From cb85b960e301d5561df89091772464d0d303657c Mon Sep 17 00:00:00 2001 From: Bilgin Ibryam Date: Fri, 9 Dec 2016 00:16:46 +0000 Subject: [PATCH 01/63] Fixed wrong URL --- docs/contribute/write-new-topic.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/contribute/write-new-topic.md b/docs/contribute/write-new-topic.md index c34f3cfde1..d4037e724b 100644 --- a/docs/contribute/write-new-topic.md +++ b/docs/contribute/write-new-topic.md @@ -77,7 +77,7 @@ Depending page type, create an entry in one of these files: {% capture whatsnext %} * Learn about [using page templates](/docs/contribute/page-templates/). * Learn about [staging your changes](/docs/contribute/stage-documentation-changes). -* Learn about [creating a pull request](/docs/contribute/write-new-topic). +* Learn about [creating a pull request](/docs/contribute/create-pull-request/). {% endcapture %} {% include templates/task.md %} From 3ebef7eeceb9a93f19be6947961c2dd9738d9a5d Mon Sep 17 00:00:00 2001 From: Bilgin Ibryam Date: Fri, 9 Dec 2016 08:49:26 +0000 Subject: [PATCH 02/63] Fixed typos --- docs/admin/dns.md | 20 ++++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) diff --git a/docs/admin/dns.md b/docs/admin/dns.md index d75acfa093..5e9d55f822 100644 --- a/docs/admin/dns.md +++ b/docs/admin/dns.md @@ -70,7 +70,7 @@ is no longer supported. When enabled, pods are assigned a DNS A record in the form of `pod-ip-address.my-namespace.pod.cluster.local`. -For example, a pod with ip `1.2.3.4` in the namespace `default` with a dns name of `cluster.local` would have an entry: `1-2-3-4.default.pod.cluster.local`. +For example, a pod with ip `1.2.3.4` in the namespace `default` with a DNS name of `cluster.local` would have an entry: `1-2-3-4.default.pod.cluster.local`. #### A Records and hostname based on Pod's hostname and subdomain fields @@ -171,7 +171,7 @@ busybox 1/1 Running 0 Once that pod is running, you can exec nslookup in that environment: ``` -kubectl exec busybox -- nslookup kubernetes.default +kubectl exec -ti busybox -- nslookup kubernetes.default ``` You should see something like: @@ -194,10 +194,10 @@ If the nslookup command fails, check the following: Take a look inside the resolv.conf file. (See "Inheriting DNS from the node" and "Known issues" below for more information) ``` -cat /etc/resolv.conf +kubectl exec busybox cat /etc/resolv.conf ``` -Verify that the search path and name server are set up like the following (note that seach path may vary for different cloud providers): +Verify that the search path and name server are set up like the following (note that search path may vary for different cloud providers): ``` search default.svc.cluster.local svc.cluster.local cluster.local google.internal c.gce_project_id.internal @@ -210,7 +210,7 @@ options ndots:5 Errors such as the following indicate a problem with the kube-dns add-on or associated Services: ``` -$ kubectl exec busybox -- nslookup kubernetes.default +$ kubectl exec -ti busybox -- nslookup kubernetes.default Server: 10.0.0.10 Address 1: 10.0.0.10 @@ -220,7 +220,7 @@ nslookup: can't resolve 'kubernetes.default' or ``` -$ kubectl exec busybox -- nslookup kubernetes.default +$ kubectl exec -ti busybox -- nslookup kubernetes.default Server: 10.0.0.10 Address 1: 10.0.0.10 kube-dns.kube-system.svc.cluster.local @@ -244,7 +244,7 @@ kube-dns-v19-ezo1y 3/3 Running 0 ... ``` -If you see that no pod is running or that the pod has failed/completed, the dns add-on may not be deployed by default in your current environment and you will have to deploy it manually. +If you see that no pod is running or that the pod has failed/completed, the DNS add-on may not be deployed by default in your current environment and you will have to deploy it manually. #### Check for Errors in the DNS pod @@ -258,7 +258,7 @@ kubectl logs --namespace=kube-system $(kubectl get pods --namespace=kube-system See if there is any suspicious log. W, E, F letter at the beginning represent Warning, Error and Failure. Please search for entries that have these as the logging level and use [kubernetes issues](https://github.com/kubernetes/kubernetes/issues) to report unexpected errors. -#### Is dns service up? +#### Is DNS service up? Verify that the DNS service is up by using the `kubectl get service` command. @@ -277,7 +277,7 @@ kube-dns 10.0.0.10 53/UDP,53/TCP 1h If you have created the service or in the case it should be created by default but it does not appear, see this [debugging services page](http://kubernetes.io/docs/user-guide/debugging-services/) for more information. -#### Are dns endpoints exposed? +#### Are DNS endpoints exposed? You can verify that dns endpoints are exposed by using the `kubectl get endpoints` command. @@ -348,7 +348,7 @@ some of those settings will be lost. As a partial workaround, the node can run `dnsmasq` which will provide more `nameserver` entries, but not more `search` entries. You can also use kubelet's `--resolv-conf` flag. -If you are using Alpine version 3.3 or earlier as your base image, dns may not +If you are using Alpine version 3.3 or earlier as your base image, DNS may not work properly owing to a known issue with Alpine. Check [here](https://github.com/kubernetes/kubernetes/issues/30215) for more information. From 08a199d6d17009a85edc3aaa226845d91079fb36 Mon Sep 17 00:00:00 2001 From: Eric Baum Date: Fri, 9 Dec 2016 23:03:48 +0000 Subject: [PATCH 03/63] Update header Updates header to remove hamburger on desktop, set 100px margin, and adds 100px margin to body. --- _includes/head-header.html | 10 +++++- _sass/_base.sass | 71 ++++++++++++++++++++++++++++++++++++++ _sass/_desktop.sass | 20 +++++++++-- images/search-icon.svg | 13 +++++++ js/script.js | 18 ++++++++++ 5 files changed, 128 insertions(+), 4 deletions(-) create mode 100644 images/search-icon.svg diff --git a/_includes/head-header.html b/_includes/head-header.html index 17a83fa31e..598f6e80fb 100644 --- a/_includes/head-header.html +++ b/_includes/head-header.html @@ -20,8 +20,16 @@
+
- View Documentation + + Try Kubernetes
diff --git a/_sass/_base.sass b/_sass/_base.sass index 635012a39b..7ef5103ff8 100644 --- a/_sass/_base.sass +++ b/_sass/_base.sass @@ -234,6 +234,40 @@ header color: $blue text-decoration: none +// Global Nav - 12/9/2016 Update + +ul.global-nav + display: none + + li + display: inline-block + margin-right: 14px + + a + color: #fff + font-weight: bold + padding: 0 + position: relative + + &.active:after + position: absolute + width: 100% + height: 2px + content: '' + bottom: -4px + left: 0 + background: #fff + + +.flip-nav ul.global-nav li a, +.open-nav ul.global-nav li a, + color: #333 + +.flip-nav ul.global-nav li a.active:after, +.open-nav ul.global-nav li a.active:after, + + background: $blue + // FLIP NAV .flip-nav header @@ -301,6 +335,26 @@ header padding-left: 0 padding-right: 0 margin-bottom: 0 + position: relative + + &.bot-bar:after + display: block + margin-bottom: -20px + height: 8px + width: 100% + background-color: transparentize(white, 0.9) + content: '' + + &.no-sub + + h5 + display: none + + h1 + margin-bottom: 20px + +#home #hero:after + display: none // VENDOR STRIP #vendorStrip @@ -482,6 +536,19 @@ section margin: 0 auto height: 44px line-height: 44px + position: relative + + &:before + position: absolute + width: 15px + height: 15px + content: '' + right: 8px + top: 7px + background-image: url(/images/search-icon.svg) + background-repeat: no-repeat + background-size: 100% 100% + z-index: 1 #search width: 100% @@ -490,6 +557,10 @@ section line-height: 30px font-size: 16px vertical-align: top + background: #fff + border: none + border-radius: 4px + position: relative #encyclopedia diff --git a/_sass/_desktop.sass b/_sass/_desktop.sass index 2e70b23e8a..27fbc46ae1 100644 --- a/_sass/_desktop.sass +++ b/_sass/_desktop.sass @@ -3,6 +3,15 @@ $vendor-strip-height: 44px $video-section-height: 550px @media screen and (min-width: 1025px) + #hamburger + display: none + + ul.global-nav + display: inline-block + + #docs #vendorStrip #searchBox:before + top: 15px + #vendorStrip height: $vendor-strip-height line-height: $vendor-strip-height @@ -40,7 +49,7 @@ $video-section-height: 550px #searchBox float: right - width: 30% + width: 320px #search vertical-align: middle @@ -65,7 +74,7 @@ $video-section-height: 550px #encyclopedia - padding: 50px 50px 20px 20px + padding: 50px 50px 100px 100px clear: both #docsToc @@ -88,6 +97,11 @@ $video-section-height: 550px section, header, footer main max-width: $main-max-width + + header, #vendorStrip, #encyclopedia, #hero h1, #hero h5, #docs #hero h1, #docs #hero h5, + #community #hero h1, .gridPage #hero h1, #community #hero h5, .gridPage #hero h5 + padding-left: 100px + padding-right: 100px #home section, header, footer @@ -276,7 +290,7 @@ $video-section-height: 550px text-align: left h1 - padding: 20px + padding: 20px 100px #tryKubernetes width: auto diff --git a/images/search-icon.svg b/images/search-icon.svg new file mode 100644 index 0000000000..285f57caff --- /dev/null +++ b/images/search-icon.svg @@ -0,0 +1,13 @@ + + + + + + diff --git a/js/script.js b/js/script.js index 22eff0a1b4..b944d91175 100755 --- a/js/script.js +++ b/js/script.js @@ -503,3 +503,21 @@ var pushmenu = (function(){ show: show }; })(); + +$(function() { + + // Make global nav be active based on pathname + if ((location.pathname.split("/")[1]) !== ""){ + $('.global-nav li a[href^="/' + location.pathname.split("/")[1] + '"]').addClass('active'); + } + + // If vendor strip doesn't exist add className + if ( !$('#vendorStrip').length > 0 ) { + $('#hero').addClass('bot-bar'); + } + + // If is not homepage add class to hero section + if (!$('#home').length > 0 ) { + $('#hero').addClass('no-sub'); + } +}); \ No newline at end of file From 7fcf266a242fb64a75008b8a6a8b4fc94a38c0a9 Mon Sep 17 00:00:00 2001 From: craigbox Date: Sat, 10 Dec 2016 18:10:54 +0000 Subject: [PATCH 04/63] Adjust header formatting There are too many horizontal lines in the documentation, which makes knowing which things are headings (h2) and which are sub-headings (h3) almost impossible. I've tidied up the weights a little to make it more obvious and trimmed some excess whitespace. Ultimately I think a typographer's eye on the single choice of font-face (perhaps a serif for headings?) would be worthwhile. --- _sass/_base.sass | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/_sass/_base.sass b/_sass/_base.sass index 109124052f..3fba0239c8 100644 --- a/_sass/_base.sass +++ b/_sass/_base.sass @@ -712,7 +712,6 @@ dd font-weight: 500 margin-bottom: 30px padding-bottom: 10px - border-bottom: 1px solid #cccccc // Make sure anchor links aren't hidden by the header &:before @@ -722,6 +721,9 @@ dd height: $header-clearance visibility: hidden + h1,h2 + border-bottom: 1px solid #cccccc + h1 font-size: 32px padding-right: 60px @@ -731,9 +733,12 @@ dd h3 font-size: 24px + font-weight: 300 + margin-bottom: 5px h4 font-size: 20px + margin-bottom: 0px h5, h6 font-size: 16px From af3d24c7ef9ca8fce02eecf63d3d74c356888ed8 Mon Sep 17 00:00:00 2001 From: craigbox Date: Sat, 10 Dec 2016 18:20:24 +0000 Subject: [PATCH 05/63] Change vertical alignment of code blocks Things looked odd due to the padding on code blocks; they sat 2px above the text surrounding them. This PR will fix that by aligning inline code blocks, and the text surrounding them, on their baseline. --- _sass/_base.sass | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/_sass/_base.sass b/_sass/_base.sass index 109124052f..c4db0c93ec 100644 --- a/_sass/_base.sass +++ b/_sass/_base.sass @@ -753,7 +753,7 @@ dd background-color: $light-grey color: $dark-grey font-family: $mono-font - vertical-align: bottom + vertical-align: baseline font-size: 14px font-weight: bold padding: 2px 4px From ad99f86c357b45ceeb2e9eb6e82ab3a0d8c72dc3 Mon Sep 17 00:00:00 2001 From: Ben Balter Date: Tue, 13 Dec 2016 13:54:28 -0500 Subject: [PATCH 06/63] Use the GitHub Pages Gem The GitHub Pages Gem (https://github.com/github/pages-gem) is a meta-gem that does two things: 1. It locks dependencies to the same version used by GitHub Pages ensuring that when you build the site locally, you're using the same version of plugins and other dependencies used in production. 2. When loaded as part of the :jekyll_plugins group, it allows the Gem to set certain configuration defaults and overrides (such as activating default plugins) to ensure, once again that your local preview replicates the production version as closely as possible. --- Gemfile | 19 +--------- Gemfile.lock | 104 ++++++++++++++++++++++++++++++++------------------- 2 files changed, 66 insertions(+), 57 deletions(-) diff --git a/Gemfile b/Gemfile index e29e26cdc8..0c8671cdee 100644 --- a/Gemfile +++ b/Gemfile @@ -1,20 +1,3 @@ source "https://rubygems.org" -gem "jekyll", "3.2.1" -gem "jekyll-sass-converter", "1.3.0" -gem "minima", "1.1.0" -gem "kramdown", "1.11.1" -gem "liquid", "3.0.6" -gem "rouge", "1.11.1" -gem "jemoji", "0.7.0" -gem "jekyll-mentions", "1.2.0" -gem "jekyll-redirect-from", "0.11.0" -gem "jekyll-sitemap", "0.10.0" -gem "jekyll-feed", "0.5.1" -gem "jekyll-gist", "1.4.0" -gem "jekyll-paginate", "1.1.0" -gem "jekyll-coffeescript", "1.0.1" -gem "jekyll-seo-tag", "2.0.0" -gem "jekyll-github-metadata", "2.0.2" -gem "listen", "3.0.6" -gem "activesupport", "4.2.7" +gem "github-pages", group: :jekyll_plugins diff --git a/Gemfile.lock b/Gemfile.lock index ee385b958b..c6f7150060 100644 --- a/Gemfile.lock +++ b/Gemfile.lock @@ -11,19 +11,52 @@ GEM coffee-script (2.4.1) coffee-script-source execjs - coffee-script-source (1.10.0) + coffee-script-source (1.11.1) colorator (1.1.0) + ethon (0.10.1) + ffi (>= 1.3.0) execjs (2.7.0) - faraday (0.9.2) + faraday (0.10.0) multipart-post (>= 1.2, < 3) ffi (1.9.14) forwardable-extended (2.6.0) gemoji (2.1.0) + github-pages (104) + activesupport (= 4.2.7) + github-pages-health-check (= 1.2.0) + jekyll (= 3.3.0) + jekyll-avatar (= 0.4.2) + jekyll-coffeescript (= 1.0.1) + jekyll-feed (= 0.8.0) + jekyll-gist (= 1.4.0) + jekyll-github-metadata (= 2.2.0) + jekyll-mentions (= 1.2.0) + jekyll-paginate (= 1.1.0) + jekyll-redirect-from (= 0.11.0) + jekyll-sass-converter (= 1.3.0) + jekyll-seo-tag (= 2.1.0) + jekyll-sitemap (= 0.12.0) + jekyll-swiss (= 0.4.0) + jemoji (= 0.7.0) + kramdown (= 1.11.1) + liquid (= 3.0.6) + listen (= 3.0.6) + mercenary (~> 0.3) + minima (= 2.0.0) + rouge (= 1.11.1) + terminal-table (~> 1.4) + github-pages-health-check (1.2.0) + addressable (~> 2.3) + net-dns (~> 0.8) + octokit (~> 4.0) + public_suffix (~> 1.4) + typhoeus (~> 0.7) html-pipeline (2.4.2) activesupport (>= 2) nokogiri (>= 1.4) i18n (0.7.0) - jekyll (3.2.1) + jekyll (3.3.0) + addressable (~> 2.4) colorator (~> 1.0) jekyll-sass-converter (~> 1.0) jekyll-watch (~> 1.1) @@ -33,14 +66,17 @@ GEM pathutil (~> 0.9) rouge (~> 1.7) safe_yaml (~> 1.0) + jekyll-avatar (0.4.2) + jekyll (~> 3.0) jekyll-coffeescript (1.0.1) coffee-script (~> 2.2) - jekyll-feed (0.5.1) + jekyll-feed (0.8.0) + jekyll (~> 3.3) jekyll-gist (1.4.0) octokit (~> 4.2) - jekyll-github-metadata (2.0.2) + jekyll-github-metadata (2.2.0) jekyll (~> 3.1) - octokit (~> 4.0) + octokit (~> 4.0, != 4.4.0) jekyll-mentions (1.2.0) activesupport (~> 4.0) html-pipeline (~> 2.3) @@ -50,9 +86,11 @@ GEM jekyll (>= 2.0) jekyll-sass-converter (1.3.0) sass (~> 3.2) - jekyll-seo-tag (2.0.0) - jekyll (~> 3.1) - jekyll-sitemap (0.10.0) + jekyll-seo-tag (2.1.0) + jekyll (~> 3.3) + jekyll-sitemap (0.12.0) + jekyll (~> 3.3) + jekyll-swiss (0.4.0) jekyll-watch (1.5.0) listen (~> 3.0, < 3.1) jemoji (0.7.0) @@ -68,52 +106,40 @@ GEM rb-inotify (>= 0.9.7) mercenary (0.3.6) mini_portile2 (2.1.0) - minima (1.1.0) - minitest (5.9.0) + minima (2.0.0) + minitest (5.10.1) multipart-post (2.0.0) - nokogiri (1.6.8) + net-dns (0.8.0) + nokogiri (1.6.8.1) mini_portile2 (~> 2.1.0) - pkg-config (~> 1.1.7) - octokit (4.3.0) - sawyer (~> 0.7.0, >= 0.5.3) + octokit (4.6.2) + sawyer (~> 0.8.0, >= 0.5.3) pathutil (0.14.0) forwardable-extended (~> 2.6) - pkg-config (1.1.7) - rb-fsevent (0.9.7) + public_suffix (1.5.3) + rb-fsevent (0.9.8) rb-inotify (0.9.7) ffi (>= 0.5.0) rouge (1.11.1) safe_yaml (1.0.4) sass (3.4.22) - sawyer (0.7.0) - addressable (>= 2.3.5, < 2.5) - faraday (~> 0.8, < 0.10) + sawyer (0.8.1) + addressable (>= 2.3.5, < 2.6) + faraday (~> 0.8, < 1.0) + terminal-table (1.7.3) + unicode-display_width (~> 1.1.1) thread_safe (0.3.5) + typhoeus (0.8.0) + ethon (>= 0.8.0) tzinfo (1.2.2) thread_safe (~> 0.1) + unicode-display_width (1.1.2) PLATFORMS ruby DEPENDENCIES - activesupport (= 4.2.7) - jekyll (= 3.2.1) - jekyll-coffeescript (= 1.0.1) - jekyll-feed (= 0.5.1) - jekyll-gist (= 1.4.0) - jekyll-github-metadata (= 2.0.2) - jekyll-mentions (= 1.2.0) - jekyll-paginate (= 1.1.0) - jekyll-redirect-from (= 0.11.0) - jekyll-sass-converter (= 1.3.0) - jekyll-seo-tag (= 2.0.0) - jekyll-sitemap (= 0.10.0) - jemoji (= 0.7.0) - kramdown (= 1.11.1) - liquid (= 3.0.6) - listen (= 3.0.6) - minima (= 1.1.0) - rouge (= 1.11.1) + github-pages BUNDLED WITH - 1.11.2 + 1.13.6 From f08e807226c86204a2e448d3c90a4c9380f5c08b Mon Sep 17 00:00:00 2001 From: Ben Balter Date: Tue, 13 Dec 2016 13:56:49 -0500 Subject: [PATCH 07/63] Use Jekyll Feed to generate the Atom feed. Jekyll Feed (https://github.com/jekyll/jekyll-feed) is an official Jekyll plugin which should replicate the existing feed nearly identically, but with a shared, battle-tested template that accounts for all sorts of edge cases like relative links in feed entries. It should be a drop in replacement and "just work" without any additional configuration. --- _config.yml | 1 + feed.xml | 29 ----------------------------- 2 files changed, 1 insertion(+), 29 deletions(-) delete mode 100644 feed.xml diff --git a/_config.yml b/_config.yml index 5b7f442fd8..ea24a1bfc0 100644 --- a/_config.yml +++ b/_config.yml @@ -30,3 +30,4 @@ permalink: pretty gems: - jekyll-redirect-from + - jekyll-feed diff --git a/feed.xml b/feed.xml deleted file mode 100644 index ae253f98b5..0000000000 --- a/feed.xml +++ /dev/null @@ -1,29 +0,0 @@ ---- ---- - - - - {{ site.title | xml_escape }} - {{ site.description | xml_escape }} - {{ site.url }}{{ site.baseurl }}/ - - {{ site.time | date_to_rfc822 }} - {{ site.time | date_to_rfc822 }} - Jekyll v{{ jekyll.version }} - {% for post in site.posts limit:10 %} - - {{ post.title | xml_escape }} - {{ post.content | xml_escape }} - {{ post.date | date_to_rfc822 }} - {{ post.url | prepend: site.baseurl | prepend: site.url }} - {{ post.url | prepend: site.baseurl | prepend: site.url }} - {% for tag in post.tags %} - {{ tag | xml_escape }} - {% endfor %} - {% for cat in post.categories %} - {{ cat | xml_escape }} - {% endfor %} - - {% endfor %} - - From 8f1f8d47bbb2f8b3233c525fbafe35dc5a1b137b Mon Sep 17 00:00:00 2001 From: Ben Balter Date: Tue, 13 Dec 2016 13:58:48 -0500 Subject: [PATCH 08/63] Use Jekyll Sitemap to generate the sitemap. Jekyll Sitemap (https://github.com/jekyll/jekyll-sitemap) is an official Jekyll plugin, which should serve as a drop-in replacement for the existing sitemap.xml. The resulting sitemap should be largely similar to the existing sitemap, but with a shared, battle-tested template that accounts for all sorts of edge cases, handles collections and static files, etc. --- _config.yml | 1 + sitemap.xml | 18 ------------------ 2 files changed, 1 insertion(+), 18 deletions(-) delete mode 100644 sitemap.xml diff --git a/_config.yml b/_config.yml index ea24a1bfc0..2c3c51a83b 100644 --- a/_config.yml +++ b/_config.yml @@ -31,3 +31,4 @@ permalink: pretty gems: - jekyll-redirect-from - jekyll-feed + - jekyll-sitemap diff --git a/sitemap.xml b/sitemap.xml deleted file mode 100644 index ff1dd0d398..0000000000 --- a/sitemap.xml +++ /dev/null @@ -1,18 +0,0 @@ ---- ---- - - - - - http://kubernetes.io/ - {{ site.time | date_to_xmlschema }} - -{% for page in site.pages %}{% if page.url != "/404.html" and page.url != "/sitemap.xml" and page.url != "/css/styles.css" %} - http://kubernetes.io{{ page.url }} - {% if page.date %}{{ page.date | date_to_xmlschema }}{% else %}{{ site.time | date_to_xmlschema }}{% endif %} -{% endif %}{% endfor %} - From cb9c9dccfd81dec094a43a2123f8fcdef2394ff3 Mon Sep 17 00:00:00 2001 From: Ben Balter Date: Tue, 13 Dec 2016 14:03:11 -0500 Subject: [PATCH 09/63] Add title and description to _config.yml Although the title already has a "name" entry, this commit replicates the name as "title", and adds a "description" entry, both of which are shared across common, official Jekyll plugins like jekyll-feed and jekyll-sitemap. This allows the feed and sitemap to properly output the title and description in various places. --- _config.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/_config.yml b/_config.yml index 2c3c51a83b..c95c693508 100644 --- a/_config.yml +++ b/_config.yml @@ -1,4 +1,6 @@ name: Kubernetes +title: Kubernetes +description: Production-Grade Container Orchestration markdown: kramdown kramdown: input: GFM From 69a6958209c5887ca4d6a88dc2fca4aed0db7a3d Mon Sep 17 00:00:00 2001 From: Ben Balter Date: Tue, 13 Dec 2016 14:04:51 -0500 Subject: [PATCH 10/63] Remove "baseurl" from _config.yml MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Remove baseurl from the config for three reasons: 1. It's not used anyplace within the site 2. The site’s base URL is only to be used when the resulting site lives at a subpath of the domain. Otherwise, the subpath should be nil, not /. 3. When the Pages Gem is loaded as part of the :jekyll_plugins group, baseurl and url are set automatically. --- _config.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/_config.yml b/_config.yml index c95c693508..b5c1134b21 100644 --- a/_config.yml +++ b/_config.yml @@ -7,7 +7,6 @@ kramdown: html_to_native: true hard_wrap: false syntax_highlighter: rouge -baseurl: / incremental: true safe: false From 91634d19c0a12266d3fff01a30ea3a70fe93720e Mon Sep 17 00:00:00 2001 From: Ben Balter Date: Tue, 13 Dec 2016 14:07:53 -0500 Subject: [PATCH 11/63] Use absolute_url to generate the cannonical URL Starting with Jekyll v3.3, Jekyll ships with `relative_url` and `absolute_url` filters. Rather than manual concatenating strings, we can rely on Jekyll to handle the logic in Ruby land, which takes into account the site's URL (locally and in production), and handles things like double "/"s. --- _includes/head-header.html | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/_includes/head-header.html b/_includes/head-header.html index 17a83fa31e..28cec80a84 100644 --- a/_includes/head-header.html +++ b/_includes/head-header.html @@ -2,7 +2,7 @@ - {% if !page.no_canonical %}{% endif %} + {% if !page.no_canonical %}{% endif %} From 731f5bac1aea36e1b3fa937552f27b3d503cf83a Mon Sep 17 00:00:00 2001 From: Ben Balter Date: Tue, 13 Dec 2016 14:16:54 -0500 Subject: [PATCH 12/63] Use Jekyll SEO Tag to generate the search engine HEAD meta. This commit moves the site to use the official Jekyll SEO Tag plugin (https://github.com/jekyll/jekyll-seo-tag) to generate the search-engine meta in the HEAD of each page. The title and canonical URL output should be largely the same as before, but with additional metadata, such as JSON-LD (for richer indexing), Twitter card metadat, etc. Like the other plugins, this should largely work out-of-the-box, with no additional day-to-day configuration, but is customizable where desired. --- _config.yml | 6 ++++++ _includes/head-header.html | 3 +-- 2 files changed, 7 insertions(+), 2 deletions(-) diff --git a/_config.yml b/_config.yml index b5c1134b21..8b131eb433 100644 --- a/_config.yml +++ b/_config.yml @@ -33,3 +33,9 @@ gems: - jekyll-redirect-from - jekyll-feed - jekyll-sitemap + - jekyll-seo-tag + +# SEO +logo: /images/favicon.png +twitter: + username: kubernetesio diff --git a/_includes/head-header.html b/_includes/head-header.html index 28cec80a84..e2b18fa6ee 100644 --- a/_includes/head-header.html +++ b/_includes/head-header.html @@ -2,7 +2,6 @@ - {% if !page.no_canonical %}{% endif %} @@ -14,7 +13,7 @@ - Kubernetes - {{ title }} + {% seo %}
From 5de11038b15670f28a4362f6f13afbc8f774d447 Mon Sep 17 00:00:00 2001 From: Ben Balter Date: Tue, 13 Dec 2016 14:21:22 -0500 Subject: [PATCH 13/63] Exclude 404.html from the sitemap. See https://github.com/jekyll/jekyll-sitemap/issues/113#issuecomment-266834805 for making this the default behavior. --- 404.md | 1 + 1 file changed, 1 insertion(+) diff --git a/404.md b/404.md index 3d32e81bcf..8354c87820 100644 --- a/404.md +++ b/404.md @@ -3,6 +3,7 @@ layout: docwithnav title: 404 Error! permalink: /404.html no_canonical: true +sitemap: false --- From e66750603f5a627c6ecbb5dda6698d045b219696 Mon Sep 17 00:00:00 2001 From: Ben Balter Date: Tue, 13 Dec 2016 14:39:22 -0500 Subject: [PATCH 14/63] Don't use the site description as the index title --- index.html | 10 ++++------ 1 file changed, 4 insertions(+), 6 deletions(-) diff --git a/index.html b/index.html index a603025150..728100db84 100644 --- a/index.html +++ b/index.html @@ -1,9 +1,8 @@ --- -title: Production-Grade Container Orchestration --- - + {% include head-header.html %} @@ -22,7 +21,7 @@ title: Production-Grade Container Orchestration - + @@ -110,7 +109,7 @@ title: Production-Grade Container Orchestration exposing secrets in your stack configuration.

- +

Storage orchestration

@@ -198,9 +197,8 @@ title: Production-Grade Container Orchestration ga('create', 'UA-36037335-10', 'auto'); ga('send', 'pageview'); - - From e971f9cb627135e0a5b19740e856343eab705328 Mon Sep 17 00:00:00 2001 From: Ben Balter Date: Tue, 13 Dec 2016 14:42:51 -0500 Subject: [PATCH 15/63] bump github pages gem to v109 to get workflow improvements --- Gemfile.lock | 35 +++++++++++++++++++++++++++-------- 1 file changed, 27 insertions(+), 8 deletions(-) diff --git a/Gemfile.lock b/Gemfile.lock index c6f7150060..4d72be803d 100644 --- a/Gemfile.lock +++ b/Gemfile.lock @@ -7,7 +7,8 @@ GEM minitest (~> 5.1) thread_safe (~> 0.3, >= 0.3.4) tzinfo (~> 1.1) - addressable (2.4.0) + addressable (2.5.0) + public_suffix (~> 2.0, >= 2.0.2) coffee-script (2.4.1) coffee-script-source execjs @@ -21,22 +22,28 @@ GEM ffi (1.9.14) forwardable-extended (2.6.0) gemoji (2.1.0) - github-pages (104) + github-pages (109) activesupport (= 4.2.7) - github-pages-health-check (= 1.2.0) - jekyll (= 3.3.0) + github-pages-health-check (= 1.3.0) + jekyll (= 3.3.1) jekyll-avatar (= 0.4.2) jekyll-coffeescript (= 1.0.1) + jekyll-default-layout (= 0.1.4) jekyll-feed (= 0.8.0) jekyll-gist (= 1.4.0) jekyll-github-metadata (= 2.2.0) jekyll-mentions (= 1.2.0) + jekyll-optional-front-matter (= 0.1.2) jekyll-paginate (= 1.1.0) + jekyll-readme-index (= 0.0.3) jekyll-redirect-from (= 0.11.0) + jekyll-relative-links (= 0.2.1) jekyll-sass-converter (= 1.3.0) jekyll-seo-tag (= 2.1.0) jekyll-sitemap (= 0.12.0) jekyll-swiss (= 0.4.0) + jekyll-theme-primer (= 0.1.1) + jekyll-titles-from-headings (= 0.1.2) jemoji (= 0.7.0) kramdown (= 1.11.1) liquid (= 3.0.6) @@ -45,17 +52,17 @@ GEM minima (= 2.0.0) rouge (= 1.11.1) terminal-table (~> 1.4) - github-pages-health-check (1.2.0) + github-pages-health-check (1.3.0) addressable (~> 2.3) net-dns (~> 0.8) octokit (~> 4.0) - public_suffix (~> 1.4) + public_suffix (~> 2.0) typhoeus (~> 0.7) html-pipeline (2.4.2) activesupport (>= 2) nokogiri (>= 1.4) i18n (0.7.0) - jekyll (3.3.0) + jekyll (3.3.1) addressable (~> 2.4) colorator (~> 1.0) jekyll-sass-converter (~> 1.0) @@ -70,6 +77,8 @@ GEM jekyll (~> 3.0) jekyll-coffeescript (1.0.1) coffee-script (~> 2.2) + jekyll-default-layout (0.1.4) + jekyll (~> 3.0) jekyll-feed (0.8.0) jekyll (~> 3.3) jekyll-gist (1.4.0) @@ -81,9 +90,15 @@ GEM activesupport (~> 4.0) html-pipeline (~> 2.3) jekyll (~> 3.0) + jekyll-optional-front-matter (0.1.2) + jekyll (~> 3.0) jekyll-paginate (1.1.0) + jekyll-readme-index (0.0.3) + jekyll (~> 3.0) jekyll-redirect-from (0.11.0) jekyll (>= 2.0) + jekyll-relative-links (0.2.1) + jekyll (~> 3.3) jekyll-sass-converter (1.3.0) sass (~> 3.2) jekyll-seo-tag (2.1.0) @@ -91,6 +106,10 @@ GEM jekyll-sitemap (0.12.0) jekyll (~> 3.3) jekyll-swiss (0.4.0) + jekyll-theme-primer (0.1.1) + jekyll (~> 3.3) + jekyll-titles-from-headings (0.1.2) + jekyll (~> 3.3) jekyll-watch (1.5.0) listen (~> 3.0, < 3.1) jemoji (0.7.0) @@ -116,7 +135,7 @@ GEM sawyer (~> 0.8.0, >= 0.5.3) pathutil (0.14.0) forwardable-extended (~> 2.6) - public_suffix (1.5.3) + public_suffix (2.0.4) rb-fsevent (0.9.8) rb-inotify (0.9.7) ffi (>= 0.5.0) From 2fa89315ebfbc30853a2b0c379043bd3485729bb Mon Sep 17 00:00:00 2001 From: steveperry-53 Date: Thu, 8 Dec 2016 14:22:13 -0800 Subject: [PATCH 16/63] Write new Task: Distributing Credentials Securely. --- _data/tasks.yml | 2 + .../distribute-credentials-secure.md | 122 ++++++++++++++++++ docs/tasks/administer-cluster/secret-pod.yaml | 16 +++ docs/tasks/administer-cluster/secret.yaml | 7 + 4 files changed, 147 insertions(+) create mode 100644 docs/tasks/administer-cluster/distribute-credentials-secure.md create mode 100644 docs/tasks/administer-cluster/secret-pod.yaml create mode 100644 docs/tasks/administer-cluster/secret.yaml diff --git a/_data/tasks.yml b/_data/tasks.yml index ee468f48d6..c720dfb09b 100644 --- a/_data/tasks.yml +++ b/_data/tasks.yml @@ -14,6 +14,8 @@ toc: path: /docs/tasks/configure-pod-container/assign-cpu-ram-container/ - title: Configuring a Pod to Use a Volume for Storage path: /docs/tasks/configure-pod-container/configure-volume-storage/ + - title: Distributing Credentials Securely + path: /docs/tasks/administer-cluster/distribute-credentials-secure/ - title: Accessing Applications in a Cluster section: diff --git a/docs/tasks/administer-cluster/distribute-credentials-secure.md b/docs/tasks/administer-cluster/distribute-credentials-secure.md new file mode 100644 index 0000000000..017b6aa459 --- /dev/null +++ b/docs/tasks/administer-cluster/distribute-credentials-secure.md @@ -0,0 +1,122 @@ +--- +--- + +{% capture overview %} +This page shows how to create a Secret and a Pod that has access to the Secret. +{% endcapture %} + +{% capture prerequisites %} + +{% include task-tutorial-prereqs.md %} + +{% endcapture %} + +{% capture steps %} + +### Converting your secret data to a base-64 representation + +Suppose you want to have two pieces of secret data: a username `my-app` and a password +`39528$vdg7Jb`. First, use [Base64 encoding](https://www.base64encode.org/) to +convert your username and password to a base-64 representation. Here's a Linux +example: + + echo 'my-app' | base64 + echo '39528$vdg7Jb' | base64 + +The output shows that the base-64 representation of your username is `bXktYXBwCg==`, +and the base-64 representation of your password is `Mzk1MjgkdmRnN0piCg==`. + +### Creating a Secret + +Here is a configuration file you can use to create a Secret that holds your +username and password: + +{% include code.html language="yaml" file="secret.yaml" ghlink="/docs/tasks/administer-cluster/secret.yaml" %} + +1. Create the Secret + + kubectl create -f http://k8s.io/docs/tasks/administer-cluster/secret.yaml + +1. View information about the Secret: + + kubectl get secret test-secret + + Output: + + NAME TYPE DATA AGE + test-secret Opaque 2 1m + + +1. View more detailed information about the Secret: + + kubectl describe secret test-secret + + Output: + + Name: test-secret + Namespace: default + Labels: + Annotations: + + Type: Opaque + + Data + ==== + password: 13 bytes + username: 7 bytes + +### Creating a Pod that has access to the secret data + +Here is a configuration file you can use to create a Pod: + +{% include code.html language="yaml" file="secret-pod.yaml" ghlink="/docs/tasks/administer-cluster/secret-pod.yaml" %} + +1. Create the Pod: + + kubectl create -f http://k8s.io/docs/tasks/administer-cluster/secret-pod.yaml + +1. Verify that your Pod is running: + + kubectl get pods + + Output: + + NAME READY STATUS RESTARTS AGE + secret-test-pod 1/1 Running 0 42m + + +1. Get a shell into the Container that is running in your Pod: + + kubectl exec -it secret-test-pod -- /bin/bash + +1. In your shell, go to the directory where the secret data is exposed: + + root@secret-test-pod:/# cd /etc/secret-volume + +1. In your shell, list the files in the `/etc/secret-volume` directory: + + root@secret-test-pod:/etc/secret-volume# ls + + The output shows two files, one for each piece of secret data: + + password username + +1. In your shell, display the contents of the `username` and `password` files: + + root@secret-test-pod:/etc/secret-volume# cat username password + + The output is your username and password: + + my-app + 39528$vdg7Jb + +{% endcapture %} + +{% capture whatsnext %} + +* Learn more about [secrets](/docs/user-guide/secrets/). +* See [Secret](docs/api-reference/v1/definitions/#_v1_secret). + +{% endcapture %} + +{% include templates/task.md %} diff --git a/docs/tasks/administer-cluster/secret-pod.yaml b/docs/tasks/administer-cluster/secret-pod.yaml new file mode 100644 index 0000000000..abbd6cb1d5 --- /dev/null +++ b/docs/tasks/administer-cluster/secret-pod.yaml @@ -0,0 +1,16 @@ +apiVersion: v1 +kind: Pod +metadata: + name: secret-test-pod +spec: + containers: + - name: test-container + image: nginx + volumeMounts: + # name must match the volume name below + - name: secret-volume + mountPath: /etc/secret-volume + volumes: + - name: secret-volume + secret: + secretName: test-secret diff --git a/docs/tasks/administer-cluster/secret.yaml b/docs/tasks/administer-cluster/secret.yaml new file mode 100644 index 0000000000..64627d638f --- /dev/null +++ b/docs/tasks/administer-cluster/secret.yaml @@ -0,0 +1,7 @@ +apiVersion: v1 +kind: Secret +metadata: + name: test-secret +data: + username: bXktYXBwCg== + password: Mzk1MjgkdmRnN0piCg== From c8d67ab1825cd074eba1e5bd66cf5562173b35b2 Mon Sep 17 00:00:00 2001 From: steveperry-53 Date: Fri, 9 Dec 2016 14:07:15 -0800 Subject: [PATCH 17/63] Addressed comments by pwittrock. --- _data/tasks.yml | 3 +- .../distribute-credentials-secure.md | 60 +++++++++++++++++-- .../secret-envars-pod.yaml | 19 ++++++ .../secret-pod.yaml | 1 + .../secret.yaml | 0 docs/tasks/index.md | 1 + 6 files changed, 77 insertions(+), 7 deletions(-) rename docs/tasks/{administer-cluster => configure-pod-container}/distribute-credentials-secure.md (58%) create mode 100644 docs/tasks/configure-pod-container/secret-envars-pod.yaml rename docs/tasks/{administer-cluster => configure-pod-container}/secret-pod.yaml (82%) rename docs/tasks/{administer-cluster => configure-pod-container}/secret.yaml (100%) diff --git a/_data/tasks.yml b/_data/tasks.yml index c720dfb09b..277efa4886 100644 --- a/_data/tasks.yml +++ b/_data/tasks.yml @@ -15,7 +15,7 @@ toc: - title: Configuring a Pod to Use a Volume for Storage path: /docs/tasks/configure-pod-container/configure-volume-storage/ - title: Distributing Credentials Securely - path: /docs/tasks/administer-cluster/distribute-credentials-secure/ + path: /docs/tasks/configure-pod-container/distribute-credentials-secure/ - title: Accessing Applications in a Cluster section: @@ -36,6 +36,7 @@ toc: section: - title: Assigning Pods to Nodes path: /docs/tasks/administer-cluster/assign-pods-nodes/ + - title: Autoscaling the DNS Service in a Cluster path: /docs/tasks/administer-cluster/dns-horizontal-autoscaling/ - title: Safely Draining a Node while Respecting Application SLOs diff --git a/docs/tasks/administer-cluster/distribute-credentials-secure.md b/docs/tasks/configure-pod-container/distribute-credentials-secure.md similarity index 58% rename from docs/tasks/administer-cluster/distribute-credentials-secure.md rename to docs/tasks/configure-pod-container/distribute-credentials-secure.md index 017b6aa459..c2828315cb 100644 --- a/docs/tasks/administer-cluster/distribute-credentials-secure.md +++ b/docs/tasks/configure-pod-container/distribute-credentials-secure.md @@ -2,7 +2,8 @@ --- {% capture overview %} -This page shows how to create a Secret and a Pod that has access to the Secret. +This page shows how to securely inject sensitive data, such as passwords and +encryption keys, into Pods. {% endcapture %} {% capture prerequisites %} @@ -37,6 +38,11 @@ username and password: kubectl create -f http://k8s.io/docs/tasks/administer-cluster/secret.yaml + **Note:** If you want to skip the Base64 encoding step, you can create a Secret + by using the `kubectl create secret` command: + + kubectl create secret generic test-secret --from-literal=username="my-app",password="39528$vdg7Jb" + 1. View information about the Secret: kubectl get secret test-secret @@ -65,7 +71,7 @@ username and password: password: 13 bytes username: 7 bytes -### Creating a Pod that has access to the secret data +### Creating a Pod that has access to the secret data through a Volume Here is a configuration file you can use to create a Pod: @@ -77,7 +83,7 @@ Here is a configuration file you can use to create a Pod: 1. Verify that your Pod is running: - kubectl get pods + kubectl get pod secret-test-pod Output: @@ -89,7 +95,9 @@ Here is a configuration file you can use to create a Pod: kubectl exec -it secret-test-pod -- /bin/bash -1. In your shell, go to the directory where the secret data is exposed: +1. The secret data is exposed to the Container through a Volume mounted under +`/etc/secret-volume`. In your shell, go to the directory where the secret data +is exposed: root@secret-test-pod:/# cd /etc/secret-volume @@ -110,12 +118,52 @@ Here is a configuration file you can use to create a Pod: my-app 39528$vdg7Jb +### Creating a Pod that has access to the secret data through environment variables + +Here is a configuration file you can use to create a Pod: + +{% include code.html language="yaml" file="secret-envars-pod.yaml" ghlink="/docs/tasks/administer-cluster/secret-envars-pod.yaml" %} + +1. Create the Pod: + + kubectl create -f http://k8s.io/docs/tasks/administer-cluster/secret-envars-pod.yaml + +1. Verify that your Pod is running: + + kubectl get pod secret-envars-test-pod + + Output: + + NAME READY STATUS RESTARTS AGE + secret-envars-test-pod 1/1 Running 0 4m + +1. Get a shell into the Container that is running in your Pod: + + kubectl exec -it secret-envars-test-pod -- /bin/bash + +1. In your shell, display the environment variables: + + root@secret-envars-test-pod:/# printenv + + The output includes your username and password: + + ... + SECRET_USERNAME=my-app + ... + SECRET_PASSWORD=39528$vdg7Jb + {% endcapture %} {% capture whatsnext %} -* Learn more about [secrets](/docs/user-guide/secrets/). -* See [Secret](docs/api-reference/v1/definitions/#_v1_secret). +* Learn more about [Secrets](/docs/user-guide/secrets/). +* Learn about [Volumes](/docs/user-guide/volumes/). + +#### Reference + +* [Secret](docs/api-reference/v1/definitions/#_v1_secret) +* [Volume](docs/api-reference/v1/definitions/#_v1_volume) +* [Pod](docs/api-reference/v1/definitions/#_v1_pod) {% endcapture %} diff --git a/docs/tasks/configure-pod-container/secret-envars-pod.yaml b/docs/tasks/configure-pod-container/secret-envars-pod.yaml new file mode 100644 index 0000000000..1637c0eac3 --- /dev/null +++ b/docs/tasks/configure-pod-container/secret-envars-pod.yaml @@ -0,0 +1,19 @@ +apiVersion: v1 +kind: Pod +metadata: + name: secret-envars-test-pod +spec: + containers: + - name: envars-test-container + image: nginx + env: + - name: SECRET_USERNAME + valueFrom: + secretKeyRef: + name: test-secret + key: username + - name: SECRET_PASSWORD + valueFrom: + secretKeyRef: + name: test-secret + key: password diff --git a/docs/tasks/administer-cluster/secret-pod.yaml b/docs/tasks/configure-pod-container/secret-pod.yaml similarity index 82% rename from docs/tasks/administer-cluster/secret-pod.yaml rename to docs/tasks/configure-pod-container/secret-pod.yaml index abbd6cb1d5..78633c477c 100644 --- a/docs/tasks/administer-cluster/secret-pod.yaml +++ b/docs/tasks/configure-pod-container/secret-pod.yaml @@ -10,6 +10,7 @@ spec: # name must match the volume name below - name: secret-volume mountPath: /etc/secret-volume + # The secret data is exposed to Containers in the Pod through a Volume. volumes: - name: secret-volume secret: diff --git a/docs/tasks/administer-cluster/secret.yaml b/docs/tasks/configure-pod-container/secret.yaml similarity index 100% rename from docs/tasks/administer-cluster/secret.yaml rename to docs/tasks/configure-pod-container/secret.yaml diff --git a/docs/tasks/index.md b/docs/tasks/index.md index 4daee756ca..6a2aaee6a4 100644 --- a/docs/tasks/index.md +++ b/docs/tasks/index.md @@ -10,6 +10,7 @@ single thing, typically by giving a short sequence of steps. * [Defining Environment Variables for a Container](/docs/tasks/configure-pod-container/define-environment-variable-container/) * [Defining a Command and Arguments for a Container](/docs/tasks/configure-pod-container/define-command-argument-container/) * [Assigning CPU and RAM Resources to a Container](/docs/tasks/configure-pod-container/assign-cpu-ram-container/) +* [Distributing Credentials Securely](/docs/tasks/configure-pod-container/distribute-credentials-secure/) #### Accessing Applications in a Cluster From b43e72124ff656e54321d65ea18e3783c3800f82 Mon Sep 17 00:00:00 2001 From: Eric Baum Date: Tue, 13 Dec 2016 21:37:53 +0000 Subject: [PATCH 18/63] Updates logo --- images/nav_logo.svg | 111 ++++++++++++++++++++++++++++++++++++++++++- images/nav_logo2.svg | 109 +++++++++++++++++++++++++++++++++++++++++- 2 files changed, 218 insertions(+), 2 deletions(-) diff --git a/images/nav_logo.svg b/images/nav_logo.svg index 666997a143..982c04f4aa 100644 --- a/images/nav_logo.svg +++ b/images/nav_logo.svg @@ -1 +1,110 @@ - \ No newline at end of file + + + + +Kubernetes_Logo_Hrz_lockup_REV + + + + + + + + + + + + + + + + + + + + + + diff --git a/images/nav_logo2.svg b/images/nav_logo2.svg index 1c88bd436a..92b8d19ac4 100644 --- a/images/nav_logo2.svg +++ b/images/nav_logo2.svg @@ -1 +1,108 @@ - \ No newline at end of file + + + + +Kubernetes_Logo_Hrz_lockup_POS + + + + + + + + + + + + + + + + + + + + + From 3921711fd90c17ffb98ba0b3909764a4c9d2b623 Mon Sep 17 00:00:00 2001 From: Janet Kuo Date: Tue, 13 Dec 2016 14:07:07 -0800 Subject: [PATCH 19/63] Add left nav for apps API group --- _data/reference.yml | 7 +++++++ docs/api-reference/README.md | 1 + docs/reference.md | 5 ++++- 3 files changed, 12 insertions(+), 1 deletion(-) diff --git a/_data/reference.yml b/_data/reference.yml index ce0504eed8..6b3351c954 100644 --- a/_data/reference.yml +++ b/_data/reference.yml @@ -41,6 +41,13 @@ toc: - title: Batch API Definitions path: /docs/api-reference/batch/v1/definitions/ +- title: Apps API + section: + - title: Apps API Operations + path: /docs/api-reference/apps/v1beta1/operations/ + - title: Apps API Definitions + path: /docs/api-reference/apps/v1beta1/definitions/ + - title: Extensions API section: - title: Extensions API Operations diff --git a/docs/api-reference/README.md b/docs/api-reference/README.md index c0c1f3620d..a2fae5b001 100644 --- a/docs/api-reference/README.md +++ b/docs/api-reference/README.md @@ -8,6 +8,7 @@ Use the following reference docs to understand the kubernetes REST API for vario * extensions/v1beta1: [operations](/docs/api-reference/extensions/v1beta1/operations.html), [model definitions](/docs/api-reference/extensions/v1beta1/definitions.html) * batch/v1: [operations](/docs/api-reference/batch/v1/operations.html), [model definitions](/docs/api-reference/batch/v1/definitions.html) * autoscaling/v1: [operations](/docs/api-reference/autoscaling/v1/operations.html), [model definitions](/docs/api-reference/autoscaling/v1/definitions.html) +* apps/v1beta1: [operations](/docs/api-reference/apps/v1beta1/operations.html), [model definitions](/docs/api-reference/apps/v1beta1/definitions.html) diff --git a/docs/reference.md b/docs/reference.md index 88f35a74f4..dc1cd2f297 100644 --- a/docs/reference.md +++ b/docs/reference.md @@ -6,7 +6,10 @@ In the reference section, you can find reference documentation for Kubernetes AP ## API References * [Kubernetes API](/docs/api/) - The core API for Kubernetes. -* [Extensions API](/docs/api-reference/extensions/v1beta1/operations/) - Manages extensions resources such as Jobs, Ingress and HorizontalPodAutoscalers. +* [Autoscaling API](/docs/api-reference/autoscaling/v1/operations/) - Manages autoscaling resources such as HorizontalPodAutoscalers. +* [Batch API](/docs/api-reference/batch/v1/operations/) - Manages batch resources such as Jobs. +* [Apps API](/docs/api-reference/apps/v1beta1/operations/) - Manages apps resources such as StatefulSets. +* [Extensions API](/docs/api-reference/extensions/v1beta1/operations/) - Manages extensions resources such as Ingress, Deployments, and ReplicaSets. ## CLI References From 93ffad35f27e17ecd0914e7e2031729790401114 Mon Sep 17 00:00:00 2001 From: "Madhusudan.C.S" Date: Tue, 13 Dec 2016 15:21:12 -0800 Subject: [PATCH 20/63] Fix URL typo and whitespace. --- _data/guides.yml | 2 +- docs/admin/federation/kubefed.md | 13 ++++++------- docs/tools/index.md | 6 ++++++ 3 files changed, 13 insertions(+), 8 deletions(-) diff --git a/_data/guides.yml b/_data/guides.yml index 583deaeedd..933a50fcbc 100644 --- a/_data/guides.yml +++ b/_data/guides.yml @@ -306,6 +306,6 @@ toc: - title: Administering Federation section: - title: Using `kubefed` - path: /docs/admin/federation/kubfed/ + path: /docs/admin/federation/kubefed/ - title: Using `federation-up` and `deploy.sh` path: /docs/admin/federation/ diff --git a/docs/admin/federation/kubefed.md b/docs/admin/federation/kubefed.md index de40263ecb..52d83d3535 100644 --- a/docs/admin/federation/kubefed.md +++ b/docs/admin/federation/kubefed.md @@ -3,6 +3,10 @@ assignees: - madhusudancs --- + +* TOC +{:toc} + Kubernetes version 1.5 includes a new command line tool called `kubefed` to help you administrate your federated clusters. `kubefed` helps you to deploy a new Kubernetes cluster federation @@ -14,11 +18,6 @@ using `kubefed`. > Note: `kubefed` is an alpha feature in Kubernetes 1.5. - -* TOC -{:toc} - - ## Prerequisites This guide assumes that you have a running Kubernetes cluster. Please @@ -61,8 +60,8 @@ The output should contain an entry corresponding to your host cluster, similar to the following: ``` -CURRENT NAME CLUSTER AUTHINFO NAMESPACE - gke_myproject_asia-east1-b_gce-asia-east1 gke_myproject_asia-east1-b_gce-asia-east1 gke_myproject_asia-east1-b_gce-asia-east1 +CURRENT NAME CLUSTER AUTHINFO NAMESPACE + gke_myproject_asia-east1-b_gce-asia-east1 gke_myproject_asia-east1-b_gce-asia-east1 gke_myproject_asia-east1-b_gce-asia-east1 ``` diff --git a/docs/tools/index.md b/docs/tools/index.md index 482df866b4..6b79c323da 100644 --- a/docs/tools/index.md +++ b/docs/tools/index.md @@ -13,6 +13,12 @@ assignees: [`kubectl`](/docs/user-guide/kubectl/) is the command line tool for Kubernetes. It controls the Kubernetes cluster manager. +### Kubefed + +[`kubefed`](/docs/admin/federation/kubefed/) is the command line tool +to help you administrate your federated clusters. + + ### Dashboard [Dashboard](/docs/user-guide/ui/), the web-based user interface of Kubernetes, allows you to deploy containerized applications From 47a75ca01181fccaeeb1e4baefb8e39e88e964de Mon Sep 17 00:00:00 2001 From: Eric Baum Date: Wed, 14 Dec 2016 00:54:21 +0000 Subject: [PATCH 21/63] Minor header change Change "Try Kubernetes" link point to /docs/tutorials/kubernetes-basics/ instead of "Hello Node" Reduce font weight in links across the top. --- _includes/head-header.html | 2 +- _sass/_base.sass | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/_includes/head-header.html b/_includes/head-header.html index 598f6e80fb..bb8d1e7f77 100644 --- a/_includes/head-header.html +++ b/_includes/head-header.html @@ -30,7 +30,7 @@
  • Case Studies
    • - Try Kubernetes + Try Kubernetes
