From owner-freebsd-net@freebsd.org  Mon Jan 11 03:00:10 2021
Return-Path: <owner-freebsd-net@freebsd.org>
Delivered-To: freebsd-net@mailman.nyi.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
 by mailman.nyi.freebsd.org (Postfix) with ESMTP id 707A74CA9B7
 for <freebsd-net@mailman.nyi.freebsd.org>;
 Mon, 11 Jan 2021 03:00:10 +0000 (UTC)
 (envelope-from knezour@weboutsourcing.cz)
Received: from smtp-out.ujezd.net (smtp-out.ujezd.net [81.90.241.92])
 by mx1.freebsd.org (Postfix) with ESMTP id 4DDdjj49VSz4ckW
 for <freebsd-net@freebsd.org>; Mon, 11 Jan 2021 03:00:09 +0000 (UTC)
 (envelope-from knezour@weboutsourcing.cz)
Received: by smtp-out.ujezd.net (Postfix, from userid 1001)
 id 4DDdjg0Q0Wz9s3g; Mon, 11 Jan 2021 04:00:07 +0100 (CET)
X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on smtp-out.ujezd.net
X-Spam-Level: 
X-Spam-Status: No, score=-2.9 required=7.0 tests=ALL_TRUSTED,BAYES_00
 autolearn=ham version=3.3.2
Received: from [172.23.200.66] (unknown [10.128.99.254])
 by smtp-out.ujezd.net (Postfix) with ESMTP id 4DDdjc6zDdz9sFK
 for <freebsd-net@freebsd.org>; Mon, 11 Jan 2021 04:00:04 +0100 (CET)
To: freebsd-net@freebsd.org
From: Ondra Knezour <knezour@weboutsourcing.cz>
Subject: nfsd doesn't register with rpcbind
Message-ID: <9ec68f10-6008-34cd-d89d-2d2b2cf2c0da@weboutsourcing.cz>
Date: Mon, 11 Jan 2021 04:00:05 +0100
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:78.0) Gecko/20100101
 Thunderbird/78.6.0
MIME-Version: 1.0
Content-Type: multipart/signed; protocol="application/pkcs7-signature";
 micalg=sha-256; boundary="------------ms020003080204000504070207"
X-Rspamd-Queue-Id: 4DDdjj49VSz4ckW
X-Spamd-Bar: --
Authentication-Results: mx1.freebsd.org; dkim=none; dmarc=none;
 spf=none (mx1.freebsd.org: domain of knezour@weboutsourcing.cz has no SPF
 policy when checking 81.90.241.92) smtp.mailfrom=knezour@weboutsourcing.cz
X-Spamd-Result: default: False [-2.24 / 15.00]; HAS_ATTACHMENT(0.00)[];
 TO_DN_NONE(0.00)[]; RCVD_NO_TLS_LAST(0.10)[];
 FROM_EQ_ENVFROM(0.00)[]; MIME_TRACE(0.00)[0:+,1:+,2:~];
 RBL_DBL_DONT_QUERY_IPS(0.00)[81.90.241.92:from];
 ASN(0.00)[asn:39761, ipnet:81.90.240.0/20, country:CZ];
 MID_RHS_MATCH_FROM(0.00)[]; ARC_NA(0.00)[];
 NEURAL_HAM_MEDIUM(-1.00)[-1.000]; FROM_HAS_DN(0.00)[];
 SIGNED_SMIME(-2.00)[]; TO_MATCH_ENVRCPT_ALL(0.00)[];
 NEURAL_HAM_LONG(-0.49)[-0.494];
 MIME_GOOD(-0.20)[multipart/signed,text/plain];
 PREVIOUSLY_DELIVERED(0.00)[freebsd-net@freebsd.org];
 DMARC_NA(0.00)[weboutsourcing.cz]; AUTH_NA(1.00)[];
 RCPT_COUNT_ONE(0.00)[1];
 SPAMHAUS_ZRD(0.00)[81.90.241.92:from:127.0.2.255];
 R_DKIM_NA(0.00)[]; NEURAL_SPAM_SHORT(0.35)[0.353];
 RCVD_IN_DNSWL_NONE(0.00)[81.90.241.92:from];
 R_SPF_NA(0.00)[no SPF record]; RCVD_COUNT_TWO(0.00)[2];
 MAILMAN_DEST(0.00)[freebsd-net]
X-BeenThere: freebsd-net@freebsd.org
X-Mailman-Version: 2.1.34
Precedence: list
List-Id: Networking and TCP/IP with FreeBSD <freebsd-net.freebsd.org>
List-Unsubscribe: <https://lists.freebsd.org/mailman/options/freebsd-net>,
 <mailto:freebsd-net-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-net/>
List-Post: <mailto:freebsd-net@freebsd.org>
List-Help: <mailto:freebsd-net-request@freebsd.org?subject=help>
List-Subscribe: <https://lists.freebsd.org/mailman/listinfo/freebsd-net>,
 <mailto:freebsd-net-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Mon, 11 Jan 2021 03:00:10 -0000

This is a cryptographically signed message in MIME format.

