From 8f9fd3833ade0df5a4763b154910d36626a27a67 Mon Sep 17 00:00:00 2001 From: Andy Zhang Date: Wed, 15 Dec 2021 22:02:23 +0800 Subject: [PATCH 1/5] Update README.md --- README.md | 6 +----- 1 file changed, 1 insertion(+), 5 deletions(-) diff --git a/README.md b/README.md index 2829eea71..ed2b8a6ca 100644 --- a/README.md +++ b/README.md @@ -3,7 +3,7 @@ ### Overview -This is a repository for [NFS](https://en.wikipedia.org/wiki/Network_File_System) [CSI](https://kubernetes-csi.github.io/docs/) Driver, csi plugin name: `nfs.csi.k8s.io` +This is a repository for [NFS](https://en.wikipedia.org/wiki/Network_File_System) [CSI](https://kubernetes-csi.github.io/docs/) driver, csi plugin name: `nfs.csi.k8s.io`. This driver requires existing and already configured NFSv3 or NFSv4 server, it supports dynamic provisioning of Persistent Volumes via Persistent Volume Claims by creating a new sub directory under NFS server. ### Project status: Beta @@ -14,10 +14,6 @@ This is a repository for [NFS](https://en.wikipedia.org/wiki/Network_File_System |v3.0.0 | 1.19+ | beta | |v2.0.0 | 1.14+ | alpha | -### Requirements - -This driver requires existing NFSv3 or NFSv4 server. - ### Install driver on a Kubernetes cluster - install by [kubectl](./docs/install-nfs-csi-driver.md) - install by [helm charts](./charts) From 53c3a3c970822f7f4c822af2976fb4b8ada63e01 Mon Sep 17 00:00:00 2001 From: andyzhangx Date: Sun, 19 Dec 2021 07:47:13 +0000 Subject: [PATCH 2/5] fix: CVE-2021-43618 in Ubuntu image fix chart --- .github/workflows/pluto.yaml | 26 +++++++++++++++++++++++ Dockerfile | 2 +- charts/latest/csi-driver-nfs-v3.1.0.tgz | Bin 3505 -> 3509 bytes charts/latest/csi-driver-nfs/values.yaml | 3 +++ 4 files changed, 30 insertions(+), 1 deletion(-) create mode 100644 .github/workflows/pluto.yaml diff --git a/.github/workflows/pluto.yaml b/.github/workflows/pluto.yaml new file mode 100644 index 000000000..57bc7a5ac --- /dev/null +++ b/.github/workflows/pluto.yaml 
@@ -0,0 +1,26 @@ +name: k8s api version check +on: + pull_request: {} + push: {} + +jobs: + + build: + name: Build + runs-on: ubuntu-latest + steps: + + - name: Checkout + uses: actions/checkout@v2 + + # https://pluto.docs.fairwinds.com/advanced/#display-options + - name: Download pluto + uses: FairwindsOps/pluto/github-action@master + + - name: Check deploy folder + run: | + pluto detect-files -d deploy + + - name: Check example folder + run: | + pluto detect-files -d deploy/example diff --git a/Dockerfile b/Dockerfile index 04ca3c233..f9f5590a2 100644 --- a/Dockerfile +++ b/Dockerfile @@ -23,6 +23,6 @@ COPY bin/${ARCH}/nfsplugin /nfsplugin RUN apt update && apt-mark unhold libcap2 RUN clean-install ca-certificates mount nfs-common netbase # install updated packages to fix CVE issues -RUN clean-install libssl1.1 libgssapi-krb5-2 libk5crypto3 libkrb5-3 libkrb5support0 +RUN clean-install libssl1.1 libgssapi-krb5-2 libk5crypto3 libkrb5-3 libkrb5support0 libgmp10 ENTRYPOINT ["/nfsplugin"] 
diff --git a/charts/latest/csi-driver-nfs-v3.1.0.tgz b/charts/latest/csi-driver-nfs-v3.1.0.tgz index 9ac82022d7555ba9f9ac947ac01152b24b542559..ed83d9948e4bb0e07826f603f5b1d54f4da2ea3b 100644 GIT binary patch
diff --git a/charts/latest/csi-driver-nfs/values.yaml b/charts/latest/csi-driver-nfs/values.yaml index de9e13341..a143393eb 100755 --- a/charts/latest/csi-driver-nfs/values.yaml +++ b/charts/latest/csi-driver-nfs/values.yaml @@ -24,6 +24,9 @@ rbac: create: true name: nfs +driver: + name: nfs.csi.k8s.io + controller: name: csi-nfs-controller replicas: 2 From 0e3ede5a213958ce76a7db3120c24cd1257aeb75 Mon Sep 17 00:00:00 2001 
