From 2ba311b5ba307f99423844e362012bf583e2a15f Mon Sep 17 00:00:00 2001 From: Jan Jansen Date: Mon, 6 Mar 2023 11:22:34 +0100 Subject: [PATCH 1/4] feat: add readOnlyRootFilesystem if possible Signed-off-by: Jan Jansen --- .../latest/csi-driver-nfs/templates/csi-nfs-controller.yaml | 5 +++++ charts/latest/csi-driver-nfs/templates/csi-nfs-node.yaml | 3 +++ 2 files changed, 8 insertions(+) diff --git a/charts/latest/csi-driver-nfs/templates/csi-nfs-controller.yaml b/charts/latest/csi-driver-nfs/templates/csi-nfs-controller.yaml index 9190b6731..fab3c95dc 100644 --- a/charts/latest/csi-driver-nfs/templates/csi-nfs-controller.yaml +++ b/charts/latest/csi-driver-nfs/templates/csi-nfs-controller.yaml @@ -61,6 +61,8 @@ spec: - mountPath: /csi name: socket-dir resources: {{- toYaml .Values.controller.resources.csiProvisioner | nindent 12 }} + securityContext: + readOnlyRootFilesystem: true - name: liveness-probe image: "{{ .Values.image.livenessProbe.repository }}:{{ .Values.image.livenessProbe.tag }}" args: @@ -73,6 +75,8 @@ spec: - name: socket-dir mountPath: /csi resources: {{- toYaml .Values.controller.resources.livenessProbe | nindent 12 }} + securityContext: + readOnlyRootFilesystem: true - name: nfs image: "{{ .Values.image.nfs.repository }}:{{ .Values.image.nfs.tag }}" securityContext: @@ -80,6 +84,7 @@ spec: capabilities: add: ["SYS_ADMIN"] allowPrivilegeEscalation: true + readOnlyRootFilesystem: true imagePullPolicy: {{ .Values.image.nfs.pullPolicy }} args: - "--v={{ .Values.controller.logLevel }}" diff --git a/charts/latest/csi-driver-nfs/templates/csi-nfs-node.yaml b/charts/latest/csi-driver-nfs/templates/csi-nfs-node.yaml index b9f819fc2..7a50edb81 100644 --- a/charts/latest/csi-driver-nfs/templates/csi-nfs-node.yaml +++ b/charts/latest/csi-driver-nfs/templates/csi-nfs-node.yaml @@ -51,6 +51,8 @@ spec: - name: socket-dir mountPath: /csi