--------------ms020003080204000504070207
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: quoted-printable
Content-Language: en-US

Hi all,

I have longstanding issue with our NFS server, going probably from 10.x=20
release times. Also problematic counterpart (client) has undergone=20
multiple upgrades, but problem persists.

Quick intro - NFS server on FreeBSD 12.2 (running there probably for=20
about 3-4 years, hence mentioning 10.x release), couple of clients,=20
mostly Linux. The problematic one is xen on two servers in pool. Now=20
running latest xcp-ng 8.2 (opensource fork of the Citrix product after=20
their licensing changes, based on CentOS 7), also with history of=20
upgrades over the years.

The problem is I can mount and use NFS shares from any client, even=20
those xcp-ng servers, but I can't add what xen calls NFS storage=20
repository, which is basically only fancy name for NFS mount with info=20
stored in xen internal configuration database. There are three ways to=20
do it (known to me), xe command line utility, web tool from authors of=20
the mentioned fork named Xen Orchestra and Windows application, which is =

remnant of the Citrix era called XenCenter. All three use (AFAIK) some=20
Python scripting on the server (NFS client in this case) to do it.

It would be easy to blame this Python part of the problem, but I=20
noticed, that on the FreeBSD side nfsd does not register service with=20
the rpcbind, so I think this may be (at least part of) the problem. I=20
read somewhere, that NFSv4 can work without RPC and in fact, it does for =

me, at least partially, but I am not sure what specification says and=20
which part has to be blamed here.

So my questions are:
1. Why my nfsd doesn't register with rpcbind?
2. Is this registration somewhat optional at least for NFSv4?
3. How can I get some useful debug info? Using -d options in our servers =

startup configuration where it is available doesn't produce much.

In the following snippets, 172.22.1.4 or storage-smc is the NFS server=20
and 172.22.1.7 and 172.22.1.27 are the troublesome clients.

 From the server

uname -a
FreeBSD storage-smc.ujezd.net 12.2-RELEASE-p1 FreeBSD 12.2-RELEASE-p1 GEN=
ERIC  amd64



/etc/rc.conf

hostname=3D"storage-smc.ujezd.net"
cloned_interfaces=3D"vlan1000 vlan1500 vlan2000"
ifconfig_vlan1000=3D"inet 172.22.1.4 netmask 255.255.0.0 vlan 1000 vlande=
v igb1"
ifconfig_vlan2000=3D"inet 10.128.99.4 netmask 255.255.255.0 vlan 2000 vla=
ndev igb1"
ifconfig_vlan1500=3D"inet 192.168.222.1 netmask 255.255.255.0 vlan 1500 v=
landev igb1"
ifconfig_igb1=3D"up"
nfsuserd_flags=3D"-verbose"
defaultrouter=3D"172.22.0.1"
sshd_enable=3D"YES"
# Set dumpdev to "AUTO" to enable crash dumps, "NO" to disable
dumpdev=3D"AUTO"
zfs_enable=3D"YES"
nfsv4_server_enable=3D"YES"
nfsuserd_enable=3D"YES"
rpcbind_enable=3D"YES"
nfs_server_enable=3D"YES"
#nfs_server_flags=3D"-h 172.22.1.4"
mountd_enable=3D"YES"
mountd_flags=3D"-r"
kld_list=3D"aesni ipmi"
smartd_enable=3D"YES"
ntpdate_hosts=3D"10.128.99.95"
ntpdate_enable=3D"YES"
ntpd_sync_on_start=3D"YES"
ntpd_enable=3D"YES"
netdata_enable=3D"YES"
microcode_update_enable=3D"YES"
rpc_lockd_enable=3D"YES"           # Run NFS rpc.lockd needed for client/=
server.
rpc_statd_enable=3D"YES"           # Run NFS rpc.statd needed for client/=
server.