    diff --git a/_sass/_base.sass b/_sass/_base.sass index 7ef5103ff8..27d19a0fd3 100644 --- a/_sass/_base.sass +++ b/_sass/_base.sass @@ -245,7 +245,7 @@ ul.global-nav a color: #fff - font-weight: bold + font-weight: 400 padding: 0 position: relative From f664e4c65a2e5e20f6f37875d551d3084e23976c Mon Sep 17 00:00:00 2001 From: Janet Kuo Date: Wed, 14 Dec 2016 11:21:28 -0800 Subject: [PATCH 22/63] In DaemonSet doc, link to node selection doc instead of repo --- docs/admin/daemons.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/admin/daemons.md b/docs/admin/daemons.md index be3137bc93..bab12268ba 100644 --- a/docs/admin/daemons.md +++ b/docs/admin/daemons.md @@ -74,7 +74,7 @@ a node for testing. If you specify a `.spec.template.spec.nodeSelector`, then the DaemonSet controller will create pods on nodes which match that [node -selector](https://github.com/kubernetes/kubernetes.github.io/tree/{{page.docsbranch}}/docs/user-guide/node-selection). +selector](/docs/user-guide/node-selection/). If you specify a `scheduler.alpha.kubernetes.io/affinity` annotation in `.spec.template.metadata.annotations`, then DaemonSet controller will create pods on nodes which match that [node affinity](../../user-guide/node-selection/#alpha-feature-in-kubernetes-v12-node-affinity). From ae62b9864d9dddbfa51d46a5ad5d252390e1f969 Mon Sep 17 00:00:00 2001 From: Andrew Watson Date: Wed, 14 Dec 2016 15:12:34 -0500 Subject: [PATCH 23/63] Header displayed twice It was displaying the header twice --- docs/user-guide/node-selection/index.md | 2 -- 1 file changed, 2 deletions(-) diff --git a/docs/user-guide/node-selection/index.md b/docs/user-guide/node-selection/index.md index 725848b544..3152cb4e37 100644 --- a/docs/user-guide/node-selection/index.md +++ b/docs/user-guide/node-selection/index.md @@ -5,8 +5,6 @@ assignees: --- -# Constraining pods to run on particular nodes - You can constrain a [pod](/docs/user-guide/pods/) to only be able to run on particular [nodes](/docs/admin/node/) or to prefer to run on particular nodes. There are several ways to do this, and they all use [label selectors](/docs/user-guide/labels/) to make the selection. From e9cf14ffb404d01d3e775e553db395443b201f67 Mon Sep 17 00:00:00 2001 From: Kenneth Owens Date: Wed, 14 Dec 2016 13:56:21 -0800 Subject: [PATCH 24/63] Adds zookeeper example (#1894) * Initial commit * Adds section for cleanup Corrects some spelling errors decapitalizes liveness and readiness * Adds test for zookeeper example * Address enisoc review * Remove space between shell and raw annotation * Remove extranous inserted text * Remove fencing statement * Modify sentence for grammer * refocus to zookeeper with some loss of generality * Spelling, Grammar, DNS link * update to address foxish comments --- _data/tutorials.yml | 4 +- docs/tutorials/index.md | 2 + .../stateful-application/zookeeper.md | 1248 +++++++++++++++++ .../stateful-application/zookeeper.yaml | 164 +++ test/examples_test.go | 8 + 5 files changed, 1425 insertions(+), 1 deletion(-) create mode 100644 docs/tutorials/stateful-application/zookeeper.md create mode 100644 docs/tutorials/stateful-application/zookeeper.yaml diff --git a/_data/tutorials.yml b/_data/tutorials.yml index 41664efa31..82396ca65a 100644 --- a/_data/tutorials.yml +++ b/_data/tutorials.yml @@ -58,4 +58,6 @@ toc: - title: Running a Single-Instance Stateful Application path: /docs/tutorials/stateful-application/run-stateful-application/ - title: Running a Replicated Stateful Application - path: /docs/tutorials/stateful-application/run-replicated-stateful-application/ \ No newline at end of file + path: /docs/tutorials/stateful-application/run-replicated-stateful-application/ + - title: Running ZooKeeper, A CP Distributed System + path: /docs/tutorials/stateful-application/zookeeper/ diff --git a/docs/tutorials/index.md b/docs/tutorials/index.md index 507ca6d8e1..1b52a15e1a 100644 --- a/docs/tutorials/index.md +++ b/docs/tutorials/index.md @@ -26,6 +26,8 @@ each of which has a sequence of steps. * [Running a Replicated Stateful Application](/docs/tutorials/stateful-application/run-replicated-stateful-application/) +* [Running ZooKeeper, A CP Distributed System](/docs/tutorials/stateful-application/zookeeper/) + ### What's next If you would like to write a tutorial, see diff --git a/docs/tutorials/stateful-application/zookeeper.md b/docs/tutorials/stateful-application/zookeeper.md new file mode 100644 index 0000000000..38315cd37a --- /dev/null +++ b/docs/tutorials/stateful-application/zookeeper.md @@ -0,0 +1,1248 @@ +--- +assignees: +- bprashanth +- enisoc +- erictune +- foxish +- janetkuo +- kow3ns +- smarterclayton +--- + +{% capture overview %} +This tutorial demonstrates [Apache Zookeeper](https://zookeeper.apache.org) on +Kubernetes using [StatefulSets](/docs/concepts/abstractions/controllers/statefulsets/), +[PodDisruptionBudgets](/docs/admin/disruptions/#specifying-a-poddisruptionbudget), +and [PodAntiAffinity](/docs/user-guide/node-selection/). +{% endcapture %} + +{% capture prerequisites %} + +Before starting this tutorial, you should be familiar with the following +Kubernetes concepts. + +* [Pods](/docs/user-guide/pods/single-container/) +* [Cluster DNS](/docs/admin/dns/) +* [Headless Services](/docs/user-guide/services/#headless-services) +* [PersistentVolumes](/docs/user-guide/volumes/) +* [PersistentVolume Provisioning](http://releases.k8s.io/{{page.githubbranch}}/examples/experimental/persistent-volume-provisioning/) +* [ConfigMaps](/docs/user-guide/configmap/) +* [StatefulSets](/docs/concepts/abstractions/controllers/statefulsets/) +* [PodDisruptionBudgets](/docs/admin/disruptions/#specifying-a-poddisruptionbudget) +* [PodAntiAffinity](/docs/user-guide/node-selection/) +* [kubectl CLI](/docs/user-guide/kubectl) + +You will require a cluster with at least four nodes, and each node will require +at least 2 CPUs and 4 GiB of memory. In this tutorial you will cordon and +drain the cluster's nodes. **This means that all Pods on the cluster's nodes +will be terminated and evicted, and the nodes will, temporarily, become +unschedulable.** You should use a dedicated cluster for this tutorial, or you +should ensure that the disruption you cause will not interfere with other +tenants. + +This tutorial assumes that your cluster is configured to dynamically provision +PersistentVolumes. If your cluster is not configured to do so, you +will have to manually provision three 20 GiB volumes prior to starting this +tutorial. +{% endcapture %} + +{% capture objectives %} +After this tutorial, you will know the following. + +* How to deploy a ZooKeeper ensemble using StatefulSet. +* How to consistently configure the ensemble using ConfigMaps. +* How to spread the deployment of ZooKeeper servers in the ensemble. +* How to use PodDisruptionBudgets to ensure service availability during planned maintenance. +{% endcapture %} + +{% capture lessoncontent %} + +#### ZooKeeper Basics + +[Apache ZooKeeper](https://zookeeper.apache.org/doc/current/) is a +distributed, open-source coordination service for distributed applications. +ZooKeeper allows you to read, write, and observe updates to data. Data are +organized in a file system like hierarchy and replicated to all ZooKeeper +servers in the ensemble (a set of ZooKeeper servers). All operations on data +are atomic and sequentially consistent. ZooKeeper ensures this by using the +[Zab](https://pdfs.semanticscholar.org/b02c/6b00bd5dbdbd951fddb00b906c82fa80f0b3.pdf) +consensus protocol to replicate a state machine across all servers in the ensemble. + +The ensemble uses the Zab protocol to elect a leader, and +data can not be written until a leader is elected. Once a leader is +elected, the ensemble uses Zab to ensure that all writes are replicated to a +quorum before they are acknowledged and made visible to clients. Without respect +to weighted quorums, a quorum is a majority component of the ensemble containing +the current leader. For instance, if the ensemble has three servers, a component +that contains the leader and one other server constitutes a quorum. If the +ensemble can not achieve a quorum, data can not be written. + +ZooKeeper servers keep their entire state machine in memory, but every mutation +is written to a durable WAL (Write Ahead Log) on storage media. When a server +crashes, it can recover its previous state by replaying the WAL. In order to +prevent the WAL from growing without bound, ZooKeeper servers will periodically +snapshot their in memory state to storage media. These snapshots can be loaded +directly into memory, and all WAL entries that preceded the snapshot may be +safely discarded. + +### Creating a ZooKeeper Ensemble + +The manifest below contains a +[Headless Service](/docs/user-guide/services/#headless-services), +a [ConfigMap](/docs/user-guide/configmap/), +a [PodDisruptionBudget](/docs/admin/disruptions/#specifying-a-poddisruptionbudget), +and a [StatefulSet](/docs/concepts/abstractions/controllers/statefulsets/). + +{% include code.html language="yaml" file="zookeeper.yaml" ghlink="/docs/tutorials/stateful-application/zookeeper.yaml" %} + +Open a command terminal, and use +[`kubectl create`](/docs/user-guide/kubectl/kubectl_create/) to create the +manifest. + +```shell +kubectl create -f http://k8s.io/docs/tutorials/stateful-application/zookeeper.yaml +``` + +This creates the `zk-headless` Headless Service, the `zk-config` ConfigMap, +the `zk-budget` PodDisruptionBudget, and the `zk` StatefulSet. + +```shell +service "zk-headless" created +configmap "zk-config" created +poddisruptionbudget "zk-budget" created +statefulset "zk" created +``` + +Use [`kubectl get`](/docs/user-guide/kubectl/kubectl_get/) to watch the +StatefulSet controller create the StatefulSet's Pods. + +```shell +kubectl get pods -w -l app=zk +``` + +Once the `zk-2` Pod is Running and Ready, use `CRTL-C` to terminate kubectl. + +```shell +NAME READY STATUS RESTARTS AGE +zk-0 0/1 Pending 0 0s +zk-0 0/1 Pending 0 0s +zk-0 0/1 ContainerCreating 0 0s +zk-0 0/1 Running 0 19s +zk-0 1/1 Running 0 40s +zk-1 0/1 Pending 0 0s +zk-1 0/1 Pending 0 0s +zk-1 0/1 ContainerCreating 0 0s +zk-1 0/1 Running 0 18s +zk-1 1/1 Running 0 40s +zk-2 0/1 Pending 0 0s +zk-2 0/1 Pending 0 0s +zk-2 0/1 ContainerCreating 0 0s +zk-2 0/1 Running 0 19s +zk-2 1/1 Running 0 40s +``` + +The StatefulSet controller creates three Pods, and each Pod has a container with +a [ZooKeeper 3.4.9](http://www-us.apache.org/dist/zookeeper/zookeeper-3.4.9/) server. + +#### Facilitating Leader Election + +As there is no terminating algorithm for electing a leader in an anonymous +network, Zab requires explicit membership configuration in order to perform +leader election. Each server in the ensemble needs to have a unique +identifier, all servers need to know the global set of identifiers, and each +identifier needs to be associated with a network address. + +Use [`kubectl exec`](/docs/user-guide/kubectl/kubectl_exec/) to get the hostnames +of the Pods in the `zk` StatefulSet. + +```shell +for i in 0 1 2; do kubectl exec zk-$i -- hostname; done +``` + +The StatefulSet controller provides each Pod with a unique hostname based on its +ordinal index. The hostnames take the form `-`. +As the `replicas` field of the `zk` StatefulSet is set to `3`, the Set's +controller creates three Pods with their hostnames set to `zk-0`, `zk-1`, and +`zk-2`. + +```shell +zk-0 +zk-1 +zk-2 +``` + +The servers in a ZooKeeper ensemble use natural numbers as unique identifiers, and +each server's identifier is stored in a file called `myid` in the server’s +data directory. + +Examine the contents of the `myid` file for each server. + +```shell +for i in 0 1 2; do echo "myid zk-$i";kubectl exec zk-$i -- cat /var/lib/zookeeper/data/myid; done +``` + +As the identifiers are natural numbers and the ordinal indices are non-negative +integers, you can generate an identifier by adding one to the ordinal. + +```shell +myid zk-0 +1 +myid zk-1 +2 +myid zk-2 +3 +``` + +Get the FQDN (Fully Qualified Domain Name) of each Pod in the `zk` StatefulSet. + +```shell +for i in 0 1 2; do kubectl exec zk-$i -- hostname -f; done +``` + +The `zk-headless` Service creates a domain for all of the Pods, +`zk-headless.default.svc.cluster.local`. + +```shell +zk-0.zk-headless.default.svc.cluster.local +zk-1.zk-headless.default.svc.cluster.local +zk-2.zk-headless.default.svc.cluster.local +``` + +The A records in [Kubernetes DNS](/docs/admin/dns/) resolve the FQDNs to the Pods' IP addresses. +If the Pods are rescheduled, the A records will be updated with the Pods' new IP +addresses, but the A record's names will not change. + +ZooKeeper stores its application configuration in a file named `zoo.cfg`. Use +`kubectl exec` to view the contents of the `zoo.cfg` file in the `zk-0` Pod. + +``` +kubectl exec zk-0 -- cat /opt/zookeeper/conf/zoo.cfg +``` + +For the `server.1`, `server.2`, and `server.3` properties at the bottom of +the file, the `1`, `2`, and `3` correspond to the identifiers in the +ZooKeeper servers' `myid` files. They are set to the FQDNs for the Pods in +the `zk` StatefulSet. + +```shell +clientPort=2181 +dataDir=/var/lib/zookeeper/data +dataLogDir=/var/lib/zookeeper/log +tickTime=2000 +initLimit=10 +syncLimit=2000 +maxClientCnxns=60 +minSessionTimeout= 4000 +maxSessionTimeout= 40000 +autopurge.snapRetainCount=3 +autopurge.purgeInteval=0 +server.1=zk-0.zk-headless.default.svc.cluster.local:2888:3888 +server.2=zk-1.zk-headless.default.svc.cluster.local:2888:3888 +server.3=zk-2.zk-headless.default.svc.cluster.local:2888:3888 +``` + +#### Achieving Consensus + +Consensus protocols require that the identifiers of each participant be +unique. No two participants in the Zab protocol should claim the same unique +identifier. This is necessary to allow the processes in the system to agree on +which processes have committed which data. If two Pods were launched with the +same ordinal, two ZooKeeper servers would both identify themselves as the same + server. + +When you created the `zk` StatefulSet, the StatefulSet's controller created +each Pod sequentially, in the order defined by the Pods' ordinal indices, and it +waited for each Pod to be Running and Ready before creating the next Pod. + +```shell +kubectl get pods -w -l app=zk +NAME READY STATUS RESTARTS AGE +zk-0 0/1 Pending 0 0s +zk-0 0/1 Pending 0 0s +zk-0 0/1 ContainerCreating 0 0s +zk-0 0/1 Running 0 19s +zk-0 1/1 Running 0 40s +zk-1 0/1 Pending 0 0s +zk-1 0/1 Pending 0 0s +zk-1 0/1 ContainerCreating 0 0s +zk-1 0/1 Running 0 18s +zk-1 1/1 Running 0 40s +zk-2 0/1 Pending 0 0s +zk-2 0/1 Pending 0 0s +zk-2 0/1 ContainerCreating 0 0s +zk-2 0/1 Running 0 19s +zk-2 1/1 Running 0 40s +``` + +The A records for each Pod are only entered when the Pod becomes Ready. Therefore, +the FQDNs of the ZooKeeper servers will only resolve to a single endpoint, and that +endpoint will be the unique ZooKeeper server claiming the identity configured +in its `myid` file. + +```shell +zk-0.zk-headless.default.svc.cluster.local +zk-1.zk-headless.default.svc.cluster.local +zk-2.zk-headless.default.svc.cluster.local +``` + +This ensures that the `servers` properties in the ZooKeepers' `zoo.cfg` files +represents a correctly configured ensemble. + +```shell +server.1=zk-0.zk-headless.default.svc.cluster.local:2888:3888 +server.2=zk-1.zk-headless.default.svc.cluster.local:2888:3888 +server.3=zk-2.zk-headless.default.svc.cluster.local:2888:3888 +``` + +When the servers use the Zab protocol to attempt to commit a value, they will +either achieve consensus and commit the value (if leader election has succeeded +and at least two of the Pods are Running and Ready), or they will fail to do so +(if either of the aforementioned conditions are not met). No state will arise +where one server acknowledges a write on behalf of another. + +#### Sanity Testing the Ensemble + +The most basic sanity test is to write some data to one ZooKeeper server and +to read the data from another. + +Use the `zkCli.sh` script to write `world` to the path `/hello` on the `zk-0` Pod. + +```shell +kubectl exec zk-0 zkCli.sh create /hello world +``` + +This will write `world` to the `/hello` path in the ensemble. + +```shell +WATCHER:: + +WatchedEvent state:SyncConnected type:None path:null +Created /hello +``` + +Get the data from the `zk-1` Pod. + +```shell +kubectl exec zk-1 zkCli.sh get /hello +``` + +The data that you created on `zk-0` is available on all of the servers in the +ensemble. + +```shell +WATCHER:: + +WatchedEvent state:SyncConnected type:None path:null +world +cZxid = 0x100000002 +ctime = Thu Dec 08 15:13:30 UTC 2016 +mZxid = 0x100000002 +mtime = Thu Dec 08 15:13:30 UTC 2016 +pZxid = 0x100000002 +cversion = 0 +dataVersion = 0 +aclVersion = 0 +ephemeralOwner = 0x0 +dataLength = 5 +numChildren = 0 +``` + +#### Providing Durable Storage + +As mentioned in the [ZooKeeper Basics](#zookeeper-basics) section, +ZooKeeper commits all entries to a durable WAL, and periodically writes snapshots +in memory state, to storage media. Using WALs to provide durability is a common +technique for applications that use consensus protocols to achieve a replicated +state machine and for storage applications in general. + +Use [`kubectl delete`](/docs/user-guide/kubectl/kubectl_delete/) to delete the +`zk` StatefulSet. + +```shell +kubectl delete statefulset zk +statefulset "zk" deleted +``` + +Watch the termination of the Pods in the StatefulSet. + +```shell +get pods -w -l app=zk +``` + +When `zk-0` if fully terminated, use `CRTL-C` to terminate kubectl. + +```shell +zk-2 1/1 Terminating 0 9m +zk-0 1/1 Terminating 0 11m +zk-1 1/1 Terminating 0 10m +zk-2 0/1 Terminating 0 9m +zk-2 0/1 Terminating 0 9m +zk-2 0/1 Terminating 0 9m +zk-1 0/1 Terminating 0 10m +zk-1 0/1 Terminating 0 10m +zk-1 0/1 Terminating 0 10m +zk-0 0/1 Terminating 0 11m +zk-0 0/1 Terminating 0 11m +zk-0 0/1 Terminating 0 11m +``` +Reapply the manifest in `zookeeper.yaml`. + +```shell +kubectl apply -f http://k8s.io/docs/tutorials/stateful-application/zookeeper.yaml +``` + +The `zk` StatefulSet will be created, but, as they already exist, the other API +Objects in the manifest will not be modified. + +```shell +statefulset "zk" created +Error from server (AlreadyExists): error when creating "zookeeper.yaml": services "zk-headless" already exists +Error from server (AlreadyExists): error when creating "zookeeper.yaml": configmaps "zk-config" already exists +Error from server (AlreadyExists): error when creating "zookeeper.yaml": poddisruptionbudgets.policy "zk-budget" already exists +``` + +Watch the StatefulSet controller recreate the StatefulSet's Pods. + +```shell +kubectl get pods -w -l app=zk +``` + +Once the `zk-2` Pod is Running and Ready, use `CRTL-C` to terminate kubectl. + +```shell +NAME READY STATUS RESTARTS AGE +zk-0 0/1 Pending 0 0s +zk-0 0/1 Pending 0 0s +zk-0 0/1 ContainerCreating 0 0s +zk-0 0/1 Running 0 19s +zk-0 1/1 Running 0 40s +zk-1 0/1 Pending 0 0s +zk-1 0/1 Pending 0 0s +zk-1 0/1 ContainerCreating 0 0s +zk-1 0/1 Running 0 18s +zk-1 1/1 Running 0 40s +zk-2 0/1 Pending 0 0s +zk-2 0/1 Pending 0 0s +zk-2 0/1 ContainerCreating 0 0s +zk-2 0/1 Running 0 19s +zk-2 1/1 Running 0 40s +``` + +Get the value you entered during the [sanity test](#sanity-testing-the-ensemble), +from the `zk-2` Pod. + +```shell +kubectl exec zk-2 zkCli.sh get /hello +``` + +Even though all of the Pods in the `zk` StatefulSet have been terminated and +recreated, the ensemble still serves the original value. + +```shell +WATCHER:: + +WatchedEvent state:SyncConnected type:None path:null +world +cZxid = 0x100000002 +ctime = Thu Dec 08 15:13:30 UTC 2016 +mZxid = 0x100000002 +mtime = Thu Dec 08 15:13:30 UTC 2016 +pZxid = 0x100000002 +cversion = 0 +dataVersion = 0 +aclVersion = 0 +ephemeralOwner = 0x0 +dataLength = 5 +numChildren = 0 +``` + +The `volumeClaimTemplates` field, of the `zk` StatefulSet's `spec`, specifies a +PersistentVolume that will be provisioned for each Pod. + +```yaml +volumeClaimTemplates: + - metadata: + name: datadir + annotations: + volume.alpha.kubernetes.io/storage-class: anything + spec: + accessModes: [ "ReadWriteOnce" ] + resources: + requests: + storage: 20Gi +``` + + +The StatefulSet controller generates a PersistentVolumeClaim for each Pod in +the StatefulSet. + +Get the StatefulSet's PersistentVolumeClaims. + +```shell +kubectl get pvc -l app=zk +``` + +When the StatefulSet recreated its Pods, the Pods' PersistentVolumes were +remounted. + +```shell +NAME STATUS VOLUME CAPACITY ACCESSMODES AGE +datadir-zk-0 Bound pvc-bed742cd-bcb1-11e6-994f-42010a800002 20Gi RWO 1h +datadir-zk-1 Bound pvc-bedd27d2-bcb1-11e6-994f-42010a800002 20Gi RWO 1h +datadir-zk-2 Bound pvc-bee0817e-bcb1-11e6-994f-42010a800002 20Gi RWO 1h +``` + +The `volumeMounts` section of the StatefulSet's container `template` causes the +PersistentVolumes to be mounted to the ZooKeeper servers' data directories. + +```shell +volumeMounts: + - name: datadir + mountPath: /var/lib/zookeeper +``` + +When a Pod in the `zk` StatefulSet is (re)scheduled, it will always have the +same PersistentVolume mounted to the ZooKeeper server's data directory. +Even when the Pods are rescheduled, all of the writes made to the ZooKeeper +servers' WALs, and all of their snapshots, remain durable. + +### Ensuring Consistent Configuration + +As noted in the [Facilitating Leader Election](#facilitating-leader-election) and +[Achieving Consensus](#achieving-consensus) sections, the servers in a +ZooKeeper ensemble require consistent configuration in order to elect a leader +and form a quorum. They also require consistent configuration of the Zab protocol +in order for the protocol to work correctly over a network. You can use +ConfigMaps to achieve this. + +Get the `zk-config` ConfigMap. + +```shell + kubectl get cm zk-config -o yaml +apiVersion: v1 +data: + client.cnxns: "60" + ensemble: zk-0;zk-1;zk-2 + init: "10" + jvm.heap: 2G + purge.interval: "0" + snap.retain: "3" + sync: "5" + tick: "2000" +``` + +The `env` field of the `zk` StatefulSet's Pod `template` reads the ConfigMap +into environment variables. These variables are injected into the containers +environment. + +```yaml +env: + - name : ZK_ENSEMBLE + valueFrom: + configMapKeyRef: + name: zk-config + key: ensemble + - name : ZK_HEAP_SIZE + valueFrom: + configMapKeyRef: + name: zk-config + key: jvm.heap + - name : ZK_TICK_TIME + valueFrom: + configMapKeyRef: + name: zk-config + key: tick + - name : ZK_INIT_LIMIT + valueFrom: + configMapKeyRef: + name: zk-config + key: init + - name : ZK_SYNC_LIMIT + valueFrom: + configMapKeyRef: + name: zk-config + key: tick + - name : ZK_MAX_CLIENT_CNXNS + valueFrom: + configMapKeyRef: + name: zk-config + key: client.cnxns + - name: ZK_SNAP_RETAIN_COUNT + valueFrom: + configMapKeyRef: + name: zk-config + key: snap.retain + - name: ZK_PURGE_INTERVAL + valueFrom: + configMapKeyRef: + name: zk-config + key: purge.interval +``` + +The entry point of the container invokes a bash script, `zkConfig.sh`, prior to +launching the ZooKeeper server process. This bash script generates the +ZooKeeper configuration files from the supplied environment variables. + +```yaml + command: + - sh + - -c + - zkGenConfig.sh && zkServer.sh start-foreground +``` + +Examine the environment of all of the Pods in the `zk` StatefulSet. + +```shell +for i in 0 1 2; do kubectl exec zk-$i env | grep ZK_*;echo""; done +``` + +All of the variables populated from `zk-config` contain identical values. This +allows the `zkGenConfig.sh` script to create consistent configurations for all +of the ZooKeeper servers in the ensemble. + +```shell +ZK_ENSEMBLE=zk-0;zk-1;zk-2 +ZK_HEAP_SIZE=2G +ZK_TICK_TIME=2000 +ZK_INIT_LIMIT=10 +ZK_SYNC_LIMIT=2000 +ZK_MAX_CLIENT_CNXNS=60 +ZK_SNAP_RETAIN_COUNT=3 +ZK_PURGE_INTERVAL=0 +ZK_CLIENT_PORT=2181 +ZK_SERVER_PORT=2888 +ZK_ELECTION_PORT=3888 +ZK_USER=zookeeper +ZK_DATA_DIR=/var/lib/zookeeper/data +ZK_DATA_LOG_DIR=/var/lib/zookeeper/log +ZK_LOG_DIR=/var/log/zookeeper + +ZK_ENSEMBLE=zk-0;zk-1;zk-2 +ZK_HEAP_SIZE=2G +ZK_TICK_TIME=2000 +ZK_INIT_LIMIT=10 +ZK_SYNC_LIMIT=2000 +ZK_MAX_CLIENT_CNXNS=60 +ZK_SNAP_RETAIN_COUNT=3 +ZK_PURGE_INTERVAL=0 +ZK_CLIENT_PORT=2181 +ZK_SERVER_PORT=2888 +ZK_ELECTION_PORT=3888 +ZK_USER=zookeeper +ZK_DATA_DIR=/var/lib/zookeeper/data +ZK_DATA_LOG_DIR=/var/lib/zookeeper/log +ZK_LOG_DIR=/var/log/zookeeper + +ZK_ENSEMBLE=zk-0;zk-1;zk-2 +ZK_HEAP_SIZE=2G +ZK_TICK_TIME=2000 +ZK_INIT_LIMIT=10 +ZK_SYNC_LIMIT=2000 +ZK_MAX_CLIENT_CNXNS=60 +ZK_SNAP_RETAIN_COUNT=3 +ZK_PURGE_INTERVAL=0 +ZK_CLIENT_PORT=2181 +ZK_SERVER_PORT=2888 +ZK_ELECTION_PORT=3888 +ZK_USER=zookeeper +ZK_DATA_DIR=/var/lib/zookeeper/data +ZK_DATA_LOG_DIR=/var/lib/zookeeper/log +ZK_LOG_DIR=/var/log/zookeeper +``` + +#### Configuring Logging + +One of the files generated by the `zkConfigGen.sh` script controls ZooKeeper's logging. +ZooKeeper uses [Log4j](http://logging.apache.org/log4j/2.x/), and, by default, +it uses a time and size based rolling file appender for its logging configuration. +Get the logging configuration from one of Pods in the `zk` StatefulSet. + +```shell +kubectl exec zk-0 cat /usr/etc/zookeeper/log4j.properties +``` + +The logging configuration below will cause the ZooKeeper process to write all +of its logs to the standard output file stream. + +```shell +zookeeper.root.logger=CONSOLE +zookeeper.console.threshold=INFO +log4j.rootLogger=${zookeeper.root.logger} +log4j.appender.CONSOLE=org.apache.log4j.ConsoleAppender +log4j.appender.CONSOLE.Threshold=${zookeeper.console.threshold} +log4j.appender.CONSOLE.layout=org.apache.log4j.PatternLayout +log4j.appender.CONSOLE.layout.ConversionPattern=%d{ISO8601} [myid:%X{myid}] - %-5p [%t:%C{1}@%L] - %m%n +``` + +This is the simplest possible way to safely log inside the container. As the +application's logs are being written to standard out, Kubernetes will handle +log rotation for you. Kubernetes also implements a sane retention policy that +ensures application logs written to standard out and standard error do not +exhaust local storage media. + +Use [`kubectl logs`](/docs/user-guide/kubectl/kubectl_logs/) to retrieve the last +few log lines from one of the Pods. + +```shell +kubectl logs zk-0 --tail 20 +``` + +Application logs that are written to standard out or standard error are viewable +using `kubectl logs` and from the Kubernetes Dashboard. + +```shell +2016-12-06 19:34:16,236 [myid:1] - INFO [NIOServerCxn.Factory:0.0.0.0/0.0.0.0:2181:NIOServerCnxn@827] - Processing ruok command from /127.0.0.1:52740 +2016-12-06 19:34:16,237 [myid:1] - INFO [Thread-1136:NIOServerCnxn@1008] - Closed socket connection for client /127.0.0.1:52740 (no session established for client) +2016-12-06 19:34:26,155 [myid:1] - INFO [NIOServerCxn.Factory:0.0.0.0/0.0.0.0:2181:NIOServerCnxnFactory@192] - Accepted socket connection from /127.0.0.1:52749 +2016-12-06 19:34:26,155 [myid:1] - INFO [NIOServerCxn.Factory:0.0.0.0/0.0.0.0:2181:NIOServerCnxn@827] - Processing ruok command from /127.0.0.1:52749 +2016-12-06 19:34:26,156 [myid:1] - INFO [Thread-1137:NIOServerCnxn@1008] - Closed socket connection for client /127.0.0.1:52749 (no session established for client) +2016-12-06 19:34:26,222 [myid:1] - INFO [NIOServerCxn.Factory:0.0.0.0/0.0.0.0:2181:NIOServerCnxnFactory@192] - Accepted socket connection from /127.0.0.1:52750 +2016-12-06 19:34:26,222 [myid:1] - INFO [NIOServerCxn.Factory:0.0.0.0/0.0.0.0:2181:NIOServerCnxn@827] - Processing ruok command from /127.0.0.1:52750 +2016-12-06 19:34:26,226 [myid:1] - INFO [Thread-1138:NIOServerCnxn@1008] - Closed socket connection for client /127.0.0.1:52750 (no session established for client) +2016-12-06 19:34:36,151 [myid:1] - INFO [NIOServerCxn.Factory:0.0.0.0/0.0.0.0:2181:NIOServerCnxnFactory@192] - Accepted socket connection from /127.0.0.1:52760 +2016-12-06 19:34:36,152 [myid:1] - INFO [NIOServerCxn.Factory:0.0.0.0/0.0.0.0:2181:NIOServerCnxn@827] - Processing ruok command from /127.0.0.1:52760 +2016-12-06 19:34:36,152 [myid:1] - INFO [Thread-1139:NIOServerCnxn@1008] - Closed socket connection for client /127.0.0.1:52760 (no session established for client) +2016-12-06 19:34:36,230 [myid:1] - INFO [NIOServerCxn.Factory:0.0.0.0/0.0.0.0:2181:NIOServerCnxnFactory@192] - Accepted socket connection from /127.0.0.1:52761 +2016-12-06 19:34:36,231 [myid:1] - INFO [NIOServerCxn.Factory:0.0.0.0/0.0.0.0:2181:NIOServerCnxn@827] - Processing ruok command from /127.0.0.1:52761 +2016-12-06 19:34:36,231 [myid:1] - INFO [Thread-1140:NIOServerCnxn@1008] - Closed socket connection for client /127.0.0.1:52761 (no session established for client) +2016-12-06 19:34:46,149 [myid:1] - INFO [NIOServerCxn.Factory:0.0.0.0/0.0.0.0:2181:NIOServerCnxnFactory@192] - Accepted socket connection from /127.0.0.1:52767 +2016-12-06 19:34:46,149 [myid:1] - INFO [NIOServerCxn.Factory:0.0.0.0/0.0.0.0:2181:NIOServerCnxn@827] - Processing ruok command from /127.0.0.1:52767 +2016-12-06 19:34:46,149 [myid:1] - INFO [Thread-1141:NIOServerCnxn@1008] - Closed socket connection for client /127.0.0.1:52767 (no session established for client) +2016-12-06 19:34:46,230 [myid:1] - INFO [NIOServerCxn.Factory:0.0.0.0/0.0.0.0:2181:NIOServerCnxnFactory@192] - Accepted socket connection from /127.0.0.1:52768 +2016-12-06 19:34:46,230 [myid:1] - INFO [NIOServerCxn.Factory:0.0.0.0/0.0.0.0:2181:NIOServerCnxn@827] - Processing ruok command from /127.0.0.1:52768 +2016-12-06 19:34:46,230 [myid:1] - INFO [Thread-1142:NIOServerCnxn@1008] - Closed socket connection for client /127.0.0.1:52768 (no session established for client) +``` + +Kubernetes also supports more powerful, but more complex, logging integrations +with [Google Cloud Logging](https://github.com/kubernetes/contrib/blob/master/logging/fluentd-sidecar-gcp/README.md) +and [ELK](https://github.com/kubernetes/contrib/blob/master/logging/fluentd-sidecar-es/README.md). +For cluster level log shipping and aggregation, you should consider deploying a +[sidecar](http://blog.kubernetes.io/2015/06/the-distributed-system-toolkit-patterns.html) +container to rotate and ship your logs. + +#### Configuring a Non-Privileged User + +The best practices with respect to allowing an application to run as a privileged +user inside of a container are a matter of debate. If your organization requires +that applications be run as a non-privileged user you can use a +[SecurityContext](/docs/user-guide/security-context/) to control the user that +the entry point runs as. + +The `zk` StatefulSet's Pod `template` contains a SecurityContext. + +```yaml +securityContext: + runAsUser: 1000 + fsGroup: 1000 +``` + +In the Pods' containers, UID 1000 corresponds to the zookeeper user and GID 1000 +corresponds to the zookeeper group. + +Get the ZooKeeper process information from the `zk-0` Pod. + +```shell +kubectl exec zk-0 -- ps -elf +``` + +As the `runAsUser` field of the `securityContext` object is set to 1000, +instead of running as root, the ZooKeeper process runs as the zookeeper user. + +```shell +F S UID PID PPID C PRI NI ADDR SZ WCHAN STIME TTY TIME CMD +4 S zookeep+ 1 0 0 80 0 - 1127 - 20:46 ? 00:00:00 sh -c zkGenConfig.sh && zkServer.sh start-foreground +0 S zookeep+ 27 1 0 80 0 - 1155556 - 20:46 ? 00:00:19 /usr/lib/jvm/java-8-openjdk-amd64/bin/java -Dzookeeper.log.dir=/var/log/zookeeper -Dzookeeper.root.logger=INFO,CONSOLE -cp /usr/bin/../build/classes:/usr/bin/../build/lib/*.jar:/usr/bin/../share/zookeeper/zookeeper-3.4.9.jar:/usr/bin/../share/zookeeper/slf4j-log4j12-1.6.1.jar:/usr/bin/../share/zookeeper/slf4j-api-1.6.1.jar:/usr/bin/../share/zookeeper/netty-3.10.5.Final.jar:/usr/bin/../share/zookeeper/log4j-1.2.16.jar:/usr/bin/../share/zookeeper/jline-0.9.94.jar:/usr/bin/../src/java/lib/*.jar:/usr/bin/../etc/zookeeper: -Xmx2G -Xms2G -Dcom.sun.management.jmxremote -Dcom.sun.management.jmxremote.local.only=false org.apache.zookeeper.server.quorum.QuorumPeerMain /usr/bin/../etc/zookeeper/zoo.cfg +``` + +By default, when the Pod's PersistentVolume is mounted to the ZooKeeper server's +data directory, it is only accessible by the root user. This configuration +prevents the ZooKeeper process from writing to its WAL and storing its snapshots. + +Get the file permissions of the ZooKeeper data directory on the `zk-0` Pod. + +```shell +kubectl exec -ti zk-0 -- ls -ld /var/lib/zookeeper/data +``` + +As the `fsGroup` field of the `securityContext` object is set to 1000, +the ownership of the Pods' PersistentVolumes is set to the zookeeper group, +and the ZooKeeper process is able to successfully read and write its data. + +```shell +drwxr-sr-x 3 zookeeper zookeeper 4096 Dec 5 20:45 /var/lib/zookeeper/data +``` + +### Managing the ZooKeeper Process + +The [ZooKeeper documentation](https://zookeeper.apache.org/doc/current/zookeeperAdmin.html#sc_supervision) +documentation indicates that "You will want to have a supervisory process that +manages each of your ZooKeeper server processes (JVM)." Utilizing a watchdog +(supervisory process) to restart failed processes in a distributed system is a +common pattern. When deploying an application in Kubernetes, rather than using +an external utility as a supervisory process, you should use Kubernetes as the +watchdog for your application. + +#### Handling Process Failure + + +[Restart Policies](/docs/user-guide/pod-states/#restartpolicy) control how +Kubernetes handles process failures for the entry point of the container in a Pod. +For Pods in a StatefulSet, the only appropriate RestartPolicy is Always, and this +is the default value. For stateful applications you should **never** override +the default policy. + + +Examine the process tree for the ZooKeeper server running in the `zk-0` Pod. + +```shell +kubectl exec zk-0 -- ps -ef +``` + +The command used as the container's entry point has PID 1, and the +the ZooKeeper process, a child of the entry point, has PID 23. + + +``` +UID PID PPID C STIME TTY TIME CMD +zookeep+ 1 0 0 15:03 ? 00:00:00 sh -c zkGenConfig.sh && zkServer.sh start-foreground +zookeep+ 27 1 0 15:03 ? 00:00:03 /usr/lib/jvm/java-8-openjdk-amd64/bin/java -Dzookeeper.log.dir=/var/log/zookeeper -Dzookeeper.root.logger=INFO,CONSOLE -cp /usr/bin/../build/classes:/usr/bin/../build/lib/*.jar:/usr/bin/../share/zookeeper/zookeeper-3.4.9.jar:/usr/bin/../share/zookeeper/slf4j-log4j12-1.6.1.jar:/usr/bin/../share/zookeeper/slf4j-api-1.6.1.jar:/usr/bin/../share/zookeeper/netty-3.10.5.Final.jar:/usr/bin/../share/zookeeper/log4j-1.2.16.jar:/usr/bin/../share/zookeeper/jline-0.9.94.jar:/usr/bin/../src/java/lib/*.jar:/usr/bin/../etc/zookeeper: -Xmx2G -Xms2G -Dcom.sun.management.jmxremote -Dcom.sun.management.jmxremote.local.only=false org.apache.zookeeper.server.quorum.QuorumPeerMain /usr/bin/../etc/zookeeper/zoo.cfg +``` + + +In one terminal watch the Pods in the `zk` StatefulSet. + +```shell +kubectl get pod -w -l app=zk +``` + + +In another terminal, kill the ZooKeeper process in Pod `zk-0`. + +```shell + kubectl exec zk-0 -- pkill java +``` + + +The death of the ZooKeeper process caused its parent process to terminate. As +the RestartPolicy of the container is Always, the parent process was relaunched. + + +```shell +NAME READY STATUS RESTARTS AGE +zk-0 1/1 Running 0 21m +zk-1 1/1 Running 0 20m +zk-2 1/1 Running 0 19m +NAME READY STATUS RESTARTS AGE +zk-0 0/1 Error 0 29m +zk-0 0/1 Running 1 29m +zk-0 1/1 Running 1 29m +``` + + +If your application uses a script (such as zkServer.sh) to launch the process +that implements the application's business logic, the script must terminate with the +child process. This ensures that Kubernetes will restart the application's +container when the process implementing the application's business logic fails. + + +#### Testing for Liveness + + +Configuring your application to restart failed processes is not sufficient to +keep a distributed system healthy. There are many scenarios where +a system's processes can be both alive and unresponsive, or otherwise +unhealthy. You should use liveness probes in order to notify Kubernetes +that your application's processes are unhealthy and should be restarted. + + +The Pod `template` for the `zk` StatefulSet specifies a liveness probe. + + +```yaml + livenessProbe: + exec: + command: + - "zkOk.sh" + initialDelaySeconds: 15 + timeoutSeconds: 5 +``` + + +The probe calls a simple bash script that uses the ZooKeeper `ruok` four letter +word to test the server's health. + + +```bash +ZK_CLIENT_PORT=${ZK_CLIENT_PORT:-2181} +OK=$(echo ruok | nc 127.0.0.1 $ZK_CLIENT_PORT) +if [ "$OK" == "imok" ]; then + exit 0 +else + exit 1 +fi +``` + + +In one terminal window, watch the Pods in the `zk` StatefulSet. + + +```shell +kubectl get pod -w -l app=zk +``` + + +In another window, delete the `zkOk.sh` script from the file system of Pod `zk-0`. + + +```shell +kubectl exec zk-0 -- rm /opt/zookeeper/bin/zkOk.sh +``` + + +When the liveness probe for the ZooKeeper process fails, Kubernetes will +automatically restart the process for you, ensuring that unhealthy processes in +the ensemble are restarted. + + +```shell +kubectl get pod -w -l app=zk +NAME READY STATUS RESTARTS AGE +zk-0 1/1 Running 0 1h +zk-1 1/1 Running 0 1h +zk-2 1/1 Running 0 1h +NAME READY STATUS RESTARTS AGE +zk-0 0/1 Running 0 1h +zk-0 0/1 Running 1 1h +zk-0 1/1 Running 1 1h +``` + + +#### Testing for Readiness + + +Readiness is not the same as liveness. If a process is alive, it is scheduled +and healthy. If a process is ready, it is able to process input. Liveness is +a necessary, but not sufficient, condition for readiness. There are many cases, +particularly during initialization and termination, when a process can be +alive but not ready. + + +If you specify a readiness probe, Kubernetes will ensure that your application's +processes will not receive network traffic until their readiness checks pass. + + +For a ZooKeeper server, liveness implies readiness. Therefore, the readiness +probe from the `zookeeper.yaml` manifest is identical to the liveness probe. + + +```yaml + readinessProbe: + exec: + command: + - "zkOk.sh" + initialDelaySeconds: 15 + timeoutSeconds: 5 +``` + + +Even though the liveness and readiness probes are identical, it is important +to specify both. This ensures that only healthy servers in the ZooKeeper +ensemble receive network traffic. + + +### Tolerating Node Failure + +ZooKeeper needs a quorum of servers in order to successfully commit mutations +to data. For a three server ensemble, two servers must be healthy in order for +writes to succeed. In quorum based systems, members are deployed across failure +domains to ensure availability. In order to avoid an outage, due to the loss of an +individual machine, best practices preclude co-locating multiple instances of the +application on the same machine. + +By default, Kubernetes may co-locate Pods in a StatefulSet on the same node. +For the three server ensemble you created, if two servers reside on the same +node, and that node fails, the clients of your ZooKeeper service will experience +an outage until at least one of the Pods can be rescheduled. + +You should always provision additional capacity to allow the processes of critical +systems to be rescheduled in the event of node failures. If you do so, then the +outage will only last until the Kubernetes scheduler reschedules one of the ZooKeeper +servers. However, if you want your service to tolerate node failures with no downtime, +you should use a `PodAntiAffinity` annotation. + +Get the nodes for Pods in the `zk` Stateful Set. + +```shell{% raw %} +for i in 0 1 2; do kubectl get pod zk-$i --template {{.spec.nodeName}}; echo ""; done +``` {% endraw %} + +All of the Pods in the `zk` StatefulSet are deployed on different nodes. + +```shell +kubernetes-minion-group-cxpk +kubernetes-minion-group-a5aq +kubernetes-minion-group-2g2d +``` + +This is because the Pods in the `zk` StatefulSet contain a +[PodAntiAffinity](/docs/user-guide/node-selection/) annotation. + +```yaml +scheduler.alpha.kubernetes.io/affinity: > + { + "podAntiAffinity": { + "requiredDuringSchedulingRequiredDuringExecution": [{ + "labelSelector": { + "matchExpressions": [{ + "key": "app", + "operator": "In", + "values": ["zk-headless"] + }] + }, + "topologyKey": "kubernetes.io/hostname" + }] + } + } +``` + +The `requiredDuringSchedulingRequiredDuringExecution` field tells the +Kubernetes Scheduler that it should never co-locate two Pods from the `zk-headless` +Service in the domain defined by the `topologyKey`. The `topologyKey` +`kubernetes.io/hostname` indicates that the domain is an individual node. Using +different rules, labels, and selectors, you can extend this technique to spread +your ensemble across physical, network, and power failure domains. + +### Surviving Maintenance + +**In this section you will cordon and drain nodes. If you are using this tutorial +on a shared cluster, be sure that this will not adversely affect other tenants.** + +The previous section showed you how to spread your Pods across nodes to survive +unplanned node failures, but you also need to plan for temporary node failures +that occur due to planned maintenance. + +Get the nodes in your cluster. + +```shell +kubectl get nodes +``` + +Use [`kubectl cordon`](/docs/user-guide/kubectl/kubectl_cordon/) to +cordon all but four of the nodes in your cluster. + +```shell{% raw %} +kubectl cordon < node name > +```{% endraw %} + +Get the `zk-budget` PodDisruptionBudget. + +```shell +kubectl get poddisruptionbudget zk-budget +``` + +The `min-available` field indicates to Kubernetes that at least two Pods from +`zk` StatefulSet must be available at any time. + +```yaml +NAME MIN-AVAILABLE ALLOWED-DISRUPTIONS AGE +zk-budget 2 1 1h + +``` + +In one terminal, watch the Pods in the `zk` StatefulSet. + +```shell +kubectl get pods -w -l app=zk +``` + +In another terminal, get the nodes that the Pods are currently scheduled on. + +```shell{% raw %} +for i in 0 1 2; do kubectl get pod zk-$i --template {{.spec.nodeName}}; echo ""; done +kubernetes-minion-group-pb41 +kubernetes-minion-group-ixsl +kubernetes-minion-group-i4c4 +{% endraw %}``` + +Use [`kubectl drain`](/docs/user-guide/kubectl/kubectl_drain/) to cordon and +drain the node on which the `zk-0` Pod is scheduled. + +```shell {% raw %} +kubectl drain $(kubectl get pod zk-0 --template {{.spec.nodeName}}) --ignore-daemonsets --force --delete-local-data +WARNING: Deleting pods not managed by ReplicationController, ReplicaSet, Job, or DaemonSet: fluentd-cloud-logging-kubernetes-minion-group-pb41, kube-proxy-kubernetes-minion-group-pb41; Ignoring DaemonSet-managed pods: node-problem-detector-v0.1-o5elz +pod "zk-0" deleted +node "kubernetes-minion-group-pb41" drained +{% endraw %}``` + +As there are four nodes in your cluster, `kubectl drain`, succeeds and the +`zk-0` is rescheduled to another node. + +``` +NAME READY STATUS RESTARTS AGE +zk-0 1/1 Running 2 1h +zk-1 1/1 Running 0 1h +zk-2 1/1 Running 0 1h +NAME READY STATUS RESTARTS AGE +zk-0 1/1 Terminating 2 2h +zk-0 0/1 Terminating 2 2h +zk-0 0/1 Terminating 2 2h +zk-0 0/1 Terminating 2 2h +zk-0 0/1 Pending 0 0s +zk-0 0/1 Pending 0 0s +zk-0 0/1 ContainerCreating 0 0s +zk-0 0/1 Running 0 51s +zk-0 1/1 Running 0 1m +``` + +Keep watching the StatefulSet's Pods in the first terminal and drain the node on which +`zk-1` is scheduled. + +```shell{% raw %} +kubectl drain $(kubectl get pod zk-1 --template {{.spec.nodeName}}) --ignore-daemonsets --force --delete-local-data "kubernetes-minion-group-ixsl" cordoned +WARNING: Deleting pods not managed by ReplicationController, ReplicaSet, Job, or DaemonSet: fluentd-cloud-logging-kubernetes-minion-group-ixsl, kube-proxy-kubernetes-minion-group-ixsl; Ignoring DaemonSet-managed pods: node-problem-detector-v0.1-voc74 +pod "zk-1" deleted +node "kubernetes-minion-group-ixsl" drained +{% endraw %}``` + +The `zk-1` Pod can not be scheduled. As the `zk` StatefulSet contains a +`PodAntiAffinity` annotation preventing co-location of the Pods, and as only +two nodes are schedulable, the Pod will remain in a Pending state. + +```shell +kubectl get pods -w -l app=zk +NAME READY STATUS RESTARTS AGE +zk-0 1/1 Running 2 1h +zk-1 1/1 Running 0 1h +zk-2 1/1 Running 0 1h +NAME READY STATUS RESTARTS AGE +zk-0 1/1 Terminating 2 2h +zk-0 0/1 Terminating 2 2h +zk-0 0/1 Terminating 2 2h +zk-0 0/1 Terminating 2 2h +zk-0 0/1 Pending 0 0s +zk-0 0/1 Pending 0 0s +zk-0 0/1 ContainerCreating 0 0s +zk-0 0/1 Running 0 51s +zk-0 1/1 Running 0 1m +zk-1 1/1 Terminating 0 2h +zk-1 0/1 Terminating 0 2h +zk-1 0/1 Terminating 0 2h +zk-1 0/1 Terminating 0 2h +zk-1 0/1 Pending 0 0s +zk-1 0/1 Pending 0 0s +``` + +Continue to watch the Pods of the stateful set, and drain the node on which +`zk-2` is scheduled. + +```shell{% raw %} +kubectl drain $(kubectl get pod zk-2 --template {{.spec.nodeName}}) --ignore-daemonsets --force --delete-local-data +node "kubernetes-minion-group-i4c4" cordoned +WARNING: Deleting pods not managed by ReplicationController, ReplicaSet, Job, or DaemonSet: fluentd-cloud-logging-kubernetes-minion-group-i4c4, kube-proxy-kubernetes-minion-group-i4c4; Ignoring DaemonSet-managed pods: node-problem-detector-v0.1-dyrog +WARNING: Ignoring DaemonSet-managed pods: node-problem-detector-v0.1-dyrog; Deleting pods not managed by ReplicationController, ReplicaSet, Job, or DaemonSet: fluentd-cloud-logging-kubernetes-minion-group-i4c4, kube-proxy-kubernetes-minion-group-i4c4 +There are pending pods when an error occurred: Cannot evict pod as it would violate the pod's disruption budget. +pod/zk-2 +{% endraw %}``` + +Use `CRTL-C` to terminate to kubectl. + +You can not drain the third node because evicting `zk-2` would violate `zk-budget`. However, +the node will remain cordoned. + +Use `zkCli.sh` to retrieve the value you entered during the sanity test from `zk-0`. + +```shell +kubectl exec zk-0 zkCli.sh get /hello +``` + +The service is still available because its PodDisruptionBudget is respected. + +``` +WatchedEvent state:SyncConnected type:None path:null +world +cZxid = 0x200000002 +ctime = Wed Dec 07 00:08:59 UTC 2016 +mZxid = 0x200000002 +mtime = Wed Dec 07 00:08:59 UTC 2016 +pZxid = 0x200000002 +cversion = 0 +dataVersion = 0 +aclVersion = 0 +ephemeralOwner = 0x0 +dataLength = 5 +numChildren = 0 +``` + +Use [`kubectl uncordon`](/docs/user-guide/kubectl/kubectl_uncordon/) to uncordon the first node. + +```shell +kubectl uncordon kubernetes-minion-group-pb41 +node "kubernetes-minion-group-pb41" uncordoned +``` + +`zk-1` is rescheduled on this node. Wait until `zk-1` is Running and Ready. + +```shell +kubectl get pods -w -l app=zk +NAME READY STATUS RESTARTS AGE +zk-0 1/1 Running 2 1h +zk-1 1/1 Running 0 1h +zk-2 1/1 Running 0 1h +NAME READY STATUS RESTARTS AGE +zk-0 1/1 Terminating 2 2h +zk-0 0/1 Terminating 2 2h +zk-0 0/1 Terminating 2 2h +zk-0 0/1 Terminating 2 2h +zk-0 0/1 Pending 0 0s +zk-0 0/1 Pending 0 0s +zk-0 0/1 ContainerCreating 0 0s +zk-0 0/1 Running 0 51s +zk-0 1/1 Running 0 1m +zk-1 1/1 Terminating 0 2h +zk-1 0/1 Terminating 0 2h +zk-1 0/1 Terminating 0 2h +zk-1 0/1 Terminating 0 2h +zk-1 0/1 Pending 0 0s +zk-1 0/1 Pending 0 0s +zk-1 0/1 Pending 0 12m +zk-1 0/1 ContainerCreating 0 12m +zk-1 0/1 Running 0 13m +zk-1 1/1 Running 0 13m +``` + +Attempt to drain the node on which `zk-2` is scheduled. + +```shell{% raw %} +kubectl drain $(kubectl get pod zk-2 --template {{.spec.nodeName}}) --ignore-daemonsets --force --delete-local-data +node "kubernetes-minion-group-i4c4" already cordoned +WARNING: Deleting pods not managed by ReplicationController, ReplicaSet, Job, or DaemonSet: fluentd-cloud-logging-kubernetes-minion-group-i4c4, kube-proxy-kubernetes-minion-group-i4c4; Ignoring DaemonSet-managed pods: node-problem-detector-v0.1-dyrog +pod "heapster-v1.2.0-2604621511-wht1r" deleted +pod "zk-2" deleted +node "kubernetes-minion-group-i4c4" drained +{% endraw %}``` + +This time `kubectl drain` succeeds. + +Uncordon the second node to allow `zk-2` to be rescheduled. + +```shell +kubectl uncordon kubernetes-minion-group-ixsl +node "kubernetes-minion-group-ixsl" uncordoned +``` + +You can use `kubectl drain` in conjunction with PodDisruptionBudgets to ensure that your service +remains available during maintenance. If drain is used to cordon nodes and evict pods prior to +taking the node offline for maintenance, services that express a disruption budget will have that +budget respected. You should always allocate additional capacity for critical services so that +their Pods can be immediately rescheduled. + +{% endcapture %} + +{% capture cleanup %} +* Use `kubectl uncordon` to uncordon all the nodes in your cluster. +* You will need to delete the persistent storage media for the PersistentVolumes +used in this tutorial. Follow the necessary steps, based on your environment, +storage configuration, and provisioning method, to ensure that all storage is +reclaimed. +{% endcapture %} +{% include templates/tutorial.md %} diff --git a/docs/tutorials/stateful-application/zookeeper.yaml b/docs/tutorials/stateful-application/zookeeper.yaml new file mode 100644 index 0000000000..75c4220576 --- /dev/null +++ b/docs/tutorials/stateful-application/zookeeper.yaml @@ -0,0 +1,164 @@ +--- +apiVersion: v1 +kind: Service +metadata: + name: zk-headless + labels: + app: zk-headless +spec: + ports: + - port: 2888 + name: server + - port: 3888 + name: leader-election + clusterIP: None + selector: + app: zk +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: zk-config +data: + ensemble: "zk-0;zk-1;zk-2" + jvm.heap: "2G" + tick: "2000" + init: "10" + sync: "5" + client.cnxns: "60" + snap.retain: "3" + purge.interval: "1" +--- +apiVersion: policy/v1beta1 +kind: PodDisruptionBudget +metadata: + name: zk-budget +spec: + selector: + matchLabels: + app: zk + minAvailable: 2 +--- +apiVersion: apps/v1beta1 +kind: StatefulSet +metadata: + name: zk +spec: + serviceName: zk-headless + replicas: 3 + template: + metadata: + labels: + app: zk + annotations: + pod.alpha.kubernetes.io/initialized: "true" + scheduler.alpha.kubernetes.io/affinity: > + { + "podAntiAffinity": { + "requiredDuringSchedulingRequiredDuringExecution": [{ + "labelSelector": { + "matchExpressions": [{ + "key": "app", + "operator": "In", + "values": ["zk-headless"] + }] + }, + "topologyKey": "kubernetes.io/hostname" + }] + } + } + spec: + containers: + - name: k8szk + imagePullPolicy: Always + image: gcr.io/google_samples/k8szk:v1 + resources: + requests: + memory: "4Gi" + cpu: "1" + ports: + - containerPort: 2181 + name: client + - containerPort: 2888 + name: server + - containerPort: 3888 + name: leader-election + env: + - name : ZK_ENSEMBLE + valueFrom: + configMapKeyRef: + name: zk-config + key: ensemble + - name : ZK_HEAP_SIZE + valueFrom: + configMapKeyRef: + name: zk-config + key: jvm.heap + - name : ZK_TICK_TIME + valueFrom: + configMapKeyRef: + name: zk-config + key: tick + - name : ZK_INIT_LIMIT + valueFrom: + configMapKeyRef: + name: zk-config + key: init + - name : ZK_SYNC_LIMIT + valueFrom: + configMapKeyRef: + name: zk-config + key: tick + - name : ZK_MAX_CLIENT_CNXNS + valueFrom: + configMapKeyRef: + name: zk-config + key: client.cnxns + - name: ZK_SNAP_RETAIN_COUNT + valueFrom: + configMapKeyRef: + name: zk-config + key: snap.retain + - name: ZK_PURGE_INTERVAL + valueFrom: + configMapKeyRef: + name: zk-config + key: purge.interval + - name: ZK_CLIENT_PORT + value: "2181" + - name: ZK_SERVER_PORT + value: "2888" + - name: ZK_ELECTION_PORT + value: "3888" + command: + - sh + - -c + - zkGenConfig.sh && zkServer.sh start-foreground + readinessProbe: + exec: + command: + - "zkOk.sh" + initialDelaySeconds: 15 + timeoutSeconds: 5 + livenessProbe: + exec: + command: + - "zkOk.sh" + initialDelaySeconds: 15 + timeoutSeconds: 5 + volumeMounts: + - name: datadir + mountPath: /var/lib/zookeeper + securityContext: + runAsUser: 1000 + fsGroup: 1000 + volumeClaimTemplates: + - metadata: + name: datadir + annotations: + volume.alpha.kubernetes.io/storage-class: anything + spec: + accessModes: [ "ReadWriteOnce" ] + resources: + requests: + storage: 20Gi diff --git a/test/examples_test.go b/test/examples_test.go index cb876db9ec..22e71c8bb0 100644 --- a/test/examples_test.go +++ b/test/examples_test.go @@ -38,6 +38,8 @@ import ( "k8s.io/kubernetes/pkg/apis/extensions" expvalidation "k8s.io/kubernetes/pkg/apis/extensions/validation" "k8s.io/kubernetes/pkg/capabilities" + "k8s.io/kubernetes/pkg/apis/policy" + policyvalidation "k8s.io/kubernetes/pkg/apis/policy/validation" "k8s.io/kubernetes/pkg/registry/batch/job" "k8s.io/kubernetes/pkg/runtime" "k8s.io/kubernetes/pkg/types" @@ -147,6 +149,11 @@ func validateObject(obj runtime.Object) (errors field.ErrorList) { t.Namespace = api.NamespaceDefault } errors = apps_validation.ValidateStatefulSet(t) + case *policy.PodDisruptionBudget: + if t.Namespace == "" { + t.Namespace = api.NamespaceDefault + } + errors = policyvalidation.ValidatePodDisruptionBudget(t) default: errors = field.ErrorList{} errors = append(errors, field.InternalError(field.NewPath(""), fmt.Errorf("no validation defined for %#v", obj))) @@ -323,6 +330,7 @@ func TestExampleObjectSchemas(t *testing.T) { "mysql-configmap": {&api.ConfigMap{}}, "mysql-statefulset": {&apps.StatefulSet{}}, "web": {&api.Service{}, &apps.StatefulSet{}}, + "zookeeper": {&api.Service{}, &api.ConfigMap{}, &policy.PodDisruptionBudget{}, &apps.StatefulSet{}}, }, } From a3a3c2fd80ed9f7dd17e40528385b1573856d290 Mon Sep 17 00:00:00 2001 From: "Madhusudan.C.S" Date: Wed, 14 Dec 2016 14:51:55 -0800 Subject: [PATCH 25/63] Removed backticks from the left nav entries. --- _data/guides.