docker-stable-24.0.9_ce-150000.1.33.1<>,7i)%p9|ŞIR}WMqCWF){PYD}zL9&4nx~W3aRa}1%%MZ5t"?r+օuZm]Θ91PwhO򭟚 {a 4N*vF#a,H}ůS\>-EYCŸ~#Ǩ;*a4d4ce {> !Xhk&QlWwΧR(Bچu~>Uiѝ8ĉ>Ol?ld ( Q% ;Mbhp x<  <  S` T<W[_`cTc(dh(g-(ggg(g8g#9lD#:#==>=?=@=B=F=G=HA(IDxXELYEhZE[E\E]I<^[pb\c]d^e^$f^'l^)u^<va we(xhxykzll l$lWl`lllrlCdocker-stable24.0.9_ce150000.1.33.1The Moby-project Linux container runtimeDocker complements LXC with a high-level API which operates at the process level. It runs unix processes with strong guarantees of isolation and repeatability across servers. Docker is a great building block for automating distributed systems: large-scale web deployments, database clusters, continuous deployment systems, private PaaS, service-oriented architectures, etc.i)%ibs-power9-21GwSUSE Linux Enterprise 15SUSE LLC Apache-2.0https://www.suse.com/System/Managementhttp://www.docker.iolinuxppc64le# /etc/sub[ug]id should exist already (it's part of shadow-utils), but older # distros don't have it. Docker just parses it and doesn't need any special # shadow-utils helpers. touch /etc/subuid /etc/subgid ||: # "useradd -r" doesn't add sub[ug]ids so we manually add some. Hopefully there # aren't any conflicts here, because usermod doesn't provide the same "get # unusued range" feature that dockremap does. grep -q '^dockremap:' /etc/subuid || \ usermod -v 100000000-200000000 dockremap &>/dev/null || \ echo "dockremap:100000000:100000001" >>/etc/subuid ||: grep -q '^dockremap:' /etc/subgid || \ usermod -w 100000000-200000000 dockremap &>/dev/null || \ echo "dockremap:100000000:100000001" >>/etc/subgid ||: if [ -x /usr/bin/systemctl ]; then test -n "$FIRST_ARG" || FIRST_ARG="$1" [ -d /var/lib/systemd/migrated ] || mkdir -p /var/lib/systemd/migrated || : for service in docker.service docker.socket ; do sysv_service=${service%.*} if [ ! -e /usr/lib/systemd/system/$service ] && [ ! -e /etc/init.d/$sysv_service ]; then mkdir -p /run/systemd/rpm/needs-preset touch /run/systemd/rpm/needs-preset/$service elif [ -e /etc/init.d/$sysv_service ] && [ ! -e /var/lib/systemd/migrated/$sysv_service ]; then /usr/sbin/systemd-sysv-convert --save $sysv_service || : mkdir -p /run/systemd/rpm/needs-sysv-convert touch /run/systemd/rpm/needs-sysv-convert/$service fi done fi #!/bin/bash tail -n 2 $0 | /usr/sbin/sysusers2shadow RET=$? test -f /.buildenv && exit 0 exit $RET ######## data below ######## g docker - - - - u dockremap - 'docker --userns-remap=default' - - if [ -x /usr/bin/systemctl ]; then test -n "$FIRST_ARG" || FIRST_ARG="$1" [ -d /var/lib/systemd/migrated ] || mkdir -p /var/lib/systemd/migrated || : if [ "$YAST_IS_RUNNING" != "instsys" ]; then /usr/bin/systemctl daemon-reload || : fi for service in docker.service docker.socket ; do sysv_service=${service%.*} if [ -e /run/systemd/rpm/needs-preset/$service ]; then /usr/bin/systemctl preset $service || : rm "/run/systemd/rpm/needs-preset/$service" || : elif [ -e /run/systemd/rpm/needs-sysv-convert/$service ]; then /usr/sbin/systemd-sysv-convert --apply $sysv_service || : rm "/run/systemd/rpm/needs-sysv-convert/$service" || : touch /var/lib/systemd/migrated/$sysv_service || : fi done fi PNAME=docker SUBPNAME= SYSC_TEMPLATE=/usr/share/fillup-templates/sysconfig.$PNAME$SUBPNAME # If template not in new /usr/share/fillup-templates, fallback to old TEMPLATE_DIR if [ ! -f $SYSC_TEMPLATE ] ; then TEMPLATE_DIR=/var/adm/fillup-templates SYSC_TEMPLATE=$TEMPLATE_DIR/sysconfig.$PNAME$SUBPNAME fi SD_NAME="" if [ -x /bin/fillup ] ; then if [ -f $SYSC_TEMPLATE ] ; then echo "Updating /etc/sysconfig/$SD_NAME$PNAME ..." mkdir -p /etc/sysconfig/$SD_NAME touch /etc/sysconfig/$SD_NAME$PNAME /bin/fillup -q /etc/sysconfig/$SD_NAME$PNAME $SYSC_TEMPLATE fi else echo "ERROR: fillup not found. This should not happen. Please compare" echo "/etc/sysconfig/$PNAME and $TEMPLATE_DIR/sysconfig.$PNAME and" echo "update by hand." fi test -n "$FIRST_ARG" || FIRST_ARG="$1" if [ "$FIRST_ARG" -eq 0 -a -x /usr/bin/systemctl ]; then # Package removal, not upgrade /usr/bin/systemctl --no-reload disable docker.service docker.socket || : ( test "$YAST_IS_RUNNING" = instsys && exit 0 test -f /etc/sysconfig/services -a \ -z "$DISABLE_STOP_ON_REMOVAL" && . /etc/sysconfig/services test "$DISABLE_STOP_ON_REMOVAL" = yes -o \ "$DISABLE_STOP_ON_REMOVAL" = 1 && exit 0 /usr/bin/systemctl stop docker.service docker.socket ) || : fi test -n "$FIRST_ARG" || FIRST_ARG="$1" if [ $1 -eq 0 ]; then # Package removal for service in docker.service docker.socket ; do sysv_service="${service%.*}" rm -f "/var/lib/systemd/migrated/$sysv_service" || : done fi if [ -x /usr/bin/systemctl ]; then /usr/bin/systemctl daemon-reload || : fi if [ "$FIRST_ARG" -ge 1 ]; then # Package upgrade, not uninstall if [ -x /usr/bin/systemctl ]; then ( test "$YAST_IS_RUNNING" = instsys && exit 0 test -f /etc/sysconfig/services -a \ -z "$DISABLE_RESTART_ON_UPDATE" && . /etc/sysconfig/services test "$DISABLE_RESTART_ON_UPDATE" = yes -o \ "$DISABLE_RESTART_ON_UPDATE" = 1 && exit 0 /usr/bin/systemctl try-restart docker.service docker.socket ) || : fi fic7({Y D * y%i<!p !:%L3R* <H W [czB    .6~ B 2%%; 'z  5wWER3>:1)E WEj%s UW=b.@<\1L4O'?)  \ 1( =}JG%Z`({A聠A큤AA큤A큤A큤Ai) i) i) i) i) i) i) i)!i) i) i) i) i) i) i) i)#ei)i) i)#ei) i) i) i) i) i) i) i) i) i) i) i) i) i) i) i) i) i) i) i) i) i) i) i) i) i) i) i) i) i) i) i) i) i) i) i) i) i) i) i) i) i) i) i) i) i) i) i) i) i) i) i) i) i) i) i) i) i) i) i) i) i) i) i) i) i) i) i) i) i) i) i) i) i) i) i) i) i) i) i) i) i) i) i) i) i) i) i) i) i) i) i) i) i) i) i) i) i) i) i) i) i) i) i) i) i) i) i) i) i) i) i) i) i) i) i) i) i) i) i) i) i) i) i) i) i) i) i) i) i) i) i) i) i) i) i) i) i) i) i) i) i) i) i) i) i) i) i) i) i) i) i) i) i) i) i) i) i) i) i) i) i) i) i) i) i) i) i) i) i) i) i) i) i) i) i) i) i) i) i) i) i) i) i) i) i) i) i) i) i) i) a96c13aa62dba0ba72e422703eba9ae57bb381c0793e49cd51fc1f056b1501552c5ee6dfb01ee498a1ba8d373a8124584325abd6b9fd4d9378315ea4a148a3734355a46b19d348dc2f57c046f8ef63d4538ebb936000f3c9ee954a27460dd8654ee856b25ee1c3d61bf116a26120362e00535f2e001df5b51377dcd03190db887d64c5b7bd40678768374a571913e6628837a3138e233a9753fe6280478d09f7f5f3eb0fc926b9de2f95a0d9a0d978e51acd190bb54cc34a83aa6ec601ed99be449aaac7f02d09a8b89386d06fed1443c838bbbb9f88c002b0333638d9840aa3b14e0057afa4ac1e691116f48cbe8f89ff62bc319f02a7850624273013aebb3d2778d52ceb07f545bee4a36f2de7d278b8d1b3f522d35a8d46b685eac0e19366c288873fc1cbcddeb816ff1f7914339f69555ac4c5e147dbc61692d82b0c48cde5af37e16b3ed9f4d3afca28e628c4f15c9053a902f80bec2c1a6109a7a1ae6ce79e09781c56252b74e90b4113e19ff8b6e14044adc1af2f4a6aa40372742c79b35cd2f6ea1d7f69576c38b07420e091600a69744c5cea2a32a710fb91abf2317c87873291f289713ac5df48b1f2010eb6963752bbd6b530416ab99fc37914a8f13dfc6ad31b0f3fa3c3208921001cedfcd877826c7181a415f4c14daca01de683a4f86b19994d7ee4dd1c39b50092a218fc03d43e51708cbb78f7f367065779998dee92786c8b56a6d14d348a431f71e51c06ef78677db2162706e1b21314bc8fd6632a75cbf529d1082fdee954fe8d9cccfeeade88318df25a0eecae97fab310188c47ee302ac8f2f7cd890f188e972d354f2bc8fe80cda6099ff11327444e8ce3851f8a1481e5457723f6de509e52856502802f946d09d6a202dc13778cb9530c370ac90b8d1705c4d476c49ec5204e1f8af37bf2299f249044b0b4918c5ff963f3159f09dbeb7bd4ce0cb7ef35d6ab59362478ea81471b6d0ade4bbcd97542a77732e19163c0b6ce8343b430d268f22cc61b12b4eb0eca35f4c3c2fb2f887782b870f0aee00e5f0ce6cdb66c437639470ac4e0478d1d9ddbe31bbc99238b2c2db40c7ed323562f70dbe2c4b62e6c7092ff2acd37825d13d28231370e385665aaa0b5bc9b24e3c4506c65ada9d448a967e5f6aa13fab735543dcd17ef373c0156a9eb566c31d4ff32b1d570ccfdee7998f853221825d354f0ddb7bc265e04a6e6834d8bd5280ef4fcae216bc38c1eb922388ee3a2afe43218fcbeeb017b48880323f25a4e61230485c986f30d293742484b2b63a82e23d29c72a115cb9873c3dc584b933c13ecb2cd1e584aad1bdfa9f1e59a6cfec370c7a610d81cece0db6872fc67ddecad0096f40b72835c8749d74783e22eed3c6c9693c93ad0ccca0c9b1b7b6eee119b00e18c7c67717eaa60914340c76ecf0ec53a1d43987a2654388432a02703ce8241033f5748a29d02c311c755b5a4742be2fa9b1ac9924119681394bc3c687206d4b0ee854d1c35401ad9b997e34bb34e176e28324f3cb963c74381bb1b147f54b46da8282c79fb1984ad40da42a0fc1b6d43b30bc114c6cfa71a98619306b0a477199f11bb61545a2810e75dc7530f06301a46eb1d6e388f295ecbf2a34947d36d46f3e2bc9180a96e403c4be7226af7977738b4715fffc47b38c1fade52cc49215e7669898b06d1a0efbba379be43025d8909a251dfcdad1ec025d4a644a5ad96d16f9274309cf6fed61f889ebc68d1b38225f0e3cab50f218f908f7ec01f2614d961831f010dd80c347d1fae656256695ce0560bcde93940af97cafb96bab79a162989a5076c8c307ad4cff837838fce0f5949ca380056ad51947f4bf6989297bcfd359c2b01e3bb072e812c14485233a3c930d5d1977f2b55f4639e3327d51f141c3367583158eac88160d5191db209a3c49a96866d622d6dcacec37ba8ddd154263ea34bd48aadb65fa3161ef3b34843ffb14ea51431eb6672c728c6940be9d650327e4d5ed296ef187784831929a9edb860f4bf9fea4b3500c61b902e572a22d456e539056fbe02ff676ff182cd781b9de4e676dd26dbd11402f4ac137d585ba1017fe50bbc7a1b18ca2307e75f37b61b40bc5ecb1df97bae4948c68691f169945c8a4b442eb5deb77c09d336be0b3ef3162daf7c7307abc37930ac2791b90b7687b0a210032d1dfc860c46a3dd106375942d59e564bbfdc32d1732dbacff142fda4b4a9b07f0c6c546b1068e51d5adbafdafc583b7a6e2a816f873d8bcf4a93405f5d7bedd3ecf70b233893fcce0521f85ca51cc4cfb66b5f747a6ce20db40859868d38010ca53f17b343701572218f034eabcf3ae4cc70a0c6c963eee78e1a07caefdc8dd7911dd3a20567e7bf6e3b61e7fc44558322ecea1356c7cff692cf53023e9bca0e0aa305fa8fca27d49de4d8ac3405be79d540f15552fdd2db6fdbe69c0a336a996386ae7879440366c13ed3995230dbdb2c8faa1b3a1aa45aaa00c8c18298c25faf17ddc23cb91fc0c6684555fe9722d5fd0e2f04515b22d2ad46c7cb06a1360a8c8fe3a923c099f3e7fc9ede3320c2135c224c48833aa4c675fce14671a14743724e01f1592de806646f1c6fe5d6028fee9b425091720b082d571d67ebd730b57abb6ba3247a26baecd7d9b78f6bd316fa834c83972e86a7e0240cf6f40b9ee20860ca7698e50a6a7c13fe97f27fa8f4a395643756ee8b41e9c0a12afc135c3016f2f1a0603971fde8a0927f3756b218f8dbda593c6d9295570d71d2110a1ea2c668fa0d4af9ff326a51ece5c7c3f48744efc94aaa0d77088b205f79774ee2541ff31e7607a5152c1a8da40679983f78e8d5239fa4b41d5a281e87aa2bdd619572c31026bd11120b8362785d8d405ae4f37e1b63b477e8759d7b6bcd28289a034646c25eacec35142cecfb8cbd1a07bad6e55162256f4a9b294a18f67f6263312b4c31bd158a12e2c0a27fe06693b5e308c6cedd90f8fcb3d210cbc81fa5a91e0daba0642bcba726e8a513ea46561b814dfe2c22c73445be7a8dd3bcf99a73c30b67cb2660098ed88802ebcd17999c72007232631256edc3671d47400a20f302988ec69f8165b48f3130b3f1293806cb07de5f69436fee4dae9085b0c8720e610a9a4fd49867984d60438d1cd9e1b7b898d09c4b26025468bb82342300eb5f65b4158c358d74f9e8ec67d7a3dce5200b71ee15b1f64ba6866b04fe548805744b40909a63e068f4d5669c081af800447f852642dacf586f0827bad039a0a1e4ef44f8ddd4603488e2fc9c3185620364ee5572bfc3b2eb2c0076b17a883872f9db041fb64561c4ae45eb03cfe9f297c4646ec7a03d585825748824a61b26fc5eed97ad131031fb56e1eca13e5b638d95301c7f49e7ebba751ce8db37937ca84c1203ef542afde1746abdcbf158e104b34834315097a5ee84e106adbc9edcbdbd990937a2c5311a3ccaf92aa30e873d5318fad851af0fcecc8d5f0bd307211d7f91c213dd3baafc2023ce35b591c5e947bb25d9c9901e252e49333644d3a3741dee723d8fd10028cdf72997ea834206ad1a1a993aef3a1acb58cccec565b664f5fd6c7fdb3e23399626fdf0dfbe027c5d802e76877bcafecabb8163b9e6d8754ea225a0d0a651d726f00d9ee44cf82a69918527b12ad540eb2842ab0b940884fe806f10ee34df37677d32b59358f30bad5bb659f868102aa6f2dfbeb0dbe2a150fbeb0854869e948106168c8f26e220face5def2b8aaf5e516ba3dfc58eec2729bcf78b4b1979a769b33c1334d28f0d5faaa97d0150f152af9dbe5c1ababe04ad9619628926b9fd91b94d9d333896f816e8de9d3f1cab20d3af0fa0fd47fc6d4fda81cdb5a3498f8be87705421364b3b6619e38cda93ce47ed1c7a1927ab9ce08d68e5d998db9d294ef581e1ef30dc80fb083b54b5e8b08c4bcf5b59f17659bf92eb39aa36452833ec3a97fb24af5f74c8229c21b03f048cefb4afae79f307aa3179927f0572819c704a7ef28364a615ed1efeec4b2d1fb7a350252d975f5fb60a543e8772c795207fe09031418a1ee538c6acbfa5e4dee459a05240f7f1306e5f6ac86bfb79e77002c2f1dcc28cf3167a932c67e620423e78eadf5037bad9c6fecd8c96cda68421d7791ea9dce7956ae17e9e5d41e2b16044cc3e04fb5d949df78b5221ed857468c3ba0391af103170fe7368bda567bacf7aacd2b2eae1b4f32d91e4c6b53cf221e1733251c5142ed1c20b3e84d47c536cf5c35e19fd09a42368201aa887975ef643e58f4e75a31917a6fb82d93e32c56fc29ed4eeabaf7c97bd73c147c66def149d82b2067e181f663acc8cedb76738e01bcc8d1b9263d7341a74cb788226834a9be2c7a492367985350e182a77f79db5369431ac7417a37481adb22321a8259bbdd3f3d06af9b75ead0ddd70954440b1c5112ee6fa9b5d87eb3e5891b77e8ced5e6fafd8146d3d4d83a5027c1edbf2e23d3428cf048e83e7028db8d2c479ecaf140b8d21a07bc98cba69579e20d84686ca1fc7da3c6e614dc0a4d20ba4d730b83272fc648f0b2fe1101e5bd0d6928382c4f6208d10fbf6b0973632722aef9a4d6e417590f28245c2e98f916168ff10ab41b49d6326f2e372c339f4c524b108387169be2ddd3f312cf08f2144f257583ce93d34a608696b718b4fab6a0e424d0edd7a71c37fc1bf632ff489a7282a497b112d8a7b1d93e3416108820905e725c8b682c530bc0d17716a3e02b1bbe7a5e2bfe20181ac9447c16ce99eac47a6b12990d9771ad0696562d9568a91e9d8d53f045ddea1c1e082f8419fd64cd7908fc178ae54b2b192a550f78e8fa6803122c663867895b339668a18c16b8ea872a651295ae989a2d76c3d9fd0d5c34c4e60db4dbe75ab64ee65c4d62e227f8cfba60be0fb49fce5a5dfcea6528189cd49ab79fe23f49aa10efd840a0322c218d4357dd5fc10f7549ae3944d6858967bcce1ef191254ba4489c708febe79f6981cff9be871234d9518fab8e7a6e09002a03e87300238e3f5dd27ba63ac415255e97b779efe929d6555d5b601c489cde3cd473ca757fe9aa3571645a294135c0821a69f6b60d824810867430e3522d0bf641e091b27bf7a197caf678ae2fe6e87c77f208df91620b7e34258a7d48ca50827325e7e2767507b80468d73558788edf4e4ed5e17dd54cfab8e643d89a26a121ec00a913c7842aec4216da1ef855e85a3f06e714503d6391ea1e652d6c903adb8e5d964bc754f7256f54eb0e0500a47c201be1cebda2479114db13efdda505eac57c44812275be53e7914543ae7ac79c7fc3762525ede60dddc6e180a71f12847f06fc8e5b30894517ac6f20109929d9031e0e3312aff76a60da6bc12fd1ff4a72fbb625766be9a0c95cada2715cdde60d4c300f4d10effa2d6a8e2ef0baeffffe194e9dd534d2f9b84accba702a2d8dd81cf1c3687820c8b6a313936c70a91f14a5bb4448596dd85d413b0140e2b9f010d5267378012b3bddb6ff46540c664119fc91cf1951831c7a395efa09b2d5d55bccd4b6bde437bbcff69347fd6c6f6dcb8c0f0377b0ad45501fe3f9f621562e7f7435b81ae3639cba343da42226399dadcec2173b4fc16489a858801f8f892e57c9b4ce6c61ef1360d0458dd531d108990ea800ebfc87b34cee60f9b7217b3b397dde9965da7f1c2efc7f4fb969420f3c409f7c42f7c92954de21f018cc71da92f4a8992707f75633e08474118c6f4a77be9c6c3ddd53c9f2759981f21acbede5d489182314cfd021db4bb106a2120f50c40b8553100df27ef67d74edec97f455a66d45a9e6c63b8917c4d682fe6196b4bbe3ad08806a4de38f9944f965418f63e78c3c7c138f7168ad636fc99f65c8895c2ab1333a16f2c2ab2497c4e5e99f80373d9e639fa63f67833eece0eb643d9bb7b26e1af5a61ff9a4f8c7b0e32c58d30faaee0359e638cb8c74cb4d671e20f9c718f906189b9153134ffa20d4ddb2ab3269cb7d7f0e6712f86d64b8d837c93932d0d2c08e54da16ec4d25e505296bb86c98cbd5f67b778258b67193bab5112f57845760a2cc0b9884a98a8afb39eda58b56235b548fc6e2f28fab1c43167fdfc1e913358445b0869006a78cb42d5bdef6b1e415be8090e7383f410656ac62d90fe3a95e8a2c80831fdfeda74ca9a554a74b0a593b6db539e56f40a31399d644c8db9d24018a9765d6d9d37b4a0bbcd444127221d73ea4f2b6dee4ab550f65797a84c0438644b6b5b5ac0afcb9b15f7dc91c80cebfccdf60bbeb6a1dacfc54f94313ebe7a6ad2457e50506d67cc9afdbb1db9cee977ad7f2bb22677f6b4af24b769af5c8aca87d3affbaa712fb97bf040cfaec7d2a21be2b3c83bbed53b0858410b5e3b2d7fa9767978daa33678e4ca78e0a31c7299dd154b8c8c55ef45e2db42e6241da9363f9c1bc9703987673e7d8c374a737cbb52b5d57210d380ce7a51d09920a4ebb3b5e348cc9e985ed6a04498fe5d980e5a52b0702c0c62990d2124ecaf5c7387b78137c321efd3c494f0ed2949ef75a1b570f2337d6fea387dda95407b959f695b11d4326d67a8762a6ffcbd0667e9a31d8301cf6b9dbe13659d41667fd256b4c137080c7a2af8128b3a8d0dca086618b0bf3b78edee71892ce1e55febe8c0586cf062dad868ee5239bfb766a1ac066375c0c329784987f2006f0f49d6a415252eb77e4c24bd84b80e15d21560120d15a9f9e6fcbdf8ccff2ffe5f44c76e703ca4241fb0ae91593d833a534f6892021d56fc7e0c0499d23576cc858c88e4261fda8665cc2fa244801175cf214f1e69d60da7386dfbd7e2a6456925e2d186759d03fa45113e4c46a8f9583139d30c5de0c54e41bebf702bb471555af783dc39db72e9eb5ac47e3c07c62fd1eb1f7af2010ab98f57fbc3a457bab98e7003784a1c58de3691e2533b73bd6873543287128c04573320d0e21dd1282a2350eff8820db98c9fd1b51b7026da0ca2a349135433b9492d71fa8bd0c7733a13361f3245a0fffeac76cb180d96c126b978acc1cd0151d5b99e1d6d2940f16edc672549823a609e037a53b629acb0a4be23fa33ee8bc6a1f1fa0b56d213844de27caa93131cce8c4641c27b3b7bf672250822c39f3aa5b264f21ed206641368a4ff7012fafb6c80b00bb64d464ab7b4db7093a67ff30a2150beac46c66faaf75fc1788c2115ff857be712d7f025fc26522fc48352234dbf4bec39d7cbb1a05cd31a63be30d1832a2b651c0cdccc7bfedbf9a3ae6c76619df3039af2957812cfca9b08e9e4401c95dfc73e66909f9c02a36606a9994edbdbb6a973c7829a63a8b56272a2d9e69a7be050b94d43cb474815e0ee06f17ed251289427c68e1d131e4bd5faf940475ba2b4356308cfc4c24d7f970b69cb05015f06fe709479f477590e0c6a932e1b47e6658c4f43b5ba425d613b2fe0cc90f73f9a93cf659b9da79c05f17ab4f254fdd0150f4befa256248ca27f414b3163e45e3dca8ec48bfad560445a04d27375985ff56249c6ca88d69d278acee4836dfbde43657e2ec679a064e1a57d9560ce0a7dcf7d401584a8ecf9bd2e29dd6adff19697293e4f706e0ea2954976889f1931bb343567a8086bd40100e8251883b7bf406bb4363adf596a8e0cbf1749236598e120f24d88cb03984fa7b2482cb47da51eaaed7d590866610fbab4dbff0648460f846852b7c4a9bbe7e0f8cbdf802fc3a31c65470fcd27b5b44509c458007b9db1d1b05662c2f5062deff8d89f1dc12eda5d9886d6a27c5254849b7908ffb20bcbda76fd49a645cadb7ed89d53967b73c3241f8e7309918bf16ef9d880f9dbd188a7e81504f6204bed2991df01a0b0668313462e8503cf8a9e51bbcd30c858ca8d9a27ceec26a3b1fd245fd913e406f118a2ea4cf5203ca07d8c26b554499b280eafdbc3f20a93aac171a229501ecac81e6decb10a4fcd0c8901397ab111fb703ffa669c54a866573c325efb1fc6315cea7151af9242e292c9ba200a5607357f276a46b331858615cb54fc3f795a04a4dea6cb1eab00725384de7d4f5e099d58cdf6d6166370b61549247f2de350c2eac49cc94e1052c130638291740810a983c77b365203dcde52aed6127d9fd8c238dc575fff94f79a8005ec3b1d18d471f01ed38ff597130d869e87cc52d72999a22c46f70818130a9cd2e08394e3a0bc3e0379c2a4c4fb7a8c63fc5da45e227ffccdfce47e1ea7eccbf266bec5c28e8af3b0ca912fd94160855921b20be83c8b0fb4eb9ed149cb2d7b03f7fb6482ec7d638a1445b3d4e8e75e096eb4b3fea9546eb64f5b0b5ea063109b12e1607106f30c5c98bb425f483b8849c3e06976938077550aec9ac85ed69f4ce9b5f15689decaf27f630038b132ba82eb26532b55fb0a41204b0fd709abce1ef0b0672cbc0a04c20628dfa53cb83b2d602b817639de0bb431e95bd5c55f7ac6b02b3fd85ac3b6c4fee0e22c8ababa163cf4b45bfde9854ed8672b3944dda88e6f00ed6d213770b6c17c7bc7ea4e12b23fef06d6ccf2ec04a50ba7ec145f33c0e277f126644cd480670ddbce999909ec8aa1e722b359bf4ae673dd673f8da872ebf2f1980437df46fc937ed7012191427b207fb4aa7351823878d96894805e41bf02ea01521cbf655d6ca496b267a0e66518a02a410c4282ef167c62960aefb488eb339801b37cef650abbf2b6ab14a2dda6b9a2e7df697eb4d5e0f8f63f42f2849de8426d9d8aa803ae126e5d950b71cc28ba00bba5589cd68a3b4dd05f5f1d1210a49b5e818084ea224a2ada840518ca66bf106652a352bcddfed89e85af7608cf7d7777caf8b55cf17df9abf1b0951e9d6fedf0c6a93a50031cd55dbfd48b6bc7ca236187101c295df6df256d40fafda3fe1f9f730038ee911090ba610888cdcf31943137e823c4c4081ff1999ece8499da4c83476a1d9fb786a19f14159f09103b2a84f526e7daa5d6195eac645c4190443ecddab188e7218e052eae44492750f602fa97341cbd1874539b80895ecfe2ce992786545ea5c5992e76507b9d467146e01d79acbd0b4a1fd8d276c1d997dc122cec04b924175c1ad5c60326b4274752ee1636b3dfb07bc2352e0db87ff33b7e6e9e92c2002800e1324d1859e15fd6929a3d1a3bc9d761befd733344347c6c6ef87e26e6995466200b8e649a276ef7c803bec2755c6e3b5a2c5000dac6c05739c79156a1c168ddef6c12servicerootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootdocker-stable-24.0.9_ce-150000.1.33.1.src.rpmconfig(docker-stable)dockerdocker-libnetworkdocker-stabledocker-stable(ppc-64)group(docker)user(dockremap)   @@@@@@@@@@@       (apparmor-parser or container-selinux)/bin/sh/bin/sh/bin/sh/bin/shca-certificates-mozillacatatonitconfig(docker-stable)containerdcoreutilsdiffutilse2fsprogsfillupgrepiproute2iptableslibc.so.6()(64bit)libc.so.6(GLIBC_2.17)(64bit)libdevmapper.so.1.03()(64bit)libdevmapper.so.1.03(Base)(64bit)libdevmapper.so.1.03(DM_1_02_97)(64bit)libpthread.so.0()(64bit)libpthread.so.0(GLIBC_2.17)(64bit)libresolv.so.2()(64bit)libresolv.so.2(GLIBC_2.17)(64bit)libsystemd.so.0()(64bit)libsystemd.so.0(LIBSYSTEMD_209)(64bit)procpsrpmlib(CompressedFileNames)rpmlib(FileDigests)rpmlib(PayloadFilesHavePrefix)rpmlib(PayloadIsXz)rpmlib(RichDependencies)runcshadowshadowsysuser-shadowtarudevxz24.0.9_ce-150000.1.33.11.7.33.51.43.0.4-14.6.0-14.0-15.2-14.12.0-11.1.91.264.9docker4.14.1i&h^hth@hxhAh@5@ggg@gg@gb@gaggY~gY~gG g=@g3C@ggf@@f@fne̫@e;@e&@ed@d@d@dr@dddjdJcdI@cT@c.cV~@c5c5bz@bb>b=bk@bX aZ@a@@a]aHw``x*`?z@`)`#``>`>``_1@_@_S_#_d@_'@^)@^^?@]f@]+]@]҇]]z@]?]b@]@1@]:@]5@]/ ]@]\Q\!\-@\@\@\u*@\^\Z@\Yz\8@\2\@\[[F[s[s[@[}P@[{[{[ug@[a[`O@[^[6@[{@[{@[{@[ @Z@ZJ@Z̧@Za@Zľ@Z2@Z%Z@ZZ|;Zp^@Zo Zk@ZaZaZ7Z7Z&@Z%8ZZ@Z Z@Z@Y+@Y@YdY*@Y˒YY@YYYoIYoIYdY_wY^&@YGY-^Y, @Y;@YR@YY Y#@XXh@XXXX@X@X@XX@XO@XO@XO@XXX6@XXx@Xv@XY@XY@XWXEVX=mX6@X@Ww@W@W@W;WҤ@W@WίWiWiWu@W#W/@W/@W/@W/@WW@W:W:W:W@W@W@W-@W{@W{@Wm WXW>@W=W to fix incorrect permissions for overlayfs lowerdir. In practice the permissions of this directory are immaterial but some security scanners falsely flag this as an issue. bsc#1254206 + 0016-daemon-overlay2-remove-world-writable-permission-fro.patch- Enable SELinux in default daemon.json config (--selinux-enabled). This has no practical impact on non-SELinux systems. bsc#1252290- Remove git-core recommends on SLE. Most SLE systems have installRecommends=yes by default and thus end up installing git with Docker. bsc#1250508 This feature is mostly intended for developers ("docker build git://") so most users already have the dependency installed, and the error when git is missing is fairly straightforward (so they can easily figure out what they need to install). - Include historical changelog data from before the docker-stable fork. The initial changelog entry did technically provide all the necessary information, but our CVE tracking tools do not understand how the package is forked and so it seems that this package does not include fixes for ~12 years of updates. So, include a copy of the original package's changelog up until the fork point. bsc#1250596- Backport . bsc#1247362 + 0015-bsc1247362-release-container-layer-on-export.patch- Update to docker-buildx v0.25.0. Upstream changelog: - Update to Go 1.23 for building now that upstream has switched their 23.0.x LTSS to use Go 1.23.