/etc/sysctl.conf

vfs.zfs.arc_max=3D"48000000000"
vfs.nfsd.server_min_nfsvers=3D4
vfs.nfs.enable_uidtostring=3D1
vfs.nfsd.tcpcachetimeo: 300
vfs.nfsd.tcphighwater: 100000



/etc/exports

/zdata/email -maproot=3Droot 10.128.99.79
/zdata/nf -maproot=3Droot 172.22.255.249
/zdata/odkladgalery -maproot=3Droot 172.22.1.10
/zdata/ios -maproot=3Droot 172.22.1.14
/zdata/xen-iso-library -maproot=3Droot 172.22.1.27
/zdata/xen-iso-library -maproot=3Droot 172.22.1.7
/zdata/xen-nfs-storage -maproot=3Droot 172.22.1.27
/zdata/xen-nfs-storage -maproot=3Droot 172.22.1.7
/zdata/servers/xenserver -maproot=3Droot 172.22.1.27
/zdata/servers/xenserver -maproot=3Droot 172.22.1.7
/zdata/servers/xenserver -maproot=3Droot 172.22.1.32
/zdata/virt -maproot=3Droot 172.22.1.27
/zdata/virt -maproot=3Droot 172.22.1.7
/zdata/virt -maproot=3Droot 172.22.1.13
/zdata/virt -maproot=3Droot 172.22.1.2
/zdata/virt -maproot=3Droot -sec=3Dsys 172.22.1.11
V4: / -sec=3Dsys -network 172.22.0.0 -mask 255.255.0.0
V4: / -sec=3Dsys -network 10.128.99.0 -mask 255.255.255.0

rpcinfo -s

    program version(s) netid(s)                         service     owner=

     100000  2,3,4     local,udp6,tcp6,udp,tcp          rpcbind     super=
user
     100024  1         tcp,udp,tcp6,udp6                status      super=
user
     100021  4,3,1,0   tcp,udp,tcp6,udp6                nlockmgr    super=
user
     100005  3,1       tcp,udp,tcp6,udp6                mountd      super=
user



And from one of the Linux clients - rpcinfo doesn't show nfsd, but=20
mounts can be probed and mounted without problem.

showmount -e 172.22.1.4
Export list for 172.22.1.4:
/zdata/virt              172.22.1.11,172.22.1.2,172.22.1.13,172.22.1.7,17=
2.22.1.27
/zdata/xen-nfs-storage   172.22.1.7,172.22.1.27
/zdata/xen-iso-library   172.22.1.7,172.22.1.27
/zdata/odkladgalery      172.22.1.10
/zdata/email             10.128.99.79
/zdata/servers/xenserver 172.22.1.32,172.22.1.7,172.22.1.27
/zdata/ios               172.22.1.14
/zdata/nf                172.22.255.249

rpcinfo -s 172.22.1.4
    program version(s) netid(s)                         service     owner=

     100000  2,3,4     local,udp6,tcp6,udp,tcp          portmapper  super=
user
     100024  1         tcp,udp,tcp6,udp6                status      super=
user
     100021  4,3,1,0   tcp,udp,tcp6,udp6                nlockmgr    super=
user
     100005  3,1       tcp,udp,tcp6,udp6                mountd      super=
user

mount.nfs4 172.22.1.4:/zdata/xen-iso-storage /iso-storage/
mount.nfs4 172.22.1.4:/zdata/xen-iso-library /iso-storage/

mount
172.22.1.4:/zdata/xen-iso-library on /iso-storage type nfs4 (rw,relatime,=
vers=3D4.1,rsize=3D131072,wsize=3D131072,namlen=3D255,hard,proto=3Dtcp,ti=
meo=3D600,retrans=3D2,sec=3Dsys,clientaddr=3D172.22.1.7,local_lock=3Dnone=
,addr=3D172.22.1.4)
172.22.1.4:/zdata/xen-nfs-storage on /nfs-storage type nfs4 (rw,relatime,=
vers=3D4.1,rsize=3D131072,wsize=3D131072,namlen=3D255,hard,proto=3Dtcp,ti=
meo=3D600,retrans=3D2,sec=3Dsys,clientaddr=3D172.22.1.7,local_lock=3Dnone=
,addr=3D172.22.1.4)

Digging again deeper, I see in log on the client, that missing nfsd in=20
rpcinfo -s call is probably main culprit here. From where came "missing=20
serverpath" error I don't know. Also setting rpcdebug -m [nfs|rpc] -s=20
all (set all debug flags for those two modules) on client yeld nothing=20
at all.

