From d9eaea2cc3f26945db99ee4d624c3a4afb58f703 Mon Sep 17 00:00:00 2001
From: "Michael N. Lipp" <mnl@mnl.de>
Date: Thu, 13 Jun 2024 15:45:20 +0200
Subject: [PATCH 001/274] Set version.

---
 deploy/vmop-deployment.yaml | 2 +-
 dev-example/test-vm.yaml    | 3 +--
 2 files changed, 2 insertions(+), 3 deletions(-)

diff --git a/deploy/vmop-deployment.yaml b/deploy/vmop-deployment.yaml
index 648cc39..63b3d1e 100644
--- a/deploy/vmop-deployment.yaml
+++ b/deploy/vmop-deployment.yaml
@@ -20,7 +20,7 @@ spec:
       containers:
         - name: vm-operator
           image: >-
-            ghcr.io/mnlipp/org.jdrupes.vmoperator.manager:latest
+            ghcr.io/mnlipp/org.jdrupes.vmoperator.manager:3.0.0
           volumeMounts:
             - name: config
               mountPath: /etc/opt/vmoperator
diff --git a/dev-example/test-vm.yaml b/dev-example/test-vm.yaml
index e874ef8..4acbfe4 100644
--- a/dev-example/test-vm.yaml
+++ b/dev-example/test-vm.yaml
@@ -7,8 +7,7 @@ spec:
   image:
     repository: docker-registry.lan.mnl.de
     path: vmoperator/org.jdrupes.vmoperator.runner.qemu-alpine
-    version: latest
-    pullPolicy: Always
+    version: 3.0.0
 
   permissions:
     - user: admin

From bda983f753d7771f2226107e93456c05664cb3d6 Mon Sep 17 00:00:00 2001
From: "Michael N. Lipp" <mnl@mnl.de>
Date: Sat, 22 Jun 2024 15:22:57 +0200
Subject: [PATCH 002/274] Update.

---
 deploy/vmop-deployment.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/deploy/vmop-deployment.yaml b/deploy/vmop-deployment.yaml
index 648cc39..b7467d4 100644
--- a/deploy/vmop-deployment.yaml
+++ b/deploy/vmop-deployment.yaml
@@ -20,7 +20,7 @@ spec:
       containers:
         - name: vm-operator
           image: >-
-            ghcr.io/mnlipp/org.jdrupes.vmoperator.manager:latest
+            ghcr.io/mnlipp/org.jdrupes.vmoperator.manager:3.1.1
           volumeMounts:
             - name: config
               mountPath: /etc/opt/vmoperator

From 6c1dde7e822f12ced48ffd48912b54098d64ac4e Mon Sep 17 00:00:00 2001
From: "Michael N. Lipp" <mnl@mnl.de>
Date: Sat, 10 Aug 2024 13:41:05 +0200
Subject: [PATCH 003/274] Update image version.

---
 deploy/vmop-deployment.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/deploy/vmop-deployment.yaml b/deploy/vmop-deployment.yaml
index 648cc39..adbfb3b 100644
--- a/deploy/vmop-deployment.yaml
+++ b/deploy/vmop-deployment.yaml
@@ -20,7 +20,7 @@ spec:
       containers:
         - name: vm-operator
           image: >-
-            ghcr.io/mnlipp/org.jdrupes.vmoperator.manager:latest
+            ghcr.io/mnlipp/org.jdrupes.vmoperator.manager:3.2.0
           volumeMounts:
             - name: config
               mountPath: /etc/opt/vmoperator

From 69767d6f5e474cdcccc3de86bfe46ca3a85c03e2 Mon Sep 17 00:00:00 2001
From: "Michael N. Lipp" <mnl@mnl.de>
Date: Tue, 20 Aug 2024 10:04:23 +0200
Subject: [PATCH 004/274] Minor edits.

---
 webpages/vm-operator/index.md | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/webpages/vm-operator/index.md b/webpages/vm-operator/index.md
index 32d2cd5..9859fe2 100644
--- a/webpages/vm-operator/index.md
+++ b/webpages/vm-operator/index.md
@@ -1,6 +1,6 @@
 ---
-title: Run Qemu based VMs on Kubernetes
-description: A Kubernetes operator for running virtual machines (notably Qemu VMs) in pods on Kubernetes with a web interface for admins and users.
+title: Run VMs on Kubernetes using Qemu/KVM and SPICE
+description: A solution for running VMs on Kubernetes with a web interface for admins and users. Focuses on running Qemu/KVM virtual machines and using SPICE as display protocol.
 layout: vm-operator
 ---
 
@@ -8,8 +8,8 @@ layout: vm-operator
 
 ![Overview picture](index-pic.svg)
 
-The goal of this project is to provide easy to use and flexible components
-for running Qemu based VMs in Kubernetes pods. 
+The goal of this project is to provide an easy to use and flexible solution
+for running Qemu/KVM based VMs in Kubernetes pods.
 
 The image used for the VM pods combines Qemu and a control program
 for starting and managing the Qemu process. This application is called

From 8adb1d2c1cd1d05323334dcab8a2cc95d61ee8ee Mon Sep 17 00:00:00 2001
From: "Michael N. Lipp" <mnl@mnl.de>
Date: Tue, 20 Aug 2024 10:30:31 +0200
Subject: [PATCH 005/274] Update version.

---
 dev-example/test-vm.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/dev-example/test-vm.yaml b/dev-example/test-vm.yaml
index 4acbfe4..b716159 100644
--- a/dev-example/test-vm.yaml
+++ b/dev-example/test-vm.yaml
@@ -7,7 +7,7 @@ spec:
   image:
     repository: docker-registry.lan.mnl.de
     path: vmoperator/org.jdrupes.vmoperator.runner.qemu-alpine
-    version: 3.0.0
+    version: 3.2.0
 
   permissions:
     - user: admin

From 452e0604cacf5765129a780b5f97079eb015af98 Mon Sep 17 00:00:00 2001
From: "Michael N. Lipp" <mnl@mnl.de>
Date: Sun, 6 Oct 2024 14:07:09 +0200
Subject: [PATCH 006/274] Update version.

---
 deploy/vmop-deployment.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/deploy/vmop-deployment.yaml b/deploy/vmop-deployment.yaml
index 648cc39..33d9674 100644
--- a/deploy/vmop-deployment.yaml
+++ b/deploy/vmop-deployment.yaml
@@ -20,7 +20,7 @@ spec:
       containers:
         - name: vm-operator
           image: >-
-            ghcr.io/mnlipp/org.jdrupes.vmoperator.manager:latest
+            ghcr.io/mnlipp/org.jdrupes.vmoperator.manager:3.4.0
           volumeMounts:
             - name: config
               mountPath: /etc/opt/vmoperator

From 86d3c757796a0613b30ed8d9db3fd1ffb60da213 Mon Sep 17 00:00:00 2001
From: "Michael N. Lipp" <mnl@mnl.de>
Date: Sat, 26 Oct 2024 22:56:11 +0200
Subject: [PATCH 007/274] Update.

---
 deploy/vmop-deployment.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/deploy/vmop-deployment.yaml b/deploy/vmop-deployment.yaml
index 33d9674..f7cc45b 100644
--- a/deploy/vmop-deployment.yaml
+++ b/deploy/vmop-deployment.yaml
@@ -20,7 +20,7 @@ spec:
       containers:
         - name: vm-operator
           image: >-
-            ghcr.io/mnlipp/org.jdrupes.vmoperator.manager:3.4.0
+            ghcr.io/mnlipp/org.jdrupes.vmoperator.manager:3.4.1
           volumeMounts:
             - name: config
               mountPath: /etc/opt/vmoperator

From c8781c2d8eedd193e90744412aee3bbd5e4c75a7 Mon Sep 17 00:00:00 2001
From: Michael Lipp <mnl@mnl.de>
Date: Fri, 8 Nov 2024 16:48:07 +0000
Subject: [PATCH 008/274] Use less gson internally.

---
 dev-example/config.yaml                       |  20 +-
 dev-example/kustomization.yaml                |  20 +-
 dev-example/test-vm.yaml                      |  14 +-
 .../org/jdrupes/vmoperator/common/K8s.java    |  21 --
 .../vmoperator/common/K8sGenericStub.java     |  22 +-
 .../vmoperator/common/VmDefinition.java       | 332 ++++++++++++++++++
 .../vmoperator/common/VmDefinitionModel.java  | 104 ------
 .../manager/events/GetDisplayPassword.java    |   8 +-
 .../vmoperator/manager/events/VmChannel.java  |  14 +-
 .../manager/events/VmDefChanged.java          |  18 +-
 .../vmoperator/manager/runnerConfig.ftl.yaml  | 139 ++++----
 .../vmoperator/manager/runnerDataPvc.ftl.yaml |   4 +-
 .../vmoperator/manager/runnerDiskPvc.ftl.yaml |   8 +-
 .../manager/runnerLoadBalancer.ftl.yaml       |  16 +-
 .../vmoperator/manager/runnerPod.ftl.yaml     |  73 ++--
 .../vmoperator/manager/runnerSts.ftl.yaml     | 194 ----------
 .../manager/ConfigMapReconciler.java          |   7 +-
 .../manager/DisplaySecretMonitor.java         |   5 +-
 .../manager/DisplaySecretReconciler.java      |  24 +-
 .../manager/LoadBalancerReconciler.java       | 104 ++++--
 .../vmoperator/manager/PodReconciler.java     |  17 +-
 .../vmoperator/manager/PvcReconciler.java     |  52 ++-
 .../vmoperator/manager/Reconciler.java        | 193 +++++-----
 .../manager/StatefulSetReconciler.java        |  33 +-
 .../jdrupes/vmoperator/manager/VmMonitor.java |  90 ++---
 .../test-resources/basic-vm.yaml              |  64 ++++
 .../test-resources/unittest-vm.yaml           |  35 --
 .../vmoperator/manager/BasicTests.java        | 319 ++++++++++++++---
 .../org/jdrupes/vmoperator/util/DataPath.java | 176 ++++++++++
 org.jdrupes.vmoperator.vmconlet/build.gradle  |   2 +-
 .../jdrupes/vmoperator/vmconlet/VmConlet.java | 113 +++---
 org.jdrupes.vmoperator.vmviewer/build.gradle  |   2 +-
 .../jdrupes/vmoperator/vmviewer/VmViewer.java |  67 ++--
 33 files changed, 1405 insertions(+), 905 deletions(-)
 create mode 100644 org.jdrupes.vmoperator.common/src/org/jdrupes/vmoperator/common/VmDefinition.java
 delete mode 100644 org.jdrupes.vmoperator.manager/resources/org/jdrupes/vmoperator/manager/runnerSts.ftl.yaml
 create mode 100644 org.jdrupes.vmoperator.manager/test-resources/basic-vm.yaml
 delete mode 100644 org.jdrupes.vmoperator.manager/test-resources/unittest-vm.yaml
 create mode 100644 org.jdrupes.vmoperator.util/src/org/jdrupes/vmoperator/util/DataPath.java

diff --git a/dev-example/config.yaml b/dev-example/config.yaml
index 579103d..3f973e4 100644
--- a/dev-example/config.yaml
+++ b/dev-example/config.yaml
@@ -9,6 +9,14 @@
     "/Reconciler":
       runnerData:
         storageClassName: null
+      loadBalancerService:
+        labels:
+          label1: label1
+          label2: toBeReplaced
+        annotations:
+          metallb.universe.tf/loadBalancerIPs: 192.168.168.1
+          metallb.universe.tf/ip-allocated-from-pool: single-common
+          metallb.universe.tf/allow-shared-ip: single-common
   "/GuiSocketServer":
     port: 8888
   "/GuiHttpServer":
@@ -17,12 +25,12 @@
       "/WebConsole":
         "/LoginConlet":
           users:
-            - name: admin
-              fullName: Administrator
-              password: "$2b$05$NiBd74ZGdplLC63ePZf1f.UtjMKkbQ23cQoO2OKOFalDBHWAOy21."
-            - name: test
-              fullName: Test Account
-              password: "$2b$05$hZaI/jToXf/d3BctZdT38Or7H7h6Pn2W3WiB49p5AyhDHFkkYCvo2"
+          - name: admin
+            fullName: Administrator
+            password: "$2b$05$NiBd74ZGdplLC63ePZf1f.UtjMKkbQ23cQoO2OKOFalDBHWAOy21."
+          - name: test
+            fullName: Test Account
+            password: "$2b$05$hZaI/jToXf/d3BctZdT38Or7H7h6Pn2W3WiB49p5AyhDHFkkYCvo2"
         "/RoleConfigurator":
           rolesByUser:
             # User admin has role admin
diff --git a/dev-example/kustomization.yaml b/dev-example/kustomization.yaml
index 19b6295..f6e51b8 100644
--- a/dev-example/kustomization.yaml
+++ b/dev-example/kustomization.yaml
@@ -35,6 +35,14 @@ patches:
             "/Reconciler":
               runnerData:
                 storageClassName: null
+              loadBalancerService:
+                labels:
+                  label1: label1
+                  label2: toBeReplaced
+                annotations:
+                  metallb.universe.tf/loadBalancerIPs: 192.168.168.1
+                  metallb.universe.tf/ip-allocated-from-pool: single-common
+                  metallb.universe.tf/allow-shared-ip: single-common
           "/GuiSocketServer":
             port: 8888
           "/GuiHttpServer":
@@ -43,12 +51,12 @@ patches:
               "/WebConsole":
                 "/LoginConlet":
                   users:
-                    admin:
-                      fullName: Administrator
-                      password: "$2b$05$NiBd74ZGdplLC63ePZf1f.UtjMKkbQ23cQoO2OKOFalDBHWAOy21."
-                    test:
-                      fullName: Test Account
-                      password: "$2b$05$hZaI/jToXf/d3BctZdT38Or7H7h6Pn2W3WiB49p5AyhDHFkkYCvo2"
+                  - name: admin
+                    fullName: Administrator
+                    password: "$2b$05$NiBd74ZGdplLC63ePZf1f.UtjMKkbQ23cQoO2OKOFalDBHWAOy21."
+                  - name: test
+                    fullName: Test Account
+                    password: "$2b$05$hZaI/jToXf/d3BctZdT38Or7H7h6Pn2W3WiB49p5AyhDHFkkYCvo2"
                 "/RoleConfigurator":
                   rolesByUser:
                     # User admin has role admin
diff --git a/dev-example/test-vm.yaml b/dev-example/test-vm.yaml
index e874ef8..6f71b6a 100644
--- a/dev-example/test-vm.yaml
+++ b/dev-example/test-vm.yaml
@@ -11,12 +11,12 @@ spec:
     pullPolicy: Always
 
   permissions:
-    - user: admin
-      may: 
-      - "*"
-    - user: test
-      may:
-      - "accessConsole"
+  - user: admin
+    may: 
+    - "*"
+  - user: test
+    may:
+    - "accessConsole"
 
   resources:
     requests:
@@ -62,3 +62,5 @@ spec:
       spice:
         port: 5810
         generateSecret: true
+
+  loadBalancerService: {}
diff --git a/org.jdrupes.vmoperator.common/src/org/jdrupes/vmoperator/common/K8s.java b/org.jdrupes.vmoperator.common/src/org/jdrupes/vmoperator/common/K8s.java
index 481f724..7a28185 100644
--- a/org.jdrupes.vmoperator.common/src/org/jdrupes/vmoperator/common/K8s.java
+++ b/org.jdrupes.vmoperator.common/src/org/jdrupes/vmoperator/common/K8s.java
@@ -157,27 +157,6 @@ public class K8s {
         return Optional.of(apiRes);
     }
 
-    /**
-     * Get an object from its metadata.
-     *
-     * @param <T> the generic type
-     * @param <LT> the generic type
-     * @param api the api
-     * @param meta the meta
-     * @return the object
-     */
-    @Deprecated
-    @SuppressWarnings("PMD.GenericsNaming")
-    public static <T extends KubernetesObject, LT extends KubernetesListObject>
-            Optional<T>
-            get(GenericKubernetesApi<T, LT> api, V1ObjectMeta meta) {
-        var response = api.get(meta.getNamespace(), meta.getName());
-        if (response.isSuccess()) {
-            return Optional.of(response.getObject());
-        }
-        return Optional.empty();
-    }
-
     /**
      * Apply the given patch data.
      *
diff --git a/org.jdrupes.vmoperator.common/src/org/jdrupes/vmoperator/common/K8sGenericStub.java b/org.jdrupes.vmoperator.common/src/org/jdrupes/vmoperator/common/K8sGenericStub.java
index f118a17..09516a0 100644
--- a/org.jdrupes.vmoperator.common/src/org/jdrupes/vmoperator/common/K8sGenericStub.java
+++ b/org.jdrupes.vmoperator.common/src/org/jdrupes/vmoperator/common/K8sGenericStub.java
@@ -27,6 +27,7 @@ import io.kubernetes.client.openapi.ApiException;
 import io.kubernetes.client.util.Strings;
 import io.kubernetes.client.util.generic.GenericKubernetesApi;
 import io.kubernetes.client.util.generic.KubernetesApiResponse;
+import io.kubernetes.client.util.generic.dynamic.DynamicKubernetesObject;
 import io.kubernetes.client.util.generic.options.GetOptions;
 import io.kubernetes.client.util.generic.options.ListOptions;
 import io.kubernetes.client.util.generic.options.PatchOptions;
@@ -47,7 +48,7 @@ import java.util.function.Function;
  * @param <O> the generic type
  * @param <L> the generic type
  */
-@SuppressWarnings("PMD.DataflowAnomalyAnalysis")
+@SuppressWarnings({ "PMD.DataflowAnomalyAnalysis", "PMD.TooManyMethods" })
 public class K8sGenericStub<O extends KubernetesObject,
         L extends KubernetesListObject> {
     protected final K8sClient client;
@@ -224,7 +225,7 @@ public class K8sGenericStub<O extends KubernetesObject,
      * @param patchType the patch type
      * @param patch the patch
      * @param options the options
-     * @return the kubernetes api response
+     * @return the kubernetes api response if successful
      * @throws ApiException the api exception
      */
     public Optional<O> patch(String patchType, V1Patch patch,
@@ -239,7 +240,7 @@ public class K8sGenericStub<O extends KubernetesObject,
      *
      * @param patchType the patch type
      * @param patch the patch
-     * @return the kubernetes api response
+     * @return the kubernetes api response if successful
      * @throws ApiException the api exception
      */
     public Optional<O>
@@ -248,6 +249,21 @@ public class K8sGenericStub<O extends KubernetesObject,
         return patch(patchType, patch, opts);
     }
 
+    /**
+     * Apply the given definition. 
+     *
+     * @param def the def
+     * @return the kubernetes api response if successful
+     * @throws ApiException the api exception
+     */
+    public Optional<O> apply(DynamicKubernetesObject def) throws ApiException {
+        PatchOptions opts = new PatchOptions();
+        opts.setForce(true);
+        opts.setFieldManager("kubernetes-java-kubectl-apply");
+        return patch(V1Patch.PATCH_FORMAT_APPLY_YAML,
+            new V1Patch(client.getJSON().serialize(def)), opts);
+    }
+
     /**
      * Update the object.
      *
diff --git a/org.jdrupes.vmoperator.common/src/org/jdrupes/vmoperator/common/VmDefinition.java b/org.jdrupes.vmoperator.common/src/org/jdrupes/vmoperator/common/VmDefinition.java
new file mode 100644
index 0000000..71ea7f1
--- /dev/null
+++ b/org.jdrupes.vmoperator.common/src/org/jdrupes/vmoperator/common/VmDefinition.java
@@ -0,0 +1,332 @@
+/*
+ * VM-Operator
+ * Copyright (C) 2024 Michael N. Lipp
+ * 
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as
+ * published by the Free Software Foundation, either version 3 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program.  If not, see <https://www.gnu.org/licenses/>.
+ */
+
+package org.jdrupes.vmoperator.common;
+
+import io.kubernetes.client.openapi.models.V1ObjectMeta;
+import java.util.Collection;
+import java.util.Collections;
+import java.util.EnumSet;
+import java.util.HashMap;
+import java.util.List;
+import java.util.Map;
+import java.util.Optional;
+import java.util.Set;
+import java.util.concurrent.ConcurrentHashMap;
+import java.util.function.Function;
+import java.util.stream.Collectors;
+import org.jdrupes.vmoperator.util.DataPath;
+
+/**
+ * Represents a VM definition.
+ */
+@SuppressWarnings({ "PMD.DataClass" })
+public class VmDefinition {
+
+    private String kind;
+    private String apiVersion;
+    private V1ObjectMeta metadata;
+    private Map<String, Object> spec;
+    private Map<String, Object> status;
+    private final Map<String, Object> extra = new ConcurrentHashMap<>();
+
+    /**
+     * The VM state from the VM definition.
+     */
+    public enum RequestedVmState {
+        STOPPED, RUNNING
+    }
+
+    /**
+     * Permissions for accessing and manipulating the VM.
+     */
+    public enum Permission {
+        START("start"), STOP("stop"), RESET("reset"),
+        ACCESS_CONSOLE("accessConsole");
+
+        @SuppressWarnings("PMD.UseConcurrentHashMap")
+        private static Map<String, Permission> reprs = new HashMap<>();
+
+        static {
+            for (var value : EnumSet.allOf(Permission.class)) {
+                reprs.put(value.repr, value);
+            }
+        }
+
+        private final String repr;
+
+        Permission(String repr) {
+            this.repr = repr;
+        }
+
+        /**
+         * Create permission from representation in CRD.
+         *
+         * @param value the value
+         * @return the permission
+         */
+        @SuppressWarnings("PMD.AvoidLiteralsInIfCondition")
+        public static Set<Permission> parse(String value) {
+            if ("*".equals(value)) {
+                return EnumSet.allOf(Permission.class);
+            }
+            return Set.of(reprs.get(value));
+        }
+
+        @Override
+        public String toString() {
+            return repr;
+        }
+    }
+
+    /**
+     * Gets the kind.
+     *
+     * @return the kind
+     */
+    public String getKind() {
+        return kind;
+    }
+
+    /**
+     * Sets the kind.
+     *
+     * @param kind the kind to set
+     */
+    public void setKind(String kind) {
+        this.kind = kind;
+    }
+
+    /**
+     * Gets the api version.
+     *
+     * @return the apiVersion
+     */
+    public String getApiVersion() {
+        return apiVersion;
+    }
+
+    /**
+     * Sets the api version.
+     *
+     * @param apiVersion the apiVersion to set
+     */
+    public void setApiVersion(String apiVersion) {
+        this.apiVersion = apiVersion;
+    }
+
+    /**
+     * Gets the metadata.
+     *
+     * @return the metadata
+     */
+    public V1ObjectMeta getMetadata() {
+        return metadata;
+    }
+
+    /**
+     * Gets the metadata.
+     *
+     * @return the metadata
+     */
+    public V1ObjectMeta metadata() {
+        return metadata;
+    }
+
+    /**
+     * Sets the metadata.
+     *
+     * @param metadata the metadata to set
+     */
+    public void setMetadata(V1ObjectMeta metadata) {
+        this.metadata = metadata;
+    }
+
+    /**
+     * Gets the spec.
+     *
+     * @return the spec
+     */
+    public Map<String, Object> getSpec() {
+        return spec;
+    }
+
+    /**
+     * Gets the spec.
+     *
+     * @return the spec
+     */
+    public Map<String, Object> spec() {
+        return spec;
+    }
+
+    /**
+     * Get a value from the spec using {@link DataPath#get}.
+     *
+     * @param <T> the generic type
+     * @param selectors the selectors
+     * @return the value, if found
+     */
+    public <T> Optional<T> fromSpec(Object... selectors) {
+        return DataPath.get(spec, selectors);
+    }
+
+    /**
+     * Get a value from the `spec().get("vm")` using {@link DataPath#get}.
+     *
+     * @param <T> the generic type
+     * @param selectors the selectors
+     * @return the value, if found
+     */
+    public <T> Optional<T> fromVm(Object... selectors) {
+        return DataPath.get(spec, "vm")
+            .flatMap(vm -> DataPath.get(vm, selectors));
+    }
+
+    /**
+     * Sets the spec.
+     *
+     * @param spec the spec to set
+     */
+    public void setSpec(Map<String, Object> spec) {
+        this.spec = spec;
+    }
+
+    /**
+     * Gets the status.
+     *
+     * @return the status
+     */
+    public Map<String, Object> getStatus() {
+        return status;
+    }
+
+    /**
+     * Gets the status.
+     *
+     * @return the status
+     */
+    public Map<String, Object> status() {
+        return status;
+    }
+
+    /**
+     * Get a value from the status using {@link DataPath#get}.
+     *
+     * @param <T> the generic type
+     * @param selectors the selectors
+     * @return the value, if found
+     */
+    public <T> Optional<T> fromStatus(Object... selectors) {
+        return DataPath.get(status, selectors);
+    }
+
+    /**
+     * Sets the status.
+     *
+     * @param status the status to set
+     */
+    public void setStatus(Map<String, Object> status) {
+        this.status = status;
+    }
+
+    /**
+     * Set extra data (locally used, unknown to kubernetes).
+     *
+     * @param property the property
+     * @param value the value
+     * @return the VM definition
+     */
+    public VmDefinition extra(String property, Object value) {
+        extra.put(property, value);
+        return this;
+    }
+
+    /**
+     * Return extra data.
+     *
+     * @param property the property
+     * @return the object
+     */
+    @SuppressWarnings("unchecked")
+    public <T> T extra(String property) {
+        return (T) extra.get(property);
+    }
+
+    /**
+     * Returns the definition's name.
+     *
+     * @return the string
+     */
+    public String name() {
+        return metadata.getName();
+    }
+
+    /**
+     * Returns the definition's namespace.
+     *
+     * @return the string
+     */
+    public String namespace() {
+        return metadata.getNamespace();
+    }
+
+    /**
+     * Return the requested VM state
+     *
+     * @return the string
+     */
+    public RequestedVmState vmState() {
+        // TODO
+        return fromVm("state")
+            .map(s -> "Running".equals(s) ? RequestedVmState.RUNNING
+                : RequestedVmState.STOPPED)
+            .orElse(RequestedVmState.STOPPED);
+    }
+
+    /**
+     * Collect all permissions for the given user with the given roles.
+     *
+     * @param user the user
+     * @param roles the roles
+     * @return the sets the
+     */
+    public Set<Permission> permissionsFor(String user,
+            Collection<String> roles) {
+        return this.<List<Map<String, Object>>> fromSpec("permissions")
+            .orElse(Collections.emptyList()).stream()
+            .filter(p -> DataPath.get(p, "user").map(u -> u.equals(user))
+                .orElse(false)
+                || DataPath.get(p, "role").map(roles::contains).orElse(false))
+            .map(p -> DataPath.<List<String>> get(p, "may")
+                .orElse(Collections.emptyList()).stream())
+            .flatMap(Function.identity())
+            .map(Permission::parse).map(Set::stream)
+            .flatMap(Function.identity()).collect(Collectors.toSet());
+    }
+
+    /**
+     * Get the display password serial.
+     *
+     * @return the optional
+     */
+    public Optional<Long> displayPasswordSerial() {
+        return this.<Number> fromStatus("displayPasswordSerial")
+            .map(Number::longValue);
+    }
+}
diff --git a/org.jdrupes.vmoperator.common/src/org/jdrupes/vmoperator/common/VmDefinitionModel.java b/org.jdrupes.vmoperator.common/src/org/jdrupes/vmoperator/common/VmDefinitionModel.java
index 987b4c8..d4ae5da 100644
--- a/org.jdrupes.vmoperator.common/src/org/jdrupes/vmoperator/common/VmDefinitionModel.java
+++ b/org.jdrupes.vmoperator.common/src/org/jdrupes/vmoperator/common/VmDefinitionModel.java
@@ -20,16 +20,6 @@ package org.jdrupes.vmoperator.common;
 
 import com.google.gson.Gson;
 import com.google.gson.JsonObject;
-import com.google.gson.JsonPrimitive;
-import java.util.Collection;
-import java.util.EnumSet;
-import java.util.HashMap;
-import java.util.Map;
-import java.util.Optional;
-import java.util.Set;
-import java.util.function.Function;
-import java.util.stream.Collectors;
-import org.jdrupes.vmoperator.util.GsonPtr;
 
 /**
  * Represents a VM definition.
@@ -37,55 +27,6 @@ import org.jdrupes.vmoperator.util.GsonPtr;
 @SuppressWarnings("PMD.DataClass")
 public class VmDefinitionModel extends K8sDynamicModel {
 
-    /**
-     * The VM state from the VM definition.
-     */
-    public enum RequestedVmState {
-        STOPPED, RUNNING
-    }
-
-    /**
-     * Permissions for accessing and manipulating the VM.
-     */
-    public enum Permission {
-        START("start"), STOP("stop"), RESET("reset"),
-        ACCESS_CONSOLE("accessConsole");
-
-        @SuppressWarnings("PMD.UseConcurrentHashMap")
-        private static Map<String, Permission> reprs = new HashMap<>();
-
-        static {
-            for (var value : EnumSet.allOf(Permission.class)) {
-                reprs.put(value.repr, value);
-            }
-        }
-
-        private final String repr;
-
-        Permission(String repr) {
-            this.repr = repr;
-        }
-
-        /**
-         * Create permission from representation in CRD.
-         *
-         * @param value the value
-         * @return the permission
-         */
-        @SuppressWarnings("PMD.AvoidLiteralsInIfCondition")
-        public static Set<Permission> parse(String value) {
-            if ("*".equals(value)) {
-                return EnumSet.allOf(Permission.class);
-            }
-            return Set.of(reprs.get(value));
-        }
-
-        @Override
-        public String toString() {
-            return repr;
-        }
-    }
-
     /**
      * Instantiates a new model from the JSON representation.
      *
@@ -95,49 +36,4 @@ public class VmDefinitionModel extends K8sDynamicModel {
     public VmDefinitionModel(Gson delegate, JsonObject json) {
         super(delegate, json);
     }
-
-    /**
-     * Collect all permissions for the given user with the given roles.
-     *
-     * @param user the user
-     * @param roles the roles
-     * @return the sets the
-     */
-    public Set<Permission> permissionsFor(String user,
-            Collection<String> roles) {
-        return GsonPtr.to(data())
-            .getAsListOf(JsonObject.class, "spec", "permissions")
-            .stream().filter(p -> GsonPtr.to(p).getAsString("user")
-                .map(u -> u.equals(user)).orElse(false)
-                || GsonPtr.to(p).getAsString("role").map(roles::contains)
-                    .orElse(false))
-            .map(p -> GsonPtr.to(p).getAsListOf(JsonPrimitive.class, "may")
-                .stream())
-            .flatMap(Function.identity()).map(p -> p.getAsString())
-            .map(Permission::parse).map(Set::stream)
-            .flatMap(Function.identity()).collect(Collectors.toSet());
-    }
-
-    /**
-     * Return the requested VM state
-     *
-     * @return the string
-     */
-    public RequestedVmState vmState() {
-        return GsonPtr.to(data()).getAsString("spec", "vm", "state")
-            .map(s -> "Running".equals(s) ? RequestedVmState.RUNNING
-                : RequestedVmState.STOPPED)
-            .orElse(RequestedVmState.STOPPED);
-    }
-
-    /**
-     * Get the display password serial.
-     *
-     * @return the optional
-     */
-    public Optional<Long> displayPasswordSerial() {
-        return GsonPtr.to(status())
-            .get(JsonPrimitive.class, "displayPasswordSerial")
-            .map(JsonPrimitive::getAsLong);
-    }
 }
diff --git a/org.jdrupes.vmoperator.manager.events/src/org/jdrupes/vmoperator/manager/events/GetDisplayPassword.java b/org.jdrupes.vmoperator.manager.events/src/org/jdrupes/vmoperator/manager/events/GetDisplayPassword.java
index 37eddec..3322f1a 100644
--- a/org.jdrupes.vmoperator.manager.events/src/org/jdrupes/vmoperator/manager/events/GetDisplayPassword.java
+++ b/org.jdrupes.vmoperator.manager.events/src/org/jdrupes/vmoperator/manager/events/GetDisplayPassword.java
@@ -19,7 +19,7 @@
 package org.jdrupes.vmoperator.manager.events;
 
 import java.util.Optional;
-import org.jdrupes.vmoperator.common.VmDefinitionModel;
+import org.jdrupes.vmoperator.common.VmDefinition;
 import org.jgrapes.core.Event;
 
 /**
@@ -28,14 +28,14 @@ import org.jgrapes.core.Event;
 @SuppressWarnings("PMD.DataClass")
 public class GetDisplayPassword extends Event<String> {
 
-    private final VmDefinitionModel vmDef;
+    private final VmDefinition vmDef;
 
     /**
      * Instantiates a new returns the display secret.
      *
      * @param vmDef the vm name
      */
-    public GetDisplayPassword(VmDefinitionModel vmDef) {
+    public GetDisplayPassword(VmDefinition vmDef) {
         this.vmDef = vmDef;
     }
 
@@ -44,7 +44,7 @@ public class GetDisplayPassword extends Event<String> {
      *
      * @return the vm definition
      */
-    public VmDefinitionModel vmDefinition() {
+    public VmDefinition vmDefinition() {
         return vmDef;
     }
 
diff --git a/org.jdrupes.vmoperator.manager.events/src/org/jdrupes/vmoperator/manager/events/VmChannel.java b/org.jdrupes.vmoperator.manager.events/src/org/jdrupes/vmoperator/manager/events/VmChannel.java
index 46861ce..5ea282a 100644
--- a/org.jdrupes.vmoperator.manager.events/src/org/jdrupes/vmoperator/manager/events/VmChannel.java
+++ b/org.jdrupes.vmoperator.manager.events/src/org/jdrupes/vmoperator/manager/events/VmChannel.java
@@ -19,7 +19,7 @@
 package org.jdrupes.vmoperator.manager.events;
 
 import org.jdrupes.vmoperator.common.K8sClient;
-import org.jdrupes.vmoperator.common.VmDefinitionModel;
+import org.jdrupes.vmoperator.common.VmDefinition;
 import org.jgrapes.core.Channel;
 import org.jgrapes.core.EventPipeline;
 import org.jgrapes.core.Subchannel.DefaultSubchannel;
@@ -32,7 +32,7 @@ public class VmChannel extends DefaultSubchannel {
 
     private final EventPipeline pipeline;
     private final K8sClient client;
-    private VmDefinitionModel vmDefinition;
+    private VmDefinition definition;
     private long generation = -1;
 
     /**
@@ -56,18 +56,18 @@ public class VmChannel extends DefaultSubchannel {
      * @return the watch channel
      */
     @SuppressWarnings("PMD.LinguisticNaming")
-    public VmChannel setVmDefinition(VmDefinitionModel definition) {
-        this.vmDefinition = definition;
+    public VmChannel setVmDefinition(VmDefinition definition) {
+        this.definition = definition;
         return this;
     }
 
     /**
      * Returns the last known definition of the VM.
      *
-     * @return the json object
+     * @return the defintion
      */
-    public VmDefinitionModel vmDefinition() {
-        return vmDefinition;
+    public VmDefinition vmDefinition() {
+        return definition;
     }
 
     /**
diff --git a/org.jdrupes.vmoperator.manager.events/src/org/jdrupes/vmoperator/manager/events/VmDefChanged.java b/org.jdrupes.vmoperator.manager.events/src/org/jdrupes/vmoperator/manager/events/VmDefChanged.java
index a2bafb7..a8873cf 100644
--- a/org.jdrupes.vmoperator.manager.events/src/org/jdrupes/vmoperator/manager/events/VmDefChanged.java
+++ b/org.jdrupes.vmoperator.manager.events/src/org/jdrupes/vmoperator/manager/events/VmDefChanged.java
@@ -19,7 +19,7 @@
 package org.jdrupes.vmoperator.manager.events;
 
 import org.jdrupes.vmoperator.common.K8sObserver;
-import org.jdrupes.vmoperator.common.VmDefinitionModel;
+import org.jdrupes.vmoperator.common.VmDefinition;
 import org.jgrapes.core.Channel;
 import org.jgrapes.core.Components;
 import org.jgrapes.core.Event;
@@ -36,7 +36,7 @@ public class VmDefChanged extends Event<Void> {
 
     private final K8sObserver.ResponseType type;
     private final boolean specChanged;
-    private final VmDefinitionModel vmDef;
+    private final VmDefinition vmDefinition;
 
     /**
      * Instantiates a new VM changed event.
@@ -46,10 +46,10 @@ public class VmDefChanged extends Event<Void> {
      * @param vmDefinition the VM definition
      */
     public VmDefChanged(K8sObserver.ResponseType type, boolean specChanged,
-            VmDefinitionModel vmDefinition) {
+            VmDefinition vmDefinition) {
         this.type = type;
         this.specChanged = specChanged;
-        this.vmDef = vmDefinition;
+        this.vmDefinition = vmDefinition;
     }
 
     /**
@@ -69,19 +69,19 @@ public class VmDefChanged extends Event<Void> {
     }
 
     /**
-     * Returns the object.
+     * Return the VM definition.
      *
-     * @return the object.
+     * @return the VM definition
      */
-    public VmDefinitionModel vmDefinition() {
-        return vmDef;
+    public VmDefinition vmDefinition() {
+        return vmDefinition;
     }
 
     @Override
     public String toString() {
         StringBuilder builder = new StringBuilder();
         builder.append(Components.objectName(this)).append(" [")
-            .append(vmDef.getMetadata().getName()).append(' ').append(type);
+            .append(vmDefinition.name()).append(' ').append(type);
         if (channels() != null) {
             builder.append(", channels=").append(Channel.toString(channels()));
         }
diff --git a/org.jdrupes.vmoperator.manager/resources/org/jdrupes/vmoperator/manager/runnerConfig.ftl.yaml b/org.jdrupes.vmoperator.manager/resources/org/jdrupes/vmoperator/manager/runnerConfig.ftl.yaml
index 9e3d5ef..214b5b8 100644
--- a/org.jdrupes.vmoperator.manager/resources/org/jdrupes/vmoperator/manager/runnerConfig.ftl.yaml
+++ b/org.jdrupes.vmoperator.manager/resources/org/jdrupes/vmoperator/manager/runnerConfig.ftl.yaml
@@ -1,141 +1,142 @@
 apiVersion: v1
 kind: ConfigMap
 metadata:
-  namespace: ${ cr.metadata.namespace.asString }
-  name: ${ cr.metadata.name.asString }
+  namespace: ${ cr.namespace() }
+  name: ${ cr.name() }
   labels:
     app.kubernetes.io/name: ${ constants.APP_NAME }
-    app.kubernetes.io/instance: ${ cr.metadata.name.asString }
+    app.kubernetes.io/instance: ${ cr.name() }
     app.kubernetes.io/managed-by: ${ constants.VM_OP_NAME }
   annotations:
     vmoperator.jdrupes.org/version: ${ managerVersion }
   ownerReferences:
-  - apiVersion: ${ cr.apiVersion.asString }
+  - apiVersion: ${ cr.apiVersion }
     kind: ${ constants.VM_OP_KIND_VM }
-    name: ${ cr.metadata.name.asString }
-    uid: ${ cr.metadata.uid.asString }
+    name: ${ cr.name() }
+    uid: ${ cr.metadata().getUid() }
     controller: false
-  
+
 data:
   config.yaml: |
     "/Runner":
       # The directory used to store data files. Defaults to (depending on 
       # values available):
-      #  * $XDG_DATA_HOME/vmrunner/${ cr.metadata.name.asString }
-      #  * $HOME/.local/share/vmrunner/${ cr.metadata.name.asString }
-      #  * ./${ cr.metadata.name.asString }
+      #  * $XDG_DATA_HOME/vmrunner/${ cr.name() }
+      #  * $HOME/.local/share/vmrunner/${ cr.name() }
+      #  * ./${ cr.name() }
       dataDir: /var/local/vm-data
       
       # The directory used to store runtime files. Defaults to (depending on 
       # values available):
-      #  * $XDG_RUNTIME_DIR/vmrunner/${ cr.metadata.name.asString }
-      #  * /tmp/$USER/vmrunner/${ cr.metadata.name.asString }
-      #  * /tmp/vmrunner/${ cr.metadata.name.asString }
-      # runtimeDir: "$XDG_RUNTIME_DIR/vmrunner/${ cr.metadata.name.asString }"
+      #  * $XDG_RUNTIME_DIR/vmrunner/${ cr.name() }
+      #  * /tmp/$USER/vmrunner/${ cr.name() }
+      #  * /tmp/vmrunner/${ cr.name() }
+      # runtimeDir: "$XDG_RUNTIME_DIR/vmrunner/${ cr.name() }"
       
+      <#assign spec = cr.spec() />
       # The template to use. Resolved relative to /usr/share/vmrunner/templates.
       # template: "Standard-VM-latest.ftl.yaml"
-      <#if cr.spec.runnerTemplate?? && cr.spec.runnerTemplate.source?? >
-      template: ${ cr.spec.runnerTemplate.source.asString }
+      <#if spec.runnerTemplate?? && spec.runnerTemplate.source?? >
+      template: ${ cm.spec().runnerTemplate.source }
       </#if>
     
       # The template is copied to the data diretory when the VM starts for
       # the first time. Subsequent starts use the copy unless this option is set.
-      <#if cr.spec.runnerTemplate?? && cr.spec.runnerTemplate.update?? >
-      updateTemplate: ${ cr.spec.runnerTemplate.update.asBoolean?c }
+      <#if spec.runnerTemplate?? && spec.runnerTemplate.update?? >
+      updateTemplate: ${ spec.runnerTemplate.update?c }
       </#if>
 
       # Whether a shutdown initiated by the guest stops the pod deployment
-      guestShutdownStops: ${ cr.spec.guestShutdownStops!false?c }
+      guestShutdownStops: ${ (spec.guestShutdownStops!false)?c }
       
       # When incremented, the VM is reset. The value has no default value,
       # i.e. if you start the VM without a value for this property, and
       # decide to trigger a reset later, you have to first set the value
       # and then inrement it.
-      resetCounter: ${ cr.resetCount }
+      resetCounter: ${ cr.extra("resetCount")?c }
 
       # Forward the cloud-init data if provided
-      <#if cr.spec.cloudInit??>    
+      <#if spec.cloudInit??>    
       cloudInit:
-        <#if cr.spec.cloudInit.metaData??>
-        metaData: ${ cr.spec.cloudInit.metaData.toString() }
+        <#if spec.cloudInit.metaData??>
+        metaData: ${ toJson(adjustCloudInitMeta(spec.cloudInit.metaData, cr.metadata())) }
         <#else>
         metaData: {}
         </#if>
-        <#if cr.spec.cloudInit.userData??>
-        userData: ${ cr.spec.cloudInit.userData.toString() }
+        <#if spec.cloudInit.userData??>
+        userData: ${ toJson(spec.cloudInit.userData) }
         <#else>
         userData: {}
         </#if>
-        <#if cr.spec.cloudInit.networkConfig??>
-        networkConfig: ${ cr.spec.cloudInit.networkConfig.toString() }
+        <#if spec.cloudInit.networkConfig??>
+        networkConfig: ${ toJson(spec.cloudInit.networkConfig) }
         </#if>
       </#if>
       
       # Define the VM (required)
       vm:
         # The VM's name (required)
-        name: ${ cr.metadata.name.asString }
+        name: ${ cr.name() }
         
         # The machine's uuid. If none is specified, a uuid is generated
         # and stored in the data directory. If the uuid is important
         # (e.g. because licenses depend on it) it is recommaned to specify
         # it here explicitly or to carefully backup the data directory.
         # uuid: "generated uuid"
-        <#if cr.spec.vm.machineUuid??>
-        uuid: "${ cr.spec.vm.machineUuid.asString }"
+        <#if spec.vm.machineUuid??>
+        uuid: "${ spec.vm.machineUuid }"
         </#if>
 
         # Whether to provide a software TPM (defaults to false)
         # useTpm: false
-        useTpm: ${ cr.spec.vm.useTpm.asBoolean?c }
+        useTpm: ${ spec.vm.useTpm?c }
         
         # How to boot (see https://github.com/mnlipp/VM-Operator/blob/main/org.jdrupes.vmoperator.runner.qemu/resources/org/jdrupes/vmoperator/runner/qemu/defaults.yaml):
         #  * bios
         #  * uefi[-4m]
         #  * secure[-4m]
-        firmware: ${ cr.spec.vm.firmware.asString }
+        firmware: ${ spec.vm.firmware }
         
         # Whether to show a boot menu.
         # bootMenu: false
-        bootMenu: ${ cr.spec.vm.bootMenu.asBoolean?c }
+        bootMenu: ${ spec.vm.bootMenu?c }
     
         # When terminating, a graceful powerdown is attempted. If it
         # doesn't succeed within the given timeout (seconds) SIGTERM
         # is sent to Qemu.
         # powerdownTimeout: 900
-        powerdownTimeout: ${ cr.spec.vm.powerdownTimeout.asLong?c }
+        powerdownTimeout: ${ spec.vm.powerdownTimeout?c }
         
         # CPU settings
-        cpuModel: ${ cr.spec.vm.cpuModel.asString }
+        cpuModel: ${ spec.vm.cpuModel }
         # Setting maximumCpus to 1 omits the "-smp" options. The defaults (0)
         # cause the corresponding property to be omitted from the "-smp" option.
         # If currentCpus is greater than maximumCpus, the latter is adjusted.
-        <#if cr.spec.vm.maximumCpus?? >
-        maximumCpus: ${ parseQuantity(cr.spec.vm.maximumCpus.asString)?c }
+        <#if spec.vm.maximumCpus?? >
+        maximumCpus: ${ parseQuantity(spec.vm.maximumCpus)?c }
         </#if>
-        <#if cr.spec.vm.cpuTopology?? >
-        sockets: ${ cr.spec.vm.cpuTopology.sockets.asInt?c }
-        diesPerSocket: ${ cr.spec.vm.cpuTopology.diesPerSocket.asInt?c }
-        coresPerDie: ${ cr.spec.vm.cpuTopology.coresPerDie.asInt?c }
-        threadsPerCore: ${ cr.spec.vm.cpuTopology.threadsPerCore.asInt?c }
+        <#if spec.vm.cpuTopology?? >
+        sockets: ${ spec.vm.cpuTopology.sockets?c }
+        diesPerSocket: ${ spec.vm.cpuTopology.diesPerSocket?c }
+        coresPerDie: ${ spec.vm.cpuTopology.coresPerDie?c }
+        threadsPerCore: ${ spec.vm.cpuTopology.threadsPerCore?c }
         </#if>
-        <#if cr.spec.vm.currentCpus?? >
-        currentCpus: ${ parseQuantity(cr.spec.vm.currentCpus.asString)?c }
+        <#if spec.vm.currentCpus?? >
+        currentCpus: ${ parseQuantity(spec.vm.currentCpus)?c }
         </#if>
         
         # RAM settings
         # Maximum defaults to 1G
-        maximumRam: "${ formatMemory(parseQuantity(cr.spec.vm.maximumRam.asString)) }"
-        <#if cr.spec.vm.currentRam?? >
-        currentRam: "${ formatMemory(parseQuantity(cr.spec.vm.currentRam.asString)) }"
+        maximumRam: "${ formatMemory(parseQuantity(spec.vm.maximumRam)) }"
+        <#if spec.vm.currentRam?? >
+        currentRam: "${ formatMemory(parseQuantity(spec.vm.currentRam)) }"
         </#if>
         
         # RTC settings.
         # rtcBase: utc
         # rtcClock: rt
-        rtcBase: ${ cr.spec.vm.rtcBase.asString }
-        rtcClock: ${ cr.spec.vm.rtcClock.asString }
+        rtcBase: ${ spec.vm.rtcBase }
+        rtcClock: ${ spec.vm.rtcClock }
         
         # Network settings
         # Supported types are "tap" and "user" (for debugging). Type "user"
@@ -147,19 +148,19 @@ data:
         #   mac: (undefined)
         network:
         <#assign nwCounter = 0/>
-        <#list cr.spec.vm.networks.asList() as itf>
+        <#list spec.vm.networks as itf>
         <#if itf.tap??>
         - type: tap
-          device: ${ itf.tap.device.asString }
-          bridge: ${ itf.tap.bridge.asString }
+          device: ${ itf.tap.device }
+          bridge: ${ itf.tap.bridge }
           <#if itf.tap.mac??>
-          mac: "${ itf.tap.mac.asString }"
+          mac: "${ itf.tap.mac }"
           </#if>
         <#elseif itf.user??>
         - type: user
-          device: ${ itf.user.device.asString }
+          device: ${ itf.user.device }
           <#if itf.user.net??>
-          net: "${ itf.user.net.asString }"
+          net: "${ itf.user.net }"
           </#if>
         </#if>
         <#assign nwCounter += 1/>
@@ -175,11 +176,11 @@ data:
         #   file: (undefined)
         drives:
         <#assign drvCounter = 0/>
-        <#list cr.spec.vm.disks.asList() as disk>
+        <#list spec.vm.disks as disk>
         <#if disk.volumeClaimTemplate?? 
           && disk.volumeClaimTemplate.metadata??
           && disk.volumeClaimTemplate.metadata.name??>
-          <#assign diskName = disk.volumeClaimTemplate.metadata.name.asString + "-disk">
+          <#assign diskName = disk.volumeClaimTemplate.metadata.name + "-disk">
         <#else>
           <#assign diskName = "disk-" + drvCounter>
         </#if>
@@ -187,33 +188,33 @@ data:
         - type: raw
           resource: /dev/${ diskName }
           <#if disk.bootindex??>
-          bootindex: ${ disk.bootindex.asInt?c }
+          bootindex: ${ disk.bootindex?c }
           </#if>
           <#assign drvCounter = drvCounter + 1/>
         </#if>
         <#if disk.cdrom??> 
         - type: ide-cd
-          file: "${ disk.cdrom.image.asString }"
+          file: "${ imageLocation(disk.cdrom.image) }"
           <#if disk.bootindex??>
-          bootindex: ${ disk.bootindex.asInt?c }
+          bootindex: ${ disk.bootindex?c }
           </#if>
         </#if>
         </#list>
         
         display:
-          <#if cr.spec.vm.display.outputs?? >
-          outputs: ${ cr.spec.vm.display.outputs.asInt?c }
+          <#if spec.vm.display.outputs?? >
+          outputs: ${ spec.vm.display.outputs?c }
           </#if>
-          <#if cr.spec.vm.display.spice??>
+          <#if spec.vm.display.spice??>
           spice:
-            port: ${ cr.spec.vm.display.spice.port.asInt?c }
-            <#if cr.spec.vm.display.spice.ticket??>
-            ticket: "${ cr.spec.vm.display.spice.ticket.asString }"
+            port: ${ spec.vm.display.spice.port?c }
+            <#if spec.vm.display.spice.ticket??>
+            ticket: "${ spec.vm.display.spice.ticket }"
             </#if>
-            <#if cr.spec.vm.display.spice.streamingVideo??>
-            streaming-video: "${ cr.spec.vm.display.spice.streamingVideo.asString }"
+            <#if spec.vm.display.spice.streamingVideo??>
+            streaming-video: "${ spec.vm.display.spice.streamingVideo }"
             </#if>
-            usbRedirects: ${ cr.spec.vm.display.spice.usbRedirects.asInt?c }
+            usbRedirects: ${ spec.vm.display.spice.usbRedirects?c }
           </#if>
 
   logging.properties: |
diff --git a/org.jdrupes.vmoperator.manager/resources/org/jdrupes/vmoperator/manager/runnerDataPvc.ftl.yaml b/org.jdrupes.vmoperator.manager/resources/org/jdrupes/vmoperator/manager/runnerDataPvc.ftl.yaml
index a1a94e1..ddb638c 100644
--- a/org.jdrupes.vmoperator.manager/resources/org/jdrupes/vmoperator/manager/runnerDataPvc.ftl.yaml
+++ b/org.jdrupes.vmoperator.manager/resources/org/jdrupes/vmoperator/manager/runnerDataPvc.ftl.yaml
@@ -1,11 +1,11 @@
 kind: PersistentVolumeClaim
 apiVersion: v1
 metadata:
-  namespace: ${ cr.metadata.namespace.asString }
+  namespace: ${ cr.namespace() }
   name: ${ runnerDataPvcName }
   labels:
     app.kubernetes.io/name: ${ constants.APP_NAME }
-    app.kubernetes.io/instance: ${ cr.metadata.name.asString }
+    app.kubernetes.io/instance: ${ cr.name() }
     app.kubernetes.io/managed-by: ${ constants.VM_OP_NAME }
 spec:
   accessModes:
diff --git a/org.jdrupes.vmoperator.manager/resources/org/jdrupes/vmoperator/manager/runnerDiskPvc.ftl.yaml b/org.jdrupes.vmoperator.manager/resources/org/jdrupes/vmoperator/manager/runnerDiskPvc.ftl.yaml
index 732f592..8258d55 100644
--- a/org.jdrupes.vmoperator.manager/resources/org/jdrupes/vmoperator/manager/runnerDiskPvc.ftl.yaml
+++ b/org.jdrupes.vmoperator.manager/resources/org/jdrupes/vmoperator/manager/runnerDiskPvc.ftl.yaml
@@ -1,16 +1,16 @@
 kind: PersistentVolumeClaim
 apiVersion: v1
 metadata:
-  namespace: ${ cr.metadata.namespace.asString }
+  namespace: ${ cr.namespace() }
   name: ${ disk.generatedPvcName }
   labels:
     app.kubernetes.io/name: ${ constants.APP_NAME }
-    app.kubernetes.io/instance: ${ cr.metadata.name.asString }
+    app.kubernetes.io/instance: ${ cr.name() }
     app.kubernetes.io/managed-by: ${ constants.VM_OP_NAME }
   <#if disk.volumeClaimTemplate.metadata??
     && disk.volumeClaimTemplate.metadata.annotations??>
   annotations:
-    ${ disk.volumeClaimTemplate.metadata.annotations.toString() }
+    ${ toJson(disk.volumeClaimTemplate.metadata.annotations) }
   </#if>
 spec:
-  ${ disk.volumeClaimTemplate.spec.toString() }
+  ${ toJson(disk.volumeClaimTemplate.spec) }
diff --git a/org.jdrupes.vmoperator.manager/resources/org/jdrupes/vmoperator/manager/runnerLoadBalancer.ftl.yaml b/org.jdrupes.vmoperator.manager/resources/org/jdrupes/vmoperator/manager/runnerLoadBalancer.ftl.yaml
index 2c32aa6..9a70e19 100644
--- a/org.jdrupes.vmoperator.manager/resources/org/jdrupes/vmoperator/manager/runnerLoadBalancer.ftl.yaml
+++ b/org.jdrupes.vmoperator.manager/resources/org/jdrupes/vmoperator/manager/runnerLoadBalancer.ftl.yaml
@@ -1,26 +1,26 @@
 apiVersion: v1
 kind: Service
 metadata:
-  namespace: ${ cr.metadata.namespace.asString }
-  name: ${ cr.metadata.name.asString }
+  namespace: ${ cr.namespace() }
+  name: ${ cr.name() }
   labels:
     app.kubernetes.io/name: ${ constants.APP_NAME }
-    app.kubernetes.io/instance: ${ cr.metadata.name.asString }
+    app.kubernetes.io/instance: ${ cr.name() }
     app.kubernetes.io/managed-by: ${ constants.VM_OP_NAME }
   annotations:
     vmoperator.jdrupes.org/version: ${ managerVersion }
   ownerReferences:
-  - apiVersion: ${ cr.apiVersion.asString }
+  - apiVersion: ${ cr.apiVersion }
     kind: ${ constants.VM_OP_KIND_VM }
-    name: ${ cr.metadata.name.asString }
-    uid: ${ cr.metadata.uid.asString }
+    name: ${ cr.name() }
+    uid: ${ cr.metadata().getUid() }
     controller: false
 
 spec:
   type: LoadBalancer
   ports:
   - name: spice
-    port: ${ cr.spec.vm.display.spice.port.asInt?c }
+    port: ${ cr.spec().vm.display.spice.port?c }
   selector:
     app.kubernetes.io/name: ${ constants.APP_NAME }
-    app.kubernetes.io/instance: ${ cr.metadata.name.asString }
+    app.kubernetes.io/instance: ${ cr.name() }
diff --git a/org.jdrupes.vmoperator.manager/resources/org/jdrupes/vmoperator/manager/runnerPod.ftl.yaml b/org.jdrupes.vmoperator.manager/resources/org/jdrupes/vmoperator/manager/runnerPod.ftl.yaml
index ad652e4..e62ac70 100644
--- a/org.jdrupes.vmoperator.manager/resources/org/jdrupes/vmoperator/manager/runnerPod.ftl.yaml
+++ b/org.jdrupes.vmoperator.manager/resources/org/jdrupes/vmoperator/manager/runnerPod.ftl.yaml
@@ -1,42 +1,43 @@
 kind: Pod
 apiVersion: v1
 metadata:
-  namespace: ${ cr.metadata.namespace.asString }
-  name: ${ cr.metadata.name.asString }
+  namespace: ${ cr.namespace() }
+  name: ${ cr.name() }
   labels:
     app.kubernetes.io/name: ${ constants.APP_NAME }
-    app.kubernetes.io/instance: ${ cr.metadata.name.asString }
+    app.kubernetes.io/instance: ${ cr.name() }
     app.kubernetes.io/component: ${ constants.APP_NAME }
     app.kubernetes.io/managed-by: ${ constants.VM_OP_NAME }
   annotations:
     # Triggers update of config map mounted in pod
     # See https://ahmet.im/blog/kubernetes-secret-volumes-delay/
-    vmrunner.jdrupes.org/cmVersion: "${ cm.metadata.resourceVersion.asString }"
+    vmrunner.jdrupes.org/cmVersion: "${ cm.metadata.resourceVersion }"
     vmoperator.jdrupes.org/version: ${ managerVersion }
   ownerReferences:
-  - apiVersion: ${ cr.apiVersion.asString }
+  - apiVersion: ${ cr.apiVersion }
     kind: ${ constants.VM_OP_KIND_VM }
-    name: ${ cr.metadata.name.asString }
-    uid: ${ cr.metadata.uid.asString }
+    name: ${ cr.name() }
+    uid: ${ cr.metadata().getUid() }
     blockOwnerDeletion: true
     controller: false
+<#assign spec = cr.spec() />
 spec:
   containers:
-  - name: ${ cr.metadata.name.asString }
-    <#assign image = cr.spec.image>
+  - name: ${ cr.name() }
+    <#assign image = spec.image>
     <#if image.source??>
-    image: ${ image.source.asString }
+    image: ${ image.source }
     <#else>
-    image: ${ image.repository.asString }/${ image.path.asString }<#if image.version??>:${ image.version.asString }</#if>
+    image: ${ image.repository }/${ image.path }<#if image.version??>:${ image.version }</#if>
     </#if>
     <#if image.pullPolicy??>
-    imagePullPolicy: ${ image.pullPolicy.asString }
+    imagePullPolicy: ${ image.pullPolicy }
     </#if>
-    <#if cr.spec.vm.display.spice??>
+    <#if spec.vm.display.spice??>
     ports:
-      <#if cr.spec.vm.display.spice??>
+      <#if spec.vm.display.spice??>
       - name: spice
-        containerPort: ${ cr.spec.vm.display.spice.port.asInt?c }
+        containerPort: ${ spec.vm.display.spice.port?c }
         protocol: TCP
       </#if>
     </#if>
@@ -55,33 +56,33 @@ spec:
     - name: vmop-image-repository
       mountPath: ${ constants.IMAGE_REPO_PATH }
     volumeDevices:
-    <#list cr.spec.vm.disks.asList() as disk>
+    <#list spec.vm.disks as disk>
     <#if disk.volumeClaimTemplate??>
-    - name: ${ disk.generatedDiskName.asString }
-      devicePath: /dev/${ disk.generatedDiskName.asString }
+    - name: ${ disk.generatedDiskName }
+      devicePath: /dev/${ disk.generatedDiskName }
     </#if>
     </#list>
     securityContext:
       privileged: true
-    <#if cr.spec.resources??>
-    resources: ${ cr.spec.resources.toString() }
+    <#if spec.resources??>
+    resources: ${ toJson(spec.resources) }
     <#else>
-    <#if cr.spec.vm.currentCpus?? || cr.spec.vm.currentRam?? >
+    <#if spec.vm.currentCpus?? || spec.vm.currentRam?? >
     resources:
       requests:
-        <#if cr.spec.vm.currentCpus?? >
+        <#if spec.vm.currentCpus?? >
         <#assign factor = 2.0 />
         <#if reconciler.cpuOvercommit??>
         <#assign factor = reconciler.cpuOvercommit * 1.0 />
         </#if>
-        cpu: ${ (parseQuantity(cr.spec.vm.currentCpus.asString) / factor)?c }
+        cpu: ${ (parseQuantity(spec.vm.currentCpus) / factor)?c }
         </#if>
-        <#if cr.spec.vm.currentRam?? >
+        <#if spec.vm.currentRam?? >
         <#assign factor = 1.25 />
         <#if reconciler.ramOvercommit??>
         <#assign factor = reconciler.ramOvercommit * 1.0 />
         </#if>
-        memory: ${ (parseQuantity(cr.spec.vm.currentRam.asString) / factor)?floor?c }
+        memory: ${ (parseQuantity(spec.vm.currentRam) / factor)?floor?c }
         </#if>
     </#if>
     </#if>
@@ -102,7 +103,7 @@ spec:
     projected:
       sources:
       - configMap:
-          name: ${ cr.metadata.name.asString }
+          name: ${ cr.name() }
       <#if displaySecret??>
       - secret:
           name: ${ displaySecret }
@@ -113,22 +114,22 @@ spec:
   - name: runner-data
     persistentVolumeClaim:
       claimName: ${ runnerDataPvcName }
-  <#list cr.spec.vm.disks.asList() as disk>
+  <#list spec.vm.disks as disk>
   <#if disk.volumeClaimTemplate??>
-  - name: ${ disk.generatedDiskName.asString }
+  - name: ${ disk.generatedDiskName }
     persistentVolumeClaim:
-      claimName: ${ disk.generatedPvcName.asString }
+      claimName: ${ disk.generatedPvcName }
   </#if>
   </#list>
   hostNetwork: true
-  terminationGracePeriodSeconds: ${ (cr.spec.vm.powerdownTimeout.asInt + 5)?c }
-  <#if cr.spec.nodeName??>
-  nodeName: ${ cr.spec.nodeName.asString }
+  terminationGracePeriodSeconds: ${ (spec.vm.powerdownTimeout + 5)?c }
+  <#if spec.nodeName??>
+  nodeName: ${ spec.nodeName }
   </#if>
-  <#if cr.spec.nodeSelector??>
-  nodeSelector: ${ cr.spec.nodeSelector.toString() }
+  <#if spec.nodeSelector??>
+  nodeSelector: ${ toJson(spec.nodeSelector) }
   </#if>
-  <#if cr.spec.affinity??>
-  affinity: ${ cr.spec.affinity.toString() }
+  <#if spec.affinity??>
+  affinity: ${ toJson(spec.affinity) }
   </#if>
   serviceAccountName: vm-runner
diff --git a/org.jdrupes.vmoperator.manager/resources/org/jdrupes/vmoperator/manager/runnerSts.ftl.yaml b/org.jdrupes.vmoperator.manager/resources/org/jdrupes/vmoperator/manager/runnerSts.ftl.yaml
deleted file mode 100644
index 3d4a316..0000000
--- a/org.jdrupes.vmoperator.manager/resources/org/jdrupes/vmoperator/manager/runnerSts.ftl.yaml
+++ /dev/null
@@ -1,194 +0,0 @@
-apiVersion: apps/v1
-kind: StatefulSet
-metadata:
-  namespace: ${ cr.metadata.namespace.asString }
-  name: ${ cr.metadata.name.asString }
-  labels:
-    app.kubernetes.io/name: ${ constants.APP_NAME }
-    app.kubernetes.io/instance: ${ cr.metadata.name.asString }
-    app.kubernetes.io/managed-by: ${ constants.VM_OP_NAME }
-  annotations:
-    vmoperator.jdrupes.org/version: ${ managerVersion }
-  ownerReferences:
-  - apiVersion: ${ cr.apiVersion.asString }
-    kind: ${ constants.VM_OP_KIND_VM }
-    name: ${ cr.metadata.name.asString }
-    uid: ${ cr.metadata.uid.asString }
-    blockOwnerDeletion: true
-    controller: false
-
-spec:
-  selector:
-    matchLabels:
-      app.kubernetes.io/name: ${ constants.APP_NAME }
-      app.kubernetes.io/instance: ${ cr.metadata.name.asString }
-  replicas: ${ (cr.spec.vm.state.asString == "Running")?then(1, 0) }
-  updateStrategy: 
-    type: OnDelete
-  template:
-    metadata:
-      namespace: ${ cr.metadata.namespace.asString }
-      name: ${ cr.metadata.name.asString }
-      labels:
-        app.kubernetes.io/name: ${ constants.APP_NAME }
-        app.kubernetes.io/instance: ${ cr.metadata.name.asString }
-        app.kubernetes.io/component: ${ constants.APP_NAME }
-        app.kubernetes.io/managed-by: ${ constants.VM_OP_NAME }
-      annotations:
-        # Triggers update of config map mounted in pod
-        # See https://ahmet.im/blog/kubernetes-secret-volumes-delay/
-        vmrunner.jdrupes.org/cmVersion: "${ cm.metadata.resourceVersion.asString }"
-        vmoperator.jdrupes.org/version: ${ managerVersion }
-    spec:
-      containers:
-      - name: ${ cr.metadata.name.asString }
-        <#assign image = cr.spec.image>
-        <#if image.source??>
-        image: ${ image.source.asString }
-        <#else>
-        image: ${ image.repository.asString }/${ image.path.asString }<#if image.version??>:${ image.version.asString }</#if>
-        </#if>
-        <#if image.pullPolicy??>
-        imagePullPolicy: ${ image.pullPolicy.asString }
-        </#if>
-        <#if cr.spec.vm.display.spice??>
-        ports:
-          <#if cr.spec.vm.display.spice??>
-          - name: spice
-            containerPort: ${ cr.spec.vm.display.spice.port.asInt?c }
-            protocol: TCP
-          </#if>
-        </#if>
-        volumeMounts:
-        # Not needed because pod is priviledged:
-        # - mountPath: /dev/kvm
-        #   name: dev-kvm
-        # - mountPath: /dev/net/tun
-        #   name: dev-tun
-        # - mountPath: /sys/fs/cgroup
-        #   name: cgroup
-        - name: config
-          mountPath: /etc/opt/vmrunner
-        - name: runner-data
-          mountPath: /var/local/vm-data
-        - name: vmop-image-repository
-          mountPath: ${ constants.IMAGE_REPO_PATH }
-        volumeDevices:
-        <#assign diskCounter = 0/>
-        <#list cr.spec.vm.disks.asList() as disk>
-        <#if disk.volumeClaimTemplate??>
-        <#if disk.volumeClaimTemplate.metadata??
-          && disk.volumeClaimTemplate.metadata.name??>
-          <#assign diskName = disk.volumeClaimTemplate.metadata.name.asString + "-disk">
-        <#else>
-          <#assign diskName = "disk-" + diskCounter>
-        </#if>
-        - name: ${ diskName }
-          devicePath: /dev/${ diskName }
-        <#assign diskCounter = diskCounter + 1/>
-        </#if>
-        </#list>
-        securityContext:
-          privileged: true
-        <#if cr.spec.resources??>
-        resources: ${ cr.spec.resources.toString() }
-        <#else>
-        <#if cr.spec.vm.currentCpus?? || cr.spec.vm.currentRam?? >
-        resources:
-          requests:
-            <#if cr.spec.vm.currentCpus?? >
-            <#assign factor = 2.0 />
-            <#if reconciler.cpuOvercommit??>
-            <#assign factor = reconciler.cpuOvercommit * 1.0 />
-            </#if>
-            cpu: ${ (parseQuantity(cr.spec.vm.currentCpus.asString) / factor)?c }
-            </#if>
-            <#if cr.spec.vm.currentRam?? >
-            <#assign factor = 1.25 />
-            <#if reconciler.ramOvercommit??>
-            <#assign factor = reconciler.ramOvercommit * 1.0 />
-            </#if>
-            memory: ${ (parseQuantity(cr.spec.vm.currentRam.asString) / factor)?floor?c }
-            </#if>
-        </#if>
-        </#if>
-      volumes:
-      # Not needed because pod is priviledged:
-      # - name: dev-kvm
-      #   hostPath:
-      #     path: /dev/kvm
-      #     type: CharDevice
-      # - hostPath:
-      #     path: /dev/net/tun
-      #     type: CharDevice
-      #   name: dev-tun
-      # - name: cgroup
-      #   hostPath:
-      #     path: /sys/fs/cgroup
-      - name: config
-        projected:
-          sources:
-          - configMap:
-              name: ${ cr.metadata.name.asString }
-          <#if displaySecret??>
-          - secret:
-              name: ${ displaySecret }
-          </#if>
-      - name: vmop-image-repository
-        persistentVolumeClaim:
-          claimName: vmop-image-repository
-      hostNetwork: true
-      terminationGracePeriodSeconds: ${ (cr.spec.vm.powerdownTimeout.asInt + 5)?c }
-      <#if cr.spec.nodeName??>
-      nodeName: ${ cr.spec.nodeName.asString }
-      </#if>
-      <#if cr.spec.nodeSelector??>
-      nodeSelector: ${ cr.spec.nodeSelector.toString() }
-      </#if>
-      <#if cr.spec.affinity??>
-      affinity: ${ cr.spec.affinity.toString() }
-      </#if>
-      serviceAccountName: vm-runner
-  volumeClaimTemplates:
-  - metadata:
-      namespace: ${ cr.metadata.namespace.asString }
-      name: runner-data
-      labels:
-        app.kubernetes.io/name: ${ constants.APP_NAME }
-        app.kubernetes.io/instance: ${ cr.metadata.name.asString }
-        app.kubernetes.io/managed-by: ${ constants.VM_OP_NAME }
-    spec:
-      accessModes:
-      - ReadWriteOnce
-      <#if reconciler.runnerDataPvc?? && reconciler.runnerDataPvc.storageClassName??>
-      storageClassName: ${ reconciler.runnerDataPvc.storageClassName }
-      </#if>
-      resources:
-        requests:
-          storage: 1Mi
-  <#assign diskCounter = 0/>
-  <#list cr.spec.vm.disks.asList() as disk>
-  <#if disk.volumeClaimTemplate??>
-  <#if disk.volumeClaimTemplate.metadata??
-    && disk.volumeClaimTemplate.metadata.name??>
-    <#assign diskName = disk.volumeClaimTemplate.metadata.name.asString + "-disk">
-  <#else>
-    <#assign diskName = "disk-" + diskCounter>
-  </#if>
-  - metadata:
-      namespace: ${ cr.metadata.namespace.asString }
-      name: ${ diskName }
-      labels:
-        app.kubernetes.io/name: ${ constants.APP_NAME }
-        app.kubernetes.io/instance: ${ cr.metadata.name.asString }
-        app.kubernetes.io/managed-by: ${ constants.VM_OP_NAME }
-      <#if disk.volumeClaimTemplate.metadata??
-        && disk.volumeClaimTemplate.metadata.annotations??>
-      annotations:
-        ${ disk.volumeClaimTemplate.metadata.annotations.toString() }
-      </#if>
-    spec:
-      ${ disk.volumeClaimTemplate.spec.toString() }
-  <#assign diskCounter = diskCounter + 1/>
-  </#if>
-  </#list>
diff --git a/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/ConfigMapReconciler.java b/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/ConfigMapReconciler.java
index 4219e53..129a54d 100644
--- a/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/ConfigMapReconciler.java
+++ b/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/ConfigMapReconciler.java
@@ -68,7 +68,7 @@ import org.yaml.snakeyaml.constructor.SafeConstructor;
      * @throws TemplateException the template exception
      * @throws ApiException the api exception
      */
-    public DynamicKubernetesObject reconcile(Map<String, Object> model,
+    public Map<String, Object> reconcile(Map<String, Object> model,
             VmChannel channel)
             throws IOException, TemplateException, ApiException {
         // Get API
@@ -87,7 +87,10 @@ import org.yaml.snakeyaml.constructor.SafeConstructor;
         // Apply and maybe force pod update
         var newState = K8s.apply(cmApi, mapDef, out.toString());
         maybeForceUpdate(channel.client(), newState);
-        return newState;
+        @SuppressWarnings("unchecked")
+        var res = (Map<String, Object>) channel.client().getJSON().getGson()
+            .fromJson(newState.getRaw(), Map.class);
+        return res;
     }
 
     /**
diff --git a/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/DisplaySecretMonitor.java b/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/DisplaySecretMonitor.java
index fa0bbf0..69d4058 100644
--- a/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/DisplaySecretMonitor.java
+++ b/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/DisplaySecretMonitor.java
@@ -256,10 +256,9 @@ public class DisplaySecretMonitor
     @SuppressWarnings("PMD.AvoidSynchronizedStatement")
     public void onVmDefChanged(VmDefChanged event, Channel channel) {
         synchronized (pendingGets) {
-            String vmName = event.vmDefinition().metadata().getName();
+            String vmName = event.vmDefinition().name();
             for (var pending : pendingGets) {
-                if (pending.event.vmDefinition().metadata().getName()
-                    .equals(vmName)
+                if (pending.event.vmDefinition().name().equals(vmName)
                     && event.vmDefinition().displayPasswordSerial()
                         .map(s -> s >= pending.expectedSerial).orElse(false)) {
                     pending.lock.remove();
diff --git a/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/DisplaySecretReconciler.java b/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/DisplaySecretReconciler.java
index 17456aa..0665d32 100644
--- a/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/DisplaySecretReconciler.java
+++ b/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/DisplaySecretReconciler.java
@@ -18,7 +18,6 @@
 
 package org.jdrupes.vmoperator.manager;
 
-import com.google.gson.JsonPrimitive;
 import freemarker.template.TemplateException;
 import io.kubernetes.client.openapi.ApiException;
 import io.kubernetes.client.openapi.models.V1ObjectMeta;
@@ -36,7 +35,7 @@ import static org.jdrupes.vmoperator.manager.Constants.DATA_DISPLAY_PASSWORD;
 import static org.jdrupes.vmoperator.manager.Constants.DATA_PASSWORD_EXPIRY;
 import org.jdrupes.vmoperator.manager.events.VmChannel;
 import org.jdrupes.vmoperator.manager.events.VmDefChanged;
-import org.jdrupes.vmoperator.util.GsonPtr;
+import org.jdrupes.vmoperator.util.DataPath;
 import org.jose4j.base64url.Base64;
 
 /**
@@ -61,32 +60,31 @@ import org.jose4j.base64url.Base64;
             Map<String, Object> model, VmChannel channel)
             throws IOException, TemplateException, ApiException {
         // Secret needed at all?
-        var display = GsonPtr.to(event.vmDefinition().data()).to("spec", "vm",
-            "display");
-        if (!display.get(JsonPrimitive.class, "spice", "generateSecret")
-            .map(JsonPrimitive::getAsBoolean).orElse(true)) {
+        var display = event.vmDefinition().fromVm("display").get();
+        if (!DataPath.<Boolean> get(display, "spice", "generateSecret")
+            .orElse(true)) {
             return;
         }
 
         // Check if exists
-        var metadata = event.vmDefinition().getMetadata();
+        var vmDef = event.vmDefinition();
         ListOptions options = new ListOptions();
         options.setLabelSelector("app.kubernetes.io/name=" + APP_NAME + ","
             + "app.kubernetes.io/component=" + COMP_DISPLAY_SECRET + ","
-            + "app.kubernetes.io/instance=" + metadata.getName());
-        var stubs = K8sV1SecretStub.list(channel.client(),
-            metadata.getNamespace(), options);
+            + "app.kubernetes.io/instance=" + vmDef.name());
+        var stubs = K8sV1SecretStub.list(channel.client(), vmDef.namespace(),
+            options);
         if (!stubs.isEmpty()) {
             return;
         }
 
         // Create secret
         var secret = new V1Secret();
-        secret.setMetadata(new V1ObjectMeta().namespace(metadata.getNamespace())
-            .name(metadata.getName() + "-" + COMP_DISPLAY_SECRET)
+        secret.setMetadata(new V1ObjectMeta().namespace(vmDef.namespace())
+            .name(vmDef.name() + "-" + COMP_DISPLAY_SECRET)
             .putLabelsItem("app.kubernetes.io/name", APP_NAME)
             .putLabelsItem("app.kubernetes.io/component", COMP_DISPLAY_SECRET)
-            .putLabelsItem("app.kubernetes.io/instance", metadata.getName()));
+            .putLabelsItem("app.kubernetes.io/instance", vmDef.name()));
         secret.setType("Opaque");
         SecureRandom random = null;
         try {
diff --git a/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/LoadBalancerReconciler.java b/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/LoadBalancerReconciler.java
index 85158c7..2d632b9 100644
--- a/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/LoadBalancerReconciler.java
+++ b/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/LoadBalancerReconciler.java
@@ -18,22 +18,23 @@
 
 package org.jdrupes.vmoperator.manager;
 
-import com.google.gson.JsonObject;
+import com.google.gson.Gson;
 import freemarker.template.Configuration;
 import freemarker.template.TemplateException;
 import io.kubernetes.client.openapi.ApiException;
 import io.kubernetes.client.openapi.models.V1APIService;
 import io.kubernetes.client.openapi.models.V1ObjectMeta;
-import io.kubernetes.client.util.generic.dynamic.DynamicKubernetesApi;
 import io.kubernetes.client.util.generic.dynamic.DynamicKubernetesObject;
 import io.kubernetes.client.util.generic.dynamic.Dynamics;
 import java.io.IOException;
 import java.io.StringWriter;
+import java.util.Collections;
+import java.util.LinkedHashMap;
 import java.util.Map;
 import java.util.Optional;
 import java.util.logging.Logger;
-import org.jdrupes.vmoperator.common.K8s;
-import org.jdrupes.vmoperator.common.K8sDynamicModel;
+import org.jdrupes.vmoperator.common.K8sV1ServiceStub;
+import org.jdrupes.vmoperator.common.VmDefinition;
 import org.jdrupes.vmoperator.manager.events.VmChannel;
 import org.jdrupes.vmoperator.manager.events.VmDefChanged;
 import org.jdrupes.vmoperator.util.GsonPtr;
@@ -92,11 +93,13 @@ import org.yaml.snakeyaml.constructor.SafeConstructor;
         if (lbsDef instanceof Boolean isOn && !isOn) {
             return;
         }
-        JsonObject cfgMeta = new JsonObject();
-        if (lbsDef instanceof Map) {
-            var json = channel.client().getJSON();
-            cfgMeta
-                = json.deserialize(json.serialize(lbsDef), JsonObject.class);
+
+        // Load balancer can also be turned off for VM
+        var vmDef = event.vmDefinition();
+        if (vmDef
+            .<Map<String, Map<String, String>>> fromSpec(LOAD_BALANCER_SERVICE)
+            .map(m -> m.isEmpty()).orElse(false)) {
+            return;
         }
 
         // Combine template and data and parse result
@@ -107,53 +110,78 @@ import org.yaml.snakeyaml.constructor.SafeConstructor;
         // https://github.com/kubernetes-client/java/issues/2741
         var svcDef = Dynamics.newFromYaml(
             new Yaml(new SafeConstructor(new LoaderOptions())), out.toString());
-        mergeMetadata(svcDef, cfgMeta, event.vmDefinition());
+        @SuppressWarnings("unchecked")
+        var defaults = lbsDef instanceof Map
+            ? (Map<String, Map<String, String>>) lbsDef
+            : null;
+        var client = channel.client();
+        mergeMetadata(client.getJSON().getGson(), svcDef, defaults, vmDef);
 
         // Apply
-        DynamicKubernetesApi svcApi = new DynamicKubernetesApi("", "v1",
-            "services", channel.client());
-        K8s.apply(svcApi, svcDef, svcDef.getRaw().toString());
+        var svcStub = K8sV1ServiceStub
+            .get(client, vmDef.namespace(), vmDef.name());
+        if (svcStub.apply(svcDef).isEmpty()) {
+            logger.warning(
+                () -> "Could not patch service for " + svcStub.name());
+        }
     }
 
-    private void mergeMetadata(DynamicKubernetesObject svcDef,
-            JsonObject cfgMeta, K8sDynamicModel vmDefinition) {
-        // Get metadata from VM definition
-        var vmMeta = GsonPtr.to(vmDefinition.data()).to("spec")
-            .get(JsonObject.class, LOAD_BALANCER_SERVICE)
-            .map(JsonObject::deepCopy).orElseGet(() -> new JsonObject());
+    private void mergeMetadata(Gson gson, DynamicKubernetesObject svcDef,
+            Map<String, Map<String, String>> defaults,
+            VmDefinition vmDefinition) {
+        // Get specific load balancer metadata from VM definition
+        var vmLbMeta = vmDefinition
+            .<Map<String, Map<String, String>>> fromSpec(LOAD_BALANCER_SERVICE)
+            .orElse(Collections.emptyMap());
 
-        // Merge Data from VM definition into config data
-        mergeReplace(GsonPtr.to(cfgMeta).to(LABELS).get(JsonObject.class),
-            GsonPtr.to(vmMeta).to(LABELS).get(JsonObject.class));
-        mergeReplace(
-            GsonPtr.to(cfgMeta).to(ANNOTATIONS).get(JsonObject.class),
-            GsonPtr.to(vmMeta).to(ANNOTATIONS).get(JsonObject.class));
-
-        // Merge additional data into service definition
-        var svcMeta = GsonPtr.to(svcDef.getRaw()).to(METADATA);
-        mergeIfAbsent(svcMeta.to(LABELS).get(JsonObject.class),
-            GsonPtr.to(cfgMeta).to(LABELS).get(JsonObject.class));
-        mergeIfAbsent(svcMeta.to(ANNOTATIONS).get(JsonObject.class),
-            GsonPtr.to(cfgMeta).to(ANNOTATIONS).get(JsonObject.class));
+        // Merge
+        var svcMeta = svcDef.getMetadata();
+        var svcJsonMeta = GsonPtr.to(svcDef.getRaw()).to(METADATA);
+        Optional.ofNullable(mergeIfAbsent(svcMeta.getLabels(),
+            mergeReplace(defaults.get(LABELS), vmLbMeta.get(LABELS))))
+            .ifPresent(lbls -> svcJsonMeta.set(LABELS, gson.toJsonTree(lbls)));
+        Optional.ofNullable(mergeIfAbsent(svcMeta.getAnnotations(),
+            mergeReplace(defaults.get(ANNOTATIONS), vmLbMeta.get(ANNOTATIONS))))
+            .ifPresent(as -> svcJsonMeta.set(ANNOTATIONS, gson.toJsonTree(as)));
     }
 
-    private void mergeReplace(JsonObject dest, JsonObject src) {
+    private Map<String, String> mergeReplace(Map<String, String> dest,
+            Map<String, String> src) {
+        if (src == null) {
+            return dest;
+        }
+        if (dest == null) {
+            dest = new LinkedHashMap<>();
+        } else {
+            dest = new LinkedHashMap<>(dest);
+        }
         for (var e : src.entrySet()) {
-            if (e.getValue().isJsonNull()) {
+            if (e.getValue() == null) {
                 dest.remove(e.getKey());
                 continue;
             }
-            dest.add(e.getKey(), e.getValue());
+            dest.put(e.getKey(), e.getValue());
         }
+        return dest;
     }
 
-    private void mergeIfAbsent(JsonObject dest, JsonObject src) {
+    private Map<String, String> mergeIfAbsent(Map<String, String> dest,
+            Map<String, String> src) {
+        if (src == null) {
+            return dest;
+        }
+        if (dest == null) {
+            dest = new LinkedHashMap<>();
+        } else {
+            dest = new LinkedHashMap<>(dest);
+        }
         for (var e : src.entrySet()) {
-            if (dest.has(e.getKey())) {
+            if (dest.containsKey(e.getKey())) {
                 continue;
             }
-            dest.add(e.getKey(), e.getValue());
+            dest.put(e.getKey(), e.getValue());
         }
+        return dest;
     }
 
 }
diff --git a/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/PodReconciler.java b/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/PodReconciler.java
index 33c2221..4ee96d8 100644
--- a/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/PodReconciler.java
+++ b/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/PodReconciler.java
@@ -20,7 +20,6 @@ package org.jdrupes.vmoperator.manager;
 
 import freemarker.template.Configuration;
 import freemarker.template.TemplateException;
-import io.kubernetes.client.custom.V1Patch;
 import io.kubernetes.client.openapi.ApiException;
 import io.kubernetes.client.util.generic.dynamic.Dynamics;
 import io.kubernetes.client.util.generic.options.PatchOptions;
@@ -29,7 +28,7 @@ import java.io.StringWriter;
 import java.util.Map;
 import java.util.logging.Logger;
 import org.jdrupes.vmoperator.common.K8sV1PodStub;
-import org.jdrupes.vmoperator.common.VmDefinitionModel.RequestedVmState;
+import org.jdrupes.vmoperator.common.VmDefinition.RequestedVmState;
 import org.jdrupes.vmoperator.manager.events.VmChannel;
 import org.jdrupes.vmoperator.manager.events.VmDefChanged;
 import org.yaml.snakeyaml.LoaderOptions;
@@ -73,18 +72,18 @@ import org.yaml.snakeyaml.constructor.SafeConstructor;
         }
 
         // Get pod stub.
-        var metadata = event.vmDefinition().getMetadata();
-        var podStub = K8sV1PodStub.get(channel.client(),
-            metadata.getNamespace(), metadata.getName());
+        var vmDef = event.vmDefinition();
+        var podStub = K8sV1PodStub.get(channel.client(), vmDef.namespace(),
+            vmDef.name());
 
         // Nothing to do if exists and should be running
-        if (event.vmDefinition().vmState() == RequestedVmState.RUNNING
+        if (vmDef.vmState() == RequestedVmState.RUNNING
             && podStub.model().isPresent()) {
             return;
         }
 
         // Delete if running but should be stopped
-        if (event.vmDefinition().vmState() == RequestedVmState.STOPPED) {
+        if (vmDef.vmState() == RequestedVmState.STOPPED) {
             if (podStub.model().isPresent()) {
                 podStub.delete();
             }
@@ -104,9 +103,7 @@ import org.yaml.snakeyaml.constructor.SafeConstructor;
         PatchOptions opts = new PatchOptions();
         opts.setForce(true);
         opts.setFieldManager("kubernetes-java-kubectl-apply");
-        if (podStub.patch(V1Patch.PATCH_FORMAT_APPLY_YAML,
-            new V1Patch(channel.client().getJSON().serialize(podDef)), opts)
-            .isEmpty()) {
+        if (podStub.apply(podDef).isEmpty()) {
             logger.warning(
                 () -> "Could not patch pod for " + podStub.name());
         }
diff --git a/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/PvcReconciler.java b/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/PvcReconciler.java
index 39fcfe9..d044199 100644
--- a/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/PvcReconciler.java
+++ b/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/PvcReconciler.java
@@ -18,8 +18,6 @@
 
 package org.jdrupes.vmoperator.manager;
 
-import com.google.gson.JsonElement;
-import com.google.gson.JsonObject;
 import freemarker.core.ParseException;
 import freemarker.template.Configuration;
 import freemarker.template.MalformedTemplateNameException;
@@ -32,6 +30,7 @@ import io.kubernetes.client.util.generic.options.ListOptions;
 import io.kubernetes.client.util.generic.options.PatchOptions;
 import java.io.IOException;
 import java.io.StringWriter;
+import java.util.List;
 import java.util.Map;
 import java.util.Set;
 import java.util.logging.Logger;
@@ -41,7 +40,7 @@ import static org.jdrupes.vmoperator.common.Constants.VM_OP_NAME;
 import org.jdrupes.vmoperator.common.K8sV1PvcStub;
 import org.jdrupes.vmoperator.manager.events.VmChannel;
 import org.jdrupes.vmoperator.manager.events.VmDefChanged;
-import org.jdrupes.vmoperator.util.GsonPtr;
+import org.jdrupes.vmoperator.util.DataPath;
 import org.yaml.snakeyaml.LoaderOptions;
 import org.yaml.snakeyaml.Yaml;
 import org.yaml.snakeyaml.constructor.SafeConstructor;
@@ -78,16 +77,16 @@ import org.yaml.snakeyaml.constructor.SafeConstructor;
     public void reconcile(VmDefChanged event, Map<String, Object> model,
             VmChannel channel)
             throws IOException, TemplateException, ApiException {
-        var metadata = event.vmDefinition().getMetadata();
+        var vmDef = event.vmDefinition();
 
         // Existing disks
         ListOptions listOpts = new ListOptions();
         listOpts.setLabelSelector(
             "app.kubernetes.io/managed-by=" + VM_OP_NAME + ","
                 + "app.kubernetes.io/name=" + APP_NAME + ","
-                + "app.kubernetes.io/instance=" + metadata.getName());
+                + "app.kubernetes.io/instance=" + vmDef.name());
         var knownDisks = K8sV1PvcStub.list(channel.client(),
-            metadata.getNamespace(), listOpts);
+            vmDef.namespace(), listOpts);
         var knownPvcs = knownDisks.stream().map(K8sV1PvcStub::name)
             .collect(Collectors.toSet());
 
@@ -95,23 +94,23 @@ import org.yaml.snakeyaml.constructor.SafeConstructor;
         reconcileRunnerDataPvc(event, model, channel, knownPvcs);
 
         // Reconcile pvcs for defined disks
-        var diskDefs = GsonPtr.to((JsonObject) model.get("cr"))
-            .getAsListOf(JsonObject.class, "spec", "vm", "disks");
+        var diskDefs = vmDef.<List<Map<String, Object>>> fromVm("disks")
+            .orElse(List.of());
         var diskCounter = 0;
         for (var diskDef : diskDefs) {
-            if (!diskDef.has("volumeClaimTemplate")) {
+            if (!diskDef.containsKey("volumeClaimTemplate")) {
                 continue;
             }
-            var diskName = GsonPtr.to(diskDef)
-                .getAsString("volumeClaimTemplate", "metadata", "name")
-                .map(name -> name + "-disk").orElse("disk-" + diskCounter);
+            var diskName = DataPath.get(diskDef, "volumeClaimTemplate",
+                "metadata", "name").map(name -> name + "-disk")
+                .orElse("disk-" + diskCounter);
             diskCounter += 1;
-            diskDef.addProperty("generatedDiskName", diskName);
+            diskDef.put("generatedDiskName", diskName);
 
             // Don't do anything if pvc with old (sts generated) name exists.
-            var stsDiskPvcName = diskName + "-" + metadata.getName() + "-0";
+            var stsDiskPvcName = diskName + "-" + vmDef.name() + "-0";
             if (knownPvcs.contains(stsDiskPvcName)) {
-                diskDef.addProperty("generatedPvcName", stsDiskPvcName);
+                diskDef.put("generatedPvcName", stsDiskPvcName);
                 continue;
             }
 
@@ -127,18 +126,18 @@ import org.yaml.snakeyaml.constructor.SafeConstructor;
             Set<String> knownPvcs)
             throws TemplateNotFoundException, MalformedTemplateNameException,
             ParseException, IOException, TemplateException, ApiException {
-        var metadata = event.vmDefinition().getMetadata();
+        var vmDef = event.vmDefinition();
 
         // Look for old (sts generated) name.
         var stsRunnerDataPvcName
-            = "runner-data" + "-" + metadata.getName() + "-0";
+            = "runner-data" + "-" + vmDef.name() + "-0";
         if (knownPvcs.contains(stsRunnerDataPvcName)) {
             model.put("runnerDataPvcName", stsRunnerDataPvcName);
             return;
         }
 
         // Generate PVC
-        model.put("runnerDataPvcName", metadata.getName() + "-runner-data");
+        model.put("runnerDataPvcName", vmDef.name() + "-runner-data");
         var fmTemplate = fmConfig.getTemplate("runnerDataPvc.ftl.yaml");
         StringWriter out = new StringWriter();
         fmTemplate.process(model, out);
@@ -149,7 +148,7 @@ import org.yaml.snakeyaml.constructor.SafeConstructor;
 
         // Do apply changes
         var pvcStub = K8sV1PvcStub.get(channel.client(),
-            metadata.getNamespace(), (String) model.get("runnerDataPvcName"));
+            vmDef.namespace(), (String) model.get("runnerDataPvcName"));
         PatchOptions opts = new PatchOptions();
         opts.setForce(true);
         opts.setFieldManager("kubernetes-java-kubectl-apply");
@@ -165,13 +164,13 @@ import org.yaml.snakeyaml.constructor.SafeConstructor;
             Map<String, Object> model, VmChannel channel)
             throws TemplateNotFoundException, MalformedTemplateNameException,
             ParseException, IOException, TemplateException, ApiException {
-        var metadata = event.vmDefinition().getMetadata();
+        var vmDef = event.vmDefinition();
 
         // Generate PVC
-        var diskDef = GsonPtr.to((JsonElement) model.get("disk"));
-        var pvcName = metadata.getName() + "-"
-            + diskDef.getAsString("generatedDiskName").get();
-        diskDef.set("generatedPvcName", pvcName);
+        @SuppressWarnings("unchecked")
+        var diskDef = (Map<String, Object>) model.get("disk");
+        var pvcName = vmDef.name() + "-" + diskDef.get("generatedDiskName");
+        diskDef.put("generatedPvcName", pvcName);
         var fmTemplate = fmConfig.getTemplate("runnerDiskPvc.ftl.yaml");
         StringWriter out = new StringWriter();
         fmTemplate.process(model, out);
@@ -181,9 +180,8 @@ import org.yaml.snakeyaml.constructor.SafeConstructor;
             new Yaml(new SafeConstructor(new LoaderOptions())), out.toString());
 
         // Do apply changes
-        var pvcStub = K8sV1PvcStub.get(channel.client(),
-            metadata.getNamespace(), GsonPtr.to((JsonElement) model.get("disk"))
-                .getAsString("generatedPvcName").get());
+        var pvcStub
+            = K8sV1PvcStub.get(channel.client(), vmDef.namespace(), pvcName);
         PatchOptions opts = new PatchOptions();
         opts.setForce(true);
         opts.setFieldManager("kubernetes-java-kubectl-apply");
diff --git a/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/Reconciler.java b/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/Reconciler.java
index 17ba60d..32753ac 100644
--- a/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/Reconciler.java
+++ b/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/Reconciler.java
@@ -18,11 +18,13 @@
 
 package org.jdrupes.vmoperator.manager;
 
-import com.google.gson.JsonArray;
-import com.google.gson.JsonObject;
+import com.fasterxml.jackson.core.JsonProcessingException;
+import com.fasterxml.jackson.databind.ObjectMapper;
+import freemarker.template.AdapterTemplateModel;
 import freemarker.template.Configuration;
 import freemarker.template.DefaultObjectWrapperBuilder;
 import freemarker.template.SimpleNumber;
+import freemarker.template.SimpleScalar;
 import freemarker.template.TemplateException;
 import freemarker.template.TemplateExceptionHandler;
 import freemarker.template.TemplateHashModel;
@@ -30,7 +32,7 @@ import freemarker.template.TemplateMethodModelEx;
 import freemarker.template.TemplateModelException;
 import io.kubernetes.client.custom.Quantity;
 import io.kubernetes.client.openapi.ApiException;
-import io.kubernetes.client.util.generic.dynamic.DynamicKubernetesObject;
+import io.kubernetes.client.openapi.models.V1ObjectMeta;
 import io.kubernetes.client.util.generic.options.ListOptions;
 import java.io.IOException;
 import java.math.BigDecimal;
@@ -44,15 +46,15 @@ import java.util.Optional;
 import static org.jdrupes.vmoperator.common.Constants.APP_NAME;
 import org.jdrupes.vmoperator.common.Convertions;
 import org.jdrupes.vmoperator.common.K8sClient;
-import org.jdrupes.vmoperator.common.K8sDynamicModel;
 import org.jdrupes.vmoperator.common.K8sObserver;
 import org.jdrupes.vmoperator.common.K8sV1SecretStub;
+import org.jdrupes.vmoperator.common.VmDefinition;
 import static org.jdrupes.vmoperator.manager.Constants.COMP_DISPLAY_SECRET;
 import org.jdrupes.vmoperator.manager.events.ResetVm;
 import org.jdrupes.vmoperator.manager.events.VmChannel;
 import org.jdrupes.vmoperator.manager.events.VmDefChanged;
+import org.jdrupes.vmoperator.util.DataPath;
 import org.jdrupes.vmoperator.util.ExtendedObjectWrapper;
-import org.jdrupes.vmoperator.util.GsonPtr;
 import org.jgrapes.core.Channel;
 import org.jgrapes.core.Component;
 import org.jgrapes.core.annotation.Handler;
@@ -135,6 +137,10 @@ import org.jgrapes.util.events.ConfigurationUpdate;
     "PMD.AvoidDuplicateLiterals" })
 public class Reconciler extends Component {
 
+    /** The Constant mapper. */
+    @SuppressWarnings("PMD.FieldNamingConventions")
+    protected static final ObjectMapper mapper = new ObjectMapper();
+
     @SuppressWarnings("PMD.SingularField")
     private final Configuration fmConfig;
     private final ConfigMapReconciler cmReconciler;
@@ -203,17 +209,17 @@ public class Reconciler extends Component {
         }
 
         // Ownership relationships takes care of deletions
-        var defMeta = event.vmDefinition().getMetadata();
         if (event.type() == K8sObserver.ResponseType.DELETED) {
-            logger.fine(() -> "VM \"" + defMeta.getName() + "\" deleted");
+            logger.fine(
+                () -> "VM \"" + event.vmDefinition().name() + "\" deleted");
             return;
         }
 
-        // Reconcile, use "augmented" vm definition for model
+        // Create model for processing templates
         Map<String, Object> model
-            = prepareModel(channel.client(), patchCr(event.vmDefinition()));
+            = prepareModel(channel.client(), event.vmDefinition());
         var configMap = cmReconciler.reconcile(model, channel);
-        model.put("cm", configMap.getRaw());
+        model.put("cm", configMap);
         dsReconciler.reconcile(event, model, channel);
         // Manage (eventual) removal of stateful set.
         stsReconciler.reconcile(event, model, channel);
@@ -235,81 +241,22 @@ public class Reconciler extends Component {
     @Handler
     public void onResetVm(ResetVm event, VmChannel channel)
             throws ApiException, IOException, TemplateException {
-        var defRoot
-            = GsonPtr.to(channel.vmDefinition().data()).get(JsonObject.class);
-        defRoot.addProperty("resetCount",
-            defRoot.get("resetCount").getAsLong() + 1);
+        var vmDef = channel.vmDefinition();
+        vmDef.extra("resetCount", vmDef.<Long> extra("resetCount") + 1);
         Map<String, Object> model
-            = prepareModel(channel.client(), patchCr(channel.vmDefinition()));
+            = prepareModel(channel.client(), channel.vmDefinition());
         cmReconciler.reconcile(model, channel);
     }
 
-    private DynamicKubernetesObject patchCr(K8sDynamicModel vmDef) {
-        var json = vmDef.data().deepCopy();
-        // Adjust cdromImage path
-        adjustCdRomPaths(json);
-
-        // Adjust cloud-init data
-        adjustCloudInitData(json);
-
-        return new DynamicKubernetesObject(json);
-    }
-
-    @SuppressWarnings("PMD.AvoidLiteralsInIfCondition")
-    private void adjustCdRomPaths(JsonObject json) {
-        var disks
-            = GsonPtr.to(json).to("spec", "vm", "disks").get(JsonArray.class);
-        for (var disk : disks) {
-            var cdrom = (JsonObject) ((JsonObject) disk).get("cdrom");
-            if (cdrom == null) {
-                continue;
-            }
-            String image = cdrom.get("image").getAsString();
-            if (image.isEmpty()) {
-                continue;
-            }
-            try {
-                @SuppressWarnings("PMD.AvoidInstantiatingObjectsInLoops")
-                var imageUri = new URI("file://" + Constants.IMAGE_REPO_PATH
-                    + "/").resolve(image);
-                if ("file".equals(imageUri.getScheme())) {
-                    cdrom.addProperty("image", imageUri.getPath());
-                } else {
-                    cdrom.addProperty("image", imageUri.toString());
-                }
-            } catch (URISyntaxException e) {
-                logger.warning(() -> "Invalid CDROM image: " + image);
-            }
-        }
-    }
-
-    private void adjustCloudInitData(JsonObject json) {
-        var spec = GsonPtr.to(json).to("spec").get(JsonObject.class);
-        if (!spec.has("cloudInit")) {
-            return;
-        }
-        var metaData = GsonPtr.to(spec).to("cloudInit", "metaData");
-        if (metaData.getAsString("instance-id").isEmpty()) {
-            metaData.set("instance-id",
-                GsonPtr.to(json).getAsString("metadata", "resourceVersion")
-                    .map(s -> "v" + s).orElse("v1"));
-        }
-        if (metaData.getAsString("local-hostname").isEmpty()) {
-            metaData.set("local-hostname",
-                GsonPtr.to(json).getAsString("metadata", "name").get());
-        }
-    }
-
-    @SuppressWarnings("PMD.CognitiveComplexity")
+    @SuppressWarnings({ "PMD.CognitiveComplexity", "PMD.NPathComplexity" })
     private Map<String, Object> prepareModel(K8sClient client,
-            DynamicKubernetesObject vmDef)
-            throws TemplateModelException, ApiException {
+            VmDefinition vmDef) throws TemplateModelException, ApiException {
         @SuppressWarnings("PMD.UseConcurrentHashMap")
         Map<String, Object> model = new HashMap<>();
         model.put("managerVersion",
             Optional.ofNullable(Reconciler.class.getPackage()
                 .getImplementationVersion()).orElse("(Unknown)"));
-        model.put("cr", vmDef.getRaw());
+        model.put("cr", vmDef);
         model.put("constants",
             (TemplateHashModel) new DefaultObjectWrapperBuilder(
                 Configuration.VERSION_2_3_32)
@@ -321,9 +268,10 @@ public class Reconciler extends Component {
         ListOptions options = new ListOptions();
         options.setLabelSelector("app.kubernetes.io/name=" + APP_NAME + ","
             + "app.kubernetes.io/component=" + COMP_DISPLAY_SECRET + ","
-            + "app.kubernetes.io/instance=" + vmDef.getMetadata().getName());
+            + "app.kubernetes.io/instance=" + vmDef.name());
         var dsStub = K8sV1SecretStub
-            .list(client, vmDef.getMetadata().getNamespace(), options).stream()
+            .list(client, vmDef.namespace(), options)
+            .stream()
             .findFirst();
         if (dsStub.isPresent()) {
             dsStub.get().model().ifPresent(m -> {
@@ -332,14 +280,23 @@ public class Reconciler extends Component {
         }
 
         // Methods
-        model.put("parseQuantity", new TemplateMethodModelEx() {
+        model.put("parseQuantity", parseQuantityModel);
+        model.put("formatMemory", formatMemoryModel);
+        model.put("imageLocation", imgageLocationModel);
+        model.put("adjustCloudInitMeta", adjustCloudInitMetaModel);
+        model.put("toJson", toJsonModel);
+        return model;
+    }
+
+    private final TemplateMethodModelEx parseQuantityModel
+        = new TemplateMethodModelEx() {
             @Override
             @SuppressWarnings("PMD.PreserveStackTrace")
             public Object exec(@SuppressWarnings("rawtypes") List arguments)
                     throws TemplateModelException {
                 var arg = arguments.get(0);
-                if (arg instanceof Number number) {
-                    return number;
+                if (arg instanceof SimpleNumber number) {
+                    return number.getAsNumber();
                 }
                 try {
                     return Quantity.fromString(arg.toString()).getNumber();
@@ -348,8 +305,10 @@ public class Reconciler extends Component {
                         + "specified as \"" + arg + "\": " + e.getMessage());
                 }
             }
-        });
-        model.put("formatMemory", new TemplateMethodModelEx() {
+        };
+
+    private final TemplateMethodModelEx formatMemoryModel
+        = new TemplateMethodModelEx() {
             @Override
             @SuppressWarnings("PMD.PreserveStackTrace")
             public Object exec(@SuppressWarnings("rawtypes") List arguments)
@@ -376,7 +335,71 @@ public class Reconciler extends Component {
                 }
                 return Convertions.formatMemory(bigInt);
             }
-        });
-        return model;
-    }
+        };
+
+    private final TemplateMethodModelEx imgageLocationModel
+        = new TemplateMethodModelEx() {
+            @Override
+            @SuppressWarnings({ "PMD.PreserveStackTrace",
+                "PMD.AvoidLiteralsInIfCondition" })
+            public Object exec(@SuppressWarnings("rawtypes") List arguments)
+                    throws TemplateModelException {
+                var image = ((SimpleScalar) arguments.get(0)).getAsString();
+                if (image.isEmpty()) {
+                    return "";
+                }
+                try {
+                    var imageUri = new URI("file://" + Constants.IMAGE_REPO_PATH
+                        + "/").resolve(image);
+                    if ("file".equals(imageUri.getScheme())) {
+                        return imageUri.getPath();
+                    }
+                    return imageUri.toString();
+                } catch (URISyntaxException e) {
+                    logger.warning(() -> "Invalid CDROM image: " + image);
+                }
+                return image;
+            }
+        };
+
+    private final TemplateMethodModelEx adjustCloudInitMetaModel
+        = new TemplateMethodModelEx() {
+            @Override
+            @SuppressWarnings("PMD.PreserveStackTrace")
+            public Object exec(@SuppressWarnings("rawtypes") List arguments)
+                    throws TemplateModelException {
+                @SuppressWarnings("unchecked")
+                var res = (Map<String, Object>) DataPath
+                    .deepCopy(((AdapterTemplateModel) arguments.get(0))
+                        .getAdaptedObject(Object.class));
+                var metadata
+                    = (V1ObjectMeta) ((AdapterTemplateModel) arguments.get(1))
+                        .getAdaptedObject(Object.class);
+                if (!res.containsKey("instance-id")) {
+                    res.put("instance-id",
+                        Optional.ofNullable(metadata.getResourceVersion())
+                            .map(s -> "v" + s).orElse("v1"));
+                }
+                if (!res.containsKey("local-hostname")) {
+                    res.put("local-hostname", metadata.getName());
+                }
+                return res;
+            }
+        };
+
+    private final TemplateMethodModelEx toJsonModel
+        = new TemplateMethodModelEx() {
+            @Override
+            @SuppressWarnings("PMD.PreserveStackTrace")
+            public Object exec(@SuppressWarnings("rawtypes") List arguments)
+                    throws TemplateModelException {
+                try {
+                    return mapper.writeValueAsString(
+                        ((AdapterTemplateModel) arguments.get(0))
+                            .getAdaptedObject(Object.class));
+                } catch (JsonProcessingException e) {
+                    return "{}";
+                }
+            }
+        };
 }
diff --git a/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/StatefulSetReconciler.java b/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/StatefulSetReconciler.java
index a58d169..8803e61 100644
--- a/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/StatefulSetReconciler.java
+++ b/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/StatefulSetReconciler.java
@@ -22,19 +22,14 @@ import freemarker.template.Configuration;
 import freemarker.template.TemplateException;
 import io.kubernetes.client.custom.V1Patch;
 import io.kubernetes.client.openapi.ApiException;
-import io.kubernetes.client.util.generic.dynamic.Dynamics;
 import io.kubernetes.client.util.generic.options.PatchOptions;
 import java.io.IOException;
-import java.io.StringWriter;
 import java.util.Map;
 import java.util.logging.Logger;
 import org.jdrupes.vmoperator.common.K8sV1StatefulSetStub;
+import org.jdrupes.vmoperator.common.VmDefinition.RequestedVmState;
 import org.jdrupes.vmoperator.manager.events.VmChannel;
 import org.jdrupes.vmoperator.manager.events.VmDefChanged;
-import org.jdrupes.vmoperator.util.GsonPtr;
-import org.yaml.snakeyaml.LoaderOptions;
-import org.yaml.snakeyaml.Yaml;
-import org.yaml.snakeyaml.constructor.SafeConstructor;
 
 /**
  * Before version 3.4, the pod running the VM was created by a stateful set.
@@ -45,15 +40,15 @@ import org.yaml.snakeyaml.constructor.SafeConstructor;
 /* default */ class StatefulSetReconciler {
 
     protected final Logger logger = Logger.getLogger(getClass().getName());
-    private final Configuration fmConfig;
 
     /**
      * Instantiates a new stateful set reconciler.
      *
      * @param fmConfig the fm config
      */
+    @SuppressWarnings("PMD.UnusedFormalParameter")
     public StatefulSetReconciler(Configuration fmConfig) {
-        this.fmConfig = fmConfig;
+        // Nothing to do
     }
 
     /**
@@ -70,12 +65,11 @@ import org.yaml.snakeyaml.constructor.SafeConstructor;
     public void reconcile(VmDefChanged event, Map<String, Object> model,
             VmChannel channel)
             throws IOException, TemplateException, ApiException {
-        var metadata = event.vmDefinition().getMetadata();
         model.put("usingSts", false);
 
         // If exists, delete when not running or supposed to be not running.
         var stsStub = K8sV1StatefulSetStub.get(channel.client(),
-            metadata.getNamespace(), metadata.getName());
+            event.vmDefinition().namespace(), event.vmDefinition().name());
         if (stsStub.model().isEmpty()) {
             return;
         }
@@ -94,16 +88,7 @@ import org.yaml.snakeyaml.constructor.SafeConstructor;
         // Check if VM is supposed to be stopped. If so,
         // set replicas to 0. This is the first step of the transition,
         // the stateful set will be deleted when the VM is restarted.
-        var fmTemplate = fmConfig.getTemplate("runnerSts.ftl.yaml");
-        StringWriter out = new StringWriter();
-        fmTemplate.process(model, out);
-        // Avoid Yaml.load due to
-        // https://github.com/kubernetes-client/java/issues/2741
-        var stsDef = Dynamics.newFromYaml(
-            new Yaml(new SafeConstructor(new LoaderOptions())), out.toString());
-        var desired = GsonPtr.to(stsDef.getRaw())
-            .to("spec").getAsInt("replicas").orElse(1);
-        if (desired == 1) {
+        if (event.vmDefinition().vmState() == RequestedVmState.RUNNING) {
             return;
         }
 
@@ -111,12 +96,12 @@ import org.yaml.snakeyaml.constructor.SafeConstructor;
         PatchOptions opts = new PatchOptions();
         opts.setForce(true);
         opts.setFieldManager("kubernetes-java-kubectl-apply");
-        if (stsStub.patch(V1Patch.PATCH_FORMAT_APPLY_YAML,
-            new V1Patch(channel.client().getJSON().serialize(stsDef)), opts)
-            .isEmpty()) {
+        if (stsStub.patch(V1Patch.PATCH_FORMAT_JSON_PATCH,
+            new V1Patch("[{\"op\": \"replace\", \"path\": \"/spec/replicas"
+                + "\", \"value\": 0}]"),
+            channel.client().defaultPatchOptions()).isEmpty()) {
             logger.warning(
                 () -> "Could not patch stateful set for " + stsStub.name());
         }
     }
-
 }
diff --git a/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/VmMonitor.java b/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/VmMonitor.java
index 0ad5017..cc8ae7b 100644
--- a/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/VmMonitor.java
+++ b/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/VmMonitor.java
@@ -18,13 +18,15 @@
 
 package org.jdrupes.vmoperator.manager;
 
-import com.google.gson.JsonArray;
-import com.google.gson.JsonObject;
 import io.kubernetes.client.openapi.ApiException;
 import io.kubernetes.client.openapi.models.V1ObjectMeta;
 import io.kubernetes.client.util.Watch;
 import io.kubernetes.client.util.generic.options.ListOptions;
 import java.io.IOException;
+import java.util.ArrayList;
+import java.util.Collections;
+import java.util.List;
+import java.util.Map;
 import java.util.Optional;
 import java.util.Set;
 import java.util.logging.Level;
@@ -37,6 +39,7 @@ import org.jdrupes.vmoperator.common.K8sObserver.ResponseType;
 import org.jdrupes.vmoperator.common.K8sV1ConfigMapStub;
 import org.jdrupes.vmoperator.common.K8sV1PodStub;
 import org.jdrupes.vmoperator.common.K8sV1StatefulSetStub;
+import org.jdrupes.vmoperator.common.VmDefinition;
 import org.jdrupes.vmoperator.common.VmDefinitionModel;
 import org.jdrupes.vmoperator.common.VmDefinitionModels;
 import org.jdrupes.vmoperator.common.VmDefinitionStub;
@@ -46,7 +49,7 @@ import static org.jdrupes.vmoperator.manager.Constants.VM_OP_NAME;
 import org.jdrupes.vmoperator.manager.events.ChannelManager;
 import org.jdrupes.vmoperator.manager.events.VmChannel;
 import org.jdrupes.vmoperator.manager.events.VmDefChanged;
-import org.jdrupes.vmoperator.util.GsonPtr;
+import org.jdrupes.vmoperator.util.DataPath;
 import org.jgrapes.core.Channel;
 import org.jgrapes.core.Event;
 
@@ -116,42 +119,47 @@ public class VmMonitor extends
         V1ObjectMeta metadata = response.object.getMetadata();
         VmChannel channel = channelManager.channelGet(metadata.getName());
 
+        // Remove from channel manager if deleted
+        if (ResponseType.valueOf(response.type) == ResponseType.DELETED) {
+            channelManager.remove(metadata.getName());
+        }
+
         // Get full definition and associate with channel as backup
-        var vmDef = response.object;
-        if (vmDef.data() == null) {
+        var vmModel = response.object;
+        if (vmModel.data() == null) {
             // ADDED event does not provide data, see
             // https://github.com/kubernetes-client/java/issues/3215
-            vmDef = getModel(client, vmDef);
+            vmModel = getModel(client, vmModel);
         }
-        if (vmDef.data() != null) {
+        VmDefinition vmDef = null;
+        if (vmModel.data() != null) {
             // New data, augment and save
+            vmDef = client.getJSON().getGson().fromJson(vmModel.data(),
+                VmDefinition.class);
             addDynamicData(channel.client(), vmDef, channel.vmDefinition());
             channel.setVmDefinition(vmDef);
-        } else {
-            // Reuse cached
+        }
+        if (vmDef == null) {
+            // Reuse cached (e.g. if deleted)
             vmDef = channel.vmDefinition();
         }
         if (vmDef == null) {
-            logger.warning(
-                () -> "Cannot get model for " + response.object.getMetadata());
+            logger.warning(() -> "Cannot get defintion for "
+                + response.object.getMetadata());
             return;
         }
-        if (ResponseType.valueOf(response.type) == ResponseType.DELETED) {
-            channelManager.remove(metadata.getName());
-        }
 
         // Create and fire changed event. Remove channel from channel
         // manager on completion.
         channel.pipeline()
             .fire(Event.onCompletion(
                 new VmDefChanged(ResponseType.valueOf(response.type),
-                    channel.setGeneration(
-                        response.object.getMetadata().getGeneration()),
+                    channel.setGeneration(response.object.getMetadata()
+                        .getGeneration()),
                     vmDef),
                 e -> {
                     if (e.type() == ResponseType.DELETED) {
-                        channelManager
-                            .remove(e.vmDefinition().metadata().getName());
+                        channelManager.remove(e.vmDefinition().name());
                     }
                 }), channel);
     }
@@ -166,51 +174,53 @@ public class VmMonitor extends
         }
     }
 
-    private void addDynamicData(K8sClient client, VmDefinitionModel vmState,
-            VmDefinitionModel prevState) {
-        var rootNode = GsonPtr.to(vmState.data()).get(JsonObject.class);
-
+    @SuppressWarnings("PMD.AvoidDuplicateLiterals")
+    private void addDynamicData(K8sClient client, VmDefinition vmDef,
+            VmDefinition prevState) {
         // Maintain (or initialize) the resetCount
-        rootNode.addProperty("resetCount", Optional.ofNullable(prevState)
-            .map(ps -> GsonPtr.to(ps.data()))
-            .flatMap(d -> d.getAsLong("resetCount")).orElse(0L));
+        vmDef.extra("resetCount",
+            Optional.ofNullable(prevState).map(d -> d.extra("resetCount"))
+                .orElse(0L));
 
+        // Node information
         // Add defaults in case the VM is not running
-        rootNode.addProperty("nodeName", "");
-        rootNode.addProperty("nodeAddress", "");
+        vmDef.extra("nodeName", "");
+        vmDef.extra("nodeAddress", "");
 
         // VM definition status changes before the pod terminates.
         // This results in pod information being shown for a stopped
         // VM which is irritating. So check condition first.
-        var isRunning = GsonPtr.to(rootNode).to("status", "conditions")
-            .get(JsonArray.class)
-            .asList().stream().filter(el -> "Running"
-                .equals(((JsonObject) el).get("type").getAsString()))
-            .findFirst().map(el -> "True"
-                .equals(((JsonObject) el).get("status").getAsString()))
-            .orElse(false);
+        @SuppressWarnings("PMD.LambdaCanBeMethodReference")
+        var isRunning
+            = vmDef.<List<Map<String, Object>>> fromStatus("conditions")
+                .orElse(Collections.emptyList()).stream()
+                .filter(cond -> DataPath.get(cond, "type")
+                    .map(t -> "Running".equals(t)).orElse(false))
+                .findFirst().map(cond -> DataPath.get(cond, "status")
+                    .map(s -> "True".equals(s)).orElse(false))
+                .orElse(false);
         if (!isRunning) {
             return;
         }
         var podSearch = new ListOptions();
         podSearch.setLabelSelector("app.kubernetes.io/name=" + APP_NAME
             + ",app.kubernetes.io/component=" + APP_NAME
-            + ",app.kubernetes.io/instance=" + vmState.getMetadata().getName());
+            + ",app.kubernetes.io/instance=" + vmDef.name());
         try {
             var podList
                 = K8sV1PodStub.list(client, namespace(), podSearch);
             for (var podStub : podList) {
                 var nodeName = podStub.model().get().getSpec().getNodeName();
-                rootNode.addProperty("nodeName", nodeName);
+                vmDef.extra("nodeName", nodeName);
                 logger.fine(() -> "Added node name " + nodeName
-                    + " to VM info for " + vmState.getMetadata().getName());
+                    + " to VM info for " + vmDef.name());
                 @SuppressWarnings("PMD.AvoidInstantiatingObjectsInLoops")
-                var addrs = new JsonArray();
+                var addrs = new ArrayList<String>();
                 podStub.model().get().getStatus().getPodIPs().stream()
                     .map(ip -> ip.getIp()).forEach(addrs::add);
-                rootNode.add("nodeAddresses", addrs);
+                vmDef.extra("nodeAddresses", addrs);
                 logger.fine(() -> "Added node addresses " + addrs
-                    + " to VM info for " + vmState.getMetadata().getName());
+                    + " to VM info for " + vmDef.name());
             }
         } catch (ApiException e) {
             logger.log(Level.WARNING, e,
diff --git a/org.jdrupes.vmoperator.manager/test-resources/basic-vm.yaml b/org.jdrupes.vmoperator.manager/test-resources/basic-vm.yaml
new file mode 100644
index 0000000..54ea110
--- /dev/null
+++ b/org.jdrupes.vmoperator.manager/test-resources/basic-vm.yaml
@@ -0,0 +1,64 @@
+apiVersion: "vmoperator.jdrupes.org/v1"
+kind: VirtualMachine
+metadata:
+  namespace: vmop-dev
+  name: unittest-vm
+spec:
+  image:
+    repository: docker-registry.lan.mnl.de
+    path: vmoperator/this.will.never.start
+    version: 0.0.0
+    
+  cloudInit:
+    metaData: {}
+  
+  vm:
+    # state: Running
+    maximumRam: 4Gi
+    currentRam: 2Gi
+    maximumCpus: 4
+    currentCpus: 2
+    powerdownTimeout: 1
+  
+    networks:
+    - user: {}
+    disks:
+    - cdrom:
+        image: https://test.com/test.iso
+      bootindex: 0
+    - cdrom:
+        image: "image.iso"
+    - volumeClaimTemplate:
+        metadata:
+          name: system
+          annotations:
+            use_as: system-disk
+        spec:
+          storageClassName: local-path
+          resources:
+            requests:
+              storage: 1Gi
+    - volumeClaimTemplate:
+        spec:
+          storageClassName: local-path
+          resources:
+            requests:
+              storage: 1Gi
+
+    display:
+      outputs: 2
+      spice:
+        port: 5812
+        usbRedirects: 2
+
+  resources:
+    requests:
+      cpu: 1
+      memory: 2Gi
+    
+  loadBalancerService:
+    labels:
+      label2: replaced
+      label3: added
+    annotations:
+      anno1: added
diff --git a/org.jdrupes.vmoperator.manager/test-resources/unittest-vm.yaml b/org.jdrupes.vmoperator.manager/test-resources/unittest-vm.yaml
deleted file mode 100644
index 0d395bd..0000000
--- a/org.jdrupes.vmoperator.manager/test-resources/unittest-vm.yaml
+++ /dev/null
@@ -1,35 +0,0 @@
-apiVersion: "vmoperator.jdrupes.org/v1"
-kind: VirtualMachine
-metadata:
-  namespace: vmop-dev
-  name: unittest-vm
-spec:
-  resources:
-    requests:
-      cpu: 1
-      memory: 2Gi
-    
-  loadBalancerService:
-    labels:
-      test2: null
-      test3: added
-
-  vm:
-    # state: Running
-    maximumRam: 4Gi
-    currentRam: 2Gi
-    maximumCpus: 4
-    currentCpus: 2
-    powerdownTimeout: 1
-  
-    networks:
-    - user: {}
-    disks:
-    - cdrom:
-        # image: ""
-        image: https://download.fedoraproject.org/pub/fedora/linux/releases/38/Workstation/x86_64/iso/Fedora-Workstation-Live-x86_64-38-1.6.iso
-        # image: "Fedora-Workstation-Live-x86_64-38-1.6.iso"
-
-    display:
-      spice:
-        port: 5812
diff --git a/org.jdrupes.vmoperator.manager/test/org/jdrupes/vmoperator/manager/BasicTests.java b/org.jdrupes.vmoperator.manager/test/org/jdrupes/vmoperator/manager/BasicTests.java
index bd479d0..4f5d7a3 100644
--- a/org.jdrupes.vmoperator.manager/test/org/jdrupes/vmoperator/manager/BasicTests.java
+++ b/org.jdrupes.vmoperator.manager/test/org/jdrupes/vmoperator/manager/BasicTests.java
@@ -1,12 +1,19 @@
 package org.jdrupes.vmoperator.manager;
 
 import io.kubernetes.client.Discovery.APIResource;
+import io.kubernetes.client.custom.Quantity;
+import io.kubernetes.client.custom.V1Patch;
 import io.kubernetes.client.openapi.ApiException;
 import io.kubernetes.client.util.generic.options.ListOptions;
+import io.kubernetes.client.util.generic.options.PatchOptions;
 import java.io.FileReader;
 import java.io.IOException;
+import java.util.Collection;
+import java.util.LinkedHashMap;
+import java.util.List;
 import java.util.Map;
 import static org.jdrupes.vmoperator.common.Constants.APP_NAME;
+import static org.jdrupes.vmoperator.common.Constants.COMP_DISPLAY_SECRET;
 import static org.jdrupes.vmoperator.common.Constants.VM_OP_GROUP;
 import static org.jdrupes.vmoperator.common.Constants.VM_OP_KIND_VM;
 import static org.jdrupes.vmoperator.common.Constants.VM_OP_NAME;
@@ -15,7 +22,11 @@ import org.jdrupes.vmoperator.common.K8sClient;
 import org.jdrupes.vmoperator.common.K8sDynamicStub;
 import org.jdrupes.vmoperator.common.K8sV1ConfigMapStub;
 import org.jdrupes.vmoperator.common.K8sV1DeploymentStub;
+import org.jdrupes.vmoperator.common.K8sV1PodStub;
 import org.jdrupes.vmoperator.common.K8sV1PvcStub;
+import org.jdrupes.vmoperator.common.K8sV1SecretStub;
+import org.jdrupes.vmoperator.common.K8sV1ServiceStub;
+import org.jdrupes.vmoperator.util.DataPath;
 import org.junit.jupiter.api.AfterAll;
 import static org.junit.jupiter.api.Assertions.*;
 import org.junit.jupiter.api.BeforeAll;
@@ -29,6 +40,9 @@ class BasicTests {
     private static K8sClient client;
     private static APIResource vmsContext;
     private static K8sV1DeploymentStub mgrDeployment;
+    private static K8sDynamicStub vmStub;
+    private static final String VM_NAME = "unittest-vm";
+    private static final Object EXISTS = new Object();
 
     @BeforeAll
     static void setUpBeforeClass() throws Exception {
@@ -38,23 +52,40 @@ class BasicTests {
         // Get client
         client = new K8sClient();
 
+        // Update manager pod by scaling deployment
+        mgrDeployment
+            = K8sV1DeploymentStub.get(client, "vmop-dev", "vm-operator");
+        mgrDeployment.scale(0);
+        mgrDeployment.scale(1);
+        waitForManager();
+
         // Context for working with our CR
         var apiRes = K8s.context(client, VM_OP_GROUP, null, VM_OP_KIND_VM);
         assertTrue(apiRes.isPresent());
         vmsContext = apiRes.get();
 
         // Cleanup existing VM
-        K8sDynamicStub.get(client, vmsContext, "vmop-dev", "unittest-vm")
+        K8sDynamicStub.get(client, vmsContext, "vmop-dev", VM_NAME)
             .delete();
+        ListOptions listOpts = new ListOptions();
+        listOpts.setLabelSelector("app.kubernetes.io/name=" + APP_NAME + ","
+            + "app.kubernetes.io/instance=" + VM_NAME + ","
+            + "app.kubernetes.io/component=" + COMP_DISPLAY_SECRET);
+        var secrets = K8sV1SecretStub.list(client, "vmop-dev", listOpts);
+        for (var secret : secrets) {
+            secret.delete();
+        }
+        deletePvcs();
 
-        // Update manager pod by scaling deployment
-        mgrDeployment
-            = K8sV1DeploymentStub.get(client, "vmop-dev", "vm-operator");
-        mgrDeployment.scale(0);
-        mgrDeployment.scale(1);
+        // Load from Yaml
+        var rdr = new FileReader("test-resources/basic-vm.yaml");
+        vmStub = K8sDynamicStub.createFromYaml(client, vmsContext, rdr);
+        assertTrue(vmStub.model().isPresent());
+    }
 
+    private static void waitForManager()
+            throws ApiException, InterruptedException {
         // Wait until available
-
         for (int i = 0; i < 10; i++) {
             if (mgrDeployment.model().get().getStatus().getConditions()
                 .stream().filter(c -> "Available".equals(c.getType())).findAny()
@@ -66,70 +97,250 @@ class BasicTests {
         fail("vm-operator not deployed.");
     }
 
-    @AfterAll
-    static void tearDownAfterClass() throws Exception {
-        // Bring down manager
-        mgrDeployment.scale(0);
-    }
-
-    @Test
-    void test() throws IOException, InterruptedException, ApiException {
-        // Load from Yaml
-        var rdr = new FileReader("test-resources/unittest-vm.yaml");
-        var vmStub = K8sDynamicStub.createFromYaml(client, vmsContext, rdr);
-        assertTrue(vmStub.model().isPresent());
-
-        // Wait for created resources
-        assertTrue(waitForConfigMap(client));
-        assertTrue(waitForPvc(client));
-
-        // Check config map
-        var config = K8sV1ConfigMapStub.get(client, "vmop-dev", "unittest-vm")
-            .model().get();
-        var yaml = new Yaml(new SafeConstructor(new LoaderOptions()))
-            .load(config.getData().get("config.yaml"));
-        @SuppressWarnings("unchecked")
-        var maximumRam = ((Map<String, Map<String, Map<String, String>>>) yaml)
-            .get("/Runner").get("vm").get("maximumRam");
-        assertEquals("4 GiB", maximumRam);
-
-        // Cleanup
-        K8sDynamicStub.get(client, vmsContext, "vmop-dev", "unittest-vm")
-            .delete();
+    private static void deletePvcs() throws ApiException {
         ListOptions listOpts = new ListOptions();
         listOpts.setLabelSelector(
             "app.kubernetes.io/managed-by=" + VM_OP_NAME + ","
                 + "app.kubernetes.io/name=" + APP_NAME + ","
-                + "app.kubernetes.io/instance=unittest-vm");
+                + "app.kubernetes.io/instance=" + VM_NAME);
         var knownPvcs = K8sV1PvcStub.list(client, "vmop-dev", listOpts);
         for (var pvc : knownPvcs) {
             pvc.delete();
         }
     }
 
-    private boolean waitForConfigMap(K8sClient client)
-            throws InterruptedException, ApiException {
-        var stub = K8sV1ConfigMapStub.get(client, "vmop-dev", "unittest-vm");
-        for (int i = 0; i < 10; i++) {
-            if (stub.model().isPresent()) {
-                return true;
-            }
-            Thread.sleep(1000);
-        }
-        return false;
+    @AfterAll
+    static void tearDownAfterClass() throws Exception {
+        // Cleanup
+        K8sDynamicStub.get(client, vmsContext, "vmop-dev", VM_NAME)
+            .delete();
+        deletePvcs();
+
+        // Bring down manager
+        mgrDeployment.scale(0);
     }
 
-    private boolean waitForPvc(K8sClient client)
-            throws InterruptedException, ApiException {
-        var stub
-            = K8sV1PvcStub.get(client, "vmop-dev", "unittest-vm-runner-data");
+    @Test
+    void testConfigMap()
+            throws IOException, InterruptedException, ApiException {
+        K8sV1ConfigMapStub stub
+            = K8sV1ConfigMapStub.get(client, "vmop-dev", VM_NAME);
         for (int i = 0; i < 10; i++) {
             if (stub.model().isPresent()) {
-                return true;
+                break;
             }
             Thread.sleep(1000);
         }
-        return false;
+        // Check config map
+        var config = stub.model().get();
+        Map<List<? extends Object>, Object> toCheck = Map.of(
+            List.of("namespace"), "vmop-dev",
+            List.of("name"), VM_NAME,
+            List.of("labels", "app.kubernetes.io/name"), Constants.APP_NAME,
+            List.of("labels", "app.kubernetes.io/instance"), VM_NAME,
+            List.of("labels", "app.kubernetes.io/managed-by"),
+            Constants.VM_OP_NAME,
+            List.of("annotations", "vmoperator.jdrupes.org/version"), EXISTS,
+            List.of("ownerReferences", 0, "apiVersion"),
+            vmsContext.getGroup() + "/" + vmsContext.getVersions().get(0),
+            List.of("ownerReferences", 0, "kind"), Constants.VM_OP_KIND_VM,
+            List.of("ownerReferences", 0, "name"), VM_NAME,
+            List.of("ownerReferences", 0, "uid"), EXISTS);
+        checkProps(config.getMetadata(), toCheck);
+
+        toCheck = new LinkedHashMap<>();
+        toCheck.put(List.of("/Runner", "guestShutdownStops"), false);
+        toCheck.put(List.of("/Runner", "cloudInit", "metaData", "instance-id"),
+            EXISTS);
+        toCheck.put(
+            List.of("/Runner", "cloudInit", "metaData", "local-hostname"),
+            VM_NAME);
+        toCheck.put(List.of("/Runner", "cloudInit", "userData"), Map.of());
+        toCheck.put(List.of("/Runner", "vm", "maximumRam"), "4 GiB");
+        toCheck.put(List.of("/Runner", "vm", "currentRam"), "2 GiB");
+        toCheck.put(List.of("/Runner", "vm", "maximumCpus"), 4);
+        toCheck.put(List.of("/Runner", "vm", "currentCpus"), 2);
+        toCheck.put(List.of("/Runner", "vm", "powerdownTimeout"), 1);
+        toCheck.put(List.of("/Runner", "vm", "network", 0, "type"), "user");
+        toCheck.put(List.of("/Runner", "vm", "drives", 0, "type"), "ide-cd");
+        toCheck.put(List.of("/Runner", "vm", "drives", 0, "file"),
+            "https://test.com/test.iso");
+        toCheck.put(List.of("/Runner", "vm", "drives", 0, "bootindex"), 0);
+        toCheck.put(List.of("/Runner", "vm", "drives", 1, "type"), "ide-cd");
+        toCheck.put(List.of("/Runner", "vm", "drives", 1, "file"),
+            "/var/local/vmop-image-repository/image.iso");
+        toCheck.put(List.of("/Runner", "vm", "drives", 2, "type"), "raw");
+        toCheck.put(List.of("/Runner", "vm", "drives", 2, "resource"),
+            "/dev/system-disk");
+        toCheck.put(List.of("/Runner", "vm", "drives", 3, "type"), "raw");
+        toCheck.put(List.of("/Runner", "vm", "drives", 3, "resource"),
+            "/dev/disk-1");
+        toCheck.put(List.of("/Runner", "vm", "display", "outputs"), 2);
+        toCheck.put(List.of("/Runner", "vm", "display", "spice", "port"), 5812);
+        toCheck.put(
+            List.of("/Runner", "vm", "display", "spice", "usbRedirects"), 2);
+        var cm = new Yaml(new SafeConstructor(new LoaderOptions()))
+            .load(config.getData().get("config.yaml"));
+        checkProps(cm, toCheck);
+    }
+
+    @Test
+    void testDisplaySecret() throws ApiException, InterruptedException {
+        ListOptions listOpts = new ListOptions();
+        listOpts.setLabelSelector("app.kubernetes.io/name=" + APP_NAME + ","
+            + "app.kubernetes.io/instance=" + VM_NAME + ","
+            + "app.kubernetes.io/component=" + COMP_DISPLAY_SECRET);
+        Collection<K8sV1SecretStub> secrets = null;
+        for (int i = 0; i < 10; i++) {
+            secrets = K8sV1SecretStub.list(client, "vmop-dev", listOpts);
+            if (secrets.size() > 0) {
+                break;
+            }
+            Thread.sleep(1000);
+        }
+        assertEquals(1, secrets.size());
+        var secretData = secrets.iterator().next().model().get().getData();
+        checkProps(secretData, Map.of(
+            List.of("display-password"), EXISTS));
+        assertEquals("now", new String(secretData.get("password-expiry")));
+    }
+
+    @Test
+    void testRunnerPvc() throws ApiException, InterruptedException {
+        var stub
+            = K8sV1PvcStub.get(client, "vmop-dev", VM_NAME + "-runner-data");
+        for (int i = 0; i < 10; i++) {
+            if (stub.model().isPresent()) {
+                break;
+            }
+            Thread.sleep(1000);
+        }
+        var pvc = stub.model().get();
+        checkProps(pvc.getMetadata(), Map.of(
+            List.of("labels", "app.kubernetes.io/name"), Constants.APP_NAME,
+            List.of("labels", "app.kubernetes.io/instance"), VM_NAME,
+            List.of("labels", "app.kubernetes.io/managed-by"),
+            Constants.VM_OP_NAME));
+        checkProps(pvc.getSpec(), Map.of(
+            List.of("resources", "requests", "storage"),
+            Quantity.fromString("1Mi")));
+    }
+
+    @Test
+    void testSystemDiskPvc() throws ApiException, InterruptedException {
+        var stub
+            = K8sV1PvcStub.get(client, "vmop-dev", VM_NAME + "-system-disk");
+        for (int i = 0; i < 10; i++) {
+            if (stub.model().isPresent()) {
+                break;
+            }
+            Thread.sleep(1000);
+        }
+        var pvc = stub.model().get();
+        checkProps(pvc.getMetadata(), Map.of(
+            List.of("labels", "app.kubernetes.io/name"), Constants.APP_NAME,
+            List.of("labels", "app.kubernetes.io/instance"), VM_NAME,
+            List.of("labels", "app.kubernetes.io/managed-by"),
+            Constants.VM_OP_NAME,
+            List.of("annotations", "use_as"), "system-disk"));
+        checkProps(pvc.getSpec(), Map.of(
+            List.of("resources", "requests", "storage"),
+            Quantity.fromString("1Gi")));
+    }
+
+    @Test
+    void testDisk1Pvc() throws ApiException, InterruptedException {
+        var stub
+            = K8sV1PvcStub.get(client, "vmop-dev", VM_NAME + "-disk-1");
+        for (int i = 0; i < 10; i++) {
+            if (stub.model().isPresent()) {
+                break;
+            }
+            Thread.sleep(1000);
+        }
+        var pvc = stub.model().get();
+        checkProps(pvc.getMetadata(), Map.of(
+            List.of("labels", "app.kubernetes.io/name"), Constants.APP_NAME,
+            List.of("labels", "app.kubernetes.io/instance"), VM_NAME,
+            List.of("labels", "app.kubernetes.io/managed-by"),
+            Constants.VM_OP_NAME));
+        checkProps(pvc.getSpec(), Map.of(
+            List.of("resources", "requests", "storage"),
+            Quantity.fromString("1Gi")));
+    }
+
+    @Test
+    void testPod() throws ApiException, InterruptedException {
+        PatchOptions opts = new PatchOptions();
+        opts.setForce(true);
+        opts.setFieldManager("kubernetes-java-kubectl-apply");
+        assertTrue(vmStub.patch(V1Patch.PATCH_FORMAT_JSON_PATCH,
+            new V1Patch("[{\"op\": \"replace\", \"path\": \"/spec/vm/state"
+                + "\", \"value\": \"Running\"}]"),
+            client.defaultPatchOptions()).isPresent());
+        var stub = K8sV1PodStub.get(client, "vmop-dev", VM_NAME);
+        for (int i = 0; i < 20; i++) {
+            if (stub.model().isPresent()) {
+                break;
+            }
+            Thread.sleep(1000);
+        }
+        var pod = stub.model().get();
+        checkProps(pod.getMetadata(), Map.of(
+            List.of("labels", "app.kubernetes.io/name"), APP_NAME,
+            List.of("labels", "app.kubernetes.io/instance"), VM_NAME,
+            List.of("labels", "app.kubernetes.io/component"), APP_NAME,
+            List.of("labels", "app.kubernetes.io/managed-by"),
+            Constants.VM_OP_NAME,
+            List.of("annotations", "vmrunner.jdrupes.org/cmVersion"), EXISTS,
+            List.of("annotations", "vmoperator.jdrupes.org/version"), EXISTS,
+            List.of("ownerReferences", 0, "apiVersion"),
+            vmsContext.getGroup() + "/" + vmsContext.getVersions().get(0),
+            List.of("ownerReferences", 0, "kind"), Constants.VM_OP_KIND_VM,
+            List.of("ownerReferences", 0, "name"), VM_NAME,
+            List.of("ownerReferences", 0, "uid"), EXISTS));
+        checkProps(pod.getSpec(), Map.of(
+            List.of("containers", 0, "image"), EXISTS,
+            List.of("containers", 0, "name"), VM_NAME,
+            List.of("containers", 0, "resources", "requests", "cpu"),
+            Quantity.fromString("1")));
+    }
+
+    @Test
+    public void testLoadBalancer() throws ApiException, InterruptedException {
+        var stub = K8sV1ServiceStub.get(client, "vmop-dev", VM_NAME);
+        for (int i = 0; i < 10; i++) {
+            if (stub.model().isPresent()) {
+                break;
+            }
+            Thread.sleep(1000);
+        }
+        var svc = stub.model().get();
+        checkProps(svc.getMetadata(), Map.of(
+            List.of("labels", "app.kubernetes.io/name"), APP_NAME,
+            List.of("labels", "app.kubernetes.io/instance"), VM_NAME,
+            List.of("labels", "app.kubernetes.io/managed-by"), VM_OP_NAME,
+            List.of("labels", "label1"), "label1",
+            List.of("labels", "label2"), "replaced",
+            List.of("labels", "label3"), "added",
+            List.of("annotations", "metallb.universe.tf/loadBalancerIPs"),
+            "192.168.168.1",
+            List.of("annotations", "anno1"), "added"));
+    }
+
+    private void checkProps(Object obj,
+            Map<? extends List<? extends Object>, Object> toCheck) {
+        for (var entry : toCheck.entrySet()) {
+            var prop = DataPath.get(obj, entry.getKey().toArray());
+            assertTrue(prop.isPresent(), () -> "Property " + entry.getKey()
+                + " not found in " + obj);
+
+            // Check for existance only
+            if (entry.getValue() == EXISTS) {
+                continue;
+            }
+            assertEquals(entry.getValue(), prop.get());
+        }
     }
 