resources: {{- toYaml .Values.node.resources.livenessProbe | nindent 12 }} + securityContext: + readOnlyRootFilesystem: true - name: node-driver-registrar image: "{{ .Values.image.nodeDriverRegistrar.repository }}:{{ .Values.image.nodeDriverRegistrar.tag }}" livenessProbe: @@ -85,6 +87,7 @@ spec: capabilities: add: ["SYS_ADMIN"] allowPrivilegeEscalation: true + readOnlyRootFilesystem: true image: "{{ .Values.image.nfs.repository }}:{{ .Values.image.nfs.tag }}" args : - "--v={{ .Values.node.logLevel }}" From 215f821af1d52cd238a304d8ba177f27e27370cf Mon Sep 17 00:00:00 2001 From: andyzhangx Date: Tue, 7 Mar 2023 13:17:09 +0000 Subject: [PATCH 2/4] chore: update chart file config --- charts/latest/csi-driver-nfs-v0.0.0.tgz | Bin 3726 -> 3750 bytes 1 file changed, 0 insertions(+), 0 deletions(-) diff --git a/charts/latest/csi-driver-nfs-v0.0.0.tgz b/charts/latest/csi-driver-nfs-v0.0.0.tgz index 9a1bb81a217a1c73cac9ef225ccde8fb014bdb6b..b6aef05918086eb8beda0f157c14ea840f58b1dd 100644 GIT binary patch delta 3726 zcmV;94sr309i|+bAyx_jF@yWPEao$gMj_kaC6=sY10OIxNik?%T> zo~ypNzepn~{fbgi!9$pIJ(8xgUm4M;v=^g_Bu%w_cF;eDlh1uPv?>EbA>rq2fRdv| z<#Cc=2vwExCNuJ#pc8bw*Iw~kE4P~cPYBCUJ+T8=WBnmGkC68T z;yNq1ri{S=^C7W~BvX+E&_@kgz>qM7K!@fbToY~|W(v*k62vtR%zT1tDHucPq7EM_ zfBwu@1b?>Rgd_-J2>qOcoLxh%G`*09cYaC54rYVMSj&9keTgFfM7oxP0 zt>Yknc;Kj=F~V{Fs=-diNSGd<38_Qq{mdz*>$zr zI!Rj|K+IJknL`|sjA?)^AQM8F5fHdIHGBCH4p?S*{Y<6O|DbyOccJtN)?Ro3WH_Xp z>VK*AbsD2cW^XV>Aw6;4BFS=*6+M_Uf^(ukq)7CBKpx7n zA}HhjwaP=IiHC4)Lbyo*C?A1M4V57waTvl_>r{p9cGZu>B2sNl)Ri(WWk^SvM1MaO zv5i86a+GaD&$q<+qlLo%;E2cXxa5?fmx=4KBu5M|G%z5o&ErKE{-Z zDaOVp*vva}0VD9d3jxs>qpSMpRDZ+@lqNb;A0cH(6q>{_^gICLDk9Cm_l+s5ltj3H zdkeui+J3=F@f7av3=fW&@2fm^?6*jo))E)Wl_tD_5Zv9h!1u3-j>fMo=Kr^Csr_G$ zk)_Y0qk}*C)-am96ujs zq!Orc+iq5+YrYtN{-hZBrv(d)H*WoR3tE@0oR*O$9nQ9{3?YIQHfZrrlCb6;e*)z( zat%Ezen-yiW^H3%+cLh5w$%SGf=3Uo3as}3-EOD5SM~qB&Ti+e{(tu(&G&upit;#w