From 52c8df69e360f42a359dcf19f9f39588f01fdb94 Mon Sep 17 00:00:00 2001
From: Christer Edwards
Date: Sat, 22 Jun 2019 09:28:42 -0600
Subject: [PATCH] Bastille 0.4.20190622 - ZFS plus bugfixes
---
 README.md | 248 ++++++++++++-----------
 docs/images/bastillebsd-twitter-poll.png | Bin 0 -> 40844 bytes
 usr/local/share/bastille/bootstrap.sh | 141 ++++++++-----
 usr/local/share/bastille/create.sh | 42 ++--
 usr/local/share/bastille/destroy.sh | 19 +-
 usr/local/share/bastille/list.sh | 2 +-
 usr/local/share/bastille/stop.sh | 1 +
 7 files changed, 266 insertions(+), 187 deletions(-)
 create mode 100644 docs/images/bastillebsd-twitter-poll.png
diff --git a/README.md b/README.md
index 81d2c3d4..d1ba606b 100644
--- a/README.md
+++ b/README.md
@@ -1,45 +1,22 @@ Bastille ======== -Bastille is a jail automation framework that allows you to quickly and -easily create and manage FreeBSD jail. +Bastille is a jail automation framework that allows you to quickly create and +manage FreeBSD jails. Installation ------------- +============ Bastille is available in the official ports tree. -``` +**pkg** +```shell pkg install bastille ``` -Development builds are available on the `pkg.bastillebsd.org` package server. -To subscribe to this repo, use the following two configuration additions. - -Note: The BastilleBSD pkg server will usually be ahead of FreeBSD latest. - +**ports** +```shell +make -C /usr/ports/sysutils/bastille install clean ``` -## /usr/local/etc/pkg/repos/BastilleBSD.conf -BastilleBSD: { - url: "https://pkg.bastillebsd.org/pkg/${ABI}", - signature_type: "pubkey", - pubkey: "/usr/local/etc/ssl/poudriere.pub", - enabled: yes -} -``` - -``` -## /usr/local/etc/ssl/poudriere.pub ------BEGIN PUBLIC KEY----- -MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAq28OLDhJ12JmsKKcJpnn -pCW3fFYBNI1BtdvTvFx57ZXvQ2qecBvnR9+XWi83hKS9ALTKZI6CLC2uTv1fIsZl -u6rDRRNZwZFfITACSfwI+7UObMXz3oBZjk94J3rIegk49EyjDswKdVWv5k1EiVXF -SAwXSl2kA2hGfQJkj5NS4nrfoRBc0z6fm+BGdNuHKSTmeZh1dbLEHt9EArD20DJ7 -HIr8vUSPLwONeqJCBFA/MeDO+GpwtwA/ldc2ZZy1RCPctdC2NeiGW7oy1yVDu6wp -mHCq8qDfmCx5Aex84rWUf9iH8TM92AWmegTaz2p+BgESctpjNRCUuSEwOCBIO6g5 -3wIDAQAB ------END PUBLIC KEY----- -``` - Basic Usage ----------- @@ -73,12 +50,13 @@ Use "bastille command -h|--help" for more information about a command. ``` -## 0.3-beta +## 0.4-beta This document outlines the basic usage of the Bastille jail management framework. This release is still considered beta. -## Network Requirements +Network Requirements +==================== In order to segregate jails from the network and from the world, Bastille attaches jails to a loopback interface only. The host system then acts as the firewall, permitting and denying traffic as needed. 
@@ -90,14 +68,16 @@ ishmael ~ # sysrc cloned_interfaces+=lo1 ishmael ~ # service netif cloneup ``` -Second, enable NAT through the firewall: +Second, enable the firewall: ```shell ishmael ~ # sysrc pf_enable="YES" ``` Create the firewall config, or merge as necessary. -### /etc/pf.conf + +/etc/pf.conf +------------ ``` ext_if="vtnet0" @@ -108,7 +88,7 @@ set skip on lo nat on $ext_if from lo1:network to any -> ($ext_if) ## rdr example -## rdr pass inet proto tcp from any to any port {80, 443} -> 10.88.9.45 +## rdr pass inet proto tcp from any to any port {80, 443} -> 10.17.89.45 block in log all pass out quick modulate state @@ -126,7 +106,7 @@ Note: if you have an existing firewall, the key lines for in/out traffic to jail nat on $ext_if from lo1:network to any -> ($ext_if) ## rdr example -## rdr pass inet proto tcp from any to any port {80, 443} -> 10.88.9.45 +## rdr pass inet proto tcp from any to any port {80, 443} -> 10.17.89.45 ``` The `nat` routes traffic from the loopback interface to the external interface @@ -134,7 +114,7 @@ for outbound access. The `rdr pass ...` will redirect traffic from the host firewall on port X to the ip of Jail Y. The example shown redirects web traffic (80 & 443) to the -jails at `10.88.9.45`. +jails at `10.17.89.45`. We'll get to that later, but when you're ready to allow traffic inbound to your jails, that's where you'd do it. 
@@ -151,11 +131,46 @@ session and continue. This step only needs to be done once in order to prepare the host. +ZFS support +=========== + +![BastilleBSD Twitter Poll](/docs/images/bastillebsd-twitter-poll.png) + +Bastille 0.4 added initial support for ZFS. `bastille bootstrap` and `bastille +create` will generate ZFS volumes based on settings found in the +`bastille.conf`. This section outlines how to enable and configure Bastille for +ZFS. + +Two values are required for Bastille to use ZFS. The default values in the +`bastille.conf` are empty. Populate these two to enable ZFS. + +```shell +## ZFS options +bastille_zfs_enable="" ## default: "" +bastille_zfs_zpool="" ## default: "" +bastille_zfs_prefix="bastille" ## default: "${bastille_zfs_zpool}/bastille" +bastille_zfs_mountpoint=${bastille_prefix} ## default: "${bastille_prefix}" +bastille_zfs_options="-o compress=lz4 -o atime=off" ## default: "-o compress=lz4 -o atime=off" +``` + +**Example** + +```shell +ishmael ~ # sysrc -f /usr/local/etc/bastille/bastille.conf bastille_zfs_enable=YES +ishmael ~ # sysrc -f /usr/local/etc/bastille/bastille.conf bastille_zfs_zpool=ZPOOL_NAME +``` + +Replace `ZPOOL_NAME` with the zpool you want Bastille to use. Tip: `zpool list` +and `zpool status` will help. + + bastille bootstrap ------------------ -The first step is to "bootstrap" a release. Current supported releases are -11.2-RELEASE and 12.0-RELEASE, but you can bootstrap anything in the -ftp.FreeBSD.org RELEASES directory. +Before you can begin creating jails, Bastille needs to "bootstrap" a release. +Current supported releases are 11.2-RELEASE and 12.0-RELEASE, but you can +bootstrap anything in the ftp.FreeBSD.org RELEASES directory. + +**Important: If you need ZFS support see the above section BEFORE bootstrapping.** Note: your mileage may vary with unsupported releases and releases newer than the host system likely will NOT work at all. 
@@ -163,30 +178,56 @@ the host system likely will NOT work at all. To `bootstrap` a release, run the bootstrap sub-command with the release version as the argument. + +** FreeBSD 12.0-RELEASE ** ```shell ishmael ~ # bastille bootstrap 12.0-RELEASE +``` + +** FreeBSD 11.2-RELEASE ** +```shell ishmael ~ # bastille bootstrap 11.2-RELEASE ``` +** HardenedBSD 12-STABLE-LAST ** +```shell +ishmael ~ # bastille bootstrap 12-STABLE-LAST +``` + +** HardenedBSD 11-STABLE-LAST ** +```shell +ishmael ~ # bastille bootstrap 11-STABLE-LAST +``` + This command will ensure the required directory structures are in place and download the requested release. For each requested release, `bootstrap` will -download the base.txz. These are verified (sha256 via MANIFEST file) before -they are extracted for use. +download the base.txz. If you need more than base (eg; ports, lib32, src) you +can configure the `bastille_bootstrap_archives` in the configuration file. By +default this value is set to "base". Additional components are added, space +separated, without extension. -Downloaded artifacts are stored in the `cache` directory. "bootstrapped" +Bastille will attempt to fetch the required archives if they are not found in +the `cache/$RELEASE` directory. + +Downloaded artifacts are stored in the `cache/$RELEASE` directory. "bootstrapped" releases are stored in `releases/$RELEASE`. -The bootstrap subcommand is generally only used once to prepare the system. The -only other use case for the bootstrap command is when a new FreeBSD version is -released and you want to start building jails on that version. +Advanced: If you want to create your own custom base.txz, or use an unsupported +variant of FreeBSD, drop your own base.txz in `cache/$RELEASE/base.txz` and +`bastille bootstrap` will attempt to extract and use it. -To update a release as patches are made available, see the `bastille update` -command. +The bootstrap subcommand is generally only used once to prepare the system. 
The +other use cases for the bootstrap command are when a new FreeBSD version is +released and you want to start building jails on that version, or bootstrapping +templates from GitHub or GitLab. + +See `bastille update` to ensure your bootstrapped releases include the latest +patches. bastille create --------------- -Bastille create uses any available bootstrapped release to create a lightweight +`bastille create` uses a bootstrapped release to create a lightweight jailed system. To create a jail simply provide a name, release and a private (rfc1918) IP address. @@ -194,16 +235,17 @@ a private (rfc1918) IP address. - release (bootstrapped) - ip + ```shell -ishmael ~ # bastille create folsom 12.0-RELEASE 10.8.62.1 +ishmael ~ # bastille create folsom 12.0-RELEASE 10.17.89.10 RELEASE: 12.0-RELEASE. NAME: folsom. -IP: 10.8.62.1. +IP: 10.17.89.10. ``` -This command will create a 12.0-RELEASE jail assigning the 10.8.62.1 ip address -to the new system. +This command will create a 12.0-RELEASE jail assigning the 10.17.89.10 ip +address to the new system. I recommend using private (rfc1918) ip address ranges for your jails. These ranges include: @@ -212,8 +254,11 @@ These ranges include: - 172.16.0.0/12 - 192.168.0.0/16 +If your Bastille host also uses private (rfc1918) addresses, use a different +range for your jails. ie; Host uses 192.168.0.0/16, jails use 10.0.0.0/8. + Bastille does its best to validate the submitted ip is valid. This has not been -thouroughly tested--I generally use the 10/8 range. +thouroughly tested. I generally use the 10.0.0.0/8 range for jails. bastille start @@ -222,9 +267,6 @@ To start a jail you can use the `bastille start` command. ```shell ishmael ~ # bastille start folsom -Targeting specified jails. -folsom - [folsom]: folsom: created @@ -237,9 +279,6 @@ To stop a jail you can use the `bastille stop` command. ```shell ishmael ~ # bastille stop folsom -Targeting specified jails. -folsom - [folsom]: folsom: removed 
@@ -252,15 +291,9 @@ To restart a jail you can use the `bastille restart` command. ```shell ishmael ~ # bastille restart folsom -Targeting specified jails. -folsom - [folsom]: folsom: removed -Targeting specified jails. -folsom - [folsom]: folsom: created @@ -273,9 +306,6 @@ To execute commands within the jail you can use `bastille cmd`. ```shell ishmael ~ # bastille cmd folsom 'ps -auxw' -Targeting specified jails. -folsom - [folsom]: USER PID %CPU %MEM VSZ RSS TT STAT STARTED TIME COMMAND root 71464 0.0 0.0 14536 2000 - IsJ 4:52PM 0:00.00 /usr/sbin/syslogd -ss @@ -291,9 +321,6 @@ To manage binary packages within the jail use `bastille pkg`. ```shell ishmael ~ # bastille pkg folsom 'install vim-console git-lite zsh' -Targeting specified jails. -folsom - [folsom]: The package management tool is not yet installed on your system. Do you want to fetch and install it now? [y/N]: y @@ -364,17 +391,14 @@ Creating user 'git_daemon' with uid '964'. [folsom] [9/10] Extracting git-lite-2.19.1: 100% [folsom] [10/10] Installing zsh-5.6.2... [folsom] [10/10] Extracting zsh-5.6.2: 100% - ``` The PKG sub-command can, of course, do more than just `install`. The expectation is that you can fully leverage the pkg manager. This means, -`install`, `update`, `upgrade`, `audit`, `clean`, `autoremove`, etc., etc. +`install`, `update`, `upgrade`, `audit`, `clean`, `autoremove`, etc. ```shell ishmael ~ # bastille pkg ALL upgrade -Targeting all jails. - [bastion]: Updating pkg.bastillebsd.org repository catalogue... [bastion] Fetching meta.txz: 100% 560 B 0.6kB/s 00:01 @@ -461,9 +485,6 @@ Note: jails must be stopped before destroyed. ```shell ishmael ~ # bastille stop folsom -Targeting specified jails. -folsom - [folsom]: folsom: removed 
@@ -583,10 +604,7 @@ In jail terms, this allows us to toggle on/off services and options at startup. ```shell -ishmael ~ # bastille sysrc nginx nginx_enable="YES" -Targeting specified jails. -nginx - +ishmael ~ # bastille sysrc nginx nginx_enable=YES [nginx]: nginx_enable: NO -> YES ``` @@ -601,9 +619,6 @@ password-less root login. ```shell ishmael ~ # bastille console folsom -Targeting specified jails. -folsom - [folsom]: FreeBSD 11.2-RELEASE-p4 (GENERIC) #0: Thu Sep 27 08:16:24 UTC 2018 @@ -642,8 +657,6 @@ This sub-command allows efficiently copying files from host to jail(s). ```shell ishmael ~ # bastille cp ALL /tmp/resolv.conf-cf etc/resolv.conf -Targeting all jails. - [bastion]: [unbound0]: @@ -668,12 +681,12 @@ This sub-command will show you the running jails on your system. ```shell ishmael ~ # bastille list JID IP Address Hostname Path - bastion 10.88.9.65 bastion /usr/local/bastille/jails/bastion/root - unbound0 10.88.9.60 unbound0 /usr/local/bastille/jails/unbound0/root - unbound1 10.88.9.61 unbound1 /usr/local/bastille/jails/unbound1/root - squid 10.88.9.30 squid /usr/local/bastille/jails/squid/root - nginx 10.88.9.45 nginx /usr/local/bastille/jails/nginx/root - folsom 10.8.62.1 folsom /usr/local/bastille/jails/folsom/root + bastion 10.17.89.65 bastion /usr/local/bastille/jails/bastion/root + unbound0 10.17.89.60 unbound0 /usr/local/bastille/jails/unbound0/root + unbound1 10.17.89.61 unbound1 /usr/local/bastille/jails/unbound1/root + squid 10.17.89.30 squid /usr/local/bastille/jails/squid/root + nginx 10.17.89.45 nginx /usr/local/bastille/jails/nginx/root + folsom 10.17.89.10 folsom /usr/local/bastille/jails/folsom/root ``` 
@@ -750,27 +763,21 @@ Example (create, start, console) This example creates, starts and consoles into the jail. ```shell -ishmael ~ # bastille create alcatraz 11.2-RELEASE 10.9.8.7 +ishmael ~ # bastille create alcatraz 11.2-RELEASE 10.17.89.7 RELEASE: 11.2-RELEASE. NAME: alcatraz. -IP: 10.9.8.7. +IP: 10.17.89.7. ``` ```shell ishmael ~ # bastille start alcatraz -Targeting specified jails. -alcatraz - [alcatraz]: alcatraz: created ``` ```shell ishmael ~ # bastille console alcatraz -Targeting specified jails. -alcatraz - [alcatraz]: FreeBSD 11.2-RELEASE-p4 (GENERIC) #0: Thu Sep 27 08:16:24 UTC 2018 @@ -833,29 +840,28 @@ Possible Jail names ------------------- prisons: +- alcatraz - arkham - ashecliffe +- astralqueen +- attica - azkaban - coldmountain +- corcoran - dolguldur +- folsom - foxriver +- leavenworth - litchfield - oswald +- pelicanbay +- rikers +- sanquentin - shawshank +- singsing - stockton - stormcage - ziggurat -- astralqueen - -- alcatraz -- rikers -- leavenworth -- folsom -- attica -- singsing -- sanquentin -- corcoran -- pelicanbay Networking Tips @@ -865,7 +871,7 @@ Tip #1: ------- Ports and destinations can be defined as lists. eg; ``` -rdr pass inet proto tcp from any to any port {80, 443} -> {10.88.9.45, 10.88.9.46, 10.88.9.47, 10.88.9.48} +rdr pass inet proto tcp from any to any port {80, 443} -> {10.17.89.45, 10.17.89.46, 10.17.89.47, 10.17.89.48} ``` This rule would redirect any traffic to the host on ports 80 or 443 and @@ -876,9 +882,9 @@ Tip #2: ------- Ports can redirect to other ports. eg; ``` -rdr pass inet proto tcp from any to any port 8080 -> 10.7.6.5 port 80 -rdr pass inet proto tcp from any to any port 8081 -> 10.7.6.5 port 8080 -rdr pass inet proto tcp from any to any port 8181 -> 10.7.6.5 port 443 +rdr pass inet proto tcp from any to any port 8080 -> 10.17.89.5 port 80 +rdr pass inet proto tcp from any to any port 8081 -> 10.17.89.5 port 8080 +rdr pass inet proto tcp from any to any port 8181 -> 10.17.89.5 port 443 ``` Tip #3: 
@@ -893,9 +899,9 @@ can. Community Support ================= -We would love to hear your feedback on Bastille! Please join us on the -[BastilleBSD Chat Server](https://chat.bastillebsd.org) and let us know what -you think. Registration is currently open pending email verification. +We would love to hear your feedback on Bastille! Please join us in the +[#bastillebsd](ircs://chat.freenode.net:6697/bastillebsd) and let us know what +you think. Be mindful of the [Bastille Code of Conduct](https://github.com/BastilleBSD/bastille/blob/master/CODE-OF-CONDUCT.md) 
diff --git a/docs/images/bastillebsd-twitter-poll.png b/docs/images/bastillebsd-twitter-poll.png new file mode 100644 index 0000000000000000000000000000000000000000..2d4ab97f667f99e271964d47f2c75a8e0d782312 GIT binary patch literal 40844 zcmXtf19TnV_kGx~vC*Kh(Kfcx*ftxhapT6eZQHhOn=dy0)6f6+y=%>TD=+KK%$s}e zKKtymZ?K$<*k^b=crY-q&l2Lo3SeLm@nB%!Qm~(ZPlCc-jDa^O2SEuXSYUX-8vO@ty-{4kcDe3RjF;2CMQkX;xO_`e|v2?vWL^xPgW z^}q4h8CjrYVfKGR>wAhqarXZWyLmIo{QrG(KsooNod!#Aij(QDj0usiHiO5x%9t|( z2?JL&e3CzE=!SR#nZrib*L7mMHHCrW9s?!i8~U05yG&EYbh>Fyy11h%y=Qni zS?#W<%y1nAxquK6cDojWB|;jK7)dS>gFhu%OWGJIWRkC8?5k}0R>|q-93pwzbX~<% zo%`gknF6pr0+oX%jqdrW(iCMXry#O;Q7iEnVSYUnkpO6_ea}@h7X2xFDh7t<^!(ZX zu3wa~Y4o(3HEXB2nep1_t$V?Ga%9WkSF>CEw+Di(@N?p5;JP_f_ zqBG2Z0s=2~=oObkbW~pL7`JX0w;xfe+r#d5Mmy7qH=ExnXd(zSL1Fx1ebMSb0Vd!B zUiNNILWy){veP85^AvOcYyVF5{nkCWL>_v#PBWfp{oB8B()WFSz_F&UXo3*;(5B$%7bh+UcDKc#e^-`oWmJ?Cnsas*)dgQR zykkh13>9o4`Zfe4L@phA5$v7;v}!f9Wy9yy00WaiXqI}@Z<%qJH7w-Ng{LbT47nN& zdK>OGGi~aMudg1_(gjEqc%0X4@;?268|C`*AU$YvOv4~%=<9;+^$Ij_`37<8Kw&D2Sd ziTZ&jj*95(qf(nwE?2qYZ!*3|_vGxj4V$r~9#6L-%Ui9Y5)k;7&B|*i2o5yYk`XS+ zI;)uEI}FHlBqzwrdqOZn+}`goh;BTd z2G6tEirB9Z5LN2*7<-4Y9+!U#2`SdN!xQAoqn$W0M7kAJL}gSc1|unA6JlnHG!;0V zk4K8G(3hJIR3peKm6It=GxXmH6NDMmRXxNLZ(LSHFmTL=aT!D%=Qs2Y?bOeSgwWpF>T zDz0>lL#@7q#8Dv3w)e(F@JA43raN_fe!j8C)w!VPXQGkAO^-!0Cmo5-j&|6~hX)U2I5-M2 zvLtJ5PG;vh*a7M0@R%6|GKrl~SCE6y8Gq%CyE8~qO^wQd_Zbn4sCGHm7GkJIT3nn7 zQYZ%(2YuY{VQl9jD3kQbY#pO@!D`iRwh69DO9ptF4#Xs13TGww^@z_ooeiGTT^#gm zAX*!&t`xj{g#@W+>5VnlK9NcE@DcyHC*)#v+cARh^IOJme6dIw7m^c)<#Br;q2K?V zZ^*}}9fs0VJGZVj6eDdbPE|OgAR)yOAyfF3{ac)jcFT0JrK$>@`kuVofOLwWQffn9 zKEa{*42d)at3E0!6cn`k2m&m8PF|kB=arp!jDKV$5fG&;COa4t>Ad47nTgxB?06#1 zy1IN|&x1%5`%Cf|iKC}Y!$t+No$nWuyu9HGrpk^dE8*L@15s|I0lQ+caB!bD7|PwM(M+^731eDi98VsLEx0$S-?vlu3>Vk35BI%aL+?@>&``e&ILLDM6rr-Q zn7`tfbaExmntJ2Y_S1f(jRVJ9>Ri3!lO*st44(+w^ypv#qx3^a^5;`BEnWjI}+B=Cta^mU^*eD%FNMaGI@fA zjdn&OHwqmFk^G@x^lO(nlH$hPKi>Sc-O;%B$C7>o1YNYp{*b4yUM5VFn%p9?Y5S=q 
zn4{`x9<&Q?+pJZ0GK2lc%2H*j!pahhL45$h`$??5GTS^>T*vK#+8WOplDC65uONMI zcd~Q4Fq4)RmYkeiYiJB&D;@dZYOnXfp=yi>0xA8`d+ohL?CZH)d3V3}fP52OAySGBb8aQ;065PR-lVp>v!|DV^h5 zs*)saQl^3+hD=1E{~)8auTuASh@x+UJ?wHw+&_wHsC5Wf*NR$>!_5Z=xU4*x=*}QA zuSJ;w*I1Dv$miE721q}0f6Uc2-)!dq=^uuO3M4v5uU~v;!B4&7a#0a>6k*Uef>EU2IGT*>^`_!@Psc>OCP2 zn=uUlbYsn|h3$KCS`3T z!jZP_ztEJ-+%DTgdKP|=SFVho&5IP?+ zZXr<9%2bNR8-vsyH8srQ){Z0*Q&hEG6cdtzt%e9s&WT+jki|A~6wXp3ktHsp6ci7p z+@GY#-g!j$Q?ycHSOFtpcGiNQ;9VBAc68+PZ_5_>s*%>h{z2KZ$Cr0^ zB+mQ*@wg|Er`H5yx-UR&V|)4D;(YOU`40K0r2NeMo0(x@piXV&xZYq`pG*b_k{?Rlul1JhMMn;bT4WU|++cTSbPP1X(}r{I!4_wbPq&$#ch8qHECdsx z+QX!AlYOHTIA`m1!JZ3kfUvLtmjuXQJ~{c`p3yAnh~|I^y~d6sJ9}n^4&`#rN?mSU zUQ!Q4<23;q-Y0$;nFiI4v@<$KH=cKJ@XzKDpFe*N7tOVLK?)<_`jR`WWXPL4{4dX$ zuXYIeomyZ>3$r)*hZjw;krj%Q)5p>Pn+w$IN|YhMIbHu zwKovy;1q<#Ot#R@cIIJ%^_6nXx1_}JY$_s;<{te%g3xE(y0BVBD%1U1K1Ed2o`J_N zDB~HDg9H2NRBDphY36r^=e0f-oyJN0#|D?FJt&>EedZrf4$xam?N#u=d2~KfUL-Mx zZ*393zxLF&UEZRXsnrL1x4(ViXr9-ErKMt^CSm1DEr^c(R=n?%+6zvqx+<9Yw9WAEDw}LXAj0*FM|u)XBdo(Y|Szo;~%f{ zFTVyM+W~+vRp1GO_Rt5Q)}Q6UpeDlA5+}N1Dz@FVWsTLWA8ulUTL7-ifUu*Sy3cJD zwUqjf;9|`%=Tl}WXSrQp?uqy}X}JfH&!uh^a=f&w!+=;7jIlaikWja`5%CD5Y;OwwX7PuR6S^YB8x&>@ zmB{^)uToQ@Q=wD|{T$lAlaT~1P9qL~gy92@n;XR>&f+E^2$K}e%&r9C|0R7s*p@~O zQ=kLV-YN=&vbRDqn{BHTfaoV25ee=dMFgV|!F-sp8l687nUO~oV)|6;+u8O=K)9+~ zQx+E&Xa5pr{<=HK$YR{1CMhKe&Mh@iIGINK@nu-E@+160n=7{IgBVF{KUK@l4lY2X z9|Lo7lC_0XG#uyT>9vP7^5)>Q5=Hrfe-_A=msN6=uO%f3Hi}Jo^D?O{-McHamB#t_IQ_-E5jBWa`pZqtQxCPYwkJZCz9B?1y{3u|$lp$^kUkq)K31t{Ax4YWEw4 zH4`3O=-;iiV@2fzJC5{LCram|@Uu;P5Fu_Bc*fJe;OQi9US6itY>WES#c!R#TRYR{ z+AP@o>q@XP=;qm8*@ce;>Sn{uPsh_u&vG%)`m0T!F}=X}gy`@{4m)jPO`1nYEu#S~ zO|QI3{{dBhMS{GRhOkd>@SXySOcW+&I!#wTF)fV>_zxxNny#W)lo;RPqFxIq<;vb{ zHqtO&oG=Q<8h?S9%R6RtG%RVQP}{h_Omjm8RNw-Sb-xDEil{PvKY>&on&W?;E%Vjb zkGlcDB@~3Xll!nqO3EFEo#C1ml=%!9I}oYA(OSzh+LxHi7+L;w-b3Ce{Gbn%chY!l zDL}D~o)|T>JJ~L*a$kQ(@EO^OHk@AbTcL62L3{*$xM(Fv*Sqm=XWP9EFmZ&djk~cN zHnR;*7?p2#kpN^3GAs?CVET$s())_i}SaajBIi%LJ6WR1&`;v@M*KAa^WAP@!h 
zLPueY-8*}r?c&YCI={mpY7S#!*obA<_BV*IZuOVWLT_v_CDqWVA;9wMKy%5t5<$^q z!S8-SQ~%0w$XB~&42=H$<)9<`X0?vrBz`so6F+w;n2eTS??K^*T^s(EJN||&$ydm* zThXQ&l{-lfM)F!pM^2u_gOS-(@Id`d43NA@mWmvzG~VQa<5+XyA66rM#f>a(J!Bmj zA9m#`ZCUn=S21|LwX`9E`U1S1>0eASk);z2zu{FUHl7d9p<`fUPUpJlLO?(cx7c>0 zBMs{}y5CJxjHk@z_!-CNg-n zbGgsCoJ{(X>j|Yva0!3keDBK4b}2r*ZB&10gqSSp7>n z0IfoynBa#I3i{v%tPCZmA7jU(58fxMlw6H6D9vB&QdaDeBeom_O=-?r3us!#B5GyE zam#1o44A6H(7$AEkuV7uj7XU95pj%h)s?44(bx%xM0pqp^}glcjc@Hno`E8bm`EMn z9Am;JjD(?{h;QAdUjB6dm10a{_ac*0tu(%A&{mz-Q`WCvR%^6FFrCQARSde%u;pOn zzQc(jt7c`$7|eM4D$?Iyrrz*(f^gM+qJH_D`}!8a@q8`V-DF(vfS!$&i6RAnIy%|T zN9;2%onT=TCp%CS#v^w96F6ejSXcwHmZu zX^0^GM&=LZ-6>g3E}NIW7hR}Bd^h#QAEnMpv338n-!${mW24Q=G~AWm*f?YV41S-g z#+-HX8nl0shT=O^FwXA&Y*fx-WZGh=@%-E@wAzP6C_35UDY4YPYKR(!iyQXM3>A7ommekkF8o!!UQ#N=Zt47&PG>=gVSar^W^BAf;swv; z)!j|q>b{Y76aRHKq%bm$u(%l&$FlnOgvDY@Ho1Ap2!_Pm5}HtK55>}7TPj0oGL3%e zIaFkXYqB2#e$mFsPMsCEdk*Y`8Jk0klaa%X6U2NVQvAh=g0i}}tSmjzFv3IS`)tqP zFg(8Ks4AwFI!oF2{?NTcN?(bhTQumEW@@=1PiQfb5{<(D;4Q4hJ)8TW7&djicgoN6$r^P3X8s@m?#ySyj zMURwzcm)+D&^M7d6PM>|fd6hQ2fs-E9*aq?Pn2{b_3JbVmRLLw);`X`1a z0=MKbX5w~tG>~_d3*MBJC?;`69QK|Rai0sMLmF%n|Z_oK;W?rheEUPN(&s}Fl z9>55{Sxx%_(aGbE4haEiS>D>CsMaF=q>9mhs=p;D`ibX7)UaNSn`Hr0A^~9AUyDix zW7QL!;>)5tP&P7Jaf%wJ0O7)LA5w*0bAXf>qy&roZJ2p7M#YiHe1H6(2Kr|9%e;-dOVTX&g=pH?Ip*Q%x0AG;~H!J48*c1JeJ( zd>KMzo_92GN-y8uzA_`v>*H(8PL7C@lyvlVlc3P0)q;Oj#QBvKn$LzF1UQlut{~Ns zv>Q`0im0w*PrEJ}i9i+@iJuTS)DhW(sMI!uvYkzZ!wNX25w!n_jD!1W(@zB%=rjnA zv5U_s48*MXtHHBs2=G)4wAo_@+X+WFSp9?FC3nZY&M{3o??Y5IBqXSb#$GV~e8>NB z)3xrx~+@m&r6q$^F~n*d$)37}b=Lk})qAhLVzh6!H1){3js7(he(YXbkug zC8$VxzZZ+S0!RCdOghIXPb7ChdxEW;scd?mb?vmx7V(ct&EAB&Q=ISmq=pnNJXeHB zFvj`hVVNv|iW0n9y}rAo;1gNNsNHhMFAfpAEFG#MUl(Ta)A;~erXT~1_~zC1dEnM` z=n~aPx9Lv~4OF1kwZ#K6EE%AACm*ufauWE92=DBko~nxuwI)fKOE5G088G7@!jf#; zHL_6$Z?$#{Pi`eAj)(e z+&QNs8E~hSTkC+@<9I%eP9pL6{ERl=K!_UsQ=HE|upED3{!w!tv%R}Lvc5+FPOo0= zalbI1Jzb`f{|G6lw{|QoHQldwo0!76iZU=y))nP$R30P1?*$E)+YtwBF!D=rT%j)j 
z#X!L|FrC*cTyK8rRF*}&dGj)GzBG^&9E;0k4u2?aU4X;S)87Ex&=IU_no)ESabJfS_l3DS{PZ#q9~lH zJlt_mY&FKg_Abaz$3~Dcb?SIrye2GfmPCreD1D<{jAn|+P@GsC0z)oD(hdVl-?l{# z6I*6DxMT$ti8f^2XSP7E5#db6XJSi8t@2{)v_T1rh+BF(rF>~pH>;>A38K}nm9yTo zStfFPx#|%R`}5N{5@l*BqQ8hCh4u>$JV`sBOKin5c3i2^=z8C1(_zs9ys|*T2+AZj zIMnqijngymEocp^b}qJ%!}a9bcq*HaJjO)kq|rYW_%d3P8DIo!4@a!8Z~NFs)9nZ) zIrb-GxQKxxGGv(CZ#%k=gQJXS=D9B=hfkD5 z+XMIpaLAwg4eIT$=Wr*|TK5P&xXI%$02PQ~lg*@&YiM}fc(c3LhsaEIeJp3Rm;EiQ(h~;Tn?xnQJo#!CK-_jR*n|eZ6{2F^Q>u@csb-K$R>k5&UrN zA>hSJuPMT8aK^5r+;80|AC)Kz1UkV=;*q@Gj?1}l;p}vUkeJ);Md;{$URmATu0T24 z5pb?tp~4ARi5x&h0o3fJ%qkdLS{6(1r)2%y0VcB}rm_T<$l0OzG)XByu=cC7+KkTg zgQ22kFnKBXj7Z24BBR|J>-Ng7QW`*n&7jw{h5t{H{*;Rfh@IFh4DA(D`At+~lZDDk zmH=^x%%M^%$6_!!tYXwhrrsY>Qa7hIAB>!BQ>Nu~z6b$=M;;Z%ULyN4d%>W>PTwFOx~ z*SP)T12E;lwlysk22DxpiTU%N|F}z&%2Juij>~*oe;LVN6GFFz7wgNTE`d7PpCaR9 zeMJ0r`mtm+WZkZ{(bdR&;$wu3`tX;%_9t|y*zaA-dA*NPTcxaeEYF7bcS0<9(T;An zqPk%|?-)|>^zJUX#-Iyvldl%?a0|U+!@Q1h#GwfN`uWn;xkb)K?#vT4EOc1d{VG&S zj!+F&Vx2)3KH}(0)%4>MskVASU_r$P~;-0n+j2p<3vZ33Fu2O?CufsE*w`aZc&$Ac?W5) zHrU_aQa|@0ZWUai^VkG~H=5qRHiJ~%yz2%&umD}j=>GP4A*`7)r zLeaBb0fQ-Gc}$r;Hcmt0iYeK$oXRDZw`hz7aA`fozm~84AnH5bhYOGi5^ifvqm2oD z1bmJ@i=O?!?-vP35iAz?Elk!c7TJGnYfEzn#noW_-Y)VViT;QHeg&Iw;4XX0S%YYa zTN)B3A%uwd5gGJX2wf8Gkf1Vl)EHkp@-e=5!4yt|mq7aSshv?_!Lf=W_C)lO*iysu zej>~c>0|O{eZj9K|6YNh#b6o^x?gzQBs&*|Hz#U)aS#3f{lV{dZsTEOP@d2@gh)n( zJ30fRks)C@ExVV)B_XC)@;&Fp;l89wT0Mk!VyH9>5?e?O*}ihoa!gbZ>e2l3K2yy+ zJ*co<)EF4U0sI1B5O7f_u>K{aw%Otp_LH`RRGdc2K{D|pHzTl6HHsn)%ed616~mg& z|2ozG#yfU#BEa70!g3Ijag?Hz`Q@YiHTxAYFy&CGl&)W?*)&70AuTYOvqbu@LN58^ z2GefSJgAfEFP8+?Ka}|~EuQS^bH43e%a&+F)2uPmp3BVn8fZW-yjB${2E-C|Wbn^xq%*CLkk!)3qkiV|sSFfG^jv6M*WuHVvV;Nb=3nZYPp zLlb_`=S2a1n14gmP>wNwrn3ygj|PPSyCO2_$D|M0xaA}*(6zal*|#q%zZaX(6rX67D`AY( z3k+YJg+={8HgaA~UR4ZhbR>=c_WPE#2*Lg<=rGl>V8KI5vS7EZzPCYS!$0s2iq5jN zCwB1^ZAcnJOFl8D!;2Vx0XQSS0>FruPz>U1=f-T|RFw^i;DSgD_V|-D) z(ZJ5|uPQnEV7SS8NPpg!uwC0VtO6N4-O8I&`*FNQK`{~8|iN=Ao{?d2|})_r^QShmLl(Z*NTVxkJsLZrKW4KJWk>2Cwfr#odS)M 
zOrx;^<7g94yRu^pqTrT2wNg>+yqk-=XK68M^TDoa*5A<+CB_#;C8c@~4jp^0bMZei zu#P2J$+_<<=hJ7%3?NjLiX6kwY4&1>v?X|8hU!Rx6F<7~6xi^k1FiXFl~p8q{|-|bLiLhM6o z?t#~q2c3XmX^0ndG2^uT?ajmU>WZl#Tq0(q7hao> zs%ZZ@*q%pGL@=uf!$?AjZf-Gjm%7;Tc&=LEdGE^b@g?(J&Yb0ZrWg`TEFyodIRg1$ zywG7&O+mr?V{zzbGSjEj^$E{Np5BL0@10N^Z2MPX<7R6Dw9zngMK2h*?_oWUBMxc@nO%n!r<&~uTb0i+5Q26zw`MX_P%m^ ze5~JIOpnvH15Irs6XV##Ox;R1f{4@J;3DChXyJnWKdB33L^bvYz@BTLE%nWF+VjzGa3WJ zfA3yW>~1I@-WJ|R87uGU=v3QqCfX3p5wx-#yFgKb38LaAf^9h7+qFr0ncP1D571WHHU4HUWj#9}36=)kmdIx997#w2?Z6 zUrUS;fRnntuQXaIS|ukQh7zJE9$J1fTh75H^1l2rcz;d?nAmtfE_qVeEKfKXB+wXn zZ<-3z+E*8^)?y=n$J;HAX)ZUIKo`c`*BHJrt~tHj;;n9Fzg&=djpE5rklT7}GVr>A ze)jYV@(lJ03MIWv;Q!KYPuqQQj;`@$^Y*wH{J0|7vS zgJsGu_i?dRPV|wywzBySFL&qTJ2t%JfRq=r(|Fab`H^F8k=7HyI6B?O_(OLq&t9W%D%3Y?E*o3G>6I7Wo;TlxpRXXHwC`j7Mzd}3i;f7m zIfG6lPJ!hJU{3P)T`XA*?StHv0r%Pe+%Snesj3bv)IN$5?#lq$QAFTtTe%DLzF3_7 z!D%R07Z`b8Pm`9^>qpj|J%#_;-TL7b4+Mk%c; ztP9hw9}ZzLl@cL#6ppfJQ0FZ2%2*S1>J*zh?DG}q6Q>Cuw1^QJ&1a~goJpdsXM}h@ z+rq@gfFDiQBWN~&Ab|DRTfItnw(k9>IyaE@Mf)L~o9>(c&|lksU0dZqpzgbp?YDVrS}9IFY?Ma4tw@fDHcaA!y_QlTFn8NM26w4TMPsc|@( z>mYPl=Ov6C?(3C(%N}7FH$fl8_7c(41Jk8f6E-)eX0=Z4nSst^-A>>FV9cM=##x4e z@#9T50|ZzqORO?szIadEJgG@qq*ro$BTL#x=oGD7WPaG41p9q54fAwy;~JL2O&HWW z3<)^rjt9ROY!vE7d)xwq9o5KG*TS!m$o+3(hI`EXDckk2>L!atACpPvv+Bsm$fI3< z3C;fa#Kd-MKVNigsuZAzHh)yC!XYAVMZB!DZ4Ui~ec0=?L&)@g;StS^u8S?i)7osB z{>tI-BYknx3)!!`E37#7Y0s~b!KhfXVP-q9r`(Xd^7i7D1&nK4ZQ0dh_Eo6;Rb!f!_pJ2mwoJ)kLTK&u>Z> zBz~W!Dt=nNzYHI$(WwB6Y9HZjA&Ze7;;v1yh@Au+*uzB1aOe9w3zze`{*^54(ONZ+ zEZ;NnKNYR-#=GRM5$w@*9#5rA17WM4#r9PgFDNDgK>mRteYVTnTx10mje#}UwGdNa zDdlL?>rIGd>esIv%``*0NN1|-Kf0d2A#><#m=q_@dy)^z=3Oti6S?Kjn~o`0nV%wE zq;RA!`7oEQHbMUZ^Y(6WJn8a2@Pe8vxB2Fu-n!cinpi!aErm&KJclBtXh8<^bidn^ zn?ap4{X^LL@H<_1)I)iL&(Ge#8o-U~JkXE6bvQ`RCcC%$uxW5xJUeeqZDFQM zPe)^N_xv-@)Ch$Dqp$a2bKF;!&uD50E-o&?ZG<;5qx;O|ka(D-H?U77WmHm9a@qTm zNh;wDvFm)ckQuPOumhq=-`fRDSgXm#$l0O}3DEGh>EOZ+>g@(HdJ?xj-DJnDWc;G? 
z;{DM|GdiEw2Q&vqv&U=y;@+N)(Ph{Bzuq7Rk+-PZz>}o$qR2r@SnO1kp4am`t&+(0 zjZH@(AR6JrAd_}&c8*y320qksfZDqKnc1q32KNd0qJhUP^t4sJ$c!7F;co2+$^e9N z$eYf`z&b@!SR{C|^EvY|3LDv@&h}ewLs2Bd1;0qu=Jr#KhK~szxS|qC;2UM@Rm=1) znHfVhXLnu81x^^<-2(9g%kkfCzpSavNfpyE1CAIPAXwvnY;m(Ih$`zN-|TJ!nHHC|7P zdcKRV51T(nvBs0#UfTO8FDhANC;CI%?l!#JXD(ViIRylKFfcGwMm~-pAEt6#S*<(X zfZ0a|yFAayKT~^Qt!%q(6Dx+Gs#Q~~&9<-{h*wIiY_Rm&dv7&I!|l#HcBuhv>4VL% zGBAPK*>E}86T&qcrVCA7YV7SFAG~>sl)U8hz-0OEiBlUcwz?@ZV77o|T@BnFx9vlj zMSL4(>B4VMw&bui*VXc*aSFNwDYjjpRqGl*J@wpWb^iX`DspkJ(HY(JvsC?d7k(p| z75NYOsMo)=C{4h%;?VoDn)%LeC&7$fxGA9z6e<988Xfyix*lbykG<_VxH*AB$RygX z?qAY49U4}iPoFh^1g?R(K0$l1e@IO}jITN~d0%)pfhty$Z>9^O9$#*DYGtd8Ul=Yt zF71@&dF*E=b+?dZc?J>@y!1dFkQq0XukbiH(hK!^)t}B?ol964QE@ntAst^L#jW;TuOe)nIyx>uz!xD|eIgqD$ zc{ueWllVpNT~sc$X$IT6`>`<$JZ>+wGR0OoN&5AoyUId)O&z>)Lmrqt&5b)`;c@FTq?j{B@F+5-{591;PX z4r%fiHd%X%GKFI;QI_IN&>XhNX}EtpCCcnKsb$_?P}drB;M3aQ(=t-{jJ2_1RFTzS zcfI8IfQGX*c|_glO2B#O`AqKKSXtU|5qMkc!#oX4UI^P}`e@p9P|Re{D zcgQ}is{0oxumkVzBUJGgk%+pA11o$JcUi36+_ zvF+DBvopWP*@1Y04>OI4rp+kCa4xVUP-ti|G(PY$%KafB^JES>6(5{!v&UrAPgI_6 z&M?F*q-kEB?$s9OZVOf`zP;OeGwhAn7NCrEdF6RlbCtmjPZ;y%9M}56!7ze}>0Qba zWvWtA{Y`K(i5%D20_882RJA(?pDrfeMpN$AP`FTZH%}62@%(5jp9V<$#3g?20;W>H zB0-TG%>(xWb~N8x-Ze;0HUn5?9yUGFovk$8;}<)1bpgLJUxnH+$7a@It^1@-i_@_` z-C~E2N(|W~B)_nlTDU8IF7F?Qed@a<2ds=BEc!dD zIIv9yEr_n9=w3V#6Nwl(<#@=T*uRLC>I0AMFBSxRpR-8}E6T=tR>C!LSnY8*(_ct_ z>q&omf({^%=2STBm_~tz4_$KELh*xXeu>GfWNdG7F&?hT3?`gHCV>)!{e*lr892Ub zL3cXxRK&2`PQy}L%K=2Z%J;EE)tRUcn$he0X5zNzW?<9A&cj8e^LqkWFha7rk;x&7 z{Kny@K4G9R?OWWWZ#m(yQ*8(WuE5rZ1Ze#AUjhm`l*k>Nv^Zo8p6?HAucv9g`YVYE zJ*)SpU5+D5aqm-w^tgn2ld-e^1s2L&@r9;MMqj4x?}X0wcN20*A#Jm=`^`El7~qcY zemUTBQw0J*L_znh58cjSDC?boBLV0_AlxO?(pb!L;YqejI}O5z;_M!ZncFc_(YQHM zHGNllqzSS7!8X{h)?GQD{~;c3!e8p+Qp5dQ4$g(wfOCaT%oi zXDmj+MV$aDWLx(1*B0l09)@3=^+Cn416SQ`Pq)X*eumV=${O&Dg;hmG1N%NxQz(-$ zn%dNKG!SdsJSDWO`S7gXCMrK-$WRF|9Dk-eRJ0vzWf23FmE_9yh-?U^R1+|xzGP$> z9=BeAIkj(ru=Vk!bK^jGMZ(u_?Zu7P!^JuN?&;-8K~7DH+VgpCnEUr6p`+O*QaYWY 
zT1H_*JH_YnN*bVn&7AsE$2{K{OSWnyYKzz(#mLxHm6MH?HWi?sU@rbXTtpuKykvAz z9dBXi=9I2)|LP|;iAMgCiV8yS=mavDEkrJD~ zaV@v=N4)L-u6eXtO6ld*0T2!-i%f)yv{BNpJx`;dlPqU}YJ$M-4l25y!C#^=YgR<4 z7aO(d8{#9~`{$@wc)ny3MroC8ecI^t!&-{#w#P13Ks5|>bnZF=pYLmdDf;E?p6_mH zlHg9@A2??pGP#uH=NIh4AxS$_6lfOlN`J zK;jvnBB}PMt-9LjTqtn)76-@_hoK=?!4?wo&J;3t0}CCM(BXzolR7W)?$yZ-rxA{Xl@0|qWW*ON{Rh^rFF}e^bN!P2&N|lk+ z^w?95!%~o!UUyEu^cTKBRUNksqK;?(rD$|+DSSZw(Nxw543(mxMK!d>n|QH#k2UUm z9Rc{I0>GO6t8;%}W~kSXY(_no>|Ud2>zMEJ@G^FS0qx?jzeSGLMn>$-uC5uNRhNEd z=M(8?v4?FCV`mrk&4%e(9hW%JJKE@+o*&UhN7dKg+i!hQ>qqyDrF}M3GlS(!k5~(J zji2aDlUh`E-FO71{u=1AU%t0J_4QLiT%MsLFXBx-j$G~1MT*NOhMzMOqN|tuDz-jK zT5YqUq?AoJ8K@gh<913xI$ycYY`#!yb~?xZ(Mp)QE@LY<4!;^-rqSrb_qJ^=iby!N z<@2`O=1FNfkss@P{q3tYfiH^htFNH*;9?v3*2sO?=4)d}Oxu}rDhA@P5EV&>`;0Zw($=4o!;+_aWt*DSO(Z|mxg z5uZqirO{bq8Qc8a((b+J+an0TfkI_V_WRqJfex>zU-ry>+|V`5e5mX9NnFgfA1{1} z_-Lc4A07cSH7p5l*Ou+ZHevUh0Hp`Y!6x%ZIbajt@Yuxm(G~iy%jBVxz-l^1H+FGMk7>#|N|tEVQyQo~2TY*-Sm$Mc<0- zjEg^Yp?rvu%4pL^NXJ{%`j<0j`s?it&Bl}7m!G6x|60t) z_EC37CmT1R zPXx=ZO~x|5;;JVcFD|~}>z>=psokE>`vEkd*0|OEV=lvA7(O(l$#8&PhwWXxaUH(v z`Dc73$R21D2Z)F$yQ$otZNvlJ?%ysKgJ&zTU4W@OjVDpwCYcsvGlAa1rWNRl*O_h9 z#h}ejF&CE5+;qMsRI`0P%usLCuU1>CT3)BPJH|hpFlH+9;Ha(u!Z>g*cd*HI=eOwR z&gi@SgdC^T1}6P6DvB`N{*}+ECxmYKyt{9WS=y^q9v)+3FSk-E@A{GX7ggrXg3a1USCZL9hbL#@WX26Uy|Vg)6HDjf zs-m&14!B}i2m3FTGxjKBn3@tjT6#bylP`i#`$Q;?6h)Y&2!`EbJeXC4Lyk*{#t`IN z2JcTJM;=8+$dJxIU7Y36GKndpq#iU&&1Cq=9am;Kc&fF1f}A7@laQUfN=lpoa!6E; zFbe}!FK(!DH5!xBBsWYsx++(pY_>W-Z(FJrD>NP`(Q!G>J^>odQjKBaVbZ*XFGVXP%QXUAZ|*hsHhE%{{_`}Jy>5*8W3a4`c) zQc}u%x(qk9!P<0k!!!P5t@VSyd8`s}{C=Xt3LQMH`f+`IbE>^Le|gfmxt-X*c|E#g zqh9lB`s(r4^f0l??#|!`?EgaOI*RT+B3cj19aIEn*Ex=>O}YQQp!6*qPZHR>_vH4j z<=jt>f<`c=-MA@v(a+8Ma>CVh?(}m1LUjGSsdMnc$ZIg$knVUf6|rjFoD9^KbLNa! 
z4e53tk?k)L5jk!j?C%-psX9lnzB2-DsC2|XTZkcYfGzCe(I#U1rNBN!5qSY5lO}xCzgbhi_ex>kbE^=@Lr9Y3M^iV!bvdreC$?Oj9b6d#_l0znQ@d^E_4l<;;cO_zP0+$;J|Q?gJWZgD~;wE3r#Vyf?`8 zxbL_&FK-El!;u)!DEbBlj9Xn`xgk}M33+4+k*r`_U1LiZd#9-3-@UwL;4r;zun@2r zbKMicOhJ+V^8&~er3^Hrx4LGHy#ZaDcOGjnhP9G9-qQ1Mk?QpckuMy~VaqCxDr=Enr(tLe3@O}4pNA`= z;^Yxc2QM|@FLa2_YO7X9<)~kY+A~sk^EQ0wp+@<#JK64casjgFyN7r8x z$lsvxY5(=M;bw#n?){O?{{H^iY)e@kd}jX&S(mQO$;_goBS)YwwV62~Tc0au1}ia4 zO~7Xt!nT2*cu#Z|S80NRjxSYtp^f`CGRjVXRH4&45wV`!h-I_U5X&|gQ79W}ntb_= z(>0skWcncxqj>TDkg$H^y1Nvt=y*Jz$p(mHk6Yk*1)NL3PWfHld=d(Y1pB0AX zgN@$yI}YQ9LTC7@Rg?@`HspwpI5M?fnIAdAw~B6fPl%HE8DEqDmJQ9wD>`-&651dO zl~k~$fR^iLZq;KEv*o})nQy^0L}u!&JGuw7A7VbHrRCnvLJUo-t6wek21h*=4!epZ zF4Rj&I=~44Hu`mPXKV4sYr%^1OT^CcqbR-n~CrZdtMBdiZP7YvW86 zdv`Xyy&VNVF`-(Z_b2bFKGRuvWIN7b5}XBgKP z{xKH|6hmdd7|V@tR|2ce9ff%y?wl-qmcc_7h3Xe1o@YrNwRRI9sa}o5#l`(vE76|z zOEIdgx$)z-J=N1E;|~MLjo(+_-SwNDgP%D37|5j?;1+>{qRJQC*JV|#X(wzIZQPeJ zJXmu>t#gpWL2<{`Da;5WwgmppAlR1a#EhHhVjYhJTiXfw@bS*Z%_0+BzxIebwPSV& zt~xy&!%3UN)LEFZxCSpOcvFL6R9q_!*E8^ek82OS2H6G`Z*#EwMHcAMJDCMri_z_>KwCh zD`rcFTqBfPuJ!3S1rPo`x35fHN~!W=#cZ3oE2A0=Z;K;Z965L7NX(a)@`U_(g7LP7 z;MUwkET326*Y}QFK0{hZB(ABGm_HXPZfqR45XNJzkHFI;b7*RPi}hlteZboM!EgEy zm+wQy8fp;j23&g|^3pM9w?X3`-1qXKyetmQ^(iKPg<&TpRkRpAdb&lYId|f&V@@#& zh6?u7yzsKYBX7mf3RT<>MfL(pnIWnUuMhtGR**SOBkwNoTxWLP5jFDEeM-p;8bxSG z$CBgJECl4LJMEn1Z}KfWn(`MJa|eu~e1G~KgM~|&hyBx&*1o9G#gqVMqDybt{iqNk z$*_#^Z{|Fp;3byVwjD+}Ggdbld1a9B3snl^R2s%hOPg2qMUmH9CAKG)-}H3WtX14S zJ$a}|w~1EZr^B*)35XprAk9(f+Uygz8Z-)T3tq@}@0`iv9LQU%Y6iGSCgBm#!YP9h`Skqb-Q)^ZY>pK^Ot zTp;I31>e?B{Rkz)CO@>mR+Z)-0u_*pL1A+B$sh5HUD zHPcj|7J-o{CK*r%}$n$}t{4WL!=zU+J0|x=%NI#KS0f#!gtXoZ9$i zH1Fzq`ShZjm@v#}B0^*Hn)mWcN12I;KN%f6y4e!SXMCFcv{MbAQXzNDB*}*~L3l#z zSuIdhHFe5U?=3frp)34EDr_xI(|nyAN#n7l@lVA~qv$uPTSuW@mAdBoeSJlJZ%HY? zH`+42V4zi8TyK*7`m(_dLn!8gMIs2DrD@t7d@@VPDerDJSP3~G-+IK6++7V z=8mP~L67h19jh3v_jF$JdBrR_f1(=Ekd$e^|MgWuNCef8^>U3vn_0g>$SM|?0Lif3 zlVWhsiniN8T6?jMaHjDJjc_%($d@LN%59ZL=z+s1n=dWzXAbk^G#Ng?5c|Tb{6*u? 
zcEtvLg6FMJ#AA&K0%A6A6@!3vuh|$wT+&y30WehilnqU>a*ax%_Tm6G^j+q+n0*wj zL>=Q+JU?1BkavA}g!{w(`~4BPCpDkVKpPPY)6&kTSZUcKHEBkTAC;ENuz;8FPm)y_ z7$(?Pg2iM_OZXImXf6H zl97^Ro!To3cY6Ke^^*;Er(<2x4$YF|<>R_3HOd9UZ;W3fNZ3BI@tu_)=#YSA@OuB@ zL-x-+Irv{)muP+UH%!jUZ!%xDew?-IEt)h@5j|M_lRil5=c_tM&s*}OH5R?Kfrf&XQs&AOL`#pBV&kq;`!iAKXY*etb#7im!rJ3iofY(&9=qu;wKaC$F zK5h5lQ3qZfqryEn?mzp!0DCd96=r=dJ*x3}{C(8uWTpO8z3)F zV($wyq=he2ujv%se^Wo}VdRb&DP7J^ z)PGz=Mx!kBJ1$I0P6g}xqcIJ*iD731C@&_xA}(cpOq$&uLvQ6rPi6Ew=p2dJ)7?cI zj2;$Gr+kg(d8w|-<}WCxLAz9C_+s*d;%2qerdiE}Zq4pgorlDlHE;WttGUnOXF~E| zAi&}CK#f-&MdFeM8C(W-_CRXH`L+ns0^cjggvgc(_SKi6P3C1cIp{t`<&dF*!uB`vLl=VpE{IlJ3Y?cieO>dQ>DF z{aX6DR^jqv>=(6?bp9IizS$2rRJ3m;o%GPSWV{#3zNeNpqD2ZiNFXGG;yTaDwm*`;SyGvk*TZGgaAV zsCT03-$l)(maFEYp3yOpJvWB0Fezo`N)>LtLT}in*Hj zr8~>D9Z6mDt&JyNIS1gzEC)~RZH#0PFoeDNHBa0=bzWiS^VNT5W3#X)-)PbLetkqN zK{dRSm68Lzmi*-6m{}-Z+UQ3nICf6tB3e78N>GrjPl7i@QN{I31r?p~fWm2byw!~j z20=JZcBj^nszxMrPtm}A+w@OcJ$)is+S!EBxwmC>+LkY!^5^(eEP4ptA0aYN!X4&F z^tyX1v*teUnW6lcDrDd|_s^0HmUI%%u$`-p_UMI3u2PS5FYI$upKt528rCzz%rq*r zg1IW9zk1g(Z@PI88~u2Vpn2Z(ggDDy1Okx&-5n;&7aI$8gOP5zP#-g?L7MKx@zBDj zOFh`QKd&$BwxX-1Oqgr=@#;z zPndSuRT;BW^gk6F6oG`__xY2(b`pXZMh8|QEjRHkf5C`l&r43PDYQz{>toy+bxsY# zw^>=9FRFf@U~I5yf{s1f0&6TVJC_Gn(*(zNK#<87S5&_8s<78#5x@OJ)J&n5i!e)~ zABJDV*i{etG_Hobtdn(VPS9l^=pHE6)`d=bI2}c z%_Ai+O>Lj5YoXKcO&2_1jb1DX9^#jznM$$+$GG^El!^8tK>f0cc|br;G7|O9<>0#( z(!}6Q+EQzF;qD?5nS$LM!juIc?-f0HDks)XlpZy^BX;`R`jH^>+me>s)NfIT zb*@d|7Sw#Bx*pur%&b{hCPYVC4*%_6K_w2^EJ4ZFu!*5r7yh=>i&~jt6Clnmx_4qk zH(@QSR_4ByOk{X!G4qTJR(5hprL?%6tluJLzlisU!xwF3$OUDS;CZ+m-^cMWK29Uy zm)o~|RVn4K+GCn7_Yg!VCk1G)e;m^F;nqDfp3SITq5HG<+H_uNYj_DXBy1)g3Mi{l zWkY?TZ6_mF(4#Z5*Y1E&!ycWic6A{1!I!hfw?|06n-S+3&?T5P%bVo^wIsIn zEr?~uML)WSIG83sH;fKX#?}yx^Mxymc}itzu3OWwVZVxe%C(VRn#v2G*}>&IbBgJ5 z<9$|j!u<=}ub(GEpS2K3_%Qn`F_v#VM8$U#W+%fAO2wJuecEWn>)f;S_qf33gAg}n zf`|SqI!+lw_=$_-TWkd9%kGUq{?fvRd_9Y>CjZ`**@KF3uJxxqMJ!oYBB&?SsJ~TL zUnv){8g#nAVY6fPqqECgT_G#1$Hv!BmF#|QtXilLYLrNvbGyAMp8mtLxqiWcqC&xR 
zzXDDQrNxa?D-)`hi>}i2{2V~(awOJB8|gv6fo%OkEv6J}KcbSaLQ}5aaw3M-=)Q+x zBH+Mfz4>hSTtlnuooq2^QBe^6bUY96-KSKXpVcjg*R-wx2I+#xWrg%Z$9SU$Fpu=_ zb|mMGB#OQYi#q(OTC=k9_$CmL+exHPF>qyIWim{pe{W~cvGDsAM)4*AEvJ$A=Q7v_ zVhR1bU`+BK&tPsS#og2a>9^c%Y`;j8+R(ML@lwl)CY;?FJ}@(BrY%D)pIl$+LH5a= z;@hKn4i`^&xb}<~mPQx8*k^Qk?);>*(JH(9U?FiDKAk~w$^oSVyi?#^Yj&P*(*v%} zv#wsBtoVs7S46Fc@Z-WncCqWDee%37$9;l5ZG34J(Db3xRF|=DINn9p=BB2m@1RyY z1~K$Vs9DC`O_*oWx)dEb1o$}Z5%S=eFd_>P?<&)Z_ zov57zvp|Ulvq9`v)Da?nHW|x5Zr~Z;^hn-(A0upVc+;$MHF(Tg7D!>Q#EcBWq!!VK59t&7!j0f>4f8rl2VRc3GwN{t#5LS$Lw0k z<35KQb)Jz|DsYp}`1q1iUBpmtdxIn2-8I;|BTd;;R??gw-8MUt3(kred-}|E z3-McMPcS0+d7G1jq?Uh_INjs!tlcv&1ry6R<8`UGGU~34w^$}(bwWN2 zzsW1brck6|oL!4>v(zVZ!>;My#b0Gf!2R+s7m*>oYSe{v`Dazubn+HIXd~IxjSv!s zj&`1*G&)b546aLQGNT>tH!6pPpWWY3yGUwW@tU_EX{XN{{bDkoWHU)7e9iWhuSoW` zxeg{t_wvJshf58#`<}MQ2Y8g4PzYvy zzhc<7Fx5`q5GlSrxUA^UOSs1%TD$MnGvG4AZTQ2+6EsCfjI5c<s{~o)f)ZMbW8Ygd>*sxJBDFk*2_yb3D;$E#LE@2uiT#!0RJ?FAqz6oXxQXx8@^vv29arnKLv~uEF3}f9%`RMIxW85Xk-Z_t;gFqu3UN z2`Y2!0JP*Mmj~VkdNUT2XNo;B8#jlab12$qj=Ku`#+G*&)<6DUV3SK0wV7yEnKd7{ zct^LHAgX>0o_(}{o?!B{z_r2(drJI4_R5YbMXCf!I-rqau^>5`krtw`D$4Nix2y(L zX-?U`S?8rI>vkeuF1w!Br=H1}2R`eFsPJgBk-JYX3iIE4&wZKF>G9W{h^-2-QrU8QM&g|jgQ zZjz@swdh|N#DGz#etlCkh!L4BA-&HL+VP?PK<%~oZ}R9%^ib2I6Nck{blbO>fVDwh zY5eBGga3XIVf;%bPEy6oP{QE@Zsfz>lLi*A1Baiq+*f`1>*6E0Ha;t;pLJ}@l~iFJ z&MrlWhmnYxX_&oej(jBa5b&LvCLdHD4?W`Jw)=+16Xfa&r1?LYDefyTb|$^z`!3?- z1IK52se)#P-)0q_@_b|_>L1HNe0ciDKMYsqu`#^%UFmc+OJ{v{+u5V;$e?5Rp$F=R zV@FDHQlV$C75k~C*s4UR`H3=6DBYeM;B0Uh<&D@-&vi~Ow#lOzkfm%(KCsZ+FtQ68pPi@?^Zs08LX<$mRSVL7{@#MwXw|?B&hX(b0p0-?c}1 za}Qhk^vrr|ED;^GXHpMN%{JTbc&!(bi#ETAHt}O7HLZ@-ak3lXZX8|LUBX+g8WH^7 zqU|FoX__pRUKg*_C}V2ZDsVRYlE?*w-0swphfhu%$QzwkESk*)>}60m&HpHaKBfW1 zL{wk9^KdS$x)0`}qA;GZ(;Q`0Aosv{)9Tx8_^cUXpQL1CPr6SJ4o}YVE=~;IaoPwg z*KWOrQzJM89F7Geat|jOB>uX$Y+l)ttosW@Co8+H{p=n<`62AfIl-*G9E{reVYV2Z zr|mK-WN0QX!Sp#JW85o_wswHtPFPhw2KDRLSxx$1yILs^F%toWC!j}wUQ{pP#S^pB}&`{$ddCLPt2U5{NUMNaaAX?pKgn+gRuF5758% 
zb=L8e+8jID;U}t3xomniuc`ZAVj5AiIACvQGVmdHN3;h(%EZ8?a!iHQsaoz5<`;{%9+L@1%1f#0k^t^hE5G6x$iTwXKS2?>cVd&1n$bGS(iu%O-F zPg1;o`0v%)e?XBiqTbdh=~_2<;MlCcb>2ip)zP(e;`zg$O}O6HcM^2j)OmP%A%8)K zv@J;Jy5dvN_{0a7qQ7!@aU?dhSZh7e>A;zVHbGiGrLauI^O8}y&L$e9uI97$!{+Tb zy0&+&MK7J81et-c?@kwP9c zw|Q1=ZQ>c?jc6z-1Kp8QvQ8|t+;+FJ*^1`FQ5-@p9~k&sG6fcH1AgY@0Jkhw@q-^D z6qZ^zc@Ll2W&WD-hIFh1i;c=Aj+j|bR5v?4ew0GY?~eK+UD$`ljjFgy4`^WGF6i%8 z+>M5Af?ZO|3-s0N#$Kai^&!qYC{WkIcr``?H8@IhPlK2 z{J=7?)8(@dy9ckg>NU6!aopu)5wPFr-lxRGdGza65*bJ0OW?QgFK0u9`1pyN3zjcu zcqKiSU7H16R|N~?le#_({t!Fd8||EKv*7?D`_(F0DvO4Dw|VB zB_lbEF}2hO=TzbyL%%-E@cDes4VIkpIDOHOTg~q(*8!M-DwYGrNCGu z33ULspZ7j|xpw=Kb(E{>-Au1B=b>Y(us-xj2yCmrvP~M+GhU$=$)A}mujgL4@OzFn zhZ`59Z7ZM-CVx+q(GI(JrQaDQ86A9+^rz3T9*ox`hOG8ku!F*zi!)oT%?HUc4l`#wAOww_V#_{I1o6 zpAET`$Y3Wy<|y}xVw$9xRNK548e;F{#Z+ou`KLU46c-tKvFd?|G{--0Xow6iD4#9<59Y!H>m3t-RcA(`9f;#4HyqtGn(&CK)D5pTkWqr%@iiNQVT4l2s8C$1V41UQ>Z3 zC5=&o4#l%706C-5hpf8zdEIG9Ky(}j;E;2{jH;`13z%~j!c3~d`Q(3nlmFtMcl$pg z#XfR3=TR8$wHn_zJa&hGf?54>uj;t$i2TGogi}lOq}tRI`v+fji^7|w2ZMA^znnfg zdYmMGq~snn`_{2Y$R7v1m7rf_SdcFrK-}FB0)txK<cNs3=orw9d7pavb*Z2v zvl?~lnMvfoYMp@}4r$0GGb+J)VynGom7e~o7zkG{+*+`Fwg>8>uE&+Vs;>xk7d!&Q z#ah&JJ-I+bq27cw=-SrV+oC~f@FFgutDQY`W#Gl2*fyE0=k~#C6iQd z{@x)(VW$&>owt7e+aKKjk9UWCyeAghY|ug_^ZLC;2%v25F0Z_Fp9|PeE19a{lk+<~ zr|S->sK5nvGxr~O#W=D2tU;9hdV})u)5nKEGI%KOhkCgQV=A&<;1>j=cwPX<7S;L* z8}sB^=sV}UF*tw2v5>RuXaiOXPQ*LTO~P~8e0=i((wE4)t5$wdqz9@=l+DQA=FaxgLthp{`t*qFR8*rZ9Jsp7P0cn>B2aoBmfLb?@ z2N0d~z#AYL>aec*oukJA${B{TJt@HWznO;{u@N88VUAE?z>5B^r*`|v7n_NIY_ zY3rW3J4LiJUh48URZJG5Pf;LWYkn{4v<$x;&J#XHgp6E-DqK}nt_M7Ep!SWb5z4!# z+mLS!8eo;EM?R6lIJ^rQL1EObeMlThrm2Yu^@>cOi$LQ9tXTctjFhb{MYhsy#PeR| z-(T(ROifpG!0xUhmNa6*)a0xg=W{ERP+goX+kHRf`ZV7!g$mRYv1?bT>N3|X8R|02 zUv6*d(VyZm&IxPZsAwd4O8%l6xe;$jZzQR`)x0(#@+my1NH{;4G68t?F36@WJ3rI8jy{EMfF#Led zUL_Q~quw|60fr;)OD#eYYCtGctXY1)J-YG`ySL1sMz~Cuw>vAX-_pnz=cT@{=&M(# zps8a7;Un~C{Osb|6}T@n){AFP(|E|QN;CC&>v~?G zMj%ZeIUQab)0V>YlUYVWtH64Qxj)(1~N 
zly^7r_+FG2GPLF;z4EgroFdYF?)KR~L4@SNW6HJPprVV8ZpFO?D2DnH)=ECiH;Gsd z8=!!9;@u|r#frzmdG8vB;xPjNmmSw$OU46Bh6p-wgEs6+ z-N$Q(7bhzx9Bn3}3Fb}y(cCHw3HSK*lJcJ@8UOtMl0E6St?cgo z2TL7QJd@xEzC4ImNyX8Q-5)r>2ONOWD}TdBM~h$wNA5nHE+eP!>YsvKbGmZ+*diN# zssDuNFAEa2n^SQ1<;9rX?(J&)NM(`PJg?@W7KuUB-Y9tpW zZvVjc;X|h5?8l!W=A3DVSWKV)MeO|hk09XeIWMa&`)`qeFDUfCFhO}QxzdIW7dej{frNj(l&WS0bH-dW%p{CG_x0!&74Z(Y*D393rC51?p5Kr-4F3U7clxNlQmP< zW*-EDpwpZW&~-2D=pyYn<5^BM3bSE8-t%ksjX*Uzo_8hhw@63C&R!JA6Pou1=AkHf z+Hvk|D4NaYlG*AW^2rxMeuh@GDP)E+uNki)>{k~363H!NjXB@nDWN2ehE14u*q-~B ztAP_feEmupBQ_3BuF5mL*49$0-J&#YCP$m4d1l0?=XSio?N`~r17?sJRl5yUWADf< zYA1Xr=yh?upa(v)g@^Zo^ezw?YA1@XpLS5%>NI`9aI-1YlW=`0F-$cho%1_R zzcmJ$pz;nSiCy(`p`O?)0N=7?J*9{uN64n2p}}`uh?E3pFgu~uUOSUuL(?b{s)Z4Gr@&@~FJn^0rg3J4EnmyCARP~cB zr5WrGrR_}fCv8Lj(SHp;v!7_7#`BIfjn9j3G=?APcUR(+?hEKQ#U` zsa~XBA~WM&@t9hnu0P4sq@5E;5_>^pkoS4P{GY^9ctlKJ%}#>K6+&gF2j}SI%w%gu zaVxpEi>}hS(_PDUs^=my8HR{H3Yw325BgB#UF4FVL%X&HQ!g@Y(vpc8Te)2JeT%iq zUw2-+xqM{?i>=Ad7`gxi5>M#!0tpJ0EOjcZo=V9=y9w;F*Aw3waohEZ8~7Wkbyl6OeZL1^4zDyG1&64VRTo}3O|{=O>a(|9`MYNskO1mbvm@~C2Tv{a z3H@zsT}@%N`>=+gZ@t;fwN^Aa_fDe6)Zq%RmhT0bS;(nk17iF_rpj&| zjqietTd~XjF`xZh#E%tsCVr6zF`4wg7h~hT2Gp+A6>F`QTo{>k#=>;&_6mO-OA09T zNVEhw7)>5KNUV(=-P-E4uu9eVP8MdH-bNTTy824^2vjW9J(1!}zuV>aUp|s;bUJ?s zl4$Y`i+6U=le7F-7^USFoLaEbjxt4g*An0&LN+zhfMw}O&Z`wCip82>tlsl#ud^}N zrDD}j-tgwX57?;|d*eZG56Ixomi4dl;v^QQmE9-85)=G((;L*cv1}!fwYjBveIc)a zy&Z6xiJN=~u77x$O|sM0rT@9zyMcE9Rv4wtx_07pmA`qjInK`HTF>-zE29RniF%?P zZTQb%GasQg50;ujWktOPP}iK0kiatsK{^Q7QeH3F?K$GZjRNjZ2kH0CLmi#6Z{JoG z__aN8Pt*wg^baG4kry~Vu7N`F_(9q?6Yf;x?xZ#Qpl8*J=Z&1w@Op|^B`an z<22X1zi=TB=M}N`GH)m@^#I;!R7OB$9p6=(n4Or+md1pEiFo22KocWFhD^z&F3a1C+ z`RC#^fsgI;-NfQw_UMHX%8fDxXDE_XCl*GCwNFstEweK6llibEK?Sv4Kr;xsGD5ds)@&UWTAw zh=(EhtJkjyPyDax3gw|Jm`Ps7u<~1Yo1OBEr35t#=$g{qmd8LQ=KrYpn|br%C~QN> zby=Z)n22yQw%c~SXDAAKyLl#j@Aj6H3?~TV!SSjYE)4KO{JV3ZViTzCUpKPpxtLOO z%p~Z#EgpzI@0%4L4XaqclQeaHlr)fJa*?wFul9aUf_w1R13U`EkW%~$sH-2#LkxU? 
z=+B;2I?CWsc9nWbR3ZK@*&3(=MYfSrcB=h!KwB%Lo6%cgH%K7hkF^}Qypg#nd^h?)mZ4~$qSD{c3 z`+S3vWDo2lt|})muUzxhPbZ2&@#v-F@_TlJrnD`8?Q+9B_n}bdO=}Pk2w%{2bolbR zV>2jcuN8Jf#9@e0OZ8Nq75QO`neZX|jc5;vuZ|xW!3KGRr6Rgx$#vbUZ0t4@*II); z7Mjg5@W<||_oY|G$9r(pH*flw`{cR;DfiK1Iep169ZT-+W^mlQj;^)8*%frWWCV(QCW2l|PmRCzQ;nYBz&=j0=nMS@ zB-CaARRUK$(4NUjIcQ2~p-;I4Sj|JT5>l-_%4%f`E1-r!Zh?X?>c6nNfp$AnHCB9n z-lFLYXL9o9;twC6ib6@r2vSyh|7a-3wTNjB85#WW{={LyAt|-e^jP^=MOvAperVr| zzH@PeL|S!os+x;ZkAJul5|GV-0s^O$hAoAdNL`M{Mm?);byTc)rlhZ=>C8B~!1FPQ z5i&BO=z%pkJ&1^-g_=cjP)La5`tFs&Bsw|EXOdm?z4+rWlU5(CRQT0OHwN*M7H~uezz|Q{AEw|rGtF`?Tv~h!z3$h|V;HK0eG2R5!)GUegzU@cqh0`9- ze8hsM>2kQK=j^4iaUKo2w$7H_%c_hsaKa2nxqp3Qp_7tfYKEv%4`47JzOrQnfy?~& z7tBV@q|GVNly&XG&gb&%f{pAPdaG|4F*Hn4L&CL_lEnMnFeY9K1L>q9rDX6a39w#P zLF@X79^rshl&@$PciAfjnwIpR^WE#}?pDut%u$$}j|h9MsY%SC*A22Z+@(;@tz)rF zo)TWg0laNKMX9Dviah%itX8G$t!6tB4_Gm*X1qc@5?Nd@SV0fAksD(&I2aGmpO9n+ z3?%V9hXI0O6*|%rTOe2P$aUuyzgO9Ug6_`4A(m?R+`wlV)VmTaPYtd;PK6#@# zV%c)2lNahDrXhFXAr2yds8UK~p{{5Qd*Zj|*^Ww2`kcP9W-d~0T^~~Ytd*qDTZzZ*dY`uTP~ zs5B6x_?%Nd0}gki*O-d3-xL<#osiYQGWy9#Y!6hi(V-N+j__Y>bDbD|USB$e=ny4SM3coY;08m_!2By3G9 zRX!4vpoce%O%Lj|BVn7#Q@=l_SVF7_vN3*-sf1*@opHI>b{xLHYkhjQGrl~YTEiG2 z3BE@a^qS!b82G>oHX3eiwFk|?GZyEg4zz2W~%6tpDwRm)P!k{`_Q)U>9mG(dQiXb@onzf>+YV>tv>qGy)mkk zfuW`WZ7wn#!3_3=Ox{o0M!Oxzz{k!Nel~k?j}tPj+rOaw(cUhd2QkT)O6Ajg_xy)= zC5gFw(%-SVN|8TDp#87!&8Xh#?s!Na4~gUD>N^>K&hUlI*<<}shS43j*RQ*)O*{Ef zz#*Q&QXfC)Ly1906QBkZMLkAae}1ya7K!r2CzXYJYP4YZBUd%}Oc zZWJ%X(LBMHh;;k_{S-rNX-VMfh&>Sh?=4q_rH=ca4Czv8RM802e_I>%)07`pZAEZ> z<_%`2yMRU8bFHoc*36k@dwyRlGT4ore?!*}>_U&VnjZ8oub7zwN|vY8r|1=dsi_%E z+{3?^a*c{n3Wz*m$z}StBFKdI2`(ZOwq`oVkT{hXjL>T>_{?ZzkhMRO`@s56Wc?m5 zSu|X9?|J=!#9$X$)9lBy3#Q=L3%cA8VvN?T$MfE69!%hdcb!N=izf*|EtH|Oe%qW@ zuSi`WIXwn)5Wnb@>+GaIHP>D3Iz8g=(Yxoqu`QH;BLX4A#sEj@fgfp0+&@5UIE$!6z!?Go zq5k^SejE@L1fGc)cHr+-%!}!~{-#&?R!q9)E+pOW5oS4GSsPDWW+gt4uUy z7W30+mVZm$JbDNcLVw+x8vWN9-&TzxrX9E3h2KU*uU~KFHO_M%>mWDvRL6iHaBk6m ztuOR%f)7bT#xb@3e{vW@*cV0b*1+Eh1yz^m#+<1qyFb`vna}g@gKSljhdr`%BexyN 
z?0}2ZG_7-CJ16itj6^bM+|SGVA&z^iCYZ@!CW07MzE?@tSBd6)16R=R*Ujvqm2l-$BgLY}3x6>oqv6aHZ}A)K z5@N&~M@JR^l!U<155{N9=%;(rVo-UcZh{-II1dzL&;$lN zC2y%+uKzyfFV$B7%N({R@}K;KXohYHNje8HE90)T1gdqQ;LaqFNm-79_^2ZjLR6yYU8>kZd;Kvf6mV=^=x*u>Z}c{yNS?Wp(ptzis3)Q zd-Lr5^Ee#I`abb@piny~s_RAEd;FiykaCukKA{n>VV(_A=aHHWliPFZy;+HCYa-lv zH!P3gtl>-nMa!dpH@m6+kTcx<0lt-L}`q{f)!;ygA5-FGeu-GiL-U6=V~Y znT5s6VU&TSZfN_vt@OOGhw1jEs_m^4r0gXoI26(o5lNJvZ_W)lKNXHNc4zfjyyIi7 zh5FqT(a^9$ZqU_CFRDCdy|cXG0)j#lZP9`Aw_XR)+F_A1((u5C#I3i&sCVHpG=>HvQhztC@zADu)*PF~0m>S)TX5U*6Qm z-F1L}yG+jMq3YE56J%vkMd46SY);b9(x${7naObZZP)#{T7c}}d`4j}X9s=MQ2GZ3 zs-|rlo0^su%UH1X(|Vx`{@J<9%aPNzXBze2o=8bLIy;-f%71xZXum774WH`0ZCLyT zGKb-cZ|VVR)&ASpuQZla2A|wqpoly_M{&G-L($z$r_W>0o8DmWaO(HuN&G-3TaBejo$l4; z35S!rdyhp8_>WCexUgqfy8V}qh=WP)jS#ZWNl8!0J)#g7H^J}C&1*cjv`Jd$A0?F) z4NUh{eJ6W|lPr|#^aw>_@o^VDywd3|QAFJfpexK(h8hoSSENF2hR#*4 zc5WcACfWVxJa6V-OH*S!V-rjCFocAMuk=nlq5de$n5Hd1+koo@W0>wjk>=aqYiw4N);+*3xuc7xI+kz3?GjV22QCarM!Q2g%4byf_eSOUR!tBf~_XkV+V6KbQd@1emtJm+7(UOnb< z{bdYZH|y1*nB?^Xv_o(J(B1V<7K-r52Y-XL7gu2yh@mR97A7{9l`Ttz%!X2Cqup>c z{QP1>#Zc90bhd2ifZw9M%JT7kWCVSsPr&WQTY?_^>@QvMjh_G3qs}J}Z!$N;M4V31$(Bn`{Z(ORW~scjZOoxr|G52kZ)FetWuX#f)#sGNY=?5q{qe1B zsu3m1611gt(Cr5J`mNtNVk*;)zZtG zp$FbGrN5s!7q|C#T1aZ@%7TZw^#((oUdb4Aay{Q8OPzS01x{gIgOsNa8bE!&fF{+4 z=|=OtX3BR@aB+bN9XWJSM4KJlUCX}Gi;y&DnSpFF@~1~nt20#FjRXqc7#Qe(aoh6* zU5Ucw#ZfgzYVJF_J6A&>;{1Ah#_`~A3veJPd_NWXhbi5SzNN2%hCyJ23ZIJ1&30$2*#($s5w7U zr&nw@=8Q{mpr@@qCk%W{ITIhJfuPU;OXY`ohOnk3@3yDhnfHC@aN8Nx2}JppL*zN_ zbhDWNhxi5dtcT1L$<>@o?;db+3MHX(IFN?iK^`I7g}M}Qoar}Z3Uy0F#r_wm$>Ge) zarg#{N}(=?AL$*f!m=6#ZmMLYmy-LMt$yw%Z3z z&dxufdXvI-g5IUx%O8~N-9~JUFaD&HZ2qeIC7Rg{_o2?MtPE3LfRt!CIGWi`{U8cx z*_gLpwBRIdwAp7{T}$7CPWAOF@dhb8Mq zM$G9OY*GCk2~Yg4Xq^}qrcdRLXiSOk4E^JseDZ6_1f?s}V9vYTN}c|RxHBo@azi=W z_u@pUF!GgHQrYf=v=QFsVz4DuYqk}^&v5ayfXGNJvrruR7eyqq&v7ePXV1=$eQ-4^ zE^lGaFRHyJ4TWn@mJX|4)8@tUZu=tq5mNS0FaAaL+b`yezP)|5uE3{c3cIfY*Yv^p z#zW>cx7+b+VYgjl+>d<3b3zTn*0msgQR6lH*nNMYlVt>vTDA0C5T7J=!n(jn#mLb6 
zmhE^5y^Dc9-s_rIS@aqY^q&(H5mGfY91hK9vvMXUU*4<}OiBXYMyxx6j{0QGW#sVi zrv&fy+>`hlomPJWBt&WTKK-j>im%RK&>7^E=XE^|Rn^gW&(Y%BeF0xnhUV3lMzPJh zqa4nsor%KRTTw)B;E{FPRKoA^_UQ>`Jtq7WlE6%o5&K=EW9?`3ZbU9DNl^PoKpM*7 z2M$!Ly{$LlVRPCgrHP6E+-|XA{^jYC&ev;)3#g%Q44CUBdu}e@O*})-vmq^q24G?= z%-+KR)qwNOMreVLwd$=Y1bFG4*7lLQMWlx66fHS3Z zS6?YV+xqnC_+)4>%Lf-~bjj%AkQ&{PA}}o^^m@NS1inC;?mso0o$a4MZmG~vAya-d z$KxiYW$lge-HL1u@e5IX7;og#c?JW>kDQZ)5P0aQmKKq#^?OKAyV(HUDA>58MqG?L z^bHMIt`*k}S({1eF6&Z=QgrGet^ydSeZC}>OoF9`8!di*RCw1F-b=l{KF!kveoxSU z`94;*e=>OUdL?tmNsA}Fh5iHI*k*TQ*@OvQf>u|U1cgLue3bVfFYVLZ#MVFFqrH&k zYi6URb-ohJbPMsqqFPOrU|r2dTw<-Qt@*ZiQ$oC!l7!72TDLGhUY{-p%4SzO=z$id zpCmC3XC&_Aq|NDo{}=XQ|G9|$337-xbncKZE+yOGMzEWJyWjL-<9c&mU=votFge^@ zpfr-NuP?r^usdI$6-&&q);+0EKroiUeQ?kT@+<5ARorz(!`Ve^5g~e%An}QOYV>Z9AR>q;qxTjvM2#9z zMsyJ^x`|$fMDL6eB}%j*iQY?sFzPU)yT`ph?^^fQz3a{o>s^j{-&6Lp_p|po-sgdy zq=K>b3scCoM$c)$li73>bE`?+e?qOCSHft=i+RCitv&PA-v(%cmf~VwRay6sd9#=( zIU;jom)r-C^ig(_FU7?zpVt^@fHS-W$9dBM=8@nf`lT%W>Xz=R+E64o`u<)@{l9gH z9(;u+f=BPeRr@!3UM29Lt`}sRIzdwhvZ?pxZZOi)Bdg+3$ zq6d&=%&yW{9PS0W<+vbA3OydfjG4LahqJ~xdoVxRo}0Lg9CNs_i1vG@8ljo#uq7X# z(N%ogvOzO{n2d!syg7p8G$8ub7*@RJ%x|a2hI_#m58uV5OFewJw7mSGrp99+d)DgJ zv5ct}e5g5TI}?}_Wmv!M#vJ5*-><@zrN72@mM)r-rsHL0bwi6UtrVj8`}<{!Ytq+&)z?Lo}IHOa~c)(LF%qw<9I#Il8vjEhYhw#qV5SY z{YT8;fjI4QY`t%@5R9|CyXz^dlWQ9xShVj*joj)x33PPtW2d3heRPkGjylOxAc)yJ zBDNI0v0d&bdWG<2;MSBO>@XNCMrNmAvrxqK8B^4JK;r(s`zg*CvhX}2mc_Vby^Y|l zkDnOslj_0x90{YHohHn-(r$uE6ZUenc(~2)e%zyDztiE@Z6~4xf`Wq4S+11l#GzK= zs6;qd)Z9#cLVOAtV0!ocXWyPs{}Wo2%82Cb?z;EE_I1~`a%*hi{vp<8UKU?%zvU3i z5_!X_|KN`2)@od895ot^2BMB`;#}daG|iaYxtH#CIOm3yxpG+-7Z-Ylw8+`ksH1$9 zyYTIgBORd>_oAWAxJJLXT0mreLX82a=y`T*65V=qKa?iFcjPOa1kg0;Ul=0plTEF9kV5m`R&=*#E!>S74y+|AI4Vyq@`kcPngp(+xd4;ec8GsWWBvZ zF-;OnOg3n%2`hjUo41Apum7GweEu$*WZb{Izn@po*r+|xSD|KDIMfof5=n|#z_Pn2 z+Z@WizIHg*Jl-e-pc{kKn(EKU$h;D=R3#<#BFsMdUmDW3#zgsjRe{?IZE|ySTljbfo1+L>BR5Cr@$jxl4i-Zi@kL zOQD(xLj#lN?$%GrJcw``8dk#=Pn{N&N9Sb;3OKmk@ItH{p3j(?8=Si<93js?M7^J^ 
zD$}0G(OpB+Gcsr!7))Cs1kIb>78K(~r*SK>TbQ`Bsty~VCe)q#`JCXX%9h=U>+XQ*C%H~okReGAvwBPZ5BTYgBkiPWw+k) z6-U_B%hJ(}Jb4%QGl6y=>%O=7^LAkLfp{=UsIXTLKW-=Tz7V9L#N=ji&6vXOWcx?Fd zM88ADdd5dbu9hE_IySpXt=j$Wlvdlr~hwGX9c3sW*j$nB?lgXmUlNgldlwGya;gDf; zt1Yd^>b!!5CRKC8>pHw>NEx~+_ErBCyzT8l$>KXea>;8;orJ{C#l=peBB-gUgY_|H zMnl7XffSij-Gsyk4MsP&SqYhdl~xH^TzeoO(DAFp1)2d|nPmEq9FcRK$tIEEY!6(#L(E$OU0WZK@JeTPOxIW&Udk5L5d)SYwiI&`4 zHQn3aU+vAD=^Gg89ve&kB4%6n9d*|ulRyVr@X?no%;nk~LipIk7L7u{qU1Rr@_|AT&rAII3SxMzI6P02Z)1HkDk8$JYz&;o5oTIv7|C4D%k#a?sYjA>)W}Xm zee+)cm({Ztlfxno&Yyh^V&>=9F*DIzbPDIh9|QIaT2re_Yl&X7X3H#bh_O?K82YSqqjCpuCihJ&$Wmk2s zaOD0+2W0CTn28&KV#daY+u1TU3@O#3ARvj{)i|Ic%LAwOFw?kiKASNyv9?;1!o(C5 zF#IqB?4L>IzQB==*|!7ExUq%n#FU+5LuCf7U$}MFS?C9o{)$P#c@twZ{ipCNE}9(N z;DyaZiA5T{AbJ5aX}1M}shXH6R0xo7RSu22cAY+L2$Uv8fcxqfU?3yEYk>*?;-d!D zny{Zj9HDuggurD|5MKvjsIDJ@#jcM*-sfEKaNK)n@D6tPYS8P7C4e>S>no>1z=Kb( zeS}MT_JEKFFugk18qzpv#GfKcIE)@E)qW+|Zd)Vza`NWju}=ni&}nx*ER^c&@0}=+ zn4su+P2-`>8~5_^I)i=jj12T64VLmxzJ*)YnDl|0AM*Evzs&AqW0#E)G;eZ0aNX)< z*4NXkwEoK&ohcQmpct`?!2oYh0YsWjS^Uv5V2M~{-sD}jYXzSia?1-*dwWv@uW5|k zB2$jJqoQ?ralp!C!s74Y;p*lUR)b|YrKaef`xXKM3;JcI?MxvhrQAhPnUm4E>#(22q_k}7L9bHAb@?}uSCwkr>atm%oMn+#er8SUuHYzh1^zm^r zX`cT2enWlS-T;ohy~3rz1!w^%H*t0=0e}9YN>9GIwzf8O%T!W~&0qXlkgQZDVrsFq z*=+l2J`fZa9f~Gz>H@DwtC_yP%#nlUe=$_e|5t)Lctu80$okFl zYycPqdIox{s-&fvsW?n2zk#47S$oFJPCK|SM$DKghN}hc4+vy0nzg>xZ2+mPkyDy$ z#p4d!|GQYCHDxwoE}saVUwZsTDc@K5gy@FH+@YANruwTlm7Z_hmvh6Q5{;M56)Ew) zY)E4-%RUD}n39#3tEYxQ`ECB13%THa%^u>oog)jgC?d7=C^{eN!=maM(l&Y4SCwW< z(cAR%qao$*CL`Pr*$|uE4(Lo^Wwl#>f5bY~|9GU8+|AjOOz`l6lR>pZnF!FnH zZ&8R4dOox146LI&>MtGr;G`qh-dI960OYGt5g!!l_u8r`V8Aa6kUB=t3R@fcG;+XQ zj5Y@bW|;H)x-MARD~F*?OtOe1wPopUZ+Hr3&!yQ^Lx;@mm=1X)O;XY3@I>6#6 zCmy z4=Xz-4^1{G6#{M+cEh%M_@(q&Q#pe~kSH)1K=UYWvUG(5e<|!R`}PAFnWwB$`F&+? 
z>Y*=AvDzy=bd1b4J1q94zq^Qlk&-gYtT@qLt3`B6(i=CU2+ z=u2Aug>!P2!mB?C@2G-izb>3KBg}%%cXB0(K>J)lDhRO2gA2G9?snP`ZvKMMV-8~X z;}kFQVxOLn&`*35&(Cwgq`KEzIaS=OXp=`>z1R^!dheEwom|mq1yrk2R?EerAw01C z9u6*ncj-SAd+ZAX?<{{Bd{uiLcA<4BT-PY5Z-J<5FMpXVxb*)>Vxs?|hjQ}#=*6Cc-6~slDSHaosZ3s z=}=EHz9O4d>pafZW3(Zy2-S2#G9qz5P{Yws8&+3u)M}W39-i2W^i&n-*|`+7xaqAX zyz(aKY(>u~2wyxJ_3OSpy`iDuqerbbnMDYxq0stL%b9VFCZ~d;tQITkmmX^^AHE~i za;qcB$OSVk3P2_S(p9#9w~b68N(D+|gVMM|tmD3T;wMNzEP5hc?6q8gc@v?l)y_SE zU^*HU0VsULBTJ**qq;95O1=QFH#`%T_@oZD#nhLp@{P(2cdV&UqF|8#Mrdhe8vA;~ zDOpvOO?Xp8d&3PHT+D`>cG@^E)@j0H?hb|aO~~kFzyF>LN*j0b@^Lhh{zS@&UsQYV zXmI(G+!!-<`t?ui$w7DD;!~X`n}d9G_Kt2MA_vrz&Odh$=idB1dp9KPG_$$D(lbw# zviV-hg;TIb4o^jts+q(8$>7^w-(&lUqvuWkSH?l!%Blw=t#J|p0VWfz{A+53PxU zsK!KA3ez3SXc^-N;y`u?sHhQk3vyKJINajLa0?6s2v$?3Kt8GCB9IkE^<7IZqyxcD zR01N)z%jYFHaZy9%G22DUFIxF&A87d>_6zW*C}u7a(M>7d2_O!lYprJzBdYbd3rA!zRL={&C;*(O!&K_#=XJjHH-cM0soVZcP1QK zgl`*OQ$PN}SxbBFzL=nU&h)uDca62vsi9OxJSF!+7dQsW10G>JC^0dTtEhs*%yxw9FG!m;0P9khO%^C< zcPc!?)bI^&WzM3!)LOI2mfs&Fa{HW)rJB~FOM?8KGK4{h5>7`5%ygpw-di2!CF+>6 z|Ma@WeWtqfArHo!IuIh&9I6zZ*N<@Vre{V+9z7@lf%z9tZO;^~E) zOy&oMf~M1KYciEW3D-~AObY~Q;!7f*z{od8QDWF_RBCjs-q$nCim$w~=5#o|SkLL6 zAic(4gB=wi10vt)i27m56oK0hkjMNmSgBck(pAjg$?}VgEe^1?X6cQ0I20aK^!i2SZ! x(q8KNz+K|k#_Rv1Dk4a@uZpVwV-2(NlDb<475e2GVwwPaRFyQJmOrry{tq/dev/null; then @@ -68,6 +69,16 @@ create_jail() { bastille_jail_rc_conf="${bastille_jailsdir}/${NAME}/root/etc/rc.conf" ## file bastille_jail_resolv_conf="${bastille_jailsdir}/${NAME}/root/etc/resolv.conf" ## file + if [ ! -d "${bastille_jailsdir}/${NAME}" ]; then + if [ "${bastille_zfs_enable}" = "YES" ]; then + if [ ! -z "${bastille_zfs_zpool}" ]; then + zfs create ${bastille_zfs_options} -o mountpoint=${bastille_jailsdir}/${NAME} ${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${NAME} + fi + else + mkdir -p "${bastille_jailsdir}/${NAME}" + fi + fi + if [ ! -d "${bastille_jail_base}" ]; then mkdir -p "${bastille_jail_base}" mkdir -p "${bastille_jail_path}/usr/home" 
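Review bot: The added `zfs create` line in create_jail expands `${NAME}`, `${bastille_jailsdir}` and the pool/prefix unquoted, and its exit status is never checked. If dataset creation fails, the `mkdir -p "${bastille_jail_base}"` just below still runs, so the jail would presumably be built on the plain filesystem while the configuration says ZFS. The same happens silently when `bastille_zfs_enable` is YES but `bastille_zfs_zpool` is empty, because that inner `if` has no `else`. I would quote the operands and stop on failure: `zfs create ${bastille_zfs_options} -o mountpoint="${bastille_jailsdir}/${NAME}" "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${NAME}" || exit 1`, leaving `${bastille_zfs_options}` unquoted on purpose so it can carry several options. create_jail's body starts and ends outside this hunk.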
@@ -83,14 +94,14 @@ create_jail() { fi if [ ! -f "${bastille_jail_conf}" ]; then - echo -e "interface = lo1;\nhost.hostname = ${NAME};\nexec.consolelog =\ - ${bastille_jail_log};\npath = ${bastille_jail_path};\nip6 =\ - disable;\nsecurelevel = 2;\ndevfs_ruleset = 4;\nenforce_statfs =\ - 2;\nexec.start = '/bin/sh /etc/rc';\nexec.stop = '/bin/sh\ - /etc/rc.shutdown';\nexec.clean;\nmount.devfs;\nmount.fstab =\ - ${bastille_jail_fstab};\n\n${NAME} {\n\tip4.addr = ${IP};\n}" >\ - ${bastille_jail_conf} - fi +echo -e "interface = lo1;\nhost.hostname = ${NAME};\nexec.consolelog = \ +${bastille_jail_log};\npath = ${bastille_jail_path};\nip6 = \ +disable;\nsecurelevel = 2;\ndevfs_ruleset = 4;\nenforce_statfs = \ +2;\nexec.start = '/bin/sh /etc/rc';\nexec.stop = '/bin/sh \ +/etc/rc.shutdown';\nexec.clean;\nmount.devfs;\nmount.fstab = \ +${bastille_jail_fstab};\n\n${NAME} {\n\tip4.addr = ${IP};\n}" > \ +${bastille_jail_conf} +fi ## using relative paths here ## MAKE SURE WE'RE IN THE RIGHT PLACE @@ -136,14 +147,9 @@ create_jail() { echo fi - ## resolv.conf - ## + default nameservers configurable; 1 required, 3 optional ## cedwards 20190522 - ## + nameserver options supported + ## resolv.conf (default: copy from host) if [ ! -f "${bastille_jail_resolv_conf}" ]; then - [ ! -z "${bastille_nameserver1}" ] && echo -e "nameserver ${bastille_nameserver1}" >> ${bastille_jail_resolv_conf} - [ ! -z "${bastille_nameserver2}" ] && echo -e "nameserver ${bastille_nameserver2}" >> ${bastille_jail_resolv_conf} - [ ! -z "${bastille_nameserver3}" ] && echo -e "nameserver ${bastille_nameserver3}" >> ${bastille_jail_resolv_conf} - [ ! -z "${bastille_nameserver_options}" ] && echo -e "${bastille_nameserver_options}" >> ${bastille_jail_resolv_conf} + cp -L ${bastille_resolv_conf} ${bastille_jail_resolv_conf} fi ## TZ: configurable (default: etc/UTC) 
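Review bot: `${NAME}` and `${IP}` are written into the generated jail.conf verbatim by the re-flowed `echo -e` block, and the redirect target `${bastille_jail_conf}` is unquoted. A value containing `;`, `}` or whitespace would change the structure of the file that `jail -f` later parses, and `echo -e` also expands backslash sequences inside those values. No validation of either value is visible in this hunk, so it may happen earlier in create.sh; if it does not, reject anything outside a conservative character set before this point and write to `> "${bastille_jail_conf}"`. The new lines, including the closing `fi`, also sit at column 0 inside create_jail, which makes the block look like top-level code; the function body continues outside the hunk.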
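Review bot: The new `cp -L ${bastille_resolv_conf} ${bastille_jail_resolv_conf}` is unquoted and unguarded; if `bastille_resolv_conf` is unset or empty, cp receives a single operand and fails, and the jail is left without a resolv.conf. Copying the host file also gives every jail the host's resolver list and search domains, where the removed `bastille_nameserver*` settings let an operator point jails at different resolvers, so the comment should say that this exposure is intended. Suggested form: `[ -f "${bastille_resolv_conf}" ] && cp -L "${bastille_resolv_conf}" "${bastille_jail_resolv_conf}"`, with a message on the failure path. create_jail starts and ends outside this hunk.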
@@ -191,6 +197,12 @@ if [ -d "${bastille_jailsdir}/${NAME}/root/.bastille" ]; then exit 1 fi +## check for required release +if [ ! -d "${bastille_releasesdir}/${RELEASE}" ]; then + echo -e "${COLOR_RED}Release must be bootstrapped first; see `bastille bootstrap`.${COLOR_RESET}" + exit 1 +fi + ## check if a running jail matches name if running_jail ${NAME}; then echo -e "${COLOR_RED}A running jail matches name.${COLOR_RESET}" diff --git a/usr/local/share/bastille/destroy.sh b/usr/local/share/bastille/destroy.sh index 375deeb8..7fa129a7 100644 --- a/usr/local/share/bastille/destroy.sh +++ b/usr/local/share/bastille/destroy.sh @@ -53,11 +53,24 @@ destroy_jail() { if [ -d "${bastille_jail_base}" ]; then echo -e "${COLOR_GREEN}Deleting Jail: ${NAME}.${COLOR_RESET}" + if [ "${bastille_zfs_enable}" = "YES" ]; then + if [ ! -z "${bastille_zfs_zpool}" ]; then + zfs destroy ${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${NAME} + fi + fi + + ## removing all flags chflags -R noschg ${bastille_jail_base} + + ## remove jail base rm -rf ${bastille_jail_base} - mv ${bastille_jail_log} ${bastille_jail_log}-$(date +%F) - echo -e "${COLOR_GREEN}Note: jail console logs archived.${COLOR_RESET}" - echo -e "${COLOR_GREEN}${bastille_jail_log}-$(date +%F)${COLOR_RESET}" + + ## archive jail log + if [ -f "${bastille_jail_log}" ]; then + mv ${bastille_jail_log} ${bastille_jail_log}-$(date +%F) + echo -e "${COLOR_GREEN}Note: jail console logs archived.${COLOR_RESET}" + echo -e "${COLOR_GREEN}${bastille_jail_log}-$(date +%F)${COLOR_RESET}" + fi echo fi } diff --git a/usr/local/share/bastille/list.sh b/usr/local/share/bastille/list.sh index 0b39b194..3e8c3329 100644 --- a/usr/local/share/bastille/list.sh +++ b/usr/local/share/bastille/list.sh @@ -37,7 +37,7 @@ usage() { } if [ $# -eq 0 ]; then - jls -N + jls -N | grep -v 'poudriere' fi if [ $# -gt 0 ]; then diff --git a/usr/local/share/bastille/stop.sh b/usr/local/share/bastille/stop.sh index 84eb0e96..af2c2ba3 100644 
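Review bot: The backticks around "bastille bootstrap" in the new error message sit inside double quotes, so the shell performs a command substitution and actually runs the bootstrap subcommand while building the message. Its output is pasted into the text instead of the intended hint, and a command is executed on what should be a pure error path. Use plain quotes in the message: `echo -e "${COLOR_RED}Release must be bootstrapped first; see 'bastille bootstrap'.${COLOR_RESET}"`.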
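Review bot: The added `zfs destroy` in destroy_jail builds its target from unquoted `${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${NAME}` and ignores the result, after which `chflags -R noschg` and `rm -rf` run regardless. If the destroy fails, the directory contents are removed while the dataset stays behind, and the only output is the green "Deleting Jail" line. Quoting the target and stopping on failure avoids that: `zfs destroy "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${NAME:?}" || exit 1` (or `return 1`, whichever the callers expect). The new `mv ${bastille_jail_log} ...` line would benefit from the same quoting. destroy_jail starts outside the hunk.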
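Review bot: `grep -v 'poudriere'` drops every `jls -N` line that contains the string anywhere, so a Bastille jail whose name, hostname or path includes "poudriere" disappears from the list while still running. For an inventory command that is a visibility gap. Matching only the name column is narrower, e.g. `jls -N | awk 'NR == 1 || $1 !~ /poudriere/'` (this assumes the name is the first column of `jls -N` output; confirm before adopting). A short comment saying why poudriere jails are hidden would also help.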
--- a/usr/local/share/bastille/stop.sh
+++ b/usr/local/share/bastille/stop.sh
@@ -57,5 +57,6 @@ fi
 for _jail in ${JAILS}; do
 echo -e "${COLOR_GREEN}[${_jail}]:${COLOR_RESET}"
 jail -f "${bastille_jailsdir}/${_jail}/jail.conf" -r ${_jail}
+ pfctl -f /etc/pf.conf
 echo
 done
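Review bot: `pfctl -f /etc/pf.conf` is placed inside the loop, so the host ruleset is reloaded once per stopped jail, from a hard-coded path and with no check of the result. If the reload fails, the script reports nothing and the previously loaded rules stay in effect, which may still refer to the jail that was just removed. Moving the call after `done` and surfacing failure would be enough: `pfctl -f /etc/pf.conf || echo -e "${COLOR_RED}pf reload failed.${COLOR_RESET}"`. A one-line comment on why stopping a jail needs a pf reload would help the next reader.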