Dec 27 22:31:36 xen-2u SM: [25530] _testHost: Testing host/port: storage-=
smc.ujezd.net,2049
Dec 27 22:31:36 xen-2u SM: [25530] scanning2 (target=3Dstorage-smc.ujezd.=
net)
Dec 27 22:31:36 xen-2u SM: [25530] scanning
Dec 27 22:31:36 xen-2u SM: [25530] ['/usr/sbin/showmount', '--no-headers'=
, '-e', 'storage-smc.ujezd.net']
Dec 27 22:31:36 xen-2u SM: [25530]   pread SUCCESS
Dec 27 22:31:36 xen-2u SM: [25530] Raising exception [101, The request is=
 missing the serverpath parameter]
Dec 27 22:31:36 xen-2u SM: [25530] lock: released /var/lock/sm/sr
Dec 27 22:31:36 xen-2u SM: [25530] ***** generic exception: sr_probe: EXC=
EPTION <class 'SR.SROSError'>, The request is missing the serverpath para=
meter
Dec 27 22:31:36 xen-2u SM: [25530]   File "/opt/xensource/sm/SRCommand.py=
", line 110, in run
Dec 27 22:31:36 xen-2u SM: [25530]     return self._run_locked(sr)
Dec 27 22:31:36 xen-2u SM: [25530]   File "/opt/xensource/sm/SRCommand.py=
", line 159, in _run_locked
Dec 27 22:31:36 xen-2u SM: [25530]     rv =3D self._run(sr, target)
Dec 27 22:31:36 xen-2u SM: [25530]   File "/opt/xensource/sm/SRCommand.py=
", line 332, in _run
Dec 27 22:31:36 xen-2u SM: [25530]     txt =3D sr.probe()
Dec 27 22:31:36 xen-2u SM: [25530]   File "/opt/xensource/sm/NFSSR", line=
 164, in probe
Dec 27 22:31:36 xen-2u SM: [25530]     self.validate_remotepath(True)
Dec 27 22:31:36 xen-2u SM: [25530]   File "/opt/xensource/sm/NFSSR", line=
 109, in validate_remotepath
Dec 27 22:31:36 xen-2u SM: [25530]     raise xs_errors.XenError('ConfigSe=
rverPathMissing')
Dec 27 22:31:36 xen-2u SM: [25530]
Dec 27 22:31:36 xen-2u SM: [25530] ***** NFS VHD: EXCEPTION <class 'SR.SR=
OSError'>, The request is missing the serverpath parameter
Dec 27 22:31:36 xen-2u SM: [25530]   File "/opt/xensource/sm/SRCommand.py=
", line 378, in run
Dec 27 22:31:36 xen-2u SM: [25530]     ret =3D cmd.run(sr)
Dec 27 22:31:36 xen-2u SM: [25530]   File "/opt/xensource/sm/SRCommand.py=
", line 110, in run
Dec 27 22:31:36 xen-2u SM: [25530]     return self._run_locked(sr)
Dec 27 22:31:36 xen-2u SM: [25530]   File "/opt/xensource/sm/SRCommand.py=
", line 159, in _run_locked
Dec 27 22:31:36 xen-2u SM: [25530]     rv =3D self._run(sr, target)
Dec 27 22:31:36 xen-2u SM: [25530]   File "/opt/xensource/sm/SRCommand.py=
", line 332, in _run
Dec 27 22:31:36 xen-2u SM: [25530]     txt =3D sr.probe()
Dec 27 22:31:36 xen-2u SM: [25530]   File "/opt/xensource/sm/NFSSR", line=
 164, in probe
Dec 27 22:31:36 xen-2u SM: [25530]     self.validate_remotepath(True)
Dec 27 22:31:36 xen-2u SM: [25530]   File "/opt/xensource/sm/NFSSR", line=
 109, in validate_remotepath
Dec 27 22:31:36 xen-2u SM: [25530]     raise xs_errors.XenError('ConfigSe=
rverPathMissing')
Dec 27 22:31:36 xen-2u SM: [25530]
Dec 27 22:32:02 xen-2u SM: [25713] sr_create {'sr_uuid': '34c61bf5-32d6-a=
0b7-47e7-65209f69ddb9', 'subtask_of': 'DummyRef:|2360ef68-4b8d-4db8-8943-=
ec4370f77fa7|SR.create', 'args': ['0'], 'host_ref': 'OpaqueRef:2669e2f3-3=
00e-4748-916f-5811c337e830', 'session_ref': 'OpaqueRef:8f327b0d-9799-420e=
-8164-a81353aa99ee', 'device_config': {'location': 'storage-smc.ujezd.net=
:/zdata/xen-iso-library', 'type': 'nfs_iso', 'SRmaster': 'true', 'nfsvers=
ion': '4'}, 'command': 'sr_create', 'sr_ref': 'OpaqueRef:55ecd645-3bf5-4a=
06-8aae-79443b019047'}
Dec 27 22:32:02 xen-2u SM: [25713] _testHost: Testing host/port: storage-=
smc.ujezd.net,2049
Dec 27 22:32:02 xen-2u SM: [25713] ['/usr/sbin/rpcinfo', '-s', 'storage-s=
mc.ujezd.net']
Dec 27 22:32:02 xen-2u SM: [25713]   pread SUCCESS
Dec 27 22:32:02 xen-2u SM: [25713] NFS service not ready on server storag=
e-smc.ujezd.net

