaX!x@zEzM(v{1fds9H!XEGYLH12JBz%$E&-s2 zd>Q!;gjlm-w@K~O66sDnu86w9=v3F1zbcLyFMEm<@J?HM#zn&$?9Mirr(xrn)yZ+G{ypAO$d;M1laH-p2oq(9FoVm=(+Maj!?qk z3h;+zhbAmLA^j>Q0Jp8Q>{w#jYIkWvtZEM_Q+00|V;NjmGxPPJZgkRH94y*%vF zTqd*5`04bPK*A|Iy`xTFJ*f84rs?x)dD8e{!3j5iyy%v4sN8n?M*LFWh#QQr%Vdo5 z_|&L$yVJ^O5Lg+0;CCByTVb~ZsD)y*S!!-!r4)M30LqaHMaeKKE6HDpwsJ&!a2fj_M;e8O>Pq|N+TH*M}i7S zgX^L*ltJA)PtePGASJX~!0F|Vprgw%uUhho(znK`RK2SAduMx(Gf@V)yHYKWz}YgH zA(tFcR!EW35W*djz*e@2L%LYN=NW|c74mj2x)ujY&Jj8@oqx~uZzRi0J&=-Y{&?U7 z(1SeIT>!z@MOPvec}p2GYE;X|K_-WexYZHZBIL_o61yg#Y4fGm%LF)ZDOd(a`r{gAj7f&6$dAKda^zh^ZbisSSUoBi(r$;FTegPezs=h=ZR^N?4@LfC2jCoV7aGHR zfJm&0geEUd+H)%En>&By{wFi{Zhjeu^I%4l%`eS=vh?QbYw3?G2c72C$c}^K%{&WB zD|FL!3xy^n_6$BZw0p2gA&%sGSWb&A`z(ehT98hlXa|@?gm#+vCr0W-_ zu894u75ANGc<;nG?}!oEx@l$QVmp{&_L7FPab+#jh5PK%v6izKGit<$N_YZwa;W3W z=(ty`I1_MaxDp&c$@FO_*oMh|mtaBPX=ZT_yL*_rd-)_recxo_)NCnd;R0ItEV^lDM^PMA>%P91L=TJtH4p*@$NA=Z%oo=2ICTR|zK;#D!vL(VyX zFo4~_Aqk;N=X@Zm2Bz#RgOrd?pUfDf?e0@ETs{UjoZCu4iTo+1U-JJo-Tng60o6$b z4GA7kvO_hxM6mEKAw|eNn6y!%D!xMW!7qm(VoP2PRWKpka2UcUDvfZ%w7_Y!B~tCY4+ zU98RKi(NXeHog)6)xQc0=jTa?4@E>7Cj2O(DzS7IijD_G2fE`?(f`*=sH=U&dnouH@N3iK z5&Vz-O&$IJqly19^wd81RjnjIf9!EfzE^bidar<7UUr@+(C=JP{00_=w3QpJb}R%P z3qi+1uv`nlKPC8wJa^X8#$dJ4vXue$;R%Wz3kOmQR}U}7#(*IZSL1ZRj7RuAUn}p= ze%5&7!de;_^oUykPH4k|@W_A>L{QdKSK=9H!duFD^f#fiZV%P`fVnmL^DE5Zslpq4v(b5>aCsN1KtMRwEv!D`af*E|ssv0v@H3 z$?G4lPBKG7BT@0G)f?IFRU-IvggNoPk!mA0vBokq4Xs8Ytlo7wEFJQV*p?A@2?4Pa za?rUjcm8?U_x~8Vaito7CjNh$w>}=Z|8MKWfBduD|E-&U&L5fRxCeGF|DDUfefc+q zDm$MDa%0oGr}5g?4^F+Gg3x0~#_GZZ0xIB z_*(kgclW+OFC7>n88ESikPlAd^VtWduQkrR4quC& zV9iV7ROo@P#xPqR=kJjaeqZ;!+DgVcfhSJ6lsLG?8@C$gK0pVIb8j`y{QaSf>>%N9 zzMMx77u%hTlN_|*PS(=ck07r_v?TblgprAcrJfK5g`*DVOb14cIza5gt`wVmI9WIF zg)hSTF?NC>1xN_JAoBTwZqzX%@z-eP%QW-lF}y9=GtXHwR%_-D)N7SGg&11%4=odp zKzhTu@Unp11z#qwiAtR!Qlw13-K+_;*bB-}T^zfNR9CFk>J-K5RH}X%B!EeKh4v0U zH@J88mgulo!&!A?W3X6}wTWrcUL3KYst&}_EJDj5^gKCu=+J>fI5+$==Nyz+C&%4l z-QyE{JGCjxJUuWxuvdSQ)o*qm8X7iUSYLtUxIgxzP!H^{_8%A~C%~BRhW0;wAnCI` zgHIiK#u!x!qaa!Y>EYEIjn~dJZe5MgWz6&hkHfbYb=IF%D5c5a2Cp> zm!-RbH#&+z^z7!9>7p4BRnbRfjB|%8Uo{S1H97m>)IyloS=o^|&n^7@oogP)5-E zU%pFHi@{-x0{ph|<(neiBeI>_(#H@_#rx;KUcB^GY4FMf+laCI~}$Q((Oe!*N#;)PaUCP^I12gpHyW!9ES6rA(sRWx}d& zIPSZSHZ1j+bG1P~cb2}LS^D$WKzBV3QaRqo(byP;>65rzR}lIvcFv||7T@`l_!n1l zC4_61z>O1NPRU4Wn$Kcel$V1L#_1X{%3h(lYrZ{N^{yqvPTCAYn+WV{#P(4SOGIx9 zbpcJ^(xn@Xi~mRuYid`65HSPV#YAwN zG?)bOcS6EZo{*PKu0)`5NAK&nPf@Ree+zU@G!(-DtWq_JD(c9djpD4?PSWl~DNa=5 ziyTV`yl86?gao2fDe2@ZaORJCD7=eGqGszvuiO}KOT2FK6?5_QYmJY;M*Yv}t8~}; zyL>WZ=K`WUKWP6pa<${__A*&>XGN+W3JN7Z&dA-Y$>gBwIea;mxj~?}_rAZ3%EYLx zJ(7ZH`t7B&-%&M`U?_qPo}M`>eTjC4l!BT*A+ek9e9 z0ET$*X866yVIy;F<$I57Muh!pJqD(}nY#bRjr+Ie41jZ(gU>m6Q(VHO*?5=gR_BM~ z(nsM&OB+jwIf{xA9-lBlQI{#FrGkk7cq8KWLu`K#sPIoXn|ZTM$TSmCrIDR%FEBSM zCnGSw)%hn_1;@bsD(b-~Z1xI@|Bg^xTU;k1%}>c~{l?wtuW5g2Rghupy>fT@9Jy8 z8u@U+QkzfSl1W>C58*fu0@MOiLyf@c|thp+(Ojc z$7{26?(d7QooDZQGuOa&$BLymH6=$yPyv6rJAGA}gFX@<93nr!PXN{wA6C)zgi2SU zG?t^BZ5L;>W!X(4babiwCw3B?)PReX8v&MK2523i#V`y^U9$`W(x5AoNVIDkFp@qj z7ug|h0c*H`QY39nY;JM=x?)jOx@E21^2j2Utb&d*Q(kwYD5c7Cg)GquZAAbl6`?i5 zd9KB-ESL1ga?VISm>em;oCP*B;=6Dtje3Q0)y+DLm4Ihm5R4ac{KX--3@UJIPa>d1 zL=3pa9^4C8&pktjEJ=gvK9~$|Y}|l(eNt41Laf z#srd>e9W&n)pEHuD)L2taf@hv%1pNwq6JFV zGEIqUkf|c~UApoma%*KwjplVSvye6+j4Y7_<#R#%`?>h6Rf`{9Y210uNIDbl)8g#; z2dB^v;QsY*mj3n?izh7+lRz%PE>FL0$S7gEzm58ZJ_l#85KJB+fJyI>8^oW!p^p8P z48><6y}c-sUk#@VvzVbp$&*Fm~LxM(w@QIjB2N+ zL)ESs!+Q!D-Uz~DwS2u#Wq2(H3U-?f5buN8Kn~FjmzwS@(D(5P`cJuB!T*lbs-pq^ z@e2Q^I#TE+rEm9$7u34hEt0D?obW_tG69@$qcH_BTrN5)`Q~otr8I9?tm%%q_4KLA z`grZF^v5D9(&uDYl;VQ()J;|hyS{vaxxPf~632u&;lKLj#w}ZS@V}uy&Y=SbhMzth z;v{@wH{?w*W*J=>J8+;=p%_L!iIo)$jlPcKM9wQt5hHbiDX+r(Z@|k@HxhNXV=gWa zReFs0E=d%E2yl6FJtTFD6(-LnOKKM0NHh$_P}IxiOw@xKcAh@Y#w5uW!xSqjP6r`$ z(~*GL0E7C-@p7>amtV0~VqvUo;6)f&!1HWXlXcJ}K&MUKg(DI!CX))ZCXR9sH%!el#wX|prpKC5q-@?FoLRNxz%OT{Sk52QNNmP{>0py{Gg`*M zAtjF1tF)MAbb@;vj%p;S?a7CkIkMt$l2rIV{gJ%Ah$hNs8+3B-bKD)ySO`dG93 z1TxEVjz+FV$V+;yNqv#h*W+W0^ug1oghdx@Do^n}xf==ApDs}~z@eUmsG*>_6#9`=qBN?MyPdV3Sk z-B!i7aBkN)H(AnrgtaL5zWG5JD&1@SiBL|qy`Jli<;U15BK8i81l#Isp< z&lYr&hZq%n;)ZBd#^#`94ZErIlfXG!825a%+jRTCO?vXA;m68FDK!ZMTqM_TgwFf) zpQK0Wd4iYzN?R~ae@HrrFX&snUzas?X<`*}SE!S~c$3)$qR1wb6v|N%I^ot#GJUW%PJBIJ$ASwH{Wcl(a!1UEg=64q;wv zhYDsW()o-I3V{;?)sJUoKJfWCGFedPmF%`mwjHl=)2rSk*1Rir#aYm%TRE;eT@^|m ztCh+5&UH8|XV?M6;4gWvGEP}OP5y!;;6@4+eXmr@xrGV8lso24Vg!!)5m~>{R1CfS zjUYnP-$SbcBn@n*0Va_ejE;_=Lr?9AiQuvCMWl@o$_T#ji?3R^3&mXPoArxMh=T_X z>`lKKTiuG>fT@C3E|92w@1{P{#^{RK7Dx%!u4uBr7|$l8m>beEHe+Lvor|fZ2?d~j zS{Ugq9~zlOJ)+MKPjhc?`l3hfKi8m>a;4)A#S}>}%y;AON!E4Mut-NXdP;L7$Sp)f zyVZE2yyrF3f6M;8bq0IBDtJEtPq?dL+65m9m3x59GEbZ;?&K> zo1dg;)1n{Dq8xhqBl$Dr?ik+j_iup2^BwV;IblO>W70HR3YnWjg4A*dzXe3gM-2c~ z27!{7MX+)N)BzS>ByJII5t8s~OzRk3fKEA5Owx|+EMC`ZDn!+Ms~yBhI%iAAZ}hz) z0YtSJL;+N>dD^9FTPvH7k+@MR)TJFNb)$uVm4KNdPS&}oTdY3Sgc)4=9tzdob&gzR zNnD?rc5ti#$4Xly{vMe)4HnfKc)!$Jef6b_@to;%(KvH`>Ce}+3qe@zeM4qjnUTSv ztDG0AgBRP0XYJs{{?p>WTG3yt5&hdd|I4PwH-_VXw`}X+zjoq(JMq7r_}_n(_}?T+ z2`7C3_;KjM5x}yVu_Jjz^HTCnS17pFltZ-;8VR)RGNNp^g`#Xl?4#LCHq(CVks!R( zPV_Io6WWrK+!dg^l#a+6R;4?sb5ihN_m?Nveo|6<5!Bpj?I-U;x$+ZtfxY^@pSTxr z2M)@`pSl+l<&s}3SAXJOoN)c0nlAI?K=2cH!c-vqBptv=(x12s;bciaNhhM|oqm#T zxV4&_AOC4PAuNb3bzy7sE=U!V5^use<(A-sy$|7Q7L9^VRg{?Pq@)3$A$ z`~Snc|LfcR|Mxmv==(Q02dZwq=;h3d{Rt{CSQ>+i>VNi^ z`sILeJ(6Hrbdy>;BrREe%P?BvE@4;`;lf!%i&H*mhNrdk?br9Oosob%^K98#OL#5o z8kzzk#o1<>AWap#qC07u|LIYifK>rTO*nLZIzpjzW8 zYy!q*&qc@&F1+RAkd9@7k%i_9y)^sw-KjrwM9Ja@f1{wAxS$#{W~cdTqf?jg(V1)9 z`ICgu{=xR25iO*T-H1O?{x%e#bovU#@yuZp7ypR0;VTimFHHOBf%Ea*skbz&(WS4# z{t9suh-8B}2CscV^C;W~m%g38ck6W<;9d<0Dy5(yoXHyq$wUzL(Mo6{#S#jKcwI?* zH9MP}#;vR2`sIh@FE{hx)ay;qmVPR99^2=~biR-dcm+g0X!V4U?swW{V+D>v=7RwS za6*>hb5yQij>sptcOzcyga_g$uzLIt^V-1n$q8j2+AM2H_uLVrIsLZWo4CpkF8}Gl z`+vsZLEOBv(csXSc+kzf(`Q$~)n%Eh8Q^NRdQh*~Y97W8Snlfq@_7`CvQEBI#~TM- zYbLx2LX`*@RW3OOCYAw8=Su^=fzKVQ9`eT&hfXP*&yHj#vd7HhC)6zl5E$w^kQLp_ zTGc_Xk9pOSS2Q}0AbN=ALs&hL99Z3@?sWPSE?%dmb{{^h2XMNM;p5RN`BxQhs1pL%cn3Hu$j1iwIs4i1;gzDyu=Q zr?3TrQ>uNlKmdz#BK!}NBZ-*o#dqJpCg3X( z1gk%xy*U5iy$evl*|7NGDU5dioLwDXrL8mr4;yDb>RCmC3%fqHBUKDCav6C$-Z`Hp zNwh%PLWoq7L%%$ACR!ljX4y&hh%1RcJhFV+BPH_HijVayQ64MVjFTiei;2xSq1SPO z`8&ys*W|QUTh4v*Fjg1yqmjhO*}z)5`#udvS;eaoIBO}7hnO3n+=)y>9C3xR#}J-) z8ASmta`Z_==28)_eQu~g(Vy^ZB28Nk!)09kh>$^1GxkJC&(Y+j8a;jC?z)j`FO?0V zkzlq}4+H~ZVmt;3L;CA|-UJjc)+b6LLa|IBN}?UFkaGq^Z}SQo7ty6Wk{Uz=p=NeZ zRI25%syk6+oI+zXIkw*BxXZa?@ZTI&eAF);9ht-&b zX-@6cg_L5AGk<^Z-kZeHXJm+>26ly4B-t$B=L&sQ-=%GFhvH)1A;<}=G*Tmb=39WV z&6E($#s++ABL=S|vLDr_xDlw^eNrre)mPdg)TQf;L?RmvPlp`-!lSVl=&Y7XiU|Bk z92)R!ET~~9cH#bYhSL!Q_ET;owbo5xAQLqZs~II>ndU@{M7)8n6C}|Il4xrGXWfoK zkY2ebKok4_<}I5xh3x-ZH}!Y&e?46Pe|yoxPXC)W_HT1`yQOl8uAqBs1=BTP_jnZ# z0Jr2kRdwqq`#h1Ck8&gYXcuGncANw{P68dzf8qJxx~~CW9aon7%c^7fE(=u6GJF=K zP^O(05*!ySM%0SD7Ikg39T{R=86xfs(MAo&h6Lw^Sk)g_gcogZ%*{_?%3cSihj>O} zu9i4$iTp_9EFq;?<02-iY5eeMqLU{M3MtVjFC4q zt06^0Vy3WsT-J&dH-{J(h6E>uh@`!Y>|Cwr&{~@ZWRlR8fDa0y7po4NUXFQ_fjlC} zyP)|jS+!9r4od8WM~WzhwN2=_ezyWQx(bN!K*ESgZS}ya4SSQOIBseD0ym=BFd}dm z*4;6FS3LOmwWSXbGGp=c4=H&8UdbO!U2mLu18&)BlURkP<_M|u!s5jbEDVZ7z2fRn z0j&qA;tk*`H-D^NiL<4Zi-qP3FVc{gG+2Yev$1UhKn{efb=u|#w7*3xMv#0t)A;=B z#Y^un=M}2S=~rXadf)z|asHB_wL?|r(yN~^m|WY_Ya{pya8;3+F(G?cGYH4j)qvSp z`1AeSr`4n`o;^?FnN?#59W3{LoL~I%GpVvXAAgV~w${=B7*qStT-oj}eRGyQ7V> zhPOz8=vA)-n8spa6?lRIpSrOOhA{p1(x0!$O?pMsEyC%2C2Y`yJ&SV4b<_ad*e(nVb_l3XxST`^LfGE&G} z|8r1e^GZ%!$JCNb_&(|`5oMqZE%j>LmK6~C@k8p1A5+wror(dtYRfl{%g6ri4{z~S zItkYE5NSs?l4X%;y0230GJ04sx>2^kq-jW_RvNpz9WzY_%W4hnKLU?pwPHY<*nc)| z+uR?r|7_{s`gq6w)4_l0Sb;iLpnnnkr#3@QmuUlfv_n=E4$|6%t(r}=9J(q#GPQrX zW+AJMv*#YX_xW1Js76quGKmJ2kf{LMZZB$dv{`}R;l-1-9#9&YA-R%)fhz2jM}7z0 z5Z_m--f_QN4~mm2L8mwuQc=t#tZ|c|$7qKVk+ZEbvr_S6Dgv+AIdX1b9LMy{yVJ8m zaX9@p(_louCvO$09?r`Ni)-1NJuzuLCB0rD%sja{Yc)L_5!HGLv(RP{!oPyYDH&UG zRFuvTZVzLCIW;J{MytHD(R8k6m1qcw!Hkctv`XhYLVBxq^4HIB-spQbzcf>M2nDw7 zRNt8TaPiA=XFRa=8=)vY zkybZQR}Y6z?Ea{4<{@#3co}M^*nJEtJ$10R8xtAE7kG{>BWI1 zsZbA20lqA%bc2I_t~;J(Nb9Yx(=G2p%=CyHNOxO4yOPogOK_phG6 zJM}r`cTEddJV$|wXG#72Q7YCxWv@qugZ7ricRoc0y6A_@@p*?s2}sqB82@jeBl_9{ z^Cu$l15>{9PKsN52a>;|#{9|Dm~r~Q)x>^luK(M%W#h)JA^qQ`E!#GC^nV@wUq}Df z(f@Vye`^OhC!D#{m3VY&Ydu~Iio9kDyePIj)#wLCuN>z&vCnoL9N7KqfoBGfJ~w#i z@X&$%y9^g^8x8#fa+EM}AN)vWvxW-(~cRiksI+Lh%~a#dD|bfAS~k z2gVK*-v|L4GgWh%>Uq)YUvrE)x()yB`=$48fvC85~1#WyP}+k}AH< zyi7+v$Nu;v-V+`HCCXfy|77XS*ZCr_c>N0I=9+$c@#35J?tCBul*!3&>H4h)m;aPh z$%FU*{NRI66Dvv5;kBj=)mNOXe;RAi-9GycLc2ttw!9vX1kqi?UDcUjqpkGL-TMjEeQjp$X$GxHsq=C5g* zmAdN=Ipr)^Dpb5OUb#Cxg%`W|nZ|1bMP@G1)Vx@t=~pG4oFV9(+rpnxtQB1cO@BrH z{Pg>(9$RY{qq?=K61|!?vq~!uc10<4Rek;5t@B8aA0ReeLUy_p&<Fa`rL=c^pzWStb0rQ2+O|4M&zP~$l{r>kq2sn~cQ}@2Vj4*e9zV_hMpGi0W zBgMSW(*~bzT$pN{!4P<{LU{52=1@vRZv)nn!YC-EBAua`XjibOwx zDhYENlxUd*M1@QUa6Wm!DG*&C?tn1R8iYeO<$jbpZ63+J@4p~*&Af1})~Cjw?wcq$-#hu1@Ja(OLM2%;fwF;Vmwj6pxsoKfX6)G+P)E@$_?-^MpJ}?-GnQaCj*ScLJ4w@72#W(C0-O{y=MvS z@Lk}0rm5T9HMR}$rtqRhh@4NTi67Bke)Esy$S*&n2k5L>$Z-QqWwTBe_;yiwG`$n9Zwl2btooy@TkjO7H9 z18Ti+QT29&VxqniE?)J@V&{4`)TT{Zeqa=I4i4=JveL42T+}vna5pn@f;Ov^eahoL zG)n!FP0{2^@e!`9Xg3wKo>B2=Jk42(n+*JXv@0dgE8w|7IH649zSWKtQ^(ct%jMc= zLU-)7F8as3@KF;4;{{U+GGDS*7?D7;i8oyc(giKs#d*9f~seA-Y-UzBs7Y z%bKn|Bfca%PhLlrm@Al|s17j>b$@EecJbCsLJAASB)QVp_)s#&6D4!ryjtFzGhAll z?RXj8vDEK2n5e}Y*g*)Ri}aC&fhYF)rlpCcD__W~$T>Rkz9XyTYyyDiyk@1utzk>U zzi~U`My50MFB(24K9uBz3^p4N;+C+ZO^CA_Ev!$tE9&-6av?ctoL-=B z7f2WMqlhe>x@H#^QcL5_3n&8Ky4;w4PnyLq(n>Bwp@B6>o`^5i5lGI47TJTd^yOJZ zQk}p5$wx~!rcf@L`VrxX?O`olzeRzl(Mrv_a9&=&(71Kgq8KrZW(dawi3~Ta8=3^B zr_+075!zSNgtR|z&`T@WbFwrB^hM%xProX3kW<1JfRr%Pjf)E;z$203=EQZt{U*Y7 zbqAOqg=YhZFOh?QB$UEII3EDw1-^0P{;fHE^EEqd`!NSjZ~>zo;MYVW=62_T1#lX(H>bQfI59Q@>^^;DzNTM%=t{3@El90b1+9jn=g z%Szk14@>u9$v!4ldR0PATD6=dhOyDvs6Rx~P52OBC4Y#koA4pNO8ziNX);J@GYK`+ z^e-be{3m9eX-BZqjHfYWIH|wYa>ex925xJ_J#2NDN^h^hO2h-rLL?J`hl+K;-xkAw z--=DZ-b+x-SH2#$wgVcxp8~L1HGx`w#N4D&CHD# z)N5FnlZ z?&h}DCsMJs48=*TvMoVblG2|;Qc0q_5>ct4&n|phD8Gy_m~fFq+n4BOZ5&;dVl^!} z=lSu;|8So2@~*f%I)!qnyT;}an1Z~74Pq6zt$q=P5Z0ui4g(?hYvb4qsx?G`4Eq$z zLWILaNsy2+UhCp}%$dB+Mn~_&x?1rsH84BuSjnzG1vBr;}u-k6@pxX)EIj#Z_k9CmD?g1I#KX$izzK`@J*3! zyQr9ytbxrntzF55nSXj(+7!)OrsQA?#+99!Sp0qc{;AU_b;CtpTv=zN8R($!PE0 zIZrnVw7Lx)1frn{K1&DschTfMtrxFaOMa(!(ioHTrzWfPrN*O2EeO6 z*m9}gQi0eC5{_+YX4<4Uu3>00y-i1fuT17SMM}h(o~`wlP?Cc`aMkBRfE%G$4J$V1 z`ElV4X|Zx)%*sWp)nppz2y|JaOMQsWq?C}0y;C-%akc~Hi zJN;=_Po$gnf92dWxa|0MkH6jygwKNG9T`b&TM!k zsWUQsE`o?=M`ona+E9sc3(=;|5L(WOSn?B!X8#pIf{m|zH#QG#SgDEW-c$jH;q39j@!J6skT80!i^8UAxLgB0RuWI2YNCVZ%MqSeU|*X z$=8naT=MJQ#J-&r<3hLT{mP0$jJ|72cz>B%M+Absq$bPO7j zHpM?8qiy4a8;%@qqDn+E6>P*!IM_Hf5rtOK0jJIS5kNEyRiNPf5%M``D+Pe1@vWigz8EWRCkoS7op(zkGIeGMmzlxX!qAfL=HesGh3h8G^y(PQ@sG9l6bvn|?0 zDG3jrKE!3f@KgL@gp5YTH7QM8mp}Xao;WYqoZDxN5@Vx zqym8zta8YTAB61M@xzOT)=Sq~PS$1wqKCC9j+oAP8Deo}YU%IqFP@rh?xh?K_m2Ws zSe`nwk}NF4nq6itbk}1;XT-lpq{OVyjZ_5Nxl+^hB52T;)t1&pOZDA)gbst!NA7`Ud^!at-#i8KEL-uN4T~4&m)^U@Q)6UmzN9xn!d{HeMWOfB)$nBtgB1R@_{T3KZghN1e0%g`QqN(z zEPe1N+=Q)DE9TIW{kX<=z?Eqi#!0&hk4+r|!p0z$LxLY!pQ=#Ax*!etq+7tsMGS-# z&Mao(z3k=d7VFhQ=D z6*e#Rk{!Q&>SxtDW8o4K)G+`_eaSwp4A7&l*Oac*NDeN-lGNa}a>iH~uT)4=>yVZu zOKxBof=Zr-$#O|x=bV(Mw%`vs^FX;`H@I9iPMWTITBlQtS901XHJ@%WM2b^l8jACo zW;98F>}j+Zk{3d(AVufijNQF$_!8eB2jkB)Mt4LB6c$MmINsvTPb}wToAt@*F~ka$ z7*vP}(tRvcKNd59mxRB1IGuJ3TocF_LQ^vr>u}e6CT%5I{QOK$N0nr06rKX8VnIly zSX4xNhJO~$QQUzMQA#Cq?L)Dqx&*5q1M|3abgPsqWP{TjL#u0D#lfE@hgD|$f#8f) z2Dq=CD979ewC*p#uN<9!b>Fr(eKU@0rmK4cNyNaOyh~*4FT)OmC z$dGQajW{R#mis1sJ)$>;Q&XFqrEBvKKKTpAXd?L8XHwWJ6=I{(L=#z1D>e$3MPzj3a&SSk;RO%VTvO>-kuz(@VUMd^(I?R{-oJKAnB>V+FD0<(P!`fx1Ku<3&@E~T+e!;(pGTwD znU5kp=UO&7G)2=fJzfc~Nw`V~4V1j;Mp%xq=eT@$d$AS`JFXDF%zXn)q@Th|O66!( zfx$vjJ8QASFcX9e0(69WhT2+OoLqi_!r>TY2Ax>4rUy2l0o&AG{5RA9#zv5+^@o=AmowPq$>^VV!L}~NtqZ*=y z2W?RIYmBL&YKn-f@xmmI_?nDEzZPD}xNF|R%0#+ZA+I&3nP$FR0%zsH)b%*-KfBzO z6p9i{FvmNBgV0p$a#tyr3WN_#hJH7XoXbb7&9b~t=mj0&OhdqO{9qgn1t8>j#Ze4r z1TIx*MSq|wBer%7|0QGUlpqx0v&zx0;@2jV^b554lh2*T#S7$pJ0oL|Zdi9~5wQCy z#WgY8QOV&Vg((V!ATws=fvYpgnXKggg}3R$A3`7sEnh=1DnHCs=ilYt2^BW!Y` zFy%*Y?Jvf{5ri~jcW0K#P1o9FnCBP&`pME?{~FZ@irO2We|>lQqL31#W0#09#O?eg zCg2lbKf*(mVTMHob5NG)JTx~tfUiCC8Qd?+MWr|BtvQ=l*-mC*byPj?70>B&j+93E z&onDX1@c3Ef>U!RaSg^5x=csZ*YuNuG|?CO8_G9%gEs1HM7urL`1&tGQJ!?*8R}LH zWQBe313IEF%`uiY`#dKq)l5dP+H0p}(gp489vJ|8Fy6a)K^BU#EekknB*e>62qdOPE|0kwo9OEFP{BSAq;Z=dCMeq@ZHl?|Hxzw6at+Pf* z&D+vKM`UdT6g57dZG5ipn<4WbIcLvBq$!0hVTn~XCq6H)XEU+66`Js|V&L?ShMwU@ zSdME?I&(_Swos&87nziu_dmH77j4rPR}HCXN6SXj2xJ#noPz*N z<2Fw7L51oT7P!QuFA>gz5m_rAZd{~Y$r;BmO_s<;{E~oP8x_E@5xb>}+<*}uWwH^4 z?xTH1DfY#yRekR`u_3>j8rNV%gKIFykn;0e*v~(b&f%iCog?G8Zio2tRG!r*aZ=I_ z*4v8+y}!`EWk3Y%Ld@rJR$l#azheAad~{cnjYu{vk)?Du! zuL>~F?b#FCJ0SO!OMb0fZRR^g2AT5&TO$O}b~FZbJ_X`>VcaWfRm8+1+X2!BSTKwn>)|%eC^CMh(fuFNL9g>~R=tos&bWSDto}->vv5$OSsiRC)LT0MZtW!~* zEE+#&HJGEA^CWAKToPmp2-}D;%x*DieGT~Xr@gq!qdFZ7*?RMN4{@kqKgDj z!SG@$ph45c_U61d+V!Xr=HAUyq>s@aQ};iABSwHpTsGSo!m2+CUntx!?q9u#T>au5 z@*;*x-n#ewy9DeLrkhree7Ow3M%KX*e{#gFu501CWi7k4p7!Q67(C(JJKfMoH!=He zXsVms_Yz!IrWQnL^b(`eY?K17{<`$No=@6;%_iNrhG*3L^H9Xqpdz9@KBf+@tM#JE#@X+@sGovBjSc}m3n5oM$1E=p?QXQUq= z3EX)8YADvm8&?sGTZEpYSs~U{4VZ4@+y`v{e56tWcPu~dmd1dZ`LuweAs$x?p2 z3LEDYPlQ9Ge^BV;cLeA0P*rb+$mnx}rPu?9*ptYVTeZ&}GcLOZeVdhnMKF%?>^NhU z7$Y|<9HS^|1a-1rV6uWqb2iA$pU`vJ^{9p0Kxpnm$B}t0h#d4+ja^}!ITB|g#8$+9 zn|@V(HP?7^X7R%-8apxqv0&UlKQSV|V@@#P3P|FI6rJbq&s~OX+<1G&*>K=cj}sez zqb5b|VLIs85B5!gj0lVmK>@BRV{Sw-U?0mdH-W1(X#(dtEW0PO2P?2y{PRmmsB-y` z1CD_BiYhR}JnQHJ(mD{RaOhtd#V{Ms^8-V}M-L9|*}47~8LKTzA{r~R!aA|FkQ?K~ zB-0@@XH_~>E*}E&N}9P zsM;jsxK~(bMBc82HAUzw16B;O6Gm#RqoXpz%&$CXx8|D(7wlX*S)OCtF*(X;?5_-% z3wD)^z}DqdFW@6p9e)gyTk)!t4nV{wVEl@}Y%Z{qRXnzVP$=q%kxAhEGE{_YWZXh1 zZFZV%bRje{^xpgSO}fH_qg+#hp-{S1D`rDfphN+Ge?u(cEpfq*@Fcz5LW_^A?{x&9 zBL-!REj5#9QYz)S`!~KsJ;ue$>fYA){OsZff76%0raJI8PI>NX%sJ0THOHcObdMf` z|G3tTO|L~zACbWHlm-Y--w>s_(aRo_p8i(E%{m}E6pGqBk4cBJA!l77j1Y)cp-d_E zKys+LFFTZnffU`s?a-<|3x~BOw}x5|W#P@5-hnLpAf`tPM|fmn(;fSmm?Oj|Rn8&G zM`zc|A>St>U|pyP*cM^XjdqI)MW9A2#JJn3d3iK1=uAdaGjzz_U=cj-I=hfq+vPVF zzqxex^b~s-q3Z%;TGF^(AdhuDT1xo8T+;^<%9)^htlTtsfq2Mmq?to z`3ewkErm{m`GK>w zf77zYD}dyTT`4?$v{UbKw^;X~!kQ%2xw|7lzHpNFbv$CvZ_jna28qVvdsvwiX zc`Pc*%NMy3ezB`Q0^(jh2Rtgdy2D--E^^Nz+F?o76yUR6Tgxe|PeKck+LC@_%>o zf5+wjMv3Xp6G**V=DsEgNjD6qH3N5 zajPm03OR}|+N;sU8r^Ds+^!Fwv{#Xb6?sMPIBwzIO4UCOeHnx6t5vUl-d^p2oIy@+ z9-T*i-d?4LXf`=LTQ6LZdyy!cebjplZc4pg>3GwE`J(4mTPb-Q`vJH0Ud$F@jZ9v% z+8Y;lakVN76B-eFVjZv@>}|vMPIGgmU+wpJ!jvhnI|+MH-S1n@&l}mD$Y6rl*y-lu zi-nA~U3*#NX|la@wvj^SC3IyRm5L!P60}u%_TA_RDf~9Q2TmN`Kq4AJD^rse&uit6 zcyD@%gP#)B^|LMHENdk*7DcnSw5&#eyQvh<*Q;dHme5w5DN_hls6h{zWYU*KrI#(2 zj{%vW9Z8W>IQgP5@{^6RAPoIVQ_eyeLvv9tSg)RuQ3f%v=EAnGA1IwX$&D^KqUeE? zf&gSesD8pjrvpEjh|5Atk>Rb7M$=gKP?TwuqLYCw3@!S67|_W`br>b^`!{~1?2K0v z$yPdohrXOM75DKfa-C9F$LHxuUA%r}ah6XN035O$p5p#!@Q4-e@P`{jJCXqx8G zkBm`scy;6^81ZT+5Ni-O7!6cxM?8CMbeQIr&C}EXoAYW2!dWfQhZzRtkRJ!a%&1^< zUENM3G?-Y7V1#iU6JUm7$`}qoQiF;I-e0Z}M7GNqf8@rh;d`vUTK$acVRMO`rWH9} z($pHHHdG2~Xq1;q0&7cT1d>?D``*|QA_+y)Ex=6GxY)2iCc5L?meGjcQ0~uW=RH~` zF%`~Sa(Kf$JA5u(zs0~s6pKtLQBO|^lc0b!nOpqRU+>+%y)?J5_~D$hAv8PWU(`7J z-)Kbt;ZMZ8ZV1Q#U;Ka*ZW1;UrKM@gEwI|RZr`2yrtt>a_7t!=Pgvu%FVIa= zC-PyRbxfuv;9OsQy>a{NL|7OjCGD~(KxMM!SPpX)iLCx2v*6zDqjC(_%sGnQCvvdY zRrqyXi+B6gEB$K1qFVWr!@V&&(3tw0IZH%FKhmo!NV%M<*Z_Q9y!PJWt;-fPq{^?V z{OS<%@$E2;M-KSaXhx=tO2p-fTdvS_*z-;VG<{KSEI~$#-&|XK^`dmlxk&kFFOkc@ z^u6ytqhS4WJlD($+TH%p%*4 zT4Y>%RHAh~fjkQS3vXCOw>(XW_!jEx6BRx|X7-vVDi32`3wf)HBKk#o^@LmxhMrzHV&>Gf|iKf~h&bcvY*V-!=#2Pj1uYWV_d+)ZraE((WZ$mdvy zZ&{7d_!|l8CE{|Ib<^5_lA;D^@3CexJeeB|BzMLAdmJ+nbrd~VIv!mir24o?g$vR< zpOOddv<2QndAJStix41x=vsBf6JsMNO+}62+LMEyt=G$ zlCyzmYCLlBKvv}o24FzkM+iK~qMd=ug|eh{twNHNt|mEBx?)nK`?--I(jC2yk*%mhzElEgNqE?nK8g#TqOpC|5LW>4> zZbdw8Pnqtmg=)Ft7|oNDxKu!Ptw4i~xSw1>&0uR0rKnT#PAGdF?pD#LH&GdPQOggV zM1M2!3-_{HC@2MzZm&BK4&NJs9z)=%=_@)76(b<>Zp9t(h2RrbDzqi{G+ux0!D+-g zX;Yakbk-Q2!&lF64wx`NgrPZX>(quLTi^dIxY@+uh`IYe{?Iu0v9ScQ()W#p2%(Hh zD1QPSL_hmK(NzY$?VSy3z9;dTKOH~PuCO<+p?>VLNf#Xy5V#}|$Fe400)VERj-0uf z*8PNAqOfwY+Zcpe(WW<%<(RLEU-5bagrz1w0o+Mh$IAghM7P22XAT`Wa`5Ed!~4QE zm;nq*lg_V{$T{(I`_pWw$Ux{l!C6JCigW>ywOLrDlaN+5Ym>aHsfyq;KHURM9)O^j zaJu@(z2aof*+605FgZ>zIWbZ$nyIWEFMyh1D|3A~TX7?OF*;MIz9LV|LgFN^)3dxT zG|gg%hj*un$rZawqWs7pxr=e>8s4HKmXaZ#`ixxr*#cnTOGpiZisEjK8XPN*jqq!D zubXFiQwTdw^~E0u7(Vof79P|Z_Cl;Ri4!r~P`8iiM*sfcy*JsR99nBmoTz+ArOt4H zxVf0s2P@op)WqMv_HN_iKcF+MQjRsN)7J#B8V>j!Ii=^r{Yj=JtGdSROCTIA{q-vM zNCfeR^Kxq;p~vJ^t=&}(zWTgd#bb86dAqFcrsyLdsZ!@oucB755ZT!G@~W+oN&|VZ^S2 z?2j=QB7|tQ40DbkJbB47h>4?rx*Um!c@zUtKwH*`$V%x3^1dQeVEJmfWGKXd!>Ct5 zFkUbd9fVfm2%H#Xb{WH4IB?6Vmoru+RV2{0-2d`wt<*8g z^rKoe)r`?Jn&Q|(Su3Z=cS&N){=wnr4;=dS$)SV0mnGosJ8)$GaH@QFaA;5HeM~h+ zh7a!_*f*G3QKXBp6&)Tt!fWuZcCR zqbjh5s1%!i)eIj5ma&C%tu_%|XPfAx5(L^r^0#HLSW#6Wz}bqX8!WS~e4DJs4r#hM zvMp>1CwctSGb*8h704Jemf1eV@kV74Q67){Z7pF0=4J+#O=4NOF+_2T;Uy{YdOOI z&;%yAa!a+S_%C&36b>SVTyaYN>X#e0Y~A6hQ#041Z2I7h3($M3tt5rCKG3~ny|Sh5 z<`fZEK_0Wx$Xd9-sE1yheOLRRA=1k`Yi}b;@WWn_&_Q6pjFMrmOQ0uAW)h=@jT29# z6zO8$vV5^FGL~XcRnZ+|b!Fbg^rz|WM_n@aAdk)7H+?+H77qMAn3GUJPIF$Q90`Wm zg-&3uK@UfItu>)TB_f&>Wsnf7GNza<{zZZXov~TXOykWtB$#R88$n=?NjDY2f7|tH zj+;2jhT3G#1fH$Y_f$g=xgafFyhCoD^KmRU;XJr_Ve#FMMOqV`mS?tYleu%S=%Jo8 z5RqbI*Y02cX6bL}ZN)D4H0`PdzQ|atDb@7T z&M+f3RfN17E0wE^xK6Tc)eqemv`iY_y>4mpgge<}&?$z#MB2V7EK^$In-Tsxgk7tz zjIVxj|LWz3WneerQC7q-1pt8NB~YagmuJEPAdohxY7z((fx@9PE*K%l`4Mm2MK25t z^I@re<8Lu!HSpOd*u;>Q z3OU>4MTUnewj}*-80SC_cf=z<0F~HBdftSmK-}XhyiYkPx29#j#Bk^FNGp$`gDKj^ zeDPjfs$wQw;VWcy-**Cg)S0rqTCR<|iOgXw#i?^ag0wV*nZD09LL$sp@xV? zj%TiM?qj;~phd=}-$)L@HRq2;7~YB)ST9GYFPf*36mXMg2`pK`R0^Bp3pqn|3kEW z?IAg#EF&tkMe+`r>JK9noj#V_Vl1(WaE$<^(UL%SNFc3f23i41ufiZiy67$eFFt{i z!Mf)L4()tyVDFK^b%bm!K@#;>6ChFegih~+te4aF<*t})G7%5(E0J{uMtAo9Rgqgb zMAPhG5eGINxr!Sdr#OKhK5g8-XzBG%O)w8?G_^kl^SV>l8;mL<6{@ z#I2;qr9}}yFTWEW&-|A7nAPzYdtWr!xvdV=G!w2oop7ucdXwr8f$OqM?;IHe759TD z?;{>yqTGZaz#&45YJXep536fLz8m=bJmC@CGW@g`&OS-F{v z9859M*2?wEh*_0Ds;nbT%4RgT9FW1~jHh)p)ZsGuDUZrM_lr-dNN1fMo%7@fsXCmO;<26 z0(n_;0NZKVBX4Vs3m&-olLUI1uq*Fa_@m^&jRPu`OtV;mViM2-wrxp<|cZoO@ zJpYcD*)$Yb$(#+MPwGmvM49IIP zIk|tN)=y%np=9=pojFg5x|S8_xrk!Ft@G@&@t46n{)q;R{U{)Y#a{> z)Iw%ta*7&VI{2Hc)WJzzIbD*ykpRKV;D#YSk_z!w0`VDeqr~?f@>f=1*A$?