- Do not try to inject SUSEConnect secrets when in Rootless Docker mode, as Docker does not have permission to access the host zypper credentials in this mode (and unprivileged users cannot disable the feature using /etc/docker/suse-secrets-enable.) bsc#1240150 * 0003-SECRETS-SUSE-implement-SUSE-container-secrets.patch - Rebase patches: * 0001-SECRETS-SUSE-always-clear-our-internal-secrets.patch * 0002-SECRETS-daemon-allow-directory-creation-in-run-secre.patch * 0004-BUILD-SLE12-revert-graphdriver-btrfs-use-kernel-UAPI.patch * 0005-bsc1073877-apparmor-clobber-docker-default-profile-o.patch * 0006-SLE12-revert-apparmor-remove-version-conditionals-fr.patch * 0007-CVE-2024-2365x-update-buildkit-to-include-CVE-patche.patch * 0008-bsc1221916-update-to-patched-buildkit-version-to-fix.patch * 0009-bsc1214855-volume-use-AtomicWriteFile-to-save-volume.patch * 0010-CVE-2024-41110-AuthZ-plugin-securty-fixes.patch * 0011-CVE-2024-29018-libnet-Don-t-forward-to-upstream-reso.patch * 0012-CVE-2025-22868-vendor-jws-split-token-into-fixed-num.patch * 0013-CVE-2025-22869-vendor-ssh-limit-the-size-of-the-inte.patch * 0014-TESTS-backport-fixes-for-integration-tests.patch- Always clear SUSEConnect suse_* secrets when starting containers regardless of whether the daemon was built with SUSEConnect support. Not doing this causes containers from SUSEConnect-enabled daemons to fail to start when running with SUSEConnect-disabled (i.e. upstream) daemons. This was a long-standing issue with our secrets support but until recently this would've required migrating from SLE packages to openSUSE packages (which wasn't supported). However, as SLE Micro 6.x and SLES 16 will move away from in-built SUSEConnect support, this is now a practical issue users will run into. bsc#1244035 + 0001-SECRETS-SUSE-always-clear-our-internal-secrets.patch - Rearrange patches: - 0001-SECRETS-daemon-allow-directory-creation-in-run-secre.patch + 0002-SECRETS-daemon-allow-directory-creation-in-run-secre.patch - 0002-SECRETS-SUSE-implement-SUSE-container-secrets.patch + 0003-SECRETS-SUSE-implement-SUSE-container-secrets.patch - 0003-BUILD-SLE12-revert-graphdriver-btrfs-use-kernel-UAPI.patch + 0004-BUILD-SLE12-revert-graphdriver-btrfs-use-kernel-UAPI.patch - 0004-bsc1073877-apparmor-clobber-docker-default-profile-o.patch + 0005-bsc1073877-apparmor-clobber-docker-default-profile-o.patch - 0005-SLE12-revert-apparmor-remove-version-conditionals-fr.patch + 0006-SLE12-revert-apparmor-remove-version-conditionals-fr.patch - 0006-CVE-2024-2365x-update-buildkit-to-include-CVE-patche.patch + 0007-CVE-2024-2365x-update-buildkit-to-include-CVE-patche.patch - 0007-bsc1221916-update-to-patched-buildkit-version-to-fix.patch + 0008-bsc1221916-update-to-patched-buildkit-version-to-fix.patch - 0008-bsc1214855-volume-use-AtomicWriteFile-to-save-volume.patch + 0009-bsc1214855-volume-use-AtomicWriteFile-to-save-volume.patch - 0009-CVE-2024-41110-AuthZ-plugin-securty-fixes.patch + 0010-CVE-2024-41110-AuthZ-plugin-securty-fixes.patch - 0010-CVE-2024-29018-libnet-Don-t-forward-to-upstream-reso.patch + 0011-CVE-2024-29018-libnet-Don-t-forward-to-upstream-reso.patch - 0011-CVE-2025-22868-vendor-jws-split-token-into-fixed-num.patch + 0012-CVE-2025-22868-vendor-jws-split-token-into-fixed-num.patch - 0012-CVE-2025-22869-vendor-ssh-limit-the-size-of-the-inte.patch + 0013-CVE-2025-22869-vendor-ssh-limit-the-size-of-the-inte.patch - 0013-TESTS-backport-fixes-for-integration-tests.patch + 0014-TESTS-backport-fixes-for-integration-tests.patch- Update to docker-buildx v0.22.0. Upstream changelog: * Includes fixes for CVE-2025-0495. bsc#1239765- Disable transparent SUSEConnect support for SLE-16. PED-12534 When this patchset was first added in 2013 (and rewritten over the years), there was no upstream way to easily provide SLE customers with a way to build container images based on SLE using the host subscription. However, with docker-buildx you can now define secrets for builds (this is not entirely transparent, but we can easily document this new requirement for SLE-16). Users should use RUN --mount=type=secret,id=SCCcredentials zypper -n ... in their Dockerfiles, and docker buildx build --secret id=SCCcredentials,src=/etc/zypp/credentials.d/SCCcredentials,type=file . when doing their builds. - Now that the only blocker for docker-buildx support was removed for SLE-16, enable docker-buildx for SLE-16 as well. PED-8905- Don't use the new container-selinux conditional requires on SLE-12, as the RPM version there doesn't support it. Arguably the change itself is a bit suspect but we can fix that later. bsc#1237367- Add backport for golang.org/x/oauth2 CVE-2025-22868 fix. bsc#1239185 + 0011-CVE-2025-22868-vendor-jws-split-token-into-fixed-num.patch - Add backport for golang.org/x/crypto CVE-2025-22869 fix. bsc#1239322 + 0012-CVE-2025-22869-vendor-ssh-limit-the-size-of-the-inte.patch - Refresh patches: * 0001-SECRETS-daemon-allow-directory-creation-in-run-secre.patch * 0002-SECRETS-SUSE-implement-SUSE-container-secrets.patch * 0003-BUILD-SLE12-revert-graphdriver-btrfs-use-kernel-UAPI.patch * 0004-bsc1073877-apparmor-clobber-docker-default-profile-o.patch * 0005-SLE12-revert-apparmor-remove-version-conditionals-fr.patch * 0006-CVE-2024-2365x-update-buildkit-to-include-CVE-patche.patch * 0007-bsc1221916-update-to-patched-buildkit-version-to-fix.patch * 0008-bsc1214855-volume-use-AtomicWriteFile-to-save-volume.patch * 0009-CVE-2024-41110-AuthZ-plugin-securty-fixes.patch * 0010-CVE-2024-29018-libnet-Don-t-forward-to-upstream-reso.patch - Move test-related patch to the end of the patch stack: - 0011-TESTS-backport-fixes-for-integration-tests.patch + 0013-TESTS-backport-fixes-for-integration-tests.patch- Make container-selinux requirement conditional on selinux-policy (bsc#1237367)- Add backport for CVE-2024-29018 fix. bsc#1234089 + 0010-CVE-2024-29018-libnet-Don-t-forward-to-upstream-reso.patch - Add backport for CVE-2024-23650 fix and rename patch filename. bsc#1219437 - 0006-CVE-2024-23653-update-buildkit-to-include-CVE-patche.patch + 0006-CVE-2024-2365x-update-buildkit-to-include-CVE-patche.patch - Reorder and rebase patches: * 0001-SECRETS-daemon-allow-directory-creation-in-run-secre.patch * 0002-SECRETS-SUSE-implement-SUSE-container-secrets.patch * 0003-BUILD-SLE12-revert-graphdriver-btrfs-use-kernel-UAPI.patch * 0004-bsc1073877-apparmor-clobber-docker-default-profile-o.patch * 0005-SLE12-revert-apparmor-remove-version-conditionals-fr.patch * 0007-bsc1221916-update-to-patched-buildkit-version-to-fix.patch * 0008-bsc1214855-volume-use-AtomicWriteFile-to-save-volume.patch * 0009-CVE-2024-41110-AuthZ-plugin-securty-fixes.patch - 0010-TESTS-backport-fixes-for-integration-tests.patch + 0011-TESTS-backport-fixes-for-integration-tests.patch- Update to docker-buildx 0.19.3. See upstream changelog online at - Update docker-buildx to v0.19.2. See upstream changelog online at . Some notable changelogs from the last update: * * - Update to Go 1.22.- Add a new toggle file /etc/docker/suse-secrets-enable which allows users to disable the SUSEConnect integration with Docker (which creates special mounts in /run/secrets to allow container-suseconnect to authenticate containers with registries on registered hosts). bsc#1231348 bsc#1232999 In order to disable these mounts, just do echo 0 > /etc/docker/suse-secrets-enable and restart Docker. In order to re-enable them, just do echo 1 > /etc/docker/suse-secrets-enable and restart Docker. Docker will output information on startup to tell you whether the SUSE secrets feature is enabled or not. * 0002-SECRETS-SUSE-implement-SUSE-container-secrets.patch- Disable docker-buildx builds for SLES. It turns out that build containers with docker-buildx don't currently get the SUSE secrets mounts applied, meaning that container-suseconnect doesn't work when building images. bsc#1233819- Add docker-integration-tests-devel subpackage for building and running the upstream Docker integration tests on machines to test that Docker works properly. Users should not install this package. - docker-rpmlintrc updated to include allow-list for all of the integration tests package, since it contains a bunch of stuff that wouldn't normally be allowed. - Rebased patches: * 0001-SECRETS-daemon-allow-directory-creation-in-run-secre.patch * 0002-SECRETS-SUSE-implement-SUSE-container-secrets.patch * 0003-BUILD-SLE12-revert-graphdriver-btrfs-use-kernel-UAPI.patch * 0004-bsc1073877-apparmor-clobber-docker-default-profile-o.patch * 0005-SLE12-revert-apparmor-remove-version-conditionals-fr.patch * 0006-CVE-2024-23653-update-buildkit-to-include-CVE-patche.patch * 0007-bsc1221916-update-to-patched-buildkit-version-to-fix.patch * 0008-bsc1214855-volume-use-AtomicWriteFile-to-save-volume.patch * 0009-CVE-2024-41110-AuthZ-plugin-securty-fixes.patch - Added patches: + 0010-TESTS-backport-fixes-for-integration-tests.patch- Remove DOCKER_NETWORK_OPTS from docker.service. This was removed from sysconfig a long time ago, and apparently this causes issues with systemd in some cases. - Update --add-runtime to point to correct binary path.- Further merge docker and docker-stable specfiles to minimise the differences. The main thing is that we now include both halves of the Conflicts/Provides/Obsoletes dance in both specfiles.- Update to docker-buildx v0.17.1 to match standalone docker-buildx package we are replacing. See upstream changelog online at - Import specfile changes for docker-buildx as well as the changes to help reduce specfile differences between docker-stable and docker. bsc#1230331 bsc#1230333- Backport patch for CVE-2024-41110. bsc#1228324 + 0009-CVE-2024-41110-AuthZ-plugin-securty-fixes.patch- Initial docker-stable fork, forked from Docker 24.0.7-ce release (packaged on 2024-02-14). The original changelog is included below for historical reference. - Patches included from snapshot: + 0001-SECRETS-daemon-allow-directory-creation-in-run-secre.patch + 0002-SECRETS-SUSE-implement-SUSE-container-secrets.patch + 0003-BUILD-SLE12-revert-graphdriver-btrfs-use-kernel-UAPI.patch + 0004-bsc1073877-apparmor-clobber-docker-default-profile-o.patch + 0005-SLE12-revert-apparmor-remove-version-conditionals-fr.patch - 0006-Vendor-in-latest-buildkit-v0.11-branch-including-CVE.patch + 0006-CVE-2024-23653-update-buildkit-to-include-CVE-patche.patch + cli-0001-docs-include-required-tools-in-source-tree.patch - Update to Docker 24.0.9-ce, which is the latest version of the 24.0.x branch. It seems likely this will be the last upstream version of the 24.0.x branch (it seems Mirantis is going to do LTS for 23.0.x, not 24.0.x). - Fix BuildKit's symlink resolution logic to correctly handle non-lexical symlinks. Backport of and . bsc#1221916 + 0007-bsc1221916-update-to-patched-buildkit-version-to-fix.patch - Write volume options atomically so sudden system crashes won't result in future Docker starts failing due to empty files. Backport of . bsc#1214855 + 0008-bsc1214855-volume-use-AtomicWriteFile-to-save-volume.patch- Vendor latest buildkit v0.11: Add patch 0006-Vendor-in-latest-buildkit-v0.11-branch-including-CVE.patch that vendors in the latest v0.11 buildkit branch including bugfixes for the following: * bsc#1219438: CVE-2024-23653 * bsc#1219268: CVE-2024-23652 * bsc#1219267: CVE-2024-23651 - rebase patches: * 0001-SECRETS-daemon-allow-directory-creation-in-run-secre.patch * 0002-SECRETS-SUSE-implement-SUSE-container-secrets.patch * 0003-BUILD-SLE12-revert-graphdriver-btrfs-use-kernel-UAPI.patch * 0004-bsc1073877-apparmor-clobber-docker-default-profile-o.patch * 0005-SLE12-revert-apparmor-remove-version-conditionals-fr.patch - switch from %patchN to %patch -PN syntax - remove unused rpmlint filters and add filters to silence pointless bash & zsh completion warnings- Update to Docker 24.0.7-ce. See upstream changelog online at . bsc#1217513 * Deny containers access to /sys/devices/virtual/powercap by default. - CVE-2020-8694 bsc#1170415 - CVE-2020-8695 bsc#1170446 - CVE-2020-12912 bsc#1178760 - Rebase patches: * 0001-SECRETS-daemon-allow-directory-creation-in-run-secre.patch * 0002-SECRETS-SUSE-implement-SUSE-container-secrets.patch * 0003-BUILD-SLE12-revert-graphdriver-btrfs-use-kernel-UAPI.patch * 0004-bsc1073877-apparmor-clobber-docker-default-profile-o.patch * 0005-SLE12-revert-apparmor-remove-version-conditionals-fr.patch * cli-0001-docs-include-required-tools-in-source-tree.patch- Add a patch to fix apparmor on SLE-12, reverting the upstream removal of version-specific templating for the default apparmor profile. bsc#1213500 + 0005-SLE12-revert-apparmor-remove-version-conditionals-fr.patch - Rebase patches: * 0001-SECRETS-daemon-allow-directory-creation-in-run-secre.patch * 0002-SECRETS-SUSE-implement-SUSE-container-secrets.patch * 0003-BUILD-SLE12-revert-graphdriver-btrfs-use-kernel-UAPI.patch * 0004-bsc1073877-apparmor-clobber-docker-default-profile-o.patch- Update to Docker 24.0.6-ce. See upstream changelog online at . bsc#1215323 - Rebase patches: * 0001-SECRETS-daemon-allow-directory-creation-in-run-secre.patch * 0002-SECRETS-SUSE-implement-SUSE-container-secrets.patch * 0003-BUILD-SLE12-revert-graphdriver-btrfs-use-kernel-UAPI.patch * 0004-bsc1073877-apparmor-clobber-docker-default-profile-o.patch * cli-0001-docs-include-required-tools-in-source-tree.patch - Switch from disabledrun to manualrun in _service. - Add a docker.socket unit file, but with socket activation effectively disabled to ensure that Docker will always run even if you start the socket individually. Users should probably just ignore this unit file. bsc#1210141- Update to Docker 24.0.5-ce. See upstream changelog online at . bsc#1213229- Update to Docker 24.0.4-ce. See upstream changelog online at . bsc#1213500- Update to Docker 24.0.3-ce. See upstream changelog online at . bsc#1213120 - Rebase patches: * cli-0001-docs-include-required-tools-in-source-tree.patch- Recommend docker-rootless-extras instead of Require(ing) it, given it's an additional functionality and not inherently required for docker to function.- Add docker-rootless-extras subpackage (https://docs.docker.com/engine/security/rootless)- Update to Docker 24.0.2-ce. See upstream changelog online at . bsc#1212368 * Includes the upstreamed fix for the mount table pollution issue. bsc#1210797 - Add Recommends for docker-buildx, and add /usr/lib/docker/cli-plugins as being provided by this package. - Rebase patches: * 0001-SECRETS-daemon-allow-directory-creation-in-run-secre.patch * 0002-SECRETS-SUSE-implement-SUSE-container-secrets.patch * 0003-BUILD-SLE12-revert-graphdriver-btrfs-use-kernel-UAPI.patch * 0004-bsc1073877-apparmor-clobber-docker-default-profile-o.patch * cli-0001-docs-include-required-tools-in-source-tree.patch- Update to Docker 23.0.6-ce. See upstream changelog online at . bsc#1211578 - Rebase patches: * cli-0001-docs-include-required-tools-in-source-tree.patch - Re-unify packaging for SLE-12 and SLE-15. - Add patch to fix build on SLE-12 by switching back to libbtrfs-devel headers (the uapi headers in SLE-12 are too old). + 0003-BUILD-SLE12-revert-graphdriver-btrfs-use-kernel-UAPI.patch - Re-numbered patches: - 0003-bsc1073877-apparmor-clobber-docker-default-profile-o.patch + 0004-bsc1073877-apparmor-clobber-docker-default-profile-o.patch`- Update to Docker 23.0.5-ce. See upstream changelog online at . - Rebase patches: * cli-0001-docs-include-required-tools-in-source-tree.patch- Update to Docker 23.0.4-ce. See upstream changelog online at . bsc#1208074 - Fixes: * bsc#1214107 - CVE-2023-28840 * bsc#1214108 - CVE-2023-28841 * bsc#1214109 - CVE-2023-28842 - Rebase patches: * 0001-SECRETS-daemon-allow-directory-creation-in-run-secre.patch * 0002-SECRETS-SUSE-implement-SUSE-container-secrets.patch * 0003-bsc1073877-apparmor-clobber-docker-default-profile-o.patch - Renumbered patches: - 0004-bsc1073877-apparmor-clobber-docker-default-profile-o.patch - Remove upstreamed patches: - 0005-bsc1183855-btrfs-Do-not-disable-quota-on-cleanup.patch - 0006-bsc1193930-vendor-update-golang.org-x-crypto.patch - 0007-bsc1200022-fifo.Close-prevent-possible-panic-if-fifo.patch - Backport to allow man pages to be built without internet access in OBS. + cli-0001-docs-include-required-tools-in-source-tree.patch- update to 20.10.23-ce. * see upstream changelog at https://docs.docker.com/engine/release-notes/#201023 - drop kubic flavor as kubic is EOL. this removes: kubelet.env docker-kubic-service.conf 0003-PRIVATE-REGISTRY-add-private-registry-mirror-support.patch- Update to Docker 20.10.21-ce. See upstream changelog online at . bsc#1206065 bsc#1205375 CVE-2022-36109 - Rebase patches: * 0001-SECRETS-daemon-allow-directory-creation-in-run-secre.patch * 0002-SECRETS-SUSE-implement-SUSE-container-secrets.patch * 0003-PRIVATE-REGISTRY-add-private-registry-mirror-support.patch * 0004-bsc1073877-apparmor-clobber-docker-default-profile-o.patch * 0005-bsc1183855-btrfs-Do-not-disable-quota-on-cleanup.patch * 0006-bsc1193930-vendor-update-golang.org-x-crypto.patch * 0007-bsc1200022-fifo.Close-prevent-possible-panic-if-fifo.patch - The PRIVATE-REGISTRY patch will now output a warning if it is being used (in preparation for removing the feature). This feature was never meant to be used by users directly (and is only available in the -kubic/CaaSP version of the package anyway) and thus should not affect any users.- Fix wrong After: in docker.service, fixes bsc#1188447- Add apparmor-parser as a Recommends to make sure that most users will end up with it installed even if they are primarily running SELinux.- Fix syntax of boolean dependency- Allow to install container-selinux instead of apparmor-parser.- Change to using systemd-sysusers- Backport to fix a crash-on-start issue with dockerd. bsc#1200022 + 0007-bsc1200022-fifo.Close-prevent-possible-panic-if-fifo.patch- Update to Docker 20.10.17-ce. See upstream changelog online at . bsc#1200145 - Rebase patches: * 0001-SECRETS-daemon-allow-directory-creation-in-run-secre.patch * 0002-SECRETS-SUSE-implement-SUSE-container-secrets.patch * 0003-PRIVATE-REGISTRY-add-private-registry-mirror-support.patch * 0004-bsc1073877-apparmor-clobber-docker-default-profile-o.patch * 0005-bsc1183855-btrfs-Do-not-disable-quota-on-cleanup.patch * 0006-bsc1193930-vendor-update-golang.org-x-crypto.patch- Add patch to update golang.org/x/crypto for CVE-2021-43565 and CVE-2022-27191. bsc#1193930 bsc#1197284 * 0006-bsc1193930-vendor-update-golang.org-x-crypto.patch - Rebase patches: * 0001-SECRETS-daemon-allow-directory-creation-in-run-secre.patch * 0002-SECRETS-SUSE-implement-SUSE-container-secrets.patch * 0003-PRIVATE-REGISTRY-add-private-registry-mirror-support.patch * 0004-bsc1073877-apparmor-clobber-docker-default-profile-o.patch * 0005-bsc1183855-btrfs-Do-not-disable-quota-on-cleanup.patch- Update to Docker 20.10.14-ce. See upstream changelog online at . bsc#1197517 CVE-2022-24769- Update to Docker 20.10.12-ce. See upstream changelog online at . - Remove CHANGELOG.md. It hasn't been maintained since 2017, and all of the changelogs are currently only available online.- Update to Docker 20.10.11-ce. See upstream changelog online at . bsc#1192814 bsc#1193273 CVE-2021-41190 - Rebase patches: * 0001-SECRETS-daemon-allow-directory-creation-in-run-secre.patch * 0002-SECRETS-SUSE-implement-SUSE-container-secrets.patch * 0003-PRIVATE-REGISTRY-add-private-registry-mirror-support.patch * 0004-bsc1073877-apparmor-clobber-docker-default-profile-o.patch * 0005-bsc1183855-btrfs-Do-not-disable-quota-on-cleanup.patch - Remove upstreamed patches: - 0006-bsc1190670-seccomp-add-support-for-clone3-syscall-in.patch- Update to Docker 20.10.9-ce. See upstream changelog online at . bsc#1191355 CVE-2021-41089 bsc#1191015 CVE-2021-41091 bsc#1191434 CVE-2021-41092 bsc#1191334 CVE-2021-41103 bsc#1191121 - Rebase patches: * 0001-SECRETS-daemon-allow-directory-creation-in-run-secre.patch * 0002-SECRETS-SUSE-implement-SUSE-container-secrets.patch * 0003-PRIVATE-REGISTRY-add-private-registry-mirror-support.patch * 0004-bsc1073877-apparmor-clobber-docker-default-profile-o.patch * 0005-bsc1183855-btrfs-Do-not-disable-quota-on-cleanup.patch * 0006-bsc1190670-seccomp-add-support-for-clone3-syscall-in.patch - Switch to Go 1.16.x compiler, in line with upstream.- Add patch to return ENOSYS for clone3 to avoid breaking glibc again. bsc#1190670 + 0006-bsc1190670-seccomp-add-support-for-clone3-syscall-in.patch- Add shell requires for the *-completion subpackages.