 }
diff --git a/org.jdrupes.vmoperator.util/src/org/jdrupes/vmoperator/util/DataPath.java b/org.jdrupes.vmoperator.util/src/org/jdrupes/vmoperator/util/DataPath.java
new file mode 100644
index 0000000..be5b530
--- /dev/null
+++ b/org.jdrupes.vmoperator.util/src/org/jdrupes/vmoperator/util/DataPath.java
@@ -0,0 +1,176 @@
+/*
+ * VM-Operator
+ * Copyright (C) 2023 Michael N. Lipp
+ * 
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as
+ * published by the Free Software Foundation, either version 3 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program.  If not, see <https://www.gnu.org/licenses/>.
+ */
+
+package org.jdrupes.vmoperator.util;
+
+import java.lang.reflect.InvocationTargetException;
+import java.lang.reflect.Method;
+import java.util.ArrayList;
+import java.util.List;
+import java.util.Map;
+import java.util.Optional;
+import java.util.logging.Logger;
+
+/**
+ * Utility class that supports navigation through arbitrary data structures.
+ */
+public final class DataPath {
+
+    private static final Logger logger
+        = Logger.getLogger(DataPath.class.getName());
+
+    private DataPath() {
+    }
+
+    /**
+     * Apply the given selectors on the given object and return the
+     * value reached.
+     * 
+     * Selectors can be if type {@link String} or {@link Number}. The
+     * former are used to access a property of an object, the latter to
+     * access an element in an array or a {@link List}.
+     * 
+     * Depending on the object currently visited, a {@link String} can
+     * be the key of a {@link Map}, the property part of a getter method
+     * or the name of a method that has an empty parameter list.
+     *
+     * @param <T> the generic type
+     * @param from the from
+     * @param selectors the selectors
+     * @return the result
+     */
+    @SuppressWarnings("PMD.UseLocaleWithCaseConversions")
+    public static <T> Optional<T> get(Object from, Object... selectors) {
+        Object cur = from;
+        for (var selector : selectors) {
+            if (cur == null) {
+                return Optional.empty();
+            }
+            if (selector instanceof String && cur instanceof Map map) {
+                cur = map.get(selector);
+                continue;
+            }
+            if (selector instanceof Number index && cur instanceof List list) {
+                cur = list.get(index.intValue());
+                continue;
+            }
+            if (selector instanceof String property) {
+                var retrieved = tryAccess(cur, property);
+                if (retrieved.isEmpty()) {
+                    return Optional.empty();
+                }
+                cur = retrieved.get();
+            }
+        }
+        @SuppressWarnings("unchecked")
+        var result = Optional.ofNullable((T) cur);
+        return result;
+    }
+
+    @SuppressWarnings("PMD.UseLocaleWithCaseConversions")
+    private static Optional<Object> tryAccess(Object obj, String property) {
+        Method acc = null;
+        try {
+            // Try getter
+            acc = obj.getClass().getMethod("get" + property.substring(0, 1)
+                .toUpperCase() + property.substring(1));
+        } catch (SecurityException e) {
+            return Optional.empty();
+        } catch (NoSuchMethodException e) { // NOPMD
+            // Can happen...
+        }
+        if (acc == null) {
+            try {
+                // Try method
+                acc = obj.getClass().getMethod(property);
+            } catch (SecurityException | NoSuchMethodException e) {
+                return Optional.empty();
+            }
+        }
+        if (acc != null) {
+            try {
+                return Optional.ofNullable(acc.invoke(obj));
+            } catch (IllegalAccessException
+                    | InvocationTargetException e) {
+                return Optional.empty();
+            }
+        }
+        return Optional.empty();
+    }
+
+    /**
+     * Attempts to make a as-deep-as-possible copy of the given
+     * container. New containers will be created for Maps, Lists and
+     * Arrays. The method is invoked recursively for the entries/items.
+     * 
+     * If invoked with an object that is neither a map, list or array,
+     * the methods checks if the object implements {@link Cloneable}
+     * and if it does, invokes its {@link Object#clone()} method.
+     * Else the method return the object.
+     *
+     * @param <T> the generic type
+     * @param object the container
+     * @return the t
+     */
+    @SuppressWarnings({ "PMD.CognitiveComplexity", "unchecked" })
+    public static <T> T deepCopy(T object) {
+        if (object instanceof Map map) {
+            @SuppressWarnings("PMD.UseConcurrentHashMap")
+            Map<Object, Object> copy;
+            try {
+                copy = (Map<Object, Object>) object.getClass().getConstructor()
+                    .newInstance();
+            } catch (InstantiationException | IllegalAccessException
+                    | IllegalArgumentException | InvocationTargetException
+                    | NoSuchMethodException | SecurityException e) {
+                logger.severe(
+                    () -> "Cannot create new instance of " + object.getClass());
+                return null;
+            }
+            for (var entry : ((Map<?, ?>) map).entrySet()) {
+                copy.put(entry.getKey(),
+                    deepCopy(entry.getValue()));
+            }
+            return (T) copy;
+        }
+        if (object instanceof List list) {
+            List<Object> copy = new ArrayList<>();
+            for (var item : list) {
+                copy.add(deepCopy(item));
+            }
+            return (T) copy;
+        }
+        if (object.getClass().isArray()) {
+            var copy = new ArrayList<>();
+            for (var item : (Object[]) object) {
+                copy.add(deepCopy(item));
+            }
+            return (T) copy.toArray();
+        }
+        if (object instanceof Cloneable) {
+            try {
+                return (T) object.getClass().getMethod("clone")
+                    .invoke(object);
+            } catch (IllegalAccessException | InvocationTargetException
+                    | NoSuchMethodException | SecurityException e) {
+                return object;
+            }
+        }
+        return object;
+    }
+}
diff --git a/org.jdrupes.vmoperator.vmconlet/build.gradle b/org.jdrupes.vmoperator.vmconlet/build.gradle
index 4056256..606c6cd 100644
--- a/org.jdrupes.vmoperator.vmconlet/build.gradle
+++ b/org.jdrupes.vmoperator.vmconlet/build.gradle
@@ -5,7 +5,7 @@ plugins {
 dependencies {
     implementation project(':org.jdrupes.vmoperator.manager.events')
     
-    implementation 'org.jgrapes:org.jgrapes.webconsole.base:[2.0.0.3)'
+    implementation 'org.jgrapes:org.jgrapes.webconsole.base:[2.1.0,3)'
     implementation 'org.jgrapes:org.jgrapes.webconsole.provider.vue:[1,2)'
     implementation 'org.jgrapes:org.jgrapes.webconsole.provider.jgwcvuecomponents:[1.2,2)'
     implementation 'org.jgrapes:org.jgrapes.webconsole.provider.chartjs:[1.2,2)'
diff --git a/org.jdrupes.vmoperator.vmconlet/src/org/jdrupes/vmoperator/vmconlet/VmConlet.java b/org.jdrupes.vmoperator.vmconlet/src/org/jdrupes/vmoperator/vmconlet/VmConlet.java
index ea59767..69418af 100644
--- a/org.jdrupes.vmoperator.vmconlet/src/org/jdrupes/vmoperator/vmconlet/VmConlet.java
+++ b/org.jdrupes.vmoperator.vmconlet/src/org/jdrupes/vmoperator/vmconlet/VmConlet.java
@@ -18,8 +18,6 @@
 
 package org.jdrupes.vmoperator.vmconlet;
 
-import com.google.gson.Gson;
-import com.google.gson.JsonObject;
 import freemarker.core.ParseException;
 import freemarker.template.MalformedTemplateNameException;
 import freemarker.template.Template;
@@ -31,16 +29,19 @@ import java.math.BigDecimal;
 import java.math.BigInteger;
 import java.time.Duration;
 import java.time.Instant;
+import java.util.Collections;
 import java.util.EnumSet;
+import java.util.List;
+import java.util.Map;
 import java.util.Optional;
 import java.util.Set;
 import org.jdrupes.vmoperator.common.K8sObserver;
-import org.jdrupes.vmoperator.common.VmDefinitionModel;
+import org.jdrupes.vmoperator.common.VmDefinition;
 import org.jdrupes.vmoperator.manager.events.ChannelTracker;
 import org.jdrupes.vmoperator.manager.events.ModifyVm;
 import org.jdrupes.vmoperator.manager.events.VmChannel;
 import org.jdrupes.vmoperator.manager.events.VmDefChanged;
-import org.jdrupes.vmoperator.util.GsonPtr;
+import org.jdrupes.vmoperator.util.DataPath;
 import org.jgrapes.core.Channel;
 import org.jgrapes.core.Event;
 import org.jgrapes.core.Manager;
@@ -62,13 +63,14 @@ import org.jgrapes.webconsole.base.freemarker.FreeMarkerConlet;
 /**
  * The Class VmConlet.
  */
-@SuppressWarnings("PMD.DataflowAnomalyAnalysis")
+@SuppressWarnings({ "PMD.DataflowAnomalyAnalysis",
+    "PMD.CouplingBetweenObjects" })
 public class VmConlet extends FreeMarkerConlet<VmConlet.VmsModel> {
 
     private static final Set<RenderMode> MODES = RenderMode.asSet(
         RenderMode.Preview, RenderMode.View);
     private final ChannelTracker<String, VmChannel,
-            VmDefinitionModel> channelTracker = new ChannelTracker<>();
+            VmDefinition> channelTracker = new ChannelTracker<>();
     private final TimeSeries summarySeries = new TimeSeries(Duration.ofDays(1));
     private Summary cachedSummary;
 
@@ -160,22 +162,45 @@ public class VmConlet extends FreeMarkerConlet<VmConlet.VmsModel> {
         }
         if (sendVmInfos) {
             for (var item : channelTracker.values()) {
-                Gson gson = item.channel().client().getJSON().getGson();
-                var def = gson.fromJson(item.associated().data(), Object.class);
                 channel.respond(new NotifyConletView(type(),
-                    conletId, "updateVm", def));
+                    conletId, "updateVm",
+                    simplifiedVmDefinition(item.associated())));
             }
         }
 
         return renderedAs;
     }
 
+    @SuppressWarnings("PMD.AvoidDuplicateLiterals")
+    private Map<String, Object> simplifiedVmDefinition(VmDefinition vmDef) {
+        // Convert RAM sizes to unitless numbers
+        var spec = DataPath.deepCopy(vmDef.spec());
+        var vmSpec = DataPath.<Map<String, Object>> get(spec, "vm").get();
+        vmSpec.put("maximumRam", Quantity.fromString(
+            DataPath.<String> get(vmSpec, "maximumRam").orElse("0")).getNumber()
+            .toBigInteger());
+        vmSpec.put("currentRam", Quantity.fromString(
+            DataPath.<String> get(vmSpec, "currentRam").orElse("0")).getNumber()
+            .toBigInteger());
+        var status = DataPath.deepCopy(vmDef.status());
+        status.put("ram", Quantity.fromString(
+            DataPath.<String> get(status, "ram").orElse("0")).getNumber()
+            .toBigInteger());
+
+        // Build result
+        return Map.of("metadata",
+            Map.of("namespace", vmDef.namespace(),
+                "name", vmDef.name()),
+            "spec", spec,
+            "status", status,
+            "nodeName", vmDef.extra("nodeName"));
+    }
+
     /**
      * Track the VM definitions.
      *
      * @param event the event
      * @param channel the channel
-     * @throws JsonDecodeException the json decode exception
      * @throws IOException 
      */
     @Handler(namedChannels = "manager")
@@ -184,7 +209,7 @@ public class VmConlet extends FreeMarkerConlet<VmConlet.VmsModel> {
         "PMD.ConfusingArgumentToVarargsMethod" })
     public void onVmDefChanged(VmDefChanged event, VmChannel channel)
             throws IOException {
-        var vmName = event.vmDefinition().getMetadata().getName();
+        var vmName = event.vmDefinition().name();
         if (event.type() == K8sObserver.ResponseType.DELETED) {
             channelTracker.remove(vmName);
             for (var entry : conletIdsByConsoleConnection().entrySet()) {
@@ -194,15 +219,12 @@ public class VmConlet extends FreeMarkerConlet<VmConlet.VmsModel> {
                 }
             }
         } else {
-            var gson = channel.client().getJSON().getGson();
-            var vmDef = new VmDefinitionModel(gson,
-                cleanup(event.vmDefinition().data()));
+            var vmDef = event.vmDefinition();
             channelTracker.put(vmName, channel, vmDef);
-            var def = gson.fromJson(vmDef.data(), Object.class);
             for (var entry : conletIdsByConsoleConnection().entrySet()) {
                 for (String conletId : entry.getValue()) {
                     entry.getKey().respond(new NotifyConletView(type(),
-                        conletId, "updateVm", def));
+                        conletId, "updateVm", simplifiedVmDefinition(vmDef)));
                 }
             }
         }
@@ -217,28 +239,6 @@ public class VmConlet extends FreeMarkerConlet<VmConlet.VmsModel> {
         }
     }
 
-    @SuppressWarnings("PMD.AvoidDuplicateLiterals")
-    private JsonObject cleanup(JsonObject vmDef) {
-        // Clone and remove managed fields
-        var json = vmDef.deepCopy();
-        GsonPtr.to(json).to("metadata").get(JsonObject.class)
-            .remove("managedFields");
-
-        // Convert RAM sizes to unitless numbers
-        var vmSpec = GsonPtr.to(json).to("spec", "vm");
-        vmSpec.set("maximumRam", Quantity.fromString(
-            vmSpec.getAsString("maximumRam").orElse("0")).getNumber()
-            .toBigInteger());
-        vmSpec.set("currentRam", Quantity.fromString(
-            vmSpec.getAsString("currentRam").orElse("0")).getNumber()
-            .toBigInteger());
-        var status = GsonPtr.to(json).to("status");
-        status.set("ram", Quantity.fromString(
-            status.getAsString("ram").orElse("0")).getNumber()
-            .toBigInteger());
-        return json;
-    }
-
     /**
      * Handle the periodic update event by sending {@link NotifyConletView}
      * events.
@@ -267,10 +267,10 @@ public class VmConlet extends FreeMarkerConlet<VmConlet.VmsModel> {
         public int totalVms;
 
         /** The running vms. */
-        public int runningVms;
+        public long runningVms;
 
         /** The used cpus. */
-        public int usedCpus;
+        public long usedCpus;
 
         /** The used ram. */
         public BigInteger usedRam = BigInteger.ZERO;
@@ -289,7 +289,7 @@ public class VmConlet extends FreeMarkerConlet<VmConlet.VmsModel> {
          *
          * @return the runningVms
          */
-        public int getRunningVms() {
+        public long getRunningVms() {
             return runningVms;
         }
 
@@ -298,7 +298,7 @@ public class VmConlet extends FreeMarkerConlet<VmConlet.VmsModel> {
          *
          * @return the usedCpus
          */
-        public int getUsedCpus() {
+        public long getUsedCpus() {
             return usedCpus;
         }
 
@@ -313,7 +313,8 @@ public class VmConlet extends FreeMarkerConlet<VmConlet.VmsModel> {
 
     }
 
-    @SuppressWarnings("PMD.AvoidLiteralsInIfCondition")
+    @SuppressWarnings({ "PMD.AvoidLiteralsInIfCondition",
+        "PMD.LambdaCanBeMethodReference" })
     private Summary evaluateSummary(boolean force) {
         if (!force && cachedSummary != null) {
             return cachedSummary;
@@ -321,18 +322,20 @@ public class VmConlet extends FreeMarkerConlet<VmConlet.VmsModel> {
         Summary summary = new Summary();
         for (var vmDef : channelTracker.associated()) {
             summary.totalVms += 1;
-            var status = GsonPtr.to(vmDef.data()).to("status");
-            summary.usedCpus += status.getAsInt("cpus").orElse(0);
-            summary.usedRam = summary.usedRam.add(status.getAsString("ram")
-                .map(BigInteger::new).orElse(BigInteger.ZERO));
-            for (var c : status.getAsListOf(JsonObject.class, "conditions")) {
-                if ("Running".equals(GsonPtr.to(c).getAsString("type")
-                    .orElse(null))
-                    && "True".equals(GsonPtr.to(c).getAsString("status")
-                        .orElse(null))) {
-                    summary.runningVms += 1;
-                }
-            }
+            summary.usedCpus += vmDef.<Number> fromStatus("cpus")
+                .map(Number::intValue).orElse(0);
+            summary.usedRam = summary.usedRam
+                .add(vmDef.<String> fromStatus("ram")
+                    .map(r -> Quantity.fromString(r).getNumber().toBigInteger())
+                    .orElse(BigInteger.ZERO));
+            summary.runningVms
+                = vmDef.<List<Map<String, Object>>> fromStatus("conditions")
+                    .orElse(Collections.emptyList()).stream()
+                    .filter(cond -> DataPath.get(cond, "type")
+                        .map(t -> "Running".equals(t)).orElse(false)
+                        && DataPath.get(cond, "status")
+                            .map(s -> "True".equals(s)).orElse(false))
+                    .count();
         }
         cachedSummary = summary;
         return summary;
diff --git a/org.jdrupes.vmoperator.vmviewer/build.gradle b/org.jdrupes.vmoperator.vmviewer/build.gradle
index b5faf7c..606c6cd 100644
--- a/org.jdrupes.vmoperator.vmviewer/build.gradle
+++ b/org.jdrupes.vmoperator.vmviewer/build.gradle
@@ -5,7 +5,7 @@ plugins {
 dependencies {
     implementation project(':org.jdrupes.vmoperator.manager.events')
     
-    implementation 'org.jgrapes:org.jgrapes.webconsole.base:[2.0.0,3)'
+    implementation 'org.jgrapes:org.jgrapes.webconsole.base:[2.1.0,3)'
     implementation 'org.jgrapes:org.jgrapes.webconsole.provider.vue:[1,2)'
     implementation 'org.jgrapes:org.jgrapes.webconsole.provider.jgwcvuecomponents:[1.2,2)'
     implementation 'org.jgrapes:org.jgrapes.webconsole.provider.chartjs:[1.2,2)'
diff --git a/org.jdrupes.vmoperator.vmviewer/src/org/jdrupes/vmoperator/vmviewer/VmViewer.java b/org.jdrupes.vmoperator.vmviewer/src/org/jdrupes/vmoperator/vmviewer/VmViewer.java
index 59cc98f..8920e4c 100644
--- a/org.jdrupes.vmoperator.vmviewer/src/org/jdrupes/vmoperator/vmviewer/VmViewer.java
+++ b/org.jdrupes.vmoperator.vmviewer/src/org/jdrupes/vmoperator/vmviewer/VmViewer.java
@@ -23,8 +23,6 @@ import com.fasterxml.jackson.annotation.JsonProperty;
 import com.fasterxml.jackson.core.JsonProcessingException;
 import com.fasterxml.jackson.databind.ObjectMapper;
 import com.fasterxml.jackson.datatype.jsr310.JavaTimeModule;
-import com.google.gson.JsonObject;
-import com.google.gson.JsonPrimitive;
 import com.google.gson.JsonSyntaxException;
 import freemarker.core.ParseException;
 import freemarker.template.MalformedTemplateNameException;
@@ -48,17 +46,16 @@ import java.util.ResourceBundle;
 import java.util.Set;
 import java.util.logging.Level;
 import org.bouncycastle.util.Objects;
-import org.jdrupes.vmoperator.common.K8sDynamicModel;
 import org.jdrupes.vmoperator.common.K8sObserver;
-import org.jdrupes.vmoperator.common.VmDefinitionModel;
-import org.jdrupes.vmoperator.common.VmDefinitionModel.Permission;
+import org.jdrupes.vmoperator.common.VmDefinition;
+import org.jdrupes.vmoperator.common.VmDefinition.Permission;
 import org.jdrupes.vmoperator.manager.events.ChannelTracker;
 import org.jdrupes.vmoperator.manager.events.GetDisplayPassword;
 import org.jdrupes.vmoperator.manager.events.ModifyVm;
 import org.jdrupes.vmoperator.manager.events.ResetVm;
 import org.jdrupes.vmoperator.manager.events.VmChannel;
 import org.jdrupes.vmoperator.manager.events.VmDefChanged;
-import org.jdrupes.vmoperator.util.GsonPtr;
+import org.jdrupes.vmoperator.util.DataPath;
 import org.jgrapes.core.Channel;
 import org.jgrapes.core.Components;
 import org.jgrapes.core.Event;
@@ -122,7 +119,7 @@ public class VmViewer extends FreeMarkerConlet<VmViewer.ViewerModel> {
     private static final Set<RenderMode> MODES_FOR_GENERATED = RenderMode.asSet(
         RenderMode.Preview, RenderMode.StickyPreview);
     private final ChannelTracker<String, VmChannel,
-            VmDefinitionModel> channelTracker = new ChannelTracker<>();
+            VmDefinition> channelTracker = new ChannelTracker<>();
     private static ObjectMapper objectMapper
         = new ObjectMapper().registerModule(new JavaTimeModule());
     private Class<?> preferredIpVersion = Inet4Address.class;
@@ -399,8 +396,7 @@ public class VmViewer extends FreeMarkerConlet<VmViewer.ViewerModel> {
             .map(d -> d.getMetadata().getName()).sorted().toList();
     }
 
-    private Set<Permission> permissions(VmDefinitionModel vmDef,
-            Session session) {
+    private Set<Permission> permissions(VmDefinition vmDef, Session session) {
         var user = WebConsoleUtils.userFromSession(session)
             .map(ConsoleUser::getName).orElse(null);
         var roles = WebConsoleUtils.rolesFromSession(session)
@@ -421,15 +417,16 @@ public class VmViewer extends FreeMarkerConlet<VmViewer.ViewerModel> {
         channelTracker.value(model.vmName()).ifPresent(item -> {
             try {
                 var vmDef = item.associated();
-                @SuppressWarnings("unchecked")
-                var def = (Map<String, Object>) item.channel().client()
-                    .getJSON().getGson()
-                    .fromJson(vmDef.data().toString(), Map.class);
-                def.put("userPermissions",
+                var data = Map.of("metadata",
+                    Map.of("namespace", vmDef.namespace(),
+                        "name", vmDef.name()),
+                    "spec", vmDef.spec(),
+                    "status", vmDef.getStatus(),
+                    "userPermissions",
                     permissions(vmDef, channel.session()).stream()
                         .map(Permission::toString).toList());
                 channel.respond(new NotifyConletView(type(),
-                    model.getConletId(), "updateVmDefinition", def));
+                    model.getConletId(), "updateVmDefinition", data));
             } catch (JsonSyntaxException e) {
                 logger.log(Level.SEVERE, e,
                     () -> "Failed to serialize VM definition");
@@ -452,7 +449,6 @@ public class VmViewer extends FreeMarkerConlet<VmViewer.ViewerModel> {
      *
      * @param event the event
      * @param channel the channel
-     * @throws JsonDecodeException the json decode exception
      * @throws IOException 
      */
     @Handler(namedChannels = "manager")
@@ -461,11 +457,8 @@ public class VmViewer extends FreeMarkerConlet<VmViewer.ViewerModel> {
         "PMD.ConfusingArgumentToVarargsMethod" })
     public void onVmDefChanged(VmDefChanged event, VmChannel channel)
             throws IOException {
-        var vmDef = new VmDefinitionModel(channel.client().getJSON()
-            .getGson(), event.vmDefinition().data());
-        GsonPtr.to(vmDef.data()).to("metadata").get(JsonObject.class)
-            .remove("managedFields");
-        var vmName = vmDef.getMetadata().getName();
+        var vmDef = event.vmDefinition();
+        var vmName = vmDef.name();
         if (event.type() == K8sObserver.ResponseType.DELETED) {
             channelTracker.remove(vmName);
         } else {
@@ -567,27 +560,26 @@ public class VmViewer extends FreeMarkerConlet<VmViewer.ViewerModel> {
             logger.severe(() -> "Failed to find display IP for " + vmName);
             return;
         }
-        var port = GsonPtr.to(vmDef.data()).get(JsonPrimitive.class, "spec",
-            "vm", "display", "spice", "port");
+        var port = vmDef.<Number> fromVm("display", "spice", "port")
+            .map(Number::longValue);
         if (port.isEmpty()) {
             logger.severe(() -> "No port defined for display of " + vmName);
             return;
         }
-        var proxyUrl = GsonPtr.to(vmDef.data()).get(JsonPrimitive.class, "spec",
-            "vm", "display", "spice", "proxyUrl");
         StringBuffer data = new StringBuffer(100)
             .append("[virt-viewer]\ntype=spice\nhost=")
             .append(addr.get().getHostAddress()).append("\nport=")
-            .append(Integer.toString(port.get().getAsInt()))
+            .append(port.get().toString())
             .append('\n');
         if (password != null) {
             data.append("password=").append(password).append('\n');
         }
-        proxyUrl.map(JsonPrimitive::getAsString).ifPresent(u -> {
-            if (!Strings.isNullOrEmpty(u)) {
-                data.append("proxy=").append(u).append('\n');
-            }
-        });
+        vmDef.<String> fromVm("display", "spice", "proxyUrl")
+            .ifPresent(u -> {
+                if (!Strings.isNullOrEmpty(u)) {
+                    data.append("proxy=").append(u).append('\n');
+                }
+            });
         if (deleteConnectionFile) {
             data.append("delete-this-file=1\n");
         }
@@ -596,11 +588,10 @@ public class VmViewer extends FreeMarkerConlet<VmViewer.ViewerModel> {
             Base64.getEncoder().encodeToString(data.toString().getBytes())));
     }
 
-    private Optional<InetAddress> displayIp(K8sDynamicModel vmDef) {
-        var server = GsonPtr.to(vmDef.data()).get(JsonPrimitive.class, "spec",
-            "vm", "display", "spice", "server");
+    private Optional<InetAddress> displayIp(VmDefinition vmDef) {
+        Optional<String> server = vmDef.fromVm("display", "spice", "server");
         if (server.isPresent()) {
-            var srv = server.get().getAsString();
+            var srv = server.get();
             try {
                 var addr = InetAddress.getByName(srv);
                 logger.fine(() -> "Using IP address from CRD for "
@@ -612,8 +603,8 @@ public class VmViewer extends FreeMarkerConlet<VmViewer.ViewerModel> {
                 return Optional.empty();
             }
         }
-        var addrs = GsonPtr.to(vmDef.data()).getAsListOf(JsonPrimitive.class,
-            "nodeAddresses").stream().map(JsonPrimitive::getAsString)
+        var addrs = Optional.<List<String>> ofNullable(vmDef
+            .extra("nodeAddresses")).orElse(Collections.emptyList()).stream()
             .map(a -> {
                 try {
                     return InetAddress.getByName(a);
@@ -623,7 +614,7 @@ public class VmViewer extends FreeMarkerConlet<VmViewer.ViewerModel> {
                 }
             }).filter(a -> a != null).toList();
         logger.fine(() -> "Known IP addresses for "
-            + vmDef.getMetadata().getName() + ": " + addrs);
+            + vmDef.name() + ": " + addrs);
         return addrs.stream()
             .filter(a -> preferredIpVersion.isAssignableFrom(a.getClass()))
             .findFirst().or(() -> addrs.stream().findFirst());

From abe06b46582408b0e7ecdbe43ef985a71806b55d Mon Sep 17 00:00:00 2001
From: Michael Lipp <mnl@mnl.de>
Date: Sat, 9 Nov 2024 11:08:59 +0000
Subject: [PATCH 009/274] Adapt viewer preview controls to permission changes.

---
 .../org/jdrupes/vmoperator/util/DataPath.java |  1 +
 .../jdrupes/vmoperator/vmviewer/VmViewer.java | 24 +++++++++----------
 2 files changed, 12 insertions(+), 13 deletions(-)

diff --git a/org.jdrupes.vmoperator.util/src/org/jdrupes/vmoperator/util/DataPath.java b/org.jdrupes.vmoperator.util/src/org/jdrupes/vmoperator/util/DataPath.java
index be5b530..7a6596b 100644
--- a/org.jdrupes.vmoperator.util/src/org/jdrupes/vmoperator/util/DataPath.java
+++ b/org.jdrupes.vmoperator.util/src/org/jdrupes/vmoperator/util/DataPath.java
@@ -31,6 +31,7 @@ import java.util.logging.Logger;
  */
 public final class DataPath {
 
+    @SuppressWarnings("PMD.FieldNamingConventions")
     private static final Logger logger
         = Logger.getLogger(DataPath.class.getName());
 
diff --git a/org.jdrupes.vmoperator.vmviewer/src/org/jdrupes/vmoperator/vmviewer/VmViewer.java b/org.jdrupes.vmoperator.vmviewer/src/org/jdrupes/vmoperator/vmviewer/VmViewer.java
index 8920e4c..a21c420 100644
--- a/org.jdrupes.vmoperator.vmviewer/src/org/jdrupes/vmoperator/vmviewer/VmViewer.java
+++ b/org.jdrupes.vmoperator.vmviewer/src/org/jdrupes/vmoperator/vmviewer/VmViewer.java
@@ -45,6 +45,7 @@ import java.util.Optional;
 import java.util.ResourceBundle;
 import java.util.Set;
 import java.util.logging.Level;
+import java.util.stream.Collectors;
 import org.bouncycastle.util.Objects;
 import org.jdrupes.vmoperator.common.K8sObserver;
 import org.jdrupes.vmoperator.common.VmDefinition;
@@ -55,7 +56,6 @@ import org.jdrupes.vmoperator.manager.events.ModifyVm;
 import org.jdrupes.vmoperator.manager.events.ResetVm;
 import org.jdrupes.vmoperator.manager.events.VmChannel;
 import org.jdrupes.vmoperator.manager.events.VmDefChanged;
-import org.jdrupes.vmoperator.util.DataPath;
 import org.jgrapes.core.Channel;
 import org.jgrapes.core.Components;
 import org.jgrapes.core.Event;
@@ -123,7 +123,7 @@ public class VmViewer extends FreeMarkerConlet<VmViewer.ViewerModel> {
     private static ObjectMapper objectMapper
         = new ObjectMapper().registerModule(new JavaTimeModule());
     private Class<?> preferredIpVersion = Inet4Address.class;
-    private final Set<String> syncUsers = new HashSet<>();
+    private Set<String> syncUsers = new HashSet<>();
     private final Set<String> syncRoles = new HashSet<>();
     private boolean deleteConnectionFile = true;
 
@@ -173,15 +173,12 @@ public class VmViewer extends FreeMarkerConlet<VmViewer.ViewerModel> {
                         .filter(v -> v instanceof String).map(v -> (String) v)
                         .map(Boolean::parseBoolean).orElse(true);
 
-                // Sync
-                for (var entry : (List<Map<String, String>>) c.getOrDefault(
-                    "syncPreviewsFor", Collections.emptyList())) {
-                    if (entry.containsKey("user")) {
-                        syncUsers.add(entry.get("user"));
-                    } else if (entry.containsKey("role")) {
-                        syncRoles.add(entry.get("role"));
-                    }
-                }
+                // Sync preview for users or roles
+                syncUsers = ((List<Map<String, String>>) c.getOrDefault(
+                    "syncPreviewsFor", Collections.emptyList())).stream()
+                        .map(m -> Optional.ofNullable(m.get("user"))
+                            .orElse(m.get("role")))
+                        .filter(s -> s != null).collect(Collectors.toSet());
             } catch (ClassCastException e) {
                 logger.config("Malformed configuration: " + e.getMessage());
             }
@@ -367,8 +364,9 @@ public class VmViewer extends FreeMarkerConlet<VmViewer.ViewerModel> {
                     fmModel(event, channel, conletId, model)))
                         .setRenderAs(
                             RenderMode.Preview.addModifiers(event.renderAs()))
-                        .setSupportedModes(
-                            model.isGenerated() ? MODES_FOR_GENERATED : MODES));
+                        .setSupportedModes(syncPreviews(channel.session())
+                            ? MODES_FOR_GENERATED
+                            : MODES));
             renderedAs.add(RenderMode.Preview);
             if (!Strings.isNullOrEmpty(model.vmName())) {
                 Optional.ofNullable(channel.session().get(RENDERED))

From 3d446836b52163feffcc6739dfa2f481900b747a Mon Sep 17 00:00:00 2001
From: "Michael N. Lipp" <mnl@mnl.de>
Date: Sat, 9 Nov 2024 12:41:22 +0100
Subject: [PATCH 010/274] Add "testing" to branches with default versioning.

---
 .../src/org.jdrupes.vmoperator.versioning-conventions.gradle     | 1 +
 1 file changed, 1 insertion(+)

diff --git a/buildSrc/src/org.jdrupes.vmoperator.versioning-conventions.gradle b/buildSrc/src/org.jdrupes.vmoperator.versioning-conventions.gradle
index a9e8dfe..49b6f74 100644
--- a/buildSrc/src/org.jdrupes.vmoperator.versioning-conventions.gradle
+++ b/buildSrc/src/org.jdrupes.vmoperator.versioning-conventions.gradle
@@ -19,6 +19,7 @@ if (shortened == "manager") {
 var tagName = shortened.replace('.', '-') + "-"
 if (grgit.branch.current.name != "main"
     && grgit.branch.current.name != "HEAD"
+    && !grgit.branch.current.name.startsWith("testing")
     && !grgit.branch.current.name.startsWith("release")
     && !grgit.branch.current.name.startsWith("develop")) {
     tagName = tagName + grgit.branch.current.name.replace('/', '-') + "-"

From 5b209c935ee4051d16aca10465504f4e266714b9 Mon Sep 17 00:00:00 2001
From: "Michael N. Lipp" <mnl@mnl.de>
Date: Sat, 9 Nov 2024 12:45:39 +0100
Subject: [PATCH 011/274] Pull from "testing" when using this branch.

---
 deploy/vmop-deployment.yaml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/deploy/vmop-deployment.yaml b/deploy/vmop-deployment.yaml
index 648cc39..e232134 100644
--- a/deploy/vmop-deployment.yaml
+++ b/deploy/vmop-deployment.yaml
@@ -20,13 +20,13 @@ spec:
       containers:
         - name: vm-operator
           image: >-
-            ghcr.io/mnlipp/org.jdrupes.vmoperator.manager:latest
+            ghcr.io/mnlipp/org.jdrupes.vmoperator.manager:testing
+          imagePullPolicy: Always
           volumeMounts:
             - name: config
               mountPath: /etc/opt/vmoperator
             - name: vmop-image-repository
               mountPath: /var/local/vmop-image-repository
-          imagePullPolicy: Always
           securityContext:
             capabilities:
               drop:

From 90199072241c449f6b8481bb659415545827667f Mon Sep 17 00:00:00 2001
From: "Michael N. Lipp" <mnl@mnl.de>
Date: Sat, 9 Nov 2024 13:03:45 +0100
Subject: [PATCH 012/274] Add "testing" to branches with default versioning.

---
 .../src/org.jdrupes.vmoperator.versioning-conventions.gradle     | 1 +
 1 file changed, 1 insertion(+)

diff --git a/buildSrc/src/org.jdrupes.vmoperator.versioning-conventions.gradle b/buildSrc/src/org.jdrupes.vmoperator.versioning-conventions.gradle
index a9e8dfe..49b6f74 100644
--- a/buildSrc/src/org.jdrupes.vmoperator.versioning-conventions.gradle
+++ b/buildSrc/src/org.jdrupes.vmoperator.versioning-conventions.gradle
@@ -19,6 +19,7 @@ if (shortened == "manager") {
 var tagName = shortened.replace('.', '-') + "-"
 if (grgit.branch.current.name != "main"
     && grgit.branch.current.name != "HEAD"
+    && !grgit.branch.current.name.startsWith("testing")
     && !grgit.branch.current.name.startsWith("release")
     && !grgit.branch.current.name.startsWith("develop")) {
     tagName = tagName + grgit.branch.current.name.replace('/', '-') + "-"

From 4d762254424cc7159105c7d02b07623dccbfc6b3 Mon Sep 17 00:00:00 2001
From: "Michael N. Lipp" <mnl@mnl.de>
Date: Sat, 9 Nov 2024 13:09:11 +0100
Subject: [PATCH 013/274] Fix image path.

---
 deploy/vmop-deployment.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/deploy/vmop-deployment.yaml b/deploy/vmop-deployment.yaml
index e232134..f61d5f1 100644
--- a/deploy/vmop-deployment.yaml
+++ b/deploy/vmop-deployment.yaml
@@ -20,7 +20,7 @@ spec:
       containers:
         - name: vm-operator
           image: >-
-            ghcr.io/mnlipp/org.jdrupes.vmoperator.manager:testing
+            registry.mnl.de/org/jdrupes/vm-operator/org.jdrupes.vmoperator.manager:testing
           imagePullPolicy: Always
           volumeMounts:
             - name: config

From c7b65ca581aa5eb8f6513ac05f4f4815d6ad1796 Mon Sep 17 00:00:00 2001
From: "Michael N. Lipp" <mnl@mnl.de>
Date: Sun, 10 Nov 2024 14:13:34 +0100
Subject: [PATCH 014/274] Report console connection events.

---
 deploy/crds/vms-crd.yaml                      | 11 +++
 .../vmoperator/runner/qemu/StatusUpdater.java | 92 +++++++++++++++++++
 .../runner/qemu/events/MonitorEvent.java      | 14 ++-
 .../qemu/events/SpiceConnectedEvent.java      | 37 ++++++++
 .../qemu/events/SpiceDisconnectedEvent.java   | 37 ++++++++
 .../runner/qemu/events/SpiceEvent.java        | 46 ++++++++++
 6 files changed, 234 insertions(+), 3 deletions(-)
 create mode 100644 org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/events/SpiceConnectedEvent.java
 create mode 100644 org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/events/SpiceDisconnectedEvent.java
 create mode 100644 org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/events/SpiceEvent.java

diff --git a/deploy/crds/vms-crd.yaml b/deploy/crds/vms-crd.yaml
index cda817c..492deae 100644
--- a/deploy/crds/vms-crd.yaml
+++ b/deploy/crds/vms-crd.yaml
@@ -1457,6 +1457,11 @@ spec:
                     Amount of memory in use.
                   type: string
                   default: "0"
+                consoleClient:
+                  description: >-
+                    The hostname of the currently connected client.
+                  type: string
+                  default: ""
                 displayPasswordSerial:
                   description: >-
                     Counts changes of the display password. Set to -1
@@ -1473,6 +1478,12 @@ spec:
                     lastTransitionTime: "1970-01-01T00:00:00Z"
                     reason: Creation
                     message: "Creation of CR"
+                  - type: ConsoleConnected
+                    status: "False"
+                    observedGeneration: 1
+                    lastTransitionTime: "1970-01-01T00:00:00Z"
+                    reason: Creation
+                    message: "Creation of CR"
                   type: array
                   items:
                     type: object
diff --git a/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/StatusUpdater.java b/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/StatusUpdater.java
index 412681f..bac272e 100644
--- a/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/StatusUpdater.java
+++ b/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/StatusUpdater.java
@@ -30,10 +30,13 @@ import java.math.BigDecimal;
 import java.nio.file.Files;
 import java.nio.file.Path;
 import java.time.Instant;
+import java.util.ArrayList;
+import java.util.List;
 import java.util.Map;
 import java.util.Optional;
 import java.util.Set;
 import java.util.logging.Level;
+import java.util.stream.Collectors;
 import static org.jdrupes.vmoperator.common.Constants.APP_NAME;
 import static org.jdrupes.vmoperator.common.Constants.VM_OP_GROUP;
 import static org.jdrupes.vmoperator.common.Constants.VM_OP_KIND_VM;
@@ -50,6 +53,8 @@ import org.jdrupes.vmoperator.runner.qemu.events.HotpluggableCpuStatus;
 import org.jdrupes.vmoperator.runner.qemu.events.RunnerStateChange;
 import org.jdrupes.vmoperator.runner.qemu.events.RunnerStateChange.RunState;
 import org.jdrupes.vmoperator.runner.qemu.events.ShutdownEvent;
+import org.jdrupes.vmoperator.runner.qemu.events.SpiceConnectedEvent;
+import org.jdrupes.vmoperator.runner.qemu.events.SpiceDisconnectedEvent;
 import org.jdrupes.vmoperator.util.GsonPtr;
 import org.jgrapes.core.Channel;
 import org.jgrapes.core.Component;
@@ -363,4 +368,91 @@ public class StatusUpdater extends Component {
     public void onShutdown(ShutdownEvent event) throws ApiException {
         shutdownByGuest = event.byGuest();
     }
+
+    /**
+     * On spice connected.
+     *
+     * @param event the event
+     * @throws ApiException the api exception
+     */
+    @Handler
+    public void onSpiceConnected(SpiceConnectedEvent event)
+            throws ApiException {
+        if (vmStub == null) {
+            return;
+        }
+        vmStub.updateStatus(from -> {
+            JsonObject status = from.status();
+            status.addProperty("consoleClient", event.clientHost());
+            updateConsoleConnectedCondition(from, status, true);
+            return status;
+        });
+
+        // Log event
+        var evt = new EventsV1Event()
+            .reportingController(VM_OP_GROUP + "/" + APP_NAME)
+            .action("ConsoleConnectionUpdate")
+            .reason("Connection from " + event.clientHost());
+        K8s.createEvent(apiClient, vmStub.model().get(), evt);
+    }
+
+    /**
+     * On spice disconnected.
+     *
+     * @param event the event
+     * @throws ApiException the api exception
+     */
+    @Handler
+    public void onSpiceDisconnected(SpiceDisconnectedEvent event)
+            throws ApiException {
+        if (vmStub == null) {
+            return;
+        }
+        vmStub.updateStatus(from -> {
+            JsonObject status = from.status();
+            status.addProperty("consoleClient", "");
+            updateConsoleConnectedCondition(from, status, false);
+            return status;
+        });
+
+        // Log event
+        var evt = new EventsV1Event()
+            .reportingController(VM_OP_GROUP + "/" + APP_NAME)
+            .action("ConsoleConnectionUpdate")
+            .reason("Disconnected from " + event.clientHost());
+        K8s.createEvent(apiClient, vmStub.model().get(), evt);
+    }
+
+    private void updateConsoleConnectedCondition(VmDefinitionModel from,
+            JsonObject status, boolean connected) {
+        // Optimize, as we can get this several times
+        var current = status.getAsJsonArray("conditions").asList().stream()
+            .map(cond -> (JsonObject) cond)
+            .filter(cond -> "ConsoleConnected"
+                .equals(cond.get("type").getAsString()))
+            .findFirst()
+            .map(cond -> "True".equals(cond.get("status").getAsString()));
+        if (current.isPresent() && current.get() == connected) {
+            return;
+        }
+
+        // Do update
+        final var condition = Map.of("type", "ConsoleConnected",
+            "status", connected ? "True" : "False",
+            "observedGeneration", from.getMetadata().getGeneration(),
+            "reason", connected ? "Connected" : "Disconnected",
+            "lastTransitionTime", Instant.now().toString());
+        List<Object> toReplace = new ArrayList<>(List.of(condition));
+        List<Object> newConds
+            = status.getAsJsonArray("conditions").asList().stream()
+                .map(cond -> (JsonObject) cond)
+                .map(cond -> "ConsoleConnected"
+                    .equals(cond.get("type").getAsString())
+                        ? toReplace.remove(0)
+                        : cond)
+                .collect(Collectors.toCollection(() -> new ArrayList<>()));
+        newConds.addAll(toReplace);
+        status.add("conditions",
+            apiClient.getJSON().getGson().toJsonTree(newConds));
+    }
 }
diff --git a/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/events/MonitorEvent.java b/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/events/MonitorEvent.java
index ba04a26..2cc0f33 100644
--- a/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/events/MonitorEvent.java
+++ b/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/events/MonitorEvent.java
@@ -34,7 +34,8 @@ public class MonitorEvent extends Event<Void> {
      * The kind of monitor event.
      */
     public enum Kind {
-        READY, POWERDOWN, DEVICE_TRAY_MOVED, BALLOON_CHANGE, SHUTDOWN
+        READY, POWERDOWN, DEVICE_TRAY_MOVED, BALLOON_CHANGE, SHUTDOWN,
+        SPICE_CONNECTED, SPICE_DISCONNECTED
     }
 
     private final Kind kind;
@@ -49,8 +50,7 @@ public class MonitorEvent extends Event<Void> {
     @SuppressWarnings("PMD.TooFewBranchesForASwitchStatement")
     public static Optional<MonitorEvent> from(JsonNode response) {
         try {
-            var kind = MonitorEvent.Kind
-                .valueOf(response.get("event").asText());
+            var kind = Kind.valueOf(response.get("event").asText());
             switch (kind) {
             case POWERDOWN:
                 return Optional.of(new PowerdownEvent(kind, null));
@@ -63,6 +63,14 @@ public class MonitorEvent extends Event<Void> {
             case SHUTDOWN:
                 return Optional
                     .of(new ShutdownEvent(kind, response.get(EVENT_DATA)));
+            case SPICE_CONNECTED:
+                return Optional
+                    .of(new SpiceConnectedEvent(kind,
+                        response.get(EVENT_DATA)));
+            case SPICE_DISCONNECTED:
+                return Optional
+                    .of(new SpiceDisconnectedEvent(kind,
+                        response.get(EVENT_DATA)));
             default:
                 return Optional
                     .of(new MonitorEvent(kind, response.get(EVENT_DATA)));
diff --git a/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/events/SpiceConnectedEvent.java b/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/events/SpiceConnectedEvent.java
new file mode 100644
index 0000000..c133307
--- /dev/null
+++ b/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/events/SpiceConnectedEvent.java
@@ -0,0 +1,37 @@
+/*
+ * VM-Operator
+ * Copyright (C) 2023 Michael N. Lipp
+ * 
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as
+ * published by the Free Software Foundation, either version 3 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program.  If not, see <https://www.gnu.org/licenses/>.
+ */
+
+package org.jdrupes.vmoperator.runner.qemu.events;
+
+import com.fasterxml.jackson.databind.JsonNode;
+
+/**
+ * Signals a connection from a client.
+ */
+public class SpiceConnectedEvent extends SpiceEvent {
+
+    /**
+     * Instantiates a new spice connected event.
+     *
+     * @param kind the kind
+     * @param data the data
+     */
+    public SpiceConnectedEvent(Kind kind, JsonNode data) {
+        super(kind, data);
+    }
+}
diff --git a/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/events/SpiceDisconnectedEvent.java b/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/events/SpiceDisconnectedEvent.java
new file mode 100644
index 0000000..cfcb489
--- /dev/null
+++ b/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/events/SpiceDisconnectedEvent.java
@@ -0,0 +1,37 @@
+/*
+ * VM-Operator
+ * Copyright (C) 2023 Michael N. Lipp
+ * 
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as
+ * published by the Free Software Foundation, either version 3 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program.  If not, see <https://www.gnu.org/licenses/>.
+ */
+
+package org.jdrupes.vmoperator.runner.qemu.events;
+
+import com.fasterxml.jackson.databind.JsonNode;
+
+/**
+ * Signals a connection from a client.
+ */
+public class SpiceDisconnectedEvent extends SpiceEvent {
+
+    /**
+     * Instantiates a new spice disconnected event.
+     *
+     * @param kind the kind
+     * @param data the data
+     */
+    public SpiceDisconnectedEvent(Kind kind, JsonNode data) {
+        super(kind, data);
+    }
+}
diff --git a/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/events/SpiceEvent.java b/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/events/SpiceEvent.java
new file mode 100644
index 0000000..6706f0c
--- /dev/null
+++ b/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/events/SpiceEvent.java
@@ -0,0 +1,46 @@
+/*
+ * VM-Operator
+ * Copyright (C) 2023 Michael N. Lipp
+ * 
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as
+ * published by the Free Software Foundation, either version 3 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program.  If not, see <https://www.gnu.org/licenses/>.
+ */
+
+package org.jdrupes.vmoperator.runner.qemu.events;
+
+import com.fasterxml.jackson.databind.JsonNode;
+
+/**
+ * Signals a connection from a client.
+ */
+public class SpiceEvent extends MonitorEvent {
+
+    /**
+     * Instantiates a new tray moved.
+     *
+     * @param kind the kind
+     * @param data the data
+     */
+    public SpiceEvent(Kind kind, JsonNode data) {
+        super(kind, data);
+    }
+
+    /**
+     * Returns the client's host.
+     *
+     * @return the client's host address
+     */
+    public String clientHost() {
+        return data().get("client").get("host").asText();
+    }
+}

From 12408143a7491489ed547ca23af5715b56bc548f Mon Sep 17 00:00:00 2001
From: "Michael N. Lipp" <mnl@mnl.de>
Date: Sun, 10 Nov 2024 14:15:17 +0100
Subject: [PATCH 015/274] Fix warning.

---
 .../src/org/jdrupes/vmoperator/runner/qemu/StatusUpdater.java    | 1 +
 1 file changed, 1 insertion(+)

diff --git a/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/StatusUpdater.java b/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/StatusUpdater.java
index bac272e..f6814b3 100644
--- a/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/StatusUpdater.java
+++ b/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/StatusUpdater.java
@@ -280,6 +280,7 @@ public class StatusUpdater extends Component {
 
     private void updateRunningCondition(RunnerStateChange event,
             K8sDynamicModel from, JsonObject cond) {
+        @SuppressWarnings("PMD.AvoidDuplicateLiterals")
         boolean reportedRunning
             = "True".equals(cond.get("status").getAsString());
         if (RUNNING_STATES.contains(event.runState())

From e5fd45ebcba7120d2f68ff5e0a2539af69a71132 Mon Sep 17 00:00:00 2001
From: "Michael N. Lipp" <mnl@mnl.de>
Date: Sun, 10 Nov 2024 14:41:45 +0100
Subject: [PATCH 016/274] Show console client.

---
 .../resources/org/jdrupes/vmoperator/vmconlet/l10n.properties | 1 +
 .../org/jdrupes/vmoperator/vmconlet/l10n_de.properties        | 1 +
 .../jdrupes/vmoperator/vmconlet/browser/VmConlet-functions.ts | 4 +++-
 3 files changed, 5 insertions(+), 1 deletion(-)

diff --git a/org.jdrupes.vmoperator.vmconlet/resources/org/jdrupes/vmoperator/vmconlet/l10n.properties b/org.jdrupes.vmoperator.vmconlet/resources/org/jdrupes/vmoperator/vmconlet/l10n.properties
index 880369b..41bf670 100644
--- a/org.jdrupes.vmoperator.vmconlet/resources/org/jdrupes/vmoperator/vmconlet/l10n.properties
+++ b/org.jdrupes.vmoperator.vmconlet/resources/org/jdrupes/vmoperator/vmconlet/l10n.properties
@@ -11,5 +11,6 @@ nodeName = Node
 requestedCpus = Requested CPUs
 requestedRam = Requested RAM
 running = Running
+usedBy = Used by
 vmActions = Actions
 vmname = Name
diff --git a/org.jdrupes.vmoperator.vmconlet/resources/org/jdrupes/vmoperator/vmconlet/l10n_de.properties b/org.jdrupes.vmoperator.vmconlet/resources/org/jdrupes/vmoperator/vmconlet/l10n_de.properties
index 7e1d95e..819db03 100644
--- a/org.jdrupes.vmoperator.vmconlet/resources/org/jdrupes/vmoperator/vmconlet/l10n_de.properties
+++ b/org.jdrupes.vmoperator.vmconlet/resources/org/jdrupes/vmoperator/vmconlet/l10n_de.properties
@@ -15,6 +15,7 @@ maximumRam = Maximales RAM
 nodeName = Knoten
 requestedCpus = Angeforderte CPUs
 requestedRam = Angefordertes RAM
+usedBy = Benutzt von
 vmActions = Aktionen
 vmname = Name
 Value\ is\ above\ maximum = Wert ist zu groß
diff --git a/org.jdrupes.vmoperator.vmconlet/src/org/jdrupes/vmoperator/vmconlet/browser/VmConlet-functions.ts b/org.jdrupes.vmoperator.vmconlet/src/org/jdrupes/vmoperator/vmconlet/browser/VmConlet-functions.ts
index 44d6471..8daf3a9 100644
--- a/org.jdrupes.vmoperator.vmconlet/src/org/jdrupes/vmoperator/vmconlet/browser/VmConlet-functions.ts
+++ b/org.jdrupes.vmoperator.vmconlet/src/org/jdrupes/vmoperator/vmconlet/browser/VmConlet-functions.ts
@@ -111,7 +111,8 @@ window.orgJDrupesVmOperatorVmConlet.initView = (viewDom: HTMLElement,
                 ["runningConditionSince", "since"],
                 ["currentCpus", "currentCpus"],
                 ["currentRam", "currentRam"],
-                ["nodeName", "nodeName"]
+                ["nodeName", "nodeName"],
+                ["usedBy", "usedBy"]
             ], {
                 sortKey: "name",
                 sortOrder: "up"
@@ -179,6 +180,7 @@ JGConsole.registerConletFunction("org.jdrupes.vmoperator.vmconlet.VmConlet",
         vmDefinition.name = vmDefinition.metadata.name;
         vmDefinition.currentCpus = vmDefinition.status.cpus;
         vmDefinition.currentRam = Number(vmDefinition.status.ram);
+        vmDefinition.usedBy = vmDefinition.status.consoleClient || "";
         for (const condition of vmDefinition.status.conditions) {
             if (condition.type === "Running") {
                 vmDefinition.running = condition.status === "True";

From 090d504b7757d3e2194fcf3c1ac69df23669efa1 Mon Sep 17 00:00:00 2001
From: "Michael N. Lipp" <mnl@mnl.de>
Date: Sun, 10 Nov 2024 17:10:08 +0100
Subject: [PATCH 017/274] Add in-use visualization.

---
 .../vmoperator/vmviewer/computer-in-use.svg   | 86 +++++++++++++++++++
 .../vmviewer/browser/VmViewer-functions.ts    |  7 +-
 2 files changed, 91 insertions(+), 2 deletions(-)
 create mode 100644 org.jdrupes.vmoperator.vmviewer/resources/org/jdrupes/vmoperator/vmviewer/computer-in-use.svg

diff --git a/org.jdrupes.vmoperator.vmviewer/resources/org/jdrupes/vmoperator/vmviewer/computer-in-use.svg b/org.jdrupes.vmoperator.vmviewer/resources/org/jdrupes/vmoperator/vmviewer/computer-in-use.svg
new file mode 100644
index 0000000..90339c1
--- /dev/null
+++ b/org.jdrupes.vmoperator.vmviewer/resources/org/jdrupes/vmoperator/vmviewer/computer-in-use.svg
@@ -0,0 +1,86 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!-- Uploaded to: SVG Repo, www.svgrepo.com, Generator: SVG Repo Mixer Tools -->
+
+<svg
+   fill="#000000"
+   width="800"
+   height="533.33331"
+   viewBox="0 0 24 15.999999"
+   version="1.1"
+   id="svg1"
+   sodipodi:docname="computer-in-use.svg"
+   inkscape:version="1.4 (e7c3feb100, 2024-10-09)"
+   xmlns:inkscape="http://www.inkscape.org/namespaces/inkscape"
+   xmlns:sodipodi="http://sodipodi.sourceforge.net/DTD/sodipodi-0.dtd"
+   xmlns="http://www.w3.org/2000/svg"
+   xmlns:svg="http://www.w3.org/2000/svg">
+  <defs
+     id="defs1">
+    <inkscape:path-effect
+       effect="fillet_chamfer"
+       id="path-effect4"
+       is_visible="true"
+       lpeversion="1"
+       nodesatellites_param="F,0,0,1,0,0,0,1 @ F,0,0,1,0,0,0,1 @ F,0,0,1,0,0,0,1 @ F,0,0,1,0,0,0,1"
+       radius="0"
+       unit="px"
+       method="auto"
+       mode="F"
+       chamfer_steps="1"
+       flexible="false"
+       use_knot_distance="true"
+       apply_no_radius="true"
+       apply_with_radius="true"
+       only_selected="false"
+       hide_knots="false" />
+    <linearGradient
+       id="swatch3"
+       inkscape:swatch="solid">
+      <stop
+         style="stop-color:#000000;stop-opacity:0;"
+         offset="0"
+         id="stop3" />
+    </linearGradient>
+  </defs>
+  <sodipodi:namedview
+     id="namedview1"
+     pagecolor="#ffffff"
+     bordercolor="#666666"
+     borderopacity="1.0"
+     inkscape:showpageshadow="2"
+     inkscape:pageopacity="0.0"
+     inkscape:pagecheckerboard="0"
+     inkscape:deskcolor="#d1d1d1"
+     inkscape:zoom="1.28"
+     inkscape:cx="326.5625"
+     inkscape:cy="548.04688"
+     inkscape:window-width="1920"
+     inkscape:window-height="1008"
+     inkscape:window-x="0"
+     inkscape:window-y="35"
+     inkscape:window-maximized="1"
+     inkscape:current-layer="svg1" />
+  <path
+     id="rect1"
+     style="fill-opacity:0;stroke:#000000;stroke-width:1.97262;stroke-linecap:square;stroke-linejoin:round;stroke-miterlimit:0;paint-order:fill markers stroke"
+     d="M 3.0038192,0.98808897 H 20.99618 V 13.006705 H 3.0038192 Z" />
+  <rect
+     style="opacity:1;fill:#000000;fill-opacity:1;fill-rule:nonzero;stroke:none;stroke-width:0.00306926;stroke-linecap:square;stroke-linejoin:round;stroke-miterlimit:0;stroke-dasharray:none;stroke-opacity:1;paint-order:fill markers stroke"
+     id="rect2"
+     width="23.995173"
+     height="2.0017407"
+     x="0.0039473679"
+     y="13.998839" />
+  <path
+     id="rect3"
+     style="fill:#ffffff;fill-opacity:1;stroke:#000000;stroke-width:1.05373;stroke-linecap:round;stroke-linejoin:round;stroke-miterlimit:0;stroke-dasharray:none;stroke-opacity:1;paint-order:fill markers stroke"
+     d="m 5.6839082,10.94394 c 0.2963594,-0.907428 2.9522319,-1.683971 2.767387,-1.6392261 0,0 1.5028596,1.6181771 3.6459428,1.6129171 2.018383,-0.005 3.362681,-1.6125503 3.362681,-1.6125503 -0.171441,-0.061235 2.778887,0.7741493 2.977303,1.6787203 0.393054,1.791919 0.25928,4.524228 0.25928,4.524228 L 5.3146272,15.391866 c 0,0 -0.181061,-2.762825 0.369281,-4.447926 z"
+     sodipodi:nodetypes="sssssccs" />
+  <ellipse
+     style="fill:none;stroke:#000000;stroke-width:1.02152;stroke-linecap:round;stroke-linejoin:round;stroke-miterlimit:0;stroke-dasharray:none;stroke-opacity:1;paint-order:fill markers stroke"
+     id="path3"
+     cx="11.964992"
+     cy="6.3769712"
+     rx="3.2413731"
+     ry="3.225764" />
+</svg>
diff --git a/org.jdrupes.vmoperator.vmviewer/src/org/jdrupes/vmoperator/vmviewer/browser/VmViewer-functions.ts b/org.jdrupes.vmoperator.vmviewer/src/org/jdrupes/vmoperator/vmviewer/browser/VmViewer-functions.ts
index a14e83c..42c7d10 100644
--- a/org.jdrupes.vmoperator.vmviewer/src/org/jdrupes/vmoperator/vmviewer/browser/VmViewer-functions.ts
+++ b/org.jdrupes.vmoperator.vmviewer/src/org/jdrupes/vmoperator/vmviewer/browser/VmViewer-functions.ts
@@ -72,6 +72,7 @@ window.orgJDrupesVmOperatorVmViewer.initPreview = (previewDom: HTMLElement,
                 previewApi.vmDefinition.spec.vm.state !== 'Stopped' 
                 && previewApi.vmDefinition.running);
             const running = computed(() => previewApi.vmDefinition.running);
+            const inUse = computed(() => previewApi.vmDefinition.usedBy != '');
             const permissions = computed(() => previewApi.vmDefinition.spec
                 ? previewApi.vmDefinition.userPermissions : []);
 
@@ -88,7 +89,7 @@ window.orgJDrupesVmOperatorVmViewer.initPreview = (previewDom: HTMLElement,
             };
         
             return { localize, resourceBase, vmAction, configured,
-                        startable, stoppable, running, permissions };
+                        startable, stoppable, running, inUse, permissions };
         },
         template: `
           <table>
@@ -101,7 +102,8 @@ window.orgJDrupesVmOperatorVmViewer.initPreview = (previewDom: HTMLElement,
                       || !permissions.includes('accessConsole')" 
                   v-on:click="vmAction('openConsole')"
                   :src="resourceBase + (running
-                      ? 'computer.svg' : 'computer-off.svg')"
+                      ? (inUse ? 'computer-in-use.svg' : 'computer.svg') 
+                      : 'computer-off.svg')"
                   :title="localize('Open console')"></span><span
                   style="visibility: hidden;"><img
                   :src="resourceBase + 'computer.svg'"></span></td>
@@ -159,6 +161,7 @@ JGConsole.registerConletFunction("org.jdrupes.vmoperator.vmviewer.VmViewer",
         vmDefinition.name = vmDefinition.metadata.name;
         vmDefinition.currentCpus = vmDefinition.status.cpus;
         vmDefinition.currentRam = Number(vmDefinition.status.ram);
+        vmDefinition.usedBy = vmDefinition.status.consoleClient || "";
         for (const condition of vmDefinition.status.conditions) {
             if (condition.type === "Running") {
                 vmDefinition.running = condition.status === "True";

From 355eded86b5f03b09c9e947ca7908cafb396799c Mon Sep 17 00:00:00 2001
From: Michael Lipp <mnl@mnl.de>
Date: Sun, 10 Nov 2024 16:19:46 +0000
Subject: [PATCH 018/274] Add tracking of client (viewer) connection state and
 visualize in GUI.

---
 deploy/crds/vms-crd.yaml                      | 11 +++
 .../vmoperator/runner/qemu/StatusUpdater.java | 93 +++++++++++++++++++
 .../runner/qemu/events/MonitorEvent.java      | 14 ++-
 .../qemu/events/SpiceConnectedEvent.java      | 37 ++++++++
 .../qemu/events/SpiceDisconnectedEvent.java   | 37 ++++++++
 .../runner/qemu/events/SpiceEvent.java        | 46 +++++++++
 .../vmoperator/vmconlet/l10n.properties       |  1 +
 .../vmoperator/vmconlet/l10n_de.properties    |  1 +
 .../vmconlet/browser/VmConlet-functions.ts    |  4 +-
 .../vmoperator/vmviewer/computer-in-use.svg   | 86 +++++++++++++++++
 .../vmviewer/browser/VmViewer-functions.ts    |  7 +-
 11 files changed, 331 insertions(+), 6 deletions(-)
 create mode 100644 org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/events/SpiceConnectedEvent.java
 create mode 100644 org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/events/SpiceDisconnectedEvent.java
 create mode 100644 org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/events/SpiceEvent.java
 create mode 100644 org.jdrupes.vmoperator.vmviewer/resources/org/jdrupes/vmoperator/vmviewer/computer-in-use.svg

diff --git a/deploy/crds/vms-crd.yaml b/deploy/crds/vms-crd.yaml
index cda817c..492deae 100644
--- a/deploy/crds/vms-crd.yaml
+++ b/deploy/crds/vms-crd.yaml
@@ -1457,6 +1457,11 @@ spec:
                     Amount of memory in use.
                   type: string
                   default: "0"
+                consoleClient:
+                  description: >-
+                    The hostname of the currently connected client.
+                  type: string
+                  default: ""
                 displayPasswordSerial:
                   description: >-
                     Counts changes of the display password. Set to -1
@@ -1473,6 +1478,12 @@ spec:
                     lastTransitionTime: "1970-01-01T00:00:00Z"
                     reason: Creation
                     message: "Creation of CR"
+                  - type: ConsoleConnected
+                    status: "False"
+                    observedGeneration: 1
+                    lastTransitionTime: "1970-01-01T00:00:00Z"
+                    reason: Creation
+                    message: "Creation of CR"
                   type: array
                   items:
                     type: object
diff --git a/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/StatusUpdater.java b/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/StatusUpdater.java
index 412681f..f6814b3 100644
--- a/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/StatusUpdater.java
+++ b/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/StatusUpdater.java
@@ -30,10 +30,13 @@ import java.math.BigDecimal;
 import java.nio.file.Files;
 import java.nio.file.Path;
 import java.time.Instant;
+import java.util.ArrayList;
+import java.util.List;
 import java.util.Map;
 import java.util.Optional;
 import java.util.Set;
 import java.util.logging.Level;
+import java.util.stream.Collectors;
 import static org.jdrupes.vmoperator.common.Constants.APP_NAME;
 import static org.jdrupes.vmoperator.common.Constants.VM_OP_GROUP;
 import static org.jdrupes.vmoperator.common.Constants.VM_OP_KIND_VM;
@@ -50,6 +53,8 @@ import org.jdrupes.vmoperator.runner.qemu.events.HotpluggableCpuStatus;
 import org.jdrupes.vmoperator.runner.qemu.events.RunnerStateChange;
 import org.jdrupes.vmoperator.runner.qemu.events.RunnerStateChange.RunState;
 import org.jdrupes.vmoperator.runner.qemu.events.ShutdownEvent;
+import org.jdrupes.vmoperator.runner.qemu.events.SpiceConnectedEvent;
+import org.jdrupes.vmoperator.runner.qemu.events.SpiceDisconnectedEvent;
 import org.jdrupes.vmoperator.util.GsonPtr;
 import org.jgrapes.core.Channel;
 import org.jgrapes.core.Component;
@@ -275,6 +280,7 @@ public class StatusUpdater extends Component {
 
     private void updateRunningCondition(RunnerStateChange event,
             K8sDynamicModel from, JsonObject cond) {
+        @SuppressWarnings("PMD.AvoidDuplicateLiterals")
         boolean reportedRunning
             = "True".equals(cond.get("status").getAsString());
         if (RUNNING_STATES.contains(event.runState())
@@ -363,4 +369,91 @@ public class StatusUpdater extends Component {
     public void onShutdown(ShutdownEvent event) throws ApiException {
         shutdownByGuest = event.byGuest();
     }
+
+    /**
+     * On spice connected.
+     *
+     * @param event the event
+     * @throws ApiException the api exception
+     */
+    @Handler
+    public void onSpiceConnected(SpiceConnectedEvent event)
+            throws ApiException {
+        if (vmStub == null) {
+            return;
+        }
+        vmStub.updateStatus(from -> {
+            JsonObject status = from.status();
+            status.addProperty("consoleClient", event.clientHost());
+            updateConsoleConnectedCondition(from, status, true);
+            return status;
+        });
+
+        // Log event
+        var evt = new EventsV1Event()
+            .reportingController(VM_OP_GROUP + "/" + APP_NAME)
+            .action("ConsoleConnectionUpdate")
+            .reason("Connection from " + event.clientHost());
+        K8s.createEvent(apiClient, vmStub.model().get(), evt);
+    }
+
+    /**
+     * On spice disconnected.
+     *
+     * @param event the event
+     * @throws ApiException the api exception
+     */
+    @Handler
+    public void onSpiceDisconnected(SpiceDisconnectedEvent event)
+            throws ApiException {
+        if (vmStub == null) {
+            return;
+        }
+        vmStub.updateStatus(from -> {
+            JsonObject status = from.status();
+            status.addProperty("consoleClient", "");
+            updateConsoleConnectedCondition(from, status, false);
+            return status;
+        });
+
+        // Log event
+        var evt = new EventsV1Event()
+            .reportingController(VM_OP_GROUP + "/" + APP_NAME)
+            .action("ConsoleConnectionUpdate")
+            .reason("Disconnected from " + event.clientHost());
+        K8s.createEvent(apiClient, vmStub.model().get(), evt);
+    }
+
+    private void updateConsoleConnectedCondition(VmDefinitionModel from,
+            JsonObject status, boolean connected) {
+        // Optimize, as we can get this several times
+        var current = status.getAsJsonArray("conditions").asList().stream()
+            .map(cond -> (JsonObject) cond)
+            .filter(cond -> "ConsoleConnected"
+                .equals(cond.get("type").getAsString()))
+            .findFirst()
+            .map(cond -> "True".equals(cond.get("status").getAsString()));
+        if (current.isPresent() && current.get() == connected) {
+            return;
+        }
+
+        // Do update
+        final var condition = Map.of("type", "ConsoleConnected",
+            "status", connected ? "True" : "False",
+            "observedGeneration", from.getMetadata().getGeneration(),
+            "reason", connected ? "Connected" : "Disconnected",
+            "lastTransitionTime", Instant.now().toString());
+        List<Object> toReplace = new ArrayList<>(List.of(condition));
+        List<Object> newConds
+            = status.getAsJsonArray("conditions").asList().stream()
+                .map(cond -> (JsonObject) cond)
+                .map(cond -> "ConsoleConnected"
+                    .equals(cond.get("type").getAsString())
+                        ? toReplace.remove(0)
+                        : cond)
+                .collect(Collectors.toCollection(() -> new ArrayList<>()));
+        newConds.addAll(toReplace);
+        status.add("conditions",
+            apiClient.getJSON().getGson().toJsonTree(newConds));
+    }
 }
diff --git a/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/events/MonitorEvent.java b/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/events/MonitorEvent.java
index ba04a26..2cc0f33 100644
--- a/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/events/MonitorEvent.java
+++ b/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/events/MonitorEvent.java
@@ -34,7 +34,8 @@ public class MonitorEvent extends Event<Void> {
      * The kind of monitor event.
      */
     public enum Kind {
-        READY, POWERDOWN, DEVICE_TRAY_MOVED, BALLOON_CHANGE, SHUTDOWN
+        READY, POWERDOWN, DEVICE_TRAY_MOVED, BALLOON_CHANGE, SHUTDOWN,
+        SPICE_CONNECTED, SPICE_DISCONNECTED
     }
 
     private final Kind kind;
@@ -49,8 +50,7 @@ public class MonitorEvent extends Event<Void> {
     @SuppressWarnings("PMD.TooFewBranchesForASwitchStatement")
     public static Optional<MonitorEvent> from(JsonNode response) {
         try {
-            var kind = MonitorEvent.Kind
-                .valueOf(response.get("event").asText());
+            var kind = Kind.valueOf(response.get("event").asText());
             switch (kind) {
             case POWERDOWN:
                 return Optional.of(new PowerdownEvent(kind, null));
@@ -63,6 +63,14 @@ public class MonitorEvent extends Event<Void> {
             case SHUTDOWN:
                 return Optional
                     .of(new ShutdownEvent(kind, response.get(EVENT_DATA)));
+            case SPICE_CONNECTED:
+                return Optional
+                    .of(new SpiceConnectedEvent(kind,
+                        response.get(EVENT_DATA)));
+            case SPICE_DISCONNECTED:
+                return Optional
+                    .of(new SpiceDisconnectedEvent(kind,
+                        response.get(EVENT_DATA)));
             default:
                 return Optional
                     .of(new MonitorEvent(kind, response.get(EVENT_DATA)));
diff --git a/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/events/SpiceConnectedEvent.java b/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/events/SpiceConnectedEvent.java
new file mode 100644
index 0000000..c133307
--- /dev/null
+++ b/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/events/SpiceConnectedEvent.java
@@ -0,0 +1,37 @@
+/*
+ * VM-Operator
+ * Copyright (C) 2023 Michael N. Lipp
+ * 
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as
+ * published by the Free Software Foundation, either version 3 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program.  If not, see <https://www.gnu.org/licenses/>.
+ */
+
+package org.jdrupes.vmoperator.runner.qemu.events;
+
+import com.fasterxml.jackson.databind.JsonNode;
+
+/**
+ * Signals a connection from a client.
+ */
+public class SpiceConnectedEvent extends SpiceEvent {
+
+    /**
+     * Instantiates a new spice connected event.
+     *
+     * @param kind the kind
+     * @param data the data
+     */
+    public SpiceConnectedEvent(Kind kind, JsonNode data) {
+        super(kind, data);
+    }
+}
diff --git a/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/events/SpiceDisconnectedEvent.java b/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/events/SpiceDisconnectedEvent.java
new file mode 100644
index 0000000..cfcb489
--- /dev/null
+++ b/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/events/SpiceDisconnectedEvent.java
@@ -0,0 +1,37 @@
+/*
+ * VM-Operator
+ * Copyright (C) 2023 Michael N. Lipp
+ * 
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as
+ * published by the Free Software Foundation, either version 3 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program.  If not, see <https://www.gnu.org/licenses/>.
+ */
+
+package org.jdrupes.vmoperator.runner.qemu.events;
+
+import com.fasterxml.jackson.databind.JsonNode;
+
+/**
+ * Signals a connection from a client.
+ */
+public class SpiceDisconnectedEvent extends SpiceEvent {
+
+    /**
+     * Instantiates a new spice disconnected event.
+     *
+     * @param kind the kind
+     * @param data the data
+     */
+    public SpiceDisconnectedEvent(Kind kind, JsonNode data) {
+        super(kind, data);
+    }
+}
diff --git a/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/events/SpiceEvent.java b/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/events/SpiceEvent.java
new file mode 100644
index 0000000..6706f0c
--- /dev/null
+++ b/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/events/SpiceEvent.java
@@ -0,0 +1,46 @@
+/*
+ * VM-Operator
+ * Copyright (C) 2023 Michael N. Lipp
+ * 
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as
+ * published by the Free Software Foundation, either version 3 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program.  If not, see <https://www.gnu.org/licenses/>.
+ */
+
+package org.jdrupes.vmoperator.runner.qemu.events;
+
+import com.fasterxml.jackson.databind.JsonNode;
+
+/**
+ * Signals a connection from a client.
+ */
+public class SpiceEvent extends MonitorEvent {
+
+    /**
+     * Instantiates a new tray moved.
+     *
+     * @param kind the kind
+     * @param data the data
+     */
+    public SpiceEvent(Kind kind, JsonNode data) {
+        super(kind, data);
+    }
+
+    /**
+     * Returns the client's host.
+     *
+     * @return the client's host address
+     */
+    public String clientHost() {
+        return data().get("client").get("host").asText();
+    }
+}
diff --git a/org.jdrupes.vmoperator.vmconlet/resources/org/jdrupes/vmoperator/vmconlet/l10n.properties b/org.jdrupes.vmoperator.vmconlet/resources/org/jdrupes/vmoperator/vmconlet/l10n.properties
index 880369b..41bf670 100644
--- a/org.jdrupes.vmoperator.vmconlet/resources/org/jdrupes/vmoperator/vmconlet/l10n.properties
+++ b/org.jdrupes.vmoperator.vmconlet/resources/org/jdrupes/vmoperator/vmconlet/l10n.properties
@@ -11,5 +11,6 @@ nodeName = Node
 requestedCpus = Requested CPUs
 requestedRam = Requested RAM
 running = Running
+usedBy = Used by
 vmActions = Actions
 vmname = Name
diff --git a/org.jdrupes.vmoperator.vmconlet/resources/org/jdrupes/vmoperator/vmconlet/l10n_de.properties b/org.jdrupes.vmoperator.vmconlet/resources/org/jdrupes/vmoperator/vmconlet/l10n_de.properties
index 7e1d95e..819db03 100644
--- a/org.jdrupes.vmoperator.vmconlet/resources/org/jdrupes/vmoperator/vmconlet/l10n_de.properties
+++ b/org.jdrupes.vmoperator.vmconlet/resources/org/jdrupes/vmoperator/vmconlet/l10n_de.properties
@@ -15,6 +15,7 @@ maximumRam = Maximales RAM
 nodeName = Knoten
 requestedCpus = Angeforderte CPUs
 requestedRam = Angefordertes RAM
+usedBy = Benutzt von
 vmActions = Aktionen
 vmname = Name
 Value\ is\ above\ maximum = Wert ist zu groß
diff --git a/org.jdrupes.vmoperator.vmconlet/src/org/jdrupes/vmoperator/vmconlet/browser/VmConlet-functions.ts b/org.jdrupes.vmoperator.vmconlet/src/org/jdrupes/vmoperator/vmconlet/browser/VmConlet-functions.ts
index 44d6471..8daf3a9 100644
--- a/org.jdrupes.vmoperator.vmconlet/src/org/jdrupes/vmoperator/vmconlet/browser/VmConlet-functions.ts
+++ b/org.jdrupes.vmoperator.vmconlet/src/org/jdrupes/vmoperator/vmconlet/browser/VmConlet-functions.ts
@@ -111,7 +111,8 @@ window.orgJDrupesVmOperatorVmConlet.initView = (viewDom: HTMLElement,
                 ["runningConditionSince", "since"],
                 ["currentCpus", "currentCpus"],
                 ["currentRam", "currentRam"],
-                ["nodeName", "nodeName"]
+                ["nodeName", "nodeName"],
+                ["usedBy", "usedBy"]
             ], {
                 sortKey: "name",
                 sortOrder: "up"
@@ -179,6 +180,7 @@ JGConsole.registerConletFunction("org.jdrupes.vmoperator.vmconlet.VmConlet",
         vmDefinition.name = vmDefinition.metadata.name;
         vmDefinition.currentCpus = vmDefinition.status.cpus;
         vmDefinition.currentRam = Number(vmDefinition.status.ram);
+        vmDefinition.usedBy = vmDefinition.status.consoleClient || "";
         for (const condition of vmDefinition.status.conditions) {
             if (condition.type === "Running") {
                 vmDefinition.running = condition.status === "True";
diff --git a/org.jdrupes.vmoperator.vmviewer/resources/org/jdrupes/vmoperator/vmviewer/computer-in-use.svg b/org.jdrupes.vmoperator.vmviewer/resources/org/jdrupes/vmoperator/vmviewer/computer-in-use.svg
new file mode 100644
index 0000000..90339c1
--- /dev/null
+++ b/org.jdrupes.vmoperator.vmviewer/resources/org/jdrupes/vmoperator/vmviewer/computer-in-use.svg
@@ -0,0 +1,86 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!-- Uploaded to: SVG Repo, www.svgrepo.com, Generator: SVG Repo Mixer Tools -->
+
+<svg
+   fill="#000000"
+   width="800"
+   height="533.33331"
+   viewBox="0 0 24 15.999999"
+   version="1.1"
+   id="svg1"
+   sodipodi:docname="computer-in-use.svg"
+   inkscape:version="1.4 (e7c3feb100, 2024-10-09)"
+   xmlns:inkscape="http://www.inkscape.org/namespaces/inkscape"
+   xmlns:sodipodi="http://sodipodi.sourceforge.net/DTD/sodipodi-0.dtd"
+   xmlns="http://www.w3.org/2000/svg"
+   xmlns:svg="http://www.w3.org/2000/svg">
+  <defs
+     id="defs1">
+    <inkscape:path-effect
+       effect="fillet_chamfer"
+       id="path-effect4"
+       is_visible="true"
+       lpeversion="1"
+       nodesatellites_param="F,0,0,1,0,0,0,1 @ F,0,0,1,0,0,0,1 @ F,0,0,1,0,0,0,1 @ F,0,0,1,0,0,0,1"
+       radius="0"
+       unit="px"
+       method="auto"
+       mode="F"
+       chamfer_steps="1"
+       flexible="false"
+       use_knot_distance="true"
+       apply_no_radius="true"
+       apply_with_radius="true"
+       only_selected="false"
+       hide_knots="false" />
+    <linearGradient
+       id="swatch3"
+       inkscape:swatch="solid">
+      <stop
+         style="stop-color:#000000;stop-opacity:0;"
+         offset="0"
+         id="stop3" />
+    </linearGradient>
+  </defs>
+  <sodipodi:namedview
+     id="namedview1"
+     pagecolor="#ffffff"
+     bordercolor="#666666"
+     borderopacity="1.0"
+     inkscape:showpageshadow="2"
+     inkscape:pageopacity="0.0"
+     inkscape:pagecheckerboard="0"
+     inkscape:deskcolor="#d1d1d1"
+     inkscape:zoom="1.28"
+     inkscape:cx="326.5625"
+     inkscape:cy="548.04688"
+     inkscape:window-width="1920"
+     inkscape:window-height="1008"
+     inkscape:window-x="0"
+     inkscape:window-y="35"
+     inkscape:window-maximized="1"
+     inkscape:current-layer="svg1" />
+  <path
+     id="rect1"
+     style="fill-opacity:0;stroke:#000000;stroke-width:1.97262;stroke-linecap:square;stroke-linejoin:round;stroke-miterlimit:0;paint-order:fill markers stroke"
+     d="M 3.0038192,0.98808897 H 20.99618 V 13.006705 H 3.0038192 Z" />
+  <rect
+     style="opacity:1;fill:#000000;fill-opacity:1;fill-rule:nonzero;stroke:none;stroke-width:0.00306926;stroke-linecap:square;stroke-linejoin:round;stroke-miterlimit:0;stroke-dasharray:none;stroke-opacity:1;paint-order:fill markers stroke"
+     id="rect2"
+     width="23.995173"
+     height="2.0017407"
+     x="0.0039473679"
+     y="13.998839" />
+  <path
+     id="rect3"
+     style="fill:#ffffff;fill-opacity:1;stroke:#000000;stroke-width:1.05373;stroke-linecap:round;stroke-linejoin:round;stroke-miterlimit:0;stroke-dasharray:none;stroke-opacity:1;paint-order:fill markers stroke"
+     d="m 5.6839082,10.94394 c 0.2963594,-0.907428 2.9522319,-1.683971 2.767387,-1.6392261 0,0 1.5028596,1.6181771 3.6459428,1.6129171 2.018383,-0.005 3.362681,-1.6125503 3.362681,-1.6125503 -0.171441,-0.061235 2.778887,0.7741493 2.977303,1.6787203 0.393054,1.791919 0.25928,4.524228 0.25928,4.524228 L 5.3146272,15.391866 c 0,0 -0.181061,-2.762825 0.369281,-4.447926 z"
+     sodipodi:nodetypes="sssssccs" />
+  <ellipse
+     style="fill:none;stroke:#000000;stroke-width:1.02152;stroke-linecap:round;stroke-linejoin:round;stroke-miterlimit:0;stroke-dasharray:none;stroke-opacity:1;paint-order:fill markers stroke"
+     id="path3"
+     cx="11.964992"
+     cy="6.3769712"
+     rx="3.2413731"
+     ry="3.225764" />
+</svg>
diff --git a/org.jdrupes.vmoperator.vmviewer/src/org/jdrupes/vmoperator/vmviewer/browser/VmViewer-functions.ts b/org.jdrupes.vmoperator.vmviewer/src/org/jdrupes/vmoperator/vmviewer/browser/VmViewer-functions.ts
index a14e83c..42c7d10 100644
--- a/org.jdrupes.vmoperator.vmviewer/src/org/jdrupes/vmoperator/vmviewer/browser/VmViewer-functions.ts
+++ b/org.jdrupes.vmoperator.vmviewer/src/org/jdrupes/vmoperator/vmviewer/browser/VmViewer-functions.ts
@@ -72,6 +72,7 @@ window.orgJDrupesVmOperatorVmViewer.initPreview = (previewDom: HTMLElement,
                 previewApi.vmDefinition.spec.vm.state !== 'Stopped' 
                 && previewApi.vmDefinition.running);
             const running = computed(() => previewApi.vmDefinition.running);
+            const inUse = computed(() => previewApi.vmDefinition.usedBy != '');
             const permissions = computed(() => previewApi.vmDefinition.spec
                 ? previewApi.vmDefinition.userPermissions : []);
 
@@ -88,7 +89,7 @@ window.orgJDrupesVmOperatorVmViewer.initPreview = (previewDom: HTMLElement,
             };
         
             return { localize, resourceBase, vmAction, configured,
-                        startable, stoppable, running, permissions };
+                        startable, stoppable, running, inUse, permissions };
         },
         template: `
           <table>
@@ -101,7 +102,8 @@ window.orgJDrupesVmOperatorVmViewer.initPreview = (previewDom: HTMLElement,
                       || !permissions.includes('accessConsole')" 
                   v-on:click="vmAction('openConsole')"
                   :src="resourceBase + (running
-                      ? 'computer.svg' : 'computer-off.svg')"
+                      ? (inUse ? 'computer-in-use.svg' : 'computer.svg') 
+                      : 'computer-off.svg')"
                   :title="localize('Open console')"></span><span
                   style="visibility: hidden;"><img
                   :src="resourceBase + 'computer.svg'"></span></td>
@@ -159,6 +161,7 @@ JGConsole.registerConletFunction("org.jdrupes.vmoperator.vmviewer.VmViewer",
         vmDefinition.name = vmDefinition.metadata.name;
         vmDefinition.currentCpus = vmDefinition.status.cpus;
         vmDefinition.currentRam = Number(vmDefinition.status.ram);
+        vmDefinition.usedBy = vmDefinition.status.consoleClient || "";
         for (const condition of vmDefinition.status.conditions) {
             if (condition.type === "Running") {
                 vmDefinition.running = condition.status === "True";

From 12d6745d759581dd4aee82f0aeabb27e7cfe92dd Mon Sep 17 00:00:00 2001
From: Michael Lipp <mnl@mnl.de>
Date: Tue, 12 Nov 2024 19:29:46 +0000
Subject: [PATCH 019/274] Add some logging messages and enhance logging
 configurability.

---
 deploy/crds/vms-crd.yaml                      |  5 ++++
 dev-example/config.yaml                       | 12 +++++++++
 .../manager/ConfigMapReconciler.java          | 27 +++++++++++++++----
 .../vmoperator/manager/Reconciler.java        |  5 ++++
 .../runner/qemu/CommandDefinition.java        |  5 ++++
 .../vmoperator/runner/qemu/Runner.java        | 18 +++++++++++++
 6 files changed, 67 insertions(+), 5 deletions(-)

diff --git a/deploy/crds/vms-crd.yaml b/deploy/crds/vms-crd.yaml
index 492deae..f1bbaf2 100644
--- a/deploy/crds/vms-crd.yaml
+++ b/deploy/crds/vms-crd.yaml
@@ -1019,6 +1019,11 @@ spec:
                           - accessConsole
                           - "*"
                         default: []
+                loggingProperties:
+                  type: string
+                  description: >-
+                    Override the default logging properties for 
+                    the runner for this VM.
                 vm:
                   type: object
                   description: Defines the VM.
diff --git a/dev-example/config.yaml b/dev-example/config.yaml
index 3f973e4..af1f3b8 100644
--- a/dev-example/config.yaml
+++ b/dev-example/config.yaml
@@ -17,6 +17,18 @@
           metallb.universe.tf/loadBalancerIPs: 192.168.168.1
           metallb.universe.tf/ip-allocated-from-pool: single-common
           metallb.universe.tf/allow-shared-ip: single-common
+      loggingProperties: |
+        # Defaults for namespace (VM domain)
+        handlers=java.util.logging.ConsoleHandler
+        
+        #org.jgrapes.level=FINE
+        #org.jgrapes.core.handlerTracking.level=FINER
+        
+        org.jdrupes.vmoperator.runner.qemu.level=FINEST
+        
+        java.util.logging.ConsoleHandler.level=ALL
+        java.util.logging.ConsoleHandler.formatter=java.util.logging.SimpleFormatter
+        java.util.logging.SimpleFormatter.format=%1$tb %1$td %1$tT %4$s %5$s%6$s%n
   "/GuiSocketServer":
     port: 8888
   "/GuiHttpServer":
diff --git a/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/ConfigMapReconciler.java b/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/ConfigMapReconciler.java
index 129a54d..68ca7fa 100644
--- a/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/ConfigMapReconciler.java
+++ b/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/ConfigMapReconciler.java
@@ -18,6 +18,7 @@
 
 package org.jdrupes.vmoperator.manager;
 
+import com.google.gson.JsonObject;
 import freemarker.template.Configuration;
 import freemarker.template.TemplateException;
 import io.kubernetes.client.custom.V1Patch;
@@ -36,6 +37,8 @@ import org.jdrupes.vmoperator.common.K8s;
 import static org.jdrupes.vmoperator.manager.Constants.APP_NAME;
 import static org.jdrupes.vmoperator.manager.Constants.VM_OP_NAME;
 import org.jdrupes.vmoperator.manager.events.VmChannel;
+import org.jdrupes.vmoperator.util.DataPath;
+import org.jdrupes.vmoperator.util.GsonPtr;
 import org.yaml.snakeyaml.LoaderOptions;
 import org.yaml.snakeyaml.Yaml;
 import org.yaml.snakeyaml.constructor.SafeConstructor;
@@ -71,10 +74,6 @@ import org.yaml.snakeyaml.constructor.SafeConstructor;
     public Map<String, Object> reconcile(Map<String, Object> model,
             VmChannel channel)
             throws IOException, TemplateException, ApiException {
-        // Get API
-        DynamicKubernetesApi cmApi = new DynamicKubernetesApi("", "v1",
-            "configmaps", channel.client());
-
         // Combine template and data and parse result
         var fmTemplate = fmConfig.getTemplate("runnerConfig.ftl.yaml");
         StringWriter out = new StringWriter();
@@ -84,8 +83,26 @@ import org.yaml.snakeyaml.constructor.SafeConstructor;
         var mapDef = Dynamics.newFromYaml(
             new Yaml(new SafeConstructor(new LoaderOptions())), out.toString());
 