}INX@m z*6xbk{cSWAm8xHk!L!+c2JK&Z+w??Y=Wj>;=-{ z>n){Qr=Zv?I)5o~FB%JL5gK1zq|a|eqo%F?Yq0n$?L_KEp{?Ib$W7l0B+Y)z(FKGF zqAq74Wq1M1a)L=lOU)^1qo_%32kDF%XSma$91?e4`jH!lsOgI}F3^4zESvPfvCu%u zGUXV-5tc{e0F+`KF`Bu1h>CEpH1{2efuy1PkBnw!c$#=~rsaMY>&eMMSYaoJWsRy8 zM;OZHi$^JDPEl#lLVh3*-g{G->Ga208s zyRtI!*XITcXO@>3!LL`))q+8^1od0IKO=F?f$36uWvt7tD26N~HbgT!9^3t53X2eF zRKcs1$^?vMu+$K{!6}66z(@4tOjygk+;f{OzBn{#h;8Ap9wsbRgrRN8?;vI`#~9Hm z5|z;8Ri;_f=!4JWVBI1flR{7tJtc8S z$w&mP(rZp;!DIh@3h+Z!YqU!NrOzs5lSA)nG5wG|kV`{}wa71~`E<2L6w#f>WJmZV ztKzv~0TGy42o@sf7H3#uX#DW?gDXF(T#v-N(5SX_?R?`F#viF%zjQhJER^&n3`Ns? z9Hh^&lF>Vq+In8+TVxcG(|;wE;Th5zz8ZFbOQSQ@MyuB}P8AZZyl;MmHkZ%~;N z>9WL2;Jrv@;ZV;+frNW2GCREMY9DBF)HZGhP5iSHrk}oToswdP3Y_uAm&j74K9<0e z(-I@X^4OMU@ns9Xd{9 zAj?9%Ham9(bv=Ka>>cKtc5%k1S(eqce&wHlp_u zx?YU|8v`NQFXei2&a>qcsI3+eFT#bJ+Q^rysE!flohq7JK(dYzZE?q}1k={cRgVsN zZwU9m*hGXTfau}}a5!AJf9E!(eHC$yat0X1`@w4$mVTJGkv(ou1#_kvFyuSj3`mnX z>=hjE^jCHSnvHI|Vz5`?hbH8})~CiCSqsx74WsAj^8Pws&+UApQCwBwsi_Aa{Y7F08!L%DA>TjJl(5&7oI1&- z*GfSSx5X7iZvZbN>FBztHy!i(h^w3~DGZu*dB8gogG7 z`I*hGP?>xfcdfAh>YAl-zGdBVoTZ*DIEl)PK!7ibN+i}N3D*edK`;P*jiNh7s^}a| zIkyxdYI!sSzAZJQqg;_c!AZ7@lPR}t)2{%9g4kPl7*j)9T~NNUK^F{b(kdel*iY`q50A=|?kdrytE=`q4}${pcf@|C0pHO4%>fRwV~$ zdj8M;E!(zi3+4aZ^7y80o&28GQ9GCy8+1~BDj z;FW+SgXJEo+(QGt^4UxjyxGrdlW_p;*WZ z*|=k#{z&5L5z426O`866Ei-$X18yO^=kl|9as_)rfJy_y&$gGNvD!3!X44du%?cEn z6?ppLC4p=?2V~qj8dNC~HhI9W&;eOrE1M)6%pQuobSO`F2*v3HjOL^fdUliuQ7)?Q2NaVcG z46HzFZF-X^^K}yQJ5RyS^DU4^TtpB4US3>j^Tlq;zK|I7^7O))xw9$5TQiy&HoOW6 zYXs>bOhI@s;+?+9`X(;cJORS~DDX=uC6%@4F`i)QxhWprY7#;yY^%x|t^qS6GF)Rz zArNBr@D$rL7uuIrJt=#%x=MTW9i1o6EU5#YT8I#j>68_|8;Q=1rWSa3>rb!)aPJxc zk!lS|V6a5CDbWyGrs`;c8f%)~VfUe-Ba9z|`uxTlw>b4)1w=1>Yv1=DDAI zClzoe87li>oq-z2o3FAXZvNO9yY_65&LiYj&8kQ{=aqAS{0tT95&6rpn~w>jx4f-| zwxc%%t7HfUVFo{oDS1V>EN(Wj17S0mC!JhN?Z7q@mtE#Pw6DZ&H#>TtjD8m=0O>8M zolnB=e0T)&G!hIt`tXwdR79hDkc%S;tD@B+4~*iXwM40A`Q-7)tbQ0LVGUstmLam+ zml%vn9W9p~5ajx56O}&mdb3LOwp%x5lN`3I0Fbm;7V1YjAz>ZLJw|)mw{;ma(_5kx zuI09HUmQmGkix;k;uqm1t3HHPOS)cF%M&YEuapUuSrL*1Yqc(X9a`hNQ1eZ^de+sj zA%N|tY36`*8*9hJ`V*K~W9@%vqj|+!7298P``^aLAAfvH$o>a^ckF);(f$XEz8%pV z>MuLH)j=nWE@A87&{O;1SG9tM!HwIp`0sx=%!6T{3)|ZQH?VNH=-383w!w~VuwxrE zY=eC6tfgJhXrX1BAb&#%9>cjoRqn7<3t=?QR;3hdym4Xa+c($JFepd7x<hcm@8NhkoPn;hxY3 zNhm}lVIjoNoJ=>*3HKNV1z0_?(h&q%ao~kJhR*iDY66S}s~0^Ljlk}`}SxP28zZe3AYCt z5^mm61PcwIZ#J+H$(HjKspcr*3x-Kj{ulIj|AHRgpqTZqq)FsW;YyDcUXY&gnDzPI zogW)#u9Gjd*<73#^h)(Cdwh4S1ZNbSzPOLB-CDf-WoRF@uWcE&G#;3>5o0w*S;e=4 zt9q9-XKAFVlt z=g7$UzQoLYXZ5Tht)iE9{G~gW`Bn1&T?6Oe=KjC^TQ+S9`~Pm*w6Syl@A&_A?)aTM z{!e?y@7&EFUBBHFXWfpM?LVEDt)VeUajRWDU)nZZR)x3f&&M_Ok@7_CxPGq8)AMKT zZ26Pw6kGI2{F(a?J}T~l{{&uj58sLICwE4ZerS)n1KKM3oBeFvxmLw{>nHS_ zVjW4xRjQ+1{h8uF;I9*|ziOJ_mi)iA^>5u8_W#%X&SQB5Z_LZ*oB+!xs zt*nV7{XM*w{TgK@m)Cj25lVDMsy7~%iZ(7$vCxBIM#&Zyqn$j(hiRH7L)Sp6cLS%S zlXTAhYTEL_Nrb5bG8grML!1aJ5S0dqlZs%lR4TV-d7NuFJ(#>0k0NV=#KV=$(DOKc zSvjn8xl~{p6AA2jbRr#C)g$2a+)tc4xD`D_+U&}`rEcAUbLhza{X_eoiJdS#UAUh_ zCW&tGMK^9MJuj<805M&ZEuK6)eBj{0!9Cr}=`1X4xBOl#?TY%}^s1l03zetcqvBup z6S&j;q<(CP`jw93T1U0g`Da!1KdYcK_H?n?dEGh-^EFp zK&DPiMp<$}1}(v!_uL690V!t^&N)Lhm97k3)PSGlJrMy$B4};ATCR_cQ|r}ok>kGt zBYBnjNarFr?z=|r+FUpcDMhQJ?*v)L^(O+66B!2*VB)|N&S<@qXD=R+IJYeOuR_!) zQ;f=O##2@v`5k6w;oM$oz`){)aRZ1Mog6=Dn4m-jgYjHeu9DJ;>f)R+%NsEzv7Nwh zLa#(q4nyS`M;&5>Wy^W2i~ALJS(y zhSFEW_c5J(gj(=8)k}l+z?Dh-Kg^>Q!+>Re2c;Sx#T% zQxaqul?-?FdUcuf@w6JeQp&pNI^F@(UkJ%qZe6iEfx}TcD7i5MGY@K3dX>tsS-nef zlk)DA@wq7fNcYmjEMd4FW-WcP5-BJZT^J%WT#EBG_o&vE7^%UmsTXorAVfZ>#1~l$ zr8Wh+U2y~4vM%N=#J){nI&4v&O8Y{jkj!hJEuWyIko8iCdvQiA)#t>Cc#5?;a_;O( zvP5!1>N-|}wob@==GZ&ER!~ftP)eLfl9ttD$`{&!&>Z=JQP4R!v?t(ZR31k?l0G2ID(! z8D_+rsKD((`Cx^6EO!$1Ti7l{-;tIjdV&jQT2@`{q*=lhs}W)pp~!quMwm8S(^VQI z_bg02Ck#ZP%a>&56;!Hbah8eQEUL@Gtm^*Mkbj_PLu{E(JvyG~YkVko_=%D^Z(c2L z&KV_@(r?GhXyQ}9(|Oyom^qJmtj9(J^1QdkDh~metptkPF4q>QaSWIfscB1NPj+Qq zz;W+_W6QxWURqBTI=uxkADONU|Iw8>+1rZ~$$u2Q(BF>u zEeM`If@$f}1%q*V2sbva60r*C4{VVB2%tIsV^XwV52{@m{2C~;i^fFtA}#VSU3o#h zh8C=sc5x^C3H|`0S4wT`C9RY_hf>GymI^wDu3&GpJ>gIY;NnFm1rd&4OInXiS7bf% zs3ZY)F_Ou2^}$daqMtr2)`vyB#%Pmp)YWlif$>AZx9J6wKi{lmw zRTSQ(hy|tV6{$57b8ScAA)^)YGMuyVd@XkWY>$#f`pzkMBfeV-?;T`W29a_hNv80U zsnj5Ac-9Afb<#ef0--Nc`Ggd~H>pbs3)!ZobrjZOGGFv80bJYpo*x&=Jd1>dESg0H zp?DFflUFTxrpvfQ6aMFFXw4E0q;duhPIywmfTsmS`+b*yUPSu~x{z>5cm*^U_OCHaV#^ zGi%1&Gz*I5YQqtBCO$!jC9zFI*K#TK!U>U;Axps5j3leZIY)9BnpVh#ZG=<->JsOp zVrf*luh?pDEx4mS6l*nP_lS;{myDF%Hmp|RAl(bvHB1{4Q?ir_(LnZ z6Hbo-r-JG|^2mtlUd3%nDmG9_j2E!3)?7nSQC)M7p;Tg2jWY#;Nv2EbMMzdIi$Kq~ zl_FUhEgLUU!#Z+;y8MOgy)ldC@Ygs}Ac#nJ5o9WK^pgKrbmqP6 zQ)<1WgfDE@Rcb_K&{5+A(bAZ1uT)5rMoCo6l2QguzNGhyVObob9@*uBeu<}`Uu-1c zJW&v2k~$Q7GfcQ-;)20lC(q!J(0OEObmfB)YhhVlRddeMr2b-Z48$VBRFlf`L^+20 zfk>O6K1Lm)?#=dO)+H!adTqYYJ1TbZOAaaw`bOMfT$W`iG^XSWs_0A2`CMp9hnw#m zi$~*dYay>kdW}~dd)RcGxh1wFp}iMbpAhS^A%ekcgKjd1{leRkcq4EK__BnH7T*PF zAd`^@aN)^xp`#!ve&LP0%(E+=S1>i;2Tw^nq{(p)Jc}>cMSO5*3{& zR|`Q_`iy8rdFt4R2_78UZ{;}>SyUXc07EUs z!L(vul=r3Cd04c5Qcjo3Mje5%R;k^yNK6qH@GfYY`hr3s&Sx$^L3SYaJ3)0w*3|i; z8my1!UF(IL%^fa3v{;3^Yqr^*@L5}~RaN$SkqSC(pgtaiH6-ew?$_A(oau`2r1Tz( zbIM{p$oCxd(qXMtrCcgdKnGpT-8?Q5L3ETQkA#lnZylJ<8E0-3-jYC?_RX3p;XvuV65JLKB zxmYZpU;#~B6O<$dpODgt%)-=1xFr~!tYSEaoD{#NmZ?}CL;dd<^easa2aZ`TsAY5PG-_l94~*$t4l-Oj7uWlInuGBKA-PCOmcv0hQKEbePsFjI+b>7`XkCo0UM%%^L=GQ6~|p zDdVBTSvWzErJk^GqWz}Uz8rKeDl_lzix5(AYNjvgzajAwwEvg$MJ;?aac z_=nsfLfmtK;%U3->%AnPakomcD{nKl>C0=4G@NQT1#t;Qk@ItlcPKt1B(ny?51Vk+~e({b5Awu}cj0$f%E&01R+3a5h)PTc_CMl30ceSeT z9j8_Ht5V?|yA~w0;^MF0AeW`TXNOZLbI_2vI_rIWR)F?bnaA!cgVcygJn6bCBj9Qo`7H;Q`<8EieMnW2{E;))P7vP_b3s~t)b%_Pag zvKP3h=o-c0nuhcrh$IE-!cBx>qz=GS9!*p(tom5J=;A0VXt*O=kTL3%%_w^Ti@Xl@ z;K>oUx-M>wyR1IjlWmY7x!OA2P*XRNV>i^-P1=MO`;dFAh32EQpKecjnpRcII@~|0 zPssvdE3Yn2Bv@e56xNuitjbHJExe;&Rq3!Gl z^7A;8hG%M?nY~gVbcms9b&3dw=1=u0Ciz1!j*NDkeG-h(8DjV-GLE25A~yOQPtu4< zHA)_We4Wq5NlDtI2#fYhIY1Rn3uL8H?&R(W#o0>JR$O%`Cb$Jo z!5_x(3f}dshV|&w9fSY4eAwwJ23A6e=!j**#vxvBKVZstW8H_Kv71FJI(F_{FaJ2r$cfJf@$l?yy&d zL-AR3MN{a20Y2L`PS2WrUHiY+D?r|!^Gwwp(R~SOWAr<<3#%0T?u3Ki9SVM@sBp&) zes@B_@6HN>-<@diyVFMSyVGXyyVG{?yMw{+&Z8UrZpVKgEBCEYX!N$NTa)nrC|p{_ ze{b9NZyWnJZtdUvZ_d_E{P)9Of8*-)kn;a*g@upg|Jm5d|J#ZG@5KLi;{Sg}`G0>6 zBX&!e{r7OaG&bUT&Tl|kej?x>xydq-f8b8w6OkUP10g9OB$Zxt?NB7mCR)z^`~PR} zU;CrFu6$8=zm-14YBf7Z-lY=4#-wHAMh4l@4z~@$Nlu(5OR6QQno?DzRu!PMbAG}u zyNSVV+y-0Nf|lFZ;Iy(MgY1YCeD;gyqnvlD(sy{qZQj(cy za(YpoEkICm1OICWivc(5cN>3rcN4{cZoC!QIM_LBI)KmGYgYEF({|8R%bLZp^=-U= zBW2SyzIyC6zkJ-hy0Ct8p>g$Yw!^VCZ?875%u~CctTaBk>okvz+M9X(=3?{SoCp8k zT)gRi2VSt+f&+B)=id7K>iR9{;Ns1-KQDOeA1$oU*PB;wHy0i^zF5$$EPC*g*SvED zTk{$>mK(PpH|xwrK3-e7{MLH@;bEH_7y&)#b*+)wSh+ zmC+*&QKN4!H9z~Nah>MU2AOow0h6Np1%VVz>>( zwke3yQyK3^f4lF6126Hvb-(2PAuJT7DisOKFov%g*gN@hLGd1RUfQgJr6)>7L{FeO zc<>Wh??kDJ0^&v7-6SJM^QA*$ex{gHHi8!QXQ>^X%BM@B=h%Q(1A&<0kVF(^KUc!$ z+|X1s=f7*dJCBROiwxw|{B+4#ETF$1fEsA?Mz;eJ$~VgyZxE;%2?O?dCB_aX$dUaG4}5NLhRk&)X+cIA*yb2q3+@Eyte)eUFO7(h30U?U!_Qh zRvcZRMoS*{C+iJU5G~98>|8KTsf_y}qD^!jaTEC&3E#!SMCkFy=o$=WqtF-7EGIzA zDH7O#u2zTcBynMIBSnnYD0t8Bb5Mg3r9s|~`6C5G0;9~y8%de5MNU{%wofr`r%!@M zC^)UFlIugHRXa@1NWhJ2bNH+?V~r1%8-G}$4fgNvHom-uo8rTIxwxyW$7z1$4I#dZf}6uZMH%w{FCxHl~Pe#l5zsW3NQa?A`H6A%`w}DSdLB!xi3W z-kQS~+Rl-;oCdhVosUF>ezs_Fho;z7>e6Q|O(5T?Y1t&SJ6j<%zB_Tqd-cZE`_Br}d$NG` zWTD?%$t?B)<1yH}b=ouU+-}yth11zXVFM53Pv46l)RAVJU#v9mEU~N*mB4ozpS}g< zpkaI%EviU2%d5>VmLqh7;ARd=VaxpUN-z~%YMEz#uzj9+Muw$7y{Rw?8Xo(0XmE>j z%{$k30r>y(0PrXJe{;cw{6w&ANbqg^zx($ed_G$L@8AnB?)rb9VEsSW#d}0mBK3|{ zbLi(CeBSc##>0&g0*!XPySv`qUGMJGLx|sI?<}7PJL#OYzRK46oP^Gj=Izy(w$`|Dqp^Gg4NLFe_10GA8ecE%q{~)~y1mDCx}8UMt1ewXmuvIH z(UCVskBqc==)~~xktgRH?$|XPooJz*P!mtS7$=@K?#O7Hr2P|hbwFIG@-ltdX4wtm zc(?H)bZXXfRaRS@QZ5DK%ds@8EvT>d1=L~*rC-IzBhb1x1IGj`P-_KL+lk4duvl+C zSn(Pk)|;QtHSS$UQ|w8$2=^YfWNiT(rw%Iz36{)`f$Cm033gvelRznQxftw(JB_1^Q72IR<1D43qlR8rO|h0hsIHWnr%tRVb^m+7B7NG~UlnN2EdG_N))2r*co zj@Q#`yuH%+eoox_&5xIxw;wypYM9)XCV8tC>22`Xxhra<7IY4j2Wj^as4+skl=gM7 zX335N^OGa z+DGskxGLpAXZN@>>&zdvLv!R#H_kIQW_FHZc=P{zZFOaf6WN(JeEZDV+m=zcYs}uQ zCi~Zy|3yj9EYNO;51?KC*S>=0PNnQ_DKzCpNa0#{d z_g6)E0G0nkukrA^=I7UU(tlu&wUrN{68vUsE&^`gsM`RB^=~X~tkUj*u-yX}+C9+D zi_!nuGw7a3T1Sf@6^b9QDMVd~N8Y7)C=#1ZwCK7-Y?NS&jw!HQOqjN2+}r&0kIgS1 zdqWAK+bYpxZFSjeF4Wg=t~Bcl*nuObN6+>i(cK$3&0|Ag>$9p(a9`v0V+!`ZvO+B{ z&o@3sbH0RIvl%QC9}Bx+bQ)O1qK#drDOkKN2A~MIaM3TrA!f~3^VS?C7hw_!YO;M# z##OUfUrhy_4?-(DXqHneMm9LZIwzyKvKc!gBUhU#tI`s#O&C)o$_hU^U&I>8J|oPM z7@$WN>LG2we(R}hV@|t2nk59~$ z+n$*t9hsHw2jSsRTlT-RUISADvqYp6B|el8&_dCMG$JQ<uGC) zr?>}P60?snyX%YF#3=8;vAT+<{)21Y)7&XJoIXxid{PIY!BS+++yHEPy;ZApkeEpO z-1#LZvnc~W5RHt#kB8=#wvKg>HI~1H1;hNg&sI>P5;vHAyn#@6dqpLKQ>wPePniAs z$qFY<_qp>D@15RpD~&rJk#n1N)>HRl_P>UNfjJSpG*62-Ob@b2OYbza{bT?KU|TYH zYK!_*b00hP+gXx_g5o{u4OC~!1GeI|O_XGmr3f+McgZ$Ybws2{KU$MWViILsCycb| z2uCD8Cpu1d(sgPtLFEaoLYmg29IM+j{~b-XU>Kz7EZepWPtx-m^)9e;wUv)y*8#ih zfZhFPTm8SaBEdU98T`-vFT5}q!~YySu$%w&pC13yMZG4x>n!74<72zIWV>GET`%&k z7dhrdmeXk`UC8z)I`$u*#wxsC)ep~eZ7775l9Gwo2D!8n9CijnsZqb%yi>{-NTjnP%K8h0hKg(iT5 zW9h0u0UWw}N&JRZJsHph(T*lHOLOdv3<%UvRcqH<5JpwblbjH$VlG%f5A`zaP{?2R zDn8|%5Ei2h0K3YVCJMe0bFN^!Q_tzZ0RbhPcKbS9#@g9zDUdF4)k$dtZGj918%kvs zJ_Kj{^8o_fDIlJSppDl*HqGR{e)wH;aRKpGI%6{q@>&Gg)cE+({_rI`*5AFxLE>=t z8-pL`;CY%R8vnLLurVAd{^@l@a%_BmW$ilzcUgP5NYHW#J!K=42Ay*{E4C*q)x2cV5ULqK?qhtTNqeH;%?iRCit z2pDpU$dH{wLvE5?ZwW^74C5p7CNZDJurVJzRKiVKBU-IN<~-amfw?1{0czuR?hj~0n{UOI3w0H;ueEKVhnm0^dLpyh*E;?9`&*Pb7GqPb0tLJd z=@_B<#34->lq>5u>b-CEAyZXAw7|>1USg(YM_aiF((9jIAr8#pE&`^!)t#^%o1iWI zXF8yJsA_(onV~q)x9mdSBri_~6vvgsTj3|LGNqoVa<7QN`_zyHg97u4}3^_HAD~ zOcm8~TF%Os*Z$?S6%>$e7A%BQ$5+tv(71lFN0rYmO^yNRuOyqhN?P#Km$CsKtP5;}ojTeegiexdQ;id|~LVk#=S zHI9+LQ}mh`ZM7*fJW7pV!ROvwiI7Zn&1Ek>FS(RL@uRXekDxbnHUvl)nojU?uqt6yMHUieGnk@#jKJ|)E^j~k!lh>bGsL{NsdeUjvT4onk-c27gJtBN1@K<-^ZeO|3I_wdPb z`YqwgwuxGbt+^AeGKQ6j{EONWJsn_Wb}kwX8Y0}lbFWt&(|u;?G8VQ#VrgwvI6#?K z`a^wa4~*xF1LJ-;ZD;#Os{@ZtMkIt#SE(mLL*EB>SIQ=H$#`;XAukvQWfbPD0CQ%* zBV23W`_PKpUHD(|cy$~Gd>Q0yii2<8zkr_h|gy#C2oME92;BZN&7 zymDfd>UN~ZWT*WhVqVCA&JV{0*CR*Hv?bc>Q93jzF>lc(@9B&V(fCjaLKG~DQ+kKM zzsTBlYIA}~CGP7&1Zzg}8gqO#pZPz3FN*NDtk*fc8}M8-0S~|H#4ixv;Mqyfsl1JLWi5!dWIA=Ll?cK z7dqGX3~tTsnlzV6HqOX_W;8-vm!(kl7PzPi^`tM$X=l2NDz>J_bi0R*^vv$fC&z;T zqmhUlgItz&SUQjH?%Fhy-aPl(FUn>sE(X(qW@w&`NJ~+Y!;jh%g9#+)$P>;s7vpR( z!g}glXtzGXZbb8L{O<%zX)pn6_k`kq_q}-Vz;68Sf5G_Q-KgH(sNUVE-rcC)SFAH< zC!>1pPjnpBOCgEyzcTEi37;_zieWw%*dS5amMBrS)9Cg`&Ck9OITdB`JNKVJJg*-3 zjzUCr2){JxegVtg=cmr0Ft)J|h2Bp`esSoH;bZL{?2mp>;$u@j_RK`f##Rk!kjMC*8Qe-v z23-|dha`QUpMOWWUQcfq{g!IW(>}yzPf(xT{oPL z{U6c`DkUjhP}L;Ka3F5NwTFw1uYd5?Z_Teg_#rt6xD(IwAqRsc2}y?qXS7w&PU- zHf6xu+N7re^I%L;K*ZyCi7@71*T68NMQQOOaGWqB4=Tt?1G3g)%ph>{v0)6MrisaX zC9LXDV3ERY`m|r(zhU<8WD2D6=~kV0YLC zl?GbBu3}4;KgUdvx+(p=;1B`wS758S2*61{go(N>$Vn#4mk~D< ztCPPyucQauweM4)gh(!k5P0*Nsv#2&pPoiuYqKV(K2<6z=!@-vo z45y(+`~rw;xmngzW8$PVBj=7Ku}aZ!YQmhly?E>z8L+S8FiU4fR&)jL1tp!Kb7rw_ zz=MEw^qTJ&hTj*j$P{fF?)+)h`2x8{Z_YP9xPeN;hxOEsMWw-wMS5*4{fcFCcav#V zb{jX?aEN@6v!L9s#lB?kHfwt+UJ~nTV(t;}?n(u8Oav>QmHkOwAeU4QbCUAK4tYy! z@@g{}N^+^U>9mUYdpHN036fKz{$;$JJSQtglP^-c%||Zjq*@tjeDJ^VQ22OdCkbma zvA11OrbihbEOOY#zO^SJ&%?Y_tF!DE#-vD6Bko)gXDf;-7)H6YO41XCnqh=9NC(Rc zu-Bb^iCp#@j!d{&Z!E1y;4+tQ#FNtvNaL*?(6LCei|xKuhF(1Ea`}*4w{X@~NGsr*{Hh4?gvmNwoYfKaq3Ac*=8yh%-wOv` z;(t?kSe4m5Y*jZ5pQNYu_L?^5fPxD28kcXQ_ue`a=P88h1FE?8&Smu|Zp3SI#GtM0 zrR0D_{>K>+CQW_Lr^!6UV2J=O@$vDEoG>Jbz{lrNX4gHrzR^=WifYZyn~0S_B|^w5 zOBzfkQ_loZD(+N_^|fX;O?Z7lYxC3hD()23s{7AT6< zyiJpCmY%U>aS4G%!6si6VEG5vB01(e5~RH`w8^7+f2vr54^NPkey`rRdVdoM+%DST zn2R79dgHZlc1yU1T}tn=EgjYelmMyfBKu0}Hr9cxXZiIADcWRXR01G)E5XOK4RW~{ zKRJdEM1zjy$!MyE2z_?hWi*0)wyZNlqlQFXlYot0EQqGSN27Z8c)?0|)E3RebTc|Z z?_C2e5f2#>IBj)rJ3$zC!tR4>K+Gzj>P^@* z3g3%-pDF@?7L_yJ_%+@m9=wc;t{~Q?gBf@!OT(&G{E73S6$6mii2&cD?_vaic!l7C zLi-{WO=c~54vxNR&j5cL&hZ+SFeK^58lfUx8K*_S=vGL9CWF~DQ>D9ZM`?iE#52%Y zuv2GiN#?2BKfp^F%7XfSfh-e>cFDv|MgT>2906sMC)pUU%wuvDeH&Q*>NQ4|(ER@~ zVNN_)j-iOHEnjxOrps=me1?MRI$0xSE{85~Ij6{noqWTDVJB=t8p>)r=q>!B;s%IU z@=3IG)H4O6*zP#og4=G)!sW~7vbH+po(pl8}j7+YMB*pcbsM+|}`u(l($3Yvlnpv_=7 zAZAR8A6_E8C=2vwT6Mt&GL(jDv0UghyXBF`BLBtrtF>Y=D4=mnY7obqrq)dFPHr=6t#xlPYFf$_8&GmN{Fom?{z%g7?Jlw;K!$|KD{2?m7W?oq+!(oPa8~bmv@v))zW<0P;Jb zo$KE^)t^lZJL$HICgJX2F8|h3^|>Qew;fQ($^}`9&O7s}+sL>-aXw$1qH4?=Yp6fD zH~q3*o_*(FEDhUGDWf`jrSX4+E?}fFrvph^9L`lP!I6c#v@*kgvm*)LliFPTmgAo> zk7vo!kVp9*EdrHx6erC{{y8$~&`kp~z}_miNhigt`d3wxL$6Z$!Zv=&=!}ucjx#hc z1!RT%Fv^kP@ip>ipq}@Y%6n7*)85+h?dF3O+r{Xlo3@?;jHXrwL>z*X&n*bPYDRnK86zFE!)q%&G<+s!rGdsV$0PQb))?6_B{(+Lwm1*zcO?ZH*{^0F|ap zoqpKCAPBvG1UW6qNop1@G4FRJo>xP89f(J1c|WOG0j=BToI^V=s0}U@V>G3&aqnL! zLz^}vS#z(hs3fD?b;{7V9ZN~VoRZJJg@0>k1iNdQwESi3wFlo&zDIi8KvHvI#{uBk8e228bYo=fnjsU!JfaxXFc-z(^IyhP5;u z4um);@hp?U)g-ezXMRT3&Gr_W9@==f>mM$m*_dFK z0(F)Km&#n)LHZt6E47I#5Ttx|xB$~w1me386lR$#PS$`Imi;RGBymbGzl>6s^;&Uj zl8S_gZm0qqe>WGPG$2d#Tu-r740@tfYN5{)feqn=V(j^RnF8M?C02^;Jgo@ddfy2` za#zulDq>&%AVvOkshP%WJDw1U3PO+ZnO2Sje&j6+#gpj^^?zaETP4@~AAHJU^;9Y-~~%>mc}G zG8s&VEq*Vi=XMFfs4xR9uVd%FypL%9%&xR1!TJNoJl(`$p|tufors^WZXr>*bB6XR zGPLnraG`Vcx+O#FFzs-!{Q=@_hz|f9U@zz+dow_>7iQ=`rBWIHJ6^3!hWN*C`9GEM z++H%b?i~-p>Rv`_=cWzZnQCk%@TEwpUyVpn6iI99A#n>jj>b}s*v6coybS2Z26+EF zQ4J;!SO(1cGzSn#wN{G3Df1bcQ18`FaEAVPr%#?7d+kgdz+pVFg+&>&Dyx?`@X64M z6Qjm*mMz_c3?XNgQ^Kx>Z3&w&|5VC#FVg>B&t6;}Dyo{ubMtCZ+)vrti_HubMwGi`7J$gB#psnJ=w1OKvEin_zr`kxh@e8Fw4fIyeDWe+} z{W45YmB53rcC=Kcb(%p=S>@AY!l%07m2kE=;pC;mtNm85@yNuN$(aFPlcQP+A6w%S z`hn?jW)vx#_Xo`nOf3BJ#tWs1^ROTn@)LnOU^=+e+)S2ma7c+Rh5!{x_WTQQ6eCFu zr6X?GBP(1WNreA17$HiIpH?{(-my2hJ6v4Q3dm6}n>dpcGRsJudzUCk?pl-Op+#RW zOi^F?Kasv#8($sj=+}7z#TljzZ>mzNm91{;b|NB8YTum@q&SyI?RRxLUo4kO2nxY} zw3=tVS)lJk;P_HMsD2mn=zGGl*gPDC{DTeCibyYXx2&(FE{wx*H$TG3keI}4XV3}K znuz!r5gyH!k}_b&-pI6}9VDCJQuT%QT?(-P;hE9@t7V69ntOGfZquPYJj-+o9rS7N z_15B|dtj2FxRH~RkI9%AlO)4vz)Y?cO`nM(a*8$R!T~U$uEa8!axlnIDnun<&V?}hHuyM3LZuoE} zp)S4FGoP7ys0WI)U7npQNd9NAUY-gY`CRs4LUL=Ykpq_r;}dCi-I5O%1ERzr{g`9Xj>~h1bWKGQSYfOBZ6j!h^A02U3nj>+_eFu+d0? zbN54oulJ=ODRsGeVxs8FC!GopLU+ohBny;?H*x;^B7J8i%9^!Jg4xs7&oFSLYEq|g z1L=2pbg@I8hUPLPm$}p1bVNL=H{buWu(!^s1YhlVNiDP-TUv0J()5T9tu3r8ODa_j zk3|Jv1Gc$Q%#e?>oX^F)*Vbm52+Gr0yl)Gwl)oK&sE|jDZ9g}YFJ{jNvlZxz{gOba z%S!!1h|P9a8%;{B^-vq35=KaT^z^Gou?k*G!IIQD(dJlVlD9e#CKL3c_B|sedFtfJ zW39Cdr(-cCf*R;V21k>my$#qPfF#h0{97+{<863&@p5zVib4isAOG7+>o@->W=c+I z^928CV>H1b0Sq>;dZyd6K@zEoVgeMJy^FR+EQ~=VcmgC2v82+x^A*@;SmxvKInLlk7(!JS z;p#%;!#ctCukNT}c!Ob5Tk=Yp1SIsvY~;h@eiHkj^7WwML*ZCvxq7U`u412TP)(hk z>5b1STd8px86l%mD<%Le3Rmo}ddhF%^-sr(4QvQpvGsV#1@!L1`i*Oium6vNTvT9{ zQdNU->cnjiI_@WT)gzIYDI-fE%L4_X+H0yoXr8-)5jy~Twom521}dXMOeB|VxOH&G zVLr-df-v-_@V`Ztc&bd87$}S$dnGcM7*%>3?a~Sn+`elz85O%oHA;+O!WNb25K&nZ~HbvB#5@f3^1c0A1P^bE~N|*ozwyZ zPRFB*37I}Fw*-WuWCZLn`V=aFF4lM~2iQg>Ua^CrcCjFLQ`(-Tl(ty@*Kz-RfX#15 z;#Vj6UxWKz7(B4gp({PFV(CrBhL=uwe!j<(El> zEc%v1k1~&_91;g-k_H@dEse?rv=yi^C~U4xq;~zSmzLa>F|k&79PrqxvRVcIqE7yT zHd>{BdF|4_;QfRIulc(3j&K@(zcU3CtYo_GiwW%ZKNtinVh@ zG>5!@^4^340IQOK{^Rxk*4w+M7hgU$^2W%qzP&H8I`$?VHIr~y!Q$c%IMdWCMfJ+L zpPW217I~#wskM6Jjgix5Mo*sT+w1-4NA}GlXHOp;J>8EDzy{qOs{mtNApp6m01iRqHp)2i_yMsdK( z070cvs^D+3h4tumbO@3}Nl35u#{06@L|F8Aul#8LOLiL|x>mhG>0c1~6a3e-AL9Fm ziY5LX`o(~HJ6V9k>(HJ(IO(q)8-D%FOKREo^hRi+&zbXh3)bt_GRTDL_U)N`?#(xU z`KI?~*RNm_%^1eRLvOxm4=VDhUzaN|o0Hz&{~o?s-0SsNjl0wNmWP28J>kHfJ>wz% z|1a@h9{vkHIWREQ^J~43W~!K2JPHXsSA@N4CJh)t`CPREA`;A{*UO#$Cq-|Csf4b< z)gHSegW2cy>=_tsxQ5fU;fXr)Z2!tQWs#)9%p+) zf7D*ZhP-i54$mjFhxK^)FQE!~i)q4ex?E)zi!>hcdY#W4D!wEeJdI`b^_fP_gP1>6 zLVH=Po%0>EQ$9b1k~aF+55d#&ci+I_Q^QAoI{Z2uNAN_xI8mtO0`-vj8F{XdA6L)t zpYi(`K5RWBKketR!xK4p;K)%t2oJ$V{ipxy%um#*^FOk`+tZ6T&Yc;7lXQ6O65RY9zLG%u>I7TBd14CjU_!a zdg9F3@Udg(eljwAbmTNWp)O%3`ns!_%ZzzNbWg;WbNcEzG!pc6pE!B?`0%lF@+v$! z)P3soi2EB(YUhHybM{2^t;iL8&%H!x$>(r$6#}G7&Qm_zJzWZ`_GSEixI3)Ly0RkE zJ$&TY$s_RL<1f&Vs-^NdmR0%&{0Y*fvNJExLdwr`GcTOW1?4dIILo;3me3Tu2OFm= z`JqeaCZ>al^XEXHErSqy4ta1#FBI~{^PN0hu1=$osnt_Jv(-|m(DIS0$_{V&P*|Jt zE3F?dX51QXn@yB@yHM`$h&tPJs z`Bezb-!r9RzFMj{Z>!*3^OQ9y{Ig`uhyEe2*NV~4*NWjZ=#$n3y9|bY4!+y<)}`Eqy!C6k zI%7AA`^0@+_zu}4od@Nz)0*`>l5xWGk?&bAL_V!9mvfWJ&zHl5r(;*5vt$}T&T8Fo zzvDCx??mRXR*Zd+4-mhIa^^X?i$ijCcc6{4rx3~nc9r zfRd|0>h87Y$m{QybFt5RWdNArKoL{a_P_EYTeW67!|aN4e(oR7AzpeJy28f~X%&Zl z&09d9NlF*o8@`o=|C`$T>zCYC;C&fJ+4R~RY0%M0-RPdOQ7zy42T%;nhX>wz%TjLX zEqL5E3(#j-^)e$-4UxIgD*hd$OrE%!9w5FzkH0F+` zV&Ip*%Kj4i|K^*|z4fbsH{qWj4ZzIAnwCaUSuV4xj60DOWHTc#aj8;00+^cE%-AiH z`%5vG_(1wzYX42o`7Vu{*Tjo_*?a4yp1t0HmwoQdfq}mX@ela_0nku0Z}#HVzJXu< z!@#dVC(OJ#nAt0hfw1$lpZ0lsUmbaU^aQB-hUJ^Btd-v@5n-ed!{#Q8gW^up+s<9SeZ_5Yi zbDGCcrgnG^ZRD~Y{>doU{l6tk4nCm_OmDpf575oO0Z9>W!&^PtRtXm;lP*@&#h3Iv zQA=`A_JV?m-Nra_d=1pO{z+Uw`nK28*W=jwc=aZ7efFp59rcQ~|NO3d#xD*kr5Jss z$W8E?y{knKhCO<8%QPaj^Tu>65R$ z2A7MK(&S|K@!=C^)HCPsN1t_MvzTNK?imoO3$qi2z%SYdw)?w_Oea8I(dTABz+)k= zKXQxaNB=s<){jugb5CzfhUkmkaC)k4W2?a>P|)LT_n}CXB%APCvFC?OXAkvxV`yVN zLjQ)9!Li~@%YXa*85$29wNpWkiJlr}9p?JK?h2?M$Q_HJzz#abt>3ZjA=lKJFPr8 zxf(;91Q-M~im!687eXTat@m89RDI5N-pGdjO)Wn;%kC^18Z%Fvb;Uq2VPmFTon;pG zJF()T+a6ijK4fLUF|DTt)lRPm!!%OVgJ6kf(BGxyUG02_ zRw!*>W8R3lC>&rczC6q~O(uuX(ws&q1}6i@aA+?RrF|QnGkBi|bm-Ukv3%t0)W;Ds zSYnp>9&s>;7y|Q0egyuhMIgGNjP!Emawpuy@B4N42yKHyUVx%y_YwI;!g_ba9FS}{ zAPKC?+(=O3@EP+!MB$G$5H|qC-?vNwiSI{E1L+SLQ$fO4+BIMq5t7~(i$e0d4ghWB zRom8(__k$xh`((cA`;)W%mVSZwTU9})k4~e+V+dYHyvX}{C#(|<8LeDM*L0tPV7C$ z1`>bQHi#s@AE^`S#cwN9M(X>PEhXN9HmoGQZVV@BccWI9*ay_d)K@Dxu#z1}7UoMb8X8m$7dae7OlKgl;9)#CWZ$9vpa1sTS%1sURZ0 zbrvB9do1?M{nXkf-L@1fP;S&?GP$>9_pNSG7g|u=&MzFp@xB=SUe4AL+u+ zetNk3)zK4ZO@g2N*WvCX!>7(28+{e|#$ok0Ts=a+kKkWNM@}6-d31y?$Pc*Au@HEX z{(>u~PSMX(r|55UU;c)xzj&RD!at+S>c`=3^Z-h?PrSxY zynf>B*s(Kuk*uF^Pafqbe=-c(*3pwc{{H_~#)FOZCYv|28W8I+Nc=yyvzIy5;{5o-tpMn3v zFJufbrZF}B&IP>xx{7C$KjGS#-ODl4PdLkeK?HDm`1CK%>G$H7;n|-b0b2dZ$&)`- z-?cB$efOq)XY|DAn7Jdr=#KuTKq}xh1|B$m^6ZH*xn*6UCse`)yNTo>_oDNh`L+$p zg-@ItesxrC;h*~2x#PqC^W=g2 z06*k9NLi;(;xZ|&9>2;@I)LWtK^NtmpF4K))!