- Update to Docker 20.10.6-ce. See upstream changelog online at . bsc#1184768 - Rebase patches: * 0001-SECRETS-daemon-allow-directory-creation-in-run-secre.patch * 0002-SECRETS-SUSE-implement-SUSE-container-secrets.patch * 0003-PRIVATE-REGISTRY-add-private-registry-mirror-support.patch * 0004-bsc1073877-apparmor-clobber-docker-default-profile-o.patch - Backport upstream fix for btrfs quotas being removed by Docker regularly. bsc#1183855 bsc#1175081 + 0005-bsc1183855-btrfs-Do-not-disable-quota-on-cleanup.patch- Update to Docker 20.10.5-ce. See upstream changelog online at . bsc#1182947 - Update runc dependency to 1.0.0~rc93. - Remove upstreamed patches: - cli-0001-Rename-bin-md2man-to-bin-go-md2man.patch - Rebase patches: * 0001-SECRETS-daemon-allow-directory-creation-in-run-secre.patch * 0002-SECRETS-SUSE-implement-SUSE-container-secrets.patch * 0003-PRIVATE-REGISTRY-add-private-registry-mirror-support.patch * 0004-bsc1073877-apparmor-clobber-docker-default-profile-o.patch - Switch version to use -ce suffix rather than _ce to avoid confusing other tools. boo#1182476[NOTE: This update was only ever released in SLES and Leap.] - It turns out the boo#1178801 libnetwork patch is also broken on Leap, so drop the patch entirely. bsc#1180401 bsc#1182168 - boo1178801-0001-Add-docker-interfaces-to-firewalld-docker-zone.patch- Fix incorrect cast in SUSE secrets patches causing warnings on SLES. * 0002-SECRETS-SUSE-implement-SUSE-container-secrets.patch[NOTE: This update was only ever released in SLES and Leap.] - Update Docker to 19.03.15-ce. See upstream changelog in the packaged /usr/share/doc/packages/docker/CHANGELOG.md. This update includes fixes for bsc#1181732 (CVE-2021-21284) and bsc#1181730 (CVE-2021-21285). - Rebase patches: * bsc1073877-0001-apparmor-clobber-docker-default-profile-on-start.patch - Only apply the boo#1178801 libnetwork patch to handle firewalld on openSUSE. It appears that SLES doesn't like the patch. bsc#1180401- Update to Docker 20.10.3-ce. See upstream changelog in the packaged /usr/share/doc/packages/docker/CHANGELOG.md. Fixes bsc#1181732 (CVE-2021-21284) and bsc#1181730 (CVE-2021-21285). - Rebase patches on top of 20.10.3-ce. - 0002-SECRETS-daemon-allow-directory-creation-in-run-secre.patch + 0001-SECRETS-daemon-allow-directory-creation-in-run-secre.patch - 0003-SECRETS-SUSE-implement-SUSE-container-secrets.patch + 0002-SECRETS-SUSE-implement-SUSE-container-secrets.patch - 0004-PRIVATE-REGISTRY-add-private-registry-mirror-support.patch + 0003-PRIVATE-REGISTRY-add-private-registry-mirror-support.patch - 0005-bsc1073877-apparmor-clobber-docker-default-profile-o.patch + 0004-bsc1073877-apparmor-clobber-docker-default-profile-o.patch- Drop docker-runc, docker-test and docker-libnetwork packages. We now just use the upstream runc package (it's stable enough and Docker no longer pins git versions). docker-libnetwork is so unstable that it doesn't have any versioning scheme and so it really doesn't make sense to maintain the project as a separate package. bsc#1181641 bsc#1181677 - Remove no-longer-needed patch for packaging now that we've dropped docker-runc and docker-libnetwork. - 0001-PACKAGING-revert-Remove-docker-prefix-for-containerd.patch- Update to Docker 20.10.2-ce. See upstream changelog in the packaged /usr/share/doc/packages/docker/CHANGELOG.md. bsc#1181594 - Remove upstreamed patches: - bsc1122469-0001-apparmor-allow-readby-and-tracedby.patch - boo1178801-0001-Add-docker-interfaces-to-firewalld-docker-zone.patch - Add patches to fix build: + cli-0001-Rename-bin-md2man-to-bin-go-md2man.patch - Since upstream has changed their source repo (again) we have to rebase all of our patches. While doing this, I've collapsed all patches into one branch per-release and thus all the patches are now just one series: - packaging-0001-revert-Remove-docker-prefix-for-containerd-and-runc-.patch + 0001-PACKAGING-revert-Remove-docker-prefix-for-containerd.patch - secrets-0001-daemon-allow-directory-creation-in-run-secrets.patch + 0002-SECRETS-daemon-allow-directory-creation-in-run-secre.patch - secrets-0002-SUSE-implement-SUSE-container-secrets.patch + 0003-SECRETS-SUSE-implement-SUSE-container-secrets.patch - private-registry-0001-Add-private-registry-mirror-support.patch + 0004-PRIVATE-REGISTRY-add-private-registry-mirror-support.patch - bsc1073877-0001-apparmor-clobber-docker-default-profile-on-start.patch + 0005-bsc1073877-apparmor-clobber-docker-default-profile-o.patch- Re-apply secrets fix for bsc#1065609 which appears to have been lost after it was fixed. * secrets-0001-daemon-allow-directory-creation-in-run-secrets.patch * secrets-0002-SUSE-implement-SUSE-container-secrets.patch- Add Conflicts and Provides for kubic flavour of docker-fish-completion.- Update to Docker 19.03.14-ce. See upstream changelog in the packaged /usr/share/doc/packages/docker/CHANGELOG.md. CVE-2020-15257 bsc#1180243 https://github.com/docker/docker-ce/releases/tag/v19.03.14- Enable fish-completion- Add a patch which makes Docker compatible with firewalld with nftables backend. Backport of https://github.com/moby/libnetwork/pull/2548 (boo#1178801, SLE-16460) * boo1178801-0001-Add-docker-interfaces-to-firewalld-docker-zone.patch- Update to Docker 19.03.13-ce. See upstream changelog in the packaged /usr/share/doc/packages/docker/CHANGELOG.md. bsc#1176708- Fixes for %_libexecdir changing to /usr/libexec (bsc#1174075)- Emergency fix: %requires_eq does not work with provide symbols, only effective package names. Convert back to regular Requires.- Update to Docker 19.03.12-ce. See upstream changelog in the packaged /usr/share/doc/packages/docker/CHANGELOG.md. - Use Go 1.13 instead of Go 1.14 because Go 1.14 can cause all sorts of spurrious errors due to Go returning -EINTR from I/O syscalls much more often (due to Go 1.14's pre-emptive goroutine support). - bsc1172377-0001-unexport-testcase.Cleanup-to-fix-Go-1.14.patch - Add BuildRequires for all -git dependencies so that we catch missing dependencies much more quickly.- Update to Docker 19.03.11-ce. See upstream changelog in the packaged /usr/share/doc/packages/docker/CHANGELOG.md. bsc#1172377 CVE-2020-13401 - Backport https://github.com/gotestyourself/gotest.tools/pull/169 so that we can build Docker with Go 1.14 (upstream uses Go 1.13). + bsc1172377-0001-unexport-testcase.Cleanup-to-fix-Go-1.14.patch- BuildRequire pkgconfig(libsystemd) instead of systemd-devel: Allow OBS to shortcut through the -mini flavors.- Add backport of https://github.com/docker/docker/pull/39121. bsc#1122469 + bsc1122469-0001-apparmor-allow-readby-and-tracedby.patch- Support older SLE systems which don't have "usermod -w -v".- Update to Docker 19.03.5-ce. See upstream changelog in the packaged /usr/share/doc/packages/docker/CHANGELOG.md. bsc#1158590 bsc#1157330- Update to Docker 19.03.4-ce. See upstream changelog in the packaged /usr/share/doc/packages/docker/CHANGELOG.md.- Drop containerd.service workaround (we've released enough versions without containerd.service -- there's no need to support package upgrades that old). - Update to Docker 19.03.3-ce. See upstream changelog in the packaged /usr/share/doc/packages/docker/CHANGELOG.md. bsc#1153367- Update to Docker 19.03.2-ce. See upstream changelog in the packaged /usr/share/doc/packages/docker/CHANGELOG.md. bsc#1150397- Fix zsh-completion (docker -> _docker)- Fix default installation such that --userns-remap=default works properly (this appears to be an upstream regression, where --userns-remap=default doesn't auto-create the group and results in an error on-start). boo#1143349- Update to Docker 19.03.1-ce. See upstream changelog in the packaged /usr/share/doc/packages/docker/CHANGELOG.md. CVE-2019-14271- Update to Docker 19.03.0-ce. See upstream changelog in the packaged /usr/share/doc/packages/docker/CHANGELOG.md. bsc#1142413 - Remove upstreamed patches: - bsc1001161-0001-oci-include-the-domainname-in-kernel.domainname.patch - bsc1001161-0002-cli-add-a-separate-domainname-flag.patch - bsc1047218-0001-man-obey-SOURCE_DATE_EPOCH-when-generating-man-pages.patch - bsc1128746-0001-integration-cli-don-t-build-test-images-if-they-alre.patch - Rebase pacthes: * bsc1073877-0001-apparmor-clobber-docker-default-profile-on-start.patch * packaging-0001-revert-Remove-docker-prefix-for-containerd-and-runc-.patch * private-registry-0001-Add-private-registry-mirror-support.patch * secrets-0001-daemon-allow-directory-creation-in-run-secrets.patch * secrets-0002-SUSE-implement-SUSE-container-secrets.patch- Move bash-completion to correct location. - Update to Docker 18.09.8-ce. See upstream changelog in the packaged /usr/share/doc/packages/docker/CHANGELOG.md. * Includes fixes for CVE-2019-13509 bsc#1142160.- Update to Docker 18.09.7-ce. See upstream changelog in the packaged /usr/share/doc/packages/docker/CHANGELOG.md. bsc#1139649 - Remove upstreamed patches: - CVE-2018-15664.patch- Use %config(noreplace) for /etc/docker/daemon.json. bsc#1138920- Add patch for CVE-2018-15664. bsc#1096726 + CVE-2018-15664.patch- Update to Docker 18.09.6-ce see upstream changelog in the packaged /usr/share/doc/packages/docker/CHANGELOG.md. - Rebase patches: * bsc1128746-0001-integration-cli-don-t-build-test-images-if-they-alre.patch- Update to Docker 18.09.5-ce see upstream changelog in the packaged /usr/share/doc/packages/docker/CHANGELOG.md. bsc#1128376 boo#1134068 - Rebase patches: * bsc1001161-0001-oci-include-the-domainname-in-kernel.domainname.patch * bsc1001161-0002-cli-add-a-separate-domainname-flag.patch * bsc1047218-0001-man-obey-SOURCE_DATE_EPOCH-when-generating-man-pages.patch * bsc1128746-0001-integration-cli-don-t-build-test-images-if-they-alre.patch * packaging-0001-revert-Remove-docker-prefix-for-containerd-and-runc-.patch * private-registry-0001-Add-private-registry-mirror-support.patch * secrets-0001-daemon-allow-directory-creation-in-run-secrets.patch * secrets-0002-SUSE-implement-SUSE-container-secrets.patch - Updated patch name: + bsc1073877-0001-apparmor-clobber-docker-default-profile-on-start.patch - bsc1073877-0002-apparmor-clobber-docker-default-profile-on-start.patch- Update to Docker 18.09.3-ce. See upstream changelog in the packaged /usr/share/doc/packages/docker/CHANGELOG.md.- docker-test: improvements to test packaging (we don't need to ship around the entire source tree, and we also need to build the born-again integration/ tests which contain a suite-per-directory). We also need a new patch which fixes the handling of *-test images. bsc#1128746 + bsc1128746-0001-integration-cli-don-t-build-test-images-if-they-alre.patch- Move daemon.json file to /etc/docker directory, bsc#1114832- Update shell completion to use Group: System/Shells.- Add daemon.json file with rotation logs cofiguration, bsc#1114832- Update to Docker 18.09.1-ce. See upstream changelog in the packaged /usr/share/doc/packages/docker/CHANGELOG.md. bsc#1124308 * Includes fix for CVE-2018-10892 bsc#1100331. * Includes fix for CVE-2018-20699 bsc#1121768. - Remove upstreamed patches. - bsc1073877-0001-apparmor-allow-receiving-of-signals-from-docker-kill.patch- Disable leap based builds for kubic flavor. bsc#1121412- Update go requirements to >= go1.10.6 to fix * bsc#1118897 CVE-2018-16873 go#29230 cmd/go: remote command execution during "go get -u" * bsc#1118898 CVE-2018-16874 go#29231 cmd/go: directory traversal in "go get" via curly braces in import paths * bsc#1118899 CVE-2018-16875 go#29233 crypto/x509: CPU denial of service- Handle build breakage due to missing 'export GOPATH' (caused by resolution of boo#1119634). I believe Docker is one of the only packages with this problem.- Add backports of https://github.com/docker/docker/pull/37302 and https://github.com/docker/cli/pull/1130, which allow for users to explicitly specify the NIS domainname of a container. bsc#1001161 + bsc1001161-0001-oci-include-the-domainname-in-kernel.domainname.patch + bsc1001161-0002-cli-add-a-separate-domainname-flag.patch- Update docker.service to match upstream and avoid rlimit problems. bsc#1112980 - Upgrade to Docker 18.09.0-ce. See upstream changelog in the packaged /usr/share/doc/packages/docker/CHANGELOG.md. boo#1115464 bsc#1118990 - Add revert of an upstream patch to fix docker-* handling. + packaging-0001-revert-Remove-docker-prefix-for-containerd-and-runc-.patch - Rebase patches: * bsc1047218-0001-man-obey-SOURCE_DATE_EPOCH-when-generating-man-pages.patch * bsc1073877-0001-apparmor-allow-receiving-of-signals-from-docker-kill.patch * bsc1073877-0002-apparmor-clobber-docker-default-profile-on-start.patch * private-registry-0001-Add-private-registry-mirror-support.patch * secrets-0001-daemon-allow-directory-creation-in-run-secrets.patch * secrets-0002-SUSE-implement-SUSE-container-secrets.patch - Remove upstreamed patches: - bsc1100727-0001-build-add-buildmode-pie.patch- Reduce the disk footprint by recommending git-core instead of hard requiring it. bsc#1108038- ExcludeArch i586 for entire docker-kubic flavour- ExcludeArch i586 for docker-kubic-kubeadm-criconfig subpackage- Add patch to make package reproducible, which is a backport of https://github.com/docker/cli/pull/1306. boo#1047218 + bsc1047218-0001-man-obey-SOURCE_DATE_EPOCH-when-generating-man-pages.patch- Upgrade to docker-ce v18.06.1-ce. bsc#1102522 bsc#1113313 Upstream changelog: https://github.com/docker/docker-ce/releases/tag/v18.06.1-ce - Remove patches that were merged upstream: - bsc1102522-0001-18.06-disable-containerd-CRI-plugin.patch- Add a backport of https://github.com/docker/engine/pull/29 for the 18.06.0-ce upgrade. This is a potential security issue (the CRI plugin was enabled by default, which listens on a TCP port bound to 0.0.0.0) that will be fixed upstream in the 18.06.1-ce upgrade. bsc#1102522 + bsc1102522-0001-18.06-disable-containerd-CRI-plugin.patch- Kubic: Make crio default, docker as alternative runtime (boo#1104821) - Provide kubernetes CRI config with docker-kubic-kubeadm-criconfig subpackage- Merge -kubic packages back into the main Virtualization:containers packages. This is done using _multibuild to add a "kubic" flavour, which is then used to conditionally compile patches and other kubic-specific features. bsc#1105000 - Rework docker-rpmlintrc with the new _multibuild setup.- Enable seccomp support on SLE12, since libseccomp is now a new enough vintage to work with Docker and containerd. fate#325877- Upgrade to docker-ce v18.06.0-ce. bsc#1102522 - Remove systemd-service dependency on containerd, which is now being started by dockerd to align with upstream defaults. - Removed the following patches as they are merged upstream: - bsc1021227-0001-pkg-devmapper-dynamically-load-dm_task_deferred_remo.patch - bsc1055676-0001-daemon-oci-obey-CL_UNPRIVILEGED-for-user-namespaced-.patch - Rebased the following patches: * bsc1073877-0001-apparmor-allow-receiving-of-signals-from-docker-kill.patch * bsc1073877-0002-apparmor-clobber-docker-default-profile-on-start.patch * bsc1100727-0001-build-add-buildmode-pie.patch * secrets-0001-daemon-allow-directory-creation-in-run-secrets.patch * secrets-0002-SUSE-implement-SUSE-container-secrets.patch- Build the client binary with -buildmode=pie to fix issues on POWER. bsc#1100727 + bsc1100727-0001-build-add-buildmode-pie.patch- Update the AppArmor patchset again to fix a separate issue where changed AppArmor profiles don't actually get applied on Docker daemon reboot. bsc#1099277 * bsc1073877-0001-apparmor-allow-receiving-of-signals-from-docker-kill.patch + bsc1073877-0002-apparmor-clobber-docker-default-profile-on-start.patch- Update to AppArmor patch so that signal mediation also works for signals between in-container processes. bsc#1073877 * bsc1073877-0001-apparmor-allow-receiving-of-signals-from-docker-kill.patch- Make use of %license macro- Remove 'go test' from %check section, as it has only ever caused us problems and hasn't (as far as I remember) ever caught a release-blocking issue. Smoke testing has been far more useful. boo#1095817- Update secrets patch to not log incorrect warnings when attempting to inject non-existent host files. bsc#1065609 * secrets-0001-daemon-allow-directory-creation-in-run-secrets.patch * secrets-0002-SUSE-implement-SUSE-container-secrets.patch- Review Obsoletes to fix bsc#1080978- Put docker under the podruntime slice. This the recommended deployment to allow fine resource control on Kubernetes. bsc#1086185- Add patch to handle AppArmor changes that make 'docker kill' stop working. bsc#1073877 boo#1089732 + bsc1073877-0001-apparmor-allow-receiving-of-signals-from-docker-kill.patch- Fix manpage generation breaking ppc64le builds due to a missing - buildemode=pie.- Compile and install all manpages. bsc#1085117- Add requirement for catatonit, which provides a docker-init implementation. fate#324652 bsc#1085380- Fix private-registry-0001-Add-private-registry-mirror-support.patch to deal corretly with TLS configs of 3rd party registries. fix bsc#1084533- Update patches to be sourced from https://github.com/suse/docker-ce (which are based on the upstream docker/docker-ce repo). The reason for this change (though it is functionally identical to the old patches) is so that public patch maintenance is much simpler. * bsc1021227-0001-pkg-devmapper-dynamically-load-dm_task_deferred_remo.patch * bsc1055676-0001-daemon-oci-obey-CL_UNPRIVILEGED-for-user-namespaced-.patch * private-registry-0001-Add-private-registry-mirror-support.patch * secrets-0001-daemon-allow-directory-creation-in-run-secrets.patch * secrets-0002-SUSE-implement-SUSE-container-secrets.patch- Add ${version} to equivalent non-kubic package provides- Add Provides for equivalent non-kubic packages- Disable all tests for docker/client and docker/pkg/discovery. The unit tests of those packages broke reproducibly the builds in IBS.- Disable flaky tests github.com/docker/docker/pkg/discovery/kv.- Add patch to support mirroring of private/non-upstream registries. As soon as the upstream PR (https://github.com/moby/moby/pull/34319) is merged, this patch will be replaced by the backported one from upstream. + private-registry-0001-Add-private-registry-mirror-support.patch fix bsc#1074971- Add Obsoletes: docker-image-migrator, as the tool is no longer needed and we've pretty much removed it from everywhere except the containers module. bsc#1069758- Remove requirement on bridge-utils, which has been replaced by libnetwork in Docker. bsc#1072798- Update to Docker v17.09.1_ce (bsc#1069758). Upstream changelog: https://github.com/docker/docker-ce/releases/tag/v17.09.1-ce - Removed patches (merged upstream): - bsc1045628-0001-devicemapper-remove-container-rootfs-mountPath-after.patch - bsc1066210-0001-vendor-update-to-github.com-vbatts-tar-split-v0.10.2.patch - bsc1066801-0001-oci-add-proc-scsi-to-masked-paths.patch- Update to Docker v17.09.0_ce. Upstream changelog: https://github.com/docker/docker-ce/releases/tag/v17.09.0-ce - Rebased patches: * bsc1021227-0001-pkg-devmapper-dynamically-load-dm_task_deferred_remo.patch * bsc1045628-0001-devicemapper-remove-container-rootfs-mountPath-after.patch * bsc1055676-0001-daemon-oci-obey-CL_UNPRIVILEGED-for-user-namespaced-.patch * secrets-0001-daemon-allow-directory-creation-in-run-secrets.patch * secrets-0002-SUSE-implement-SUSE-container-secrets.patch - Removed patches (merged upstream): - bsc1064781-0001-Allow-to-override-build-date.patch- Add a patch to dynamically probe whether libdevmapper supports dm_task_deferred_remove. This is necessary because we build the containers module on a SLE12 base, but later SLE versions have libdevmapper support. This should not affect openSUSE, as all openSUSE versions have a new enough libdevmapper. Backport of https://github.com/moby/moby/pull/35518. bsc#1021227 bsc#1029320 bsc#1058173 + bsc1021227-0001-pkg-devmapper-dynamically-load-dm_task_deferred_remo.patch- Fix up the ordering of tests in docker.spec. This is to keep things easier to backport into the SLE package.- Include secrets fix to handle "old" containers that have orphaned secret data. It's not clear why Docker caches these secrets, but fix the problem by trashing the references manually. bsc#1057743 * secrets-0002-SUSE-implement-SUSE-container-secrets.patch- Replace references to /var/adm/fillup-templates with new %_fillupdir macro (boo#1069468)- Remove migration code for the v1.9.x -> v1.10.x migration. This has been around for a while, and we no longer support migrating from such an old version "nicely". Docker still has migration code that will run on first-boot, we are merely removing all of the "nice" warnings which tell users how to avoid issues during an upgrade that ocurred more than a year ago. - Drop un-needed files: - docker-plugin-message.txt - docker-update-message.txt- Add a backport of https://github.com/moby/moby/pull/35424, which fixes a security issue where a maliciously crafted image could be used to crash a Docker daemon. bsc#1066210 CVE-2017-14992 + bsc1066210-0001-vendor-update-to-github.com-vbatts-tar-split-v0.10.2.patch- Add a backport of https://github.com/moby/moby/pull/35399, which fixes a security issue where a Docker container (with a disabled AppArmor profile) could write to /proc/scsi/... and subsequently DoS the host. bsc#1066801 CVE-2017-16539 + bsc1066801-0001-oci-add-proc-scsi-to-masked-paths.patch- Correctly set `docker version` information, including the version, git commit, and SOURCE_DATE_EPOCH (requires a backport). This should * effectively* make Docker builds reproducible, with minimal cost. boo#1064781 + bsc1064781-0001-Allow-to-override-build-date.patch- Add backport of https://github.com/moby/moby/pull/35205. This used to be fixed in docker-runc, but we're moving it here after upstream discussion. bsc#1055676 + bsc1055676-0001-daemon-oci-obey-CL_UNPRIVILEGED-for-user-namespaced-.patch- Update to Docker v17.07.0_ce. Upstream changelog: https://github.com/docker/docker-ce/releases/tag/v17.06.0-ce https://github.com/docker/docker-ce/releases/tag/v17.07.0-ce - Removed no-longer needed patches. - bsc1037436-0001-client-check-tty-before-creating-exec-job.patch - bsc1037607-0001-apparmor-make-pkg-aaparser-work-on-read-only-root.patch - integration-cli-fix-TestInfoEnsureSucceeds.patch - Added backport of https://github.com/moby/moby/pull/34573. bsc#1045628 + bsc1045628-0001-devicemapper-remove-container-rootfs-mountPath-after.patch - Rewrite secrets patches to correctly handle directories in a way that doesn't cause errors when starting new containers. * secrets-0001-daemon-allow-directory-creation-in-run-secrets.patch * secrets-0002-SUSE-implement-SUSE-container-secrets.patch- Fix bsc#1059011 The systemd service helper script used a timeout of 60 seconds to start the daemon, which is insufficient in cases where the daemon takes longer to start. Instead, set the service type from 'simple' to 'notify' and remove the now superfluous helper script.