+        // Maybe override logging.properties from reconciler configuration.
+        DataPath.<String> get(model, "reconciler", "loggingProperties")
+            .ifPresent(props -> {
+                GsonPtr.to(mapDef.getRaw()).get(JsonObject.class, "data")
+                    .get().addProperty("logging.properties", props);
+            });
+
+        // Maybe override logging.properties from VM definition.
+        DataPath.<String> get(model, "cr", "spec", "loggingProperties")
+            .ifPresent(props -> {
+                GsonPtr.to(mapDef.getRaw()).get(JsonObject.class, "data")
+                    .get().addProperty("logging.properties", props);
+            });
+
+        // Get API
+        DynamicKubernetesApi cmApi = new DynamicKubernetesApi("", "v1",
+            "configmaps", channel.client());
+
         // Apply and maybe force pod update
-        var newState = K8s.apply(cmApi, mapDef, out.toString());
+        var newState = K8s.apply(cmApi, mapDef, mapDef.getRaw().toString());
         maybeForceUpdate(channel.client(), newState);
         @SuppressWarnings("unchecked")
         var res = (Map<String, Object>) channel.client().getJSON().getGson()
diff --git a/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/Reconciler.java b/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/Reconciler.java
index 32753ac..3fa2ffe 100644
--- a/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/Reconciler.java
+++ b/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/Reconciler.java
@@ -132,6 +132,11 @@ import org.jgrapes.util.events.ConfigurationUpdate;
  *   ```
  *   This makes all VM consoles available at IP address 192.168.168.1
  *   with the port numbers from the VM definitions.
+ *   
+ * * `loggingProperties`: If defined, specifies the default logging
+ *   properties to be used by the runners managed by the controller.
+ *   This property is a string that holds the content of
+ *   a logging.properties file.
  */
 @SuppressWarnings({ "PMD.DataflowAnomalyAnalysis",
     "PMD.AvoidDuplicateLiterals" })
diff --git a/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/CommandDefinition.java b/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/CommandDefinition.java
index 9057606..7aec209 100644
--- a/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/CommandDefinition.java
+++ b/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/CommandDefinition.java
@@ -69,4 +69,9 @@ class CommandDefinition {
     public String name() {
         return name;
     }
+
+    @Override
+    public String toString() {
+        return "Command " + name + ": " + command;
+    }
 }
\ No newline at end of file
diff --git a/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/Runner.java b/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/Runner.java
index 0b6e22e..fedaf1e 100644
--- a/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/Runner.java
+++ b/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/Runner.java
@@ -48,6 +48,8 @@ import java.util.Set;
 import java.util.logging.Level;
 import java.util.logging.LogManager;
 import java.util.logging.Logger;
+import java.util.stream.Collectors;
+import java.util.stream.StreamSupport;
 import org.apache.commons.cli.CommandLine;
 import org.apache.commons.cli.CommandLineParser;
 import org.apache.commons.cli.DefaultParser;
@@ -318,6 +320,7 @@ public class Runner extends Component {
         });
     }
 
+    @SuppressWarnings("PMD.LambdaCanBeMethodReference")
     private void processInitialConfiguration(Configuration newConfig) {
         try {
             config = newConfig;
@@ -333,12 +336,15 @@ public class Runner extends Component {
             var tplData = dataFromTemplate();
             swtpmDefinition = Optional.ofNullable(tplData.get(SWTPM))
                 .map(d -> new CommandDefinition(SWTPM, d)).orElse(null);
+            logger.finest(() -> swtpmDefinition.toString());
             qemuDefinition = Optional.ofNullable(tplData.get(QEMU))
                 .map(d -> new CommandDefinition(QEMU, d)).orElse(null);
+            logger.finest(() -> qemuDefinition.toString());
             cloudInitImgDefinition
                 = Optional.ofNullable(tplData.get(CLOUD_INIT_IMG))
                     .map(d -> new CommandDefinition(CLOUD_INIT_IMG, d))
                     .orElse(null);
+            logger.finest(() -> cloudInitImgDefinition.toString());
 
             // Forward some values to child components
             qemuMonitor.configure(config.monitorSocket,
@@ -364,6 +370,12 @@ public class Runner extends Component {
                 break;
             }
         }
+        if (codePaths.iterator().hasNext() && config.firmwareRom == null) {
+            throw new IllegalArgumentException("No ROM found, candidates were: "
+                + StreamSupport.stream(codePaths.spliterator(), false)
+                    .map(JsonNode::asText).collect(Collectors.joining(", ")));
+        }
+
         // Get file for firmware vars, if necessary
         config.firmwareVars = config.dataDir.resolve(FW_VARS);
         if (!Files.exists(config.firmwareVars)) {
@@ -405,12 +417,14 @@ public class Runner extends Component {
         model.put("hasDisplayPassword", config.hasDisplayPassword);
         model.put("cloudInit", config.cloudInit);
         model.put("vm", config.vm);
+        logger.finest(() -> "Processing template with model: " + model);
 
         // Combine template and data and parse result
         // (tempting, but no need to use a pipe here)
         var fmTemplate = fmConfig.getTemplate(templatePath.toString());
         StringWriter out = new StringWriter();
         fmTemplate.process(model, out);
+        logger.finest(() -> "Result of processing template: " + out);
         return yamlMapper.readValue(out.toString(), JsonNode.class);
     }
 
@@ -746,6 +760,10 @@ public class Runner extends Component {
                 props = Runner.class.getResourceAsStream("logging.properties");
             }
             LogManager.getLogManager().readConfiguration(props);
+            Logger.getLogger(Runner.class.getName()).log(Level.CONFIG,
+                () -> path.isPresent()
+                    ? "Using logging configuration from " + path.get()
+                    : "Using default logging configuration");
         } catch (IOException e) {
             e.printStackTrace();
         }

From 40cbeb694bfd37aaa446b3d3ef80c8c56d4de1b3 Mon Sep 17 00:00:00 2001
From: "Michael N. Lipp" <mnl@mnl.de>
Date: Tue, 12 Nov 2024 22:04:15 +0100
Subject: [PATCH 020/274] Avoid NPE.

---
 .../src/org/jdrupes/vmoperator/runner/qemu/Runner.java       | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/Runner.java b/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/Runner.java
index fedaf1e..52db0ce 100644
--- a/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/Runner.java
+++ b/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/Runner.java
@@ -204,7 +204,7 @@ public class Runner extends Component {
     private static final String FW_VARS = "fw-vars.fd";
     private static int exitStatus;
 
-    private EventPipeline rep;
+    private final EventPipeline rep = newEventPipeline();
     private final ObjectMapper yamlMapper = new ObjectMapper(YAMLFactory
         .builder().disable(YAMLGenerator.Feature.WRITE_DOC_START_MARKER)
         .build());
@@ -446,8 +446,7 @@ public class Runner extends Component {
         // https://github.com/kubernetes-client/java/issues/100
         io.kubernetes.client.openapi.Configuration.setDefaultApiClient(null);
 
-        // Prepare specific event pipeline to avoid concurrency.
-        rep = newEventPipeline();
+        // Provide specific event pipeline to avoid concurrency.
         event.setAssociated(EventPipeline.class, rep);
         try {
             // Store process id

From 228322748b494c9a3c9b1f1db755f9f4de7fe9c7 Mon Sep 17 00:00:00 2001
From: "Michael N. Lipp" <mnl@mnl.de>
Date: Tue, 12 Nov 2024 22:41:54 +0100
Subject: [PATCH 021/274] Use 4m bios if smaller version is not available.

---
 .../resources/org/jdrupes/vmoperator/runner/qemu/defaults.yaml | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/org.jdrupes.vmoperator.runner.qemu/resources/org/jdrupes/vmoperator/runner/qemu/defaults.yaml b/org.jdrupes.vmoperator.runner.qemu/resources/org/jdrupes/vmoperator/runner/qemu/defaults.yaml
index 9aadbf6..32fdf55 100644
--- a/org.jdrupes.vmoperator.runner.qemu/resources/org/jdrupes/vmoperator/runner/qemu/defaults.yaml
+++ b/org.jdrupes.vmoperator.runner.qemu/resources/org/jdrupes/vmoperator/runner/qemu/defaults.yaml
@@ -8,6 +8,9 @@
       - "/usr/share/edk2/ovmf/OVMF_CODE.fd"
       - "/usr/share/edk2/x64/OVMF_CODE.fd"
       - "/usr/share/OVMF/OVMF_CODE.fd"
+      # Use 4M version as fallback (if smaller version not available)
+      - "/usr/share/edk2/ovmf-4m/OVMF_CODE.fd"
+      - "/usr/share/edk2/x64/OVMF_CODE.4m.fd"
     "vars":
       - "/usr/share/edk2/ovmf/OVMF_VARS.fd"
       - "/usr/share/edk2/x64/OVMF_VARS.fd"

From 97732073078bec55dcb2f3490a4cd4c1b34cb101 Mon Sep 17 00:00:00 2001
From: "Michael N. Lipp" <mnl@mnl.de>
Date: Wed, 13 Nov 2024 11:14:53 +0100
Subject: [PATCH 022/274] Better name.

---
 .../resources/org/jdrupes/vmoperator/vmconlet/l10n.properties | 2 +-
 .../org/jdrupes/vmoperator/vmconlet/l10n_de.properties        | 2 +-
 .../jdrupes/vmoperator/vmconlet/browser/VmConlet-functions.ts | 4 ++--
 3 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/org.jdrupes.vmoperator.vmconlet/resources/org/jdrupes/vmoperator/vmconlet/l10n.properties b/org.jdrupes.vmoperator.vmconlet/resources/org/jdrupes/vmoperator/vmconlet/l10n.properties
index 41bf670..f4165c4 100644
--- a/org.jdrupes.vmoperator.vmconlet/resources/org/jdrupes/vmoperator/vmconlet/l10n.properties
+++ b/org.jdrupes.vmoperator.vmconlet/resources/org/jdrupes/vmoperator/vmconlet/l10n.properties
@@ -11,6 +11,6 @@ nodeName = Node
 requestedCpus = Requested CPUs
 requestedRam = Requested RAM
 running = Running
-usedBy = Used by
+usedFrom = Used from
 vmActions = Actions
 vmname = Name
diff --git a/org.jdrupes.vmoperator.vmconlet/resources/org/jdrupes/vmoperator/vmconlet/l10n_de.properties b/org.jdrupes.vmoperator.vmconlet/resources/org/jdrupes/vmoperator/vmconlet/l10n_de.properties
index 819db03..29239ed 100644
--- a/org.jdrupes.vmoperator.vmconlet/resources/org/jdrupes/vmoperator/vmconlet/l10n_de.properties
+++ b/org.jdrupes.vmoperator.vmconlet/resources/org/jdrupes/vmoperator/vmconlet/l10n_de.properties
@@ -15,7 +15,7 @@ maximumRam = Maximales RAM
 nodeName = Knoten
 requestedCpus = Angeforderte CPUs
 requestedRam = Angefordertes RAM
-usedBy = Benutzt von
+usedFrom = Benutzt von
 vmActions = Aktionen
 vmname = Name
 Value\ is\ above\ maximum = Wert ist zu groß
diff --git a/org.jdrupes.vmoperator.vmconlet/src/org/jdrupes/vmoperator/vmconlet/browser/VmConlet-functions.ts b/org.jdrupes.vmoperator.vmconlet/src/org/jdrupes/vmoperator/vmconlet/browser/VmConlet-functions.ts
index 8daf3a9..b171569 100644
--- a/org.jdrupes.vmoperator.vmconlet/src/org/jdrupes/vmoperator/vmconlet/browser/VmConlet-functions.ts
+++ b/org.jdrupes.vmoperator.vmconlet/src/org/jdrupes/vmoperator/vmconlet/browser/VmConlet-functions.ts
@@ -112,7 +112,7 @@ window.orgJDrupesVmOperatorVmConlet.initView = (viewDom: HTMLElement,
                 ["currentCpus", "currentCpus"],
                 ["currentRam", "currentRam"],
                 ["nodeName", "nodeName"],
-                ["usedBy", "usedBy"]
+                ["usedFrom", "usedFrom"]
             ], {
                 sortKey: "name",
                 sortOrder: "up"
@@ -180,7 +180,7 @@ JGConsole.registerConletFunction("org.jdrupes.vmoperator.vmconlet.VmConlet",
         vmDefinition.name = vmDefinition.metadata.name;
         vmDefinition.currentCpus = vmDefinition.status.cpus;
         vmDefinition.currentRam = Number(vmDefinition.status.ram);
-        vmDefinition.usedBy = vmDefinition.status.consoleClient || "";
+        vmDefinition.usedFrom = vmDefinition.status.consoleClient || "";
         for (const condition of vmDefinition.status.conditions) {
             if (condition.type === "Running") {
                 vmDefinition.running = condition.status === "True";

From 4d447717c2a40a9e933bf95ab60921fa72e88366 Mon Sep 17 00:00:00 2001
From: "Michael N. Lipp" <mnl@mnl.de>
Date: Wed, 13 Nov 2024 23:45:54 +0100
Subject: [PATCH 023/274] Improve tracking.

---
 .../runner/qemu/ConsoleTracker.java           | 159 +++++++++++++++
 .../vmoperator/runner/qemu/StatusUpdater.java | 183 ++----------------
 .../vmoperator/runner/qemu/VmDefUpdater.java  | 141 ++++++++++++++
 .../runner/qemu/events/MonitorEvent.java      |  15 +-
 .../runner/qemu/events/SpiceEvent.java        |   9 +
 .../qemu/events/SpiceInitializedEvent.java    |  46 +++++
 6 files changed, 375 insertions(+), 178 deletions(-)
 create mode 100644 org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/ConsoleTracker.java
 create mode 100644 org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/VmDefUpdater.java
 create mode 100644 org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/events/SpiceInitializedEvent.java

diff --git a/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/ConsoleTracker.java b/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/ConsoleTracker.java
new file mode 100644
index 0000000..7d54235
--- /dev/null
+++ b/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/ConsoleTracker.java
@@ -0,0 +1,159 @@
+/*
+ * VM-Operator
+ * Copyright (C) 2024 Michael N. Lipp
+ * 
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as
+ * published by the Free Software Foundation, either version 3 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program.  If not, see <https://www.gnu.org/licenses/>.
+ */
+
+package org.jdrupes.vmoperator.runner.qemu;
+
+import com.google.gson.JsonObject;
+import io.kubernetes.client.apimachinery.GroupVersionKind;
+import io.kubernetes.client.openapi.ApiException;
+import io.kubernetes.client.openapi.models.EventsV1Event;
+import java.io.IOException;
+import java.util.logging.Level;
+import static org.jdrupes.vmoperator.common.Constants.APP_NAME;
+import static org.jdrupes.vmoperator.common.Constants.VM_OP_GROUP;
+import static org.jdrupes.vmoperator.common.Constants.VM_OP_KIND_VM;
+import org.jdrupes.vmoperator.common.K8s;
+import org.jdrupes.vmoperator.common.K8sClient;
+import org.jdrupes.vmoperator.common.VmDefinitionStub;
+import org.jdrupes.vmoperator.runner.qemu.events.Exit;
+import org.jdrupes.vmoperator.runner.qemu.events.SpiceDisconnectedEvent;
+import org.jdrupes.vmoperator.runner.qemu.events.SpiceInitializedEvent;
+import org.jgrapes.core.Channel;
+import org.jgrapes.core.annotation.Handler;
+import org.jgrapes.core.events.Start;
+
+/**
+ * A (sub)component that updates the console status in the CR status.
+ * Created as child of {@link StatusUpdater}.
+ */
+@SuppressWarnings("PMD.DataflowAnomalyAnalysis")
+public class ConsoleTracker extends VmDefUpdater {
+
+    private final K8sClient apiClient;
+    private VmDefinitionStub vmStub;
+    private String mainChannelClientHost;
+    private long mainChannelClientPort;
+
+    /**
+     * Instantiates a new status updater.
+     *
+     * @param componentChannel the component channel
+     */
+    @SuppressWarnings("PMD.ConstructorCallsOverridableMethod")
+    public ConsoleTracker(Channel componentChannel) {
+        super(componentChannel);
+        apiClient = (K8sClient) io.kubernetes.client.openapi.Configuration
+            .getDefaultApiClient();
+    }
+
+    /**
+     * Handle the start event.
+     *
+     * @param event the event
+     * @throws IOException 
+     * @throws ApiException 
+     */
+    @Handler
+    public void onStart(Start event) {
+        if (namespace == null) {
+            return;
+        }
+        try {
+            vmStub = VmDefinitionStub.get(apiClient,
+                new GroupVersionKind(VM_OP_GROUP, "", VM_OP_KIND_VM),
+                namespace, vmName);
+        } catch (ApiException e) {
+            logger.log(Level.SEVERE, e,
+                () -> "Cannot access VM object, terminating.");
+            event.cancel(true);
+            fire(new Exit(1));
+        }
+    }
+
+    /**
+     * On spice connected.
+     *
+     * @param event the event
+     * @throws ApiException the api exception
+     */
+    @Handler
+    @SuppressWarnings({ "PMD.AvoidLiteralsInIfCondition",
+        "PMD.AvoidDuplicateLiterals" })
+    public void onSpiceInitialized(SpiceInitializedEvent event)
+            throws ApiException {
+        if (vmStub == null) {
+            return;
+        }
+
+        // Only process connections using main channel.
+        if (event.channelType() != 1) {
+            return;
+        }
+        mainChannelClientHost = event.clientHost();
+        mainChannelClientPort = event.clientPort();
+        vmStub.updateStatus(from -> {
+            JsonObject status = from.status();
+            status.addProperty("consoleClient", event.clientHost());
+            updateCondition(apiClient, from, status, "ConsoleConnected",
+                true, "Connection from " + event.clientHost(), null);
+            return status;
+        });
+
+        // Log event
+        var evt = new EventsV1Event()
+            .reportingController(VM_OP_GROUP + "/" + APP_NAME)
+            .action("ConsoleConnectionUpdate")
+            .reason("Connection from " + event.clientHost());
+        K8s.createEvent(apiClient, vmStub.model().get(), evt);
+    }
+
+    /**
+     * On spice disconnected.
+     *
+     * @param event the event
+     * @throws ApiException the api exception
+     */
+    @Handler
+    @SuppressWarnings("PMD.AvoidDuplicateLiterals")
+    public void onSpiceDisconnected(SpiceDisconnectedEvent event)
+            throws ApiException {
+        if (vmStub == null) {
+            return;
+        }
+
+        // Only process disconnects from main channel.
+        if (!event.clientHost().equals(mainChannelClientHost)
+            || event.clientPort() != mainChannelClientPort) {
+            return;
+        }
+        vmStub.updateStatus(from -> {
+            JsonObject status = from.status();
+            status.addProperty("consoleClient", "");
+            updateCondition(apiClient, from, status, "ConsoleConnected",
+                false, event.clientHost() + " has disconnected", null);
+            return status;
+        });
+
+        // Log event
+        var evt = new EventsV1Event()
+            .reportingController(VM_OP_GROUP + "/" + APP_NAME)
+            .action("ConsoleConnectionUpdate")
+            .reason("Disconnected from " + event.clientHost());
+        K8s.createEvent(apiClient, vmStub.model().get(), evt);
+    }
+}
diff --git a/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/StatusUpdater.java b/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/StatusUpdater.java
index f6814b3..ca5d46a 100644
--- a/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/StatusUpdater.java
+++ b/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/StatusUpdater.java
@@ -27,22 +27,13 @@ import io.kubernetes.client.openapi.ApiException;
 import io.kubernetes.client.openapi.models.EventsV1Event;
 import java.io.IOException;
 import java.math.BigDecimal;
-import java.nio.file.Files;
-import java.nio.file.Path;
-import java.time.Instant;
-import java.util.ArrayList;
-import java.util.List;
-import java.util.Map;
-import java.util.Optional;
 import java.util.Set;
 import java.util.logging.Level;
-import java.util.stream.Collectors;
 import static org.jdrupes.vmoperator.common.Constants.APP_NAME;
 import static org.jdrupes.vmoperator.common.Constants.VM_OP_GROUP;
 import static org.jdrupes.vmoperator.common.Constants.VM_OP_KIND_VM;
 import org.jdrupes.vmoperator.common.K8s;
 import org.jdrupes.vmoperator.common.K8sClient;
-import org.jdrupes.vmoperator.common.K8sDynamicModel;
 import org.jdrupes.vmoperator.common.VmDefinitionModel;
 import org.jdrupes.vmoperator.common.VmDefinitionStub;
 import org.jdrupes.vmoperator.runner.qemu.events.BalloonChangeEvent;
@@ -53,28 +44,21 @@ import org.jdrupes.vmoperator.runner.qemu.events.HotpluggableCpuStatus;
 import org.jdrupes.vmoperator.runner.qemu.events.RunnerStateChange;
 import org.jdrupes.vmoperator.runner.qemu.events.RunnerStateChange.RunState;
 import org.jdrupes.vmoperator.runner.qemu.events.ShutdownEvent;
-import org.jdrupes.vmoperator.runner.qemu.events.SpiceConnectedEvent;
-import org.jdrupes.vmoperator.runner.qemu.events.SpiceDisconnectedEvent;
 import org.jdrupes.vmoperator.util.GsonPtr;
 import org.jgrapes.core.Channel;
-import org.jgrapes.core.Component;
 import org.jgrapes.core.annotation.Handler;
 import org.jgrapes.core.events.HandlingError;
 import org.jgrapes.core.events.Start;
-import org.jgrapes.util.events.ConfigurationUpdate;
-import org.jgrapes.util.events.InitialConfiguration;
 
 /**
  * Updates the CR status.
  */
 @SuppressWarnings("PMD.DataflowAnomalyAnalysis")
-public class StatusUpdater extends Component {
+public class StatusUpdater extends VmDefUpdater {
 
     private static final Set<RunState> RUNNING_STATES
         = Set.of(RunState.RUNNING, RunState.TERMINATING);
 
-    private String namespace;
-    private String vmName;
     private K8sClient apiClient;
     private long observedGeneration;
     private boolean guestShutdownStops;
@@ -98,6 +82,7 @@ public class StatusUpdater extends Component {
                 () -> "Cannot access events API, terminating.");
             fire(new Exit(1));
         }
+        attach(new ConsoleTracker(componentChannel));
     }
 
     /**
@@ -114,43 +99,6 @@ public class StatusUpdater extends Component {
         }
     }
 
-    /**
-     * On configuration update.
-     *
-     * @param event the event
-     */
-    @Handler
-    @SuppressWarnings("unchecked")
-    public void onConfigurationUpdate(ConfigurationUpdate event) {
-        event.structured("/Runner").ifPresent(c -> {
-            if (event instanceof InitialConfiguration) {
-                namespace = (String) c.get("namespace");
-                updateNamespace();
-                vmName = Optional.ofNullable((Map<String, String>) c.get("vm"))
-                    .map(vm -> vm.get("name")).orElse(null);
-            }
-        });
-    }
-
-    private void updateNamespace() {
-        if (namespace == null) {
-            var path = Path
-                .of("/var/run/secrets/kubernetes.io/serviceaccount/namespace");
-            if (Files.isReadable(path)) {
-                try {
-                    namespace = Files.lines(path).findFirst().orElse(null);
-                } catch (IOException e) {
-                    logger.log(Level.WARNING, e,
-                        () -> "Cannot read namespace.");
-                }
-            }
-        }
-        if (namespace == null) {
-            logger.warning(() -> "Namespace is unknown, some functions"
-                + " won't be available.");
-        }
-    }
-
     /**
      * Handle the start event.
      *
@@ -238,13 +186,9 @@ public class StatusUpdater extends Component {
         }
         vmStub.updateStatus(vmDef, from -> {
             JsonObject status = from.status();
-            status.getAsJsonArray("conditions").asList().stream()
-                .map(cond -> (JsonObject) cond)
-                .forEach(cond -> {
-                    if ("Running".equals(cond.get("type").getAsString())) {
-                        updateRunningCondition(event, from, cond);
-                    }
-                });
+            boolean running = RUNNING_STATES.contains(event.runState());
+            updateCondition(apiClient, vmDef, vmDef.status(), "Running",
+                running, event.reason(), event.message());
             if (event.runState() == RunState.STARTING) {
                 status.addProperty("ram", GsonPtr.to(from.data())
                     .getAsString("spec", "vm", "maximumRam").orElse("0"));
@@ -253,6 +197,13 @@ public class StatusUpdater extends Component {
                 status.addProperty("ram", "0");
                 status.addProperty("cpus", 0);
             }
+
+            // In case console connection was still present
+            if (!running) {
+                status.addProperty("consoleClient", "");
+                updateCondition(apiClient, from, status, "ConsoleConnected",
+                    false, "VM has stopped", null);
+            }
             return status;
         });
 
@@ -278,29 +229,6 @@ public class StatusUpdater extends Component {
         K8s.createEvent(apiClient, vmDef, evt);
     }
 
-    private void updateRunningCondition(RunnerStateChange event,
-            K8sDynamicModel from, JsonObject cond) {
-        @SuppressWarnings("PMD.AvoidDuplicateLiterals")
-        boolean reportedRunning
-            = "True".equals(cond.get("status").getAsString());
-        if (RUNNING_STATES.contains(event.runState())
-            && !reportedRunning) {
-            cond.addProperty("status", "True");
-            cond.addProperty("lastTransitionTime",
-                Instant.now().toString());
-        }
-        if (!RUNNING_STATES.contains(event.runState())
-            && reportedRunning) {
-            cond.addProperty("status", "False");
-            cond.addProperty("lastTransitionTime",
-                Instant.now().toString());
-        }
-        cond.addProperty("reason", event.reason());
-        cond.addProperty("message", event.message());
-        cond.addProperty("observedGeneration",
-            from.getMetadata().getGeneration());
-    }
-
     /**
      * On ballon change.
      *
@@ -369,91 +297,4 @@ public class StatusUpdater extends Component {
     public void onShutdown(ShutdownEvent event) throws ApiException {
         shutdownByGuest = event.byGuest();
     }
-
-    /**
-     * On spice connected.
-     *
-     * @param event the event
-     * @throws ApiException the api exception
-     */
-    @Handler
-    public void onSpiceConnected(SpiceConnectedEvent event)
-            throws ApiException {
-        if (vmStub == null) {
-            return;
-        }
-        vmStub.updateStatus(from -> {
-            JsonObject status = from.status();
-            status.addProperty("consoleClient", event.clientHost());
-            updateConsoleConnectedCondition(from, status, true);
-            return status;
-        });
-
-        // Log event
-        var evt = new EventsV1Event()
-            .reportingController(VM_OP_GROUP + "/" + APP_NAME)
-            .action("ConsoleConnectionUpdate")
-            .reason("Connection from " + event.clientHost());
-        K8s.createEvent(apiClient, vmStub.model().get(), evt);
-    }
-
-    /**
-     * On spice disconnected.
-     *
-     * @param event the event
-     * @throws ApiException the api exception
-     */
-    @Handler
-    public void onSpiceDisconnected(SpiceDisconnectedEvent event)
-            throws ApiException {
-        if (vmStub == null) {
-            return;
-        }
-        vmStub.updateStatus(from -> {
-            JsonObject status = from.status();
-            status.addProperty("consoleClient", "");
-            updateConsoleConnectedCondition(from, status, false);
-            return status;
-        });
-
-        // Log event
-        var evt = new EventsV1Event()
-            .reportingController(VM_OP_GROUP + "/" + APP_NAME)
-            .action("ConsoleConnectionUpdate")
-            .reason("Disconnected from " + event.clientHost());
-        K8s.createEvent(apiClient, vmStub.model().get(), evt);
-    }
-
-    private void updateConsoleConnectedCondition(VmDefinitionModel from,
-            JsonObject status, boolean connected) {
-        // Optimize, as we can get this several times
-        var current = status.getAsJsonArray("conditions").asList().stream()
-            .map(cond -> (JsonObject) cond)
-            .filter(cond -> "ConsoleConnected"
-                .equals(cond.get("type").getAsString()))
-            .findFirst()
-            .map(cond -> "True".equals(cond.get("status").getAsString()));
-        if (current.isPresent() && current.get() == connected) {
-            return;
-        }
-
-        // Do update
-        final var condition = Map.of("type", "ConsoleConnected",
-            "status", connected ? "True" : "False",
-            "observedGeneration", from.getMetadata().getGeneration(),
-            "reason", connected ? "Connected" : "Disconnected",
-            "lastTransitionTime", Instant.now().toString());
-        List<Object> toReplace = new ArrayList<>(List.of(condition));
-        List<Object> newConds
-            = status.getAsJsonArray("conditions").asList().stream()
-                .map(cond -> (JsonObject) cond)
-                .map(cond -> "ConsoleConnected"
-                    .equals(cond.get("type").getAsString())
-                        ? toReplace.remove(0)
-                        : cond)
-                .collect(Collectors.toCollection(() -> new ArrayList<>()));
-        newConds.addAll(toReplace);
-        status.add("conditions",
-            apiClient.getJSON().getGson().toJsonTree(newConds));
-    }
 }
diff --git a/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/VmDefUpdater.java b/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/VmDefUpdater.java
new file mode 100644
index 0000000..893fc61
--- /dev/null
+++ b/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/VmDefUpdater.java
@@ -0,0 +1,141 @@
+/*
+ * VM-Operator
+ * Copyright (C) 2024 Michael N. Lipp
+ * 
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as
+ * published by the Free Software Foundation, either version 3 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program.  If not, see <https://www.gnu.org/licenses/>.
+ */
+
+package org.jdrupes.vmoperator.runner.qemu;
+
+import com.google.gson.JsonObject;
+import io.kubernetes.client.openapi.ApiClient;
+import java.io.IOException;
+import java.nio.file.Files;
+import java.nio.file.Path;
+import java.time.Instant;
+import java.util.ArrayList;
+import java.util.HashMap;
+import java.util.List;
+import java.util.Map;
+import java.util.Optional;
+import java.util.logging.Level;
+import java.util.stream.Collectors;
+import org.jdrupes.vmoperator.common.VmDefinitionModel;
+import org.jgrapes.core.Channel;
+import org.jgrapes.core.Component;
+import org.jgrapes.core.annotation.Handler;
+import org.jgrapes.util.events.ConfigurationUpdate;
+import org.jgrapes.util.events.InitialConfiguration;
+
+/**
+ * Updates the CR status.
+ */
+@SuppressWarnings("PMD.DataflowAnomalyAnalysis")
+public class VmDefUpdater extends Component {
+
+    protected String namespace;
+    protected String vmName;
+
+    /**
+     * Instantiates a new status updater.
+     *
+     * @param componentChannel the component channel
+     */
+    @SuppressWarnings("PMD.ConstructorCallsOverridableMethod")
+    public VmDefUpdater(Channel componentChannel) {
+        super(componentChannel);
+    }
+
+    /**
+     * On configuration update.
+     *
+     * @param event the event
+     */
+    @Handler
+    @SuppressWarnings("unchecked")
+    public void onConfigurationUpdate(ConfigurationUpdate event) {
+        event.structured("/Runner").ifPresent(c -> {
+            if (event instanceof InitialConfiguration) {
+                namespace = (String) c.get("namespace");
+                updateNamespace();
+                vmName = Optional.ofNullable((Map<String, String>) c.get("vm"))
+                    .map(vm -> vm.get("name")).orElse(null);
+            }
+        });
+    }
+
+    private void updateNamespace() {
+        if (namespace == null) {
+            var path = Path
+                .of("/var/run/secrets/kubernetes.io/serviceaccount/namespace");
+            if (Files.isReadable(path)) {
+                try {
+                    namespace = Files.lines(path).findFirst().orElse(null);
+                } catch (IOException e) {
+                    logger.log(Level.WARNING, e,
+                        () -> "Cannot read namespace.");
+                }
+            }
+        }
+        if (namespace == null) {
+            logger.warning(() -> "Namespace is unknown, some functions"
+                + " won't be available.");
+        }
+    }
+
+    /**
+     * Update condition.
+     *
+     * @param apiClient the api client
+     * @param from the vM definition
+     * @param status the current status
+     * @param type the condition type
+     * @param state the new state
+     * @param reason the reason for the change
+     */
+    protected void updateCondition(ApiClient apiClient, VmDefinitionModel from,
+            JsonObject status, String type, boolean state, String reason,
+            String message) {
+        // Optimize, as we can get this several times
+        var current = status.getAsJsonArray("conditions").asList().stream()
+            .map(cond -> (JsonObject) cond)
+            .filter(cond -> type.equals(cond.get("type").getAsString()))
+            .findFirst()
+            .map(cond -> "True".equals(cond.get("status").getAsString()));
+        if (current.isPresent() && current.get() == state) {
+            return;
+        }
+
+        // Do update
+        final var condition = new HashMap<>(Map.of("type", type,
+            "status", state ? "True" : "False",
+            "observedGeneration", from.getMetadata().getGeneration(),
+            "reason", reason,
+            "lastTransitionTime", Instant.now().toString()));
+        if (message != null) {
+            condition.put("message", message);
+        }
+        List<Object> toReplace = new ArrayList<>(List.of(condition));
+        List<Object> newConds
+            = status.getAsJsonArray("conditions").asList().stream()
+                .map(cond -> (JsonObject) cond)
+                .map(cond -> type.equals(cond.get("type").getAsString())
+                    ? toReplace.remove(0)
+                    : cond)
+                .collect(Collectors.toCollection(() -> new ArrayList<>()));
+        newConds.addAll(toReplace);
+        status.add("conditions",
+            apiClient.getJSON().getGson().toJsonTree(newConds));
+    }
+}
diff --git a/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/events/MonitorEvent.java b/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/events/MonitorEvent.java
index 2cc0f33..df981c8 100644
--- a/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/events/MonitorEvent.java
+++ b/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/events/MonitorEvent.java
@@ -35,7 +35,7 @@ public class MonitorEvent extends Event<Void> {
      */
     public enum Kind {
         READY, POWERDOWN, DEVICE_TRAY_MOVED, BALLOON_CHANGE, SHUTDOWN,
-        SPICE_CONNECTED, SPICE_DISCONNECTED
+        SPICE_CONNECTED, SPICE_INITIALIZED, SPICE_DISCONNECTED
     }
 
     private final Kind kind;
@@ -64,13 +64,14 @@ public class MonitorEvent extends Event<Void> {
                 return Optional
                     .of(new ShutdownEvent(kind, response.get(EVENT_DATA)));
             case SPICE_CONNECTED:
-                return Optional
-                    .of(new SpiceConnectedEvent(kind,
-                        response.get(EVENT_DATA)));
+                return Optional.of(new SpiceConnectedEvent(kind,
+                    response.get(EVENT_DATA)));
+            case SPICE_INITIALIZED:
+                return Optional.of(new SpiceInitializedEvent(kind,
+                    response.get(EVENT_DATA)));
             case SPICE_DISCONNECTED:
-                return Optional
-                    .of(new SpiceDisconnectedEvent(kind,
-                        response.get(EVENT_DATA)));
+                return Optional.of(new SpiceDisconnectedEvent(kind,
+                    response.get(EVENT_DATA)));
             default:
                 return Optional
                     .of(new MonitorEvent(kind, response.get(EVENT_DATA)));
diff --git a/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/events/SpiceEvent.java b/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/events/SpiceEvent.java
index 6706f0c..4ce27e2 100644
--- a/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/events/SpiceEvent.java
+++ b/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/events/SpiceEvent.java
@@ -43,4 +43,13 @@ public class SpiceEvent extends MonitorEvent {
     public String clientHost() {
         return data().get("client").get("host").asText();
     }
+
+    /**
+     * Returns the client's port.
+     *
+     * @return the client's port number
+     */
+    public long clientPort() {
+        return data().get("client").get("port").asLong();
+    }
 }
diff --git a/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/events/SpiceInitializedEvent.java b/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/events/SpiceInitializedEvent.java
new file mode 100644
index 0000000..7bb84b7
--- /dev/null
+++ b/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/events/SpiceInitializedEvent.java
@@ -0,0 +1,46 @@
+/*
+ * VM-Operator
+ * Copyright (C) 2023 Michael N. Lipp
+ * 
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as
+ * published by the Free Software Foundation, either version 3 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program.  If not, see <https://www.gnu.org/licenses/>.
+ */
+
+package org.jdrupes.vmoperator.runner.qemu.events;
+
+import com.fasterxml.jackson.databind.JsonNode;
+
+/**
+ * Signals a connection from a client.
+ */
+public class SpiceInitializedEvent extends SpiceEvent {
+
+    /**
+     * Instantiates a new spice connected event.
+     *
+     * @param kind the kind
+     * @param data the data
+     */
+    public SpiceInitializedEvent(Kind kind, JsonNode data) {
+        super(kind, data);
+    }
+
+    /**
+     * Returns the channel type.
+     *
+     * @return the channel type
+     */
+    public int channelType() {
+        return data().get("client").get("channel-type").asInt();
+    }
+}

From f1d973502ddf819638e3e543638acd2e2a9fa3af Mon Sep 17 00:00:00 2001
From: "Michael N. Lipp" <mnl@mnl.de>
Date: Thu, 14 Nov 2024 11:58:51 +0100
Subject: [PATCH 024/274] Fix transparency.

---
 .../vmoperator/vmviewer/computer-in-use.svg   | 28 +++++++++++--------
 1 file changed, 16 insertions(+), 12 deletions(-)

diff --git a/org.jdrupes.vmoperator.vmviewer/resources/org/jdrupes/vmoperator/vmviewer/computer-in-use.svg b/org.jdrupes.vmoperator.vmviewer/resources/org/jdrupes/vmoperator/vmviewer/computer-in-use.svg
index 90339c1..00e4cc0 100644
--- a/org.jdrupes.vmoperator.vmviewer/resources/org/jdrupes/vmoperator/vmviewer/computer-in-use.svg
+++ b/org.jdrupes.vmoperator.vmviewer/resources/org/jdrupes/vmoperator/vmviewer/computer-in-use.svg
@@ -51,9 +51,9 @@
      inkscape:pageopacity="0.0"
      inkscape:pagecheckerboard="0"
      inkscape:deskcolor="#d1d1d1"
-     inkscape:zoom="1.28"
-     inkscape:cx="326.5625"
-     inkscape:cy="548.04688"
+     inkscape:zoom="0.90509668"
+     inkscape:cx="345.81941"
+     inkscape:cy="376.2029"
      inkscape:window-width="1920"
      inkscape:window-height="1008"
      inkscape:window-x="0"
@@ -63,18 +63,17 @@
   <path
      id="rect1"
      style="fill-opacity:0;stroke:#000000;stroke-width:1.97262;stroke-linecap:square;stroke-linejoin:round;stroke-miterlimit:0;paint-order:fill markers stroke"
-     d="M 3.0038192,0.98808897 H 20.99618 V 13.006705 H 3.0038192 Z" />
-  <rect
-     style="opacity:1;fill:#000000;fill-opacity:1;fill-rule:nonzero;stroke:none;stroke-width:0.00306926;stroke-linecap:square;stroke-linejoin:round;stroke-miterlimit:0;stroke-dasharray:none;stroke-opacity:1;paint-order:fill markers stroke"
+     d="m 4.7729709,13.006705 -1.7691517,0 V 0.98808897 H 20.99618 V 13.006705 l -1.639132,0"
+     sodipodi:nodetypes="cccccc" />
+  <path
      id="rect2"
-     width="23.995173"
-     height="2.0017407"
-     x="0.0039473679"
-     y="13.998839" />
+     style="opacity:1;stroke-width:0.00145614;stroke-linecap:square;stroke-linejoin:round;stroke-miterlimit:0;stroke-dasharray:none;paint-order:fill markers stroke"
+     d="m 0,13.998258 h 5.4336202 v 2.001741 H 0 Z"
+     sodipodi:nodetypes="ccccc" />
   <path
      id="rect3"
-     style="fill:#ffffff;fill-opacity:1;stroke:#000000;stroke-width:1.05373;stroke-linecap:round;stroke-linejoin:round;stroke-miterlimit:0;stroke-dasharray:none;stroke-opacity:1;paint-order:fill markers stroke"
-     d="m 5.6839082,10.94394 c 0.2963594,-0.907428 2.9522319,-1.683971 2.767387,-1.6392261 0,0 1.5028596,1.6181771 3.6459428,1.6129171 2.018383,-0.005 3.362681,-1.6125503 3.362681,-1.6125503 -0.171441,-0.061235 2.778887,0.7741493 2.977303,1.6787203 0.393054,1.791919 0.25928,4.524228 0.25928,4.524228 L 5.3146272,15.391866 c 0,0 -0.181061,-2.762825 0.369281,-4.447926 z"
+     style="fill:none;fill-opacity:1;stroke:#000000;stroke-width:1.05373;stroke-linecap:round;stroke-linejoin:round;stroke-miterlimit:0;stroke-dasharray:none;stroke-opacity:1;paint-order:fill markers stroke"
+     d="m 5.6839082,10.94394 c 0.2963594,-0.907428 2.9522319,-1.683971 2.767387,-1.6392261 0,0 1.5028596,1.6181771 3.6459428,1.6129171 2.018383,-0.005 3.362681,-1.6125503 3.362681,-1.6125503 -0.171441,-0.061235 2.778887,0.7741493 2.977303,1.6787203 0.393054,1.791919 0.25928,4.489072 0.25928,4.489072 l -13.3818748,0.001 c 0,0 -0.181061,-2.844856 0.369281,-4.529957 z"
      sodipodi:nodetypes="sssssccs" />
   <ellipse
      style="fill:none;stroke:#000000;stroke-width:1.02152;stroke-linecap:round;stroke-linejoin:round;stroke-miterlimit:0;stroke-dasharray:none;stroke-opacity:1;paint-order:fill markers stroke"
@@ -83,4 +82,9 @@
      cy="6.3769712"
      rx="3.2413731"
      ry="3.225764" />
+  <path
+     id="rect2-2"
+     style="stroke-width:0.00145614;stroke-linecap:square;stroke-linejoin:round;stroke-miterlimit:0;stroke-dasharray:none;paint-order:fill markers stroke"
+     d="M 18.56638,13.998258 H 24 v 2.001741 h -5.43362 z"
+     sodipodi:nodetypes="ccccc" />
 </svg>

From 811164f7b9c34c9e26fb19211b67cc48e69e6503 Mon Sep 17 00:00:00 2001
From: "Michael N. Lipp" <mnl@mnl.de>
Date: Thu, 14 Nov 2024 11:59:14 +0100
Subject: [PATCH 025/274] Move api client to base class.

---
 .../runner/qemu/ConsoleTracker.java           |  5 ++---
 .../vmoperator/runner/qemu/StatusUpdater.java | 19 ++++-------------
 .../vmoperator/runner/qemu/VmDefUpdater.java  | 21 +++++++++++++++----
 3 files changed, 23 insertions(+), 22 deletions(-)

diff --git a/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/ConsoleTracker.java b/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/ConsoleTracker.java
index 7d54235..95b748c 100644
--- a/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/ConsoleTracker.java
+++ b/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/ConsoleTracker.java
@@ -44,7 +44,6 @@ import org.jgrapes.core.events.Start;
 @SuppressWarnings("PMD.DataflowAnomalyAnalysis")
 public class ConsoleTracker extends VmDefUpdater {
 
-    private final K8sClient apiClient;
     private VmDefinitionStub vmStub;
     private String mainChannelClientHost;
     private long mainChannelClientPort;
@@ -109,7 +108,7 @@ public class ConsoleTracker extends VmDefUpdater {
         vmStub.updateStatus(from -> {
             JsonObject status = from.status();
             status.addProperty("consoleClient", event.clientHost());
-            updateCondition(apiClient, from, status, "ConsoleConnected",
+            updateCondition(from, status, "ConsoleConnected",
                 true, "Connection from " + event.clientHost(), null);
             return status;
         });
@@ -144,7 +143,7 @@ public class ConsoleTracker extends VmDefUpdater {
         vmStub.updateStatus(from -> {
             JsonObject status = from.status();
             status.addProperty("consoleClient", "");
-            updateCondition(apiClient, from, status, "ConsoleConnected",
+            updateCondition(from, status, "ConsoleConnected",
                 false, event.clientHost() + " has disconnected", null);
             return status;
         });
diff --git a/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/StatusUpdater.java b/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/StatusUpdater.java
index ca5d46a..f663476 100644
--- a/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/StatusUpdater.java
+++ b/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/StatusUpdater.java
@@ -33,7 +33,6 @@ import static org.jdrupes.vmoperator.common.Constants.APP_NAME;
 import static org.jdrupes.vmoperator.common.Constants.VM_OP_GROUP;
 import static org.jdrupes.vmoperator.common.Constants.VM_OP_KIND_VM;
 import org.jdrupes.vmoperator.common.K8s;
-import org.jdrupes.vmoperator.common.K8sClient;
 import org.jdrupes.vmoperator.common.VmDefinitionModel;
 import org.jdrupes.vmoperator.common.VmDefinitionStub;
 import org.jdrupes.vmoperator.runner.qemu.events.BalloonChangeEvent;
@@ -59,7 +58,6 @@ public class StatusUpdater extends VmDefUpdater {
     private static final Set<RunState> RUNNING_STATES
         = Set.of(RunState.RUNNING, RunState.TERMINATING);
 
-    private K8sClient apiClient;
     private long observedGeneration;
     private boolean guestShutdownStops;
     private boolean shutdownByGuest;
@@ -73,15 +71,6 @@ public class StatusUpdater extends VmDefUpdater {
     @SuppressWarnings("PMD.ConstructorCallsOverridableMethod")
     public StatusUpdater(Channel componentChannel) {
         super(componentChannel);
-        try {
-            apiClient = new K8sClient();
-            io.kubernetes.client.openapi.Configuration
-                .setDefaultApiClient(apiClient);
-        } catch (IOException e) {
-            logger.log(Level.SEVERE, e,
-                () -> "Cannot access events API, terminating.");
-            fire(new Exit(1));
-        }
         attach(new ConsoleTracker(componentChannel));
     }
 
@@ -187,8 +176,8 @@ public class StatusUpdater extends VmDefUpdater {
         vmStub.updateStatus(vmDef, from -> {
             JsonObject status = from.status();
             boolean running = RUNNING_STATES.contains(event.runState());
-            updateCondition(apiClient, vmDef, vmDef.status(), "Running",
-                running, event.reason(), event.message());
+            updateCondition(vmDef, vmDef.status(), "Running", running,
+                event.reason(), event.message());
             if (event.runState() == RunState.STARTING) {
                 status.addProperty("ram", GsonPtr.to(from.data())
                     .getAsString("spec", "vm", "maximumRam").orElse("0"));
@@ -201,8 +190,8 @@ public class StatusUpdater extends VmDefUpdater {
             // In case console connection was still present
             if (!running) {
                 status.addProperty("consoleClient", "");
-                updateCondition(apiClient, from, status, "ConsoleConnected",
-                    false, "VM has stopped", null);
+                updateCondition(from, status, "ConsoleConnected", false,
+                    "VM has stopped", null);
             }
             return status;
         });
diff --git a/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/VmDefUpdater.java b/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/VmDefUpdater.java
index 893fc61..1c260c7 100644
--- a/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/VmDefUpdater.java
+++ b/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/VmDefUpdater.java
@@ -19,7 +19,6 @@
 package org.jdrupes.vmoperator.runner.qemu;
 
 import com.google.gson.JsonObject;
-import io.kubernetes.client.openapi.ApiClient;
 import java.io.IOException;
 import java.nio.file.Files;
 import java.nio.file.Path;
@@ -31,7 +30,9 @@ import java.util.Map;
 import java.util.Optional;
 import java.util.logging.Level;
 import java.util.stream.Collectors;
+import org.jdrupes.vmoperator.common.K8sClient;
 import org.jdrupes.vmoperator.common.VmDefinitionModel;
+import org.jdrupes.vmoperator.runner.qemu.events.Exit;
 import org.jgrapes.core.Channel;
 import org.jgrapes.core.Component;
 import org.jgrapes.core.annotation.Handler;
@@ -46,15 +47,28 @@ public class VmDefUpdater extends Component {
 
     protected String namespace;
     protected String vmName;
+    protected K8sClient apiClient;
 
     /**
      * Instantiates a new status updater.
      *
      * @param componentChannel the component channel
+     * @throws IOException 
      */
     @SuppressWarnings("PMD.ConstructorCallsOverridableMethod")
     public VmDefUpdater(Channel componentChannel) {
         super(componentChannel);
+        if (apiClient == null) {
+            try {
+                apiClient = new K8sClient();
+                io.kubernetes.client.openapi.Configuration
+                    .setDefaultApiClient(apiClient);
+            } catch (IOException e) {
+                logger.log(Level.SEVERE, e,
+                    () -> "Cannot access events API, terminating.");
+                fire(new Exit(1));
+            }
+        }
     }
 
     /**
@@ -104,9 +118,8 @@ public class VmDefUpdater extends Component {
      * @param state the new state
      * @param reason the reason for the change
      */
-    protected void updateCondition(ApiClient apiClient, VmDefinitionModel from,
-            JsonObject status, String type, boolean state, String reason,
-            String message) {
+    protected void updateCondition(VmDefinitionModel from, JsonObject status,
+            String type, boolean state, String reason, String message) {
         // Optimize, as we can get this several times
         var current = status.getAsJsonArray("conditions").asList().stream()
             .map(cond -> (JsonObject) cond)

From 4ea568ea17ec338897b192ae0b3cd5c22a9cded1 Mon Sep 17 00:00:00 2001
From: "Michael N. Lipp" <mnl@mnl.de>
Date: Thu, 14 Nov 2024 12:40:45 +0100
Subject: [PATCH 026/274] Automatically repeat status update in case of
 conflict.

---
 .../vmoperator/common/K8sGenericStub.java     | 30 +++++++++++++++++--
 1 file changed, 28 insertions(+), 2 deletions(-)

diff --git a/org.jdrupes.vmoperator.common/src/org/jdrupes/vmoperator/common/K8sGenericStub.java b/org.jdrupes.vmoperator.common/src/org/jdrupes/vmoperator/common/K8sGenericStub.java
index 09516a0..0689a97 100644
--- a/org.jdrupes.vmoperator.common/src/org/jdrupes/vmoperator/common/K8sGenericStub.java
+++ b/org.jdrupes.vmoperator.common/src/org/jdrupes/vmoperator/common/K8sGenericStub.java
@@ -193,7 +193,33 @@ public class K8sGenericStub<O extends KubernetesObject,
     }
 
     /**
-     * Updates the object's status.
+     * Updates the object's status, retrying for the given number of times
+     * if the update fails due to a conflict.
+     *
+     * @param object the current state of the object (passed to `status`)
+     * @param status function that returns the new status
+     * @param retries the retries
+     * @return the updated model or empty if not successful
+     * @throws ApiException the api exception
+     */
+    @SuppressWarnings("PMD.AssignmentInOperand")
+    public Optional<O> updateStatus(O object,
+            Function<O, Object> status, int retries) throws ApiException {
+        while (true) {
+            try {
+                return K8s.optional(api.updateStatus(object, status));
+            } catch (ApiException e) {
+                if (HttpURLConnection.HTTP_CONFLICT != e.getCode()
+                    || retries-- <= 0) {
+                    throw e;
+                }
+            }
+        }
+    }
+
+    /**
+     * Updates the object's status, retrying up to 16 times if there
+     * is a conflict.
      *
      * @param object the current state of the object (passed to `status`)
      * @param status function that returns the new status
@@ -202,7 +228,7 @@ public class K8sGenericStub<O extends KubernetesObject,
      */
     public Optional<O> updateStatus(O object,
             Function<O, Object> status) throws ApiException {
-        return K8s.optional(api.updateStatus(object, status));
+        return updateStatus(object, status, 16);
     }
 
     /**

From 0ba8d922ef486854da01603410952506a7755635 Mon Sep 17 00:00:00 2001
From: "Michael N. Lipp" <mnl@mnl.de>
Date: Thu, 14 Nov 2024 18:46:19 +0100
Subject: [PATCH 027/274] Add used by information.

---
 deploy/crds/vms-crd.yaml                        |  6 ++++++
 .../manager/events/GetDisplayPassword.java      | 16 ++++++++++++++--
 .../manager/DisplaySecretMonitor.java           | 17 ++++++++++++++++-
 .../jdrupes/vmoperator/vmconlet/l10n.properties |  1 +
 .../vmoperator/vmconlet/l10n_de.properties      |  1 +
 .../vmconlet/browser/VmConlet-functions.ts      |  4 +++-
 .../jdrupes/vmoperator/vmviewer/VmViewer.java   |  9 ++++++---
 7 files changed, 47 insertions(+), 7 deletions(-)

diff --git a/deploy/crds/vms-crd.yaml b/deploy/crds/vms-crd.yaml
index f1bbaf2..93c70cc 100644
--- a/deploy/crds/vms-crd.yaml
+++ b/deploy/crds/vms-crd.yaml
@@ -1467,6 +1467,12 @@ spec:
                     The hostname of the currently connected client.
                   type: string
                   default: ""
+                consoleUser:
+                  description: >-
+                    The id of the user who has last requested a console
+                    connection.
+                  type: string
+                  default: ""
                 displayPasswordSerial:
                   description: >-
                     Counts changes of the display password. Set to -1
diff --git a/org.jdrupes.vmoperator.manager.events/src/org/jdrupes/vmoperator/manager/events/GetDisplayPassword.java b/org.jdrupes.vmoperator.manager.events/src/org/jdrupes/vmoperator/manager/events/GetDisplayPassword.java
index 3322f1a..f6fa555 100644
--- a/org.jdrupes.vmoperator.manager.events/src/org/jdrupes/vmoperator/manager/events/GetDisplayPassword.java
+++ b/org.jdrupes.vmoperator.manager.events/src/org/jdrupes/vmoperator/manager/events/GetDisplayPassword.java
@@ -29,14 +29,17 @@ import org.jgrapes.core.Event;
 public class GetDisplayPassword extends Event<String> {
 
     private final VmDefinition vmDef;
+    private final String user;
 
     /**
-     * Instantiates a new returns the display secret.
+     * Instantiates a new request for the display secret.
      *
      * @param vmDef the vm name
+     * @param user the requesting user
      */
-    public GetDisplayPassword(VmDefinition vmDef) {
+    public GetDisplayPassword(VmDefinition vmDef, String user) {
         this.vmDef = vmDef;
+        this.user = user;
     }
 
     /**
@@ -48,6 +51,15 @@ public class GetDisplayPassword extends Event<String> {
         return vmDef;
     }
 
+    /**
+     * Return the id of the user who has requested the password.
+     *
+     * @return the string
+     */
+    public String user() {
+        return user;
+    }
+
     /**
      * Return the password. May only be called when the event is completed.
      *
diff --git a/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/DisplaySecretMonitor.java b/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/DisplaySecretMonitor.java
index 69d4058..2f480a3 100644
--- a/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/DisplaySecretMonitor.java
+++ b/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/DisplaySecretMonitor.java
@@ -18,6 +18,8 @@
 
 package org.jdrupes.vmoperator.manager;
 
+import com.google.gson.JsonObject;
+import io.kubernetes.client.apimachinery.GroupVersionKind;
 import io.kubernetes.client.custom.V1Patch;
 import io.kubernetes.client.openapi.ApiException;
 import io.kubernetes.client.openapi.models.V1Secret;
@@ -37,10 +39,13 @@ import java.util.Optional;
 import java.util.Scanner;
 import java.util.logging.Level;
 import static org.jdrupes.vmoperator.common.Constants.APP_NAME;
+import static org.jdrupes.vmoperator.common.Constants.VM_OP_GROUP;
+import static org.jdrupes.vmoperator.common.Constants.VM_OP_KIND_VM;
 import static org.jdrupes.vmoperator.common.Constants.VM_OP_NAME;
 import org.jdrupes.vmoperator.common.K8sClient;
 import org.jdrupes.vmoperator.common.K8sV1PodStub;
 import org.jdrupes.vmoperator.common.K8sV1SecretStub;
+import org.jdrupes.vmoperator.common.VmDefinitionStub;
 import static org.jdrupes.vmoperator.manager.Constants.COMP_DISPLAY_SECRET;
 import static org.jdrupes.vmoperator.manager.Constants.DATA_DISPLAY_PASSWORD;
 import static org.jdrupes.vmoperator.manager.Constants.DATA_PASSWORD_EXPIRY;
@@ -181,12 +186,22 @@ public class DisplaySecretMonitor
             + "app.kubernetes.io/instance="
             + event.vmDefinition().metadata().getName());
         var stubs = K8sV1SecretStub.list(client(),
-            event.vmDefinition().metadata().getNamespace(), options);
+            event.vmDefinition().namespace(), options);
         if (stubs.isEmpty()) {
             return;
         }
         var stub = stubs.iterator().next();
 
+        // Valid request, update console user in status
+        var vmStub = VmDefinitionStub.get(client(),
+            new GroupVersionKind(VM_OP_GROUP, "", VM_OP_KIND_VM),
+            event.vmDefinition().namespace(), event.vmDefinition().name());
+        vmStub.updateStatus(from -> {
+            JsonObject status = from.status();
+            status.addProperty("consoleUser", event.user());
+            return status;
+        });
+
         // Check validity
         var model = stub.model().get();
         @SuppressWarnings("PMD.StringInstantiation")
diff --git a/org.jdrupes.vmoperator.vmconlet/resources/org/jdrupes/vmoperator/vmconlet/l10n.properties b/org.jdrupes.vmoperator.vmconlet/resources/org/jdrupes/vmoperator/vmconlet/l10n.properties
index f4165c4..4ab3a3f 100644
--- a/org.jdrupes.vmoperator.vmconlet/resources/org/jdrupes/vmoperator/vmconlet/l10n.properties
+++ b/org.jdrupes.vmoperator.vmconlet/resources/org/jdrupes/vmoperator/vmconlet/l10n.properties
@@ -11,6 +11,7 @@ nodeName = Node
 requestedCpus = Requested CPUs
 requestedRam = Requested RAM
 running = Running
+usedBy = Used by
 usedFrom = Used from
 vmActions = Actions
 vmname = Name
diff --git a/org.jdrupes.vmoperator.vmconlet/resources/org/jdrupes/vmoperator/vmconlet/l10n_de.properties b/org.jdrupes.vmoperator.vmconlet/resources/org/jdrupes/vmoperator/vmconlet/l10n_de.properties
index 29239ed..15a8b68 100644
--- a/org.jdrupes.vmoperator.vmconlet/resources/org/jdrupes/vmoperator/vmconlet/l10n_de.properties
+++ b/org.jdrupes.vmoperator.vmconlet/resources/org/jdrupes/vmoperator/vmconlet/l10n_de.properties
@@ -15,6 +15,7 @@ maximumRam = Maximales RAM
 nodeName = Knoten
 requestedCpus = Angeforderte CPUs
 requestedRam = Angefordertes RAM
+usedBy = Benutzt durch
 usedFrom = Benutzt von
 vmActions = Aktionen
 vmname = Name
diff --git a/org.jdrupes.vmoperator.vmconlet/src/org/jdrupes/vmoperator/vmconlet/browser/VmConlet-functions.ts b/org.jdrupes.vmoperator.vmconlet/src/org/jdrupes/vmoperator/vmconlet/browser/VmConlet-functions.ts
index b171569..cfda2de 100644
--- a/org.jdrupes.vmoperator.vmconlet/src/org/jdrupes/vmoperator/vmconlet/browser/VmConlet-functions.ts
+++ b/org.jdrupes.vmoperator.vmconlet/src/org/jdrupes/vmoperator/vmconlet/browser/VmConlet-functions.ts
@@ -112,7 +112,8 @@ window.orgJDrupesVmOperatorVmConlet.initView = (viewDom: HTMLElement,
                 ["currentCpus", "currentCpus"],
                 ["currentRam", "currentRam"],
                 ["nodeName", "nodeName"],
-                ["usedFrom", "usedFrom"]
+                ["usedFrom", "usedFrom"],
+                ["usedBy", "usedBy"]
             ], {
                 sortKey: "name",
                 sortOrder: "up"
@@ -181,6 +182,7 @@ JGConsole.registerConletFunction("org.jdrupes.vmoperator.vmconlet.VmConlet",
         vmDefinition.currentCpus = vmDefinition.status.cpus;
         vmDefinition.currentRam = Number(vmDefinition.status.ram);
         vmDefinition.usedFrom = vmDefinition.status.consoleClient || "";
+        vmDefinition.usedBy = vmDefinition.status.consoleUser || "";
         for (const condition of vmDefinition.status.conditions) {
             if (condition.type === "Running") {
                 vmDefinition.running = condition.status === "True";
diff --git a/org.jdrupes.vmoperator.vmviewer/src/org/jdrupes/vmoperator/vmviewer/VmViewer.java b/org.jdrupes.vmoperator.vmviewer/src/org/jdrupes/vmoperator/vmviewer/VmViewer.java
index a21c420..f87b341 100644
--- a/org.jdrupes.vmoperator.vmviewer/src/org/jdrupes/vmoperator/vmviewer/VmViewer.java
+++ b/org.jdrupes.vmoperator.vmviewer/src/org/jdrupes/vmoperator/vmviewer/VmViewer.java
@@ -527,9 +527,12 @@ public class VmViewer extends FreeMarkerConlet<VmViewer.ViewerModel> {
             break;
         case "openConsole":
             if (perms.contains(Permission.ACCESS_CONSOLE)) {
-                var pwQuery = Event.onCompletion(new GetDisplayPassword(vmDef),
-                    e -> openConsole(vmName, channel, model,
-                        e.password().orElse(null)));
+                var user = WebConsoleUtils.userFromSession(channel.session())
+                    .map(ConsoleUser::getName).orElse("");
+                var pwQuery
+                    = Event.onCompletion(new GetDisplayPassword(vmDef, user),
+                        e -> openConsole(vmName, channel, model,
+                            e.password().orElse(null)));
                 fire(pwQuery, vmChannel);
             }
             break;

From 69507b540cb4c753616b43872e8ef6c73aded85e Mon Sep 17 00:00:00 2001
From: "Michael N. Lipp" <mnl@mnl.de>
Date: Thu, 14 Nov 2024 20:17:33 +0100
Subject: [PATCH 028/274] Improve messages.

---
 .../jdrupes/vmoperator/runner/qemu/ConsoleTracker.java    | 8 ++++----
 .../org/jdrupes/vmoperator/runner/qemu/StatusUpdater.java | 2 +-
 2 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/ConsoleTracker.java b/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/ConsoleTracker.java
index 95b748c..f2309df 100644
--- a/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/ConsoleTracker.java
+++ b/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/ConsoleTracker.java
@@ -108,8 +108,8 @@ public class ConsoleTracker extends VmDefUpdater {
         vmStub.updateStatus(from -> {
             JsonObject status = from.status();
             status.addProperty("consoleClient", event.clientHost());
-            updateCondition(from, status, "ConsoleConnected",
-                true, "Connection from " + event.clientHost(), null);
+            updateCondition(from, status, "ConsoleConnected", true, "Connected",
+                "Connection from " + event.clientHost());
             return status;
         });
 
@@ -143,8 +143,8 @@ public class ConsoleTracker extends VmDefUpdater {
         vmStub.updateStatus(from -> {
             JsonObject status = from.status();
             status.addProperty("consoleClient", "");
-            updateCondition(from, status, "ConsoleConnected",
-                false, event.clientHost() + " has disconnected", null);
+            updateCondition(from, status, "ConsoleConnected", false,
+                "Disconnected", event.clientHost() + " has disconnected");
             return status;
         });
 
diff --git a/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/StatusUpdater.java b/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/StatusUpdater.java
index f663476..0b18df0 100644
--- a/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/StatusUpdater.java
+++ b/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/StatusUpdater.java
@@ -191,7 +191,7 @@ public class StatusUpdater extends VmDefUpdater {
             if (!running) {
                 status.addProperty("consoleClient", "");
                 updateCondition(from, status, "ConsoleConnected", false,
-                    "VM has stopped", null);
+                    "VmStopped", "The VM has been shut down");
             }
             return status;
         });

From e864f677c3aab675653d0673130c7e7688c01152 Mon Sep 17 00:00:00 2001
From: "Michael N. Lipp" <mnl@mnl.de>
Date: Thu, 14 Nov 2024 22:10:18 +0100
Subject: [PATCH 029/274] Allow operator to patch CR status.

---
 deploy/vmop-role.yaml | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/deploy/vmop-role.yaml b/deploy/vmop-role.yaml
index 16c7cfb..55447e6 100644
--- a/deploy/vmop-role.yaml
+++ b/deploy/vmop-role.yaml
@@ -11,6 +11,12 @@ rules:
   - vms
   verbs:
   - '*'
+- apiGroups:
+  - vmoperator.jdrupes.org
+  resources:
+  - vms/status
+  verbs:
+  - patch
 - apiGroups:
   - apps
   resources:

From dc7382dc8669483e33ad4cb7efb449bea432ce36 Mon Sep 17 00:00:00 2001
From: "Michael N. Lipp" <mnl@mnl.de>
Date: Fri, 15 Nov 2024 09:53:34 +0100
Subject: [PATCH 030/274] Always update console user.

---
 .../manager/DisplaySecretMonitor.java         | 29 ++++++++++---------
 1 file changed, 16 insertions(+), 13 deletions(-)

diff --git a/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/DisplaySecretMonitor.java b/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/DisplaySecretMonitor.java
index 2f480a3..141c806 100644
--- a/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/DisplaySecretMonitor.java
+++ b/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/DisplaySecretMonitor.java
@@ -180,19 +180,7 @@ public class DisplaySecretMonitor
     @SuppressWarnings("PMD.StringInstantiation")
     public void onGetDisplaySecrets(GetDisplayPassword event, VmChannel channel)
             throws ApiException {
-        ListOptions options = new ListOptions();
-        options.setLabelSelector("app.kubernetes.io/name=" + APP_NAME + ","
-            + "app.kubernetes.io/component=" + COMP_DISPLAY_SECRET + ","
-            + "app.kubernetes.io/instance="
-            + event.vmDefinition().metadata().getName());
-        var stubs = K8sV1SecretStub.list(client(),
-            event.vmDefinition().namespace(), options);
-        if (stubs.isEmpty()) {
-            return;
-        }
-        var stub = stubs.iterator().next();
-
-        // Valid request, update console user in status
+        // Update console user in status
         var vmStub = VmDefinitionStub.get(client(),
             new GroupVersionKind(VM_OP_GROUP, "", VM_OP_KIND_VM),
             event.vmDefinition().namespace(), event.vmDefinition().name());
@@ -202,6 +190,20 @@ public class DisplaySecretMonitor
             return status;
         });
 
+        // Look for secret
+        ListOptions options = new ListOptions();
+        options.setLabelSelector("app.kubernetes.io/name=" + APP_NAME + ","
+            + "app.kubernetes.io/component=" + COMP_DISPLAY_SECRET + ","
+            + "app.kubernetes.io/instance="
+            + event.vmDefinition().metadata().getName());
+        var stubs = K8sV1SecretStub.list(client(),
+            event.vmDefinition().namespace(), options);
+        if (stubs.isEmpty()) {
+            // No secret means no password for this VM wanted
+            return;
+        }
+        var stub = stubs.iterator().next();
+
         // Check validity
         var model = stub.model().get();
         @SuppressWarnings("PMD.StringInstantiation")
@@ -209,6 +211,7 @@ public class DisplaySecretMonitor
             .get(DATA_PASSWORD_EXPIRY)).map(b -> new String(b)).orElse(null);
         if (model.getData().get(DATA_DISPLAY_PASSWORD) != null
             && stillValid(expiry)) {
+            // Fixed secret, don't touch
             event.setResult(
                 new String(model.getData().get(DATA_DISPLAY_PASSWORD)));
             return;

From 558d8f95485c66049a763cce32a096154ba563b5 Mon Sep 17 00:00:00 2001
From: "Michael N. Lipp" <mnl@mnl.de>
Date: Fri, 15 Nov 2024 09:58:30 +0100
Subject: [PATCH 031/274] Fix layout.

---
 .../org/jdrupes/vmoperator/vmconlet/VmConlet-view.ftl.html      | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/org.jdrupes.vmoperator.vmconlet/resources/org/jdrupes/vmoperator/vmconlet/VmConlet-view.ftl.html b/org.jdrupes.vmoperator.vmconlet/resources/org/jdrupes/vmoperator/vmconlet/VmConlet-view.ftl.html
index 708a1a3..0af656b 100644
--- a/org.jdrupes.vmoperator.vmconlet/resources/org/jdrupes/vmoperator/vmconlet/VmConlet-view.ftl.html
+++ b/org.jdrupes.vmoperator.vmconlet/resources/org/jdrupes/vmoperator/vmconlet/VmConlet-view.ftl.html
@@ -68,7 +68,7 @@
         </tr>
         <tr :id="scopedId(rowIndex)" v-if="$aash.isDisclosed(scopedId(rowIndex))"
           :class="[(rowIndex % 2) ? 'odd' : 'even']">
-          <td colspan="6" class="details">
+          <td colspan="8" class="details">
             <table class="table--basic table--basic--autoStriped">
               <tr>
                 <td>{{ localize("maximumCpus") }}</td>

From 28df6ede159571f93690c9b0a300867aa151277a Mon Sep 17 00:00:00 2001
From: "Michael N. Lipp" <mnl@mnl.de>
Date: Fri, 15 Nov 2024 15:29:19 +0100
Subject: [PATCH 032/274] Force fixed webconsole library.

---
 org.jdrupes.vmoperator.manager/build.gradle | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/org.jdrupes.vmoperator.manager/build.gradle b/org.jdrupes.vmoperator.manager/build.gradle
index ab41391..e286f7b 100644
--- a/org.jdrupes.vmoperator.manager/build.gradle
+++ b/org.jdrupes.vmoperator.manager/build.gradle
@@ -18,7 +18,7 @@ dependencies {
     implementation 'org.jgrapes:org.jgrapes.http:[3.5.0,4)'
     
     implementation 'org.jgrapes:org.jgrapes.webconsole.base:[2.1.0,3)'
-    implementation 'org.jgrapes:org.jgrapes.webconsole.vuejs:[1.5.0,2)'
+    implementation 'org.jgrapes:org.jgrapes.webconsole.vuejs:[1.8.0,2)'
     implementation 'org.jgrapes:org.jgrapes.webconsole.rbac:[1.4.0,2)'
     implementation 'org.jgrapes:org.jgrapes.webconlet.oidclogin:[1.7.0,2)'
     implementation 'org.jgrapes:org.jgrapes.webconlet.markdowndisplay:[1.2.0,2)'

From 31758b5ef107c33f029c442ef00e5748255259a0 Mon Sep 17 00:00:00 2001
From: "Michael N. Lipp" <mnl@mnl.de>
Date: Fri, 15 Nov 2024 17:30:50 +0100
Subject: [PATCH 033/274] Add fallbacks for efi vars as well.

---
 .../resources/org/jdrupes/vmoperator/runner/qemu/defaults.yaml | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/org.jdrupes.vmoperator.runner.qemu/resources/org/jdrupes/vmoperator/runner/qemu/defaults.yaml b/org.jdrupes.vmoperator.runner.qemu/resources/org/jdrupes/vmoperator/runner/qemu/defaults.yaml
index 32fdf55..600f0ad 100644
--- a/org.jdrupes.vmoperator.runner.qemu/resources/org/jdrupes/vmoperator/runner/qemu/defaults.yaml
+++ b/org.jdrupes.vmoperator.runner.qemu/resources/org/jdrupes/vmoperator/runner/qemu/defaults.yaml
@@ -15,6 +15,9 @@
       - "/usr/share/edk2/ovmf/OVMF_VARS.fd"
       - "/usr/share/edk2/x64/OVMF_VARS.fd"
       - "/usr/share/OVMF/OVMF_VARS.fd"
+      # Use 4M version as fallback (if smaller version not available)
+      - "/usr/share/edk2/ovmf-4m/OVMF_VARS.fd"
+      - "/usr/share/edk2/x64/OVMF_VARS.4m.fd"
   "uefi-4m":
     "rom":
       - "/usr/share/edk2/ovmf-4m/OVMF_CODE.fd"

From 13cd262a47c6f83f4102073d2060295223f74619 Mon Sep 17 00:00:00 2001
From: "Michael N. Lipp" <mnl@mnl.de>
Date: Sat, 16 Nov 2024 17:15:31 +0100
Subject: [PATCH 034/274] New CRD.

---
 deploy/crds/vmpools-crd.yaml | 59 ++++++++++++++++++++++++++++++++++++
 deploy/crds/vms-crd.yaml     |  7 +++++
 2 files changed, 66 insertions(+)
 create mode 100644 deploy/crds/vmpools-crd.yaml

diff --git a/deploy/crds/vmpools-crd.yaml b/deploy/crds/vmpools-crd.yaml
new file mode 100644
index 0000000..5f8414f
--- /dev/null
+++ b/deploy/crds/vmpools-crd.yaml
@@ -0,0 +1,59 @@
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  name: vmpools.vmoperator.jdrupes.org
+spec:
+  group: vmoperator.jdrupes.org
+  # list of versions supported by this CustomResourceDefinition
+  versions:
+    - name: v1
+      served: true
+      storage: true
+      schema:
+        openAPIV3Schema:
+          type: object
+          properties:
+            spec:
+              type: object
+              properties:
+                permissions:
+                  type: array
+                  description: >-
+                    Defines permissions for accessing and manipulating the Pool.
+                  items:
+                    type: object
+                    description: >-
+                      Permissions can be granted to a user or to a role.
+                    oneOf:
+                    - required:
+                      - user
+                    - required:
+                      - role
+                    properties:
+                      user:
+                        type: string
+                      role:
+                        type: string
+                      may:
+                        type: array
+                        items:
+                          type: string
+                          enum:
+                          - start
+                          - stop
+                          - reset
+                          - accessConsole
+                          - "*"
+                        default: []
+              required:
+              - permissions
+  # either Namespaced or Cluster
+  scope: Namespaced
+  names:
+    # plural name to be used in the URL: /apis/<group>/<version>/<plural>
+    plural: vmpools
+    # singular name to be used as an alias on the CLI and for display
+    singular: vmpool
+    # kind is normally the CamelCased singular type. Your resource manifests use this.
+    kind: VmPool
+    listKind: VmPoolList
diff --git a/deploy/crds/vms-crd.yaml b/deploy/crds/vms-crd.yaml
index 93c70cc..5f67b4c 100644
--- a/deploy/crds/vms-crd.yaml
+++ b/deploy/crds/vms-crd.yaml
@@ -1019,6 +1019,13 @@ spec:
                           - accessConsole
                           - "*"
                         default: []
+                pools:
+                  type: array
+                  description: >-
+                    List of pools to which this VM belongs.
+                  items:
+                    type: string
+                  default: []
                 loggingProperties:
                   type: string
                   description: >-

From dec4c11785f0c730736095ccefc350ae9782c0b9 Mon Sep 17 00:00:00 2001
From: "Michael N. Lipp" <mnl@mnl.de>
Date: Sat, 16 Nov 2024 17:33:37 +0100
Subject: [PATCH 035/274] Fix sync selection.

---
 .../jdrupes/vmoperator/vmviewer/VmViewer.java   | 17 ++++++++++++-----
 1 file changed, 12 insertions(+), 5 deletions(-)

diff --git a/org.jdrupes.vmoperator.vmviewer/src/org/jdrupes/vmoperator/vmviewer/VmViewer.java b/org.jdrupes.vmoperator.vmviewer/src/org/jdrupes/vmoperator/vmviewer/VmViewer.java
index f87b341..b0d8502 100644
--- a/org.jdrupes.vmoperator.vmviewer/src/org/jdrupes/vmoperator/vmviewer/VmViewer.java
+++ b/org.jdrupes.vmoperator.vmviewer/src/org/jdrupes/vmoperator/vmviewer/VmViewer.java
@@ -123,8 +123,8 @@ public class VmViewer extends FreeMarkerConlet<VmViewer.ViewerModel> {
     private static ObjectMapper objectMapper
         = new ObjectMapper().registerModule(new JavaTimeModule());
     private Class<?> preferredIpVersion = Inet4Address.class;
-    private Set<String> syncUsers = new HashSet<>();
-    private final Set<String> syncRoles = new HashSet<>();
+    private Set<String> syncUsers = Collections.emptySet();
+    private Set<String> syncRoles = Collections.emptySet();
     private boolean deleteConnectionFile = true;
 
     /**
@@ -173,12 +173,19 @@ public class VmViewer extends FreeMarkerConlet<VmViewer.ViewerModel> {
                         .filter(v -> v instanceof String).map(v -> (String) v)
                         .map(Boolean::parseBoolean).orElse(true);
 
-                // Sync preview for users or roles
+                // Users or roles for which previews should be synchronized
                 syncUsers = ((List<Map<String, String>>) c.getOrDefault(
                     "syncPreviewsFor", Collections.emptyList())).stream()
-                        .map(m -> Optional.ofNullable(m.get("user"))
-                            .orElse(m.get("role")))
+                        .map(m -> m.get("user"))
                         .filter(s -> s != null).collect(Collectors.toSet());
+                logger.finest(() -> "Syncing previews for users: "
+                    + syncUsers.toString());
+                syncRoles = ((List<Map<String, String>>) c.getOrDefault(
+                    "syncPreviewsFor", Collections.emptyList())).stream()
+                        .map(m -> m.get("role"))
+                        .filter(s -> s != null).collect(Collectors.toSet());
+                logger.finest(() -> "Syncing previews for roles: "
+                    + syncRoles.toString());
             } catch (ClassCastException e) {
                 logger.config("Malformed configuration: " + e.getMessage());
             }

From 5d90a6a8a9b4f1c8fe82982f2193bf6429b48320 Mon Sep 17 00:00:00 2001
From: "Michael N. Lipp" <mnl@mnl.de>
Date: Sun, 17 Nov 2024 12:21:16 +0100
Subject: [PATCH 036/274] Move test to tc1.

---
 dev-example/.gitignore          |  1 +
 dev-example/config.yaml         |  4 +-
 dev-example/gen-pool-vm-crds.sh | 47 +++++++++++++++++++++++
 dev-example/test-vm.tpl.yaml    | 67 +++++++++++++++++++++++++++++++++
 4 files changed, 117 insertions(+), 2 deletions(-)
 create mode 100755 dev-example/gen-pool-vm-crds.sh
 create mode 100644 dev-example/test-vm.tpl.yaml

diff --git a/dev-example/.gitignore b/dev-example/.gitignore
index 925478d..728072e 100644
--- a/dev-example/.gitignore
+++ b/dev-example/.gitignore
@@ -1 +1,2 @@
 /test-vm-ci.yaml
+/kubeconfig.yaml
diff --git a/dev-example/config.yaml b/dev-example/config.yaml
index af1f3b8..1c80ab8 100644
--- a/dev-example/config.yaml
+++ b/dev-example/config.yaml
@@ -7,8 +7,8 @@
   "/Controller":
     namespace: vmop-dev
     "/Reconciler":
-      runnerData:
-        storageClassName: null
+      runnerDataPvc:
+        storageClassName: rook-cephfs
       loadBalancerService:
         labels:
           label1: label1
diff --git a/dev-example/gen-pool-vm-crds.sh b/dev-example/gen-pool-vm-crds.sh
new file mode 100755
index 0000000..264e3ba
--- /dev/null
+++ b/dev-example/gen-pool-vm-crds.sh
@@ -0,0 +1,47 @@
+#!/bin/bash
+
+function usage() {
+  cat >&2 <<EOF
+Usage: $0 [OPTION]... [TEMPLATE]
+Generate VM CRDs using TEMPLATE.
+
+  -c, --count                 Count of VMs to generate
+  -d, --destination DIR       Generate into given directory (default: ".")
+  -h, --help                  Print this help
+  -p, --prefix PREFIX         Prefix for generated file (default: basename of template)
+EOF
+  exit 1  
+}
+
+count=0
+destination=.
+template=""
+prefix=""
+
+while [ "$#" -gt 0 ]; do
+  case "$1" in
+    -c|--count) shift; count=$1;;
+    -d|--destination) shift; destination="$1";;
+    -h|--help) shift; usage;;
+    -p|--prefix) shift; prefix="$1";;
+    -*) echo >&2 "Unknown option: $1"; exit 1;;
+    *) template="$1";;
+  esac
+  shift
+done
+
+if [ -z "$template" ]; then
+  usage
+fi
+
+if [ "$count" = "0" ]; then
+  exit 0
+fi
+for number in $(seq 1 $count); do
+  if [ -z "$prefix" ]; then
+    prefix=$(basename $template .tpl.yaml)
+  fi
+  name="$prefix$number"
+  index=$(($number - 1))
+  esh -o $destination/$name.yaml $template number=$number index=$index
+done
diff --git a/dev-example/test-vm.tpl.yaml b/dev-example/test-vm.tpl.yaml
new file mode 100644
index 0000000..aa6f3d1
--- /dev/null
+++ b/dev-example/test-vm.tpl.yaml
@@ -0,0 +1,67 @@
+apiVersion: "vmoperator.jdrupes.org/v1"
+kind: VirtualMachine
+metadata:
+  namespace: vmop-dev
+  name: test-vm<%= ${number} %>
+  annotations:
+    argocd.argoproj.io/sync-wave: "20"
+  
+spec:
+  image:
+#    repository: docker-registry.lan.mnl.de
+#    path: vmoperator/org.jdrupes.vmoperator.runner.qemu-arch
+#    pullPolicy: Always
+#    repository: ghcr.io
+#    path: mnlipp/org.jdrupes.vmoperator.runner.qemu-alpine
+#    version: "3.0.0"
+    source: registry.mnl.de/org/jdrupes/vm-operator/org.jdrupes.vmoperator.runner.qemu-arch:testing
+    pullPolicy: Always
+
+  permissions:
+  - role: admin
+    may: 
+    - "*"
+  - user: test
+    may:
+    - accessConsole
+
+  guestShutdownStops: true
+
+  cloudInit: {}
+
+  vm:
+    # state: Running
+    bootMenu: true
+    maximumCpus: 4
+    currentCpus: 2
+    maximumRam: 4Gi
+    currentRam: 3Gi
+  
+    networks:
+    # No bridge on TC1
+    # - tap: {}
+    - user: {}
+    
+    disks:
+    - volumeClaimTemplate:
+        metadata:
+          name: system
+        spec:
+          storageClassName: ceph-rbd3slow
+          dataSource:
+            name: test-vm-snapshot-1
+            kind: VolumeSnapshot
+            apiGroup: snapshot.storage.k8s.io
+          accessModes:
+            - ReadWriteOnce
+          resources:
+            requests:
+              storage: 40Gi
+    - cdrom:
+        image: ""
+        # image: https://download.fedoraproject.org/pub/fedora/linux/releases/38/Workstation/x86_64/iso/Fedora-Workstation-Live-x86_64-38-1.6.iso
+
+    display:
+      spice:
+        port: <%= $((5910 + number)) %>
+        server: 192.168.179.20

From e7da41f8388949a2418193e1e7f652ba15e84096 Mon Sep 17 00:00:00 2001
From: "Michael N. Lipp" <mnl@mnl.de>
Date: Sun, 17 Nov 2024 13:20:20 +0100
Subject: [PATCH 037/274] Fix summary evaluation.

---
 .../src/org/jdrupes/vmoperator/vmconlet/VmConlet.java           | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/org.jdrupes.vmoperator.vmconlet/src/org/jdrupes/vmoperator/vmconlet/VmConlet.java b/org.jdrupes.vmoperator.vmconlet/src/org/jdrupes/vmoperator/vmconlet/VmConlet.java
index 69418af..7244f56 100644
--- a/org.jdrupes.vmoperator.vmconlet/src/org/jdrupes/vmoperator/vmconlet/VmConlet.java
+++ b/org.jdrupes.vmoperator.vmconlet/src/org/jdrupes/vmoperator/vmconlet/VmConlet.java
@@ -329,7 +329,7 @@ public class VmConlet extends FreeMarkerConlet<VmConlet.VmsModel> {
                     .map(r -> Quantity.fromString(r).getNumber().toBigInteger())
                     .orElse(BigInteger.ZERO));
             summary.runningVms
-                = vmDef.<List<Map<String, Object>>> fromStatus("conditions")
+                += vmDef.<List<Map<String, Object>>> fromStatus("conditions")
                     .orElse(Collections.emptyList()).stream()
                     .filter(cond -> DataPath.get(cond, "type")
                         .map(t -> "Running".equals(t)).orElse(false)

From 043666a9328bce525a014f94d9d7e40182daf2e5 Mon Sep 17 00:00:00 2001
From: "Michael N. Lipp" <mnl@mnl.de>
Date: Sun, 17 Nov 2024 15:08:22 +0100
Subject: [PATCH 038/274] Generate test VMs.

---
 dev-example/.gitignore            |  1 +
 dev-example/test-vm-snapshot.yaml | 10 ++++++++++
 dev-example/test-vm.tpl.yaml      |  6 +++---
 3 files changed, 14 insertions(+), 3 deletions(-)
 create mode 100644 dev-example/test-vm-snapshot.yaml

diff --git a/dev-example/.gitignore b/dev-example/.gitignore
index 728072e..16e0d04 100644
--- a/dev-example/.gitignore
+++ b/dev-example/.gitignore
@@ -1,2 +1,3 @@
 /test-vm-ci.yaml
 /kubeconfig.yaml
+/crds/
diff --git a/dev-example/test-vm-snapshot.yaml b/dev-example/test-vm-snapshot.yaml
new file mode 100644
index 0000000..fd60a25
--- /dev/null
+++ b/dev-example/test-vm-snapshot.yaml
@@ -0,0 +1,10 @@
+---
+apiVersion: snapshot.storage.k8s.io/v1
+kind: VolumeSnapshot
+metadata:
+  namespace: vmop-dev
+  name: test-vm-system-disk-snapshot
+spec:
+  volumeSnapshotClassName: csi-rbdplugin-snapclass
+  source:
+    persistentVolumeClaimName:  test-vm-system-disk
diff --git a/dev-example/test-vm.tpl.yaml b/dev-example/test-vm.tpl.yaml
index aa6f3d1..6d8a89c 100644
--- a/dev-example/test-vm.tpl.yaml
+++ b/dev-example/test-vm.tpl.yaml
@@ -27,7 +27,8 @@ spec:
 
   guestShutdownStops: true
 
-  cloudInit: {}
+  cloudInit: 
+    metaData: {}
 
   vm:
     # state: Running
@@ -49,7 +50,7 @@ spec:
         spec:
           storageClassName: ceph-rbd3slow
           dataSource:
-            name: test-vm-snapshot-1
+            name: test-vm-system-disk-snapshot
             kind: VolumeSnapshot
             apiGroup: snapshot.storage.k8s.io
           accessModes:
@@ -64,4 +65,3 @@ spec:
     display:
       spice:
         port: <%= $((5910 + number)) %>
-        server: 192.168.179.20

From 4690b897e959629185c44dc7b080510147ee4356 Mon Sep 17 00:00:00 2001
From: "Michael N. Lipp" <mnl@mnl.de>
Date: Sun, 17 Nov 2024 16:32:55 +0100
Subject: [PATCH 039/274] Adapt to changed timestamp format.

---
 .../jdrupes/vmoperator/vmconlet/browser/VmConlet-functions.ts  | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/org.jdrupes.vmoperator.vmconlet/src/org/jdrupes/vmoperator/vmconlet/browser/VmConlet-functions.ts b/org.jdrupes.vmoperator.vmconlet/src/org/jdrupes/vmoperator/vmconlet/browser/VmConlet-functions.ts
index cfda2de..01bd897 100644
--- a/org.jdrupes.vmoperator.vmconlet/src/org/jdrupes/vmoperator/vmconlet/browser/VmConlet-functions.ts
+++ b/org.jdrupes.vmoperator.vmconlet/src/org/jdrupes/vmoperator/vmconlet/browser/VmConlet-functions.ts
@@ -204,8 +204,7 @@ JGConsole.registerConletFunction("org.jdrupes.vmoperator.vmconlet.VmConlet",
     "summarySeries", function(_conletId: string, series: any[]) {
         chartData.clear();
         for (const entry of series) {
-            chartData.push(new Date(entry.time.epochSecond * 1000
-                + entry.time.nano / 1000000),
+            chartData.push(new Date(entry.time * 1000),
                 entry.values[0], entry.values[1]);
         }
         chartDateUpdate.value = new Date();

From 00adeba62521d263add55311885b5e6c70422e15 Mon Sep 17 00:00:00 2001
From: "Michael N. Lipp" <mnl@mnl.de>
Date: Tue, 19 Nov 2024 17:10:55 +0100
Subject: [PATCH 040/274] Add pool manager.

---
 .../jdrupes/vmoperator/common/Constants.java  |   3 +
 .../org/jdrupes/vmoperator/common/VmPool.java | 164 +++++++++++++++
 .../manager/events/VmPoolChanged.java         |  88 ++++++++
 org.jdrupes.vmoperator.manager/build.gradle   |   1 +
 .../vmoperator/manager/Controller.java        |   1 +
 .../vmoperator/manager/PoolManager.java       | 191 ++++++++++++++++++
 6 files changed, 448 insertions(+)
 create mode 100644 org.jdrupes.vmoperator.common/src/org/jdrupes/vmoperator/common/VmPool.java
 create mode 100644 org.jdrupes.vmoperator.manager.events/src/org/jdrupes/vmoperator/manager/events/VmPoolChanged.java
 create mode 100644 org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/PoolManager.java

diff --git a/org.jdrupes.vmoperator.common/src/org/jdrupes/vmoperator/common/Constants.java b/org.jdrupes.vmoperator.common/src/org/jdrupes/vmoperator/common/Constants.java
index 150bb3b..5837264 100644
--- a/org.jdrupes.vmoperator.common/src/org/jdrupes/vmoperator/common/Constants.java
+++ b/org.jdrupes.vmoperator.common/src/org/jdrupes/vmoperator/common/Constants.java
@@ -38,4 +38,7 @@ public class Constants {
 
     /** The Constant VM_OP_KIND_VM. */
     public static final String VM_OP_KIND_VM = "VirtualMachine";
+
+    /** The Constant VM_OP_KIND_VM_POOL. */
+    public static final String VM_OP_KIND_VM_POOL = "VmPool";
 }
diff --git a/org.jdrupes.vmoperator.common/src/org/jdrupes/vmoperator/common/VmPool.java b/org.jdrupes.vmoperator.common/src/org/jdrupes/vmoperator/common/VmPool.java
new file mode 100644
index 0000000..aaa2746
--- /dev/null
+++ b/org.jdrupes.vmoperator.common/src/org/jdrupes/vmoperator/common/VmPool.java
@@ -0,0 +1,164 @@
+/*
+ * VM-Operator
+ * Copyright (C) 2024 Michael N. Lipp
+ * 
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as
+ * published by the Free Software Foundation, either version 3 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program.  If not, see <https://www.gnu.org/licenses/>.
+ */
+
+package org.jdrupes.vmoperator.common;
+
+import java.util.Collections;
+import java.util.EnumSet;
+import java.util.HashMap;
+import java.util.HashSet;
+import java.util.List;
+import java.util.Map;
+import java.util.Set;
+
+/**
+ * Represents a VM pool.
+ */
+@SuppressWarnings({ "PMD.DataClass" })
+public class VmPool {
+
+    private String name;
+    private List<Grant> permissions = Collections.emptyList();
+    private final Set<String> vms
+        = Collections.synchronizedSet(new HashSet<>());
+
+    /**
+     * Returns the name.
+     *
+     * @return the name
+     */
+    public String name() {
+        return name;
+    }
+
+    /**
+     * Sets the name.
+     *
+     * @param name the name to set
+     */
+    public void setName(String name) {
+        this.name = name;
+    }
+
+    /**
+     * @return the permissions
+     */
+    public List<Grant> permissions() {
+        return permissions;
+    }
+
+    /**
+     * Sets the permissions.
+     *
+     * @param permissions the permissions to set
+     */
+    public void setPermissions(List<Grant> permissions) {
+        this.permissions = permissions;
+    }
+
+    /**
+     * Returns the VM names.
+     *
+     * @return the vms
+     */
+    public Set<String> vms() {
+        return vms;
+    }
+
+    @Override
+    @SuppressWarnings("PMD.AvoidLiteralsInIfCondition")
+    public String toString() {
+        StringBuilder builder = new StringBuilder(50);
+        builder.append("VmPool [name=").append(name).append(", permissions=")
+            .append(permissions).append(", vms=");
+        if (vms.size() <= 3) {
+            builder.append(vms);
+        } else {
+            builder.append('[');
+            vms.stream().limit(3).map(s -> s + ",").forEach(builder::append);
+            builder.append("...]");
+        }
+        builder.append(']');
+        return builder.toString();
+    }
+
+    /**
+     * A permission grant to a user or role.
+     *
+     * @param user the user
+     * @param role the role
+     * @param may the may
+     */
+    public record Grant(String user, String role, Set<Permission> may) {
+
+        @Override
+        public String toString() {
+            StringBuilder builder = new StringBuilder();
+            if (user != null) {
+                builder.append("User ").append(user);
+            } else {
+                builder.append("Role ").append(role);
+            }
+            builder.append(" may=").append(may).append(']');
+            return builder.toString();
+        }
+    }
+
+    /**
+     * Permissions for accessing and manipulating the pool.
+     */
+    public enum Permission {
+        START("start"), STOP("stop"), RESET("reset"),
+        ACCESS_CONSOLE("accessConsole");
+
+        @SuppressWarnings("PMD.UseConcurrentHashMap")
+        private static Map<String, Permission> reprs = new HashMap<>();
+
+        static {
+            for (var value : EnumSet.allOf(Permission.class)) {
+                reprs.put(value.repr, value);
+            }
+        }
+
+        private final String repr;
+
+        Permission(String repr) {
+            this.repr = repr;
+        }
+
+        /**
+         * Create permission from representation in CRD.
+         *
+         * @param value the value
+         * @return the permission
+         */
+        @SuppressWarnings("PMD.AvoidLiteralsInIfCondition")
+        public static Set<Permission> parse(String value) {
+            if ("*".equals(value)) {
+                return EnumSet.allOf(Permission.class);
+            }
+            return Set.of(reprs.get(value));
+        }
+
+        @Override
+        public String toString() {
+            return repr;
+        }
+    }
+
+}
diff --git a/org.jdrupes.vmoperator.manager.events/src/org/jdrupes/vmoperator/manager/events/VmPoolChanged.java b/org.jdrupes.vmoperator.manager.events/src/org/jdrupes/vmoperator/manager/events/VmPoolChanged.java
new file mode 100644
index 0000000..0c506a1
--- /dev/null
+++ b/org.jdrupes.vmoperator.manager.events/src/org/jdrupes/vmoperator/manager/events/VmPoolChanged.java
@@ -0,0 +1,88 @@
+/*
+ * VM-Operator
+ * Copyright (C) 2023 Michael N. Lipp
+ * 
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as
+ * published by the Free Software Foundation, either version 3 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program.  If not, see <https://www.gnu.org/licenses/>.
+ */
+
+package org.jdrupes.vmoperator.manager.events;
+
+import org.jdrupes.vmoperator.common.VmPool;
+import org.jgrapes.core.Channel;
+import org.jgrapes.core.Components;
+import org.jgrapes.core.Event;
+
+/**
+ * Indicates a change in a pool configuration. 
+ */
+@SuppressWarnings("PMD.DataClass")
+public class VmPoolChanged extends Event<Void> {
+
+    private final VmPool vmPool;
+    private final boolean deleted;
+
+    /**
+     * Instantiates a new VM changed event.
+     *
+     * @param pool the pool
+     * @param deleted true, if the pool was deleted
+     */
+    public VmPoolChanged(VmPool pool, boolean deleted) {
+        vmPool = pool;
+        this.deleted = deleted;
+    }
+
+    /**
+     * Instantiates a new VM changed event for an existing pool.
+     *
+     * @param pool the pool
+     */
+    public VmPoolChanged(VmPool pool) {
+        this(pool, false);
+    }
+
+    /**
+     * Returns the VM pool.
+     *
+     * @return the vm pool
+     */
+    public VmPool vmPool() {
+        return vmPool;
+    }
+
+    /**
+     * Pool has been deleted.
+     *
+     * @return true, if successful
+     */
+    public boolean deleted() {
+        return deleted;
+    }
+
+    @Override
+    public String toString() {
+        StringBuilder builder = new StringBuilder(30);
+        builder.append(Components.objectName(this))
+            .append(" [");
+        if (deleted) {
+            builder.append("Deleted: ");
+        }
+        builder.append(vmPool);
+        if (channels() != null) {
+            builder.append(", channels=").append(Channel.toString(channels()));
+        }
+        builder.append(']');
+        return builder.toString();
+    }
+}
diff --git a/org.jdrupes.vmoperator.manager/build.gradle b/org.jdrupes.vmoperator.manager/build.gradle
index e286f7b..d3d80cb 100644
--- a/org.jdrupes.vmoperator.manager/build.gradle
+++ b/org.jdrupes.vmoperator.manager/build.gradle
@@ -33,6 +33,7 @@ dependencies {
 
     runtimeOnly project(':org.jdrupes.vmoperator.vmconlet')
     runtimeOnly project(':org.jdrupes.vmoperator.vmviewer')
+    runtimeOnly project(':org.jdrupes.vmoperator.poolaccess')
 }
 
 application {
diff --git a/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/Controller.java b/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/Controller.java
index effc938..d847785 100644
--- a/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/Controller.java
+++ b/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/Controller.java
@@ -106,6 +106,7 @@ public class Controller extends Component {
         // to access the VM's console. Might change in the future.
         // attach(new ServiceMonitor(channel()).channelManager(chanMgr));
         attach(new Reconciler(channel()));
+        attach(new PoolManager(channel()));
     }
 
     /**
diff --git a/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/PoolManager.java b/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/PoolManager.java
new file mode 100644
index 0000000..f47c569
--- /dev/null
+++ b/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/PoolManager.java
@@ -0,0 +1,191 @@
+/*
+ * VM-Operator
+ * Copyright (C) 2023,2024 Michael N. Lipp
+ * 
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as
+ * published by the Free Software Foundation, either version 3 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program.  If not, see <https://www.gnu.org/licenses/>.
+ */
+
+package org.jdrupes.vmoperator.manager;
+
+import io.kubernetes.client.openapi.ApiException;
+import io.kubernetes.client.openapi.models.V1ObjectMeta;
+import io.kubernetes.client.util.Watch;
+import java.io.IOException;
+import java.util.Collections;
+import java.util.HashSet;
+import java.util.List;
+import java.util.Map;
+import java.util.Optional;
+import java.util.Set;
+import java.util.concurrent.ConcurrentHashMap;
+import java.util.concurrent.locks.ReentrantLock;
+import static org.jdrupes.vmoperator.common.Constants.VM_OP_GROUP;
+import org.jdrupes.vmoperator.common.K8s;
+import org.jdrupes.vmoperator.common.K8sClient;
+import org.jdrupes.vmoperator.common.K8sDynamicModel;
+import org.jdrupes.vmoperator.common.K8sDynamicModels;
+import org.jdrupes.vmoperator.common.K8sDynamicStub;
+import org.jdrupes.vmoperator.common.K8sObserver.ResponseType;
+import org.jdrupes.vmoperator.common.VmPool;
+import static org.jdrupes.vmoperator.manager.Constants.VM_OP_KIND_VM_POOL;
+import org.jdrupes.vmoperator.manager.events.VmDefChanged;
+import org.jdrupes.vmoperator.manager.events.VmPoolChanged;
+import org.jdrupes.vmoperator.util.GsonPtr;
+import org.jgrapes.core.Channel;
+import org.jgrapes.core.annotation.Handler;
+
+/**
+ * Watches for changes of VM pools.
+ */
+@SuppressWarnings({ "PMD.DataflowAnomalyAnalysis", "PMD.ExcessiveImports" })
+public class PoolManager extends
+        AbstractMonitor<K8sDynamicModel, K8sDynamicModels, Channel> {
+
+    private final ReentrantLock pendingLock = new ReentrantLock();
+    private final Map<String, Set<String>> pending = new ConcurrentHashMap<>();
+    private final Map<String, VmPool> pools = new ConcurrentHashMap<>();
+
+    /**
+     * Instantiates a new VM pool manager.
+     *
+     * @param componentChannel the component channel
+     * @param channelManager the channel manager
+     */
+    public PoolManager(Channel componentChannel) {
+        super(componentChannel, K8sDynamicModel.class,
+            K8sDynamicModels.class);
+    }
+
+    @Override
+    protected void prepareMonitoring() throws IOException, ApiException {
+        client(new K8sClient());
+
+        // Get all our API versions
+        var ctx = K8s.context(client(), VM_OP_GROUP, "", VM_OP_KIND_VM_POOL);
+        if (ctx.isEmpty()) {
+            logger.severe(() -> "Cannot get CRD context.");
+            return;
+        }
+        context(ctx.get());
+    }
+
+    @Override
+    protected void handleChange(K8sClient client,
+            Watch.Response<K8sDynamicModel> response) {
+
+        var type = ResponseType.valueOf(response.type);
+        var poolName = response.object.metadata().getName();
+
+        // When pool is deleted, save VMs in pending
+        if (type == ResponseType.DELETED) {
+            try {
+                pendingLock.lock();
+                Optional.ofNullable(pools.get(poolName)).ifPresent(
+                    p -> {
+                        pending.computeIfAbsent(poolName, k -> Collections
+                            .synchronizedSet(new HashSet<>())).addAll(p.vms());
+                        pools.remove(poolName);
+                        fire(new VmPoolChanged(p, true));
+                    });
+            } finally {
+                pendingLock.unlock();
+            }
+            return;
+        }
+
+        // Get full definition
+        var poolModel = response.object;
+        if (poolModel.data() == null) {
+            // ADDED event does not provide data, see
+            // https://github.com/kubernetes-client/java/issues/3215
+            try {
+                poolModel = K8sDynamicStub.get(client(), context(), namespace(),
+                    poolModel.metadata().getName()).model().orElse(null);
+            } catch (ApiException e) {
+                return;
+            }
+        }
+
+        // Convert to VM pool
+        var vmPool = client().getJSON().getGson().fromJson(
+            GsonPtr.to(poolModel.data()).to("spec").get(),
+            VmPool.class);
+        V1ObjectMeta metadata = response.object.getMetadata();
+        vmPool.setName(metadata.getName());
+
+        // If modified, merge changes
+        if (type == ResponseType.MODIFIED && pools.containsKey(poolName)) {
+            pools.get(poolName).setPermissions(vmPool.permissions());
+            return;
+        }
+
+        // Add new pool
+        try {
+            pendingLock.lock();
+            Optional.ofNullable(pending.get(poolName)).ifPresent(s -> {
+                vmPool.vms().addAll(s);
+            });
+            pending.remove(poolName);
+            pools.put(poolName, vmPool);
+            fire(new VmPoolChanged(vmPool));
+        } finally {
+            pendingLock.unlock();
+        }
+    }
+
+    /**
+     * Track VM definition changes.
+     *
+     * @param event the event
+     */
+    @Handler
+    public void onVmDefChanged(VmDefChanged event) {
+        String vmName = event.vmDefinition().name();
+        switch (event.type()) {
+        case ADDED:
+            try {
+                pendingLock.lock();
+                event.vmDefinition().<List<String>> fromSpec("pools")
+                    .orElse(Collections.emptyList()).stream().forEach(p -> {
+                        if (pools.containsKey(p)) {
+                            pools.get(p).vms().add(vmName);
+                        } else {
+                            pending.computeIfAbsent(p, k -> Collections
+                                .synchronizedSet(new HashSet<>())).add(vmName);
+                        }
+                        fire(new VmPoolChanged(pools.get(p)));
+                    });
+            } finally {
+                pendingLock.unlock();
+            }
+            break;
+        case DELETED:
+            try {
+                pendingLock.lock();
+                pools.values().stream().forEach(p -> {
+                    if (p.vms().remove(vmName)) {
+                        fire(new VmPoolChanged(p));
+                    }
+                });
+                // Should not be necessary, but just in case
+                pending.values().stream().forEach(s -> s.remove(vmName));
+            } finally {
+                pendingLock.unlock();
+            }
+            break;
+        default:
+            break;
+        }
+    }
+}

From 27f983c18d9f51668b9e7c619ab5bc6248e2a268 Mon Sep 17 00:00:00 2001
From: "Michael N. Lipp" <mnl@mnl.de>
Date: Sat, 23 Nov 2024 12:50:25 +0100
Subject: [PATCH 041/274] Rename vmviewer to vmaccess.

---
 org.jdrupes.vmoperator.manager/build.gradle   |   2 +-
 .../.checkstyle                               |   0
 .../.eclipse-pmd                              |   0
 .../.eslintignore                             |   0
 .../.eslintrc.json                            |   0
 .../.gitignore                                |   0
 .../org.eclipse.buildship.core.prefs          |   0
 .../org.eclipse.core.resources.prefs          |   0
 .../.settings/org.eclipse.core.runtime.prefs  |   0
 .../.settings/org.eclipse.jdt.ui.prefs        |   0
 .../build.gradle                              |   0
 .../package.json                              |   0
 ...pes.webconsole.base.ConletComponentFactory |   1 +
 .../vmaccess/VmAccess-confirmReset.ftl.html   |   4 +--
 .../vmaccess/VmAccess-edit.ftl.html           |   6 ++--
 .../vmaccess/VmAccess-l10nBundles.ftl.js      |   0
 .../vmaccess/VmAccess-preview.ftl.html        |   4 +--
 .../vmoperator/vmaccess}/computer-in-use.svg  |   0
 .../vmoperator/vmaccess}/computer-off.svg     |   0
 .../jdrupes/vmoperator/vmaccess}/computer.svg |   0
 .../vmoperator/vmaccess}/l10n.properties      |   2 +-
 .../vmoperator/vmaccess}/l10n_de.properties   |   2 +-
 .../vmoperator/vmaccess}/l10n_en.properties   |   0
 .../vmoperator/vmaccess}/reset-icon.svg       |   0
 .../rollup.config.mjs                         |   4 +--
 .../jdrupes/vmoperator/vmaccess/VmAccess.java |  24 ++++++-------
 .../vmoperator/vmaccess/VmAccessFactory.java  |  10 +++---
 .../vmaccess/browser/VmAccess-functions.ts    |  32 +++++++++---------
 .../vmaccess/browser/VmAccess-style.scss      |  10 +++---
 .../vmaccess}/browser/l10nBundles-stub.d.ts   |   0
 .../vmoperator/vmaccess}/package-info.java    |   4 +--
 .../tsconfig.json                             |   2 +-
 ...pes.webconsole.base.ConletComponentFactory |   1 -
 settings.gradle                               |   2 ++
 ...iewer-preview.png => VmAccess-preview.png} | Bin
 webpages/vm-operator/user-gui.md              |   4 +--
 36 files changed, 58 insertions(+), 56 deletions(-)
 rename {org.jdrupes.vmoperator.vmviewer => org.jdrupes.vmoperator.vmaccess}/.checkstyle (100%)
 rename {org.jdrupes.vmoperator.vmviewer => org.jdrupes.vmoperator.vmaccess}/.eclipse-pmd (100%)
 rename {org.jdrupes.vmoperator.vmviewer => org.jdrupes.vmoperator.vmaccess}/.eslintignore (100%)
 rename {org.jdrupes.vmoperator.vmviewer => org.jdrupes.vmoperator.vmaccess}/.eslintrc.json (100%)
 rename {org.jdrupes.vmoperator.vmviewer => org.jdrupes.vmoperator.vmaccess}/.gitignore (100%)
 rename {org.jdrupes.vmoperator.vmviewer => org.jdrupes.vmoperator.vmaccess}/.settings/org.eclipse.buildship.core.prefs (100%)
 rename {org.jdrupes.vmoperator.vmviewer => org.jdrupes.vmoperator.vmaccess}/.settings/org.eclipse.core.resources.prefs (100%)
 rename {org.jdrupes.vmoperator.vmviewer => org.jdrupes.vmoperator.vmaccess}/.settings/org.eclipse.core.runtime.prefs (100%)
 rename {org.jdrupes.vmoperator.vmviewer => org.jdrupes.vmoperator.vmaccess}/.settings/org.eclipse.jdt.ui.prefs (100%)
 rename {org.jdrupes.vmoperator.vmviewer => org.jdrupes.vmoperator.vmaccess}/build.gradle (100%)
 rename {org.jdrupes.vmoperator.vmviewer => org.jdrupes.vmoperator.vmaccess}/package.json (100%)
 create mode 100644 org.jdrupes.vmoperator.vmaccess/resources/META-INF/services/org.jgrapes.webconsole.base.ConletComponentFactory
 rename org.jdrupes.vmoperator.vmviewer/resources/org/jdrupes/vmoperator/vmviewer/VmViewer-confirmReset.ftl.html => org.jdrupes.vmoperator.vmaccess/resources/org/jdrupes/vmoperator/vmaccess/VmAccess-confirmReset.ftl.html (91%)
 rename org.jdrupes.vmoperator.vmviewer/resources/org/jdrupes/vmoperator/vmviewer/VmViewer-edit.ftl.html => org.jdrupes.vmoperator.vmaccess/resources/org/jdrupes/vmoperator/vmaccess/VmAccess-edit.ftl.html (73%)
 rename org.jdrupes.vmoperator.vmviewer/resources/org/jdrupes/vmoperator/vmviewer/VmViewer-l10nBundles.ftl.js => org.jdrupes.vmoperator.vmaccess/resources/org/jdrupes/vmoperator/vmaccess/VmAccess-l10nBundles.ftl.js (100%)
 rename org.jdrupes.vmoperator.vmviewer/resources/org/jdrupes/vmoperator/vmviewer/VmViewer-preview.ftl.html => org.jdrupes.vmoperator.vmaccess/resources/org/jdrupes/vmoperator/vmaccess/VmAccess-preview.ftl.html (59%)
 rename {org.jdrupes.vmoperator.vmviewer/resources/org/jdrupes/vmoperator/vmviewer => org.jdrupes.vmoperator.vmaccess/resources/org/jdrupes/vmoperator/vmaccess}/computer-in-use.svg (100%)
 rename {org.jdrupes.vmoperator.vmviewer/resources/org/jdrupes/vmoperator/vmviewer => org.jdrupes.vmoperator.vmaccess/resources/org/jdrupes/vmoperator/vmaccess}/computer-off.svg (100%)
 rename {org.jdrupes.vmoperator.vmviewer/resources/org/jdrupes/vmoperator/vmviewer => org.jdrupes.vmoperator.vmaccess/resources/org/jdrupes/vmoperator/vmaccess}/computer.svg (100%)
 rename {org.jdrupes.vmoperator.vmviewer/resources/org/jdrupes/vmoperator/vmviewer => org.jdrupes.vmoperator.vmaccess/resources/org/jdrupes/vmoperator/vmaccess}/l10n.properties (86%)
 rename {org.jdrupes.vmoperator.vmviewer/resources/org/jdrupes/vmoperator/vmviewer => org.jdrupes.vmoperator.vmaccess/resources/org/jdrupes/vmoperator/vmaccess}/l10n_de.properties (93%)
 rename {org.jdrupes.vmoperator.vmviewer/resources/org/jdrupes/vmoperator/vmviewer => org.jdrupes.vmoperator.vmaccess/resources/org/jdrupes/vmoperator/vmaccess}/l10n_en.properties (100%)
 rename {org.jdrupes.vmoperator.vmviewer/resources/org/jdrupes/vmoperator/vmviewer => org.jdrupes.vmoperator.vmaccess/resources/org/jdrupes/vmoperator/vmaccess}/reset-icon.svg (100%)
 rename {org.jdrupes.vmoperator.vmviewer => org.jdrupes.vmoperator.vmaccess}/rollup.config.mjs (92%)
 rename org.jdrupes.vmoperator.vmviewer/src/org/jdrupes/vmoperator/vmviewer/VmViewer.java => org.jdrupes.vmoperator.vmaccess/src/org/jdrupes/vmoperator/vmaccess/VmAccess.java (97%)
 rename org.jdrupes.vmoperator.vmviewer/src/org/jdrupes/vmoperator/vmviewer/VmViewerFactory.java => org.jdrupes.vmoperator.vmaccess/src/org/jdrupes/vmoperator/vmaccess/VmAccessFactory.java (85%)
 rename org.jdrupes.vmoperator.vmviewer/src/org/jdrupes/vmoperator/vmviewer/browser/VmViewer-functions.ts => org.jdrupes.vmoperator.vmaccess/src/org/jdrupes/vmoperator/vmaccess/browser/VmAccess-functions.ts (91%)
 rename org.jdrupes.vmoperator.vmviewer/src/org/jdrupes/vmoperator/vmviewer/browser/VmViewer-style.scss => org.jdrupes.vmoperator.vmaccess/src/org/jdrupes/vmoperator/vmaccess/browser/VmAccess-style.scss (87%)
 rename {org.jdrupes.vmoperator.vmviewer/src/org/jdrupes/vmoperator/vmviewer => org.jdrupes.vmoperator.vmaccess/src/org/jdrupes/vmoperator/vmaccess}/browser/l10nBundles-stub.d.ts (100%)
 rename {org.jdrupes.vmoperator.vmviewer/src/org/jdrupes/vmoperator/vmviewer => org.jdrupes.vmoperator.vmaccess/src/org/jdrupes/vmoperator/vmaccess}/package-info.java (89%)
 rename {org.jdrupes.vmoperator.vmviewer => org.jdrupes.vmoperator.vmaccess}/tsconfig.json (92%)
 delete mode 100644 org.jdrupes.vmoperator.vmviewer/resources/META-INF/services/org.jgrapes.webconsole.base.ConletComponentFactory
 rename webpages/vm-operator/{VmViewer-preview.png => VmAccess-preview.png} (100%)

diff --git a/org.jdrupes.vmoperator.manager/build.gradle b/org.jdrupes.vmoperator.manager/build.gradle
index d3d80cb..f5ffe2c 100644
--- a/org.jdrupes.vmoperator.manager/build.gradle
+++ b/org.jdrupes.vmoperator.manager/build.gradle
@@ -31,8 +31,8 @@ dependencies {
     runtimeOnly 'org.slf4j:slf4j-jdk14:[2.0.7,3)'
     runtimeOnly 'org.apache.logging.log4j:log4j-to-jul:2.20.0'
 
+    runtimeOnly project(':org.jdrupes.vmoperator.vmaccess')
     runtimeOnly project(':org.jdrupes.vmoperator.vmconlet')
-    runtimeOnly project(':org.jdrupes.vmoperator.vmviewer')
     runtimeOnly project(':org.jdrupes.vmoperator.poolaccess')
 }
 
diff --git a/org.jdrupes.vmoperator.vmviewer/.checkstyle b/org.jdrupes.vmoperator.vmaccess/.checkstyle
similarity index 100%
rename from org.jdrupes.vmoperator.vmviewer/.checkstyle
rename to org.jdrupes.vmoperator.vmaccess/.checkstyle
diff --git a/org.jdrupes.vmoperator.vmviewer/.eclipse-pmd b/org.jdrupes.vmoperator.vmaccess/.eclipse-pmd
similarity index 100%
rename from org.jdrupes.vmoperator.vmviewer/.eclipse-pmd
rename to org.jdrupes.vmoperator.vmaccess/.eclipse-pmd
diff --git a/org.jdrupes.vmoperator.vmviewer/.eslintignore b/org.jdrupes.vmoperator.vmaccess/.eslintignore
similarity index 100%
rename from org.jdrupes.vmoperator.vmviewer/.eslintignore
rename to org.jdrupes.vmoperator.vmaccess/.eslintignore
diff --git a/org.jdrupes.vmoperator.vmviewer/.eslintrc.json b/org.jdrupes.vmoperator.vmaccess/.eslintrc.json
similarity index 100%
rename from org.jdrupes.vmoperator.vmviewer/.eslintrc.json
rename to org.jdrupes.vmoperator.vmaccess/.eslintrc.json
diff --git a/org.jdrupes.vmoperator.vmviewer/.gitignore b/org.jdrupes.vmoperator.vmaccess/.gitignore
similarity index 100%
rename from org.jdrupes.vmoperator.vmviewer/.gitignore
rename to org.jdrupes.vmoperator.vmaccess/.gitignore
diff --git a/org.jdrupes.vmoperator.vmviewer/.settings/org.eclipse.buildship.core.prefs b/org.jdrupes.vmoperator.vmaccess/.settings/org.eclipse.buildship.core.prefs
similarity index 100%
rename from org.jdrupes.vmoperator.vmviewer/.settings/org.eclipse.buildship.core.prefs
rename to org.jdrupes.vmoperator.vmaccess/.settings/org.eclipse.buildship.core.prefs
diff --git a/org.jdrupes.vmoperator.vmviewer/.settings/org.eclipse.core.resources.prefs b/org.jdrupes.vmoperator.vmaccess/.settings/org.eclipse.core.resources.prefs
similarity index 100%
rename from org.jdrupes.vmoperator.vmviewer/.settings/org.eclipse.core.resources.prefs
rename to org.jdrupes.vmoperator.vmaccess/.settings/org.eclipse.core.resources.prefs
diff --git a/org.jdrupes.vmoperator.vmviewer/.settings/org.eclipse.core.runtime.prefs b/org.jdrupes.vmoperator.vmaccess/.settings/org.eclipse.core.runtime.prefs
similarity index 100%
rename from org.jdrupes.vmoperator.vmviewer/.settings/org.eclipse.core.runtime.prefs
rename to org.jdrupes.vmoperator.vmaccess/.settings/org.eclipse.core.runtime.prefs
diff --git a/org.jdrupes.vmoperator.vmviewer/.settings/org.eclipse.jdt.ui.prefs b/org.jdrupes.vmoperator.vmaccess/.settings/org.eclipse.jdt.ui.prefs
similarity index 100%
rename from org.jdrupes.vmoperator.vmviewer/.settings/org.eclipse.jdt.ui.prefs
rename to org.jdrupes.vmoperator.vmaccess/.settings/org.eclipse.jdt.ui.prefs
diff --git a/org.jdrupes.vmoperator.vmviewer/build.gradle b/org.jdrupes.vmoperator.vmaccess/build.gradle
similarity index 100%
rename from org.jdrupes.vmoperator.vmviewer/build.gradle
rename to org.jdrupes.vmoperator.vmaccess/build.gradle
diff --git a/org.jdrupes.vmoperator.vmviewer/package.json b/org.jdrupes.vmoperator.vmaccess/package.json
similarity index 100%
rename from org.jdrupes.vmoperator.vmviewer/package.json
rename to org.jdrupes.vmoperator.vmaccess/package.json
diff --git a/org.jdrupes.vmoperator.vmaccess/resources/META-INF/services/org.jgrapes.webconsole.base.ConletComponentFactory b/org.jdrupes.vmoperator.vmaccess/resources/META-INF/services/org.jgrapes.webconsole.base.ConletComponentFactory
new file mode 100644
index 0000000..ec5cf30
--- /dev/null
+++ b/org.jdrupes.vmoperator.vmaccess/resources/META-INF/services/org.jgrapes.webconsole.base.ConletComponentFactory
@@ -0,0 +1 @@
+org.jdrupes.vmoperator.vmaccess.VmAccessFactory
diff --git a/org.jdrupes.vmoperator.vmviewer/resources/org/jdrupes/vmoperator/vmviewer/VmViewer-confirmReset.ftl.html b/org.jdrupes.vmoperator.vmaccess/resources/org/jdrupes/vmoperator/vmaccess/VmAccess-confirmReset.ftl.html
similarity index 91%
rename from org.jdrupes.vmoperator.vmviewer/resources/org/jdrupes/vmoperator/vmviewer/VmViewer-confirmReset.ftl.html
rename to org.jdrupes.vmoperator.vmaccess/resources/org/jdrupes/vmoperator/vmaccess/VmAccess-confirmReset.ftl.html
index f7e3840..d7b9405 100644
--- a/org.jdrupes.vmoperator.vmviewer/resources/org/jdrupes/vmoperator/vmviewer/VmViewer-confirmReset.ftl.html
+++ b/org.jdrupes.vmoperator.vmaccess/resources/org/jdrupes/vmoperator/vmaccess/VmAccess-confirmReset.ftl.html
@@ -1,9 +1,9 @@
 <div 
-  class="jdrupes-vmoperator-vmviewer jdrupes-vmoperator-vmviewer-confirm-reset">
+  class="jdrupes-vmoperator-vmaccess jdrupes-vmoperator-vmaccess-confirm-reset">
   <p>${_("confirmResetMsg")}</p>
   <p>
     <span role="button" tabindex="0" class="svg-icon"
-      onclick="orgJDrupesVmOperatorVmViewer.confirmReset('${conletType}', '${conletId}')">
+      onclick="orgJDrupesVmOperatorVmAccess.confirmReset('${conletType}', '${conletId}')">
       <svg viewBox="0 0 1541.33 1535.5083">
         <path d="m 0,127.9968 v 448 c 0,35 29,64 64,64 h 448 c 35,0 64,-29 64,-64 0,-17 -6.92831,-33.07213 -19,-45 C 264.23058,241.7154 337.19508,314.89599 109,82.996795 c -11.999999,-12 -28,-19 -45,-19 -35,0 -64,29 -64,64.000005 z" />
         <path d="m 772.97656,1535.5046 c 117.57061,0.3623 236.06134,-26.2848 345.77544,-81.4687 292.5708,-147.1572 459.8088,-465.37411 415.5214,-790.12504 C 1489.9861,339.15993 1243.597,77.463924 922.29883,14.342498 601.00067,-48.778928 274.05699,100.37563 110.62891,384.39133 c -34.855139,60.57216 -14.006492,137.9313 46.5664,172.78516 60.57172,34.85381 137.92941,14.00532 172.78321,-46.56641 109.97944,-191.12927 327.69604,-290.34657 543.53515,-247.94336 215.83913,42.40321 380.18953,216.77543 410.00973,435.44141 29.8203,218.66598 -81.8657,430.94957 -278.4863,529.84567 -196.6206,98.8962 -432.84043,61.8202 -589.90233,-92.6777 -24.91016,-24.5038 -85.48587,-83.3326 -119.02246,-52.9832 -24.01114,21.7292 -35.41741,29.5454 -59.9209,54.4559 -24.50381,24.9102 -35.33636,36.9034 -57.54543,60.4713 -38.1335,40.4667 34.10761,93.9685 59.01808,118.472 145.96311,143.5803 339.36149,219.2087 535.3125,219.8125 z"/>
diff --git a/org.jdrupes.vmoperator.vmviewer/resources/org/jdrupes/vmoperator/vmviewer/VmViewer-edit.ftl.html b/org.jdrupes.vmoperator.vmaccess/resources/org/jdrupes/vmoperator/vmaccess/VmAccess-edit.ftl.html
similarity index 73%
rename from org.jdrupes.vmoperator.vmviewer/resources/org/jdrupes/vmoperator/vmviewer/VmViewer-edit.ftl.html
rename to org.jdrupes.vmoperator.vmaccess/resources/org/jdrupes/vmoperator/vmaccess/VmAccess-edit.ftl.html
index e86d9db..ba61399 100644
--- a/org.jdrupes.vmoperator.vmviewer/resources/org/jdrupes/vmoperator/vmviewer/VmViewer-edit.ftl.html
+++ b/org.jdrupes.vmoperator.vmaccess/resources/org/jdrupes/vmoperator/vmaccess/VmAccess-edit.ftl.html
@@ -1,7 +1,7 @@
 <div title="${_("conletName")}"
-  class="jdrupes-vmoperator-vmviewer jdrupes-vmoperator-vmviewer-edit"
-  data-jgwc-on-load="orgJDrupesVmOperatorVmViewer.initEdit"
-  data-jgwc-on-action="orgJDrupesVmOperatorVmViewer.applyEdit"    
+  class="jdrupes-vmoperator-vmaccess jdrupes-vmoperator-vmaccess-edit"
+  data-jgwc-on-load="orgJDrupesVmOperatorVmAccess.initEdit"
+  data-jgwc-on-action="orgJDrupesVmOperatorVmAccess.applyEdit"    
   data-jgwc-on-unload="JGConsole.jgwc.unmountVueApps">
   <form :id="formId" ref="formDom" onsubmit="return false;">
     <section>
diff --git a/org.jdrupes.vmoperator.vmviewer/resources/org/jdrupes/vmoperator/vmviewer/VmViewer-l10nBundles.ftl.js b/org.jdrupes.vmoperator.vmaccess/resources/org/jdrupes/vmoperator/vmaccess/VmAccess-l10nBundles.ftl.js
similarity index 100%
rename from org.jdrupes.vmoperator.vmviewer/resources/org/jdrupes/vmoperator/vmviewer/VmViewer-l10nBundles.ftl.js
rename to org.jdrupes.vmoperator.vmaccess/resources/org/jdrupes/vmoperator/vmaccess/VmAccess-l10nBundles.ftl.js
diff --git a/org.jdrupes.vmoperator.vmviewer/resources/org/jdrupes/vmoperator/vmviewer/VmViewer-preview.ftl.html b/org.jdrupes.vmoperator.vmaccess/resources/org/jdrupes/vmoperator/vmaccess/VmAccess-preview.ftl.html
similarity index 59%
rename from org.jdrupes.vmoperator.vmviewer/resources/org/jdrupes/vmoperator/vmviewer/VmViewer-preview.ftl.html
rename to org.jdrupes.vmoperator.vmaccess/resources/org/jdrupes/vmoperator/vmaccess/VmAccess-preview.ftl.html
index c034504..57693ea 100644
--- a/org.jdrupes.vmoperator.vmviewer/resources/org/jdrupes/vmoperator/vmviewer/VmViewer-preview.ftl.html
+++ b/org.jdrupes.vmoperator.vmaccess/resources/org/jdrupes/vmoperator/vmaccess/VmAccess-preview.ftl.html
@@ -1,7 +1,7 @@
 <div 
-  class="jdrupes-vmoperator-vmviewer jdrupes-vmoperator-vmviewer-preview"
+  class="jdrupes-vmoperator-vmaccess jdrupes-vmoperator-vmaccess-preview"
   data-conlet-grid-rows="2" data-conlet-grid-columns="2"
-  data-jgwc-on-load="orgJDrupesVmOperatorVmViewer.initPreview"
+  data-jgwc-on-load="orgJDrupesVmOperatorVmAccess.initPreview"
   data-jgwc-on-unload="JGConsole.jgwc.unmountVueApps"
   data-conlet-resource-base="${conletResource('')}">
 </div>
diff --git a/org.jdrupes.vmoperator.vmviewer/resources/org/jdrupes/vmoperator/vmviewer/computer-in-use.svg b/org.jdrupes.vmoperator.vmaccess/resources/org/jdrupes/vmoperator/vmaccess/computer-in-use.svg
similarity index 100%
rename from org.jdrupes.vmoperator.vmviewer/resources/org/jdrupes/vmoperator/vmviewer/computer-in-use.svg
rename to org.jdrupes.vmoperator.vmaccess/resources/org/jdrupes/vmoperator/vmaccess/computer-in-use.svg
diff --git a/org.jdrupes.vmoperator.vmviewer/resources/org/jdrupes/vmoperator/vmviewer/computer-off.svg b/org.jdrupes.vmoperator.vmaccess/resources/org/jdrupes/vmoperator/vmaccess/computer-off.svg
similarity index 100%
rename from org.jdrupes.vmoperator.vmviewer/resources/org/jdrupes/vmoperator/vmviewer/computer-off.svg
rename to org.jdrupes.vmoperator.vmaccess/resources/org/jdrupes/vmoperator/vmaccess/computer-off.svg
diff --git a/org.jdrupes.vmoperator.vmviewer/resources/org/jdrupes/vmoperator/vmviewer/computer.svg b/org.jdrupes.vmoperator.vmaccess/resources/org/jdrupes/vmoperator/vmaccess/computer.svg
similarity index 100%
rename from org.jdrupes.vmoperator.vmviewer/resources/org/jdrupes/vmoperator/vmviewer/computer.svg
rename to org.jdrupes.vmoperator.vmaccess/resources/org/jdrupes/vmoperator/vmaccess/computer.svg
diff --git a/org.jdrupes.vmoperator.vmviewer/resources/org/jdrupes/vmoperator/vmviewer/l10n.properties b/org.jdrupes.vmoperator.vmaccess/resources/org/jdrupes/vmoperator/vmaccess/l10n.properties
similarity index 86%
rename from org.jdrupes.vmoperator.vmviewer/resources/org/jdrupes/vmoperator/vmviewer/l10n.properties
rename to org.jdrupes.vmoperator.vmaccess/resources/org/jdrupes/vmoperator/vmaccess/l10n.properties
index 05309d6..d755e7a 100644
--- a/org.jdrupes.vmoperator.vmviewer/resources/org/jdrupes/vmoperator/vmviewer/l10n.properties
+++ b/org.jdrupes.vmoperator.vmaccess/resources/org/jdrupes/vmoperator/vmaccess/l10n.properties
@@ -1,4 +1,4 @@
-conletName = VM Console
+conletName = VM Access
 
 okayLabel = Apply and Close
 
diff --git a/org.jdrupes.vmoperator.vmviewer/resources/org/jdrupes/vmoperator/vmviewer/l10n_de.properties b/org.jdrupes.vmoperator.vmaccess/resources/org/jdrupes/vmoperator/vmaccess/l10n_de.properties
similarity index 93%
rename from org.jdrupes.vmoperator.vmviewer/resources/org/jdrupes/vmoperator/vmviewer/l10n_de.properties
rename to org.jdrupes.vmoperator.vmaccess/resources/org/jdrupes/vmoperator/vmaccess/l10n_de.properties
index 5226cc3..bcdc332 100644
--- a/org.jdrupes.vmoperator.vmviewer/resources/org/jdrupes/vmoperator/vmviewer/l10n_de.properties
+++ b/org.jdrupes.vmoperator.vmaccess/resources/org/jdrupes/vmoperator/vmaccess/l10n_de.properties
@@ -1,4 +1,4 @@
-conletName = VM-Konsole
+conletName = VM-Zugriff
 
 okayLabel = Anwenden und Schließen
 Select\ VM = VM auswählen
diff --git a/org.jdrupes.vmoperator.vmviewer/resources/org/jdrupes/vmoperator/vmviewer/l10n_en.properties b/org.jdrupes.vmoperator.vmaccess/resources/org/jdrupes/vmoperator/vmaccess/l10n_en.properties
similarity index 100%
rename from org.jdrupes.vmoperator.vmviewer/resources/org/jdrupes/vmoperator/vmviewer/l10n_en.properties
rename to org.jdrupes.vmoperator.vmaccess/resources/org/jdrupes/vmoperator/vmaccess/l10n_en.properties
diff --git a/org.jdrupes.vmoperator.vmviewer/resources/org/jdrupes/vmoperator/vmviewer/reset-icon.svg b/org.jdrupes.vmoperator.vmaccess/resources/org/jdrupes/vmoperator/vmaccess/reset-icon.svg
similarity index 100%
rename from org.jdrupes.vmoperator.vmviewer/resources/org/jdrupes/vmoperator/vmviewer/reset-icon.svg
rename to org.jdrupes.vmoperator.vmaccess/resources/org/jdrupes/vmoperator/vmaccess/reset-icon.svg
diff --git a/org.jdrupes.vmoperator.vmviewer/rollup.config.mjs b/org.jdrupes.vmoperator.vmaccess/rollup.config.mjs
similarity index 92%
rename from org.jdrupes.vmoperator.vmviewer/rollup.config.mjs
rename to org.jdrupes.vmoperator.vmaccess/rollup.config.mjs
index f00a51f..ab1aae9 100644
--- a/org.jdrupes.vmoperator.vmviewer/rollup.config.mjs
+++ b/org.jdrupes.vmoperator.vmaccess/rollup.config.mjs
@@ -1,8 +1,8 @@
 import typescript from 'rollup-plugin-typescript2';
 import postcss from 'rollup-plugin-postcss';
 
-let packagePath = "org/jdrupes/vmoperator/vmviewer";
-let baseName = "VmViewer"
+let packagePath = "org/jdrupes/vmoperator/vmaccess";
+let baseName = "VmAccess"
 let module = "build/generated/resources/" + packagePath 
     +  "/" + baseName + "-functions.js";
 
diff --git a/org.jdrupes.vmoperator.vmviewer/src/org/jdrupes/vmoperator/vmviewer/VmViewer.java b/org.jdrupes.vmoperator.vmaccess/src/org/jdrupes/vmoperator/vmaccess/VmAccess.java
similarity index 97%
rename from org.jdrupes.vmoperator.vmviewer/src/org/jdrupes/vmoperator/vmviewer/VmViewer.java
rename to org.jdrupes.vmoperator.vmaccess/src/org/jdrupes/vmoperator/vmaccess/VmAccess.java
index b0d8502..b323084 100644
--- a/org.jdrupes.vmoperator.vmviewer/src/org/jdrupes/vmoperator/vmviewer/VmViewer.java
+++ b/org.jdrupes.vmoperator.vmaccess/src/org/jdrupes/vmoperator/vmaccess/VmAccess.java
@@ -16,7 +16,7 @@
  * along with this program.  If not, see <https://www.gnu.org/licenses/>.
  */
 
-package org.jdrupes.vmoperator.vmviewer;
+package org.jdrupes.vmoperator.vmaccess;
 
 import com.fasterxml.jackson.annotation.JsonGetter;
 import com.fasterxml.jackson.annotation.JsonProperty;
@@ -89,7 +89,7 @@ import org.jgrapes.webconsole.base.events.UpdateConletType;
 import org.jgrapes.webconsole.base.freemarker.FreeMarkerConlet;
 
 /**
- * The Class VmViewer. The component supports the following
+ * The Class {@link VmAccess}. The component supports the following
  * configuration properties:
  * 
  *   * `displayResource`: a map with the following entries:
@@ -107,13 +107,13 @@ import org.jgrapes.webconsole.base.freemarker.FreeMarkerConlet;
  */
 @SuppressWarnings({ "PMD.DataflowAnomalyAnalysis", "PMD.ExcessiveImports",
     "PMD.CouplingBetweenObjects", "PMD.GodClass", "PMD.TooManyMethods" })
-public class VmViewer extends FreeMarkerConlet<VmViewer.ViewerModel> {
+public class VmAccess extends FreeMarkerConlet<VmAccess.ViewerModel> {
 
     private static final String VM_NAME_PROPERTY = "vmName";
     private static final String RENDERED
-        = VmViewer.class.getName() + ".rendered";
+        = VmAccess.class.getName() + ".rendered";
     private static final String PENDING
-        = VmViewer.class.getName() + ".pending";
+        = VmAccess.class.getName() + ".pending";
     private static final Set<RenderMode> MODES = RenderMode.asSet(
         RenderMode.Preview, RenderMode.Edit);
     private static final Set<RenderMode> MODES_FOR_GENERATED = RenderMode.asSet(
@@ -140,7 +140,7 @@ public class VmViewer extends FreeMarkerConlet<VmViewer.ViewerModel> {
      * on by default and that {@link Manager#fire(Event, Channel...)}
      * sends the event to
      */
-    public VmViewer(Channel componentChannel) {
+    public VmAccess(Channel componentChannel) {
         super(componentChannel);
     }
 
@@ -222,7 +222,7 @@ public class VmViewer extends FreeMarkerConlet<VmViewer.ViewerModel> {
             .addRenderMode(RenderMode.Preview)
             .addScript(new ScriptResource().setScriptType("module")
                 .setScriptUri(event.renderSupport().conletResource(
-                    type(), "VmViewer-functions.js"))));
+                    type(), "VmAccess-functions.js"))));
         channel.session().put(RENDERED, new HashSet<>());
     }
 
@@ -259,7 +259,7 @@ public class VmViewer extends FreeMarkerConlet<VmViewer.ViewerModel> {
                 foundMissing = true;
             }
             fire(new AddConletRequest(event.event().event().renderSupport(),
-                VmViewer.class.getName(),
+                VmAccess.class.getName(),
                 RenderMode.asSet(RenderMode.Preview))
                     .addProperty(VM_NAME_PROPERTY, vmName),
                 connection);
@@ -283,7 +283,7 @@ public class VmViewer extends FreeMarkerConlet<VmViewer.ViewerModel> {
     private String storagePath(Session session, String conletId) {
         return "/" + WebConsoleUtils.userFromSession(session)
             .map(ConsoleUser::getName).orElse("")
-            + "/" + VmViewer.class.getName() + "/" + conletId;
+            + "/" + VmAccess.class.getName() + "/" + conletId;
     }
 
     @Override
@@ -365,7 +365,7 @@ public class VmViewer extends FreeMarkerConlet<VmViewer.ViewerModel> {
 
             // Render
             Template tpl
-                = freemarkerConfig().getTemplate("VmViewer-preview.ftl.html");
+                = freemarkerConfig().getTemplate("VmAccess-preview.ftl.html");
             channel.respond(new RenderConlet(type(), conletId,
                 processTemplate(event, tpl,
                     fmModel(event, channel, conletId, model)))
@@ -383,7 +383,7 @@ public class VmViewer extends FreeMarkerConlet<VmViewer.ViewerModel> {
         }
         if (event.renderAs().contains(RenderMode.Edit)) {
             Template tpl = freemarkerConfig()
-                .getTemplate("VmViewer-edit.ftl.html");
+                .getTemplate("VmAccess-edit.ftl.html");
             var fmModel = fmModel(event, channel, conletId, model);
             fmModel.put("vmNames", accessibleVms(channel));
             channel.respond(new OpenModalDialog(type(), conletId,
@@ -633,7 +633,7 @@ public class VmViewer extends FreeMarkerConlet<VmViewer.ViewerModel> {
             ResourceBundle resourceBundle) throws TemplateNotFoundException,
             MalformedTemplateNameException, ParseException, IOException {
         Template tpl = freemarkerConfig()
-            .getTemplate("VmViewer-confirmReset.ftl.html");
+            .getTemplate("VmAccess-confirmReset.ftl.html");
         channel.respond(new OpenModalDialog(type(), model.getConletId(),
             processTemplate(event, tpl,
                 fmModel(event, channel, model.getConletId(), model)))
diff --git a/org.jdrupes.vmoperator.vmviewer/src/org/jdrupes/vmoperator/vmviewer/VmViewerFactory.java b/org.jdrupes.vmoperator.vmaccess/src/org/jdrupes/vmoperator/vmaccess/VmAccessFactory.java
similarity index 85%
rename from org.jdrupes.vmoperator.vmviewer/src/org/jdrupes/vmoperator/vmviewer/VmViewerFactory.java
rename to org.jdrupes.vmoperator.vmaccess/src/org/jdrupes/vmoperator/vmaccess/VmAccessFactory.java
index 6748f47..5140056 100644
--- a/org.jdrupes.vmoperator.vmviewer/src/org/jdrupes/vmoperator/vmviewer/VmViewerFactory.java
+++ b/org.jdrupes.vmoperator.vmaccess/src/org/jdrupes/vmoperator/vmaccess/VmAccessFactory.java
@@ -16,7 +16,7 @@
  * along with this program.  If not, see <https://www.gnu.org/licenses/>.
  */
 
-package org.jdrupes.vmoperator.vmviewer;
+package org.jdrupes.vmoperator.vmaccess;
 
 import java.util.Map;
 import java.util.Optional;
@@ -25,9 +25,9 @@ import org.jgrapes.core.ComponentType;
 import org.jgrapes.webconsole.base.ConletComponentFactory;
 
 /**
- * The factory service for {@link VmViewer}s.
+ * The factory service for {@link VmAccess}s.
  */
-public class VmViewerFactory implements ConletComponentFactory {
+public class VmAccessFactory implements ConletComponentFactory {
 
     /*
      * (non-Javadoc)
@@ -36,7 +36,7 @@ public class VmViewerFactory implements ConletComponentFactory {
      */
     @Override
     public Class<? extends ComponentType> componentType() {
-        return VmViewer.class;
+        return VmAccess.class;
     }
 
     /*
@@ -48,7 +48,7 @@ public class VmViewerFactory implements ConletComponentFactory {
     @Override
     public Optional<ComponentType> create(Channel componentChannel,
             Map<?, ?> properties) {
-        return Optional.of(new VmViewer(componentChannel));
+        return Optional.of(new VmAccess(componentChannel));
     }
 
 }
diff --git a/org.jdrupes.vmoperator.vmviewer/src/org/jdrupes/vmoperator/vmviewer/browser/VmViewer-functions.ts b/org.jdrupes.vmoperator.vmaccess/src/org/jdrupes/vmoperator/vmaccess/browser/VmAccess-functions.ts
similarity index 91%
rename from org.jdrupes.vmoperator.vmviewer/src/org/jdrupes/vmoperator/vmviewer/browser/VmViewer-functions.ts
rename to org.jdrupes.vmoperator.vmaccess/src/org/jdrupes/vmoperator/vmaccess/browser/VmAccess-functions.ts
index 42c7d10..fb52353 100644
--- a/org.jdrupes.vmoperator.vmviewer/src/org/jdrupes/vmoperator/vmviewer/browser/VmViewer-functions.ts
+++ b/org.jdrupes.vmoperator.vmaccess/src/org/jdrupes/vmoperator/vmaccess/browser/VmAccess-functions.ts
@@ -24,12 +24,12 @@ import JgwcPlugin, { JGWC } from "jgwc";
 import { provideApi, getApi } from "aash-plugin";
 import l10nBundles from "l10nBundles";
 
-import "./VmViewer-style.scss";
+import "./VmAccess-style.scss";
 
 // For global access
 declare global {
     interface Window {
-        orgJDrupesVmOperatorVmViewer: { 
+        orgJDrupesVmOperatorVmAccess: { 
             initPreview?: (previewDom: HTMLElement, isUpdate: boolean) => void,
             initEdit?: (viewDom: HTMLElement, isUpdate: boolean) => void,
             applyEdit?: (viewDom: HTMLElement, apply: boolean) => void,
@@ -38,7 +38,7 @@ declare global {
     }
 }
 
-window.orgJDrupesVmOperatorVmViewer = {};
+window.orgJDrupesVmOperatorVmAccess = {};
 
 interface Api {
     /* eslint-disable @typescript-eslint/no-explicit-any */
@@ -51,7 +51,7 @@ const localize = (key: string) => {
         l10nBundles, JGWC.lang(), key);
 };
 
-window.orgJDrupesVmOperatorVmViewer.initPreview = (previewDom: HTMLElement,
+window.orgJDrupesVmOperatorVmAccess.initPreview = (previewDom: HTMLElement,
     _isUpdate: boolean) => {
     const app = createApp({
         setup(_props: object) {
@@ -107,7 +107,7 @@ window.orgJDrupesVmOperatorVmViewer.initPreview = (previewDom: HTMLElement,
                   :title="localize('Open console')"></span><span
                   style="visibility: hidden;"><img
                   :src="resourceBase + 'computer.svg'"></span></td>
-                <td class="jdrupes-vmoperator-vmviewer-preview-action-list">
+                <td class="jdrupes-vmoperator-vmaccess-preview-action-list">
                   <span role="button" 
                     :aria-disabled="!startable || !permissions.includes('start')" 
                     tabindex="0" class="fa fa-play" :title="localize('Start VM')"
@@ -138,25 +138,25 @@ window.orgJDrupesVmOperatorVmViewer.initPreview = (previewDom: HTMLElement,
     app.mount(previewDom);
 };
 
-JGConsole.registerConletFunction("org.jdrupes.vmoperator.vmviewer.VmViewer",
+JGConsole.registerConletFunction("org.jdrupes.vmoperator.vmaccess.VmAccess",
     "updateConfig", function(conletId: string, vmName: string) {
         const conlet = JGConsole.findConletPreview(conletId);
         if (!conlet) {
             return;
         }
         const api = getApi<Api>(conlet.element().querySelector(
-            ":scope .jdrupes-vmoperator-vmviewer-preview"))!;
+            ":scope .jdrupes-vmoperator-vmaccess-preview"))!;
         api.vmName = vmName;
     });
 
-JGConsole.registerConletFunction("org.jdrupes.vmoperator.vmviewer.VmViewer",
+JGConsole.registerConletFunction("org.jdrupes.vmoperator.vmaccess.VmAccess",
     "updateVmDefinition", function(conletId: string, vmDefinition: any) {
         const conlet = JGConsole.findConletPreview(conletId);
         if (!conlet) {
             return;
         }
         const api = getApi<Api>(conlet.element().querySelector(
-            ":scope .jdrupes-vmoperator-vmviewer-preview"))!;
+            ":scope .jdrupes-vmoperator-vmaccess-preview"))!;
         // Add some short-cuts for rendering
         vmDefinition.name = vmDefinition.metadata.name;
         vmDefinition.currentCpus = vmDefinition.status.cpus;
@@ -173,13 +173,13 @@ JGConsole.registerConletFunction("org.jdrupes.vmoperator.vmviewer.VmViewer",
         api.vmDefinition = vmDefinition;
     });
 
-JGConsole.registerConletFunction("org.jdrupes.vmoperator.vmviewer.VmViewer",
+JGConsole.registerConletFunction("org.jdrupes.vmoperator.vmaccess.VmAccess",
     "openConsole", function(_conletId: string, mimeType: string, data: string) {
         let target = document.getElementById(
-            "org.jdrupes.vmoperator.vmviewer.VmViewer.target");
+            "org.jdrupes.vmoperator.vmaccess.VmAccess.target");
         if (!target) {
             target = document.createElement("iframe");
-            target.id = "org.jdrupes.vmoperator.vmviewer.VmViewer.target";
+            target.id = "org.jdrupes.vmoperator.vmaccess.VmAccess.target";
             target.setAttribute("name", target.id);
             target.setAttribute("style", "display: none;");            
             document.querySelector("body")!.append(target);
@@ -188,7 +188,7 @@ JGConsole.registerConletFunction("org.jdrupes.vmoperator.vmviewer.VmViewer",
         window.open(url, target.id);
     });
 
-window.orgJDrupesVmOperatorVmViewer.initEdit = (dialogDom: HTMLElement,
+window.orgJDrupesVmOperatorVmAccess.initEdit = (dialogDom: HTMLElement,
     isUpdate: boolean) => {
     if (isUpdate) {
         return;
@@ -209,7 +209,7 @@ window.orgJDrupesVmOperatorVmViewer.initEdit = (dialogDom: HTMLElement,
             const conlet = JGConsole.findConletPreview(conletId);
             if (conlet) {
                 const api = getApi<Api>(conlet.element().querySelector(
-                    ":scope .jdrupes-vmoperator-vmviewer-preview"))!;
+                    ":scope .jdrupes-vmoperator-vmaccess-preview"))!;
                 vmNameInput.value = api.vmName;
             }
 
@@ -222,7 +222,7 @@ window.orgJDrupesVmOperatorVmViewer.initEdit = (dialogDom: HTMLElement,
     app.mount(dialogDom);
 }
 
-window.orgJDrupesVmOperatorVmViewer.applyEdit =
+window.orgJDrupesVmOperatorVmAccess.applyEdit =
     (dialogDom: HTMLElement, apply: boolean) => {
     if (!apply) {
         return;
@@ -233,7 +233,7 @@ window.orgJDrupesVmOperatorVmViewer.applyEdit =
     JGConsole.notifyConletModel(conletId, "selectedVm", vmName);
 }
 
-window.orgJDrupesVmOperatorVmViewer.confirmReset = 
+window.orgJDrupesVmOperatorVmAccess.confirmReset = 
         (conletType: string, conletId: string) => {
     JGConsole.instance.closeModalDialog(conletType, conletId);
     JGConsole.notifyConletModel(conletId, "resetConfirmed");
diff --git a/org.jdrupes.vmoperator.vmviewer/src/org/jdrupes/vmoperator/vmviewer/browser/VmViewer-style.scss b/org.jdrupes.vmoperator.vmaccess/src/org/jdrupes/vmoperator/vmaccess/browser/VmAccess-style.scss
similarity index 87%
rename from org.jdrupes.vmoperator.vmviewer/src/org/jdrupes/vmoperator/vmviewer/browser/VmViewer-style.scss
rename to org.jdrupes.vmoperator.vmaccess/src/org/jdrupes/vmoperator/vmaccess/browser/VmAccess-style.scss
index 3ee432a..547dc74 100644
--- a/org.jdrupes.vmoperator.vmviewer/src/org/jdrupes/vmoperator/vmviewer/browser/VmViewer-style.scss
+++ b/org.jdrupes.vmoperator.vmaccess/src/org/jdrupes/vmoperator/vmaccess/browser/VmAccess-style.scss
@@ -19,7 +19,7 @@
 /*
  * Conlet specific styles.
  */
-.jdrupes-vmoperator-vmviewer {
+.jdrupes-vmoperator-vmaccess {
   
   span[role="button"].svg-icon {
     display: inline-block;
@@ -47,7 +47,7 @@
   }
 }
 
-.jdrupes-vmoperator-vmviewer.jdrupes-vmoperator-vmviewer-preview {
+.jdrupes-vmoperator-vmaccess.jdrupes-vmoperator-vmaccess-preview {
   
   img {
     height: 3em;
@@ -58,7 +58,7 @@
     }
   }
   
-  .jdrupes-vmoperator-vmviewer-preview-action-list {
+  .jdrupes-vmoperator-vmaccess-preview-action-list {
     white-space: nowrap;
   }
   
@@ -76,13 +76,13 @@
   }  
 }
 
-.jdrupes-vmoperator-vmviewer.jdrupes-vmoperator-vmviewer-edit {
+.jdrupes-vmoperator-vmaccess.jdrupes-vmoperator-vmaccess-edit {
   select {
     width: 15em;
   }
 }
 
-.jdrupes-vmoperator-vmviewer.jdrupes-vmoperator-vmviewer-confirm-reset {
+.jdrupes-vmoperator-vmaccess.jdrupes-vmoperator-vmaccess-confirm-reset {
   p {
     text-align: center;
   }
diff --git a/org.jdrupes.vmoperator.vmviewer/src/org/jdrupes/vmoperator/vmviewer/browser/l10nBundles-stub.d.ts b/org.jdrupes.vmoperator.vmaccess/src/org/jdrupes/vmoperator/vmaccess/browser/l10nBundles-stub.d.ts
similarity index 100%
rename from org.jdrupes.vmoperator.vmviewer/src/org/jdrupes/vmoperator/vmviewer/browser/l10nBundles-stub.d.ts
rename to org.jdrupes.vmoperator.vmaccess/src/org/jdrupes/vmoperator/vmaccess/browser/l10nBundles-stub.d.ts
diff --git a/org.jdrupes.vmoperator.vmviewer/src/org/jdrupes/vmoperator/vmviewer/package-info.java b/org.jdrupes.vmoperator.vmaccess/src/org/jdrupes/vmoperator/vmaccess/package-info.java
similarity index 89%
rename from org.jdrupes.vmoperator.vmviewer/src/org/jdrupes/vmoperator/vmviewer/package-info.java
rename to org.jdrupes.vmoperator.vmaccess/src/org/jdrupes/vmoperator/vmaccess/package-info.java
index 9a4045a..745ded7 100644
--- a/org.jdrupes.vmoperator.vmviewer/src/org/jdrupes/vmoperator/vmviewer/package-info.java
+++ b/org.jdrupes.vmoperator.vmaccess/src/org/jdrupes/vmoperator/vmaccess/package-info.java
@@ -1,6 +1,6 @@
 /*
  * VM-Operator
- * Copyright (C) 2023 Michael N. Lipp
+ * Copyright (C) 2023, 2024 Michael N. Lipp
  * 
  * This program is free software: you can redistribute it and/or modify
  * it under the terms of the GNU Affero General Public License as
@@ -16,4 +16,4 @@
  * along with this program.  If not, see <https://www.gnu.org/licenses/>.
  */
 
-package org.jdrupes.vmoperator.vmviewer;
\ No newline at end of file
+package org.jdrupes.vmoperator.vmaccess;
diff --git a/org.jdrupes.vmoperator.vmviewer/tsconfig.json b/org.jdrupes.vmoperator.vmaccess/tsconfig.json
similarity index 92%
rename from org.jdrupes.vmoperator.vmviewer/tsconfig.json
rename to org.jdrupes.vmoperator.vmaccess/tsconfig.json
index 6418f59..d9dbb3f 100644
--- a/org.jdrupes.vmoperator.vmviewer/tsconfig.json
+++ b/org.jdrupes.vmoperator.vmaccess/tsconfig.json
@@ -14,7 +14,7 @@
       "aash-plugin": ["./build/unpacked/org/jgrapes/webconsole/provider/jgwcvuecomponents/aash-vue-components/lib/AashPlugin"],
       "jgconsole": ["./build/unpacked/org/jgrapes/webconsole/base/JGConsole"],
       "jgwc": ["./build/unpacked/org/jgrapes/webconsole/provider/jgwcvuecomponents/jgwc-vue-components/jgwc-components"],
-      "l10nBundles": ["./src/org/jdrupes/vmoperator/vmviewer/browser/l10nBundles-stub"],
+      "l10nBundles": ["./src/org/jdrupes/vmoperator/vmaccess/browser/l10nBundles-stub"],
       "vue": ["./build/unpacked/org/jgrapes/webconsole/provider/vue/vue/vue"]
     }
   },
diff --git a/org.jdrupes.vmoperator.vmviewer/resources/META-INF/services/org.jgrapes.webconsole.base.ConletComponentFactory b/org.jdrupes.vmoperator.vmviewer/resources/META-INF/services/org.jgrapes.webconsole.base.ConletComponentFactory
deleted file mode 100644
index ebe4408..0000000
--- a/org.jdrupes.vmoperator.vmviewer/resources/META-INF/services/org.jgrapes.webconsole.base.ConletComponentFactory
+++ /dev/null
@@ -1 +0,0 @@
-org.jdrupes.vmoperator.vmviewer.VmViewerFactory
diff --git a/settings.gradle b/settings.gradle
index 64f3056..a32eaf8 100644
--- a/settings.gradle
+++ b/settings.gradle
@@ -12,6 +12,8 @@ rootProject.name = 'VM-Operator'
 
 include 'org.jdrupes.vmoperator.manager'
 include 'org.jdrupes.vmoperator.manager.events'
+include 'org.jdrupes.vmoperator.poolaccess'
+include 'org.jdrupes.vmoperator.vmaccess'
 include 'org.jdrupes.vmoperator.vmconlet'
 include 'org.jdrupes.vmoperator.vmviewer'
 include 'org.jdrupes.vmoperator.runner.qemu'
diff --git a/webpages/vm-operator/VmViewer-preview.png b/webpages/vm-operator/VmAccess-preview.png
similarity index 100%
rename from webpages/vm-operator/VmViewer-preview.png
rename to webpages/vm-operator/VmAccess-preview.png
diff --git a/webpages/vm-operator/user-gui.md b/webpages/vm-operator/user-gui.md
index ce46e8f..416e243 100644
--- a/webpages/vm-operator/user-gui.md
+++ b/webpages/vm-operator/user-gui.md
@@ -11,7 +11,7 @@ The idea of the user view is to provide an intuitive widget that
 allows the users to access their own VMs and to optionally start
 and stop them.
 
-![VM-Viewer](VmViewer-preview.png)
+![VM-Viewer](VmAccess-preview.png)
 
 The configuration options resulting from this seemingly simple
 requirement are unexpectedly complex.
@@ -62,7 +62,7 @@ objects that either specify a role or a user.
     "/ConsoleWeblet":
       "/WebConsole":
         "/ComponentCollector":
-          "/VmViewer":
+          "/VmAccess":
             syncPreviewsFor:
             - role: user
             - user: test

From eabb2d9cf02a7fbdc09d166fa070e8fa0a515b4d Mon Sep 17 00:00:00 2001
From: "Michael N. Lipp" <mnl@mnl.de>
Date: Sat, 23 Nov 2024 12:52:42 +0100
Subject: [PATCH 042/274] Add method.

---
 .../org/jdrupes/vmoperator/common/VmPool.java | 22 +++++++++++++++++++
 1 file changed, 22 insertions(+)

diff --git a/org.jdrupes.vmoperator.common/src/org/jdrupes/vmoperator/common/VmPool.java b/org.jdrupes.vmoperator.common/src/org/jdrupes/vmoperator/common/VmPool.java
index aaa2746..8da0a9f 100644
--- a/org.jdrupes.vmoperator.common/src/org/jdrupes/vmoperator/common/VmPool.java
+++ b/org.jdrupes.vmoperator.common/src/org/jdrupes/vmoperator/common/VmPool.java
@@ -18,6 +18,7 @@
 
 package org.jdrupes.vmoperator.common;
 
+import java.util.Collection;
 import java.util.Collections;
 import java.util.EnumSet;
 import java.util.HashMap;
@@ -25,6 +26,9 @@ import java.util.HashSet;
 import java.util.List;
 import java.util.Map;
 import java.util.Set;
+import java.util.function.Function;
+import java.util.stream.Collectors;
+import org.jdrupes.vmoperator.util.DataPath;
 
 /**
  * Represents a VM pool.
@@ -97,6 +101,24 @@ public class VmPool {
         return builder.toString();
     }
 
+    /**
+     * Collect all permissions for the given user with the given roles.
+     *
+     * @param user the user
+     * @param roles the roles
+     * @return the sets the
+     */
+    public Set<Permission> permissionsFor(String user,
+            Collection<String> roles) {
+        return permissions.stream()
+            .filter(g -> DataPath.get(g, "user").map(u -> u.equals(user))
+                .orElse(false)
+                || DataPath.get(g, "role").map(roles::contains).orElse(false))
+            .map(g -> DataPath.<Set<Permission>> get(g, "may")
+                .orElse(Collections.emptySet()).stream())
+            .flatMap(Function.identity()).collect(Collectors.toSet());
+    }
+
     /**
      * A permission grant to a user or role.
      *

From 5efef2a083f9366cb622e5473bcebac3e1d66190 Mon Sep 17 00:00:00 2001
From: "Michael N. Lipp" <mnl@mnl.de>
Date: Sat, 23 Nov 2024 12:54:29 +0100
Subject: [PATCH 043/274] Deliver events on dedicated pipeline.

---
 .../vmoperator/manager/PoolManager.java       | 28 +++++++++++++++----
 1 file changed, 23 insertions(+), 5 deletions(-)

diff --git a/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/PoolManager.java b/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/PoolManager.java
index f47c569..fb1de27 100644
--- a/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/PoolManager.java
+++ b/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/PoolManager.java
@@ -43,10 +43,14 @@ import org.jdrupes.vmoperator.manager.events.VmDefChanged;
 import org.jdrupes.vmoperator.manager.events.VmPoolChanged;
 import org.jdrupes.vmoperator.util.GsonPtr;
 import org.jgrapes.core.Channel;
+import org.jgrapes.core.EventPipeline;
 import org.jgrapes.core.annotation.Handler;
+import org.jgrapes.core.events.Attached;
 
 /**
- * Watches for changes of VM pools.
+ * Watches for changes of VM pools. Reports the changes using 
+ * {@link VmPoolChanged} events fired on a special pipeline to
+ * avoid concurrent change informations.
  */
 @SuppressWarnings({ "PMD.DataflowAnomalyAnalysis", "PMD.ExcessiveImports" })
 public class PoolManager extends
@@ -55,6 +59,7 @@ public class PoolManager extends
     private final ReentrantLock pendingLock = new ReentrantLock();
     private final Map<String, Set<String>> pending = new ConcurrentHashMap<>();
     private final Map<String, VmPool> pools = new ConcurrentHashMap<>();
+    private EventPipeline poolPipeline;
 
     /**
      * Instantiates a new VM pool manager.
@@ -67,6 +72,19 @@ public class PoolManager extends
             K8sDynamicModels.class);
     }
 
+    /**
+     * On attached.
+     *
+     * @param event the event
+     */
+    @Handler
+    @SuppressWarnings("PMD.CompareObjectsWithEquals")
+    public void onAttached(Attached event) {
+        if (event.node() == this) {
+            poolPipeline = newEventPipeline();
+        }
+    }
+
     @Override
     protected void prepareMonitoring() throws IOException, ApiException {
         client(new K8sClient());
@@ -96,7 +114,7 @@ public class PoolManager extends
                         pending.computeIfAbsent(poolName, k -> Collections
                             .synchronizedSet(new HashSet<>())).addAll(p.vms());
                         pools.remove(poolName);
-                        fire(new VmPoolChanged(p, true));
+                        poolPipeline.fire(new VmPoolChanged(p, true));
                     });
             } finally {
                 pendingLock.unlock();
@@ -138,7 +156,7 @@ public class PoolManager extends
             });
             pending.remove(poolName);
             pools.put(poolName, vmPool);
-            fire(new VmPoolChanged(vmPool));
+            poolPipeline.fire(new VmPoolChanged(vmPool));
         } finally {
             pendingLock.unlock();
         }
@@ -164,7 +182,7 @@ public class PoolManager extends
                             pending.computeIfAbsent(p, k -> Collections
                                 .synchronizedSet(new HashSet<>())).add(vmName);
                         }
-                        fire(new VmPoolChanged(pools.get(p)));
+                        poolPipeline.fire(new VmPoolChanged(pools.get(p)));
                     });
             } finally {
                 pendingLock.unlock();
@@ -175,7 +193,7 @@ public class PoolManager extends
                 pendingLock.lock();
                 pools.values().stream().forEach(p -> {
                     if (p.vms().remove(vmName)) {
-                        fire(new VmPoolChanged(p));
+                        poolPipeline.fire(new VmPoolChanged(p));
                     }
                 });
                 // Should not be necessary, but just in case

From 22446c361873885a823452b5888cdc601de11902 Mon Sep 17 00:00:00 2001
From: "Michael N. Lipp" <mnl@mnl.de>
Date: Sat, 23 Nov 2024 12:54:57 +0100
Subject: [PATCH 044/274] Clarify documentation.

---
 .../src/org/jdrupes/vmoperator/manager/AbstractMonitor.java   | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/AbstractMonitor.java b/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/AbstractMonitor.java
index 43f4287..2deb9ab 100644
--- a/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/AbstractMonitor.java
+++ b/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/AbstractMonitor.java
@@ -246,7 +246,9 @@ public abstract class AbstractMonitor<O extends KubernetesObject,
     }
 
     /**
-     * Handle an observed change.
+     * Handle an observed change. The method is invoked by the observer
+     * thread(s). It is the responsibility of the implementing class to
+     * fire derived events on the appropriate event pipeline.
      *
      * @param client the client
      * @param change the change

From 64035d8dc12af271e4fe2602f4ab22702542e04c Mon Sep 17 00:00:00 2001
From: "Michael N. Lipp" <mnl@mnl.de>
Date: Sat, 23 Nov 2024 12:55:48 +0100
Subject: [PATCH 045/274] Remove poolaccess conlet.

---
 settings.gradle | 1 -
 1 file changed, 1 deletion(-)

diff --git a/settings.gradle b/settings.gradle
index a32eaf8..50b3277 100644
--- a/settings.gradle
+++ b/settings.gradle
@@ -12,7 +12,6 @@ rootProject.name = 'VM-Operator'
 
 include 'org.jdrupes.vmoperator.manager'
 include 'org.jdrupes.vmoperator.manager.events'
-include 'org.jdrupes.vmoperator.poolaccess'
 include 'org.jdrupes.vmoperator.vmaccess'
 include 'org.jdrupes.vmoperator.vmconlet'
 include 'org.jdrupes.vmoperator.vmviewer'

From dc21dc8a7bcaaa9f89d8701e18bfcd655c6e6560 Mon Sep 17 00:00:00 2001
From: "Michael N. Lipp" <mnl@mnl.de>
Date: Sat, 23 Nov 2024 12:56:32 +0100
Subject: [PATCH 046/274] Test pools.

---
 dev-example/test-pool.yaml   | 10 ++++++++++
 dev-example/test-vm.tpl.yaml |  3 +++
 2 files changed, 13 insertions(+)
 create mode 100644 dev-example/test-pool.yaml

diff --git a/dev-example/test-pool.yaml b/dev-example/test-pool.yaml
new file mode 100644
index 0000000..73bd6ab
--- /dev/null
+++ b/dev-example/test-pool.yaml
@@ -0,0 +1,10 @@
+apiVersion: "vmoperator.jdrupes.org/v1"
+kind: VmPool
+metadata:
+  namespace: vmop-dev
+  name: test-vms
+spec:
+  permissions:
+  - user: admin
+    may:
+    - accessConsole
diff --git a/dev-example/test-vm.tpl.yaml b/dev-example/test-vm.tpl.yaml
index 6d8a89c..1ce8d95 100644
--- a/dev-example/test-vm.tpl.yaml
+++ b/dev-example/test-vm.tpl.yaml
@@ -30,6 +30,9 @@ spec:
   cloudInit: 
     metaData: {}
 
+  pools:
+  - test-vms
+    
   vm:
     # state: Running
     bootMenu: true

From c361f9296ddd1d311e3cbfefdae1499fcf6be695 Mon Sep 17 00:00:00 2001
From: "Michael N. Lipp" <mnl@mnl.de>
Date: Sat, 23 Nov 2024 13:03:04 +0100
Subject: [PATCH 047/274] Remove conlet.

---
 org.jdrupes.vmoperator.manager/build.gradle | 1 -
 1 file changed, 1 deletion(-)

diff --git a/org.jdrupes.vmoperator.manager/build.gradle b/org.jdrupes.vmoperator.manager/build.gradle
index f5ffe2c..cefac0b 100644
--- a/org.jdrupes.vmoperator.manager/build.gradle
+++ b/org.jdrupes.vmoperator.manager/build.gradle
@@ -33,7 +33,6 @@ dependencies {
 
     runtimeOnly project(':org.jdrupes.vmoperator.vmaccess')
     runtimeOnly project(':org.jdrupes.vmoperator.vmconlet')
-    runtimeOnly project(':org.jdrupes.vmoperator.poolaccess')
 }
 
 application {

From 2be88d0f34facddbccfa77c8b329cb9a404497fd Mon Sep 17 00:00:00 2001
From: "Michael N. Lipp" <mnl@mnl.de>
Date: Sat, 23 Nov 2024 13:06:51 +0100
Subject: [PATCH 048/274] Remove viewer.

---
 settings.gradle | 1 -
 1 file changed, 1 deletion(-)

diff --git a/settings.gradle b/settings.gradle
index 50b3277..be8546d 100644
--- a/settings.gradle
+++ b/settings.gradle
@@ -14,7 +14,6 @@ include 'org.jdrupes.vmoperator.manager'
 include 'org.jdrupes.vmoperator.manager.events'
 include 'org.jdrupes.vmoperator.vmaccess'
 include 'org.jdrupes.vmoperator.vmconlet'
-include 'org.jdrupes.vmoperator.vmviewer'
 include 'org.jdrupes.vmoperator.runner.qemu'
 include 'org.jdrupes.vmoperator.common'
 include 'org.jdrupes.vmoperator.util'

From 4ceaaa9fa2371360c59c97e6f4e4a56ec0e77c68 Mon Sep 17 00:00:00 2001
From: "Michael N. Lipp" <mnl@mnl.de>
Date: Sat, 23 Nov 2024 14:08:01 +0100
Subject: [PATCH 049/274] Provide backward compatibility for configuration.

---
 dev-example/config.yaml                       |  2 +-
 dev-example/kustomization.yaml                |  2 +-
 .../jdrupes/vmoperator/vmaccess/VmAccess.java | 83 +++++++++++--------
 webpages/vm-operator/upgrading.md             | 13 +++
 4 files changed, 63 insertions(+), 37 deletions(-)

diff --git a/dev-example/config.yaml b/dev-example/config.yaml
index 1c80ab8..f2e0563 100644
--- a/dev-example/config.yaml
+++ b/dev-example/config.yaml
@@ -65,7 +65,7 @@
             other:
             - org.jgrapes.webconlet.oidclogin.LoginConlet
         "/ComponentCollector":
-          "/VmViewer":
+          "/VmAccess":
             displayResource:
               preferredIpVersion: ipv4
             syncPreviewsFor:
diff --git a/dev-example/kustomization.yaml b/dev-example/kustomization.yaml
index f6e51b8..7dc4a15 100644
--- a/dev-example/kustomization.yaml
+++ b/dev-example/kustomization.yaml
@@ -79,7 +79,7 @@ patches:
                     other:
                     - org.jgrapes.webconlet.locallogin.LoginConlet
                 "/ComponentCollector":
-                  "/VmViewer":
+                  "/VmAccess":
                     displayResource:
                       preferredIpVersion: ipv4
                     syncPreviewsFor:
diff --git a/org.jdrupes.vmoperator.vmaccess/src/org/jdrupes/vmoperator/vmaccess/VmAccess.java b/org.jdrupes.vmoperator.vmaccess/src/org/jdrupes/vmoperator/vmaccess/VmAccess.java
index b323084..e1a41ef 100644
--- a/org.jdrupes.vmoperator.vmaccess/src/org/jdrupes/vmoperator/vmaccess/VmAccess.java
+++ b/org.jdrupes.vmoperator.vmaccess/src/org/jdrupes/vmoperator/vmaccess/VmAccess.java
@@ -152,44 +152,57 @@ public class VmAccess extends FreeMarkerConlet<VmAccess.ViewerModel> {
     @SuppressWarnings({ "unchecked", "PMD.AvoidDuplicateLiterals" })
     @Handler
     public void onConfigurationUpdate(ConfigurationUpdate event) {
-        event.structured(componentPath()).ifPresent(c -> {
-            try {
-                var dispRes = (Map<String, Object>) c
-                    .getOrDefault("displayResource", Collections.emptyMap());
-                switch ((String) dispRes.getOrDefault("preferredIpVersion",
-                    "")) {
-                case "ipv6":
-                    preferredIpVersion = Inet6Address.class;
-                    break;
-                case "ipv4":
-                default:
-                    preferredIpVersion = Inet4Address.class;
-                    break;
+        event.structured(componentPath())
+            .or(() -> {
+                var oldConfig = event.structured("/Manager/GuiHttpServer"
+                    + "/ConsoleWeblet/WebConsole/ComponentCollector/VmViewer");
+                if (oldConfig.isPresent()) {
+                    logger.warning(() -> "Using configuration with old "
+                        + "component name \"VmViewer\", please update to "
+                        + "\"VmAccess\"");
                 }
+                return oldConfig;
+            })
+            .ifPresent(c -> {
+                try {
+                    var dispRes = (Map<String, Object>) c
+                        .getOrDefault("displayResource",
+                            Collections.emptyMap());
+                    switch ((String) dispRes.getOrDefault("preferredIpVersion",
+                        "")) {
+                    case "ipv6":
+                        preferredIpVersion = Inet6Address.class;
+                        break;
+                    case "ipv4":
+                    default:
+                        preferredIpVersion = Inet4Address.class;
+                        break;
+                    }
 
-                // Delete connection file
-                deleteConnectionFile
-                    = Optional.ofNullable(c.get("deleteConnectionFile"))
-                        .filter(v -> v instanceof String).map(v -> (String) v)
-                        .map(Boolean::parseBoolean).orElse(true);
+                    // Delete connection file
+                    deleteConnectionFile
+                        = Optional.ofNullable(c.get("deleteConnectionFile"))
+                            .filter(v -> v instanceof String)
+                            .map(v -> (String) v)
+                            .map(Boolean::parseBoolean).orElse(true);
 
-                // Users or roles for which previews should be synchronized
-                syncUsers = ((List<Map<String, String>>) c.getOrDefault(
-                    "syncPreviewsFor", Collections.emptyList())).stream()
-                        .map(m -> m.get("user"))
-                        .filter(s -> s != null).collect(Collectors.toSet());
-                logger.finest(() -> "Syncing previews for users: "
-                    + syncUsers.toString());
-                syncRoles = ((List<Map<String, String>>) c.getOrDefault(
-                    "syncPreviewsFor", Collections.emptyList())).stream()
-                        .map(m -> m.get("role"))
-                        .filter(s -> s != null).collect(Collectors.toSet());
-                logger.finest(() -> "Syncing previews for roles: "
-                    + syncRoles.toString());
-            } catch (ClassCastException e) {
-                logger.config("Malformed configuration: " + e.getMessage());
-            }
-        });
+                    // Users or roles for which previews should be synchronized
+                    syncUsers = ((List<Map<String, String>>) c.getOrDefault(
+                        "syncPreviewsFor", Collections.emptyList())).stream()
+                            .map(m -> m.get("user"))
+                            .filter(s -> s != null).collect(Collectors.toSet());
+                    logger.finest(() -> "Syncing previews for users: "
+                        + syncUsers.toString());
+                    syncRoles = ((List<Map<String, String>>) c.getOrDefault(
+                        "syncPreviewsFor", Collections.emptyList())).stream()
+                            .map(m -> m.get("role"))
+                            .filter(s -> s != null).collect(Collectors.toSet());
+                    logger.finest(() -> "Syncing previews for roles: "
+                        + syncRoles.toString());
+                } catch (ClassCastException e) {
+                    logger.config("Malformed configuration: " + e.getMessage());
+                }
+            });
     }
 
     private boolean syncPreviews(Session session) {
diff --git a/webpages/vm-operator/upgrading.md b/webpages/vm-operator/upgrading.md
index ec5da7e..a794ab6 100644
--- a/webpages/vm-operator/upgrading.md
+++ b/webpages/vm-operator/upgrading.md
@@ -5,6 +5,19 @@ layout: vm-operator
 
 # Upgrading
 
+## To version 4.0.0
+
+The VmViewer conlet has been renamed to VmAccess. This affects the
+[configuration](https://jdrupes.org/vm-operator/user-gui.html). Configuration information using the old path
+"/Manager/GuiHttpServer/ConsoleWeblet/WebConsole/ComponentCollector/VmViewer"
+is still accepted for backward compatibility, but should be updated.
+
+The change of name also causes conlets added to the overview page by
+users to "disappear" from the GUI. They have to be re-added. 
+
+The latter behavior also applies to the VmConlet conlet which has been
+renamed to VmMgmt.
+
 ## To version 3.4.0
 
 Starting with this version, the VM-Operator no longer uses a stateful set

From e839f7b3b2dd34a658ab776cc4142a20bfc66e59 Mon Sep 17 00:00:00 2001
From: "Michael N. Lipp" <mnl@mnl.de>
Date: Sat, 23 Nov 2024 14:08:45 +0100
Subject: [PATCH 050/274] Rename conlet.

---
 org.jdrupes.vmoperator.manager/build.gradle    |  2 +-
 ...apes.webconsole.base.ConletComponentFactory |  1 -
 .../.checkstyle                                |  0
 .../.eclipse-pmd                               |  0
 .../.eslintignore                              |  0
 .../.eslintrc.json                             |  0
 .../.gitignore                                 |  0
 .../.settings/org.eclipse.buildship.core.prefs |  0
 .../.settings/org.eclipse.core.resources.prefs |  0
 .../.settings/org.eclipse.core.runtime.prefs   |  0
 .../.settings/org.eclipse.jdt.ui.prefs         |  0
 .../build.gradle                               |  0
 .../package.json                               |  0
 ...apes.webconsole.base.ConletComponentFactory |  1 +
 .../vmmgmt/VmMgmt-l10nBundles.ftl.js           |  0
 .../vmoperator/vmmgmt/VmMgmt-preview.ftl.html  |  4 ++--
 .../vmoperator/vmmgmt/VmMgmt-view.ftl.html     | 10 +++++-----
 .../jdrupes/vmoperator/vmmgmt}/l10n.properties |  2 +-
 .../vmoperator/vmmgmt}/l10n_de.properties      |  2 +-
 .../vmoperator/vmmgmt}/l10n_en.properties      |  0
 .../rollup.config.mjs                          |  4 ++--
 .../jdrupes/vmoperator/vmmgmt}/TimeSeries.java |  2 +-
 .../org/jdrupes/vmoperator/vmmgmt/VmMgmt.java  | 14 +++++++-------
 .../vmoperator/vmmgmt/VmMgmtFactory.java       | 10 +++++-----
 .../browser/ConditionalInputController.ts      |  0
 .../vmoperator/vmmgmt}/browser/CpuRamChart.ts  |  0
 .../vmoperator/vmmgmt}/browser/MemorySize.ts   |  0
 .../vmoperator/vmmgmt}/browser/TimeSeries.ts   |  0
 .../vmmgmt/browser/VmMgmt-functions.ts         | 18 +++++++++---------
 .../vmmgmt/browser/VmMgmt-style.scss           |  8 ++++----
 .../vmmgmt}/browser/l10nBundles-stub.d.ts      |  0
 .../vmoperator/vmmgmt}/package-info.java       |  2 +-
 .../tsconfig.json                              |  2 +-
 settings.gradle                                |  2 +-
 34 files changed, 42 insertions(+), 42 deletions(-)
 delete mode 100644 org.jdrupes.vmoperator.vmconlet/resources/META-INF/services/org.jgrapes.webconsole.base.ConletComponentFactory
 rename {org.jdrupes.vmoperator.vmconlet => org.jdrupes.vmoperator.vmmgmt}/.checkstyle (100%)
 rename {org.jdrupes.vmoperator.vmconlet => org.jdrupes.vmoperator.vmmgmt}/.eclipse-pmd (100%)
 rename {org.jdrupes.vmoperator.vmconlet => org.jdrupes.vmoperator.vmmgmt}/.eslintignore (100%)
 rename {org.jdrupes.vmoperator.vmconlet => org.jdrupes.vmoperator.vmmgmt}/.eslintrc.json (100%)
 rename {org.jdrupes.vmoperator.vmconlet => org.jdrupes.vmoperator.vmmgmt}/.gitignore (100%)
 rename {org.jdrupes.vmoperator.vmconlet => org.jdrupes.vmoperator.vmmgmt}/.settings/org.eclipse.buildship.core.prefs (100%)
 rename {org.jdrupes.vmoperator.vmconlet => org.jdrupes.vmoperator.vmmgmt}/.settings/org.eclipse.core.resources.prefs (100%)
 rename {org.jdrupes.vmoperator.vmconlet => org.jdrupes.vmoperator.vmmgmt}/.settings/org.eclipse.core.runtime.prefs (100%)
 rename {org.jdrupes.vmoperator.vmconlet => org.jdrupes.vmoperator.vmmgmt}/.settings/org.eclipse.jdt.ui.prefs (100%)
 rename {org.jdrupes.vmoperator.vmconlet => org.jdrupes.vmoperator.vmmgmt}/build.gradle (100%)
 rename {org.jdrupes.vmoperator.vmconlet => org.jdrupes.vmoperator.vmmgmt}/package.json (100%)
 create mode 100644 org.jdrupes.vmoperator.vmmgmt/resources/META-INF/services/org.jgrapes.webconsole.base.ConletComponentFactory
 rename org.jdrupes.vmoperator.vmconlet/resources/org/jdrupes/vmoperator/vmconlet/VmConlet-l10nBundles.ftl.js => org.jdrupes.vmoperator.vmmgmt/resources/org/jdrupes/vmoperator/vmmgmt/VmMgmt-l10nBundles.ftl.js (100%)
 rename org.jdrupes.vmoperator.vmconlet/resources/org/jdrupes/vmoperator/vmconlet/VmConlet-preview.ftl.html => org.jdrupes.vmoperator.vmmgmt/resources/org/jdrupes/vmoperator/vmmgmt/VmMgmt-preview.ftl.html (88%)
 rename org.jdrupes.vmoperator.vmconlet/resources/org/jdrupes/vmoperator/vmconlet/VmConlet-view.ftl.html => org.jdrupes.vmoperator.vmmgmt/resources/org/jdrupes/vmoperator/vmmgmt/VmMgmt-view.ftl.html (93%)
 rename {org.jdrupes.vmoperator.vmconlet/resources/org/jdrupes/vmoperator/vmconlet => org.jdrupes.vmoperator.vmmgmt/resources/org/jdrupes/vmoperator/vmmgmt}/l10n.properties (92%)
 rename {org.jdrupes.vmoperator.vmconlet/resources/org/jdrupes/vmoperator/vmconlet => org.jdrupes.vmoperator.vmmgmt/resources/org/jdrupes/vmoperator/vmmgmt}/l10n_de.properties (94%)
 rename {org.jdrupes.vmoperator.vmconlet/resources/org/jdrupes/vmoperator/vmconlet => org.jdrupes.vmoperator.vmmgmt/resources/org/jdrupes/vmoperator/vmmgmt}/l10n_en.properties (100%)
 rename {org.jdrupes.vmoperator.vmconlet => org.jdrupes.vmoperator.vmmgmt}/rollup.config.mjs (93%)
 rename {org.jdrupes.vmoperator.vmconlet/src/org/jdrupes/vmoperator/vmconlet => org.jdrupes.vmoperator.vmmgmt/src/org/jdrupes/vmoperator/vmmgmt}/TimeSeries.java (98%)
 rename org.jdrupes.vmoperator.vmconlet/src/org/jdrupes/vmoperator/vmconlet/VmConlet.java => org.jdrupes.vmoperator.vmmgmt/src/org/jdrupes/vmoperator/vmmgmt/VmMgmt.java (97%)
 rename org.jdrupes.vmoperator.vmconlet/src/org/jdrupes/vmoperator/vmconlet/VmConletFactory.java => org.jdrupes.vmoperator.vmmgmt/src/org/jdrupes/vmoperator/vmmgmt/VmMgmtFactory.java (85%)
 rename {org.jdrupes.vmoperator.vmconlet/src/org/jdrupes/vmoperator/vmconlet => org.jdrupes.vmoperator.vmmgmt/src/org/jdrupes/vmoperator/vmmgmt}/browser/ConditionalInputController.ts (100%)
 rename {org.jdrupes.vmoperator.vmconlet/src/org/jdrupes/vmoperator/vmconlet => org.jdrupes.vmoperator.vmmgmt/src/org/jdrupes/vmoperator/vmmgmt}/browser/CpuRamChart.ts (100%)
 rename {org.jdrupes.vmoperator.vmconlet/src/org/jdrupes/vmoperator/vmconlet => org.jdrupes.vmoperator.vmmgmt/src/org/jdrupes/vmoperator/vmmgmt}/browser/MemorySize.ts (100%)
 rename {org.jdrupes.vmoperator.vmconlet/src/org/jdrupes/vmoperator/vmconlet => org.jdrupes.vmoperator.vmmgmt/src/org/jdrupes/vmoperator/vmmgmt}/browser/TimeSeries.ts (100%)
 rename org.jdrupes.vmoperator.vmconlet/src/org/jdrupes/vmoperator/vmconlet/browser/VmConlet-functions.ts => org.jdrupes.vmoperator.vmmgmt/src/org/jdrupes/vmoperator/vmmgmt/browser/VmMgmt-functions.ts (93%)
 rename org.jdrupes.vmoperator.vmconlet/src/org/jdrupes/vmoperator/vmconlet/browser/VmConlet-style.scss => org.jdrupes.vmoperator.vmmgmt/src/org/jdrupes/vmoperator/vmmgmt/browser/VmMgmt-style.scss (91%)
 rename {org.jdrupes.vmoperator.vmconlet/src/org/jdrupes/vmoperator/vmconlet => org.jdrupes.vmoperator.vmmgmt/src/org/jdrupes/vmoperator/vmmgmt}/browser/l10nBundles-stub.d.ts (100%)
 rename {org.jdrupes.vmoperator.vmconlet/src/org/jdrupes/vmoperator/vmconlet => org.jdrupes.vmoperator.vmmgmt/src/org/jdrupes/vmoperator/vmmgmt}/package-info.java (94%)
 rename {org.jdrupes.vmoperator.vmconlet => org.jdrupes.vmoperator.vmmgmt}/tsconfig.json (91%)

diff --git a/org.jdrupes.vmoperator.manager/build.gradle b/org.jdrupes.vmoperator.manager/build.gradle
index cefac0b..b581971 100644
--- a/org.jdrupes.vmoperator.manager/build.gradle
+++ b/org.jdrupes.vmoperator.manager/build.gradle
@@ -31,8 +31,8 @@ dependencies {
     runtimeOnly 'org.slf4j:slf4j-jdk14:[2.0.7,3)'
     runtimeOnly 'org.apache.logging.log4j:log4j-to-jul:2.20.0'
 
+    runtimeOnly project(':org.jdrupes.vmoperator.vmmgmt')
     runtimeOnly project(':org.jdrupes.vmoperator.vmaccess')
-    runtimeOnly project(':org.jdrupes.vmoperator.vmconlet')
 }
 
 application {
diff --git a/org.jdrupes.vmoperator.vmconlet/resources/META-INF/services/org.jgrapes.webconsole.base.ConletComponentFactory b/org.jdrupes.vmoperator.vmconlet/resources/META-INF/services/org.jgrapes.webconsole.base.ConletComponentFactory
deleted file mode 100644
index 5a22dc7..0000000
--- a/org.jdrupes.vmoperator.vmconlet/resources/META-INF/services/org.jgrapes.webconsole.base.ConletComponentFactory
+++ /dev/null
@@ -1 +0,0 @@
-org.jdrupes.vmoperator.vmconlet.VmConletFactory
diff --git a/org.jdrupes.vmoperator.vmconlet/.checkstyle b/org.jdrupes.vmoperator.vmmgmt/.checkstyle
similarity index 100%
rename from org.jdrupes.vmoperator.vmconlet/.checkstyle
rename to org.jdrupes.vmoperator.vmmgmt/.checkstyle
diff --git a/org.jdrupes.vmoperator.vmconlet/.eclipse-pmd b/org.jdrupes.vmoperator.vmmgmt/.eclipse-pmd
similarity index 100%
rename from org.jdrupes.vmoperator.vmconlet/.eclipse-pmd
rename to org.jdrupes.vmoperator.vmmgmt/.eclipse-pmd
diff --git a/org.jdrupes.vmoperator.vmconlet/.eslintignore b/org.jdrupes.vmoperator.vmmgmt/.eslintignore
similarity index 100%
rename from org.jdrupes.vmoperator.vmconlet/.eslintignore
rename to org.jdrupes.vmoperator.vmmgmt/.eslintignore
diff --git a/org.jdrupes.vmoperator.vmconlet/.eslintrc.json b/org.jdrupes.vmoperator.vmmgmt/.eslintrc.json
similarity index 100%
rename from org.jdrupes.vmoperator.vmconlet/.eslintrc.json
rename to org.jdrupes.vmoperator.vmmgmt/.eslintrc.json
diff --git a/org.jdrupes.vmoperator.vmconlet/.gitignore b/org.jdrupes.vmoperator.vmmgmt/.gitignore
similarity index 100%
rename from org.jdrupes.vmoperator.vmconlet/.gitignore
rename to org.jdrupes.vmoperator.vmmgmt/.gitignore
diff --git a/org.jdrupes.vmoperator.vmconlet/.settings/org.eclipse.buildship.core.prefs b/org.jdrupes.vmoperator.vmmgmt/.settings/org.eclipse.buildship.core.prefs
similarity index 100%
rename from org.jdrupes.vmoperator.vmconlet/.settings/org.eclipse.buildship.core.prefs
rename to org.jdrupes.vmoperator.vmmgmt/.settings/org.eclipse.buildship.core.prefs
diff --git a/org.jdrupes.vmoperator.vmconlet/.settings/org.eclipse.core.resources.prefs b/org.jdrupes.vmoperator.vmmgmt/.settings/org.eclipse.core.resources.prefs
similarity index 100%
rename from org.jdrupes.vmoperator.vmconlet/.settings/org.eclipse.core.resources.prefs
rename to org.jdrupes.vmoperator.vmmgmt/.settings/org.eclipse.core.resources.prefs
diff --git a/org.jdrupes.vmoperator.vmconlet/.settings/org.eclipse.core.runtime.prefs b/org.jdrupes.vmoperator.vmmgmt/.settings/org.eclipse.core.runtime.prefs
similarity index 100%
rename from org.jdrupes.vmoperator.vmconlet/.settings/org.eclipse.core.runtime.prefs
rename to org.jdrupes.vmoperator.vmmgmt/.settings/org.eclipse.core.runtime.prefs
diff --git a/org.jdrupes.vmoperator.vmconlet/.settings/org.eclipse.jdt.ui.prefs b/org.jdrupes.vmoperator.vmmgmt/.settings/org.eclipse.jdt.ui.prefs
similarity index 100%
rename from org.jdrupes.vmoperator.vmconlet/.settings/org.eclipse.jdt.ui.prefs
rename to org.jdrupes.vmoperator.vmmgmt/.settings/org.eclipse.jdt.ui.prefs
diff --git a/org.jdrupes.vmoperator.vmconlet/build.gradle b/org.jdrupes.vmoperator.vmmgmt/build.gradle
similarity index 100%
rename from org.jdrupes.vmoperator.vmconlet/build.gradle
rename to org.jdrupes.vmoperator.vmmgmt/build.gradle
diff --git a/org.jdrupes.vmoperator.vmconlet/package.json b/org.jdrupes.vmoperator.vmmgmt/package.json
similarity index 100%
rename from org.jdrupes.vmoperator.vmconlet/package.json
rename to org.jdrupes.vmoperator.vmmgmt/package.json
diff --git a/org.jdrupes.vmoperator.vmmgmt/resources/META-INF/services/org.jgrapes.webconsole.base.ConletComponentFactory b/org.jdrupes.vmoperator.vmmgmt/resources/META-INF/services/org.jgrapes.webconsole.base.ConletComponentFactory
new file mode 100644
index 0000000..d7d7c8d
--- /dev/null
+++ b/org.jdrupes.vmoperator.vmmgmt/resources/META-INF/services/org.jgrapes.webconsole.base.ConletComponentFactory
@@ -0,0 +1 @@
+org.jdrupes.vmoperator.vmmgmt.VmMgmtFactory
diff --git a/org.jdrupes.vmoperator.vmconlet/resources/org/jdrupes/vmoperator/vmconlet/VmConlet-l10nBundles.ftl.js b/org.jdrupes.vmoperator.vmmgmt/resources/org/jdrupes/vmoperator/vmmgmt/VmMgmt-l10nBundles.ftl.js
similarity index 100%
rename from org.jdrupes.vmoperator.vmconlet/resources/org/jdrupes/vmoperator/vmconlet/VmConlet-l10nBundles.ftl.js
rename to org.jdrupes.vmoperator.vmmgmt/resources/org/jdrupes/vmoperator/vmmgmt/VmMgmt-l10nBundles.ftl.js
diff --git a/org.jdrupes.vmoperator.vmconlet/resources/org/jdrupes/vmoperator/vmconlet/VmConlet-preview.ftl.html b/org.jdrupes.vmoperator.vmmgmt/resources/org/jdrupes/vmoperator/vmmgmt/VmMgmt-preview.ftl.html
similarity index 88%
rename from org.jdrupes.vmoperator.vmconlet/resources/org/jdrupes/vmoperator/vmconlet/VmConlet-preview.ftl.html
rename to org.jdrupes.vmoperator.vmmgmt/resources/org/jdrupes/vmoperator/vmmgmt/VmMgmt-preview.ftl.html
index 0c6aa37..8c9970a 100644
--- a/org.jdrupes.vmoperator.vmconlet/resources/org/jdrupes/vmoperator/vmconlet/VmConlet-preview.ftl.html
+++ b/org.jdrupes.vmoperator.vmmgmt/resources/org/jdrupes/vmoperator/vmmgmt/VmMgmt-preview.ftl.html
@@ -1,6 +1,6 @@
-<div class="jdrupes-vmoperator-vmconlet jdrupes-vmoperator-vmconlet-preview"
+<div class="jdrupes-vmoperator-vmmgmt jdrupes-vmoperator-vmmgmt-preview"
   data-conlet-grid-rows="5"
-  data-jgwc-on-load="orgJDrupesVmOperatorVmConlet.initPreview"
+  data-jgwc-on-load="orgJDrupesVmOperatorVmMgmt.initPreview"
   data-jgwc-on-unload="JGConsole.jgwc.unmountVueApps">
   
   <form>
diff --git a/org.jdrupes.vmoperator.vmconlet/resources/org/jdrupes/vmoperator/vmconlet/VmConlet-view.ftl.html b/org.jdrupes.vmoperator.vmmgmt/resources/org/jdrupes/vmoperator/vmmgmt/VmMgmt-view.ftl.html
similarity index 93%
rename from org.jdrupes.vmoperator.vmconlet/resources/org/jdrupes/vmoperator/vmconlet/VmConlet-view.ftl.html
rename to org.jdrupes.vmoperator.vmmgmt/resources/org/jdrupes/vmoperator/vmmgmt/VmMgmt-view.ftl.html
index 0af656b..6b46faa 100644
--- a/org.jdrupes.vmoperator.vmconlet/resources/org/jdrupes/vmoperator/vmconlet/VmConlet-view.ftl.html
+++ b/org.jdrupes.vmoperator.vmmgmt/resources/org/jdrupes/vmoperator/vmmgmt/VmMgmt-view.ftl.html
@@ -1,7 +1,7 @@
-<div class="jdrupes-vmoperator-vmconlet jdrupes-vmoperator-vmconlet-view"
-  data-jgwc-on-load="orgJDrupesVmOperatorVmConlet.initView"
+<div class="jdrupes-vmoperator-vmmgmt jdrupes-vmoperator-vmmgmt-view"
+  data-jgwc-on-load="orgJDrupesVmOperatorVmMgmt.initView"
   data-jgwc-on-unload="JGConsole.jgwc.unmountVueApps">
-  <div class="jdrupes-vmoperator-vmconlet-view-search">
+  <div class="jdrupes-vmoperator-vmmgmt-view-search">
     <form>
       <label class="form__label--horizontal">
         <span>{{ localize("Filter") }}</span>
@@ -13,7 +13,7 @@
     </form>
   </div>
   <table 
-    class="table--basic--striped jdrupes-vmoperator-vmconlet-view-table">
+    class="table--basic--striped jdrupes-vmoperator-vmmgmt-view-table">
     <thead>
       <tr>
         <th v-for="key in controller.keys"
@@ -51,7 +51,7 @@
             <span v-else
               v-html="controller.breakBeforeDots(entry[key])"></span>
           </td>
-          <td class="jdrupes-vmoperator-vmconlet-view-action-list">
+          <td class="jdrupes-vmoperator-vmmgmt-view-action-list">
             <span role="button" 
               v-if="entry.spec.vm.state != 'Running' && !entry['running']" 
               tabindex="0" class="fa fa-play" :title="localize('Start VM')"
diff --git a/org.jdrupes.vmoperator.vmconlet/resources/org/jdrupes/vmoperator/vmconlet/l10n.properties b/org.jdrupes.vmoperator.vmmgmt/resources/org/jdrupes/vmoperator/vmmgmt/l10n.properties
similarity index 92%
rename from org.jdrupes.vmoperator.vmconlet/resources/org/jdrupes/vmoperator/vmconlet/l10n.properties
rename to org.jdrupes.vmoperator.vmmgmt/resources/org/jdrupes/vmoperator/vmmgmt/l10n.properties
index 4ab3a3f..88f1403 100644
--- a/org.jdrupes.vmoperator.vmconlet/resources/org/jdrupes/vmoperator/vmconlet/l10n.properties
+++ b/org.jdrupes.vmoperator.vmmgmt/resources/org/jdrupes/vmoperator/vmmgmt/l10n.properties
@@ -1,4 +1,4 @@
-conletName = VM Infos
+conletName = VM Management
 
 VMsSummary = VMs (running/total)
 
diff --git a/org.jdrupes.vmoperator.vmconlet/resources/org/jdrupes/vmoperator/vmconlet/l10n_de.properties b/org.jdrupes.vmoperator.vmmgmt/resources/org/jdrupes/vmoperator/vmmgmt/l10n_de.properties
similarity index 94%
rename from org.jdrupes.vmoperator.vmconlet/resources/org/jdrupes/vmoperator/vmconlet/l10n_de.properties
rename to org.jdrupes.vmoperator.vmmgmt/resources/org/jdrupes/vmoperator/vmmgmt/l10n_de.properties
index 15a8b68..80e36d2 100644
--- a/org.jdrupes.vmoperator.vmconlet/resources/org/jdrupes/vmoperator/vmconlet/l10n_de.properties
+++ b/org.jdrupes.vmoperator.vmmgmt/resources/org/jdrupes/vmoperator/vmmgmt/l10n_de.properties
@@ -1,4 +1,4 @@
-conletName = VM-Informationen
+conletName = VM-Management
 
 VMsSummary = VMs (gestartet/gesamt)
 
diff --git a/org.jdrupes.vmoperator.vmconlet/resources/org/jdrupes/vmoperator/vmconlet/l10n_en.properties b/org.jdrupes.vmoperator.vmmgmt/resources/org/jdrupes/vmoperator/vmmgmt/l10n_en.properties
similarity index 100%
rename from org.jdrupes.vmoperator.vmconlet/resources/org/jdrupes/vmoperator/vmconlet/l10n_en.properties
rename to org.jdrupes.vmoperator.vmmgmt/resources/org/jdrupes/vmoperator/vmmgmt/l10n_en.properties
diff --git a/org.jdrupes.vmoperator.vmconlet/rollup.config.mjs b/org.jdrupes.vmoperator.vmmgmt/rollup.config.mjs
similarity index 93%
rename from org.jdrupes.vmoperator.vmconlet/rollup.config.mjs
rename to org.jdrupes.vmoperator.vmmgmt/rollup.config.mjs
index 83964f7..59aff08 100644
--- a/org.jdrupes.vmoperator.vmconlet/rollup.config.mjs
+++ b/org.jdrupes.vmoperator.vmmgmt/rollup.config.mjs
@@ -1,8 +1,8 @@
 import typescript from 'rollup-plugin-typescript2';
 import postcss from 'rollup-plugin-postcss';
 
-let packagePath = "org/jdrupes/vmoperator/vmconlet";
-let baseName = "VmConlet"
+let packagePath = "org/jdrupes/vmoperator/vmmgmt";
+let baseName = "VmMgmt"
 let module = "build/generated/resources/" + packagePath 
     +  "/" + baseName + "-functions.js";
 
diff --git a/org.jdrupes.vmoperator.vmconlet/src/org/jdrupes/vmoperator/vmconlet/TimeSeries.java b/org.jdrupes.vmoperator.vmmgmt/src/org/jdrupes/vmoperator/vmmgmt/TimeSeries.java
similarity index 98%
rename from org.jdrupes.vmoperator.vmconlet/src/org/jdrupes/vmoperator/vmconlet/TimeSeries.java
rename to org.jdrupes.vmoperator.vmmgmt/src/org/jdrupes/vmoperator/vmmgmt/TimeSeries.java
index 62bdf55..29d0b8e 100644
--- a/org.jdrupes.vmoperator.vmconlet/src/org/jdrupes/vmoperator/vmconlet/TimeSeries.java
+++ b/org.jdrupes.vmoperator.vmmgmt/src/org/jdrupes/vmoperator/vmmgmt/TimeSeries.java
@@ -16,7 +16,7 @@
  * along with this program.  If not, see <https://www.gnu.org/licenses/>.
  */
 
-package org.jdrupes.vmoperator.vmconlet;
+package org.jdrupes.vmoperator.vmmgmt;
 
 import java.time.Duration;
 import java.time.Instant;
diff --git a/org.jdrupes.vmoperator.vmconlet/src/org/jdrupes/vmoperator/vmconlet/VmConlet.java b/org.jdrupes.vmoperator.vmmgmt/src/org/jdrupes/vmoperator/vmmgmt/VmMgmt.java
similarity index 97%
rename from org.jdrupes.vmoperator.vmconlet/src/org/jdrupes/vmoperator/vmconlet/VmConlet.java
rename to org.jdrupes.vmoperator.vmmgmt/src/org/jdrupes/vmoperator/vmmgmt/VmMgmt.java
index 7244f56..8395b4c 100644
--- a/org.jdrupes.vmoperator.vmconlet/src/org/jdrupes/vmoperator/vmconlet/VmConlet.java
+++ b/org.jdrupes.vmoperator.vmmgmt/src/org/jdrupes/vmoperator/vmmgmt/VmMgmt.java
@@ -16,7 +16,7 @@
  * along with this program.  If not, see <https://www.gnu.org/licenses/>.
  */
 
-package org.jdrupes.vmoperator.vmconlet;
+package org.jdrupes.vmoperator.vmmgmt;
 
 import freemarker.core.ParseException;
 import freemarker.template.MalformedTemplateNameException;
@@ -61,11 +61,11 @@ import org.jgrapes.webconsole.base.events.SetLocale;
 import org.jgrapes.webconsole.base.freemarker.FreeMarkerConlet;
 
 /**
- * The Class VmConlet.
+ * The Class {@link VmMgmt}.
  */
 @SuppressWarnings({ "PMD.DataflowAnomalyAnalysis",
     "PMD.CouplingBetweenObjects" })
-public class VmConlet extends FreeMarkerConlet<VmConlet.VmsModel> {
+public class VmMgmt extends FreeMarkerConlet<VmMgmt.VmsModel> {
 
     private static final Set<RenderMode> MODES = RenderMode.asSet(
         RenderMode.Preview, RenderMode.View);
@@ -88,7 +88,7 @@ public class VmConlet extends FreeMarkerConlet<VmConlet.VmsModel> {
      * sends the event to
      */
     @SuppressWarnings("PMD.ConstructorCallsOverridableMethod")
-    public VmConlet(Channel componentChannel) {
+    public VmMgmt(Channel componentChannel) {
         super(componentChannel);
         setPeriodicRefresh(Duration.ofMinutes(1), () -> new Update());
     }
@@ -115,7 +115,7 @@ public class VmConlet extends FreeMarkerConlet<VmConlet.VmsModel> {
             .addRenderMode(RenderMode.Preview)
             .addScript(new ScriptResource().setScriptType("module")
                 .setScriptUri(event.renderSupport().conletResource(
-                    type(), "VmConlet-functions.js"))));
+                    type(), "VmMgmt-functions.js"))));
     }
 
     @Override
@@ -133,7 +133,7 @@ public class VmConlet extends FreeMarkerConlet<VmConlet.VmsModel> {
         boolean sendVmInfos = false;
         if (event.renderAs().contains(RenderMode.Preview)) {
             Template tpl
-                = freemarkerConfig().getTemplate("VmConlet-preview.ftl.html");
+                = freemarkerConfig().getTemplate("VmMgmt-preview.ftl.html");
             channel.respond(new RenderConlet(type(), conletId,
                 processTemplate(event, tpl,
                     fmModel(event, channel, conletId, conletState)))
@@ -150,7 +150,7 @@ public class VmConlet extends FreeMarkerConlet<VmConlet.VmsModel> {
         }
         if (event.renderAs().contains(RenderMode.View)) {
             Template tpl
-                = freemarkerConfig().getTemplate("VmConlet-view.ftl.html");
+                = freemarkerConfig().getTemplate("VmMgmt-view.ftl.html");
             channel.respond(new RenderConlet(type(), conletId,
                 processTemplate(event, tpl,
                     fmModel(event, channel, conletId, conletState)))
diff --git a/org.jdrupes.vmoperator.vmconlet/src/org/jdrupes/vmoperator/vmconlet/VmConletFactory.java b/org.jdrupes.vmoperator.vmmgmt/src/org/jdrupes/vmoperator/vmmgmt/VmMgmtFactory.java
similarity index 85%
rename from org.jdrupes.vmoperator.vmconlet/src/org/jdrupes/vmoperator/vmconlet/VmConletFactory.java
rename to org.jdrupes.vmoperator.vmmgmt/src/org/jdrupes/vmoperator/vmmgmt/VmMgmtFactory.java
index d77ceb6..922f938 100644
--- a/org.jdrupes.vmoperator.vmconlet/src/org/jdrupes/vmoperator/vmconlet/VmConletFactory.java
+++ b/org.jdrupes.vmoperator.vmmgmt/src/org/jdrupes/vmoperator/vmmgmt/VmMgmtFactory.java
@@ -16,7 +16,7 @@
  * along with this program.  If not, see <https://www.gnu.org/licenses/>.
  */
 
-package org.jdrupes.vmoperator.vmconlet;
+package org.jdrupes.vmoperator.vmmgmt;
 
 import java.util.Map;
 import java.util.Optional;
@@ -25,9 +25,9 @@ import org.jgrapes.core.ComponentType;
 import org.jgrapes.webconsole.base.ConletComponentFactory;
 
 /**
- * The factory service for {@link VmConlet}s.
+ * The factory service for {@link VmMgmt}s.
  */
-public class VmConletFactory implements ConletComponentFactory {
+public class VmMgmtFactory implements ConletComponentFactory {
 
     /*
      * (non-Javadoc)
@@ -36,7 +36,7 @@ public class VmConletFactory implements ConletComponentFactory {
      */
     @Override
     public Class<? extends ComponentType> componentType() {
-        return VmConlet.class;
+        return VmMgmt.class;
     }
 
     /*
@@ -48,7 +48,7 @@ public class VmConletFactory implements ConletComponentFactory {
     @Override
     public Optional<ComponentType> create(Channel componentChannel,
             Map<?, ?> properties) {
-        return Optional.of(new VmConlet(componentChannel));
+        return Optional.of(new VmMgmt(componentChannel));
     }
 
 }
diff --git a/org.jdrupes.vmoperator.vmconlet/src/org/jdrupes/vmoperator/vmconlet/browser/ConditionalInputController.ts b/org.jdrupes.vmoperator.vmmgmt/src/org/jdrupes/vmoperator/vmmgmt/browser/ConditionalInputController.ts
similarity index 100%
rename from org.jdrupes.vmoperator.vmconlet/src/org/jdrupes/vmoperator/vmconlet/browser/ConditionalInputController.ts
rename to org.jdrupes.vmoperator.vmmgmt/src/org/jdrupes/vmoperator/vmmgmt/browser/ConditionalInputController.ts
diff --git a/org.jdrupes.vmoperator.vmconlet/src/org/jdrupes/vmoperator/vmconlet/browser/CpuRamChart.ts b/org.jdrupes.vmoperator.vmmgmt/src/org/jdrupes/vmoperator/vmmgmt/browser/CpuRamChart.ts
similarity index 100%
rename from org.jdrupes.vmoperator.vmconlet/src/org/jdrupes/vmoperator/vmconlet/browser/CpuRamChart.ts
rename to org.jdrupes.vmoperator.vmmgmt/src/org/jdrupes/vmoperator/vmmgmt/browser/CpuRamChart.ts
diff --git a/org.jdrupes.vmoperator.vmconlet/src/org/jdrupes/vmoperator/vmconlet/browser/MemorySize.ts b/org.jdrupes.vmoperator.vmmgmt/src/org/jdrupes/vmoperator/vmmgmt/browser/MemorySize.ts
similarity index 100%
rename from org.jdrupes.vmoperator.vmconlet/src/org/jdrupes/vmoperator/vmconlet/browser/MemorySize.ts
rename to org.jdrupes.vmoperator.vmmgmt/src/org/jdrupes/vmoperator/vmmgmt/browser/MemorySize.ts
diff --git a/org.jdrupes.vmoperator.vmconlet/src/org/jdrupes/vmoperator/vmconlet/browser/TimeSeries.ts b/org.jdrupes.vmoperator.vmmgmt/src/org/jdrupes/vmoperator/vmmgmt/browser/TimeSeries.ts
similarity index 100%
rename from org.jdrupes.vmoperator.vmconlet/src/org/jdrupes/vmoperator/vmconlet/browser/TimeSeries.ts
rename to org.jdrupes.vmoperator.vmmgmt/src/org/jdrupes/vmoperator/vmmgmt/browser/TimeSeries.ts
diff --git a/org.jdrupes.vmoperator.vmconlet/src/org/jdrupes/vmoperator/vmconlet/browser/VmConlet-functions.ts b/org.jdrupes.vmoperator.vmmgmt/src/org/jdrupes/vmoperator/vmmgmt/browser/VmMgmt-functions.ts
similarity index 93%
rename from org.jdrupes.vmoperator.vmconlet/src/org/jdrupes/vmoperator/vmconlet/browser/VmConlet-functions.ts
rename to org.jdrupes.vmoperator.vmmgmt/src/org/jdrupes/vmoperator/vmmgmt/browser/VmMgmt-functions.ts
index 01bd897..78f5851 100644
--- a/org.jdrupes.vmoperator.vmconlet/src/org/jdrupes/vmoperator/vmconlet/browser/VmConlet-functions.ts
+++ b/org.jdrupes.vmoperator.vmmgmt/src/org/jdrupes/vmoperator/vmmgmt/browser/VmMgmt-functions.ts
@@ -27,19 +27,19 @@ import { formatMemory, parseMemory } from "./MemorySize";
 import CpuRamChart from "./CpuRamChart";
 import ConditionlInputController from "./ConditionalInputController";
 
-import "./VmConlet-style.scss";
+import "./VmMgmt-style.scss";
 
 // For global access
 declare global {
     interface Window {
-        orgJDrupesVmOperatorVmConlet: { 
+        orgJDrupesVmOperatorVmMgmt: { 
             initPreview?: (previewDom: HTMLElement, isUpdate: boolean) => void,
             initView?: (viewDom: HTMLElement, isUpdate: boolean) => void
         }
     }
 }
 
-window.orgJDrupesVmOperatorVmConlet = {};
+window.orgJDrupesVmOperatorVmMgmt = {};
 
 const vmInfos = reactive(new Map());
 const vmSummary = reactive({
@@ -64,7 +64,7 @@ const shortDateTime = (time: Date) => {
 const chartData = new TimeSeries(2);
 const chartDateUpdate = ref<Date>(null);
 
-window.orgJDrupesVmOperatorVmConlet.initPreview = (previewDom: HTMLElement,
+window.orgJDrupesVmOperatorVmMgmt.initPreview = (previewDom: HTMLElement,
     _isUpdate: boolean) => {
     const app = createApp({
         setup(_props: object) {
@@ -98,7 +98,7 @@ window.orgJDrupesVmOperatorVmConlet.initPreview = (previewDom: HTMLElement,
     app.mount(previewDom);
 };
 
-window.orgJDrupesVmOperatorVmConlet.initView = (viewDom: HTMLElement,
+window.orgJDrupesVmOperatorVmMgmt.initView = (viewDom: HTMLElement,
     _isUpdate: boolean) => {
     const app = createApp({
         setup(_props: object) {
@@ -174,7 +174,7 @@ window.orgJDrupesVmOperatorVmConlet.initView = (viewDom: HTMLElement,
     app.mount(viewDom);
 };
 
-JGConsole.registerConletFunction("org.jdrupes.vmoperator.vmconlet.VmConlet",
+JGConsole.registerConletFunction("org.jdrupes.vmoperator.vmmgmt.VmMgmt",
     // eslint-disable-next-line @typescript-eslint/no-explicit-any
     "updateVm", function(_conletId: string, vmDefinition: any) {
         // Add some short-cuts for table controller
@@ -194,12 +194,12 @@ JGConsole.registerConletFunction("org.jdrupes.vmoperator.vmconlet.VmConlet",
         vmInfos.set(vmDefinition.name, vmDefinition);
     });
 
-JGConsole.registerConletFunction("org.jdrupes.vmoperator.vmconlet.VmConlet",
+JGConsole.registerConletFunction("org.jdrupes.vmoperator.vmmgmt.VmMgmt",
     "removeVm", function(_conletId: string, vmName: string) {
         vmInfos.delete(vmName);
     });
 
-JGConsole.registerConletFunction("org.jdrupes.vmoperator.vmconlet.VmConlet",
+JGConsole.registerConletFunction("org.jdrupes.vmoperator.vmmgmt.VmMgmt",
     // eslint-disable-next-line @typescript-eslint/no-explicit-any
     "summarySeries", function(_conletId: string, series: any[]) {
         chartData.clear();
@@ -210,7 +210,7 @@ JGConsole.registerConletFunction("org.jdrupes.vmoperator.vmconlet.VmConlet",
         chartDateUpdate.value = new Date();
 });
 
-JGConsole.registerConletFunction("org.jdrupes.vmoperator.vmconlet.VmConlet",
+JGConsole.registerConletFunction("org.jdrupes.vmoperator.vmmgmt.VmMgmt",
     // eslint-disable-next-line @typescript-eslint/no-explicit-any
     "updateSummary", function(_conletId: string, summary: any) {
         chartData.push(new Date(), summary.usedCpus, Number(summary.usedRam));
diff --git a/org.jdrupes.vmoperator.vmconlet/src/org/jdrupes/vmoperator/vmconlet/browser/VmConlet-style.scss b/org.jdrupes.vmoperator.vmmgmt/src/org/jdrupes/vmoperator/vmmgmt/browser/VmMgmt-style.scss
similarity index 91%
rename from org.jdrupes.vmoperator.vmconlet/src/org/jdrupes/vmoperator/vmconlet/browser/VmConlet-style.scss
rename to org.jdrupes.vmoperator.vmmgmt/src/org/jdrupes/vmoperator/vmmgmt/browser/VmMgmt-style.scss
index a5658e9..e02fe24 100644
--- a/org.jdrupes.vmoperator.vmconlet/src/org/jdrupes/vmoperator/vmconlet/browser/VmConlet-style.scss
+++ b/org.jdrupes.vmoperator.vmmgmt/src/org/jdrupes/vmoperator/vmmgmt/browser/VmMgmt-style.scss
@@ -20,7 +20,7 @@
  * Conlet specific styles.
  */
  
-.jdrupes-vmoperator-vmconlet-preview {
+.jdrupes-vmoperator-vmmgmt-preview {
   form {
     float: right;
     padding: 0.15em 0.3em;
@@ -37,7 +37,7 @@
   }    
 }
  
-.jdrupes-vmoperator-vmconlet-view-search {
+.jdrupes-vmoperator-vmmgmt-view-search {
   display: flex;
   justify-content: flex-end;
   
@@ -46,7 +46,7 @@
   }
 }
 
-.jdrupes-vmoperator-vmconlet-view-table {
+.jdrupes-vmoperator-vmmgmt-view-table {
   td {
     vertical-align: top;
 
@@ -94,7 +94,7 @@
   }
 }
 
-.jdrupes-vmoperator-vmconlet-view-action-list {
+.jdrupes-vmoperator-vmmgmt-view-action-list {
   white-space: nowrap;
 
   [role=button] {
diff --git a/org.jdrupes.vmoperator.vmconlet/src/org/jdrupes/vmoperator/vmconlet/browser/l10nBundles-stub.d.ts b/org.jdrupes.vmoperator.vmmgmt/src/org/jdrupes/vmoperator/vmmgmt/browser/l10nBundles-stub.d.ts
similarity index 100%
rename from org.jdrupes.vmoperator.vmconlet/src/org/jdrupes/vmoperator/vmconlet/browser/l10nBundles-stub.d.ts
rename to org.jdrupes.vmoperator.vmmgmt/src/org/jdrupes/vmoperator/vmmgmt/browser/l10nBundles-stub.d.ts
diff --git a/org.jdrupes.vmoperator.vmconlet/src/org/jdrupes/vmoperator/vmconlet/package-info.java b/org.jdrupes.vmoperator.vmmgmt/src/org/jdrupes/vmoperator/vmmgmt/package-info.java
similarity index 94%
rename from org.jdrupes.vmoperator.vmconlet/src/org/jdrupes/vmoperator/vmconlet/package-info.java
rename to org.jdrupes.vmoperator.vmmgmt/src/org/jdrupes/vmoperator/vmmgmt/package-info.java
index 2cbbfa7..c39c193 100644
--- a/org.jdrupes.vmoperator.vmconlet/src/org/jdrupes/vmoperator/vmconlet/package-info.java
+++ b/org.jdrupes.vmoperator.vmmgmt/src/org/jdrupes/vmoperator/vmmgmt/package-info.java
@@ -16,4 +16,4 @@
  * along with this program.  If not, see <https://www.gnu.org/licenses/>.
  */
 
-package org.jdrupes.vmoperator.vmconlet;
\ No newline at end of file
+package org.jdrupes.vmoperator.vmmgmt;
\ No newline at end of file
diff --git a/org.jdrupes.vmoperator.vmconlet/tsconfig.json b/org.jdrupes.vmoperator.vmmgmt/tsconfig.json
similarity index 91%
rename from org.jdrupes.vmoperator.vmconlet/tsconfig.json
rename to org.jdrupes.vmoperator.vmmgmt/tsconfig.json
index 5fb2dd7..96c4072 100644
--- a/org.jdrupes.vmoperator.vmconlet/tsconfig.json
+++ b/org.jdrupes.vmoperator.vmmgmt/tsconfig.json
@@ -14,7 +14,7 @@
       "aash-plugin": ["./build/unpacked/org/jgrapes/webconsole/provider/jgwcvuecomponents/aash-vue-components/lib/AashPlugin"],
       "jgconsole": ["./build/unpacked/org/jgrapes/webconsole/base/JGConsole"],
       "jgwc": ["./build/unpacked/org/jgrapes/webconsole/provider/jgwcvuecomponents/jgwc-vue-components/jgwc-components"],
-      "l10nBundles": ["./src/org/jdrupes/vmoperator/vmconlet/browser/l10nBundles-stub"],
+      "l10nBundles": ["./src/org/jdrupes/vmoperator/vmmgmt/browser/l10nBundles-stub"],
       "vue": ["./build/unpacked/org/jgrapes/webconsole/provider/vue/vue/vue"],
       "chartjs": ["./build/unpacked/org/jgrapes/webconsole/provider/chartjs/chart.js/auto/auto"]
     }
diff --git a/settings.gradle b/settings.gradle
index be8546d..4a3bfc8 100644
--- a/settings.gradle
+++ b/settings.gradle
@@ -13,7 +13,7 @@ rootProject.name = 'VM-Operator'
 include 'org.jdrupes.vmoperator.manager'
 include 'org.jdrupes.vmoperator.manager.events'
 include 'org.jdrupes.vmoperator.vmaccess'
-include 'org.jdrupes.vmoperator.vmconlet'
+include 'org.jdrupes.vmoperator.vmmgmt'
 include 'org.jdrupes.vmoperator.runner.qemu'
 include 'org.jdrupes.vmoperator.common'
 include 'org.jdrupes.vmoperator.util'

From 77cfcff2ed003d1b886cfa5b2482adf8bf477f2e Mon Sep 17 00:00:00 2001
From: "Michael N. Lipp" <mnl@mnl.de>
Date: Fri, 29 Nov 2024 14:17:13 +0100
Subject: [PATCH 051/274] Fix toString.

---
 .../src/org/jdrupes/vmoperator/common/VmPool.java            | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/org.jdrupes.vmoperator.common/src/org/jdrupes/vmoperator/common/VmPool.java b/org.jdrupes.vmoperator.common/src/org/jdrupes/vmoperator/common/VmPool.java
index 8da0a9f..5574653 100644
--- a/org.jdrupes.vmoperator.common/src/org/jdrupes/vmoperator/common/VmPool.java
+++ b/org.jdrupes.vmoperator.common/src/org/jdrupes/vmoperator/common/VmPool.java
@@ -93,9 +93,8 @@ public class VmPool {
         if (vms.size() <= 3) {
             builder.append(vms);
         } else {
-            builder.append('[');
-            vms.stream().limit(3).map(s -> s + ",").forEach(builder::append);
-            builder.append("...]");
+            builder.append('[').append(vms.stream().limit(3).map(s -> s + ",")
+                .collect(Collectors.joining())).append("...]");
         }
         builder.append(']');
         return builder.toString();

From 367aebeee596c17695aa6ded9096037428d56ac2 Mon Sep 17 00:00:00 2001
From: "Michael N. Lipp" <mnl@mnl.de>
Date: Sun, 1 Dec 2024 13:41:18 +0100
Subject: [PATCH 052/274] Pool configurable in GUI.

---
 .../org/jdrupes/vmoperator/common/VmPool.java |   2 +
 .../vmaccess/VmAccess-edit.ftl.html           |  38 +-
 .../vmoperator/vmaccess/l10n_de.properties    |   2 +-
 .../jdrupes/vmoperator/vmaccess/VmAccess.java | 339 ++++++++++++------
 .../vmaccess/browser/VmAccess-functions.ts    |  44 ++-
 .../vmaccess/browser/VmAccess-style.scss      |   5 +
 6 files changed, 296 insertions(+), 134 deletions(-)

diff --git a/org.jdrupes.vmoperator.common/src/org/jdrupes/vmoperator/common/VmPool.java b/org.jdrupes.vmoperator.common/src/org/jdrupes/vmoperator/common/VmPool.java
index 5574653..4b29adc 100644
--- a/org.jdrupes.vmoperator.common/src/org/jdrupes/vmoperator/common/VmPool.java
+++ b/org.jdrupes.vmoperator.common/src/org/jdrupes/vmoperator/common/VmPool.java
@@ -60,6 +60,8 @@ public class VmPool {
     }
 
     /**
+     * All permissions.
+     *
      * @return the permissions
      */
     public List<Grant> permissions() {
diff --git a/org.jdrupes.vmoperator.vmaccess/resources/org/jdrupes/vmoperator/vmaccess/VmAccess-edit.ftl.html b/org.jdrupes.vmoperator.vmaccess/resources/org/jdrupes/vmoperator/vmaccess/VmAccess-edit.ftl.html
index ba61399..1a10a7d 100644
--- a/org.jdrupes.vmoperator.vmaccess/resources/org/jdrupes/vmoperator/vmaccess/VmAccess-edit.ftl.html
+++ b/org.jdrupes.vmoperator.vmaccess/resources/org/jdrupes/vmoperator/vmaccess/VmAccess-edit.ftl.html
@@ -5,17 +5,33 @@
   data-jgwc-on-unload="JGConsole.jgwc.unmountVueApps">
   <form :id="formId" ref="formDom" onsubmit="return false;">
     <section>
-      <span>{{ localize("Select VM") }}</span>
-      <p>
-        <label>
-          <span>{{ localize("VM") }}</span>
-          <select v-model="vmNameInput">
-          <#list vmNames as name>
-            <option value="${name}">${name}</option>
-          </#list>
-          </select>
-        </label>
-      </p>
+      <fieldset>
+        <legend>{{ localize("Select VM or pool") }}</legend>
+        <ul>
+          <li>
+            <label>
+              <input v-model="resource" type="radio" name="resource" value="vm">
+              <span>{{ localize("VM") }}</span>
+              <select v-model="vmNameInput" :disabled="resource !== 'vm'">
+              <#list vmNames as name>
+                <option value="${name}">${name}</option>
+              </#list>
+              </select>
+            </label>
+          </li>
+          <li>
+            <label>
+              <input v-model="resource" type="radio" name="resource" value="pool">
+              <span>{{ localize("Pool") }}</span>
+              <select v-model="poolNameInput" :disabled="resource !== 'pool'">
+              <#list poolNames as name>
+                <option value="${name}">${name}</option>
+              </#list>
+              </select>
+            </label>
+          </li>
+        </ul>
+      </fieldset>
     </section>
   </form>  
 </div>
diff --git a/org.jdrupes.vmoperator.vmaccess/resources/org/jdrupes/vmoperator/vmaccess/l10n_de.properties b/org.jdrupes.vmoperator.vmaccess/resources/org/jdrupes/vmoperator/vmaccess/l10n_de.properties
index bcdc332..7d4ff23 100644
--- a/org.jdrupes.vmoperator.vmaccess/resources/org/jdrupes/vmoperator/vmaccess/l10n_de.properties
+++ b/org.jdrupes.vmoperator.vmaccess/resources/org/jdrupes/vmoperator/vmaccess/l10n_de.properties
@@ -1,7 +1,7 @@
 conletName = VM-Zugriff
 
 okayLabel = Anwenden und Schließen
-Select\ VM = VM auswählen
+Select\ VM\ or\ pool = VM oder Pool auswählen
 
 Start\ VM = VM starten
 Stop\ VM = VM anhalten
diff --git a/org.jdrupes.vmoperator.vmaccess/src/org/jdrupes/vmoperator/vmaccess/VmAccess.java b/org.jdrupes.vmoperator.vmaccess/src/org/jdrupes/vmoperator/vmaccess/VmAccess.java
index e1a41ef..f671e93 100644
--- a/org.jdrupes.vmoperator.vmaccess/src/org/jdrupes/vmoperator/vmaccess/VmAccess.java
+++ b/org.jdrupes.vmoperator.vmaccess/src/org/jdrupes/vmoperator/vmaccess/VmAccess.java
@@ -38,6 +38,7 @@ import java.time.Duration;
 import java.util.Base64;
 import java.util.Collections;
 import java.util.EnumSet;
+import java.util.HashMap;
 import java.util.HashSet;
 import java.util.List;
 import java.util.Map;
@@ -49,13 +50,14 @@ import java.util.stream.Collectors;
 import org.bouncycastle.util.Objects;
 import org.jdrupes.vmoperator.common.K8sObserver;
 import org.jdrupes.vmoperator.common.VmDefinition;
-import org.jdrupes.vmoperator.common.VmDefinition.Permission;
+import org.jdrupes.vmoperator.common.VmPool;
 import org.jdrupes.vmoperator.manager.events.ChannelTracker;
 import org.jdrupes.vmoperator.manager.events.GetDisplayPassword;
 import org.jdrupes.vmoperator.manager.events.ModifyVm;
 import org.jdrupes.vmoperator.manager.events.ResetVm;
 import org.jdrupes.vmoperator.manager.events.VmChannel;
 import org.jdrupes.vmoperator.manager.events.VmDefChanged;
+import org.jdrupes.vmoperator.manager.events.VmPoolChanged;
 import org.jgrapes.core.Channel;
 import org.jgrapes.core.Components;
 import org.jgrapes.core.Event;
@@ -107,7 +109,7 @@ import org.jgrapes.webconsole.base.freemarker.FreeMarkerConlet;
  */
 @SuppressWarnings({ "PMD.DataflowAnomalyAnalysis", "PMD.ExcessiveImports",
     "PMD.CouplingBetweenObjects", "PMD.GodClass", "PMD.TooManyMethods" })
-public class VmAccess extends FreeMarkerConlet<VmAccess.ViewerModel> {
+public class VmAccess extends FreeMarkerConlet<VmAccess.ResourceModel> {
 
     private static final String VM_NAME_PROPERTY = "vmName";
     private static final String RENDERED
@@ -126,6 +128,8 @@ public class VmAccess extends FreeMarkerConlet<VmAccess.ViewerModel> {
     private Set<String> syncUsers = Collections.emptySet();
     private Set<String> syncRoles = Collections.emptySet();
     private boolean deleteConnectionFile = true;
+    @SuppressWarnings("PMD.UseConcurrentHashMap")
+    private final Map<String, VmPool> vmPools = new HashMap<>();
 
     /**
      * The periodically generated update event.
@@ -247,20 +251,28 @@ public class VmAccess extends FreeMarkerConlet<VmAccess.ViewerModel> {
      * @throws InterruptedException the interrupted exception
      */
     @Handler
-    @SuppressWarnings("PMD.AvoidInstantiatingObjectsInLoops")
     public void onConsoleConfigured(ConsoleConfigured event,
             ConsoleConnection connection) throws InterruptedException,
             IOException {
         @SuppressWarnings("unchecked")
-        final var rendered = (Set<String>) connection.session().get(RENDERED);
+        final var rendered
+            = (Set<ResourceModel>) connection.session().get(RENDERED);
         connection.session().remove(RENDERED);
         if (!syncPreviews(connection.session())) {
             return;
         }
 
+        addMissingVms(event, connection, rendered);
+    }
+
+    @SuppressWarnings("PMD.AvoidInstantiatingObjectsInLoops")
+    private void addMissingVms(ConsoleConfigured event,
+            ConsoleConnection connection, final Set<ResourceModel> rendered) {
         boolean foundMissing = false;
         for (var vmName : accessibleVms(connection)) {
-            if (rendered.contains(vmName)) {
+            if (rendered.stream()
+                .anyMatch(r -> r.type() == ResourceModel.Type.VM
+                    && r.name().equals(vmName))) {
                 continue;
             }
             if (!foundMissing) {
@@ -300,13 +312,12 @@ public class VmAccess extends FreeMarkerConlet<VmAccess.ViewerModel> {
     }
 
     @Override
-    protected Optional<ViewerModel> createNewState(AddConletRequest event,
+    protected Optional<ResourceModel> createNewState(AddConletRequest event,
             ConsoleConnection connection, String conletId) throws Exception {
-        var model = new ViewerModel(conletId);
-        model.vmName = (String) event.properties().get(VM_NAME_PROPERTY);
-        if (model.vmName != null) {
-            model.setGenerated(true);
-        }
+        var model = new ResourceModel(conletId);
+        model.setType(ResourceModel.Type.VM);
+        model
+            .setName((String) event.properties().get(VM_NAME_PROPERTY));
         String jsonState = objectMapper.writeValueAsString(model);
         connection.respond(new KeyValueStoreUpdate().update(
             storagePath(connection.session(), model.getConletId()), jsonState));
@@ -314,9 +325,9 @@ public class VmAccess extends FreeMarkerConlet<VmAccess.ViewerModel> {
     }
 
     @Override
-    protected Optional<ViewerModel> createStateRepresentation(Event<?> event,
+    protected Optional<ResourceModel> createStateRepresentation(Event<?> event,
             ConsoleConnection connection, String conletId) throws Exception {
-        var model = new ViewerModel(conletId);
+        var model = new ResourceModel(conletId);
         String jsonState = objectMapper.writeValueAsString(model);
         connection.respond(new KeyValueStoreUpdate().update(
             storagePath(connection.session(), model.getConletId()), jsonState));
@@ -325,7 +336,7 @@ public class VmAccess extends FreeMarkerConlet<VmAccess.ViewerModel> {
 
     @Override
     @SuppressWarnings("PMD.EmptyCatchBlock")
-    protected Optional<ViewerModel> recreateState(Event<?> event,
+    protected Optional<ResourceModel> recreateState(Event<?> event,
             ConsoleConnection channel, String conletId) throws Exception {
         KeyValueStoreQuery query = new KeyValueStoreQuery(
             storagePath(channel.session(), conletId), channel);
@@ -334,8 +345,8 @@ public class VmAccess extends FreeMarkerConlet<VmAccess.ViewerModel> {
             if (!query.results().isEmpty()) {
                 var json = query.results().get(0).values().stream().findFirst()
                     .get();
-                ViewerModel model
-                    = objectMapper.readValue(json, ViewerModel.class);
+                ResourceModel model
+                    = objectMapper.readValue(json, ResourceModel.class);
                 return Optional.of(model);
             }
         } catch (InterruptedException e) {
@@ -347,58 +358,23 @@ public class VmAccess extends FreeMarkerConlet<VmAccess.ViewerModel> {
     }
 
     @Override
-    @SuppressWarnings({ "PMD.AvoidInstantiatingObjectsInLoops", "unchecked" })
+    @SuppressWarnings({ "PMD.AvoidInstantiatingObjectsInLoops" })
     protected Set<RenderMode> doRenderConlet(RenderConletRequestBase<?> event,
-            ConsoleConnection channel, String conletId, ViewerModel model)
+            ConsoleConnection channel, String conletId, ResourceModel model)
             throws Exception {
+        if (event.renderAs().contains(RenderMode.Preview)) {
+            return renderPreview(event, channel, conletId, model);
+        }
+
+        // Render edit
         ResourceBundle resourceBundle = resourceBundle(channel.locale());
         Set<RenderMode> renderedAs = EnumSet.noneOf(RenderMode.class);
-        if (event.renderAs().contains(RenderMode.Preview)) {
-            channel.associated(PENDING, Event.class)
-                .ifPresent(e -> {
-                    e.resumeHandling();
-                    channel.setAssociated(PENDING, null);
-                });
-
-            // Remove conlet if definition has been removed
-            if (model.vmName() != null
-                && !channelTracker.associated(model.vmName()).isPresent()) {
-                channel.respond(
-                    new DeleteConlet(conletId, Collections.emptySet()));
-                return Collections.emptySet();
-            }
-
-            // Don't render if user has not at least one permission
-            if (model.vmName() != null
-                && channelTracker.associated(model.vmName())
-                    .map(d -> permissions(d, channel.session()).isEmpty())
-                    .orElse(true)) {
-                return Collections.emptySet();
-            }
-
-            // Render
-            Template tpl
-                = freemarkerConfig().getTemplate("VmAccess-preview.ftl.html");
-            channel.respond(new RenderConlet(type(), conletId,
-                processTemplate(event, tpl,
-                    fmModel(event, channel, conletId, model)))
-                        .setRenderAs(
-                            RenderMode.Preview.addModifiers(event.renderAs()))
-                        .setSupportedModes(syncPreviews(channel.session())
-                            ? MODES_FOR_GENERATED
-                            : MODES));
-            renderedAs.add(RenderMode.Preview);
-            if (!Strings.isNullOrEmpty(model.vmName())) {
-                Optional.ofNullable(channel.session().get(RENDERED))
-                    .ifPresent(s -> ((Set<String>) s).add(model.vmName()));
-                updateConfig(channel, model);
-            }
-        }
         if (event.renderAs().contains(RenderMode.Edit)) {
             Template tpl = freemarkerConfig()
                 .getTemplate("VmAccess-edit.ftl.html");
             var fmModel = fmModel(event, channel, conletId, model);
             fmModel.put("vmNames", accessibleVms(channel));
+            fmModel.put("poolNames", accessiblePools(channel));
             channel.respond(new OpenModalDialog(type(), conletId,
                 processTemplate(event, tpl, fmModel))
                     .addOption("cancelable", true)
@@ -408,13 +384,69 @@ public class VmAccess extends FreeMarkerConlet<VmAccess.ViewerModel> {
         return renderedAs;
     }
 
+    @SuppressWarnings("unchecked")
+    private Set<RenderMode> renderPreview(RenderConletRequestBase<?> event,
+            ConsoleConnection channel, String conletId, ResourceModel model)
+            throws TemplateNotFoundException, MalformedTemplateNameException,
+            ParseException, IOException {
+        channel.associated(PENDING, Event.class)
+            .ifPresent(e -> {
+                e.resumeHandling();
+                channel.setAssociated(PENDING, null);
+            });
+
+        if (model.type() == ResourceModel.Type.VM && model.name() != null) {
+            // Remove conlet if VM definition has been removed
+            // or user has not at least one permission
+            Optional<VmDefinition> vmDef
+                = channelTracker.associated(model.name());
+            if (vmDef.isEmpty()
+                || vmPermissions(vmDef.get(), channel.session()).isEmpty()) {
+                channel.respond(
+                    new DeleteConlet(conletId, Collections.emptySet()));
+                return Collections.emptySet();
+            }
+        }
+
+        if (model.type() == ResourceModel.Type.POOL && model.name() != null) {
+            // Remove conlet if pool definition has been removed
+            // or user has not at least one permission
+            VmPool pool = vmPools.get(model.name());
+            if (pool == null
+                || poolPermissions(pool, channel.session()).isEmpty()) {
+                channel.respond(
+                    new DeleteConlet(conletId, Collections.emptySet()));
+                return Collections.emptySet();
+            }
+        }
+
+        // Render
+        Template tpl
+            = freemarkerConfig().getTemplate("VmAccess-preview.ftl.html");
+        channel.respond(new RenderConlet(type(), conletId,
+            processTemplate(event, tpl,
+                fmModel(event, channel, conletId, model)))
+                    .setRenderAs(
+                        RenderMode.Preview.addModifiers(event.renderAs()))
+                    .setSupportedModes(syncPreviews(channel.session())
+                        ? MODES_FOR_GENERATED
+                        : MODES));
+        if (!Strings.isNullOrEmpty(model.name())) {
+            Optional.ofNullable(channel.session().get(RENDERED))
+                .ifPresent(s -> ((Set<ResourceModel>) s).add(model));
+            updateConfig(channel, model);
+        }
+        return EnumSet.of(RenderMode.Preview);
+    }
+
     private List<String> accessibleVms(ConsoleConnection channel) {
         return channelTracker.associated().stream()
-            .filter(d -> !permissions(d, channel.session()).isEmpty())
+            .filter(d -> !vmPermissions(d, channel.session()).isEmpty())
             .map(d -> d.getMetadata().getName()).sorted().toList();
     }
 
-    private Set<Permission> permissions(VmDefinition vmDef, Session session) {
+    private Set<VmDefinition.Permission> vmPermissions(VmDefinition vmDef,
+            Session session) {
         var user = WebConsoleUtils.userFromSession(session)
             .map(ConsoleUser::getName).orElse(null);
         var roles = WebConsoleUtils.rolesFromSession(session)
@@ -422,17 +454,32 @@ public class VmAccess extends FreeMarkerConlet<VmAccess.ViewerModel> {
         return vmDef.permissionsFor(user, roles);
     }
 
-    private void updateConfig(ConsoleConnection channel, ViewerModel model) {
+    private List<String> accessiblePools(ConsoleConnection channel) {
+        return vmPools.values().stream()
+            .filter(d -> !poolPermissions(d, channel.session()).isEmpty())
+            .map(d -> d.name()).sorted().toList();
+    }
+
+    private Set<VmPool.Permission> poolPermissions(VmPool pool,
+            Session session) {
+        var user = WebConsoleUtils.userFromSession(session)
+            .map(ConsoleUser::getName).orElse(null);
+        var roles = WebConsoleUtils.rolesFromSession(session)
+            .stream().map(ConsoleRole::getName).toList();
+        return pool.permissionsFor(user, roles);
+    }
+
+    private void updateConfig(ConsoleConnection channel, ResourceModel model) {
         channel.respond(new NotifyConletView(type(),
-            model.getConletId(), "updateConfig", model.vmName()));
+            model.getConletId(), "updateConfig", model.type(), model.name()));
         updateVmDef(channel, model);
     }
 
-    private void updateVmDef(ConsoleConnection channel, ViewerModel model) {
-        if (Strings.isNullOrEmpty(model.vmName())) {
+    private void updateVmDef(ConsoleConnection channel, ResourceModel model) {
+        if (Strings.isNullOrEmpty(model.name())) {
             return;
         }
-        channelTracker.value(model.vmName()).ifPresent(item -> {
+        channelTracker.value(model.name()).ifPresent(item -> {
             try {
                 var vmDef = item.associated();
                 var data = Map.of("metadata",
@@ -441,8 +488,8 @@ public class VmAccess extends FreeMarkerConlet<VmAccess.ViewerModel> {
                     "spec", vmDef.spec(),
                     "status", vmDef.getStatus(),
                     "userPermissions",
-                    permissions(vmDef, channel.session()).stream()
-                        .map(Permission::toString).toList());
+                    vmPermissions(vmDef, channel.session()).stream()
+                        .map(VmDefinition.Permission::toString).toList());
                 channel.respond(new NotifyConletView(type(),
                     model.getConletId(), "updateVmDefinition", data));
             } catch (JsonSyntaxException e) {
@@ -454,7 +501,8 @@ public class VmAccess extends FreeMarkerConlet<VmAccess.ViewerModel> {
 
     @Override
     protected void doConletDeleted(ConletDeleted event,
-            ConsoleConnection channel, String conletId, ViewerModel conletState)
+            ConsoleConnection channel, String conletId,
+            ResourceModel conletState)
             throws Exception {
         if (event.renderModes().isEmpty()) {
             channel.respond(new KeyValueStoreUpdate().delete(
@@ -487,7 +535,7 @@ public class VmAccess extends FreeMarkerConlet<VmAccess.ViewerModel> {
             for (var conletId : entry.getValue()) {
                 var model = stateFromSession(connection.session(), conletId);
                 if (model.isEmpty()
-                    || !Objects.areEqual(model.get().vmName(), vmName)) {
+                    || !Objects.areEqual(model.get().name(), vmName)) {
                     continue;
                 }
                 if (event.type() == K8sObserver.ResponseType.DELETED) {
@@ -500,21 +548,36 @@ public class VmAccess extends FreeMarkerConlet<VmAccess.ViewerModel> {
         }
     }
 
+    /**
+     * On vm pool changed.
+     *
+     * @param event the event
+     * @param channel the channel
+     */
+    @Handler(namedChannels = "manager")
+    public void onVmPoolChanged(VmPoolChanged event) {
+        if (event.deleted()) {
+            vmPools.remove(event.vmPool().name());
+            return;
+        }
+        vmPools.put(event.vmPool().name(), event.vmPool());
+    }
+
     @Override
     @SuppressWarnings({ "PMD.AvoidDecimalLiteralsInBigDecimalConstructor",
         "PMD.ConfusingArgumentToVarargsMethod", "PMD.NcssCount",
         "PMD.AvoidLiteralsInIfCondition" })
     protected void doUpdateConletState(NotifyConletModel event,
-            ConsoleConnection channel, ViewerModel model)
+            ConsoleConnection channel, ResourceModel model)
             throws Exception {
         event.stop();
-        if ("selectedVm".equals(event.method())) {
-            selectVm(event, channel, model);
+        if ("selectedResource".equals(event.method())) {
+            selectResource(event, channel, model);
             return;
         }
 
         // Handle command for selected VM
-        var both = Optional.ofNullable(model.vmName())
+        var both = Optional.ofNullable(model.name())
             .flatMap(vm -> channelTracker.value(vm));
         if (both.isEmpty()) {
             return;
@@ -522,31 +585,31 @@ public class VmAccess extends FreeMarkerConlet<VmAccess.ViewerModel> {
         var vmChannel = both.get().channel();
         var vmDef = both.get().associated();
         var vmName = vmDef.metadata().getName();
-        var perms = permissions(vmDef, channel.session());
+        var perms = vmPermissions(vmDef, channel.session());
         var resourceBundle = resourceBundle(channel.locale());
         switch (event.method()) {
         case "start":
-            if (perms.contains(Permission.START)) {
+            if (perms.contains(VmDefinition.Permission.START)) {
                 fire(new ModifyVm(vmName, "state", "Running", vmChannel));
             }
             break;
         case "stop":
-            if (perms.contains(Permission.STOP)) {
+            if (perms.contains(VmDefinition.Permission.STOP)) {
                 fire(new ModifyVm(vmName, "state", "Stopped", vmChannel));
             }
             break;
         case "reset":
-            if (perms.contains(Permission.RESET)) {
+            if (perms.contains(VmDefinition.Permission.RESET)) {
                 confirmReset(event, channel, model, resourceBundle);
             }
             break;
         case "resetConfirmed":
-            if (perms.contains(Permission.RESET)) {
+            if (perms.contains(VmDefinition.Permission.RESET)) {
                 fire(new ResetVm(vmName), vmChannel);
             }
             break;
         case "openConsole":
-            if (perms.contains(Permission.ACCESS_CONSOLE)) {
+            if (perms.contains(VmDefinition.Permission.ACCESS_CONSOLE)) {
                 var user = WebConsoleUtils.userFromSession(channel.session())
                     .map(ConsoleUser::getName).orElse("");
                 var pwQuery
@@ -561,17 +624,26 @@ public class VmAccess extends FreeMarkerConlet<VmAccess.ViewerModel> {
         }
     }
 
-    private void selectVm(NotifyConletModel event, ConsoleConnection channel,
-            ViewerModel model) throws JsonProcessingException {
-        model.setVmName(event.param(0));
-        String jsonState = objectMapper.writeValueAsString(model);
-        channel.respond(new KeyValueStoreUpdate().update(storagePath(
-            channel.session(), model.getConletId()), jsonState));
-        updateConfig(channel, model);
+    @SuppressWarnings({ "PMD.AvoidLiteralsInIfCondition",
+        "PMD.UseLocaleWithCaseConversions" })
+    private void selectResource(NotifyConletModel event,
+            ConsoleConnection channel, ResourceModel model)
+            throws JsonProcessingException {
+        try {
+            model.setType(ResourceModel.Type
+                .valueOf(event.<String> param(0).toUpperCase()));
+            model.setName(event.param(1));
+            String jsonState = objectMapper.writeValueAsString(model);
+            channel.respond(new KeyValueStoreUpdate().update(storagePath(
+                channel.session(), model.getConletId()), jsonState));
+            updateConfig(channel, model);
+        } catch (IllegalArgumentException e) {
+            logger.warning(() -> "Invalid resource type: " + e.getMessage());
+        }
     }
 
     private void openConsole(String vmName, ConsoleConnection connection,
-            ViewerModel model, String password) {
+            ResourceModel model, String password) {
         var vmDef = channelTracker.associated(vmName).orElse(null);
         if (vmDef == null) {
             return;
@@ -642,7 +714,7 @@ public class VmAccess extends FreeMarkerConlet<VmAccess.ViewerModel> {
     }
 
     private void confirmReset(NotifyConletModel event,
-            ConsoleConnection channel, ViewerModel model,
+            ConsoleConnection channel, ResourceModel model,
             ResourceBundle resourceBundle) throws TemplateNotFoundException,
             MalformedTemplateNameException, ParseException, IOException {
         Template tpl = freemarkerConfig()
@@ -662,58 +734,97 @@ public class VmAccess extends FreeMarkerConlet<VmAccess.ViewerModel> {
     }
 
     /**
-     * The Class VmsModel.
+     * The Class AccessModel.
      */
     @SuppressWarnings("PMD.DataClass")
-    public static class ViewerModel extends ConletBaseModel {
-
-        private String vmName;
-        private boolean generated;
+    public static class ResourceModel extends ConletBaseModel {
 
         /**
-         * Instantiates a new vms model.
+         * The Enum ResourceType.
+         */
+        @SuppressWarnings("PMD.ShortVariable")
+        public enum Type {
+            VM, POOL
+        }
+
+        private Type type;
+        private String name;
+
+        /**
+         * Instantiates a new resource model.
          *
          * @param conletId the conlet id
          */
-        public ViewerModel(@JsonProperty("conletId") String conletId) {
+        public ResourceModel(@JsonProperty("conletId") String conletId) {
             super(conletId);
         }
 
         /**
-         * Gets the vm name.
+         * Gets the resource name.
          *
-         * @return the vmName
+         * @return the string
          */
-        @JsonGetter("vmName")
-        public String vmName() {
-            return vmName;
+        @JsonGetter("name")
+        public String name() {
+            return name;
         }
 
         /**
-         * Sets the vm name.
+         * Sets the name.
          *
-         * @param vmName the vmName to set
+         * @param name the resource name to set
          */
-        public void setVmName(String vmName) {
-            this.vmName = vmName;
+        public void setName(String name) {
+            this.name = name;
         }
 
         /**
-         * Checks if is generated.
-         *
-         * @return the generated
+         * @return the resourceType
          */
-        public boolean isGenerated() {
-            return generated;
+        @JsonGetter("type")
+        public Type type() {
+            return type;
         }
 
         /**
-         * Sets the generated.
+         * Sets the type.
          *
-         * @param generated the generated to set
+         * @param type the resource type to set
          */
-        public void setGenerated(boolean generated) {
-            this.generated = generated;
+        public void setType(Type type) {
+            this.type = type;
+        }
+
+        @Override
+        public int hashCode() {
+            final int prime = 31;
+            int result = super.hashCode();
+            result = prime * result + java.util.Objects.hash(name, type);
+            return result;
+        }
+
+        @Override
+        public boolean equals(Object obj) {
+            if (this == obj) {
+                return true;
+            }
+            if (!super.equals(obj)) {
+                return false;
+            }
+            if (getClass() != obj.getClass()) {
+                return false;
+            }
+            ResourceModel other = (ResourceModel) obj;
+            return java.util.Objects.equals(name, other.name)
+                && type == other.type;
+        }
+
+        @Override
+        public String toString() {
+            StringBuilder builder = new StringBuilder(50);
+            builder.append("AccessModel [resourceType=").append(type)
+                .append(", resourceName=").append(name).append(']');
+            return builder.toString();
         }
 
     }
diff --git a/org.jdrupes.vmoperator.vmaccess/src/org/jdrupes/vmoperator/vmaccess/browser/VmAccess-functions.ts b/org.jdrupes.vmoperator.vmaccess/src/org/jdrupes/vmoperator/vmaccess/browser/VmAccess-functions.ts
index fb52353..c5f3da0 100644
--- a/org.jdrupes.vmoperator.vmaccess/src/org/jdrupes/vmoperator/vmaccess/browser/VmAccess-functions.ts
+++ b/org.jdrupes.vmoperator.vmaccess/src/org/jdrupes/vmoperator/vmaccess/browser/VmAccess-functions.ts
@@ -44,6 +44,7 @@ interface Api {
     /* eslint-disable @typescript-eslint/no-explicit-any */
     vmName: string;
     vmDefinition: any;
+    poolName: string;
 }
 
 const localize = (key: string) => {
@@ -62,7 +63,8 @@ window.orgJDrupesVmOperatorVmAccess.initPreview = (previewDom: HTMLElement,
 
             const previewApi: Api = reactive({
                 vmName: "",
-                vmDefinition: {}
+                vmDefinition: {},
+                poolName: ""
             });
             const configured = computed(() => previewApi.vmDefinition.spec);
             const startable = computed(() => previewApi.vmDefinition.spec &&
@@ -76,7 +78,8 @@ window.orgJDrupesVmOperatorVmAccess.initPreview = (previewDom: HTMLElement,
             const permissions = computed(() => previewApi.vmDefinition.spec
                 ? previewApi.vmDefinition.userPermissions : []);
 
-            watch(() => previewApi.vmName, (name: string) => {
+            watch(previewApi, (api: Api) => {
+                const name = api.vmName || api.poolName;
                 if (name !== "") {
                     JGConsole.instance.updateConletTitle(conletId, name);
                 }
@@ -139,14 +142,21 @@ window.orgJDrupesVmOperatorVmAccess.initPreview = (previewDom: HTMLElement,
 };
 
 JGConsole.registerConletFunction("org.jdrupes.vmoperator.vmaccess.VmAccess",
-    "updateConfig", function(conletId: string, vmName: string) {
+    "updateConfig",
+    function(conletId: string, type: string, resource: string) {
         const conlet = JGConsole.findConletPreview(conletId);
         if (!conlet) {
             return;
         }
         const api = getApi<Api>(conlet.element().querySelector(
             ":scope .jdrupes-vmoperator-vmaccess-preview"))!;
-        api.vmName = vmName;
+        if (type === "VM") {
+            api.vmName = resource;
+            api.poolName = "";
+        } else {
+            api.poolName = resource;
+            api.vmName = "";
+        }
     });
 
 JGConsole.registerConletFunction("org.jdrupes.vmoperator.vmaccess.VmAccess",
@@ -203,19 +213,36 @@ window.orgJDrupesVmOperatorVmAccess.initEdit = (dialogDom: HTMLElement,
                     l10nBundles, JGWC.lang()!, key);
             };
 
+            const resource = ref<string>("vm");
             const vmNameInput = ref<string>("");
+            const poolNameInput = ref<string>("");
+            
+            watch(resource, (resource: string) => {
+                if (resource === "vm") {
+                    poolNameInput.value = "";
+                }
+                if (resource === "pool")
+                    vmNameInput.value = "";
+            });
+            
             const conletId = (<HTMLElement>dialogDom.closest(
                 "[data-conlet-id]")!).dataset["conletId"]!;
             const conlet = JGConsole.findConletPreview(conletId);
             if (conlet) {
                 const api = getApi<Api>(conlet.element().querySelector(
                     ":scope .jdrupes-vmoperator-vmaccess-preview"))!;
+                if (api.poolName) {
+                    resource.value = "pool";
+                }
                 vmNameInput.value = api.vmName;
+                poolNameInput.value = api.poolName;
             }
 
-            provideApi(dialogDom, vmNameInput);
+            provideApi(dialogDom, { resource: () => resource.value,
+                name: () => resource.value === "vm"
+                    ? vmNameInput.value : poolNameInput.value });
                         
-            return { formId, localize, vmNameInput };
+            return { formId, localize, resource, vmNameInput, poolNameInput };
         }
     });
     app.use(JgwcPlugin);
@@ -229,8 +256,9 @@ window.orgJDrupesVmOperatorVmAccess.applyEdit =
     }
     const conletId = (<HTMLElement>dialogDom.closest("[data-conlet-id]")!)
         .dataset["conletId"]!;
-    const vmName = getApi<ref<string>>(dialogDom!)!.value;
-    JGConsole.notifyConletModel(conletId, "selectedVm", vmName);
+    const editApi = getApi<ref<string>>(dialogDom!)!;
+    JGConsole.notifyConletModel(conletId, "selectedResource", editApi.resource(),
+        editApi.name());
 }
 
 window.orgJDrupesVmOperatorVmAccess.confirmReset = 
diff --git a/org.jdrupes.vmoperator.vmaccess/src/org/jdrupes/vmoperator/vmaccess/browser/VmAccess-style.scss b/org.jdrupes.vmoperator.vmaccess/src/org/jdrupes/vmoperator/vmaccess/browser/VmAccess-style.scss
index 547dc74..cf0fb56 100644
--- a/org.jdrupes.vmoperator.vmaccess/src/org/jdrupes/vmoperator/vmaccess/browser/VmAccess-style.scss
+++ b/org.jdrupes.vmoperator.vmaccess/src/org/jdrupes/vmoperator/vmaccess/browser/VmAccess-style.scss
@@ -77,6 +77,11 @@
 }
 
 .jdrupes-vmoperator-vmaccess.jdrupes-vmoperator-vmaccess-edit {
+  
+  fieldset ul li {
+    margin-top: 0.5em;
+  }
+  
   select {
     width: 15em;
   }

From 2dc93f1370debfa03f93db5be5be6e7201ac1280 Mon Sep 17 00:00:00 2001
From: "Michael N. Lipp" <mnl@mnl.de>
Date: Sun, 1 Dec 2024 14:21:25 +0100
Subject: [PATCH 053/274] Unify permission usage.

---
 .../vmoperator/common/VmDefinition.java       | 23 +++++-
 .../org/jdrupes/vmoperator/common/VmPool.java | 71 +------------------
 .../vmoperator/manager/PoolManager.java       |  3 +-
 .../jdrupes/vmoperator/vmaccess/VmAccess.java | 44 +++++++++---
 4 files changed, 63 insertions(+), 78 deletions(-)

diff --git a/org.jdrupes.vmoperator.common/src/org/jdrupes/vmoperator/common/VmDefinition.java b/org.jdrupes.vmoperator.common/src/org/jdrupes/vmoperator/common/VmDefinition.java
index 71ea7f1..bab0802 100644
--- a/org.jdrupes.vmoperator.common/src/org/jdrupes/vmoperator/common/VmDefinition.java
+++ b/org.jdrupes.vmoperator.common/src/org/jdrupes/vmoperator/common/VmDefinition.java
@@ -94,6 +94,28 @@ public class VmDefinition {
         }
     }
 
+    /**
+     * Permissions granted to a user or role.
+     *
+     * @param user the user
+     * @param role the role
+     * @param may the may
+     */
+    public record Grant(String user, String role, Set<Permission> may) {
+
+        @Override
+        public String toString() {
+            StringBuilder builder = new StringBuilder();
+            if (user != null) {
+                builder.append("User ").append(user);
+            } else {
+                builder.append("Role ").append(role);
+            }
+            builder.append(" may=").append(may).append(']');
+            return builder.toString();
+        }
+    }
+
     /**
      * Gets the kind.
      *
@@ -292,7 +314,6 @@ public class VmDefinition {
      * @return the string
      */
     public RequestedVmState vmState() {
-        // TODO
         return fromVm("state")
             .map(s -> "Running".equals(s) ? RequestedVmState.RUNNING
                 : RequestedVmState.STOPPED)
diff --git a/org.jdrupes.vmoperator.common/src/org/jdrupes/vmoperator/common/VmPool.java b/org.jdrupes.vmoperator.common/src/org/jdrupes/vmoperator/common/VmPool.java
index 4b29adc..07e0616 100644
--- a/org.jdrupes.vmoperator.common/src/org/jdrupes/vmoperator/common/VmPool.java
+++ b/org.jdrupes.vmoperator.common/src/org/jdrupes/vmoperator/common/VmPool.java
@@ -20,14 +20,13 @@ package org.jdrupes.vmoperator.common;
 
 import java.util.Collection;
 import java.util.Collections;
-import java.util.EnumSet;
-import java.util.HashMap;
 import java.util.HashSet;
 import java.util.List;
-import java.util.Map;
 import java.util.Set;
 import java.util.function.Function;
 import java.util.stream.Collectors;
+import org.jdrupes.vmoperator.common.VmDefinition.Grant;
+import org.jdrupes.vmoperator.common.VmDefinition.Permission;
 import org.jdrupes.vmoperator.util.DataPath;
 
 /**
@@ -60,7 +59,7 @@ public class VmPool {
     }
 
     /**
-     * All permissions.
+     * Permissions granted for a VM from the pool.
      *
      * @return the permissions
      */
@@ -120,68 +119,4 @@ public class VmPool {
             .flatMap(Function.identity()).collect(Collectors.toSet());
     }
 
-    /**
-     * A permission grant to a user or role.
-     *
-     * @param user the user
-     * @param role the role
-     * @param may the may
-     */
-    public record Grant(String user, String role, Set<Permission> may) {
-
-        @Override
-        public String toString() {
-            StringBuilder builder = new StringBuilder();
-            if (user != null) {
-                builder.append("User ").append(user);
-            } else {
-                builder.append("Role ").append(role);
-            }
-            builder.append(" may=").append(may).append(']');
-            return builder.toString();
-        }
-    }
-
-    /**
-     * Permissions for accessing and manipulating the pool.
-     */
-    public enum Permission {
-        START("start"), STOP("stop"), RESET("reset"),
-        ACCESS_CONSOLE("accessConsole");
-
-        @SuppressWarnings("PMD.UseConcurrentHashMap")
-        private static Map<String, Permission> reprs = new HashMap<>();
-
-        static {
-            for (var value : EnumSet.allOf(Permission.class)) {
-                reprs.put(value.repr, value);
-            }
-        }
-
-        private final String repr;
-
-        Permission(String repr) {
-            this.repr = repr;
-        }
-
-        /**
-         * Create permission from representation in CRD.
-         *
-         * @param value the value
-         * @return the permission
-         */
-        @SuppressWarnings("PMD.AvoidLiteralsInIfCondition")
-        public static Set<Permission> parse(String value) {
-            if ("*".equals(value)) {
-                return EnumSet.allOf(Permission.class);
-            }
-            return Set.of(reprs.get(value));
-        }
-
-        @Override
-        public String toString() {
-            return repr;
-        }
-    }
-
 }
diff --git a/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/PoolManager.java b/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/PoolManager.java
index fb1de27..7bc455d 100644
--- a/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/PoolManager.java
+++ b/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/PoolManager.java
@@ -142,9 +142,10 @@ public class PoolManager extends
         V1ObjectMeta metadata = response.object.getMetadata();
         vmPool.setName(metadata.getName());
 
-        // If modified, merge changes
+        // If modified, merge changes and notify
         if (type == ResponseType.MODIFIED && pools.containsKey(poolName)) {
             pools.get(poolName).setPermissions(vmPool.permissions());
+            poolPipeline.fire(new VmPoolChanged(vmPool));
             return;
         }
 
diff --git a/org.jdrupes.vmoperator.vmaccess/src/org/jdrupes/vmoperator/vmaccess/VmAccess.java b/org.jdrupes.vmoperator.vmaccess/src/org/jdrupes/vmoperator/vmaccess/VmAccess.java
index f671e93..4f4ef53 100644
--- a/org.jdrupes.vmoperator.vmaccess/src/org/jdrupes/vmoperator/vmaccess/VmAccess.java
+++ b/org.jdrupes.vmoperator.vmaccess/src/org/jdrupes/vmoperator/vmaccess/VmAccess.java
@@ -50,6 +50,7 @@ import java.util.stream.Collectors;
 import org.bouncycastle.util.Objects;
 import org.jdrupes.vmoperator.common.K8sObserver;
 import org.jdrupes.vmoperator.common.VmDefinition;
+import org.jdrupes.vmoperator.common.VmDefinition.Permission;
 import org.jdrupes.vmoperator.common.VmPool;
 import org.jdrupes.vmoperator.manager.events.ChannelTracker;
 import org.jdrupes.vmoperator.manager.events.GetDisplayPassword;
@@ -108,7 +109,8 @@ import org.jgrapes.webconsole.base.freemarker.FreeMarkerConlet;
  *
  */
 @SuppressWarnings({ "PMD.DataflowAnomalyAnalysis", "PMD.ExcessiveImports",
-    "PMD.CouplingBetweenObjects", "PMD.GodClass", "PMD.TooManyMethods" })
+    "PMD.CouplingBetweenObjects", "PMD.GodClass", "PMD.TooManyMethods",
+    "PMD.CyclomaticComplexity" })
 public class VmAccess extends FreeMarkerConlet<VmAccess.ResourceModel> {
 
     private static final String VM_NAME_PROPERTY = "vmName";
@@ -265,7 +267,8 @@ public class VmAccess extends FreeMarkerConlet<VmAccess.ResourceModel> {
         addMissingVms(event, connection, rendered);
     }
 
-    @SuppressWarnings("PMD.AvoidInstantiatingObjectsInLoops")
+    @SuppressWarnings({ "PMD.AvoidInstantiatingObjectsInLoops",
+        "PMD.AvoidDuplicateLiterals" })
     private void addMissingVms(ConsoleConfigured event,
             ConsoleConnection connection, final Set<ResourceModel> rendered) {
         boolean foundMissing = false;
@@ -445,7 +448,7 @@ public class VmAccess extends FreeMarkerConlet<VmAccess.ResourceModel> {
             .map(d -> d.getMetadata().getName()).sorted().toList();
     }
 
-    private Set<VmDefinition.Permission> vmPermissions(VmDefinition vmDef,
+    private Set<Permission> vmPermissions(VmDefinition vmDef,
             Session session) {
         var user = WebConsoleUtils.userFromSession(session)
             .map(ConsoleUser::getName).orElse(null);
@@ -460,7 +463,7 @@ public class VmAccess extends FreeMarkerConlet<VmAccess.ResourceModel> {
             .map(d -> d.name()).sorted().toList();
     }
 
-    private Set<VmPool.Permission> poolPermissions(VmPool pool,
+    private Set<Permission> poolPermissions(VmPool pool,
             Session session) {
         var user = WebConsoleUtils.userFromSession(session)
             .map(ConsoleUser::getName).orElse(null);
@@ -530,15 +533,19 @@ public class VmAccess extends FreeMarkerConlet<VmAccess.ResourceModel> {
         } else {
             channelTracker.put(vmName, channel, vmDef);
         }
+
+        // Update known conlets
         for (var entry : conletIdsByConsoleConnection().entrySet()) {
             var connection = entry.getKey();
             for (var conletId : entry.getValue()) {
                 var model = stateFromSession(connection.session(), conletId);
                 if (model.isEmpty()
+                    || model.get().type() != ResourceModel.Type.VM
                     || !Objects.areEqual(model.get().name(), vmName)) {
                     continue;
                 }
-                if (event.type() == K8sObserver.ResponseType.DELETED) {
+                if (event.type() == K8sObserver.ResponseType.DELETED
+                    || vmPermissions(vmDef, connection.session()).isEmpty()) {
                     connection.respond(
                         new DeleteConlet(conletId, Collections.emptySet()));
                 } else {
@@ -555,12 +562,33 @@ public class VmAccess extends FreeMarkerConlet<VmAccess.ResourceModel> {
      * @param channel the channel
      */
     @Handler(namedChannels = "manager")
+    @SuppressWarnings("PMD.AvoidInstantiatingObjectsInLoops")
     public void onVmPoolChanged(VmPoolChanged event) {
+        var poolName = event.vmPool().name();
         if (event.deleted()) {
-            vmPools.remove(event.vmPool().name());
-            return;
+            vmPools.remove(poolName);
+        } else {
+            vmPools.put(poolName, event.vmPool());
+        }
+
+        // Update known conlets
+        for (var entry : conletIdsByConsoleConnection().entrySet()) {
+            var connection = entry.getKey();
+            for (var conletId : entry.getValue()) {
+                var model = stateFromSession(connection.session(), conletId);
+                if (model.isEmpty()
+                    || model.get().type() != ResourceModel.Type.POOL
+                    || !Objects.areEqual(model.get().name(), poolName)) {
+                    continue;
+                }
+                if (event.deleted()
+                    || poolPermissions(event.vmPool(), connection.session())
+                        .isEmpty()) {
+                    connection.respond(
+                        new DeleteConlet(conletId, Collections.emptySet()));
+                }
+            }
         }
-        vmPools.put(event.vmPool().name(), event.vmPool());
     }
 
     @Override

From c3428ea4a5912e2b5bba46880f9435caf97a1cef Mon Sep 17 00:00:00 2001
From: "Michael N. Lipp" <mnl@mnl.de>
Date: Sun, 1 Dec 2024 14:22:18 +0100
Subject: [PATCH 054/274] Rename pool manager to monitor.

---
 .../src/org/jdrupes/vmoperator/manager/Controller.java        | 2 +-
 .../vmoperator/manager/{PoolManager.java => PoolMonitor.java} | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)
 rename org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/{PoolManager.java => PoolMonitor.java} (98%)

diff --git a/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/Controller.java b/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/Controller.java
index d847785..1ef17f7 100644
--- a/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/Controller.java
+++ b/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/Controller.java
@@ -106,7 +106,7 @@ public class Controller extends Component {
         // to access the VM's console. Might change in the future.
         // attach(new ServiceMonitor(channel()).channelManager(chanMgr));
         attach(new Reconciler(channel()));
-        attach(new PoolManager(channel()));
+        attach(new PoolMonitor(channel()));
     }
 
     /**
diff --git a/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/PoolManager.java b/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/PoolMonitor.java
similarity index 98%
rename from org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/PoolManager.java
rename to org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/PoolMonitor.java
index 7bc455d..49c708d 100644
--- a/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/PoolManager.java
+++ b/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/PoolMonitor.java
@@ -53,7 +53,7 @@ import org.jgrapes.core.events.Attached;
  * avoid concurrent change informations.
  */
 @SuppressWarnings({ "PMD.DataflowAnomalyAnalysis", "PMD.ExcessiveImports" })
-public class PoolManager extends
+public class PoolMonitor extends
         AbstractMonitor<K8sDynamicModel, K8sDynamicModels, Channel> {
 
     private final ReentrantLock pendingLock = new ReentrantLock();
@@ -67,7 +67,7 @@ public class PoolManager extends
      * @param componentChannel the component channel
      * @param channelManager the channel manager
      */
-    public PoolManager(Channel componentChannel) {
+    public PoolMonitor(Channel componentChannel) {
         super(componentChannel, K8sDynamicModel.class,
             K8sDynamicModels.class);
     }

From 84ac4bb28c4ab8d82f23042bd029c02afd369b5d Mon Sep 17 00:00:00 2001
From: "Michael N. Lipp" <mnl@mnl.de>
Date: Sun, 1 Dec 2024 16:43:35 +0100
Subject: [PATCH 055/274] Add hashCode and equals.

---
 .../vmoperator/common/VmDefinition.java       | 24 +++++++++++++++++++
 1 file changed, 24 insertions(+)

diff --git a/org.jdrupes.vmoperator.common/src/org/jdrupes/vmoperator/common/VmDefinition.java b/org.jdrupes.vmoperator.common/src/org/jdrupes/vmoperator/common/VmDefinition.java
index bab0802..7545405 100644
--- a/org.jdrupes.vmoperator.common/src/org/jdrupes/vmoperator/common/VmDefinition.java
+++ b/org.jdrupes.vmoperator.common/src/org/jdrupes/vmoperator/common/VmDefinition.java
@@ -25,6 +25,7 @@ import java.util.EnumSet;
 import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
+import java.util.Objects;
 import java.util.Optional;
 import java.util.Set;
 import java.util.concurrent.ConcurrentHashMap;
@@ -350,4 +351,27 @@ public class VmDefinition {
         return this.<Number> fromStatus("displayPasswordSerial")
             .map(Number::longValue);
     }
+
+    @Override
+    public int hashCode() {
+        return Objects.hash(metadata.getNamespace(), metadata.getName());
+    }
+
+    @Override
+    public boolean equals(Object obj) {
+        if (this == obj) {
+            return true;
+        }
+        if (obj == null) {
+            return false;
+        }
+        if (getClass() != obj.getClass()) {
+            return false;
+        }
+        VmDefinition other = (VmDefinition) obj;
+        return Objects.equals(metadata.getNamespace(),
+            other.metadata.getNamespace())
+            && Objects.equals(metadata.getName(), other.metadata.getName());
+    }
+
 }

From db7fbe2b7c22d1c0ee285c1fbc30ea17a0ea828c Mon Sep 17 00:00:00 2001
From: "Michael N. Lipp" <mnl@mnl.de>
Date: Mon, 2 Dec 2024 12:18:41 +0100
Subject: [PATCH 056/274] Cleanup CR deletion.

---
 .../jdrupes/vmoperator/manager/VmMonitor.java | 26 +++++++------------
 1 file changed, 10 insertions(+), 16 deletions(-)

diff --git a/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/VmMonitor.java b/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/VmMonitor.java
index cc8ae7b..315aee2 100644
--- a/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/VmMonitor.java
+++ b/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/VmMonitor.java
@@ -119,11 +119,6 @@ public class VmMonitor extends
         V1ObjectMeta metadata = response.object.getMetadata();
         VmChannel channel = channelManager.channelGet(metadata.getName());
 
-        // Remove from channel manager if deleted
-        if (ResponseType.valueOf(response.type) == ResponseType.DELETED) {
-            channelManager.remove(metadata.getName());
-        }
-
         // Get full definition and associate with channel as backup
         var vmModel = response.object;
         if (vmModel.data() == null) {
@@ -151,17 +146,16 @@ public class VmMonitor extends
 
         // Create and fire changed event. Remove channel from channel
         // manager on completion.
-        channel.pipeline()
-            .fire(Event.onCompletion(
-                new VmDefChanged(ResponseType.valueOf(response.type),
-                    channel.setGeneration(response.object.getMetadata()
-                        .getGeneration()),
-                    vmDef),
-                e -> {
-                    if (e.type() == ResponseType.DELETED) {
-                        channelManager.remove(e.vmDefinition().name());
-                    }
-                }), channel);
+        VmDefChanged chgEvt
+            = new VmDefChanged(ResponseType.valueOf(response.type),
+                channel.setGeneration(response.object.getMetadata()
+                    .getGeneration()),
+                vmDef);
+        if (ResponseType.valueOf(response.type) == ResponseType.DELETED) {
+            chgEvt = Event.onCompletion(chgEvt,
+                e -> channelManager.remove(e.vmDefinition().name()));
+        }
+        channel.pipeline().fire(chgEvt, channel);
     }
 
     private VmDefinitionModel getModel(K8sClient client,

From 15ac0721a6449ab6ac052e67ce8859a782de6c25 Mon Sep 17 00:00:00 2001
From: "Michael N. Lipp" <mnl@mnl.de>
Date: Tue, 14 Jan 2025 10:22:56 +0100
Subject: [PATCH 057/274] Minor refactoring.

---
 .../jdrupes/vmoperator/common/VmDefinition.java   | 15 +++++++++++++++
 .../org/jdrupes/vmoperator/manager/VmMonitor.java | 15 +--------------
 .../src/org/jdrupes/vmoperator/vmmgmt/VmMgmt.java | 13 +++----------
 3 files changed, 19 insertions(+), 24 deletions(-)

diff --git a/org.jdrupes.vmoperator.common/src/org/jdrupes/vmoperator/common/VmDefinition.java b/org.jdrupes.vmoperator.common/src/org/jdrupes/vmoperator/common/VmDefinition.java
index 7545405..b807e8c 100644
--- a/org.jdrupes.vmoperator.common/src/org/jdrupes/vmoperator/common/VmDefinition.java
+++ b/org.jdrupes.vmoperator.common/src/org/jdrupes/vmoperator/common/VmDefinition.java
@@ -268,6 +268,21 @@ public class VmDefinition {
         this.status = status;
     }
 
+    /**
+     * Return a condition's status.
+     *
+     * @param name the condition's name
+     * @return the status, if the condition is defined
+     */
+    public Optional<Boolean> conditionStatus(String name) {
+        return this.<List<Map<String, Object>>> fromStatus("conditions")
+            .orElse(Collections.emptyList()).stream()
+            .filter(cond -> DataPath.get(cond, "type")
+                .map(name::equals).orElse(false))
+            .findFirst().map(cond -> DataPath.get(cond, "status")
+                .map("True"::equals).orElse(false));
+    }
+
     /**
      * Set extra data (locally used, unknown to kubernetes).
      *
diff --git a/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/VmMonitor.java b/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/VmMonitor.java
index 315aee2..6c769d2 100644
--- a/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/VmMonitor.java
+++ b/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/VmMonitor.java
@@ -24,9 +24,6 @@ import io.kubernetes.client.util.Watch;
 import io.kubernetes.client.util.generic.options.ListOptions;
 import java.io.IOException;
 import java.util.ArrayList;
-import java.util.Collections;
-import java.util.List;
-import java.util.Map;
 import java.util.Optional;
 import java.util.Set;
 import java.util.logging.Level;
@@ -49,7 +46,6 @@ import static org.jdrupes.vmoperator.manager.Constants.VM_OP_NAME;
 import org.jdrupes.vmoperator.manager.events.ChannelManager;
 import org.jdrupes.vmoperator.manager.events.VmChannel;
 import org.jdrupes.vmoperator.manager.events.VmDefChanged;
-import org.jdrupes.vmoperator.util.DataPath;
 import org.jgrapes.core.Channel;
 import org.jgrapes.core.Event;
 
@@ -184,16 +180,7 @@ public class VmMonitor extends
         // VM definition status changes before the pod terminates.
         // This results in pod information being shown for a stopped
         // VM which is irritating. So check condition first.
-        @SuppressWarnings("PMD.LambdaCanBeMethodReference")
-        var isRunning
-            = vmDef.<List<Map<String, Object>>> fromStatus("conditions")
-                .orElse(Collections.emptyList()).stream()
-                .filter(cond -> DataPath.get(cond, "type")
-                    .map(t -> "Running".equals(t)).orElse(false))
-                .findFirst().map(cond -> DataPath.get(cond, "status")
-                    .map(s -> "True".equals(s)).orElse(false))
-                .orElse(false);
-        if (!isRunning) {
+        if (!vmDef.conditionStatus("Running").orElse(false)) {
             return;
         }
         var podSearch = new ListOptions();
diff --git a/org.jdrupes.vmoperator.vmmgmt/src/org/jdrupes/vmoperator/vmmgmt/VmMgmt.java b/org.jdrupes.vmoperator.vmmgmt/src/org/jdrupes/vmoperator/vmmgmt/VmMgmt.java
index 8395b4c..dbe17ca 100644
--- a/org.jdrupes.vmoperator.vmmgmt/src/org/jdrupes/vmoperator/vmmgmt/VmMgmt.java
+++ b/org.jdrupes.vmoperator.vmmgmt/src/org/jdrupes/vmoperator/vmmgmt/VmMgmt.java
@@ -29,9 +29,7 @@ import java.math.BigDecimal;
 import java.math.BigInteger;
 import java.time.Duration;
 import java.time.Instant;
-import java.util.Collections;
 import java.util.EnumSet;
-import java.util.List;
 import java.util.Map;
 import java.util.Optional;
 import java.util.Set;
@@ -328,14 +326,9 @@ public class VmMgmt extends FreeMarkerConlet<VmMgmt.VmsModel> {
                 .add(vmDef.<String> fromStatus("ram")
                     .map(r -> Quantity.fromString(r).getNumber().toBigInteger())
                     .orElse(BigInteger.ZERO));
-            summary.runningVms
-                += vmDef.<List<Map<String, Object>>> fromStatus("conditions")
-                    .orElse(Collections.emptyList()).stream()
-                    .filter(cond -> DataPath.get(cond, "type")
-                        .map(t -> "Running".equals(t)).orElse(false)
-                        && DataPath.get(cond, "status")
-                            .map(s -> "True".equals(s)).orElse(false))
-                    .count();
+            if (vmDef.conditionStatus("Running").orElse(false)) {
+                summary.runningVms += 1;
+            }
         }
         cachedSummary = summary;
         return summary;

From 4943baf3e38bf9353ba75ef7e6cde6d878ad312c Mon Sep 17 00:00:00 2001
From: "Michael N. Lipp" <mnl@mnl.de>
Date: Tue, 14 Jan 2025 10:23:32 +0100