}33?B=XX{ES^iQa$8Umh5)xF-D&` z`YJymp(X0J{B-V}dv*BCNaO*!7I|ufc}nz}`;@bm&c(=c_L@2uqtBg4Xph$yPf8St z@wWOKubvovZ3JXz#R;4Xa38k{c{LBqpNG3o5Cc1L9RC7(9phj4*Wqs1zj%7!CHa%C z3IFH6;EMX%N&X7`=fxNFl^0()+%0iHcuj`{$sgxlJ&UKo$-bb^AVFF;9SK6Kz5+nP<+PK4#yCpXQ!LPmxRb%<*$Z!Z5%1j^fnnZ@g-UI`KXG z3Ow=C*R7pve%W`m@8G)ed`iGLs>`aF8w$xCiaTD z3V$9J>$G*1e!z7d5+GW~U!WACh(JC4O;{62M+ zf2w;E<(jzzKh*V-^+HKMeIY33N)>a5f6HCf7rm+``tz{-$=47-%DOH;;okWEOEZ3v zuJfO8t)wV||KcmvoVrqlQRXh>)idNHIS-4$;IPQdFXzAoEM^ z$n>bc8mFX(~dAPd-V{^vk zTsYia_Gjb<{{>falj;in1y}Tnsl`eTY2_!9?!X(NYBZ!aE489MJnQG-?$GR@P;DXh zqS&vvSKtZFq!e=sXG7et>Z<;AxLcy8HG$c`;jUtW7Oh6FSx-s(F6(sJrp+?XoW&y; zPZf!PGQW-elI)dTuMPjNZ1qyLyZi9SiQ!j|q5ga1RZwcqjh#L_a#;Cc>Dk05x-19C zVC#pp7o_!b;tgr@kmVBT;7Rt2w0W?j*2GED?y2%@yGPh#()uCgIcfJ4xldX@q}(X2 zpAz>%>xamv()y7?*yaJ{U}^o7_Oi5jtOKedmrLtM+CQQFFYO*1cx@iBy)&&Jww*Bt+K(=%ws@-5cMf)U!-+WL#&C9bXV08{4U~zI zGeg~pF5V$8C1zX&*fQcu0F0%LUHC>e{St3QTP zy!Fu#edXnbGrJbT%E=P_y;+avoJY*6Yvk3gSmXSrJ%@FU z)$Dk1t`cx&S5UUXEn4<@t6$(DaoA{g%PAg8OaIXM9Ouw%d-jZ*)6w0v>FHJ-ihXe? zb^mVuTTb4I{y;Q$WoutZYH_GL5?C_Sn$lZFq@;JR13KxBN3d+LFVX0it#`)?nAuog z+(?^k=tv|oXM??o$MtMemrNYcCVJ!q5p6?J zSliGE6STF#ZaC3iTknV+AhxldL_*89qboWTZKFN0W7xLd5j*T{V?Buk%x%3ZR?OMP zdg2DFZM`Epm~UgvnX;M8;q?d(Dp?41dtsJram>N0cq$hSA-qY)X?BF%bdKx^mm+f@;V?U-% z>9_d0iNm*2F3GNE0pRth6m4pf|Fi$s^4wc*X)~{~*7l&yiDRq!&@vrQ>)hKTmRbE+ zO7^E}opOo0IO)yG>Kb%XqVtjt{gOvu0F!o>0rlC$zIS=iruHW`rEHuMXI}L74!oHi z{H5RjTTE&gDDy0GjC$Aa;4w~bz!(azY;5$laePl%dXYOMmhs#nlb=4&qteW}Jl&fd zr+VAz=3*kJ#N#fNHeY-x%w(S%$YfqBzcfvMznO&}l*}>st6%Qx|2ye;W-#;8rM<=o zPdWFQH?#I5nU{d%m3O=ErPraEH;b99B#6^D_nvs^1YhFg)=W^MASPK8 zc0+txU`%*d(iHF+wNliUET5zo_q?Ps4~&_+Ckjo4`OM@2NT$C5{)&(xXEnR;OX_t` zGGWU5hCcV8M~2BN@A@y2@(^QGrg8~&B6=TBa%2ueGj;J4@wa69TTF^d>29?rlO{u_ zg16qJGzq`6hX1?nZiA;me9Pul8n;VvD`HlO9LZ%e)R{xSj&Xw&W`HCa<9+t4`_mSM zrlZxy|DBClAzN?fHr}s!YV(yt$qV?B$w*Da7wEIkkOMn(h8%bTXUKuh&X5Do@ELO8 zukj2y;E?ix|FUPufi0dP2mTYDAqO^jh8)=78FFC5XUKtP>I^xsnKNYjHeUJ}a$w_U z$iW>tLk>QHGvr`rXUM^4_zXGt*La2;bV&K&f7vtS;1 zRgEr0*UEOMfPeMj2AcHqg+njN5of`%Yuxre=a_@1q3uI^>9yG)WXd%xR6oE6t#hK~ zO4V~=5EP{-LKk;KK}Q}I>JJA@0Pes5Qz?aB_Ut*_qeCwZ5ZiO`UJQcmxjqdsWv4Cl z?e(k>OZ7zbrVd}lZ7ta1Q3xu1p2CtM87U}!DZ@Z7DHdoQOmf3>aZPCZ>e(Uee!0k@ zd@@lz>LdOBjB49HypkX8agP!pO)HdEI@Bt{5Qc5F+h^o7AUx#dyx{IJWsO)3i^g0m zIfG97q%+Wn)P}>bk1P0mPj~m|(IGDZO-zLir=gJnZO@#~1IL{lJqlxC)Uj@=$>q6_ zvfT&(#uvNk0qEM0g1K`s#uNL2EaVam0ITvDR3DrwSP()R!@y;N8|znzg)N|Dt!b2} zRau2dBZ^QEaSpn3=}{*xunoFnzZqZi1`~W5|`l3=XDxc!2QN-g?WN zbvU8W*5Mu&@|+>;*@Kfj;Jn(9gO*R2lpFxB^T8=&!_M9}eW>j|0Wgc)s((5Oyi z1IVln=3l<~=D@G;O#b^J{zU>;OY_p*ZA22Ha_t-@)&=JaEtdECY5vcdUmS;j6J7uxDgv{L z%kk>j(PIWSjw~CA=cI+q+HL+G65KfkUj-3w!${f|kT&m}QaP~=i#j`M#}>)BcPjq` zdw)(eF)C<r*akL|T#vRVUThV33*DSdc@y1l|OzIE9saqB& z3(-tH+ru5~>hc6rdH|8Tb1y+3;FGdm__Z)IVDR)NlA_JWxp^T8Ag5j_fg zjj!bN9E#Z}tL;XbC@iCqZVBJZ4LI*A!4-C}41Yk`Ic!DN8r-k7U~9G8V@-xO%Ge*k zeOOF<&g-wvmZ9q?EMQ4Qum9k_eICUvgGxA4%6YZ_QMq`@`={S|Z@#3ztq120&q9f% zDN{B}7&ihDTC?MJZlVnHTs|Fd!0NDIY`dcD4v$UuORrl8J&K88#8=~;QFaO4 z*%SRFRUM~p&y+3%y44}NNM-d3L2;@&&2_fy>sUjYl$s$gJ{Kt(vXO67MrLKxwi~4N zXzF<37)TtPx{)+M=bkml`1ktKY1H19T%ZM|3N*Wdq(K*kqUCM6`RTe-Ksj>c5xo_ zkXx$97`2BI>(=N-tTjNpcQOe&9l%(VA7 zqXMPcj!Y$Ua(-e+1*4kZMmy2hy83OEI97v>Jta~TBj3)4wm)5XVnyf|h z_EX*6G2^ZofK&-1FN89AV*!L>6&(#Zk{rzIWOc8Fpdzamf#>A{tW6ktVwT6s+%x{H zR|$So%U1#}m+Tij4C$r!D*-7A*`64f#B0OH&Ws$EAYe3^4)G!kMJtJ@#la2jjL35$ zh&`(*r$mWT_oVfNnj~8H)Zho^A@fyW4>79nTrIX6aj}Nnnq+j1_%s1i4Ml2{@m0Q$ z`Eo;%qGfzl-FLW?VUe(s)?MsEVnH+K8MjGcfYuf6Y;vJ9_bK;1HHf4#Xzo+)dozB~ z8PK5p!%AeyJQ=7fp;q;5Vq_J278lW`H7{-V zIuZ3l$t8H)sC#TWf!BEnk@?--G>?(_)ANS&<<66uA9DcX*Bp0q#QPk%JLvvA;QoXK z&f-Bclvanw9NgBKO{XusdFm%8PyC|At6ZFf%}ewzcv&O`7SqU-AxqACzhl0GZ`#&E zw$XaZMr+nOft5%NA-8dtzj(UH(1pCmdzjb>IZAjZ68rFEd#Slenl5A_v5JWH{R?@| zWfzXL6f2Hs-KQ=^IE2FyVucc|`-n!E&IYU(kx=Zt@3|Y^+TxKqi&2_!#5yms=OZN+ zJy-aS?N@v}Z4cX9FL7()yYbzL`_hv!!B}_zL=B3n^ya}9>^K;r3@QCS@K@UJgMXF%#@s*dHFUpy zrQYO59H}vF@TZUW!S*bc{iz`PocA2e*K@Ge&jFp<@tYVBgQF17ap?W>`Rswe%RHZb z@%cUse0lxESr08>D9jd1RnYv)XlKUFrXyuAs^+AMIq`gtQ!Twheg-7wUX-fO%!Y4x zAS*+^F}@5%=J5d9nh1g%7F5fgI63ljM78KTxWGMv%)-&f{dOsT-`^m|(W8UzIUwA(oK7D%l#Mm!h z(vgzEg@D`1&y)*!j4Jdi6~9=Wg+6y5A31&GC-D66tE0!T4ia?xwb8K?BWKQdubn*Y z4ST1CPmhfrIeTpQw0G+4=~E}qjAT9UOc1Df?M|FmH4kiUDOE5u5$LD@r%3lNU@=4J zSs~|5`xh|aaUuZS1#5sJ0@ViAtbhe6ahM$cDYN(zx_{sl%Xk+n`6``hvDNH0tC{ge zixb(5cVG}6@r&ny?!7Zrco-UZEk6m3zg8%fDjDxpkXrHaKk$B0DgpiTkL)b`fYl8B8N4D}puZpf_441q z0YCPOQzI}dlR>cxG;!+etH(xoFMVZmN6FE8V}s z)>WhMx97bKEuvoX%F8ej!7B+xOp;`GM^Y=!WGhC~xKR7tDw7LhKWCv0Fb=u2ssVP(BBjkfHIP zwPLxFzW~zx6f6_A;6W1?OO^AUpPR`Sao-U^cpO740RsK1rN*QB`umU8zQ5)*-(G5d z_D%E7_2%t)uTj6d{{Cw7^K0vum%O!=xyILc(`(l6HWzQMU%S@4{h0eU;C4>;okl1l z4ugs6pp2Ji4g2pM4Z;af;iz-aA!xhthj(8dka^|Du~=@xpkKzp&=kch&AdFIZ+Zyl zQ6Y0CRg(poF7!BD87@d$f{gCHEN0bLY}A;S2h>%sT<|A2`dCdc8ec1ucvYI>rb%0i zE((f`0s$9YgANDN_+lYxwbqvB+IAi0wXyi9`N;~kVJ~g-_Ud|ldHrAJo3~e*@84~F z_1J6NyVm&luGhGEE#oy87uIhsG;i0vwQpCw=9PJ`dFM*w>fNj?J}-}^Qe5c$dbzBn zJ|f_vzO~puNP4m54SThn^`_&5d~Jv-2sBM+;7qMh&6nXK?#Fx(!tqoLyfU5YMLevS zJ&jelE$+kb5Q;TxDYd|>UnrDpxx#`Sr4#+k6lltt-VtrxDKwR-wG zMoA=HAFt$dQ;Bzg360xrMS5X(qA`EH@%{}p1vp|EdtGR4{pO-g0ZDB{2XdH@L!bCi zk|^kB7%`Ye1fMRgtu8m~uyV_n%~B!(z(||7udO|NtSACzrtzm$+$XT{fB;&otuGlI&q6-JTcbazE9KB zYggtA&YL1xvHTjj&cm+YZ`e+Rggw zuX%5-`T6z6^@Z)Fa%a*NL)_kJ=T>d{4HBdpW$R*K>>!uHqtppFD8fP+@dc!h@yb3+ zWNE(`Erk(e!F8|kJuu$K`sl$$TfK(z=)Jkv(nL4d{1uXDpdmPkTXd9;by&^Co7CR> zU#;Jq-@!#yXW8~HDz}QdE*9AG6StMN9Zcm(f5z=+1Y&8A?~&LFjS;&eQeZkznkPTS zl$7DT&^Sr#-w-wM5|F5+4;7J1m?sjSq=#VF89HcwdOd+m%!9mY_TUW)}jXhmp9_d}APVUw$d z$jE`u5fy-hov$Lffw~vwF=dqOH(_vr3>g!Sl#eoaXo_zaef>Q33aE(np#&n$dZR^P z=|F23mJVO_i?gO$xS?ff0PR>4rCJdU71h#3zmnq(LEAu6yhG1cYjm?zK?@uF(3^oy z^1!dCCrEwvMkh_n*f569sittiWaX zKPPo_`lD%5tJ)$&>oFm0rSUduE%W#vr0;hwBmJA_)P|~i>+gNHe$(tLE#)^C9yk6p z2c(=)S`H{c)CehW_N%rs+5t;%zH=KCBwL~Q5HzdX)Lq=`58lCz?(Q5*Xo9XFk63%~ zL-VucOl%u->!iMsX6LD~Us(Vdzj1Ajc4r!cQFGMzx8EaMY2N#2?O|P=@%q@hcddEz z2k7rgeS;^4Xu7aMus%LSOD^HYJy6l zO*NvScUwOP+u3Q*EIN$#IMmyhSDRlfJ9_)eVSdKd{(zeqlU!HCmS)>3j5ZfDt94m6 zwZVu@jYs2rCbRL6Cm2e$+6$RyYeG7oWp*ym952oRUAl8j?H%=t`Jmt(3w{eMz2v=HFE%4RD=wrxEf^fli4Fxz|F(W1OEPVf`K~QEr24@3qp)J?2CC!eyk5ROY zff_(RMKI)%%NPIEUz*8-pfEL5<)0x8%l?f<$(j6b1FW~gE`e~Un3s3`!bN{J?57H$ z_5<>6oXw4Mtl{aOL;RCE1QA4%Uq*D!Er&S%qC z$xGco0ZkW5@#_KHpl0~aNHI4==I&j8>tBWcH&UNu$Nj%Az7X^O!hd%Czt5!qcl6cc z@T*cr*YCcA8T|K;EeCLv6T3VZIj6AUT_^Ca6L{ANycs7j$CpWXS&}O_ApouCm1o?E zEN4zTC-UGHoXGYkI(8x-^J_))Tzc|0(Kb?+F&gN~2r(D3WwrUs{q=XRp@vq!LYmYM z^Ue1_IlX!pw3Q9`i)Ufo!+dB4I5Cq`7h_H)XV6jakYAbdCZsxl}8XdrMK2*L>;c-X`=h}jcWwCZi7v8vlxwK@w+p4tSA z&z%UC>Fw#-F_*hoKA?xNwJKP*3s_tT>>4<*t{s{4BrnOo034AlK0-;-il!oqvhaL@ zZvuS>m5fnAuq8SX3PPNw2_jK)4G>yd$pi6R!Gf6z9`RTQ(b}(FYutX^_!C+UjG-=x zesQp9GI&&PzJC{W`R1awACUHLe7tK9l_yM@Ef&!3fc^vc7Ha;a>1#(k+HCBvp_c!} z!rGr#L4o&d%LqP5+lUM&w3DFi6d!!b+Ks`ym=(cM;i=DpNTF24X!P@F%bj&*KMU{q zRcT@dn0}}bZ%g~`bP z)i`W9V^Po~om&opATk!T%iwb$eklr3@`UbIoFt-41|Optch(A*`;)(*!+(Cs@k2bi z;x*r2YJBl0S{w2V+iL^OfBpN6B0GDzk(ORS6A=>`k(Sewd88-Z1A4si;EG=V`R1of z=&VM6wV0Ez=U+Wm9ldn}FO$LP>fL7jPw;Z{-l}R5{n*gbwfjhDY;7aQR`b?Ejr+_>eV=2&XUU*_J$szxT&pZ!BOU`$}4~m!1sPs zsJ_&;4?mi!z7$`Iwy)vN*@uQ~&F2lv#>>Q*BV6C^czkWqPQ3WfXn}3se4m@x@IYd% zZe+R62eacPzmoGr@(6?9)B<$($O6?ua)Ve@>>-e;+5*xJ?v3Bnfc9-u2<=cYlEs>b zjfew0QmqvJhwuF+c|qvJT>Pl{-UsBm1v&=Gv_3&s-$uJQlkE4*ro8pH?=~K;G(M*2 zDmZMLkLTcz^&54%gVYX}F$RfPlbGW@*ddLFtM~-$r)cL=*i+{g*^{DsprADWUGv>} z*CdkgWh`jU<<9po>MP18o=RJ_&npYQT7n;zvINiy_5cw$?G3F57`ww^&-nqV4 zIg<9u?^GXfx-&UCZu+wHaNgN488vPlthl24Xm1gAF^ji39vYP5aBfe;RU~5E>>a2t zo26U(f=#~oS&4P1mTVaUh-#nKTs2P{C5s8~0;6L@t(gwd7c=QoFK>*jx>Ld!BE0xVj?L$#cDiid zpDKc6n4cgHjiH$LBdTmCEZU8Dv(?*NPy|YeMiC~)5VmB!CrUKWj#kV>TA@>wQWJ{= z_^qSHft>keg{Q5_*rB(lciD*9rr!sex-+kg(|b6HL4b9U1GYki?(?{8T35f%kA zVJCnp(E^muVfc8ZRxF~X(88z2=4-Ec_ak&%*@C*)czXrK{`DJ}HQB7MN`C3idxO;+ zbl?m|GX{mgZ_z0{i49dIC`Hw2ie00GTE4LseQeRMOia7&;gt>gtI6J22rl3r?$@eU z=(cOFZ>;rD&0tujko?#@^7V~1dYWc4n8BF-{tz?)q|A0N^R^$BMaoLa3$h}MgCJ#hS8(YOZ1 zmOGdc!>wI|qe^?QS|!6JJxV9R3VJ4QKK7E_TWx|&P@L{ytwOUVc65MbglZ=i!<^X} zKr;OuQIir#K}b4}sXJwhMq&XiXktS&MHFwd>=H522_&|0N)z=WxP%}E-8z*rMtGhv zW6OnHDPUV6NtV8cIa6jJ#V`bE5t^R~utH!yoJoy;X+OPWJ=5M&u_u%Fg3NI(Ck@|S zpRYIXEJbC5-_Mhm!luRMO^keLd{~!|3jEgEgSqD0OUmH^&!tddLRf{g=jJ0dzgU6J z7{fT*DKmP;+_)Yzc;ETRJZ)JEKfN9a4Z+b!7{&bBgKM6hCDaMEpQ;2G@}*j60PKKJ zTT>*amK0`nMy@CTF)n2t$k3!8p;D0O5$TS%Mm)~Xj@VI()+CmYp^&QyzseChK$;qJyQ(pG-6&0{HjnOT*ERtS}nl$Fo=FrDawpJA_p4@ijiRT;L=yprlqtcG#y_n#>enR|5xpyl zPjTSb{G1)1c3XuaVF;Om7P>OuygSFZ6Q4wqOXn{)Km8;3`vdIY`>XH}CxtH7*Kf_Q ze_n69qp`c|^Q+D87bK9ac?Smal>)i|UGdv%PWa=W?*pT6E?%dBIB+`6cdp>`pRH_U z{!?a9PZ7mkE!H#CNgAU}eQb^!_paar_2mH!16;g<&8|Y1jLAFvTlp^f&1mcZ%+34pN>BX8TfL8s=; zdUO5?k=UnKIuZ_W`co*C!&^CoP0Jj&uhDV-B__jy)M<&7DZ40T?=-%ji)|kx9w(B) zqSyF8*EbwPw1FU^jYknhkZ(3+bl7MxMsfs^o9Ry-;7|+>1Lv~R`AW6s7xKTQhqw)n z4lfnty;_k%Ea9Olme8Jz%Dl!ki~P2$E6Ohsg6W;h>$iY|Eq~|%5d&>fP}uulsZ4VQ ztb^55N!8I9iY^z9ApumOONTfm3>yx^awP~+varn8Ikrr5xHNhBW&Eu3u|yVaO0^@V z@v=yV1qB?JlK>QbwD+O}MZtA+zt5d6&pw|hzMO#FP&51D8t(LH{5j8+o~RW%9sab+ zjNt}`v42?SFm|S78;rw(I-_tt))1{Zmso&JM~`$Am9zny*|r7KVdL=DL>1}Ypy`}P zD93_w1_+b{834EmZ3PI8V8XG?5gn2{%EaYQOa$esfociSav26yl-fcSB&TKr2qViQ zmkX+?d@)K$abgTJXh0YInMh8(HmEq6^)|Rp78|tSP~v&@(ncC?W>-RTeb#$*R_XN; z`69}`vjifQI+JWhYVXn3fiB6iK`d_rkKLPfI6_e%dNAKQR?yx%bMba8a7}eu=`$*Q zRk=Y6qHgWMJA_V^gxcp4^s}+BG-re>0c`w6uPR$1*~<`J0Ci&T5R2gf zY|*C9o!b%zI?9Olxk{<*S)ad%Wy+L=t7{8(PYj!s(wG(#ido&TVxo2%;og#u1~cVp zA8o_XNsK{~UldZA%W1oXlP@qqz&yQJky(ohRig#cP!Yd%!Y}*dc@Y_+x@()@wTKOR#H#Ag7!T966uMNKH|gt)!8@8J{TyCx;t8Ws-Z$ zEcZmFS@v@5Y~_v6_{06i$BU7D^vPc&&|T|*b=Lsf(E?jx@pPbKNPq8JeS*&0_`Xi~ zabGX7es9OwJIAF97Ac2OTN3&I<}SCUk>~^Q?n^?Rr1-_CV-`a-j(7!sJSa#?&H6iY zjki~0Jf~L=A5T;a^iH0_gr!Gu=HDKBZ;~ki{{DK2EH|KrfB9G$(K{prX{vE!xjDbG z{t;nnB4FRAOO{ICmk@~C?i@6X?q_}lPrV`gxY2njg}^^=?;MI`(PE+z4|RSki{ca* z5n@GVIpb8_#0rMh7C|1bQmr^TugF4;Z__PxDAMDYU#Ly?7=X=&OA+#=f!<2c-$!3W zh5%x0&JSkLbdcyCLJ+=63Fem46V$$z8jhec%1F2kH4xAifzLwI&WOk><%dex7gNnd zrBt-c-M|L)tuUOcNUzEpxwFI<`fM0I z_|VcSp5^$->n?M%L2=)Igr+n#sq%>xxbQC|f5#@mi>XD-q;-DP$jU-t zmzL2`oi>&fA~GolY(pe$&(-DTXRFA1>I)`E!DU4@(e0G6Vv~_G+h(}1KCQEP;jb1_ zR+{i|Vr1-RCr|(Mt zwAYbTCnJvsfMBu@4xIs2(Kb5m7pDR(%qsV!_ROi{qQvuS12XG{a%>xxO=B9ZhZPJ$ zC2I%anWEj%ad6>LR0<0n{UOID<(yzw$MXOU<+|svc zGYNdM()i?Vf;Rx!it>vrl89+rYdWOsCnjBPW@l{2rf9n#G9By#jVd8A92TpMC*3=! zvGHYd8h`@^4v_UXsmWK-WazG2O!6TxbHfljY&n$&I$;{bB9`YdfaB@{di*iS0TavbCt1wf z(CjI!g^Hdh)=JH8#welC-pZk%_^4bNeqSfdv^3WK`&{D#RBJ%%StSvkqJ)Vh81_M8 zz4gUr{gH5n=JG1=gcfiJZ3Y?hzJVB&pDLCRKBn8xAosFdx45_%jvtCy#@P132P;!qAlYl1kpe|AxG7^wBp-9QLP$X^T zUANy=0l?$Iw2y9dOj)C-K9$(EFZ*|W84pv;)a#UHbv`J}8hKrV|JTsBnDIiYt5CJg zN|I_{%mrbdqa86Fs50Y=uQlrFAV3PVdROpEDlmdmtj%zx`b`u?FE$0DzLa@GGFX5i zTbA9q^LSR3CaJQ5pUdUtzUUGO6RuOcGp6r{fCK8i5C(0a0)$0jT-z<+Xg@R_&PjO< z<40kW0y5e=_aze8649t4k_Oefy&@J32`^?3p+xNB?zlIHe$QSG1;YhqiwP|A`X^tp z#Yce^?#jSYb)ot1SGgDS*OBSUT=NQgyo7Y>d~l=j{S{ENBIH4R5NyO9W;<3I&zAVk zkpjhL#C9Ng7J0+LW`xa;ZYs6YRWwfGmSKBy(%wfMTRj%hkLE!nt7l`L$< z*qszS7H_Xadc9(h^Q>NLSWez*i_P1QiHfZ+Z)b!+q+D8pkh-xHvS<;zErHJ@;V1bV zYIc#L(ul}vRSe1REZlwEwHv{ZrrK9rYuPSo-4tg^+BxvLFK)Mr)@xb$u7i1Kr{}Ud z=BI|UJB{g#94o}VjJfALr?4Y)wF%goC{#s$1fzZZOLv3QLj+|UnxvBUyKQLRVO+| zp5WI}9K;>g^TzP$LvIWpJ3G>o@hsR<^Omk?OOUwPxc5B8C!|>+sfH0g*?8!bMT>EC z3LJ@UFi|tDE~|2gHj-xJn`K=bituS=v%0>SomD(`n081j@vSvVA{|s+V+$?++Zza~69f5TzM9PqP#>gI z8(kQaKE0}X91Hiu<~1TcZ9wJq-}=fxZ#F-c4Xs)(pvV~v^0OVCg?#b67gVPQ-PJQ4 ztQtIeFOm<9?VK1HJ2!mv_~;2IPzsGA3~J;!K9k%E#%#hsxR_Ug$sBf6UPiazhhc3- zIb2P$n_cg`S}GM#E}+V&g+h=U+S2+25yA_{^TmODnI|q66att~oWBiHUedfdd4nl& z*RIbFv_1F_ex8)NNA>kv3s~jx)(w+(*v6UT*zm1zR5WP3_pi_fWzr>2_4<_+>M$sP zkLEccg^w0Gm6jDas+0b>*;T-evgx@`!D4KAG94++l>KU+rvuk+eSQ^=Vwm0pfXD>U zaAm~6$hIx69t0emK45#cEFG?o6h39lEB!Hqm7ACgM=a-)@XrjaDi-W%WWvFWDQj=ZV}z2%%X7)lg3^&>zFsS zjFP`X5HIR*m!mcn?5FcXj-1D&dx=xGgOhEHa48Yev!jrOgx!`9vp@-uv!H9vgzChz zoqB4kjUzBhSen6d;C`{nIUB?W5L45ioP=TW+8eUS=xA$Gh9(E+=tQ+dzGMQwlUQ=i zNpdJaCiXpHnBpjm6;)3dLB1HDih+p&$h8CTdJ?KtEEG{rb?GU|4qBj~JpX=sGIIe( zzEh?e+S=k>3NdB&Vlk7RLsm`bhw6b^nhE?tAvNu%t23fVKvVj9sd439+;j*!vGouT zW%CAY4))r+3*^9$?{ES_Kp>9wPrhm_e@@YBfB0t&+g+@i zcRok#5+mq8TtOcoev04}I;NzU<`ApjPJ`f>Ja*M6$cX3!)r|}$1`WHj@}UIg1!tJT zq~|zM`qc%A4aEWsTv0>&N8xg&Jyl6aew!7i4lI7O_UFeN>V3RdZo*%^arH_x zhEF>urOtAEh_4!y-c>(}o!lK7yz^E|*mpn0C z3FS4R5eYrR(snI$r`~AO?N*((j>YUU38BApv6w%2s}J9F`W8cd%cKy7SW8hxN=W5b zu@tx$uO;-x1f;c#dq&rH-KihrZIIPUCoweS2MKbdFdNRT!T1gm|C~&kPFTfQi696; z*g?E$jysZ+w2aF;P8%|!uvB>JLOvJRGLYdZ8wx?~Or8VgQK}$#x&h(ZPhR8i}yl@cW}v)qMVb^-BbUa>dCq`{g%!m(VGF|oZ-z0%-S6vJsB zBM*BqM9tO7|+L4Bd9j&>CT1ViAJz+7!qBjO#j(Y;Txgm?9m<>?h(R zYB*31Po*g(=e9EMQdI(qrQnox+U=wwPrx1G6=7{$?NvtJv`5l8DlhQhiSsxXa_q<` z$kT$*xT+gU5Hy|PB)G)hwEpT0)&AJO|&I``z{^Rjs&1-x{F_b`hub?;e81Q2ta^{O!*eO3LT||?qD zR6&b_nENYeeg`=;*cNQdKm0TN&*O+C4%)}eVTYSEKgQCwq{-+qVlp_vrpA(B7UGzL z<{S4xwTO^+%4owd*8aT8h3&2|+RB!2Bo)fB-M!Ao@2!1*4IWUE7qn+#xxDuQt9QgO zKV8B!a?D&7WMor__TQEof1+TE_Mn%lm&DI0!q|WpTj|?YD0Hu5E67;&$>}V4R9ASR z&iZgZ*M^pz?k?1ukLKNYQSMTo$5+YjYYuaX`X-yl`Yj4hVbPk@3v_ziyn>jd`udh^ zlV@;;i0=(!t8ZTE*gTo!@+32Ts%jkyY@9|pwp>?;ra&p$`6^djtzf7zmB7)sils=E zc8xPW$qnUa;M^<+mBMTb-Ou!vj?{$C#{IU7s9PYhB>{Fe@60#;@E5BpARK?nBV;4V ze|%R#$}*s1uO3(*#fUz-kKU@US7Pb^sq4C1eDA+_@x566w}je3Tde`ty8heX^MlXt zkJNvA0ZYQ|)_?m?QUA@U{Fcp+&q(E~-QsV%#ou;|zj1jred#Xh9O9g_`5eylkx43Dz*_auH$ z>XAl){rIlL+H?O@jh&B|vFtF5AT~m{8=0J%I>b@!TDtoCjMqPnNfFaQp{yk>Hw(xP zT92i?sJQi0l{|_M9#RqzS}pXa0uQu!`Y&v`A`nt##xK};9&Q4PM1ViIDTz7FFIFT| z$9SI5XLc3DwbfM==G0wD`-?<`MnbxiQbszNp?(_5R;K3lyo8H7lhWBdDDU8=hS>2K ze}fe8n_3>t`I{f-44x(0u^t~7D9CFMAKO097}VzujqenW4|Z4CuTCFw(QJmtev*>5 zv56T#AUaI@DZrbEwr4p6@zYt>&s3&3Fj}nhh+R0`Vq4e=IG76Y#RBI+Ty8FY6af=* zAdGd}I{$EoX17GMTbe?#*qz% z7cNOMq4DR4a)@P#zma<;98#*(QG6J=`!7FkK6+9oyRN6}^0Ihr?^cg>3ka9I(3ANf zk_DO+_1xvTwK?sVIT8^miH@@}$jG&spaLo%>aE484n>0I)!U7S_2!-HWR-8-p;%#* zl%^;OZ~i9yCVThIYd}Md2M_z3SN?+nbeC4iuD`O=2bRY zBnQrsiHD$WQjd;hMY~>yT}Q(XIvRHWc_#mf`G1c4=L3@Y{F&`^jimd3_U(t85&zHr z7hZgR*Z=b*{z21kzTzG74)b4!fd;y}&zybr=;-M)-l6WJqi4p>nV;PwKOZ|id=9U| zJ8yP(y*B*6veiq~?ru1PM@|gCdTiv}(UV7BJ$dq{-O%8<Q1SRtPIjlrX6O(Alxq`hV>0dAYj_4!EkTdZw6Vm~@K z|6hFZz>AUd|M`Ol5AL4-|2g76oB%M60-+eN-4Kx75Rlyv5Do$P8<3gDesOBVQ*n#rUgJ>ne(t_*7WVegmt)X0f3TrCH=%{%jpGh-viy`ID4wR|B*B7DO6-}8!jUt&I! z-gKk{c;{CVpkmBLFGG(|)O`hZb~ShfeYfXcA2~5{dUy;(fB4tomj~$1%LD336GXhb7EC=3rxN_8=av3qyvA14at$vjyISPCY(=ws*E*Q^s9?q-6UB&P zDqdiRGo?q3w;Z0VR;ZWD6!KGre-*kzQd!?I=MBYi$3aFuk69?iYMxrv=|NOn7kKLg z^c#;3|DriWA_-h63n4$V%IeLf6&Y9u*gUb(afIzb(Htc63IXSYm}FTi1Uj{d6GTdr zruPZK>#Zg(ig)N10Co^mThcNm3g5SqN1`=)+e}NOviR*4t8B?1-o=y&8NF{<6 z$tL{v5~lC2J-UYeyvFJccxe6YM@|+QyB*CpBKe4vHuB{o<;HmbZu9Y6^KQMtSlyV{ zef#m+N}cNysp?1{EEAe1L&Ybgt8EE&^Jw0mD#G~#CoArgd-cZE`;mPTgZXR=#qGNJ zu>K~xbtmy;+!CgCm&)oe@T>99h>u03-r^~4sysN90m|=^Y_WkL5Eh|q_Qjfw6-A0V)jv-uklQ(vKDm$V78@uebm;hSq|IZ)X zcVJ&M|Kq^(2X^)UC#wIOMUN`{`}Yk#?;QaKP^7%zV^!e6M&CbE{r`P~5h0+uRs3-b zH3_Rz^w;6qI0#L(-E@y#U4K{C-t0Vpk)e3F$W}8OQ8k^&`&pT9``FY%3eHM?hRWAs~8CP;VoS;ozg^9 zb*OmJUV3bRtF#ZSE#E|~hkjUcWwh%tD?*ALA&9`hRW|T=W%fu9gO&Dhq zwZM2ip*D15*;-Qe3-NvOIg>1kZBS`Fj7Ba5)lgEE;P{{iGH~Y9syT$nbeh5anbGAC zEbtaNd|ApNpei^}{Je^lb{gS_a3!+9@d>;(M5P6edVCzt0qm$)Vk(3zheju-4S&i< zw0km7fxZBpuvvvJltPSJ#W!j+8if=^vDpQJ&!-Wfa_FI+Bp52_W0`O&bC!b&M(_qX zw=+^Wm)=JhLIuidO;9hHqb9K)V{ifFi43B-gA&yjSthA^i0GuP)bn-}fd&H;A# zP;jCJrozY#E6uxek)CMk5c}2o&H8$MnQcpgUM{9JXb?UbJp}C9kak^e1@^%)wx3^* zR|Au3g}UZCe`mp}N!Pr!+W3A>mkDrdlAEC+dLRtH`Of9IgVy9u595aH57?wp?$R<^A#vb{0k0QODa_&_Eg~aZPDAIdIrAz36+VWZN)mfd$gutav zGtP^wZ}=9o1BM)LFl|g#Z*27V2q-dk|J8gkKcDe0Xx%7nWm1XBq`3&9uC-;a%yY30n(pQPoBj*KP4-9bq+Pexj`O%`~Ou(+g)FQ0TcMH%5 zoB1bJV00itU6XBF@yp8gkEHqQr{nqa_N@fFe`+btgrc04On*P`4liDFGp+V!OMgL2 z&p`_gZ~t>T_)QIC<$T$>F&w9C>Z?%?K?_s9q5?c&r6%xaH<}Or7~eXrYHg-j`CFFs z+qU%!Vf_@>dp1{)A`dlZrkdY=>TAxn)_Ra(u2ba4sW5KCKFt3~YiTNvMlvP!nj>Rc zJX6>qk7f-|xqLCTAx85BvA>kd*ycJ^Gtk5pYFOJ&Ms=Rviwhr{A!u*y(T&Ds#@1ur zhTPvKVRe+WnO58l`vk#a{qholrh>X0 zKOM>UY76JyU(<#>4;zv!M9xffnUhaZQ<8GH+en{izY`&yc31 zlZgFWD&|5JtTOFaa+H}QZy%3LN3Gewv)^#{amK? z?6G6qbYD72jald(gmar-COx$cB?tSJDGFpE8~g-}5OF_p0{=w4DOFM%31-UGS&2T3 zb;QS72?eR#LKfakI)ktH`GR>48XgaFIcOwTsu8|7UoKVnlj)<9(TFMBol)hH9yd{* zx%5eXo!1v_Yx-#=%W%aEGgN^=Nf(nit`kNWz|0<3E0ix@C{6fPg;b9%_fN^frZy(? zjL{PyYf&kUnfxUMfy_+Fq1e=xkdi|_NJWEzH^<2-0pqkrhojvTgZuqsIJtT=eI!|Z z2g-GwtlIU(^>=RLxySLAj{P|8JG~A9kTIr9l%9=B1zU+0om=ngPV1e6K*KfIO$qkK zb#3=X(GV-WuPtA85fN22L8n+de_M)NH6C5jgM{ZF{0DrXd2dx_21JK@_r1oyQXvd| z>7(mw%M0cT8PEk#F{wDb9ke=Uhd+|XLe-n6kX2Qo!;BTHIefo>ivomaG_mFncN_Pv zxU1Iq!#9mDZmZASxsFvUzW5`#JLVr-rH>eUDO$n)ui<#|;dt_ma{3IMJ)=`alsn8J zft!_&8&a@RVh%R5SM@i@n!B{ZpofGPFJ38%R`5CqSI{spyv_f5gw|mofILk(IVYbz zLXa}hwmTe)MrBb*Va84I)TyfvM<`bYHY8*@clZ>OiX5AzA**W!1K*)1tG0}Bc}7*E z9j6`VdK8UzgC_f7<;kY~d4}fCdljwJXvDXoe2BNI;d^Xr-b`f0STt5XDZ0YVCLwvO zjD1Y7=^Xp{5m|O1jS9jZWVrAi72cH+&$S{_2o?2{XZ@;&ws_%7zAFM7`>r>NrM*5|*ndJDe(3BGZ;s9^&?UN<}2H9(k+pR-8V6sedFo}-j7!RhXhIk%pE(&HLv3lr84J+hc2r7k=DFBNc-92eoVDW~jGPq*` z<~a|OCpu&3fLe&hw2|V^#}+MmCkxI8n@@pwZa=NgXinnwMyx(Ga`j!ymFRKTod(-7 z89GDM$q}hckLhlg*Wcj-!H8rlatNYUOQ%-j{^RE2T+&d5ImCAEYN9rv^oGXbU6BHT zZD?#yB_2`i+gy~wO$46OXQAmY?^CJ3dNkUN9h{L3V1i8OVE*)qij`?&n~!!^S!FZ2 z!dcYnzj6g0QSg|iTB0lU!W2W(_?^3ToJL(Ql4J_#=cmh7j7cn(FgE4T z#f2vvG&7}^B-8T@X^m$zlXe*&A8#f$(XgM*Xnn#UVl-Jd;i^bhj#OdpZCu0K+MJ9@ ztzXJM{Y@=@!7re_xHLIruO^QLjbc4!K{sUry}cqOwwcjLoC8`Z+kbFJ72oZn{9G~2 zTnxrD8KHn@Z3l>G4&8L5cY8 z_H?U`ihp2(y?y$YFb8p<-I>iP!pW!uhEn4B!;CJFkVPB^9&o$3i#)K4=DhpQ7V#gP zbl~kke{7Hcxc}f_6#wzS;ETKX54-q}yOm=Lp_VM4S*Z^B6*27Zik)beWc zi{%IaSP1KDW93a?!6+>TbwvOdY$ud)J;jh0x-7_rgE7bj$~Lz@lj+|0*JBV|Ejux| z`A#GwPqi@g?|E~VOiwPO4|L`o< zZ-|^3?dmuj*nAy_q%U<`&jABrtgzEqdDs|kK1I$rrH8q^EtOy0K<$QYuY@p0*lozM zZNRo<`%WJPq_G=Hm$`Mq`^E!|nZqD$Rg3_i!fr889Y!!B(i7}bCt9u&guv=1f{;V` zOzmOV69ZCn7qF{rs1R4+Ot0S<(X*)E@Oz#lF)waluL$AeuC*3BV`$Y8VtIGaeo# z+#mfJ4WnX(i~4Z)qJAO-g#(|{fc|kTF8E?%Pw+&CF(Vg;UqEusr-8uol$HofgEbRl z8-jZoVPxT#c{*mzN1k6sw?@?T}g8R4YL(nx3qvt+-7hU|i+%;vi-MQZU{5nPU zMXO~bmCA66UwpBEQGfMiDVa^pnecvUSjEl}{+|PEVf8SIqXnD8?2Qb8SADjE5r^v^ zE;Vnj!e5+QF2lgY@`sDk2^E?hMZvIHoEn&b61r*W6hGPcYBhN%E+ztI8sN0AJ^T)H z2UX6(JmZH^@oZ?WPN^23Ut7PtB;8=RF9rUnz-1Dk&Sdc@`SA}wP!>nR=j|_Wsu6|2 za<3>URnItu#QfV5K{Hx!nOIVM&WR?Cg^^NFCv*&xDPdhAX=EWqOMK_+`1rzPX-vA5a+ELkr2TF!!SQp zOkx#TZ@8-JvNOM{RYN>MGghjSFbKYH^MAfl!T34q8h0XNz+thauHXEl7k5pXg}{c|Y_KD`padQPAutd>Q8K~21B$UJ zRc1^A)OlS)>5zB9FVvh8PWdW@?_4zm9iE`FR(SY-cI!XYOg}|?n zQU@e^Az!M68Zc7{1N5w@p?)