And this is part of the code I suspect produces that error

RPCINFO_BIN =3D "/usr/sbin/rpcinfo"
SHOWMOUNT_BIN =3D "/usr/sbin/showmount"
[...]
def check_server_service(server):
     """Ensure NFS service is up and available on the remote server.

     Returns False if fails to detect service after
     NFS_SERVICE_RETRY * NFS_SERVICE_WAIT
     """

     retries =3D 0
     errlist =3D [errno.EPERM, errno.EPIPE, errno.EIO]

     while True:
         try:
             services =3D util.pread([RPCINFO_BIN, "-s", "%s" % server])
             services =3D services.split("\n")
             for i in range(len(services)):
                 if services[i].find("nfs") > 0:
                     return True
         except util.CommandException, inst:
             if not int(inst.code) in errlist:
                 raise

         util.SMlog("NFS service not ready on server %s" % server)
         retries +=3D 1
         if retries >=3D NFS_SERVICE_RETRY:
             break

         time.sleep(NFS_SERVICE_WAIT)

     return False

[...]

Best regards

Ondra Knezour




--------------ms020003080204000504070207
Content-Type: application/pkcs7-signature; name="smime.p7s"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="smime.p7s"
Content-Description: Elektronicky podpis S/MIME

MIAGCSqGSIb3DQEHAqCAMIACAQExDzANBglghkgBZQMEAgEFADCABgkqhkiG9w0BBwEAAKCC
EAUwggewMIIFmKADAgECAgIQETANBgkqhkiG9w0BAQ0FADBlMQswCQYDVQQGEwJDWjEXMBUG
A1UEYRMOTlRSQ1otNDcxMTQ5ODMxHTAbBgNVBAoMFMSMZXNrw6EgcG/FoXRhLCBzLnAuMR4w
HAYDVQQDExVQb3N0U2lnbnVtIFJvb3QgUUNBIDQwHhcNMTgwOTI3MDczOTIzWhcNMzMwOTI3
MDczOTIzWjBpMQswCQYDVQQGEwJDWjEXMBUGA1UEYRMOTlRSQ1otNDcxMTQ5ODMxHTAbBgNV
BAoMFMSMZXNrw6EgcG/FoXRhLCBzLnAuMSIwIAYDVQQDExlQb3N0U2lnbnVtIFF1YWxpZmll
ZCBDQSA0MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAufhybRoyz3Y8nWLACeVN
Ui7ZYHNFw9IeBTQLs7f67EqUpVelFU6W+jeOJBQ+HvawXXgNnQRp5IOKF09/YFI6A8/Y79U0
onXCptFbRGPooGGdEbOzSLkBKDDc5AZoGCy2cjuUXHjWveMqC1XaRrtXCG4eVieghMND1Kzb
qWCgA1L/LY8AJdkH+iN2Lq7u/YYSBdMuDC+E7YvtfLjbtAP9Wy9ezIf+zDP+2moL9Z1F5/9F
