From 499f3a9ec950ae3ae7df286fe0b3e13287c2a8c0 Mon Sep 17 00:00:00 2001
From: Wei Zhou <weizhou@apache.org>
Date: Tue, 2 Sep 2025 10:57:09 +0200
Subject: [PATCH 01/20] Resize volume: add pool capacity disablethreshold for
 resize and allow volume auto migration (#443)

---
 source/_static/images/resize-volume.png | Bin 10420 -> 40174 bytes
 source/adminguide/storage.rst           |  11 ++++++++++-
 2 files changed, 10 insertions(+), 1 deletion(-)

diff --git a/source/_static/images/resize-volume.png b/source/_static/images/resize-volume.png
index 75c63ab7a96331bacd6e302522c767fd3940871d..17b21d19951a268c84d927043ba9c524ecd39248 100644
GIT binary patch
literal 40174
zcmeFZWmuJM+bxQZk1ZggA|UWMQAA1U5{!vTD@d0j-6b79qJjb<CDJMiN-7;9D$*q_
zEhQi&ExpF=`+e&;_OHEvtRH)=z2_T>%z4l2zT!N`ImS5e2Uip?QSN5gO+i6HDRY^u
zOhNHCnS$c4qMd)?UmWM^?%<DIwwE;>C@7eGiT`a08lEwtp!kPEhJ5atOUy)%iOaQH
zE1NU!e4&O-?pyc&bB*=t0h%wmI<{N3yy7XW{;c(j`qZfbtt&ch<=h7UvY!%qd;8e|
znr$4_TBe$QXZOpx{d4bF=wri>vCSR6v3-`+hU_PI^k!T-kyPi&W~)0AYSV1lm21`V
z`YJIZisTofuCs=Cxkqdvem1#yQz*K)xVWomFY%)YKZ9>+W3M3b_mA{*=F@*Z^xblw
zG4U_2_utr#KW?9*`QQJ?vCbljvpqkpW)*Th?BpNOzkH#1>L;0Xe?L#Z+ZY|!pnJ{1
zcl#%rdsQ(5I(`CFz6r$^6xYUHUfo#sx2z0v)81pE*QdbDNLqi<`H~Zp;=ldIc9EOL
z(eE?0pCmo3I$mxnxPO?(?%a#^hjm8_!j;X};!`#pA8<0TZRxer!6!a$^XJ_f6FDmu
z`A$>WUup9&<3FJ*)htCdt+C{k<#_%*idBVsJ073x2v1r%CSC12c%1vK!X7L@{uLVI
z+x)gK&s%pLyVpu0{VU10WL}U^GMdAslOrg%@!`U5#Rq<0{;s@#GURaQ&sW49{1P*L
zs+nWn`tTq}lz4KZ>HFg1t$+PBFfb4j5>oz%sjJ9&I+wGdHSDCy!-o&=+_{r$)zzja
znC&lU(e{4jX9{VyMMWu)K`^<v#%zzYAm5LhC({qoj4_bn6`ydQi__CK2_K6dPWp=`
znB9AMLa8ZMVk-rOt+m*wrSZjtcd4nVWzCP6&lKLQcyy3Mt=p-~YHp-qY1Z5~GLhrd
zsp{%#c{Y_UZ^u>pjYr%eCK*CCY0-)&B5M+i>d3pA<3A01i7gw3tht7+Jw9<Fkk2z~
z&E1Vd6=&}INuN)@>V*5)yL@&~D_*|*>(}R)n3yx}i|k#j7Xx<g*<%sDqSbV+G(aUo
zuXtr)yxqmy)6?_DjT;v)-fuO}>6&Em`1Nm4Py=g_MAPEI0n*G`Lx?6fsYzU?O)+F&
z-~AIJ<Xoew=b<DLjTc{T1bJ0hVx%~FC^5(W*UKaPmHtJBz0cY*7%3>8x#FVd&Yc?@
z8zU)eX}NV-<+<*ctFEcZv+OVsik3bmDq2t+65zPTJGa`mxzTuu#cImb%xvuQy*(wX
zQ{ptPOFhm>im{z(+IhJgie&O3ZXHtr22T$SnW6Jf)Q_il(b7Dak5~wezRWj05fR}e
zBfY*kxx7l{`h%K}b=h07*}|w*gg#SQUPv=jWh11U{2iy;R4(CSVDjtN?A+W!k@Dm1
z8S#>yg{#6{g@uKbj6&=(i4G(6m?qN{+32rS>zVZlqobonHBWTi#$J&IY(*rOheC5R
zZj63?F5GQf`m4XRYa^l27~7xyW(_kvXK>&^MT+}y6^qh|$lm@YR(bLlgNTX`5yNjN
zm8K4`2kE=Jt@><DQ|H6kxb*)0dp3or14oW<l2lby<2@H6qt7ik6?vB4r^IdV4}Sdk
z@h)06Q-P=-iq>0yQt^{sG>>h}CrO>`y7cIXS)YOJx#XP6CpSr?GoOdrE_yO&aSSiV
zOOx5=pJYeQ4(bmjjfDuQSWlcJ%}yxUzc1`R-W;lwAvC9_HLga5ZL&*BszfG~?Ib1N
z^73;1Re?ayg;w>lvNF=Z__#RYVey81`M$h6k9zBBY3udehKGk0;@*01ZYV?xO?G6B
z3{{0{rRAz5DYol4)WvVEjnv1A3%h>ku<Xq?Yj*DQjEIcX)YWA=eE2XUqdTsw6em&O
zzBEOt=(Ri?!NI|?;I=*(B$YnlI$gYE@8F=#DJ~@Bv^dc*qG5h>x@6N!P3?(ax9do3
z9c6!KzTM!)`l|F$hWC2PIISk<le%bO@72k?$jC^{)b71|C)(1wZnf(Q-}>3|@oZ4r
zMSO++hn1fkG?5anvqllRZNKlf>wD`iQ~wI`UMnq_liFNvFp2kMBVn~EDJgq!vXkPy
z+~!9cS5{W?^YepQFDXU~DJ)z3+iKqP_C_h*`y@KrB1emM|Ne_X%xA1RvwtvLXjor8
z5NzY{#hi{NvMH}$mXDOV@>qmic)v39>cD!R6cu?@u9`A)>CDOWa3#K>Pbr%t`=w&L
zV~$NH%DBc(oDBKbF0LJc=<6vGiDX?kmWUlFa^%t09aLm#X<fUrgOv3hStdbzg%=YV
z16ZU!F!@%C=<dA1#?P<P;rH;NxoxE(-x+MkXki<t9?h#)?S6g#q?)3J$(hDXS@_7!
z&dp7KSe=TAIWiL0+1ZJ(mYtoAwQ+7s)m-ZHE*W2r_ug2Z8LaTRb0_A;kJagtzG8Q0
zf1{<zu6DuN80j~4%fAPMq>piOPJG(IV(HOhoK-yEB=_potD{GcDoM=Tb=dsixytPI
zyZ`g&^CNLlQBeq<vEt6@8t(>{N8*=Wa_Azc%#Ll{zSoqm7AaR@*|Xq&WNIqsaI#r*
z;+e&7H@os|oSBnTQ)??Le-HTc^m=c4^6+H1PZtXd3brnc+LWv>PUiKc>l9?3ixUm%
z8)@%I5-y*&92kAKn<m&oY*Rnv>S&I=0$qoT24B>}Z>)tiMP?+D)DI#XpY{EU*n!Zp
zB<?h^FL<&m@6yGK<rNj;LB>W#>xemOxxSQ)Kipn3y^*XvKu5<h{fWe9Sh=tLf?CS0
zAGMK1PLunCKYsj(Q+Vw7am}>0_0=VgW*$zh>`GICUWbM=^>UntYR)WmCmf5k$S8I~
zROs*T-|ll%P;g;9qa?S(GNX7=t36$}B8X)=@#U7S+yCAssN?;mrbaHQ+11_Mrl+vg
z;2nEXtlXPAdSUDCJv{HP3q?z9uFdUWc6nyUQ?Bo|{3<*98rk~&%taH5%W`r>>x*6E
zKYx;6;w0TH4;bq%aBy{9#@6=y{&9=XCtIAQ55GR|5$<)l>Ax+;|3tip{pQB{#>NIh
z+Gx`&xpU_}VXM~~&%L`@afnAx=gO7GQBj=*4kH+@q=?Axug@<?t^M*T?Z2#`plY8u
zCpj{MEq-%5O)ziqJeAGB=-`E+DUO$NwzR(XDP;1UD02aZ`MxL5TMU$B0fJ2TVDEBr
zaL6esIg1=2BASDJ*6i#o&xhaV>E%LWV!HDi6N_Jq)V8#>ZD9Vr`tQ;0-R|S}<;xfO
zNWQX#yX|`J3a+sVii%$A3+=I!Lc)C>bFt37t`$tqVPRn}U%o`F5v=d4pq5&*ogckQ
zvs|OUF*_8hBxWOs>EJ0@v!CiNAkEf`Pv=wfE9CmJAL7(_b}aIf&kk{I`}*{jA9wHH
zr(%)x0QkFi@80U-WYKIj2V=}L$I<=4L@Z=v3pJ~c5tR*zJbkkq3GhX8?1rx$@=%6W
zj(Ot?X{Vy~suS_=*Jf+91@BGwl}L$-E+f?j`1xH~#2px|%#V>W&6?SUEAH)~b8~m+
zxYUjvc>U8~G#&3<vn-xs2PgT3(MywGL`6EKDv_I4+fAxJ7|;Zd7YW+6D4o!~^YX3M
zqj>X~Ii#viMW3p=M1|-dwjx57-=4kylDj%@MCmxci$chzSE3-;Zm^sZ_wxPYztj@H
zZZ~nA5)pCf$TZrrWlQ~@l#~?pG_B*LfB*g02Aju+*%Sc4V>n!${KY!2WTu?4ex074
zzWU-In;-7<*ohOD$mGBO{+oSz-Q*{3NGH!a*6$b_TjI-?B7Kz&>DPo~PQE&Kf`jHw
zS{k;Xjr2>Uc***09&PEm+RDl#(gk0tSSjxh{8jA6wNIaad4OyROcT?{8h?_7B|bvm
zt0U5oZ20xrxq7x#EVlRBAWQwU0y$AJHrYeBqobqRo7e2#bn_LSCXc6P6BQnjzaDfi
zh5J>$P3JrHZmij0t29}$#l=k<X;bK#y!D~|`$<I3MBqcV3FY(D)X>l<Qqpfbdx@Ig
z$jE31qo~L4Ux;f~LeYMvIh|J%E~e?1d_eL_r}LVt6VA!WA@RA+4pmlGmOFpI76=Uq
zAsbdaVrp$oIuSFwB(+{%=(X-v)YJPtB*&tCW44CJqAhi1Zce;;2WGgYhNpy+1aQNl
zmU`uWR=nIB>$NH868{GeXlP6#gpx8!Hne06>OZoQsvmpO6d(jgz3-ps$O@-2)6TQD
zTFZ&K1ZZa6JsbMeMT|0lNj&%5*Znj`Mn`>1uc|nR9g10+R#~RDSePjAKEv(Z%U-1D
z=XdN<RrJj-DUqAgVmvf7?pgdSNF3SJ$l(uYPn^o|-nMPq3B{OwH2V5|_=o@6DZI3Y
z4z-P!?5CyG-8AmQos{|0O@DiL6Za69G-*#o%OYZX-9cD=HmJv1NlyHX^b`U>c;Kz^
zwjP(kz>_CWt}achD~A$OnC1QuJ4j;V_aK#TX+?#}^6W5WZ#%IwvbEBhXwow?mFYhZ
zznnkaJmx6e;~1J*VeoDZJB75Lfx!*wSlG4n?c29QLxwbO($m!n`*T8&IfQ!Y85oi+
z=O;S8P<WVZ;7ZlyuA7qKx47iYwI!~Shh`=R_B~jPc*Q!Lq8-i5o4_vo@G@;m8$wOC
zxRE`-39EcX<cHLMA4wV;4}5tLB)Rf>JkE1<kxM6^m!F@XhsUNaN|2c9+4Cc*I!b32
zTKF3znukQI`=+JIk(?T2x1}jh#FqD~Q$?hZ@bHD7DH(tbDadXY?(e0?sRP1e44SaH
z>g2Roywsb*8M3lA*C5RN#op;vp)f$wE4gnY@!mwV63<Y*7^36cbE{s%l=pC0CqskS
zWb&mTX4%W^Cr^$wCk34ljJfygSK|F|n-Lbm=ab4QV@K9k11Q6~Pn{IZb$JoiUe#|;
z6O3D>*3}j%c&jy3BC`uOYVth6H?llEf8b$jih9G-(}N%X-HN~!jbnR>#dE0BAi>s&
z1%TFcCQg>;Y*|8(WM`I1!*ET6c;ADR<m6oIp2Az>YDQMikW)T(sC|8bcpS-ZqNb|)
zpmKewZ`zVtl;>4pBf=E&)62v}ug&!(K|#UlQ>TFq3YugrXNRf+ZAQJ0(~n$LS}}?h
zY@gvZnSAdZf2P!M#O}1#v9xR4K~AfUKQ{FSxWgX!O^6-6rA8CX5g9>`VqXHVk+=?@
zXQZFN)9%#4EBa4qf^XlxjR6KR3fEuf9U2<yM!IM5`hCNv@jyNI4Qk2X*Zu2GQfkSu
z0W+F4y#!`K>PA*<@TFo>=DS^Gs8#HC%iR2Dl%PeF<#E$z>FL%0G_vdr$e~!Jt|7A#
z<z&WCHU(J)1;I#peb0sP5WO%-V;UNo`d&u@-=<iyPx9Bj$;hy=-RQ7e?65e4wK&qK
zD=EQF%H&G9$J@+B7Lun4yd3d_;a7}B`(BGTTXvwL32bd`wd&5l>M9x#6qMIti6h4w
zDbFZu{eGcMTfF5hz3P2>ng@>_d2K9@giD_Qj*18gc~KiZF(e;|+-4P;B3zi%Xu7h5
z+~K{6yo+U6Um4HP_n0X|t{b!!L3VnNCF`;&=~-u*a9VxuIv3W@uC9Blb*@3GuR9X(
z*Z~N1z1yLIKCqliJ6AqVLX?&D0{s-9b+<_S_I)NCp?uFZ9bzu^EdA}^v|?@@M?tOq
zq`nO2%Gc?jRBVf;k!PZWghsaYiC_7NSw#toEG+wJcFlxa6vnv!iw!pt*kj%I_J&W>
zJN9G847>B~sC)-Ysih=t{S5nb{TskN@<X>Bo51)eEk*um#96>2_AZ;^g*K#F-5@>t
zs^it=y~Xa)MHk%M+_bc`G&Lg~lyr3g1<RGB)`#4*E?=&s6z+Z;62fQG`~J}MShi{7
z3j|3;a-q}YN~c9e!PwbbPOoy=|M}-SC>l~Gzz)jc2B}S*j%l%=NWZ_gZM!wrBu&On
zjv9{`KEj^SXd2_-FId$f*)}xMdh6D$ILCFdOIXqt3nLvHn&3Msv!Av&n?za8HlAA^
zefG2`SE@Lg?cf55)Epx1{UnsYF4+%p^kwO<r3SqHI=<lL<%RvD+-n@fBDH}V&UOym
zyi|7MBKb!{d`4}tMOFup#rK#7Su*0p3rmmLsuK!MR>>I|@uChtTHdG-z|UkKgP?iK
z-CeZC4RMo4{+ar@RI*u|*}rm5L94)i7+{-+^!)jAn-9y0tEYub)RRwy^%?<q;&20=
z&<5jRU>1c%CY?)GWBpJUVDhr7Ry}Y&tKGdzyw<y={2fdK9livo=zFi{e7e?{_FV9T
zl8H}kNNiF>tXY$D!R#+*{5SJVMu&rJ;B0q8Qr@(s+oA}v=;Aw*hPe58M>7FWO)~il
zazgladZX`d?rLM_dv35DJ2nKIb1k>Ixw+4M`pn4lb3WTo&aD}nm~76)Z(4dx0;+!Z
zIOojG^5)CItd2EoVc`!$zARo>gu+y1qvjUc^*6`$H}}&N>uut9Me)ZcQsoxDAasSx
zr1T-T3|0imB^c9}VLOF+N7Y2|NI8yP@kv1WSugr2td+lKv@yXq^PTJ5kL_owPn|ji
zusY#7W0EHLp@I9H{pv7@G<?gx;?O(6ED`wz-bRZur4whO=^4~*Lg}N+OlfE|e~CYE
z5FSB}JR4nISGSI-PqU<E6iWSMPCDZ@e`Vt@ZW2ll9(H!q@s+3-Q@pIC1O#g#%cq&^
zNCH1bM#QPl%+>PCI()-INx3gh0NH+<bc(KX8mbJ&usnbF`w|6toXfzjk>k$YcD|Vs
zU$t$DbFP27gZjq5%pkAJ|KUUBKQHo^hKA_|?+pis1w&)wjY%7Cm5TxLPkEoed})Yk
zAJ}5~?aBHd{#op;7i8V4>go>C05$=m3rQxaXXqiRMEJF|wkm+D7_JWA?sJZ8Zeby{
zI+688CFztxAS?I)Ve6RHAUQ?Fsg^gPeqm3Z)IU89Vu=ai7u7w!AX30gSyA!P>QUhl
zISY^YAnM?kmuZ4yD~6xjMCo0~a?W2H;g*R$c_wN%zo0S5x5WrQzr6~N-M7aq`v8k(
zQ?-xPgoK7>AP<#~=zuDy?wb#<stXe?UwqZJi$Z68ecGES9<8jbJU!R%Y}=!jruAx~
zWFoUh&viH)J0m|meF{^#xv@GOPQz5MXdo7A4Md$jr@1iNc=OYpZAi~yrTrRte-akB
z5ukxAhp@c7B{`nr157;=F=`-^>K~Ly0)qreZG2N0e)sNOwM#fLX|yL4b#g5u_or|C
zu8_Ka_pX3z6ko$9BtCO<^Fv%(2r#5#y=jkqH1wkOLocNLwbn#XWp3MZs5X+n!aOH2
zDXAeww0U6^yADO)N;#uV%$Q2do3`JQ>&4*P3T^}*Xss;VE2?}nrCjixth@$)v-^=Z
zkHvE@KRHK!Y4Y@aEBW=`sDD@xdl-c*uO#xwUA}zyv;o<{<PiwM7cXAq=YKQg0|@o%
z%r=`8FNpl9ZA?DK&0Q}V-T~sIJwtz5V!lFZ1DHM#)muVSuR)Ghc)KP>`TT;f*UDH@
zU^D~Za-sdO?1)8rkF|P80Hy}igpgII0D^Fv%R@{AEvBUY^f86S(<;DhCULH8$B&nZ
zy7fjH0s|7YepuLnr9F)zs2kRhDY0Lidgz&%H%1eJKA@<v5?YeR=4jl=bP92#+E3G=
zPb%@&@9pgStl?cIzB*h;4F>WXg{HX79nbptQtS(@d&um3Xa7N_So=L=t@rK!N@_(5
zS=pycH**V2uFhB`e)zEQ{gV&yxmt=Ki8K%*$8BcUUxO%KTU%RQEsJ~g^YeT8@)&jB
zkFF0bb1AQ16AJ>Ik7$fTYid`k<gk19Zjh$te31qQ2H1}cHFutx^aG6y-{PChYA!A#
zzf^f9Kf#f(-{@?r%leYkhq|Mp;j{4u;EeCJCfyA13mD~=yCl@*1}^sNBG6It-j$_=
zg#}y9S_}jbi-SwFs;UY{%5vdUwB5VA^xq};x`u{(G9?zgql_H&2>$wC<(p3?s_*-l
zzgQohu^2w&%zuf<Ac8)hzQ>rmf`zH>z8Y6qU+={2a~cIv?s9_nO<aicU~8p=RLu`o
z12eaOzc!2QsG5wZidBF65;DU_*NacL)IVq>=^qJA(+p8Re&6lQYg%ucG1{YNN{40-
z7v%ao+B7TP!S~S7eEy?Ls21)s=ErSN*wT<{@dw3~<Nx)G|NqB7v!RQv<K9lp424O+
z6TneOJumG<j!fzjvqlkfTI+v*$>#q6)#?AyErg^O?=gK)b<97a(r?`8*Y~Usmz<oO
zpe`VsT)%$(+O?MB5jq2tlRdu$d`oW#Fi4X#+AUDFW)RDMc6|KT4YrcAixV{ZeOWvC
z5BVD*k0L9IdadP;Z-C<KFZGrB{oM!L<wkr^bpwm2{YyVi-NO0%jMgF*pAqONvXiO$
z>NrI-$j3-)@);@V>2YGWeuf;Ei;)4NcqyUL50qKmkGklJ0QxLs-Z?D}eCT#=^HFW%
zBUFv1iZ+*|A1a<mS71-S1oC=g4d9E09=s$F5O~>nx8fe_hN`ONiL8cRltZAQQLkM`
zHbD8N!acLFP>lHehl!Ptq9Lw4r+{jqv*`Y2c;v|-N$v<8l6Ms6*6n_NwI9@{iZ89`
zo+>NL^zyOXJeSTya$s?E2%4CfK+y;w37E1l?Y-$fNJ~_>$fo|4FJ(fJCtJjnfS4$r
z9lZ7aN#ytIGM69EJ1$=;oF8M&>p8V+X8(7d8s(wYNrOE9c)dbrXYU|_5It&D9zd@U
z$BRl0;get#fM7>9i9u3ie|SV^EOsj-?3J?Wao1&K4fY}@nTv@Y@73Ivo?O~sixrpg
zc<++K+me)?uGsM!_1IJlXqz27cKF`C+tS`XzTiglCN)*3!2XpV!IJ<CkupI~l=@N^
zZKi5l7aSK7YFkbyGay(QfCA7!rg>fBw|)vZj($a5^85F1m-*ksNF<tP3L^#Ix&=P1
z%al?$Byp66hFLG$dAhgDx=4YXUb3<BN-jc3l*ZwvtE(%eF@LnU^Avciv5jQVCX3U3
z`W=$?LzOY24$vwXW18`1)N^SzeIJ<HsB!sc(o7jf<*mLfRk;~MlLrTEE7wjKH9G8{
zYRoo9@umv6PQ@(oyT`dNke=VTI_xCwK%GImzES~XN!9U){HaD$0kPQh?Cg2G=U}j2
zv74xk_LVEP5Y1x6Zk^)g{RJ|Gh0oAWEu|;VrVmS~s-YnQ9U_oX7#lF&jFPy^sFr`V
zjU~0XEZVD>@@nqRVAlCJ<H>hx2E1jiJU*cwFJfl^juK>1{TWol;N=gC*nSsm*J(C<
zYu3%z{1SB*F{>v|oZ#cL$JVPaGe-h@2blzF6qa{sqNCZ>OGc&&HIBc(KT+l!|BE;t
zBF;>=Vk5WiFq#y55D<1cL7II2yy0gTQLpp8I{p2WI4koVCh<KGbk1#3N&%LlW?2A*
z?mQSM{OE}2tPi#1+YU<;t%!~fEgpye+Y4a%VI<Do-rj!RZ5<5tlsq34A1us)U_z=8
ztn#}oFJFr_ArFCssjsdUYgPgZqxkyr5rgqxf4$UJFYtaOQc<TA!ya*bv*8XuS0C&5
z;7iQQ&?eMVHBNi3%u9N%m~IrERnXJx&1#T@>@}2`$=6^rYAeF*Ip5gQaxL&;mdngQ
z4R=wk>nOfNO$fzz&+pFwWv3Wr2|<y<c1rB$)5tGVnU-Ul6En><Sq(8|u^yhD8AVft
z<LO0;<Wn3R&Xb)BAX~gagc)a{Tpvs?n$jxqDppHb7*Yc}{(_I?BP#uifegcL1m+<P
z3=c0L6bQMdMMOko8jfg65C`*ixtRG=GbU7x5HX435}%m@qz2_>WN2vFQ@8-+YB|$M
z2-F}XNPI@sVc>d%MBIM1oTPczH92J>1x`rJca|9VTKpc~+OY8OG|jBU7cUGx-`#}`
z?;1KnzI3SsoG5lE7!GLQ)~9RNew9);NX!NJ?PZp5>HmB$Q0Ypi6HqO)+vri@B^g3w
zK8Y(*<U4Nx0pbd|Px_dMNPYpzDj?Fv#ztvr>FqwB)_bU!!~~qDbfW8?Jbn5!B&2C5
zSrGe>q^zwi?zQGZEuQvgFVQjG`s=pCJ}}gDbSFpv)PEvFHZY>me93B#zG95XX^S?_
zgvP_n%pVNO9)AD+olQxFZ7VNBAh-f6kL=Xci3ca*G(LDNgOg|&)g;CyF!I-4eiEPO
ziX+WQF0NR96GedaL0WJuAO&x}(;yqxK0RI6GlHGXZ&J_6#nn2#fWp+7*8M&;%hbro
z36fj{x0S@;93vR@v7~rz-NLZb{J8MPW&0cVBXJ@HMMX8qP7~iwo434%TmjxHGcyyS
z802@<?v9vX?OaP5g13k2o>3L8!TAJi!4YvM`K0Dz$TkliJUD**cm?B|*RS^lfBpJZ
zd@BC}Sy@GekV8iT8V>mnr{(poeD|Ry8-BdKh2WFAJP0K7ahuYAa)H{_t5-2GsoB{A
z!Xta34U9FtlHAm-W&;z7vXzwSIM&2yo!<`>9(qE_dd3Hldk*Bbzh9lP`{;9DXhUoy
zNlD2FJ-0V-05m3C3eToxVcG2WWhpN&k6TS3R_F1aTYpi|?4qXLMCL%@QgWm8KEAL$
zU7sN^5fr;OL>agz+?l1WrnC~|x<z}s=XhG)?mc_Jhb2uc&CM}Nd96XZx^Uq_!(at*
zO}c_TxklxHYpUnY{rl-UmOIGL@ABo#egOfNtxC03RYaohu%x1<p6<%a(95uC4I*xw
z`#hcWQ{wZs{RO-y@F)KEiS_?DEZmgiyk!d6P+e6uvd%cP$}q31tLO-B_WO%LMAGr`
z@xeg|(=Xb`yNY5qpZ`I)7if=AT>|s=>ALCkd17K>4ly$`)6hI`H0>;U+zjVSRYOBY
zMh0Cl4$sGrXQia1($u<orT?r3Q*@o0y1F_zJ6&Bal3TIl(WB3c{l(H)??+-sKYX}5
zO^uO`Ze)78uXmWZ_P&HhjceBovpS$-<JDPoB$!HM3y50q())rHW5t3E@vhrcpZofx
zxVaU{@PH_=skle5Hf<>l;8O(M1cD@^*n;@-U*2o$>png{(l7B<#TGPUw{MhN3i)5Y
za^;FU-5+#vbXZ!~)y&43iMy7aOO45@NthS|LF;ndjr_q*yWhq2R{m$=-$ot9Xx?>L
zPU`wy-m#ZBs&GC0FD#LC-RZs-PB;~n_M5&{NoaI&&50QZvnYQ5UVx#l!!zBN#qm-7
ztNJ$E*&&(ex<ibNDQl)#9psl*)ma*xkf4mSI{Iy0+}#0kyuCMnC_0H8aVjdF**GM}
zb@JrQ>?}-2V$=t*&%Ynh`F;Z=;u!=i1?HwPM@W3Z!NG{Ey}iAGO5X|`k~%CQd^*6;
zQ$O!O%_6CztUNG1?Tt7bZ`Wuts`FD~S}{(-6#_K?(QpOiIo%?s2bHfP^g7*aHsRyS
z&;R}90WH{VN~-0RmGUoNjvYHT>PWfyhVIZIh~<K=7t++mr>9wHXc_^1%IVr#S`HjI
zko}VuOZJhL&PJF&rBzE+H9R~Va4Eg1scDgW<oxw_8c6LR$-wJ&8nZwvUYhE0|NZNR
zNeFJwK2asKDl9&}1Rp3Dt)Rr7)76cQjxIt7hgo6!B``6`&0`?ME#GO>*RT?+H=*;L
zi+^{qUSGl`>X9HQQN~%3@`;!z_)wtF15*cHZ2nF?iMqfzOEaTA&$ZYjaj+#aHrDE$
z2J9XEmUX{oXTc%t4`%E7P_JucH3=CiRV~Hu?;Sgw$C{2yNa!p(LWa}SbcLXVAgRUq
z1R$6Ch{)S2o0F$cH#RghEGN_fAJ!c_co4U1oVA?S=fx;s`q;wx-0?J2BSt1BOVE1+
z<Mv?0arx|@1JqKiGA~^Lu_Y@j%g4{pM0Lr{ZROcHA02(C(9qDXx8+&w=YFQ9rE#4)
zHM_Woh0JnD%E*|$y=AM`811CfDsou(v1Z(|NuSWYiwV2-5HAjpN42%t9hPAEkWKUl
zSMT1tck)4v>iP5M)zs7wN2?4^adQ)V;CLe_rjg-cj2OK6@qhmL?jc2#MH2QiPW&p+
zW9O%Ow8@AU*4EbU5eWv>d33b2&D$NA*%7nDw_Kf>nV}2`Ncr|n!${~3@KI>h(DHiG
zt?@+5YpSY(B16N&uew9MiSso%`oc8Qjt6I)UR+OExhX}RCrvG70yOJet+Y>{J`oB`
zDDGcIMn+otUZd#&8XKEw1fZu+4-01*7XT@#Y`3|Km#=S;RENPkm@?GW)Y{tH-C=WB
zS-F4zKJt*z;gH^E^*?|9#88%;krSwQ?Xv5+$$MB<PR_!@0-A47kdmpXsg6!eP*Bhb
z>f<D~&@tGRNc$193j54+4jnk)ciGV~J8K)OlvJN_)=7P66q;scZ$f1L`s*(cOP@b~
zmRKfZ8)#^-6Zx>G2*r-Qhlhuq-Mf+!Z){UUPG9O*t>(AHVq49vB#y@UeJLwDc<2xg
zS(723tCtccBj(awdYa&G-@g6)X^xtd_b`c-H9QvByPESxJ?~AvNF0-}!-Iyrhrv97
ztNgKc!OJ0RLy@!}s_nqOWngiT&g^px9AROgx<bRkhN3bUTHvaRjffc8_@R~7MsFN;
z^a7T(J^}Fr#uLcFC}~cgK0ReK>>)sdveD}6NHshrWq)tqj$m@&05AvCH<%A`0NZzP
za&tcl41~I7;~%e~s%j(@U6z&m3~zw`=@M6WfGt#Jth6nkHp*V9SWh1>)Y$_W%(%I<
ze}U}=JhC#9lkM+Emh<uP1zb!}Oakq>lZvX%Jm+G<X$&SeS4db`n4P^+@TS1Cz4bJ~
zzkdDlT3;#f-ptiX+d<8Y?F)0tu3fuivl_r<V;(pU`SZO`Do~%puE5URE*^eQ1tk|2
z71BuCn5_sgY2~0(^WovMv9UqsL1s`<2@MYJ@4s_OHcQ^$N+CTnD+^f>t|lzzyqhOT
z=^HnmHyu8R6v)IhxiL#1$<jLKsh{$p0c8eNm6iL5jkvu|K@qAxu<8k=xMKv2$lmiA
z-VTTElISWY1-8)Hzj~6CSVmTh_g{CK?!}nE@JG47<L2U0?G0dMW#xf8>QF=w955=K
ze?#P(_Si#BMMbr1myCi!PKPCYQ@VwYX0x3j9Plb%rDhU)nLP(@QNiMG<q&yg<q&=;
zh+EQ^E^VUP+wRj3`5BI)`gCW7OszDivQ6@PE;{@iA1?xs%Q8_Ku7HE#_3PJ!xsz#G
zYcGF2edw8q?;{tjt<%R1EvhYz5z(EBdfMCbz&r;=L|w(zv0Yl*+7Q>&qSA??(R!aT
znH<A2Zv8o+=}pyw;XTEq@z#`xCY$7{JrH2u9E-#^z<P5iG$3m)!t1jwC)n9vLp~CV
z<p#zti_XVJRc26fTlhKL$(gWM`~j?K`<Mk76sCKNQTQ0;XvxXSGSm*Y-gej(!5`HQ
z^OK<Ix!I*9YD!AM!+R;kW(8$-xi{6mY=F<r^-gGM{}nY^tG9hQDcW17PH;FdC#R=N
zCa4hwMhqQ}6b*bC1ESbBdU|?JMQ2!96X2>qKCHjdXDw!cnEWa!N&Lto7&qm(3%-ON
zV<pKpKP>J4R^sgqFP3iC#VCu%c7wlX2CLcE5EzT<qjgkN5?&^<jRTtE1@8?1;k{Ep
zCLa0)U*?h#P#KnTRH7;+mTw7&viH6DWO^j&*|TTmD$+Z)Z!g?_t*FNuWW6t@K@3F<
z3|G-Q&&rqI*V|yk6jl#-SqElKHhzd5c!1(v0pe#}U5*AP)Fy({K7018i;D}HOa|Hw
zJy~YR$0X)>*>w`fgPDz<h6wePlxaAwZ{CPHjy^{4$9|%w4hjg6XjWAKj>1(=k%+J=
zsk_@mDGfCl+ljL(g|BkHDGpd>+0RW1whisQKDC-vVDI&$!&0)M>I(>f=6s)+I%AYv
z`Fw9raB)pS^0HnVcS!5kAx!%pJC4@+<-gA;ve6!GON-9SbJo*~o1N9t{`0zW<vVCL
zpa767+Z8Bf4`1mNhC&zirci?Oq^PLqi4!A$64-V9wnz_n4G#_dUR`w_Z%ZpXdi){c
zHrzrFF5|`rnXT)0n(!X(?tW?KowhwjB|WxrH@~%_Q{T@Qwp8J#83F@K<)L}$oVY_9
zj8N#(<X$IJl@9d)p(Q;%9h-7yx_)_QoWOCwknitVG3wNZ-v;(AVp*Mkw!BGBPJaKs
z`#LZC);_L75Ig=<eA|8u4h&$khDSx=j@&1{y?gtXmpYmzTgwU%3-zuZs;H}15wCI3
zq`#O7KpoQNJk(BgQvv#}l<oK1J=RMzGX;>g7=+zKvI6<2Din@SNxiO9t8zTZzz`K5
z&qD$X2#iQHlW>k4sWV77xOp>NNfZKl^gnJ+!Y~qi6eZRAmG-lrI<=n$z^dwDAVVOV
z0P(s;Mg+`U^zX1#JM_gd@B*X{&=fSmfGLTIi3s^9%k`Z)jN;l8Tg?+*ya+qZCA)eS
z>r>iaSyeTLY#;4xn$o%g0|9CUNGhN%Qmg(RJ|f0)<cLQi|L%PI?MIDzN3uRN&|`Pa
zEiUG2a3U}v#YrVFTgN%{=2rbUX)>t9;VFi#&~4#c^2S*JW;vt+GVY^CfG-Ao6c!n=