Subject: [PATCH 058/274] Save assignment information.

---
 deploy/crds/vms-crd.yaml | 21 +++++++++++++++++++++
 1 file changed, 21 insertions(+)

diff --git a/deploy/crds/vms-crd.yaml b/deploy/crds/vms-crd.yaml
index 5f67b4c..1e79e27 100644
--- a/deploy/crds/vms-crd.yaml
+++ b/deploy/crds/vms-crd.yaml
@@ -1486,6 +1486,27 @@ spec:
                     by the runner if password protection is not enabled.
                   type: integer
                   default: 0
+                assignment:
+                  description: >-
+                    The assignment of this VM to a a particular user.
+                  type: object
+                  properties:
+                    pool:
+                      description: >-
+                        The pool this VM is taken from.
+                      type: string
+                      default: ""
+                    user:
+                      description: >-
+                        The user this VM is assigned to.
+                      type: string
+                      default: ""
+                    lastUsed:
+                      description: >-
+                        The last time this VM was used by the user.
+                      type: string
+                      default: "1970-01-01T00:00:00Z"
+                  default: {}
                 conditions:
                   description: >-
                     List of component conditions observed

From bd5227fda3e3981f81bb3bddad3a942544888497 Mon Sep 17 00:00:00 2001
From: "Michael N. Lipp" <mnl@mnl.de>
Date: Wed, 15 Jan 2025 21:58:08 +0100
Subject: [PATCH 059/274] Simplify pool management.

---
 .../org/jdrupes/vmoperator/common/VmPool.java | 28 ++++++
 .../vmoperator/manager/PoolMonitor.java       | 96 +++++--------------
 2 files changed, 53 insertions(+), 71 deletions(-)

diff --git a/org.jdrupes.vmoperator.common/src/org/jdrupes/vmoperator/common/VmPool.java b/org.jdrupes.vmoperator.common/src/org/jdrupes/vmoperator/common/VmPool.java
index 07e0616..426a69c 100644
--- a/org.jdrupes.vmoperator.common/src/org/jdrupes/vmoperator/common/VmPool.java
+++ b/org.jdrupes.vmoperator.common/src/org/jdrupes/vmoperator/common/VmPool.java
@@ -36,10 +36,20 @@ import org.jdrupes.vmoperator.util.DataPath;
 public class VmPool {
 
     private String name;
+    private boolean defined;
     private List<Grant> permissions = Collections.emptyList();
     private final Set<String> vms
         = Collections.synchronizedSet(new HashSet<>());
 
+    /**
+     * Instantiates a new vm pool.
+     *
+     * @param name the name
+     */
+    public VmPool(String name) {
+        this.name = name;
+    }
+
     /**
      * Returns the name.
      *
@@ -58,6 +68,24 @@ public class VmPool {
         this.name = name;
     }
 
+    /**
+     * Checks if is defined.
+     *
+     * @return the result
+     */
+    public boolean isDefined() {
+        return defined;
+    }
+
+    /**
+     * Sets if is.
+     *
+     * @param defined the defined to set
+     */
+    public void setDefined(boolean defined) {
+        this.defined = defined;
+    }
+
     /**
      * Permissions granted for a VM from the pool.
      *
diff --git a/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/PoolMonitor.java b/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/PoolMonitor.java
index 49c708d..27dfb7d 100644
--- a/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/PoolMonitor.java
+++ b/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/PoolMonitor.java
@@ -19,17 +19,13 @@
 package org.jdrupes.vmoperator.manager;
 
 import io.kubernetes.client.openapi.ApiException;
-import io.kubernetes.client.openapi.models.V1ObjectMeta;
 import io.kubernetes.client.util.Watch;
 import java.io.IOException;
 import java.util.Collections;
-import java.util.HashSet;
 import java.util.List;
 import java.util.Map;
 import java.util.Optional;
-import java.util.Set;
 import java.util.concurrent.ConcurrentHashMap;
-import java.util.concurrent.locks.ReentrantLock;
 import static org.jdrupes.vmoperator.common.Constants.VM_OP_GROUP;
 import org.jdrupes.vmoperator.common.K8s;
 import org.jdrupes.vmoperator.common.K8sClient;
@@ -56,8 +52,6 @@ import org.jgrapes.core.events.Attached;
 public class PoolMonitor extends
         AbstractMonitor<K8sDynamicModel, K8sDynamicModels, Channel> {
 
-    private final ReentrantLock pendingLock = new ReentrantLock();
-    private final Map<String, Set<String>> pending = new ConcurrentHashMap<>();
     private final Map<String, VmPool> pools = new ConcurrentHashMap<>();
     private EventPipeline poolPipeline;
 
@@ -107,18 +101,13 @@ public class PoolMonitor extends
 
         // When pool is deleted, save VMs in pending
         if (type == ResponseType.DELETED) {
-            try {
-                pendingLock.lock();
-                Optional.ofNullable(pools.get(poolName)).ifPresent(
-                    p -> {
-                        pending.computeIfAbsent(poolName, k -> Collections
-                            .synchronizedSet(new HashSet<>())).addAll(p.vms());
-                        pools.remove(poolName);
-                        poolPipeline.fire(new VmPoolChanged(p, true));
-                    });
-            } finally {
-                pendingLock.unlock();
-            }
+            Optional.ofNullable(pools.get(poolName)).ifPresent(pool -> {
+                pool.setDefined(false);
+                if (pool.vms().isEmpty()) {
+                    pools.remove(poolName);
+                }
+                poolPipeline.fire(new VmPoolChanged(pool, true));
+            });
             return;
         }
 
@@ -135,32 +124,13 @@ public class PoolMonitor extends
             }
         }
 
-        // Convert to VM pool
-        var vmPool = client().getJSON().getGson().fromJson(
-            GsonPtr.to(poolModel.data()).to("spec").get(),
-            VmPool.class);
-        V1ObjectMeta metadata = response.object.getMetadata();
-        vmPool.setName(metadata.getName());
-
-        // If modified, merge changes and notify
-        if (type == ResponseType.MODIFIED && pools.containsKey(poolName)) {
-            pools.get(poolName).setPermissions(vmPool.permissions());
-            poolPipeline.fire(new VmPoolChanged(vmPool));
-            return;
-        }
-
-        // Add new pool
-        try {
-            pendingLock.lock();
-            Optional.ofNullable(pending.get(poolName)).ifPresent(s -> {
-                vmPool.vms().addAll(s);
-            });
-            pending.remove(poolName);
-            pools.put(poolName, vmPool);
-            poolPipeline.fire(new VmPoolChanged(vmPool));
-        } finally {
-            pendingLock.unlock();
-        }
+        // Get pool and merge changes
+        var vmPool = pools.computeIfAbsent(poolName, k -> new VmPool(poolName));
+        var newData = client().getJSON().getGson().fromJson(
+            GsonPtr.to(poolModel.data()).to("spec").get(), VmPool.class);
+        vmPool.setPermissions(newData.permissions());
+        vmPool.setDefined(true);
+        poolPipeline.fire(new VmPoolChanged(vmPool));
     }
 
     /**
@@ -173,35 +143,19 @@ public class PoolMonitor extends
         String vmName = event.vmDefinition().name();
         switch (event.type()) {
         case ADDED:
-            try {
-                pendingLock.lock();
-                event.vmDefinition().<List<String>> fromSpec("pools")
-                    .orElse(Collections.emptyList()).stream().forEach(p -> {
-                        if (pools.containsKey(p)) {
-                            pools.get(p).vms().add(vmName);
-                        } else {
-                            pending.computeIfAbsent(p, k -> Collections
-                                .synchronizedSet(new HashSet<>())).add(vmName);
-                        }
-                        poolPipeline.fire(new VmPoolChanged(pools.get(p)));
-                    });
-            } finally {
-                pendingLock.unlock();
-            }
+            event.vmDefinition().<List<String>> fromSpec("pools")
+                .orElse(Collections.emptyList()).stream().forEach(p -> {
+                    pools.computeIfAbsent(p, k -> new VmPool(p))
+                        .vms().add(vmName);
+                    poolPipeline.fire(new VmPoolChanged(pools.get(p)));
+                });
             break;
         case DELETED:
-            try {
-                pendingLock.lock();
-                pools.values().stream().forEach(p -> {
-                    if (p.vms().remove(vmName)) {
-                        poolPipeline.fire(new VmPoolChanged(p));
-                    }
-                });
-                // Should not be necessary, but just in case
-                pending.values().stream().forEach(s -> s.remove(vmName));
-            } finally {
-                pendingLock.unlock();
-            }
+            pools.values().stream().forEach(p -> {
+                if (p.vms().remove(vmName)) {
+                    poolPipeline.fire(new VmPoolChanged(p));
+                }
+            });
             break;
         default:
             break;

From 5bd6700541c1a0722f313ff1a6320c61fc922636 Mon Sep 17 00:00:00 2001
From: "Michael N. Lipp" <mnl@mnl.de>
Date: Wed, 15 Jan 2025 22:06:00 +0100
Subject: [PATCH 060/274] Name not needed.

---
 .../org/jdrupes/vmoperator/vmaccess/VmAccess-edit.ftl.html    | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/org.jdrupes.vmoperator.vmaccess/resources/org/jdrupes/vmoperator/vmaccess/VmAccess-edit.ftl.html b/org.jdrupes.vmoperator.vmaccess/resources/org/jdrupes/vmoperator/vmaccess/VmAccess-edit.ftl.html
index 1a10a7d..afbff3a 100644
--- a/org.jdrupes.vmoperator.vmaccess/resources/org/jdrupes/vmoperator/vmaccess/VmAccess-edit.ftl.html
+++ b/org.jdrupes.vmoperator.vmaccess/resources/org/jdrupes/vmoperator/vmaccess/VmAccess-edit.ftl.html
@@ -10,7 +10,7 @@
         <ul>
           <li>
             <label>
-              <input v-model="resource" type="radio" name="resource" value="vm">
+              <input v-model="resource" type="radio" value="vm">
               <span>{{ localize("VM") }}</span>
               <select v-model="vmNameInput" :disabled="resource !== 'vm'">
               <#list vmNames as name>
@@ -21,7 +21,7 @@
           </li>
           <li>
             <label>
-              <input v-model="resource" type="radio" name="resource" value="pool">
+              <input v-model="resource" type="radio" value="pool">
               <span>{{ localize("Pool") }}</span>
               <select v-model="poolNameInput" :disabled="resource !== 'pool'">
               <#list poolNames as name>

From 76be59a5b3cdef6e01044614c627a74ac54df81f Mon Sep 17 00:00:00 2001
From: "Michael N. Lipp" <mnl@mnl.de>
Date: Sat, 18 Jan 2025 17:02:30 +0100
Subject: [PATCH 061/274] Don't duplicate VM management.

---
 .../vmoperator/manager/events/GetPools.java   |  67 ++++++
 .../vmoperator/manager/events/GetVms.java     |  97 +++++++++
 .../vmoperator/manager/PoolMonitor.java       |  15 ++
 .../jdrupes/vmoperator/manager/VmMonitor.java |  20 ++
 .../jdrupes/vmoperator/vmaccess/VmAccess.java | 201 ++++++++++--------
 5 files changed, 315 insertions(+), 85 deletions(-)
 create mode 100644 org.jdrupes.vmoperator.manager.events/src/org/jdrupes/vmoperator/manager/events/GetPools.java
 create mode 100644 org.jdrupes.vmoperator.manager.events/src/org/jdrupes/vmoperator/manager/events/GetVms.java

diff --git a/org.jdrupes.vmoperator.manager.events/src/org/jdrupes/vmoperator/manager/events/GetPools.java b/org.jdrupes.vmoperator.manager.events/src/org/jdrupes/vmoperator/manager/events/GetPools.java
new file mode 100644
index 0000000..1257599
--- /dev/null
+++ b/org.jdrupes.vmoperator.manager.events/src/org/jdrupes/vmoperator/manager/events/GetPools.java
@@ -0,0 +1,67 @@
+/*
+ * VM-Operator
+ * Copyright (C) 2024 Michael N. Lipp
+ * 
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as
+ * published by the Free Software Foundation, either version 3 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program.  If not, see <https://www.gnu.org/licenses/>.
+ */
+
+package org.jdrupes.vmoperator.manager.events;
+
+import java.util.Collections;
+import java.util.List;
+import java.util.Optional;
+import org.jdrupes.vmoperator.common.VmPool;
+import org.jgrapes.core.Event;
+
+/**
+ * Gets the known pools' definitions.
+ */
+@SuppressWarnings("PMD.DataClass")
+public class GetPools extends Event<List<VmPool>> {
+
+    private String user;
+    private List<String> roles = Collections.emptyList();
+
+    /**
+     * Return only {@link VmPool}s that are accessible by
+     * the given user or roles.
+     *
+     * @param user the user
+     * @param roles the roles
+     * @return the event 
+     */
+    public GetPools accessibleFor(String user, List<String> roles) {
+        this.user = user;
+        this.roles = roles;
+        return this;
+    }
+
+    /**
+     * Returns the user filter criterion, if set.
+     *
+     * @return the optional
+     */
+    public Optional<String> forUser() {
+        return Optional.ofNullable(user);
+    }
+
+    /**
+     * Returns the roles criterion.
+     *
+     * @return the list
+     */
+    public List<String> forRoles() {
+        return roles;
+    }
+}
diff --git a/org.jdrupes.vmoperator.manager.events/src/org/jdrupes/vmoperator/manager/events/GetVms.java b/org.jdrupes.vmoperator.manager.events/src/org/jdrupes/vmoperator/manager/events/GetVms.java
new file mode 100644
index 0000000..ebb19cc
--- /dev/null
+++ b/org.jdrupes.vmoperator.manager.events/src/org/jdrupes/vmoperator/manager/events/GetVms.java
@@ -0,0 +1,97 @@
+/*
+ * VM-Operator
+ * Copyright (C) 2024 Michael N. Lipp
+ * 
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as
+ * published by the Free Software Foundation, either version 3 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program.  If not, see <https://www.gnu.org/licenses/>.
+ */
+
+package org.jdrupes.vmoperator.manager.events;
+
+import java.util.Collections;
+import java.util.List;
+import java.util.Optional;
+import org.jdrupes.vmoperator.common.VmDefinition;
+import org.jgrapes.core.Event;
+
+/**
+ * Gets the known VMs' definitions and channels.
+ */
+@SuppressWarnings("PMD.DataClass")
+public class GetVms extends Event<List<GetVms.VmData>> {
+
+    private String name;
+    private String user;
+    private List<String> roles = Collections.emptyList();
+
+    /**
+     * Return only the VMs with the given name.
+     *
+     * @param name the name
+     * @return the returns the vms
+     */
+    public GetVms withName(String name) {
+        this.name = name;
+        return this;
+    }
+
+    /**
+     * Return only {@link VmDefinition}s that are accessible by
+     * the given user or roles.
+     *
+     * @param user the user
+     * @param roles the roles
+     * @return the event
+     */
+    public GetVms accessibleFor(String user, List<String> roles) {
+        this.user = user;
+        this.roles = roles;
+        return this;
+    }
+
+    /**
+     * Returns the name filter criterion, if set.
+     *
+     * @return the optional
+     */
+    public Optional<String> name() {
+        return Optional.ofNullable(name);
+    }
+
+    /**
+     * Returns the user filter criterion, if set.
+     *
+     * @return the optional
+     */
+    public Optional<String> user() {
+        return Optional.ofNullable(user);
+    }
+
+    /**
+     * Returns the roles criterion.
+     *
+     * @return the list
+     */
+    public List<String> roles() {
+        return roles;
+    }
+
+    /**
+     * Return tuple.
+     *
+     * @param definition the definition
+     * @param channel the channel
+     */
+    public record VmData(VmDefinition definition, VmChannel channel) {
+    }
+}
diff --git a/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/PoolMonitor.java b/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/PoolMonitor.java
index 27dfb7d..1864ea7 100644
--- a/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/PoolMonitor.java
+++ b/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/PoolMonitor.java
@@ -35,6 +35,7 @@ import org.jdrupes.vmoperator.common.K8sDynamicStub;
 import org.jdrupes.vmoperator.common.K8sObserver.ResponseType;
 import org.jdrupes.vmoperator.common.VmPool;
 import static org.jdrupes.vmoperator.manager.Constants.VM_OP_KIND_VM_POOL;
+import org.jdrupes.vmoperator.manager.events.GetPools;
 import org.jdrupes.vmoperator.manager.events.VmDefChanged;
 import org.jdrupes.vmoperator.manager.events.VmPoolChanged;
 import org.jdrupes.vmoperator.util.GsonPtr;
@@ -161,4 +162,18 @@ public class PoolMonitor extends
             break;
         }
     }
+
+    /**
+     * Return the requested pools.
+     *
+     * @param event the event
+     */
+    @Handler
+    public void onGetPools(GetPools event) {
+        event.setResult(pools.values().stream()
+            .filter(p -> event.forUser().isEmpty() && event.forRoles().isEmpty()
+                || !p.permissionsFor(event.forUser().orElse(null),
+                    event.forRoles()).isEmpty())
+            .toList());
+    }
 }
diff --git a/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/VmMonitor.java b/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/VmMonitor.java
index 6c769d2..b5268a2 100644
--- a/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/VmMonitor.java
+++ b/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/VmMonitor.java
@@ -44,10 +44,13 @@ import static org.jdrupes.vmoperator.manager.Constants.APP_NAME;
 import static org.jdrupes.vmoperator.manager.Constants.VM_OP_KIND_VM;
 import static org.jdrupes.vmoperator.manager.Constants.VM_OP_NAME;
 import org.jdrupes.vmoperator.manager.events.ChannelManager;
+import org.jdrupes.vmoperator.manager.events.GetVms;
+import org.jdrupes.vmoperator.manager.events.GetVms.VmData;
 import org.jdrupes.vmoperator.manager.events.VmChannel;
 import org.jdrupes.vmoperator.manager.events.VmDefChanged;
 import org.jgrapes.core.Channel;
 import org.jgrapes.core.Event;
+import org.jgrapes.core.annotation.Handler;
 
 /**
  * Watches for changes of VM definitions.
@@ -208,4 +211,21 @@ public class VmMonitor extends
                 () -> "Cannot access node information: " + e.getMessage());
         }
     }
+
+    /**
+     * Returns the VM data.
+     *
+     * @param event the event
+     */
+    @Handler
+    public void onGetVms(GetVms event) {
+        event.setResult(channelManager.channels().stream()
+            .filter(c -> event.name().isEmpty()
+                || c.vmDefinition().name().equals(event.name().get()))
+            .filter(c -> event.user().isEmpty() && event.roles().isEmpty()
+                || !c.vmDefinition().permissionsFor(event.user().orElse(null),
+                    event.roles()).isEmpty())
+            .map(c -> new VmData(c.vmDefinition(), c))
+            .toList());
+    }
 }
diff --git a/org.jdrupes.vmoperator.vmaccess/src/org/jdrupes/vmoperator/vmaccess/VmAccess.java b/org.jdrupes.vmoperator.vmaccess/src/org/jdrupes/vmoperator/vmaccess/VmAccess.java
index 4f4ef53..8d1a71a 100644
--- a/org.jdrupes.vmoperator.vmaccess/src/org/jdrupes/vmoperator/vmaccess/VmAccess.java
+++ b/org.jdrupes.vmoperator.vmaccess/src/org/jdrupes/vmoperator/vmaccess/VmAccess.java
@@ -52,8 +52,10 @@ import org.jdrupes.vmoperator.common.K8sObserver;
 import org.jdrupes.vmoperator.common.VmDefinition;
 import org.jdrupes.vmoperator.common.VmDefinition.Permission;
 import org.jdrupes.vmoperator.common.VmPool;
-import org.jdrupes.vmoperator.manager.events.ChannelTracker;
 import org.jdrupes.vmoperator.manager.events.GetDisplayPassword;
+import org.jdrupes.vmoperator.manager.events.GetPools;
+import org.jdrupes.vmoperator.manager.events.GetVms;
+import org.jdrupes.vmoperator.manager.events.GetVms.VmData;
 import org.jdrupes.vmoperator.manager.events.ModifyVm;
 import org.jdrupes.vmoperator.manager.events.ResetVm;
 import org.jdrupes.vmoperator.manager.events.VmChannel;
@@ -62,8 +64,10 @@ import org.jdrupes.vmoperator.manager.events.VmPoolChanged;
 import org.jgrapes.core.Channel;
 import org.jgrapes.core.Components;
 import org.jgrapes.core.Event;
+import org.jgrapes.core.EventPipeline;
 import org.jgrapes.core.Manager;
 import org.jgrapes.core.annotation.Handler;
+import org.jgrapes.core.events.Start;
 import org.jgrapes.http.Session;
 import org.jgrapes.util.events.ConfigurationUpdate;
 import org.jgrapes.util.events.KeyValueStoreQuery;
@@ -122,8 +126,7 @@ public class VmAccess extends FreeMarkerConlet<VmAccess.ResourceModel> {
         RenderMode.Preview, RenderMode.Edit);
     private static final Set<RenderMode> MODES_FOR_GENERATED = RenderMode.asSet(
         RenderMode.Preview, RenderMode.StickyPreview);
-    private final ChannelTracker<String, VmChannel,
-            VmDefinition> channelTracker = new ChannelTracker<>();
+    private EventPipeline appPipeline;
     private static ObjectMapper objectMapper
         = new ObjectMapper().registerModule(new JavaTimeModule());
     private Class<?> preferredIpVersion = Inet4Address.class;
@@ -150,6 +153,16 @@ public class VmAccess extends FreeMarkerConlet<VmAccess.ResourceModel> {
         super(componentChannel);
     }
 
+    /**
+     * On start.
+     *
+     * @param event the event
+     */
+    @Handler
+    public void onStart(Start event) {
+        appPipeline = event.processedBy().get();
+    }
+
     /**
      * Configure the component. 
      * 
@@ -263,18 +276,24 @@ public class VmAccess extends FreeMarkerConlet<VmAccess.ResourceModel> {
         if (!syncPreviews(connection.session())) {
             return;
         }
-
-        addMissingVms(event, connection, rendered);
+        addMissingConlets(event, connection, rendered);
     }
 
     @SuppressWarnings({ "PMD.AvoidInstantiatingObjectsInLoops",
         "PMD.AvoidDuplicateLiterals" })
-    private void addMissingVms(ConsoleConfigured event,
-            ConsoleConnection connection, final Set<ResourceModel> rendered) {
+    private void addMissingConlets(ConsoleConfigured event,
+            ConsoleConnection connection, final Set<ResourceModel> rendered)
+            throws InterruptedException {
         boolean foundMissing = false;
-        for (var vmName : accessibleVms(connection)) {
+        var session = connection.session();
+        for (var vmName : appPipeline.fire(new GetVms().accessibleFor(
+            WebConsoleUtils.userFromSession(session)
+                .map(ConsoleUser::getName).orElse(null),
+            WebConsoleUtils.rolesFromSession(session).stream()
+                .map(ConsoleRole::getName).toList()))
+            .get().stream().map(d -> d.definition().name()).toList()) {
             if (rendered.stream()
-                .anyMatch(r -> r.type() == ResourceModel.Type.VM
+                .anyMatch(r -> r.mode() == ResourceModel.Mode.VM
                     && r.name().equals(vmName))) {
                 continue;
             }
@@ -318,7 +337,7 @@ public class VmAccess extends FreeMarkerConlet<VmAccess.ResourceModel> {
     protected Optional<ResourceModel> createNewState(AddConletRequest event,
             ConsoleConnection connection, String conletId) throws Exception {
         var model = new ResourceModel(conletId);
-        model.setType(ResourceModel.Type.VM);
+        model.setMode(ResourceModel.Mode.VM);
         model
             .setName((String) event.properties().get(VM_NAME_PROPERTY));
         String jsonState = objectMapper.writeValueAsString(model);
@@ -373,11 +392,25 @@ public class VmAccess extends FreeMarkerConlet<VmAccess.ResourceModel> {
         ResourceBundle resourceBundle = resourceBundle(channel.locale());
         Set<RenderMode> renderedAs = EnumSet.noneOf(RenderMode.class);
         if (event.renderAs().contains(RenderMode.Edit)) {
-            Template tpl = freemarkerConfig()
-                .getTemplate("VmAccess-edit.ftl.html");
+            var session = channel.session();
+            var vmNames = appPipeline.fire(new GetVms().accessibleFor(
+                WebConsoleUtils.userFromSession(session)
+                    .map(ConsoleUser::getName).orElse(null),
+                WebConsoleUtils.rolesFromSession(session).stream()
+                    .map(ConsoleRole::getName).toList()))
+                .get().stream().map(d -> d.definition().name()).sorted()
+                .toList();
+            var poolNames = appPipeline.fire(new GetPools().accessibleFor(
+                WebConsoleUtils.userFromSession(session)
+                    .map(ConsoleUser::getName).orElse(null),
+                WebConsoleUtils.rolesFromSession(session).stream()
+                    .map(ConsoleRole::getName).toList()))
+                .get().stream().map(VmPool::name).sorted().toList();
+            Template tpl
+                = freemarkerConfig().getTemplate("VmAccess-edit.ftl.html");
             var fmModel = fmModel(event, channel, conletId, model);
-            fmModel.put("vmNames", accessibleVms(channel));
-            fmModel.put("poolNames", accessiblePools(channel));
+            fmModel.put("vmNames", vmNames);
+            fmModel.put("poolNames", poolNames);
             channel.respond(new OpenModalDialog(type(), conletId,
                 processTemplate(event, tpl, fmModel))
                     .addOption("cancelable", true)
@@ -391,27 +424,32 @@ public class VmAccess extends FreeMarkerConlet<VmAccess.ResourceModel> {
     private Set<RenderMode> renderPreview(RenderConletRequestBase<?> event,
             ConsoleConnection channel, String conletId, ResourceModel model)
             throws TemplateNotFoundException, MalformedTemplateNameException,
-            ParseException, IOException {
+            ParseException, IOException, InterruptedException {
         channel.associated(PENDING, Event.class)
             .ifPresent(e -> {
                 e.resumeHandling();
                 channel.setAssociated(PENDING, null);
             });
 
-        if (model.type() == ResourceModel.Type.VM && model.name() != null) {
+        var session = channel.session();
+        if (model.mode() == ResourceModel.Mode.VM && model.name() != null) {
             // Remove conlet if VM definition has been removed
             // or user has not at least one permission
-            Optional<VmDefinition> vmDef
-                = channelTracker.associated(model.name());
-            if (vmDef.isEmpty()
-                || vmPermissions(vmDef.get(), channel.session()).isEmpty()) {
+            Optional<VmData> vmData = appPipeline.fire(new GetVms()
+                .withName(model.name()).accessibleFor(
+                    WebConsoleUtils.userFromSession(session)
+                        .map(ConsoleUser::getName).orElse(null),
+                    WebConsoleUtils.rolesFromSession(session).stream()
+                        .map(ConsoleRole::getName).toList()))
+                .get().stream().findFirst();
+            if (vmData.isEmpty()) {
                 channel.respond(
                     new DeleteConlet(conletId, Collections.emptySet()));
                 return Collections.emptySet();
             }
         }
 
-        if (model.type() == ResourceModel.Type.POOL && model.name() != null) {
+        if (model.mode() == ResourceModel.Mode.POOL && model.name() != null) {
             // Remove conlet if pool definition has been removed
             // or user has not at least one permission
             VmPool pool = vmPools.get(model.name());
@@ -442,12 +480,6 @@ public class VmAccess extends FreeMarkerConlet<VmAccess.ResourceModel> {
         return EnumSet.of(RenderMode.Preview);
     }
 
-    private List<String> accessibleVms(ConsoleConnection channel) {
-        return channelTracker.associated().stream()
-            .filter(d -> !vmPermissions(d, channel.session()).isEmpty())
-            .map(d -> d.getMetadata().getName()).sorted().toList();
-    }
-
     private Set<Permission> vmPermissions(VmDefinition vmDef,
             Session session) {
         var user = WebConsoleUtils.userFromSession(session)
@@ -457,12 +489,6 @@ public class VmAccess extends FreeMarkerConlet<VmAccess.ResourceModel> {
         return vmDef.permissionsFor(user, roles);
     }
 
-    private List<String> accessiblePools(ConsoleConnection channel) {
-        return vmPools.values().stream()
-            .filter(d -> !poolPermissions(d, channel.session()).isEmpty())
-            .map(d -> d.name()).sorted().toList();
-    }
-
     private Set<Permission> poolPermissions(VmPool pool,
             Session session) {
         var user = WebConsoleUtils.userFromSession(session)
@@ -472,34 +498,36 @@ public class VmAccess extends FreeMarkerConlet<VmAccess.ResourceModel> {
         return pool.permissionsFor(user, roles);
     }
 
-    private void updateConfig(ConsoleConnection channel, ResourceModel model) {
+    private void updateConfig(ConsoleConnection channel, ResourceModel model)
+            throws InterruptedException {
         channel.respond(new NotifyConletView(type(),
-            model.getConletId(), "updateConfig", model.type(), model.name()));
+            model.getConletId(), "updateConfig", model.mode(), model.name()));
         updateVmDef(channel, model);
     }
 
-    private void updateVmDef(ConsoleConnection channel, ResourceModel model) {
+    private void updateVmDef(ConsoleConnection channel, ResourceModel model)
+            throws InterruptedException {
         if (Strings.isNullOrEmpty(model.name())) {
             return;
         }
-        channelTracker.value(model.name()).ifPresent(item -> {
-            try {
-                var vmDef = item.associated();
-                var data = Map.of("metadata",
-                    Map.of("namespace", vmDef.namespace(),
-                        "name", vmDef.name()),
-                    "spec", vmDef.spec(),
-                    "status", vmDef.getStatus(),
-                    "userPermissions",
-                    vmPermissions(vmDef, channel.session()).stream()
-                        .map(VmDefinition.Permission::toString).toList());
-                channel.respond(new NotifyConletView(type(),
-                    model.getConletId(), "updateVmDefinition", data));
-            } catch (JsonSyntaxException e) {
-                logger.log(Level.SEVERE, e,
-                    () -> "Failed to serialize VM definition");
-            }
-        });
+        appPipeline.fire(new GetVms().withName(model.name())).get().stream()
+            .findFirst().map(d -> d.definition()).ifPresent(vmDef -> {
+                try {
+                    var data = Map.of("metadata",
+                        Map.of("namespace", vmDef.namespace(),
+                            "name", vmDef.name()),
+                        "spec", vmDef.spec(),
+                        "status", vmDef.getStatus(),
+                        "userPermissions",
+                        vmPermissions(vmDef, channel.session()).stream()
+                            .map(VmDefinition.Permission::toString).toList());
+                    channel.respond(new NotifyConletView(type(),
+                        model.getConletId(), "updateVmDefinition", data));
+                } catch (JsonSyntaxException e) {
+                    logger.log(Level.SEVERE, e,
+                        () -> "Failed to serialize VM definition");
+                }
+            });
     }
 
     @Override
@@ -519,20 +547,15 @@ public class VmAccess extends FreeMarkerConlet<VmAccess.ResourceModel> {
      * @param event the event
      * @param channel the channel
      * @throws IOException 
+     * @throws InterruptedException 
      */
     @Handler(namedChannels = "manager")
     @SuppressWarnings({ "PMD.ConfusingTernary", "PMD.CognitiveComplexity",
         "PMD.AvoidInstantiatingObjectsInLoops", "PMD.AvoidDuplicateLiterals",
         "PMD.ConfusingArgumentToVarargsMethod" })
     public void onVmDefChanged(VmDefChanged event, VmChannel channel)
-            throws IOException {
+            throws IOException, InterruptedException {
         var vmDef = event.vmDefinition();
-        var vmName = vmDef.name();
-        if (event.type() == K8sObserver.ResponseType.DELETED) {
-            channelTracker.remove(vmName);
-        } else {
-            channelTracker.put(vmName, channel, vmDef);
-        }
 
         // Update known conlets
         for (var entry : conletIdsByConsoleConnection().entrySet()) {
@@ -540,8 +563,8 @@ public class VmAccess extends FreeMarkerConlet<VmAccess.ResourceModel> {
             for (var conletId : entry.getValue()) {
                 var model = stateFromSession(connection.session(), conletId);
                 if (model.isEmpty()
-                    || model.get().type() != ResourceModel.Type.VM
-                    || !Objects.areEqual(model.get().name(), vmName)) {
+                    || model.get().mode() != ResourceModel.Mode.VM
+                    || !Objects.areEqual(model.get().name(), vmDef.name())) {
                     continue;
                 }
                 if (event.type() == K8sObserver.ResponseType.DELETED
@@ -577,7 +600,7 @@ public class VmAccess extends FreeMarkerConlet<VmAccess.ResourceModel> {
             for (var conletId : entry.getValue()) {
                 var model = stateFromSession(connection.session(), conletId);
                 if (model.isEmpty()
-                    || model.get().type() != ResourceModel.Type.POOL
+                    || model.get().mode() != ResourceModel.Mode.POOL
                     || !Objects.areEqual(model.get().name(), poolName)) {
                     continue;
                 }
@@ -605,13 +628,13 @@ public class VmAccess extends FreeMarkerConlet<VmAccess.ResourceModel> {
         }
 
         // Handle command for selected VM
-        var both = Optional.ofNullable(model.name())
-            .flatMap(vm -> channelTracker.value(vm));
-        if (both.isEmpty()) {
+        var vmData = appPipeline.fire(new GetVms().withName(model.name())).get()
+            .stream().findFirst();
+        if (vmData.isEmpty()) {
             return;
         }
-        var vmChannel = both.get().channel();
-        var vmDef = both.get().associated();
+        var vmChannel = vmData.get().channel();
+        var vmDef = vmData.get().definition();
         var vmName = vmDef.metadata().getName();
         var perms = vmPermissions(vmDef, channel.session());
         var resourceBundle = resourceBundle(channel.locale());
@@ -656,9 +679,9 @@ public class VmAccess extends FreeMarkerConlet<VmAccess.ResourceModel> {
         "PMD.UseLocaleWithCaseConversions" })
     private void selectResource(NotifyConletModel event,
             ConsoleConnection channel, ResourceModel model)
-            throws JsonProcessingException {
+            throws JsonProcessingException, InterruptedException {
         try {
-            model.setType(ResourceModel.Type
+            model.setMode(ResourceModel.Mode
                 .valueOf(event.<String> param(0).toUpperCase()));
             model.setName(event.param(1));
             String jsonState = objectMapper.writeValueAsString(model);
@@ -672,7 +695,13 @@ public class VmAccess extends FreeMarkerConlet<VmAccess.ResourceModel> {
 
     private void openConsole(String vmName, ConsoleConnection connection,
             ResourceModel model, String password) {
-        var vmDef = channelTracker.associated(vmName).orElse(null);
+        VmDefinition vmDef;
+        try {
+            vmDef = appPipeline.fire(new GetVms().withName(model.name())).get()
+                .stream().findFirst().map(VmData::definition).orElse(null);
+        } catch (InterruptedException e) {
+            return;
+        }
         if (vmDef == null) {
             return;
         }
@@ -771,11 +800,11 @@ public class VmAccess extends FreeMarkerConlet<VmAccess.ResourceModel> {
          * The Enum ResourceType.
          */
         @SuppressWarnings("PMD.ShortVariable")
-        public enum Type {
+        public enum Mode {
             VM, POOL
         }
 
-        private Type type;
+        private Mode mode;
         private String name;
 
         /**
@@ -807,27 +836,29 @@ public class VmAccess extends FreeMarkerConlet<VmAccess.ResourceModel> {
         }
 
         /**
+         * Returns the mode.
+         *
          * @return the resourceType
          */
-        @JsonGetter("type")
-        public Type type() {
-            return type;
+        @JsonGetter("mode")
+        public Mode mode() {
+            return mode;
         }
 
         /**
-         * Sets the type.
+         * Sets the mode.
          *
-         * @param type the resource type to set
+         * @param mode the resource mode to set
          */
-        public void setType(Type type) {
-            this.type = type;
+        public void setMode(Mode mode) {
+            this.mode = mode;
         }
 
         @Override
         public int hashCode() {
             final int prime = 31;
             int result = super.hashCode();
-            result = prime * result + java.util.Objects.hash(name, type);
+            result = prime * result + java.util.Objects.hash(name, mode);
             return result;
         }
 
@@ -844,14 +875,14 @@ public class VmAccess extends FreeMarkerConlet<VmAccess.ResourceModel> {
             }
             ResourceModel other = (ResourceModel) obj;
             return java.util.Objects.equals(name, other.name)
-                && type == other.type;
+                && mode == other.mode;
         }
 
         @Override
         public String toString() {
             StringBuilder builder = new StringBuilder(50);
-            builder.append("AccessModel [resourceType=").append(type)
-                .append(", resourceName=").append(name).append(']');
+            builder.append("AccessModel [mode=").append(mode)
+                .append(", name=").append(name).append(']');
             return builder.toString();
         }
 

From 9b47ad31367ae8b1d46ef8c14aa260242fcf8fd3 Mon Sep 17 00:00:00 2001
From: "Michael N. Lipp" <mnl@mnl.de>
Date: Sat, 18 Jan 2025 17:16:54 +0100
Subject: [PATCH 062/274] Don't duplicate pool management.

---
 .../vmoperator/manager/events/GetPools.java   | 21 +++++++++++++++++++
 .../vmoperator/manager/PoolMonitor.java       |  2 ++
 .../jdrupes/vmoperator/vmaccess/VmAccess.java | 13 +++---------
 3 files changed, 26 insertions(+), 10 deletions(-)

diff --git a/org.jdrupes.vmoperator.manager.events/src/org/jdrupes/vmoperator/manager/events/GetPools.java b/org.jdrupes.vmoperator.manager.events/src/org/jdrupes/vmoperator/manager/events/GetPools.java
index 1257599..40fa6ad 100644
--- a/org.jdrupes.vmoperator.manager.events/src/org/jdrupes/vmoperator/manager/events/GetPools.java
+++ b/org.jdrupes.vmoperator.manager.events/src/org/jdrupes/vmoperator/manager/events/GetPools.java
@@ -30,9 +30,21 @@ import org.jgrapes.core.Event;
 @SuppressWarnings("PMD.DataClass")
 public class GetPools extends Event<List<VmPool>> {
 
+    private String name;
     private String user;
     private List<String> roles = Collections.emptyList();
 
+    /**
+     * Return only the pool with the given name.
+     *
+     * @param name the name
+     * @return the returns the vms
+     */
+    public GetPools withName(String name) {
+        this.name = name;
+        return this;
+    }
+
     /**
      * Return only {@link VmPool}s that are accessible by
      * the given user or roles.
@@ -47,6 +59,15 @@ public class GetPools extends Event<List<VmPool>> {
         return this;
     }
 
+    /**
+     * Returns the name filter criterion, if set.
+     *
+     * @return the optional
+     */
+    public Optional<String> name() {
+        return Optional.ofNullable(name);
+    }
+
     /**
      * Returns the user filter criterion, if set.
      *
diff --git a/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/PoolMonitor.java b/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/PoolMonitor.java
index 1864ea7..00033ba 100644
--- a/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/PoolMonitor.java
+++ b/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/PoolMonitor.java
@@ -171,6 +171,8 @@ public class PoolMonitor extends
     @Handler
     public void onGetPools(GetPools event) {
         event.setResult(pools.values().stream()
+            .filter(p -> event.name().isEmpty()
+                || p.name().equals(event.name().get()))
             .filter(p -> event.forUser().isEmpty() && event.forRoles().isEmpty()
                 || !p.permissionsFor(event.forUser().orElse(null),
                     event.forRoles()).isEmpty())
diff --git a/org.jdrupes.vmoperator.vmaccess/src/org/jdrupes/vmoperator/vmaccess/VmAccess.java b/org.jdrupes.vmoperator.vmaccess/src/org/jdrupes/vmoperator/vmaccess/VmAccess.java
index 8d1a71a..c48488a 100644
--- a/org.jdrupes.vmoperator.vmaccess/src/org/jdrupes/vmoperator/vmaccess/VmAccess.java
+++ b/org.jdrupes.vmoperator.vmaccess/src/org/jdrupes/vmoperator/vmaccess/VmAccess.java
@@ -38,7 +38,6 @@ import java.time.Duration;
 import java.util.Base64;
 import java.util.Collections;
 import java.util.EnumSet;
-import java.util.HashMap;
 import java.util.HashSet;
 import java.util.List;
 import java.util.Map;
@@ -133,8 +132,6 @@ public class VmAccess extends FreeMarkerConlet<VmAccess.ResourceModel> {
     private Set<String> syncUsers = Collections.emptySet();
     private Set<String> syncRoles = Collections.emptySet();
     private boolean deleteConnectionFile = true;
-    @SuppressWarnings("PMD.UseConcurrentHashMap")
-    private final Map<String, VmPool> vmPools = new HashMap<>();
 
     /**
      * The periodically generated update event.
@@ -452,7 +449,9 @@ public class VmAccess extends FreeMarkerConlet<VmAccess.ResourceModel> {
         if (model.mode() == ResourceModel.Mode.POOL && model.name() != null) {
             // Remove conlet if pool definition has been removed
             // or user has not at least one permission
-            VmPool pool = vmPools.get(model.name());
+            VmPool pool = appPipeline
+                .fire(new GetPools().withName(model.name())).get()
+                .stream().findFirst().orElse(null);
             if (pool == null
                 || poolPermissions(pool, channel.session()).isEmpty()) {
                 channel.respond(
@@ -588,12 +587,6 @@ public class VmAccess extends FreeMarkerConlet<VmAccess.ResourceModel> {
     @SuppressWarnings("PMD.AvoidInstantiatingObjectsInLoops")
     public void onVmPoolChanged(VmPoolChanged event) {
         var poolName = event.vmPool().name();
-        if (event.deleted()) {
-            vmPools.remove(poolName);
-        } else {
-            vmPools.put(poolName, event.vmPool());
-        }
-
         // Update known conlets
         for (var entry : conletIdsByConsoleConnection().entrySet()) {
             var connection = entry.getKey();

From d060a9334a21460f071411d9adf86091ba11f386 Mon Sep 17 00:00:00 2001
From: "Michael N. Lipp" <mnl@mnl.de>
Date: Sat, 18 Jan 2025 17:50:33 +0100
Subject: [PATCH 063/274] Return only defined pools.

---
 .../src/org/jdrupes/vmoperator/manager/PoolMonitor.java         | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/PoolMonitor.java b/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/PoolMonitor.java
index 00033ba..e11f667 100644
--- a/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/PoolMonitor.java
+++ b/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/PoolMonitor.java
@@ -170,7 +170,7 @@ public class PoolMonitor extends
      */
     @Handler
     public void onGetPools(GetPools event) {
-        event.setResult(pools.values().stream()
+        event.setResult(pools.values().stream().filter(VmPool::isDefined)
             .filter(p -> event.name().isEmpty()
                 || p.name().equals(event.name().get()))
             .filter(p -> event.forUser().isEmpty() && event.forRoles().isEmpty()

From 6d5ba8829c71697411710d1499f92a365882eed9 Mon Sep 17 00:00:00 2001
From: "Michael N. Lipp" <mnl@mnl.de>
Date: Thu, 23 Jan 2025 13:41:53 +0100
Subject: [PATCH 064/274] Basically working.

---
 deploy/crds/vmpools-crd.yaml                  |   2 +-
 deploy/crds/vms-crd.yaml                      |   5 +-
 dev-example/test-pool.yaml                    |   5 +
 dev-example/test-vm.tpl.yaml                  |   3 -
 dev-example/test-vm.yaml                      |   3 -
 .../vmoperator/common/VmDefinition.java       |  52 ++-
 .../vmoperator/manager/events/AssignVm.java   |  61 ++++
 .../vmoperator/manager/events/GetVms.java     |  42 +++
 .../jdrupes/vmoperator/manager/VmMonitor.java |  60 +++-
 .../jdrupes/vmoperator/vmaccess/VmAccess.java | 332 ++++++++++++------
 .../vmaccess/browser/VmAccess-functions.ts    |  71 ++--
 .../vmaccess/browser/VmAccess-style.scss      |   5 +
 12 files changed, 493 insertions(+), 148 deletions(-)
 create mode 100644 org.jdrupes.vmoperator.manager.events/src/org/jdrupes/vmoperator/manager/events/AssignVm.java

diff --git a/deploy/crds/vmpools-crd.yaml b/deploy/crds/vmpools-crd.yaml
index 5f8414f..193d547 100644
--- a/deploy/crds/vmpools-crd.yaml
+++ b/deploy/crds/vmpools-crd.yaml
@@ -44,7 +44,7 @@ spec:
                           - reset
                           - accessConsole
                           - "*"
-                        default: []
+                        default: ["accessConsole"]
               required:
               - permissions
   # either Namespaced or Cluster
diff --git a/deploy/crds/vms-crd.yaml b/deploy/crds/vms-crd.yaml
index 1e79e27..9d7bbb8 100644
--- a/deploy/crds/vms-crd.yaml
+++ b/deploy/crds/vms-crd.yaml
@@ -1022,7 +1022,7 @@ spec:
                 pools:
                   type: array
                   description: >-
-                    List of pools to which this VM belongs.
+                    List of pools this VM belongs to.
                   items:
                     type: string
                   default: []
@@ -1495,17 +1495,14 @@ spec:
                       description: >-
                         The pool this VM is taken from.
                       type: string
-                      default: ""
                     user:
                       description: >-
                         The user this VM is assigned to.
                       type: string
-                      default: ""
                     lastUsed:
                       description: >-
                         The last time this VM was used by the user.
                       type: string
-                      default: "1970-01-01T00:00:00Z"
                   default: {}
                 conditions:
                   description: >-
diff --git a/dev-example/test-pool.yaml b/dev-example/test-pool.yaml
index 73bd6ab..2ff8d06 100644
--- a/dev-example/test-pool.yaml
+++ b/dev-example/test-pool.yaml
@@ -8,3 +8,8 @@ spec:
   - user: admin
     may:
     - accessConsole
+  - user: test
+    may:
+    - accessConsole
+    - start
+    - stop
diff --git a/dev-example/test-vm.tpl.yaml b/dev-example/test-vm.tpl.yaml
index 1ce8d95..50031bb 100644
--- a/dev-example/test-vm.tpl.yaml
+++ b/dev-example/test-vm.tpl.yaml
@@ -21,9 +21,6 @@ spec:
   - role: admin
     may: 
     - "*"
-  - user: test
-    may:
-    - accessConsole
 
   guestShutdownStops: true
 
diff --git a/dev-example/test-vm.yaml b/dev-example/test-vm.yaml
index 6f71b6a..7ee2793 100644
--- a/dev-example/test-vm.yaml
+++ b/dev-example/test-vm.yaml
@@ -14,9 +14,6 @@ spec:
   - user: admin
     may: 
     - "*"
-  - user: test
-    may:
-    - "accessConsole"
 
   resources:
     requests:
diff --git a/org.jdrupes.vmoperator.common/src/org/jdrupes/vmoperator/common/VmDefinition.java b/org.jdrupes.vmoperator.common/src/org/jdrupes/vmoperator/common/VmDefinition.java
index b807e8c..375612b 100644
--- a/org.jdrupes.vmoperator.common/src/org/jdrupes/vmoperator/common/VmDefinition.java
+++ b/org.jdrupes.vmoperator.common/src/org/jdrupes/vmoperator/common/VmDefinition.java
@@ -89,6 +89,11 @@ public class VmDefinition {
             return Set.of(reprs.get(value));
         }
 
+        /**
+         * To string.
+         *
+         * @return the string
+         */
         @Override
         public String toString() {
             return repr;
@@ -104,6 +109,11 @@ public class VmDefinition {
      */
     public record Grant(String user, String role, Set<Permission> may) {
 
+        /**
+         * To string.
+         *
+         * @return the string
+         */
         @Override
         public String toString() {
             StringBuilder builder = new StringBuilder();
@@ -180,6 +190,16 @@ public class VmDefinition {
         this.metadata = metadata;
     }
 
+    /**
+     * The pools that this VM belongs to.
+     *
+     * @return the list
+     */
+    public List<String> pools() {
+        return this.<List<String>> fromSpec("pools")
+            .orElse(Collections.emptyList());
+    }
+
     /**
      * Gets the spec.
      *
@@ -268,6 +288,24 @@ public class VmDefinition {
         this.status = status;
     }
 
+    /**
+     * The pool that the VM was taken from.
+     *
+     * @return the optional
+     */
+    public Optional<String> assignedFrom() {
+        return fromStatus("assignment", "pool");
+    }
+
+    /**
+     * The user that the VM was assigned to.
+     *
+     * @return the optional
+     */
+    public Optional<String> assignedTo() {
+        return fromStatus("assignment", "user");
+    }
+
     /**
      * Return a condition's status.
      *
@@ -298,6 +336,7 @@ public class VmDefinition {
     /**
      * Return extra data.
      *
+     * @param <T> the generic type
      * @param property the property
      * @return the object
      */
@@ -325,7 +364,7 @@ public class VmDefinition {
     }
 
     /**
-     * Return the requested VM state
+     * Return the requested VM state.
      *
      * @return the string
      */
@@ -367,11 +406,22 @@ public class VmDefinition {
             .map(Number::longValue);
     }
 
+    /**
+     * Hash code.
+     *
+     * @return the int
+     */
     @Override
     public int hashCode() {
         return Objects.hash(metadata.getNamespace(), metadata.getName());
     }
 
+    /**
+     * Equals.
+     *
+     * @param obj the obj
+     * @return true, if successful
+     */
     @Override
     public boolean equals(Object obj) {
         if (this == obj) {
diff --git a/org.jdrupes.vmoperator.manager.events/src/org/jdrupes/vmoperator/manager/events/AssignVm.java b/org.jdrupes.vmoperator.manager.events/src/org/jdrupes/vmoperator/manager/events/AssignVm.java
new file mode 100644
index 0000000..21e6031
--- /dev/null
+++ b/org.jdrupes.vmoperator.manager.events/src/org/jdrupes/vmoperator/manager/events/AssignVm.java
@@ -0,0 +1,61 @@
+/*
+ * VM-Operator
+ * Copyright (C) 2024 Michael N. Lipp
+ * 
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as
+ * published by the Free Software Foundation, either version 3 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program.  If not, see <https://www.gnu.org/licenses/>.
+ */
+
+package org.jdrupes.vmoperator.manager.events;
+
+import org.jdrupes.vmoperator.manager.events.GetVms.VmData;
+import org.jgrapes.core.Event;
+
+/**
+ * Assign a VM from a pool to a user.
+ */
+@SuppressWarnings("PMD.DataClass")
+public class AssignVm extends Event<VmData> {
+
+    private final String fromPool;
+    private final String toUser;
+
+    /**
+     * Instantiates a new event.
+     *
+     * @param fromPool the from pool
+     * @param toUser the to user
+     */
+    public AssignVm(String fromPool, String toUser) {
+        this.fromPool = fromPool;
+        this.toUser = toUser;
+    }
+
+    /**
+     * Gets the pool to assign from.
+     *
+     * @return the pool
+     */
+    public String fromPool() {
+        return fromPool;
+    }
+
+    /**
+     * Gets the user to assign to.
+     *
+     * @return the to user
+     */
+    public String toUser() {
+        return toUser;
+    }
+}
diff --git a/org.jdrupes.vmoperator.manager.events/src/org/jdrupes/vmoperator/manager/events/GetVms.java b/org.jdrupes.vmoperator.manager.events/src/org/jdrupes/vmoperator/manager/events/GetVms.java
index ebb19cc..8b00698 100644
--- a/org.jdrupes.vmoperator.manager.events/src/org/jdrupes/vmoperator/manager/events/GetVms.java
+++ b/org.jdrupes.vmoperator.manager.events/src/org/jdrupes/vmoperator/manager/events/GetVms.java
@@ -33,6 +33,8 @@ public class GetVms extends Event<List<GetVms.VmData>> {
     private String name;
     private String user;
     private List<String> roles = Collections.emptyList();
+    private String fromPool;
+    private String toUser;
 
     /**
      * Return only the VMs with the given name.
@@ -59,6 +61,28 @@ public class GetVms extends Event<List<GetVms.VmData>> {
         return this;
     }
 
+    /**
+     * Return only {@link VmDefinition}s that are assigned from the given pool.
+     *
+     * @param pool the pool
+     * @return the returns the vms
+     */
+    public GetVms assignedFrom(String pool) {
+        this.fromPool = pool;
+        return this;
+    }
+
+    /**
+     * Return only {@link VmDefinition}s that are assigned to the given user.
+     *
+     * @param user the user
+     * @return the returns the vms
+     */
+    public GetVms assignedTo(String user) {
+        this.toUser = user;
+        return this;
+    }
+
     /**
      * Returns the name filter criterion, if set.
      *
@@ -86,6 +110,24 @@ public class GetVms extends Event<List<GetVms.VmData>> {
         return roles;
     }
 
+    /**
+     * Returns the pool filter criterion, if set.
+     *
+     * @return the optional
+     */
+    public Optional<String> fromPool() {
+        return Optional.ofNullable(fromPool);
+    }
+
+    /**
+     * Returns the user filter criterion, if set.
+     *
+     * @return the optional
+     */
+    public Optional<String> toUser() {
+        return Optional.ofNullable(toUser);
+    }
+
     /**
      * Return tuple.
      *
diff --git a/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/VmMonitor.java b/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/VmMonitor.java
index b5268a2..b8ba467 100644
--- a/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/VmMonitor.java
+++ b/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/VmMonitor.java
@@ -18,6 +18,8 @@
 
 package org.jdrupes.vmoperator.manager;
 
+import com.google.gson.JsonObject;
+import io.kubernetes.client.apimachinery.GroupVersionKind;
 import io.kubernetes.client.openapi.ApiException;
 import io.kubernetes.client.openapi.models.V1ObjectMeta;
 import io.kubernetes.client.util.Watch;
@@ -29,6 +31,7 @@ import java.util.Set;
 import java.util.logging.Level;
 import java.util.stream.Collectors;
 import static org.jdrupes.vmoperator.common.Constants.VM_OP_GROUP;
+import static org.jdrupes.vmoperator.common.Constants.VM_OP_KIND_VM;
 import org.jdrupes.vmoperator.common.K8s;
 import org.jdrupes.vmoperator.common.K8sClient;
 import org.jdrupes.vmoperator.common.K8sDynamicStub;
@@ -41,13 +44,15 @@ import org.jdrupes.vmoperator.common.VmDefinitionModel;
 import org.jdrupes.vmoperator.common.VmDefinitionModels;
 import org.jdrupes.vmoperator.common.VmDefinitionStub;
 import static org.jdrupes.vmoperator.manager.Constants.APP_NAME;
-import static org.jdrupes.vmoperator.manager.Constants.VM_OP_KIND_VM;
 import static org.jdrupes.vmoperator.manager.Constants.VM_OP_NAME;
+import org.jdrupes.vmoperator.manager.events.AssignVm;
 import org.jdrupes.vmoperator.manager.events.ChannelManager;
 import org.jdrupes.vmoperator.manager.events.GetVms;
 import org.jdrupes.vmoperator.manager.events.GetVms.VmData;
+import org.jdrupes.vmoperator.manager.events.ModifyVm;
 import org.jdrupes.vmoperator.manager.events.VmChannel;
 import org.jdrupes.vmoperator.manager.events.VmDefChanged;
+import org.jdrupes.vmoperator.util.GsonPtr;
 import org.jgrapes.core.Channel;
 import org.jgrapes.core.Event;
 import org.jgrapes.core.annotation.Handler;
@@ -225,7 +230,60 @@ public class VmMonitor extends
             .filter(c -> event.user().isEmpty() && event.roles().isEmpty()
                 || !c.vmDefinition().permissionsFor(event.user().orElse(null),
                     event.roles()).isEmpty())
+            .filter(c -> event.fromPool().isEmpty()
+                || c.vmDefinition().assignedFrom()
+                    .map(p -> p.equals(event.fromPool().get())).orElse(false))
+            .filter(c -> event.toUser().isEmpty()
+                || c.vmDefinition().assignedTo()
+                    .map(u -> u.equals(event.toUser().get())).orElse(false))
             .map(c -> new VmData(c.vmDefinition(), c))
             .toList());
     }
+
+    /**
+     * Assign a VM if not already assigned.
+     *
+     * @param event the event
+     * @throws ApiException the api exception
+     */
+    @Handler
+    public void onAssignVm(AssignVm event) throws ApiException {
+        // Search for existing assignment.
+        var assignedVm = channelManager.channels().stream()
+            .filter(c -> c.vmDefinition().assignedFrom()
+                .map(p -> p.equals(event.fromPool())).orElse(false))
+            .filter(c -> c.vmDefinition().assignedTo()
+                .map(u -> u.equals(event.toUser())).orElse(false))
+            .findFirst();
+        if (assignedVm.isPresent()) {
+            event.setResult(new VmData(assignedVm.get().vmDefinition(),
+                assignedVm.get()));
+            return;
+        }
+
+        // Find available VM.
+        assignedVm = channelManager.channels().stream()
+            .filter(c -> c.vmDefinition().pools().contains(event.fromPool()))
+            .filter(c -> c.vmDefinition().assignedTo().isEmpty())
+            .findFirst();
+        if (assignedVm.isPresent()) {
+            var vmDef = assignedVm.get().vmDefinition();
+            var vmStub = VmDefinitionStub.get(client(),
+                new GroupVersionKind(VM_OP_GROUP, "", VM_OP_KIND_VM),
+                vmDef.namespace(), vmDef.name());
+            vmStub.updateStatus(from -> {
+                JsonObject status = from.status();
+                var assignment = GsonPtr.to(status).to("assignment");
+                assignment.set("pool", event.fromPool());
+                assignment.set("user", event.toUser());
+                return status;
+            });
+
+            // Always start a newly assigned VM.
+            fire(new ModifyVm(vmDef.name(), "state", "Running",
+                assignedVm.get()));
+            event.setResult(new VmData(vmDef, assignedVm.get()));
+        }
+    }
+
 }
diff --git a/org.jdrupes.vmoperator.vmaccess/src/org/jdrupes/vmoperator/vmaccess/VmAccess.java b/org.jdrupes.vmoperator.vmaccess/src/org/jdrupes/vmoperator/vmaccess/VmAccess.java
index c48488a..d38d379 100644
--- a/org.jdrupes.vmoperator.vmaccess/src/org/jdrupes/vmoperator/vmaccess/VmAccess.java
+++ b/org.jdrupes.vmoperator.vmaccess/src/org/jdrupes/vmoperator/vmaccess/VmAccess.java
@@ -1,6 +1,6 @@
 /*
  * VM-Operator
- * Copyright (C) 2023,2024 Michael N. Lipp
+ * Copyright (C) 2023,2025 Michael N. Lipp
  * 
  * This program is free software: you can redistribute it and/or modify
  * it under the terms of the GNU Affero General Public License as
@@ -51,6 +51,7 @@ import org.jdrupes.vmoperator.common.K8sObserver;
 import org.jdrupes.vmoperator.common.VmDefinition;
 import org.jdrupes.vmoperator.common.VmDefinition.Permission;
 import org.jdrupes.vmoperator.common.VmPool;
+import org.jdrupes.vmoperator.manager.events.AssignVm;
 import org.jdrupes.vmoperator.manager.events.GetDisplayPassword;
 import org.jdrupes.vmoperator.manager.events.GetPools;
 import org.jdrupes.vmoperator.manager.events.GetVms;
@@ -117,6 +118,7 @@ import org.jgrapes.webconsole.base.freemarker.FreeMarkerConlet;
 public class VmAccess extends FreeMarkerConlet<VmAccess.ResourceModel> {
 
     private static final String VM_NAME_PROPERTY = "vmName";
+    private static final String POOL_NAME_PROPERTY = "poolName";
     private static final String RENDERED
         = VmAccess.class.getName() + ".rendered";
     private static final String PENDING
@@ -281,33 +283,56 @@ public class VmAccess extends FreeMarkerConlet<VmAccess.ResourceModel> {
     private void addMissingConlets(ConsoleConfigured event,
             ConsoleConnection connection, final Set<ResourceModel> rendered)
             throws InterruptedException {
-        boolean foundMissing = false;
         var session = connection.session();
-        for (var vmName : appPipeline.fire(new GetVms().accessibleFor(
+
+        // Evaluate missing VMs
+        var missingVms = appPipeline.fire(new GetVms().accessibleFor(
             WebConsoleUtils.userFromSession(session)
                 .map(ConsoleUser::getName).orElse(null),
             WebConsoleUtils.rolesFromSession(session).stream()
                 .map(ConsoleRole::getName).toList()))
-            .get().stream().map(d -> d.definition().name()).toList()) {
-            if (rendered.stream()
-                .anyMatch(r -> r.mode() == ResourceModel.Mode.VM
-                    && r.name().equals(vmName))) {
-                continue;
-            }
-            if (!foundMissing) {
-                // Suspending to allow rendering of conlets to be noticed
-                var failSafe = Components.schedule(t -> event.resumeHandling(),
-                    Duration.ofSeconds(1));
-                event.suspendHandling(failSafe::cancel);
-                connection.setAssociated(PENDING, event);
-                foundMissing = true;
-            }
+            .get().stream().map(d -> d.definition().name())
+            .collect(Collectors.toCollection(HashSet::new));
+        missingVms.removeAll(rendered.stream()
+            .filter(r -> r.mode() == ResourceModel.Mode.VM)
+            .map(ResourceModel::name).toList());
+
+        // Evaluate missing pools
+        var missingPools = appPipeline.fire(new GetPools().accessibleFor(
+            WebConsoleUtils.userFromSession(session)
+                .map(ConsoleUser::getName).orElse(null),
+            WebConsoleUtils.rolesFromSession(session).stream()
+                .map(ConsoleRole::getName).toList()))
+            .get().stream().map(VmPool::name)
+            .collect(Collectors.toCollection(HashSet::new));
+        missingPools.removeAll(rendered.stream()
+            .filter(r -> r.mode() == ResourceModel.Mode.POOL)
+            .map(ResourceModel::name).toList());
+
+        // Nothing to do
+        if (missingVms.isEmpty() && missingPools.isEmpty()) {
+            return;
+        }
+
+        // Suspending to allow rendering of conlets to be noticed
+        var failSafe = Components.schedule(t -> event.resumeHandling(),
+            Duration.ofSeconds(1));
+        event.suspendHandling(failSafe::cancel);
+        connection.setAssociated(PENDING, event);
+
+        // Create conlets for VMs and pools that haven't been rendered
+        for (var vmName : missingVms) {
             fire(new AddConletRequest(event.event().event().renderSupport(),
-                VmAccess.class.getName(),
-                RenderMode.asSet(RenderMode.Preview))
+                VmAccess.class.getName(), RenderMode.asSet(RenderMode.Preview))
                     .addProperty(VM_NAME_PROPERTY, vmName),
                 connection);
         }
+        for (var poolName : missingPools) {
+            fire(new AddConletRequest(event.event().event().renderSupport(),
+                VmAccess.class.getName(), RenderMode.asSet(RenderMode.Preview))
+                    .addProperty(POOL_NAME_PROPERTY, poolName),
+                connection);
+        }
     }
 
     /**
@@ -334,9 +359,14 @@ public class VmAccess extends FreeMarkerConlet<VmAccess.ResourceModel> {
     protected Optional<ResourceModel> createNewState(AddConletRequest event,
             ConsoleConnection connection, String conletId) throws Exception {
         var model = new ResourceModel(conletId);
-        model.setMode(ResourceModel.Mode.VM);
-        model
-            .setName((String) event.properties().get(VM_NAME_PROPERTY));
+        var poolName = (String) event.properties().get(POOL_NAME_PROPERTY);
+        if (poolName != null) {
+            model.setMode(ResourceModel.Mode.POOL);
+            model.setName(poolName);
+        } else {
+            model.setMode(ResourceModel.Mode.VM);
+            model.setName((String) event.properties().get(VM_NAME_PROPERTY));
+        }
         String jsonState = objectMapper.writeValueAsString(model);
         connection.respond(new KeyValueStoreUpdate().update(
             storagePath(connection.session(), model.getConletId()), jsonState));
@@ -428,18 +458,13 @@ public class VmAccess extends FreeMarkerConlet<VmAccess.ResourceModel> {
                 channel.setAssociated(PENDING, null);
             });
 
-        var session = channel.session();
+        VmDefinition vmDef = null;
         if (model.mode() == ResourceModel.Mode.VM && model.name() != null) {
             // Remove conlet if VM definition has been removed
             // or user has not at least one permission
-            Optional<VmData> vmData = appPipeline.fire(new GetVms()
-                .withName(model.name()).accessibleFor(
-                    WebConsoleUtils.userFromSession(session)
-                        .map(ConsoleUser::getName).orElse(null),
-                    WebConsoleUtils.rolesFromSession(session).stream()
-                        .map(ConsoleRole::getName).toList()))
-                .get().stream().findFirst();
-            if (vmData.isEmpty()) {
+            vmDef = getVmData(model, channel).map(VmData::definition)
+                .orElse(null);
+            if (vmDef == null) {
                 channel.respond(
                     new DeleteConlet(conletId, Collections.emptySet()));
                 return Collections.emptySet();
@@ -453,11 +478,13 @@ public class VmAccess extends FreeMarkerConlet<VmAccess.ResourceModel> {
                 .fire(new GetPools().withName(model.name())).get()
                 .stream().findFirst().orElse(null);
             if (pool == null
-                || poolPermissions(pool, channel.session()).isEmpty()) {
+                || permissions(pool, channel.session()).isEmpty()) {
                 channel.respond(
                     new DeleteConlet(conletId, Collections.emptySet()));
                 return Collections.emptySet();
             }
+            vmDef = getVmData(model, channel).map(VmData::definition)
+                .orElse(null);
         }
 
         // Render
@@ -474,13 +501,32 @@ public class VmAccess extends FreeMarkerConlet<VmAccess.ResourceModel> {
         if (!Strings.isNullOrEmpty(model.name())) {
             Optional.ofNullable(channel.session().get(RENDERED))
                 .ifPresent(s -> ((Set<ResourceModel>) s).add(model));
-            updateConfig(channel, model);
+            updatePreview(channel, model, vmDef);
         }
         return EnumSet.of(RenderMode.Preview);
     }
 
-    private Set<Permission> vmPermissions(VmDefinition vmDef,
-            Session session) {
+    private Optional<VmData> getVmData(ResourceModel model,
+            ConsoleConnection channel) throws InterruptedException {
+        if (model.mode() == ResourceModel.Mode.VM) {
+            // Get the VM data by name.
+            var session = channel.session();
+            return appPipeline.fire(new GetVms().withName(model.name())
+                .accessibleFor(WebConsoleUtils.userFromSession(session)
+                    .map(ConsoleUser::getName).orElse(null),
+                    WebConsoleUtils.rolesFromSession(session).stream()
+                        .map(ConsoleRole::getName).toList()))
+                .get().stream().findFirst();
+        }
+
+        // Look for an (already) assigned VM
+        var user = WebConsoleUtils.userFromSession(channel.session())
+            .map(ConsoleUser::getName).orElse(null);
+        return appPipeline.fire(new GetVms().assignedFrom(model.name())
+            .assignedTo(user)).get().stream().findFirst();
+    }
+
+    private Set<Permission> permissions(VmDefinition vmDef, Session session) {
         var user = WebConsoleUtils.userFromSession(session)
             .map(ConsoleUser::getName).orElse(null);
         var roles = WebConsoleUtils.rolesFromSession(session)
@@ -488,8 +534,7 @@ public class VmAccess extends FreeMarkerConlet<VmAccess.ResourceModel> {
         return vmDef.permissionsFor(user, roles);
     }
 
-    private Set<Permission> poolPermissions(VmPool pool,
-            Session session) {
+    private Set<Permission> permissions(VmPool pool, Session session) {
         var user = WebConsoleUtils.userFromSession(session)
             .map(ConsoleUser::getName).orElse(null);
         var roles = WebConsoleUtils.rolesFromSession(session)
@@ -497,36 +542,60 @@ public class VmAccess extends FreeMarkerConlet<VmAccess.ResourceModel> {
         return pool.permissionsFor(user, roles);
     }
 
-    private void updateConfig(ConsoleConnection channel, ResourceModel model)
-            throws InterruptedException {
-        channel.respond(new NotifyConletView(type(),
-            model.getConletId(), "updateConfig", model.mode(), model.name()));
-        updateVmDef(channel, model);
+    private Set<Permission> permissions(ResourceModel model, Session session,
+            VmPool pool, VmDefinition vmDef) throws InterruptedException {
+        var user = WebConsoleUtils.userFromSession(session)
+            .map(ConsoleUser::getName).orElse(null);
+        var roles = WebConsoleUtils.rolesFromSession(session)
+            .stream().map(ConsoleRole::getName).toList();
+        Set<Permission> result = new HashSet<>();
+        if (model.mode() == ResourceModel.Mode.POOL) {
+            if (pool == null) {
+                pool = appPipeline.fire(new GetPools()
+                    .withName(model.name())).get().stream().findFirst()
+                    .orElse(null);
+            }
+            if (pool != null) {
+                result.addAll(pool.permissionsFor(user, roles));
+            }
+        }
+        if (vmDef != null) {
+            result.addAll(vmDef.permissionsFor(user, roles));
+        }
+        return result;
     }
 
-    private void updateVmDef(ConsoleConnection channel, ResourceModel model)
-            throws InterruptedException {
-        if (Strings.isNullOrEmpty(model.name())) {
-            return;
+    private void updatePreview(ConsoleConnection channel, ResourceModel model,
+            VmDefinition vmDef) throws InterruptedException {
+        channel.respond(new NotifyConletView(type(),
+            model.getConletId(), "updateConfig", model.mode(), model.name()));
+        updateVmDef(channel, model, vmDef);
+    }
+
+    private void updateVmDef(ConsoleConnection channel, ResourceModel model,
+            VmDefinition vmDef) throws InterruptedException {
+        Map<String, Object> data = null;
+        if (vmDef != null) {
+            model.setAssignedVm(vmDef.name());
+            try {
+                data = Map.of("metadata",
+                    Map.of("namespace", vmDef.namespace(),
+                        "name", vmDef.name()),
+                    "spec", vmDef.spec(),
+                    "status", vmDef.getStatus(),
+                    "userPermissions",
+                    permissions(model, channel.session(), null, vmDef).stream()
+                        .map(VmDefinition.Permission::toString).toList());
+            } catch (JsonSyntaxException e) {
+                logger.log(Level.SEVERE, e,
+                    () -> "Failed to serialize VM definition");
+                return;
+            }
+        } else {
+            model.setAssignedVm(null);
         }
-        appPipeline.fire(new GetVms().withName(model.name())).get().stream()
-            .findFirst().map(d -> d.definition()).ifPresent(vmDef -> {
-                try {
-                    var data = Map.of("metadata",
-                        Map.of("namespace", vmDef.namespace(),
-                            "name", vmDef.name()),
-                        "spec", vmDef.spec(),
-                        "status", vmDef.getStatus(),
-                        "userPermissions",
-                        vmPermissions(vmDef, channel.session()).stream()
-                            .map(VmDefinition.Permission::toString).toList());
-                    channel.respond(new NotifyConletView(type(),
-                        model.getConletId(), "updateVmDefinition", data));
-                } catch (JsonSyntaxException e) {
-                    logger.log(Level.SEVERE, e,
-                        () -> "Failed to serialize VM definition");
-                }
-            });
+        channel.respond(new NotifyConletView(type(),
+            model.getConletId(), "updateVmDefinition", data));
     }
 
     @Override
@@ -541,7 +610,7 @@ public class VmAccess extends FreeMarkerConlet<VmAccess.ResourceModel> {
     }
 
     /**
-     * Track the VM definitions.
+     * Track the VM definitions and update conlets.
      *
      * @param event the event
      * @param channel the channel
@@ -562,17 +631,43 @@ public class VmAccess extends FreeMarkerConlet<VmAccess.ResourceModel> {
             for (var conletId : entry.getValue()) {
                 var model = stateFromSession(connection.session(), conletId);
                 if (model.isEmpty()
-                    || model.get().mode() != ResourceModel.Mode.VM
-                    || !Objects.areEqual(model.get().name(), vmDef.name())) {
+                    || Strings.isNullOrEmpty(model.get().name())) {
                     continue;
                 }
-                if (event.type() == K8sObserver.ResponseType.DELETED
-                    || vmPermissions(vmDef, connection.session()).isEmpty()) {
-                    connection.respond(
-                        new DeleteConlet(conletId, Collections.emptySet()));
+                if (model.get().mode() == ResourceModel.Mode.VM) {
+                    // Check if this VM is used by conlet
+                    if (!Objects.areEqual(model.get().name(), vmDef.name())) {
+                        continue;
+                    }
+                    if (event.type() == K8sObserver.ResponseType.DELETED
+                        || permissions(vmDef, connection.session()).isEmpty()) {
+                        connection.respond(
+                            new DeleteConlet(conletId, Collections.emptySet()));
+                        continue;
+                    }
                 } else {
-                    updateVmDef(connection, model.get());
+                    // Check if VM is used by pool conlet or to be assigned to
+                    // it
+                    var user
+                        = WebConsoleUtils.userFromSession(connection.session())
+                            .map(ConsoleUser::getName).orElse(null);
+                    var toBeUsedByConlet = vmDef.assignedFrom()
+                        .map(p -> p.equals(model.get().name())).orElse(false)
+                        && vmDef.assignedTo().map(u -> u.equals(user))
+                            .orElse(false);
+                    if (!Objects.areEqual(model.get().assignedVm(),
+                        vmDef.name()) && !toBeUsedByConlet) {
+                        continue;
+                    }
+
+                    // Now unassigned if VM is deleted or no longer to be used
+                    if (event.type() == K8sObserver.ResponseType.DELETED
+                        || !toBeUsedByConlet) {
+                        updateVmDef(connection, model.get(), null);
+                        continue;
+                    }
                 }
+                updateVmDef(connection, model.get(), vmDef);
             }
         }
     }
@@ -598,7 +693,7 @@ public class VmAccess extends FreeMarkerConlet<VmAccess.ResourceModel> {
                     continue;
                 }
                 if (event.deleted()
-                    || poolPermissions(event.vmPool(), connection.session())
+                    || permissions(event.vmPool(), connection.session())
                         .isEmpty()) {
                     connection.respond(
                         new DeleteConlet(conletId, Collections.emptySet()));
@@ -612,24 +707,36 @@ public class VmAccess extends FreeMarkerConlet<VmAccess.ResourceModel> {
         "PMD.ConfusingArgumentToVarargsMethod", "PMD.NcssCount",
         "PMD.AvoidLiteralsInIfCondition" })
     protected void doUpdateConletState(NotifyConletModel event,
-            ConsoleConnection channel, ResourceModel model)
-            throws Exception {
+            ConsoleConnection channel, ResourceModel model) throws Exception {
         event.stop();
         if ("selectedResource".equals(event.method())) {
             selectResource(event, channel, model);
             return;
         }
 
-        // Handle command for selected VM
-        var vmData = appPipeline.fire(new GetVms().withName(model.name())).get()
-            .stream().findFirst();
+        Optional<VmData> vmData = getVmData(model, channel);
         if (vmData.isEmpty()) {
-            return;
+            if (model.mode() == ResourceModel.Mode.VM) {
+                return;
+            }
+            if ("start".equals(event.method())) {
+                // Assign a VM.
+                var user = WebConsoleUtils.userFromSession(channel.session())
+                    .map(ConsoleUser::getName).orElse(null);
+                vmData = Optional.ofNullable(appPipeline
+                    .fire(new AssignVm(model.name(), user)).get());
+                if (vmData.isEmpty()) {
+                    // TODO message
+                    return;
+                }
+            }
         }
+
+        // Handle command for selected VM
         var vmChannel = vmData.get().channel();
         var vmDef = vmData.get().definition();
         var vmName = vmDef.metadata().getName();
-        var perms = vmPermissions(vmDef, channel.session());
+        var perms = permissions(model, channel.session(), null, vmDef);
         var resourceBundle = resourceBundle(channel.locale());
         switch (event.method()) {
         case "start":
@@ -658,7 +765,7 @@ public class VmAccess extends FreeMarkerConlet<VmAccess.ResourceModel> {
                     .map(ConsoleUser::getName).orElse("");
                 var pwQuery
                     = Event.onCompletion(new GetDisplayPassword(vmDef, user),
-                        e -> openConsole(vmName, channel, model,
+                        e -> openConsole(vmDef, channel, model,
                             e.password().orElse(null)));
                 fire(pwQuery, vmChannel);
             }
@@ -680,33 +787,29 @@ public class VmAccess extends FreeMarkerConlet<VmAccess.ResourceModel> {
             String jsonState = objectMapper.writeValueAsString(model);
             channel.respond(new KeyValueStoreUpdate().update(storagePath(
                 channel.session(), model.getConletId()), jsonState));
-            updateConfig(channel, model);
+            updatePreview(channel, model,
+                getVmData(model, channel).map(VmData::definition).orElse(null));
         } catch (IllegalArgumentException e) {
             logger.warning(() -> "Invalid resource type: " + e.getMessage());
         }
     }
 
-    private void openConsole(String vmName, ConsoleConnection connection,
+    private void openConsole(VmDefinition vmDef, ConsoleConnection connection,
             ResourceModel model, String password) {
-        VmDefinition vmDef;
-        try {
-            vmDef = appPipeline.fire(new GetVms().withName(model.name())).get()
-                .stream().findFirst().map(VmData::definition).orElse(null);
-        } catch (InterruptedException e) {
-            return;
-        }
         if (vmDef == null) {
             return;
         }
         var addr = displayIp(vmDef);
         if (addr.isEmpty()) {
-            logger.severe(() -> "Failed to find display IP for " + vmName);
+            logger
+                .severe(() -> "Failed to find display IP for " + vmDef.name());
             return;
         }
         var port = vmDef.<Number> fromVm("display", "spice", "port")
             .map(Number::longValue);
         if (port.isEmpty()) {
-            logger.severe(() -> "No port defined for display of " + vmName);
+            logger
+                .severe(() -> "No port defined for display of " + vmDef.name());
             return;
         }
         StringBuffer data = new StringBuffer(100)
@@ -799,6 +902,7 @@ public class VmAccess extends FreeMarkerConlet<VmAccess.ResourceModel> {
 
         private Mode mode;
         private String name;
+        private String assignedVm;
 
         /**
          * Instantiates a new resource model.
@@ -809,6 +913,25 @@ public class VmAccess extends FreeMarkerConlet<VmAccess.ResourceModel> {
             super(conletId);
         }
 
+        /**
+         * Returns the mode.
+         *
+         * @return the resourceType
+         */
+        @JsonGetter("mode")
+        public Mode mode() {
+            return mode;
+        }
+
+        /**
+         * Sets the mode.
+         *
+         * @param mode the resource mode to set
+         */
+        public void setMode(Mode mode) {
+            this.mode = mode;
+        }
+
         /**
          * Gets the resource name.
          *
@@ -829,29 +952,29 @@ public class VmAccess extends FreeMarkerConlet<VmAccess.ResourceModel> {
         }
 
         /**
-         * Returns the mode.
+         * Gets the assigned vm.
          *
-         * @return the resourceType
+         * @return the string
          */
-        @JsonGetter("mode")
-        public Mode mode() {
-            return mode;
+        @JsonGetter("assignedVm")
+        public String assignedVm() {
+            return assignedVm;
         }
 
         /**
-         * Sets the mode.
+         * Sets the assigned vm.
          *
-         * @param mode the resource mode to set
+         * @param name the assigned vm
          */
-        public void setMode(Mode mode) {
-            this.mode = mode;
+        public void setAssignedVm(String name) {
+            this.assignedVm = name;
         }
 
         @Override
         public int hashCode() {
             final int prime = 31;
             int result = super.hashCode();
-            result = prime * result + java.util.Objects.hash(name, mode);
+            result = prime * result + java.util.Objects.hash(mode, name);
             return result;
         }
 
@@ -867,8 +990,8 @@ public class VmAccess extends FreeMarkerConlet<VmAccess.ResourceModel> {
                 return false;
             }
             ResourceModel other = (ResourceModel) obj;
-            return java.util.Objects.equals(name, other.name)
-                && mode == other.mode;
+            return mode == other.mode
+                && java.util.Objects.equals(name, other.name);
         }
 
         @Override
@@ -878,6 +1001,5 @@ public class VmAccess extends FreeMarkerConlet<VmAccess.ResourceModel> {
                 .append(", name=").append(name).append(']');
             return builder.toString();
         }
-
     }
 }
diff --git a/org.jdrupes.vmoperator.vmaccess/src/org/jdrupes/vmoperator/vmaccess/browser/VmAccess-functions.ts b/org.jdrupes.vmoperator.vmaccess/src/org/jdrupes/vmoperator/vmaccess/browser/VmAccess-functions.ts
index c5f3da0..f00d876 100644
--- a/org.jdrupes.vmoperator.vmaccess/src/org/jdrupes/vmoperator/vmaccess/browser/VmAccess-functions.ts
+++ b/org.jdrupes.vmoperator.vmaccess/src/org/jdrupes/vmoperator/vmaccess/browser/VmAccess-functions.ts
@@ -44,7 +44,7 @@ interface Api {
     /* eslint-disable @typescript-eslint/no-explicit-any */
     vmName: string;
     vmDefinition: any;
-    poolName: string;
+    poolName: string | null;
 }
 
 const localize = (key: string) => {
@@ -64,12 +64,21 @@ window.orgJDrupesVmOperatorVmAccess.initPreview = (previewDom: HTMLElement,
             const previewApi: Api = reactive({
                 vmName: "",
                 vmDefinition: {},
-                poolName: ""
+                poolName: null
             });
+            const poolName = computed(() => previewApi.poolName);
+            const vmName = computed(() => previewApi.vmDefinition.name);
             const configured = computed(() => previewApi.vmDefinition.spec);
-            const startable = computed(() => previewApi.vmDefinition.spec &&
-                previewApi.vmDefinition.spec.vm.state !== 'Running' 
-                && !previewApi.vmDefinition.running);
+            const busy = computed(() => previewApi.vmDefinition.spec
+                && (previewApi.vmDefinition.spec.vm.state === 'Running'
+                        && !previewApi.vmDefinition.running
+                    || previewApi.vmDefinition.spec.vm.state === 'Stopped' 
+                        && previewApi.vmDefinition.running));
+            const startable = computed(() => previewApi.vmDefinition.spec
+                && previewApi.vmDefinition.spec.vm.state !== 'Running' 
+                && !previewApi.vmDefinition.running
+                && previewApi.vmDefinition.userPermissions.includes('start')
+                || previewApi.poolName !== null && !previewApi.vmDefinition.name);
             const stoppable = computed(() => previewApi.vmDefinition.spec &&
                 previewApi.vmDefinition.spec.vm.state !== 'Stopped' 
                 && previewApi.vmDefinition.running);
@@ -79,10 +88,8 @@ window.orgJDrupesVmOperatorVmAccess.initPreview = (previewDom: HTMLElement,
                 ? previewApi.vmDefinition.userPermissions : []);
 
             watch(previewApi, (api: Api) => {
-                const name = api.vmName || api.poolName;
-                if (name !== "") {
-                    JGConsole.instance.updateConletTitle(conletId, name);
-                }
+                JGConsole.instance.updateConletTitle(conletId, 
+                    api.poolName || api.vmDefinition.name || "");
             });
         
             provideApi(previewDom, previewApi);
@@ -91,16 +98,16 @@ window.orgJDrupesVmOperatorVmAccess.initPreview = (previewDom: HTMLElement,
                 JGConsole.notifyConletModel(conletId, action);
             };
         
-            return { localize, resourceBase, vmAction, configured,
-                        startable, stoppable, running, inUse, permissions };
+            return { localize, resourceBase, vmAction, poolName, vmName, 
+                configured, busy, startable, stoppable, running, inUse,
+                permissions };
         },
         template: `
           <table>
             <tbody>
               <tr>
                 <td rowspan="2" style="position: relative"><span
-                  style="position: absolute;" 
-                  :class="{ busy: configured && !startable && !stoppable }"
+                  style="position: absolute;" :class="{ busy: busy }"
                   ><img role=button :aria-disabled="!running
                       || !permissions.includes('accessConsole')" 
                   v-on:click="vmAction('openConsole')"
@@ -110,9 +117,12 @@ window.orgJDrupesVmOperatorVmAccess.initPreview = (previewDom: HTMLElement,
                   :title="localize('Open console')"></span><span
                   style="visibility: hidden;"><img
                   :src="resourceBase + 'computer.svg'"></span></td>
+                <td v-if="!poolName" style="padding: 0;"></td>
+                <td v-else>{{ vmName }}</td>
+              </tr>
+              <tr>
                 <td class="jdrupes-vmoperator-vmaccess-preview-action-list">
-                  <span role="button" 
-                    :aria-disabled="!startable || !permissions.includes('start')" 
+                  <span role="button" :aria-disabled="!startable" 
                     tabindex="0" class="fa fa-play" :title="localize('Start VM')"
                     v-on:click="vmAction('start')"></span>
                   <span role="button"
@@ -130,9 +140,6 @@ window.orgJDrupesVmOperatorVmAccess.initPreview = (previewDom: HTMLElement,
                   </span>
                 </td>
               </tr>
-              <tr>
-                <td></td>
-              </tr>
             </tbody>
           </table>`
     });
@@ -160,25 +167,29 @@ JGConsole.registerConletFunction("org.jdrupes.vmoperator.vmaccess.VmAccess",
     });
 
 JGConsole.registerConletFunction("org.jdrupes.vmoperator.vmaccess.VmAccess",
-    "updateVmDefinition", function(conletId: string, vmDefinition: any) {
+    "updateVmDefinition", function(conletId: string, vmDefinition: any | null) {
         const conlet = JGConsole.findConletPreview(conletId);
         if (!conlet) {
             return;
         }
         const api = getApi<Api>(conlet.element().querySelector(
             ":scope .jdrupes-vmoperator-vmaccess-preview"))!;
-        // Add some short-cuts for rendering
-        vmDefinition.name = vmDefinition.metadata.name;
-        vmDefinition.currentCpus = vmDefinition.status.cpus;
-        vmDefinition.currentRam = Number(vmDefinition.status.ram);
-        vmDefinition.usedBy = vmDefinition.status.consoleClient || "";
-        for (const condition of vmDefinition.status.conditions) {
-            if (condition.type === "Running") {
-                vmDefinition.running = condition.status === "True";
-                vmDefinition.runningConditionSince 
-                    = new Date(condition.lastTransitionTime);
-                break;
+        if (vmDefinition) {
+            // Add some short-cuts for rendering
+            vmDefinition.name = vmDefinition.metadata.name;
+            vmDefinition.currentCpus = vmDefinition.status.cpus;
+            vmDefinition.currentRam = Number(vmDefinition.status.ram);
+            vmDefinition.usedBy = vmDefinition.status.consoleClient || "";
+            for (const condition of vmDefinition.status.conditions) {
+                if (condition.type === "Running") {
+                    vmDefinition.running = condition.status === "True";
+                    vmDefinition.runningConditionSince 
+                        = new Date(condition.lastTransitionTime);
+                    break;
+                }
             }
+        } else {
+            vmDefinition = {};
         }
         api.vmDefinition = vmDefinition;
     });
diff --git a/org.jdrupes.vmoperator.vmaccess/src/org/jdrupes/vmoperator/vmaccess/browser/VmAccess-style.scss b/org.jdrupes.vmoperator.vmaccess/src/org/jdrupes/vmoperator/vmaccess/browser/VmAccess-style.scss
index cf0fb56..86b4014 100644
--- a/org.jdrupes.vmoperator.vmaccess/src/org/jdrupes/vmoperator/vmaccess/browser/VmAccess-style.scss
+++ b/org.jdrupes.vmoperator.vmaccess/src/org/jdrupes/vmoperator/vmaccess/browser/VmAccess-style.scss
@@ -49,7 +49,12 @@
 
 .jdrupes-vmoperator-vmaccess.jdrupes-vmoperator-vmaccess-preview {
   
+  table {
+    border-spacing: 0;
+  }
+    
   img {
+    display: block;
     height: 3em;
     padding: 0.25rem;
     

From 1cb90b0c94de5a2b9abc766cf303c3e64105c2db Mon Sep 17 00:00:00 2001
From: "Michael N. Lipp" <mnl@mnl.de>
Date: Thu, 23 Jan 2025 15:25:16 +0100
Subject: [PATCH 065/274] Update GUI on pool permission changes.

---
 .../jdrupes/vmoperator/vmaccess/VmAccess.java | 33 +++++++++++++------
 .../vmaccess/browser/VmAccess-functions.ts    | 13 +++++---
 2 files changed, 31 insertions(+), 15 deletions(-)

diff --git a/org.jdrupes.vmoperator.vmaccess/src/org/jdrupes/vmoperator/vmaccess/VmAccess.java b/org.jdrupes.vmoperator.vmaccess/src/org/jdrupes/vmoperator/vmaccess/VmAccess.java
index d38d379..4ac3397 100644
--- a/org.jdrupes.vmoperator.vmaccess/src/org/jdrupes/vmoperator/vmaccess/VmAccess.java
+++ b/org.jdrupes.vmoperator.vmaccess/src/org/jdrupes/vmoperator/vmaccess/VmAccess.java
@@ -559,6 +559,11 @@ public class VmAccess extends FreeMarkerConlet<VmAccess.ResourceModel> {
                 result.addAll(pool.permissionsFor(user, roles));
             }
         }
+        if (vmDef == null) {
+            vmDef = appPipeline.fire(new GetVms().assignedFrom(model.name())
+                .assignedTo(user)).get().stream().map(VmData::definition)
+                .findFirst().orElse(null);
+        }
         if (vmDef != null) {
             result.addAll(vmDef.permissionsFor(user, roles));
         }
@@ -567,32 +572,36 @@ public class VmAccess extends FreeMarkerConlet<VmAccess.ResourceModel> {
 
     private void updatePreview(ConsoleConnection channel, ResourceModel model,
             VmDefinition vmDef) throws InterruptedException {
-        channel.respond(new NotifyConletView(type(),
-            model.getConletId(), "updateConfig", model.mode(), model.name()));
+        updateConfig(channel, model, vmDef);
         updateVmDef(channel, model, vmDef);
     }
 
+    private void updateConfig(ConsoleConnection channel, ResourceModel model,
+            VmDefinition vmDef) throws InterruptedException {
+        channel.respond(new NotifyConletView(type(),
+            model.getConletId(), "updateConfig", model.mode(), model.name(),
+            permissions(model, channel.session(), null, vmDef).stream()
+                .map(VmDefinition.Permission::toString).toList()));
+    }
+
     private void updateVmDef(ConsoleConnection channel, ResourceModel model,
             VmDefinition vmDef) throws InterruptedException {
         Map<String, Object> data = null;
-        if (vmDef != null) {
+        if (vmDef == null) {
+            model.setAssignedVm(null);
+        } else {
             model.setAssignedVm(vmDef.name());
             try {
                 data = Map.of("metadata",
                     Map.of("namespace", vmDef.namespace(),
                         "name", vmDef.name()),
                     "spec", vmDef.spec(),
-                    "status", vmDef.getStatus(),
-                    "userPermissions",
-                    permissions(model, channel.session(), null, vmDef).stream()
-                        .map(VmDefinition.Permission::toString).toList());
+                    "status", vmDef.getStatus());
             } catch (JsonSyntaxException e) {
                 logger.log(Level.SEVERE, e,
                     () -> "Failed to serialize VM definition");
                 return;
             }
-        } else {
-            model.setAssignedVm(null);
         }
         channel.respond(new NotifyConletView(type(),
             model.getConletId(), "updateVmDefinition", data));
@@ -677,10 +686,12 @@ public class VmAccess extends FreeMarkerConlet<VmAccess.ResourceModel> {
      *
      * @param event the event
      * @param channel the channel
+     * @throws InterruptedException 
      */
     @Handler(namedChannels = "manager")
     @SuppressWarnings("PMD.AvoidInstantiatingObjectsInLoops")
-    public void onVmPoolChanged(VmPoolChanged event) {
+    public void onVmPoolChanged(VmPoolChanged event)
+            throws InterruptedException {
         var poolName = event.vmPool().name();
         // Update known conlets
         for (var entry : conletIdsByConsoleConnection().entrySet()) {
@@ -697,7 +708,9 @@ public class VmAccess extends FreeMarkerConlet<VmAccess.ResourceModel> {
                         .isEmpty()) {
                     connection.respond(
                         new DeleteConlet(conletId, Collections.emptySet()));
+                    continue;
                 }
+                updateConfig(connection, model.get(), null);
             }
         }
     }
diff --git a/org.jdrupes.vmoperator.vmaccess/src/org/jdrupes/vmoperator/vmaccess/browser/VmAccess-functions.ts b/org.jdrupes.vmoperator.vmaccess/src/org/jdrupes/vmoperator/vmaccess/browser/VmAccess-functions.ts
index f00d876..de65216 100644
--- a/org.jdrupes.vmoperator.vmaccess/src/org/jdrupes/vmoperator/vmaccess/browser/VmAccess-functions.ts
+++ b/org.jdrupes.vmoperator.vmaccess/src/org/jdrupes/vmoperator/vmaccess/browser/VmAccess-functions.ts
@@ -45,6 +45,7 @@ interface Api {
     vmName: string;
     vmDefinition: any;
     poolName: string | null;
+    permissions: string[];
 }
 
 const localize = (key: string) => {
@@ -64,7 +65,8 @@ window.orgJDrupesVmOperatorVmAccess.initPreview = (previewDom: HTMLElement,
             const previewApi: Api = reactive({
                 vmName: "",
                 vmDefinition: {},
-                poolName: null
+                poolName: null,
+                permissions: []
             });
             const poolName = computed(() => previewApi.poolName);
             const vmName = computed(() => previewApi.vmDefinition.name);
@@ -77,15 +79,14 @@ window.orgJDrupesVmOperatorVmAccess.initPreview = (previewDom: HTMLElement,
             const startable = computed(() => previewApi.vmDefinition.spec
                 && previewApi.vmDefinition.spec.vm.state !== 'Running' 
                 && !previewApi.vmDefinition.running
-                && previewApi.vmDefinition.userPermissions.includes('start')
+                && previewApi.permissions.includes('start')
                 || previewApi.poolName !== null && !previewApi.vmDefinition.name);
             const stoppable = computed(() => previewApi.vmDefinition.spec &&
                 previewApi.vmDefinition.spec.vm.state !== 'Stopped' 
                 && previewApi.vmDefinition.running);
             const running = computed(() => previewApi.vmDefinition.running);
             const inUse = computed(() => previewApi.vmDefinition.usedBy != '');
-            const permissions = computed(() => previewApi.vmDefinition.spec
-                ? previewApi.vmDefinition.userPermissions : []);
+            const permissions = computed(() => previewApi.permissions);
 
             watch(previewApi, (api: Api) => {
                 JGConsole.instance.updateConletTitle(conletId, 
@@ -150,7 +151,8 @@ window.orgJDrupesVmOperatorVmAccess.initPreview = (previewDom: HTMLElement,
 
 JGConsole.registerConletFunction("org.jdrupes.vmoperator.vmaccess.VmAccess",
     "updateConfig",
-    function(conletId: string, type: string, resource: string) {
+    function(conletId: string, type: string, resource: string,
+        permissions: []) {
         const conlet = JGConsole.findConletPreview(conletId);
         if (!conlet) {
             return;
@@ -164,6 +166,7 @@ JGConsole.registerConletFunction("org.jdrupes.vmoperator.vmaccess.VmAccess",
             api.poolName = resource;
             api.vmName = "";
         }
+        api.permissions = permissions;
     });
 
 JGConsole.registerConletFunction("org.jdrupes.vmoperator.vmaccess.VmAccess",

From 8799bcc8f244e1d121e5c69f5c54636705f6b0f9 Mon Sep 17 00:00:00 2001
From: "Michael N. Lipp" <mnl@mnl.de>
Date: Thu, 23 Jan 2025 15:33:01 +0100
Subject: [PATCH 066/274] Update permissions on VM change.

---
 dev-example/test-pool.yaml                                    | 2 --
 .../src/org/jdrupes/vmoperator/vmaccess/VmAccess.java         | 4 +++-
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/dev-example/test-pool.yaml b/dev-example/test-pool.yaml
index 2ff8d06..43c36b8 100644
--- a/dev-example/test-pool.yaml
+++ b/dev-example/test-pool.yaml
@@ -11,5 +11,3 @@ spec:
   - user: test
     may:
     - accessConsole
-    - start
-    - stop
diff --git a/org.jdrupes.vmoperator.vmaccess/src/org/jdrupes/vmoperator/vmaccess/VmAccess.java b/org.jdrupes.vmoperator.vmaccess/src/org/jdrupes/vmoperator/vmaccess/VmAccess.java
index 4ac3397..e6d4e58 100644
--- a/org.jdrupes.vmoperator.vmaccess/src/org/jdrupes/vmoperator/vmaccess/VmAccess.java
+++ b/org.jdrupes.vmoperator.vmaccess/src/org/jdrupes/vmoperator/vmaccess/VmAccess.java
@@ -676,7 +676,9 @@ public class VmAccess extends FreeMarkerConlet<VmAccess.ResourceModel> {
                         continue;
                     }
                 }
-                updateVmDef(connection, model.get(), vmDef);
+
+                // Full update because permissions may have changed
+                updatePreview(connection, model.get(), vmDef);
             }
         }
     }

From ba18e1f0d0ec5fe6467e093d3b0a83e98a011212 Mon Sep 17 00:00:00 2001
From: "Michael N. Lipp" <mnl@mnl.de>
Date: Thu, 23 Jan 2025 17:35:46 +0100
Subject: [PATCH 067/274] Add assigned to.

---
 .../resources/org/jdrupes/vmoperator/vmmgmt/l10n.properties  | 3 ++-
 .../org/jdrupes/vmoperator/vmmgmt/l10n_de.properties         | 5 +++--
 .../jdrupes/vmoperator/vmmgmt/browser/VmMgmt-functions.ts    | 2 ++
 3 files changed, 7 insertions(+), 3 deletions(-)

diff --git a/org.jdrupes.vmoperator.vmmgmt/resources/org/jdrupes/vmoperator/vmmgmt/l10n.properties b/org.jdrupes.vmoperator.vmmgmt/resources/org/jdrupes/vmoperator/vmmgmt/l10n.properties
index 88f1403..51ca610 100644
--- a/org.jdrupes.vmoperator.vmmgmt/resources/org/jdrupes/vmoperator/vmmgmt/l10n.properties
+++ b/org.jdrupes.vmoperator.vmmgmt/resources/org/jdrupes/vmoperator/vmmgmt/l10n.properties
@@ -2,7 +2,7 @@ conletName = VM Management
 
 VMsSummary = VMs (running/total)
 
-since = Since
+assignedTo = Assigned to
 currentCpus = Current CPUs
 currentRam = Current RAM
 maximumCpus = Maximum CPUs
@@ -11,6 +11,7 @@ nodeName = Node
 requestedCpus = Requested CPUs
 requestedRam = Requested RAM
 running = Running
+since = Since
 usedBy = Used by
 usedFrom = Used from
 vmActions = Actions
diff --git a/org.jdrupes.vmoperator.vmmgmt/resources/org/jdrupes/vmoperator/vmmgmt/l10n_de.properties b/org.jdrupes.vmoperator.vmmgmt/resources/org/jdrupes/vmoperator/vmmgmt/l10n_de.properties
index 80e36d2..3e67928 100644
--- a/org.jdrupes.vmoperator.vmmgmt/resources/org/jdrupes/vmoperator/vmmgmt/l10n_de.properties
+++ b/org.jdrupes.vmoperator.vmmgmt/resources/org/jdrupes/vmoperator/vmmgmt/l10n_de.properties
@@ -6,8 +6,7 @@ Period = Zeitraum
 Last\ hour = Letzte Stunde
 Last\ day = Letzter Tag
 
-running = Gestartet
-since = Seit
+assignedTo = Zugewiesen an
 currentCpus = Aktuelle CPUs
 currentRam = Akuelles RAM
 maximumCpus = Maximale CPUs
@@ -15,6 +14,8 @@ maximumRam = Maximales RAM
 nodeName = Knoten
 requestedCpus = Angeforderte CPUs
 requestedRam = Angefordertes RAM
+running = Gestartet
+since = Seit
 usedBy = Benutzt durch
 usedFrom = Benutzt von
 vmActions = Aktionen
diff --git a/org.jdrupes.vmoperator.vmmgmt/src/org/jdrupes/vmoperator/vmmgmt/browser/VmMgmt-functions.ts b/org.jdrupes.vmoperator.vmmgmt/src/org/jdrupes/vmoperator/vmmgmt/browser/VmMgmt-functions.ts
index 78f5851..d96ad65 100644
--- a/org.jdrupes.vmoperator.vmmgmt/src/org/jdrupes/vmoperator/vmmgmt/browser/VmMgmt-functions.ts
+++ b/org.jdrupes.vmoperator.vmmgmt/src/org/jdrupes/vmoperator/vmmgmt/browser/VmMgmt-functions.ts
@@ -112,6 +112,7 @@ window.orgJDrupesVmOperatorVmMgmt.initView = (viewDom: HTMLElement,
                 ["currentCpus", "currentCpus"],
                 ["currentRam", "currentRam"],
                 ["nodeName", "nodeName"],
+                ["assignedTo", "assignedTo"],
                 ["usedFrom", "usedFrom"],
                 ["usedBy", "usedBy"]
             ], {
@@ -183,6 +184,7 @@ JGConsole.registerConletFunction("org.jdrupes.vmoperator.vmmgmt.VmMgmt",
         vmDefinition.currentRam = Number(vmDefinition.status.ram);
         vmDefinition.usedFrom = vmDefinition.status.consoleClient || "";
         vmDefinition.usedBy = vmDefinition.status.consoleUser || "";
+        vmDefinition.assignedTo = vmDefinition.status.assignment?.user || "";
         for (const condition of vmDefinition.status.conditions) {
             if (condition.type === "Running") {
                 vmDefinition.running = condition.status === "True";

From edc3596e7daebdce26185eb3f0e18ba41ca3ed26 Mon Sep 17 00:00:00 2001
From: "Michael N. Lipp" <mnl@mnl.de>
Date: Thu, 23 Jan 2025 18:05:38 +0100
Subject: [PATCH 068/274] Move "used from" to details.

---
 .../org/jdrupes/vmoperator/vmmgmt/VmMgmt-view.ftl.html      | 6 ++++++
 .../jdrupes/vmoperator/vmmgmt/browser/VmMgmt-functions.ts   | 1 -
 .../org/jdrupes/vmoperator/vmmgmt/browser/VmMgmt-style.scss | 2 ++
 3 files changed, 8 insertions(+), 1 deletion(-)

diff --git a/org.jdrupes.vmoperator.vmmgmt/resources/org/jdrupes/vmoperator/vmmgmt/VmMgmt-view.ftl.html b/org.jdrupes.vmoperator.vmmgmt/resources/org/jdrupes/vmoperator/vmmgmt/VmMgmt-view.ftl.html
index 6b46faa..9d0a2d4 100644
--- a/org.jdrupes.vmoperator.vmmgmt/resources/org/jdrupes/vmoperator/vmmgmt/VmMgmt-view.ftl.html
+++ b/org.jdrupes.vmoperator.vmmgmt/resources/org/jdrupes/vmoperator/vmmgmt/VmMgmt-view.ftl.html
@@ -103,6 +103,12 @@
                   ><span>{{ cic.error }}</span></form></td>
               </tr>
             </table>
+            <table class="table--basic table--basic--autoStriped">
+              <tr>
+                <td>{{ localize("usedFrom") }}</td>
+                <td>{{ entry.usedFrom }}</td>
+              </tr>
+            </table>
           </td>
         </tr>
       </template>
diff --git a/org.jdrupes.vmoperator.vmmgmt/src/org/jdrupes/vmoperator/vmmgmt/browser/VmMgmt-functions.ts b/org.jdrupes.vmoperator.vmmgmt/src/org/jdrupes/vmoperator/vmmgmt/browser/VmMgmt-functions.ts
index d96ad65..6ab15b8 100644
--- a/org.jdrupes.vmoperator.vmmgmt/src/org/jdrupes/vmoperator/vmmgmt/browser/VmMgmt-functions.ts
+++ b/org.jdrupes.vmoperator.vmmgmt/src/org/jdrupes/vmoperator/vmmgmt/browser/VmMgmt-functions.ts
@@ -113,7 +113,6 @@ window.orgJDrupesVmOperatorVmMgmt.initView = (viewDom: HTMLElement,
                 ["currentRam", "currentRam"],
                 ["nodeName", "nodeName"],
                 ["assignedTo", "assignedTo"],
-                ["usedFrom", "usedFrom"],
                 ["usedBy", "usedBy"]
             ], {
                 sortKey: "name",
diff --git a/org.jdrupes.vmoperator.vmmgmt/src/org/jdrupes/vmoperator/vmmgmt/browser/VmMgmt-style.scss b/org.jdrupes.vmoperator.vmmgmt/src/org/jdrupes/vmoperator/vmmgmt/browser/VmMgmt-style.scss
index e02fe24..607b0c5 100644
--- a/org.jdrupes.vmoperator.vmmgmt/src/org/jdrupes/vmoperator/vmmgmt/browser/VmMgmt-style.scss
+++ b/org.jdrupes.vmoperator.vmmgmt/src/org/jdrupes/vmoperator/vmmgmt/browser/VmMgmt-style.scss
@@ -78,6 +78,8 @@
     padding-left: 1em;
 
     table {
+      display: inline;
+      
       td:nth-child(2) {
         min-width: 7em;
 

From fb69c1d793c8faa7063b34d91bd4d807c4a4ebe3 Mon Sep 17 00:00:00 2001
From: "Michael N. Lipp" <mnl@mnl.de>
Date: Thu, 23 Jan 2025 18:25:37 +0100
Subject: [PATCH 069/274] Minor style change.

---
 .../src/org/jdrupes/vmoperator/vmmgmt/browser/VmMgmt-style.scss | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/org.jdrupes.vmoperator.vmmgmt/src/org/jdrupes/vmoperator/vmmgmt/browser/VmMgmt-style.scss b/org.jdrupes.vmoperator.vmmgmt/src/org/jdrupes/vmoperator/vmmgmt/browser/VmMgmt-style.scss
index 607b0c5..9d7721a 100644
--- a/org.jdrupes.vmoperator.vmmgmt/src/org/jdrupes/vmoperator/vmmgmt/browser/VmMgmt-style.scss
+++ b/org.jdrupes.vmoperator.vmmgmt/src/org/jdrupes/vmoperator/vmmgmt/browser/VmMgmt-style.scss
@@ -75,7 +75,7 @@
   }
   
   td.details {
-    padding-left: 1em;
+    padding-left: 0;
 
     table {
       display: inline;

From 9318b1279abbe48a229d614be2f3a4d86684eacc Mon Sep 17 00:00:00 2001
From: "Michael N. Lipp" <mnl@mnl.de>
Date: Thu, 23 Jan 2025 21:17:06 +0100
Subject: [PATCH 070/274] Move jackson to base library.

---
 org.jdrupes.vmoperator.common/build.gradle         | 1 +
 org.jdrupes.vmoperator.manager.events/build.gradle | 1 -
 2 files changed, 1 insertion(+), 1 deletion(-)

diff --git a/org.jdrupes.vmoperator.common/build.gradle b/org.jdrupes.vmoperator.common/build.gradle
index 07877fe..e72cb14 100644
--- a/org.jdrupes.vmoperator.common/build.gradle
+++ b/org.jdrupes.vmoperator.common/build.gradle
@@ -13,4 +13,5 @@ dependencies {
     api 'org.jgrapes:org.jgrapes.core:[1.22.1,2)'
     api 'io.kubernetes:client-java:[19.0.0,20.0.0)'
     api 'org.yaml:snakeyaml'
+    api 'com.fasterxml.jackson.datatype:jackson-datatype-jsr310:[2.16.1,3]'
 }
diff --git a/org.jdrupes.vmoperator.manager.events/build.gradle b/org.jdrupes.vmoperator.manager.events/build.gradle
index cfdd79e..bb4b8d8 100644
--- a/org.jdrupes.vmoperator.manager.events/build.gradle
+++ b/org.jdrupes.vmoperator.manager.events/build.gradle
@@ -10,5 +10,4 @@ plugins {
 
 dependencies {
     api project(':org.jdrupes.vmoperator.common')
-    api 'com.fasterxml.jackson.datatype:jackson-datatype-jsr310:[2.16.1,3]'
 }

From a5ddf6ac977c2301569bd757898c8d65a1823684 Mon Sep 17 00:00:00 2001
From: "Michael N. Lipp" <mnl@mnl.de>
Date: Sat, 25 Jan 2025 13:32:00 +0100
Subject: [PATCH 071/274] Avoid updating immutable fields.

---
 .../vmoperator/manager/PvcReconciler.java     | 43 +++++++++++++-
 .../org/jdrupes/vmoperator/util/GsonPtr.java  | 58 ++++++++++++++++++-
 2 files changed, 97 insertions(+), 4 deletions(-)

diff --git a/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/PvcReconciler.java b/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/PvcReconciler.java
index d044199..4ced1b1 100644
--- a/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/PvcReconciler.java
+++ b/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/PvcReconciler.java
@@ -18,6 +18,7 @@
 
 package org.jdrupes.vmoperator.manager;
 
+import com.google.gson.JsonObject;
 import freemarker.core.ParseException;
 import freemarker.template.Configuration;
 import freemarker.template.MalformedTemplateNameException;
@@ -25,6 +26,7 @@ import freemarker.template.TemplateException;
 import freemarker.template.TemplateNotFoundException;
 import io.kubernetes.client.custom.V1Patch;
 import io.kubernetes.client.openapi.ApiException;
+import io.kubernetes.client.util.generic.dynamic.DynamicKubernetesObject;
 import io.kubernetes.client.util.generic.dynamic.Dynamics;
 import io.kubernetes.client.util.generic.options.ListOptions;
 import io.kubernetes.client.util.generic.options.PatchOptions;
@@ -41,6 +43,7 @@ import org.jdrupes.vmoperator.common.K8sV1PvcStub;
 import org.jdrupes.vmoperator.manager.events.VmChannel;
 import org.jdrupes.vmoperator.manager.events.VmDefChanged;
 import org.jdrupes.vmoperator.util.DataPath;
+import org.jdrupes.vmoperator.util.GsonPtr;
 import org.yaml.snakeyaml.LoaderOptions;
 import org.yaml.snakeyaml.Yaml;
 import org.yaml.snakeyaml.constructor.SafeConstructor;
@@ -179,17 +182,51 @@ import org.yaml.snakeyaml.constructor.SafeConstructor;
         var pvcDef = Dynamics.newFromYaml(
             new Yaml(new SafeConstructor(new LoaderOptions())), out.toString());
 
-        // Do apply changes
+        // Apply changes
         var pvcStub
             = K8sV1PvcStub.get(channel.client(), vmDef.namespace(), pvcName);
+        var pvc = pvcStub.model();
+        if (pvc.isEmpty()
+            || !"Bound".equals(pvc.get().getStatus().getPhase())) {
+            // Does not exist or isn't bound, use apply
+            PatchOptions opts = new PatchOptions();
+            opts.setForce(true);
+            opts.setFieldManager("kubernetes-java-kubectl-apply");
+            if (pvcStub.patch(V1Patch.PATCH_FORMAT_APPLY_YAML,
+                new V1Patch(channel.client().getJSON().serialize(pvcDef)), opts)
+                .isEmpty()) {
+                logger.warning(
+                    () -> "Could not patch pvc for " + pvcStub.name());
+            }
+            return;
+        }
+
+        // If bound, use json merge, omitting immutable fields
+        var spec = GsonPtr.to(pvcDef.getRaw()).to("spec");
+        spec.removeExcept("volumeAttributesClassName", "resources");
+        spec.access("resources").ifPresent(p -> p.removeExcept("requests"));
         PatchOptions opts = new PatchOptions();
-        opts.setForce(true);
         opts.setFieldManager("kubernetes-java-kubectl-apply");
-        if (pvcStub.patch(V1Patch.PATCH_FORMAT_APPLY_YAML,
+        if (pvcStub.patch(V1Patch.PATCH_FORMAT_JSON_MERGE_PATCH,
             new V1Patch(channel.client().getJSON().serialize(pvcDef)), opts)
             .isEmpty()) {
             logger.warning(
                 () -> "Could not patch pvc for " + pvcStub.name());
         }
     }
+
+    @SuppressWarnings("PMD.AvoidLiteralsInIfCondition")
+    private void removeImmutable(DynamicKubernetesObject pvcDef) {
+        var spec = GsonPtr.to(pvcDef.getRaw()).to("spec").get(JsonObject.class);
+        for (var itr = spec.entrySet().iterator(); itr.hasNext();) {
+            var entry = itr.next();
+            if ("volumeAttributesClassName".equals(entry.getKey())) {
+                continue;
+            }
+            if ("resources".equals(entry.getKey())) {
+                continue;
+            }
+            itr.remove();
+        }
+    }
 }
diff --git a/org.jdrupes.vmoperator.util/src/org/jdrupes/vmoperator/util/GsonPtr.java b/org.jdrupes.vmoperator.util/src/org/jdrupes/vmoperator/util/GsonPtr.java
index 8b84ed3..de96ec6 100644
--- a/org.jdrupes.vmoperator.util/src/org/jdrupes/vmoperator/util/GsonPtr.java
+++ b/org.jdrupes.vmoperator.util/src/org/jdrupes/vmoperator/util/GsonPtr.java
@@ -23,6 +23,7 @@ import com.google.gson.JsonElement;
 import com.google.gson.JsonObject;
 import com.google.gson.JsonPrimitive;
 import java.math.BigInteger;
+import java.util.Arrays;
 import java.util.Collections;
 import java.util.List;
 import java.util.Optional;
@@ -62,7 +63,8 @@ public class GsonPtr {
      * @param selectors the selectors
      * @return the Gson pointer
      */
-    @SuppressWarnings({ "PMD.ShortMethodName", "PMD.PreserveStackTrace" })
+    @SuppressWarnings({ "PMD.ShortMethodName", "PMD.PreserveStackTrace",
+        "PMD.AvoidDuplicateLiterals" })
     public GsonPtr to(Object... selectors) {
         JsonElement element = position;
         for (Object sel : selectors) {
@@ -91,6 +93,42 @@ public class GsonPtr {
         return new GsonPtr(element);
     }
 
+    /**
+     * Create a new instance pointing to the {@link JsonElement} 
+     * selected by the given selectors. If a selector of type 
+     * {@link String} denotes a non-existant member of a
+     * {@link JsonObject} the result is empty.
+     *
+     * @param selectors the selectors
+     * @return the Gson pointer
+     */
+    @SuppressWarnings({ "PMD.ShortMethodName", "PMD.PreserveStackTrace" })
+    public Optional<GsonPtr> access(Object... selectors) {
+        JsonElement element = position;
+        for (Object sel : selectors) {
+            if (element instanceof JsonObject obj
+                && sel instanceof String member) {
+                element = obj.get(member);
+                if (element == null) {
+                    return Optional.empty();
+                }
+                continue;
+            }
+            if (element instanceof JsonArray arr
+                && sel instanceof Integer index) {
+                try {
+                    element = arr.get(index);
+                } catch (IndexOutOfBoundsException e) {
+                    throw new IllegalStateException("Selected array index"
+                        + " may not be empty.");
+                }
+                continue;
+            }
+            throw new IllegalStateException("Invalid selection");
+        }
+        return Optional.of(new GsonPtr(element));
+    }
+
     /**
      * Returns {@link JsonElement} that the pointer points to.
      *
@@ -336,4 +374,22 @@ public class GsonPtr {
         return this;
     }
 
+    /**
+     * Removes all properties except the specified ones.
+     *
+     * @param properties the properties
+     */
+    public void removeExcept(String... properties) {
+        if (!position.isJsonObject()) {
+            return;
+        }
+        for (var itr = ((JsonObject) position).entrySet().iterator();
+                itr.hasNext();) {
+            var entry = itr.next();
+            if (Arrays.asList(properties).contains(entry.getKey())) {
+                continue;
+            }
+            itr.remove();
+        }
+    }
 }

From 80d416550050588c7567fd95b6988cf8a70b9448 Mon Sep 17 00:00:00 2001
From: "Michael N. Lipp" <mnl@mnl.de>
Date: Sat, 25 Jan 2025 13:32:27 +0100
Subject: [PATCH 072/274] Upgrade base library.

---
 org.jdrupes.vmoperator.manager/build.gradle | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/org.jdrupes.vmoperator.manager/build.gradle b/org.jdrupes.vmoperator.manager/build.gradle
index b581971..eda5ce0 100644
--- a/org.jdrupes.vmoperator.manager/build.gradle
+++ b/org.jdrupes.vmoperator.manager/build.gradle
@@ -17,7 +17,7 @@ dependencies {
     implementation 'org.jgrapes:org.jgrapes.io:[2.12.1,3)'
     implementation 'org.jgrapes:org.jgrapes.http:[3.5.0,4)'
     
-    implementation 'org.jgrapes:org.jgrapes.webconsole.base:[2.1.0,3)'
+    implementation 'org.jgrapes:org.jgrapes.webconsole.base:[2.2.0,3)'
     implementation 'org.jgrapes:org.jgrapes.webconsole.vuejs:[1.8.0,2)'
     implementation 'org.jgrapes:org.jgrapes.webconsole.rbac:[1.4.0,2)'
     implementation 'org.jgrapes:org.jgrapes.webconlet.oidclogin:[1.7.0,2)'

From 877d4c69cde50345521b6ca7858c1a2506b5b2aa Mon Sep 17 00:00:00 2001
From: "Michael N. Lipp" <mnl@mnl.de>
Date: Sat, 25 Jan 2025 13:34:16 +0100
Subject: [PATCH 073/274] Remove obsolete method.

---
 .../jdrupes/vmoperator/manager/PvcReconciler.java | 15 ---------------
 1 file changed, 15 deletions(-)

diff --git a/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/PvcReconciler.java b/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/PvcReconciler.java
index 4ced1b1..5f10f47 100644
--- a/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/PvcReconciler.java
+++ b/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/PvcReconciler.java
@@ -214,19 +214,4 @@ import org.yaml.snakeyaml.constructor.SafeConstructor;
                 () -> "Could not patch pvc for " + pvcStub.name());
         }
     }
-
-    @SuppressWarnings("PMD.AvoidLiteralsInIfCondition")
-    private void removeImmutable(DynamicKubernetesObject pvcDef) {
-        var spec = GsonPtr.to(pvcDef.getRaw()).to("spec").get(JsonObject.class);
-        for (var itr = spec.entrySet().iterator(); itr.hasNext();) {
-            var entry = itr.next();
-            if ("volumeAttributesClassName".equals(entry.getKey())) {
-                continue;
-            }
-            if ("resources".equals(entry.getKey())) {
-                continue;
-            }
-            itr.remove();
-        }
-    }
 }

From 5d722abd2e95cc052124d3fe41ce27568c8be596 Mon Sep 17 00:00:00 2001
From: "Michael N. Lipp" <mnl@mnl.de>
Date: Sat, 25 Jan 2025 13:35:51 +0100
Subject: [PATCH 074/274] Add assignment based on last usage.

---
 deploy/crds/vmpools-crd.yaml                  |  9 +++
 dev-example/test-pool.yaml                    |  1 +
 .../vmoperator/common/VmDefinition.java       | 34 +++++++-
 .../org/jdrupes/vmoperator/common/VmPool.java | 38 +++++++++
 .../vmoperator/manager/PoolMonitor.java       | 40 +++++++++-
 .../jdrupes/vmoperator/manager/VmMonitor.java | 80 +++++++++++++------
 .../vmoperator/vmaccess/l10n.properties       |  1 +
 .../vmoperator/vmaccess/l10n_de.properties    |  3 +
 .../jdrupes/vmoperator/vmaccess/VmAccess.java | 12 ++-
 9 files changed, 186 insertions(+), 32 deletions(-)

diff --git a/deploy/crds/vmpools-crd.yaml b/deploy/crds/vmpools-crd.yaml
index 193d547..b34d096 100644
--- a/deploy/crds/vmpools-crd.yaml
+++ b/deploy/crds/vmpools-crd.yaml
@@ -16,6 +16,15 @@ spec:
             spec:
               type: object
               properties:
+                retention:
+                  description: >-
+                    Defines the timeout for assignments. The time may be
+                    specified as ISO 8601 time or duration. When specifying
+                    a duration, it will be added to the last time the VM's 
+                    console was used to obtain the timeout.
+                  type: string
+                  pattern: '^(?:\d{4}-(?:0[1-9]|1[0-2])-(?:0[1-9]|[12]\d|3[01])T(?:[01]\d|2[0-3]):[0-5]\d:[0-5]\d(?:\.\d{1,9})?(?:Z|[+-](?:[01]\d|2[0-3])(?:|:?[0-5]\d))|P(?:\d+Y)?(?:\d+M)?(?:\d+W)?(?:\d+D)?(?:T(?:\d+[Hh])?(?:\d+[Mm])?(?:\d+(?:\.\d{1,9})?[Ss])?)?)$'
+                  default: "PT1h"
                 permissions:
                   type: array
                   description: >-
diff --git a/dev-example/test-pool.yaml b/dev-example/test-pool.yaml
index 43c36b8..96289e3 100644
--- a/dev-example/test-pool.yaml
+++ b/dev-example/test-pool.yaml
@@ -4,6 +4,7 @@ metadata:
   namespace: vmop-dev
   name: test-vms
 spec:
+  retention: "PT1m"
   permissions:
   - user: admin
     may:
diff --git a/org.jdrupes.vmoperator.common/src/org/jdrupes/vmoperator/common/VmDefinition.java b/org.jdrupes.vmoperator.common/src/org/jdrupes/vmoperator/common/VmDefinition.java
index 375612b..2742b88 100644
--- a/org.jdrupes.vmoperator.common/src/org/jdrupes/vmoperator/common/VmDefinition.java
+++ b/org.jdrupes.vmoperator.common/src/org/jdrupes/vmoperator/common/VmDefinition.java
@@ -18,7 +18,11 @@
 
 package org.jdrupes.vmoperator.common;
 
+import com.fasterxml.jackson.databind.ObjectMapper;
+import com.fasterxml.jackson.datatype.jsr310.JavaTimeModule;
+import io.kubernetes.client.openapi.models.V1Condition;
 import io.kubernetes.client.openapi.models.V1ObjectMeta;
+import java.time.Instant;
 import java.util.Collection;
 import java.util.Collections;
 import java.util.EnumSet;
@@ -36,9 +40,12 @@ import org.jdrupes.vmoperator.util.DataPath;
 /**
  * Represents a VM definition.
  */
-@SuppressWarnings({ "PMD.DataClass" })
+@SuppressWarnings({ "PMD.DataClass", "PMD.TooManyMethods" })
 public class VmDefinition {
 
+    private static ObjectMapper objectMapper
+        = new ObjectMapper().registerModule(new JavaTimeModule());
+
     private String kind;
     private String apiVersion;
     private V1ObjectMeta metadata;
@@ -306,6 +313,31 @@ public class VmDefinition {
         return fromStatus("assignment", "user");
     }
 
+    /**
+     * Last usage of assigned VM.
+     *
+     * @return the optional
+     */
+    public Optional<Instant> assignmentLastUsed() {
+        return this.<String> fromStatus("assignment", "lastUsed")
+            .map(Instant::parse);
+    }
+
+    /**
+     * Return a condition from the status.
+     *
+     * @param name the condition's name
+     * @return the status, if the condition is defined
+     */
+    public Optional<V1Condition> condition(String name) {
+        return this.<List<Map<String, Object>>> fromStatus("conditions")
+            .orElse(Collections.emptyList()).stream()
+            .filter(cond -> DataPath.get(cond, "type")
+                .map(name::equals).orElse(false))
+            .findFirst()
+            .map(cond -> objectMapper.convertValue(cond, V1Condition.class));
+    }
+
     /**
      * Return a condition's status.
      *
diff --git a/org.jdrupes.vmoperator.common/src/org/jdrupes/vmoperator/common/VmPool.java b/org.jdrupes.vmoperator.common/src/org/jdrupes/vmoperator/common/VmPool.java
index 426a69c..8bf6dee 100644
--- a/org.jdrupes.vmoperator.common/src/org/jdrupes/vmoperator/common/VmPool.java
+++ b/org.jdrupes.vmoperator.common/src/org/jdrupes/vmoperator/common/VmPool.java
@@ -18,6 +18,8 @@
 
 package org.jdrupes.vmoperator.common;
 
+import java.time.Duration;
+import java.time.Instant;
 import java.util.Collection;
 import java.util.Collections;
 import java.util.HashSet;
@@ -36,6 +38,7 @@ import org.jdrupes.vmoperator.util.DataPath;
 public class VmPool {
 
     private String name;
+    private String retention;
     private boolean defined;
     private List<Grant> permissions = Collections.emptyList();
     private final Set<String> vms
@@ -86,6 +89,24 @@ public class VmPool {
         this.defined = defined;
     }
 
+    /**
+     * Gets the retention.
+     *
+     * @return the retention
+     */
+    public String retention() {
+        return retention;
+    }
+
+    /**
+     * Sets the retention.
+     *
+     * @param retention the retention to set
+     */
+    public void setRetention(String retention) {
+        this.retention = retention;
+    }
+
     /**
      * Permissions granted for a VM from the pool.
      *
@@ -113,6 +134,11 @@ public class VmPool {
         return vms;
     }
 
+    /**
+     * To string.
+     *
+     * @return the string
+     */
     @Override
     @SuppressWarnings("PMD.AvoidLiteralsInIfCondition")
     public String toString() {
@@ -147,4 +173,16 @@ public class VmPool {
             .flatMap(Function.identity()).collect(Collectors.toSet());
     }
 
+    /**
+     * Return the instant until which an assignment should be retained.
+     *
+     * @param lastUsed the last used
+     * @return the instant
+     */
+    public Instant retainUntil(Instant lastUsed) {
+        if (retention.startsWith("P")) {
+            return lastUsed.plus(Duration.parse(retention));
+        }
+        return Instant.parse(retention);
+    }
 }
diff --git a/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/PoolMonitor.java b/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/PoolMonitor.java
index e11f667..4a7a1cb 100644
--- a/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/PoolMonitor.java
+++ b/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/PoolMonitor.java
@@ -18,21 +18,26 @@
 
 package org.jdrupes.vmoperator.manager;
 
+import com.google.gson.JsonObject;
+import io.kubernetes.client.apimachinery.GroupVersionKind;
 import io.kubernetes.client.openapi.ApiException;
 import io.kubernetes.client.util.Watch;
 import java.io.IOException;
+import java.time.Instant;
 import java.util.Collections;
 import java.util.List;
 import java.util.Map;
 import java.util.Optional;
 import java.util.concurrent.ConcurrentHashMap;
 import static org.jdrupes.vmoperator.common.Constants.VM_OP_GROUP;
+import static org.jdrupes.vmoperator.common.Constants.VM_OP_KIND_VM;
 import org.jdrupes.vmoperator.common.K8s;
 import org.jdrupes.vmoperator.common.K8sClient;
 import org.jdrupes.vmoperator.common.K8sDynamicModel;
 import org.jdrupes.vmoperator.common.K8sDynamicModels;
 import org.jdrupes.vmoperator.common.K8sDynamicStub;
 import org.jdrupes.vmoperator.common.K8sObserver.ResponseType;
+import org.jdrupes.vmoperator.common.VmDefinitionStub;
 import org.jdrupes.vmoperator.common.VmPool;
 import static org.jdrupes.vmoperator.manager.Constants.VM_OP_KIND_VM_POOL;
 import org.jdrupes.vmoperator.manager.events.GetPools;
@@ -129,6 +134,7 @@ public class PoolMonitor extends
         var vmPool = pools.computeIfAbsent(poolName, k -> new VmPool(poolName));
         var newData = client().getJSON().getGson().fromJson(
             GsonPtr.to(poolModel.data()).to("spec").get(), VmPool.class);
+        vmPool.setRetention(newData.retention());
         vmPool.setPermissions(newData.permissions());
         vmPool.setDefined(true);
         poolPipeline.fire(new VmPoolChanged(vmPool));
@@ -138,13 +144,15 @@ public class PoolMonitor extends
      * Track VM definition changes.
      *
      * @param event the event
+     * @throws ApiException 
      */
     @Handler
-    public void onVmDefChanged(VmDefChanged event) {
-        String vmName = event.vmDefinition().name();
+    public void onVmDefChanged(VmDefChanged event) throws ApiException {
+        final var vmDef = event.vmDefinition();
+        final String vmName = vmDef.name();
         switch (event.type()) {
         case ADDED:
-            event.vmDefinition().<List<String>> fromSpec("pools")
+            vmDef.<List<String>> fromSpec("pools")
                 .orElse(Collections.emptyList()).stream().forEach(p -> {
                     pools.computeIfAbsent(p, k -> new VmPool(p))
                         .vms().add(vmName);
@@ -157,10 +165,34 @@ public class PoolMonitor extends
                     poolPipeline.fire(new VmPoolChanged(p));
                 }
             });
-            break;
+            return;
         default:
             break;
         }
+
+        // Sync last usage to console state change if user matches
+        var assignedTo = vmDef.assignedTo().orElse(null);
+        if (assignedTo == null || !assignedTo
+            .equals(vmDef.<String> fromStatus("consoleUser").orElse(null))) {
+            return;
+        }
+        var lastUsed
+            = vmDef.assignmentLastUsed().orElse(Instant.ofEpochSecond(0));
+        var conChange = vmDef.condition("ConsoleConnected")
+            .map(c -> c.getLastTransitionTime().toInstant())
+            .orElse(Instant.ofEpochSecond(0));
+        if (!conChange.isAfter(lastUsed)) {
+            return;
+        }
+        var vmStub = VmDefinitionStub.get(client(),
+            new GroupVersionKind(VM_OP_GROUP, "", VM_OP_KIND_VM),
+            vmDef.namespace(), vmDef.name());
+        vmStub.updateStatus(from -> {
+            JsonObject status = from.status();
+            var assignment = GsonPtr.to(status).to("assignment");
+            assignment.set("lastUsed", conChange.toString());
+            return status;
+        });
     }
 
     /**
diff --git a/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/VmMonitor.java b/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/VmMonitor.java
index b8ba467..9b6f75f 100644
--- a/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/VmMonitor.java
+++ b/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/VmMonitor.java
@@ -1,6 +1,6 @@
 /*
  * VM-Operator
- * Copyright (C) 2023,2024 Michael N. Lipp
+ * Copyright (C) 2023,2025 Michael N. Lipp
  * 
  * This program is free software: you can redistribute it and/or modify
  * it under the terms of the GNU Affero General Public License as
@@ -25,7 +25,9 @@ import io.kubernetes.client.openapi.models.V1ObjectMeta;
 import io.kubernetes.client.util.Watch;
 import io.kubernetes.client.util.generic.options.ListOptions;
 import java.io.IOException;
+import java.time.Instant;
 import java.util.ArrayList;
+import java.util.Comparator;
 import java.util.Optional;
 import java.util.Set;
 import java.util.logging.Level;
@@ -43,10 +45,12 @@ import org.jdrupes.vmoperator.common.VmDefinition;
 import org.jdrupes.vmoperator.common.VmDefinitionModel;
 import org.jdrupes.vmoperator.common.VmDefinitionModels;
 import org.jdrupes.vmoperator.common.VmDefinitionStub;
+import org.jdrupes.vmoperator.common.VmPool;
 import static org.jdrupes.vmoperator.manager.Constants.APP_NAME;
 import static org.jdrupes.vmoperator.manager.Constants.VM_OP_NAME;
 import org.jdrupes.vmoperator.manager.events.AssignVm;
 import org.jdrupes.vmoperator.manager.events.ChannelManager;
+import org.jdrupes.vmoperator.manager.events.GetPools;
 import org.jdrupes.vmoperator.manager.events.GetVms;
 import org.jdrupes.vmoperator.manager.events.GetVms.VmData;
 import org.jdrupes.vmoperator.manager.events.ModifyVm;
@@ -245,28 +249,59 @@ public class VmMonitor extends
      *
      * @param event the event
      * @throws ApiException the api exception
+     * @throws InterruptedException 
      */
     @Handler
-    public void onAssignVm(AssignVm event) throws ApiException {
-        // Search for existing assignment.
-        var assignedVm = channelManager.channels().stream()
-            .filter(c -> c.vmDefinition().assignedFrom()
-                .map(p -> p.equals(event.fromPool())).orElse(false))
-            .filter(c -> c.vmDefinition().assignedTo()
-                .map(u -> u.equals(event.toUser())).orElse(false))
-            .findFirst();
-        if (assignedVm.isPresent()) {
-            event.setResult(new VmData(assignedVm.get().vmDefinition(),
-                assignedVm.get()));
-            return;
-        }
+    @SuppressWarnings("PMD.AvoidInstantiatingObjectsInLoops")
+    public void onAssignVm(AssignVm event)
+            throws ApiException, InterruptedException {
+        VmPool vmPool = null;
+        while (true) {
+            // Search for existing assignment.
+            var assignedVm = channelManager.channels().stream()
+                .filter(c -> c.vmDefinition().assignedFrom()
+                    .map(p -> p.equals(event.fromPool())).orElse(false))
+                .filter(c -> c.vmDefinition().assignedTo()
+                    .map(u -> u.equals(event.toUser())).orElse(false))
+                .findFirst();
+            if (assignedVm.isPresent()) {
+                var vmDef = assignedVm.get().vmDefinition();
+                event.setResult(new VmData(vmDef, assignedVm.get()));
+                return;
+            }
 
-        // Find available VM.
-        assignedVm = channelManager.channels().stream()
-            .filter(c -> c.vmDefinition().pools().contains(event.fromPool()))
-            .filter(c -> c.vmDefinition().assignedTo().isEmpty())
-            .findFirst();
-        if (assignedVm.isPresent()) {
+            // Get the pool definition for retention time calculations
+            if (vmPool == null) {
+                vmPool = newEventPipeline().fire(new GetPools()
+                    .withName(event.fromPool())).get().stream().findFirst()
+                    .orElse(null);
+                if (vmPool == null) {
+                    return;
+                }
+            }
+
+            // Find available VM.
+            var pool = vmPool;
+            assignedVm = channelManager.channels().stream()
+                .filter(c -> c.vmDefinition().pools()
+                    .contains(event.fromPool()))
+                .filter(c -> !c.vmDefinition()
+                    .conditionStatus("ConsoleConnected").orElse(false))
+                .filter(c -> c.vmDefinition().assignedTo().isEmpty()
+                    || pool.retainUntil(c.vmDefinition()
+                        .<String> fromStatus("assignment", "lastUsed")
+                        .map(Instant::parse).orElse(Instant.ofEpochSecond(0)))
+                        .isBefore(Instant.now()))
+                .sorted(Comparator.comparing(c -> c.vmDefinition()
+                    .assignmentLastUsed().orElse(Instant.ofEpochSecond(0))))
+                .findFirst();
+
+            // None found
+            if (assignedVm.isEmpty()) {
+                return;
+            }
+
+            // Assign to user
             var vmDef = assignedVm.get().vmDefinition();
             var vmStub = VmDefinitionStub.get(client(),
                 new GroupVersionKind(VM_OP_GROUP, "", VM_OP_KIND_VM),
@@ -276,14 +311,13 @@ public class VmMonitor extends
                 var assignment = GsonPtr.to(status).to("assignment");
                 assignment.set("pool", event.fromPool());
                 assignment.set("user", event.toUser());
+                assignment.set("lastUsed", Instant.now().toString());
                 return status;
             });
 
-            // Always start a newly assigned VM.
+            // Make sure that a newly assigned VM is running.
             fire(new ModifyVm(vmDef.name(), "state", "Running",
                 assignedVm.get()));
-            event.setResult(new VmData(vmDef, assignedVm.get()));
         }
     }
-
 }
diff --git a/org.jdrupes.vmoperator.vmaccess/resources/org/jdrupes/vmoperator/vmaccess/l10n.properties b/org.jdrupes.vmoperator.vmaccess/resources/org/jdrupes/vmoperator/vmaccess/l10n.properties
index d755e7a..6305a4b 100644
--- a/org.jdrupes.vmoperator.vmaccess/resources/org/jdrupes/vmoperator/vmaccess/l10n.properties
+++ b/org.jdrupes.vmoperator.vmaccess/resources/org/jdrupes/vmoperator/vmaccess/l10n.properties
@@ -5,3 +5,4 @@ okayLabel = Apply and Close
 confirmResetTitle = Confirm reset
 confirmResetMsg = Resetting the VM may cause loss of data. \
   Please confirm to continue.
+poolEmptyNotification = No VM available. Please consult your administrator.
diff --git a/org.jdrupes.vmoperator.vmaccess/resources/org/jdrupes/vmoperator/vmaccess/l10n_de.properties b/org.jdrupes.vmoperator.vmaccess/resources/org/jdrupes/vmoperator/vmaccess/l10n_de.properties
index 7d4ff23..dbd3b11 100644
--- a/org.jdrupes.vmoperator.vmaccess/resources/org/jdrupes/vmoperator/vmaccess/l10n_de.properties
+++ b/org.jdrupes.vmoperator.vmaccess/resources/org/jdrupes/vmoperator/vmaccess/l10n_de.properties
@@ -11,3 +11,6 @@ Open\ console = Konsole anzeigen
 confirmResetTitle = Zurücksetzen bestätigen
 confirmResetMsg = Zurücksetzen der VM kann zu Datenverlust führen. \
   Bitte bestätigen um fortzufahren.
+poolEmptyNotification = Keine VM verfügbar. Wenden Sie sich bitte an den \
+  Systemadministrator.
+  
\ No newline at end of file
diff --git a/org.jdrupes.vmoperator.vmaccess/src/org/jdrupes/vmoperator/vmaccess/VmAccess.java b/org.jdrupes.vmoperator.vmaccess/src/org/jdrupes/vmoperator/vmaccess/VmAccess.java
index e6d4e58..5c72309 100644
--- a/org.jdrupes.vmoperator.vmaccess/src/org/jdrupes/vmoperator/vmaccess/VmAccess.java
+++ b/org.jdrupes.vmoperator.vmaccess/src/org/jdrupes/vmoperator/vmaccess/VmAccess.java
@@ -86,6 +86,7 @@ import org.jgrapes.webconsole.base.events.ConsoleConfigured;
 import org.jgrapes.webconsole.base.events.ConsolePrepared;
 import org.jgrapes.webconsole.base.events.ConsoleReady;
 import org.jgrapes.webconsole.base.events.DeleteConlet;
+import org.jgrapes.webconsole.base.events.DisplayNotification;
 import org.jgrapes.webconsole.base.events.NotifyConletModel;
 import org.jgrapes.webconsole.base.events.NotifyConletView;
 import org.jgrapes.webconsole.base.events.OpenModalDialog;
@@ -717,10 +718,9 @@ public class VmAccess extends FreeMarkerConlet<VmAccess.ResourceModel> {
         }
     }
 
-    @Override
-    @SuppressWarnings({ "PMD.AvoidDecimalLiteralsInBigDecimalConstructor",
-        "PMD.ConfusingArgumentToVarargsMethod", "PMD.NcssCount",
+    @SuppressWarnings({ "PMD.NcssCount", "PMD.CognitiveComplexity",
         "PMD.AvoidLiteralsInIfCondition" })
+    @Override
     protected void doUpdateConletState(NotifyConletModel event,
             ConsoleConnection channel, ResourceModel model) throws Exception {
         event.stop();
@@ -741,7 +741,11 @@ public class VmAccess extends FreeMarkerConlet<VmAccess.ResourceModel> {
                 vmData = Optional.ofNullable(appPipeline
                     .fire(new AssignVm(model.name(), user)).get());
                 if (vmData.isEmpty()) {
-                    // TODO message
+                    ResourceBundle resourceBundle
+                        = resourceBundle(channel.locale());
+                    channel.respond(new DisplayNotification(
+                        resourceBundle.getString("poolEmptyNotification"),
+                        Map.of("autoClose", 15_000, "type", "Error")));
                     return;
                 }
             }

From 2a70c74234c6fc354403eb7444f00117b32cd372 Mon Sep 17 00:00:00 2001
From: "Michael N. Lipp" <mnl@mnl.de>
Date: Sat, 25 Jan 2025 13:39:22 +0100
Subject: [PATCH 075/274] Use consistent method names.

---
 .../manager/ConfigMapReconciler.java           |  4 ++--
 .../vmoperator/manager/PvcReconciler.java      |  2 +-
 .../org/jdrupes/vmoperator/util/GsonPtr.java   | 18 +++++++++---------
 3 files changed, 12 insertions(+), 12 deletions(-)

diff --git a/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/ConfigMapReconciler.java b/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/ConfigMapReconciler.java
index 68ca7fa..9c6dc3e 100644
--- a/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/ConfigMapReconciler.java
+++ b/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/ConfigMapReconciler.java
@@ -86,14 +86,14 @@ import org.yaml.snakeyaml.constructor.SafeConstructor;
         // Maybe override logging.properties from reconciler configuration.
         DataPath.<String> get(model, "reconciler", "loggingProperties")
             .ifPresent(props -> {
-                GsonPtr.to(mapDef.getRaw()).get(JsonObject.class, "data")
+                GsonPtr.to(mapDef.getRaw()).getAs(JsonObject.class, "data")
                     .get().addProperty("logging.properties", props);
             });
 
         // Maybe override logging.properties from VM definition.
         DataPath.<String> get(model, "cr", "spec", "loggingProperties")
             .ifPresent(props -> {
-                GsonPtr.to(mapDef.getRaw()).get(JsonObject.class, "data")
+                GsonPtr.to(mapDef.getRaw()).getAs(JsonObject.class, "data")
                     .get().addProperty("logging.properties", props);
             });
 
diff --git a/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/PvcReconciler.java b/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/PvcReconciler.java
index 5f10f47..caae5a3 100644
--- a/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/PvcReconciler.java
+++ b/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/PvcReconciler.java
@@ -204,7 +204,7 @@ import org.yaml.snakeyaml.constructor.SafeConstructor;
         // If bound, use json merge, omitting immutable fields
         var spec = GsonPtr.to(pvcDef.getRaw()).to("spec");
         spec.removeExcept("volumeAttributesClassName", "resources");
-        spec.access("resources").ifPresent(p -> p.removeExcept("requests"));
+        spec.get("resources").ifPresent(p -> p.removeExcept("requests"));
         PatchOptions opts = new PatchOptions();
         opts.setFieldManager("kubernetes-java-kubectl-apply");
         if (pvcStub.patch(V1Patch.PATCH_FORMAT_JSON_MERGE_PATCH,
diff --git a/org.jdrupes.vmoperator.util/src/org/jdrupes/vmoperator/util/GsonPtr.java b/org.jdrupes.vmoperator.util/src/org/jdrupes/vmoperator/util/GsonPtr.java
index de96ec6..36c3444 100644
--- a/org.jdrupes.vmoperator.util/src/org/jdrupes/vmoperator/util/GsonPtr.java
+++ b/org.jdrupes.vmoperator.util/src/org/jdrupes/vmoperator/util/GsonPtr.java
@@ -103,7 +103,7 @@ public class GsonPtr {
      * @return the Gson pointer
      */
     @SuppressWarnings({ "PMD.ShortMethodName", "PMD.PreserveStackTrace" })
-    public Optional<GsonPtr> access(Object... selectors) {
+    public Optional<GsonPtr> get(Object... selectors) {
         JsonElement element = position;
         for (Object sel : selectors) {
             if (element instanceof JsonObject obj
@@ -147,7 +147,7 @@ public class GsonPtr {
      * @return the result
      */
     @SuppressWarnings({ "PMD.AvoidBranchingStatementAsLastInLoop" })
-    public <T extends JsonElement> T get(Class<T> cls) {
+    public <T extends JsonElement> T getAs(Class<T> cls) {
         if (cls.isAssignableFrom(position.getClass())) {
             return cls.cast(position);
         }
@@ -166,7 +166,7 @@ public class GsonPtr {
      */
     @SuppressWarnings({ "PMD.AvoidBranchingStatementAsLastInLoop" })
     public <T extends JsonElement> Optional<T>
-            get(Class<T> cls, Object... selectors) {
+            getAs(Class<T> cls, Object... selectors) {
         JsonElement element = position;
         for (Object sel : selectors) {
             if (element instanceof JsonObject obj
@@ -201,7 +201,7 @@ public class GsonPtr {
      * @return the as string
      */
     public Optional<String> getAsString(Object... selectors) {
-        return get(JsonPrimitive.class, selectors)
+        return getAs(JsonPrimitive.class, selectors)
             .map(JsonPrimitive::getAsString);
     }
 
@@ -212,7 +212,7 @@ public class GsonPtr {
      * @return the as string
      */
     public Optional<Integer> getAsInt(Object... selectors) {
-        return get(JsonPrimitive.class, selectors)
+        return getAs(JsonPrimitive.class, selectors)
             .map(JsonPrimitive::getAsInt);
     }
 
@@ -223,7 +223,7 @@ public class GsonPtr {
      * @return the as string
      */
     public Optional<BigInteger> getAsBigInteger(Object... selectors) {
-        return get(JsonPrimitive.class, selectors)
+        return getAs(JsonPrimitive.class, selectors)
             .map(JsonPrimitive::getAsBigInteger);
     }
 
@@ -234,7 +234,7 @@ public class GsonPtr {
      * @return the as string
      */
     public Optional<Long> getAsLong(Object... selectors) {
-        return get(JsonPrimitive.class, selectors)
+        return getAs(JsonPrimitive.class, selectors)
             .map(JsonPrimitive::getAsLong);
     }
 
@@ -245,7 +245,7 @@ public class GsonPtr {
      * @return the boolean
      */
     public Optional<Boolean> getAsBoolean(Object... selectors) {
-        return get(JsonPrimitive.class, selectors)
+        return getAs(JsonPrimitive.class, selectors)
             .map(JsonPrimitive::getAsBoolean);
     }
 
@@ -260,7 +260,7 @@ public class GsonPtr {
     @SuppressWarnings("unchecked")
     public <T extends JsonElement> List<T> getAsListOf(Class<T> cls,
             Object... selectors) {
-        return get(JsonArray.class, selectors).map(a -> (List<T>) a.asList())
+        return getAs(JsonArray.class, selectors).map(a -> (List<T>) a.asList())
             .orElse(Collections.emptyList());
     }
 

From a0d626cc319f22966ac843201f7d0a878a3c2592 Mon Sep 17 00:00:00 2001
From: "Michael N. Lipp" <mnl@mnl.de>
Date: Sat, 25 Jan 2025 13:40:51 +0100
Subject: [PATCH 076/274] Fix warnings.

---
 .../org/jdrupes/vmoperator/common/K8sClusterGenericStub.java | 5 +++--
 .../src/org/jdrupes/vmoperator/manager/PvcReconciler.java    | 2 --
 2 files changed, 3 insertions(+), 4 deletions(-)

diff --git a/org.jdrupes.vmoperator.common/src/org/jdrupes/vmoperator/common/K8sClusterGenericStub.java b/org.jdrupes.vmoperator.common/src/org/jdrupes/vmoperator/common/K8sClusterGenericStub.java
index 81a4eab..af87af2 100644
--- a/org.jdrupes.vmoperator.common/src/org/jdrupes/vmoperator/common/K8sClusterGenericStub.java
+++ b/org.jdrupes.vmoperator.common/src/org/jdrupes/vmoperator/common/K8sClusterGenericStub.java
@@ -45,7 +45,8 @@ import java.util.function.Function;
  * @param <O> the generic type
  * @param <L> the generic type
  */
-@SuppressWarnings("PMD.DataflowAnomalyAnalysis")
+@SuppressWarnings({ "PMD.DataflowAnomalyAnalysis",
+    "PMD.CouplingBetweenObjects" })
 public class K8sClusterGenericStub<O extends KubernetesObject,
         L extends KubernetesListObject> {
     protected final K8sClient client;
@@ -373,7 +374,7 @@ public class K8sClusterGenericStub<O extends KubernetesObject,
     public static <O extends KubernetesObject, L extends KubernetesListObject,
             R extends K8sClusterGenericStub<O, L>>
             Collection<R> list(Class<O> objectClass, Class<L> objectListClass,
-                    K8sClient client, APIResource context, 
+                    K8sClient client, APIResource context,
                     ListOptions options, GenericSupplier<O, L, R> provider)
                     throws ApiException {
         var result = new ArrayList<R>();
diff --git a/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/PvcReconciler.java b/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/PvcReconciler.java
index caae5a3..34085f0 100644
--- a/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/PvcReconciler.java
+++ b/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/PvcReconciler.java
@@ -18,7 +18,6 @@
 
 package org.jdrupes.vmoperator.manager;
 
-import com.google.gson.JsonObject;
 import freemarker.core.ParseException;
 import freemarker.template.Configuration;
 import freemarker.template.MalformedTemplateNameException;
@@ -26,7 +25,6 @@ import freemarker.template.TemplateException;
 import freemarker.template.TemplateNotFoundException;
 import io.kubernetes.client.custom.V1Patch;
 import io.kubernetes.client.openapi.ApiException;
-import io.kubernetes.client.util.generic.dynamic.DynamicKubernetesObject;
 import io.kubernetes.client.util.generic.dynamic.Dynamics;
 import io.kubernetes.client.util.generic.options.ListOptions;
 import io.kubernetes.client.util.generic.options.PatchOptions;

From 574ad5226bd5d03b4b46566b82b767544a047700 Mon Sep 17 00:00:00 2001
From: "Michael N. Lipp" <mnl@mnl.de>
Date: Sat, 25 Jan 2025 14:33:56 +0100
Subject: [PATCH 077/274] Fix typescript error.

---
 .../jdrupes/vmoperator/vmmgmt/browser/VmMgmt-functions.ts   | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/org.jdrupes.vmoperator.vmmgmt/src/org/jdrupes/vmoperator/vmmgmt/browser/VmMgmt-functions.ts b/org.jdrupes.vmoperator.vmmgmt/src/org/jdrupes/vmoperator/vmmgmt/browser/VmMgmt-functions.ts
index 6ab15b8..f18836a 100644
--- a/org.jdrupes.vmoperator.vmmgmt/src/org/jdrupes/vmoperator/vmmgmt/browser/VmMgmt-functions.ts
+++ b/org.jdrupes.vmoperator.vmmgmt/src/org/jdrupes/vmoperator/vmmgmt/browser/VmMgmt-functions.ts
@@ -75,17 +75,17 @@ window.orgJDrupesVmOperatorVmMgmt.initPreview = (previewDom: HTMLElement,
                 chart = new CpuRamChart(canvas, chartData);
             })
 
-            watch(chartDateUpdate, (_) => {
+            watch(chartDateUpdate, (_: never) => {
                 chart?.update();
             })
 
-            watch(JGWC.langRef(), (_) => {
+            watch(JGWC.langRef(), (_: never) => {
                 chart?.localizeChart();
             })
 
             const period: Ref<string> = ref<string>("day");
             
-            watch(period, (_) => { 
+            watch(period, (_: never) => { 
                 const hours = (period.value === "day") ? 24 : 1;
                 chart?.setPeriod(hours * 3600 * 1000);
             });

From 53a58a2aca1fdda39e159ab2064fbfca08230d61 Mon Sep 17 00:00:00 2001
From: "Michael N. Lipp" <mnl@mnl.de>
Date: Sat, 25 Jan 2025 15:12:49 +0100
Subject: [PATCH 078/274] Add users for pool testing.

---
 dev-example/config.yaml        | 18 ++++++++++++++----
 dev-example/kustomization.yaml | 14 ++++++++++++--
 dev-example/test-pool.yaml     |  2 +-
 3 files changed, 27 insertions(+), 7 deletions(-)

diff --git a/dev-example/config.yaml b/dev-example/config.yaml
index f2e0563..c0dc4b1 100644
--- a/dev-example/config.yaml
+++ b/dev-example/config.yaml
@@ -40,15 +40,25 @@
           - name: admin
             fullName: Administrator
             password: "$2b$05$NiBd74ZGdplLC63ePZf1f.UtjMKkbQ23cQoO2OKOFalDBHWAOy21."
-          - name: test
-            fullName: Test Account
+          - name: test1
+            fullName: Test Account 1
+            password: "$2b$05$hZaI/jToXf/d3BctZdT38Or7H7h6Pn2W3WiB49p5AyhDHFkkYCvo2"
+          - name: test2
+            fullName: Test Account 2
+            password: "$2b$05$hZaI/jToXf/d3BctZdT38Or7H7h6Pn2W3WiB49p5AyhDHFkkYCvo2"
+          - name: test3
+            fullName: Test Account 3
             password: "$2b$05$hZaI/jToXf/d3BctZdT38Or7H7h6Pn2W3WiB49p5AyhDHFkkYCvo2"
         "/RoleConfigurator":
           rolesByUser:
             # User admin has role admin
             admin:
             - admin
-            test:
+            test1:
+            - user
+            test2:
+            - user
+            test3:
             - user
             # All users have role other
             "*":
@@ -60,7 +70,7 @@
             admin:
             - "*"
             user:
-            - org.jdrupes.vmoperator.vmviewer.VmViewer
+            - org.jdrupes.vmoperator.vmaccess.VmAccess
             # Others cannot use any conlet (except login conlet to log out)
             other:
             - org.jgrapes.webconlet.oidclogin.LoginConlet
diff --git a/dev-example/kustomization.yaml b/dev-example/kustomization.yaml
index 7dc4a15..975d95f 100644
--- a/dev-example/kustomization.yaml
+++ b/dev-example/kustomization.yaml
@@ -54,7 +54,13 @@ patches:
                   - name: admin
                     fullName: Administrator
                     password: "$2b$05$NiBd74ZGdplLC63ePZf1f.UtjMKkbQ23cQoO2OKOFalDBHWAOy21."
-                  - name: test
+                  - name: test1
+                    fullName: Test Account
+                    password: "$2b$05$hZaI/jToXf/d3BctZdT38Or7H7h6Pn2W3WiB49p5AyhDHFkkYCvo2"
+                  - name: test2
+                    fullName: Test Account
+                    password: "$2b$05$hZaI/jToXf/d3BctZdT38Or7H7h6Pn2W3WiB49p5AyhDHFkkYCvo2"
+                  - name: test3
                     fullName: Test Account
                     password: "$2b$05$hZaI/jToXf/d3BctZdT38Or7H7h6Pn2W3WiB49p5AyhDHFkkYCvo2"
                 "/RoleConfigurator":
@@ -62,7 +68,11 @@ patches:
                     # User admin has role admin
                     admin:
                     - admin
-                    test:
+                    test1:
+                    - user
+                    test2:
+                    - user
+                    test3:
                     - user
                     # All users have role other
                     "*":
diff --git a/dev-example/test-pool.yaml b/dev-example/test-pool.yaml
index 96289e3..82b9131 100644
--- a/dev-example/test-pool.yaml
+++ b/dev-example/test-pool.yaml
@@ -9,6 +9,6 @@ spec:
   - user: admin
     may:
     - accessConsole
-  - user: test
+  - role: user
     may:
     - accessConsole

From aaf1a0c545790aa55a3a120c5f22e27fd9f01cac Mon Sep 17 00:00:00 2001
From: "Michael N. Lipp" <mnl@mnl.de>
Date: Sat, 25 Jan 2025 22:27:07 +0100
Subject: [PATCH 079/274] Add operator for testing.

---
 dev-example/config.yaml | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/dev-example/config.yaml b/dev-example/config.yaml
index c0dc4b1..586a16e 100644
--- a/dev-example/config.yaml
+++ b/dev-example/config.yaml
@@ -40,6 +40,9 @@
           - name: admin
             fullName: Administrator
             password: "$2b$05$NiBd74ZGdplLC63ePZf1f.UtjMKkbQ23cQoO2OKOFalDBHWAOy21."
+          - name: operator
+            fullName: Operator
+            password: "$2b$05$hZaI/jToXf/d3BctZdT38Or7H7h6Pn2W3WiB49p5AyhDHFkkYCvo2"
           - name: test1
             fullName: Test Account 1
             password: "$2b$05$hZaI/jToXf/d3BctZdT38Or7H7h6Pn2W3WiB49p5AyhDHFkkYCvo2"
@@ -54,6 +57,8 @@
             # User admin has role admin
             admin:
             - admin
+            operator:
+            - operator
             test1:
             - user
             test2:
@@ -69,6 +74,8 @@
             # Admins can use all conlets
             admin:
             - "*"
+            operator:
+            - org.jdrupes.vmoperator.vmaccess.VmAccess
             user:
             - org.jdrupes.vmoperator.vmaccess.VmAccess
             # Others cannot use any conlet (except login conlet to log out)

From 224855efd3b12350966030c5453d34120fcca146 Mon Sep 17 00:00:00 2001
From: "Michael N. Lipp" <mnl@mnl.de>
Date: Sat, 25 Jan 2025 22:27:52 +0100
Subject: [PATCH 080/274] Disable empty lists.

---
 .../org/jdrupes/vmoperator/vmaccess/VmAccess-edit.ftl.html  | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/org.jdrupes.vmoperator.vmaccess/resources/org/jdrupes/vmoperator/vmaccess/VmAccess-edit.ftl.html b/org.jdrupes.vmoperator.vmaccess/resources/org/jdrupes/vmoperator/vmaccess/VmAccess-edit.ftl.html
index afbff3a..a34f725 100644
--- a/org.jdrupes.vmoperator.vmaccess/resources/org/jdrupes/vmoperator/vmaccess/VmAccess-edit.ftl.html
+++ b/org.jdrupes.vmoperator.vmaccess/resources/org/jdrupes/vmoperator/vmaccess/VmAccess-edit.ftl.html
@@ -10,7 +10,8 @@
         <ul>
           <li>
             <label>
-              <input v-model="resource" type="radio" value="vm">
+              <input v-model="resource" type="radio" value="vm"
+                <#if vmNames?size == 0>:disabled="true"</#if>label>
               <span>{{ localize("VM") }}</span>
               <select v-model="vmNameInput" :disabled="resource !== 'vm'">
               <#list vmNames as name>
@@ -21,7 +22,8 @@
           </li>
           <li>
             <label>
-              <input v-model="resource" type="radio" value="pool">
+              <input v-model="resource" type="radio" value="pool"
+                <#if poolNames?size == 0>:disabled="true"</#if>>
               <span>{{ localize("Pool") }}</span>
               <select v-model="poolNameInput" :disabled="resource !== 'pool'">
               <#list poolNames as name>

From 981cbe274456f3c674a94093ae85ec9cb1aed1f0 Mon Sep 17 00:00:00 2001
From: "Michael N. Lipp" <mnl@mnl.de>
Date: Sun, 26 Jan 2025 14:52:26 +0100
Subject: [PATCH 081/274] Improve readability.

---
 .../vmoperator/common/VmDefinition.java       | 18 ++++++++
 .../vmoperator/manager/PoolMonitor.java       | 22 ++++-----
 .../jdrupes/vmoperator/manager/VmMonitor.java | 45 +++++++++++++++----
 3 files changed, 65 insertions(+), 20 deletions(-)

diff --git a/org.jdrupes.vmoperator.common/src/org/jdrupes/vmoperator/common/VmDefinition.java b/org.jdrupes.vmoperator.common/src/org/jdrupes/vmoperator/common/VmDefinition.java
index 2742b88..da639f4 100644
--- a/org.jdrupes.vmoperator.common/src/org/jdrupes/vmoperator/common/VmDefinition.java
+++ b/org.jdrupes.vmoperator.common/src/org/jdrupes/vmoperator/common/VmDefinition.java
@@ -353,6 +353,24 @@ public class VmDefinition {
                 .map("True"::equals).orElse(false));
     }
 
+    /**
+     * Return true if the console is in use.
+     *
+     * @return true, if successful
+     */
+    public boolean consoleConnected() {
+        return conditionStatus("ConsoleConnected").orElse(false);
+    }
+
+    /**
+     * Return the last known console user.
+     *
+     * @return the optional
+     */
+    public Optional<String> consoleUser() {
+        return this.<String> fromStatus("consoleUser");
+    }
+
     /**
      * Set extra data (locally used, unknown to kubernetes).
      *
diff --git a/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/PoolMonitor.java b/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/PoolMonitor.java
index 4a7a1cb..0606650 100644
--- a/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/PoolMonitor.java
+++ b/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/PoolMonitor.java
@@ -23,7 +23,6 @@ import io.kubernetes.client.apimachinery.GroupVersionKind;
 import io.kubernetes.client.openapi.ApiException;
 import io.kubernetes.client.util.Watch;
 import java.io.IOException;
-import java.time.Instant;
 import java.util.Collections;
 import java.util.List;
 import java.util.Map;
@@ -171,17 +170,18 @@ public class PoolMonitor extends
         }
 
         // Sync last usage to console state change if user matches
-        var assignedTo = vmDef.assignedTo().orElse(null);
-        if (assignedTo == null || !assignedTo
-            .equals(vmDef.<String> fromStatus("consoleUser").orElse(null))) {
+        if (vmDef.assignedTo()
+            .map(at -> at.equals(vmDef.consoleUser().orElse(null)))
+            .orElse(true)) {
             return;
         }
-        var lastUsed
-            = vmDef.assignmentLastUsed().orElse(Instant.ofEpochSecond(0));
-        var conChange = vmDef.condition("ConsoleConnected")
-            .map(c -> c.getLastTransitionTime().toInstant())
-            .orElse(Instant.ofEpochSecond(0));
-        if (!conChange.isAfter(lastUsed)) {
+
+        var ccChange = vmDef.condition("ConsoleConnected")
+            .map(cc -> cc.getLastTransitionTime().toInstant());
+        if (ccChange
+            .map(tt -> vmDef.assignmentLastUsed().map(alu -> alu.isAfter(tt))
+                .orElse(true))
+            .orElse(true)) {
             return;
         }
         var vmStub = VmDefinitionStub.get(client(),
@@ -190,7 +190,7 @@ public class PoolMonitor extends
         vmStub.updateStatus(from -> {
             JsonObject status = from.status();
             var assignment = GsonPtr.to(status).to("assignment");
-            assignment.set("lastUsed", conChange.toString());
+            assignment.set("lastUsed", ccChange.get().toString());
             return status;
         });
     }
diff --git a/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/VmMonitor.java b/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/VmMonitor.java
index 9b6f75f..102a6c9 100644
--- a/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/VmMonitor.java
+++ b/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/VmMonitor.java
@@ -283,15 +283,7 @@ public class VmMonitor extends
             // Find available VM.
             var pool = vmPool;
             assignedVm = channelManager.channels().stream()
-                .filter(c -> c.vmDefinition().pools()
-                    .contains(event.fromPool()))
-                .filter(c -> !c.vmDefinition()
-                    .conditionStatus("ConsoleConnected").orElse(false))
-                .filter(c -> c.vmDefinition().assignedTo().isEmpty()
-                    || pool.retainUntil(c.vmDefinition()
-                        .<String> fromStatus("assignment", "lastUsed")
-                        .map(Instant::parse).orElse(Instant.ofEpochSecond(0)))
-                        .isBefore(Instant.now()))
+                .filter(c -> isAssignable(pool, c.vmDefinition()))
                 .sorted(Comparator.comparing(c -> c.vmDefinition()
                     .assignmentLastUsed().orElse(Instant.ofEpochSecond(0))))
                 .findFirst();
@@ -320,4 +312,39 @@ public class VmMonitor extends
                 assignedVm.get()));
         }
     }
+
+    @SuppressWarnings("PMD.SimplifyBooleanReturns")
+    private boolean isAssignable(VmPool pool, VmDefinition vmDef) {
+        // Check if the VM is in the pool
+        if (!vmDef.pools().contains(pool.name())) {
+            return false;
+        }
+
+        // Check if the VM is not in use
+        if (vmDef.consoleConnected()) {
+            return false;
+        }
+
+        // If not assigned, it's usable
+        if (vmDef.assignedTo().isEmpty()) {
+            return true;
+        }
+
+        // Check if it is to be retained
+        if (vmDef.assignmentLastUsed()
+            .map(lu -> pool.retainUntil(lu))
+            .map(ru -> Instant.now().isBefore(ru)).orElse(false)) {
+            return false;
+        }
+
+        // Additional check in case lastUsed has not been updated
+        // by PoolMonitor#onVmDefChanged() yet ("race condition")
+        if (vmDef.condition("ConsoleConnected")
+            .map(cc -> cc.getLastTransitionTime().toInstant())
+            .map(t -> pool.retainUntil(t))
+            .map(ru -> Instant.now().isBefore(ru)).orElse(false)) {
+            return false;
+        }
+        return true;
+    }
 }

From e7cc7cc879b1870de86df0c36a4a3a082db0e0d0 Mon Sep 17 00:00:00 2001
From: "Michael N. Lipp" <mnl@mnl.de>
Date: Sun, 26 Jan 2025 15:58:38 +0100
Subject: [PATCH 082/274] Enhance console connection entry.

---
 .../org/jdrupes/vmoperator/vmmgmt/VmMgmt-view.ftl.html     | 7 ++++++-
 .../org/jdrupes/vmoperator/vmmgmt/l10n.properties          | 1 +
 .../org/jdrupes/vmoperator/vmmgmt/l10n_de.properties       | 1 +
 .../jdrupes/vmoperator/vmmgmt/browser/VmMgmt-functions.ts  | 2 +-
 .../jdrupes/vmoperator/vmmgmt/browser/VmMgmt-style.scss    | 4 ++++
 5 files changed, 13 insertions(+), 2 deletions(-)

diff --git a/org.jdrupes.vmoperator.vmmgmt/resources/org/jdrupes/vmoperator/vmmgmt/VmMgmt-view.ftl.html b/org.jdrupes.vmoperator.vmmgmt/resources/org/jdrupes/vmoperator/vmmgmt/VmMgmt-view.ftl.html
index 9d0a2d4..a57c533 100644
--- a/org.jdrupes.vmoperator.vmmgmt/resources/org/jdrupes/vmoperator/vmmgmt/VmMgmt-view.ftl.html
+++ b/org.jdrupes.vmoperator.vmmgmt/resources/org/jdrupes/vmoperator/vmmgmt/VmMgmt-view.ftl.html
@@ -34,7 +34,7 @@
           :aria-expanded="(entry.name in detailsByName) ? 'true' : 'false'">
           <td v-for="key in controller.keys" 
             v-bind:class="'column-' + key"
-            v-bind:title="key == 'name' ? entry['name']: false"
+            v-bind:title="key == 'name' ? entry['name'] : null"
             v-bind:rowspan="(key == 'name') && $aash.isDisclosed(scopedId(rowIndex)) ? 2 : false">
             <aash-disclosure-button v-if="key === 'name'" :type="'div'"
               :id-ref="scopedId(rowIndex)">
@@ -48,6 +48,11 @@
               >{{ shortDateTime(entry[key].toString()) }}</span>
             <span v-else-if="key === 'currentRam'"
               >{{ formatMemory(entry[key]) }}</span>
+            <span v-else-if="key === 'usedBy'"
+              :class="{ 'console-conection-closed' : !entry.usedFrom }"
+              :title="entry.usedFrom ? localize('usedFrom') 
+                + ' ' + entry.usedFrom : localize('notInUse')"
+              v-html="controller.breakBeforeDots(entry[key])"></span>
             <span v-else
               v-html="controller.breakBeforeDots(entry[key])"></span>
           </td>
diff --git a/org.jdrupes.vmoperator.vmmgmt/resources/org/jdrupes/vmoperator/vmmgmt/l10n.properties b/org.jdrupes.vmoperator.vmmgmt/resources/org/jdrupes/vmoperator/vmmgmt/l10n.properties
index 51ca610..0ab15fd 100644
--- a/org.jdrupes.vmoperator.vmmgmt/resources/org/jdrupes/vmoperator/vmmgmt/l10n.properties
+++ b/org.jdrupes.vmoperator.vmmgmt/resources/org/jdrupes/vmoperator/vmmgmt/l10n.properties
@@ -7,6 +7,7 @@ currentCpus = Current CPUs
 currentRam = Current RAM
 maximumCpus = Maximum CPUs
 maximumRam = Maximum RAM
+notInUse = Currently closed
 nodeName = Node
 requestedCpus = Requested CPUs
 requestedRam = Requested RAM
diff --git a/org.jdrupes.vmoperator.vmmgmt/resources/org/jdrupes/vmoperator/vmmgmt/l10n_de.properties b/org.jdrupes.vmoperator.vmmgmt/resources/org/jdrupes/vmoperator/vmmgmt/l10n_de.properties
index 3e67928..c8d8c4d 100644
--- a/org.jdrupes.vmoperator.vmmgmt/resources/org/jdrupes/vmoperator/vmmgmt/l10n_de.properties
+++ b/org.jdrupes.vmoperator.vmmgmt/resources/org/jdrupes/vmoperator/vmmgmt/l10n_de.properties
@@ -12,6 +12,7 @@ currentRam = Akuelles RAM
 maximumCpus = Maximale CPUs
 maximumRam = Maximales RAM
 nodeName = Knoten
+notInUse = Derzeit geschlossen
 requestedCpus = Angeforderte CPUs
 requestedRam = Angefordertes RAM
 running = Gestartet
diff --git a/org.jdrupes.vmoperator.vmmgmt/src/org/jdrupes/vmoperator/vmmgmt/browser/VmMgmt-functions.ts b/org.jdrupes.vmoperator.vmmgmt/src/org/jdrupes/vmoperator/vmmgmt/browser/VmMgmt-functions.ts
index f18836a..d8247ba 100644
--- a/org.jdrupes.vmoperator.vmmgmt/src/org/jdrupes/vmoperator/vmmgmt/browser/VmMgmt-functions.ts
+++ b/org.jdrupes.vmoperator.vmmgmt/src/org/jdrupes/vmoperator/vmmgmt/browser/VmMgmt-functions.ts
@@ -164,7 +164,7 @@ window.orgJDrupesVmOperatorVmMgmt.initView = (viewDom: HTMLElement,
             return {
                 controller, vmInfos, filteredData, detailsByName, localize, 
                 shortDateTime, formatMemory, vmAction, cic, parseMemory,
-                maximumCpus,
+                maximumCpus, 
                 scopedId: (id: string) => { return idScope.scopedId(id); }
             };
         }
diff --git a/org.jdrupes.vmoperator.vmmgmt/src/org/jdrupes/vmoperator/vmmgmt/browser/VmMgmt-style.scss b/org.jdrupes.vmoperator.vmmgmt/src/org/jdrupes/vmoperator/vmmgmt/browser/VmMgmt-style.scss
index 9d7721a..3a3f0d7 100644
--- a/org.jdrupes.vmoperator.vmmgmt/src/org/jdrupes/vmoperator/vmmgmt/browser/VmMgmt-style.scss
+++ b/org.jdrupes.vmoperator.vmmgmt/src/org/jdrupes/vmoperator/vmmgmt/browser/VmMgmt-style.scss
@@ -72,6 +72,10 @@
         }
       }
     }
+    
+    .console-conection-closed {
+      color: var(--disabled);
+    }
   }
   
   td.details {

From 3ca632c8dab3047a7f42013ae023a4a932d66c9f Mon Sep 17 00:00:00 2001
From: "Michael N. Lipp" <mnl@mnl.de>
Date: Sun, 26 Jan 2025 17:21:36 +0100
Subject: [PATCH 083/274] Exchange columns.

---
 .../org/jdrupes/vmoperator/vmmgmt/browser/VmMgmt-functions.ts | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/org.jdrupes.vmoperator.vmmgmt/src/org/jdrupes/vmoperator/vmmgmt/browser/VmMgmt-functions.ts b/org.jdrupes.vmoperator.vmmgmt/src/org/jdrupes/vmoperator/vmmgmt/browser/VmMgmt-functions.ts
index d8247ba..c7f8519 100644
--- a/org.jdrupes.vmoperator.vmmgmt/src/org/jdrupes/vmoperator/vmmgmt/browser/VmMgmt-functions.ts
+++ b/org.jdrupes.vmoperator.vmmgmt/src/org/jdrupes/vmoperator/vmmgmt/browser/VmMgmt-functions.ts
@@ -112,8 +112,8 @@ window.orgJDrupesVmOperatorVmMgmt.initView = (viewDom: HTMLElement,
                 ["currentCpus", "currentCpus"],
                 ["currentRam", "currentRam"],
                 ["nodeName", "nodeName"],
-                ["assignedTo", "assignedTo"],
-                ["usedBy", "usedBy"]
+                ["usedBy", "usedBy"],
+                ["assignedTo", "assignedTo"]
             ], {
                 sortKey: "name",
                 sortOrder: "up"

From 1b5ad5b73e0e98edc8bca1e99618c764e3af5f35 Mon Sep 17 00:00:00 2001
From: "Michael N. Lipp" <mnl@mnl.de>
Date: Sun, 26 Jan 2025 21:49:37 +0100
Subject: [PATCH 084/274] Prevent unauthorized console take over.

---
 deploy/crds/vms-crd.yaml                         |  5 +++++
 .../jdrupes/vmoperator/common/VmDefinition.java  |  2 +-
 .../jdrupes/vmoperator/vmaccess/l10n.properties  |  1 +
 .../vmoperator/vmaccess/l10n_de.properties       |  1 +
 .../jdrupes/vmoperator/vmaccess/VmAccess.java    | 16 +++++++++++++---
 5 files changed, 21 insertions(+), 4 deletions(-)

diff --git a/deploy/crds/vms-crd.yaml b/deploy/crds/vms-crd.yaml
index 9d7bbb8..7b46dc7 100644
--- a/deploy/crds/vms-crd.yaml
+++ b/deploy/crds/vms-crd.yaml
@@ -994,6 +994,10 @@ spec:
                   type: array
                   description: >-
                     Defines permissions for accessing and manipulating the VM.
+                    The meaning of most permissions should be obvious. The
+                    difference between "accessConsole" and "takeConsole" is
+                    that "takeConsole" allows the user to take control of
+                    the console even if it is already in use by another user.
                   items:
                     type: object
                     description: >-
@@ -1017,6 +1021,7 @@ spec:
                           - stop
                           - reset
                           - accessConsole
+                          - takeConsole
                           - "*"
                         default: []
                 pools:
diff --git a/org.jdrupes.vmoperator.common/src/org/jdrupes/vmoperator/common/VmDefinition.java b/org.jdrupes.vmoperator.common/src/org/jdrupes/vmoperator/common/VmDefinition.java
index da639f4..f577d28 100644
--- a/org.jdrupes.vmoperator.common/src/org/jdrupes/vmoperator/common/VmDefinition.java
+++ b/org.jdrupes.vmoperator.common/src/org/jdrupes/vmoperator/common/VmDefinition.java
@@ -65,7 +65,7 @@ public class VmDefinition {
      */
     public enum Permission {
         START("start"), STOP("stop"), RESET("reset"),
-        ACCESS_CONSOLE("accessConsole");
+        ACCESS_CONSOLE("accessConsole"), TAKE_CONSOLE("takeConsole");
 
         @SuppressWarnings("PMD.UseConcurrentHashMap")
         private static Map<String, Permission> reprs = new HashMap<>();
diff --git a/org.jdrupes.vmoperator.vmaccess/resources/org/jdrupes/vmoperator/vmaccess/l10n.properties b/org.jdrupes.vmoperator.vmaccess/resources/org/jdrupes/vmoperator/vmaccess/l10n.properties
index 6305a4b..8f4051e 100644
--- a/org.jdrupes.vmoperator.vmaccess/resources/org/jdrupes/vmoperator/vmaccess/l10n.properties
+++ b/org.jdrupes.vmoperator.vmaccess/resources/org/jdrupes/vmoperator/vmaccess/l10n.properties
@@ -5,4 +5,5 @@ okayLabel = Apply and Close
 confirmResetTitle = Confirm reset
 confirmResetMsg = Resetting the VM may cause loss of data. \
   Please confirm to continue.
+consoleTakenNotification = Console access is locked by another user.
 poolEmptyNotification = No VM available. Please consult your administrator.
diff --git a/org.jdrupes.vmoperator.vmaccess/resources/org/jdrupes/vmoperator/vmaccess/l10n_de.properties b/org.jdrupes.vmoperator.vmaccess/resources/org/jdrupes/vmoperator/vmaccess/l10n_de.properties
index dbd3b11..e51eb5e 100644
--- a/org.jdrupes.vmoperator.vmaccess/resources/org/jdrupes/vmoperator/vmaccess/l10n_de.properties
+++ b/org.jdrupes.vmoperator.vmaccess/resources/org/jdrupes/vmoperator/vmaccess/l10n_de.properties
@@ -11,6 +11,7 @@ Open\ console = Konsole anzeigen
 confirmResetTitle = Zurücksetzen bestätigen
 confirmResetMsg = Zurücksetzen der VM kann zu Datenverlust führen. \
   Bitte bestätigen um fortzufahren.
+consoleTakenNotification = Die Konsole wird von einem anderen Benutzer verwendet.
 poolEmptyNotification = Keine VM verfügbar. Wenden Sie sich bitte an den \
   Systemadministrator.
   
\ No newline at end of file
diff --git a/org.jdrupes.vmoperator.vmaccess/src/org/jdrupes/vmoperator/vmaccess/VmAccess.java b/org.jdrupes.vmoperator.vmaccess/src/org/jdrupes/vmoperator/vmaccess/VmAccess.java
index 5c72309..5f2d747 100644
--- a/org.jdrupes.vmoperator.vmaccess/src/org/jdrupes/vmoperator/vmaccess/VmAccess.java
+++ b/org.jdrupes.vmoperator.vmaccess/src/org/jdrupes/vmoperator/vmaccess/VmAccess.java
@@ -779,9 +779,19 @@ public class VmAccess extends FreeMarkerConlet<VmAccess.ResourceModel> {
             }
             break;
         case "openConsole":
-            if (perms.contains(VmDefinition.Permission.ACCESS_CONSOLE)) {
-                var user = WebConsoleUtils.userFromSession(channel.session())
-                    .map(ConsoleUser::getName).orElse("");
+            var user = WebConsoleUtils.userFromSession(channel.session())
+                .map(ConsoleUser::getName).orElse("");
+            if (vmDef.conditionStatus("ConsoleConnected").orElse(false)
+                && vmDef.consoleUser().map(cu -> !cu.equals(user)
+                    && !perms.contains(VmDefinition.Permission.TAKE_CONSOLE))
+                    .orElse(false)) {
+                channel.respond(new DisplayNotification(
+                    resourceBundle.getString("consoleTakenNotification"),
+                    Map.of("autoClose", 5_000, "type", "Warning")));
+                return;
+            }
+            if (perms.contains(VmDefinition.Permission.ACCESS_CONSOLE)
+                || perms.contains(VmDefinition.Permission.TAKE_CONSOLE)) {
                 var pwQuery
                     = Event.onCompletion(new GetDisplayPassword(vmDef, user),
                         e -> openConsole(vmDef, channel, model,

From 86f6ece2648bbc514cd7fbb9a7ae8a4e54a21c78 Mon Sep 17 00:00:00 2001
From: "Michael N. Lipp" <mnl@mnl.de>
Date: Sun, 26 Jan 2025 21:55:24 +0100
Subject: [PATCH 085/274] Adjust auto close time.

---
 .../src/org/jdrupes/vmoperator/vmaccess/VmAccess.java           | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/org.jdrupes.vmoperator.vmaccess/src/org/jdrupes/vmoperator/vmaccess/VmAccess.java b/org.jdrupes.vmoperator.vmaccess/src/org/jdrupes/vmoperator/vmaccess/VmAccess.java
index 5f2d747..786fedf 100644
--- a/org.jdrupes.vmoperator.vmaccess/src/org/jdrupes/vmoperator/vmaccess/VmAccess.java
+++ b/org.jdrupes.vmoperator.vmaccess/src/org/jdrupes/vmoperator/vmaccess/VmAccess.java
@@ -745,7 +745,7 @@ public class VmAccess extends FreeMarkerConlet<VmAccess.ResourceModel> {
                         = resourceBundle(channel.locale());
                     channel.respond(new DisplayNotification(
                         resourceBundle.getString("poolEmptyNotification"),
-                        Map.of("autoClose", 15_000, "type", "Error")));
+                        Map.of("autoClose", 10_000, "type", "Error")));
                     return;
                 }
             }

From 5cd4edcec12672a74b07df52ac11aa4c1bfdc258 Mon Sep 17 00:00:00 2001
From: "Michael N. Lipp" <mnl@mnl.de>
Date: Tue, 28 Jan 2025 18:08:28 +0100
Subject: [PATCH 086/274] Don't add channels until fully initialized.

---
 .../manager/events/ChannelManager.java          | 17 +++++++++++++++++
 .../org/jdrupes/vmoperator/vmmgmt/VmMgmt.java   |  2 ++
 2 files changed, 19 insertions(+)

diff --git a/org.jdrupes.vmoperator.manager.events/src/org/jdrupes/vmoperator/manager/events/ChannelManager.java b/org.jdrupes.vmoperator.manager.events/src/org/jdrupes/vmoperator/manager/events/ChannelManager.java
index 2cf7a85..ce0e4f0 100644
--- a/org.jdrupes.vmoperator.manager.events/src/org/jdrupes/vmoperator/manager/events/ChannelManager.java
+++ b/org.jdrupes.vmoperator.manager.events/src/org/jdrupes/vmoperator/manager/events/ChannelManager.java
@@ -62,6 +62,11 @@ public class ChannelManager<K, C extends Channel, A>
         this(k -> null);
     }
 
+    /**
+     * Return all keys.
+     *
+     * @return the keys.
+     */
     @Override
     public Set<K> keys() {
         return entries.keySet();
@@ -113,6 +118,18 @@ public class ChannelManager<K, C extends Channel, A>
         return this;
     }
 
+    /**
+     * Creates a new channel without adding it to the channel manager.
+     * After fully initializing the channel, it should be added to the 
+     * manager using {@link #put(K, C)}.
+     *
+     * @param key the key
+     * @return the c
+     */
+    public C createChannel(K key) {
+        return supplier.apply(key);
+    }
+
     /**
      * Returns the {@link Channel} for the given name, creating it using 
      * the supplier passed to the constructor if it doesn't exist yet.
diff --git a/org.jdrupes.vmoperator.vmmgmt/src/org/jdrupes/vmoperator/vmmgmt/VmMgmt.java b/org.jdrupes.vmoperator.vmmgmt/src/org/jdrupes/vmoperator/vmmgmt/VmMgmt.java
index dbe17ca..3842cbc 100644
--- a/org.jdrupes.vmoperator.vmmgmt/src/org/jdrupes/vmoperator/vmmgmt/VmMgmt.java
+++ b/org.jdrupes.vmoperator.vmmgmt/src/org/jdrupes/vmoperator/vmmgmt/VmMgmt.java
@@ -352,6 +352,8 @@ public class VmMgmt extends FreeMarkerConlet<VmMgmt.VmsModel> {
         case "stop":
             fire(new ModifyVm(vmName, "state", "Stopped", vmChannel));
             break;
+        case "openConsole":
+            break;
         case "cpus":
             fire(new ModifyVm(vmName, "currentCpus",
                 new BigDecimal(event.param(1).toString()).toBigInteger(),

From af41c78c078b09068f5c5bdbc44087e8e98990a3 Mon Sep 17 00:00:00 2001
From: "Michael N. Lipp" <mnl@mnl.de>
Date: Wed, 29 Jan 2025 17:33:16 +0100
Subject: [PATCH 087/274] Add console access to VM management.

---
 dev-example/config.yaml                       |   1 +
 .../vmoperator/common/VmDefinition.java       | 114 ++++++++++++++-
 .../jdrupes/vmoperator/manager/VmMonitor.java |  11 +-
 .../jdrupes/vmoperator/vmaccess/VmAccess.java | 119 ++++------------
 .../vmaccess/browser/VmAccess-functions.ts    |   5 +-
 .../vmoperator/vmmgmt/VmMgmt-view.ftl.html    |  16 ++-
 .../vmoperator/vmmgmt/computer-in-use.svg     |  90 ++++++++++++
 .../vmoperator/vmmgmt/computer-off.svg        |  74 ++++++++++
 .../jdrupes/vmoperator/vmmgmt/computer.svg    |  74 ++++++++++
 .../jdrupes/vmoperator/vmmgmt/l10n.properties |   5 +
 .../vmoperator/vmmgmt/l10n_de.properties      |   6 +
 .../org/jdrupes/vmoperator/vmmgmt/VmMgmt.java | 132 +++++++++++++++---
 .../vmmgmt/browser/VmMgmt-functions.ts        |  24 +++-
 .../vmmgmt/browser/VmMgmt-style.scss          |  14 ++
 14 files changed, 561 insertions(+), 124 deletions(-)
 create mode 100644 org.jdrupes.vmoperator.vmmgmt/resources/org/jdrupes/vmoperator/vmmgmt/computer-in-use.svg
 create mode 100644 org.jdrupes.vmoperator.vmmgmt/resources/org/jdrupes/vmoperator/vmmgmt/computer-off.svg
 create mode 100644 org.jdrupes.vmoperator.vmmgmt/resources/org/jdrupes/vmoperator/vmmgmt/computer.svg

diff --git a/dev-example/config.yaml b/dev-example/config.yaml
index 586a16e..2a72bc8 100644
--- a/dev-example/config.yaml
+++ b/dev-example/config.yaml
@@ -75,6 +75,7 @@
             admin:
             - "*"
             operator:
+            - org.jdrupes.vmoperator.vmmgmt.VmMgmt
             - org.jdrupes.vmoperator.vmaccess.VmAccess
             user:
             - org.jdrupes.vmoperator.vmaccess.VmAccess
diff --git a/org.jdrupes.vmoperator.common/src/org/jdrupes/vmoperator/common/VmDefinition.java b/org.jdrupes.vmoperator.common/src/org/jdrupes/vmoperator/common/VmDefinition.java
index f577d28..ffb1bf2 100644
--- a/org.jdrupes.vmoperator.common/src/org/jdrupes/vmoperator/common/VmDefinition.java
+++ b/org.jdrupes.vmoperator.common/src/org/jdrupes/vmoperator/common/VmDefinition.java
@@ -1,6 +1,6 @@
 /*
  * VM-Operator
- * Copyright (C) 2024 Michael N. Lipp
+ * Copyright (C) 2025 Michael N. Lipp
  * 
  * This program is free software: you can redistribute it and/or modify
  * it under the terms of the GNU Affero General Public License as
@@ -22,11 +22,15 @@ import com.fasterxml.jackson.databind.ObjectMapper;
 import com.fasterxml.jackson.datatype.jsr310.JavaTimeModule;
 import io.kubernetes.client.openapi.models.V1Condition;
 import io.kubernetes.client.openapi.models.V1ObjectMeta;
+import io.kubernetes.client.util.Strings;
+import java.net.InetAddress;
+import java.net.UnknownHostException;
 import java.time.Instant;
 import java.util.Collection;
 import java.util.Collections;
 import java.util.EnumSet;
 import java.util.HashMap;
+import java.util.HashSet;
 import java.util.List;
 import java.util.Map;
 import java.util.Objects;
@@ -34,6 +38,8 @@ import java.util.Optional;
 import java.util.Set;
 import java.util.concurrent.ConcurrentHashMap;
 import java.util.function.Function;
+import java.util.logging.Level;
+import java.util.logging.Logger;
 import java.util.stream.Collectors;
 import org.jdrupes.vmoperator.util.DataPath;
 
@@ -43,7 +49,11 @@ import org.jdrupes.vmoperator.util.DataPath;
 @SuppressWarnings({ "PMD.DataClass", "PMD.TooManyMethods" })
 public class VmDefinition {
 
-    private static ObjectMapper objectMapper
+    @SuppressWarnings("PMD.FieldNamingConventions")
+    private static final Logger logger
+        = Logger.getLogger(VmDefinition.class.getName());
+    @SuppressWarnings("PMD.FieldNamingConventions")
+    private static final ObjectMapper objectMapper
         = new ObjectMapper().registerModule(new JavaTimeModule());
 
     private String kind;
@@ -427,6 +437,8 @@ public class VmDefinition {
 
     /**
      * Collect all permissions for the given user with the given roles.
+     * If permission "takeConsole" is granted, the result will also
+     * contain "accessConsole" to simplify checks.
      *
      * @param user the user
      * @param roles the roles
@@ -434,7 +446,7 @@ public class VmDefinition {
      */
     public Set<Permission> permissionsFor(String user,
             Collection<String> roles) {
-        return this.<List<Map<String, Object>>> fromSpec("permissions")
+        var result = this.<List<Map<String, Object>>> fromSpec("permissions")
             .orElse(Collections.emptyList()).stream()
             .filter(p -> DataPath.get(p, "user").map(u -> u.equals(user))
                 .orElse(false)
@@ -443,7 +455,29 @@ public class VmDefinition {
                 .orElse(Collections.emptyList()).stream())
             .flatMap(Function.identity())
             .map(Permission::parse).map(Set::stream)
-            .flatMap(Function.identity()).collect(Collectors.toSet());
+            .flatMap(Function.identity())
+            .collect(Collectors.toCollection(HashSet::new));
+
+        // Take console implies access console, simplify checks
+        if (result.contains(Permission.TAKE_CONSOLE)) {
+            result.add(Permission.ACCESS_CONSOLE);
+        }
+        return result;
+    }
+
+    /**
+     * Check if the console is accessible. Returns true if the console is
+     * currently unused, used by the given user or if the permissions
+     * allow taking over the console. 
+     *
+     * @param user the user
+     * @param permissions the permissions
+     * @return true, if successful
+     */
+    public boolean consoleAccessible(String user, Set<Permission> permissions) {
+        return !conditionStatus("ConsoleConnected").orElse(true)
+            || consoleUser().map(cu -> cu.equals(user)).orElse(true)
+            || permissions.contains(VmDefinition.Permission.TAKE_CONSOLE);
     }
 
     /**
@@ -456,6 +490,78 @@ public class VmDefinition {
             .map(Number::longValue);
     }
 
+    /**
+     * Create a connection file.
+     *
+     * @param password the password
+     * @param preferredIpVersion the preferred IP version
+     * @param deleteConnectionFile the delete connection file
+     * @return the string
+     */
+    public String connectionFile(String password,
+            Class<?> preferredIpVersion, boolean deleteConnectionFile) {
+        var addr = displayIp(preferredIpVersion);
+        if (addr.isEmpty()) {
+            logger.severe(() -> "Failed to find display IP for " + name());
+            return null;
+        }
+        var port = this.<Number> fromVm("display", "spice", "port")
+            .map(Number::longValue);
+        if (port.isEmpty()) {
+            logger.severe(() -> "No port defined for display of " + name());
+            return null;
+        }
+        StringBuffer data = new StringBuffer(100)
+            .append("[virt-viewer]\ntype=spice\nhost=")
+            .append(addr.get().getHostAddress()).append("\nport=")
+            .append(port.get().toString())
+            .append('\n');
+        if (password != null) {
+            data.append("password=").append(password).append('\n');
+        }
+        this.<String> fromVm("display", "spice", "proxyUrl")
+            .ifPresent(u -> {
+                if (!Strings.isNullOrEmpty(u)) {
+                    data.append("proxy=").append(u).append('\n');
+                }
+            });
+        if (deleteConnectionFile) {
+            data.append("delete-this-file=1\n");
+        }
+        return data.toString();
+    }
+
+    private Optional<InetAddress> displayIp(Class<?> preferredIpVersion) {
+        Optional<String> server = fromVm("display", "spice", "server");
+        if (server.isPresent()) {
+            var srv = server.get();
+            try {
+                var addr = InetAddress.getByName(srv);
+                logger.fine(() -> "Using IP address from CRD for "
+                    + getMetadata().getName() + ": " + addr);
+                return Optional.of(addr);
+            } catch (UnknownHostException e) {
+                logger.log(Level.SEVERE, e, () -> "Invalid server address "
+                    + srv + ": " + e.getMessage());
+                return Optional.empty();
+            }
+        }
+        var addrs = Optional.<List<String>> ofNullable(
+            extra("nodeAddresses")).orElse(Collections.emptyList()).stream()
+            .map(a -> {
+                try {
+                    return InetAddress.getByName(a);
+                } catch (UnknownHostException e) {
+                    logger.warning(() -> "Invalid IP address: " + a);
+                    return null;
+                }
+            }).filter(a -> a != null).toList();
+        logger.fine(() -> "Known IP addresses for " + name() + ": " + addrs);
+        return addrs.stream()
+            .filter(a -> preferredIpVersion.isAssignableFrom(a.getClass()))
+            .findFirst().or(() -> addrs.stream().findFirst());
+    }
+
     /**
      * Hash code.
      *
diff --git a/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/VmMonitor.java b/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/VmMonitor.java
index 102a6c9..2060109 100644
--- a/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/VmMonitor.java
+++ b/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/VmMonitor.java
@@ -30,6 +30,7 @@ import java.util.ArrayList;
 import java.util.Comparator;
 import java.util.Optional;
 import java.util.Set;
+import java.util.concurrent.atomic.AtomicBoolean;
 import java.util.logging.Level;
 import java.util.stream.Collectors;
 import static org.jdrupes.vmoperator.common.Constants.VM_OP_GROUP;
@@ -125,7 +126,12 @@ public class VmMonitor extends
     protected void handleChange(K8sClient client,
             Watch.Response<VmDefinitionModel> response) {
         V1ObjectMeta metadata = response.object.getMetadata();
-        VmChannel channel = channelManager.channelGet(metadata.getName());
+        AtomicBoolean toBeAdded = new AtomicBoolean(false);
+        VmChannel channel = channelManager.channel(metadata.getName())
+            .orElseGet(() -> {
+                toBeAdded.set(true);
+                return channelManager.createChannel(metadata.getName());
+            });
 
         // Get full definition and associate with channel as backup
         var vmModel = response.object;
@@ -151,6 +157,9 @@ public class VmMonitor extends
                 + response.object.getMetadata());
             return;
         }
+        if (toBeAdded.get()) {
+            channelManager.put(vmDef.name(), channel);
+        }
 
         // Create and fire changed event. Remove channel from channel
         // manager on completion.
diff --git a/org.jdrupes.vmoperator.vmaccess/src/org/jdrupes/vmoperator/vmaccess/VmAccess.java b/org.jdrupes.vmoperator.vmaccess/src/org/jdrupes/vmoperator/vmaccess/VmAccess.java
index 786fedf..fa00482 100644
--- a/org.jdrupes.vmoperator.vmaccess/src/org/jdrupes/vmoperator/vmaccess/VmAccess.java
+++ b/org.jdrupes.vmoperator.vmaccess/src/org/jdrupes/vmoperator/vmaccess/VmAccess.java
@@ -32,10 +32,7 @@ import io.kubernetes.client.util.Strings;
 import java.io.IOException;
 import java.net.Inet4Address;
 import java.net.Inet6Address;
-import java.net.InetAddress;
-import java.net.UnknownHostException;
 import java.time.Duration;
-import java.util.Base64;
 import java.util.Collections;
 import java.util.EnumSet;
 import java.util.HashSet;
@@ -779,24 +776,8 @@ public class VmAccess extends FreeMarkerConlet<VmAccess.ResourceModel> {
             }
             break;
         case "openConsole":
-            var user = WebConsoleUtils.userFromSession(channel.session())
-                .map(ConsoleUser::getName).orElse("");
-            if (vmDef.conditionStatus("ConsoleConnected").orElse(false)
-                && vmDef.consoleUser().map(cu -> !cu.equals(user)
-                    && !perms.contains(VmDefinition.Permission.TAKE_CONSOLE))
-                    .orElse(false)) {
-                channel.respond(new DisplayNotification(
-                    resourceBundle.getString("consoleTakenNotification"),
-                    Map.of("autoClose", 5_000, "type", "Warning")));
-                return;
-            }
-            if (perms.contains(VmDefinition.Permission.ACCESS_CONSOLE)
-                || perms.contains(VmDefinition.Permission.TAKE_CONSOLE)) {
-                var pwQuery
-                    = Event.onCompletion(new GetDisplayPassword(vmDef, user),
-                        e -> openConsole(vmDef, channel, model,
-                            e.password().orElse(null)));
-                fire(pwQuery, vmChannel);
+            if (perms.contains(VmDefinition.Permission.ACCESS_CONSOLE)) {
+                openConsole(channel, model, vmChannel, vmDef, perms);
             }
             break;
         default:// ignore
@@ -804,6 +785,30 @@ public class VmAccess extends FreeMarkerConlet<VmAccess.ResourceModel> {
         }
     }
 
+    private void openConsole(ConsoleConnection channel, ResourceModel model,
+            VmChannel vmChannel, VmDefinition vmDef, Set<Permission> perms) {
+        var resourceBundle = resourceBundle(channel.locale());
+        var user = WebConsoleUtils.userFromSession(channel.session())
+            .map(ConsoleUser::getName).orElse("");
+        if (!vmDef.consoleAccessible(user, perms)) {
+            channel.respond(new DisplayNotification(
+                resourceBundle.getString("consoleTakenNotification"),
+                Map.of("autoClose", 5_000, "type", "Warning")));
+            return;
+        }
+        var pwQuery = Event.onCompletion(new GetDisplayPassword(vmDef, user),
+            e -> {
+                var data = vmDef.connectionFile(e.password().orElse(null),
+                    preferredIpVersion, deleteConnectionFile);
+                if (data == null) {
+                    return;
+                }
+                channel.respond(new NotifyConletView(type(),
+                    model.getConletId(), "openConsole", data));
+            });
+        fire(pwQuery, vmChannel);
+    }
+
     @SuppressWarnings({ "PMD.AvoidLiteralsInIfCondition",
         "PMD.UseLocaleWithCaseConversions" })
     private void selectResource(NotifyConletModel event,
@@ -823,78 +828,6 @@ public class VmAccess extends FreeMarkerConlet<VmAccess.ResourceModel> {
         }
     }
 
-    private void openConsole(VmDefinition vmDef, ConsoleConnection connection,
-            ResourceModel model, String password) {
-        if (vmDef == null) {
-            return;
-        }
-        var addr = displayIp(vmDef);
-        if (addr.isEmpty()) {
-            logger
-                .severe(() -> "Failed to find display IP for " + vmDef.name());
-            return;
-        }
-        var port = vmDef.<Number> fromVm("display", "spice", "port")
-            .map(Number::longValue);
-        if (port.isEmpty()) {
-            logger
-                .severe(() -> "No port defined for display of " + vmDef.name());
-            return;
-        }
-        StringBuffer data = new StringBuffer(100)
-            .append("[virt-viewer]\ntype=spice\nhost=")
-            .append(addr.get().getHostAddress()).append("\nport=")
-            .append(port.get().toString())
-            .append('\n');
-        if (password != null) {
-            data.append("password=").append(password).append('\n');
-        }
-        vmDef.<String> fromVm("display", "spice", "proxyUrl")
-            .ifPresent(u -> {
-                if (!Strings.isNullOrEmpty(u)) {
-                    data.append("proxy=").append(u).append('\n');
-                }
-            });
-        if (deleteConnectionFile) {
-            data.append("delete-this-file=1\n");
-        }
-        connection.respond(new NotifyConletView(type(),
-            model.getConletId(), "openConsole", "application/x-virt-viewer",
-            Base64.getEncoder().encodeToString(data.toString().getBytes())));
-    }
-
-    private Optional<InetAddress> displayIp(VmDefinition vmDef) {
-        Optional<String> server = vmDef.fromVm("display", "spice", "server");
-        if (server.isPresent()) {
-            var srv = server.get();
-            try {
-                var addr = InetAddress.getByName(srv);
-                logger.fine(() -> "Using IP address from CRD for "
-                    + vmDef.getMetadata().getName() + ": " + addr);
-                return Optional.of(addr);
-            } catch (UnknownHostException e) {
-                logger.log(Level.SEVERE, e, () -> "Invalid server address "
-                    + srv + ": " + e.getMessage());
-                return Optional.empty();
-            }
-        }
-        var addrs = Optional.<List<String>> ofNullable(vmDef
-            .extra("nodeAddresses")).orElse(Collections.emptyList()).stream()
-            .map(a -> {
-                try {
-                    return InetAddress.getByName(a);
-                } catch (UnknownHostException e) {
-                    logger.warning(() -> "Invalid IP address: " + a);
-                    return null;
-                }
-            }).filter(a -> a != null).toList();
-        logger.fine(() -> "Known IP addresses for "
-            + vmDef.name() + ": " + addrs);
-        return addrs.stream()
-            .filter(a -> preferredIpVersion.isAssignableFrom(a.getClass()))
-            .findFirst().or(() -> addrs.stream().findFirst());
-    }
-
     private void confirmReset(NotifyConletModel event,
             ConsoleConnection channel, ResourceModel model,
             ResourceBundle resourceBundle) throws TemplateNotFoundException,
diff --git a/org.jdrupes.vmoperator.vmaccess/src/org/jdrupes/vmoperator/vmaccess/browser/VmAccess-functions.ts b/org.jdrupes.vmoperator.vmaccess/src/org/jdrupes/vmoperator/vmaccess/browser/VmAccess-functions.ts
index de65216..9d2e134 100644
--- a/org.jdrupes.vmoperator.vmaccess/src/org/jdrupes/vmoperator/vmaccess/browser/VmAccess-functions.ts
+++ b/org.jdrupes.vmoperator.vmaccess/src/org/jdrupes/vmoperator/vmaccess/browser/VmAccess-functions.ts
@@ -198,7 +198,7 @@ JGConsole.registerConletFunction("org.jdrupes.vmoperator.vmaccess.VmAccess",
     });
 
 JGConsole.registerConletFunction("org.jdrupes.vmoperator.vmaccess.VmAccess",
-    "openConsole", function(_conletId: string, mimeType: string, data: string) {
+    "openConsole", function(_conletId: string, data: string) {
         let target = document.getElementById(
             "org.jdrupes.vmoperator.vmaccess.VmAccess.target");
         if (!target) {
@@ -208,7 +208,8 @@ JGConsole.registerConletFunction("org.jdrupes.vmoperator.vmaccess.VmAccess",
             target.setAttribute("style", "display: none;");            
             document.querySelector("body")!.append(target);
         }
-        const url = "data:" + mimeType + ";base64," + data;
+        const url = "data:application/x-virt-viewer;base64," 
+            + window.btoa(data);
         window.open(url, target.id);
     });
 
diff --git a/org.jdrupes.vmoperator.vmmgmt/resources/org/jdrupes/vmoperator/vmmgmt/VmMgmt-view.ftl.html b/org.jdrupes.vmoperator.vmmgmt/resources/org/jdrupes/vmoperator/vmmgmt/VmMgmt-view.ftl.html
index a57c533..178d069 100644
--- a/org.jdrupes.vmoperator.vmmgmt/resources/org/jdrupes/vmoperator/vmmgmt/VmMgmt-view.ftl.html
+++ b/org.jdrupes.vmoperator.vmmgmt/resources/org/jdrupes/vmoperator/vmmgmt/VmMgmt-view.ftl.html
@@ -1,6 +1,7 @@
 <div class="jdrupes-vmoperator-vmmgmt jdrupes-vmoperator-vmmgmt-view"
   data-jgwc-on-load="orgJDrupesVmOperatorVmMgmt.initView"
-  data-jgwc-on-unload="JGConsole.jgwc.unmountVueApps">
+  data-jgwc-on-unload="JGConsole.jgwc.unmountVueApps"
+  data-conlet-resource-base="${conletResource('')}">
   <div class="jdrupes-vmoperator-vmmgmt-view-search">
     <form>
       <label class="form__label--horizontal">
@@ -58,17 +59,26 @@
           </td>
           <td class="jdrupes-vmoperator-vmmgmt-view-action-list">
             <span role="button" 
-              v-if="entry.spec.vm.state != 'Running' && !entry['running']" 
+              v-if="entry.spec.vm.state != 'Running' && !entry['running']
+                && entry.permissions.includes('start')" 
               tabindex="0" class="fa fa-play" :title="localize('Start VM')"
               v-on:click="vmAction(entry.name, 'start')"></span>
             <span role="button" v-else class="fa fa-play"
               aria-disabled="true" :title="localize('Start VM')"></span>
             <span role="button"
-              v-if="entry.spec.vm.state != 'Stopped' && entry['running']"
+              v-if="entry.spec.vm.state != 'Stopped' && entry['running']
+                && entry.permissions.includes('stop')" 
               tabindex="0" class="fa fa-stop" :title="localize('Stop VM')"
               v-on:click="vmAction(entry.name, 'stop')"></span>
             <span role="button" v-else class="fa fa-stop"
               aria-disabled="true" :title="localize('Stop VM')"></span>
+            <img role="button" :src="resourceBase + (!entry['running'] 
+              ? 'computer-off.svg' : (entry.usedFrom 
+                ? 'computer-in-use.svg' : 'computer.svg'))"
+              :title="localize('Open console')" 
+              :aria-disabled="!entry['running']
+                || !(entry.permissions.includes('accessConsole'))"
+              v-on:click="vmAction(entry.name, 'openConsole')">
           </td>
         </tr>
         <tr :id="scopedId(rowIndex)" v-if="$aash.isDisclosed(scopedId(rowIndex))"
diff --git a/org.jdrupes.vmoperator.vmmgmt/resources/org/jdrupes/vmoperator/vmmgmt/computer-in-use.svg b/org.jdrupes.vmoperator.vmmgmt/resources/org/jdrupes/vmoperator/vmmgmt/computer-in-use.svg
new file mode 100644
index 0000000..00e4cc0
--- /dev/null
+++ b/org.jdrupes.vmoperator.vmmgmt/resources/org/jdrupes/vmoperator/vmmgmt/computer-in-use.svg
@@ -0,0 +1,90 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!-- Uploaded to: SVG Repo, www.svgrepo.com, Generator: SVG Repo Mixer Tools -->
+
+<svg
+   fill="#000000"
+   width="800"
+   height="533.33331"
+   viewBox="0 0 24 15.999999"
+   version="1.1"
+   id="svg1"
+   sodipodi:docname="computer-in-use.svg"
+   inkscape:version="1.4 (e7c3feb100, 2024-10-09)"
+   xmlns:inkscape="http://www.inkscape.org/namespaces/inkscape"
+   xmlns:sodipodi="http://sodipodi.sourceforge.net/DTD/sodipodi-0.dtd"
+   xmlns="http://www.w3.org/2000/svg"
+   xmlns:svg="http://www.w3.org/2000/svg">
+  <defs
+     id="defs1">
+    <inkscape:path-effect
+       effect="fillet_chamfer"
+       id="path-effect4"
+       is_visible="true"
+       lpeversion="1"
+       nodesatellites_param="F,0,0,1,0,0,0,1 @ F,0,0,1,0,0,0,1 @ F,0,0,1,0,0,0,1 @ F,0,0,1,0,0,0,1"
+       radius="0"
+       unit="px"
+       method="auto"
+       mode="F"
+       chamfer_steps="1"
+       flexible="false"
+       use_knot_distance="true"
+       apply_no_radius="true"
+       apply_with_radius="true"
+       only_selected="false"
+       hide_knots="false" />
+    <linearGradient
+       id="swatch3"
+       inkscape:swatch="solid">
+      <stop
+         style="stop-color:#000000;stop-opacity:0;"
+         offset="0"
+         id="stop3" />
+    </linearGradient>
+  </defs>
+  <sodipodi:namedview
+     id="namedview1"
+     pagecolor="#ffffff"
+     bordercolor="#666666"
+     borderopacity="1.0"
+     inkscape:showpageshadow="2"
+     inkscape:pageopacity="0.0"
+     inkscape:pagecheckerboard="0"
+     inkscape:deskcolor="#d1d1d1"
+     inkscape:zoom="0.90509668"
+     inkscape:cx="345.81941"
+     inkscape:cy="376.2029"
+     inkscape:window-width="1920"
+     inkscape:window-height="1008"
+     inkscape:window-x="0"
+     inkscape:window-y="35"
+     inkscape:window-maximized="1"
+     inkscape:current-layer="svg1" />
+  <path
+     id="rect1"
+     style="fill-opacity:0;stroke:#000000;stroke-width:1.97262;stroke-linecap:square;stroke-linejoin:round;stroke-miterlimit:0;paint-order:fill markers stroke"
+     d="m 4.7729709,13.006705 -1.7691517,0 V 0.98808897 H 20.99618 V 13.006705 l -1.639132,0"
+     sodipodi:nodetypes="cccccc" />
+  <path
+     id="rect2"
+     style="opacity:1;stroke-width:0.00145614;stroke-linecap:square;stroke-linejoin:round;stroke-miterlimit:0;stroke-dasharray:none;paint-order:fill markers stroke"
+     d="m 0,13.998258 h 5.4336202 v 2.001741 H 0 Z"
+     sodipodi:nodetypes="ccccc" />
+  <path
+     id="rect3"
+     style="fill:none;fill-opacity:1;stroke:#000000;stroke-width:1.05373;stroke-linecap:round;stroke-linejoin:round;stroke-miterlimit:0;stroke-dasharray:none;stroke-opacity:1;paint-order:fill markers stroke"
+     d="m 5.6839082,10.94394 c 0.2963594,-0.907428 2.9522319,-1.683971 2.767387,-1.6392261 0,0 1.5028596,1.6181771 3.6459428,1.6129171 2.018383,-0.005 3.362681,-1.6125503 3.362681,-1.6125503 -0.171441,-0.061235 2.778887,0.7741493 2.977303,1.6787203 0.393054,1.791919 0.25928,4.489072 0.25928,4.489072 l -13.3818748,0.001 c 0,0 -0.181061,-2.844856 0.369281,-4.529957 z"
+     sodipodi:nodetypes="sssssccs" />
+  <ellipse
+     style="fill:none;stroke:#000000;stroke-width:1.02152;stroke-linecap:round;stroke-linejoin:round;stroke-miterlimit:0;stroke-dasharray:none;stroke-opacity:1;paint-order:fill markers stroke"
+     id="path3"
+     cx="11.964992"
+     cy="6.3769712"
+     rx="3.2413731"
+     ry="3.225764" />
+  <path
+     id="rect2-2"
+     style="stroke-width:0.00145614;stroke-linecap:square;stroke-linejoin:round;stroke-miterlimit:0;stroke-dasharray:none;paint-order:fill markers stroke"
+     d="M 18.56638,13.998258 H 24 v 2.001741 h -5.43362 z"
+     sodipodi:nodetypes="ccccc" />
+</svg>
diff --git a/org.jdrupes.vmoperator.vmmgmt/resources/org/jdrupes/vmoperator/vmmgmt/computer-off.svg b/org.jdrupes.vmoperator.vmmgmt/resources/org/jdrupes/vmoperator/vmmgmt/computer-off.svg
new file mode 100644
index 0000000..27c11ae
--- /dev/null
+++ b/org.jdrupes.vmoperator.vmmgmt/resources/org/jdrupes/vmoperator/vmmgmt/computer-off.svg
@@ -0,0 +1,74 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!-- Uploaded to: SVG Repo, www.svgrepo.com, Generator: SVG Repo Mixer Tools -->
+
+<svg
+   fill="#000000"
+   width="800"
+   height="533.33331"
+   viewBox="0 0 24 15.999999"
+   version="1.1"
+   id="svg1"
+   sodipodi:docname="computer-off.svg"
+   inkscape:version="1.3.2 (091e20ef0f, 2023-11-25)"
+   xmlns:inkscape="http://www.inkscape.org/namespaces/inkscape"
+   xmlns:sodipodi="http://sodipodi.sourceforge.net/DTD/sodipodi-0.dtd"
+   xmlns="http://www.w3.org/2000/svg"
+   xmlns:svg="http://www.w3.org/2000/svg">
+  <defs
+     id="defs1">
+    <inkscape:path-effect
+       effect="fillet_chamfer"
+       id="path-effect4"
+       is_visible="true"
+       lpeversion="1"
+       nodesatellites_param="F,0,0,1,0,0,0,1 @ F,0,0,1,0,0,0,1 @ F,0,0,1,0,0,0,1 @ F,0,0,1,0,0,0,1"
+       radius="0"
+       unit="px"
+       method="auto"
+       mode="F"
+       chamfer_steps="1"
+       flexible="false"
+       use_knot_distance="true"
+       apply_no_radius="true"
+       apply_with_radius="true"
+       only_selected="false"
+       hide_knots="false" />
+    <linearGradient
+       id="swatch3"
+       inkscape:swatch="solid">
+      <stop
+         style="stop-color:#000000;stop-opacity:0;"
+         offset="0"
+         id="stop3" />
+    </linearGradient>
+  </defs>
+  <sodipodi:namedview
+     id="namedview1"
+     pagecolor="#ffffff"
+     bordercolor="#666666"
+     borderopacity="1.0"
+     inkscape:showpageshadow="2"
+     inkscape:pageopacity="0.0"
+     inkscape:pagecheckerboard="0"
+     inkscape:deskcolor="#d1d1d1"
+     inkscape:zoom="1.3435029"
+     inkscape:cx="377.74389"
+     inkscape:cy="227.01849"
+     inkscape:window-width="1920"
+     inkscape:window-height="1011"
+     inkscape:window-x="0"
+     inkscape:window-y="32"
+     inkscape:window-maximized="1"
+     inkscape:current-layer="svg1" />
+  <path
+     id="rect1"
+     style="fill-opacity:1;stroke:#000000;stroke-width:1.97262;stroke-linecap:square;stroke-linejoin:round;stroke-miterlimit:0;paint-order:fill markers stroke;fill:#545454"
+     d="M 3.0038192,0.98808897 H 20.99618 V 13.006705 H 3.0038192 Z" />
+  <rect
+     style="opacity:1;fill:#000000;fill-opacity:1;fill-rule:nonzero;stroke:none;stroke-width:0.00306926;stroke-linecap:square;stroke-linejoin:round;stroke-miterlimit:0;stroke-dasharray:none;stroke-opacity:1;paint-order:fill markers stroke"
+     id="rect2"
+     width="23.995173"
+     height="2.0017407"
+     x="0.0039473679"
+     y="13.998839" />
+</svg>
diff --git a/org.jdrupes.vmoperator.vmmgmt/resources/org/jdrupes/vmoperator/vmmgmt/computer.svg b/org.jdrupes.vmoperator.vmmgmt/resources/org/jdrupes/vmoperator/vmmgmt/computer.svg
new file mode 100644
index 0000000..f7a6b94
--- /dev/null
+++ b/org.jdrupes.vmoperator.vmmgmt/resources/org/jdrupes/vmoperator/vmmgmt/computer.svg
@@ -0,0 +1,74 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!-- Uploaded to: SVG Repo, www.svgrepo.com, Generator: SVG Repo Mixer Tools -->
+
+<svg
+   fill="#000000"
+   width="800"
+   height="533.33331"
+   viewBox="0 0 24 15.999999"
+   version="1.1"
+   id="svg1"
+   sodipodi:docname="computer.svg"
+   inkscape:version="1.3.2 (091e20ef0f, 2023-11-25)"
+   xmlns:inkscape="http://www.inkscape.org/namespaces/inkscape"
+   xmlns:sodipodi="http://sodipodi.sourceforge.net/DTD/sodipodi-0.dtd"
+   xmlns="http://www.w3.org/2000/svg"
+   xmlns:svg="http://www.w3.org/2000/svg">
+  <defs
+     id="defs1">
+    <inkscape:path-effect
+       effect="fillet_chamfer"
+       id="path-effect4"
+       is_visible="true"
+       lpeversion="1"
+       nodesatellites_param="F,0,0,1,0,0,0,1 @ F,0,0,1,0,0,0,1 @ F,0,0,1,0,0,0,1 @ F,0,0,1,0,0,0,1"
+       radius="0"
+       unit="px"
+       method="auto"
+       mode="F"
+       chamfer_steps="1"
+       flexible="false"
+       use_knot_distance="true"
+       apply_no_radius="true"
+       apply_with_radius="true"
+       only_selected="false"
+       hide_knots="false" />
+    <linearGradient
+       id="swatch3"
+       inkscape:swatch="solid">
+      <stop
+         style="stop-color:#000000;stop-opacity:0;"
+         offset="0"
+         id="stop3" />
+    </linearGradient>
+  </defs>
+  <sodipodi:namedview
+     id="namedview1"
+     pagecolor="#ffffff"
+     bordercolor="#666666"
+     borderopacity="1.0"
+     inkscape:showpageshadow="2"
+     inkscape:pageopacity="0.0"
+     inkscape:pagecheckerboard="0"
+     inkscape:deskcolor="#d1d1d1"
+     inkscape:zoom="1.3435029"
+     inkscape:cx="377.74389"
+     inkscape:cy="227.01849"
+     inkscape:window-width="1920"
+     inkscape:window-height="1011"
+     inkscape:window-x="0"
+     inkscape:window-y="32"
+     inkscape:window-maximized="1"
+     inkscape:current-layer="svg1" />
+  <path
+     id="rect1"
+     style="fill-opacity:0;stroke:#000000;stroke-width:1.97262;stroke-linecap:square;stroke-linejoin:round;stroke-miterlimit:0;paint-order:fill markers stroke"
+     d="M 3.0038192,0.98808897 H 20.99618 V 13.006705 H 3.0038192 Z" />
+  <rect
+     style="opacity:1;fill:#000000;fill-opacity:1;fill-rule:nonzero;stroke:none;stroke-width:0.00306926;stroke-linecap:square;stroke-linejoin:round;stroke-miterlimit:0;stroke-dasharray:none;stroke-opacity:1;paint-order:fill markers stroke"
+     id="rect2"
+     width="23.995173"
+     height="2.0017407"
+     x="0.0039473679"
+     y="13.998839" />
+</svg>
diff --git a/org.jdrupes.vmoperator.vmmgmt/resources/org/jdrupes/vmoperator/vmmgmt/l10n.properties b/org.jdrupes.vmoperator.vmmgmt/resources/org/jdrupes/vmoperator/vmmgmt/l10n.properties
index 0ab15fd..fb0362f 100644
--- a/org.jdrupes.vmoperator.vmmgmt/resources/org/jdrupes/vmoperator/vmmgmt/l10n.properties
+++ b/org.jdrupes.vmoperator.vmmgmt/resources/org/jdrupes/vmoperator/vmmgmt/l10n.properties
@@ -17,3 +17,8 @@ usedBy = Used by
 usedFrom = Used from
 vmActions = Actions
 vmname = Name
+
+confirmResetTitle = Confirm reset
+confirmResetMsg = Resetting the VM may cause loss of data. \
+  Please confirm to continue.
+consoleTakenNotification = Console access is locked by another user.
diff --git a/org.jdrupes.vmoperator.vmmgmt/resources/org/jdrupes/vmoperator/vmmgmt/l10n_de.properties b/org.jdrupes.vmoperator.vmmgmt/resources/org/jdrupes/vmoperator/vmmgmt/l10n_de.properties
index c8d8c4d..2c142ae 100644
--- a/org.jdrupes.vmoperator.vmmgmt/resources/org/jdrupes/vmoperator/vmmgmt/l10n_de.properties
+++ b/org.jdrupes.vmoperator.vmmgmt/resources/org/jdrupes/vmoperator/vmmgmt/l10n_de.properties
@@ -24,6 +24,12 @@ vmname = Name
 Value\ is\ above\ maximum = Wert ist zu groß
 Illegal\ format = Ungültiges Format
 
+confirmResetTitle = Zurücksetzen bestätigen
+confirmResetMsg = Zurücksetzen der VM kann zu Datenverlust führen. \
+  Bitte bestätigen um fortzufahren.
+consoleTakenNotification = Die Konsole wird von einem anderen Benutzer verwendet.
+
+Open\ console = Konsole anzeigen
 Start\ VM = VM Starten
 Stop\ VM = VM Anhalten
 
diff --git a/org.jdrupes.vmoperator.vmmgmt/src/org/jdrupes/vmoperator/vmmgmt/VmMgmt.java b/org.jdrupes.vmoperator.vmmgmt/src/org/jdrupes/vmoperator/vmmgmt/VmMgmt.java
index 3842cbc..2959f46 100644
--- a/org.jdrupes.vmoperator.vmmgmt/src/org/jdrupes/vmoperator/vmmgmt/VmMgmt.java
+++ b/org.jdrupes.vmoperator.vmmgmt/src/org/jdrupes/vmoperator/vmmgmt/VmMgmt.java
@@ -27,15 +27,22 @@ import io.kubernetes.client.custom.Quantity.Format;
 import java.io.IOException;
 import java.math.BigDecimal;
 import java.math.BigInteger;
+import java.net.Inet4Address;
+import java.net.Inet6Address;
 import java.time.Duration;
 import java.time.Instant;
+import java.util.Collections;
 import java.util.EnumSet;
+import java.util.List;
 import java.util.Map;
 import java.util.Optional;
+import java.util.ResourceBundle;
 import java.util.Set;
 import org.jdrupes.vmoperator.common.K8sObserver;
 import org.jdrupes.vmoperator.common.VmDefinition;
+import org.jdrupes.vmoperator.common.VmDefinition.Permission;
 import org.jdrupes.vmoperator.manager.events.ChannelTracker;
+import org.jdrupes.vmoperator.manager.events.GetDisplayPassword;
 import org.jdrupes.vmoperator.manager.events.ModifyVm;
 import org.jdrupes.vmoperator.manager.events.VmChannel;
 import org.jdrupes.vmoperator.manager.events.VmDefChanged;
@@ -44,13 +51,17 @@ import org.jgrapes.core.Channel;
 import org.jgrapes.core.Event;
 import org.jgrapes.core.Manager;
 import org.jgrapes.core.annotation.Handler;
+import org.jgrapes.util.events.ConfigurationUpdate;
 import org.jgrapes.webconsole.base.Conlet.RenderMode;
 import org.jgrapes.webconsole.base.ConletBaseModel;
 import org.jgrapes.webconsole.base.ConsoleConnection;
-import org.jgrapes.webconsole.base.events.AddConletRequest;
+import org.jgrapes.webconsole.base.ConsoleRole;
+import org.jgrapes.webconsole.base.ConsoleUser;
+import org.jgrapes.webconsole.base.WebConsoleUtils;
 import org.jgrapes.webconsole.base.events.AddConletType;
 import org.jgrapes.webconsole.base.events.AddPageResources.ScriptResource;
 import org.jgrapes.webconsole.base.events.ConsoleReady;
+import org.jgrapes.webconsole.base.events.DisplayNotification;
 import org.jgrapes.webconsole.base.events.NotifyConletModel;
 import org.jgrapes.webconsole.base.events.NotifyConletView;
 import org.jgrapes.webconsole.base.events.RenderConlet;
@@ -61,10 +72,12 @@ import org.jgrapes.webconsole.base.freemarker.FreeMarkerConlet;
 /**
  * The Class {@link VmMgmt}.
  */
-@SuppressWarnings({ "PMD.DataflowAnomalyAnalysis",
-    "PMD.CouplingBetweenObjects" })
+@SuppressWarnings({ "PMD.DataflowAnomalyAnalysis", "PMD.CouplingBetweenObjects",
+    "PMD.ExcessiveImports" })
 public class VmMgmt extends FreeMarkerConlet<VmMgmt.VmsModel> {
 
+    private Class<?> preferredIpVersion = Inet4Address.class;
+    private boolean deleteConnectionFile = true;
     private static final Set<RenderMode> MODES = RenderMode.asSet(
         RenderMode.Preview, RenderMode.View);
     private final ChannelTracker<String, VmChannel,
@@ -91,6 +104,44 @@ public class VmMgmt extends FreeMarkerConlet<VmMgmt.VmsModel> {
         setPeriodicRefresh(Duration.ofMinutes(1), () -> new Update());
     }
 
+    /**
+     * Configure the component. 
+     * 
+     * @param event the event
+     */
+    @SuppressWarnings({ "unchecked", "PMD.AvoidDuplicateLiterals" })
+    @Handler
+    public void onConfigurationUpdate(ConfigurationUpdate event) {
+        event.structured("/Manager/GuiHttpServer"
+            + "/ConsoleWeblet/WebConsole/ComponentCollector/VmAccess")
+            .ifPresent(c -> {
+                try {
+                    var dispRes = (Map<String, Object>) c
+                        .getOrDefault("displayResource",
+                            Collections.emptyMap());
+                    switch ((String) dispRes.getOrDefault("preferredIpVersion",
+                        "")) {
+                    case "ipv6":
+                        preferredIpVersion = Inet6Address.class;
+                        break;
+                    case "ipv4":
+                    default:
+                        preferredIpVersion = Inet4Address.class;
+                        break;
+                    }
+
+                    // Delete connection file
+                    deleteConnectionFile
+                        = Optional.ofNullable(c.get("deleteConnectionFile"))
+                            .filter(v -> v instanceof String)
+                            .map(v -> (String) v)
+                            .map(Boolean::parseBoolean).orElse(true);
+                } catch (ClassCastException e) {
+                    logger.config("Malformed configuration: " + e.getMessage());
+                }
+            });
+    }
+
     /**
      * On {@link ConsoleReady}, fire the {@link AddConletType}.
      *
@@ -117,7 +168,7 @@ public class VmMgmt extends FreeMarkerConlet<VmMgmt.VmsModel> {
     }
 
     @Override
-    protected Optional<VmsModel> createNewState(AddConletRequest event,
+    protected Optional<VmsModel> createStateRepresentation(Event<?> event,
             ConsoleConnection connection, String conletId) throws Exception {
         return Optional.of(new VmsModel(conletId));
     }
@@ -160,17 +211,25 @@ public class VmMgmt extends FreeMarkerConlet<VmMgmt.VmsModel> {
         }
         if (sendVmInfos) {
             for (var item : channelTracker.values()) {
-                channel.respond(new NotifyConletView(type(),
-                    conletId, "updateVm",
-                    simplifiedVmDefinition(item.associated())));
+                updateVm(channel, conletId, item.associated());
             }
         }
-
         return renderedAs;
     }
 
+    private void updateVm(ConsoleConnection channel, String conletId,
+            VmDefinition vmDef) {
+        var user = WebConsoleUtils.userFromSession(channel.session())
+            .map(ConsoleUser::getName).orElse(null);
+        var roles = WebConsoleUtils.rolesFromSession(channel.session())
+            .stream().map(ConsoleRole::getName).toList();
+        channel.respond(new NotifyConletView(type(), conletId, "updateVm",
+            simplifiedVmDefinition(vmDef, user, roles)));
+    }
+
     @SuppressWarnings("PMD.AvoidDuplicateLiterals")
-    private Map<String, Object> simplifiedVmDefinition(VmDefinition vmDef) {
+    private Map<String, Object> simplifiedVmDefinition(VmDefinition vmDef,
+            String user, List<String> roles) {
         // Convert RAM sizes to unitless numbers
         var spec = DataPath.deepCopy(vmDef.spec());
         var vmSpec = DataPath.<Map<String, Object>> get(spec, "vm").get();
@@ -191,7 +250,9 @@ public class VmMgmt extends FreeMarkerConlet<VmMgmt.VmsModel> {
                 "name", vmDef.name()),
             "spec", spec,
             "status", status,
-            "nodeName", vmDef.extra("nodeName"));
+            "nodeName", vmDef.extra("nodeName"),
+            "permissions", vmDef.permissionsFor(user, roles).stream()
+                .map(VmDefinition.Permission::toString).toList());
     }
 
     /**
@@ -221,8 +282,7 @@ public class VmMgmt extends FreeMarkerConlet<VmMgmt.VmsModel> {
             channelTracker.put(vmName, channel, vmDef);
             for (var entry : conletIdsByConsoleConnection().entrySet()) {
                 for (String conletId : entry.getValue()) {
-                    entry.getKey().respond(new NotifyConletView(type(),
-                        conletId, "updateVm", simplifiedVmDefinition(vmDef)));
+                    updateVm(entry.getKey(), conletId, vmDef);
                 }
             }
         }
@@ -337,22 +397,35 @@ public class VmMgmt extends FreeMarkerConlet<VmMgmt.VmsModel> {
     @Override
     @SuppressWarnings("PMD.AvoidDecimalLiteralsInBigDecimalConstructor")
     protected void doUpdateConletState(NotifyConletModel event,
-            ConsoleConnection channel, VmsModel conletState)
-            throws Exception {
+            ConsoleConnection channel, VmsModel model) throws Exception {
         event.stop();
         String vmName = event.param(0);
-        var vmChannel = channelTracker.channel(vmName).orElse(null);
-        if (vmChannel == null) {
+        var value = channelTracker.value(vmName);
+        var vmChannel = value.map(v -> v.channel()).orElse(null);
+        var vmDef = value.map(v -> v.associated()).orElse(null);
+        if (vmDef == null) {
             return;
         }
+        var user = WebConsoleUtils.userFromSession(channel.session())
+            .map(ConsoleUser::getName).orElse("");
+        var roles = WebConsoleUtils.rolesFromSession(channel.session())
+            .stream().map(ConsoleRole::getName).toList();
+        var perms = vmDef.permissionsFor(user, roles);
         switch (event.method()) {
         case "start":
-            fire(new ModifyVm(vmName, "state", "Running", vmChannel));
+            if (perms.contains(VmDefinition.Permission.START)) {
+                fire(new ModifyVm(vmName, "state", "Running", vmChannel));
+            }
             break;
         case "stop":
-            fire(new ModifyVm(vmName, "state", "Stopped", vmChannel));
+            if (perms.contains(VmDefinition.Permission.STOP)) {
+                fire(new ModifyVm(vmName, "state", "Stopped", vmChannel));
+            }
             break;
         case "openConsole":
+            if (perms.contains(VmDefinition.Permission.ACCESS_CONSOLE)) {
+                openConsole(channel, model, vmChannel, vmDef, user, perms);
+            }
             break;
         case "cpus":
             fire(new ModifyVm(vmName, "currentCpus",
@@ -370,6 +443,29 @@ public class VmMgmt extends FreeMarkerConlet<VmMgmt.VmsModel> {
         }
     }
 
+    private void openConsole(ConsoleConnection channel, VmsModel model,
+            VmChannel vmChannel, VmDefinition vmDef, String user,
+            Set<Permission> perms) {
+        ResourceBundle resourceBundle = resourceBundle(channel.locale());
+        if (!vmDef.consoleAccessible(user, perms)) {
+            channel.respond(new DisplayNotification(
+                resourceBundle.getString("consoleTakenNotification"),
+                Map.of("autoClose", 5_000, "type", "Warning")));
+            return;
+        }
+        var pwQuery = Event.onCompletion(new GetDisplayPassword(vmDef, user),
+            e -> {
+                var data = vmDef.connectionFile(e.password().orElse(null),
+                    preferredIpVersion, deleteConnectionFile);
+                if (data == null) {
+                    return;
+                }
+                channel.respond(new NotifyConletView(type(),
+                    model.getConletId(), "openConsole", data));
+            });
+        fire(pwQuery, vmChannel);
+    }
+
     @Override
     protected boolean doSetLocale(SetLocale event, ConsoleConnection channel,
             String conletId) throws Exception {
diff --git a/org.jdrupes.vmoperator.vmmgmt/src/org/jdrupes/vmoperator/vmmgmt/browser/VmMgmt-functions.ts b/org.jdrupes.vmoperator.vmmgmt/src/org/jdrupes/vmoperator/vmmgmt/browser/VmMgmt-functions.ts
index c7f8519..40534b1 100644
--- a/org.jdrupes.vmoperator.vmmgmt/src/org/jdrupes/vmoperator/vmmgmt/browser/VmMgmt-functions.ts
+++ b/org.jdrupes.vmoperator.vmmgmt/src/org/jdrupes/vmoperator/vmmgmt/browser/VmMgmt-functions.ts
@@ -104,6 +104,7 @@ window.orgJDrupesVmOperatorVmMgmt.initView = (viewDom: HTMLElement,
         setup(_props: object) {
             const conletId: string
                 = (<HTMLElement>viewDom.parentNode!).dataset["conletId"]!;
+            const resourceBase = (<HTMLElement>viewDom).dataset.conletResourceBase;
 
             const controller = reactive(new JGConsole.TableController([
                 ["name", "vmname"],
@@ -162,9 +163,9 @@ window.orgJDrupesVmOperatorVmMgmt.initView = (viewDom: HTMLElement,
             }
 
             return {
-                controller, vmInfos, filteredData, detailsByName, localize, 
-                shortDateTime, formatMemory, vmAction, cic, parseMemory,
-                maximumCpus, 
+                controller, vmInfos, filteredData, detailsByName, 
+                resourceBase, localize, shortDateTime, formatMemory,
+                vmAction, cic, parseMemory, maximumCpus, 
                 scopedId: (id: string) => { return idScope.scopedId(id); }
             };
         }
@@ -219,3 +220,20 @@ JGConsole.registerConletFunction("org.jdrupes.vmoperator.vmmgmt.VmMgmt",
         Object.assign(vmSummary, summary);
 });
 
+JGConsole.registerConletFunction("org.jdrupes.vmoperator.vmmgmt.VmMgmt",
+    "openConsole", function(_conletId: string, data: string) {
+        let target = document.getElementById(
+            "org.jdrupes.vmoperator.vmmgt.VmMgmt.target");
+        if (!target) {
+            target = document.createElement("iframe");
+            target.id = "org.jdrupes.vmoperator.vmmgt.VmMgmt.target";
+            target.setAttribute("name", target.id);
+            target.setAttribute("style", "display: none;");            
+            document.querySelector("body")!.append(target);
+        }
+        const url = "data:application/x-virt-viewer;base64," 
+            + window.btoa(data);
+        window.open(url, target.id);
+    });
+
+
diff --git a/org.jdrupes.vmoperator.vmmgmt/src/org/jdrupes/vmoperator/vmmgmt/browser/VmMgmt-style.scss b/org.jdrupes.vmoperator.vmmgmt/src/org/jdrupes/vmoperator/vmmgmt/browser/VmMgmt-style.scss
index 3a3f0d7..7a7af97 100644
--- a/org.jdrupes.vmoperator.vmmgmt/src/org/jdrupes/vmoperator/vmmgmt/browser/VmMgmt-style.scss
+++ b/org.jdrupes.vmoperator.vmmgmt/src/org/jdrupes/vmoperator/vmmgmt/browser/VmMgmt-style.scss
@@ -103,6 +103,10 @@
 .jdrupes-vmoperator-vmmgmt-view-action-list {
   white-space: nowrap;
 
+  & > * + * {
+      margin-left: 0.5em;
+  }
+  
   [role=button] {
     padding: 0.25rem;
 
@@ -110,4 +114,14 @@
       box-shadow: var(--darkening);
     }
   }
+  
+  img {
+    display: inline;
+    height: 1.5em;
+    vertical-align: top;
+    
+    &[aria-disabled=''], &[aria-disabled='true'] {
+        opacity: 0.4;
+    }
+  }
 }

From 8d96307bb59c92351666a5002d014f03750bb839 Mon Sep 17 00:00:00 2001
From: "Michael N. Lipp" <mnl@mnl.de>
Date: Wed, 29 Jan 2025 18:42:10 +0100
Subject: [PATCH 088/274] Add reset action to VM management.

---
 .../jdrupes/vmoperator/vmaccess/VmAccess.java | 28 +++++-----
 .../vmmgmt/VmMgmt-confirmReset.ftl.html       | 13 +++++
 .../vmoperator/vmmgmt/VmMgmt-view.ftl.html    | 10 ++++
 .../vmoperator/vmmgmt/l10n_de.properties      |  1 +
 .../org/jdrupes/vmoperator/vmmgmt/VmMgmt.java | 31 ++++++++++-
 .../vmmgmt/browser/VmMgmt-functions.ts        | 10 +++-
 .../vmmgmt/browser/VmMgmt-style.scss          | 51 ++++++++++++++++++-
 7 files changed, 126 insertions(+), 18 deletions(-)
 create mode 100644 org.jdrupes.vmoperator.vmmgmt/resources/org/jdrupes/vmoperator/vmmgmt/VmMgmt-confirmReset.ftl.html

diff --git a/org.jdrupes.vmoperator.vmaccess/src/org/jdrupes/vmoperator/vmaccess/VmAccess.java b/org.jdrupes.vmoperator.vmaccess/src/org/jdrupes/vmoperator/vmaccess/VmAccess.java
index fa00482..eea1eae 100644
--- a/org.jdrupes.vmoperator.vmaccess/src/org/jdrupes/vmoperator/vmaccess/VmAccess.java
+++ b/org.jdrupes.vmoperator.vmaccess/src/org/jdrupes/vmoperator/vmaccess/VmAccess.java
@@ -785,6 +785,20 @@ public class VmAccess extends FreeMarkerConlet<VmAccess.ResourceModel> {
         }
     }
 
+    private void confirmReset(NotifyConletModel event,
+            ConsoleConnection channel, ResourceModel model,
+            ResourceBundle resourceBundle) throws TemplateNotFoundException,
+            MalformedTemplateNameException, ParseException, IOException {
+        Template tpl = freemarkerConfig()
+            .getTemplate("VmAccess-confirmReset.ftl.html");
+        channel.respond(new OpenModalDialog(type(), model.getConletId(),
+            processTemplate(event, tpl,
+                fmModel(event, channel, model.getConletId(), model)))
+                    .addOption("cancelable", true).addOption("closeLabel", "")
+                    .addOption("title",
+                        resourceBundle.getString("confirmResetTitle")));
+    }
+
     private void openConsole(ConsoleConnection channel, ResourceModel model,
             VmChannel vmChannel, VmDefinition vmDef, Set<Permission> perms) {
         var resourceBundle = resourceBundle(channel.locale());
@@ -828,20 +842,6 @@ public class VmAccess extends FreeMarkerConlet<VmAccess.ResourceModel> {
         }
     }
 
-    private void confirmReset(NotifyConletModel event,
-            ConsoleConnection channel, ResourceModel model,
-            ResourceBundle resourceBundle) throws TemplateNotFoundException,
-            MalformedTemplateNameException, ParseException, IOException {
-        Template tpl = freemarkerConfig()
-            .getTemplate("VmAccess-confirmReset.ftl.html");
-        channel.respond(new OpenModalDialog(type(), model.getConletId(),
-            processTemplate(event, tpl,
-                fmModel(event, channel, model.getConletId(), model)))
-                    .addOption("cancelable", true).addOption("closeLabel", "")
-                    .addOption("title",
-                        resourceBundle.getString("confirmResetTitle")));
-    }
-
     @Override
     protected boolean doSetLocale(SetLocale event, ConsoleConnection channel,
             String conletId) throws Exception {
diff --git a/org.jdrupes.vmoperator.vmmgmt/resources/org/jdrupes/vmoperator/vmmgmt/VmMgmt-confirmReset.ftl.html b/org.jdrupes.vmoperator.vmmgmt/resources/org/jdrupes/vmoperator/vmmgmt/VmMgmt-confirmReset.ftl.html
new file mode 100644
index 0000000..d174707
--- /dev/null
+++ b/org.jdrupes.vmoperator.vmmgmt/resources/org/jdrupes/vmoperator/vmmgmt/VmMgmt-confirmReset.ftl.html
@@ -0,0 +1,13 @@
+<div 
+  class="jdrupes-vmoperator-vmmgmt jdrupes-vmoperator-vmmgmt-confirm-reset">
+  <p>${_("confirmResetMsg")}</p>
+  <p>
+    <span role="button" tabindex="0" class="svg-icon"
+      onclick="orgJDrupesVmOperatorVmMgmt.confirmReset('${conletType}', '${conletId}', '${vmName}')">
+      <svg viewBox="0 0 1541.33 1535.5083">
+        <path d="m 0,127.9968 v 448 c 0,35 29,64 64,64 h 448 c 35,0 64,-29 64,-64 0,-17 -6.92831,-33.07213 -19,-45 C 264.23058,241.7154 337.19508,314.89599 109,82.996795 c -11.999999,-12 -28,-19 -45,-19 -35,0 -64,29 -64,64.000005 z" />
+        <path d="m 772.97656,1535.5046 c 117.57061,0.3623 236.06134,-26.2848 345.77544,-81.4687 292.5708,-147.1572 459.8088,-465.37411 415.5214,-790.12504 C 1489.9861,339.15993 1243.597,77.463924 922.29883,14.342498 601.00067,-48.778928 274.05699,100.37563 110.62891,384.39133 c -34.855139,60.57216 -14.006492,137.9313 46.5664,172.78516 60.57172,34.85381 137.92941,14.00532 172.78321,-46.56641 109.97944,-191.12927 327.69604,-290.34657 543.53515,-247.94336 215.83913,42.40321 380.18953,216.77543 410.00973,435.44141 29.8203,218.66598 -81.8657,430.94957 -278.4863,529.84567 -196.6206,98.8962 -432.84043,61.8202 -589.90233,-92.6777 -24.91016,-24.5038 -85.48587,-83.3326 -119.02246,-52.9832 -24.01114,21.7292 -35.41741,29.5454 -59.9209,54.4559 -24.50381,24.9102 -35.33636,36.9034 -57.54543,60.4713 -38.1335,40.4667 34.10761,93.9685 59.01808,118.472 145.96311,143.5803 339.36149,219.2087 535.3125,219.8125 z"/>
+      </svg>
+    </span>
+  </p>
+</div>
\ No newline at end of file
diff --git a/org.jdrupes.vmoperator.vmmgmt/resources/org/jdrupes/vmoperator/vmmgmt/VmMgmt-view.ftl.html b/org.jdrupes.vmoperator.vmmgmt/resources/org/jdrupes/vmoperator/vmmgmt/VmMgmt-view.ftl.html
index 178d069..4dfc8d7 100644
--- a/org.jdrupes.vmoperator.vmmgmt/resources/org/jdrupes/vmoperator/vmmgmt/VmMgmt-view.ftl.html
+++ b/org.jdrupes.vmoperator.vmmgmt/resources/org/jdrupes/vmoperator/vmmgmt/VmMgmt-view.ftl.html
@@ -72,6 +72,16 @@
               v-on:click="vmAction(entry.name, 'stop')"></span>
             <span role="button" v-else class="fa fa-stop"
               aria-disabled="true" :title="localize('Stop VM')"></span>
+            <span role="button"
+              :aria-disabled="!entry['running'] 
+                || !entry.permissions.includes('reset')" 
+              tabindex="0" class="svg-icon" :title="localize('Reset VM')"
+              v-on:click="vmAction(entry.name, 'reset')">
+              <svg viewBox="0 0 1541.33 1535.5083">
+                <path d="m 0,127.9968 v 448 c 0,35 29,64 64,64 h 448 c 35,0 64,-29 64,-64 0,-17 -6.92831,-33.07213 -19,-45 C 264.23058,241.7154 337.19508,314.89599 109,82.996795 c -11.999999,-12 -28,-19 -45,-19 -35,0 -64,29 -64,64.000005 z" />
+                <path d="m 772.97656,1535.5046 c 117.57061,0.3623 236.06134,-26.2848 345.77544,-81.4687 292.5708,-147.1572 459.8088,-465.37411 415.5214,-790.12504 C 1489.9861,339.15993 1243.597,77.463924 922.29883,14.342498 601.00067,-48.778928 274.05699,100.37563 110.62891,384.39133 c -34.855139,60.57216 -14.006492,137.9313 46.5664,172.78516 60.57172,34.85381 137.92941,14.00532 172.78321,-46.56641 109.97944,-191.12927 327.69604,-290.34657 543.53515,-247.94336 215.83913,42.40321 380.18953,216.77543 410.00973,435.44141 29.8203,218.66598 -81.8657,430.94957 -278.4863,529.84567 -196.6206,98.8962 -432.84043,61.8202 -589.90233,-92.6777 -24.91016,-24.5038 -85.48587,-83.3326 -119.02246,-52.9832 -24.01114,21.7292 -35.41741,29.5454 -59.9209,54.4559 -24.50381,24.9102 -35.33636,36.9034 -57.54543,60.4713 -38.1335,40.4667 34.10761,93.9685 59.01808,118.472 145.96311,143.5803 339.36149,219.2087 535.3125,219.8125 z"/>
+              </svg>
+            </span>
             <img role="button" :src="resourceBase + (!entry['running'] 
               ? 'computer-off.svg' : (entry.usedFrom 
                 ? 'computer-in-use.svg' : 'computer.svg'))"
diff --git a/org.jdrupes.vmoperator.vmmgmt/resources/org/jdrupes/vmoperator/vmmgmt/l10n_de.properties b/org.jdrupes.vmoperator.vmmgmt/resources/org/jdrupes/vmoperator/vmmgmt/l10n_de.properties
index 2c142ae..a9b9600 100644
--- a/org.jdrupes.vmoperator.vmmgmt/resources/org/jdrupes/vmoperator/vmmgmt/l10n_de.properties
+++ b/org.jdrupes.vmoperator.vmmgmt/resources/org/jdrupes/vmoperator/vmmgmt/l10n_de.properties
@@ -32,6 +32,7 @@ consoleTakenNotification = Die Konsole wird von einem anderen Benutzer verwendet
 Open\ console = Konsole anzeigen
 Start\ VM = VM Starten
 Stop\ VM = VM Anhalten
+Reset\ VM = VM zurücksetzen
 
 Yes = Ja
 No = Nein
diff --git a/org.jdrupes.vmoperator.vmmgmt/src/org/jdrupes/vmoperator/vmmgmt/VmMgmt.java b/org.jdrupes.vmoperator.vmmgmt/src/org/jdrupes/vmoperator/vmmgmt/VmMgmt.java
index 2959f46..819a0d4 100644
--- a/org.jdrupes.vmoperator.vmmgmt/src/org/jdrupes/vmoperator/vmmgmt/VmMgmt.java
+++ b/org.jdrupes.vmoperator.vmmgmt/src/org/jdrupes/vmoperator/vmmgmt/VmMgmt.java
@@ -44,6 +44,7 @@ import org.jdrupes.vmoperator.common.VmDefinition.Permission;
 import org.jdrupes.vmoperator.manager.events.ChannelTracker;
 import org.jdrupes.vmoperator.manager.events.GetDisplayPassword;
 import org.jdrupes.vmoperator.manager.events.ModifyVm;
+import org.jdrupes.vmoperator.manager.events.ResetVm;
 import org.jdrupes.vmoperator.manager.events.VmChannel;
 import org.jdrupes.vmoperator.manager.events.VmDefChanged;
 import org.jdrupes.vmoperator.util.DataPath;
@@ -64,6 +65,7 @@ import org.jgrapes.webconsole.base.events.ConsoleReady;
 import org.jgrapes.webconsole.base.events.DisplayNotification;
 import org.jgrapes.webconsole.base.events.NotifyConletModel;
 import org.jgrapes.webconsole.base.events.NotifyConletView;
+import org.jgrapes.webconsole.base.events.OpenModalDialog;
 import org.jgrapes.webconsole.base.events.RenderConlet;
 import org.jgrapes.webconsole.base.events.RenderConletRequestBase;
 import org.jgrapes.webconsole.base.events.SetLocale;
@@ -395,7 +397,8 @@ public class VmMgmt extends FreeMarkerConlet<VmMgmt.VmsModel> {
     }
 
     @Override
-    @SuppressWarnings("PMD.AvoidDecimalLiteralsInBigDecimalConstructor")
+    @SuppressWarnings({ "PMD.AvoidDecimalLiteralsInBigDecimalConstructor",
+        "PMD.NcssCount" })
     protected void doUpdateConletState(NotifyConletModel event,
             ConsoleConnection channel, VmsModel model) throws Exception {
         event.stop();
@@ -422,6 +425,16 @@ public class VmMgmt extends FreeMarkerConlet<VmMgmt.VmsModel> {
                 fire(new ModifyVm(vmName, "state", "Stopped", vmChannel));
             }
             break;
+        case "reset":
+            if (perms.contains(VmDefinition.Permission.RESET)) {
+                confirmReset(event, channel, model, vmName);
+            }
+            break;
+        case "resetConfirmed":
+            if (perms.contains(VmDefinition.Permission.RESET)) {
+                fire(new ResetVm(vmName), vmChannel);
+            }
+            break;
         case "openConsole":
             if (perms.contains(VmDefinition.Permission.ACCESS_CONSOLE)) {
                 openConsole(channel, model, vmChannel, vmDef, user, perms);
@@ -443,6 +456,22 @@ public class VmMgmt extends FreeMarkerConlet<VmMgmt.VmsModel> {
         }
     }
 
+    private void confirmReset(NotifyConletModel event,
+            ConsoleConnection channel, VmsModel model, String vmName)
+            throws TemplateNotFoundException,
+            MalformedTemplateNameException, ParseException, IOException {
+        Template tpl = freemarkerConfig()
+            .getTemplate("VmMgmt-confirmReset.ftl.html");
+        ResourceBundle resourceBundle = resourceBundle(channel.locale());
+        var fmModel = fmModel(event, channel, model.getConletId(), model);
+        fmModel.put("vmName", vmName);
+        channel.respond(new OpenModalDialog(type(), model.getConletId(),
+            processTemplate(event, tpl, fmModel))
+                .addOption("cancelable", true).addOption("closeLabel", "")
+                .addOption("title",
+                    resourceBundle.getString("confirmResetTitle")));
+    }
+
     private void openConsole(ConsoleConnection channel, VmsModel model,
             VmChannel vmChannel, VmDefinition vmDef, String user,
             Set<Permission> perms) {
diff --git a/org.jdrupes.vmoperator.vmmgmt/src/org/jdrupes/vmoperator/vmmgmt/browser/VmMgmt-functions.ts b/org.jdrupes.vmoperator.vmmgmt/src/org/jdrupes/vmoperator/vmmgmt/browser/VmMgmt-functions.ts
index 40534b1..f0407b7 100644
--- a/org.jdrupes.vmoperator.vmmgmt/src/org/jdrupes/vmoperator/vmmgmt/browser/VmMgmt-functions.ts
+++ b/org.jdrupes.vmoperator.vmmgmt/src/org/jdrupes/vmoperator/vmmgmt/browser/VmMgmt-functions.ts
@@ -34,7 +34,9 @@ declare global {
     interface Window {
         orgJDrupesVmOperatorVmMgmt: { 
             initPreview?: (previewDom: HTMLElement, isUpdate: boolean) => void,
-            initView?: (viewDom: HTMLElement, isUpdate: boolean) => void
+            initView?: (viewDom: HTMLElement, isUpdate: boolean) => void,
+            confirmReset?: (conletType: string, conletId: string, 
+                vmName: string) => void
         }
     }
 }
@@ -236,4 +238,8 @@ JGConsole.registerConletFunction("org.jdrupes.vmoperator.vmmgmt.VmMgmt",
         window.open(url, target.id);
     });
 
-
+window.orgJDrupesVmOperatorVmMgmt.confirmReset = 
+        (conletType: string, conletId: string, vmName: string) => {
+    JGConsole.instance.closeModalDialog(conletType, conletId);
+    JGConsole.notifyConletModel(conletId, "resetConfirmed", vmName);
+}
diff --git a/org.jdrupes.vmoperator.vmmgmt/src/org/jdrupes/vmoperator/vmmgmt/browser/VmMgmt-style.scss b/org.jdrupes.vmoperator.vmmgmt/src/org/jdrupes/vmoperator/vmmgmt/browser/VmMgmt-style.scss
index 7a7af97..4c11b65 100644
--- a/org.jdrupes.vmoperator.vmmgmt/src/org/jdrupes/vmoperator/vmmgmt/browser/VmMgmt-style.scss
+++ b/org.jdrupes.vmoperator.vmmgmt/src/org/jdrupes/vmoperator/vmmgmt/browser/VmMgmt-style.scss
@@ -114,7 +114,24 @@
       box-shadow: var(--darkening);
     }
   }
-  
+
+  span[role="button"].svg-icon {
+    display: inline-block;
+    line-height: 1;
+    /* Align with forkawesome */
+    font-size: 14px;
+    fill: var(--primary);
+
+    &[aria-disabled="true"], &[aria-disabled=""] {
+      fill: var(--disabled);
+    }
+    
+    svg {
+      height: 2ex;
+      width: 1em;
+    }
+  }
+
   img {
     display: inline;
     height: 1.5em;
@@ -125,3 +142,35 @@
     }
   }
 }
+
+.jdrupes-vmoperator-vmmgmt.jdrupes-vmoperator-vmmgmt-confirm-reset {
+
+  [role=button] {
+    padding: 0.25rem;
+
+    &:not([aria-disabled]):hover, &[aria-disabled='false']:hover {
+      box-shadow: var(--darkening);
+    }
+  }
+    
+  span[role="button"].svg-icon {
+    display: inline-block;
+    line-height: 1;
+    /* Align with forkawesome */
+    font-size: 14px;
+    fill: var(--danger);
+    
+    &[aria-disabled="true"], &[aria-disabled=""] {
+      fill: var(--disabled);
+    }
+      
+    svg {
+      width: 2.5em;
+      height: 2.5em;
+    }
+  }
+    
+  p {
+    text-align: center;
+  }
+}

From ebda41346a096c88c41e91c3b06e0ddbe45bc31a Mon Sep 17 00:00:00 2001
From: "Michael N. Lipp" <mnl@mnl.de>
Date: Wed, 29 Jan 2025 21:01:49 +0100
Subject: [PATCH 089/274] Simplify permission management.

---
 .../org/jdrupes/vmoperator/vmaccess/VmAccess.java    | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/org.jdrupes.vmoperator.vmaccess/src/org/jdrupes/vmoperator/vmaccess/VmAccess.java b/org.jdrupes.vmoperator.vmaccess/src/org/jdrupes/vmoperator/vmaccess/VmAccess.java
index eea1eae..c82ccd4 100644
--- a/org.jdrupes.vmoperator.vmaccess/src/org/jdrupes/vmoperator/vmaccess/VmAccess.java
+++ b/org.jdrupes.vmoperator.vmaccess/src/org/jdrupes/vmoperator/vmaccess/VmAccess.java
@@ -546,26 +546,26 @@ public class VmAccess extends FreeMarkerConlet<VmAccess.ResourceModel> {
             .map(ConsoleUser::getName).orElse(null);
         var roles = WebConsoleUtils.rolesFromSession(session)
             .stream().map(ConsoleRole::getName).toList();
-        Set<Permission> result = new HashSet<>();
         if (model.mode() == ResourceModel.Mode.POOL) {
             if (pool == null) {
                 pool = appPipeline.fire(new GetPools()
                     .withName(model.name())).get().stream().findFirst()
                     .orElse(null);
             }
-            if (pool != null) {
-                result.addAll(pool.permissionsFor(user, roles));
+            if (pool == null) {
+                return Collections.emptySet();
             }
+            return pool.permissionsFor(user, roles);
         }
         if (vmDef == null) {
             vmDef = appPipeline.fire(new GetVms().assignedFrom(model.name())
                 .assignedTo(user)).get().stream().map(VmData::definition)
                 .findFirst().orElse(null);
         }
-        if (vmDef != null) {
-            result.addAll(vmDef.permissionsFor(user, roles));
+        if (vmDef == null) {
+            return Collections.emptySet();
         }
-        return result;
+        return vmDef.permissionsFor(user, roles);
     }
 
     private void updatePreview(ConsoleConnection channel, ResourceModel model,

From e447a944dce88e3eb0704549ce0e30dca3fdff09 Mon Sep 17 00:00:00 2001
From: "Michael N. Lipp" <mnl@mnl.de>
Date: Thu, 30 Jan 2025 16:55:54 +0100
Subject: [PATCH 090/274] Generate metaData even if only cloudInit is
 specified.

---
 .../vmoperator/manager/runnerConfig.ftl.yaml        |  6 +-----
 .../org/jdrupes/vmoperator/manager/Reconciler.java  | 13 +++++++------
 2 files changed, 8 insertions(+), 11 deletions(-)

diff --git a/org.jdrupes.vmoperator.manager/resources/org/jdrupes/vmoperator/manager/runnerConfig.ftl.yaml b/org.jdrupes.vmoperator.manager/resources/org/jdrupes/vmoperator/manager/runnerConfig.ftl.yaml
index 214b5b8..8a50a5e 100644
--- a/org.jdrupes.vmoperator.manager/resources/org/jdrupes/vmoperator/manager/runnerConfig.ftl.yaml
+++ b/org.jdrupes.vmoperator.manager/resources/org/jdrupes/vmoperator/manager/runnerConfig.ftl.yaml
@@ -58,11 +58,7 @@ data:
       # Forward the cloud-init data if provided
       <#if spec.cloudInit??>    
       cloudInit:
-        <#if spec.cloudInit.metaData??>
-        metaData: ${ toJson(adjustCloudInitMeta(spec.cloudInit.metaData, cr.metadata())) }
-        <#else>
-        metaData: {}
-        </#if>
+        metaData: ${ toJson(adjustCloudInitMeta(spec.cloudInit.metaData!{}, cr.metadata())) }
         <#if spec.cloudInit.userData??>
         userData: ${ toJson(spec.cloudInit.userData) }
         <#else>
diff --git a/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/Reconciler.java b/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/Reconciler.java
index 3fa2ffe..641247a 100644
--- a/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/Reconciler.java
+++ b/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/Reconciler.java
@@ -29,7 +29,9 @@ import freemarker.template.TemplateException;
 import freemarker.template.TemplateExceptionHandler;
 import freemarker.template.TemplateHashModel;
 import freemarker.template.TemplateMethodModelEx;
+import freemarker.template.TemplateModel;
 import freemarker.template.TemplateModelException;
+import freemarker.template.utility.DeepUnwrap;
 import io.kubernetes.client.custom.Quantity;
 import io.kubernetes.client.openapi.ApiException;
 import io.kubernetes.client.openapi.models.V1ObjectMeta;
@@ -53,7 +55,6 @@ import static org.jdrupes.vmoperator.manager.Constants.COMP_DISPLAY_SECRET;
 import org.jdrupes.vmoperator.manager.events.ResetVm;
 import org.jdrupes.vmoperator.manager.events.VmChannel;
 import org.jdrupes.vmoperator.manager.events.VmDefChanged;
-import org.jdrupes.vmoperator.util.DataPath;
 import org.jdrupes.vmoperator.util.ExtendedObjectWrapper;
 import org.jgrapes.core.Channel;
 import org.jgrapes.core.Component;
@@ -354,8 +355,9 @@ public class Reconciler extends Component {
                     return "";
                 }
                 try {
-                    var imageUri = new URI("file://" + Constants.IMAGE_REPO_PATH
-                        + "/").resolve(image);
+                    var imageUri
+                        = new URI("file://" + Constants.IMAGE_REPO_PATH + "/")
+                            .resolve(image);
                     if ("file".equals(imageUri.getScheme())) {
                         return imageUri.getPath();
                     }
@@ -374,9 +376,8 @@ public class Reconciler extends Component {
             public Object exec(@SuppressWarnings("rawtypes") List arguments)
                     throws TemplateModelException {
                 @SuppressWarnings("unchecked")
-                var res = (Map<String, Object>) DataPath
-                    .deepCopy(((AdapterTemplateModel) arguments.get(0))
-                        .getAdaptedObject(Object.class));
+                var res = new HashMap<>((Map<String, Object>) DeepUnwrap
+                    .unwrap((TemplateModel) arguments.get(0)));
                 var metadata
                     = (V1ObjectMeta) ((AdapterTemplateModel) arguments.get(1))
                         .getAdaptedObject(Object.class);

From 99c96e44c37f7eb620d809a29772751aacdfb24b Mon Sep 17 00:00:00 2001
From: "Michael N. Lipp" <mnl@mnl.de>
Date: Thu, 30 Jan 2025 22:00:10 +0100
Subject: [PATCH 091/274] Allow access to vmpools.

---
 deploy/vmop-role.yaml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/deploy/vmop-role.yaml b/deploy/vmop-role.yaml
index 55447e6..c96fb47 100644
--- a/deploy/vmop-role.yaml
+++ b/deploy/vmop-role.yaml
@@ -9,6 +9,7 @@ rules:
   - vmoperator.jdrupes.org
   resources:
   - vms
+  - vmpools
   verbs:
   - '*'
 - apiGroups:

From 29dd6aab82f6eb8cf4c47183856f46c3e185bddf Mon Sep 17 00:00:00 2001
From: "Michael N. Lipp" <mnl@mnl.de>
Date: Thu, 30 Jan 2025 22:04:41 +0100
Subject: [PATCH 092/274] Javadoc fixes.

---
 .../src/org/jdrupes/vmoperator/manager/PoolMonitor.java       | 1 -
 .../src/org/jdrupes/vmoperator/runner/qemu/VmDefUpdater.java  | 4 ++--
 .../src/org/jdrupes/vmoperator/vmaccess/VmAccess.java         | 3 +--
 3 files changed, 3 insertions(+), 5 deletions(-)

diff --git a/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/PoolMonitor.java b/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/PoolMonitor.java
index 0606650..b83c0f5 100644
--- a/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/PoolMonitor.java
+++ b/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/PoolMonitor.java
@@ -64,7 +64,6 @@ public class PoolMonitor extends
      * Instantiates a new VM pool manager.
      *
      * @param componentChannel the component channel
-     * @param channelManager the channel manager
      */
     public PoolMonitor(Channel componentChannel) {
         super(componentChannel, K8sDynamicModel.class,
diff --git a/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/VmDefUpdater.java b/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/VmDefUpdater.java
index 1c260c7..9683457 100644
--- a/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/VmDefUpdater.java
+++ b/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/VmDefUpdater.java
@@ -111,12 +111,12 @@ public class VmDefUpdater extends Component {
     /**
      * Update condition.
      *
-     * @param apiClient the api client
-     * @param from the vM definition
+     * @param from the VM definition
      * @param status the current status
      * @param type the condition type
      * @param state the new state
      * @param reason the reason for the change
+     * @param message the message
      */
     protected void updateCondition(VmDefinitionModel from, JsonObject status,
             String type, boolean state, String reason, String message) {
diff --git a/org.jdrupes.vmoperator.vmaccess/src/org/jdrupes/vmoperator/vmaccess/VmAccess.java b/org.jdrupes.vmoperator.vmaccess/src/org/jdrupes/vmoperator/vmaccess/VmAccess.java
index c82ccd4..0015d6c 100644
--- a/org.jdrupes.vmoperator.vmaccess/src/org/jdrupes/vmoperator/vmaccess/VmAccess.java
+++ b/org.jdrupes.vmoperator.vmaccess/src/org/jdrupes/vmoperator/vmaccess/VmAccess.java
@@ -685,8 +685,7 @@ public class VmAccess extends FreeMarkerConlet<VmAccess.ResourceModel> {
      * On vm pool changed.
      *
      * @param event the event
-     * @param channel the channel
-     * @throws InterruptedException 
+     * @throws InterruptedException the interrupted exception
      */
     @Handler(namedChannels = "manager")
     @SuppressWarnings("PMD.AvoidInstantiatingObjectsInLoops")

From 150b9f29083f53fd05fde1d8a2c6d4285daa0732 Mon Sep 17 00:00:00 2001
From: "Michael N. Lipp" <mnl@mnl.de>
Date: Thu, 30 Jan 2025 22:14:09 +0100
Subject: [PATCH 093/274] Fix spaces.

---
 dev-example/Readme.md | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/dev-example/Readme.md b/dev-example/Readme.md
index 516fb7e..3676411 100644
--- a/dev-example/Readme.md
+++ b/dev-example/Readme.md
@@ -3,9 +3,9 @@
 The CRD must be deployed independently. Apart from that, the
 `kustomize.yaml` 
 
-*   creates a small cdrom image repository and
+* creates a small cdrom image repository and
 
-*   deploys the operator in namespace `vmop-dev` with a replica of 0.
+* deploys the operator in namespace `vmop-dev` with a replica of 0.
 
 This allows you to run the manager in your IDE.
 

From ecd7ba7baf7dcb8643786c9eb24c4e9c2cea49f2 Mon Sep 17 00:00:00 2001
From: "Michael N. Lipp" <mnl@mnl.de>
Date: Thu, 30 Jan 2025 22:17:35 +0100
Subject: [PATCH 094/274] Fix trailing space.

---
 README.md                          |  2 +-
 dev-example/Readme.md              |  2 +-
 overview.md                        |  2 +-
 webpages/vm-operator/controller.md | 46 +++++++++++++++---------------
 webpages/vm-operator/index.md      | 12 ++++----
 webpages/vm-operator/manager.md    | 46 +++++++++++++++---------------
 webpages/vm-operator/runner.md     | 36 +++++++++++------------
 webpages/vm-operator/upgrading.md  | 16 +++++------
 webpages/vm-operator/user-gui.md   | 12 ++++----
 webpages/vm-operator/webgui.md     | 20 ++++++-------
 10 files changed, 97 insertions(+), 97 deletions(-)

diff --git a/README.md b/README.md
index 9118f9d..4c989b6 100644
--- a/README.md
+++ b/README.md
@@ -6,7 +6,7 @@
 # Run Qemu in Kubernetes Pods
 
 The goal of this project is to provide easy to use and flexible components
-for running Qemu based VMs in Kubernetes pods. 
+for running Qemu based VMs in Kubernetes pods.
 
 See the [project's home page](https://jdrupes.org/vm-operator/)
 for details.
diff --git a/dev-example/Readme.md b/dev-example/Readme.md
index 3676411..ba381e1 100644
--- a/dev-example/Readme.md
+++ b/dev-example/Readme.md
@@ -1,7 +1,7 @@
 # Example setup for development
 
 The CRD must be deployed independently. Apart from that, the
-`kustomize.yaml` 
+`kustomize.yaml`
 
 * creates a small cdrom image repository and
 
diff --git a/overview.md b/overview.md
index 447a33c..30d595e 100644
--- a/overview.md
+++ b/overview.md
@@ -3,7 +3,7 @@ A Kubernetes operator for running VMs as pods.
 VM-Operator
 ===========
 
-The VM-operator enables you to easily run Qemu based VMs as pods 
+The VM-operator enables you to easily run Qemu based VMs as pods
 in Kubernetes. It is built on the
 [JGrapes](https://mnlipp.github.io/jgrapes/) event driven framework.
 
diff --git a/webpages/vm-operator/controller.md b/webpages/vm-operator/controller.md
index 17ca790..cc6a274 100644
--- a/webpages/vm-operator/controller.md
+++ b/webpages/vm-operator/controller.md
@@ -5,12 +5,12 @@ layout: vm-operator
 
 # The Controller
 
-The controller component (which is part of the manager) monitors 
-custom resources of kind `VirtualMachine`. It creates or modifies 
+The controller component (which is part of the manager) monitors
+custom resources of kind `VirtualMachine`. It creates or modifies
 other resources in the cluster as required to get the VM defined
-by the CR up and running. 
+by the CR up and running.
 
-Here is the sample definition of a VM from the 
+Here is the sample definition of a VM from the
 ["local-path" example](https://github.com/mnlipp/VM-Operator/tree/main/example/local-path):
 