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/_data/guides.yml b/_data/guides.yml index 933a50fcbc..cd685afd5a 100644 --- a/_data/guides.yml +++ b/_data/guides.yml @@ -305,7 +305,7 @@ toc: - title: Administering Federation section: - - title: Using `kubefed` + - title: Using kubefed path: /docs/admin/federation/kubefed/ - - title: Using `federation-up` and `deploy.sh` + - title: Using federation-up and deploy.sh path: /docs/admin/federation/ From a1dededa56d75a1919c6af33377946ef03f48eda Mon Sep 17 00:00:00 2001 From: Jimmy Cuadra Date: Wed, 14 Dec 2016 15:52:22 -0800 Subject: [PATCH 26/63] Fix the formatting of bullet lists on the kubelet auth page. --- .../kubelet-authentication-authorization.md | 36 +++++++++++-------- 1 file changed, 21 insertions(+), 15 deletions(-) diff --git a/docs/admin/kubelet-authentication-authorization.md b/docs/admin/kubelet-authentication-authorization.md index b0617b8854..509792bf24 100644 --- a/docs/admin/kubelet-authentication-authorization.md +++ b/docs/admin/kubelet-authentication-authorization.md @@ -17,35 +17,40 @@ This document describes how to authenticate and authorize access to the kubelet' ## Kubelet authentication By default, requests to the kubelet's HTTPS endpoint that are not rejected by other configured -authentication methods are treated as anonymous requests, and given a username of `system:anonymous` +authentication methods are treated as anonymous requests, and given a username of `system:anonymous` and a group of `system:unauthenticated`. To disable anonymous access and send `401 Unauthorized` responses to unauthenticated requests: + * start the kubelet with the `--anonymous-auth=false` flag To enable X509 client certificate authentication to the kubelet's HTTPS endpoint: -* start the kubelet with the `--client-ca-file` flag, providing a CA bundle to verify client certificates with + +* start the kubelet with the `--client-ca-file` flag, providing a CA bundle to verify client certificates with * start the apiserver with `--kubelet-client-certificate` and `--kubelet-client-key` flags * see the [apiserver authentication documentation](/docs/admin/authentication/#x509-client-certs) for more details To enable API bearer tokens (including service account tokens) to be used to authenticate to the kubelet's HTTPS endpoint: + * ensure the `authentication.k8s.io/v1beta1` API group is enabled in the API server * start the kubelet with the `--authentication-token-webhook`, `--kubeconfig`, and `--require-kubeconfig` flags -* the kubelet calls the `TokenReview` API on the configured API server to determine user information from bearer tokens +* the kubelet calls the `TokenReview` API on the configured API server to determine user information from bearer tokens ## Kubelet authorization Any request that is successfully authenticated (including an anonymous request) is then authorized. The default authorization mode is `AlwaysAllow`, which allows all requests. There are many possible reasons to subdivide access to the kubelet API: + * anonymous auth is enabled, but anonymous users' ability to call the kubelet API should be limited * bearer token auth is enabled, but arbitrary API users' (like service accounts) ability to call the kubelet API should be limited * client certificate auth is enabled, but only some of the client certificates signed by the configured CA should be allowed to use the kubelet API To subdivide access to the kubelet API, delegate authorization to the API server: + * ensure the `authorization.k8s.io/v1beta1` API group is enabled in the API server * start the kubelet with the `--authorization-mode=Webhook`, `--kubeconfig`, and `--require-kubeconfig` flags -* the kubelet calls the `SubjectAccessReview` API on the configured API server to determine whether each request is authorized +* the kubelet calls the `SubjectAccessReview` API on the configured API server to determine whether each request is authorized The kubelet authorizes API requests using the same [request attributes](/docs/admin/authorization/#request-attributes) approach as the apiserver. @@ -63,19 +68,20 @@ The resource and subresource is determined from the incoming request's path: Kubelet API | resource | subresource -------------|----------|------------ -/stats/* | nodes | stats -/metrics/* | nodes | metrics -/logs/* | nodes | log -/spec/* | nodes | spec +/stats/\* | nodes | stats +/metrics/\* | nodes | metrics +/logs/\* | nodes | log +/spec/\* | nodes | spec *all others* | nodes | proxy -The namespace and API group attributes are always an empty string, and +The namespace and API group attributes are always an empty string, and the resource name is always the name of the kubelet's `Node` API object. -When running in this mode, ensure the user identified by the `--kubelet-client-certificate` and `--kubelet-client-key` +When running in this mode, ensure the user identified by the `--kubelet-client-certificate` and `--kubelet-client-key` flags passed to the apiserver is authorized for the following attributes: -* verb=*, resource=nodes, subresource=proxy -* verb=*, resource=nodes, subresource=stats -* verb=*, resource=nodes, subresource=log -* verb=*, resource=nodes, subresource=spec -* verb=*, resource=nodes, subresource=metrics + +* verb=\*, resource=nodes, subresource=proxy +* verb=\*, resource=nodes, subresource=stats +* verb=\*, resource=nodes, subresource=log +* verb=\*, resource=nodes, subresource=spec +* verb=\*, resource=nodes, subresource=metrics From 8d8c5f9c0a8d6e40c574f7edbcfbc3c124cd8402 Mon Sep 17 00:00:00 2001 From: Alejandro Escobar Date: Wed, 14 Dec 2016 12:47:36 -0800 Subject: [PATCH 27/63] updated the links to documents that do not exists locally but remotely in github. These links are broken online. missed a link. --- docs/getting-started-guides/minikube.md | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/docs/getting-started-guides/minikube.md b/docs/getting-started-guides/minikube.md index 9d0264ccb3..4807e8dec8 100644 --- a/docs/getting-started-guides/minikube.md +++ b/docs/getting-started-guides/minikube.md @@ -308,11 +308,11 @@ Minikube uses [libmachine](https://github.com/docker/machine/tree/master/libmach For more information about minikube, see the [proposal](https://github.com/kubernetes/kubernetes/blob/master/docs/proposals/local-cluster-ux.md). ## Additional Links: -* **Goals and Non-Goals**: For the goals and non-goals of the minikube project, please see our [roadmap](./ROADMAP.md). -* **Development Guide**: See [CONTRIBUTING.md](./CONTRIBUTING.md) for an overview of how to send pull requests. -* **Building Minikube**: For instructions on how to build/test minikube from source, see the [build guide](./BUILD_GUIDE.md) -* **Adding a New Dependency**: For instructions on how to add a new dependency to minikube see the [adding dependencies guide](./ADD_DEPENDENCY.md) -* **Updating Kubernetes**: For instructions on how to add a new dependency to minikube see the [updating kubernetes guide](./UPDATE_KUBERNETES.md) +* **Goals and Non-Goals**: For the goals and non-goals of the minikube project, please see our [roadmap](https://github.com/kubernetes/minikube/blob/master/ROADMAP.md). +* **Development Guide**: See [CONTRIBUTING.md](https://github.com/kubernetes/minikube/blob/master/CONTRIBUTING.md) for an overview of how to send pull requests. +* **Building Minikube**: For instructions on how to build/test minikube from source, see the [build guide](https://github.com/kubernetes/minikube/blob/master/BUILD_GUIDE.md) +* **Adding a New Dependency**: For instructions on how to add a new dependency to minikube see the [adding dependencies guide](https://github.com/kubernetes/minikube/blob/master/ADD_DEPENDENCY.md) +* **Updating Kubernetes**: For instructions on how to add a new dependency to minikube see the [updating kubernetes guide](https://github.com/kubernetes/minikube/blob/master/UPDATE_KUBERNETES.md) ## Community From 061a332ac4e94590a3e9211c23e5af0f06814bec Mon Sep 17 00:00:00 2001 From: dbaumgarten Date: Thu, 15 Dec 2016 14:58:46 +0100 Subject: [PATCH 28/63] Wrong path for cloud-config in kubeadm.md The cloud-config file should be located under `/etc/kubernetes/cloud-config` instead of /etc/kubernetes/cloud-config.json. (See: https://github.com/kubernetes/kubernetes/blob/master/cmd/kubeadm/app/master/manifests.go#L41 ) If the file is not in this location the controller-manager will fail to start, as he is given the --cloud-provider option without --cloud-config. (--cloud-config will only be used when `/etc/kubernetes/cloud-config` exists https://github.com/kubernetes/kubernetes/blob/master/cmd/kubeadm/app/master/manifests.go#L367 ) --- docs/admin/kubeadm.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/admin/kubeadm.md b/docs/admin/kubeadm.md index e1c8537149..bc64c5de84 100644 --- a/docs/admin/kubeadm.md +++ b/docs/admin/kubeadm.md @@ -82,7 +82,7 @@ of the box. You can specify a cloud provider using `--cloud-provider`. Valid values are the ones supported by `controller-manager`, namely `"aws"`, `"azure"`, `"cloudstack"`, `"gce"`, `"mesos"`, `"openstack"`, `"ovirt"`, `"rackspace"`, `"vsphere"`. In order to provide additional configuration for -the cloud provider, you should create a `/etc/kubernetes/cloud-config.json` +the cloud provider, you should create a `/etc/kubernetes/cloud-config` file manually, before running `kubeadm init`. `kubeadm` automatically picks those settings up and ensures other nodes are configured correctly. You must also set the `--cloud-provider` and `--cloud-config` parameters From 01bfb7925f788ceb8b3ba112997307708f60d050 Mon Sep 17 00:00:00 2001 From: Joe Rocklin Date: Thu, 15 Dec 2016 11:47:10 -0500 Subject: [PATCH 29/63] Fix link to nuage previous markdown resulted in a relative reference, which lead to a 404. --- docs/admin/networking.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/admin/networking.md b/docs/admin/networking.md index 9b77b3557a..903bac24f8 100644 --- a/docs/admin/networking.md +++ b/docs/admin/networking.md @@ -171,7 +171,7 @@ Lars Kellogg-Stedman. ### Nuage Networks VCS (Virtualized Cloud Services) -[Nuage](www.nuagenetworks.net) provides a highly scalable policy-based Software-Defined Networking (SDN) platform. Nuage uses the open source Open vSwitch for the data plane along with a feature rich SDN Controller built on open standards. +[Nuage](http://www.nuagenetworks.net) provides a highly scalable policy-based Software-Defined Networking (SDN) platform. Nuage uses the open source Open vSwitch for the data plane along with a feature rich SDN Controller built on open standards. The Nuage platform uses overlays to provide seamless policy-based networking between Kubernetes Pods and non-Kubernetes environments (VMs and bare metal servers). Nuage’s policy abstraction model is designed with applications in mind and makes it easy to declare fine-grained policies for applications.The platform’s real-time analytics engine enables visibility and security monitoring for Kubernetes applications. From 7a145852b9aff00dfccfd6aaca61219743acd837 Mon Sep 17 00:00:00 2001 From: Michail Kargakis Date: Wed, 9 Nov 2016 16:39:48 +0100 Subject: [PATCH 30/63] Proportional scaling in Deployments --- docs/user-guide/deployments.md | 69 ++++++++++++++++++++++++++++++++++ 1 file changed, 69 insertions(+) diff --git a/docs/user-guide/deployments.md b/docs/user-guide/deployments.md index 84ea561bf4..8f138459d0 100644 --- a/docs/user-guide/deployments.md +++ b/docs/user-guide/deployments.md @@ -395,6 +395,75 @@ Events: You can set `.spec.revisionHistoryLimit` field to specify how much revision history of this deployment you want to keep. By default, all revision history will be kept; explicitly setting this field to `0` disallows a deployment being rolled back. +## Scaling a Deployment + +You can scale a Deployment by using the following command: + +```shell +$ kubectl scale deployment nginx-deployment --replicas 10 +deployment "nginx-deployment" scaled +``` + +Assuming [horizontal pod autoscaling](/docs/user-guide/horizontal-pod-autoscaling/walkthrough.md) is enabled +in your cluster, you can setup an autoscaler for your Deployment and choose the minimum and maximum number of +Pods you want to run based on the CPU utilization of your existing Pods. + +```shell +$ kubectl autoscale deployment nginx-deployment --min=10 --max=15 --cpu-percent=80 +deployment "nginx-deployment" autoscaled +``` + +RollingUpdate Deployments support running multitple versions of an application at the same time. When you +or an autoscaler scales a RollingUpdate Deployment that is in the middle of a rollout (either in progress +or paused), then the Deployment controller will balance the additional replicas in the existing active +ReplicaSets (ReplicaSets with Pods) in order to mitigate risk. This is called *proportional scaling*. + +For example, you are running a Deployment with 10 replicas, [maxSurge](#max-surge)=3, and [maxUnavailable](#max-unavailable)=2. + +```shell +$ kubectl get deploy +NAME DESIRED CURRENT UP-TO-DATE AVAILABLE AGE +nginx-deployment 10 10 10 10 50s +``` + +You update to a new image which happens to be unresolvable from inside the cluster. + +```shell +$ kubectl set image deploy/nginx-deployment nginx=nginx:sometag +deployment "nginx-deployment" image updated +``` + +The image update starts a new rollout with ReplicaSet nginx-deployment-1989198191 but it's blocked due to the +maxUnavailable requirement that we mentioned above. + +```shell +$ kubectl get rs +NAME DESIRED CURRENT READY AGE +nginx-deployment-1989198191 5 5 0 9s +nginx-deployment-618515232 8 8 8 1m +``` + +Then a new scaling request for the Deployment comes along. The autoscaler increments the Deployment replicas +to 15. The Deployment controller needs to decide where to add these new 5 replicas. If we weren't using +proportional scaling, all 5 of them would be added in the new ReplicaSet. With proportional scaling, we +spread the additional replicas across all ReplicaSets. Bigger proportions go to the ReplicaSets with the +most replicas and lower proportions go to ReplicaSets with less replicas. Any leftovers are added to the +ReplicaSet with the most replicas. ReplicaSets with zero replicas are not scaled up. + +In our example above, 3 replicas will be added to the old ReplicaSet and 2 replicas will be added to the +new ReplicaSet. The rollout process should eventually move all replicas to the new ReplicaSet, assuming +the new replicas become healthy. + +```shell +$ kubectl get deploy +NAME DESIRED CURRENT UP-TO-DATE AVAILABLE AGE +nginx-deployment 15 18 7 8 7m +$ kubectl get rs +NAME DESIRED CURRENT READY AGE +nginx-deployment-1989198191 7 7 0 7m +nginx-deployment-618515232 11 11 11 7m +``` + ## Pausing and Resuming a Deployment You can also pause a Deployment mid-way and then resume it. A use case is to support canary deployment. From bfa604351ff04bd35c4d5af5cb24adae59ef2bf3 Mon Sep 17 00:00:00 2001 From: Ben Balter Date: Thu, 15 Dec 2016 15:16:54 -0500 Subject: [PATCH 31/63] add explicit titles to docs --- docs/admin/accessing-the-api.md | 2 +- docs/admin/addons.md | 1 + docs/admin/admission-controllers.md | 2 +- docs/admin/apparmor/index.md | 2 +- docs/admin/authentication.md | 3 ++- docs/admin/authorization.md | 2 +- docs/admin/cluster-components.md | 2 +- docs/admin/cluster-large.md | 15 +++++++-------- docs/admin/cluster-management.md | 2 +- docs/admin/cluster-troubleshooting.md | 2 +- docs/admin/daemons.md | 2 +- docs/admin/dns.md | 2 +- docs/admin/etcd.md | 3 +-- docs/admin/federation-apiserver.md | 2 ++ docs/admin/federation-controller-manager.md | 2 ++ docs/admin/federation/index.md | 3 ++- docs/admin/garbage-collection.md | 2 +- docs/admin/high-availability/index.md | 8 ++++---- docs/admin/index.md | 2 +- docs/admin/kube-apiserver.md | 2 ++ docs/admin/kube-controller-manager.md | 2 ++ docs/admin/kube-proxy.md | 2 ++ docs/admin/kube-scheduler.md | 2 ++ docs/admin/kubeadm.md | 3 +-- .../admin/kubelet-authentication-authorization.md | 2 +- docs/admin/kubelet-tls-bootstrapping.md | 2 +- docs/admin/kubelet.md | 2 ++ docs/admin/limitrange/index.md | 2 +- docs/admin/master-node-communication.md | 2 +- docs/admin/multi-cluster.md | 2 +- docs/admin/multiple-schedulers.md | 2 +- docs/admin/multiple-zones.md | 2 +- docs/admin/namespaces/index.md | 2 +- docs/admin/namespaces/walkthrough.md | 2 +- docs/admin/network-plugins.md | 2 +- docs/admin/networking.md | 2 +- docs/admin/node-conformance.md | 2 +- docs/admin/node-problem.md | 2 +- docs/admin/node.md | 2 +- docs/admin/out-of-resource.md | 2 +- docs/admin/ovs-networking.md | 2 +- docs/admin/resourcequota/index.md | 2 +- docs/admin/resourcequota/walkthrough.md | 2 +- docs/admin/salt.md | 2 +- docs/admin/service-accounts-admin.md | 2 +- docs/admin/static-pods.md | 2 +- .../api-reference/autoscaling/v1/definitions.html | 2 ++ docs/api-reference/autoscaling/v1/operations.html | 2 ++ docs/api-reference/batch/v1/definitions.html | 2 ++ docs/api-reference/batch/v1/operations.html | 2 ++ .../extensions/v1beta1/definitions.html | 2 ++ .../extensions/v1beta1/operations.html | 2 ++ docs/api-reference/v1/definitions.html | 2 ++ docs/api-reference/v1/operations.html | 2 ++ docs/api.md | 2 +- .../abstractions/controllers/statefulsets.md | 1 + docs/concepts/index.md | 1 + docs/concepts/object-metadata/annotations.md | 1 + docs/contribute/create-pull-request.md | 1 + docs/contribute/page-templates.md | 5 +++-- docs/contribute/stage-documentation-changes.md | 1 + docs/contribute/style-guide.md | 1 + docs/contribute/write-new-topic.md | 1 + docs/federation/api-reference/README.md | 2 ++ docs/getting-started-guides/alternatives.md | 1 + docs/getting-started-guides/aws.md | 2 +- docs/getting-started-guides/azure.md | 2 +- docs/getting-started-guides/binary_release.md | 2 +- .../centos/centos_manual_config.md | 2 +- docs/getting-started-guides/clc.md | 3 ++- docs/getting-started-guides/cloudstack.md | 2 +- docs/getting-started-guides/coreos/azure/index.md | 1 + .../coreos/bare_metal_offline.md | 2 +- docs/getting-started-guides/coreos/index.md | 2 +- docs/getting-started-guides/dcos.md | 2 +- docs/getting-started-guides/docker-multinode.md | 1 + .../fedora/fedora_ansible_config.md | 2 +- .../fedora/fedora_manual_config.md | 2 +- .../fedora/flannel_multi_node_cluster.md | 3 ++- docs/getting-started-guides/gce.md | 3 +-- docs/getting-started-guides/index.md | 2 +- docs/getting-started-guides/kops.md | 1 + docs/getting-started-guides/kubeadm.md | 2 +- docs/getting-started-guides/kubectl.md | 1 + docs/getting-started-guides/libvirt-coreos.md | 2 +- .../logging-elasticsearch.md | 2 +- docs/getting-started-guides/logging.md | 2 +- docs/getting-started-guides/meanstack.md | 2 +- docs/getting-started-guides/mesos-docker.md | 3 +-- docs/getting-started-guides/mesos/index.md | 2 +- docs/getting-started-guides/minikube.md | 2 +- .../network-policy/calico.md | 2 +- .../network-policy/romana.md | 2 +- .../network-policy/walkthrough.md | 2 +- docs/getting-started-guides/openstack-heat.md | 2 +- docs/getting-started-guides/ovirt.md | 2 +- docs/getting-started-guides/photon-controller.md | 2 +- docs/getting-started-guides/rackspace.md | 2 +- docs/getting-started-guides/rkt/index.md | 2 +- docs/getting-started-guides/rkt/notes.md | 2 +- docs/getting-started-guides/scratch.md | 2 +- docs/getting-started-guides/vsphere.md | 2 +- docs/getting-started-guides/windows/index.md | 2 +- docs/hellonode.md | 2 +- docs/index.md | 2 +- docs/reference.md | 3 ++- docs/reporting-security-issues.md | 2 +- docs/samples.md | 3 ++- .../port-forward-access-application-cluster.md | 1 + .../http-proxy-access-api.md | 1 + .../tasks/administer-cluster/assign-pods-nodes.md | 1 + .../dns-horizontal-autoscaling.md | 1 + .../tasks/administer-cluster/safely-drain-node.md | 4 ++-- .../assign-cpu-ram-container.md | 1 + .../configure-volume-storage.md | 1 + .../define-command-argument-container.md | 1 + .../define-environment-variable-container.md | 1 + .../distribute-credentials-secure.md | 1 + .../determine-reason-pod-failure.md | 1 + docs/tasks/index.md | 1 + .../debugging-a-statefulset.md | 2 +- docs/tasks/manage-stateful-set/delete-pods.md | 2 +- .../manage-stateful-set/deleting-a-statefulset.md | 2 +- .../manage-stateful-set/scale-stateful-set.md | 2 +- .../upgrade-pet-set-to-stateful-set.md | 2 +- docs/tasks/troubleshoot/debug-init-containers.md | 2 +- docs/tools/index.md | 2 +- docs/troubleshooting.md | 2 +- docs/tutorials/index.md | 1 + .../kubernetes-basics/cluster-interactive.html | 1 + .../kubernetes-basics/cluster-intro.html | 5 +++-- .../kubernetes-basics/deploy-interactive.html | 1 + .../tutorials/kubernetes-basics/deploy-intro.html | 1 + .../kubernetes-basics/explore-interactive.html | 1 + .../kubernetes-basics/explore-intro.html | 1 + .../kubernetes-basics/expose-interactive.html | 1 + .../tutorials/kubernetes-basics/expose-intro.html | 1 + docs/tutorials/kubernetes-basics/index.html | 1 + .../kubernetes-basics/scale-interactive.html | 1 + docs/tutorials/kubernetes-basics/scale-intro.html | 1 + .../kubernetes-basics/update-interactive.html | 1 + .../tutorials/kubernetes-basics/update-intro.html | 1 + .../stateful-application/basic-stateful-set.md | 1 + .../run-replicated-stateful-application.md | 2 +- .../run-stateful-application.md | 1 + docs/tutorials/stateful-application/zookeeper.md | 1 + .../expose-external-ip-address-service.md | 1 + .../expose-external-ip-address.md | 1 + .../run-stateless-application-deployment.md | 1 + docs/user-guide/accessing-the-cluster.md | 14 +++++++------- docs/user-guide/annotations.md | 2 +- docs/user-guide/application-troubleshooting.md | 2 +- docs/user-guide/compute-resources.md | 2 +- docs/user-guide/config-best-practices.md | 2 +- docs/user-guide/configmap/index.md | 3 ++- docs/user-guide/configuring-containers.md | 2 +- docs/user-guide/connecting-applications.md | 2 +- .../connecting-to-applications-port-forward.md | 2 +- .../connecting-to-applications-proxy.md | 2 +- docs/user-guide/container-environment.md | 2 +- docs/user-guide/containers.md | 2 +- docs/user-guide/cron-jobs.md | 2 +- .../debugging-pods-and-replication-controllers.md | 2 +- docs/user-guide/debugging-services.md | 2 +- docs/user-guide/deploying-applications.md | 3 +-- docs/user-guide/deployments.md | 2 +- docs/user-guide/docker-cli-to-kubectl.md | 2 +- docs/user-guide/downward-api/index.md | 2 +- docs/user-guide/downward-api/volume/index.md | 1 + docs/user-guide/environment-guide/index.md | 12 ++++++------ docs/user-guide/federation/configmap.md | 1 + docs/user-guide/federation/daemonsets.md | 1 + docs/user-guide/federation/deployment.md | 1 + docs/user-guide/federation/events.md | 1 + docs/user-guide/federation/federated-ingress.md | 1 + docs/user-guide/federation/federated-services.md | 2 +- docs/user-guide/federation/index.md | 1 + docs/user-guide/federation/namespaces.md | 1 + docs/user-guide/federation/replicasets.md | 1 + docs/user-guide/federation/secrets.md | 1 + docs/user-guide/garbage-collection.md | 2 +- docs/user-guide/getting-into-containers.md | 2 +- .../horizontal-pod-autoscaling/index.md | 2 +- .../horizontal-pod-autoscaling/walkthrough.md | 2 +- docs/user-guide/identifiers.md | 2 +- docs/user-guide/images.md | 2 +- docs/user-guide/index.md | 2 +- docs/user-guide/ingress.md | 2 +- docs/user-guide/introspection-and-debugging.md | 2 +- docs/user-guide/jobs.md | 2 +- docs/user-guide/jobs/expansions/index.md | 1 + docs/user-guide/jobs/work-queue-1/index.md | 1 + docs/user-guide/jobs/work-queue-2/index.md | 1 + docs/user-guide/jsonpath.md | 2 +- docs/user-guide/kubeconfig-file.md | 14 +++++++------- docs/user-guide/kubectl-cheatsheet.md | 2 +- docs/user-guide/kubectl-conventions.md | 2 +- docs/user-guide/kubectl-overview.md | 2 +- docs/user-guide/kubectl/index.md | 2 ++ docs/user-guide/kubectl/kubectl_annotate.md | 2 ++ docs/user-guide/kubectl/kubectl_api-versions.md | 2 ++ docs/user-guide/kubectl/kubectl_apply.md | 2 ++ docs/user-guide/kubectl/kubectl_attach.md | 2 ++ docs/user-guide/kubectl/kubectl_autoscale.md | 2 ++ docs/user-guide/kubectl/kubectl_cluster-info.md | 2 ++ docs/user-guide/kubectl/kubectl_config.md | 2 ++ .../kubectl/kubectl_config_current-context.md | 2 ++ .../kubectl/kubectl_config_set-cluster.md | 2 ++ .../kubectl/kubectl_config_set-context.md | 2 ++ .../kubectl/kubectl_config_set-credentials.md | 2 ++ docs/user-guide/kubectl/kubectl_config_set.md | 2 ++ docs/user-guide/kubectl/kubectl_config_unset.md | 2 ++ .../kubectl/kubectl_config_use-context.md | 2 ++ docs/user-guide/kubectl/kubectl_config_view.md | 2 ++ docs/user-guide/kubectl/kubectl_convert.md | 2 ++ docs/user-guide/kubectl/kubectl_cordon.md | 2 ++ docs/user-guide/kubectl/kubectl_create.md | 2 ++ .../kubectl/kubectl_create_configmap.md | 2 ++ .../kubectl/kubectl_create_namespace.md | 2 ++ docs/user-guide/kubectl/kubectl_create_secret.md | 2 ++ .../kubectl_create_secret_docker-registry.md | 2 ++ .../kubectl/kubectl_create_secret_generic.md | 2 ++ .../kubectl/kubectl_create_serviceaccount.md | 2 ++ docs/user-guide/kubectl/kubectl_delete.md | 2 ++ docs/user-guide/kubectl/kubectl_describe.md | 2 ++ docs/user-guide/kubectl/kubectl_drain.md | 2 ++ docs/user-guide/kubectl/kubectl_edit.md | 2 ++ docs/user-guide/kubectl/kubectl_exec.md | 2 ++ docs/user-guide/kubectl/kubectl_explain.md | 2 ++ docs/user-guide/kubectl/kubectl_expose.md | 2 ++ docs/user-guide/kubectl/kubectl_get.md | 2 ++ docs/user-guide/kubectl/kubectl_label.md | 2 ++ docs/user-guide/kubectl/kubectl_logs.md | 2 ++ docs/user-guide/kubectl/kubectl_patch.md | 2 ++ docs/user-guide/kubectl/kubectl_port-forward.md | 2 ++ docs/user-guide/kubectl/kubectl_proxy.md | 2 ++ docs/user-guide/kubectl/kubectl_replace.md | 2 ++ docs/user-guide/kubectl/kubectl_rolling-update.md | 2 ++ docs/user-guide/kubectl/kubectl_rollout.md | 2 ++ .../user-guide/kubectl/kubectl_rollout_history.md | 2 ++ docs/user-guide/kubectl/kubectl_rollout_pause.md | 2 ++ docs/user-guide/kubectl/kubectl_rollout_resume.md | 2 ++ docs/user-guide/kubectl/kubectl_rollout_undo.md | 2 ++ docs/user-guide/kubectl/kubectl_run.md | 2 ++ docs/user-guide/kubectl/kubectl_scale.md | 2 ++ docs/user-guide/kubectl/kubectl_stop.md | 2 ++ docs/user-guide/kubectl/kubectl_uncordon.md | 2 ++ docs/user-guide/kubectl/kubectl_version.md | 2 ++ docs/user-guide/labels.md | 2 +- docs/user-guide/liveness/index.md | 2 +- docs/user-guide/load-balancer.md | 2 +- docs/user-guide/logging.md | 2 +- docs/user-guide/managing-deployments.md | 3 ++- docs/user-guide/monitoring.md | 2 +- docs/user-guide/namespaces.md | 2 +- docs/user-guide/networkpolicies.md | 2 +- docs/user-guide/node-selection/index.md | 2 +- docs/user-guide/persistent-volumes/index.md | 2 +- docs/user-guide/persistent-volumes/walkthrough.md | 2 +- docs/user-guide/petset.md | 2 +- docs/user-guide/petset/bootstrapping/index.md | 1 + docs/user-guide/pod-security-policy/index.md | 2 +- docs/user-guide/pod-states.md | 2 +- docs/user-guide/pods/index.md | 4 ++-- docs/user-guide/pods/multi-container.md | 2 +- docs/user-guide/pods/single-container.md | 2 +- docs/user-guide/prereqs.md | 2 +- docs/user-guide/production-pods.md | 2 +- docs/user-guide/quick-start.md | 2 +- docs/user-guide/replicasets.md | 2 +- docs/user-guide/replication-controller/index.md | 2 +- .../replication-controller/operations.md | 3 ++- .../resizing-a-replication-controller.md | 2 +- docs/user-guide/rolling-updates.md | 2 +- docs/user-guide/secrets/index.md | 2 +- docs/user-guide/secrets/walkthrough.md | 4 ++-- docs/user-guide/security-context.md | 2 +- docs/user-guide/service-accounts.md | 2 +- docs/user-guide/services-firewalls.md | 2 +- docs/user-guide/services/index.md | 2 +- docs/user-guide/services/operations.md | 3 ++- docs/user-guide/sharing-clusters.md | 2 +- docs/user-guide/simple-nginx.md | 2 +- docs/user-guide/thirdpartyresources.md | 2 +- docs/user-guide/ui.md | 3 +-- docs/user-guide/update-demo/index.md | 15 +++++++-------- docs/user-guide/volumes.md | 2 +- docs/user-guide/working-with-resources.md | 2 +- docs/whatisk8s.md | 3 +-- editdocs.md | 1 + kubernetes/third_party/swagger-ui/index.md | 4 ++++ 291 files changed, 409 insertions(+), 212 deletions(-) diff --git a/docs/admin/accessing-the-api.md b/docs/admin/accessing-the-api.md index cb3f3d4ce4..0e491ccf0d 100644 --- a/docs/admin/accessing-the-api.md +++ b/docs/admin/accessing-the-api.md @@ -3,7 +3,7 @@ assignees: - bgrant0607 - erictune - lavalamp - +title: Overview --- This document describes how access to the Kubernetes API is controlled. diff --git a/docs/admin/addons.md b/docs/admin/addons.md index 1555f8263c..d387c972b6 100644 --- a/docs/admin/addons.md +++ b/docs/admin/addons.md @@ -1,4 +1,5 @@ --- +title: Installing Addons --- ## Overview diff --git a/docs/admin/admission-controllers.md b/docs/admin/admission-controllers.md index 24da796163..475f2e4be9 100644 --- a/docs/admin/admission-controllers.md +++ b/docs/admin/admission-controllers.md @@ -6,7 +6,7 @@ assignees: - erictune - janetkuo - thockin - +title: Using Admission Controllers --- * TOC diff --git a/docs/admin/apparmor/index.md b/docs/admin/apparmor/index.md index 9730c07953..4c2d02d989 100644 --- a/docs/admin/apparmor/index.md +++ b/docs/admin/apparmor/index.md @@ -1,7 +1,7 @@ --- assignees: - stclair - +title: AppArmor --- AppArmor is a Linux kernel enhancement that can reduce the potential attack surface of an diff --git a/docs/admin/authentication.md b/docs/admin/authentication.md index 0cb5ea4dbe..ab41a6fd39 100644 --- a/docs/admin/authentication.md +++ b/docs/admin/authentication.md @@ -5,8 +5,9 @@ assignees: - ericchiang - deads2k - liggitt - +title: Authenticating --- + * TOC {:toc} diff --git a/docs/admin/authorization.md b/docs/admin/authorization.md index f1f46985b2..6f76a1c033 100644 --- a/docs/admin/authorization.md +++ b/docs/admin/authorization.md @@ -4,7 +4,7 @@ assignees: - lavalamp - deads2k - liggitt - +title: Using Authorization Plugins --- In Kubernetes, authorization happens as a separate step from authentication. diff --git a/docs/admin/cluster-components.md b/docs/admin/cluster-components.md index c1bcae8577..0b913d8956 100644 --- a/docs/admin/cluster-components.md +++ b/docs/admin/cluster-components.md @@ -1,7 +1,7 @@ --- assignees: - lavalamp - +title: Kubernetes Components --- This document outlines the various binary components that need to run to diff --git a/docs/admin/cluster-large.md b/docs/admin/cluster-large.md index d2285c3346..f41df12689 100644 --- a/docs/admin/cluster-large.md +++ b/docs/admin/cluster-large.md @@ -1,11 +1,10 @@ ---- -assignees: -- davidopp -- lavalamp - ---- - - +--- +assignees: +- davidopp +- lavalamp +title: Building Large Clusters +--- + ## Support At {{page.version}}, Kubernetes supports clusters with up to 1000 nodes. More specifically, we support configurations that meet *all* of the following criteria: diff --git a/docs/admin/cluster-management.md b/docs/admin/cluster-management.md index 97362c4bab..b1c4c340a3 100644 --- a/docs/admin/cluster-management.md +++ b/docs/admin/cluster-management.md @@ -2,7 +2,7 @@ assignees: - lavalamp - thockin - +title: Cluster Management Guide --- * TOC diff --git a/docs/admin/cluster-troubleshooting.md b/docs/admin/cluster-troubleshooting.md index 8bab089ce6..89cd99926b 100644 --- a/docs/admin/cluster-troubleshooting.md +++ b/docs/admin/cluster-troubleshooting.md @@ -1,7 +1,7 @@ --- assignees: - davidopp - +title: Troubleshooting Clusters --- This doc is about cluster troubleshooting; we assume you have already ruled out your application as the root cause of the diff --git a/docs/admin/daemons.md b/docs/admin/daemons.md index bab12268ba..fd2bc8afcb 100644 --- a/docs/admin/daemons.md +++ b/docs/admin/daemons.md @@ -1,7 +1,7 @@ --- assignees: - erictune - +title: Daemon Sets --- * TOC diff --git a/docs/admin/dns.md b/docs/admin/dns.md index 6115be7363..6ed558859b 100644 --- a/docs/admin/dns.md +++ b/docs/admin/dns.md @@ -3,7 +3,7 @@ assignees: - ArtfulCoder - davidopp - lavalamp - +title: Using DNS Pods and Services --- ## Introduction diff --git a/docs/admin/etcd.md b/docs/admin/etcd.md index 14b36a33be..ea4f6b09b3 100644 --- a/docs/admin/etcd.md +++ b/docs/admin/etcd.md @@ -1,10 +1,9 @@ --- assignees: - lavalamp - +title: Configuring Kubernetes Use of etcd --- - [etcd](https://coreos.com/etcd/docs/2.2.1/) is a highly-available key value store which Kubernetes uses for persistent storage of all of its REST API objects. diff --git a/docs/admin/federation-apiserver.md b/docs/admin/federation-apiserver.md index 9236c62d38..77b066854c 100644 --- a/docs/admin/federation-apiserver.md +++ b/docs/admin/federation-apiserver.md @@ -1,5 +1,7 @@ --- +title: federation-apiserver --- + ## federation-apiserver diff --git a/docs/admin/federation-controller-manager.md b/docs/admin/federation-controller-manager.md index a65bbef5f3..5e87fce3d0 100644 --- a/docs/admin/federation-controller-manager.md +++ b/docs/admin/federation-controller-manager.md @@ -1,5 +1,7 @@ --- +title: federation-controller-mananger --- + ## federation-controller-manager diff --git a/docs/admin/federation/index.md b/docs/admin/federation/index.md index ec40d581bb..478f7563de 100644 --- a/docs/admin/federation/index.md +++ b/docs/admin/federation/index.md @@ -3,8 +3,9 @@ assignees: - madhusudancs - mml - nikhiljindal - +title: Using `federation-up` and `deploy.sh` --- + This guide explains how to set up cluster federation that lets us control multiple Kubernetes clusters. diff --git a/docs/admin/garbage-collection.md b/docs/admin/garbage-collection.md index a3112a07f1..0276596f6c 100644 --- a/docs/admin/garbage-collection.md +++ b/docs/admin/garbage-collection.md @@ -1,7 +1,7 @@ --- assignees: - mikedanese - +title: Configuring kubelet Garbage Collection --- * TOC diff --git a/docs/admin/high-availability/index.md b/docs/admin/high-availability/index.md index ad78270e4a..42e51d3d51 100644 --- a/docs/admin/high-availability/index.md +++ b/docs/admin/high-availability/index.md @@ -1,7 +1,7 @@ ---- - ---- - +--- +title: Building High-Availability Clusters +--- + ## Introduction This document describes how to build a high-availability (HA) Kubernetes cluster. This is a fairly advanced topic. diff --git a/docs/admin/index.md b/docs/admin/index.md index 3624bb4202..98f38b428a 100644 --- a/docs/admin/index.md +++ b/docs/admin/index.md @@ -2,7 +2,7 @@ assignees: - davidopp - lavalamp - +title: Admin Guide --- The cluster admin guide is for anyone creating or administering a Kubernetes cluster. diff --git a/docs/admin/kube-apiserver.md b/docs/admin/kube-apiserver.md index 12d2b76a49..e8142fac4e 100644 --- a/docs/admin/kube-apiserver.md +++ b/docs/admin/kube-apiserver.md @@ -1,5 +1,7 @@ --- +title: kube-apiserver --- + ## kube-apiserver diff --git a/docs/admin/kube-controller-manager.md b/docs/admin/kube-controller-manager.md index 68cca731e7..5dab0da7e2 100644 --- a/docs/admin/kube-controller-manager.md +++ b/docs/admin/kube-controller-manager.md @@ -1,5 +1,7 @@ --- +title: kube-controller-manager --- + ## kube-controller-manager diff --git a/docs/admin/kube-proxy.md b/docs/admin/kube-proxy.md index 491a91d06e..f643748624 100644 --- a/docs/admin/kube-proxy.md +++ b/docs/admin/kube-proxy.md @@ -1,5 +1,7 @@ --- +title: kube-proxy --- + ## kube-proxy diff --git a/docs/admin/kube-scheduler.md b/docs/admin/kube-scheduler.md index 9b4d7264e6..bb6799bb73 100644 --- a/docs/admin/kube-scheduler.md +++ b/docs/admin/kube-scheduler.md @@ -1,5 +1,7 @@ --- +title: kube-scheduler --- + ## kube-scheduler diff --git a/docs/admin/kubeadm.md b/docs/admin/kubeadm.md index e1c8537149..3dc59fd2d6 100644 --- a/docs/admin/kubeadm.md +++ b/docs/admin/kubeadm.md @@ -4,10 +4,9 @@ assignees: - luxas - errordeveloper - jbeda - +title: kubeadm reference --- - This document provides information on how to use kubeadm's advanced options. Running `kubeadm init` bootstraps a Kubernetes cluster. This consists of the diff --git a/docs/admin/kubelet-authentication-authorization.md b/docs/admin/kubelet-authentication-authorization.md index b0617b8854..035f3068fa 100644 --- a/docs/admin/kubelet-authentication-authorization.md +++ b/docs/admin/kubelet-authentication-authorization.md @@ -1,7 +1,7 @@ --- assignees: - liggitt - +title: Kubelet authentication/authorization --- * TOC diff --git a/docs/admin/kubelet-tls-bootstrapping.md b/docs/admin/kubelet-tls-bootstrapping.md index 3458bdb310..f8d56923ee 100644 --- a/docs/admin/kubelet-tls-bootstrapping.md +++ b/docs/admin/kubelet-tls-bootstrapping.md @@ -1,7 +1,7 @@ --- assignees: - mikedanese - +title: TLS bootstrapping --- * TOC diff --git a/docs/admin/kubelet.md b/docs/admin/kubelet.md index a3004ea1aa..74186eb1ba 100644 --- a/docs/admin/kubelet.md +++ b/docs/admin/kubelet.md @@ -1,5 +1,7 @@ --- +title: Overview --- + ## kubelet diff --git a/docs/admin/limitrange/index.md b/docs/admin/limitrange/index.md index 0336264bc3..767513a1a3 100644 --- a/docs/admin/limitrange/index.md +++ b/docs/admin/limitrange/index.md @@ -2,7 +2,7 @@ assignees: - derekwaynecarr - janetkuo - +title: Setting Pod CPU and Memory Limits --- By default, pods run with unbounded CPU and memory limits. This means that any pod in the diff --git a/docs/admin/master-node-communication.md b/docs/admin/master-node-communication.md index 9e8b9cfa9e..91ecff7ef9 100644 --- a/docs/admin/master-node-communication.md +++ b/docs/admin/master-node-communication.md @@ -3,7 +3,7 @@ assignees: - dchen1107 - roberthbailey - liggitt - +title: Master-Node communication --- * TOC diff --git a/docs/admin/multi-cluster.md b/docs/admin/multi-cluster.md index 6359782409..1d238d8e13 100644 --- a/docs/admin/multi-cluster.md +++ b/docs/admin/multi-cluster.md @@ -1,7 +1,7 @@ --- assignees: - davidopp - +title: Using Multiple Clusters --- You may want to set up multiple Kubernetes clusters, both to diff --git a/docs/admin/multiple-schedulers.md b/docs/admin/multiple-schedulers.md index 8ba152ac04..eb1c4c44f9 100644 --- a/docs/admin/multiple-schedulers.md +++ b/docs/admin/multiple-schedulers.md @@ -2,7 +2,7 @@ assignees: - davidopp - madhusudancs - +title: Configuring Multiple Schedulers --- Kubernetes ships with a default scheduler that is described [here](/docs/admin/kube-scheduler/). diff --git a/docs/admin/multiple-zones.md b/docs/admin/multiple-zones.md index bfde54213e..e215b31716 100644 --- a/docs/admin/multiple-zones.md +++ b/docs/admin/multiple-zones.md @@ -3,7 +3,7 @@ assignees: - jlowdermilk - justinsb - quinton-hoole - +title: Running in Multiple Zones --- ## Introduction diff --git a/docs/admin/namespaces/index.md b/docs/admin/namespaces/index.md index 574f41b10a..b723a9c361 100644 --- a/docs/admin/namespaces/index.md +++ b/docs/admin/namespaces/index.md @@ -2,7 +2,7 @@ assignees: - derekwaynecarr - janetkuo - +title: Sharing a Cluster with Namespaces --- A Namespace is a mechanism to partition resources created by users into diff --git a/docs/admin/namespaces/walkthrough.md b/docs/admin/namespaces/walkthrough.md index 2a3e6298ea..9faecf89e9 100644 --- a/docs/admin/namespaces/walkthrough.md +++ b/docs/admin/namespaces/walkthrough.md @@ -2,7 +2,7 @@ assignees: - derekwaynecarr - janetkuo - +title: Namespaces Walkthrough --- Kubernetes _namespaces_ help different projects, teams, or customers to share a Kubernetes cluster. diff --git a/docs/admin/network-plugins.md b/docs/admin/network-plugins.md index 6c5f354423..6b80f1a002 100644 --- a/docs/admin/network-plugins.md +++ b/docs/admin/network-plugins.md @@ -3,7 +3,7 @@ assignees: - dcbw - freehan - thockin - +title: Network Plugins --- * TOC diff --git a/docs/admin/networking.md b/docs/admin/networking.md index 9b77b3557a..231b7b315d 100644 --- a/docs/admin/networking.md +++ b/docs/admin/networking.md @@ -2,7 +2,7 @@ assignees: - lavalamp - thockin - +title: Networking in Kubernetes --- Kubernetes approaches networking somewhat differently than Docker does by diff --git a/docs/admin/node-conformance.md b/docs/admin/node-conformance.md index 52935bc4cc..f53ba858b1 100644 --- a/docs/admin/node-conformance.md +++ b/docs/admin/node-conformance.md @@ -1,7 +1,7 @@ --- assignees: - Random-Liu - +title: Validate Node Setup --- * TOC diff --git a/docs/admin/node-problem.md b/docs/admin/node-problem.md index b6926ba15b..0d7b57005e 100644 --- a/docs/admin/node-problem.md +++ b/docs/admin/node-problem.md @@ -2,7 +2,7 @@ assignees: - Random-Liu - dchen1107 - +title: Monitoring Node Health --- * TOC diff --git a/docs/admin/node.md b/docs/admin/node.md index ad0867ffc8..3c3e16178d 100644 --- a/docs/admin/node.md +++ b/docs/admin/node.md @@ -3,7 +3,7 @@ assignees: - caesarxuchao - dchen1107 - lavalamp - +title: Nodes --- * TOC diff --git a/docs/admin/out-of-resource.md b/docs/admin/out-of-resource.md index 8af7114ed6..a663703d9c 100644 --- a/docs/admin/out-of-resource.md +++ b/docs/admin/out-of-resource.md @@ -3,7 +3,7 @@ assignees: - derekwaynecarr - vishh - timstclair - +title: Configuring Out Of Resource Handling --- * TOC diff --git a/docs/admin/ovs-networking.md b/docs/admin/ovs-networking.md index 7a8f89506c..9370dcec46 100644 --- a/docs/admin/ovs-networking.md +++ b/docs/admin/ovs-networking.md @@ -2,7 +2,7 @@ assignees: - lavalamp - thockin - +title: Kubernetes OpenVSwitch GRE/VxLAN networking --- This document describes how OpenVSwitch is used to setup networking between pods across nodes. diff --git a/docs/admin/resourcequota/index.md b/docs/admin/resourcequota/index.md index ff76942702..c967975dec 100644 --- a/docs/admin/resourcequota/index.md +++ b/docs/admin/resourcequota/index.md @@ -1,7 +1,7 @@ --- assignees: - derekwaynecarr - +title: Resource Quotas --- When several users or teams share a cluster with a fixed number of nodes, diff --git a/docs/admin/resourcequota/walkthrough.md b/docs/admin/resourcequota/walkthrough.md index 7422f2abcf..d5ef21ff6c 100644 --- a/docs/admin/resourcequota/walkthrough.md +++ b/docs/admin/resourcequota/walkthrough.md @@ -2,7 +2,7 @@ assignees: - derekwaynecarr - janetkuo - +title: Applying Resource Quotas and Limits --- This example demonstrates a typical setup to control for resource usage in a namespace. diff --git a/docs/admin/salt.md b/docs/admin/salt.md index 5d82b54d39..ba4d4fe227 100644 --- a/docs/admin/salt.md +++ b/docs/admin/salt.md @@ -2,7 +2,7 @@ assignees: - davidopp - lavalamp - +title: Configuring Kubernetes with Salt --- The Kubernetes cluster can be configured using Salt. diff --git a/docs/admin/service-accounts-admin.md b/docs/admin/service-accounts-admin.md index 810f4d7515..4a31fbeced 100644 --- a/docs/admin/service-accounts-admin.md +++ b/docs/admin/service-accounts-admin.md @@ -4,7 +4,7 @@ assignees: - davidopp - lavalamp - liggitt - +title: Managing Service Accounts --- *This is a Cluster Administrator guide to service accounts. It assumes knowledge of diff --git a/docs/admin/static-pods.md b/docs/admin/static-pods.md index 531494fb04..36235929a3 100644 --- a/docs/admin/static-pods.md +++ b/docs/admin/static-pods.md @@ -1,7 +1,7 @@ --- assignees: - jsafrane - +title: Static Pods --- **If you are running clustered Kubernetes and are using static pods to run a pod on every node, you should probably be using a [DaemonSet](/docs/admin/daemons/)!** diff --git a/docs/api-reference/autoscaling/v1/definitions.html b/docs/api-reference/autoscaling/v1/definitions.html index 949fa2e507..768d4e1543 100755 --- a/docs/api-reference/autoscaling/v1/definitions.html +++ b/docs/api-reference/autoscaling/v1/definitions.html @@ -1,5 +1,7 @@ --- +title: Autoscaling API Definitions --- + diff --git a/docs/api-reference/autoscaling/v1/operations.html b/docs/api-reference/autoscaling/v1/operations.html index 0e38da7627..cfc457d1e5 100755 --- a/docs/api-reference/autoscaling/v1/operations.html +++ b/docs/api-reference/autoscaling/v1/operations.html @@ -1,5 +1,7 @@ --- +title: Autoscaling API Operations --- + diff --git a/docs/api-reference/batch/v1/definitions.html b/docs/api-reference/batch/v1/definitions.html index be391e4acd..9989f4c4ca 100755 --- a/docs/api-reference/batch/v1/definitions.html +++ b/docs/api-reference/batch/v1/definitions.html @@ -1,5 +1,7 @@ --- +title: Batch API Definitions --- + diff --git a/docs/api-reference/batch/v1/operations.html b/docs/api-reference/batch/v1/operations.html index 691318f810..5be3ce0b60 100755 --- a/docs/api-reference/batch/v1/operations.html +++ b/docs/api-reference/batch/v1/operations.html @@ -1,5 +1,7 @@ --- +title: Batch API Operations --- + diff --git a/docs/api-reference/extensions/v1beta1/definitions.html b/docs/api-reference/extensions/v1beta1/definitions.html index 3863ee11f8..b92378524f 100755 --- a/docs/api-reference/extensions/v1beta1/definitions.html +++ b/docs/api-reference/extensions/v1beta1/definitions.html @@ -1,5 +1,7 @@ --- +title: Extensions API Definitions --- + diff --git a/docs/api-reference/extensions/v1beta1/operations.html b/docs/api-reference/extensions/v1beta1/operations.html index c1d9c191ec..a97f64b789 100755 --- a/docs/api-reference/extensions/v1beta1/operations.html +++ b/docs/api-reference/extensions/v1beta1/operations.html @@ -1,5 +1,7 @@ --- +title: Extensions API Operations --- + diff --git a/docs/api-reference/v1/definitions.html b/docs/api-reference/v1/definitions.html index 6c2515eeaa..e207f68c0a 100755 --- a/docs/api-reference/v1/definitions.html +++ b/docs/api-reference/v1/definitions.html @@ -1,5 +1,7 @@ --- +title: Kubernetes API Definitions --- + diff --git a/docs/api-reference/v1/operations.html b/docs/api-reference/v1/operations.html index dfdb663b8b..f75e9a44f5 100755 --- a/docs/api-reference/v1/operations.html +++ b/docs/api-reference/v1/operations.html @@ -1,5 +1,7 @@ --- +title: Kubernetes API Operations --- + diff --git a/docs/api.md b/docs/api.md index 3479dbff94..7964f604d0 100644 --- a/docs/api.md +++ b/docs/api.md @@ -3,7 +3,7 @@ assignees: - bgrant0607 - erictune - lavalamp - +title: Kubernetes API Overview --- Primary system and API concepts are documented in the [User guide](/docs/user-guide/). diff --git a/docs/concepts/abstractions/controllers/statefulsets.md b/docs/concepts/abstractions/controllers/statefulsets.md index 01825fc257..6f8e9629c3 100644 --- a/docs/concepts/abstractions/controllers/statefulsets.md +++ b/docs/concepts/abstractions/controllers/statefulsets.md @@ -7,6 +7,7 @@ assignees: - janetkuo - kow3ns - smarterclayton +title: StatefulSets --- {% capture overview %} diff --git a/docs/concepts/index.md b/docs/concepts/index.md index 72d1ecebb2..c26b972202 100644 --- a/docs/concepts/index.md +++ b/docs/concepts/index.md @@ -1,4 +1,5 @@ --- +title: Concepts --- The Concepts section of the Kubernetes documentation is a work in progress. diff --git a/docs/concepts/object-metadata/annotations.md b/docs/concepts/object-metadata/annotations.md index e337493fe1..fbf73f48fd 100644 --- a/docs/concepts/object-metadata/annotations.md +++ b/docs/concepts/object-metadata/annotations.md @@ -1,4 +1,5 @@ --- +title: Annotations --- {% capture overview %} diff --git a/docs/contribute/create-pull-request.md b/docs/contribute/create-pull-request.md index e74b49436e..4637c0b066 100644 --- a/docs/contribute/create-pull-request.md +++ b/docs/contribute/create-pull-request.md @@ -1,4 +1,5 @@ --- +title: Creating a Documentation Pull Request --- {% capture overview %} diff --git a/docs/contribute/page-templates.md b/docs/contribute/page-templates.md index 4b19cde39b..93fa03a6bb 100644 --- a/docs/contribute/page-templates.md +++ b/docs/contribute/page-templates.md @@ -1,7 +1,8 @@ --- redirect_from: - - /docs/templatedemos/ - - /docs/templatedemos.html +- "/docs/templatedemos/" +- "/docs/templatedemos.html" +title: Using Page Templates --- diff --git a/kubernetes/third_party/swagger-ui/index.md b/kubernetes/third_party/swagger-ui/index.md index c481f993f3..425a061477 100644 --- a/kubernetes/third_party/swagger-ui/index.md +++ b/kubernetes/third_party/swagger-ui/index.md @@ -1,3 +1,7 @@ +--- +title: Kubernetes API Swagger Spec +--- + --- Kubernetes swagger UI has now been replaced by our generated API reference docs From 664459c407614594af78ea25dba8deef767e9a14 Mon Sep 17 00:00:00 2001 From: Janet Kuo Date: Thu, 15 Dec 2016 13:00:17 -0800 Subject: [PATCH 32/63] Bump default {{page.version}} to v1.5.1 --- _config.