zDP25V`ZCzdFqYVaD+lV|(i}MOa&Nb~SagntvYD9~EWCWJPebG5^?`lDT7>`wlpR8k
zP*o6sMo$$WK%u^clT=SJSZI)#0@4)FNmw+dJlw(deRN2@c;H18pFE^P{?eKslLSSg
zC!!|2M?HG^qn3$-HBwW?Yz!tKI5w7xBo<r0-sD>y6^`ItAL$nx^SrE1f0UM%Haubj
z!fx*GCVe;&V0Vm&Xutm5cif~v^V>1_Xf^jIA(C0QQJ~nD6<0>|A3QpN=+DW?S=-Pc
zg(X`xk9F7|)A%gRfsTbG!^2TivjfAAj#le3<U^nlu8fT1jjpRMp)@o8EIcw7H<n6>
zGa@|P52sF78=S0XVWRSFH5X(EMBJ@Ddm!*4k;lDyO2L0jOjs86#KpyVjlGHxix$Ur
z3m^OJC>9&7XO7T@WtWkY%j&S?auON`DS=|H%s@s-X&PQ4hrcfy8NK4WTUvMi365NK
zDJZ~-va-m!ALXUZ_^zfIPJjR|t~&FaslJlF9Ll5@FV34yeI0X@-Rj4P&?y^~0aPN~
zG4{UMQ~-Jxj9!2=JRBS;si^^v9zA;auxWe&)rE0Z0k$3J6yT@ofWP4QuKM>P?j-$m
zZNKfe$wjamO-;(LoHegqyB3<JEt|TqxG1@FPaNmb_7L|&0_B7maYPS|j{{@$9lBJ5
zdS~fp>o_(KiWwmNg{39PZ-UWv7Za|!s!yT1U!`HiGT7PKVJY!V_<#JpE*3H+Gb5w6
zj*gC=-Uo*f#p7J4h&je1*~0~#(=uNMWcGJkuW=Hjtg<rBaS)TZ@t=Bwao@i0gM%vS
z>PdzYI1Uh#TS9XtOG`_Ul=g1FfQm$0Vp#%rs}7+WGC)mD4NfFHbl6&rI`@j*7R)oH
zG$5Tv2krbrKiGu&hG~A+;HCxZTdZ^7M&fC_9|bs^?uf&H7yTYO7%?UfD+5@Dq_#Y=
z2Kp57-i7b}2Lyf;?Wh}Ix<GQbHWnJkik6g=G;NWO<X0d=K}8gYUfW=2bWpvTw1msR
z<*v*Yt+wdv>$^1CSXxST4a*Cz2<crdB`5Gw>FV#_FmVDaGfR09A3s+i0YC#e6_GGc
zL@Aa7V;mo6M9l_ducP)(D^0dW9^`333)t)1S&1`-3PHJ!LzOf%V~7OqbOVp74EY!W
zg`yS442ER7$~5^I0-=(k;_B)W=jDC7@Z+4CR%DpK{(bvw6RC6Dm#h;Szae&_*3VJC
z$7L^aq`KWGuM167=q=H<G2Os~q89wGqBO6G&`TZVnMMNFNmh}fmp**>F!Ijo%Nf+c
zx%46ZgM-a3u7?_KO?C<*y90hOl>%Mv+PTv-y8m~zV{i44Jw9(rN4IKeETaD+Az{JI
z6Whr@D_)lZBT&`VO=}-dNJ!`^I)uCPr@OIz#P?#tSVvZp-_VaAxz1c^imv5xXWR=l
z^A6xbX@R^xb8LXHFudZNXb%54PvotuS7|U=Pv)+m1b=q=^WOR-u=3krlJ)P`c@1kl
zdWE`c9|1z$&i(W^g-E=kSPu*?T}2Pu!r^r8J&r4%z55^8@zj54s%NryiMop-nf!;f
z`oH@T1czyk)_)j`o%q=8`(bpqhF=x;+{))21lvKvicISM&)=Xd?!D*d_>nikg9pR^
z@87^+y_UD_1@R$}L?jYmB-)Sun`{ZoL&;3bz|h&7Lws~_a*~Oj{v-*fZipD_GaqoO
z*l48v^z?6<(I0k%h9(ev$23FK<M{ZD`SLv|rg!hgY>fYNGk_SQ|HD@EG{h3*=k)YL
zFaX6re*CppI<^fRN62`9#$rPR&ojF7b7?6ni3FVJPG_&RgOdLtM6cxJQ;2wckrPht
z?hypVr{jq805;vz!vi=>tn!$#B9qu3hVQI{SU17;|1TzW{ulE@nV>R&cfungwA0#f
z9;bSW5U2%Rk-cF}BoXK55sSG{G}j@2wG<>F6KCJTLb0Nrslh?4h3BI(5rB1&?r$*-
z>FL}80@={OP%v573o`^#`CdqBMqMoA{Af;&mIfRi56>(YW~AlZe+Xe?BV%L2*io`J
z3q;}6)0d<a5B*6#N<b!|F@H)w%eW5RR?>zDn5fQ2W*fa%yZYcR?@m$AfVVKFhv_~Q
zla{iwJ!B}jXH`a&A7KC7g83KZOr{2B`YKW^dVi$)>}$ACC<kT~4m{)txH!nN@yi#6
z#;mF?a1rn#u_D)!A)OQ(R_%{f+_sE!N%8nmcbz5dPYAVZV3@;>CA6ByPLKOiv&2bx
zZ|FMrw0^JKxMTQE10Jgfgl35r9p$+8zP>*CRup*g?o$PbD$H>7$WKp18I}jJY@&lC
zgrFLqk(dN(UnV8-XuSPsop(uE`po)#v((1#n;>5P-MRy9Mp+)qv&aS4$b`2B7cLCn
z4FsN#xgz{`vP(;kF&OA5_|+*Aii;pLtKb)4u=4;Iirtq8pD^^ZeZjyjXo=!tWi6c(
zXWV-q)DMS@F~BD=Eje0N9A~y+KwlZaxVoZcDNW7d`t|Q{u3CRs{y{J*-nO>C2)i6+
z0K-xtw`J(-U%B#?VH>PTCQ#tyo^YB4M!QditLrU8bs!JH4%kBoHMkfsu8b&Rx`4qK
zKf)ax$$yCq%sW*yEt$|bT4hDKy)=NH9}F5NsX0->9d}B9ia1oQW6v_)BIVNsgS#)Q
zs1TO?IX%5u$qLfF&UkgEf~Bi4KQ|;IVhN2DewV@Hpt}X0`=%i?v_kahZ?34*oaE&6
z0I9F_KFuPeV6I-Aj#K07^-)6feYTs)G2m{~=PT;!?cKWo+u#38PQlrYaxasDzJ^<0
zM9x)JJxEXQS|`|!wu$2c0xb(M=wj(H<WqRcdoHP&OSez}Jz__X-oQk{irtZGrEP4C
zI`s?sJ?Msqa8(Zs1u#9Y$4T4HZU*!Tgc8c_7w{G^Yt{wBPqqu&gp~HXz%EIN7Lx!*
zVQ$cObyXbd>DgVABtGvAkEPJ$9`DU{RF5EBHE|YFHM6>Fb$>(|P8E#AL4SW%7KKoC
z`_UVp`;kxzCqS`+ZF}?PP4(Ny+d)%Ht&Ar8;NHZ9(Q)f&sHhBf&owJarJ+}(?BT%(
z9s36kBjVHVRdjWGfI;c>J>I>3eVGgi>>6Ym!^+2m=QXmfmfo0<hGCP$<`R~a+<5Lw
zRJ=~TBUoikI7JCBaE88=F!ivlNSxcxH_*QyRAL<_C9C`@(am*&1mOrX;^=LB_UuQf
zhwAA%X1s^Nxe7uBXH#-e;DdgP&HQAwiy+XMG<QrI3*9W=OLIE9t{D*liYhov6nEpx
z!$A_Wem&Olr*B@Am8~8q^WTJ_?%`#0W%g|>=9Qn|(auc;@ggbdRr&ZRbV&F(ogGF{
z0${ezp0uojA>s*V0fbNTm+QO|vz4q<BL&0>3qR)2=edN=w1#z7Y*?scewEnK9ZiD|
z{UB87bO1cqgr3M}i>zSrjyXnb(wy;UT>PkZynlV#5y7o%o}+~*hR%yM<&;*~+9(h6
zUPnWT&vr`t5>8{B7`WkEz&8$8z(7DO47_JzpnTEF2bce(o4uFUhE-nABD#g#TwPn+
z+lyGvzL@9GhLxPCPR>AwZ@w9HCKu`)%58*f!FG{3NU-U8#ad*d#SO<X_c!Ix$Os1`
zQMk_-(%7|yMn`uUcGMq3u;zF9bzNzSaO^u8GG!ZGB!jRoHg8Qv<06Mtr)4e{i10Ds
zjH4mJ>-)bu5W=F17I9Xc*y!(N<!KD2{Izu}i|Y`Lkr)rmipC!w3_vBeXWLN*|8c4%
zSXM#TDwx1G(Te9+xwbraMuv~1tg8CT(j|YzgiOA>zchwU?BsaW5lIh?lvc3qSsfD4
zTB%3Q5Ys7^`iRl^PY(|G_VpjpHbhi~sNO5u)@LbX1Isb2-m>RSEwQkai{O`}J51No
zy~_@&=d<YbogFj|1eD}p1mp;8(0}hTldPIT9(t1$r(D?J`q_~0BxC)n^F0prY2Eoo
zW}rY2#oNXlu^FzO*M(7MoU4%-M0OxmXI(8Q>d)XHu=A#DMF6{q4T7z~a>lL2;GG0)
ztvJ_cuf5<SXR_}H4&Z;D3jp?%aRNO!Dngux<a{pF#|%CP#k1W#M)UQ|(@0`pL>9?+
zE7rF?%{rH8w_@G|LNQFq#@<aBURo%cW?%eh5M$QSokKKw!Z$%h&qw&%<01$c;mFQZ
zXq33+PkrWy*aEZUNQ2~Rs$vptFkuamoD0y>!U{FK-YcwdJg_w2)Ag^W0+3M-2BSZ?
zV2q*tENY2xN@^Y?q{}{gboVIA$k3lQxa;?OWrbTalk9pIJz+nFhFmlV!^qc0$1l8D
zR$aMh$szW2UF@?)Q=+?9A(Bs;jJ+WzC)f41kRLe_y{g_H5Mn_EfXIGV!3=~Hr}GUt
z2q%%I1M1I-5yE9%U9PIG+xq?M<D(aleWgUaC%W>c;j3ULp$efsGyk~5a&c$_-+lH{
zGfinNma`9b45GWvvm_NXfqcj7)KtsR!uoRXHz(wu?nAxHsTBF-$s!y{uJ+F_CIC7F
z_!+_kj$Vu@C86lLc#qi!ejw|q83bOJMfcfNFjZH^&(F`}rreeP=WQm`T0_DKQ`L-e
zAe#2zbg7?NVtVXgolPXmF$<{F;NRnP#G%c<lKO@aI_VV|i%1e9;i_El1!8BJxP?HJ
z_xiYg^=K6OL(Xc(qWYq^67lG;F?u7*{rq;)Xl5E#!C}!iB)Ws@h(?i9n%`PKwYP1_
z5BVL>Tg?F$M8Otkbxhna$%1lU8+S&V3|@J<aGZOD{8u_i3AFws*FI@OBMfx+(o#2&
z9f<0$EgRycN?yONEZsw-0;(6R_vwrEO3>10BprtC+y>;cnkQT^Sp!#tIOxW*z)#?S
z+{h4k5s1v_x9=%JU(q!DfgtOSopq+b5bY|+2#10RjDWv*A(sP4hna0pPDv>Nu!y$#
zAbR|`G#L;%f=9o1fFzm@sXn3BSWQz?6wQCsJLYiz6innDu~Dwr%z*m{4DYK9JHZnH
zrZC3S9yowbU7iKtmB|`$izW1n5N)DhyRci)XPgQYGlj<u%(~5#(Sc5$1>p?zLZ|0~
zo=m-8i^R)GcOetJG5je8KCdLs%)mr{2Cc1NPLTr99d=6g{-51s8F{rE_>X8}!Lt$=
zco@)j=2XL#2Sds&NRE@rU7FyTycRo5pp8mQTLSx{-KQU@DUeBAO_K|)V(c;~ljo=V
zHUTc$k<9B!F!ul`Ap?bPBf3BpM#4;qFRMs0doLh+3Gf!HS5sXL$q2<CN?8!0VDQ}A
zTdB~Ki=Yp!Emh3|m<|Nu`3o1iirDe-XP&SB`BOan-kj)hy-sU1usLHAk~=12CTsRw
zhwIy+YTa`Oq@|zeK4J0AB;lbC)u#%XU#ASDuN>6Wr9Qil+Hu>qE$4zS{5nhC_czV8
zXJ4DPo;owy(<H9IS0crH_-50SL!E3}r`uT=*qUAAYJ+P{;!NWH<!G2R#v>~5G?f2*
z`PcvQ>FWN+r~Ci;A9<YBzk6T{L!P<@wGXZ<K*yFAjWo3+*8|dK!&<Q9Mar{5euDA{
z(?PnfINBW5(us^>dqd@#>MducdTE3Zux9_!Z%SD{ovzCEN^V3?Yqmu@H|RWG-mkj1
zh(+K&Cbow^IT>{cv$zwdl$3tk`_l{Ud;#PBYKiQ!a1dU*230y<`xNnJ9bQLT<7=vE
zZ{C1;YpAPJRc(FOx$uf1QbR}ESmJ0C0M>KhN0dI+Z;1EXZuxrY=~dMnL}s8(^BnVo
zPlC&(K1zX3v=my6@+f|f{}kWbhlt#!WpPX47E&GJx{>s&7wn4k<$^!6`9M;EX8?KY
ztV&$*tDq7!f2JGm4kym3NH?a6H~9)2jxA{x!k|mCxZ#tSbt#{zrH!nnKfklxrFrFm
z^aFqYJ=E0Ba$~r_?Q~bir@^<xfmuMvdRXOksXmXY`w?e%1_VY_cJ}PUS+p9VfnS;(
zoh2^vv<gs3z$|yG5(Mxwl{iM@Y@tYWZrUZDyU0%B7D@-29C`l@W!n)Mu@`<~QKsEb
zO%N@`9Y?>XHz7(=oSFT~%W9#jtW4lFbj^T_Nbaeru{gWA1+A4M1;6fmz5_gj1@<xc
z^;iPZEuKR{cjU;#lmGho7hcwsYr4AYNCldlhdOd<`x?Bje?IG7lGS&#`Ea;u`0CPR
zMr!hWj0BKZ=;O!N`69cO{|r}ryR-T;>*Qo0L^GL-JJCner-MKHr$<;A89DC0O>wd^
zG+Fu~=3hn<Zz0BNx;JPKzt)bd7cWSn=8?(CpzcQcifU!B5g;H>eEhM}!jK1|{?y5n
zcItoT^Mi}p(?$lFrsn3Hr#FP6iyWt#_Lton>n^htve;%8$ZuWCk1D}Iy^)xF;>|SY
zUnfUJM{8?ool3aZV;$u0Z&5IS2^*%^%G}few^sJEXCDI(;_VdkpM5?DJRyNk$)Pe1
zW@7dE%SS8ytI#<s*lMx|bU2z<b`m=K*_$p`aM{Ylrx<oxpLzs0SJS83tJm__(+*a?
z%Ze<5a9;Gzk$5MM1V`=8qlkuR8M?O*vP@S+(Lv_o{g~~^L2QP51NGbK72sV4T<X>(
zJPRM2U1gs(Mv)b%4H8jJ-p`}9xtH{T{o(#z$!?q=H=-t@h^tlk8~|cip8dR}ULtTz
znu;mt^$Fud!TS8X2Z_*K0$&jawD7y;jf<+P{$(%9c7;~8hz+kqc?>6r_IQ;B80Kj8
z=n~a2zLEUY&T=o(N~4=cj@Hwexuuk>pva;-fn^4Eas_zH?ME);r!-XkpUkr!@^c*n
zg`K8SSW>b%y;SRRR*C-)Yh$Yxx8GRc;R{nG&(jP6X=>@?3C7)(*MH?t5@nAILy)-H
z;>=8=o_hPWJjLgNt%7MPS6D^U|By(xW}or0y1T9)t-Y3~{M7DL<>Vy)AF}RysswxO
zWw5!O<3HQXdEdNF{i;`VrfTP(Z~VHGna&uXFsB`M2F!qrnaucsmdlSgh$%W7E5Th0
zFN0}DmVKty^H{QKD{bV7Z0}PKo0^Wtg@ccA{<G#vBj;{hO!Ry9?4PtyRS<7i?d;?t
zw6Ez*2pq_Cp9`omd|^an4-pRP-TVXc4{a@DWTc+7HQh^mnV9WJqksnMpHqK=l^8MA
zJD;;Zgm`q9#MDq}+Q_ISD=VjD7$>6p^vdW>;xeQ6lJ3$+k`74IB%Ahq@VtKgnLHho
z=CA!<o^UL+`;;*3-OeRmwR=r3QVl1vJ6*S^jfW1O`^prwlmAiwIktz0ZCpAC884aS
zY#!LFG&e)GKj6zgs1^ByJ#PyFTAB_CA9$w1Ok*sd^?D~IC9ypg8$6|^Yj`ScdNXJD
z>|Wf=?0YW#V~M@>{Wih44ohpiqevFY7{z>9*5`o7cIOd{j&cjt8}iW~@cHzN{rs|5
zd%cQLQdCM9{@-b$^ZCxQ>sR(ZJU3V_X^ho@87fWZPm0&aCWsMpJNa;6WTYJhVL~JO
zrlv*Oy4(1ZnC{RK{kE#^P<@*o^j96+@%g!C;=&xD{3s~+Dns*}{lvl*&xP?OG&bG)
zbbY58V-uR%((KC3bF8~QOpY!GzKn^ATbW$6f_0a=j<1>}%1BEe@B`Imx3a*W+kOZJ
zCcV@wlPx*9lZbs*PSHKqu+qv@$>323LPd4PSv7c40L`xT9ozGESvSr4%gJIsc!YTx
zuJazI1Q5C|aCmsUIkxtI&-i7Ev}f?0!a|#-LXc**pMGJZ-o3)~Z89mrzs|a*s!B#t
zF}E{SD7q)T^VL*i&!GF_?%jLE#tmw!YxV~nQIu0^KJSk?uxN=gQWUOVdsnJ02YnlH
zj_`fl%fv-*?+K{5M{md0go`@(V|*P};C#U<v<kNJHN;qdq%ps8{fc2lB~?ESQH8LC
zzMn*^cw)J-3Orw-?tC2LDXH(}sZRaFa*{PP;8?T~()PMBeQ4DI78a#xJne|$dp8jX
zxnt{&%)xO1JEx19)00;7P#d$XUBixlH$55r{kMEYz5y@0)@?iWkkg0vf^<W5wJ<wt
z-gxKF7@uN{GZpp5k6g>sJFSGYp|P&Ko4<4CujsmTX@<#+?0X_?v|Qzt?OG=M6~|b$
zUin16U<V$++(BR9QYWNs+ta_0nqsEVrW+sN#Hv7m1}_3MxVn~&E#FICpB%Hb{~`KR
zD<C*cpmR?<E|aRs_Rl~6fOrM6#^W@&-gywWV=(yO#>JL+lOxlwf)ONl@7@C>3XvHy
zghF7Man`Qq=8@#_^FKNhQinqVVB)SaoQ2L6DbH8_^#BnU1$d|_`Cp_<47$VzykFHX
zXAHD8kF@*8W?ibMWFjayaiPM1IIgxE62i4ReI;0r+!s-4_&cUAG~oA{S`jf?l_RsY
zktaJX`X75}trL$6fd!wL$@oj;F;<-@(-=Patv4>_zhp?-PJb?h_^o4Qb7{a(Cpn?m
z_Wg99nE-!3@BZ5=Z)pT7@k<J^q#$0_jc?@UkKRlL_YWmeT=?^$c{$-57wsPk3<S}a
z=NOfb37#g#lz)Acv)1%y4R88Sc|qdS^NJZaE;c`13B7?IZtn@2D&0%`#Xs~@&z}f)
z+u_`Q1P{6Y=pTjurGNat<ww1#^s@;XX>Cza3`g(6GnSW^SCrE1mQBqJ@o=heG^EEG
zKBxWXQOTpIb5`Fm0vCO?b)LRu-&WIIaGWG33mNO1U(b+(q*htUdw4I7Hx3xF?bQ0(
zzNZh?7`($XZ}8#bjI$Kh&x4*s5)>{T-2xayJbfbCvmgAJZWd2gL8@+%n%A#^0R!ju
zVL*fI+FE(%_80F67FYc{(Lg^{D8T4xb!V=BMdnh#;nTL?KjK;)x~gJIbPc(49-yw6
z(9{9K{8pPNQDDNn_)BVYIcV?;gh4#zrpLCFlA3tT54EIAvx4yO$Vi@sk+w{1eD=Xw
zRI?ZqVGbX*-=cHaai1|@1Kfo?`Y`jXLb0sN8NzSD=nuxZPno4})BA=NTcX7mycrH;
zK@m6I8-Ej89hdm|&#Pp*0+h%ETX23SU@Zz$wDmatY^mxA|LeAYFjZlsRZk&-mEksp
z_W{ZR+Om`+mkqNxmx;$6WE#n3aVFoxLwgp-+m&|q4-ao}g@=S>y3Am523|PLSl-z)
z9jfONKRN)Q2XktFnCgf1MeU<xWHvOe7o#~g|BZQFYQ55K3g-Itq)L+o^tJCix}B1t
z1%-M`OAG9(lAtNsLaTZf%qc-P!Zn{?1Sc|G2FlK6Gg;InklObdpvtC`523l`sZ8<9
zBd)iOlZR&-T_|+t_c97i5DzBX_aZyn5j6W$IvvG#lB%{ghrZ5bne7yg)y?S1S)W&l
zu7e_t6{7)@4&neUrm1*N7Kj_?SXVG+2*z~hCFZ|gP_zjT3*!W1w3BEag<xc2Y@Du{
z^#iLMJY63xthCb(5AxB&6X`nRk%oz94}i;u$MV<GQqZGE%xF6v?2>_sgT8~9$B%7W
zRn;f)xQT_It-x2?eV#*r#u84!<F)TaZZ2rz9JD16Pr!r{0q)4UXi}&`zXIE+>X9u-
zI+&sybi51<1_)+0E)F$TFD4Dm>DZBLMc}Z}O#`hJke9=x>+OvTT3Vg(6-PaO{MNSr
zGsNWRx*sKL!#t2l!UtQwS?1z_2gabI(aa6o2?{3!U+7u1Z1OvI?P`38NBYD$xsPKX
zf+6rlFL)q}lwS06j1#?Z#1SzzPVBM9Lu>}o`wYov8d~wMhskMay4j`(#P+%c_5TQ`
zykH065tO?h%^ida1<C`~VE-~0E1lrA=*0m*?vol%)WnC%3_t^d^t=$$yF%zkAtA7T
zW@}$XdlP8qQ+Lrwf4|H?6Gi~+U-+>~KYvay_z{IJkgG!b@qi?c`Nm7wHn7nE`k*Ls
z)cw7jdc4t3;mXyk?{EXKBH_6S;8q?ni4z9}l(~&EzcK65j-y{dZ{S&vLt7T00NHeA
zkAZkQ?+2d%R2ySdmbbV!(W(J=uadkx_8Yu}kAi|&#GO(ljxcP>yaH8a-JO3L%2Q1Z
zE@O@k>|5y$N6C0J3Mdrfp)|M|9Dy$t6-2ic0+M1@@$!#oFjW`?xSuE~Z!g$laGPw3
zF)pBb1>Tkq3H7|YiRYx<|6_87_n8HHA>18<QdiLh2$pFL(t|Xa3=Pq&HCYv8GAtj=
zm_ay1Kq9Bq;rU8^prGN<)KG0jN6F$?vk7P?LJqMQR#gQjl#)9M|J5zTo`s1H2Z)Ja
z&!7V`ir79I_dS!xq!F{MMsSxfiGZ44LEl)ch#iTYeH0zz1sK0OSi}*1!CMv9wUTYe
zumi0@5TL^@y?C(`O^(FF0Sw+%=6%>$8SnF2RoHnNt%;Cc#Wp3Rq`dKU=lyVSy%8e(
z>3HDXoa`xD!ZYTk@<S&&b1de5)WNz0hX&3CY~5ecj{glHSS$kW`J>Cx$`Er9Ik5V6
zP#^3Us1EafhkNcx7JB<7&zvcS5uMObbt3-p)|o0^(z8+!^HLUlb$W+1YY@*#Vc{h_
zphxU~wD+aqRIdNO_OD%OAQc%Bo63+3nKGre&_ISvnJY6<<|)*UGFIl9GS)IxEOS(f
z%tZ*HLP7{hhB%+w{{LT}>s;44=Q=Nr7klq^%UaKRo_qLyKhuq@3ygYm^C66_m6_OT
z@kcX%e9UFU%`v`pGn8Fg6b>=GsV~r3e+FRa;p_6SD|F7)jl#6Q1nZ`N|4CT)y#)5|
zHG{85A&>;V0p3PTMH%9`lE1`DJ7-C<Jj3ji1<y6Xtb!g{#BXI85ln@hglr`tjnEVU
zk0Z$%r6~|<U`{6DRgfKFPm)^E0SZ7E(}_xRtQ;hJgyA9p?w*Gkpofll7caZIh{NXu
zT?=BDz9!h^6GC$MCHAr@pqFL%x7OLS#8AY$;m<!wXbD<2+*mQorU%Zd0g%7qnvcuM
zhK7Z?CVZmg<a+@b9Ucc5D*yf2It1pqCuHMZlJGL0YTE>|n_&k+mEUu6+ienr01yI7
zVxQ&dI;RGb5(tMHr;N*M8#QPHk$X3jmFUox#V+Gw4cnDMAVA}fPa1_HcW&Iuq5*L~
zuIDH|M@_}!+v7S=uAI!w7-}-o`;Q#)LFSA?Aa<c45OEPBR};{}0gKKxESX$gnOaTy
z83U?Ndctg^EQYQBPdIqNqwsFtygBJhP+(vj63L+3XEP~%_v`oHw1<EXAvhL6KMwC7
zU4Q~oZB{)_gdnUMj7o`T_4OB;#9B)oE-Gn~_(yQf2D|Bsud5%}f&qWg*SD(D=J{K}
zk`FU@m6V#M&Kwo`CS?3wl1v<Qx$#^C_C74iAI|@J>beN9S5QE}o9qlo=RoA6^fbQk
z65L`&dVwwoaYEo?W>%KW8R!OZs|Sc3u~U6t!jp*@A!8Y<mL%NGFm~xS$CD)}4z3`?
z0CNCFxOeo<CxX-9vTU~ze+}_9KHnWvM@_;HcTOH;4OE!8h^xr8=rJ5ATNffW5KIEV
znk@|rEyJ|vh<VLE%qF48?65EAPCDOhQpnXh=io4j^<ovFAux1J#TYs`CR<@O!E#eD
z+j@sxn)}8$;tB~mpQkf&eIv)+)Oie7TuzkUXLe|C<gmUY@y{^{cHfbv_*o2T8J}ll
z@S#RQFO~r7qn7%S{ot77eXuNnb8|~Dm0B+S)>old@z0lEr-q|$ZVTqwW2z7cGagX<
z#?hP^_%&yzrxDfXjIm}>;6!7+<Bmi80{C4qQBi*e16eo(%}jh3EOI)^VLOB$bR{X4
zory^T6A#P0Lw}_{?IG`<m)7c!;R=$81j;yo0UZd&^3$OR6=;O3kaJ1wfVhbz{a$3J
z!w6y1dV{1t;?aQ_SQYk0Ik{yl{cAVRegZz(E{q}Q;feRKL7)I;5o2sfkT8KhgK<0K
zH)F>rGEZYpeZfPofcFyuH_X3&FbiPTy4-z!5atxC9Ef<LeGLzH#74Ndw4|r4O;T3N
z%F5s+CW{A32~I{vGGLI0WQ%$R!+?k%K#UBxu0lA0A7(*=eg1Kh_6C4T-B@R^YoVZ!
zcOBCPVowMq>?AB<wYWQ;)1P0#vP-@vmR9i0AD;1+f4aFF3V_6<q^qc@;QXj70f2zr
zexvjqNsMTIG|9^8j<Da5xZ<r_RZpMx!k8x<iQnqd03sMcUOF^&+C*TJWZbn&4I2@*
zZ%73}?aO(5{|E|%!*eK{1S?^KEcxK1g4zWB31$RdV#WcJ1Xmz~hOVsh?7GDB(7s?k
zq`tZcX*HqQU`x1E(hC~}v?>w!UTVm71f5SzFn-T?CblK$nfgeGi4|gGVFZq1ykWn^
zU`4%f6k)7z1|y)vpao4d$JOtDdzQPQ{`!r`pK-hr=ypT20C{hx;RXmNyN~sJ=Zyv%
zWLDC<^kY=)!V7;mBvACv_j?z>lZDNq96Dom;U6u~cBHt{v5F31vOwmmg)$7clu(C+
z^|GZl%u1gi)FxEUB#PI45}`1kP?SqNYFhz;h;Dtu#*HYT`q0KgbO{IMFH|4owm`W7
z<(^%BSyp$6F(xLcWvHz-(6f6$e1UOG$0mM~b{Y{e0BO!>Mxj(AF?S&Up$f)mF)hBN
z4_F-ZnHT(Kc6G6R4%P5I)3ZzcH3CYv2u>!9(|&w16cBIc5{H)E&o^W0ppb;1a|x;w
zSZBz3hcqCliVPl|{~N<-kNb!F&D|N%?HNAbk{|?h1#u3w<BXme)^kw}_?U)s{gz1G
zU0hs@M}bxg9{!vURP-xQOL~3(_;(o>OwyzR0U?P69C4QN2%JU5>9;bQN)4#|*<&Xf
zzdWk$mmuRxS=L8srq}N=NS9sQZmB)+_uGs?J1p2JCQ2z301?UZK3*6%U}jM+EuzMe
zvf!YxX6v|d1bIYIV-kk>%$YFBX_Bk}KnN8*=&7VHei&S4u%TSMXvFNg{L68nlL%eD
zFJnxOqd7vu2vq`4DkW<HZPM^E!fLBq4Hj;3c%5uPcJUBYy7olOy~nv0_5Z^&B?fsY
zgb_7KsAb7%Bq7B(?_y%A=SOXi6(Kk%$P@J_tSOQscy=g|g{_E(zG#$;s3a*&D?HJM
z6x)(s5X?F{#+4qAua0B=cA+do<ij)2Q*t>~avDpI(`R%Zd#un-_2Tl;FhxZ~e3tr+
zRU4%mKA(twcAMy7+Cc>sh>wN0J-I)k_W>TplNkzy+-uwx6rGrau1STJmCG=vhXw@^
zfhowBb*@k*`{C;oW4}Qp)EnYFJeDXFd!pbbwuiU5xcPAl*6q&DyutjL;aCOwD|P>^
z1u$(G#j~-irD_k<A(Hed1Shz`(5fZC1|;QYYfH%;dZ3xkJ|80^;p&IXDuJPwq!qrs
zMO{T@ysx69-M7@TnN7NIoQKeo!-k0PyYwqkX4fLwX?G>0q;R00+_`i1*}84kJ5l!J
zG-FNJ6I%%0w@W?h?%lt5<*@@feL{D5dt*T)62GKZ5&p3!J2oc9#I-{Q-yF}~v?lez
z!(IodVw|{Qjospl_tsCEgPy*783~nd9;OWVtv<b~@^d5#VOjfm5pvw-2!X&5K!Ju5
zOc-N(uflK7dP+Vc{~A^g>L@Tr>~Od7@R72CEZ?%cq^wCZx~toy!VPC3S!&Nh@>j!p
zUvz|4zh}|R+6{1F6)sESD@mYGNG*kddFj$O)Y|N;u!X5YE1U0ZZwwuK<CI_gW}@@Q
zZ^bHA!j0bZ0|Gl<9-c3qhL>IQqJIu@`_YdrWzexRo{_17N#R2RLI|7=K1OQ>M~TxH
zVl2-U*hypLIXQe6D>_kR&>jNoRM+VLBsvQLq2sjgDr1CA9SXZ4W<>wGKf70ZWwEQe
zVb?0DFYyz;g>+MUmfRZq9TWl~?y)HdV1P2*<Yh;~%y<#B*f||+EG)msQ!;5r(G{V$
zd3+YhYFfoS{K4F^Oz7x;jCI(d*qV8gpHAWzs$PS5`qd6RbE5yLA?-8?0Dsu%?cq`S
zt(xRo;8Qp3f-YIOAnWq`N6#HfWUKa<%)AcYYcY%!9f^{B{&7-{X`MNSn`vo1uxT<X
zJ%;en=X=Wl<QAE8im|Spli#u5oM3m4#v-chz%~)Y-TWkGY!=&XL(64Uk{Rv8pD>${
zF{VWu9urfHUifCLv%}JHn1S}*k^5XKpnT%QHV(OSv|LmB?+*E#fWXKD?Qe3-cN{TL
zfB!rN%I}+Y4{UmiCnDA5N6%Sf<E>QTJ#xf2k?(ROs6M~3huQ41m7BO$uzoZu7+2g~
zzhQ%IpBa?1yGsY5pgvheOG|qtsUKAa%FMN%O2*Z;hI1&Xq>rq%6DObO*<$erB1Pg;
zEE*WI;{hZcm{+gMmchuxqlCbz&LLhQ5L<Rvl}U5eI+8$lTcFumyg|4KcEWB0p@b@@
z1b0rmO+@ip^FC0_5C((>%NWq{E7hy>tL#=#6|8hsuVnI_hTXE$kz~C=_6qaD=)#}y
z8hrY>JgYsjw)SGuIoZiizub9yJ^+HPBS4YDDn~Zcj184t_yTZf4Um)S`{g}B?P{p~
zfw<u!#WL(4I~2CEie}&f@~0a3EFPa@TTt`_PYU^-l-k?L5@c0eNznJr@98nfUa7l{
zbaYv+mw1p&EG%Dt=)&UZ;^LC*2TY7NRd3K5q6;**_P@HB4dy3_{!gpw?%^0x!Ny(X
zYV~LPYl;9TB&U%Y1Q*53Pu{#c-PrAh8XTYQF{0hh#I(QSsx{SCxkvCYTNyu-lH*t@
z5R1L)?~3w2HB)28_RXL3^Yg2_luM*F-&ou_U7Z}3YVZ(@)fHvjzVZ1#$j^^i1$`aW
z>xi`x+<=WGbS$21?tllBP4+_HaHW~$$(_jJKP&o#WceC67SzOGmaUhKLsZM)k4`ir
zWDID9;a1m6r=nLuyT*6;u%5RaI!6MIj31iBAV?n9*ob=T+~bRDL8Ob#8YU(}?kDYM
zQU2}c;n~bp<ZPGil$<3#MgJjFg}JL&1$r!tTZa~ycoRyU5`6H`^9>=RJf-|uM(+}O
zDR{mQu<Pcs_c{Ym?D2_4hgg<1d{fu?2w#HN)%t{`rKJjbIv_G%7AH2-gpHKVH@)8d
z2e^l3OXqSWDs(3(+f`1TBBEFJI!?P?Gfqw@)yA*tB??{sBAxT*jYhVq?!<I#ezkH>
zlI@Xn(Fc?RIeG(+j-pAtt(PSMBi)tX*Si2+z!_m>ZjQ~5`^b^snAtr?s^&Trk@?K+
z52$vIx`lP?hKfFukt4&mckI{!=)?_33c3QjqnAjAIYS!eYtN}`#XaM_$FQHF=5fEY
z(^@EhFr!|Fje$X9<Z{`SbKc}}W=!l*b1yszjsz70NLBk~8Jo5hjgjw;Pxc(MGj9)e