=j=#@rM^Hw^#Jyr2Z!e?pE->tjR@QbUFjBA{<#?mS# zAtJZ9d52iw_qQlj`^(48`fVf@3?F=Ze*K-f#@mmbv>`oTvxw`;la+wjrIBUr^mt5| z|5qC$(E`nhgUd4G!xvT((ID3z{LuVtnMy**>CJQZ$(6+!#=U2Ir^*EEn4{X1?0p zg~)Osd*%`J0-7O3*>9<^z#5?l7(>D1iC1y>>JpN<(%&z%h~~&h{UimmzIeB`yVh_9Uq{wT~4+|CSAFc2u~Dm)CJfl z-(LZdAcAA;N-@-Gq9CJSCK7weq5_=P>+gMsBjMaQ+UoRm+UX*N#StJRvrd3w6QEON zASxk6@r@5}G3O`o1v&sHn0!wq=iR%8ALAX2XnwB197)WJq*-)DBFwvVPmDpvk zR+k$d+?5;?+%h6~e<$2@xH2&fpO~oDVA~@zy;)y>8zhzwnh)kXVX4CyTptooVCa9r zEV5cn5GHL+ySoeD^1bKxkCR#%ebr{JQX^8H?d}@S7h(JXAtU(Si!V?M$g5BwK|6N- zl1RX&4L0Y%%gih*0kO1rw=sPkMpOdQB4&)@Np}|}%-gw+Ahe$Mr-Cqr>qP`mdv@u# zPsEFfXk0J8(0EiQnNlaZv&Q%Qe!0!lb9y~ApNNdbehEnHCQfb|iYgxm92k`D{`twwk|13!Z9%{p=OjzZ73 zyCix1Q3(HS<8w#_JHq7J?25L`DVE8YLQTo+q=U}BK`c~3>!a1J%S|S_^y3%x%w(cB z^Dnl#3$LDg@rCsJ{!Grg-F7a3JR0wRMIyFAh`L#C+?hu?n3FxSPp|viz{@wm%zpx$ zkFYmkzO2Mng1PL3nU5L09#gFxwq#3Ty`=sn*cI_5SDW>B8SJX7C{5EOB76%$x@0`G^GU@dit`j-ZFdYLVsA*m5ZZ4f))&+hHAZzr_&chM zk=;g!&MV6#I(5(ijT*CMwWMB#R%w?A4z_M8M67I3qO%SLr_W<2KEeYQ4yGX#L6bmK z?A}3BIBC)kr^&q&WT&#;nbFrz{p@rG|9g7u_~?oMG5CV|G5quX!F@P;!K7OI{e#@4Xqf+WBfPP z)VT5=%IuUR_qofXd6@7M?nMOfTQub5%h(g+cu?Q3CtH=elK~%PJro;O{vq+X5MtuL zJ&rWrUY>5hkdpb?W_HBQV}E~6+IHPREg5OsJnw`IZ=1U^J!PkXOC-ro@pSH#MDBF1 z>t3>%uh6oB4Z}Wcfd|t>6D0}WwoNNZYaG|c<9W788MZscsZVp+6N^`?VkJ+7UF(LV z97}`=CveA9&ZwJ`9U140V24jCog4j!rK#IU2WJGZLm(97e-9KHAL$M7}pt9saQ1zlU(E2a|+Kk>S^52fPvFVWgpN9OPJ6ST1nBA zo|Uv{y?4~qpBVB6!ts1@0Kb{SL86umd{l*n=>;@MwG=^hH(>!?R$%qaRn&km$i`0y z(NSDk2lLpV7Pt97?M4jzm zvnDSod3lKA(x!wRF=MBP7q4Jl%(VwUK%>vxCLTSi_Ae2o9`fkX&Ftc{qell` zhbCp-)t0rkafWgFYvXJ#(p&_qq|p}0DbYl4*0i%+9w2vBn%hn7Qi@B}JCk0~LzPa) z{W!^k1=$0JX1QvpDzL;uA-}QuMiq~x20@;KyxCOl#@?m4Fg2Huh|%bvTgA0;;Xym> zmiY-rEG%BOaH^9B>F`CEpx%9b8Si!aZ(?6XS^##G^7zhkqFVmRaH6w@zPT7?>ar63 zZ;0{eE!cilZSvhduCm27n0i8M@cJ{h2Cr}D8f=}jkCdl_8A=Z$V^|%r`faYbWz7=! z90jM@5h5!6LSQ<$^pmc1(1Ao{m7P`q%Mx@IQ~wti*1la}p_rs@C%#QpvYM#{!gWRgP{?9?a;-*Vy=l0RrNkzo7mS4Alv)|;!}iB6(o zvN~!+`vqgMyo8GG4E6TvdVN_Ra>R;nuVP&d9h)XaTTIxb3yp6=avMvJQBUG1vsPbW zW5_2I^M2OQetM-M$_0eP}UsCTT94puy zXJR;KpblSAueRvp(1v{F#2BS!6o@Qe&Br*Y%YGFfqRrDHn7#dKuHURTK2~|MX-Shh zDU|Cz=tNRXa#;SR@!+O1ZQ0B;x%(J4k0nsP(y2_bkm}Tuo03qM`jLclz#JbfKO<$H z5@s+aj!OSI3_2+~RfjEiwyD(;6@lP}%({@;!+Az-$R(;v(^e#}ikjPNc(E}6i3Qt) zZc-(m2;t`ftjNTIel5g9%gQcP^zV&g`LD2~URF)|l*m3_(uHvC;5Qa}-O2v4~VRU?!c&~~S#OtDjD&LO0@dT!_SYT|D! z{xcP0zo&#>PkZJlhz!HJNLhQHTQ&^Z7Df zuM?fn7u^}y1TTx)K$NFsk8bV3JG5g&t6tbL@l%QE81)m(0ZZMKZ(1sq$Nh=(hJs=; zx1oU6A0Yq7m-i7ZVENk^-#}xgO7cz^+GYeR)sG87b=n%IuhkSXe87$bjVK@W{_zI2 zksl~Q7Eh=!pR*Ji@lvFD5mgShfO62QgkmSDf!=r}pPRB3u<>Z!Z+t!JP$}e#=dGF$ zPV%i)CXIY3{1HOosJg|`1XcqliRM8@9%)CH&X&nQFb!0}|cd=C5i_Ec@D_|<=Y}|fg2~Hq~({hz2TYt-j zaY^~^#B`|?61I#TXB}zBJsPAQqtu}z3Ud0BX8O@MCkQGAQ$Ed6g*f6ESs^)Ke-Onh z3BVTyqzb}`K4hHuFqo)S^3~|t0|kblOZ9brvPIa6fKx=JD-h8%dI&rsPqg38 z;!}1jqAz%j)oZAb-=p$ynBcClTj+57;6|hV=U(htpPYbR^V$cbqB+bpQre2sX?5EM z`NK+1rz4ULek?TW$EA20_QoW#GedFv0N(*UlA&1iI3iv?Rn$$?P}c{mM`7D8I@VYH*XG#5LPr&h_RIS&oQUPA=Y{F;V~yn-YmdG%MNT7<&y5@6l~#3c zt-KhMp_i2DLcvX+U+0;i#YygwSy3WWZpZ<_xv5I~cDO-J)oa^=V4IYBDLwMh+V|Ju z_%7dHaRjeO6h-6V3VLSVxh%7RI66q~5dMFlxn-nN5wd0M0e+9sbauRU015T{I(pK1gerZemX7p=bCcv#0kxRfqL$DP7s zw=4jiKw`gG&-fEDl9FplRHa_mB~YIjRYf~)Hzys=Vtpvntm;r`lNvt4Xhkwe5*A5| zE>TQKt(c!ctwLbj)O#i~NxfLIkO*q!a-f7!rhk6|Wr0Z9Uj95Q(rO&yJ~nx#)|p-Q zt@P7mDrfQ3olD&`OlozyQnNOXjApc$`hDsmi@qY<7110P6XEnsNj+Q?s9A52*JAT? z4sLk8B7VkX7pqIoz^(ou*4-PT4vi>v=v1kq4Hm;wQYzRSac3oDqsSn!vy6NtWTP65*)dpOx+rQe z7CVQrqQ!#;XA_S$xFZc=T}m%U`lO5x--j2bfVU!saJ~q$0neN-mM+?)g1tFDd;~U2 zu7dc#g6pPcUj{%tHCGD41VX7`(Ma4EfnOoxIxO^=u~Q8FW$D+@MyVvO(@5#MFc)WGhFm5Ib$J_5ys+lltIZmsa(AYhh;InzX`{IXX8sL$3ncH zoeMtkBVG0JX^TG{I3E&^a#kGK832OzLfutEuoHK#C_M;tS7`*{(AMAku6cDa8tzW! zPVy8k#KSL>?EAL2!MtkCU-TIL|K=_y9%t6|2$!_(#K}g`iQEL)o zs+{LdCoMJ&Jf-TKXMxRbq!=ec!|_hk^@ zAVoAV1I3_$#g81L1F4bkUBkiM0yXUq-(X|_U&appWr@NB*jtQt-o-1;JE~Z_+A!Q> z(&v`v*KbJ_1%b6LTO`8}4DP3+=eSW{4R9)wYZ9KUnM+(JSr9fV2%OnGy@($qSf1wp zb6u?c?nvg;08=;sG)loGm}`Vcg;=is>tz~}Oj5i-x=d5TZ^8bE!k&4IY)s7pZJ&FWf!Gjn zw{dkzX?DCv$Te_l6$1mm;2qe}Bz3-!(nUR9MWP?yC2(E(bRw6wI~$F-(2%-GM2qlG zS1|(UTJvVTdFuw*bSOh4gKwg%hc}Hph}N+8zDP#5wMNXtLE!>1FW+M{ft%L|MgUr0 zLddI(rUA3QhPUY{pleqob#49Tt>*jRNsb&y8r1G*H`cyeYS*Py?rVLMLX46KL>%Oe z<PGgCH0kr{Y#j2`IDJb_7h+ ztOR~;76e)hWFb{Wq!~A2C2tCSw6_-IwM3ul*6LhViu8HI($GrdPrxs}SZUr_QduAg zQ{GZ0Y6&tEk1^UzkkMqpp9;4<%E+haPKhPTl?*VH<05Lm7PftvSd~D@E!yyMn>TnR zFMO?RlPa=2GG#a>te-f*eyV4=2JZf-$QPB2%bE9b+a`iSj_b zDJ+{L-ew)q7))g`tYcrsaRHM-x)Lzzo-?An6WWw^+9m9)r~oa#xj72!))gjNsp?up z%*4YIZ$Ad*$SPD}>)8A$DuSS7Yk@Gpz(SDA){Uzc!;Xe%Li!>;wuGoCrHLoecO1=) zR4j>PPr}gKc|xDQh&HqxB6W}}m5DBu;w`U?La-3ADV7K!o1@53xD!6w{mh5+p|wE> zS|uzM2ol}y2JV(Zexi!@KI77nYDX0Dr;W9EPW7|RIbXi;qH01rD~5}+UeBc-iUE|? zRfJC^C>Nl^wC#Xn=1Mahi|%$;;e`ZT#ekQ>gV`=4;Cn|Q>0-%<(VC^dpe7rs1H;=Z z;sUe^nEc_N;eXgTswLWWY})ji-+u#o7gY;bT;OQCm9+=U=uH21nRnwSbnEST4g7!a zGWqFQdmlXo6UvR@UXATJd!M;mGNw3FBRFPQ3k44V@);(2a1NG?dHF_T?mDZ)?=Gz0 z0444Jh)@}i#l1UK$%$@U`MXnEeB@9kpI!J1N09O7`k^UJDdG&wmLB596^JBw?8}h;*Ya~ z*}?tK5A1&-J4R-C<;+kmNu9v)1l`Scy9#^IGC#zBd5__tdfZE@i+;-6H<8OO*94E6!`lS*+dpti+mR2!Sn3gkBdlc_e2J_f_l$c zqHMRie1uFIVaYnbu!opSNC{9H8M;<2#c`tfV~rZ1R9``Zx{vf}bx?HUN4gRRfHAW1Dg?Aj=6* zNQpr)ŧ%9q&~N;-;%jqm4FI^+YqO#0+~y#K{!`3CQ|*dC8;Z`^VY?I^Q;irK)K zS48T^0(I{{YCP0uY7~Aeg$vzYAs@n=*V{p`rtnXRnOx|zEU8J-^n?FsJh;-lw`xrl zIX_k@u|-X=x@*mFD?6q;a+D?Z8lvbFNIaXsJ!oRw-PVwIIgOuNaX{uDb)H2+elbF3qCWpCJ! zQ~*<2R2x)nGbdSJaUV*dMRv-ZbFzfSE^4VVRl}m29Kwl?WAnDi3f!?F%UVrVXVV9b z4Z}5C_~l;cPoFoO%jNMFa8>iATu=^*+8*Gxp+`PbE|g}ehiYb~OQrKKNljAI{lK=U zM{|-n?QTfs5xa(aZ2(WK$0C0@*F@1Fg$*gI!^J4MSITmgh4YI z3EMQo6*LT<+aaCwA8kMD4HvPR9mR=yy|`lixMI0J9bygByD>+pV>qL%cU^UO{c}o3 zvdWu~Wgu1x+pfLUj&6G0b?pHsuvSuP9_=4Fr`+siN|G`5ksS2ztka zU&exI(XEeM!h_2cmrcp`-R5hS4c8E7ChDO zQurGh@X^ry_BVQ6q95TV@C-*&Kc1r2Yxn83Ih9X%^L>sR%S7HnYrkCJu84j8>m{O+ zmB!-lf$9Ye$8CRg^~pN74>yE+5IdJ?H0mZXmM0`+hwK%rQ-84l0U=q`#WE{-3We(SQxCo?Um0*u1|m8kU`N>* z|I)U}JEM~rppuEqECssI)Dn!IHArJ`Q?y7uDCB4IRbPRcAXB2uPCVwJk=dZy0eXpGeHeI; zPp{~}l_){Hb0v-31@2SBVi=$}vB%XNa-zV<&%RNd!N7nR&pP?z33S+e(u%A^zrvMx zeP*wh4*bOhgjV6=#m#${JXumDZ-}bLh(`L6FTR;<`47D z_il8;OGYE$L7dwwgpxFsAL|um0T3f{wiXq=i8;lQ@92bzjs$xL~Gb*$sR?m<1&+ z=j}zP#JvK%h>U&K%jFpw()H@mfCOa{LsR|YR8T=&;1V7c`AK!SNf{mH0g?AreVaAjw>kYkZG{j zNKOrmxxccoe&>q)g-3OrCE}Sh5q$>U{s@=^Wt6d0dgngziH}$9yku@psV9n(SJG<* z5db!vbjVv8-(Y%*q_0L5U)dz6_5O+QybPD3vkb(vPv^H3RlSWz7!gf%8t80_iJJr% zSYHtiDFb;UCs(A*7aTZ~wSoeG@8CS^?us91Ug~*P@N311Y04TvS*9dm|2PO1<)kML zz>Ouf(P%j}$M}8`l`avtU%y6Q3)K#BdKZJySJ9v-*TH9|2on)QJ^f-rXSysr=6uo4 zb`T2?!YvB)1=SSifrs!X6+5Eso68IEN(HfNFCyXsVgCa;0r#28UtsrHk!@jm>l2XG$jS zjAke={b9ZN-Uo)EQoFZ7t5}Wa`fry&R^4WO^o$kKZm#ZZwyO zw5_}LiPnY?pXv#taIq=F1{pFcNzMt3=naqNH&FKI*w2qBRwaH0hDyrmMHqpi?d~Gq1s*Tsz#IE#N;T58OM>?U%oWxYuc(g4P`talY=Bt87{X4(o3r); zG&Uezwzffc7a@_kkHKP|u-U7~g($pXy$A$VD*F@XVMlqj@>IpoVTzq}a;g@9$VO6V zg}pio{nhw_*os-I%$g{72m(HOp zI7~(pYAnO~yP~`+pJDqXgImYeoq22}ohBR0AK_%dw393@a=Zb?rHGG&t`pADjT?={ z-><*7sEURX52B9UShn#CV21D36N6lhiHsRC`)#Bj;`P~v`Df7Fr3M_>U;j}O*P`jC zvHSe>=G%WHLz?8lAsTM;!HO#|nfNl+Skf1bykOrVe80(Jg*#u~r-ARJ6&X+MT)wgc z+P>k1%-~XqO$UTpd=RlP4F|Lg{qD)P!H`eqY^1YX$a%5NRzN@#i>jXyF#vmNO*0Ih zuGl^8M7Ok0Tp$UVc!YwS3@%2vv)4PB%Y@ZjzKH)W)vEZPpi=46$E04XyI)bQ061AKSa;a_lBx8r*~ zY)#1Zc;h~Xb@bpjduTl+h=N%P#*o@<{_`^4<~KppdDLAg3PVvcN{VSK?HIo`ZOUHprqOmI z@x^LdoOI&TCBsjZG1%c~5z+~8(L#%zb#7i2h66fv1eqhZiMiJuj zpR|_*oGS{Y_f#aXks>L#=V!tx6qHaz!ilBd`fw0H45si6m|~=HotZ%z3^k2;UGg;` zCR_bc7LA-KWAE)tKHcosbUlxSxV{6csK0Ep^@WX;7ELTG8YwAiZ$$i96tmc^C7Mu2 zG`1ZhTQOD|I^Y>L6DzX{vz=DA+p~f;25n`Q;0{bnk=3_ZoU30(rY=(CbEgRRILV;p zQXXSov3#>R+CD^FTKKEeD$X-@Q!2dJ^$Z!C^<6SIV|kY4%kV!XGqg%EBqL6|ab=N+IaMXeWd!6IuW zXjUhLScEb5>7u8C>j)zz?{#@I1+Wx9gOY=jWNb}XhNmlXM2M)8;310af)-ry#L2M{ zuit1>Mv)1MVXY#0s=R=35KaXGZI5uWgiEhWq#0W(S5?sV?s8B;|xlpW@y6qT0tNvz{@x6?Qz;P$~XGVFdi_%S_;6>Es*o&-~dt)b$jE$W zLI8wRI~w-h3GT7RgaG->$9&fk!d=h}AqOG;V5Sj<_m5aF9vfveBGi6UJi1>}yiY%F zy7l+IL+YmZV!heXy!g&#LRfz1GKKhY_y-0EUSCKwA~W>3itY zzQWCFDQU9bt)iZ`bbf2jHqF-I#YfGD3}|i1hr}=z7BM%Ps=I%;_TU?`w%>THigO8; zm-%jQbMZ>Ta3h1%kbDjfZnEJvp)OX|Y#v)-lDHQ~Dpu9ch=)3N=y1m{PDCVJTmXLP zLiR@y8T1~J^1RfysEsk|zi^BO5uzs1 zkFbBdA#V)!7qX^_>0p8+kpA!M!qIIGry^`9reryzxUc1~Tu3s9F<+ui z+D&3tZ_hXWwCXr3G^xKFf`%CYd7{khnSY_V{X(W#!h}5dPgn!_W}mmO`{e=kLRWf$ zVTW*kW?Q|fZ7UcpLAu%t5(GY$F|;w|S8@dm%!1u)&gy8SHqsO0qKF=>a}=;FPna*{ z1CGZY2Rb&jV?i_sa#lMb$}ktPq^p5Dv81R%sTffZlSz-(8y91qm>dl}!C={uT~pB= zd9^_hSOG!)y`+PkCXN`nA{GkeyerZ=o=onM-dO&&`RNU^7`q?!8ml)@9uVW+|G7@c z86YrRz0$ZHH)c1`dAT6fO;N=Elu$ykxCgpMlS4DzWVQAz@I{O zrTJ2R2E!CMim>9YJVj9Om}nd%%81wMeR%>H zIq2K!VCZ^T{a_uMI!YS4bumgV-peyS>J7!(%qu^BdBFULer&+~TBPzb`d?7)9H)32 zkXPYjvjzvK13MrU6`;}{Dt?zd+%`F=dL=eTN+4R5!T7vD!>j}O0HxXU3^e%cPNtU4 zR%rDdbS@%h*o4BP8-I8ghi?4$D#*buzPn?I@GNi8b2}h!ScVy3gcXc`Epci!Me`$; zTLc@NPE-*%+EW}oZGo8ygc(VHck5*TO|YqOv61*m++s+_K~<)}DfDw=f`9d5N!*m7 zw)><(1}b-^ab$2syGcJ!q1Zf2%9rgW)t*pIvGej!&MD$uiQabeT4Hs?m3KT}@p|E9 ze7aB9=9AS@Ry1X4YcDU&U#D_LMr=~yv7#(``xRcascHQE4e_&fB*5Nz@Gvq41xlLI=lvL*!myCr=@H6Z$`jud)gY!?hQqi^fm%EMnb>dA4 zqMPl0w^uvn&q`1a5^91|0J)^JpyBi`9G>3#zpRQN)dmtWw(B%q=}s$CF`Iq(a7&~x z_<@U#AfBT8rg~kHh(OaxS5mRS(!|hA{!(DomhQEfAKuq@`iAT#n8R8wMSj+bT}3(H z&-F_t7RW;O>llEV(7*stM396;%5VCsmHgCHP_f^mFC*Zg{Wc~mhrvV*IyCDI zIH@`+mAzc6luI_;Y19nSQprfszqT;p2`#11IMMIzAJ$fv2bv!*qY;m-E747nv7%O5 z&p#SDJDqdR;rM}UhfdP8l#J7-ST9;NZ(hNAhFqWnG!#&MK6JIOXx4vUe6k&VC0Z(L zJ9kLsqF$3BCj1senYstIL{gn}ZG+STi}YZHEfVc%W^1z#dP6)Cql4`NwAO035V5w} zEHNGvWiO%O6kJX@u1}JG9^M;}sJHULEtp2bcl66((EG@Ol!EBkC_8J{tR9~o7fJsMdey*E>q=&y^F(o}TH zNmEvMM;K|eW1Cx}o#daJo$`sPN~u?<&}7|_4orpv+=%VcwHq*+uX3a_ zC=5c?wtL=vu@Z1fHDx6FGdjkYJDZ6l zzNLP3FGCdZTjU^TlcshZXYE(V;&41@ieqnOo1!qh|%0GyWM*sg<{(6h(tQUy+L#pIalJ1#mdN$6$2f^Qal%vXji|B z=6;B3p46gDxGMiPPu^sy72m<@t`}81PPtWbluImR#EIJRC2n0`e;V$mz!o`=47;e^bL@_U| zPKRCr?qiCK^)|z4wBY`V%_^DRIp)R%Tu6aj`06do*@e$gm=VmBbL7a`#Ahu0=zw?b z6h&U#DT-_@{%oAb5@IN*rz^;#9$iBVo<`aso&^WPN7o}-4`tTss3BRQBrFbeonGr? z9q^;HZY*FwMy~tCLi2!MwimkFi~tO0i`N0 zWW}}X+0p9h#3KQXj)-G|LjwGR!;Oy&pE`Hu7iZ25A3Z*L0&z$E@q7W)u}sHo!GOXf z5fLfZ9gMp1u&#>ElC9TcpM9d$AS#Wdje%tU1vD_Lj0-mOvZuAh>``1EC$zavmjo;m zj_+zcMe&ICuBUJS^iS3bg}*jk!-_m6C@|BEV@PlcY($R{QZ@($#T;I)ty`Ix5Yeby zZE*Ik{`rnF8^ip8;C#d&d#!?tIj^ERkhbefTK$DMUa45fIX!fa%? zw7eNF+MBe+9@wKMeKzs@6a7aztXBd0jr69Nylx}o&cJw(uUZSBG7nm;fUEF{w+kll zy!V?LDtJE7jO6v|@I0kCCNsnx5-*eY+om)%WJpg-Q!@Y}QB_9rWo@nLi-lyQ3ueFV zlr{{Cy0uC^b?$7k<`faGsYZBG&l`{GYu{Z*jqJ{KN{da|nkM>2DRmo^eDvIM5Fxs= z88ncE59X(C{5U=n)lI)gI4n`|?C9#|r%R|W*16?J6nWmVi)3lMwJM`gl9)4hx1skd z5*D(-txv_L9irgT%eR@pFkSHr!suH65QMP%)(M;>Y?&+>H#3K1H=wH}3=#bo^2eIc z)OS~#-!D+e-ck!+?^8HqH>@Hjv5Kg=m1J>xQkrsnSZ$S)q#^y)>C7_ji%(-YW7@L< zW5l@eOuFoZ$6*kH6l@UQmF&_>jbXLLm;@6`fSUHhh+rMo%H@))I8(6{zvvkOEv|J# zCxXIc1_7?1YmO>Y^1>3dF^hE(`*xIaFD6U8TP4{|DAkx#VbBDkr?mxb?jDVe2cIHz z^xJNnSZ_k&O-v&qZD#os!+z;3Ojf=n+{{66u)<`Tw;7`$L4PI&zWC1yx8j=>m8i4! zU>Q*!O^L&Kn_KriUA>!@d^?oy7@h5;2A)KyTTsKJlkn7a@z`W;Ss_oFu`OujFAum8 zUu|8^3E>r^lWGs5R27zem8Hs=_BoZ9S)5IiTO$o(M4(BZMW~`6G*PXR`)c{H+?pWW zNs$>EQc+?86)#7=PXUPPYj_A?K%t=fM;fyf`(nO>7-!{fso!nhsUu@j#Z!q#(vo=w z{#FIfr`eXG@wqCnj~RJVj$@oJ-@Dvg{HP^_j-+K`)zqa`0_0eZ;P4>a?dtOSEyS5s z{wW>63ljC?#+^Cht_JAOZ80j_ZmfEdB}hz~=uwjw;y7rnRk!kjY|6C3xb!}0ugNk! z`UN=hLo1p!F8O%9C@-P;$cCnhY+)S?i#VL>5lc+v9J`EQWasi1^0}I?eHNB6DbsEU z$*NE$iomZ0@je5U0CHQYLWx@?3Ur4}4x`0_c?c$U-bxERI}Wo@+Z%2s$-_q$zB73q zI<0GFhLg;FVJj0p?sp4*3`gkadD$=}+|<3n;t%lJIA)>cCpSVcXyJ*fIrh58IN9E+ zj$T!^C8nrcjokmbVnG4(+=1+!Gpl3nl;pNZjB#e)0|`c|W+NfZ+JR$t^@eCcE8}1Vb^OKtE)g zU=~qh@e!haG9pj&_D6PZ{QZ=)h^M@nBE~fdQ&2;RS)bsDTE9lwQZUF4h=fk77V!lR zzI|pRii56rRA=*7G_I<3P%-70Eb6n`8J5n1XJD6irM?Rae6TydULqq9VcW*f!>)}V zgd>7T(?NCvC4mklexy>Gs`xV`7Z#^9k8~47yhEJH3X2sn;3qx@60gUxZk{U#>kh;} z+B&^uyC9HGtK?x-X$oPG64P%xMMA1XTa3Y^NGU{vha~kX{AzcXJj~@^>HQ9>KcoXT z-gZi;sLRL;Ne@~<0@V0xI|!*KII7!PQYf@a1H>j>iB}fD(k;t0Xa=v!GILXSBd!mH zM};RArf{no=Ft*(Zn=xp@Ury28aq2CAU*sJF=0{?-8$1e5fQ>!K=B^ZD)zfs{zkB~ zu_L%P6~%PQ7R5@%4F0Q#Y?1_DX=WVLVvFOsZrhH6-w_ShoNDmU5dIh%w8b799}PBt zlH-ii39VNQsD_lp;_O@afckc~YsJKnAcEQT2CcW1;OU3f(6WhLP<>DDImg249$2lg zS{?sx*8TwI;uieb$#7@@Ydcnk25RN9li_2vnDAv;7i(&Yp0vq(&5|x!v^*YA#h$pn zM!CYi<;#`Y3r;u{^*pg?k3Ces)?$>LHB7}2kOpfZfg02%Nzvj`2~K2}p0_L!|9Ht6 zs=gb|YD?>v{oG8gP|f4+X)!{Z>MakwY#jqNV6{;wmC8c{QDUkFg+fTl*htDm)`^{r zzesuK(58ZNpl}Fn-?8qb138jA)%F()mt0$}gE~PTTL%FHL_j_;qwp(i2gED~#6)0+ zsR{x%#iv~>x3Jap(oMLjoN8}u4{FU!D(4r`V1+LEbYw@uH)UeD!t91-7`=1G3<=yUB^44sVWCA3;99t*9u3DQLi24vKl zL?yR5f4A|V&NU)7Kie(Y4vrijP=IC&bvTj*@4}TRS~C~7(nf@%kXZ2PQsdv2u!fQg zdmf#!)G7wQmKQtL>P=M$7FB9-$ON~p$J1vd$1mw-8`Fc3pHSx%&Owu_g=ME44{eGWVE z@_@P)Gibo;X(o)WmWDu((-BqxYZDY_Eom~WO-^FwBMbZDD-(f3y=x#ylQ2IL4xM!H zdW!o|7N12#z00&+15<*R196tt{%nD9=+GqvOW>*rusNQQmGGj`w8GlX{qc9T)YBfx+=y_E%iX4^J%aH(2RkUbW( z4O+Eb(5z(Xf5RkeW%(=;ysyTgaB2iZJysi?*zGJZju5tN@Rq9LaISuFmt3x2KI+uk zGvPF(fUiZr4C8Pl$}rL0Wz0WeZCp$}p59$R8fIG=I3WSGWa#P&vZtb9rluisyo#S@ z+E?(~p`W|pL&v59vNK_OxuA+&Mn9+1%b-#zRnP}k%@<-3%-vm7T!4a@YgPRL-8yy$ zM2wkyRq7ecdXu$k4TEycP*bg1_9|G2*}X6$AYlNj>QhxLFm7=5nv0L8aZ^-qUIb@7 zaele{MZ7VQ-s=j76svYVSXsZk6fZo`BG@lhrh`K(`J>ofPi0YmdL6Mb@bNoeP&H5t z#Prthpkp@)pU8k|s2N$lzy3L)q)NFoDz4gzyQ{Wy)YdOu zdi~XoSO(n4mef zOD;)MdF@H0u92`r8#6yqrOHO*vj~=zA+XcH&!OWl7nFlyF4XllB~u{qagS+ca4cV} zT~dfk3jba#CIpF_R4bJVTgm3uM+pdW39C0zuHg*gf70SM5^R}DK8|g5F0cBpF*9bg zf%I)U7jM%*p(;f@6*9?0U6^OzmM+2mT3T&9xTyO2uB+UBN8aKxUlx^^3M8N;EP!t|BlpPHp3Avnl{r}Z&))%;5-Ob zjR28cD;+pdhylZX!CgJ6RZk&f`t1Pwr)u6)tv@LiBFK`OQKK1w;$naWI(TrV&r+%# z8&d(1_(TtShkLO4?_~ax!}yfj`1r}AXOE3oHfC+#wBUh({hymD)wt$s8ID;@rlez;e?e%zcg=-3RVB8cO3A+A zGJJ2QRKe&ZiqL>H*4MZa7F)SG5kk2(uy+yUNKBW8=5kUMBgA++b;A0peMvXcg^ef< zq`OOWPc*0KN8N~dva&>b?i9>+YMNQn3W~W=$85aZu@%*B1L%^hrHtON(`+M3zka)4 zp6H*LDq3d)NZD3Mlc=NlFqR?U`4{~PNFP{Pt@Q^iyI4YIh`m|G;iINZZAVs~#9{N7 z6)9SDo$AEWf%0gci_TIYVM6?r>?YMNe!~fXO)gh!X^OWWH*Y>hUg0OvT&y01TW~1J z8D^QY-H

My6&SxU+&P;zpL2%gSYv6ID7~#+@m?qoy`18)Zk1(004gi*80M{0#Oa z?yZt#uJWsiFVVqORHf*&egbFNhE6JySURJ=Ru-5@i+XpVh<2ND+~G)|0?2i*vHZEB z3Epo=V~eskZ2W24+1&DYNQzNST5j)t;tvJ1# zbrUrKv)kLe`%&}3HxVv#^NQr~a{x7k59$sfe`LL*uhXSV%IJyaxOTdbJhK}Q6y6NO zAREKEd=U@xLQvg4&JmS5q}HSgIvn>o+;9vX@#IOLA>Ro+X|iy_Y9&9x{ya>C%U4uw zF6S1@^TFgKdUq}Wc}<}^N=L8y~0sTx_eO0hZ(6B(N@*x3Li0-U9p zfTHFUJWCl~3H%v3@3UC_$yi$)U`)I9OyV{}i!>?*@DrU?YAl{VF_F&&n9`uy%J~@1 z+d+}*l#Mgzgl*|E>?;ggm{G;!NO#9L|N64G{@MMthmWm_>l|upI3Nqgj$CY4Bjd+b zu;4n{A+9HzHWc!rTTqPOmZU#D<#Ob6?N`(hzFS(KuUqBB^ckIPQ6+7G_&8<9QsIo$ z8KcCRWqSI(>*&a`ZRF%qpI>!ABsZJfFe;YY$$~$H0^~lgS0sr(OFWK%q%vlnw$HI= zLqP(FFj}Butq$ce;VX|y29x>eaQ3ZQWN;%yJEA{XrSMQ`tyTv9lnabnOdeL=*Cp;j zvgd^*2a47Ot=ZlLRrV@p&|_uI0oJeXz-KR!+vrKSaSgaONNTtq`+Bv=*e41l3#>vt zx(DR`(3GLv5G&}{Z+`LZ`X^U_%E{xO=;APEka$Y9ND5NMr|**3h_P)HnnDsdemmmx zfR8;|Y<_W#9Uf%g`+knhc@O45r%cL?^0=&?gdOPFWO}3>#T(?qdaAEh3o3fv@NT@^ z_fu75&y29259uhlR7C<%muOrcup+RHYOHF$y%wvUj4QFxUT>og+tsP^YNW$+mM#Lq zHFsks@QV^-u1!=)r9^bQ?98s-Cr8PEK)L!W2=ZN z#lb;g;z;OWDX}?~FRCtp_C!))u{JY~rxC~Kz|$3Y5(ayz_3x63V_=Mq?xLbrBYo z3lIgtKT4&0j{b}0i==SY7Bu$;FK6ft(jmQ{^xuhE1>-ic`W(wZoFrJ(i$9oQDMr>A z!xmIFBCy0N?J1E=taaz&60G;vP?SQ8kk_N%=*gJOQPi4Mpchf1Rm~f{UA;hm0jSk| zMEXefLXjAiMqh*PkN8-d&%F(O)gL5NBm61|yex2azHB`_j@px46>N-jzk*G#pp!Q5 z5cDMz!XPFk?d-$5tROINeT}b zD#PR8_9`{9JP#WJbNa2RhRtCkfSJPI=*hZINwpZ_g9s0EcIW~7x@hZITghW8r_J+i zz4`gI=Dj+%8}By7FTBU|LNCRkBT3F$z0tUHOTR{gqvMA1)?$?2p42V!-Jg-#p+voi zx;Gw}g~r2LPn1qJm7NeGef3vr1LMKs??Do|er6RXaLz?RON!ko_8#!)N@>*dPiO62DfwXyu&0D}1b zZoL}a^fipXFP6N0-7gQQXSS{d(7C*0-Y`FQ4vAQkAUhd^QIx|}+E_$SKp|{{p%{+Y zN%A!b)A$F8g?EJ$l0vRBTyTo(D^{O=r)B3;r_Y@k89R64mQ+g~C|`_S|_&?*+h4pew$v|#nL^?Bmzy^}_-%K&pg#nDhtwI9K@`bUpOGS^wstoAdQ z4BVb6oH9Yad4)QXfV!17wv zV9LpZ`Di#~z6g?BUZVHmG%Ms_Tv9`TuEChk!vqk>EJi2w_Hnn%aK;6d3qf?K{zRn| zhI;0roi_k@Nvocxc#;Bzs*64gC}PTD&L%R+Tl@Z+ za!r3f2U4EIUN*jBBosQM#cg9123JQxucO&#Yy!n|-=Ro4Td;n;c!d6+>+2spZalh% zRmZP#@heF*v@GOSuvcHVU5fhZeP^oJ6ZEK#5(3A1k;_Kp6ObRp^kqH6G>6?3l2c)o zgpW@`2Ew-7W^8gg+}^p|eD4GL;Idf`qj}*oC<9&NqF&NH*Jzfo>@kTJCSDVksH->Y zN)%Jp8qC1B_m%D3Ua)n*gpaqhpK11)#KD;#(~+121CGaOv2?B&Ts()|F){r`9jVrp zWa#d;!3Sq_DfIvqMB2Sc+njttR(yJ(F(%V6OEE~D`2HXvY2e`i3@S_YUM*PNw4LiJ zC5Ak;$~_*lpVT~E&CstS-)dlXNi+DmvxyYREPnMC7$VpQ~U_@56tTA&M}m*fxQwF7oMoqIVUBpv8l@D<;$3h3TQSqVIlc>l?<8 zLtnV)Q{A2lIa;vtNshg-ILM1c>M+a<5xSm%gxNxGadjGgOijaZGdSF&2_d5mJ`Gbs z59xRKrOqsG2J{bALC#~<1Vd-bd*9(v#3)(lpG9+ldMP17&&noJSx1XWrZ?wsqNgKV z7U^~$8bBQUExEyDputVBvr)TtYd|tRgk+Niom1~Wf&-Y*7w2H-8vsTs2V(lv!5fjY z*=YQn#cu%zMAm2YC>aT%-w$qpRN$EY8;f@_gMIzo>x~b@&iLsc(N>^S0bH|vY|b-D zla7S&I(!x$+~@t@LV-%G(Tkvn?*CTgMyDzpH#z@^)^)-r8Oa0`~S!!GEhJI8q&dw722D+1kFT_9PHq zJ|`l0C(uPA*rOkPxxQ&qpbyFr$4O(;=+-vzF^0$m;VF=Yc z;cMUpNr^{Y|N zl(7tL7>I(*;`cE=1-mS9OFtz&UZYHil0^nC!I{vm@Ac2$-GBfQZH;0F*}E4K-r+fVbKobJ%m0aBcHC&?Opwc(?iG zV}i5Qrxvd5Cm)fS{GH3|x4t29QBE>azgX(WWxjJ?Q5(|0<)y~gKNw^FhTS)kiZtQO z9O1pov}D{`YN1#5L(C9DEIpXAP(y>0gT}8+)iBUez2q?|1uHZ0O9*DKf4B{c9jZ|ugy>>>RM|uT;elM{0y?q_OK1NInCWoAo9KgJn z6ve&7jmwpQD==)J&EZ@w&*m004_S0H2+x&NUFNcsq=h}mQ0^Dw*O=*(bz#dP_~mwsiXB$+6ckE%oe)u_0XnSXWSo2!Bb@ok4qaoCxRI4cxNGyGU1glZ0{D-F&!=jYHi z>bxz{5_lIKBrM1gKa8{&Q~BabDoc$z{9E}f(XFrWr*GUahkAWEQdQgT!$yeCp%ZVT zjBwMmkiY^hc+SOCtTZ*|&9cFS*hv$eu;Hc+@3Y9r0L@|?#>3UPn77G!Vm=pbEz0XK zisujCWTl|oI~1c~W38s6&?$xFuCb(Z!S(rQZFH-?7BHW0D2B7{W-rGU*siK&YgGyJ zU<{H;G~2oSdZr43reDcn^8G6r0bcgi*ylS~NL2?`U%5cCIyZmZRjxxyVy)*ytq)<0Tk-kn2t4pzgM zla9mYg{z*Z0jS!&{Y?U&=a&^!8Xg_i3-{@TIR&nE^L=eta^AwTL@sbAM3?+}shhOW zmB!-lfzL~focn>*)g46cAt@El1TqY7U)q^S_9Yc=>lU*%77ycykEf?ptFvK->=UH| zro^Z$85Tin<&D=dfEIzn{4n2q?}q4(&HA@wV9?v0qi!4=RJT5F>==sJNm;x6{M~KK z&e)da-Co?@wB@xW(@AHUYgJil8zo7^LrmNtFFrbuBnVdFE^*O&(1-KoT7jf(%XDSh z0Hqq$N3>m09u+1$6elXPWeO6sQ~~ceQIJmG!xKo=f~7H8Ib6VmCJU5FW!u<5-NlS4 zVvJ73wGd4sWq*o#*(VuX!L0UM=rVESe?ZKUqJt`OF`iHsPS>E>T9q-@4Hbzm*;0AAj4X*2ovjf@rBK`Vm0o z3b0k}d`5;Z1JeiiSL_-5;09)#eOPyF{`BExkW??n)5dz^%gVJ5F_x>3OoVslqfQT! zbV2I=@|tp+a~(6C0Chl$zpjZY$k$8ToWZqa9`WS)g9XEZAtKIJ!c$*!1>B<Z)6`m^Q<3vPA<6c>@F;$5pX_hQI$DiQ4^!Pbny&x2JZ%YQcOOF(m`+;DtcDl=+!G|D>iP zs#)kc`JHX$Gr+J+bS9t0oK9+r5KE-()@!>OTo6{3c#<-Xx|A`g_9jJ~wys+W4|W?l zN@)jr@ol}WyEcdmW6R+JSD77m%a@PgTc}cy9+rQ6He=*pSKr zFpe`b;tFh%a;Zp3m-<5)1@0S|gy327*A_5!9}isWh&V;47e3Zjl-MtE{JBvaR(T&R zJvwk|^yom*DQ>0@>#PY{G4W&C%fjN1ncb@8&xHx7k>*I5D>|DYf8MT`HdCw)nLbSB z1_t*#1>!7Rr>>M_2GLz4k>A;*Nt;`n-U;lLlt1#8G?qW7t-cl8iKi_5iSG&u4QqTV zGoF16XgRZeHX50dZ==o^?