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/_config.yml b/_config.yml index 8b131eb433..6397dda511 100644 --- a/_config.yml +++ b/_config.yml @@ -17,7 +17,7 @@ defaults: scope: path: "" values: - version: "v1.3" + version: "v1.5.1" githubbranch: "master" docsbranch: "master" - From 9b432f24e61fe68c79b4d9a7337130834d881331 Mon Sep 17 00:00:00 2001 From: Janet Kuo Date: Thu, 15 Dec 2016 13:14:47 -0800 Subject: [PATCH 33/63] Remove .0 suffix from all references to {{page.version}} --- docs/admin/network-plugins.md | 4 ++-- docs/getting-started-guides/minikube.md | 6 +++--- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/docs/admin/network-plugins.md b/docs/admin/network-plugins.md index 6c5f354423..7f2d59f0a2 100644 --- a/docs/admin/network-plugins.md +++ b/docs/admin/network-plugins.md @@ -26,13 +26,13 @@ The kubelet has a single default network plugin, and a default network common to ## Network Plugin Requirements -Besides providing the [`NetworkPlugin` interface](https://github.com/kubernetes/kubernetes/tree/{{page.version}}.0/pkg/kubelet/network/plugins.go) to configure and clean up pod networking, the plugin may also need specific support for kube-proxy. The iptables proxy obviously depends on iptables, and the plugin may need to ensure that container traffic is made available to iptables. For example, if the plugin connects containers to a Linux bridge, the plugin must set the `net/bridge/bridge-nf-call-iptables` sysctl to `1` to ensure that the iptables proxy functions correctly. If the plugin does not use a Linux bridge (but instead something like Open vSwitch or some other mechanism) it should ensure container traffic is appropriately routed for the proxy. +Besides providing the [`NetworkPlugin` interface](https://github.com/kubernetes/kubernetes/tree/{{page.version}}/pkg/kubelet/network/plugins.go) to configure and clean up pod networking, the plugin may also need specific support for kube-proxy. The iptables proxy obviously depends on iptables, and the plugin may need to ensure that container traffic is made available to iptables. For example, if the plugin connects containers to a Linux bridge, the plugin must set the `net/bridge/bridge-nf-call-iptables` sysctl to `1` to ensure that the iptables proxy functions correctly. If the plugin does not use a Linux bridge (but instead something like Open vSwitch or some other mechanism) it should ensure container traffic is appropriately routed for the proxy. By default if no kubelet network plugin is specified, the `noop` plugin is used, which sets `net/bridge/bridge-nf-call-iptables=1` to ensure simple configurations (like docker with a bridge) work correctly with the iptables proxy. ### Exec -Place plugins in `network-plugin-dir/plugin-name/plugin-name`, i.e if you have a bridge plugin and `network-plugin-dir` is `/usr/lib/kubernetes`, you'd place the bridge plugin executable at `/usr/lib/kubernetes/bridge/bridge`. See [this comment](https://github.com/kubernetes/kubernetes/tree/{{page.version}}.0/pkg/kubelet/network/exec/exec.go) for more details. +Place plugins in `network-plugin-dir/plugin-name/plugin-name`, i.e if you have a bridge plugin and `network-plugin-dir` is `/usr/lib/kubernetes`, you'd place the bridge plugin executable at `/usr/lib/kubernetes/bridge/bridge`. See [this comment](https://github.com/kubernetes/kubernetes/tree/{{page.version}}/pkg/kubelet/network/exec/exec.go) for more details. ### CNI diff --git a/docs/getting-started-guides/minikube.md b/docs/getting-started-guides/minikube.md index 4807e8dec8..b7fefcf3c4 100644 --- a/docs/getting-started-guides/minikube.md +++ b/docs/getting-started-guides/minikube.md @@ -36,13 +36,13 @@ Minikube is a tool that makes it easy to run Kubernetes locally. Minikube runs a **Kubectl for Linux/amd64** ``` -curl -Lo kubectl http://storage.googleapis.com/kubernetes-release/release/{{page.version}}.0/bin/linux/amd64/kubectl && chmod +x kubectl && sudo mv kubectl /usr/local/bin/ +curl -Lo kubectl http://storage.googleapis.com/kubernetes-release/release/{{page.version}}/bin/linux/amd64/kubectl && chmod +x kubectl && sudo mv kubectl /usr/local/bin/ ``` **Kubectl for OS X/amd64** ``` -curl -Lo kubectl http://storage.googleapis.com/kubernetes-release/release/{{page.version}}.0/bin/darwin/amd64/kubectl && chmod +x kubectl && sudo mv kubectl /usr/local/bin/ +curl -Lo kubectl http://storage.googleapis.com/kubernetes-release/release/{{page.version}}/bin/darwin/amd64/kubectl && chmod +x kubectl && sudo mv kubectl /usr/local/bin/ ``` ### Instructions @@ -316,4 +316,4 @@ For more information about minikube, see the [proposal](https://github.com/kuber ## Community -Contributions, questions, and comments are all welcomed and encouraged! minkube developers hang out on [Slack](https://kubernetes.slack.com) in the #minikube channel (get an invitation [here](http://slack.kubernetes.io/)). We also have the [kubernetes-dev Google Groups mailing list](https://groups.google.com/forum/#!forum/kubernetes-dev). If you are posting to the list please prefix your subject with "minikube: ". \ No newline at end of file +Contributions, questions, and comments are all welcomed and encouraged! minkube developers hang out on [Slack](https://kubernetes.slack.com) in the #minikube channel (get an invitation [here](http://slack.kubernetes.io/)). We also have the [kubernetes-dev Google Groups mailing list](https://groups.google.com/forum/#!forum/kubernetes-dev). If you are posting to the list please prefix your subject with "minikube: ". From 668e1a27ddfae0f7485d8be41f3e43ceeb9da022 Mon Sep 17 00:00:00 2001 From: gunjan5 Date: Thu, 15 Dec 2016 13:25:49 -0800 Subject: [PATCH 34/63] Update Calico docs link --- docs/admin/addons.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/admin/addons.md b/docs/admin/addons.md index 1555f8263c..e91ba6e661 100644 --- a/docs/admin/addons.md +++ b/docs/admin/addons.md @@ -11,7 +11,7 @@ Add-ons in each section are sorted alphabetically - the ordering does not imply ## Networking and Network Policy -* [Calico](http://docs.projectcalico.org/v1.6/getting-started/kubernetes/installation/hosted/) is a secure L3 networking and network policy provider. +* [Calico](http://docs.projectcalico.org/v2.0/getting-started/kubernetes/installation/hosted/) is a secure L3 networking and network policy provider. * [Canal](https://github.com/tigera/canal/tree/master/k8s-install/kubeadm) unites Flannel and Calico, providing networking and network policy. * [Flannel](https://github.com/coreos/flannel/blob/master/Documentation/kube-flannel.yml) is a overlay network provider that can be used with Kubernetes. * [Romana](http://romana.io) is a Layer 3 networking solution for pod networks that also supports the [NetworkPolicy API](/docs/user-guide/networkpolicies/). Kubeadm add-on installation details available [here](https://github.com/romana/romana/tree/master/containerize). From b301f4ad3a6f737d06f8653abc6b059bb179206d Mon Sep 17 00:00:00 2001 From: Ben Balter Date: Thu, 15 Dec 2016 17:06:04 -0500 Subject: [PATCH 35/63] add notitle attribute to pages that shouldnt have a title --- docs/admin/federation-apiserver.md | 1 + docs/admin/federation-controller-manager.md | 1 + docs/admin/kube-apiserver.md | 1 + docs/admin/kube-controller-manager.md | 1 + docs/admin/kube-proxy.md | 1 + docs/admin/kube-scheduler.md | 1 + docs/admin/kubelet.md | 1 + 7 files changed, 7 insertions(+) diff --git a/docs/admin/federation-apiserver.md b/docs/admin/federation-apiserver.md index 77b066854c..72d71547c7 100644 --- a/docs/admin/federation-apiserver.md +++ b/docs/admin/federation-apiserver.md @@ -1,5 +1,6 @@ --- title: federation-apiserver +notitle: true --- ## federation-apiserver diff --git a/docs/admin/federation-controller-manager.md b/docs/admin/federation-controller-manager.md index 5e87fce3d0..d3dca5bf06 100644 --- a/docs/admin/federation-controller-manager.md +++ b/docs/admin/federation-controller-manager.md @@ -1,5 +1,6 @@ --- title: federation-controller-mananger +notitle: true --- ## federation-controller-manager diff --git a/docs/admin/kube-apiserver.md b/docs/admin/kube-apiserver.md index e8142fac4e..bc08ef1f0a 100644 --- a/docs/admin/kube-apiserver.md +++ b/docs/admin/kube-apiserver.md @@ -1,5 +1,6 @@ --- title: kube-apiserver +notitle: true --- ## kube-apiserver diff --git a/docs/admin/kube-controller-manager.md b/docs/admin/kube-controller-manager.md index 5dab0da7e2..f6f11c5f37 100644 --- a/docs/admin/kube-controller-manager.md +++ b/docs/admin/kube-controller-manager.md @@ -1,5 +1,6 @@ --- title: kube-controller-manager +notitle: true --- ## kube-controller-manager diff --git a/docs/admin/kube-proxy.md b/docs/admin/kube-proxy.md index f643748624..31d3263b5d 100644 --- a/docs/admin/kube-proxy.md +++ b/docs/admin/kube-proxy.md @@ -1,5 +1,6 @@ --- title: kube-proxy +notitle: true --- ## kube-proxy diff --git a/docs/admin/kube-scheduler.md b/docs/admin/kube-scheduler.md index bb6799bb73..6d3b8c9f64 100644 --- a/docs/admin/kube-scheduler.md +++ b/docs/admin/kube-scheduler.md @@ -1,5 +1,6 @@ --- title: kube-scheduler +notitle: true --- ## kube-scheduler diff --git a/docs/admin/kubelet.md b/docs/admin/kubelet.md index 74186eb1ba..b272f869ab 100644 --- a/docs/admin/kubelet.md +++ b/docs/admin/kubelet.md @@ -1,5 +1,6 @@ --- title: Overview +notitle: true --- ## kubelet From 6b9326f0851d6e6a603698f5dd48463ee1593298 Mon Sep 17 00:00:00 2001 From: Doug Davis Date: Thu, 15 Dec 2016 18:30:55 -0500 Subject: [PATCH 36/63] fix indentation of a few lines --- docs/user-guide/kubectl-overview.md | 3 --- 1 file changed, 3 deletions(-) diff --git a/docs/user-guide/kubectl-overview.md b/docs/user-guide/kubectl-overview.md index cc08e47c68..eca4770bc1 100644 --- a/docs/user-guide/kubectl-overview.md +++ b/docs/user-guide/kubectl-overview.md @@ -18,7 +18,6 @@ kubectl [command] [TYPE] [NAME] [flags] ``` where `command`, `TYPE`, `NAME`, and `flags` are: - * `command`: Specifies the operation that you want to perform on one or more resources, for example `create`, `get`, `describe`, `delete`. * `TYPE`: Specifies the [resource type](#resource-types). Resource types are case-sensitive and you can specify the singular, plural, or abbreviated forms. For example, the following commands produce the same output: @@ -27,11 +26,9 @@ where `command`, `TYPE`, `NAME`, and `flags` are: $ kubectl get pods pod1 $ kubectl get po pod1 ``` - * `NAME`: Specifies the name of the resource. Names are case-sensitive. If the name is omitted, details for all resources are displayed, for example `$ kubectl get pods`. When performing an operation on multiple resources, you can specify each resource by type and name or specify one or more files: - * To specify resources by type and name: * To group resources if they are all the same type: `TYPE1 name1 name2 name<#>`
    Example: `$ kubectl get pod example-pod1 example-pod2` From 5961a799fe5b3b985fbb6c03d6cc2cda34d190ca Mon Sep 17 00:00:00 2001 From: Cole Mickens Date: Mon, 14 Nov 2016 16:00:18 -0800 Subject: [PATCH 37/63] azure: update for k8s on acs launch --- _data/guides.yml | 4 +- docs/getting-started-guides/azure.md | 28 +- .../coreos/azure/.gitignore | 1 - ...kubernetes-cluster-main-nodes-template.yml | 335 ------------------ .../coreos/azure/index.md | 246 ------------- .../coreos/azure/package.json | 19 - docs/getting-started-guides/coreos/index.md | 6 - docs/getting-started-guides/index.md | 10 +- images/docs/initial_cluster.png | Bin 173212 -> 0 bytes 9 files changed, 31 insertions(+), 618 deletions(-) delete mode 100644 docs/getting-started-guides/coreos/azure/.gitignore delete mode 100644 docs/getting-started-guides/coreos/azure/cloud_config_templates/kubernetes-cluster-main-nodes-template.yml delete mode 100644 docs/getting-started-guides/coreos/azure/index.md delete mode 100644 docs/getting-started-guides/coreos/azure/package.json delete mode 100644 images/docs/initial_cluster.png diff --git a/_data/guides.yml b/_data/guides.yml index cd685afd5a..c134e7a8ca 100644 --- a/_data/guides.yml +++ b/_data/guides.yml @@ -171,10 +171,10 @@ toc: path: /docs/getting-started-guides/gce/ - title: Running Kubernetes on AWS EC2 path: /docs/getting-started-guides/aws/ + - title: Running Kubernetes on Azure Container Service + path: https://docs.microsoft.com/en-us/azure/container-service/container-service-kubernetes-walkthrough - title: Running Kubernetes on Azure path: /docs/getting-started-guides/azure/ - - title: Running Kubernetes on Azure (Weave-based) - path: /docs/getting-started-guides/coreos/azure/ - title: Running Kubernetes on CenturyLink Cloud path: /docs/getting-started-guides/clc/ - title: Running Kubernetes on IBM SoftLayer diff --git a/docs/getting-started-guides/azure.md b/docs/getting-started-guides/azure.md index 40652e3172..093ce614f9 100644 --- a/docs/getting-started-guides/azure.md +++ b/docs/getting-started-guides/azure.md @@ -1,12 +1,30 @@ --- assignees: - colemickens -- jeffmendoza +- brendandburns --- -The recommended approach for deploying a Kubernetes 1.4 cluster on Azure is the -[`kubernetes-anywhere`](https://github.com/kubernetes/kubernetes-anywhere) project. +## Azure Container Service -You will want to take a look at the -[Azure Getting Started Guide](https://github.com/kubernetes/kubernetes-anywhere/blob/master/phase1/azure/README.md). +The [Azure Container Service](https://azure.microsoft.com/en-us/services/container-service/) offers simple +deployments of one of three open source orchestrators: DC/OS, Swarm, and Kubernetes clusters. + +For an example of deploying a Kubernetes cluster onto Azure via the Azure Container Service: + +**[Microsoft Azure Container Service - Kubernetes Walkthrough](https://docs.microsoft.com/en-us/azure/container-service/container-service-kubernetes-walkthrough)** + +## Custom Deployments: ACS-Engine + +The core of the Azure Container Service is **open source** and available on GitHub for the community +to use and contribute to: **[ACS-Engine](https://github.com/Azure/acs-engine)**. + +ACS-Engine is a good choice if you need to make customizations to the deployment beyond what the Azure Container +Service officially supports. These customizations include deploying into existing virtual networks, utilizing multiple +agent pools, and more. Some community contributions to ACS-Engine may even become features of the Azure Container Service. + +The input to ACS-Engine is similar to the ARM template syntax used to deploy a cluster directly with the Azure Container Service. +The resulting output is an Azure Resource Manager Template that can then be checked into source control and can then be used +to deploy Kubernetes clusters into Azure. + +You can get started quickly by following the **[ACS-Engine Kubernetes Walkthrough](https://github.com/Azure/acs-engine/blob/master/docs/kubernetes.md)**. diff --git a/docs/getting-started-guides/coreos/azure/.gitignore b/docs/getting-started-guides/coreos/azure/.gitignore deleted file mode 100644 index c2658d7d1b..0000000000 --- a/docs/getting-started-guides/coreos/azure/.gitignore +++ /dev/null @@ -1 +0,0 @@ -node_modules/ diff --git a/docs/getting-started-guides/coreos/azure/cloud_config_templates/kubernetes-cluster-main-nodes-template.yml b/docs/getting-started-guides/coreos/azure/cloud_config_templates/kubernetes-cluster-main-nodes-template.yml deleted file mode 100644 index d44b26318d..0000000000 --- a/docs/getting-started-guides/coreos/azure/cloud_config_templates/kubernetes-cluster-main-nodes-template.yml +++ /dev/null @@ -1,335 +0,0 @@ -## This file is used as input to deployment script, which amends it as needed. -## More specifically, we need to add environment files for as many nodes as we -## are going to deploy. - -write_files: - - path: /opt/bin/curl-retry.sh - permissions: '0755' - owner: root - content: | - #!/bin/sh -x - until curl $@ - do sleep 1 - done - -coreos: - update: - group: stable - reboot-strategy: off - units: - - name: systemd-networkd-wait-online.service - drop-ins: - - name: 50-check-github-is-reachable.conf - content: | - [Service] - ExecStart=/bin/sh -x -c \ - 'until curl --silent --fail https://status.github.com/api/status.json | grep -q \"good\"; do sleep 2; done' - - - name: weave-network.target - enable: true - content: | - [Unit] - Description=Weave Network Setup Complete - Documentation=man:systemd.special(7) - RefuseManualStart=no - After=network-online.target - [Install] - WantedBy=multi-user.target - WantedBy=kubernetes-master.target - WantedBy=kubernetes-node.target - - - name: kubernetes-master.target - enable: true - command: start - content: | - [Unit] - Description=Kubernetes Cluster Master - Documentation=http://kubernetes.io/ - RefuseManualStart=no - After=weave-network.target - Requires=weave-network.target - ConditionHost=kube-00 - Wants=kube-apiserver.service - Wants=kube-scheduler.service - Wants=kube-controller-manager.service - Wants=kube-proxy.service - [Install] - WantedBy=multi-user.target - - - name: kubernetes-node.target - enable: true - command: start - content: | - [Unit] - Description=Kubernetes Cluster Node - Documentation=http://kubernetes.io/ - RefuseManualStart=no - After=weave-network.target - Requires=weave-network.target - ConditionHost=!kube-00 - Wants=kube-proxy.service - Wants=kubelet.service - [Install] - WantedBy=multi-user.target - - - name: 10-weave.network - runtime: false - content: | - [Match] - Type=bridge - Name=weave* - [Network] - - - name: install-weave.service - enable: true - content: | - [Unit] - After=network-online.target - After=docker.service - Before=weave.service - Description=Install Weave - Documentation=http://docs.weave.works/ - Requires=network-online.target - [Service] - EnvironmentFile=-/etc/weave.%H.env - EnvironmentFile=-/etc/weave.env - Type=oneshot - RemainAfterExit=yes - TimeoutStartSec=0 - ExecStartPre=/bin/mkdir -p /opt/bin/ - ExecStartPre=/opt/bin/curl-retry.sh \ - --silent \ - --location \ - git.io/weave \ - --output /opt/bin/weave - ExecStartPre=/usr/bin/chmod +x /opt/bin/weave - ExecStart=/opt/bin/weave setup - [Install] - WantedBy=weave-network.target - WantedBy=weave.service - - - name: weaveproxy.service - enable: true - content: | - [Unit] - After=install-weave.service - After=docker.service - Description=Weave proxy for Docker API - Documentation=http://docs.weave.works/ - Requires=docker.service - Requires=install-weave.service - [Service] - EnvironmentFile=-/etc/weave.%H.env - EnvironmentFile=-/etc/weave.env - ExecStartPre=/opt/bin/weave launch-proxy --rewrite-inspect --without-dns - ExecStart=/usr/bin/docker attach weaveproxy - Restart=on-failure - ExecStop=/opt/bin/weave stop-proxy - [Install] - WantedBy=weave-network.target - - - name: weave.service - enable: true - content: | - [Unit] - After=install-weave.service - After=docker.service - Description=Weave Network Router - Documentation=http://docs.weave.works/ - Requires=docker.service - Requires=install-weave.service - [Service] - TimeoutStartSec=0 - EnvironmentFile=-/etc/weave.%H.env - EnvironmentFile=-/etc/weave.env - ExecStartPre=/opt/bin/weave launch-router $WEAVE_PEERS - ExecStart=/usr/bin/docker attach weave - Restart=on-failure - ExecStop=/opt/bin/weave stop-router - [Install] - WantedBy=weave-network.target - - - name: weave-expose.service - enable: true - content: | - [Unit] - After=install-weave.service - After=weave.service - After=docker.service - Documentation=http://docs.weave.works/ - Requires=docker.service - Requires=install-weave.service - Requires=weave.service - [Service] - Type=oneshot - RemainAfterExit=yes - TimeoutStartSec=0 - EnvironmentFile=-/etc/weave.%H.env - EnvironmentFile=-/etc/weave.env - ExecStart=/opt/bin/weave expose - ExecStop=/opt/bin/weave hide - [Install] - WantedBy=weave-network.target - - - name: install-kubernetes.service - enable: true - content: | - [Unit] - After=network-online.target - Before=kube-apiserver.service - Before=kube-controller-manager.service - Before=kubelet.service - Before=kube-proxy.service - Description=Download Kubernetes Binaries - Documentation=http://kubernetes.io/ - Requires=network-online.target - [Service] - Environment=KUBE_RELEASE_TARBALL=https://github.com/kubernetes/kubernetes/releases/download/v1.2.2/kubernetes.tar.gz - ExecStartPre=/bin/mkdir -p /opt/ - ExecStart=/opt/bin/curl-retry.sh --silent --location $KUBE_RELEASE_TARBALL --output /tmp/kubernetes.tgz - ExecStart=/bin/tar xzvf /tmp/kubernetes.tgz -C /tmp/ - ExecStart=/bin/tar xzvf /tmp/kubernetes/server/kubernetes-server-linux-amd64.tar.gz -C /opt - ExecStartPost=/bin/chmod o+rx -R /opt/kubernetes - ExecStartPost=/bin/ln -s /opt/kubernetes/server/bin/kubectl /opt/bin/ - ExecStartPost=/bin/mv /tmp/kubernetes/examples/guestbook /home/core/guestbook-example - ExecStartPost=/bin/chown core. -R /home/core/guestbook-example - ExecStartPost=/bin/rm -rf /tmp/kubernetes - ExecStartPost=/bin/sed 's/# type: LoadBalancer/type: NodePort/' -i /home/core/guestbook-example/frontend-service.yaml - RemainAfterExit=yes - Type=oneshot - [Install] - WantedBy=kubernetes-master.target - WantedBy=kubernetes-node.target - - - name: kube-apiserver.service - enable: true - content: | - [Unit] - After=install-kubernetes.service - Before=kube-controller-manager.service - Before=kube-scheduler.service - ConditionFileIsExecutable=/opt/kubernetes/server/bin/kube-apiserver - Description=Kubernetes API Server - Documentation=http://kubernetes.io/ - Wants=install-kubernetes.service - ConditionHost=kube-00 - [Service] - ExecStart=/opt/kubernetes/server/bin/kube-apiserver \ - --insecure-bind-address=0.0.0.0 \ - --advertise-address=$public_ipv4 \ - --insecure-port=8080 \ - $ETCD_SERVERS \ - --service-cluster-ip-range=10.16.0.0/12 \ - --cloud-provider= \ - --logtostderr=true - Restart=always - RestartSec=10 - [Install] - WantedBy=kubernetes-master.target - - - name: kube-scheduler.service - enable: true - content: | - [Unit] - After=kube-apiserver.service - After=install-kubernetes.service - ConditionFileIsExecutable=/opt/kubernetes/server/bin/kube-scheduler - Description=Kubernetes Scheduler - Documentation=http://kubernetes.io/ - Wants=kube-apiserver.service - ConditionHost=kube-00 - [Service] - ExecStart=/opt/kubernetes/server/bin/kube-scheduler \ - --logtostderr=true \ - --master=127.0.0.1:8080 - Restart=always - RestartSec=10 - [Install] - WantedBy=kubernetes-master.target - - - name: kube-controller-manager.service - enable: true - content: | - [Unit] - After=install-kubernetes.service - After=kube-apiserver.service - ConditionFileIsExecutable=/opt/kubernetes/server/bin/kube-controller-manager - Description=Kubernetes Controller Manager - Documentation=http://kubernetes.io/ - Wants=kube-apiserver.service - Wants=install-kubernetes.service - ConditionHost=kube-00 - [Service] - ExecStart=/opt/kubernetes/server/bin/kube-controller-manager \ - --master=127.0.0.1:8080 \ - --logtostderr=true - Restart=always - RestartSec=10 - [Install] - WantedBy=kubernetes-master.target - - - name: kubelet.service - enable: true - content: | - [Unit] - After=install-kubernetes.service - ConditionFileIsExecutable=/opt/kubernetes/server/bin/kubelet - Description=Kubernetes Kubelet - Documentation=http://kubernetes.io/ - Wants=install-kubernetes.service - ConditionHost=!kube-00 - [Service] - ExecStartPre=/bin/mkdir -p /etc/kubernetes/manifests/ - ExecStart=/opt/kubernetes/server/bin/kubelet \ - --docker-endpoint=unix://var/run/weave/weave.sock \ - --address=0.0.0.0 \ - --port=10250 \ - --hostname-override=%H \ - --api-servers=http://kube-00:8080 \ - --logtostderr=true \ - --cluster-dns=10.16.0.3 \ - --cluster-domain=kube.local \ - --config=/etc/kubernetes/manifests/ - Restart=always - RestartSec=10 - [Install] - WantedBy=kubernetes-node.target - - - name: kube-proxy.service - enable: true - content: | - [Unit] - After=install-kubernetes.service - ConditionFileIsExecutable=/opt/kubernetes/server/bin/kube-proxy - Description=Kubernetes Proxy - Documentation=http://kubernetes.io/ - Wants=install-kubernetes.service - [Service] - ExecStart=/opt/kubernetes/server/bin/kube-proxy \ - --master=http://kube-00:8080 \ - --logtostderr=true - Restart=always - RestartSec=10 - [Install] - WantedBy=kubernetes-master.target - WantedBy=kubernetes-node.target - - - name: kube-create-addons.service - enable: true - content: | - [Unit] - After=install-kubernetes.service - ConditionFileIsExecutable=/opt/kubernetes/server/bin/kubectl - ConditionPathIsDirectory=/etc/kubernetes/addons/ - ConditionHost=kube-00 - Description=Kubernetes Addons - Documentation=http://kubernetes.io/ - Wants=install-kubernetes.service - Wants=kube-apiserver.service - [Service] - Type=oneshot - RemainAfterExit=no - ExecStart=/bin/bash -c 'until /opt/kubernetes/server/bin/kubectl create -f /etc/kubernetes/addons/; do sleep 2; done' - SuccessExitStatus=1 - [Install] - WantedBy=kubernetes-master.target diff --git a/docs/getting-started-guides/coreos/azure/index.md b/docs/getting-started-guides/coreos/azure/index.md deleted file mode 100644 index 589cf81fcc..0000000000 --- a/docs/getting-started-guides/coreos/azure/index.md +++ /dev/null @@ -1,246 +0,0 @@ ---- ---- - -* TOC -{:toc} - - -In this guide I will demonstrate how to deploy a Kubernetes cluster to Azure cloud. You will be using CoreOS with Weave, which implements simple and secure networking, in a transparent, yet robust way. The purpose of this guide is to provide an out-of-the-box implementation that can ultimately be taken into production with little change. It will demonstrate how to provision a dedicated Kubernetes master and etcd nodes, and show how to scale the cluster with ease. - -### Prerequisites - -1. You need an Azure account. - -## Let's go! - -To get started, you need to checkout the code: - -```shell -https://github.com/weaveworks-guides/weave-kubernetes-coreos-azure -cd weave-kubernetes-coreos-azure -``` - -You will need to have [Node.js installed](http://nodejs.org/download/) on you machine. If you have previously used Azure CLI, you should have it already. - -First, you need to install some of the dependencies with - -```shell -npm install -``` - -Now, all you need to do is: - -```shell -./azure-login.js -u -./create-kubernetes-cluster.js -``` - -This script will provision a cluster suitable for production use, where there is a ring of 3 dedicated etcd nodes: 1 kubernetes master and 2 kubernetes nodes. The `kube-00` VM will be the master, your work loads are only to be deployed on the nodes, `kube-01` and `kube-02`. Initially, all VMs are single-core, to ensure a user of the free tier can reproduce it without paying extra. I will show how to add more bigger VMs later. -If you need to pass Azure specific options for the creation script you can do this via additional environment variables e.g. - -```shell -AZ_SUBSCRIPTION= AZ_LOCATION="East US" ./create-kubernetes-cluster.js -# or -AZ_VM_COREOS_CHANNEL=beta ./create-kubernetes-cluster.js -``` - -![VMs in Azure](/images/docs/initial_cluster.png) - -Once the creation of Azure VMs has finished, you should see the following: - -```shell -... -azure_wrapper/info: Saved SSH config, you can use it like so: `ssh -F ./output/kube_1c1496016083b4_ssh_conf ` -azure_wrapper/info: The hosts in this deployment are: - [ 'etcd-00', 'etcd-01', 'etcd-02', 'kube-00', 'kube-01', 'kube-02' ] -azure_wrapper/info: Saved state into `./output/kube_1c1496016083b4_deployment.yml` -``` - -Let's login to the master node like so: - -```shell -ssh -F ./output/kube_1c1496016083b4_ssh_conf kube-00 -``` - -> Note: config file name will be different, make sure to use the one you see. - -Check there are 2 nodes in the cluster: - -```shell -core@kube-00 ~ $ kubectl get nodes -NAME LABELS STATUS -kube-01 kubernetes.io/hostname=kube-01 Ready -kube-02 kubernetes.io/hostname=kube-02 Ready -``` - -## Deploying the workload - -Let's follow the Guestbook example now: - -```shell -kubectl create -f ~/guestbook-example -``` - -You need to wait for the pods to get deployed, run the following and wait for `STATUS` to change from `Pending` to `Running`. - -```shell -kubectl get pods --watch -``` - -> Note: the most time it will spend downloading Docker container images on each of the nodes. - -Eventually you should see: - -```shell -NAME READY STATUS RESTARTS AGE -frontend-0a9xi 1/1 Running 0 4m -frontend-4wahe 1/1 Running 0 4m -frontend-6l36j 1/1 Running 0 4m -redis-master-talmr 1/1 Running 0 4m -redis-slave-12zfd 1/1 Running 0 4m -redis-slave-3nbce 1/1 Running 0 4m -``` - -## Scaling - -Two single-core nodes are certainly not enough for a production system of today. Let's scale the cluster by adding a couple of bigger nodes. - -You will need to open another terminal window on your machine and go to the same working directory (e.g. `~/Workspace/kubernetes/docs/getting-started-guides/coreos/azure/`). - -First, lets set the size of new VMs: - -```shell -export AZ_VM_SIZE=Large -``` - -Now, run scale script with state file of the previous deployment and number of nodes to add: - -```shell -core@kube-00 ~ $ ./scale-kubernetes-cluster.js ./output/kube_1c1496016083b4_deployment.yml 2 -... -azure_wrapper/info: Saved SSH config, you can use it like so: `ssh -F ./output/kube_8f984af944f572_ssh_conf ` -azure_wrapper/info: The hosts in this deployment are: - [ 'etcd-00', - 'etcd-01', - 'etcd-02', - 'kube-00', - 'kube-01', - 'kube-02', - 'kube-03', - 'kube-04' ] -azure_wrapper/info: Saved state into `./output/kube_8f984af944f572_deployment.yml` -``` - -> Note: this step has created new files in `./output`. - -Back on `kube-00`: - -```shell -core@kube-00 ~ $ kubectl get nodes -NAME LABELS STATUS -kube-01 kubernetes.io/hostname=kube-01 Ready -kube-02 kubernetes.io/hostname=kube-02 Ready -kube-03 kubernetes.io/hostname=kube-03 Ready -kube-04 kubernetes.io/hostname=kube-04 Ready -``` - -You can see that two more nodes joined happily. Let's scale the number of Guestbook instances now. - -First, double-check how many replication controllers there are: - -```shell -core@kube-00 ~ $ kubectl get rc -ONTROLLER CONTAINER(S) IMAGE(S) SELECTOR REPLICAS -frontend php-redis kubernetes/example-guestbook-php-redis:v2 name=frontend 3 -redis-master master redis name=redis-master 1 -redis-slave worker kubernetes/redis-slave:v2 name=redis-slave 2 -``` - -As there are 4 nodes, let's scale proportionally: - -```shell -core@kube-00 ~ $ kubectl scale --replicas=4 rc redis-slave -scaled -core@kube-00 ~ $ kubectl scale --replicas=4 rc frontend -scaled -``` - -Check what you have now: - -```shell -core@kube-00 ~ $ kubectl get rc -CONTROLLER CONTAINER(S) IMAGE(S) SELECTOR REPLICAS -frontend php-redis kubernetes/example-guestbook-php-redis:v2 name=frontend 4 -redis-master master redis name=redis-master 1 -redis-slave worker kubernetes/redis-slave:v2 name=redis-slave 4 -``` - -You now will have more instances of front-end Guestbook apps and Redis slaves; and, if you look up all pods labeled `name=frontend`, you should see one running on each node. - -```shell -core@kube-00 ~/guestbook-example $ kubectl get pods -l name=frontend -NAME READY STATUS RESTARTS AGE -frontend-0a9xi 1/1 Running 0 22m -frontend-4wahe 1/1 Running 0 22m -frontend-6l36j 1/1 Running 0 22m -frontend-z9oxo 1/1 Running 0 41s -``` - -## Exposing the app to the outside world - -There is no native Azure load-balancer support in Kubernetes 1.0, however here is how you can expose the Guestbook app to the Internet. - -```shell -./expose_guestbook_app_port.sh ./output/kube_1c1496016083b4_ssh_conf -Guestbook app is on port 31605, will map it to port 80 on kube-00 -info: Executing command vm endpoint create -+ Getting virtual machines -+ Reading network configuration -+ Updating network configuration -info: vm endpoint create command OK -info: Executing command vm endpoint show -+ Getting virtual machines -data: Name : tcp-80-31605 -data: Local port : 31605 -data: Protcol : tcp -data: Virtual IP Address : 137.117.156.164 -data: Direct server return : Disabled -info: vm endpoint show command OK -``` - -You then should be able to access it from anywhere via the Azure virtual IP for `kube-00` displayed above, i.e. `http://137.117.156.164/` in my case. - -## Next steps - -You now have a full-blown cluster running in Azure, congrats! - -You should probably try deploy other [example apps](https://github.com/kubernetes/kubernetes/tree/{{page.githubbranch}}/examples/) or write your own ;) - -## Tear down... - -If you don't wish care about the Azure bill, you can tear down the cluster. It's easy to redeploy it, as you can see. - -```shell -./destroy-cluster.js ./output/kube_8f984af944f572_deployment.yml -``` - -> Note: make sure to use the _latest state file_, as after scaling there is a new one. - -By the way, with the scripts shown, you can deploy multiple clusters, if you like :) - -## Support Level - - -IaaS Provider | Config. Mgmt | OS | Networking | Docs | Conforms | Support Level --------------------- | ------------ | ------ | ---------- | --------------------------------------------- | ---------| ---------------------------- -Azure | CoreOS | CoreOS | Weave | [docs](/docs/getting-started-guides/coreos/azure/) | | Community ([@errordeveloper](https://github.com/errordeveloper), [@squillace](https://github.com/squillace), [@chanezon](https://github.com/chanezon), [@crossorigin](https://github.com/crossorigin)) - - -For support level information on all solutions, see the [Table of solutions](/docs/getting-started-guides/#table-of-solutions) chart. - - -## Further reading - -Please see the [Kubernetes docs](/docs/) for more details on administering -and using a Kubernetes cluster - diff --git a/docs/getting-started-guides/coreos/azure/package.json b/docs/getting-started-guides/coreos/azure/package.json deleted file mode 100644 index 2ab720ea45..0000000000 --- a/docs/getting-started-guides/coreos/azure/package.json +++ /dev/null @@ -1,19 +0,0 @@ -{ - "name": "coreos-azure-weave", - "version": "1.0.0", - "description": "Small utility to bring up a woven CoreOS cluster", - "main": "index.js", - "scripts": { - "test": "echo \"Error: no test specified\" && exit 1" - }, - "author": "Ilya Dmitrichenko ", - "license": "Apache 2.0", - "dependencies": { - "azure-cli": "^0.10.1", - "colors": "^1.0.3", - "js-yaml": "^3.2.5", - "openssl-wrapper": "^0.2.1", - "underscore": "^1.7.0", - "underscore.string": "^3.0.2" - } -} diff --git a/docs/getting-started-guides/coreos/index.md b/docs/getting-started-guides/coreos/index.md index 80199a61c0..d0840cedde 100644 --- a/docs/getting-started-guides/coreos/index.md +++ b/docs/getting-started-guides/coreos/index.md @@ -71,12 +71,6 @@ Guide to running a single master, multi-worker cluster controlled by an OS X men
    -[**Resizable multi-node cluster on Azure with Weave**](/docs/getting-started-guides/coreos/azure/) - -Guide to running an HA etcd cluster with a single master on Azure. Uses the Azure node.js CLI to resize the cluster. - -
    - [**Multi-node cluster using cloud-config, CoreOS and VMware ESXi**](https://github.com/xavierbaude/VMware-coreos-multi-nodes-Kubernetes) Configure a single master, single worker cluster on VMware ESXi. diff --git a/docs/getting-started-guides/index.md b/docs/getting-started-guides/index.md index 609a0cc03d..6bac4acde8 100644 --- a/docs/getting-started-guides/index.md +++ b/docs/getting-started-guides/index.md @@ -37,6 +37,9 @@ Use the [Minikube getting started guide](/docs/getting-started-guides/minikube/) [Google Container Engine](https://cloud.google.com/container-engine) offers managed Kubernetes clusters. +[Azure Container Service](https://azure.microsoft.com/en-us/services/container-service/) can easily deploy Kubernetes +clusters. + [Stackpoint.io](https://stackpoint.io) provides Kubernetes infrastructure automation and management for multiple public clouds. [AppsCode.com](https://appscode.com/products/cloud-deployment/) provides managed Kubernetes clusters for various public clouds (including AWS and Google Cloud Platform). @@ -54,8 +57,7 @@ few commands, and have active community support. - [GCE](/docs/getting-started-guides/gce) - [AWS](/docs/getting-started-guides/aws) -- [Azure](/docs/getting-started-guides/azure/) -- [Azure](/docs/getting-started-guides/coreos/azure/) (Weave-based, contributed by WeaveWorks employees) +- [Azure](/docs/getting-started-guides/azure) - [CenturyLink Cloud](/docs/getting-started-guides/clc) - [IBM SoftLayer](https://github.com/patrocinio/kubernetes-softlayer) @@ -129,8 +131,8 @@ AppsCode.com | Saltstack | Debian | multi-support | [docs](https://ap KCluster.io | | multi-support | multi-support | [docs](https://kcluster.io) | | Commercial Platform9 | | multi-support | multi-support | [docs](https://platform9.com/products/kubernetes/) | | Commercial GCE | Saltstack | Debian | GCE | [docs](/docs/getting-started-guides/gce) | ['œ“][1] | Project -Azure | CoreOS | CoreOS | Weave | [docs](/docs/getting-started-guides/coreos/azure/) | | Community ([@errordeveloper](https://github.com/errordeveloper), [@squillace](https://github.com/squillace), [@chanezon](https://github.com/chanezon), [@crossorigin](https://github.com/crossorigin)) -Azure | Ignition | Ubuntu | Azure | [docs](/docs/getting-started-guides/azure) | | Community (Microsoft: [@brendandburns](https://github.com/brendandburns), [@colemickens](https://github.com/colemickens)) +Azure Container Service | | Ubuntu | Azure | [docs](https://azure.microsoft.com/en-us/services/container-service/) | | Commercial +Azure (IaaS) | | Ubuntu | Azure | [docs](/docs/getting-started-guides/azure) | | [Community (Microsoft)](https://github.com/Azure/acs-engine) Docker Single Node | custom | N/A | local | [docs](/docs/getting-started-guides/docker) | | Project ([@brendandburns](https://github.com/brendandburns)) Docker Multi Node | custom | N/A | flannel | [docs](/docs/getting-started-guides/docker-multinode) | | Project ([@brendandburns](https://github.com/brendandburns)) Bare-metal | Ansible | Fedora | flannel | [docs](/docs/getting-started-guides/fedora/fedora_ansible_config) | | Project diff --git a/images/docs/initial_cluster.png b/images/docs/initial_cluster.png deleted file mode 100644 index 99646a3fd06ece2c88cbe47a35d59a863d5f8e7a..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 173212 zcmeEubyU>d+BSlKhzN>`fP|z-cb9Z20@5ik^w8ZRBHi8HLo+le(hM*l3^1fL!+^BZ z@QvrZ=e&=Pp0&>R|I1p;Vt#S&z3;vE9oKzrLRDYN5!@!bje&tdpdc@;hJkTw3IhYP z>=q9C%B7Ly4-AYukF2DmR28J8s8yZp0amu=7#Q-QiOIMc@dJjdtg}H^k#p*|{;EP1gi}R@S%|z#<8H#?_VnFgvE7=IREK1eQw1RLs4t5_MeOPM=rh|!JT*30btgSgb|y~)V>9luLgeN1VJVUqjrSeS zF#B7dwmOeb>-W#cFq)e~0xKkfZR0KtvcCEcrHW+5Ltau?%xD(`?+lIJ1JrI@XHV>R zDrpvZR1k`4ms;g@$q%F~x4khR#*5|n8kKRME+kk=^Mg<5XyUoj55qJ84!~FcfcO=x zjXNASByJ=l$uUVs=m#HIeDR2^CD5ab3`SW#7UzHFl@KrEOe1%g@7eaGvxM{I3U+YR zx;}mX9rBff2Oa)IW=-Q`D`!?vN3KjuB}#F=J6se_axY~y`b)0!FL|=7IjLd=)beI9 z4&V=B{R@V1)rSU2$w>eMCQ7^|k|)C|;dc{y-tM<${21f3)6c5PR>taG!+R^sYwF{X4EAwZ(QHminK(DSuvjX|?R;K2F~?~IYVQ88P63wX}7dFHbYPu^ov zE#YfR+_B+G!5Y8O>6_z+;TPZV1B;I+P@@a$QGQa*M**vF46%F(u^;&N30EWfJeBl3 zsR?I0BlOH);m6R}LE>f20*Yhm90=wp+GH55wUy@}$an!8oj*w^mJUqWTwm)e9=-Gy9|Z*w3N;PbY;GR*bR?*TVo)`*98 z?DYv)7pFs!a&PFO5vQc5=bYiA?#^F=v!9B4y)Cac)n<0P+ZvJidHV*wa5%5A-Lw^6 zbk%#t@kEX(y#ftAoZ)V&!!;b}>{QYZ?p+wtT*@BPrNkJxFgQ8)=uYSW-&;?#Z`@(P$OzBjJWh|SB9oY`#Nj*gA(OUi5s^aEK0EKe(afG_L*Tl31I$y(~tV``yk6048SLyS6Di# z$NJSoELg!gk1KHXy40>PSO2D#ByJPlZg&F|*Dyfx``tUVw_d!k zyoL2z&V@+o%aa<(3?lb0gm^MEu{Y`P6l89Ge5~`4MJ_Bhvfs^&P%ZK@EJJ$aX>#n# zRkrbMZm0$iIYdq?#|Elak16_bDtBY7d{d>K z+&A#92}XQhN(vhwP|!q7TOjFUp)rjur{?=aU;Q@8vP2yK480N*d60$3Kyj~sk) zzHtiRj`otQ*nCHNJTwdeFTwUHeTc3VbMEort=}YhLG&~$MlnU{8C?R=3GquJwl0cE zIS)Cy`>E2Vd9-uscwbz;VSXd~_VSy_TjHAdX{9GLvGUt=&T-^S8DALI;%+Oz<#81( z6buT)#&K&!bV6*UP8b>Euvami@Xj#K?lgyAMu@N!KeKqYK|{jUmzd5DehJLh&!6LM z7Hc*MyWf-YO*XWsKt1WTB2z;GegbX+|G~k5*TKla#Om3B(wfp*biYyDUhK8}o1(PW zz9rlxZ?|===^H}5lFvWL=95B2tU~McXLWUXks`=@NUTgrZ~-o~`H23A%Zs8t9Hl1t z@{{T(C6lBV9WO#Za|YYo#tL%^lMNFKv+d~#GY?~YXwQ6?i8G-h@pEEr!qhVg)s~7Q z{nP^6f}P^wH-@=wT4!xe>{zCo+&+(=^g8v5^%ZHYIK-{koHES>@JLb-~@p~gz-!%_;( z*3uJ&%);H`tlSRCcEhV&9FR#7r-~^^wz(HOGBETxu>qqK!y^?Dq5Uj|GOHre(q;+g zDnR;rOj4s}K$5CW`jlto4ZEVoVz-tP0Frz5O6U%SJ4MF`AhS-$zg9!XutHgrsXUms zq`Z{8gn4Q{9}W_(u&5x(*UE9%-pdt}SyT|0@vrl%L*)cUebNXD#^J>|y|Z>F^UlN_ zFj*s62R|2I7`LvKhW*i;HbkIbV6mz9M<5>LOE(?7;PdJSCg|4zo^F?7s}NFafPE4` z6W|7U!t2hlk-o>Xmm!_9Dx$zq`gYt7zbrUeCQBw#CYpYN>uYUS?ZUyDSr$iI7FW_yBxQ(z(*f8+r8n;q;9Jja56tNDsF)H}@UV6LqB4 zEI-`e(ZPjC@T<^~Fqr^@;I2a(vf$f;<@(;OIPOm~aL>>~rj2N}yKK#Dat0{31_y|P z=+e1Q*#3is1YdQp`J=gMp!ZzMyw0w|ZtHxjsEg<{&s48MZ;B(Y zExR?=1F_|+g}xq(*jMrF>*Py%tMJ|89g-FB{9bHlmVcRltR0{iM#X;!6a0%y6rm5O-N}IsG%0 z>|;4Ixl6uC0oJ#=Gxf!>Q?dB8dijrE*X7@pZVx|+G9>X8@1>J{GV!FGNSL-!=)^a} zey+D^_s76~__rzsOS; z0u_<34&|8@$d@j@gAa`gaf|j8{j=|7y-wwfBTe=c2+v4Na8=7;=_jfmhGucwzbqcp z*M7D$;x@1lC;II6J>;mQ6JVWZwX7@uW%{)AWqcFksAv_-UiaK|bKg1>gm~B{-JZ|? z_|oDGb=Jw!MdI*?hyANTldZ`pO_hxIBiitI5`K25QSDoW#qof`H$%^cxRS06jo(z) zEFlk?)*_kfHCYUx7wTQFc!Q5#yk15of|%VaKWpu4HB>bkwA&rSXn@efx8>jBzKz-l z*nlo=ubj6=X>HV}8mpYOwK}qz469L7IMD=e$P@Y2?RVyRT-E0RQ|oyUd+_jrQ}Y*) z8BB9fbAM`gd~E!K9S(fT{-RCP?gGNKSKBSj<6g0_@5ktFq19~RiDauZ=xG&0uJ3i! zF&e)z2!1UyVEApJt^L($&#ui?&sOsG71>4jsekDM4L2l(U8=T@aO>AZ?yiXv?D}i{!_X1XhDi{QJ{xUA6{>0o=^eMZ{FBf z*VkR@h1ABtQamIQ6v^mUcUgImuv=O?QC1Ag%+1ho1gzSkW^x%!Cc2uxI=4gW()Y5X z#r^Zmb(JoHWAKyN&W%JCw4Ik|T`NP*eR7L(zcHK6`=2zeoCj#61SB5Y5!Wji$iJew@D0=H2C~xQ-JEw0H zpI==FqcTtyi}=go%YmOe6Hv4JG6CF9Okq*%r1l? zh9%zj9gIE42Q51&de)CSBhTo+zhY_4R|v<#NX)|c!h%ixAnWy@3GaL5;Ow{+_j*PN zJG(xF<$yv>L+o1KXT3Yi-TnRKtQhi<7(VwRBkt@yAw8=l3~R@iP;cB>U}Tc^=v}O2 z%WZ^*E%hC+*M!*!=G-?#p%Vo>2YDT542(zgKYwp1sL_4Lz_^iRrJ?Pjt)eVsYH!D8 zVrKu=oXx||0sS-vhKPp{`cFG^7ZYj^J6oW$kcTMEKb{am|NZkaI}P8PPx0^^dD)eTm%`VgI-8#cn%r ze`UhJkibxomelaLu``dI@$k(>*M5k0%x)5pNK)~Im88&3Wz{dcUX!q0ALNq#+wdHD zrg2P~$M4^}C@3j{uMeLHbPvyayYICRVGg10X0N@>NEJNHY;t$cy2!X=1FO8ydUlIC z00Z-v4+)|BDWcvd3iI%wkazx3R*Q`g1v^4=IgA@Oi6nmgxWyjBd1+Qe^LG({llbqi zF&)^qDijv`vfKY8?Qg>W@%1CMgt5xa#|*UpWfKMVH!y9+PxmeM?)^#JAFk2dBGM+l z@nPT>9sIk;zc;(37tob<!>?OQ3Yyb!8(dZE9h3 zUnXxodhzRm`{VHc@yL<}@yF-Y>x=%^iToGsra{)bO>45vC);9yY}tcJOsp!SHa=xY za-`%R1Pb6`?)zcw(D5Xy{I-<4tk`14@3fNU@6WW_XJ4LNxRe@{7aeWQGZSeLLk_ z%IIcUHR{d#Ml!hoJ0604W-ZX&Jeow(I#kRtf?qxzU)L*8xFxfO*e^j}&{;9){Mf8_ zSSN4G6O|$?$7MeJOeLKscGo~iY58;Tj`iu@BD-nd^)uQIDkgvXSxZDca8l9BZ4Urj zUUaht!R_SW+}^t)sX|DSRBrn$+nJU(wRC2&l=Cf$A#Nm!FJ8PWw>EO$ouxPJB`r_m zEp#c3b6f0-%BI$XIH{2FC)Jt{4HiMt3+xd1bV^Aqf#z4VKvDCdgjih**!R)5kN?}n zjuZIPbSd$vt#<`tImu*qFi4nn`0Ve8yvDU<(W`kO=uIUbwKKDp2g)@6{6(SG`j|}5{>M_F zT8V@tTnti{e?!6!-WVIpaLb|&PZ7E=Y2?Qs6aL_&F*^-070II8CVg(`A3xs_#gAUf ziiyvjVs)ToISM_1 zS)6UviWhftno#}SO3UwIGF^GgXc$OZxh0l+oz_kz8+bM-XI!dl?51*4Zt-nLROrN4 zWYbziNgr~jn)9kh;T&43LfYLInI;$_lP~s~m1GI1Xhy}(QViD1I$%Qt;00i7nb&%# zocXtDs@1^jIaXp>e|Exo|0)9D*6FTypt5jjGtlm9+u0$~jS98r%Vqb?!}A)+zZ#3X zmu$rFs(Qv+vqGOf2#2r+>3%I(uC=&h5oDdk5y;tzI?5+7JHN~)EYK^CYTPb?n$FRL z8WK{8u^9RB_TvyY*e>uueHec8TmQkJO0yHaF^&YiY^5HTc*x4X;8xuBInVQ|kSI%aQW}HzxV~>THt3ay?6zttX6bys*>xwO-TU+` zeU)I*x6f{T-Yk6}=4nu760;T?beNa7Oe^tex2&{_(LT)R0I@e=*PC_8piYSW-|hsz zz!EGQ7vf}tIjIHj3zgOeRJI=*L0V&seFw$!kh>Ik0im6w%gMtjg7L_^TL(&PclDOv zC9&?f5NKG<*P7=Ek)@0`zERTYG|8{fYh~jQ=Y<)7lu1jqJA912fznuZBQ{@E-S%c# zFHZN|_}fSLB3`q+t}--W(l0TdPV-b|AYn~5 zoKqhWp!IQAPpzYy7P=s$tgk{{qo)9c{1L*NQiOJND22dfK0CG;AJ0RaqUP8S1S1VW zw0@6SXOZ!pJJZb*W_6@&4K|YrgAbX{EjT0o)U`icBMOmN7f8B?1ZNS2moI~%Z+NMt_hU(7qvoWp+{{HMkl76Fd zt)X|p_~t*{Y1>b%0BH_|VR&JV1`@#|?79Wj$X)BO`#_Zu2q7d$lLoC~=>dVNk|Ec!-v8fjyFp@8hNuwK9N0O9u-m)Yz)(hFoA(_sd#m z80x%6F{8KbJ%TAK2cW3E5Y}(5{`Z*aACK(ge@U$A?QCXY&>Qweo0f7Ii2D<*c-ju{ z&}xPCo2xhDlhtkmE>?SDeBR27%-#xMw#-70nzwPhh?)waVEhLOa@jsYY{_Z7qe-{d z1_wj3eP}X;8r2`+b5D4q9iP-;^YM0SXZ*v&%=JABojO2+Kg>zE$*&t{rrtArbud**F`;VV9FW@&a7|!qtqmrc4gbJ%gWk1cj{rRUQ*bd}-!` zCs+zs8_53VP(r&L!#x~3Z?sdIA8o|~ikr9alUZsExOnYn z>1^SIX`rn2Q6nNZ!+K)9dP@M7O)pB|^m3zA=1liY z%3X~+ZFMMFs}?ZuJRNMynQC(~!}2WcA$?^My;AZ_k&WA?8h!LtBV$y1i=$Llmn%!%JF#mniyreGcO6%kYCe*Aj$QMT;=`Et30Co1>w9E=efNQ6|h2rz`WR(dj_>!A3X{QkEdv$}yX zZnH19wtQy_0~xHd$N3k$MOjVLkKcfBJsB~@7 zRJ$VhprBxVD`!dOQdc(uerqF=l-&W|AHC+PcZZc}Y0F_14Xlt%Veo2ymS|7qROc3} zQO##iv1ROMCPO10W^J=tK`IW?^adV#rw$U0{1q||m*d2C7Y<5_N3lu%vQGn_0djCe=j4yQl#6n&Vi;{08*Fq$FXsGpbW2($9k!BApg9Odu<@^E78+; zm(9k3`s4Ynmba%B#8qOGjr=Fv(hFwv?(T>m;Dd#qhg^%Ygb-53p<_`GCWrYpZNuYq zj$C?P*nF*yy63m8jn!rnqohvF$|N=l;pvlTQhvjQz3Untt2z0!H1X$cc9^khYGl0D z#z>xz#d;efal-DPgo-Hh-_{pKpt|PLDJgebC!wn?Otb7wWn4++o99~huN2BePq^8mxY>sfv9o6aIq{Zj#9dT)lO+*Bw2$^t5{? zy8LUU5@YioNO-kea*Sz##KlQ$w*T219;sI!B1q?0 z1`^KX73W0O$rYdpZJr16RudcbI8*gj^Uu>{N`n4iZWIC&{VQvcBi5)#8qI1wDJLdZ z9|*YCHmqvhuDr-IoR_+8K!J^|F55)?Mc*`q(AM-|9b{ z;lY)6L}x_$_k843iPvOV+~OsH&C&G!!KnDP{QCQ0r!#sIZyk%1-Faqpl~Z{#m)gEN zHUqXTa?kY|BkF-OpBuXuDdKQGS)ODr`en1VDtART(i$zaje}HdnDm=s*s{z>PgkU8 zY&t3$f95N%lCwFiYG+=`qJyOv9ucsg@tL6W#=uUqbGxr5?R++0rS1%{A1jeIB7%!F z*hLVcTDg`ppnKT8$$8S?7=+U}KT`hU%*p9Q$705788hsy-L=LcxY5&p1Z*@mv69%6 z!C0BbujB%{G*M1wGh#bGZN)i844jHbBsCzWX593Rqkmp^Eg|+q8P!UxvIsNoRUn)?ovH3e6qBc;Ls{Qc24t8Pp-FgJj3+2i8j3!N#Oz4|1lr8Ub;!nryx{j}k zC)XKK77Ba$mvEa2KiuMi;dE4kXCQ;A6Z2<@4^5{?_ zmCIE(PYC$gRqHg?=j>qcW32e}5>Y0|hz4G_A&(JNUR;&txqhMtyidRprV(eI%$6@n z4-zi=>3)}TyCIDy(z=-hpc1`ew=ZWxrYl7%2g`lgvK9G~%x{z>5)R9>bKebg%|WM( zsx4#hP@pm?cE9FkCa~#@my-a4bCFa>5HMdqo&NlovkZ7|B!BGOIuCJID~{`!3Ss1T zVc^GeLwPxjvUP}k%j#Wy7<`7TD-S@%LJX?6a}Ff&DLCxBFi9BBJhf;lb4&Bnsj|;z zZa=9yPc*S@4Jp@%L~LBQTyVhj3z)=hLn8E~6pocmnCp;jg8>tshgFd8XGg z3B?{gh3Js>U@bRhc2pTt+F_X{|uNxwh8- z+V5=UW{;(BCfKBVQSD%ucAn>qdw4o{*xy_+IjQ~PWEN?u8Ciu(SVO8d=Y#yLSQli= zJLBM&F4k>kJF;|@32_Z6aOEwLtxHGuB+9NB$97Z9Dkc^Hfcl1N+*c;q`H4rM5u<7L zJ}Xg3N*tp*WxVf3PKH7L2LqS=@xs92aT%2)bvQt2IBJXA zVqkioc&GNZfVWKgxLOW-ytaxT1P%pP1M=bw2E1`=S7v+$>>$cFpfbE+R8`-=KZE9r&evyn|7 ztL-)0c9b+hv8e8PG@ZAIidw)b3^vS>e#Ahhe`slqZCNDOfg9eX=@ogEx=JS+jligCDS}$y;YTzZ}%;9sfg!!^Ae$@&+H? zFw&7PNj^J2rc~8#(lTVl;5t&8SaN)>!h?=kK0P9PzY>OH-v+y;CEv{X#0Xj)j+GiI z(|p5b>nllZEEgmzo5mJdZ+l^pPNKa+C^423Q|@H|Y}Ii>OkhwW-Q<-5FVE~?s;J#z za$W(gM%x+d)=6kUG=*@~%^Ox%hh)47y##2Lj(51E(Liew(d8vik8TMWq*4Df!+|DO7=3f|^!xSJD(p_Y&LNeW6x0 z8L;k7a?%OcAK`fKoj!@Bwad3kJIhqzitd8QpYvyG{ZbuRlD_q1i|AC^Hq`D3e;}2z zc%Sn+Bw5M(C}ytNnF4%VOY_U)|AS~h=m&5?=6t$c8S)2G4G(#iq_~rO#Fm)%Oxi}i zhU~GmM&i)?2(otR0K9bz#B236pw86EdtYzwoy-3UVeLq&?J}L6IZYKXhNxA-l;ll| zm8~1Lgy!5u0{W>mOf6Ebd2UICi*HJ`UY+1hZeG3!j&gmyipl2UrDl$LM@#Bg4=)+p znIQ96#eB>|-AkphGBuOqC(3X6E=|*`I~M22qeA;EIkR%c?NX9g2cq9n0O@-rQ{SRM7s^?wB&X1-4I2R#w; z=tmqVVA<;n8n<|z&%2Bk%t-SbhTz~dQDax;r@rQSCLJ!0A=$dWk2|+{S=x!R#(L(` zWF8I}0L*;H_2seg>R@~HtX#9QaYe2+`T_nhK7XDhH#y&vf!=&cLADrqgf(2NQmnS) zGr+L9*4)J@P9`WSjyVlm&cFUW&cKiM%R}@Oq1@;u{Rk4E&Jy7`r4dhfdnrdFQlotR z9pH`rJ3a(=9VPkLVx*&2nmcly>T!l%U)mA6S0uCP0b3E{Z+18Xb&Y&@H~T%~m!}nZ zC1jOi(ba<*0m~6dEr!(Hg=AKvr>tqb3NDn*ODvV}G8t#E{1+|vimSfQR1xcszWUC( z)svTTD?KgusMX3{Ds3d;6D6>9L47NqeDF5)X6fP+nb z*&a*Mw{Q9j3&rXI^j_m{vd2e@oh59=d!~VhZP?qFe7$?p`+u>-{{+q)((pA{j0|_% zjsa(0--)Wq=?RpfAh&vWk>??a2PWD38kA)~C_j`x$AHHw70{9c#lXEHS1wS?k?>>3 zM^8(xTV-0H49_#O{W#h{s#%#hK#l^aDTfduqE;;tC_Tyh{Y5x{B$UCX5A9>ZaBf>M z=@muzx?V#vPm7Z)WrG-L64#hDr*+7NiP_*UH=X=bm#C7li}jnA#4g$|Z}70?$b)kY zT$Xga zAcVPsx<``o2IBIH&vll))*PWJ?0uZZ%NHY!RnOMm6k?aHYdseANHm%UgFzqa3-{#7 zVS4&Byb_(o&YJe+*``W|S9039NSdbY_ddMdAKUG^q)$53Mf5sT@CkO-5TrTTP1uT_ ztFKgS|I9)Bogd5oQnh+nf)U8em>}E{xkW_+Y&~O`5O#vUOu#XQdyaeeNwsiM;4O4)b5c9;ez#Jr4Q5N}Kb*DVx|Z)+ zuUCM^{$@a#C%bS)qq|ScNLba&62Q0pFV3iC$w{Mq_Q{%rc<(0o zXvnkD)wKO?!>3uh$$9YN^A(26XWW3RW$YG6s_>|rmaE^2tXt>bz%2nNx(=OTxi0{A zPg3wL6Myi_p8Dr(2GU}J!f6SJ#+D+avBsHN${LU zyXC1QDB_7|FM*;bvF%EjIL1@ClO15K?=h~|>R=)>2m9Pd@y+gRNYCV?G6!3bT=2ms zWe(8GO~k=NW+dHw^5@{&*Z_;cjDaW%P6HcrzE4ccgW33xygpIBQOSzOQ(rpffVz5KDrGBmXzD$xh zFme>sVKr_2J*30H+|o22%@XDE`&RJrqVw&Vks*g%?mO)J*v?J32f54+lFx;F50hB= zawI|!uu5X>zFw7d=~k8TJV}0;um_FZ1K8A0xB~G(EV@o~h;VYk(=`3DkWQr{%Xcq$ z9Nuoo;4_D(zKC*>oi? z(#f2=l<(^X^xco`9rx1Ry1q+Gw&rmIz|yL442~ zow9?QZGPV~`*KR_8sA8lcu$78;?gFuvUo>x0z+ zB!U0_Bz4^)qRkQMw*k5K*5cWeRVu!VY`Z#n9!xq`Aq1ovN(F{r(#L5P1mvyG?qN#u zD2*^?`;$)dBVUwV7iSNk6aNkKv(V=Py^F?+4h4-DWtNLtZZ2R!eq2B9X*kGjk7vT8 zcJ0qrVKe8@Z<@EG!bm8)~pljpKEHf#S; z{N#Fg70%$^y2zwjiLs>BOj{~N<241r$=OD>zu7|eA(GDEy34+U*MJ3buzl8w7w#gW zzotEE1J>t(Eq|5?Ukgq)BB)n^3-{N z_E&8un&NuyBW<1_!M{N*j(9}dR3zm1e~q~QRc@q^>0HF*&QlP6hM&W7)aSzdsfvx z@JOx3$CE#86)|2owBs`mwA9R$H!Rnp5|o{V#C8f-uFm?ugw&aj%+UtkC-d3g4Y?w2 z=(LQbFil5MIW=fXSwfC{>z}uG6S$`e@1%x%=F)N6b%pqSK zZ(V=iqHe&Hr5>M-)vE$=K9Vm^!a{VlpDm~R>hw5FiG514D#N73-{}Sett^UqF`5jC zUDBlJRiSt>f_D8Y3tV|a)JahZs5BsyyJ4~mZotVK>NU#0vug*{`Z`$q{tvT zl0Vhk#Zxq!S6;5})m95nlfuxP=b;_U!R`I^FBPCbft&r>#JFVPe=0~8fFy!%ugPHD zq)9~ASO$KgO}Y$YpN-f$3yLkL2(@@tg7GcUIeqa@2p+G4$=YHAUGd;irLA9u#LJQK z+b&_3B(Q6Zl;;s1HEhKky^fOc_mc!TI#w$f}D(B05&oaLBmEXhmLSDk6q1@ z@hTh-nG@L4E&ZDCW@^pjx8IcG0L*yU@7Vj%>~eQL~`Lb8;G@gZU9~jGIp16XYftsA*;&3D_?5#ap?H(4 z!T`K0FW1GSgFo~KdukmvWgV?AXp z+4D3(X9g%+>7KZ%TuW|0x6{q5l@x*r6808A{vm^ z=sCGP8TZMIN&!Rwtzb_QYPp7k_o@NG_z!DmUcX3&Meto;)*0}0_jg`XCdnVaNEW`g z0Mh`? zScwvxDDL`9DYFcz;1ugKJO(UwT=7vejJI6Do!|r1q|#WgX)>=-=6R%1==Fah^wn3t z71)kQOs8 zDS-^?dNoVci(fjuNsaz%2maYghH9WI0+v07tl|8_SObsfC3@42T-#>!{&4q~*8WG2 zfzQw!)zJH4)_)wtUnb>WYS~iyNeKP_Yk^BnC;HC~NYnr1P`;kbzyAw5{g1{R%J5@q z)-}Xm)c>t){U7zYRB#LZMnQGm>)%JebVO{4=JsxZ)pzdw)>eVd4X&vIMEB^(f6Kg; zzK>?D#@(6ty#)CuE#J5~-hhtyw$8uT9sak9j=hPV7`kqk--q(Y@dvuFqPfE@VwXE2 zzYXsX(}?bc1RZ+Q&Q2_gmbT9M~c{%`5e@-XzC z`M+uSFn4gZbV_&=lc$7tf$Wra3MsT0Qw|H*JW4C1rsw`rrP zq4YYnW{LBy?n)Df7u{+mwqZU7|6hBsp}uP=mU059#uIxKDz}LTDi#B zotZlC!xk4?_EawOgWmZrbV4|^&1*81ic{=eDiFR;Q&1skIOzjL`BXCCT zU~S0e1L5ozE}HLihm^}>XjAmL%~XY2^IMrx%?3r|EUm50uCPRA^Mi!agX9@-WIEqW z=~-lIW1UX?A-&c}#{F`gO}-a>XaJr~{AC&ox^fiX9YUzo8$l`q)~WFkEVWQ(PSIlR zGrdM58&bUyLx~YMs@`s1_h21DY?;;pyL0VV;4411{1epEnJmZN7QnZ2 zM)USvb{$qld;KFW@i%Mwv)QwKN1v%RRr^2cF8&xGTy!q@#puX6FpKuw(5ORyrW*Eo z(*p1Mz-y;G#rz7^wm|NZisp%&g1{MqPKuRvHuC7Kc_@`W>_W>VMBOQp!Ik|eyUuG5 zF$St!9qcK1Ae3PP9nL`LKJn|JaiZb^ENW`s(UZvq@EQucN_Yl+rm{ z@ReegCm>JeNQ~2KP9POclrw|G^(@GhYn1~)&2DPwilp@MRUc zFIlqG`6a8>TuJVg$nthpSQR?J4U-Gz`xC}N9T32Xrhn)+Z=JNZ?f+!Ye7DC@Tp#X3 zwKc;j_P)V^B1P9HS+af468+=a zj<=P5p2WeLa9OQm$L(jfZ+n=6`f3{OfgqRh(Tu%bBoL@HbU#rwZ_#7YeJ9SsOzb|KF z?