z`1R<l&KwG6$gQpNE+ik9tB(|%xO#+_H@mXZi1zX20r@VKIR)D8Pz_u-T>Ks)k}E-=
z9j-&@IgeOHta$)lvDSMFVQEGyQ28anP6)o!4Y#G5r7u@(IG}H6m>3g-7?Q_?p+D*?
z2mc5^f4wa=xV-ozW|eX58we;0yK||sL0|f>kMBNrP)24EJAMz#?lT6`%~f}(e|F`$
z0b^PCOoA2xL>R4Rz!yP#Kkr=kd&3c3ctNngg;h3mYUfK_9-H2O*bWbTOil>t|1CW(
zTWRK|--tveBmmm1-pmDe{usNAGBQssW^aOEKj10xv`WRO=Lhl~Y7f2{7^to)Y55dW
zhjQ5S?Ad{f$>kN+M#7y~AZ$oqj|D3!zZCK05Q9BAq=O)#D25jfC5M;4r`8(LJq5;t
za(4;64+)gVksjy|usSd+;J^eEL%k<b5dSUaCpWf7A+{o?gECxesW~9yK4z+!ZE2)3
z_giP(h}Dds{;iwIH7jq9tuhEMSSuawy3i39v(w(fcEWp(*!Ilg9!{Nq*bY<<(fL3(
z_+>xt!4eIrEgF(lsEaOFOcbNPmiXZJC8@+XIr<<!KY<t!GW4lvFI-tz9qYI<ite2q
zFu{o!Us)^@+&8*Cy}j4Q_|%@*&ezfH-<Hm)T<NnlpjwD&`xG&eQ1!9Zl*?s*&=}eE
zzZ+C>=v>^;^6+vjB7i_(rHA$C50p5AbAEM^^fRemWBi5PS3B2BzHw{}cl)AgI!^(Y
zv5?jh5|Gd4oYm{mBc0TFz3!Ax`*?0G`Xk&_o~0Qo;;Y~$z&AntHabvUO`+T#91%Ze
zVhNbj8#@|XT;8GMzm0$$;%FL}!+J3{P*wplj!sO>;R_xV3mDn}XEKG-xp04o4U=gk
z#@t*tw|(JK1MY7Akc`c}<M)hst@_LoE&QzS-K5h#3z?bcIf<La>ponaZSFZ1;M%5~
zB)c&<jVQ>71{YU{MY#g=XOFZKD06_Zh+Ewwf7JsSp>)d&(wAkso<2rzglaOXt9sqK
zb;I_b$-@9t4dD!+S++WpD`$T5*!1rytx8wjMM*w<*k-uYg46CmS6-Hc7C4Ta>x_98
zYLWFB#*WUzE;Scw*nZ{Pg=TS>KA{%t+tSmh$sHm`6f`XDAzH$LutUfJidFyl3)<nL
zTfEjsnP#LDZ_gf{u}ykwy>-(jej%Ywhd#H6_;`L(@h_TU%`IJBhp}cOTwqRf+u6Oc
z)u%|qk6ICp4I-P8QglZbX=4{(b5bxlNRO6fdS)H8eg%~?4TO{hmI4sUiIWAf5`(M}
z-%OGC;_T!!6vnDHw87S6{PpjQmQ?j_$Fy#VK?A4#M{|p<$|GcF^*MQa4lW%}E;6|Q
zUNb*^OJIz2Zjl{3nADyldV;XBLTG-D-Wy9x5g>6QNB#1}7fl;B`Y}}HK7Q|wdevwT
zK{On1&f&K_O_b-OQGKIZG<F}?r++tD^Z=76d!!tjfYHDs?wOjKw{A81Nv_>pSwDlj
zlQ>Ri+&(NHVikbhx&y6|<H6AbuC6AHvaM6)xW7(RD=Vw6h5W%cj5KewQ>18~5#c#f
z7X06Em`&LNUYVgkFP;A&>A`Q`3gy_Fz0dd5hp3`E&7U>b8{ev7+WIYqXNtF*Y8N~1
zN<|fkYW1*_H0kf%yFLISP_xQcpq=2lX7%(ukDeX~sbn82)=bOh1S&$Nl~d>%IbZFO
zb%Xx=b+(r5Z&lk^n&GF}YG@iQB-ng=N<OHMHI;-7s3&B2c17%zexV50L9+WR^o|Yr
z{B%=~o2f_N@yo~<n7HN_2#0-0K+s57wdrs!T5)Fhru?t??7CkBXb7#YBQohmuIdm!
zIA%{5hcF)&0tjnu)r&59+_8<Z=dC{xi0B(g2b%fop{j*@Z}Y9&eqa$q#om=U6<;2h
zEK<Wlu>x|yxK|x4GaerwyK;|pTZ3bxyxU3<jn;q(f$o3}5ww3M)hRa|#a+GY`k3hG
zvdK$M>JP+9l1AK(weASV$2&Vak5}#(aWOndBOb(ilht#)8bKM!>ncwI`dMgCUD@aV
zx~VCuCWH1?h_hOCDUKon@|(Zqt<WKv6_M9<%eb9+fT3+x5WFG1XoWVLP2Si++KIhm
zdHHI#X12BtN!8lx-5w-19~~@~w|X1*l{ziHrz_NLFnI7KaaZndN<BJ2{Q*SC4%z&;
zF_+D)7E!0?qu;{>AzD*NV2&NTrZts?tQzUcR-hEd-mecL>HKF?zVolWVU=uSQkN2n
z?0Y5a@}-&|0L4j8BthX$>L#UE?vJOw4uX!2LwHX5*6;h%@C~wic>~lp5NczW^U$C_
zFLCiD?Zn;O*+|J~b_!{I-&JvoL%DmEFhi)b3B{4b`JNP5N+G*o=4hDPXEN@e?iyuZ
zhG!;tZsdpvS@w-WQqUJLd<O90B*Oq;&nWd^cjYZl6t?3x`XSpDYAvH4uR0|#!v6D+
zI>OBOXPah*8;yH)h;;~(@+!b|J@h;$9Ff9dLbZ)<Zz3me+3^Z3Bzho3%+p6BGB%dC
zeQLqFZJJzkHxoJ5%Ozm}Y07ua#{YO$HeD)0UUEW$K&mx|*OO%FNa3P<YY=KP-m`$2
z-zW#wH#C$Zbr~%1N3VvozR=Q3-A_;%yxxsy?yhR&schy-@%h;euak9`s5+oW1PU)O
z#1Xaiq}N3P1z6OQgEp|MrpCnRnwa<k8^#K)?k#`Z3|VoFzOy;Hc}~mQn;RPm9axmQ
z%kyu&w#j?OC<;Imn%}w(45s0h4WV>6SAX5=l+8rX2xM?(`(|8devM;iJt8!3-#ZXV
zn)W2M7FZV9rAL655f<;KDn~_M6)qYET_xH>=bv5M(DTEe;fbsU379FUI^eegb1Pa}
z%a){Wg+%Jwc=$_H^sMp+IAxk4^zQ$`?T;2H4qp){W&i^a5c^-F-$ouC6|aX60WwHP
zhT%7(`T?q5MERbjo{A>*pBpzgy}sVRdDKR$56bo@VohMof4yQhwMHy@JHe*Q(uTy&
zwlo729$G<?TNAR2?Y$tfWS<k*w@-0*V8L*4^1j`C$O@TYQN#Qt^dA;pn~;uvU{1D}
zKp-e_1wfR%0Js8ON5$jTmT@Y-t0i$>gjoR|uoFvFXLVeGjiXm(Qb1@p7t(dqE{`?X
zjLCoDf-&WSl4fv7$W-Ydece-Qh`(nph@!acDZC+6@lAB0C<nk){j^gra7P5M({%+j
za=0T&4w!bAvdb@Ux7n)kPAzp$vQE|Mp&cDqU2*4niSw?0qPDay^8!@qN`G?$3UtT$
zCL&ERSpZgIRO1ZuL<Vjo&|TE&P$7-t=n#B5@0kR2@SJe+!-1{4@)`!jo{69QT3HZ>
zGplv=!SbEQ7fhjGqJwO$@_<ZS4ms=n{ry{*g(`t5;oJ_Z=7c#yi{rBatUyQWPy+fC
z{+otu!}3N%&%?zJH+dDgmD&6Xfe5RCEhjrOQ{qcoI*iopI+9{y1QnPCtBa=y#2VHr
zE2;r#rB#%)pkrnG{o8@mB4iKs1xe$>@i5@Uor)f#5zENT^ug7F74NR{@xFSs63gW2
z)4|IVXaHw{l6C%4cdwy4Y|Tk&$$t+JgxHJ_Dh`BF3`RU+65g-@B(8SKd1D-gKr%9G
z+*gU$0!fB^!oq%_^+1`W!w3d9GGb&8AUzvfKHX94;UtMh1Ip!{a_D=Jeh3toBrhI?
zc@b-&jt<P0!wU`QU|PNC-RYN(N5ZBv+yOiq*?maKB$h(J45*c{n=~G>LW<f*b0RaO
zD4ps(`@m;<W0L@s-jB+ABj?peXlu}agE__*c<^m;1|QX!eIW@f;9Y_dz}zDPlo)b<
z(EH#MNSwWv7D60w+5!l`m|8=J-cvYw=owIA<SvmK7|95rj)6zwiq+9Mf=ncs1&RUo
zCA)>CrD{B2WaXa#c#YUj9I=)DR06_-h4=b(gAZ7@&ECDs5b|o~&GBu`u&rZs85AK<
zi12IdBbVC#9q~edya~StMT<J527tz(q(zb-RxYloYY@&71;OB7he;L>;UduG@}_uP
zL}(>S$|FQ~ri&aDu=Q$38kBFdv+mvvCSn<E7>)_)0B$ZMAb<#f$fM>4R<E7g-wlqV
z-6E$6#RwXLDy>8%fd!%=dmT>S0Hspdl2SwShJ~X`bQXQ;W-dHN=gw#M_=2ytrNK&x
zgv8;O<X(cp0+kVU$9w^x5QZd%`0$TPbACz5pAe+HtG)X+<qbH5SS(Sb5Jm$DMh0kx
zjK}wT6bg{vg@5U=e9Oh$5gd&15u@Vjmv}1#xH2#@l6VCuO2A9v;d;*urH9{HCI`ge
zMeHmr=k)c<uo6PFG1*-RK+h6DJGndPnS}h`Kd}gL+XM^;oPl1&gglNC=`S%8XT!k3
z;@b+Hc|8vD0W=MYiy!%9xWD2yZ6K`@T>b;ijj(Vt5s*|_(Su;U5wc4#I4q2cXeWC1
z_f$JQR7cj<U$MZU%P<~!MspjWK>4L^(K3Xv&7cOuIK(7`wnh2p1-nfIGwb~m7ANx9
zKrUitLU!#7h8Ki85aXXXCjfJ7%dUggO|)uf`ZyEDa99Z8!7v5v#o5~1+T12Tcw*~}
ztQSZBi!Uq_5WFaFqXh=zD{wPb3EL=4Wt`;$LLbryn9Ko&l73E@DfJF`jY^0M(AiQb
zS(%wOjhrBp2rP{`UFe%;+3mKr(i}7@eT0z-jVBI4ggzZ-2O7e5xl>&Z(8=cRkMV%X
z->=WXI)`;K38Vp9?%&JH5DDMf%1TZqlf#X2+EB+EDLHrnnHDRs^S!LCZMYYaoV*7S
zEtsEhi@mftKb)1H#4}-*Vg^bK8UR+2^Vib&05XwL;rQAA`FR$kH;;AXBvbb6*zp8*
zW^m*k=Au||ksv4buX`3^hy3G`z=H%~j{+h9&Sh7~enCM&VPRo3{ovC~%@&1HbRusH
zBQAoRhX9`Uk|Z-T^HdL20Kfq^H=$+Z#CJYh&}doIRy+cw%@N2K0D~Z54gD6I{O(8R
z4uZ173XU`jHN78#YxWx?$6@&)e9lPvqFe){9EDGwIG~@$AeER=hiHrl+SE@YyrI=g
zIgMiL=2rabA{g{5PpcJf7a@<e$<i5NAA8L@q`{+LAu8>#oxmOgSVU{1aWfLU)YbJE
zGjX2*^jP0NT`to~efNw<Lq`HoFE4K$Tw{1lBO;y7TJyJ@H4F?Al9CV|(vSWUwZI}r
z0#{3Mp~NZFv^b*U)Ttn(93c{}(!Goodlx5CG_YU8p#<u7j&A-#8v3FOCB2|jK>&p*
zW98g4?p^LsgAt5$SRwy&rB^N_XIG9?u7j|y1_U&=Wbhuz44(lKpc#YQ13jv>2iF;6
z>9B!1xzm^$P~PBgkY0A_(xsX`d02<d_v#Sj%ypc{9}kz1<nU9$^2?tc54Hw?6|M=W
zAPZtCzDZnen+Cjz6&ZDXFWL`I&Z&I)UK$}5X3My;Yd&zzLcsfban9K%#v1R0kY|vL
z*w?!;;JXDo*4^7eKzHQf;NZ*=8IQi&u-#}S`2F95{ssstwrh;h@=YZh{03M4m@W0T
zd?SLT8Co3s_m4iIHgGAITL3iFP~m0Nsz&on6CVM66hOy9=qM(FA{7EL$5H01(7r``
z0*&9i4g<|K<@=s`R-ol9MB^_>B2=Icd+ZbFO^|`+gUty~ESgz18)x33Z>ITpedw=h
z=)^$661@sgWHdnFZHV>?=_g9G)8PLa=Yr;lxZl9i1rZ)I)zB1Rssog*2gley+J_$2
zxWbc}W=ssbG}^^#tdLlquCVRy!l5kjRw?1fY1Ywv{8VbC91BZXSFZjnN(9g_Fg)zq
zwTlx&Vfk0B96viv2KaY4Lcf8(6FhkE$J`v<wrxn{evK^%y}MyrDfvqbbae3UOL2FZ
zGccbJuZ+d#fxa?)_fP-Z{WTd+1iAPAUs1pQU(@75X8UXbL-+vl<JKb0a1>nr!-oi?
zQJdupZfl@o#E8bLg35&)6SyEYZ2Whg5wQh)e3A8lGBzob6oM&-#vhvlu#=ld|1pcO
z`K`T{4FkavOgk_%RE*&lXpBy}>>}2!+*~=gZ|5MU$@MfFE3jbcV$M_5jDivhV-o(%
z5^eHgNSb+?9#9MrB#1yJfLj!b8FgGmLiBNIag&Ea2B~f_HNg*jI7=Sh$N${BBa%+B
zMYDeKVp@l7$AN=;!~CxKojVr?m#xHtm!~%l_}s#U1~`w}IhHU6>Fx6JazpTGCCwz!
zP`h_F7Fdh1b%`c6Pg2Mg+_OvJur!~;x5IjbP+6(S3)=VHz`z@JIY2sPWsJn9;px!9
zcwW(HF@J{q>8v^aU?f^Hb8t-lYnw8j{VK9|9Kh{cRLu)L4kbAX$W=Nr=mi0mI3#UM
z!`MB*@C9q2zxp1>lYm`NSxKoZXU!*+4V}5Qy(nJtS@lM!hN96WBLJ(do{vcoQiO}*
zc31JYrH5LvRpFe|=f-Q^9<QPM7nD0G85u*UP!KN;!-Gx*R+MWi>!34fasISEU_Is<
zvOhPx`pD&3dtT(nc$cu0)O*4I`gLgNbsv_OFQP<3n#dEo`0CWvXa3h$e66aFXB|3_
zb6|d|*Hm9;RN4~(SG-(Y&&@^4GS@EGeJeEEecC!_PM>az2xUM@XH^;g{bHc?sHCJW
z?FGGwp4Tmt&8`R!b9+Ga_9)VrEsN+afi5_`6V=f{2wY3Gdwe7YLTRZ~_x0wvhY}8&
z|AOxSy4ZZCb4Ai6A`l~Dcc|u)r2FWH%>BXRZDmMO>D=7LW(C(93fnLFX=Ff<7sHmJ
zBXRg}365-4-cr%W!OYy{^y(G%_CGerWfUS{)CQ@nyUDo_aN%qWU=>tC+hVt;iCb2A
z!}<+Wqx<&%^dJe)`c;{3*4)~u7(jc8+vDz;L%3{%>H;BSgNz&T=?@$<4Fv9*S&6v=
zdUP{ebETQA8O=~s0l3`Eg#lD@$6Y|qYd`LGZ(XlL$(C2ibfO9P!5Ujea*=4RWfPx^
zL{JjPOI1KGbeB2%H>>+-GVZVRDIJHXU!2@Fxp>%xV3UZ~@V{EAidN4s`wg5*-OZ|Y
zNsgCyp7Hc7+pR(-sLONsb|@6w?~t85kq=!P<|GyxPB@qUzR3#ip}c~)FYt+hB7^T)
zuxX{w{j#Ns4313cS#gTFuiqW=>T`?}xsiLO14Z_-zqrw1$z)}45+NIg*)HJk2BzYt
zuccW2mnEyw^kfJP4f~Z-ihpa%?QgPXRC=4Tcu}0iFwdy#M008Q^N)_b#8~!SoWs5C
z+u&gOQ!F$N$qIH9JA>?d%1%a`@Ry(xVZ8b|vv@r2p+ly~p!VI~UaK{G-7|epjks_a
zHK|=4c^&7^YU<yA>gFA>eeKilZHKK3ajLcjA;Ft*HzL|1I{6=jv+EI)*)<tYqd0&X
zZ%wR*&8Z5qK@<wFsJiv4He+U{iktxa=l@!@Qd;2iQ{7Ig0NxxdWNDv2#|V`?D1C3k
zXFmT0#u>#%VxhRA%fSds2ji#rQjxv~^D?)bId#Tnlsf@x`FDLf<U6=L!)<3!&}0Om
zL#rf{68<*ra8XoLOv-CH$8wSTZ|ca~yxF3@Nla9UFPK~VE$Sb{ea8!J-B5GCCP+|k
zvS6bhQaBCVBA9+X70n}&o>+JDOoi}!_hez=Vz0TO%7}H&pcDavr(|RLcMNA`Wuv*{
zr`N2diVA8vti$4FP^O4qIF>EP-DF*)u^oX@7%CH~OTPWFrgsM_EryvHzpYwS9}j7o
z(xiB9v6U<A{(x7wN8>1Rny(>N0jyku{#clf8(m65^cb<CYWmOo&QH#6P?ON($3G|D
zQ;%;CetwUI@kVW!PZOSwnVFeknFjgTY77D?*B@sYUm-^v%?2a`D}|i~OLLuq(q+7@
z)wz*nyw&~XuWYFY=>3lus*aDa-gy27S*~y-+U_S0&TEAKf^vH1mK)C*+9b*G$_9g>
z9kzYNKD}>ecb}4$I5O8e(VMF~4!>8_QSrv2D&+SOcR}WwD?R&P?QXmI8EqZv+B*16
z5~-kt-4PLyC>Y@YYqpHtiL|R7i`%w3?EH{1%p4nq`(f%}lJfk#2pdq!=hh+(UD>kn
z{2RK$X$<}bB!tq~F#8~`?c+b6Fi>gl%RK5;Kf#>X7X#H+Qqm==zP)6HF;%56y`paZ
z8xtdoOXsVY=-B-n(n&EXSpmCn54s*mG$uJDEtuUZiLn%60Y3+Q&%kC2GSQe>V0`_o
zn(??-ePkD|udo*;QN+&W*ikG}r2DSzeRuEKz1O$H_q^DPol8}o$FmnPwr9dJVG2FK
zJ8!P*rmOE6&#rw;{;V<&>nX`bY~hQ|qCAoO^71MD7Wf1JlvosvWD=#nu!g*H0;!t&
z?I6Ni2HGrlHjL6{2-Zz+io5LyA72s8VE#VXfWaxFWf&VC?nqm|c8wzB8t<&R#*C@G
zmx=+i{xBowmq;cWhlux>+H7%D<$+nNfC^vODdnQm8^x3~Q5)dik>I&}MsoWue#AB<
z)pykSi#+RuasnwJmPrADi1qf_EjmlR?VpC4oJFWCdkt-hnDg;A=L%JkPl^r)h!z+o
z!;2(w^4Y7}oi(8kj<!nmtL(*s$;7w|c69{lBGNR04Ys+R3LT<BodHeM6Z(z&S<zy_
zu0B2vk(qhueSTt`vNqvhvs5(pteuu;^_;H`J<Rs$o#^1P{zboXzi!UGXU6ZmBGdKb
zvZn*QuAa(LTOG4fHc3_UvQB%)IlAy<Ne#t|X%%(7;94kJ93ji|l}S07ra-Y%%BA9O
zr7Yq$ya>H=N<xiJ^q;i|ov(MZZ?V=>gOt5Lc??vyTU)-ku#YDD{9fz3<mS4lab8ef
zejJo_eO1PZPEhTSoB#e&ERukS7;Rp1iiO%WhPK;XTw95rztN9-`!4o^QAfNjewpTL
zvPn&7)}cAx8uBM*j=o!K(RR$dH!9Y4IGT}vM938$i(Ok%X<UN-{~!P7ccb!yF?lrV
znmBpEz`*wLIW)@H%PVqj$gphPfboQ&NjSI1$Gz!Qe(|5kl{t7e_~lz}O{2bVOz$!o
zOt+iuI&}ZyS>Zz>FZ!r9o0W8Q+`I6G&ziM$1o`;*P%XGCy@Aq38cDO7QOYfs9|y(y
zGF+bAnY7YbcQ252)91HbFY3NdQpD*mV8k9HM>s=vsSt>@4tw6>!UAiUjC5kfYZ!S@
z$zv*k3*z#}!A)4O*cM9Cb%RZv)T?y^G#LNRl|Hkba)42XR*9Bt@m5H4<Ok!-+D|DM
zCRZK{pasa!mt+gW;YPuTZ`rzaU%dx8(1nHNJs=^3I09e8yuvK4UH+tUG|<$^Z<}!N
zU-eQN0o-c5tUCA~uLLUkjM9}!h{m-L11wFNn&E3&4V251`Sfg!Xd$2jQV7JGpzgV8
zwIZR{w5l1{o;_|IXrxpyu{~(PA^(&agC%Z|(wTl<a%V?IMkdSe*`V&|Ewb6`kF%R?
zJX+?r(dxWmY(Ga~pfIRxE3e=PJ4XDB%o0cu@Tc9p*~wk$iqO!_$lZ_s;8%i9qD`os
z(J9kYig?6JAJlW49+7-4`~hC(AZ7pf3<a*QW}S*_wS+qF2{#EADgL(oSS`5xn=S1;
ziW_=#A2tUlWL3R5a9A(>kdy-%5MOtY$3b&V=-<QA{@4B(5&Q3yG>X&CQF?DrvDIR{
zA>t*VJayAjS7$*%Gio+<g8N^GW<sQG$wQs}l+3daezt23t!`C*#d~a;PIs%T%bl|V
zo3&LkHMZ8?ZJ877Hqm_08MTGW|7{(^JCj2!iPb;L706Awas%Z|XlN)5j5<2FhwX4F
zk&UwAZ1cmcEF=Non+g|%jQh8nXyxnf+N2}FrZ{k0eov1Fb#DGZ!Q;$f!-yF>`;KgF
zm4N31xxaqN{=Q$&7b+ioASz)o#)y3C#$S9dKBoUkEzqIU^;Yp?Q+Icqz|rtD4)Z`{
zFZEYS6Utz<=Akw8LXbo+LY`HTbFq0GF-Cbfw@m~p>rFd97{_*+6&%pXIW1E%=k=qf
zINf`(<k0W?yyyPTEMM%J36MQKBe0oK;@$bpSFX-KtzN(S@Wi<QrHN@vW0ib9#+aG)
zT_qI{{jM>5whk|y-Wjgf9l@!*ZEdZ~%b-xkK-Db+5*|9rq=ev7v_Naqh#b`_?PQJ~
z4Z8F#CC9&p+de#-qcX+9DDEBAJ)*iQ9C9W~-@jX(PoZcQ=eWsz{j&1Mom}A$9vK=E
zUIHfaVfs&0MGNj6O*Y@L<>i^w;1`sbCBE{thi6TPk09(N0?+~&03#8i1}+1jkNyns
z+7S^UKpr4Tc#SjgK9JGnW#!f~-WG57*7V37s?1|Z>*0}?`b(E{`>mM(h8O0HPitNl
ztz5hmYCUe{arxr=8>vkBss|-E1f=>rw(2qG`MHHbVL3v8Cyyy}ZceG<wTL*<DUR8Z
z&^?QYGHBDGK3yQuQar3&im(>~3^PT*5VTudF9CDGyzt?iPSU!Lv!2H8Q+_7By0p{1
z{L`^apW`R8BSRU|YI%MpGtT>PW#uw6Q57^_3YZ=DzSX0XllkeD%>MYN(w}S9Pl;Bq
zo%mB!3hgJTeOfN?0ai_M7sNXc(IRAlh)Dt%D3pA|l6-1T;B5Lk-72Y`T)wm>ZU+;A
zh%MtO6N!VLtAza-Uexh@S?<W~lyvC|(TeDf=Ev6>whB7R%v??Yo1#*3Ky+2<XjbA@
zSGq<4L@OPZkwKeXV%OC&3JnZ}gc<?=L3M)a0LTSEKZxz0LVcWca|^LXLM9I!0S5&D
z6Rtpw`Qd|+k|t^%=r4NURFMg3sjnwdhsw&zKqRZH{ajpr!1A-3m336c3f=*<n`oUt
zPk^#S&7EI9MnMlRX&+{EMY)cp{HDhyuKph3HWjvn*&LT?opKgd!J94;bM|_^57H*P
z%_H<Zd@6P?t*7NGwg{9x9B6Ae+hx?XHe>}G9o9}*R|o`%M*>RaX2JJPdCjl>mv%om
z_-N8kxE+Z_4xl1AtQT!?7NjZ<p`ZmfDWIE+g#BvCBZ7kVsG2}Z%^jKlFnA7&njw&J
zD2~{fQ=+1NfOQ~_4a|TZMI9YI@av9)%5{$KF)wDot->kl7Z2h4D>;Yf4_G3vKK}Nx
z+sY(`Pg!{j*UR@Q^0#~`W*f5i&FYkwdPhFGYi>kVZyJNn`bb_2dL;ag=v%opuS2U1
zn&46I1bo;a=&&A%vxR|C0i}l;wz;Kch1kVl&&aMOx-`%&cp~I%V~`mD(0#%F0T?EB
zQ_LR-nVsxgR)4SloRr|Bh_w#>TK&QFXL;G3d)Ln=>26Hs8{;#KR#A%UiHrN1e{p|$
z^l4G5p=<?HSjA=4uv5W#s-lKG6$uaV!EvW__QmL2uoCA_%ddT8rorCKV$2j~UMBuJ
zbGVI;?u>hCq3~@R{bR=%zrPu1%^4gWVNYqVV{R=-?Va*<2eGjohSj%7-oq$BnhZIX
z5I<|sHakDD^&u!$gT$IazXdi#MphP}G6_V6)q?&O2~3s!m9kY;t0TJm5ck=xhsBF0
zQtLD|d40Ho9=~oln7DP5m~E?TX7!SuUu5~pEk|yrj~Ay}=?z~5yZ+~Zg9q8Nt_5}U
z^iVj#6F9TS#zsd!q$I?}k?_hBlATFV2^`;cMBB&+Y{W2`Ejk^4r*|O%SGT}q&#0h2
z&SMK^5`eIUW9tSStj<x-ixtZ&f}f9%q>lZF1S3dd+(7D&xxtg!TY}S$l{ArwHn&ep
zL*qMGs1piZh?qndfFJOu2x^*gDyxOc!|IStVUp$cvTvJ$LaTb5{yNxI`6<bKb{&6>
zV$}6h%8D!6?Y&cUaqMF0WrO3o=P+hy&R?AS+5etl9~ajrw}K9FbU=9YfP9rBLe(^*
zkW{vP(}o*2l<$rD*}-zLF0mS1w^x@2*3Y3K=zF-h>2H}qSh7y|4%`pWU;nr^H0_}{
zgmVPf4sVC=YMZT20p=%U+KNAlb_VP)yDUzr@S+|vY3tduYrECAkDaAyC->F+Yi|$#
zT&<Rnnr5@|vqGnL)Snbd*MgWv#c%~B-g#+!;1c$H()#@u<7T?W*TYWwc{lv#y1JOY
zPF0t2biziWv=2wTS${&K7A>GRmb1k=!R^zF_1pE!T}IzTSQdJM{v=B=a{20(&D&4s
z4%dc!-4^C*5<;Ql^tL?5bfi8iDf)CtlpOzK-Qf}?8ytF1J?58tG0{=)fSmo>9OKc=
zI9@w4+gI;{an<MG4%z{%ubJ5(BwW269hrU^bT+KK2<CixquFxzIVlEOkEbTv<8e00
zn-}Z4?)>zS^Q|^j6f&(^hKGS(@WcD}eB34lB^4F2$UObY+47!yceRw6qE=0?O<ZQl
z#x@)=%~BZX^3#U9W-G_i9P2{YAUC(S@N2O$QQ_vrkdAs`&Qb@_UPdvxUx~j6TEU|W
z*Rn4|yqt3dF+f3f{P%B;;51MRt}ZTHz3cDIC2S1#XFY<{RAlKb_j9t=>XP|mdeo_&
zZ>w09ug!RPk<@}OMQ6*esP`|!8x8-d+IY52F~hR-vDvEQX<yIJwbQKv=EDc;Per8;
zy;_|w@$oAiIwV^wHfvkHmgT0J3pXU}MxC9VkT%&RNY02)q6CFlR2<e{97*`*L;#|o
zr@9MItcpYFARvI#`t-q`3B`_sCWYN^rBq<os5h(3=?UHa5Uzc}H&Lknd#88W35#^O
zi5+?riRQM!O?CWV429&g=H^%Uj#CX471bo^R$AY*7yO=i*&MlYZ@HbTyZY~gJf7ZX
z8caW&ab2Nr54}*{m$s7>k>_6^*;#d9Wf;OLEQx!g<iIBOPB_@w8j#dPqiSCt2rsxJ
zqNC^FDaDkaKgh0caQ-T!(W*R=6w1Uzjk*xxy%BGTpCH93tp89X{Zd=`>N0n$ai&Ox
zQOS2P{g)}boy4nb{+J6f677rL9UQG8>RDe`mxmJHPA%&cep@VDp4}W&B2X=O+VJ-Z
z^@?BU#gL~JbBFnK$(h!1SKv8}tJ-=D$+K@31h*6aI!3mlIb=g>*;+?;(%(`thdJ>^
zL}*}XpTqC-ABAGfpzxUM79F@MrkYreZ&q6Bfn-LcbEsvD2@0O6G88%g0QDCbDspzk
zUb(&>KTTH!^m>#OS3VUaZE45x9{LkDT?&W04BjaGLG4ZdS#(5R_)E}wF~uQux|yT)
zX5|ajdiC*^+ru}C*%$2MdAKs3&_JKSy|yl%x*H$AKq8b+;!rVc@3)LQbMN2(1VVo2
zb{JlKe|!Bl&zORg-cn-$mNlTTqjg>%S#QC(5cnF*KboBlJ{bi)xdqxh+>4#!=%-}h
zm%JA-F)@MS4R{;AiDm_JFs1&d*^bVa4&hG|+nAe+Z2w3dd%A1#!8Uhs|K4%!%Y~f-
zTHk-inHH!sg;zaVUJiNOFPB??lp`wTUf}D25!uZnJ?}VL6^{hn|94i`U}yf}a2MqZ
z)>}^a^$H8Mrs}M1Y!)D1z@Brz^|kPU14KbKm&3i0xI<a4qbco&diUhJQJg7Yng^~o
zSuGm|BZ!yKh7Da+QhEhM{{T0v2G*cQ0_9+lTRdL~i7AdSR5~pwApvKs;q_z36uDUs
z%IK6^oCpYfJ-?%A<EqeLGp`m$Q&GI)&NI}6{YQIO`WJt+rDoLWM?c~*+&1vFo;AHZ
zfA?YLaQCjvme5U<r^fE9tf4ohNh(?-7vvQ1Ka*5b#P;?eNDy4g*|TW{(d^y7aJCN2
zYB=na$4LhVoq?}}0JbGbnjC;xVI%|q+N}Z$8t7}N8{q!lx!uOWp{1pT<3!%)!NC&n
zlsI+bP8~Vi86{=wrz@D!a48roLdHUZg2(nJtBpWkhKDvfzl4L2aKH?)qs@8kW@G#D
zw*#v2cS~2&x~HmRZksHW=tP{4WR9(?E|oLs$l&GMv@WZ)Xu)Fq!ot-n>T!IQiCf>x
zT0eNooblHQ-J^fii>X$7TK-%V)l7F$9XRvvfQ!J!3ju_Vwl-RdjN)S54KG<jULhRi
zGt?e9bZ2Y1E%16&InTk)fS>opIfUB}#j7GL0YW4kPoGbr*xK8pa&6lf8dd|_C$X?X
zm;@<_q`3H3UVF)2)Ea2#pi+Al0s9z{j;p20PfUBrrR?6DjNTs-ghvn|P3xRbSQuoI
zo{UKqjIK@=9u<3;@j+FTYW!p>Eh>r0bTzP~l<FtVtzy+M|9PKZ%q2rES@r%rgWb_P
zsF6i@bc%|pSFn@wEKGSl?a#{MNo~#M!<kLENDh|WH^(L?^K)`=fCVlPVgNQ*t2oE6
zqoWTC3g(x7!<Y-9f>*)YNB_Bg3}>UYjuaZ?K|HnCL!)JJ@Un<mmwCsRRqww}O}d}X
zRVu&XL^b~4USu=ISXyjBu@hnQA_ZjDwVF?*d4l?Q(kD#X7g}DudL?-7(fNb>as1v;
z-O;_2(Ypzs4okf1drrV&8k(*DqFK-G{tIsXZ~tRjLieRz;a8;OI+&h&d=*yn3)*`!
ztV2;TF_i7h#sr?3zF4<Ar0u!(06t^I4B#&mfq$mom?rf(aF)H_c2;|PThoMo97WBQ
zN%;h6%Qeqj-sp~ODpw^Djy-$!%oua;dH$axO?;6W>7&Oq6&0N}kr^~Eb*qMpyRWa$
zx7v>~{!eduwFLM|wUO8RQ{y>{;>4dco%`CSCt0XFv{}tjr}i3w^wJVKY|p5v?Fxre
zD%@)8%c*$~V1Xx{oSq<ArR=*8eRuJ}eOtwMpE0+6TWs;X`!;`m(>cC`T3HY@Z(%{z
z(b>Iw_qyxX0ucg)9}tYUWwP0|xEVJiYkJ|Td}=E%H>AkeC&3DvvyC2JJoXpE=77%M
zhrU$S9pp|6iaRNJcyz!&t&b&WzNYBApM0Oy<8#W%q2j~j;rvAzMK)Ct(rhhTSXAH=
z#VKoPeCapi&x^drQ39MX?rMfAExpz&{lTZgQ-#I`%Ehh4NCuigo|bXCCRrqp6>Ygy
z;}ycUR?$5DltbAN_nSQcn_>TJoZ0DBeI4)TmTr^K+1r~_JzQOsaJ1@D{;0U|gt+U5
zxD$K1Bdoi=@KBs1-_gy!*p?Nbq^KE%<bS2Iu4+z#5Cys=WIb*Tb%Z?paZ%Y^sLZCh
zcn(at2V&uq>kpFAmX?e_n-$?VES>KMaNeK=$2%6}gC5_<dfy5g`myZRr297Jj7W{~
zq%>)OPhi<P6LVQflQE~mYf3#jXiazUA>#zw_WNNjm)n*u)NVK9*4Cj5PzVp;oV1+?
zJ@6#(A3UsiX4(D!HJ<BFKHow<nfw3H_@?<kHgo>>zO(9)BS*B13BO5GYQMU%etze<
U%s(GWlRuwQQd7)VIRDT80BVscrT_o{