- fix bsc#1057743: Add a Requires: fix_bsc_1057743 which is provided by the newer version of docker-libnetwork. This is necessary because of a versioning bug we found in bsc#1057743.- fix /var/adm/update-message/docker file name to be /var/adm/update-message/docker-%{version}-%{release}- devicemapper: add patch to make the dm storage driver remove a container's rootfs mountpoint before attempting to do libdm operations on it. This helps avoid complications when live mounts will leak into containers. Backport of https://github.com/moby/moby/pull/34573. bsc#1045628 + bsc1045628-0001-devicemapper-remove-container-rootfs-mountPath-after.patch- Fix a regression in our SUSE secrets patches, which caused the copied files to not carry the correct {uid,gid} mapping when using user namespaces. This would not cause any bugs (SUSEConnect does the right thing anyway) but it's possible some programs would not treat the files correctly. This is tangentially related to bsc#1055676. * secrets-0001-daemon-allow-directory-creation-in-run-secrets.patch * secrets-0002-SUSE-implement-SUSE-container-secrets.patch- Use -buildmode=pie for tests and binary build. bsc#1048046 bsc#1051429- enable deferred removal for sle12sp2 and newer (and openSUSE equivalent. fix bsc#1021227- enable libseccomp on sle12sp2 and newer, 42.2 and newer fix bsc#1028638 - docker: conditional filtering not supported on libseccomp for sle12- add SuSEfirewall2.service to the After clause in docker.service in order to fix bsc#1046024- fix path to docker-runc in systemd service file- change dependency to docker-runc- Fix bsc#1029630: docker does not wait for lvm on system startup I added "lvm2-monitor.service" as an "After dependency" of the docker systemd unit.- Fix bsc#1032287: missing docker systemd configuration- Update SUSE secrets patch to correctly handle restarting of containers. + secrets-0001-daemon-allow-directory-creation-in-run-secrets.patch + secrets-0002-SUSE-implement-SUSE-container-secrets.patch- Fix bsc#1037607 which was causing read-only issues on Kubic, this is a backport of https://github.com/moby/moby/pull/33250. + bsc1037607-0001-apparmor-make-pkg-aaparser-work-on-read-only-root.patch- Fix bsc#1038476 warning about non-executable docker * Simply verify we have binary prior using it, might happen if someone had docker installed and then did remove it and install from scratch again- Add a partial fix for boo#1038493. - Fixed bsc#1037436 where execids were being leaked due to bad error handling. This is a backport of https://github.com/docker/cli/pull/52. + bsc1037436-0001-client-check-tty-before-creating-exec-job.patch- Fix golang requirements in the subpackages- Update golang build requirements to use golang(API) symbol: this is needed to solve a conflict between multiple versions of Go being available- Fix secrets-0002-SUSE-implement-SUSE-container-secrets.patch: substitute docker/distribution/digest by opencontainers/digest- Update to version 17.04.0-ce (fix bsc#1034053 ) - Patches removed because have been merged into this version: * pr31549-cmd-docker-fix-TestDaemonCommand.patch * pr31773-daemon-also-ensureDefaultApparmorProfile-in-exec-pat.patch - Patches rebased: * integration-cli-fix-TestInfoEnsureSucceeds.patch - Build man pages for all archs (bsc#953182) - Containers cannot resolve DNS if docker host uses 127.0.0.1 as resolver (bsc#1034063) see /usr/share/doc/packages/docker/CHANGELOG.md- Make sure this is being built with go 1.7- remove the go_arches macro because we are using go1.7 which is available in all archs - remove gcc specific patches * gcc-go-patches.patch * netlink_netns_powerpc.patch * boltdb_bolt_add_brokenUnaligned.patch- Enable Delegate=yes, since systemd will safely ignore lvalues it doesn't understand.- Update SUSE secrets patch to handle boo#1030702. * secrets-0001-daemon-allow-directory-creation-in-run-secrets.patch * secrets-0002-SUSE-implement-SUSE-container-secrets.patch- Fix (bsc#1032644) Change lvm2 from Requires to Recommends Docker usually uses a default storage driver, when it's not configured explicitly. This default driver then depends on the underlying system and gets chosen during installation.- Disable libseccomp for leap 42.1, sle12sp1 and sle12, because docker needs a higher version. Otherwise, we get the error "conditional filtering requires libseccomp version >= 2.2.1 (bsc#1028639 and bsc#1028638)- Add a backport of fix to AppArmor lazy loading docker-exec case. https://github.com/docker/docker/pull/31773 + pr31773-daemon-also-ensureDefaultApparmorProfile-in-exec-pat.patch- Clean up docker-mount-secrets.patch to use the new swarm secrets internals of Docker 1.13.0, which removes the need to implement any secret handling ourselves. This resulted in a split up of the patch. - docker-mount-secrets.patch + secrets-0001-daemon-allow-directory-creation-in-run-secrets.patch + secrets-0002-SUSE-implement-SUSE-container-secrets.patch- Remove old plugins.json to prevent docker-1.13 to fail to start- Fix bsc#1026827: systemd TasksMax default throttles docker- Fix post section by adding shadow as a package requirement Otherwise the groupadd instruction fails- Add patch to fix TestDaemonCommand failure in %check. This is an upstream bug, and has an upstream PR to fix it https://github.com/docker/docker/pull/31549. + pr31549-cmd-docker-fix-TestDaemonCommand.patch- update docker to 1.13.0 see details in https://github.com/docker/docker/releases/tag/v1.13.0 - use the same buildflags for building docker and for building the tests. - enable pkcs11: https://github.com/docker/docker/commit/37fa75b3447007bb8ea311f02610bb383b0db77f- enable architecture s390x for openSUSE- provide the oci runtime so that containers which were using an old runtime option, when started on the new docker version, the runtime is changed to the new one. fix bsc#1020806 bsc#1016992- fix CVE-2016-9962 bsc#1012568 . Fix it by updating to 1.12.6 plus an extra commit to fix liverestore: https://github.com/docker/docker/commit/97cd32a6a9076306baa637a29bba84c3f1f3d218- add "a wait" when starting docker service to fix bsc#1019251- remove netlink_gcc_go.patch after integration of PR https://github.com/golang/go/issues/11707 - new boltdb_bolt_add_brokenUnaligned.patch for ppc64 waiting for https://github.com/boltdb/bolt/pull/635- Remove old flags from dockerd's command-line, to be more inline with upstream (now that docker-runc is provided by the runc package). -H is dropped because upstream dropped it due to concerns with socket activation. - Remove socket activation entirely.- update docker to 1.12.5 (bsc#1016307). This fixes bsc#1015661- fix bash-completion- Add packageand(docker:bash) to bash-completion to match zsh-completion.- fix runc and containerd revisions fix bsc#1009961- update docker to 1.12.3 - fix bsc#1007249 - CVE-2016-8867: Fix ambient capability usage in containers - other fixes: https://github.com/docker/docker/releases/tag/v1.12.3- update docker to 1.12.2 (bsc#1004490). See changelog https://github.com/docker/docker/blob/v1.12.2/CHANGELOG.md - update docker-mount-secrets.patch to 1.12.2 code- docker-mount-secrets.patch: change the internal mountpoint name to not use ":" as that character can be considered a special character by other tools. bsc#999582- fix go_arches definition: use global instead of define, otherwise it fails to build- Add dockerd(8) man page.- add missing patch to changelog- fix integration test case - add integration-cli-fix-TestInfoEnsureSucceeds.patch- update rpmlintrc- make test timeout configurable- Remove noarch from docker-test, which was causing lots of fun issues when trying to run them.- Fix build for ppc64le: use static libgo for dockerd and docker-proxy as in docker build.- Update docker to 1.12.1 (bsc#996015) see changelog in https://github.com/docker/docker/releases/tag/v1.12.1- Add asaurin@suse.com's test.sh test script. - Add integration test binary in docker.spec file. This is work done by asaurin@suse.com.- Package docker-proxy (which was split out of the docker binary in 1.12). boo#995620- fix bsc#995102 - Docker "migrator" prevents installing "docker", if docker 1.9 was installed before but there were no images- Update docker.service file with several changes. * Reapply fix for bsc#983015 (Limit*=infinity). * Specify an "OCI" runtime for our runc package explicitly. bsc#978260- remove disable-pprof-trace.patch: We can remove this patch because we use go 1.6, either gcc6-go or gc-go. This patch was for gcc5-go- add go_arches in project configuration: this way, we can use the same spec file but decide in the project configuration if to use gc-go or gcc-go for some archs.- use gcc6-go instead of gcc5-go (bsc#988408) - build ppc64le with gc-go because this version builds with gc-go 1.6 - remove bnc964673-boltdb-metadata-recovery.patch because it has already been merged- update to v1.12.0 (bsc#995058) see detailed changelog at https://github.com/docker/docker/releases/tag/v1.12.0 - disable test that fail in obs build context - only run unit tests on architectures that provide the go list and go test tools - disable dockerd, parser, integration test, and devicemapper related tests on versions below SLE12 and openSUSE_13.2 - bump test timeout to 10m (for aarch64) - run unit tests during the build - Adapt docker.service file. - adapt install sections for gccgo builds: gccgo build are not built in separate folders for client and daemon. They both reside in dyngccgo. - gcc-go-patch: link against systemd when compiling the daemon. - Add disable-pprof-trace.patch pprof.Trace() is not available in go version <= 1.4 which we use to build SLES packages. This patch comments out the pprof.Trace() section. - update gcc-go-patch and docker-mount-secrets.patch- Fixed binary split, install both required binaries correctly* Explicitly state the version dependencies for runC and containerd, to avoid potential issues with incompatible component versions. These must be updated *each time we do a release*. bsc#993847- Don't exit mid install, add the ability to not restart the docker service during certain updates with long migration phases bsc#980555- remove kernel dependency (bsc#987198)- remove sysconfig.docker.ppc64le patch setting iptables option on ppc64le works now (bsc#988707)- fix bsc#984942: audit.rules in docker-1.9.1-58.1.x86_64.rpm has a syntax error* Update docker.service to include changes from upstream, including the soon-to-be-merged patch https://github.com/docker/docker/pull/24307, which fixes bnc#983015.- readd dropped declaration for patch200* Removed patches: - cve-2016-3697-numeric-uid.patch (merged upstream in gh@docker/docker#22998). * Update Docker to 1.11.2. (bsc#989566) Changelog from upstream: * Networking * Fix a stale endpoint issue on overlay networks during ungraceful restart (#23015) * Fix an issue where the wrong port could be reported by docker inspect/ps/port (#22997) * Runtime * Fix a potential panic when running docker build (#23032) * Fix interpretation of --user parameter (#22998) * Fix a bug preventing container statistics to be correctly reported (#22955) * Fix an issue preventing container to be restarted after daemon restart (#22947) * Fix issues when running 32 bit binaries on Ubuntu 16.04 (#22922) * Fix a possible deadlock on image deletion and container attach (#22918) * Fix an issue where containers fail to start after a daemon restart if they depend on a containerized cluster store (#22561) * Fix an issue causing docker ps to hang on CentOS when using devicemapper (#22168, #23067) * Fix a bug preventing to docker exec into a container when using devicemapper (#22168, #23067)- Fix udev files ownership- Pass over with spec-cleaner, no factual changes* Make sure we *always* build unstripped Go binaries.* Add a patch to fix database soft corruption issues if the Docker dameon dies in a bad state. There is a PR upstream to vendor Docker to have this fix as well, but it probably won't get in until 1.11.2. bnc#964673 (https://github.com/docker/docker/pull/22765) + bnc964673-boltdb-metadata-recovery.patch* Remove conditional Patch directive for SUSE secrets, since conditionally including patches results in incompatible .src.rpms. The patch is still applied conditionally.* Update to Docker 1.11.1. Changelog from upstream: * Distribution - Fix schema2 manifest media type to be of type `application/vnd.docker.container.image.v1+json` ([#21949](https://github.com/docker/docker/pull/21949)) * Documentation + Add missing API documentation for changes introduced with 1.11.0 ([#22048](https://github.com/docker/docker/pull/22048)) * Builder * Append label passed to `docker build` as arguments as an implicit `LABEL` command at the end of the processed `Dockerfile` ([#22184](https://github.com/docker/docker/pull/22184)) * Networking - Fix a panic that would occur when forwarding DNS query ([#22261](https://github.com/docker/docker/pull/22261)) - Fix an issue where OS threads could end up within an incorrect network namespace when using user defined networks ([#22261](https://github.com/docker/docker/pull/22261)) * Runtime - Fix a bug preventing labels configuration to be reloaded via the config file ([#22299](https://github.com/docker/docker/pull/22299)) - Fix a regression where container mounting `/var/run` would prevent other containers from being removed ([#22256](https://github.com/docker/docker/pull/22256)) - Fix an issue where it would be impossible to update both `memory-swap` and `memory` value together ([#22255](https://github.com/docker/docker/pull/22255)) - Fix a regression from 1.11.0 where the `/auth` endpoint would not initialize `serveraddress` if it is not provided ([#22254](https://github.com/docker/docker/pull/22254)) - Add missing cleanup of container temporary files when cancelling a schedule restart ([#22237](https://github.com/docker/docker/pull/22237)) - Removed scary error message when no restart policy is specified ([#21993](https://github.com/docker/docker/pull/21993)) - Fix a panic that would occur when the plugins were activated via the json spec ([#22191](https://github.com/docker/docker/pull/22191)) - Fix restart backoff logic to correctly reset delay if container ran for at least 10secs ([#22125](https://github.com/docker/docker/pull/22125)) - Remove error message when a container restart get cancelled ([#22123](https://github.com/docker/docker/pull/22123)) - Fix an issue where `docker` would not correcly clean up after `docker exec` ([#22121](https://github.com/docker/docker/pull/22121)) - Fix a panic that could occur when servicing concurrent `docker stats` commands ([#22120](https://github.com/docker/docker/pull/22120))` - Revert deprecation of non-existing host directories auto-creation ([#22065](https://github.com/docker/docker/pull/22065)) - Hide misleading rpc error on daemon shutdown ([#22058](https://github.com/docker/docker/pull/22058))- Fix go version to 1.5 (bsc#977394)- Add patch to fix vulnerability in Docker <= 1.11.0. This patch is upstream, but was merged after the 1.11.0 merge window. CVE-2016-3697. bsc#976777. + cve-2016-3697-numeric-uid.patch The upstream PR is here[1] and was vendored into Docker here[2]. [1]: https://github.com/opencontainers/runc/pull/708 [2]: https://github.com/docker/docker/pull/21665- Supplemnent zsh from zsh-completion * zsh-completion will be automatically installed if zsh and docker are installed- Remove gcc5_socker_workaround.patch: This patch is not needed anymore since gcc5 has been updated in all platforms* Removed patches that have been fixed upstream and in gcc-go: - boltdb_bolt_powerpc.patch - fix-apparmor.patch - fix-btrfs-ioctl-structure.patch - fix-docker-init.patch - libnetwork_drivers_bridge_powerpc.patch - ignore-dockerinit-checksum.patch * Require containerd, as it is the only currently supported Docker execdriver. * Update docker.socket to require containerd.socket and use --containerd in docker.service so that the services are self-contained. * Update to Docker 1.11.0. Changelog from upstream: * Builder - Fix a bug where Docker would not used the correct uid/gid when processing the `WORKDIR` command ([#21033](https://github.com/docker/docker/pull/21033)) - Fix a bug where copy operations with userns would not use the proper uid/gid ([#20782](https://github.com/docker/docker/pull/20782), [#21162](https://github.com/docker/docker/pull/21162)) * Client * Usage of the `:` separator for security option has been deprecated. `=` should be used instead ([#21232](https://github.com/docker/docker/pull/21232)) + The client user agent is now passed to the registry on `pull`, `build`, `push`, `login` and `search` operations ([#21306](https://github.com/docker/docker/pull/21306), [#21373](https://github.com/docker/docker/pull/21373)) * Allow setting the Domainname and Hostname separately through the API ([#20200](https://github.com/docker/docker/pull/20200)) * Docker info will now warn users if it can not detect the kernel version or the operating system ([#21128](https://github.com/docker/docker/pull/21128)) - Fix an issue where `docker stats --no-stream` output could be all 0s ([#20803](https://github.com/docker/docker/pull/20803)) - Fix a bug where some newly started container would not appear in a running `docker stats` command ([#20792](https://github.com/docker/docker/pull/20792)) * Post processing is no longer enabled for linux-cgo terminals ([#20587](https://github.com/docker/docker/pull/20587)) - Values to `--hostname` are now refused if they do not comply with [RFC1123](https://tools.ietf.org/html/rfc1123) ([#20566](https://github.com/docker/docker/pull/20566)) + Docker learned how to use a SOCKS proxy ([#20366](https://github.com/docker/docker/pull/20366), [#18373](https://github.com/docker/docker/pull/18373)) + Docker now supports external credential stores ([#20107](https://github.com/docker/docker/pull/20107)) * `docker ps` now supports displaying the list of volumes mounted inside a container ([#20017](https://github.com/docker/docker/pull/20017)) * `docker info` now also report Docker's root directory location ([#19986](https://github.com/docker/docker/pull/19986)) - Docker now prohibits login in with an empty username (spaces are trimmed) ([#19806](https://github.com/docker/docker/pull/19806)) * Docker events attributes are now sorted by key ([#19761](https://github.com/docker/docker/pull/19761)) * `docker ps` no longer show exported port for stopped containers ([#19483](https://github.com/docker/docker/pull/19483)) - Docker now cleans after itself if a save/export command fails ([#17849](https://github.com/docker/docker/pull/17849)) * Docker load learned how to display a progress bar ([#17329](https://github.com/docker/docker/pull/17329), [#120078](https://github.com/docker/docker/pull/20078)) * Distribution - Fix a panic that occurred when pulling an images with 0 layers ([#21222](https://github.com/docker/docker/pull/21222)) - Fix a panic that could occur on error while pushing to a registry with a misconfigured token service ([#21212](https://github.com/docker/docker/pull/21212)) + All first-level delegation roles are now signed when doing a trusted push ([#21046](https://github.com/docker/docker/pull/21046)) + OAuth support for registries was added ([#20970](https://github.com/docker/docker/pull/20970)) * `docker login` now handles token using the implementation found in [docker/distribution](https://github.com/docker/distribution) ([#20832](https://github.com/docker/docker/pull/20832)) * `docker login` will no longer prompt for an email ([#20565](https://github.com/docker/docker/pull/20565)) * Docker will now fallback to registry V1 if no basic auth credentials are available ([#20241](https://github.com/docker/docker/pull/20241)) * Docker will now try to resume layer download where it left off after a network error/timeout ([#19840](https://github.com/docker/docker/pull/19840)) - Fix generated manifest mediaType when pushing cross-repository ([#19509](https://github.com/docker/docker/pull/19509)) - Fix docker requesting additional push credentials when pulling an image if Content Trust is enabled ([#20382](https://github.com/docker/docker/pull/20382)) * Logging - Fix a race in the journald log driver ([#21311](https://github.com/docker/docker/pull/21311)) * Docker syslog driver now uses the RFC-5424 format when emitting logs ([#20121](https://github.com/docker/docker/pull/20121)) * Docker GELF log driver now allows to specify the compression algorithm and level via the `gelf-compression-type` and `gelf-compression-level` options ([#19831](https://github.com/docker/docker/pull/19831)) * Docker daemon learned to output uncolorized logs via the `--raw-logs` options ([#19794](https://github.com/docker/docker/pull/19794)) + Docker, on Windows platform, now includes an ETW (Event Tracing in Windows) logging driver named `etwlogs` ([#19689](https://github.com/docker/docker/pull/19689)) * Journald log driver learned how to handle tags ([#19564](https://github.com/docker/docker/pull/19564)) + The fluentd log driver learned the following options: `fluentd-address`, `fluentd-buffer-limit`, `fluentd-retry-wait`, `fluentd-max-retries` and `fluentd-async-connect` ([#19439](https://github.com/docker/docker/pull/19439)) + Docker learned to send log to Google Cloud via the new `gcplogs` logging driver. ([#18766](https://github.com/docker/docker/pull/18766)) * Misc + When saving linked images together with `docker save` a subsequent `docker load` will correctly restore their parent/child relationship ([#21385](https://github.com/docker/docker/pull/c)) + Support for building the Docker cli for OpenBSD was added ([#21325](https://github.com/docker/docker/pull/21325)) + Labels can now be applied at network, volume and image creation ([#21270](https://github.com/docker/docker/pull/21270)) * The `dockremap` is now created as a system user ([#21266](https://github.com/docker/docker/pull/21266)) - Fix a few response body leaks ([#21258](https://github.com/docker/docker/pull/21258)) - Docker, when run as a service with systemd, will now properly manage its processes cgroups ([#20633](https://github.com/docker/docker/pull/20633)) * Docker info now reports the value of cgroup KernelMemory or emits a warning if it is not supported ([#20863](https://github.com/docker/docker/pull/20863)) * Docker info now also reports the cgroup driver in use ([#20388](https://github.com/docker/docker/pull/20388)) * Docker completion is now available on PowerShell ([#19894](https://github.com/docker/docker/pull/19894)) * `dockerinit` is no more ([#19490](https://github.com/docker/docker/pull/19490),[#19851](https://github.com/docker/docker/pull/19851)) + Support for building Docker on arm64 was added ([#19013](https://github.com/docker/docker/pull/19013)) + Experimental support for building docker.exe in a native Windows Docker installation ([#18348](https://github.com/docker/docker/pull/18348)) * Networking - Fix panic if a node is forcibly removed from the cluster ([#21671](https://github.com/docker/docker/pull/21671)) - Fix "error creating vxlan interface" when starting a container in a Swarm cluster ([#21671](https://github.com/docker/docker/pull/21671)) * `docker network inspect` will now report all endpoints whether they have an active container or not ([#21160](https://github.com/docker/docker/pull/21160)) + Experimental support for the MacVlan and IPVlan network drivers have been added ([#21122](https://github.com/docker/docker/pull/21122)) * Output of `docker network ls` is now sorted by network name ([#20383](https://github.com/docker/docker/pull/20383)) - Fix a bug where Docker would allow a network to be created with the reserved `default` name ([#19431](https://github.com/docker/docker/pull/19431)) * `docker network inspect` returns whether a network is internal or not ([#19357](https://github.com/docker/docker/pull/19357)) + Control IPv6 via explicit option when creating a network (`docker network create --ipv6`). This shows up as a new `EnableIPv6` field in `docker network inspect` ([#17513](https://github.com/docker/docker/pull/17513)) * Support for AAAA Records (aka IPv6 Service Discovery) in embedded DNS Server ([#21396](https://github.com/docker/docker/pull/21396)) - Fix to not forward docker domain IPv6 queries to external servers ([#21396](https://github.com/docker/docker/pull/21396)) * Multiple A/AAAA records from embedded DNS Server for DNS Round robin ([#21019](https://github.com/docker/docker/pull/21019)) - Fix endpoint count inconsistency after an ungraceful dameon restart ([#21261](https://github.com/docker/docker/pull/21261)) - Move the ownership of exposed ports and port-mapping options from Endpoint to Sandbox ([#21019](https://github.com/docker/docker/pull/21019)) - Fixed a bug which prevents docker reload when host is configured with ipv6.disable=1 ([#21019](https://github.com/docker/docker/pull/21019)) - Added inbuilt nil IPAM driver ([#21019](https://github.com/docker/docker/pull/21019)) - Fixed bug in iptables.Exists() logic [#21019](https://github.com/docker/docker/pull/21019) - Fixed a Veth interface leak when using overlay network ([#21019](https://github.com/docker/docker/pull/21019)) - Fixed a bug which prevents docker reload after a network delete during shutdown ([#20214](https://github.com/docker/docker/pull/20214)) - Make sure iptables chains are recreated on firewalld reload ([#20419](https://github.com/docker/docker/pull/20419)) - Allow to pass global datastore during config reload ([#20419](https://github.com/docker/docker/pull/20419)) - For anonymous containers use the alias name for IP to name mapping, ie:DNS PTR record ([#21019](https://github.com/docker/docker/pull/21019)) - Fix a panic when deleting an entry from /etc/hosts file ([#21019](https://github.com/docker/docker/pull/21019)) - Source the forwarded DNS queries from the container net namespace ([#21019](https://github.com/docker/docker/pull/21019)) - Fix to retain the network internal mode config for bridge networks on daemon reload ([#21780] (https://github.com/docker/docker/pull/21780)) - Fix to retain IPAM driver option configs on daemon reload ([#21914] (https://github.com/docker/docker/pull/21914)) * Plugins - Fix a file descriptor leak that would occur every time plugins were enumerated ([#20686](https://github.com/docker/docker/pull/20686)) - Fix an issue where Authz plugin would corrupt the payload body when faced with a large amount of data ([#20602](https://github.com/docker/docker/pull/20602)) * Runtime - Fix a panic that could occur when cleanup after a container started with invalid parameters ([#21716](https://github.com/docker/docker/pull/21716)) - Fix a race with event timers stopping early ([#21692](https://github.com/docker/docker/pull/21692)) - Fix race conditions in the layer store, potentially corrupting the map and crashing the process ([#21677](https://github.com/docker/docker/pull/21677)) - Un-deprecate auto-creation of host directories for mounts. This feature was marked deprecated in ([#21666](https://github.com/docker/docker/pull/21666)) Docker 1.9, but was decided to be too much of an backward-incompatible change, so it was decided to keep the feature. + It is now possible for containers to share the NET and IPC namespaces when `userns` is enabled ([#21383](https://github.com/docker/docker/pull/21383)) + `docker inspect ` will now expose the rootfs layers ([#21370](https://github.com/docker/docker/pull/21370)) + Docker Windows gained a minimal `top` implementation ([#21354](https://github.com/docker/docker/pull/21354)) * Docker learned to report the faulty exe when a container cannot be started due to its condition ([#21345](https://github.com/docker/docker/pull/21345)) * Docker with device mapper will now refuse to run if `udev sync` is not available ([#21097](https://github.com/docker/docker/pull/21097)) - Fix a bug where Docker would not validate the config file upon configuration reload ([#21089](https://github.com/docker/docker/pull/21089)) - Fix a hang that would happen on attach if initial start was to fail ([#21048](https://github.com/docker/docker/pull/21048)) - Fix an issue where registry service options in the daemon configuration file were not properly taken into account ([#21045](https://github.com/docker/docker/pull/21045)) - Fix a race between the exec and resize operations ([#21022](https://github.com/docker/docker/pull/21022)) - Fix an issue where nanoseconds were not correctly taken in account when filtering Docker events ([#21013](https://github.com/docker/docker/pull/21013)) - Fix the handling of Docker command when passed a 64 bytes id ([#21002](https://github.com/docker/docker/pull/21002)) * Docker will now return a `204` (i.e http.StatusNoContent) code when it successfully deleted a network ([#20977](https://github.com/docker/docker/pull/20977)) - Fix a bug where the daemon would wait indefinitely in case the process it was about to killed had already exited on its own ([#20967](https://github.com/docker/docker/pull/20967) * The devmapper driver learned the `dm.min_free_space` option. If the mapped device free space reaches the passed value, new device creation will be prohibited. ([#20786](https://github.com/docker/docker/pull/20786)) + Docker can now prevent processes in container to gain new privileges via the `--security-opt=no-new-privileges` flag ([#20727](https://github.com/docker/docker/pull/20727)) - Starting a container with the `--device` option will now correctly resolves symlinks ([#20684](https://github.com/docker/docker/pull/20684)) + Docker now relies on [`containerd`](https://github.com/docker/containerd) and [`runc`](https://github.com/opencontainers/runc) to spawn containers. ([#20662](https://github.com/docker/docker/pull/20662)) - Fix docker configuration reloading to only alter value present in the given config file ([#20604](https://github.com/docker/docker/pull/20604)) + Docker now allows setting a container hostname via the `--hostname` flag when `--net=host` ([#20177](https://github.com/docker/docker/pull/20177)) + Docker now allows executing privileged container while running with `--userns-remap` if both `--privileged` and the new `--userns=host` flag are specified ([#20111](https://github.com/docker/docker/pull/20111)) - Fix Docker not cleaning up correctly old containers upon restarting after a crash ([#19679](https://github.com/docker/docker/pull/19679)) * Docker will now error out if it doesn't recognize a configuration key within the config file ([#19517](https://github.com/docker/docker/pull/19517)) - Fix container loading, on daemon startup, when they depends on a plugin running within a container ([#19500](https://github.com/docker/docker/pull/19500)) * `docker update` learned how to change a container restart policy ([#19116](https://github.com/docker/docker/pull/19116)) * `docker inspect` now also returns a new `State` field containing the container state in a human readable way (i.e. one of `created`, `restarting`, `running`, `paused`, `exited` or `dead`)([#18966](https://github.com/docker/docker/pull/18966)) + Docker learned to limit the number of active pids (i.e. processes) within the container via the `pids-limit` flags. NOTE: This requires `CGROUP_PIDS=y` to be in the kernel configuration. ([#18697](https://github.com/docker/docker/pull/18697)) - `docker load` now has a `--quiet` option to suppress the load output ([#20078](https://github.com/docker/docker/pull/20078)) - Fix a bug in neighbor discovery for IPv6 peers ([#20842](https://github.com/docker/docker/pull/20842)) - Fix a panic during cleanup if a container was started with invalid options ([#21802](https://github.com/docker/docker/pull/21802)) - Fix a situation where a container cannot be stopped if the terminal is closed ([#21840](https://github.com/docker/docker/pull/21840)) * Security * Object with the `pcp_pmcd_t` selinux type were given management access to `/var/lib/docker(/.*)?` ([#21370](https://github.com/docker/docker/pull/21370)) * `restart_syscall`, `copy_file_range`, `mlock2` joined the list of allowed calls in the default seccomp profile ([#21117](https://github.com/docker/docker/pull/21117), [#21262](https://github.com/docker/docker/pull/21262)) * `send`, `recv` and `x32` were added to the list of allowed syscalls and arch in the default seccomp profile ([#19432](https://github.com/docker/docker/pull/19432)) * Docker Content Trust now requests the server to perform snapshot signing ([#21046](https://github.com/docker/docker/pull/21046)) * Support for using YubiKeys for Content Trust signing has been moved out of experimental ([#21591](https://github.com/docker/docker/pull/21591)) * Volumes * Output of `docker volume ls` is now sorted by volume name ([#20389](https://github.com/docker/docker/pull/20389)) * Local volumes can now accepts options similar to the unix `mount` tool ([#20262](https://github.com/docker/docker/pull/20262)) - Fix an issue where one letter directory name could not be used as source for volumes ([#21106](https://github.com/docker/docker/pull/21106)) + `docker run -v` now accepts a new flag `nocopy`. This tell the runtime not to copy the container path content into the volume (which is the default behavior) ([#21223](https://github.com/docker/docker/pull/21223))- docker.spec: apply gcc5 socket patch also for sle12 and leap because gcc5 has been updated there as well. - docker.spec: add a "is_opensuse" check for the mount-secrets patch. This way we can use this same package for opensuse.- use go-lang for aarch64: - drop fix_platform_type_arm.patch (works around a gcc-go bug, so unnecessary)- Add patch from upstream (https://github.com/docker/docker/pull/21723) to fix compilation on Factory and Tumbleweed (which have btrfsprogs >= 4.5). + fix-btrfs-ioctl-structure.patch bnc#974208- Changed systemd unit file and default sysconfig file to include network options, this is needed to get SDN like flannel to work- docker.spec: update warning to mention that /etc/sysconfig/docker is sourced by the migration script.- docker.spec: only Reccomends: the docker-image-migrator package as it is no longer required for our ugly systemctl hacks. - docker.spec: fix up documentation to refer to the script you need to run in the migrator package. - docker.spec: print a warning if you force the DOCKER_FORCE_INSTALL option.- spec: switch to new done file name from docker-image-migrator- update to docker 1.10.3 (bnc#970637) Runtime Fix Docker client exiting with an "Unrecognized input header" error #20706 Fix Docker exiting if Exec is started with both AttachStdin and Detach #20647 Distribution Fix a crash when pushing multiple images sharing the same layers to the same repository in parallel #20831 Fix a panic when pushing images to a registry which uses a misconfigured token service #21030 Plugin system Fix issue preventing volume plugins to start when SELinux is enabled #20834 Prevent Docker from exiting if a volume plugin returns a null response for Get requests #20682 Fix plugin system leaking file descriptors if a plugin has an error #20680 Security Fix linux32 emulation to fail during docker build #20672 It was due to the personality syscall being blocked by the default seccomp profile. Fix Oracle XE 10g failing to start in a container #20981 It was due to the ipc syscall being blocked by the default seccomp profile. Fix user namespaces not working on Linux From Scratch #20685 Fix issue preventing daemon to start if userns is enabled and the subuid or subgid files contain comments #20725 More at https://github.com/docker/docker/releases/tag/v1.10.3- spec: improve file-based migration checks to make sure that it doesn't cause errors if running on a /var/lib/docker without /var/lib/docker/graph.- spec: implement file-based migration checks. The migrator will be updated to match the warning message's instructions. This looks like it works with my testing.- more patches to build on ppc64 architecture update netlink_gcc_go.patch new netlink_netns_powerpc.patch new boltdb_bolt_powerpc.patch new libnetwork_drivers_bridge_powerpc.patch to replace deleted fix-ppc64le.patch- fix bsc#968972 - let docker manage the cgroups of the processes that it launches without systemd- Require docker-image-migrator (bnc#968933)Update to version 1.10.2 (bnc#968933) - Runtime Prevent systemd from deleting containers' cgroups when its configuration is reloaded #20518 Fix SELinux issues by disregarding --read-only when mounting /dev/mqueue #20333 Fix chown permissions used during docker cp when userns is used #20446 Fix configuration loading issue with all booleans defaulting to true #20471 Fix occasional panic with docker logs -f #20522 - Distribution Keep layer reference if deletion failed to avoid a badly inconsistent state #20513 Handle gracefully a corner case when canceling migration #20372 Fix docker import on compressed data #20367 Fix tar-split files corruption during migration that later cause docker push and docker save to fail #20458 - Networking Fix daemon crash if embedded DNS is sent garbage #20510 - Volumes Fix issue with multiple volume references with same name #20381 - Security Fix potential cache corruption and delegation conflict issues #20523 link to changelog: https://github.com/docker/docker/blob/v1.10.2/CHANGELOG.md- fix-apparmor.patch: switch to a backported version of docker/docker#20305, which also fixes several potential issues if the major version of apparmor changes.- Remove 1.10.0 tarball.- Update to docker 1.10.1 It includes some fixes to 1.10.0, see detailed changelog in https://github.com/docker/docker/blob/v1.10.1/CHANGELOG.md- Update docker to 1.10.0 (bnc#965918) Add usernamespace support Add support for custom seccomp profiles Improvements in network and volume management detailed changelog in https://github.com/docker/docker/blob/590d5108bbdaabb05af590f76c9757daceb6d02e/CHANGELOG.md - removed patches, because code has been merged in 1.10.0 release: libcontainer-apparmor-fixes.patch: see: https://github.com/docker/docker/blob/release/v1.10/contrib/apparmor/template.go fix_bnc_958255.patch: see https://github.com/docker/docker/commit/2b4f64e59018c21aacbf311d5c774dd5521b5352 use_fs_cgroups_by_default.patch fix_cgroup.parent_path_sanitisation.patch add_bolt_ppc64.patch add_bolt_arm64.patch add_bolt_s390x.patch - remove gcc-go-build-static-libgo.patch: This has been replace by gcc-go-patches.patch - removed patches, because arm and ppc are not build using the dynbinary target, but the dyngccgo one: docker_remove_journald_to_fix_dynbinary_build_on_arm.patch docker_remove_journald_to_fix_dynbinary_build_on_powerpc.patch docker_remove_journald_to_fix_dynbinary_build_on_arm64.patch - added patches: fix_platform_type_arm.patch: fix build for arm64 and aarch64: set utsname as uint8 for arm64 and aarch64 gcc5_socket_workaround.patch: gcc5-go in Tumbleweed includes this commit https://github.com/golang/gofrontend/commit/a850225433a66a58613c22185c3b09626f5545eb Which "fixes" the data type for RawSockaddr.Data However, docker now expects the "wrong" data type, since docker had a workaround for that issue. Thus, we need to workaround the workaround in tumbleweed netlink_gcc_go.patch: add constants for syscalls TUNSETIFF and TUNSETPERSIST to fix a gcc issue. This is a workaround for bnc#964468: gcc-go can no longer compile Docker. fix-apparmor.patch: fix https://github.com/docker/docker/issues/20269 . It affects SLE12 which has apparmor version 2.8 and not openSUSE which has version 2.9. fix-ppc64le.patch: Build netlink driver using int8 and not uint8 for the data structure - reviewed patches: ignore-dockerinit-checksum.patch: review context in patch fix-docker-init.patch: review patch because build method has been changed in spec file for gcc-go gcc-go-patches.patch: review context in patch - Build requires go >= 1.5: For version 1.9, we could use Go 1.4.3 see GO_VERSION https://github.com/docker/docker/blob/release/v1.9/Dockerfile However, for version 1.10, we need go 1.5.3 see GO_VERSION https://github.com/docker/docker/blob/release/v1.10/Dockerfile - fix bnc#965600 - SLES12 SP1 - Static shared memory limit in container- docker-mount-secrets.patch: fix up this patch to work on Docker 1.10- docker-mount-secrets.patch: properly register /run/secrets as a mountpoint, so that it is unmounted properly when the container is removed and thus container removal works. (bnc#963142) - docker-mount-secrets.patch: in addition, add some extra debugging information to the secrets patch.- fix_json_econnreset_bug.patch: fix JSON bug that causes containers to not start in weird circumstances. https://github.com/docker/docker/issues/14203- fix_bnc_958255.patch: fix Docker creates strange apparmor profile (bnc#958255) - use_fs_cgroups_by_default.patch: Use fs cgroups by default: https://github.com/docker/docker/commit/419fd7449fe1a984f582731fcd4d9455000846b0 - fix_cgroup.parent_path_sanitisation.patch: fix cgroup.Parent path sanitisation: https://github.com/opencontainers/runc/commit/bf899fef451956be4abd63de6d6141d9f9096a02 - Add rules for auditd. This is required to fix bnc#959405 - Remove 7 patches, add 6 and modify 1, after 1.9.1 upgrade * Removed: - docker_missing_ppc64le_netlink_linux_files.patch: the code that this bug refers to has benn removed upstream - docker_rename_jump_amd64_as_jump_linux.patch: the code that this bug refers to has been removed upstream - Remove fix_15279.patch: code has been merged upstream - Remove add_missing_syscall_for_s390x.patch: code has been merged upstream - Remove fix_incompatible_assignment_error_bnc_950931.patch: code has been merged upstream - Remove fix_libsecomp_error_bnc_950931.patch: the code that this bug refers to has been removed upstream - Remove gcc5_socket_workaround.patch: Code has been fixed. Building with this patch is giving the error we were trying to fix, implying that the code has been fixed somewhere else. * Added: - add_bolt_ppc64.patch - add_bolt_arm64.patch - docker_remove_journald_to_fix_dynbinary_build_on_arm.patch - docker_remove_journald_to_fix_dynbinary_build_on_powerpc.patch - docker_remove_journald_to_fix_dynbinary_build_on_arm64.patch - gcc-go-build-static-libgo.patch: enable static linking of libgo in ggc-go In order to do this, we had to work-around an issue from gcc-go: https://gcc.gnu.org/bugzilla/show_bug.cgi?id=69357 * Modify: - Upgrade to 1.9.1(bnc#956434) * Runtime: - Do not prevent daemon from booting if images could not be restored (#17695) - Force IPC mount to unmount on daemon shutdown/init (#17539) - Turn IPC unmount errors into warnings (#17554) - Fix `docker stats` performance regression (#17638) - Clarify cryptic error message upon `docker logs` if `--log-driver=none` (#17767) - Fix seldom panics (#17639, #17634, #17703) - Fix opq whiteouts problems for files with dot prefix (#17819) - devicemapper: try defaulting to xfs instead of ext4 for performance reasons (#17903, #17918) - devicemapper: fix displayed fs in docker info (#17974) - selinux: only relabel if user requested so with the `z` option (#17450, #17834) - Do not make network calls when normalizing names (#18014) * Client: - Fix `docker login` on windows (#17738) - Fix bug with `docker inspect` output when not connected to daemon (#17715) - Fix `docker inspect -f {{.HostConfig.Dns}} somecontainer` (#17680) * Builder: - Fix regression with symlink behavior in ADD/COPY (#17710) * Networking: - Allow passing a network ID as an argument for `--net` (#17558) - Fix connect to host and prevent disconnect from host for `host` network (#17476) - Fix `--fixed-cidr` issue when gateway ip falls in ip-range and ip-range is not the first block in the network (#17853) - Restore deterministic `IPv6` generation from `MAC` address on default `bridge` network (#17890) - Allow port-mapping only for endpoints created on docker run (#17858) - Fixed an endpoint delete issue with a possible stale sbox (#18102) * Distribution: - Correct parent chain in v2 push when v1Compatibility files on the disk are inconsistent (#18047) - Update to version 1.9.0 (bnc#954812): * Runtime: - `docker stats` now returns block IO metrics (#15005) - `docker stats` now details network stats per interface (#15786) - Add `ancestor=` filter to `docker ps --filter` flag to filter containers based on their ancestor images (#14570) - Add `label=` filter to `docker ps --filter` to filter containers based on label (#16530) - Add `--kernel-memory` flag to `docker run` (#14006) - Add `--message` flag to `docker import` allowing to specify an optional message (#15711) - Add `--privileged` flag to `docker exec` (#14113) - Add `--stop-signal` flag to `docker run` allowing to replace the container process stopping signal (#15307) - Add a new `unless-stopped` restart policy (#15348) - Inspecting an image now returns tags (#13185) - Add container size information to `docker inspect` (#15796) - Add `RepoTags` and `RepoDigests` field to `/images/{name:.