 ```yaml
@@ -28,10 +28,10 @@ spec:
     currentCpus: 2
     maximumRam: 8Gi
     currentRam: 4Gi
-  
+
     networks:
     - user: {}
-    
+
     disks:
     - volumeClaimTemplate:
         metadata:
@@ -58,9 +58,9 @@ spec:
         # generateSecret: false
 ```
 
-## Pod management 
+## Pod management
 
-The central resource created by the controller is a 
+The central resource created by the controller is a
 [`Pod`](https://kubernetes.io/docs/concepts/workloads/pods/)
 with the same name as the VM (`metadata.name`). The pod is created only
 if `spec.vm.state` is "Running" (default is "Stopped" which deletes the
@@ -72,7 +72,7 @@ and thus the VM is automatically restarted. If set to `true`, the
 VM's state is set to "Stopped" when the VM terminates and the pod is
 deleted.
 
-[^oldSts]: Before version 3.4, the operator created a 
+[^oldSts]: Before version 3.4, the operator created a
     [stateful set](https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/)
     that in turn created the pod and the PVCs (see below).
 
@@ -113,7 +113,7 @@ as shown in this example:
 ```
 
 The disk will be available as "/dev/*name*-disk" in the VM,
-using the string from `.volumeClaimTemplate.metadata.name` as *name*. 
+using the string from `.volumeClaimTemplate.metadata.name` as *name*.
 If no name is defined in the metadata, then "/dev/disk-*n*"
 is used instead, with *n* being the index of the volume claim
 template in the list of disks.
@@ -140,28 +140,28 @@ the PVCs by label in a delete command.
 