literal 10420
zcmch7XH-+&wl=;f2!<viy;rHBw*Vqdlz@neh?LNg5<)Mb3DOckK<R==vjWn43nU;V
z0wPH0y;mVY+TEP@d}Dk+?zm^%aqm5AjIhIAd#|iD=Unr7=A0|`o}nHMH5)Y<85xcK
zZSDJHWPfp!kzJs_Oaa`XpSzv`TrPUu(tmInXvoWUF~I+<-a3!HP2djRelSmaGDml~
zo4tgWt*5=cyO$H(dyBk99e7CQ{2?t*dziN~+@0rvvzt8`6z*;Z3*eEK;nDQ)bav&D
z0n149faO(W6;;4WJolhH`X&zoM~AUwWISa0+L{mivo|K-Xn`fz)ZrGbqjHr(mAF|$
z<5j^oqF3`?LI2$My_jb+)u}Vu{7L)fgIL@8S)ORxep(f!i!022`n+WkDm_xvnxG#i
z-Fdv+>$GSN(E?7nB%T|B;X^;K)Mu-j$NM{*`VU&HRPx;w7%}I_?PBZS>~C6rGm-Ho
zXJON`-XZGfh%A2Mg9d)@NAk^+#lsOtU!c)5Ffgoik0BIqYHMqANm6t3@$n6cy`Ve4
z{klCmCMM?hof$2lFR*Z%7wBucPXb;^vb=!=x^9<VQwO>VO#er(ecGRM56f1c8jrNf
z!Q4%oSx~%=%W1x>@f$%hV^&9;`V)lt_=E``whouSy%OPgX^NXj4gwopZj8|n9;XTL
z&^R;SuCsa(x-U<X<&HR;!Aq)#F504ObB`X9j;xe7AH~IV=~tKMB>JkfqIw9FAjY0@
zkK+sZuozn|sG7ydV6}vgpWMQREc*<NSi7_4`glOOzyU=s=0;~*N{<hx8)1OUM>S|S
z|IBV+E$Kw*_y>^_a@NTm9{Pt86}CHQPpZ+F2xZsNo}V}0DMMkbldopp9Jz0LDMegJ
z)Ma-iCJ1Ri^?IfFS_Qv|6RT9KEcLf?3fyF<yXC!Vg%JO1Mu^>$W4Od~oW@blc5f#E
z*HTwU^74DXP}~fczPOhb5{$qzhZdYw1M8S*I^OMR1U|>pbf-K<YWqLPt@hqNf~?!v
zsM03PP1ka1z5;jO>V0-c-O8;`uYH>e67f;Qc~j{jlVJS94%jXc?%sZ;V0AHeVtVK2
z_2Uk>c$Aqs@e``0rK(Da*sDX@YV1^Nm;tnEm{6P>k{KUQ(|o)jwfASOlw0Wx_$!;$
zH#$11v^#wP2VTOIS%^OwYl80;@o+|6%!%gK?Fi_cG=5d`EjFJF@3Zqf#`w{_tsHS%
zh_C=b?Ox%<hHytbj`MoZx6kQ9<hQ0Uds-AbuNF*nL5;1Q@2MS*uy>w)E648sHExc3
zvKY|I^Lq!93y#a^opK2)<fGwu?j5=T<(jGGcc@9Y2AT+~eD+~CU2}OR@Ir*Q?v={D
zY=3&mRZi%8T9D?%+MXn_u(TbgQ5pJv0e<E}`ksG}hB=o`tzM~m4Sw7@n<EvxuP%C(
zA!+iWX6xbJQozg$=FzdSdLN{V3yRs&KYVWq&v>!z&g!Nb(t9tN?MhE`z}rmv7t)2S
zNd`i8T8R!E4EBmviEf&Z+aK01tOz(>jZPm%ulAS3SoFU{7~i{gNk>|cyPjn<Qj6Pm
zfNT)V_r;ZBB~o9dwd6iU#PQ87im(;R+TM)UL6gf+ed7%Oyqcgen`>7KnI64*X-}18
zk)*?mS%J|sS<zJZ--O6gMNxf)gL6ATdRi3vu}mO+U9R5yx+^*Eg-6Iqd&_!ITQQOQ
zsN+y)3p>Y-!si~zxw>z(2$AHD4{9byv`{f!ajvee+b^V$;cwn>=7gRGR99C6E1o@E
z%5`*fjFv*qTmc^VT(HT6KXh_ljT?(BS$n^vJolMQ3N|g?zvQgDA!IN_f29@CRUgNb
zbuZz5W4+zvlgNn6Qx`mLA1_P#WR4#6{rWtC_E*7C3wM-UxcNqS-tFci0TQ-v7t8tZ
zWr`_7zG}3wL2j#lSKQUVLU$h6Yuf(-`Bms;Bwgp!OiiIc1w!zccE@ywSFkwT(Qvq|
zP4b^~vT&V;y7N^!Il|&xQmyHDmefm3lKl~ot*fEii)~azK}(*E-mD=je$#bZ6QO;=
z{Zdhu+S>DWDxs$kyc&_C<-nx{>#9IL{iSAdwr(kB?)Y$cBdcsSCov9j?dnBd7>o2B
zv2_vtTy50bfxh&<Hk#v3ykbT|#PB23B#m%Kjf>Du%;!-J4lh4W`(&`7fPSM+DJ9K9
zW&8GD5L>GkN)AvTkH){swzZ<G#YOyjBo?O+YyRqN6md4l6&W>uAI^R0v0L}=7|Yhw
zHP4`=moIF?VL^%!xW4?<OKw44I(@)WP6AeTZJKdjQw_^hfQKDgh!xJ^x%`);MSVx%
z-8BD$UycE@vBHm@EX4(>Ly|pj+1+~mB9f6&in`3tNKpbhV%*7Ph+Jx-^$wd!HYoNt
z)4d*TAd~39!Wd19eN(eO@S3XoT05eAsgrQ8>bqfd?U3M?4VB0DKQ6pb+K9BF%`unB
zibx~Xl(-VEi=)UtMMK$BQa9i0S{|64{>C=zLPqx{SB@k()Dgc6d$wgacc*vy`Z}8c
zNC?`m#(a=PQx%h!SMqc{??jEsfx(xtUNUEritMzS5FwV~UM!V9<Sp!*Qe~>uRG)sz
z4GSfq9U@UTUFdO0zc?aossX(*r+P!j_=4=We%s1ou{JrVQ&vQij0F@Gi?}TdxA^(R
zCgrOC^imUsE|{bFI8@3?A*g0DVRnsjDJ~|at9uu4O(xea8EKrzkyZRcqnM>iDv9|m
zRK-zxklnnlF5hTggT&Sq5n-az;Xv7r9u;}9z2(nnO9dm_T}hsV6V;GXzio>whg8{y
zQeqQyT2;=zty09<f;-fRE`r_vaUU9KmB+bYr)wK{F}nW~_$!T5R#RJHUN+~cD{)CP
z*RQ2zha6>z1~7pVAH4FZ$Fvf;^2y^ck(mg%?e5CDy6!7djjfDEkhTiEdJpgka=FyI
zxVU<7XW6F;#fk;JiGp;yOYT?3CSP{Rkzs*~EHXWmcT6o72%x#C7Q3CFj#McA=<;zT
z-PvvSFuHMIi3%|}9Yvm9T~q=O$?PPIaCSx-ux_N9J?uqg3rK9Tg=M#5J{H;OL@<($
zq8~Rh@K0H@>2(~U50Sb#+UO$A5XkJKC6u%E_xpH1mvRratdic_yR7y}DYQ`rnZ#w$
zIy$;PjX}Y)$2Lw2TcMXEn-JUMZ>APJSK>P_{>U95HpawcKQ=cvZzRp4*4Nj!$Gz}h
zzkY4QVkyqIoT{qodB;)eG*@9x+SnK<nZ6<O<s!;7cSgvd_(q7LAiJ)1M7rzG+41qv
z39f<;u4`t!JRnv>wru}fY~oY7P3Z<7R?-vspYzn7u#STuMMh5yVgVs>Ue(c>-2q{~
z()Iru?V;NF994w4e4>g8*HOwzrsG_Nz`(b=#G+xA>)dRfd=!$sgX=%JxcWu-cWAze
z3vuC>+h0Kt%H^b;xA>rFsnaf-sf1h-jsGbfocqix*AnRqXb<J0e#*PyF3RVb%%p>G
zvG17_tZKM04|tDvB5|*O1Umrk(os;bhjI{q_S5EY9dI~{Uh4<0NG~sG++0=`ii_?N
z9Ya#eT5XM~De2|WL0_K^9qw)#b5K~T&BGqLV5BroOG|=}&r|Vl>hx){#*`V@_0d`X
z9?tbohBy4DrsZT~&OHJka}e!*K#S`fe*6IV&(Gw+fcgB}IN<*Q<NQMwm6-X<uKlz6
zs;Buk@0-(g{%tYN<QouMdjDF>+bSBXe}ILmr$1s>S2$xb4?PL+-3&C=xvrv=5HVNl
zui0h&>Ls3VVrtJDl5X7OSV+_9Z!j<(B%39}&lO2J=Q`+eR!Vm%li5bW^j;CHbofJQ
zeWA+JNHb~J@?=nO5FwKe`MkCu=p{i1U{iU+k%?cvbmp=H$UHl3aVsXA(I^9dWmjAX
zyjWn|<z)1{48lD{EK8{U@KBwH<9g-kOII0Q_DlEBm-D-u-<p^*ec`;SB2?rCyJs>Y
z<i2d3DYQsF>^@7O-VBFv^vwYp%=TaVB=Q?udJ3&R?YqQvxPtdwwB7PN;XdXp30^S&
z9K2)d|C>@Fb<&naC<+Esz3!{hS#|53fbC*2i6VV6rbBf$N<rEA$&8Q*cBb#~oRVEh
zrwBUME7#eM{CiaxY@C+WLN9tpT`MA-QLtm{6X+bK>;=`hT`*QN<8Wlse*9TiyvA|p
zv~Y9Gj?`&)UYjkeqf+Y{b<x7?k`NsNL$$wosSoW<KieQ_$-=PYHC8D2(0~uV@?94Y
zt0H;S4Cl!WhgNXe`#n~96mPE6(}6xl$kHNx61(i$GoieQ3PMQ<Un2i4eCM8)u310>
z^x++PhX?zwl&C#0=(vQH?}E4ejvn8!k>V>A-Sxk@9OOUqvKtxNv&ILb|5MxGhT!1v
z>v~|T2y8s+&#wKr{t+v?BgNB;iKh`7-TPL^aCUQ|S=h|<=)IBs<P?b^|BhZZaL(&%
zEA-5%zi)Z>rld=2mH$xnXwDg#u2s7G%mYHXsw_W^E}AE&#6U$p#(n(w{@XQtS?sRz
zuy+^~s?PFKmPg`_Lki0$4(VQEWlIJF?$S>lK|ICXwHI-&>0rO;f;lSw20kdZCOYin
zE7<)Rtnva<SKV9sP5KJb;Qd#21_tFzkFKk`A7`Dlj)k73d=5TV?mzYKtSX&^{{epu
zD=|A*LuySthbb!+g|CpblY)4jR_gRRIWTbVzJoW=8h9Okk9D>l9Nc^aU$0(0z*AVW
zpcp5_`CZ5d<yxg_Km>lS!<s;&>rB;3`Do+m+0khHRm2>X^Zbkw?LaH;qu9r+jrTpt
zSXx&9>rt>7+FRLySY$v=B7nNF70JrnWQm~ABt7@j;EiJ7y44VwN&)_CKhO%J*L#JC
zw4wm%@$+pZ<fR0*i-;{ZO1JS=Jb+@tstaxPOZ5o@Ha3&C@LOu7&TE<Brt8XM1DT5(
zGh7%fK!a|2!3&FG^{djoY{EAJM(3WtqmJcxAIDm?F{?g`HU*4t^38a#`dD0m+w|zc
z;7}2B3Z8n9z6cSf*aatozso>z^twv+y1re1o)W6^MAIavzI>y0O<SnqwoA8G;@>SV
zXxz^*VcOxvh|zVi%6Pa4A!4>D(bOm<c1|}=fZ2$7+hFwMGr)?-TW9X3X8y)^)Z-D0
zwn9M)f661!h-`W~-bCTM<WURJwHxT2-w76KW6u!-)7oun(R2hK>9yy(>IcjLJbP$_
zs-28PdY{9!l*m>~#2a8}z2%O`#1fa4`qX;S?zxvv<FmrjcTGpCWe1fC-?OQxtOn?y
zUU<3qcXrS)Ga9_nyfqrHzbE*iHSV@ev?wb$vp3z8X;@r1!RC&O_SFeo3E$?+Jo6M9
zlelL);=|&Oe<mB=P2`s3yDhzXm>=H_IP?c9yfgXvceI|4@Us;fsHQ39CSQs+umfA%
zsu4`2B$eQJKJApF7tGoO6Vz743m?ne7)lT_z+J$K+sd(kdyBj^v2q%&^50<M@AM64
zf1;x=<Zxd#TJ+ZAWN5sQCoMSH@Z%>9i=EdC05z1E&Y@&HnCPW!JZ95jy(-HUt>_oz
z_Mzworq<@30qZD^pbqGd=y@wpeSWg?+962n@`0-?eAZvG2xje+3#1>EFI`hNWMU-9
zWEd6K9GtxU)RiJ_0fu<%e+3Lr{~auCs0g?f+330qV#I(w+8OfO20~YIfKE}7zjG6E
z>wuj98wrbN!4EIN;qW~yJN&y3=SYc#`9pbN08j0oBO}tF2!K+09<2X*JzS9t#a7qU
z9AXul+w|0T8MuPhzrI!v0~|0%{Kkfxf}&zw;J#??@w~9<!KtM_$$x*?RM~HngZp$l
zI<ejfkdN6{G1HQ=s;bTuBlWuET~nE*xs95s#T^{CmCgY0ljSx`_}t>PdSdhTg)aig
z@mfSgm3*H)6CjoN{v5T2!Nbfumx1U0%S26JEk@5=x^xT^YMED(lZ1cvsOF{qc~JD^
z*TE{WG+$I`UPou*xjms4rak{e?9*2Xukt~D=wF`&HMUHOK-l3vZUb>byDzf6i{Rzf
zBMwc^)Edl-K%~_-JkvD}yx1H(vX*eiWO2STyWY92vTP!3`4NGASE<O!w^RWv!H%P2
zz33N83#j?X$EID+q@du1CYVLK^6i&9MJduc+4P?!L&v!>wy$VBfK8Ao-G}RV2u;==
zMO`VgV8+Xt9<`TX(Syms!Ey&-h*_x*HMZ&r-HSq&EYjW*=<1?u!;EXR2<u5nzB~GV
zp-Nnw7fpob(7m@~gZFNJ0JJ9a!zbR}j0L-^Xf)y@2aRweoG7eI8r~*3rKicKrcJJ{
zl!<4JYD_+ouw|hD{F*<*SC^D{tO0edKp7diD$6*CPwa<JWsy;~ZqTYsDn*XFy2I1V
zi_W(y*=NPCs2-#~Z4zk%8@R%6%1P-jF_C&om;k~zJ6L!Zc~Ft7_Iv!r73M(qfr&RS
zw_!Fc-+wYmT<;0NyQ3ltXk(k=x+@FZq1ik(Ea|;_R72%OvK;LLmqUqy1c?xg)S^6;
zyl76EMMp_*SOVrB8De<9-}yNiDnW)bnLuS`N6zUZ4ZGj_L6w|vaG8Q(GC3#PU0sN)
z=A!;_jvA2A3U`LF_K@Rp#4?z@JoF;zMuY5FR`=-{l)GICi+zey1tn|bP3%4vQ}v4i
z%Djw*G{+*XABEAgXyl~$o0wny!gjJL*7UN}pjD(nGCCuRH{V~|`jLT9g*k@7LOy@}
z={w_FnY4%o)?c-dLH(R+H!X_+aaFS=yCDk4beaCE?=VqPV?bv+Yr>{;%m)`$@TR>}
zah`jt=cb>fzMhF;*IjbF-{zVjz%Qp{@es^HPnt7<K)&ln@I2hL&k0z}uyy_ADO|8b
zUdEr?Tgb9xP?6s5eVIaw&kuiv@S7#x-H@V6E1R!y$0kZ~YE*OjWuh1x(xBCY5<PCN
z$oPV`)6Os+m(+A0N*<9~5<w0p6%}@NR5PooCNPWNc*~3Te4-)byCuQr?MB)6%3CgP
z6C_UHe>#>wIMCjVXf29~-ODoWroKJ2{4?^G3b%9@5t6COQ?~U%A22L52-Aw-0K)Rf
zC5fnSQowaiDZ2lXvZ1grl8lA6O@!A;EUr5pa@T3@)y$?+cQY>;<4~CImNcegee8r$
znvhwZZQSoNRuuko<~H+CH76&<-7`WULxhYyBrfBS*LWGW)lgE%QGBgRN3L?K?oJOk
z*xTUgNc%F|H^eukOJb<aba**Q@nhC?cU_R!ZI+`}h^^9uRSBoPfTHkQUudT|H={6(
zexPF=Fx$bWwI1PDm?iH$9B$4vddDcU?nybs%Tfr+PW61$MBI;FUbLMRC{|FT$d9yJ
zmV9Hh8}j2JO|_SYvn1K|QxV(j$WcH-EV3UCK!1K*3Rs}`ml)~}22q;P=D0|xJON#S
z(_7aF+6R|~j3_v*J~R4-?bEODGir}opa=1f7uor~eF}K3*qp%C8}%jmYbwB(4|DGQ
zd4>igr%Y8xC`&p8gmf`JbETjIt*f0=A+q+~M{uaT^I%-79rqj-pq>9JX-Yb4lZI8n
z7$U$1^2o~WKEA+RO%A4|Jt9lkf;}2K$y*9RU1vx#fdvP1;t(Dj(fj);^0i+_x-WCP
zbqmDCR%Dldbk2<W*p=Q3J)YKdbQHJ5ZZy7IQ5g%wD&=x>csdhKq()Uko3%!Kyxp`O
zE*9*h*D-;W>{6Xf(5%c%P)cukpCMT0&keM75GsHz>h85Cy~4^3ClEJfUUodKp`Dv!
zfxfQsBRMxcLT@+DgiZLdy4kSV=gXo)kqG1a@-)zg$;|Q`%ap6`C%+WDcEyX!$@`9g
z4XFcQhx9pq%(-JN-k=}b1$KPUPcpiJm0i7VKxjiTzN55cc4469TkTHwx3gB|f?XRd
zsEI}xj9_kfV(X09%qT<D-->ld30m8XT~AOHn5e<5a7uWn^+JTjo@MrT_-g4!EWp0~
zrX*FQ>vO%-z3yfqE#=74jQ{@2k2n9ltxR7A^cfqb9YHCO<k$5w86frrzJ`_ttV=X+
zoNZMv>^PknmiTZ@WqLeISEy!B);_fe@&Ur8&5?{ZK+Bi>{o2%WMmG1b*O>X}<%-Bq
zq{^Mx^*MJG5Kp>3I+WC4#YlQaC)9VPzvBf!{cu|O{Kid33iNEg)f;}mK*s@?7a#}H
zUPm$jRG8exNdAAoHhiZYH#Wwm=sy1VpTI~U5X2@5Tm@(58k*M{Y6JIIMdPjmFESCv
z$Dgh+4+3!cw9!B5lWD2v!Z#)WrcI4soFnsB0GUgk*0m3RGOhF9nf<nE)-7aP<{zdw
z=^s(DR_nVlCi?Nbu)$y1+?)VoIUl3K5nu8-=k-5oAxZX?V?Y%5e^>?iuOeWT=51qq
zM&FvcsEtAfcr9NP;1B^uVjymbJ%|uB^67{$TGuY<>P-_NbTaFH9#QJ=pmk!8^PfR0
zCp3eB?iLb{q2t&6g;s^<;<z@;-V(e%OX!j&!y223^}yP=6vVD@`>5N2-M43@1Js3R
zB^I4~3qnE{p5!EM1wGaq{1)*Mc~eQ;>4f)}-7N*`w=4|0DGii4Dvs&Bh!k{}rSaT(
zKuz}3)Wo$<ytE9HowOxRt1NB#`}D3t6GJTVw8!jYxBd{dVulPY9LtX5^^(wq8Dt+B
zqzR(j4Q1}EJg0KDE_sgt41gOXwt5JbHgH<pBgZfuv3&2B(KQZRI*deobz~_LIN;l@
z=S$Q=D)PbKc597$c&^n8(e2E!LIWNv`+ZE;=F)t+$u4uj$-!h12qzo!tvW$06xV&4
zUDMwe#^_zc#>gS0HxC-msaE|qLnrxXQQpgXb``6wD6Y4kupP=5^|1mpZ*O<SHJK{R
z=SL2*CN13Xb9ioU+Gi7$((u~rlkTE^Z#u8pD(7YD{YDC0r<rH*obo;V)@5!^A9Vpq
zwsr91z+AxY)@$miiu+@nrD1j>^B8(5mY4kp#0VDO+X`F^O0)?Y0-mZLgT<`bRHS&>
zNwo>VPNmObFADr59P=b>bY+1+M4X1&4FGh>Qk)#v*_mjUS;8i3VBXl8$L83Zy1)q-
z!Y{|FyKc}#O@+d2D2p=9A(&5+*qrx8O)8MFC(?I|z)3#Rl6D$N6s3GGj81;uAAgy4
zMN^uFe9YHbipEV36<ep6AxE>wW1C&5t*fcfOq5pw<U;o;<lwLjLSbgOUUhA#JWZ77
zl2K%PnLk^GUsZsAw1nnio%h4L4<A`Kj0VxE@Rui%E1`AOp*b>ciS--j3Kaij{>*&X
zkHhTuZSk!~kJVJWSa4K3^t=9t<z_u}2m<Te3g?g=;qQ2<c^mfl=NG{iU9gQ)U-#hL
zWm8~?V%)QKJy}7{$jE%OvzhS-lf63M8?(rWhhI{f*cla{8i0K$s9=gheQBRDU-^<p
z^X^cfg=7~W>d5!R=BE#`C29K+EIJ%sMzZMqX(j^Rh2fCL97-y?g&mU4GfomFZ}+&F
ztOd?_S&M688UBA^kG72-W6>O$ZK^aIh{eIAp2s#*Dz~7%Wtl;%6qao`unf4iF3*3|
zP7@j!fNAb-f3Fz>a?t-f#nAuM4OBJ9-I@wm;<OCfkT0=l@C}VOvs%jMJ`q{!e`Bsw
z0qnZ@i;saoW20(>G>TKl0xfu=28b_en)fBt_dghYd1nU9)bp>;cB2bpRW3mNl1xEC
zVY8tIcvahwx$p3Qucj+T#qHwa;_Bu$K@0|x!=Fn_=NmT9XBeqe0W_~4FPiuIRT~e+
zT!<%vh_$sf<nMg$h4DHsy$Jz8MasO7uAbMFwQ2K}|2?(npNS0@0NEe`tO%HkS6r@7
za2YA#^z$-&wZHEJ!c5P0qO#S34!*CQo_yM_IJ<hf%vtN3kE3WdT65V}TbfQggCIA%
zL)O&Kmp24|4UBcw6$m5a;mC+Y<UBv*VAR$xxb21WgS%v8l*i|10o2jJkNp}SpI;sR
zgxpQZefno>Z_Db1RHFwdUR6}JmDPVo_=tw*JT*-B!PF}FwbxSr&J0~BsW!{=okgAJ
zi!Wa!a*(^zghP!Zd;hr&Tc;n!W8tVNnzI?lqfhs}00DB{hqs(4Bx;<J5Q=jhsz4pg
zVnjmCZ#9Clm9@71c;}HWP}QI3^_j!c{QUWw&0oq9pL5cRk6sBXi90Q21d#AwmiUoi
zADZFDBDGE5anwdCdlt<IJjA`x%VT4$UzKKL3(`E{8C)?_={8!pF$@&PPgX?Zx?cfI
z4E&Wd*MokV1vg&efK~bwi<O>4)GWAHvja<#4%uw+f6g6ZLvz}~e(b(~U4v-8z3MmR
zPNEAwr8*^UHDh!CER|8+#1W6FB0`A)DWN3D@!0TOVAxS{4!|%1JfNCv#n-+-!DxM5
z1}?$5?(7`m7nMSl?5#7dki9w__-sl(s)ZJl_H+6O8nV|iiB<MKi%+O<oLb-x4T+dK
z@hcYd4+{iDI3F&5Z7v(jm7D<a4b`iOk~~EytjQ_YbV{8r2ZRt6XG%|J`fTCta79Pb
z>y}-Xvpu5Q&fG9IoZ#!;*e3-c!ni^gK%x7uL$Z+9&JRk=x5>#mRJ}->q~)TldeHgG
z*=*p4#3*f>^=<2^#{7QPc$iXoh7t9*`U?a{rMLqS!CTJ0-%h32y{*!sy^Re2SAEnk
zI|J!bXBu`Kibc2IV$7=?d2F&o8k+D4`SV)U5(mdfo!~f6J9F#Xip5BOCcOxyd(7%*
z45zaVj-=Sqb=tOUNj6_Vxs-#$^6{{_Cw_JBzob8;2$AFKzDnV%m9y|5sMOg3jT3YL
z^CVCzLEHR2kK&4M#|q2)D)B*WDK_0JokRvBpNAPM2%-2ti}FikGC?+;LH6fW8k;da
zBXl`OV~VAi7qXE3uAB(P$r+O=_^w9q7XPtTOG|g5An^^wxmE94*VBULHk&|2IFD;H
z%GZmWXLK(ZnoCcm(TP7Fh-t0*>Y4~HbI!{8^q@Xje{vdR!-vPpNo4c1SG>(yGB8h^
z`HqnRfqHo3o@RRXJI8V_jo@$AR8$geTwJ1|KLe0PB=Bhpj)c?rBhqr><G&b<-?iF5
zej~1@bIvb!twH4Vn_NPv)ekD3|7t99W@l@44L4U4qFBtiXv;?7z430m{#~1pH=S;F
z^|R$M<(0B=ugZMcUK810K6_YNNMJnOjz}mHR~Ns}p1s7NKs<0qI>nEi(UI0#$V0bE
zS&zq;Cg*$3mM-=G{<X~i_WbA!T}PSQXZQZb3rl5rX+;81uWi0}nvrg)b`i(wE-C_d
z(kVt6^sjo<B;}^8yG&7>{$|Z-zOc~zH6~%}gk(m_*CUNhZtrZk9QUR5mtQ&_yz5B%
z;E3N#X&KpBQ#9-mPrF3Z06<g3S0u6_FPrP>BZ3c#f7tuh1}K)Fj(`kPaiv5>9Ufbg
zeRXB8kj%)9v*<`|INp~J!H-VEgI8(XUHwpf?bWL8Pq#?sMx{Hu-0dR=Pp5(%qetMU
z!Fx<3D+T=SUg&`v*G9|A7V5lC1>r$i)5H2@XFpq8%FFq5x+a6;;D(~|pn3<xVP9{k
zPSQf}Rxve3@Hfq3fUdE8rG=Ko;=Dbj;q7HP10X6}0i3Oa<-JWq61eqkzFPOpeB#Vj
zh<&^xV6s9Q+q9E)iioozKh`tF#63(XGOFe1$gkxjt;I9yOR+`=K3i3S9D3z%dv>H0
z_@JYnk(^junf|!C2OR4`_KsImL5RH%?3%{IMlY9gG`c(9%39FT8Hvn(SwoRJca@gR
z;8>|G-5|Y)ANwZUUiG3eC5v@H?ExAogFyvz70eaVSsewFzV^w7%v5kM-aS*^<|Iv+
zPUAu-CAT;|1MFyi9uN_(!B<Xa7AlV0LjzKoEh7~J-3}vE&yjAdI+7U(D7L?em2PL?
zk&Cri2vLp$`2N7z4hvfaU+Kxl>FQt^Kqvn75i73y0Hy+Iz&kA*1$saT^tm*&%&*A5
zVCm!+(?6U&Km_IhFu_fr8R1@DjF`vG!H1n&W8p*1uufVezAl9O*5Ceqru|ZhWz)CU
zVy2^$lj@s`*-F50PXS0dkC<lKUlfiU=W_=!_qTpHa;ULTB%HRK`nQ~&RCTAvbZM>r
z*<X9w;2W<vg-ih;=$wj-Lsg7{{OGUI(dqUV=ch-+n-*244ryD6e^kykT7q9`1TKL_
zj0V{ElVnj`iJ`x3w|47<m4CCEYW`zFRTUMO{k4&)qxR@=AkuSj>7k@PM`GfHUy%F2
zfQr{5=zMLx8K?E|b05lO0~D44Nsu>D)1G$%a@jh(-yCwH0<5E0vTGyiqaJr~<;e7f
uzYD9fP$eL3`me$4U+dt1e9Y~PyI}9h!PP%E<$x1~WcoUW+9kKFpZ^DP{o+jk