zL!0U)$hB843X(Kc?Mc^5P?MNwG6yA$!zc`Vt|Z*Klf0Kr=3LjN9MAX)$|IJ=HOCy3 z-NfCUr&6@A>>Rypp1pYQI4IIacREf?BKXV9+nYwxbp1LCjMNR%7Ab8WQ$|zW*utK2 z4rVgkVBLF;!aW!TD1XFcTFpz>57l$(3&-sS556#Z#^w)mLM2D;9*iB#bS>mnUKD_> z5@-*EDFGZYwwQy(&4CZ?FAj)?m=@KE66Vz`hgpaD{M8D@NnLBJuS>LwP;^c8xM`{a z-I~ud!@J6|s|jgAJQY-Iw$;_(E>sAN^6X~zz8-x`%0I{KOMj}f8nzCh)vAz29+w8M znXFt3*kH;E#=KB!7-2Dz*RJ`%j05=SThi-x@kHBr!_g?jaR?eUA-*f(9aZqb2d35Ah4H zyKg*Dxij)feSuE+`2s5Mz@h3Pn9Ruh3zUei>icq5s+O)3`Mk1P_VfS~Tlcd?v4stA zwMC-Gj*l9Lj(fuwYJcuJ0m?ACwY7SJUXGx7#~QovCx7r9-mw^b#(_}qkjx#Zrsx%&u$oI)!t9%H$ECh*Dr-M zQ_3$y

8nmq?{{aiT_SXip*tHta&1-kIYECF~Fxnf5UfJXRrWcPf4I$TWN1 zt-elCQV}-~ULO@w5v#f4E{_bQU7BBMg1fu6A<#HXij<6Ur`7tA##Fl8kg&Q5y<~c1 z4yw&j$;qlAsb4B0b5OQydyAT|xx5@SaervVBT6?dSH^8jQa!bouWsKk*Ke<_#edyP z%7@~a@ZU~nx6`TPzdL(x`0tA}-}ftUZ+=<0xIaAU=IHQ2|Jc>{R|CP-TxkZ|60J!z zKF5D&RGI|0xHalL1b^o)hlgvCu^0vj11YYMTjX72x=aIm^FB$jJe{;DYM%CESs!gUvK`>(}$8-^?@ z;R=ihZ|07>Xpu+~!sA8E&4&%X!&g?S950ylvIVu2=<)t{?+?$9zaE`mo_`W z`1$he)5YKa)<`80G43~$s@e1dQK;Ru23xg``x^0M#IO`gZ5r5&Y%T|I?3ZL`skZxd z*)rU$KmYpU(WQlPPd>nbliOXH`w-afRGx_TsNyPP$(VxPL9EQ8*8)12v@) zs|rJ>@}T&d|AsPu?)ubY)_qxgcXXqL0!upkHcMIFUyYuRWqFH6AUm4N>6dNTf8L?5UB1@|NwSSf;hK`?y;{q*w zdR|MonjJT+GEmx!yd>u?E}sjAm37+QB-3Ld=^xg?m8y9was0|c@kW~@mzA#}+e_UW zFG^<2MLr)$N^KoYnIlPl5-CO4-&*Oc+LuSnywe2bz;+m+ZheFnqssoY-|96VoLJ1K z*u)03;~p?!#0X6`o`2PqBbw%_7EqgJ&U-|RD7E1_H(V1=kn0CXE?><@Xr;@hTfeMG zQDYlVx}Zl9jD(OeUFRv+ed54o-qm=c{0zJ35+Cm0V77}Z1b_V>@?F(h{uhjqC3M7v z#HX8M?fsu#J^$Nz%l}@eZNVAQ#t`hc?%dA1zxp%CC^OCgQW9N}5vsu3f{QU#pt970 zHlW7H7>t-0xZ*hFqmLkw5lts(k8h>tgvZ_%aCAp+c%Mof(i@Cjb@IRd7QiWIQ~L*r zQpXacD1lLqfqxeq_AmQdNc6VgKqQIa@b#b%F_p>-MpU=$|Bihx82lmI_W$C+c+@uk z6~C$pZ_f!0NOYB@_HQ33??a%jQ}07CAXnapKqsm9;eWj?