~1lEQ?1g(`^jDfveJI?mw535jgBRWRBk+(!fF3uq4C9{ z0}SjahhC!ot^w%V)1F&u4j8Q&h=WldQQq4~NTx_Mabi8O7tk5+d(rA;eY{aMqE zK|`qaZ-Sj~gLzal=(u&%;nSP25ydzAU%Q=?{7E~vMhW&g1Qo@Ps*0$=MNEa(8yB%z zT%7APkZbKcZG~_hE0sQI!(2zJT9Mrp#mYp0myRjqohvB6e-^2@iwySRcg@8GMrR@B z##&2)pcexKXXKF&xN2`*@EbLj32;)*q)98gw{0_;T7$mT#6C0Ro? z@IoA)DOs%~?l}^mWJes5h^=i~w&PXhD(YlIar$z|59MgPeY@Zn@|;RiDA-8Oj7>$6 zZv-wkQ7ibB3^l;vZuoM7dan^vM<;}8GL5}r#EMDk?cNsOu280R)Pkn&;ho%D7< zzE#MIn76Qg=SoJsWb8Mo;9Dks1IZbM(RQ<`-76&OEiA5ocHc@S++O#zikR896CIU1 zXf#$A){uAUY zn%Q(7&PmobU1=5G4ddBc+TP*>XkrpcnZsf-mfRjia*BmkB6XE2Ic~a8n!waNzo@N* zzKLy4=kCZOHAFof9{P24hB%ZuxdBRT83z_gq%y1}!ECNVthg3MWBD5_bjCGNk*!z) zAj8rmq27H7YGSL8v&Aj;-2x^XFVs^a+HB^(5ZN`8&)lv# zbMn~s^2x|P!3Z1`5f<}w<+-ruiL=L!Y1PL})`XcXbCn9saIeWeFiV#TO*rht_{|xV zDlwhle?!S7U|0~7?x>*#NGnnq1G=gB8mCsS@8Gn1Fpt@R5hoXg2O7&LYpqzk_PuNA z2b~58il!-(-4ssEx~_`C{@e6O?$l#e8F4L3w`$n3(ld|+?GJeV%ll}vUR*WU2{IJN zU)$MqK06y|+qqz;)Gpgf8D^cp7vm1I=TC3SmQ%gK1JeG06F@=uC5}Uf$gC5xihQDj zUhWhuS5yCWC^Na$WFDp$E0h zrf6MuXS?xFwtXeXhEKmfGWO)xQ73QO%h-cgdl+mz0ftnaU$rVaYA}+$rxJ|A#)-Y+ z@%8p=uXCnSmR|DmxnpGCS!ofds~Jh;0VJ=u$>f9Z#rAQO&FJ0So~w5Ur94hD6+1sk%sfxT;JJ6_Dnf22)bgG*}1EyAxfhyuLPX+0pIY&TV5mZH|eV z76^hBK*#;!Y)ES(s<%`gni$hK&BG@|V8f2b{V)qFNbVoGx8d zv653$ipYDIpCL~(84z)|N$_;HReD^1 zrI%vD_GaP5y%e~FfQo$rek1h~+&55$Q^PB%M-Gc+;jmhFv;D;UOl4s&yB^|uXlhor zwM5`{1}Qd?A~rWX3iHMyMDFfxMAydv&R?c-O*na~`eTBb{w0|LAQkVdm2u)4NsLdO9KSHBoXYl(7%M6{8_H%F^I?1386bc{B zXa&!=FPr@_+?goULeS1LVmR_W#0;+}4?9;@ zn$hWpKyKrh_Ca~TcosyR)!shukXNlxz~~_SNe^bc{oWyN09`H_?|HZbl2IO?dIA0h z>8hCV4!~c;X)@l6@aIG&PdR@X@1T0yF9fQJ)sNwcNx$kBvPv>k`;!szc^+iLi6IOo z>wwowpXf7%;^^$4i&Elqyo6O4D}fvw?x`KuCzuOTVu8I;Vio)Bn@F~Z9`|FC4{kGY zF5bkOiFSkLmH%koxz1Vy?iY&Hylsa9-MOL|Gv+!-my#+JVjjeU6@7Xjdrw`nO)r;P zDZNT5!%|p&O5o(Oj)Z666p+%(MztL|H=OK*RQ`uD3Lmb}xp@_M#$^k>N}IUj^RnT> zh6cO&B7;?N>@=a{Ph+@+NC-Yh0?A!eQ~CX3P`y~HoTq(RnZz(f5JllOskZ!dABDzI z2{)!=zPwi`IFh^Xq6#p{gW^I9*qUs63FO3r?c!waI+?OQzXq47KyZE82*|ba|G&LA ze~;?A5=HZ?>aRG#b|kq=rHLUC;Fb^qs|^xY5_WuTU-ePdk#s^;oys{?67q0A94l@T zlN)@4W0HVFUYywOre7;qapSL@_rCAl{|1Tw;jLkhXQ)9)K$22-Or2>DYp=cbn%5u= z)cT4%Pp|Y_H>nC4C4t6O7wMwy6k#`2RR1SG*4YJyG2va_N-`kbdreNGGZk59^m-pD zHJ#haW*{9Sa7P*X_;uJdFtS!OMiLM0Uh@md1RW?i3eiT?IaI80j2?976kNCh0H&d! zmJ7}_Rjmc$U5^ysrHD5by~X1TJ2Q@X^Jvv&$IL8l28?MNQE$`^Y&=Xfzai4<=7noi zP-WqJ%qh8E1xt9Mj=4M}{v8(oj^wEk`aLS{9Txu{iT!&lEpC99Qm-VBjCgXm@uU09 z{lpK8R+Bd?UB(KW-M%mKyy~8)pu$Zm6Akp0&jC@*C#3<~b&9`XFNEFO*N`6sB7n5F zCFI(Kn)A3E8BK|JqEQdH;w!o;a_BipL2XIKyyIQfhGe-#(Hy7ZhL;feMZQN}Q(R%G zcHM(U1}viF(9JAlOWw8|9T`&g9muNYbB(~7p5m>1{NUM3nTas?xAJmmBR%gbCBV;Fu{ z`}g3_%m^dWJ4km@orXTaE(*U%MS|oYL>f{aM;fd7D7v;sUEh*db~hf&0>2onJCxEA zxenI{#?-Hhs&!F+YRqDy9Ev17BC?h)RnQ@3RHiVEy%zf6a2Y;0npOkCq!JIlzJ{oP ztltNp?);G)jvs7o_U&$8?SFb!m#Fe%S=|XO(2I~x5Mjf*y`qs2P1II~#fulHaWES; zY-7%0Ex#j4xY)+x;__WhMCfy}m|K{!8Yye+C`gT#XKR=^4!A`4mf%0grQ8hdXW=-R zEc(f#0Wds%JqQbpYP1T3@v)%7G`owv>4iaR_^Y&Ki7}PTWOPxy&Xd^c!iUL!GZ9Dc z^odu(MzzWn;x-(W`YhHO1wQl_k|Fob{)%$*)$$wW$<-cNx& zje4`fI=m;u`nO=wuRH@`g&(3^Q`q zbab{7JtQCR1i#J2OcI_d#996JE}_t7(#oV_tLZHu=II5nVB{`mIsl;o#&D_r_fm~CLf{ztP7a%nbxMvD9ZXKY7J4EJS>V0bXJGD z31kF0t{RAv8ZHHwnLt}u59EuKZXA{3s3V`Ps?-eVAE`WnDAIm;g zgDS8zCLtC~j+na72+t%yNk3K)(+UM)uBsyAxwPX24(@G$QfKad-~MvjY24!^pEo&dPT9+tZ@{e zUm1GlgcNv890F1fwthT3Sv!viG2A>XYlc?_a0nulKffguQJ%g2isVz-F%g zJE`eQcK+j=2V2+eY$uqe>i(8=ETs_Ebl1$?U)|by?|R%Jo0Cscygz5m+ugh`&Jjva z8H2>bU;k|97q`s}%2+h(qia}*O~wzIpHQ9Oe}_ZJX=f3QiYbYXQgQ>dks^b%FSZ+* z+C@o+Hd|^wPI^F{+(PEAOG95KGJZskNXj2H11TvrHVd5Sy~SdpkTXp|H7SjXukgSk z(3+rTe@UTwyzxb;W%}UA2ckkR9OLd^(gqj3{>WVUY$6)82bS5rbSe%-9`6PS*{I8jxKKbta ztMlh(&o0hS&AmJ|cXIf9BZZ;DNa65^8bGqs{jnIU%VECMSMgI^tN^2K z0vXb@?5#VVYz!rgDv96gd9l?bK`^Z)$|=o z38z@-z6Jub%rCFfv+&GzKD!R*269d!5rMePCf7t)oLgga_v@P?8%%aVj;4&#jPRa9 zpLN4ese{BpDO54?fIUG?N}}8{+*9fVkaXx?t_LVL|tsPjnv zQpBKSl=q1f5~M|qdQ_myHz%FS28!i)!H-}~fD}>Q(~~qW^EMWFkKjHQs?c}Ke)SUE z1W1{8Mf*5t^Y-dGkcSW+9CpVJe{byYDE{}@_r{i%&A0s8+TjAeh%7B8Y9A?#7LE*# z92P%EjvR@-e$;qKp@qbo-{J0DWiR0{u$9>3UVqMS5$2~W9Gvs&)04zZOgL?hNgZ=zZH$9}pJf4YCG zjPh(4l*K{_ITj6OQtEC^urrq%s5P`1d23!Mf__y`RPV-!<^dcl`y3;lcZxN@k9q@y92KbW4&dY^b-qFu z#KNtb?6!Qp2{HcV_QM-QM!&g>3Hk7rAZL)J9uFzGZVF0JV7_Xl@$?_jZk%{!>TN~z^+Lq^nyr#x{?zLn&s?MqymrcO)@PlTOhY9vgMS^`D zBl_~syPy1y4sAk!b~l+|($EWRotU7s_5q{G>@OdSb|gm<)!pKyyiu~l-k6vi}f;J(2Iq#Aktu zc~h@RoPz)p6nQE`iFWw&ZRNdw5R1c=Rx4QE57WWJRSk;4Fy zW^aK+JACxJ1$cXSoy2UR&LW%-djA@f1jyqA~Fx6evRrZ&hK_qH}l?~1W zL$|6ZU4}t^350xL(!^4jHCIofPxshhrCJ{px2xuVai!6$WQm>Okt9>;ICib2vM*;DLlwZ(xm5BU`Mf_q3q_c8X7grGy z%~F78<)~KEw0g?tIvjwmo7CnYzPpcuP^AC}>5S3U;_OTWDURA_=YTei(I382Ua6Y|`i;EXd%cV35-IuX@Ex%*q!Kqy@kF zD1D%!;OODQ-x@kPJalwq82%kPc4TOX?!(`aqa!2V8Xg@zcI4>j=;)ErZw(C}K6Yf} zTh3nDpEDP z6RqkfwKF(~c`*p*3?|(qsqwf7!OqFVP{3Hro*H2yn=$RYJlv0J{ z%=H9Iy6#L(M1&g|q#BeCJ)gs}o3BhSyf}Mt!I_wO)p=!NZf;^`;nm}0MhM`kwIz_-WmkL)22VLi+DA0T)74@j?;IJ1SKR6)kWrlZI=l=Gobi{T@iXNB z^ADT~qB_2Qe!>|V86F-Q7#Hzgq=cXr}aUi*H*o`}{;agKP3%FW> zAwk>a!qj=^(D+irFPDIGA0LEAi};La@}U=UZ(!>dvvUGk#5m~}P5>ah7sfH!+S#d@ zskw=Tsm0UqpYaoe^yI{#d{Z($6lzGXY;y9PbM;YiC9AC!M!WHKf0^M z7h@D^kTf01L2guoTI5H1ip5Gv-qZq$SvAL;wsKz*{H*;gvx#O8&H2{TqD-IA_U&$d zy7RB?d6~B!VN&*!vn=J*p?$r00HV#u>2 zF*iG|B_*mQ;r9`9*Uo~v>1@Ge9hAe4Co9ibjw0li4-}UIyX&5j8aK-mB(@ftDL}XS zx2m$xqTSwRvjOZa_uFlel-#v7&K-P?Zn?p+?db`2Y`B#R-a9TGPMG)ijPc3&t$?=J7W=5+dN2tQBA}W7U3l~ zTmktYfSq#kQ0V>e&v_EZSM3!ZXzX>5?RuB~ue=&(x4Ek-z zzdbqzLf3E0LyK@I6wPYUD)zySd`O9V&`}Q-V@x8(BdYG3udpl$l^!>S`CZ=o@$P&7DH2uLd$(sV ziiA{6LW(NE;v8Bj6i)l@N)@;t;OmeaU{LYrP02w!%ei2OO}bp^Vj20eHgsbx7IYzF zA(0)W#pZw^yIag8DsoIm7~r`?njs)0st$*D83w|Bh4`gg23lR(uy6?W{HsQEYU11| zM`mEEnQ0vpabsy{@;z2@oJKgk74gv=?<6M4c((-kFzR=5p-)blEH!564Efnr3T^(~ z_UHa``1eUH*#!rm^lP^!4YxUw} zs}}|+#AV>Ms#ky8uNB{J)T1|&IPf+Mv!f9TOxs8OZwr5=_BFuqYF@CDBU{fSzp}AL zOvt<`x4fk$6kls)0}%Zdo2rG1I5uJuc!dh@RvV*4fw;v0gm%wJY;ZFx2?A3q+pkA^ z-(=;5)9x_sl+v57o3Ytx&~=N&AS{W5iplzRhRR+BVaud|+WSl>)|I*i7!#E_FeT-Q zN_He?O&POeZ>r??qT9Sxqt6GzBj2MuzbOXS`4NuIq205=o>C6ovUPzsn#0A{@WW3>}@7 zS(H%cH3K*rIXRo|bHpeWLNE6$x1y^8QKlfwNmc-Ag&4t{qa$ks%cYEO(?f&Nl3yLf zFApV6K!~KoFxVM0oA3z&vI-Mgl+tZQF3efk#d=b;ZMV#lx>T6+>h7H@r2Lc1+G^_A z?LIaWRQool650>A(9k0qq2?O#EFh>A7DbE-&O{V@x=QM1{+6VodVM30NQarbs6uK` zEH*+?Hm_2(A0h35R0!mI1F&A#VT_j-l_edtTPQWzLQx#s_d7q^+WFVJs-Q}e_>0e| zejcLf&epBn_im$N_GdTnP(iGTS(RXtRGWcPP6%u^vfojXA8d}Cd_TN}$waTm3O?Ir zvujs&Ke&@p$dy|$6vC)2h8blf2iy-6RT_Ss5jIW_BY*LD-e(*WY60Ct0V`;d2#mVg zeC!AnMh0SowSBT)cZ;ixFs27_9jhq-35)!dDu{pTedq_1&i7aap_19;IzhFEKfjB_ z2G;J^+dIFwl|VRgIDQV#m>G$y{)uh*%gx>QZ%{UFc1eZ_P$jglekE&#>%7^RGZrp3 zugh{%@mzLX5{jy*ZDS?md)FMJV&H)wOAV0)_-)$BZOICcgiVvo1c@@%iUCsTOj}s2 z%}kfh^l46``FjF?lX}WYw{1QcOSpm;rca-Nv78hZYsz&&`QGk`x?J~Uk{PptK>vX) z2ze-k#pHT45pEx8No4lM3`W#Ui%IW@bZ#O8xF~B&%#ma_mm5_wZ@L^uO-i^uZdA&6 zPubHjEjAWPWxfu%yr2HTt^h$E1-~HEU!2jjb3yjlrTLlwCnb#&CnQ`(rawZ8Whg{T ztn2hifrtfZ*waIpX<1d1;PXW@f~Y3Ff2au~v+amSpMT z9zH;J`gAXvlb6|~b2>F|qHST9HM&6JXCKiSBa5@?2erwH#K#N_$YZGk?a#jKHCHA< z6qy%S~np;jsMWww|r1*Qs5LtjaD*N^IqWggBWp zLtFHrI!vbMBTo5;n_Gb6A`Z+h|8h_$d(KAL0c5{B(KPN8-pVrpyU)N_S=zZC>;*#{ zSxtG(9<0*#dN4t0q8x{~l)#a80y3OlB@R)nGBTAjH49F?#3%MI!mfZ&4kh*jyw?B)5+ zGed`u9OwT^Rf(+&Cu1@(SeYNjz?X%$39NnZ-QD+p=Im_!hBN|1dhn>y1>iTivfU@D zP6=iq$HKfH{F{{e+C7G}%UWwKJV>Y4KF1`j4?p_+!GGNpPPno@6W0!KIs_ysefI!B zAwk1PVmYx7YEKB$QPr!rXE569X0fVN^3I^NkDMt|SE$5-l!AD+vUeEldl066lNdjj zl}hx=AJdk?HvMWtlxA`OOWYOhI}(Kc3Nm?4uwE54w}scaXwnu%gwKPj%4B(=!^uE} zrj(?IuQqCfC1~4WQW81q0oEIVfq0j_Vxy(&c`Jz7<{-8zG>4c`&(h45nO@S8w>a-` z-mWda!R_~(>pP#^#KiKb8~Efpl7I(aZX&6`LVl1{cb;D>K7pNAb*3*&KE7@D#E=$e*&ePQ^g1_SH$MRi zdvRg@F;iDX?Xdb5+3R#%j#pPn(<#%hv($*ysdi@Pf#_~v#U{TlY2(JayYb|32tn8; zy@M$;DKYDq8X4VXy#ZCY#-=rtGUKyYMQnfwu|=uLGxmVAe}!Qra9S=kqK$(KAn{ey zhf&K~V4rplD>#OeqYOurC9plVN6RoYbN2|HqeycNf?(U?T|AIW=m2#**Zp{eN8I2q zLocj?UQG=+9QTDN{LL-1UY2x1cn^&#yT9H}8W}&k2I8EfE3$TjHM+qX-C&KUFaDz- zV$D!kIr#ja!-tO?N#_4N+Rgv@l*WG~vx6S)W(Vztesn`W{$8_#n#V<}0FEPj58z02 z({>n#u410z3Xt&1w2DGohVl-AH}>7TeL?3fi8~{6;zry~%41b!(C0NiH+yR0+#)7r z95=G-J1R@3e*b?CibROW2M{m7;MO1E{%%xjp}z*VR+JyT4p>idcaA|5Rc`GKF{=cm zv-9<4?%_|re(=?`q~8h&JS4!kKdrQmav4>+Ggm0XX(duVnyB9(dt>B8jp8bvLAI+g z(49+-nuFy!INtyepb(3VExE-@CA5K2o2?R$SAkMXUaJ0#?A zMWU@g?S6b?=NEE;l&$}YVS|f#{513SZC&ZjsxOR_g$anE#p+O{m)=z}V!Dz*72>tT ze4`#O{15xp+B8!PjenY|M`%`{*S@u|s&lL23C~47U13ZRSssw#z{QSh@Y9O%$~+?R z0`uEqNq4TZ@|zadZZ0lkr%BoAc}gDz+5*WJWe(iO1azu;BbWghouTzE)>bWaQ~{aD z4DTm%tBK9Ee-Lk@(r}wa70+_1!)8?#4`!o@I!HhPAIq{&qTv>(B)*PEBBfTr>c(7E zQWTggOXU3F&+qPh_MZ;MPJD8G_v3A+Z};X^XDq$fCq{M7y?p+FDaumGTPu{; zDuuPjbCR4ECkM>T0l}qF@kEJQWE@+swKym6>zyyZ+4;lgs%j)zd!B;rr2vY-M~k%} zC_i?%V$Tlt+&NJ7r~3@hN7@Ge{mlI1*amMdM+Gh(_ZSxp=Eg-;J6bFC6))4{BUdfU zKQyl$XjqU_EBL`$G%4MuzV5J$;9iGP(7_%o;dU~zBL_M%OMUay3~K-jz*oKcz7Oef zmLBZZb?Dk8_qG0CP}|tQ^lvTfe@BK#4v)t3za2i>&Hwh)+yBsvlAZ)^ay7)$+pRjM zLbrj9ohZs%g(Yzd2nmv+rQmWQzyvZ~n_$-_*tH3E)4{zUkDvoBH7MI}zs4YW`N7eTkPz7`R9YKCP*`DBMTe`+hKQ)nhov(HY5xxF{fEFv9#9~4{C-6<*lcT zi*I%|w3=uxIW%#zv*u1=b7+b~6P&QjS*_a7I!yOw=C^P4@=N&gCE(2&Ce2?yEnh}% zxYf(&<;xYf*fQxJr96ouVB2jt(4E&BRloj5XFwQ$b1t~#zyspZo7NWj+uaM?*3-Hd z7-Swc=hard3ZBZ{ozvYp-JSEdy>sgLa=lVpj`nqrb+T=`NdEM*N<6wb%BSST5a6lF z4{NWy2*6>ND;AU7a(RP8)gq@)ZC33vR}HFq5BH;RfGL+iYE6m<5muOS1n{EN(SQtV zCj7)Q*p^|-!RL7!1-Ey)x85$HYO%)D9 zKscTK35u%bafO};f<17!h@3YCBYQA{1)!Y#xe|gsUG4#<+X~_hyUSJPAU~|z!9YJ zR&g%6i~c;NVJW*CdD>)XKi$_Il)6boe4KuCg`(Qgdn^$mcOAV0L{?w=0Nr)S8^@|~ zBvP$V0*gdKAM)pMc7BgOJ~D@os;Y$H?jL-#5FVb|v9=NHigzHFyh^ z#IVh*QL^kAC3w7kCu=%32ybm-B4Z=uQ97*>^mUW${`8yc@$&4{^v-YZTHj*IQ1qzb ztWxRdg>Qa+GuF#Z^WuuprSQ1Aea*x$z%HGzBuS(kCr+yrrCJahrZ-CLC#m|Cxg+rO zuW!^yd7ap_#+JodqGDH!ZaK2|2xs>U!VPvcF2#IPsWtDiSE-?T6T`%r0ECUQZ~>6} z$5_6bvDHeV4bpt!XpC7^{&16W%Zf}6fTnpGHYOm%oMm@@f|;xTcvpDFalX6+`s)eW zYjqQPyKg$RWqEb0Rd{7p=*%s4XdoUtzFc-!EN?;563SzXT9Tm7J{hn9S$LEkzg?;% z=}cJ-8LL8wK)Q3w%&vKrlg_YlyrJ(on-cs`Hnr@FT*6e^P9`0e745L{T(sJ#V>XNe z0V9_PrB47udb>kc(Df2bk}K|E5~AeSr(<8cHeZzqHyajNu%ovW{7l&4kw`jkm@jot zlXV@EZrGS$543I%lv>7hFE}%^3sYm9=t(cSF*Y{YL@C|i_VJeB$QMBrbR4g`)fG7M zDsG8v7Sh(EPsJs4CXedhwl-bUHL-H*u{&tWPQ=|x+@DRTWnM}VAdYOE%CsV0H;(~w zJHNjB!5wPP^o`#Ah|*TJgR44iG$(d}L2u=C?NiQe&gBOMTiI;-M&_ob$j7}J2@dgy z|6)56SdufwAp2$@%1kwu^6LHU zwY!T+Ew23-ABr%8oiAY-{^AfT^6w(?BBpP~L=GKM(w2n7F3VdD94XzxvlSl=m}|b9 z0>haE6$zmMIHKrd$$%-a z_R-agJW}dG@9HUU#d+)g}*wRD|H6 ziKY(>9VV(W(KCChh;1ohvQAzqOJ2$W5nGI5UX5W`{k*z4f>-9Y8RfS|({iA-cMj39 zlEP#p%Os162gH(LZcJ2Be0CKCehmMSY}VDdD4xiE6(?%)Y?B45=tCh+E1?)$QJrDW z4{v_7`@wCB{(WSU-kR1i2YO!!mNEg78c^0~5>v%yzPiEbm8iZ_V&X=riDdAWENlJo zU93`a@2cVfYz0UQh>&u$HF?)-tJNEwQg9`cZ^sgYx7dG#Ti38=Kt|40SyQNaGYQ;F zY*-xN&d*_h-;k1tlM)jmYmRjH_Fu5p464F@{Y6VcYk{p(%FZkscDMVBE$o!T>{@l& zS)c1EecD;uJ0F3bHs#c$Fb#s{_RfEx0y3Z0D6yruy>F#0XMCKbZTy;Q4`7_)_7#~f zz7-Ns^1RzSpZpn9L32kq+O4}R7vlW)1&;vH8GLGcwzn>iLg|eSX64XtkH<&VARkP5 zR^|wURm2)?X4@joL!->3n7Vd2Rbs%Ge&7}BTviGd63q^$N=k-eEG-%2^YznO8g^zQv zRjMQ%8iiD>P^q4jBzbL4ua@u3{=0|iQQOU@$076wFul3Fv`0G~kA056%d+Vqnq?@7 zXt4x(AHbxdymsGcJ*^f&e~FMkRW+)$`kGU_3R{KMNTwaI0}G(lVBB1jZPLp~pP8{# zmMtmEau+jc>}=h{I%T%fRGXrSEwJB*YN*)UFFv)$ypfmZ@qILU)Lb8mV!l0BY zb_>Sy$SPT9HPyU)UBT&FFiP>DR7wK=QnKVP|B->B`U6ojs}0>)p}#p=nF!Fj$enz< zSt&a+t$CkW(%?!9EuJcUu=B}>AoYnn0ybjxA2epA)!RHUv@!~C3PkWDOOb)mh=_Go zGb#3(sL-ET!82aG({8K1LY|2lo^c${s^{4TegjTht?es*+a*FRYG+|~pU@wqSQw17 zIikQL3+4TQu%Alf@4gfkrRE;Fu&Btsu`M2%B}S9p3x8F6vx0k*m2%c-=@#m~J7o4c z-M_l96%PWL1B1<=x*3`2+hHsT4Y+U!Ra{0zY4KS>xnVVjYz#hnOB}`^z^P;SodPC* zQ3^o~GJB&YlmhuQy@~`|eDB)ZRPj4$J36t8vjLOb(S>%8te9HR)-5D;X2LP&R?CG! zmDwlcY?A_NopQ)Vf1?B)X&BTJbO?5p^!%@FdumT>&D6KO^GIS5t}9k;Lc1OycJ{ROo~ z8;J_;P!-2i7Z70}O>C+59DbN>O$tJJuAyNSd8B-QHq13YtVWV&sc1>&0c4(r+&%3X zD_5;TT575E%2(vbuxC#Kqxr|?Q;oIhNA( zafzx(+s5{yVxcG-YHxY04)@uWv{NgYTx`GA&I%8G%xl+~D3I{1O>>^L)vSgiZL`(f zZ0&t%yHi?zlkoyZnck+4X+_Oo#3!&B&reJ`ZmASv9q^}YKjP4k`+NTysc9bDR&1}t zQ0@BQ?STxlSrnIF3#9-K}5Rg zB>M4EzIF%|ej}wO<*W(A69b!u)DDP_3~;=-XYIAqiI47u(e z=1^vpLtigUqqje=N|55WGQ12KtG-@pv$wzCOkJ*rZt4J<1>PB&essq-2h9Vmg~3Yb zR&?b+5G$3&=WxN$7HQaH9-6t?*@ZLni|1!A&McVF_o{1t7;xQfRl^${j3XU3$F@q& zB&7v7v+R02SPwQcX`Q^1Iii$;0NAp0YZjuOQry}Tz;X!FXBW>*pPMqqpHE@{8;&zt znVC4B{5&X^+WdTeE~N>H3>Ne;$Csa^rgh-u_t2Pyiaa=x0rR2L=|UNrhi#^%Ye zv}Eud#ul{Rc}TnPAo>y6W69F=~#ZPk`mA!k4=q#s>oZ95sK_Q9tQKl&y$fi`bE zXbVP4^7ZD;2lqZlI*Bv62Xy$FGx}ibmQ9idi$nubkqA$ z#@Qu?(quD|IB$(iyS}MGL4VG}8=FEa{>kU~(cztYS9d?VFJF`;fkjK?izQ-$%~PSh z{rd1%H&I)_RqRuvE;B+Mw+*ePUSMc|y$ndl_`$YWMq8YY6u6>H0n#f$dFEefYo7vG z@`y4SUIEEwV!MpLZ{}E#Y$9c|QZw2`F&kEiLMs|jA^>mehOW!p&i+Njc(C;@{6E3@ z-skPP_N3Go-N$69DY*$bC2Ar=;kc2Wuv^Trn>h9Fr~c!Wu$(MSID(%<026h<#D?SU%Lrky9r;PToFiSiCScBB|b+d zZfzrTYpbNK#}cXYsYO3BM&&p!i#;}eVPf*7iL+CSFHg&&U$>4@=E>0)I<`GyhDaI873&iMk=ON z2A&z~+QBaOfLQs}$S+AHfNN-bg;sJgcdcSs?foe!<~2?2Ke z)bz~h>A7*rTJK%x7T3za>tpB6;F4b*Tymq; zL^e3R(g>c1{|oh{C>o>8fBP@2rv6IG${+m{f1x>f^VZIXH?gAE<}K&pN83AJZi`oi zdO@l)NJmOy*_Ye9pZq~MmQiCLzt4^3ot^(c;f)Gs-lU8tMqULHORWUMKiX!Uth4)* zo2GjnxBAiM&L<$u{p*i+?tBdbG0g*2y0=*F1CdD?pdUA|+X?kZM0&uHy5@W9R6la- z*6y!ww6#4JER|>7E3Q@p5J~7Lc8hg5m&g$db&a(KF$YB8wN?vc!77~Co?8(l;u2O7 zDO0AmS{SVPn70adNa#ht3lu#>AJ|(cKPe?+7&KP2UJ=Xmt#Fw>_Y&@pponGwGY=1J zVA-B%#E*iq*fvIUNNA!OW}8b%O>H6zMt5DkLlHQCyt{Mt#~|Co3!m<6UMIE67dKFy zLsqz*KYk<7>fx_$?J&CBy9UxdUa$>elVecLGOh7qgMBcwg3ul9Zr~EJwyz-WW5^$1{U@6^8s3CIy=%WpdYUiq?ELXBYi}Zk!X@qOjLB|lzyxv$Qpy75iekb^{3s_5G^a0p;{8NW*l`9{;O4u# zAOCv{y#O^tWkInHOoWsg)mSLA)E#LoH?ij7!w<=MK34sgv#i7$K`rHn=<;CcCSfF~ z>{W^`Mq*h)Rb$S*F9e>!P$gm9JMyqGhSw6P33IoY1t<(Cvd$+=sJNH-94-6Hp5wWZ z@5wcjh90IXs9*QWAP|J8I|t@zP0I-efsn1sTmz2dkyVM3S)xxlyb8*xQs6eI+$|vYmnF<9oo$`i0Jkg&g!3VH=o8%)9 z`9u~@l~R!#lr+b@85)~8qkZ(&@nB$^#QtRz5g?e z^A9&ByyeDDB^Ky<%3l2VH?kYSuZ`3sSH zqQr*lJEi_aeum*FA_GJTQOx{_E==gZ|J4^92j5XpXZ)m}^M2UyLyrxMsNend4fG=* z55l(3{0!_3y)vb}tdiZ6!rWqXTeKl4vCUqowW26#o`+{@Yt9jKDZM9{? zxF}OvBufBbcos7{36PrAW&iLujJs7;FAJ@bBD@(4T5>|vRbQaQDtDOnSx+Y8&~%bY1!c-1_wbT?FCnQ!84s~oiq0F{qnk}o(j zl695!b)&`-vntkWsMdKCi+DGCX%cvMub$e?JfAz07cRn9Euz_;{5qPoHm4aZwDO0M zeoD{JdlgKd8Rx^OMl>E)b}4QR6NUwjB*NIn27F-kdkW4`Zh=OJUrO4^CTkO|O zDj-IwlfSqyuSEpw$@GQEj3*Z(;U`oNgyc)vvRMXoTj+3yaG6oyOAlx+1>=$BSh1J672AXkSzs%hz`-PLvNa1KqdI%0AwFJetPuDlO+qWdt22r(vy}!jLr4L&m`1fYi1GCHsPkCbYUxn9FKF=D+9~x zaLV_X+XAvqtT>7tl0=bnJ*eqI^&qChAQ@>1^;o2s7t^=YPK8_#lGvV|t*wVYzx(jo zb#ad2#YdmxIWt-q9uiI?#PacR$nI}IGczDU&T`^VlF?M3Qr2cXj;`p_i_SlxJz|Cl znMUnH9y_j*ejKR)!6V|`yC4(Gz%C_beX*?)HZiqlt&(CuF(Gp2npU$Y)rQIz#*R{G8X?d9yyLBmk^7$sh)nFaO zq!3LDWO6UD9~p|}#TAx7!n|l{po~TWAgWC1OV|oZWE?lB%e$|FNalvc)eT`}8ie-; zmm@I_z#7Z7GOq6+;R2ZH8#j;_{sp>4nl34^C{h*m2A?Dsxm}2mFQ(=6uiC;v{q`=( z!x``pS^ou0EQHzp_-;Nnd&Ctn3KUlE{}~zb-)(Usb1_L%q6Z%D|N0;ud)k)+&L}z} zJtkSLK^j2XOf=?Se%O{!Fkw4FV^sB$5YS1vg0Uz;MXT|YZ4uq(^D$Z7P_k&ua>7Qn zitT{7?$?{^L{5t>pQ_ zRZn`V-`V--nktq-9&TEOW=AdZhr^8e>uDD$|5!c~kNw-Br<-E<=_k_UoxT!~bg1K|a&12inx zeeqN7AI!`>apKel z-V`4N>!yeHpjR)NkfW@y`sr#=F@3DtAgLCiU`-*=xle$soI27m3^=lCWOE{fioXwRsIMSe??~=XWuq2e4z}Ow`?fZq`2e40`(u zJG4q=sWh-=lgRkNY$Q%pieX+YQp0}v=iOU(q^(2RilxASVA{Sa1E<6sfu$lns2yyR zv87e1jb@bF0=#mDSIX<1O=2j1a}C4_k}lr6jWu2rt0Am(hUsma!iLgfn;E8(GZFUe zUwoRkIpKV}gn*y{qSMc>0lS2!kFX+r_LJCbnvwu$7Kp}S7vi8$P2jl=5n zq%{+*#$GJ@OYwoBKSS&mPAYaQf+@vsZ6xO1h{B$nJqFmwJp|v_h}GGiI_y%)CouMm z5A4RA>;~=IKwp#up7B8w?OhtfDT?+)Q2-pFVgda6Sf*A!fnh~-#0A!EDVOURgeg0; zzXtKOL40M9F^(QpQJ*Ig-8w_g5PShYv%bJbDPO>vWqpB{|74-AMs4L|fwh6}ZS;kUJG;acrg_^o#+ zzKHu0{^i|>t;=WYDRW{9A7_MZp)VX}b-5ypW=6*6?oP?vDQ#IoO}&ED_arn5DS|+TT0t?)2D{Nz zlhAZ_O%h(NomND0Weq(TlBuqtLLt#!k4zK`eO~OFp(e9&wq6JYTd+k;zEU)46K1WRK;?LYo^5|EWsQga1__!5m>AAE}LPAs$h z>J}SJwjX?b?H}=S=e_HyDjQO=PnA+)Tc{16*=~qN zGbH${LVHSQkC`_xM;b;1NQ2$`=7-XsT!giMc8yL-6pUnJ#yk@FS14&xu z?EL&AZP=kL5KDcq^VJo?D{Zo+xcx+;T9XYTy@fInp$3k99F2WTEoB%Z?tJ**Kfj4f z)K8Rj*t~%-A&w~iz{&}ugB+KESZ)-78lqESJk0*R+dKdIW58#CzGY90+qzY$*tEP# z6v-kUsLaxauD{1PBSdK|?f;JvZo+<+Pdl)IUFgw?QP2^b`Idq%Ut4ygx@u3GBZ(!# zW2Q$p>0S0kVUbwX@p^!cAqCS&eM3&C_8Rx)77mS}IyQku#s(xy`d-3#Eig7y)Tc)dAIUQX!UBBE2J*u0Q z1iR4a`)>*)VlNytb6W8pz-jXON60!fStP>g?W=&z4}Wz-g7wKkHQ|{`a<=>)TG+pLooE?am&*cAS^99}i@X?QJnH z45ytri?T9hb028&_1n#d_IC53y`0v#6Yq(KHg|DmhDL@L6Q^dyINSQV#n7sOB0Bpt zvA5fXn!qKR%L)6vHdd@1bZ`dJ{&H`;@j{C;N}o$@ol}O`h6fbU(56SxLgEw>jZls` zCK_)11VV8jFDr9k-Ope-c~G&?fYIt6N_0zB;;N#L?t3!OxF;4EY^P?zRt;5tB4oJ7 zh!;MRh!;j6+Px*5*kftt(oZ76H?p(3oZYSayT98K{B+z5 z_k>~65wcOWA3Q_`ozq+bo>SdPIkKk@!;d&KpT6Cn!8QROFvvx^;WzALV+k<8Mvr!9&RZe)}+<-M2AzNpIB zsubtW)^DhaHt;Ph1X&hx-n(R>{_!o+0sOy-)XRD@A7ch!A_FR8DS70{Tw6l$)}t0e zvNA5BGnmj!C(O8#P8bmwGFVE~*KEG#y4P61hlI9>Sp3tLoY#J@e3G~}BQQPYLH06v zQn4WL#jr<_hMq)H)mTbZcKfXcm?r@9dXOzP5Mr0Ly+u@Q&k{SCq1P0# zgXobNJ28clj;*^`9owv)?$S<8Py&N)6msb~S8XwxkD3?@iW$KHY@d+o| zTKgm?GcQHdLHG%>q;;?Uuab%!Zkr-G;0|WL*wEf_(&n1t z&00|2uDZCCh&+|dlC^!@7oMZ&KnZC9?Ti5#@+F5|pB{}`vGx0i%-%po~d zcOYy4%~F*n9cq={nueJ-%+x-Olr{Xo{6`IpU02_+`z|NEmF|soJq}m-W~#XM7z8Zm z)yN_L{tT6f)K@r|3r7wS{oF7|5IIyP7Ysj1IbwCS9-}zdC11Gxu}7UU6&ZG-T#^W+ zt4pLRHtCc#Xs2hC8W3mq(F83sXUTSc%ObqJWNWfo8p5MKfPx7oCyADp|nX- z*PgjlgJ_0r6$zAg*`*Vdbc_*KP^AX67Emra_?JxS$wIm+^396+iBXST1;V z%=XYI*Il2}{QGq}0om^!D_#i)0nXLxm89y;GpgbCA=@irXt`Eqlt?1dUm*1~H@6;y z7y#i{V`hS;GbCP1L{B)w(tizAOrc?h2$E;I`Q1o58{J|-vqdCplQkQ>srWZ@V2BNN zCzd)($cgFknX-8rjY=nOHy~?gIuC!dNoks6GO@H}NK>&jK8noOr;I3Hga5#J@W(At zk24bvqNJx$u=u8BW#nUBSG!X#(AW8Ses3^Fa18I)nX(P;Y&m@tnd^8uMGe2sDVGS} zY|bs6!};|MSQ88z{^U9XrRi98;Hwjp8i*T~^+uWKG#hlx=_K~K1G37)kG`hzrN8#C5U~sRQ=g&toL2QxeCOKpWToJHg12o^8scHlBJqu zW*%}Np?AN!ssh&4Q`qi6=6|Qnb(NC(RW>AKygQDCB8kL}QuK^FpM7w5=gz0`{^V5D z_WhWgOwfA}bvS~TBvMZ$)fIjC@($~q?=ptQ=d(Y{u=lOTsi&Ml=VEo4e`e~jG4soV zds~D24_bx*obBwm`Jm#}{fZ|smD9en*#gLk3_8|i-}K~#lirLkM+a`?1AY)J$qZBE z9=2fQZ*HO^5p&Ew8iZt8gYA+Wmrv@MMwJBRMy*cUjl7gd9iH87quOrAaP~GxwUo(= zz)=E6)2Ev|pS|ns{Nhh0KM>zRX0FGy^MQ86M}(<5YX(9*~~ z!dj@KIb-;u*V|twy8)%Dcl!L|(VW7gPCfPM*iM z0g-fX+05m$ERx2VF9_9!NZ*`}Kew$Mvqs*hc*7~l4V^@G!zOik_fC|~0;A4eo$-uU z7I8|~Kw@UkJD&^ZVM_J{Bfa@)rq63rqnps#x^Q;Vp=~BmW@5JLhGazH<631pcIyc% z9aokkvoxA|)=nS zT1pn#*?8z+bW`j@!v{4ht#Ok6Co|qtcn@p zq_S)Ygmli-waiJ|)m{hw3AaC|F~q_anC4aGd5NdvuZOZBq^%ArogY(CJ7daBGQ0n)V|ZVP=4WNp9`j`Ga(a zvVv?L$5idOj*ia7^Fh_G2Vqlh6XHugxQZ;%XYY1!;<5A^30B?U(d!