From dc8977f123d61e857ab688bcad84bdaa2c83b0ac Mon Sep 17 00:00:00 2001 From: Alexey Pustovalov Date: Thu, 29 Feb 2024 00:42:10 +0900 Subject: [PATCH 01/32] Added RHEL variables to .env --- .env | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/.env b/.env index fa5236d66..6168d9fce 100644 --- a/.env +++ b/.env @@ -3,6 +3,7 @@ ZABBIX_ALPINE_IMAGE_TAG=alpine ZABBIX_CENTOS_IMAGE_TAG=centos ZABBIX_OL_IMAGE_TAG=ol ZABBIX_UBUNTU_IMAGE_TAG=ubuntu +ZABBIX_RHEL_IMAGE_TAG=rhel ZABBIX_IMAGE_TAG_POSTFIX=-trunk ZABBIX_LOCAL_IMAGE_TAG_POSTFIX=-local @@ -65,6 +66,7 @@ ALPINE_CACHE_FROM=alpine:3.19 CENTOS_CACHE_FROM=quay.io/centos/centos:stream9 OL_CACHE_FROM=oraclelinux:9-slim UBUNTU_CACHE_FROM=ubuntu:jammy +RHEL_CACHE_FROM=registry.access.redhat.com/ubi9/ubi-minimal:9.3 # Base images BUILD_BASE_IMAGE=zabbix-build-base @@ -84,3 +86,6 @@ OL_OS_TAG_SHORT=ol UBUNTU_OS_TAG=Ubuntu UBUNTU_OS_TAG_SHORT=ubuntu + +RHEL_OS_TAG=Red Hat +RHEL_OS_TAG_SHORT=rhel From ca4226799bd02a5299b353132b01adcdaba0af24 Mon Sep 17 00:00:00 2001 From: Alexey Pustovalov Date: Thu, 29 Feb 2024 01:12:07 +0900 Subject: [PATCH 02/32] Added secrets to ignore list --- .gitignore | 1 + 1 file changed, 1 insertion(+) diff --git a/.gitignore b/.gitignore index 03f34fddd..b2f027583 100644 --- a/.gitignore +++ b/.gitignore @@ -3,3 +3,4 @@ zbx_env*/ .*CERT_FILE .*KEY_FILE .*CA_FILE +Dockerfiles/*/rhel/secrets/* From a7155b01a15896b32808a20d630f5ae4aeb50ba7 Mon Sep 17 00:00:00 2001 
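Review bot: The pattern `Dockerfiles/*/rhel/secrets/*` ignores everything inside the directory, so a fresh clone has no `secrets/` directory at all. The RHEL Dockerfiles in the following patch bind-mount `src=secrets/` from the build context, which will likely fail when that path is missing. Consider tracking a placeholder and exempting it from the rule with `!Dockerfiles/*/rhel/secrets/.gitkeep`. Note also that an ignore rule only stops `git add`: it does not untrack a file that was already committed, and it does not keep the directory out of the Docker build context.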
From: Alexey Pustovalov Date: Thu, 29 Feb 2024 02:21:49 +0900 Subject: [PATCH 03/32] 1. Disable subscription-manager plugin for tzdata operations.\n2. Using secrets directory to share pki / subscription data from host\n3. Initially update tzdata, then reinstall --- Dockerfiles/agent/rhel/Dockerfile | 12 +++++++++++- Dockerfiles/agent2/rhel/Dockerfile | 12 +++++++++++- Dockerfiles/build-base/rhel/Dockerfile | 1 + Dockerfiles/java-gateway/rhel/Dockerfile | 1 + Dockerfiles/proxy-mysql/rhel/Dockerfile | 11 +++++++++++ Dockerfiles/proxy-sqlite3/rhel/Dockerfile | 11 +++++++++++ Dockerfiles/server-mysql/rhel/Dockerfile | 12 +++++++++++- Dockerfiles/snmptraps/rhel/Dockerfile | 19 ++++++++++++++++++- Dockerfiles/web-nginx-mysql/rhel/Dockerfile | 14 ++++++++++++-- Dockerfiles/web-service/rhel/Dockerfile | 3 ++- 10 files changed, 89 insertions(+), 7 deletions(-) diff --git a/Dockerfiles/agent/rhel/Dockerfile b/Dockerfiles/agent/rhel/Dockerfile index 32a530d93..de3f9c303 100644 --- a/Dockerfiles/agent/rhel/Dockerfile +++ b/Dockerfiles/agent/rhel/Dockerfile @@ -53,7 +53,6 @@ COPY --from=builder ["/tmp/zabbix-${ZBX_VERSION}/conf/zabbix_agentd.conf", "/etc RUN --mount=type=tmpfs,target=/var/lib/dnf/ \ set -eux && \ INSTALL_PKGS="bash \ - tzdata \ iputils \ shadow-utils \ pcre2 \ @@ -63,6 +62,7 @@ RUN --mount=type=tmpfs,target=/var/lib/dnf/ \ rpm -ivh /tmp/epel-release-latest-9.noarch.rpm && \ rm -rf /tmp/epel-release-latest-9.noarch.rpm && \ microdnf -y install \ + --disableplugin=subscription-manager \ --disablerepo "*" \ --enablerepo "ubi-9-baseos-rpms" \ --enablerepo "epel" \ 
@@ -71,7 +71,17 @@ RUN --mount=type=tmpfs,target=/var/lib/dnf/ \ --best \ --setopt=tsflags=nodocs \ ${INSTALL_PKGS} && \ + microdnf -y update \ + --disableplugin=subscription-manager \ + --disablerepo "*" \ + --enablerepo "ubi-9-baseos-rpms" \ + --setopt=install_weak_deps=0 \ + --best \ + --setopt=tsflags=nodocs \ + tzdata && \ microdnf -y reinstall \ + --disableplugin=subscription-manager \ + --disablerepo "*" \ --enablerepo "ubi-9-baseos-rpms" \ --setopt=install_weak_deps=0 \ --setopt=keepcache=0 \ diff --git a/Dockerfiles/agent2/rhel/Dockerfile b/Dockerfiles/agent2/rhel/Dockerfile index 1b23406bb..7bf7b6e58 100644 --- a/Dockerfiles/agent2/rhel/Dockerfile +++ b/Dockerfiles/agent2/rhel/Dockerfile @@ -58,7 +58,6 @@ COPY --from=builder ["/tmp/postgresql_plugin/zabbix-agent2-plugin-postgresql", " RUN --mount=type=tmpfs,target=/var/lib/dnf/ \ set -eux && \ INSTALL_PKGS="bash \ - tzdata \ iputils \ shadow-utils \ pcre2 \ @@ -69,6 +68,7 @@ RUN --mount=type=tmpfs,target=/var/lib/dnf/ \ rpm -ivh /tmp/epel-release-latest-9.noarch.rpm && \ rm -rf /tmp/epel-release-latest-9.noarch.rpm && \ microdnf -y install \ + --disableplugin=subscription-manager \ --disablerepo "*" \ --enablerepo "ubi-9-baseos-rpms" \ --enablerepo "epel" \ @@ -77,7 +77,17 @@ RUN --mount=type=tmpfs,target=/var/lib/dnf/ \ --best \ --setopt=tsflags=nodocs \ ${INSTALL_PKGS} && \ + microdnf -y update \ + --disableplugin=subscription-manager \ + --disablerepo "*" \ + --enablerepo "ubi-9-baseos-rpms" \ + --setopt=install_weak_deps=0 \ + --best \ + --setopt=tsflags=nodocs \ + tzdata && \ microdnf -y reinstall \ + --disableplugin=subscription-manager \ + --disablerepo "*" \ --enablerepo "ubi-9-baseos-rpms" \ --setopt=install_weak_deps=0 \ --setopt=keepcache=0 \ diff --git a/Dockerfiles/build-base/rhel/Dockerfile b/Dockerfiles/build-base/rhel/Dockerfile index 0acd4d044..cab98e671 100644 --- a/Dockerfiles/build-base/rhel/Dockerfile +++ b/Dockerfiles/build-base/rhel/Dockerfile 
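Review bot: The new `microdnf -y update … tzdata` step followed directly by `microdnf -y reinstall … tzdata` has no comment explaining why a package is updated and then reinstalled; the only explanation is the commit subject. A comment above the RUN would keep the sequence from being collapsed later, e.g. `# tzdata ships in the base image: update it from ubi-9-baseos-rpms first, then reinstall (presumably to restore zone files stripped from the minimal image)`. The update step also omits the `--setopt=keepcache=0` that the reinstall carries, so if no cache cleanup follows outside the hunk the downloaded package may stay in the layer. The same update-then-reinstall pattern is added in the agent2, proxy-mysql, proxy-sqlite3, server-mysql, snmptraps and web-nginx-mysql RHEL Dockerfiles; the RUN body continues outside the hunk.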
@@ -30,6 +30,7 @@ LABEL description="Prepared environment to build Zabbix components" \ COPY ["licenses", "/licenses"] RUN --mount=type=tmpfs,target=/var/lib/dnf/ \ + --mount=type=bind,target=/run/secrets/,src=secrets/ \ set -eux && \ INSTALL_PKGS="autoconf \ automake \ diff --git a/Dockerfiles/java-gateway/rhel/Dockerfile b/Dockerfiles/java-gateway/rhel/Dockerfile index a403a9ede..f951115b7 100644 --- a/Dockerfiles/java-gateway/rhel/Dockerfile +++ b/Dockerfiles/java-gateway/rhel/Dockerfile @@ -55,6 +55,7 @@ RUN --mount=type=tmpfs,target=/var/lib/dnf/ \ shadow-utils \ java-17-openjdk-headless" && \ microdnf -y install \ + --disableplugin=subscription-manager \ --disablerepo "*" \ --enablerepo "ubi-9-baseos-rpms" \ --enablerepo "ubi-9-appstream-rpms" \ diff --git a/Dockerfiles/proxy-mysql/rhel/Dockerfile b/Dockerfiles/proxy-mysql/rhel/Dockerfile index 0c9228d1c..5057b314d 100644 --- a/Dockerfiles/proxy-mysql/rhel/Dockerfile +++ b/Dockerfiles/proxy-mysql/rhel/Dockerfile @@ -54,6 +54,7 @@ COPY --from=builder ["/tmp/zabbix-${ZBX_VERSION}/conf/zabbix_proxy.conf", "/etc/ COPY --from=builder ["/tmp/zabbix-${ZBX_VERSION}/database/mysql/create_proxy.sql.gz", "/usr/share/doc/zabbix-proxy-mysql/create.sql.gz"] RUN --mount=type=tmpfs,target=/var/lib/dnf/ \ + --mount=type=bind,target=/run/secrets/,src=secrets/ \ set -eux && \ INSTALL_PKGS="bash \ traceroute \ @@ -90,7 +91,17 @@ RUN --mount=type=tmpfs,target=/var/lib/dnf/ \ --best \ --setopt=tsflags=nodocs \ ${INSTALL_PKGS} && \ + microdnf -y update \ + --disableplugin=subscription-manager \ + --disablerepo "*" \ + --enablerepo "ubi-9-baseos-rpms" \ + --setopt=install_weak_deps=0 \ + --best \ + --setopt=tsflags=nodocs \ + tzdata && \ microdnf -y reinstall \ + --disableplugin=subscription-manager \ + --disablerepo "*" \ --enablerepo "ubi-9-baseos-rpms" \ --setopt=install_weak_deps=0 \ --best \ diff --git a/Dockerfiles/proxy-sqlite3/rhel/Dockerfile b/Dockerfiles/proxy-sqlite3/rhel/Dockerfile index cdaea8f6f..436ea806b 100644 
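Review bot: The added `--mount=type=bind,target=/run/secrets/,src=secrets/` takes the subscription and PKI material from inside the build context, so the entitlement key travels to the builder with the context and may be retained in the builder's cache. It would also end up in an image layer if a later `COPY` were ever widened beyond the explicit paths used today. BuildKit secret mounts keep such files out of the context: consider one `--mount=type=secret,id=<entitlement-id>,target=/run/secrets/<file>` per file (the id and file name are placeholders), supplied from the host at build time. If the directory form is kept, a comment above the RUN stating what belongs in `secrets/` and that it must never be copied into the image would help. The same mount is added in the proxy-mysql, proxy-sqlite3, server-mysql, web-nginx-mysql and web-service RHEL Dockerfiles of this patch; the RUN bodies continue outside the hunks.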
--- a/Dockerfiles/proxy-sqlite3/rhel/Dockerfile +++ b/Dockerfiles/proxy-sqlite3/rhel/Dockerfile @@ -53,6 +53,7 @@ COPY --from=builder ["/tmp/zabbix-${ZBX_VERSION}/src/zabbix_sender/zabbix_sender COPY --from=builder ["/tmp/zabbix-${ZBX_VERSION}/conf/zabbix_proxy.conf", "/etc/zabbix/zabbix_proxy.conf"] RUN --mount=type=tmpfs,target=/var/lib/dnf/ \ + --mount=type=bind,target=/run/secrets/,src=secrets/ \ set -eux && \ INSTALL_PKGS="bash \ traceroute \ @@ -86,7 +87,17 @@ RUN --mount=type=tmpfs,target=/var/lib/dnf/ \ --best \ --setopt=tsflags=nodocs \ ${INSTALL_PKGS} && \ + microdnf -y update \ + --disableplugin=subscription-manager \ + --disablerepo "*" \ + --enablerepo "ubi-9-baseos-rpms" \ + --setopt=install_weak_deps=0 \ + --best \ + --setopt=tsflags=nodocs \ + tzdata && \ microdnf -y reinstall \ + --disableplugin=subscription-manager \ + --disablerepo "*" \ --enablerepo "ubi-9-baseos-rpms" \ --setopt=install_weak_deps=0 \ --setopt=keepcache=0 \ diff --git a/Dockerfiles/server-mysql/rhel/Dockerfile b/Dockerfiles/server-mysql/rhel/Dockerfile index 1ecf82dea..d52bcddbb 100644 --- a/Dockerfiles/server-mysql/rhel/Dockerfile +++ b/Dockerfiles/server-mysql/rhel/Dockerfile @@ -54,13 +54,13 @@ COPY --from=builder ["/tmp/zabbix-${ZBX_VERSION}/conf/zabbix_server.conf", "/etc COPY --from=builder ["/tmp/zabbix-${ZBX_VERSION}/database/mysql/create_server.sql.gz", "/usr/share/doc/zabbix-server-mysql/create.sql.gz"] RUN --mount=type=tmpfs,target=/var/lib/dnf/ \ + --mount=type=bind,target=/run/secrets/,src=secrets/ \ set -eux && \ INSTALL_PKGS="bash \ traceroute \ nmap \ fping \ shadow-utils \ - tzdata \ iputils \ hostname \ libssh \ 
@@ -94,7 +94,17 @@ RUN --mount=type=tmpfs,target=/var/lib/dnf/ \ --best \ --setopt=tsflags=nodocs \ ${INSTALL_PKGS} && \ + microdnf -y update \ + --disableplugin=subscription-manager \ + --disablerepo "*" \ + --enablerepo "ubi-9-baseos-rpms" \ + --setopt=install_weak_deps=0 \ + --best \ + --setopt=tsflags=nodocs \ + tzdata && \ microdnf -y reinstall \ + --disableplugin=subscription-manager \ + --disablerepo "*" \ --enablerepo "ubi-9-baseos-rpms" \ --setopt=install_weak_deps=0 \ --setopt=keepcache=0 \ diff --git a/Dockerfiles/snmptraps/rhel/Dockerfile b/Dockerfiles/snmptraps/rhel/Dockerfile index 416b75b3a..8e7e128f3 100644 --- a/Dockerfiles/snmptraps/rhel/Dockerfile +++ b/Dockerfiles/snmptraps/rhel/Dockerfile @@ -46,9 +46,9 @@ RUN --mount=type=tmpfs,target=/var/lib/dnf/ \ set -eux && \ INSTALL_PKGS="bash \ shadow-utils \ - tzdata \ net-snmp" && \ microdnf -y install \ + --disableplugin=subscription-manager \ --disablerepo="*" \ --enablerepo "ubi-9-baseos-rpms" \ --enablerepo "ubi-9-appstream-rpms" \ @@ -57,6 +57,23 @@ RUN --mount=type=tmpfs,target=/var/lib/dnf/ \ --best \ --setopt=tsflags=nodocs \ ${INSTALL_PKGS} && \ + microdnf -y update \ + --disableplugin=subscription-manager \ + --disablerepo "*" \ + --enablerepo "ubi-9-baseos-rpms" \ + --setopt=install_weak_deps=0 \ + --best \ + --setopt=tsflags=nodocs \ + tzdata && \ + microdnf -y reinstall \ + --disableplugin=subscription-manager \ + --disablerepo "*" \ + --enablerepo "ubi-9-baseos-rpms" \ + --setopt=install_weak_deps=0 \ + --setopt=keepcache=0 \ + --best \ + --setopt=tsflags=nodocs \ + tzdata && \ groupadd \ --system \ --gid 1995 \ diff --git a/Dockerfiles/web-nginx-mysql/rhel/Dockerfile b/Dockerfiles/web-nginx-mysql/rhel/Dockerfile index 0b5031c58..e39f4f165 100644 --- a/Dockerfiles/web-nginx-mysql/rhel/Dockerfile +++ b/Dockerfiles/web-nginx-mysql/rhel/Dockerfile 
@@ -49,9 +49,9 @@ COPY ["conf/etc/", "/etc/"] COPY --from=builder ["/tmp/zabbix-${ZBX_VERSION}/ui", "/usr/share/zabbix"] RUN --mount=type=tmpfs,target=/var/lib/dnf/ \ + --mount=type=bind,target=/run/secrets/,src=secrets/ \ set -eux && \ INSTALL_PKGS="bash \ - tzdata \ curl-minimal \ supervisor \ shadow-utils \ @@ -83,12 +83,22 @@ RUN --mount=type=tmpfs,target=/var/lib/dnf/ \ --best \ --setopt=tsflags=nodocs \ ${INSTALL_PKGS} && \ - microdnf -y reinstall \ + microdnf -y update \ + --disableplugin=subscription-manager \ + --disablerepo "*" \ --enablerepo "ubi-9-baseos-rpms" \ --setopt=install_weak_deps=0 \ --best \ --setopt=tsflags=nodocs \ + tzdata && \ + microdnf -y reinstall \ + --disableplugin=subscription-manager \ + --disablerepo "*" \ + --enablerepo "ubi-9-baseos-rpms" \ + --setopt=install_weak_deps=0 \ --setopt=keepcache=0 \ + --best \ + --setopt=tsflags=nodocs \ tzdata && \ groupadd \ --system \ diff --git a/Dockerfiles/web-service/rhel/Dockerfile b/Dockerfiles/web-service/rhel/Dockerfile index 172b96093..150f3fac5 100644 --- a/Dockerfiles/web-service/rhel/Dockerfile +++ b/Dockerfiles/web-service/rhel/Dockerfile @@ -50,6 +50,7 @@ COPY --from=builder ["/tmp/zabbix-${ZBX_VERSION}/src/go/bin/zabbix_web_service", COPY --from=builder ["/tmp/zabbix-${ZBX_VERSION}/src/go/conf/zabbix_web_service.conf", "/etc/zabbix/zabbix_web_service.conf"] RUN --mount=type=tmpfs,target=/var/lib/dnf/ \ + --mount=type=bind,target=/run/secrets/,src=secrets/ \ set -eux && \ INSTALL_PKGS="bash \ shadow-utils \ @@ -62,7 +63,6 @@ RUN --mount=type=tmpfs,target=/var/lib/dnf/ \ --disablerepo "*" \ --enablerepo "ubi-9-baseos-rpms" \ --enablerepo "ubi-9-appstream-rpms" \ - --enablerepo "rhel-9-for-$ARCH_SUFFIX-baseos-rpms" \ --enablerepo "rhel-9-for-$ARCH_SUFFIX-appstream-rpms" \ --enablerepo "epel" \ --setopt=install_weak_deps=0 \ 
@@ -71,6 +71,7 @@ RUN --mount=type=tmpfs,target=/var/lib/dnf/ \ --setopt=tsflags=nodocs \ ${INSTALL_PKGS} && \ microdnf -y install \ + --disableplugin=subscription-manager \ --disablerepo "*" \ --enablerepo "ubi-9-baseos-rpms" \ --enablerepo "ubi-9-appstream-rpms" \ From 854277901dd2ade2de74b7194a4a85826bcc8417 Mon Sep 17 00:00:00 2001 From: Alexey Pustovalov Date: Thu, 29 Feb 2024 02:50:10 +0900 Subject: [PATCH 04/32] Add compose file for RHEL local build --- docker-compose_v3_rhel_mysql_local.yaml | 236 ++++++++++++++++++++++++ 1 file changed, 236 insertions(+) create mode 100644 docker-compose_v3_rhel_mysql_local.yaml diff --git a/docker-compose_v3_rhel_mysql_local.yaml b/docker-compose_v3_rhel_mysql_local.yaml new file mode 100644 index 000000000..19b7f2433 --- /dev/null +++ b/docker-compose_v3_rhel_mysql_local.yaml 
@@ -0,0 +1,236 @@ +version: '3.8' +services: + zabbix-build-base: + build: + context: ./Dockerfiles/build-base/${RHEL_OS_TAG_SHORT} + cache_from: + - "${RHEL_CACHE_FROM}" + image: ${BUILD_BASE_IMAGE}:${ZABBIX_RHEL_IMAGE_TAG}${ZABBIX_LOCAL_IMAGE_TAG_POSTFIX} + + zabbix-build-mysql: + build: + context: ./Dockerfiles/build-mysql/${RHEL_OS_TAG_SHORT} + cache_from: + - "${RHEL_CACHE_FROM}" + args: + BUILD_BASE_IMAGE: ${BUILD_BASE_IMAGE}:${ZABBIX_RHEL_IMAGE_TAG}${ZABBIX_LOCAL_IMAGE_TAG_POSTFIX} + image: ${BUILD_BASE_MYSQL_IMAGE}:${ZABBIX_RHEL_IMAGE_TAG}${ZABBIX_LOCAL_IMAGE_TAG_POSTFIX} + depends_on: + - zabbix-build-base + + zabbix-build-sqlite3: + build: + context: ./Dockerfiles/build-sqlite3/${RHEL_OS_TAG_SHORT} + cache_from: + - "${RHEL_CACHE_FROM}" + args: + BUILD_BASE_IMAGE: ${BUILD_BASE_IMAGE}:${ZABBIX_RHEL_IMAGE_TAG}${ZABBIX_LOCAL_IMAGE_TAG_POSTFIX} + image: ${BUILD_BASE_SQLITE3_IMAGE}:${ZABBIX_RHEL_IMAGE_TAG}${ZABBIX_LOCAL_IMAGE_TAG_POSTFIX} + profiles: + - all + depends_on: + - zabbix-build-base + + zabbix-server: + extends: + file: compose_zabbix_components.yaml + service: server-mysql + build: + context: ./Dockerfiles/server-mysql/${RHEL_OS_TAG_SHORT} + cache_from: + - "${RHEL_CACHE_FROM}" + args: + BUILD_BASE_IMAGE: ${BUILD_BASE_MYSQL_IMAGE}:${ZABBIX_RHEL_IMAGE_TAG}${ZABBIX_LOCAL_IMAGE_TAG_POSTFIX} + image: zabbix-server-mysql:${ZABBIX_RHEL_IMAGE_TAG}${ZABBIX_LOCAL_IMAGE_TAG_POSTFIX} + volumes: + - /etc/timezone:/etc/timezone:ro + depends_on: + - mysql-server + - zabbix-build-mysql + labels: + com.zabbix.os: "${RHEL_OS_TAG}" + + zabbix-proxy-sqlite3: + extends: + file: compose_zabbix_components.yaml + service: proxy-sqlite3 + build: + context: ./Dockerfiles/proxy-sqlite3/${RHEL_OS_TAG_SHORT} + cache_from: + - "${RHEL_CACHE_FROM}" + args: + BUILD_BASE_IMAGE: ${BUILD_BASE_SQLITE3_IMAGE}:${ZABBIX_RHEL_IMAGE_TAG}${ZABBIX_LOCAL_IMAGE_TAG_POSTFIX} + image: zabbix-proxy-sqlite3:${ZABBIX_RHEL_IMAGE_TAG}${ZABBIX_LOCAL_IMAGE_TAG_POSTFIX} + volumes: + - 
/etc/timezone:/etc/timezone:ro + depends_on: + - zabbix-build-sqlite3 + labels: + com.zabbix.os: "${RHEL_OS_TAG}" + + zabbix-proxy-mysql: + extends: + file: compose_zabbix_components.yaml + service: proxy-mysql + build: + context: ./Dockerfiles/proxy-mysql/${RHEL_OS_TAG_SHORT} + cache_from: + - "${RHEL_CACHE_FROM}" + args: + BUILD_BASE_IMAGE: ${BUILD_BASE_MYSQL_IMAGE}:${ZABBIX_RHEL_IMAGE_TAG}${ZABBIX_LOCAL_IMAGE_TAG_POSTFIX} + image: zabbix-proxy-mysql:${ZABBIX_RHEL_IMAGE_TAG}${ZABBIX_LOCAL_IMAGE_TAG_POSTFIX} + volumes: + - /etc/timezone:/etc/timezone:ro + depends_on: + - mysql-server + - zabbix-build-mysql + labels: + com.zabbix.os: "${RHEL_OS_TAG}" + + zabbix-web-nginx-mysql: + extends: + file: compose_zabbix_components.yaml + service: web-nginx-mysql + build: + context: ./Dockerfiles/web-nginx-mysql/${RHEL_OS_TAG_SHORT} + cache_from: + - "${RHEL_CACHE_FROM}" + args: + BUILD_BASE_IMAGE: ${BUILD_BASE_MYSQL_IMAGE}:${ZABBIX_RHEL_IMAGE_TAG}${ZABBIX_LOCAL_IMAGE_TAG_POSTFIX} + image: zabbix-web-nginx-mysql:${ZABBIX_RHEL_IMAGE_TAG}${ZABBIX_LOCAL_IMAGE_TAG_POSTFIX} + volumes: + - /etc/timezone:/etc/timezone:ro + depends_on: + - mysql-server + - zabbix-build-mysql + labels: + com.zabbix.os: "${RHEL_OS_TAG}" + + zabbix-agent: + extends: + file: compose_zabbix_components.yaml + service: agent + build: + context: ./Dockerfiles/agent/${RHEL_OS_TAG_SHORT} + cache_from: + - "${RHEL_CACHE_FROM}" + args: + BUILD_BASE_IMAGE: ${BUILD_BASE_MYSQL_IMAGE}:${ZABBIX_RHEL_IMAGE_TAG}${ZABBIX_LOCAL_IMAGE_TAG_POSTFIX} + image: zabbix-agent:${ZABBIX_RHEL_IMAGE_TAG}${ZABBIX_LOCAL_IMAGE_TAG_POSTFIX} + volumes: + - /etc/timezone:/etc/timezone:ro + depends_on: + - zabbix-build-mysql + labels: + com.zabbix.os: "${RHEL_OS_TAG}" + + zabbix-java-gateway: + extends: + file: compose_zabbix_components.yaml + service: java-gateway + build: + context: ./Dockerfiles/java-gateway/${RHEL_OS_TAG_SHORT} + cache_from: + - "${RHEL_CACHE_FROM}" + args: + BUILD_BASE_IMAGE: 
${BUILD_BASE_MYSQL_IMAGE}:${ZABBIX_RHEL_IMAGE_TAG}${ZABBIX_LOCAL_IMAGE_TAG_POSTFIX} + image: zabbix-java-gateway:${ZABBIX_RHEL_IMAGE_TAG}${ZABBIX_LOCAL_IMAGE_TAG_POSTFIX} + depends_on: + - zabbix-build-mysql + labels: + com.zabbix.os: "${RHEL_OS_TAG}" + + zabbix-snmptraps: + extends: + file: compose_zabbix_components.yaml + service: snmptraps + build: + context: ./Dockerfiles/snmptraps/${RHEL_OS_TAG_SHORT} + cache_from: + - "${RHEL_CACHE_FROM}" + image: zabbix-snmptraps:${ZABBIX_RHEL_IMAGE_TAG}${ZABBIX_LOCAL_IMAGE_TAG_POSTFIX} + depends_on: + - zabbix-build-mysql + labels: + com.zabbix.os: "${RHEL_OS_TAG}" + + zabbix-web-service: + extends: + file: compose_zabbix_components.yaml + service: web-service + build: + context: ./Dockerfiles/web-service/${RHEL_OS_TAG_SHORT} + cache_from: + - "${RHEL_CACHE_FROM}" + args: + BUILD_BASE_IMAGE: ${BUILD_BASE_MYSQL_IMAGE}:${ZABBIX_RHEL_IMAGE_TAG}${ZABBIX_LOCAL_IMAGE_TAG_POSTFIX} + image: zabbix-web-service:${ZABBIX_RHEL_IMAGE_TAG}${ZABBIX_LOCAL_IMAGE_TAG_POSTFIX} + depends_on: + - zabbix-build-mysql + labels: + com.zabbix.os: "${RHEL_OS_TAG}" + + mysql-server: + extends: + file: compose_databases.yaml + service: mysql-server + + db-data-mysql: + extends: + file: compose_databases.yaml + service: db-data-mysql + +# elasticsearch: +# extends: +# file: compose_databases.yaml +# service: elasticsearch + +networks: + zbx_net_frontend: + driver: bridge + driver_opts: + com.docker.network.enable_ipv6: "${FRONTEND_ENABLE_IPV6}" + ipam: + driver: "${FRONTEND_NETWORK_DRIVER}" + config: + - subnet: "${FRONTEND_SUBNET}" + zbx_net_backend: + driver: bridge + driver_opts: + com.docker.network.enable_ipv6: "${BACKEND_ENABLE_IPV6}" + internal: true + ipam: + driver: "${BACKEND_NETWORK_DRIVER}" + config: + - subnet: "${BACKEND_SUBNET}" + zbx_net_database: + driver: bridge + driver_opts: + com.docker.network.enable_ipv6: "${DATABASE_NETWORK_ENABLE_IPV6}" + internal: true + ipam: + driver: "${DATABASE_NETWORK_DRIVER}" + +volumes: + snmptraps: +# 
dbsocket: + +secrets: + MYSQL_USER: + file: ${ENV_VARS_DIRECTORY}/.MYSQL_USER + MYSQL_PASSWORD: + file: ${ENV_VARS_DIRECTORY}/.MYSQL_PASSWORD + MYSQL_ROOT_USER: + file: ${ENV_VARS_DIRECTORY}/.MYSQL_ROOT_USER + MYSQL_ROOT_PASSWORD: + file: ${ENV_VARS_DIRECTORY}/.MYSQL_ROOT_PASSWORD +# client-key.pem: +# file: ${ENV_VARS_DIRECTORY}/.ZBX_DB_KEY_FILE +# client-cert.pem: +# file: ${ENV_VARS_DIRECTORY}/.ZBX_DB_CERT_FILE +# root-ca.pem: +# file: ${ENV_VARS_DIRECTORY}/.ZBX_DB_CA_FILE +# server-cert.pem: +# file: ${ENV_VARS_DIRECTORY}/.DB_CERT_FILE +# server-key.pem: +# file: ${ENV_VARS_DIRECTORY}/.DB_KEY_FILE From ee611f67aac832933fd4a3fa3d5b41df0886defd Mon Sep 17 00:00:00 2001 From: Alexey Pustovalov Date: Thu, 29 Feb 2024 13:23:54 +0900 Subject: [PATCH 05/32] Updated --- .github/workflows/images_build_test.yml | 1020 +++++++++++++++++++++++ build.json | 6 +- 2 files changed, 1024 insertions(+), 2 deletions(-) create mode 100644 .github/workflows/images_build_test.yml diff --git a/.github/workflows/images_build_test.yml b/.github/workflows/images_build_test.yml new file mode 100644 index 000000000..56f5235c0 --- /dev/null +++ b/.github/workflows/images_build_test.yml 
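Review bot: Nothing in this file says that the RHEL build contexts it points at (`./Dockerfiles/<component>/${RHEL_OS_TAG_SHORT}`) need a populated `secrets/` directory and a BuildKit-capable builder. The Dockerfiles changed in patch 03 rely on both through `RUN --mount=type=bind,…,src=secrets/`. A header comment would save a failed first build, for example `# Requires BuildKit and subscription/PKI data in Dockerfiles/<component>/rhel/secrets/ (not committed; see .gitignore)`. Separately, `zbx_net_database` declares an `ipam` driver but no `config`/`subnet`, unlike `zbx_net_frontend` and `zbx_net_backend`; if that is intentional, a one-line comment should say so.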
@@ -0,0 +1,1020 @@ +name: Build images (DockerHub, rhel) + +on: + release: + types: + - published + push: + branches: + - '[0-9]+.[0-9]+' + - 'trunk' + paths: + - 'Dockerfiles/**' + - 'build.json' + - '!**/README.md' + - '!Dockerfiles/*/rhel/*' + - '!Dockerfiles/*/windows/*' + - '.github/workflows/images_build_test.yml' + schedule: + - cron: '50 02 * * *' + workflow_dispatch: + +defaults: + run: + shell: bash + +permissions: + contents: read + +env: + TRUNK_ONLY_EVENT: ${{ contains(fromJSON('["schedule"]'), github.event_name) }} + AUTO_PUSH_IMAGES: ${{ ! contains(fromJSON('["workflow_dispatch"]'), github.event_name) && vars.AUTO_PUSH_IMAGES }} + + DOCKER_REPOSITORY: ${{ vars.DOCKER_REPOSITORY }} + LATEST_BRANCH: ${{ github.event.repository.default_branch }} + TRUNK_GIT_BRANCH: "refs/heads/trunk" + IMAGES_PREFIX: "zabbix-" + + BASE_BUILD_NAME: "build-base" + BASE_CACHE_FILE_NAME: "base_image_metadata.json" + BUILD_CACHE_FILE_NAME: "base_build_image_metadata.json" + + MATRIX_FILE: "build.json" + DOCKERFILES_DIRECTORY: "./Dockerfiles" + + OIDC_ISSUER: "https://token.actions.githubusercontent.com" + IDENTITY_REGEX: "https://github.com/zabbix/zabbix-docker/.github/" + + DOCKER_REGISTRY_TEST: "ghcr.io" + DOCKER_REPOSITORY_TEST: "zabbix" + +jobs: + init_build: + name: Initialize build + runs-on: ubuntu-latest + permissions: + contents: read + outputs: + os: ${{ steps.os.outputs.list }} + database: ${{ steps.database.outputs.list }} + components: ${{ steps.components.outputs.list }} + is_default_branch: ${{ steps.branch_info.outputs.is_default_branch }} + current_branch: ${{ steps.branch_info.outputs.current_branch }} + sha_short: ${{ steps.branch_info.outputs.sha_short }} + steps: + - name: Block egress traffic + uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 + with: + disable-sudo: true + egress-policy: block + allowed-endpoints: > + api.github.com:443 + github.com:443 + objects.githubusercontent.com:443 + + - name: Checkout 
repository + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + with: + ref: ${{ env.TRUNK_ONLY_EVENT == 'true' && env.TRUNK_GIT_BRANCH || '' }} + fetch-depth: 1 + sparse-checkout: ${{ env.MATRIX_FILE }} + + - name: Check ${{ env.MATRIX_FILE }} file + id: build_exists + env: + MATRIX_FILE: ${{ env.MATRIX_FILE }} + run: | + if [[ ! -f "$MATRIX_FILE" ]]; then + echo "::error::File $MATRIX_FILE is missing" + exit 1 + fi + + - name: Prepare Operating System list + id: os + env: + MATRIX_FILE: ${{ env.MATRIX_FILE }} + run: | + os_list=$(jq -r '.["os-linux"] | keys | map(select(. == "rhel")) | [ .[] | tostring ] | @json' "$MATRIX_FILE") + + echo "::group::Operating System List" + echo "$os_list" + echo "::endgroup::" + + echo "list=$os_list" >> $GITHUB_OUTPUT + + - name: Prepare Database engine list + id: database + env: + MATRIX_FILE: ${{ env.MATRIX_FILE }} + run: | + database_list=$(jq -r '[.components | values[].base ] | sort | unique | del(.. | select ( . == "" ) ) | @json' "$MATRIX_FILE") + + echo "::group::Database List" + echo "$database_list" + echo "::endgroup::" + + echo "list=$database_list" >> $GITHUB_OUTPUT + + - name: Prepare Zabbix component list + id: components + env: + MATRIX_FILE: ${{ env.MATRIX_FILE }} + run: | + component_list=$(jq -r '.components | keys | @json' "$MATRIX_FILE") + + echo "::group::Zabbix Component List" + echo "$component_list" + echo "::endgroup::" + + echo "list=$component_list" >> $GITHUB_OUTPUT + + - name: Get branch info + id: branch_info + env: + LATEST_BRANCH: ${{ env.LATEST_BRANCH }} + github_ref: ${{ env.TRUNK_ONLY_EVENT == 'true' && env.TRUNK_GIT_BRANCH || github.ref }} + run: | + result=false + sha_short=$(git rev-parse --short HEAD) + + if [[ "$github_ref" == "refs/tags/"* ]]; then + github_ref=${github_ref%.*} + fi + + github_ref=${github_ref##*/} + + if [[ "$github_ref" == "$LATEST_BRANCH" ]]; then + result=true + fi + + echo "::group::Branch data" + echo "is_default_branch - $result" + echo 
"current_branch - $github_ref" + echo "sha_short - $sha_short" + echo "::endgroup::" + + echo "is_default_branch=$result" >> $GITHUB_OUTPUT + echo "current_branch=$github_ref" >> $GITHUB_OUTPUT + echo "sha_short=$sha_short" >> $GITHUB_OUTPUT + + build_base: + timeout-minutes: 30 + name: Build base on ${{ matrix.os }} + needs: init_build + strategy: + fail-fast: false + matrix: + os: ${{ fromJson(needs.init_build.outputs.os) }} + + runs-on: ubuntu-latest + permissions: + contents: read + id-token: write + packages: write + steps: + - name: Block egress traffic + uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 + with: + disable-sudo: true + egress-policy: block + allowed-endpoints: > + api.github.com:443 + archive.ubuntu.com:80 + atl.mirrors.knownhost.com:443 + atl.mirrors.knownhost.com:80 + auth.docker.io:443 + cdn03.quay.io:443 + centos-stream-distro.1gservers.com:443 + centos-stream-distro.1gservers.com:80 + dfw.mirror.rackspace.com:443 + dfw.mirror.rackspace.com:80 + dl-cdn.alpinelinux.org:443 + download.cf.centos.org:443 + download.cf.centos.org:80 + epel.mirror.constant.com:443 + ftp-nyc.osuosl.org:443 + ftp-nyc.osuosl.org:80 + ftp-osl.osuosl.org:443 + ftp-osl.osuosl.org:80 + ftp.plusline.net:443 + ftp.plusline.net:80 + ftpmirror.your.org:80 + fulcio.sigstore.dev:443 + github.com:443 + ghcr.io:443 + iad.mirror.rackspace.com:443 + iad.mirror.rackspace.com:80 + index.docker.io:443 + lesnet.mm.fcix.net:443 + mirror-mci.yuki.net.uk:443 + mirror-mci.yuki.net.uk:80 + mirror.arizona.edu:443 + mirror.arizona.edu:80 + mirror.dogado.de:443 + mirror.dogado.de:80 + mirror.facebook.net:443 + mirror.facebook.net:80 + mirror.fcix.net:443 + mirror.hoobly.com:443 + mirror.math.princeton.edu:443 + mirror.netzwerge.de:443 + mirror.pilotfiber.com:443 + mirror.pilotfiber.com:80 + mirror.rackspace.com:443 + mirror.rackspace.com:80 + mirror.scaleuptech.com:443 + mirror.scaleuptech.com:80 + mirror.servaxnet.com:443 + mirror.servaxnet.com:80 + 
mirror.siena.edu:80 + mirror.stream.centos.org:443 + mirror.stream.centos.org:80 + mirror.team-cymru.com:443 + mirror.team-cymru.com:80 + mirror1.hs-esslingen.de:443 + mirrors.centos.org:443 + mirrors.fedoraproject.org:443 + mirrors.fedoraproject.org:80 + mirrors.iu13.net:80 + mirrors.mit.edu:443 + mirrors.ocf.berkeley.edu:443 + mirrors.ocf.berkeley.edu:80 + mirrors.sonic.net:443 + mirrors.wcupa.edu:443 + mirrors.wcupa.edu:80 + mirrors.xtom.de:80 + na.edge.kernel.org:443 + nocix.mm.fcix.net:443 + oauth2.sigstore.dev:443 + objects.githubusercontent.com:443 + ports.ubuntu.com:80 + production.cloudflare.docker.com:443 + quay.io:443 + registry-1.docker.io:443 + rekor.sigstore.dev:443 + repo.ialab.dsu.edu:443 + repos.eggycrew.com:443 + repos.eggycrew.com:80 + security.ubuntu.com:80 + tuf-repo-cdn.sigstore.dev:443 + uvermont.mm.fcix.net:443 + yum.oracle.com:443 + ziply.mm.fcix.net:443 + pkg-containers.githubusercontent.com:443 + + - name: Checkout repository + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + with: + ref: ${{ env.TRUNK_ONLY_EVENT == 'true' && env.TRUNK_GIT_BRANCH || '' }} + fetch-depth: 1 + + - name: Install cosign + if: ${{ env.AUTO_PUSH_IMAGES == 'true' }} + uses: sigstore/cosign-installer@e1523de7571e31dbe865fd2e80c5c7c23ae71eb4 + with: + cosign-release: 'v2.2.3' + + - name: Check cosign version + if: ${{ env.AUTO_PUSH_IMAGES == 'true' }} + run: cosign version + + - name: Set up QEMU + uses: docker/setup-qemu-action@68827325e0b33c7199eb31dd4e31fbe9023e06e3 # v3.0.0 + with: + image: tonistiigi/binfmt:latest + platforms: all + + - name: Set up Docker Buildx + uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 # v3.0.0 + with: + driver-opts: image=moby/buildkit:master + + - name: Prepare Platform list + id: platform + env: + MATRIX_OS: ${{ matrix.os }} + MATRIX_FILE: ${{ env.MATRIX_FILE }} + run: | + platform_list=$(jq -r ".[\"os-linux\"].$MATRIX_OS | join(\",\")" "$MATRIX_FILE") + 
platform_list="${platform_list%,}" + + echo "::group::Platform List" + echo "$platform_list" + echo "::endgroup::" + + echo "list=$platform_list" >> $GITHUB_OUTPUT + + - name: Generate tags + id: meta + uses: docker/metadata-action@8e5442c4ef9f78752691e2d8f8d19755c6f78e81 # v5.5.1 + with: + images: | + ${{ format('{0}/{1}/{2}{3}', env.DOCKER_REGISTRY_TEST, env.DOCKER_REPOSITORY_TEST, env.IMAGES_PREFIX, env.BASE_BUILD_NAME ) }},enable=${{ env.AUTO_PUSH_IMAGES != 'true' }} + ${{ format('{0}/{1}{2}', env.DOCKER_REPOSITORY, env.IMAGES_PREFIX, env.BASE_BUILD_NAME ) }},enable=${{ env.AUTO_PUSH_IMAGES == 'true' }} + context: ${{ env.TRUNK_ONLY_EVENT == 'true' && 'git' || '' }} + tags: | + type=semver,enable=${{ needs.init_build.outputs.current_branch != 'trunk' }},pattern={{version}},prefix=${{ matrix.os }}- + type=semver,enable=${{ needs.init_build.outputs.current_branch != 'trunk' }},pattern={{version}},suffix=-${{ matrix.os }} + type=ref,enable=${{ needs.init_build.outputs.current_branch != 'trunk' && !contains(fromJSON('["workflow_dispatch"]'), github.event_name) }},event=branch,prefix=${{ matrix.os }}-,suffix=-latest + type=ref,enable=${{ needs.init_build.outputs.current_branch != 'trunk' && !contains(fromJSON('["workflow_dispatch"]'), github.event_name) }},event=branch,suffix=-${{ matrix.os }}-latest + type=raw,enable=${{ (needs.init_build.outputs.current_branch != 'trunk') && (needs.init_build.outputs.is_default_branch == 'true') }},value=${{matrix.os}}-latest + type=ref,enable=${{ needs.init_build.outputs.current_branch == 'trunk' }},event=branch,prefix=${{ matrix.os }}- + type=ref,enable=${{ needs.init_build.outputs.current_branch == 'trunk' || contains(fromJSON('["workflow_dispatch"]'), github.event_name) }},event=branch,suffix=-${{ matrix.os }} + flavor: | + latest=${{ (matrix.os == 'alpine') && (!contains(fromJSON('["workflow_dispatch"]'), github.event_name)) && ( needs.init_build.outputs.is_default_branch == 'true' ) }} + + - name: Prepare cache data + id: 
cache_data + env: + IMAGE_TAG: ${{ fromJSON(steps.meta.outputs.json).tags[0] }} + PUBLISH_IMAGES: ${{ env.AUTO_PUSH_IMAGES == 'true' }} + run: | + cache_from=() + cache_to=() + + cache_from+=("type=gha,scope=${IMAGE_TAG}") + #cache_from+=("type=registry,ref=${IMAGE_TAG}") + + cache_to+=("type=gha,mode=max,scope=${IMAGE_TAG}") + + echo "::group::Cache from data" + echo "${cache_from[*]}" + echo "::endgroup::" + + echo "::group::Cache to data" + echo "${cache_to[*]}" + echo "::endgroup::" + + cache_from=$(printf '%s\n' "${cache_from[@]}") + cache_to=$(printf '%s\n' "${cache_to[@]}") + + echo 'cache_from<> "$GITHUB_OUTPUT" + echo "$cache_from" >> "$GITHUB_OUTPUT" + echo 'EOF' >> "$GITHUB_OUTPUT" + echo 'cache_to<> "$GITHUB_OUTPUT" + echo "$cache_to" >> "$GITHUB_OUTPUT" + echo 'EOF' >> "$GITHUB_OUTPUT" + + - name: Login to DockerHub + if: ${{ env.AUTO_PUSH_IMAGES == 'true' }} + uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0 + with: + username: ${{ secrets.DOCKER_USERNAME }} + password: ${{ secrets.DOCKER_PASSWORD }} + + - name: Login to ${{ env.DOCKER_REGISTRY_TEST }} + if: ${{ env.AUTO_PUSH_IMAGES != 'true' }} + uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0 + with: + registry: ${{ env.DOCKER_REGISTRY_TEST }} + username: ${{ github.actor }} + password: ${{ secrets.GITHUB_TOKEN }} + + - name: Build and publish image + id: docker_build + uses: docker/build-push-action@4a13e500e55cf31b7a5d59a38ab2040ab0f42f56 # v5.1.0 + with: + context: ${{ format('{0}/{1}/{2}', env.DOCKERFILES_DIRECTORY, env.BASE_BUILD_NAME, matrix.os) }} + file: ${{ format('{0}/{1}/{2}/Dockerfile', env.DOCKERFILES_DIRECTORY, env.BASE_BUILD_NAME, matrix.os) }} + platforms: ${{ steps.platform.outputs.list }} + push: true + provenance: mode=max + sbom: true + tags: ${{ steps.meta.outputs.tags }} + labels: | + org.opencontainers.image.revision=${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.revision'] }} + 
org.opencontainers.image.created=${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.created'] }} + cache-from: ${{ steps.cache_data.outputs.cache_from }} + cache-to: ${{ steps.cache_data.outputs.cache_to }} + + - name: Sign the images with GitHub OIDC Token + if: ${{ env.AUTO_PUSH_IMAGES == 'true' }} + env: + DIGEST: ${{ steps.docker_build.outputs.digest }} + TAGS: ${{ steps.meta.outputs.tags }} + run: | + images="" + for tag in ${TAGS}; do + images+="${tag}@${DIGEST} " + done + + echo "::group::Images to sign" + echo "$images" + echo "::endgroup::" + + echo "::group::Signing" + echo "cosign sign --yes $images" + cosign sign --yes ${images} + echo "::endgroup::" + + - name: Image metadata + env: + CACHE_FILE_NAME: ${{ env.BASE_CACHE_FILE_NAME }} + METADATA: ${{ steps.docker_build.outputs.metadata }} + run: | + echo "::group::Image metadata" + echo "${METADATA}" + echo "::endgroup::" + echo "::group::Cache file name" + echo "${CACHE_FILE_NAME}" + echo "::endgroup::" + + echo "${METADATA}" > "$CACHE_FILE_NAME" + + - name: Cache image metadata + uses: actions/cache@13aacd865c20de90d75de3b17ebe84f7a17d57d2 # v4.0.0 + with: + path: ${{ env.BASE_CACHE_FILE_NAME }} + key: ${{ env.BASE_BUILD_NAME }}-${{ matrix.os }}-${{ github.run_id }} + + build_base_database: + timeout-minutes: 180 + needs: [ "build_base", "init_build"] + name: Build ${{ matrix.build }} base on ${{ matrix.os }} + strategy: + fail-fast: false + matrix: + build: ${{ fromJson(needs.init_build.outputs.database) }} + os: ${{ fromJson(needs.init_build.outputs.os) }} + runs-on: ubuntu-latest + permissions: + contents: read + id-token: write + packages: write + steps: + - name: Block egress traffic + uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 + with: + disable-sudo: true + egress-policy: block + allowed-endpoints: > + api.github.com:443 + auth.docker.io:443 + git.zabbix.com:443 + github.com:443 + go.googlesource.com:443 + go.mongodb.org:443 + 
golang.org:443 + google.golang.org:443 + gopkg.in:443 + ghcr.io:443 + index.docker.io:443 + noto-website.storage.googleapis.com:443 + production.cloudflare.docker.com:443 + proxy.golang.org:443 + registry-1.docker.io:443 + storage.googleapis.com:443 + fulcio.sigstore.dev:443 + oauth2.sigstore.dev:443 + objects.githubusercontent.com:443 + tuf-repo-cdn.sigstore.dev:443 + rekor.sigstore.dev:443 + pkg-containers.githubusercontent.com:443 + + - name: Checkout repository + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + with: + ref: ${{ env.TRUNK_ONLY_EVENT == 'true' && env.TRUNK_GIT_BRANCH || '' }} + fetch-depth: 1 + + - name: Install cosign + if: ${{ env.AUTO_PUSH_IMAGES == 'true' }} + uses: sigstore/cosign-installer@e1523de7571e31dbe865fd2e80c5c7c23ae71eb4 + with: + cosign-release: 'v2.2.3' + + - name: Check cosign version + if: ${{ env.AUTO_PUSH_IMAGES == 'true' }} + run: cosign version + + - name: Set up QEMU + uses: docker/setup-qemu-action@68827325e0b33c7199eb31dd4e31fbe9023e06e3 # v3.0.0 + with: + image: tonistiigi/binfmt:latest + platforms: all + + - name: Set up Docker Buildx + uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 # v3.0.0 + with: + driver-opts: image=moby/buildkit:master + + - name: Prepare Platform list + id: platform + env: + MATRIX_OS: ${{ matrix.os }} + MATRIX_FILE: ${{ env.MATRIX_FILE }} + run: | + platform_list=$(jq -r ".[\"os-linux\"].$MATRIX_OS | join(\",\")" "$MATRIX_FILE") + platform_list="${platform_list%,}" + + echo "::group::Platform List" + echo "$platform_list" + echo "::endgroup::" + + echo "list=$platform_list" >> $GITHUB_OUTPUT + + - name: Generate tags + id: meta + uses: docker/metadata-action@8e5442c4ef9f78752691e2d8f8d19755c6f78e81 # v5.5.1 + with: + images: | + ${{ format('{0}/{1}/{2}{3}', env.DOCKER_REGISTRY_TEST, env.DOCKER_REPOSITORY_TEST, env.IMAGES_PREFIX, matrix.build ) }},enable=${{ env.AUTO_PUSH_IMAGES != 'true' }} + ${{ format('{0}/{1}{2}', env.DOCKER_REPOSITORY, 
env.IMAGES_PREFIX, matrix.build ) }},enable=${{ env.AUTO_PUSH_IMAGES == 'true' }} + context: ${{ env.TRUNK_ONLY_EVENT == 'true' && 'git' || '' }} + tags: | + type=semver,enable=${{ needs.init_build.outputs.current_branch != 'trunk' }},pattern={{version}},prefix=${{ matrix.os }}- + type=semver,enable=${{ needs.init_build.outputs.current_branch != 'trunk' }},pattern={{version}},suffix=-${{ matrix.os }} + type=ref,enable=${{ needs.init_build.outputs.current_branch != 'trunk' && (!contains(fromJSON('["workflow_dispatch"]'), github.event_name)) }},event=branch,prefix=${{ matrix.os }}-,suffix=-latest + type=ref,enable=${{ needs.init_build.outputs.current_branch != 'trunk' && (!contains(fromJSON('["workflow_dispatch"]'), github.event_name)) }},event=branch,suffix=-${{ matrix.os }}-latest + type=raw,enable=${{ (needs.init_build.outputs.current_branch != 'trunk') && (needs.init_build.outputs.is_default_branch == 'true') }},value=${{matrix.os}}-latest + type=ref,enable=${{ needs.init_build.outputs.current_branch == 'trunk' }},event=branch,prefix=${{ matrix.os }}- + type=ref,enable=${{ needs.init_build.outputs.current_branch == 'trunk' || contains(fromJSON('["workflow_dispatch"]'), github.event_name) }},event=branch,suffix=-${{ matrix.os }} + flavor: | + latest=${{ (matrix.os == 'alpine') && (!contains(fromJSON('["workflow_dispatch"]'), github.event_name)) && ( needs.init_build.outputs.is_default_branch == 'true' ) }} + + - name: Download metadata of ${{ env.BASE_BUILD_NAME }}:${{ matrix.os }} + uses: actions/cache@13aacd865c20de90d75de3b17ebe84f7a17d57d2 # v4.0.0 + with: + path: ${{ env.BASE_CACHE_FILE_NAME }} + key: ${{ env.BASE_BUILD_NAME }}-${{ matrix.os }}-${{ github.run_id }} + + - name: Process ${{ env.BASE_BUILD_NAME }}:${{ matrix.os }} image metadata + id: base_build + env: + CACHE_FILE_NAME: ${{ env.BASE_CACHE_FILE_NAME }} + run: | + echo "::group::Base image metadata" + cat "${CACHE_FILE_NAME}" + echo "::endgroup::" + + IMAGE_DIGEST=$(jq -r 
'."containerimage.digest"' "${CACHE_FILE_NAME}") + IMAGE_NAME=$(jq -r '."image.name"' "${CACHE_FILE_NAME}" | cut -d: -f1) + + echo "base_build_image=${IMAGE_NAME}@${IMAGE_DIGEST}" >> $GITHUB_OUTPUT + + - name: Verify ${{ env.BASE_BUILD_NAME }}:${{ matrix.os }} cosign + if: ${{ env.AUTO_PUSH_IMAGES == 'true' }} + env: + BASE_IMAGE: ${{ steps.base_build.outputs.base_build_image }} + OIDC_ISSUER: ${{ env.OIDC_ISSUER }} + IDENTITY_REGEX: ${{ env.IDENTITY_REGEX }} + run: | + echo "::group::Image sign data" + echo "OIDC issuer=$OIDC_ISSUER" + echo "Identity=$IDENTITY_REGEX" + echo "Image to verify=$BASE_IMAGE" + echo "::endgroup::" + + echo "::group::Verify signature" + cosign verify \ + --certificate-oidc-issuer-regexp "$OIDC_ISSUER" \ + --certificate-identity-regexp "$IDENTITY_REGEX" \ + "$BASE_IMAGE" + echo "::endgroup::" + + - name: Prepare cache data + id: cache_data + env: + BASE_IMAGE_TAG: ${{ steps.base_build.outputs.base_build_image }} + IMAGE_TAG: ${{ fromJSON(steps.meta.outputs.json).tags[0] }} + PUBLISH_IMAGES: ${{ env.AUTO_PUSH_IMAGES == 'true' }} + run: | + cache_from=() + cache_to=() + + cache_from+=("type=gha,scope=${BASE_IMAGE_TAG}") + cache_from+=("type=registry,ref=${BASE_IMAGE_TAG}") + cache_from+=("type=gha,scope=${IMAGE_TAG}") + cache_from+=("type=registry,ref=${IMAGE_TAG}") + + cache_to+=("type=gha,mode=max,scope=${IMAGE_TAG}") + + echo "::group::Cache from data" + echo "${cache_from[*]}" + echo "::endgroup::" + + echo "::group::Cache to data" + echo "${cache_to[*]}" + echo "::endgroup::" + + cache_from=$(printf '%s\n' "${cache_from[@]}") + cache_to=$(printf '%s\n' "${cache_to[@]}") + + echo 'cache_from<> "$GITHUB_OUTPUT" + echo "$cache_from" >> "$GITHUB_OUTPUT" + echo 'EOF' >> "$GITHUB_OUTPUT" + echo 'cache_to<> "$GITHUB_OUTPUT" + echo "$cache_to" >> "$GITHUB_OUTPUT" + echo 'EOF' >> "$GITHUB_OUTPUT" + + - name: Login to DockerHub + if: ${{ env.AUTO_PUSH_IMAGES == 'true' }} + uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # 
v3.0.0 + with: + username: ${{ secrets.DOCKER_USERNAME }} + password: ${{ secrets.DOCKER_PASSWORD }} + + - name: Login to ${{ env.DOCKER_REGISTRY_TEST }} + if: ${{ env.AUTO_PUSH_IMAGES != 'true' }} + uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0 + with: + registry: ${{ env.DOCKER_REGISTRY_TEST }} + username: ${{ github.actor }} + password: ${{ secrets.GITHUB_TOKEN }} + + - name: Build ${{ matrix.build }}/${{ matrix.os }} and push + id: docker_build + uses: docker/build-push-action@4a13e500e55cf31b7a5d59a38ab2040ab0f42f56 # v5.1.0 + with: + context: ${{ format('{0}/{1}/{2}/', env.DOCKERFILES_DIRECTORY, matrix.build, matrix.os) }} + file: ${{ format('{0}/{1}/{2}/Dockerfile', env.DOCKERFILES_DIRECTORY, matrix.build, matrix.os) }} + platforms: ${{ steps.platform.outputs.list }} + push: true + provenance: mode=max + sbom: true + tags: ${{ steps.meta.outputs.tags }} + build-args: BUILD_BASE_IMAGE=${{ steps.base_build.outputs.base_build_image }} + labels: | + org.opencontainers.image.revision=${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.revision'] }} + org.opencontainers.image.created=${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.created'] }} + + - name: Sign the images with GitHub OIDC Token + if: ${{ env.AUTO_PUSH_IMAGES == 'true' }} + env: + DIGEST: ${{ steps.docker_build.outputs.digest }} + TAGS: ${{ steps.meta.outputs.tags }} + run: | + images="" + for tag in ${TAGS}; do + images+="${tag}@${DIGEST} " + done + + echo "::group::Images to sign" + echo "$images" + echo "::endgroup::" + + echo "::group::Signing" + echo "cosign sign --yes $images" + cosign sign --yes ${images} + echo "::endgroup::" + + - name: Image metadata + env: + CACHE_FILE_NAME: ${{ env.BUILD_CACHE_FILE_NAME }} + METADATA: ${{ steps.docker_build.outputs.metadata }} + run: | + echo "::group::Image metadata" + echo "${METADATA}" + echo "::endgroup::" + echo "::group::Cache file name" + echo "${CACHE_FILE_NAME}" + echo 
"::endgroup::" + + echo "${METADATA}" > "$CACHE_FILE_NAME" + + - name: Cache image metadata + uses: actions/cache@13aacd865c20de90d75de3b17ebe84f7a17d57d2 # v4.0.0 + with: + path: ${{ env.BUILD_CACHE_FILE_NAME }} + key: ${{ matrix.build }}-${{ matrix.os }}-${{ github.run_id }} + + build_images: + timeout-minutes: 90 + needs: [ "build_base_database", "init_build"] + name: Build ${{ matrix.build }} on ${{ matrix.os }} + strategy: + fail-fast: false + matrix: + build: ${{ fromJson(needs.init_build.outputs.components) }} + os: ${{ fromJson(needs.init_build.outputs.os) }} + + runs-on: ubuntu-latest + permissions: + contents: read + id-token: write + packages: write + steps: + - name: Block egress traffic + uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 + with: + disable-sudo: true + egress-policy: block + allowed-endpoints: > + api.github.com:443 + auth.docker.io:443 + dl-cdn.alpinelinux.org:443 + github.com:443 + index.docker.io:443 + production.cloudflare.docker.com:443 + registry-1.docker.io:443 + fulcio.sigstore.dev:443 + objects.githubusercontent.com:443 + tuf-repo-cdn.sigstore.dev:443 + rekor.sigstore.dev:443 + api.github.com:443 + atl.mirrors.knownhost.com:443 + atl.mirrors.knownhost.com:80 + auth.docker.io:443 + cdn03.quay.io:443 + centos-stream-distro.1gservers.com:443 + centos-stream-distro.1gservers.com:80 + d2lzkl7pfhq30w.cloudfront.net:443 + epel.mirror.constant.com:80 + forksystems.mm.fcix.net:80 + ftp-nyc.osuosl.org:443 + ftp-nyc.osuosl.org:80 + ftp-osl.osuosl.org:443 + ftp-osl.osuosl.org:80 + ftp.plusline.net:80 + ftpmirror.your.org:80 + github.com:443 + iad.mirror.rackspace.com:443 + index.docker.io:443 + ix-denver.mm.fcix.net:443 + mirror-mci.yuki.net.uk:443 + mirror.23m.com:80 + mirror.arizona.edu:80 + mirror.dal.nexril.net:80 + mirror.de.leaseweb.net:80 + mirror.dogado.de:80 + mirror.facebook.net:80 + mirror.hoobly.com:80 + mirror.math.princeton.edu:80 + mirror.netcologne.de:443 + mirror.netzwerge.de:443 + 
mirror.pilotfiber.com:443 + mirror.pilotfiber.com:80 + mirror.rackspace.com:443 + mirror.rackspace.com:80 + mirror.scaleuptech.com:443 + mirror.servaxnet.com:443 + mirror.servaxnet.com:80 + mirror.sfo12.us.leaseweb.net:80 + mirror.siena.edu:80 + mirror.steadfastnet.com:80 + mirror.team-cymru.com:443 + mirror.team-cymru.com:80 + mirror.umd.edu:443 + mirror1.hs-esslingen.de:443 + mirrors.centos.org:443 + mirrors.fedoraproject.org:443 + mirrors.iu13.net:443 + mirrors.iu13.net:80 + mirrors.ocf.berkeley.edu:443 + mirrors.sonic.net:80 + mirrors.syringanetworks.net:80 + mirrors.vcea.wsu.edu:80 + mirrors.wcupa.edu:80 + mirrors.xtom.de:80 + na.edge.kernel.org:443 + nnenix.mm.fcix.net:80 + ohioix.mm.fcix.net:80 + production.cloudflare.docker.com:443 + pubmirror1.math.uh.edu:443 + pubmirror3.math.uh.edu:80 + quay.io:443 + ghcr.io:443 + registry-1.docker.io:443 + repo.ialab.dsu.edu:80 + repos.eggycrew.com:80 + uvermont.mm.fcix.net:80 + ziply.mm.fcix.net:443 + fulcio.sigstore.dev:443 + objects.githubusercontent.com:443 + tuf-repo-cdn.sigstore.dev:443 + rekor.sigstore.dev:443 + oauth2.sigstore.dev:443 + api.github.com:443 + auth.docker.io:443 + github.com:443 + index.docker.io:443 + production.cloudflare.docker.com:443 + registry-1.docker.io:443 + yum.oracle.com:443 + fulcio.sigstore.dev:443 + objects.githubusercontent.com:443 + tuf-repo-cdn.sigstore.dev:443 + rekor.sigstore.dev:443 + api.github.com:443 + archive.ubuntu.com:80 + auth.docker.io:443 + deb.debian.org:80 + github.com:443 + index.docker.io:443 + keyserver.ubuntu.com:11371 + nginx.org:443 + nginx.org:80 + ports.ubuntu.com:80 + production.cloudflare.docker.com:443 + registry-1.docker.io:443 + security.ubuntu.com:80 + fulcio.sigstore.dev:443 + objects.githubusercontent.com:443 + tuf-repo-cdn.sigstore.dev:443 + rekor.sigstore.dev:443 + pkg-containers.githubusercontent.com:443 + + - name: Checkout repository + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + with: + ref: ${{ env.TRUNK_ONLY_EVENT 
== 'true' && env.TRUNK_GIT_BRANCH || '' }} + fetch-depth: 1 + + - name: Install cosign + if: ${{ env.AUTO_PUSH_IMAGES == 'true' }} + uses: sigstore/cosign-installer@e1523de7571e31dbe865fd2e80c5c7c23ae71eb4 + with: + cosign-release: 'v2.2.3' + + - name: Check cosign version + if: ${{ env.AUTO_PUSH_IMAGES == 'true' }} + run: cosign version + + - name: Set up QEMU + uses: docker/setup-qemu-action@68827325e0b33c7199eb31dd4e31fbe9023e06e3 # v3.0.0 + with: + image: tonistiigi/binfmt:latest + platforms: all + + - name: Set up Docker Buildx + uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 # v3.0.0 + with: + driver-opts: image=moby/buildkit:master + + - name: Prepare Platform list + id: platform + env: + MATRIX_OS: ${{ matrix.os }} + MATRIX_BUILD: ${{ matrix.build }} + MATRIX_FILE: ${{ env.MATRIX_FILE }} + run: | + # Chromium on Alpine is available only on linux/amd64, linux/arm64 platforms + if ([ "$MATRIX_OS" == "alpine" ] || [ "$MATRIX_OS" == "centos" ]) && [ "$MATRIX_BUILD" == "web-service" ]; then + platform_list="linux/amd64,linux/arm64" + # Chromium on Ubuntu is not available on s390x platform + elif [ "$MATRIX_OS" == "ubuntu" ] && [ "$MATRIX_BUILD" == "web-service" ]; then + platform_list="linux/amd64,linux/arm/v7,linux/arm64" + else + platform_list=$(jq -r ".[\"os-linux\"].\"$MATRIX_OS\" | join(\",\")" "$MATRIX_FILE") + fi + + # Build only Agent and Agent2 on 386 + if [ "$MATRIX_BUILD" != "agent"* ]; then + platform_list="${platform_list#linux/386,}" + fi + + platform_list="${platform_list%,}" + + echo "::group::Platform List" + echo "$platform_list" + echo "::endgroup::" + + echo "list=$platform_list" >> $GITHUB_OUTPUT + + - name: Detect Build Base Image + id: build_base_image + env: + MATRIX_BUILD: ${{ matrix.build }} + MATRIX_FILE: ${{ env.MATRIX_FILE }} + run: | + BUILD_BASE=$(jq -r ".components.\"$MATRIX_BUILD\".base" "$MATRIX_FILE") + + echo "::group::Base Build Image" + echo "$BUILD_BASE" + echo "::endgroup::" + + echo 
"build_base=${BUILD_BASE}" >> $GITHUB_OUTPUT + + - name: Generate tags + id: meta + uses: docker/metadata-action@8e5442c4ef9f78752691e2d8f8d19755c6f78e81 # v5.5.1 + with: + images: | + ${{ format('{0}/{1}/{2}{3}', env.DOCKER_REGISTRY_TEST, env.DOCKER_REPOSITORY_TEST, env.IMAGES_PREFIX, matrix.build ) }},enable=${{ env.AUTO_PUSH_IMAGES != 'true' }} + ${{ format('{0}/{1}{2}', env.DOCKER_REPOSITORY, env.IMAGES_PREFIX, matrix.build ) }},enable=${{ env.AUTO_PUSH_IMAGES == 'true' }} + context: ${{ env.TRUNK_ONLY_EVENT == 'true' && 'git' || '' }} + tags: | + type=semver,enable=${{ needs.init_build.outputs.current_branch != 'trunk' }},pattern={{version}},prefix=${{ matrix.os }}- + type=semver,enable=${{ needs.init_build.outputs.current_branch != 'trunk' }},pattern={{version}},suffix=-${{ matrix.os }} + type=ref,enable=${{ needs.init_build.outputs.current_branch != 'trunk' && !contains(fromJSON('["workflow_dispatch"]'), github.event_name) }},event=branch,prefix=${{ matrix.os }}-,suffix=-latest + type=ref,enable=${{ needs.init_build.outputs.current_branch != 'trunk' && !contains(fromJSON('["workflow_dispatch"]'), github.event_name) }},event=branch,suffix=-${{ matrix.os }}-latest + type=raw,enable=${{ (needs.init_build.outputs.current_branch != 'trunk') && (needs.init_build.outputs.is_default_branch == 'true') }},value=${{matrix.os}}-latest + type=ref,enable=${{ needs.init_build.outputs.current_branch == 'trunk' }},event=branch,prefix=${{ matrix.os }}- + type=ref,enable=${{ needs.init_build.outputs.current_branch == 'trunk' || contains(fromJSON('["workflow_dispatch"]'), github.event_name) }},event=branch,suffix=-${{ matrix.os }} + flavor: | + latest=${{ (matrix.os == 'alpine') && (!contains(fromJSON('["workflow_dispatch"]'), github.event_name)) && ( needs.init_build.outputs.is_default_branch == 'true' ) }} + + - name: Download metadata of ${{ steps.build_base_image.outputs.build_base }}:${{ matrix.os }} + uses: actions/cache@13aacd865c20de90d75de3b17ebe84f7a17d57d2 # v4.0.0 + 
if: ${{ matrix.build != 'snmptraps' }} + with: + path: ${{ env.BUILD_CACHE_FILE_NAME }} + key: ${{ steps.build_base_image.outputs.build_base }}-${{ matrix.os }}-${{ github.run_id }} + + - name: Process ${{ steps.build_base_image.outputs.build_base }}:${{ matrix.os }} image metadata + id: base_build + if: ${{ matrix.build != 'snmptraps' }} + env: + CACHE_FILE_NAME: ${{ env.BUILD_CACHE_FILE_NAME }} + run: | + echo "::group::Base build image metadata" + cat "${CACHE_FILE_NAME}" + echo "::endgroup::" + + IMAGE_DIGEST=$(jq -r '."containerimage.digest"' "${CACHE_FILE_NAME}") + IMAGE_NAME=$(jq -r '."image.name"' "${CACHE_FILE_NAME}" | cut -d: -f1) + + echo "base_build_image=${IMAGE_NAME}@${IMAGE_DIGEST}" >> $GITHUB_OUTPUT + + - name: Verify ${{ steps.build_base_image.outputs.build_base }}:${{ matrix.os }} cosign + if: ${{ matrix.build != 'snmptraps' && env.AUTO_PUSH_IMAGES == 'true' }} + env: + BASE_IMAGE: ${{ steps.base_build.outputs.base_build_image }} + OIDC_ISSUER: ${{ env.OIDC_ISSUER }} + IDENTITY_REGEX: ${{ env.IDENTITY_REGEX }} + run: | + echo "::group::Image sign data" + echo "OIDC issuer=${OIDC_ISSUER}" + echo "Identity=${IDENTITY_REGEX}" + echo "Image to verify=${BASE_IMAGE}" + echo "::endgroup::" + + echo "::group::Verify signature" + cosign verify \ + --certificate-oidc-issuer-regexp "${OIDC_ISSUER}" \ + --certificate-identity-regexp "${IDENTITY_REGEX}" \ + "${BASE_IMAGE}" + echo "::endgroup::" + + - name: Prepare cache data + if: ${{ matrix.build != 'snmptraps' }} + id: cache_data + env: + BASE_IMAGE_TAG: ${{ steps.base_build.outputs.base_build_image }} + run: | + cache_from=() + cache_to=() + + cache_from+=("type=registry,ref=${BASE_IMAGE_TAG}") + + echo "::group::Cache from data" + echo "${cache_from[*]}" + echo "::endgroup::" + + cache_from=$(printf '%s\n' "${cache_from[@]}") + + echo 'cache_from<> "$GITHUB_OUTPUT" + echo "$cache_from" >> "$GITHUB_OUTPUT" + echo 'EOF' >> "$GITHUB_OUTPUT" + + - name: Login to DockerHub + if: ${{ env.AUTO_PUSH_IMAGES == 
'true' }} + uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0 + with: + username: ${{ secrets.DOCKER_USERNAME }} + password: ${{ secrets.DOCKER_PASSWORD }} + + - name: Build and push image + id: docker_build + uses: docker/build-push-action@4a13e500e55cf31b7a5d59a38ab2040ab0f42f56 # v5.1.0 + with: + context: ${{ format('{0}/{1}/{2}', env.DOCKERFILES_DIRECTORY, matrix.build, matrix.os) }} + file: ${{ format('{0}/{1}/{2}/Dockerfile', env.DOCKERFILES_DIRECTORY, matrix.build, matrix.os) }} + platforms: ${{ steps.platform.outputs.list }} + push: ${{ env.AUTO_PUSH_IMAGES == 'true' }} + provenance: mode=max + sbom: ${{ env.AUTO_PUSH_IMAGES == 'true' }} + tags: ${{ steps.meta.outputs.tags }} + build-args: BUILD_BASE_IMAGE=${{ steps.base_build.outputs.base_build_image }} + labels: | + org.opencontainers.image.revision=${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.revision'] }} + org.opencontainers.image.created=${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.created'] }} + + - name: Sign the images with GitHub OIDC Token + if: ${{ env.AUTO_PUSH_IMAGES == 'true' }} + env: + DIGEST: ${{ steps.docker_build.outputs.digest }} + TAGS: ${{ steps.meta.outputs.tags }} + run: | + images="" + for tag in ${TAGS}; do + images+="${tag}@${DIGEST} " + done + + echo "::group::Images to sign" + echo "$images" + echo "::endgroup::" + + echo "::group::Signing" + echo "cosign sign --yes $images" + cosign sign --yes ${images} + echo "::endgroup::" + + - name: Image metadata + if: ${{ env.AUTO_PUSH_IMAGES == 'true' }} + env: + METADATA: ${{ steps.docker_build.outputs.metadata }} + run: | + echo "::group::Image metadata" + echo "${METADATA}" + echo "::endgroup::" diff --git a/build.json b/build.json index 8ead4ad34..1616e5a81 100644 --- a/build.json +++ b/build.json 
@@ -16,8 +16,10 @@ "linux/arm64" ], "rhel": [ - "X64", - "ARM64" + "linux/amd64", + "linux/arm64", + "linux/ppc64le", + "linux/s390x" ], "ubuntu": [ "linux/amd64", From cc789f29d2a135cbd96f3f9369325ffdea8692b2 Mon Sep 17 00:00:00 2001 From: Alexey Pustovalov Date: Thu, 29 Feb 2024 13:26:35 +0900 Subject: [PATCH 06/32] Updated --- .github/workflows/images_build_test.yml | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/.github/workflows/images_build_test.yml b/.github/workflows/images_build_test.yml index 56f5235c0..df77203b3 100644 --- a/.github/workflows/images_build_test.yml +++ b/.github/workflows/images_build_test.yml @@ -8,12 +8,11 @@ on: branches: - '[0-9]+.[0-9]+' - 'trunk' + - 'trunk_rhel' paths: - - 'Dockerfiles/**' - 'build.json' - '!**/README.md' - - '!Dockerfiles/*/rhel/*' - - '!Dockerfiles/*/windows/*' + - 'Dockerfiles/*/rhel/*' - '.github/workflows/images_build_test.yml' schedule: - cron: '50 02 * * *' From 1e7693d8816813e7e18f1dddc9e88bf8c323341b Mon Sep 17 00:00:00 2001 From: Alexey Pustovalov Date: Thu, 29 Feb 2024 13:30:55 +0900 Subject: [PATCH 07/32] Updated --- .github/workflows/images_build_test.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/images_build_test.yml b/.github/workflows/images_build_test.yml index df77203b3..db7564339 100644 --- a/.github/workflows/images_build_test.yml +++ b/.github/workflows/images_build_test.yml @@ -165,7 +165,7 @@ jobs: matrix: os: ${{ fromJson(needs.init_build.outputs.os) }} - runs-on: ubuntu-latest + runs-on: runs-on: [self-hosted, ubuntu] permissions: contents: read id-token: write @@ -175,7 +175,7 @@ jobs: uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 with: disable-sudo: true - egress-policy: block + egress-policy: audit allowed-endpoints: > api.github.com:443 archive.ubuntu.com:80 From a29363e3c2120bf660cf3bbce07703c779e27b65 Mon Sep 17 00:00:00 2001 
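Review bot: Changing `egress-policy: block` to `egress-policy: audit` in the second hunk of PATCH 07 leaves the `allowed-endpoints` list under it unenforced, so outbound connections from this job are only logged. The first hunk of the same commit moves the job to a self-hosted runner while its context still shows `id-token: write`, so a compromised build dependency could reach any host from a machine that presumably persists between runs. I would keep `egress-policy: block` and extend `allowed-endpoints` with the hosts the RHEL build needs; they are not visible here and would have to come from one audit run. The same `block` to `audit` change is repeated for the `build_images` job in PATCH 14. The job body starts and ends outside both hunks.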
From: Alexey Pustovalov Date: Thu, 29 Feb 2024 13:31:53 +0900 Subject: [PATCH 08/32] Updated --- .github/workflows/images_build_test.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/images_build_test.yml b/.github/workflows/images_build_test.yml index db7564339..20e7a847e 100644 --- a/.github/workflows/images_build_test.yml +++ b/.github/workflows/images_build_test.yml @@ -165,7 +165,7 @@ jobs: matrix: os: ${{ fromJson(needs.init_build.outputs.os) }} - runs-on: runs-on: [self-hosted, ubuntu] + runs-on: [self-hosted, linux, ubuntu] permissions: contents: read id-token: write From 90f7fa9c665db0c3c561a17fa75bacf95375d5e4 Mon Sep 17 00:00:00 2001 From: Alexey Pustovalov Date: Thu, 29 Feb 2024 14:39:25 +0900 Subject: [PATCH 09/32] Updated --- .github/workflows/images_build_test.yml | 7 +------ 1 file changed, 1 insertion(+), 6 deletions(-) diff --git a/.github/workflows/images_build_test.yml b/.github/workflows/images_build_test.yml index 20e7a847e..72ea2f331 100644 --- a/.github/workflows/images_build_test.yml +++ b/.github/workflows/images_build_test.yml @@ -277,16 +277,11 @@ jobs: if: ${{ env.AUTO_PUSH_IMAGES == 'true' }} run: cosign version - - name: Set up QEMU - uses: docker/setup-qemu-action@68827325e0b33c7199eb31dd4e31fbe9023e06e3 # v3.0.0 - with: - image: tonistiigi/binfmt:latest - platforms: all - - name: Set up Docker Buildx uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 # v3.0.0 with: driver-opts: image=moby/buildkit:master + install: true - name: Prepare Platform list id: platform From 67f8360ce2f60d5ac693066087ad32f2a59876ac Mon Sep 17 00:00:00 2001 From: Alexey Pustovalov Date: Thu, 29 Feb 2024 14:49:24 +0900 Subject: [PATCH 10/32] Updated --- .github/workflows/images_build_test.yml | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/.github/workflows/images_build_test.yml b/.github/workflows/images_build_test.yml index 72ea2f331..a86c29d6d 100644 
--- a/.github/workflows/images_build_test.yml +++ b/.github/workflows/images_build_test.yml @@ -27,7 +27,8 @@ permissions: env: TRUNK_ONLY_EVENT: ${{ contains(fromJSON('["schedule"]'), github.event_name) }} - AUTO_PUSH_IMAGES: ${{ ! contains(fromJSON('["workflow_dispatch"]'), github.event_name) && vars.AUTO_PUSH_IMAGES }} +# AUTO_PUSH_IMAGES: ${{ ! contains(fromJSON('["workflow_dispatch"]'), github.event_name) && vars.AUTO_PUSH_IMAGES }} + AUTO_PUSH_IMAGES: false DOCKER_REPOSITORY: ${{ vars.DOCKER_REPOSITORY }} LATEST_BRANCH: ${{ github.event.repository.default_branch }} @@ -364,6 +365,12 @@ jobs: username: ${{ github.actor }} password: ${{ secrets.GITHUB_TOKEN }} + - env: + CONTEXT: ${{ format('{0}/{1}/{2}', env.DOCKERFILES_DIRECTORY, env.BASE_BUILD_NAME, matrix.os) }} + run: | + cp -R /tmp/secrets/ $CONTEXT/ + ls -lah $CONTEXT/ + - name: Build and publish image id: docker_build uses: docker/build-push-action@4a13e500e55cf31b7a5d59a38ab2040ab0f42f56 # v5.1.0 From 7ed03b6b94d55d9be13066e30b1156a992cf0ed3 Mon Sep 17 00:00:00 2001 From: Alexey Pustovalov Date: Thu, 29 Feb 2024 14:50:07 +0900 Subject: [PATCH 11/32] Updated --- .github/workflows/images_build_test.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/images_build_test.yml b/.github/workflows/images_build_test.yml index a86c29d6d..034aef75c 100644 --- a/.github/workflows/images_build_test.yml +++ b/.github/workflows/images_build_test.yml @@ -365,9 +365,9 @@ jobs: username: ${{ github.actor }} password: ${{ secrets.GITHUB_TOKEN }} - - env: - CONTEXT: ${{ format('{0}/{1}/{2}', env.DOCKERFILES_DIRECTORY, env.BASE_BUILD_NAME, matrix.os) }} - run: | + - env: + CONTEXT: ${{ format('{0}/{1}/{2}', env.DOCKERFILES_DIRECTORY, env.BASE_BUILD_NAME, matrix.os) }} + run: | cp -R /tmp/secrets/ $CONTEXT/ ls -lah $CONTEXT/ From f07a8c4e0bac86f4250eb758f3d097e8ebe3835d Mon Sep 17 00:00:00 2001 
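Review bot: The step added in the second hunk of PATCH 10 copies `/tmp/secrets/` from the runner into the Docker build context, and nothing removes the copy afterwards. PATCH 14 later names the step "Copy RedHat subscription", so this is entitlement material sitting in the checked-out workspace, where any `COPY` of the context directory would put it into a pushed layer. BuildKit secret mounts (`--mount=type=secret` in the Dockerfile, the `secret-files` input of `docker/build-push-action`) would keep it out of the context, provided the data can be listed as individual files, which is not visible here. Independently of that, the path should be quoted: `cp -R /tmp/secrets/ "$CONTEXT/"`.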
From: Alexey Pustovalov Date: Thu, 29 Feb 2024 18:29:01 +0900 Subject: [PATCH 12/32] Updated --- .github/workflows/images_build_test.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/.github/workflows/images_build_test.yml b/.github/workflows/images_build_test.yml index 034aef75c..e8834e18d 100644 --- a/.github/workflows/images_build_test.yml +++ b/.github/workflows/images_build_test.yml @@ -437,6 +437,9 @@ jobs: matrix: build: ${{ fromJson(needs.init_build.outputs.database) }} os: ${{ fromJson(needs.init_build.outputs.os) }} + exclude: + - build: build-pgsql + os: rhel runs-on: ubuntu-latest permissions: contents: read From 5915ead4bfb101273067cdd42fc4d00d71df3502 Mon Sep 17 00:00:00 2001 From: Alexey Pustovalov Date: Thu, 29 Feb 2024 19:08:36 +0900 Subject: [PATCH 13/32] Updated --- .github/workflows/images_build_test.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/.github/workflows/images_build_test.yml b/.github/workflows/images_build_test.yml index e8834e18d..eed6ce36d 100644 --- a/.github/workflows/images_build_test.yml +++ b/.github/workflows/images_build_test.yml @@ -369,7 +369,6 @@ jobs: CONTEXT: ${{ format('{0}/{1}/{2}', env.DOCKERFILES_DIRECTORY, env.BASE_BUILD_NAME, matrix.os) }} run: | cp -R /tmp/secrets/ $CONTEXT/ - ls -lah $CONTEXT/ - name: Build and publish image id: docker_build From 855f6fd0c204718beb3eba364397e91b88f35cf4 Mon Sep 17 00:00:00 2001 From: Alexey Pustovalov Date: Thu, 29 Feb 2024 21:13:01 +0900 Subject: [PATCH 14/32] Updated --- .github/workflows/images_build_test.yml | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/.github/workflows/images_build_test.yml b/.github/workflows/images_build_test.yml index eed6ce36d..f735f670f 100644 --- a/.github/workflows/images_build_test.yml +++ b/.github/workflows/images_build_test.yml 
@@ -120,7 +120,7 @@ jobs: env: MATRIX_FILE: ${{ env.MATRIX_FILE }} run: | - component_list=$(jq -r '.components | keys | @json' "$MATRIX_FILE") + component_list=$(jq -r '.components | map_values(select(.rhel == true)) | keys | @json' "$MATRIX_FILE") echo "::group::Zabbix Component List" echo "$component_list" @@ -365,7 +365,8 @@ jobs: username: ${{ github.actor }} password: ${{ secrets.GITHUB_TOKEN }} - - env: + - name: Copy RedHat subscription + env: CONTEXT: ${{ format('{0}/{1}/{2}', env.DOCKERFILES_DIRECTORY, env.BASE_BUILD_NAME, matrix.os) }} run: | cp -R /tmp/secrets/ $CONTEXT/ @@ -379,7 +380,7 @@ jobs: platforms: ${{ steps.platform.outputs.list }} push: true provenance: mode=max - sbom: true + sbom: ${{ env.AUTO_PUSH_IMAGES == 'true' }} tags: ${{ steps.meta.outputs.tags }} labels: | org.opencontainers.image.revision=${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.revision'] }} @@ -691,7 +692,7 @@ jobs: build: ${{ fromJson(needs.init_build.outputs.components) }} os: ${{ fromJson(needs.init_build.outputs.os) }} - runs-on: ubuntu-latest + runs-on: [self-hosted, linux, ubuntu] permissions: contents: read id-token: write @@ -701,7 +702,7 @@ jobs: uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 with: disable-sudo: true - egress-policy: block + egress-policy: audit allowed-endpoints: > api.github.com:443 auth.docker.io:443 From ce63d317e78e6b817f50e8ab25659f0e6f356d24 Mon Sep 17 00:00:00 2001 From: Alexey Pustovalov Date: Thu, 29 Feb 2024 23:57:46 +0900 Subject: [PATCH 15/32] Updated --- .github/workflows/images_build_test.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/images_build_test.yml b/.github/workflows/images_build_test.yml index f735f670f..709e27574 100644 --- a/.github/workflows/images_build_test.yml +++ b/.github/workflows/images_build_test.yml 
@@ -835,6 +835,7 @@ jobs: run: cosign version - name: Set up QEMU + if: ${{ matrix.os != 'rhel' }} uses: docker/setup-qemu-action@68827325e0b33c7199eb31dd4e31fbe9023e06e3 # v3.0.0 with: image: tonistiigi/binfmt:latest From 4f03f39644a7311a7c70f7c7619948290c4b63db Mon Sep 17 00:00:00 2001 From: Alexey Pustovalov Date: Fri, 1 Mar 2024 02:19:34 +0900 Subject: [PATCH 16/32] Updated --- .github/workflows/images_build_test.yml | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/.github/workflows/images_build_test.yml b/.github/workflows/images_build_test.yml index 709e27574..ca31ebc22 100644 --- a/.github/workflows/images_build_test.yml +++ b/.github/workflows/images_build_test.yml @@ -979,6 +979,14 @@ jobs: username: ${{ secrets.DOCKER_USERNAME }} password: ${{ secrets.DOCKER_PASSWORD }} + - name: Login to ${{ env.DOCKER_REGISTRY_TEST }} + if: ${{ env.AUTO_PUSH_IMAGES != 'true' }} + uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0 + with: + registry: ${{ env.DOCKER_REGISTRY_TEST }} + username: ${{ github.actor }} + password: ${{ secrets.GITHUB_TOKEN }} + - name: Build and push image id: docker_build uses: docker/build-push-action@4a13e500e55cf31b7a5d59a38ab2040ab0f42f56 # v5.1.0 From d1fe8f943de678ecd18e4515799b56920782206e Mon Sep 17 00:00:00 2001 From: Alexey Pustovalov Date: Fri, 1 Mar 2024 12:24:20 +0900 Subject: [PATCH 17/32] Updated --- .github/workflows/images_build_test.yml | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/.github/workflows/images_build_test.yml b/.github/workflows/images_build_test.yml index ca31ebc22..ae76ede04 100644 --- a/.github/workflows/images_build_test.yml +++ b/.github/workflows/images_build_test.yml 
@@ -972,6 +972,13 @@ jobs: echo "$cache_from" >> "$GITHUB_OUTPUT" echo 'EOF' >> "$GITHUB_OUTPUT" + - name: Remove smartmontools + if: ${{ matrix.build == 'agent2' && matrix.os == 'rhel' }} + env: + DOCKERFILES_DIRECTORY: ${{ env.DOCKERFILES_DIRECTORY }} + run: | + sed -i '/smartmontools/d' "$DOCKERFILES_DIRECTORY/agent2/rhel/Dockerfile" + - name: Login to DockerHub if: ${{ env.AUTO_PUSH_IMAGES == 'true' }} uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0 From 6013e14371279fe190ff7eefd681015d30346173 Mon Sep 17 00:00:00 2001 From: Alexey Pustovalov Date: Fri, 1 Mar 2024 12:25:47 +0900 Subject: [PATCH 18/32] Updated --- .github/workflows/images_build_test.yml | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/.github/workflows/images_build_test.yml b/.github/workflows/images_build_test.yml index ae76ede04..ca2ee86ec 100644 --- a/.github/workflows/images_build_test.yml +++ b/.github/workflows/images_build_test.yml @@ -366,6 +366,7 @@ jobs: password: ${{ secrets.GITHUB_TOKEN }} - name: Copy RedHat subscription + if: ${{ matrix.os == 'rhel' }} env: CONTEXT: ${{ format('{0}/{1}/{2}', env.DOCKERFILES_DIRECTORY, env.BASE_BUILD_NAME, matrix.os) }} run: | @@ -979,6 +980,13 @@ jobs: run: | sed -i '/smartmontools/d' "$DOCKERFILES_DIRECTORY/agent2/rhel/Dockerfile" + - name: Copy RedHat subscription + if: ${{ matrix.os == 'rhel' }} + env: + CONTEXT: ${{ format('{0}/{1}/{2}', env.DOCKERFILES_DIRECTORY, env.BASE_BUILD_NAME, matrix.os) }} + run: | + cp -R /tmp/secrets/ $CONTEXT/ + - name: Login to DockerHub if: ${{ env.AUTO_PUSH_IMAGES == 'true' }} uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0 From 17745d8f6de51915f036e5363cea8dd10d3ebc36 Mon Sep 17 00:00:00 2001 From: Alexey Pustovalov Date: Fri, 1 Mar 2024 13:05:03 +0900 Subject: [PATCH 19/32] Updated --- .github/workflows/images_build_test.yml | 7 ------- Dockerfiles/agent2/rhel/Dockerfile | 6 +++--- 2 files changed, 3 insertions(+), 10 deletions(-) 
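Review bot: The new `Remove smartmontools` step edits `agent2/rhel/Dockerfile` in the workspace with `sed -i '/smartmontools/d'` right before the build, so the image that is built and pushed no longer matches the Dockerfile committed at that revision. That makes the published image harder to audit or reproduce from source. The pattern also deletes every line containing the string, not only the package-list entry. The reason is not visible in the hunk, so at minimum document it on the step, e.g. `# CI-only: built image omits smartmontools, unlike the committed Dockerfile`; a build argument that selects the package list inside the Dockerfile would keep source and image in step. The same step is deleted in PATCH 19 and re-added unchanged in PATCH 21.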
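Review bot: Nothing after the new `Copy RedHat subscription` step removes the copied material, so `$CONTEXT/secrets` stays in the workspace and in the Docker build context for every later step. On the self-hosted runner introduced earlier in this series it can also survive into later jobs unless the workspace is wiped. `$CONTEXT` is unquoted in `cp -R /tmp/secrets/ $CONTEXT/` here and in the same step near line 366 of this file. A cleanup step guarded by `always()` and placed after the build-and-push step, as sketched below, limits how long the subscription data sits on disk. The surrounding job continues outside the hunk.

```yaml
# … unchanged: Copy RedHat subscription, registry logins, build and push …
- name: Remove RedHat subscription
  if: ${{ always() && matrix.os == 'rhel' }}
  env:
    DOCKERFILES_DIRECTORY: ${{ env.DOCKERFILES_DIRECTORY }}
  run: |
    rm -rf "$DOCKERFILES_DIRECTORY"/*/rhel/secrets
```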
diff --git a/.github/workflows/images_build_test.yml b/.github/workflows/images_build_test.yml index ca2ee86ec..90b3a5b9c 100644 --- a/.github/workflows/images_build_test.yml +++ b/.github/workflows/images_build_test.yml @@ -973,13 +973,6 @@ jobs: echo "$cache_from" >> "$GITHUB_OUTPUT" echo 'EOF' >> "$GITHUB_OUTPUT" - - name: Remove smartmontools - if: ${{ matrix.build == 'agent2' && matrix.os == 'rhel' }} - env: - DOCKERFILES_DIRECTORY: ${{ env.DOCKERFILES_DIRECTORY }} - run: | - sed -i '/smartmontools/d' "$DOCKERFILES_DIRECTORY/agent2/rhel/Dockerfile" - - name: Copy RedHat subscription if: ${{ matrix.os == 'rhel' }} env: diff --git a/Dockerfiles/agent2/rhel/Dockerfile b/Dockerfiles/agent2/rhel/Dockerfile index 7bf7b6e58..25519b909 100644 --- a/Dockerfiles/agent2/rhel/Dockerfile +++ b/Dockerfiles/agent2/rhel/Dockerfile @@ -56,6 +56,7 @@ COPY --from=builder ["/tmp/mongodb_plugin/zabbix-agent2-plugin-mongodb", "/usr/s COPY --from=builder ["/tmp/postgresql_plugin/zabbix-agent2-plugin-postgresql", "/usr/sbin/zabbix-agent2-plugin/zabbix-agent2-plugin-postgresql"] RUN --mount=type=tmpfs,target=/var/lib/dnf/ \ + --mount=type=bind,target=/run/secrets/,src=secrets/ \ set -eux && \ INSTALL_PKGS="bash \ iputils \ @@ -64,13 +65,12 @@ RUN --mount=type=tmpfs,target=/var/lib/dnf/ \ smartmontools \ sudo \ libcurl-minimal" && \ - curl -sSL -o /tmp/epel-release-latest-9.noarch.rpm https://dl.fedoraproject.org/pub/epel/epel-release-latest-9.noarch.rpm && \ - rpm -ivh /tmp/epel-release-latest-9.noarch.rpm && \ - rm -rf /tmp/epel-release-latest-9.noarch.rpm && \ + ARCH_SUFFIX="$(arch)"; \ microdnf -y install \ --disableplugin=subscription-manager \ --disablerepo "*" \ --enablerepo "ubi-9-baseos-rpms" \ + --enablerepo "rhel-9-for-$ARCH_SUFFIX-baseos-beta-rpms" \ --enablerepo "epel" \ --setopt=install_weak_deps=0 \ --setopt=keepcache=0 \ From bb6fc0707668a5535fdbc9734b8eeaefa57d64a1 Mon Sep 17 00:00:00 2001 
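Review bot: The added `--mount=type=bind,target=/run/secrets/,src=secrets/` makes this build depend on a `secrets/` directory in the build context, and nothing in the Dockerfile says what it must contain or that it must stay out of the image. A bind mount is visible only during this `RUN`, so the files are not written to a layer as long as no `COPY` pulls the directory in. That constraint belongs in a comment above the instruction, e.g. `# secrets/ = pki / subscription data from the host, bind-mounted for this RUN only; never COPY it into any stage`. A build whose context lacks the directory will presumably fail at this instruction, which affects anyone building the RHEL image outside CI. The `RUN` instruction continues outside the hunk.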
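Review bot: `--enablerepo "epel"` stays in the `microdnf` call although this hunk removes the three lines that downloaded and installed `epel-release-latest-9.noarch.rpm`. Unless an earlier stage or the mounted `/run/secrets/` supplies an EPEL repo definition, the option now names a repository the image does not have; either drop `--enablerepo "epel" \` or keep installing the release package. The added `--enablerepo "rhel-9-for-$ARCH_SUFFIX-baseos-beta-rpms"` pulls packages for a published image from a beta repository; PATCH 21 removes it again, so it matters only for images built in between. The `RUN` instruction starts and ends outside the hunk.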
From: Alexey Pustovalov Date: Fri, 1 Mar 2024 15:35:51 +0900 Subject: [PATCH 20/32] Updated --- .github/workflows/images_build_test.yml | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/.github/workflows/images_build_test.yml b/.github/workflows/images_build_test.yml index 90b3a5b9c..9bf6a341a 100644 --- a/.github/workflows/images_build_test.yml +++ b/.github/workflows/images_build_test.yml @@ -974,11 +974,12 @@ jobs: echo 'EOF' >> "$GITHUB_OUTPUT" - name: Copy RedHat subscription - if: ${{ matrix.os == 'rhel' }} + if: ${{ matrix.os == 'rhel' && matrix.build != 'snmptraps' }} env: - CONTEXT: ${{ format('{0}/{1}/{2}', env.DOCKERFILES_DIRECTORY, env.BASE_BUILD_NAME, matrix.os) }} + CONTEXT: ${{ format('{0}/{1}/{2}', env.DOCKERFILES_DIRECTORY, matrix.build, matrix.os) }} run: | - cp -R /tmp/secrets/ $CONTEXT/ + cp -R "/tmp/secrets/" "$CONTEXT/" + ls -lah "$CONTEXT/" - name: Login to DockerHub if: ${{ env.AUTO_PUSH_IMAGES == 'true' }} From c006f9044fa6ae3fe9598f1c4611ba703e07979f Mon Sep 17 00:00:00 2001 From: Alexey Pustovalov Date: Fri, 1 Mar 2024 17:50:05 +0900 Subject: [PATCH 21/32] Updated --- .github/workflows/images_build_test.yml | 10 ++++++++++ Dockerfiles/agent2/rhel/Dockerfile | 2 -- Dockerfiles/build-base/rhel/secrets.tar.gz | Bin 0 -> 141312 bytes 3 files changed, 10 insertions(+), 2 deletions(-) create mode 100644 Dockerfiles/build-base/rhel/secrets.tar.gz diff --git a/.github/workflows/images_build_test.yml b/.github/workflows/images_build_test.yml index 9bf6a341a..0462dfdab 100644 --- a/.github/workflows/images_build_test.yml +++ b/.github/workflows/images_build_test.yml 
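Review bot: The added `ls -lah "$CONTEXT/"` is debugging output that ends up in the job log, readable by anyone with access to the run. It lists only the top level of the context, but it should be removed before merge, or replaced with `test -d "$CONTEXT/secrets"` if the step needs a sanity check. Separately, the diffstat of the next commit (PATCH 21/32) creates `Dockerfiles/build-base/rhel/secrets.tar.gz` (`Bin 0 -> 141312 bytes`) in the tree, a path that the ignore rule `Dockerfiles/*/rhel/secrets/*` from PATCH 02 does not match. If that archive holds the subscription material this step copies from `/tmp/secrets/`, it is now in git history: the entitlement should be regenerated and the file purged from the branch.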
@@ -860,6 +860,9 @@ jobs: # Chromium on Ubuntu is not available on s390x platform elif [ "$MATRIX_OS" == "ubuntu" ] && [ "$MATRIX_BUILD" == "web-service" ]; then platform_list="linux/amd64,linux/arm/v7,linux/arm64" + # Chromium on RedHat is not available on ppc64le, s390x platforms + elif [ "$MATRIX_OS" == "rhel" ] && [ "$MATRIX_BUILD" == "web-service" ]; then + platform_list="linux/amd64,linux/arm64" else platform_list=$(jq -r ".[\"os-linux\"].\"$MATRIX_OS\" | join(\",\")" "$MATRIX_FILE") fi @@ -981,6 +984,13 @@ jobs: cp -R "/tmp/secrets/" "$CONTEXT/" ls -lah "$CONTEXT/" + - name: Remove smartmontools + if: ${{ matrix.build == 'agent2' && matrix.os == 'rhel' }} + env: + DOCKERFILES_DIRECTORY: ${{ env.DOCKERFILES_DIRECTORY }} + run: | + sed -i '/smartmontools/d' "$DOCKERFILES_DIRECTORY/agent2/rhel/Dockerfile" + - name: Login to DockerHub if: ${{ env.AUTO_PUSH_IMAGES == 'true' }} uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0 diff --git a/Dockerfiles/agent2/rhel/Dockerfile b/Dockerfiles/agent2/rhel/Dockerfile index 25519b909..97036f893 100644 --- a/Dockerfiles/agent2/rhel/Dockerfile +++ b/Dockerfiles/agent2/rhel/Dockerfile @@ -65,12 +65,10 @@ RUN --mount=type=tmpfs,target=/var/lib/dnf/ \ smartmontools \ sudo \ libcurl-minimal" && \ - ARCH_SUFFIX="$(arch)"; \ microdnf -y install \ --disableplugin=subscription-manager \ --disablerepo "*" \ --enablerepo "ubi-9-baseos-rpms" \ - --enablerepo "rhel-9-for-$ARCH_SUFFIX-baseos-beta-rpms" \ --enablerepo "epel" \ --setopt=install_weak_deps=0 \ --setopt=keepcache=0 \ 
diff --git a/Dockerfiles/build-base/rhel/secrets.tar.gz b/Dockerfiles/build-base/rhel/secrets.tar.gz new file mode 100644 index 0000000000000000000000000000000000000000..e2f119b80d9987e909354bb778899fde8876f1e8 GIT binary patch literal 141312 zcmeFa+mfSLlO_CJ^Auq{bJ0Cm76=50F`Elc5=a68LV(ovTN`JAIEj;hr~kJiBC|58 zRFPScikdbX#f?G-HXCr4e0wCv<}21op2d;uGieZRoacoC-|MFPc0En{S{0@gMNBF#O|(-@Si5j_W~! zzo+lM`EUJi{d)bYW1W4L5rFgYlh+?yc5v>{$rPUukL&+W7|yrrANWV7`K=1d;_kZz z*Pooe-0y$B|1lINQSuM>KS4~We?6ghpUI5@{~y2q{|EFxp17cD;xP7{CiucSb>Khg zzzpiRDXKWA!4G67cOvkyJ3RgS)lvM%Q{B3?SH)!$7x|a$`RfY0j`hF(*Z+Dlj&c1I z#%b^bUY)inzC=MDRA6}jx2GrW=;TpQKV^;|JRO57c)G-C`s4;rMHf_GE>+w#LH^ry zq}TCwb@23WxAypSHPU&Xu+`c@u?}mj!wao_p;a5VZp#s z_|$wq&mb$C;mOJUmyheAZi4K30IxfC!SQ=VUV|NhBYkq7{%vTp=Lw{7-Td2iM^zA3 z0obS0IdST^;P|ie11AuI{<8v8`{Fc37JFZ)FP?w;g8hbn@dLMwzEova|9?>KWWm$_ z0jJ)75}oFWEAqyP!D)NqgDyymG7IwNX%#n5V8bWm-}&pNPr54C{{gw+qP0~DwmvpZ zS^sYY@%$Xz%g?v8S7Zp7I5?*b;)AIo*Qp>cQ$Z+%+6EOkfyn>74&qea5o~)xz&?=Y z$w5JWJrW;`jY3fwdB?yzfj5)un^Q1=f3H^>>=FqY4=GPE0uJX3_!0qg`?63MUsl5Y z%gbEAOB#UPKy{shea7K+^U3v{=Xk&f!Mo>Co`aF+Ag^1sLHS!5WY51#V{jZV`~9{< z@JZaH!Sw_oBsIgPI0YaCNl+w40pIfl{QT|q-|y=>;~xz0b>o*Q10c|}_4CBDpmBVs zasDgl%NQ8)|9P5`QxyGr&i?D`_uvZ@*npRJU#7oJ@GoIeeR(zr`ipZt<>d5BU9^=K z{Kym(r-{4Z$&9O}b<%hQZ;SltI_47?^GO$l^%MQX=<*Xeefsz9^Ozs9k<=N$o#{W@ z3XQx@5&;K*Tz7`N%of>#OT7Jhw9g0mun=I>AGeU|Sa{{tM##TwBbzeFx5qgA-f^g@ z(*U!`t_DK>BL?z3|Er0R4-@%=7rK`d`DP;1TPAWdl>EpxrnhY4Ba!8{*Z5`>Qv?LV zM?69AX9@sQ(9dS@HH=(?cu{`|+WOsyA^pyO(VB_$)673;Z{D$t^Das-!heJK)Q)dIACZ$ zXD9CjqrZt&-j70mI-ZAXxvOib0gg!17;sJAb29(sX0G!i1hf4*$`kiI%G0d`=N*&z znA3URa=?+j9uxA&fBwkA+$%CUfPw>r)R!x-m_73!U&_}!7f@3A!14-dMyhBtf@g(jA@1_s8-=x;^-nE8%}Hw{hj`(cjQp zKI5kfH@De(FybxW@$q`j?Fe(_>cOraRh+M7pnF;cU>t5%ael!pu0#G)c5&U;!!Yh` z7~fFFO%VEyY5WLlyaA(MvBtgq#W%z;eOSgnYZ>p+Xdg0-kL9-SWGmm<#>-?MmEZfD z$RG6~_?4l5gGBWoN<*&O0By)e@{pfVg^NB&g9bIP)A0QsK%av6^)%kA?> z|8ynq+aWwy_s?S8U$jJj7i#>jD!ZMW0A%=&pp920(F1FIQ>oo6J$crZy%8GXzY*_> 
z0e-iMKPnBumLQt^0-X4{ph7&n#3y-)TgE_s*cixv!WbTvlh3N0)IjJP1C42X75@ND zM;>_1m&q-5>%ENRDi;Q$JW1b;@;z_ytyuC4ZsRti1ysQ?GI{ulPxBR5?dk8#_)UWA zmSy|`L4K3*`UJ!I{m35rEGwQrk_fCJp>u|6=Ym1tAJ{_S$u!T zJ^Y@j{v~^Hv*i9EkMIs3{>olFg2yMY7q1JTej0s#CB=VKDftJX<^yB?(-@Qb`vHUc z)PO-f$|V0>ndD}X?B}86hs$NRS04P172l|_o)=6%R!@IyZS3Uh3i_A4qAWdfdes1b ztCaosFoD;3A>Zcp)(bpL;Cape$4%fp*m%$A8hl7{{wCQz&;+q;!}dfA1a!&+b-dEe&Wy4%h{)9rn5(4dRKz_ zPhCT9>FREVg`e+$a%ZCYPg8!F#6M>eUn%VW9wzaXxPF+#?H00kLXFUW{#^5$cO($+ z_r3WhzWq>&`Hte@O>3Ly={*`b-mlTXZDscDW;X97oHw=ElfP(Y^9fAWRi6!-*St*e zu}1X%!17fb^W)BqUnz(msbc<#HjR(|jKB9Hzf&Oj&$P?xzr};EiwHFMPoK;pZ9$*; zmyZ6`(-!pj2d(|D9ismky8Alut3fWD`|F{#QxLtA8ggVLB*@4=4L_l zFOt)*4<`9b5%$ec@;Axrcao7;P0gb<-hFHA@ARbntInG5c#e|sMxgNCiqIcbN#Ck0 zesO{5ZPf8*t`EdmOwcXs zQ9-|J1^w1VpWuK0s)NqTpLy9qGv!DAaL@eVy>(vi;ltnMRDVfL-2?!4hlt-+eZ9=~ zQ3}0(4)IRg)OT2^A7z)!w~ncwl3D(~F!Vt^y*{1!UKP=ol;QXGWj6`!86(Q%d@);@Epg^&{1>yQ9>1j_J8P_5iOqg--4--ulLF-fVJp z1Ec&b|9!K^)u#ZGmljtKByx8o@?QJ1n-JtjjQ35O_(+Mexz3M5&rNr7XN!1oAP-ZxrzyPB?>C<{9IZ8;Ya?j`jJ~9 z=iZLw7i{RAy!eeLc{z+nDfr$F<>!{v|7BOE_ZQT^E`R&SDmPB^#Y^Mh+J)dj;NP`y z^X`h-H#zVJm&)ERvH5+C>?5zaXI}GW$?2^u_XcA9;lkK^L(n&qe8A6pM~i1k;oGGt z-$Xeduk-&d8~Udr#kWa6!o*#}#7)WR2ZY9;ox-Qq_a9Q@`|8WT!h@Tn*WZK(H%YGh z!-K~XgZrAmpPCKaf(X|<;#NZXI|u3qdf@oO(>l)E{)uhl)DNl~Ej8YW6d%h*-*5N& zr=xo;Ui;L=YcG|mzpUKefSSL+Y22)|+#8vGUrl@|yF4GnWBvRc*Uvjmkfw1Hys`ja zZWiO-^FQy?8Q&Jrf6T+Y)05*(gTR*wKB%rwNnZZIo#Q_UM_-$@{JFvKby3tW*ul?n z=lCPcd}^4vwo0fu5yn$eUcPy{b1|&Ylb&w|~_n%(7`_wPZCjVU*h4mBtA5Z`O z6_niDO1>S!i<5bP)jNxo|4!H9Hw?VXYX>OlKc8hz8~1kj}~peK9=tte*O~- z=Jjc84=ee6D|xd#{`Si4ADPJ8b^RY+$Ne+yCm$g7o*?yGPWW@np?)o)yOG(bFv<**{B!yb%&T0@0o6kau&PTaM*}$<8l0mfK|f@7d17q5R); zC~rW@H@y0;8~Iw_{}4@f+Zx_Di3b~UPd4Oxcz1=WH*?=NR`3f@^=8)lc~JFH^8W;= z`X@c=8{_!uB7QIG-WH;MH&X@GPh zds%h%orvPKwcjr!oqq)*!R#MP&OYVIDX-w*W?J#a6Z{QW@W~wXD zH;3}Dp-;1+SJ3gZz3ji*&W}LHKi9ba3OXJg>+eo+|2fp)zfI7$YXZI+!|%BB&t=XD z`nfG3(MK9`=QQMxgu@kL`~YVD@v^^Qi;v`;KU31Wf{I5W_wcz1{Y9tHg#iu~RA->z+58I6CebHR0I53u-YVDXQk0soEuyP*MW@~MD; zeuRemHj=Ezc~d1 
z_&1Ex;C~|s5;PuCo?-+X#uxBQ1fZ2K3w7~jCG5Xcfqw)KC8>fmaOwc6>$D51IJ|B? zxxVupFQ^*u?s*hYLeCJ-L0-3NgYvgB$ew@qyuRRNzu$Hk-2y&VL1c8CL=LY(`E|^y`wh|N8p<^N*qbd!J-vR~qRz-h|S$b#v`1eP4Wey%s zIr}V0!*}lEbuGk~Z;$WzC0g?L$Bz6;_p84SCf{cH0Fs{xByVDhcgmbUi!6RE^?Vm! zJkRcHxCBuWeL##WD*712K%syAU;C>AuL_#_3dz0zMD^u+M0Kx8p(sib#M8g7ujI=s zicO#2gO8s7o+eX*q)42YVB`}zp)j2I*AsEC3A{H>3$9rOrsfw-9)!(b{uKNy4FB@m ze_am_{Cz#Br+0q&-|DOPuK!=C{Qma*!FeI4FW39e*MEXx1VO&N{@8>fr~i6F|Ms3f zu)+W1*Z<4)j};b@^27t1@9kyh zF4A^y2$sxh3udwtxagwnGV>$}$0Ou(muPDd$vP4CGP{5I!R4ZU{ejQ1n}e<6V8BY= zY8NSb-U-jM&Gukv5wu;*QAtpaZl>1Wt#x_5ST$B`RjDc36L!0u4x z1nK4j7sKwp?aVbdZ`aa!k&o&6ST|}%9I>z~p-4^qVwDBuEZwU4f!nz2km`AQaE%?0 zPUZ(=uG)u9df2%ucmbCVxmONJyXnY_Tia0x<)pewzy{$AbzyZ+py!=_Qd<&jBo-db zOI(HRSuKwnU6;kQYC>3yyG4>4oXp#ODMR6&JL2ilj$2rBOngPTsZ*@OjIvHgBT~|g zto`0-kv(3AIuXFt-@*#%?z#C54)WVco>DYWh_G#0u zvrTa!^fGgeL5dw%OyOctj5e=Z3n-)W^(io>Cv`EKY)?mSRG%VZAH0Y#ne~Nd(X5Es9KynzY%$63mgl$#RY*mND`;*1y;N8 zkUUILne`Uj_BvIKJw?%yW3&~|991v#<%4}lU7pF_ZtMvQO|t`~s37A+oaD8P0!M-> z*q&k7?SVNa|>VD2rn7m-$64`P>=SW#kUxkX)%KasOUZ>H7> zLGX5c#NC;bM4STdVvLs*nS`ZiU>2Jb<3R+z7OdK~)i^!W9EVLuMfTuAmPZBNYBfpL zr&yTHH7S6LfX#Fcc6DjV;3zQYttn8DpyA@O=`uYulx0=NLn&J#UM@R3oWU0jhu5iH z(5E^Py%tNs&3sgJ15;LuUW~OCqai%@`ofBj4SRAg>%fZEGtVOOi|>%uY19wg9B!97 zeyWbX)X|~5txcHlr0I}xSb9t>h@T;o%vfld9n(dgq+vGtR9u27uM z)AOOMbWu$PXGWBMhvPk)L8ianNSCHc1j63RPRH(vHNP?`VXJz>I5In5Y%)eAHtSkQ zX_7B76X&P0W5WbVPnk8uF|9n+${llV)Yj&>PH5^S&eHL|!{>{6Qk7L@a~@;NBhE6H z%@C(@ei*zhn#D+OGmzsI6SYP+$?_0Hte6PW-0c!Lji7pkB%NOa)az0tV75~s|94a?^l9I($NWCF1IEQey@Zc8#M;>j6(#4|1&mu{^kX@2#O&Y zYe5FDPdsBVFW@Cuj%jFN#&qWBL`ol58Ocil@4AEqcE;0SfDl2l z3Mcm`8X6UHta=LX2xqOkwp;5owPt5$x$j}(IB;{b!8UH!8Ar)m2C_wmBv6bBO63W{tLw!fPZTs}32#u8DKtgap4k<#%rO(ieidw@-@6AVh=XLdgJN+4A|9Xlk>q$hDl2bAZ$XkbOa|kMbk3` zEkqihA+l1a;Oc~K17q>@JlKx(t!CrEV2Ai+9Z*vK`Z1KB?;C~l3?o*ej&*? 
zyX$wludX5{srAZHSrYE0V=&v9ycb09Qr$A@h^gmlWq82Eas$>wU4+yQF=I_A`WmbH3fySK>`>3( zh_;dNh$GYUY<9``T!=(t>Vj*tUeST)JLf^pPu0eDAU*HmNmDMomSTf2*cK=<#s^D1 zQT=Kb3Og8^BQss60z1mrojMTXX?M}iIAS7eDkMwD=5Pcz$7u$bc0=6f9MNvFO5S(i z-cM`SI8gK|IB^`}hWUA;b#X(EB^*0>f|$`(^C5&puxNe0;do*P&t#X&y-G=l6?GLo>%=md%&`kc zoKd4*r8|dn>UfinOJU77(~IZXfi8e!L|4!{Cg(1{a<%yqvtY8CfJ<1RpkSy36>cT) z>S~dPZC$a>kP$Sp6ZU7y^@()8Y{dbXa-t)_VuKTlLB;f3Q8#gE!@Uv}Mch{-p6|Aq zwCI}4Y<2=hYA~d(VoORe92`MpDvBV#uhn!$B5WrN1DWg@{V=c}^a~+@C zDhxX|&s}!esRK4U&>0$T#6w&`bcQ3Q&w`*V=3js-G3RKUG*!~!P?9HvDZ@6n*+ zlT+Q1J-MW4i`&9^ZphHMYlSV11~rm!dx0d7eLGgo`Qqf*xzXH>Bc6ve69`gV%|U$D z7E%n{>5zwwD45V$zqVjR6qEHVV3 zV&b0>6>4C7W!Q#lD$R1;qktqROMUeA6esL5DeU;VbPkd=92SFkVooRknahE&wh}4I zN542ig#(f_@u<=I^pI{BC%rr!qqrEjlX^lUgHQ~Lch8(jR7xTRu|ZJskpd^wpo9nk zyau$Yoe48>kog6X5t~Hzjwc6`eXX62W`0hO#}#ww=|a1B7K$${SrA7&jr-kHys*2C zXF&!VFx5#MNOO)TyJUrm1p}MAmUpVzX(ga1*5ZOF^3zsp6~_A;cZy z;?x$a#S#k(c`aU2oVgsg=aFQ%wKQFy+*TGdRah966!VI@+X2yrR*$fnGW}M(KmpGj zX3DXk7NY zIa!m1W%O7@vS>`f%bJ;^6`G)ZzTFZuqY$%zJh0r1*oK?2wR)@V#hKG=pw*dDlytHv z+%B71QK_=yyh4VQs9d~-cT+ab=TTkBp1zIpmE>SITK2I z^by}4L2%b8vjE<&^$tuUoidL}7pq~Nr!q#Q>n)|x8`#AL@AXw}7*qjIoX$}%!**#&gU^&1g7?RZZUmbyUBZN&-{~>PlbcOf{YczF(<%fZj_^nF!Hh| zt-?^(DTf(4&a^S(1k2Pt=$2OfXc+Qg7- zY;?70)}6vK>1~)*55{&{do$TW@f3r{7NaSrPqqSyFh6>UA&xEKn+*M`1BkNR2|h}Ip; z$+`~P*viA~d>mxwBJSFH!?1jX#|eOKT#`eXP{;EXp)JityFeBkxzg)!n~65c`&raR z=QFT7Kn^Ws*cccz0-P)0*iJq;X{dDMBxnq^m|YVVN~yd!JG4Pg!Dd}6rW|xOI_>%y z&->ju3XPc_^SbS}-GX5BEEP`$-O2$(kc*57;L}JIxqI3m8|x&imKiu1z>XssAZm7* zaNC)c=~$Yz!q}A3&~rmaQO=|Y3rRt_c(dmd{c!$|@vxUMn&(5%!hu5%I2x)Y*cZUMIcvB1o)IGo8C+lRo!01V| zb1p_I$tPxu3K&Vw@oAXi0P32gy_!*7v$O}KD5_PWMU_viw<4)-hqlm!)HY|Ac{F!x z8mB^}IRi2^Y=9>%4}N`s+U!CBq80;Zu*HTozg{1wXMQ%Z1*2LWG-W$&*Gr<453RO5 zBY80zbhp9#&XDcVbnq17Vs_(-c|asK;Pp$oFE5NJsHEQ=SMjD~jV@oTlg3jTHuSR# z8JRTUB3iYZ4MGpLfx^f&Vw1vR58z;UoOE&&`b^ij`m!wZu3<;UD3tOtPBbe6cUVzL zQdXaZ58mryyX={d>PTDFyq+1BUEMUUfyx07O-B^K5eKAaA4iCqH8rjtMkHiyPn z8=@g+!G$@>P)o#8=kjE&fS_gRBXc>#E#h=%MZsx*rnzdmn3uMq1(JDQde#(c0GT6U 
zT{zt;w%b61<{n7p?BaQV%tx%A3M6J>QEX?k({#GJlm=YdwIq zHDf&9vkB+xM50MW-5=y)fzB4Y={$vnJr%5%VV9&myccO> z3KK&CsqGr>@ad*y@@-NQNNAy*R@r-FJ7_C2u=4E+-KYUJvy9#0Mw zcosPx+KUShvt=CiCrRav&Ge)VyKK?Z2NmUu!$Q7HIaw@W`bfy5uu-RDJ85y;kw`_7fE54e!jL67oJ-DUa)N_tQ~kK z2EkD~OOxfsiL^!H$2+$I$tOZ`IWPd*X(By0#bR@;34q3IvY}{R?%HkHZy-?0Vz>Rg z?zWrh=AxsgZa5=nvYW5Y80s96cr&%mpsE!#@OX*nwae;fvFuqU+|9gXQ$jgLSylsX zNAyB&9ao#_QR%sfM^x0tKkv8&p;YmDr>^_}Fc(sbn?%k<(?Lx8DRA{`=w$oE9-H>Z zQnb&Vw;_Z=rZ!_b>5);tWz0@MuoeP7;1U3~3)W~Il<&0+MO6iW>V@BJT5ujc|ebrkk>j>0?*Jp%7#v9~*O>;yqP`L?oY?bSmM8g6`Uls^g+X z#%Fd)`rvM-yb{kvSlu4=Oq^R56NxJ2ROMD<;i@ioh6@1?EyXEHl{*52H(B#m05w@T z%S};FI2grd!Hc`7(Y$3M9rn>I-v_2-RWYDcW(eTFpf=!y>>TLJ_%eDmJmt-OCh_TF zIb7VO90<9v884dNh3~nx;)Cqxz8#ZIByVD9)Od~Y&xLj<#K6T2BtQAW9u_N zm{n^cu=g6Z@e;aIPIej>g*%Q%L!_9~Ww$`t3fk;IK*UUUrzm{hgfU!Era2qAQcT;% zjibDBnGv|6tYV}A$F@VnO|wWYSt;h`M4Ce&OBE)=${{yHsgOJcGP(0nX5d=jR3 zQ^yv4;gYdp0XVQb0}h}PMG09<*E2KU%%GslMNsG=x2xHS;xk|0^ypTtTmlw@2}sb; z*i2@|ndmbsl!wEq+mc3K9*Fe>w>HXFgY@NYHn!oZZjy4=ZY^D`A3$Fc%9UEU&b?@o$-0hj@{2?RP^?6%Xz z4k_?p#xQiqvd9?}u2qo*q1EVn4Z6VdJdGq`J@kNaJ50@E-|ncPpXQt)lw&PK~z3%UwW z5R0N?jI1b8kR!@&mw7=CP{;(+6=rdVA@{I>Ra%uj`srm7X3GOm17y3PSkkBYj^Jf? znT!X-GfhBVb+zYh&NHF`kx8V@B%?bMU6zH=NQXiXg~eGM)mV^@1he(B`k?Mrr}sT$ zSSH&!%ZosmGv?mvLXi-rl;o+*@m-)P7hqblGdCjQyp9cXecp6)CDB>Vu)4C`+p`Hc zk+{&$xMJp?*C?5CQ>fW>8|9P|wpm5VCYUd?WHb17j7#mml%OF6c1`bv;irL9!gM*Il#6> zR3Hm+lWv0b;C_eJJiNyHB%jWvIFm?aU9KITD-v?GEoR(ue$?f1RqShhZwhg8-0!7a z5#nL4PFdgvqA8@+jM**ZNV}jxMC)@cK1T_^#1vzSSw@2z7IE1cogl0j1CX~=$6%w1 z0lsBXZ#ej3LY}yGV8+t@`o!0i9PZj_B+xZ2X<^G$T^+F)u7i{l!TCZBkAVD9aAe*$ z9#J?TN_9{TAdVV`p~bFFmx^W!JaR)<2!51ogIk1zJwX4TX}g7lpe7BO}4cc#nW7Z zD4TFoZPu90%(wF$Ynmh#NPcl{`r7Zzk+;U!MOk*O!y(y@qB*7J4RTsnYRSn9cmr(# z6}w#p+G%Z9c-bGkVz7RgEiHRlP*A#cL7DDBeF%Rxxe0>Hw|GrrUIV==df5?`voCZXsKO9Xi#?L z3EdWmM+-tdIn^vul7nCQhOG~jybJ@=U7b(tWtqbo)?{Q=o4Wm0N1H;SP)m2ZK9>VL)4@n9T2S{G9s%z&44{nfj;QaB(b%;V11V| zCV0ipoDJs53Cu=QAsmzixA#Fh;g|FRch>C5n^P0B+8GP}GNPME2c~>*JOn_lgO{z? 
z6xAYZg^zG63thCDPubnNn*e4gPSy;$HGn{b6sx}UI>Yx;xWoD*0wISzbpooFwCg4p ze9g)Oi|6opzPJQA2~}(oDA6RCi>DCa8Ipq$}2%Bt+C58X6S{#vvxVl?KqV192-KQ5RW2l1E|}U>d(| zEJ{lh`JyS!f(&O)yW-Q?AvsYixo66Qf-mb0e=2+lE!l{GvV#aTcKBsQ&dJ_f(0QQ7 zaZ;e2&n}pF$H6UK$cR9Frj&J;cz%Vk4!6G;DpWi ztwu$j>w)AIh_vCrm6PAYM!3gQ|cIdu0&mi@&L&IV3w7;%h+jBVCr0OT3ngQ zL46S11uhkQAGvLr_J@ok$q5@Cd5g6f5%@XYZteL9O*0rU?p|Ja?pXjefPHRDmB97D z(?x4^32OI>sBb7+%@bWMnR1!f7~_Q$D1RI4V={+m-;GPtC=Q|)lIHd@>p}216_Wx~ zCuFp?!fHn@B8gW=RU_0(yI-*r?Yxag+ z%=as_!K)2_XtJ}nJk}GfM;H4NAhct``TYcVAc!q|N@SJ_yJ|K#wg*U4G)6O<0x4W^ zVu0RtyGjFZWX7gK5L1WeHBNZrnk)h1DI>9Gllk5J1^>S!fmQ}7sOFURsqP@;J#tx4@DVxOXSRGq6 zcUGaF^jHEC_*oz=TX_^k^rU1JwM~xh9E#WL3`Pd-bNo%SHK0@YEsDr2!&148XVd*T)@HA5TW;_~kbCj2P%YvsGrnL%RsLU4^jwX1SeS2EXj6{k%T~oz}a- zaVDOq$2IflQA{sE5y7;Tn0TJ%(58#tt*A3#-|daH=8nF zNX!LKs5;HD%{1`Oo!A%MER6;zb4h2bZw~X(7VA7+nk*3lF3CxOZeZ!Igk`mhKwgnL z$#ix&!i#}W*wXNb{hZO<{mO<^{(>>`4e>g;WR(DId527(Se-!7F;gD?~VsKqW9 z%uw1MJl9*DTU<_??V=82NNAJgd8!Ha0*GtNwRdy_e}gQrSr5okr)Hw*@nWdlK(8IT z6;+;gos^yn0P-OxFJnrGBDFo%3|yG(N1>Nj=|qu%WC@T2-ee+}q^9?P0NE_Ir%dW$ z4#>Mu+z_R@b;WVzWI3#FrG*TLbfz@KhGQgiNeGIy@TR-I5M$1{ zv=kiD3wz5*AU2lD6s$=o=KHNiGR#z{I5(22en&^8JI(4jkN{4OGK2Ak0N@O>TvFW0 zj-VoHPbC`NT zEyp--t_u^w%x!}D^Lj^_0gZaNX?6Hc@U$h6tr5&V*3at|zboTT?pC#^j2boJD%;S3P>v`~j(*UK@x z=$*62LhXv;L9{~8>w%xo&zMn*7yGDdFbxz&{^6qd*m2QxYqu(S#ojZa& zGw;?)fuS3ap~q($HBb{nO%;^wH{{8i%tUYQC3`Wb{Q);!dxJzYhW1pT^i$K3A+X|S ztzGbA?7I^uiYf2Zo)dm(aOQk4C+9Tv;#9-2GpA#$ZzxJ~-dxuN`2X}eo!G!T!IcI7obRrrusPL7>Z z!Cs&)rT9Wwz}9yg7%0%CF5d%LGR%V_yoT;J(u5;48EAL}aQZwcPUZ}_fuQvT)U`au z+HDQ4@jU13@^TV8JBt(h#kM#_(`c9R%$^p7;>d_fzGYVtl1~>C!HXg|giLd#8~jRx z1CJ|#*^CaB^{Bh{X9a^brlMGSi(-msxI1_3w*b>cfI$p*Wq46ZeR_f>>@o=oYP-Q{ zIEg@MBV>rI%)OGHVBNazKpB4OR#$;3-6~=;u4tlyu}!D}K4?~n6*SUaqv_2lw`p>%19fKq9Pe7WFX+q02_b9M+kOIy)c9 zn265KBq{dpGR~YWFKZhsiCI4NC@kj=43l2a{xspYE;`$8obc>G=&={zqV}7)y($eN zA3AP_(^(mb)^aIV@}Tb2?LlAi2~SM}*$sfgkChdyTCxIIG-E=hB}En}=-c8MRF)J+ zP|tcKiRqL*tq6`~j*--}^ksbxnrJuUdxddqd5&P~S~ECzH-%KI88P2wvMt)e{kis% 
zGto&>MFU*}abEFcu1be^xt_1=TqeVfyV2Ui=$>Mxj}Iqx0}aPA-wS)G-WcG@pO z&neQ95_YJsf(0)?yK`xRZAM<2bNq!(U;riq+xD<4%H@UA#*n2Mt0^S9oO#Tb)En+V0+li zPMac~!o%E*Q3dEdPjVqRno=3Li0;YXRM7YJAF z?%86E&_@;+Tm&(%Q_#N@_I8 z$yx^_LWlhfX4YB03E3T{k`vFinegy2{W?czfEBGlDdXJudC7?!CM_f8!v7icb&RI6iAK{h02ED?%QSNqw4+2MAC7_(q_%Ue!3^qt1iWi}o7A13ggG;9`hx2&O@9^Ri_OL=^dNBT-|g2u1J$ zNZyZ-s`*`+#-eZS)BmMg=XR3!_WBSSoy^S=3v=HZeX-WD>Tjx5Mx8aQ!Z8Zwr^|GE zDiAgL@?1U{dycY?jyF+CXeT#}pBiy>d8begL%@;U2v z(Z=tsGOf5Z!|@}p@EE}(<$QmsdBuPW3~zWl5d3tLKg?b5^-E`^I|f-&Y`h`C8^63b z_tMB_;xCq+=Eix5a2pU&J{~-%6dv4}~BBcK2!l*p=Y4JBblyRF^fD_P#Ye~jh)VtTp+(Fk z@fC*0zF(xm^Qm;|;T&nNrjuEx{!OXY5@J=8LGR+K3A7=TFoPWp%?w~HiGjH|gP(IL40yqb@vC|{Cj=&u!e zSBrLBZEuA(KeLx8UbucNj&fN})8n>r>Dg8R(YmVBbGQCLlp7?W;e{#s%mu&B`Gm4q zbeJ4LEEtWVNmwhxW*NB-0T5>1sR``e&fQDm%Z5VmyCWXmQU((;%G2uPe`Kcjy?VRWr&1u}k;{u2~fd z=gF19zZtc<9kXErrft*$6wfdcQvdof;+JB22%sjN8Ufb@(|W3yzI90_%R~!rdFgQB zW=dhA?2htMJePTu>XU9c>oL+dQOJ0h;=uD@e)RQCDufVwyAM_C@%qQ_dW?FNgE`pM zP`xsm7_r+Zf&#b|)8=7iYTL!1nZ>LZ4*^cSLEm#$uqH9Im;0^*oqEn8QS~RgR2QiK zbP1aCud%bEPpn2X@Je#0iHE2Lrlle=?+IDbI6ta*b|KsXjwF1W#5y@X^BOG68;vb% z^0*s>`=WmVWB$gaz%w7N5Uz=SL3&S$X`_<&t)w6uu)^t6F@>IwItf1|6+`$oG`HqH z&z&Pv(JQaI!P+k_mzkCKJGR)VRH=6n-3H8NeSJx7bJ_$70{8_iIUeJ zmAzw=X=rH4)u(>5r$>w2@#^#A*4cl1p#>RnM{8d9&6C+nmoSIRm}-AIP0px6@jf7k zuSlijKDe#f5}qjdA7Tj5Xe;0e7;2{wW@optj}iT5H9d>MIev>nJ>w)@FiFxGl7l-` z4%b%TtMug)g;I-gMN1Slu7Ad!E{sj%-Kr2>tS7FI4+X9>3q z@3opo5R2;SAZ5vwFCwE&k3XuH|Rk z$LjBShjcX3E49zilzIfXFBIRwl;xhZ8X%JQ@t7SAiy86FK6Mrf`{&kOgU{B4xbnri zIpA<-KvecY(j3+NCWYV*;e%daF1;AWB7Imvvwe?NMy2& zArPxsS9;Za;RSZWZ%cpL;dbI#nC=0bOA#drz4U{G$~n?+@g$xlRizfn+5%eT8k|f} z!dA9qz~R$fLl#X*o76W$H6DGc3C^ab_(r`xk za&zeXv909rwoEz^XW4Z33>`K}pGOF-_eS;XTZ^{Bb%Mn(^HY428nL!FwqgTCNABFFLl0#KDH{Vdz5cssHz$50# z4|`p^rD3V3z{jujYm|69K7UThkFM$+Vzbcc^>+(p`-qB9$#3bkWSapQClC5S!1-&Z zw~3j8;mP+iHIzrGT>L44r-6P|@dozo*z30}FD`s+u}0G|O*XazNA#C*`as6V3~}eJ zWOudbddKCcft1x95dDJ=<9E&0<;Ks%JZit8&#@+hk6y$yTDBr1bzz8$wLK%Q3rBrD 
z7|7Ifu{>w|?GA~7&AMVxWR!bhc$}`r&a=Y4W6@gW`2Lpf1BnLi(Mz~PNhI^2MS5r? zC}pLVcQ5k?@Z9bW(Kh@c9ene02m!#cXZ zEo`zaCYyJ1{@%h7Twd4p(2q~wTT`i~mk-fj&BL-i5eq&@l?BI{iU%NSnS z7>&KFXrZ!k@WbJed(p}Eae-f=Q~}pd7!CrS!$Rsr#TEQaKAs^zelMB^+_JgknTJE~ zq|vu03s}neGx;06iGlC4)Q^3x(fRBcBzp(u!rs>U4n-xOw|qkODR9_Su5PU@A50=S ziVOTSLq*c*T$k};-wj5upmn5Ls)HOsUusLqMLynk3|gZxJkkUoYcKQehiUg(FUE_W>|5M^v;4=y&z(V14=ec^=s+sZ zAr%ivZfzJgGmq!}O>e7$RK4~Vvkfaiax->Ud8Mmc?r*#>j^hkT6JpCXoN5!boOA5E z<6Yl*#(JC66V6j_1>dbVSmc?@1+;aNkV3nd6}q~4erbb30gK7+DXj! zA^?mJDvHV*eRm@!#Q(g0Z=Rl(jjzPHkpj4_rS4=vDxD^$6CPmU9W$my|B!f=jxdX_ zKh8I*Z%&5YKj8#9*N9X{%qrB$HT{VSPw>{1y85B_@C{STUu*^&y0!B7)*6>aTcr+J zh6g21+aBymBbPK5wbcnVZn@q%%kwF$QciS8Oe>R%kJx)dV0KVCF;}@4##;sv54vF; zNX^B1Fk6TK?-=zdpo#78dnUcpKE4({MC8NH+nI9;K z?uLCp+GJ76s4rb^#?986?&U9^{__RfL{|$;T(RjHXTaZ`8HxjjXo#jHl>t{U7V@4C z&AV5m*C*b^XaXYWYq;Jsbb1%s14_Un=f3rI)FxA3J>Ob_N}AhE99#EO;ya3bGi69g zirZ}&|D97UQX5x48lWQJ%Nj!2GVT&Ye}~iR!Rb*-pBJU7gY0+%_`^_4r?==36!)1AyK$H5_} z#-bD5FOdtE7+p^&npIZ;I(>*gQp?v7dY&MOo-wTHTGaM^JdU3VIi^xeu%yzLif)}W z2Xlc-d{0)5#Gd|PVP1PHa-tc;X}g~CXBRJLzk)#ycZ zIX*clBK?SpBA`n0R!5RMb1lkWoA=ZlJ?}|NZK!bl44=;v3>Zv)Rb^oN$qi5Y>2y0xI$ zD7Jf55+Dk55feCYyJzq#Q&uFO4R(+BPa%7XegI(e%hHTmG`BZ z^i)Zp1J|d$#jFP@cHl`KQj8g1BQ?V2P|)xHL3J6b=iE<$rVh&|{!}+!^}SN!K4!nl z-bf>6aQ#i}5z*}wL98eMP zL_SjpXzS4*F97__f-4$M{pnr>+1B0{wy&i(?||+)DBNzOu9V@&X|F&6Zw_wjn%^L@ zbA0o4GyBduJPG@vm*<^`;4j4WaskM5yeCzhlU*s+G&o|$Q1(myriS?I_4u%4ddDyoF?dS- zLD>R1qWfn7@zE#WpB#3_%eaTRX+vYxO=L;?wJ<_seksgVPHtaQ9T_{OZt|ji`ffhbgX}Bv^d0W!Qg5?L>U@2M4A@kZZQ5E&?Bz;wBL$YL&AIp9_ zsss1R_X4-@!fH;qGPMs;S}v@@9mnhU3rMANJXTT(61uk{z8TOZQ`{S34u?1wdwzBr zp}P+sW|Q1O_@-dE`oZpoZ(M@p!w^Ij-TT9v?bCw}pOe3+SFRPgf+YI2xO^rv$A{l_ z>UgZf!gRP>jB`OR!ShHIW3)cY_L{w?10}NleI^rxK|{(gCr5uE@dLmb-QPR7z`rgx zY&e|W(lbM;bt9pYB-&K2Zr2mFW^1GP?d^k@t-XFxwltgkkMx`wW9Lh^xvL610#vq&4EAT&HUwS+A+p(?EtW z=3^eV8SArYUpRMi`yu*X;O0|@d6uuiv<<_;4KAVtW){EhLyNMQU7c5zd)~aMGo`K< z@9=cI%C9IUhhGn!OQyY0aL7!n}O9v*Yr>nTL{>BC@g2U;Ru@Ac%THnnSL)9sx6Wg${% za?T>_O3-_Rv=_AE?uP3?kX?AY0))*n>~dM!Lvx6Q 
zI`9`S*5Y&X`ZWe8gt7_!Bz`9i>0n~EH+SObj*^CP*tMVCief&zG3EeZ55kvtrUlG` zLS?5vK3qi2lPrq`UA>3#l^)0|7PQLCUR5D;Lot45u<$+EVAN-F@oLeT2&EgXslBsm z_#%{#a>(INdcmbGdJhl6MA99nZdl(47&IZL{cEU{F?{6sdukX6mZq=$O~aY}*ar%_ zt9^kI+k{UlGZfSBr7#{$!et3Kz4KQe4NrWPeFCm$Irz!yOxH8f~6K`JH5;5 zQjpFp1fOL^ezw%iek{BloSfNZRRc;?b5@Np5J)8%=2kM@x=c&9|r1`z7@3f)H#pWTcfA)DX!y}LJfU?$)D zC#R95D+~F4oFKaK6{tpzs_)`orMV$^DR>^7LigWSkWsT>K}44C`fz4kf4#VHYsl-4 zMZ!WR3Z?#WD!8!<807S^^uB2=E_$)ey+xbPh2d>^4W0Qww1SJ%UIySaKgKmlwLDeS{*3r;ZN9C{V6zkk|gHA&=#BP z_NW{J>vi8eL_dV?yW=f|@mhADIQL;U){L=jJO6Pbq+ zYxJZ>x*qcj7|40e1BEP;#$tz-@esd?9F&qtoWj#EZz^QY@|>TN@56c7_m zW5<7Kf)qzes&MMAK8V*tKR&rw$8y>d=guWONIY_*xAHhWXNQ2KUe+SxJ#xeBv+o&a;Xk!||)*jUfLZ z$O@@xxJf{1qbvOrW5eIC&vtT3d=UT4njwDTzY@NNl{>$;S`38!RCI9J6|Z8G3YMV< z({@~dTg^+Q{czQKz|1>oeijX%H->_G;SIGg>OCQ8yO5HZQ_+m&(%+*Zhg$)r9}^&? z8!DqY9VKqB2+Qw>JwMa$YgaLIo3YDo{nW^LOGuNX>tJwBvp4|f1gW2cewYi?3Y0yHm3o<`g_vcV-E+Q`KHKK;r@mr15#sEt#aQY%vqMVp!^7+yoTp%QW zU6Nzn`}1}XbHQXWs0Ph$6wc#_?`eZ*XdW0VXl@7qqWo6pN`S0<#`z|-#QxrnpTr(l zvfh;R<&~PGcwRf`o_WgW1;zjqK-W`!_0xK`-21DJYV2Nu;kudUu2R3~IhOt2o#*c; z_DZW)t5{gL<23GC4!P^~%tu6|Uwah6vWAhGmgf9B@bv)%k7xaKfZIkA{49IDxR}$c{P~6}w`e}a2g0zKMWwK9me{hMkM>m0OQdYi7@q;q3$zPC6-q!h zUvr1CA)%;GD&<#e<<$Ur)$oEW9VR|}OelKQSkiRDh_Vem(3?Ep{5^QS2TOL!y&5l? 
zBhXHn9g5Xn3259a1@b!{tI(?##b2IW>(f;qiZ6R{x>!2hOE~E$KUb>*&GM{g+U!vrA|^s;>Pv;V5)0m@oNgx?$7E|V5&k9Al*xG?pRt{#_uDn(1CPNA6F zt72jS8vG2^NRa0N>#bl-(#N=)44TvsCj%t)F|0hpyqnDtq}F~4>5aEyR`V4WhEpof zY&Y$;qhF%Qk%Fn%*XB!_4)|9>!r`+rsZ>ZA8R*^d&9oi^^;xFD{8mhe@M73$s*M6D zA8d|~G7?!KQm(sCKa{&&2haBYd^YZNA}BQ+92%?}7J$ts=n4;cNA0Tu=YfYtHFi^1 zELG<#lGbKNf&PrP`EjehxYnp^iU6Fp@IsH?nciL?ttv zOy(N#=b{0~6MyTKj5qp8XGObz99z8~G!uWN-hoPa@t@cEnf1dZ?tcx$c?qi?R27kr z>`qC4^Mf7wXWqr3>MLAZ^Q#5emnSpJ9f#*+V`p}mUbL9+Tvj95B0d~OOZ6Q><6<#^ z3aj|*hh@*!BQ*T`n>qZRH??tGS@W}Nx&w1gU}^+w|8+OPHUsfpG^U{V+=SG{7Ck28 zXZE;W=^okjZ}t*E`vbz|jCp|L27{YE^(;WBve9M@IrA*nw{IX~^xpGa zioalP=JGxKaYCR-4>G(R$QxdQV6j&Cf{3hI5B2TVx_4yfqO=%2QdTJ`U^Y_?%+EpT3c}ojpD4>EoaZV82>%cP9W z?2vzeqh~L0cC;OCJ*XWbC_nLhRWnz7BZI_IWsxAm(fW_Of`2BQXQg5Xz*l3X-#NAt zT&%h@hsF|oW$cJ}&AmIPnYgX|Lx2kr^SRzX@JZxilqhdk%QCHPnA*=0UN3nLR!$-w zn~el&tqrqk1<0N}gvw8bqR=K7$8DzCLW|`&jo|qMd?U6UhfA;S zP0PW%aDgY-V_`oi1Ec&ZaU94H@BR%N(*WVH@7DvH8A$XZt}F+j9|K8)-bNaUc~XDa z<0E?K;k7*e{yg`65^XRuCNmbr3`4mEjEym@r(p^KcxZXYYumaci*V9m3torcTt9M# zKOUtHwf*a7B|+>!t>oR7_F9rSjZFaieiL9Rq zd&p#+VC+iX0{i>)o<1Ird~!o(_2YD%4L(!{a?zJqbdB-owBVr<@kU8Aii$OVH+qONb|Udq)Y6d~>vGojX#%>FUSQYJD{&9eT=R3HV?s|&PQ5LppZQQ!=pCu6KevCupE;;&&x|QqI6k6b-C8uE%)6-c;WHHi!b`*xY;L#klNAEh7N! 
zzJbub_aMJ{nh7*Ot>SqFMXF+wyW4ux^y1K40e47&)4)muw#MbR&|&7?#bvZjL{s5{ z-c%njv{E!-ZITG90@R2I55w?2Ea84Iadof9%VXtX0@wEPf{%fo^h5{zpm=}QW5*GRM@fRv22n1~MZrPFZ~tC_s2SU7 zL%>avY#Iq1RUG1R26cpNG3Q4 zsF8?6bH>2FNzu0X6x&CneRF^0n^k6nb@oPiO!z=3(Qf zhxlVu4DtoDOUEA!O1v*j-EMp*yz3eqk`{vVSICrFdP#`R%bbi}#h);xFLuzx=(sW4 z1(a-o@jishL)ph$6`!)16B@xEq!e;0VsndU=Ku$OT>&jTI|$8#2B}2V zWIG1?eOym(BEna4_8P>f;?5ajWJ)mu?6sde00EBJwVqzNZi?TqdmO-V;Hyq`+e7y) z-5>jK5BlKtdo^#WcDu`3W6=+h)V(+qQ-%S6=j(pA0?l-<_e}HUD2Ay#xJ*4L*~=%Z zM6Nt(@?uRgct&&BB*dU>f#}exa{))}Q-gC=VJ;yd%jtI;wW~`eqp$t=eK~!5r+&OZ z_d6)HJF$`UmDzSr8VeOEjG!!@&%JCYv&)yZzWjRlPWt%PLn4;Bt})gm48C7CY{Q9) zv3=Hu3$>3}r+z4rJU- zpXW;u=yGDK=B0&xBNd??bnOn-rT5Q)u@h?k*M-r1(b}UwD49+Yho3l!Kn24m&~8e+L-+Oq87x(-5U_FEyyZW zP-Lrs10^r+JuL7=X_nHquObU`q)busjxicGEqXP$3Lv|Ch0iBh!0G(;-gd~<`v;O# z(k4J68-?u#%dh+fx}mgruoR7JUX0o;C38HU(kmz(#o74rGUP21F7p?-8|Yzq#8X`t)gw_(`2u*g{}}*!i)unZEb~(d^g5d<5JO!nLcLZYVrk#L+;3M{U2yv4d68e> zq?{j(2GWfx9W&E$xtG`70JKk~{>dqQnGAsnV@3MsDvp4ZPuS4Zh8jJZw(&jT>fSg? z3K)F({xF-spdtOPzRayG%FFb_S-~9wSdOEF+*>n_n}ERM?Y%WcRLeh7##`+Gm8$1~ zdI4oGLA|TaYnnT_`uqLVwF3v#)T=#bAw#>5kt809bWM zY0|qi$EU!Z=a)B6RCl}U0ur}71XJ8R1Sz`Cr0E5@Z0*iO?Jd22XiU3f$8~}+an_3< z_Zv?1`Z8`HExyqo!2j|qpj`rl)JJPP!1*I#j}H(K+S^6Vh@37E2+JYp4!cz-hfODV zv&xA+b#2ewlUmc|JAg1X4CjEZHf&epI%dmh{9%3^5FMI}PE!RlEm*@#~cTHrkc_rVdlYA-DiRzi7`>^KEk@W=i_mi zLC6P62(a*h6>-Heu%Jt(RJ0{f zIcy-qkp|bbq%SDcZWzL_e5crunpY249_hM*A}I|8&FUyPF^(2y|3CX#-sb5myB0SU zvon%JaxBIkRMn9};%+h%bHjKdX$Z1r6s$Rbz zAK_8WTFE}YyN0w6i%uYD8E zXpk*l_%LTL2z9p2G)|DVuV9;?A_Nok?b0*{@9TL`=uXE@&@?9lG>p?$lhSam8Pjh= z$iu5SZO}s*?YAF|Kmox@iTm-qG%&K;hFXRlB?gR7cEFKAv5rAB-M3i7hI#qJChlIy;{uYjYIFXd!Q<~rEC>?!e*RfZc-yW7`;o~S27A`+M+0A18`4B>te`Squ@nWwyp}QTADs(=RD5Oqg zfl*jH-QRz~h^@TS7}N&WBu;Yy{INOaTx;0#upb}Wq<>_W0G*h%H_QaUt{9ia?htUC zynXa)La5_587X`wULf<6Y$C=DFR^fJd3ewb8N*XV6a%4A%wwKR@31W1SNbA;JyTkVu5V&8PiF&<@DV$g??LiiU;A3*!c3Mo+FAj_X zd|^B&4cM>4gbqB{VdsTeWmaA7##C0x6W=cfCttSv!sM~c`@~f%O zYI1G#yAr8=*}vq5Ml%n#Cf`49IUHP4=d`WX9Zm9%3Ve16Bm}%^xGFN_<|nzn@-1ws 
z020zk9otSR!FY`vC~)x*zU0j(zpK~yJhy24d?X-l($@`)?+#zRRExc$+XgyqN@L+= zm!S?xQxtUP&**&1DyhLhD{KsNx!PiapXFjS;6cWU3mhy4DyBMo@KPoN$8bHpqnQEp z*4%km<=JY&neJ~`0QL!32^_1&&5Ul@=$6`~+|4VG@YBo?kg*wJ5Mh6LmjKYTRSv)S z#IMp@Id86@wPD$?zj3PHr(tW=?pRSfYlR{-d5!Ss&AsAkPf;rReXQ(-m%m-AaUMAT z%Xjo89O2gX&HdNzE&IBJUT?LUkEH_^F$38<20;hs@%053Tq8{mRN5S`s3JsOLV#cs;hdiVV8dNM}y|q zukf@E&~+W4*Cr-!suvXHng9jLHC9XUi7-Nix)M)T1EtFidh$nZTiMh{uKbXK6 z%?g~XNel1%tq#JQBMRh@P7l{c8`#59e*!b`0@diHGXUNFsfBGf0)cec3kkp@biwiE z%AndfH`iq;bkS4`hyzdSuYH7wCJ((WzE%DWmbLeBLtzSWZ)OM&8vV8(^aQ;DU{vIw z4&1FV)e)v`Oreb}HtN?F%@F65*(IL(sR(45Y2y&gFHY?V2S=H$eJjDyYI}|-lJ&Fj z6cZgcXX14W?KGWR1S3YY0)-CXr+Iu~5u$!43Ajb#RS(JO`dw@7`^Ql*wRX;;FPHtd z;}20_VH*i+2w>E5nE_d3HvaOr>d&kcJpN=~q~tu_7)HwCZkhLTf18ce(S*+%L*Q+r zz1;)63={vmisHvaW_v3~en{wpfQl4~M7UatpU}&vCNnM8&mgv)%r80djmNj0Mbpp5 z)4G1rTTtiQ=L3Ull%75WVKW%s&5PkOZkM5b*>=+g&;9%T0}horUwupx`OmA_>g;9h zxx1z5GfnsjF^iOtHHo+asTubPp=E%VzXE$rA&lgb+y)B+aFU7{Ss$S~`p~Ba{@3O{ z&}v!mO@%;f;Zeduz|O8@;Uvcb9=YrS>ng&r*F4;6(I$O4&>owW)7aU?HbVC<|`G z$Bk^ny_p4Cz5A}p9!z9jGV#7OV36!gWx27xpGkii5znL?wmm*8}&Io>MJ zx&smQKI~5o%Aa!+;GYp77)gP`;2&zN$v4xntH`M`@%0v4c^tel`BaNoqKu$SW$Tq7 z+sp|hqJZSz(V(P}@p%ph97eM&Wm_;B&p{R}!(L%}+hY_!*9+=l zs*yVL8ng>G)SGLNBA1&-PwugjomZVt7qNh9mZsv5EuX^q`kL=E+rQ!}*T`ieJX525 zF$E_so1k!E-dp_IS5|^Pv`<8guxA>BqdM6gJ~#Ih`u3OK<0|n&I~Nzx6ZY7 z;r^1tkNKn^t^eFgEL$iQ^07B2mtPr1gKCw#-K#5Tgj1TD!3yA-cZ3-<^uM`$@$#tFWf3YuU#!V{h+qk`r&K{ImP{%?ex0S18-u&mFb7vzo3N zxkzgwX_~i?=03X5tR1G13If>A*a-LtsxV^^Rk%2Qnl{{T2n6fFVO~_qDq8Pn#`6{o zeKr^8i<6S$ESTPp)Ed9*=3J$jfVXQf=oIWDH%ReO3S>CmcoD~N6Tbv)KYJcb8kO{E zmAGFw@4p3zcyqx{|A@X8TvP!VxR1_ZQ#?ACE%#etwNTxeZ!oI{OeWD>HCep$Iwpwn z#@+L-{I0je_C(4qobJmVH+sI`mxGk!tJTTiTn$86#Gd*E2xKXcI*(8Y+Eh`Y^chl+ zVaXHc1w;C1++`~xuZRD-CMqxnv;k`(@(h-@?RpsP;71(OZy-#An*?Xm{?(Iy^N7PhfD*<-?C`Sc#?6l_t?DZ`Uxuy6NycHtsI8Ug+dHZY&&dVPh^ z@cIeGBiCFHCiy6&Rp1Ng>-bxRwK_JB!Ggp4_X~!LPVaYSV&!)s7lSyh%IiYDuR|~9 zlR>n_Da3~$cFNdx2DBEWmR6ANy-K3dKx)4kf+2!!QZ+FJS^mu53;5X&Jg|ZWG+;5> 
znq)EOB6PRAaWT9;f|j8N`x|4lnHTi(aYNRF&OdlkVCj3jXb}txB6s`V-f`!D83{Zr z7NK1h2qjFWXtY2>=c+v*7N3?d=MQtgEoBqT3G;1e72NMIh;vwhIi z7SP@-LZDG(4NL_J9BtJ1JqVz(ETP9`zaO3iZ9i>qq;1Oz>{c@VI|mNwY*v2S{&>;g>va9hg&{9a7KMgoT!bVH9UhsB&kE3 zgt)C9(TxCT6nLcb3oC|<=Yv}x4x6+cLOc!#zRd65{}&kupdoIgC3XQSJC4F3YU_|E z7DV~JZ^>xO2q-Yxiq@qp*b?@A zG&IM(560*@LoXzJYuG`*Da)(q2z`-fs3qWkfXs}dkh~!b?6-M#=*y?mjIOVb46&D& zsxeTzeV84>E9K)hu+_(x4yN(nPm%-pVS}AW^@~e`X%?7(n^GR=g8ivE@Y~>#QCHlo z&mL&8rFP2?9bM4m>f?{PZn1xhFMKe``Dh5vO`u1E>$x zLV$^iEB;_pIfzwY&C(H^6Pvyv)uw_mrne8iZOEsvzCY1Dl_0Fd466_8SWf_n^ZSz~ z7Hc$9qY@Gykds;ycBkoJza3xm#Uh; zQZ2l(1xO1IBkW&<)#YKW`tA<2x564a&!Dm{wdCqR|F914E&$~^CLpci;2`QwSN!+8 z-YrZiV6z?ur`7vG`&VJ^xC@|F!eY7E1*n7_R^V`_1>CN9(QKUxkd~AvsB2uNx$5T+ zIP5Va-$ST>V;M8(?q-d!?#_RUU^*MW|FHL_O^+g3ns$HYS3K5ZuUWULD+Q83Qkm5U zb|F9#ixy}bOJfs@*u)})#^%4jx1NZ|jI1TAtEOhGXFBskMuY&zad({K$IrR$EnF8Y z%tVTk`3uq>kI3P;(4e}FAvjbSAVMqa<{vm@8$k6iYv93t2l)kjOF9o|{d!m}iS4ZM9_pO?-6ZfDY?L0MJCL`_Pc(`u>+sO|rIX1Xk zWS@vc6W+?3^RX>1#vX0W;t58&Dx%S%O|`*Lx+C!^s(4kW;I)%m-#6= ziG&<4pkil`sd_bX152mceR&~wgOM%{Haxj{&Ij**n*2awzw>5SQ$HMFpTY}qP_b$Q zH$W3!!geaKD`kj^!%Z0t&v+Dv=zxr=W{qf}xxGAGvt{KnOC_Cg8N#C?W(}~H(7>aq zK{ja5uT+GGWtERS5(6noWowgVs~@Z>t&$M9D`{}UBWS?Xp6~SKt>z|X{U9{D7+{bi<{ z5yI9zN?$0As#K}R2ow*urrn~p*V@KgF3t~T7b6#hxlfHA>Aryo70ANA+azI~+PQw& zmV@ZsazDlQJ%tZ8s$OJsi4zAB;%)8QkvMG*hFnl0#I$s}=cnOzTgGL7CgiKjxo$jB zl}gj1nQ)BHhbq_Kx`n2Cy~hP6RQWl(Z9Cmnlqat*L-E`o`>@NX(5Uvrd@JrfI|**H zd3(qIAF*?B2mfLC+WFGeq=KQdj|#-_79+dc?}FlVcEx)koxy;;XGfx9ZwNcFcKXH? 
zl5zQ{4v;-=0v$^tYhR5%lA9(suEs#2v~9Hw3%xcgNOAjbh=DZMxI+x|cJDh>}b!ppCYyB?!eZ zGi)v0T6&VxhtsiM3_&5zJ9ocngZtH)OZ@_*Yqj$(PYE;z@Es^(Cnw5ter~NP^2FVF zJVoB*Tx5b;zXvbK)Mu+s>M`%2b-2GF5LL z!0qu7;-ladckYzD?S*Uy9BGUYpqmUm7wU<0FpyrA^C>;L1m(MWuxRgQaM<6Paf97` z#KK*ovH%A7w7v^w!t>RAyiRU`__*xrW5?Q?pmU;4N=JKM?nVM6iUzL3ac=oW*8`%ZUIKEQgKS00P==UbiEHj;iQDPVm&`tCLOL6R!#WU?O`tR>u=%{;hhR5U zq9t=rQb9_I=p`1jz=pDK%vHPJf<2h&LzwqkL#uRHMQd-5#g#`2i# z#Iiif0cUbS)*Ob~VQYY(P7w3fRuUcFAW7U4Q@(&#BI5H>Ssv~uO*U0o$cMvmIUBao zRPE%cTC;aUy$;ww@oS|fx4U*m!%^uhchnY^>R{<)Cokz@+R66F?1RxbJM*kOk&0H= z?QPjG^5tA+{8>7U6EHH4=3&Q476`olHbi3F>IN)HGjbse3Vx@N?j))2XS=VfnQTmJ zmzIGm1bXUmh4|-7eaz&>RS|QQjMe_Z6E7#ZQ(F?WLwR8yy>7XB`mUkfMxQy)s{^Ad z^Wz3$zAA<9QkVC40}RA&7nZ!tgC%o=oQi_vE@YQj3&Fz9%xNNT4b|L2KRjU85xcI% zl~vaIrWYj;HBtY@-a}k>|MZ|sAhmD{`%qdk&RV#9%;|le3KYoOy9I|Bx|6*jCFOkE zv=XZ<)-MPx3B%+lr~;H4tv<~aP9~UGy)D;oS<{5-t?G)$EEcU|PoWz<@s?4^ypE*x zAmu3n+GH?CAG16e*RTwOfyLe`@w~;BezlO@#!E-G3Ul2717}$lUTm(B+8H_mxpcxn zIw{rd9JA`F$fNGTLdbW9IEW1)x2xD#L|1)nRwhKTDvvrp4pndTD=0$UZce5ml}j(g z%DQaAwIx1X^e}`bl?jh%<|ARm>|85ErD283&Em%Wi{|4NBrSiHr%1LJL3_fC+h0f5 zrS*JnLSEk3A0ST5gLJ&PAQk6^wBotT(}&3nnbpv_GJ>jp0_$>D>{m{QeQ#TCAzZS2 zL6KdENwzz;<65L9Y7s1m&B@)VqGi&Pz_+y8jk2}Cw$THAAX2IO#0j=YKXDSij&|q6 zF+IvMo!WJcPv9y9G>o9;%%BU1u@~+(qV}{)1v~c!P@vG=m~DnMWWZXogJjFRtaf0G zWBqxA_u-XyMj~qi@hLq>B55H7?{vR=q>;LM9<2%vNqEIdYsaiS>|R_H?obYXlO@>K z6*v&>UR5M5E@xtBg%s43hnXJXx*9l+vYuObY&ivtNL?A3t@d)!@=3m)adWRnzH!6*#T%h?(`HV!uPMRlzWcMKk`bZ=$YssM@S z?qt1~&ohO{!g=^|cH|^`y1QX&sF$nx1m=G_O`@^}x7+o1@oiP?5NL=k&r$RDIp`#0 zP_kO=wTlUi5lI>vnhiK-CAha0b>)J7k7?MyA$f%FgC4aB= z2jC6_ecZ=JHB;%ca&yJkZV$mNc!$e%!sR173(XM>@ZpY|I`_;)&Z4xP+Rn_~f-=lg z&W@PqEuVzL654RU2)cdv*v{zarpoF$d$CcT-g6yntrkE`7=km@mq;xOJ0gHI0bF zie`)EGEvr+RwfDrL=E#a)7|RWZM3;!O1IeaK_xL4GqdW_K*07DVi7kTM1z#Mwjg5i zI`pa`ZO=%!wPus4;0I0(44G2cJIUMav{%?9lS@iTOF^8KX?86dNM5#AP#BS*jQvJ? 
z-t^dLa{%6&Tz8Av6579j&rBXrCDcAOor|UCnoF#y<>%zkHLr3ph1BSNiA5W*`EGy( z>*Df+0AzspndwqV9A@I*vwCuIda3D;=8bJGnp}mIkpdNcHT>+&1yKpU&%nIulJObq8?j z_H@layW1rrb(7Z4IJ?1Nwq>`PP{Z}N6VCc}?0F-_pj_r&HKx(xbc3QCf&G^IJ>R#R z2~rYC*|1fvg?x2>G8{jcieV@!Q2tpDmc`Iu{#!SIQxrDj)j>dV{TkcGi*Q)AV`86d zbzWiBNRRhh2?}r(HA!;8CXl|zPOJXfgNS_j8sIuF$<5@^LBFja=pCg8r;gbI)9Wx( zZR_yXBV{bhiZjtmFPvb@GqP?k*-AX6sM>ZY(J=e76IoBCZs>fwhAsPasXGR?@374AHje6SAmMiJ-?5_;caHZ@d9oJvyA_woml9mX)8Szv zlok$3GJH;g6ru((u&DJ#^WfMWE(}63K=m|M3~)otA&Fy9#euY^b!)Bpu07dDNC94G8esb&oxF-O za_b97i03coqCZ?~GMTngj=fzhJGgr7LY)BVhe(8}B%TEG)M(FfuUXVMFH)_M=7*q| z9hdat4%*08Z`0XcF&+j_H7Ak13vZ+!Gy(4^u@Tei6ztO+k_@B}E`Z(3t(t9aNpXbV zPmdd#1_isFoipa1u(pNV1A{(2A};e?Wl9rJY@L_S`^!eI>Lx&n-~-{4&^~o1!k%Pb zL16{>q7M|i3>Ul1yS)(Yuzt-!leB`%xu^(xYrgJ00}sXy;TK0ESVZ|z+Nc9LTUduH z&?m*sn~>pI1QFU_oqB6(#V*+2y=k{jpb}`!DNR|<5fGKv?RIt(KU_SUeR9&ZiCvZh zmW)VzA9vd=lzDG*_RyQnk(_Loi%uHGJ8`A$!`4DD;Av1E&H5e24zW0Yx<54+f00a_ z*>u=gE94AU&pU?wBfSf`{(>Xpa@>fI1EC!1r*vN+;Cc@9QIFtt>>|0?>KYVj&#*L< zawqcjwl!8*aaDYG+Rmk@zO&sH%Rv-K@F)9VmJRfoVZHl7=s{kZE~*P}Csoko*Q-U> z1uqQ~Fu;!PRC5G5o3!N8C?(chk0o&c$mQ_J$>wfE{a{w}EK?8LYI=g|gz*ga{iMa4 zyU-sx{g^Iy>tQ2WF-1Yy^CGSh&O$8a2cAa8Jh?gr$d*-4L#=JO||63eGHTR_>P(I3qWA=&Oye2@yZVQz^`pR0#|2q4FC zn;bNKdV=Fcy6|e{&#cp8znLC4Epgv9*J(VY_ie4kVy1131?T#&_%*0~z@0(yl;MR& zdXvT?=v&Ya`W+ch&&9<{`KCg^^J<}n09dX2YeIUtwI!dfG`I^Ylz1fTZ4f~|eLfj| z;a@i6us+SfvKE9LTz!c7In^7Ts6q{#c|qwPVc2sU>rg^2wl&z|aYmrzYL!5RJeAc9 z{6keV>G>5q4A>CjSLSFd4cxMdf95WN3&vEp_NJ=TsHeV;#@vJ;+;z zpD3wQW{^0&Axa)XzUwZnuEcoIDH>|(cN(DoJb7LB?L|L{umRHM=xy#mbj@bBWp}hhRJ`f~Im=3|5a>vXmJ#^?s;65bV2$5inS>#ETlbn8QLqhAQ|TYwj6B+l+SVc@*9!Zk4hvu7hr;;(6EJYyBx1|Hp<)hiTFh%qw z@})y68(&QkBfIb(AQlbMS^b2vA4pB|b?RZP%JpPkk=Bht&glL&Eg{D%o*uhR5^fg4 zdgbon>6#a^3}v86*RKGuS~bnGUsJcWRzuKYJ#nhZHs8TUo;b2J91`267W?V_e6R&( zl3ZumMq?q-xh4<^x@y)GiCr}VA#vS9C1=y-VmRRLEq7a=CbxM=Glp275XKp~M?f~# z)>@D_b=3M+A>w)=R9goN*#kf_*GYQb#^n)FF@`v4tkGn_o2NY}m-7-5vtnknMuB{C z%Ja!jqRoON>V_1nnTeber0>dIG)0EqZ4P9g1Mk7+UOW!V?)3!Ff<3t09&(Q6js%SR 
zyq}9UwhJsmmDc)62Tm0tS);{Tb4_{4(u{WbAbvm?HDil>d#0XjJC>bP9M@oU&)A8d zF}q*~TqtpbaMdJ)l^LPZa6#ydQ%GWW`7A(%&vwA(bls_ z1C72_cZifl(wVa5z(6e!8uv60@hR~I;|Ag9G>K6yCPl~%`%?Oar>zZPF^cy(xCP_k zDeMP_nC`p#^kUE73Z>zKmeR(sK}G3AO%$-naoTYM)@AN|U?IVJLuMQ#tU~}p?a<7+ ztxFS$0fO1}ULAGBK1IO9vW7?6v)6d_FP9?njO85fz6Y*F7Tvq!+!MjYS?T%^j(mQe zE{N>bpY=BH!PaoasT;+w-esH2FzrD&(art7xn{h3KNsR9fo|CraV&GES0IET-S-nD zK#Z6WFCi@;1ZkKHvp|R-8D1UnfvZzh6?S*2Gawdw-|l#tKGJ8#U0Ac@1puO}4pm|R zSray-clnG|7)dEI61%>PV`7Q|6L|%P*psbftyv*_6*f@p?_LmaN1@@iLlAt0W#8H7 zdBxw;*4d*IsL555Gy_FL+brR+6Q*fo)Y7u4Ti}vjXvd8)dYz#KE3O>uofyx3x#zLCI?N;@RH3xY z=Eo_?Nd68B+8A!@ox-kdhX>CVRBdPRT(L<So>&-Uykm9UqiMMd-U2Jy}w@W`~^9O*LdV+o0Hv};#$)d#X47$B4E?y zt3ENOv^0e!vRRKy??GsEg)f_1%zLYdX_G4_OT~%r&hjB3o651)3+&Q>nRD~`^MSna z?aPEAU_GjQy*%~fncy30LvAOtwfT(KJOo0*>-4uZz~ar0nd&@$vVkz3pU55FPulZJJZ<)w zaZUUQ^bT+W%zU{~4?YqeXRa_!~aBXUsMS>`kdyk6`tnPcY#poxm8gFU>e z^|Nz4z1q1a_%h+vawdW&a`v99t&+_Lup1CHYpqvZyI3lun-!yK$FKDqj4%k<^WCPL zk`wwO$Z^#iQ=%%&xpCl+ReWyTa*J=_bjNG(U_+^c?wecXLG5@Fl2^LV8;=5fl2j-& z!A4_-XxFPsG~_}~fdIcR5qx6mL20)J5Fc^cMG-_jtoivopL#EZFkp!`I4j7Z)pR%s zi^;x~4XPtz3DWVGY^@Yi%6DV_&kX5*`cL;? 
z8wE|&wbQ5zeplbp-ywG-?eeI=pHpVJnl0u_5^iI9$;=RlLH_O*jX%^;@i#pOu45L9 zkAK3SONRdZ6RWW=f4+~+De{9_(9DvV)6|UlAZIgrzWk>T@^8A!-+6N1c3y+3g;j^} z-0m-yg43?ozj*YY-VcZWzCF~(ublax>d@y@`(+A7SjvgD#Sc|EL%ZF)Zib+at|dwgif;aB@vmEO>n&E{{EJV z*vklqyWi&FtzRkAwF!bc^@QoMTLNgL-=IN#6Ar!teZQXPw)uT`A~wj~qsUeSoqnM8 z;`DTe#Dt;(?X&rHIgJ($Gn=V3&8{H439x4WO{wsx|epXT;cg- zu^E3nGY{UB$BubCUy3}Jl!u^^#?`uv*JnLaN4utS+Ma<4<_|qgp3&BXN%1IFcX|>P zG-lyPG1D5#8WKMp)uaXvVc~1`a)MM)WG@MexyRSY2t&*)JtOel9p{skF%1fmf_Kk6 z10zJu>>4SC<0E<8ky$L9on_WcuvsB3HuNMLE1Z9s?&N7UBlaP%(5|rTI}H(NZ5}Ad zz`kdUgMB(1k{HVi@W;)wqDi2Asg-AMX4oI2oztR$7F-?@V?U$McYaRyRIMBrg6sAT zx&_+8yXA&7UN0wVq}sWhUSqsg=gjPYobR(9Qwd#x+NTrK#8XO z5GnWhZZ4X=nsT&!y{=S7XP<(Y6oMF%STydc)f!TS^jVO0@xayq=!Vd(l*Q2Hf=ZZN zj}bK}0&B3`=MWa@lYH=ubC68}8e!?T3X|uc4*K9w z2gZ8ccYU7E%A7K&W7#WmC+vY^$YyWCQbO2vB0}i#uI|#?WZ824gOX1jIi9oaS(rW# zi5CEGu4oQITY7}8b|%*S&xQFq&KDZury#opdsRIpnKwbgs0HA_Rj!w#)F9sm^`pnqBAVrYhk#Z)7 z5_z1Yt68QaDJ;}&d1PC^5#}-lo=M8%@$~w0ZB)6WeuMeMO0%-F-!`+a2MxN}j8=6bZ zLR*|yGgd_8QR1zD@P@ipJz1X#SKj*YM|&IOQOsk6U1mu7a^0cYUk(tCV5iW`me|@&|jVrbr;!Zuh*8Xmrz})X0AEkdi0EHf3_06^r0*N>wkoOl~iB@_9}N z;$c4D@yB?pVR5gShnu?s#C{o3m{*J2V?BLkK|ia~OoSkv%qwI8nAD;KdlCXs$md}% z_6$zjnLN>VU4n0n2}7Bv083c<3mzHOk809m?zazmRTTAuogs)um5q&8ZkAaalq4cf zXS{U_v^1_0_jF7{Z5L194Z_=bd@Uf22?gP0RA0^t;DVAqmkZ-e%olXwy8ITH0>;ii;xE5jK zLXh50ejsH;yy8z8zicxmfG!7829K-jC2t+w(34U-LBo!dR?k4&28i^zhun3G{VP|I zp+h}xPmr9#nw=Dz{P|AQJR(#Xk)4e<9QX6X$vMJ(aiBEs1!2Ow4~7|>JB@mIjML3h zNUh_!?^!}ERl04FSp6`UUt8F5Dj|JoFvd5Re6g(j<>oN;4_$%Xj^SwUQ?BKJh3;$Y+T zW)kz+O3lwAcb;;HXW1MYD5h@vg>)N4%Z3Ktd?&*blRG>^oy1w zC5by;H+_>MuT6E9llu#iW~Z45Zk2ow;4fJAa&*StVgejPFu5r=Z`?2I>bixPaehx2 z;0*XMDvC;zgjpQSt_Y`mIY3e>&ve?0EeK$DnpZjGeIp`KV|CKu&a=aUuI|!Of&xiK zSlrh3>E;OgJn5eo_hMG<@oDU03reQ|)mRq~P>nJ0_6#l_>bCIfI%%;5NPELq<3FMZTuzRVI zqhzw0vKyxB_-fBt;u5-^eUeSH4ww+mex$3(%FLI^^0KVjULseJEx547IP8hW0rC8V ztPb}uH#TJzI?$gM?vgts6cx$E((a4rJ?@)|g^IYBu6j1IHZufu>(fS_UI_AfE~m;Q zq*NqLUagfpq)Vn3kTcDLHBU`n2|IcD)a1pDryBG$VD>YKG>*CJF76MGA$FPiWftBb 
zY|Vd!WPT^T73-6y)C1rh!Pw6zMsz!sPmp{io(8_YOt-BUJo>I}&nM!Vf$o(eZSy|( ziN7VU)}4F|-8*Dcz1f$})YJy~ZEk7S3nvHNEC`W+(zTC6s|E$*5k{Sp*(t2KYntH$ zdwtDDe8z-}e|a7!+8%iPb`KHvRo)D(yTfi2sYqex-Nxx@F@*bqaC$8CPC2PO`+h^U z2W*|*Vy9uYd6wNtfBS3?euu=fI6d<4{a#mP?rGQ4qFpUy<&u}g?V=zgL}vHUqt_Qw zEkLpp5z$+0-DlMRzEbBux?#TQFS_vBDsP%&a)Uh>@Fu>9;OM<(ca@3%pd*4R2MKd@Wm#ZmLYV=$zcH@(ka zr8JLzPZ0m@;|Lw=6xWGAdy75}xz}B*rugMG#J{%@va_52j;pNCzkMWC+m&8{lD_@z z;}0M0cX$8ca~w7iEawixv3TF{>$PIO8E zk1x;kE(bt4R0hBO`18ZO&$pB4qYV-`(!QScfwuYR@avZn21FZv^!598W&F`ZHL8S1 zD${pExBvE$UO!48zM>FiML)zpe7QS{c-Nx+ddsgj_`~Oq@4J3J@B2o7QrE9nd})y1 zQSXyc_2%Q<5ua7_dQ=YGiI#ZR2#@xQNB+J>U!M2#@;`ju)oa_KYQoQQe6LM|@9+OE z_)o8{zg_cL!n^IJVO4l(iIH%9cP-=;gBz6Ay3bNSZ~1*GW%c8ihQ#&%{vI#y0fy1q z;Tb+qhv);FBflr!f9snZz4+N~zn@Nnu>9edL(4?tw`o^3<3|y79=gQ)kPq?)tokp7 zynCkze~jz+$Ir6f&-`^f^6W205bFGO`~=>Q@1gZ0Z~^a83is;g>^cp+>HBgax_Yow zKfYf7ZH#=5iWm})?-vfeF!sflvGJaiq4D*5;$4>?zZQ;y|G$6v?neLGetEFp^-=wH z(!OtWP9hBA_qh9Rq_-b!QuTTG;bV~E!7<9vm|-7uJnAg`TxEEKr(cf{@4@laGyG@H z`tB%!%C>zGHGk%`Z-?Gh`!dITe0yBXI@R^3C;se^G-^M4|LZ&MW5z)N?=Jp5@_^qn z)Q|7>XweX#Bif9vP1Gh|n(T_ns{I(!F8TJlR+xvHG{mpCSA>6zpSQydgTg}M3g-#R z`z+$es{HZY_+Q_C<%%*sCy!UuRR8v+J@fQE)`m3CKgz26yeVdz&sW?FZm8V*Re#q4 zy^F_vANYQ<`uOq$Z%_MY1=Aq<;j?=&YU(cqyodN_0bifbMiCfL5rj2Rcf6u)1Wm)_ z`!@PAeSays`Ka?g#!NwheOT&NrMa%u} z>*M_^@h<4c&oZKScm4SFS$-N1efekmJ$iQ@g%q0K(up`S|myyMp!;kN$g`6%S`TlxMTy~oe{b$>rHD);T~U$5)&+Jva_ zyN(_{EgdH8+sEhNYDXvx6)5Um$*S*A_b-q5`N!u60S(sn_2f-1E& z+86H|hS=u?KmK&VXL+Arly`T9@6U>YwrgM8lg@3`A#~1fK_^ww>ZvRSr9{GHAP~V^KME%=$<^43- zMPNkWp?@I0*-`I_^8Ho(YGHjg`+I19smIsP4IVfu>h9y`_rHl^eB!^Dm+w~s1$;3- z-b1+hHksYfkq|z{NB#3f!4nl|xU|I2=#TQ>F$@C~520YfJ86%n`2Jh*Y|K>f6#OO)%8EU{G;{% zazQVCTmS!qn*Ude`EC9GUvT~ZHpPEi{eN*R{kHo5ZT0`#>i<0>{I>f4ZT0`#>K~58 z-&X&>t^U8PjQ^tR=KIzCpK;*)Ke77%;#>UU!1?AR_|>(iy_~-clulxT?a{f;r^gpf&f4QXp;_?5#=znZZ{^f@H`;YwX{l7r2 z$#4Dt_qX_e{K{YSKX!uZzQKlS^bZ{ee|!HkG>!P5-`@ZKct8HVXa1u9uh;`^|Dj#~ zS*^dl|LFxq|JMJ1Z=e1x*ZrdZzkC0G{_77}Ta|xHk$-Y7`v2GB|43>%|E2$bMj`3& 
zH~;^iH01w=AN~jN@$t`1l}G>l`;UJ%u`m1%1r*=gm30G=$qx;i+t07jPXGLG?~}jA z8hqKV{L#bq`DeE1`+6(NufKzu%sWuv%gOzF7yf-ncyDf2^=DqG9kty*6aVvn!_)j$ z7N|9J-Z_s@Uf z-~W-B;Pb-2c;XrHMaY?chZuZL1;2haUlldtNj`Q}82$5SCI0(+via5N=BLUYny5(o z;^*5~9X$G86Mpy0_cPNk%KtV)eOKCNB;+sZ{U@{6m&&1f0-~P~k<=iJI(Wwyj$dm} z{7>TV>5l*7*ZkuB$NCSkpoqHu7D4)tsm`yz{}eN4{^b$t`~Qz={J&DlclrN3 z~zXUHsd6#01A9gEXV5tAh3 zhuAvP89+0lqjS!e69z!Le>#DK7>qebfsJm9gEoBLL=gDIa?eI=$r7oEr=AGqob-|9 z?4F_IC9VhevQ6;Y!!PyNxSU8&UXR|zq;(6RgZTT$0$n{hWrSld~1$BZo~A?DR|-bST{Fb^r>|kvhMB18NM=H1ho$@%dxMbI`KZboTc7C|siRr<4Aa zUhL^hgT=aVqaQ(OR*JYwf@0lzXFAbMXCNf@^Vw8^rG9!g4S)n6U{u|V2PytMt_ke= zr{ju9=iw%N1Vsx?hKy~$+(p;7Cp-erDbB@+O|%J~y>-u2?w1C{3b)WaIb|WwaUrq@ z@yKJAXcQ@_++Qgr^dcIcJM}4m3*~Ys>{2;lzGHEJ82sgSLdjTU^U@L08 zU8gRXF z{$fE_R9ze5Z5OD{=?%NS+q~GdsCkulEP8OSh@Ly-E@yha376o zjK`I-Gp);FY!wKqBWoD>?G+O|AfC9L2SUe5YsXxISxLOek{26ax$@Bc7-sc@pvqy0qvLxX2$jL&<~EO%X7>0Lb0Ce+ z;U;}1j=n1_DwcNRN>Iu^iGA-D`#L6B_DTHlEc+jrWDT8Ne3^I#bmOs*@XqIuHT(71 z_b*Mp1SW`|XJ2zMY`)A;g20_5ANi@F{LKCHsmFOc=dvT+ixL~8`204H5Z^#De{~{p z6fmG=^|iVKIK#3!r+l^>Ar2xp9SlWh9ge-OK%Rj}*Pnis-jfY_X>-|nIzX>b@D1}K z8tfxM)@o*RwRAPDr*WX3`(@h+R~r{Zf;GN`=QK@yfK{#o^PD;}c0A7X?ryPZYL8CO zEr?s8l16fe0`F^JcNV}guadSN+**6?=Ns}dQ=#Cz?zfpXe@v3u>$x#2dQV6x|i#D{e%0jC(7#a4St>rykD$!#v+L>aryk+id>rP(FTg>;hg^XfLo~hR~fdmId zBw0U&B+0sn*4x{8nY_B^v2jn2#x*BNnb*Rk^DLn^*W3O23F3%weVX2Uxl~3c%WuY+ zNW$#i_thd(&ownaWmnJ#Cbzy%=Z@6ZcYI_mxjKOc*XknaB(xyawW@ii7gVIO&0Hm% zBVfAW$*%4#3qaVtu(acF5t7V)L093f1jcn#r)vJBCquEwT9rFS7GSK*YN2bZ)FxIF zZI=zJNarqetFNJ(dR%n%U8*kW&^W`5q|Jk-FlIyFpm(lZ&4*PQP|~P%`)U>4lQ5ds zDuATC?aU{eXXwzI_e0IlS;W}H1{@{)8Py3XXdlFmz}o^VqbH&3NHDxnPJKKO9+I zkq6yq2Og#x0b5NLhwbV35-&PJ%|C53cG%m+dJN?_HfGZ3&z`kkh)-}Q_g^fFKciz*u{w?!WnF`7bKzZC3xSR z9fs2%+bZ^1dWG_7gtY|OyI2v^N`!I;G%cq??AoMj|G*G(BhnBpt&YXRj?BenOY;oGA|-q1W&4!Iy9=vL z$m99CZf5N8RK){7GIRn3QGZky=OqD7hkH1+UV&k`sYhU(eUZvP9=KkY_5|GcQ06W=sqo z_GZRyAlIg6n{*OT`!b0i+;xrPdRr#}klVI&yB_0nV^ zyLqjS6t`S20?ua`MOCvreTx?hDm1E|!ur1Tb!l}3l$vst6Gti|(6Sx~TavD%^JkZz 
zPsiP@r=K$_8uViO7_##0vP1{IwsDjO<#M;OeqXslzalrx&hRITur#ggoIj@pAS*ZM z8<8)uX_Fd!O-ntNO}iLOB3;VuSrCFd*SE_^(}$ybcnG^wpc(yi<}8HcX6JAHaybzO z@t)EGnMC{~9Gz8aE$A5RuIZSZ9`~tyRkcY7;rpE@F8He1Zdv-iU0>&``97a|y+84` z5$7c^8v2tr3ju)UsyW9JVW|OWsb~jj5W0wq~u_SJ^yjq^?;T7ro zxl(B^S_jWgxVO&XY?#F3cByl#Pa8xT3@lAOR#FnJzFmMI1MjAt6zilpY_ky>@T-f? ze$HSa>=i@OVZOjt8Tj{F)g%vZU=zrBvJUzlf97S2mF0;Ddj;AK@6|S!vGM!W-#Gd-~NasWbR z*rZu-KhLxEh3eW9XwyV9VgyL(PS^CH?^uCa3}xf2zWC(odlhuYfg3=`^v#yoB^ zmkN_wYwPZ1&j|lO9k}Bo@646Cx8rp?R`jC7TJvn~=dDr?*AD2FNTPKo7?V++&*VyH z?m-OsdTq7L2ti|4%Tot=mKn=FNt=^Txqx1To^WK&cceofRI2Om^7%Rusr9sJOaBnx zq7YPR&}nO;Q!fWQy=aX-IZ(ZLpGOwt1L?p7umNPVgZ>idx_yH#m_dGXUJ>|l{OQNH0VMog1`rlyUz}4L z0ji14`I$pIzIuDL{+eM#{57xECSxHp`1UpGx^%=^^B0ajDj|ZonFlE+7`AxRdF6Yf zcgvd2$(e~=Fh30eJb)qOlif2uBp0K1X6p_MdY(|SKSw>?!*R8O#jNmrtm5w?fOBB5 zE%#2q1@iN3O-xIbXYzJN1P~%h!QU6*?0KlCR(Xtdv9lO3`_n)bce-PWUhaoh*2LG# z^ROLb_uQV&TRPtyuH1>J=I5K#NE=(Zgj18zo+Z2xRI%cpb9oS>-pa)(Yh?iy9Xh>i zH=E`2?yiS0U(r6rul7V6#QP;grgUmOyFDJ$N2E--Dpu}CqmMh8XsDHi)3SD9 zv+SUOdS!e`oXi&0nGjdC+}88g{k2Ny;xQ~96A-JPbe}E5ArrbtYMQe^b%DJ+LUN50 z&X-Kp4S^n@~o#F!E1p{KT_VNSmowix@Atkf@#=8%rIhEb0!tFD~-9;-)`mW6{Qf1 z2y*k4I<{X4&gKpz!$SvbQ8cM%d#x-7t+l;zn`@Zg_3}CgIy~6LO}_%l{Q$p?t}qjx zbRM_zklzKNgC1;l%@_AwcxB47HgR^B+N2yT&(88WwvSBj$tx>h?(&tbv`xZP^5FL` z3ThXt#Xip1Eg{H{skLI-N8z6F38RnIcCUzc$!VZIySL(3=hEGA5+4@V!BlRx>BFyX z#eH}(#r-8|3IDpo9S_Tm^RUQ$%Bk*=X9qxgJq+i|8{&)ko+Cf)8X-2$9A_yO<4RA_ zZ?m<3AnJ$XyLAUG?b?gmT?^{8BZzIr}5b1Bg?h^&r~ z)#dxLim$3}-ttl;;th4~7{+vN@vh$nQK@d&#H63GrBw%hf0EXXkm-FnLg?d}DSpuD zGs;|Y?Qp7FQ4xuKeWJ^J%M8#PZAx+~PTU)P+=e_TrBb~}?wd}8akO5R53{X}pgu8$`&l~sB z(6d*t;3oW9Cd6X(iV6YS7~Wyu4$(~9ZApX%InNY(^;nlwb7~T zfS*kuE~*jEbq>{$1(vf5h=?YDdcPj4gM8Urt6}4m*VB%jPp&~Ohz3=NoO<4D5V#{N zjDeZsu)0FJ&@$$SompCLzcMFH!g71DKVgHx%snT~;@RODk-J!1OZleVjpnst#ACzF z49Qek{!GmEimBaE$c%2eUqRDv&8-#avO(~G6h*7Mmgze;(ugXhDR1lOJIgUQc`PY@PXEu^#`*j_7}_!+&A_A6S}iu&3Vv zi;)0s)BWw>|F2E?>-+yC*e28;#sAHr0PtJ<&;N;$_`l#w#_r26eaQk0u>Z2YWIKkB 
z{Jm<5pZZIAe!rBWe){n@U-Gx0kv|^`@S89BH(&B^zU2RWzGMVxeMatZtgPOMI}NTi z%P*}x@7&jYO~1%)@S{nrEN4Nnq8F1>5tea4ftuA zL6>Le-RkZxrHpXvSltclZ6Uq|wl zc}>drGIq%-uaYN}I&}RqwB8|n=#!!D>N#uFcY2Tx=kdC|^C8o7&z@Z0D57lV&a@r9 znY_6R>cWStOw4cg)I7d9kJRQBPGj>66dEG9hMiMzUu_9(rhHWvWcLN^Hr*!caC&Am(;%DJhX@Idqq$A9 zwRIiSBYTqakTRVr|)sH)2+WNN@0f)q%IXT%w z)AFGi7v}|nPc%q0@7Rsp-Hwl0Oiii{l^fVNmnVmZo19;ZT81Yje_aQG@Gi&eWpmQuAQYme(N@ycbuu|DSwtH~xo#L?tbK-qb&UZ(ygk0a6}uDYW#QpHZ6 zhUK}8awry?>%r0=iC@M2NuEqu*Vrwl$7d$wQ6)lzjO5RbcMZ0t30Z7{3!hwOkISug xooD2R_oLD^q}BZYUwL^+QE+Z%h<^xhEE-s;jP?fT(Uu&wV>ARtLttoy002JDU6ud< literal 0 HcmV?d00001 From a37156c18790be5b0b27b449806c414699dc593c Mon Sep 17 00:00:00 2001 From: Alexey Pustovalov Date: Sat, 2 Mar 2024 15:46:13 +0900 Subject: [PATCH 22/32] Updated --- Dockerfiles/agent2/rhel/Dockerfile | 2 -- Dockerfiles/build-base/rhel/secrets.tar.gz | Bin 141312 -> 0 bytes 2 files changed, 2 deletions(-) delete mode 100644 Dockerfiles/build-base/rhel/secrets.tar.gz diff --git a/Dockerfiles/agent2/rhel/Dockerfile b/Dockerfiles/agent2/rhel/Dockerfile index 97036f893..4a07e107a 100644 --- a/Dockerfiles/agent2/rhel/Dockerfile +++ b/Dockerfiles/agent2/rhel/Dockerfile @@ -56,7 +56,6 @@ COPY --from=builder ["/tmp/mongodb_plugin/zabbix-agent2-plugin-mongodb", "/usr/s COPY --from=builder ["/tmp/postgresql_plugin/zabbix-agent2-plugin-postgresql", "/usr/sbin/zabbix-agent2-plugin/zabbix-agent2-plugin-postgresql"] RUN --mount=type=tmpfs,target=/var/lib/dnf/ \ - --mount=type=bind,target=/run/secrets/,src=secrets/ \ set -eux && \ INSTALL_PKGS="bash \ iputils \ @@ -69,7 +68,6 @@ RUN --mount=type=tmpfs,target=/var/lib/dnf/ \ --disableplugin=subscription-manager \ --disablerepo "*" \ --enablerepo "ubi-9-baseos-rpms" \ - --enablerepo "epel" \ --setopt=install_weak_deps=0 \ --setopt=keepcache=0 \ --best \ 
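Review bot: Removing the `--mount=type=bind,target=/run/secrets/,src=secrets/` line in the first hunk, together with deleting `Dockerfiles/build-base/rhel/secrets.tar.gz` in this commit, does not take the archive out of history: the same 141312-byte payload appears to be carried as an added file by an earlier patch of this series and can be recovered from it. If the archive held the host pki / subscription data that PATCH 03 describes, that material should be treated as exposed and reissued, and the series squashed or rewritten before merge so the blob never reaches a published branch. The ignore rule added in PATCH 02, `Dockerfiles/*/rhel/secrets/*`, does not match a file named `secrets.tar.gz` placed beside the Dockerfile, so I would also add `Dockerfiles/*/rhel/secrets.tar.gz` to `.gitignore`. Both hunks show only part of the `RUN` instruction, so whether the step still needs entitlement data once the second hunk drops `--enablerepo "epel"` cannot be judged from here.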
diff --git a/Dockerfiles/build-base/rhel/secrets.tar.gz b/Dockerfiles/build-base/rhel/secrets.tar.gz deleted file mode 100644 index e2f119b80d9987e909354bb778899fde8876f1e8..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 141312 zcmeFa+mfSLlO_CJ^Auq{bJ0Cm76=50F`Elc5=a68LV(ovTN`JAIEj;hr~kJiBC|58 zRFPScikdbX#f?G-HXCr4e0wCv<}21op2d;uGieZRoacoC-|MFPc0En{S{0@gMNBF#O|(-@Si5j_W~! zzo+lM`EUJi{d)bYW1W4L5rFgYlh+?yc5v>{$rPUukL&+W7|yrrANWV7`K=1d;_kZz z*Pooe-0y$B|1lINQSuM>KS4~We?6ghpUI5@{~y2q{|EFxp17cD;xP7{CiucSb>Khg zzzpiRDXKWA!4G67cOvkyJ3RgS)lvM%Q{B3?SH)!$7x|a$`RfY0j`hF(*Z+Dlj&c1I z#%b^bUY)inzC=MDRA6}jx2GrW=;TpQKV^;|JRO57c)G-C`s4;rMHf_GE>+w#LH^ry zq}TCwb@23WxAypSHPU&Xu+`c@u?}mj!wao_p;a5VZp#s z_|$wq&mb$C;mOJUmyheAZi4K30IxfC!SQ=VUV|NhBYkq7{%vTp=Lw{7-Td2iM^zA3 z0obS0IdST^;P|ie11AuI{<8v8`{Fc37JFZ)FP?w;g8hbn@dLMwzEova|9?>KWWm$_ z0jJ)75}oFWEAqyP!D)NqgDyymG7IwNX%#n5V8bWm-}&pNPr54C{{gw+qP0~DwmvpZ zS^sYY@%$Xz%g?v8S7Zp7I5?*b;)AIo*Qp>cQ$Z+%+6EOkfyn>74&qea5o~)xz&?=Y z$w5JWJrW;`jY3fwdB?yzfj5)un^Q1=f3H^>>=FqY4=GPE0uJX3_!0qg`?63MUsl5Y z%gbEAOB#UPKy{shea7K+^U3v{=Xk&f!Mo>Co`aF+Ag^1sLHS!5WY51#V{jZV`~9{< z@JZaH!Sw_oBsIgPI0YaCNl+w40pIfl{QT|q-|y=>;~xz0b>o*Q10c|}_4CBDpmBVs zasDgl%NQ8)|9P5`QxyGr&i?D`_uvZ@*npRJU#7oJ@GoIeeR(zr`ipZt<>d5BU9^=K z{Kym(r-{4Z$&9O}b<%hQZ;SltI_47?^GO$l^%MQX=<*Xeefsz9^Ozs9k<=N$o#{W@ z3XQx@5&;K*Tz7`N%of>#OT7Jhw9g0mun=I>AGeU|Sa{{tM##TwBbzeFx5qgA-f^g@ z(*U!`t_DK>BL?z3|Er0R4-@%=7rK`d`DP;1TPAWdl>EpxrnhY4Ba!8{*Z5`>Qv?LV zM?69AX9@sQ(9dS@HH=(?cu{`|+WOsyA^pyO(VB_$)673;Z{D$t^Das-!heJK)Q)dIACZ$ zXD9CjqrZt&-j70mI-ZAXxvOib0gg!17;sJAb29(sX0G!i1hf4*$`kiI%G0d`=N*&z znA3URa=?+j9uxA&fBwkA+$%CUfPw>r)R!x-m_73!U&_}!7f@3A!14-dMyhBtf@g(jA@1_s8-=x;^-nE8%}Hw{hj`(cjQp zKI5kfH@De(FybxW@$q`j?Fe(_>cOraRh+M7pnF;cU>t5%ael!pu0#G)c5&U;!!Yh` z7~fFFO%VEyY5WLlyaA(MvBtgq#W%z;eOSgnYZ>p+Xdg0-kL9-SWGmm<#>-?MmEZfD z$RG6~_?4l5gGBWoN<*&O0By)e@{pfVg^NB&g9bIP)A0QsK%av6^)%kA?> z|8ynq+aWwy_s?S8U$jJj7i#>jD!ZMW0A%=&pp920(F1FIQ>oo6J$crZy%8GXzY*_> 
z0e-iMKPnBumLQt^0-X4{ph7&n#3y-)TgE_s*cixv!WbTvlh3N0)IjJP1C42X75@ND zM;>_1m&q-5>%ENRDi;Q$JW1b;@;z_ytyuC4ZsRti1ysQ?GI{ulPxBR5?dk8#_)UWA zmSy|`L4K3*`UJ!I{m35rEGwQrk_fCJp>u|6=Ym1tAJ{_S$u!T zJ^Y@j{v~^Hv*i9EkMIs3{>olFg2yMY7q1JTej0s#CB=VKDftJX<^yB?(-@Qb`vHUc z)PO-f$|V0>ndD}X?B}86hs$NRS04P172l|_o)=6%R!@IyZS3Uh3i_A4qAWdfdes1b ztCaosFoD;3A>Zcp)(bpL;Cape$4%fp*m%$A8hl7{{wCQz&;+q;!}dfA1a!&+b-dEe&Wy4%h{)9rn5(4dRKz_ zPhCT9>FREVg`e+$a%ZCYPg8!F#6M>eUn%VW9wzaXxPF+#?H00kLXFUW{#^5$cO($+ z_r3WhzWq>&`Hte@O>3Ly={*`b-mlTXZDscDW;X97oHw=ElfP(Y^9fAWRi6!-*St*e zu}1X%!17fb^W)BqUnz(msbc<#HjR(|jKB9Hzf&Oj&$P?xzr};EiwHFMPoK;pZ9$*; zmyZ6`(-!pj2d(|D9ismky8Alut3fWD`|F{#QxLtA8ggVLB*@4=4L_l zFOt)*4<`9b5%$ec@;Axrcao7;P0gb<-hFHA@ARbntInG5c#e|sMxgNCiqIcbN#Ck0 zesO{5ZPf8*t`EdmOwcXs zQ9-|J1^w1VpWuK0s)NqTpLy9qGv!DAaL@eVy>(vi;ltnMRDVfL-2?!4hlt-+eZ9=~ zQ3}0(4)IRg)OT2^A7z)!w~ncwl3D(~F!Vt^y*{1!UKP=ol;QXGWj6`!86(Q%d@);@Epg^&{1>yQ9>1j_J8P_5iOqg--4--ulLF-fVJp z1Ec&b|9!K^)u#ZGmljtKByx8o@?QJ1n-JtjjQ35O_(+Mexz3M5&rNr7XN!1oAP-ZxrzyPB?>C<{9IZ8;Ya?j`jJ~9 z=iZLw7i{RAy!eeLc{z+nDfr$F<>!{v|7BOE_ZQT^E`R&SDmPB^#Y^Mh+J)dj;NP`y z^X`h-H#zVJm&)ERvH5+C>?5zaXI}GW$?2^u_XcA9;lkK^L(n&qe8A6pM~i1k;oGGt z-$Xeduk-&d8~Udr#kWa6!o*#}#7)WR2ZY9;ox-Qq_a9Q@`|8WT!h@Tn*WZK(H%YGh z!-K~XgZrAmpPCKaf(X|<;#NZXI|u3qdf@oO(>l)E{)uhl)DNl~Ej8YW6d%h*-*5N& zr=xo;Ui;L=YcG|mzpUKefSSL+Y22)|+#8vGUrl@|yF4GnWBvRc*Uvjmkfw1Hys`ja zZWiO-^FQy?8Q&Jrf6T+Y)05*(gTR*wKB%rwNnZZIo#Q_UM_-$@{JFvKby3tW*ul?n z=lCPcd}^4vwo0fu5yn$eUcPy{b1|&Ylb&w|~_n%(7`_wPZCjVU*h4mBtA5Z`O z6_niDO1>S!i<5bP)jNxo|4!H9Hw?VXYX>OlKc8hz8~1kj}~peK9=tte*O~- z=Jjc84=ee6D|xd#{`Si4ADPJ8b^RY+$Ne+yCm$g7o*?yGPWW@np?)o)yOG(bFv<**{B!yb%&T0@0o6kau&PTaM*}$<8l0mfK|f@7d17q5R); zC~rW@H@y0;8~Iw_{}4@f+Zx_Di3b~UPd4Oxcz1=WH*?=NR`3f@^=8)lc~JFH^8W;= z`X@c=8{_!uB7QIG-WH;MH&X@GPh zds%h%orvPKwcjr!oqq)*!R#MP&OYVIDX-w*W?J#a6Z{QW@W~wXD zH;3}Dp-;1+SJ3gZz3ji*&W}LHKi9ba3OXJg>+eo+|2fp)zfI7$YXZI+!|%BB&t=XD z`nfG3(MK9`=QQMxgu@kL`~YVD@v^^Qi;v`;KU31Wf{I5W_wcz1{Y9tHg#iu~RA->z+58I6CebHR0I53u-YVDXQk0soEuyP*MW@~MD; zeuRemHj=Ezc~d1 
z_&1Ex;C~|s5;PuCo?-+X#uxBQ1fZ2K3w7~jCG5Xcfqw)KC8>fmaOwc6>$D51IJ|B? zxxVupFQ^*u?s*hYLeCJ-L0-3NgYvgB$ew@qyuRRNzu$Hk-2y&VL1c8CL=LY(`E|^y`wh|N8p<^N*qbd!J-vR~qRz-h|S$b#v`1eP4Wey%s zIr}V0!*}lEbuGk~Z;$WzC0g?L$Bz6;_p84SCf{cH0Fs{xByVDhcgmbUi!6RE^?Vm! zJkRcHxCBuWeL##WD*712K%syAU;C>AuL_#_3dz0zMD^u+M0Kx8p(sib#M8g7ujI=s zicO#2gO8s7o+eX*q)42YVB`}zp)j2I*AsEC3A{H>3$9rOrsfw-9)!(b{uKNy4FB@m ze_am_{Cz#Br+0q&-|DOPuK!=C{Qma*!FeI4FW39e*MEXx1VO&N{@8>fr~i6F|Ms3f zu)+W1*Z<4)j};b@^27t1@9kyh zF4A^y2$sxh3udwtxagwnGV>$}$0Ou(muPDd$vP4CGP{5I!R4ZU{ejQ1n}e<6V8BY= zY8NSb-U-jM&Gukv5wu;*QAtpaZl>1Wt#x_5ST$B`RjDc36L!0u4x z1nK4j7sKwp?aVbdZ`aa!k&o&6ST|}%9I>z~p-4^qVwDBuEZwU4f!nz2km`AQaE%?0 zPUZ(=uG)u9df2%ucmbCVxmONJyXnY_Tia0x<)pewzy{$AbzyZ+py!=_Qd<&jBo-db zOI(HRSuKwnU6;kQYC>3yyG4>4oXp#ODMR6&JL2ilj$2rBOngPTsZ*@OjIvHgBT~|g zto`0-kv(3AIuXFt-@*#%?z#C54)WVco>DYWh_G#0u zvrTa!^fGgeL5dw%OyOctj5e=Z3n-)W^(io>Cv`EKY)?mSRG%VZAH0Y#ne~Nd(X5Es9KynzY%$63mgl$#RY*mND`;*1y;N8 zkUUILne`Uj_BvIKJw?%yW3&~|991v#<%4}lU7pF_ZtMvQO|t`~s37A+oaD8P0!M-> z*q&k7?SVNa|>VD2rn7m-$64`P>=SW#kUxkX)%KasOUZ>H7> zLGX5c#NC;bM4STdVvLs*nS`ZiU>2Jb<3R+z7OdK~)i^!W9EVLuMfTuAmPZBNYBfpL zr&yTHH7S6LfX#Fcc6DjV;3zQYttn8DpyA@O=`uYulx0=NLn&J#UM@R3oWU0jhu5iH z(5E^Py%tNs&3sgJ15;LuUW~OCqai%@`ofBj4SRAg>%fZEGtVOOi|>%uY19wg9B!97 zeyWbX)X|~5txcHlr0I}xSb9t>h@T;o%vfld9n(dgq+vGtR9u27uM z)AOOMbWu$PXGWBMhvPk)L8ianNSCHc1j63RPRH(vHNP?`VXJz>I5In5Y%)eAHtSkQ zX_7B76X&P0W5WbVPnk8uF|9n+${llV)Yj&>PH5^S&eHL|!{>{6Qk7L@a~@;NBhE6H z%@C(@ei*zhn#D+OGmzsI6SYP+$?_0Hte6PW-0c!Lji7pkB%NOa)az0tV75~s|94a?^l9I($NWCF1IEQey@Zc8#M;>j6(#4|1&mu{^kX@2#O&Y zYe5FDPdsBVFW@Cuj%jFN#&qWBL`ol58Ocil@4AEqcE;0SfDl2l z3Mcm`8X6UHta=LX2xqOkwp;5owPt5$x$j}(IB;{b!8UH!8Ar)m2C_wmBv6bBO63W{tLw!fPZTs}32#u8DKtgap4k<#%rO(ieidw@-@6AVh=XLdgJN+4A|9Xlk>q$hDl2bAZ$XkbOa|kMbk3` zEkqihA+l1a;Oc~K17q>@JlKx(t!CrEV2Ai+9Z*vK`Z1KB?;C~l3?o*ej&*? 
zyX$wludX5{srAZHSrYE0V=&v9ycb09Qr$A@h^gmlWq82Eas$>wU4+yQF=I_A`WmbH3fySK>`>3( zh_;dNh$GYUY<9``T!=(t>Vj*tUeST)JLf^pPu0eDAU*HmNmDMomSTf2*cK=<#s^D1 zQT=Kb3Og8^BQss60z1mrojMTXX?M}iIAS7eDkMwD=5Pcz$7u$bc0=6f9MNvFO5S(i z-cM`SI8gK|IB^`}hWUA;b#X(EB^*0>f|$`(^C5&puxNe0;do*P&t#X&y-G=l6?GLo>%=md%&`kc zoKd4*r8|dn>UfinOJU77(~IZXfi8e!L|4!{Cg(1{a<%yqvtY8CfJ<1RpkSy36>cT) z>S~dPZC$a>kP$Sp6ZU7y^@()8Y{dbXa-t)_VuKTlLB;f3Q8#gE!@Uv}Mch{-p6|Aq zwCI}4Y<2=hYA~d(VoORe92`MpDvBV#uhn!$B5WrN1DWg@{V=c}^a~+@C zDhxX|&s}!esRK4U&>0$T#6w&`bcQ3Q&w`*V=3js-G3RKUG*!~!P?9HvDZ@6n*+ zlT+Q1J-MW4i`&9^ZphHMYlSV11~rm!dx0d7eLGgo`Qqf*xzXH>Bc6ve69`gV%|U$D z7E%n{>5zwwD45V$zqVjR6qEHVV3 zV&b0>6>4C7W!Q#lD$R1;qktqROMUeA6esL5DeU;VbPkd=92SFkVooRknahE&wh}4I zN542ig#(f_@u<=I^pI{BC%rr!qqrEjlX^lUgHQ~Lch8(jR7xTRu|ZJskpd^wpo9nk zyau$Yoe48>kog6X5t~Hzjwc6`eXX62W`0hO#}#ww=|a1B7K$${SrA7&jr-kHys*2C zXF&!VFx5#MNOO)TyJUrm1p}MAmUpVzX(ga1*5ZOF^3zsp6~_A;cZy z;?x$a#S#k(c`aU2oVgsg=aFQ%wKQFy+*TGdRah966!VI@+X2yrR*$fnGW}M(KmpGj zX3DXk7NY zIa!m1W%O7@vS>`f%bJ;^6`G)ZzTFZuqY$%zJh0r1*oK?2wR)@V#hKG=pw*dDlytHv z+%B71QK_=yyh4VQs9d~-cT+ab=TTkBp1zIpmE>SITK2I z^by}4L2%b8vjE<&^$tuUoidL}7pq~Nr!q#Q>n)|x8`#AL@AXw}7*qjIoX$}%!**#&gU^&1g7?RZZUmbyUBZN&-{~>PlbcOf{YczF(<%fZj_^nF!Hh| zt-?^(DTf(4&a^S(1k2Pt=$2OfXc+Qg7- zY;?70)}6vK>1~)*55{&{do$TW@f3r{7NaSrPqqSyFh6>UA&xEKn+*M`1BkNR2|h}Ip; z$+`~P*viA~d>mxwBJSFH!?1jX#|eOKT#`eXP{;EXp)JityFeBkxzg)!n~65c`&raR z=QFT7Kn^Ws*cccz0-P)0*iJq;X{dDMBxnq^m|YVVN~yd!JG4Pg!Dd}6rW|xOI_>%y z&->ju3XPc_^SbS}-GX5BEEP`$-O2$(kc*57;L}JIxqI3m8|x&imKiu1z>XssAZm7* zaNC)c=~$Yz!q}A3&~rmaQO=|Y3rRt_c(dmd{c!$|@vxUMn&(5%!hu5%I2x)Y*cZUMIcvB1o)IGo8C+lRo!01V| zb1p_I$tPxu3K&Vw@oAXi0P32gy_!*7v$O}KD5_PWMU_viw<4)-hqlm!)HY|Ac{F!x z8mB^}IRi2^Y=9>%4}N`s+U!CBq80;Zu*HTozg{1wXMQ%Z1*2LWG-W$&*Gr<453RO5 zBY80zbhp9#&XDcVbnq17Vs_(-c|asK;Pp$oFE5NJsHEQ=SMjD~jV@oTlg3jTHuSR# z8JRTUB3iYZ4MGpLfx^f&Vw1vR58z;UoOE&&`b^ij`m!wZu3<;UD3tOtPBbe6cUVzL zQdXaZ58mryyX={d>PTDFyq+1BUEMUUfyx07O-B^K5eKAaA4iCqH8rjtMkHiyPn z8=@g+!G$@>P)o#8=kjE&fS_gRBXc>#E#h=%MZsx*rnzdmn3uMq1(JDQde#(c0GT6U 
zT{zt;w%b61<{n7p?BaQV%tx%A3M6J>QEX?k({#GJlm=YdwIq zHDf&9vkB+xM50MW-5=y)fzB4Y={$vnJr%5%VV9&myccO> z3KK&CsqGr>@ad*y@@-NQNNAy*R@r-FJ7_C2u=4E+-KYUJvy9#0Mw zcosPx+KUShvt=CiCrRav&Ge)VyKK?Z2NmUu!$Q7HIaw@W`bfy5uu-RDJ85y;kw`_7fE54e!jL67oJ-DUa)N_tQ~kK z2EkD~OOxfsiL^!H$2+$I$tOZ`IWPd*X(By0#bR@;34q3IvY}{R?%HkHZy-?0Vz>Rg z?zWrh=AxsgZa5=nvYW5Y80s96cr&%mpsE!#@OX*nwae;fvFuqU+|9gXQ$jgLSylsX zNAyB&9ao#_QR%sfM^x0tKkv8&p;YmDr>^_}Fc(sbn?%k<(?Lx8DRA{`=w$oE9-H>Z zQnb&Vw;_Z=rZ!_b>5);tWz0@MuoeP7;1U3~3)W~Il<&0+MO6iW>V@BJT5ujc|ebrkk>j>0?*Jp%7#v9~*O>;yqP`L?oY?bSmM8g6`Uls^g+X z#%Fd)`rvM-yb{kvSlu4=Oq^R56NxJ2ROMD<;i@ioh6@1?EyXEHl{*52H(B#m05w@T z%S};FI2grd!Hc`7(Y$3M9rn>I-v_2-RWYDcW(eTFpf=!y>>TLJ_%eDmJmt-OCh_TF zIb7VO90<9v884dNh3~nx;)Cqxz8#ZIByVD9)Od~Y&xLj<#K6T2BtQAW9u_N zm{n^cu=g6Z@e;aIPIej>g*%Q%L!_9~Ww$`t3fk;IK*UUUrzm{hgfU!Era2qAQcT;% zjibDBnGv|6tYV}A$F@VnO|wWYSt;h`M4Ce&OBE)=${{yHsgOJcGP(0nX5d=jR3 zQ^yv4;gYdp0XVQb0}h}PMG09<*E2KU%%GslMNsG=x2xHS;xk|0^ypTtTmlw@2}sb; z*i2@|ndmbsl!wEq+mc3K9*Fe>w>HXFgY@NYHn!oZZjy4=ZY^D`A3$Fc%9UEU&b?@o$-0hj@{2?RP^?6%Xz z4k_?p#xQiqvd9?}u2qo*q1EVn4Z6VdJdGq`J@kNaJ50@E-|ncPpXQt)lw&PK~z3%UwW z5R0N?jI1b8kR!@&mw7=CP{;(+6=rdVA@{I>Ra%uj`srm7X3GOm17y3PSkkBYj^Jf? znT!X-GfhBVb+zYh&NHF`kx8V@B%?bMU6zH=NQXiXg~eGM)mV^@1he(B`k?Mrr}sT$ zSSH&!%ZosmGv?mvLXi-rl;o+*@m-)P7hqblGdCjQyp9cXecp6)CDB>Vu)4C`+p`Hc zk+{&$xMJp?*C?5CQ>fW>8|9P|wpm5VCYUd?WHb17j7#mml%OF6c1`bv;irL9!gM*Il#6> zR3Hm+lWv0b;C_eJJiNyHB%jWvIFm?aU9KITD-v?GEoR(ue$?f1RqShhZwhg8-0!7a z5#nL4PFdgvqA8@+jM**ZNV}jxMC)@cK1T_^#1vzSSw@2z7IE1cogl0j1CX~=$6%w1 z0lsBXZ#ej3LY}yGV8+t@`o!0i9PZj_B+xZ2X<^G$T^+F)u7i{l!TCZBkAVD9aAe*$ z9#J?TN_9{TAdVV`p~bFFmx^W!JaR)<2!51ogIk1zJwX4TX}g7lpe7BO}4cc#nW7Z zD4TFoZPu90%(wF$Ynmh#NPcl{`r7Zzk+;U!MOk*O!y(y@qB*7J4RTsnYRSn9cmr(# z6}w#p+G%Z9c-bGkVz7RgEiHRlP*A#cL7DDBeF%Rxxe0>Hw|GrrUIV==df5?`voCZXsKO9Xi#?L z3EdWmM+-tdIn^vul7nCQhOG~jybJ@=U7b(tWtqbo)?{Q=o4Wm0N1H;SP)m2ZK9>VL)4@n9T2S{G9s%z&44{nfj;QaB(b%;V11V| zCV0ipoDJs53Cu=QAsmzixA#Fh;g|FRch>C5n^P0B+8GP}GNPME2c~>*JOn_lgO{z? 
z6xAYZg^zG63thCDPubnNn*e4gPSy;$HGn{b6sx}UI>Yx;xWoD*0wISzbpooFwCg4p ze9g)Oi|6opzPJQA2~}(oDA6RCi>DCa8Ipq$}2%Bt+C58X6S{#vvxVl?KqV192-KQ5RW2l1E|}U>d(| zEJ{lh`JyS!f(&O)yW-Q?AvsYixo66Qf-mb0e=2+lE!l{GvV#aTcKBsQ&dJ_f(0QQ7 zaZ;e2&n}pF$H6UK$cR9Frj&J;cz%Vk4!6G;DpWi ztwu$j>w)AIh_vCrm6PAYM!3gQ|cIdu0&mi@&L&IV3w7;%h+jBVCr0OT3ngQ zL46S11uhkQAGvLr_J@ok$q5@Cd5g6f5%@XYZteL9O*0rU?p|Ja?pXjefPHRDmB97D z(?x4^32OI>sBb7+%@bWMnR1!f7~_Q$D1RI4V={+m-;GPtC=Q|)lIHd@>p}216_Wx~ zCuFp?!fHn@B8gW=RU_0(yI-*r?Yxag+ z%=as_!K)2_XtJ}nJk}GfM;H4NAhct``TYcVAc!q|N@SJ_yJ|K#wg*U4G)6O<0x4W^ zVu0RtyGjFZWX7gK5L1WeHBNZrnk)h1DI>9Gllk5J1^>S!fmQ}7sOFURsqP@;J#tx4@DVxOXSRGq6 zcUGaF^jHEC_*oz=TX_^k^rU1JwM~xh9E#WL3`Pd-bNo%SHK0@YEsDr2!&148XVd*T)@HA5TW;_~kbCj2P%YvsGrnL%RsLU4^jwX1SeS2EXj6{k%T~oz}a- zaVDOq$2IflQA{sE5y7;Tn0TJ%(58#tt*A3#-|daH=8nF zNX!LKs5;HD%{1`Oo!A%MER6;zb4h2bZw~X(7VA7+nk*3lF3CxOZeZ!Igk`mhKwgnL z$#ix&!i#}W*wXNb{hZO<{mO<^{(>>`4e>g;WR(DId527(Se-!7F;gD?~VsKqW9 z%uw1MJl9*DTU<_??V=82NNAJgd8!Ha0*GtNwRdy_e}gQrSr5okr)Hw*@nWdlK(8IT z6;+;gos^yn0P-OxFJnrGBDFo%3|yG(N1>Nj=|qu%WC@T2-ee+}q^9?P0NE_Ir%dW$ z4#>Mu+z_R@b;WVzWI3#FrG*TLbfz@KhGQgiNeGIy@TR-I5M$1{ zv=kiD3wz5*AU2lD6s$=o=KHNiGR#z{I5(22en&^8JI(4jkN{4OGK2Ak0N@O>TvFW0 zj-VoHPbC`NT zEyp--t_u^w%x!}D^Lj^_0gZaNX?6Hc@U$h6tr5&V*3at|zboTT?pC#^j2boJD%;S3P>v`~j(*UK@x z=$*62LhXv;L9{~8>w%xo&zMn*7yGDdFbxz&{^6qd*m2QxYqu(S#ojZa& zGw;?)fuS3ap~q($HBb{nO%;^wH{{8i%tUYQC3`Wb{Q);!dxJzYhW1pT^i$K3A+X|S ztzGbA?7I^uiYf2Zo)dm(aOQk4C+9Tv;#9-2GpA#$ZzxJ~-dxuN`2X}eo!G!T!IcI7obRrrusPL7>Z z!Cs&)rT9Wwz}9yg7%0%CF5d%LGR%V_yoT;J(u5;48EAL}aQZwcPUZ}_fuQvT)U`au z+HDQ4@jU13@^TV8JBt(h#kM#_(`c9R%$^p7;>d_fzGYVtl1~>C!HXg|giLd#8~jRx z1CJ|#*^CaB^{Bh{X9a^brlMGSi(-msxI1_3w*b>cfI$p*Wq46ZeR_f>>@o=oYP-Q{ zIEg@MBV>rI%)OGHVBNazKpB4OR#$;3-6~=;u4tlyu}!D}K4?~n6*SUaqv_2lw`p>%19fKq9Pe7WFX+q02_b9M+kOIy)c9 zn265KBq{dpGR~YWFKZhsiCI4NC@kj=43l2a{xspYE;`$8obc>G=&={zqV}7)y($eN zA3AP_(^(mb)^aIV@}Tb2?LlAi2~SM}*$sfgkChdyTCxIIG-E=hB}En}=-c8MRF)J+ zP|tcKiRqL*tq6`~j*--}^ksbxnrJuUdxddqd5&P~S~ECzH-%KI88P2wvMt)e{kis% 
zGto&>MFU*}abEFcu1be^xt_1=TqeVfyV2Ui=$>Mxj}Iqx0}aPA-wS)G-WcG@pO z&neQ95_YJsf(0)?yK`xRZAM<2bNq!(U;riq+xD<4%H@UA#*n2Mt0^S9oO#Tb)En+V0+li zPMac~!o%E*Q3dEdPjVqRno=3Li0;YXRM7YJAF z?%86E&_@;+Tm&(%Q_#N@_I8 z$yx^_LWlhfX4YB03E3T{k`vFinegy2{W?czfEBGlDdXJudC7?!CM_f8!v7icb&RI6iAK{h02ED?%QSNqw4+2MAC7_(q_%Ue!3^qt1iWi}o7A13ggG;9`hx2&O@9^Ri_OL=^dNBT-|g2u1J$ zNZyZ-s`*`+#-eZS)BmMg=XR3!_WBSSoy^S=3v=HZeX-WD>Tjx5Mx8aQ!Z8Zwr^|GE zDiAgL@?1U{dycY?jyF+CXeT#}pBiy>d8begL%@;U2v z(Z=tsGOf5Z!|@}p@EE}(<$QmsdBuPW3~zWl5d3tLKg?b5^-E`^I|f-&Y`h`C8^63b z_tMB_;xCq+=Eix5a2pU&J{~-%6dv4}~BBcK2!l*p=Y4JBblyRF^fD_P#Ye~jh)VtTp+(Fk z@fC*0zF(xm^Qm;|;T&nNrjuEx{!OXY5@J=8LGR+K3A7=TFoPWp%?w~HiGjH|gP(IL40yqb@vC|{Cj=&u!e zSBrLBZEuA(KeLx8UbucNj&fN})8n>r>Dg8R(YmVBbGQCLlp7?W;e{#s%mu&B`Gm4q zbeJ4LEEtWVNmwhxW*NB-0T5>1sR``e&fQDm%Z5VmyCWXmQU((;%G2uPe`Kcjy?VRWr&1u}k;{u2~fd z=gF19zZtc<9kXErrft*$6wfdcQvdof;+JB22%sjN8Ufb@(|W3yzI90_%R~!rdFgQB zW=dhA?2htMJePTu>XU9c>oL+dQOJ0h;=uD@e)RQCDufVwyAM_C@%qQ_dW?FNgE`pM zP`xsm7_r+Zf&#b|)8=7iYTL!1nZ>LZ4*^cSLEm#$uqH9Im;0^*oqEn8QS~RgR2QiK zbP1aCud%bEPpn2X@Je#0iHE2Lrlle=?+IDbI6ta*b|KsXjwF1W#5y@X^BOG68;vb% z^0*s>`=WmVWB$gaz%w7N5Uz=SL3&S$X`_<&t)w6uu)^t6F@>IwItf1|6+`$oG`HqH z&z&Pv(JQaI!P+k_mzkCKJGR)VRH=6n-3H8NeSJx7bJ_$70{8_iIUeJ zmAzw=X=rH4)u(>5r$>w2@#^#A*4cl1p#>RnM{8d9&6C+nmoSIRm}-AIP0px6@jf7k zuSlijKDe#f5}qjdA7Tj5Xe;0e7;2{wW@optj}iT5H9d>MIev>nJ>w)@FiFxGl7l-` z4%b%TtMug)g;I-gMN1Slu7Ad!E{sj%-Kr2>tS7FI4+X9>3q z@3opo5R2;SAZ5vwFCwE&k3XuH|Rk z$LjBShjcX3E49zilzIfXFBIRwl;xhZ8X%JQ@t7SAiy86FK6Mrf`{&kOgU{B4xbnri zIpA<-KvecY(j3+NCWYV*;e%daF1;AWB7Imvvwe?NMy2& zArPxsS9;Za;RSZWZ%cpL;dbI#nC=0bOA#drz4U{G$~n?+@g$xlRizfn+5%eT8k|f} z!dA9qz~R$fLl#X*o76W$H6DGc3C^ab_(r`xk za&zeXv909rwoEz^XW4Z33>`K}pGOF-_eS;XTZ^{Bb%Mn(^HY428nL!FwqgTCNABFFLl0#KDH{Vdz5cssHz$50# z4|`p^rD3V3z{jujYm|69K7UThkFM$+Vzbcc^>+(p`-qB9$#3bkWSapQClC5S!1-&Z zw~3j8;mP+iHIzrGT>L44r-6P|@dozo*z30}FD`s+u}0G|O*XazNA#C*`as6V3~}eJ zWOudbddKCcft1x95dDJ=<9E&0<;Ks%JZit8&#@+hk6y$yTDBr1bzz8$wLK%Q3rBrD 
z7|7Ifu{>w|?GA~7&AMVxWR!bhc$}`r&a=Y4W6@gW`2Lpf1BnLi(Mz~PNhI^2MS5r? zC}pLVcQ5k?@Z9bW(Kh@c9ene02m!#cXZ zEo`zaCYyJ1{@%h7Twd4p(2q~wTT`i~mk-fj&BL-i5eq&@l?BI{iU%NSnS z7>&KFXrZ!k@WbJed(p}Eae-f=Q~}pd7!CrS!$Rsr#TEQaKAs^zelMB^+_JgknTJE~ zq|vu03s}neGx;06iGlC4)Q^3x(fRBcBzp(u!rs>U4n-xOw|qkODR9_Su5PU@A50=S ziVOTSLq*c*T$k};-wj5upmn5Ls)HOsUusLqMLynk3|gZxJkkUoYcKQehiUg(FUE_W>|5M^v;4=y&z(V14=ec^=s+sZ zAr%ivZfzJgGmq!}O>e7$RK4~Vvkfaiax->Ud8Mmc?r*#>j^hkT6JpCXoN5!boOA5E z<6Yl*#(JC66V6j_1>dbVSmc?@1+;aNkV3nd6}q~4erbb30gK7+DXj! zA^?mJDvHV*eRm@!#Q(g0Z=Rl(jjzPHkpj4_rS4=vDxD^$6CPmU9W$my|B!f=jxdX_ zKh8I*Z%&5YKj8#9*N9X{%qrB$HT{VSPw>{1y85B_@C{STUu*^&y0!B7)*6>aTcr+J zh6g21+aBymBbPK5wbcnVZn@q%%kwF$QciS8Oe>R%kJx)dV0KVCF;}@4##;sv54vF; zNX^B1Fk6TK?-=zdpo#78dnUcpKE4({MC8NH+nI9;K z?uLCp+GJ76s4rb^#?986?&U9^{__RfL{|$;T(RjHXTaZ`8HxjjXo#jHl>t{U7V@4C z&AV5m*C*b^XaXYWYq;Jsbb1%s14_Un=f3rI)FxA3J>Ob_N}AhE99#EO;ya3bGi69g zirZ}&|D97UQX5x48lWQJ%Nj!2GVT&Ye}~iR!Rb*-pBJU7gY0+%_`^_4r?==36!)1AyK$H5_} z#-bD5FOdtE7+p^&npIZ;I(>*gQp?v7dY&MOo-wTHTGaM^JdU3VIi^xeu%yzLif)}W z2Xlc-d{0)5#Gd|PVP1PHa-tc;X}g~CXBRJLzk)#ycZ zIX*clBK?SpBA`n0R!5RMb1lkWoA=ZlJ?}|NZK!bl44=;v3>Zv)Rb^oN$qi5Y>2y0xI$ zD7Jf55+Dk55feCYyJzq#Q&uFO4R(+BPa%7XegI(e%hHTmG`BZ z^i)Zp1J|d$#jFP@cHl`KQj8g1BQ?V2P|)xHL3J6b=iE<$rVh&|{!}+!^}SN!K4!nl z-bf>6aQ#i}5z*}wL98eMP zL_SjpXzS4*F97__f-4$M{pnr>+1B0{wy&i(?||+)DBNzOu9V@&X|F&6Zw_wjn%^L@ zbA0o4GyBduJPG@vm*<^`;4j4WaskM5yeCzhlU*s+G&o|$Q1(myriS?I_4u%4ddDyoF?dS- zLD>R1qWfn7@zE#WpB#3_%eaTRX+vYxO=L;?wJ<_seksgVPHtaQ9T_{OZt|ji`ffhbgX}Bv^d0W!Qg5?L>U@2M4A@kZZQ5E&?Bz;wBL$YL&AIp9_ zsss1R_X4-@!fH;qGPMs;S}v@@9mnhU3rMANJXTT(61uk{z8TOZQ`{S34u?1wdwzBr zp}P+sW|Q1O_@-dE`oZpoZ(M@p!w^Ij-TT9v?bCw}pOe3+SFRPgf+YI2xO^rv$A{l_ z>UgZf!gRP>jB`OR!ShHIW3)cY_L{w?10}NleI^rxK|{(gCr5uE@dLmb-QPR7z`rgx zY&e|W(lbM;bt9pYB-&K2Zr2mFW^1GP?d^k@t-XFxwltgkkMx`wW9Lh^xvL610#vq&4EAT&HUwS+A+p(?EtW z=3^eV8SArYUpRMi`yu*X;O0|@d6uuiv<<_;4KAVtW){EhLyNMQU7c5zd)~aMGo`K< z@9=cI%C9IUhhGn!OQyY0aL7!n}O9v*Yr>nTL{>BC@g2U;Ru@Ac%THnnSL)9sx6Wg${% za?T>_O3-_Rv=_AE?uP3?kX?AY0))*n>~dM!Lvx6Q 
zI`9`S*5Y&X`ZWe8gt7_!Bz`9i>0n~EH+SObj*^CP*tMVCief&zG3EeZ55kvtrUlG` zLS?5vK3qi2lPrq`UA>3#l^)0|7PQLCUR5D;Lot45u<$+EVAN-F@oLeT2&EgXslBsm z_#%{#a>(INdcmbGdJhl6MA99nZdl(47&IZL{cEU{F?{6sdukX6mZq=$O~aY}*ar%_ zt9^kI+k{UlGZfSBr7#{$!et3Kz4KQe4NrWPeFCm$Irz!yOxH8f~6K`JH5;5 zQjpFp1fOL^ezw%iek{BloSfNZRRc;?b5@Np5J)8%=2kM@x=c&9|r1`z7@3f)H#pWTcfA)DX!y}LJfU?$)D zC#R95D+~F4oFKaK6{tpzs_)`orMV$^DR>^7LigWSkWsT>K}44C`fz4kf4#VHYsl-4 zMZ!WR3Z?#WD!8!<807S^^uB2=E_$)ey+xbPh2d>^4W0Qww1SJ%UIySaKgKmlwLDeS{*3r;ZN9C{V6zkk|gHA&=#BP z_NW{J>vi8eL_dV?yW=f|@mhADIQL;U){L=jJO6Pbq+ zYxJZ>x*qcj7|40e1BEP;#$tz-@esd?9F&qtoWj#EZz^QY@|>TN@56c7_m zW5<7Kf)qzes&MMAK8V*tKR&rw$8y>d=guWONIY_*xAHhWXNQ2KUe+SxJ#xeBv+o&a;Xk!||)*jUfLZ z$O@@xxJf{1qbvOrW5eIC&vtT3d=UT4njwDTzY@NNl{>$;S`38!RCI9J6|Z8G3YMV< z({@~dTg^+Q{czQKz|1>oeijX%H->_G;SIGg>OCQ8yO5HZQ_+m&(%+*Zhg$)r9}^&? z8!DqY9VKqB2+Qw>JwMa$YgaLIo3YDo{nW^LOGuNX>tJwBvp4|f1gW2cewYi?3Y0yHm3o<`g_vcV-E+Q`KHKK;r@mr15#sEt#aQY%vqMVp!^7+yoTp%QW zU6Nzn`}1}XbHQXWs0Ph$6wc#_?`eZ*XdW0VXl@7qqWo6pN`S0<#`z|-#QxrnpTr(l zvfh;R<&~PGcwRf`o_WgW1;zjqK-W`!_0xK`-21DJYV2Nu;kudUu2R3~IhOt2o#*c; z_DZW)t5{gL<23GC4!P^~%tu6|Uwah6vWAhGmgf9B@bv)%k7xaKfZIkA{49IDxR}$c{P~6}w`e}a2g0zKMWwK9me{hMkM>m0OQdYi7@q;q3$zPC6-q!h zUvr1CA)%;GD&<#e<<$Ur)$oEW9VR|}OelKQSkiRDh_Vem(3?Ep{5^QS2TOL!y&5l? 
zBhXHn9g5Xn3259a1@b!{tI(?##b2IW>(f;qiZ6R{x>!2hOE~E$KUb>*&GM{g+U!vrA|^s;>Pv;V5)0m@oNgx?$7E|V5&k9Al*xG?pRt{#_uDn(1CPNA6F zt72jS8vG2^NRa0N>#bl-(#N=)44TvsCj%t)F|0hpyqnDtq}F~4>5aEyR`V4WhEpof zY&Y$;qhF%Qk%Fn%*XB!_4)|9>!r`+rsZ>ZA8R*^d&9oi^^;xFD{8mhe@M73$s*M6D zA8d|~G7?!KQm(sCKa{&&2haBYd^YZNA}BQ+92%?}7J$ts=n4;cNA0Tu=YfYtHFi^1 zELG<#lGbKNf&PrP`EjehxYnp^iU6Fp@IsH?nciL?ttv zOy(N#=b{0~6MyTKj5qp8XGObz99z8~G!uWN-hoPa@t@cEnf1dZ?tcx$c?qi?R27kr z>`qC4^Mf7wXWqr3>MLAZ^Q#5emnSpJ9f#*+V`p}mUbL9+Tvj95B0d~OOZ6Q><6<#^ z3aj|*hh@*!BQ*T`n>qZRH??tGS@W}Nx&w1gU}^+w|8+OPHUsfpG^U{V+=SG{7Ck28 zXZE;W=^okjZ}t*E`vbz|jCp|L27{YE^(;WBve9M@IrA*nw{IX~^xpGa zioalP=JGxKaYCR-4>G(R$QxdQV6j&Cf{3hI5B2TVx_4yfqO=%2QdTJ`U^Y_?%+EpT3c}ojpD4>EoaZV82>%cP9W z?2vzeqh~L0cC;OCJ*XWbC_nLhRWnz7BZI_IWsxAm(fW_Of`2BQXQg5Xz*l3X-#NAt zT&%h@hsF|oW$cJ}&AmIPnYgX|Lx2kr^SRzX@JZxilqhdk%QCHPnA*=0UN3nLR!$-w zn~el&tqrqk1<0N}gvw8bqR=K7$8DzCLW|`&jo|qMd?U6UhfA;S zP0PW%aDgY-V_`oi1Ec&ZaU94H@BR%N(*WVH@7DvH8A$XZt}F+j9|K8)-bNaUc~XDa z<0E?K;k7*e{yg`65^XRuCNmbr3`4mEjEym@r(p^KcxZXYYumaci*V9m3torcTt9M# zKOUtHwf*a7B|+>!t>oR7_F9rSjZFaieiL9Rq zd&p#+VC+iX0{i>)o<1Ird~!o(_2YD%4L(!{a?zJqbdB-owBVr<@kU8Aii$OVH+qONb|Udq)Y6d~>vGojX#%>FUSQYJD{&9eT=R3HV?s|&PQ5LppZQQ!=pCu6KevCupE;;&&x|QqI6k6b-C8uE%)6-c;WHHi!b`*xY;L#klNAEh7N! 
zzJbub_aMJ{nh7*Ot>SqFMXF+wyW4ux^y1K40e47&)4)muw#MbR&|&7?#bvZjL{s5{ z-c%njv{E!-ZITG90@R2I55w?2Ea84Iadof9%VXtX0@wEPf{%fo^h5{zpm=}QW5*GRM@fRv22n1~MZrPFZ~tC_s2SU7 zL%>avY#Iq1RUG1R26cpNG3Q4 zsF8?6bH>2FNzu0X6x&CneRF^0n^k6nb@oPiO!z=3(Qf zhxlVu4DtoDOUEA!O1v*j-EMp*yz3eqk`{vVSICrFdP#`R%bbi}#h);xFLuzx=(sW4 z1(a-o@jishL)ph$6`!)16B@xEq!e;0VsndU=Ku$OT>&jTI|$8#2B}2V zWIG1?eOym(BEna4_8P>f;?5ajWJ)mu?6sde00EBJwVqzNZi?TqdmO-V;Hyq`+e7y) z-5>jK5BlKtdo^#WcDu`3W6=+h)V(+qQ-%S6=j(pA0?l-<_e}HUD2Ay#xJ*4L*~=%Z zM6Nt(@?uRgct&&BB*dU>f#}exa{))}Q-gC=VJ;yd%jtI;wW~`eqp$t=eK~!5r+&OZ z_d6)HJF$`UmDzSr8VeOEjG!!@&%JCYv&)yZzWjRlPWt%PLn4;Bt})gm48C7CY{Q9) zv3=Hu3$>3}r+z4rJU- zpXW;u=yGDK=B0&xBNd??bnOn-rT5Q)u@h?k*M-r1(b}UwD49+Yho3l!Kn24m&~8e+L-+Oq87x(-5U_FEyyZW zP-Lrs10^r+JuL7=X_nHquObU`q)busjxicGEqXP$3Lv|Ch0iBh!0G(;-gd~<`v;O# z(k4J68-?u#%dh+fx}mgruoR7JUX0o;C38HU(kmz(#o74rGUP21F7p?-8|Yzq#8X`t)gw_(`2u*g{}}*!i)unZEb~(d^g5d<5JO!nLcLZYVrk#L+;3M{U2yv4d68e> zq?{j(2GWfx9W&E$xtG`70JKk~{>dqQnGAsnV@3MsDvp4ZPuS4Zh8jJZw(&jT>fSg? z3K)F({xF-spdtOPzRayG%FFb_S-~9wSdOEF+*>n_n}ERM?Y%WcRLeh7##`+Gm8$1~ zdI4oGLA|TaYnnT_`uqLVwF3v#)T=#bAw#>5kt809bWM zY0|qi$EU!Z=a)B6RCl}U0ur}71XJ8R1Sz`Cr0E5@Z0*iO?Jd22XiU3f$8~}+an_3< z_Zv?1`Z8`HExyqo!2j|qpj`rl)JJPP!1*I#j}H(K+S^6Vh@37E2+JYp4!cz-hfODV zv&xA+b#2ewlUmc|JAg1X4CjEZHf&epI%dmh{9%3^5FMI}PE!RlEm*@#~cTHrkc_rVdlYA-DiRzi7`>^KEk@W=i_mi zLC6P62(a*h6>-Heu%Jt(RJ0{f zIcy-qkp|bbq%SDcZWzL_e5crunpY249_hM*A}I|8&FUyPF^(2y|3CX#-sb5myB0SU zvon%JaxBIkRMn9};%+h%bHjKdX$Z1r6s$Rbz zAK_8WTFE}YyN0w6i%uYD8E zXpk*l_%LTL2z9p2G)|DVuV9;?A_Nok?b0*{@9TL`=uXE@&@?9lG>p?$lhSam8Pjh= z$iu5SZO}s*?YAF|Kmox@iTm-qG%&K;hFXRlB?gR7cEFKAv5rAB-M3i7hI#qJChlIy;{uYjYIFXd!Q<~rEC>?!e*RfZc-yW7`;o~S27A`+M+0A18`4B>te`Squ@nWwyp}QTADs(=RD5Oqg zfl*jH-QRz~h^@TS7}N&WBu;Yy{INOaTx;0#upb}Wq<>_W0G*h%H_QaUt{9ia?htUC zynXa)La5_587X`wULf<6Y$C=DFR^fJd3ewb8N*XV6a%4A%wwKR@31W1SNbA;JyTkVu5V&8PiF&<@DV$g??LiiU;A3*!c3Mo+FAj_X zd|^B&4cM>4gbqB{VdsTeWmaA7##C0x6W=cfCttSv!sM~c`@~f%O zYI1G#yAr8=*}vq5Ml%n#Cf`49IUHP4=d`WX9Zm9%3Ve16Bm}%^xGFN_<|nzn@-1ws 
z020zk9otSR!FY`vC~)x*zU0j(zpK~yJhy24d?X-l($@`)?+#zRRExc$+XgyqN@L+= zm!S?xQxtUP&**&1DyhLhD{KsNx!PiapXFjS;6cWU3mhy4DyBMo@KPoN$8bHpqnQEp z*4%km<=JY&neJ~`0QL!32^_1&&5Ul@=$6`~+|4VG@YBo?kg*wJ5Mh6LmjKYTRSv)S z#IMp@Id86@wPD$?zj3PHr(tW=?pRSfYlR{-d5!Ss&AsAkPf;rReXQ(-m%m-AaUMAT z%Xjo89O2gX&HdNzE&IBJUT?LUkEH_^F$38<20;hs@%053Tq8{mRN5S`s3JsOLV#cs;hdiVV8dNM}y|q zukf@E&~+W4*Cr-!suvXHng9jLHC9XUi7-Nix)M)T1EtFidh$nZTiMh{uKbXK6 z%?g~XNel1%tq#JQBMRh@P7l{c8`#59e*!b`0@diHGXUNFsfBGf0)cec3kkp@biwiE z%AndfH`iq;bkS4`hyzdSuYH7wCJ((WzE%DWmbLeBLtzSWZ)OM&8vV8(^aQ;DU{vIw z4&1FV)e)v`Oreb}HtN?F%@F65*(IL(sR(45Y2y&gFHY?V2S=H$eJjDyYI}|-lJ&Fj z6cZgcXX14W?KGWR1S3YY0)-CXr+Iu~5u$!43Ajb#RS(JO`dw@7`^Ql*wRX;;FPHtd z;}20_VH*i+2w>E5nE_d3HvaOr>d&kcJpN=~q~tu_7)HwCZkhLTf18ce(S*+%L*Q+r zz1;)63={vmisHvaW_v3~en{wpfQl4~M7UatpU}&vCNnM8&mgv)%r80djmNj0Mbpp5 z)4G1rTTtiQ=L3Ull%75WVKW%s&5PkOZkM5b*>=+g&;9%T0}horUwupx`OmA_>g;9h zxx1z5GfnsjF^iOtHHo+asTubPp=E%VzXE$rA&lgb+y)B+aFU7{Ss$S~`p~Ba{@3O{ z&}v!mO@%;f;Zeduz|O8@;Uvcb9=YrS>ng&r*F4;6(I$O4&>owW)7aU?HbVC<|`G z$Bk^ny_p4Cz5A}p9!z9jGV#7OV36!gWx27xpGkii5znL?wmm*8}&Io>MJ zx&smQKI~5o%Aa!+;GYp77)gP`;2&zN$v4xntH`M`@%0v4c^tel`BaNoqKu$SW$Tq7 z+sp|hqJZSz(V(P}@p%ph97eM&Wm_;B&p{R}!(L%}+hY_!*9+=l zs*yVL8ng>G)SGLNBA1&-PwugjomZVt7qNh9mZsv5EuX^q`kL=E+rQ!}*T`ieJX525 zF$E_so1k!E-dp_IS5|^Pv`<8guxA>BqdM6gJ~#Ih`u3OK<0|n&I~Nzx6ZY7 z;r^1tkNKn^t^eFgEL$iQ^07B2mtPr1gKCw#-K#5Tgj1TD!3yA-cZ3-<^uM`$@$#tFWf3YuU#!V{h+qk`r&K{ImP{%?ex0S18-u&mFb7vzo3N zxkzgwX_~i?=03X5tR1G13If>A*a-LtsxV^^Rk%2Qnl{{T2n6fFVO~_qDq8Pn#`6{o zeKr^8i<6S$ESTPp)Ed9*=3J$jfVXQf=oIWDH%ReO3S>CmcoD~N6Tbv)KYJcb8kO{E zmAGFw@4p3zcyqx{|A@X8TvP!VxR1_ZQ#?ACE%#etwNTxeZ!oI{OeWD>HCep$Iwpwn z#@+L-{I0je_C(4qobJmVH+sI`mxGk!tJTTiTn$86#Gd*E2xKXcI*(8Y+Eh`Y^chl+ zVaXHc1w;C1++`~xuZRD-CMqxnv;k`(@(h-@?RpsP;71(OZy-#An*?Xm{?(Iy^N7PhfD*<-?C`Sc#?6l_t?DZ`Uxuy6NycHtsI8Ug+dHZY&&dVPh^ z@cIeGBiCFHCiy6&Rp1Ng>-bxRwK_JB!Ggp4_X~!LPVaYSV&!)s7lSyh%IiYDuR|~9 zlR>n_Da3~$cFNdx2DBEWmR6ANy-K3dKx)4kf+2!!QZ+FJS^mu53;5X&Jg|ZWG+;5> 
znq)EOB6PRAaWT9;f|j8N`x|4lnHTi(aYNRF&OdlkVCj3jXb}txB6s`V-f`!D83{Zr z7NK1h2qjFWXtY2>=c+v*7N3?d=MQtgEoBqT3G;1e72NMIh;vwhIi z7SP@-LZDG(4NL_J9BtJ1JqVz(ETP9`zaO3iZ9i>qq;1Oz>{c@VI|mNwY*v2S{&>;g>va9hg&{9a7KMgoT!bVH9UhsB&kE3 zgt)C9(TxCT6nLcb3oC|<=Yv}x4x6+cLOc!#zRd65{}&kupdoIgC3XQSJC4F3YU_|E z7DV~JZ^>xO2q-Yxiq@qp*b?@A zG&IM(560*@LoXzJYuG`*Da)(q2z`-fs3qWkfXs}dkh~!b?6-M#=*y?mjIOVb46&D& zsxeTzeV84>E9K)hu+_(x4yN(nPm%-pVS}AW^@~e`X%?7(n^GR=g8ivE@Y~>#QCHlo z&mL&8rFP2?9bM4m>f?{PZn1xhFMKe``Dh5vO`u1E>$x zLV$^iEB;_pIfzwY&C(H^6Pvyv)uw_mrne8iZOEsvzCY1Dl_0Fd466_8SWf_n^ZSz~ z7Hc$9qY@Gykds;ycBkoJza3xm#Uh; zQZ2l(1xO1IBkW&<)#YKW`tA<2x564a&!Dm{wdCqR|F914E&$~^CLpci;2`QwSN!+8 z-YrZiV6z?ur`7vG`&VJ^xC@|F!eY7E1*n7_R^V`_1>CN9(QKUxkd~AvsB2uNx$5T+ zIP5Va-$ST>V;M8(?q-d!?#_RUU^*MW|FHL_O^+g3ns$HYS3K5ZuUWULD+Q83Qkm5U zb|F9#ixy}bOJfs@*u)})#^%4jx1NZ|jI1TAtEOhGXFBskMuY&zad({K$IrR$EnF8Y z%tVTk`3uq>kI3P;(4e}FAvjbSAVMqa<{vm@8$k6iYv93t2l)kjOF9o|{d!m}iS4ZM9_pO?-6ZfDY?L0MJCL`_Pc(`u>+sO|rIX1Xk zWS@vc6W+?3^RX>1#vX0W;t58&Dx%S%O|`*Lx+C!^s(4kW;I)%m-#6= ziG&<4pkil`sd_bX152mceR&~wgOM%{Haxj{&Ij**n*2awzw>5SQ$HMFpTY}qP_b$Q zH$W3!!geaKD`kj^!%Z0t&v+Dv=zxr=W{qf}xxGAGvt{KnOC_Cg8N#C?W(}~H(7>aq zK{ja5uT+GGWtERS5(6noWowgVs~@Z>t&$M9D`{}UBWS?Xp6~SKt>z|X{U9{D7+{bi<{ z5yI9zN?$0As#K}R2ow*urrn~p*V@KgF3t~T7b6#hxlfHA>Aryo70ANA+azI~+PQw& zmV@ZsazDlQJ%tZ8s$OJsi4zAB;%)8QkvMG*hFnl0#I$s}=cnOzTgGL7CgiKjxo$jB zl}gj1nQ)BHhbq_Kx`n2Cy~hP6RQWl(Z9Cmnlqat*L-E`o`>@NX(5Uvrd@JrfI|**H zd3(qIAF*?B2mfLC+WFGeq=KQdj|#-_79+dc?}FlVcEx)koxy;;XGfx9ZwNcFcKXH? 
zl5zQ{4v;-=0v$^tYhR5%lA9(suEs#2v~9Hw3%xcgNOAjbh=DZMxI+x|cJDh>}b!ppCYyB?!eZ zGi)v0T6&VxhtsiM3_&5zJ9ocngZtH)OZ@_*Yqj$(PYE;z@Es^(Cnw5ter~NP^2FVF zJVoB*Tx5b;zXvbK)Mu+s>M`%2b-2GF5LL z!0qu7;-ladckYzD?S*Uy9BGUYpqmUm7wU<0FpyrA^C>;L1m(MWuxRgQaM<6Paf97` z#KK*ovH%A7w7v^w!t>RAyiRU`__*xrW5?Q?pmU;4N=JKM?nVM6iUzL3ac=oW*8`%ZUIKEQgKS00P==UbiEHj;iQDPVm&`tCLOL6R!#WU?O`tR>u=%{;hhR5U zq9t=rQb9_I=p`1jz=pDK%vHPJf<2h&LzwqkL#uRHMQd-5#g#`2i# z#Iiif0cUbS)*Ob~VQYY(P7w3fRuUcFAW7U4Q@(&#BI5H>Ssv~uO*U0o$cMvmIUBao zRPE%cTC;aUy$;ww@oS|fx4U*m!%^uhchnY^>R{<)Cokz@+R66F?1RxbJM*kOk&0H= z?QPjG^5tA+{8>7U6EHH4=3&Q476`olHbi3F>IN)HGjbse3Vx@N?j))2XS=VfnQTmJ zmzIGm1bXUmh4|-7eaz&>RS|QQjMe_Z6E7#ZQ(F?WLwR8yy>7XB`mUkfMxQy)s{^Ad z^Wz3$zAA<9QkVC40}RA&7nZ!tgC%o=oQi_vE@YQj3&Fz9%xNNT4b|L2KRjU85xcI% zl~vaIrWYj;HBtY@-a}k>|MZ|sAhmD{`%qdk&RV#9%;|le3KYoOy9I|Bx|6*jCFOkE zv=XZ<)-MPx3B%+lr~;H4tv<~aP9~UGy)D;oS<{5-t?G)$EEcU|PoWz<@s?4^ypE*x zAmu3n+GH?CAG16e*RTwOfyLe`@w~;BezlO@#!E-G3Ul2717}$lUTm(B+8H_mxpcxn zIw{rd9JA`F$fNGTLdbW9IEW1)x2xD#L|1)nRwhKTDvvrp4pndTD=0$UZce5ml}j(g z%DQaAwIx1X^e}`bl?jh%<|ARm>|85ErD283&Em%Wi{|4NBrSiHr%1LJL3_fC+h0f5 zrS*JnLSEk3A0ST5gLJ&PAQk6^wBotT(}&3nnbpv_GJ>jp0_$>D>{m{QeQ#TCAzZS2 zL6KdENwzz;<65L9Y7s1m&B@)VqGi&Pz_+y8jk2}Cw$THAAX2IO#0j=YKXDSij&|q6 zF+IvMo!WJcPv9y9G>o9;%%BU1u@~+(qV}{)1v~c!P@vG=m~DnMWWZXogJjFRtaf0G zWBqxA_u-XyMj~qi@hLq>B55H7?{vR=q>;LM9<2%vNqEIdYsaiS>|R_H?obYXlO@>K z6*v&>UR5M5E@xtBg%s43hnXJXx*9l+vYuObY&ivtNL?A3t@d)!@=3m)adWRnzH!6*#T%h?(`HV!uPMRlzWcMKk`bZ=$YssM@S z?qt1~&ohO{!g=^|cH|^`y1QX&sF$nx1m=G_O`@^}x7+o1@oiP?5NL=k&r$RDIp`#0 zP_kO=wTlUi5lI>vnhiK-CAha0b>)J7k7?MyA$f%FgC4aB= z2jC6_ecZ=JHB;%ca&yJkZV$mNc!$e%!sR173(XM>@ZpY|I`_;)&Z4xP+Rn_~f-=lg z&W@PqEuVzL654RU2)cdv*v{zarpoF$d$CcT-g6yntrkE`7=km@mq;xOJ0gHI0bF zie`)EGEvr+RwfDrL=E#a)7|RWZM3;!O1IeaK_xL4GqdW_K*07DVi7kTM1z#Mwjg5i zI`pa`ZO=%!wPus4;0I0(44G2cJIUMav{%?9lS@iTOF^8KX?86dNM5#AP#BS*jQvJ? 
z-t^dLa{%6&Tz8Av6579j&rBXrCDcAOor|UCnoF#y<>%zkHLr3ph1BSNiA5W*`EGy( z>*Df+0AzspndwqV9A@I*vwCuIda3D;=8bJGnp}mIkpdNcHT>+&1yKpU&%nIulJObq8?j z_H@layW1rrb(7Z4IJ?1Nwq>`PP{Z}N6VCc}?0F-_pj_r&HKx(xbc3QCf&G^IJ>R#R z2~rYC*|1fvg?x2>G8{jcieV@!Q2tpDmc`Iu{#!SIQxrDj)j>dV{TkcGi*Q)AV`86d zbzWiBNRRhh2?}r(HA!;8CXl|zPOJXfgNS_j8sIuF$<5@^LBFja=pCg8r;gbI)9Wx( zZR_yXBV{bhiZjtmFPvb@GqP?k*-AX6sM>ZY(J=e76IoBCZs>fwhAsPasXGR?@374AHje6SAmMiJ-?5_;caHZ@d9oJvyA_woml9mX)8Szv zlok$3GJH;g6ru((u&DJ#^WfMWE(}63K=m|M3~)otA&Fy9#euY^b!)Bpu07dDNC94G8esb&oxF-O za_b97i03coqCZ?~GMTngj=fzhJGgr7LY)BVhe(8}B%TEG)M(FfuUXVMFH)_M=7*q| z9hdat4%*08Z`0XcF&+j_H7Ak13vZ+!Gy(4^u@Tei6ztO+k_@B}E`Z(3t(t9aNpXbV zPmdd#1_isFoipa1u(pNV1A{(2A};e?Wl9rJY@L_S`^!eI>Lx&n-~-{4&^~o1!k%Pb zL16{>q7M|i3>Ul1yS)(Yuzt-!leB`%xu^(xYrgJ00}sXy;TK0ESVZ|z+Nc9LTUduH z&?m*sn~>pI1QFU_oqB6(#V*+2y=k{jpb}`!DNR|<5fGKv?RIt(KU_SUeR9&ZiCvZh zmW)VzA9vd=lzDG*_RyQnk(_Loi%uHGJ8`A$!`4DD;Av1E&H5e24zW0Yx<54+f00a_ z*>u=gE94AU&pU?wBfSf`{(>Xpa@>fI1EC!1r*vN+;Cc@9QIFtt>>|0?>KYVj&#*L< zawqcjwl!8*aaDYG+Rmk@zO&sH%Rv-K@F)9VmJRfoVZHl7=s{kZE~*P}Csoko*Q-U> z1uqQ~Fu;!PRC5G5o3!N8C?(chk0o&c$mQ_J$>wfE{a{w}EK?8LYI=g|gz*ga{iMa4 zyU-sx{g^Iy>tQ2WF-1Yy^CGSh&O$8a2cAa8Jh?gr$d*-4L#=JO||63eGHTR_>P(I3qWA=&Oye2@yZVQz^`pR0#|2q4FC zn;bNKdV=Fcy6|e{&#cp8znLC4Epgv9*J(VY_ie4kVy1131?T#&_%*0~z@0(yl;MR& zdXvT?=v&Ya`W+ch&&9<{`KCg^^J<}n09dX2YeIUtwI!dfG`I^Ylz1fTZ4f~|eLfj| z;a@i6us+SfvKE9LTz!c7In^7Ts6q{#c|qwPVc2sU>rg^2wl&z|aYmrzYL!5RJeAc9 z{6keV>G>5q4A>CjSLSFd4cxMdf95WN3&vEp_NJ=TsHeV;#@vJ;+;z zpD3wQW{^0&Axa)XzUwZnuEcoIDH>|(cN(DoJb7LB?L|L{umRHM=xy#mbj@bBWp}hhRJ`f~Im=3|5a>vXmJ#^?s;65bV2$5inS>#ETlbn8QLqhAQ|TYwj6B+l+SVc@*9!Zk4hvu7hr;;(6EJYyBx1|Hp<)hiTFh%qw z@})y68(&QkBfIb(AQlbMS^b2vA4pB|b?RZP%JpPkk=Bht&glL&Eg{D%o*uhR5^fg4 zdgbon>6#a^3}v86*RKGuS~bnGUsJcWRzuKYJ#nhZHs8TUo;b2J91`267W?V_e6R&( zl3ZumMq?q-xh4<^x@y)GiCr}VA#vS9C1=y-VmRRLEq7a=CbxM=Glp275XKp~M?f~# z)>@D_b=3M+A>w)=R9goN*#kf_*GYQb#^n)FF@`v4tkGn_o2NY}m-7-5vtnknMuB{C z%Ja!jqRoON>V_1nnTeber0>dIG)0EqZ4P9g1Mk7+UOW!V?)3!Ff<3t09&(Q6js%SR 
zyq}9UwhJsmmDc)62Tm0tS);{Tb4_{4(u{WbAbvm?HDil>d#0XjJC>bP9M@oU&)A8d zF}q*~TqtpbaMdJ)l^LPZa6#ydQ%GWW`7A(%&vwA(bls_ z1C72_cZifl(wVa5z(6e!8uv60@hR~I;|Ag9G>K6yCPl~%`%?Oar>zZPF^cy(xCP_k zDeMP_nC`p#^kUE73Z>zKmeR(sK}G3AO%$-naoTYM)@AN|U?IVJLuMQ#tU~}p?a<7+ ztxFS$0fO1}ULAGBK1IO9vW7?6v)6d_FP9?njO85fz6Y*F7Tvq!+!MjYS?T%^j(mQe zE{N>bpY=BH!PaoasT;+w-esH2FzrD&(art7xn{h3KNsR9fo|CraV&GES0IET-S-nD zK#Z6WFCi@;1ZkKHvp|R-8D1UnfvZzh6?S*2Gawdw-|l#tKGJ8#U0Ac@1puO}4pm|R zSray-clnG|7)dEI61%>PV`7Q|6L|%P*psbftyv*_6*f@p?_LmaN1@@iLlAt0W#8H7 zdBxw;*4d*IsL555Gy_FL+brR+6Q*fo)Y7u4Ti}vjXvd8)dYz#KE3O>uofyx3x#zLCI?N;@RH3xY z=Eo_?Nd68B+8A!@ox-kdhX>CVRBdPRT(L<So>&-Uykm9UqiMMd-U2Jy}w@W`~^9O*LdV+o0Hv};#$)d#X47$B4E?y zt3ENOv^0e!vRRKy??GsEg)f_1%zLYdX_G4_OT~%r&hjB3o651)3+&Q>nRD~`^MSna z?aPEAU_GjQy*%~fncy30LvAOtwfT(KJOo0*>-4uZz~ar0nd&@$vVkz3pU55FPulZJJZ<)w zaZUUQ^bT+W%zU{~4?YqeXRa_!~aBXUsMS>`kdyk6`tnPcY#poxm8gFU>e z^|Nz4z1q1a_%h+vawdW&a`v99t&+_Lup1CHYpqvZyI3lun-!yK$FKDqj4%k<^WCPL zk`wwO$Z^#iQ=%%&xpCl+ReWyTa*J=_bjNG(U_+^c?wecXLG5@Fl2^LV8;=5fl2j-& z!A4_-XxFPsG~_}~fdIcR5qx6mL20)J5Fc^cMG-_jtoivopL#EZFkp!`I4j7Z)pR%s zi^;x~4XPtz3DWVGY^@Yi%6DV_&kX5*`cL;? 
z8wE|&wbQ5zeplbp-ywG-?eeI=pHpVJnl0u_5^iI9$;=RlLH_O*jX%^;@i#pOu45L9 zkAK3SONRdZ6RWW=f4+~+De{9_(9DvV)6|UlAZIgrzWk>T@^8A!-+6N1c3y+3g;j^} z-0m-yg43?ozj*YY-VcZWzCF~(ublax>d@y@`(+A7SjvgD#Sc|EL%ZF)Zib+at|dwgif;aB@vmEO>n&E{{EJV z*vklqyWi&FtzRkAwF!bc^@QoMTLNgL-=IN#6Ar!teZQXPw)uT`A~wj~qsUeSoqnM8 z;`DTe#Dt;(?X&rHIgJ($Gn=V3&8{H439x4WO{wsx|epXT;cg- zu^E3nGY{UB$BubCUy3}Jl!u^^#?`uv*JnLaN4utS+Ma<4<_|qgp3&BXN%1IFcX|>P zG-lyPG1D5#8WKMp)uaXvVc~1`a)MM)WG@MexyRSY2t&*)JtOel9p{skF%1fmf_Kk6 z10zJu>>4SC<0E<8ky$L9on_WcuvsB3HuNMLE1Z9s?&N7UBlaP%(5|rTI}H(NZ5}Ad zz`kdUgMB(1k{HVi@W;)wqDi2Asg-AMX4oI2oztR$7F-?@V?U$McYaRyRIMBrg6sAT zx&_+8yXA&7UN0wVq}sWhUSqsg=gjPYobR(9Qwd#x+NTrK#8XO z5GnWhZZ4X=nsT&!y{=S7XP<(Y6oMF%STydc)f!TS^jVO0@xayq=!Vd(l*Q2Hf=ZZN zj}bK}0&B3`=MWa@lYH=ubC68}8e!?T3X|uc4*K9w z2gZ8ccYU7E%A7K&W7#WmC+vY^$YyWCQbO2vB0}i#uI|#?WZ824gOX1jIi9oaS(rW# zi5CEGu4oQITY7}8b|%*S&xQFq&KDZury#opdsRIpnKwbgs0HA_Rj!w#)F9sm^`pnqBAVrYhk#Z)7 z5_z1Yt68QaDJ;}&d1PC^5#}-lo=M8%@$~w0ZB)6WeuMeMO0%-F-!`+a2MxN}j8=6bZ zLR*|yGgd_8QR1zD@P@ipJz1X#SKj*YM|&IOQOsk6U1mu7a^0cYUk(tCV5iW`me|@&|jVrbr;!Zuh*8Xmrz})X0AEkdi0EHf3_06^r0*N>wkoOl~iB@_9}N z;$c4D@yB?pVR5gShnu?s#C{o3m{*J2V?BLkK|ia~OoSkv%qwI8nAD;KdlCXs$md}% z_6$zjnLN>VU4n0n2}7Bv083c<3mzHOk809m?zazmRTTAuogs)um5q&8ZkAaalq4cf zXS{U_v^1_0_jF7{Z5L194Z_=bd@Uf22?gP0RA0^t;DVAqmkZ-e%olXwy8ITH0>;ii;xE5jK zLXh50ejsH;yy8z8zicxmfG!7829K-jC2t+w(34U-LBo!dR?k4&28i^zhun3G{VP|I zp+h}xPmr9#nw=Dz{P|AQJR(#Xk)4e<9QX6X$vMJ(aiBEs1!2Ow4~7|>JB@mIjML3h zNUh_!?^!}ERl04FSp6`UUt8F5Dj|JoFvd5Re6g(j<>oN;4_$%Xj^SwUQ?BKJh3;$Y+T zW)kz+O3lwAcb;;HXW1MYD5h@vg>)N4%Z3Ktd?&*blRG>^oy1w zC5by;H+_>MuT6E9llu#iW~Z45Zk2ow;4fJAa&*StVgejPFu5r=Z`?2I>bixPaehx2 z;0*XMDvC;zgjpQSt_Y`mIY3e>&ve?0EeK$DnpZjGeIp`KV|CKu&a=aUuI|!Of&xiK zSlrh3>E;OgJn5eo_hMG<@oDU03reQ|)mRq~P>nJ0_6#l_>bCIfI%%;5NPELq<3FMZTuzRVI zqhzw0vKyxB_-fBt;u5-^eUeSH4ww+mex$3(%FLI^^0KVjULseJEx547IP8hW0rC8V ztPb}uH#TJzI?$gM?vgts6cx$E((a4rJ?@)|g^IYBu6j1IHZufu>(fS_UI_AfE~m;Q zq*NqLUagfpq)Vn3kTcDLHBU`n2|IcD)a1pDryBG$VD>YKG>*CJF76MGA$FPiWftBb 
zY|Vd!WPT^T73-6y)C1rh!Pw6zMsz!sPmp{io(8_YOt-BUJo>I}&nM!Vf$o(eZSy|( ziN7VU)}4F|-8*Dcz1f$})YJy~ZEk7S3nvHNEC`W+(zTC6s|E$*5k{Sp*(t2KYntH$ zdwtDDe8z-}e|a7!+8%iPb`KHvRo)D(yTfi2sYqex-Nxx@F@*bqaC$8CPC2PO`+h^U z2W*|*Vy9uYd6wNtfBS3?euu=fI6d<4{a#mP?rGQ4qFpUy<&u}g?V=zgL}vHUqt_Qw zEkLpp5z$+0-DlMRzEbBux?#TQFS_vBDsP%&a)Uh>@Fu>9;OM<(ca@3%pd*4R2MKd@Wm#ZmLYV=$zcH@(ka zr8JLzPZ0m@;|Lw=6xWGAdy75}xz}B*rugMG#J{%@va_52j;pNCzkMWC+m&8{lD_@z z;}0M0cX$8ca~w7iEawixv3TF{>$PIO8E zk1x;kE(bt4R0hBO`18ZO&$pB4qYV-`(!QScfwuYR@avZn21FZv^!598W&F`ZHL8S1 zD${pExBvE$UO!48zM>FiML)zpe7QS{c-Nx+ddsgj_`~Oq@4J3J@B2o7QrE9nd})y1 zQSXyc_2%Q<5ua7_dQ=YGiI#ZR2#@xQNB+J>U!M2#@;`ju)oa_KYQoQQe6LM|@9+OE z_)o8{zg_cL!n^IJVO4l(iIH%9cP-=;gBz6Ay3bNSZ~1*GW%c8ihQ#&%{vI#y0fy1q z;Tb+qhv);FBflr!f9snZz4+N~zn@Nnu>9edL(4?tw`o^3<3|y79=gQ)kPq?)tokp7 zynCkze~jz+$Ir6f&-`^f^6W205bFGO`~=>Q@1gZ0Z~^a83is;g>^cp+>HBgax_Yow zKfYf7ZH#=5iWm})?-vfeF!sflvGJaiq4D*5;$4>?zZQ;y|G$6v?neLGetEFp^-=wH z(!OtWP9hBA_qh9Rq_-b!QuTTG;bV~E!7<9vm|-7uJnAg`TxEEKr(cf{@4@laGyG@H z`tB%!%C>zGHGk%`Z-?Gh`!dITe0yBXI@R^3C;se^G-^M4|LZ&MW5z)N?=Jp5@_^qn z)Q|7>XweX#Bif9vP1Gh|n(T_ns{I(!F8TJlR+xvHG{mpCSA>6zpSQydgTg}M3g-#R z`z+$es{HZY_+Q_C<%%*sCy!UuRR8v+J@fQE)`m3CKgz26yeVdz&sW?FZm8V*Re#q4 zy^F_vANYQ<`uOq$Z%_MY1=Aq<;j?=&YU(cqyodN_0bifbMiCfL5rj2Rcf6u)1Wm)_ z`!@PAeSays`Ka?g#!NwheOT&NrMa%u} z>*M_^@h<4c&oZKScm4SFS$-N1efekmJ$iQ@g%q0K(up`S|myyMp!;kN$g`6%S`TlxMTy~oe{b$>rHD);T~U$5)&+Jva_ zyN(_{EgdH8+sEhNYDXvx6)5Um$*S*A_b-q5`N!u60S(sn_2f-1E& z+86H|hS=u?KmK&VXL+Arly`T9@6U>YwrgM8lg@3`A#~1fK_^ww>ZvRSr9{GHAP~V^KME%=$<^43- zMPNkWp?@I0*-`I_^8Ho(YGHjg`+I19smIsP4IVfu>h9y`_rHl^eB!^Dm+w~s1$;3- z-b1+hHksYfkq|z{NB#3f!4nl|xU|I2=#TQ>F$@C~520YfJ86%n`2Jh*Y|K>f6#OO)%8EU{G;{% zazQVCTmS!qn*Ude`EC9GUvT~ZHpPEi{eN*R{kHo5ZT0`#>i<0>{I>f4ZT0`#>K~58 z-&X&>t^U8PjQ^tR=KIzCpK;*)Ke77%;#>UU!1?AR_|>(iy_~-clulxT?a{f;r^gpf&f4QXp;_?5#=znZZ{^f@H`;YwX{l7r2 z$#4Dt_qX_e{K{YSKX!uZzQKlS^bZ{ee|!HkG>!P5-`@ZKct8HVXa1u9uh;`^|Dj#~ zS*^dl|LFxq|JMJ1Z=e1x*ZrdZzkC0G{_77}Ta|xHk$-Y7`v2GB|43>%|E2$bMj`3& 
zH~;^iH01w=AN~jN@$t`1l}G>l`;UJ%u`m1%1r*=gm30G=$qx;i+t07jPXGLG?~}jA z8hqKV{L#bq`DeE1`+6(NufKzu%sWuv%gOzF7yf-ncyDf2^=DqG9kty*6aVvn!_)j$ z7N|9J-Z_s@Uf z-~W-B;Pb-2c;XrHMaY?chZuZL1;2haUlldtNj`Q}82$5SCI0(+via5N=BLUYny5(o z;^*5~9X$G86Mpy0_cPNk%KtV)eOKCNB;+sZ{U@{6m&&1f0-~P~k<=iJI(Wwyj$dm} z{7>TV>5l*7*ZkuB$NCSkpoqHu7D4)tsm`yz{}eN4{^b$t`~Qz={J&DlclrN3 z~zXUHsd6#01A9gEXV5tAh3 zhuAvP89+0lqjS!e69z!Le>#DK7>qebfsJm9gEoBLL=gDIa?eI=$r7oEr=AGqob-|9 z?4F_IC9VhevQ6;Y!!PyNxSU8&UXR|zq;(6RgZTT$0$n{hWrSld~1$BZo~A?DR|-bST{Fb^r>|kvhMB18NM=H1ho$@%dxMbI`KZboTc7C|siRr<4Aa zUhL^hgT=aVqaQ(OR*JYwf@0lzXFAbMXCNf@^Vw8^rG9!g4S)n6U{u|V2PytMt_ke= zr{ju9=iw%N1Vsx?hKy~$+(p;7Cp-erDbB@+O|%J~y>-u2?w1C{3b)WaIb|WwaUrq@ z@yKJAXcQ@_++Qgr^dcIcJM}4m3*~Ys>{2;lzGHEJ82sgSLdjTU^U@L08 zU8gRXF z{$fE_R9ze5Z5OD{=?%NS+q~GdsCkulEP8OSh@Ly-E@yha376o zjK`I-Gp);FY!wKqBWoD>?G+O|AfC9L2SUe5YsXxISxLOek{26ax$@Bc7-sc@pvqy0qvLxX2$jL&<~EO%X7>0Lb0Ce+ z;U;}1j=n1_DwcNRN>Iu^iGA-D`#L6B_DTHlEc+jrWDT8Ne3^I#bmOs*@XqIuHT(71 z_b*Mp1SW`|XJ2zMY`)A;g20_5ANi@F{LKCHsmFOc=dvT+ixL~8`204H5Z^#De{~{p z6fmG=^|iVKIK#3!r+l^>Ar2xp9SlWh9ge-OK%Rj}*Pnis-jfY_X>-|nIzX>b@D1}K z8tfxM)@o*RwRAPDr*WX3`(@h+R~r{Zf;GN`=QK@yfK{#o^PD;}c0A7X?ryPZYL8CO zEr?s8l16fe0`F^JcNV}guadSN+**6?=Ns}dQ=#Cz?zfpXe@v3u>$x#2dQV6x|i#D{e%0jC(7#a4St>rykD$!#v+L>aryk+id>rP(FTg>;hg^XfLo~hR~fdmId zBw0U&B+0sn*4x{8nY_B^v2jn2#x*BNnb*Rk^DLn^*W3O23F3%weVX2Uxl~3c%WuY+ zNW$#i_thd(&ownaWmnJ#Cbzy%=Z@6ZcYI_mxjKOc*XknaB(xyawW@ii7gVIO&0Hm% zBVfAW$*%4#3qaVtu(acF5t7V)L093f1jcn#r)vJBCquEwT9rFS7GSK*YN2bZ)FxIF zZI=zJNarqetFNJ(dR%n%U8*kW&^W`5q|Jk-FlIyFpm(lZ&4*PQP|~P%`)U>4lQ5ds zDuATC?aU{eXXwzI_e0IlS;W}H1{@{)8Py3XXdlFmz}o^VqbH&3NHDxnPJKKO9+I zkq6yq2Og#x0b5NLhwbV35-&PJ%|C53cG%m+dJN?_HfGZ3&z`kkh)-}Q_g^fFKciz*u{w?!WnF`7bKzZC3xSR z9fs2%+bZ^1dWG_7gtY|OyI2v^N`!I;G%cq??AoMj|G*G(BhnBpt&YXRj?BenOY;oGA|-q1W&4!Iy9=vL z$m99CZf5N8RK){7GIRn3QGZky=OqD7hkH1+UV&k`sYhU(eUZvP9=KkY_5|GcQ06W=sqo z_GZRyAlIg6n{*OT`!b0i+;xrPdRr#}klVI&yB_0nV^ zyLqjS6t`S20?ua`MOCvreTx?hDm1E|!ur1Tb!l}3l$vst6Gti|(6Sx~TavD%^JkZz 
zPsiP@r=K$_8uViO7_##0vP1{IwsDjO<#M;OeqXslzalrx&hRITur#ggoIj@pAS*ZM z8<8)uX_Fd!O-ntNO}iLOB3;VuSrCFd*SE_^(}$ybcnG^wpc(yi<}8HcX6JAHaybzO z@t)EGnMC{~9Gz8aE$A5RuIZSZ9`~tyRkcY7;rpE@F8He1Zdv-iU0>&``97a|y+84` z5$7c^8v2tr3ju)UsyW9JVW|OWsb~jj5W0wq~u_SJ^yjq^?;T7ro zxl(B^S_jWgxVO&XY?#F3cByl#Pa8xT3@lAOR#FnJzFmMI1MjAt6zilpY_ky>@T-f? ze$HSa>=i@OVZOjt8Tj{F)g%vZU=zrBvJUzlf97S2mF0;Ddj;AK@6|S!vGM!W-#Gd-~NasWbR z*rZu-KhLxEh3eW9XwyV9VgyL(PS^CH?^uCa3}xf2zWC(odlhuYfg3=`^v#yoB^ zmkN_wYwPZ1&j|lO9k}Bo@646Cx8rp?R`jC7TJvn~=dDr?*AD2FNTPKo7?V++&*VyH z?m-OsdTq7L2ti|4%Tot=mKn=FNt=^Txqx1To^WK&cceofRI2Om^7%Rusr9sJOaBnx zq7YPR&}nO;Q!fWQy=aX-IZ(ZLpGOwt1L?p7umNPVgZ>idx_yH#m_dGXUJ>|l{OQNH0VMog1`rlyUz}4L z0ji14`I$pIzIuDL{+eM#{57xECSxHp`1UpGx^%=^^B0ajDj|ZonFlE+7`AxRdF6Yf zcgvd2$(e~=Fh30eJb)qOlif2uBp0K1X6p_MdY(|SKSw>?!*R8O#jNmrtm5w?fOBB5 zE%#2q1@iN3O-xIbXYzJN1P~%h!QU6*?0KlCR(Xtdv9lO3`_n)bce-PWUhaoh*2LG# z^ROLb_uQV&TRPtyuH1>J=I5K#NE=(Zgj18zo+Z2xRI%cpb9oS>-pa)(Yh?iy9Xh>i zH=E`2?yiS0U(r6rul7V6#QP;grgUmOyFDJ$N2E--Dpu}CqmMh8XsDHi)3SD9 zv+SUOdS!e`oXi&0nGjdC+}88g{k2Ny;xQ~96A-JPbe}E5ArrbtYMQe^b%DJ+LUN50 z&X-Kp4S^n@~o#F!E1p{KT_VNSmowix@Atkf@#=8%rIhEb0!tFD~-9;-)`mW6{Qf1 z2y*k4I<{X4&gKpz!$SvbQ8cM%d#x-7t+l;zn`@Zg_3}CgIy~6LO}_%l{Q$p?t}qjx zbRM_zklzKNgC1;l%@_AwcxB47HgR^B+N2yT&(88WwvSBj$tx>h?(&tbv`xZP^5FL` z3ThXt#Xip1Eg{H{skLI-N8z6F38RnIcCUzc$!VZIySL(3=hEGA5+4@V!BlRx>BFyX z#eH}(#r-8|3IDpo9S_Tm^RUQ$%Bk*=X9qxgJq+i|8{&)ko+Cf)8X-2$9A_yO<4RA_ zZ?m<3AnJ$XyLAUG?b?gmT?^{8BZzIr}5b1Bg?h^&r~ z)#dxLim$3}-ttl;;th4~7{+vN@vh$nQK@d&#H63GrBw%hf0EXXkm-FnLg?d}DSpuD zGs;|Y?Qp7FQ4xuKeWJ^J%M8#PZAx+~PTU)P+=e_TrBb~}?wd}8akO5R53{X}pgu8$`&l~sB z(6d*t;3oW9Cd6X(iV6YS7~Wyu4$(~9ZApX%InNY(^;nlwb7~T zfS*kuE~*jEbq>{$1(vf5h=?YDdcPj4gM8Urt6}4m*VB%jPp&~Ohz3=NoO<4D5V#{N zjDeZsu)0FJ&@$$SompCLzcMFH!g71DKVgHx%snT~;@RODk-J!1OZleVjpnst#ACzF z49Qek{!GmEimBaE$c%2eUqRDv&8-#avO(~G6h*7Mmgze;(ugXhDR1lOJIgUQc`PY@PXEu^#`*j_7}_!+&A_A6S}iu&3Vv zi;)0s)BWw>|F2E?>-+yC*e28;#sAHr0PtJ<&;N;$_`l#w#_r26eaQk0u>Z2YWIKkB 
z{Jm<5pZZIAe!rBWe){n@U-Gx0kv|^`@S89BH(&B^zU2RWzGMVxeMatZtgPOMI}NTi z%P*}x@7&jYO~1%)@S{nrEN4Nnq8F1>5tea4ftuA zL6>Le-RkZxrHpXvSltclZ6Uq|wl zc}>drGIq%-uaYN}I&}RqwB8|n=#!!D>N#uFcY2Tx=kdC|^C8o7&z@Z0D57lV&a@r9 znY_6R>cWStOw4cg)I7d9kJRQBPGj>66dEG9hMiMzUu_9(rhHWvWcLN^Hr*!caC&Am(;%DJhX@Idqq$A9 zwRIiSBYTqakTRVr|)sH)2+WNN@0f)q%IXT%w z)AFGi7v}|nPc%q0@7Rsp-Hwl0Oiii{l^fVNmnVmZo19;ZT81Yje_aQG@Gi&eWpmQuAQYme(N@ycbuu|DSwtH~xo#L?tbK-qb&UZ(ygk0a6}uDYW#QpHZ6 zhUK}8awry?>%r0=iC@M2NuEqu*Vrwl$7d$wQ6)lzjO5RbcMZ0t30Z7{3!hwOkISug xooD2R_oLD^q}BZYUwL^+QE+Z%h<^xhEE-s;jP?fT(Uu&wV>ARtLttoy002JDU6ud< From 54d75509179b6421d51317bfe65e1537056c3cf7 Mon Sep 17 00:00:00 2001 From: Alexey Pustovalov Date: Mon, 4 Mar 2024 11:24:33 +0900 Subject: [PATCH 23/32] Updated --- .github/workflows/images_build_test.yml | 69 +++++++++++++++++++++++-- 1 file changed, 65 insertions(+), 4 deletions(-) diff --git a/.github/workflows/images_build_test.yml b/.github/workflows/images_build_test.yml index 0462dfdab..6144daac6 100644 --- a/.github/workflows/images_build_test.yml +++ b/.github/workflows/images_build_test.yml @@ -10,9 +10,9 @@ on: - 'trunk' - 'trunk_rhel' paths: + - 'Dockerfiles/*/rhel/*' - 'build.json' - '!**/README.md' - - 'Dockerfiles/*/rhel/*' - '.github/workflows/images_build_test.yml' schedule: - cron: '50 02 * * *' @@ -48,6 +48,12 @@ env: DOCKER_REGISTRY_TEST: "ghcr.io" DOCKER_REPOSITORY_TEST: "zabbix" + REGISTRY: "quay.io" + REGISTRY_NAMESPACE: "redhat-isv-containers" + PREFLIGHT_IMAGE: "quay.io/opdev/preflight:stable" + PFLT_LOGLEVEL: "warn" + PFLT_ARTIFACTS: "/tmp/artifacts" + jobs: init_build: name: Initialize build 
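Review bot: `PREFLIGHT_IMAGE: "quay.io/opdev/preflight:stable"` in the new `env:` entries names the certification tool by a mutable tag, while every action in this workflow is pinned to a commit SHA. The "Preflight certification" step added later in this commit runs that image with the Pyxis API token and the runner's Docker auth file, so a changed `stable` tag would run with both. Pin the image by digest, e.g. `PREFLIGHT_IMAGE: "quay.io/opdev/preflight@sha256:DIGEST_PLACEHOLDER"` (placeholder; take the digest from a release you have verified), and update it deliberately.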
@@ -61,6 +67,7 @@ jobs: is_default_branch: ${{ steps.branch_info.outputs.is_default_branch }} current_branch: ${{ steps.branch_info.outputs.current_branch }} sha_short: ${{ steps.branch_info.outputs.sha_short }} + secret_prefix: ${{ steps.branch_info.outputs.secret_prefix }} steps: - name: Block egress traffic uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 @@ -155,6 +162,7 @@ jobs: echo "is_default_branch=$result" >> $GITHUB_OUTPUT echo "current_branch=$github_ref" >> $GITHUB_OUTPUT + echo "secret_prefix=RHEL_64" >> $GITHUB_OUTPUT echo "sha_short=$sha_short" >> $GITHUB_OUTPUT build_base: @@ -847,6 +855,19 @@ jobs: with: driver-opts: image=moby/buildkit:master + - name: Variables formating + id: var_format + env: + MATRIX_BUILD: ${{ matrix.build }} + run: | + MATRIX_BUILD=${MATRIX_BUILD^^} + MATRIX_BUILD=${MATRIX_BUILD//-/_} + + echo "::group::Result" + echo "matrix_build=${MATRIX_BUILD}" + echo "::endgroup::" + echo "matrix_build=${MATRIX_BUILD}" >> $GITHUB_OUTPUT + - name: Prepare Platform list id: platform env: 
@@ -899,8 +920,9 @@ jobs: uses: docker/metadata-action@8e5442c4ef9f78752691e2d8f8d19755c6f78e81 # v5.5.1 with: images: | - ${{ format('{0}/{1}/{2}{3}', env.DOCKER_REGISTRY_TEST, env.DOCKER_REPOSITORY_TEST, env.IMAGES_PREFIX, matrix.build ) }},enable=${{ env.AUTO_PUSH_IMAGES != 'true' }} + ${{ format('{0}/{1}/{2}{3}', env.DOCKER_REGISTRY_TEST, env.DOCKER_REPOSITORY_TEST, env.IMAGES_PREFIX, matrix.build ) }},enable=${{ env.AUTO_PUSH_IMAGES == 'true' }} ${{ format('{0}/{1}{2}', env.DOCKER_REPOSITORY, env.IMAGES_PREFIX, matrix.build ) }},enable=${{ env.AUTO_PUSH_IMAGES == 'true' }} + ${{ env.REGISTRY }}/${{ env.REGISTRY_NAMESPACE }}/${{ secrets[format('{0}_{1}_PROJECT', needs.init_build.outputs.secret_prefix, steps.var_format.outputs.matrix_build)] || matrix.build }} context: ${{ env.TRUNK_ONLY_EVENT == 'true' && 'git' || '' }} tags: | type=semver,enable=${{ needs.init_build.outputs.current_branch != 'trunk' }},pattern={{version}},prefix=${{ matrix.os }}- @@ -982,7 +1004,6 @@ jobs: CONTEXT: ${{ format('{0}/{1}/{2}', env.DOCKERFILES_DIRECTORY, matrix.build, matrix.os) }} run: | cp -R "/tmp/secrets/" "$CONTEXT/" - ls -lah "$CONTEXT/" - name: Remove smartmontools if: ${{ matrix.build == 'agent2' && matrix.os == 'rhel' }} 
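Review bot: The new third entry under `images:` has no `enable=` condition and falls back to `matrix.build` when the `..._PROJECT` secret is missing, so an absent or misnamed secret silently yields a `quay.io/redhat-isv-containers/` tag with the component name as repository instead of stopping the job. The Quay login added later in this commit is guarded by `AUTO_PUSH_IMAGES != 'true'`, so tag generation and login should share one condition. I would drop the `|| matrix.build` fallback and add a short step that fails when the project secret is empty. Because the project ID is a secret, the generated tags will presumably be masked in the job log; a comment such as `# project ID is a secret, tags appear masked in logs` would help the next reader.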
@@ -999,13 +1020,21 @@ jobs: password: ${{ secrets.DOCKER_PASSWORD }} - name: Login to ${{ env.DOCKER_REGISTRY_TEST }} - if: ${{ env.AUTO_PUSH_IMAGES != 'true' }} + if: ${{ env.AUTO_PUSH_IMAGES == 'true' }} uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0 with: registry: ${{ env.DOCKER_REGISTRY_TEST }} username: ${{ github.actor }} password: ${{ secrets.GITHUB_TOKEN }} + - name: Log in to ${{ env.REGISTRY }} + uses: redhat-actions/podman-login@9184318aae1ee5034fbfbacc0388acf12669171f # v1.6 + if: ${{ env.AUTO_PUSH_IMAGES != 'true' }} + with: + username: ${{ format('redhat-isv-containers+{0}-robot', secrets[format('{0}_{1}_PROJECT', needs.init_build.outputs.secret_prefix, steps.var_format.outputs.matrix_build)]) }} + password: ${{ secrets[format('{0}_{1}_SECRET', needs.init_build.outputs.secret_prefix, steps.var_format.outputs.matrix_build)] }} + registry: ${{ env.REGISTRY }} + - name: Build and push image id: docker_build uses: docker/build-push-action@4a13e500e55cf31b7a5d59a38ab2040ab0f42f56 # v5.1.0 
@@ -1022,6 +1051,38 @@ jobs: org.opencontainers.image.revision=${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.revision'] }} org.opencontainers.image.created=${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.created'] }} + - name: Preflight certification + if: ${{ env.AUTO_PUSH_IMAGES != 'true' }} + env: + PFLT_CERTIFICATION_PROJECT_ID: ${{ secrets[format('{0}_{1}_PROJECT', needs.init_build.outputs.secret_prefix, steps.var_format.outputs.matrix_build)] }} + PFLT_PYXIS_API_TOKEN: ${{ secrets.REDHAT_API_TOKEN }} + PFLT_ARTIFACTS: ${{ env.PFLT_ARTIFACTS }} + PFLT_LOGLEVEL: ${{ env.PFLT_LOGLEVEL }} + IMAGE_TAG: ${{ fromJSON(steps.meta.outputs.json).tags[0] }} + PREFLIGHT_IMAGE: ${{ env.PREFLIGHT_IMAGE }} + run: | + mkdir -p $PFLT_ARTIFACTS + echo "::group::Pull preflight \"$PREFLIGHT_IMAGE\" image" + docker pull "$PREFLIGHT_IMAGE" + echo "::endgroup::" + + echo "::group::Perform certification tests" + docker run \ + -it \ + --rm \ + --security-opt=label=disable \ + --env PFLT_LOGLEVEL=$PFLT_LOGLEVEL \ + --env PFLT_ARTIFACTS=/artifacts \ + --env PFLT_LOGFILE=/artifacts/preflight.log \ + --env PFLT_CERTIFICATION_PROJECT_ID=$PFLT_CERTIFICATION_PROJECT_ID \ + --env PFLT_PYXIS_API_TOKEN=$PFLT_PYXIS_API_TOKEN \ + --env PFLT_DOCKERCONFIG=/temp-authfile.json \ + -v $PFLT_ARTIFACTS:/artifacts \ + -v $HOME/.docker/config.json:/temp-authfile.json:ro \ + "$PREFLIGHT_IMAGE" check container $IMAGE_TAG --submit + docker rmi -i -f "$PREFLIGHT_IMAGE" + echo "::endgroup::" + - name: Sign the images with GitHub OIDC Token if: ${{ env.AUTO_PUSH_IMAGES == 'true' }} env: From f5ed6a6876a12d8696d161e36ffea1386d5f2a3d Mon Sep 17 00:00:00 2001 From: Alexey Pustovalov Date: Mon, 4 Mar 2024 11:55:07 +0900 Subject: [PATCH 24/32] Updated --- build.json | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/build.json b/build.json index 1616e5a81..a7fd773f6 100644 --- a/build.json +++ b/build.json 
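Review bot: The `docker run` in the new "Preflight certification" step gives the container more credentials than it needs: `-v $HOME/.docker/config.json:/temp-authfile.json:ro` exposes whatever registry logins were made earlier in the job (the Docker Hub and ghcr.io logins are visible above), and `--env PFLT_PYXIS_API_TOKEN=$PFLT_PYXIS_API_TOKEN` puts the token value on the command line. Pass the variable by name, `--env PFLT_PYXIS_API_TOKEN \`, so Docker reads it from the step environment, and mount an auth file that holds only the `quay.io` entry. `-it` also requests a TTY, which a workflow job normally does not have, and `$IMAGE_TAG` and `$PFLT_ARTIFACTS` should be quoted.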
@@ -17,9 +17,7 @@ ], "rhel": [ "linux/amd64", - "linux/arm64", - "linux/ppc64le", - "linux/s390x" + "linux/arm64" ], "ubuntu": [ "linux/amd64", From 1327b1e2e974ebad8f8c04f0027137eeadd44758 Mon Sep 17 00:00:00 2001 From: Alexey Pustovalov Date: Mon, 4 Mar 2024 13:05:33 +0900 Subject: [PATCH 25/32] Updated --- .github/workflows/images_build_test.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/images_build_test.yml b/.github/workflows/images_build_test.yml index 6144daac6..6104d124f 100644 --- a/.github/workflows/images_build_test.yml +++ b/.github/workflows/images_build_test.yml @@ -1028,7 +1028,7 @@ jobs: password: ${{ secrets.GITHUB_TOKEN }} - name: Log in to ${{ env.REGISTRY }} - uses: redhat-actions/podman-login@9184318aae1ee5034fbfbacc0388acf12669171f # v1.6 + uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0 if: ${{ env.AUTO_PUSH_IMAGES != 'true' }} with: username: ${{ format('redhat-isv-containers+{0}-robot', secrets[format('{0}_{1}_PROJECT', needs.init_build.outputs.secret_prefix, steps.var_format.outputs.matrix_build)]) }} From 2304866b47b0363f05b6636bf72865e24eda795c Mon Sep 17 00:00:00 2001 From: Alexey Pustovalov Date: Mon, 4 Mar 2024 15:16:04 +0900 Subject: [PATCH 26/32] Updated --- .github/workflows/images_build_test.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/images_build_test.yml b/.github/workflows/images_build_test.yml index 6104d124f..a70404b92 100644 --- a/.github/workflows/images_build_test.yml +++ b/.github/workflows/images_build_test.yml @@ -1020,7 +1020,7 @@ jobs: password: ${{ secrets.DOCKER_PASSWORD }} - name: Login to ${{ env.DOCKER_REGISTRY_TEST }} - if: ${{ env.AUTO_PUSH_IMAGES == 'true' }} + if: ${{ env.AUTO_PUSH_IMAGES != 'true' }} uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0 with: registry: ${{ env.DOCKER_REGISTRY_TEST }} From 14704cf1d27a16b5e29fb67fc09a068d0a5269d4 Mon Sep 17 00:00:00 2001 
From: Alexey Pustovalov Date: Mon, 4 Mar 2024 16:29:57 +0900 Subject: [PATCH 27/32] Updated --- .github/workflows/images_build_test.yml | 22 +++++----------------- 1 file changed, 5 insertions(+), 17 deletions(-) diff --git a/.github/workflows/images_build_test.yml b/.github/workflows/images_build_test.yml index a70404b92..d7533f643 100644 --- a/.github/workflows/images_build_test.yml +++ b/.github/workflows/images_build_test.yml @@ -1042,8 +1042,7 @@ jobs: context: ${{ format('{0}/{1}/{2}', env.DOCKERFILES_DIRECTORY, matrix.build, matrix.os) }} file: ${{ format('{0}/{1}/{2}/Dockerfile', env.DOCKERFILES_DIRECTORY, matrix.build, matrix.os) }} platforms: ${{ steps.platform.outputs.list }} - push: ${{ env.AUTO_PUSH_IMAGES == 'true' }} - provenance: mode=max + push: ${{ env.AUTO_PUSH_IMAGES != 'true' }} sbom: ${{ env.AUTO_PUSH_IMAGES == 'true' }} tags: ${{ steps.meta.outputs.tags }} build-args: BUILD_BASE_IMAGE=${{ steps.base_build.outputs.base_build_image }} @@ -1056,10 +1055,11 @@ jobs: env: PFLT_CERTIFICATION_PROJECT_ID: ${{ secrets[format('{0}_{1}_PROJECT', needs.init_build.outputs.secret_prefix, steps.var_format.outputs.matrix_build)] }} PFLT_PYXIS_API_TOKEN: ${{ secrets.REDHAT_API_TOKEN }} - PFLT_ARTIFACTS: ${{ env.PFLT_ARTIFACTS }} + PFLT_ARTIFACTS: "/tmp/artifacts" PFLT_LOGLEVEL: ${{ env.PFLT_LOGLEVEL }} IMAGE_TAG: ${{ fromJSON(steps.meta.outputs.json).tags[0] }} PREFLIGHT_IMAGE: ${{ env.PREFLIGHT_IMAGE }} + PFLT_LOGFILE: "/tmp/artifacts/preflight.log" run: | mkdir -p $PFLT_ARTIFACTS echo "::group::Pull preflight \"$PREFLIGHT_IMAGE\" image" 
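Review bot: After the first hunk the build step pushes when `AUTO_PUSH_IMAGES != 'true'`, but `provenance: mode=max` is removed and `sbom:` still evaluates to false on that same path, so the images this step pushes carry no attestation. The signing step further down is limited to `AUTO_PUSH_IMAGES == 'true'` as well, which leaves those images unsigned. If the target registry or preflight cannot handle attestation manifests, state that in a comment next to `push:`; otherwise keep `provenance: mode=max` and align the SBOM with the push condition, `sbom: ${{ env.AUTO_PUSH_IMAGES != 'true' }}`.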
@@ -1067,20 +1067,8 @@ jobs: echo "::endgroup::" echo "::group::Perform certification tests" - docker run \ - -it \ - --rm \ - --security-opt=label=disable \ - --env PFLT_LOGLEVEL=$PFLT_LOGLEVEL \ - --env PFLT_ARTIFACTS=/artifacts \ - --env PFLT_LOGFILE=/artifacts/preflight.log \ - --env PFLT_CERTIFICATION_PROJECT_ID=$PFLT_CERTIFICATION_PROJECT_ID \ - --env PFLT_PYXIS_API_TOKEN=$PFLT_PYXIS_API_TOKEN \ - --env PFLT_DOCKERCONFIG=/temp-authfile.json \ - -v $PFLT_ARTIFACTS:/artifacts \ - -v $HOME/.docker/config.json:/temp-authfile.json:ro \ - "$PREFLIGHT_IMAGE" check container $IMAGE_TAG --submit - docker rmi -i -f "$PREFLIGHT_IMAGE" + export PFLT_DOCKERCONFIG="$HOME/.docker/config.json" + preflight check container $IMAGE_TAG echo "::endgroup::" - name: Sign the images with GitHub OIDC Token From b01adcf5effea2ec1cbf0ed5ad1856b194c24124 Mon Sep 17 00:00:00 2001 From: Alexey Pustovalov Date: Mon, 4 Mar 2024 17:25:41 +0900 Subject: [PATCH 28/32] Updated --- .github/workflows/images_build_test.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/.github/workflows/images_build_test.yml b/.github/workflows/images_build_test.yml index d7533f643..3c26362bd 100644 --- a/.github/workflows/images_build_test.yml +++ b/.github/workflows/images_build_test.yml @@ -1063,7 +1063,6 @@ jobs: run: | mkdir -p $PFLT_ARTIFACTS echo "::group::Pull preflight \"$PREFLIGHT_IMAGE\" image" - docker pull "$PREFLIGHT_IMAGE" echo "::endgroup::" echo "::group::Perform certification tests" From 6f44f78dca931bfb895cfd591dc7994f764c4f6d Mon Sep 17 00:00:00 2001 From: Alexey Pustovalov Date: Mon, 4 Mar 2024 20:18:36 +0900 Subject: [PATCH 29/32] Updated --- .github/workflows/images_build_test.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/images_build_test.yml b/.github/workflows/images_build_test.yml index 3c26362bd..ad1602ab6 100644 --- a/.github/workflows/images_build_test.yml +++ b/.github/workflows/images_build_test.yml 
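Review bot: `preflight check container $IMAGE_TAG` now relies on a `preflight` binary that must already be present on the self-hosted runner, and nothing in the step records or checks which build that is. Log the tool's version before the check, or install a release whose checksum the job verifies, so a certification result can be tied to a known tool version. `export PFLT_DOCKERCONFIG="$HOME/.docker/config.json"` still hands the tool every registry login of the job rather than only the `quay.io` entry, and `$IMAGE_TAG` should be quoted.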
@@ -698,7 +698,7 @@ jobs: strategy: fail-fast: false matrix: - build: ${{ fromJson(needs.init_build.outputs.components) }} + build: ["agent"] os: ${{ fromJson(needs.init_build.outputs.os) }} runs-on: [self-hosted, linux, ubuntu] @@ -1051,7 +1051,6 @@ jobs: org.opencontainers.image.created=${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.created'] }} - name: Preflight certification - if: ${{ env.AUTO_PUSH_IMAGES != 'true' }} env: PFLT_CERTIFICATION_PROJECT_ID: ${{ secrets[format('{0}_{1}_PROJECT', needs.init_build.outputs.secret_prefix, steps.var_format.outputs.matrix_build)] }} PFLT_PYXIS_API_TOKEN: ${{ secrets.REDHAT_API_TOKEN }} @@ -1060,6 +1059,7 @@ jobs: IMAGE_TAG: ${{ fromJSON(steps.meta.outputs.json).tags[0] }} PREFLIGHT_IMAGE: ${{ env.PREFLIGHT_IMAGE }} PFLT_LOGFILE: "/tmp/artifacts/preflight.log" + SUBMIT_IMAGE: ${{ env.AUTO_PUSH_IMAGES != 'true' && '--submit' || '' }} run: | mkdir -p $PFLT_ARTIFACTS echo "::group::Pull preflight \"$PREFLIGHT_IMAGE\" image" @@ -1067,7 +1067,7 @@ jobs: echo "::group::Perform certification tests" export PFLT_DOCKERCONFIG="$HOME/.docker/config.json" - preflight check container $IMAGE_TAG + preflight check container $IMAGE_TAG --submit echo "::endgroup::" - name: Sign the images with GitHub OIDC Token From 39bff12835e39c76b3f6c3fb95cc3a99fa2e4b93 Mon Sep 17 00:00:00 2001 From: Alexey Pustovalov Date: Tue, 5 Mar 2024 13:47:19 +0900 Subject: [PATCH 30/32] Updated --- .github/workflows/images_build_test.yml | 304 ++++-------------------- 1 file changed, 49 insertions(+), 255 deletions(-) diff --git a/.github/workflows/images_build_test.yml b/.github/workflows/images_build_test.yml index ad1602ab6..1b4f1270c 100644 --- a/.github/workflows/images_build_test.yml +++ b/.github/workflows/images_build_test.yml @@ -1,4 +1,4 @@ -name: Build images (DockerHub, rhel) +name: Build images (RedHat registry) on: release: 
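Review bot: The last hunk hard-codes `--submit` on the `preflight` command while the `SUBMIT_IMAGE` variable added in the previous hunk is never used, and the same commit removes the step's `if:` guard. As written, every run, including manual test runs, submits results to the certification project with the Pyxis token. Use the variable instead: `preflight check container "$IMAGE_TAG" $SUBMIT_IMAGE` (left unquoted on purpose so an empty value adds no argument). The condition itself deserves a second look, since `AUTO_PUSH_IMAGES != 'true'` enables submission exactly when automatic pushing is off.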
@@ -8,7 +8,6 @@ on: branches: - '[0-9]+.[0-9]+' - 'trunk' - - 'trunk_rhel' paths: - 'Dockerfiles/*/rhel/*' - 'build.json' @@ -27,8 +26,7 @@ permissions: env: TRUNK_ONLY_EVENT: ${{ contains(fromJSON('["schedule"]'), github.event_name) }} -# AUTO_PUSH_IMAGES: ${{ ! contains(fromJSON('["workflow_dispatch"]'), github.event_name) && vars.AUTO_PUSH_IMAGES }} - AUTO_PUSH_IMAGES: false + AUTO_PUSH_IMAGES: ${{ ! contains(fromJSON('["workflow_dispatch"]'), github.event_name) && vars.AUTO_PUSH_IMAGES }} DOCKER_REPOSITORY: ${{ vars.DOCKER_REPOSITORY }} LATEST_BRANCH: ${{ github.event.repository.default_branch }} 
@@ -177,99 +175,8 @@ jobs: runs-on: [self-hosted, linux, ubuntu] permissions: contents: read - id-token: write packages: write steps: - - name: Block egress traffic - uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 - with: - disable-sudo: true - egress-policy: audit - allowed-endpoints: > - api.github.com:443 - archive.ubuntu.com:80 - atl.mirrors.knownhost.com:443 - atl.mirrors.knownhost.com:80 - auth.docker.io:443 - cdn03.quay.io:443 - centos-stream-distro.1gservers.com:443 - centos-stream-distro.1gservers.com:80 - dfw.mirror.rackspace.com:443 - dfw.mirror.rackspace.com:80 - dl-cdn.alpinelinux.org:443 - download.cf.centos.org:443 - download.cf.centos.org:80 - epel.mirror.constant.com:443 - ftp-nyc.osuosl.org:443 - ftp-nyc.osuosl.org:80 - ftp-osl.osuosl.org:443 - ftp-osl.osuosl.org:80 - ftp.plusline.net:443 - ftp.plusline.net:80 - ftpmirror.your.org:80 - fulcio.sigstore.dev:443 - github.com:443 - ghcr.io:443 - iad.mirror.rackspace.com:443 - iad.mirror.rackspace.com:80 - index.docker.io:443 - lesnet.mm.fcix.net:443 - mirror-mci.yuki.net.uk:443 - mirror-mci.yuki.net.uk:80 - mirror.arizona.edu:443 - mirror.arizona.edu:80 - mirror.dogado.de:443 - mirror.dogado.de:80 - mirror.facebook.net:443 - mirror.facebook.net:80 - mirror.fcix.net:443 - mirror.hoobly.com:443 - mirror.math.princeton.edu:443 - mirror.netzwerge.de:443 - mirror.pilotfiber.com:443 - mirror.pilotfiber.com:80 - mirror.rackspace.com:443 - mirror.rackspace.com:80 - mirror.scaleuptech.com:443 - mirror.scaleuptech.com:80 - mirror.servaxnet.com:443 - mirror.servaxnet.com:80 - mirror.siena.edu:80 - mirror.stream.centos.org:443 - mirror.stream.centos.org:80 - mirror.team-cymru.com:443 - mirror.team-cymru.com:80 - mirror1.hs-esslingen.de:443 - mirrors.centos.org:443 - mirrors.fedoraproject.org:443 - mirrors.fedoraproject.org:80 - mirrors.iu13.net:80 - mirrors.mit.edu:443 - mirrors.ocf.berkeley.edu:443 - mirrors.ocf.berkeley.edu:80 - mirrors.sonic.net:443 - mirrors.wcupa.edu:443 
- mirrors.wcupa.edu:80 - mirrors.xtom.de:80 - na.edge.kernel.org:443 - nocix.mm.fcix.net:443 - oauth2.sigstore.dev:443 - objects.githubusercontent.com:443 - ports.ubuntu.com:80 - production.cloudflare.docker.com:443 - quay.io:443 - registry-1.docker.io:443 - rekor.sigstore.dev:443 - repo.ialab.dsu.edu:443 - repos.eggycrew.com:443 - repos.eggycrew.com:80 - security.ubuntu.com:80 - tuf-repo-cdn.sigstore.dev:443 - uvermont.mm.fcix.net:443 - yum.oracle.com:443 - ziply.mm.fcix.net:443 - pkg-containers.githubusercontent.com:443 - - name: Checkout repository uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: @@ -277,15 +184,22 @@ jobs: fetch-depth: 1 - name: Install cosign - if: ${{ env.AUTO_PUSH_IMAGES == 'true' }} + if: ${{ env.AUTO_PUSH_IMAGES == 'true' && matrix.os != 'rhel' }} uses: sigstore/cosign-installer@e1523de7571e31dbe865fd2e80c5c7c23ae71eb4 with: cosign-release: 'v2.2.3' - name: Check cosign version - if: ${{ env.AUTO_PUSH_IMAGES == 'true' }} + if: ${{ env.AUTO_PUSH_IMAGES == 'true' && matrix.os != 'rhel' }} run: cosign version + - name: Set up QEMU + if: ${{ matrix.os != 'rhel' }} + uses: docker/setup-qemu-action@68827325e0b33c7199eb31dd4e31fbe9023e06e3 # v3.0.0 + with: + image: tonistiigi/binfmt:latest + platforms: all + - name: Set up Docker Buildx uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 # v3.0.0 with: 
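Review bot: Deleting the `step-security/harden-runner` step here, and again in the hunk at `@@ -707,126 +621,6 @@`, removes the only egress auditing visible for these jobs. They still run on `[self-hosted, linux, ubuntu]` runners and, for rhel, handle subscription material taken from `/tmp/secrets`. If the long mirror list was the maintenance problem, keep the step with `egress-policy: audit` and drop only `allowed-endpoints`, so outbound connections are still recorded. The same hunk removes `id-token: write`, while a "Sign the images with GitHub OIDC Token" step later in the file stays enabled for `matrix.os != 'rhel'`; if that step belongs to this job, keyless signing will have no OIDC token. The job starts and ends outside the hunk, so its name is not visible here.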
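Review bot: The added "Set up QEMU" step pulls `tonistiigi/binfmt:latest`, a mutable tag, while every action around it is pinned to a full commit SHA. That image registers binary-format handlers on the runner host, and on a self-hosted runner a changed `latest` affects every later job on that machine. Pin it by digest, for example `image: tonistiigi/binfmt@sha256:<digest-of-reviewed-image>`, and update the digest deliberately like the action pins.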
@@ -312,8 +226,8 @@ jobs: uses: docker/metadata-action@8e5442c4ef9f78752691e2d8f8d19755c6f78e81 # v5.5.1 with: images: | - ${{ format('{0}/{1}/{2}{3}', env.DOCKER_REGISTRY_TEST, env.DOCKER_REPOSITORY_TEST, env.IMAGES_PREFIX, env.BASE_BUILD_NAME ) }},enable=${{ env.AUTO_PUSH_IMAGES != 'true' }} - ${{ format('{0}/{1}{2}', env.DOCKER_REPOSITORY, env.IMAGES_PREFIX, env.BASE_BUILD_NAME ) }},enable=${{ env.AUTO_PUSH_IMAGES == 'true' }} + ${{ format('{0}/{1}/{2}{3}', env.DOCKER_REGISTRY_TEST, env.DOCKER_REPOSITORY_TEST, env.IMAGES_PREFIX, env.BASE_BUILD_NAME ) }},enable=${{ env.AUTO_PUSH_IMAGES != 'true' || matrix.os == 'rhel' }} + ${{ format('{0}/{1}{2}', env.DOCKER_REPOSITORY, env.IMAGES_PREFIX, env.BASE_BUILD_NAME ) }},enable=${{ env.AUTO_PUSH_IMAGES == 'true' && matrix.os != 'rhel' }} context: ${{ env.TRUNK_ONLY_EVENT == 'true' && 'git' || '' }} tags: | type=semver,enable=${{ needs.init_build.outputs.current_branch != 'trunk' }},pattern={{version}},prefix=${{ matrix.os }}- 
@@ -359,26 +273,26 @@ jobs: echo 'EOF' >> "$GITHUB_OUTPUT" - name: Login to DockerHub - if: ${{ env.AUTO_PUSH_IMAGES == 'true' }} + if: ${{ env.AUTO_PUSH_IMAGES == 'true' && matrix.os != 'rhel' }} uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0 with: username: ${{ secrets.DOCKER_USERNAME }} password: ${{ secrets.DOCKER_PASSWORD }} - name: Login to ${{ env.DOCKER_REGISTRY_TEST }} - if: ${{ env.AUTO_PUSH_IMAGES != 'true' }} + if: ${{ env.AUTO_PUSH_IMAGES != 'true' || matrix.os == 'rhel' }} uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0 with: registry: ${{ env.DOCKER_REGISTRY_TEST }} username: ${{ github.actor }} password: ${{ secrets.GITHUB_TOKEN }} - - name: Copy RedHat subscription + - name: Prepare RedHat subscription if: ${{ matrix.os == 'rhel' }} env: CONTEXT: ${{ format('{0}/{1}/{2}', env.DOCKERFILES_DIRECTORY, env.BASE_BUILD_NAME, matrix.os) }} run: | - cp -R /tmp/secrets/ $CONTEXT/ + cp -R "/tmp/secrets/" "$CONTEXT/" - name: Build and publish image id: docker_build @@ -388,7 +302,7 @@ jobs: file: ${{ format('{0}/{1}/{2}/Dockerfile', env.DOCKERFILES_DIRECTORY, env.BASE_BUILD_NAME, matrix.os) }} platforms: ${{ steps.platform.outputs.list }} push: true - provenance: mode=max + provenance: ${{ env.AUTO_PUSH_IMAGES == 'true' && 'mode=max' || '' }} sbom: ${{ env.AUTO_PUSH_IMAGES == 'true' }} tags: ${{ steps.meta.outputs.tags }} labels: | @@ -398,7 +312,7 @@ jobs: cache-to: ${{ steps.cache_data.outputs.cache_to }} - name: Sign the images with GitHub OIDC Token - if: ${{ env.AUTO_PUSH_IMAGES == 'true' }} + if: ${{ env.AUTO_PUSH_IMAGES == 'true' && matrix.os != 'rhel' }} env: DIGEST: ${{ steps.docker_build.outputs.digest }} TAGS: ${{ steps.meta.outputs.tags }} 
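Review bot: "Prepare RedHat subscription" copies `/tmp/secrets/` into the Docker build context, and nothing in this hunk removes it afterwards. On a self-hosted runner the subscription and PKI material can therefore remain in the workspace for later jobs. Add a cleanup step after the build, with `if: ${{ always() && matrix.os == 'rhel' }}` and `run: rm -rf "$CONTEXT/secrets"`. Also confirm that the rhel Dockerfiles only mount this directory during `RUN` and never `COPY` it, since a copied file would end up in a pushed layer. The step list continues outside the hunk, so a cleanup may already exist further down.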
@@ -491,13 +405,13 @@ jobs: fetch-depth: 1 - name: Install cosign - if: ${{ env.AUTO_PUSH_IMAGES == 'true' }} + if: ${{ env.AUTO_PUSH_IMAGES == 'true' && matrix.os != 'rhel' }} uses: sigstore/cosign-installer@e1523de7571e31dbe865fd2e80c5c7c23ae71eb4 with: cosign-release: 'v2.2.3' - name: Check cosign version - if: ${{ env.AUTO_PUSH_IMAGES == 'true' }} + if: ${{ env.AUTO_PUSH_IMAGES == 'true' && matrix.os != 'rhel' }} run: cosign version - name: Set up QEMU 
@@ -531,15 +445,15 @@ jobs: uses: docker/metadata-action@8e5442c4ef9f78752691e2d8f8d19755c6f78e81 # v5.5.1 with: images: | - ${{ format('{0}/{1}/{2}{3}', env.DOCKER_REGISTRY_TEST, env.DOCKER_REPOSITORY_TEST, env.IMAGES_PREFIX, matrix.build ) }},enable=${{ env.AUTO_PUSH_IMAGES != 'true' }} - ${{ format('{0}/{1}{2}', env.DOCKER_REPOSITORY, env.IMAGES_PREFIX, matrix.build ) }},enable=${{ env.AUTO_PUSH_IMAGES == 'true' }} + ${{ format('{0}/{1}/{2}{3}', env.DOCKER_REGISTRY_TEST, env.DOCKER_REPOSITORY_TEST, env.IMAGES_PREFIX, matrix.build ) }},enable=${{ env.AUTO_PUSH_IMAGES != 'true' || matrix.os == 'rhel' }} + ${{ format('{0}/{1}{2}', env.DOCKER_REPOSITORY, env.IMAGES_PREFIX, matrix.build ) }},enable=${{ env.AUTO_PUSH_IMAGES == 'true' && matrix.os != 'rhel' }} context: ${{ env.TRUNK_ONLY_EVENT == 'true' && 'git' || '' }} tags: | type=semver,enable=${{ needs.init_build.outputs.current_branch != 'trunk' }},pattern={{version}},prefix=${{ matrix.os }}- type=semver,enable=${{ needs.init_build.outputs.current_branch != 'trunk' }},pattern={{version}},suffix=-${{ matrix.os }} type=ref,enable=${{ needs.init_build.outputs.current_branch != 'trunk' && (!contains(fromJSON('["workflow_dispatch"]'), github.event_name)) }},event=branch,prefix=${{ matrix.os }}-,suffix=-latest type=ref,enable=${{ needs.init_build.outputs.current_branch != 'trunk' && (!contains(fromJSON('["workflow_dispatch"]'), github.event_name)) }},event=branch,suffix=-${{ matrix.os }}-latest - type=raw,enable=${{ (needs.init_build.outputs.current_branch != 'trunk') && (needs.init_build.outputs.is_default_branch == 'true') }},value=${{matrix.os}}-latest + type=raw,enable=${{ (needs.init_build.outputs.current_branch != 'trunk') && (needs.init_build.outputs.is_default_branch == 'true') && matrix.os != 'rhel' }},value=${{matrix.os}}-latest type=ref,enable=${{ needs.init_build.outputs.current_branch == 'trunk' }},event=branch,prefix=${{ matrix.os }}- type=ref,enable=${{ needs.init_build.outputs.current_branch == 'trunk' 
|| contains(fromJSON('["workflow_dispatch"]'), github.event_name) }},event=branch,suffix=-${{ matrix.os }} flavor: | @@ -566,7 +480,7 @@ jobs: echo "base_build_image=${IMAGE_NAME}@${IMAGE_DIGEST}" >> $GITHUB_OUTPUT - name: Verify ${{ env.BASE_BUILD_NAME }}:${{ matrix.os }} cosign - if: ${{ env.AUTO_PUSH_IMAGES == 'true' }} + if: ${{ env.AUTO_PUSH_IMAGES == 'true' && matrix.os != 'rhel' }} env: BASE_IMAGE: ${{ steps.base_build.outputs.base_build_image }} OIDC_ISSUER: ${{ env.OIDC_ISSUER }} @@ -621,14 +535,14 @@ jobs: echo 'EOF' >> "$GITHUB_OUTPUT" - name: Login to DockerHub - if: ${{ env.AUTO_PUSH_IMAGES == 'true' }} + if: ${{ env.AUTO_PUSH_IMAGES == 'true' && matrix.os != 'rhel' }} uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0 with: username: ${{ secrets.DOCKER_USERNAME }} password: ${{ secrets.DOCKER_PASSWORD }} - name: Login to ${{ env.DOCKER_REGISTRY_TEST }} - if: ${{ env.AUTO_PUSH_IMAGES != 'true' }} + if: ${{ env.AUTO_PUSH_IMAGES != 'true' || matrix.os == 'rhel' }} uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0 with: registry: ${{ env.DOCKER_REGISTRY_TEST }} @@ -643,8 +557,8 @@ jobs: file: ${{ format('{0}/{1}/{2}/Dockerfile', env.DOCKERFILES_DIRECTORY, matrix.build, matrix.os) }} platforms: ${{ steps.platform.outputs.list }} push: true - provenance: mode=max - sbom: true + provenance: ${{ env.AUTO_PUSH_IMAGES == 'true' && 'mode=max' || '' }} + sbom: ${{ env.AUTO_PUSH_IMAGES == 'true' && matrix.os != 'rhel' }} tags: ${{ steps.meta.outputs.tags }} build-args: BUILD_BASE_IMAGE=${{ steps.base_build.outputs.base_build_image }} labels: | 
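Review bot: Adding `&& matrix.os != 'rhel'` to the "Verify … cosign" condition, here and at `@@ -958,7 +753,7 @@`, means rhel builds consume `steps.base_build.outputs.base_build_image` with no signature check. The matching "Sign the images" steps are skipped for rhel as well. The only remaining binding is the `IMAGE_NAME@IMAGE_DIGEST` reference, and the step that reads the digest is outside this hunk, so integrity appears to rest on the downloaded metadata alone. Document the exemption above the condition, e.g. `# rhel base images are not signed; consumed by digest only`, or sign the rhel base image in the test registry so the verify step can stay on.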
@@ -652,7 +566,7 @@ jobs: org.opencontainers.image.created=${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.created'] }} - name: Sign the images with GitHub OIDC Token - if: ${{ env.AUTO_PUSH_IMAGES == 'true' }} + if: ${{ env.AUTO_PUSH_IMAGES == 'true' && matrix.os != 'rhel' }} env: DIGEST: ${{ steps.docker_build.outputs.digest }} TAGS: ${{ steps.meta.outputs.tags }} @@ -698,7 +612,7 @@ jobs: strategy: fail-fast: false matrix: - build: ["agent"] + build: ${{ fromJson(needs.init_build.outputs.components) }} os: ${{ fromJson(needs.init_build.outputs.os) }} runs-on: [self-hosted, linux, ubuntu] 
@@ -707,126 +621,6 @@ jobs: id-token: write packages: write steps: - - name: Block egress traffic - uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 - with: - disable-sudo: true - egress-policy: audit - allowed-endpoints: > - api.github.com:443 - auth.docker.io:443 - dl-cdn.alpinelinux.org:443 - github.com:443 - index.docker.io:443 - production.cloudflare.docker.com:443 - registry-1.docker.io:443 - fulcio.sigstore.dev:443 - objects.githubusercontent.com:443 - tuf-repo-cdn.sigstore.dev:443 - rekor.sigstore.dev:443 - api.github.com:443 - atl.mirrors.knownhost.com:443 - atl.mirrors.knownhost.com:80 - auth.docker.io:443 - cdn03.quay.io:443 - centos-stream-distro.1gservers.com:443 - centos-stream-distro.1gservers.com:80 - d2lzkl7pfhq30w.cloudfront.net:443 - epel.mirror.constant.com:80 - forksystems.mm.fcix.net:80 - ftp-nyc.osuosl.org:443 - ftp-nyc.osuosl.org:80 - ftp-osl.osuosl.org:443 - ftp-osl.osuosl.org:80 - ftp.plusline.net:80 - ftpmirror.your.org:80 - github.com:443 - iad.mirror.rackspace.com:443 - index.docker.io:443 - ix-denver.mm.fcix.net:443 - mirror-mci.yuki.net.uk:443 - mirror.23m.com:80 - mirror.arizona.edu:80 - mirror.dal.nexril.net:80 - mirror.de.leaseweb.net:80 - mirror.dogado.de:80 - mirror.facebook.net:80 - mirror.hoobly.com:80 - mirror.math.princeton.edu:80 - mirror.netcologne.de:443 - mirror.netzwerge.de:443 - mirror.pilotfiber.com:443 - mirror.pilotfiber.com:80 - mirror.rackspace.com:443 - mirror.rackspace.com:80 - mirror.scaleuptech.com:443 - mirror.servaxnet.com:443 - mirror.servaxnet.com:80 - mirror.sfo12.us.leaseweb.net:80 - mirror.siena.edu:80 - mirror.steadfastnet.com:80 - mirror.team-cymru.com:443 - mirror.team-cymru.com:80 - mirror.umd.edu:443 - mirror1.hs-esslingen.de:443 - mirrors.centos.org:443 - mirrors.fedoraproject.org:443 - mirrors.iu13.net:443 - mirrors.iu13.net:80 - mirrors.ocf.berkeley.edu:443 - mirrors.sonic.net:80 - mirrors.syringanetworks.net:80 - mirrors.vcea.wsu.edu:80 - mirrors.wcupa.edu:80 - 
mirrors.xtom.de:80 - na.edge.kernel.org:443 - nnenix.mm.fcix.net:80 - ohioix.mm.fcix.net:80 - production.cloudflare.docker.com:443 - pubmirror1.math.uh.edu:443 - pubmirror3.math.uh.edu:80 - quay.io:443 - ghcr.io:443 - registry-1.docker.io:443 - repo.ialab.dsu.edu:80 - repos.eggycrew.com:80 - uvermont.mm.fcix.net:80 - ziply.mm.fcix.net:443 - fulcio.sigstore.dev:443 - objects.githubusercontent.com:443 - tuf-repo-cdn.sigstore.dev:443 - rekor.sigstore.dev:443 - oauth2.sigstore.dev:443 - api.github.com:443 - auth.docker.io:443 - github.com:443 - index.docker.io:443 - production.cloudflare.docker.com:443 - registry-1.docker.io:443 - yum.oracle.com:443 - fulcio.sigstore.dev:443 - objects.githubusercontent.com:443 - tuf-repo-cdn.sigstore.dev:443 - rekor.sigstore.dev:443 - api.github.com:443 - archive.ubuntu.com:80 - auth.docker.io:443 - deb.debian.org:80 - github.com:443 - index.docker.io:443 - keyserver.ubuntu.com:11371 - nginx.org:443 - nginx.org:80 - ports.ubuntu.com:80 - production.cloudflare.docker.com:443 - registry-1.docker.io:443 - security.ubuntu.com:80 - fulcio.sigstore.dev:443 - objects.githubusercontent.com:443 - tuf-repo-cdn.sigstore.dev:443 - rekor.sigstore.dev:443 - pkg-containers.githubusercontent.com:443 - - name: Checkout repository uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: @@ -834,13 +628,13 @@ jobs: fetch-depth: 1 - name: Install cosign - if: ${{ env.AUTO_PUSH_IMAGES == 'true' }} + if: ${{ env.AUTO_PUSH_IMAGES == 'true' && matrix.os != 'rhel' }} uses: sigstore/cosign-installer@e1523de7571e31dbe865fd2e80c5c7c23ae71eb4 with: cosign-release: 'v2.2.3' - name: Check cosign version - if: ${{ env.AUTO_PUSH_IMAGES == 'true' }} + if: ${{ env.AUTO_PUSH_IMAGES == 'true' && matrix.os != 'rhel' }} run: cosign version - name: Set up QEMU @@ -857,6 +651,7 @@ jobs: - name: Variables formating id: var_format + if: ${{ matrix.os == 'rhel' }} env: MATRIX_BUILD: ${{ matrix.build }} run: | 
@@ -920,9 +715,9 @@ jobs: uses: docker/metadata-action@8e5442c4ef9f78752691e2d8f8d19755c6f78e81 # v5.5.1 with: images: | - ${{ format('{0}/{1}/{2}{3}', env.DOCKER_REGISTRY_TEST, env.DOCKER_REPOSITORY_TEST, env.IMAGES_PREFIX, matrix.build ) }},enable=${{ env.AUTO_PUSH_IMAGES == 'true' }} - ${{ format('{0}/{1}{2}', env.DOCKER_REPOSITORY, env.IMAGES_PREFIX, matrix.build ) }},enable=${{ env.AUTO_PUSH_IMAGES == 'true' }} - ${{ env.REGISTRY }}/${{ env.REGISTRY_NAMESPACE }}/${{ secrets[format('{0}_{1}_PROJECT', needs.init_build.outputs.secret_prefix, steps.var_format.outputs.matrix_build)] || matrix.build }} + ${{ format('{0}/{1}/{2}{3}', env.DOCKER_REGISTRY_TEST, env.DOCKER_REPOSITORY_TEST, env.IMAGES_PREFIX, matrix.build ) }},enable=${{ env.AUTO_PUSH_IMAGES == 'true' && matrix.os != 'rhel' }} + ${{ format('{0}/{1}{2}', env.DOCKER_REPOSITORY, env.IMAGES_PREFIX, matrix.build ) }},enable=${{ env.AUTO_PUSH_IMAGES == 'true' && matrix.os != 'rhel' }} + ${{ env.REGISTRY }}/${{ env.REGISTRY_NAMESPACE }}/${{ secrets[format('{0}_{1}_PROJECT', needs.init_build.outputs.secret_prefix, steps.var_format.outputs.matrix_build)] || matrix.build }},enable=${{ env.AUTO_PUSH_IMAGES == 'true' && matrix.os == 'rhel' }} context: ${{ env.TRUNK_ONLY_EVENT == 'true' && 'git' || '' }} tags: | type=semver,enable=${{ needs.init_build.outputs.current_branch != 'trunk' }},pattern={{version}},prefix=${{ matrix.os }}- 
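Review bot: When `matrix.os == 'rhel'` and `AUTO_PUSH_IMAGES` is not `'true'`, all three `images:` entries evaluate to `enable=false`, so the metadata step yields no image name or tags. Later hunks still set `push:` to true for rhel and run "Preflight certification" with `IMAGE_TAG` taken from `tags[0]`, which would then be empty. The other jobs in this file enable the test-registry entry with `env.AUTO_PUSH_IMAGES != 'true' || matrix.os == 'rhel'`. If a manual rhel run is meant to push to the test registry, the first entry here should end with something like `enable=${{ env.AUTO_PUSH_IMAGES != 'true' }}`.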
@@ -933,7 +728,7 @@ jobs: type=ref,enable=${{ needs.init_build.outputs.current_branch == 'trunk' }},event=branch,prefix=${{ matrix.os }}- type=ref,enable=${{ needs.init_build.outputs.current_branch == 'trunk' || contains(fromJSON('["workflow_dispatch"]'), github.event_name) }},event=branch,suffix=-${{ matrix.os }} flavor: | - latest=${{ (matrix.os == 'alpine') && (!contains(fromJSON('["workflow_dispatch"]'), github.event_name)) && ( needs.init_build.outputs.is_default_branch == 'true' ) }} + latest=${{ ((matrix.os == 'alpine' && needs.init_build.outputs.is_default_branch == 'true') || matrix.os == 'rhel') && (!contains(fromJSON('["workflow_dispatch"]'), github.event_name)) }} - name: Download metadata of ${{ steps.build_base_image.outputs.build_base }}:${{ matrix.os }} uses: actions/cache@13aacd865c20de90d75de3b17ebe84f7a17d57d2 # v4.0.0 @@ -958,7 +753,7 @@ jobs: echo "base_build_image=${IMAGE_NAME}@${IMAGE_DIGEST}" >> $GITHUB_OUTPUT - name: Verify ${{ steps.build_base_image.outputs.build_base }}:${{ matrix.os }} cosign - if: ${{ matrix.build != 'snmptraps' && env.AUTO_PUSH_IMAGES == 'true' }} + if: ${{ matrix.build != 'snmptraps' && env.AUTO_PUSH_IMAGES == 'true' && matrix.os != 'rhel' }} env: BASE_IMAGE: ${{ steps.base_build.outputs.base_build_image }} OIDC_ISSUER: ${{ env.OIDC_ISSUER }} @@ -1013,14 +808,14 @@ jobs: sed -i '/smartmontools/d' "$DOCKERFILES_DIRECTORY/agent2/rhel/Dockerfile" - name: Login to DockerHub - if: ${{ env.AUTO_PUSH_IMAGES == 'true' }} + if: ${{ env.AUTO_PUSH_IMAGES == 'true' && matrix.os != 'rhel' }} uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0 with: username: ${{ secrets.DOCKER_USERNAME }} password: ${{ secrets.DOCKER_PASSWORD }} - name: Login to ${{ env.DOCKER_REGISTRY_TEST }} - if: ${{ env.AUTO_PUSH_IMAGES != 'true' }} + if: ${{ env.AUTO_PUSH_IMAGES != 'true' || matrix.os == 'rhel' }} uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0 with: registry: ${{ env.DOCKER_REGISTRY_TEST }} 
@@ -1029,7 +824,7 @@ jobs: - name: Log in to ${{ env.REGISTRY }} uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0 - if: ${{ env.AUTO_PUSH_IMAGES != 'true' }} + if: ${{ env.AUTO_PUSH_IMAGES == 'true' && matrix.os == 'rhel' }} with: username: ${{ format('redhat-isv-containers+{0}-robot', secrets[format('{0}_{1}_PROJECT', needs.init_build.outputs.secret_prefix, steps.var_format.outputs.matrix_build)]) }} password: ${{ secrets[format('{0}_{1}_SECRET', needs.init_build.outputs.secret_prefix, steps.var_format.outputs.matrix_build)] }} @@ -1042,8 +837,9 @@ jobs: context: ${{ format('{0}/{1}/{2}', env.DOCKERFILES_DIRECTORY, matrix.build, matrix.os) }} file: ${{ format('{0}/{1}/{2}/Dockerfile', env.DOCKERFILES_DIRECTORY, matrix.build, matrix.os) }} platforms: ${{ steps.platform.outputs.list }} - push: ${{ env.AUTO_PUSH_IMAGES != 'true' }} - sbom: ${{ env.AUTO_PUSH_IMAGES == 'true' }} + provenance: ${{ env.AUTO_PUSH_IMAGES == 'true' && 'mode=max' || '' }} + push: ${{ env.AUTO_PUSH_IMAGES != 'true' || matrix.os == 'rhel' }} + sbom: ${{ env.AUTO_PUSH_IMAGES == 'true' && matrix.os != 'rhel' }} tags: ${{ steps.meta.outputs.tags }} build-args: BUILD_BASE_IMAGE=${{ steps.base_build.outputs.base_build_image }} labels: | @@ -1051,6 +847,7 @@ jobs: org.opencontainers.image.created=${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.created'] }} - name: Preflight certification + if: ${{ matrix.os == 'rhel' }} env: PFLT_CERTIFICATION_PROJECT_ID: ${{ secrets[format('{0}_{1}_PROJECT', needs.init_build.outputs.secret_prefix, steps.var_format.outputs.matrix_build)] }} PFLT_PYXIS_API_TOKEN: ${{ secrets.REDHAT_API_TOKEN }} 
@@ -1062,16 +859,13 @@ jobs: SUBMIT_IMAGE: ${{ env.AUTO_PUSH_IMAGES != 'true' && '--submit' || '' }} run: | mkdir -p $PFLT_ARTIFACTS - echo "::group::Pull preflight \"$PREFLIGHT_IMAGE\" image" - echo "::endgroup::" - - echo "::group::Perform certification tests" + echo "::group::Perform certification tests (${SUBMIT_IMAGE})" export PFLT_DOCKERCONFIG="$HOME/.docker/config.json" - preflight check container $IMAGE_TAG --submit + preflight check container "${IMAGE_TAG}" ${SUBMIT_IMAGE} echo "::endgroup::" - name: Sign the images with GitHub OIDC Token - if: ${{ env.AUTO_PUSH_IMAGES == 'true' }} + if: ${{ env.AUTO_PUSH_IMAGES == 'true' && matrix.os != 'rhel' }} env: DIGEST: ${{ steps.docker_build.outputs.digest }} TAGS: ${{ steps.meta.outputs.tags }} From a743df313139cda39be8dcd9d1ec5fc534a07ac7 Mon Sep 17 00:00:00 2001 From: Alexey Pustovalov Date: Tue, 5 Mar 2024 13:48:14 +0900 Subject: [PATCH 31/32] Updated --- .github/workflows/images_build_test.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/images_build_test.yml b/.github/workflows/images_build_test.yml index 1b4f1270c..775168bdd 100644 --- a/.github/workflows/images_build_test.yml +++ b/.github/workflows/images_build_test.yml @@ -13,8 +13,8 @@ on: - 'build.json' - '!**/README.md' - '.github/workflows/images_build_test.yml' - schedule: - - cron: '50 02 * * *' +# schedule: +# - cron: '50 02 * * *' workflow_dispatch: defaults: From 654e624c4a179269d71df75ac610bb40e2ad332d Mon Sep 17 00:00:00 2001 From: Alexey Pustovalov Date: Tue, 5 Mar 2024 13:48:38 +0900 Subject: [PATCH 32/32] Updated --- .../{images_build_test.yml => images_build_rhel_multiarch.yml} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename .github/workflows/{images_build_test.yml => images_build_rhel_multiarch.yml} (100%) 
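Review bot: The new command passes `${SUBMIT_IMAGE}`, which is `--submit` only when `AUTO_PUSH_IMAGES != 'true'`. That is the case in which the Red Hat registry login at `@@ -1029,7 +824,7 @@` is skipped and the registry image entry is disabled. This looks inverted: results would be submitted for manually dispatched runs and never for automatic ones. If so, the env line should read `SUBMIT_IMAGE: ${{ env.AUTO_PUSH_IMAGES == 'true' && '--submit' || '' }}`. The unquoted `${SUBMIT_IMAGE}` is needed so an empty value adds no argument, so add a short `# intentionally unquoted` comment to stop a later cleanup from quoting it.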
diff --git a/.github/workflows/images_build_test.yml b/.github/workflows/images_build_rhel_multiarch.yml similarity index 100% rename from .github/workflows/images_build_test.yml rename to .github/workflows/images_build_rhel_multiarch.yml