_(~)dnS$fPBjp9D6vpj& s0gaKgT|X)QTfY zxtfdnMjFZJXOxNx9>HYOBUv{4l@X0fdkLyo(oEZD`~4$0{?La5t1>VY5`N7GC^>3W z9w#YAP**8$G9w=bVGw#>d&MuU+8XvhAuLDr$PQqI{qOX`cTM~6h2e|+KSzsmrA7K1 z86Z;;T;F&!C4VD~JOBVbRPKXm5;LKw7IGTFD3$>g-HV@;uQVA^KJpbE`AQ2(M%d*; zm9cz8`E0NzqX=TciJZ=!WjSLfg3)*y!O`$o=o5(wxwai*MNg!dP~$mJwsRqIM3t7) z;NmA`*r~E$)H<6Js53I@1-&3#j}b;E$Wf^iDF%3VK7Y#LnHk>TVk`J*T`sst(7D`G zHyOF7ObnsY-epN@fv??QYc*e&(b8YyEB@&GhXqh8yz(2>x?dP{p^abKN zE4ZYL!2pXPiH#&vkq6L64O+mEFoi&e<{?}XZXf0f&F>P#B@fJef@>)lL+PRpA1Z(T z%vS_9;D4B;2x18Rf`fuxL#{HtkcN2Td2&GF=2AQW7uifW^PKde>cb#bw2-(5kQ(|Y zC{wD8_NfR$&l@7qxwIODoD3L#=>H-`o|U34=5gB(r6J!zWcmS6|UQj;zXar{0)#>Uq z>v#YOSEXbQa7c2d0XBe42xUe<;NsNmhV8>(#P0%;Q^50kaDW0 z)_>PI!|Ef$SPNM^(t@ER+U}fPhYuGxji6&~M+%0)#VqA9HkMi`bqb3SnHg=Ubq=qn z(yDxc!y(2xg3ht%$74)#hMl$O7u%N^fj{{y{)48Gs6;MfEF{Z{xbexN*o9r5P-n*}vwQ5^KrJi?_mxtZ2s8_v*=+(vsoZ=8A@)%7F6dX4x|*m9Wn9XTj&g~9CVvte zg$U&+yM~@`iTRnN6QZ%qMW$VEW5cDOCplw%$4~@+{ON6gUl>ED7;30EmOC$p%KNs) z`A=h-*>ivQ_|w^8KhRhD;d89Qe|p=^^WV+9|tn9wu=g&KyGp`K>Amm0CeV}Fd`P50); z^K7@ntBmjj^cZa9~L-JbnO(|$f2(ktlrb7II7``NL^EP!QEgfX&oo;5-%U#`0&=02MQ zYPoNTpws4ETF0b>lMyEVV1L>eRU#0}1{T@P^)-}MSQTQhblePJx3f9fzMtXv#V{k4 zK#jY0vua(7#rX3l<;X7@(d(%jktzJiok-9 z!Ayp0tb5l{xC5gArGJ=AYk2AAp?Xez;ke!6!52o)*!*cusN%@ogRz5|E`_`(iUP1v z0qub>C4eI)7IUz;Iq;$V#R1Wf(6TyF!Mxh#FzYa%zh0p@Zfb4)b%j?*2pwg$vTr%NUEp%j40(aK~0s$)Gto7ek`e`F=4lIP(dx{ zv};i29eA1{Viow#uOPl{1?^RBG>s*Y6JwP7nM2A6q&yBne92?jaR?b&oZGf)*lpr6uv55AjQ{ zyJtL5wKMWbbAe9y#R6*Yz@h39n9Ruh3zUd2n)`B6sg|x1`Mk1P_4EJ}Tlcd?v4stA zwMC-Gj*kY1j(fuwYJcuJ0je;%wY6q~UX7qd#|FFb1%G&<&6`_QhD)K9$h=>#b>E_} zH7tLXzScXhr>=FyT()tpr{&t$G)0l?y`Ea=;L03+CZyhLk3e-6=Vg)l_Bv{ly{$Xx zPM!9BROc4uFm1VJ-9vS1+^*CdK2+gOHD2kuU@}Q3l;H@I zSrLBTVtbtiCf%V`%gYAgcBp#pQUpbW~(JF5ZI@A7*4l$m_3_pql zXSab)3`CxxI)AQ5AU(WlV_J2J;d4KkgA6u!UBEh|OQhyD5yeH(b zv(nh=ntfLTe25s90(Wf#+hMfjXo3BL<19^fzb;#boAuYJVflut5zjjIDZm#|A^?!s`;oPs5(3TzCR$TZb_sefyuPO7Vu5mnM-RI@k`PP~X zmc{S@<1C_lfN`G?h;_9hjSX-y< zO>#XJlKySIX{DNXD~?