{*L=suY>YOvq zWXX+G5fV2k^&kxu4@u=hNFuZg?ow z>Czgqjamjtq6$M!FSOK4!r#+ZH}Svd>h>-X<-}WKe-x~f=(3Wm8{6ecXxh! z7t2Sa9etZIG*jyNEYA=?vT5D2=Z$7BiQt$w znm5F8CaqtZI^DK|2)C1PlQN^+FlCnT*Dy*%T)ioBs^R%99gC#QpwXMoa~;PZSn%uv z{jUXzopSMbx@MgZX(w+F4~B=P(6gYNLIn?iU-6kNHFD8LwYVC>4t!G-eBokgHe=uj z((YA73Hcs<_Ao0uJI5{|CiAKtqxeV=pK2La@)*%7GPSFmxWky8q1Rt_p!;=-RS+uq zC17Px$pJ%3Qv~T?K3KPBrZ$l-u`Cy*B}VVs!!?pXHrjDlN}`;$(P%}l%VHrI+5&dgoD@!j}UJl6rzdh zdPMZvP>RM=xeJ?|8d%$6Vj>>1?wdwayYye4f$W+w`4oQ7F(__qE;`2mI|8bVaBRYK z_-u+p0AOA7LaM?bf?cQxs7pCzOTw)wJs@4`RhKs4tdsC1A8$d|&5{P_ECi%E{l=k8 z1jgKL*P+|nMDMm!5QzfjI1%e#SVBf(Mh4$IO^PhE%hbdR0vNt!Du973>Y=mZ)g`WJ z^ibt*L|rRnJz}W_-9*5m{z%3^0*_QGYvVlDI?PKyQo&|X-mFqU6|#Xts=JpRDq~@k zrnB441B=3fK&-zK(n9t*M_p{*a)~2$&MbG;7 zH$b#E47o8Ib zd6R3PimfV5Yxh24CO?k@CHv!-S03E^OT11EfN}TECJ&f1lJQ#x{lMrc=}=2=r`HsT zE#Y@WVf*7P)^nm!UkzA|f9DDi!ITv}?N)uS?40x71b7F|39ka=|Ai9WEtL80IGXJX z%i)PZewr~ZorwW2u>Y4lucldXq$O@$3hvs|8zk;?LD4N^B2^!~4Wcn*ue`Bbv{C`$ z0RI^XDt^80u8h_B5+wA{ysiM3T=C!Z2Hbi*^p}98kH)HgnHm^y%j@n&H1NYlP`6$X z-}==OjBEhNPHk+&x>a)P?pU20;c$_GQc!H*M6h*!R|I1Ylj8XD^4<1l6{KZtYG)74Lt?u6w{zIZZ3Ojjp5O84dQZOieRtva% z1;4rveGI|h(Zh$oHFR`%=;+8W{5y2)$j}ho9~v4N9vwOIt>MwpV@HmTj*cD~{npU% z=;31{-*Wz{0LhaXQvd#y{Lz`0gGC<`mA}o@cuS!hZsc-(ll^eJwh{U(t957k)OolH zYXxUyXy{lT|NGrsj%ji4H7#Mn`=Twe#WbX=7!2|cP* zLi7#Iqj1Cx24Rk5Rdk^jrP;{K*9$8uxa{oAMHokfl`CaE(hH5HvR}-d^NU_J;=~Pj z2UQVLP(lArXI>1#IfHr?(zPC!1*qhSJyIB!J&E@6C{y*hqRb%Yj_D`q26M!O`WR2l zTu)Hd^t>ii?bIOoQauNomVF2<|bwqUOle-{ed&#cCh{s zX&l@zbgNicayfT?YHspHcz@#5^ttJUS8>>9rWa z&Rv+DpDH-cyyr={=2GD*;Xpc;3MSepd4Npi2xk1MuHQtNl0&cP`D;R_QQPQX&Ct_T z>Q6KjkBji8yt5wqY%oZyW=^kW-kGiz3whvM;T5-f36S5J$HeT=z!`rT8b4DG0+3iw z1wakq_45-BkgDOKf#K1iVdvuf1S}$a7;(O3@-ur0X6#mTfJgI<>dKPqIj;hfd?MnD z!bU*oAGsC0Qvlupwg8@jz*U@{om_bJ!jvOf4S@QobJLT~I8bFcg2$cL@U5wt1zauU zI)bXG59-XnI=?V=-Z?bB)bPutk{^x_@(YXN4Wi_SUeMnQHY@E*c(jPmKi~<0l5`$%#Svrex0V@hE!{rXC{izo93Ck$0J&Pn!+v7vGu=d@<&5mb ztT)$UjM1$c6%Aanz8kQ>kss;F6e}fp^M&+0B4+rDe8UY_K->sm@0>godOtk$0*G$V zK1jnw51G;zuwxv7zH?#_K1yu>5DFT2rPT{zs~76_5YT-FNLFW~xYX)}fogz3Qf<73 z+Hm7F0HO_Q76;4)X)d3f_Jr|IOY_8+`Cd&YSm)G+%)6o!jLITvKWupD`NsWGZ`hZS8c;9_K=2~2a-TAb zLgcSh-Ev{oEt`g`KG7>>ahRVzd*PM2eqDsmYQLBBpgJnN9xV*G2RU%)=n(V{FPBov ztLb8VXu-%!K^$3%dL!gCxryi|)D+UNB%JYEo#{~bmp4!5$PwD1sTjMKc6#p|!6Ke1sNJGqQQT zj~gVF)D?-Di85~l5GyvBd)oOCCVS5(4F@VlAB~T{zOj4n->uv{G?k-6yW12qwENN3 z>=sfCxm?ojk9Qw#Zc7V>)Y`^cp)NRyw;foi^uF;tGU+JX1YU&3T%#6YAr?+YavE!g zi1F2xhu3~AK!QrakFUqm24>=L_81VG6Vc|)){Jf8?N=Bf{h&+^Nk^i($eRyB^MPze zKfYu<=74N<`TD@?>I73aWpzfu`pNo|#H19tSZ;v1GtnWcknGMJCV-=aObr$#p&$y% zLn6MFmOY*3KpZPY=AE1Ec){fR6_FQ35Ky#i`eiRUsJgQ-eSQiA8FO&5WA>`AxR?D( zqvE(+B?J#3U>P)VSI#Vnf*LTYTG`mqT#b*!yq?C;I&o8QbUVo3%T*( zUYRq{a_(N#ERY#Q%oflfKQJJUVL4lJWe{(kAR|cK6JNzsS?Utajx(oNEzw?_#VS}I z+KDCOf`+821U_-n2&;~U9t_hM-ibkbw(UaT5C}WKM*FoyD>2t+>UFtQ02}ZCmnI-8DbRO!Ap5sPgsaJMVsM z=Yr$&+W|!1{ebcb;jyRpSvE_=ex52vK{`K#3BN>`_U&!7(=?e6wJmpMQxxHyw>K<_ z(YQVCky+%#vt$x<9VYX?O3Y}S0*nJ98mlLUPs^;HvXi{WH(1&#{v7y-+x7-irgD18 zD6asV-p_8Jr}xh{Fz<^tyQJjL*pmb z+`$gX+nWreT(-L>z}1!M9AK@QZ9?`fpQpMDawv9IY$IxCbf@`xxBG|gOK8aVT0lp?$^H6 zE!NTETl&=DrzK63PWGE;B74z`jK{zKGdw=9bFvQL6-q8!^QD+2Tl4iuEAR@gqG(uY zMnv9g1Tmp&&Gd~-VKJIB83}n@W{%_ZuCjBIW>=BODw5^F)hZBToiTN-h-(gP4*HkB=R{&4N8%-+$dAVaZzlk-Syy5SfDksKPY5o2{j6MVJte@2W6gcSrDu_#8P9iMe0~8 zigir~`pbLdX7tnj0a<*X$2NL%g}d*rR0HUwNc$WUL4N+o`+Ola>H0ES5D#wo(sR3$ zwUa+=S?DC`g5BA2H*ejl)8TOHZ&}T(HgMR8fYdUmvJzmz_H6 z0A0I^b^|X>z1rFLQL7hftzPh3y)fVEg%=;6D_7f|T(QJzhyNC=C(gZa6Lc zZc@^##nbd&yFvn=&aFm>D>R|W1ag^iI_()+Tbfu~$ls=DC>5#2JhaTIr(0sGRHABm z@)3k~^TvhHuh!!wbe&7y21aXD;-*H!K4P^Z5=vr@y{c0InaHO+V1C6Tm#i9ff{37= zVGk#TIkl_bgw;WF1j^CNx?q2(u`E`1t>4Vamr6ELw z2tfv)16=TbYEaP*UpV-gj&Uirrk3lVQl6#dY<#@nt0DMme(A{o4?6A)bfVZx7Tg@C z4{NIZ{u^g3)r_8S0OLUYn^+2y8tZ=|i{RrT__gTCEW-2!$1Rn@SgELXRs+5SSns}n z?dibfc}WVQCr1jf)nW{cGeKR5dMG#v!>C&=dLr>K+siotwa#PU7K`ZXX0;^VsdyDE zbc+`DMzxHE72MdPvR~m;%NQY!4$dy$vRV^G`mh>MQ)a~qptt(5nrpDcJ%oPB+`q^z zf>H43A*B5E)-JulJr>^}VwV{P6uhKlpM}^Ml!R z74`i;{exf#RPn&PNQUn0d~pL^l>T@ZQ%_@l3Cx)Or~6zK!Ybw|)2E~3k^YGN8-Du} z@>=@rLl{)tE7=~7^s}MPGRuaxWRK%x*TdL!hJ+c_W|Wc>z4CNpbHWMQDvgRl!RGIG zZ(rld?*8oa78UKDB2*VO)uj{1Cs&@>!Sf;>Jk?-ewE-jd-}DY#^vFJWka~sgdLAfy zRgH%VcU3qopxKzNx2y#YyQx?Udmt_{v&WC_?tF5MYnT6pJVky2du`i!c=IDOPu)$c z3Jj&HxOOG63vJgt)APTBZtT#DN5Y#lD`e6LY3cQjw{%>gl#Rk+`D(ms%!znsE%7#% z2Y=rXavsx3#xul22hDK>bH_AIeCxD6ln!Qpn{etC=8Wfi4;EbLsBGkLUSGwM@|4wz z(!NEk4i|%I3Riwdf_CTb{oPNl?|v)_iDIfWnZi94=prHf(*SzPh*+c(vkENiP+`rh zuNF}0v2RO3^p1INY@9SI4E12SJq(UhJl%|h@8*7kur-<4KVOHWosaz)QmlQ=T^+if z4o|VCL#q9Mf78FTwEqu}4#n;NqeDl!_W#Fc|JSzv|L+U5_m4QUp<66_1v9bBI=wJe zUGb{Ui4t8EJiHnY_~owMziapJ+Wq%v_kSww_6MAkrQ?(=vWA6L&S`21VnS;j zrQ!>x-{gWKIi(VB)JnAXafYn{t}}sfeq|Y-AHvb)QGp=%$u%I@bGsGj+0H7OA=_}F z*#s@!yo*%|;aDAE`C{CwCpJ(eoeog|hwOyLTVl-=c0l`vgM`bJd0)lHn{8$u_gHHig@o8_1k7aivRj_Vg z=fmqe_paLQi2io3-rC)~#c@10cCK9CFaMP`69w!+VO&Cmak~`#z;wwIRx%Bw3^G^{ z_BD@g$*ZqpIaVOe_z%;@n0XV4sG&(7m8~?_pJ0`ZFSa@G8F!OZOzFfAu-!iReD~I- zwOyL4e@8L5%|0n~_w0+(<_UXX%Q}w(h*hct0?pa;i?s$y8zj}a)f^@{OW45Sq^ZGXhO@G~ zQHY~sZ?(6D*@9Gcd1vy%MQs4gr&Vz~EjU^W5*T*}b%EsULb82s_Bol#5dDFEOT+)^QK zDaCCb*q)i=9td3}@)%r*l_U=_HsYtg?a}8(Mb3f;(rj(j1>#9D6x0Ushs4{dZ?Up< z(Mp>qnjyLzIek8C%rfjVOnAZWcgubl)%#l@w0SDh(YbZw!T$KKe$!N-y+1e0Pf<18ea4H@kPP^glM!T5CJn zzM9c6E2uoahb6_Yw1JBWOpM{-X~D;v71Qa+r6O)5kMP-=Clq4kmO;gHSx6CQ?S|vL zEHhMqFX@C&1e6P+N2R#Z?HZ4Nfzi2&xwYSa1BA3Kf$>b|Zdl1+2?ULo^(y6~zhWkpVjw>x(Rx0r4O!$j6an*Xl2%DDYE9RAD7CTI>2=*j! zIA?g2k>8aN!%aoVV=3)o*`Y)Pe!4ZP8-m{r!SDWcZvW>Kbl+S6n%n<}j*T2i)PFg4 zbf|0pf2{Ri#G=P@0gMa{AC4si=;i|G`UG@+0uIh6fW_5EO9x=Jv3J)3YGx0<1(F-p z&IK6`226C?;ZTPY9IEYUkm75Q@Ha4eGh7Zb+zwJTg`743K;VdEqn5DQL@|e-7`Z@+ z-#043-rq8mCh@T(91=2I60+P9(#qTlNW@eSnI?a`j7rvPmS}`(pC*04Rl_ur_7vXzQ4sj?+zG&kpF>VTVSf-|iaDfWwU z(rA%oyl85~Xll-Ag3#vQIf;N#qgG@6G2&Mt^Mkl$!OkA|o9jYj(*}+t?Y3DO<7~}w z)4+oLS}>+rPtB73H#%)7M1kx-(j7-7j)Vo=>-xprPhvatsl} zmM*Ck31CqrU7xg1u@2p6hptlTZ%h9J!eY zHw_#z@e$QB!cwgXl+dm#?IA|XF3EGE6YSaf{pSyVdOrhyIxe@@fg64Me)MUDblStG zM<}0z?!(Zk1FhoHp_i37WMgaOI8$zMmEJ4DOsVJw9G5+q8i2f!;OrTQJnX41#P{ z+*bG}usiVmQczz#4!Cu>F2qah7T@em*@+0Sh!Q~{^i!r@9y-C z^$TB{2Y3LRjwoo3nH8>h5RvaYxCe$jMakUodwYl@zrw>2+5Z#ETPZMaa-lUCgMO2ven3`^n^T?@DjYf3# zC*&7N-lR$jaGV_y@u44ST=s?kVHLS&>10i~*#L$W*Ax+I1^xwIX~l~Gr(JYfBy8Sr z2EBT5FanuCyeO~n1Ih9-s>v$W@LdDZP&6BHHWhM+tUE)=qL8f$jWLQD$x+EEjo>I1 z<~L2ZHu_*&yrKQmcIhp0W3wFXjS24l>WVo(u>l@_e3h%fNsa5yy&Jo?D2oexlgBwy z$Ur>tC4W5xXpN=OHn#*yq?MCvy7oGcp+$p}%#s-;LP{s6j&>7l10z4Yx?Dr}iOUB! z)pD2w7HDzEnNB-XI)fzx^V%llZ7@kciac4FMPG(2oRE^h%6 zkf8*YRAiJwT`D;vqpLJUZrqalf9JP%cm9JCS~c7BJY5l&2rETC^+c!4aFEu;08_N( zZC1?LduFNx23h*;1z7%?yN+xR$kDKAg={8>030Pj9c3im29ey*C^F@GVr5^o4|a-2 zXAgT*>*dX5r_1YEkStosUtab?4r=nKj;I^Us6M#lR|lh28(BIXi}Rglh7KP&&i{3& z$t5>h&9%4c= zM>{smSHojGD7a3dFAob|ah_e)HQv)Vn_y%k4I4fJ%qiHcDF@ec_r&(X2g5-6=6#CZ z$ovjrS_}O(7|{yAHCXdF*BbXJ;hpOtjf{1yFyv6Fha_p87o~_rXFX-DLC||)wCdNW zvVC!tSE@*QD-5Y91t!A`y^3&npCXb7Wa(w31^*zzxPiaJV;$Fmqp@$KsMU89?WWC>8G38qILIBH4xC5vNHBGkLo^n$$M?jWL>Zwl! zorkd^QGf8&H4(4@3x>HacRsp?BFe|t^M-)H111QW^^8SO!N>3Gy3}&LZ;Ex5f%jit zd2sJ98DR*I!Q0=q5eTcSVJT=k3tiVR+cnH~|JwBb=P;%O4RoP#v!8a=e1aL}!~Lg+)eItZ1HsY{fE({9+aQ_F zo<`Ge9FWcmy7~j*i#(ZETsrN_ly_}H#Od=2D?poii?s$OkidU>`?b+HUjKndA_E2B zQHVK_0?tJfHI_uE3b!hn5pDPO%LEd_#_E>16C;qgTv#l5a=zj?(O@sx{_%z zSHV1pDG%;lfxA{V5UzrHw*leUkrM{qd-zFIhYP;3Ww;&3OVkZzvsOH(TALmh&X zZRp=?)s8eUWzwpBgbbfDz-9yM<*!sFgKy4zFR;?FFR0{{box=D*4oDU*b4&n=oDsx zLWx2vC2tMbt*C(SrY=%?;AD?Fx@jGxr9`wQynoOKE;})q;nHy9#?ICa)^#UK&-CmU z(k3TwoYc;tq5SBf&LALh5dcsN1DJOdgpo5u7OPQ-qNzS6F-WMYr0A>h;LC5E(S+&c z1c=X-GMv*Ym=OaM9SE}!J7 z3cTsi_>f!n(wnbD%+8W*=?a0ALTU zljB%i?Eg>( z3qe#38c}%z4xZpmj!YmGw%K%|Vez9?lvZLyqVVeOolR6ZH0^^t$OtzmThBLJJ3mXu zA*|TCX`xYjv0I%fAO1S!KAj~c*-a4$H6>8z_yRmk_`}5V^PAbrpCLVJg=tKVY~DI4 z)Ze>Jfk~Kg{aunaDe-Zkxp?}!?cGoAW~F)Vil<%iwCnEI{cA`5KQr;)3iZqN{T7Xz z$p525iTp3aM~-#n|HtwNLQK#=Dz_R0=p;XuJ8A#HF)$T|L5Mpa|8hAGFEQq!>^bGY zW&7x=ivT)->6Z-kkCsQP8|WUDd$i_zK-FbK%qs2M2x~hd_>=W zpot(f9x^UfUHD~Zun~oWM4~865?&&;RmCl?mE9^Oz1OimhjKaNeY|TlI_9)98w{R- z3;b@Va0GTs6pW!}0$B-=(yQ_VVSOXQ>&yf&>*A^i7D2Bdkg(u!fGU-VYP9Ytm=5H) zv>Ke!Vlm^g{m6viIm*A?B&2=s0dfn=D<*-XCU;l9bA_0I<#LfKJ;3&0YZED z2Cm>DbvE|BqhpBA*TXx4kaO!16HY|a&H2+|y#dC52~P5j9I0i*yTTYCGj{TTL~2A^(sQJw4WH-MU6=#M z-WQTH^&2Q01!L3xbd`tI=1 znDhMsL03QbOnps$PyB5R%9t05VnE)tX;P%5X~Dl( za!z2=i?~150r8=UMW6^T+(Te{?D-gl%su%{b><^Q_&pRWCD!l<(*2C5$6(@CqPnTzK;Y-Rw>Kr+ACFT>$tw-S0Q-sLA{w`<#MXJTVJ zTTZmW8?S`{&TLzhmfz#HO!}iXO@6RnPU?FsnLT`vwdGfXb;|t4XH<=tL=e55KAF&s z)KG&ZZ*4HDmyiwdqiQcEJgnC@`kR`}hDGi^Q8wfc6olaHeoEF-J2a)w=l~65&^Fn? z&@1zr2v-rw)%qXJ0@ik7N<|R&>h7MX)Dcw68xFT>?ub5MABb-?v+xM>wRuaB)E33U zxe~aeqDMN|1WsRjBS2qf?B@12{reJr(0T``Q|G|;fnFdnZ@oY*;r-y=mW=%DjNt4q z61M?Hbt*pwI7&r#yMSbO>^&jwlL4k;T^<84MPKa$^Z)ws&hM|;rC*+YkS^z8BFk>I zxN(3$y@&#*L%rlh(e!~O7ZW?f*;8w@h&aMXop*0OxOWY6cHPBXSa>RJ-ISq|U)|cd z^9S_X;lf)_1dL}C7zdaSZihEMFnCWQ$L7eq$t7kAgJl7FiYkhb2@yIH8h7eaERY?6 zKX!{nuST}WYDuM@UG}|liOd%SE>gR^KJfa$s#mTxUsdbe!vUCUd1vRNYYyzAonL+` z*4(VGwn^?eKluiBPhY;@PED+~m)$$_F;@L_QFx0vCCWIwyLso~d$-LjUFtbS_WtT4 zAd@OT8_Wo2*)mDv<3z(1L_?OM+L5dtI|7QK*@i*NJ}XU5OP&s8PvRoBSMg8@SaCP- z-I^OA8L0p+`j`-~?pM4PbXw9}%sRLG$@LV`MWm6SfOf*Nwor_m%x>Su)X>=8$9FML z?Y*l;%I#$Cx5s>Zwks+htmuQIu+LRmTb23T5yN!K-kMjIF_01ECoH;lc~CQHHmaTx zAJ}v+ngbqR8qHgrGQb4g!zju=9$$ZljQq~O{tK;k^JXX)ph?B9{+mdLE}b2p0yJq` z6>?yBg7^SEHqapNU9N>*#2yK}+W{f66(B;#Z#C!ESa~0hB<0X>>P?*5aFDsqh1vP( z??b-;vXWP_T1pP8;7r%azCy}iz{eFIZ3c*UrIOD9+zJJ)wv>(GGK{Y1*Ma9`HwU>A zc#!g1C{Q=Y;cTev{OgZ*?tD$0DQD08z!siltUGFS?z}6rTi*HT!GGQYG{+1VAKb=Q z5Yr#t{D`iu2teVv_{kr#-iDr0X#|b(;TuOYH8nG{rgXps5>5Hx?Sz~Aus04mgLmgz zC|)wnjJMoLtqSp~Qn|J^Fz=L=HqcYbC(|C}*CV4D+#-37_0KzgZS64efAHfdB6vul z0ND}Q!reYj18vf&lvcm|2_axC?1NDgnE&_QefZujF$m<>Xb_ljx#F}jaqQS< zeU(}!p;SUmVJD&PyebKW6!FwX9sqjH=K>MTwKsurN9w2H-H*356MS$H@F~F&T^IMR zi~HY^|IfPX*Z0u_s73zQ;nBmRasQvgN4oi6yZ%32|DUe^PuKtF@5BEG&zytw08;I@ z?E{2g5GK1)Q&ThqaFQ#M&OfPvpF#kju--4PpftGi(X|I(Uqe}O=h~GA_qPtx=Z9y0 z@cCW`qLjRa(Nph)VuOcPJ!)^+Mf9+D*+;1~&*TXHpNTZJAx5aPO=Wni*n^0xb#=y1 z!mJoFp~b;MCY8byKE{@~yyqYPBIKyuTbmC*+IFzU2dn-cn@dak{uB|K12|1z8#uLZ zIR<0v+!yuZIU)%`!OkbfpYw=h9mLr=5lAE&jo=u@GmPJAt^-3$&j+9G{Bb*#b|i{6 zW`%>x4^V=>0t3Q!AKtugS$lRrzAN?Iy#x6aYk9@ZeO=#I zaP?$wfW<+z#QVGCMLx!TF`BWi9uDy0s@E#I|2N9^(u%H==I_t9sF>NU2V0bqQ;ubK z`>Lrv{~OIUNt;K86-Lh7#hIDunX{d#o{+*u>|53=8tCP~v&3rIYlWRAlybCYNK#c> zySKkdS-AtqJsAUr9KhT23$qt4Or7rC2e4onVcDEO?R|ulEOo28kk!WINwhyO{QJvN z+09nc%~sM?<#tuMPlf(Bs=75mllo)H|2ceYcxX70|MT#0SO5ET>VGGJs#SfYIjBKP zR|4Br8_jx+NX2x?#;y*ys{{VK*8z7`z(NHqkDY^516zHxtqPtOU%@`sF=>gk{)QSj zE4GZps-J$k^WKkl-}_I&Jd;Pr&X<4Q{mu1*R0Hdox1kC~4Gng=ca<;)Cl;|G$-vr< z<-n-5uN!{)=En_{prMinbUWCHDJsQi20BZi`n1mT95zI*J*`%Jk~Fug!Ma%W$oXrW zFA)8K5Y`pXuRW}5Dr9D8aNc^#`1t12pJz9@7D728ob%ux&Wc2klg@aCR$Y7_wJ?Vy z`)Nu@$pMpSXt4-8u?Y<}7LAenc z*Bx1M%T||Q#j;ueY=NG}?ys&;fp_@u59npupNnfdverQ!LFg5ZRgVHxT?6kbL1jCp z8|<)EDNtmFBKF6rx%JfoaJM0+gsK)j%2?L=Bji?3AOWWX6jd&mvkFDW6NBouO6O%2 zV9}oyhmDu1te}YL@k1apa$1V()ic)Z>BjK&A+vKme;RQ5Xa|eKgVd4nrNoNq<&2Nw zALMaNSmy|Z2VjMq;ldEyD`UR84dxaiF+It|;|xI9@=}W=8C-=re25z_%}e|Cb`}Qg-2R5j z7w+Esx1D=ecR#ytPrv;Il;Frl4(y7Panq3O;*X@%BuK^Lp~TWU6yPNyWA0*N?)K2c z(tC2B^iE(~S3|sKwh{#u6-} zWMpGJPK(8I(v2Fte8_oFn*?8!VKiKc#wPFMDKT;GoFJJP2B5eGZdslPVz@v%est3ySuh-QQ0E<+SD^u!?d<2moXac5dp~y#MT;v@Ho=!QL3T^D zHR07(eE5MN?_@q9a_lFpDE3dGr|LxL=oIW^cuG4!Yza4xBeu|yNCE~GJ^bkN2mf{R z@q#!65KDomGy2dGsOLl%NwSc4Dl+e?v)lj*0My!MEhXVzU-gTt91mw|6+58k>7;@s z3x+rFDS!M)KKYz$+M;*OuQqq@Y(D(tsyH2Xf4!YFgG$?}kRxOz-rF~K{^R~*T31sj z?TFN$&_hXI%2$wlGs^I)>6N57Ar}LyYq2mxp}-ZPh(>(j%f73nD-17GV^)%=A1SmE z8JcyuXHSR^T4$$EA0d&W?;e^i$+RIf$1wC2AIC>;1Topj5L(oWhV?#vOeujVIT}%| zhO+YlAt9EaVARMid1bFI^GK_{%o7uVRtuuY2S!5Gh<76{Ki^me2_#ta!m_)uOf~A? zgnyRY;w58)bw;-Ib|9xGDR(DC591u&)C)L}Ts{(HViA{eBPObxQ_<VPuG`0>h5kK_ej9XLwDQ?FvUi^i z-G1Bt8k3gEinta+Oqg-f@`#FkHgd4ZuLCEHeYdvaSZsS6pm_wlm^9k;^#Buzfv9GX zY3p^-3`&}uCE0%5dh!{jCX|SD24%j7BFV_kS66nvl0w(ck8bY#B(?sihS!LiwE?k= z*%0)SgRz8#gl;LOim*NR6R=(N%98Aw?&sP@MIV^vB_X>@8Cx4ljqg>ZudINJlvyPp zzjNcp&Yhn;eE$wA2yfqPHYk#Kc@-_Sk+lM?AT{AExe*6D+AvxnYD@_f>n1Ew--fSX zKvT}n4n?pL0!S~0pRkyP)vcsXrnm}Q3qJPXkV5MX9LVclxokA#Vgm4b=&GEJm%I%U z*iaKfwVJY4O?)6Ihh97Um9-?CXfbOsgsYZ_;=+{FKfd+w#OpE_=NF$^aTa@B-34SP+Jg|TIWs&C%6@e#lbF>C9U-Tu z&P-f9x3D-lJ9B3G?6}z)EcG&#zLS5AYAy8F;Q5N}uHe>F*YST27Gx2u%f-QrF=s7k z+mN@+%Ppov%XDjV_v@RShcS`UYv=3Dhd=%L!B^K3x+P1$)8QOjblVXooMy&Ml+NQy z7O)VPnGZu=9C1Jdv{Hx@5W6vReTu+kY0kpZ3fo+O=?_!Tx>uf@e3r^Os0OoH2(1;* z8jnSBVVlbJ#!PJ2cQ@~oil0sS_jt>Hw7K)iO;RRq-3KsdBu32yz&=mE<>b?+Zn+Z; z>T|dCIXs`jGteO%JNi35fzy}~%Dv0nwuMItF6c^|1J2sRElEZ*dXX}}{iGEOtRjtb(;~|Ohq`-pXU#1)fW@YIr*LWu zB4(!a3xZ3H8u?;z$~feruzn{QA@JI(lkGIlrl)P=IKPTKtT?@uN7T=S6VLAZ*Wl_; zyC2`!`Nb{cSbnheEBy4q*8iqJ`Ax+>-7y?|9)X#9QbbnNM)|v>u$|6*pUG<{LCUC4 znLt4viR;$=-QR857LdrVSQ277IGO;X4FEKWs7RT7e$PYc{N!t~F#9*M&M@Y24Ql{M zYgqN_`#vOrvIcUskFo7o>=L?PVYN$YfSViay7s!qX0NmDKe0WrkEW4q`wu)jax8BD z85%m=wf{Vhzh|6tFP|TC)-Y4A$5jqY=NZe%DndI^VX5S;70PRs!rF>+5{t3ta-tE~ zpH-)ZWwYCC0Y6xz4^%_{{mlHBGZ&yY3-F5i^*5KJLWsB3n-|cpKb{wzJAnU@*Z)b! zau$z&CDlqv{+3!1j~DqdHs;lf2_aoH3RJcl_c|&vIMqb>x=<5u(@X}Rs}lTVofBDS zf?6`a!iEo^PCJPE&tro{(E$2B(eXGcJ062{I6XjaMuX@6dQrNf%`IWAC8Oz z4ceFOH#Y#|YqaQ8HKoYMxvVVcS0lgV5w^+vjRzTQPa{6ioU0sE{7S1A!d5S|mx8f* z8<$$wIu0%Y32WmukX|nBQ|Pl{hi_(m&t5m!(o4W|MtP@L_FO8hxZ0=#wGP&+MC)-* z((Wq@mej(aNVP>I%2^C5kkL~clJm?<(w>twdVbjOu*wGaN4;TR3D0vpt0EA60kKnN zQHcDNs#``sSu;{w7U?DKa(?>kg;(YHhNOVHlwvAf5wHPCj)9#zFAX z^tp4C;uWS*B;JAw48rk=U@yQyD3=88GcuU#g-eh*0Dip*{HJFY`o%F750sC=-*%^v z2_bvXuyR6%P!K6l7kTqRXg+|?^^;4+6IvU975Q|Y2 ztS-z^!K6w^m%WG?8+RGGBJr6FZ%~;Kb3NR2zUdYfJcVCDk_}A@n3Xj=L84C0??I zh>NN!v18)GG-_ke9({>&xs#2ONDELs1e3_qfRk>v#OPAyR#y=DN}S-qb(UOcL|DKn zBkuvg=9N5xhiFu1I53a$;f5r_B0h~b5CV;fdmqz)yn!4*-d5cZCf0-a(N6$F!g~O7 ztLHP)g)4Htr*z>uJGf{^F*PF5F3yh&cgwSBkHl|}>5Qk42_n<_Bj+z3>Lg2XPttD^ zQxQjvA~GWwe5-1VAAFt9;f_Z>QFXj91pEw&#YPx%L~z-2vR3k-XE3rS*rz3g=43Js zDt}~dXd&M2!z^0F`(+AQD&6+el4Sb{) zJs5nXaYb8vGORu_3TZFyg|_u4#r~790U5m+R-g<^5dVP`8*)moHEe z8Bo&nwV9=|nhHX;K$N&mkEB|}Q1&I>8BG5^D{Wu)`XzG4Q9`~(tp;4W$1pFXw>6mF zSW+}aCqCbe+gk~xcnG#C@dItkM>wXLa6L@XOn9a~UMbg|S=ijdT z?~{@?lky*O0gu)HZ{*16k%a%>=tx)odwlX=s|+urU74>d^L1suzf0#neDffk`&9eQ zo%>jr!6ZD)yEkeS^HB z@~)WvFov6j)k?)BzX?v}TLI?Qua!OWs3IS@8g+tepq^n5Cxy6FbA3Au|6t6sX&~3- z=l2h!|I~=;V#;w}OW_pqBxYK}nb!Q$W0@!P^JHe}<1Brw$MG0uIeo!#OQn!}fS=5C z=Oy|^j}3jXkz!00r1MuJ%P2gIu*?vaBae_p!j>*!taI5Z1s+@G-C_}aFRhluI~5Q3 z&JA+kYE(hA#T4)MqcTYEln*=d>f~qa@-15($Q?z<4mLYIh%X1`9SH1(-H+8=gJq2& zbQk9SMOp{UjDe2Y>@2H&wIz(h0OY2Ms2X5H+X(#Q9t)S?-vTwi=vNn)HqeRoWQ^Hp zR6q)|kA!&s_$GYA&gi_W_)}({QyycRdf7TvgpuaM`QZ`kz+$${r_Xs|7+d<|Mvyz`$wGF&@E!FR3or| zonDx#u7EIqqC{5(53j}pez~jn@9O>kF7^ITrQZI4WAfVz$p;qSuLq_~spXD?RM)o* zzZdc5t6sUKJ{*_@Q~+3_Hr?t>F+UIi_Y*574tJJ1Z6@@P;&@L?#cs#D3H3;ny22!h zqJp>9kQx|F99k<;=mpNBHCT1zH!AUc8Eqega5^BNDHh=;MfEUkXbE7}E{kSJHC<>n zK}!h)M@t1MznQsORXKN2MN(I46g;)COj`kDc~n*P{;(Iv_``-@m$!ndb_#-#=A^P~ z1AW};*gA%zBihh0<{DDFXhKxh!&mfY%A~=dBZa#o&?Zv7F$kYFV@C-!D(!B#{Zh6} zSkd0Nf-({i;Ln3u^6Kjz9KNty@E^wEn7(tt$SDSRJ}O&zbal#}O&D#Goc#jiJoaZN zWJAQL$ky zQE>6};A~zDFK;!6={^!_XxM`_*d9Pd${U3^0`yjUpUBdOxb*6n*sryn;|8tFc?KP^ z(wZP-BYx`JCP6nUa^4bP`D&{!Y%6j!qBe-a%T&_*EmqGgT8U0XGqhtPr_TojDg!=X z1Us7zm;ErR_df;|W>bCTKBy}(n~|i2!*VlM+E~8C;++=9m)@0mreL@Zd<-+G$`jmK zY%;cJ?ukGW%|}r-Q*x$rn^JNE=VV!mj;u-P7Nndq-85q%k~D;EN7E?in29U}qJzA( zPIs=g0Dw z>n4Eh>WaI%;;xVQBk7vU(Lt)3MeEHq%@hn8Q$0|=9ORvYswlyu!b=ZG?~Frjt#%%6 zspNG@r_l1Xsq!O9yfgF&Yc#kTs;eFIu zqAL`t51Dq?i1Dd<1(mPWS;zFXgC%cmFshgEX!WCNFM7w<>l^(~#P3kihy4Nq*Pp;V zhupG>7JU)AMFFQI>5Zc(O8=8_yHs><|EDizm|h3)G0sqt?ERmj%!vNP=ctaG{hy;~ z`pM5x9hLh(N73{XpW|{KHl$lEZtUMAFCv@oP@{RFj^d(~N+^B?F6B}g5GIma%zK<4i5OT!zu-&oG~pv!eHJDS3KuM{6@_994WO!4>iml z?n%K)$nB0$y08H|vx-e7LRMsHm>g4sX01$O1Cy&E0u$)NsnBhRNd30ntEg5|u3ARN4a)(z$FiVuGy{68Gnk2C-8=m;>FiTuBZhr9g$W3B(vw)>}+ z4v@)8_W?~&t0WXENQw-dN>^g&N(^0Z(7y?9P+Y(R6*Xl0Eo2PDBcK<`tu2w^^h}6#^4Ls5cFJg0Zpy8@J_pJ@t|gCP~LjVxcFvgL#v7Al0y?WJ8SL~ zHn-$biC#2qxGS+i+Rr*noJ;}JRksFYsov`4m+<9Fz+E#;n!kKnzKr~AtC!Eqmn&|u z)w}2L-Q_3(#yb`@jdxyaRQ>uJ9XheXITKt`HrA+_v+CdOUf{N#*1fz zRP64Y?#}7%oWJdzQ^%L}MX4_g{QFEIe zYFMCgxs*I5m+ezq(oq_2Om3`h_ajG-)f_-JO!D+mJVIp;18d$s>OkPJk?v^;9e_}W z4gzKosY=m~cCW)M6ezoI@FVcFf_9Aa-Sr{Id?#8GBJjJ!8WOiZd@WbQ7c0QHR;DUcG-Ghio%VGk69 zb=Yf|3!v!@ZCz$>dlw?mj zp&sR$0M^vQU;{%1s!p`psF#BEYJq@}OJtWy00Yz0MXYp#u9skvlzjx%ODSKUj_0Ma z305ZDY*=K$j^0x6Ght`C$Wr$-S=S-vfOTQ^KFSa977&dlt>)EK3A`nOwSZp(!-5w?WMbL3$R&)9Kz z&398)Z6>j5Av6H{iawS^ORb$mtRkjEuQuOulg1h)S2S&9;`73##a+QD0yGoG#ksD? zw;C0mp-FRv;xoRsS(aup>%#(?nB~FA7p;zguw5 zQyM1j)t(5D&Zw~@^qkaQT0+P8#F%;^jO9_M8k7+g+!oaw(%~FS8>D)50jjNsZ2(6s ziv*$WO~&1%1O^Ro#JOnt#1|3e%ir*bCPCiywqJ0?@VHC#pgH`iZpi3nQ~@Ik@j@mtt%HA(}l{l$byb zJ9(0@oks>T3An6_42>y-IJO|eyduMZ0eN+E1h34kGsd>m3OJ_Xy4m~R#`pPE~>C*hLQqy2Go$jeN=GXYh6 zry`AdZ1wTu4C-XPz^p0yc0*R3S^_ zN%OST&|j35v|3WOijswx4YaEYBI(3OZy_tBDAzj$%6lsrE)5WS@e?d{K27?NK#Ajn zz4VH@reR3}GqORF#FB$JZMBg^A7Sk;x=@*EXjp0n+CnKhlC&`CguXx;;Ik zC#*zm05)ajzcX|Pe_zy5s^iL4fdhIOv zy@Js6lJjFP@L0VE!es5mfd44arDo{}sPgm;W6gm~(6Zqk3@uv)A|Oj1rWk!|yH7XWrQJJ7d&QDCrv<;69Ez%-v z+6`htzjSg+$PTuej+;_BpT01oB12BaL)b-GT8nXaONY|}wqGCv?}gXT$vEyd^RX?%ydhsQ?Pi2Gpao-j65wmB_j=mT`^?S$y_XXJO@4I%=&s^8om8_ znR0=?m4;%Z@O{11W-o{=Qv7ICUisc)Jctm#7P4cY5#d^5c^ZtEb(Ep3XFz5 zIwa4{&MuspUpzm1ac04Uz8UrK%)W0z}s+g-@9`=HDGJOFdgGSKrRU#`Jqz{#V6=79s`%N;-Qyp zi2k2!O5-Arn7lZbRxUJi-cFxaSb+`STdXy(oFD$v+pnw7#U(=?iJ{O4vDRn6wJW2> zk`NfVRnd%S8>MJ2=XXN7xl6dJYfJNzH)VTao>lWq7B$YEqcR&PGvRS3z(Z@@kLc(W zwG5kj%Qy~JUgV>v`QoVhiqgc$LQsbb17m{8`dTj{64a}5$e0R-j#k-0=4$x54mF*l zaP+D|2RBz zq?eU&;`O~IU`?A!CbsW=^t=r)uTK>DD^+={o0Hnpd|K-pQxp^XoJXn0NT9@M35URP z5XdNp0=}CHFAXg-F|AuJ2kTx*er_0l3J90|S@7g&4T9<%8p@9zYB6NFlBjtK0~lxo zf`cZs8~Ugj<0z69gnj-D?r%Cs{@ zBplF7#Ke*sL7tlc3MC~_POsb&#YvNwNIk8!0(YDY zzhwU=o`NwZ>Bigsz~~m{kPu5Mb4ZA-xQr(TDSK*|=mJxLdu}NbX`THlsR;#e+v}4~ zQQ#y{W;Q}1$O%cn#1O9Gv52nc1D~>c;OWt3m*iTQ^==dB!pQ-H0)%K#LKJwx^+UO2 z%$tbGr|kmNj&o*^FesO?7kLC`Zyy2<1wq#~P}SPmpzA@K5NWYPCSY>7=8e#ch;wLb z%fRGTh(W;3!VST~k^fhlSb^*vY_kSOjx%q<4J{#iB7#60HQ>xVx00SbJf<`f@3i=8EVmDq#>WCYM!IuBlcksh{fUxq!Z7T4xtWF?hnuSV(VYFj=oI zU3b+~Q@L+2Tg{77mj?y0g8+hcKZZ{UEVXob&5$-lqqiq7yJpGjyXotnxPH&p|D?zt z```oCO8;}@XhQ!pdbC^rsq6pM)dF?3Ku^6E$UH$+PzsV!CncAMosthb~^Y3!