16fTEZuTLqo1gvvR4F+qC+sZUUSh0UZrnjegO6cQWDpJW/gv6R2XGp6hJnqP2JBqaE6qBh7W
Az2+SEaUD/VBctDzGGkNA/w4xWh/GHGdaUnAwvPFp2xbvE6Zokmds+iTRvlGYpD4zDb44zAX
uybrNlMTMYZvrp0eHlnftrYX7z8K480ksDoumOyf72YuZlo6LxdViayBsCQaogOjd+cQFiAt
SnJxRUdIL6lErW/kg4FfAhcZVMuPDdI/oJ9DD7YclnImxxTADFAvtpwDqYmdrmaSTSeHXkid
Ki7kX70crKmbuneJjpL7uvVcjIFkBJFmol6fkOcpBd70jmnoFdV5sCzD4lrwcBcxVHet0OPq
INSSfMzO1+8TyTKZnoMFnZcWoMm4e51EO3IhoymycPd13I7qGv35YD/SI7zodZuLBT/IUmQV
uNwH3j6t4NZEtJUCAwEAAaOCAmQwggJgMIHVBgNVHSAEgc0wgcowgccGBFUdIAAwgb4wgbsG
CCsGAQUFBwICMIGuGoGrVGVudG8gY2VydGlmaWthdCBwcm8gZWxla3Ryb25pY2tvdSBwZWNl
dCBieWwgdnlkYW4gdiBzb3VsYWR1IHMgbmFyaXplbmltIEVVIGMuIDkxMC8yMDE0LlRoaXMg
aXMgYSBjZXJ0aWZpY2F0ZSBmb3IgZWxlY3Ryb25pYyBzZWFsIGFjY29yZGluZyB0byBSZWd1
bGF0aW9uIChFVSkgTm8gOTEwLzIwMTQuMBIGA1UdEwEB/wQIMAYBAf8CAQAwegYIKwYBBQUH
AQEEbjBsMDcGCCsGAQUFBzAChitodHRwOi8vY3J0LnBvc3RzaWdudW0uY3ovY3J0L3Bzcm9v
dHFjYTQuY3J0MDEGCCsGAQUFBzABhiVodHRwOi8vb2NzcC5wb3N0c2lnbnVtLmN6L09DU1Av
UlFDQTQvMA4GA1UdDwEB/wQEAwIBBjAfBgNVHSMEGDAWgBSTGDYfqWlwUTWqTz+sjVB+JgUp
CjCBpQYDVR0fBIGdMIGaMDGgL6AthitodHRwOi8vY3JsLnBvc3RzaWdudW0uY3ovY3JsL3Bz
cm9vdHFjYTQuY3JsMDKgMKAuhixodHRwOi8vY3JsMi5wb3N0c2lnbnVtLmN6L2NybC9wc3Jv
b3RxY2E0LmNybDAxoC+gLYYraHR0cDovL2NybC5wb3N0c2lnbnVtLmV1L2NybC9wc3Jvb3Rx
Y2E0LmNybDAdBgNVHQ4EFgQUDyh8PjYAOBBQrj24IZeL92BcYXgwDQYJKoZIhvcNAQENBQAD
ggIBABuGFixikXQXOPeKKwO8lrZxavCXzjowiWBDmyBzpvidK0pyiYNnqaYKJ2k99/LX0l8n
8TF0t7XM0TDzZN2uN7pYPDDoLte3oOgIT60yyvAlKDRb2KsWtAMibJJRBCGUUmygB8Dw8mys
fE0+TMpJa0WG35IqVKgsP7Z4ZS3rwU0m1TTcE+b5rZ5Nfn5o8qZoz7i7q2H3lpzSyGXBbZPX
3vG5Wa/pZ3qlUDS9bNLtZdMZu77MWi19igZ7Hq4Xp/8OE/zFJEPY7cxW+Wj+DdtCZRsht0e6
03w2FxFFefevehicFYBf6g48TzUxurRvB+15IMnNZzNFXtE502oyb2PGrcOykehW1fAOPVHg
fQNFxixyD2S68Lvi/IfKt61X76lIBOt3RnglMHveIxXGjMIpqdwf69ulbOAMuetmPQ8gtvy8
4U6TMGTJRoyefJBv2rqQm91ZDgoLMAs1grUjOOjoZdeVjvutdJD/+zR7P0zdGNZ/Nn9sRlOm
uwdlU1Z/udrvco9PtKT8qN5fQfpYY9wYneubRPU4LCwix8FnqhxKcR7mtbVVdEjrDCjD+tEU
b27RHSklTyQXUUq1ENa0FplMNs4lneg5wMraIq5RHG3iqAqE9Th5E+s+JyoAZB54p+y8pzdg
lEdXY/8+sr8VPUjwtqzmS3EgrGqnbiN1iYeAd1o0MIIITTCCBjWgAwIBAgIEAVK5BjANBgkq