}VC|+rkQM2kbRC}p+?M2C)xiISk$*8TPDRZnTPBWEo{zoU9 zRr`wYTy&bC9M}#c)Sb7`VN}_l_FJ9igAf)#?h*&q^RC7l z6$j=;mw12w2D4qfMbQ5t-&Jhnf58}8N=IBse7reU-v8NZ=6`?NFZtgywGB8S+8BcU z)|K0N_g7yAIc3HfKt|#VGC~!28*nzJ3RIq1gb36a8G{iM16LfUeDoG1GNS1O?OCz% zobbfk0FLgQ53e(cLwbdYt4{vcj{$t*Y-;}?P3BmF3?(qiG4O(e{&`;uiQWe6i!>D+ zKJWJ-p;CFlh;Hhx{ok?g1%tn3*ZyBV7>~Nd2a%BnR#!5 z0lDzr1Uk*UH~;Hxz-J<<$Q2wN94ar!q%dyJ3uuC*>-tIYZ!egrSR~l}hW)`yducE2 T`)U6d00960#NsLB09*h7nk|6% From d9796d11933f40b75701d7fe462a5aa8e19b6f14 Mon Sep 17 00:00:00 2001 From: Jan Jansen Date: Mon, 13 Mar 2023 16:46:08 +0100 Subject: [PATCH 3/4] mark workingMountDir as emptyDir --- .../latest/csi-driver-nfs/templates/csi-nfs-controller.yaml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/charts/latest/csi-driver-nfs/templates/csi-nfs-controller.yaml b/charts/latest/csi-driver-nfs/templates/csi-nfs-controller.yaml index fab3c95dc..e8a1bb39e 100644 --- a/charts/latest/csi-driver-nfs/templates/csi-nfs-controller.yaml +++ b/charts/latest/csi-driver-nfs/templates/csi-nfs-controller.yaml @@ -118,6 +118,8 @@ spec: mountPropagation: "Bidirectional" - mountPath: /csi name: socket-dir + - mountPath: {{ .Values.controller.workingMountDir }} + name: tmp-dir resources: {{- toYaml .Values.controller.resources.nfs | nindent 12 }} volumes: - name: pods-mount-dir @@ -126,3 +128,5 @@ spec: type: Directory - name: socket-dir emptyDir: {} + - name: tmp-dir + emptyDir: {} From 18432fa13fc7a937e36a33f4510691da334d8889 Mon Sep 17 00:00:00 2001 From: Jan Jansen Date: Wed, 15 Mar 2023 08:46:28 +0100 Subject: [PATCH 4/4] update charts Signed-off-by: Jan Jansen --- charts/latest/csi-driver-nfs-v0.0.0.tgz | Bin 3750 -> 3771 bytes 1 file changed, 0 insertions(+), 0 deletions(-) diff --git a/charts/latest/csi-driver-nfs-v0.0.0.tgz b/charts/latest/csi-driver-nfs-v0.0.0.tgz index b6aef05918086eb8beda0f157c14ea840f58b1dd..ce8c9b343aed7bf4037a8419e4a5adaca901c6e0 100644 GIT binary patch delta 3528 zcmV;(4L9DNW>?&V%Qw zFYYhWNJ_t=R8;T~CS8xD>FifVG%D@Is3J*IZJ!