 ## Choosing an image for the runner
 
-The image used for the runner can be configured with 
+The image used for the runner can be configured with
 [`spec.image`](https://github.com/mnlipp/VM-Operator/blob/7e094e720b7b59a5e50f4a9a4ad29a6000ec76e6/deploy/crds/vms-crd.yaml#L19).
 This is a mapping with either a single key `source` or a detailed
 configuration using the keys `repository`, `path` etc.
 
-Currently two runner images are maintained. One that is based on 
-Arch Linux (`ghcr.io/mnlipp/org.jdrupes.vmoperator.runner.qemu-arch`) and a 
+Currently two runner images are maintained. One that is based on
+Arch Linux (`ghcr.io/mnlipp/org.jdrupes.vmoperator.runner.qemu-arch`) and a
 second one based on Alpine (`ghcr.io/mnlipp/org.jdrupes.vmoperator.runner.qemu-alpine`).
 
-Starting with release 1.0, all versions of runner images and managers 
+Starting with release 1.0, all versions of runner images and managers
 that have the same major release number are guaranteed to be compatible.
 
 ## Generating cloud-init data
 
-*Since: 2.2.0* 
+*Since: 2.2.0*
 
 The optional object `.spec.cloudInit` with sub-objects `.cloudInit.metaData`,
-`.cloudInit.userData` and `.cloudInit.networkConfig` can be used to provide 
+`.cloudInit.userData` and `.cloudInit.networkConfig` can be used to provide
 data for
 [cloud-init](https://cloudinit.readthedocs.io/en/latest/index.html).
 The data from the CRD will be made available to the VM by the runner
-as a vfat formatted disk (see the description of 
+as a vfat formatted disk (see the description of
 [NoCloud](https://cloudinit.readthedocs.io/en/latest/reference/datasources/nocloud.html)).
 
 If `.metaData.instance-id` is not defined, the controller automatically
@@ -180,9 +180,9 @@ generated automatically by the runner.)
 *Since: 2.3.0*
 
 You can define a display password using a Kubernetes secret.
-When you start a VM, the controller checks if there is a secret 
-with labels "app.kubernetes.io/name: vm-runner, 
-app.kubernetes.io/component: display-secret, 
+When you start a VM, the controller checks if there is a secret
+with labels "app.kubernetes.io/name: vm-runner,
+app.kubernetes.io/component: display-secret,
 app.kubernetes.io/instance: *vmname*" in the namespace of the
 VM definition. The name of the secret can be chosen freely.
 
@@ -204,13 +204,13 @@ data:
 ```
 
 If such a secret for the VM is found, the VM is configured to use
-the display password specified. The display password in the secret 
+the display password specified. The display password in the secret
 can be updated while the VM runs[^delay]. Activating/deactivating
 the display password while a VM runs is not supported by Qemu and
 therefore requires stopping the VM, adding/removing the secret and
 restarting the VM.
 
-[^delay]: Be aware of the possible delay, see e.g. 
+[^delay]: Be aware of the possible delay, see e.g.
     [here](https://web.archive.org/web/20240223073838/https://ahmet.im/blog/kubernetes-secret-volumes-delay/).
 
 *Since: 3.0.0*
@@ -221,7 +221,7 @@ values are those defined by qemu (`+n` seconds from now, `n` Unix
 timestamp, `never` and `now`).
 
 Unless `spec.vm.display.spice.generateSecret` is set to `false` in the VM
-definition (CRD), the controller creates a secret for the display 
+definition (CRD), the controller creates a secret for the display
 password automatically if none is found. The secret is created
 with a random password that expires immediately, which makes the
 display effectively inaccessible until the secret is modified.
diff --git a/webpages/vm-operator/index.md b/webpages/vm-operator/index.md
index 9859fe2..baf8e20 100644
--- a/webpages/vm-operator/index.md
+++ b/webpages/vm-operator/index.md
@@ -15,9 +15,9 @@ The image used for the VM pods combines Qemu and a control program
 for starting and managing the Qemu process. This application is called
 "[the runner](runner.html)".
 
-While you can deploy a runner manually (or with the help of some 
+While you can deploy a runner manually (or with the help of some
 helm templates), the preferred way is to deploy "[the manager](manager.html)"
-application which acts as a Kubernetes operator for runners 
+application which acts as a Kubernetes operator for runners
 and thus the VMs.
 
 If you just want to try out things, you can skip the remainder of this
@@ -25,11 +25,11 @@ page and proceed to "[the manager](manager.html)".
 
 ## Motivation
 The project was triggered by a remark in the discussion about RedHat
-[dropping SPICE support](https://bugzilla.redhat.com/show_bug.cgi?id=2030592) 
+[dropping SPICE support](https://bugzilla.redhat.com/show_bug.cgi?id=2030592)
 from the RHEL packages. Which means that you have to run Qemu in a
 container on RHEL and derivatives if you want to continue using Spice.
 So KubeVirt comes to mind. But
-[one comment](https://bugzilla.redhat.com/show_bug.cgi?id=2030592#c4) 
+[one comment](https://bugzilla.redhat.com/show_bug.cgi?id=2030592#c4)
 mentioned that the [KubeVirt](https://kubevirt.io/) project isn't
 interested in supporting SPICE either.
 
@@ -44,7 +44,7 @@ much as possible.
 ## VMs and Pods
 
 VMs are not the typical workload managed by Kubernetes. You can neither
-have replicas nor can the containers simply be restarted without a major 
+have replicas nor can the containers simply be restarted without a major
 impact on the "application". So there are many features for managing
 pods that we cannot make use of. Qemu in its container can only be
 deployed as a pod or using a stateful set with replica 1, which is rather
@@ -57,6 +57,6 @@ A second look, however, reveals that Kubernetes has more to offer.
 * Its managing features *are* useful for running the component that
 manages the pods with the VMs.
 
-And if you use Kubernetes anyway, well then the VMs within Kubernetes 
+And if you use Kubernetes anyway, well then the VMs within Kubernetes
 provide you with a unified view of all (or most of) your workloads,
 which simplifies the maintenance of your platform.
diff --git a/webpages/vm-operator/manager.md b/webpages/vm-operator/manager.md
index 8e6ebb4..c1965f1 100644
--- a/webpages/vm-operator/manager.md
+++ b/webpages/vm-operator/manager.md
@@ -7,13 +7,13 @@ layout: vm-operator
 
 The Manager is the program that provides the controller from the
 [operator pattern](https://github.com/cncf/tag-app-delivery/blob/eece8f7307f2970f46f100f51932db106db46968/operator-wg/whitepaper/Operator-WhitePaper_v1-0.md#operator-components-in-kubernetes)
-together with a web user interface. It should be run in a container in the cluster. 
+together with a web user interface. It should be run in a container in the cluster.
 
 ## Installation
 
 A manager instance manages the VMs in its own namespace. The only
 common (and therefore cluster scoped) resource used by all instances
-is the CRD. It is available 
+is the CRD. It is available
 [here](https://github.com/mnlipp/VM-Operator/raw/main/deploy/crds/vms-crd.yaml)
 and must be created first.
 
@@ -25,24 +25,24 @@ The example above uses the CRD from the main branch. This is okay if
 you apply it once. If you want to preserve the link for automatic
 upgrades, you should use a link that points to one of the release branches.
 
-The next step is to create a namespace for the manager and the VMs, e.g. 
+The next step is to create a namespace for the manager and the VMs, e.g.
 `vmop-demo`.
 
 ```sh
 kubectl create namespace vmop-demo
 ```
 
-Finally you have to create an account, the role, the binding etc. The 
-default files for creating these resources using the default namespace 
-can be found in the 
+Finally you have to create an account, the role, the binding etc. The
+default files for creating these resources using the default namespace
+can be found in the
 [deploy](https://github.com/mnlipp/VM-Operator/tree/main/deploy)
-directory. I recommend to use 
-[kustomize](https://kubernetes.io/docs/tasks/manage-kubernetes-objects/kustomization/) to create your own configuration. 
+directory. I recommend to use
+[kustomize](https://kubernetes.io/docs/tasks/manage-kubernetes-objects/kustomization/) to create your own configuration.
 
 ## Initial Configuration
 
 Use one of the `kustomize.yaml` files from the
-[example](https://github.com/mnlipp/VM-Operator/tree/main/example) directory 
+[example](https://github.com/mnlipp/VM-Operator/tree/main/example) directory
 as a starting point. The directory contains two examples. Here's the file
 from subdirectory `local-path`:
 
@@ -91,9 +91,9 @@ patches:
                 storageClassName: local-path
 ```
 
-The sample file adds a namespace (`vmop-demo`) to all resource 
+The sample file adds a namespace (`vmop-demo`) to all resource
 definitions and patches the PVC `vmop-image-repository`. This is a volume
-that is mounted into all pods that run a VM. The volume is intended 
+that is mounted into all pods that run a VM. The volume is intended
 to be used as a common repository for CDROM images. The PVC must exist
 and it must be bound before any pods can run.
 
@@ -101,13 +101,13 @@ The second patch affects the small volume that is created for each
 runner and contains the VM's configuration data such as the EFI vars.
 The manager's default configuration causes the PVC for this volume
 to be created with no storage class (which causes the default storage
-class to be used). The patch provides a new configuration file for 
-the manager that makes the reconciler use local-path as storage 
-class for this PVC. Details about the manager configuration can be 
+class to be used). The patch provides a new configuration file for
+the manager that makes the reconciler use local-path as storage
+class for this PVC. Details about the manager configuration can be
 found in the next section.
 
-Note that you need none of the patches if you are fine with using your 
-cluster's default storage class and this class supports ReadOnlyMany as 
+Note that you need none of the patches if you are fine with using your
+cluster's default storage class and this class supports ReadOnlyMany as
 access mode.
 
 Check that the pod with the manager is running:
@@ -121,30 +121,30 @@ for creating your first VM.
 
 ## Configuration Details
 
-The [config map](https://github.com/mnlipp/VM-Operator/blob/main/deploy/vmop-config-map.yaml) 
-for the manager may provide a configuration file (`config.yaml`) and 
+The [config map](https://github.com/mnlipp/VM-Operator/blob/main/deploy/vmop-config-map.yaml)
+for the manager may provide a configuration file (`config.yaml`) and
 a file with logging properties (`logging.properties`). Both files are mounted
 into the container that runs the manager and are evaluated by the manager
 on startup. If no files are provided, the manager uses built-in defaults.
 
 The configuration file for the Manager follows the conventions of
 the [JGrapes](https://jgrapes.org/) component framework.
-The keys that start with a slash select the component within the 
+The keys that start with a slash select the component within the
 application's component hierarchy. The mapping associated with the
 selected component configures this component's properties.
 
 The available configuration options for the components can be found
-in their respective JavaDocs (e.g. 
+in their respective JavaDocs (e.g.
 [here](latest-release/javadoc/org/jdrupes/vmoperator/manager/Reconciler.html)
 for the Reconciler).
 
 ## Development Configuration
 
 The [dev-example](https://github.com/mnlipp/VM-Operator/tree/main/dev-example)
-directory contains a `kustomize.yaml` that uses the development namespace 
+directory contains a `kustomize.yaml` that uses the development namespace
 `vmop-dev` and creates a deployment for the manager with 0 replicas.
 
-This environment can be used for running the manager in the IDE. As the 
+This environment can be used for running the manager in the IDE. As the
 namespace to manage cannot be detected from the environment, you must use
- `-c ../dev-example/config.yaml` as argument when starting the manager. This 
+ `-c ../dev-example/config.yaml` as argument when starting the manager. This
 configures it to use the namespace `vmop-dev`.
diff --git a/webpages/vm-operator/runner.md b/webpages/vm-operator/runner.md
index 319a5dc..c72793d 100644
--- a/webpages/vm-operator/runner.md
+++ b/webpages/vm-operator/runner.md
@@ -5,9 +5,9 @@ layout: vm-operator
 
 # The Runner
 
-For most use cases, Qemu needs to be started and controlled by another 
-program that manages the Qemu process. This program is called the 
-runner in this context. 
+For most use cases, Qemu needs to be started and controlled by another
+program that manages the Qemu process. This program is called the
+runner in this context.
 
 The most prominent reason for this second program is that it allows
 a VM to be shutdown cleanly in response to a TERM signal. Qemu handles
@@ -26,38 +26,38 @@ CPUs and the memory.
 The runner takes care of all these issues. Although it is intended to
 run in a container (which runs in a Kubernetes pod) it does not require
 a container. You can start and use it as an ordinary program on any
-system, provided that you have the required commands (qemu, swtpm) 
+system, provided that you have the required commands (qemu, swtpm)
 installed.
 
 ## Stand-alone Configuration
 
-Upon startup, the runner reads its main configuration file 
+Upon startup, the runner reads its main configuration file
 which defaults to `/etc/opt/vmrunner/config.yaml` and may be changed
 using the `-c` (or `--config`) command line option.
 
 A sample configuration file with annotated options can be found
 [here](https://github.com/mnlipp/VM-Operator/blob/main/org.jdrupes.vmoperator.runner.qemu/config-sample.yaml).
-As the runner implementation uses the 
-[JGrapes](https://jgrapes.org/) framework, the file 
-follows the framework's 
+As the runner implementation uses the
+[JGrapes](https://jgrapes.org/) framework, the file
+follows the framework's
 [conventions](https://jgrapes.org/latest-release/javadoc/org/jgrapes/util/YamlConfigurationStore.html). The top level "`/Runner`" selects
 the component to be configured. Nested within is the information
 to be applied to the component.
 
 The main entries in the configuration file are the "template" and
-the "vm" information. The runner processes the 
+the "vm" information. The runner processes the
 [freemarker template](https://freemarker.apache.org/), using the
-"vm" information to derive the qemu command. The idea is that 
+"vm" information to derive the qemu command. The idea is that
 the "vm" section provides high level information such as the boot
 mode, the number of CPUs, the RAM size and the disks. The template
 defines a particular VM type, i.e. it contains the "nasty details"
 that do not need to be modified for some given set of VM instances.
 
-The templates provided with the runner can be found 
-[here](https://github.com/mnlipp/VM-Operator/tree/main/org.jdrupes.vmoperator.runner.qemu/templates). When details 
+The templates provided with the runner can be found
+[here](https://github.com/mnlipp/VM-Operator/tree/main/org.jdrupes.vmoperator.runner.qemu/templates). When details
 of the VM configuration need modification, a new VM type
-(i.e. a new template) has to be defined. Authoring a new 
-template requires some knowledge about the 
+(i.e. a new template) has to be defined. Authoring a new
+template requires some knowledge about the
 [qemu invocation](https://www.qemu.org/docs/master/system/invocation.html).
 Despite many "warnings" that you find in the web, configuring the
 invocation arguments of qemu is only a bit (but not much) more
@@ -72,13 +72,13 @@ provided by a
 
 If additional templates are required, some ReadOnlyMany PV should
 be mounted in `/opt/vmrunner/templates`. The PV should contain copies
-of the standard templates as well as the additional templates. Of course, 
+of the standard templates as well as the additional templates. Of course,
 a ConfigMap can be used for this purpose again.
 
 Networking options are rather limited. The assumption is that in general
 the VM wants full network connectivity. To achieve this, the pod must
 run with host networking and the host's networking must provide a
-bridge that the VM can attach to. The only currently supported 
+bridge that the VM can attach to. The only currently supported
 alternative is the less performant
 "[user networking](https://wiki.qemu.org/Documentation/Networking#User_Networking_(SLIRP))",
 which may be used in a stand-alone development configuration.
@@ -87,7 +87,7 @@ which may be used in a stand-alone development configuration.
 
 The runner supports adaption to changes of the RAM size (using the
 balloon device) and to changes of the number of CPUs. Note that
-in order to get new CPUs online on Linux guests, you need a 
+in order to get new CPUs online on Linux guests, you need a
 [udev rule](https://docs.kernel.org/core-api/cpu_hotplug.html#user-space-notification) which is not installed by default[^simplest].
 
 The runner also changes the images loaded in CDROM drives. If the
@@ -103,6 +103,6 @@ Finally, `powerdownTimeout` can be changed while the qemu process runs.
 
 ## Testing with Helm
 
-There is a 
+There is a
 [Helm Chart](https://github.com/mnlipp/VM-Operator/tree/main/org.jdrupes.vmoperator.runner.qemu/helm-test)
 for testing the runner.
diff --git a/webpages/vm-operator/upgrading.md b/webpages/vm-operator/upgrading.md
index a794ab6..77cacad 100644
--- a/webpages/vm-operator/upgrading.md
+++ b/webpages/vm-operator/upgrading.md
@@ -13,7 +13,7 @@ The VmViewer conlet has been renamed to VmAccess. This affects the
 is still accepted for backward compatibility, but should be updated.
 
 The change of name also causes conlets added to the overview page by
-users to "disappear" from the GUI. They have to be re-added. 
+users to "disappear" from the GUI. They have to be re-added.
 
 The latter behavior also applies to the VmConlet conlet which has been
 renamed to VmMgmt.
@@ -25,14 +25,14 @@ with replica set to 1 to (indirectly) start the pod with the VM. Rather
 it creates the pod directly. This implies that the PVCs must also be created
 by the VM-Operator, which needs additional permissions to do so (update of
 `deploy/vmop-role.yaml). As it would be ridiculous to keep the naming scheme
-used by the stateful set when generating PVCs, the VM-Operator uses a 
+used by the stateful set when generating PVCs, the VM-Operator uses a
 [different pattern](controller.html#defining-disks) for creating new PVCs.
 
 The change is backward compatible:
 
   * Running pods created by a stateful set are left alone until stopped.
     Only then will the stateful set be removed.
-    
+
   * The VM-Operator looks for existing PVCs generated by a stateful
     set in the pre 3.4 versions (naming pattern "*name*-disk-*vmName*-0")
     and reuses them. Only new PVCs are generated using the new pattern.
@@ -40,22 +40,22 @@ The change is backward compatible:
 ## To version 3.0.0
 
 All configuration files are backward compatible to version 2.3.0.
-Note that in order to make use of the new viewer component, 
+Note that in order to make use of the new viewer component,
 [permissions](https://mnlipp.github.io/VM-Operator/user-gui.html#control-access-to-vms)
-must be configured in the CR definition. Also note that 
+must be configured in the CR definition. Also note that
 [display secrets](https://mnlipp.github.io/VM-Operator/user-gui.html#securing-access)
 are automatically created unless explicitly disabled.
 
 ## To version 2.3.0
 
 Starting with version 2.3.0, the web GUI uses a login conlet that
-supports OIDC providers. This effects the configuration of the 
+supports OIDC providers. This effects the configuration of the
 web GUI components.
 
-## To version 2.2.0 
+## To version 2.2.0
 
 Version 2.2.0 sets the stateful set's `.spec.updateStrategy.type` to
-"OnDelete". This fails for no apparent reason if a definition of 
+"OnDelete". This fails for no apparent reason if a definition of
 the stateful set with the default value "RollingUpdate" already exists.
 In order to fix this, either the stateful set or the complete VM definition
 must be deleted and the manager must be restarted.
diff --git a/webpages/vm-operator/user-gui.md b/webpages/vm-operator/user-gui.md
index 416e243..0439db2 100644
--- a/webpages/vm-operator/user-gui.md
+++ b/webpages/vm-operator/user-gui.md
@@ -19,20 +19,20 @@ requirement are unexpectedly complex.
 ## Control access to VMs
 
 First of all, we have to define which VMs a user can access. This
-is done using the optional property `spec.permissions` of the 
+is done using the optional property `spec.permissions` of the
 VM definition (CRD).
 
 ```yaml
 spec:
   permissions:
   - role: admin
-    may: 
+    may:
     - "*"
   - user: test
     may:
     - start
     - stop
-    - accessConsole 
+    - accessConsole
 ```
 
 Permissions can be granted to individual users or to roles. There
@@ -104,7 +104,7 @@ spec:
 ```
 
 The value of `server` is used as value for key "host" in the
-connection file, thus overriding the default value. The 
+connection file, thus overriding the default value. The
 value of `proxyUrl` is used as value for key "proxy".
 
 ## Securing access
@@ -123,8 +123,8 @@ in the future or with value "never" or doesn't define a
 `password-expiry` at all.
 
 The automatically generated password is the base64 encoded value
-of 16 (strong) random bytes (128 random bits). It is valid for 
-10 seconds only. This may be challenging on a slower computer 
+of 16 (strong) random bytes (128 random bits). It is valid for
+10 seconds only. This may be challenging on a slower computer
 or if users may not enable automatic open for connection files
 in the browser. The validity can therefore be adjusted in the
 configuration.
diff --git a/webpages/vm-operator/webgui.md b/webpages/vm-operator/webgui.md
index 1dbb20f..2d6e428 100644
--- a/webpages/vm-operator/webgui.md
+++ b/webpages/vm-operator/webgui.md
@@ -11,7 +11,7 @@ implemented using components from the
 project. Configuration of the GUI therefore follows the conventions
 of that framework.
 
-The structure of the configuration information should be easy to 
+The structure of the configuration information should be easy to
 understand from the examples provided. In general, configuration values
 are applied to the individual components that make up an application.
 The hierarchy of the components is reflected in the configuration
@@ -22,9 +22,9 @@ for information about the complete component structure.)
 
 ## Network access
 
-By default, the service is made available at port 8080 of the manager 
+By default, the service is made available at port 8080 of the manager
 pod. Of course, a kubernetes service and an ingress configuration must
-be added as required by the environment. (See the 
+be added as required by the environment. (See the
 [definition](https://github.com/mnlipp/VM-Operator/blob/main/deploy/vmop-service.yaml)
 from the
 [sample deployment](https://github.com/mnlipp/VM-Operator/tree/main/deploy)).
@@ -49,7 +49,7 @@ and role management.
           # configure an OIDC provider for user management and
           # authorization. See the text for details.
           oidcProviders: {}
-          
+
           # Support for "local" users is provided as a fallback mechanism.
           # Note that up to Version 2.2.x "users" was an object with user names
           # as its properties. Starting with 2.3.0 it is a list as shown.
@@ -60,11 +60,11 @@ and role management.
             - name: test
               fullName: Test Account
               password: "Generate hash with bcrypt"
-              
+
         # Required for using OIDC, see the text for details.
         "/OidcClient":
           redirectUri: https://my.server.here/oauth/callback"
-          
+
         # May be used for assigning roles to both local users and users from
         # the OIDC provider. Not needed if roles are managed by the OIDC provider.
         "/RoleConfigurator":
@@ -79,7 +79,7 @@ and role management.
             "*":
             - other
           replace: false
-          
+
         # Manages the permissions for the roles.
         "/RoleConletFilter":
           conletTypesByRole:
@@ -98,8 +98,8 @@ and role management.
 ```
 
 How local users can be configured should be obvious from the example.
-The configuration of OIDC providers for user authentication (and 
-optionally for role assignment) is explained in the documentation of the 
+The configuration of OIDC providers for user authentication (and
+optionally for role assignment) is explained in the documentation of the
 [login conlet](https://jgrapes.org/javadoc-webconsole/org/jgrapes/webconlet/oidclogin/LoginConlet.html).
 Details about the `RoleConfigurator` and `RoleConletFilter` can also be found
 in the documentation of the
@@ -113,5 +113,5 @@ all users to use the login conlet to log out.
 
 ## Views
 
-The configuration of the components that provide the manager and 
+The configuration of the components that provide the manager and
 users views is explained in the respective sections.

From 4fc0d6fc637cedf06895450ccc31efd0bc0403d3 Mon Sep 17 00:00:00 2001
From: "Michael N. Lipp" <mnl@mnl.de>
Date: Fri, 31 Jan 2025 11:15:43 +0100
Subject: [PATCH 095/274] Support both string and boolean for
 deleteConnectionFile.

---
 .../src/org/jdrupes/vmoperator/vmaccess/VmAccess.java        | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/org.jdrupes.vmoperator.vmaccess/src/org/jdrupes/vmoperator/vmaccess/VmAccess.java b/org.jdrupes.vmoperator.vmaccess/src/org/jdrupes/vmoperator/vmaccess/VmAccess.java
index 0015d6c..bd9a802 100644
--- a/org.jdrupes.vmoperator.vmaccess/src/org/jdrupes/vmoperator/vmaccess/VmAccess.java
+++ b/org.jdrupes.vmoperator.vmaccess/src/org/jdrupes/vmoperator/vmaccess/VmAccess.java
@@ -198,9 +198,8 @@ public class VmAccess extends FreeMarkerConlet<VmAccess.ResourceModel> {
                     // Delete connection file
                     deleteConnectionFile
                         = Optional.ofNullable(c.get("deleteConnectionFile"))
-                            .filter(v -> v instanceof String)
-                            .map(v -> (String) v)
-                            .map(Boolean::parseBoolean).orElse(true);
+                            .map(Object::toString).map(Boolean::parseBoolean)
+                            .orElse(true);
 
                     // Users or roles for which previews should be synchronized
                     syncUsers = ((List<Map<String, String>>) c.getOrDefault(

From 6a1273e7013b8d5fdaef7e65fd6d86092b4df292 Mon Sep 17 00:00:00 2001
From: "Michael N. Lipp" <mnl@mnl.de>
Date: Fri, 31 Jan 2025 12:24:21 +0100
Subject: [PATCH 096/274] Prevent concurrent modification exception.

---
 .../src/org/jdrupes/vmoperator/common/VmPool.java      | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/org.jdrupes.vmoperator.common/src/org/jdrupes/vmoperator/common/VmPool.java b/org.jdrupes.vmoperator.common/src/org/jdrupes/vmoperator/common/VmPool.java
index 8bf6dee..cfc29ef 100644
--- a/org.jdrupes.vmoperator.common/src/org/jdrupes/vmoperator/common/VmPool.java
+++ b/org.jdrupes.vmoperator.common/src/org/jdrupes/vmoperator/common/VmPool.java
@@ -140,7 +140,8 @@ public class VmPool {
      * @return the string
      */
     @Override
-    @SuppressWarnings("PMD.AvoidLiteralsInIfCondition")
+    @SuppressWarnings({ "PMD.AvoidLiteralsInIfCondition",
+        "PMD.AvoidSynchronizedStatement" })
     public String toString() {
         StringBuilder builder = new StringBuilder(50);
         builder.append("VmPool [name=").append(name).append(", permissions=")
@@ -148,8 +149,11 @@ public class VmPool {
         if (vms.size() <= 3) {
             builder.append(vms);
         } else {
-            builder.append('[').append(vms.stream().limit(3).map(s -> s + ",")
-                .collect(Collectors.joining())).append("...]");
+            synchronized (vms) {
+                builder.append('[').append(vms.stream().limit(3)
+                    .map(s -> s + ",").collect(Collectors.joining()))
+                    .append("...]");
+            }
         }
         builder.append(']');
         return builder.toString();

From 23bc41d68d9442ae642c1e75f68599be1f0cc189 Mon Sep 17 00:00:00 2001
From: "Michael N. Lipp" <mnl@mnl.de>
Date: Fri, 31 Jan 2025 15:26:25 +0100
Subject: [PATCH 097/274] Prefer running VMs for new assignments.

---
 .../jdrupes/vmoperator/manager/VmMonitor.java  | 18 ++++++++++++++++--
 1 file changed, 16 insertions(+), 2 deletions(-)

diff --git a/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/VmMonitor.java b/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/VmMonitor.java
index 2060109..c2d717a 100644
--- a/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/VmMonitor.java
+++ b/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/VmMonitor.java
@@ -293,8 +293,9 @@ public class VmMonitor extends
             var pool = vmPool;
             assignedVm = channelManager.channels().stream()
                 .filter(c -> isAssignable(pool, c.vmDefinition()))
-                .sorted(Comparator.comparing(c -> c.vmDefinition()
-                    .assignmentLastUsed().orElse(Instant.ofEpochSecond(0))))
+                .sorted(Comparator.comparing((VmChannel c) -> c.vmDefinition()
+                    .assignmentLastUsed().orElse(Instant.ofEpochSecond(0)))
+                    .thenComparing(preferRunning))
                 .findFirst();
 
             // None found
@@ -322,6 +323,19 @@ public class VmMonitor extends
         }
     }
 
+    private static Comparator<VmChannel> preferRunning
+        = new Comparator<>() {
+            @Override
+            public int compare(VmChannel ch1, VmChannel ch2) {
+                if (ch1.vmDefinition().conditionStatus("Running").orElse(false)
+                    && !ch2.vmDefinition().conditionStatus("Running")
+                        .orElse(false)) {
+                    return -1;
+                }
+                return 0;
+            }
+        };
+
     @SuppressWarnings("PMD.SimplifyBooleanReturns")
     private boolean isAssignable(VmPool pool, VmDefinition vmDef) {
         // Check if the VM is in the pool

From b159bae5dabc696303de543dd09ce7e6f23a5760 Mon Sep 17 00:00:00 2001
From: "Michael N. Lipp" <mnl@mnl.de>
Date: Fri, 31 Jan 2025 15:26:42 +0100
Subject: [PATCH 098/274] Allow users to start assigned VMs.

---
 dev-example/test-pool.yaml | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/dev-example/test-pool.yaml b/dev-example/test-pool.yaml
index 82b9131..a72a623 100644
--- a/dev-example/test-pool.yaml
+++ b/dev-example/test-pool.yaml
@@ -9,6 +9,8 @@ spec:
   - user: admin
     may:
     - accessConsole
+    - start
   - role: user
     may:
     - accessConsole
+    - start

From b5ae22a8ead79e376858e91059107d14f1a3b060 Mon Sep 17 00:00:00 2001
From: "Michael N. Lipp" <mnl@mnl.de>
Date: Fri, 31 Jan 2025 22:09:17 +0100
Subject: [PATCH 099/274] Avoid duplicate assignment.

---
 .../jdrupes/vmoperator/manager/VmMonitor.java | 106 +++++++++---------
 1 file changed, 51 insertions(+), 55 deletions(-)

diff --git a/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/VmMonitor.java b/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/VmMonitor.java
index c2d717a..84edafc 100644
--- a/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/VmMonitor.java
+++ b/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/VmMonitor.java
@@ -264,63 +264,59 @@ public class VmMonitor extends
     @SuppressWarnings("PMD.AvoidInstantiatingObjectsInLoops")
     public void onAssignVm(AssignVm event)
             throws ApiException, InterruptedException {
-        VmPool vmPool = null;
-        while (true) {
-            // Search for existing assignment.
-            var assignedVm = channelManager.channels().stream()
-                .filter(c -> c.vmDefinition().assignedFrom()
-                    .map(p -> p.equals(event.fromPool())).orElse(false))
-                .filter(c -> c.vmDefinition().assignedTo()
-                    .map(u -> u.equals(event.toUser())).orElse(false))
-                .findFirst();
-            if (assignedVm.isPresent()) {
-                var vmDef = assignedVm.get().vmDefinition();
-                event.setResult(new VmData(vmDef, assignedVm.get()));
-                return;
-            }
-
-            // Get the pool definition for retention time calculations
-            if (vmPool == null) {
-                vmPool = newEventPipeline().fire(new GetPools()
-                    .withName(event.fromPool())).get().stream().findFirst()
-                    .orElse(null);
-                if (vmPool == null) {
-                    return;
-                }
-            }
-
-            // Find available VM.
-            var pool = vmPool;
-            assignedVm = channelManager.channels().stream()
-                .filter(c -> isAssignable(pool, c.vmDefinition()))
-                .sorted(Comparator.comparing((VmChannel c) -> c.vmDefinition()
-                    .assignmentLastUsed().orElse(Instant.ofEpochSecond(0)))
-                    .thenComparing(preferRunning))
-                .findFirst();
-
-            // None found
-            if (assignedVm.isEmpty()) {
-                return;
-            }
-
-            // Assign to user
+        // Search for existing assignment.
+        var assignedVm = channelManager.channels().stream()
+            .filter(c -> c.vmDefinition().assignedFrom()
+                .map(p -> p.equals(event.fromPool())).orElse(false))
+            .filter(c -> c.vmDefinition().assignedTo()
+                .map(u -> u.equals(event.toUser())).orElse(false))
+            .findFirst();
+        if (assignedVm.isPresent()) {
             var vmDef = assignedVm.get().vmDefinition();
-            var vmStub = VmDefinitionStub.get(client(),
-                new GroupVersionKind(VM_OP_GROUP, "", VM_OP_KIND_VM),
-                vmDef.namespace(), vmDef.name());
-            vmStub.updateStatus(from -> {
-                JsonObject status = from.status();
-                var assignment = GsonPtr.to(status).to("assignment");
-                assignment.set("pool", event.fromPool());
-                assignment.set("user", event.toUser());
-                assignment.set("lastUsed", Instant.now().toString());
-                return status;
-            });
-
-            // Make sure that a newly assigned VM is running.
-            fire(new ModifyVm(vmDef.name(), "state", "Running",
-                assignedVm.get()));
+            event.setResult(new VmData(vmDef, assignedVm.get()));
+            return;
         }
+
+        // Get the pool definition for retention time calculations
+        VmPool vmPool = newEventPipeline().fire(new GetPools()
+            .withName(event.fromPool())).get().stream().findFirst()
+            .orElse(null);
+        if (vmPool == null) {
+            return;
+        }
+
+        // Find available VM.
+        var pool = vmPool;
+        assignedVm = channelManager.channels().stream()
+            .filter(c -> isAssignable(pool, c.vmDefinition()))
+            .sorted(Comparator.comparing((VmChannel c) -> c.vmDefinition()
+                .assignmentLastUsed().orElse(Instant.ofEpochSecond(0)))
+                .thenComparing(preferRunning))
+            .findFirst();
+
+        // None found
+        if (assignedVm.isEmpty()) {
+            return;
+        }
+
+        // Assign to user
+        var vmDef = assignedVm.get().vmDefinition();
+        var vmStub = VmDefinitionStub.get(client(),
+            new GroupVersionKind(VM_OP_GROUP, "", VM_OP_KIND_VM),
+            vmDef.namespace(), vmDef.name());
+        vmStub.updateStatus(from -> {
+            JsonObject status = from.status();
+            var assignment = GsonPtr.to(status).to("assignment");
+            assignment.set("pool", event.fromPool());
+            assignment.set("user", event.toUser());
+            assignment.set("lastUsed", Instant.now().toString());
+            return status;
+        });
+        event.setResult(new VmData(vmDef, assignedVm.get()));
+
+        // Make sure that a newly assigned VM is running.
+        fire(new ModifyVm(vmDef.name(), "state", "Running",
+            assignedVm.get()));
     }
 
     private static Comparator<VmChannel> preferRunning

From 54747b25e8e7fbbe6064989a44c93d11df5386e0 Mon Sep 17 00:00:00 2001
From: "Michael N. Lipp" <mnl@mnl.de>
Date: Sat, 1 Feb 2025 18:51:19 +0100
Subject: [PATCH 100/274] Use VmChannel's event pipeline to update assignment.