diff --git a/source/adminguide/storage.rst b/source/adminguide/storage.rst
index e6fd6c3ebf..2a225ee031 100644
--- a/source/adminguide/storage.rst
+++ b/source/adminguide/storage.rst
@@ -897,6 +897,13 @@ Before you try to resize a volume, consider the following:
    Therefore, resize any partitions or file systems before you shrink a
    data disk so that all the data is moved off from that disk.
 
+-  In Apache CloudStack 4.20 and before, resizing volume will fail if 
+   the current storage pool does not have enough capacity for new volume size.
+   Since Apache CloudStack 4.21, it becomes possible if zone setting
+   volume.resize.allowed.beyond.allocation is set to true, and the new volume size
+   does not cross the resize threshold (pool.storage.allocated.resize.capacity.disablethreshold) of storage pool.
+   These two zone settings are configurable by ROOT admin.
+
 To resize a volume:
 
 #. Log in to the CloudStack UI as a user or admin.
@@ -913,7 +920,7 @@ To resize a volume:
 
    |resize-volume.png|
 
-   #. If you select Custom Disk, specify a custom size.
+   #. Specify a custom size.
 
    #. Click Shrink OK to confirm that you are reducing the size of a
       volume.
@@ -922,6 +929,8 @@ To resize a volume:
       which might lead to the risk of data loss. You must sign off that
       you know what you are doing.
 
+   #. Check if you wish to auto migrate volume to another storage pool if required.
+
 #. Click OK.
 
 Root Volume size defined via Service Offering

From ce026c0439ab3d545e9fbc7625b97ae31426ec8a Mon Sep 17 00:00:00 2001
From: Vishesh <8760112+vishesh92@users.noreply.github.com>
Date: Tue, 7 Oct 2025 12:49:25 +0530
Subject: [PATCH 02/20] Update compatability matrix for OpenSUSE (#573)

---
 source/installguide/hypervisor/kvm.rst | 8 +++-----
 source/releasenotes/compat.rst         | 4 ++--
 2 files changed, 5 insertions(+), 7 deletions(-)

diff --git a/source/installguide/hypervisor/kvm.rst b/source/installguide/hypervisor/kvm.rst
index e8181481b4..3d1e07440e 100644
--- a/source/installguide/hypervisor/kvm.rst
+++ b/source/installguide/hypervisor/kvm.rst
@@ -24,13 +24,11 @@ KVM is included with a variety of Linux-based operating systems.
 Although you are not required to run these distributions, the following
 are recommended:
 
--  CentOS / RHEL: 7.X
+-  CentOS / RHEL / Binary-compatible variants: 8.X or 9.X
 
--  CentOS / RHEL / Binary-compatible variants: 8.X
+-  Ubuntu: 22.04 +
 
--  Ubuntu: 18.04 +
-
--  openSUSE / SLES: 15.2 +
+-  openSUSE / SLES: 15.6 +
 
 The main requirement for KVM hypervisors is the libvirt and Qemu
 version. No matter what Linux distribution you are using, make sure the
diff --git a/source/releasenotes/compat.rst b/source/releasenotes/compat.rst
index 7e601a23ea..e77e2a06a8 100644
--- a/source/releasenotes/compat.rst
+++ b/source/releasenotes/compat.rst
@@ -28,7 +28,7 @@ CloudStack Management Server.
 -  Alma Linux 8, 9
 -  RHEL versions 8, 9
 -  Experimental support for RHEL 10
--  openSUSE Leap 15 (not widely tested and used by the community, tested to work in past CloudStack versions)
+-  openSUSE Leap 15 (not widely tested and used by the community, tested to work openSUSE Leap 15.6)
 -  SUSE Linux Enterprise Server 15 (not tested, but expected to work same as with openSUSE 15 but likely require workarounds)
 -  Debian 12, 13 (not tested, but expected to work same as Ubuntu)
 
@@ -52,7 +52,7 @@ and VMware with vSphere.
 -  Alma Linux 8, 9 with KVM
 -  RHEL 8, 9 with KVM
 -  Experimental support for RHEL 10 with KVM
--  openSUSE Leap 15 with KVM (not widely tested and used by the community, tested to work in past CloudStack versions)
+-  openSUSE Leap 15 with KVM (not widely tested and used by the community, tested to work openSUSE Leap 15.6)
 -  SUSE Linux Enterprise Server 15 with KVM (not tested, but expected to work same as with openSUSE 15 but likely require workarounds)
 -  XCP-ng 8.2.0
 -  XCP-ng 8.3.0

From 5f003697d30bd7fec1d27aa0c563356781ce37f6 Mon Sep 17 00:00:00 2001
From: Wei Zhou <weizhou@apache.org>
Date: Wed, 22 Oct 2025 11:48:49 +0200
Subject: [PATCH 03/20] Clarification of Network ACL rules and Security group
 rules (#568)

---
 source/adminguide/networking/security_groups.rst             | 5 +++++
 .../adminguide/networking/virtual_private_cloud_config.rst   | 2 ++
 2 files changed, 7 insertions(+)

diff --git a/source/adminguide/networking/security_groups.rst b/source/adminguide/networking/security_groups.rst
index 241ef1c1ff..e17a878f91 100644
--- a/source/adminguide/networking/security_groups.rst
+++ b/source/adminguide/networking/security_groups.rst
@@ -216,6 +216,11 @@ Adding Ingress and Egress Rules to a Security Group
 #. Click Add.
 
 
+.. note::
+- If there is no Egress rule in a Security Group, all the outgoing traffic will be allowed
+- If there are Egress rules in a Security Group, only the outgoing traffic which match a Egress rule will be allowed
+- Only the incoming traffic which match a Ingress rule will be allowed
+
 .. |httpaccess.png| image:: /_static/images/http-access.png
    :alt: allows inbound HTTP access from anywhere.
 
diff --git a/source/adminguide/networking/virtual_private_cloud_config.rst b/source/adminguide/networking/virtual_private_cloud_config.rst
index 9edcc5c591..c656128bd8 100644
--- a/source/adminguide/networking/virtual_private_cloud_config.rst
+++ b/source/adminguide/networking/virtual_private_cloud_config.rst
@@ -355,6 +355,8 @@ Afterwards traffic can be white- or blacklisted.
 - ACL rules for ingress and egress are not correlating. For example a
   egress "deny all" won't affect traffic in response to an allowed ingress
   connection
+- The incoming traffic which does not match any ACL rules will be denied
+- The outgoing traffic which does not match any ACL rules will be allowed
   
 
 Creating ACLs

From 851b10edb985ae29eaf80970610972a5a4b2d92d Mon Sep 17 00:00:00 2001
From: Wei Zhou <weizhou@apache.org>
Date: Wed, 22 Oct 2025 11:49:20 +0200
Subject: [PATCH 04/20] CKS: update doc of creating ISO (#565)

---
 .../plugins/cloudstack-kubernetes-service.rst | 33 ++++++++++++-------
 1 file changed, 22 insertions(+), 11 deletions(-)

diff --git a/source/plugins/cloudstack-kubernetes-service.rst b/source/plugins/cloudstack-kubernetes-service.rst
index d8f59ed558..f60f1cb953 100644
--- a/source/plugins/cloudstack-kubernetes-service.rst
+++ b/source/plugins/cloudstack-kubernetes-service.rst
@@ -61,26 +61,37 @@ Eg: To generate the latest kubernetes iso
 
 .. parsed-literal::
 
-   1.27.2,  kubernetes version, see https://github.com/kubernetes/kubernetes/releases
-   1.3.0, CNI version, see https://github.com/containernetworking/plugins/releases
-   1.27.0, cri-tools version, see https://github.com/kubernetes-sigs/cri-tools/releases
-   1.11, weave addon for kubernetes, see https://github.com/weaveworks/weave/tree/master/prog/weave-kube
-   2.7.0, kubernetes dashboard version, see https://github.com/kubernetes/dashboard/release
+   1.30.1,  kubernetes version, see https://github.com/kubernetes/kubernetes/releases
+   1.5.0,   CNI version, see https://github.com/containernetworking/plugins/releases
+   1.30.0,  cri-tools version, see https://github.com/kubernetes-sigs/cri-tools/releases
+   3.28.0,  CNI addon for kubernetes, see https://raw.githubusercontent.com/projectcalico/calico/v3.28.0/manifests/calico.yaml
+   2.7.0,   kubernetes dashboard version, see https://github.com/kubernetes/dashboard/releases
 
 Usage:
 
-.. parsed-literal::
+::
 
-   # ./create-kubernetes-binaries-iso.sh OUTPUT_PATH KUBERNETES_VERSION CNI_VERSION CRICTL_VERSION WEAVENET_NETWORK_YAML_CONFIG DASHBOARD_YAML_CONFIG [OPTIONAL_OUTPUT_FILENAME]
+   # ./create-kubernetes-binaries-iso.sh OUTPUT_PATH \
+        KUBERNETES_VERSION CNI_VERSION CRICTL_VERSION \
+        CNI_NETWORK_YAML_CONFIG \
+        DASHBOARD_YAML_CONFIG \
+        [OPTIONAL_OUTPUT_FILENAME]
 
 Eg:
 
-.. parsed-literal::
+::
 
-   # ./create-kubernetes-binaries-iso.sh ./ 1.27.2 1.3.0 1.27.0 https://raw.githubusercontent.com/weaveworks/weave/master/prog/weave-kube/weave-daemonset-k8s-1.11.yaml https://raw.githubusercontent.com/kubernetes/dashboard/v2.7.0/aio/deploy/recommended.yaml setup-v1.27.2
+   # ./create-kubernetes-binaries-iso.sh ./ \
+        1.30.1 1.5.0 1.30.0 \
+        https://raw.githubusercontent.com/projectcalico/calico/v3.28.0/manifests/calico.yaml \
+        https://raw.githubusercontent.com/kubernetes/dashboard/v2.7.0/aio/deploy/recommended.yaml \
+        setup-1.30.1-calico-3.28.0
+
+.. note::
+   From ACS 4.16 onwards, Kubernetes versions >= 1.20.x are only supported (https://endoflife.date/kubernetes).
+.. note::
+   Kubernetes dashboard versions >= 7.0.0 are not supported, as they support only Helm-based installation.
 
-**NOTE:**
-From ACS 4.16 onwards, Kubernetes versions >= 1.20.x are only supported (https://endoflife.date/kubernetes).
 
 Working with Kubernetes supported version
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From 24e969cd8839234ed539af343fc7bf9dfd3c542f Mon Sep 17 00:00:00 2001
From: prashanthr2 <prashanthreddy748@gmail.com>
Date: Wed, 22 Oct 2025 19:33:36 +0100
Subject: [PATCH 05/20] adding nmcli commands to configure Oracle Linux host
 (#570)

Add initial nmcli examples for KVM host setup, including Oracle Linux. Current docs lack references to NetworkManager usage, and with most Linux distros moving to NetworkManager by default, these commands provide a starting point for users.
---
 source/installguide/hypervisor/kvm.rst | 64 ++++++++++++++++++++++++++
 1 file changed, 64 insertions(+)

diff --git a/source/installguide/hypervisor/kvm.rst b/source/installguide/hypervisor/kvm.rst
index 3d1e07440e..d450a459fa 100644
--- a/source/installguide/hypervisor/kvm.rst
+++ b/source/installguide/hypervisor/kvm.rst
@@ -876,6 +876,38 @@ although a reboot is recommended to see if everything works properly.
    in case you made a configuration error and the network stops functioning!
 
 
+Configure Oracle Linux for Basic Networks using nmcli
+'''''''''''''''''''''''''''''''''''''''''''''''''''''
+All the required packages were installed when you installed libvirt, so
+we only have to configure the network.
+
+Disable IP settings on physical NIC first
+
+.. parsed-literal::
+   nmcli con mod eth0 ipv4.method disabled ipv6.method ignore
+  
+Configure cloudbr0 and include the Management IP of the hypervisor.
+
+.. parsed-literal::
+   nmcli con add type bridge ifname cloudbr0 con-name cloudbr0
+   nmcli con add type ethernet ifname eth0 master cloudbr0 slave-type bridge con-name cloudbr0-eth0
+   nmcli con modify cloudbr0 ipv4.addresses  192.168.42.11/24 ipv4.gateway 192.168.42.1 ipv4.method manual ipv6.method ignore
+
+
+Configure cloudbr1 as a plain bridge without an IP address
+
+.. parsed-literal::
+   nmcli con add type bridge ifname cloudbr1 con-name cloudbr1 ipv4.method disabled  ipv6.method ignore
+   nmcli con add type vlan ifname eth0.20 dev eth0 id 20 master cloudbr1 con-name vlan20
+
+With this configuration you should be able to restart the network,
+although a reboot is recommended to see if everything works properly.
+
+.. warning::
+   Make sure you have an alternative way like IPMI or ILO to reach the machine
+   in case you made a configuration error and the network stops functioning!
+
+
 
 Network Example for Advanced Networks
 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
@@ -1182,6 +1214,38 @@ although a reboot is recommended to see if everything works properly.
    in case you made a configuration error and the network stops functioning!
 