@OPMHOx*6Ex;m66GIupM+ZV}#KOa#ZS6iUHo8kAGr#YKGUi=mkG)$^{oOI+uIq zCL{Nhi6KNvj_F<;b{4POU@xaU{xR!!3lrHMHEX^6+3CkG^|FU13JkoX52*~H zJt4Bq=%AfH^t_TNW}GdG#IxGMXhc*9T@S$QzkkNj^n99P2xsV)ZMtRr3;#@%HnMdb zcb(4l&Xpv`$1n8e^O>Y;8n8-@eoc{K;qWA2f|bB{CUdF1cne&S*k)DY7J(Sl_kN z>3pVM;nV(;p(^)^(kz5-Cs`QQD@HZC>VIXEbssocDK;*fqW6F)JhM%UmTaCrrFA6a z`d2=q<6K15WH+$$?faTpqqfyl>UlSLdDwkHz1n_=UTtl`84gh*kI=+G!O;Z2L`Vc> z+`m?NXf*K74J@>ayzMLQR1AVO@KF2!zXM3l9{@dN%>As%-o}ADxO=fq&9OXX-tq42eRMIEJ1FU|dC{8Th_2WtEZ$_it_> zI78bnI4PdO?XBU#5%YbO$Bz9LNz+>5Lb=j}HxPo`+ZOo#717c7rN#XJwk@^)i!rhk zr3!TVP$+1P{darYb^Ld4r?>NJ|Ig8GZrbl)LX!{_Y8X<6dYa;XV#E@SF@J=2?b}<= zv)zuaQ^I4=W3-XjoT|;|$kq&OzndE$VjNPA&@$&@)2#*m{Ef|316O6RHX3|&h@1V?sy@r-QCx$$>pB-z=0$3JB7$ZyOStB&^<+?j!?z2gt zmiv|vT20=iaZExu8DZ=Xrhm0j1p={bV4mIF+(2Q4Wg!Mj$ISqCJDZd3#~F^F4>M8; z)VOUotI{=Jj6Z);jQrDr1;!h<{<{UOi&jp{NRtj{TUUk zo)y0%XLhr;u`g{I-$q;N{};iddshWk`~PmYx4m8U|Gmy`cl*`^V0Q0^_=>`al65TFN~hC`NN!0$&tGUV+S)`33-_p1z@WL z+5=%q07r~1=3sGi;6wY11EL|OMRlTtc{R&n)?q$>wL)=H*V^jq60IT>T~R%5nyNsz z<}=OkuCnZELRt_{1r?iZbv3vP6#}C?yPmzTN8gh2&oTRw>VK?;twU(FDx{IerNL_^ zE7t-xn6iQ~FPV9j+{*&1Wg6>bok}Vs)zbq;lyaJ&rb=Vt=O( z3Y2*Vo@R(x3BL17h;LH?GdI^fgDYESP(|B=d07x{Z^L!HH5ujE-OT04QHd|dTg#v9 z_gV`NeZwt@V}FTC?SJ?7nxfKm@O~B);<@e&KcZ zjRz`sMn0)8&v(&s`@#8Ai9ZR!`8&5j5{uV;BAeo_}j|w^wCYVU$_h5?tf8uJSCA z#9ug@o(Z8pQHIXyW(Cix;0tu$uhz>~D1D_KuukWzoi|hYs&X&eeAm-*?Q5E#$n^fU zTIk?PC4MTT-fxa#RTk%^m8!%YwaI?(PWo4+eINB(p3_1QUMo3GC7n=)BaCa@nHG_h3@D?TVr@?VNF0aoTdV)C{>8_`&&MaN-zyym zW8&(xAbzAG!ic-ew=l~_!rDa9%<`A1S94hLC(G<1uRb>Wd6N*(c>lY%CtnVaE{+eI zLJsmc6_o4!@7^Btk1vi+4o|-vpPV;!bq8Ui43jGfEmBF5)HMrWNRh>7I9z;_zjMZJ zjvY2RGhw-L=Cb6Q!)nIqb=Yn%bFju`F6hlHfpW#?hk4W@e7YWg)ZV31Xb}k(!ui2z z>D`k1VOBtdvP|Onld1_yf7{!