*}/json` (#17275) - Remove the deprecated `/container/ps` endpoint from the API (#15972) - Send and document correct HTTP codes for `/exec//start` (#16250) - Share shm and mqueue between containers sharing IPC namespace (#15862) - Event stream now shows OOM status when `--oom-kill-disable` is set (#16235) - Ensure special network files (/etc/hosts etc.) are read-only if bind-mounted with `ro` option (#14965) - Improve `rmi` performance (#16890) - Do not update /etc/hosts for the default bridge network, except for links (#17325) - Fix conflict with duplicate container names (#17389) - Fix an issue with incorrect template execution in `docker inspect` (#17284) - DEPRECATE `-c` short flag variant for `--cpu-shares` in docker run (#16271) * Client: - Allow `docker import` to import from local files (#11907) * Builder: - Add a `STOPSIGNAL` Dockerfile instruction allowing to set a different stop-signal for the container process (#15307) - Add an `ARG` Dockerfile instruction and a `--build-arg` flag to `docker build` that allows to add build-time environment variables (#15182) - Improve cache miss performance (#16890) * Storage: - devicemapper: Implement deferred deletion capability (#16381) * Networking: - `docker network` exits experimental and is part of standard release (#16645) - New network top-level concept, with associated subcommands and API (#16645) WARNING: the API is different from the experimental API - Support for multiple isolated/micro-segmented networks (#16645) - Built-in multihost networking using VXLAN based overlay driver (#14071) - Support for third-party network plugins (#13424) - Ability to dynamically connect containers to multiple networks (#16645) - Support for user-defined IP address management via pluggable IPAM drivers (#16910) - Add daemon flags `--cluster-store` and `--cluster-advertise` for built-in nodes discovery (#16229) - Add `--cluster-store-opt` for setting up TLS settings (#16644) - Add `--dns-opt` to the daemon (#16031) - DEPRECATE following container `NetworkSettings` fields in API v1.21: `EndpointID`, `Gateway`, `GlobalIPv6Address`, `GlobalIPv6PrefixLen`, `IPAddress`, `IPPrefixLen`, `IPv6Gateway` and `MacAddress`. Those are now specific to the `bridge` network. Use `NetworkSettings.Networks` to inspect the networking settings of a container per network. * Volumes: - New top-level `volume` subcommand and API (#14242) - Move API volume driver settings to host-specific config (#15798) - Print an error message if volume name is not unique (#16009) - Ensure volumes created from Dockerfiles always use the local volume driver (#15507) - DEPRECATE auto-creating missing host paths for bind mounts (#16349) * Logging: - Add `awslogs` logging driver for Amazon CloudWatch (#15495) - Add generic `tag` log option to allow customizing container/image information passed to driver (e.g. show container names) (#15384) - Implement the `docker logs` endpoint for the journald driver (#13707) - DEPRECATE driver-specific log tags (e.g. `syslog-tag`, etc.) (#15384) * Distribution: - `docker search` now works with partial names (#16509) - Push optimization: avoid buffering to file (#15493) - The daemon will display progress for images that were already being pulled by another client (#15489) - Only permissions required for the current action being performed are requested (#) - Renaming trust keys (and respective environment variables) from `offline` to `root` and `tagging` to `repository` (#16894) - DEPRECATE trust key environment variables `DOCKER_CONTENT_TRUST_OFFLINE_PASSPHRASE` and `DOCKER_CONTENT_TRUST_TAGGING_PASSPHRASE` (#16894) * Security: - Add SELinux profiles to the rpm package (#15832) - Fix various issues with AppArmor profiles provided in the deb package (#14609) - Add AppArmor policy that prevents writing to /proc (#15571) - Change systemd unit file to no longer use the deprecated "-d" option (bnc#954737)- Changed docker-mount-secrets.patch: allow removal of containers even when the entry point failed. bnc#954797- Fixed the format of the fix_libsecomp_error_bnc_950931 patch.- Merged the fix_libsecomp_error_bnc_950931.patch and the fix_x86_build_removing_empty_file_jump_amd_64.patch patches.- Fix build for x86_64. Patch fix_libsecomp_error_bnc_950931.patch had created and empty file jump_amd64.go instead of removing it. This broke the build for x86_64. This commit fixes it by removing that empty file. fix_x86_build_removing_empty_file_jump_amd_64.patch: patch that removes empty file jump_amd64.go- Added patch that fixes a known gcc-go for ppc64xe in the syscall.RawSockAddr type. gcc5_socket_workaround.patch- Add patches for fixing ppc64le build (bnc#950931) fix_libsecomp_error_bnc_950931.patch fix_incompatible_assignment_error_bnc_950931.patch docker_missing_ppc64le_netlink_linux_files.patch - Remove docker_rename_jump_amd64_as_jump_linux.patch because it clashes with the previous patches.- Exclude libgo as a requirement. The auto requires script was adding libgo as a requirement when building with gcc-go which was wrong.- Add patch for missing systemcall for s390x. See https://github.com/docker/docker/commit/eecf6cd48cf7c48f00aa8261cf431c87084161ae add_missing_syscall_for_s390x.patch: contains the patch - Exclude s390x for sle12 because it hangs when running go. It works for sle12sp1 thus we don't want to exclude sle12sp1 but only sle12.- Update docker to 1.8.3 version: * Fix layer IDs lead to local graph poisoning (CVE-2014-8178) (bnc#949660) * Fix manifest validation and parsing logic errors allow pull-by-digest validation bypass (CVE-2014-8179) * Add `--disable-legacy-registry` to prevent a daemon from using a v1 registry- Update docker to 1.8.2 version see detailed changelog in https://github.com/docker/docker/releases/tag/v1.8.2 fix bsc#946653 update do docker 1.8.2 - devicemapper: fix zero-sized field access Fix issue #15279: does not build with Go 1.5 tip Due to golang/go@7904946 the devices field is dropped. This solution works on go1.4 and go1.5 See more in https://github.com/docker/docker/pull/15404 This fix was not included in v1.8.2. See previous link on why. fix_15279.patch: contains the patch for issue#15279- new patch as per upstream issue https://github.com/docker/docker/issues/14056#issuecomment-113680944 docker_rename_jump_amd64_as_jump_linux.patch- ignore-dockerinit-checksum.patch need -p1 in spec- Update to docker 1.8.1(bsc#942369 and bsc#942370): - Fix a bug where pushing multiple tags would result in invalid images - Update to docker 1.8.0: see detailed changelog in https://github.com/docker/docker/releases/tag/v1.8.0 - remove docker-netns-aarch64.patch: This patch was adding vendor/src/github.com/vishvananda/netns/netns_linux_arm64.go which is now included upstream, so we don't need this patch anymore- Remove 0002-Stripped-dockerinit-binary.patch because we do not use it anymore (we got rid of that when updating to 1.7.1)- Exclude archs where docker does not build. Otherwise it gets into and infinite loop when building. We'll fix that later if we want to release for those archs.- Update to 1.7.1 (2015-07-14) (bnc#938156) * Runtime - Fix default user spawning exec process with docker exec - Make --bridge=none not to configure the network bridge - Publish networking stats properly - Fix implicit devicemapper selection with static binaries - Fix socket connections that hung intermittently - Fix bridge interface creation on CentOS/RHEL 6.6 - Fix local dns lookups added to resolv.conf - Fix copy command mounting volumes - Fix read/write privileges in volumes mounted with --volumes-from * Remote API - Fix unmarshalling of Command and Entrypoint - Set limit for minimum client version supported - Validate port specification - Return proper errors when attach/reattach fail * Distribution - Fix pulling private images - Fix fallback between registry V2 and V1- Exclude init scripts other than systemd from the test-package- Exclude intel 32 bits arch. Docker does not built on that. Let's make it explicit.- rediff ignore-dockerinit-checksum.patch, gcc-go-build-static-libgo.patch to make them apply again. - introduce go_arches for architectures that use the go compiler instead of gcc-go - add docker-netns-aarch64.patch: Add support for AArch64 - enable build for aarch64- Build man pages only on platforms where gc compiler is available.- Updated to 1.7.0 (2015-06-16) - bnc#935570 * Runtime - Experimental feature: support for out-of-process volume plugins - The userland proxy can be disabled in favor of hairpin NAT using the daemon’s `--userland-proxy=false` flag - The `exec` command supports the `-u|--user` flag to specify the new process owner - Default gateway for containers can be specified daemon-wide using the `--default-gateway` and `--default-gateway-v6` flags - The CPU CFS (Completely Fair Scheduler) quota can be set in `docker run` using `--cpu-quota` - Container block IO can be controlled in `docker run` using`--blkio-weight` - ZFS support - The `docker logs` command supports a `--since` argument - UTS namespace can be shared with the host with `docker run --uts=host` * Quality - Networking stack was entirely rewritten as part of the libnetwork effort - Engine internals refactoring - Volumes code was entirely rewritten to support the plugins effort - Sending SIGUSR1 to a daemon will dump all goroutines stacks without exiting * Build - Support ${variable:-value} and ${variable:+value} syntax for environment variables - Support resource management flags `--cgroup-parent`, `--cpu-period`, `--cpu-quota`, `--cpuset-cpus`, `--cpuset-mems` - git context changes with branches and directories - The .dockerignore file support exclusion rules * Distribution - Client support for v2 mirroring support for the official registry * Bugfixes - Firewalld is now supported and will automatically be used when available - mounting --device recursively - Patch 0002-Stripped-dockerinit-binary.patch renamed to fix-docker-init.patch and fixed to build with latest version of docker- Add test subpackage and fix line numbers in patches- Fixed ppc64le name inside of spec file- Build docker on PPC and S390x using gcc-go provided by gcc5 * added sysconfig.docker.ppc64le: make docker daemon start on ppc64le despite some iptables issues. To be removed soon * ignore-dockerinit-checksum.patch: applied only when building with gcc-go. Required to workaround a limitation of gcc-go * gcc-go-build-static-libgo.patch: used only when building with gcc-go, link libgo statically into docker itself.- Remove set-SCC_URL-env-variable.patch, the SCC_URL is now read from SUSEConnect by the container service- Automatically set SCC_URL environment variable inside of the containers by parsing the /etc/SUSEConnect.example file * Add set-SCC_URL-env-variable.patch- Place SCC machine credentials inside of /run/secrets/credentials.d * Edit docker-mount-scc-credentials.patch¬- pass the SCC machine credentials to the container * Add docker-mount-scc-credentials.patch- build and install man pages- Update to version 1.6.2 (2015-05-13) [bnc#931301] * Revert change prohibiting mounting into /sysUpdated to version 1.6.1 (2015-05-07) [bnc#930235] * Security - Fix read/write /proc paths (CVE-2015-3630) - Prohibit VOLUME /proc and VOLUME / (CVE-2015-3631) - Fix opening of file-descriptor 1 (CVE-2015-3627) - Fix symlink traversal on container respawn allowing local privilege escalation (CVE-2015-3629) - Prohibit mount of /sys * Runtime - Update Apparmor policy to not allow mounts - Updated libcontainer-apparmor-fixes.patch: adapt patch to reflect changes introduced by docker 1.6.1- Get rid of SocketUser and SocketGroup workarounds for docker.socket- Updated to version 1.6.0 (2015-04-07) [bnc#908033] * Builder: + Building images from an image ID + build containers with resource constraints, ie `docker build --cpu-shares=100 --memory=1024m...` + `commit --change` to apply specified Dockerfile instructions while committing the image + `import --change` to apply specified Dockerfile instructions while importing the image + basic build cancellation * Client: + Windows Support * Runtime: + Container and image Labels + `--cgroup-parent` for specifying a parent cgroup to place container cgroup within + Logging drivers, `json-file`, `syslog`, or `none` + Pulling images by ID + `--ulimit` to set the ulimit on a container + `--default-ulimit` option on the daemon which applies to all created containers (and overwritten by `--ulimit` on run) - Updated '0002-Stripped-dockerinit-binary.patch' to reflect changes inside of the latest version of Docker. - bnc#908033: support of Docker Registry API v2.- enable build for armv7l- Updated docker.spec to fixed building with the latest version of our Go pacakge. - Updated 0002-Stripped-dockerinit-binary.patch to fix check made by the docker daemon against the dockerinit binary.- Updated systemd service and socket units to fix socket activation and to align with best practices recommended by upstram. Moreover socket activation fixes bnc#920645.- Updated to 1.5.0 (2015-02-10): * Builder: - Dockerfile to use for a given `docker build` can be specified with the `-f` flag - Dockerfile and .dockerignore files can be themselves excluded as part of the .dockerignore file, thus preventing modifications to these files invalidating ADD or COPY instructions cache - ADD and COPY instructions accept relative paths - Dockerfile `FROM scratch` instruction is now interpreted as a no-base specifier - Improve performance when exposing a large number of ports * Hack: - Allow client-side only integration tests for Windows - Include docker-py integration tests against Docker daemon as part of our test suites * Packaging: - Support for the new version of the registry HTTP API - Speed up `docker push` for images with a majority of already existing layers - Fixed contacting a private registry through a proxy * Remote API: - A new endpoint will stream live container resource metrics and can be accessed with the `docker stats` command - Containers can be renamed using the new `rename` endpoint and the associated `docker rename` command - Container `inspect` endpoint show the ID of `exec` commands running in this container - Container `inspect` endpoint show the number of times Docker auto-restarted the container - New types of event can be streamed by the `events` endpoint: ‘OOM’ (container died with out of memory), ‘exec_create’, and ‘exec_start' - Fixed returned string fields which hold numeric characters incorrectly omitting surrounding double quotes * Runtime: - Docker daemon has full IPv6 support - The `docker run` command can take the `--pid=host` flag to use the host PID namespace, which makes it possible for example to debug host processes using containerized debugging tools - The `docker run` command can take the `--read-only` flag to make the container’s root filesystem mounted as readonly, which can be used in combination with volumes to force a container’s processes to only write to locations that will be persisted - Container total memory usage can be limited for `docker run` using the `—memory-swap` flag - Major stability improvements for devicemapper storage driver - Better integration with host system: containers will reflect changes to the host's `/etc/resolv.conf` file when restarted - Better integration with host system: per-container iptable rules are moved to the DOCKER chain - Fixed container exiting on out of memory to return an invalid exit code * Other: - The HTTP_PROXY, HTTPS_PROXY, and NO_PROXY environment variables are properly taken into account by the client when connecting to the Docker daemon- Updated to 1.4.1 (2014-12-15): * Runtime: - Fix issue with volumes-from and bind mounts not being honored after create (fixes bnc#913213)- Added e2fsprogs as runtime dependency, this is required when the devicemapper driver is used. (bnc#913211). - Fixed owner & group for docker.socket (thanks to Andrei Dziahel and https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=752555#5)- Updated to 1.4.0 (2014-12-11): * Notable Features since 1.3.0: - Set key=value labels to the daemon (displayed in `docker info`), applied with new `-label` daemon flag - Add support for `ENV` in Dockerfile of the form: `ENV name=value name2=value2...` - New Overlayfs Storage Driver - `docker info` now returns an `ID` and `Name` field - Filter events by event name, container, or image - `docker cp` now supports copying from container volumes - Fixed `docker tag`, so it honors `--force` when overriding a tag for existing image. - Changes introduced by 1.3.3 (2014-12-11): * Security: - Fix path traversal vulnerability in processing of absolute symbolic links (CVE-2014-9356) - (bnc#909709) - Fix decompression of xz image archives, preventing privilege escalation (CVE-2014-9357) - (bnc#909710) - Validate image IDs (CVE-2014-9358) - (bnc#909712) * Runtime: - Fix an issue when image archives are being read slowly * Client: - Fix a regression related to stdin redirection - Fix a regression with `docker cp` when destination is the current directory- Updated to 1.3.2 (2014-11-20) - fixes bnc#907012 (CVE-2014-6407) and bnc#907014 (CVE-2014-6408) * Security: - Fix tar breakout vulnerability - Extractions are now sandboxed chroot - Security options are no longer committed to images * Runtime: - Fix deadlock in `docker ps -f exited=1` - Fix a bug when `--volumes-from` references a container that failed to start * Registry: - `--insecure-registry` now accepts CIDR notation such as 10.1.0.0/16 - Private registries whose IPs fall in the 127.0.0.0/8 range do no need the `--insecure-registry` flag - Skip the experimental registry v2 API when mirroring is enabled - Fixed minor packaging issues.- Updated to version 1.3.1 2014-10-28) * Security: - Prevent fallback to SSL protocols < TLS 1.0 for client, daemon and registry [CVE-2014-5277] - Secure HTTPS connection to registries with certificate verification and without HTTP fallback unless `--insecure-registry` is specified * Runtime: - Fix issue where volumes would not be shared * Client: - Fix issue with `--iptables=false` not automatically setting `--ip-masq=false` - Fix docker run output to non-TTY stdout * Builder: - Fix escaping `$` for environment variables - Fix issue with lowercase `onbuild` Dockerfile instruction - Restrict envrionment variable expansion to `ENV`, `ADD`, `COPY`, `WORKDIR`, `EXPOSE`, `VOLUME` and `USER`- Upgraded to version 1.3.0 (2014-10-14) * docker `exec` allows you to run additional processes inside existing containers * docker `create` gives you the ability to create a container via the cli without executing a process * `--security-opts` options to allow user to customize container labels and apparmor profiles * docker `ps` filters * wildcard support to copy/add * move production urls to get.docker.com from get.docker.io * allocate ip address on the bridge inside a valid cidr * use drone.io for pr and ci testing * ability to setup an official registry mirror * Ability to save multiple images with docker `save`/bin/sh/bin/sh/bin/sh/bin/shdockerdocker-libnetworkibs-power9-21 1764337189  !