 
+Configure Oracle Linux for Advance Networks using nmcli
+'''''''''''''''''''''''''''''''''''''''''''''''''''''
+All the required packages were installed when you installed libvirt, so
+we only have to configure the network.
+
+Disable IP settings on physical NICs first
+
+.. parsed-literal::
+   nmcli con mod eth0 ipv4.method disabled ipv6.method ignore
+   nmcli con mod eth1 ipv4.method disabled ipv6.method ignore
+  
+Configure cloudbr0 and include the Management IP of the hypervisor.
+
+.. parsed-literal::
+   nmcli con add type bridge ifname cloudbr0 con-name cloudbr0 ipv4.addresses 192.168.42.11/24 ipv4.gateway 192.168.42.1 ipv4.method manual ipv6.method ignore
+   nmcli con add type ethernet ifname eth0 master cloudbr0 slave-type bridge con-name cloudbr0-eth0
+
+Configure cloudbr1 as a plain bridge without an IP address
+
+.. parsed-literal::
+   nmcli con add type bridge ifname cloudbr1 con-name cloudbr1 ipv4.method disabled ipv6.method ignore
+   nmcli con add type ethernet ifname eth1 master cloudbr1 slave-type bridge con-name cloudbr1-eth1
+
+With this configuration you should be able to restart the network,
+although a reboot is recommended to see if everything works properly.
+
+.. warning::
+   Make sure you have an alternative way like IPMI or ILO to reach the machine
+   in case you made a configuration error and the network stops functioning!
+
+
+
 Configure the network using OpenVswitch
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 

From ae00f36f6028fd9ad02352638c2d0733864f5aba Mon Sep 17 00:00:00 2001
From: Wei Zhou <weizhou@apache.org>
Date: Wed, 22 Oct 2025 20:33:50 +0200
Subject: [PATCH 06/20] systemvm: Update patch systemvm support matrix (#382)

* systemvm: Update patch systemvm support matrix

* add note for VR memory upgrade to 512 MiB

* Add notes for VR live-patch

* Update source/upgrading/upgrade/_sysvm_restart.rst

Co-authored-by: Pearl Dsilva <pearl1594@gmail.com>

---------

Co-authored-by: Pearl Dsilva <pearl1594@gmail.com>
---
 source/upgrading/upgrade/_sysvm_restart.rst | 33 +++++++++++++--------
 1 file changed, 20 insertions(+), 13 deletions(-)

diff --git a/source/upgrading/upgrade/_sysvm_restart.rst b/source/upgrading/upgrade/_sysvm_restart.rst
index 30f32282fb..77c40456ef 100644
--- a/source/upgrading/upgrade/_sysvm_restart.rst
+++ b/source/upgrading/upgrade/_sysvm_restart.rst
@@ -35,19 +35,26 @@ This will update the software packages, which were previously bundled in the sys
 agent.zip and cloud-scripts.tgz and restart the services that are present in the /var/cache/cloud/enabled_svcs file
 in the System VMs.
 
+.. note::
+   The System VM template has been upgrade to Debian 12.x in Apache CloudStack 4.20.0.0.
+   Due to it, the memory size of default system offerings has been changed to 512 MiB.
+   If you use custom system offerings, please check the memory size of the offerings.
+   If memory size is small (for example 256 MiB), the System VMs and virtual routers might have the "kernel panic" issue on boot.
+
 .. note::
 
    The following services will be restarted once a system VM is live patched:
 
-            +---------------------+-------------------------------+
-            | **System VM**       |         **Services**          |
-            +---------------------+-------------------------------+
-            | SSVM                | cloud, apache2, portmap       |
-            +---------------------+-------------------------------+
-            | CPVM                | cloud                         |
-            +---------------------+-------------------------------+
-            | VRs                 | haproxy, apache2, dnsmasq     |
-            +---------------------+-------------------------------+
+            +---------------------+-------------------------------+---------------------------------------------------+
+            | **System VM**       |         **Services**          |  **Note**                                         |
+            +---------------------+-------------------------------+---------------------------------------------------+
+            | SSVM                | cloud, apache2, portmap       |                                                   |
+            +---------------------+-------------------------------+---------------------------------------------------+
+            | CPVM                | cloud                         |                                                   |
+            +---------------------+-------------------------------+---------------------------------------------------+
+            | VRs                 | haproxy, apache2, dnsmasq     | Please set setting `minreq.sysvmtemplate.version` |
+            |                     |                               | to proper value before live-patching              |
+            +---------------------+-------------------------------+---------------------------------------------------+
 
    With respect to VRs, a Network restart without cleanup is initiated to during live patching to ensure all rules
    are re-applied. 
@@ -64,12 +71,12 @@ Following matrix lists the versions of CloudStack that support live patching.
          +---------------------+-------------------------+--------------------------------+------------------------------------------+
          | **ACS Version**     |  **Upgrade Version**    |   **Live Patching Support**    |     **Reason / Comment**                 |
          +---------------------+-------------------------+--------------------------------+------------------------------------------+
-         | <=4.13              | 4.17+                   |  No                            | Update in the openJDK version            |
+         | <=4.15              | 4.20+                   |  No                            | Debian 10 (buster) is EOL on 2024-06-30  |
          +---------------------+-------------------------+--------------------------------+------------------------------------------+
-         | 4.14                | 4.17+                   |Yes                             | May notice some issue with remove access |
-         |                     |                         |                                | VPN due to older version of Strongswan   |
+         | >=4.16              | 4.19                    | Yes                            |       N/A                                |
          +---------------------+-------------------------+--------------------------------+------------------------------------------+
-         | >=4.15              | 4.17+                   |Yes                             |       N/A                                |
+         | >=4.16              | 4.20                    | Yes                            | May notice some issues due to Debian |
+         |                     |                         |                                | upgrade from 11(bullseye) to 12(bookworm)|
          +---------------------+-------------------------+--------------------------------+------------------------------------------+
 
 In addition to the support for live patching, users still have the facility to follow the legacy workflow

From 1b8f2ca33c83bbf5d0cb6931c4971d4ec678734e Mon Sep 17 00:00:00 2001
From: Wei Zhou <weizhou@apache.org>
Date: Mon, 27 Oct 2025 09:22:48 +0100
Subject: [PATCH 07/20] 4.20.2 release note (#583)

---
 source/_global.rst                  |  24 +-
 source/conf.py                      |   2 +-
 source/releasenotes/about.rst       |  22 +-
 source/releasenotes/api-changes.rst |  30 ++
 source/releasenotes/changes.rst     | 525 +++++++++++++++++++++++++++-
 5 files changed, 587 insertions(+), 16 deletions(-)

diff --git a/source/_global.rst b/source/_global.rst
index 98a4083f6a..ea5a78a8f8 100644
--- a/source/_global.rst
+++ b/source/_global.rst
@@ -25,20 +25,20 @@
 
 .. Latest version systemvm template name
 
-.. |sysvm64-version|     replace:: 4.20.1
-.. |sysvm64-name-xen|    replace:: systemvm-xenserver-4.20.1-x86_64
-.. |sysvm64-name-kvm|    replace:: systemvm-kvm-4.20.1-x86_64
-.. |sysvm64-name-vmware| replace:: systemvm-vmware-4.20.1-x86_64
-.. |sysvm64-name-hyperv| replace:: systemvm-hyperv-4.20.1-x86_64
-.. |sysvm64-name-ovm|    replace:: systemvm-ovm-4.20.1-x86_64
+.. |sysvm64-version|     replace:: 4.20.2
+.. |sysvm64-name-xen|    replace:: systemvm-xenserver-4.20.2-x86_64
+.. |sysvm64-name-kvm|    replace:: systemvm-kvm-4.20.2-x86_64
+.. |sysvm64-name-vmware| replace:: systemvm-vmware-4.20.2-x86_64
+.. |sysvm64-name-hyperv| replace:: systemvm-hyperv-4.20.2-x86_64
+.. |sysvm64-name-ovm|    replace:: systemvm-ovm-4.20.2-x86_64
 
 .. Latest version systemvm template URL
-.. |sysvm64-url-xen|            replace:: http://download.cloudstack.org/systemvm/4.20/systemvmtemplate-4.20.1-x86_64-xen.vhd.bz2
-.. |sysvm64-url-kvm|            replace:: http://download.cloudstack.org/systemvm/4.20/systemvmtemplate-4.20.1-x86_64-kvm.qcow2.bz2
-.. |sysvm64-url-kvm-aarch64|    replace:: http://download.cloudstack.org/systemvm/4.20/systemvmtemplate-4.20.1-aarch64-kvm.qcow2.bz2
-.. |sysvm64-url-vmware|         replace:: http://download.cloudstack.org/systemvm/4.20/systemvmtemplate-4.20.1-x86_64-vmware.ova
-.. |sysvm64-url-hyperv|         replace:: http://download.cloudstack.org/systemvm/4.20/systemvmtemplate-4.20.1-x86_64-hyperv.vhd.zip
-.. |sysvm64-url-ovm|            replace:: http://download.cloudstack.org/systemvm/4.20/systemvmtemplate-4.20.1-x86_64-ovm.raw.bz2
+.. |sysvm64-url-xen|            replace:: http://download.cloudstack.org/systemvm/4.20/systemvmtemplate-4.20.2-x86_64-xen.vhd.bz2
+.. |sysvm64-url-kvm|            replace:: http://download.cloudstack.org/systemvm/4.20/systemvmtemplate-4.20.2-x86_64-kvm.qcow2.bz2
+.. |sysvm64-url-kvm-aarch64|    replace:: http://download.cloudstack.org/systemvm/4.20/systemvmtemplate-4.20.2-aarch64-kvm.qcow2.bz2
+.. |sysvm64-url-vmware|         replace:: http://download.cloudstack.org/systemvm/4.20/systemvmtemplate-4.20.2-x86_64-vmware.ova
+.. |sysvm64-url-hyperv|         replace:: http://download.cloudstack.org/systemvm/4.20/systemvmtemplate-4.20.2-x86_64-hyperv.vhd.zip
+.. |sysvm64-url-ovm|            replace:: http://download.cloudstack.org/systemvm/4.20/systemvmtemplate-4.20.2-x86_64-ovm.raw.bz2
 
 .. Images
 
diff --git a/source/conf.py b/source/conf.py
index 5bf1867ea2..e04c02c6f5 100644
--- a/source/conf.py
+++ b/source/conf.py
@@ -26,7 +26,7 @@
 # The short X.Y version
 version = '4.20'
 # The full version, including alpha/beta/rc tags
-release = '4.20.1.0'
+release = '4.20.2.0'
 
 rst_epilog = """
 .. include:: /_global.rst 
diff --git a/source/releasenotes/about.rst b/source/releasenotes/about.rst
index bc86fad7b8..81cbb6076f 100644
--- a/source/releasenotes/about.rst
+++ b/source/releasenotes/about.rst
@@ -17,7 +17,27 @@
 What's New in |release|
 =======================
 
-Apache CloudStack |release| is a 4.20 LTS minor release with over 150 fixes
+Apache CloudStack |release| is a 4.20 LTS minor release with around 150 fixes
+and improvements since the 4.20.1.0 release. Some of the highlights include:
+
+• Improvements for Vmware to KVM Migration
+• Fix: Potential remote code execution on Javascript engine defined rules
+• Fix: Lack of user permission validation leading to data leak for few APIs
+• Optimise VNC console performance
+• Some network related fixes and improvements
+• ScaleIO/PowerFlex smoke tests improvements and fixes
+• Some CloudStack Kubernetes Service (CKS) related fixes and improvements
+• Several UI fixes and improvements
+• Systemvm templates now built on Debian 12.12.0
+
+
+The full list of new features can be found in the project release notes at
+https://docs.cloudstack.apache.org/en/4.20.2.0/releasenotes/changes.html
+
+What's New in 4.20.1.0
+=======================
+
+Apache CloudStack 4.20.1.0 is a 4.20 LTS minor release with over 150 fixes
 and improvements since the 4.20.0.0 release. Some of the highlights include:
 
 • Improvements to multi-architecture support in CloudStack
diff --git a/source/releasenotes/api-changes.rst b/source/releasenotes/api-changes.rst
index be62c99603..b23a01bcf8 100644
--- a/source/releasenotes/api-changes.rst
+++ b/source/releasenotes/api-changes.rst
@@ -13,6 +13,36 @@
    specific language governing permissions and limitations
    under the License.
 
+API Changes Introduced in 4.20.2.0
+==================================
+
+For the complete list of API commands and params consult the `CloudStack Apidocs`_.
+
+Parameters Changed API Commands
+-------------------------------
+
+.. cssclass:: table-striped table-bordered table-hover
+
++---------------------------------------------+--------------------------------------------------------------------------------+
+| Name                                        | Description                                                                    |
++=============================================+================================================================================+
+| ``createTemplate``                          | **Request:**                                                                   |
+|                                             |                                                                                |
+|                                             | *New Parameters:*                                                              |
+|                                             |                                                                                |
+|                                             | - ``arch``                                                                     |
+|                                             |                                                                                |
++---------------------------------------------+--------------------------------------------------------------------------------+
+| ``listCapabilities``                        | **Response:**                                                                  |
+|                                             |                                                                                |
+|                                             | *New Parameters:*                                                              |
+|                                             |                                                                                |
+|                                             | - ``dynamicscalingenabled``                                                    |
+|                                             | - ``additionalconfigenabled``                                                  |
+|                                             |                                                                                |
++---------------------------------------------+--------------------------------------------------------------------------------+
+
+
 API Changes Introduced in 4.20.1.0
 ==================================
 
diff --git a/source/releasenotes/changes.rst b/source/releasenotes/changes.rst
index 56bb2e1505..bd6802e3d0 100644
--- a/source/releasenotes/changes.rst
+++ b/source/releasenotes/changes.rst
@@ -13,7 +13,528 @@
    specific language governing permissions and limitations
    under the License.
 