(A<#HXij<6Ur`7tA##Fl8kg&Q5-8((14c^r18Yj?6 z`tan-9D|!TQAYOXYcZHd+-8lT~RGAd1iTihCTzU&t|#Aq5Z{48Re-3B`~EGg}-K-X}n{5EZ{ zcwIJklRg}!V@yyI=2da6m6R%%a&7mas$A1GX>o<%OYh%9+gkfKY25?A53;WQv(xR? z>i-{lyRY@1XKAJSe-FV#@IKz7{9|?GX$wDD8WWBEN-4%9O_Yy*wXcfgrhbLB&Sv#} zkyg3n=B!NcKJ}xTAfBrFQ=8^5Q1{saA?b*6!fb&j5}dmn9b0h`s;2X>LhciL@s}KocmR3n$n0>rJFDEp!k~qhBANZ3erQ?eNlXOF?6H3U|Evz(m>n`wWav49FWM* zRq9Fc-_G`KXKw-j-Fd}-pQY8%!upkHcMIFUz4eof3>X|ohK`?x;{q*wd|peqnjJT+ zGEmx!yd>u?E}sdLzzh}vT9eldFBZLr7Ng4kwBPDAADmdsr`W^>wBznElN=2me|tzS zU(I`HrOT#UzpO}6V;hgUpa&6*gpe`iWeaGU!&>dr2(5AVT_L4uzTdrhHLhgbKT;l3 zK6(lpuYJqFALLVQT%F4X|Heq?M&9UM=PB1+;=pF!)p(=)47=zO@9*DWwu>tS{Wtlp zYAyc@#>f&n;zHu%&9V0WPp_W;f9<^Hf6vsm;FM@%2=-fdZs*-!{TXDG8D{_~i7v?q zRp4#G`IstDS!zKWP-A2aMobJ`ah&qedyvS8rW3Tsx6*UMV{Z#Mx}!I|O(hQLHO8(w z`Cs1$@P)If{ewiQV+m4}z$nMS3l94ieJvzM$G#T~ z{*Z0^fAL^EYMcLxU)6-S=Y$3%y3A7hw-1!}E>Ksg_bwQaOYdEvlhk|nzup#nC6bCv z!SUgd@`6+f9i|#<7k&*nQq+$nouKsjP_+-nMCxEl687%t zTBppPf#p{%Hsl>~y+&+dI46y?34NPN(<%JAddrArDJirZkc7I**>K zzPP_gBPsogQc=M}m~=gorn6re(WtZ+qlzR=wS9KbKZcXfeK@o#14AL<=WKwIqekU% zl3)l`mGUMt@|~a)biCJI@mnjmn*C1*%TPVB16X7KyW5@b>-OLKe*4Y-U!p~s(jxhV z43Mc1Ztpyrkbe<|9smFzD)+%OiK$Rj3pov86v=>!_SFx{SDK6{ANh)oe5HjXBW&}b zN?A6dd^T8_XXlQ zE4ZeN!2t6iv5h2Ckp<944O+mEFoi&e<{?}YZXad}&F>P#H4n^uf@>)lL+PRpA1Z(T z%vS`q;D3Z92x18RoP(TQL#{NvkcN2dd2&Fa`cgaq7uifW^PKd;^1~ofG?%yskQn-B zC=;rT_Nfp$o;O6IGifylIT9-j%RL+Jg_-mcLpCPu&D1X&2X9>BGbSCo&w7=hV!wc0vK zTOL5nRUw%}9FmM_fGr>sLYWZ|xHvU?`4J9SW_bNfrPBYPdi-~x^a<8pcmQNLq@3!h z^?!BFu=>a_(n98sv|uQSwmWCn;lmY9Lugssk%D1xHA{JnjU`q}t=wWnYDODst)m;N zv?^ZUaEOr(p>-nq(HP^5VQVA$`Szto;Lkpb|EOssDv`+ubICP(aYhrWOOYkP#QLtC zPUj2t3ZM4x3{|;Tlx87xJITVZUNNfCRevv=toz8xO0jX-6un1G;hAk(v}E)2Ijtih zH^1^39p@sdCcA;1Z$H$`8nvyaQZKv7%fs#~>ecpR^lEDh&T)tmd4whg3XUfDB|;)7 zOBGb0FwdGRKvy8F6VeRA%dNLVpY5Ic`EPf3d++W1_Yw^*##l#nsDcq{ZA?DKl!+`-$3j7C?7!RFuH(OZJH76k{l7%Jy={Mh2~9#!s9{JM>S>Dmi4jXQ#(xk#wD0ab z&vrYyNePcZkI_bAbE-C}D{cdl4h;c|cLd%?sO}7^K^EWnE4P2GM+Gz0AA&#c! z=>(;uF~XnbILss1+qNHR($9uNdIK$gP7HZ$KRec#1+XlNFh-Wlvqos-%XN3e+-H+O zE%z-Uw3@t2Ieea6$ID|u+ z>LtjvS1t;YG*#_M*Go{7m}oKwC5*!;41BI6+_{symrdqe*QOlL_zKD+mc=#49F*O} z-JPdWw6N?Py=B%go!GM$&ZsItq-`4bm1VZ5~rbQ{C9Yo^lRm zGTdO@dyc|A7zHTAWPe)COVWJ95J?