From: andyzhangx Date: Sun, 19 Dec 2021 09:03:22 +0000 Subject: [PATCH 3/5] feat: add node.mountPermissions in chart fix controller update chart fix chart update chart update chart fix mountPermissions --- charts/README.md | 2 ++ charts/latest/csi-driver-nfs-v3.1.0.tgz | Bin 3509 -> 3543 bytes .../templates/csi-nfs-controller.yaml | 1 + .../templates/csi-nfs-node.yaml | 1 + charts/latest/csi-driver-nfs/values.yaml | 10 ++++------ cmd/nfsplugin/main.go | 2 +- hack/verify-helm-chart-files.sh | 2 +- pkg/nfs/controllerserver.go | 9 ++++++--- pkg/nfs/nodeserver.go | 1 + test/external-e2e/run.sh | 4 ++-- 10 files changed, 19 insertions(+), 13 deletions(-) diff --git a/charts/README.md b/charts/README.md index f7d22d302..21416c5c9 100644 --- a/charts/README.md +++ b/charts/README.md @@ -38,6 +38,7 @@ The following table lists the configurable parameters of the latest NFS CSI Driv | Parameter | Description | Default | |---------------------------------------------------|------------------------------------------------------------|-------------------------------------------------------------------| | `driver.name` | alternative driver name | `nfs.csi.k8s.io` | +| `driver.mountPermissions` | mounted folder permissions name | `0777` | `feature.enableFSGroupPolicy` | enable `fsGroupPolicy` on a k8s 1.20+ cluster | `false` | | `image.nfs.repository` | csi-driver-nfs docker image | `gcr.io/k8s-staging-sig-storage/nfsplugin` | | `image.nfs.tag` | csi-driver-nfs docker image tag | `amd64-linux-canary` | 
@@ -70,6 +71,7 @@ The following table lists the configurable parameters of the latest NFS CSI Driv | `controller.resources.nfs.limits.memory` | csi-driver-nfs memory limits | 200Mi | | `controller.resources.nfs.requests.cpu` | csi-driver-nfs cpu requests limits | 10m | | `controller.resources.nfs.requests.memory` | csi-driver-nfs memory requests limits | 20Mi | +| `node.name` | driver node daemonset name | `csi-nfs-node` | `node.maxUnavailable` | `maxUnavailable` value of driver node daemonset | `1` | `node.logLevel` | node driver log level |`5` | | `node.livenessProbe.healthPort ` | the health check port for liveness probe |`29653` | 
diff --git a/charts/latest/csi-driver-nfs-v3.1.0.tgz b/charts/latest/csi-driver-nfs-v3.1.0.tgz index ed83d9948e4bb0e07826f603f5b1d54f4da2ea3b..504e516b82d14bcafd464433e6d3b734f9719e11 100644 GIT binary patch
Date: Tue, 21 Dec 2021 08:31:04 +0000 Subject: [PATCH 4/5] fix: CVE-2021-38561 with golang lib --- go.mod | 1 + go.sum | 13 +----- .../x/text/internal/language/language.go | 43 +++++++++++++++++-- .../x/text/internal/language/parse.go | 7 +++ vendor/golang.org/x/text/language/parse.go | 22 ++++++++++ vendor/modules.txt | 3 +- 6 files changed, 73 insertions(+), 16 deletions(-) diff --git a/go.mod b/go.mod index 2d75e473b..9abe783d9 100644 --- a/go.mod +++ b/go.mod @@ -23,6 +23,7 @@ require ( ) replace ( + golang.org/x/text => golang.org/x/text v0.3.7 k8s.io/api => k8s.io/api v0.22.3 k8s.io/apiextensions-apiserver => k8s.io/apiextensions-apiserver v0.22.3 k8s.io/apimachinery => k8s.io/apimachinery v0.22.3 diff --git a/go.sum b/go.sum index 5658ed119..2457f81da 100644 --- a/go.sum +++ b/go.sum 