---
 .../org/jdrupes/vmoperator/common/VmPool.java | 103 ++++++++++++------
 .../manager/events/UpdateAssignment.java      |  60 ++++++++++
 .../vmoperator/manager/Controller.java        |  30 +++++
 .../jdrupes/vmoperator/manager/VmMonitor.java |  60 ++--------
 4 files changed, 169 insertions(+), 84 deletions(-)
 create mode 100644 org.jdrupes.vmoperator.manager.events/src/org/jdrupes/vmoperator/manager/events/UpdateAssignment.java

diff --git a/org.jdrupes.vmoperator.common/src/org/jdrupes/vmoperator/common/VmPool.java b/org.jdrupes.vmoperator.common/src/org/jdrupes/vmoperator/common/VmPool.java
index cfc29ef..e0817d5 100644
--- a/org.jdrupes.vmoperator.common/src/org/jdrupes/vmoperator/common/VmPool.java
+++ b/org.jdrupes.vmoperator.common/src/org/jdrupes/vmoperator/common/VmPool.java
@@ -134,6 +134,78 @@ public class VmPool {
         return vms;
     }
 
+    /**
+     * Collect all permissions for the given user with the given roles.
+     *
+     * @param user the user
+     * @param roles the roles
+     * @return the sets the
+     */
+    public Set<Permission> permissionsFor(String user,
+            Collection<String> roles) {
+        return permissions.stream()
+            .filter(g -> DataPath.get(g, "user").map(u -> u.equals(user))
+                .orElse(false)
+                || DataPath.get(g, "role").map(roles::contains).orElse(false))
+            .map(g -> DataPath.<Set<Permission>> get(g, "may")
+                .orElse(Collections.emptySet()).stream())
+            .flatMap(Function.identity()).collect(Collectors.toSet());
+    }
+
+    /**
+     * Checks if the given VM belongs to the pool and is not in use.
+     *
+     * @param vmDef the vm def
+     * @return true, if is assignable
+     */
+    @SuppressWarnings("PMD.SimplifyBooleanReturns")
+    public boolean isAssignable(VmDefinition vmDef) {
+        // Check if the VM is in the pool
+        if (!vmDef.pools().contains(name)) {
+            return false;
+        }
+
+        // Check if the VM is not in use
+        if (vmDef.consoleConnected()) {
+            return false;
+        }
+
+        // If not assigned, it's usable
+        if (vmDef.assignedTo().isEmpty()) {
+            return true;
+        }
+
+        // Check if it is to be retained
+        if (vmDef.assignmentLastUsed()
+            .map(this::retainUntil)
+            .map(ru -> Instant.now().isBefore(ru)).orElse(false)) {
+            return false;
+        }
+
+        // Additional check in case lastUsed has not been updated
+        // by PoolMonitor#onVmDefChanged() yet ("race condition")
+        if (vmDef.condition("ConsoleConnected")
+            .map(cc -> cc.getLastTransitionTime().toInstant())
+            .map(this::retainUntil)
+            .map(ru -> Instant.now().isBefore(ru)).orElse(false)) {
+            return false;
+        }
+        return true;
+    }
+
+    /**
+     * Return the instant until which an assignment should be retained.
+     *
+     * @param lastUsed the last used
+     * @return the instant
+     */
+    public Instant retainUntil(Instant lastUsed) {
+        if (retention.startsWith("P")) {
+            return lastUsed.plus(Duration.parse(retention));
+        }
+        return Instant.parse(retention);
+    }
+
     /**
      * To string.
      *
@@ -158,35 +230,4 @@ public class VmPool {
         builder.append(']');
         return builder.toString();
     }
-
-    /**
-     * Collect all permissions for the given user with the given roles.
-     *
-     * @param user the user
-     * @param roles the roles
-     * @return the sets the
-     */
-    public Set<Permission> permissionsFor(String user,
-            Collection<String> roles) {
-        return permissions.stream()
-            .filter(g -> DataPath.get(g, "user").map(u -> u.equals(user))
-                .orElse(false)
-                || DataPath.get(g, "role").map(roles::contains).orElse(false))
-            .map(g -> DataPath.<Set<Permission>> get(g, "may")
-                .orElse(Collections.emptySet()).stream())
-            .flatMap(Function.identity()).collect(Collectors.toSet());
-    }
-
-    /**
-     * Return the instant until which an assignment should be retained.
-     *
-     * @param lastUsed the last used
-     * @return the instant
-     */
-    public Instant retainUntil(Instant lastUsed) {
-        if (retention.startsWith("P")) {
-            return lastUsed.plus(Duration.parse(retention));
-        }
-        return Instant.parse(retention);
-    }
 }
diff --git a/org.jdrupes.vmoperator.manager.events/src/org/jdrupes/vmoperator/manager/events/UpdateAssignment.java b/org.jdrupes.vmoperator.manager.events/src/org/jdrupes/vmoperator/manager/events/UpdateAssignment.java
new file mode 100644
index 0000000..676af3d
--- /dev/null
+++ b/org.jdrupes.vmoperator.manager.events/src/org/jdrupes/vmoperator/manager/events/UpdateAssignment.java
@@ -0,0 +1,60 @@
+/*
+ * VM-Operator
+ * Copyright (C) 2024 Michael N. Lipp
+ * 
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as
+ * published by the Free Software Foundation, either version 3 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program.  If not, see <https://www.gnu.org/licenses/>.
+ */
+
+package org.jdrupes.vmoperator.manager.events;
+
+import org.jgrapes.core.Event;
+
+/**
+ * Note the assignment to a user in the VM status.
+ */
+@SuppressWarnings("PMD.DataClass")
+public class UpdateAssignment extends Event<Boolean> {
+
+    private final String usedPool;
+    private final String toUser;
+
+    /**
+     * Instantiates a new event.
+     *
+     * @param usedPool the used pool
+     * @param toUser the to user
+     */
+    public UpdateAssignment(String usedPool, String toUser) {
+        this.usedPool = usedPool;
+        this.toUser = toUser;
+    }
+
+    /**
+     * Gets the pool to assign from.
+     *
+     * @return the pool
+     */
+    public String usedPool() {
+        return usedPool;
+    }
+
+    /**
+     * Gets the user to assign to.
+     *
+     * @return the to user
+     */
+    public String toUser() {
+        return toUser;
+    }
+}
diff --git a/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/Controller.java b/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/Controller.java
index 1ef17f7..32b3ac4 100644
--- a/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/Controller.java
+++ b/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/Controller.java
@@ -18,6 +18,7 @@
 
 package org.jdrupes.vmoperator.manager;
 
+import com.google.gson.JsonObject;
 import io.kubernetes.client.apimachinery.GroupVersionKind;
 import io.kubernetes.client.custom.V1Patch;
 import io.kubernetes.client.openapi.ApiException;
@@ -25,16 +26,20 @@ import io.kubernetes.client.openapi.Configuration;
 import java.io.IOException;
 import java.nio.file.Files;
 import java.nio.file.Path;
+import java.time.Instant;
 import java.util.logging.Level;
 import static org.jdrupes.vmoperator.common.Constants.VM_OP_GROUP;
 import static org.jdrupes.vmoperator.common.Constants.VM_OP_KIND_VM;
 import org.jdrupes.vmoperator.common.K8sClient;
 import org.jdrupes.vmoperator.common.K8sDynamicStub;
+import org.jdrupes.vmoperator.common.VmDefinitionStub;
 import org.jdrupes.vmoperator.manager.events.ChannelManager;
 import org.jdrupes.vmoperator.manager.events.Exit;
 import org.jdrupes.vmoperator.manager.events.ModifyVm;
+import org.jdrupes.vmoperator.manager.events.UpdateAssignment;
 import org.jdrupes.vmoperator.manager.events.VmChannel;
 import org.jdrupes.vmoperator.manager.events.VmDefChanged;
+import org.jdrupes.vmoperator.util.GsonPtr;
 import org.jgrapes.core.Channel;
 import org.jgrapes.core.Component;
 import org.jgrapes.core.annotation.Handler;
@@ -204,4 +209,29 @@ public class Controller extends Component {
                 () -> "Cannot patch definition for Vm " + vmStub.name());
         }
     }
+
+    /**
+     * Update the assignment information in the status of the VM CR.
+     *
+     * @param event the event
+     * @param channel the channel
+     * @throws ApiException the api exception
+     */
+    @Handler
+    public void onUpdatedAssignment(UpdateAssignment event, VmChannel channel)
+            throws ApiException {
+        var vmDef = channel.vmDefinition();
+        var vmStub = VmDefinitionStub.get(channel.client(),
+            new GroupVersionKind(VM_OP_GROUP, "", VM_OP_KIND_VM),
+            vmDef.namespace(), vmDef.name());
+        vmStub.updateStatus(from -> {
+            JsonObject status = from.status();
+            var assignment = GsonPtr.to(status).to("assignment");
+            assignment.set("pool", event.usedPool());
+            assignment.set("user", event.toUser());
+            assignment.set("lastUsed", Instant.now().toString());
+            return status;
+        });
+        event.setResult(true);
+    }
 }
diff --git a/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/VmMonitor.java b/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/VmMonitor.java
index 84edafc..f0368a7 100644
--- a/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/VmMonitor.java
+++ b/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/VmMonitor.java
@@ -18,8 +18,6 @@
 
 package org.jdrupes.vmoperator.manager;
 
-import com.google.gson.JsonObject;
-import io.kubernetes.client.apimachinery.GroupVersionKind;
 import io.kubernetes.client.openapi.ApiException;
 import io.kubernetes.client.openapi.models.V1ObjectMeta;
 import io.kubernetes.client.util.Watch;
@@ -55,9 +53,9 @@ import org.jdrupes.vmoperator.manager.events.GetPools;
 import org.jdrupes.vmoperator.manager.events.GetVms;
 import org.jdrupes.vmoperator.manager.events.GetVms.VmData;
 import org.jdrupes.vmoperator.manager.events.ModifyVm;
+import org.jdrupes.vmoperator.manager.events.UpdateAssignment;
 import org.jdrupes.vmoperator.manager.events.VmChannel;
 import org.jdrupes.vmoperator.manager.events.VmDefChanged;
-import org.jdrupes.vmoperator.util.GsonPtr;
 import org.jgrapes.core.Channel;
 import org.jgrapes.core.Event;
 import org.jgrapes.core.annotation.Handler;
@@ -277,7 +275,7 @@ public class VmMonitor extends
             return;
         }
 
-        // Get the pool definition for retention time calculations
+        // Get the pool definition assignability check
         VmPool vmPool = newEventPipeline().fire(new GetPools()
             .withName(event.fromPool())).get().stream().findFirst()
             .orElse(null);
@@ -286,9 +284,8 @@ public class VmMonitor extends
         }
 
         // Find available VM.
-        var pool = vmPool;
         assignedVm = channelManager.channels().stream()
-            .filter(c -> isAssignable(pool, c.vmDefinition()))
+            .filter(c -> vmPool.isAssignable(c.vmDefinition()))
             .sorted(Comparator.comparing((VmChannel c) -> c.vmDefinition()
                 .assignmentLastUsed().orElse(Instant.ofEpochSecond(0)))
                 .thenComparing(preferRunning))
@@ -300,23 +297,14 @@ public class VmMonitor extends
         }
 
         // Assign to user
+        assignedVm.get().pipeline().fire(new UpdateAssignment(vmPool.name(),
+            event.toUser()), assignedVm.get()).get();
         var vmDef = assignedVm.get().vmDefinition();
-        var vmStub = VmDefinitionStub.get(client(),
-            new GroupVersionKind(VM_OP_GROUP, "", VM_OP_KIND_VM),
-            vmDef.namespace(), vmDef.name());
-        vmStub.updateStatus(from -> {
-            JsonObject status = from.status();
-            var assignment = GsonPtr.to(status).to("assignment");
-            assignment.set("pool", event.fromPool());
-            assignment.set("user", event.toUser());
-            assignment.set("lastUsed", Instant.now().toString());
-            return status;
-        });
         event.setResult(new VmData(vmDef, assignedVm.get()));
 
         // Make sure that a newly assigned VM is running.
-        fire(new ModifyVm(vmDef.name(), "state", "Running",
-            assignedVm.get()));
+        assignedVm.get().pipeline().fire(new ModifyVm(vmDef.name(),
+            "state", "Running", assignedVm.get()));
     }
 
     private static Comparator<VmChannel> preferRunning
@@ -332,38 +320,4 @@ public class VmMonitor extends
             }
         };
 
-    @SuppressWarnings("PMD.SimplifyBooleanReturns")
-    private boolean isAssignable(VmPool pool, VmDefinition vmDef) {
-        // Check if the VM is in the pool
-        if (!vmDef.pools().contains(pool.name())) {
-            return false;
-        }
-
-        // Check if the VM is not in use
-        if (vmDef.consoleConnected()) {
-            return false;
-        }
-
-        // If not assigned, it's usable
-        if (vmDef.assignedTo().isEmpty()) {
-            return true;
-        }
-
-        // Check if it is to be retained
-        if (vmDef.assignmentLastUsed()
-            .map(lu -> pool.retainUntil(lu))
-            .map(ru -> Instant.now().isBefore(ru)).orElse(false)) {
-            return false;
-        }
-
-        // Additional check in case lastUsed has not been updated
-        // by PoolMonitor#onVmDefChanged() yet ("race condition")
-        if (vmDef.condition("ConsoleConnected")
-            .map(cc -> cc.getLastTransitionTime().toInstant())
-            .map(t -> pool.retainUntil(t))
-            .map(ru -> Instant.now().isBefore(ru)).orElse(false)) {
-            return false;
-        }
-        return true;
-    }
 }

From 85a4521299f6ae693546927a1af82a44c3a6cee1 Mon Sep 17 00:00:00 2001
From: "Michael N. Lipp" <mnl@mnl.de>
Date: Sat, 1 Feb 2025 22:06:30 +0100
Subject: [PATCH 101/274] Combine VmDefinitionModel and VmDefinition.

---
 .../vmoperator/common/K8sDynamicModel.java    |   2 +-
 .../vmoperator/common/VmDefinition.java       | 201 +++++++-----------
 .../vmoperator/common/VmDefinitionModel.java  |  39 ----
 .../vmoperator/common/VmDefinitionModels.java |   4 +-
 .../vmoperator/common/VmDefinitionStub.java   |  16 +-
 .../vmoperator/manager/runnerConfig.ftl.yaml  |   2 +-
 .../manager/runnerLoadBalancer.ftl.yaml       |   2 +-
 .../vmoperator/manager/runnerPod.ftl.yaml     |   2 +-
 .../vmoperator/manager/Controller.java        |   2 +-
 .../manager/DisplaySecretMonitor.java         |   2 +-
 .../vmoperator/manager/PoolMonitor.java       |   3 +-
 .../jdrupes/vmoperator/manager/VmMonitor.java |  24 +--
 .../runner/qemu/ConsoleTracker.java           |   4 +-
 .../vmoperator/runner/qemu/StatusUpdater.java |  18 +-
 .../vmoperator/runner/qemu/VmDefUpdater.java  |   4 +-
 .../jdrupes/vmoperator/vmaccess/VmAccess.java |   2 +-
 16 files changed, 121 insertions(+), 206 deletions(-)
 delete mode 100644 org.jdrupes.vmoperator.common/src/org/jdrupes/vmoperator/common/VmDefinitionModel.java

diff --git a/org.jdrupes.vmoperator.common/src/org/jdrupes/vmoperator/common/K8sDynamicModel.java b/org.jdrupes.vmoperator.common/src/org/jdrupes/vmoperator/common/K8sDynamicModel.java
index 6a4410f..dd2bdd5 100644
--- a/org.jdrupes.vmoperator.common/src/org/jdrupes/vmoperator/common/K8sDynamicModel.java
+++ b/org.jdrupes.vmoperator.common/src/org/jdrupes/vmoperator/common/K8sDynamicModel.java
@@ -102,7 +102,7 @@ public class K8sDynamicModel implements KubernetesObject {
      *
      * @return the JSON object describing the status
      */
-    public JsonObject status() {
+    public JsonObject statusJson() {
         return data.getAsJsonObject("status");
     }
 
diff --git a/org.jdrupes.vmoperator.common/src/org/jdrupes/vmoperator/common/VmDefinition.java b/org.jdrupes.vmoperator.common/src/org/jdrupes/vmoperator/common/VmDefinition.java
index ffb1bf2..e677642 100644
--- a/org.jdrupes.vmoperator.common/src/org/jdrupes/vmoperator/common/VmDefinition.java
+++ b/org.jdrupes.vmoperator.common/src/org/jdrupes/vmoperator/common/VmDefinition.java
@@ -20,8 +20,10 @@ package org.jdrupes.vmoperator.common;
 
 import com.fasterxml.jackson.databind.ObjectMapper;
 import com.fasterxml.jackson.datatype.jsr310.JavaTimeModule;
+import com.google.gson.Gson;
+import com.google.gson.JsonObject;
+import io.kubernetes.client.openapi.JSON;
 import io.kubernetes.client.openapi.models.V1Condition;
-import io.kubernetes.client.openapi.models.V1ObjectMeta;
 import io.kubernetes.client.util.Strings;
 import java.net.InetAddress;
 import java.net.UnknownHostException;
@@ -46,21 +48,20 @@ import org.jdrupes.vmoperator.util.DataPath;
 /**
  * Represents a VM definition.
  */
-@SuppressWarnings({ "PMD.DataClass", "PMD.TooManyMethods" })
-public class VmDefinition {
+@SuppressWarnings({ "PMD.DataClass", "PMD.TooManyMethods",
+    "PMD.CouplingBetweenObjects" })
+public class VmDefinition extends K8sDynamicModel {
 
     @SuppressWarnings("PMD.FieldNamingConventions")
     private static final Logger logger
         = Logger.getLogger(VmDefinition.class.getName());
     @SuppressWarnings("PMD.FieldNamingConventions")
+    private static final Gson gson = new JSON().getGson();
+    @SuppressWarnings("PMD.FieldNamingConventions")
     private static final ObjectMapper objectMapper
         = new ObjectMapper().registerModule(new JavaTimeModule());
 
-    private String kind;
-    private String apiVersion;
-    private V1ObjectMeta metadata;
-    private Map<String, Object> spec;
-    private Map<String, Object> status;
+    private final Model model;
     private final Map<String, Object> extra = new ConcurrentHashMap<>();
 
     /**
@@ -145,66 +146,34 @@ public class VmDefinition {
     }
 
     /**
-     * Gets the kind.
+     * Instantiates a new vm definition.
      *
-     * @return the kind
+     * @param delegate the delegate
+     * @param json the json
      */
-    public String getKind() {
-        return kind;
+    public VmDefinition(Gson delegate, JsonObject json) {
+        super(delegate, json);
+        model = gson.fromJson(json, Model.class);
     }
 
     /**
-     * Sets the kind.
+     * Gets the spec.
      *
-     * @param kind the kind to set
+     * @return the spec
      */
-    public void setKind(String kind) {
-        this.kind = kind;
+    public Map<String, Object> spec() {
+        return model.getSpec();
     }
 
     /**
-     * Gets the api version.
+     * Get a value from the spec using {@link DataPath#get}.
      *
-     * @return the apiVersion
+     * @param <T> the generic type
+     * @param selectors the selectors
+     * @return the value, if found
      */
-    public String getApiVersion() {
-        return apiVersion;
-    }
-
-    /**
-     * Sets the api version.
-     *
-     * @param apiVersion the apiVersion to set
-     */
-    public void setApiVersion(String apiVersion) {
-        this.apiVersion = apiVersion;
-    }
-
-    /**
-     * Gets the metadata.
-     *
-     * @return the metadata
-     */
-    public V1ObjectMeta getMetadata() {
-        return metadata;
-    }
-
-    /**
-     * Gets the metadata.
-     *
-     * @return the metadata
-     */
-    public V1ObjectMeta metadata() {
-        return metadata;
-    }
-
-    /**
-     * Sets the metadata.
-     *
-     * @param metadata the metadata to set
-     */
-    public void setMetadata(V1ObjectMeta metadata) {
-        this.metadata = metadata;
+    public <T> Optional<T> fromSpec(Object... selectors) {
+        return DataPath.get(spec(), selectors);
     }
 
     /**
@@ -217,35 +186,6 @@ public class VmDefinition {
             .orElse(Collections.emptyList());
     }
 
-    /**
-     * Gets the spec.
-     *
-     * @return the spec
-     */
-    public Map<String, Object> getSpec() {
-        return spec;
-    }
-
-    /**
-     * Gets the spec.
-     *
-     * @return the spec
-     */
-    public Map<String, Object> spec() {
-        return spec;
-    }
-
-    /**
-     * Get a value from the spec using {@link DataPath#get}.
-     *
-     * @param <T> the generic type
-     * @param selectors the selectors
-     * @return the value, if found
-     */
-    public <T> Optional<T> fromSpec(Object... selectors) {
-        return DataPath.get(spec, selectors);
-    }
-
     /**
      * Get a value from the `spec().get("vm")` using {@link DataPath#get}.
      *
@@ -254,35 +194,17 @@ public class VmDefinition {
      * @return the value, if found
      */
     public <T> Optional<T> fromVm(Object... selectors) {
-        return DataPath.get(spec, "vm")
+        return DataPath.get(spec(), "vm")
             .flatMap(vm -> DataPath.get(vm, selectors));
     }
 
-    /**
-     * Sets the spec.
-     *
-     * @param spec the spec to set
-     */
-    public void setSpec(Map<String, Object> spec) {
-        this.spec = spec;
-    }
-
-    /**
-     * Gets the status.
-     *
-     * @return the status
-     */
-    public Map<String, Object> getStatus() {
-        return status;
-    }
-
     /**
      * Gets the status.
      *
      * @return the status
      */
     public Map<String, Object> status() {
-        return status;
+        return model.getStatus();
     }
 
     /**
@@ -293,16 +215,7 @@ public class VmDefinition {
      * @return the value, if found
      */
     public <T> Optional<T> fromStatus(Object... selectors) {
-        return DataPath.get(status, selectors);
-    }
-
-    /**
-     * Sets the status.
-     *
-     * @param status the status to set
-     */
-    public void setStatus(Map<String, Object> status) {
-        this.status = status;
+        return DataPath.get(status(), selectors);
     }
 
     /**
@@ -411,7 +324,7 @@ public class VmDefinition {
      * @return the string
      */
     public String name() {
-        return metadata.getName();
+        return metadata().getName();
     }
 
     /**
@@ -420,7 +333,7 @@ public class VmDefinition {
      * @return the string
      */
     public String namespace() {
-        return metadata.getNamespace();
+        return metadata().getNamespace();
     }
 
     /**
@@ -569,7 +482,7 @@ public class VmDefinition {
      */
     @Override
     public int hashCode() {
-        return Objects.hash(metadata.getNamespace(), metadata.getName());
+        return Objects.hash(metadata().getNamespace(), metadata().getName());
     }
 
     /**
@@ -590,9 +503,55 @@ public class VmDefinition {
             return false;
         }
         VmDefinition other = (VmDefinition) obj;
-        return Objects.equals(metadata.getNamespace(),
-            other.metadata.getNamespace())
-            && Objects.equals(metadata.getName(), other.metadata.getName());
+        return Objects.equals(metadata().getNamespace(),
+            other.metadata().getNamespace())
+            && Objects.equals(metadata().getName(), other.metadata().getName());
+    }
+
+    /**
+     * The Class Model.
+     */
+    public static class Model {
+
+        private Map<String, Object> spec;
+        private Map<String, Object> status;
+
+        /**
+         * Gets the spec.
+         *
+         * @return the spec
+         */
+        public Map<String, Object> getSpec() {
+            return spec;
+        }
+
+        /**
+         * Sets the spec.
+         *
+         * @param spec the spec to set
+         */
+        public void setSpec(Map<String, Object> spec) {
+            this.spec = spec;
+        }
+
+        /**
+         * Gets the status.
+         *
+         * @return the status
+         */
+        public Map<String, Object> getStatus() {
+            return status;
+        }
+
+        /**
+         * Sets the status.
+         *
+         * @param status the status to set
+         */
+        public void setStatus(Map<String, Object> status) {
+            this.status = status;
+        }
+
     }
 
 }
diff --git a/org.jdrupes.vmoperator.common/src/org/jdrupes/vmoperator/common/VmDefinitionModel.java b/org.jdrupes.vmoperator.common/src/org/jdrupes/vmoperator/common/VmDefinitionModel.java
deleted file mode 100644
index d4ae5da..0000000
--- a/org.jdrupes.vmoperator.common/src/org/jdrupes/vmoperator/common/VmDefinitionModel.java
+++ /dev/null
@@ -1,39 +0,0 @@
-/*
- * VM-Operator
- * Copyright (C) 2024 Michael N. Lipp
- * 
- * This program is free software: you can redistribute it and/or modify
- * it under the terms of the GNU Affero General Public License as
- * published by the Free Software Foundation, either version 3 of the
- * License, or (at your option) any later version.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- * GNU Affero General Public License for more details.
- *
- * You should have received a copy of the GNU Affero General Public License
- * along with this program.  If not, see <https://www.gnu.org/licenses/>.
- */
-
-package org.jdrupes.vmoperator.common;
-
-import com.google.gson.Gson;
-import com.google.gson.JsonObject;
-
-/**
- * Represents a VM definition.
- */
-@SuppressWarnings("PMD.DataClass")
-public class VmDefinitionModel extends K8sDynamicModel {
-
-    /**
-     * Instantiates a new model from the JSON representation.
-     *
-     * @param delegate the gson instance to use for extracting structured data
-     * @param json the JSON
-     */
-    public VmDefinitionModel(Gson delegate, JsonObject json) {
-        super(delegate, json);
-    }
-}
diff --git a/org.jdrupes.vmoperator.common/src/org/jdrupes/vmoperator/common/VmDefinitionModels.java b/org.jdrupes.vmoperator.common/src/org/jdrupes/vmoperator/common/VmDefinitionModels.java
index 5ac412f..22e5bd7 100644
--- a/org.jdrupes.vmoperator.common/src/org/jdrupes/vmoperator/common/VmDefinitionModels.java
+++ b/org.jdrupes.vmoperator.common/src/org/jdrupes/vmoperator/common/VmDefinitionModels.java
@@ -25,7 +25,7 @@ import com.google.gson.JsonObject;
  * Represents a list of {@link VmDefinitionModel}s.
  */
 public class VmDefinitionModels
-        extends K8sDynamicModelsBase<VmDefinitionModel> {
+        extends K8sDynamicModelsBase<VmDefinition> {
 
     /**
      * Initialize the object list using the given JSON data.
@@ -34,6 +34,6 @@ public class VmDefinitionModels
      * @param data the data
      */
     public VmDefinitionModels(Gson delegate, JsonObject data) {
-        super(VmDefinitionModel.class, delegate, data);
+        super(VmDefinition.class, delegate, data);
     }
 }
diff --git a/org.jdrupes.vmoperator.common/src/org/jdrupes/vmoperator/common/VmDefinitionStub.java b/org.jdrupes.vmoperator.common/src/org/jdrupes/vmoperator/common/VmDefinitionStub.java
index 49da3e0..e2e71da 100644
--- a/org.jdrupes.vmoperator.common/src/org/jdrupes/vmoperator/common/VmDefinitionStub.java
+++ b/org.jdrupes.vmoperator.common/src/org/jdrupes/vmoperator/common/VmDefinitionStub.java
@@ -33,9 +33,9 @@ import java.util.Collection;
  */
 @SuppressWarnings("PMD.DataflowAnomalyAnalysis")
 public class VmDefinitionStub
-        extends K8sDynamicStubBase<VmDefinitionModel, VmDefinitionModels> {
+        extends K8sDynamicStubBase<VmDefinition, VmDefinitionModels> {
 
-    private static DynamicTypeAdapterFactory<VmDefinitionModel,
+    private static DynamicTypeAdapterFactory<VmDefinition,
             VmDefinitionModels> taf = new VmDefintionModelTypeAdapterFactory();
 
     /**
@@ -48,7 +48,7 @@ public class VmDefinitionStub
      */
     public VmDefinitionStub(K8sClient client, APIResource context,
             String namespace, String name) {
-        super(VmDefinitionModel.class, VmDefinitionModels.class, taf, client,
+        super(VmDefinition.class, VmDefinitionModels.class, taf, client,
             context, namespace, name);
     }
 
@@ -101,9 +101,9 @@ public class VmDefinitionStub
      */
     public static VmDefinitionStub createFromYaml(K8sClient client,
             APIResource context, Reader yaml) throws ApiException {
-        var model = new VmDefinitionModel(client.getJSON().getGson(),
+        var model = new VmDefinition(client.getJSON().getGson(),
             K8s.yamlToJson(client, yaml));
-        return K8sGenericStub.create(VmDefinitionModel.class,
+        return K8sGenericStub.create(VmDefinition.class,
             VmDefinitionModels.class, client, context, model,
             (c, ns, n) -> new VmDefinitionStub(c, context, ns, n));
     }
@@ -121,7 +121,7 @@ public class VmDefinitionStub
     public static Collection<VmDefinitionStub> list(K8sClient client,
             APIResource context, String namespace, ListOptions options)
             throws ApiException {
-        return K8sGenericStub.list(VmDefinitionModel.class,
+        return K8sGenericStub.list(VmDefinition.class,
             VmDefinitionModels.class, client, context, namespace, options,
             (c, ns, n) -> new VmDefinitionStub(c, context, ns, n));
     }
@@ -144,13 +144,13 @@ public class VmDefinitionStub
      * A factory for creating VmDefinitionModel(s) objects.
      */
     public static class VmDefintionModelTypeAdapterFactory extends
-            DynamicTypeAdapterFactory<VmDefinitionModel, VmDefinitionModels> {
+            DynamicTypeAdapterFactory<VmDefinition, VmDefinitionModels> {
 
         /**
          * Instantiates a new dynamic model type adapter factory.
          */
         public VmDefintionModelTypeAdapterFactory() {
-            super(VmDefinitionModel.class, VmDefinitionModels.class);
+            super(VmDefinition.class, VmDefinitionModels.class);
         }
     }
 
diff --git a/org.jdrupes.vmoperator.manager/resources/org/jdrupes/vmoperator/manager/runnerConfig.ftl.yaml b/org.jdrupes.vmoperator.manager/resources/org/jdrupes/vmoperator/manager/runnerConfig.ftl.yaml
index 8a50a5e..f348244 100644
--- a/org.jdrupes.vmoperator.manager/resources/org/jdrupes/vmoperator/manager/runnerConfig.ftl.yaml
+++ b/org.jdrupes.vmoperator.manager/resources/org/jdrupes/vmoperator/manager/runnerConfig.ftl.yaml
@@ -10,7 +10,7 @@ metadata:
   annotations:
     vmoperator.jdrupes.org/version: ${ managerVersion }
   ownerReferences:
-  - apiVersion: ${ cr.apiVersion }
+  - apiVersion: ${ cr.apiVersion() }
     kind: ${ constants.VM_OP_KIND_VM }
     name: ${ cr.name() }
     uid: ${ cr.metadata().getUid() }
diff --git a/org.jdrupes.vmoperator.manager/resources/org/jdrupes/vmoperator/manager/runnerLoadBalancer.ftl.yaml b/org.jdrupes.vmoperator.manager/resources/org/jdrupes/vmoperator/manager/runnerLoadBalancer.ftl.yaml
index 9a70e19..c25d7f4 100644
--- a/org.jdrupes.vmoperator.manager/resources/org/jdrupes/vmoperator/manager/runnerLoadBalancer.ftl.yaml
+++ b/org.jdrupes.vmoperator.manager/resources/org/jdrupes/vmoperator/manager/runnerLoadBalancer.ftl.yaml
@@ -10,7 +10,7 @@ metadata:
   annotations:
     vmoperator.jdrupes.org/version: ${ managerVersion }
   ownerReferences:
-  - apiVersion: ${ cr.apiVersion }
+  - apiVersion: ${ cr.apiVersion() }
     kind: ${ constants.VM_OP_KIND_VM }
     name: ${ cr.name() }
     uid: ${ cr.metadata().getUid() }
diff --git a/org.jdrupes.vmoperator.manager/resources/org/jdrupes/vmoperator/manager/runnerPod.ftl.yaml b/org.jdrupes.vmoperator.manager/resources/org/jdrupes/vmoperator/manager/runnerPod.ftl.yaml
index e62ac70..917d790 100644
--- a/org.jdrupes.vmoperator.manager/resources/org/jdrupes/vmoperator/manager/runnerPod.ftl.yaml
+++ b/org.jdrupes.vmoperator.manager/resources/org/jdrupes/vmoperator/manager/runnerPod.ftl.yaml
@@ -14,7 +14,7 @@ metadata:
     vmrunner.jdrupes.org/cmVersion: "${ cm.metadata.resourceVersion }"
     vmoperator.jdrupes.org/version: ${ managerVersion }
   ownerReferences:
-  - apiVersion: ${ cr.apiVersion }
+  - apiVersion: ${ cr.apiVersion() }
     kind: ${ constants.VM_OP_KIND_VM }
     name: ${ cr.name() }
     uid: ${ cr.metadata().getUid() }
diff --git a/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/Controller.java b/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/Controller.java
index 32b3ac4..3e25a08 100644
--- a/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/Controller.java
+++ b/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/Controller.java
@@ -225,7 +225,7 @@ public class Controller extends Component {
             new GroupVersionKind(VM_OP_GROUP, "", VM_OP_KIND_VM),
             vmDef.namespace(), vmDef.name());
         vmStub.updateStatus(from -> {
-            JsonObject status = from.status();
+            JsonObject status = from.statusJson();
             var assignment = GsonPtr.to(status).to("assignment");
             assignment.set("pool", event.usedPool());
             assignment.set("user", event.toUser());
diff --git a/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/DisplaySecretMonitor.java b/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/DisplaySecretMonitor.java
index 141c806..a0809e9 100644
--- a/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/DisplaySecretMonitor.java
+++ b/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/DisplaySecretMonitor.java
@@ -185,7 +185,7 @@ public class DisplaySecretMonitor
             new GroupVersionKind(VM_OP_GROUP, "", VM_OP_KIND_VM),
             event.vmDefinition().namespace(), event.vmDefinition().name());
         vmStub.updateStatus(from -> {
-            JsonObject status = from.status();
+            JsonObject status = from.statusJson();
             status.addProperty("consoleUser", event.user());
             return status;
         });
diff --git a/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/PoolMonitor.java b/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/PoolMonitor.java
index b83c0f5..25fb10b 100644
--- a/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/PoolMonitor.java
+++ b/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/PoolMonitor.java
@@ -187,7 +187,8 @@ public class PoolMonitor extends
             new GroupVersionKind(VM_OP_GROUP, "", VM_OP_KIND_VM),
             vmDef.namespace(), vmDef.name());
         vmStub.updateStatus(from -> {
-            JsonObject status = from.status();
+            // TODO
+            JsonObject status = from.statusJson();
             var assignment = GsonPtr.to(status).to("assignment");
             assignment.set("lastUsed", ccChange.get().toString());
             return status;
diff --git a/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/VmMonitor.java b/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/VmMonitor.java
index f0368a7..b458628 100644
--- a/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/VmMonitor.java
+++ b/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/VmMonitor.java
@@ -41,7 +41,6 @@ import org.jdrupes.vmoperator.common.K8sV1ConfigMapStub;
 import org.jdrupes.vmoperator.common.K8sV1PodStub;
 import org.jdrupes.vmoperator.common.K8sV1StatefulSetStub;
 import org.jdrupes.vmoperator.common.VmDefinition;
-import org.jdrupes.vmoperator.common.VmDefinitionModel;
 import org.jdrupes.vmoperator.common.VmDefinitionModels;
 import org.jdrupes.vmoperator.common.VmDefinitionStub;
 import org.jdrupes.vmoperator.common.VmPool;
@@ -65,7 +64,7 @@ import org.jgrapes.core.annotation.Handler;
  */
 @SuppressWarnings({ "PMD.DataflowAnomalyAnalysis", "PMD.ExcessiveImports" })
 public class VmMonitor extends
-        AbstractMonitor<VmDefinitionModel, VmDefinitionModels, VmChannel> {
+        AbstractMonitor<VmDefinition, VmDefinitionModels, VmChannel> {
 
     private final ChannelManager<String, VmChannel, ?> channelManager;
 
@@ -77,7 +76,7 @@ public class VmMonitor extends
      */
     public VmMonitor(Channel componentChannel,
             ChannelManager<String, VmChannel, ?> channelManager) {
-        super(componentChannel, VmDefinitionModel.class,
+        super(componentChannel, VmDefinition.class,
             VmDefinitionModels.class);
         this.channelManager = channelManager;
     }
@@ -122,7 +121,7 @@ public class VmMonitor extends
 
     @Override
     protected void handleChange(K8sClient client,
-            Watch.Response<VmDefinitionModel> response) {
+            Watch.Response<VmDefinition> response) {
         V1ObjectMeta metadata = response.object.getMetadata();
         AtomicBoolean toBeAdded = new AtomicBoolean(false);
         VmChannel channel = channelManager.channel(metadata.getName())
@@ -132,21 +131,17 @@ public class VmMonitor extends
             });
 
         // Get full definition and associate with channel as backup
-        var vmModel = response.object;
-        if (vmModel.data() == null) {
+        var vmDef = response.object;
+        if (vmDef.data() == null) {
             // ADDED event does not provide data, see
             // https://github.com/kubernetes-client/java/issues/3215
-            vmModel = getModel(client, vmModel);
+            vmDef = getModel(client, vmDef);
         }
-        VmDefinition vmDef = null;
-        if (vmModel.data() != null) {
+        if (vmDef.data() != null) {
             // New data, augment and save
-            vmDef = client.getJSON().getGson().fromJson(vmModel.data(),
-                VmDefinition.class);
             addDynamicData(channel.client(), vmDef, channel.vmDefinition());
             channel.setVmDefinition(vmDef);
-        }
-        if (vmDef == null) {
+        } else {
             // Reuse cached (e.g. if deleted)
             vmDef = channel.vmDefinition();
         }
@@ -173,8 +168,7 @@ public class VmMonitor extends
         channel.pipeline().fire(chgEvt, channel);
     }
 
-    private VmDefinitionModel getModel(K8sClient client,
-            VmDefinitionModel vmDef) {
+    private VmDefinition getModel(K8sClient client, VmDefinition vmDef) {
         try {
             return VmDefinitionStub.get(client, context(), namespace(),
                 vmDef.metadata().getName()).model().orElse(null);
diff --git a/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/ConsoleTracker.java b/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/ConsoleTracker.java
index f2309df..b91b5df 100644
--- a/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/ConsoleTracker.java
+++ b/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/ConsoleTracker.java
@@ -106,7 +106,7 @@ public class ConsoleTracker extends VmDefUpdater {
         mainChannelClientHost = event.clientHost();
         mainChannelClientPort = event.clientPort();
         vmStub.updateStatus(from -> {
-            JsonObject status = from.status();
+            JsonObject status = from.statusJson();
             status.addProperty("consoleClient", event.clientHost());
             updateCondition(from, status, "ConsoleConnected", true, "Connected",
                 "Connection from " + event.clientHost());
@@ -141,7 +141,7 @@ public class ConsoleTracker extends VmDefUpdater {
             return;
         }
         vmStub.updateStatus(from -> {
-            JsonObject status = from.status();
+            JsonObject status = from.statusJson();
             status.addProperty("consoleClient", "");
             updateCondition(from, status, "ConsoleConnected", false,
                 "Disconnected", event.clientHost() + " has disconnected");
diff --git a/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/StatusUpdater.java b/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/StatusUpdater.java
index 0b18df0..d33358b 100644
--- a/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/StatusUpdater.java
+++ b/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/StatusUpdater.java
@@ -33,7 +33,7 @@ import static org.jdrupes.vmoperator.common.Constants.APP_NAME;
 import static org.jdrupes.vmoperator.common.Constants.VM_OP_GROUP;
 import static org.jdrupes.vmoperator.common.Constants.VM_OP_KIND_VM;
 import org.jdrupes.vmoperator.common.K8s;
-import org.jdrupes.vmoperator.common.VmDefinitionModel;
+import org.jdrupes.vmoperator.common.VmDefinition;
 import org.jdrupes.vmoperator.common.VmDefinitionStub;
 import org.jdrupes.vmoperator.runner.qemu.events.BalloonChangeEvent;
 import org.jdrupes.vmoperator.runner.qemu.events.ConfigureQemu;
@@ -140,12 +140,12 @@ public class StatusUpdater extends VmDefUpdater {
         if (vmDef.isPresent()
             && vmDef.get().metadata().getGeneration() == observedGeneration
             && (event.configuration().hasDisplayPassword
-                || vmDef.get().status().getAsJsonPrimitive(
+                || vmDef.get().statusJson().getAsJsonPrimitive(
                     "displayPasswordSerial").getAsInt() == -1)) {
             return;
         }
         vmStub.updateStatus(vmDef.get(), from -> {
-            JsonObject status = from.status();
+            JsonObject status = from.statusJson();
             if (!event.configuration().hasDisplayPassword) {
                 status.addProperty("displayPasswordSerial", -1);
             }
@@ -169,14 +169,14 @@ public class StatusUpdater extends VmDefUpdater {
         "PMD.AvoidLiteralsInIfCondition" })
     public void onRunnerStateChanged(RunnerStateChange event)
             throws ApiException {
-        VmDefinitionModel vmDef;
+        VmDefinition vmDef;
         if (vmStub == null || (vmDef = vmStub.model().orElse(null)) == null) {
             return;
         }
         vmStub.updateStatus(vmDef, from -> {
-            JsonObject status = from.status();
+            JsonObject status = from.statusJson();
             boolean running = RUNNING_STATES.contains(event.runState());
-            updateCondition(vmDef, vmDef.status(), "Running", running,
+            updateCondition(vmDef, vmDef.statusJson(), "Running", running,
                 event.reason(), event.message());
             if (event.runState() == RunState.STARTING) {
                 status.addProperty("ram", GsonPtr.to(from.data())
@@ -230,7 +230,7 @@ public class StatusUpdater extends VmDefUpdater {
             return;
         }
         vmStub.updateStatus(from -> {
-            JsonObject status = from.status();
+            JsonObject status = from.statusJson();
             status.addProperty("ram",
                 new Quantity(new BigDecimal(event.size()), Format.BINARY_SI)
                     .toSuffixedString());
@@ -250,7 +250,7 @@ public class StatusUpdater extends VmDefUpdater {
             return;
         }
         vmStub.updateStatus(from -> {
-            JsonObject status = from.status();
+            JsonObject status = from.statusJson();
             status.addProperty("cpus", event.usedCpus().size());
             return status;
         });
@@ -269,7 +269,7 @@ public class StatusUpdater extends VmDefUpdater {
             return;
         }
         vmStub.updateStatus(from -> {
-            JsonObject status = from.status();
+            JsonObject status = from.statusJson();
             status.addProperty("displayPasswordSerial",
                 status.get("displayPasswordSerial").getAsLong() + 1);
             return status;
diff --git a/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/VmDefUpdater.java b/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/VmDefUpdater.java
index 9683457..f04b478 100644
--- a/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/VmDefUpdater.java
+++ b/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/VmDefUpdater.java
@@ -31,7 +31,7 @@ import java.util.Optional;
 import java.util.logging.Level;
 import java.util.stream.Collectors;
 import org.jdrupes.vmoperator.common.K8sClient;
-import org.jdrupes.vmoperator.common.VmDefinitionModel;
+import org.jdrupes.vmoperator.common.VmDefinition;
 import org.jdrupes.vmoperator.runner.qemu.events.Exit;
 import org.jgrapes.core.Channel;
 import org.jgrapes.core.Component;
@@ -118,7 +118,7 @@ public class VmDefUpdater extends Component {
      * @param reason the reason for the change
      * @param message the message
      */
-    protected void updateCondition(VmDefinitionModel from, JsonObject status,
+    protected void updateCondition(VmDefinition from, JsonObject status,
             String type, boolean state, String reason, String message) {
         // Optimize, as we can get this several times
         var current = status.getAsJsonArray("conditions").asList().stream()
diff --git a/org.jdrupes.vmoperator.vmaccess/src/org/jdrupes/vmoperator/vmaccess/VmAccess.java b/org.jdrupes.vmoperator.vmaccess/src/org/jdrupes/vmoperator/vmaccess/VmAccess.java
index bd9a802..d6c385e 100644
--- a/org.jdrupes.vmoperator.vmaccess/src/org/jdrupes/vmoperator/vmaccess/VmAccess.java
+++ b/org.jdrupes.vmoperator.vmaccess/src/org/jdrupes/vmoperator/vmaccess/VmAccess.java
@@ -593,7 +593,7 @@ public class VmAccess extends FreeMarkerConlet<VmAccess.ResourceModel> {
                     Map.of("namespace", vmDef.namespace(),
                         "name", vmDef.name()),
                     "spec", vmDef.spec(),
-                    "status", vmDef.getStatus());
+                    "status", vmDef.status());
             } catch (JsonSyntaxException e) {
                 logger.log(Level.SEVERE, e,
                     () -> "Failed to serialize VM definition");

From b7ea6860ff8a7e0496ae6e4374986edb8150c1e0 Mon Sep 17 00:00:00 2001
From: "Michael N. Lipp" <mnl@mnl.de>
Date: Sat, 1 Feb 2025 22:08:57 +0100
Subject: [PATCH 102/274] Adapt name to previous change.

---
 .../vmoperator/common/VmDefinitionStub.java        | 14 +++++++-------
 ...{VmDefinitionModels.java => VmDefinitions.java} |  6 +++---
 .../org/jdrupes/vmoperator/manager/VmMonitor.java  |  6 +++---
 3 files changed, 13 insertions(+), 13 deletions(-)
 rename org.jdrupes.vmoperator.common/src/org/jdrupes/vmoperator/common/{VmDefinitionModels.java => VmDefinitions.java} (88%)

diff --git a/org.jdrupes.vmoperator.common/src/org/jdrupes/vmoperator/common/VmDefinitionStub.java b/org.jdrupes.vmoperator.common/src/org/jdrupes/vmoperator/common/VmDefinitionStub.java
index e2e71da..72194da 100644
--- a/org.jdrupes.vmoperator.common/src/org/jdrupes/vmoperator/common/VmDefinitionStub.java
+++ b/org.jdrupes.vmoperator.common/src/org/jdrupes/vmoperator/common/VmDefinitionStub.java
@@ -33,10 +33,10 @@ import java.util.Collection;
  */
 @SuppressWarnings("PMD.DataflowAnomalyAnalysis")
 public class VmDefinitionStub
-        extends K8sDynamicStubBase<VmDefinition, VmDefinitionModels> {
+        extends K8sDynamicStubBase<VmDefinition, VmDefinitions> {
 
     private static DynamicTypeAdapterFactory<VmDefinition,
-            VmDefinitionModels> taf = new VmDefintionModelTypeAdapterFactory();
+            VmDefinitions> taf = new VmDefintionModelTypeAdapterFactory();
 
     /**
      * Instantiates a new stub for VM defintions.
@@ -48,7 +48,7 @@ public class VmDefinitionStub
      */
     public VmDefinitionStub(K8sClient client, APIResource context,
             String namespace, String name) {
-        super(VmDefinition.class, VmDefinitionModels.class, taf, client,
+        super(VmDefinition.class, VmDefinitions.class, taf, client,
             context, namespace, name);
     }
 
@@ -104,7 +104,7 @@ public class VmDefinitionStub
         var model = new VmDefinition(client.getJSON().getGson(),
             K8s.yamlToJson(client, yaml));
         return K8sGenericStub.create(VmDefinition.class,
-            VmDefinitionModels.class, client, context, model,
+            VmDefinitions.class, client, context, model,
             (c, ns, n) -> new VmDefinitionStub(c, context, ns, n));
     }
 
@@ -122,7 +122,7 @@ public class VmDefinitionStub
             APIResource context, String namespace, ListOptions options)
             throws ApiException {
         return K8sGenericStub.list(VmDefinition.class,
-            VmDefinitionModels.class, client, context, namespace, options,
+            VmDefinitions.class, client, context, namespace, options,
             (c, ns, n) -> new VmDefinitionStub(c, context, ns, n));
     }
 
@@ -144,13 +144,13 @@ public class VmDefinitionStub
      * A factory for creating VmDefinitionModel(s) objects.
      */
     public static class VmDefintionModelTypeAdapterFactory extends
-            DynamicTypeAdapterFactory<VmDefinition, VmDefinitionModels> {
+            DynamicTypeAdapterFactory<VmDefinition, VmDefinitions> {
 
         /**
          * Instantiates a new dynamic model type adapter factory.
          */
         public VmDefintionModelTypeAdapterFactory() {
-            super(VmDefinition.class, VmDefinitionModels.class);
+            super(VmDefinition.class, VmDefinitions.class);
         }
     }
 
diff --git a/org.jdrupes.vmoperator.common/src/org/jdrupes/vmoperator/common/VmDefinitionModels.java b/org.jdrupes.vmoperator.common/src/org/jdrupes/vmoperator/common/VmDefinitions.java
similarity index 88%
rename from org.jdrupes.vmoperator.common/src/org/jdrupes/vmoperator/common/VmDefinitionModels.java
rename to org.jdrupes.vmoperator.common/src/org/jdrupes/vmoperator/common/VmDefinitions.java
index 22e5bd7..c79654e 100644
--- a/org.jdrupes.vmoperator.common/src/org/jdrupes/vmoperator/common/VmDefinitionModels.java
+++ b/org.jdrupes.vmoperator.common/src/org/jdrupes/vmoperator/common/VmDefinitions.java
@@ -22,9 +22,9 @@ import com.google.gson.Gson;
 import com.google.gson.JsonObject;
 
 /**
- * Represents a list of {@link VmDefinitionModel}s.
+ * Represents a list of {@link VmDefinition}s.
  */
-public class VmDefinitionModels
+public class VmDefinitions
         extends K8sDynamicModelsBase<VmDefinition> {
 
     /**
@@ -33,7 +33,7 @@ public class VmDefinitionModels
      * @param delegate the gson instance to use for extracting structured data
      * @param data the data
      */
-    public VmDefinitionModels(Gson delegate, JsonObject data) {
+    public VmDefinitions(Gson delegate, JsonObject data) {
         super(VmDefinition.class, delegate, data);
     }
 }
diff --git a/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/VmMonitor.java b/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/VmMonitor.java
index b458628..79ce631 100644
--- a/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/VmMonitor.java
+++ b/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/VmMonitor.java
@@ -41,7 +41,7 @@ import org.jdrupes.vmoperator.common.K8sV1ConfigMapStub;
 import org.jdrupes.vmoperator.common.K8sV1PodStub;
 import org.jdrupes.vmoperator.common.K8sV1StatefulSetStub;
 import org.jdrupes.vmoperator.common.VmDefinition;
-import org.jdrupes.vmoperator.common.VmDefinitionModels;
+import org.jdrupes.vmoperator.common.VmDefinitions;
 import org.jdrupes.vmoperator.common.VmDefinitionStub;
 import org.jdrupes.vmoperator.common.VmPool;
 import static org.jdrupes.vmoperator.manager.Constants.APP_NAME;
@@ -64,7 +64,7 @@ import org.jgrapes.core.annotation.Handler;
  */
 @SuppressWarnings({ "PMD.DataflowAnomalyAnalysis", "PMD.ExcessiveImports" })
 public class VmMonitor extends
-        AbstractMonitor<VmDefinition, VmDefinitionModels, VmChannel> {
+        AbstractMonitor<VmDefinition, VmDefinitions, VmChannel> {
 
     private final ChannelManager<String, VmChannel, ?> channelManager;
 
@@ -77,7 +77,7 @@ public class VmMonitor extends
     public VmMonitor(Channel componentChannel,
             ChannelManager<String, VmChannel, ?> channelManager) {
         super(componentChannel, VmDefinition.class,
-            VmDefinitionModels.class);
+            VmDefinitions.class);
         this.channelManager = channelManager;
     }
 

From 21108771d9ed27de392f334f7516fce3017a65f5 Mon Sep 17 00:00:00 2001
From: "Michael N. Lipp" <mnl@mnl.de>
Date: Sat, 1 Feb 2025 22:10:47 +0100
Subject: [PATCH 103/274] Fix warning.

---
 .../src/org/jdrupes/vmoperator/manager/VmMonitor.java           | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/VmMonitor.java b/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/VmMonitor.java
index 79ce631..e506d44 100644
--- a/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/VmMonitor.java
+++ b/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/VmMonitor.java
@@ -41,8 +41,8 @@ import org.jdrupes.vmoperator.common.K8sV1ConfigMapStub;
 import org.jdrupes.vmoperator.common.K8sV1PodStub;
 import org.jdrupes.vmoperator.common.K8sV1StatefulSetStub;
 import org.jdrupes.vmoperator.common.VmDefinition;
-import org.jdrupes.vmoperator.common.VmDefinitions;
 import org.jdrupes.vmoperator.common.VmDefinitionStub;
+import org.jdrupes.vmoperator.common.VmDefinitions;
 import org.jdrupes.vmoperator.common.VmPool;
 import static org.jdrupes.vmoperator.manager.Constants.APP_NAME;
 import static org.jdrupes.vmoperator.manager.Constants.VM_OP_NAME;

From d5e589709fb96d106af137c57ffb59dca2b893c6 Mon Sep 17 00:00:00 2001
From: "Michael N. Lipp" <mnl@mnl.de>
Date: Sun, 2 Feb 2025 12:10:22 +0100
Subject: [PATCH 104/274] Handle conflict properly.

---
 .../vmoperator/common/K8sGenericStub.java     | 50 +++++-----
 .../vmoperator/manager/Controller.java        | 41 ++++++---
 .../jdrupes/vmoperator/manager/VmMonitor.java | 91 ++++++++++---------
 3 files changed, 100 insertions(+), 82 deletions(-)

diff --git a/org.jdrupes.vmoperator.common/src/org/jdrupes/vmoperator/common/K8sGenericStub.java b/org.jdrupes.vmoperator.common/src/org/jdrupes/vmoperator/common/K8sGenericStub.java
index 0689a97..688f43f 100644
--- a/org.jdrupes.vmoperator.common/src/org/jdrupes/vmoperator/common/K8sGenericStub.java
+++ b/org.jdrupes.vmoperator.common/src/org/jdrupes/vmoperator/common/K8sGenericStub.java
@@ -193,42 +193,41 @@ public class K8sGenericStub<O extends KubernetesObject,
     }
 
     /**
-     * Updates the object's status, retrying for the given number of times
-     * if the update fails due to a conflict.
+     * Updates the object's status.
      *
      * @param object the current state of the object (passed to `status`)
      * @param status function that returns the new status
-     * @param retries the retries
-     * @return the updated model or empty if not successful
+     * @return the updated model or empty if the object was not found
      * @throws ApiException the api exception
      */
     @SuppressWarnings("PMD.AssignmentInOperand")
-    public Optional<O> updateStatus(O object,
-            Function<O, Object> status, int retries) throws ApiException {
-        while (true) {
-            try {
-                return K8s.optional(api.updateStatus(object, status));
-            } catch (ApiException e) {
-                if (HttpURLConnection.HTTP_CONFLICT != e.getCode()
-                    || retries-- <= 0) {
-                    throw e;
-                }
-            }
-        }
+    public Optional<O> updateStatus(O object, Function<O, Object> status)
+            throws ApiException {
+        return K8s.optional(api.updateStatus(object, status));
     }
 
     /**
-     * Updates the object's status, retrying up to 16 times if there
-     * is a conflict.
+     * Gets the object and updates the status. In case of conflict, retries
+     * up to `retries` times.
      *
-     * @param object the current state of the object (passed to `status`)
-     * @param status function that returns the new status
-     * @return the updated model or empty if not successful
+     * @param status the status
+     * @param retries the retries in case of conflict
+     * @return the updated model or empty if the object was not found
      * @throws ApiException the api exception
      */
-    public Optional<O> updateStatus(O object,
-            Function<O, Object> status) throws ApiException {
-        return updateStatus(object, status, 16);
+    @SuppressWarnings({ "PMD.AssignmentInOperand", "PMD.UnusedAssignment" })
+    public Optional<O> updateStatus(Function<O, Object> status, int retries)
+            throws ApiException {
+        try {
+            return updateStatus(api.get(namespace, name).throwsApiException()
+                .getObject(), status);
+        } catch (ApiException e) {
+            if (HttpURLConnection.HTTP_CONFLICT != e.getCode()
+                || retries-- <= 0) {
+                throw e;
+            }
+        }
+        return Optional.empty();
     }
 
     /**
@@ -241,8 +240,7 @@ public class K8sGenericStub<O extends KubernetesObject,
      */
     public Optional<O> updateStatus(Function<O, Object> status)
             throws ApiException {
-        return updateStatus(
-            api.get(namespace, name).throwsApiException().getObject(), status);
+        return updateStatus(status, 16);
     }
 
     /**
diff --git a/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/Controller.java b/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/Controller.java
index 3e25a08..80ff0f7 100644
--- a/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/Controller.java
+++ b/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/Controller.java
@@ -24,6 +24,7 @@ import io.kubernetes.client.custom.V1Patch;
 import io.kubernetes.client.openapi.ApiException;
 import io.kubernetes.client.openapi.Configuration;
 import java.io.IOException;
+import java.net.HttpURLConnection;
 import java.nio.file.Files;
 import java.nio.file.Path;
 import java.time.Instant;
@@ -211,7 +212,10 @@ public class Controller extends Component {
     }
 
     /**
-     * Update the assignment information in the status of the VM CR.
+     * Attempt to Update the assignment information in the status of the
+     * VM CR. Returns true if successful. The handler does not attempt
+     * retries, because in case of failure it will be necessary to
+     * re-evaluate the chosen VM.
      *
      * @param event the event
      * @param channel the channel
@@ -220,18 +224,27 @@ public class Controller extends Component {
     @Handler
     public void onUpdatedAssignment(UpdateAssignment event, VmChannel channel)
             throws ApiException {
-        var vmDef = channel.vmDefinition();
-        var vmStub = VmDefinitionStub.get(channel.client(),
-            new GroupVersionKind(VM_OP_GROUP, "", VM_OP_KIND_VM),
-            vmDef.namespace(), vmDef.name());
-        vmStub.updateStatus(from -> {
-            JsonObject status = from.statusJson();
-            var assignment = GsonPtr.to(status).to("assignment");
-            assignment.set("pool", event.usedPool());
-            assignment.set("user", event.toUser());
-            assignment.set("lastUsed", Instant.now().toString());
-            return status;
-        });
-        event.setResult(true);
+        try {
+            var vmDef = channel.vmDefinition();
+            var vmStub = VmDefinitionStub.get(channel.client(),
+                new GroupVersionKind(VM_OP_GROUP, "", VM_OP_KIND_VM),
+                vmDef.namespace(), vmDef.name());
+            if (vmStub.updateStatus(vmDef, from -> {
+                JsonObject status = from.statusJson();
+                var assignment = GsonPtr.to(status).to("assignment");
+                assignment.set("pool", event.usedPool());
+                assignment.set("user", event.toUser());
+                assignment.set("lastUsed", Instant.now().toString());
+                return status;
+            }).isPresent()) {
+                event.setResult(true);
+            }
+        } catch (ApiException e) {
+            // Log exceptions except for conflict, which can be expected
+            if (HttpURLConnection.HTTP_CONFLICT != e.getCode()) {
+                throw e;
+            }
+        }
+        event.setResult(false);
     }
 }
diff --git a/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/VmMonitor.java b/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/VmMonitor.java
index e506d44..17e3c58 100644
--- a/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/VmMonitor.java
+++ b/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/VmMonitor.java
@@ -256,49 +256,56 @@ public class VmMonitor extends
     @SuppressWarnings("PMD.AvoidInstantiatingObjectsInLoops")
     public void onAssignVm(AssignVm event)
             throws ApiException, InterruptedException {
-        // Search for existing assignment.
-        var assignedVm = channelManager.channels().stream()
-            .filter(c -> c.vmDefinition().assignedFrom()
-                .map(p -> p.equals(event.fromPool())).orElse(false))
-            .filter(c -> c.vmDefinition().assignedTo()
-                .map(u -> u.equals(event.toUser())).orElse(false))
-            .findFirst();
-        if (assignedVm.isPresent()) {
-            var vmDef = assignedVm.get().vmDefinition();
-            event.setResult(new VmData(vmDef, assignedVm.get()));
-            return;
+        while (true) {
+            // Search for existing assignment.
+            var vmQuery = channelManager.channels().stream()
+                .filter(c -> c.vmDefinition().assignedFrom()
+                    .map(p -> p.equals(event.fromPool())).orElse(false))
+                .filter(c -> c.vmDefinition().assignedTo()
+                    .map(u -> u.equals(event.toUser())).orElse(false))
+                .findFirst();
+            if (vmQuery.isPresent()) {
+                var vmDef = vmQuery.get().vmDefinition();
+                event.setResult(new VmData(vmDef, vmQuery.get()));
+                return;
+            }
+
+            // Get the pool definition for checking possible assignment
+            VmPool vmPool = newEventPipeline().fire(new GetPools()
+                .withName(event.fromPool())).get().stream().findFirst()
+                .orElse(null);
+            if (vmPool == null) {
+                return;
+            }
+
+            // Find available VM.
+            vmQuery = channelManager.channels().stream()
+                .filter(c -> vmPool.isAssignable(c.vmDefinition()))
+                .sorted(Comparator.comparing((VmChannel c) -> c.vmDefinition()
+                    .assignmentLastUsed().orElse(Instant.ofEpochSecond(0)))
+                    .thenComparing(preferRunning))
+                .findFirst();
+
+            // None found
+            if (vmQuery.isEmpty()) {
+                return;
+            }
+
+            // Assign to user
+            var chosenVm = vmQuery.get();
+            var vmPipeline = chosenVm.pipeline();
+            if (Optional.ofNullable(vmPipeline.fire(new UpdateAssignment(
+                vmPool.name(), event.toUser()), chosenVm).get())
+                .orElse(false)) {
+                var vmDef = chosenVm.vmDefinition();
+                event.setResult(new VmData(vmDef, chosenVm));
+
+                // Make sure that a newly assigned VM is running.
+                chosenVm.pipeline().fire(new ModifyVm(vmDef.name(),
+                    "state", "Running", chosenVm));
+                return;
+            }
         }
-
-        // Get the pool definition assignability check
-        VmPool vmPool = newEventPipeline().fire(new GetPools()
-            .withName(event.fromPool())).get().stream().findFirst()
-            .orElse(null);
-        if (vmPool == null) {
-            return;
-        }
-
-        // Find available VM.
-        assignedVm = channelManager.channels().stream()
-            .filter(c -> vmPool.isAssignable(c.vmDefinition()))
-            .sorted(Comparator.comparing((VmChannel c) -> c.vmDefinition()
-                .assignmentLastUsed().orElse(Instant.ofEpochSecond(0)))
-                .thenComparing(preferRunning))
-            .findFirst();
-
-        // None found
-        if (assignedVm.isEmpty()) {
-            return;
-        }
-
-        // Assign to user
-        assignedVm.get().pipeline().fire(new UpdateAssignment(vmPool.name(),
-            event.toUser()), assignedVm.get()).get();
-        var vmDef = assignedVm.get().vmDefinition();
-        event.setResult(new VmData(vmDef, assignedVm.get()));
-
-        // Make sure that a newly assigned VM is running.
-        assignedVm.get().pipeline().fire(new ModifyVm(vmDef.name(),
-            "state", "Running", assignedVm.get()));
     }
 
     private static Comparator<VmChannel> preferRunning

From d27339b1e9cdc3ee23a02e53078a808846ba2024 Mon Sep 17 00:00:00 2001
From: "Michael N. Lipp" <mnl@mnl.de>
Date: Sun, 2 Feb 2025 13:54:10 +0100
Subject: [PATCH 105/274] Make VM extra data a class.

---
 .../vmoperator/common/VmDefinition.java       | 101 +----------
 .../vmoperator/common/VmExtraData.java        | 171 ++++++++++++++++++
 .../vmoperator/manager/runnerConfig.ftl.yaml  |   2 +-
 .../vmoperator/manager/Reconciler.java        |   2 +-
 .../jdrupes/vmoperator/manager/VmMonitor.java |  27 ++-
 .../jdrupes/vmoperator/vmaccess/VmAccess.java |  13 +-
 .../org/jdrupes/vmoperator/vmmgmt/VmMgmt.java |  15 +-
 7 files changed, 208 insertions(+), 123 deletions(-)
 create mode 100644 org.jdrupes.vmoperator.common/src/org/jdrupes/vmoperator/common/VmExtraData.java

diff --git a/org.jdrupes.vmoperator.common/src/org/jdrupes/vmoperator/common/VmDefinition.java b/org.jdrupes.vmoperator.common/src/org/jdrupes/vmoperator/common/VmDefinition.java
index e677642..ec79b80 100644
--- a/org.jdrupes.vmoperator.common/src/org/jdrupes/vmoperator/common/VmDefinition.java
+++ b/org.jdrupes.vmoperator.common/src/org/jdrupes/vmoperator/common/VmDefinition.java
@@ -24,9 +24,6 @@ import com.google.gson.Gson;
 import com.google.gson.JsonObject;
 import io.kubernetes.client.openapi.JSON;
 import io.kubernetes.client.openapi.models.V1Condition;
-import io.kubernetes.client.util.Strings;
-import java.net.InetAddress;
-import java.net.UnknownHostException;
 import java.time.Instant;
 import java.util.Collection;
 import java.util.Collections;
@@ -38,9 +35,7 @@ import java.util.Map;
 import java.util.Objects;
 import java.util.Optional;
 import java.util.Set;
-import java.util.concurrent.ConcurrentHashMap;
 import java.util.function.Function;
-import java.util.logging.Level;
 import java.util.logging.Logger;
 import java.util.stream.Collectors;
 import org.jdrupes.vmoperator.util.DataPath;
@@ -52,7 +47,7 @@ import org.jdrupes.vmoperator.util.DataPath;
     "PMD.CouplingBetweenObjects" })
 public class VmDefinition extends K8sDynamicModel {
 
-    @SuppressWarnings("PMD.FieldNamingConventions")
+    @SuppressWarnings({ "PMD.FieldNamingConventions", "unused" })
     private static final Logger logger
         = Logger.getLogger(VmDefinition.class.getName());
     @SuppressWarnings("PMD.FieldNamingConventions")
@@ -62,7 +57,7 @@ public class VmDefinition extends K8sDynamicModel {
         = new ObjectMapper().registerModule(new JavaTimeModule());
 
     private final Model model;
-    private final Map<String, Object> extra = new ConcurrentHashMap<>();
+    private VmExtraData extraData;
 
     /**
      * The VM state from the VM definition.
@@ -295,27 +290,21 @@ public class VmDefinition extends K8sDynamicModel {
     }
 
     /**
-     * Set extra data (locally used, unknown to kubernetes).
-     *
-     * @param property the property
-     * @param value the value
+     * Set extra data (unknown to kubernetes).
      * @return the VM definition
      */
-    public VmDefinition extra(String property, Object value) {
-        extra.put(property, value);
+    /* default */ VmDefinition extra(VmExtraData extraData) {
+        this.extraData = extraData;
         return this;
     }
 
     /**
-     * Return extra data.
+     * Return the extra data.
      *
-     * @param <T> the generic type
-     * @param property the property
-     * @return the object
+     * @return the data
      */
-    @SuppressWarnings("unchecked")
-    public <T> T extra(String property) {
-        return (T) extra.get(property);
+    public Optional<VmExtraData> extra() {
+        return Optional.ofNullable(extraData);
     }
 
     /**
@@ -403,78 +392,6 @@ public class VmDefinition extends K8sDynamicModel {
             .map(Number::longValue);
     }
 
-    /**
-     * Create a connection file.
-     *
-     * @param password the password
-     * @param preferredIpVersion the preferred IP version
-     * @param deleteConnectionFile the delete connection file
-     * @return the string
-     */
-    public String connectionFile(String password,
-            Class<?> preferredIpVersion, boolean deleteConnectionFile) {
-        var addr = displayIp(preferredIpVersion);
-        if (addr.isEmpty()) {
-            logger.severe(() -> "Failed to find display IP for " + name());
-            return null;
-        }
-        var port = this.<Number> fromVm("display", "spice", "port")
-            .map(Number::longValue);
-        if (port.isEmpty()) {
-            logger.severe(() -> "No port defined for display of " + name());
-            return null;
-        }
-        StringBuffer data = new StringBuffer(100)
-            .append("[virt-viewer]\ntype=spice\nhost=")
-            .append(addr.get().getHostAddress()).append("\nport=")
-            .append(port.get().toString())
-            .append('\n');
-        if (password != null) {
-            data.append("password=").append(password).append('\n');
-        }
-        this.<String> fromVm("display", "spice", "proxyUrl")
-            .ifPresent(u -> {
-                if (!Strings.isNullOrEmpty(u)) {
-                    data.append("proxy=").append(u).append('\n');
-                }
-            });
-        if (deleteConnectionFile) {
-            data.append("delete-this-file=1\n");
-        }
-        return data.toString();
-    }
-
-    private Optional<InetAddress> displayIp(Class<?> preferredIpVersion) {
-        Optional<String> server = fromVm("display", "spice", "server");
-        if (server.isPresent()) {
-            var srv = server.get();
-            try {
-                var addr = InetAddress.getByName(srv);
-                logger.fine(() -> "Using IP address from CRD for "
-                    + getMetadata().getName() + ": " + addr);
-                return Optional.of(addr);
-            } catch (UnknownHostException e) {
-                logger.log(Level.SEVERE, e, () -> "Invalid server address "
-                    + srv + ": " + e.getMessage());
-                return Optional.empty();
-            }
-        }
-        var addrs = Optional.<List<String>> ofNullable(
-            extra("nodeAddresses")).orElse(Collections.emptyList()).stream()
-            .map(a -> {
-                try {
-                    return InetAddress.getByName(a);
-                } catch (UnknownHostException e) {
-                    logger.warning(() -> "Invalid IP address: " + a);
-                    return null;
-                }
-            }).filter(a -> a != null).toList();
-        logger.fine(() -> "Known IP addresses for " + name() + ": " + addrs);
-        return addrs.stream()
-            .filter(a -> preferredIpVersion.isAssignableFrom(a.getClass()))
-            .findFirst().or(() -> addrs.stream().findFirst());
-    }
-
     /**
      * Hash code.
      *
diff --git a/org.jdrupes.vmoperator.common/src/org/jdrupes/vmoperator/common/VmExtraData.java b/org.jdrupes.vmoperator.common/src/org/jdrupes/vmoperator/common/VmExtraData.java
new file mode 100644
index 0000000..85913c2
--- /dev/null
+++ b/org.jdrupes.vmoperator.common/src/org/jdrupes/vmoperator/common/VmExtraData.java
@@ -0,0 +1,171 @@
+/*
+ * VM-Operator
+ * Copyright (C) 2025 Michael N. Lipp
+ * 
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as
+ * published by the Free Software Foundation, either version 3 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program.  If not, see <https://www.gnu.org/licenses/>.
+ */
+
+package org.jdrupes.vmoperator.common;
+
+import io.kubernetes.client.util.Strings;
+import java.net.InetAddress;
+import java.net.UnknownHostException;
+import java.util.Collections;
+import java.util.List;
+import java.util.Objects;
+import java.util.Optional;
+import java.util.logging.Level;
+import java.util.logging.Logger;
+
+/**
+ * Represents internally used dynamic data associated with a
+ * {@link VmDefinition}.
+ */
+public class VmExtraData {
+
+    @SuppressWarnings("PMD.FieldNamingConventions")
+    private static final Logger logger
+        = Logger.getLogger(VmExtraData.class.getName());
+
+    private final VmDefinition vmDef;
+    private String nodeName = "";
+    private List<String> nodeAddresses = Collections.emptyList();
+    private long resetCount;
+
+    /**
+     * Initializes a new instance.
+     *
+     * @param vmDef the VM definition
+     */
+    public VmExtraData(VmDefinition vmDef) {
+        this.vmDef = vmDef;
+        vmDef.extra(this);
+    }
+
+    /**
+     * Sets the node info.
+     *
+     * @param name the name
+     * @param addresses the addresses
+     * @return the VM extra data
+     */
+    public VmExtraData nodeInfo(String name, List<String> addresses) {
+        nodeName = name;
+        nodeAddresses = addresses;
+        return this;
+    }
+
+    /**
+     * Return the node name.
+     *
+     * @return the string
+     */
+    public String nodeName() {
+        return nodeName;
+    }
+
+    /**
+     * Sets the reset count.
+     *
+     * @param resetCount the reset count
+     * @return the vm extra data
+     */
+    public VmExtraData resetCount(long resetCount) {
+        this.resetCount = resetCount;
+        return this;
+    }
+
+    /**
+     * Returns the reset count.
+     *
+     * @return the long
+     */
+    public long resetCount() {
+        return resetCount;
+    }
+
+    /**
+     * Create a connection file.
+     *
+     * @param password the password
+     * @param preferredIpVersion the preferred IP version
+     * @param deleteConnectionFile the delete connection file
+     * @return the string
+     */
+    public String connectionFile(String password,
+            Class<?> preferredIpVersion, boolean deleteConnectionFile) {
+        var addr = displayIp(preferredIpVersion);
+        if (addr.isEmpty()) {
+            logger
+                .severe(() -> "Failed to find display IP for " + vmDef.name());
+            return null;
+        }
+        var port = vmDef.<Number> fromVm("display", "spice", "port")
+            .map(Number::longValue);
+        if (port.isEmpty()) {
+            logger
+                .severe(() -> "No port defined for display of " + vmDef.name());
+            return null;
+        }
+        StringBuffer data = new StringBuffer(100)
+            .append("[virt-viewer]\ntype=spice\nhost=")
+            .append(addr.get().getHostAddress()).append("\nport=")
+            .append(port.get().toString())
+            .append('\n');
+        if (password != null) {
+            data.append("password=").append(password).append('\n');
+        }
+        vmDef.<String> fromVm("display", "spice", "proxyUrl")
+            .ifPresent(u -> {
+                if (!Strings.isNullOrEmpty(u)) {
+                    data.append("proxy=").append(u).append('\n');
+                }
+            });
+        if (deleteConnectionFile) {
+            data.append("delete-this-file=1\n");
+        }
+        return data.toString();
+    }
+
+    private Optional<InetAddress> displayIp(Class<?> preferredIpVersion) {
+        Optional<String> server = vmDef.fromVm("display", "spice", "server");
+        if (server.isPresent()) {
+            var srv = server.get();
+            try {
+                var addr = InetAddress.getByName(srv);
+                logger.fine(() -> "Using IP address from CRD for "
+                    + vmDef.metadata().getName() + ": " + addr);
+                return Optional.of(addr);
+            } catch (UnknownHostException e) {
+                logger.log(Level.SEVERE, e, () -> "Invalid server address "
+                    + srv + ": " + e.getMessage());
+                return Optional.empty();
+            }
+        }
+        var addrs = nodeAddresses.stream().map(a -> {
+            try {
+                return InetAddress.getByName(a);
+            } catch (UnknownHostException e) {
+                logger.warning(() -> "Invalid IP address: " + a);
+                return null;
+            }
+        }).filter(Objects::nonNull).toList();
+        logger.fine(
+            () -> "Known IP addresses for " + vmDef.name() + ": " + addrs);
+        return addrs.stream()
+            .filter(a -> preferredIpVersion.isAssignableFrom(a.getClass()))
+            .findFirst().or(() -> addrs.stream().findFirst());
+    }
+
+}
diff --git a/org.jdrupes.vmoperator.manager/resources/org/jdrupes/vmoperator/manager/runnerConfig.ftl.yaml b/org.jdrupes.vmoperator.manager/resources/org/jdrupes/vmoperator/manager/runnerConfig.ftl.yaml
index f348244..f5aabc5 100644
--- a/org.jdrupes.vmoperator.manager/resources/org/jdrupes/vmoperator/manager/runnerConfig.ftl.yaml
+++ b/org.jdrupes.vmoperator.manager/resources/org/jdrupes/vmoperator/manager/runnerConfig.ftl.yaml
@@ -53,7 +53,7 @@ data:
       # i.e. if you start the VM without a value for this property, and
       # decide to trigger a reset later, you have to first set the value
       # and then inrement it.
-      resetCounter: ${ cr.extra("resetCount")?c }
+      resetCounter: ${ cr.extra().get().resetCount()?c }
 
       # Forward the cloud-init data if provided
       <#if spec.cloudInit??>    
diff --git a/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/Reconciler.java b/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/Reconciler.java
index 641247a..7dbb410 100644
--- a/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/Reconciler.java
+++ b/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/Reconciler.java
@@ -248,7 +248,7 @@ public class Reconciler extends Component {
     public void onResetVm(ResetVm event, VmChannel channel)
             throws ApiException, IOException, TemplateException {
         var vmDef = channel.vmDefinition();
-        vmDef.extra("resetCount", vmDef.<Long> extra("resetCount") + 1);
+        vmDef.extra().ifPresent(e -> e.resetCount(e.resetCount() + 1));
         Map<String, Object> model
             = prepareModel(channel.client(), channel.vmDefinition());
         cmReconciler.reconcile(model, channel);
diff --git a/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/VmMonitor.java b/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/VmMonitor.java
index 17e3c58..5c1ae77 100644
--- a/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/VmMonitor.java
+++ b/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/VmMonitor.java
@@ -43,6 +43,7 @@ import org.jdrupes.vmoperator.common.K8sV1StatefulSetStub;
 import org.jdrupes.vmoperator.common.VmDefinition;
 import org.jdrupes.vmoperator.common.VmDefinitionStub;
 import org.jdrupes.vmoperator.common.VmDefinitions;
+import org.jdrupes.vmoperator.common.VmExtraData;
 import org.jdrupes.vmoperator.common.VmPool;
 import static org.jdrupes.vmoperator.manager.Constants.APP_NAME;
 import static org.jdrupes.vmoperator.manager.Constants.VM_OP_NAME;
@@ -139,7 +140,7 @@ public class VmMonitor extends
         }
         if (vmDef.data() != null) {
             // New data, augment and save
-            addDynamicData(channel.client(), vmDef, channel.vmDefinition());
+            addExtraData(channel.client(), vmDef, channel.vmDefinition());
             channel.setVmDefinition(vmDef);
         } else {
             // Reuse cached (e.g. if deleted)
@@ -178,17 +179,14 @@ public class VmMonitor extends
     }
 
     @SuppressWarnings("PMD.AvoidDuplicateLiterals")
-    private void addDynamicData(K8sClient client, VmDefinition vmDef,
+    private void addExtraData(K8sClient client, VmDefinition vmDef,
             VmDefinition prevState) {
-        // Maintain (or initialize) the resetCount
-        vmDef.extra("resetCount",
-            Optional.ofNullable(prevState).map(d -> d.extra("resetCount"))
-                .orElse(0L));
+        var extra = new VmExtraData(vmDef);
 
-        // Node information
-        // Add defaults in case the VM is not running
-        vmDef.extra("nodeName", "");
-        vmDef.extra("nodeAddress", "");
+        // Maintain (or initialize) the resetCount
+        extra.resetCount(
+            Optional.ofNullable(prevState).flatMap(VmDefinition::extra)
+                .map(VmExtraData::resetCount).orElse(0L));
 
         // VM definition status changes before the pod terminates.
         // This results in pod information being shown for a stopped
@@ -196,6 +194,8 @@ public class VmMonitor extends
         if (!vmDef.conditionStatus("Running").orElse(false)) {
             return;
         }
+
+        // Get pod and extract node information.
         var podSearch = new ListOptions();
         podSearch.setLabelSelector("app.kubernetes.io/name=" + APP_NAME
             + ",app.kubernetes.io/component=" + APP_NAME
@@ -205,16 +205,15 @@ public class VmMonitor extends
                 = K8sV1PodStub.list(client, namespace(), podSearch);
             for (var podStub : podList) {
                 var nodeName = podStub.model().get().getSpec().getNodeName();
-                vmDef.extra("nodeName", nodeName);
-                logger.fine(() -> "Added node name " + nodeName
+                logger.fine(() -> "Adding node name " + nodeName
                     + " to VM info for " + vmDef.name());
                 @SuppressWarnings("PMD.AvoidInstantiatingObjectsInLoops")
                 var addrs = new ArrayList<String>();
                 podStub.model().get().getStatus().getPodIPs().stream()
                     .map(ip -> ip.getIp()).forEach(addrs::add);
-                vmDef.extra("nodeAddresses", addrs);
-                logger.fine(() -> "Added node addresses " + addrs
+                logger.fine(() -> "Adding node addresses " + addrs
                     + " to VM info for " + vmDef.name());
+                extra.nodeInfo(nodeName, addrs);
             }
         } catch (ApiException e) {
             logger.log(Level.WARNING, e,
diff --git a/org.jdrupes.vmoperator.vmaccess/src/org/jdrupes/vmoperator/vmaccess/VmAccess.java b/org.jdrupes.vmoperator.vmaccess/src/org/jdrupes/vmoperator/vmaccess/VmAccess.java
index d6c385e..e283504 100644
--- a/org.jdrupes.vmoperator.vmaccess/src/org/jdrupes/vmoperator/vmaccess/VmAccess.java
+++ b/org.jdrupes.vmoperator.vmaccess/src/org/jdrupes/vmoperator/vmaccess/VmAccess.java
@@ -810,13 +810,12 @@ public class VmAccess extends FreeMarkerConlet<VmAccess.ResourceModel> {
         }
         var pwQuery = Event.onCompletion(new GetDisplayPassword(vmDef, user),
             e -> {
-                var data = vmDef.connectionFile(e.password().orElse(null),
-                    preferredIpVersion, deleteConnectionFile);
-                if (data == null) {
-                    return;
-                }
-                channel.respond(new NotifyConletView(type(),
-                    model.getConletId(), "openConsole", data));
+                vmDef.extra()
+                    .map(xtra -> xtra.connectionFile(e.password().orElse(null),
+                        preferredIpVersion, deleteConnectionFile))
+                    .ifPresent(
+                        cf -> channel.respond(new NotifyConletView(type(),
+                            model.getConletId(), "openConsole", cf)));
             });
         fire(pwQuery, vmChannel);
     }
diff --git a/org.jdrupes.vmoperator.vmmgmt/src/org/jdrupes/vmoperator/vmmgmt/VmMgmt.java b/org.jdrupes.vmoperator.vmmgmt/src/org/jdrupes/vmoperator/vmmgmt/VmMgmt.java
index 819a0d4..4cc63fa 100644
--- a/org.jdrupes.vmoperator.vmmgmt/src/org/jdrupes/vmoperator/vmmgmt/VmMgmt.java
+++ b/org.jdrupes.vmoperator.vmmgmt/src/org/jdrupes/vmoperator/vmmgmt/VmMgmt.java
@@ -41,6 +41,7 @@ import java.util.Set;
 import org.jdrupes.vmoperator.common.K8sObserver;
 import org.jdrupes.vmoperator.common.VmDefinition;
 import org.jdrupes.vmoperator.common.VmDefinition.Permission;
+import org.jdrupes.vmoperator.common.VmExtraData;
 import org.jdrupes.vmoperator.manager.events.ChannelTracker;
 import org.jdrupes.vmoperator.manager.events.GetDisplayPassword;
 import org.jdrupes.vmoperator.manager.events.ModifyVm;
@@ -252,7 +253,7 @@ public class VmMgmt extends FreeMarkerConlet<VmMgmt.VmsModel> {
                 "name", vmDef.name()),
             "spec", spec,
             "status", status,
-            "nodeName", vmDef.extra("nodeName"),
+            "nodeName", vmDef.extra().map(VmExtraData::nodeName).orElse(""),
             "permissions", vmDef.permissionsFor(user, roles).stream()
                 .map(VmDefinition.Permission::toString).toList());
     }
@@ -484,13 +485,11 @@ public class VmMgmt extends FreeMarkerConlet<VmMgmt.VmsModel> {
         }
         var pwQuery = Event.onCompletion(new GetDisplayPassword(vmDef, user),
             e -> {
-                var data = vmDef.connectionFile(e.password().orElse(null),
-                    preferredIpVersion, deleteConnectionFile);
-                if (data == null) {
-                    return;
-                }
-                channel.respond(new NotifyConletView(type(),
-                    model.getConletId(), "openConsole", data));
+                vmDef.extra().map(xtra -> xtra.connectionFile(
+                    e.password().orElse(null), preferredIpVersion,
+                    deleteConnectionFile)).ifPresent(
+                        cf -> channel.respond(new NotifyConletView(type(),
+                            model.getConletId(), "openConsole", cf)));
             });
         fire(pwQuery, vmChannel);
     }

From 1fc26647b615ac94f468a45c208005f1b9066b38 Mon Sep 17 00:00:00 2001
From: "Michael N. Lipp" <mnl@mnl.de>
Date: Sun, 2 Feb 2025 16:50:52 +0100
Subject: [PATCH 106/274] Add maintenance script.

---
 dev-example/.gitignore     |  1 +
 dev-example/pool-action.sh | 62 ++++++++++++++++++++++++++++++++++++++
 2 files changed, 63 insertions(+)
 create mode 100755 dev-example/pool-action.sh

diff --git a/dev-example/.gitignore b/dev-example/.gitignore
index 16e0d04..1e31cc5 100644
--- a/dev-example/.gitignore
+++ b/dev-example/.gitignore
@@ -1,3 +1,4 @@
 /test-vm-ci.yaml
 /kubeconfig.yaml
 /crds/
+/.vm-operator-cmd.rc
diff --git a/dev-example/pool-action.sh b/dev-example/pool-action.sh
new file mode 100755
index 0000000..b605479
--- /dev/null
+++ b/dev-example/pool-action.sh
@@ -0,0 +1,62 @@
+#!/bin/bash
+
+function usage() {
+  cat >&2 <<EOF
+Usage: $0 pool-name action
+Applys action to all VMs in the pool.
+
+  --context                   Context to be passed to kubectl (required)
+  -n, --namespace             Namespace to be passed to kubectl
+EOF
+  exit 1  
+}
+
+unset pool
+unset action
+unset context
+namespace=default
+
+if [ -r .vm-operator-cmd.rc ]; then
+  . .vm-operator-cmd.rc
+fi
+
+while [ "$#" -gt 0 ]; do
+  case "$1" in
+    --context) shift; context="$1";;
+    --context=*) IFS='=' read -r option value <<< "$1"; context="$value";;
+    -n|--namespace) shift; namespace="$1";;
+    -*) echo >&2 "Unknown option: $1"; exit 1;;
+    *) if [ ! -v pool ]; then
+         pool="$1"
+       elif [ ! -v action ]; then
+         action="$1"
+       else
+         usage
+       fi;;
+  esac
+  shift
+done
+
+if [ ! -v pool -o ! -v "action" -o ! -v context ]; then
+  echo >&2 "Missing arguments or context not set."
+  echo >&2
+  usage
+fi
+case "$action" in
+  "start"|"stop"|"delete"|"delete-disks") ;;
+  *) usage;;
+esac
+
+kubectl --context="$context" -n "$namespace" get vms -o json \
+  | jq -r '.items[] | select(.spec.pools | contains(["'${pool}'"])) | .metadata.name' \
+| while read vmName; do
+    case "$action" in
+      start) kubectl --context="$context" -n "$namespace" patch vms "$vmName" \
+        --type='merge' -p '{"spec":{"vm":{"state":"Running"}}}';;
+      stop) kubectl --context="$context" -n "$namespace" patch vms "$vmName" \
+        --type='merge' -p '{"spec":{"vm":{"state":"Stopped"}}}';;
+      delete) kubectl --context="$context" -n "$namespace" delete vm/"$vmName";;
+      delete-disks) kubectl --context="$context" -n "$namespace" delete \
+        pvc -l app.kubernetes.io/instance="$vmName" ;;
+    esac
+done

From 5078001f4bfbb0fe9b35afa05c04c9edba504d74 Mon Sep 17 00:00:00 2001
From: "Michael N. Lipp" <mnl@mnl.de>
Date: Mon, 10 Feb 2025 22:24:10 +0100
Subject: [PATCH 107/274] Add guest agent client and retrieve OS info.

---
 deploy/crds/vms-crd.yaml                      |   4 +
 dev-example/test-vm.yaml                      |   9 +-
 .../vmoperator/runner/qemu/Configuration.java |   4 +
 .../runner/qemu/GuestAgentClient.java         | 254 ++++++++++++++++++
 .../vmoperator/runner/qemu/Runner.java        |   3 +
 .../vmoperator/runner/qemu/StatusUpdater.java |  33 +++
 .../qemu/commands/QmpGuestGetOsinfo.java      |  41 +++
 .../runner/qemu/commands/QmpGuestInfo.java    |  41 +++
 .../runner/qemu/commands/QmpGuestPing.java    |  41 +++
 .../runner/qemu/events/GuestAgentCommand.java |  63 +++++
 .../runner/qemu/events/MonitorEvent.java      |   5 +-
 .../runner/qemu/events/OsinfoEvent.java       |  43 +++
 .../qemu/events/VserportChangeEvent.java      |  56 ++++
 .../templates/Standard-VM-latest.ftl.yaml     |   2 +-
 14 files changed, 592 insertions(+), 7 deletions(-)
 create mode 100644 org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/GuestAgentClient.java
 create mode 100644 org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/commands/QmpGuestGetOsinfo.java
 create mode 100644 org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/commands/QmpGuestInfo.java
 create mode 100644 org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/commands/QmpGuestPing.java
 create mode 100644 org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/events/GuestAgentCommand.java
 create mode 100644 org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/events/OsinfoEvent.java
 create mode 100644 org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/events/VserportChangeEvent.java

diff --git a/deploy/crds/vms-crd.yaml b/deploy/crds/vms-crd.yaml
index 7b46dc7..749b896 100644
--- a/deploy/crds/vms-crd.yaml
+++ b/deploy/crds/vms-crd.yaml
@@ -1491,6 +1491,10 @@ spec:
                     by the runner if password protection is not enabled.
                   type: integer
                   default: 0
+                osinfo:
+                  description: Copy of the OS info provided by the guest agent.
+                  type: object
+                  x-kubernetes-preserve-unknown-fields: true
                 assignment:
                   description: >-
                     The assignment of this VM to a a particular user.
diff --git a/dev-example/test-vm.yaml b/dev-example/test-vm.yaml
index 7ee2793..aa75bc3 100644
--- a/dev-example/test-vm.yaml
+++ b/dev-example/test-vm.yaml
@@ -5,9 +5,7 @@ metadata:
   name: test-vm
 spec:
   image:
-    repository: docker-registry.lan.mnl.de
-    path: vmoperator/org.jdrupes.vmoperator.runner.qemu-alpine
-    version: latest
+    source: registry.mnl.de/org/jdrupes/vm-operator/org.jdrupes.vmoperator.runner.qemu-arch:testing
     pullPolicy: Always
 
   permissions:
@@ -34,8 +32,9 @@ spec:
     currentCpus: 4
   
     networks:
-    - tap:
-        mac: "02:16:3e:33:58:10"
+    # No bridge on test cluster
+    - user: {}
+
     disks:
     - volumeClaimTemplate:
         metadata:
diff --git a/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/Configuration.java b/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/Configuration.java
index dd45147..086f085 100644
--- a/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/Configuration.java
+++ b/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/Configuration.java
@@ -67,6 +67,9 @@ public class Configuration implements Dto {
     /** The monitor socket. */
     public Path monitorSocket;
 
+    /** The guest agent socket socket. */
+    public Path guestAgentSocket;
+
     /** The firmware rom. */
     public Path firmwareRom;
 
@@ -341,6 +344,7 @@ public class Configuration implements Dto {
             runtimeDir.toFile().mkdir();
             swtpmSocket = runtimeDir.resolve("swtpm-sock");
             monitorSocket = runtimeDir.resolve("monitor.sock");
+            guestAgentSocket = runtimeDir.resolve("org.qemu.guest_agent.0");
         }
         if (!Files.isDirectory(runtimeDir) || !Files.isWritable(runtimeDir)) {
             logger.severe(() -> String.format(
diff --git a/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/GuestAgentClient.java b/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/GuestAgentClient.java
new file mode 100644
index 0000000..4d1c764
--- /dev/null
+++ b/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/GuestAgentClient.java
@@ -0,0 +1,254 @@
+/*
+ * VM-Operator
+ * Copyright (C) 2025 Michael N. Lipp
+ * 
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as
+ * published by the Free Software Foundation, either version 3 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program.  If not, see <https://www.gnu.org/licenses/>.
+ */
+
+package org.jdrupes.vmoperator.runner.qemu;
+
+import com.fasterxml.jackson.core.JsonProcessingException;
+import com.fasterxml.jackson.databind.ObjectMapper;
+import com.fasterxml.jackson.databind.node.ObjectNode;
+import java.io.IOException;
+import java.io.Writer;
+import java.lang.reflect.UndeclaredThrowableException;
+import java.net.UnixDomainSocketAddress;
+import java.nio.file.Files;
+import java.nio.file.Path;
+import java.util.LinkedList;
+import java.util.Queue;
+import java.util.logging.Level;
+import org.jdrupes.vmoperator.runner.qemu.commands.QmpCommand;
+import org.jdrupes.vmoperator.runner.qemu.commands.QmpGuestGetOsinfo;
+import org.jdrupes.vmoperator.runner.qemu.events.GuestAgentCommand;
+import org.jdrupes.vmoperator.runner.qemu.events.MonitorReady;
+import org.jdrupes.vmoperator.runner.qemu.events.OsinfoEvent;
+import org.jdrupes.vmoperator.runner.qemu.events.VserportChangeEvent;
+import org.jgrapes.core.Channel;
+import org.jgrapes.core.Component;
+import org.jgrapes.core.EventPipeline;
+import org.jgrapes.core.annotation.Handler;
+import org.jgrapes.core.events.Start;
+import org.jgrapes.core.events.Stop;
+import org.jgrapes.io.events.Closed;
+import org.jgrapes.io.events.ConnectError;
+import org.jgrapes.io.events.Input;
+import org.jgrapes.io.events.OpenSocketConnection;
+import org.jgrapes.io.util.ByteBufferWriter;
+import org.jgrapes.io.util.LineCollector;
+import org.jgrapes.net.SocketIOChannel;
+import org.jgrapes.net.events.ClientConnected;
+import org.jgrapes.util.events.ConfigurationUpdate;
+
+/**
+ * A component that handles the communication over the guest agent
+ * socket.
+ * 
+ * If the log level for this class is set to fine, the messages 
+ * exchanged on the monitor socket are logged.
+ */
+@SuppressWarnings("PMD.DataflowAnomalyAnalysis")
+public class GuestAgentClient extends Component {
+
+    private static ObjectMapper mapper = new ObjectMapper();
+
+    private EventPipeline rep;
+    private Path socketPath;
+    private SocketIOChannel gaChannel;
+    private final Queue<QmpCommand> executing = new LinkedList<>();
+
+    /**
+     * Instantiates a new guest agent client.
+     *
+     * @param componentChannel the component channel
+     * @throws IOException Signals that an I/O exception has occurred.
+     */
+    @SuppressWarnings({ "PMD.AssignmentToNonFinalStatic",
+        "PMD.ConstructorCallsOverridableMethod" })
+    public GuestAgentClient(Channel componentChannel) throws IOException {
+        super(componentChannel);
+    }
+
+    /**
+     * As the initial configuration of this component depends on the 
+     * configuration of the {@link Runner}, it doesn't have a handler 
+     * for the {@link ConfigurationUpdate} event. The values are 
+     * forwarded from the {@link Runner} instead.
+     *
+     * @param socketPath the socket path
+     * @param powerdownTimeout 
+     */
+    /* default */ void configure(Path socketPath) {
+        this.socketPath = socketPath;
+    }
+
+    /**
+     * Handle the start event.
+     *
+     * @param event the event
+     * @throws IOException Signals that an I/O exception has occurred.
+     */
+    @Handler
+    public void onStart(Start event) throws IOException {
+        rep = event.associated(EventPipeline.class).get();
+        if (socketPath == null) {
+            return;
+        }
+        Files.deleteIfExists(socketPath);
+    }
+
+    /**
+     * When the virtual serial port "channel0" has been opened,
+     * establish the connection by opening the socket.
+     *
+     * @param event the event
+     */
+    @Handler
+    public void onVserportChanged(VserportChangeEvent event) {
+        if ("channel0".equals(event.id()) && event.isOpen()) {
+            fire(new OpenSocketConnection(
+                UnixDomainSocketAddress.of(socketPath))
+                    .setAssociated(GuestAgentClient.class, this));
+        }
+    }
+
+    /**
+     * Check if this is from opening the monitor socket and if true,
+     * save the socket in the context and associate the channel with
+     * the context. Then send the initial message to the socket.
+     *
+     * @param event the event
+     * @param channel the channel
+     */
+    @SuppressWarnings("resource")
+    @Handler
+    public void onClientConnected(ClientConnected event,
+            SocketIOChannel channel) {
+        event.openEvent().associated(GuestAgentClient.class).ifPresent(qm -> {
+            gaChannel = channel;
+            channel.setAssociated(GuestAgentClient.class, this);
+            channel.setAssociated(Writer.class, new ByteBufferWriter(
+                channel).nativeCharset());
+            channel.setAssociated(LineCollector.class,
+                new LineCollector()
+                    .consumer(line -> {
+                        try {
+                            processGuestAgentInput(line);
+                        } catch (IOException e) {
+                            throw new UndeclaredThrowableException(e);
+                        }
+                    }));
+            fire(new GuestAgentCommand(new QmpGuestGetOsinfo()));
+        });
+    }
+
+    /**
+     * Called when a connection attempt fails.
+     *
+     * @param event the event
+     * @param channel the channel
+     */
+    @Handler
+    public void onConnectError(ConnectError event, SocketIOChannel channel) {
+        event.event().associated(GuestAgentClient.class).ifPresent(qm -> {
+            rep.fire(new Stop());
+        });
+    }
+
+    /**
+     * Handle data from qemu monitor connection.
+     *
+     * @param event the event
+     * @param channel the channel
+     */
+    @Handler
+    public void onInput(Input<?> event, SocketIOChannel channel) {
+        if (channel.associated(GuestAgentClient.class).isEmpty()) {
+            return;
+        }
+        channel.associated(LineCollector.class).ifPresent(collector -> {
+            collector.feed(event);
+        });
+    }
+
+    private void processGuestAgentInput(String line)
+            throws IOException {
+        logger.fine(() -> "guest agent(in): " + line);
+        try {
+            var response = mapper.readValue(line, ObjectNode.class);
+            if (response.has("QMP")) {
+                rep.fire(new MonitorReady());
+                return;
+            }
+            if (response.has("return") || response.has("error")) {
+                QmpCommand executed = executing.poll();
+                logger.fine(
+                    () -> String.format("(Previous \"guest agent(in)\" is "
+                        + "result from executing %s)", executed));
+                if (executed instanceof QmpGuestGetOsinfo) {
+                    rep.fire(new OsinfoEvent(response.get("return")));
+                }
+            }
+        } catch (JsonProcessingException e) {
+            throw new IOException(e);
+        }
+    }
+
+    /**
+     * On closed.
+     *
+     * @param event the event
+     */
+    @Handler
+    @SuppressWarnings({ "PMD.AvoidSynchronizedStatement",
+        "PMD.AvoidDuplicateLiterals" })
+    public void onClosed(Closed<?> event, SocketIOChannel channel) {
+        channel.associated(QemuMonitor.class).ifPresent(qm -> {
+            gaChannel = null;
+        });
+    }
+
+    /**
+     * On guest agent command.
+     *
+     * @param event the event
+     */
+    @Handler
+    @SuppressWarnings({ "PMD.AvoidLiteralsInIfCondition",
+        "PMD.AvoidSynchronizedStatement" })
+    public void onGuestAgentCommand(GuestAgentCommand event) {
+        var command = event.command();
+        logger.fine(() -> "guest agent(out): " + command.toString());
+        String asText;
+        try {
+            asText = command.asText();
+        } catch (JsonProcessingException e) {
+            logger.log(Level.SEVERE, e,
+                () -> "Cannot serialize Json: " + e.getMessage());
+            return;
+        }
+        synchronized (executing) {
+            gaChannel.associated(Writer.class).ifPresent(writer -> {
+                try {
+                    executing.add(command);
+                    writer.append(asText).append('\n').flush();
+                } catch (IOException e) {
+                    // Cannot happen, but...
+                    logger.log(Level.WARNING, e, e::getMessage);
+                }
+            });
+        }
+    }
+}
diff --git a/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/Runner.java b/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/Runner.java
index 52db0ce..c8b9f44 100644
--- a/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/Runner.java
+++ b/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/Runner.java
@@ -218,6 +218,7 @@ public class Runner extends Component {
     private CommandDefinition cloudInitImgDefinition;
     private CommandDefinition qemuDefinition;
     private final QemuMonitor qemuMonitor;
+    private final GuestAgentClient guestAgentClient;
     private Integer resetCounter;
     private RunState state = RunState.INITIALIZING;
 
@@ -275,6 +276,7 @@ public class Runner extends Component {
         attach(new ProcessManager(channel()));
         attach(new SocketConnector(channel()));
         attach(qemuMonitor = new QemuMonitor(channel(), configDir));
+        attach(guestAgentClient = new GuestAgentClient(channel()));
         attach(new StatusUpdater(channel()));
         attach(new YamlConfigurationStore(channel(), configFile, false));
         fire(new WatchFile(configFile.toPath()));
@@ -349,6 +351,7 @@ public class Runner extends Component {
             // Forward some values to child components
             qemuMonitor.configure(config.monitorSocket,
                 config.vm.powerdownTimeout);
+            guestAgentClient.configure(config.guestAgentSocket);
         } catch (IllegalArgumentException | IOException | TemplateException e) {
             logger.log(Level.SEVERE, e, () -> "Invalid configuration: "
                 + e.getMessage());
diff --git a/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/StatusUpdater.java b/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/StatusUpdater.java
index d33358b..d4548bf 100644
--- a/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/StatusUpdater.java
+++ b/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/StatusUpdater.java
@@ -18,12 +18,16 @@
 
 package org.jdrupes.vmoperator.runner.qemu;
 
+import com.fasterxml.jackson.databind.ObjectMapper;
+import com.fasterxml.jackson.datatype.jsr310.JavaTimeModule;
+import com.google.gson.Gson;
 import com.google.gson.JsonObject;
 import io.kubernetes.client.apimachinery.GroupVersionKind;
 import io.kubernetes.client.custom.Quantity;
 import io.kubernetes.client.custom.Quantity.Format;
 import io.kubernetes.client.custom.V1Patch;
 import io.kubernetes.client.openapi.ApiException;
+import io.kubernetes.client.openapi.JSON;
 import io.kubernetes.client.openapi.models.EventsV1Event;
 import java.io.IOException;
 import java.math.BigDecimal;
@@ -40,6 +44,7 @@ import org.jdrupes.vmoperator.runner.qemu.events.ConfigureQemu;
 import org.jdrupes.vmoperator.runner.qemu.events.DisplayPasswordChanged;
 import org.jdrupes.vmoperator.runner.qemu.events.Exit;
 import org.jdrupes.vmoperator.runner.qemu.events.HotpluggableCpuStatus;
+import org.jdrupes.vmoperator.runner.qemu.events.OsinfoEvent;
 import org.jdrupes.vmoperator.runner.qemu.events.RunnerStateChange;
 import org.jdrupes.vmoperator.runner.qemu.events.RunnerStateChange.RunState;
 import org.jdrupes.vmoperator.runner.qemu.events.ShutdownEvent;
@@ -55,6 +60,12 @@ import org.jgrapes.core.events.Start;
 @SuppressWarnings("PMD.DataflowAnomalyAnalysis")
 public class StatusUpdater extends VmDefUpdater {
 
+    @SuppressWarnings("PMD.FieldNamingConventions")
+    private static final Gson gson = new JSON().getGson();
+    @SuppressWarnings("PMD.FieldNamingConventions")
+    private static final ObjectMapper objectMapper
+        = new ObjectMapper().registerModule(new JavaTimeModule());
+
     private static final Set<RunState> RUNNING_STATES
         = Set.of(RunState.RUNNING, RunState.TERMINATING);
 
@@ -286,4 +297,26 @@ public class StatusUpdater extends VmDefUpdater {
     public void onShutdown(ShutdownEvent event) throws ApiException {
         shutdownByGuest = event.byGuest();
     }
+
+    /**
+     * On osinfo.
+     *
+     * @param event the event
+     * @throws ApiException 
+     */
+    @Handler
+    public void onOsinfo(OsinfoEvent event) throws ApiException {
+        if (vmStub == null) {
+            return;
+        }
+        var asGson = gson.toJsonTree(
+            objectMapper.convertValue(event.osinfo(), Object.class));
+
+        vmStub.updateStatus(from -> {
+            JsonObject status = from.statusJson();
+            status.add("osinfo", asGson);
+            return status;
+        });
+
+    }
 }
diff --git a/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/commands/QmpGuestGetOsinfo.java b/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/commands/QmpGuestGetOsinfo.java
new file mode 100644
index 0000000..cf4ba72
--- /dev/null
+++ b/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/commands/QmpGuestGetOsinfo.java
@@ -0,0 +1,41 @@
+/*
+ * VM-Operator
+ * Copyright (C) 2025 Michael N. Lipp
+ * 
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as
+ * published by the Free Software Foundation, either version 3 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program.  If not, see <https://www.gnu.org/licenses/>.
+ */
+
+package org.jdrupes.vmoperator.runner.qemu.commands;
+
+import com.fasterxml.jackson.databind.JsonNode;
+import com.fasterxml.jackson.databind.node.ObjectNode;
+
+/**
+ * A {@link QmpCommand} that pings the guest agent.
+ */
+public class QmpGuestGetOsinfo extends QmpCommand {
+
+    @Override
+    public JsonNode toJson() {
+        ObjectNode cmd = mapper.createObjectNode();
+        cmd.put("execute", "guest-get-osinfo");
+        return cmd;
+    }
+
+    @Override
+    public String toString() {
+        return "QmpGuestGetOsinfo()";
+    }
+
+}
diff --git a/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/commands/QmpGuestInfo.java b/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/commands/QmpGuestInfo.java
new file mode 100644
index 0000000..75fdf73
--- /dev/null
+++ b/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/commands/QmpGuestInfo.java
@@ -0,0 +1,41 @@
+/*
+ * VM-Operator
+ * Copyright (C) 2025 Michael N. Lipp
+ * 
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as
+ * published by the Free Software Foundation, either version 3 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program.  If not, see <https://www.gnu.org/licenses/>.
+ */
+
+package org.jdrupes.vmoperator.runner.qemu.commands;
+
+import com.fasterxml.jackson.databind.JsonNode;
+import com.fasterxml.jackson.databind.node.ObjectNode;
+
+/**
+ * A {@link QmpCommand} that requests the guest info.
+ */
+public class QmpGuestInfo extends QmpCommand {
+
+    @Override
+    public JsonNode toJson() {
+        ObjectNode cmd = mapper.createObjectNode();
+        cmd.put("execute", "guest-info");
+        return cmd;
+    }
+
+    @Override
+    public String toString() {
+        return "QmpGuestInfo()";
+    }
+
+}
diff --git a/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/commands/QmpGuestPing.java b/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/commands/QmpGuestPing.java
new file mode 100644
index 0000000..257c838
--- /dev/null
+++ b/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/commands/QmpGuestPing.java
@@ -0,0 +1,41 @@
+/*
+ * VM-Operator
+ * Copyright (C) 2023 Michael N. Lipp
+ * 
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as
+ * published by the Free Software Foundation, either version 3 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program.  If not, see <https://www.gnu.org/licenses/>.
+ */
+
+package org.jdrupes.vmoperator.runner.qemu.commands;
+
+import com.fasterxml.jackson.databind.JsonNode;
+import com.fasterxml.jackson.databind.node.ObjectNode;
+
+/**
+ * A {@link QmpCommand} that pings the guest agent.
+ */
+public class QmpGuestPing extends QmpCommand {
+
+    @Override
+    public JsonNode toJson() {
+        ObjectNode cmd = mapper.createObjectNode();
+        cmd.put("execute", "guest-ping");
+        return cmd;
+    }
+
+    @Override
+    public String toString() {
+        return "QmpGuestPing()";
+    }
+
+}
diff --git a/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/events/GuestAgentCommand.java b/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/events/GuestAgentCommand.java
new file mode 100644
index 0000000..a1b585d
--- /dev/null
+++ b/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/events/GuestAgentCommand.java
@@ -0,0 +1,63 @@
+/*
+ * VM-Operator
+ * Copyright (C) 2025 Michael N. Lipp
+ * 
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as
+ * published by the Free Software Foundation, either version 3 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program.  If not, see <https://www.gnu.org/licenses/>.
+ */
+
+package org.jdrupes.vmoperator.runner.qemu.events;
+
+import org.jdrupes.vmoperator.runner.qemu.commands.QmpCommand;
+import org.jgrapes.core.Channel;
+import org.jgrapes.core.Components;
+import org.jgrapes.core.Event;
+
+/**
+ * An {@link Event} that causes some component to send a QMP
+ * command to the guest agent process.
+ */
+public class GuestAgentCommand extends Event<Void> {
+
+    private final QmpCommand command;
+
+    /**
+     * Instantiates a new exec qmp command.
+     *
+     * @param command the command
+     */
+    public GuestAgentCommand(QmpCommand command) {
+        this.command = command;
+    }
+
+    /**
+     * Gets the command.
+     *
+     * @return the command
+     */
+    public QmpCommand command() {
+        return command;
+    }
+
+    @Override
+    public String toString() {
+        StringBuilder builder = new StringBuilder();
+        builder.append(Components.objectName(this))
+            .append(" [").append(command);
+        if (channels() != null) {
+            builder.append(", channels=").append(Channel.toString(channels()));
+        }
+        builder.append(']');
+        return builder.toString();
+    }
+}
diff --git a/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/events/MonitorEvent.java b/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/events/MonitorEvent.java
index df981c8..e35a172 100644
--- a/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/events/MonitorEvent.java
+++ b/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/events/MonitorEvent.java
@@ -35,7 +35,7 @@ public class MonitorEvent extends Event<Void> {
      */
     public enum Kind {
         READY, POWERDOWN, DEVICE_TRAY_MOVED, BALLOON_CHANGE, SHUTDOWN,
-        SPICE_CONNECTED, SPICE_INITIALIZED, SPICE_DISCONNECTED
+        SPICE_CONNECTED, SPICE_INITIALIZED, SPICE_DISCONNECTED, VSERPORT_CHANGE
     }
 
     private final Kind kind;
@@ -72,6 +72,9 @@ public class MonitorEvent extends Event<Void> {
             case SPICE_DISCONNECTED:
                 return Optional.of(new SpiceDisconnectedEvent(kind,
                     response.get(EVENT_DATA)));
+            case VSERPORT_CHANGE:
+                return Optional.of(new VserportChangeEvent(kind,
+                    response.get(EVENT_DATA)));
             default:
                 return Optional
                     .of(new MonitorEvent(kind, response.get(EVENT_DATA)));
diff --git a/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/events/OsinfoEvent.java b/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/events/OsinfoEvent.java
new file mode 100644
index 0000000..294ac7b
--- /dev/null
+++ b/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/events/OsinfoEvent.java
@@ -0,0 +1,43 @@
+/*
+ * VM-Operator
+ * Copyright (C) 2025 Michael N. Lipp
+ * 
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as
+ * published by the Free Software Foundation, either version 3 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program.  If not, see <https://www.gnu.org/licenses/>.
+ */
+
+package org.jdrupes.vmoperator.runner.qemu.events;
+
+import com.fasterxml.jackson.databind.JsonNode;
+import org.jgrapes.core.Event;
+
+/**
+ * Signals information about the guest OS.
+ */
+public class OsinfoEvent extends Event<Void> {
+
+    private final JsonNode osinfo;
+
+    /**
+     * Instantiates a new osinfo event.
+     *
+     * @param data the data
+     */
+    public OsinfoEvent(JsonNode data) {
+        osinfo = data;
+    }
+
+    public JsonNode osinfo() {
+        return osinfo;
+    }
+}
diff --git a/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/events/VserportChangeEvent.java b/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/events/VserportChangeEvent.java
new file mode 100644
index 0000000..b590cd3
--- /dev/null
+++ b/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/events/VserportChangeEvent.java
@@ -0,0 +1,56 @@
+/*
+ * VM-Operator
+ * Copyright (C) 2023 Michael N. Lipp
+ * 
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as
+ * published by the Free Software Foundation, either version 3 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program.  If not, see <https://www.gnu.org/licenses/>.
+ */
+
+package org.jdrupes.vmoperator.runner.qemu.events;
+
+import com.fasterxml.jackson.databind.JsonNode;
+
+/**
+ * Signals a virtual serial port's open state change.
+ */
+public class VserportChangeEvent extends MonitorEvent {
+
+    /**
+     * Initializes a new instance.
+     *
+     * @param kind the kind
+     * @param data the data
+     */
+    public VserportChangeEvent(Kind kind, JsonNode data) {
+        super(kind, data);
+    }
+
+    /**
+     * Return the channel's id.
+     *
+     * @return the string
+     */
+    @SuppressWarnings("PMD.ShortMethodName")
+    public String id() {
+        return data().get("id").asText();
+    }
+
+    /**
+     * Returns the open state of the port.
+     *
+     * @return true, if is open
+     */
+    public boolean isOpen() {
+        return Boolean.parseBoolean(data().get("open").asText());
+    }
+}
diff --git a/org.jdrupes.vmoperator.runner.qemu/templates/Standard-VM-latest.ftl.yaml b/org.jdrupes.vmoperator.runner.qemu/templates/Standard-VM-latest.ftl.yaml
index 5d10b54..e2610ba 100644
--- a/org.jdrupes.vmoperator.runner.qemu/templates/Standard-VM-latest.ftl.yaml
+++ b/org.jdrupes.vmoperator.runner.qemu/templates/Standard-VM-latest.ftl.yaml
@@ -122,7 +122,7 @@
     #   Best explanation found: 
     #   https://fedoraproject.org/wiki/Features/VirtioSerial
     - [ "-device", "virtio-serial-pci,id=virtio-serial0" ]
-    #   - Guest agent serial connection
+    #   - Guest agent serial connection. MUST have id "channel0"!
     - [ "-device", "virtserialport,id=channel0,name=org.qemu.guest_agent.0,\
         chardev=guest-agent-socket" ]
     - [ "-chardev","socket,id=guest-agent-socket,\

From 0ded0ff9a9143eb7e41200014f62a7c0e8559014 Mon Sep 17 00:00:00 2001
From: "Michael N. Lipp" <mnl@mnl.de>
Date: Sun, 16 Feb 2025 21:06:49 +0100
Subject: [PATCH 108/274] Add usage info.

---
 dev-example/pool-action.sh | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/dev-example/pool-action.sh b/dev-example/pool-action.sh
index b605479..bc8fbce 100755
--- a/dev-example/pool-action.sh
+++ b/dev-example/pool-action.sh
@@ -7,6 +7,10 @@ Applys action to all VMs in the pool.
 
   --context                   Context to be passed to kubectl (required)
   -n, --namespace             Namespace to be passed to kubectl
+  
+Action is one of "start", "stop", "delete" or "delete-disks"
+
+Defaults for context and namespace are read from .vm-operator-cmd.rc.
 EOF
   exit 1  
 }

From 3e713b4ff2434013d509a08aa577fc7fc1821085 Mon Sep 17 00:00:00 2001
From: "Michael N. Lipp" <mnl@mnl.de>
Date: Mon, 17 Feb 2025 09:49:06 +0100
Subject: [PATCH 109/274] Extend comment.

---
 .../vmoperator/manager/DisplaySecretReconciler.java        | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/DisplaySecretReconciler.java b/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/DisplaySecretReconciler.java
index 0665d32..dcae3a3 100644
--- a/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/DisplaySecretReconciler.java
+++ b/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/DisplaySecretReconciler.java
@@ -41,13 +41,16 @@ import org.jose4j.base64url.Base64;
 /**
  * Delegee for reconciling the display secret
  */
-@SuppressWarnings("PMD.DataflowAnomalyAnalysis")
+@SuppressWarnings({ "PMD.DataflowAnomalyAnalysis", "PMD.TooManyStaticImports" })
 /* default */ class DisplaySecretReconciler {
 
     protected final Logger logger = Logger.getLogger(getClass().getName());
 
     /**
-     * Reconcile.
+     * Reconcile. If the configuration prevents generating a secret
+     * or the secret already exists, do nothing. Else generate a new
+     * secret with a random password and immediate expiration, thus
+     * preventing access to the display.
      *
      * @param event the event
      * @param model the model

From ec8152bd518572517f8f68cac63fdb2dd40dbb8f Mon Sep 17 00:00:00 2001
From: "Michael N. Lipp" <mnl@mnl.de>
Date: Mon, 17 Feb 2025 20:47:00 +0100
Subject: [PATCH 110/274] Add booted state.

---
 .../runner/qemu/GuestAgentClient.java         |  5 --
 .../vmoperator/runner/qemu/Runner.java        | 60 ++++++++++++-------
 .../vmoperator/runner/qemu/StatusUpdater.java | 15 +++--
 .../runner/qemu/events/RunnerStateChange.java | 23 ++++++-
 4 files changed, 70 insertions(+), 33 deletions(-)

diff --git a/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/GuestAgentClient.java b/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/GuestAgentClient.java
index 4d1c764..f3928f5 100644
--- a/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/GuestAgentClient.java
+++ b/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/GuestAgentClient.java
@@ -33,7 +33,6 @@ import java.util.logging.Level;
 import org.jdrupes.vmoperator.runner.qemu.commands.QmpCommand;
 import org.jdrupes.vmoperator.runner.qemu.commands.QmpGuestGetOsinfo;
 import org.jdrupes.vmoperator.runner.qemu.events.GuestAgentCommand;
-import org.jdrupes.vmoperator.runner.qemu.events.MonitorReady;
 import org.jdrupes.vmoperator.runner.qemu.events.OsinfoEvent;
 import org.jdrupes.vmoperator.runner.qemu.events.VserportChangeEvent;
 import org.jgrapes.core.Channel;
@@ -188,10 +187,6 @@ public class GuestAgentClient extends Component {
         logger.fine(() -> "guest agent(in): " + line);
         try {
             var response = mapper.readValue(line, ObjectNode.class);
-            if (response.has("QMP")) {
-                rep.fire(new MonitorReady());
-                return;
-            }
             if (response.has("return") || response.has("error")) {
                 QmpCommand executed = executing.poll();
                 logger.fine(
diff --git a/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/Runner.java b/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/Runner.java
index c8b9f44..b258e1a 100644
--- a/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/Runner.java
+++ b/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/Runner.java
@@ -61,6 +61,7 @@ import org.jdrupes.vmoperator.runner.qemu.commands.QmpReset;
 import org.jdrupes.vmoperator.runner.qemu.events.ConfigureQemu;
 import org.jdrupes.vmoperator.runner.qemu.events.Exit;
 import org.jdrupes.vmoperator.runner.qemu.events.MonitorCommand;
+import org.jdrupes.vmoperator.runner.qemu.events.OsinfoEvent;
 import org.jdrupes.vmoperator.runner.qemu.events.QmpConfigured;
 import org.jdrupes.vmoperator.runner.qemu.events.RunnerStateChange;
 import org.jdrupes.vmoperator.runner.qemu.events.RunnerStateChange.RunState;
@@ -619,8 +620,8 @@ public class Runner extends Component {
     }
 
     /**
-     * On monitor ready.
-     *
+     * When the monitor is ready, send QEMU its initial configuration.  
+     * 
      * @param event the event
      */
     @Handler
@@ -629,28 +630,14 @@ public class Runner extends Component {
     }
 
     /**
-     * On configure qemu.
-     *
-     * @param event the event
-     */
-    @Handler(priority = -1000)
-    public void onConfigureQemuFinal(ConfigureQemu event) {
-        if (state == RunState.STARTING) {
-            fire(new MonitorCommand(new QmpCont()));
-            state = RunState.RUNNING;
-            rep.fire(new RunnerStateChange(state, "VmStarted",
-                "Qemu has been configured and is continuing"));
-        }
-    }
-
-    /**
-     * On configure qemu.
+     * Whenever a new QEMU configuration is available, check if it
+     * is supposed to trigger a reset.
      *
      * @param event the event
      */
     @Handler
     public void onConfigureQemu(ConfigureQemu event) {
-        if (state == RunState.RUNNING) {
+        if (state.vmActive()) {
             if (resetCounter != null
                 && event.configuration().resetCounter != null
                 && event.configuration().resetCounter > resetCounter) {
@@ -660,6 +647,36 @@ public class Runner extends Component {
         }
     }
 
+    /**
+     * As last step when handling a new configuration, check if
+     * QEMU is suspended after startup and should be continued. 
+     * 
+     * @param event the event
+     */
+    @Handler(priority = -1000)
+    public void onConfigureQemuFinal(ConfigureQemu event) {
+        if (state == RunState.STARTING) {
+            state = RunState.BOOTING;
+            fire(new MonitorCommand(new QmpCont()));
+            rep.fire(new RunnerStateChange(state, "VmStarted",
+                "Qemu has been configured and is continuing"));
+        }
+    }
+
+    /**
+     * Receiving the OSinfo means that the OS has been booted.
+     *
+     * @param event the event
+     */
+    @Handler
+    public void onOsinfo(OsinfoEvent event) {
+        if (state == RunState.BOOTING) {
+            state = RunState.BOOTED;
+            rep.fire(new RunnerStateChange(state, "VmBooted",
+                "The VM has started the guest agent."));
+        }
+    }
+
     /**
      * On process exited.
      *
@@ -675,6 +692,7 @@ public class Runner extends Component {
                 mayBeStartQemu(QemuPreps.CloudInit);
                 return;
             }
+
             // No other process(es) may exit during startup
             if (state == RunState.STARTING) {
                 logger.severe(() -> "Process " + procDef.name
@@ -683,7 +701,9 @@ public class Runner extends Component {
                 rep.fire(new Stop());
                 return;
             }
-            if (procDef.equals(qemuDefinition) && state == RunState.RUNNING) {
+
+            // No processes may exit while the VM is running normally
+            if (procDef.equals(qemuDefinition) && state.vmActive()) {
                 rep.fire(new Exit(event.exitValue()));
             }
             logger.info(() -> "Process " + procDef.name
diff --git a/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/StatusUpdater.java b/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/StatusUpdater.java
index d4548bf..f9644c8 100644
--- a/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/StatusUpdater.java
+++ b/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/StatusUpdater.java
@@ -1,6 +1,6 @@
 /*
  * VM-Operator
- * Copyright (C) 2023,2024 Michael N. Lipp
+ * Copyright (C) 2023,2025 Michael N. Lipp
  * 
  * This program is free software: you can redistribute it and/or modify
  * it under the terms of the GNU Affero General Public License as
@@ -31,7 +31,6 @@ import io.kubernetes.client.openapi.JSON;
 import io.kubernetes.client.openapi.models.EventsV1Event;
 import java.io.IOException;
 import java.math.BigDecimal;
-import java.util.Set;
 import java.util.logging.Level;
 import static org.jdrupes.vmoperator.common.Constants.APP_NAME;
 import static org.jdrupes.vmoperator.common.Constants.VM_OP_GROUP;
@@ -66,9 +65,6 @@ public class StatusUpdater extends VmDefUpdater {
     private static final ObjectMapper objectMapper
         = new ObjectMapper().registerModule(new JavaTimeModule());
 
-    private static final Set<RunState> RUNNING_STATES
-        = Set.of(RunState.RUNNING, RunState.TERMINATING);
-
     private long observedGeneration;
     private boolean guestShutdownStops;
     private boolean shutdownByGuest;
@@ -186,16 +182,23 @@ public class StatusUpdater extends VmDefUpdater {
         }
         vmStub.updateStatus(vmDef, from -> {
             JsonObject status = from.statusJson();
-            boolean running = RUNNING_STATES.contains(event.runState());
+            boolean running = event.runState().vmRunning();
             updateCondition(vmDef, vmDef.statusJson(), "Running", running,
                 event.reason(), event.message());
+            updateCondition(vmDef, vmDef.statusJson(), "Booted",
+                event.runState() == RunState.BOOTED, event.reason(),
+                event.message());
             if (event.runState() == RunState.STARTING) {
                 status.addProperty("ram", GsonPtr.to(from.data())
                     .getAsString("spec", "vm", "maximumRam").orElse("0"));
                 status.addProperty("cpus", 1);
+
+                // In case we had an irregular shutdown
+                status.remove("osinfo");
             } else if (event.runState() == RunState.STOPPED) {
                 status.addProperty("ram", "0");
                 status.addProperty("cpus", 0);
+                status.remove("osinfo");
             }
 
             // In case console connection was still present
diff --git a/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/events/RunnerStateChange.java b/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/events/RunnerStateChange.java
index bb6ab10..829cc88 100644
--- a/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/events/RunnerStateChange.java
+++ b/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/events/RunnerStateChange.java
@@ -18,6 +18,7 @@
 
 package org.jdrupes.vmoperator.runner.qemu.events;
 
+import java.util.EnumSet;
 import org.jgrapes.core.Channel;
 import org.jgrapes.core.Components;
 import org.jgrapes.core.Event;
@@ -29,10 +30,28 @@ import org.jgrapes.core.Event;
 public class RunnerStateChange extends Event<Void> {
 
     /**
-     * The state.
+     * The states.
      */
     public enum RunState {
-        INITIALIZING, STARTING, RUNNING, TERMINATING, STOPPED
+        INITIALIZING, STARTING, BOOTING, BOOTED, TERMINATING, STOPPED;
+
+        /**
+         * Checks if the state is one of the states in which the VM is running.
+         *
+         * @return true, if is running
+         */
+        public boolean vmRunning() {
+            return EnumSet.of(BOOTING, BOOTED, TERMINATING).contains(this);
+        }
+
+        /**
+         * Checks if the state is one of the states in which the VM is active.
+         *
+         * @return true, if is active
+         */
+        public boolean vmActive() {
+            return EnumSet.of(BOOTING, BOOTED).contains(this);
+        }
     }
 
     private final RunState state;

From bccc4ac2190bc3bf1f8099e69d3b0977ca648229 Mon Sep 17 00:00:00 2001
From: "Michael N. Lipp" <mnl@mnl.de>
Date: Tue, 18 Feb 2025 12:15:50 +0100
Subject: [PATCH 111/274] Add pretty os name to displayed data.

---
 .../org/jdrupes/vmoperator/vmmgmt/VmMgmt-view.ftl.html         | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/org.jdrupes.vmoperator.vmmgmt/resources/org/jdrupes/vmoperator/vmmgmt/VmMgmt-view.ftl.html b/org.jdrupes.vmoperator.vmmgmt/resources/org/jdrupes/vmoperator/vmmgmt/VmMgmt-view.ftl.html
index 4dfc8d7..6ec6ce3 100644
--- a/org.jdrupes.vmoperator.vmmgmt/resources/org/jdrupes/vmoperator/vmmgmt/VmMgmt-view.ftl.html
+++ b/org.jdrupes.vmoperator.vmmgmt/resources/org/jdrupes/vmoperator/vmmgmt/VmMgmt-view.ftl.html
@@ -129,6 +129,9 @@
               </tr>
             </table>
             <table class="table--basic table--basic--autoStriped">
+              <tr>
+                <td colspan="2">{{ entry.status?.osinfo?.["pretty-name"] || "" }}</td>
+              </tr>
               <tr>
                 <td>{{ localize("usedFrom") }}</td>
                 <td>{{ entry.usedFrom }}</td>

From 777ae73c745ecb769b3196dd468fc03b9d63e4fe Mon Sep 17 00:00:00 2001
From: "Michael N. Lipp" <mnl@mnl.de>
Date: Tue, 18 Feb 2025 16:50:43 +0100
Subject: [PATCH 112/274] Add OS icons.