-gT>8(5A81wh=!OJ)rk`3)hvfuhxz=~3dKoXYpbtIw2Dx4P4&2Gssi1b z&oslk%Cf5oX+b;{RBX1@)!;5v2#oUVX7;`weM`ze$Lve0vws@44x!bmkVYPt2Ctc{ zTnpG>$_mE3Wad?JFAJ=eX{?iVDyfiEPY)PT%4vd{DvgPspJ@F^QcWYmR&r26E$6f= zQ06^&njvB(_|7jOzD)(p++6bvu56t_6>SgZWkI;R3)l75WRz!jGnXSrCB7VQEq}7# zYb`wV4YwqYC4VZl|K0mfhll4!{r=w?Ix-|NO5g4w6?}b<4S<3MB6y=E@tqIx3$MFx zJW#na@=1MxPWbr(D(}Fd>LHlS$ovbGh_34Ua#pIAt`qsZvRd}^025pHvqiCm4REzZ zqQ{Pp8i$U1!xw6Q?m7X=FuJw1dV*e#pn1m{yYMIQTz{Lpy(+^Bqs-ct;2Ljqm1l`0 zKILqBE`0g!hL)34Df|<5lJ0GBa6>eWd`}k08qH-o* zTcc>E%YUMJt>iS7bV3=9Fs^ZDT0~MZpp0sYwLJkKaU8;Lt^Pmzm!A&59G|p)uXG@c ziR-h1_>qbTBknHW!YmsJYZFB?%U`Bm&0)o#EVGBa`q=E}O+rB9{qNqNoE{!s9v?P^ z9OQ8-DA)Vny+7z5Uml$to}C__Tr_oc2VtWOWs@xlEK*C6)HMrWNRh?oI9z;_zjMZJ zjvY2RGhw-L=Cb6Q!)nIqP1tTPbFju`F6hlHfpW#?$9dEue7YWg)ZV31Xb}k(!o|T^ z>D`k1VOBtdvP|N|ldB0zf4jT3A<#HXij<6Ur`7tA##Fl8kg&Q5y<~c14yw&j$;qlA zsb4B0b5OQydyAT|xx5@SacIRON;fT6#%)YeJ++swZr?E1Z?CPzf89&UhvJ#=-%e+@ z)2ZXXJ9}^V?~63w_bYI3ep$G1m`Y?hij3s7zPLfDXx%P z*3-<&gUTPxq+YC!@r@$7R> zXpu+~!sA8E&4&%X!&g?S950ylvIVu2=<)t{?+?$9zaE`mo*(^m**`t_`SR@3#ozzd zNF@<5?l+UF+4KWZsNJ;&TeXh+8u4SquoO#e8rY0%E(dVzmt<$Dw)=J2GTf{`|N7(6 zrG;@%K7BcQe=#6;1IWL@5?<6R%?DSuc{Pc0*N1wzhLtb%bIp~e|D?LmlNQX3Gk|r) zA{T1EjWW?&W#@jG)mu$xRZZt{h1_TM;;&s!x?c>qe=Vp{I1j4>HKh@&3PY#zp!k~q zhBANd`qX3AeOY{WbfdXoS(5PDK-?>}rTDKLkjT$f9qL)}-_G`KXKw-j-Fd@*U!>L0 z!upkHcMIFUyYrKw3>Y&fhK`?y;{q*wdR|MonjJT+GEmx!yd>u?E}sjAm37+QB-3Ld z=^xg?m8y9was0|c@kW#E3@;XagchU9{<@ zXr;@hTfeMGQDYlVx}Zl9jD(OeUFRv+ed54o-qm=c{0zJ35+Cm0V77}Z1pOcKUDaCt z7mSf5bi{?kr<-H#{hwYv|9{(g%l}@eZNVAQ#t`hc?%dA1zxp%CC^OCgQW9N}5vsu3 zf{QU#pt970HlW7H7>t-0xZ*hFqmLkw5lts(k8h>tgvZ_%aCAp+c%Mof(i@Cjb@IRd z7QiWIQ~L*rQpXacD1lLqffpS1FZ)_Z^tRwYB#Geg^`H+imC6f7RBpHJ|Bihx82lmI z_W$C+c+@uk6~C$pZ_f!0NOYB@_HQ33??a%jQ}07CAXnapKqsm9;eWj?_(~)dnS$fP zBjp9D6vpj&0gaKgT|X)Q