-Changes in |release| since 4.20.0.0
+Changes in 4.20.2.0 since 4.20.1.0
+===================================
+
+Apache CloudStack uses GitHub https://github.com/apache/cloudstack/milestone/39?closed=1
+to track its issues.
+
+
+
+.. cssclass:: table-striped table-bordered table-hover
+
+
++-------------------------+--------------------+------------------------------------------------------------+
+| Version                 | Github             | Description                                                |
++=========================+====================+============================================================+
++-------------------------+--------------------+------------------------------------------------------------+
+| 4.20.2.0                | `#11318`_          | cloudutils: fix warning, error during kvm agent            |
+|                         |                    | installation                                               |
++-------------------------+--------------------+------------------------------------------------------------+
+| 4.20.2.0                | `#11823`_          | systemvm: fix duplicated "en_US.UTF-8 UTF-8" in            |
+|                         |                    | /etc/locale.gen                                            |
++-------------------------+--------------------+------------------------------------------------------------+
+| 4.20.2.0                | `#11624`_          | Routed: fix create network exception when auto-allocation  |
+|                         |                    | is disabled                                                |
++-------------------------+--------------------+------------------------------------------------------------+
+| 4.20.2.0                | `#11822`_          | agent: increase timeout for host arch retrieval            |
++-------------------------+--------------------+------------------------------------------------------------+
+| 4.20.2.0                | `#11811`_          | importvm: fix IP address allocation on Shared networks     |
++-------------------------+--------------------+------------------------------------------------------------+
+| 4.20.2.0                | `#11782`_          | Delete template from storage pool instantly if no volume   |
+|                         |                    | is using it                                                |
++-------------------------+--------------------+------------------------------------------------------------+
+| 4.20.2.0                | `#11793`_          | update jetty                                               |
++-------------------------+--------------------+------------------------------------------------------------+
+| 4.20.2.0                | `#11773`_          | storage: change storage pool to Up state when cancel       |
+|                         |                    | storage migration                                          |
++-------------------------+--------------------+------------------------------------------------------------+
+| 4.20.2.0                | `#11801`_          | Sanitize the rbd file cmd parameter logs during qemu-img   |
+|                         |                    | convert (through Script)                                   |
++-------------------------+--------------------+------------------------------------------------------------+
+| 4.20.2.0                | `#11760`_          | UI: Fix primary storage for datastore cluster and retain   |
+|                         |                    | traffic labels during zone deployment                      |
++-------------------------+--------------------+------------------------------------------------------------+
+| 4.20.2.0                | `#10533`_          | Deal with crosssite api call after login.                  |
++-------------------------+--------------------+------------------------------------------------------------+
+| 4.20.2.0                | `#11778`_          | systemvmtemplate: Bump Debian version to 12.12.0           |
++-------------------------+--------------------+------------------------------------------------------------+
+| 4.20.2.0                | `#11722`_          | Fix to not enable the disabled local storage(s) on host    |
+|                         |                    | connection                                                 |
++-------------------------+--------------------+------------------------------------------------------------+
+| 4.20.2.0                | `#11228`_          | server: add user.password.reset.smtp.useStartTLS and       |
+|                         |                    | enabledSecurityProtocols for password reset                |
++-------------------------+--------------------+------------------------------------------------------------+
+| 4.20.2.0                | `#11787`_          | linstor: use sparse/discard qemu-img convert on thin       |
+|                         |                    | devices                                                    |
++-------------------------+--------------------+------------------------------------------------------------+
+| 4.20.2.0                | `#10641`_          | VMware: match nic mac for ip address fetch                 |
++-------------------------+--------------------+------------------------------------------------------------+
+| 4.20.2.0                | `#11735`_          | CKS: fix CKS creation on an existing Shared or Routed      |
+|                         |                    | network                                                    |
++-------------------------+--------------------+------------------------------------------------------------+
+| 4.20.2.0                | `#11751`_          | Consider Instance in Starting state as well for allocation |
+|                         |                    | algorithm                                                  |
++-------------------------+--------------------+------------------------------------------------------------+
+| 4.20.2.0                | `#11639`_          | CKS: generate a random UUID as password of CKS user in     |
+|                         |                    | project                                                    |
++-------------------------+--------------------+------------------------------------------------------------+
+| 4.20.2.0                | `#11719`_          | UI support for extraconfig in deploy and update instance   |
++-------------------------+--------------------+------------------------------------------------------------+
+| 4.20.2.0                | `#11753`_          | Fix importing unmanaged instances due to incorrect         |
+|                         |                    | internal name                                              |
++-------------------------+--------------------+------------------------------------------------------------+
+| 4.20.2.0                | `#10962`_          | systemvm: fix failed to get script version when patch      |
+|                         |                    | system vm or router                                        |
++-------------------------+--------------------+------------------------------------------------------------+
+| 4.20.2.0                | `#11198`_          | server: set download volume format to qcow2 for KVM        |
+|                         |                    | volumes                                                    |
++-------------------------+--------------------+------------------------------------------------------------+
+| 4.20.2.0                | `#11687`_          | KVM: fix delete vm snapshot if it does not exist with a    |
+|                         |                    | Stopped vm                                                 |
++-------------------------+--------------------+------------------------------------------------------------+
+| 4.20.2.0                | `#11696`_          | LDAP: honour nested groups for MSAD                        |
++-------------------------+--------------------+------------------------------------------------------------+
+| 4.20.2.0                | `#11686`_          | Fix vpclimit count for listAcccount API response           |
++-------------------------+--------------------+------------------------------------------------------------+
+| 4.20.2.0                | `#11530`_          | server: set VirtualMachineTO arch from template if present |
++-------------------------+--------------------+------------------------------------------------------------+
+| 4.20.2.0                | `#11640`_          | honor templateId passed in importVM API                    |
++-------------------------+--------------------+------------------------------------------------------------+
+| 4.20.2.0                | `#11666`_          | Mount the disabled storage pools by default                |
++-------------------------+--------------------+------------------------------------------------------------+
+| 4.20.2.0                | `#11659`_          | Fix VM import DB sequence issue on import failure          |
++-------------------------+--------------------+------------------------------------------------------------+
+| 4.20.2.0                | `#8452`_           | Cleanup allocated snapshots / vm snapshots, and update     |
+|                         |                    | pending ones to Error on MS start                          |
++-------------------------+--------------------+------------------------------------------------------------+
+| 4.20.2.0                | `#11506`_          | Update gson date format for serializing/deserializing Date |
+|                         |                    | in MS stats                                                |
++-------------------------+--------------------+------------------------------------------------------------+
+| 4.20.2.0                | `#11681`_          | VR: consider NICs for remote access VPN when apply dhcp    |
+|                         |                    | entry                                                      |
++-------------------------+--------------------+------------------------------------------------------------+
+| 4.20.2.0                | `#11670`_          | use /prod/stat to get uptime instead of the uptime command |
++-------------------------+--------------------+------------------------------------------------------------+
+| 4.20.2.0                | `#11632`_          | Fix for No VMs start after Renew Host Security Keys due to |
+|                         |                    | wrong qemu group reading                                   |
++-------------------------+--------------------+------------------------------------------------------------+
+| 4.20.2.0                | `#11602`_          | [UI] Fix group disable action for  compute and disk        |
+|                         |                    | offering                                                   |
++-------------------------+--------------------+------------------------------------------------------------+
+| 4.20.2.0                | `#11590`_          | ui: fix tab name in query params                           |
++-------------------------+--------------------+------------------------------------------------------------+
+| 4.20.2.0                | `#11389`_          | Fix NPE during VM IP fetch for shared networks             |
++-------------------------+--------------------+------------------------------------------------------------+
+| 4.20.2.0                | `#11576`_          | ui: searchview change should only remove related query     |
+|                         |                    | params                                                     |
++-------------------------+--------------------+------------------------------------------------------------+
+| 4.20.2.0                | `#11558`_          | server: check limit on correct store during snapshot       |
+|                         |                    | allocation                                                 |
++-------------------------+--------------------+------------------------------------------------------------+
+| 4.20.2.0                | `#11554`_          | ScaleIO/PowerFlex smoke tests improvements, and some fixes |
++-------------------------+--------------------+------------------------------------------------------------+
+| 4.20.2.0                | `#11614`_          | fix qemu-img path in cloudstack sudoers                    |
++-------------------------+--------------------+------------------------------------------------------------+
+| 4.20.2.0                | `#10735`_          | ssvm: use mgmt network if no storage network               |
++-------------------------+--------------------+------------------------------------------------------------+
+| 4.20.2.0                | `#11598`_          | Fix transition exception when scaling Stopped k8s clusters |
++-------------------------+--------------------+------------------------------------------------------------+
+| 4.20.2.0                | `#11610`_          | Fix NPE in case host UEFI detail is not set on agent       |
+|                         |                    | connection                                                 |
++-------------------------+--------------------+------------------------------------------------------------+
+| 4.20.2.0                | `#11507`_          | Import KVM VM: Autodetect vlan id from bridge name         |
++-------------------------+--------------------+------------------------------------------------------------+
+| 4.20.2.0                | `#10970`_          | IPv6 firewall: accept packets from related and established |
+|                         |                    | connections                                                |
++-------------------------+--------------------+------------------------------------------------------------+
+| 4.20.2.0                | `#9305`_           | server: allow migration of vm with snapshots for vmware    |
++-------------------------+--------------------+------------------------------------------------------------+
+| 4.20.2.0                | `#10869`_          | Change log level of AgentHandler#processRequest()          |
++-------------------------+--------------------+------------------------------------------------------------+
+| 4.20.2.0                | `#11556`_          | server: allow adding non-overlapping ipv6 ranges in same   |
+|                         |                    | vlan                                                       |
++-------------------------+--------------------+------------------------------------------------------------+
+| 4.20.2.0                | `#11528`_          | CKS: Validate network offering from network if provided    |
+|                         |                    | rather than global setting                                 |
++-------------------------+--------------------+------------------------------------------------------------+
+| 4.20.2.0                | `#11575`_          | ui: donot remove account, domain from query on public ip   |
+|                         |                    | filter change                                              |
++-------------------------+--------------------+------------------------------------------------------------+
+| 4.20.2.0                | `#11314`_          | server: prevent vm schedule update failure for time when   |
+|                         |                    | not changed                                                |
++-------------------------+--------------------+------------------------------------------------------------+
+| 4.20.2.0                | `#11218`_          | server,kvm: detect boot options for vm import              |
++-------------------------+--------------------+------------------------------------------------------------+
+| 4.20.2.0                | `#10734`_          | 2fa: log error on totp mismatch                            |
++-------------------------+--------------------+------------------------------------------------------------+
+| 4.20.2.0                | `#11487`_          | Delete session after key expiration                        |
++-------------------------+--------------------+------------------------------------------------------------+
+| 4.20.2.0                | `#11361`_          | Make logout function more robust to prevent session issues |
++-------------------------+--------------------+------------------------------------------------------------+
+| 4.20.2.0                | `#11553`_          | [UI] Fix display of disk size and IOPS fields in the scale |
+|                         |                    | VM form                                                    |
++-------------------------+--------------------+------------------------------------------------------------+
+| 4.20.2.0                | `#11557`_          | kvm: add ssvm storage nic null uri check during plug       |
++-------------------------+--------------------+------------------------------------------------------------+
+| 4.20.2.0                | `#11543`_          | systemvm template: update URLs of debian ISOs              |
++-------------------------+--------------------+------------------------------------------------------------+
+| 4.20.2.0                | `#11536`_          | ui: show multiple domains as links in list view            |
++-------------------------+--------------------+------------------------------------------------------------+
+| 4.20.2.0                | `#11329`_          | server: remove extra chars when template status is error   |
+|                         |                    | string                                                     |
++-------------------------+--------------------+------------------------------------------------------------+
+| 4.20.2.0                | `#10865`_          | ui: do not filter edge zones while registering             |
+|                         |                    | directdownload iso                                         |
++-------------------------+--------------------+------------------------------------------------------------+
+| 4.20.2.0                | `#11230`_          | Added events for snapshots, vmsnapshots, internalLB        |
+|                         |                    | operations                                                 |
++-------------------------+--------------------+------------------------------------------------------------+
+| 4.20.2.0                | `#11542`_          | test: fix test_04_rvpc_network_garbage_collector_nics      |
+|                         |                    | failure                                                    |
++-------------------------+--------------------+------------------------------------------------------------+
+| 4.20.2.0                | `#11550`_          | [UI] Use update offering APIs to disable compute and disk  |
+|                         |                    | offerings                                                  |
++-------------------------+--------------------+------------------------------------------------------------+
+| 4.20.2.0                | `#11537`_          | api: use single quote instead of double quote in           |
+|                         |                    | StatsResponse                                              |
++-------------------------+--------------------+------------------------------------------------------------+
+| 4.20.2.0                | `#11532`_          | kvm: fix vm deployment with direct-download iso            |
++-------------------------+--------------------+------------------------------------------------------------+
+| 4.20.2.0                | `#10152`_          | Add response object required by go SDK for parsing         |
+|                         |                    | response                                                   |
++-------------------------+--------------------+------------------------------------------------------------+
+| 4.20.2.0                | `#11243`_          | SG: Apply rules for both ipv4/ipv6 of VMs with associated  |
+|                         |                    | account/SG                                                 |
++-------------------------+--------------------+------------------------------------------------------------+
+| 4.20.2.0                | `#11518`_          | VPC VR: return UNKNOWN redundant state if no guest nics    |
++-------------------------+--------------------+------------------------------------------------------------+
+| 4.20.2.0                | `#11466`_          | UI: Prevent restriction of changeOfferingForVolume API to  |
+|                         |                    | Admin role                                                 |
++-------------------------+--------------------+------------------------------------------------------------+
+| 4.20.2.0                | `#11516`_          | Fix for live migration of VM with config drive, on KVM     |
++-------------------------+--------------------+------------------------------------------------------------+
+| 4.20.2.0                | `#11457`_          | Fix deployment of CKS clusters in Basic zone               |
++-------------------------+--------------------+------------------------------------------------------------+
+| 4.20.2.0                | `#11463`_          | Remove non-existent network service provider from UI       |
++-------------------------+--------------------+------------------------------------------------------------+
+| 4.20.2.0                | `#11448`_          | Fix snapshot physical size listing                         |
++-------------------------+--------------------+------------------------------------------------------------+
+| 4.20.2.0                | `#11397`_          | linstor: fix getVolumeStats if multiple Linstor primary    |
+|                         |                    | storages are used                                          |
++-------------------------+--------------------+------------------------------------------------------------+
+| 4.20.2.0                | `#11401`_          | UI: fix addHost error in zone creation wizard              |
++-------------------------+--------------------+------------------------------------------------------------+
+| 4.20.2.0                | `#11393`_          | ui: make vpc cidr required when not showing cidrsize       |
++-------------------------+--------------------+------------------------------------------------------------+
+| 4.20.2.0                | `#11062`_          | api: fix scale or upgrade systemvm                         |
++-------------------------+--------------------+------------------------------------------------------------+
+| 4.20.2.0                | `#11242`_          | server: fix vm deployment without networkid in a zone with |
+|                         |                    | shared networks                                            |
++-------------------------+--------------------+------------------------------------------------------------+
+| 4.20.2.0                | `#11388`_          | Fix create statement for safer upgrades                    |
++-------------------------+--------------------+------------------------------------------------------------+
+| 4.20.2.0                | `#11373`_          | juniper-contrail: publish events only for the module       |
++-------------------------+--------------------+------------------------------------------------------------+
+| 4.20.2.0                | `#11366`_          | fix storage pool capacity threshold flag                   |
++-------------------------+--------------------+------------------------------------------------------------+
+| 4.20.2.0                | `#11197`_          | Handle project delete in details view                      |
++-------------------------+--------------------+------------------------------------------------------------+
+| 4.20.2.0                | `#11315`_          | ui: pass validated storagepolicy for swift store           |
++-------------------------+--------------------+------------------------------------------------------------+
+| 4.20.2.0                | `#11380`_          | plugin-swift: handle null cache store                      |
++-------------------------+--------------------+------------------------------------------------------------+
+| 4.20.2.0                | `#11372`_          | cloud.spec: provide option between tzdata-java and         |
+|                         |                    | timezone-java                                              |
++-------------------------+--------------------+------------------------------------------------------------+
+| 4.20.2.0                | `#11369`_          | ui: update project menu on projects change                 |
++-------------------------+--------------------+------------------------------------------------------------+
+| 4.20.2.0                | `#11291`_          | Update System VM template Guest OS version                 |
++-------------------------+--------------------+------------------------------------------------------------+
+| 4.20.2.0                | `#10946`_          | Find system VM templates for CKS clusters and SharedFS     |
+|                         |                    | honouring the preferred architecture                       |
++-------------------------+--------------------+------------------------------------------------------------+
+| 4.20.2.0                | `#11337`_          | ui: fix delete traffic type                                |
++-------------------------+--------------------+------------------------------------------------------------+
+| 4.20.2.0                | `#11352`_          | API: Set Object name when expunging VM                     |
++-------------------------+--------------------+------------------------------------------------------------+
+| 4.20.2.0                | `#11142`_          | UI: Display NSX Provider only when NSX is the selected     |
+|                         |                    | Isolation method                                           |
++-------------------------+--------------------+------------------------------------------------------------+
+| 4.20.2.0                | `#11316`_          | Fix listCapacity sort by usage                             |
++-------------------------+--------------------+------------------------------------------------------------+
+| 4.20.2.0                | `#11342`_          | kvm: fix regression                                        |
+|                         |                    | 5a52ca78ae5e165211c618525613c3d62cfd1b28                   |
++-------------------------+--------------------+------------------------------------------------------------+
+| 4.20.2.0                | `#11245`_          | kvm, ui: fix interface when using vlan subnet for storage  |
+|                         |                    | traffic type                                               |
++-------------------------+--------------------+------------------------------------------------------------+
+| 4.20.2.0                | `#11306`_          | ui: fix advance setting behaviour in autoscale form        |
++-------------------------+--------------------+------------------------------------------------------------+
+| 4.20.2.0                | `#11310`_          | server: fix IllegalMonitorStateException on cluster        |
+|                         |                    | managedstate change                                        |
++-------------------------+--------------------+------------------------------------------------------------+
+| 4.20.2.0                | `#11328`_          | ui: fix volume size not showing                            |
++-------------------------+--------------------+------------------------------------------------------------+
+| 4.20.2.0                | `#11068`_          | [Multi-Arch] Select Template Arch when creating template   |
+|                         |                    | from volume                                                |
++-------------------------+--------------------+------------------------------------------------------------+
+| 4.20.2.0                | `#11244`_          | Prevent infinite autoscaling                               |
++-------------------------+--------------------+------------------------------------------------------------+
+| 4.20.2.0                | `#11237`_          | Prevent multi-select dropdown menu from floating on        |
+|                         |                    | scrolling through the form                                 |
++-------------------------+--------------------+------------------------------------------------------------+
+| 4.20.2.0                | `#11195`_          | [UI] Add dedicated account field dropdown on zone creation |
++-------------------------+--------------------+------------------------------------------------------------+
+| 4.20.2.0                | `#11220`_          | Mark LDAP user query timeout as incorrect login instead of |
+|                         |                    | disabling user immediately                                 |
++-------------------------+--------------------+------------------------------------------------------------+
+| 4.20.2.0                | `#11210`_          | Allow custom NTP servers for CPVM                          |
++-------------------------+--------------------+------------------------------------------------------------+
+| 4.20.2.0                | `#11053`_          | linstor: Use template's uuid if pool's downloadPath is     |
+|                         |                    | null as resour…                                            |
++-------------------------+--------------------+------------------------------------------------------------+
+| 4.20.2.0                | `#11264`_          | Validate qcow2 file during import operation                |
++-------------------------+--------------------+------------------------------------------------------------+
+| 4.20.2.0                | `#10975`_          | [Vmware to KVM Migration] Preserve boot type and boot mode |
+|                         |                    | of instances to be migrated                                |
++-------------------------+--------------------+------------------------------------------------------------+
+| 4.20.2.0                | `#10856`_          | polish: Fix some inconsistencies in object names and       |
+|                         |                    | messages                                                   |
++-------------------------+--------------------+------------------------------------------------------------+
+| 4.20.2.0                | `#11221`_          | console: optimise buffer sizes for faster console          |
+|                         |                    | performance                                                |
++-------------------------+--------------------+------------------------------------------------------------+
+| 4.20.2.0                | `#11102`_          | UI: Fix missing labels                                     |
++-------------------------+--------------------+------------------------------------------------------------+
+| 4.20.2.0                | `#11087`_          | list only own zones for resource admin                     |
++-------------------------+--------------------+------------------------------------------------------------+
+| 4.20.2.0                | `#11086`_          | Fix for dynamic scaling toggle for instance                |
++-------------------------+--------------------+------------------------------------------------------------+
+| 4.20.2.0                | `#11258`_          | Fix restore from NAS backup when datadisk is older than    |
+|                         |                    | the root disk.                                             |
++-------------------------+--------------------+------------------------------------------------------------+
+| 4.20.2.0                | `#11204`_          | NAS backup provider: Support backup and restore with       |
+|                         |                    | Shared mount point primary storage.                        |
++-------------------------+--------------------+------------------------------------------------------------+
+| 4.20.2.0                | `#10857`_          | Add special Icon to Shared FileSystem Instances            |
++-------------------------+--------------------+------------------------------------------------------------+
+| 4.20.2.0                | `#11211`_          | Fix to create instances with smaller templates (< 1 GB) on |
+|                         |                    | PowerFlex/ScaleIO storage                                  |
++-------------------------+--------------------+------------------------------------------------------------+
+| 4.20.2.0                | `#11214`_          | Add format and physicalsize in listIsoOs api response      |
++-------------------------+--------------------+------------------------------------------------------------+
+| 4.20.2.0                | `#10879`_          | Handle exception for decoder while uploading ISO from      |
+|                         |                    | local                                                      |
++-------------------------+--------------------+------------------------------------------------------------+
+| 4.20.2.0                | `#11138`_          | Fix update resource count failure for domains              |
++-------------------------+--------------------+------------------------------------------------------------+
+| 4.20.2.0                | `#11054`_          | npe guard for get host info on vmware                      |
++-------------------------+--------------------+------------------------------------------------------------+
+| 4.20.2.0                | `#10917`_          | kvm: consider Debian same as Ubuntu                        |
++-------------------------+--------------------+------------------------------------------------------------+
+| 4.20.2.0                | `#11179`_          | List templates and ISOs by domain                          |
++-------------------------+--------------------+------------------------------------------------------------+
+| 4.20.2.0                | `#11099`_          | PowerFlex/ScaleIO - Wait after SDC service                 |
+|                         |                    | start/restart/stop, and retry to fetch SDC id/guid         |
++-------------------------+--------------------+------------------------------------------------------------+
+| 4.20.2.0                | `#11128`_          | systemvm: build 4.20.2 template with 'depmod -a'           |
++-------------------------+--------------------+------------------------------------------------------------+
+| 4.20.2.0                | `#10848`_          | Remove unfinished usage job entries of the host on start   |
++-------------------------+--------------------+------------------------------------------------------------+
+| 4.20.2.0                | `#11171`_          | schema: fix missing columns index                          |
++-------------------------+--------------------+------------------------------------------------------------+
+| 4.20.2.0                | `#11170`_          | Improve error when a template to owned by non root-admin   |
+|                         |                    | is registered for all zones.                               |
++-------------------------+--------------------+------------------------------------------------------------+
+| 4.20.2.0                | `#11158`_          | .github: restrict codecov in UI build to apache/cloudstack |
+|                         |                    | repo                                                       |
++-------------------------+--------------------+------------------------------------------------------------+
+| 4.20.2.0                | `#11168`_          | UI: Fix volumes `SearchView`                               |
++-------------------------+--------------------+------------------------------------------------------------+
+| 4.20.2.0                | `#11091`_          | [Vmware to KVM Migration] Fix issue with vCenter           |
+|                         |                    | Standalone hosts for VM listing                            |
++-------------------------+--------------------+------------------------------------------------------------+
+| 4.20.2.0                | `#11113`_          | directdownload: fix keytool importcert                     |
++-------------------------+--------------------+------------------------------------------------------------+
+| 4.20.2.0                | `#10778`_          | Normalize naming of Kubernetes clusters                    |
++-------------------------+--------------------+------------------------------------------------------------+
+| 4.20.2.0                | `#11003`_          | [VMware to KVM Migration] Fix for converted instance NPE   |
+|                         |                    | issue when source VMware instance OVF is exported from     |
+|                         |                    | management server                                          |
++-------------------------+--------------------+------------------------------------------------------------+
+| 4.20.2.0                | `#11116`_          | ui: fix handler for deploy button menu                     |
++-------------------------+--------------------+------------------------------------------------------------+
+| 4.20.2.0                | `#11095`_          | server: fix orphan db transaction issue                    |
++-------------------------+--------------------+------------------------------------------------------------+
+| 4.20.2.0                | `#11085`_          | Corrected quota type indexes                               |
++-------------------------+--------------------+------------------------------------------------------------+
+| 4.20.2.0                | `#11106`_          | Do not rely on Memory engine in DB setup scripts           |
++-------------------------+--------------------+------------------------------------------------------------+
+| 4.20.2.0                | `#11004`_          | Block volume shrink on Xen                                 |
++-------------------------+--------------------+------------------------------------------------------------+
+| 4.20.2.0                | `#11019`_          | [Vmware to KVM Migration] Display virt-v2v and ovftool     |
+|                         |                    | versions for supported hosts for migration                 |
++-------------------------+--------------------+------------------------------------------------------------+
+| 4.20.2.0                | `#11035`_          | [Vmware to KVM Migration] Improve the Force MS option text |
++-------------------------+--------------------+------------------------------------------------------------+
+| 4.20.2.0                | `#11055`_          | Add check for ldap truststore password                     |
++-------------------------+--------------------+------------------------------------------------------------+
+| 4.20.2.0                | `#10663`_          | Accept case insensitive values in boolean settings         |
++-------------------------+--------------------+------------------------------------------------------------+
+| 4.20.2.0                | `#10814`_          | ui: show deploy/create button on right info pane           |
++-------------------------+--------------------+------------------------------------------------------------+
+
+145 Issues listed
+
+.. _`#11318`: https://github.com/apache/cloudstack/pull/11318 
+.. _`#11823`: https://github.com/apache/cloudstack/pull/11823 
+.. _`#11624`: https://github.com/apache/cloudstack/pull/11624 
+.. _`#11822`: https://github.com/apache/cloudstack/pull/11822 
+.. _`#11811`: https://github.com/apache/cloudstack/pull/11811 
+.. _`#11782`: https://github.com/apache/cloudstack/pull/11782 
+.. _`#11793`: https://github.com/apache/cloudstack/pull/11793 
+.. _`#11773`: https://github.com/apache/cloudstack/pull/11773 
+.. _`#11801`: https://github.com/apache/cloudstack/pull/11801 
+.. _`#11760`: https://github.com/apache/cloudstack/pull/11760 
+.. _`#10533`: https://github.com/apache/cloudstack/pull/10533 
+.. _`#11778`: https://github.com/apache/cloudstack/pull/11778 
+.. _`#11722`: https://github.com/apache/cloudstack/pull/11722 
+.. _`#11228`: https://github.com/apache/cloudstack/pull/11228 
+.. _`#11787`: https://github.com/apache/cloudstack/pull/11787 
+.. _`#10641`: https://github.com/apache/cloudstack/pull/10641 
+.. _`#11735`: https://github.com/apache/cloudstack/pull/11735 
+.. _`#11751`: https://github.com/apache/cloudstack/pull/11751 
+.. _`#11639`: https://github.com/apache/cloudstack/pull/11639 
+.. _`#11719`: https://github.com/apache/cloudstack/pull/11719 
+.. _`#11753`: https://github.com/apache/cloudstack/pull/11753 
+.. _`#10962`: https://github.com/apache/cloudstack/pull/10962 
+.. _`#11198`: https://github.com/apache/cloudstack/pull/11198 
+.. _`#11687`: https://github.com/apache/cloudstack/pull/11687 
+.. _`#11696`: https://github.com/apache/cloudstack/pull/11696 
+.. _`#11686`: https://github.com/apache/cloudstack/pull/11686 
+.. _`#11530`: https://github.com/apache/cloudstack/pull/11530 
+.. _`#11640`: https://github.com/apache/cloudstack/pull/11640 
+.. _`#11666`: https://github.com/apache/cloudstack/pull/11666 
+.. _`#11659`: https://github.com/apache/cloudstack/pull/11659 
+.. _`#8452`: https://github.com/apache/cloudstack/pull/8452 
+.. _`#11506`: https://github.com/apache/cloudstack/pull/11506 
+.. _`#11681`: https://github.com/apache/cloudstack/pull/11681 
+.. _`#11670`: https://github.com/apache/cloudstack/pull/11670 
+.. _`#11632`: https://github.com/apache/cloudstack/pull/11632 
+.. _`#11602`: https://github.com/apache/cloudstack/pull/11602 
+.. _`#11590`: https://github.com/apache/cloudstack/pull/11590 
+.. _`#11389`: https://github.com/apache/cloudstack/pull/11389 
+.. _`#11576`: https://github.com/apache/cloudstack/pull/11576 
+.. _`#11558`: https://github.com/apache/cloudstack/pull/11558 
+.. _`#11554`: https://github.com/apache/cloudstack/pull/11554 
+.. _`#11614`: https://github.com/apache/cloudstack/pull/11614 
+.. _`#10735`: https://github.com/apache/cloudstack/pull/10735 
+.. _`#11598`: https://github.com/apache/cloudstack/pull/11598 
+.. _`#11610`: https://github.com/apache/cloudstack/pull/11610 
+.. _`#11507`: https://github.com/apache/cloudstack/pull/11507 
+.. _`#10970`: https://github.com/apache/cloudstack/pull/10970 
+.. _`#9305`: https://github.com/apache/cloudstack/pull/9305 
+.. _`#10869`: https://github.com/apache/cloudstack/pull/10869 
+.. _`#11556`: https://github.com/apache/cloudstack/pull/11556 
+.. _`#11528`: https://github.com/apache/cloudstack/pull/11528 
+.. _`#11575`: https://github.com/apache/cloudstack/pull/11575 
+.. _`#11314`: https://github.com/apache/cloudstack/pull/11314 
+.. _`#11218`: https://github.com/apache/cloudstack/pull/11218 
+.. _`#10734`: https://github.com/apache/cloudstack/pull/10734 
+.. _`#11487`: https://github.com/apache/cloudstack/pull/11487 
+.. _`#11361`: https://github.com/apache/cloudstack/pull/11361 
+.. _`#11553`: https://github.com/apache/cloudstack/pull/11553 
+.. _`#11557`: https://github.com/apache/cloudstack/pull/11557 
+.. _`#11543`: https://github.com/apache/cloudstack/pull/11543 
+.. _`#11536`: https://github.com/apache/cloudstack/pull/11536 
+.. _`#11329`: https://github.com/apache/cloudstack/pull/11329 
+.. _`#10865`: https://github.com/apache/cloudstack/pull/10865 
+.. _`#11230`: https://github.com/apache/cloudstack/pull/11230 
+.. _`#11542`: https://github.com/apache/cloudstack/pull/11542 
+.. _`#11550`: https://github.com/apache/cloudstack/pull/11550 
+.. _`#11537`: https://github.com/apache/cloudstack/pull/11537 
+.. _`#11532`: https://github.com/apache/cloudstack/pull/11532 
+.. _`#10152`: https://github.com/apache/cloudstack/pull/10152 
+.. _`#11243`: https://github.com/apache/cloudstack/pull/11243 
+.. _`#11518`: https://github.com/apache/cloudstack/pull/11518 
+.. _`#11466`: https://github.com/apache/cloudstack/pull/11466 
+.. _`#11516`: https://github.com/apache/cloudstack/pull/11516 
+.. _`#11457`: https://github.com/apache/cloudstack/pull/11457 
+.. _`#11463`: https://github.com/apache/cloudstack/pull/11463 
+.. _`#11448`: https://github.com/apache/cloudstack/pull/11448 
+.. _`#11397`: https://github.com/apache/cloudstack/pull/11397 
+.. _`#11401`: https://github.com/apache/cloudstack/pull/11401 
+.. _`#11393`: https://github.com/apache/cloudstack/pull/11393 
+.. _`#11062`: https://github.com/apache/cloudstack/pull/11062 
+.. _`#11242`: https://github.com/apache/cloudstack/pull/11242 
+.. _`#11388`: https://github.com/apache/cloudstack/pull/11388 
+.. _`#11373`: https://github.com/apache/cloudstack/pull/11373 
+.. _`#11366`: https://github.com/apache/cloudstack/pull/11366 
+.. _`#11197`: https://github.com/apache/cloudstack/pull/11197 
+.. _`#11315`: https://github.com/apache/cloudstack/pull/11315 
+.. _`#11380`: https://github.com/apache/cloudstack/pull/11380 
+.. _`#11372`: https://github.com/apache/cloudstack/pull/11372 
+.. _`#11369`: https://github.com/apache/cloudstack/pull/11369 
+.. _`#11291`: https://github.com/apache/cloudstack/pull/11291 
+.. _`#10946`: https://github.com/apache/cloudstack/pull/10946 
+.. _`#11337`: https://github.com/apache/cloudstack/pull/11337 
+.. _`#11352`: https://github.com/apache/cloudstack/pull/11352 
+.. _`#11142`: https://github.com/apache/cloudstack/pull/11142 
+.. _`#11316`: https://github.com/apache/cloudstack/pull/11316 
+.. _`#11342`: https://github.com/apache/cloudstack/pull/11342 
+.. _`#11245`: https://github.com/apache/cloudstack/pull/11245 
+.. _`#11306`: https://github.com/apache/cloudstack/pull/11306 
+.. _`#11310`: https://github.com/apache/cloudstack/pull/11310 
+.. _`#11328`: https://github.com/apache/cloudstack/pull/11328 
+.. _`#11068`: https://github.com/apache/cloudstack/pull/11068 
+.. _`#11244`: https://github.com/apache/cloudstack/pull/11244 
+.. _`#11237`: https://github.com/apache/cloudstack/pull/11237 
+.. _`#11195`: https://github.com/apache/cloudstack/pull/11195 
+.. _`#11220`: https://github.com/apache/cloudstack/pull/11220 
+.. _`#11210`: https://github.com/apache/cloudstack/pull/11210 
+.. _`#11053`: https://github.com/apache/cloudstack/pull/11053 
+.. _`#11264`: https://github.com/apache/cloudstack/pull/11264 
+.. _`#10975`: https://github.com/apache/cloudstack/pull/10975 
+.. _`#10856`: https://github.com/apache/cloudstack/pull/10856 
+.. _`#11221`: https://github.com/apache/cloudstack/pull/11221 
+.. _`#11102`: https://github.com/apache/cloudstack/pull/11102 
+.. _`#11087`: https://github.com/apache/cloudstack/pull/11087 
+.. _`#11086`: https://github.com/apache/cloudstack/pull/11086 
+.. _`#11258`: https://github.com/apache/cloudstack/pull/11258 
+.. _`#11204`: https://github.com/apache/cloudstack/pull/11204 
+.. _`#10857`: https://github.com/apache/cloudstack/pull/10857 
+.. _`#11211`: https://github.com/apache/cloudstack/pull/11211 
+.. _`#11214`: https://github.com/apache/cloudstack/pull/11214 
+.. _`#10879`: https://github.com/apache/cloudstack/pull/10879 
+.. _`#11138`: https://github.com/apache/cloudstack/pull/11138 
+.. _`#11054`: https://github.com/apache/cloudstack/pull/11054 
+.. _`#10917`: https://github.com/apache/cloudstack/pull/10917 
+.. _`#11179`: https://github.com/apache/cloudstack/pull/11179 
+.. _`#11099`: https://github.com/apache/cloudstack/pull/11099 
+.. _`#11128`: https://github.com/apache/cloudstack/pull/11128 
+.. _`#10848`: https://github.com/apache/cloudstack/pull/10848 
+.. _`#11171`: https://github.com/apache/cloudstack/pull/11171 
+.. _`#11170`: https://github.com/apache/cloudstack/pull/11170 
+.. _`#11158`: https://github.com/apache/cloudstack/pull/11158 
+.. _`#11168`: https://github.com/apache/cloudstack/pull/11168 
+.. _`#11091`: https://github.com/apache/cloudstack/pull/11091 
+.. _`#11113`: https://github.com/apache/cloudstack/pull/11113 
+.. _`#10778`: https://github.com/apache/cloudstack/pull/10778 
+.. _`#11003`: https://github.com/apache/cloudstack/pull/11003 
+.. _`#11116`: https://github.com/apache/cloudstack/pull/11116 
+.. _`#11095`: https://github.com/apache/cloudstack/pull/11095 
+.. _`#11085`: https://github.com/apache/cloudstack/pull/11085 
+.. _`#11106`: https://github.com/apache/cloudstack/pull/11106 
+.. _`#11004`: https://github.com/apache/cloudstack/pull/11004 
+.. _`#11019`: https://github.com/apache/cloudstack/pull/11019 
+.. _`#11035`: https://github.com/apache/cloudstack/pull/11035 
+.. _`#11055`: https://github.com/apache/cloudstack/pull/11055 
+.. _`#10663`: https://github.com/apache/cloudstack/pull/10663 
+.. _`#10814`: https://github.com/apache/cloudstack/pull/10814 
+
+
+Changes in 4.20.1.0 since 4.20.0.0
 ===================================
 
 Apache CloudStack uses GitHub https://github.com/apache/cloudstack/milestone/36?closed=1
@@ -545,7 +1066,7 @@ to track its issues.
 .. _`#10418`: https://github.com/apache/cloudstack/pull/10418 
 
 
-Changes in |release| since 4.19.1.0
+Changes in 4.20.0.0 since 4.19.1.0
 ===================================
 
 Apache CloudStack uses GitHub https://github.com/apache/cloudstack/milestone/30?closed=1

From 9a5fb9dbaf67d2d8bfed51e8d9228994db19e140 Mon Sep 17 00:00:00 2001
From: Harikrishna <harikrishna.patnala@gmail.com>
Date: Wed, 10 Dec 2025 17:07:45 +0530
Subject: [PATCH 08/20] Log4j file details (#607)

---
 .../upgrading/upgrade/_log4j_file_check.rst   | 26 +++++++++++++++++++
 source/upgrading/upgrade/upgrade-4.20.rst     |  2 ++
 2 files changed, 28 insertions(+)
 create mode 100644 source/upgrading/upgrade/_log4j_file_check.rst

diff --git a/source/upgrading/upgrade/_log4j_file_check.rst b/source/upgrading/upgrade/_log4j_file_check.rst
new file mode 100644
index 0000000000..c8aa002165
--- /dev/null
+++ b/source/upgrading/upgrade/_log4j_file_check.rst
@@ -0,0 +1,26 @@
+.. Licensed to the Apache Software Foundation (ASF) under one
+   or more contributor license agreements.  See the NOTICE file
+   distributed with this work for additional information#
+   regarding copyright ownership.  The ASF licenses this file
+   to you under the Apache License, Version 2.0 (the
+   "License"); you may not use this file except in compliance
+   with the License.  You may obtain a copy of the License at
+   http://www.apache.org/licenses/LICENSE-2.0
+   Unless required by applicable law or agreed to in writing,
+   software distributed under the License is distributed on an
+   "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+   KIND, either express or implied.  See the License for the
+   specific language governing permissions and limitations
+   under the License.
+
+.. sub-section included in upgrade notes.
+
+.. note::
+
+   During upgrades from versions prior to 4.20, the logging configuration file may not be migrated automatically to the new Log4j2 format - especially if the original log4j configuration file was manually customized or modified.
+
+   It is strongly recommended to verify **before starting the Management Server and the Usage Server** that the configuration file (e.g. `log4j-cloud.xml`) under `/etc/cloudstack/management` and `/etc/cloudstack/usage` respectively uses the Log4j2 format.
+
+   If the file still uses legacy Log4j (version 1) syntax or structure, **manually replace or update** the configuration using the default Log4j2 configuration supplied with the latest package.
+
+   Failure to update may result in missing or incomplete log generation after upgrade.
\ No newline at end of file
diff --git a/source/upgrading/upgrade/upgrade-4.20.rst b/source/upgrading/upgrade/upgrade-4.20.rst
index 8a1073fc04..c55bafd036 100644
--- a/source/upgrading/upgrade/upgrade-4.20.rst
+++ b/source/upgrading/upgrade/upgrade-4.20.rst
@@ -207,6 +207,8 @@ Setup the GPG public key if you wish to enable ``gpgcheck=1``:
 
       $ sudo yum upgrade cloudstack-usage
 
+.. include:: _log4j_file_check.rst
+
 .. _upg_hyp_414:
 
 Upgrade Hypervisors

From 53173a118c6add1206f2b33d7e0c72cee727d910 Mon Sep 17 00:00:00 2001
From: Wei Zhou <weizhou@apache.org>
Date: Thu, 18 Dec 2025 08:52:15 +0100
Subject: [PATCH 09/20] Debian: add instruction for MySQL python connector
 (#610)

Co-authored-by: Jonathan de Jong <jonathandejong02@gmail.com>
---
 .../management-server/_pkg_install.rst           | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)

diff --git a/source/installguide/management-server/_pkg_install.rst b/source/installguide/management-server/_pkg_install.rst
index ad8aed59cd..e44ddcaac3 100644
--- a/source/installguide/management-server/_pkg_install.rst
+++ b/source/installguide/management-server/_pkg_install.rst
@@ -53,3 +53,19 @@ Install on Ubuntu
 
    sudo apt install cloudstack-management
 
+Install on Debian
+^^^^^^^^^^^^^^^^^
+
+.. note::
+   The MySQL Python connector is not available in Debian's package repository sources, please add MySQL's own package repository:
+
+   .. code:: bash
+
+       wget https://dev.mysql.com/get/mysql-apt-config_0.8.36-1_all.deb -O /tmp/mysql-apt-config_0.8.36-1_all.deb
+       sudo apt install -y /tmp/mysql-apt-config_0.8.36-1_all.deb
+       sudo apt update
+
+.. parsed-literal::
+
+   sudo apt install cloudstack-management
+

From 822838ba314b1cfc4e116b539f0e55f6f23746a4 Mon Sep 17 00:00:00 2001
From: Harikrishna Patnala <harikrishna.patnala@gmail.com>
Date: Thu, 18 Dec 2025 18:14:16 +0530
Subject: [PATCH 10/20] Improvements added in making the existing templates
 available on newly added secondary storage

---
 source/installguide/configuration.rst | 20 ++++++++++++++++++++
 1 file changed, 20 insertions(+)

diff --git a/source/installguide/configuration.rst b/source/installguide/configuration.rst
index 5d1a3e878e..4aa0c30b2b 100644
--- a/source/installguide/configuration.rst
+++ b/source/installguide/configuration.rst
@@ -1705,6 +1705,26 @@ add more servers to an existing zone.
    -  Path. The path to the zone's Secondary Staging Store.
 
 
+When a new Secondary Storage is added, the Management Server attempts to make
+existing templates available on the new Secondary Storage.
+
+CloudStack improves template availability using the configuration:
+
++----------------------------------------------+-------------------------------------------------------------------------------------------------------------+-----------+
+| Name                                         | Description                                                                                                 | Default   |
++==============================================+=============================================================================================================+===========+
+| copy.templates.from.other.secondary.storages | Allow templates to be copied from existing Secondary Storage servers (within the same zone or across zones) | true      |
+|                                              | when adding a new Secondary Storage, instead of downloading them from the source URL.                       |           |
++----------------------------------------------+-------------------------------------------------------------------------------------------------------------+-----------+
+
+This setting is enabled by default and can be configured globally or at zone level.
+
+CloudStack applies the following order of steps while trying to make a template available in the new secondary storage:
+
+1. Attempt to copy the template from another Secondary Storage in the same zone.
+2. If not found, attempt to copy the template from a Secondary Storage in a different zone.
+3. If the copy operation fails, CloudStack falls back to downloading the template using its URL when it is registered.
+
 Adding an NFS Secondary Staging Store for Each Zone
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 

From adc272ae6b03477fc810cb81d6bebad79473ee63 Mon Sep 17 00:00:00 2001
From: Harikrishna Patnala <harikrishna.patnala@gmail.com>
Date: Mon, 29 Dec 2025 14:52:55 +0530
Subject: [PATCH 11/20] Added parameter details

---
 source/installguide/configuration.rst | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/source/installguide/configuration.rst b/source/installguide/configuration.rst
index 4aa0c30b2b..05b7bbc9c1 100644
--- a/source/installguide/configuration.rst
+++ b/source/installguide/configuration.rst
@@ -1686,7 +1686,7 @@ add more servers to an existing zone.
          Swift or S3 is used as the secondary storage provider, an NFS staging
          storage in each zone is still required.
 
-   -  Zone. The zone where the NFS Secondary Staging Store is to be
+   -  Zone: The zone where the NFS Secondary Staging Store is to be
       located.
 
    -  **SMB Username**: Applicable only if you select SMB/CIFS provider.
@@ -1700,9 +1700,13 @@ add more servers to an existing zone.
    -  **SMB Domain**: Applicable only if you select SMB/CIFS provider.
       The Active Directory domain that the SMB share is a part of.
 
-   -  NFS server. The name of the zone's Secondary Staging Store.
+   -  NFS server: The name of the zone's Secondary Staging Store.
 