@@ -1064,17 +1064,8 @@ golang.org/x/term v0.0.0-20201117132131-f5c789dd3221/go.mod h1:Nr5EML6q2oocZ2LXR golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= golang.org/x/term v0.0.0-20210220032956-6a3ed077a48d h1:SZxvLBoTP5yHO3Frd4z4vrF+DBX9vMVanchswa69toE= golang.org/x/term v0.0.0-20210220032956-6a3ed077a48d/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= -golang.org/x/text v0.0.0-20160726164857-2910a502d2bf/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= -golang.org/x/text v0.0.0-20170915032832-14c0d48ead0c/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= -golang.org/x/text v0.0.0-20170915090833-1cbadb444a80/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= -golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= -golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= -golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk= -golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= -golang.org/x/text v0.3.4/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= -golang.org/x/text v0.3.5/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= -golang.org/x/text v0.3.6 h1:aRYxNxv6iGQlyVaZmk6ZgYEDa+Jg18DxebPSrd6bg1M= -golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= +golang.org/x/text v0.3.7 h1:olpwvP2KacW1ZWvsR7uQhoyTYvKAupfQrRGBFM352Gk= +golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ= golang.org/x/time v0.0.0-20180412165947-fbb02b2291d2/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= 
diff --git a/vendor/golang.org/x/text/internal/language/language.go b/vendor/golang.org/x/text/internal/language/language.go index f41aedcfc..6105bc7fa 100644 --- a/vendor/golang.org/x/text/internal/language/language.go +++ b/vendor/golang.org/x/text/internal/language/language.go @@ -251,6 +251,13 @@ func (t Tag) Parent() Tag { // ParseExtension parses s as an extension and returns it on success. func ParseExtension(s string) (ext string, err error) { + defer func() { + if recover() != nil { + ext = "" + err = ErrSyntax + } + }() + scan := makeScannerString(s) var end int if n := len(scan.token); n != 1 { @@ -461,7 +468,14 @@ func (t Tag) findTypeForKey(key string) (start, sep, end int, hasExt bool) { // ParseBase parses a 2- or 3-letter ISO 639 code. // It returns a ValueError if s is a well-formed but unknown language identifier // or another error if another error occurred. -func ParseBase(s string) (Language, error) { +func ParseBase(s string) (l Language, err error) { + defer func() { + if recover() != nil { + l = 0 + err = ErrSyntax + } + }() + if n := len(s); n < 2 || 3 < n { return 0, ErrSyntax } @@ -472,7 +486,14 @@ func ParseBase(s string) (Language, error) { // ParseScript parses a 4-letter ISO 15924 code. // It returns a ValueError if s is a well-formed but unknown script identifier // or another error if another error occurred. -func ParseScript(s string) (Script, error) { +func ParseScript(s string) (scr Script, err error) { + defer func() { + if recover() != nil { + scr = 0 + err = ErrSyntax + } + }() + if len(s) != 4 { return 0, ErrSyntax } 