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~24.0.9_ce-150000.1.33.124.0.9_ce0.7.0.2.24.0.9_ce24.0.9_ce-150000.1.33.124.0.9_ce-150000.1.33.124.0.9_ce0.7.0.2 rules.ddocker.rulesdockerdaemon.jsonsuse-secrets-enabledockerdocker-proxydockerddockercli-pluginsdocker.servicedocker.socketdocker.conf80-docker.rulesrcdockerdocker-stableREADME.mdREADME_SUSE.mdsysconfig.dockerdocker-stableLICENSEdocker-attach.1.gzdocker-build.1.gzdocker-builder-build.1.gzdocker-builder-prune.1.gzdocker-builder.1.gzdocker-checkpoint-create.1.gzdocker-checkpoint-ls.1.gzdocker-checkpoint-rm.1.gzdocker-checkpoint.1.gzdocker-commit.1.gzdocker-config-create.1.gzdocker-config-inspect.1.gzdocker-config-ls.1.gzdocker-config-rm.1.gzdocker-config.1.gzdocker-container-attach.1.gzdocker-container-commit.1.gzdocker-container-cp.1.gzdocker-container-create.1.gzdocker-container-diff.1.gzdocker-container-exec.1.gzdocker-container-export.1.gzdocker-container-inspect.1.gzdocker-container-kill.1.gzdocker-container-logs.1.gzdocker-container-ls.1.gzdocker-container-pause.1.gzdocker-container-port.1.gzdocker-container-prune.1.gzdocker-container-rename.1.gzdocker-container-restart.1.gzdocker-container-rm.1.gzdocker-container-run.1.gzdocker-container-start.1.gzdocker-container-stats.1.gzdocker-container-stop.1.gzdocker-container-top.1.gzdocker-container-unpause.1.gzdocker-container-update.1.gzdocker-container-wait.1.gzdocker-container.1.gzdocker-context-create.1.gzdocker-context-export.1.gzdocker-context-import.1.gzdocker-context-inspect.1.gzdocker-context-ls.1.gzdocker-context-rm.1.gzdocker-context-show.1.gzdocker-context-update.1.gzdocker-context-use.1.gzdocker-context.1.gzdocker-cp.1.gzdocker-create.1.gzdocker-diff.1.gzdocker-events.1.gzdocker-exec.1.gzdocker-export.1.gzdocker-history.1.gzdocker-image-build.1.gzdocker-image-history.1.gzdocker-image-import.1.gzdocker-image-inspect.1.gzdocker-image-load.1.gzdocker-image-ls.1.gzdocker-image-prune.1.gzdocker-image-pull.1.gzdocker-image-push.1.gzdocker-image-rm.1.gzdocker-image-save.1.gzdocker-image-tag.1.gzdocker-image.1.gzdocker-images.1.gzdocker-import.1.gzdocker-info.1.gzdocker-inspect.1.gzdocker-kill.1.gzdocker-load.1.gzdocker-login.1.gzdocker-logout.1.gzdocker-logs.1.gzdocker-manifest-annotate.1.gzdocker-manifest-create.1.gzdocker-manifest-inspect.1.gzdocker-manifest-push.1.gzdocker-manifest-rm.1.gzdocker-manifest.1.gzdocker-network-connect.1.gzdocker-network-create.1.gzdocker-network-disconnect.1.gzdocker-network-inspect.1.gzdocker-network-ls.1.gzdocker-network-prune.1.gzdocker-network-rm.1.gzdocker-network.1.gzdocker-node-demote.1.gzdocker-node-inspect.1.gzdocker-node-ls.1.gzdocker-node-promote.1.gzdocker-node-ps.1.gzdocker-node-rm.1.gzdocker-node-update.1.gzdocker-node.1.gzdocker-pause.1.gzdocker-plugin-create.1.gzdocker-plugin-disable.1.gzdocker-plugin-enable.1.gzdocker-plugin-inspect.1.gzdocker-plugin-install.1.gzdocker-plugin-ls.1.gzdocker-plugin-push.1.gzdocker-plugin-rm.1.gzdocker-plugin-set.1.gzdocker-plugin-upgrade.1.gzdocker-plugin.1.gzdocker-port.1.gzdocker-ps.1.gzdocker-pull.1.gzdocker-push.1.gzdocker-rename.1.gzdocker-restart.1.gzdocker-rm.1.gzdocker-rmi.1.gzdocker-run.1.gzdocker-save.1.gzdocker-search.1.gzdocker-secret-create.1.gzdocker-secret-inspect.1.gzdocker-secret-ls.1.gzdocker-secret-rm.1.gzdocker-secret.1.gzdocker-service-create.1.gzdocker-service-inspect.1.gzdocker-service-logs.1.gzdocker-service-ls.1.gzdocker-service-ps.1.gzdocker-service-rm.1.gzdocker-service-rollback.1.gzdocker-service-scale.1.gzdocker-service-update.1.gzdocker-service.1.gzdocker-stack-config.1.gzdocker-stack-deploy.1.gzdocker-stack-ls.1.gzdocker-stack-ps.1.gzdocker-stack-rm.1.gzdocker-stack-services.1.gzdocker-stack.1.gzdocker-start.1.gzdocker-stats.1.gzdocker-stop.1.gzdocker-swarm-ca.1.gzdocker-swarm-init.1.gzdocker-swarm-join-token.1.gzdocker-swarm-join.1.gzdocker-swarm-leave.1.gzdocker-swarm-unlock-key.1.gzdocker-swarm-unlock.1.gzdocker-swarm-update.1.gzdocker-swarm.1.gzdocker-system-df.1.gzdocker-system-events.1.gzdocker-system-info.1.gzdocker-system-prune.1.gzdocker-system.1.gzdocker-tag.1.gzdocker-top.1.gzdocker-trust-inspect.1.gzdocker-trust-key-generate.1.gzdocker-trust-key-load.1.gzdocker-trust-key.1.gzdocker-trust-revoke.1.gzdocker-trust-sign.1.gzdocker-trust-signer-add.1.gzdocker-trust-signer-remove.1.gzdocker-trust-signer.1.gzdocker-trust.1.gzdocker-unpause.1.gzdocker-update.1.gzdocker-version.1.gzdocker-volume-create.1.gzdocker-volume-inspect.1.gzdocker-volume-ls.1.gzdocker-volume-prune.1.gzdocker-volume-rm.1.gzdocker-volume-update.1.gzdocker-volume.1.gzdocker-wait.1.gzdocker.1.gzDockerfile.5.gzdockerd.8.gzdocker/etc/audit//etc/audit/rules.d//etc//etc/docker//usr/bin//usr/lib//usr/lib/docker//usr/lib/systemd/system//usr/lib/sysusers.d//usr/lib/udev/rules.d//usr/sbin//usr/share/doc/packages//usr/share/doc/packages/docker-stable//usr/share/fillup-templates//usr/share/licenses//usr/share/licenses/docker-stable//usr/share/man/man1//usr/share/man/man5//usr/share/man/man8//var/lib/-fmessage-length=0 -grecord-gcc-switches -O2 -Wall -D_FORTIFY_SOURCE=2 -fstack-protector-strong -funwind-tables -fasynchronous-unwind-tables -fstack-clash-protection -gobs://build.suse.de/SUSE:Maintenance:41825/SUSE_SLE-15_Update/045e3e735fbf2cb5a55702dae9239750-docker-stable.SUSE_SLE-15_Updatedrpmxz5ppc64le-suse-linux     directoryASCII textELF 64-bit LSB executable, 64-bit PowerPC or cisco 7500, version 1 (SYSV), statically linked, strippedELF 64-bit LSB shared object, 64-bit PowerPC or cisco 7500, version 1 (SYSV), dynamically linked, interpreter /lib64/ld64.so.2, not strippedELF 64-bit LSB shared object, 64-bit PowerPC or cisco 7500, version 1 (SYSV), dynamically linked, interpreter /lib64/ld64.so.2, BuildID[sha1]=a7261276d682185e64a5c73a184ee554df4afc98, for GNU/Linux 3.10.0, strippedUTF-8 Unicode texttroff or preprocessor input, ASCII text (gzip compressed data, max compression, from Unix)troff or preprocessor input, UTF-8 Unicode text (gzip compressed data, max compression, from Unix)troff or preprocessor input, UTF-8 Unicode text, with very long lines (gzip compressed data, max compression, from Unix)troff or preprocessor input, ASCII text, with very long lines (gzip compressed data, max compression, from Unix) RRRRRRRRRRRRRRRRPP"YDt!apparmor-parserdocker-stable-rootless-extraslvm22.2.89 utf-884eb59070746d27cbda1772cc51c1db4d56cf72194945c6de288376f79236428?7zXZ !t/$]"k%+f;ӡF5Fn妺ZsCrQpGkIt[U@c-L#zPS @ozU1)< .yf5zM&VGJG!ug'.Ujv.T"(rDQjՖfh_h*ǽZ]2sM4dҒzpIrRrXx-.P jMG;ٰ:Yl|F (7j翹%gw?Dz^V "<ݟ[p1J;!R?׉؊u~03f怟`se1sX(5;ݬO6_Q§ A3bZeZ׹jr@bYiкMw=Ƣ(vH.GYi%1pȑ,W/E2ln<ԒP6Eԭae'_,+ Xk|ݧmQ>3͘"t?}Y$V&T{ Q3%la :.Da01Gw*he!Fڤi~,wF7^#&@ @$zJ~}@#Y吆G۹:%|zfXޏ he~% [ԓ{si6Z/RP_=yܔc%Ll1ڈ /-YҖ/h Wqo:.t KԕgO Yimb' Q\MiFNQE,tn7aGgJ;.lvT׃YeF't/R^9Q3Yy\B lTwl`49@z)I/a ӌluBc!PP`ޒLm__$çܻV޲ӿrׅSIƝ:ߗ#:y.&ϽZx|r+ d'[|bj# ;ܜ)(^Fjx_3]6QG;5cZJ:yJ-rjIcp|vս<RPFd^=O¡!Um+|A ʃRt+%yI\p ꡲLaŇ!(xas |lSuvlbU/hB|'l~;\h"4ɺ'ѡcZTCd kb^c v)!BA2 A7BS%X9Q&9-w|?Ռy'{{ E&7j9ȜxkWqMkR(p+^>Tv2'5I:픑sU\Y'h1Hp0w;xlc>3 V=n osR/ڛf||E[E (Q"m~)<v ~c+t)lbUY ;"4p-^&oSCbnqZаf !𡪣9ͽ$^)V(jjWs"Np9CMx 4@uYxW&=WHpяz`k YMDt2[Yx{t׶uOqF_0e03Vۗ͙}72 F6ڿ5Z $d|XqOfNէTk>3(1r Owe%jCcFu!̚72ch%wDǪVZkh6}vα~Q 7e"@ێ u )y&'Bm؇={T(Y^Cz uW4lVlLuWY: 22wXOs+ +ӣM;&M"m;Mӣg|]Cu x# w B" dԉ5?הPYtri]Q0#gFΔPx.!aw,An}z$GAt"BBȂz5&LA)}UP\ 2,>ߏ5lX24bi^2+vix@пHxMnRaJ\k] wMd—IBh }VV LYB-jOdHGYA*2u[עP{UD/6BQ/vM x$pēR{GgM]XPߚ{~[n6f Xҹ7Ls, h=$ v))ilx4\ x:Kq@~T3V~n%8Q{`opz7}Њtg#_dGцL zUpJb)sIx]As#Y3fFnRNPJV #%+@t\q:>WN[1CG UY3# xPGR̡owaG!-x?D=n3M&l E,?<,[>1<.߲\:iʂ C B.嗆_RĥA2;j1Ԫ8]6TN-L24Ydv%~wa(4∡WzqZz6V5m,JQd͛,']f[P=r-dom^Lґ/\='/_IR&^&Gy@ߢ,rA ,>*9I@VYըZUn:;ֿUD#bi!-x4x+ɿIz;&Ċ _=:GmOFM HL֊!2 ~ $OuT&ɾ2ǒ#\**vMۥQӿl;b+šnD[_wUmr.wˬѺ/ˈ91/ 7^bND8Q`uĥ>ͥxe?ߜoA!Ž/;wA w>nɝ"uߕp6V1rW }tw̤Д-εsdچ?|cLGUoPM]Å\}*2I<Bx|ଡ0KsZJM,ސ\VY0 <-j'b\M*WZތ$Tv!>;j&T|"Ǔ%DK|pmms/7Jx K8̌>Lcw;e7w;:ƇhxY%dFўbj*6SU|Gr%iD89x=rS|f 3HQ(1D6,OIώr냴@TlhPzǗ"]0q{`x7-1>xu] ɡͷnsQ'}uϋAnߍ:,fNGĉèϺJ|duAN` !j%p;aNIoaX8nNi<"ȿ(t g5\JG<5i4+֌MI;3qt:GWߍXڐ1E*#} `&dT38g48$9)V]n1 tLVik%="5&q}uE?qlZL!g[Em{Z^of#()m.6 ιJW)-7IJq5v{[MNK $ lU`XQC66ОW @dt݊n"&|= "V .dP JwqvC4:sMT66ր(-lSiMBiPa5^!{T6.ŋpyX=үj%`<:l.?b*׃&*k{gr$S ꋾiAV@#KtNjf`l5OY+Wo`kc@@VM8zfSJWש%wGe`z}dwnP9gjYa;lG}@DIQ)Q=f# m[Z^(3s+Yܛ¥;t1 _*mF"q@mv{fTR,#SVV;Yhv epsp0fTU@vxK_8`8₃qĖiGk+G5wE~˹GsO1{ L[)j iN |j:-־jVjb{b0ipMbQ4ؑ-1!t,ڽ~QaO"f9L|2kqN,jz23Rf; EO"9S1I&z1ygR3TQ )|l&4126k0[HXiF]K a J]m&me a4>$u |bLGp̒1ʅa̝HEѬzLe*$c3 1bL}DR9j4o8m_&A-mp[G:p*(Sx: o3.:Cg'g'Cg4-cQȻ;b7bm1x:SqH a2"_l ꂀ 6)[7Ag6!O`zj\xL/x (zXľ%f ƺcXGe7准=Ճ/Fљ*cv\]ikI顂1 ͪܜ-:H*lv$h]BƁMZmj ]D:gI%΅ ~C1UYt|YNH{]M*4;)nJMj Q4cNpW P:Ao"y_  /.N]4@ia>;=춉.o/mPYmժMIJ+ȫ`eNX,:f0cous\m5)؇zY0LmCr;tp>:t:Tޘ-wtDkyPSr g9w߭]hUIC̽*4Dt݀e:9TTKrC-d@.=d@y,pS\Ͻ4 \'(4Y%< Db NGuFCcǑ+S Z "Azm=;рB7xmH!!V綽$SﰟHJ8$儺4d,%M/Gh6 d Y#rJx+ ʚw}=Ih/E|9Z$vs@>0zS(/+\41)t<ĖTqv(kIEJ6z͂`)Qs!^VV Tvͷ?޿^]\9&selvICg`bZL} *16sEɗOZp-)мv_ .,,6ugKe?4|Nh 9$njsjH]6̭comSuCc$ ڀiEc]y":gvL7 8bH-s޺MWƲA\NVVAZhVY>TUu~i7'%j}7xR?dEPv`4F1q Y$'bg2$ •cmVH"`MHW .FaN`VcrѩQ?iAY.n8qvdp rj5Zd|)sH/ս&J+6A:v^8ͳo0TX #عi< ^ۍYsBo3:Ά 07Ri>Dq<.颋L4[ZХxWs֏Afjxn7M: 4(Sx z3Hҵ1, ZXZq+um$?6n-5nOۆr˙1XpTϱU.rG(R臘-~"-xՌ_bG1 WIC-ٺXʵơ~f\ֆxMC\4m I^J 3$kW_rU-~?Y/80!z3Kq/]U4xX#d^l; ~ VNVv6o~YYyڢ`q5Cfgɜ{#L8>Ȩ j$ px`3lO,,߆?(ZTKͬ~[Z]&@:<6?<?Bݨ-'s'ٷi{{1sw@ >ZVԁS|hl#ZeU@tWl6D?ճu8ʽy| k@[_T$6%WRdV2gRszvdGLCkI7[ր[f/\Xr"sg9. q|}vsTLh1pxׅ v|^qXs7PNdtbIlnL~c{[~{g&\GF( nʌDa,uj];j8  jRMR ~v+ءkJ!-奠 %@VD7u[ G 1*2H)Ni~BlneTb0Iü^ԾP; y˲q }3#Jg|( kd%ؠ&kz}/HI'XV\D7xS U[;*Mb 'q@awJXHzzu[±OЖM|ւB`W {{GY:sEmSYrUn`og{R?߂]^:j[1p~3Z`k+~ LlG̾`MtpMAG]ddsx̾~ʒl;뀦PP&0@P Fɬ"vB޿ZѲ7 e{o:И*{%.F(D43ʂ9g`s}QWX~TWZg<oDlJNfiŵcm2Y~:=?)y{:hÈ&{*R)x'l. "|z@7ċZ)NO<׀w`1-ڈ "&T#wzO4+p7U)%4 )~U+.;n7[4z~x2S@uƏ^63-ޗrREI7s RT›xW1}v(צ·,>mr{/4|6\HIS|g } Ii~T ;ufN ;z1b;"hl[I t* qIs͸a/⡞gjls-Ol(rn9U?f6VP[?1Pδ#6K8s~7$'x5h|(*ҎHhc{t>PePX%aG]H"B ˣÎ  : \+\>W+ ă)jiO;Y5Xhhݐ1ys\m<;]mF,Y%À0f\h]O) 2B,me-M6HK;]߄nLHRd * )@ Ϭ8-'{'10y?<sqj`TAH.iqKHAL=X^ Ѡu2"YooNqpWAυRc XIHU+CA xΔL cpx{Gr VJeN1~EIM\^gL7ƒ{ɏ{/+7]>.b6Ҡ(wF |ʆ NwHw.|%C( z$BE IF$WdX8_;h`Z~5!J4ڪ֫R9ݕXOR@5dBK},$)NFב}Ŷ;N5SPO|;;|OW4׸NY+bc=7!.bg,ɨ^+9Ir[= Vm̺*bCe}%jQ 5 'bX aPf',@QrzP˔C&n!, E3k 7)=7#}9bQ%~riJ5?~ᦤ 0Kc'9w( X_X< |w0Ǜk V.܂GH*EQ :ό ‘э ?Z3R͚aLS3߃nFlL'dKi<ç>Ҁ\͗iIX|-g| /4%/Gυ Cʍ^6L JزT*3BZ5?[o?GnoNV_t]7PϋrbheŭG\BF_o=98.C< 6/A3 0xIWHN!zԔ7D߼@'hK0Y!,2Nykp4}FB3Z:F=Z0ex,rLlleW* i2B$YU/#(ik fY#1{q<4RJ[yMF ,JNnaMon`:=59Y]<59̩2Y?LofGH{tݻNo"8zVļlH.鞴=aMp+_ W q/GhvF. a{7m NPEߜe3Oy{zO,l}b``ư 3@̆AfAI8K2x≩nɁFK4 ~3$a`Б d"F|/͓šm⪏\~vr5mu6SyF\Ay$p7>R6#'`RZ\P[E -{wp0eqz#$.zq EMS ԛ!nkYЬcHގO*xٴBCI}~&er/Bi 8Сju@Mju'^kxJZQcFWTv0k3e Z3qd9rƪeFmTq*$YaAWIWR2&g4?/qcbԭ7V([G^\6 !?-k˫J߮*51S1]AޞPTpr'w豂//+K>2>Ŭ{瓍 Jf2˙'Wd]e킻Ϟ}&gAXYed%fRck8BV`+?&Wgq}l-["YvpIIF*/ {{ˣ I| `%d֩E6>MҀ=Dvok6h4n&`!0n!1OzDIG[J3/v2(0>_gQ% 'I#Ɍ"Tț Ad]!,(~Äez,b/m^9m3>8[psUFO蛜YNQ2Գ;TyxXqN@ 6LO=Q]G$׽rOQ]W'" )lxKz ٲGF>$!W#JX_$XG!fq;M0) _/'z R ^oc4+|4탮L6p_lӉb]1TPM>4u~iJGbAC-I+"CQl,XTrJ'"úڂwnEfPia 2r o%iXME9Lx, a1 ߰[Q7MwӈBGf# - Rgwđw2jB`*N^a_|w>fb e=ɌFY׀maM2 MM#Kh (A~fC,;s_pyAEc` craޥOѮ$oXP 9_UW^ۿvd:00zL:ԏEj[Tc&K%ǝ$Ҝ8ӼY\#zQ"٢I Ъmqwe\h)U3S["Y$`r_0 E/֥x;܅`|xWh+ǜc3[5`/H 7~jhK6g2UZ >yMy.|˕ǂJCt4;ToҬ6Wʸzf~9%>>X=}d;3 iUF=U'O0Pg<>6):zAmS_:rwRq1տ$/G[K"^%tAHO\Sp>bN-iMIdžl#DŽ~! 92yyKR{6X-z9El1W'6( x>1Y# !>3:bIk$S6~䧊1oGY j*Z.e`e(hQZ(3=)cU3&_cJ!nEaZn Iv&QMCKdslR:+f@E k{2O(J&܋sƑ;rG6;Ŷ"Aruޜ߈QA+:+B,JDJ<ĐDq;t󝑵#&S߷IeG\KN`z_ނ" a: N^{p|QXǑd^S #b!0h:dZ80PvW42%|8kcB'ݽӋssmȘ#b+ܞhRq~_FsSjpqOk<鵗!^M4ߝz+9"=?ca,4%SĀYXV Z'U:*&wSmcUbr61(ôJ:R5<.%Ä̮75nI F]uSxLc_Yb*8$;?+4*{$Wš(ʋmA0(pHNܮ@)d' s @=Vf3!/r O` LBZ`ty :XgB|u18Jdk}D"lNwpZĽnaUQ`+:O+0FoLWse%cc;akohaRBډʫK[yim* >o sTΐr< %o_[G7PlURk/Uۧ;-㲙ul-J@hv/s#HJCge5yE鯀g1aA*.OL./S'8`V4f)\&Ħ˫(F'/¡cLcacv$k2*) c *Y㾽wtxX r^.Ψ0 s#o]p8Rs;^.e 4_iQv?3и,.8|ŲKیh;`M\_0N+\]Zmɏ."=Hu]:+\ڡi#yO)*(0φ+UVbme˜c! 2ut~?.5j\0n~'c8źW^z^f6ÂX}T1Q:‹*z$KnFȄz6aE g0E:AFbR&eBnI:gN[|^}UlU~=ԧzERkΕ@ސ{xy-e#-2 (yIFoOBay`2[hޜ>DƱ2Zͬ4Ct1uzB:z5K㏪Sey}Dd\6pGTV0Iq%\FEG:\jrv|Npd|7Ruqa=YܜͰ( ȳ4-2r&H p\r" t3>gN6ɀh.~J2؟J2>>lȸv"(!Sa-_tzys < l˔zW滩V}Z9M:*~JbTMF* \/qüaʧa0|3KԻK~2>i<7D(O I|UhL&9*w6F&;'S ]*[m5>3'x^Twy Ja@mCKJ=/觘@H3 x<Y؀:aIOJg5fl!,)I AAD,&Z_6̭`Ye `K3a*z\S).Nޅ([ @ûm ̗M; EKU~y xGiwcbrpS?:rx1Mt.MbU2ŀH(1v}BeY?JsTǪk3՟|(\7c?d-%x`$Waed}϶&߬2$͖)'V# a6 },j$Mj ptz!i 3dTjT-'`@$#iDܓWxpA XW*>oY(s؄kV |{&aw7l-S~p&v!>bGGs9AS,Ƈ8M#{|#;Oh_ gЎ nFԣ{UOPjJbq( D/B ֬|܁4/ux:ZrߔezWJ`ps`4Ăq<^U 38n* ŖE;N=}M_)х6}' 1ѻ9LPÀ EzI֢ kу ,*_k@6z,[F>RV73+ǘ.SCzv@]D&v7R^!ΊR |tLYzw5,ޖDl,rb!EE2aBl+ըIi̮_H#ҸˌM(,UZRcv4{5aܩ#KVTVuAe7zֺ odjv̖.ۏ~ RU}k-0`Jkl>QLV9+aTFh[mywfNfN$35%3̓/ƒeWJ",/ d76 I~Zh އ e%Lwя6z#$%*橨XL.MH>GJ.7wlA^dJ'LCU} )q]LIn%v+ŜtZ[/`s wZEx:YleO+Pw;NOGm*UgVPDnd"fPєo~Z"9gtz(QV!o5B{}UTwTA %vAP2޿^w uO XɁ Q!j#[[)ݬy42+UԘG] t2QLZO@!Zk!Pň7 ${3ȃ"iWżvH㸯 1t}İ$$JEϙR}'K^nBS;^U?U|Q29볂hMOʡxFqT?+ɗP9zq+ȥCaCsgC~b=BJلL H1M4?*b/9~KjۓdWTSilєQ)܄ rǏGT J5Z.WMm"J@`?țZ.A@:T/aʀD3ZyM0th$8C ,կ Ks @oɤQ?HK3zT)@@A_VpҽQ-\ iu"d)m@Lm+#pF*?y#H/pKhiyM>{&'(KhYs9옚,uM6/l=̟aؖNcjPʺ+:׈LUﮀp\4Q:}zD8&ifrV3[@k$p?Q$0nCs%_L9(A!TFdB'`:yt^!&VJи6WX2]Ž V}Pn&䏷+j}ey4o YG2Fʂ=RIg3 r5p;jQK1MRӗMMaa0@K4}t=SzjDVҿPJ3>Je]my7&뤐bƾV"o9UqMw|q9!q[gcL-%LTS‹I3IɰaA d֭k 5su =듅 ۖFLs.jh_8`s tM乯DAtd0ۂ+{2jӔг+R"!O=TWy I+out)ޠZ'̿Aθw BB* -/g"fcbWPg6ࡅpOfExUZҁwt-K)X;g| 1ZE&2+++E.hdoY4LRifs JE! X( ̗MTEiO`~\6_Oefȵh~0I yԽOFAZffp!Y^GwQȐN ,0R 02rɯHS;&eu!BCp>~*ref(1=GO}ͲgkmB\rW^n'XEfV-z6|1E E*r2e"IaI@,堼$lL#=nuFJe=LG%1yشr`JD"{ )b[EF $ʹa38]=نTgKJl&!*St)X tB-^.{O 0gTnךfHtX⪀3P|ZҒ"m_T㢎V"Y tZ. $H `'QR!:݊(苬+LَbW~`bR6s\즪y;UY}EWYS_esxg,3GA%^~~ܶ`vE@Ti[$o\M(؎2 Xv]l?!)n7"V[=Pŝ,Z: R㏆F_iYbs^phD M dI/xZM]JfT)Ai &B>W9I'7ҎIVM0$4\&L ƍs-`䗌H=! 2R =PӮ.5yk!qg}F0=P`woѱAëWRɭPƍrt;+xP~N+g*&=4ܿSg Kp%mmKHQzbֽg%ú&͘+ EC,Ov.8h=@V`IL][8T-ET -kywLFCWL6r켾Q]-q$8FZٳg_Ž5t[xFu 32*gۂX%Lhܯ5ܾJ |C %U2S_V͐chdpgB%碳q=qiȼ L5 ݃>ࠈڦB?ta>z v{PSv,-wYDޜ4՞edZCy,$*mse_Z 豱ޞ~v"-;z 8TɯwB΀e&i;qP^;lt[(ڝC'\b4%Rg_h]NcXCrM%/,G訹s"ks}&{ܦB ٫2L5~ N)"C4V}_ZT*[/+%Z5$ 4TBוX6x` }X ї5+Glk Po{ 'n0KKb\0yCh:DSl©C R>0ys^,j%P:T'wZ+n`yI+.ŵ"Lp.} ̖<ȥGiۛq $sO ]~U/ƌ`nZߢVFZ:a %U4HJs񩸍?yo)sDAPbt!Y>mOݔWǽ^94FHDL/W x`M-]FoaV#:A+Md{,eFҸ "?y-kꝻl5F$n<\T3B.Rv[/?!-<]{gcvo۩ac][4ef~OJ$8\\#?u* A,ٲo̰դ* #arJ&"M$s+ώvjHtKQ $F%M"% &_%&Da5xm3ZE;n գ7o$.lg2٥`4W@OK,'Κ>(cHy쿑 {U`Gx-IGaTX83 }~+\&ɉ* ɛM9}%#6CiE n?Z];KpsKוkmUq{9SY2xϫ5!pj-cj9gU9pcD"ZOܕ\astaN꼷JmR#t7G4unf@r՜\`Bh%e "Yv~#C,wg^s^up.¾ E&κuɲuA#H)4e\{;+}D`UeQFoz_Wyt*JK%O4kfuk8}y"v zxJZ DL?&Y\""opZo {yI+"dªb@N(@/U?\AtÃ_KER!z$ahA2dM܍>g[C=,6bnϒR(ҝ* d9맣[y;]JQ搄Iy)+ۏ{ dJC֋!$X6U.>\h.bd*e}4K54˴ZÝFrL:0 9`J;#ip>ڨJ!EfuhOOLY׹{)QPe!+[]{K |U7sP$8]%rb W4:x-Sts> v,L"Gv1ɝd#jmE)w۴-#?NӺC\H=m ]Ai}NSjq1!~vcp;!xƙ|wx*yl8uǜfV wp/BRw7":+֠W:)b[80\uI0CyŇ;Oqd!2Oȍ&F~$P`kunk\_Gm+I9FTtl$CYjeZ Qks*S$T!էLK[y!&z0*X[X5!!pXkKAaRetkG|C0lr|$|ئ:{=sa\wxpZU\0Wj>lBle/bԹAΐSB! рm/*۱x>zN%I"F$lmشu$cng0=rpʕaJ%ǚIfWM*ԿF;3B3B̚DIVVAv?H"xHy_R f2vpOu*7(}g߀YZ_ć'b}J$Pr[BO(=. Kw}R/st퇎}Ӣ`@ d;ꁏC+A4T̕)Xtwͷ]뼬([~dK HTQtUl-' iA^eW]Pȿ"XUW ׅ/(W^p=#-'%ɲSq؛V6!bM..j|E@TDKo n#CTVL-6bid 2oSJ_U>J\XkEA3N]F>q# ,Pgp!ظwJܻC̀g졻hġ4RN:d!C-$nrD)o_Vu!DJIMI–6 G5=%H0j1ǻKI =bka.hh`ITIggrKI;o|Uͬ揸䏹&S=:F̹؉Q>fsrW^WNLį$T?URՖĺRwRjC*N, 4ks8xUI=q.oq+3ͷ+0Q)OUGAJx{7$9bppDl5# @:+O NiyjMQsdD2z4eӱcpsd&FYajݦx~kBv5f׋ghə\Ci56>K\-D-1BOȼ;#OVZr{޾AxhK)lR2 uu?_R#.'15>`C}+\{"U: +pt,Fp"*U)$|i8YUrR0e:>_vo KZ ܽwS L?f m2Q2kҊu14LGۖƹuBnԷ @wZSo3-lZo'Ol}WW{N?}؊lmMj=X37-eJkPEYqp 0ᅃo2[_u]1EJ\L i*7 fHВBPSUCi}k")bO+l?\[#\mO)зX4_clr}3˩fႆ1$yJDa G荌 yVk.~(*"hq:9vedLۢE cI_;<7V1/;:#ฏî߼q^(s-U,E sS$d UwX?tMɺ/!b^Bplfq< _oU׏<0 V_Q D7Q^8\9BڮWGxf @&n9^wE|g~IbȐ Y,DM_o)J`q͋%kRUt:tQb@@DYXLaA_ Rrf[YT}.pFt8Y#6!X2N肴\2X6a#H7ZwRW=q+Iя94%SdLNEYZ5@I !ZD>ԁք//%t.yYO@gUQ^(K- bxQ+\?6HNUҮڀa}`dpO펂s1_,4p:R\wg`}K20|=z7fSJgceޑ8&! D.X"z3PGJ Nms6qCۮ͠HX.@gjM b8AU=PྣG"éah)Ok_ƣ_xdPOd3 #ӆzhr<]o0oQ̗#}>OVot /:AÀhW*s9捯?p2zC=ǝ&#!\Vm&2/Xm*ƙL@s!w9ڱ6pqσzٱߎ{JIȠT7Q^W5m8 !'PNJBK%<]/rWFE5CٱD 'x@D2;\1WT*W{al!P}z.}Sr9b.91}q SIտsv'Qq +ׄ^6PUmcaĮTg[v/Yz=X' xAM1VޯPšr?s0W)~a]U1 pl_cjBsq*z~d Μճ54#Q6,/t%z +Q{*MDi9eu&{0~I$%hmXT#׊'.1"L"<'iEWI]@oJhk+`fvVt; LJs+rD%Q@x"Q"DfQh܄EؽE^[#_CrV:=umb'[<sOq;-D:(LՓ/ bBŧ4?ȍ ^GV5}K:0=ᘹ+_Npd݋啑z\M/$CB=k [ )5Ww=H>ú Ψ W{ ,]Y(ˮ4Ϻ{CLZP2BAR4a_vz۩Ns+#;t 41`_3LGT/T!Qp;]n:32˯Q)~pkͧt]EQJ9Kw^R,ɔ5-Zzs cWRSeN3LOcsq:膛uBrayaĝj[Qʼ -2_g`}m a}Z[.lG7#h]i2_8WN-yu_Zne- ITRs _lⳔtm \VOʱlG3)]C֭I>v͌y m[ə_Cļ-FbMIcQJ` d(ro:;ȧ|rhRx&0zz ] ŸgOd%]'h _וw8oX|Ob<ݚwzPĦ~Wbf~eEb Wͫ踹tsư;2ij lu7mX8<ח g flG%ǯ=YwB+Q.PǷ.ˏե?-M84o)j,b w5"l9fD':Gͪp1?}}X8Z #c`,\Oi'oS|l⃆T7 wh-u1h\OoN)w1n2ƗAdUD<@,fnp=&e/a޲TNWOepɽ#յr*wxa/fQuR,P*ӣî=}!Ƃw`Y+ӿ0/1~pQ9$꿙h1ml>DD|ѷ7r?X8t|TLGu%#d;j%ֿK1Լa70Ă6'"KpZG@ތJ7맅jtTf#o,oaV7WH]Meq6ջD,ᵞެu MCyz.uݑH}2bIO~;80^Up%X`|I^RC zJ1o['V4]Lp"y-t/j6ŋ K#I1[aRlձ/Ipo*Y2,x;x;:?۬g`)}g{;M,_j2`cij'ÜTA[AUmrҬ~oKqܱY=*TZܘJ3e*(gCiS,W',rF攄8H\z]wH]4Lk)T;X74/-Ng*C1vE|_6΋v-2{cp).~YvIO@.eV_uȵ>[{`848KB}*@;PRY ߑOaQzh'wP័IO:^{{3ҍ>(e>\T'Ow׮WvZK39ԧxC4zܛ 'DZ+ѽI_L!R٘E3/( "E񻍑]oYZ*мq%Eq͘֐"8-Rc[t&ѸV%Sz+p@&eQSv}-m?#9@OKb $zQ˵r[((CH;@ twXv\(v4D$k{{A9-0ՠl쵩"@xྲྀsީ}c1[ iQo),3YIVmibHk ^r]F',9.ВECAѲ@( cd>3+C*B VP޵)4ցROq†7yԗ<;nFmA|rܞbZH.+n™j}S&pN$?KMY,{[H YzstbbTCEh4Y#Kk)5t)]̀HA-YLoBOmGNjRsbw{rpP)錻_CJ< ijׁ29!=s>h\cHw Q؞W9s1. Ox`8sM@bkUvRLK LN>Q']!u{;xE b2]{Dy*;X|xk,<^EF"KėlGY D{ԖPxv|ɥIhvTkE~$c,=Ԑw˄l3(P8CWDmq{yԫ9< //z+hg"plGGzG{dSCS q辕Aĕ9Aþ 5<X!$GTj_/j)*zuQ(rSv|M1JL{Y_lzzu ,ͺٓ5aG|Srf`UWh]󢡂xr~$* b Ι:Mò6Sf.B,. i~/ǁƨ6EMo]˄JTTQ'*tJ³Y0Ļ+/@0`} G"`Kw`fukGb!J[8mXcqUd._`mq#;ԶuI<5,NH@J 5:JC;'R ~-V N ev%br|9mxr$>oÍ"shU#ubJ[2șEaa+;ƚxjylJGFHðe ʉ!+5I*_ .qZAS@ (ww2T\o0wXYGs-A49|sߓxvbZG''.Us"e ӷ;k}N+J]ݒ4Գ_uZ~uFE(/kK7A+OTa/)E#ŀWTS;sZK=%S#ޝ)NMDu#{Â$( mb8x\5 *(WTn6JMm59Vslzz"zq!əAlkڎ3ܤ7" .jCxz_uuj">:v$lSCl'بl=)^ͻ=Vv9fZ{-x.m J~0"9?6U9Jf:@̹"ڇx%~SU .N3j"y~9PPBA} EhZ yh^Q#E\@BRu Wi䣥 fwF 5+vH"НrC`8kE`mo>eU8}a l+d%(5{\hz籧M8]9O0H7N^*~C Ơ[g"]{b( +8Le;7֤rVT".2t5g";+7< UЊͪ1l0bݢVppb:2|yN[sՃ4S(tu Gvfh$H΀4~MqdQH3 LS\)F< t+eg g&a]çvhy4,3s_u$"X+UpD04Q oLV\[Y$W} x+h!y9PdJX-_:M 6MĊڇuxw)VwsZ#]XX}m&,/Anzjkv*0ʲIx~P)& V!j5#~O7腶mKbCyx|Z1F|zQ5Hkh̑ù8-NWԉl/gF]4ƏSZcʵ =.CG{y*erF51],{&.- 2?!u}_ K aś,pOTyN {H߻|$"v{İ_ 0 kaW=7 MklYOPZ]慛bLgt֬މ:/^*"'X__,; UDZ>-ta[¤o\I(/Ki@xudՙeNu4GQ k&F#V^`x>HFN"[|lY0UlfXϕ8L2wji/oZ}/o@!f{cN Z4R.k_aΐ)Ƃi$0ͯ?"wN gN@] J E6s+*citO$"! |-(+WUs=h߄q~HT {.`&䰧@hud Dxch[`uc~E ta|םnHq̌>V, ">&aEp#p*", :OJ=G0䒆6 6 ^+T]Q+yb/1#,!yh<1Xli!q;9A$7%|Ed//ay^oy6y dl~-̐E1S-$≮8(YYm5)S)s_7j עid{ܾ|: cA>%YdTʁoR6TrQe" .9a=z.;o,-V!9Yc]u#<8%+ g5pD#\Z) ,$4ա^+m~fj#"{^+S ]8pdUv1P-1ƒ XƪhSF8/ɯuѭFo:W&5J WF_l"T5pbv]z}*v95-(*_pZ33΂_2 ,Sx4-/DeFӠ<[a%NQ Z?21c܆C6V7v=/^7=! g`dtPn y-%WQۛGT'S PN(dx- :hw/SvĦ A^ ]^/R0LmcA5dpFE<ɟځ|ޥg N9Ki޽4֓ˬWY<(vɘTfC7˻ǨRbQ`Da/8%LӃ\ SM>yQfџ2Z#>y7X̂gou\AwV+\ց Čċ;%чN|NFXӚ_`Ysf J6}q,o$^p< Yi*Bu_C +P<7D}mcl=ƒ:e|ZI8$zszh#w$"xM!;iv%ҠL< Kk nA[fBWNzl[.}&t8+A<)^y \fӋ'CQ%= 2؍~ ĮaCa`}T0 _?Q\ HBD-vQn+WL4؉?&Ο۲ d4w>#O=RY 8Hs#6ϪxC[t9lFV!j0F;4\rj;˖Eڱ_ot AOy'?r1B4pjԾO.w%|-۞!%s׍QDj99nLarV$:<,zk>/.?& u0?x<-vY?gm{ֵQ vB<܍% mM*Wb1=|:P-m't(eeOx7wnaJ=I+PwH qeb+ G6V2" {?DzF0͇,LѦ{4B|S{Q_qu[6Cp:]}~y^s$2l{Z+Ӊ[ixPǑ5RҶw EW*X?W;5_ZŀM18=-b4b X|LڅWoNEif/(8Fk""ռ2%SxH8)2Li2lmkɮm< 6_I}w *o[| Fi$f<VCz:QcCf WJPNffރ)8BeJDUگ 0\5+tFE)H=kpA T5x{]ɩȊ xM͗YҊ$25Oo `A~H5CpfkM7 gbnWzJ#"7F'e]I"<nk r &N}Lf vA(4 q̣)o'"#Jd\PUƅ I1^6]># Z"1ZxCtGV& ,w[?O<ۚf/b&%A /l P9XQƯuyY7fu"Ꟊ.ǘʞd !ҧ.D4k夶c= 'P*$woZz:@k|_@/*1sTC75}'' fOL=Q4p*M˫D}`29{eB [5C+Gl+*5vu凯>זNUyb4Q rd-i ш̛YB6zͧ.;BY}3|UiP >J T_`X\?d= %b+]bbVa_\{f(3 'de; >;W(oO:(6<ϧ[a|Sv1AΥf3JYwnR!a4Cv:`J'CxK\TWk~8%Gɡ885+'gգ61m'O8?N%K;$'h?:eF3dqv qzeQVaC*ba`MHo(pw$&~xa4_[Vȡr b"ۋuj(Bnv .Ki8ϓcK/A =zz8iHLg ywl-6nHJ×bڂpr>U)qud,&3ftd>y=ݼUWY4Ct|vqX>Dd1+R+m~SQS4uϪ4ڍoAlrYgfF3R[9$fOC$$TmnSjѳyw%i$7rj4iً$>} *J(JwGɛw@ B&|=E KQ`m= Qܽ)1.A(:=q}9Ei OV$@SuH%SYAV)WD%zX깡l=ztc Ԯ-,TDl?p&Q'i;w)wcweO - dm$_P10˺xJ&x!ۣ">5[aӣ8'XّNq0JT6B{zdK\rֶFAF=u6=}ѪjWeuS-R{nN{ƒb'g A9H.WRH)i[?@WmՁ|6,Tq*Y^*l[ XUvQF؂Bh>(:L$5$ճ.~0_57i-|%0v|#x/ռq3޵f.W{xadR&Ż焞MY505k0atbxp")ڷ0:PKK:} :A&N@,6JYz ~0„\7w,ңOu)Yd]cgOQT]Vw;3Jv-Wζ^g$A&. )1sL(m>qZ=*ae/ N>R%ǭxՏ,=I:[C9Иk8Z”7#T)W4שiC]Sfv/ZyFG`B8v(/8˵),ɴ"wCv;ioUQv/9]yinGcʛ} #<8^,KiLr6i_8Zku[~Ȫg k_I͟%|YvoC*+m S4\y3.ޞ>]bf\ qlݱlfohX瘿 ~nq57W=8WZcY$t-{_s3QM1JSAu*Sa63z(f #t"략5R EXmZ\m|aaHAFa|j`- \#/ﯩ $߉_rhv@">˧")>uأmBd[!Sm&z t@ PYhf8=&x= ܌q^T*l&g@רxcƟ.6a߶ fM F%[<[NYB1 M'JAcŋ|;J8:Ln;g<,ѩ 9nI Vbt an-8g^vR^Q9iH![N"I]@&ТP*ښLxY/Huԉ 18*Hyjee0m&NRo7}uF St#k7SEfvˆPE|XOg;ec/3[!>Vrt]~u 3+AȈ (ǔwVuhXU@v6.tuC`$ b s< c>7 q o) GMG4ÄKjozCbǨ 1&}s{ѴSce{PѧNZj1fY8hV 19#ۺƬy\Qe음MAjxiLo٨4roiUF:/p*i9 xRR6p-+A-@l7݆.#.0rDΜ<ĬMd `f[{CD];@juh]O^N[ktLߖ4?u|_c2Ƣh+ЛpcnF>y=R{bUI' ډ(  DwK &1/džHNifNopV.¸k& r%kI`5va?-5aL,.93|VPGXC?R )6lan(&E>6?,qRtI{G=tx@tDHZCT2o, Rg)wįk:|峎;2'8, C綷VQ"fpUoy x_7s?e/ H|f&nJ92`NMiU_AYTvr4ܕdS#uB.@܏ t{#`'(JVҰԟE|'Ƒ919!sF{f,/1mϒL~Hγd!dK'iɎ77J@5IbC?D^v@:KxT Hpy %}a(?BMy(9"ϵ|32rvF R,-o"xyH9E:CT7U{n^BY~K>OGQe9xhC߼Z?d$N:Ph:7.,}{vC?M{Y2/9(k$}Y_Je2ZNͼ+V"X,Szz\'ұsz&)݌NFrElsfyUV{"J)IEc@^*j#r2}JdxBwI zL^qN.{5S'чT,pl"Ph@G(E]iA q-3W!I;ă{t﫳xOU#*Ĭjf( rxQ*t7R,}z׏#FrS|don!y|)L<"hz>-\12ο'3Dd1Y_ g3{pʊjUk2D`xm|S tF_Ia{+EC7e:RoZ&C.Z+xpޞg54)4KzͿR $dS7B!!/[+P :r*2'qv#=9"Z7 ex+1Q~>s\K38V2n4*MW0qncýa|h ˄C婚ҕU~t1s&MUb1[#^*qWD}9 yF4Ũ1ʞ͢T/n!!bݓ[@o 0 u2[ZA 53xv-Tie0vhӕ5Ag^|jӹnAnKZ4la(/8)߇P>Ҵ #;uuI4]afS.rB Nh}\ #7@-%j Ayɹ 8|/Bl^oY9'l-LFJz=TwٚdzKAL-BhjY_RKZlRG۪k $>jb, KMӯ05|h2 U$-R-U9U?@Q-ɱH_lhcs18T> :d 3?v,z3CǼz=gPX+$;ؐpSS7 - ϕUJ&oR(j07fv4'}*j2(B SA$Q+CR~&Ego4q^fJ,쭢{7ڝi=;7xowsQ;<~B|S\eDUm{P$? ChԹ :Ʉmly=5‡S_]7?FJpOkfqiN$+4o·aôZ_F nB sJNʼn ``Qզs0DN릞=4yLq/9+WsG%d$Xe# =vV>=aDy1ܠFM0ǝJ>W{~%a3dIHg ν+/^Y<2AΰZN9q2 A뗥i܇ݎ Fd<+ێbQ)}9=/^5|3wC)L_k`xլ[ͪƽk27\JTF6PqbE-F-ƾEޗc{p`׳HYs|%urQ̈́PhSb<4|: aiZtd݋@>FKxMk[O%slxwTM@ȫ*v)f+g)<(2^@TuG(fx_`+=,HK7!R4jUIc.e%cY;$~ӢMu4>؊?F>ɭ,/ct./APW|yBvv(k?MǤ#O#6aB{hML(:30y'!XyGF5Kq/ "s6Sp2Л-OLuF*3]iϪE["PMT/WAI@n7G9MEMS ̿G7 $^ImEZbb D=Οy_v/"UHhutQ77aB}#z ÄjOg5A)t򵺞k,\l=K؟tؠ1?f6Dnoe"z]8BiAC+6zAѶ]VLpQлŜu\{-F8 @4`E"E"XcmeN/%o YiJK~eIg遤&? dž+Ĩ`ت4QUbwfxd)xau)8HBԌVH;[geHt%O#-: pGnS w؎މdQ֛C7wF_:@Kt982r3eؼ\ X+>c"qg@W܈(7WY}YB!i@sIns.iHr"4wȽ" 3 Ӱ//]t|8|[ZbIf[ȣA>ygG] J4n8W.5!hhV kJ5[Jҩh>򺐚0}9 bm d)|i6sizCC2]c ]k1UWkT\FnD.`wo`p.TVTr;jj<,0[0V7~ooFK4bTd˧޴f=/YY65.E q,J& YwȊ5B{@9g QupRU 8TH׮AV*w3곆dQ;U]a*I^$zoո@X`B 0[~( ڊ&\~\?Km)E Y\ʣ;LC1 nׁfs jg|p OjD.xn2(ӝ3@Il8кtߒNu/N7m!hvQ,:Bh `eFմ=dyFkDkԊe߰jQ]#\s^X\0,TW,o[,Qf0_kekF\5Od1$:et(I)H]qjN'}/)A@ yFlWtiӡ*ϜVEyR(.X'j0|&;SD5LdE|SO/l ~ȳ$_;CuzOoX?&C`R*FvnszoT΋!f: ng~! G׾xw:[@Dkaҿ9QΨu Mk aLύuz?Q",&hKg[_yEA_0J5v6*14qO3f{'[zoz:_|gN|/z,&ӂ l)5w8 ƀM$_1~AnbC¬=twv2V[KJ$@z(h$XJQ~n:8եW77`p @JBom ?2"֋O@k)zX,5͸H.Hp7 .-+@%߾@ t KyJ7eRLɯaő p4 ӟxa8=3Y\pѕh6ni@]nj9ߕ%r)_MIGvY AM9\Lj:_%2uܬӓKف1ؽ*Jm wc0/(t,|^ӲI@ Ѧgm;g;%,[ ZmUlѷ| 6e'ZAN;e'TqRZ#k`\_R b[aI)(9,BQ.D}rs!$[%Q ! bꌸ0}Tò?l_as-ZzЙ][vEi2NY5X-ţNް_05 nvଃ}Ap_ _4F>L~WT'R/NkkKlD&m Uiqn l^g\|b%B[gKxn>?cUT4[Hn O!~;*&OPyLjn=*WtxPFNX̀ £&fgѨY|]M\]bcdhmiI2_V=-*QM_9U>f%̝7;ԧ4M>WȬ&!Ld^ \BK<{-?T+ˏz(ixH1, o‘ܤ.%eW6$P)g0v^R3hˣRN$Z\B㠹TZQD6+ʕd(zrQi.pl"]P"* rmǸyœ?g.Mh5zEJB){Iqc#:pH2 $P:ta &M nƲר*Y0lTz;st|ŧ|jDVhkבP&cY}GsgƸثxEџIۯxL"-?b _s;'c;zYu+YҪƎRSLQU*A(::Is#h lH w9Ft91k v~+hKT.ycRan3DakE+3n+ ^ [sD\" _ R7o䌴9 OkA…t 6#*O Χ A^dP}A_yL1#t2Kb F|;XڀOK=YmYCNStԛb(6JJѷX<"SCyu/3hM'HVfQِ(Pץ}7fšg,0j/V(A,&iھHGɱuiz: b0+/Ko 8>P)R֌*l\FZ"MKSX}PX ȟ5v}HFMw8),~QcdP=3| VB0WZ^ዦ"[)#0_ %ORyCiџʸ֣GgE'c1Ѭ#;;~[|}ꦎp{B `,!w HNk ͫ'Uc̎OcL nD7Zedr>*V q=7St兩>ۓZ`c fhP渆1?