@O#%q~40ro2D8?n#v!huaTpveX+ z$OPGwwglt`C1X}fBLqR}JwE<9p-s(v6UznPko1H^o@MXcd5JZuWB0f0;F})n4KIJ=S zCKe{n=}+?d$>iMhg7Lum3J%Vh)Q@5#u)ms_h0}2=^}FerGqYKrot`>%@vJc`)3rtX zt6lHnVVYi@!sgg*Mu1Elnt0aNqg)RziQpbA1SKJfimQu^sdNH+%gg8z7SIQ|9-6Rd ziax^pnRQ^S!h^$7mDt%vPmWZ3B(h|9%uqtJWgmsq=ADouS$Ni5L+dz~H zf$Krmt$Kiac_1wAJ2f+X?9%l%@-82sYkpX7xMlxMr30rb?@>?|Ux_3j@Jihm+PrK( zE;$U&-<0egSh-pV>`~R?d`ryK`h@f$hF(GwZW*)XZLl6U5v3^_@uj<&x8?_p2=ir# z$n73uvHLLX8~L}%AXFMO(l7d4Ko~Q{Mx^@S9RKWwjoA_~H#%|| z;TpQx%Q?tw7kg0cJ>z64_wrJyOo99*+t5tT_mGTeTXr}&iTB-lw`xFIWE;l|u zwXk@8;-x8A=9f{9cTPIvQCLLpqnuk=T=b*Gm1<*=u;!%mmh(FB709l6QQaAM)9HP- z55FeKu)p^>yA{07$;sVv1gnb|z<DVo}KCMb-wc* z^Wo&hxzp2gP1*wKAu*<9AOC%aCW*6K6b|@{2ytOAff?hgOX9Mrx z+P^NCv48A$jvrT7&-XiCaW!xbHEVnfz9)&U%vl`Aq({IZ)sFl-#63&du{SxEULAUN z$a&#ABgf4)yvu-;!(x11agvTrT^w zeKDNqw_u)Z!T8)*1_4mjz6r_aUw{3z*PYjU-T)x#IV?pdUw_@4RIICiuAwe-+39^Q zdcE4~95NcW!TGj>Qpcfa@Y!dVBK+TL_#X%V16>Xdt{nPjwU8QAj4aUWCBL>dXE2M3{N`s^LiC+uN(6Jhi0v-Wh4 zqtq|Z9Jc{HmjeTo-2ie48|1CnXi+NitGFrNIc~3m=tZr-$>-l57}>L#*{03TrZqboZ?>F#r`)vJa$2)xv)O^yN>isR zZ}ew3^4dQwWIondmAL@VK5K1n7?0em*pRaX!tAA#_DVrj5I2Dp;w#1pP3cPE2GAq8 z+h=uivU*%>@GO$m->)0NoMkHk>aP;*Txz48+NBi~-r$^p@1N}xzxxNrFHB6nG;tQr zBX~n(f0i%l%h-Eme@VW>Kae5Hvia8hh2H2dsvvcPs&Mk^h;nlI+g}EvF8cu5KhWO^3vM{|uHeOL@I1?CND2P1-Y%G74^yx1JI^)MBM9Vn5vG^lKLZ z-A+$kn3_2~H8VLqHQ&$uYxL;Pot_5#o18s=es+f1lYJW!kLbmCvp-k4Bz79S93^*N zDJSy385<90CcXCiF(I>%_y;Q)ebFo?Eb98iKco-BovnX$MmKXQyV2M&K&e2i{3}A=wW;!JfvM-*p^p znOIim+41AXOV~O0?beN!-FmENxRHFE>=zzTxB8Mgn4i5kH%VZm71fu7VQv)Y`iv!D8gq8#NdT<0r8mC;yoNs*qMPjJ?s@1^B;}-hV!Bw*udb zY1H(nHO|98msO+B)-?b5_WuCxQFlD}_S*&rOkct4rtCo7GJnLxS+FZ!$Wkl8Z5z>MQaia#8$Tjiow_3D7*&afBp66-+p88b@=KgOYs1PSET0`VG@lSdN0Gb43%$BhUg{sMk^dE2Cr(^X?^X4^iVm&)=A3xOV z3_6A9UmqO&c7#9Re}llr=3no_yZwW&{g1&nfN{*fKAi6rjR7@$<)wb7_tezc=^2m* zNNfGtp~9gzVBCieIq#@@&ptbX_l%1}xPzY^mWTkdU*A9cLsh&eXKk!$zn0eCa!BHV z&qwk`lgAzTxifU!?w7{$j%WZVI*tqdt`NU`Hv9nP=T_mKY!!aK;k?sJi()Q`1SH7G z-<~<%{6Ep)>(xOAu*O(`-li{7ca5r?I}K$KHECiyyrnttfj3Fq!#AW9`u5xK0zLdT z93}V|zB;578gO$t?Pe%%9#?RpmIT@D11=PYjmf<6GvN6KmT>{8Z|6||Axj~^t5+=b zn_ba2@)IQ_zGH4)aUjB0JUunPfI63F`{v*jJU>PIGN+hdzA5-nY@qJ0tav2`7QMlT z=RBV0f=c7h1(4VIB*d$8)AJYj^Oh$$Us zFt6;w)Z7fclKO19I@#=zXl77LRbLSRjXKAIxPq;TbDc_=BaA*G2^A{JU`8Dwy z?p{290U$;<`R90UYVyU|MS>Im5_e|Q9r@0Jy0ZXx&dyB{oahH!e}4+liEhxZ@!T2t z#ubQBWpK8f;Ja$XJqvXYRQ7F2sE} zG3I7*nIu(D-sLx~ux$CF9jndnotr%cBCOe*af{!%I1l7;deVByyl204`c(X#)2H|i zq1}>?#ijLZ@zlipRO|)17kg`pX-fQ_{g$31&9oim@qrG94MQ|uPLbAC~C82XBzNJ=e#<6TqR%FoO@@WxALjh(Bn z%qNTb2ua+u-jnn%c556pn`frKPmkyq+*x=L+08}fsPvWbM9G#siQMk-2>NTi#_Xk-z0#gZs2@ z2)jG$r0J=?MlWW#5g|UA~mhinWG*0vGarV0;j$x7WOC zDG2owz7|jASk$U&1JtcFEef|me0*Mj)i|^D+@=hIQSz7bu zJM?QjhvuinS_rc1Wm2B%OE!gQ69^eb6oB-Vcp|_fe~Y_;emRhDYS0*$@T^`bi@}MX z<2lRhHm)6a3kSjD&H)p$;s<;M9J-O+})aeW0(P|Gj7R2Skt84FHO?s)+MrmS&p+17gLa_r_HHHaM2i!_7SD3$e22SFs`LSH8 zHfYSru=hyamt}40&-IKiQ@I>g)&8S!u;>w{f!@@QdRfojBTV*ik6c!ISjR>xxtL`L z)okp`gbF9%bCi=xzvEW0sPuB^!9FsYaoCkZc|$FuU4?ya$gOASI6Ky`PXIZpkmjx@ z;ri2~T?Klir$7(s4}0}c1;}`yQrpz;3=FJP8%~NpY4341yGeawq7~}5t)_DF$5@7f zFK%X&`3wQ~8xgFaSgL>2>+-zyie8;PuZ#qwZYmDISc}8~^*aT7usFd6`zbs-u6!jn zmb}H#V-F3l#!Bzr+5G z@!tEgY{#mDxc&LjdPr+=ESJOJ;POThn7HbIF!GP(dIne{|9qhw)el$GL2ZT6=o8}=laUD`F zfjy42PXKgSlA<6r{6s zQri{>4;>fIeroVQ+4(C$H=VZyYABOaKiQ6Y)>kn=3AtlO*ihsM6cj869c7+r4U+Wl zTEgd9Jjukcb2(+RG7-eY2<58th&Vx`JNeI{kh>g+$^UqPM^~jB0SmBx3&0$coF@3OqiJ1 zf(1bA*oi48*xw+7!SDHsa+Q&0p*A%#JGR7?0>Y0&ys zKo)n2n7(*^$lOxq*w7Gk3-X*( zT&)Bpr|}Qr`eo;>cbwOctG?Cb?CB}$D?la<-!O0I+lIY2KDc5H;9Q$aHed``7`W{t zQb#)NxH{*w2^I2}twa?ItDT$*S~uMuu;A!aEx zg!xo=>m(L7hk9LTY|ZEP>0iJARHKeL_+Pp&evIWvd5Sb(IS{0QevIXEF{+`7mFClp zm#|ag!XjE~5HZ4J+~MJwS5^z=aJ5^j{=gW%b;I}o(8IW@m6r9_aAAGS*XG-i@p5Fp z8(FWaLo127V@?8>(-u1AB^x)KtSw|+U3v#;&v5?ND3{#=e=C1IpsgD?@WkT5Wh zEb{;}5vG77*E}yB>$rgzF1$E9^D3Qk;-nK*-y~=m`J3)Cnw3kiwShoFNI5eSlPly{a@O81O!;swujTC^|@?=1w0TYx5h?%a{`d=7x$MJhPTC zT)XIbB@7QQ%*;-GA6+oUa(@;1AKc2p=YN2|Bi;JnPwG!eTPG8CHPf(mQkd1c1+)I9 z>wk&;&x^gUTcg?jA31g;w*N;)h7Wi5|Ks>0DNU6LaVm`n&pu$T@-l@;&{$c;JSFll ztJLZnh1@h{!jtth;24DC5_1_-on5ZtOSmMn*kUnWjLBKU5+eK(Iypo&tiBRd%Nx#` z&j}ty8fH-%6vRIf5-yUb`B zRjRYnt6~b^)b0`Gf+FR|bL%p(DvpV!lL);zF{qxwHcPz!KL-mkHO6H=dKoR}@Mxheln*D+p#3$;vGDlv3tNrrkvli!}IY z^_`NHoib`VrPgvnq#@)WM5#LKt3E;#Xt!Q2%36-#LtRkw5>RQypE3(S?GYAYofor< zggrV)YDRr9nfP62T((ei|3K2T64pp-oUDgI8Tgl=Q9EdKEUsWL1=x)H4}Ppd;==C4 zXGpRr-vOMp+$XI977P?7I7&kiuhKS+=W3Pcg~}M1XA{609PU(e&uqs`*8MbKxBxF8 zA?8lpe-NMHoba3gUXfH)osbfsGqhIV@?a20@HASHEC2lhXIZ!=+l6LYWBdfRu^kQP(D~7U^fnSv(FHCBqaOqXXYOV zlD)Yc6;SPTa1e%xkYejG12<8~G0xs%0a!EJe-TTJSe3t1_ z2A**q-8Arw)2VR)r~b(H0b>mx!9wtiv%fZiXQ)gfB{FBev4kb{Xk7#0)C`M<#YX_u zopp~;T)Mj9@UW-|%nKUAlNqo{`JUBTL%jy+8t2a_Ip?yY}Z_DVtM zzT>=b(iuLC{@r*pT=mLy>zKR~!Dto*PV&nm!$Y~}R?5K=fZCeJaPB$aKYY{-!3Y+` z2*gub(^F{Mm}7tKNIn^8z}pc*frmuuWE@DlL(N&uj@j+zo&)yIU(W6xJBBS(oxeCg zMP1_$)ph#x(>s)1J%{lN=^z@)0ue2mYyfv1x?CV4pbR*OsrGS~z`u3B;w_Ti2*+JU zx)yrqSqL-2*qLfnaibqfw+JHR10V%h_<*jAfD@#s1Ego{$2F+=L{_N3zQ|+h58S8k zmirT{al#osVlT!CSPMBn&ed-XcwhkU4TyUKRCrcS&zSn$h4W6;^GXrdQyg3ZsxTOm zv&bCJbc|;3GOx-QP64(#29ZYO8C>@-`GXgz3%|PZ+^9R_0?)s4 zw&9l$W?uBnOi-QSI*?+>1ieF-4`D1C{G+e~$Fc~+aO^vnmZ$LCTk`2UF`UAh%JkK+ zf*TA0-~y|iQ*a>;E~j7y%Ou+y8!8N&&A$WBzO5cU_m*s*9w2RcCwFn~+?a$2;e}yu z0+{6H;WR6H&0ZNS1?$yv;Fh96=mCcN&cJhT$*m;^2NQp%PbGKdp&OC{q4I8hqa#5<)FDw)17^~hjEtbSIc(V_aX)Lm*u) z1;M3}?;na0&Qjn}EvuRrmN$^ka_hxaN4|a;3DZ2CVd&jOLAY@G0OgT-OEfHxtK3^7*1_W`UDQj~Y1r2((LiTBCf ztx7K82tj}JyGIB8Blw@A-#tnb`2Kf~E*?G1Q*c87`E&kdcyyU>r;O3+K%Y*6(5AwT zz_#GO=~V@&o_mW4ddaEdT?Mg3e`-nkO66dsU-bhAf-C?chU6{-}lNT-$@G4#fT^WG~ zlIB>v%k3kJwdCbQ^;e)SvZS(Q^`j4FlzZYbyxa&WsGO5PNrs%LRqhfh-^$XnM?x2N z&6;1L=rxay=I5D$<*kuuGdxhjI)VcRgkfbaOrk3Gm4qb86Y%a5Dxl$WEKLlcJ)~ZM zWh)(05XDK<1I&4aQdy$0|+yT-Yi)c!ii9t!WUDgqn4xr*2$2Ew*IeJEZHT=_f z8PrJsr{<6{dgDD~*b3i!WVaclJ#UaGYpy&TbF#es6SH0QTx9MTzPL_uw1P&!pmQZ- zGD^zCvof}jp$EjCYa{Z5Vod9c-}Qd_K05wv#zI6^YYiDWpy72({`oFhJw!j}j}KWV)|@&D!>5%|CC zPz7_R_xVEE?G=Il96b2eJ5KNMUg(*Eol^UyB?J0A#cVA}g-9(V&jF04^Brde{=4GU zQJ)>6t9DtDHxTn+G2j^$gmj~5y<~kKD=XrN`0z33xGJ%i;6p8jZ}7Bzc%CXd4bDB0K%my777KKQRp?QWeGFvDFrzo%@9UrD}*Z~3w++sO$-d3|Z^go{ECJ(`@JmQ`nN+$d91}%x4OcL8e>X$&<7O{ZS*Uw&cPjD6|>3H-h?)2vOWdc zMgg4yH0>HXc=AvPn&?O(AW9}lgxER;IZ}yQk6~i?*Y%MI4u=bUc|rl~1(7PPpTLRw zNexSA#4Tf%D!7?onhb|7%=t=z_{(LWPxKVGBtsJ#VSBj(kL2@|Y^4|;p}fk=1tSpf z>kkHhgq!)Ek2z z^#ACl85DP#ET$@bmn{{7WYfjT|{rkpCM}&t93Gdr5yYG&pjYADw=2^1>o) zKpcjAI+9nvj+n2VpZGpDKY9pef3Yg8KT!$U*8*aO^;GdoSQnS5nGH52cK&>XQmB2E!d)Ry$K_upe&FLy+3i% z0fsNboL?2Qq$3e2>LIG*9G;{R$bt4ceS*q3Zn53~3F=vi2>s9+^kHEm4j7p4Wz_I9 ztKX|YGmInX<-IKj23RjB7=l>BWcK{T^b8^Ap&ZgkbvibxxrAcCKJlH{kq@WRnE2RX zVUbQeYM@+_oGZ7T^*Hw&ai^s7LsNF&Kpy!Q`VR?t?hj~a@e6S7u>T`Gi zqk2ZCntf+bO5BA~tLKC6QdAFNSx9*Ah%`{VintJ&=#ghjv|6eXFbXz`f1cBTAc@tqVLnN%{; zWD>48&pBKaqM#7FRh1HWajQC4vex# zA(PI4GYtI5&;S~A$hY>bx}DO)_GLsgOE2ogu@zXe^^6>?-qu{SP;f!l&%D8EVYQ0fair;QQsDD zg44r9jvE~j56+1T%}UL8manfNNE6&A02?V;oCzJXU=#_&hXK_j0TZrqJ$bw zGRUd{;k<>12BJ=*PR^Ow-#l=r{{#&C$dSGFH|OEnmMENseLzLC6O9#Tlzf@mU({i0 zavJa*v(ce7Tbh|sVo5lclAjW~m#%u4h>4Vya5GvRpgUuThH&kn^X23B{{snZVQ%`= z#f9mavyapNZ|K;uqw)Cv;o*^yuK(ZT_#?X)k|WaT1ne~>JRoudP5z|0i(duFxaieL zK`q-u;|%N#2N(q=ChC#UFR*GiS93RzCZaJbAYGg5EPLw|$Fc&OhCIfHVY>;lRmtNd zCCfp%9ISJQRe;ruoT$Em8Pyv|EAXQc_=r5cIY>)bO`^ta%v5d z%754ZDT7-WmEDrYS-u|mE5PFCa=A(FcOLs4%O#*gnm+{~4hk!mH^j&z!-m5aL~9-e z$9XYW2cCo!Hlde8BPv4%xRzzOQ!RQCX$(=vgKF?by-czPoW7H@r(qW_&M%yMb*fM) ziP2>B<*cAPi?m2CqZ1tYG6^fE_yWD(U^#kD3s-bHk_JVZmO*ZBfX5z2^&Do15iKHa zL=hRgNo7+H0?K?@uSH{ngX`<-1z|#E*OB5Nro|hi)4rbG0ltvS&Erzi$pr@yKtl7Es!%QyC65w zZvn`5>c!z1PceNpY&^lcRxdGhG!SW?edta~#@YS?twW<0!T!MPg&2zhe76O4`Yk3F z5O?qjY8)l2iGy|(W-)j~3M3>Qd8fv{C1j%{Ga)S2sv9|OuBg1Sg%KIv!RFB57z!Y< z5>l?ak0uO8CWR=Jp?4WuMTehiZ(TV0(7K|_Ah0kFo3@wGgJTI8NHr?&GBDR_76h_kLLXMM zAHsuSAXr{L#L25luu=skIPwWn1@!Si{RykDlYvPD&#Fk)zBFenY7+K?FNTF{OIJMT;z-@8~?qtESk;=~#0hO#?RQiY(5R0e+&DO`g7 zcneRn9fI=V%PEt+jj+rP4ZvADV%BP30Qo73epD-5L?H-abW16tgZV5mHL79yiqKp0 zgGR*M0?sNg#h4|JLhq^F%7$~P8mt3Op_!3l)ZmoY2SXM8Tf(3Qd#-K|RX8|OD|*Vt zbma_Pb)FaypxZPwq-Z=8^VCH2^2j9F65x66Nr5RsD}NeL`x@0UZlY-iNh7-1)$79F zi3UY2$OAEP820BK@)Xkx6JL~K2FeKMtCGlU2get5S)tr=q%C37D-0+Kc(GxgYG0Kc zK*hX+D~|CS#eNgmsQOhjz^}vp?klBZ2A%#C$O0Q1jjEzkfZ|3kr$aBJt+e5mX$b6Q z30tiQtT_68#Rr4|4%7<=WbivKdYl1( zfJK+o$NH#`wO+KH%VLxSGq+6c)5urjd(#rf1SgSq^oNxVMg95#ER1(DdoZpksm$Sw zL7x`%-s3cbW~fgIM-_3*v_@WQ&OzqJ?u)SS!Wx>|N&rdnvLF)n17!Qq=;tyej@%8j zEl}I@#Ny+a2bMO*oH=&I_$NmnO()nrW4t8qAoKbH=ek1TSPGEj0KT!coP&SRr3OYi zFn|!j<6vD525pwgH_^i*$8FJJ30ssS{GGli2*Zs$V5U=xyhbUgZZP&> zp0j&PP%$+{(7vw2wl_}cyJ{&oMlf8D?CU-z&3*Zu4Mb^p45-M{W%_pkfc{p +Date: Sat, 26 Jan 2019 01:19:29 +0100 +Subject: [PATCH] CVE-2019-5736 (runC): rexec callers as memfd +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Adam Iwaniuk and Borys Popławski discovered that an attacker can compromise the +runC host binary from inside a privileged runC container. As a result, this +could be exploited to gain root access on the host. runC is used as the default +runtime for containers with Docker, containerd, Podman, and CRI-O. + +The attack can be made when attaching to a running container or when starting a +container running a specially crafted image. For example, when runC attaches +to a container the attacker can trick it into executing itself. This could be +done by replacing the target binary inside the container with a custom binary +pointing back at the runC binary itself. As an example, if the target binary +was /bin/bash, this could be replaced with an executable script specifying the +interpreter path #!/proc/self/exe (/proc/self/exec is a symbolic link created +by the kernel for every process which points to the binary that was executed +for that process). As such when /bin/bash is executed inside the container, +instead the target of /proc/self/exe will be executed - which will point to the +runc binary on the host. The attacker can then proceed to write to the target +of /proc/self/exe to try and overwrite the runC binary on the host. However in +general, this will not succeed as the kernel will not permit it to be +overwritten whilst runC is executing. To overcome this, the attacker can +instead open a file descriptor to /proc/self/exe using the O_PATH flag and then +proceed to reopen the binary as O_WRONLY through /proc/self/fd/ and try to +write to it in a busy loop from a separate process. Ultimately it will succeed +when the runC binary exits. After this the runC binary is compromised and can +be used to attack other containers or the host itself. + +This attack is only possible with privileged containers since it requires root +privilege on the host to overwrite the runC binary. Unprivileged containers +with a non-identity ID mapping do not have the permission to write to the host +binary and therefore are unaffected by this attack. + +LXC is also impacted in a similar manner by this vulnerability, however as the +LXC project considers privileged containers to be unsafe no CVE has been +assigned for this issue for LXC. Quoting from the +https://linuxcontainers.org/lxc/security/ project's Security information page: + +"As privileged containers are considered unsafe, we typically will not consider +new container escape exploits to be security issues worthy of a CVE and quick +fix. We will however try to mitigate those issues so that accidental damage to +the host is prevented." + +To prevent this attack, LXC has been patched to create a temporary copy of the +calling binary itself when it starts or attaches to containers. To do this LXC +creates an anonymous, in-memory file using the memfd_create() system call and +copies itself into the temporary in-memory file, which is then sealed to +prevent further modifications. LXC then executes this sealed, in-memory file +instead of the original on-disk binary. Any compromising write operations from +a privileged container to the host LXC binary will then write to the temporary +in-memory binary and not to the host binary on-disk, preserving the integrity +of the host LXC binary. Also as the temporary, in-memory LXC binary is sealed, +writes to this will also fail. + +Note: memfd_create() was added to the Linux kernel in the 3.17 release. + +Signed-off-by: Christian Brauner +Co-Developed-by: Aleksa Sarai +Acked-by: Serge Hallyn +--- + configure.ac | 12 +++ + src/lxc/Makefile.am | 4 + + src/lxc/file_utils.c | 41 +++++++++- + src/lxc/file_utils.h | 1 + + src/lxc/rexec.c | 181 +++++++++++++++++++++++++++++++++++++++++++++ + src/lxc/syscall_wrappers.h | 14 ++++ + 6 files changed, 252 insertions(+), 1 deletion(-) + create mode 100644 src/lxc/rexec.c + +diff --git a/configure.ac b/configure.ac +index 950c8dd..631e607 100644 +--- a/configure.ac ++++ b/configure.ac +@@ -706,6 +706,17 @@ AC_ARG_ENABLE([thread-safety], + [], [enable_thread_safety=yes]) + AM_CONDITIONAL([ENFORCE_THREAD_SAFETY], [test "x$enable_thread_safety" = "xyes"]) + ++AC_ARG_ENABLE([memfd-rexec], ++ [AC_HELP_STRING([--enable-memfd-rexec], [enforce liblxc as a memfd to protect against certain symlink attacks [default=yes]])], ++ [], [enable_memfd_rexec=yes]) ++AM_CONDITIONAL([ENFORCE_MEMFD_REXEC], [test "x$enable_memfd_rexec" = "xyes"]) ++if test "x$enable_memfd_rexec" = "xyes"; then ++ AC_DEFINE([ENFORCE_MEMFD_REXEC], 1, [Rexec liblxc as memfd]) ++ AC_MSG_RESULT([yes]) ++else ++ AC_MSG_RESULT([no]) ++fi ++ + # Files requiring some variable expansion + AC_CONFIG_FILES([ + Makefile +@@ -934,6 +945,7 @@ Security features: + - Linux capabilities: $enable_capabilities + - seccomp: $enable_seccomp + - SELinux: $enable_selinux ++ - memfd rexec: $enable_memfd_rexec + + PAM: + - PAM module: $enable_pam +diff --git a/src/lxc/Makefile.am b/src/lxc/Makefile.am +index 08e2fab..8bbfdaf 100644 +--- a/src/lxc/Makefile.am ++++ b/src/lxc/Makefile.am +@@ -173,6 +173,10 @@ if !HAVE_STRLCAT + liblxc_la_SOURCES += ../include/strlcat.c ../include/strlcat.h + endif + ++if ENFORCE_MEMFD_REXEC ++liblxc_la_SOURCES += rexec.c ++endif ++ + AM_CFLAGS = -DLXCROOTFSMOUNT=\"$(LXCROOTFSMOUNT)\" \ + -DLXCPATH=\"$(LXCPATH)\" \ + -DLXC_GLOBAL_CONF=\"$(LXC_GLOBAL_CONF)\" \ +diff --git a/src/lxc/file_utils.c b/src/lxc/file_utils.c +index f89aa63..930fd73 100644 +--- a/src/lxc/file_utils.c ++++ b/src/lxc/file_utils.c +@@ -31,7 +31,7 @@ + #include "config.h" + #include "file_utils.h" + #include "macro.h" +-#include "string.h" ++#include "string_utils.h" + + int lxc_write_to_file(const char *filename, const void *buf, size_t count, + bool add_newline, mode_t mode) +@@ -327,3 +327,42 @@ again: + + return ret; + } ++ ++char *file_to_buf(char *path, size_t *length) ++{ ++ int fd; ++ char buf[PATH_MAX]; ++ char *copy = NULL; ++ ++ if (!length) ++ return NULL; ++ ++ fd = open(path, O_RDONLY | O_CLOEXEC); ++ if (fd < 0) ++ return NULL; ++ ++ *length = 0; ++ for (;;) { ++ int n; ++ char *old = copy; ++ ++ n = lxc_read_nointr(fd, buf, sizeof(buf)); ++ if (n < 0) ++ goto on_error; ++ if (!n) ++ break; ++ ++ copy = must_realloc(old, (*length + n) * sizeof(*old)); ++ memcpy(copy + *length, buf, n); ++ *length += n; ++ } ++ ++ close(fd); ++ return copy; ++ ++on_error: ++ close(fd); ++ free(copy); ++ ++ return NULL; ++} +diff --git a/src/lxc/file_utils.h b/src/lxc/file_utils.h +index 6361557..518a61a 100644 +--- a/src/lxc/file_utils.h ++++ b/src/lxc/file_utils.h +@@ -55,5 +55,6 @@ extern bool is_fs_type(const struct statfs *fs, fs_type_magic magic_val); + extern FILE *fopen_cloexec(const char *path, const char *mode); + extern ssize_t lxc_sendfile_nointr(int out_fd, int in_fd, off_t *offset, + size_t count); ++extern char *file_to_buf(char *path, size_t *length); + + #endif /* __LXC_FILE_UTILS_H */ +diff --git a/src/lxc/rexec.c b/src/lxc/rexec.c +new file mode 100644 +index 0000000..396bd61 +--- /dev/null ++++ b/src/lxc/rexec.c +@@ -0,0 +1,181 @@ ++/* liblxcapi ++ * ++ * Copyright © 2019 Christian Brauner . ++ * Copyright © 2019 Canonical Ltd. ++ * ++ * This program is free software; you can redistribute it and/or modify ++ * it under the terms of the GNU General Public License version 2, as ++ * published by the Free Software Foundation. ++ * ++ * This program is distributed in the hope that it will be useful, ++ * but WITHOUT ANY WARRANTY; without even the implied warranty of ++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ++ * GNU General Public License for more details. ++ * ++ * You should have received a copy of the GNU General Public License along ++ * with this program; if not, write to the Free Software Foundation, Inc., ++ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. ++ */ ++ ++#ifndef _GNU_SOURCE ++#define _GNU_SOURCE 1 ++#endif ++#include ++#include ++#include ++#include ++ ++#include "config.h" ++#include "file_utils.h" ++#include "raw_syscalls.h" ++#include "string_utils.h" ++#include "syscall_wrappers.h" ++ ++#define LXC_MEMFD_REXEC_SEALS \ ++ (F_SEAL_SEAL | F_SEAL_SHRINK | F_SEAL_GROW | F_SEAL_WRITE) ++ ++static int push_vargs(char *data, int data_length, char ***output) ++{ ++ int num = 0; ++ char *cur = data; ++ ++ if (!data || *output) ++ return -1; ++ ++ *output = must_realloc(NULL, sizeof(**output)); ++ ++ while (cur < data + data_length) { ++ num++; ++ *output = must_realloc(*output, (num + 1) * sizeof(**output)); ++ ++ (*output)[num - 1] = cur; ++ cur += strlen(cur) + 1; ++ } ++ (*output)[num] = NULL; ++ return num; ++} ++ ++static int parse_exec_params(char ***argv, char ***envp) ++{ ++ int ret; ++ char *cmdline = NULL, *env = NULL; ++ size_t cmdline_size, env_size; ++ ++ cmdline = file_to_buf("/proc/self/cmdline", &cmdline_size); ++ if (!cmdline) ++ goto on_error; ++ ++ env = file_to_buf("/proc/self/environ", &env_size); ++ if (!env) ++ goto on_error; ++ ++ ret = push_vargs(cmdline, cmdline_size, argv); ++ if (ret <= 0) ++ goto on_error; ++ ++ ret = push_vargs(env, env_size, envp); ++ if (ret <= 0) ++ goto on_error; ++ ++ return 0; ++ ++on_error: ++ free(env); ++ free(cmdline); ++ ++ return -1; ++} ++ ++static int