@@ -489,7 +510,14 @@ func EncodeM49(r int) (Region, error) { // ParseRegion parses a 2- or 3-letter ISO 3166-1 or a UN M.49 code. // It returns a ValueError if s is a well-formed but unknown region identifier // or another error if another error occurred. -func ParseRegion(s string) (Region, error) { +func ParseRegion(s string) (r Region, err error) { + defer func() { + if recover() != nil { + r = 0 + err = ErrSyntax + } + }() + if n := len(s); n < 2 || 3 < n { return 0, ErrSyntax } @@ -578,7 +606,14 @@ type Variant struct { // ParseVariant parses and returns a Variant. An error is returned if s is not // a valid variant. -func ParseVariant(s string) (Variant, error) { +func ParseVariant(s string) (v Variant, err error) { + defer func() { + if recover() != nil { + v = Variant{} + err = ErrSyntax + } + }() + s = strings.ToLower(s) if id, ok := variantIndex[s]; ok { return Variant{id, s}, nil diff --git a/vendor/golang.org/x/text/internal/language/parse.go b/vendor/golang.org/x/text/internal/language/parse.go index c696fd0bd..47ee0fed1 100644 --- a/vendor/golang.org/x/text/internal/language/parse.go +++ b/vendor/golang.org/x/text/internal/language/parse.go @@ -232,6 +232,13 @@ func Parse(s string) (t Tag, err error) { if s == "" { return Und, ErrSyntax } + defer func() { + if recover() != nil { + t = Und + err = ErrSyntax + return + } + }() if len(s) <= maxAltTaglen { b := [maxAltTaglen]byte{} for i, c := range s { diff --git a/vendor/golang.org/x/text/language/parse.go b/vendor/golang.org/x/text/language/parse.go index 11acfd885..59b041008 100644 --- a/vendor/golang.org/x/text/language/parse.go +++ b/vendor/golang.org/x/text/language/parse.go 
@@ -43,6 +43,13 @@ func Parse(s string) (t Tag, err error) { // https://www.unicode.org/reports/tr35/#Unicode_Language_and_Locale_Identifiers. // The resulting tag is canonicalized using the canonicalization type c. func (c CanonType) Parse(s string) (t Tag, err error) { + defer func() { + if recover() != nil { + t = Tag{} + err = language.ErrSyntax + } + }() + tt, err := language.Parse(s) if err != nil { return makeTag(tt), err @@ -79,6 +86,13 @@ func Compose(part ...interface{}) (t Tag, err error) { // tag is returned after canonicalizing using CanonType c. If one or more errors // are encountered, one of the errors is returned. func (c CanonType) Compose(part ...interface{}) (t Tag, err error) { + defer func() { + if recover() != nil { + t = Tag{} + err = language.ErrSyntax + } + }() + var b language.Builder if err = update(&b, part...); err != nil { return und, err @@ -142,6 +156,14 @@ var errInvalidWeight = errors.New("ParseAcceptLanguage: invalid weight") // Tags with a weight of zero will be dropped. An error will be returned if the // input could not be parsed. func ParseAcceptLanguage(s string) (tag []Tag, q []float32, err error) { + defer func() { + if recover() != nil { + tag = nil + q = nil + err = language.ErrSyntax + } + }() + var entry string for s != "" { if entry, s = split(s, ','); entry == "" { diff --git a/vendor/modules.txt b/vendor/modules.txt index 3bc41b31a..605d4c547 100644 --- a/vendor/modules.txt +++ b/vendor/modules.txt @@ -269,7 +269,7 @@ golang.org/x/sys/unix golang.org/x/sys/windows # golang.org/x/term v0.0.0-20210220032956-6a3ed077a48d golang.org/x/term -# golang.org/x/text v0.3.6 +# golang.org/x/text v0.3.6 => golang.org/x/text v0.3.7 golang.org/x/text/encoding golang.org/x/text/encoding/charmap golang.org/x/text/encoding/htmlindex 
@@ -887,6 +887,7 @@ sigs.k8s.io/structured-merge-diff/v4/value # sigs.k8s.io/yaml v1.2.0 ## explicit sigs.k8s.io/yaml +# golang.org/x/text => golang.org/x/text v0.3.7 # k8s.io/api => k8s.io/api v0.22.3 # k8s.io/apiextensions-apiserver => k8s.io/apiextensions-apiserver v0.22.3 # k8s.io/apimachinery => k8s.io/apimachinery v0.22.3 From df5fefd8d69d4dc320dba634773ab614f7c6a1b5 Mon Sep 17 00:00:00 2001 From: andyzhangx Date: Mon, 27 Dec 2021 03:38:01 +0000 Subject: [PATCH 5/5] cleanup: remove cpu limits --- charts/README.md | 6 ------ charts/latest/csi-driver-nfs-v3.1.0.tgz | Bin 3543 -> 3542 bytes charts/latest/csi-driver-nfs/values.yaml | 6 ------ deploy/csi-nfs-controller.yaml | 3 --- deploy/csi-nfs-node.yaml | 3 --- pkg/nfs/nodeserver.go | 2 +- 6 files changed, 1 insertion(+), 19 deletions(-) diff --git a/charts/README.md b/charts/README.md index 21416c5c9..b5eb43fbc 100644 --- a/charts/README.md +++ b/charts/README.md 