>zaSKbF^gww&Azx~sqNGF8BsR!b#cMeX-4!qNd(*Im% zZ(;MzcY+7cRV6;$Av4CZ^@*3+D}N<^n%8!<>x~)+Gy!L74`VXlB8BF>>&x&zm!k25|Qj<%pG+!qP;}S0}QH7dE7@Y%U*J!}F}v z$$jp5Ma&6ZRq-3TM~XP?iNrM^-;pK7 zR=tiU+pLC_SM879y(50M+3hq$0P~!P+Tbl?CTJ%)AJv)fMAM~0Q<_#SL9Me5){6cs zug64q{I{Do+HHDmeBR$^FJ2vp7j{@A<9Cv#t_JKa_#S*KubR0q-?YXdpnSXcw1wS$ z-c4z#?(L?d^1#Nx7?LYW!U+@Zz7tapYJa-p9mQ4-o30X9Nf2~iAAq>eWzKEy`1p#q z<(P+eZQLLjY&}`m!y00wGfPtPav@YE7je;!+iO4#dS#bs)V!G6^C#0j-3ezO2(M~e zH?lLH_RYGbEYc&(mGu^xEBGJ6X$c8xr74y`N66gwvw*-rt5hyP+!Mhl^IRy)jodZ# zQJMo!`J9L;(reRiA!S1I*^{z;4L*Rz^2M9S$p-7`IcVE_@~XDmBE^;n^nN!eeFV*K zLW4a#uq?5ieO#zaT|}d9ouK|~>#Hw0WR>b|me4N#0av})ch>bCNt`Q;^4$!q(pcj9 z1BuMV!X1t;i}rW30mY?ibuYi*W&m5;FAN#?POqmU6*o^VPd&Am;$${C zosO@nt`>ZavV2ZF)91UzGneC;iMCSC^$KCH`@+3ubME?n+)->Ay${UlXlX%LPh!o` zMQMmzZ_S-YrH+vw7Vv2^>vCa%jjZ*XD3@Kw&>f!Co2IO}h||SAo|F<_Somk0$sgeS z3-l2r8_evP7ty9|*^F0klgELUH;;rmk4L=Yd`Ck81_P64pUk@P(fkiiY6sT$Bhdhn zqn3!Zt12`bg`QL+AMT#bm}fOKP)2-N;99Hu$?ZR6P=SwcQhM#+!FdCUUPd>v7}jbW zNxri5?7Wt9a@{kGV};k?YUaASv?&&baZMHgjm}`ttHQA|#oQONYmK3ADI&@?!AOVQR-_iaNil$-^8-yqr zRFU2KR%^Bu*5a~b%uV-zV^L_)tVQ{Jp~5+CYrIEPAe+lIt?m0k`2wHoQe!$WMs}Ti zgPh;)u2}{&}B9kD^RhgRZ@YT$r32SqwV#DLpS0_7)ldNH6FvBhOG| z<7uEA6~6(L<(BQToAaVIw4(G0no|k5;?&FHxIt}AsvF0JUy11DmDn${0lDX&ys2vx zIsHo9i2noAWjpJ%fHd_IFH81Rh5nsAlg z0Szjpu)%Bl%O-7BGf%~NQs17;JZEZ`U1=schd&aU+dI~>1zR4jk0vARo9ELjPx}(r zH$vqo4~ne7JcQyW1tc*g7o`Se6sXf`^zq0pm*s?`jTZMvsZERKYtf5(Bn@Kp41dRW zz|QvTv|}TAS$K6utLr*)d21sMzW;Qax$nVM^OT>%4 zRHyDk+u|PUgpB$-x|E%abISdN5ULp&*JhGz@7W6qnxj)(NEo;A7!1h0VAHf{+LN1t`bdaUtn{wzW~}MtUXU?05=1F)TbS4O<)XMufRav^qaIUHQ`W*1qE)E@QDN z_e{i5d!1eT8KKyT$CuONu6K-{@4M3CeK4l~LuUSkEoU*HWABsPY8`41cl?sEp=i(V z@k6&pu^-S~eSNJvCd_9HC;=-c>gsjxIzwNKosL9&93L<+mv0`d4=_I*Os<0&PCidGKbiB)gHqoHVVJ$>i;lj+oa+)Ivm zN?zrZfpt#QsXxPY!srgtcQPpkEu_tXdybzbBis}%wu9QnKza3*{QBOJXCFMj^(iZ) zdXnRlKIXE0PqLa{S1(*~deP3*?7VSeZ7m@M9?3LAOxcBE=I9q%p4gwGk8P$t*N5&J zd7kleWUn*(5t!BGM}_rdfmcJ>NwM_)w{@|p?()0~ z*R_Yqo-5}us7Sx-4eTiwOK+3B-LLiK#SZ52&3p@f8>03}3+b|VFQ!`Mwj1<14d=T~ z8pzAs>~!VsWJPTp7QirYh(1c@NCaLkc>2%Ki^?p@89+}#StPE!d)PX5s)hJX6K5fW z*9hz>G!@1#u2X85$B6nn?q$m{!e(=ieS;sknr#aI57`1>JD}g71YH zx-PJgaeHkj4Oq%{u+TS@#AGLi-*D919#*_0(W_pq!h`o8vS@j_98%NE9$#Xe;w}En z_~&T^Cf{Rn4HI*Na8m5w8m>kXlJ95oKe6gEFFZSkKQ$COM#8~E)q5SM@2p*B3eX=N zsK7b%>M=+3;iL?K8}7(0tnFil!%${4&G(MC0fTEhU?>T~3N)(Xna8oxB=d)cnCTu# zCVLwfuDGW}kf3tNo+-I){_B4MWNPMlaC)xq%ejs**Tvl$KYZRJxU^?I*cm1n)Oj2| z*hkgIJXxlRr#x{Fa`2E$AZH?;YvL?dhN|BG$3EkNnXfjgaUfusuxuZY7Kmm7pUctS zm7DGSBo%_4?rfAiEaYK)f=o)eb1{klJ*=j{z}JgoDY|ZDFeUB`oBkji_Z13pd(8D)*Gi-=Mwd*!_W)p~ty` z=W)-*e97hF#U5_s2ILm^lD$^S45!K<`gnmEnslHC7#Lq`9Fii4bEQ`=GCiEHSKm+U zN>kr28Dsb}On_blfvmHU@7&0j1}RSGn9-GF;;VdQZcxbFs&v(P%n)|(rWCxz)jAy{ zO6Glx4g*=z#6wmel=d)QUpm=Krh)lGi(24T!o$e2x4ha%6Rq|+KX@zTU$*uwZ# zE%VN+IzFT=m}h{s&j-yZOAWyJY^4SCPm5r2pFdrcaQ}JMjqt*5s{jORaUH?qk*E4$ zUGyQzPI%h>Ln|&!cfcI%fR9di#|dx@$+Nsc?p07ycq4`P_Xj19{~vpA8CT`@wF@h0 z5Gn%F2ny0lBe6hA8tDe5yK?~xWD6oC-QC?C3#7Y2a?#zjU@aD$oAbW^bKdjpy?=YZ zAI`Vui$8@mm-oEqoMVo0jcZ(E^Sj9hpxC||heYT@$(eJrN`~8~L_qGV5j;$3yN@f! zqk2AoVvmW4(yTk*@^hK)3>ktRH&|w+)hk%u1=;Il<6L7$hmszk_d)=XpC5DvHM@(822&7_#RJrgWgi+|l@ zk0tNr%Q4i$=sNG|Sb^&`;#9t|h&(?pdVg-!C7`RwF>}>l_mCjlrTuhmXV+HRsU`P} zG-Ok6%T{}<%tbv@{LtO7OYXq{9&r?L-jnw4w<$Y9{ok~k{CeN4v9V^RCB{SyN7_&{ z(L4$Aaj_>t@c#;_U0_%*nEE-4jf2y4*j1qi(cQPPnAj>`%<|uyiuK3c0k4vdRE%7+ zI%fneQZ>46Kl@#TMHF4ACYl1-CIpIOMGY471tNGQVfph~v%qEYR}S{JmN1poqRVLr z`-H&rDQsFq+1hb#>eE5qrCV;JH)FN!{@}<4m+e8kR1Hia( zZ*wbIAu&x_#zHTBFDMzh=WE{Wm{kjSo+X}$W$cW29?r-xs7%6&c#w2ga5+ShKSHz4 z+7ixsdLuA}D}Qr+)od|K5d+m`Nq`E^~8b2L!)uYC3mv4o<{MA89#0FX-jr$*q zGYA0cX6uILQ3LEBds=7Lb;iUWxTe{*FBFI_$`dvwMj3%KA3IP4`jKz&@5Wf-sojZ(hq zD6Gx0*;VBjmQCiB2g6fz!oertH(CZs@FiZT$~R!#$4 zs|uq#e?V6-)!DEK=mq+?R7V&-5>M>9m+(%J6 zzqWrOR||VhKqr6Fg+d?qzLGneTP@K6kFzM{8EG;ouQQi|-z3A^^WJ5M@GkegjOY>A{Q8Ym3!FQEL zu~ALV{UWftX;(wNfaDWE*HjAJ@R;0FMYNi2RHbH38^>a(W$Ut;)rx<6M1&)oirh@~ zwdbj@x^g&7Tz}63zOZtM!TO^vf)+eRVttnGogZP^u;V*DC)ZWlqJEAi3*O5&wJJ-O zpSVX0nPvegB+|{*1{~6{l|6%fZL`2R)v6&`UWA6hLZn zy2b=w*~FRUJcL}G6pCcDz5Y+g6h04_L|rD*ksN$@nCY=;_*jtwa2Mk?B4DN%huh(3 zB!(yf5*I^RF={MdG&AJ;Jl(?VeheoB-VFe2f4hwmN`44q*be^CnR$B<{ zYAI8pX!M4LS;1-64$3m-1OH~;N094uwIQdl3r2nP(6JC zZ8A@9VQSRoi%vY}75z+wb0JxEDL|!r{WgVRwOp9|HaG~Z^Xe9SVV+3RE_Vx*U662I zYV%k$_Bqlbjv8R#L$EKajfYaHRQxw>d8leCmyDY26qw5U6_jdUt<+}UG0U*AX6!V> zCh#jx6Q(En=$?K#jd;`RvzM#2qJEoxLrGAB&uNbfBydT;V{w|hBzNJ48Pg-WjAX_S zDs@H;dB-r!8zNqQ;L#$zJ_~r5p;^DBKxTG4y>jKyyv;~kpTBr2TxWQ;fS+mf z+Z6^5DNxRJ`R!8xRP-kdKXY$_d*jwQ&Qw%c(m+NXAt%2_0c0<*(RO?fzof(QE^cv} zdklX+;qUxc>wCTnq1N#^N>z*VZNC&Qn zXRG8#0Q@r2{>|Rjuffz$0(@?pGt%7gN5D5x$K8u;PSFQR!OrL5EjmwZ0InfNN<;)4 zbc>RMY?`}%w$v1Yl$iZYg?2RF-Z*D%y!GYE&+l*eYlw$>5~Ip8nn&NAq4)f@+9KN1 zmeQ?019oFG(`3HXJvcs{p3|Q<60mO5a#LQrDXzPa2cHEBGRT%30p2`YrY{f2K&$-e zJ;)ucQ|7CQv>oVk0Xq=Zgl77ox0w0yrciax1_|wJZNUuw~a6ODCXqq%P zfI)7MKd+nZGZ#{OmAzxM4;#7@0T~&*UW z%0_?^-wa?y4*kh+02e8=e$sm&2nI;?*(bm`yc5c(vskoLGSPbt69$qK^Cs-umofkv zDBc(g$ljDD7tM5JJk$v`xxHRMZ1>qhH}wDvtUF@{?W`@=gWJa57s}_LTFN9=xnOpT z%_YlqU+%6@GJ_7Wq!mBA;e{qhis6gVjY+XI5TsGks z`*ZtT#~qc!GNpy3xMlOkXpnXaSKK9jyColZOX=aQ$AMY>CKSK#R?kcDC!fNh`i!Rt zrw#4@W1||Z1HgmELSfs^;lobl`S>v9Le4yW&=Iv>BUe((EVXXib>w?Q{_JcnJGzL}(t0KXb7mSwKP_DPH`a8zZN9i;m z&T`O&3FT<#+NJ93GMFVBw&jB zt>mB(i3>hhVLHDNXneUFGrqV$+)D=_+yFG(!-qRmiQkow1W7UDCV@;lHdHXv*@*?2 z^t+!A8qQdq2{{~G4emGD-3p?9)9P^t<;V>^o(FSoi9vovV;?q73j`~?e;gx3j)XZ5 ze+;k@++*a-TPx2^iFRG|lw(vcirZ>IbgH9^Lq5pBZFE1-ODUOzAJ|)KRaf8-m<}M? zwe?eXzqWBN2EW0In1zmIOZR5t&$ESrPLpbLZUv5hZYk6`e2N{aL5lE{O4gS6uIBj? zA_z)!CU;NlBI9HHF@Gh)ZWij{CHz?_y&4210!Cjq&${(FeQYkL_2X?|75(FP;sJMZ zI-D;QDy6Q1b|aXxr}IiUroib?3VKToKbI7@wU>u2+56v}Y{%RaigOeW_1?!>NgbRT zRWPNYp-Da1I?qYP)vDe#YXA+rB#y(0BOM@}B{X(8Tv+BVH#`1v40Ua}7<)Wc?3gR8 ziYm(RZPlux7&je!w(r6^_3RLtYO=q(0RMPVT$230&xSxH53U61HU9c_!K)X9QX!=? z9L#s(G<*ElzR)YCCkX4V+eOD(uO;$^G{A+8?QUt)O!u5AJFg<6S3g@mSz}P%Gpifm zLKJTRq6Kw37uDNWA^W?_kj&jjjAd^DNe4S649>y<8M?9#{gTG37$d0MeksJ@_P(tO zmCCm0(MTGpSC3w^ma4V_Rg^+9FKdBqF8-~F0d90yQxYHG>rD1H}uO9jYkjWwA^3eVAom`$v9K!H-?3jiY*Aq;t1^1GdWV+S3X4&Zhh=ZU)y27J$rHq<}fs-ldOhgNRuysOWb6Ow_#*?iLw$J}W|oO{ye`&$@cm`7THac3PpQuvSQ6I0jie(B zAn|DD!2LIT!tw`3Lr%=cE_ZbYUWuPLsQ(bMq@yM(tTZjp`H zrYk=IBA&;WrGmFy#oA-oVsMyaZ0#tZS<>Ip8=2XnN0y|m|GuhmM0*jW2*9-5iXBkz zyhBHhY>PkyG0^cUKDtj_se((hZtTXp%?aY|dI{X-U*aPryH>?3!9!I2*N5@Fn)WKylkWT&FSW~|`l~^2N^7b(c z;-2Hg(MyNb>S+vKNekS_IuW2 zb;#e1hv->Gc3o4mBv3pSkm=h0^_t^m-;HG$ zgBQ?}@Lu=tHXmhgriPO!=l-_21xoa~-^C0^-Z;Mv78XE5H2zA?397T}Os*8g@+P@J zbwPtooR5i7&)PI1L%IlY1(>wfdXN=~Ii**p>yc`7GNDWf43do*K`OscEo(bnh?`uJ zHGl&>+iHqi%jz{bEJ)BDD(%#a*iB+=Cz&eIjx{n>wG6w+*UXhqR?Z%*LjQAATZXnf zRT?Jq1z2`_7S|@C_ik@4H(#Ju-~LCdY%Hg>1wdJ+OBNy+lqF^$OFp<|kG2QaD#3Ij@`WBSPl5E#Hlo{9N*^ol2F!>`w*P4{{ygLV`87()0P}KU!g%3N@BBYJ-v9Cob2VT9CwR+@ z_uo$2;t{|GO=u`0`}6tv(@VYk2=(CI026!)+<#36mAm7YE5|zj>)oLV3>e!>&s_d5 zv-{hB<}(1KS&N+tn}54IIGKO}34%_XC+Sd(w<@`0F+vLyo(KikgD9z#^dHh#j`&U29!oD*Q?Vn7j{;eVXa;Hvh z!cO#;Chaeb???PQQyq{wAoOnwMLL)Pi!xxu{5OXA&u^I$C=8IomyGuk`-}houb%V! zU9n4Cug1UpxG=RKAQB!)8Oo0Q8xQ+W&-A1cxMkl(mjBBO&_~$g3GiA4$&D|b{#!F@ z0<7E@I>UeY@q4~!cT(yeynTDL|Mo%~09LL;w(DPh94K`b0bc8wUDS-^zdE=8-W_*W zYZD)g`RASd*V7vFyDJ)5ep4Ctr#JpLyXDrh8O08DeVPS1oJ>GIR3D(PA*CnslFv`Dz3KTgZ=Iwv*`=?6dxI`K%Iz1yk+xB(QEnNWyY zk)9~{;vmyk|ALl>M?Eq0)J7I3nVEY%%qACKjJlWPrqBiJAgr zAF*->%N>Zn&hwn9hyuM$ojK)olq2O%19JYa=VFh4$i$Y8wETS1@XS40r^EU9eqMuYu#7m0gJXk!827;VUo)4tq3>hkR|lmA) zq-ecK-Wy--%p8y0~AZ~VY#*lh}8Bt z2$f1*YYR(X)W3)o3GK!DP6!RA1oX6>-~L|v4vrbN-bX<4R<#$_=P}XHS+J(;%0@mu z^*KGQJI3n%Wt+nFX8#6-VKHA({eby>l$DL%aW|V`p6DDmU9I5oDtozHI zDW#2Di~7Bc@c4H^>7b zO}9n&TiTV~JW}l5Ek6sy`Ask#>X?j>Au4KcJr;JGWe-KAH}p@RlX2e-PUOmdmnktq z{nRs4tCS5f=0B)Cq3t&vHD8%DV|qU8{9Gl!fJmi1Qp>^n`tqGK@n*qS3*M3K+Vafx zdO+xQYAH_XWaAhb#(NeKkW|EJ;-ZLSW!>#|Q$0|R;!i&FtR8#Eq zo%W)|epTWTK7On+CMM?7+q7&UUpeiXv5-WbZ2(-&KU~vWB2mp(3BSZrJsx~S19QOTCtj#%IbIfiU z;vVzNLPzO`%r`DV5sw{G&OG&4EpA(BXELrx*fjZ*-t6+TeRrx@Z+#8_f7;uh?vYr^ z>Nw*u#&eoKW6`SmK9tN)58<}@EzG1|!Z|uuUigJlAcKlKV3a=ye=PKr$K3k2^G^At z4^D;sUW)8+*JjUV!B8UZ?+=)>ag^VxOEY`|0s;iAOpo6ZBP7+gpV|)S8eU;)ss%QrR;w7twZQLA!dB-^T3csNq(38h~1pw1UV88 zlQeJ!h9Zzn&of)jouT>CK@P~>X9H}E{uTjKj&SD;=b$xwNPYXw2zr&gQR$Lp8;j)> z^U16o9S)d-&(1u4aIR*2gJo`Or`pm15YTXt$(1JT>xU!sfwloe)1U8)izU&s=HH3+ z?9Ar-wO!dkoKx4%;JFs6jN>b}EV;>z5ksZ!m2^(1S?80BiwqB%BVh=I?jb8w>#(g9E^zJ>XIyFVj%U!`Fiv29Ej02 z?a)Dn5I#a^BgR%ja=bhBA|??+1?OPVXo})(jLJ6IjSGrpH78MTxhY7+aVqCz!%k(^ zZ290~K370!`~+r==<-zra=p|;Un^D4kRPHV0QXIn=tTxqX3Rn-MDon{jr$+*^)9qK zIrGnn$>=M8y@=I0y*P=w5AuZCt0kI!?t$IUmX66fSmEaY$}xL$CRuU*dn{nI#NVS_;eGFC{HVK*MhPlM1PKf)AAe!F!%T-Y;-=`RG# z^22jbJxGM!@PTNm3SQRNcmb9Rg~vkelsp+3M!k_xI=Rt}4a^~och}vi zTd9-%y_d^}4o}ZcOu}4o5vPfOGoTElV$BD7p3b&g;=S4eZE0(c{lW1z`1;B`Kh{B^ z&w4OUP|~De>vsuDXJ_YVMRXy~#>UudKfq;5g(H3&2%55(EtFS!wid%$yM>H?+i5jB zJym_)_Qn&Z*#jPp|6LX2{ibBdm#U_4DR7luUMZ-C0ta#Of)#nv-t(!-rqkhs82@{{ zeXBg|M!)|Vo5Qz*>0jb9c_!5sy_9{s4X?D_C`6B;r1qp zE>+I0ZJ=-Dar^CH4^bsfHC^?2h>F@txxSebnQcyo2^k|~&3op6CPggpcEa$@Z;QyqLFvUUR);EwzEQ)3E5fpc4Wim^K}@* zWiS1<{8A2IV0^Z3{cgWOxLTgGSUJZd+7b(Y9DC1VvFah}Vj4qPx7zt4czFqAlO%Q5 zFUKMN(A*}c0&{^lJ4B_X0^pGugI4vkrK5fp@@~C8{+ywM_q;81eke&$vhiXsx=rai zCCvH98}!aWWsG*ClherlDR1MUsEM#JU%$oRIni?c7JTFxm04LJ6us;Ego%X!Mocc2 zYny~A0h@padMA6wqhr0KrO(^#Q_)eI_Df6YRin}pBpk~0+RX;X&)gMG-c{a@ z?e&N7lrg}v{YY7D+NM~PobWeYYGQw;zmy%VcX}$98^1L#g}-xN0tQ4 z=IA*ZDLg7sKD?^7SeK@`m;Fs=vPce`AYhHPPjsK#7VfFfdg>2ELN8YbI2?RN*@RM# zp|=dvL@Y|bsq@5~*RA-j`8E$LUZ38?On-;2s;suM-^k0Duihgadf#50@IY*}$mE-J z)YM+VR6bKh63a_fJ?Z@b^vF8y~OTV_$iBp^abVH8RQdikSXBI=_A0e?aDe6I!qQKzbDC5++fpC@(borg{CxW47 zY z%wf^Al6a1~6cs|r%I{aOi;_fMuUupD(PKjajfaVsr-f22+b{);anB;m4II*=Xt!1> z;pUbtrb;%uGR)Z9W$Xlfd=kb0d(A9Rci1HR_!0VQFbVs}_f&5pW2u}#rB}LgLc-k9 z;vy8-P?CRd}oPJ|(#pciF(#1N`1}*nA0gCk| zkMTxAS*0o9o_@%fmseVn_WC4bemP=W9RTb6K@=VjK6|ZSl^myOFegaEgv*2XY{iPY z!2Ssi$Z6x`{d`>$F~1|nknHJjAK^rWm!vs|<&ci1ixkz*cEh^sso-7$;~G4?ouy#X zB$n^!HoUt}Kpj)26&ftkIQFZ1oH_;lI;+@w=uo)^&}BN}NA}}6S0Vf%$__{V z6}>S!Zml>Wr0xDGyK9$90b7M`Ue|PvA+m=3w{)@NL}4*p6kgl#4BKCh81_0TIS)ph zN@CRMu0~b^tFozn@X@X2kUm8+wfqMNo4?j7EvI<4Z+K+Oel_3!Qtu-h+GnL%UeTyW zOC-qgkH>tc3JsED{PD?v?Aeaq4WhR>KQ+#;mv_Xl3+8Axo}kJe^b}jEE3m?To^t2w zqw`f+mdbYg6|hgghCRp7t9DpA0z5iF-V_RwL}7W-hFp2YhEiO18jV9@>e2OShjNs2 zKNEa%VUv%6a}1psJJ4`2C8y|Mdl}^J^ubw8^=BC?7DFh`GcS_E+oof?0xf&jFQWv* zG}C((N{xDW+g*tar)VjLBxG3^#%Ntcj(;{?v+&vgN+xy^_k2C>ihn?OXg})g^yIRe zUG^tLOq@s5Ua;8Z#{kEiq-cG0wUy9oRrrZ2&DsLxf>Av^%7s-oyW+rVp+!(r0`s8X z7Z=f`DbI_JQM(Moo&0K{lKP&@vWJ=N`erF|jNM{xbhR6ZLUwnGJ*(;Sx(w3X+Kpo_ zMJijiH|NUSgXTN9tqN>)W^>@VsXeMm`F>O-WVJ8-ut=j?ms=BEinaS}fUqd%10?Xwmonm=eX?MAjKs(mBL)bj4XRkYuI?p>u8wCP@$vCuOZ-Us$FR-V7lO zS6r>(puO6nOT0pQc7#a5&3-K;E$H>5wA9^XF?n9hcK$j~jn&TRDwEZ(Mt_ z8l*}(>3SlRN=@PEH(ZZD;n|KGYdeWDvtnUkJ-hwG-(Q+zNYOCAoCR*oVY!~gJZNY^ z22xbHZAh(k%!&O$7;#e#&A(yLoi1@^ii|hr70#5-mS)eC7>HzNU~Kh=bFJjQQ=x{W zwb>lbyOXXNku$eakOfAFcFicC5!mGut?m&gWxobg6Gv;^p1$d7!=ArM;ZMC5-$(-l za9#{F1I=&iQ4$k!@!{evUByLl5n>t!^-J8n$}I;=|;yZvvbIY z@Xm_Ti^VBS)xMBJmX<^B>l=O++DLCa*2mde(p`DwJI*s1S6X&7sjJia7q4#?S1RO` zbBCkiGwPa1V24S^eLAc6Xl?MHQI4(Bizu~2NQ=F?)NgIeT`2rLIeb*MYg*7-Vs=#- zK&WdSiDJ2K)>&^;`S_0jct7I$PGe)YNIHPT>WM95(4G>3m{bdYM$t0}NWgN{vg)Hz z640M?Tg#EVJfGk;i$~0aoOQb6zG!uU`gqAp)8Df!>~<7B^gFJ>Ta(;@SLQU?nhd}OHgpy(f0@OnB8tk&E4lkcrWn(!48i_ zw2sp|=U*1p?~NB}R(3!$YRSoeVI<*ZN=GxEbU!7rpfP+VCOpVD`%;>_`Mb;3j_%G| zS5P&>vVtx4=1W`RT+>+=Y$8G?wP2U;&xpx*Y^r!;`>;B^8lAR33}*_cAi0b4wW9lo z!f3O}ygEdU97Cw=9Of!*p`O3D_g0FWRY?e|2qhkOk$iS@1c<#M9waT!1n_j05Du+8 zCF-Q`^|?dHTmE1w=DD#kenFI0o##5E7msJw%xCi7?ZtrjM#b|;#w&J%ktZvutQ2zu zvEzLae3dhN6Ig^z?T0Yp_0%E#rjO$$LoxW%fO3iNUYBuBo#zwm;Uhm|e0+Q^9ig)6 z#ouK|9=%E{r#GArByo?AFJjg!>N+OK!_#vN8@bt6JFdlLjACuR-0q||kQyFTf4O?J zmd`Jti~@G(c5(3L+6f<`t4+}TWNoU{EJ+tqs0EIVOl2UEw8|hfc?ySyrSictz+7g^W*HInTnp_G@-I?gS62^ zAX(HSOr(cG)}>abk$MleebqnTmP-=(;U`BY8=t`Z(P(tc_-qK9%HEY^qSC2NXQje8 zh7|iA33kE@xVq*yE7TronED~e`?lFA6><{{Iax-YjhgC@Kvzz4(cJ1(h-2BRp2uZv zOhR`!qyU&I2@n~OkC{gTcsb|kVf~p6+{TFfr_r$eHvF6MKjw&c(G*hCv=5Qe7fZ~H zK}0MS+rNQ78T+Y?2jWI^Zeredet#zSI7}zqJe`=?8Ei90MA`hIP(eRafe}-w{exzz zIf&dKs{(Gv(r@b-5a`9GgHl%;sX&Zh2(Qdni@S7B0;h#=&~2?O*5r`~YeL11XbMMU*la!&Ss^`0N*1#Z*$Xb-Dn2eC5nRD8P^zb~|4CqabycMRxTKQG?kCU zX9%MJNe#|cWF+kp8U8<`^w6X>@mWYE!IA~x(7n5i&{er?2i+Igl48IRS+kHC)svhk9K zPGA}Nbjpl5cKz@V-^9$5(kI}j3g&rl{C>@l^8Q}0dsD5lajrD`Jif!vf_2)^bFdoE zh4ne3hOm}{T8J+ALMewnUV$;Nf*sI|u5z!TXmknMqy5Bf%3i*y$IePo|S02&>$F@kriUUI@~V!_`Y<_JbssB0@yYzq@HiW1AHJdH2a)_!uo{6d+ql- zF5@41$zy!xB)L|}t^Mue2k#isrCA}6`b0sbsL_*zW5KN9jg^fZi6p+D+s2;Pp%(`* z1t6Ox;}Uo6zNXe_B6o6rp1!4BTP1XSEJad$mq9$}>gsuom+&dx^941H;Q@UlBFRN%zgj)m2$`25Z)gYh9C}hS%i0j*87ZJFgNM6-u&-6y<4{ z@KXt}XUoWH_sOO{9e)w8es>MaQiLBa&TUV&G$CYHTz4N83e!wk=yE!&O*! z9hu!_oT^o8BbVxV66on>mS4&;2UKo}Hpftfw=v&3D~8;-4NJf>ht(*v@9)Y#i_P(v z>cZEW3EuxbqEzXE%N(LQxAJAxXgkZD!?b6Nx~b)J&{P%Z%x8y2zh3N7Z8Z%#hAGJ? z4_+ttXGib$)ZY=AN&ZLh4~8RP(L)mHl%SX zKxPWdQ_7E+?~FTM6|b-4r*rL&e>cEodOV^5yB2?|a{NUqTiqM!_;o-w6IK$#GS~~p zG)-DkQk+l<%LH^^jqKxyWnvgjl*|0qlo=KOxjzgM*mLconT@itf z$6JV1ix1kD+iz@Pi3M%Vh{jZg+cIA>qSl0#aj28*yOqFt@Q9oDcvM`oR&=y7-Cc7k zB&AZyxggGpIE0zswa|h$0Z#7+S8n;6UjE7qF=qaUYvgsZ7zZNhuzx&U(tX_ ziZPmFik^_lVY@&+JQd6Fih3P5eE!Pm<`-st5umKM{#zdsYfCm+N)Or$3`_CeEPgVR z9ZY8GKyr&rb*S#!>PQ_vhFrg%_CkzeyI@WpQMcf`9!Nbp3Xc@HBJ^hc(C>0Cv9G0N zLhePS9dm{Bk@;nhbo^!X;~5Nz=$i4miQ|A@eNWGMY&}#~XzRrw+qY(| zOE0nTBWO$YB4-R|opuVMzmu|C@d6q01p_M6_TkZs;1=EyF3x=Hce9-R|}jkhR!1R6Y9-D8W{7`I*B;}e*=447`@Z8V!PuX~kh!9db( z81$Sq%eZ>yTFvzlpPiz7@6X>k2sd5b5}I^V=NqL~jMb!gD6&n66-jzMJ;Y>vsGZB;KW#7E@z|YC%8t*0o}z zNOMDPXxscF7wIS29lSC)i6`D18$HE>uQnajJAb?~o>(5^f}+?ZSZ-jzKZAT zMQ%h1ruj5cUK=EGNXJ=4=4rHh0EpmqzuLsXK09II7@)(q{b?oBNOaQu$p3_< zOv3mP5YW8ni{XI^c(=4Lj!1#-hgENS+Y!TFe(Tswm}_kl?HvY%HHG0(30~+}pLJXH zpZJJ~uGQCWPkeh6%}mQ-cwFb*49WyD_;c*yKM-*ZLQ{0?JpLRb*W4GTd`Tc;TTTn< z`p3`Hnd?uVLIUgynb;fi_L#3zD#ZsABBDaR`4#@aj;7^aI>dyG?@r$WziPoRP*L?}JHf&eSY_s!zx4hDgx%POv~><#k)X|%%kU?zb7Z%J;sz^Fg<%IAL`eBAUP|<5$L^lw>-QpdSUr+*M zzT$2p8Z2=>=K6u>igXApQoZ6IHB++1)kY6DMqjyjQ5Bd9jTk0<@ac`G_}TIy9C%%@T7gCtBfm7 zr;+Jd7rfa|bN~x5%|6pRYKHE2v&cfOFNa5C%wWQpKNpi20~^Ge((*C6*=UtLZE<2B zMjI0Xj`~V;EvRfV`H6z}i2>5zS?dTJ`?sCM3!7_dk6)!wvv_~E1W_wVvxQQooo^Zd46bU+!swiGxSo=u26)}^(!Aqs z!aMh`Q>qYvF=WF)wQ(xpxVikYDTXypX3%N+4==vo!TkhYJeOpAKDK((wmZl za2)woJUABD>UsZpg=1ojsy~RW0N~*f4ko-04DN5|ve8Hd0NWhn041zz-2vZFAkLh4 zexj;diN7eG7>bj>M)ik;1wkY0*&zB} z;~<8gz3sHy$nS?hdq?eFW;w)-L)m2~%nMv&O;^KZb3q<^tkD$k4+OO*WvoZD(LFs7 z7UxEXtBQGYa&oKuIhk7PrB>hGPzGvhACHT@c&lbXre8K)qnF9cXY8?_6`P(aFa&1h z7=1K)?_6g~K#N6_M>4NHjkuUtUhV8|+2{7Eb>i~Y^$!PK^MoXNl#yX!JjN%dmF~5! zhF`We2F;E~c#poXbmqQ@sB8W%3G&$d$yjkA1r+b|qZFC?S&*RROUR(lm zzMkF$m`xSr&mbigCWBv&5jkt#OYDY8_3i!RqU5mgdykw2Q({9BV6(fOGO<;|A{(;t z)oHIRSM{d$uV$(@vM}J)&D$3s;~aP^M=SI0 zm~Xu&W$??9jx@Z`b!k}X!b+3nK+=otc+=kxCj>nb!ZD3V@?{n`-+dmuyPfAeqtKYY0+PqYU`<;Mvf--|fO z6;BzXJu8kUs%%nd@^Y*LlK|>xZOzc)x7gQZU5l#{kpCK}xp84W(Kxlx<00qzE62i3 z6=Mv_h>g&vG&Pb1dH#6nqiV@)r&X&`A?;Zbqi| z`K#IcijJ2=z7CXWRERz7+fHr2X9i#Na*{V1bhfwW(ipaVMnLr=qNLi`L{0g$;JyIF zPLYIBCCz7`s_x4<=?{Wz0Y3ipga8g2#Ac8D>mS6ls=qWtc+N=)$YcNrgka`*a@C%H z6BQd9TVEs-@f{`1L~A0f`dnusPKKuaY-j-tfccs$%z^U`2xNanX*6S$`a;z-z=IhF zk@1Z8D(8y%cWA^nR{+heCi1)m-SxD(=^rP(i(=s|G($Bw%bJ`nG@G&|^Fvaa#B1ie zaCiD0<$CLP;e*J9a!a0M0k4D-oxm)~3@2vOAr`%=HhySuyl+nJgFy_pO5 z&HbxRQK?hxeb!!kt?sXT_4oDAAJ%|}qKMXUGs4~_zh*`E!>%Bn)N`|DXaSktfN9qO z3%$V;SjFQswWi4CcPQ|?A8v|*l z<8{fwtKM*O)BEb^}6B6#D=+D zpky!u_t-siiNrZ-x}xxKI)ZejT9=f;c${-qt?@?*-z9}S8Q=RHEzh7n^p=ZA!>Uo%tlEmO)QR)JHi!KYOKzI-xWBcuIseK1%2sO2c@{W@< z%TPf8po304Sto!(Zyv6|2Vs5bRokT{4WkGbS9K8nswF=RYGer~=aN;En}$Z(T^@Hh zHjo5!lOSvl%*pXl+tPe-xOW0P^gu8#4un{Su3}V~_OuW7Ccx29)OPyaQmtbI5Q_1h zo?cH+LCAZ?}hEemfzf{!&kxr;_A^ z@`?5`H=7I6z`&qtZbkm~#mmGwUaZ$vP;C!A3Orm`m#1QK4%O7#j17Hqy(3aoE!qAV zfd2l6(ai$a@#UBI59KsbuyAXOe=r{=NS`0v?-<_;HzdtPUF3NGtQehmME^Eg_9+i0 z-3pg$4*)h+4y2MPiTM&Jq;Gzk$M3D8G^Hk^E)?fZ zR=@i-&DVS=q_h9AukbLOo$CLV@J;_gUIeH&+sg|alf#TX2$N1iq5&vS@-(5_y6W6_ z$K(ujYJAK-Kq3Y+;yk!yDO#=-*6&=k65PX{#GV?`Tjau$Q=}bAZhy^~BjIB>Ys3qO zof*azGI=Kn)Ls}(Hs+y$x8EP%=rcJ|CT1Dj6}IeVTss*(rr5SkSsR4l35JZ?F*$X> zPn4;vTG`u2>~{s5KftkS#kh(X8_O*rN-WqD>@4U96bY)yn|F+%434GiJHJ zuHx_9Du^owgddx+2qj}Gn!ai@#IMOJDodKgtt`7gM=jP~$Zf+NnqcUZN$MlMn&1a% zTYg=CmFSP!hb7k8t(*^nt_u!%+}3oPtR9YK_fV<%mJOs_ya|88jQV%NRt0`u?|K$s z%E+kt60G(a$fUR#_mtvQs#C?&CDgY}%ERVMV=?!Kx(8I|t z3Oy%xqtPfts;MRG3$NLJ``x_Df=NE(W#<(s87O?GYX~$~32!b@^YD6o69X#DMZk4hp0`(wkn^l1&}!IcShwWQu!_D~+kMJy(!`6uu7-BoP_ zFRR_N@qtc?6#=HAS^o9b5Q|TGnT1IKz`2B<72M~$!r>Sc9M}GhW?dcK-5Wn-D^-9J zlbhDls++%gG0el^Y!i{-Fmz&#m|dUsEs1K|ZTCzsjAbh`F-4SXGGBVI*mc&4qrvW& zC+F9%gLtf@-;+rqud-4jzrtu1K!6CJ;*hL7(6F0$uW{K$R>f${l=j!2CW=gO*ACeJ zFh5Y-D|*NykYZ{LZb@jADunQ1bXB0?_`wwm8qGS9b+^YPppILNVuu(gRGO%i=JRxW z(BIf8ldEuIa5`D>Sm@$m#U5#!)wno3i~5A}>4)rBoA)>zc8T?uE}HXdq9CraDs{iW z%=>F(G7XTva)lem`&(@>*Xwt0vUQB$83>(UhtZ4|EQ#iWhd%)Niv& zi!~ZZMA@ z{!A@I%I`>NSESU$XuCU;>~wwSbq29f_4yOy@4)08fGTu%2$nlJT*USX)5)0=m^M$p zJhc1!9a+g=udq*4gCy?s448{x8_bI5-RqM@72oG7_Y{Xqnpo1ZN~k>KK!zm!p$a)v z9~?La;s>Z>sihUG7lWb4mFH%Y%Bs7B@XWL~ecpAAxKlm{xO9Uy}1LkUNZeiB& zCYhyj#QV{D!Hn&W7X=+*(E-n|NS*h>F}qrt1H+3sEqlpQEX0k6N3qFRV_Z+Ch_3#C zFg%}=m#c95IH~@2-=cM>kUS#Svi;7=)hQ>({Y+F$Y~n6nr6+1!Qx(T)1wYEMDe~$` z8O?;{xDlBf2=pr-7|VsXTPf)-3|yv4!W*8V|9ry@a@#8hEau2Tu;s=bcJ_ zwFyE^z{b+F+XG5lhYx-&f~#1uiaf~;Zi*%a=zWwl*q5(helyS-50R%X?2e&jeX|Gf zJ098JTIA(RQfx-V*&f6_w^k|n*E(y$oeHHS`|DfP7%<=Q{s}ptK#L{P2HglQzc3Lr z-6w}Z3K46a{!&*al613?lo|^lE;yq+spdjPD#+AK`|87CUD2&aDnP@|Q?|C$yc^9^ zmm#@puC7rdpGX~wjYl?nIMcl4nFnhr>z?hReWdMzXV|{dwsGa)z~p4bk2H;6?JY8!#d#BO-^#@*HwnZ#A01?Rc^yyKd z-bHT4=PMTJ&?B)>$GS8&6&*PPg%ON;pj8?1bA9m~D%Bd<7LVl~N3P>*R8y6T zzSNEIDx9l>C&s4f47NuGM}IUj`h#w1db^1bl8P(er6&Bfri}|6bI&J-7k-)3%79QEQcqF#5fzLg(-`=M)^BcFm#lVF z;26<00n{c}>RhTgZF`1nWCHXm?t@B`sysPXEWX-NuZmZFPPO^Zc z)_8CjDTm9&2OuTM^8(NAW9e;KffF7>D|a;#|9&%|P?5$BgRV!<)sKW4UT*=H%T3HD z1bb2;fwpXOApniMaPV|<+Hh;qiyd-NzS8%9eLeWEJm`s5*7n4x zi>Vot$`TR^#2XP4-1?)W*3FXPL6u&Cx^JJKcQVJr+!4$Z~I?@ueHH z*r)j+^kU^>E?Wwd`g_N7c1JS=?+C2wzC(e@9JYCaubsP8h?3S(Fj7nC8`e2bmx5TH z2lW=r-A9g^?m;b6R0*=l3w4|2IX*e@!CirPlGDYS(@W>SfIzC!a!DhZ#4{N%b?kN4 z(tyX^Sir8m0F(^Lj+Vy9_a(+?;Vt9do|b%a<7DtLoy? zXqU7J^YHu1iA4a&?9eF21rm#mf|@4mq7@;Uq;Mi-S(_(zQEk*OV2YayUe$YMk~AUa zldE!5DkV>6R<4ODWO3(Mz3;a*69yX90DuSKKArx5o?%g)4A^akr+CEmV$tbH!#aE`bf zFA<8N#(AXIiLKrPVjnURMg?c{ecl%%roB^Beh;uI{X}^!x6oZH?0|mIAz4o1@d1HM zpLR@cSn3^i!_|&PHmOYG34cbEx7wJ@E5PEfuEYT(lyMPhnB9@pkCl4!c1Ba#9IjkC znT$sjAzTw+pa*MEPVnJepQ(%3q|tPSZMqFoND{3p34`gP1lF}gO^sg=B?BM`mX*`| zY!}KHS#cXlt{JyQqat?C2j7FI5kqC}#%gsCJ0(e_RG-Xdf0!Mv_h}>&gKl@`6xoLO zjN%YsKfcn854)qiNX`#QAw>NUw&bsvEz}NTEN4;H{fbW0nL55&qfwj+RxkVQ?Sn~t zXCw-H$$mtXGCNp3#xx zo->Lk3Ap#&0?sDG4oR;5)IiPWn*boc$;%Za-anYYnB6;W&|^Y_{TXPSCz~%@;mw1F zDZ0J3yUUXX2`^n^&-J+u*dXz;y=$EtjMT_g--b+#0J;#nKHS#s*kclCy%u~T{MPy_ zf`o=C)-zT1utC$ep$7;noDkFHOHmxts<1;H3(-Qx6*s`3bv+lgP6RR@cTTKbVwGw2yhy*HRqMz;(I7U*oA z;9H}{E8RFBc_=oMvy)ub@g7O+SUzy@G z;||oDs7w{_GPn^VT|7N(oUiNA>T-s6$sBM%jzJ3wRR_>+rk=U9?$Z8fl0OOs*|G$x zvZ`2=)mjiWwPe4HqqB3~>e=M%Y#dL!%Ci|C^%H_-qxr);pF4!nlwvViR z@x%eWhf2`Dg}o!NjdsMeV>*4|pJHhGpW52m?ks5@&w!NbvlapZ0yof_q|)gC8=ubQ z+OgnK%oeI|OFSvSAdB*7D4Q`s4ILwbyXD|rP7-=Jn6Q}LSkZ=zOcMnJl0i#Zj%kAp zX(w@t|Ba)}sMwK$J(K0ySASn$p(*p3Qh=nVtb%BFL|C*?%lCx1pTRWm%LT(?xJaW` zClH`$PN;b5lW)&fg-=R4eyYu6zL<7+4=2lggdNF}L1VgvDsqjCl&i2=juP9gIb{Dd zCO?N^^>ymlji~$@G#u`?H=WCECQvnN?}M9l0;@>&^yGRAnIWdrd^hXOt$Xm^}V_NnnnuE@oZfnm|lFC$3jD51tIz}@4T#?jG1>Jlc4Trs#1 zK=GxU?C;;My#Jqw%;Q-J|7>p(1*Z+*Aj#4XNqZvUVLY*91F$?e9`ii&wFkfeMIkLO zv$#Tgy7w(9xokn?a5(v%ZoWup&%|_l{azDK6A1b%g!cgri_WgD-WJ=FWo>2z-{+%K zcFdG{peyL+vgR0D7AgEG(>qnLq5&MyA2+HaP0ptmpHB%`0$SoMN+URLdKQ=qe^0)X zdE`8M@fWr2(?NS_1Q0x}o=IJTJ@kyv+Kl+Pk+L+Z8#+9u+W?(fFq?@3fpX{_CgXm! ztKA5HkB(Wh1HjR9llxuO9$VjJI;fWo_Cq8ijP4l{7Sx##zD{BviY5tSG zx`3EnnGJ^1?uf64iRtO){jKp-&Tu0h899}gjjfN*@l9U!)kZ>Y7%m`$zQCUaJ6DSz zJl*VdbjSrBqy-?ROlGOJSoN9F;h|Wp!h?PIM-qy#{JGTX`dES!p)zW3?&Zj9GocC{ zSxp;n_=bBc5IeTjGJXhU99&>3v-x;-ON?(Vrb&{9iJsc*IAF`eQ4^c~qEXA%+pod6 zs3W~4@gWeq7*O zTI%4UNe7x^QsTrE6cpUti;pdXC@45xSpY~D8{yb>DJmg28h`R_Plg>!9v~oT zzCS%;elz$GtY`QX_KBY10&LOwq_UVPCeTQgHfNAH#i2R(#;0<>Z!xBR0~s$TFZ!dg zOrIWHsb4J$Ic@32MExNg2gx)4)JH@)Ye`V(sV$>eK_P3ly-1%`I}ZbPqHNZ|J}m;N zT(fk)$(IHPCc*DtT^@%J!S617rMl?CuDm6ojM6Qql!iwV& zXe-1xy;@5<98|do{>(VH3?r7)lDvhl7NQ>xxm zwQO`rOhk)Me#oE^-EPIOl9LL`@nHiph&&GgWq~MePqa83whBXtG$KZpTX<&8YnmX2 zLV4u}QAPt5s-fe%!EbYwpS=9hpi=3!X_Pr6S)kp1583~Khydq07WxXzIC;G@Skgrd z8J>S^&blVoy3B+zN@lIyP;o2;6KzO9_F6MF7SeBmgBjjZ0ZUbNp}o73^o)8@*dacv zbE=F+6yS=SBJBFEe^rP@#j2L=q$MUxAzSWvO{Kj}{mtigXH?g8c8s?@J_@8vGHGxX zUS;*geMxQNA}HT#w!1%Kj=|MapGt#Dl*Cd26Lsd7VYsIVS~PJ|t&1#oF}4u}@RC%h z4TfSpSOc`MC-eQ0q%_ix^${D9963bZ7K2WNZ(ELNIel3Ar~1_`rNpnV#PzbVG^Eol zQXf_~InobMuq;z*<`}0$WNg1_#5~1Uc_Dqp+!_Bh{?pU(YlTg6`I~=lx-?oln=P(6 z-!Ho+=lc&Zs1Z^GILjb-W~n;|luI^IY*$QlZd5N4@`-~M-bBo6WJM*`Wmz6lRBCO$ zjZ4y3+(BH!bG1e`bYXebt+Jkq2$w2-SeDB*bXi}wSdYwyW$!Jeqa$O7KcvteWE{zb zvd_VzQRC_5^9P)-+i|VFHeIw1#bp;_<)Ti>8oG4*#fKr){y30CYR>2R zdyw~se8Ov}Oa@?2Hnx6hejLMrsl()Z5B8X=@g2{RH380BsFxtA&Ne0ZYiBlSN0hCL zOI6>g!4!F}`5Iq6q*)xEU&=QGDl<>z$yTM&DWa$2tWqvIE23v-|05VES!EgdHMtt0 zpX$XS+gbO*4R;uEj#3*pD=wOZz3%$A!7cSl?QYI|^}0gJv<~YM)+-8b5$$PlI4?GofRnKmxp6G#79fCq#w88<+n<#!$9_LI2p8C z`==Q6H}La9-aMfIq^GvH>P48=kqy;)^e7U0J?s5nC9rcA+u;ZU+aJY=3OHk$VK_lO z9>|J;!xryrlu5U6OBmW(?)K)P!!;}3*gc}A8?lJSfQv7iV*Vsn@Rot>NP~S)rCcFe zjMa%k4OG#aGiZBqgORUX7T6{Sz?rc7)u>`Z>-S95>mA}zdg10BB?Z$Npw>{Q5_bk$ zxT7`p8wasN#h}4>@{EC=_Bd-1w6Y_;UG~Yu-wxUS_*8&T%0%_ZxwIVX!)O6*JML|9 z+&Rs NSsGb?pP+pVZj76tf9T=FnjULOUdMml2(>#Ti@uQ|Z0PYK1Ron)3K#{%Q8 zY!iT;r6tu1nQcDCSFg1i)Y^|;gxu+fgQ`243;M=taZp*kINr`d-X5gX9%o*=IgrfX zY?VjM5UjX>z8N1~v`q5G(1qU)Cn|{~Li6n`mmE0MDU0R$nB23;GHDD8RtOapfRM@) zPTd@bJiFUBsuNklgAad26;$50e(^L6@kz=UTvMx?wMu^LdHVLZfZ@+FaiMR)L(8^^ z>w5l`MyqpR%unv0-jG%g7EXO6%=NCQ&iq;JXixStsev0iGMv-ZsortF+HNk$NS?%C zJ94?1fdXQ57B)uDJGQfcNm@V?&kF6n7SUDo?Jqe1A6%olZd02gc9+RUdh|tpdDGd^ zC8PG>T1WLcq{XF3y^b=8!#xg{-Gxl_E8u%YaF5IYPdt*V&?3OUR`_MX9~COqT4(u1 zng*`|O?pbq&E~R8oGKy+W=2|fu&G%(D{E_E>UXbuTT&glFK~&p@N6e-FYthhuS-Vgbh?j|~FF*AQ zF`VyY(+?rLaGHb8*9NDNv^Q+yA)v_hrt7LSQVKZR9yFX1Hnp%4sc+I0jX@bnpE@sy ziQOKY3hL?Zmo0842K!dL95_|pztNwBLf`(Hb^(`!#D67*j4C(VBu@uLF1>W2>oq3_ z8v}ZraX4+y$!UHnCLGM(Lb(T&RxjoKS;>!EE98*vE5Luw#`N=@vf2(=V0`CB+e=9 zKV2){;2I4`7=~XSd!zbehy^VyPCj+gTCB8!y0QK<`Vp&Ma_IC+IHd;yp!G?b4OeY0 zcuXbokX~0RF6Rg&Jk>@ul5Q3qJwz@^ig+1_r_kNERZIVRwsWuS_ zGSH$L9Ua|(3ZW~ytoq8Y-qr_~Q!H}PwTYt&ANlbncL$&XZH2w-IlVd?F{f3MpwL7m zEnjBtwUWnhZF*n5zf9z79ng&Yk#>m4--NlD-P4s>z^$4euBJNuiHRg@s>iPR23@8{>{|B5*NTOG!K`;%D; zf3wO4+W{dK25bwQ`IVP@vOz!P50%2I0XK|7+pu{Kjs;(L6T{-QMk~-DNK~=F)nvAW z%GHEJvH;Qx?qA;Jzuoaqe|pH_f0vQUTOnLS`7?I=^S9VEKz%`Xf{ws%c>3>M{L4?Z z#>-hCTEhIp!TpDY4F*(Vg4V^qeEgqt`ghj%KOT~s0!RUhQ`Gu0L;M>9eBBL;U)pt= z9sBR-S>mI0oK7-~X^*Z**rz1Zp2 zQ=qiRvXNZ>e-qjJ?=M9N0=P&R0v$2u&!+y*->x_SNQQX{h3-$sM1S|7nP9+0nLh%2 zWnWOipKtv8w-${+NP%tckMa9q>wkZa|9MLp58xs(wXc!}r5`F`)_HX59lmzUDC>-Wg>1p}o( zgF`~*d|MV8)bTF*Mq-bt!10|GwO{0Dcbr5PP7>Wn`7<4A&yKzTbiqG=Q0_fc?k>zv z)73njT=~(T-cYf)dQR~#l#j95nq1jhro%ind!0$Kf4cc6d7JoEsM){WAVI&3}IBG*W;V zE_o~5(2@8<#f=S05eK?B;B#d^_xFDxihx1`(8={C^9O8*f4=Y>{J_VWzILB2z!MV^ z{xDmt-zL_!B7u8fd}<>hc-)li*<2DG0(0N=kQF(W;~dl%V8V9!h8790Ap;X~vh=@-i34o^ zJOzLHc0~_Ss46SnoTp_O*%GJhaSKVCUs!1Q-s8QyFH)QTK`jJX3eNl+ z9wph6J0Gr4n}+&45)ikEXD~*K`vjY%#-ior4oLg+0W>EPCZ=xiY?Q$biS~TR5rwci z{c5OE$K=hlv%6a9&>orfo~}68TAL{VaGAtM_jB3qj`7#e)4xjk-LU*=A-?Q{R#CFh zy*I`)iEoVWt`0@n><&WP2%w>%(P$tbL%qDbdR}3{4Oq$*B=;*u>Yrs-ZKoR=Dn({w zN1cO^W-T4esQET~&@eG61`8pGPdU}q)w7hNDCDsnp<@3j76ldskViBG2ot?ltpE}& zeTTC8juPN#hg(3C!%^k|TBz+Jn3gM|1-x;2DrTC}xO=QPwP?D#p9{^bZAAn(tsP|b z5tY_^&~R}j08)M?aDp~VPi1hkD#jJuccwcoF$(?99X7k52R*7%docFRXsxBLGNDnY zKPn0$qIOu!8&ML;WJ*y!7Fr9U04T59MiU8EOS)td?0PXEhNi;x$qOQ;bC&i93?^61 z+S)FcOf2hGSqa<20|2$@TxD7y23@}VKMrF7AeG09KL|0EThO(c29$UUzbNhjYa+Z# zMv!8}%hL*b7N`oz`BDWtf+>w_)VoX8x4&*==QMn=yEEh|7}-Allj80^_VAh#i+N_J z)#HsqPERO-=Q}A1g~Hg$=AGZ2`v3Dne_1RV{2ugJN*UB>klrWo28Od`x{$;~M7iR< z8Z5P4qaF-Kr0>se5ucTes?Ir|3qMc&Fj7-j_Y*a;yuzjb695dIg3!^`C8wr7$^xBS zToBRFl*F9PSV;ZlXJ2+JKmH)(R4#0%2O;)n9dcb*$f(S#uI+EswYg$(v=f=a$jTC* zs@PT@{g!N9=6lbkFpEXr;3On>HCgJ2o8u^4&(>=p50 zxUi0--jcRNMGmcR&<*xt*f8gM&jZst%3_&U_%yPI-QOr8T>IJJn0=*y zte(ux<5e0s?=eCqI>gsqoUH4mEZ?RRf^^^XR4|?6T&=Wg>Lz=HP(t4^FqkoLFznnB z=znPefFnVj48}1hxCS-GcuiP8ZXO;TOgtYAaVDN0P3j#j)KL)-#B5F#slwT+iDzo( zW3%?YLBfCi*N;#KI9Xv`f2T((5wX7rKE4PvVS0m_Q!?Ri|MNetO@S&5d$5u~8W}gI zm|Se_p*Co6kc%Y?{a=6k_tE^1Z#-g=Q%gy< z4wS-wyXn7vV=a(-mGWt<$i%ES%tIo3{T;=pKMdSM32CKeOcy$|^AF?u&s*U$g45n) zMIUXR2_^kdwq>Y-ecM;Ai+-_u={sMR7q9on3w4CQ|B6=v16ls1 z|v04+wb0TLE*872Yd8_R{)D|2qVRb!w%jGR>1(>ew(iv>5Wr^O+4u^3#n-u8Yq6n?bUG9gsEk7qOW}JFVG{Sxf=7oUm z5{wW|4>~!qsIwOASmtsK-zjN|IA!pen-4sGTv_kl>>5mv$>rwh4Q*TA--tp4 zh&_Pz;`i#QUf1lKTJb|dLp-u;M3`Bjxmi0dzq}DUy~d)P{NW@rNjRMU*kjRU21`=W zL55e+Yodh>_t%O1zf()Z2sZuEtRGk`8xNOIDfM=1R<$NtLS!kio%UN<{R%>pbC;LP zKx$fd@}b1}st;YaC2F`C^An!yRUM^zGp|`bL`uVKmM8&$t?qYYH21BRU7s_sS)2~c z_#J}5Wxzc$+S+8Y>^KZZGV8p&)S3-+-ArdJ@}!Ru<5+d4IE+0}Nj1Uf^oPU1uA?F$ z3#P*h($a+OQn%D^HqPH{00uzV4*M#2UA^Amn3Khcawhq}@);=UWqnTZf!}9`bmJm( z^z;{PPVbD^aAs-Vk_zEIK81#wo3lI0ZfQB3Z&}`-3cmy9FLfZc5W1CbFlRr%cdmUM zFk}m_zrTXilR~r2M9JumkF?5Sk@%aP-~mo5MfutDfYqA+xr!=I788At8Y2oFOVUmp z+H&j3Q6s=IlvFai(u(Bb2n<%z_RHfEl28n1(&Q_*JUnDrSlAeX_N7QXQVBb9T)E6r zN>%3JBGSa7dH1mFqWQW=o?k%kO&X2{TTAC)KcY}1sGBT5wYPq|*1J?0fVSIS;dMQZ z`F*>Kuum(_W*=zxEULaeO_7gyE!%u;zJp%ooO&RI$vph3Q8#v}*;VyzhP z?ozXMQKtAlOCaglwd)ziY?X6}T#14_+F&w4!}SrvWN!;PwNTkTpkyMfP1?LQ;-wSD zDsR*qNuFW$WHvoj=PvwM&l=*>O&-$P=qlNlEc;1^!2-%8`xqA=6_zr3YO}j5zc^EB z=DcMtg7; z1q?wHIdl-Cc7y-VzDq2o-jy_Sp=y_(8#RxRNY#9!mBCW5kI8ORMY(VJJwsALyQt=& zewoZ1nx$iIIIm{K=v_5No{P$`VI4)hf?jY2v)-Z!4d49K=hZ8F?5f*a3E@S$Kiv>R zU#O`V&t$wNOBUbZPjoR?)iKAAau>yFYvj0h>Q?`5sonj-ai@3_9*-lRpP}dC*SI81 z-*le5sL^CDbr7B*8N}Iki!q>*aT57v^#FO8lLp~%1PR__Ms2!-4(5s|3&|H&Iw)!J zD578Q$y{#R0Lbd{>DCe^#kjRsX*ac>Lc^U|+j(RyfLqqgG>_nI{D-J2Vt?KvHHP7po5U-_Sb zz}r4kog(-S+KRJhXi3TtdSpRDcF)NMv6&%ErygyXpiB{M7xb6CjO9-sA{DSrEB)|h z_>Bmo+lm)wL2K1-Nmbf*wY-mr6gjDxkJdk+eRO2oD@v`5Ji;K%psie5^cCKKm&agrswsF1{4x63q9v*w*Ua8}LuOfsP z;2eijsiwNzt$r{jIN8V>XDu1(fqz-+zIKC;>MB(x#q)9W zw()8$xLeiYzUris3B|*YuvC%3yx-0_sPTVXavCbA71N8ZPDCVlo$N_QP zDZ~4#M-o5;1NA}1>Crn#0id!63JpEGNr!X*rK7NDSDg1og+mn*n?=$^`B5osz$6j6 z<8o3qxGhpab;{C{3FWiPDF@@iMw_-gq$j7bkELqhpo_)6VKiUN-tt{gx!Fo200Jad zXo4C2q2!NBA6oKxYZ*+(gjlQ0N#mZ7)0t!L?>ETf(!uRoj%GjE%k{(*8c8=Bcf-ll z*ikKVMJx|k#_;lHO1FDkFT%LQ|uqY8FrPy_oci()IC@IwfA4bHs(GJ6GrCvbsR*rB) zRqk;-%qeSpNaD4Hr(9$RN)HqN0Q3Vdla5c?$W$-Z(3*!Bve_g)~F6Nr==QL z#aj`D%VvNS5>0PDHnVNKt{34)s5-AerS}kmY@^iWdVjrtKU$}2S7r=rTY}l(vg!YV zAWlys0MUKbYZsgAku1>|P-p&ReLV4=^Y8$RwJlDa_2$HNVw1-9F$0;`wpnlaCiP*w zbpoS#SkPWvhqZ?Rt!8uM82=!PJf53S4MqaIwYx4Hg-mU!3)>UqM}ftLL|7I7YYpK=O6wPTbg3RaElypp{i=hIk zk3gp%ON4&>`Fw``jrHM{$YDUDn#PR~d?Hlae7BRvnE?v=Czper2l|JPg>7q+<5PzR z%0-XL72ADRLHmW8Ni;G6@f`P8HA4wWv*%k0iyut+Cf6#<&NllfJjCp*b8G6XHp9n^ z2=-P|d?pB;aua3O@Su#JIBom-u1i&H?5cr2QA)xX~l8Z$?=o-$f1A8;9{*OUVa zMe56#hu%^B7f%wzdk$Nj9y03CqX4^P_iVuASue-7IT@*G=BIt`tKsbe^G5RJ!26|q zEVfSyC1KLXuK1r~C?f%hdzM7i+^;lEcO0vs-kum0Te%QBL#*rw>`HA1)(a~hZ$JZr zDLXbU>3Q(xxjy4f7pTw2ha7IRAL_DG&DmQxn&WeAJ^if6R-J}7 z4RLzrb9`Qx#K~`G+uAqp?uE=)igFWa{Wh>b3ZL&-E!P_!&os1(Bb%%Bn#$Wt>MTZl zpU6C!Jv(+O{YgK92gwOrZZS#-VRO8_#>UYv{=gcm3G1#oAgKcpY23hmE zuIfkcQB-q}N&xNLI~&t9b3cP@ z$N4L>V=iBPe6qxcb%!s%1Z0=r5u4F3h^cJYC11hZEXW3*Qzu`aay@OF;UKAz1U@SS z+>3FHsw*x)9!5HxWJq!`@n4{=dkPu-x;e&fB)?;YWRdH8gLLwvb!vr%h>~z2AaT?H zx=%sCA5=oH9~@}k8^}1K(6q*n%5-mDJ1 z1PKD0X~rE1CH>vUAyWYlWSaQy8n<`v$TlpWmI?TM_PK{_b*3O`-Btg^3IpSRfS%=^5DDgoamTh~SV0we;82VF5v*L3D-#$HL-(AzKI zjaV%6DL!z@k4}YxOs;bi+b+w8@)~`(hEromlP=6onI`HjbK2P1Zkor$vefld;3DEG zRaHkp=*f;E6@i0Qe#L_wcDTveb7Un9rGV8lG$+2|{N>zR85g!Hk9$0>>R5JOBhlWF z#6~y0aEtrHz91)MrzC~OVS~Jk5_t|Yd_(Ju{zul zA~8I#$sF2$1Yw>kY&_QJXSGHkywgE-C@;g>lK7b4rbOz>B{6Jxt}lk_;%;qV{?1)B zz-VN7ah_4x8ubj$Q8)Gq4AkeiW?XE1a*C`X=V{+|hbpSKct$+s^5dykscB9wtEPE~ z2kxgMH<$*(jFU?^dR_W35|BY*q{e?j}zk z;>K+pJXQB%#+6XKKW|1&FOO`Vc<{$SFT0aY=Cc=$mxeOCPMMsF?&r9ha##&O!Z~i| z-StJ27jaMm#6)ooZ2B42<9&&aBB%nPTovYDCDDi8othOwdXg=umi?@adAvl-2`xw) zANZQ+k%V@^WeQH5W3g6vAOey<`)c+@Q6cAiTlzq&1&#&^e^%hj-R^k0NQj}OR){I8QR9ic%0S$ zkouZzvM{ZgA1WHQx`{w*zWd8jrcS^#35PdO=NfhL9_ZXOx+H0##Xhcux4o(diA!Dj zp;_Rk++OOhN_^0}cfYs?hCLzSBF&Q6cInSw55s@p?=vFgqk{d2R-J4E9grY>a6Py3D(#)`-nX) zuvqWj=K>1BaJUfzx3MN~D)gfyxjtmHH_RUQ1N2T&paqCclwhP_Nh%?~j!cs%#yvI! zjj99Zz`6Ia&3=?G6}O+ec7XnH_?>vXVf4LQ08Cw!#Lt=ij4f`j20Ad_jc$8R_7((E zg1}@%H9q#+hgP1R^ps&sP4~3+oYfE3n7jw8vzClduVMyLbfKy4FAmbSS2-owi%RZS zKMH1rpJ{9q@!+#q-6Tw@RhX>07y|tc(WVGCuz7Q}as3amH%#4QX*Q9V9rQiCy2EPX zhv1*IemcSoeAqyvXq-wN9CO5OpRXTG^g{aB!a$S;S5fevTjh`clKZ?ugGHomow;6i zG4(SFovKl!*;ky}XEKQdn#S#QPJbVG9jyqt0Sg5+va5e;4s;ca?tYb+!sT2~oZn`t zrKNzA{w9D@iL$+$0)wTdWB5V+6^7g!t+nx6ArFFjJG;er!2Q-(XeL5A&=ygoMfGZKpf zxMnI#Fi-3@N~H4~F^x}q{n5Eyk-M`+1xuaSC@yQY!qwG4s1c^ZkgwW3#MT*rDxV&# z57)bc=k>|1otMeW>+^sf)HR67tC&{9e#(3yx6}LTe8#66tAQtx*?g5SiGJ@85xD0D zj}RvmpB4i7%wf%&d->ReiYua&uMBVyldpM?R@8Nv8iWj@obXy(--;b>9j9o#ZN6!g zm@74`fa^Bk3VB>@_h$97X>(4Ky{~4)V$UET3i;At5Rr3#ZC$rTf>-Smf?LJA<5C0; zZYLeoYp`Tk))XV=I;83gpH1$8@Gc#y0T=><>*wxXTh)3w;r-+!I(HA^AD!o(2x_0% zRrz7i&oDgBIY1P(7>KuO>UEe#j&`)$I`xA^>T0qSy|^;WqEa{6Y>*i6tg+hCp|pOzMQO&d|;ac1UO*QUq^xSIPw;(Q)Q2hP2FC7PIg z9X7~1xgKyN3qk}J%M4kO0XWqdJOalzgq?cYh%tJ1#hke9qMh;yU-oyK$T#iH^TlUW zXf)~z*+PMi1HbINih$(V9}_R3--B8;6@O((eJ^M*QH^dmdO~(uFW!z=?^UhIXe`%q zF)u)XKs9Ya<8<7MtP(ovzcF73)bT5o(G!U}%V%bvt5x+aQ7wpW)eWw|kq?mVV)Hs@ z@v?Df9M*;Fb)KZDGzV%g%2zf+dv{-H5Dg`9m9TSf*t53t0jU+t}fTJ9IUzuqjCN`_c9ZO^gyii@eaT9Jul~1#1lrac8;^v zoRs}jAn+ZMBL|4>_-CX>%v4BIIt zM_4RVYm|#ENfFH83)EShrc)~2R0xdc@v+4iP_ybM9}#R@**i}qoeS8%3lUe163lVE zhllz~&t`u-^$SIox_Hj1Qu|HJG2In{2oF#3umle(60*J*t=(&Y9qg>vJ*0U_SLxaf zx4CH)vs<1iW1X;jJ*7$5B+p>_kn8zjzVARg#{=nsMHNuj!||FM+UCHSF4PdW+O|UF zSWhlfHQB~@R$m}}EeS56xpcf6IlYStOCRnJ;iPoCee5hl{ZqX%ILUr3U3{Ar`Hoo` z#+aInm_G1VyjOG64Cmji*`(G&t|4I_;zC0?`UH^pHb8@F_<%;xMlelGv>*-ADPgNS zVuLl9DpV~&BcJYesy#8$J!nqnA1t0fY<`q}rmO$1a`I)B?;x(k5vmFVe-0WBdHh^e z3eleKU-oKKzMb-29KF|@TOgeTM94MA3wBB?;stJlhb9Q~GlNUP97*>?p<_@sMQp`*N~(0#D@@m`~wed0?f47x9>6XLo~4%)lPgq zOF`vq1{qL)T;hR{%sY|ne!dfROJr8|DdS~E|Ii4!a4pQ?X7{{h%s3;|HUVPhSoM-> z)FXFp$8kTT)mUET$QXLBe%_vhJc>kZps7n`t5(-R9jhqbBxj?wgYIO$++;HKQ8W|D zb$C*g^`gV^%=@+EUtdl-bV@$59JG%kz56kxX?HM@=2LBU&yUAP33LkBJaph#^M-={*aF4}83sN94XYfcov}8f!0gqz7anX|k&Z&{ldqaq+MWaeYE&jlq6-b^%Ss z4?(gsN>5?6D6wU@u7IuDI<$c`P5^8OoLc?4o27TPR(LlCbltmab=S8Hx4VUJ&dp<} z?pDYWX)7qu*H$rKsB6!*iWo+yW4|446u;k69lj?tWB&Jt6=2{`3L3`E%g!qKo5O@r zXCSm^`s9o%!CcL2ym|-mA+IGdu#XK)>I1O^Ms3JcT09H01)hc&0TphBP4}9~X-22a zoP|;zKgxmL05O^-AKyhPqtM8*_Nl_Tx#HluwYRN9pw+`aJT*+Jd!hHN9MizdyN#R? zSsdJ0#+*O^k_1(KDAaNzIi17>`1V5h7)alJvz%ij>`|xjL4slfNAEl98kG-huhzap z+?Hv&WTV+G4r|8JEc|?3pEtHXmn@qm70+b4hBVh(iHs0BtH(*V&2HLqckz*jncSf4 z?HQj52)<&h#Gb}*w9pTK0`4nADIg-+_jAW>Z2=>Hz$Dw?MJ^uAD$HyX7M#Uv9t50R>aB(G#5SNPSSPdA6>!_CpM3J2v^<5x1k=)a=#Y}#D zqJ!{xxcmF8m~Px;62}U;P?$cfLCJa5dSBzv9P2DUh1(TaEYRVqoub_#v!Bi#Hqcw-s!s>s5WvLB`QGbMngN|sS_USDmGa#XMl;H(K za{^+PB0e{*wv$69&Fem69vhRhtsodGT5+m!`~8Jc-5c-w{-}!l`Fhs`?j105a62}u z0b5I?Z933NOg=mpXn3z2FP5Rt_%-kUVec)Y;##)0(FAuI55e8tT>^nXu;A_x+@;YF zECd1scY?dSyIX?0OK^9)E9bm>zi00x`y1!pG48lO?il@J_3G}`wW?~)sx{~HJku}f zW{Zf%SvLxYz|TyW7YXsJc+}Jr`XlTL@azmg*q!ch)FUwm_TDO*=ey$KVqW!H3m!56^ZWGA*OBReF6gh17rPjua|TLHgaAm zu18M=nvt|d7!MR3fnR2>=b^Z}ZAVaSG`YO&9e8wCco~8ZJiWahGl+$ReYE|qigF&> z=CSWFwC{9Xu3Iil<_Ms4>YZBb#b4)@~0x zujgyJp8pcD@o#X7B~*K~xe544Jl=6RB&h+rPVM&aJhA-T=mWyNm;$o=^>x^x8{O#-d{p>t!ZqKau6RcZkOiL9|gA6aLnIuVykS8^e;wrGTvo z!T8)y15<*UTFp`%5o8_;z9gX8CpXVitjI3*-af%9H(j!ETe=2ts(6fta9jMtJ)oj9 z_rh3NFCa!eT4!q0^yv8LrNeNhdUq%YAbJR04ooh0bjo!l8iVKk$s06VBG!2P=sVo8 zmS8n1cXP#cK?lnD@+&FGQ`&KoYu`{$VLLU4In}{#_M8~$$oEW{{4+EAKt6kZ(r_da zbbBH1L?O+MFuLqx+JA=2xR9?&cXEqXTews^v*BSNU90LKZ-7U28)*wwegj)?#ZOPF z1#iYn$HejZF@SmXxu4hj3A%?`DB}{V=;Y>tz%Lo;ZQPCi=@AIv6;mx$F$3srJ_ z?ur{xpS{Q>zl9k5qN*GDLkq>7$g5CbcwC+ka<8S)`?_i>%X5m5cf1v-aIkUhm;cO38sE^^ezuL&Wi6&?eWW9>hz(?U_Wib2 zFrWr~tqD5#7>*7S@92b%RsTe(&P(7m(TnlRTOx1C2F8V|BRQ(Y4phGxUlIDR%@!`e zlfZ|G*^PnN^Hry=zyiJx*2FIxFLbHN2fN@r-#@&7gD8_tO%ZS+h^x_ccc@KLwG6p; zxCyx+981%bqZ1oHa*^ocrqHTHbPvTBpgih@cEA=&sGqkYdEY*dG@>0qb0XsCdNlH) z{zKjf97XsCuwzH|kc#HY%8I$ZS7elT>Bqh51*&=oCPDM5{FQLT_W`pU_+$92(&yVf_(M~YFS_|_OD;P!xWVud!$9Jw_~wEz^g*pjFmbV&_Jc#7 z+LzDc3>OK?)&TON&M&B3wtnVV4sV%~!;FeTT3?1X=#I%u_xZ)|AYlNU?gIUeha>?{SNP#nOcI|09>9Y<4PJU9y!?6)^vy~wr$Ew~lPx2HUM3dD>Sg29nEBf?l z_XA|h?%Lh;i8&Juw_24+a+KS$h}l9}FeZcI;tIGEOg7jm=!eqHETLSat!vKVp(GVk zlG_RAd7d{I&)T;|)NBK$Ynx}azhYK=4TMwGPL@u84ESo}b6w!pxWRq%IW~*JQMzi4U`o!1i zaC8R!v8_M_zAIgS3_Ib~j1+2LPpX95<5P({5m(61WNLWMs1t=5IKw28W~1K~v`e^% zmNAP(d-Y_Y6e|(iV6bQO;arrf9Wy18TU!fHHcW|j9S1YuFjQ*AaLvZktJaZei%Ver z;8Gf^rVk;tgZ3c_`$D*3`WB)u2`XK<*v@?p=Q$_LQ}rw7t>0f0eK2~kQ=WR9$Qj&~fh!eNP8 z)62lP_NON!No;aCWLi@z84~AS2DeXk8438f9Sh9XUZV6g6UJE_Xcdbc8}P#4(JJMo z9j*`p1vyRe+t;>I!BVL`_d%vuBQnLJ;^z+QS~#JI*wlIpa;}pfqv#6;(&%?S&^d7R zbY@!H_C>K|u)AfZF`^u@XO9@u3TAeFy>LU8h`Qbk9w}7xO!au_u>G|t5VN)*D}m9PF4{N}Cu2 zDJ=|&;W8l@Ltfr_dhYi@B)3%3E>G8W7+;@ z71($e;c>n#!8pU*Ts43#?duk5MMmbwd2r+Jphli5BJK2r<=jtW*fRWq%EuIAkc({b8Epx2D0*g_A^aX2#m66rs6`i)A@p#b3fael0;csG zyQS~<_pm4$!4p;*)#3YiQ?CG6+>XO0J{Q#p zK*B9mps(0%-i72Ms!b(kW}O7WJQcg8=SoD_^QsSxy(LYyRJtE;IEBZb@mRUFcP`A#0v$U3Y1oARAcFE@x|WeF1``dfG7HgP+|FMjc>-^7T@lzK39CApT7CXIf(Dp zbe=6!LMKg*tC)PVmCEO`JCGMib-vvnO}E6Lna=A%e#NwqY9Qi|uG}(>`>U;$Pc6mK z$o3dZzU|>+6ALYlsy}H``yIQ@b6gnG;vG|g;}?3zs}%N{_YsrUswFyDexD@iV_pRb z@>aUEe27)M`EDU}MEBMYR97Sl*~)6#Pd`&(+F-$f!=w|j+wbrcI~}6Jqze1VzJKW# zuZN}68=Ob~uli-ZikjZ3 z{8>E#U+LARhx5Co0QB|;o~M4~^&T7LCn!MW6eD<$-@D^UQ1SYbHxu=@7v}f$9S*M? zO=e#J;p!H#DcGbQe)o%c@J8B3K#F@~yxg+YW&lFfMyg=b9M6nkj{)Owv08h9Uq#wJ zpqRH)hle)8@*I4@?0VaQrpnHTe?_cI|2;t?`*3gjUIw5^BdP4hr9z_G^6-cNUb(=}i(9n** zmb=L4`DCgLCA_I+_V(B$VA=e;tMyrz(A!^eF<$t5tb<%=;Pa9fb6jpNQTj-H37XX@ z_&n0BYmHK?Sd}0&=e6Cf;z!pV_C#QN@E7jEpKpEqC~bAWrS})S`f{PQYN1=4t4mm- zSu;$>M4sCqo6L)Tr27`xX0E?bYtZz8i9M*sI4eFEf@PN$x=YDkFJEHL5?wY z*_-ZmFAt`3xd_IJLIQx<^XMpt2L1HI{~;&nz=`3!?^UEa*&HHM%#l5&wN!G$Qppet zT209ZR?MH14X)(Nhq21DQQmR@)OeXC?B1_rCH1v>rB8K4MwV=-?`quNX&QepDkO=^ zFnWRN?yA~noT;kOEEqpsUHBuJJg*#GocUsWsxfPSABaCXQF0sz zG}cGu-u4Xtj7cRYf{>94`;2f+^y&0zn(TOT(x>)>bq^;V&fkrQ*ekuMV(rzU(#^B& zG5h1yE-@Yy=Z`=29q~5kt-~Xi-A-M$b(z1J*KTd*{pseR>NouSY zBG^oaC0$)>tqC>pAFsDk?JxG!k55kzyoZ2V9lcY!-VB#Z-Yx6H$(j(5kWQZ4V>z+> z;1kINb~AEdDLWPrtCsjF)gKN8-`emR@R+QJHLB$Nq$f)S%_w9|x^8BQ4^2h{4}HU( z4c<+2(zd^c)<`ZFLs81bljbSr*d7hQnaO3EHryc-<%!nCk-0@qT6hx zzc{9-uo6pX&pf~L|1k|Me2}3yCO)2pn~RJD0U?zdC#oJX1dE6@<&ED@jX&qee;%{~ zoM^)xETa5JloWO1HXN@0?SWg0y-h40hjSZkTDi^ltErsACnhvGP4mLxk?6qaM!8P# znEaxdKP=G4U5YqYGTcuKr7p)RuD`a4tJ{)-S{EPv(^Y_5AudCgjA>6$il8k!F=_d&Vf^P!|Hp9zoR1MrVI7%E z1e}+1V$uL> zNzC1Bn&rR!r60MlzKrOo>D+Hk=#LKn+ZTdjo&YZYVzkuoZy)?0-@^Z(Sovj+RR2Rb z@9&-Zul`1702oy0`&s%uzx?UG?v`6TIRP_^XtJ0e+z#_F`Lqr zZkR`|OfOYI{nG;R@9q(P4YxO6$41$u7VvAMIN!HR|2O%M9rpiVBwLwy zP}rg~r9wOYVK4TZm1Fg@Fc4~(|IBy%AzbFa_B9d^NYK&vCA2+a|E1-FEFk(u4P^@R zN+Etb{{R#*P?MU1oqaqw={S`_G5d7{kHhAbO&r57;P}F=r5SCP|dc3lx{@=M2TOD-J75z6oS z`;OE>gF{5Uq)n}fw@yA>wo-}pa526OOy| zr+)4F-a$pc_;5t%4hMO+J8?#v^D>uTTXL23`oCxL0a z-wxrQe(Em=K4PLjwhi_q)5yR1rB9U17h7!aZ57U%^H=$hcyd zThZT`OE@W9RR3p%l-zJRdt=F6yGHKI%zi})aA~{;kX@|B-(+Eu`^(ntkM$8ApT9yl zRCk^{hv|`0A5C@rEV{)>84QW=u|@aY`p_F40Dw=CXZEr35y{`=rn(35sSWY^sAsJ_o_yVhifd{w?iO($Ax)+0hXv4-7O6t){X%GUrF zVd1UbWMKrKYVp-T2Tq+M44wLrih*#*| zjG-pMK#nj3P`4l!>EYpWkMI*}=BD-sJD{pNvtYt&bSuBWz=32w(uarbNHOpIw+#;UW_x8vb#MyQ8>F8Y*=zrI7}-QTZm*BL1pbMU z4edn15nRHnXTb+X!l>;B$q>ET|-g)C23wFI_5q%WcMAQEF^%xU5WY=TgnjUpM-r7&qRez>|l+f&X7lcFq4+IN77VzR@`e(?LEYrSZ+~@094u zUpwd4r(=4xL}nh(=$&ig3eHbA?|u9zk^WV8@+Ohl`SEm zb$PZN8J4}N3P~nwmrY=#t%X{yR*PLE65&k%zzCJ}n)4=B2!lz(z7e=D)Koy`CG@!S zW4E4p2{P$;)_t})cPJHfg2kYKJiJgK&y}tHul;Q+C=S5TMkzUb1^C!9=rw}qtw{?% zKu7?AhTUeeGe@3XkQ2*h=0%Bia831r@e3eM5R*fAn3LG*eibH!x=>ZuArWS-fXv!- zbQbyk#L0Xj0)QF+fWb@o++81PEMAlIZ?FS}FH&4Dz&>vSV_e}nH|r@=6iTURqJI$B zyET*yO#_eQPrcpyQ=;fEBY`Pq1kU27{;dUye6baF+g9KV+Y=(9-F>JhU)sNx2r^}q z3bO}iI$j{zAGJGOn_RxSR`m~-ij>M!x(JD2a){!JGI~lv2=jF6feGb#AvDd~gKYF- zaudyF`zm^!`oW#mvmhZUUpFV?WOP`k@3Sv*3>9n+?)*m!+*RAsjYquhi;mTy>;4rG zIF{5Ksz0}v1rME2YH9O3)AeyE1C_wqh!~F1a#hat`=ZGLn@3{vx%^X|oj@HsQq7u2Qa}L);&0^Zr>^-k4(8%XsGgU78xe~(rR+2U zl*7BS^jN@N$)FB>5B3-Pk{|1V@JCX4MpMe|TVcVx7@=TbrJy9M!H)$v>$?nM93txX zSsFftm=m2x#lrt0U@KqU=7j0XTsA+$9-x#9({Oa(D$*a7yf0rE8IgNVYd4fw(q!&r zFk3hSameXhpjeQtb5@aK_pfl$s;_W&2(A-bv!8rWm{%Dx`Ug6QAK7RXhQ!?+N||KJ zsgl6DqUS64e^RZ3^vnN&YHhcZ*Ino37sCrc_Z{rZd9s0d;6TFz`rSOpeAy}_W1d&+ z$6@SX66GKGI02D}k9(IXRvof>*t68hqbmm|uad9p%cNZ`D$1xEBTW*!?sKw{1z;ZD zq`R^t6M$oi)M!jcl4E})nUwFC^&`fM)n5SdIvNJ$+)s|%>5WhHKU-esE9cMC@_0Wq z8udkp+iwk1I4M0y;Bkhtn~kcS;|tk|0%gu9_?-9ATiCsTov8`#-RKjndNSYWo~h)D ztzq>=b0A?rzOPYZpPO#A8^h|c{x-SVX356>W>6hVmNc~yNKa(~Ji|A~KDQjPvJ37! zQER})vvmRf4t!O*cjHuplB)7odNnE7eoH|oW2aW>9gp7Wq?LJSZ;`*vFm6bz(M2OP ztHT9;TlDByh5-jITSKuH&fB)^~Dftwo zdY5f-AO$qOzzHr6(1`@lUf(NIDP>|TXCO8bPO{JchhaSlLTk64oClYiovI|m5Ef~$ zM_yQI0Aa`C^d1126ur^U23HJ?bjngJGhiY^uxaSYnt%$2Hf23cZ82pf@34iN++e#R znxJ@||CvyHPkC>#K~+029v$C9%X+DffkHYeJY}JtI|TN6$n*VILD!l=AX~?26NIn3 ztHQ8en2-Yr!D{h2v*F0&Nc6ph-w8+};U78Hm8c?(O|ke0VDLLoFd{ZX%rZs~1+&E$ zBjv+^dMEQ&r<9*On>lqjq)G9}(&bB7mDx5+!?ac>%4vXF-xSpX1t+Or&6oK}mZcoS?vTM#2g z%^u*a-~@+!!Mkv4Hcq0=hi-hOOk4eH=R4H=qM@4<8s&1ov+uLwCmTZe($*+A2%?yww(TK<3>U4Shv@F>lkt6&ix?S-WACN_q~qOrmS!BXcu=_vo)b$2<4f z+lqY&u)P3mCVOnUh`6J`CM4;ebgZb+UhVPZCBH2|BMggTAmGR$X-RHr*fn1yxmx5s zxFst3PqH8X~!iKWwi^%=^~9M5}Zzsw{-h|0Pb;w z&>+lvOKY@5$vtzhIgSF4kd7b>{W#R_%x3G8^M>{LEH1QWn(dO$3r@w&6)H@Z9#Fux z%N#V@Wmo~(gqd=A)TyfUi-IRRK8b2I^^VVYx9QIOu#!DrYNW=h3?19y-3teZ8tzDXL!P>5Y2uB{xH{FRR zL$!xR^<@=6SG^YZ{}QjdDWfxZQxIHg0L@?vW%F#2#UBCttAQjO zh4)OQEI`y)lc(ZOM0$Rba4-d+nkU+yD-s>>ZQUXmya$STH86{14X+(-=-7W(Vuv*y zPKmY-J9nz%lDAB&Z`m0y+#ah6%B~Z0c@BYgN*K@zFUn-fMjH2p)IZB(rhL*2jxWXI zKz#Q$5H0fm3%u$S#Z>oxyTz_k!H1qyt>zc+2mFqg%faPmAm;+;PPu<(yP+4E>6iSx$6*BICK=~W}larKD7C2Z){ZT{>{=fB2yFnoXcJmd*0ZG7Cclq z%2dyWS701l>lUKB4s+BNEf<|!3AF-1Za@QE z3v81>e19iTOWLR$b*>DLNjh#V;R?JAHV1?=ND5*f=;t^KKR*gQ78c(op~IzXyK~o6 z?Q*HT$D}W1N?=or^;w31v0-1z6@P0OxAr=Yk1XFu5~e+DZ>D0~@+bS+Bp!ap>fi^8M$%$OO5{55VDwFt~ zG+nviCQ`+!$bHS< zG-Z_D(7`I*f~_n$Fei_*-vZh4q7gi+8PpVZq{C{pNuPY?n!4B@oZRB{d~tt1zHW2) z64aEBE^!WOn}B7dl?ArUL6qHIiXw5kXMYbT~|ou8YJEzF!8PHA>(< zJKVVOP9^y25xptPsY16ILcFE;((S1}?l?!vf&}0?K zp-OTX&J|$BB%GZDXkpdE5DBG;bGYIZ>Xs=@GUyr%QGGxBI8h*@?6$j$zb+pKOTG;4 zQ`AER{!Dj6@AEK|dFrcJX`AiPB{z;LI@*9ai!EVQrwK)GnviD`GO+Pf$FkzUU@{Hn$w@RBlnliw_C_^UBS;E1zTb79J(U^!eTzf8$ff%*J(?4GDbN*D^GxDy(9 z>I5A4A@ne_=?FWWw+^`#pUZ?L@Q{(+!8ilWLk($z+kFd#{f#B?1?XuTaw7`KdI&D! z36p}pkKU22ue^2&Qi@h=1(Nbc27DW{M-Xrw(29ZDzxhHN6WPmynS|ReJ*60CW`t3}PDXIYKC3w}$ za{-{w(?&;KlG-3c^nLDFs@zO4M%&K$WU}2!Gn${J3c$ zt>jw?%ro_ta-A0aAHsRcOwBMxD5Z_O#Ja-5?_>jWVXEEsc?S%i07jHz9b|5c|13_q zl=!_kHhs*B>Qp!7<5?5-#PT!5!lrtcXsVlYmK^PB&_L~Ng?kaRKOwd5u>RA@Ob6+I zEjT~(q{krXF@+XdS}5{ajDhX01(@#Y^s9cd<)zliO#zc;`g6r>)0$#890&QMpf$>w z*^9kNaX?bent<;RlSxG>h&O?UJi{AQJdKRF077qPjwP9oTmaSgyDq4=*kxej&5jrn z5!wK>iPc8`V8_wi8VR-Z=aH}^*ThIZBAI$MODKD)`qsmeK?{4N z$;vyPPayG_s}fth-Egl~PkGG%OgS%p>OKEOAS&JtXcYR;AE3YNSRRE0g!6arrO2cl zERAd=BzjB}3c8IWq@7lwgQmqfC{w{XT^Bm6=R7tff^iqRadaO@_kbo$oweapO<8Tf zp(t{91}a*{z+sP|irTgvSz^&>^_oHrUxw!`n~1GDIBl5cZp`#01#ffKATR|TGB_(B z@ARjM%E#BO#Gy}i`lmHNml8IqsV*XG8YD)B;Qfgw9hjP$nvw|oX(rj3qC3TzFA(1x zF{spEGf56Ov?a=ucTj-XTM|&M>v4e#%#o8LkMYYg z9Y*CYK#?gg9G-kxjQDExWlmHaK{cb0=n0J2$ANZI#(^_!PyT?|j|H5DlVk3R{fCQ6 z0~$Z)1OCizB*EV~QD`AR*VYd>4{vQ>rGCXrk)@bB)2tzT;TQL`xkwaKsq$XqYCTVJ zlC-XGZRnzVh&l$2PB~kN#^$5h@uvp=tNJQ)c>Yc9IfW{2jbFA5cIP7L20(i=Bh zLt0^O0l^A2AQq0=5aaLXr*=Es4oZ3li)?yGqw=(Btie5vL{kT89*pau$z zg;#s~oukP!Q^fOnJ-DRO6i$oI&qg#iwh?^t{d5zOp3rQuT?F53xUHfGph``M#>NaK z>~Ma){3M0RW-`v__HD5_9903T@l&g9n8(%jmYc`+Xcn7te~RbrnHO~@GFs>%`G?r| z2smXY3CXYkt~2;J7emJ@M9(x9!N!-}^-G?1M@0_FxM4d~`9WBCf4RR(F|dw|^&Z(E3Vot>DX>GQ_tO>UabV)rNC2f11;Ne}gzDmO{C;78kOctpIN9`I4IJ#D|I0MK*lc{~@rH9-{Ty0^7tGFYQ zi@_;CVZ_A*^>p1s@HK;FTWPKVy)bx!8Sw=r@`~_-Ah;jj{)dN@hDheCY_Yh?oK`v< zW_zE9n$9y_t?T^usrIa+*$~ZuVMz3H<=P$^Ob(jtw)JM}A|HwAj#3`QC*9}T6BA$M z!Mn+y2@8c=eC;WH_{F zhHN1kUpZn9@ME7>1Re8e20gYX&-k+*y*ux$7#a9DVUbkPAi!ymq#@O~dBB%ACrXR9 znpaysNZS~FddcJB)C2e{RjM(`*7(+}-A8UJ9(*pEdjQ4Hqb;j@Jx8*Dzm7~zT{IBJ z5mpnLer$#0MAHvwIMi%JUN4FEis4h0w{PE0>b zfmwsSpO1W-B^xifMb&PkG!?a>Oh@aqQDrsxpm8KNpayce*wJ(I>r!v2T)bx*k*{*a zCsF}qi`DD(iU*jg(O~-NKgQA!Y%svKG^3!ltSlcxATGdqJud7pwj+K8T&IET6a6qC ze&?uahb-#c*}1nUpEQuzrDMv3q83hc+huC5Fm-?Df8DPA>`Nl8K=D2g7D5(yjFK@e z`8D6ur}5gGY!1U?7X@-c=zfv**cQY>oi8t#>F(VwBd~`O;6(R@l^_$@o$Bc|o8L^* z>yiS>tz(OCf$jVbvD7&31T1#mkSK2>lxJakD{+g{?~K3&amS~l#M$7_(wmqu?`~_=BfHC8w^=>IINzj& znhd67(6C#~s=1dQWA!Z@km&Ay1XiQZ=k7bW3{awrs1jjO2^{&as#}Ho@;1`|$=Asd zO~>=jF7Ui!jSUY%t$axZG4ARb*ULsgJ_d&WGNjUaMhooQSJdguW7K?tJ+2#My=Nj8 zqB>p?DUThw`#h3|I<33MITG6^yj0qnZx6sY6S})50GV46T5211AuF40(qfU6;b=;Y z4PPe9@T$Nb^_~=G{vb#G4LOAEgO)4`|CEZb|BaRX4Luj`2X86hr0yl)Aijf*5M|G! z?T_9@qJJ{A!CZ&6F-Q&{#<{88BPv%{p5@ewO8>0+esfm`%BG&<(0Uuv)?lZbTw;sJ_=jP3edXE_<_4Hbkpm09TYO5MCoQVSE=rmdkRZSK|?5Fofs zTjVUhumO$7F`70I-uS%a7rK;7%?_G?z&J{>F)Gb_ zaTY%WJDt652n?_Dr0z{+I1-ue$D_!OuEh$M)C;NQ@b4WW2U>NV2TjX>T+8@=I)bb0 zv-5{Q6{{brsK?}b$?JeX`a1~-KvcUbHg_9?>TL;O?{uY%`w#KeK-QPvt1UNZ_l-Nf z&{yN+n(sza*2{%V4?K9l{T%D<`5YEi!XRi`e%lttOX2Gix8OP}Aera3v=B&zN_%k9 zO^%$RZLU&M9PD*>z4gA7?qCm)gg=OIN^pR~@^kf}M!(pYwkhI~p_&#vP%(AG>feE{ zq7IdpFP;8~O+1c&dcgN)_SN{C91|Js$I%TsqmkyNv*yztK&V%15p5Wp6h@-4eW}Kj zd^Z>jndLCD==Qk%aNnr$z2s`i6M}_`|6qRTV4}&WCDawC4)K+9jTc3a1DrZc8dEcB z<=ZKR;AZ0a0;RNe0leY{=Fi<3M4PA|YLcwVPtMjYDaG(^baUlJ0>@hRg_f%c17E}2 z>Y*yDmiuK8BNMu2zfN5lEdX|{+w8W$GfKt4b!Uui$>x_%PT32p6*!}FRL412HL+Us zQAZUW^NXF+ms-AG*=wQT;Ni(To556rCWrR1TA~oK18jE(&MqDg6R2xzq2N(-Cy>!%2Ba&~M=<+|qWA+ugP2#j% z6kWQ%s;J~vlvYFfDg+iN}1=J$_!CXU*3Uq^jzA6PEQI#Q*ibA%yteOVs)b3zPfS&j$q3c<& z?Mc1e81>iaqhy!^1+OVlD>T;fX0>$$j3qDYfrktt(>f&Hu0CUk{047h&tCF@eRMQNRnIrbK<*<;MFl1Eu6Vyj=)4-p6Lo zBn&bbn%8+(WNTRWs|KKAADK7>aD~}H3#HGFzbUFpHey%oVjKt|il`Ni0di&PuqAV; z-aH=<5IAY)8=W*Y!nVhoVmC?6$7>AD%0Y}f{sK6RI_a$on+*54Hz8s4?^mn9zG^~P zio+F}a5N)H0#p@rELrGMwnl*1>f5d2g@g~3w6s!|gNNxS%K2kx3!bEOrOQRu$r>2Yo2;QWp9}C@+ipNL^_g}&`pxn95yY?|<98je6_#Cz{xp$HJTbEpN z0K{i_3lfjRe6Q_#COPl}E$n#qiE;rh+%O6Oj}*@db|#~M+rX`O^xC0r=;QZD5=!w( z+NEIr&9mb)Ky(Dp(MP<*GL5mxw>-RS(ymyifwG{*TS$!X-s4n0S_hae18X+pm?a*?Aj@|M1;?k8Pge5-7oi@Z4NM&|q3GxX&T?WrlEIqeAxhzi6-)!IN zwCE7X2>0yHjAGGM-3E1e1jiPA)pFe)Xv#ee(el+9kNaBegm&aSWKsQsJ}TZjw*)lk z*T+v^Y^M3(k{{JVGr@FGr(%5_R^hRLkv_@L_0P0VTfSHooTavMcN;92TDI z?Ir=V8wv#RlfS>ZzJJQFRY4jYcOWpmfA@p(P6(IWvqeigEN6=nYHIPZW3iH+82aL1Icmk3egDfYQ*5gmg@ z{cDXjy_CCE=VG0vY!>}AG>3H@L>sU8BdW5mpNkg0&)CfkC2}gr()X^=e|t%l_J^ z$?>RBV+xZ+CGSCUi*F~{geg24ZVhJGIN`c*!tG9*6#=a86)g$m7-sJiF(~(#hR=9$Uh@ zOzmBjN+w%AAY~?25G$uf?{d(IHpB|wlXr1-H?Y!?D>23BK?~U+u8`^?!ItVYfkQ<_ zr98OY%lMi5S&sKjUk|&>O^b%kLCb8T2}{qoHzg%NYd#$Hzd74Ui(ZM`OM#cmtEh^M z4#xTV{WDpmBX&(`6%vZ&#@f_j3&z349>wLR47xv?oAdr$W%kgn3cRY$b*0-IUi|{& zB27vSjIm&I*CK6h)9lLpj2*Ml+%!y88ZHG(r$B~w+hq>di0Mq#m;mnKiHT^`D7u`m zy@p2SsceSni%KPBT8Ofh6!SVRBGa|V0BcpU%z&g>p5*-8S?U6 zzaR7f?<=;+%+~@lU6UUq0r@mFuT@m=MjmkjX zwk?{Xyv@<`wXfband~LB$t^F=NUDG<(hrLeQ$RfM>|{oXYh>u#eJa<=KqyVj-JnAE zdrLbUkwIal@g|I8qtAJ5bLeWF*KzH}DPF6}d}6&^U3u33OF_AitHyACHgq!JlYtfC zFE1ZQD%;b^BK8UJp4xlVV|FarKv9;L)?OOblD3eaQIs=2ZULCJgepv`l+1}hpvI9w z4ca97y#MzMMTxOQ*U8bI@eAM7_a-=`cI_NbU{PIAPmcROTXK+)pnfka)oR64Sk%#( zh56D9vdLX)a#0mzIsE?Jh?6K*{}NIzg`Z@&2aji)!APGA`m(dTB6#|l7ya-LL4{KF z%tNkWkta~Bp-&pf5!|0q(zkXhTwJ!OgUwA|9rrrEKILYg(3v9##4w~ ztk`q#U0q_osn+m3N6jrUyHcqC)c9V?48Tdu?uTA#qMO@dXEf}akI$!ST029k(-q{g zkGp^9%XNR{ZKK93beG)iBTjJBTHLX>zZW?eSm)|FQ|LUr`^weT53?>V!KIn&{UMAr zy`}L-2AeF*anIphyx_@ES_Ij=7KRqqpJ$zDbSMlV zUv?!-5?ko`3T7s^)(#m{OVxTx(OiMCztT^Y_HG_(BWH;xM)hxxB@-lVSEvqZ_I}$M zdc6gjG|HY4)dl)a_@@^VoUoeVJ4l?7_*S5-%=hs;KcQ#ch_M*@`lvLNl$$)4?H&$| zB5!h>t!S0tif0EEMG@fMJ^9OPn$yQ>t0ik6CtHoZSL!-ZN>zUBvMTe7k(Ok9L7`XK z!}ymgTZg`QPC`x*w*B$6wcj~urU>D0q~dsVcKq}zi*HJr$t9vaGC4xd$p+U?mWy6=6SH|KG|bib4W!|TNl%I`u_E{fAqpT zbqGcjo$=y37xu?q;R^5>JSypnvsmm@2fXTMr@~VqaN7G z0k41V7WGhJvn5WY4BH$eJg%uBt7-FhrQIr~*lQ4fGul7imYPGL67rYsJfu1Ne6{Kq zU%=bPN-VmOjzplTKBqZ*;A%0ZIEIja{QNJD;3=q73L+4NfK=L_17IDehlf|juU7ZB zWhnl9X(m761_bY%f{lcmt{aRgv)#6~N!Sm^K0o)^zt6OuQXZ}MVSN1bDQm9AMo~#A z$}%O)!xJDf*E?*X@NlbLN_9m3y5zm{^fVj}zl49W!n5v(b;k*$YD3@oE<>E}rm7zZlOy z+Dk62cag+nWNK=|8Ww2kysB#6aUTxb$+QN-!I1{C7A&FN9DlKaf15-cx%_MmGV-8$ z>IIa{7lBw)b^20$5gFl?6wKwvr*+(}@r85PWF&=UUFuzNKilFzooPjSirvjlEvVHz zJg*}nLgM2{w?{7iQYdq7Wy**~Hw;IzDYz?~i=3~eU$;i_O7_&ZXxg?QFhBjxxZeq5leNB&FQiQvEc53`F1V6Q7llY0g%w`S^M~mhj-e-Fziz>*^-u^Ql1vPy}jf3YKEb~+qF>7 z*{TP>vHU0|ap=?Qh^*^ckL8C9O!S-Zy?ykQl9lS@Uy3Gb722GP!U-kZUWUip1Vaf zYt?#uawg(`>6EXW9;-{sFqV-bHdgng0F#I)m0U>TYGatjpCe{-jWuTkR-rSa$HN>X zo7^DDcR`T0NT3;B5L^*cy>;|z*5P}tbCGPjIKd^6-g~xF4A&0*sIQDtO8=D}^9o zz|Cg9xgf}VenBhiLqHe5{tBAo-Wk~J`sEabI*iSqz4Z43y#grW!m^3@uG*jHV`1pK zuo@g_C7P1+|BJJ?4vKSI)`xcpPLLo&a0#x#9fAdS2=4Cg7J>vPL4&)yy99TF4({%Q zJHI#k+_UdJcW2-F>Z_VRrY4!1m$iEJ>VEp^r^Dzwq_r!e4FZ3fJdZ0)HQ5u;j|_~5 zShPN%&mnx1ariOer6pFHK>PIz+K^p=QYoqRVq>~&S}UDZBp3|Ac1;!fTevRKWE}W-lkz!`7pC^^nxjiuYN!DlzgWLHS9p+eoW?`6i zk+%|$3Z>@}Ngk#Au)8x!O4ar!(ImEFX%V9WV9Unb%kPP~px{smr5SL{f4?B7o$$(~ z8f-Gw!fG)TR#d+WwhAfHK!k!j4BENhXVsd#jzFo6Xk@hdVJy?M@k|Bp*x4hWc-)4G zBN-o%ZWI_&;rjqfaXAh}_Id};zpOKrXRl2kc|Xx?h@@X?LJ6bYEU5K7>MfSjpYQJf z$2g$p$te4G!~CyLI%W`ni1&ac{5R2w8nWL#s*w3*yf*BkJ_!<%=AxGNtM%K@OU!#q zymLrl9LsZjlPO~j8UFsQnB#By9FvcdrnB+tPbTs@9=jhS!$Y%-59*bU5@;3K-oE~7 z@2+L44Q1|qMtgwX)&F;^0G_BM6*&7d{KC6Le?R*pXm(Cc8CqN|xma&pT9v8Vi2zR* zulCLmUrSr7KxKm))+Rmt{IoXrmh;5YI!V!ni1F^^Cjz(KA!|=}_rx86XQ6s4Zb}N- zCI&;+tjCDDzOm_2-7^&fL!=7Tsm2$p@C`oikzA)wJ&ppS40--{KZc<#wOrvj~ zV<}Bhk{XR7Fk!UYe2_YE9V^gK|KY;YQ-Y4>M>kdK>eBnoBX)SeSM*?8A~+YTl3nK? z=g-)#2;0-GOHjC(UK68oa3pq(1_Y)Wg_0ut<3VDk2d+%!-=`#X(!}iS@#}#qI4pYv5!)CngEoGtB0BP3J8$<-;Y|&y449z@yXZyVV0;)Zz(BjjxiwtJ+ z(C-Dv3co+9fCtm_gx0Ix`ya!g_a@|D zkAQK=1KbMj_K!{Yn$txpEF*6ip|#_@>9=*?O19M`|1^A29%(Eb1W#nrEYeUX{}n74JXyoN_b%?}O^HZ6Lajo94W9P{Oi z*awv;kKg!SVkxvw6%QUf(l)+Gxk6 zmy=rsY$fhCe6;G8#Fb~n{7^|8%ZM5 z_42|G3<^@PvMLeOXozbnWZorX_{~mrg#NlAdt&^{{>d7FBt?^&2qtDI?7)hByv9}N zoGXh+F|NY2+UtBB_H+DyK5?7I@$SF10RFU5=~m zJflP2bNuGH|6J25c0Zvx?E=p^-q=a34|&yBsh`IGZZK*XFCG||l1yHD{{{j5^9c7l zKx+{k7Km}_7O8efMYh_!u+{M0YxClZ3>k9ZeW&-EGgUzWMW9sbd&k!2IKB zdj$wR?0v9R8J23)CO}@l#7?=Y>sOLft4Q?TXV*puo1)yn|IL>t0y`2HXm=g@8Je(M zK9d>}PLzHD8@2kR!Swh1h}oc0aE-`3bu@lgE2hU=SP2N z06@+=31SM0AO;xicynN~RIb$=^Y)KLO#mP2_lG;HPM_@SGtxyvfEsx1c5%bh*wkP& z%a^3JuosuthUAV9gM=wwZo%Tsr=XyK$ymprt(C&Eq?QK8y(9ert=%Rqmz7vrs z<0!@=PBNXD;kOWW6KgBIHzhKFo$=TeYi3WGun7esbG+eDCLTn? z_R@Xx$AO{L=I3=sPA5;^j-o)gq#o4KlR;dhQ~!d^VmVq!xQp3pF+B=jv=)~&4`{PA zR>LcpbwQw0YY8~Rrk7B$n8`d14wmMTztq0D`tp*Rot=F$Qg{UdaAL>D4g2=ibBVoc z=FWl9;{6Y%W9bR*vZ?&SK2JT=w%^vfosH{GTV{S@_XNUNA2quqw68>_^P1apFy8}9 zC~s6_4kcDLmZMt__p|OiW+c=?`i0&Ll!Ub^t1XIR=;Ru;7!?ZCjei0b`n8}#-J2&e z7f`o~y$7_WN`g@v5op=BJKvIYt9x9PVQ$zF>bi6a09oASP(G^H$k?V~6_ zPr}R`8Wiymoi~z_n$zIBCRF3I#r#r=6S5AuCLdCrz&mM6CupwO&g>GF4r#*Ir{{q;f+_*&>v^vA569 zho<6PF((@uIB@|!1>)i(5#;)`Ep?%Pe7pruZgl13=z90(w`^sW4A@eQmQTQZ)x4sZ z&tL=5Ff(xC+NOJHCSz!zHam}lt82^%B}aYlGbmxsLx_)0K~Gf!XUGQ2NM+>r(qu7v4xZ#G+wC zFri$&dgds2$*REaxHHg5lr1Gnl;a+iP*K$G*XH>-kyjYqBGRb0p^tp$t~nyQ<>bg7K+uqHnx6$;rDgE&d8Z}4nfsqU(m1b~1Jm7hUS~SL}e#VqY z>disw)76!;P5X{BT-)D%1>PCPM}P>55XL^%F`PovJQjOl`pvTqx(y@Qqx? zTu(&XS07D~ylH` z175X+%WAeJ@Ye__XZxpN^Qi(s?|Fu9!PKV9SV&7@y|P-t-cojQ%SX9yo(;{Dzlz6q z&Iez!{j=?moIf?SF3S}koD4iGP7lUy!lr{l{zR(8;h;3@Pcl|LucMt+6HrEGy|8L6 zVbR*rN}}GskFbd4F_m>sFJGxi{3Wqn7n59X6Jwqtkm2F%t^*A4(V(US=a8rH`1)NP zF32q}FL!^|hdv-Vr8~Fa%YH9cMf##n+3}*c*NNy3D1!9Q=~J;W^6@Vn)Wsv}SN3X{ zKt28r9{JOID?$%$Ipq5=ZsmURn%k39Ba65_VUC!^A&a6bf?PXfetOVBo6doh>ABJk z)(EJst*@u_CNa0Yv5g-|OK;e_8c}^)Sm;)@^y7!0&g=CgMuBJPgYFj5u#nOPJ3G6I z1i6lM-kPW;r^EMc?q^@4*MD{wz|DdVJQ`X6z60` zsN(lN2%~>*L)coQKK5uhi6;v1kgRhQ&5kL2wr$b}Gqu%dU2ciP2}$CYw`Ui2UpU#> zR=;9HzwaRPdkZ$rE6&B;_%K^L1zdFD+1A^*AWJI~8YZ+~f3KT8v_XIxKPd>{$8fwf z!-1{>y`XHi+C+4Bn@MsC2mRNLY4!b6SS!IaW@l1W6N*ktkiaNPsS^%_`8ro&l) zR>F7;<@l6F!@Qk?WDQhzvJoD;Eoh5&II!+-k78aB1nT6H3fkSgk<>*DmKHS2CFR%jNOAf zD^{6yyP#u0$MNa7Ats|%n_Gy?Eim|0LQ45=tXyM*Fd#^AQdI}IkL;4zT=})zJmR=( zZN+48*q^?kOM?&vw$PMPU&u))MW7(q+VTId?l55d?>7&MMM~TolvftU-vP+@jkRY|6{qf7+$?i?$>*g zGtbbzaUpo>VwKXYqBt?B6LNnckWNKd4_5Jv{Li?d&7&qB) z`SxWtxI0NHdw!^D#ME8snxkAW5D6QfJ2tZF$^ zme79C*=^fAN-(d~cV!&|A97ReC0_!z!V)hQcblA~dP&gPu1WdK zBXiHN3UM|A_geYVYx}?AjzmJM`1IaLnyOTQrT25nSiJFVh}?jHsW-%T&J-J)UsG