is_memfd(void) ++{ ++ int fd, saved_errno, seals; ++ ++ fd = open("/proc/self/exe", O_RDONLY | O_CLOEXEC); ++ if (fd < 0) ++ return -ENOTRECOVERABLE; ++ ++ seals = fcntl(fd, F_GET_SEALS); ++ saved_errno = errno; ++ close(fd); ++ errno = saved_errno; ++ if (seals < 0) ++ return -EINVAL; ++ ++ return seals == LXC_MEMFD_REXEC_SEALS; ++} ++ ++static void lxc_rexec_as_memfd(char **argv, char **envp, const char *memfd_name) ++{ ++ int saved_errno; ++ ssize_t bytes_sent; ++ int fd = -1, memfd = -1; ++ ++ memfd = memfd_create(memfd_name, MFD_ALLOW_SEALING | MFD_CLOEXEC); ++ if (memfd < 0) ++ return; ++ ++ fd = open("/proc/self/exe", O_RDONLY | O_CLOEXEC); ++ if (fd < 0) ++ goto on_error; ++ ++ /* sendfile() handles up to 2GB. */ ++ bytes_sent = lxc_sendfile_nointr(memfd, fd, NULL, LXC_SENDFILE_MAX); ++ saved_errno = errno; ++ close(fd); ++ errno = saved_errno; ++ if (bytes_sent < 0) ++ goto on_error; ++ ++ if (fcntl(memfd, F_ADD_SEALS, LXC_MEMFD_REXEC_SEALS)) ++ goto on_error; ++ ++ fexecve(memfd, argv, envp); ++ ++on_error: ++ saved_errno = errno; ++ close(memfd); ++ errno = saved_errno; ++} ++ ++static int lxc_rexec(const char *memfd_name) ++{ ++ int ret; ++ char **argv = NULL, **envp = NULL; ++ ++ ret = is_memfd(); ++ if (ret < 0 && ret == -ENOTRECOVERABLE) { ++ fprintf(stderr, ++ "%s - Failed to determine whether this is a memfd\n", ++ strerror(errno)); ++ return -1; ++ } else if (ret > 0) { ++ return 0; ++ } ++ ++ ret = parse_exec_params(&argv, &envp); ++ if (ret < 0) { ++ fprintf(stderr, ++ "%s - Failed to parse command line parameters\n", ++ strerror(errno)); ++ return -1; ++ } ++ ++ lxc_rexec_as_memfd(argv, envp, memfd_name); ++ fprintf(stderr, "%s - Failed to rexec as memfd\n", strerror(errno)); ++ return -1; ++} ++ ++/** ++ * This function will copy any binary that calls liblxc into a memory file and ++ * will use the memfd to rexecute the binary. This is done to prevent attacks ++ * through the /proc/self/exe symlink to corrupt the host binary when host and ++ * container are in the same user namespace or have set up an identity id ++ * mapping: CVE-2019-5736. ++ */ ++__attribute__((constructor)) static void liblxc_rexec(void) ++{ ++ if (lxc_rexec("liblxc")) { ++ fprintf(stderr, "Failed to re-execute liblxc via memory file descriptor\n"); ++ _exit(EXIT_FAILURE); ++ } ++} +diff --git a/src/lxc/syscall_wrappers.h b/src/lxc/syscall_wrappers.h +index 42d94db..dca4d15 100644 +--- a/src/lxc/syscall_wrappers.h ++++ b/src/lxc/syscall_wrappers.h +@@ -58,6 +58,20 @@ static inline long __keyctl(int cmd, unsigned long arg2, unsigned long arg3, + #define keyctl __keyctl + #endif + ++#ifndef F_LINUX_SPECIFIC_BASE ++#define F_LINUX_SPECIFIC_BASE 1024 ++#endif ++#ifndef F_ADD_SEALS ++#define F_ADD_SEALS (F_LINUX_SPECIFIC_BASE + 9) ++#define F_GET_SEALS (F_LINUX_SPECIFIC_BASE + 10) ++#endif ++#ifndef F_SEAL_SEAL ++#define F_SEAL_SEAL 0x0001 ++#define F_SEAL_SHRINK 0x0002 ++#define F_SEAL_GROW 0x0004 ++#define F_SEAL_WRITE 0x0008 ++#endif ++ + #ifndef HAVE_MEMFD_CREATE + static inline int memfd_create(const char *name, unsigned int flags) { + #ifndef __NR_memfd_create +-- +1.8.3.1 + diff --git a/lxc.spec b/lxc.spec new file mode 100644 index 0000000..f45fe64 --- /dev/null +++ b/lxc.spec @@ -0,0 +1,428 @@ +%global with_seccomp 1 +%global _release 20190926 +%global debug_package %{nil} + +Name: lxc +Version: 3.0.3 +Release: %{_release}%{?dist} +Summary: Linux Containers userspace tools +License: LGPLv2+ +URL: http://linuxcontainers.org +Source0: http://linuxcontainers.org/downloads/%{name}-%{version}.tar.gz +Patch6000: lxc-2.0.7-fix-init.patch +Patch6001: lxc-2.0.6-fix-lxc-net.patch +Patch6002: lxc-CVE-2019-5736-runC-rexec-callers-as-memfd.patch +Patch9003: 0001-confile-add-lxc.isulad.init.args-config-interface.patch +Patch9004: 0002-namespace-add-support-share-namespace-by-path.patch +Patch9005: 0003-confile-add-lxc.isulad.populate.device-interface.patch +Patch9006: 0004-support-isulad-fifo-log.patch +Patch9007: 0005-auto-mount-cgroup-sys-and-proc.patch +Patch9008: 0006-conf.c-fix-bug-when-set-no-ro-mount-mount-propagatio.patch +Patch9009: 0007-use-isulad-log-format.patch +Patch9010: 0008-isulad-modify-exit-code-and-stop-signal.patch +Patch9011: 0009-lxc_start-add-default-terminal-fifos.patch +Patch9012: 0010-Save-pid-ppid-info-into-file-for-isulad.patch +Patch9013: 0011-Add-exit-FIFO-to-monitor-state-of-lxc-monitor.patch +Patch9014: 0012-Init-fifos-in-lxc_attach_terminal.patch +Patch9015: 0013-isulad-set-env-home-in-container.patch +Patch9016: 0014-support-rotate-for-container-log-file.patch +Patch9017: 0015-fix-high-gcc-compile-bug.patch +Patch9018: 0016-add-masked-paths-and-ro-paths.patch +Patch9019: 0017-isulad-check-cgroup-cpu.shares-after-setted.patch +Patch9020: 0018-lxc-attach-add-support-terminal-fifos.patch +Patch9021: 0019-remount-cgroup-readonly-and-make-soft-link-of-subcgr.patch +Patch9022: 0020-fix-log-error-when-symlink-subcgroup.patch +Patch9023: 0021-lxc-attch-add-error-message.patch +Patch9024: 0022-support-rootfs-mount-propagation.patch +Patch9025: 0023-attach.c-change-uid-and-gid-from-lxc-container-confi.patch +Patch9026: 0024-isulad-support-symlink-in-mount-entry-and-not-permit.patch +Patch9027: 0025-support-oci-hooks.patch +Patch9028: 0026-remove-filelock-and-do-not-destroy-directory-when-de.patch +Patch9029: 0027-fix-bug-of-memory-leak.patch +Patch9030: 0028-support-rootfs-for-container.patch +Patch9031: 0029-add-start-timeout-to-limit-start-time.patch +Patch9032: 0030-support-block-device-as-rootfs.patch +Patch9033: 0031-clean-add-clean-resources-api.patch +Patch9034: 0032-Drop-all-caps-when-cap.keep-ISULAD_KEEP_NONE.patch +Patch9035: 0033-support-mount-squashfs-in-mount-entry.patch +Patch9036: 0034-some-small-bugfix.patch +Patch9037: 0035-lxc-fixup-builds-with-newer-glibc.patch +Patch9038: 0036-drop_caps-add-drop-caps-of-current-process.patch +Patch9039: 0037-restore-default-signal-handlers-and-set-umask-0027.patch +Patch9040: 0038-make-the-given-terminal-as-controlling-terminal.patch +Patch9041: 0039-print-error-message-when-container-start-failed.patch +Patch9042: 0040-add-timeout-200ms-for-cmds-send-to-lxc-monitor.patch +Patch9043: 0041-return-1-when-_lxc_start-fails.patch +Patch9044: 0042-lxc-seccomp-adopt-to-lxc3.0.patch +Patch9045: 0043-check-null-pointer-of-handler-to-fix-coredump-of-att.patch +Patch9046: 0044-support-space-in-volume-mount-and-env.patch +Patch9047: 0045-add_terminal_fifos-Add-terminal-fifos-dynamically.patch +Patch9048: 0046-Do-not-test-cgroup-writeable.patch +Patch9049: 0047-Fix-memory-leak-in-lxc_global_config_value.patch +Patch9050: 0048-clear-ONLCR-flag-from-master-of-terminal.patch +Patch9051: 0049-Add-100ms-timeout-for-console-epoll.patch +Patch9052: 0050-seccomp-add-rules-for-specified-architecture-only.patch +Patch9053: 0051-if-ocihook-is-empty.patch +Patch9054: 0052-Fix-seccomp-fail-when-all-specified-in-config.patch +Patch9055: 0053-destroy-empty-cgroup-path-return-ture.patch +Patch9056: 0054-fix-invalid-log-message.patch +Patch9057: 0055-Fix-compile-error.patch +Patch9058: 0056-caps-use-_LINUX_CAPABILITY_VERSION_3-to-set-cap.patch +Patch9059: 0057-confile-add-support-umask.patch +Patch9060: 0058-do-not-check-ppid-when-set-death-signal.patch +Patch9061: 0059-delete-unused-variable-ppid.patch +Patch9062: 0060-using-json-file-to-write-console-log-of-container.patch +Patch9063: 0061-Fix-hook-use-the-path-args-envs-execvp-dirctory.patch +Patch9064: 0062-setup-sysctls-before-set-read-only-path-and-masked-p.patch +Patch9065: 0063-lxc-ignore-systemcall-load-failure-error.patch +Patch9066: 0064-lxc-Reduce-seccomp-processing-log-level.patch +Patch9067: 0065-Storage-return-true-if-storage_init-init-fail.patch +Patch9068: 0066-lxc-Pids-limit-does-not-report-an-error-after-execut.patch +Patch9069: 0067-lxc-report-error-when-remove-directory-failed.patch +Patch9070: 0068-support-record-stdout-stderr-log-of-container-consol.patch +Patch9071: 0069-lxc-killall-processes-if-container-shared-pid-namesp.patch +Patch9072: 0070-lxc-signal-all-process-for-shared-container-when-con.patch +Patch9073: 0071-lxc-get-cgroup-path-according-to-cgroup-mountpoint.patch +Patch9074: 0072-lxc-adapt-to-docker-18.09.patch +Patch9075: 0073-lxc-support-set-additional-groups.patch +Patch9076: 0074-lxc-only-add-valid-fd-to-mainloop.patch +Patch9077: 0075-lxc-add-timeout-for-attach.patch +Patch9078: 0076-lxc-delete-unused-variable.patch +Patch9079: 0077-lxc-set-negative-files.limit-to-max-and-fix-bug-of-s.patch +Patch9080: 0078-Run-pre-start-hook-before-chroot.patch +Patch9081: 0079-inherid-env-from-parent-in-oci-hooks.patch +Patch9082: 0080-lxc-fix-compile-error.patch +Patch9083: 0081-lxc-Change-the-range-of-attach-timeout.patch +Patch9084: 0082-lxc-fix-memory-leak-cause-by-setenv.patch +Patch9085: 0083-lxc-free-lxc-handler.patch +Patch9086: 0084-lxc-memory-leak-of-lxc_grow_array.patch +Patch9087: 0085-lxc-update-json-file-from-isulad.patch +Patch9088: 0086-confile-add-support-systemd.patch +Patch9089: 0087-lxc-adapt-to-spec-of-oci-hook.patch +Patch9090: 0088-fix-lxc-build-error.patch +Patch9091: 0089-lxc-add-get-container-processes-pids-func.patch +Patch9092: 0090-lxc-remove-unused-variable.patch +Patch9093: 0091-lxc-support-namespaced-kernel-params-can-be-changed-.patch +Patch9094: 0092-lxc-add-output-error-when-create-unified-cgroup.patch +Patch9095: 0093-optimize-isulad_kit-operator.patch +Patch9096: 0094-exec-load-uid-gid-and-groups.patch +Patch9097: 0095-lxc-don-t-use-the-unified-hierarchy-for-the-systemd-.patch +Patch9098: 0096-close-inherited-fd-in-hook-process.patch +Patch9099: 0097-lxc-report-error-when-fork-exec-error-for-hooks.patch +Patch9100: 0098-lxc-make-dev-bind-mount-from-host-tmpfs-for-system-c.patch +Patch9101: 0099-terminal-do-not-close-the-master-fd-of-pty.patch +Patch9102: 0100-start-add-check-save-pid-info-file.patch +Patch9103: 0101-lxc-fix-code-error.patch +Patch9104: 0102-lxc-fix-compile-warnings.patch +Patch9105: 0103-lxc-fix-code-error-in-conf.c.patch +Patch9106: 0104-lxc-fix-code-error.patch +Patch9107: 0105-lxc-fix-code-error-warnings.patch +Patch9108: 0106-set-timeout-to-1s-for-cmds-send-to-lxc-monitor.patch +Patch9109: 0107-add-log-for-failure-of-rename-file.patch +Patch9110: 0108-check-calloc-input-valid.patch +Patch9111: 0109-add-secure-compile-flags-to-lxc.patch +Patch9112: 0110-add-doc-for-lxc.patch +Patch9113: 0111-lxc-use-safe_strdup-instead-of-strdup.patch +Patch9114: 0112-fix-secure-errors.patch +Patch9115: 0113-Malloc-parameter-check-and-judgment.patch +Patch9116: 0114-lxc-fix-code-errors.patch +Patch9117: 0115-fix-compile-error-on-ubuntu.patch +Patch9118: 0116-lxc-set-base-cgroup-path-to.patch +Patch9119: 0117-pupulate-device-with-dir-mode-750-and-set-uid-gid.patch +Patch9120: 0118-fix-sscanf-return-value-check.patch +Patch9121: 0119-remove-unuse-binary.patch +Patch9122: 0120-remove-unuse-unmount-namespace.patch +Patch9123: 0121-optimize-log-when-root-path-is-invalid.patch +Patch9124: 0122-lxc-fix-code-reivew-errors.patch + +BuildRequires: systemd-units +BuildRequires: git libtool +BuildRequires: docbook2X doxygen +BuildRequires: chrpath +%if 0%{?with_seccomp} +BuildRequires: pkgconfig(libseccomp) +%endif +BuildRequires: libcap libcap-devel +BuildRequires: libselinux-devel +BuildRequires: yajl yajl-devel +BuildRequires: libsecurec libsecurec-devel +BuildRequires: pkgconfig(bash-completion) + +Requires: rsync +Requires(post): systemd +Requires(preun): systemd +Requires(postun): systemd +Requires(post): /sbin/ldconfig +Requires(postun): /sbin/ldconfig + +%{!?_pkgdocdir: %global _pkgdocdir %{_docdir}/%{name}-%{version}} + +%description +Containers are insulated areas inside a system, which have their own namespace +for filesystem, network, PID, IPC, CPU and memory allocation and which can be +created using the Control Group and Namespace features included in the Linux +kernel. + +This package provides the lxc-* tools and libraries for running %{name} +applications, which can be used to start a single daemon in a container, or to +boot an entire "containerized" system, and to manage and debug your containers. + +%package devel +Summary: Development files for %{name} +Requires: %{name} = %{version}-%{release} +Requires: pkgconfig + +%description devel +The %{name}-devel package contains header files ,library and templates needed for +development of the Linux containers. + + +%package help +Summary: Documentation and templates for %{name} +BuildArch: noarch + +%description help +This package contains documentation for %{name} for creating containers. + +%prep +%setup -q -n %{name}-%{version} +%patch6000 -p1 +%patch6001 -p1 +%patch6002 -p1 +%patch9003 -p1 +%patch9004 -p1 +%patch9005 -p1 +%patch9006 -p1 +%patch9007 -p1 +%patch9008 -p1 +%patch9009 -p1 +%patch9010 -p1 +%patch9011 -p1 +%patch9012 -p1 +%patch9013 -p1 +%patch9014 -p1 +%patch9015 -p1 +%patch9016 -p1 +%patch9017 -p1 +%patch9018 -p1 +%patch9019 -p1 +%patch9020 -p1 +%patch9021 -p1 +%patch9022 -p1 +%patch9023 -p1 +%patch9024 -p1 +%patch9025 -p1 +%patch9026 -p1 +%patch9027 -p1 +%patch9028 -p1 +%patch9029 -p1 +%patch9030 -p1 +%patch9031 -p1 +%patch9032 -p1 +%patch9033 -p1 +%patch9034 -p1 +%patch9035 -p1 +%patch9036 -p1 +%patch9037 -p1 +%patch9038 -p1 +%patch9039 -p1 +%patch9040 -p1 +%patch9041 -p1 +%patch9042 -p1 +%patch9043 -p1 +%patch9044 -p1 +%patch9045 -p1 +%patch9046 -p1 +%patch9047 -p1 +%patch9048 -p1 +%patch9049 -p1 +%patch9050 -p1 +%patch9051 -p1 +%patch9052 -p1 +%patch9053 -p1 +%patch9054 -p1 +%patch9055 -p1 +%patch9056 -p1 +%patch9057 -p1 +%patch9058 -p1 +%patch9059 -p1 +%patch9060 -p1 +%patch9061 -p1 +%patch9062 -p1 +%patch9063 -p1 +%patch9064 -p1 +%patch9065 -p1 +%patch9066 -p1 +%patch9067 -p1 +%patch9068 -p1 +%patch9069 -p1 +%patch9070 -p1 +%patch9071 -p1 +%patch9072 -p1 +%patch9073 -p1 +%patch9074 -p1 +%patch9075 -p1 +%patch9076 -p1 +%patch9077 -p1 +%patch9078 -p1 +%patch9079 -p1 +%patch9080 -p1 +%patch9081 -p1 +%patch9082 -p1 +%patch9083 -p1 +%patch9084 -p1 +%patch9085 -p1 +%patch9086 -p1 +%patch9087 -p1 +%patch9088 -p1 +%patch9089 -p1 +%patch9090 -p1 +%patch9091 -p1 +%patch9092 -p1 +%patch9093 -p1 +%patch9094 -p1 +%patch9095 -p1 +%patch9096 -p1 +%patch9097 -p1 +%patch9098 -p1 +%patch9099 -p1 +%patch9100 -p1 +%patch9101 -p1 +%patch9102 -p1 +%patch9103 -p1 +%patch9104 -p1 +%patch9105 -p1 +%patch9106 -p1 +%patch9107 -p1 +%patch9108 -p1 +%patch9109 -p1 +%patch9110 -p1 +%patch9111 -p1 +%patch9112 -p1 +%patch9113 -p1 +%patch9114 -p1 +%patch9115 -p1 +%patch9116 -p1 +%patch9117 -p1 +%patch9118 -p1 +%patch9119 -p1 +%patch9120 -p1 +%patch9121 -p1 +%patch9122 -p1 +%patch9123 -p1 +%patch9124 -p1 + +%build +%configure --with-distro=fedora --enable-doc --enable-api-docs \ + --disable-silent-rules --docdir=%{_pkgdocdir} --disable-rpath \ + --disable-static --disable-apparmor --enable-selinux \ +%if 0%{?with_seccomp} + --enable-seccomp \ +%endif + --with-init-script=systemd --disable-werror + +%{make_build} + +%install +%{make_install} +mkdir -p %{buildroot}%{_sharedstatedir}/%{name} + +for file in $(find %{buildroot}/usr/bin/lxc-* -type f -exec file {} ';' | grep "\" | awk -F ':' '{print $1}') +do + strip --strip-debug ${file} + chrpath -d ${file} +done + +for file in $(find %{buildroot}/usr/sbin/* -type f -exec file {} ';' | grep "\" | awk -F ':' '{print $1}') +do + strip --strip-debug ${file} + chrpath -d ${file} +done + +for file in $(find %{buildroot}/usr/libexec/lxc/lxc-* -type f -exec file {} ';' | grep "\" | awk -F ':' '{print $1}') +do + strip --strip-debug ${file} + chrpath -d ${file} +done + +strip --strip-debug %{buildroot}/usr/lib64/liblxc.so +chrpath -d %{buildroot}/usr/lib64/liblxc.so + +# docs +mkdir -p %{buildroot}%{_pkgdocdir}/api +cp -a AUTHORS README %{buildroot}%{_pkgdocdir} +cp -a doc/api/html/* %{buildroot}%{_pkgdocdir}/api/ + +# cache dir +mkdir -p %{buildroot}%{_localstatedir}/cache/%{name} + +# remove libtool .la file +rm -rf %{buildroot}%{_libdir}/liblxc.la + +%check +make check + +%post +%{?ldconfig} +%systemd_post %{name}-net.service +%systemd_post %{name}.service +%systemd_post %{name}@.service + +%preun +%systemd_preun %{name}-net.service +%systemd_preun %{name}.service +%systemd_preun %{name}@.service + +%postun +%{?ldconfig} +%systemd_postun %{name}-net.service +%systemd_postun %{name}.service +%systemd_postun %{name}@.service + +%files +%defattr(-,root,root) +%{_bindir}/%{name}-* +%{_datadir}/%{name}/%{name}.functions +%dir %{_datadir}/bash-completion +%dir %{_datadir}/bash-completion/completions +%{_datadir}/bash-completion/completions/%{name} +%{_libdir}/liblxc.so +%{_libdir}/liblxc.so.* +%{_libdir}/%{name} +%{_libexecdir}/%{name} +%{_sbindir}/init.%{name} +%{_sharedstatedir}/%{name} +%dir %{_sysconfdir}/%{name} +%config(noreplace) %{_sysconfdir}/%{name}/default.conf +%config(noreplace) %{_sysconfdir}/sysconfig/%{name} +%license COPYING +%dir %{_pkgdocdir} +%{_pkgdocdir}/AUTHORS +%{_pkgdocdir}/README +%{_unitdir}/%{name}.service +%{_unitdir}/%{name}@.service +%{_unitdir}/%{name}-net.service +%dir %{_localstatedir}/cache/%{name} + +%files devel +%defattr(-,root,root) +%{_includedir}/%{name}/* +%{_libdir}/pkgconfig/%{name}.pc +%dir %{_datadir}/%{name} +%{_datadir}/%{name}/hooks +%{_datadir}/%{name}/%{name}-patch.py* +%{_datadir}/%{name}/selinux +%dir %{_datadir}/%{name}/templates +%{_datadir}/%{name}/templates/lxc-* +%dir %{_datadir}/%{name}/config +%{_datadir}/%{name}/config/* + +%files help +%dir %{_pkgdocdir} +%{_pkgdocdir}/* +%{_mandir}/man1/%{name}* +%{_mandir}/*/man1/%{name}* +%{_mandir}/man5/%{name}* +%{_mandir}/man7/%{name}* +%{_mandir}/*/man5/%{name}* +%{_mandir}/*/man7/%{name}*