~Y뷑F ]xCU p t7s=@Ft.,bNt+6e1 5Ǵ `teγ:O-"pRv2KtW"?ZEj4,PO|)݇#_ZӬJTnrfl2HSK(P|(8%(Xh|ȸNR`O@ûm2q4Lk~E`47UлA]EB%iҊ)qQoc:#mݢc_%R\ t' D+x'D U }okցH@&ʀ g.4!'etKl ZlUݵǽPrNq{Yk 1ay8drBXAk aVkǺ֒LMT`jW0GgՖHKL{HYJY ?R -ܤY0eD ٍSSLXG#t62|d-oWϖ#­"ˆ?ۍOAq%Q~RH?:Q/*CeYE>X7?SBqThFgv;c+#mbmPU|ls&æfeVng[/8* ?U;%s"T̴հ P$NLWo k jC6awZF_%/S %}b%Cw7:ϔqPCywIM]#$GnOiN!2KG]ts(]MaO6-/  N\$n`z # F nQ 4E1oPT .sYP 1?Zd=byRţ\[3&"nJTge"m$4|!d5+j @2D͂q`u } Hԣ5XF5p[_Ф]eQGg8o }Wgn7yzT|Z;3<ꓚL"&,o!$tHctNfLp BV=~oqWR8+ACly3J|J#Coyd[*ɉfiwt_ Jb:hia+Xg4뎢$w+ TӨIŦSt7J-nMtm=M CSy- j]{;Ej[M RN6PmBل*[NPe.J~䨷HmzD&kF>P Ͱq Ѫ8~M{A< -Rt<<6u2M|IJ>Y;T@kJ}̠RxG+ufQ}܈0|,dQ*iVjYFs2`BAϛ3qyL} `9lq.O(IەRu6楒Q8o6h1YjNJC2͖ydI]QCU Mkr^(?z~>C6m^QTj 1E~ЉHKMaGFMABp2=L۪ z˫pRDѿ_ʨwe:nFi(8sX`f,ptZZv٘[6SaU%gY CMqNx}5 l}D\ 3b$smpƵɘr* oA/'MʼdirOFMO+ 3dE  J kw1,_y:niRg" Drx^;[ڼEI݊+ ,'\ ة8҆7izCbQM1Ml7\:N Ft6ڸ&GFa0U eڲae%k.gݚ I2>`XO4B~`v9!nD8V]#5?,`V/)>U]aL{q8;? ^ S't';7|ˡVpa_ -j W&OFd~75L)!h:(Z=!;1} ;>qGnu̖чQ^a<.(*J=4/hyC@ M~XrjeyH{ vb .Q!geW_ OÇV^ itQ]}iux1.?{s>!ίTAH`*.ϬeR9fI ?M1;`1jza/#^-Mg[JF uIޒ!^G`}0ݓm-Cz<#+RZ:?239aB^@0=o3TcQ{-BE*ÑfU 5aǭu>O^@gT|3",퓸jZȹSMZMȯARcb&d^k1qAY=HB,d5!c ce Qr n酵֠:jw3`Ʉ_'s4u9Pٸxu\"am3g^'Q|*zak~~ hgp dEI!E&+G.S$f|]9nNMKRΆ/L}F[`O-G^ұ` ̙{ vnӕgTlVCʓlYV4{+CHLڀLCf? X݃PSE<,=9XgaNU>ޕM7@U"~B@Rn`u˳6mֹ'z}lK;`!UvXԎ2{{Q1iɥT X+L`<*gzǂ?Ь⦔Z#4@(>AF n:{+S[L=qҝzq{Kf ǶsG-'Rs8z2Y·C#fkO阻mOS^~ PIԮ -7qA XdX~{]#2G|`x%d;jx< 5GN4mN.P]CEW5 AOG-orj6q\_`UOp=BQ3}f >FkX_[{[c/>KbVUϷfy'Ħ"hQ5vOϙM#(dE#OV .B N[( }=ctfB| R?1#xndZ NN'7OϤk"^sβcJ K$(+="i.we95ݼm!m>Oq tB}SPEH𺬭%<ϙ[)R/mdI<}RP 1\-e!XKIj8'/zH罂c QBmO៵5&9,gܠT4ǮC05U]4[hZJ{W.hODbyE|;QBC@p`6*w.̢$~HKXv}ik ,E4kFN$ \WSO m\g2k䁱ۄgܞ'#eQ-8]jĦh`mBnOn;sgM-WnQND7]P|r-[*staHsCṤ%]u0f*NA>*V$o@#T+ƸvKt8w]m999!W_D"\aG h_+ΔF![ejRg`Gzh@Ɠ;Z聝SU($C6YΤwCr"u_"UIgU$@*t7! hLX>&F?s>`mM5DF-z:~_' i# UZJ(_*G8kK4؈A ZNRj_~lM;!#v6xGlRD P I$6s4*&cfXѶ3f-iV/'Eu@F+eQ$z˥ e芄U!Td# հ9_hW1su~d#y }>#us 18\VZǵHF\` 8O }!=9yr򃀱{ =)j@^ HV6ѤVnLaI LsX2m䧣UY+r7:TGڄoR!qwdatپH_v O H i?9αgHP,-BR%6L;yĶa$Z$Y9LblF'k!ze䜀A:,DLO_ã_48Ki{^*ߞ-PӂF6t#;|g,Fv^*)f엫 V)bf(|ϱo7#!w-V0-WL[,DT!ä T)<⒥ 7怟@pd;M+)G֥kx\z N⚵NB=Am|lڵ8h:KAE-HUw+^pdPmL~34h- anP碑in:˺ZvD'_v܊Ɲ# 5r4ׇN"TVQY]\r&^ޑA˱ r`޽܋x.aS>,Lln_AHwYb}91pq눊L7Ms.h.KH?)2N PNk XTP ݄QCɅKGEZj#:y!ObZ1!w{/FdU>.Pr$sf{'Dw `s)=,ip 8A"Pc?- 1ڕz5KP(|N2bv 0Ll;2&-[ƹ%+Dl)d"&U-NCt`FkfÌ㱟q 08l٠B$1vJAtGjtM Pp#j>״{Zu|u1O(b U{ -(uZK{(ax(ПCpWs,ΡmRw #^  Q'uy_l ²bkGTI(}1{`d׏PUcv`:-[ABJͯh2#l/wP޾Mz($z x=o{فmhMB'X);-7չfɺs_10J2f 8lNY*,8$ֽr b]!]#I)TsBϕőӃZS:R܉eguU[S 71",|1>佾K48(&#0T܍^5ckHrTmS p8 ).jE˸L PdUp" Ci.Wc{[!*χ%Pߋ=m5[c 4\Pҏ X>3m8gTjDžq֣}|+!P[~8 7'1IP>>n[S#DE>$dJ!SsOCҹgn$ WH,Yb_5^k46Y|ŽWJQS ݗ7/*={"&4?udY˽ipkHGu㇧쏱"*)8F@B@H̙.E 6x À)@W'lXs yҔ>6mA)6P̋ &vF8! ZU_K;8T(wMb@i6$-PepޡP[ ;;Дa;tjA^%rnʱ$"ܛ uW3[Kitf Yg7h|!Ֆ$?>4+ۮDǐ+aNG?@³)4=^fh^7ah|=GX1xZRmpzE O}3yԈDqbJ$j @me~@UUX))ѥs=׺xM%gq_Ev2K'Y ~!+>%PTjGCl|gpurSQ,Aix9A2Bb-=&ekʌV6'T]y郑&#ʑb>+et CΕf =@H xi'w`j/#%~0v)k5(?i=5\ymNv]&Q?+#,'a4اmܖ=bҐ*arh3r90an4xM>g7*WX|'7 G ^2 ź6E"_Nrx~F,ʫ}l.ڞW/<[7W/jg΋qr'fnKxZQJbTߨ]W| >HoM XI}8#OǴᔌswiJ:V.Ec4f<7TZQ\ڇhaU|9j%7ǵKAVV&{@ڃ)7(w _BTTԇH՗[b"0d5;fȦӧŏzpo{4MP|DcbZ]# f /yybz͸wx LTuv݆e!FEGKۇd 1j˝`L!>*xks4s*):*ձ[,:w)4 >=lpW޼f2h;%@xp߳k|C++48y̝tq(mJ')f$A/7́x UX\Up KwIJQQ2pI@l" My%LUs // /m%&(υQj05{#ϕ)@ː~&5_OGk8jA9z"GƴS up# Ղe6jUnOr&KֲǔjI}`%Z1ak'm#ɀ}1$ݯwIo&F8/zP<h+ylUD9vv r=506 :{J;\$Xbܟ5@@w*Oq.S E$J jڏǃ8pʘЅ$IMk?=:帏%=^O&׌,Y߮/Op)u&ZdG9bגWŔ:A?|X _O|b vzG_x -& Ʒ9,/>XD~+'3#'ZkIb\EGT)\."$<5Qxkvt[J6ȲZjgll OYq-}n&ZVS?pi OV:<vv'$]1axF[+V ] op{/XHl\;/47Sȷ1¦Qm?cޛS+;&f'Ia䶨؇V&^ tpSQUe7}uUGBK[D Oy_O͆/9j'%6i\:K/<[];F^A 5LkܱK<ׅ?}Kqpϯ8'_y|" lݣUl*Q-3?9 -7< U?O/8[QtV 4ς%LA;.lZ7gGIW;f %أtӍG/Ծ4%N~%lݔia{߉U#4|F@ވGӔڙݟVnkYtfчWmaVI *suNpHM[CzҩǮ够gdzc q+aL(&W@[oƱL~tW]k9ptwr8mB#?;ؕKnu HGA%ؤbJ14e{z-~F)T"C2N_-.}2p-'z%a7Jqw~ڲ(Eܻa !IMžߙ8w)uLك͢ñQ'=>!H}V:%+*IUvO1qN`\)q5%)h1i6)(zƆ1nK/zm3yX !E9 h^4)hN?fD"HNʉ0ḨWK*F)i,sY  @M$*Tg2낼+jJ:7yM3U4mv\Q s>~4Iv8}Zuvʌ]Rwa,#d]@0ٳb/pmIuGj_*GK9&#(rEΡ:C֊sf[[0` i*'E8ܹU1{8C"B0-!Y0ѥJ=ek&*3p'^1΂X鱈 ._}ٔH A3.daawi_y4KdN6"nF3Wh%wMt r }H?(=ˏÄ㫊 Ňa ."1XeHN?5{Pf]}G<~@8#n&$Y'o39Bb{y-SW0>[0'q$Py:XpBeh`o4 @4B!0aoE\\.f$[:tNLA`IxB2kC krZ/df!` HmZ@RxcqO!gq>N~͈4D;0G: 7l4 HMB-PC˜a%Lf?ڼ{ +9:=!Snd\ңPhCԇp'k.iQmrYRp5(W9=zlh=|}dЛS^[K]E(@Ȃd4nj/Jwfx  H; 1CNh*Jv6.xr2# ТxnҝCoD_ 9n <ͻ؟{fS}/n1c:kT''? Tv>N j;gyUPo^ Q1> ݢ&[LC@ĸһ>(UIJ`\G |4KX!7tF+Q162G+i9B*'8Qd8i֑tQ qF5e!4o;׃G wP7"wJ'oCV ,| ɱdu5L\Rux`nPp\CnmP0#_n_>)9n-ئ߰X~x (CFIZ~\(KʃGPF\KJDbeN$3 ?zM/}ScQLm]/Uj[("m0g-/M8 ;2G70'{oل%F/ks& E)[Ӝ!{[\#uCbqT^' VkyzDVYLKZ>FS@E`'8淦%ַ!.E k^kh;31P8 ] ,®3TBYOʉnrx6 Lmr@dW %ƜI,@x%{0=ۻ вJ~ُ,t]/ux$dBrٟD ?W?6Є 56NT9{a%InWib#eN97'.rGɉ@B`Ht}ye g8Kmٚn3*9 B=ZH f9lq:/)5XO܁UHG-~傭\>`Xco‹B6KRfS:f&R.Qdiw#\d_,<ۃ;tW]dYM+PUKv_-WsU]Ҫw@KcKY#X b2Ej/Y[J^ɲ|ݖъ <}ېCn|iRmY;utޟD?:qb0T5 r dǥ &O,ߚQm,IkɽI| ' ru&+hWHӓƊ߯y+oxeNLu0z,I*p.XV$ O[̵7)CW Ʋ8Qq~Ӡa=-Pr}1H ϼSzܒ4A} (';EDFbc\ ٙT?Xb*6qGmp:ԡRLv5I*-'ѥ8Ԓ(+Aj +/Ww:0fM8dz=Ӱ{z_r;oSK<56Dx0D y)q=zY0kÁOn(i@C}3NLh'_e S)Rgd,SՁ%RV/yd5iy#y_eWsHṗ/qpn V#"<#x82 Z/F ~ЖȦ$/SK8#/S4%h/W\Ȟ 3<\[E K켫S9ى/Ɵv%D'.XV^RQ=tȼ*1>pk䗘CN45XHBm(?P}qq%VeSUppVv! `r> 'o9csV"pY"]{虬s{ʣ[%ctmѴS8ͫc]::0*s>J|SamG `)獹aSGxCL<K8F=x _q3KS\,|tUjh3Cʕt}A+ƾǦ)Mb{sAkwrCnǚw5C R{;Uk{F,|=:uǗ-ū-cueױϰ}֣˭"| tY+($w}?5'u:~hG^n^M|nnF.0`;ڧUmAY\7madYDLAJ@=V0t,G1 ]#CBwN΋2Bd[F}*03`/%;mVNcs6EoIkމ׷8?$NؗjiXNGat6ک(`/Nl!سYiak@1t '5~eبujH0=ϖ)STǑi$GZc^¥_BOY+3:Tk6Bt9'L\yP+yagOV5+(KBKn/n "HV;decJݜ' &ɞYrEpjK&:.GƚU}!N ^Z=27 wrhSY4C-^?Qo 8,`bݯbfw{8h kf/siXҾrMs@:%At&m?ßqBv ?`_ *N|04(wbˣhn##ͪRp/y } \k[(?|k^wVr kIvw n[͌Fm4eb%PGce 4Y&& X9tbqM)<@UؗUU-5W㗊"UO.M֐-aPE[D 5h=_V$15[' Hl)Mi`3S#GGR@r~6ICl|͢v7fP\f))`ι{S4 U@QcNgް2]ؼ2]FrLv(XS2rƈ=]"VLC Cnq430B zvCn@~mS }Q?b{<L4W&`;& Zu[PCGE{bT1O1xe{ʆ %u{\甫=$𛮲^<^{7kfU2˓:1OF7,CN@>Ah0-rtQ+8X:#K*3] cVzfw/rT+8nU 0l"|*/[3 k-I pN@;'+!}g^ϥzpzIfdB$ALd kn®"_Une+UL\AzCPyE!b%($/WFmI{֏bv0pSu\Vr.wSK6hM7#{MW*v5xb:8^Pa "9!:z3.a:owk % »;3Tt^H2}Y{f!6{ _GxF\4V؅k5;НKհn1ܽį}jϥ`Ihzۿ (qR(a./af~RTyamP_N:ъTVkP^ou$e9:T$BDZN/y佺.'}]f..$kHsC{U.Jeˈ6U)ڰ'V0MLI"[_(O7޻xS8kj|zj;0:՟Bϓ)n &x-Iees$Uoڞe 4F<&OxeG\zm{.4º=,NȃҐ&tӑ9 Ʋej醱džx'8R# !Da9x<ȉoV(O-qJ[rJZ8MR\2aeH{Zn"f*5Xdr۽ɓ 3z=.<;̏}\AT%K3)XJP?J6ƄݧeB3J}[eeTjN stA-AB4^y,hW~LE%ȝ0K;ES ޖA/ o)b. \M^^TGu0}hDECJYD#| G;]pb xM?{ M;isف"@ãUhy x"cWq (LìOo !cDkS)xqW$!1UXSagIw=_ЧIț͟8f\&E^>KJ k"=\^%Kq>)85Or7( x5%9ӨX)ޞAmN"ȨaE,;=eyV*6 "g6ﳙ||ELYF2nQ-f!ΟMs*%`ٶ7cԅ3 cJ`X*ev_5Z,UDWLQƣ]eEД`U0js[OtRY* L{*fźWz1 'O胶 TkEaī;̬0Sj29O΅`go0"]tX,[cl"|%yqGډJyz ,ϖ+4ϰɿ U4*{\#XM;jz˝K e>.b];D-GemmīL1+WZYoXF O-ۭS.G~"^w"TvukTAoeEGe:sfŠ_lN ~zCtp!{q%`ͥv#FF߆ÙɋyȈ4STt5PZ TpR`ȕQw6k\81FY<_+QxC}0(ؓ$ϟu}XQ|4ż)k;ʟD"V-_.GLzPሒvi+4 HS.OEֻCŴށ5(4D5aoĚE)6k;׬/b~]9+GƝ5{pajq.rhTvv%(i2Wd]gVқW-]q)B/@ϗG2]F0'`ol7DҤr2ZOFFin@^XiG)O#^r;\2qti\Sxh72(Mp#~ o3wϤACG5}|=k ̰Pr^RaчIo5M̯7NPKR랩Û3;<{=1poFBl PZ"yfobt:*&Ր5 E>:W') G@ۖ3d8{/:NlՈN{'(3/>;fG0b&Ljn'xTn&VB1]Q#AXB)W% fZI&\0h@]=iϊ\( {5ph0%ڪWUѹr_o ~9']v6?-v?Bt(k/ lcP 707 {rd1}M>vP!՗s+@# 6w=F boڙQW5U"bx g&:fDcP/yq}CUCG^Kkl; "u̜)7c+ *-46n}& XRn p,L/#%GG.xHMXUiXܐp/b D be3nw9gluY . m͌Xvе|$*`}9];b1w'4G@oY[ {=HbGyH;R@>x^r83Z{Ճ =~2Z=ܰ3<~]nfPۑVZO4/@2(Db#h~etymOl1@dΎ&T˱p3SF4o;gP=tbfktaـ)~s|r-VlHZ? .}/ܷbe "L㎎fєa!\X߸Írᴿyt.M]OXjr{\+}Y7tE1& IU-LrA$~֣% mū"Zg@nq氷 8nvȉuhK|;m%k&M7RמC+xZ,Gצ`?T۸8B'iy8BjUQXD`$!S]jeM1|k:a5xa*lFw3C6;8Nz iy@ltژʵ$(5!YRL$o@(-$vCv4= $Z&k.x|?S TrDW`2>ttchj\:{=~9)ƤkIFrthWĵ'dA򠚲31?0|-yᛶ)Raeȕ^mBɲy}t'lJ.4rzgH7"}SmLmŽg%e;rJ`Ft0Mil&DX.4 !\ lEŊ9Nуs$qU],3$!Y V'꼏QRɌ mT'.<FfK|:(nLsc9u{d/:{! n+րYX#]*'CC'n*ۚ6 _@ǞU09S+~lTqÞSS=B!d&`Ž0 + öL\d닳(#pvR{y[Q#z; Rez Tq5u( -'3Z8QL杨q72@"hYXMJ0nPRAL.;}% 줷*AtKbo,`(|&"$E"J 8g|fDCGϩ`@KQD%(YA ZuV5W!rW\z΁̷| TȞKe }~"QLqKYu OAOcTΟIןώDo5 e(03pkq[bo ]5G1Zլ`&:\qzڧ3n}t.uy mrVrʾޙ>y.qQ;?́RLr,S+d([ !viI > `5k8,?pn Y:Zt/a?b%q.%KIX{(bt}1qjM?nyiUwW&$֩/FxY Qjۭc۳&hORU)<#ZDގb1|\~//\d0l{*r' k D$YCCL vHݤ5(Ǽ#`0"Z1 3Tn33!4{)!jZ1{gh&kWZ\n4om8m#ݾk9H3w ȟT~^W^`~\ P%N^aw7RnMxWT;?E6*{t6˨ۂiI6l|If!\.9A:)7 ; L&![7Hҽ&h=yXYsZ(8^E;|mؿ@%5f4OB]z)չB`r .Tu/4mu\<2A$֫2~M.X; e3;ft;?6QA_R3Em/ GRׇ!8eq}WRxR_ʡP 3t դ'7Z5^٫[֦&ѭb}xT߬5mZCt{ <|_ay;{w,qң"[kqs .DZ6GKkЬuI~dÿLOG _щIu3.HW~/X'0"r@W)ZǍzl5Dw|l(4?j!7 Uz+~/LB_Β›ͻ-c)֤CI)DfˋtxunVvwt*tO8gmuvQ)Bmiil ˏַ,RB$z{Ĥ*9YgX wrCTbd[v,50tvRBy[JX{AV#;E;C~2ɥe:vbJ, ' ^D0)jwb{ p샥5ƃ/dmuSoˎBd {Tu׎6WuB]m}fL]S}?ĝM {/zm֜`j{;[]#k;1?7HzBCZ=ѓWHb7Tr/jch/#8Z `9UoZ4^#l1?CKHzzBULJ;גZQxHJ J  ?'XD8~0HzWBN=G."Qy[[_"@}I0kMSC@_ܧ+}S<&d8X/لh4k͛U NVG8E\8ѫhR\T0/?3u8|Eoe‹g2 /1K #>];O8vJhs~;pJ4P#kͽOT[pr]Iq8 N0WI_bۑG ~Ӑ䨂B6vPnlw.+Lj+7,Y Nܖf:GW;enfE d}7 h[Y%,B& H@_օ%/2cM/,OsLm=W8<:v3ם1KȸQ*'t駸 - MCR*sm-[x< םuAI kOJ@-bWSOHA:Ms,#?TZHS]4^I{`h[̢Ja%5sFq뫩{.ss;%&sCD׽Ma*Kw UDү%@ c^"^;hes(vYRi/q~pELǫpByVG? ǿ|IqKIbf@ /SDuu)uK}8%fjgvhx}v.Y nQ7BD3Fh$0Ƥ3|BA>+zpthuG72PӖ<ћF2W1wTf%[*8k9FdJi%4FN.I]3sK0 \"{D[3zԭ!e8".՗ y'F&FiҙP{ e^Y{I9J;#,5>5jY[Wq# M z}dF[r.ԩhW wQAݰTsOS|]jAsϫmt^88 c~Xc*b]!gIÎ\yrfELl=$7>CԠQ#Z! Hpqy7Jwk4=_9DzgZ"vZnPwojP? F Ht#~KZ *69ΛkAzoCzm<^b#vve~b@/{-d0G>X \`,1'>7WFiX_!v]$(ghxj+Hl(1c18p??emx7s%o=?'$bӷ һ-#4POc;&c^Eٵ SHHA W RpQA]w,F Đ ц!)«`T{.{SvIrc$KlP-T~ct0QϳdchZdIO,7έڔ$:}֯JԇDat~ex(m)*ϭSsqpt6M{ҒZH/Wvbw$6X0648G@N`khZB@ ?Hv_Fڟ/ |ۢ'\T,"*ϱČ mMw *@:,EoP.%镊JRbǵ+":cf-lCE@f?J 1騆Η?+Orc㱹5,$f5Ь*)6u#N=FZ2C8zThD:/ST/|izBf8 9cDQ䶶R`[jtk;uXy~zhz #UЗO·<ʵ@Lhic wV*yDr"I^d!Gg*9ۮK^籣f!%`xƪߙ|Ʌpҧ̵[i*w/gB 90ɰVmQXAg`i=Q-d^w&$<j@2 %,#R0P#jZwka2O#Ī'/ =Ͱ$VίY. b/Qf诲@7k]CnstIbǝmvȉ]̴56Dz*+ag 𻭍0}Qq5?R#frlUUWmzlB VX4ѝti/f8xw7z1jA8| u'S_tZWٰrYւCkA85]w&ڷ ̙nm-əE׍3b"ûPZE7SXlkwCѓFX!?Q`mb:( ;lBInn yXr['CmO,?{#'p@%E*SdYVs FiX_-fݒ?oi89H۩ Vu&csbKa[,ʞ6XzR}[mJ -鸾vW, p0ڈ=4I"18 9Oyeo^ǐLg&r:U] T1v{QnqdL8_?'pdA hY0v~&qMWZO|iWlLя0?802%{25 yE}QcyDnn h^.Q{\Љbbv Gd%MUJ~[JfʀJۤcQ07ѝ@j<@FН?CE?=I$HI&w=Iq*Fp\ U5|rvP ʮB etzٍ"86B^OB޽ aI+ȏMP (֤>LFL)b^rCKVҴx~i^-Ghҧq5{#de m]>:mbSڨSRN6M((ӄ-\_x+ 0_5 ^a:Gp/M&Uk[UsT,I+$z"N(C䪋/Dj bXQ wf4S]:Vm2+e D%iKҍ_͢=82:C.ӆgafC"%ոL*zg Kz\,^N),0U]ڛm`l] "k?.ݫ\AV΢ De.x]dtQӒwP&{ ^j}AE.sR Gu(wN襄NA1*K{}SeB(slLoHcx\!$Bjd;r;<ywoVPB*DyԵ>ar㞵J,sFGZ3{oJ2:A15xxKdO![فTrw#0Ԧi 0ި'd?]&(ezcseMw՞~ L/@L~Ba@4nfp1TMnnZp>ux{9P,m)k)B {z`f9>|)4(jB>mȅv{-oBTK*0m/hQ[krP<g֯^,+ )ʣpWcSPƟ.IƤe =1r<[bei&<#|ss -j~Oو26FZ J`zt2{$RNҽ }VgUh Tph^!:u#:A=\j˜ֱEscBSgz( K2>ַž嶉dn&Z{UMG'k*Gl\(]&]U hA{/2g"hbo׀Ԟ]t=OAlBv A`3l;H].qg_*yJ>-5 iB;m4э*EJ"x$^c"s.%*EYWoc;N? ^G}(82#x"JPSRpZc铰ˉ}pƴ0,>’݃HA-v|(j<$1kZC{(oJ0$lꓻj V ͆)d]O2U[ Z2u@:kb IHh1+vmap 񲎼UCvO P%|Ɛg/Acf'\*!ք$|7D1^[isX<_nL,8ۏO0"Gz7~Io>;w6ȇ$`p\1K;9gy#N*| JGZ%k`֏OUtN\.^ *1<^…~%7V aB' M iT0C8vl!]5ߒ=+|'<;JgSCOdZzq!dYLt+/)_ 3n3 t)F'z#^<kroOqD%0ZL蚿 y7?1BksHH'з7181,aBc1|v(aMСy2;{Gy;uYR! Sq91bMRq]Yv*n l?zq$y{dCT~x6 l C*ФvYtm0I9y:7Z2`J$ԩJ.Ebe Uڢg$A<(2tdE|Q+_b!#\YuP{Mc`Y_yEf-WR?E{ᎎw`04Doܸ]UJ€T6cH~i{j+mNp~R_%Cކ!{gÃ-VY n:h3&7 SD %jj3ύk]LB A( +`業w,F\7 ۸5e!WX':ЃV>lr;;饬y7$'\S(4\ևd8Z!1%*VT`A(ķN.&$>be7e S77ĒJs]SS?k<ϪCl .c-SBY;7F/e&.h>~= zzZũ^q|  QRt( ߃a;-8rpw`Uww8W_xg"2Pn`$6Du(~KVˮà G҆E}T5޻ݺy_ b iK8^GT'Eߡ,PQzVy8( ^Q Y178G,:8ƽH,Vqi_ZWbԔT&b3R"x^j"0KT ~WUEH <>e@a0nKĠ "5fwYDRN+[NtY I㮎~9 )1P̓( drjpLX6=/m,iAX'5)dmJ+qآjmxcT7۲p%d |bii</`{U.K-kSr !W2i-o*uG+:~6dy$u^]dŶzDFLHSf.Y0W_'DŽ$O 0>@RèҌ4%Kx.:/)Ajг+֧siktYqtO\=%IPwŁ*M#IOluՇ$F%8]12CO~˟BU(LAqpó<-]`"EWe'-a_''?x"a]$QVM2'U1g.66oף th s *KCux^Oř8\!:rn8 D3oQi}k!Z.{il}$#+'$uXr m>EB x&0ra͵>8\դ[*W/|^x8&zP,”*PIZB%O-y(M:TTy(ΏQȘ$(~Rf[.MG]|Yf  Wv}9~O$֮ɫX7̗қd~=HJ*_8lcz혣ZP[~r_.1OKW-9me;4&S?U& WϹ!m6I׹_7O\撴!Z=o%qrY ht|N]-}@ `\U  *?itW2WoGK,pcs~@?`]h@6`'Hճ_JX fenv ٲN;6*Z쑳ھ#ڳm]XժoM8+c̈́JOB)Q'1>ɉ-u,W^޳Ư*2m;]BPD$8s독Xp[ X뇷Y6Z%|Ϟڟ-cD`۝q*%:_p23ꦚ\҆r?D%z# V3$ =C:*}C:*y[H2 Ă!2i*I}u(DgHDx@<Ѩ@c[شdI(NkR*UQPX^'AU|] QiKyѮw}$.,dZK?~`.h)םn=m9sGWLPdx@һ8 q8fY/h ŗs9 xOZx+n#_"l09}7lg7YrfoTad[P4LR媓+}v1zיqԼ&iw{p=Xm`#4%:o ^t`!ySg|K*VD vZz]^SO&BY|sz+G]F!6,G'ݽԝU`7z.UK3;)FZٟkq\N0:7%:٘~ C$!1+VD֑3J5O?}O$q,r&F]:FCL;R_EQ*PfR'jHfэ !ܵ6BᎹ;jL ܍tH1QX:rf|5:Nz) ;6S)b)iC.{m8_#A4Apeʋ4CP7lpO_26q&a,ٶ{-_ʑ7}0[fN6mGA/2/%ܑ@5+S/`i`DHDȓOl@oDSQwAb̐]ۙ N[zN]+}7̗iյ|(DݱkU:g~bR@)TD A9\@m*aw$ƍC܁%RJy)7פ=]Z46v /~ ΟP_E\-EQK Y*hW܈BC'#vs{"PqTV,Ŀ; .?Zwacs̞m^$]6%r=s~g?|HL a&l ew^H-A0WiOʢ )vWb:۲ ~IB;4ƚǛΐh3h=/pm;ͫvP]Kg=ƠNd箛| )y:bȁGr]&bB)L/.Eh N? I-l3ec Bݲ KƝ1EqmQZIN}$DIdZȶGMEr8UscvѮUℒv'?1y#'# $mՏcSz8˴t 1#]=dyXE#>@eڈ]`C' Sud]YMcU߂8vEQapI lI6Z`#ٰ(F̀//Z-'BerpҢ}'㟹#JT; KfOёQI ̲X-y?Si,ԔhCDiX_rr!kݯ4:0šN#V!_1E,Y}6Pɭ wŔs鑾r0M^ G\E0yenx+OpɫWfpN50NR7=£C&&{_k) 9f}OӿzA/1Ec|yQJ27:1GY&ѯx RIuo"<v=lN-|VW)‰A>@h>֧ k&&*aVBq?ZMR(- rZr8N:I0?/m f^h{1AYT="^Sp,b3:06Aޭ,d֫- 2eyް$j KcЬN1 .&!m}pʜg1yPn] pMnٰIxZDJ-@pP&0S婲HѯL{Ȏ#噎8Gh6 L[ N5? `DO 'OQ#r"nXӢO*y{˺Ks:)zHJ+ܻ:o,VȍA依@ ;G zC ĉHWtw)+{@^a1OLDmF>QC{]DQ>f(?ԑ񫝸6 z=B =!ǟu R}朄7Bw]>//=!YE3I U1zpc: +=\JчcKxU 0b%>c'8EA wT8͎'jSeDt<ڭCxR@+0`rI NBH0T9yh\6ukS-(1)SwrP\=[IeC!E_ ' ȮxP2q =C.WR8mXk7ȅOK)A"w3ZP_lAjNSZGͻ]ϕ6?|醔ppQ5{FX݅O6"KIJs/#k-*1ӌn U}T$eRfe _tXBw9/+ހݓٚ)N퉮ztmBJ _DվAC*N`![=3Yjvb "ϫg<n 6+ L'# L o>?O~`QX5a&mG-sܐ2A` UAjy{J-GG58Y+X9P^Q,kaZw7$|*[vjFqJY()u1R3V-)Da/a$&_Dԇ>_--#,$7r:~ oaTt7Gmʅ/ lTR/&PO]ѳ#G`:$ w JkY̰ÞUbBES^)vyW2MȭK,Xl+ϭJ!!I.~hx<$e+kw c $|YU+r !)\ ~ע\<&Ӛ#w`oA5La/]Gl=^sP=gVO!G q@r p fUmVV/ m\\{}u"Q'"yEϿM }0Hd]6ڂy̱e5]`=#pFRk K@U?{VVPt Ϻ' 5 Q* ٪]›-9)lyGL)dm2_ l]f3w8~򅫥5htۅ{>dDɘI0F< 8 F&}rb 1@0}A]%?_UZ.48kS"Y"tLRou.&z֓rKh]dW /CNzy50Ĉ۱SzQT`;'*L\tZR[:-P5p@’З5߀Ss~m?~z 2.s\K'*dH'18^}mBi=rxvM mzݣ. H0 ZdqqŚ޼{(+tcnoL[/ߎ^)LX69` jG0}D\'fw ?/1SP):U[~] 1W^ѫ":GqBY@ezY,V!~ݰKY10UJ\PO+6QDC6_1k&FǭLu_nL 1'VrIT#JCPBn4nI#CnO+;ZFtbtź3zn7 g"LcTu(^z,SSczPU746[!R*G63:Q}/cwTp^-L8ng|R2m@dȁ#{ϻ ʐWu`00u;Փ\0 g友m38>aA*VO(6#p4sdL^IAPc?![*.ND Jn)mzN\>': :_umYBWl _|`l:۬ n(m('|'@V؋id#0K{]p SR;B(fkQ)V{ MSϪ®E>ҚDmp7.HU ^ N{G,pP$u;hHpGLzE֪# D0/=i3 z*^O|4^AH5ә> 4#ga eݟEeť^=唞K<Of*h? 햜W+<;Sr )J!6Ȯ[i.PGw"HR祕K$;KX@qPc]ͮ%  k&^d5gCK2X6X=v} _IbƔ]JʁmBseU6\CHus-^vZPXD tү 1 W4bJJw,MU]4YZ^]̥խ 2y$Y|ۥ9SSs`NfaL؋X M 3@c,pz!*(Y޸^RĤu)VL%xb u-@8L_caD7 S䢏M3-hP0{F5ۑBd hDu3P5cS۴#$Ak)f3 /2QĬ @]ՉZ |ϿWR|M.#km%"QHhDʅr`Z >~ (z^ g4ȵ$r!+Yk?KÓ#Y :Rݻc.~=8Y+T "boϱB#f66)ƫܫt] Ms5X׌sǹx3ɟA]&BKG3D ك4W]\бouXiu\f OMHA ̲6|wvYTf/>x>! uh' Hc?};0T^-j{M4δ!B15}\9[&QI\U{\sLy\ds/ءr+Zp%urWalF$7 <lx)OF",nZ. t)]X@ +0y'z<_5!9K'jnjcX 68~In;6Wi]à\ h,@0#X?Qsd%JgM uj+W:1Mi%"FUɒ+6:iG3iH---4<2WCj/X ;U:p+o^5ߨ"]l o7#: FpjU^oHN5VȐ_mTr IA?Ȍ ia+e؁, 䵣eJA5JpXO5)Kvѿ*wT#"-\TV+C{ :;&e~js?dlZ#KB?,lO @إ9t":(g/#|q[׬s\S-Fпfj|+8Ow,V l5sX@>/4fŅ&+UHZz ڝEѤ!.(wjĖ(5_,F>`^}Bvy{ ym[ZhPaS4^"Pv Er3t7s$kFGf@}Dϡ[mAN{naځr5:U83 Zx&X:ϱ#W448cGUR+3ʯg&za1W_085Iq¢H„/m91 p\KOo 㣚@DN˪|A8.Ƭ/߷MRJѠ.#`DS-t1SVTSl2AuK3dOgIqwhwƿ@x1F3}۶I˗.w0uk:SWqh&fcf66}rɃ &O*'u41utwcZ_`V y Cd))NvݙZ@ 7?9ν;щg1IT&mb( 螱mܥenE:215hjXLSǴӲ Ƭ )0L. 5?9&`W| BS5!V:w'7`B`3UF.jvQSbҭ>S/k2VaZ2dYX2 V"Mi`f?,;mꭈW\t攣2ۭDfD;w1!hOZ, X7 b3״oʚ% ~蝾D\T{߸3 >è  Cfuͣݻސk Gwj,..:*4#58 'R姿0N'[&V` FG^&EZCk_&9"X;}ոٯ@G.j *_G13uz?l.C ;:݀?'cN nr3EL!@~a8(UoI%Z N}HWPà5,;1ƍDGiXsF2vlM@/j[4i_R\;W92(- 61Mb ji/Mo :H=|Y?.2mj4G/O +pN"lصYϭ-dES>E,d߀ڭea?5?gK`;pfxt_{,5u (&6! [9u+ ״Z[muA =( >)Jtb"=UٯE[MYŚ^^mʼnPu.SU2 JQGJNDKU۳J ߽aI-p UW3m+0O.zQܖ^!|ZYCv"*DbUޝ_8/_=/zR+Ҿٱń/D,V55XChqCgZ,Jȃ=외 4t2fVqo|E\'d,ƙFk/1-g).n$z$ķF jt {ۮ6 %2&-U.}`;ttzhh?(ءq;ro!÷Lְ˳J Sg(7t"ZeZ|W4\2sHNKg>4؆!DordpzP%BbF#_I,.?H{9i2,bTš,[]!`ny1,C5d,qDrM9j 8_ƗXn)#HQ#Q]2dHP0"!jFARLunm(k/N_6Ki/9`.zz\q_fڀIKd⨪' ]<;HC I]]i0FSgIx,Yi O9H\CTY4P _cCؐ+96Pk(M1>=3,5V?%EoJv/ _'M4xd 0 xe n~A%Lmr찞Eӧ:v,hS|}kku]P|ɓG%d_? a%!0'R*p|jOaO@mYT%i2i]g) 5 r8tV:] LW Yc&EdՊ&0 xgLxXP)rNUμ$ާu'"E1f1ܢmo]inOVO6|76H(^80k@J|t?<gN׽:7vj!cQ1ǻ7OEH tۃΕLL}_D` S^YMm @^{ WXO/w+)xVͳ&g"\e";9Gyڐ2D;V,8 `W lB&#A(>=8Qcp6z#X+_Xݼs07bP"hVMȔ\ԿɼtvRx;M(9}TZ[Vf|`ćlNkc#%ܞdnXd_FYk-{6e4$[~`:WƲ 馩)bH G%O< kB(imyҌuZ ԨE*f@G]RQ3u JDS%͍3 vTCJ7E^Gːby5O\q8uyR](a{_4to،2sGHUs9L]B<g$rxf1k$.E!2+|]eপ:m:趴 _9z$cWu㒕tއ( JTha N߭eQ뭰g|]]I EzioͿo?y؏ `d>vWX\G_:e'{ zG~406}3คH-v.QDZB7ث'iUk,t-~0wJe܉$=TZq| ט@ԩ\>pS)]BF֧DeR#!m=cUW?V~f B&]J֩pb ^7)\o{tVj*3kllUttMzMQ,gyؽ>#*}C~ { qm}|N.NgqGbC-Rjr^U#~J4$i\4, /HfԃVnVVJ#B̂GK00GS8x_yz;.8M7>;wMt$Ő?m&DnlCYm̓0K*dJAJx荹Sf@hÓKJJ X|-qnwsRkMKV`ƙ;v#6D)TH/Rply$LHi%f>n} qBP\{ ƅ"|'#caECwȯz4Efӂ@>~!9geD%oRE$IH F9?aqǠ)ޖw; ʆ:c%[j%Nw ]I0zY~%ևYvށWHףFw,Kv^Fs)`lz-n+ +Gqށ` jp[~U _xX !F^qD@'2?xL+5hpkc-B#%h/R"v]2I869{pv䛓sum"i t*~6c1'_ ,̈́ ̤3]A֝T+ëRRrT}+ãQ!;R3dߺi^GOç\G5yucצLM Sq mdhJx)^foФC=R΋ dF>U|ې@C ^himQ'[ `{:K!khpd`,,M6\*dV-iTIm6jA? ˝ڹpH)5ٴXh4H?ڌ׸U&da1 l lԈS:@26X ˆ2veS.#LSIH"4S Σր'4Eַhj7 تjKsXZLj o~ꔤC {o„ ]X'B!." ;u@-`NI! Eq+-dܽ@fp9,{;#1vC-şp<Ɯ±/PR]"cerNOS.2Ij8RX9QB VXŰ)7?l3 7yl_ݑA \љyzt?&у. wFDq8ktK a3){!y *g:˞W||IȻXB|% l֎< 496ZrOj,DDK PAѧn (:N2Z::uu~S0N1HSĶsgWi:(\pswf&Ku P&,Q)KP2(k }* Xɲ#:=RzUzE~[K\hK:G5tv/Xv(d%H.][.~=FM$/ͲjfD;fJEDB1.\=83{Z!+1iIŸ%[,I. L@riWJ7(Sl7˥0^H<="j}\ݎ  UB wEܐWH(F`YnC\rb[v!G]-e2 P7έ{3v2EC }UP[1t҈C*TUP]U+3"Gg] @r²p`m..HɊOA#/xq c`\X=Ld$ FN! Ե(Ŕ9\dF4<28MA!^[/1\Spynmc/+fqYD-|2]r4-gk"mW@b +Cn|E6ۥ<;Xl$N %8n^<%fXzPk2npZxٙ,!pZ0[%?{mD:qKk]]%WJxfM{t8;7ť,GY#CaЊ(Et{7Dв}OHyI ?#EMP7.ւZKE @'; zJs)ߩSVj2 ^ԕlvBlF3 FNߍzѓ 5N5t>AUќyi>:Pv ZE}NkٍH(wu&N+iHk xM:ȵ?-Dci,[9 DX,s!oDQ%=lZ(g'uuq;K۝K~HpuWYqjylhyz從4/j3ˤs|oeh2ᡆSP:h3 dVxQt/B z$t6l9TxaHS)Hy$5+>aVdE\F0 1CVϺxBlE DhX)m9H;3x =VQecLXz1ZRiL˼.1ͼ*{>~c1Hugyg/ Gv"끰֞y&(CW\{D!yupE[>.fL nl>aKLE?Lp㕧2+HH N}}DuY@dFCф?' 5Ӧ ?f1B/#Ӱ8z;G-ˆx\NW>tL }yY? 9c&DXoS$@:-KMs:#VsAh8͖hw6p6<\֛.j/d;Q*jdR$R/\ Qzl/$]X` *ofMlOozN20P4.1NaEke%0d:af"&v.љ{q˯x}!xr9 Gpb*e!\(Û1; 㢕[3ԯ›b\|9ak3^NOcN y{Q~FgEeɘaob4AfXn" wQXm*"?x]+!]LbVzCzz[2H)1=d$c5\HüRzwӞeA-.:emλ66@wZf<{@xqO؊y=nf068p(tρz3_-Im hJ:/1 EZ`TZ1uC7IU߫Xte&MQƞi{h zt*eMIڅ(Wv K,(GBZL4X~3*d^,l|{lkG1S=5AH~iT@VT/ܨ"V8.!\ áݰ%5TɸM _!ȯrKi* k?/B2vy߀ ef"e.뇬2[11i(32sŝ}xA[[_%;z!@^-!F]~_ l>3$]r|r ٔ}@fXаe"[^.A!q'ERHt,-gv0F\[hs`kuS!C()ޜlT37?-&6ƉI8 f#Qۚz<Ҹ?U;GfM C' qcsY8ffo_Qьܟ89_oJ\ ?xoxYڵD[d'Q07yP͊`e }O_T"J;i~uVqjE*ebXN}!_n ·waή^FKuK AjzЖPƷ] YP-Vн-)ǀɱ>1栖zk8D-q2/תB'>eU|J8! ?͕qn(s(m! $՗5,^zǝvgQ$s#@pbZ^Ya"D~+|WKŒ^=)~Y&9%DxVle~1z1wwY{RL-QL4d?_W< -_8#yk~P騧DuSgC@(t}_GcAI{0i?*^V4 (E g O<ϋqBb9^P2tU>0 ̴v{HH4 x+XD!+f6W!kbڋw'$P a TΩ69!7i4':(P.P4Cοm^K ץkU^H#W"|Cl)CsiBPW`&w_ANҦY34ҷToB3kOf&bڦxwͶ9ى0! Y5dR#O ʲ@!Nsx=@d祙BGtvG;ޮZ xaX3Eju'?Ja14zK`G!ԫCJk`k5"NaEj"jS-K#b faS{ow^a$)w>W "?+J:B!eꙸˠ麟t>b],x<^XeTb%2q1 K :HL˧Uܴo5?M"3 APԚ^!H3 q3#ڒCf1IFǪn#=!-Kt4;<91-m>2ş;btXI:T, tpWz͟%q/D=aa>Ŵj 6-yI-m7-Oh]}3^uE,1t~c:-;m^Mk^1α\$HZbycǴ3X|gE =vz)ZԸ@Ru C'sN2wQ'hZ8{Í7H74j/RK7 SN(={J S'&%q͂$\MɊb?_(Tv!`Zx]Q˺9#  Cp\S 7BÈBsDoɠaKA\g Qji|]z?ʉ?(`6_h2z˹/> {W݂8:_ڧ:fR"(wy%$^):yG6ml-A'єZÞKÒZ!t*Dn7chL^1-L7cvJZgs̚pmɭUȁ+-!NSGCzD"XHFbgqClGў}xMu3۶@ o2~T+=j@X:6]y]zW)+"`uqg0,mzd晐|D"?-\ 6wO_dedتdfgx [B<҇4A "2&qOʴ|J* #6r7i[?)zȺTH~S<u'-ĿeP UTf>X5նG_yOXj+KYٱq޽.6{ -_!fNfzaOH~:\FևH"ob7:J iIp|Tu0bK4[9&͔s,k+N'| 5Kh%iK膦ZWP=SVg'wN/qSXjG(ULy&1OG0VqwQ'lg]pS>3=c:6ʺtU0d'x)yq a9̡4(%=qIX]mT2 AU±e[;4mFor CM4ȷ%X4) V[vdQՠϿZp0F=9NEes$Ն4. +-@)HbXnɡ:c5ŃkƐ} g>Vg<`Qu 3à҇h 4a6X( N#T{!&㊮A(Vbv6H݋:'V Z"{%(c%OO/?Gg&(H$]*cNxFX*.aEvGbR)!׵ 4%Ty*Fω9(ubC_)qrTDs2XT֘ofSρs^ GASrNRm):v9`862i^(#Qx>C֮ g \m|̅lYJ./Xnly7rYt|-".=KJo{2J؈G28Yݯ> פ!݊90X$B:3JP=q4 GA_hI1 aB-zbD͉kд{b_u5!tw Ӓr?_)`f=U!&θKK\ݳgUij- Zph*7N(`N@|no~E/h)1eb^~Xqy4 [K4{:ҽc_wPM'jӉ;L*AM\jK~)'$dw<Vv|Ն`7}HO8yM|,6H#m|]j(\7gUн_T#r.BAQJ멦)5A<:";ʵl bCY8h[bڅ˸MXlnt;b'JsoIR\ˬ{gn`z5rh;ǐL/(~ɡT=N5r Ja3pk'a1bU|b;$o&zac4}G7!OuN l?J%3o[^n ~Dw(H Xa1gaC<^7Ɩ.!H7S)y4_| m_KK?[dG`.? /*IԝrY0e/ Ka2Wx/;W{*c zMX T{n`sbj7 |$d1&+",Ym\(| S|kbd*aa]qr$&(HŲ8l#lF 9en'@hG{g\3zȏ3l_[~sC^ ;CuL}5#8J(LOrwqfMQ_İ`m;޳2}cЯ^4mp6w;[یbY&ɕ: YN`i2]>b+B"}h18qhid}) b-1SF٠4pV%JZ[xZF~cW@uzx"JMʌ=3,?m͆+> k{TUnsE"L@reH*οq Mp8ђw(#F]ѳ#wmJߒ_$W]aTVcVu`{TnF.RlEn;0 BObyy(~:QxPaAw4čz٠Uu5쳎6C&D2[_B27R=0Uk.tL"sIBҨe !^Z=6#z>\f/h#J'E}} ࿽("Q۴ii=o4P"01\m@d ͠7knŵL_i 8y">>$B SIgP` ТeBt u5.݀; 4σս;\˦&;F"?.Hg BhеIY[Zcx+&4۔ŶCߔqO3 *3E e H_Ee 8ØXpu&@sRR^ $r^λ8DcİK6l?0Ofd`*r}k^N})+Y,B^*%?xFNXnThOӱK_ \ XZP~,o"I@9ՈF|4ʋh2Oʴ\װnD]V-vRscfRcbS<AZHy?Wp_ZpŪ#ڈK-0HE'DT$[:O,_6n9>->D4ǖo<)cjow2|4VPK?\$"(pBCɊg/-x%fʅԼrk G\4,*+KuͰ /)E `@4~jxN b)BV>4K򽰁郛`,k R4E'+zI_S1 |}.4?.O Iv$s}û'ߕ615cD 2OI5?٠)1]$[;߉Y𗟥6IPlՏ9'ZP ĮY`n!$('{5x&«t# oL9|Ry]}(FU%s )դ$=w,‚n-=K?B F~[oPTA=/.(F7*xm9tL:b,0OWAH'1ʷ8I9ɹq4nAV\f b&D,Mɶ AU9%*B%vzZF5Z1*rUYZRjlBŃl}&A"VcY,Qgb}؈_3X20}\<5;"Xz4``&[`7 mR(cݻr,{Zvq=zTt{ևl:Ҝ'" zžt O{W1i=zmes 8{/pjf3 G .+dlD۱]frt_1|%B.>g&du2) q{;(Ԇ+K<"3c|^Lx.w㿞:GȘmuj8ba|qo]=?ƣ.0 /q?*/^&sS{ֆ>TM9:Kż#1qR*D6v K6AIE8YHF ^ħlpɪ?m}nij7m`BrxqŁJJDC|m C.pͥ{ק^"m%8,/41UtE@y7dj^´] XA]@%俩)x{ ȱl2Rljgs}HэAHo Kz}X..μmrqFa.#8'A0@JxiK!.WH,02oJK"+5;{H;܇]l684U6]XK|ƥ0lXgڰýymP6mJ^ƽR 'jHU8瓕>;ӒU!Dre Ɣ;P?P[7`-*x6/DO*eX]q 繏&`R΋}@tג{TcU?ba Ǣenp.IncNPpm0= ¶o9ZyGIHNDVK@g m>-H m@4 HAk{۠g*JW"e'frsұ:j Khд(5NOo)lA !uʅGV+ m>"h_\8c$Nܟ[5yWȖ˜xM < U# ,h5u&~]!UGJ5C<`OQȝ }XpүBD [iݴq >8B˿M[ {&7K&au,[u|bkex~8 _Gy#?zOK"eU~>Qo',3PiD_V !t!9d05++oC7rtRtm;aѹd|pscw&1]Tpkݡow4^Yay/J"tfa7u;B;*R\Z39(~/DD12Kֽce#.YN#Ar=F2~5x_[a-;8VP4noubA=qy({*t9'TR3u~ɔ}AfƯ0 /؆ H~9A "p-9)pՄُᗣk*OI (>hpgA K>%Ҏ j_&[?9{dDOP^ Nc,w\ոv3*[I'5r bвv{XKg;9&Ц]E '\QjĔ]&4[^%Sq54 "-L{j+DIDOX Ar*.$hf`ag+ѻwˏm^}g&An 'R}Fq>a`W[9{ mqzS,ؾq5!gMQ2jƺi`yNiY¯̅\0YW2e4F}e҇ e#k#\y\EG&?~E_'1YQM"z´ @-3 ~Rϻilnvqc?zCDu9fڌgo['t6r .U2B>K{T]C#뇠n ]tX}c2eLpB0] / ;f>Z79|^/5tTL4cJ_fi=yk+ Y'Qa6,P;_4+w´N?R9d)ƣ`o'zr[{Hج+>k+`4a^-=)Fŧ=./M |Eh0F] @$EC+cѨ@jI[4̑c25w5asSt8 2KslV}gфg%nE4YI۸ -rg/Ea>+-G^ <6+/%Vqς +I{T #zx]'K-A Pww t/ٟB8qߘ50,[4ohhA+6DB{ܻH߃7ǎ\o]XmHͽ/aNO,,>u y r*Y9"@X&^!LKQ$2VL8$=xA352'z5SS˒ OWeR2pF/A3oZb } >YCAȺgpxH QA ;SY\k㡯8RIzd .hBOhV۟uxf_(tw0- <0nLK0/Tl֔s>x|Ui{# 5rN&bNEYu^.p9h4\r6rLQsP@E1Ƹc-?ҺP5mݜV'O qCŻg}iBrxԏ]ٍۓևu:'` |%!ԚB <: _cׇsrpxlgU8Uoh8"˗ ̆0}}$e!qdH#|Khr샿$@s_ Wnռh<58X{ A ?X q8k=}؏`O- w yW_b f٧fӭ*sB2UHT7pXfv.9]l#89!XnyK~Nis.92`#1dGҰŜeiV %C%I : ɢ$YH?hzDa݈u ){b&|“~LkE[|{uuLZVjj:n,hKуdv7M 0f|Xg!}~ Op \ص~Z\j /k.Pvl^&sdz%GU~hq(^tWpl\]8z Uo͙qw_ W Y1!ȝ'b]]ɸgA0(ŢĈ}DEylb!G*UaDj!Yo#HvFƎJQbH&!< ӱn,KΊ\7L*[b@9QN:7Ÿ!uO!*Wb­@VJ1"Zs 9w}*Y# Ȱx?{݂a qVy=(KK+yUyOl;"y9u΁ĥ>.:[T+Ls-./`' J^1o VmJ"̋G8WeFXIrF@{ {=wk,GF~}߿ V~6~Cs 2-;`ra/TYp0v ;'aIi%j-ɯI3(TD&98|>VՆr8{1b% ̾ۿ L$:M!YiƮZѻda|Nn Ł䔼&@:`CjG˙g 1"VI$ O(۰>Ka-Gj̉6?S^W*8yE"w&ZʖrzQ4Vb=`!*1X %=^6C߉ mO f55\Q tK\E36XVCs&i;WY~aHza#֛nTQX&|3ulO$(˃eq"<)7,4WJ%ATOq3FmVlra.OA0~)M7"CAXzGLSYn8AomfDG_j2#Y <̂_X0::^6n[e 5G =u~929R^& ,BnS17f*IQ`bs ^~{`qVA%1wTK ʃ>-Zée%Yi=2Fg?b3fORQs:2׃[eKU)7Blyq{QHj*[5Mh? 0;DxP>¥Ljۿ w2}r {\B',{` '5@E䷪Zbn{1z+@y唄XY4g/S.sLp$,T#U\j4FHj7u;`&Xycy3 Kch8p\L9PZ\A:.>>*͡杋jrڷ֟S6Lnc^liR;p&:WIqO#z+'xzɶ(I#d c(66G8{#T@x8d~_ 5ÉRPYP;WƺZ>r8r\]㖱n- d?ʥC=([+s/71kӢl;B̓^a_A=bRYI"+5?Yi`: $"ҜPhX-.<cR! XIi+sG W^&1[BQ1O{Ց#V%3]$בvX(J0Ĝi'yA{PV@m!Wלc6=wX ,&s:bNcd?(~A`cw;Abބ^)4(Kf"յ7z /GV\ [ /0~my [>S_ф;4m>5zx)az?lCiJ& ԒCx~ Jh>NHu1o8#/.PSWC?0ք|N7q /77f{tf@xRAA:) ZqooZgtSᱶ$M7;hS2喾و&6yM.a>g-nYZU]0:++>̝N xL]4vl-jN!0g:'$SJ9o|^NwI|@r*Pΰ8\p=ڻY5jϜp&́'yښTw`D؏6Lfc΂au)֑ RTci;m(bYpv%&%|bp/r>cCv\+}w$yod:dFi=AE ' Or#'fHOG/0d+*+Y \ JӇ}6Jٳ8"vH mP&fpM86ѯU—ޢDz€x59ؼڈ=XD%lãD.31#DӃz᨞ eB'7 gF0HΊ^5fSq0~CYX1vo(@i`Z)O<{,47f<73Cs@EqS_Hʫthw|r:|uFܪeהʏ6А!H#? /9 y}8;e٫(^ < !@5cWFjyyP4} +\biGbD? jW<Wp`ܭ