    zQAS5N?X?0T%-Z18*}S~G(U6|_?cHrn@c5|UZ)tW<8kdPMMOS^O{YQ1p3yupw$Uen^bx;McOwV| zSA4_wPLx))RPu9&0WdsJ=#K{ZP?WdbNtJ;11U+i{X%d^mZ2kpAjOb1Gd5}Y&4d1U2 z2^O+=t*{cA3k-Tt`h=EkN5qfID$>-efYTU`+Z8+(WFZu*ls_ilJX(&kxy5{_XgYjz zV%}907b|C_<+$n$C~v%G1xRr2rM?@N4T4Ke^ByH~EUu#)=F^o*(I?2GW0uc@qUW`@ z8+Cm?&u_h-&&y$_A+E!^F%*-(_+3D(Vrjn5U#M6}8b_n9c(yI_6iKZ{+>R++CGYTD zcC@*3P#m{`QD?>MHoH@$Yui39hiIwn?X`llqDn`xJ5wx&9;B53;Z$^Fw0D>4I^uCH zXtrZA^Rl(Ojaz>zQf+oA+U}ijDJ3UD5}CSwhm@kWYm6TY-`j3SLZe$(5t?dKm=%(oXqM z_s4Nx-eoZfR@mKGu9P<{`+4 zfdvr6T<2GjlRO{17K9@qeAol8sJwRHgj9-K^v3$WDxuDEL1r$%#3t5z;m0S4LB&il z_&J5z6f&j|gm^!d1yDf928ONeG?7D5<)Y)~-k#1%nWPI|5d9|a{8s{RmGXz}dfoBQ zIXy?Gj{6hI1Tl+UB5&q^D*{gOE0?QHgHEW=gZTo-=rb_kqHHa%?*Dn&E&B20DUb$YjA&ASrFkLQys%wMUJ8r|3Ojm*<{g;y2u>dgk`N>pLBJ+C`sgd(^kTw z1`pk+y)_!~w*F|g5JAz+-+MYbu<8{O17`(WQhN_Y4Pr|#HHWLDau+EM$ftsq6UB-; z@MV~#n)3PFs$h-n4!g!X&!9RJfDTTe-QXs%y-~lrYqo#op=-U7q&-0}TiccK3d!_% zsa?*dQwY4vDE4z~B`PNQL5ts)U*K*dfyn%!UUx{wCem<-x)zV^+h;T#&3xIrFqGqE z34sWrp#i7IUV2>C3l@M*5eK%46ArOhJ_LWME7O%}4*2w`FFyX=(~fSA< zy7JBEQaqe5fC!cOqerW$YhuYhOWR2#0tA zO>Rk_DOD@-j(4|)Z}L)CiOI{>@Sp8`9cH0M)|LLKFUw&4+wf@fKLKWe9Wk#kuK7g}AEs%b0_hor1u%U*jmnTMzK!eV^gq!Q+ z!qc9D^4x-;drzYi2J6!Gmaeup)TMtEI&9w*xg$4uiH2I-H0$;CI@fr2X;|~EJ=rW) ziK>uC6#};s;sz8n9dX6Z86A>CZc5JrIh=DTvlyaj)5kkeUbOX;oS(~17PJyQjGUbp z7Ehmf0=NGYL;KGI^#1kg2ugI2ZRAsve)dZDAIVxW znzhqu+&XP`X->9iv}q~ZGWtGux0A1R`yC#7lNnf^9=|{psm9p1eB<;TH*m0X`YNXx zh4bt$xNMx&R%I+Hg@nYiGn@@1LKb_4d?6t+HBfjY?2+N6L#Ny2^Er}*HXxE#$ml&T zoPi%)9}?E6w9m;f{t1cz)8Ukxb#)&~=T&bmp6@f_0 zuU2TZXq?e)G-i!o!GU1U?s%Pk67Mh9hJ`EHTHX4+46|V`*QQ^z-1-Iv=)6e9nzw~g zQOgs|J&j1%-FZF|^S-AU(zY`?S_Qza6H^l)P`^<}AB*F_-nY|3)PADAnYbnrZ+T6GXpwZJYRz1*4D zZEk)VzT9jGU(VUiK%C~X7|^@RQt>@!V$$K_>MTpw_YLDx^WMpjsH3UUZPB!G9Cm;x z<8x==q@s5;^Br4gsTE{L*n9bgV+n=C;2hJ2jjKeXB^a08SEY*Ahje@^9zeq{u`G$3 zo0Xu1M#tK3Z_bC-$y~C*S`8mII@SkJ;gI8ZhF#8dF>>x%BUjl<+bY<5(+M^@+7o9O zbh8lX@2~c$!E0@{t+YEpKWLb;dT<;)GTm2vmVGJfQuTHRE;h@hkBA4eTlmfL8_v7x zU}C9ze=qffU(h8LO=`)sQz^5GdctP`Uf32HT5VQdpT`8Y&tDz||pVu1(4qZMzUbbSCl(ET4rQYg-pssl9 z1-7skUaejbFB#=7@ba=wHy&xrKxeY?!&EI|b^bH0D4W*^UP-H`Q+EB`waS1*Bwaky z<%DLbe4q}E?x^0&k3E_Wn-MvArStui^(sEg((A}p&}jYp(2IPFTX#RR<$Pt_dZD7H ztfDnKzjB1Gc%RG2C}$4>W2SYgKiUBkdT>hXwV2ndNdRU-+}?C+GVc}})$X7%Rw;p} zvv0)yR8gTeUOJ#VArj23!xp^#RB0zl1dI|348V7zH*}S|lP}N{9N8a@?08SjK9zsY zrP(qL2cl%qY?S;E@#s-QQKaBL3q&%)oE74NM6xN|)QgLY<6^mz%7*gtS`|YCPYmO5 zt>UKDH~gy|R^JQx0eoyS;|0-RL29#$l&jaB6F(7~LxZ0b_LI);L}lx6Z~XWyc@(0@ z5XDK`oWMXzv6mOGFC=SQXor!6_-B}fGXG`jRmpX9(b!G@y1%;+akro7YY&Bp!Q#7& zGV4pVCS{4EH0>&{K#I>>W2num>mBK(oq>pXxPE|D(*#FK+-UK=iuy^%Q&>|&cn*IZ z{m?ARShUvUfQYSZVckFm1pKcX+BAgT=b;`gP^cxYan|u?ivYXS-l}6h`$=w3)~D@H|YPr%Ll#CW&Gh;pVK5pjPZ6@T)kP=LmJ7F zBcdXt>|STV-qhMDbd*IXHvo+wbrNOkbX@!)vPJ_oxj+hREWt$G##H-Sw_TRNAdIVb zEo(MKafT#(ayGXM&s&!xn4co;r%63kFP;u;qO{g&kfOgy5ZUDYMZAV2IlSpGk?1yhg$XO4+dpm3=|_Y7lauPJc74wW&BxKr2DPA6&;<_1M`}k zInL*u&?Sz_Vr&6j-Ndrx@1lSv&8zNjG!gWk(hrZS)K2D)7D#ij*L?E92E9>_A8h6i zIL_2Df6RQ~JmovvC~qHvaB*=J((LU*HqLlI_aHL`tw_-6oG~h^4He54DVLFPY&6Q& zon=GwdGU9YrAw3-6ez>2;)G3JBNsVRO+N(yqo zeDB_NnI-sD1~8(TTw>ev15uhY@&q{05$&DW>c?3LM+s1$>flN&&DKfbmafl(wFeqb z7T{EJ#FBfR+jcGCEp;wlWqAJr(SGytqZ8H}fBszf32lazKH9$}h3V<(f zVuI4mflzLlrA<#+b9l&H*t_JuNAlk+~*IemQU0qR_Ef;y6klNl^R`mwqjSh1%Wj= z^hJdNfu_bRS$gh|C8yC9c`;O-3V~HfwC0BlVcN^XSjVrLo%hIKV39zKaq4%WS99E7 z$VoChkj?i<8(RQVyC?}i*ghff*0Yz(WK}a52kRs4Seb_aEj|mrs~JvwHKr#%K({D$ zD?s$>vpgoOs`0WoPv!Rh(A2fT)Y9K^jTv?mE*z47JbEF7Q}^j|=AH;wZIgu|zx|^@ z3b#;;$v#IifB92NkJ26%Z-6K5#)@O!zRwI>zjA8u%NK?K&wPb7lDWY~=MID0!JB`{ z!)=6EM;qux$f(<*ERve{(SMcNSgqR3?u?EVLrlsZ7q7lS_q^gsfve9x7$4#hR`yS1 z3?p(VaKLnuZ`4v206`a4mBTg8CST7Gz6A!8VxI-uh>9;a2>3g&873c?cRo*!^50oXE@WwQ@9%>FTF36fiUM{ly03)f)y0xUeW2Cez-22 z%&$GJ@_d1HGvMA@5X4b5L#HWp*aQQxJUUokxOh%&)B+N!mb1oU8lRVOL+#yb=Pa#y z{5Uo#Wp8BE?3r49ARhXI$nrJ8awn&Lc7YRBqUU5~smeTQX@n9pEO92sH#_A518f6o zB|mP}t#VweC)(v~EiNq_4ODsPiq_s)9(!rD>tk3iRm7j|4AGX3Tdh=#zK^A13FTPM z`G~h?MZRmg1{<_=CzHw~RZYWgwW(So)NriMZCmFTR%oG8{Ih^DD2AHDTT1{uvH^y3 zIX7jf2*d`>Jk*<(qlxJxFd*#kI~PyoZ53~al82z8qH=J}kl~1mSRCh)c4~;9PD@D? zt+`KV9nco0PGbiWd!Swbw-K$V#1-0zNwsL25d*q!x4fni{{JT%G^DaJBF4o80DdK%v zPs3=ocd8mDyY9^1;rZQ^ywL+eWWV!Ie>yEUedw!2`0TEFBE`qg%gPL@S@J^8R8*|d zWkI5fR-k7kY}<=iT1}0nhgIaR@^*avZ_`jc4K{&e#>Y_+j5a&m_yP{fas)LVwQzP;4;|(!FPMv zbgESRqQ(6D=~Gng9gvJ=-?HQ@IDlAchB;sO(S7(Nz;oWcq{O$(>E18pNCn_MJv+K4$j1xD#+J7A8@_3ydu4KK-(xO%C5bZ3Q{?s!1h=d)_ za57QdI?*|uMvd*UJ%2h9^JN)p#sr9SMJG*1GUdd=V}(8eN||QI=dt1gS_F4D6Xa48 zt}EerBt)ngH+9RU}sSjVWu=G|p6iM}6DXLX_ zjuCQ|)1|C;*sO9sy2G^oA?jN;&w=H7;F4uo-Z6sLeNxO!)2wwes@qVYtvQ4cmWRsg ze9H>C*3IeASgDsvU_4;lYSbY5i11=*;qgA{(K{h$6)95ugl!iF6>h{71SJQi$A)9{ zXuTUGTTd#Bqx@EHsn3-J_f6I8X|0}lsDGk0eVgcu#C4uL$v;+HKYdDjA1gm%1&^4i zo^PXcnjJ7Q?-`YCK6WX;c88FKYqCYW7~|$a7OduGXgiCon^;3}+U~d`{%qu+<%QqV z``tA)*Oj_6+2D|-+pRj8jV&L=BhyX_bY2{4x}bu%pd_R z$6u@xiuHyN4BMX-ic3|m!K_kHcpSEwET&@vtRUp!bT)!4+z3qB_Z?r~i?{{UptJdI zzcQcpSJJFG5C`f+>;Ot)bHHI8|M9~`2wmjuR+PYng2ZS7owh94mdv@a!u^1qdUp*9 zOSg!4s8zYGh4*Z}&goXt-DZCz1qMsWeGaDUQmqbeOJ7DbdC8gJjr zpgh}y6h_MRz+@j?mp1^vr0L+yjima~HblnW1*T_BT@;CK3jg_tLwR0&O0nFsy6S8!^{t>!UNkLJTp|jj4EFAto(?h{Wx5)mgIm@NOuRh`>{^H z@lI3CgBfK|6z{rS?*|m@0HtgivwDo0waOyUUo)8WK+Vu|v7a3N3_8j9># zl9(u^C(Q;L?C>b>&e!4H8r_nuc$q0A;mw;6Y1#UWn$W=&2b3ttq3wcC{LWik?IQwH zF%9A5Kfqmf5tTXNwL5+lz4NB?u}qW<;h# zGTB#9wI4eIl)q&Bdn4vN(-?X)n2;#a&b{8;bEoSMy=8rj76p~-sB0Vy+Fuzr1g7$* z@~I$V#Z&PTg|a#Slg^|@^a3=k<@U8gf1oUjw7Mw~cL@{Hy9s1s7EECY^!bu(7U-G` zdQ2mA1Uw-ebT9YWvL-w4J|P0U`ka+dI1h6>HG=R8ZTApUbNjsbiZ>a)XFmNqZwn0T z({wJy88&K%8z(IN|6zAK)@Q4oBdbh03_NSi4_i~3@{t6V9f zi)UwX$3CBZP1uB&Wj}|IyU; zj9L%~M8Q!`t5R%E+_dJrJ3iSi2GJPy?b>Yjt40gx;Ra?}M?0T3J>Di{@0RIhcaCV* z=U#pXMD-=4aPS587b;oR;ju3}(|{tV!m7=AypOVXuNX)W!rdTPl781dbOI8RBo|lq zwN(&8D9e`VW2kWi+Z@?40sJHbLm%w8a>dk0_}9i3!b{w>uR<#_GHvL)IQ?HWA-VA6 zh=~3wu!PdZeTqFnbs@O9Y=A`Tepr&?je5D_3*3XEh)X&rmc*PJt*C9TD(y~73HiLf z4+P3>7Hltn;50K0f2${U-W%6kW-P+@eRg;dOMk^gouzWCv&obnh010*KbwI>=V6TG zyhjilNLLq`eN}n9g8FUb=5{-iCJw!u*FVTBuhfvPdt+?e)>l?~g21>Z2wVsg7H^i$ z2ZDD+Z}%%<>hA5a5Hcsk4m0PhxJ>0(cGs=m%|G#c^l)Z`(R+Ya)h3DE zgv=VWf@r49S6gs65NNuA^c>)*Kln2Ybi- z6?W+8=FwqKhY{E^4M|_*`+ze{IuS!q8HK9r^=8#uWKr1R)prrZ1m8_wkA^ z-yALH`&MljS4tXJuGIi_w!|n7NYj;PA=g4n^|&4+x!;ydSs#*BMVTjNa7-PAUwPvQ6@&`+Og@VmTvuEgFNogv-U4+AWKTv4e63EDTqF}jPR)5Ty`iidjl?S4kk@-J}U_FBHq z1t1PtbJ)&{u%)hl;}S){W*(G$RX?<$=%>9CN1v*v(6_J<_H=V(Dzo{+rqitq7z;$+ zLt7NiWl4W`|9(qFtWLal{mrHKxNwT2=Kzcf(fOmtCbp1~yE0x0@p+=B_N93~T_@t|8CwjBU3TIpI>~GBVWK9}Tu;F8idbK#wJs zUq8ME0*_ZO+7Gt?`lvZep$O3Y9I%!2u@h^G#=*W{)@P0u(OxEt^Q8Y$-D&djqg1RVQ-0x^m1#R&ot1JA)Fd$zFg=3iHQMLZ5Fc zb$5nw*BRhhid09@`Ou40@jOHWp(neN!Blro1c(C8-w6-rqW7siF5ZRnpDc!caI%&f zqL2}CtL3%G;isU_7^d^$)Dz~zv%h4Sog+6( zOzpv_j)#4U0%uwyTr0)8P0-51SNx*L{PikHcyHV!hP<2SH64nWMWb)3Gh5u9O*?}` z6T!D3Q$p11BLx&uC$t)Ni`QjZiQ4gmfw?`?VnZVkpH>VyiZ^7ut*7Ugx!OXz&(py< zc%M^p^N$fOvP2*DZv0vugwM_G-B(Az?ksueVLHm<2P>a~kZ%K?9xf?WB3w5Ats;`& z0|@~%Kz`IVB2k)(IZ6b>y-23)INszu-RY3snTZGlN$re{_l|*#XR8p(IkMZ|$flzb zl;l!>8?qI`tTsEQ!?8U~67?p0zIB9>Nq?vxc08NHk$FE+=1e<}-H;lJMV~c2L`fIV zpI71_xl>{$)_V!jZ!_O3<5Ta;*~`_3nJ&{qBt%G-nw>KFTRqH-Z^)WWJC*jWj*Pa}Vb1gg85C{V(qpsD=YH?8mGLYmo!)HD?7vk8B)0ml>DjtQlRkb8*c0P_^Z{IPpB)Lo30Faz%QGV1G+c< zUb6n*Z^kg^Yn+Q&k&+jQUZyL#O0xqcG+qLDDWB4ih30Xix$w~8ZLdUpFKmV3QbNq< zZbsoG1nlF@S^N@vJ4VgKMMd*Qle^h+v#u1JPJ;-d2<;kn^)QNNRmOY){(ChI0i0$x zwk>M;;F*ymNikRJ>>}i3#SMla-{E)1>5xm`gO3x#mDz>oV(Ic-k>xm)0tpALcr!n3 z)4kru;k5|)`#kap&ur{4qp?IRHsOn;*I0me*VKbmB=4;10Zf*OR3t9Pul2#A#hm+h8t9#E^-Fg@8V%yR2@#1 zy-7SOV$zN4w4xQ|kL=sRHFOpCU*?~4ds5z%&1$;+OKK%o&pV-Xg!gq>omTe>gLLV@ z9a}uufaphbspK0tn|mMeV6FS_FC01I#u`!@Ep4s^%?j|5$_wZCs`210q~nm8(CE3Jo@%<9NN7cHs9Sp#sCT7({hEA&kaw+%P{T>KkYAb3v-l-sE&}kD)plj zaLnl`JhcN8+liMg^a^sk+Uy{v=CUMp!F>vt15}!;f|;VovzJ(QY9dS#uAs89h){GdT`SlQx;K!q{K{4#NHigkisIX!E}BM(wST7MO6;uVPXT_xG(xL_)@6 z%@7K#s{1;KpNx(5OvarQ&!9_^92FE7Xqpt{x_l`2AS6!UceBfjd7pvX(?@2j!RA~` zvAOL`O?Q~NoiN=H`Q39}fT<932Ab8DK9CI%$@!VfLRsh)q0u`%Xj!LGV+`SS*U9tv zV+->$63U3@RUD)Hx50Xh=9knLPkf=3uSra3zSvIB4Yg_c-vs`hi)kH^Nt}5Kfy8v&VwlB5e1mgx_dR4yBD-%;ASv##cpGNs z)9vhJw8>xbVv8D-6+IbwJ>RxRzX7IkV~-Z$#*L}@SVNg<s}U)mEU&ajgM&}YfeH~^E5m`TT> z(G~;}b^7TnT$@k-)_~ccWJ*Mz7U@|~P-CZTiW!MJ>lVm6gvj-CX{JmoR){Efr3yIT z0W`sn>|s_xQ%{A7D(tr*e?av@6Mkh8MVhR|0j>97prNMoUnc9}uxKZ(Q<4(#c}UwE z5ai~^*R*C6;Z6}yrfo}DpE7F4BVy7Df*De>TRUs48~52{_#@tU9nqvNx2t|!DKJzW znXx?O1*pn{;k+=s6n2HXof6mQfM!`d?AYUvHQN{Qh`GH5=Pf2dS5GIe5Q>St?GV zP(ao!UaPZW(t{fTnNAOXN9no$d26+dP}nI6k?@ffvtm!kkf*^TGKhmp4h|L@&?sVJ znQ{tQzFZ+R|M-1Gd!|rDiNCVObj7EMY|&Ds=mtHGT7^b}2LPb*9CyZ)ZmWy~8GkxR zOsHFRnxN(bsKJ8kajdVG;QlHE{bcC)>44n|6YmJ6v))8%@1+Ycma8)y!iReX`GZEIJAKA>kxWLH-EvXwdvRp8 z0EKLpA*C$ZeJLGK(!V;Ij*-M3EA(3|7o}mp;5*YB~K1jo+ZzOzt%= zrv1T;ZO-@EH%*Q_KQ30MaHbAPlJTNdkE@2{nZDtM27 zHKy3u3)mAlA529bh9adGPZxbu5UqK;qfRXyA_l*bx6iM1tsUsFCEYY-a6Snn(K$yv zP`SRwS4Zk~(l{0iMdVlz#*%4kYsxRwlrVkGYMS+m$EaaWi^$cj4z}(3BDiHKfepE` z#V)KT;FG=8_=u^k>>rznZwuYmHaww>j}8?Jl()Jm<;L*2-@BHxl-1ZN`i(=B&qw6Rcu)aoVhYxN zlZw@5*6MgWAys=&WKp}3YN@&#PIVGTi>gwhEf=;E^L2H>iOvpAo7X;;wEGSda{A&n zfk6y;-j#esXw1cyAJJF*OPw`(+c-hNhe_4F#qq8hk2?WOTIotpM3#mZ^z-t$+?QLp z?k6)c^Q{&*+Wej$u1I{ptxwfx+75JNbgi!|h;XLPwTp!&2z@@0&uO@NEtfT8v!rm! zegZl_dzPJiim=@49LU~0-lGo;Brk4}W(y=I<%oiAUtf&(kI8o98ovzNF`J(9rBeQG z7Lm_MqrPWsF;$4?zQyWADh1)#E=~t~J@uF^RKYmuoqISqpJPfN7Ahnho6s+vayz=+ zo6IvVUWkU&ru3<4sPz=Clqp4DHIDK2!NDA4C{a?eQ^eosY~7d46kGRq-S3?sjt2h^ zx2qoeUPES}TJxaMap$`eqho0ERjsLd=l;Ms5=DbVxBR5{$JS_~QjLA6&(kAn>EeRzMNC$j{@eDf zj3HICZc|}%U_#@W))1NOQxa=pJY$L&&;n|}iqFEVhannLKro_U&3{S{x1uc`vFC0JJPOs4ti#t`C zOjBLLoA!}_hddFfEFqAN7JCF7z#Si{eYux`_T0juho(}f{7o{Bj`{>ac8L4|_W5Ly zYrfT#5sUF-z|%sVXflt=)!=mT#T}mQ&`{&#bKG^}QyZ-=gTlKXi6A;1(jBchIbMbs zXWvuV2~SEU)X|cN_dOoSxfMZ6%&9yc!9}cQRzG{*tQlC}PrxuUWQfv|e3p2yuks%7 zny>U?x_raD_+Bl0J=y6 zBwnFWp854?JOmv5zN~i5Z~EMDxvbk#EaToZSQPfE_Y`LP&Yi&;Dnb53Ktb(Ku{2CF z!c_@sJN{o}!~gvfr}dj?vo83s_I}>eT|uK*yiO~kGc|ajV*0BeKc^Lz`ZgXIa)S@> zhMf`J#y=&T#}o^9(swYZk0Sa-)CORa6zQ+Q!huwFMcEc+%EzJcfJ!cNRG6FMu(CMy zV=5|~BuO83SI`8|{AYGPuQFBP^EnU>1b$#9QGoBdv|XrF!kDfQHw4(hHL6x0tHp!5 zN*d4iPNgn`GiB=INyf(0<>X9y8F$1 zqP~bs$O?rGZoTD_WN?sA)=8gNwz|B;(d-N&EvKaNxk)>Jjq{_$Jb8)7!@DcZ()2`u40!x zxLtP`wa{mx7>Y^f?SZD$vlJNZ+Q3{gln2|j-6D=;NiyZw_DK*9dm#?mTq zY^wh)kJtHrQ)&Nti(>)?D`8}BN6gmyk)W0TkhX}bq}5LEfChh&w;E5aKlU)#gK)BJ7MGcy^n>URy`59Hru2fA}K4kSxh`9P} zr5$;D31643oG#BmL8k8-w%-Nr`L=w9;re=JOG*R#`!y<2Yvz(LUFZ7MrLhme1tH(7 zM#iCv|Hs%j#>cs?d#|=}8mqBwPuwJpZ6}SbiQU*}Y}-1RZsV!bpuN%Z(*?f`RWT4Pb& zPIl}?&a{P0!f?W%lqoF8jbuA=xVib>D6Ji+(p&&=rCQ=Gk*Tk%%QGC1lMipiH&Vdl zu+pq!S>vM1{@gTqqra=#%G06Dvd(@Ouh762KTz$+So zL;o~gqob92|HPQ;6lbp&or~A~(hoM3%N zbH~Em8sU;8GnShQysPeF{o)VmOr?XXY4x4{}V z8EWt;U)wf~2R1eMG<}Q}?=G&9FH0>sQ8A>Jlc$O}2{8G&KfGhWy1q)nCH} zEV%Gm%N;K{jn3P&iV>w8R=GN5t@ndhcVnwNnr$8Y_|y>m%=PB$R^08@tb7F5@=`NN ztS*&=giRxxnR1%!u}jh6PvROsxkw-~JZs)mJfxsYYyJ_F6pV~!G;x}8JTf+?;>4vB)#9)dKQH`S{rYGmYeKG-ZkSs8F5h$? zOc>Oc$gdPkpxejhrs~SV*Gg@1J8F~`pw)(=PEsJ{$IT73PzLD=xpw(N;s_e#EdU~3 zfdRh7{eTxQ5Q#YWpEzww22;WO)sqLmtr1+cRUZ3)G`Dd|#3@hDDq$VU=M>P>E9N(k zynffouLkQO&{h8=fe)vnS1neMjBFKLdDd!F8Ls8eR36;CpOy z8PD%HYbOl%2CR83;Ipj8y?X9V%DW#kA`O*;hoBa+@W#d}x%3^`!SEa=HeervoZft+ z7vw{*FHrLAQOVL^vB-1BkcP4ZnVjnCmV_85j) zzsihqnA>%^p<`YW)N*&+vMDu z7kg6WJn!o|NjfSeCcti=A_4B|%KV5?Y6sMdYeNi;#+*T;Hj~(gr=~5?R5-)(qdxzj zS8VO^ma?N*)aiKF9ND9mN2<`S#UiX1loDSYv~qk_E_*mBbU3 zAeYkr`50Z5`t~~{?S_rd zExAm7x5jY{yUi`07fSeD%b7kJ!iG*Ms-7jgZoJD*U%id~pC)sQT+GofgdA$nl(wfqLlh3Q~I zZ}E{t`nb3GCJZ0e`5PJxVsU}TeNxRD1IUx*2C2rrlfM2iLYYwhX2!q6Kvf6)(Ka#~ z>YapVMbF8=WSw*b#Kjj>?s4FJu3w24!WC#FDdXVx-^K2Xj;nAi10t(o??3yT#>#RHjjgIUir zn%@`RE)boLmPL4WGs?^9P8O9vbsL0(goDlY#!jR^aW-l;=H=yK(nw~|QPIT zUPJ0N+negvXx0jTVA@z3EQnMIbtwgS*JM%ubm28d?_kuzoN8Dhu>~}mk%{yac z;LpqrR^ek?$a-2>u|)|_!^6indz_^$2nihMbXswCziLq1zr5Ir&^Ex~xwFwBrD}Ib z_J#pwJ()BSBSJfEZc`u5to-7wy=ayP(9zyG5hh^hi(~stA zUn>{aOGVYE3v;NcD_kP+aV&;@@nlJ8%&2;NuIEta_Z4I_+C;}*H*G_n{+Pz50>`&0 zix*eP!nMtM%dg6`0;0XkBU{v*ng};s zr+^QCO~NC8c8i1u+_w(HD)10HYl{@Cc+YVbm>Qw}kXCYY!(Ow0Iw@QNK>e@8{f~Eb z5V`M7CiD0W%}tM?>si5&I+}_wPlHAwV+weSpy06r5C|zQufl#iefhBA#^FR!T}jYM zVA1vntCDzYkBRD7xyKJ@-G=?@s~euN{LF|14$HEX+FnM}dhy&r0W)bCeSNe=k_e@t zsE(-ftuu|3L&Ow|v@;+ehTqM#`MV3g4UaP>KSX0=EhdsR!W&9*T9O!Jd+q0qgeh-T z=f){}8EAx*6=Tw%83A37gjbF;jiqDOD?KuA`%lFW6TC9sot-Q{8kr1sc2pR+@50aJ z?Dxi}lHRnaz+nqRCyQqiCakdpUliIu-r=+1-7Pbq+gRoke!MONm*pI0r))W2mDHWe z3lhD&nl`RoTyt4f9b*>O%eqU@>Mj0GTGnEeoOnVt5Eqynq+_oBMM>$>p*HWS7Y9Jm z8;40C!*aB$qO_JcY^pF=TxKGnkH9mZuOm(L7BgP&(u2blK;R!F|Jlr`OI2q}3H0rd zW-! zU~Zu}qZQH0D)n@Nk;h|Xc3aheUTw>`Df?{QEw5jHckk0YP)@*y-VqB+w{G9^;c&W$ zaqVe34Sl&oEYkWH#J`5sfjQW}Y1l^;Kf6CUr-K$Q@^{eFY7$WEqUH4^5XpBkll+nF z5KwaRR;eaCI0HQ*Nieq^duJWxoViIlIG9X*Xoz@d7P zoPBix{YJvWb494u=pS`FKUOSjuK=5HB*cuJVb$B!L*hAGPh0dUka3!GZ+Ev8mjC*J z{ba$##%0Z$RtH>HzO-AlpwHR0ZFoNMRp{15ag=M2Ln@$v^y7gHg_=oprTR4ylE<1? zQ7}1<8*47pSb9FfS>CUKyzI8G@b%9ND)rlKfu+T(97d;L#!%AY=2Mi`9xA-$BJ~02 z=`7Db7;(lPq}!uE7=%b*RGF%vtD%v?J3chVK71Ae&F7h3@HIw+HL)<0UzUVd8DNe1 zz9&#Dwm7?9($Ux)cTA(Q$j;cn6wMh?{|?>7R&Tj>6xn${jLV^nD_)%?u|LQSh)(>T zUIx}w&O8?{mQ{%zlV}=>I=Ke^NaBz zml0JlTCd9;6S7PgrBI zNg+7J-&6CWNVbRhUm{|Y5D@B2GYa4*@r(5>e?2ypYQ_Y{v1~BcP*r!?HKBPo1tr70 zE6PKVj^hdjlPU;KHBZ-}vSh3=(H6!QOPVg$+zbb8Q_%nYs+p5CH$7j%@}x;>duDhr zG(sASOsoI#O1&>$hED!3e-Ro!Xe8^)R|`w|iitqC7Uix=Ig-&B{)7~O$wf=Ep_nns z+vNE5Vf2rfIw_UpywUh=OtiWE0gVN36UkVPO2}|EMfK=RO$^Lkoe-Wf{4)HVKOD@S zOu`}vifgrA<{8N%z!IkBKs#VQD6VK|!Ph$NVC=~@NyX>s(ZOB-apnsku`w9+CH-+NWC6tnJp%FwqTdnuE%$i?BG*wJKRPbdx= zNKc;uK&Q>tJK}s=%S!b8AxX?GgqY?K2u9P=m-S}VJx za^AV!e(}=x&gWm?{+44rx{cZ|+`}LcBQe08h4;=S6TkA1^VTL_acW)q;bhowSwY;hyi7D`2*w-Qg-peO zQ;+{3vL>30N{gwAv{AZ6xrpnHHrQ|aq9C^VBMKS$U&Jvbnq#Q&t)^$nAjEot zK6!&CNK$=Xk3Ps~JM3D0TytE(XJ@b2se{@4{)0~h8#{$1T3EB=W&P>8%EyN;`s~LY z!{x7Oel6iO(xS=TMOU#SKvxmoH?`N`M$LjSUuoWXxD}?rAtmPJG ziG;Ofw?FM*_JCCr=@?MI|3paTJ_tiPCDYQ}Z=9g7$YHxeQNw7g!z z(!;*#T5Yn~ARbW6@+grHdDjoCM&cZ*Al>r)q`M@jhuL27gx%=0)|Y$zUjKTGQ`=VA zVmLoEHd4U^0orgN6cRDYIj>RYmT?3yVvZJ#D)-z$!n1a|pSW?mY&JXVo={<> zdEqY1)U35BbDU_lg}t)AnV&SXpTsBOu66^S=NmDkLVutE`tbO^*sj@ndl9nERC53` z9ymwyXMz#Ul!nJf^ZN*&<@=U!pt_u-W9%Xp?c1bia1*X#{jvT^J5b z2Fau~(DVc&q9D?_SPam$tDkRrKHfCVv7CY9kopUk+;p-+5^Qj+wPp+K*2gGVO;LKD zLPKVH%^5f6E4N46=$WIpd&-kFpKn1?1Y#W?BBAHP&W^u+5ifmgJK6uOLMr0SS?zxN zkQAbqK40}H()wY})aLn@fC}KQx@-h(;#uc5BR!r(__KZ5DrdMNoeb|pZnsdX!^lZ3 z+(h(V0jgfOu7bjH%j39CLys2uo z4QKjk`a!F008FC`Kt9xcGQ1<$^qAKsfCs9UKda0?+z#|P&ZHlW zMu}mXLE7SVnqRd@r;@Ll6n^;xVSa;;3Ga}YE}f8*eW=ycGQtyP$$MB@cF=aW9;;)o zUQk`E%kHeDt7~$rE%Q*yRK4x?XFuRs8A-(MP~n9;UqF9JVit)PBq1#dcN&w3*molL|V4 zL$TaA`0!->;GNg6QnoPpkuRxr7wi|xX`fN$c8>CRuyHoE)DyfPijB6DZf#}N;8trG zE!hY8Q15nN@UUrT^yp@vLfy1JSGoYhj%4*WL%zQN4u79?*~}2j4b_F8n-!Y@JnTVo zX_al{Yh!*FD_Zh}2VwC^YVty&3>Zn8EF2?GHy4gg?bVg}adDv6^P39}pl|a|Aubgq zr&ySvy7tvGE&P54ryixLg7-o6##Gz{uhTPo-mUgxIn zWo3wQPLu%oY8o28&z;~O4=xwB5+~rmW3eDi^tv@<_#9S6E4+1j?f0*I+{_{sE7PV? zC%aw{dldqYTUH~apQ~Tzu(FEcie$|hm^`~XS-wbn?e<&CqyQ8Qv(G%{BMz=N9VX<( z?I?u@Fx%_)O&{w^47AUNrrj0B+9_Wpk=9+1>_1T@9P-?yp3=@`F4qEf8(TPM+8-Fj zi&AsIjdCSXElxExxAGrVfV`|`f`Qw!LbVN7DMK(FoQ?yBjYxCeVRlUotTWHPyQID{ z=#c>Lc!VlAKRqiGQ4dcWjW0ekFxhX{+Bl&k2luG33#~~(1}){gIp$hTJ_|1iQJFE7cK81 z!gY@{ymY+CAeO^Y4fNFlT(9TRjs52orCQyDViUFpDD3&d*8Vbqs(v<&6NW9h)#**;&KqAq-Kn`7Dq4SWLH~PM=7932>LX0xeRcYlaQ4th>bOP zKweuLs~Eq~la`K^#jIo)-)7jgOr^`fz01h_PTb9jAr1we@7-+LEHeiC4x{VKxH3cu zS#6!}+K?49({IGIq%}@y4}=ki6KMz31-KM^6TL|y6{<=|jE_x9DjG)JtT}Y^)Z5+J z2|wCat$LzuY4&qA#T7a*!%serKhv~~uk+;&C35U1fy{f)j>pRZ_>w6x%!nDquHndE zH0);i^;;VH;yw4=^AdnzK1c4BQeIPV&h>-#F;#a@C|+POMP7A0BH7;jWZT2>$jmDn zxBlLVTxJjDr=5mCe=Fi_Dtc;S9uH{X6-!9<_0}%a=ZBUhWrle^(~Bh+G?L_HR3DSt zX~hz0&wjuIWbnLd`&{}KGZq%+pxYyieuQ-aQFZ0JQg@CkR40>7*8?W77 z8bD4xLn`G(>=8*lni#u#a9xGgWhrXKdF(e%>>(0bsrZlo*~vHaf?x<^3Pz9s_dTt| z8z{<@G)NBqAq!#N0@Xi{c5DaU;7%NL+2&Kv)YBK@zF6^pv?1+mmfL057!Ek~ZTFwO}^fhsz zK-Q9qbnbyHY}>cT3arx8f>rl>HmeMCvkocdg-2~%H95IWEY$z2pYjKc{jps-M;B#-$Wvsj|r7g!m6t`Cp#<|7z~ZLo63m_iF(> z>?Fmd3%k2XBxPkNeKwYRRH%q#I*b?aEG;cBQ044-%p`{y{E7?xbv>kUAvD9jcxIT32_fQ3jpX@F10N@R!!HX6#hQajA=|iObf9&UZg{Kzm4U=xU^c(AL3vhR zXX-5+t zHset+R`(Yw>Unij0X2%Q;@7$dZHj^rc5!k-O07c%Z3{dnP|hsZzj2cP=fVCH@13PX z$_e?z`g)Y7SNpc(Vgm&wXVp?szgK#j-IO>Od|0~})T5Zu79+m1gE7V*H9z?-+ya#~ zOtVLx2@3qi5Jj`=?DE0lH=om-LI9^ndvFSoq7Xd)l=A+okBP`;;C5rgsMRJGC8rwJ z<;`vU6I~@p%>h;`UP;FK1Pd!EggJlcqJFRG*iSLUV)+WPfAw>ABucf&ViAXPACva~ z?}h(a;hEw8e)T~a`u7E~!ELyZk591;2?>rBp*&fiHI}$!7^*?%at)ytv#x+I@%+;9 z!?uhoez8EwQ93KenJ(TxYy5v_!AJFW)H9>>e1)`|joCWqG@7 z0SuVm{Z^{IR%Kp{M-$s2ITd zd>*&je!5fSe}5ITGG8aN1)Z>1lyZgPEYYDYEorf%N=k%S`ZC%+7Z@9tK4>=KxgRR# ze|GUmU0zAM%@`^0+H;5uVj}8IfC^}xt`eK3W^PmGG1c6A^!468{3`sm_MK{^x|o82 zJnQ(R`~U=-VK$Otwd}8s!6=mSmWskXInymWPrkQZoSZID#U~y0& zJArItt+uK@_KS;D!Z*=`Em`lyj4y7R?UFv&YoYzlSNSgUnMxXq^Fl=Ad~u%bydh`o zWXNW=5U(ERBnW5Qf*(GlI^)yR(HA9`zn2`QHJ=#_t7RElU-K_Nf3TfdK=J<{TM^$z z$?TjT&lY7@eShyOu`B?#*GN6b@$hh$*Y)=ONUNe%w=Q)4)zVT)>$?eG)1GG(`eZZA zLP|S{ziZ%~hH{VjS4uTfeFVZi%mhnB&a^-?@Ey@LFS*_F))WWLM6C1o8l+%*d2ZLZ zfW-1r_*24B{5wu;RATIsJr3*qKq=d{R^LXjgZbj;ybt5jxX*>G8y4ByWP z5Wuhzvx`vlM}_v{_){{~1(xrj0D_@z(^RpVvg}%wChW~ldI7-fcj${6>zxCE&uM4(|o4Urv z+|NFG50{sYlwxAg)b*g3$zR!045gq08-8o#`G~1dy~PBRnG`yMsmL_Ds)OAC_ZsOid3pXTPhE0K4O(V{rP zwVFtV>Q^NtuEk!ywm@#tQ9&5y4^W7O)ip_RaZUPsV`1S1o9W9v2+la%eqeYxW!7Nv za^Xg?L#T&~(q)%de3If0&3rMG!oM=!{Kx8EliAl98!k+QE{VGZz%#e6?NBn%-<_;P z9mo)?W9(YmJhNDf>YrxoCzO5;!s-8PW5ERTpNqRwCV6Th!zjw?y9yIOeF+ zm>omQNzccXDPW@bIpfRi!8Ivmx!GKrm@jUE7<#UBIz1%XGHr#Cn>Fgk(&|(#;DiLs zQNp^)9~5nqttc!sot|b-qvmAHGMLcIjx*h&u9Y&)W2w0KDHedU z1Jny-P-1!@lDT81)nX(jjT;6)0%4PY{zXTIsX2@`tzv#&qY1l zd+-!^>tv}N2}7$d!E&2Ol|U*_Yyd(jyN%DO%CTU{W&D?9&p7+B$yLufddtqF99=&s z{=1$~N(*`Yr94gtUtah}+`jHqdy?`Q4=q$9Z0C#zD_OFdViRTK5NgcPeKdGGMBTwW z><%yU*UL}DqZf$-5-B3_T4pc@ESj?&F$z?|qAyMl8eTUP8;mGOe8yfFC^Gmn?Xwe9_{ zjN10@VaQ5a)T}&70A(ekFQz!Gbef48HQu!3MJCk>kPmPJ=_P2Q!`zy}2BsUJILBvc zyq%rBkyqYTZS&*vccL#D5nN&evVD`ELG5VE)Sp%N>RS;uPjXX?lpOys7gx8R5_KKZldmggUL(yo*+Z_=~pMz&52+KX`9)} z6?mc(k@MaENm0lE?u6e?ncJzk1u)Z$@?obvDl@DA-vbF2EgCrFE&n4EeXXo*K4=-7 z&ue`l}LuoKZBdB)M%MuqCc#9N6S07aU@A)7l{LZJL)S7JG zAAkOBj#-DkZ^DRgg<2PG+~)<`a*0Ry@uPi#3nwlFD_yC?C{?Vn`X8i$%pL9KfyhhM zv38{RHXcNI zBZ>u@1qX`KT&Ta1_PcM4sl|B}#6d>u@0_hDqx7g=H#mmchinq`?kqQ zCJBlt{b~5(-Nzkvh$A~7J5X!|-W#+b14T4((_17$GH>zu^_3ZRwcmTy+QF`|JV{>K zKr*O``u7Odp^2j$&26GlYYN~olr~V(T3Xh+0CT!yr6t#Y1b6q##Tq0;%utrJj}ieK zFRFAPl9FPGw5?Hxx>m%{=8eLT6^#QS(d)b;S1s_qtUp+%QM>k10a3b9WkWq)^N+7C zG*Q;6>8WD$vyKCPQc!}@oufq9q4W{Ht0mcN{{l(aJBzX zqBP>Ho=7EODa-~ZXuRE&pVTq;b`_6<8iMS!N@Erid%;>;XWp?*47hFos)YQ9??2Cf zon(fs4%szuhDCtEjG`2J?ndOGDXEroLF9y?zgK50RoF>{HBEiZeWe$Ej_hR}jtmlE zXB7#dVlZW(t{D|J_|Xr@~Loh#ze(CCJ^sSi4oC@xfgJ&0GNBY3UN4w{)L>;14Q zsW4VdJmt86z-l&r9l8xVrI>i5PFF)!n%?P*v=f%Mf!z^GW_3G;(dbnA)?Nr$UY`5~q zcLyA-0C0T-(dGhz9b*}U>nNh*Zki+YIFDnT&Y|90`+hD$AuVY3*U^xDsSS{=(q>pw zaXr>uBOU5YWRlko(lOkgZ#}%4ID(?YTxf=XP)Hh5Dw&x?A;bJ5CChy~X0=vc1lDww zCs-*dR84Vlab$?S7;Om_8b9eL(E-JlJhsI!Js|!)G(yfdUw^Q;HEu~U6{QCj=aP34 zwc2-ELSiQL_kEX&AZLm%Z0Y5$Rte)^@w$uCb^lhGG(mno_u(rcFRFC=()s%OxPbjZM9mvp9)~+rQDHLy?SgGWxD&vBc;O{Qm_@!DOX02o+wIO zCE44)FVq47XfyENnB##XuMpy++?=$-%Dug)3C9I|N!Yg^M-+$n*DN{&ZhSJQTw0y{ zYg7IlnFOB&j&Ws+V!=~}75G{|)U{Rm0Cu|0Pzl=Ebc<3=vIFIw0UvC9Z5iI4-_WBA zyZWi&gQH9SaAS409#FP)AFHIJ!^p4Cn$Cc^dW&!Z2N+Usm{Af0#JgTlYWz=={@y9J zW<7NK{ahj+LgLqC$#K~zpeLU95L+ZJbBMb$eB4e|2DdKS54-!?k}WZD=0Q8qE-I># zUG%SWahgb+>1cx16Yj%}I^32P?vZmD!yts1B8RI>l^V^a3?9hoQHi{vzNJugCN>kZ zdb%unJcnyp?gn-iX&9fy$Y4lD-udw^!CKc;81@3ir137tGa0oJCbeVCtsM|W0B>IY z*C0qqy51>Df{BJ1ib4CEsEF)$9Uf*yT%H&_XM-FNwz7fUkm6%*!7$c+C6?+iI(%*) z!Nsz?x;T-JzzbYTR^s;(9mW*jCRIVAF^dme8WVYyjY?%5Le@5`YKf}`VeGSum|7`vJ5X;45jG>)>G?duO;ZpgGuO@Zgv@g&%H zvcxRBaawjTT<+LkfKmLN+XT}oyh1(o#6h|oLETl!WPN}}66H9~;Cwiy5H=~GLp{)9 zKr6)D)8pp*DI32+hmkl1zZ#v8nmr98H96+I-6nHz6lN|L@iC~z{u3>ttqMgqzj5Ed zFv}~+HhNRhgP>QQ(LR;4{uE^;Ap-;BP0!o@2Tf$sk%))X z?DYn0wHZYiI7p6B+qwWSVu_B#bVCv0IT1>ffyljqyrdBe@KTg#s7CF&EigG@b0Gie zokAhc*9yQjYFi`BcbVhIxo!NVxb{{Ni*eP`tT15DUP<>CqJh071u5L9`8Ot7;F9|r z*YBdn&?Xn3nQ{6JKkR%-v8v>$nJna7%4MobEUTb_QfzWL&-^)}q2KWYOKhlTC=t9% zdGcQ53CF9**JTIedKt>JqmSdY#b{L^&E1~XLFFhnyr+-1=U@p=gg}5z00dRLvY9Onb$?K6vYe&rxi&1i^K;|yrpmU{C1YtgSboK;{ z(J{fm6h-Sx=esV$`kRRlk92unm_!G02h9OEqL~~Rlm|z4xDSwlBxFf~p1pqDEw|@|uYv%=2&A(npK#2!qR~bW56iGOsC|ab77kFnPKN4ZhvSt%~FCkx^RdH!nk{ z`vQZCR(WAO<|*R*)MN!dUWUWGfyTZYQ%!YnmkMaXf9xi5}pvSPvf$<0hQ6pm0m zJYeXW{-NYfH&;-gV4sk*Awx-w>tTANx{`H(VFbU%k&wE*w|*<~P{_?s(ef<3&LQpL zD!QJ%OH_n$%fcP?`re@`+xm~#Dr9)}motjg-dATNjtTIP2-uZ@bu1O(hW|#7*f&b% zkM2}w_ZNY64$%;caZWSmW1E?|JCVnm!Lj%_ftGm=X-M|R?nD@aOSqBZLSREf#aR*8 z-GlFGrf?7w*>R!)>8fHnKE6>BMgk%%`_0+GDMe;KBgIMJ5ItVA^%mW8Fx!F=V^zm}X4$pwX`jPl{h^?OAH!pm8aUV->f zJ?;*RVXEE&bK8QtL~tZr7$zu>H}G5{6nO2#6@floK>9N`6^+tFq0>poA4CdD`;KsNX|p}=I&C0r-Qe)%BB!$(W?M3G9CzDX`6Nnv?_&QE|u2NQqm7^ zxy%IV49Wy}N%FZbBI`<&`=&6P2K*|Dcn|%NrPN?~y^qhwEEfj}RJuij2LxCtUv{p= zJLKpu=rTStA8NaNCGDObBKsor>h*Xqu6&{i&q+`=%p|YBRh69{;1KV<3BcGf3TNI^ zSS{S3*50n$Li{(TVc@R8KG@bauV_m4)`#bnjC_YfS~*XQso_p&m<}d;d$ctJ?)qkV z=Jm2c%P5&Va|R1We@0GURe z(l^4fOcqs3@*mR`1stYW6?X6^+UPm8>M=%)1kMu~?0rNGs9r^3G4gn=CDdr)>DuY( z+w4Fzo6l1nt(?YJW@Vu;>5*>Y&G78f>N$i$tt;-ejIic6s~kwfH5jalEoz(om)&&}KCwE9n&!%`BMpbXSvp#THLO>~=5vJJqfo<fuSI10oQU5t!&vnH6oS>avB&~h{jtj>mF61)lLCn z;z>Raqv;o+I@`qgwd0|54?}mSrp6HeYZsqC#}3?d@AQj&XER~&Uf>S?7V2H>p~=j+m*cTxId|_ZDzdobE2pus#%ZbY3i3#W6!nsWzO@L$ z0T(SOZ1WSUU}jH$Ttdb}wMYZPBsr0ICd2qxPQ0*6&TJS9E7eYM7vyka4{?o@5-S>)Dmem9hMqg zhQrwS4|Uc*jWhrIqjlW3nmN&x^bevHq}A8wO09X1C!)}Dxmyxx#ntuVW&2;%B)xdv zzIYhgfRPJZTuuXksBQkEQ- zTM+c{F&)|*dwFRKPP*ozepl=)7vP(0U$2s=DhIeirgm#?l?Q6J+RtgGmNpPFL%sMr zZizaHf$;}}8@~v;y7T0)=o74B6=(9pBQ0b?{b%hfwAR|U0ki`-%b$1*h%!RuVjS+> z=Absum7E(J<6|?4pYXVf50~ebkz_fz-XXrj@Hy>(YU1HN<_70et7bBr)$%+3Gt@ud z1S{5*%90c>r(TxryZjrQ)Lp#d$2GW+xMY;9sQYH_)| z8QP@K35^z*Jhtyv85t#1JmIwlhExJv8WA&^0UD*K-Gf0i8_jxBsKIG)p8(0@wrgbR zo|4qgFE~KtN*3+3fnBQp0|p_rhwDRO32-vnw%ZG41zdLYrpi-{*a`g3WnCbLs7dG& zkhcKb-#gSt;A?ApdjqQ#ueWfFkU56@{tX1}ZxF2{xF=tqr{%k55$2ei{3uO7?DJ{t z_=;I3YB*P}Q6_t|n}*VlS!bb13p}!%NS2C1L_|kf4i!Z>5M$T`m6_x4XE(tJZi}Zm zpA;yfG?FuutI(pZ(Z=?})&%ow%>820r-dL&2jhU&=#Q5Ygvc;VN^PSn9bXMtG5}~| zA|zyzwXRExi^zLt0yG4ED=Xg*{jaz*!lC;;~`EnA^Ju-i{2shu2MT|aSfKqY3L z+ORn<{?TQUh2BWTG1cKQITdFbx@LK7g<#0WscNINbF@c()pxULuMUg<&B8xWwn>*Y zL0vg6BaO08%tD*Mrt*@z)X+*R@v}*P7?jIkZt9SN?PPT|^g)?`32udigoGY8tR=5d zHx7BZJrb<#IUudoVDCZ=nWt_$ton-(c5djpIt(fm1O*;WNuyE0s+wb#i={4_wj*t;KiXF5hrKT zfu`)?B8;*kc!*qj%=+)cO4D%{w# z70`SPJI{7Py0tDjjd+xhlt_A?oV$q%cYeizTK@^d%Fn<3S%{i|8Uqm?FIAE;)7)=2 ztsd67TtapPy*p3w^5T-nlo%{SAD{YNgq*yf78i*#3G<+?Wp7q>S&pGHdu<8o)?zd` zS~lD7Jvb#Ft}`03oc1E+9LcRY(AqB(umx+;xl9laF17p^o#4e17Q^&WsfZ}RPU5@u zD-h8t*A9ef>W!j1o;KRsr&{}}S$c&EVo_367Mgc%Wci2&FE$m-MSf zD3GgUMdNpLs5r-2EujPlvOWig`?s~B_a$>^Clh~RKkii$PN@aA?oo&f7TE@5VXmwK z&0tGTP+*+u3p*>JzMHJz@`--@4;sqkECd6EY9QE}a0MDE)rG!74mXloOS9jnM!CRT zO}3Kzr*0at9R~#%&dWFNxYdC9{`|84Ei#o++X)^HZg71(sy~`g&e!*y45w)Q-?c;V zBfdQp8RLHx@<=(oFzWH&e;gf{nimAjwKIya2No<{zpV3=f-Rl-1e#bYG}V=|xHz3O zFlXwOf%eYmh}TmoAdI`VU@)0U9@fJa~}{BJD)q=Y>&_GTUD zN&P0U7>SU2r}YX)>u%~2f(;VJ-vDH@^U#M@?rBB8Cza)AQk$0!J zi%qE~*M2=#O9R&Tg+CvR1iKMV5gPnQ_JSk*RlBJzFnOZO>V@kAe}a$z|HB-iS_;Nv ziYgr~4cl1l{U;l8%se5%e@gdRA>e2s=}ctVsmkbXmZ8EeXlRD1Sy{n~AI0ys8>g96 zEIb$g#?RujCFLXozGXY#*jrdh$r;YgHAJf&(~DrlLzc0R9n(p zuXXp6n^pPEh4YB^sDA@u`Rk7NU+ZjP)Nj>=8G6pn#Ts7E5?oR@L@P5>;kzHT$*x%7 zw+^1X?&c+Os(V|;S*ZRaKXO9(+V!z*%1+S|75>HK_C0Sha=r}sqp|6D=Aiy; zuDCaj56rf%kGQrHps!9veeTrC`H*^RZG zce5T~-jj~dNPxvTnodbQRc7NX!xBBLKyzm}!U5aMl6#Kk@{OfXsq7Op)H^Vajq}|M z`$1z4tuc8|s$;N-Wo&SR0HjNFd0X9M;-Gl0!G$9A&3TrEnvHc&YnWMpC2t105ldTt7xPB_UC+!fx#ziQ0?IeBIC``m^;pKod+L544* zj)q|ec@m~&b?ZDSFsKT-I243$O(%ioAzc`%kdugReZgYb<~qG-6ZGb4aWOsxHdgo? z3E}CI?-FD`6Ev`75sa7YdP`I~Qz zek#M@tkOT-E}*p?jd+utC097zcop<^WKl?*t?|#V=Ra;#6Q*8DUxxn5dZ8#Nm`^#c zI*4){sTSWlD;FHXAuqPuHRPWcVfUtLl<26#Sbo2;Y?Sk>mKsrg1T0Nw*G{^T%~Tmv z%*l&w9nH06XS{H)p~lswMiKz@Kl2VNGCv~`nzlCiAU|*|%>h*TU9zZHMFER+ys2L< zmIB!m`(Xd(3eBi|wky5hVw|#1xd&7Q8M=_o)Z!$3+q-EDfRvnv@HlJC3uFa-$2dBg?_FtV7!ps! z0s_Bh=!|U^ncza;fa%_5Ebj{n3eeGTDObQ&?eH2J8tfV?k3pz$u~ek2anCQ$g99sC zK5$P&Ur~IY{oaF{iB^psv$=w7wK0#KyKVtN0c^Dmw@Mww#UV5_Az(iL@@l@O1wu#s zSA(t1;^zDSA%Ee)p`oeGocf(3iwiP^>NPYfx-ry#e8TDR#Wz@HneR&vr7(aRA%CI< zs7ATz^K&h;WTqFp`V)YHF;O|Qhe!R|C@vI3t_vqZ5qMbPnW^CgCIifd!X-~R`+nU9 z2Srl+=ex?coGr>dMU51Y0NEHqA%89oA|nR>KDEOb5z;@$>oSBd7_O>`A1CWQ{%-ro z=)q^~|MB+KQBk&QzlumoC?Wz(loMzLTk(`ek>o#jkPQyUv%M8sp> zxZryf+BUK1W?wmWLI70{4}tiE1m*Gq<|c0he`v6EZgA{DPzPj2n}XL8e?3y8&GpC%L@bZQ;%dL86Zlk5#zyJBw$z&AglN>1ae<|1b()KI6 zEHx+`4Qg(L^YK?5(uXJPB+DP(%6c&HkUG@EE(tGZ=LPR#@$Qww4D^fiRZ|8a5-AEI zfCudQIW`V0I*3mj>b1Jg4ylqyEwCoyxyL9s4*a0aAz*qNV(GiJ>(vUInD_@b0(7R| z2&S#wJrF)%)N*)z%L2z>aURLN^t33>fbnn<0EFy{dUb;ey@}rt6i$=7VmxQ*G)Wn0 zUCgFl1~WRaGd_Qut%I?$Xc8#6FIBz8I%KLcH085&qq$yZkk%S%n=UB`7J_Zg9qpXtZ_2)< zm||(3o4@FgG?(H*pL=>RzH3kBx5fS|_QxI9F*1;#W(u;r_FSnau*>QKo7~?rs9$=X z`lDyOrciB{^mAVAcN>nSsp;uy7u15A>>#4m<9kGd29Q7rB!ceOnF<9G&A-(L4i>0z zTd(6Jdv|XA!k0&H<4nGOzmo~4 zU@IDP>-@r!K-Fdhnqr62l~^Sv#xo0EJxV4)vJ1>iiy6{~0GoVf@bFw5M0o2D&N+>B zX-AE50)yI=?i-KbrW_U-J=PWUAVguRMCR5g|E2*m*oe3HH^rU3?vCa-ay%z%S4E*y z;m@ILl`g`q;)J03XryoQBPzwb)hegml>>!481p{|#%3aO*ak^WY$-4tTF=rSrT35Y zhSVY364-lE^I&I1-x*L2V{V-Dfx91vnwHSbzBP*_uWx`xs{M_RbrA=Ay3}IN^s8)x z01;Hbc&UKH4~>7S_L&$JALk;>S9@JmREqcoim@uSBm;eg9da!OE-bZ6wRz&V(iKb$ zggWWA+WVA7mM&GOq;H*~%OK<7be(CIL5^iGC2t~ZH@u?SwjDIg*U0Fw*v-SIGr}J% z=yRqeGhTsfF9tE_cS12|3O74~Y86Ei)0pQrViX$0nec2!l>|oaii_e)wPw8?{FjRVpV%2% zvfD+8I~b8QRT~kbQ*o8hdb;NQ+ti0M$GoK(aomy~VR5#KO|2_e0A( z-71$xz)kUpSgxT+_Rp~~KWdMw*RU7vu4oY3r44p5Z@nud(eo5T4`Wfq2kmiN$|{M` zl=35DXElJs=5De3&2zNBDxAb6arlKOzi&-31~JL z@bHERgSt4_5r4{#&}kUhh?syk5J%YsAvnbU=@*muB0Qw9=r!o64QJTHPps{lgWJ&)-|5yE3J- z{m~ojxA}B=nV2z%GflFZna_*MY{NbqfymZ%BP66-U!4yT7RkGxD20Xv|GQYdRO%S( zNtVVjR^%|U(ETW=h-d4aYFpTxSbeoZ;!9%DcOgbeA`e7^od5ur611uk^dUqfV!Owg zMp~teFYfzyqN^bCl+vH+tJ~FVp5o(eCmLym3G1C4z4K~v8h?|0Rzw@Fg_dqRNFY!F zjW$IphN#Hx=(yE%v6*7|zQ&{8;!$l0NxL@6?n1Y}e>iWjL}3@4Pqg5Ube(L~)0(R3 zo}=%LlI6oG8!ffL{8gn}JV3`t-LPdp+vF26sCV8)bY6iY@+JLCX5&-?T2<~Ran%U6 zaM^6Scz*2M<2)M8?27vqr+^r+c}Bc#iK&z>s^|qhU?S`$xlgTxR%cHQ)c{Bs)7>lV z(ZG);MRZ}|(fJ2LZegQaH>w5Zy5hJBz7PBxXn@yASDo%PtgG{U1MiR9#TMldU#d*V4lKTRbB}Q;KD-Zu5ePGj!ehss|iKji2%G z@i%7Pey-wMauk8VuKS-CDcBo|+RYhj1KY06={!6!30ZDT4j;C{Eh8PVR%|+dRm>Tt?5LG(tPY#%BuH4X5J1#CLG$UNpID(zKx>lr&sGv+O!@ z+I~iye20Af@K8yZ=;me|$l)lKuqdBrQnl`WHf>jfNHk*M6;(pelredPevF{v`kbej zq<>^%A`2`Bxn?3{75CmenZiF)z{n!Pg-`e3l^0Z5-**SB)h)1mB7U3aJWbUxp2}c}hpF)w&Q^A9ug*CX~;p;0{MyW~2LOMu008 zJSh1byQ1)~Vy=OSR*1vrx|!QTGspP2zbs#Np4)nqM5pJ;>_&;6tlR%MDbl@jo5)LV zcX#Iv3yk66>L!j#WDr@96bE?Tz4{R&OM@D%oo=(Pu)0Eq7xi_xZBW;%2x@`x?Zh?j z8?;S2HXKdy>ic%fZaR(3$4~~sq?~s~KGmUyJ|Ej2)^5{$%lquetYriYxO}fTrGsv% z*?M*pa$a7)^p(g`qm5xMZc@E;2F=vDdl3nAfGp29)*(7ckT@o4moxcX(N?c7<#N`$S;yqwy`(#$3zC@1=3dK?B4Tu(2q7RgD z*xw!~5DK7T?^9ZHqYU-{B;5ka=zbiTe8J)VN{*4jLqi}Ax+Speg= z=Q;qdRPe4(e^_|K`i*KiTh1oN%{b%cO;FGZ6;UzeO&-^yn>*4l;Y%_jpGZwMWLPl% zE4=6x6g5zS1o_dpEPL}9nh%-`WPTe>m0w)m+*!byxD_Lazvvx4ji~Y$48sPeUeUox z&Tf=Iz>8Yp>2|goE8Iv*k=cFSQjYwkEttORQ0>&TDSH>ujTY;TVYBZ%)W)Gz@rma< zkUR2bdtzjpro2@Sje=ARkXvA4t=hj&&f;+>`va?VF|#&5lOmw zL*WcDyJ+G~xSZ4NuM~gd<51NRCgq+d8}|Ntm!KNRu(f7_b$_{C;A-(bn4f`B4LpBN zeM(9wVDVviJdbUzhWDyj7rF3#ZRWXzL~@N+22e9uJg9B>Fm|#Ba}u}VbIAgC}nvw!UKgEC@(@T^y;@git=MURO^dt z-*Mf5zpo=Ex;blwYLGT=z$#^S_eN0k3)oYA*JZDZsOxCov-qV|(kL5SeaY>%VIw=7 ziv8a5c07*@r1hfL$I-|ZF}C>C)hmT~q*sr*5%&Meo*Na#J?2PsXy5WZSiu&nxOUwc z`9ViHqmx&s4))N1Zh#l#4$iv9PD~=xUZnfnFsvFK7XKhh&L3$T-oAZEPb4C)7MSu$ z4h01>1vU>;yIPI`ddtLWoYMULYkX?g_V(y$E(=W-sfBzcgiQG`C$LdUQBmBqg1RpP zsD3F;?Pnbr58~^}j3ikl)=W9{OZY2ELJawtxVrTWwv0TGiY!Hqp4S@ZaEBLG-~@v6 z86)biQ)+=%QShk{qqzo;a7LLG?EQAMIa1Q)kFWF#Ud!hxwM4P0iJc@nI~JIdp(si0 zh=m1le0lk`dxj;5B-}<@{p@^+I$x~LHizbsFB{F_S!1H1SHN&;^a>{t+9zI1{TIzQ07E0-;<)W$XrlR7c%WWx-&&WqdbbV7ABCt_~OOi_) z2p&U2&V*jtE=i!g&v+mf--F(GBKqqs~PzTf`HJQu=^Sb2YuH7CQ=S@4s|sdm?J? z|8T0}mf1r2iwIE%)*F-8Npkzt-S*n4hF&{&yO8z9RF$#BOpl5yVk1RQW((i&2!kDN z;7R%u2{*@fwe36Vty_lPIyVcwYYXi*DRr7BFprU;L?y8zTSf0FS2GoKUGr7*`?J|4 z%ZX%-St_(NV!wyFIT!mO@kHqfq4DUa zZR-zY9^>ngz}6D#XD2MkE_aPd!@!QJ`^E(4g*7GWLW3kkSq)S^t08^6nTet_aN5yD zTD)l%L(r_bB=q@Bj4QRg@E1_^!!8rd7H8}BfU53B1;qW}^F-zThCTxK5 z6+Aq+*01ZS58|dd`Nh;8N4tz+diwdb*o`d6=Y(OwV~; z>L)`$tVl>U+^$=dg4?Nvbyy;z%;4$z&Flqb4jh+;*@9wm>ukTOi;xWQ(mMdB(4`b- z;yaxQe`QQGxQ&Shm};Nw+&ZY{u#Z4XYrZ|L(uXUxh>eelp^htGNfp3L-o-9?{H~i3 z?gccmz{6KKL`+5>8@=7j-uSh8O3Q9hZ{W~T7Oq7?4j+_pr)od@VSJ|k;l9EbVzT3= z;jk{RR~AZn!`yqCHxkvG^UM(MvjaEI{jY{GU9K~1l8x_rHtoYTn6vNU)(|tM}ffX;86LZ5^s`U6u`9}hz(&hnb^YXe~j6z0i`Z+#^ zZSZUSWZ@IMQcR;1$}N4SZcSZtp@o%-uil^vTHAIUNDs(3{u0+OURNz|`>No~)eg-* z8jDNdcZ+YqLv6D^U&*F9{G6WX3Rr~qrkpxZB7GXK=7J_IMwKD!WldW-J{+>bSiI z%qS+d{47SN;v}wPe73>ZeCGz8f_>dCpSpS(!Qgg^K_&9PT+v_NDEV!n7f;>vS~_k) zZyow2G-9WgbZ7kyqG{9^7t;;zDS$_r$m}uZ+!=W5bx7{<%+zv1iv1{c=y4a62z3#q z=~I5i<7#i8?w!$ROrU;!#6*KeB^+)(o7Sr}@^@IQig$8yGE?!b82C;$k?1+oMdWZn zG}zU(hl(jS0xe1txlBE-yo;{a?&zM9^1ZZgL$WJk_F{a^GZeadeR2mnpB-lXaBC0U z+GQROEm_&BFNPU_z-wGZ_3Yhwr-?|XM4Fl2p58)RyMet4Gz@2r$wV3&FE+5iq)3G~ zIy&gZ^$((^b|XaWU=y@V$h3h8>G6o|IXDds*497Detp(562*7@gPloU3-Pqt&?EsBx z&U1U`t%P_6*;IkkKJ|~nO6XVX5to6bw@bKwXaOsQ?r>04LJ=TnU#>^kT5t#fC9;9v z6eD0O#QLdM)uhu9{>c;uVFff5=jTiwH}>BL+Av!%xt3+>0q+x@PNz7OT-M(fx+$!s zlSbDXKmF)MAM{B9WIn{*Fz86#Ji@F(K;!k<@>yauO>c8t>er|Bh#m}c!<2LM?rn{} z1LI`US0yw1JvXbwtb9vz}(f5AGGcLZHjF>x=< z+pRXHw@cSuePs!kCr^SnsiKeG4ji1m-Tzf!SR;X9D51mEKT$>+bx-miL5*ptWqqal zK}{O<19dKOWM`k**k;)W(4c*Z#&<+fr#5!JPaYYgQH5*Q^5&E1^sy8sD(C`oWuzM? zj$u_!l8;F=F3s*s)9FIPHv{p>YOrBN_Z$Rja6+EHRNPlM?wwXVy&Ws+qHb$@fxVaK zsu)f5*~t5>iyv7&t~jv#7*i1A_M?1eKCE<(X6Ab|=8hJY{V*fokZtuaC+lc~?GKzC z^%#16XMPqxf}{4EXtx4AFnddJE*e$YZV8R5%rx`5Yf?n2m=<8)zL8-4odEC_hs#4o zUs;3kxicXVW8yfn zS_kvvZ&q;Z9~elSdl7gx&`g8S6O=rzT|HKOvdi$2RyG(uV%{7A8-5`=xF9;!dDv-BpL#`Y%*Q=kU0tfmN!v1*+a-ODrE6ErtIQd-$|+5V~W;r>uM5}x}~YRaaljnPmv zb9Ra5npkcVvy1L&AOjOa+!zX3g<5`%?ivF^+(TA+)jKxM76&V6ey~$pTZC6?-7&`iI-*Uc(yR{4#fKX>j-*~V_I2?sbBWKfROz5ROUx&KrD zj2U8;ehoQgaZg+xx@EUT5_8UGh$1f?ZpsEQoe9EXVLps72k<&B`a}bl2mOP>72fVX zJu<(YpEkVy>BSw^NhJ}K)AI6dNE_RM-a?b1kX7mflPVW}D#c+=DnrwWO}1gya-38E zh9nljc^_7M?5)bm&i3Oy)6}a=IE`(GUZ;fBkrk7PLPgz`Mc|mHV5+KguFT3Ph5&x5 zN(YtdVMk|x6RMpCw`tBNtkB4oPbR(tXDE6k=d#IX|5wVR@H>Mfm5*L0lwqypAK{I;0;|Nij z@Fdm;O5~_Xu3=M|@}cB(tE!!xyDR*Z-90~MR;sw0XP7GjCXazlkaZR+hOi8w*1bM} z0t^FkTe>8JJli@CGnMN{tXt90b2BT)=TDT(#=PVLt`PDIBwcA9cg(o&Ovj^BsX;!K z9qpbS9!!t(18@zUgT3*!#~h3^+N%*ofx>#TIspjsJ`?=Hz7T7p<5JB;2Rt+XS^ zV1rOg$7ul#DTSa<;7XFKA%Gh=x8QFRAIl!1X^`K9>Vq0>}$a8jnS=f(aPdrPJ*{#UOU z#?3Mur|)_pN2=e25i)Jilw@A;%={D@?4MCd?3W_DB&M={d&j26(!9L!Of>QC*=8sq zb^!$VXc#`p6gsNO-F^<+amlf1%^!OCQp-S8deM7J#N*;ejL+I(tC4w9rdM9OSf@p3 zp|fr}1JS&5Vu4#m7JT{)`iQEZLwoEV2Zi?8(71!*%Qf?Ay9forS0$<-Lo%#6)`inM z*o2tEU>DLM|B`umo}puZp_};_dp^&!7ILo|38!(Dlx}8&jR{-7#a^<@ZFZ2iAb2r* zVNm(4TAorh9@*u-J=ctB{IhH?=3;n%NgJUQ@8zz|d^=^j_x^pWrLss_bz&y7A?NL2 zJ$w9bvK-Y&bBoqRwccnLmg9~u0u?;*e#ML0`zJxsn6V)I^3bfRGmftlU}l=v_sAs( zx9Q{&Q|QNbkE7J0uW5V9X%?e}f?`oA?U9sVw{fv#k~mQj-)}uGq-UgCoy; z{IW4YN!^w`dr$@Z1n47=dJi`8 z?cll2wft84ygu(Gzqiq!TCCm|NJ#L0Mgy`N<~9hhMn`Q~*@lQI`IbKBFBAe=thf3* ze0}Bvwkzm{iJu%wjQsdQ0=X|7j-h0Y9S4MU-z&|zEwY%ErV>fXQ_=O+GJjJNx({DcDG~cg&b3 z)mb^8!j#T2GAUI5b}M)Z2xXfqY;l^R*x|Aa9ZY(~v*4(#)WbwzK6>j8lT6naf#lSW z8EZv6HmOCT<$~U0Ume;i2U1PkU!*Qn1z9GOvdn*4)=|ja~BvH>ADB^4%lvy z_9xcgjx}MYVsU8aQ?YM{8&cxDv^W%Q^gcHOI5WwxRQv2)qZ`Nft)YCC?U7)D(`EYT zzGjl8`cC%ZX~amrf!W}hUI_fG9SuKCubk%Tx~DBq<+PRJ(C!?-K3iwScA=PISzy-3 zCvVm}oVFAE1Fz0U^N<16G5j7rxzCuq^Gt|b$Nzv!j2*mO)OiO!*O6SF$X*N9xRYPA z{nD{XwEQ#Qt!|-%Ct{;jrE}xKm%75hbl6;OrrLt&(R7(SO~;-lzZ3~Y45BNH4rJ(i zLr&SUZ`U6jxf9aol1@aEbgQYjCu;cgSbq_@wc(;97I0d1@Z<#zeyY1YX&5_8Vr_C7 zdxN=5xE4d1C4rZ}S2Thy7TCl|1KRK75xD{zE7`Z(M*fq8evwrY&aG8`_~7U}%qh%OA#2W_2nqpx7fa%N{hMeTyR8JSa;l(VV&++Le$+tF z@bkHk=kvgE)uiSZ7z)DY+iO`6gVZcP-ufkjr9vc@Ze~ zp!;$A5-_pE*Q@DcS1|7#KWg;=W6^I3f)Sy^4s&e=)Rd?krCBFKF#Bb#ccT;UPe#|m zpIjU*mems5E#@EG&%<4Kiu(W**CUsR5!y zdzEz)e!h1HG9DDz0}`yv6EE%NW);yO_a0-$S{U(?Aw<}^wuvyJ%q+LGOI0Wn_KJ$oHa#-Hua0 zKw!P()v)HZ4)8Pp+RKo{b87kz^yLqN-fgEx-&gYG;93JJ_z5q;$ zudLYssZ~L$Dun<`*U;*4EPdO6Hg3mqscQ2^K$Bmvt4r0!&Y5IDJz@YecBikMU$Vvu zUaV2PTYU|VFUC0R%^zp^c0#D3RbF=FrG;Wo;rEbh(sVr>?POO=lnQTGsu!Jqv_8$n zJU<+JnJVb_RcaN38X+V16*q_cL)BzS#a-c%5p&u z+D5)9*Wp41F{cCJq**?{3#?z%cAq2THP7B<9zc6nS>>&a8p(O`5ntMxE;aCqPN3LB zmuY%=B{A7J%eQ)uyC6@qR2TgKtK}j2@>X^uHkd9J0VRvzJq2bdA=6>&g+)TKmm@A! zZfzMMbFa$gqIn??xvTvE>5DF17l-Wm!{1oYo-FB5Sw<(f5&N}Vjasc@zOz|vUrbE= z12Qeup7fui8FM=?2^?B3qF8w#MAru1VM3{rX|p`Jc6*ut@GMODdi?&OvCCsps_XT9 zkk(Jd`e+h@$Bw@QXqqgV?%Zz=@n%cn4yE7td6ki!@6wBvUv;OI>*YrY`3y8Po5G{0 z&~}faeKT6VTYS`tXAJrG&H$bO{o z?O6yBP34(jT;DDV`3_5;Q-9IZ&EFs)rQHQbh>e2vrQ^0E%;!K5>KGOlR(I9}6R`8~ zx92_^&Lokf+i_M35gog!z1sD@0jxKI?s+s8z?*Uk%&A;>P}Ycjulk<1T~#>0B%WYWK&m*d!IH)Dd$`U@ ziM*T~C)JsJPM=PxY2%jYSW{+P6xA$DeFBZ~eBhl3Q$HTuu8>qx9=pmTD}d5ddv=JE|-veG%t|B5c~37MkDshPAo_XI3VzjO~^Nsi}#kZniB ze5jeK+f90-`zqs10A!wqO1!U!+MHoi;3o2`mfr38!T?I~{E_ONYV&4jEY_J~+N%Mo z?*q*Xg~`K1zjQoP6r~}?N2wQg?P9R{6%2W2F$bT`3R37#)c2i@x5)AB=);xVnv>cM z)9k-7yP16odwSOdgLP;r9H*pj2^>95{|EI>OMHT%gq`o4C1_M)sp0{@&`Oi4GbtPS z)X5tjj@7L1Y-Y_=r}jD|Vm#BRW`bQ?;0F4!{;a1kJMG=(UBPBBJD(#+o>%;Z$H$l->IYzR+O-8#&jGRMu1*aoO>wbxsGF= zm`7}n7iQaKJEwwg;0dX7*@;vb-8y-5lLdwgNgJeo6Ve%NeV#9Y!*35^*0*~4HHr_s z&A1TB=CWg)z)p!m;HJ(v7_)N9cIL+xGJCIegpt6-@pBtW&u#xX)o`=;E{~PH|NWjB z4TjHTiCZA=??akduN|X>9m}he2vUpni_1g|Aw?(SWdpFwB-bC9Zu|_R&iy)DEuM3$ ztY>Xly5)YK-R7NQOY>e6l?nnX542J!E+_|T`4;yVg3_ih>-q057f^vUY`|o8?Ibwd zh_7^q)q7KXi*Zdot1andI%QLhUDaQ58Y zompaAKS72hI@5DVsonURHEjr>%4Te(4BaAds37}x1cxZJ#-Qvq^|g*ltG(n7K*gx= zu~Dxf5t0=rp|snJW+u(u*9z+u6TdVW5g%mw+?|}%0=NqwZG|=@0l6Eb=W;tWJ%N^R zmr#~cP?{G@Hm^IFV1Efb)RKJ^mS<7_@#x@@o#0O<=gmC${^UWe!GN!>JsKd0iPr(L zdU!eHwpcsy%TXeHwK0i$KYOoPKV(n0*|$|sER}Kc`fE5gjJwbRYA<@GllHN!5d}bZ zZLSNSEY~RpTvAiNy2MMlEf?Th3b1+J!^_plV?{2S=-~S?ZJF zaKZuQ%fBPymd5qUHndOr7^Xkw0JUK;%xZX(l$l!dkULHN5$ls)!WE@ z!J~35LwC)d1<&e(pDqbDZ|6`V*A*>iJ;jGFxrPOOrjR1AEBf)AkMu{YF?l?pme=dD zjN03uT`u4kZ8DEIt`yL^3OL4lvjxdVkj>S33qVN(>gDrY_Ow5V=iqKD+v(zwvNPY! z!fVLS_j@+M^v-3ACp*HNcMN(O0G(%WTLgqRD{&=QdJJQB^N*0CGIc)4#Z|Z(!bk8K zw~t7LTG4iPeYNgV@e-RMbFIx(&0eYz#r!3_e89(_BX!Lx4Sq<$)HUQhz#_;h_iDnb zL<*$i_jw{gA_(uUE}P)9ua8g{^-Bnjr1MMQf?W+#i5FCsCe)Ww-kQqJY&x^t32+y6 zqvyI$8GFs+ZmA#KFX}jKc{(K{HawFsr-Uh1O_9;91Seg$-iLBXI4}_D- zx3;@7YNHROXxlkGu{@w;md+LpMb;X{4Zx$w=8H!#@I_%#tPABm)?Ag8vrrm@i)Y63$irPskF&XK*b{m0B%wq!pkv)erT1Pjbhx&2aw3)l)yB7pJ4nFO~~zbtg`Noc>h7Rs)(g|tA*>>*WV(o^59 z7n%aa?7Xad^HIH~+B|VR|8PG$WN{I-t~PabMwK6=>gomxBUKT>u$?I`*TyVh95mWp@g?dtjAX5 z00*;n{?vFg&~$V5z7qc43D3LukE*D;ljEP3hl_UA9nDyA*5ruVa4YAT_C-{eSk@(( za!n=>c9U&;RSWie6lpywMt z1V;+rZ7ieWJ*%05@8;T(O|E-^ReHO>v(GZU z^0TI#bDPr!1w-HLk<<5FI#f4(kZ5YjXwtA;@n`7|w*vpmTO2Xl{2Gj%3d*phxMSPy`hs5?-g?lb%yc({=>g!KwEP6@^FE2`XKw`?<+w+ zn%(Jcr3v$YB1X56e<<`-{tedjJ|u#tZxtTm%+xz*DYh2#tS^6?M6La4x{&RTbkBPO^->&%U?RR}z0Rf#TDj~+X zI=k4MoM&^oK2xwIU$|nO!xH=0SSAvzFDLi8<$PRzyv9n6#i*_22fEh_l9XLv`?-1n zExOOKYJqa*OR`Ll-=?`jn*lLfm3NIHZ(n4WWhq1%4p}$jy(LTVRiuvIUIDc*W+L|% zn(t2hcHO_;#$<=R*sVsS{dADcm&ng%nlt2G74g8ZXFz=6c zd}DV#tP-=S8~Pe35^iR*DktFN(rznM(Pyub`9_09^`$i0sH)Sk=ce6qVa1$IjnYbU zmi_}J|J3liqByDIc;(t~sxJ})@#veG*wXWFwClUM|L;uaH=!ba$6N`Vk)&M4=f{)D ztb+Xq8oTAkisN!H%Ya{7`1v2>UU{xet4}H2{HI<2<7fQw822f))e4k5)pq(T|2CXI zJ^Npuoi>W2sn=3jG5#~@DJ(Y=_UG;VrvsL+O8fMV4LS%R?#HE+`=a+x%k}R|@;_tv zxrKq26_Uz|qU|rNME?=B{aqIP^;(tf}r(gfy&wkSX8fG8SYaVot zut`Iaa8sYay}vKJ_#yseRCxj%dj;o@!(K;cV-ntt?+t!J_}?x+26~z%k%sx}>)FO4 zPto{I`$3jj1F}`;=>%Ste8B?z^5KyFal}6>|)_)0x@HOZ7j{ z)~Uj;>;J`1_rBbr`!A{KO}h9S^O8c{LjTl{J>*~9YWeB^G2{QcssH|;pD;=2&j=pO zsdWgl%kMv|>2Ley7fSkTi9=g;Qy>4G7XBk4i>KqFIm%-43C?f#`cH3Z#c$9}_o6Qbkglp`<)*sp=Jkdmd)!%dj}NT+|09r>VN z%PN3mr?-gsk5l{m7cmnUnA7Vu%y7y7lEXrA(30cnDyP$f|8`UYY~t?~mBOpU{@X1M zC8n)le9BJG@m(a;N`z zt&LWpcI9{3qgblnDZsG_4^4xLXz`Q3cd_2`8#kZIygz}84W#?PbLHo%pXIq%etNr5 zYXM@t@eNWhRX5b-Ep^y?qA2@ibcxeprQYcoi_U7X#@Efr-TvJrl67dH;sdG;p$9e7Y`QrW zE_R7cMEPlVv$N-sR`4vmhcVXiFJuB{d2-%&h9WpHq25X2v_cqr;L?#{^VjuZ&yke~ zpMtO_Vw1F%X@i=USZQc$Pmc|@t)f$98g}mqKW+7pcJx2U<2B}$Q6=q5*5B1LExq5A z4axd)X4iO~nHq^UNyFx)ftP6)D20JV078%6q%AE*X^WQslVeQ zq}>Y0ww*sud?J#(iZ#tYXWbEwbuOc>`+f*sEgFk1i<(1n7imqjm7$!&OHd|iO+I@V z1pPbXjIK0FLU%L}c3m`_z&_}BgQ1;3c^5>qQ`m2}`X2gRe)(tEt%Ov;EfXPZGcPS5 z%18h5Kt9f-Hww1DCjO03ZDT^l{CDYwV}fSA?^mm%+<)gJzhlzSD7m4-)gg+tCEfg} zv!XrxZyDdX6qLi!#!gc8vQ6Xus^JcXW-2R}Umcreu-liKZxk^1n+JRad3yQNs^#W9 z%?=hcQ!ljQ`WZhlF));NwaTpcKX82-8|fS|^PoG|cp(|x;I-2HY?`XdY>u$GJifg& zHc(N|bZ~j`5CFK_PAuMm#~RaLCHXm3kiduWM=o{S~xgcdCqX)B3z)bH7p~(#!j58*?ph*OjL5B}g;A>}j72 zD}Qd0{#dCWnC4~}qG|7?Npkd5sAe*iqrDR1%q=;x#ptEzM$+L?A;LS8FHlf%^h0_wq8YEa>Wp7)6oD}7&z-W;ukYdIZISLSk$=DU@?iY>ifTY zVt?tjj%4A9HSymChpC!)fPp8#ihgWN1)yCJy#=H?O?OG5YQF4mky@IyTP@Zcei^Rt zS`B3?pU=y-&+dX#yq?X%)GSnoR@>3yW7`-`9@TQEM^Pu^+2&Sfy7JdkY%iKp|7ptQ zYkn$kPt^rRMg5(-90l=HKL+E5TG7)0E8o-|&9aG=8@?Elcw8kLV(JN;7Ji{s=EAZA zZdD8ZY(v7E^!{7+SEoVKrdLv26O#q1Dn;t7i7SA`_}n4Kf$s1}Ujjm+e}Yo#Wg)5z zt;I>wxBP7J&daqlo4OMdR_{*uTe^6D(pjw3l});wQ_`sl8ytkJn{oY}?$P#(?x&9A zSVmLqf3DZE!8)EaVm3Dsc!{^#B*QpHM?VA<$cH1s`^&Z?H5nZRxf!^{7fuvfrz&XID&EKl zJ2_#S+5A2r44e`OuRQOe&Qm=SU_3nw+-&bgu}-u5TM;^_^2_b|LXj&Z6L8vk$Ce6) zKJW=c*bI{YW`hS7caRqn>_KWvTW)R?1k5@6z0Y9}$VaQ?f3n>i$8!AQxd){22?yVS zYgM_c&&o_AsGQ`$J0Ev{XkC;ith5l`j{o{q5HpTYO6v73zkS^8V}eBiADCW&kw~M#cyVlDQLB`+;I!_3qO>lE%u1r#N@1-HlvbxtYtb` zF@-jDvu9pm;F#)(qkJJT6=U{B`2aS7E=>F_X-Jb@%08r7t3UAt6Z#Mi-4VQE1c!{@ z<*MQ#o9Z+0;aJPEvuOE+aFNE)Y&+j+mQVifV>Fc6=F*3!QlB4+YAF7^{CKuYo_v6{ z*%6FO$v1nie5y!2K8sP_rhq}r2&_Ev#q$e?<1;gmck_vqPV#XXZk{Zj`*)>Jir>?x zs$ABv8Gml_T9JsU>Vg}l6+ohphyYZ%o;dHL-_{lFk0_ymUs0X2g&O$HdT6fRO0auC zMT%&CiH?oM8*bIrU$|-)$a1NL1mR7WaSa`-lBIzSJwZ#IH`}8sio0MuO_AkOA2`v^ zO!`7p-`9A$9E`(=Ae_`5j1aY`fq8;vv#pg$@mgh;8ySVK|P@|4A~UyouwXO>9>)x z6mLOR_k{!8M$KKoNc;(Fd7HPX)Vxu^K<*foD`bGl|L%A0_%5EIligHhZRc-0S1B)Q z(4hW2k%O{EgN3Cxr>>8GVzVT#$_2tva&DJ~64(LMMKAKP;G1-6 z)HfkhQ2qC;Zuxa|_E&6RBv7W2(`@~4&f%=goWd`Z%+WudCqUXh!D&Mk1sFJ3Ti+C@ zI8vj}NTL%b>6{d*sz@TcX+2*e1~QV)-rrBvfJ@?1eV(yO_NCJ&}#4qh>ZLJ zE?{5sxiAY(+ON6!R$TVQYyg;0XQw;xRxSVMDd~&(;Dgy#J!^2$&hS=9Sc_+H`txuM zi-*Kp4(%nTEQ3ej3w00Y`Q!UnE<<*VYD0Z@@7R1ATHoN4OQDd@@e1he+FExiWavaq zrORWR*8eUgX^FMPtNS0m^h2L$Y(fLY?r3q!<3D6Z!@r~SW@{{2UDt{sp13J>KM@RK zmQ_a|6tp;l*&8i8GCsZL@$@}XOlIX< z5LK#?d^fPz3SaNC;>wXqxg3YC%G)YO8gz1?$%!`PZr)HT!$mT8q8p<^|B47mw0VMd zxH6kP{;Ua*U`TfPb6lBwrRX6GXzKc?teAtwCW%M<0(jeBuND0M;QE5MKsph5MxzA* z*1PVGz80*pd9g4e_O3|1Y`-*pr^dW(2jccg-{auo(84>9QibjvrqX89rtBR791L=t z!K;m;SVDBa0K<@wWZ2%+qSSo>#h&EQmXg$me>djE4RN2y%JEtaN6*=^55F2hMarwI z$8k}f+C=ny9i27Jgl+cLIPhRC%si2l=OBsT8oPJ5)@REeW;Ucd=2K(6$n3fiwlo~W zlDyNSmzC`^cU7-bxb$txc^tL8)ZkI<4WE#M*a=$J#znBu9Sn<3D4n6Li7F0dk-Uls zOZC^9hr-PGsQDM=NJJuTI)t8{LMsLWk0|sEcInKk z{bDO+g`#%b!Zk&+bl+v_dAwO&pMGrGDSXzo>b&`gft`JLYbgZ+A)8w->FCo3r`q9q zNz&S2Bo}UOv4PC&vWcxZ&;fb8w@Zv76cI$3fSZyBU;KD-S3jI>O=V2|M&dAO@jJ>j z3NU6KyXN{8LClT~Nw_;1ObIkI?Pk2IZ$t91+T6~6ACmakvR1k+N6%Llgui|v%e67O zLVsF|+s{I-C$S4II-H&`yIwPrzPHU{CLixYhH5k`7KShN9k#eVZL>DpnJCR3Dp)fZ z=0>YXql}M`Rn=y76`0lBZJj0t6>6Aywt6(%Q{Xe|N})&&oi|0_XjA>~D!myuLn+%P zMc?Iy51x}(&vUuMBeil>y08E@!Fy$2I27{h2vstr?pSkI^aurNphR2Eu1g>Q5wxv+ z%P;j2vnH$SRZGde%&!x6?}0e$dE!aqxw-F-3{QLXj=tUdcr?JHWqAK(@#q(NSnD8K$c#Jy)!6x-JKs~`xHRFZ%sm7J6uB#Gpt@+s7Quxn$+YBO>S}n4b5Ag=bSV4+1ve$GwyxIy<_m90##kB)~u?v z=KRm!Y^wAX$WVF{Mo1g~MJ&lIURrVKM@X(!1D@Z6NDqfvZsiW}a!tR63>+T zZU{RI&{34Lz-ylm%qfKxp7oF>v;^@H7brz<4-OM6r|`$a&`0mwH^;u;((mpEhE~pD z`OX5C7&mXNHq_Z!OsNhyJk=XI^Rn>(DMGFK8x{h&Nc**;+*;ff3UUzz6$t@sYXb=h zN6qdk4fD89lWZ}T#S(>;Yt1f!Sn5cPtN_Jx=eH!{_dYClECJvI^W{~R!%+y^U{pp= zUhXFRfzJWm=4@54YGtaJ*?PcflXv}2j3Yda3E%)#c7AubJW{0?>&P&0cGON;dL#AX z9j_B8f2_<S8dQ<(^rFM-CVDJzkMdHP^bdkm$#j>9fx zcTC86KZ^aFk*^Z5i)555QgdE>j6no!w00Ph>h| zhi1CPvw|RT{A%!7pt|2vhvqrib61O9QTUvb6VH2{tQYN51SkFiR(q}PJ>yrK%?ymp zo>kteTc{TcF>$P#v5JE{1t&sQc5yMR;Hxr7Cgpg^K#5bUP2@>ko7EPqgza&t(WAJ* z1@#Md=nd1W6ysxYxXj7 zZllNsVi!6H?$jufsoixQ?Dhs?gNttz-^?nT< zsly@_#uFdi8h_tgBFTjrM(7zPU#!-Y&3V$?JPEOemd8y}4lw~W?)=;|a+|?%y zgv2;>QLLHNHDw|o525x8zw$IR^p=N#Tc`5K#H~$_y-6`cINWpLdZQfi=AF@HaM_8d zZ;vRlkFDYwHrJryciM&FeSB~o1A!05Z;cn9m!>$pGvcK7&4X~KB^@sDj@}gg$0!#y z4?`X|`XU-2c{7g9ue-%hKDW#XS><8RxAB;MRZ2b#BG?e|+Rq%kI3sR|R8dNMroKn* z*>bs^0Xt`h5nA}?bLyjOAg&H5Od@esH%p~Be#QsVGy9MfM~`51ZMEY{YUiBi>^gRK zsa~7RFHNngVOfRL)^lz&ZW0n|Ut}*_UT4jODqGo$7nl#|0s98}3wkuWZ%#g2teMt_ zh?K$Ipx-1n)BE&fMbK7(f>Uh)K0C4*UTW?eqE1jaQn8|)^BTF)$qgFI+hYavr*s1s zCtJEshD8}d|F;MMI2hnoBci$l)9W2Ak(h> z^Szk|a{5M#ZCGO5Z+WvwMe&IUS$x_v1mD5vu-><1O*0i&q7bJe02l zm&yc`qC6xK<>sGo9o=XBw0iMTN^N_#3-I#xg$1weUH3p_(SQh}Std48h@ob?82SAM z@$<8>8i+{Bq_(Iy!B-!61necIck0)1tEd|43Y_<>mAp$>LSMh~Tr+;)8h>RQ>&S!$ zYm467_rVv{N)YzU(@$6+C+S5nNud5TO8BQMbMcsX*opH?^RjKjk(5ZOSkg0P_g?HF z_L$dw_H8x0QePq)P%tnQP?iaW?`|6+MVT*#{0ppQ-4Hj)QSOWL&b#8dVSS8?v4Qh` zC4J>bIXqM&+X4##@QD(GqOT&mO0gXJ-JnyUBXk88c(LQ{m2#r2MDQ)%w?A3J;gFin z!c9N=m@b8IOW#9m@KngUw&nKq)ub1d#%Kjn`mn2jcA&wSBP!4^ux!pR47YuBW$S2w z1yGCk6UadcPru~*n>0Y*;&J?%sZ=DYSQoq`{qS|UOFhik^_?xRoD8P8LIS5niA_EU z2cbeX3Vg1d^``h8xFk#M36z)Bte*>Dj?;i#}+oV*KWxe)VOjt(5~_l&5y$@KkndyJ?aEvIJN(~O=w z-ok@Sp*BZ#N9T~$VpR9}9o<1OW!i9x+(0IqR}t8K8@_?FWdbu-n>Cey?B4;{l<9}= zv(G@LU|-uvB&qZI##(lc9Bu?73+4my#K?!9$aIT=n zN^Sr|z1xcYW~^LuR3(r8&E zY5`EbKj{oTvs4`$B+}#EumsG1XkTw_*RL%3K&?)Jl;ZiNT1wI~(qmhxAVBmS-81&B zbIYIGFliw`&T)6!w)65SQ9Xj}QZECHfq6kyqBn0o|xxZsw7{IbSeT!*&Q}3C*#@XRg~}=J?n{_e1NKYnZxNQ%BlK3OZqN(2!Ac1| zUXcjGane%j{4Xtgs%_%DPZx72XcgLoJ!ZFjXeh^uP~eZgeREX{KWB&;n-K}f1#k6c zW9N2#sfwXtdh!_)Hc!*{DjStweKM>iCS7^VQ`*DQ4r6dDUDH`apNoMn292%|^aTOu z)oVNc?gwuJ#3*7?Po}&h*mTv>uR0EZx}^yJ^QBzekz5P5mH`jO9Bn^>1=Fw9ZtQd2 zsLvzp`WI;Dd8Z5H$RpyPWa^Lj9_;57(JH`b$n^${1C*&;OQQN-@=QO+^k@`edix4l zcJnFNIYIbyI`LrX_ZZlMd$?8=0s=Gk`A(RTe{`WVN`HFXwqneC!x=niC#OmRua79sIlbe$u&vrz2>hls9yu4hPBn=ZSF!p6n)eYITv>6;j~TFG z0#d(KFuD{;8W3$uIo-{Y&Xf{gMWUCgv;#(s~CRTZijQb4#n-F$>5_OONVN>Y>AEfLhi<}&L06sUz8=H!ZZ@*D#tc;EB zNb0Ga8o8druZuHe5h*w5IVee%2#Q^{gdLpMAD?K38M*IG+3;9R-MA;J?SH*-*Ff*M zO*5w%@yZD#&De1XnDPZQb__WlaMTbQGu5Y?Fb6wa1FHCThF#q9-E8Mw$vCo~Gy%j- z*&FETq#N8$n+pPb1D`oZZwLe5Irz%5Lch0R%SNvKLRDw`78f;OY1_$2&!`pQJ6XVn3a@PI1MV)uEOOy zbZnRJ2%0#+soYQkm}lM$J>K1YV!6qhNhkSJOBBENE7tB@>;!6g`PjYzncLJxtOb!t zZSm`1Eof7X{^?)UaQ|>(p)msYRKMCj+Z?q(!SML6Vc%CxN>swv2ml&ZCwA+>gvj3c zRwYgw*ACztUVTX$WAUw{Rt#=W^<>4o0D96BSwLvEJm%kvpEEpr6tO;}U*AZ5u0riU zo+a&Gh;f~rgxjv)It+U14NQaN9^#EvUtxZ~T8vQ=ml)kXn z;@h`L7Q7OGC$gSj{d+(RpKLg>NzUk(tA$ZDAQY75KG5!OV@!8Sgb!6nmh2Sw{nS#G z^nlORy!ji!P~@x5ikP$g=*Rp|r5e)C&?LkUbmYIr#Q2|z`cK%mYy(Q>rkhwG$tdF) z&pl@zuZ_E`9TkRl7_R90I*)~E`f{m7Yay@wD1Xrf^8oMlkn738yFO*^XN=Tad2d4Q zfZC1}Ilu^yXpz*fH3r6fH9Z3maXU=I;~L2?Sq{eb@7{EaUpUR!Aa;9UnK(oI+0ux6 zL!tQtcSu>y6E-U{fHY?n+Ofq@k_C7hHdmLnD($gXe4kQ&+Cj7G(BaCh9czhv&QZ8u z59m7&!RAdqswlFdv(c@cc#!a9#m=l^GDD8{c5Nx!yuV#Nzr)c)*~~1YV)ml+ghn8> z;3S>eF%);ycPmE7ZH`|oGo+?;nyN>i`&?G0@CJim?h;7Ngf zo6lp+8RcTr{)i2|Z1ig)P;vo8^=5|7^G%x=UaeBhSa%+j>orw7gc38a3>DY-b=^5% z>dDyg-Dsf=c&b|-FQgpLGgvcZgB(G0Gz|EHI=(RtPnA71Up64#hZ_UU-XZLOcW~x- z4_WK98%()t9;Y9~1D5NJ?Bd1veyg6b9KW7*b#17`J!V}~rt!oI?HacuTHTX|%;^1S zc7Zt3fDr4r6<6Ho`Hd#*uAsv$vC9R*B3lf*=5clg2D}iov72vXuH29I&T6i{1}Q{s zkcdn6ya}0MZd!ao#DjP{d=+>D@MUi4Rqq+V!waD6-XWd2H z*IOC)WMJFQ3KVgVLZt9k*_~x>dddk6_5K^A@lg`yt?eZO@z_WWqoGC^?(&rVzvgIw zev|+S@;b=zf9c-W>GJgVa*vj z;1iK$&QmU#;2)Ki@u+d*@-DkXmUX`J4#!4nKx7!n5Mqx^^>{dJpr+9F>m^x{}8Z6sCcRs}zj#ihoix3>%#19#>nU8ut7$Kjy}c(Jf1CA8uCM$4NZ}Xw5YPC|0L6QrAr)eu z5$%x#c!xA@61<@Z=v%}OwsY@|+#zw|C%N8D0~=kl6He1#AL2oh*g4xF7*?p**x0w7 zH>mjr+?oxnLSJl-*T^p^B2CvEbL;nC_>dj<^4I3W(LCu6O(EG`Eee{ssdojJ`Wg8~xTtj+C!^W$C@1HEapx=_6;se-H z_?`G?x_fhpJ6TUQJxnWyMmWTs7bU*ADQiR7d;8loM)A2CS0DtNpd46VN|h|z6DI09 z-OnSMVnbvb{(h!k_73|B+;&B$hwwdkEw*?|oJ}En{K3jv^4!f~)y)-yTidV9%_`cv zuUeM+dT63gccm()(oq;hh3_W+rK1Q)SRHI+|!W2Y4#tu&r1nk+=O-J~*j z(p+f(0;ANP)hF@tOj*yP%RQSHDa&|ryIS^6aa%gR0)gl~@a+^FvRvZQfB+quvx?fw zVb|#ozcE1|VnwC{L}mh}>y3rA!(+NF!V5%V-uuh0LViAW-9fmQsLWtdYVg?in%LNc zPBxxLij)Qai?p{*`*S?|J3gh!;w>9N zU*Z2BxEO=46z4&4&md0JdywnoFxSr#9$VvOW*i>9X#m+BOwepSlV3L`5R{!2&#=HA z2Yk@;sqV8)p6WIwTw;m@@2c0NSm(#=n49C)LoOQ)f=jT8cAPNn+KrmWjI;?-N3uJ= zZCNfSu1F_^FgH7_R9 za~Q=nX7laf?uj0TDWNy}{rsw#V8@HbVM0w;)qMXM$NiV_m_Ld#&$e7=*oj7JImA$h zsfpNmQj4)F3Lto-#P4Yke?S!WJ>aojb%th1rn;Vsm)E7~gIhr)!cv*mR*S$0TDZi% z2kLe$uV}GXj`Q?jIOj_^VfZo$L2c93o^Pt|=15b{5IZq7HBhBcP2}f^*UDa#xJh^L z^%c6s{A6Y{f{MSE0_Qk0ISU?aQ`Grk9o<`em?yZhvVUW=L3 z!ZwF3h(<(F`W1FR(Llgq5v4Y_hgW)22Bbk(rj?CPa6O6K_?S~cK-A$vX{wdsDhlt2 z+|MQ$;T~*h#a}m*HkJF)e;nR@oK&;xo@xA@yYN0G$hm0(<#WV7>mq2lvt5k+G;Z`v~W2yGrr#*5>6*?G+$#NRH- zkv84XPUZ$}j4kdhq`feL;9!W4&XMFg<1G*eDm=&a9U2v`!Y1k%!zVsTF)WbetFs-i9=%Y+bTabU^*FcfgK=9= z%0W#{Ua(BlyJ>Bog3f}x^JChMutaAgUFHI6`|>lB2x^ax^Qp=`J%v2Fm2Bpl%dA0I z1o`K#Q0?rrVh7Uxs4Osf5{ht(1A17xe`UBbF6smmY2bkxd7H z0NGz&6#mVIDRauwojD8eKRZLN-WmC?!bv+CkAU!}OMw%GXTq;J71*w_&%twU_Xyva z&4;lzro|T_b~rO#x2Hxh`QX{Qt4PI^LMl7UG(|;czjf2W#LQY6Zp`Zb(qoWO7`N_K z$93OZ#n1tLgi7Ur>rn!sX@PVw7B(R@Comy^({Mg}1_c=jh!>Qp4o6td3%S2xe&P?_ z9A=shAh-oJNrOI?o%Y}0IRK+*qSCs%SppsAENgl;c%~>GZ3TtV#sPrV8TfV@R3)j zB#s?9%cLg|J5nVjl3`0ZJY1EA;Lf;{PC*Uo#bu=gxM|rz9RDC(ETpj05Q*~7U#v~E z<-!iS?JDZZMj$`45+Y7<1r?u8y*Qrtm|nAKPaE5YWh?vIj2u49cw6&J{i7CF{4oIJ zi>X7-ZeX5peYCERiCuVsxYigB4>%rTY?-T>i1JX7}nn1RpuMD3Z!AeF6h)LZGETyC0J)a$R;sNfb+#kx#Kz%SClrXfLvOfPyzobGoNZ zlF?G3eYq?))aPKa7yfPN%EpsbOuU zl-@pq`>m#@W1Ey3)J=o6`8z9Y;z>Au#q=($(i!}f@9GbQD(~EV0qXi_JZ}|)Ei5R# za1Dg(;t1h}bbvrf;5&}lPVxP&@PQ*$u_a43C_c&minEAC);4f}LGv()ZN66rk@}9+ z>l1gpa;AP(VK%^d6^3J>152VL;=`T@RPDRH)9m;>`1=N233%J$@TRtA>r7i=2r z!T+II#BphZ2_m6goyzrmqDC@ZQyCXx?g&xGby|XQD9ENVZk~2pjQWkjwiVo{zmQlsqS0#mtUwj5z%on*WxW!-5x}Vx&JE#fMNs#Q6k&DwivHx}wnN|c( z0aEU3PWB`*lmvHiEBmdWePY3Wpl*CX-~kAJ2`hOWp!1J?mDZEPXBU${RShXQE9-?q z0R3dlS_(YR;qDI&%N~4Fa#QV)Z^@M{Pk4WqazxjGTYGmji#~8F10;|84_W=GI&zry zJc4WVluRHEs=}gO|9R+s&XHz`M!XPDfl!Hk!EomnaZ{0_2WR%^E*83!Jyi! zg&d**5vSHILY|d586*;@>L3@>9nl&tl{`V0y&1!lWRk@;GLC?u9_h9&@<0c%gFX>v zy&80XYQv(@Xp+gwE=8A(xvjIJCHUKAOYNx1FzO+=n&v_vO;h>*XEZ?+Uk67~4>+zTH^mBoM5bQ~7nFkyfmjUDMBO*zm?z*p!3?|g-m25H~7%js`iU=lxr>^~rl9;LT z888#nC?OIej+Wc&5aF4!zK90NLJ9 z%B;us#Xi@^n$`-7813L_%`5I}&ePI6ZaVB9u<0D#^nki{CB8ll&@x6?b^PDrSFrzo z&9B%aUI~l`KiLu}rBpWib5e~2-2etKOh{gHa1SPB(=xYfNu6fya!SlF5>*ci>Mgpe z$!NWIwi+YENc8~`SVk@A4D`hZXBNsRZflc8l~!jPGslLfEGi%mY&w+I(l^(zr zLPkzCfJBI4Ecdg5pI09lMSi+`jEJ~LjlnpU-5IwtT{m+}l;r8nhte;363n##XiM8W zEWD}6H$w{1FzF1_8P6SF3O%(9K1ycwYV&SgE#4WWY6@G$uw}gC*3rzov=&hFl%@ie z;t=bS@$qB}a_5<(N?2J?^X+1Ihhe3+=-#|PYNu(##AQP@p&qrFQKmf?iA zzGgjO>Uaj>=1g3z;zX8cw~Xy0Wz0BC3xHO^l?iK!A` z93a7yCvu0u7h_w%K1!1*l<<58Unn}U(O6AQt-7JcU{XOuPPo>IYrNz(*!(MAn0dmV z#HFT;`)ku-7E8?nFKjiBSm$beKDc(Od7nR6&+pQYO0~^v)vx#f=qh7%;bEWiu zD~iB*^a>E#eq^JtYR}4em@Bj2^-o;IMohJsmqYZwh!xz$a6|1MxrtmZZ>;YlT=V~Q zG8Nh&{sUOwNCYAzw$Ac=-TP~0iA6lmcwxR}3Divb4KNS+JB&aS6EKKq!CCtT*ngCK z3}Yy-y@n}Ismxrn$BQWrk3T;#`}dgd8>(IKc^fctbwI7WE0anIuUB_uzhw1%`l&{D zU)2^e{}M_IWYGL6rR&!!kmz5emKT*wX4@78l41DI41u6gl}yPHv61HPOal?8xdxiY zYX6{3%(tliP1db9VhIIkHLK2fK1l#lFF&s0bvOOR z7=T&+YG9DXK)ifm5TAa7W1Oh(>FRaNI{u%Uu2S?DY(;Jc9UPFW{#n;$abE1k0;p-Wvj=s~~83tkD+UsORdHLuBBOm!>eh1cH63@m)!Iq96A$W=* zcSxVGvMKM2xjQP52@Xv$v zyRUxrjH_7^xEjy^{ez5xY0sOPuN-l21VE**+&AQ2Y=7)RAH)~!r76VppZ)rKwF2Pq z`tTOJ+r7vw;Yzp0A^ypZF1tRlc7JpZ%3>x+8B}tIp;!T!I{+@fsv*~$n?eO<^p)%G zty`%)zq{Y%cYeY?B=~DpNd_&Odej->x2p{bF0hMzSS|AKNhewpG8e(#bndNi-&nC@DjKXT-nR z_W!6g00iQHc_;k!vH<-z=?Cy$=u+z(0EMwXQt0Xmb>p$2`fpqH0Pm%Fck1i$IQKjzZsaJjYriv{p6TcpeQ_4QHZBpG`7 z$AA6T?%!n3(I*@!Nf+YZKBd16RY?Fwaf6xtFT{<%>+)Za znA06)lB=x$`ZuBsgEn>?AAo0e=UX8B6&eQif&wx1|7|b72VfM;+ z@WU{Xf3o~bdgR~Sv(>U2L44lZL(so{_55ka;YZ+r^VJtnrT@jC{{!mLN(vAkoZ5sa z|7r!l>lYw?a}PKm!+<&Y2$6gpY~&hg1Kt`mLPEt?bSho8DeJ)0mexysF|F#C{J(89P*+&#;kvZw5boB?H z=lC9LpZ%0brHsIb%J)z1j00tV{`@D=%oIg$C~4v863rBf#Sh8okV7)zV*as@|C?nw zZwv}Gos~rsRTY(~+`@HJIk|py>F~erfyY69jw)kqxkTQ=R&tL=`9~x`zqxyIRJXWy z0ymqU&u*^on)r|$CO)5??FC2fE&;EizqI9lwn$7rTHG;_6;(J_n|r=jZRT<4H5@;H zTw53|gxi$VY!LkBICE|c3N4)#cJ>K#PnUcqQ&pBTAl7$upm3m$+R=R?{oI%Fr6?$N z2pT>4RmF!$8v}Dw*Zj#EL9Y}TTousy_|c<{kp1Sa_;*J9vxIlDZxhje{n8-dz21LP zJVyMIJ>fVqj@n zX&s8F3UP%(%G}_;9(4of32_iUTdAp$m{B^3*RIUx#`ShV6^iK4`$x|MIb#`{zrCT| zQ@6#n2MW8&GpSxF646r7bdMEj#<0e+m28_{wwS7BsI_p;Z7M8kPFDvIXqFkslL`8- zvyc1KMbBRQUemA|6q;O;GDKbUCA!r5%=skmPZb=4-!|OuO*`&eTDmt@@75r=qI41e z>hW(IX36ksa5Q9|H6f)ntw!(VHyfw$=N=(gDaIItzOvC|QpuKoZ%8K6pFStuZ8=0a6G*mG=!`&LC6G;c`BIhQ35j&+{d|2=Fg7tO zs9x+)i}|}(O_U36Z=n#h8fIf{#BXuGXQ8mvFL zOM3O;UGTMRLvTFKGv)WXI0`05g2(JwSQYmlrKt8o8br>|@SoiF4Hhx0!Q#;|FO8VO z=YPugkgW2|%lB(qqpoFxQXhqm;1TnxORI7vX$sv^GHc$CBRIrnG0HT#a6MG~5|zzMDBQQ){ct=x`FJWTm-~nfVEs9)$cnYU^`4nV4>N-TPc8 zt^S0T%aMAaA!P!+Pwk+y-*zbyxUAFau+ZiagPyO7L!UXYI2iC|oR(fiU_jEz9Ooj+ z9D4L|?@Q8A6XP_4r2Pu0paq6AYC3Xq)e+_gu^*3JS}bd==8DbjFiEWpFi`xZ`Djf= zD2jt}c$6uWylZsDdK_`GqZ-OI)$8+b6Jxta!vy_}!Z9w(&ros`>9~+xgn2P?a?NQC z6wSH!cvO_QLZ5JlRk3dqg=1kXdo@i>}0 z`sfN#(c}40vFbI-+qZpl?l-(c46l{I{_(-vfBJJd<2AjD2@4mVWhp`Qi?Nv5Ag6Av za$UBR&Ea~2Iy>rZ#GvG5jOg0Y0rxJr&DVX^`qHWXiKp?X-W8O^IbdWu5lZ`;FYAq< zRi@$Q4@@4+>&o+-x_Ks+lab+M98i0*c!1&0G23WWQ{XBl^d7Hhr*EN;cmBoMXeIA_ zXD-61_sW;IDo~&%o6^w%wq?B8gPZe_{8&ThaLqg%sBh?o-nf@6V)-((iaE18f&=HR zME`xkMsHDqV(k!6xj}q2fmP;&&d+l_Sh_|%h`M;TGTQxi+wuE;kgI&ri@wo& ze!Hx5PaivuXOzqYCFB-{uIQcm$29sC+13@ljI-6qa>QJ+Wo{7jeTQP7e*h~W9zvgq z<}94u!h0lDP3)C)l)RHBg-I86BS=vjyREiRX5m&#STl*B4s9Gg(#+VjH>$JdIWws5 zXHdh=kB`^vA*nQuGV(}TF>Ya%K}pw^yk)VumcWc()fro0Wr|GanB@q&`RCrbcm@8q z2}im)^o!(kVE0eRRC-r>YQ4AlmsE#>^!V*w0Q~Eip^cT9dRs|2*fN3}wj#|FCNsJN($k`MYur^6|pz5VwwI3F>h|5=_4`Dca zG<#!Z>axY!1@%)d(zxRSum<^KQMECOL&5h(cEfL*KXG$5`*48d5}Y>=NiVkdO*ik9 zsFWqw+V1)YJMXI|naw7?j(yy+ltuob`PmcLPMjHm6fGYBjd3Jt*g-umkiRb z=y!9wTxEGv^(DNrT_azEWoxqB;i2QbAF^=poUipvWSaZ#g@<>$zh7&SX88J8Wk8!C z{2C$^ws{!GrqOPo%lf)B(UCWFt|Me}>ql3(Mzgs*t9o;6d^uNwxUrbt@zH%@U-WZQ zR-LGM>a+TLcJ+z1j-4{iu6$9?XGMGGh9Ur6m@-E)|2>#u>F{pV;{MDQU+wkVAPP5| zx$36M$}yRi^jg9X)cTDZ1E#;5IgDTg`IS!5xReZ(&BUzwB~tdbRhkicEjx$AjUpScXcUJ@#cRQNq2Z=bJ0u;eA}j zlGCkTVjLMlhTRCgx_6YG+sfzR39&up&mgmt$;vBx{=Ea@Z(q=g#hzbJAGQp-*~18% z1C~;?WMq~xe|@Fw>GmN({>O43uCpJFR>YA~g{Ii+Dr%L>T!uxR;*gZ+=%P;#Jp$|z zV6Q+P)t!aMx4(6acd=?jql}ua^45}ne%_f_Q&huAX=}f2AjpVq!X57oSoP<*7vpqM zbT{iY+z|7Tw~nTgm*(eo&7F|X)*z^mGU-uev=UosRn5Q)@2ji#5|5J~g?s}>K0-QF zN+JBk5B007_|3gi2Fmy}$8;w^FU%d$jxKk7N-~gnV6z(T+*- z!pOmHCY=u|Eo+rS$*}sZ6t11d^9EXyhc9!)cyxMSpX^LFrC37F(?O1NPj0c`mbiB$ zqDhsnwy1P3htU3cjW5UR0#+Eet}gVqUd@!BIgp<0OoX(jUxZZZkoY#;#&c0cmCtQ1 zj9S&Tws!hc3R#xEPUX98e_%B{j4XO{?y3RQEzxUU*4F);2S(zuCt8}yDR4MYn)uSJEmz=!u@DHcrI2s zSvaEJQAZWsbXEIAztK9R@^^znn9-J9*+xp~JbsL9vjbkL95c($z_w zJ+p7n|L9{)H={Q&xVhmlrFE;?YJ=_=Un-_j3Qn1Q1p?(qm zwKGoaZ146#=w%5vSD?A4TR{VpQeKKSI>!!<59!Lzj#;R#pSZaLOgzj5F(ScWS0zGS zvy2X_M#(o4Ny%^Rzy=z5F6z_mJLJ_7Ro&xI}AK%Y8Sle~fgk;x0@erf!>EG;dj z1W#0Cs2)8`BiLgx{3%RTu?cvdaNd3!xZCK9gg>d%FqzO|VLCRurWq@!MLJyY-PidP8i7t>J5}=0R%ensV9;8~XuKPun4s=r8XY1{`|wBCkaENP74PdI+0HQe z0cLwXi|&S+5Wb{{{2?ZBEQzLdn%zm(Q#7(zlv# zKZ)u2!cd<~%t7;s{T>GGy5CvvYuk}x4(iFK;8ZimGXq1n-ix$1?D&0{b76Vzq~g~F z(%b@g30vdk%2w~kDceJJB*tnzM3h%~UOI2gX0<7aoWbamAKg-8bzZP*o0g-gzF{{3 z8!fWm9I5qP5c3KADc9_BR6iM@)WM$0g(YHN)UC%^Okgkh?-K6+UZCS3cCK#7p+q}s zj0}WK7`HM>^QD6cj}=tNU0uIneBy)effh-dotJT@tUO4_0v{K>%qw0^9*v2-tcv@I z`NZ`u5)JM3LE;V)0n=2R~5O290gdYT>j!{1lEc=%f2W0t} zYsUw9KGe->(IXa`{5c%@>|*Us0@Mq2Y3VqM5LFuSTp;i5b=m}VZ-Zg{H9Y>fI*a^H)uJ z9xJ(QL485WKZ?&o`F`T9EUCUI%Jw4EYmwG>tv2Df+AB+`wc2%Z-&|0)w>9SMhdGX? zD`;0(9PgyV6U|yYhhw5-HQK=?Bs65K^)QafS-Mx!DvCPum;Xn1{iHJQOPBun@Y0!%6Yr-YGwhDaGfi=nAV*X33 zF2eNbaSLSe!$MwO-mjxwNsIdJl!w6M+%X|vtPkFt6p158J8mPP!6M(e6FenoSeXP# zE37M-v$=dWkL9OZKnz$Pt)N^RLRcj1FHWXC`6-Fu+Aw)e@jzD1I&A9M)*$ee!vo{E zZVu*E$EQMTz4ToX>k~#}Ld%DFCF5gTHSUJe&k4vo?DRK&qUV-9H*YpIHsAY_^X}}5 zRgd%3GYDn5Tldr3f#CYm<1Ko={^L7GgS?$`nq^3w!Y8}h!;%OGF@gH}wB+*=J{y)0 zK6_El{aG6!?Zi{~R+rnflU-h@a@}g>aF4sjEb+dmEa`W7!y{ZnDb*J=BYkZx=AyDc zr@`n2Sg-JzZ!awMbsIrSFN&h8yV}vC?>l;} zD})OclgpL18Nw(3F&0apAsE4^lNa3R;z25)(MLU*Mi^#wFZ%eo@I*&-`&{8h>@$cC zU7*->okh;w^9SuO+0iE2N=M|J+2eK-&|acYJ2Iu?s}=wHSJ|b#l^=o!SS>ii&1Jsu zd~ls~7*5q)u#UIU@rxPl44xbrBEln6yPj{$Eqvd_*>5|TeZHX1wxp&I5^}UYJoz!k zdVNQTwSV0qN1JLm`~0X^{zKh#y)Dat(`;+pWXS#7Z5GKtLhg)!4v4gxiuv*yE#Z4@ zKklni341PO4-UM^jZ+MSPLlYpkxm)6S!8*Ob4GdVCRUq{SNxo?*I?GquO(Tpd=OGL zwKLz6kj&4IqpOjgFr{*~qwZt%Op%N^e!wuVhj6N0q<%E}Qpu+zp}sQzFk`kM zVdCm(*!%;5B+6Puc6Qlx=xn(EyiS{q;=%odgU55vLyVzYxOli(I90>DcaQK@6o+^B zsZLsZb1=9x=-*0MKKT|tO z&JNTXAgydkls5jH!_n~|-M<)HbxAKW5q(dHn3loqGapnThh^7Q?$+5Fm4 zTJUm`djdV}t8IaZnN_ScF6`rc#cLdwFPzQ`34uIu-RuUOP0q9dXZE>_7b~R(G7(v$ zQA^2p*S5}Uj=NIYJ|DWG&3r*4{fPGbD)EZ@cozW=8OWysFZ}Qw^wHtZCjuL<+avom zDjY!N6Yx>Qkr!j@JO?;+&>KvRN|6~d&Q23IT7;uZ(@|yZcb3n6N0+h2Jjc9j$Lb2= z^UGsiCmsZaaWU5yWre9Cev=<#6$~>y)BzKXdI(aVaO@ggh!8c@y!Ng}qj1CLuVha7BbG-?r@!N)NDd1-*bN zJzQ(i;sRL_tVg}H>|460-$)yy<(MmYawn@&>^XkBL;akHKsnS`d3&?Q79|p3XbEy0 z=GJM-SfJH1Nvw zS!MBEWYOKQz|V58(zM$NZ9kyu>y9i-9=Q&z%v_`Nd=T40tA#ulCfg6qHCPA%L^Ouv z|7q{5qT=ehEfWF(LXhAZ2m~)6xI=J<;10pv-Gc=wB)Ge~yA9n-VboOvS}#<6(VjXZSo+y$#}GBSz~=(bkvrs6x?g#ccd~%Npah^^BQ8j6REO z{J6+vXfp02O21sH(u92q8cxm#$6rC4fnTs{XiNsT->uI5aZ35HfbB=sow922Aq<~m z%ZJJn&+|$%aKxm*rDfUM*9k=#K#__!8iWiiJ}aP>2^i~=XB$Kd800#hRx~diz|bQ4 z7!hl0X|K`rMooKbiYucOL-|BO(jtGYSI(@Mai2{XROr!|tb_D5_IA;i{f1Rmc5@U) z;FRTup47akfJvXUyFAPpC5xrhJ_b#xsadPMS)2F2WUBUzhkmqoHLH|n9>-SZX2Vjq zcJP^ZDyaX2!y$A=1T$M63&3%6dkkS4T!})r_@BGGA_+Np4cREq(JA1u!Ig#i-I-b0 zV^)`)N5tD3dr>M~?t#cR34eP{; zFXI&E5L6_B)#NXM_hE#zI899o^{GtNLJrgj>u#6J`!&L8KHor$7)B}3oMb+6e`NG5 zm~&%b>^QkF-|j|-Mehzj82}5*Q{NLX<6vSA(H@T!#mLyTlLCJ$0k6i-?2n%wa5A$( zBbg*M(_S|SHZ47b9@CHb>9MT*4K^mD37-oOUpj=A#Z@L=j}caroe7zpUibI?Os0Wq zQt1J6+X;QfT@c^liY&&=B>}H*e)+OK3yLzR3>;09@H-w(a`V0?6kp@oL$TU3$sy)j ziWyxRos6=@q?R)<(9E(-nE2N9^nQk^SRSk+TAmG9b|`ePc1Kpm1j|jWR1BZu05_G^ zP6bxw`s5RC_+k$Y;}4YY=<>w)m;t2_-VTyaI_rmKBiXujr%dC>onRPc){uo_&b?YR z_^LwVwJnBi7f|=wjiDD0PK4={aHzT34<_qD^PE!x=J?qjeGRCJE+;RBN(#s2{hp%R zlUJ2_3LS3mT}ryJYmD*v3yexO!`dQerue^J8P!!E}3>@tx@Q zx|Oq?|LNu-oe15%tHm`ClU^K7TDspZ1@LO4(s2IW#dw-#<9iR|OS$<2r$eLrw3eGK zx8D%+ivmlgqc4wpHIP&EZI?MaNW(p^?hxj4If4ZXv~$gEBf>Yn?~3I5c{N zxzLf7tCFphqa_Lkbg$;`NfZI|jjnuEXhGd7RbO=)r8#pF`VIY(P`&jIlhBR|(TK3h zoa@T`{mG0zSRB-OW>e{{_79qhm~LN5gwO^^mrl=NZVmMWMAScjKbLye zubL%~*3V1}LMfQ7K%Go~U1PzP(R!B`m!PRiFLfhv^c+<7-*R9!3 z6DfxXrt-c+wt(%wImw2IMGm+cCH+L@NGm(43`Ej-&rcojwJsn9+u5dn{XP(4e`3M@ zJvf!t$Z(|pdKUdF?-S{#+)!E|9o9p#UtWTdrMuboeOQ#lhg^6{Wb z%gK+e0h>q4(**+VzIG>4X zyy&TF$HTNV-5DjXH~0s>&cUI_qK5;T&btu;4z?2PVm34;Y1roP47Qn$ADA8&-IS_y zO25aBBS*&ds^IZfE{eCys-gAKFWz#OcIElVnupQMGJArQl36vUEX3pN#<%Gzax~~P z2-Kw&_Cw~I8=I#H3@GKb?QC*D0IB&a=73)g?Y$Iw*NC$^|n7Uwdsn z2pAJFBATE0A zD?kG9nXfMYcqBns^3Q z$Ad23xv*1{7wd`NLAGN`32Th7_%KH^4r1-$wn;q2+NBdYoTUjZShRFi(!