@@ -59,15 +59,12 @@ The following table lists the configurable parameters of the latest NFS CSI Driv | `controller.runOnMaster` | run controller on master node | `false` | | `controller.logLevel` | controller driver log level |`5` | | `controller.tolerations` | controller pod tolerations | | -| `controller.resources.csiProvisioner.limits.cpu` | csi-provisioner cpu limits | 1 | | `controller.resources.csiProvisioner.limits.memory` | csi-provisioner memory limits | 100Mi | | `controller.resources.csiProvisioner.requests.cpu` | csi-provisioner cpu requests limits | 10m | | `controller.resources.csiProvisioner.requests.memory` | csi-provisioner memory requests limits | 20Mi | -| `controller.resources.livenessProbe.limits.cpu` | liveness-probe cpu limits | 1 | | `controller.resources.livenessProbe.limits.memory` | liveness-probe memory limits | 100Mi | | `controller.resources.livenessProbe.requests.cpu` | liveness-probe cpu requests limits | 10m | | `controller.resources.livenessProbe.requests.memory` | liveness-probe memory requests limits | 20Mi | -| `controller.resources.nfs.limits.cpu` | csi-driver-nfs cpu limits | 1 | | `controller.resources.nfs.limits.memory` | csi-driver-nfs memory limits | 200Mi | | `controller.resources.nfs.requests.cpu` | csi-driver-nfs cpu requests limits | 10m | | `controller.resources.nfs.requests.memory` | csi-driver-nfs memory requests limits | 20Mi | 
@@ -76,15 +73,12 @@ The following table lists the configurable parameters of the latest NFS CSI Driv | `node.logLevel` | node driver log level |`5` | | `node.livenessProbe.healthPort ` | the health check port for liveness probe |`29653` | | `node.tolerations` | node pod tolerations | | -| `node.resources.livenessProbe.limits.cpu` | liveness-probe cpu limits | 1 | | `node.resources.livenessProbe.limits.memory` | liveness-probe memory limits | 100Mi | | `node.resources.livenessProbe.requests.cpu` | liveness-probe cpu requests limits | 10m | | `node.resources.livenessProbe.requests.memory` | liveness-probe memory requests limits | 20Mi | -| `node.resources.nodeDriverRegistrar.limits.cpu` | csi-node-driver-registrar cpu limits | 1 | | `node.resources.nodeDriverRegistrar.limits.memory` | csi-node-driver-registrar memory limits | 100Mi | | `node.resources.nodeDriverRegistrar.requests.cpu` | csi-node-driver-registrar cpu requests limits | 10m | | `node.resources.nodeDriverRegistrar.requests.memory` | csi-node-driver-registrar memory requests limits | 20Mi | -| `node.resources.nfs.limits.cpu` | csi-driver-nfs cpu limits | 1 | | `node.resources.nfs.limits.memory` | csi-driver-nfs memory limits | 300Mi | | `node.resources.nfs.requests.cpu` | csi-driver-nfs cpu requests limits | 10m | | `node.resources.nfs.requests.memory` | csi-driver-nfs memory requests limits | 20Mi | 
diff --git a/charts/latest/csi-driver-nfs-v3.1.0.tgz b/charts/latest/csi-driver-nfs-v3.1.0.tgz index 504e516b82d14bcafd464433e6d3b734f9719e11..9716a4e2f881364e69b62e4fa269e36e1d4999e7 100644 GIT binary patch