From 53c3a3c970822f7f4c822af2976fb4b8ada63e01 Mon Sep 17 00:00:00 2001
From: andyzhangx
Date: Sun, 19 Dec 2021 07:47:13 +0000
Subject: [PATCH 1/2] fix: CVE-2021-43618 in Ubuntu image fix chart
---
 .github/workflows/pluto.yaml | 26 +++++++++++++++++++++++
 Dockerfile | 2 +-
 charts/latest/csi-driver-nfs-v3.1.0.tgz | Bin 3505 -> 3509 bytes
 charts/latest/csi-driver-nfs/values.yaml | 3 +++
 4 files changed, 30 insertions(+), 1 deletion(-)
 create mode 100644 .github/workflows/pluto.yaml
diff --git a/.github/workflows/pluto.yaml b/.github/workflows/pluto.yaml
new file mode 100644
index 00000000..57bc7a5a
--- /dev/null
+++ b/.github/workflows/pluto.yaml
@@ -0,0 +1,26 @@
+name: k8s api version check
+on:
+ pull_request: {}
+ push: {}
+
+jobs:
+
+ build:
+ name: Build
+ runs-on: ubuntu-latest
+ steps:
+
+ - name: Checkout
+ uses: actions/checkout@v2
+
+ # https://pluto.docs.fairwinds.com/advanced/#display-options
+ - name: Download pluto
+ uses: FairwindsOps/pluto/github-action@master
+
+ - name: Check deploy folder
+ run: |
+ pluto detect-files -d deploy
+
+ - name: Check example folder
+ run: |
+ pluto detect-files -d deploy/example
diff --git a/Dockerfile b/Dockerfile
index 04ca3c23..f9f5590a 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -23,6 +23,6 @@ COPY bin/${ARCH}/nfsplugin /nfsplugin
 RUN apt update && apt-mark unhold libcap2
 RUN clean-install ca-certificates mount nfs-common netbase
 # install updated packages to fix CVE issues
-RUN clean-install libssl1.1 libgssapi-krb5-2 libk5crypto3 libkrb5-3 libkrb5support0
+RUN clean-install libssl1.1 libgssapi-krb5-2 libk5crypto3 libkrb5-3 libkrb5support0 libgmp10
 ENTRYPOINT ["/nfsplugin"]
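Review bot: The `Download pluto` step in the new workflow runs `FairwindsOps/pluto/github-action@master`, a mutable branch ref, so whatever is pushed to that branch executes in this repository's CI on every push and pull request. Pin it to a reviewed full commit SHA, e.g. `uses: FairwindsOps/pluto/github-action@<full-commit-sha>` (placeholder), and do the same for `actions/checkout@v2`, which is a movable tag. The workflow also declares no `permissions:` block, so the job runs with the repository's default token scope; a check that only reads files needs nothing beyond a top-level `permissions:` with `contents: read`.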
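Review bot: Adding `libgmp10` to the `clean-install` line only delivers the CVE-2021-43618 fix if the package index at build time already carries the patched build; nothing in the Dockerfile records that intent or fails the build otherwise. The comment above the changed line still reads `# install updated packages to fix CVE issues`, so a later reader cannot tell which package answers which CVE or when an entry can be dropped after a base-image bump; I would extend it to `# install updated packages to fix CVE issues (libgmp10: CVE-2021-43618)`. An image scan of the built image in CI that gates on this CVE would confirm the fix actually landed; the visible patch does not add one, though it may exist elsewhere in the repository.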
diff --git a/charts/latest/csi-driver-nfs-v3.1.0.tgz b/charts/latest/csi-driver-nfs-v3.1.0.tgz index 9ac82022d7555ba9f9ac947ac01152b24b542559..ed83d9948e4bb0e07826f603f5b1d54f4da2ea3b 100644 GIT binary patch delta 3423 zcmV-l4WRO|8?_sdcYm$$kVqshi^c8_i{C;H74;)Y$0&V1P|f`jkvf==n7w+s(rUF@ zJ6l`!|5mG2{lC@T>AY%hwYT4I?{r$7_pe&*t=8t&D`-8T3=2!DG?A}bj~=T!xo@P9 zgnmY;sNh`~w>^?1)31zZRN9MBg_0)PKHKjd!SRP499WZqfq#(jQ`$$#QKRxWiLnc1 zlk&#X?l*&W(DGh-#_Lin75^U-mZExM09fMxTU%SLs{eQ1Z?FCTISP%*5W5}#03Rs# z!4!#!P*e*!=|UXJAf}-dN(^)minw|Cy=sPvHu*sLp`z1PnhdA7kv~gP#!dyJ;iL;k zgJYpjB`V~uLVu{}sT5;s5CUcW@R#4KU>M4Pil(ANUuhx95Y700GHY9wVcZEiL1#4? z7#$-=rB0>j*K}7HUP#k< zlPmdp`wA&Iu)K*5NcXyUO3M#8KWUlT`(3XQ+~of5v9#! z?CiZ-n|~W2VS02br0zoJe|NS`TPB7dag3}B+a7=x3?(reaptH#T;ik)4ZHYKFbpoI zo3SyH*pAxBmRuyJwUAwC99~nURsI480}OQ+8pom+jxb6YHdg9Cn{~nn$A^w0QHfNB zm`$l35EzZAE}&DGq+MuFzs49_|JZ7^KILE}@qf=0)qJB?JlCv~x2i>g6~}Hra_j>7 zt~g@n5hHqLN$1VjJoNx#a{V(WV?r6}GjwB@O>qVL-K@9RTKlLN!HcfLVle*OTEgaI zEMb5|r_!n!xmoWIy&t7WlYDP*khK&YH#Xo52Plz;XfRlCG~gQxiJ&l)s8t5d29M#& zY=0qU3!;1oHV9Fs3yFg+jI>Tvx7jR%O(a6q)I?n>gF6E{OeOk>h%ELJ%275=f4=R^ zPb3`^jrm?UX?hzQo_%$iGS+hfb>X+)y$$fQDK)aDrWYr2;~#%osl@*p)HSq(Et+Q}qrKhD4!>fx4atU_3h141C{soJvTDyEiuwoT0539OqBr z_SVSYI`e&n3_~sCZbQ17bFJX^wgJ9>MRYiNX`OycWugCHjF2TLRiKl{QUOc+zkl6& zzg_YFovqEywf{dyxw&b+g)xo0piskrGSrg-qvk7cSl2i^jlq*em zXkvppz^QE$6HbO0`Ta?yRen%i)G!M|Zf+p=!lDv`h3%#Us~yehc5lk#X3dON0yS#d z#VS?JCgabZ+anZ1S6_o$d#=9<$E(`I0p4oUXE4&2%-+ynmEBN1O zZFkoA|18D#eeaU;s0#-+)Qgd8ub31fNurwLwilx&5z%CJ0yKb;p?ASZxPz0dmJQ}y z)w&qZySV|%LzYGrU=H95P#z)I&@uH?f|k9TQET<1=kJ{adD!UA!m)`BKTgr!6p|#% z=aKtF*2`26E6Bd%dbr160Dt*ZO)*$Y2h$eS^Xshlxs$DtPK#ej%oewviuwJlqa59* z4@N@iW7JndUS|9+Y!vueAWRA1h><p0*S%rOfj`%>O(!WqW z`i~nXt5{~BkE`ZZeqB)HOl&S9?3I?^l=8+YR2LZK>Gkw|Mc+lknt!plg(WTbCk4YU zIMTJ$CGu$6D3Mf1swex5DCK6RCQ4)MXGbePlvLA@FuT)UQ9Y`Yr@*YuCS9W23IA5wYGAISs$S+WXb!nE&=CV+tXktN`!wqH`47k1RE~~A{Fbi3xej|qkxtwebf4tji z%suptv?PioDz*Fi&41p(!P#N2_gzgzh9pAiTMMCr7i%CNSBG<|$hs@N1F$L6F4%ln 
zsA!->cv;obX(89LOaZgJOc6W)#)73WezIAXs(jY%PKh2lIVuu5>5W{d{h2oc6p2@B zs1?L00c%#VA})LZp4nErQxrH?TF&MAN*>fL&9FN-*%$;->@dK>R{?qxgWz8_*bcNm8$i!JK`rc;u3spas2 zTE$$<*1N<=OqF@lP#C5bi3Qhqt;>o@Bpp+RLyV@W!dVGPLi&_ZO|ha+01`!A_^r|V zwRf?1@agEd@qc@%0%1&Co#ve%s*o_^uGUmWS-$pWR*P1=9y9&%A`{J$I~5IOt;}9Z zqutkUj!zB_FOClC@DzEJ2+H;D>o@zoql?4igVU3vBCf6szKm>Z)!N zhaC&VuoJC&M>*A$umfad(!)^jNOfVeRjQMr^7M7P{5nBNMO5E-IU*(^QocpMC8#(i zvdL)QW`C;~>ZWN}TV0BT3^QkM{6HfrUF<G7 zU^odGei9K*FNvHQk(729ICBm&0}l_GKiT7XQsy(ds;HW1Pt@iO+AU@UkKA3#1^3;nvZ zbDBg%V^2$>aX4`(Wg;ochdG%bwv?hi?^-}^9?Z8 z8z3YdQcjqqrbEHG3%%h=q%49yLSKqY$O^bHkS8a z%Fx=4IC+D||KaCl)U#pAtChtEbTuE6uw zc)+tF$*gf{dGGF`SoNW(R5SB?W(~dpj{iw>8pgL_8S(FSy*1_kx2F8>6`HKc{=3Nj z$EDJ~GNis#p5cB#eE%dtty1onAb+Ua!|%!%oXCB9o8IGt4*qwL!X zL)49T&|p;A|LxDG%m=3y^C>bIg|^)T1`HXY@yeq*nze4Ma%!q>h*B%gbHzE~ z7`c9c=CawmgGRDwxaHFd6@N8*@sm#IQ5}Xt$cXZy2h@#W{q{+eHoKu-aLpemk0>90 z4G*ncc=h|)P%GyQQkM&HE?SF`v+esn*ti-x8Z61qJM)0{aCCyH72Kid65PJ@&bBVA zluG;;jF822$c4nG8)Mo1kL}LR+~0rNTL1m0XDJ(SO0;o$`-=^?@_+7+GxSr+4Ddlh z!b>tl6?j>)Sfz<2GeC`yF&Hw@cj-yWhwnflBbtuU9(M}Q36H!D;OLH~@FtNspw}3= zwAX)q7r+T;6Z>}~5+{;5)B~d&11~t}UG%h&=xxBhh-1Ow^L`H^DwP)usczbTo%mkR z|4TOQzxjjFuxb9uzgVgFz1`kycedMGuUhS`R;Tp}T2Cm$!jvjaGD^8%ZRg zpHV6*co)WPk0i_SOx+sGb-Ame~K+R;yLD|IYUI+Wwy-(U=Ue>j41pfpQ;A zl9&iZwUCo8#Gwpg8cLzWKnJ0So0mVTW~gYB50oD&I<2M2aEcrGvm|BgR4^J&x^Of& z7W!18LhcHLihrI;F{TC~P}X;U`J)Pkp$w>KDmwI)7Lp9n^zSFLx@8&0ouCtRR+E9z zF>+MuREj>{ON6{;VrtF_upP8k6M%~d9iX1!kSZ<7{b$0oksGqiTbUDSYZZ|^g>phZ?ki0bvS( z4$MQiBHTVq6`Jo7#1#)re}Zc%7(?l{6RT&_XTBn^0mmdp5CiCC5@h0<<_g^lX&R3_ zPxeVz9f}9wwk)$xd4*1=8S|Zcc1aiwiRyyUFq!fb{)s4UgtepdYISOagz3?#kh%+< z|J~U(b$^){e#9}dE^K=MS}>HvY_ypn`f!PpE;Q`oO2II=oNl&831Zu8BU@6DnA$>i zp>cRkl~#EM4h9(NE;NosFC1Z%GHk5Wem3fa5snY-MWPa^3^5y0y}>gYQ(ZuxFiE@6 zo_>unw)(%-YJJMVM&jQos`*N-c&=I}uT^X5D}VOgeq`STbX~E>&LevC%#zNlv3cqN z#N_%{PR4{X(r4)UF00}S`ny@Lv9ZHO7hc-WH zaE`7$5H`H?7!W5zgu0g z|DCP&`?dW)N4mLbzJ)Q3yP#0RfHKsR1b1UIE#U~e@V0q->v^`=;dMfI1bT#aLp6sl 
z^EtGfu`PFV<3of4$`KmIfiT4y;LmbM$}|LyWwvG;e0GeJDU;0v8Gjl>9@)=MG)DT! zls#;Yki|2H6Kdsh#a(0WvvGV#l2i^rlq*emXncn{z^Sbh6HbO0`Ta?yR(?=jR55c> zZf+pA!r~+b3+qh@R@@{%HW+{QB(M3!o^%ZwH~yyqjf;kD zt1$U5t-R~>=(G_3=YN@x2eZOU@c;d0yMq6n)^=-+|IdSk+pF8;)>9qKr#B6cxshB^`8p_dq`d}oKK1O{d`nalYIxWOnmQBDcE>i>#fU#g{ zjGt_jr7E8_yHlb^PL7I%PI@C3YJX;p07YWfDryBWO2C>GtcVL=fM>eZ?i2;iCoSiC z{c@1(4uAD2vBS%>r(Ae7H3 zNhBRphC_^|p~6`TNkaORQBAQjp8zC^y6{J%_kVluV(;M7(Q)I?QUSu4xH`=nKU5)M z#9gha^s;>I&8QZwcs*wN<3%c(1%E0tl+`kODUEhtzd1fRIJ`JIsKZm_Q6ebUyRYBu z_l_vKK?rH7`t%S#!ICXgZL5jG#G5`aLEIPx%d`_0<6y11W zfqxma*`8~AE)KDNJ4iXb?lzl?z{SAD+yYIvVHae39Gc{??@Ihr$xEcrA{49(=liFH zyajh5>;w_YQil zrSm-qs~X93Zs*2VuSa4xM>Q_t!l^N51uM2!qXA3jNly~&!hxL@At!U)){YqCL{AQ= z?843McOT4qKw8TGxJ=3i;%o6gt0J=uM-EacxDw=-sFzkhe+ zVtaR!K;<2LO4$&tNjN&gzf&rWH2tL_vxdJ{^d@ng6d^b_-_am&3_(Sel20?kaE~NJp$4H3q!5E4bUT^fk*_7Au2`W z1hfE|a(hppP;DTjJ>q5TGr?H!9zKA4wi^0%Y3DSFh{m3lMB{McP|A2xln;NkS-Hnk zy;)Zkvz(v%TF&!1D>nEL_PR0=UyHY{bn^``)*B!s9a2u1rKUr{xpTeYN`Is*f<8iD zic92{ZWXC6wgJlBg}E<>eLn_zj_b9v{A?`mcgoV)N&YVRIXm(PGjn&oY;YG>H-Gtd zDR);>WnO{q;4ScahE913MH~|z&GSG$tnfBPQ6aL^?6j0IOW&M$cVE9bI6L}$cy@7i z`13{YWdE0o)4lWm{7~CUEPo>0t#7Jgj}K%+P3ce>%Ldl;ZK;r^9C>6<6SSYb@Ydkz`i6w7hpWQ7rmURH_;IJ);KS z0LTBNF%4teu#EV3yWX1e|5sD~_i|0vWdB`c|KmbwUl~$gD$Z~}Ab-Apkf3%_?iV1a z+r#gQ7@Wv`d*kTk0~QY%=SBW1(@K57q8<63{Le!EPxeXZKg}i3CH((pd$Y>_x3^mB z_y3tkT4i8K6eU7z~-{yYM9C z!*?K&5lzQvk2{6ugh$>6aCApgc#}vR&})ob*z3Q32;hXXiTz!P#EE1M^}r~{zzYs~ z7dp+qdmHr0rS~?_apJxGKW_s*6G=s?;OO8`c|jtDfp{;V5t61WC&gc0Fjk?6 cu(`&*by}x&`UcYf2LJ&7{~hY*DF9Xg00a!CzyJUM diff --git a/charts/latest/csi-driver-nfs/values.yaml b/charts/latest/csi-driver-nfs/values.yaml index de9e1334..a143393e 100755 --- a/charts/latest/csi-driver-nfs/values.yaml +++ b/charts/latest/csi-driver-nfs/values.yaml @@ -24,6 +24,9 @@ rbac: create: true name: nfs +driver: + name: nfs.csi.k8s.io + controller: name: csi-nfs-controller replicas: 2 From 0e3ede5a213958ce76a7db3120c24cd1257aeb75 Mon Sep 17 00:00:00 2001 
From: andyzhangx Date: Sun, 19 Dec 2021 09:03:22 +0000 Subject: [PATCH 2/2] feat: add node.mountPermissions in chart fix controller update chart fix chart update chart update chart fix mountPermissions --- charts/README.md | 2 ++ charts/latest/csi-driver-nfs-v3.1.0.tgz | Bin 3509 -> 3543 bytes .../templates/csi-nfs-controller.yaml | 1 + .../templates/csi-nfs-node.yaml | 1 + charts/latest/csi-driver-nfs/values.yaml | 10 ++++------ cmd/nfsplugin/main.go | 2 +- hack/verify-helm-chart-files.sh | 2 +- pkg/nfs/controllerserver.go | 9 ++++++--- pkg/nfs/nodeserver.go | 1 + test/external-e2e/run.sh | 4 ++-- 10 files changed, 19 insertions(+), 13 deletions(-) diff --git a/charts/README.md b/charts/README.md index f7d22d30..21416c5c 100644 --- a/charts/README.md +++ b/charts/README.md @@ -38,6 +38,7 @@ The following table lists the configurable parameters of the latest NFS CSI Driv | Parameter | Description | Default | |---------------------------------------------------|------------------------------------------------------------|-------------------------------------------------------------------| | `driver.name` | alternative driver name | `nfs.csi.k8s.io` | +| `driver.mountPermissions` | mounted folder permissions name | `0777` | `feature.enableFSGroupPolicy` | enable `fsGroupPolicy` on a k8s 1.20+ cluster | `false` | | `image.nfs.repository` | csi-driver-nfs docker image | `gcr.io/k8s-staging-sig-storage/nfsplugin` | | `image.nfs.tag` | csi-driver-nfs docker image tag | `amd64-linux-canary` | 
@@ -70,6 +71,7 @@ The following table lists the configurable parameters of the latest NFS CSI Driv | `controller.resources.nfs.limits.memory` | csi-driver-nfs memory limits | 200Mi | | `controller.resources.nfs.requests.cpu` | csi-driver-nfs cpu requests limits | 10m | | `controller.resources.nfs.requests.memory` | csi-driver-nfs memory requests limits | 20Mi | +| `node.name` | driver node daemonset name | `csi-nfs-node` | `node.maxUnavailable` | `maxUnavailable` value of driver node daemonset | `1` | `node.logLevel` | node driver log level |`5` | | `node.livenessProbe.healthPort ` | the health check port for liveness probe |`29653` | 
diff --git a/charts/latest/csi-driver-nfs-v3.1.0.tgz b/charts/latest/csi-driver-nfs-v3.1.0.tgz index ed83d9948e4bb0e07826f603f5b1d54f4da2ea3b..504e516b82d14bcafd464433e6d3b734f9719e11 100644 GIT binary patch delta 3517 zcmV;u4MOs@8`m3lCHf zokRy&@{!~~mf?Q(TaxU=b{rD^4D8fI50KccR;%6JYW-SHsHh)FIzj34p=utCiPXWA z#O%%UwN|Uu+U<7j|5mG2{oiWucHXqR?cG*uyW86BzG=0)t$$AY4YZz7hNUf4n#eb; zCy!N~+&9ulLO-KaRPY{5+8#-g*;ht1D(yw6LP-;CuO0M{;pAf<4z0<+P)PVS9iZf> zQF)xi*n_f3d6OCY?VugByw{%brWISo|0jf{sGd0htnmMCcYC|)|DE0L#{XZU(U^>| z=K%olp>iKglYf{9MYWLA9>k#xVj4=J#83yJh?`eGsb;8XlMj_2Dmv?>$!Hcg@@q-T z*qLB7oc7>&cp~(fM1|ZDgo>U?F`*_xpsXMM>L(S9LK#reRCMGkEhHJC8Q)LleakXT zIzcDstS1Ab6XdAWnG^$jkO+Ct#PnPcU?*s;Cjb`_x_^Lrjw7nHBoEhw;gLJC%(*Ox z)Llm;PobR95ck7Sq+A$Y_B$Vg=WfF&JRhC9+GzRHOm) zQG*sRBupXDp}7dxgxia$Li1gMxaNTwPjD>-V<_EnV(n~p%~u4r;Dp2oVhH_Af=pb) zt}wiihJShFd2&F)>Qp=cw`7@h%5&Q56)y&%qJhym6&^rr_@AMSsWLXFdeCTn`0%0O zc|#;RmDYHWlL5nz{a>U=lU%=c(w3Q~{Ga3@r17pK7<){1;QQD}(v8uJ& zF%qW7XF}>8bpCgD$Mj`l^czl)^`?n zY9limk(k~>_MmZeLzPzf4IB5F{6iTQ5{Eq)Yn`ZGvssQ3kqA{& z6LqCbz!=g|D$!3wWP>K59A(q+^DQ$!k$-eTH0I0TwCQbadG^*>%2?kC)Pq0&iUHNf|;i4MoF zt?cNnSaRbE#zKU zRAR8S-wa^2qdDE~&v4wVo6$<3#!dUMN~GCj{P~r<=NG#VHPN{7KMiPHHY~4#@?YC{ zH|@!7Y5ZTrB_53muZaI2x}6W@_}^*mv^V(gi!|T&y(`M29vs?KFGjAtVo``BiE2*T zUW}SVM3ecJ-vo>-dKZj@yMJ(!QQ2h9k=EsS-t8?=9u z92lz~J-_cH$kRr*lZ{Po_}eVnn?{mk^*nN)$hge(u!iirj>7{61IVXpnu)b^IO|c} z#Ll@dY;TQpTKqv`w!HUD%%A3r^5{OhFcwOmpuQIJD#L$atANh}VSh>hM~v(q-$JCo zhxUtuS|Or25FK%qBccaxAMue&rTCYmUJd9%-4M6byUdAkz{{Oax0~{A8;v zRry?Hg6Of6qavY`-pGa8pL-)f5jM4kT8S8?z?ub-5XK;S@YKM_*z)d%;oh;xv;{CFL=$zJC{ zwo~T)7}L4OIDbrAZds2ooszUGEr$=)I_6@Q-W5h-NES^)VVK%TEV#xST~4Y*I zVKgfh&Ra+lGN6oViWPkVkSOZGpN;+>{mcEsPsb;Xf0YObW8(TOXMUtY!iYOsQyFFT zvp2I^_QdOBraxI`qFHICqM@vpSxafO_ru$h)5D|7($ za~v+-$?iFqF}Yk|)Mpm@+L4ROs$W=APH%e6=CUwl0?)#uo-OFEnD(@|lrJET;;+iR zL<%iJ!GC&iad1|+x8ziXRS=;pm3T3hsK$att{^yXW37{4P*-)ExG1zl3_H=fdz4d6 z2|GkarhNwL@Kl1`{V0`$R?u$Tl`|Eo2Fwe zxfBT*WnrW7GmWTpSqx!Szj?{Tz-0aPG2Q8?CV#nHsv5KFuwr{P7O+xJdYWJl4y{^* 
zoGuJoJ7bI!Jw2qd2e)_MNA2&;I{1&fN%>HGE&QjoT|NKXX?1r$Z1A6#XhoYCK1ut*OF))O_D>Ify*%5$_{Wd6Tw)R7UOlUdKRy!A*jedpWy^l313pC!OHsMH zj!TL!3y^@#F=kn;`?^egH`=ei|9^aRX@S6#{ZB_P1_iEx^VWF4i$;=p=hEZ7pGA@M zu~DgJ<`1kId;=K&v(_|>Z^J6!->rHZ$p1Tm{2!F$Y{35e!2YKd<-T%oeyuvg!$SJQ ziv+bwd02s{1=>>lSAPyj=s(XP z;1%_s?e=!H{?qQZb~pI%OSB4JS3OzjPH_5ncb@P2UggJP9CF()b*X`BjS&^rNn==f z&R2e^|CzyCBXQ+TkamdYFB>Eab+UW$>C%MpMw>*K z70*=K7vtBSmQ0yjC4C?XwSToPWp*RkCZw<$|Jg`pb+l}C&4?x_2bN%jy73+wj4J!z zzCLF@IJKBhky%;L_It#DAtN+idsGLr*Ns&!P1cQ^QG|>rwdOq6oD)uv>qlrVo6UP@ zB+G_dJ*`ktlR-V}gr3AO6hcOn7d@bE4C}YgqO|!N3I*5vnevG8(SO(Q(8_^le~=Be zcFibtwJ_(RwJ~y@bUh?Ct`{9mEXj7MivjKN(FtZ&aF3!(;r6vxwoO~7Rr0@Jj4Y-j zE+jtR7^}|z>~wY)e*bHGQ~!UFwgqQI8>hE#?6@cIexYNKQf2}lBqY2dBUFKx9Tre& zVj(C{V`L0QOblFknt$@qdyvS8rW3TA)WUVbBX0{hIzR#5CK8AA1|wJY{I4GaIOS|= ze>@~{B0+)@808pv!D0WhuZ2W!3l2ma3l5(T`Vdj6ykJCi)Bbhhd%@r@*|dN23*%AK z{K>zn32)9B4M=#ECie7$^46u@oz7fs8B@M+{C_3+q6yl2HO7z00960eaLo!09XJ3Af59+ delta 3483 zcmV;M4P^4y8?_sdJbznr+qSdMGe5;1Iddk>38{-O>CucIT-)j2)5P{zZaSS##{-co z2{j0?04Q5^d_Mab0Hj1xlqFwcH?8oHNF*+c#qJM_-$D)*^&?5gD1AOq&HWLPI+&1{ zy?VORYPDKBTU+-3R;yM0zt!I9ylQW?x8HB?bXuMFuUhS`)_>;KD`-8T3=2!DG?A}b zj~=T!xo@P9gnmY;sNh`~w>^?1)31zZRN9MBg_0)PKHKjd!SRP499WZqfspW1+DFMz zqw+Y3u?uCB^2XEdH-mQ2@?Ltz>ryNg{~r^UqIzNgSmOU%TU)KF|99SRul@fy3XRDS zyB+`lA1L?16n}|{P*e*!=|UXJAf}-dN(^)minw|Cy=sPvHu*sLp`z1PnhdA7kv~gP z#!dyJ;iL;kgJYpjB`V~uLa6Ae6k}=-0%iU1m*1;k7|MW(rlLb%X(7oF&G>#YYg?9K z+zC2CXEhlZ9V17jPNnGMy+p`cCZ^?_0NX)pH37JY(0>8y84jt^lH6YtrjOi_W!}r2 zNL#CjlPmdp`wA&Iu)K*5NcXyUO3M#8KWUlT`(3X zQ+~of5v9#!?CiZ-n;RivdUPtJ?n38(ceYJiCWaqzjI0aW9)K1MB{3Uu=BPeg;-m`= zyZBNt3@)deu`!a^j@rnUTqLHokX>jTUQ?x2{(k}o0}OQ+8pom+jxb6YHdg9Cn{~nn z$A^w0QHfNBm`$l35EzZAE}&DGq+MuFzs49_|JZ7^KILE}@y`_1e4|!8*Q}Gbszrho z$8JAz>;n3(IAZ4!BYI{@=grtW^#EdW{WB+HLK*2ZbYquIaRvL`thd-&`=}Vfi>||B zFn|8rTEgaIEMb5|r_!n!xmoWIy&t7WlYDP*khK&YH#Xo52Plz;XfRlCG~gQxiJ&l) zs8t5d29M#&Y$0X~qI?K82vMdBiGwbTv`$pF*(`%iBtq5HL|rO_I|DjQCHjeoEcO!0 zQ8rC~zU|CUBpnlt`Cd3_dK(*_eRY~L)_-#Xb>X+)y$$fQDK)aDrWYr2;~#%osl@*p 
zMRYiNX`OycWugCHjF2TLRiKl{ zQUOc+zukJjUGe{&tT~c5lk# zX3dON0yS#d#VS?JCgabZ+anZ1S6_o$d#=9<$E(`I0p4oUXE4&2% z-*2`n_}^)5ch>m-EXDVI?~?MU3kNpTi;-)um=q#OqMGBj7o#Q-(PVZ4G=Pzzcfm-w zgOjY54dz_cx){&9xdF;UmVZVSU=H95P#z)I&@uH?f|k9TQET<1=kJ{adD!UA!m)`B zKTgr!6p|#%=aKtF*2`26E6Bd%dbr160Qpo+F<46n(-zh9>#X;=ldX|Xi(g617Pp>? z`TeY;9Nni6MndUh)K@}YX8bQ~6!=*nObOtKkv-nWmV)I2`^8bM5P#8}h>p0*S%rOf zj`%>O(!WqW`i~nXt5{~BkE`ZZeqB)HOl&S9?3I?^l=8+YR2LZK>Gkw|Mc+lknz6Wr zB`xkC;N;j5W{d z{h2oc6p2@Bs1?L00c%#VA})LZp4nErQxrH?TF&MA6l~E$acM zQ<8S6o@Bpp+RLyV@W!dVGPLi&_ZO|ha+ z01`!A_^r|VwRf?1@agEd@q4KPVN6_|=A9p^kTBw|)>KAWzV>ETi&nfIGyU-*6U~x4 z6%A#r%w9^P-Pdo9PYw<*jt=VZ6nT^g%JuH+H~YP#i+{u8gVU3vBCf6sz*A$umfad(!)^jNOfVeRjQMr^7M7P{5nBNMO5E-IU*(^ zQocpMC8#(ivdL)QW~&(LrfFDPU5bPZGiPu7KqD$$>_J%7NuF~%H?ev>5<4B$goF!K zW6lazY_G-wmg-4Q670f(Rf~|5xnXN(jB%nT2Y*y{;pX-qpRD@|WhwvTUQ#{~UyJ`~ zZC3C9c3Ru5&YJ&uj#8w0vioFNO20X7XUx!k@5tr$?k0iCJNT5cAzG7gbcTPXRGMfi zzXIjpiJTgdly(>7Du?pyzCuuQS;0crK$Wg9e4q@y;xYWCHU9T1 zOMm^}#6gd|4}7=(w_EQ!?MnXdeP^e&_W$Q78*o0N3Vz-D^wDPj@*q?}^)e~^H-w62 zk1fBJuyjZ{?42Hg=>LJCR^A5a5z#;-0>==QB60#+fK0i)Cs1fM5Yis;GWMBZEO-we zKt5Xw{kpVsnnXlnPfMb4IB_UtA}Pv;KY!a-dBjt_Iad|4{63GhT;y|B?C>G%bwv?h zi?^-}^9?Z88z3YdQcjqqrbEHG3%%h=q%49yLSKqYb%H4&zFNb|U26~R` zwOW2QmiJ%E(pe?{EBQG)^9M6?cmCMmF0O9=a_v&?uBOSn0o}n{;Pnih@)C+TCVxDd z=Yf1!;nx&JgUC*^(^|$YeRJa7ef{R(?CA61*~Qu6j~Bg@{huyQ_s;+GU2QM1h;X;Q ztBOB9kQv!t>TG4pzOMs5Mhy%3y}E`Ak}q@Qf{ihzQLOvANPIWiPe1=~cws5U8pgL_8S(FSy*1_kx2F8> z6`HKc{=3Nj$EDJ~GNis#p5cB#eE%dtty1onAgJ5J@5&gQ$bEa`=;ad@51Hph{!^uu z#(+gT@;&*Vh5VoFlhA*fOQ1{m|IPMhmH%&Vb=qtG?>S0^uc_Xwb2s?>+kacn_kFMO z$3h%)*DE!tq3Vng6%f}LR=($#f7JcNbIg|^)T1`HXY@yeq*nze4Ma%!q> zh*B%gbHzE~7`c9c=CawmgGRDwxaHFd6*YVDlTPSS9fm^4i1MNb)Qw^N_DPgByP;li z%^xU_C?9?e53O8y_50aSE9VSSmkV(&T8ojh?fX91xEeYdEXmG0^M8Q$aCCyH72Kid z65PJ@&bBVAluG;;jF822$c4nG8)Mo1kL}LR+~0rNTL1m0XDJ(SO0;o$`-=^?^6rl_ z^i#?V@IgYtOEN?icv-SorHLgoK#h}~5+{;5)B~d&11~t}UG%h&=xxBhh-1Ow^L`H^DwP)u zsczbTo%mkR|4TOQzxjjFuxb9uzp62B&N}Lo@G?zo_FH*x19g>nZ-YL$^xg(KPQ17O 
z=WW1eBB@9f9331gFG!>?5bp&vLeg~gr1--N#wrvMHrLp