@i`x;*)e zk|$Oh9NNLj;h3QwEdb{YVhj&F)mrf*CeOvfsRRp9t7(rUC{PSt+L4(*;Jv;jk&~ zD&v7PK~Rk6Pg=s)KC%v^TCqUoH+2X@WQLH(dVr&vRA3o?xZFBIlAk!4Xcpi8Ra^K z${eD(#u}GpNj>VENEI3vU%zSZwJ*oG+)%&|(GWvLD?RjdMOA2JQrH$iB5}~$=PpEGrliv)vRpy`98 z9?QfczRHq#=mscWz5w-wTH9hDs`*-Wv!~sBwxnGnLXdPkvKkbueNmX%U^!W90^-=! z+TJ`q?vP6UacT9bc@k)@#7A!GHg6#@W7536n&Wl&-U92$U7Dd--c6Z!+D>$Nhgty& zsJ|?<3V5ief%t=5EaSU(PF3`U+w;M{^l^!>s9m~y+C&{4H)hL}w9OCKw`GvI99hw4 zY?DjG=&h^~u)C6T5k_)c^NK~4m2J!`nYyFeM8jrI{3ue)L|O{3`(ps32e1BlQnzplyec_UHRi!@O4rax*84+*Zzf2w^n z<$o8+q}It)MqRYPQpV02sVjT@E16er(~2A6{HMQvO{I6VJI(SyBC!@W9V{GNOiGCb zq4`j+tTSU$N^$9?p=@vP4Ii!maA%y^zAE<=MYA^vaxAU4-SbFJL@sTS{LYNjX@~8~ z>D;@~wJ<92*DsMom$$7Vbjhsb*msFY<>j2UDM<&)CBH|daG(JBG0O>LaIzUm)3%6w z!J7Z>K0bLah=&gzqHMx-{dG6iR< zBOWooY>^%(kv^59n4A`gKqCN)`^esS9;|4(nSG~Wt;6#y-O8FaIxhk2MnN!ign4|D zpT%`8wG_#MrUxYWjx+?n>7BInb^+1#eeV{UY6RCHYV{?sY@U@DKFlG3U+&Sc(Ji8$ z)P8jIr>p5*P$P&r^$=5~q@q^wZI-c- zFmk&ZO~QW7BA_g*N(6a(EO2w42qOsLleMefg#vvBbH*Y<>{lb^!e)4&K4Qjv-V6D@r3x}jhAw=g{4Ag3Q zt~yP%A`;b9CeU$Jk+-jvsP1LoqEvnnK@ud4$IQ}7d%KXFP%L*U7y=^8?;Hl}ic)8V ztrU;tO;PTHFgCb9moGyoBYyW{yhX*T{*kzdnd8upJX;J+*_(cLWV0H+Y?K~t&X*T# zjgfHx;ZQQB2cyT8M7I>ErV^HatipETI5*nOA0 zZ>qEwEbz~dK$=+Q!h=gU(u^dWwmryaXVBN@$DS@U3;!C|#)*1msk;UPu=T;*=oct9 zz#VBmQ&_(I`Hb`V<`VBeko01?XM@I1`sx*z|Z24UU@&)?K2WQFaZp&;sQV;VU1la2W#l{|>5b=ea?%2|^B0&a- zBhjr0zypXCJn3nlDYFT}$uL17{;XYAcx$d7<=)Y=FFK2*gkMkcOC4d_dWK%-MuMTc zGt~%IIRkw?jo({XL*=_&$h(JG0zhA(!IV{PQUdFInu6!2k{l<&F+kU3i#;{Y$7|ux zbHEJ2_1t%-WrgNYFhhFHVJa4LyOM-m{Wxitk(R`|Mx-`l)!wh}aYc$D(ETx&{B9O; zvUYAfo)hu7K@T_KjBuk*vjYVG7>%L0nk0C+$#(B*qG0-)TKK>LmDWDuYu}u)@Cj&Y z&+wxKKNO&lQI{#5b5KtpELRfKGO^UQs;InGP;DHm#-L9@d2Clvc{1NUQQ$F?;TEA) z`b4>VtD7t{QkNSbyK{fm)kE_E=phZKzB6QW$x*M<(2ruFD@q z0B8%bsTvyjLMc;|I9)^^BR{de(NzR&Fe5hw4s+o-3gXrOxLWQ%oe1%2k*P`Ht*>Er zEvNbfaHlTuH)c*2J^+bPNU#xeA>OD+?qTSzCqVO#B?M+9nFu@{*cO~Jz55L^K-7Xw z_V}see(=@ALVJeAM{`B@2tiycMmrnjb+)cnX8pW3q<)YXf5?(iS(Tba6ao?^j!WKl0 zHtV*>*Qv~h1TtER^^RuqHrV#1IxXq^# z4={&*s6}ZM2O5(B_=yw_O)Ph$7@MkrK8`+E zW4CeMY7a$qpZTX!c4W}RGl*FZ?g007s(enCl!^`QIA;f^+H>(|iu?8>i-j|8xYw&K zP8yhN+lzQwW!~d>x&1Ao{Hj4_tF2accfMs+d~zy^<>~M%rp*m!W$Bcv>Z|Lz04^M_ zL_3b}B!0&2eK)qn4Y@-U%q`Ju+>{THt0lMpC z4ZAfsxB6;*8&RHqr>gCuS9NoxB|J1CTHSlax!7G;lD(=a!EB>1Cmg#2*4Lcn?I=@E z4V1Fv4C}H(N~N85=|INY1Hc~3!9q+ii={MtgXJ$Mld3zuE#mmup8}vuS=z7_-_~RC#IZ~je5Xj4TN9W0Y(OEu`O(X)Ka{+dwa;jEgBoM+_w^`?{R!!(&=4$QENa#C z<~DwX3$|kBogcfhl;@T@#9bLb_ff;IX_1f^0HvHRTVIx2ocvP*=Zwb};+W*H2mob) z{D?C;iLB-wBffOtXq)!O+P%3uj=D-CH*BJPp;*^XNp#3Y*B#dBH0=w)5$}MkKJQ$< zZ6CHnGsC)MRZ8gRmYsdGXsfJ-7TSp0CaQ+3;kd=i?Ej>zB$bLJ=a+c~WJZJ_{Shn{ z5)4`H7%^kuY2e9rMN6Wt10Rty2!#GHy$~5@}yS z*N~EVU{5NzXGEZgm9I9X{Xf>}Yq?bi${@?>f+4002U@Z10M_ITl)6x|@^v0<8o+F* zb`vPUS^H6dyS^6V`toO9t|I}eo=h{Z)2vgg;)An-n!`D0nB{R(&U9!OBiD5kD(o{| z4ipHOESI5$@=qJeyOai4kCt7aD%@zvoE|7;S~c-=8iVXp`2#5~&L5^*%`g@k-H_UD z*2NT_1`T$2ETgs`dx0zmHRsb>YFlnX!D6?44O0ErwT`_NJ@nQ0Al_fb-kfQV4i6uI zHt~QLWqZj3J?H&7-}Vg9*ZTP^P1Iy&i=V~v$^z2Y&!9p$3ynr4OQ=}wKkkhEL|BC0qUN^Spk(r+66JsN(k;N#mCaf5emj+D z*_&_j!fuFHuQS~&QhK*xu1quRiap`U3ej};8Q@mXf~@8ZPuHv-GL6onVt;63cdf*H zvGr-b+NT^>PXF;Eu^whW#l~bR04h_bdX6d%(rMfCkILC{ySf|^Ax0sP1R!kM9y+6q zKG?l}a=W!zsI(7!G#SvKuZHpbTZo8HdA2)>#)W;Ec(8qysi0$rqhG=EuE65cI%ZmB ze>e-@WbWZdpt&n!tL?sh?e~p>YW;fCwUd1r)|9$Q{0lT|p;#moI)#RuQnJ15k&~Yx zz0y;*+ec>meL}>i@l!Du(Cq4R^jWs?%{p0Gb?I6Hh~!+?v$Gp4C&gFmg;Yn(F)}dv zUbFq%KfC7IT7LrY#JW|AGJ4z1=u3~j(~k3IR%eH7{^t&dF8I~49Cdy9q-91K_cr)& z^+uiuZYuASA%Rf5IrE^(yxUg*Hb4|Mc~|-*ggL(EENyE7K7DARMLnAqjK% zQ=YpbSCQ_T&D;a2uTlC+jY@bWC6Kf0DAEov*HtFJx27nt9hWljm6(flf#|aPpu1(2 zMtXs*`~kB)pw8n#TZ7L4|5&3=FjTu-hsS1`L6tE9hfY@lV@GXS4+-zhJFKj1EZT{? z9I?HliSFb*KkZ*t-=-IAcTR;c?O&`36V&2|7VYVhn%`}5A=mSTS(qGBsP@)rH*3gj z21q;iSV-3ewy7(OM*4l9Z*%E@%W!9B-DGCfv1C8~-4aCgwUs@Yvt!{qIc=n9WM zmw-Vqin%N~43yKA{mK9B!0bGXL=_WOp}|eM5-3FAd#65dTr|A)p#S*}xGPvhly*cW zPamoz^)u;N>ato9(S-0NcMk+b8a zwxG+Ch=bX3k!3EIXs2T+w@p&HRPeavn&h+<&d4q444wFZn86FnQh8?+btOUGQaj%~ z?Ov%xkIe1k1rDu<|0+TGIQ{Y$I`wwHA%v*}Hy~y~AKl_N0X>E2vTIx1%j=W{&DVf< zyvKSybb|zSa$2R?gL1mqCqU|YrQrk&nG~mTU}e6meD~->ECYyQ^)b+hJI-Pz4%^G{ z6EkuCZa<4ukh9g^74)G_ED$=yrsgBLiOKCEC?%uTZVLOD3rgq&?%)Fh#VUe%kW=bD zj}33$y2qcH(E8~QofMUBlOp{mH}U`E&O_f%a`+--CC|HWzkc%M3O)(ID}A%%fiK~+ z;`&*O9|~BXT#AVC<*0HykvSu0!+^X-ftoaPi`>CD!S7WNTp7=Le0gak=n0?NZPT3z zSI0t=ro>P*@l`IBlty`eiv|`5mU>+*OO1}cBOy-Gko`yqNFi0N zwA+{Nl5oz{l{r0?G+-M> z4)p5&Z1HZv#oTk1-tm)hr;6U-iE$;Hx8=C3nUQcWB)*sN{xqIX=J=(_?9FnEmlTot zV$6e!lmM#O7K2%3k4~m5bL?mAo#A{?DqshHA!~jU>B^m)FGpEMdY~P(L zCvvEhWbQwzsKt1dhBz5cpRR^DI(9|S zzJGOmKcv6Oz~?Y#>)Bdwe~^U=$7;#v^aqdVpzp4%)Q3cQLwt_kEybHx{9bDhOh#~$ z#Ja^AbZ!IL^*%3Lg>sTH4}+}md4rwVibaAQ6O84QSSRAHN&#q-jvrLaWrw_}?T}l% zH@<-e2$V=viJHcVha<0JjcS8kom110MR7I;qfeqqN+n#NPw7ITl^;^lEBYx^c)RP{ zi$XX@KGB}GIKZ6Xl)rxzkfDr&}1@x3Ef zzh=E*m%wR#Xn&`Q`9d9As~gK{e_*Zg(UHiZi%3%K+YA84K}z}4x1aqy^RmQ3+c6Uaz1>Ak^LP&4J$H+scS z_>s`nOQ$LgT-4#mL-^&=NJ`6b(?2+DJ*|=G@fsJW#>^|c4KiAl&a#riA*k!5Ka+iV zN|44G!tS08mBSV|PwjVT&>!lZ8w$3kE(~Cjr0U#{xpzqbVbRbrk@`K~9lk=gQUcPa zJqOjyVM?l$>BVNiA?Fq2_Tw4-CaPTgL{6&BYl8iBy$nv~P}Df$w+mAl0SC2xfAtFc zorJJ}QYt-M&Y%n zI_G6Jn>`iTjhv*@Onb}}?%yACn_+K;q3c|H zRUgFH2n}IeGFz^{0TuaRh9D--b zcMs&BsIGW2`AWzxuaTWZCV-d0eRiShKpg!rwqE zZX;skbbVq(D<+aK#B!0yodbJkwMS;k7&Z?#h4`PoBv`}4O)zIQMq)n$pv4y=n)FIJ z8p`e_KRVGP+Qaf7Ipf_AWy$Q!__P_Q?Ch%Q4SWn487}bcGB%gTIocT`2q!z^!8b+$)$_QYc`-HJTwqFG-OHE;!B<(l*%!@K_1P~Lh|^1u zM-0U2(y!5Im3MPHH@nY#hI0Dr3C`%TFtA;esdQV?(K;?O|4Bp3w{kqqpmpo#4#mt_ z0o!dRp!`xZn`nkd&oFuA)^86JsexN0OFtdH+2oc;A6@@^83{b2)Z5Aa01tzg{Pjnr z`xond{QFW(P0q0i?S+9R|K;p0^b;_?%c+cJ0w6o);d*lI?M$Iz9lqm2*vy-!r5+%N z=IrLBdp10;H~ts53(M=&7}vK?vyBWa7UYkFwcwzf+NRJzhewkIo%v)Z<(Z8;?M+y?r?WJFEEA=*d4K0 z{tcAXe&>3Vq!^3VOGV4LL?0;y=R6TB*I2mG0n^7$DI4R^_DJ`^y6aYJ`@{G?L;9D- z%ym!6t&WHLOc2WDdF$!PHeD~{NU+edGm(+UMMqaqapavd@iXERr7$W_P)*~{7fEob z%nRWhr4+5VbC*#Pln)ZPvndQVT}d880#Yr;zmS43gz&+PT>PHa&FwexsrEb(FS2RB z15hmoLjtV`oy)&Gs-(|R0yq(I6h($rW5KUl7`Hl3nv<_i7QL(FmNQ&v{ByiEr_^JjF<$g`);Qq+~WRm$}KSWU?(_i0AW zV+FTckNTsOqAk_T%xfamI~`{W>j(+yw2@wkQjE9?P2G1J*QIyiw-rAscXD^gz1l*_ z67asxO=V@Mv{m%ig|7MqtFfP|9e$~NaQ@l> z^BN~18WZ1rOt84p5AXS_TDcjumVgx+eb&;zcv&hMcx2*&7PijPv+{fqk)#k zKM}O323HM?#G7a>EgSMQKn5Rm3ssQ1v%|u|?r^EFEx1rV8XGnx;w;>UCw~)d+QySjqE*eDVR!1?m3|8)6bBd?_4NyFFeHvoV&qKbPTjTg@lQ8 zzO|Z?Zdfu7nIwm>iH8E;L~pkX`w^7xYyRxLnHupH$7HD$p5iRCro=E-IlT zn3`MObgA9qZ}_Y8i`!xEZXTwBHd7-52cbloT~o3{ z?)ZBKW{ulm8Glg!Q#e)=xrMV;0=DMw_S2_f@}M|>6jcLd4Fc(nO!G( z-u@y#3jSyrAbzW3lTN8QbxF=twl21uIOw^7JPT4hdB-kHY?dSs`T?UaggLQI%3y_ks(&SJv>YOKtW+E)!LSnXnV0W*n=rm%_L7@?XAHA)V`Id7FEc~4tF6_%$k|DU^@8iT#aEf zc_3tJN+lA^zBMIT=`bdnj;xUvcakf~PZ}7vBIe?sH}{h}6DLz`F{`D)dJ;)5+z-c6 z%fTIwjw7kWU)zxf&04ncJv?OsVRmY#LUq$)eGjja zoL<(aOXxy%{=i^Xjf89QriE4y2>@^$P96>63D}Mf@H3Bu%p)PKwcZZ9eis`J(1Jj``dk#Uld8{iRUY$ppfi+})0r_~0$Z)0*6)xn#$GJ!~IDO>JC7 zX@R4k7uGDMlOf&ZE*zDGLd0`UiD_wGsSrJC9bLAXV~8jE^HxZr+|g*dOFNt3$!e6^ z5mB|de%>ud(P8Q?yWA%w6_wKs+L#5igXSH+-Lo@sTOEZb`n1gibnT%;o zC+o%)=*%R);*i&c)&;w_hMj4VJ_m`D+&1k@0Kk<4#wX8jC$nW>dc&fRkD&!bcZ#BR zX8V~<32y6lf?ffY6rTje{{qLoMiZ}rg+`*91r#-i7U`?+J~zATq{Fgd5TjotW@l$l zjz|oWVykEktK?XESJ?mylE$*g{=D!~3$FEz4mv_+1xprah<~d!``zz=CCSbmSP%uUeGgw5T@$tax`v`j&q>_&;0BqQCwI^;3~< zWhr|hwGareN1~gAE*8K2^`}iFifB|y-<_j1%FoA_6B@_DJ`ytBzhdP3!>Io{_u^(S z45S$oz}<;U;b8sjbl#XzejjWBxzpt=cvUDHvhBOQZRN#;mLq1G#`POF96FJ)^p&kW z^E36+wLS6qHcx6`8n4mdLE@y4u*aVU?EiYDnP4|A52T0l7Mz&)`J!q?^s}vv3~Pv= zTByZmlDX;v;OA$o_|K$-V*?bPU+v4bxBCxtuAEJZ8Gl94 zlQHHP#{H`v%zq8!PfVZ(?Yo}zj~DT~o3l=Lcg*IDt}a=mC>bhVFL$9GduOQf%LC!o zhJu1dlb(RA@q4sc!@imb#=nwOp+Eka_O%$u^YSR9@=FX%C!+^x>1ys*&~Mm3?iye3 zNjm(JMre|&cHRr986cByz5XwE{;?Pd5N?%<41}x=|0=#EUIKeGY2N>v;g8eyFMsfV z9w{yZgEpH>;Z=+Lmkr^c^WcBC{4z%Tsup7`hs^c%-|d-dcYOcv_GJBMu*sJbY=1c6U(bqv=E>J&@>hB?$-Jz4xc_cX^M3}*x}Rh9 zZ~DZSMe0>oGK+`#Z^nPO=k#ajV9h7R7XP=K{-$vB=eK6@uL4-juBS5%{`~I0Zz+<1 z4t6>>vi>gxzW=Mz_it||0k07(CXb2)`v30izxDagBNbwxgDsLEw)$5K@XrPQpDnpi zaXPbllYi;Tug#=u1g=clS2$^ZU1bBpu&p%Y=9QIdF;tdR|BcYwUr#!eBif-aBg)^6 zOZ@k#l#Avo8Haweqx#MXb@cBx{1}D(Ue#x8NcGo$_-`72;UPd50Nxl=AHu)6TE8ZYW1fWhC@^8TA?#fI^t^8Xw8FHZRX6Hj)$ybju8u)jHcdH)Lf Ok`R# Date: Fri, 18 Nov 2016 21:51:49 -0800 Subject: [PATCH 38/63] Add directions for using Azure Container Registry. --- docs/user-guide/images.md | 20 ++++++++++++++++++++ 1 file changed, 20 insertions(+) diff --git a/docs/user-guide/images.md b/docs/user-guide/images.md index 582961593f..932bac57d4 100644 --- a/docs/user-guide/images.md +++ b/docs/user-guide/images.md @@ -39,6 +39,7 @@ Credentials can be provided in several ways: - Using AWS EC2 Container Registry (ECR) - use IAM roles and policies to control access to ECR repositories - automatically refreshes ECR login credentials + - Using Azure Container Registry (ACR) - Configuring Nodes to Authenticate to a Private Registry - all pods can read any configured private registries - requires node configuration by cluster administrator @@ -100,6 +101,25 @@ Troubleshooting: - `plugins.go:56] Registering credential provider: aws-ecr-key` - `provider.go:91] Refreshing cache for provider: *aws_credentials.ecrProvider` +### Using Azure Container Registry (ACR) +When using [Azure Container Registry](https://azure.microsoft.com/en-us/services/container-registry/) +you can authenticate using either an admin user or a service principal. +In either case, authentication is done via standard Docker authentication. These instructions assume the +[azure-cli](https://github.com/azure/azure-cli) command line tool. + +You first need to create a registry and generate credentials, complete documentation for this can be found in +the [Azure container registry documentation](https://docs.microsoft.com/en-us/azure/container-registry/container-registry-get-started-azure-cli). + +Once you have created your container registry, you will use the following credentials to login: + * `DOCKER_USER` : service principal, or admin username + * `DOCKER_PASSWORD`: service principal password, or admin user password + * `DOCKER_REGISTRY_SERVER`: `${some-registry-name}.azurecr.io` + * `DOCKER_EMAIL`: `${some-email-address}` + +Once you have those variables filled in you can [configure a Kubernetes Secret and use it to deploy a Pod] +(http://kubernetes.io/docs/user-guide/images/#specifying-imagepullsecrets-on-a-pod). + + ### Configuring Nodes to Authenticate to a Private Repository **Note:** if you are running on Google Container Engine (GKE), there will already be a `.dockercfg` on each node From 27d614a4f59980bd05c40a20533375534b8308e6 Mon Sep 17 00:00:00 2001 From: Gurucharan Shetty Date: Thu, 15 Dec 2016 23:17:20 -0800 Subject: [PATCH 39/63] networking.md: Add OVN as a networking plugin option. OVN is an opensource network virtualization solution developed by the Open vSwitch community. It lets one create logical switches, logical routers, stateful ACLs, load-balancers etc to build different virtual networking topologies. The project has a specific Kubernetes plugin and documentation at https://github.com/openvswitch/ovn-kubernetes. --- docs/admin/networking.md | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/docs/admin/networking.md b/docs/admin/networking.md index 903bac24f8..e5cf737088 100644 --- a/docs/admin/networking.md +++ b/docs/admin/networking.md @@ -181,6 +181,14 @@ The Nuage platform uses overlays to provide seamless policy-based networking bet complicated way to build an overlay network. This is endorsed by several of the "Big Shops" for networking. +### OVN (Open Virtual Networking) + +OVN is an opensource network virtualization solution developed by the +Open vSwitch community. It lets one create logical switches, logical routers, +stateful ACLs, load-balancers etc to build different virtual networking +topologies. The project has a specific Kubernetes plugin and documentation +at [ovn-kubernetes](https://github.com/openvswitch/ovn-kubernetes). + ### Project Calico [Project Calico](http://docs.projectcalico.org/) is an open source container networking provider and network policy engine. From 4b748573109071bf50e89244279e7ec78e0072fa Mon Sep 17 00:00:00 2001 From: "xialong.lee" Date: Fri, 16 Dec 2016 14:38:24 +0800 Subject: [PATCH 40/63] make the docs content escaped from liquid template brace tag --- docs/user-guide/kubectl/kubectl_get.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/user-guide/kubectl/kubectl_get.md b/docs/user-guide/kubectl/kubectl_get.md index a0d5bd83de..a3915eccb5 100644 --- a/docs/user-guide/kubectl/kubectl_get.md +++ b/docs/user-guide/kubectl/kubectl_get.md @@ -50,7 +50,7 @@ kubectl get [(-o|--output=)json|yaml|wide|custom-columns=...|custom-columns-file ### Examples -``` +```{% raw %} # List all pods in ps output format. kubectl get pods @@ -74,7 +74,7 @@ kubectl get [(-o|--output=)json|yaml|wide|custom-columns=...|custom-columns-file # List one or more resources by their type and names. kubectl get rc/web service/frontend pods/web-pod-13je7 -``` +{% endraw %}``` ### Options From 09e40e26b33370226254f1058921beca47d82104 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Lucas=20K=C3=A4ldstr=C3=B6m?= Date: Fri, 16 Dec 2016 16:29:28 +0200 Subject: [PATCH 41/63] Update the kubeadm documentation to v1.5 --- docs/admin/kubeadm.md | 97 +++++++++++------- docs/getting-started-guides/kubeadm.md | 133 +++++++++++++++---------- 2 files changed, 143 insertions(+), 87 deletions(-) diff --git a/docs/admin/kubeadm.md b/docs/admin/kubeadm.md index bc64c5de84..91eecc57b3 100644 --- a/docs/admin/kubeadm.md +++ b/docs/admin/kubeadm.md @@ -141,10 +141,10 @@ By default, `kubeadm init` automatically generates the token used to initialise each new node. If you would like to manually specify this token, you can use the `--token` flag. The token must be of the format `<6 character string>.<16 character string>`. -- `--use-kubernetes-version` (default 'v1.4.4') the kubernetes version to initialise +- `--use-kubernetes-version` (default 'v1.5.1') the kubernetes version to initialise `kubeadm` was originally built for Kubernetes version **v1.4.0**, older versions are not -supported. With this flag you can try any future version, e.g. **v1.5.0-beta.1** +supported. With this flag you can try any future version, e.g. **v1.6.0-beta.1** whenever it comes out (check [releases page](https://github.com/kubernetes/kubernetes/releases) for a full list of available versions). @@ -168,6 +168,59 @@ necessary. By default, when `kubeadm init` runs, a token is generated and revealed in the output. That's the token you should use here. + +## Using kubeadm with a configuration file + +WARNING: kubeadm is in alpha and the configuration API syntax will likely change before GA. + +It's possible to configure kubeadm with a configuration file instead of command line flags, and some more advanced features may only be +available as configuration file options. + +### Sample Master Configuration + + ```yaml + apiVersion: kubeadm.k8s.io/v1alpha1 + kind: MasterConfiguration + api: + advertiseAddresses: + - + - + bindPort: + externalDNSNames: + - + - + cloudProvider: + discovery: + bindPort: + etcd: + endpoints: + - + - + caFile: + certFile: + keyFile: + kubernetesVersion: + networking: + dnsDomain: + serviceSubnet: + podSubnet: + secrets: + givenToken: + ``` + +### Sample Node Configuration + + ```yaml + apiVersion: kubeadm.k8s.io/v1alpha1 + kind: NodeConfiguration + apiPort: + discoveryPort: + masterAddresses: + - + secrets: + givenToken: + ``` + ## Automating kubeadm Rather than copying the token you obtained from `kubeadm init` to each node, as @@ -175,13 +228,12 @@ in the basic `kubeadm` tutorials, you can parallelize the token distribution for easier automation. To implement this automation, you must know the IP address that the master will have after it is started. -1. Generate a token. This token must have the form `<6 character string>.<16 -character string>` +1. Generate a token. This token must have the form `<6 character string>.<16 character string>`. - Here is a simple python one-liner for this: + Kubeadm can pre-generate a token for you: - ``` - python -c 'import random; print "%0x.%0x" % (random.SystemRandom().getrandbits(3*8), random.SystemRandom().getrandbits(8*8))' + ```console + $ kubeadm token generate ``` 1. Start both the master node and the worker nodes concurrently with this token. As they come up they should find each other and form the cluster. @@ -191,6 +243,7 @@ Once the cluster is up, you can grab the admin credentials from the master node ## Environment variables There are some environment variables that modify the way that `kubeadm` works. Most users will have no need to set these. +These enviroment variables are a short-term solution, eventually they will be integrated in the kubeadm configuration file. | Variable | Default | Description | | --- | --- | --- | @@ -200,36 +253,10 @@ There are some environment variables that modify the way that `kubeadm` works. | `KUBE_HYPERKUBE_IMAGE` | `` | If set, use a single hyperkube image with this name. If not set, individual images per server component will be used. | | `KUBE_DISCOVERY_IMAGE` | `gcr.io/google_containers/kube-discovery-:1.0` | The bootstrap discovery helper image to use. | | `KUBE_ETCD_IMAGE` | `gcr.io/google_containers/etcd-:2.2.5` | The etcd container image to use. | -| `KUBE_COMPONENT_LOGLEVEL` | `--v=4` | Logging configuration for all Kubernetes components | - +| `KUBE_REPO_PREFIX` | `gcr.io/google_containers` | The image prefix for all images that are used. | ## Releases and release notes If you already have kubeadm installed and want to upgrade, run `apt-get update && apt-get upgrade` or `yum update` to get the latest version of kubeadm. - - Second release between v1.4 and v1.5: `v1.5.0-alpha.2.421+a6bea3d79b8bba` - - Switch to the 10.96.0.0/12 subnet: [#35290](https://github.com/kubernetes/kubernetes/pull/35290) - - Fix kubeadm on AWS by including /etc/ssl/certs in the controller-manager [#33681](https://github.com/kubernetes/kubernetes/pull/33681) - - The API was refactored and is now componentconfig: [#33728](https://github.com/kubernetes/kubernetes/pull/33728), [#34147](https://github.com/kubernetes/kubernetes/pull/34147) and [#34555](https://github.com/kubernetes/kubernetes/pull/34555) - - Allow kubeadm to get config options from a file: [#34501](https://github.com/kubernetes/kubernetes/pull/34501), [#34885](https://github.com/kubernetes/kubernetes/pull/34885) and [#34891](https://github.com/kubernetes/kubernetes/pull/34891) - - Implement preflight checks: [#34341](https://github.com/kubernetes/kubernetes/pull/34341) and [#35843](https://github.com/kubernetes/kubernetes/pull/35843) - - Using kubernetes v1.4.4 by default: [#34419](https://github.com/kubernetes/kubernetes/pull/34419) and [#35270](https://github.com/kubernetes/kubernetes/pull/35270) - - Make api and discovery ports configurable and default to 6443: [#34719](https://github.com/kubernetes/kubernetes/pull/34719) - - Implement kubeadm reset: [#34807](https://github.com/kubernetes/kubernetes/pull/34807) - - Make kubeadm poll/wait for endpoints instead of directly fail when the master isn't available [#34703](https://github.com/kubernetes/kubernetes/pull/34703) and [#34718](https://github.com/kubernetes/kubernetes/pull/34718) - - Allow empty directories in the directory preflight check: [#35632](https://github.com/kubernetes/kubernetes/pull/35632) - - Started adding unit tests: [#35231](https://github.com/kubernetes/kubernetes/pull/35231), [#35326](https://github.com/kubernetes/kubernetes/pull/35326) and [#35332](https://github.com/kubernetes/kubernetes/pull/35332) - - Various enhancements: [#35075](https://github.com/kubernetes/kubernetes/pull/35075), [#35111](https://github.com/kubernetes/kubernetes/pull/35111), [#35119](https://github.com/kubernetes/kubernetes/pull/35119), [#35124](https://github.com/kubernetes/kubernetes/pull/35124), [#35265](https://github.com/kubernetes/kubernetes/pull/35265) and [#35777](https://github.com/kubernetes/kubernetes/pull/35777) - - Bug fixes: [#34352](https://github.com/kubernetes/kubernetes/pull/34352), [#34558](https://github.com/kubernetes/kubernetes/pull/34558), [#34573](https://github.com/kubernetes/kubernetes/pull/34573), [#34834](https://github.com/kubernetes/kubernetes/pull/34834), [#34607](https://github.com/kubernetes/kubernetes/pull/34607), [#34907](https://github.com/kubernetes/kubernetes/pull/34907) and [#35796](https://github.com/kubernetes/kubernetes/pull/35796) - - Initial v1.4 release: `v1.5.0-alpha.0.1534+cf7301f16c0363` - - -## Troubleshooting - -* Some users on RHEL/CentOS 7 have reported issues with traffic being routed incorrectly due to iptables being bypassed. You should ensure `net.bridge.bridge-nf-call-iptables` is set to 1 in your sysctl config, eg. - -``` -# cat /etc/sysctl.d/k8s.conf -net.bridge.bridge-nf-call-ip6tables = 1 -net.bridge.bridge-nf-call-iptables = 1 -``` +Refer to the [CHANGELOG.md](https://github.com/kubernetes/kubeadm/blob/master/CHANGELOG.md) for more information. diff --git a/docs/getting-started-guides/kubeadm.md b/docs/getting-started-guides/kubeadm.md index a122180b23..fa2ad56dd9 100644 --- a/docs/getting-started-guides/kubeadm.md +++ b/docs/getting-started-guides/kubeadm.md @@ -14,7 +14,7 @@ li>.highlighter-rouge {position:relative; top:3px;} ## Overview This quickstart shows you how to easily install a secure Kubernetes cluster on machines running Ubuntu 16.04, CentOS 7 or HypriotOS v1.0.1+. -The installation uses a tool called `kubeadm` which is part of Kubernetes 1.4. +The installation uses a tool called `kubeadm` which is part of Kubernetes. This process works with local VMs, physical servers and/or cloud servers. It is simple enough that you can easily integrate its use into your own automation (Terraform, Chef, Puppet, etc). @@ -38,7 +38,7 @@ If you are not constrained, other tools build on kubeadm to give you complete cl ## Prerequisites -1. One or more machines running Ubuntu 16.04, CentOS 7 or HypriotOS v1.0.1+ +1. One or more machines running Ubuntu 16.04+, CentOS 7 or HypriotOS v1.0.1+ 1. 1GB or more of RAM per machine (any less will leave little room for your apps) 1. Full network connectivity between all machines in the cluster (public or private network is fine) @@ -62,12 +62,12 @@ You will install the following packages on all the machines: * `kubeadm`: the command to bootstrap the cluster. NOTE: If you already have kubeadm installed, you should do a `apt-get update && apt-get upgrade` or `yum update` to get the latest version of kubeadm. -See the reference doc if you want to read about the different [kubeadm releases](/docs/admin/kubeadm) +See the reference doc if you want to read about the different [kubeadm releases](https://github.com/kubernetes/kubeadm/blob/master/CHANGELOG.md) For each host in turn: * SSH into the machine and become `root` if you are not already (for example, run `sudo su -`). -* If the machine is running Ubuntu 16.04 or HypriotOS v1.0.1, run: +* If the machine is running Ubuntu or HypriotOS, run: # curl -s https://packages.cloud.google.com/apt/doc/apt-key.gpg | apt-key add - # cat < /etc/apt/sources.list.d/kubernetes.list @@ -78,7 +78,7 @@ For each host in turn: # apt-get install -y docker.io # apt-get install -y kubelet kubeadm kubectl kubernetes-cni - If the machine is running CentOS 7, run: + If the machine is running CentOS, run: # cat < /etc/yum.repos.d/kubernetes.repo [kubernetes] @@ -124,24 +124,36 @@ This may take several minutes. The output should look like: - generated token: "f0c861.753c505740ecde4c" - created keys and certificates in "/etc/kubernetes/pki" - created "/etc/kubernetes/kubelet.conf" - created "/etc/kubernetes/admin.conf" - created API client configuration - created API client, waiting for the control plane to become ready - all control plane components are healthy after 61.346626 seconds - waiting for at least one node to register and become ready - first node is ready after 4.506807 seconds - created essential addon: kube-discovery - created essential addon: kube-proxy - created essential addon: kube-dns + [kubeadm] WARNING: kubeadm is in alpha, please do not use it for production clusters. + [preflight] Running pre-flight checks + [init] Using Kubernetes version: v1.5.1 + [tokens] Generated token: "064158.548b9ddb1d3fad3e" + [certificates] Generated Certificate Authority key and certificate. + [certificates] Generated API Server key and certificate + [certificates] Generated Service Account signing keys + [certificates] Created keys and certificates in "/etc/kubernetes/pki" + [kubeconfig] Wrote KubeConfig file to disk: "/etc/kubernetes/kubelet.conf" + [kubeconfig] Wrote KubeConfig file to disk: "/etc/kubernetes/admin.conf" + [apiclient] Created API client, waiting for the control plane to become ready + [apiclient] All control plane components are healthy after 61.317580 seconds + [apiclient] Waiting for at least one node to register and become ready + [apiclient] First node is ready after 6.556101 seconds + [apiclient] Creating a test deployment + [apiclient] Test deployment succeeded + [token-discovery] Created the kube-discovery deployment, waiting for it to become ready + [token-discovery] kube-discovery is ready after 6.020980 seconds + [addons] Created essential addon: kube-proxy + [addons] Created essential addon: kube-dns - Kubernetes master initialised successfully! + Your Kubernetes master has initialized successfully! - You can connect any number of nodes by running: + You should now deploy a pod network to the cluster. + Run "kubectl apply -f [podnetwork].yaml" with one of the options listed at: + http://kubernetes.io/docs/admin/addons/ - kubeadm join --token + You can now join any number of machines by running the following on each node: + + kubeadm join --token= Make a record of the `kubeadm join` command that `kubeadm init` outputs. You will need this in a moment. @@ -161,9 +173,9 @@ This will remove the "dedicated" taint from any nodes that have it, including th ### (3/4) Installing a pod network -You must install a pod network add-on so that your pods can communicate with each other. +You must install a pod network add-on so that your pods can communicate with each other. - **It is necessary to do this before you try to deploy any applications to your cluster, and before `kube-dns` will start up. Note also that `kubeadm` only supports CNI based networks and therefore kubenet based networks will not work.** +**It is necessary to do this before you try to deploy any applications to your cluster, and before `kube-dns` will start up. Note also that `kubeadm` only supports CNI based networks and therefore kubenet based networks will not work.** Several projects provide Kubernetes pod networks using CNI, some of which also support [Network Policy](/docs/user-guide/networkpolicies/). See the [add-ons page](/docs/admin/addons/) for a complete list of available network add-ons. @@ -189,13 +201,22 @@ If you want to add any new machines as nodes to your cluster, for each machine: For example: # kubeadm join --token - validating provided token - created cluster info discovery client, requesting info from "http://138.68.156.129:9898/cluster-info/v1/?token-id=0f8588" - cluster info object received, verifying signature using given token - cluster info signature and contents are valid, will use API endpoints [https://138.68.156.129:443] - created API client to obtain unique certificate for this node, generating keys and certificate signing request - received signed certificate from the API server, generating kubelet configuration - created "/etc/kubernetes/kubelet.conf" + [kubeadm] WARNING: kubeadm is in alpha, please do not use it for production clusters. + [preflight] Running pre-flight checks + [preflight] Starting the kubelet service + [tokens] Validating provided token + [discovery] Created cluster info discovery client, requesting info from "http://192.168.x.y:9898/cluster-info/v1/?token-id=f11877" + [discovery] Cluster info object received, verifying signature using given token + [discovery] Cluster info signature and contents are valid, will use API endpoints [https://192.168.x.y:6443] + [bootstrap] Trying to connect to endpoint https://192.168.x.y:6443 + [bootstrap] Detected server version: v1.5.1 + [bootstrap] Successfully established connection with endpoint "https://192.168.x.y:6443" + [csr] Created API client to obtain unique certificate for this node, generating keys and certificate signing request + [csr] Received signed certificate from the API server: + Issuer: CN=kubernetes | Subject: CN=system:node:yournode | CA: false + Not before: 2016-12-15 19:44:00 +0000 UTC Not After: 2017-12-15 19:44:00 +0000 UTC + [csr] Generating kubelet configuration + [kubeconfig] Wrote KubeConfig file to disk: "/etc/kubernetes/kubelet.conf" Node join complete: * Certificate signing request sent to master and response @@ -206,8 +227,6 @@ For example: A few seconds later, you should notice that running `kubectl get nodes` on the master shows a cluster with as many machines as you created. -Note that there currently isn't a out-of-the-box way of connecting to the Master's API Server via `kubectl` from a node. Read issue [#35729](https://github.com/kubernetes/kubernetes/issues/35729) for more details. - ### (Optional) Controlling your cluster from machines other than the master In order to get a kubectl on your laptop for example to talk to your cluster, you need to copy the `KubeConfig` file from your master to your laptop like this: @@ -217,7 +236,7 @@ In order to get a kubectl on your laptop for example to talk to your cluster, yo ### (Optional) Connecting to the API Server -If you want to connect to the API Server for viewing the dashboard (note: not deployed by default) from outside the cluster for example, you can use `kubectl proxy`: +If you want to connect to the API Server for viewing the dashboard (note: the dashboard isn't deployed by default) from outside the cluster for example, you can use `kubectl proxy`: # scp root@:/etc/kubernetes/admin.conf . # kubectl --kubeconfig ./admin.conf proxy @@ -277,7 +296,7 @@ See the [list of add-ons](/docs/admin/addons/) to explore other add-ons, includi * Slack Channel: [#sig-cluster-lifecycle](https://kubernetes.slack.com/messages/sig-cluster-lifecycle/) * Mailing List: [kubernetes-sig-cluster-lifecycle](https://groups.google.com/forum/#!forum/kubernetes-sig-cluster-lifecycle) -* [GitHub Issues](https://github.com/kubernetes/kubernetes/issues): please tag `kubeadm` issues with `@kubernetes/sig-cluster-lifecycle` +* [GitHub Issues in the kubeadm repository](https://github.com/kubernetes/kubeadm/issues) ## kubeadm is multi-platform @@ -285,11 +304,7 @@ kubeadm deb packages and binaries are built for amd64, arm and arm64, following deb-packages are released for ARM and ARM 64-bit, but not RPMs (yet, reach out if there's interest). -ARM had some issues when making v1.4, see [#32517](https://github.com/kubernetes/kubernetes/pull/32517) [#33485](https://github.com/kubernetes/kubernetes/pull/33485), [#33117](https://github.com/kubernetes/kubernetes/pull/33117) and [#33376](https://github.com/kubernetes/kubernetes/pull/33376). - -However, thanks to the PRs above, `kube-apiserver` works on ARM from the `v1.4.1` release, so make sure you're at least using `v1.4.1` when running on ARM 32-bit - -The multiarch flannel daemonset can be installed this way. +Currently, only the pod network flannel is working on multiple architectures. You can install it this way: # export ARCH=amd64 # curl -sSL "https://github.com/coreos/flannel/blob/master/Documentation/kube-flannel.yml?raw=true" | sed "s/amd64/${ARCH}/g" | kubectl create -f - @@ -297,33 +312,47 @@ The multiarch flannel daemonset can be installed this way. Replace `ARCH=amd64` with `ARCH=arm` or `ARCH=arm64` depending on the platform you're running on. Note that the Raspberry Pi 3 is in ARM 32-bit mode, so for RPi 3 you should set `ARCH` to `arm`, not `arm64`. +## Cloudprovider integrations (experimental) + +Enabling specific cloud providers is a common request, this currently requires manual configuration and is therefore not yet supported. If you wish to do so, +edit the `kubeadm` dropin for the `kubelet` service (`/etc/systemd/system/kubelet.service.d/10-kubeadm.conf`) on all nodes, including the master. +If your cloud provider requires any extra packages installed on host, for example for volume mounting/unmounting, install those packages. + +Specify the `--cloud-provider` flag to kubelet and set it to the cloud of your choice. If your cloudprovider requires a configuration +file, create the file `/etc/kubernetes/cloud-config` on every node and set the values your cloud requires. Also append +`--cloud-config=/etc/kubernetes/cloud-config` to the kubelet arguments. + +Lastly, run `kubeadm init --cloud-provider=xxx` to bootstrap your cluster with cloud provider features. + +This workflow is not yet fully supported, however we hope to make it extremely easy to spin up clusters with cloud providers in the future. +(See [this proposal](https://github.com/kubernetes/community/pull/128) for more information) The [Kubelet Dynamic Settings](https://github.com/kubernetes/kubernetes/pull/29459) feature may also help to fully automate this process in the future. + ## Limitations Please note: `kubeadm` is a work in progress and these limitations will be addressed in due course. -Also you can take a look at the troubleshooting section in the [reference document](/docs/admin/kubeadm/#troubleshooting) - -1. The cluster created here doesn't have cloud-provider integrations by default, so for example it doesn't work automatically with (for example) [Load Balancers](/docs/user-guide/load-balancer/) (LBs) or [Persistent Volumes](/docs/user-guide/persistent-volumes/walkthrough/) (PVs). - To set up kubeadm with CloudProvider integrations (it's experimental, but try), refer to the [kubeadm reference](/docs/admin/kubeadm/) document. - - Workaround: use the [NodePort feature of services](/docs/user-guide/services/#type-nodeport) for exposing applications to the internet. + 1. The cluster created here has a single master, with a single `etcd` database running on it. This means that if the master fails, your cluster loses its configuration data and will need to be recreated from scratch. Adding HA support (multiple `etcd` servers, multiple API servers, etc) to `kubeadm` is still a work-in-progress. Workaround: regularly [back up etcd](https://coreos.com/etcd/docs/latest/admin_guide.html). The `etcd` data directory configured by `kubeadm` is at `/var/lib/etcd` on the master. -1. `kubectl logs` is broken with `kubeadm` clusters due to [#22770](https://github.com/kubernetes/kubernetes/issues/22770). - - Workaround: use `docker logs` on the nodes where the containers are running as a workaround. -1. The HostPort functionality does not work with kubeadm due to that CNI networking is used, see issue [#31307](https://github.com/kubernetes/kubernetes/issues/31307). +1. The `HostPort` and `HostIP` functionality does not work with kubeadm due to that CNI networking is used, see issue [#31307](https://github.com/kubernetes/kubernetes/issues/31307). Workaround: use the [NodePort feature of services](/docs/user-guide/services/#type-nodeport) instead, or use HostNetwork. -1. A running `firewalld` service may conflict with kubeadm, so if you want to run `kubeadm`, you should disable `firewalld` until issue [#35535](https://github.com/kubernetes/kubernetes/issues/35535) is resolved. +1. Some users on RHEL/CentOS 7 have reported issues with traffic being routed incorrectly due to iptables being bypassed. You should ensure `net.bridge.bridge-nf-call-iptables` is set to 1 in your sysctl config, eg. - Workaround: Disable `firewalld` or configure it to allow Kubernetes the pod and service cidrs. -1. If you see errors like `etcd cluster unavailable or misconfigured`, it's because of high load on the machine which makes the `etcd` container a bit unresponsive (it might miss some requests) and therefore kubelet will restart it. This will get better with `etcd3`. + ```console + # cat /etc/sysctl.d/k8s.conf + net.bridge.bridge-nf-call-ip6tables = 1 + net.bridge.bridge-nf-call-iptables = 1 + ``` - Workaround: Set `failureThreshold` in `/etc/kubernetes/manifests/etcd.json` to a larger value. +1. There is no built-in way of fetching the token easily once the cluster is up and running, but here is a `kubectl` command you can copy and paste that will print out the token for you: + + ```console + # kubectl -n kube-system get secret clusterinfo -o yaml | grep token-map | awk '{print $2}' | base64 -d | sed "s|{||g;s|}||g;s|:|.|g;s/\"//g;" | xargs echo + ``` 1. If you are using VirtualBox (directly or via Vagrant), you will need to ensure that `hostname -i` returns a routable IP address (i.e. one on the second network interface, not the first one). By default, it doesn't do this and kubelet ends-up using first non-loopback network interface, which is usually NATed. From e25374f3c8e63502dff7e8c0cf8c297e3dfc92d3 Mon Sep 17 00:00:00 2001 From: joshrosso Date: Fri, 16 Dec 2016 12:52:14 -0800 Subject: [PATCH 42/63] statefulsets.md: Fix typos and make some statements more concise --- .../abstractions/controllers/statefulsets.md | 25 +++++++++---------- 1 file changed, 12 insertions(+), 13 deletions(-) diff --git a/docs/concepts/abstractions/controllers/statefulsets.md b/docs/concepts/abstractions/controllers/statefulsets.md index 01825fc257..c7acc4be02 100644 --- a/docs/concepts/abstractions/controllers/statefulsets.md +++ b/docs/concepts/abstractions/controllers/statefulsets.md @@ -31,12 +31,12 @@ following. * Ordered, graceful deployment and scaling. * Ordered, graceful deletion and termination. -In the above, stable is synonymous with persistent across Pod (re) schedulings. +In the above, stable is synonymous with persistence across Pod (re)schedulings. If an application doesn't require any stable identifiers or ordered deployment, deletion, or scaling, you should deploy your application with a controller that -provides a set of stateless replicas. Such controllers, such as +provides a set of stateless replicas. Controllers such as [Deployment](/docs/user-guide/deployments/) or -[ReplicaSet](/docs/user-guide/replicasets/) may be better suited to your needs. +[ReplicaSet](/docs/user-guide/replicasets/) may be better suited to your stateless needs. ### Limitations * StatefulSet is a beta resource, not available in any Kubernetes release prior to 1.5. @@ -51,7 +51,7 @@ The example below demonstrates the components of a StatefulSet. * A Headless Service, named nginx, is used to control the network domain. * The StatefulSet, named web, has a Spec that indicates that 3 replicas of the nginx container will be launched in unique Pods. -* The volumeClaimTemplates, will provide stable storage using [PersistentVolumes](/docs/user-guide/volumes/) provisioned by a +* The volumeClaimTemplates will provide stable storage using [PersistentVolumes](/docs/user-guide/volumes/) provisioned by a PersistentVolume Provisioner. ```yaml @@ -105,7 +105,7 @@ spec: ### Pod Identity StatefulSet Pods have a unique identity that is comprised of an ordinal, a stable network identity, and stable storage. The identity sticks to the Pod, -regardless of which node it's (re) scheduled on. +regardless of which node it's (re)scheduled on. __Ordinal Index__ @@ -140,13 +140,12 @@ Note that Cluster Domain will be set to `cluster.local` unless __Stable Storage__ -Kubernetes creates one [PersistentVolumes](/docs/user-guide/volumes/) for each -VolumeClaimTemplate, as specified in the StatefulSet's volumeClaimTemplates field -In the example above, each Pod will receive a single PersistentVolume with a storage -class of `anything` and 1 Gib of provisioned storage. When a Pod is (re) scheduled onto -a node, its `volumeMounts` mount the PersistentVolumes associated with its +Kubernetes creates one [PersistentVolume](/docs/user-guide/volumes/) for each +VolumeClaimTemplate. In the nginx example above, each Pod will receive a single PersistentVolume +with a storage class of `anything` and 1 Gib of provisioned storage. When a Pod is (re)scheduled +onto a node, its `volumeMounts` mount the PersistentVolumes associated with its PersistentVolume Claims. Note that, the PersistentVolumes associated with the -Pods' PersistentVolume Claims are not deleted when the Pods, or StatefulSet are deleted. +Pods' PersistentVolume Claims are not deleted when the Pods, or StatefulSet are deleted. This must be done manually. ### Deployment and Scaling Guarantee @@ -156,9 +155,9 @@ This must be done manually. * Before a scaling operation is applied to a Pod, all of its predecessors must be Running and Ready. * Before a Pod is terminated, all of its successors must be completely shutdown. -The StatefulSet should not specify a `pod.Spec.TerminationGracePeriodSeconds` of 0. The practice of setting a `pod.Spec.TerminationGracePeriodSeconds` of 0 seconds is unsafe and strongly discouraged. For further explanation, please refer to [force deleting StatefulSet Pods](/docs/tasks/manage-stateful-set/delete-pods/#deleting-pods). +The StatefulSet should not specify a `pod.Spec.TerminationGracePeriodSeconds` of 0. This practice is unsafe and strongly discouraged. For further explanation, please refer to [force deleting StatefulSet Pods](/docs/tasks/manage-stateful-set/delete-pods/#deleting-pods). -When the web example above is created, three Pods will be deployed in the order +When the nginx example above is created, three Pods will be deployed in the order web-0, web-1, web-2. web-1 will not be deployed before web-0 is [Running and Ready](/docs/user-guide/pod-states), and web-2 will not be deployed until web-1 is Running and Ready. If web-0 should fail, after web-1 is Running and Ready, but before From cbd92ba562e12fd5f436d7530f19911bf710590d Mon Sep 17 00:00:00 2001 From: joshrosso Date: Fri, 16 Dec 2016 14:39:12 -0800 Subject: [PATCH 43/63] services: Clearer definition of types; typo fixes This commit attempts to make more clear the differences between service types by ensuring definitions are consistent and concise. It also aims to fix a few typos and grammatical issues. --- docs/user-guide/services/index.md | 56 +++++++++++++++---------------- 1 file changed, 27 insertions(+), 29 deletions(-) diff --git a/docs/user-guide/services/index.md b/docs/user-guide/services/index.md index cad2b22328..6293627eaa 100644 --- a/docs/user-guide/services/index.md +++ b/docs/user-guide/services/index.md @@ -4,7 +4,7 @@ assignees: --- -Kubernetes [`Pods`](/docs/user-guide/pods) are mortal. They are born and they die, and they +Kubernetes [`Pods`](/docs/user-guide/pods) are mortal. They are born and when they die, they are not resurrected. [`ReplicationControllers`](/docs/user-guide/replication-controller) in particular create and destroy `Pods` dynamically (e.g. when scaling up or down or when doing [rolling updates](/docs/user-guide/kubectl/kubectl_rolling-update)). While each `Pod` gets its own IP address, even @@ -353,59 +353,57 @@ Sometimes you don't need or want load-balancing and a single service IP. In this case, you can create "headless" services by specifying `"None"` for the cluster IP (`spec.clusterIP`). -This option allows developers to reduce coupling to the Kubernetes system, if -they desire, but leaves them freedom to do discovery in their own way. -Applications can still use a self-registration pattern and adapters for other -discovery systems could easily be built upon this API. +This option allows developers to reduce coupling to the Kubernetes system by +allowing them freedom to do discovery their own way. Applications can still use +a self-registration pattern and adapters for other discovery systems could easily +be built upon this API. -For such `Services` a cluster IP is not allocated, the kube proxy does not handle +For such `Services`, a cluster IP is not allocated, kube-proxy does not handle these services, and there is no load balancing or proxying done by the platform -for them. How DNS is automatically configured depends on if the service has -selectors or not. +for them. How DNS is automatically configured depends on whether the service has +selectors defined. ### With selectors For headless services that define selectors, the endpoints controller creates `Endpoints` records in the API, and modifies the DNS configuration to return A -records (addresses) which point directly to the `Pods` backing the `Service`. +records (addresses) that point directly to the `Pods` backing the `Service`. ### Without selectors For headless services that do not define selectors, the endpoints controller does not create `Endpoints` records. However, the DNS system looks for and configures either: - - CNAME records for `ExternalName`-type services - - A records for any `Endpoints` that share a name with the service, for all + + * CNAME records for `ExternalName`-type services + * A records for any `Endpoints` that share a name with the service, for all other types ## Publishing services - service types For some parts of your application (e.g. frontends) you may want to expose a -Service onto an external (outside of your cluster, maybe public internet) IP -address, other services should be visible only from inside of the cluster. +Service onto an external (outside of your cluster) IP address. Kubernetes `ServiceTypes` allow you to specify what kind of service you want. -The default and base type is `ClusterIP`, which exposes a service to connection -from inside the cluster. `NodePort` and `LoadBalancer` are two types that expose -services to external traffic. +The default is `ClusterIP`. -Valid values for the `ServiceType` field are: +`ServiceType` values and their behaviors are: - * `ExternalName`: map the service to the contents of the `externalName` field + * `ClusterIP`: Exposes the service on a cluster-internal IP. Choosing this value + makes the service only reachable from within the cluster. This is the + default `ServiceType`. + * `NodePort`: Exposes the service on each Node's IP at a static port (the `NodePort`). + A `ClusterIP` service, to which the NodePort service will route, is automatically + created. You'll be able to contact the `NodePort` service, from outside the cluster, + by requesting `:`. + * `LoadBalancer`: Exposes the service externally using a cloud provider's load balancer. + `NodePort` and `ClusterIP` services, to which the external load balancer will route, + are automatically created. + * `ExternalName`: Maps the service to the contents of the `externalName` field (e.g. `foo.bar.example.com`), by returning a `CNAME` record with its value. No proxying of any kind is set up. This requires version 1.7 or higher of `kube-dns`. - * `ClusterIP`: use a cluster-internal IP only - this is the default and is - discussed above. Choosing this value means that you want this service to be - reachable only from inside of the cluster. - * `NodePort`: on top of having a cluster-internal IP, expose the service on a - port on each node of the cluster (the same port on each node). You'll be able - to contact the service on any `:NodePort` address. - * `LoadBalancer`: on top of having a cluster-internal IP and exposing service - on a NodePort also, ask the cloud provider for a load balancer - which forwards to the `Service` exposed as a `:NodePort` - for each Node. ### Type NodePort @@ -420,7 +418,7 @@ will fail (i.e. you need to take care about possible port collisions yourself). The value you specify must be in the configured range for node ports. This gives developers the freedom to set up their own load balancers, to -configure cloud environments that are not fully supported by Kubernetes, or +configure environments that are not fully supported by Kubernetes, or even to just expose one or more nodes' IPs directly. Note that this Service will be visible as both `:spec.ports[*].nodePort` From 030e6f230cacc47c519bcfa2c5878243cbe6473c Mon Sep 17 00:00:00 2001 From: Drinky Pool Date: Mon, 19 Dec 2016 16:57:08 +0800 Subject: [PATCH 44/63] delete the question mark 1. add "been" right before restarted. 2. delete the question mark at the end of the sentence. --- docs/user-guide/introspection-and-debugging.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/user-guide/introspection-and-debugging.md b/docs/user-guide/introspection-and-debugging.md index 78b1a44862..3bf39a32bf 100644 --- a/docs/user-guide/introspection-and-debugging.md +++ b/docs/user-guide/introspection-and-debugging.md @@ -108,7 +108,7 @@ The container state is one of Waiting, Running, or Terminated. Depending on the Ready tells you whether the container passed its last readiness probe. (In this case, the container does not have a readiness probe configured; the container is assumed to be ready if no readiness probe is configured.) -Restart Count tells you how many times the container has restarted; this information can be useful for detecting crash loops in containers that are configured with a restart policy of 'always.'