hkiG9w0BAQsFADBpMQswCQYDVQQGEwJDWjEXMBUGA1UEYRMOTlRSQ1otNDcxMTQ5ODMxHTAb
BgNVBAoMFMSMZXNrw6EgcG/FoXRhLCBzLnAuMSIwIAYDVQQDExlQb3N0U2lnbnVtIFF1YWxp
ZmllZCBDQSA0MB4XDTIwMDgzMTA2NDkyMFoXDTIxMDkyMDA2NDkyMFowgaExCzAJBgNVBAYT
AkNaMRcwFQYDVQRhEw5OVFJDWi02ODg4NTQ4MjEaMBgGA1UECgwRT25kxZllaiBLbsSbxb5v
dXIxCjAIBgNVBAsTATExGjAYBgNVBAMMEU9uZMWZZWogS27Em8W+b3VyMRIwEAYDVQQEDAlL
bsSbxb5vdXIxEDAOBgNVBCoMB09uZMWZZWoxDzANBgNVBAUTBlAxODIzNjCCASIwDQYJKoZI
hvcNAQEBBQADggEPADCCAQoCggEBANRgqhfMT27FOuxPYzPOFFgHaBG2vpKUVZX751RO//cZ
tN4vaRxOnxQUSr/j8M2G+cwkaG+srbm60Bwt+f4t3oKSIaoYjzookXgHiiaG5zggeqNKP8Vk
fBHA5LuCCm2vESWqWPaRI3HgdusmVinEvaRi28uQiEoKpcqktqU6YjOGv+B5sgt65TBhenby
2OgjjHKF/Jqqd0GYvkTl0G1s8uVxj69ihrt29AVadp2M3UFrkuSE57WdIhCtTkW/Ik8IH3DP
OCUtRMMlehj6QQYWunFFs1yG9pNvG0WZYqmzTvpXVRPR98UKDWdFeUB284S6yeiP4vS3cXAy
GzhQZM4f/xkCAwEAAaOCA8IwggO+MD8GA1UdEQQ4MDaBGWtuZXpvdXJAd2Vib3V0c291cmNp
bmcuY3qgGQYJKwYBBAHcGQIBoAwTCjExMjg5MTE4NjEwCQYDVR0TBAIwADCCASwGA1UdIASC
ASMwggEfMIIBEAYJZ4EGAQQBEYFIMIIBATCB2AYIKwYBBQUHAgIwgcsagchUZW50byBrdmFs
aWZpa292YW55IGNlcnRpZmlrYXQgcHJvIGVsZWt0cm9uaWNreSBwb2RwaXMgYnlsIHZ5ZGFu
IHYgc291bGFkdSBzIG5hcml6ZW5pbSBFVSBjLiA5MTAvMjAxNC5UaGlzIGlzIGEgcXVhbGlm
aWVkIGNlcnRpZmljYXRlIGZvciBlbGVjdHJvbmljIHNpZ25hdHVyZSBhY2NvcmRpbmcgdG8g
UmVndWxhdGlvbiAoRVUpIE5vIDkxMC8yMDE0LjAkBggrBgEFBQcCARYYaHR0cDovL3d3dy5w
b3N0c2lnbnVtLmN6MAkGBwQAi+xAAQAwgZsGCCsGAQUFBwEDBIGOMIGLMAgGBgQAjkYBATBq
BgYEAI5GAQUwYDAuFihodHRwczovL3d3dy5wb3N0c2lnbnVtLmN6L3Bkcy9wZHNfZW4ucGRm
EwJlbjAuFihodHRwczovL3d3dy5wb3N0c2lnbnVtLmN6L3Bkcy9wZHNfY3MucGRmEwJjczAT
BgYEAI5GAQYwCQYHBACORgEGATB9BggrBgEFBQcBAQRxMG8wOwYIKwYBBQUHMAKGL2h0dHA6
Ly9jcnQucG9zdHNpZ251bS5jei9jcnQvcHNxdWFsaWZpZWRjYTQuY3J0MDAGCCsGAQUFBzAB
hiRodHRwOi8vb2NzcC5wb3N0c2lnbnVtLmN6L09DU1AvUUNBNC8wDgYDVR0PAQH/BAQDAgXg
MB8GA1UdJQQYMBYGCCsGAQUFBwMEBgorBgEEAYI3CgMMMB8GA1UdIwQYMBaAFA8ofD42ADgQ
UK49uCGXi/dgXGF4MIGxBgNVHR8EgakwgaYwNaAzoDGGL2h0dHA6Ly9jcmwucG9zdHNpZ251
bS5jei9jcmwvcHNxdWFsaWZpZWRjYTQuY3JsMDagNKAyhjBodHRwOi8vY3JsMi5wb3N0c2ln
bnVtLmN6L2NybC9wc3F1YWxpZmllZGNhNC5jcmwwNaAzoDGGL2h0dHA6Ly9jcmwucG9zdHNp