-   -  Path. The path to the zone's Secondary Staging Store.
+   -  Path: The path to the zone's Secondary Staging Store.
+
+   -  Copy templates from other storages: This switch can be used to automatically
+      copy existing templates from secondary storages in other zones instead of
+      fetching from their URLs, more details are as below.
 
 
 When a new Secondary Storage is added, the Management Server attempts to make

From c4e9ba61ee0ea4566a987b0ba61d718d67d530d3 Mon Sep 17 00:00:00 2001
From: Harikrishna Patnala <harikrishna.patnala@gmail.com>
Date: Mon, 29 Dec 2025 15:29:00 +0530
Subject: [PATCH 12/20] corrections

---
 source/installguide/configuration.rst | 32 +++++++++++++--------------
 1 file changed, 16 insertions(+), 16 deletions(-)

diff --git a/source/installguide/configuration.rst b/source/installguide/configuration.rst
index 05b7bbc9c1..9b458660ac 100644
--- a/source/installguide/configuration.rst
+++ b/source/installguide/configuration.rst
@@ -1664,9 +1664,9 @@ add more servers to an existing zone.
 
 #. Fill in the following fields:
 
-   -  Name. Give the storage a descriptive name.
+   -  **Name**: Give the storage a descriptive name.
 
-   -  Provider. Choose S3, Swift, NFS, or CIFS then fill in the related
+   -  **Provider**: Choose S3, Swift, NFS, or CIFS then fill in the related
       fields which appear. The fields will vary depending on the storage
       provider; for more information, consult the provider's
       documentation (such as the S3 or Swift website). NFS can be used
@@ -1677,7 +1677,7 @@ add more servers to an existing zone.
          Heterogeneous Secondary Storage is not supported in Regions. You can
          use only a single NFS, S3, or Swift account per region.
 
-   -  Create NFS Secondary Staging Store. This box must always be
+   -  **Create NFS Secondary Staging Store**: This box must always be
       checked.
 
       .. warning::
@@ -1686,7 +1686,7 @@ add more servers to an existing zone.
          Swift or S3 is used as the secondary storage provider, an NFS staging
          storage in each zone is still required.
 
-   -  Zone: The zone where the NFS Secondary Staging Store is to be
+   -  **Zone**: The zone where the NFS Secondary Staging Store is to be
       located.
 
    -  **SMB Username**: Applicable only if you select SMB/CIFS provider.
@@ -1700,34 +1700,34 @@ add more servers to an existing zone.
    -  **SMB Domain**: Applicable only if you select SMB/CIFS provider.
       The Active Directory domain that the SMB share is a part of.
 
-   -  NFS server: The name of the zone's Secondary Staging Store.
+   -  **NFS server**: The name of the zone's Secondary Staging Store.
 
-   -  Path: The path to the zone's Secondary Staging Store.
+   -  **Path**: The path to the zone's Secondary Staging Store.
 
-   -  Copy templates from other storages: This switch can be used to automatically
-      copy existing templates from secondary storages in other zones instead of
+   -  **Copy Templates from other storages**: This switch can be used to automatically
+      copy existing Templates from Secondary Storages in other Zones instead of
       fetching from their URLs, more details are as below.
 
 
 When a new Secondary Storage is added, the Management Server attempts to make
-existing templates available on the new Secondary Storage.
+existing Templates available on the new Secondary Storage.
 
-CloudStack improves template availability using the configuration:
+CloudStack improves Template availability using the configuration:
 
 +----------------------------------------------+-------------------------------------------------------------------------------------------------------------+-----------+
 | Name                                         | Description                                                                                                 | Default   |
 +==============================================+=============================================================================================================+===========+
-| copy.templates.from.other.secondary.storages | Allow templates to be copied from existing Secondary Storage servers (within the same zone or across zones) | true      |
+| copy.templates.from.other.secondary.storages | Allow templates to be copied from existing Secondary Storages (within the same Zone or across Zones) | true      |
 |                                              | when adding a new Secondary Storage, instead of downloading them from the source URL.                       |           |
 +----------------------------------------------+-------------------------------------------------------------------------------------------------------------+-----------+
 
-This setting is enabled by default and can be configured globally or at zone level.
+This setting is enabled by default and can be configured globally or at Zone level.
 
-CloudStack applies the following order of steps while trying to make a template available in the new secondary storage:
+CloudStack applies the following order of steps while trying to make a Template available in the new Secondary Storage:
 
-1. Attempt to copy the template from another Secondary Storage in the same zone.
-2. If not found, attempt to copy the template from a Secondary Storage in a different zone.
-3. If the copy operation fails, CloudStack falls back to downloading the template using its URL when it is registered.
+1. Attempt to copy the Template from another Secondary Storage in the same Zone.
+2. If not found, attempt to copy the Template from a Secondary Storage in a different Zone.
+3. If the copy operation fails, CloudStack falls back to downloading the Template using its URL when it is registered.
 
 Adding an NFS Secondary Staging Store for Each Zone
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From 423da79d11fb5c2f3ddfa0eb376791b3754499d2 Mon Sep 17 00:00:00 2001
From: Harikrishna Patnala <harikrishna.patnala@gmail.com>
Date: Mon, 29 Dec 2025 15:35:00 +0530
Subject: [PATCH 13/20] more corrections

---
 source/installguide/configuration.rst | 18 +++++++++---------
 1 file changed, 9 insertions(+), 9 deletions(-)

diff --git a/source/installguide/configuration.rst b/source/installguide/configuration.rst
index 9b458660ac..d8d945d802 100644
--- a/source/installguide/configuration.rst
+++ b/source/installguide/configuration.rst
@@ -1635,9 +1635,9 @@ System Requirements for Secondary Storage
 Adding Secondary Storage
 ~~~~~~~~~~~~~~~~~~~~~~~~
 
-When you create a new zone, the first secondary storage is added as part
-of that procedure. You can add secondary storage servers at any time to
-add more servers to an existing zone.
+When you create a new Zone, the first Secondary Storage is added as part
+of that procedure. You can add Secondary Storage servers at any time to
+add more servers to an existing Zone.
 
 .. warning::
    Ensure that nothing is stored on the server. Adding the server to
@@ -1670,7 +1670,7 @@ add more servers to an existing zone.
       fields which appear. The fields will vary depending on the storage
       provider; for more information, consult the provider's
       documentation (such as the S3 or Swift website). NFS can be used
-      for zone-based storage, and the others for region-wide storage.
+      for Zone-based storage, and the others for region-wide storage.
       For Hyper-V, select SMB/CIFS.
 
       .. warning::
@@ -1683,10 +1683,10 @@ add more servers to an existing zone.
       .. warning::
          Even if the UI allows you to uncheck this box, do not do so. This
          checkbox and the three fields below it must be filled in. Even when
-         Swift or S3 is used as the secondary storage provider, an NFS staging
+         Swift or S3 is used as the Secondary Storage provider, an NFS staging
          storage in each zone is still required.
 
-   -  **Zone**: The zone where the NFS Secondary Staging Store is to be
+   -  **Zone**: The Zone where the NFS Secondary Staging Store is to be
       located.
 
    -  **SMB Username**: Applicable only if you select SMB/CIFS provider.
@@ -1700,9 +1700,9 @@ add more servers to an existing zone.
    -  **SMB Domain**: Applicable only if you select SMB/CIFS provider.
       The Active Directory domain that the SMB share is a part of.
 
-   -  **NFS server**: The name of the zone's Secondary Staging Store.
+   -  **NFS server**: The name of the Zone's Secondary Staging Store.
 
-   -  **Path**: The path to the zone's Secondary Staging Store.
+   -  **Path**: The path to the Zone's Secondary Staging Store.
 
    -  **Copy Templates from other storages**: This switch can be used to automatically
       copy existing Templates from Secondary Storages in other Zones instead of
@@ -1717,7 +1717,7 @@ CloudStack improves Template availability using the configuration:
 +----------------------------------------------+-------------------------------------------------------------------------------------------------------------+-----------+
 | Name                                         | Description                                                                                                 | Default   |
 +==============================================+=============================================================================================================+===========+
-| copy.templates.from.other.secondary.storages | Allow templates to be copied from existing Secondary Storages (within the same Zone or across Zones) | true      |
+| copy.templates.from.other.secondary.storages | Allow Templates to be copied from existing Secondary Storages (within the same Zone or across Zones) | true      |
 |                                              | when adding a new Secondary Storage, instead of downloading them from the source URL.                       |           |
 +----------------------------------------------+-------------------------------------------------------------------------------------------------------------+-----------+
 

From 07514df1449fe9fc2a18f68c52acaef0247b09e4 Mon Sep 17 00:00:00 2001
From: Harikrishna Patnala <harikrishna.patnala@gmail.com>
Date: Mon, 5 Jan 2026 13:57:29 +0530
Subject: [PATCH 14/20] Correction

---
 source/installguide/configuration.rst | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/source/installguide/configuration.rst b/source/installguide/configuration.rst
index d8d945d802..6028cb1ce0 100644
--- a/source/installguide/configuration.rst
+++ b/source/installguide/configuration.rst
@@ -1727,7 +1727,7 @@ CloudStack applies the following order of steps while trying to make a Template
 
 1. Attempt to copy the Template from another Secondary Storage in the same Zone.
 2. If not found, attempt to copy the Template from a Secondary Storage in a different Zone.
-3. If the copy operation fails, CloudStack falls back to downloading the Template using its URL when it is registered.
+3. If the copy operation fails, CloudStack falls back to downloading the Template using its URL as registered.
 
 Adding an NFS Secondary Staging Store for Each Zone
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From 2437b2a851d608341144ccfadae5cd9c08a795c0 Mon Sep 17 00:00:00 2001
From: Abhisar Sinha <63767682+abh1sar@users.noreply.github.com>
Date: Thu, 15 Jan 2026 13:51:15 +0530
Subject: [PATCH 15/20] Warning about VM with VMHA not restarting  when primary
 storage is put on maintenance (#619)

---
 source/adminguide/storage.rst | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/source/adminguide/storage.rst b/source/adminguide/storage.rst
index 2a225ee031..8cfc02a6d1 100644
--- a/source/adminguide/storage.rst
+++ b/source/adminguide/storage.rst
@@ -259,6 +259,10 @@ The CloudStack will bring the device back online and attempt to start
 all guests that were running at the time of the entry into maintenance
 mode.
 
+.. note::
+   HA-Enabled Instances will also be stopped when the primary storage is put into maintenance mode.
+   It is recommended to migrate any business-critical Instances to alternate primary storage before initiating maintenance.
+
 Browsing files on a primary storage
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 

From 79e87a60638d16f9e4be1e0844d9d95d02538ddb Mon Sep 17 00:00:00 2001
From: Manoj Kumar <manojkr.itbhu@gmail.com>
Date: Mon, 19 Jan 2026 16:43:50 +0530
Subject: [PATCH 16/20] Add minreq.sysvmtemplate.versione example for VR live
 patch (#618)

---
 source/upgrading/upgrade/_sysvm_restart.rst | 35 +++++++++++++++------
 1 file changed, 25 insertions(+), 10 deletions(-)

diff --git a/source/upgrading/upgrade/_sysvm_restart.rst b/source/upgrading/upgrade/_sysvm_restart.rst
index 77c40456ef..3df02b3f64 100644
--- a/source/upgrading/upgrade/_sysvm_restart.rst
+++ b/source/upgrading/upgrade/_sysvm_restart.rst
@@ -45,16 +45,31 @@ in the System VMs.
 
    The following services will be restarted once a system VM is live patched:
 
-            +---------------------+-------------------------------+---------------------------------------------------+
-            | **System VM**       |         **Services**          |  **Note**                                         |
-            +---------------------+-------------------------------+---------------------------------------------------+
-            | SSVM                | cloud, apache2, portmap       |                                                   |
-            +---------------------+-------------------------------+---------------------------------------------------+
-            | CPVM                | cloud                         |                                                   |
-            +---------------------+-------------------------------+---------------------------------------------------+
-            | VRs                 | haproxy, apache2, dnsmasq     | Please set setting `minreq.sysvmtemplate.version` |
-            |                     |                               | to proper value before live-patching              |
-            +---------------------+-------------------------------+---------------------------------------------------+
+            +---------------------+-------------------------------+
+            | **System VM**       |         **Services**          |
+            +---------------------+-------------------------------+
+            | SSVM                | cloud, apache2, portmap       |
+            +---------------------+-------------------------------+
+            | CPVM                | cloud                         |
+            +---------------------+-------------------------------+
+            | VRs                 | haproxy, apache2, dnsmasq     |
+            |                     |                               |
+            +---------------------+-------------------------------+
+   
+   **NOTE**: Before live patching Virtual Routers (VRs), administrators must ensure that
+   the global configuration parameter ``minreq.sysvmtemplate.version`` is set
+   to the minimum supported VR template version.
+
+   For example, if the deployed Virtual Router template version is ``4.20.1``,
+   set:
+
+   ::
+
+      minreq.sysvmtemplate.version = 4.20.1
+
+   This ensures that live patching is only performed on Virtual Routers running
+   template version ``4.20.1`` or later. Virtual Routers using older template
+   versions must be upgraded before live patching is attempted.
 
    With respect to VRs, a Network restart without cleanup is initiated to during live patching to ensure all rules
    are re-applied. 

From d0880cf1e0307873315c4b42439952d7a194c10f Mon Sep 17 00:00:00 2001
From: Harikrishna Patnala <harikrishna.patnala@gmail.com>
Date: Wed, 28 Jan 2026 15:24:48 +0530
Subject: [PATCH 17/20] Fix table format

---
 source/installguide/configuration.rst | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/source/installguide/configuration.rst b/source/installguide/configuration.rst
index 6028cb1ce0..9a492ba996 100644
--- a/source/installguide/configuration.rst
+++ b/source/installguide/configuration.rst
@@ -1717,7 +1717,7 @@ CloudStack improves Template availability using the configuration:
 +----------------------------------------------+-------------------------------------------------------------------------------------------------------------+-----------+
 | Name                                         | Description                                                                                                 | Default   |
 +==============================================+=============================================================================================================+===========+
-| copy.templates.from.other.secondary.storages | Allow Templates to be copied from existing Secondary Storages (within the same Zone or across Zones) | true      |
+| copy.templates.from.other.secondary.storages | Allow Templates to be copied from existing Secondary Storages (within the same Zone or across Zones)        | true      |
 |                                              | when adding a new Secondary Storage, instead of downloading them from the source URL.                       |           |
 +----------------------------------------------+-------------------------------------------------------------------------------------------------------------+-----------+
 

From ac474765b58e704cafe5383224eeadf43e78e96b Mon Sep 17 00:00:00 2001
From: Suresh Kumar Anaparti <sureshkumar.anaparti@gmail.com>
Date: Wed, 18 Feb 2026 19:22:33 +0530
Subject: [PATCH 18/20] Updated configuration details for Management and KVM
 Agent services (#623)

* Updated configuration details for Management and KVM Agent services

* indentation correction

* review changes

* Update for usage server and ssvm, and move tuning to dir
---
 source/adminguide/index.rst                   |  2 +-
 .../tuning/disable_omit_stack_trace.rst       | 55 +++++++++++++++++++
 source/adminguide/{ => tuning}/tuning.rst     |  3 +
 source/installguide/hypervisor/kvm.rst        | 47 ++++++++++++++++
 4 files changed, 106 insertions(+), 1 deletion(-)
 create mode 100644 source/adminguide/tuning/disable_omit_stack_trace.rst
 rename source/adminguide/{ => tuning}/tuning.rst (99%)

diff --git a/source/adminguide/index.rst b/source/adminguide/index.rst
index a3aad694ed..9bfe226b8d 100644
--- a/source/adminguide/index.rst
+++ b/source/adminguide/index.rst
@@ -176,7 +176,7 @@ Tuning
 .. toctree::
    :maxdepth: 4
 
-   tuning
+   tuning/tuning
 
 
 Events and Troubleshooting
diff --git a/source/adminguide/tuning/disable_omit_stack_trace.rst b/source/adminguide/tuning/disable_omit_stack_trace.rst
new file mode 100644
index 0000000000..79e7b88725
--- /dev/null
+++ b/source/adminguide/tuning/disable_omit_stack_trace.rst
@@ -0,0 +1,55 @@
+.. Licensed to the Apache Software Foundation (ASF) under one
+   or more contributor license agreements.  See the NOTICE file
+   distributed with this work for additional information#
+   regarding copyright ownership.  The ASF licenses this file
+   to you under the Apache License, Version 2.0 (the
+   "License"); you may not use this file except in compliance
+   with the License.  You may obtain a copy of the License at
+   http://www.apache.org/licenses/LICENSE-2.0
+   Unless required by applicable law or agreed to in writing,
+   software distributed under the License is distributed on an
+   "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+   KIND, either express or implied.  See the License for the
+   specific language governing permissions and limitations
+   under the License.
+   
+
+Disable Omit Stack Trace
+------------------------
+
+The JVM, by default stops printing some stack traces in the logs. To enable printing full stack traces at all times:
+
+#. Edit the following configuration file for the respective service to disable there and restart it:
+
+   - For cloudstack-management.service in the Management Server:
+
+      .. code:: bash
+
+         /etc/default/cloudstack-management
+
+   - For cloudstack-usage.service in the Usage Server:
+
+      .. code:: bash
+
+         /etc/default/cloudstack-usage
+
+   - For cloudstack-agent.service in the KVM Host:
+
+      .. code:: bash
+
+         /etc/default/cloudstack-agent
+
+   - For cloud.service in the SSVM:
+
+      .. code:: bash
+
+         /usr/local/cloud/systemvm/_run.sh
+
+#. Add the command-line parameter -XX:-OmitStackTraceInFastThrow to disable the omit stack trace flag in the JVM so that all
+   the stack traces are always printed on the logs. This flag is enabled by default in the JVM to omit the stack traces
+   for certain exceptions that are thrown frequently. Printing of the stack traces might impact performance, and is not
+   recommended for production, so it's better to disable this flag for troubleshooting or debugging purposes when required.
+
+   .. code:: bash
+
+      JAVA_OPTS="... -XX:-OmitStackTraceInFastThrow"
diff --git a/source/adminguide/tuning.rst b/source/adminguide/tuning/tuning.rst
similarity index 99%
rename from source/adminguide/tuning.rst
rename to source/adminguide/tuning/tuning.rst
index bb214602ee..bc8cb35dcb 100644
--- a/source/adminguide/tuning.rst
+++ b/source/adminguide/tuning/tuning.rst
@@ -57,6 +57,9 @@ For more information about memory issues, see "FAQ: Memory" at `Tomcat
 Wiki. <http://wiki.apache.org/tomcat/FAQ/Memory>`_
 
 
+.. include:: disable_omit_stack_trace.rst
+
+
 Set Database Buffer Pool Size
 -----------------------------
 
diff --git a/source/installguide/hypervisor/kvm.rst b/source/installguide/hypervisor/kvm.rst
index d450a459fa..5c0ec09a48 100644
--- a/source/installguide/hypervisor/kvm.rst
+++ b/source/installguide/hypervisor/kvm.rst
@@ -310,6 +310,53 @@ sudoers file:
    cloudstack ALL=NOPASSWD: /usr/bin/cloudstack-setup-agent
    Defaults:cloudstack !requiretty
 
+Limit Resources For the Agent Service
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+#. Edit the cloudstack-agent.service file at:
+
+   .. code:: bash
+
+      /usr/lib/systemd/system/cloudstack-agent.service
+
+#. You can set the following resource controls in the cloudstack-agent service:
+
+   - Limit the number of file descriptors
+
+   The default configuration is usually higher, set to a lower number explicitly when required. It is observed
+   that the average FDs for a host with 40 VMs was 380, we can reserve +20% based on the requirement. Example
+   shown below.
+
+      .. code:: bash
+
+         LimitNOFILE=1500
+
+   - Limit the memory usage
+
+   You can limit the memory usage. For example, set to 2500MB (2500 * 1024 * 1024 bytes) as shown below.
+
+      .. code:: bash
+
+         MemoryMax=2500M
+
+   - Limit the CPU quota
+
+   You can control the CPU allocation. For example, set to allow 2 full cores worth of CPU time as shown below.
+
+      .. code:: bash
+
+         CPUQuota=200%
+
+#. Reload and restart the cloudstack-agent service after changing any of the resource controls:
+
+   .. code:: bash
+
+      sudo systemctl daemon-reload
+      sudo systemctl restart cloudstack-agent
+
+
+.. include:: ../../adminguide/tuning/disable_omit_stack_trace.rst
+
 
 Configure CPU model for KVM guest (Optional)
 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

From 9b9c0c1f0d2106e0f5e478f5b17f3a7e08f2fe32 Mon Sep 17 00:00:00 2001
From: Suresh Kumar Anaparti <sureshkumar.anaparti@gmail.com>
Date: Mon, 2 Mar 2026 16:47:17 +0530
Subject: [PATCH 19/20] Fix the User Interface ref link in install guide (#626)

---
 source/installguide/overview/_overview.rst | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/source/installguide/overview/_overview.rst b/source/installguide/overview/_overview.rst
index 376cbc1481..91d6b1f9f4 100644
--- a/source/installguide/overview/_overview.rst
+++ b/source/installguide/overview/_overview.rst
@@ -50,7 +50,7 @@ recommended that you read the following:
 
 #. Configure your cloud. See :ref:`Configuring_your_CloudStack_Installation`
 
-   #. Using CloudStack UI. See `*User Interface* :ref:`log-in-to-ui`
+   #. Using CloudStack UI. See *User Interface* :ref:`log-in-to-ui`
 
    #. Add a zone. Includes the first pod, cluster, and host. See :ref:`adding-a-zone`
 

From c3f0a0fcae1ef4c4b558f0f364235dcf66883ea7 Mon Sep 17 00:00:00 2001
From: Suresh Kumar Anaparti <sureshkumar.anaparti@gmail.com>
Date: Tue, 10 Mar 2026 10:55:33 +0530
Subject: [PATCH 20/20] Doc update for MySQL 8.4 support (#629)

* Doc update for MySQL 8.4 support

* added steps to update authentication method to caching_sha2_password

* fix alignment

* some text improvements

* fix alignments

* changes

* move mysql upgrade details to mysql.rst
---
 source/releasenotes/compat.rst             |   2 +-
 source/upgrading/upgrade/mysql.rst         | 103 ++++++++++++++++++++-
 source/upgrading/upgrade/upgrade_notes.rst |  32 +------
 3 files changed, 104 insertions(+), 33 deletions(-)

diff --git a/source/releasenotes/compat.rst b/source/releasenotes/compat.rst
index e77e2a06a8..b4e5af8314 100644
--- a/source/releasenotes/compat.rst
+++ b/source/releasenotes/compat.rst
@@ -38,7 +38,7 @@ Software Requirements
 ~~~~~~~~~~~~~~~~~~~~~
 
 -  Java JRE 17
--  MySQL 8.0 (or equivalent compatible DBMS)
+-  MySQL 8.4 (or equivalent compatible DBMS)
 
 Supported Hypervisor Versions
 -----------------------------
diff --git a/source/upgrading/upgrade/mysql.rst b/source/upgrading/upgrade/mysql.rst
index ea9e88497a..a0e611f41e 100644
--- a/source/upgrading/upgrade/mysql.rst
+++ b/source/upgrading/upgrade/mysql.rst
@@ -13,8 +13,109 @@
    specific language governing permissions and limitations
    under the License.
 
+MySQL upgrade
+=============
+
+Explicit JDBC driver declaration
+--------------------------------
+
+While upgrading, on some environments the following may be required to be
+added in CloudStack's db.properties file:
+
+   # Add these to your db.properties file
+
+   db.cloud.driver=jdbc:mysql
+
+   db.usage.driver=jdbc:mysql
+
+MySQL support updated to 8.4
+----------------------------
+
+As of Apache CloudStack 4.20.3, support for MySQL 8.4 has been added.
+
+Existing deployments upgraded to version 4.20.3 can still continue using MySQL 8.0
+without any changes.
+
+If you are running MySQL 8.0 and would like to upgrade to MySQL 8.4,
+you may follow the standard MySQL upgrade process to migrate safely to version 8.4,
+and then update the authentication method for the root and CloudStack (cloud) users with
+caching_sha2_password plugin using the below steps as the mysql_native_password plugin
+is deprecated as of MySQL 8.0.34, and disabled by default in MySQL 8.4. For more details,
+refer to MySQL documentation here: https://dev.mysql.com/doc/refman/8.4/en/caching-sha2-pluggable-authentication.html
+
+#. Stop MySQL server if already running
+
+   .. code-block:: bash
+
+      sudo systemctl stop mysqld
+
+#. Start MySQL server in safe mode without auth
+
+   .. code-block:: bash
+
+      sudo mysqld --skip-grant-tables --skip-networking &
+
+#. Login to MySQL without password
+
+   .. code-block:: bash
+
+      mysql -u root
+
+#. Reset passwords for root and CloudStack (cloud) users.
+
+   .. code-block:: mysql
+
+      ALTER USER 'root'@'localhost' IDENTIFIED WITH caching_sha2_password BY 'ROOT_PASSWORD';
+      ALTER USER 'root'@'%' IDENTIFIED WITH caching_sha2_password BY 'ROOT_PASSWORD';
+      ALTER USER 'cloud'@'localhost' IDENTIFIED WITH caching_sha2_password BY 'CLOUD_PASSWORD';
+      ALTER USER 'cloud'@'%' IDENTIFIED WITH caching_sha2_password BY 'CLOUD_PASSWORD';
+      FLUSH PRIVILEGES;
+
+   Note: Please ensure that the password used for the cloud database user matches the value
+   configured in /etc/cloudstack/management/db.properties. If the password in db.properties
+   is encrypted, you can retrieve it using the below command.
+
+   .. code-block:: bash
+
+      java -classpath /usr/share/cloudstack-common/lib/cloudstack-utils.jar \
+      com.cloud.utils.crypt.EncryptionCLI -d \
+      -i "$(grep -oP 'db.cloud.password=ENC\(\K[^\)]+(?=\))' /etc/cloudstack/management/db.properties)" \
+      -p "$(cat /etc/cloudstack/management/key)"
+
+#. Remove deprecated authentication plugin 'mysql_native_password' from the MySQL configuration. Either comment or remove the below line from /etc/my.cnf
+
+   .. parsed-literal::
+
+      default_authentication_plugin=mysql_native_password
+
+#. Restart MySQL server
+
+   .. code-block:: bash
+
+      killall mysqld
+      systemctl start mysqld
+
+MySQL 8.0+ sql mode change
+--------------------------
+
+MySQL mode (sql_mode) has changed in CloudStack db.properties to
+"STRICT_TRANS_TABLES,NO_ZERO_IN_DATE,NO_ZERO_DATE,
+ERROR_FOR_DIVISION_BY_ZERO,NO_ENGINE_SUBSTITUTION".
+
+This gets automatically applies to the MySQL session used by CloudStack management server.
+
+If the admin uses MySQL directly and wants to query tables it is advised to change the sql_mode in the corresponding session or globally.
+
+Eg. mysql> set global sql_mode="STRICT_TRANS_TABLES,NO_ZERO_IN_DATE,NO_ZERO_DATE,
+                             "> ERROR_FOR_DIVISION_BY_ZERO,NO_ENGINE_SUBSTITUTION";
+    Query OK, 0 rows affected (0.00 sec)
+
+    mysql> set sql_mode="STRICT_TRANS_TABLES,NO_ZERO_IN_DATE,NO_ZERO_DATE,
+                     "> ERROR_FOR_DIVISION_BY_ZERO,NO_ENGINE_SUBSTITUTION";
+    Query OK, 0 rows affected (0.00 sec)
+
 MySQL upgrade problems
-======================
+----------------------
 
 With certain MySQL versions (see below), issues have been seen with "cloud.nics" table's 
 column type (which was not updated properly during CloudStack upgrades, due to MySQL limitations),
diff --git a/source/upgrading/upgrade/upgrade_notes.rst b/source/upgrading/upgrade/upgrade_notes.rst
index 4493589159..c433e87290 100644
--- a/source/upgrading/upgrade/upgrade_notes.rst
+++ b/source/upgrading/upgrade/upgrade_notes.rst
@@ -108,34 +108,4 @@ SystemVM 32bit deprecated
 
 32bit versions of System VM Templates are in the process of being deprecated. Upgrade instructions from this Release Notes use 64bit Templates.
 
-Explicit JDBC driver declaration
---------------------------------
-
-While upgrading, on some environments the following may be required to be
-added in CloudStack's db.properties file:
-
-   # Add these to your db.properties file
-
-   db.cloud.driver=jdbc:mysql
-
-   db.usage.driver=jdbc:mysql
-
-
-MySQL 8.0 sql mode change
--------------------------
-
-MySQL mode (sql_mode) has changed in CloudStack db.properties to 
-"STRICT_TRANS_TABLES,NO_ZERO_IN_DATE,NO_ZERO_DATE,
-ERROR_FOR_DIVISION_BY_ZERO,NO_ENGINE_SUBSTITUTION".
-
-This gets automatically applies to the MySQL session used by CloudStack management server.
-
-If the admin uses MySQL directly and wants to query tables it is advised to change the sql_mode in the corresponding session or globally.
-
-Eg. mysql> set global sql_mode="STRICT_TRANS_TABLES,NO_ZERO_IN_DATE,NO_ZERO_DATE,
-                             "> ERROR_FOR_DIVISION_BY_ZERO,NO_ENGINE_SUBSTITUTION";
-    Query OK, 0 rows affected (0.00 sec)
-
-    mysql> set sql_mode="STRICT_TRANS_TABLES,NO_ZERO_IN_DATE,NO_ZERO_DATE,
-                     "> ERROR_FOR_DIVISION_BY_ZERO,NO_ENGINE_SUBSTITUTION";
-    Query OK, 0 rows affected (0.00 sec)
\ No newline at end of file
+.. include:: mysql.rst