? +Restart Count tells you how many times the container has been restarted; this information can be useful for detecting crash loops in containers that are configured with a restart policy of 'always.' Currently the only Condition associated with a Pod is the binary Ready condition, which indicates that the pod is able to service requests and should be added to the load balancing pools of all matching services. From d8d99a171e577b27c4fe5bcc3ee3a107dd4490ba Mon Sep 17 00:00:00 2001 From: Ben Balter Date: Mon, 19 Dec 2016 15:08:54 -0500 Subject: [PATCH 45/63] use in-page titles to generate sidebar nav --- Gemfile | 1 + Gemfile.lock | 3 + _config.yml | 13 + _data/concepts.yml | 9 +- _data/docs-home.yml | 3 +- _data/guides.yml | 372 +++++++++---------------- _data/reference.yml | 354 ++++++++--------------- _data/samples.yml | 6 +- _data/support.yml | 42 +-- _data/tasks.yml | 57 ++-- _data/tools.yml | 3 +- _data/tutorials.yml | 63 ++--- _includes/head-header.html | 1 - _includes/tocsearch.html | 16 +- _includes/tree.html | 32 ++- _layouts/docwithnav.html | 64 +++-- docs/user-guide/index.md | 4 +- docs/user-guide/kubectl/kubectl_get.md | 16 +- 18 files changed, 409 insertions(+), 650 deletions(-) diff --git a/Gemfile b/Gemfile index 0c8671cdee..3a9bc43ce1 100644 --- a/Gemfile +++ b/Gemfile @@ -1,3 +1,4 @@ source "https://rubygems.org" gem "github-pages", group: :jekyll_plugins +gem "jekyll-include-cache" diff --git a/Gemfile.lock b/Gemfile.lock index 4d72be803d..cd6d47a90f 100644 --- a/Gemfile.lock +++ b/Gemfile.lock @@ -86,6 +86,8 @@ GEM jekyll-github-metadata (2.2.0) jekyll (~> 3.1) octokit (~> 4.0, != 4.4.0) + jekyll-include-cache (0.1.0) + jekyll (~> 3.3) jekyll-mentions (1.2.0) activesupport (~> 4.0) html-pipeline (~> 2.3) @@ -159,6 +161,7 @@ PLATFORMS DEPENDENCIES github-pages + jekyll-include-cache BUNDLED WITH 1.13.6 diff --git a/_config.yml b/_config.yml index 8b131eb433..d8aab803b3 100644 --- a/_config.yml +++ b/_config.yml @@ -34,8 +34,21 @@ gems: - jekyll-feed - jekyll-sitemap - jekyll-seo-tag + - jekyll-include-cache # SEO logo: /images/favicon.png twitter: username: kubernetesio + +# Tables of contents, stored in the _data folder, that control the sidebar nav +tocs: + - docs-home + - guides + - tutorials + - tasks + - concepts + - reference + - tools + - samples + - support diff --git a/_data/concepts.yml b/_data/concepts.yml index 93c790c0ab..a9a7c3eb29 100644 --- a/_data/concepts.yml +++ b/_data/concepts.yml @@ -1,13 +1,10 @@ bigheader: "Concepts" abstract: "Detailed explanations of Kubernetes system concepts and abstractions." toc: -- title: Concepts - path: /docs/concepts/ +- docs/concepts/index.md - title: Object Metadata section: - - title: Annotations - path: /docs/concepts/object-metadata/annotations/ + - docs/concepts/object-metadata/annotations.md - title: Controllers section: - - title: StatefulSets - path: /docs/concepts/abstractions/controllers/statefulsets/ + - docs/concepts/abstractions/controllers/statefulsets.md diff --git a/_data/docs-home.yml b/_data/docs-home.yml index 1cb8c9b05a..b80c025d5e 100644 --- a/_data/docs-home.yml +++ b/_data/docs-home.yml @@ -1,5 +1,4 @@ bigheader: "Kubernetes Documentation" abstract: "Documentation for using and learning about Kubernetes." toc: -- title: Kubernetes Documentation - path: /docs/ +- docs/index.md diff --git a/_data/guides.yml b/_data/guides.yml index 583deaeedd..179be261d7 100644 --- a/_data/guides.yml +++ b/_data/guides.yml @@ -1,311 +1,187 @@ bigheader: "Guides" abstract: "How to get started, and accomplish tasks, using Kubernetes." toc: -- title: Guides - path: /docs/user-guide/ +- docs/user-guide/index.md - title: Getting Started section: - - title: What is Kubernetes? - path: /docs/whatisk8s/ - - title: Installing Kubernetes on Linux with kubeadm - path: /docs/getting-started-guides/kubeadm/ - - title: Installing Kubernetes on AWS with kops - path: /docs/getting-started-guides/kops/ - - title: Hello World on Google Container Engine - path: /docs/hellonode/ - - title: Installing kubectl - path: /docs/getting-started-guides/kubectl/ - - title: Downloading or Building Kubernetes - path: /docs/getting-started-guides/binary_release/ + - docs/whatisk8s.md + - docs/getting-started-guides/kubeadm.md + - docs/getting-started-guides/kops.md + - docs/hellonode.md + - docs/getting-started-guides/kubectl.md + - docs/getting-started-guides/binary_release.md - title: Online Training Course path: https://www.udacity.com/course/scalable-microservices-with-kubernetes--ud615 - title: Accessing the Cluster section: - - title: Installing and Setting up kubectl - path: /docs/user-guide/prereqs/ - - title: Accessing Clusters - path: /docs/user-guide/accessing-the-cluster/ - - title: Sharing Cluster Access with kubeconfig - path: /docs/user-guide/sharing-clusters/ - - title: Authenticating Across Clusters with kubeconfig - path: /docs/user-guide/kubeconfig-file/ + - docs/user-guide/prereqs.md + - docs/user-guide/accessing-the-cluster.md + - docs/user-guide/sharing-clusters.md + - docs/user-guide/kubeconfig-file.md -- title: User Guide - path: /docs/user-guide/ +- docs/user-guide/index.md -- title: Web UI (Dashboard) - path: /docs/user-guide/ui/ +- docs/user-guide/ui.md - title: Workload Deployment and Management section: - - title: Launching, Exposing, and Killing Applications - path: /docs/user-guide/quick-start/ - - title: Deploying Applications - path: /docs/user-guide/deploying-applications/ - - title: Managing Resources - path: /docs/user-guide/managing-deployments/ - - title: Replication Controller Operations - path: /docs/user-guide/replication-controller/operations/ - - title: Resizing a Replication Controller - path: /docs/user-guide/resizing-a-replication-controller/ - - title: Rolling Updates - path: /docs/user-guide/rolling-updates/ - - title: Rolling Update Demo - path: /docs/user-guide/update-demo/ - - title: Secrets Walkthrough - path: /docs/user-guide/secrets/walkthrough/ - - title: Using ConfigMap - path: /docs/user-guide/configmap/ - - title: Horizontal Pod Autoscaling - path: /docs/user-guide/horizontal-pod-autoscaling/walkthrough/ - - title: Best Practices for Configuration - path: /docs/user-guide/config-best-practices/ - - title: Using kubectl to Manage Resources - path: /docs/user-guide/working-with-resources/ - - title: Garbage Collection (Beta) - path: /docs/user-guide/garbage-collection/ + - docs/user-guide/quick-start.md + - docs/user-guide/deploying-applications.md + - docs/user-guide/managing-deployments.md + - docs/user-guide/replication-controller/operations.md + - docs/user-guide/resizing-a-replication-controller.md + - docs/user-guide/rolling-updates.md + - docs/user-guide/update-demo/index.md + - docs/user-guide/secrets/walkthrough.md + - docs/user-guide/configmap/index.md + - docs/user-guide/horizontal-pod-autoscaling/walkthrough.md + - docs/user-guide/config-best-practices.md + - docs/user-guide/working-with-resources.md + - docs/user-guide/garbage-collection.md - title: Using NetworkPolicy section: - - title: Example Walkthrough - path: /docs/getting-started-guides/network-policy/walkthrough/ - - title: Using Calico for NetworkPolicy - path: /docs/getting-started-guides/network-policy/calico/ - - title: Using Romana for NetworkPolicy - path: /docs/getting-started-guides/network-policy/romana/ + - docs/getting-started-guides/network-policy/walkthrough.md + - docs/getting-started-guides/network-policy/calico.md + - docs/getting-started-guides/network-policy/romana.md - title: Batch Jobs section: - - title: Jobs - path: /docs/user-guide/jobs/ - - title: Parallel Processing using Expansions - path: /docs/user-guide/jobs/expansions/ - - title: Coarse Parallel Processing using a Work Queue - path: /docs/user-guide/jobs/work-queue-1/ - - title: Fine Parallel Processing using a Work Queue - path: /docs/user-guide/jobs/work-queue-2/ - - title: Cron Jobs - path: /docs/user-guide/cron-jobs/ + - docs/user-guide/jobs.md + - docs/user-guide/jobs/expansions/index.md + - docs/user-guide/jobs/work-queue-1/index.md + - docs/user-guide/jobs/work-queue-2/index.md + - docs/user-guide/cron-jobs.md - title: Service Discovery and Load Balancing section: - - title: Connecting Applications with Services - path: /docs/user-guide/connecting-applications/ - - title: Service Operations - path: /docs/user-guide/services/operations/ - - title: Creating an External Load Balancer - path: /docs/user-guide/load-balancer/ - - title: Configuring Your Cloud Provider's Firewalls - path: /docs/user-guide/services-firewalls/ - - title: Cross-cluster Service Discovery using Federated Services - path: /docs/user-guide/federation/federated-services/ + - docs/user-guide/connecting-applications.md + - docs/user-guide/services/operations.md + - docs/user-guide/load-balancer.md + - docs/user-guide/services-firewalls.md + - docs/user-guide/federation/federated-services.md - title: Containers and Pods section: - - title: Running Your First Containers - path: /docs/user-guide/simple-nginx/ - - title: Creating Single-Container Pods - path: /docs/user-guide/pods/single-container/ - - title: Creating Multi-Container Pods - path: /docs/user-guide/pods/multi-container/ - - title: Configuring Containers - path: /docs/user-guide/configuring-containers/ - - title: Working with Containers in Production - path: /docs/user-guide/production-pods/ - - title: Commands and Capabilities - path: /docs/user-guide/containers/ - - title: Using Environment Variables - path: /docs/user-guide/environment-guide/ - - title: Managing Compute Resources - path: /docs/user-guide/compute-resources/ - - title: The Lifecycle of a Pod - path: /docs/user-guide/pod-states/ - - title: Checking Pod Health - path: /docs/user-guide/liveness/ - - title: Container Lifecycle Hooks - path: /docs/user-guide/container-environment/ - - title: Assigning Pods to Nodes - path: /docs/user-guide/node-selection/ - - title: Using the Downward API to Convey Pod Properties - path: /docs/user-guide/downward-api/ - - title: Downward API Volumes - path: /docs/user-guide/downward-api/volume - - title: Persistent Volumes Walkthrough - path: /docs/user-guide/persistent-volumes/walkthrough/ - - title: Bootstrapping Pet Sets - path: /docs/user-guide/petset/bootstrapping/ + - docs/user-guide/simple-nginx.md + - docs/user-guide/pods/single-container.md + - docs/user-guide/pods/multi-container.md + - docs/user-guide/configuring-containers.md + - docs/user-guide/production-pods.md + - docs/user-guide/containers.md + - docs/user-guide/environment-guide/index.md + - docs/user-guide/compute-resources.md + - docs/user-guide/pod-states.md + - docs/user-guide/liveness/index.md + - docs/user-guide/container-environment.md + - docs/user-guide/node-selection/index.md + - docs/user-guide/downward-api/index.md + - docs/user-guide/downward-api/volume/index.md + - docs/user-guide/persistent-volumes/walkthrough.md + - docs/user-guide/petset/bootstrapping/index.md - title: Monitoring, Logging, and Debugging Containers section: - - title: Resource Usage Monitoring - path: /docs/user-guide/monitoring/ - - title: Logging - path: /docs/getting-started-guides/logging/ - - title: Logging with Elasticsearch and Kibana - path: /docs/getting-started-guides/logging-elasticsearch/ - - title: Running Commands in a Container with kubectl exec - path: /docs/user-guide/getting-into-containers/ - - title: Connect with Proxies - path: /docs/user-guide/connecting-to-applications-proxy/ - - title: Connect with Port Forwarding - path: /docs/user-guide/connecting-to-applications-port-forward/ + - docs/user-guide/monitoring.md + - docs/getting-started-guides/logging.md + - docs/getting-started-guides/logging-elasticsearch.md + - docs/user-guide/getting-into-containers.md + - docs/user-guide/connecting-to-applications-proxy.md + - docs/user-guide/connecting-to-applications-port-forward.md - title: Using Explorer to Examine the Runtime Environment path: https://github.com/kubernetes/kubernetes/tree/release-1.3/examples/explorer - title: Creating a Cluster section: - - title: Picking the Right Solution - path: /docs/getting-started-guides/ + - docs/getting-started-guides/index.md - title: Running Kubernetes on Your Local Machine section: - - title: Running Kubernetes Locally via Minikube - path: /docs/getting-started-guides/minikube/ - - title: Deprecated Alternatives - path: /docs/getting-started-guides/alternatives/ + - docs/getting-started-guides/minikube.md + - docs/getting-started-guides/alternatives.md - title: Running Kubernetes on Turn-key Cloud Solutions section: - title: Running Kubernetes on Google Container Engine path: https://cloud.google.com/container-engine/docs/before-you-begin/ - - title: Running Kubernetes on Google Compute Engine - path: /docs/getting-started-guides/gce/ - - title: Running Kubernetes on AWS EC2 - path: /docs/getting-started-guides/aws/ - - title: Running Kubernetes on Azure - path: /docs/getting-started-guides/azure/ - - title: Running Kubernetes on Azure (Weave-based) - path: /docs/getting-started-guides/coreos/azure/ - - title: Running Kubernetes on CenturyLink Cloud - path: /docs/getting-started-guides/clc/ + - docs/getting-started-guides/gce.md + - docs/getting-started-guides/aws.md + - docs/getting-started-guides/azure.md + - docs/getting-started-guides/coreos/azure/index.md + - docs/getting-started-guides/clc.md - title: Running Kubernetes on IBM SoftLayer path: https://github.com/patrocinio/kubernetes-softlayer - title: Running Kubernetes on Custom Solutions section: - - title: Creating a Custom Cluster from Scratch - path: /docs/getting-started-guides/scratch/ + - docs/getting-started-guides/scratch.md - title: Custom Cloud Solutions section: - - title: CoreOS on AWS or GCE - path: /docs/getting-started-guides/coreos/ - - title: Ubuntu on AWS or Joyent - path: /docs/getting-started-guides/juju/ - - title: CoreOS on Rackspace - path: /docs/getting-started-guides/rackspace/ + - docs/getting-started-guides/coreos/index.md + - /docs/getting-started-guides/juju/ + - docs/getting-started-guides/rackspace.md - title: On-Premise VMs section: - - title: CoreOS on Vagrant - path: /docs/getting-started-guides/coreos/ - - title: Cloudstack - path: /docs/getting-started-guides/cloudstack/ - - title: VMware vSphere - path: /docs/getting-started-guides/vsphere/ - - title: VMware Photon Controller - path: /docs/getting-started-guides/photon-controller/ - - title: Juju - path: /docs/getting-started-guides/juju/ - - title: DCOS - path: /docs/getting-started-guides/dcos/ - - title: CoreOS on libvirt - path: /docs/getting-started-guides/libvirt-coreos/ - - title: oVirt - path: /docs/getting-started-guides/ovirt/ - - title: OpenStack Heat - path: /docs/getting-started-guides/openstack-heat/ + - docs/getting-started-guides/coreos/index.md + - docs/getting-started-guides/cloudstack.md + - docs/getting-started-guides/vsphere.md + - docs/getting-started-guides/photon-controller.md + - /docs/getting-started-guides/juju/ + - docs/getting-started-guides/dcos.md + - docs/getting-started-guides/libvirt-coreos.md + - docs/getting-started-guides/ovirt.md + - docs/getting-started-guides/openstack-heat.md - title: rkt section: - - title: Running Kubernetes with rkt - path: /docs/getting-started-guides/rkt/ - - title: Known Issues when Using rkt - path: /docs/getting-started-guides/rkt/notes/ - - title: Kubernetes on Mesos - path: /docs/getting-started-guides/mesos/ - - title: Kubernetes on Mesos on Docker - path: /docs/getting-started-guides/mesos-docker/ + - docs/getting-started-guides/rkt/index.md + - docs/getting-started-guides/rkt/notes.md + - docs/getting-started-guides/mesos/index.md + - docs/getting-started-guides/mesos-docker.md - title: Bare Metal section: - - title: Offline - path: /docs/getting-started-guides/coreos/bare_metal_offline/ - - title: Fedora via Ansible - path: /docs/getting-started-guides/fedora/fedora_ansible_config/ - - title: Fedora (Single Node) - path: /docs/getting-started-guides/fedora/fedora_manual_config/ - - title: Fedora (Multi Node) - path: /docs/getting-started-guides/fedora/flannel_multi_node_cluster/ - - title: CentOS - path: /docs/getting-started-guides/centos/centos_manual_config/ - - title: CoreOS - path: /docs/getting-started-guides/coreos - - title: Ubuntu - path: /docs/getting-started-guides/ubuntu/ - - title: Windows Server Containers - path: /docs/getting-started-guides/windows/ - - title: Validate Node Setup - path: /docs/admin/node-conformance - - title: Portable Multi-Node Cluster - path: /docs/getting-started-guides/docker-multinode/ - - title: Building Large Clusters - path: /docs/admin/cluster-large/ - - title: Running in Multiple Zones - path: /docs/admin/multiple-zones/ - - title: Building High-Availability Clusters - path: /docs/admin/high-availability/ + - docs/getting-started-guides/coreos/bare_metal_offline.md + - docs/getting-started-guides/fedora/fedora_ansible_config.md + - docs/getting-started-guides/fedora/fedora_manual_config.md + - docs/getting-started-guides/fedora/flannel_multi_node_cluster.md + - docs/getting-started-guides/centos/centos_manual_config.md + - docs/getting-started-guides/coreos/index.md + - /docs/getting-started-guides/ubuntu/ + - docs/getting-started-guides/windows/index.md + - docs/admin/node-conformance.md + - docs/getting-started-guides/docker-multinode.md + - docs/admin/cluster-large.md + - docs/admin/multiple-zones.md + - docs/admin/high-availability/index.md - title: Administering Clusters section: - - title: Admin Guide - path: /docs/admin/ - - title: Cluster Management Guide - path: /docs/admin/cluster-management/ - - title: kubeadm reference - path: /docs/admin/kubeadm/ - - title: Installing Addons - path: /docs/admin/addons/ - - title: Sharing a Cluster with Namespaces - path: /docs/admin/namespaces/ - - title: Namespaces Walkthrough - path: /docs/admin/namespaces/walkthrough/ - - title: Setting Pod CPU and Memory Limits - path: /docs/admin/limitrange/ - - title: Understanding Resource Quotas - path: /docs/admin/resourcequota/ - - title: Applying Resource Quotas and Limits - path: /docs/admin/resourcequota/walkthrough/ - - title: Kubernetes Components - path: /docs/admin/cluster-components/ - - title: Configuring Kubernetes Use of etcd - path: /docs/admin/etcd/ - - title: Using Multiple Clusters - path: /docs/admin/multi-cluster/ + - docs/admin/index.md + - docs/admin/cluster-management.md + - docs/admin/kubeadm.md + - docs/admin/addons.md + - docs/admin/namespaces/index.md + - docs/admin/namespaces/walkthrough.md + - docs/admin/limitrange/index.md + - docs/admin/resourcequota/index.md + - docs/admin/resourcequota/walkthrough.md + - docs/admin/cluster-components.md + - docs/admin/etcd.md + - docs/admin/multi-cluster.md - title: Changing Cluster Size path: https://github.com/kubernetes/kubernetes/wiki/User-FAQ#how-do-i-change-the-size-of-my-cluster/ - - title: Configuring Multiple Schedulers - path: /docs/admin/multiple-schedulers/ - - title: Networking in Kubernetes - path: /docs/admin/networking/ - - title: Using DNS Pods and Services - path: /docs/admin/dns/ + - docs/admin/multiple-schedulers.md + - docs/admin/networking.md + - docs/admin/dns.md - title: Setting Up and Configuring DNS path: https://github.com/kubernetes/kubernetes/tree/release-1.3/examples/cluster-dns - - title: Master <-> Node Communication - path: /docs/admin/master-node-communication/ - - title: Network Plugins - path: /docs/admin/network-plugins/ - - title: Static Pods - path: /docs/admin/static-pods/ - - title: Configuring kubelet Garbage Collection - path: /docs/admin/garbage-collection/ - - title: Configuring Out Of Resource Handling - path: /docs/admin/out-of-resource/ - - title: Configuring Kubernetes with Salt - path: /docs/admin/salt/ - - title: Monitoring Node Health - path: /docs/admin/node-problem/ - - title: AppArmor - path: /docs/admin/apparmor/ + - docs/admin/master-node-communication.md + - docs/admin/network-plugins.md + - docs/admin/static-pods.md + - docs/admin/garbage-collection.md + - docs/admin/out-of-resource.md + - docs/admin/salt.md + - docs/admin/node-problem.md + - docs/admin/apparmor/index.md - title: Administering Federation section: - - title: Using `kubefed` - path: /docs/admin/federation/kubfed/ - - title: Using `federation-up` and `deploy.sh` - path: /docs/admin/federation/ + - /docs/admin/federation/kubfed/ + - docs/admin/federation/index.md diff --git a/_data/reference.yml b/_data/reference.yml index ce0504eed8..41d9d49558 100644 --- a/_data/reference.yml +++ b/_data/reference.yml @@ -1,247 +1,141 @@ bigheader: "Reference Documentation" abstract: "Design docs, concept definitions, and references for APIs and CLIs." toc: -- title: Reference Documentation - path: /docs/reference/ +- docs/reference.md - title: Kubernetes API section: - - title: Kubernetes API Overview - path: /docs/api/ + - docs/api.md - title: Accessing the API section: - - title: Overview - path: /docs/admin/accessing-the-api/ - - title: Authenticating - path: /docs/admin/authentication/ - - title: Using Authorization Plugins - path: /docs/admin/authorization/ - - title: Using Admission Controllers - path: /docs/admin/admission-controllers/ - - title: Managing Service Accounts - path: /docs/admin/service-accounts-admin/ - - title: Kubernetes API Operations - path: /docs/api-reference/v1/operations/ - - title: Kubernetes API Definitions - path: /docs/api-reference/v1/definitions/ - - title: Kubernetes API Swagger Spec - path: /kubernetes/third_party/swagger-ui/ + - docs/admin/accessing-the-api.md + - docs/admin/authentication.md + - docs/admin/authorization.md + - docs/admin/admission-controllers.md + - docs/admin/service-accounts-admin.md + - docs/api-reference/v1/operations.html + - docs/api-reference/v1/definitions.html + - kubernetes/third_party/swagger-ui/index.md - title: Autoscaling API section: - - title: Autoscaling API Operations - path: /docs/api-reference/autoscaling/v1/operations/ - - title: Autoscaling API Definitions - path: /docs/api-reference/autoscaling/v1/definitions/ + - docs/api-reference/autoscaling/v1/operations.html + - docs/api-reference/autoscaling/v1/definitions.html - title: Batch API section: - - title: Batch API Operations - path: /docs/api-reference/batch/v1/operations/ - - title: Batch API Definitions - path: /docs/api-reference/batch/v1/definitions/ + - docs/api-reference/batch/v1/operations.html + - docs/api-reference/batch/v1/definitions.html - title: Extensions API section: - - title: Extensions API Operations - path: /docs/api-reference/extensions/v1beta1/operations/ - - title: Extensions API Definitions - path: /docs/api-reference/extensions/v1beta1/definitions/ + - docs/api-reference/extensions/v1beta1/operations.html + - docs/api-reference/extensions/v1beta1/definitions.html - title: kubectl CLI section: - - title: kubectl Overview - path: /docs/user-guide/kubectl-overview/ - - title: kubectl for Docker Users - path: /docs/user-guide/docker-cli-to-kubectl/ - - title: kubectl Usage Conventions - path: /docs/user-guide/kubectl-conventions/ - - title: JSONpath Support - path: /docs/user-guide/jsonpath/ - - title: kubectl Cheat Sheet - path: /docs/user-guide/kubectl-cheatsheet/ + - docs/user-guide/kubectl-overview.md + - docs/user-guide/docker-cli-to-kubectl.md + - docs/user-guide/kubectl-conventions.md + - docs/user-guide/jsonpath.md + - docs/user-guide/kubectl-cheatsheet.md - title: kubectl Commands section: - - title: kubectl - path: /docs/user-guide/kubectl/ - - title: kubectl annotate - path: /docs/user-guide/kubectl/kubectl_annotate/ - - title: kubectl api-versions - path: /docs/user-guide/kubectl/kubectl_api-versions/ - - title: kubectl apply - path: /docs/user-guide/kubectl/kubectl_apply/ - - title: kubectl attach - path: /docs/user-guide/kubectl/kubectl_attach/ - - title: kubectl autoscale - path: /docs/user-guide/kubectl/kubectl_autoscale/ - - title: kubectl cluster-info - path: /docs/user-guide/kubectl/kubectl_cluster-info/ - - title: kubectl config - path: /docs/user-guide/kubectl/kubectl_config/ - - title: kubectl config current-context - path: /docs/user-guide/kubectl/kubectl_config_current-context/ - - title: kubectl config set-cluster - path: /docs/user-guide/kubectl/kubectl_config_set-cluster/ - - title: kubectl config set-context - path: /docs/user-guide/kubectl/kubectl_config_set-context/ - - title: kubectl config set-credentials - path: /docs/user-guide/kubectl/kubectl_config_set-credentials/ - - title: kubectl config set - path: /docs/user-guide/kubectl/kubectl_config_set/ - - title: kubectl config unset - path: /docs/user-guide/kubectl/kubectl_config_unset/ - - title: kubectl config use-context - path: /docs/user-guide/kubectl/kubectl_config_use-context/ - - title: kubectl config view - path: /docs/user-guide/kubectl/kubectl_config_view/ - - title: kubectl convert - path: /docs/user-guide/kubectl/kubectl_convert/ - - title: kubectl cordon - path: /docs/user-guide/kubectl/kubectl_cordon/ - - title: kubectl create - path: /docs/user-guide/kubectl/kubectl_create/ - - title: kubectl create configmap - path: /docs/user-guide/kubectl/kubectl_create_configmap/ - - title: kubectl create namespace - path: /docs/user-guide/kubectl/kubectl_create_namespace/ - - title: kubectl create secret docker-registry - path: /docs/user-guide/kubectl/kubectl_create_secret_docker-registry/ - - title: kubectl create secret - path: /docs/user-guide/kubectl/kubectl_create_secret/ - - title: kubectl create secret generic - path: /docs/user-guide/kubectl/kubectl_create_secret_generic/ - - title: kubectl create serviceaccount - path: /docs/user-guide/kubectl/kubectl_create_serviceaccount/ - - title: kubectl delete - path: /docs/user-guide/kubectl/kubectl_delete/ - - title: kubectl describe - path: /docs/user-guide/kubectl/kubectl_describe/ - - title: kubectl drain - path: /docs/user-guide/kubectl/kubectl_drain/ - - title: kubectl edit - path: /docs/user-guide/kubectl/kubectl_edit/ - - title: kubectl exec - path: /docs/user-guide/kubectl/kubectl_exec/ - - title: kubectl explain - path: /docs/user-guide/kubectl/kubectl_explain/ - - title: kubectl expose - path: /docs/user-guide/kubectl/kubectl_expose/ - - title: kubectl get - path: /docs/user-guide/kubectl/kubectl_get/ - - title: kubectl label - path: /docs/user-guide/kubectl/kubectl_label/ - - title: kubectl logs - path: /docs/user-guide/kubectl/kubectl_logs/ - - title: kubectl patch - path: /docs/user-guide/kubectl/kubectl_patch/ - - title: kubectl port-forward - path: /docs/user-guide/kubectl/kubectl_port-forward/ - - title: kubectl proxy - path: /docs/user-guide/kubectl/kubectl_proxy/ - - title: kubectl replace - path: /docs/user-guide/kubectl/kubectl_replace/ - - title: kubectl rolling-update - path: /docs/user-guide/kubectl/kubectl_rolling-update/ - - title: kubectl rollout - path: /docs/user-guide/kubectl/kubectl_rollout/ - - title: kubectl rollout history - path: /docs/user-guide/kubectl/kubectl_rollout_history/ - - title: kubectl rollout pause - path: /docs/user-guide/kubectl/kubectl_rollout_pause/ - - title: kubectl rollout resume - path: /docs/user-guide/kubectl/kubectl_rollout_resume/ - - title: kubectl rollout undo - path: /docs/user-guide/kubectl/kubectl_rollout_undo/ - - title: kubectl run - path: /docs/user-guide/kubectl/kubectl_run/ - - title: kubectl scale - path: /docs/user-guide/kubectl/kubectl_scale/ - - title: kubectl uncordon - path: /docs/user-guide/kubectl/kubectl_uncordon/ - - title: kubectl version - path: /docs/user-guide/kubectl/kubectl_version/ + - docs/user-guide/kubectl/index.md + - docs/user-guide/kubectl/kubectl_annotate.md + - docs/user-guide/kubectl/kubectl_api-versions.md + - docs/user-guide/kubectl/kubectl_apply.md + - docs/user-guide/kubectl/kubectl_attach.md + - docs/user-guide/kubectl/kubectl_autoscale.md + - docs/user-guide/kubectl/kubectl_cluster-info.md + - docs/user-guide/kubectl/kubectl_config.md + - docs/user-guide/kubectl/kubectl_config_current-context.md + - docs/user-guide/kubectl/kubectl_config_set-cluster.md + - docs/user-guide/kubectl/kubectl_config_set-context.md + - docs/user-guide/kubectl/kubectl_config_set-credentials.md + - docs/user-guide/kubectl/kubectl_config_set.md + - docs/user-guide/kubectl/kubectl_config_unset.md + - docs/user-guide/kubectl/kubectl_config_use-context.md + - docs/user-guide/kubectl/kubectl_config_view.md + - docs/user-guide/kubectl/kubectl_convert.md + - docs/user-guide/kubectl/kubectl_cordon.md + - docs/user-guide/kubectl/kubectl_create.md + - docs/user-guide/kubectl/kubectl_create_configmap.md + - docs/user-guide/kubectl/kubectl_create_namespace.md + - docs/user-guide/kubectl/kubectl_create_secret_docker-registry.md + - docs/user-guide/kubectl/kubectl_create_secret.md + - docs/user-guide/kubectl/kubectl_create_secret_generic.md + - docs/user-guide/kubectl/kubectl_create_serviceaccount.md + - docs/user-guide/kubectl/kubectl_delete.md + - docs/user-guide/kubectl/kubectl_describe.md + - docs/user-guide/kubectl/kubectl_drain.md + - docs/user-guide/kubectl/kubectl_edit.md + - docs/user-guide/kubectl/kubectl_exec.md + - docs/user-guide/kubectl/kubectl_explain.md + - docs/user-guide/kubectl/kubectl_expose.md + - docs/user-guide/kubectl/kubectl_get.md + - docs/user-guide/kubectl/kubectl_label.md + - docs/user-guide/kubectl/kubectl_logs.md + - docs/user-guide/kubectl/kubectl_patch.md + - docs/user-guide/kubectl/kubectl_port-forward.md + - docs/user-guide/kubectl/kubectl_proxy.md + - docs/user-guide/kubectl/kubectl_replace.md + - docs/user-guide/kubectl/kubectl_rolling-update.md + - docs/user-guide/kubectl/kubectl_rollout.md + - docs/user-guide/kubectl/kubectl_rollout_history.md + - docs/user-guide/kubectl/kubectl_rollout_pause.md + - docs/user-guide/kubectl/kubectl_rollout_resume.md + - docs/user-guide/kubectl/kubectl_rollout_undo.md + - docs/user-guide/kubectl/kubectl_run.md + - docs/user-guide/kubectl/kubectl_scale.md + - docs/user-guide/kubectl/kubectl_uncordon.md + - docs/user-guide/kubectl/kubectl_version.md - title: Superseded and Deprecated Commands section: - - title: kubectl namespace - path: /docs/user-guide/kubectl/kubectl_namespace/ - - title: kubectl stop - path: /docs/user-guide/kubectl/kubectl_stop/ + - /docs/user-guide/kubectl/kubectl_namespace/ + - docs/user-guide/kubectl/kubectl_stop.md - title: Kubernetes Components section: - - title: kube-apiserver - path: /docs/admin/kube-apiserver/ - - title: kube-controller-manager - path: /docs/admin/kube-controller-manager/ - - title: kube-proxy - path: /docs/admin/kube-proxy/ - - title: kube-scheduler - path: /docs/admin/kube-scheduler/ + - docs/admin/kube-apiserver.md + - docs/admin/kube-controller-manager.md + - docs/admin/kube-proxy.md + - docs/admin/kube-scheduler.md - title: kubelet section: - - title: Overview - path: /docs/admin/kubelet/ - - title: Master-Node communication - path: /docs/admin/master-node-communication/ - - title: TLS bootstrapping - path: /docs/admin/kubelet-tls-bootstrapping/ - - title: Kubelet authentication/authorization - path: /docs/admin/kubelet-authentication-authorization/ + - docs/admin/kubelet.md + - docs/admin/master-node-communication.md + - docs/admin/kubelet-tls-bootstrapping.md + - docs/admin/kubelet-authentication-authorization.md - title: Glossary section: - - title: Annotations - path: /docs/user-guide/annotations/ - - title: Daemon Sets - path: /docs/admin/daemons/ - - title: Deployments - path: /docs/user-guide/deployments/ - - title: Horizontal Pod Autoscaling - path: /docs/user-guide/horizontal-pod-autoscaling/ - - title: Images - path: /docs/user-guide/images/ - - title: Ingress Resources - path: /docs/user-guide/ingress/ - - title: Jobs - path: /docs/user-guide/jobs/ - - title: Labels and Selectors - path: /docs/user-guide/labels/ - - title: Names - path: /docs/user-guide/identifiers/ - - title: Namespaces - path: /docs/user-guide/namespaces/ - - title: Network Policies - path: /docs/user-guide/networkpolicies/ - - title: Nodes - path: /docs/admin/node/ - - title: Persistent Volumes - path: /docs/user-guide/persistent-volumes/ - - title: Pet Sets - path: /docs/user-guide/petset/ - - title: Pods - path: /docs/user-guide/pods/ - - title: Pod Security Policies - path: /docs/user-guide/pod-security-policy/ - - title: Replica Sets - path: /docs/user-guide/replicasets/ - - title: Replication Controller - path: /docs/user-guide/replication-controller/ - - title: Resource Quotas - path: /docs/admin/resourcequota/ - - title: Cron Jobs - path: /docs/user-guide/cron-jobs/ - - title: Secrets - path: /docs/user-guide/secrets/ - - title: Security Context - path: /docs/user-guide/security-context/ - - title: Services - path: /docs/user-guide/services/ - - title: Service Accounts - path: /docs/user-guide/service-accounts/ - - title: Third Party Resources - path: /docs/user-guide/thirdpartyresources/ - - title: Volumes - path: /docs/user-guide/volumes/ + - docs/user-guide/annotations.md + - docs/admin/daemons.md + - docs/user-guide/deployments.md + - docs/user-guide/horizontal-pod-autoscaling/index.md + - docs/user-guide/images.md + - docs/user-guide/ingress.md + - docs/user-guide/jobs.md + - docs/user-guide/labels.md + - docs/user-guide/identifiers.md + - docs/user-guide/namespaces.md + - docs/user-guide/networkpolicies.md + - docs/admin/node.md + - docs/user-guide/persistent-volumes/index.md + - docs/user-guide/petset.md + - docs/user-guide/pods/index.md + - docs/user-guide/pod-security-policy/index.md + - docs/user-guide/replicasets.md + - docs/user-guide/replication-controller/index.md + - docs/admin/resourcequota/index.md + - docs/user-guide/cron-jobs.md + - docs/user-guide/secrets/index.md + - docs/user-guide/security-context.md + - docs/user-guide/services/index.md + - docs/user-guide/service-accounts.md + - docs/user-guide/thirdpartyresources.md + - docs/user-guide/volumes.md - title: Kubernetes Design Docs section: @@ -251,8 +145,7 @@ toc: path: https://github.com/kubernetes/kubernetes/blob/release-1.3/docs/design/ - title: Kubernetes Identity and Access Management path: https://github.com/kubernetes/kubernetes/blob/release-1.3/docs/design/access.md - - title: Kubernetes OpenVSwitch GRE/VxLAN networking - path: /docs/admin/ovs-networking/ + - docs/admin/ovs-networking.md - title: Security Contexts path: https://github.com/kubernetes/kubernetes/blob/release-1.3/docs/design/security_context.md - title: Security in Kubernetes @@ -260,29 +153,18 @@ toc: - title: Federation section: - - title: Federation User Guide - path: /docs/user-guide/federation/ - - title: Federated ConfigMap - path: /docs/user-guide/federation/configmap/ - - title: Federated DaemonSet - path: /docs/user-guide/federation/daemonsets/ - - title: Federated Deployment - path: /docs/user-guide/federation/deployment/ - - title: Federated Events - path: /docs/user-guide/federation/events/ - - title: Federated Ingress - path: /docs/user-guide/federation/federated-ingress/ - - title: Federated Namespaces - path: /docs/user-guide/federation/namespaces/ - - title: Federated ReplicaSets - path: /docs/user-guide/federation/replicasets/ - - title: Federated Secrets - path: /docs/user-guide/federation/secrets/ - - title: Federation API - path: /docs/federation/api-reference/README/ + - docs/user-guide/federation/index.md + - docs/user-guide/federation/configmap.md + - docs/user-guide/federation/daemonsets.md + - docs/user-guide/federation/deployment.md + - docs/user-guide/federation/events.md + - docs/user-guide/federation/federated-ingress.md + - docs/user-guide/federation/namespaces.md + - docs/user-guide/federation/replicasets.md + - docs/user-guide/federation/secrets.md + - docs/federation/api-reference/README.md - title: Federation Components section: - - title: federation-apiserver - path: /docs/admin/federation-apiserver + - docs/admin/federation-apiserver.md - title : federation-controller-mananger path: /docs/admin/federation-controller-manager diff --git a/_data/samples.yml b/_data/samples.yml index 3a9f0bcf28..e94f2b3223 100644 --- a/_data/samples.yml +++ b/_data/samples.yml @@ -1,8 +1,7 @@ bigheader: "Samples" abstract: "A collection of example applications that show how to use Kubernetes." toc: -- title: Samples - path: /docs/samples/ +- docs/samples.md - title: Storage / Database / KV section: @@ -67,8 +66,7 @@ toc: path: https://github.com/kubernetes/kubernetes/tree/release-1.3/examples/guestbook-go/ - title: GuestBook - PHP Server path: https://github.com/kubernetes/kubernetes/tree/release-1.3/examples/guestbook/ - - title: MEAN stack on Google Cloud Platform - path: /docs/getting-started-guides/meanstack/ + - docs/getting-started-guides/meanstack.md - title: MySQL + Wordpress path: https://github.com/kubernetes/kubernetes/tree/release-1.3/examples/mysql-wordpress-pd/ - title: MySQL + Phabricator Server diff --git a/_data/support.yml b/_data/support.yml index 487ff3d614..efb049ccb1 100644 --- a/_data/support.yml +++ b/_data/support.yml @@ -1,38 +1,25 @@ bigheader: "Support" abstract: "Troubleshooting resources, frequently asked questions, and community support channels." toc: -- title: Support - path: /docs/troubleshooting/ +- docs/troubleshooting.md - title: Contributing to the Kubernetes Docs section: - - title: Contributing to the Kubernetes Documentation - path: /editdocs/ - - title: Creating a Documentation Pull Request - path: /docs/contribute/create-pull-request/ - - title: Writing a New Topic - path: /docs/contribute/write-new-topic/ - - title: Staging Your Documentation Changes - path: /docs/contribute/stage-documentation-changes/ - - title: Using Page Templates - path: /docs/contribute/page-templates/ - - title: Documentation Style Guide - path: /docs/contribute/style-guide/ + - editdocs.md + - docs/contribute/create-pull-request.md + - docs/contribute/write-new-topic.md + - docs/contribute/stage-documentation-changes.md + - docs/contribute/page-templates.md + - docs/contribute/style-guide.md - title: Troubleshooting section: - - title: Debugging Pods and Replication Controllers - path: /docs/user-guide/debugging-pods-and-replication-controllers/ - - title: Application Introspection and Debugging - path: /docs/user-guide/introspection-and-debugging/ - - title: Retrieving Logs - path: /docs/user-guide/logging/ - - title: Troubleshooting Applications - path: /docs/user-guide/application-troubleshooting/ - - title: Troubleshooting Clusters - path: /docs/admin/cluster-troubleshooting/ - - title: Debugging Services - path: /docs/user-guide/debugging-services/ + - docs/user-guide/debugging-pods-and-replication-controllers.md + - docs/user-guide/introspection-and-debugging.md + - docs/user-guide/logging.md + - docs/user-guide/application-troubleshooting.md + - docs/admin/cluster-troubleshooting.md + - docs/user-guide/debugging-services.md - title: Frequently Asked Questions section: @@ -47,8 +34,7 @@ toc: section: - title: Kubernetes Issue Tracker on GitHub path: https://github.com/kubernetes/kubernetes/issues/ - - title: Report a Security Vulnerability - path: /docs/reporting-security-issues/ + - docs/reporting-security-issues.md - title: Release Notes path: https://github.com/kubernetes/kubernetes/releases/ - title: Release Roadmap diff --git a/_data/tasks.yml b/_data/tasks.yml index 277efa4886..05a880637a 100644 --- a/_data/tasks.yml +++ b/_data/tasks.yml @@ -1,63 +1,44 @@ bigheader: "Tasks" abstract: "Step-by-step instructions for performing operations with Kuberentes." toc: -- title: Tasks - path: /docs/tasks/ +- docs/tasks/index.md - title: Configuring Pods and Containers section: - - title: Defining Environment Variables for a Container - path: /docs/tasks/configure-pod-container/define-environment-variable-container/ - - title: Defining a Command and Arguments for a Container - path: /docs/tasks/configure-pod-container/define-command-argument-container/ - - title: Assigning CPU and RAM Resources to a Container - path: /docs/tasks/configure-pod-container/assign-cpu-ram-container/ - - title: Configuring a Pod to Use a Volume for Storage - path: /docs/tasks/configure-pod-container/configure-volume-storage/ - - title: Distributing Credentials Securely - path: /docs/tasks/configure-pod-container/distribute-credentials-secure/ + - docs/tasks/configure-pod-container/define-environment-variable-container.md + - docs/tasks/configure-pod-container/define-command-argument-container.md + - docs/tasks/configure-pod-container/assign-cpu-ram-container.md + - docs/tasks/configure-pod-container/configure-volume-storage.md + - docs/tasks/configure-pod-container/distribute-credentials-secure.md - title: Accessing Applications in a Cluster section: - - title: Using Port Forwarding to Access Applications in a Cluster - path: /docs/tasks/access-application-cluster/port-forward-access-application-cluster/ + - docs/tasks/access-application-cluster/port-forward-access-application-cluster.md - title: Debugging Applications in a Cluster section: - - title: Determining the Reason for Pod Failure - path: /docs/tasks/debug-application-cluster/determine-reason-pod-failure/ + - docs/tasks/debug-application-cluster/determine-reason-pod-failure.md - title: Accessing the Kubernetes API section: - - title: Using an HTTP Proxy to Access the Kubernetes API - path: /docs/tasks/access-kubernetes-api/http-proxy-access-api/ + - docs/tasks/access-kubernetes-api/http-proxy-access-api.md - title: Administering a Cluster section: - - title: Assigning Pods to Nodes - path: /docs/tasks/administer-cluster/assign-pods-nodes/ + - docs/tasks/administer-cluster/assign-pods-nodes.md - - title: Autoscaling the DNS Service in a Cluster - path: /docs/tasks/administer-cluster/dns-horizontal-autoscaling/ - - title: Safely Draining a Node while Respecting Application SLOs - path: /docs/tasks/administer-cluster/safely-drain-node/ + - docs/tasks/administer-cluster/dns-horizontal-autoscaling.md + - docs/tasks/administer-cluster/safely-drain-node.md - title: Managing Stateful Applications section: - - title: Upgrading from PetSets to StatefulSets - path: /docs/tasks/manage-stateful-set/upgrade-pet-set-to-stateful-set/ - - title: Scaling a StatefulSet - path: /docs/tasks/manage-stateful-set/scale-stateful-set/ - - title: Deleting a Stateful Set - path: /docs/tasks/manage-stateful-set/deleting-a-statefulset/ - - title: Debugging a StatefulSet - path: /docs/tasks/manage-stateful-set/debugging-a-statefulset/ - - title: Force Deleting StatefulSet Pods - path: /docs/tasks/manage-stateful-set/delete-pods/ + - docs/tasks/manage-stateful-set/upgrade-pet-set-to-stateful-set.md + - docs/tasks/manage-stateful-set/scale-stateful-set.md + - docs/tasks/manage-stateful-set/deleting-a-statefulset.md + - docs/tasks/manage-stateful-set/debugging-a-statefulset.md + - docs/tasks/manage-stateful-set/delete-pods.md - title: Troubleshooting section: - - title: Debugging Init Containers - path: /docs/tasks/troubleshoot/debug-init-containers/ - - title: Configuring Access Control and Identity Management - path: /docs/tasks/administer-cluster/access-control-identity-management/ + - docs/tasks/troubleshoot/debug-init-containers.md + - /docs/tasks/administer-cluster/access-control-identity-management/ diff --git a/_data/tools.yml b/_data/tools.yml index cf2afca34c..6b743c2e95 100644 --- a/_data/tools.yml +++ b/_data/tools.yml @@ -1,5 +1,4 @@ bigheader: "Tools" abstract: "Tools to help you use and enhance Kubernetes." toc: -- title: Tools - path: /docs/tools/ +- docs/tools/index.md diff --git a/_data/tutorials.yml b/_data/tutorials.yml index 82396ca65a..a4ff243bfb 100644 --- a/_data/tutorials.yml +++ b/_data/tutorials.yml @@ -1,63 +1,42 @@ bigheader: "Tutorials" abstract: "Detailed walkthroughs of common Kubernetes operations and workflows." toc: -- title: Tutorials - path: /docs/tutorials/ +- docs/tutorials/index.md - title: Kubernetes Basics section: - - title: Overview - path: /docs/tutorials/kubernetes-basics/ + - docs/tutorials/kubernetes-basics/index.html - title: 1. Create a Cluster section: - - title: Using Minikube to Create a Cluster - path: /docs/tutorials/kubernetes-basics/cluster-intro/ - - title: Interactive Tutorial - Creating a Cluster - path: /docs/tutorials/kubernetes-basics/cluster-interactive/ + - docs/tutorials/kubernetes-basics/cluster-intro.html + - docs/tutorials/kubernetes-basics/cluster-interactive.html - title: 2. Deploy an App section: - - title: Using kubectl to Create a Deployment - path: /docs/tutorials/kubernetes-basics/deploy-intro/ - - title: Interactive Tutorial - Deploying an App - path: /docs/tutorials/kubernetes-basics/deploy-interactive/ + - docs/tutorials/kubernetes-basics/deploy-intro.html + - docs/tutorials/kubernetes-basics/deploy-interactive.html - title: 3. Explore Your App section: - - title: Viewing Pods and Nodes - path: /docs/tutorials/kubernetes-basics/explore-intro/ - - title: Interactive Tutorial - Exploring Your App - path: /docs/tutorials/kubernetes-basics/explore-interactive/ + - docs/tutorials/kubernetes-basics/explore-intro.html + - docs/tutorials/kubernetes-basics/explore-interactive.html - title: 4. Expose Your App Publicly section: - - title: Using a Service to Expose Your App - path: /docs/tutorials/kubernetes-basics/expose-intro/ - - title: Interactive Tutorial - Exposing Your App - path: /docs/tutorials/kubernetes-basics/expose-interactive/ + - docs/tutorials/kubernetes-basics/expose-intro.html + - docs/tutorials/kubernetes-basics/expose-interactive.html - title: 5. Scale Your App section: - - title: Running Multiple Instances of Your App - path: /docs/tutorials/kubernetes-basics/scale-intro/ - - title: Interactive Tutorial - Scaling Your App - path: /docs/tutorials/kubernetes-basics/scale-interactive/ + - docs/tutorials/kubernetes-basics/scale-intro.html + - docs/tutorials/kubernetes-basics/scale-interactive.html - title: 6. Update Your App section: - - title: Performing a Rolling Update - path: /docs/tutorials/kubernetes-basics/update-intro/ - - title: Interactive Tutorial - Updating Your App - path: /docs/tutorials/kubernetes-basics/update-interactive/ + - docs/tutorials/kubernetes-basics/update-intro.html + - docs/tutorials/kubernetes-basics/update-interactive.html - title: Stateless Applications section: - - title: Running a Stateless Application Using a Deployment - path: /docs/tutorials/stateless-application/run-stateless-application-deployment/ - - title: Using a Service to Access an Application in a Cluster - path: /docs/tutorials/stateless-application/expose-external-ip-address-service/ - - title: Exposing an External IP Address to Access an Application in a Cluster - path: /docs/tutorials/stateless-application/expose-external-ip-address/ + - docs/tutorials/stateless-application/run-stateless-application-deployment.md + - docs/tutorials/stateless-application/expose-external-ip-address-service.md + - docs/tutorials/stateless-application/expose-external-ip-address.md - title: Stateful Applications section: - - title: StatefulSet Basics - path: /docs/tutorials/stateful-application/basic-stateful-set/ - - title: Running a Single-Instance Stateful Application - path: /docs/tutorials/stateful-application/run-stateful-application/ - - title: Running a Replicated Stateful Application - path: /docs/tutorials/stateful-application/run-replicated-stateful-application/ - - title: Running ZooKeeper, A CP Distributed System - path: /docs/tutorials/stateful-application/zookeeper/ + - docs/tutorials/stateful-application/basic-stateful-set.md + - docs/tutorials/stateful-application/run-stateful-application.md + - docs/tutorials/stateful-application/run-replicated-stateful-application.md + - docs/tutorials/stateful-application/zookeeper.md diff --git a/_includes/head-header.html b/_includes/head-header.html index e2b18fa6ee..4a05708d6b 100644 --- a/_includes/head-header.html +++ b/_includes/head-header.html @@ -1,4 +1,3 @@ -{% if page.title %}{% assign title=page.title %}{% endif %} diff --git a/_includes/tocsearch.html b/_includes/tocsearch.html index 38587a21a4..5bd5c5fd50 100644 --- a/_includes/tocsearch.html +++ b/_includes/tocsearch.html @@ -1 +1,15 @@ -{% for item in tree %}{% if item.section %}{% assign tree = item.section %}{% include tocsearch.html %}{% else %}{% if item.path == page.url %}{% assign foundTOC = thistoc %}{% assign title = item.title %}{% break %}{% endif %}{% endif %}{% endfor %} \ No newline at end of file +{% capture whitespace %} + {% for item in include.tree %} + {% if found_toc %} + {% break %} + {% endif %} + {% if item.section %} + {% include tocsearch.html tree=item.section toc=include.toc %} + {% else %} + {% if item == page.path %} + {% assign found_toc = include.toc %} + {% break %} + {% endif %} + {% endif %} + {% endfor %} +{% endcapture %} diff --git a/_includes/tree.html b/_includes/tree.html index 4914c13eef..6387c171e7 100644 --- a/_includes/tree.html +++ b/_includes/tree.html @@ -1,6 +1,26 @@ -{% for item in tree %}{% if item.section %} -

    -
    {% assign tree = item.section %}{% include tree.html %} -
    -
    {% else %}{% assign prefix = item.path | slice: 0, 4 %}{% if prefix == "http" %}{% assign target=" target='_blank'" %}{% else %}{% assign target="" %}{% endif %} - {% endif %}{% endfor %} \ No newline at end of file +{% for item in include.tree %} + {% if item.section %} +
    +
    + {% include_cached tree.html tree=item.section %} +
    +
    + {% else %} + + {% capture whitespace %} + {% if item.path %} + {% assign path = item.path %} + {% assign title = item.title %} + {% assign target = " target='_blank'" %} + {% else %} + {% assign page = site.pages | where: "path", item | first %} + {% assign title = page.title %} + {% assign path = page.url %} + {% endif %} + {% endcapture %} + + {% if path %} + + {% endif %} + {% endif %} +{% endfor %} diff --git a/_layouts/docwithnav.html b/_layouts/docwithnav.html index b97f92d53a..4ac68e8acd 100755 --- a/_layouts/docwithnav.html +++ b/_layouts/docwithnav.html @@ -1,25 +1,32 @@ -{% for thistoc in site.data.globals.tocs %}{% if foundTOC %}{% break %}{% else %}{% assign tree = site.data[thistoc].toc %}{% include tocsearch.html %}{% endif %}{% endfor %} -{% for override in site.data.overrides.overrides %}{% if page.path contains override.path %}{% assign notitle = "true" %}{% endif %}{% endfor %} +{% for current_toc in site.tocs %} + {% if found_toc %} + {% break %} + {% else %} + {% assign toc=site.data[current_toc] %} + {% include tocsearch.html tree=toc.toc toc=toc %} + {% endif %} +{% endfor %} + - + {% include head-header.html %}
    -

    {{ site.data[foundTOC].bigheader }}

    -
    {{ site.data[foundTOC].abstract }}
    +

    {{ toc.bigheader }}

    +
    {{ toc.abstract }}