Z251bS5ldS9jcmwvcHNxdWFsaWZpZWRjYTQuY3JsMB0GA1UdDgQWBBSnhnDHAreHeXLSacaI
/Z8kg9/lLjANBgkqhkiG9w0BAQsFAAOCAgEAq5EvldLkudiwRjrWhpSvwZPEHXuh0cwUssY4
PPhJgbFp/LgWtKyN4/pg6o0CgJB7cnNARH5RoBKiZY0EIXhi0ihp6IwspU5MndkCIjjqIAsa
rAWeEVGWmy/DyBN72lOWKzDT8FgZUE1yUqOP5UVHo1IMU0R0dmPx9w+K043K1V/7AU5RaX0s
TCpDqCuQtpCPTTzeQExjpYRvC1CsEm4LXgXpJtrShrMp1XyHddMnOsUJ8eN96LlwvxdeNrEu
Nt+d9WgJQgq5S8VuoLe6YmRiBCHvzDOhmQvi9OTFTB2hwXiin9qXDLhP7aKLVHK7mB91lRhs
Z+XLkMT1LdwHnq0urNSY5r6gZH1oGTGaDjHRLPci/evsdck36I1izjWNpgP4a1Ppay/qbwp0
GlcsIvE7x29AiVvsAJM+20D+Vxl5hcID0vdYze62FbuZktGG6u5yikIjVQE0qv9W91LZuAfm
X+KUJR6bcCdLwn5oeq15sXKUekuU7QMbMc4U7VFSggxpp9+wjg5JnSN8CTGp1iuCMOVLF6ov
n7jM9EW6DQvxngSF4L6Z0GnrbSUf5iOqPg26/Fps3squSEMvO2sNLT3qNCjLEQjNezyctwR+
JWn7WKQ9wl+O4gkYZ++PRo4Yu4GZr5els7L9Zkp4OgwEHfGAvZz5JX/Lh9oi+/vXt022mFcx
ggN/MIIDewIBATBxMGkxCzAJBgNVBAYTAkNaMRcwFQYDVQRhEw5OVFJDWi00NzExNDk4MzEd
MBsGA1UECgwUxIxlc2vDoSBwb8WhdGEsIHMucC4xIjAgBgNVBAMTGVBvc3RTaWdudW0gUXVh
bGlmaWVkIENBIDQCBAFSuQYwDQYJYIZIAWUDBAIBBQCgggHfMBgGCSqGSIb3DQEJAzELBgkq
hkiG9w0BBwEwHAYJKoZIhvcNAQkFMQ8XDTIxMDExMTAzMDAwNlowLwYJKoZIhvcNAQkEMSIE
IBMjPun/Nap9o0RIF54ogefhmzF3yh4glnFCpLZd6YqQMGwGCSqGSIb3DQEJDzFfMF0wCwYJ
YIZIAWUDBAEqMAsGCWCGSAFlAwQBAjAKBggqhkiG9w0DBzAOBggqhkiG9w0DAgICAIAwDQYI
KoZIhvcNAwICAUAwBwYFKw4DAgcwDQYIKoZIhvcNAwICASgwgYAGCSsGAQQBgjcQBDFzMHEw
aTELMAkGA1UEBhMCQ1oxFzAVBgNVBGETDk5UUkNaLTQ3MTE0OTgzMR0wGwYDVQQKDBTEjGVz
a8OhIHBvxaF0YSwgcy5wLjEiMCAGA1UEAxMZUG9zdFNpZ251bSBRdWFsaWZpZWQgQ0EgNAIE
AVK5BjCBggYLKoZIhvcNAQkQAgsxc6BxMGkxCzAJBgNVBAYTAkNaMRcwFQYDVQRhEw5OVFJD
Wi00NzExNDk4MzEdMBsGA1UECgwUxIxlc2vDoSBwb8WhdGEsIHMucC4xIjAgBgNVBAMTGVBv
c3RTaWdudW0gUXVhbGlmaWVkIENBIDQCBAFSuQYwDQYJKoZIhvcNAQEBBQAEggEALpKhJHxa
qFOi9H/UiehQpwW5CU7e5hTrknpkMiVCyfwrUrJ0LOhn8uQO85oTbogwGsRB6XDbltsxLRl3
525DVsiLSjBPahG5m/dsL58zd6n1WRESk+3gwH7g/xQc8oRx3HcpVALz/OWVDnbZmtl8Rm5h
48yB7jvBm5Rf60yTgIFbgcaY7vBCBvJ7dt0RkpaNMoc4OFWpSUEmv4eLXC5ZiuRZWgQIFUju
1n9oGm7vxnwhwFKnTBmclOI6tchLR3CZGHEUOTEt78SFsWuuy7ECtKwNetEm64RYxrJnKegD
JmtzUME0BNU5lIOAbrb6qTmZ/26v7ACrMI7od+q6WDK+WwAAAAAAAA==
--------------ms020003080204000504070207--