---
 .../vmoperator/vmaccess/osicons/Licenses.txt  |  16 +
 .../vmoperator/vmaccess/osicons/almalinux.svg |  16 +
 .../vmoperator/vmaccess/osicons/arch.svg      |  20 +
 .../vmoperator/vmaccess/osicons/debian.svg    |   9 +
 .../vmoperator/vmaccess/osicons/fedora.svg    | Bin 0 -> 41315 bytes
 .../vmoperator/vmaccess/osicons/tux.svg       | 438 ++++++++++++++++++
 .../vmoperator/vmaccess/osicons/ubuntu.svg    |   8 +
 .../vmoperator/vmaccess/osicons/unknown.svg   |  84 ++++
 .../vmoperator/vmaccess/osicons/windows.svg   |   1 +
 .../vmaccess/browser/VmAccess-functions.ts    |  33 +-
 .../vmaccess/browser/VmAccess-style.scss      |  14 +
 11 files changed, 634 insertions(+), 5 deletions(-)
 create mode 100644 org.jdrupes.vmoperator.vmaccess/resources/org/jdrupes/vmoperator/vmaccess/osicons/Licenses.txt
 create mode 100644 org.jdrupes.vmoperator.vmaccess/resources/org/jdrupes/vmoperator/vmaccess/osicons/almalinux.svg
 create mode 100644 org.jdrupes.vmoperator.vmaccess/resources/org/jdrupes/vmoperator/vmaccess/osicons/arch.svg
 create mode 100644 org.jdrupes.vmoperator.vmaccess/resources/org/jdrupes/vmoperator/vmaccess/osicons/debian.svg
 create mode 100644 org.jdrupes.vmoperator.vmaccess/resources/org/jdrupes/vmoperator/vmaccess/osicons/fedora.svg
 create mode 100644 org.jdrupes.vmoperator.vmaccess/resources/org/jdrupes/vmoperator/vmaccess/osicons/tux.svg
 create mode 100644 org.jdrupes.vmoperator.vmaccess/resources/org/jdrupes/vmoperator/vmaccess/osicons/ubuntu.svg
 create mode 100644 org.jdrupes.vmoperator.vmaccess/resources/org/jdrupes/vmoperator/vmaccess/osicons/unknown.svg
 create mode 100644 org.jdrupes.vmoperator.vmaccess/resources/org/jdrupes/vmoperator/vmaccess/osicons/windows.svg

diff --git a/org.jdrupes.vmoperator.vmaccess/resources/org/jdrupes/vmoperator/vmaccess/osicons/Licenses.txt b/org.jdrupes.vmoperator.vmaccess/resources/org/jdrupes/vmoperator/vmaccess/osicons/Licenses.txt
new file mode 100644
index 0000000..f67978f
--- /dev/null
+++ b/org.jdrupes.vmoperator.vmaccess/resources/org/jdrupes/vmoperator/vmaccess/osicons/Licenses.txt
@@ -0,0 +1,16 @@
+almalinux.svg: 
+  Source: https://commons.wikimedia.org/wiki/File:AlmaLinux_Icon_Logo.svg
+  License: https://github.com/AlmaLinux/wiki/blob/master/LICENSE
+  
+archlinux.svg:
+  Source: https://commons.wikimedia.org/wiki/File:Arch_Linux_%22Crystal%22_icon.svghttps://commons.wikimedia.org/wiki/File:Arch_Linux_%22Crystal%22_icon.svg
+  License: GPL v2 or later
+  
+debian.svg:
+  Source: https://commons.wikimedia.org/wiki/File:Openlogo-debianV2.svg
+  License : LGPL
+  
+tux.svg:
+  Source: https://commons.wikimedia.org/wiki/File:Tux.svghttps://commons.wikimedia.org/wiki/File:Tux.svg
+  License: Creative Commons CC0 1.0 Universal Public Domain Dedication. Creative Commons CC0 1.0 Universal Public Domain Dedication.
+
diff --git a/org.jdrupes.vmoperator.vmaccess/resources/org/jdrupes/vmoperator/vmaccess/osicons/almalinux.svg b/org.jdrupes.vmoperator.vmaccess/resources/org/jdrupes/vmoperator/vmaccess/osicons/almalinux.svg
new file mode 100644
index 0000000..b2e050a
--- /dev/null
+++ b/org.jdrupes.vmoperator.vmaccess/resources/org/jdrupes/vmoperator/vmaccess/osicons/almalinux.svg
@@ -0,0 +1,16 @@
+<svg xmlns="http://www.w3.org/2000/svg" id="Layer_1" x="0" y="0" version="1.1" xml:space="preserve" viewBox="0 0 61.028259 59.731277">
+  <defs/>
+  <style id="style2" type="text/css">
+    .st1{fill:#86da2f}.st2{fill:#24c2ff}.st3{fill:#ffcb12}.st4{fill:#0069da}.st5{fill:#ff4649}
+  </style>
+  <path id="path22" d="M56.11382 33.731278c2.6-.2 4.7 1.5 4.9 4.1.2 2.7-1.7 4.9-4.3 5.1-2.5.2-4.7-1.7-4.9-4.2-.2-2.7 1.6-4.7 4.3-5z" class="st1"/>
+  <path id="path24" d="M24.51382 55.031278c0-2.6 2-4.6 4.4-4.6 2.4 0 4.7 2.2 4.7 4.7 0 2.4-2 4.5-4.3 4.6-2.9 0-4.8-1.8-4.8-4.7z" class="st2"/>
+  <path id="path26" d="M31.61382 25.831278c-.4.2-.6-.1-.7-.4-3.7-6.9-2.6-15.6000004 3.9-20.8000004 1.7-1.4 4.9-1.7 6.3-.3.6.5.7 1.1.8 1.8.2 1.5.5 3 1.5 4.2000004 1.1 1.3 2.5 1.8 4.1 1.7 1.4 0 2.8-.2 3.7 1.4.5.9.3 4.4-.5 5.1-.4.3-.7.1-1 0-2.3-.9-4.7-.9-7.1-.5-.8.1-1.2-.1-1.2-1-.1-1.5-.4-2.9-1.2-4.2-1.5-2.7-4.3-2.8-6.1-.3-1.5 2-1.9 4.4-2.3 6.8-.4 2.1-.3 4.3-.2 6.5 0 0-.1 0 0 0z" class="st3"/>
+  <path id="path28" d="M34.11382 27.331278c-.2-.3-.1-.6.2-.8 5.7-5.2 14.2-6.2 20.8-1.1 1.7 1.4 2.8 4.3 1.9 6-.4.7-.9 1-1.5 1.2-1.4.6-2.7 1.2-3.6 2.5-.9 1.3-1.1 2.8-.7 4.4.3 1.3.8 2.7-.5 3.9-.7.7-4.1 1.3-5 .7-.4-.3-.3-.6-.2-1 .3-2.5-.3-4.8-1.2-7-.3-.8-.2-1.2.6-1.4 1.4-.4 2.7-1.1 3.7-2.1 2.2-2.1 1.7-4.8-1.2-6-2.3-1-4.7-.8-7-.6-2.2.1-4.3.7-6.3 1.3z" class="st1"/>
+  <path id="path30" d="M32.81382 29.931278c.3-.3.5-.2.8 0 6.6 4 10 11.9 7 19.6-.8 2-3.4 4-5.3 3.5-.8-.2-1.2-.6-1.6-1.1-.9-1.2-1.9-2.3-3.4-2.8-1.6-.5-3-.2-4.4.6-1.2.7-2.4 1.6-3.9.7-.9-.5-2.4-3.6-2.1-4.6.2-.4.6-.4 1-.4 2.5-.4 4.5-1.6 6.4-3.2.6-.5 1.1-.5 1.6.2.8 1.2 1.8 2.2 3.1 2.9 2.6 1.5 5.1.2 5.4-2.8.3-2.5-.6-4.7-1.4-6.9-.9-2-2-3.9-3.2-5.7z" class="st2"/>
+  <path id="path32" d="M29.61382 30.531278c-.4 2-1.3 3.9-2.5 5.6-3.6 5.4-8.8 7.6-15.2 7-2.2999997-.2-4.1999997-2.1-4.3999997-4-.1-.8.1-1.4.6-2 .7-.9 1.3-1.7 1.6-2.8.5999997-2.2-.2-4-1.8-5.6-2.2-2.2-1.9-4.2.7-5.8.3-.2.7-.4 1.1-.6.5999997-.3 1.0999997-.3 1.2999997.4.9 2.3 2.7 4 4.7 5.4.7.6.7 1 .1 1.7-1.2 1.3-1.9 2.9-2 4.7-.2 2.2 1.1 3.6 3.3 3.6 1.4 0 2.7-.5 3.9-1.1 3.1-1.6 5.5-3.9 7.8-6.3.3-.1.4-.3.8-.2z" class="st4"/>
+  <path id="path34" d="M13.21382 9.5312776c.2 0 .7.1 1.2.2 3.7.7000004 6-.6 7.2-4.1.8-2.3 2.5-3 4.7-1.8.1 0 .1.1.2.1 2.3 1.3 2.3 1.5.9 3.5-1.2 1.6-1.8 3.4000004-2.1 5.3000004-.2 1.1-.6 1.3-1.6.9-1.6-.6-3.3-.6-5 0-1.9.6-2.7 2.3-2.1 4.2.8 2.5 3 3.6 4.9 4.9 1.9 1.3 4.1 2 6.2 2.9.3.1.8.1.7.6-.1.3-.5.3-.9.3-4.5.2-8.8-.5-12.3-3.5-3.3-2.7-5.6999997-6-5.2999997-10.6.2999997-1.5 1.3999997-2.6000004 3.2999997-2.9000004z" class="st5"/>
+  <path id="path36" d="M5.0138203 37.631278c-2.4.3-4.80000003-1.7-5.00000003-4.2-.2-2.4 1.80000003-4.8 4.10000003-5 2.6-.3 5 1.5 5.2 3.9.1 2.3-1.4 5.1-4.3 5.3z" class="st4"/>
+  <path id="path38" d="M47.01382 2.0312776c2.5-.2 4.9 1.8 5.1 4.3.2 2.4-1.8 4.7000004-4.2 4.9000004-2.6.2-4.9-1.7000004-5.1-4.2000004-.2-2.5 1.6-4.8 4.2-5z" class="st3"/>
+  <path id="path40" d="M20.91382 3.9312776c.3 2.6-1.5 4.8-4.2 5.2-2.3.3-4.7-1.6-5-3.8-.3-2.9 1.3-4.99999996 4-5.29999996 2.5-.3 4.9 1.59999996 5.2 3.89999996z" class="st5"/>
+</svg>
diff --git a/org.jdrupes.vmoperator.vmaccess/resources/org/jdrupes/vmoperator/vmaccess/osicons/arch.svg b/org.jdrupes.vmoperator.vmaccess/resources/org/jdrupes/vmoperator/vmaccess/osicons/arch.svg
new file mode 100644
index 0000000..ca8204c
--- /dev/null
+++ b/org.jdrupes.vmoperator.vmaccess/resources/org/jdrupes/vmoperator/vmaccess/osicons/arch.svg
@@ -0,0 +1,20 @@
+<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" width="256" height="256" version="1.0">
+  <defs>
+    <linearGradient xlink:href="#a" id="d" gradientUnits="userSpaceOnUse" gradientTransform="matrix(-.39377 0 0 .39375 978.34969 416.9815)" x1="541.33502" y1="104.50665" x2="606.91248" y2="303.14029"/>
+    <linearGradient gradientUnits="userSpaceOnUse" id="a" y2="129.3468" x2="112.49853" y1="6.1372099" x1="112.49854" gradientTransform="translate(287 -83)">
+      <stop offset="0" style="stop-color:#fff;stop-opacity:0"/>
+      <stop offset="1" style="stop-color:#fff;stop-opacity:.27450982"/>
+    </linearGradient>
+    <linearGradient id="b">
+      <stop style="stop-color:#00bdec" offset="0"/>
+      <stop style="stop-color:#40bfde" offset="1"/>
+    </linearGradient>
+    <linearGradient id="c">
+      <stop style="stop-color:#6e6e6e" offset="0"/>
+      <stop style="stop-color:#4d4d4d" offset="1"/>
+    </linearGradient>
+  </defs>
+  <path style="fill:#1793d1" d="M128 0c-11.39482 27.937051-18.31337 46.237163-31 73.34375 7.7785 8.245207 17.33826 17.811753 32.84375 28.65625-16.66992-6.859577-28.03357-13.728504-36.53125-20.875C77.076039 115.00489 51.621645 163.24639 0 256c40.562707-23.41756 72.007597-37.86167 101.3125-43.375-1.25376-5.40435-1.923505-11.27752-1.875-17.375l.03125-1.28125c.64379-25.99398 14.16934-45.98224 30.1875-44.625 16.01815 1.35723 28.48754 23.53727 27.84375 49.53125-.12127 4.89622-.6905 9.60082-1.65625 13.96875C184.83328 218.51691 215.98162 232.89667 256 256c-7.89193-14.52962-14.96051-27.61983-21.6875-40.09375-10.59609-8.21269-21.64301-18.89743-44.1875-30.46875 15.4958 4.02645 26.60184 8.6825 35.25 13.875C156.97985 71.972668 151.45422 55.040376 128 0z" transform="matrix(1 0 0 1 -.000002 4e-8)"/>
+  <path style="fill:#fff;fill-opacity:.16568047" d="M818.22607 548.55277c-41.18143-55.89508-50.72685-100.94481-53.14467-111.70015 21.96737 50.6686 21.81733 51.28995 53.14467 111.70015z" transform="matrix(1.34737 0 0 1.34737 -902.40019 -586.944907)"/>
+  <path style="fill:url(#d);fill-opacity:1" d="M765.09805 436.43495c-1.05641 2.59705-2.08559 5.1172-3.06152 7.51465-1.08115 2.65585-2.10928 5.19128-3.13111 7.677-1.02174 2.48575-2.03439 4.91156-3.03833 7.30591-1.00398 2.39446-2.01068 4.76169-3.03833 7.14355-1.02758 2.38177-2.06156 4.78845-3.15429 7.23633-1.09273 2.44796-2.23335 4.94504-3.43262 7.53784-1.19937 2.59282-2.45641 5.27815-3.80371 8.09448-.18662.39008-.41312.83402-.60303 1.22925 5.75521 6.09563 12.84133 13.14976 24.28345 21.15234-12.34021-5.07792-20.76511-10.15751-27.06665-15.44677-.32717.66791-.61387 1.26431-.95093 1.94824-.44365.90024-.97632 1.92315-1.43799 2.85278-.80967 1.66032-1.65574 3.36576-2.52807 5.12574-.33524.66652-.62948 1.24283-.97413 1.92504-5.50733 11.05265-12.33962 24.28304-21.12915 40.72754 24.09557-13.57581 50.08533-33.16242 97.29615-16.30493-2.36708-4.48319-4.54319-8.68756-6.58692-12.64038-2.0437-3.95294-3.94246-7.6555-5.70556-11.15601-1.76297-3.50043-3.39212-6.80069-4.917-9.92675-1.52486-3.12599-2.93832-6.0765-4.26757-8.90625-1.32934-2.8297-2.58106-5.55264-3.75733-8.16407-1.17634-2.6114-2.29708-5.11315-3.36304-7.58422-1.06607-2.4712-2.08657-4.89718-3.08471-7.30591-.99823-2.4088-1.97267-4.81178-2.94556-7.23633-.34772-.86638-.69553-1.7689-1.0437-2.64404-2.66339-6.25269-5.3982-12.73163-8.55835-20.15503z" transform="matrix(1.34737 0 0 1.34737 -902.40019 -586.944907)"/>
+</svg>
diff --git a/org.jdrupes.vmoperator.vmaccess/resources/org/jdrupes/vmoperator/vmaccess/osicons/debian.svg b/org.jdrupes.vmoperator.vmaccess/resources/org/jdrupes/vmoperator/vmaccess/osicons/debian.svg
new file mode 100644
index 0000000..685f632
--- /dev/null
+++ b/org.jdrupes.vmoperator.vmaccess/resources/org/jdrupes/vmoperator/vmaccess/osicons/debian.svg
@@ -0,0 +1,9 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<svg xmlns="http://www.w3.org/2000/svg" viewBox="-60 -75 210 260">
+  <g fill="#D70751">
+    <path d="M64.525 62.053c-4.125.058.78 2.125 6.165 2.954 1.488-1.161 2.838-2.336 4.04-3.479-3.354.821-6.765.838-10.205.525m22.14-5.52c2.457-3.389 4.246-7.102 4.878-10.939-.551 2.736-2.035 5.099-3.435 7.592-7.711 4.854-.726-2.883-.004-5.824-8.29 10.436-1.138 6.257-1.439 9.171m8.174-21.265c.497-7.428-1.462-5.08-2.121-2.245.766.4 1.377 5.237 2.121 2.245M48.883-66.264c2.201.395 4.757.698 4.398 1.224 2.407-.528 2.954-1.015-4.398-1.224"/>
+    <path d="m53.281-65.04-1.556.32 1.448-.127.108-.193"/>
+    <path d="M121.93 38.085c.247 6.671-1.95 9.907-3.932 15.637l-3.564 1.781c-2.919 5.666.282 3.598-1.807 8.105-4.556 4.049-13.823 12.67-16.789 13.457-2.163-.047 1.469-2.554 1.943-3.537-6.097 4.188-4.894 6.285-14.217 8.83l-.273-.607C60.29 92.569 28.344 71.129 28.765 41.875c-.246 1.857-.698 1.393-1.208 2.144-1.186-15.052 6.952-30.17 20.675-36.343 13.427-6.646 29.163-3.918 38.78 5.044C81.73 5.8 71.217-1.534 58.757-.848c-12.208.193-23.625 7.95-27.436 16.369-6.253 3.938-6.979 15.177-9.704 17.233-3.665 26.943 6.896 38.583 24.762 52.275 2.812 1.896.792 2.184 1.173 3.627-5.936-2.779-11.372-6.976-15.841-12.114 2.372 3.473 4.931 6.847 8.239 9.499-5.596-1.897-13.074-13.563-15.256-14.038 9.647 17.274 39.142 30.295 54.587 23.836-7.146.263-16.226.146-24.256-2.822-3.371-1.734-7.958-5.331-7.14-6.003 21.079 7.875 42.854 5.965 61.09-8.655 4.641-3.614 9.709-9.761 11.173-9.846-2.206 3.317.377 1.596-1.318 4.523 4.625-7.456-2.008-3.035 4.779-12.877l2.507 3.453c-.931-6.188 7.687-13.704 6.813-23.492 1.975-2.994 2.206 3.22.107 10.107 2.912-7.64.767-8.867 1.516-15.171.81 2.118 1.867 4.37 2.412 6.606-1.895-7.382 1.948-12.433 2.898-16.724-.937-.415-2.928 3.264-3.383-5.457.065-3.788 1.054-1.985 1.435-2.917-.744-.427-2.694-3.33-3.88-8.9.86-1.308 2.3 3.393 3.47 3.586-.753-4.429-2.049-7.805-2.103-11.202-3.421-7.149-1.211.953-3.985-3.069-3.641-11.357 3.021-2.637 3.47-7.796 5.52 7.995 8.667 20.387 10.11 25.519-1.103-6.258-2.883-12.32-5.058-18.185 1.677.705-2.699-12.875 2.18-3.882-5.21-19.172-22.302-37.087-38.025-45.493 1.924 1.76 4.354 3.971 3.481 4.317-7.819-4.656-6.444-5.018-7.565-6.985-6.369-2.591-6.788.208-11.007.004-12.005-6.368-14.318-5.69-25.368-9.681l.502 2.349c-7.953-2.649-9.265 1.005-17.862.009-.523-.409 2.753-1.479 5.452-1.871-7.69 1.015-7.329-1.515-14.854.279 1.855-1.301 3.815-2.162 5.793-3.269-6.271.381-14.971 3.649-12.286.677C20.144-62.46 1.976-56.053-8.218-46.494l-.321-2.142c-4.672 5.608-20.371 16.748-21.622 24.011l-1.249.291c-2.431 4.116-4.004 8.781-5.932 13.016-3.18 5.417-4.661 2.085-4.208 2.934-6.253 12.679-9.359 23.332-12.043 32.069 1.912 2.858.046 17.206.769 28.688-3.141 56.709 39.8 111.77 86.737 124.48 6.88 2.459 17.11 2.364 25.813 2.618-10.268-2.937-11.595-1.556-21.595-5.044-7.215-3.398-8.797-7.277-13.907-11.711l2.022 3.573c-10.021-3.547-5.829-4.39-13.982-6.972l2.16-2.82c-3.249-.246-8.604-5.475-10.069-8.371l-3.553.14c-4.27-5.269-6.545-9.063-6.379-12.005l-1.148 2.047c-1.301-2.235-15.709-19.759-8.234-15.679-1.389-1.271-3.235-2.067-5.237-5.703l1.522-1.739c-3.597-4.627-6.621-10.562-6.391-12.536 1.919 2.592 3.25 3.075 4.568 3.52-9.083-22.539-9.593-1.242-16.474-22.942l1.456-.116c-1.116-1.682-1.793-3.506-2.69-5.298l.633-6.313c-6.541-7.562-1.829-32.151-.887-45.637.655-5.485 5.459-11.322 9.114-20.477l-2.227-.384C-27.316-2.419-7.271-24.81 2.011-23.658c4.499-5.649-.892-.02-1.772-1.443 9.878-10.223 12.984-7.222 19.65-9.061 7.19-4.268-6.17 1.664-2.761-1.628 12.427-3.174 8.808-7.216 25.021-8.828 1.71.973-3.969 1.503-5.395 2.766 10.354-5.066 32.769-3.914 47.326 2.811 16.895 7.896 35.873 31.232 36.622 53.189l.852.229c-.431 8.729 1.336 18.822-1.727 28.094l2.1-4.385"/>
+    <path d="m19.5 67.715-.578 2.893c2.71 3.683 4.861 7.673 8.323 10.552-2.49-4.863-4.341-6.872-7.745-13.445m6.409-.251c-1.435-1.587-2.284-3.497-3.235-5.4.909 3.345 2.771 6.219 4.504 9.143l-1.269-3.743m113.411-24.65-.605 1.52c-1.111 7.892-3.511 15.701-7.189 22.941 4.06-7.639 6.69-15.995 7.79-24.461M49.698-68.243c2.789-1.022 6.855-.56 9.814-1.233-3.855.324-7.693.517-11.484 1.005l1.67.228m-97.917 52.067c.642 5.951-4.477 8.26 1.134 4.337 3.007-6.773-1.175-1.87-1.134-4.337m-6.593 27.538c1.292-3.967 1.526-6.349 2.02-8.645-3.571 4.566-1.643 5.539-2.02 8.645"/>
+  </g>
+</svg>
\ No newline at end of file
diff --git a/org.jdrupes.vmoperator.vmaccess/resources/org/jdrupes/vmoperator/vmaccess/osicons/fedora.svg b/org.jdrupes.vmoperator.vmaccess/resources/org/jdrupes/vmoperator/vmaccess/osicons/fedora.svg
new file mode 100644
index 0000000000000000000000000000000000000000..78717917f660f45dd4c2e9d11c8af3b32c901589
GIT binary patch
literal 41315
zcmXV21yoc|7oVji6cj{4SOr8vQc_|ufF(q_MWsZfq@-6&q`M@PkmgT`G!`M<9ZE=p
zbS~e#^*efw@!p%cbMNo=9Rlv$R-&O~rUU@cV3lub0YC!(O1w-#2LGVFcU}|zL1L|-
zt^hz$DAnP8QuuGQxw4iz0G^isz`X!qAO06^4ggmn02b~6ARPw)qvN|uO&R!r?18G%
zO>m6-O0D@A3IB)O1*?9Ge2$!mf`{(psb*LBF~Htb(0Mw%H0BX!qWcX0cW2bNPq#*J
zzI}Y?8r6vt2eq7!nQ4{%11LH9Lxj>!wr5R=EU2+II`#gQcq=NMdO89;x`+j+Tj;#v
z8$>VolU^=)d79-eBu}uTKUgdm%#0gPbZqQqadP%KjOBQBcy&k(Pyk>tHa*kA5pBF5
zYs``zruNdd`e#(y6T|4AS@lnOV}%Ry^25wOGz_2SI}`i(eGpGkzap3R1;YX58S*_o
z-c#!xzauEQxHyk=^v<syy)|dX?@JgD-Jb8LYg9gA*u!gkjWxTcGP6%L;e`c@Wn}hE
z1x@XXeS=3$@33~&-vHPRy+8zc_-Ea#U+-FS&w%>yqYkm7^BvnI4SL3DkIdC8(kYp=
zFW64(O{^Y%<eV;YQC=w33Jhnq?0uM*ATy-cd{tU2(t<@+Dp=%G*H&*-@$KgpENRUv
zuYUN6;(^jx0O%pNEk?IC#D5r5Ru4!0p%GbsWnjC{GKAO5iBU7-pb69A$Trf7`ra*Y
zA-6_km~SXaZ`d}dL_c|qYe+VvYdq@DirYmu_eRvR&u&bmz(rz!gEZsngtq$k4f52U
z2d8~eWd7aE@_3qBr1*x6&41x!b=N*CIbKz^O0+0%dYJgPbWGZ<ByTK6WSA|G!NE`_
z_tSHT4ur55t($wf2L@6cGjZX?%=5||`B$~{I4rM*y;$$|#g1^=iFNDQwpvZuJP#Ky
ztr}iiD|2nTNdi*gr}eK3K3kj1b4N4pjDrc!Rhr$cc4@CkgQe&`GTYLwrh?c$Me}9P
zfd+B@+WWf#zfs^0{3;CFpTM+}$M!(0t0;M^p+(Z%(&b&=dG74DxUdYWOmRNDuu{F^
z+~7Xr{;q^}GHaTHQvh6sA4-xr|1tX07tW$6siH2_&tyAuo?B`vXvyHEU!ymP{!it^
zyguUyJyo|dr!BqWmV%1oNOR*i<N$*LpviWiV}#z}YWCldMCmT0KO{^^Xj^U-Uas>m
zUPgaXHnPjpYZ_#TFk}iC$Tya0Nmu^&8AVcjpm-Gbwa7+e^V@EDAten#v1K2X--e%D
zzf+#RrMJz%wDGoRJ6hbeb{hfIO=1FLNE#UG473;MKXbFpyEG@;=ie6Zrj0<I<m1Y|
z+fB(-^7Zc$-|hDY-M<Yv65o*hBd{VqFmJJ}kbSXYyt#PRf+^`r?itRCbmH_Mx3L`t
zY1YAIg;5_V@78X-`jzyZh_H=CZ?t<}p_ryuX5MYl;*YA*SS`9{VA#VmFJ@TtFzD{4
z%*NN^#YJ&iDgs_Qo%<8!sTLcJ(wu{rD*6*P;(ngm?Uus|8Vp$nZ@O5gZJZ9}A|c4=
z<h(}Do_2xkh=D1mO>sJN1d528CoOt?Gt0WQ1Y15CPhQA0jNu0W+N&mQZHN3&hM1uq
zOP5+#myo>n2%YO9n7MR|(yvCc%LWHgVk;%8e}aZ@@Dol-kzL`OztOO^6)Dqr_hG((
zNO#49Be}4`{&O}J(QM0Z<}L9T2++jg5{uUIQT>V?!o`e+^CH;i%B1yXe=Rl>WMmhV
zLt{L<te<uR0=?e$`-go#GH0Y(inbq1RVwRoM^fU<d+%phpSMjB6X{rDFFp$3&Q!ym
zrXsxmq}j;1?`s*i*Av0$CCiB0;nTF#xU0j0X*0#!;cxnG1QxQCBq<ZP7DgI7@hPo|
z=W$hM^btkRK5Dw&xY)BkoNc*h=x};jA|(QSnjnqzW?lC}mhg3#@S;kS?jI2k(uwNH
zPbz!1GRrcnE3TS(e_J!XNrdPe&Roc2Z(TX%%JWMfg9?OJM`zd-c!9S7mwB?pI@@~0
z?0ZXzpt}m31a?WjS^Q)7R^oGW;6&1}yt<Z|7K-+saqy<2%53?Obb@cA77E!OSMAp9
zAN}JcZ)JT`qK!o+mY0hGTyUxXDfe(%rZaQ<HCw!BcJRL=U0+3vosw3iPJe5ZOF%l2
z7Aj0>m`hf`oKfjP_`%r@=AoPaHh(W{{>zv+FSs>IxWr;P{<o$NKx0iK*vdpywdq!C
z$qU#@LjSEvWIbH1&Ty&Q=SP+MzC1tAbzb18%)_)%9c@Y*Tv2CbMGzFOu+5~j?7ym#
zjf+ZdpVIk$Z2E$^00FGuQ|oxlljh%sQ^o-#h_a*qWR4rL^JR5%t=dmZm};HK2AE+N
zWluE`s*8VD5E3WU|B+}Y>R#Zg7i1*y!$8znuZJ@_k`fwQlwrxuOIs~imPQ$2_kzD~
z{w>O3B`_$&X;ZDyG@Qs8jHUxkbh+n6_Jf0J%;%Sc`A!htO5J&mzs2%1(zKZ`U#uk9
z<-$ZFn5@bj($6auni;P0h#;J#UO4{RfHa>{-nEvd))<%I=(ku>;JupEMr?Vu*X8P!
zs-s!$)BnWnct^j@_*%bn>y}8RUN`zQ3RgeOlUrr^ZVzgOXQU(nW>*nYUaiF*y`)|&
z9eNX>UG%F8&uPf3UaIk0Ii4OoON2t~n8$2Rl|-*cb1%20OIkWJT&r_2Y7=MfdQdYE
z>>DMCpd0fBGC2o5WayX?T@yfa1ki;wT;^w8u923@KW*zI`%S>rg)d{ip#Fjo9{{8<
zv>^CkU1Kthl7@p)i%T0m<UsPP?q5E=N?B&r(UPbAyL$g9kdtukdbNI2f5FpySzg8J
zasU7!nt|cIHW};!Nur)&P6TC0i5GVmI}wswSJGV;@m84xbgCvtvz3dKk4t#<I#>pA
zokkQPj03UgWps;zqQ&L^WwQhHbH>)id|~<W<|exq`*Y*U7YSfcjhj6Mn!?X=9Er@t
zv5&dijTwJOAudqFV&C6&%A)O$<x*M1Z%!g8P>t?y{i5XpRrbB?25bb@c8jl>d4*Wm
zhhM!Bp?VPjcGKH+_k)j8-debPNs^#m<vfMZ;uwT4t(}P8Vc>H<3(s`ewj!ce?t1ID
zyysfNdzxv&b|Lo`^0$hfX6y(XZs=mou_S<2=t{(_2lh|hN|jTu-apRz&C~=R$@pLu
ziIEo^$Mm)b6jyd)+L^X45tvh7@Au`^g%cUIbIKA%*>N`kxM0pDYZ1IxXj!tDj6R7_
zv)*3nk^7oy;7AE85pezp1@?YPY0O^RX=B?mPG&`pg_$#T-KnG#&k!`8SH#ktMuF+~
z1C~ptF4>*)85pf-;2^B?Rcx)U#Mk@h-`d9(1!qIoi2){JJgR6S^t<9j&C?hx9XVpc
zzp(9gn28EowlXs95<|UZ$?tM!A$O>o3gFR>AaEL!s+MBrml<@FkgmE{fC7_QkA)iW
zA6Zld3}kG*B?#x5v=u$upE7NDaAl*to*e*I4n8}lJbYSZ$zI5agB+IvL72NgH%S*8
zu=|<mq3dJt7)Cj`w*I)|do~1TQY$pIQvQmUVb7Y+M=S3yIY6K3ZyH?v&k&8!S;4eB
zp({V=xt+o}#?PY&Woa?W+wAQ;zoc0gE*wKZe^XY=s-f|DY@FcFIcEYUF#Up)X3EXp
z2eneJr^3jPg={43#xp6WIBOpS$=PN+fXqYxNsd|?h;3)upw>hX+-WN@w*ACKLvx6x
zVZk_JKLQ4-_y-wEri(tm#upoEZ!;sv+?;&$75dZxKb_)<@T(CR0M^7hevU8STGn4V
z{yun~z`J_Qc)2>fntAncv50jzjOU+q3*@pZQI4(hCyNya5U7^S%AL(WzgRIl!P&-1
z0|1d-UC^Gd^>g3dwJWZsgk^A?^KZ=xn9gA(j~`{QaNUARh3hm~DU957Wjjv+5z*uv
z%Wq(4VnJE=IIk9+{RRSyVo|rwLoXR`Gw<r!K}QBH2)e_hA{GBcX*`rmH0mn!-Yj)x
z*}W5jRrg0nZla*|pr~M?TGS}+$18VBrK14m?m}2!e)!k#b%M!awb7CY_b!O~;1}dX
zR_c`ZgE(X1Hceh57E1#$cdvO~I3Pygdwnu<<Zj3c5AQ)~5tQ^3$Y9_nhJJd1%V(ul
zD$NW{gCH1VD&{wKE4eF_^Slx>0Fy#8d|u_@2R|~L6_+oZB)p-PQs-IvuIZHJvJQ0h
zpfR<Jxovr5{4kOLC|1ODr6g25w7vf!cPh7GK{et5Gy=eL?n<+_=lr`$?f@bv%Sq85
z#=Hv56W@zA)DUL4tA_91-o)eaxk^iyD3NVKO#ils5huOa)8G(IgiOJZT{TLp=rR~P
z=1;cN`i`)rskpf%R*Cl$&3;hPeoVR+aw4YfoU-lJ7*mPaTOSZKSTyTW^}maVIMC+s
zqC__0_xxjn>OW}A7ziHGK#0XrS1hfxMU!S1R7A+}HD92EHju?FHmJ6GbGVBNn#EHH
zIn3&227bYLNAJ@gA&17#p*9VEI^nnRLuvhI5Fw_<7VOR>JPUtuP^ag{40i(T3qt+A
zg_R{UBjpp`D*gm9HU2abT`t(yV9H%p<>jD-d~oJF@8RdX`mRXu3@Kb@^0H}><I&}T
zO#9eYdSoY5MAT-axa;8thx4T}I&$O{+Dn3FY}upYyHv$)1?iFj@Km^Aw1>o%B++dr
z!l@6Vp#t2FXce?@6+sS7`=8>z;cIjJ{4d+ZgaBg5|Ml_KTgFt8rspT3`s7vKhCx-L
zh_@@=uY!ERU(tks!Hg$}`z_lv#O*~iL_iIpsHmzM8=N4xD`XQ~wNsCspwiCSXurGt
zzN%VL5OkR2LA#&|o93m;1A>&VJM8;!o#Aw-O^;M224Fh-$C&++l@)?V%;g$~*T)Vj
zZ^Pl%O%84)77o)`6qE-oZ_i2|yA7+?$8=}pqsfjdxNzV8oRAKA5o;|LC*)h4hE2a(
zRW4pTr0=*yOZXY&6Kk*H)ch;1fl%MKm!U$S9W&dEWm|8K?m^cL;R8Z0bLAc{JQg|L
z|EIkWKhK2Bzf|VtZ=S)<K&=9fYIogboVRKQ2J$Z=5M0aW^DWA}dfFA=q9TFV2u!G}
zQCcB?)u$CbCUXK8y)B0i%RWjqjM`;rB1?qDbp7N|Y+j6Qm9yu*k5Jm)mSmg6z_EBd
zZs21^;1TG46e?Wl)V$Pn>NFzp>DE?KmRFqWk1nu4p8_nRqBp176*suVDM%ob^AbNf
zj_EcmxM6h(8!+UuE}HtRx|*ADBQ!RBjt|s}PM1!T|J1!jc)|62gj}6V``j@H;dvb2
zs*z9iR7D_XFc-98xOX8IF~b&{4VDtr4xH4JbCNd!YZ3%YyOZpW6xlIkl-xZrQ~L)q
zn|oW<r^y^$;!uF~3jr(VlgfV%)?I+BfC=o+xI)1ix85C#ATGoz%!U86mF*Xs*)*Wt
z0KQhMi*8dAGDvV!jG)C_#OK$rR6|0FL3SJ>528CLWn<Px@5jw$t{stx2C;S_+h`}9
zmoM#BN6tbkY1%*6(o&FL70rbp!%<mnj~oKA1=GmC_=L*d0*gdV-u0WLw(|BCzU@(d
z@PM6z_q6xtidhs3(Fg-NTW|HNyY>1RE1LZlMb?x~DxMWpEzGTYei>nY5#pJaFSQ8<
zyU-y@`@(b5xr#;O@Ce4eRajyu!Q}X&|L~l)%QX?N2q2IP@@*|q42V~?VlR&r3JYbu
zh`D<b&)D1XsbB8fB=oW9Py??|W#J5>vxO<w&owEvLW3ReY3sv(_kJDs{8>b)n~bqc
z8(SGAi?yossn9e(oINai9wAZ}-o=C*9AMqKuc_F3PR>4CzKMch<}5Jzylv8$@FQX$
zp#hBl(M?n_En9l!<Zy=cYltkM^%Ol@aKzG>pu}{D=nVR{NWnq(Ch686<T(?d$cL$H
z;!@V}r=VIjL_U)K>0;aLv2AP{@`N2Q1-m~Ix|Mq?MpR-Wku5^*<6OL4l{Ty$>h_{Y
zY#=MwDs0^QL$8L^m~}fLRN~lnZ<Mnf3_c&AwnI}weUjT+vGUtd$ss^w^FeCqc>2=J
z&bW{jjSZTAkc9TVu-&i9L{?ii^EFsLz>ODoU+xg|tA2#93{)n*|AiWmjQ^`Tkso2Y
zuMoDls@fb^cqPen$MgdPK-i6*S-Tve+rK45D#H*Eg()2C_jGwvB@+8XU3eD1F>q3a
zc_TF)OZYgb#FJlZ?rz!B{-#S`k<YpG+ss6}MBAT7kP*&UJlFPSwB>9EQ^m{6v{xS!
zy{V6Pvp(WVc1pG)P{<k=rn9hz_}+`i`IxSn{~E3n4)M98#e`r5twd&EoAR#6am<py
z!?8RuDDx!S{Jr>eif70RjVgJ4KBBV&ehHUp>6cJoB9VXt`#;TdX9$93uXOEhsPubx
zZQv=gMCxlRytl5d$XQd~+zrI|0Xa6qqf4jx-jzJnvm?I`r68#oD`+4p^B`%WB`XBs
z0WGepPdmKe`zE2bMR-L;f6P#R+<9r0i{>Jtt|U#51n0fyYFU)*xF~mN62Vt@t5IFQ
zSAPb%32;H<8l(z#4x`=k<&qJtU~Pz|S`aKx_A$|7N8pM<Gts!n>;&*J7RUz*AuoL2
zd};efvRIXq0dWn0sNiSWI7bg-!Lg7gr15Er4b_0p?fy|7p6dwMD2VwOT0D2ujX#Gp
z8a^iiVP#hPUtK3e_2lUjwP0+3_NEN#8xuX7cSNL#9ysTC!P-io*uJ;~?}n8itbe^@
zp-Q!o<%q!_igEq%T3wk?*U(=U4pS9m`KC0~;Ie)7N>8A5JUxO`520N%-H4?iIkXMp
z{s4N_peie~WM-HUp`1$vn1||#<=J092fXG?!V;DkIf?PS%q(~~_uH`Sd^!}xi*`$Q
zhXQ_O*Q49rHUwGC1t`ln?Gf@}B6>g(%(pT$*rA?@M-NS55m7zu5KRiHSR%Ms<b~>Z
zDsgJ;aBrGO4hJHIN#e9({fL62HDdkHAti*0dyopxIH$2jnD`Rj2pd<qRTH?1gsBJ|
zNZNHb`a`x%HnP$c2qds}8BN6n#+VqF2SYjGCaLkOdF-oF+ovMPU=R&mSm~10q7<V*
zRjoa-A!G!e{jj4@zDsml^Pl?wtR;3Ki+3GY#W)rNAdPGJHXHp(_e^AYvri$60<xCw
z*jaxV>=j<3N)Nn2q8y6^5)Tk<0O`-?1?R*0&K9uWI-3e`t7ON;ufE8`2Vrv0O&70x
zB*9evM*`+q5A_Mk73MaQXML$e80{Iz1nv=5*d4hyH8_K~cPun}nA;{|er-1iP6wmc
zt3{MrZa{=%JB62>l4(E;DQL>c?-$iJIEhQXM+QQM5PXh{o^;0}#%C#4EM#YJhN_>M
zo065!3QWeCxbD1?7L4{@7;B7xAA_dg@?i6J(<gRg;ved}9>5ibk=oprR<_bP#7F`u
ziPp@eDbYW6zlT}rfpXzIRsW9b#c_^*h91gG(G@GP*VLL)m~)Z(4nSYYY#Y(JFm-gd
z+W^rDaQK}qh4+n|%MZc+s0h-_pp#E~HAhg?{x_Xr5(YsP?i3%GcPX#;*^MCO3q-uh
zTzGuor?U;RUUli(1kkKGQ{C$j5PzwP)K)m)E|cfTk8>$cC!MbgcabB=MBy^Z1zX*X
zf3m(lLx<S0kSA*nV-`vl@52QUpAOJ>xav25=0Ep?WfjXja!SBDPxURq;?Mpyi&p-x
z2&F_Gn(}|Pel7alJedmW??XkzA4DYGI1L|RaD2dA{+c;{xPtT9j_6ICe7v0Bn0)h`
z7boJ0UNroHS+WnGFhtX8e9^tJK0Tw$Rxgo7@Be19mHRYZSvf%q51(q|o?p}XboK(4
zlmOKix6934hX@sr%a=h|qt$5Hw$5UFBUdy5skBCIA!3oMH3chTA0QOiDj)pX*DTmd
zj_!>`j2f<U#6~;2BxX!##qL9sM&3^Qz?Wme0cw~09rAyG89z7qd4-)&>_!$yj`P&_
ziBEK4i@F*_Sm5w}hURUNtq~X>6_Ladf%oi(6GrTTUfaI^7Y+t5T>Oz!I<2l^{!?sP
zx&jLKUvd9;-s%*rbczr{g0}!_^L@?V;t^%&TrP;2-#@BjiXS3y1*0gTX7=BTElIeB
zgVg%hQqsi&iEbGJ>el4?n@q|rZjW6@$f9Wd>^$bt-^Bq-j|e*_3td<iy`MI_rp25g
zB?Ux}ky;6-EMIm6LNs9giW=&ThnB89<nq@*S#W&`sS2{p`x4F!LQ+*4e4fIP+9v>#
zgc5b`>i??TJ?ii;_=LGbP*}BBVM;mAZF*>b-oTn}<kHe-)$aIzd!KvPGkxi7YmzM!
zpB6w<=$$M)E=Xr094M9Cs(`f?Z~UEB?lI9h5t$W4;W0)AUPs-F4XxZ1lwh|Li3ooV
z&ir<QVHV8i3VS52en!|XCUaB5r%eoXCZe6oZg(TPFa+fYV{?m*b<wC=ZO}AszPLL`
zj3%)X7&e-_^v;qRQDBfBJMVCD+y|-TzTt-mvF%T=ux>mbahr=8S>L7*q@UrqmA_$m
zMYM?rgsF<2?e#P5Zp1==0Wb{)J}wQWi?u4WUlgC8xz}^HAjvAPLZ4m=`BbDsv_Z{G
zq-w<%5y4qg5B(#j5bKmk9YsVbL2-JYvzGOk`|@XrH;|2nLjN*nst84bufg$qU5mK-
z@k(uxy`Uxum3AYs6{2`d*22#T2bU7zXX+|MQm_l~;1+jgViYFATj>eH54*PQ@7{2U
z;&cr3xsYG_KL<0a9gs~AJBbX;<!T?hja@{DGJ;C3)bd$Sg_j%AU?A7E@N_oFtFX}c
z7CpZ4G!Dd7Jk$*cs(L{%upou!FYA?fPkmVp?lgdr=Dc>XF6?SDC-UWP==t+I)uhES
zOta9u1T#_f`zkcFUOa(3!&?@-^VL6MZ2IzN^)%h?Ks41r%8bG439KeTM3c@uOzNi6
zUYqO)9~$q?R;wRH-u}(NM1zz&VCq@aC^<XLHPCOzL3w=t1n$(B%ScO?1?L{iKR6O)
z7H%zlfC|Py3$YyXb^JrIL(6c<KM8@P_@y_#q2~@?a{)O~JN$5VLmasWffpokV*Pi^
zrYnV25g3yTJL88Hu;zNoIhX!zJMd6D`%ElB_1DN_!0z|aiheA!HR>P#FKFI3*%??O
zpJb=Ixb}KLsn<`tn-qc=^OWJUA{S|a%7c&(1)8m{^iC7;VN9XtZoPBIyPI39m|`^o
zqIC7URU%IF<gP?<V;9tnxMWpRf&XNwj`gN-M6DWqMdN9}9w+Q~L~mOyulxjBXxu%g
z^Jzb?>x=!+)MZrCF{Rf``S2zuFpW1r3ij4iDNPtY&sS|OsChnGUhf@F+TZYV|Jd6-
zlbtP^LA;Dzw$*r~VS7FJJhqDwG+nR_ivMKcHg<GV0TnioDQGaEzpkgujJS$jeck&v
zpSMt5&8o(fF_1Ew=%qfh)YPR{oZdZr%WIj>JghxD64N>UDSi7BS7}+1@kl~tSxv=3
zjUgEfg2^vF(J+y*o<0kq)uamRx7IUn_9w8FNTRhyK5(v2kN%-fN}S?WfUSY9+Vh{3
zIwrL3`H^|i+ofEkHQC0-%o98$<Mwm?v#$hVn1FKmN0vwBW^3Q0c(5OuXtqJq`)H1S
zza#{U6@7JAbGrJRf^$M_b#&Ff<^FzqYyA&ffUs6wMAm-vP1o+!-#d7Zi<Vn%H)8u&
zS9|x5OpWRawMP=FEayqU=4b`O2-#6!y5EJjtUiCvDA=1+I4)O&h_(EvgxXb{lPUS(
z#8IG&_wjZ0IsNp72P>~x^Fv;Iq#>^?_0)JhKHB$Q%<Ec|au)@Vyp(Ld_1+6cg_kw&
zfa#b2x`Nt#oHR(ZC6b$7-*tjGP|OAserZ!sr!M01`*iF@%Q82IkK==51rlzqS-xf;
zwfI?pqlK4Nc+>ZTLbjsB%f*2|uQ77BwD)RIBXAS3!r171?2nm?Qux6<ASf{4*uin;
zLqXRI{L6&Sx;rUxo9&S&^j7D4`9_8}yFckI+nL7;;+`)oUOH2bO;DsC`Y|NbV%1uB
zoF(QajD?}nI8}nMm{XFT@ds_&K(VYm+#T=9<yQhVrTOZDc6L3lj*=eO!!Gjfiuks+
zs#WNo6!s2y;k@Rje{^qgC^{ksCIz^07A?(G=hv|dqxUlwT6%rWZ0D30GVJU;@2lqC
zofvvgUv+|rS~25O`rq5Ne%pg((6`a@uF9-CjHN}yBLVrQiL291>)x2Ty!TwpBjsTj
zqO3B$4E;~#wtEd$HAN*!@hFUMsIpnMjf33AcA^HBR&ln7921krT7*|ctoK}emaU7T
zU4TFV-@q>Z<>(iR&k=FC8%j|NhjbakV+ox-iAI~7nP=_n7A~=(Ck&FR3;$a(<Meqh
zBoew|eYVxWz%Qa~TMEk$3#OCjsCflDf294q>R}Q8^MQ<%#FF^=x$d;Z#I5NDt1@mG
zBGme8?s%%0_H3^R7)lT=uaCIV-=Z`&3%?oz0WMkm#@uDL^R%g!e!<kfQ@K35>m^y)
z4Yyo2!-4dzgKH;9nnIt=XP#_)N9dEMhktSAr?Zfp{Myehv`Y>qo8Ep15jba<$rqBV
z<0>3`d5@pX$)zhx#Pn*8nsH*~*7sLdNAGK~`D3k=;OkG7Z|2E6@)5IPinDietUF<G
z@$N$NVaz)ekSwj`()6(~c`3kZnE5s923j%;0(XWbVXJ;YaoOIoPzYU0tYa%*3k_f0
zr4y7m4D82fzjQj|pv;V<<ldcca^f;IvbvdWyq#edz&g6f@X3~E=(gyIJtS@+#tA(N
zGPrjCudDf|Gq?7I>jZA7r5`l@i@^OXAKp?E<<^^Tea|%-P%rEp<g(p)I!U(lrtP-N
z!}%Ptn(F*ur4vNIG{djX9&?)Bre`|$@wCFeDWUAV?F)U^WXCK0ADcx1J}!^!gc;Gw
zx%t6kM#T%b<ni8%p_c$fvvS|va+mEmQW6E!q;1ci!WE9GYMyvJj4W_h^F%U3)pNRS
z%0~YxS=l)(^cR}Rr&>#tH))Xog#imz(fhE-GxFx5j{#AbeZvtu7Qv85Vb0|bhG%ji
zub)T-9fp%W|4FsE=X_v0`<?fSPl<wt{i93@;Ga9{xqZ^`-~!V(ZYk4mx)+sG<~J4#
zql#LTVIJA>n@&l)F={cbQNJix{>dX%^YXJbwPqc5_LiXl{h6bmCAOVSHWYmsc+U{}
zs}Zy6*dwSzVX=%1iqd{h<E>J9m7-s&iM;U3o0!PHc6a=vn3psKF-3Cbo6&&4KS86{
z>1!H?q)ZhqwP_$(!+M|75#?5P&!elQ7ZuN~C29Kn-rs&rwm7eTrE;;%XLulnlO8Sk
z^Nh;T_5QnGwQ%F+WEf@`D{fCk>~TQ@u&$16?JMKn?)u?6W1@qmt&Gq+m2cPUFfN%I
z@<IuXxkFaa;QOd~Nm!m6LgZb7hmw!F$b*Rp9d%}aJFK9M6kygZ7~+NrT`LzYN&B<y
z^c7FLy5!NpRy@E6T~(T9>wufyKY<bCy14xs$<NTC)cHa4vpolo9;?3-qBYRHMK|`u
zO&+RCW=idUO2#ZzCrH=Ii_`z&HM%oyb~(3#xtB2M^E2r8ih~ix9{TsWws!^@OlNo@
zDlgEoVLKi{L><ir6RV`hodUawN8h`p%zba2qz8tsdv@2}UVNDkA*}%E{SPrz#_cPG
zbh?k%U#|`KMReK;E_MA(T7H4r9jLYV9^y5*AbjxV_uya0akjVgpAN4<ql+1=Xn454
ztKxIqeSsQJ=Xs=>wm%R^HXrzh=8oaJnkyhBCxo+g=goWTI8-OG=!%h7&Q_~)grq1e
zq}e)pJhPXoN>SXppD(|zp>3^lymQD_^IuuC5I8Oh>EqhDE3vPMxXG-4y@QjUUCP`r
z?nCFv$yAz1ywgg{YRMp4ADLoFaBWoe>TBm9M%B?+NR;JF?JCWxJ>m#XgW;LEPKE0l
zBT_s0nsa$!ZsX7PfcnQB%e7O=mG>;-@dxV{5;_aRgaCU{_u7LWb+=D9z7jnU{_OoF
z;g_bA!@mmXebHhKH8V+f+<vU$3F6(!dpAzy+w}VD@BB>%_3{xRVjsu6Ovh|*I>8dG
zWADU%|K}(6)-a8xVBwfwcVgIYe{Bm1c)j<|MEukBiA1B^FEgYhM7uY>i*A3459IeM
zInU)Ut<s}-*SRKKPUAGd3Guv@-v7Nv>@qY+DfKGgS$((;z2a3%i+C6Xlw}kpVsN7@
z7LhbGxv}_Nj}MX}?VC#XXFK$Dxu`zaa`wTj4b4v$rMMN{Oss4CWlSxV8=~$*id>!X
z82<_IB)?Bpx^c{XDl7k{(^GzwBxSSzTseV5(=VRg+F!}I0oA9*5&uRjrXAq#{JvSu
zPWvrfn0S&RbF2byG4)jN%?u<m>~ng7Ns4rhqJTF3S?NQKr~4Cs+!ia^@?W5)!^*b1
zEeC=<;y5n@Pm2|k#cH_^_)tCRB<KYc7+r(qoUP=OB&wr?a4x50IL8heP)ARG_!gl-
z(-3)4ZAmlhF;e<};p7O(3yS7ga6sxB6wf1wl#V^S&}7G$SLd+ovb8E^GJd!RbSp(D
zseN=mgPx}u`pq{#{a@(J4zn?(22+mg1Z2bhLe88*God@rpSm!GF*r!L%*)5DcGiC4
zybp#3!lNYc&!o&H=zfsHBhm&r)wWEs16r3GeCCL`5Zxs&erRB+Hj!kM3oXbCl!e*-
z?~;!xo@O}-(0O+TRrM!7lHI7jtPF#2aTvki=MPc5Z=XmLKe-TIyq^L&0__d_$}81&
zGn}hLNnZK1UjUzfod}$}$g{@BK8EzUeQ6T$Ir{pH8vl&-ZKdL|<841v4->BYz|bn+
z*X5{MUG3X@AX&}8G2mm=oecwMiX2tN*hNw6?I~eD+^KWefh3cBjbx*5y~gM&Me&Me
zLAr0`b&+cY|9ZIzo>&HG{3$+UoAYi;d=%~khjRhJZTl1QE1EyoQ!!}OLE5!KA>v7&
z57-R{#NaE4`FLl@{g`B5%WvlRxtY;StTVaJLt30J^x)kp-M5s#%Nrj9Gm%ELr>WKp
zgvG3f9dZG$2Y|xb?8?cbKkMfoX*`9eHt$@VKO}T|IO9-jY<x!&h}EENlgm!{B2SAx
zv(K=Q$aqQ%i;De?5q}!uE9qV^L#%{a3z^>-@cFLH4wEBHXKR8%#{AUKeO8KuaA?D4
ze>~Sc?R<i`Nr)rq^An3BS55^~Dq<omHd9zB0WP)T@#B|ra@nU807|TyH?x9K_zY;G
z%w1Kh$*m0{LU-ueoj)|hPVK=inE$kYxMk(vUS@wlWPejv&8*Hb?CpmrfO)kQ=q0|&
zP8Bzh2=2P=%>MM((XZjOPk{xRDd@WQzg7@W{}(Mt%WS*jwlKjqQgBk7j6@{6CsS(*
zse~+h)1V7;8y@B?CKCAhWMT4w4}KI6B^<`2eP&=l;9S<z7xA!F`eR0M-E+@<{H~md
zn8UI`hghNN+jW>5lYD8C6ZTn*_(DyKqxCY^ufiYwJ+G3^e;+XYX7U>MDQT2R3YGU7
zzpIdLvOx^9JY4FW@#(&SOlqhqFGl|!1#S+N><3`wFl6Lk`VY}&@GP<No3H^RAk>|~
zx({&Z%h1RyM4@snPdnYm$Vs{zWEaS0C!leyQm#MNw)C~ZG_h@P-iBR>2Nc=okgnKE
zr#d^|p1Th`ED)P-VM3|^m>vWj_4gVtZmdivxRcfgkuF*_&rzTBfJH~a+nhezt-c9^
zb#H`lGA`em#iVT?o=^bs!u)zR$1z0c@Aj3;Gg;AlXB(wqjUzL-uy>C`<pfcac7t-t
zwW_*?9X?KK^qCal+(M0il1tzI(IU^4CVkQs;3m|U%+hUdThIuFt->fjwu3ztpRr_0
zV}WsP9TuGJIrUD0CFpMPJxiye--}#5DO0Rq(pu~XozHRc1>V4-d3K!pWBa*oeZO+`
zBy6Y<Zu8`ukx?C&-rp>*R)4-uk#MjA^tp3Xi1d8*Cz*Zb521RZ4qv{H7WP?r%yx<*
zJu&+2neY{d>6VT}M$-D3oxJ>*B}U0=_`ZA3ypLG%scU%R-PE4fQFA#{xfDdoqULSt
z$S4y$Ip;;}1`XDdbr=BoDi^hv0_U3NDeK?+JkVlK68Rj5#$7$dB&#%$4k(`4Z0Mbe
zbP;X53hFyv={2~FH9y`bpIi$H$NzeVXV%ffoWpp^n}}ME>ay=Q{&-yrgy{YlN5rX~
zfED8`+s#vdHnn>#T?KI*d{EjSH^{SatJLWH8%l}A$G71q91IWHuGq?bDWV2zC3R9|
ziZ}S?a!{-_7Z^wrzU5s&w=v)Z-XU2wB@S17Y26`WP>~5t8e3EIAYl;+YBJ7LI`jI+
zff!nnuy)~e^SWCoS`4A5(bPUoO9pmzVG@pC392PQr8der>&f@gD?wfu6W{Adu5}#y
zK@SwXCRh*DXPUK7!buu)P9)%oZivewOZ}rl$?CK64*z8EBv78ZCsM6JLNNn8kT!MR
z)g%r^FsaWt5WTpIzXjJG2w61Fia&Dz$&j<YZT1=ejUJ%xThwu_;E92E4vb%ixQjd(
zahrQ{f1{cExNp;9hMyh_*xryRzvS|KnlQ9ctpB8*2plf-Sa0e&p=8Byn@+)9*6j<q
z6t*bb=6}*~>;0C?;1Dloc%WWWQhFM8S1Vu;ahq93jTUs<!^mF$yxA>UOyxNr(Z?m=
zx-L+waz1K~5SUUX1-qJ-_iqlQXx*R%BC|OsqM41DI4IDvw-ajb9Wl@YIZKm+D^5G?
zU{V`~Hu<MB@x)E3FkNafJen?sCGQ@z_C&(9fmgHB=M&hcf08cVjxE!cx(?BHwZP$h
zJDZ*gT-W}ou9`lZz5*@AXmCnDDDPC;nc1&B76wP6<lLY>)WqDSXI@NAlQ>L_J#kP8
zMr$Of^k+r;iU!+66t_^0Gp1XO&2t>A2@sYE(wQbV_zWVc&|XlzXqKdi(p%DPsQP{4
zi0Zk6tm`sq<+@-;%X`L2pFOenH5$&LXFm`0SfB_i5dJ7UkqXwH<*wY7_^MnY2_2U2
z)r0g$3?+ZrajbjO*<x=i`7uP@ldZ5zB^yhGZhWj_7DNB*DGAtZ>--s)8FZP00!WFb
zUd@3X3!<fEa%k^Sr{62gz%$qaSV(a>lgRl)iWM%qu|-8Da&(rxGk&wQTrB%lNP0q*
z)}wiq?2Hy|{q9IkS58@vWSw)a)8}~3I?=lZe+bc3_}(O@2&raxS&&1?!5dm7vrhB6
zFL`Zq$kHLVNc7e@jG$qMl;zM?+T9Zii>Ee|HeeY|qZly+c+pz33(t>b272SWM`%nv
ztKO?7vQ(DkXB&GBpMKO{kIs`>$$`I%g+46&enS?`koD;U29}C?%O!bl$cGKU^tC{$
z$msZB)cz~*Y?d64WtilednS9n^>8mI$3nrSB>nWs8_>4hE|`cn%I)fN>D{yN(k_Qp
zkoRR?*GgeQ#I20e`)?(sNt(h8Df6K{k5J{M0$Ahu!Lg(su8|jw|687j1c*Yo@xL;S
ztbP+^t`4Mse~`P8VT#e~gsA~}X*=Z;@DQCz#h!LviFZf33I^OtZ5)id%L|=*o(b4V
zcW#Z#I|p~I<-|2?2QPlEeF+N>cNm;vCB(i5g+s?0TDvoS8y=w1NozYW!k&8CU4hnY
zlZ#64EMu-?31@OH30ND@eHIRb>-RZV1kpiZC-=>U`!oNDm(TSrFE4nzkNKXX=I84S
zAP#i#v<nDX)W7_Rfr6cHK80=cL+~o!bFiuW^>cG2*8pp|)I&j;Fj4SU{ntdZ2rL5Z
zc6fYifu+jM{i7t$$37)6>;16(g7IgHlah0}+g10)FJi&G!4=Z3jzzcGwLV~p-|Ezx
zPhbC{T)F>3ZhxoIotCWgnx-Jbo`1Tr|E?_U<;YmUP@Tu;OTQ@JkX!+vRyvz`{`Kh5
zso<MG7qZo_cs{h7GE+<Gkofy1?F{+Z`O#k)(w2@z7u9Ges{Qa|dig^mSX#_#X-noS
z{u=vHJi2DCz71pzOFxW(Nd{PZ-}6Wnl8bTHS2<N+-@Ce)C{k?h*XaTaAFyK3VP~Uj
zING=OP1RM?RI1Sv2O~_m{Q>#M+!U$qZ-b^r`RC>RH$M>T|GEvE7^K*bPSC#`&Q@vL
z>Nd{$J?k5c?=IG*@w712&g$Q`ULacEMcvwO8l+5;$%<>FChM#_yq^dwanK;FE(vJd
zdOhaxZLMA{`$R7_Zk}qPBbFbAW4KkdCA067@~Oj>vR6DdaBL<$Su0UoVQKfcYHCYN
z3s)Zx;JUMra>q1X2LCCFu-r>J^KGWBM8GrKEVAcF7`yR&-Jf_H7_72OHNbh2t5drw
z*D2!Ct&wtykLS>cQDx4vFMg+%A7kgZJC^&cV`}mz^6j+zS&8re#$BYz527RKG;Y}Q
z&!bU0V2We(>>FcQsMdKDOr&oFz*l>nl+U&9Hdho#nij8(Y?UzXJo0juxSwta%a{dn
z??c;}?()tO?~bg~wC(?8cRxeYsoGz}c%{m%)m-6e{xc>uFP>Frf*(iHsp}MPpq0Q+
z^i*Bl=~|}7i(0tbUOzr+74VsVf5p>Q!nXBj3CcK!H;9&`bMZ^gp7))*kI-+2T2{tQ
z48s<NFJ`|;qXLuMmQMQeiNYqD$&o8wexsu~BX<YWVg%f_J2FdN#ms4c+|u<J<)UV<
z+-W1OJSaONL2ZU?v5NkxwOt%vKcJ%dets)%V9)&@S%0&hkR8hn42E~R!@R^#wk-0C
z-^oKK=UhC#wtQ=F-|Fky`%`_<d~Ek4u5_w4Y%TrqU%T#eY*UA{!}=5IreM=-cZKs&
zI?M{_UWDckb`|&?E?dD$Ww6kbtg?}wW4UtU319Em%+e7gzd5*s^%;Yvy{PA|@R_>*
zkYzd01e@K-Pxl%*X=cOVN^LyP19i1oxhU9GJoKo{#y&d8elk^08r|9ngoVd>cDBI}
zf67ZwzY6t!s3vs*)G#_nW+(Ch&jX_1BYs$xuMf=($wrf~KUz_lhoSNNj9ljL#Pf$A
zGx#!AWh=CiG@na${DOSe6~WHA1xW=^GkY}FdMlR_=86v+zV1inxk!`4WgK9UTFePU
zr?A`l>d18e_jBXTh61;*YZXchiJQSnpXPxok@v5!n*7ATvtv`kP0{KO*bIxVdHI|I
zOe+2P8{|CU0qd-_+Xwl>0}VKl%l#|My|L`WIqKw<6daAvXa2OpVLVlE8rop99=XTU
zv|!GP0l@4mfPv^2B{rjxtX26k?J=IrDDpP^b~;?j?s0FN`7KQ)Ynqw&#u(;zUVVpR
zXLvwJxY!CeSJAl>VDg%4pA!u)ADSZNGb}Uh?*)4Oc(OhT`wsgnXRd92S7c*|Q)T>*
z8YokBIC)>As*feDhg}n=^tzc&6xi+B`&MzVO0L&^UU0cDLV|^YgPO5bZ~t#e)z*ku
z@QZMc#;q&8sZV~YqiMLaY+;{nvZc{>w-^{mRpYhzX#O<8HG&t<CCS1}=g)wi-u}EZ
z_1SOkZTxLsHiE0RCzBd?Si(+nWry^#QsUAqm#ihNpvt;@#a)bUH1%)#i~jquW3?-7
zF<yXe_Vnamn(Dd=#|GMM6zE<zwc4~XT&z0s_tA%eO^I*1g}|>cxE)=h#mu<B{`P#=
zmO2UD`sqnT$=M~!Pb<d2b_R0N&>}c+l5`#ANYc>vab~0O3=vq5G*6EtXFPNB<dNr$
z@7T^+Tl~f|>kM|;Dpi<L!B3MkRl824&;R`5E;`~P)|m{)RNv>-BomWD*_t1m&Eap@
zJT~$0zER?Pw2$&{;s}W9b59w3?_-Dk+GK^Q7XfI~f;cBwjHkriP<AWph|>At1Sg}?
zdOjbdh$2Q!BW2<Stw&aoXvVSkgV&W2GJk}P6*mL29k5Yo+<2ft#{oTQ{e^gqCqb|$
zxS*5yWA=M{%nQW#Wyp}>_8v_=6FB;vQ9}}*&-VoTaX{-Sk<I?iF-hm}t+q{t33@;X
zt#h5FAfSA8j5SkH8KZP9pW4$uuF4hNSUwRdv_1+e=bQYAL{@F{5X0S;j>Wd$U_{J5
zIiBTCsRZlHe@efYQ2+U=kvx)iC3uVkh3!6;tuyvAIztjpYX0aq@7rQQi7>Wg2dm11
z-`cY9R?M5AS;u>j+(+HGi`ScqmHNfz<I9aHh*oVDw>RrLmgxc&L^{M2r}odDCJ8&K
zr{7wgR{M%*(lpwb%<Pg4P$GlM3&Xv*1W5&pE_m7%Z%cNCN#gOrzJib9TGW=`Zobt(
zn^H#5nX01J1kCvpkKt6Gt(vQeW~}a`p@_{q{9<;}f?DwkJGsQ_ObxUEbT=EQ0EF1Q
zxx)t#cGY=26R(%>6NLh6xl;$ujQoi!uz;L+(uI!XWOfB#hFSio1}&3#`o+w*pH*ow
zo<T`agiIc0fOB+(h4Ypq8)T-~dwKUS#g;HIimCR%p&f6A=Gk`lUlM=Q%E@6PLwY$(
zTs-4lhj)h^>R!HZ|7iVt*jmdq_?}geuys6C!5@bIQ!%EJKKPqPY1VLlWnhr|V$UU*
z|0uJY%lje&BC~cVq2+?DKX7V`1J3a3o7++{I2jzL(6mU1+b)ma_OI9Ua<WbAU!IC<
zPM>;u8id{EvVXSGRec3m)UZgAK@!Ci#*RxqaQuSH8}tO5mv6R_U2jT7S(5S!IKqII
zC9=m7NF7`?gZXJuczio-vaglU=?Y(O^7opMNqrT<sW2H=^SLa#28c-MgkSye_9DG9
zi)}};oZr@5H6M8UxXT601p{Cp&(imrYC_F+NqHUyJ|xeQO;uHmKD{*r@keaw6r|nz
zH8VHm!re)6!sBAqTk!qd%PxH%-;noN3`a<u%HnHo@SCf!9=F%D)qjf?u^_p1Ic!|v
zbJ@Vp;dhUPq9TdzAtMZ2&U6m4F#m*_<3T<gx$on1Mj=%n_GY=o%V=*l)KbNxKzd}f
zqG`o{_|j?~5VX`6@i_x3TUj_gVA_FE0NcUq(x(=tk&+Q2X%1MO4B=Qbt~4YdI+E$H
z6c5NN8d#5kX_^`M4|Puw_K}XBRUIow+NqBjb#S0W#qQj{p@Tk3$qk)Ay4szL07;|u
z^td<RM~4NUKHz9Y=DPMT!4Lg0!!qR=(X=8K54qqJp_SMHm8#%LAJk;UtEyv|t_4;q
z!uGI#6D{BT&f@2T(5s9f(b$kI?81@io*YT{6|TrFOE7c=<cTR(CX_P++82SQjbS%3
z^M=RXCtW$=k1<-dSAPhjWdA1IGdOWN%w#i+TvlWrCYt<N)t_XZ@vFKIfI1c(Xr0tN
zAIrKQhcgvEcHnqH4d<f5=x&8)UAt0BinEQ!!+PecXO<>QRw~xrJsWv_im$3+JC9Z*
zHB&MttEKcZdQ4_0Pk^||2<3<jZ|A!(I0ysuIZ_}BL}sF47_CyQ#S&j+<?vBD^07d?
zeS`9m%4Nl8rGB5%1FhOedgWb6>&HL5rQ+K9b%hLGY?_u>!E;1LB=-&1$ea`sod|^F
zlYQplmf~<B#T8|Tu8$J|{|}XyuTwBFzpE(@78`Ejr^L0+nW+d<TKJ2(S!Ge;kSbeV
zD?@b|tTtT^ta=fKQtMC@e>|vx3OmvFgFX%O>YW5~<?XsQ(0R<}{Vbh%Tp!kszH@|7
z4leO>+_io#Zt+EtjWmvK2EN?TFw?JCK&_6t7i6`bjO@-iOG|`|+W2{C1t;<NE0@5r
z4RmDMY+g{jsP9Wrf`O}vke~;&^p?T`Pefsfbu|7~|6|*wOE0eSg_e+jCRQ&zydiTy
zRtvI5#UH+nL-?$Psy8hN8ho0niVbZ%zHrU$(;bjr2d|~kHK7L#96TqffZ?}ISeQ(W
z5+O!&EDXib7?$R8DNr!&+Pe(0kv5&{xICrN-trJ7<Q(qGm3d4I$E4AA_V@PXF9ZKp
zVQ+b&c#CwN_`76bT}0@v8vEk(+UjWJM$XbhE6l5<p`I8{2!H_kFwKIfpK~;uL1#gO
zDEo{o2_T^f1+6-$`h>?88rs~Xm`hRgcL0cw9^%@J=YueeAROS`Wm3#AgtypV191yY
z(MDsdTJ|A$*ixR@v6>1IN7DLeIQbfR6}NK=)RPLFEOnMRJJgp{41*4ma4R}WE%X$7
z2~puecRd3Lagka*571%OcPVkDQ!DaMo*9Dq#?w6Ljl8x|1L@~pAdc_pB65W^EM1Z8
zLDRE>bgmay%^~p~ire2r8S{B5)KG+bMk?D+$ED#V`OjhL+xBq2#;iLHC?D)_kn)7l
z%ml17RXpPXk9oh&!W5(a0U2hWON;t@*z>6nBJ>d{fG;szvJ@$%MvIbyMd(IMCjFnC
zd*U;yDU)%05bjUkq(yx1Bk2cZyyiwlc>C0OVnDL}PL;%_QRngW^|w<3{}##54Sx^s
zr=(0C5TS?S-|=SSB#@z`is^G?x$}w{L>3zxF)9bGp4>-*-9ks~00_}OKNWIKMERgh
zjs}E@T_QGLEIkX5EbyESuLA=B_t3B2vAeTA1^&yM@f+e>J9el$MRsda5xgF-{9At@
zOnpP(KNHy_cmv!bI?^Q~cK;I)N<I==rGvvE^`zvgAS{pw#{?_I?dKLJh%k!uke*32
zDPY1)2~hJV0x)#cie<cgw^rtN7188a*@-hAfpB3nb0YBM%S^p$75$VSdW4s^oLa8W
zofIR|?Gs?|n;d|XM!+!ux8%$!qFkP?L<}sBSb0}()bas~Hm+(hxJN1@YtV5xv2ZLI
zG#*fM7W0BSD1mKodZ33bq=6J1e&Am@eLaB-4*4&MO1mO0qrFTJ=QOZ?hHGmk3HlTA
zI=A;IjN1>Wu}@Fl8_tjs0Z;1HZ&3-XsiP)`HuGU$6kOm3=U!iEf!-h+IVVQIfai+&
zN+~^1%sYl;zHYEzYWmcD4uaX`Qallueo@4}4XaDY1>1=B>GN=x*VU8v4nz6*tjREn
zrQDDjRwfyrFO^PGf`C%j<yrc<Rk)5MC&Uy?@-APnz!*zFYtGl7H6Xg`WePs)sS!4+
zo4j`d6zBQzz^zKP;gqO(_nKt=T}IG9$Wsj^iB4mL*M@L{rCeGsz;q7yZ@W6t-m602
z%)UmNy#t0mirr4gdz1e$vZ?`0Oc4qCNUJ}GuUQ-5Op3Jru6%f_?W_klITHBwwqW<1
zLx>-RiGkHg_XvACQ%J)TU%9gE4fu+(bV@no3~L2I6I<x_X28Lmqh;)M@WfBC%@TEw
zdjkdqIF7rHa5Qy<6p)(^FWaR7@I>w~wtb~d4#)}sgJU?y7xK%Ww8<Vd`J^{vq;{L+
z0;te0F8q8royQ0e*1ljcHpyTQMcwR|Z;a7+Qn_qR1|~ySB{U*S?t(X4um=$KAS)q&
z2uB@enlDo*x4f+h=hc2~J>?&Vh=k9<<eU%+4E2xx*jRv0B@qz$O64Z^^!NZz9q=C>
zw!N&>SZ~Y6Kq`$c!-}REix*r#v$*QNrSv=o0u7+i|F3*;e)e-Bbdq!=8}j`3IZ-KF
zQXJs~#g1Q4o4qla_Scoumeo&KDWUM)X~G^I?Trn|>f?}rEJ4XZQd+}pw;PNX(o4X@
z%sVLWAHyZqaEiQv3a5HDk3Xi5<TMn&Qs6K7Vmnb%j3<mAb%3vS|5(jz+|JCkS)x>f
zq8_eWO)QY%TcqTP0NvtN&e@whsfn9k?@vB?9e6hw?6d|kf(YkJns5rooDVdCAxos3
zk%aC}6`i+1qBwBqW?%MG5ru|#@_=LOb7Azz-Lc!Ku#>qvF1+)9dC0t<+P68v7&6>N
z8m@BP=X#mRTqesI5SB=k8obU!6Ng3Z!dox!R!UM45-5qeM&vX@y=SE&yWjMZ_&nBb
zw8IKlv%h3CUvVX$1hpH<1Aq8M&_6y-{}_s*S;Tc3)V`0W_52lVx;)&IfTpPbnAa*C
z+!dM+9I4^$JRrGEMV|?;FC-5R=CyNb5YJ^dUcLj&Hqu2!^nrmmAOX|g?nQS!sua#9
zs_2GQ%%u^v`>O%{_8NlF+O6&E=}P;|UR=zq0iS;}+Ny8`b3cHG&70E+Q>`-|Xp*Cs
zU0X{~bp5D&a;>6!WkswpqXsypN$W<a*23K>B4`e(HoN=9{UynkPiUOVv*DybgCN&X
z&rE!mAWCQ@`z95fFMU<@rYYY`Z^``9PvNKcT+@uIv`A1S@4;G#FFP(x5ah|mKZH|%
zrvx?L04Z3WG}f?tbm2`}=WuklgT4eU3GF-WCG5N)fC>+<j@}scytOh`@*qX}v<%&(
zGE6~IhAW#-P=x(Oeh7tzF-i!zeTx0o3^f-hl$Bq}ep$H8@#fo8XZP1J8*}pLhZnEd
z54<R401eC1*w!&PKQ8<I$Zz+@>VWwCR?;$w6YUsJZi-xaVh0~BhG&YkPXw1{Omy!&
z;@5F(QvyVXUsWoXU&`{6O1|+BT<vR*AyEJdG95-qakWH~=fshHB?nWf)&gNjcr-U;
zD#I}8gLK#@3T-b^pg(s@5@TK=v#;R&-{1Y>SA3^{g7UCSs;az?uY>~lBK{Y--nm`*
zZ*tT^DV!U=`gMAsaCIQicw}ArIUGmy`4ez{;kNL3B8tzu_@~XEp;61;p2JFiY9xg#
zAChJoeJgC7Irj4Wcy}T?C6P$nHFL8~sod7gIN~{q;#t}d#o8NUuf=l+Lf{2H*N=I%
zCEl;cn@Ucn=8yE$!GaDPn3AHvg$YToE8>)DOB`hS;qd{w6ppz}7}jb#EUz>Lrj*0%
z*zf3@I4lbPNIdmIb=4X)Nk=w8Pq#_N2PWN<uo@HIkE<X$Sr<~AZOzMT*VpvyEMNz+
zD;>@>_e>E@CYh2fpL>E(G03H*S1wm&>|R|e5p|$f4U3D%hp;x&lQ7vv_BDGmn$Gq$
z+ls`^lRJS2<}+zr#+VSum?p+L)1IsvJFL%aYb|d;#j|4%89t;=>07go(^_ge@xti4
z^c0uff+i~LiP-oW;$Lv^M|bq=<&TZLuaiwnxt)9E<WfgbmDqcB`6^?F<@rf<()DM;
zXE={ODZ$Wp{An}oMYz%WZ8&;*y!ZViGEN2?HEACnIwl7t73<ZR4Ww7y9V={4Z%jNf
z4gFxS{HUN($eM!&S^<7HU7|D~vG_9IE<wCji=D~%eb(YCiv?0)sMg=MaVCa$1@{_^
zdJ>5+QvtN_{r}N)9q?4Y-~V%MB_o8aD`ljz60$BOD-<DwM0S#qklae8vSnsuWRL8<
zl2t-xWMyTOopJB~e0+cZ`+9x9)n`1P=X0L(oaa2}ywCgdFBbw~FY=bUdFNwXH>kZ`
z+dt{BC2Sz`n{IQFLYwwe?GHypu-a_4Lr@TB0&FUQ8AucqBV8@vJ-Gi-^HQHLVK>^O
z!n*N^iCD!gmcY}xhP0B0iu672dcA*AnR-1>e1#I*SXps_CbEbSbqIemgENh{10Ifb
z{YgAl_k#(8hV@{to#*l@e6EV&<MGkbYq?=@witFg*I9sYcslDAZWf>NxP(+SU$^@#
z%7XCSX?ol23*ARvy;C)mt4TBrx^JU@z30d4=WpB~yRCWrTFUC99V?0=e%apT`5r(H
zc{;jeJuKy;;;yT2UR_=w{j~7&5R&zm2An<IMJH{{zYlW1X9r4+!DgKeO_5h-2uOcp
z3rYBf%sUW%O@}N>L0Q(bOAaT0f}ue1w8i|zr4osy>=i|hW@#lC+}5N?oZj&dUs|4W
zj}jzApwkHEdQq)h1}wf1{ahriJr*Q&+W(?@3SrN$#@D(x-0~gWhsd_X!^oe`j~H#Z
zd~)7{akeR#Vp{`r`3R?4@k6iW{a5u0`15S&exv0&3$iSW!Ch)Sg4Eq+o}~`Ifk9eA
zZ%#!JcmpdCKZBnPp|_l2;@Gkg8A0<5Cs?g};GU+aiznbH>iUrd@w=>(<Fi%ZG-3n)
zQBB)!%^XI&{7T>-_`eE({<gB5ht`6b0T^{aD1kgZ17&^GcnP!tJnB5);~%~{0Cn>o
zLr}&THd~Ppa7orp{5s*1VC9hgQ{fGPHxZ_A+jq3Z0Lef;sGti-OX>|V={Y}g+}A1U
z|8EN`-qgdH4^C?$96|hHJg7Fyw_3yzO9A*dE=E`h?Pkkqi?)!%h>%QdI(ivG1#98r
z^)r}H$JK9uCdGmOi{Sb?sxM8q7q^2%?E`3n5Ll1?QHTAoqYyg<7ZqfWZG>d)au&eq
z6Zw8e{q)KI#^~AiwV}aF#}Ec#QC~l3rQ!jR8(dPCNg8QO%$VUNR8n1L$ibWKujN%;
z0)ZAfAXI?zb;5xCD|kYXnC{d-2s<q3r2wa6n-vj92y^H^yPlqcLz82BLM}5TV|hMc
ztgvz{SX3mI??dE<Xb=tbCb1vzKd4QLhQQ))%0qaRCq^TahZ{WcZRpH35z{2E6*$h9
z=Hhqqk~~}s55_yG4on8qF(G0h7+@<x#B~1aBqQHPx^^TOoNgG4Xc9d1wB@_>&!{Kd
z0>}uF4ujnO^k)5~dM5Pine<J}*v*3r6aOke=Yo^NKFPJvAojaquygqUEnsi(|0ckl
zldR}vICu^&iq+eRqHZ@09a0ejC4yz5)kplm*+9_!6AH#J@3MyChY$tuevh;D2E)1x
zzr^vLD!J^PY7(dz*ys&SnuK={t1p1=;bYaVRP0t8fOjiP0+zw@6LNcx4yvG~`euoy
z(8D0qU&OkQBWM@J<Np$5N$ZYp0P_g?QyM__%8?cSoD=9-!80IGY}!th0U{Nj0fZn(
zaQ=TXV6(XK&lGbz;3IkyC<NmB_l(26MlW(a1FGscK4IAwv@fF5-r~p?bmJCW|KFV-
z-)tR1T5kk{C-?zv{jvW@DJ6bnA7;yc8Vf9I@G>Z43ldCu+A=2*{(_)`?EBuUk<(ry
z7F>Pl(-~1f--erRBBEy|b<P~maXp?i#T-iW03O?huH@KA+4t#Ap^l-m@V*CAO$4+p
z$Cbn4s~<ezK-fL}6NmWk4go{k|5(4Gl8-hQn=+ugq2uu1=f~$Z-*DJ-qQf=f^ThJg
zS5$>Q#k~y>bk3IL!k~)l^+Pd>1i|HMHz^0YL8&(S!=<z7&PYMEDV+D;h38K`+FQ=(
z3^|zg*uwt}tQ?C>NlSi{4qSzAGj*kh%cZAo>Q1V*p>4n$v}G472Zl@uqJM8-;k1N?
zwb*ngZ*HPzqhW7>uD-eK_#{97v!OJGu#?P4sgoXG7Ch$^wD;!=VYNfe15Iet=&xOt
z9T#x+y_8Ys#^grlV{-ICz<5Xlk*lAzG5Hno8wW45a?sLG`L1vs^PUik!0|usL4=sB
z9GO%0AK!(;f>D$vks)`FTEab53e1CCSzW#|gAk+jHXS1O=XmmXRPuOw@;He>BYB|u
zA;MlQaecID&lXw#bKk@wW&Ak}&QmOE>F<X<0gA2YuA%U*jkgz^>8GBe3CB!oJ+crA
zu+f#qM~!N0HNZ)?0WbdE{UttDr0zExv$DUQFIYGyr|bRc5JJm5VbH659ndB{X#z>|
zjSTR&UijNM2ki&UWWu8_KLBWe;%R=Ti>c|jSgQ-U7tcpSy7!(+WhhtSO$6btDhg;3
zP@+XvqeE`!9_<}lCFzY|vFWTN$^kH;piBdYJkC3_gd+Pd0(8o#QckY+qn@^dO`kEq
zk|~juv@BD}6BZ{Nz8}V#-8gpTe5UqQs29mR8)OT}SBh{I<{&2)Zk*IRCaDUW8_@t3
zPK6wQ@#J?>PY+{u8Dn5|D0KXCll`|Zg7pXRH1F=08wQ*PCJAM8nG>1kthyNSd!ng)
zxp`V_>5v@Q>HWIz`9wn~5y26TAt8SJ6UQ%_BRnGM**J*y+qr7qa_bfCjc5)m6Ou$G
zp98*Ur|Tc-`rPJ){e{MAC<MSVAuTdZ0jw6hupp3KS5C}&z5n+71E|T^6dqra2WkPe
z=WjNWh29ixZ;%?5WGV_qJSD+#<%jq|NP~pxC5Ut;ri`yzW{mp>f77L_P%QveKK-#j
zRrqPobkW6+e1xzz^v+bo@$ymQTcj&FfRWJ3JNsj{_|!qYhR7r(-c>5sEV0JNHis}j
zYhu*UO@d&#%a+@aG0)@pAewW+opA9*3)Otc)2uN=L`6rB=||}~t`wq&V<~vxN?3&6
zF~m=F9HxRZ1cq_eN6z*dUedT>Y>LA|QF$)lX$JQ7nA|p22CtA{@WEoC?0-*2R@x)Z
zi4{^ws53NP;k+RnaFhy}TuQp;<6;zWOJ!%#P92s%ULoZZFJWmZNCzA-U;typlCDnd
zFt2Wqj>hvmeS8MvDEslsz2W$X`!;;^2o<;FiR9zXNbrxh>bwCtf+)7lZDd8Kk(V~H
zj>yY{)%M=;uNnLm)A_z~fR!HkY=Ee?RgwoYFh4Me^gq|HocvYKq>WL90o#V)<jpuQ
zUNMuskFVKV(T4~$Jr&~ns+n0DUzC*<INv48e9`OX>l3u4IvA|Y*YRAypt`H$->L9Y
zAUq){U>}b$G|v<b-to3{c+s?Z_9XPK46+U0>)WT%<lAR-S-XxPGvQx9`^lfLxCPHQ
zP#!u3mxTmrrT2XMWmIhL!(xtlCius_0H&Rt5Rw2ia+2&-CPb;#&0pS2U%~r#sqq(7
zPO=fuRDGR~(nlz-;EUYY2g-v>LU&NOHJ3?8G6sVk1M@dF(*vbWP1~pA#H%jnnvc;T
z|0XB+*MD^1FNLfGSZk_t-(Wp>wUws%0kni+;tA5Ct@nZf-r?ht_ZngjHQ8)dun{YZ
z8TSJifYF}-0cN<UZffGRD{+qElujE7U>plzX<F%5x5!1|g(^+@pUSzBF*!)y|DhG?
zonZe7%jC0`Pt;hv!fR#!bDX+~S%G;v*L!&Akvd91YeUf+^6aY^DRA@zhCt~_ZcxIt
zkC{p}NAd3MK?toC;H{FgCX7n+!bA|P4UITZt)L)aN7>>l#Z%<IP-=1-R4@??_id<Z
z4h}kfm^a2nr?{Q_x;kr};-_75CmR$>w`Z^^s!M@9ON#?;gfzu~kaJvmxzhXwh3(u(
zC$G0g(s5Jf?j}+bXt2IZ5x6j31LkM=v8UOQyf+LKPGmy^WVFlg>LGWC(4TJ-Aw{Sv
z0V)l+ES1Q>j9_z9aRhs$sgLO>2|{*n@BUd}Zn3ha6Y5RV%DQgY21T5>LI2#>-&kA4
zOeheN21Yoq4knr~-BaVRN{O`iC8a0xFpEOK8ypU@7v|Imy?k2lvHANQGih(6-1jj^
zw0Ko0h>GOJDJbq^Qs(?FU2YWF6V6D1U?)(}JO)ldq);GM<dbTGd~!nO+ka5nAppx0
zWupc16f5Ku;3)O+3Md{6`yT0RLyZ;a8sfW5(hRGfqQs|coSAH1?MuBTDpFPPLlR>x
zKkY$W51%$1g-CWgt4>l!?0|M7IW6d@bCSSUX{bigLtt3x1+Mqow5#=2I5?1_=Q4xQ
zUN(L$0(HlTf*lu*m&7$>MXdrsnq0pqfUjRORa!yHf^}X3JPV8y?9KLv*}ThtkyuhU
zumK5+1L$r&q_}>mLgxG5rPH>3De^l%znuPz6zmO<Iz7_YaSyGaL7ts3*M;SI?=;r~
z6oc7sTigh+_}jMuM9&f`_{|!!9A8|}yxI13fUyufzTzNN4tUAB$civ79w_y0A}asj
z`ObvkJNy@o(}fcha8t5o0KK%(j1yEs@MAWnurmY!a+llOD0c)DKEp#jz-|nUl$?ay
zozANtg+w`NAgCgUH82MYgN!?bhmax;cQfND<mR3NI`p5*&ip#hDNrjaf4Lm!FaCpw
z803X=A^uw<>w)JxB5(q3{NUiYaDoh>qCsDJ@|yBcujDz7l;3)ypFthkcf8|#K~(0J
z@HUg`=-W&sDIULe9M!9_1zXMZkTh^VZa;E9E(n2MR?uY0bF3+El(^O?w<AuGj5*D1
zi9=xinJ*{^t^cw?I=Z4IrC(x&w1H86asWMo#bvjhgLw8^K#Ha3nTTBbOZD8RZi|Ki
z0?B?wT|&P=4%lmv7y6bWPF^{Ii=ZHy9h6@@g#{IjN-7E=L+*#rEHvANe4h})zh_TR
zJC%Q=BBOxt<*W72`T!Eeb(Wc;JxJy3&%0(8ErzdG04E#LWsL0asYwu$RH>;2n8#wW
z+t!0{<|?7ATu&21!1xcgRVb+_NG+9u=zUN|@yC5Wh6;l`v))P|P{Jc-x%Re%deFDN
z>1zv7+LfE7dAd;VMGyI(fPXHSx<xf?z{?v<GeTjMD8|jVeK>EC9|V2^b}A_*PyuLG
zdplVD(DqFX@_7nESe_OJGKvTeVY7$Wx$Eh-<!IGSMn#mK1deru2{-1QKq)j_{R~o`
z^f%)3p=%XiPFyjI6T1clrBE?Nee5sdv)MU#1vcs@sSv8A7vH%+yhm;|&m^?7e}Jk-
z7+Bx-_&zdwB3Nq<TN!d-AiUCL-La4sM#0QTK`#bob>tt%-m;5VPxLw!DME7Qu8uKu
z#<XJRi~L2O%YurqNtl(q&vAP~0Z`1(o{<1$iex*7Q4$+tCKZq-Zz8xFFI(gHPl`h`
zpqnJ$-&zMaBtbCI25f3+Y;OXFg#HeM+vR_a4CQdk6>3D#ks!YKfjt5dHqso=VX3OQ
zaQDL<hL@;72cVF#R<6Qik-Bf66esobEW9(_Ws_uKZLSZQNmMZPm8|a@E4dIqnRxvQ
z1%2l+PpK6^SX&X5S%CX?&)9KoQ6f|cXh3hCyTq0oaB)=3+7E?*%E&)8D9^GPvV#KE
z#g&&veeBX=F6yF9Sok;4AY(VLLgd3<E1QoBNCjm-Ra`%8I*`UBL%`q!JXS#>$$EyY
zKNMoS&1k&<LaLMk!JmZcGJ}q)VI@|C{tn-4J{cmFN%uBH-W`z7%_gYmn*cpCXDz&B
z{#60-HOsv3{_Ei(;0$QHSfkEJ$;3bw{3?njKxA;FC&#R+%0TF05g6LZS8)gAWxzZ0
z?C<^|370$E&yZE7tS9t*5b7%i1cF?3#*1PC5^UB-+)(%cQ3rL8q250ocZU^%J6KQf
z&@`{i$#HtxXeP)1>N?%D56cxlDQv|#+GXYmyIBRnK@`FLqvV%?!3-X3eW7%&HQ+lG
ziec%I7He8q`Wj;7YjpT&ETO&SGQ&3?Y@pUPXPDDyW61}CHH`2E!}DyQ(HvjF_m-D`
z?FJhjqH0QZg^vEcVZlX5H5&sBB^l$RgS|1GeNB#wHdb|Xh?G?S+8h{;=iX8r$;Rz-
zX;g=aA-pDPS-J1h0)4kwh*dIod*ft#_HD9C9G8QAtW>&m=jdx=SF<mMz9P8OZT)%3
zFXxs<ONf!pqT8eK`5SX|#LPh{LiItOoS6d@Ku$NgQ)Df^epkg?wGl_Ht#VP8*8NP4
zyT8Y)U7G4$k58MQnipjfN*a955mpObwrlfv&BHHVMW9BVx`V5CloF{+)G|4nY7f99
zCwjCdsUhnQ+0&xG*${_H9L`Z&yr-F-$osLWJtam)*KS4?>diAs9JS&8oLiH;bX8?J
znh=arLAT&{xAWqHZb@bYfFT#+&AhWS<E#D*7X%Ttd$tRG5iif7e{4=WF4}6^XdAD7
za^J>RRnq>R0Q0)Z+RMGbtqWwO$|lLR3Y7`BQVA0RMQ&c1qx~6Rp<&CU`~G-EQQlcK
z5m<Fs2DXXM*%9EDSpE*xHHpku_nYe%?KS2$Ocp&|3|`G`x!I|>NLDtG%31zf2M@Aw
zEf-Xw%FM*=R(F&52DeXN-=b|};Dze^tV{P7?E1Ch6CntJN5u4*kh%mY7O`$$;O`gN
zP#6Vwb>?HvJx`eHBZI?#S!8;6gC20ewOF&SQfU6jXEh|B`MAz?9KDB~wT4oMgWV7D
z_r^uVA=WmehUN5$x)=m&TxIDcNDl0|;V&4V#8H{vBNgV+pOPZb!Lvq%Y0rCGq-3oq
zKh`2x67bOPc9TldIl!`Wa`=&5z?&pm#mNSIgF4z#-VIGpb9?rnDKx6Wb&JftH}T19
z;32vTNK`1p^~EYV0{S2*=YAi6vmRaL_Ixy+at7M0xAX_|e<JWlnpO^vAN?-~=hJ07
z_JF(URLWf~=Mt(|@i&AF!OEoF0;_-n6n=){l*1lNlV~G5pjO9XuAp#C9MXjD@}-wG
z4<VDq;JM0s%CZw*+!Oh`H?6<Fv#~$;S&N{$i)nI#&;*&z>7znMDj4u7|D@P8p13-D
z<XauF@odgc?>uEudE#3f9`SyNfrTgf$Xn~)hu0A7{eT6=e!~WJ>Jw!83pV|q`!{X7
zF%$$C@jA)@NxH2pARDP3;NM`_B0Rt6<x={j{7x;bWZ@$CI@2H#N*ERY1V_3;43->G
zT83gkw0H+gl8FMd@?<{%oJ_EB3<Ir6ooOzF{i1f0YN2*EpC3{X8bA0m36dpxE(ULK
z_~6Gta*BJ|QQGto!9BTn|4{~%EK{Ah4Q61z<j>YjjvS{ih9V0ZQpuA!x_t1Cj8GLQ
z3PoFFs=!F_UXm6qhCU_t(hT?W6AO6h(RV-U!4k2Y3j5+{C^-SAn2doQN@6z}tlje~
z6<D)hUc8|LDiX#qU=XzKB>?<!0NG}n5TZVTWQQ+#WhvI)DmQ!0<i7tq*&>Xp%jf!M
zG)My_UsYE?#4guOqQ8!xQ`{b^DM@*<y>PC&_&pd)G~PDjO*#fX^}j|p|6JDQVV~NA
za;)816T1b=S3cW}7QI(3(a@gdwao8DwOY`a^Y0chJr<XnyW!zQ4tmd_?l<9#OZL;f
z(+DdhS%TH<59p*p>l!4kbl==vHvVoRxIdO*g0Ac4bz3uOVt+X`A?j<nG&lumPMD@Q
z0Iiw?1x|a*DqtaZHYa3?lFQ$tQyG6=+}TtnW)$=!m}8~OAL1mxFQM6ot%N}^G*H?k
zJN*fbAp7S75}}1VtvA9(RT%@I+GRiovIsBfy&)&UdrtU(cXNSYAXWgI9uJEqvOdD@
zcVUBt{&7iKdNREG;e$w*SiLHH#E3{$2wY?C>IOlD2hUchg=|N@d2Rga4e-T`dBe6G
z3`XMoa)03F7Ib~(01cd=>Uog-`ET7L6d+D5(5I^+1;U`V!ta_*;v``5J;p-O<Vcvz
z#@EdYpK)XP_R1885ZF%wbV_hS-o59K#kf*1N*^FV7umia8EC!nJdJISS9V*!^)d#B
zN(`5TJti}E3L@`RXZl$oJrav`ZY%5xiXYBlDFx@ssf^?x$mc5FmG!?#vknO&{e%<x
z`IDY2#0Kk!`P1Bq4M*{?x3vTtF__o<@lW8?7TDHLso+Taa#T)CRYSG2y1yPMIlWY$
zyf*MiX91Xb`^gKkkV{)N9yq8E2FFU}g&|Dilmz<|Z3u1~?Td`7^m<R~vEjABC(n@Q
zdLV%zlTQmbQ9=;lF^d7*u6Xu4tn(zKgLe`XmaOn(V>g9i3xqq)=Hf6<6h!D%A)2BC
z&~iVHpTIIg7eDwhr8!*oKeMvEppL<>$oO1l<C(<4EUM;rhpDT~iUjT-eSxaL`fA`k
zQXH_AX+h!!%5|tuP&#^<2VGcLK0yUS#%>*Ty#5!p5yb#v&#b$<TkGKEq?yb$+6e_t
zaKA!T6-sUg#^K&7)dk|WlJ5Z~Mk{mj&wx-X!UV2RW#?VHtWA)EM_d^VO>f!|I_Y<2
zPTgp~U$^p|>Vw~bRqQ!nOt;IB&M@>bYcC_;v=Rp-04oYkg(g%{IVFCUl!A0h=+%=t
zJ}D3(MfHNdVCF?mj%P~EYb=tI_Ftgd^Jev9B7ZYLxv)h$5tk*h#jemBq8ac)md&GN
ztB;D*$-wI6^$Tvkjwhh+<lAlMv2J$ZyO&2Et?Nl@65LL%o&XGiYPVXicR?EQH0;TA
z5RrWaWBtXY&WU-CNpAdkvn+bBceBA)-S`v0mf3`VxfL+a&hK{y{1(FU3poco?Fx^o
z52g;b-iW7<e7NcC?2Zq-{%67GZ>F4oM=@*YOMIGF!26FqgY5E1p}w}0{FU^$_8nrj
zRA+pTch+$#5}Z}%1n^((lHfL5NA`As?5&uj-=?eX#Iu%XklWU^?t*$Kwt8}~&(#qN
z&T-aWYm`p%FY`1xuBANkZ8+Zz1K6Yc-UwQ1`UDpt)s`Ep4gGx^cBPJ2^jC@*DV(+x
z*r%%tv?DY-5X&L}sX%Al&V}!L-zU-lCDh>GeL+NQ5#3qXyHhGc3y6G#^N<P{QKP8`
z2G4~KQJrWwR{a1^k66aS@&<P&=i9FIv4BDvHE#*u>7JqS@@8=-Vk{{~|3GqhPIl)f
zqi*U+^gQDZ%TcA5XFcO!J5u2K`!gThz8+=0u6mIG<+|I)=859=-{Wav5B91qK8j5M
z@dHic(lA_xGz(QuW|AM2vQwXU&ULd}l?r*@yKq-M9UABvq@4C2z6>)jre&Du4{Q!S
zZ;b~*0-J}B69^=~vb)6h6G)Jn#vNiC6!9eMM5wjbnQIlPx?>J9Djn^K5kM9unJY|=
zOLaY!!(}oGN?vg5AfeMqIt--EjA#cSkg{(`Ob~@qodb|8Vp)3NWO&xeSE9V`FmL->
z<R6@461VyH@|Y6JbBf@wO~mQnu7n3Llqm0nZ!pj9uP~$H$~Y`yS$mMs7>oMIvHS#X
zu0s46lwO`0?K~4S{2iH0I%qs_W2l@!7_jIE``L2^K#3OdKU)ByC|%)ajwTtJzl4<w
z5Bu-|Y5vC(OPLi?O7v_iK;r`iP>f{w*iW*a5IL~8lR^n2XqTK>zMCK@>~N2l43VB-
zfc`a)<1Q_hSi|Tnk>F>EY-{6v`bv=Hxe85>v9j)V{%`E;8nS*OB8)&}w7v<LSA;ct
z`kXFEcZ{|DeLHFNwu>M#CIkg;R6L}nLxW9?lK3IhmQGj-or;dCU*SrG>8s3<Tyx3+
ziK0e#DI`ubKR?Msd<j+vryGB+&bFfDw&*N}nCsW6OqoSlAt<O)q=#{i^?_s_p7-0A
zB_b+C#jC^)zazUcy?x&azYyoQXxdaoTGf5S7-U$B2)sS2L{U}#9(3&SHADoA44zlq
z=)tl?vLuLbogzXMfSu%Z=K$oeqKLtPY2aww9zEASnV=0^pRAWL!6Ap2+;%U5S!mBk
zr;y5Z<Ycigta3WYCo=3X)ZIZOp^gQ1;7A=qPSw^+QP_LadqO1f6o8q#92%a00<WlH
z>Oee5pi^$oeX)J_Ye*f-&M}uQ1%NTJ@E|MA%16*;miC+KmetO(AHDeA2W^H|cdQO#
z6CdD4EYd)f1o|A~xY=3=n613{s+3B!{`@Oo*cYkeKFGy6&HS$YzHlIvaQVhIK$=bG
zzB@qN)Un8>LK{x1eU?x56+ktT3xY|Y>lgT`FnFJH4yf<pB#;Fpfz=n;eHh?^r*eqc
zHKYiTLinJAX)`wVN7dq(_55-Yf)~C4G6Rq$B<i+j$6uoB$8%@hfoK9Mv2;rSbRNdT
zs)fj(Mxwx;)KRkKlx^))=z){Lp6_>E4fE<w1+Z#C&~bF-;L#%P)@#BRJuhOj{6Hj(
zF&71(Wq?b<|B(*XH6d_`!|yB+tS?*eLn3)BnFJ5fc4Tj(^}#<NuPeC@n;Rx&X`1dF
z@!1UC-wb5PsOoAs82~4PnwHxMX4I26c>pFW@z80D8(*996UG?7HShmr=oAz30m0=-
zxI@sdy57|doj_t<`R2=Jvi6psjH|R7NLOCiED@K-%BG|$j`|xbHTFlE%Vk)6gn5N0
zImF?-P-EN$gzy<Pej_e*0dB-V^lK!l+L*eW3y6H!q%<CulF;n@S|gOwA6h-Cfrwp4
zoDz@JnL*4DsjDQ%4^_HsxQnkUwS#2g!Kh>pn}GmSuNXn8CT{{T#*LhI8gLLA{s{^^
z`UoO&z?ZndDaL2buMFbhaDUO&F%@=XUETMN80qK+EIRnA$O5&k+*>usOX`+#GL{#!
z+*MLEruY%>mo4b%!Ax5nY1kT;vV&O0>RuA65lL`g0#Ab4U-%OjU)V%A(VzE}1SuCr
zZhnd<)F1ASd}<23G!!-Sf?n|LgnRCzn-P>i?6-B31gzV3E^-?NzxKbAZ8r7jS6o2A
zD1XjQI8&J~vaZAs#IITDSThfIx7o#Wn^G7^wRmIdXz)csZ_!aud>!!weYweeYg8R$
zNDz9ER^s{gG4h#SYrmssVK*HFLYw3l+W#z^_kskGFB3>XREcAa3_?*)<6l=?$)`&A
z;A%k)b4I)P%Ear@YY4JzH$R<wt)jdsy$l~D*~$13YzEa=Q`mxt)!u?p0ST<+PUkWK
zpfq7zfCrHiL~bgDF&uP+cRu>p-nu8S8@fR7i0wzIloAz=u4iQ+5xR+$i#L9_pKbu*
zoGsg>6r{!X$tk$YQy(_ctz;K4fO=rJ|E|5a8H3*6hP3$CpaCef@Wqk@Mj7$2GJC=D
zFJRP^i5wDBa=!&zlacORGuYC0f|{?M;e9kIgkWobCX7OXrWQm>us^9p_9-G+=t(-m
zP>}5`_g-4|8899=!b)gC>F(bb*TJ?J{iMV$?nGW@4q9QL4D9_N_O;Lz7{*}AVehlf
z*8jIcA{@{Kv6V)P6dq<8OT5K(6OQW-FlkM$zkXc-5w~#nNh$oDx1TsoS=0Fw=<cWi
zf8z@gHXi23R${uyNr+?y3tzZ8D6+}`9TVAfdJqK&hk6<(e{!S{y#n?|NHDkmg7%+w
zi5l-sNH07#cR$SXD*Bp%CI%Ap+aC~{DH$##nB`*j#?t!Q;S}&B58?GeIG;adMjc9i
z-1anCBKEF$v>*~SMUJ#k_6=39S3KB-un+IgOPFAWT+!nuocvT{0+3qhjnG9bQ$Yn`
zSoRuxI(mI}_my=(7?6GrUwx$N$_D{+RjRt{tR{?+7A-uB2A4uNMWKuIgtg&@EfeFd
zV-Trf(&@7^lX3SG`(0K8BN^DlYW2<XvaX8yu;3w3n6mOdqC2?TV?qn0!E9&&P|(VC
zN`Tk&h#2!R!ZwxxM7%Ik<*qes0RayPv4YY>)4K%(E_c*XNOAN-hZ|_{{!9pJxe+P}
zp?zEv*_{e@kc|ZkIj$*IDm{uG-@vNNX~3Y}*5Y?o6P?S~ewl>4A)FQvj>zKNZn9cB
zdbdpwnm3P=O827|(?eE<X%VVY?*CU3*6QK9i$AVroC}0Pb37J*Ny;1nXU4&PvXT=V
zuf<ls>a(iC0F$VB@IfvkwVg@PvIVlC)EFthf~YJ8y=-Df&z7fsDFmPJ*TlN^4n9Z(
z4DpHIhXlVyxx5UgCvl?ZKXN)kbTXJ4g<Sha6?X+a-%LUUbD#SI((+F6E;;0;c&Wzn
zVl|~BM2!a!dW3%DFL56}&SMIrzn+TNjNK6pYiDZ`L&o;s9Olqm=-44%9k`rv7@-pE
zC>uRIKA#F%jzh?~W8$-rOuy<zG4iKq@TjthJX3UmqZvOB;47Nv@^`I*c6iY^G(<DQ
z*Uu<gszO|xpLQ|?UzZRo_imOL-PIM|)ox|w22oZig8QQTvz<Y-qk<iFLhrBK?K$N(
z<%_7Eep?ySGC>qe1xmqm7l`7ncNN$-%fd`ZX*Ejqx9Vwq{`Q6*6A#s7wIJ_TrUy}k
zg#6{z>c^2lAk}<)ms|14KI)G2R?1NEJO@Grpr3n&8>z&1V9-!Ov(yb~^M)BzbI*I)
z)4^aI?D`T~>>&xCSyF|^ihVJ%-3Px9;E?V2rxm8#CAa|Eeg)jaLBRj|(E##oW{*Mk
zDE+^;h9c3$#Tmv>Du@Lnk9mq_z@?J?(=!UN|9Wh@!L`J3cQCwJ?~OFlq5?_dKQzh6
zx0GV9=vH!silrlJSwZx!dMM-*RWWsq7O6)dc`o?e<0N*qqbHyFO+}Ac^!m=Zng$G#
zSRix!?I_zzZt!+$zQ`j3qTWi(JlH&_+L4!yQ8Bj)E$(8k9E2nY{qZZCyRd0~c?YkA
zLCnxF@PShO{25cG#nIx@8KQ8GRWG$GN`s!QC?iqh`(q!#O*bs5yS^iwKcjF23K0H@
zGJZn}rsfzk2M!}1^=|&>xPh*Mt;CrhHV?>e^U23sPv27l%LNR`s8Rm&w=E8=1N^Dt
zFM(i0Y58-=-8qA!r~Iz6AdlT)KrGVOgGP^~asyDOW@EMFg5jN(H}+aHy!|3{$ZzHc
z{#IAhPx{elq-6K4fH#0sWzAaly}O9IM$0%A9pG-DI&qjHf_WzCV*J~{m7UHR=Z&c)
zpQaqB_F7`<J&Rz;vLBYcc%eY|D@Yk$*z2wrJC9{6zt&9h(F-b<s2WdPG5GuCZT9Vb
z$OxUE@M+%j`ng1aKmmkPSi%N$j=5~SR-*}}m+x*i$Vduy7GgI|Eh0yJ%~yo)&DwQx
zn(qw=AY=CPn-9}JzHL^!`|Z^g1K^tS$I>6~ZDcU<;IJnanggh|MAD5BLW|q}HTyt|
zm3ZszRp`uG_WE%db?fEB^{SF_`n;Q@mv0U^sR!I)pq+7e^u%5Wrj1gaV_?%!_m`WV
z36iW&wodD+7uq?DDrs`+D$-L`P3*GFw(-c0iy6oNf(8+)hV9XRrHzG6uO6zSc51np
zb5Y%6;dGp4fBer^e?IbdLS-nVjCuUd3;;dcFWF+q6F;&t(X{UVEJE~!Sy3I4%Os;=
zZ74fF1Kd=MjA;xv3i<Q_?t)RYY;`d%gHI7s)vt`s+5az5(UPAw>d51J<~{IpLh6^F
zimV+-CsG5fCu$u$!65;95#h7Z;&UUPh{3QGYiYdu9!d@rEe8V9dTa!=$#M9yCiF>R
z-?SnOUBJXapqmVGndj$!=6#Lo%#(p&Ar_bxste+vs_&Rv0C46!c~e1?N>2k6jJB7V
zKk8kOt1Q=B=psR=wpWPm-*P$EZp!baz{C8lZ&Cy^qPPXZq}?<8GMW~I=>8jQfy2L-
zR!R_^^<2O2zgGPCpE+!!So0k3>l#abL!8a$q7HGTQJ4uqQf^Ore@evgR2GnA-r0hs
zyK}e@IAtLgf$un}qc7}mH#y_hzum%JTUGMP%myF-6zzloZ6N*o+)~h7jtXm=zQJ?a
zY;BejUgU#p_3OJx`OzS$oz=;wrv=CCNeRwV+v-42dX?TVV*Si$E2M9CXVFg<f-fY$
z0k!fF(LZ`QkVYV2ZtV~4?HGy26JMSxS8QJ1OmBH%P*My9x5{ApKiFw1pCE?ZS2zz5
zkjBC;?mkI|%d~Njss~=NOY~63b(fq;NBRp|As5VM@8d-5<$b6NkJz&DF4W<oi~IWV
zTeIE_Fx`<ojTQ92xU>3?^hR6gyI7mKtFyhFvN6mE{WX1=q0f^(Qxie$;fy3{iM$z+
zCB+Pv15JFK1KN*&4Z{R`14c#T58bu1?{%iz7}*8yV34Pd2*KlT_Fs?kN-5~tY=~zB
zW->;!3(cl6?y@jY6u1wm?W{+8OV}dKCb^IFcZQ8>o?{RU=Z;36=HPix^BTe)jAcr=
z%wTchDMfneV-Ngm&U@eiLFM~2yKHIFPLu2U6?*A)*#9m%PVKTF^qnMiKRe({Flhah
zD)%k5AhE-BEI`~+^WZo30Bs>=2jo{K4{n`Oocwvoo}C&4_lWxb+c;q4>R^L#)F&?E
z(d^4_B+{Q;(;1r?J;#;J@D6DS4)V|HTnKwKWR{DjaWYLfQB_US`WR}~x<wCr$(v{p
z_<@U%;`ZeS^)lj^m-^R8u-~5(^O-AtGjYkyQr4Ob3)n$DC2s%rz>$d&*z1uv3>Y7|
z<-el}iM(1Ln@=dXhbE=*RPr~sh71X@%ONf~CW3PN55*M$#$w~1W>KR;1M(>Qe#FG6
zzA)YUV_Dsg+FMfBAZZu*aJ}81I=tfFdJPT1dz^0meQ$V*GdV&Q{KJ5|rX=v#dlJO_
zlWQ+VX(bw<UJBZ5=@28NrwH8VxR(OlbIJDF*;Xsdj8KMu$^JOHSbV7`zENYJn`R_~
zc;WbW6HXK+gMG|5&g%WU3bXSwMc((R#YIPy$Lau{vE2d;9)qLt5IDtk-VD<*RoDyy
zGI-a~ObVqH9^P3C#;o;O@!eLpvdFg$La)nrnqH8)Eq&7Yyb|)R*yyYK8GwSYByTPq
z(9K~%pkf{O@Aa0XIzC&;czY#$))<K941tq_qo=Nb#QV>s=WdUEHUn4Q^GlZ4xZ6L2
zHCC}Z^vzFUM%a5OwHVDl?F}INZ2?pRb28kyy(_1=82xHpQ69JDE~6u-g|RdVkmFm|
zL<y#zHMi`2+fQJvd=7kv^g7xO4t-B)`_gv?fH<XQ?Y9wB6!?o^EmET46;M(}rYYA+
z6<`fXTKwLY3!t3#%(=i+;wgxA``$cp*KL`7C}Xvfq<^N{db9fvka9lq&HM0JkIQ`{
z;4sB3W7tm1CplkX!`I6<z`kjl_eFJ#JXsUWHiPZsPawd3U7U$|0PKz4?x!_KR(}A?
z&U(YQS9758TU&)Jr6qPQ7A&YjG}_b`47h32!}zS?x(ZPQA*56QqqwuwV`L(cs4jaF
zy9ZQ5>{=N=`h_`CoG<vUOLVB$-l}&Ogs(Qm1caKQU7id{yHGr{NU>x@uKY!`V)~2x
zP7qzc9nSV0PRZ`7<}HOX2R~Tlc`CSwUO?ASa=u^_3eC<m&CMTtmj@&ktdboL)f|W-
zS=-DUeD7d25!H@2BAnRs@c03Kz4>3<cOr=&X0#0d3nSv|ju1zsL@al;TYs;dxQrL^
zd|;o|w>aMebRy<t4xhI3U+Y~=F1bnE`pgAYAZh}bhcIwxE^sGYq>xvY>*nwW?|ZV>
zVF4596Q91H5GD44@h1apWPa~a1iNn857i&a1g5wB=2vzbrD<Dww*JNAiYOr!N+StC
zir{*my7TTIVfY^c7@G_};P`NK;kwVs*Sr=Kh|)ZS?~Td}O~NQXbw9$^wgkAg&N#=(
zW#6dvn82f?BA34&^$%iJ=G08MmLb%ncY3bCpV#ln+71RSVTYx~Z@71=saA<r<rRDn
zs945yFza3O2hkSro=x1HiwRp_&0}Pf{EtjN78qwmvmwOj3s(&^)9<WsU#m1`JgCoy
z@s-$<oGzp@6@NEtui`a)g^a2&M{{^*xPs3FfNdfqxqx^C#@95B=7{-zA-b9H#e2S?
z7J(srK?2>){2SNZMAO1P7;n$XTMa;C)Ae@?RYo<yeAIcNS;KZNqs%u-eW9=F)8!v{
zFFt!ZIMn&E@jgeV%X{O-;8WlDX`5$a%|BMmZL1$SZDCCmdE{+fiKZISdDeA@W3BWH
z#1i&iZ2G2E8Z2}}x>$vkN32LJ6-8vBRVX!jM|LJ6^dr11Z$h%-74TiIJ_u*B;{lS1
zC!6D@sF?is=R)mO?(@QTG{#6FNs;|_{;S8C+f-0TGRxhun8$um2V@b(Wz?Mxo=JVm
z519BSQkhp-f==sFYu}}c+a0m%gnT;M*2@r6r-@`@&`HnWVJILkyZf^0ngM6O&yzC!
zm;0?sIYPD@J*if5B{hanr*l-5t~~GuV7g*1Rw#iVRq*eQ>f$|(nTTD<ETPtqurn2@
z;OvNXUEXlZ0?J(2eR?Frek0<(LmxTsH!9vQcNmhPuWk=a%E7mr|9j-S5fsz}#I+rg
zIu7#>2KTD&m57WJ?ZbpmyNw!ND5{90@wj(nJ@~FpH;&a*Xr~=HXLZ~qp7n<52XunW
zG49wjwm+0BE!PuvwAU5VAR~P4d=u5qYLo;ymV?Q-`bFs1uk~^L_*7VTjuz&gVEaes
z`~mj9>cGA0UR9-C8vFev{@)ije=V*X*<qB-LQ{rldLLysiYzV7%;zP3MfzC-=2`k}
zpKAd5bUsX`nGQ)PrZcPh(&U5Saeq%Phq;f4#7e}2n*8v(V^P@7rk{jDhOWd%VEAdy
zbOF!1Wv>Bv-bHs*D)ko}`T=s1=uPW+Px)!!vOx;S((W<wL^zWa2aU%<Jo9cbl;MMm
zg5)dg5EqBN9u3`%+xpwF|6VQZ{JmMsAwP2Un3Sn&D^&%u0$+2p<W)(#^lU==7`-yG
za&vR#D-P!t2;~a&ksrJDG!?7lz<2hnvfw-2rzPvEw(nEaW_j+lM{`*7iLdR-`!F#C
zM{qeuHSD^X-0D23Sw7Nz(#7WwVYv31M{A+$Z3q|_%9z^p3M;rpG);e^`f8=sH4x_P
zwwZG4yY&6gJJh<~UN>ZZoyfEg$}Bk>6XDL(a^#|BLTnnFuCt!Ab9}qZy)*r56B07U
zyq=F#AQ+6yrsSLb@Hs_Fij0-H(wuZ%e!IA{N||<)^!`n$1RtZCc7?NMp_ZYv>og$x
z)au`gi$}P3-0jV7Wqi`EQ@dD>O&8ZXp6nif{))90M>3o4>iK))tmI|G<ReOF%y)WS
z&Wg3~lOic}qwW`oL3df4osPhhw&iNFj3Z;^v<kJkHE1{<KJ{+$6}@QjIZCoh?&y}=
z2mahXLfPQXxZS*Vda-cs=2KtKB(;sE(BmA>G^kfyWSRZ{o|jfg7bI8IWMl8?c@}$#
z$Q79^uJ!f0X|Tx|DbKC@j{S-yuq1Z*weH`sHT*074n!9_CdoLv$ztR-&um@b_gPf9
z?Qq&;rjz=Txq_95?OedAUKWkhzcu!szdCoyZ+CO>UVm)ZA=7G_#<keh=kcq~u}wkL
z>Dc}Wy~i{ei#ZHAKiT+TKNQz9Jvo)Xk$^!&&KvEH8&&0BGJ8xE{8ATuoY5&pY_l_K
zv(D!2sjH>=8{9~+>EqU#YZC58zD$>1MaqS2aOE7aUwevCLRxOVl{~n@D%SCLj}Krl
zgT>WqZ*^zqsy<^y#M+xupX6B1!w#>yhr(s;J{AV-_Dxrnuvq^i*a_ccwf!xZv*X6>
z2sYpo^rhJA6vU6Q#%h-pZy+Lj7r0qFyB3Go*>P4PVUFIZhQDn>0odreL%pe6LV(cV
zl`s46FW&fd>=YTkXsc5rZg8;eA0L7*DiDo|ygjb~&$2xE-F3e3`*FYBFGz4nN$Hgv
z#l_EIPPmGVom#BOEdO&P^cjfYj?vC|#l%0zK&fhYKd*80E-{p6K?mYnX~Y?U0W}JE
zF+bzNH0_{XcSaJNk*M0?{_|PY36(KWGBwBlGdZy!NoKYVL0Bc+bL_h}^=Y}ugXOsf
zyAoNpwt%oHSZnZEtLWiL4zGSz1WD$feg9;0UD1tZMg2Iwr_|A`mdi6E4DHq(G4EWv
z`gJQE5qLWjsn8yuT=@_6CrQ<ijI0c=Yw*->+xp~)DsTJHy~H=;Q>cQZ_&2pjEj@aA
z34=*Vtx+^1=I<cx!Vr^r&-rw(YB~5R#2}sH?G}1@i_PH$1#8qw<$q;AuYPa`I<Ge5
zp?_V%{WztgD1zv8%gz5P&UvwX9nn#lYI=CjVZ2iTYT8719XF~%H+<2DWv6gnWcu_m
z$Y2ohui-!LS>)h#Fd-Yu!xLA>&FDd#!K<M6`%Zdc70GIMKqSHvbTdAtHm5-Ch8MKS
z_M9F6HACE<{d@I;;q@;VWk!xN^4pV()XlDIVU*!39!q41s*qZ1-lOfo(1)lby1wQH
zraO967^*FmliwzDqdB=g(JcKJ6f?q+D!k+IGa4Eg^`gWKGxr=w)ZrOK>9;l}n(5Ll
zu!?{uiplS-uS!bjL<P~um9^ZrY&Lh23~$b?9pmUZj^FgP_yRBXUjI*MzutE@j-*ED
zoDZGDQs>-DE+vHZ7zixawl7fM@zNngwU*n$ImW=`;gTZSGqGoC75gvrbAB~fmtkoB
zZn1<p`qU_QEYI>%AlUsUfzrcFr-h#QABFz;hpuZXc<p@XTehY`Zu`ZbSKHaB(3h*H
z<wbCwo_u@lsXqKLJ+Qo|9(Vi5xm{zAVFftigSV0;^FJyal|TyDH98jxwM`$g@%M|t
zqkX7Wbk-12grjs<(k*>@>KuB_s$l*kp(Zma<uw!fOv$M8`^|HtgMFW$njnG0&y6n@
zS+cuBaxg_`EAE=d4_(waTL#?xyq=InmtJyKod!|4*IJ?_R~Fs~v(}`aaOlNXt08qN
z3Mf~6{l$BK<}Y7wu{e-aZgLF`X265#LA!J9lH0#Wx?DK~SLwrCtN5GGcTc`98nQhx
zY8CF6D!GO}kHct{>^$x;DRwqxD9ts8$ClcB?)S--uk)_LR85T&CFg$?Iml1~(6ei+
zIa<8*_H0$sVhZ#R_iBmO>6<uZu^r2$>&UBZKGbS>T3SbeF*t8Zm{03vR<7m0>`4`h
zu$J@hy339x5$aQNW!;Y|;?G2^Xe#)m8VWDmwWdd~IR?b6%68cm(u**7EBd1+PMsa>
z%zavx*I_F40*gEL=8O06UXS8Ext0Mes8osep~us$-_B_SgIeQx(+3ALYNGNwYL}Tj
z0=aM{GaRZjslAj%mEu=G%`U!`>d4KFmrM=^(IXr$!i&u%wrJ;!Bja=Pr8$~0mKAcp
zqfmt#-1SH#166E`mFJEzD2Qj8eWgb!^5z03Yv&gCaK|&G#mSg<wU`!Zq0y?yNX_2H
zs6%g^I6zT%BExr!vUt^Lu%tPIy*b<p4{)Rp5>Po<YgkJj8^%#WXkQCwa58b3XkHud
z@iCGWmny3qx<1yYHB5M%6<PzSzu={ZWNXiuB}ZnWY|=#AVcuVswXN6~uqxg-<=Xpi
zh>u>?I;1S`MMtsC+0uW&mGZJZWlf$r#`vcuj4<-jFWPl9^`XQD%^bJ9h@LdYkpX5;
z>XPFAWX5y5Ij)nS`iv(}5@YV(ZLCzShwPom&Ed{ugNi#ln;+BWi~dTJVY<HT?C<YP
z6@I_94Aldy?L+-pLRRvMuiNSXM*e1Sn5|nO?`PJZ0VSFg*)S&0at#HK&<23wv2Bnp
z#m~J-`bCYlOU3H9yEC9m>9)0VftG<(=f?dr8QgLsDUIyE?mmttLByJM>-V-5f_Vy^
zsFC3Dt6i&c=G9$*p%<1jVO%4*jM2G#N#zD{!?h5WK(GOpp`6d34s~@7-JvaN6<L7k
z^ra-i4?ZU>H#jJZqq+SqI)z!LVP_<H*ASdaG0n<<OK+I_<9e0fv`wfB&HwyFl@fw?
z*;!v`-B~9OV{#fgg|OPjh4>zm|Mgjf772cRqTPi%Bi>-0L{N+|5`a2<wyBh*t~M6B
zwKbdlX><P67JelD!QUw<idM?4UhsnTM8pDwZMohO+nS&{BqsBI(46tNExX3{Pd}ST
zY4RR*xx%ZXlkylKx!Wu^7q59dkl+zxmjR8q0CV5U`#q{w1`3Zd`KDcPSdpHG?oF=q
zF;<I*U1*OYSlx27SEt|jXuWD{rUhh+gTq|EB-coCvDdC2h9)HC{-Nrjk3NRwL8vi!
z-cNA6+h4SA#&<bFc8G(7$})m3PTchHh|3#3r%K#dS#Pn5+b@^1gZ<w>!({(aLcT^4
zdE@)p1wQ46WALm7+1{U7M|O85mWTQ0@4wMHx<!oyj@(}D<aw`A>fUNC3kq*j!f&%9
zbBs9ff)g0FWZdm)2*2}E=i>Muq#<LA3l0G@C4Y>2dm6F`VBGq7W{JLE-?|@6PMT0g
zr=9hGVS1i~ljL%nq{#g~MvXawCa00!=yy&DAP&Ng%Pg;cyel5htGxLe?N4J^DrJf5
zOluRD3DH1T0zMdi8FMmPO?!E%S5CMjgTE<fABxg>Y}<41{!OU<i9sy8S*lVrI@t0&
zmM<FWHi;20Z4Qnc|3S>P?-nu<g~2L#(K^JU#H{QdcET&41Sy!SBqUxUNf_-;({7JV
z&k~Nx&X*oK!ZeU96xul+!0DNp|7sE5WMO=0OKIv1p^%V=fstE~5L8IF7mi5^V$uqp
zcm(CekGhH;Ti?_(mSNW1hRByCv&%y-O~Y0L*qcKSv!S(n9i=t{o9FbZ{#aJ;`jaGK
z3*%R!*7ru_&yM`eji>>lP-I}nokfC)XmNxS3wJ$=+o~?at&O-9q-su<JXKwLQJdoC
zwd+cprd?c~E_njqWZr*WcJcV8e9fx8GKVLr8q9~4i}PDs^Np!bs<-?}yr(}4#>h)Y
z3aHA+{7S00Z&3;Ul^<02Tg`_)s0?jX09QxqOrZiD$vJ8Js@!Nf!)4jmoETN_Bb=i9
z4_zujF|lAOzLiH>zScgoyO(WhG<L*CybMqY47F-fv(K#qyRC&|lf+rcu;hyl0RrpJ
zk)}hV9j#yo;w#lECyz$zN5**tAAckc?;~|We70Q9+td7h!Z~TLs@$5}1*xJ`bvDH6
zcSZRbW*Q}Kw*1CWZM7Zd{Y31aq{QKydlNbNq)46UdkG1%kAF0~yhaSMOI&^oCfn~(
zSAy=|Voz?M00?fourFmz*hK$AVFc{0&}Ui681WANIR3+s(PhKOTC?Y4ce4<GodD9n
zAG5M?!y+%@-f~yHspB62xWD&3n-O%@xNe+VrHK|n_!m;D@bWrRiV3k2*TdGLh3?F7
zECkr=d6#ni>P@b>8Hxqe#z!t~f=cAOj>jQPu>9TrGD#LIf8P7qIpLTO<6&!5&n8yW
z?h%4|UKUT)A(Xoq#OV=fdw+A*9~K48L$Fea*tN&P_j5a>)FR`>O&Og@$?AW>K4IhX
zr68`HMSTtKUwatj5&Lti3u&oImZt>kV2M?y^3+=PY`*C|6HC2Q7fpUhs{K%1!au%y
z_FSD|0o9(4+IbXVd#WVJn9VVwn55*5>qSs}oBC(^Bq9=fw8nOy@FZt+G%xJ%vmKk?
zWN0fF?>(k{P;e7=cG?n~bI}H#z2AyqK5@L2dh5d>3{qreexd8^_SbM?qh7pOl&0nA
zz5NGr)s+U?7dA69yn;ax9L?jSvEOq9g)(@^L77xFy7>ZsG+GDrpRx|>W@BukKl!|9
zy>Vll@I<aOO&fNH95Wzs>NAA6fl&j4cfP6^SgyoAONY@d(mWb1BGHt2ZH}uDRjV8X
znw>mt`>oBaj8_Ib7=)EXt#$gvSB)nssQiLMw9Zk@C3PQO&vp0jUFdGkyzQ^@j*02@
z?qJ{1AE~7K@TE61PEzV55Vh}HAD7cvf<jO5=ulyW9%;dpFeub!&pNElowcU*?N1;{
z@)t>4cWd~{7G=@Y7`~+R^1GFP*GZ5%C+O%6QxnrYV;wxW7uga#k{=AyrtSL#Jx<G?
zGJ6r`63%!VD{|{F!TWcVsoiUv`FhMf`#^!16>8915n;mAE#>s=nJ4JoNR?Kdbex=r
zzg1jl-e*CNi_1Na<8IZ(X$7gkE&|-=;}<RL7X0i~>@RyiKeG+5tVrGZwQQREQh;?c
zBBs=J6=tP`>lah6U$YY~H>6H!TWcOq7U!Ry%YJQf-i@P_<8gJojgD8t^TA<eT@$Yx
zZuc09H(ZVYk}TP#Gd33n$xsOu9zNOilVmRJF64H<CX8OV(A*u(XvRrZb&)md!UKQ4
zNeVHqL~fa)&e2i1^y=SHo3AK~C1um&Z-zoi5t0%Z<>Kg=o^8X1DkY-Ti5u!~FG+t`
zqCC2?xyPZcd)WEB+pTN5%~LjWWgKxjD|0?9WD@5ZDarPq*9`7X*ez<O=P2Zs)cB(R
zfNglWaBjT7VQ+A8qQiFLY}-Rulk|EJ05q^(0S^cKG4QGG|0Co}$Ma25N}TKO-X5x(
zCrGc)Q|A#bDl~g7K71h^-yQW~YYtz}`8SswZc5p=74@;nmyZ&Gt^FM5)lA{(tmR&x
zt)|et>T3R&8(uz2qz`g`0L?_ei|<4HnL=;k`BCky6JYn-J?=*rzw+nrP@?&>lSlY8
zpR2W-1ML2rTg*VS{pmOTAtc~AVxMpGY4re(F0a69bdC6Mw#rcW2YLd2SjI>~*9Z>#
z$YZABv!@+8@bI(5@-J?ZR6K5VdlAr6r@E?oaFo|d0~_t~H+24u;hx18Fm>qf%Cqk7
z`k}hC%xSG<K8h=(G6zR*|LiAtN=3aVy6d?dHr#_W5c;#6S*<N_G3wUSb4gRSdHUna
zse{8JkB`0lYW4V1Zj0*EAE-@(AFC%{x4Y6*qgkZO8A8ZWSS!)rB_Tl<vqO4J!v|&w
z4&d9)kHt>wN3!H#QIWt8XJr>wE|m4{?SDf0??~_|1%}KhJ(WW#r)e={a176A?#UD7
z#BKRE=mt0{=ub*Z%jjrJhj3Pm%vq%)DHp+@z_0GFp;TqQ&AGQeDTn`eBwtN^a|7Z~
z_jru{UtC=L8}Dbu6W@eR9q0nw*K(E8d$cmiir{}F1$S}$KVd)eGJbYwj~UuR7Z|j4
zhNyMbHkSkw>AX*`j;mV3iU>b^gYl#57C)GU{xIins|;Ge$iZ*#V^plS;0=A9RyE@7
zgCj_E#&`FJ8(jsV)(3_O4hBb;l;Os|e(aB{e8tpqKK4Jcg~k@8n1$5lTK%O1`-NT>
zay9imxcA@pE&jdOpTwmeQeS05<$|>6R8JRuNUeHA{c4}5+ar`V6m0_6C)%qq(kOAa
zQN!=40~_+C1-%yg?Tn<tpZ&yDHYi2?U&9{Iu&~3KiUO<pbrI=c&1cSUS^={J7f-l(
zI`^N;5ZEE@-{qB|L{b%D&j}B7GOohs8abO>=M@ajk(E|%MUP^i4=4EfSHcH>8)5i+
zpNY+favUg&WsIWQC~Y{4@JVtkd0bCB19~+g)+Rsdkzi<aVM1C5dG&~|IOL$$sZL!D
z_4V7zX9!Ovk06t`C;@*5T8Q@*-~GMNlq9WZCY2Y)QO8a`W&EDQ8a;=o+V93K`=ojj
z+9Z05kdaVp9ifApQu3J#CY5{FtaEwDol-Ekx?h(L-q=>)ciWRk<`zHFl$Z<4ir5~p
zE7sPIF$>pre5ppzPNdM4?2$INcx~^v)2Q|-p>RiJwyw4J(-gPV!}?2RIJ@(+=bh1`
zs^$zXJEmZNBU6yTIDR$0()R#E0!#Dr!l=fR52@KvjS5b{W7OIkLIQ_zhs2_v9BX@9
zYmLt55K^fpifUqi?z=Uy;ScUoe;a)^Jww1y?a<g4&OuD@ie%WqZJ8poboG|)s8AAJ
zX72ik8&s6l=yqKWMekx&zV5Q)_`NFWg>!ogh9>Tk3_|N|{y+}pw88%<YS$R7wEOzT
zr*)j0H5Y?F8FnEIwE}eltnb#J=h|xeR9h;xYB?hfyxW65(Z>8Q9neOv^j-LKOWDov
z#}yr<VZN9XF%==uNTX-`gHx_bsx&NBLuW$%zVsq~&&d8Yks{uT_VhNZ#7_IP@L8eX
z%Br`?Jnrvo6rMySDsr_=&3!{i?0utx$m+BE+u<%9Ul)uD(DqpG<Vmf`8<>b%NC@J8
z{C&xZv@fXr_hL#lYPE-^8-;KGrSm_xH7)s0zi%<Z^@1&WTkO~!i^%067W=Pn;!`L@
zc19jk;M)dxEzzerksK8p=Af=zgB@B1@AkAL*;S#(v)@t<&b7r}kSXslh;*@6!1nGn
z(jvl8)uu-J-$|Mi&P$c`LrGiuk@?${Iw4+Jk`elSXCv3uR?&w(lHtoaMCQ5==9E1H
zlaf1TUW4~p{?CX>70^n1S6Z3=s78k&<-&5#2<zId;uI<m^v)`B@qzK%pT8dpXC7@B
z=T@a#a#|KJxn*!xSMc@0d956e&F~nHQ$b-Qs=_0`N6ejTdFkK`-r$H-AveX^cp<#Z
ztl*<E_p4XQBHbv*<wE&_0lbN{*nKm>{_UNcZy&yN2<u(WTV3dSeR$Z}2*(F!u|h0|
zE2q|jdha$0rDIYQmQ|P6<CadMQ!v<VJoFgF>OsTN4b{VxAl`ey>yA38n4&vU^f05|
z7Oi_pkr^1vh_UOB+wx8gE1pK%Og12Fgw`19UjM(ku00;=td0MqL}YeTD7jQKS-DN)
zI^>pU#%)U%m54PiqY`7*m>6VN$)(1~wV}(-Yg`)kGg9lCt%$+2ScDmDjj<z<OGY%~
zJwN}wf4qOqAJ6xB&U4OlInVE$Ip;JnwVlHj#%2{$sq<^dFLXFkI&d`p%&p!iic5N%
z6TMf^n|Oj4DogfU-bI21?|xNK-#96dx=vbL=u{xI{8qo&Sp{`Xh1V#LaMA++XAl3W
zBhoL^R5x?_rVhQ?2&ZVDP}v-FW)2TWFN<>!yO#Wj+Lk%V%u(zx8#|fInv-W<ggGxv
z|6G>rd8~ccEuP0AFkHi(x?Nk}Ry;}Q#uwzm;eb<BF%;_J#DWubLDwy?DKl|iLreBw
z*Nvzf$v$Q0lqhnC*;ip`sKw<9g^9nUX(6W@%A@j_jvjV^-2lZY5IlFCbo()9Q|m|F
z#R|Du(744oXCOumHWj3X$X&JzU*{<#L+Wqr2ggr1)DW5pT{w6$VEyWYl?u<ji)qzQ
zIj~J{{F>@F=Y^WTV${Cd;Jh8!ne=_Ps=O&OD%b`KHI;lAYroV`J{yHKHP{Cb=*LPT
zvj6@dCmOsSN`h=J{P{s%!e6TvT|!Ba7&!J`na#2ic3|a*0$Q9{0YJo|-)?^s_qo-L
z--~@thfS_+-NHhN8|MbP%_9xArkvajCB}c5o?y|!uQ14tM!-HPk1nlrF`SgobXOh#
z09^>@D|z4WB1dwU1<y4%f9<Sr7t8$16Wgsx5UvR1lf1KoLPLoi30C1vPr*|9*RgD?
z#qcXY{v*x3jJH2^)^u$#D<B`j!{S2%SIl$BuH{YfTd|Oumd)u0<xjctJ)L^{jR1f2
z>GuagE}tob4bZ7za8(Inkk5n)=e!$=p8$Gm@b=;vm+>uf+WFzE01<@tO?Ca+x#Q0X
zzfHGa-$IsnT>zko?fV%?x|VCiGj4bdER<zw^Y??#Jl?ADk>S37Rs;ayyl0wGZ_mKq
zNb9P0V5jW`PalJmv3{nN>v`C<LsXzAz4^*rCgnJKXzf8|eVT9yLXV`rn#Ugyu1+=K
z8;+G_;()`XnAE!QlahGObBdIJ^)Xv4#L5UBElZxHeVMx6!YQ!K?*@%^d<!3p%D&b>
zB@SmzlK9G-48YAB49oD7vLjPh4udNnz)`>V3_UI@>1^%8cnd5<_yjpK#HR;kFY)6B
zV9f%;;0nB6s5G?JRPt1%3`J)<Wp$}OJ=bsP?R<pH#E_N+_X&5cn$HwE2IZ{FLfX<~
zOA!6+_@D0Y5%uEaOQlS0aKUXK76}~Dxp?0D`b&`}iRJ_;LB}7FV?L!}q*<(a0!-ZV
zZ~jcwV)JOESj&p82q~t7L=QX;C@5O=^WdQzKr_CKionvfY*Z>`(4<fg9NAZb-c*od
zuGV)8?e`>G14OiT3?6ZRZuUt<;k-8Z$V5ZhmHV7Sg;JEP@Ef3Ohk9d#Q-;l>`AJdj
zjwC1uLaT{Qs+)U?)-VV#8j$<Bi+!(31p!)?{P>x6of7b#ry6uKx5&7;My_5|JrxWv
zt;!J$Ny|f3LExFdKMM9jT<_?=<%Fr3mpY%i{I`AFMu^fwYyr5NE*E{eP;=F)I@{Je
zs$>v%xLp4=rN>n>{rE@Y60#`*4$Ye#aag}1wav2uai6fJA}D1i_V&6brKPYx-|3$u
z{Lp7Q08QA|6)*Xt>dM1h=EF!}CRc}8uJ#H$dIKo9Wj8%d0NMK=7QU)P5WqgxaCx>t
z-W<aK%a{lVDU$@X-Va^1M!+fPPEaGW>Rx@q(T)5ENvxsx0Vc0O-&S(`$Pqw~7itU%
z!)6t*QfD~GGQbL$8icHP$^|b)HG2E1BQ$`S@-ez-_ARefVc)|0y3GnHYI`AEA9F3z
zX*yAwfY+dw13_H(g3kQ=O_j66H9tq{aHtB<<|fcaGQFmg@s0K3BKIdfGvLHoRtCg0
z^XKtiV-xz7;!+#j4yc0*;yPe{bR_o|6)gr?1p&$_=k|ZCiD|j{%zNEb(b$&$-;fF^
zCi<Y+TYfd_J|hY3cPE!h$gArhN4M&b3unI1^|R6*)b~r`{NTO=82NL)ht|L)qi|^k
z_|Gs{R87SvI7oU~0#dbPE9^wJo8O%@(fZa*(E1E^6Cf7L9p8nj0@GzpPV9z&=!^1a
zBu|$cT`%0q%x`<b>BfEZq1Rj7GOn+7R~IjAkg*xkhSVymj6XVw?+Z=Yl+V!sl~rzy
z|B*Mm5EK<n91y&W0;PpwO7PD;!Y^zjX~w6>gNg$R-OM&;doR>^@bhcy^nsYH;=Z=J
zNsKfWe=0r#rXRb{dQ&1eaN}1!&g#XJI(R5W!P#R)Buh9rc`(H3uq5;S6`)Z{$gac0
z?AWM0l&~^0&`3c3kj*z#h0qZ0yr0mYQbBDv)#s%b27s?Tc*NR7&I0Sq2N^SbE&%P|
zp$UeGepWnQYhPneU%8V@d&AnK7X_r^eL2_!!D1ax`sPXXd9;HUJfQUN9lx~lDVslx
zZ9hm0^i8>?3(DjocS8;){Bo*hBDb<B+I&Mx_r}N=S!2(PCSG6s2>AQ%L;KjK7*39$
zmit=cQO0>)P%{xG_fcat2a*J_vr4&+t(QQL>Eczwh0CQ0?Tf<x`G4QlAug@oQ2-U2
zHq^u)$ecE_Ve4Bc1LcVOjVcBSIwFBm__KY51?T*%q)je;Fm7*;!9(t{MvFj-3^)pW
zpMJC$$+04Ga{YC>bp$5>&T&H?^I_F&73~2^=+r6cXOMmXMsq*$vFiDUQ4!&?VqZgL
z2IJrcQ0+J4xiKr#@0MOf_GzKKAA{z#kG6PiCyiX;dSk9GH;Kg4+*kwyY}7(Q_qtz%
zQvz+Z&GRI&KC9`-yP$NL&_3oh8)|r!RMvxkdsQ!2XOw511pC8I>#0)R@PtyEai-XF
z)+7TMXh@Rt^i)|v50PzgRhl}I<U;E;2D>GR3vkz12P`N9vPQ?CvdaYdfSMvm^M`a9
zakj)pQQS()v-@*#CNe=54HT7VsN-{RYhLEZ@wp;LQ?@ZO?>le_*wY~-Tj^^g{nRgn
z?fg@&2E`HOt1qb~A{gIVRiLujF|5?_VE=Js$+2A^>H6Gd(MVA>UfGO2%u~O3Rt7h1
z(V2x^W<O9K+FOUH3DjjaO)Vh`7tP}M0av&P54$`JC`hW(Sq>Ph&i<sLPdQJ=z19@P
zpLCTY$9YsY2f`+}t>24duhAY&Nq(|OxXW6cwDj*Yx~Bk5q(5eiAgw$jfA+m!bU}16
zvuK1FZdy9`e1%(fqV0(~sN`BfHAI_!p3N4&*3c@9o$5Lr!RO~Mv6I_RDnoRa29&C&
znTe6f`E&fVN#hwpFxGsg>m^BZnK2l~A7Q9aqKBu#ml@zQUJ2UGA@|-fDoqXN5i2{(
zIxO3y0z#2@j%6Dj%g8=lzX`v<niub6f%iwtA1D{LCDz}taloeI_r&*aZD-ai#A3c~
zvuFQ-9Wty<$GV}uTyM#=KmU$m22M}aK6FdvKR!7b$N6Kq`*)^Ah9ZQ%E_Xs%2c8Y9
zbBC*E6xr<@nGj44wF@DIf*%Nj##ox7ZA{Ua(`Z{e%fohuZH&=qJ2X1yS+&mpFkHPx
ZAcj%@Kf}aFO*UYF@NPcGs*eVx{udGWd3^u?

literal 0
HcmV?d00001

diff --git a/org.jdrupes.vmoperator.vmaccess/resources/org/jdrupes/vmoperator/vmaccess/osicons/tux.svg b/org.jdrupes.vmoperator.vmaccess/resources/org/jdrupes/vmoperator/vmaccess/osicons/tux.svg
new file mode 100644
index 0000000..6b558e7
--- /dev/null
+++ b/org.jdrupes.vmoperator.vmaccess/resources/org/jdrupes/vmoperator/vmaccess/osicons/tux.svg
@@ -0,0 +1,438 @@
+<?xml version="1.0" encoding="utf-8"?>
+<svg version="1.1" viewBox="0 0 216 256" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
+	<title>Tux</title>
+	<defs id="tux_fx">
+		<linearGradient id="gradient_belly_shadow">
+			<stop offset="0" stop-color="#000000"/>
+			<stop offset="1" stop-color="#000000" stop-opacity="0.25"/>
+		</linearGradient>
+		<linearGradient id="gradient_wing_tip_right_shadow">
+			<stop offset="0"    stop-color="#110800"/>
+			<stop offset="0.59" stop-color="#a65a00" stop-opacity="0.8"/>
+			<stop offset="1"    stop-color="#ff921e" stop-opacity="0"/>
+		</linearGradient>
+		<linearGradient id="gradient_wing_tip_right_glare_1">
+			<stop offset="0" stop-color="#7c7c7c"/>
+			<stop offset="1" stop-color="#7c7c7c" stop-opacity="0.33"/>
+		</linearGradient>
+		<linearGradient id="gradient_wing_tip_right_glare_2">
+			<stop offset="0" stop-color="#7c7c7c"/>
+			<stop offset="1" stop-color="#7c7c7c" stop-opacity="0.33"/>
+		</linearGradient>
+		<linearGradient id="gradient_foot_left_layer_1">
+			<stop offset="0" stop-color="#b98309"/>
+			<stop offset="1" stop-color="#382605"/>
+		</linearGradient>
+		<linearGradient id="gradient_foot_left_glare">
+			<stop offset="0" stop-color="#ebc40c"/>
+			<stop offset="1" stop-color="#ebc40c" stop-opacity="0"/>
+		</linearGradient>
+		<linearGradient id="gradient_foot_right_shadow">
+			<stop offset="0" stop-color="#000000"/>
+			<stop offset="1" stop-color="#000000" stop-opacity="0"/>
+		</linearGradient>
+		<linearGradient id="gradient_foot_right_layer_1">
+			<stop offset="0" stop-color="#3e2a06"/>
+			<stop offset="1" stop-color="#ad780a"/>
+		</linearGradient>
+		<linearGradient id="gradient_foot_right_glare">
+			<stop offset="0" stop-color="#f3cd0c"/>
+			<stop offset="1" stop-color="#f3cd0c" stop-opacity="0"/>
+		</linearGradient>
+		<linearGradient id="gradient_eyeball">
+			<stop offset="0"    stop-color="#fefefc"/>
+			<stop offset="0.75" stop-color="#fefefc"/>
+			<stop offset="1"    stop-color="#d4d4d4"/>
+		</linearGradient>
+		<linearGradient id="gradient_pupil_left_glare">
+			<stop offset="0"    stop-color="#757574" stop-opacity="0"/>
+			<stop offset="0.25" stop-color="#757574"/>
+			<stop offset="0.5"  stop-color="#757574"/>
+			<stop offset="1"    stop-color="#757574" stop-opacity="0"/>
+		</linearGradient>
+		<linearGradient id="gradient_pupil_right_glare_2">
+			<stop offset="0"   stop-color="#949494" stop-opacity="0.39"/>
+			<stop offset="0.5" stop-color="#949494"/>
+			<stop offset="1"   stop-color="#949494" stop-opacity="0.39"/>
+		</linearGradient>
+		<linearGradient id="gradient_eyelid_left">
+			<stop offset="0" stop-color="#c8c8c8"/>
+			<stop offset="1" stop-color="#797978"/>
+		</linearGradient>
+		<linearGradient id="gradient_eyelid_right">
+			<stop offset="0"    stop-color="#747474"/>
+			<stop offset="0.13" stop-color="#8c8c8c"/>
+			<stop offset="0.25" stop-color="#a4a4a4"/>
+			<stop offset="0.5"  stop-color="#d4d4d4"/>
+			<stop offset="0.62" stop-color="#d4d4d4"/>
+			<stop offset="1"    stop-color="#7c7c7c"/>
+		</linearGradient>
+		<linearGradient id="gradient_eyebrow">
+			<stop offset="0"    stop-color="#646464" stop-opacity="0"/>
+			<stop offset="0.31" stop-color="#646464" stop-opacity="0.58"/>
+			<stop offset="0.47" stop-color="#646464"/>
+			<stop offset="0.73" stop-color="#646464" stop-opacity="0.26"/>
+			<stop offset="1"    stop-color="#646464" stop-opacity="0"/>
+		</linearGradient>
+		<linearGradient id="gradient_beak_base">
+			<stop offset="0"    stop-color="#020204"/>
+			<stop offset="0.73" stop-color="#020204"/>
+			<stop offset="1"    stop-color="#5c5c5c"/>
+		</linearGradient>
+		<linearGradient id="gradient_mandible_lower">
+			<stop offset="0"    stop-color="#d2940a"/>
+			<stop offset="0.75" stop-color="#d89c08"/>
+			<stop offset="0.87" stop-color="#b67e07"/>
+			<stop offset="1"    stop-color="#946106"/>
+		</linearGradient>
+		<linearGradient id="gradient_mandible_upper">
+			<stop offset="0"    stop-color="#ad780a"/>
+			<stop offset="0.12" stop-color="#d89e08"/>
+			<stop offset="0.25" stop-color="#edb80b"/>
+			<stop offset="0.39" stop-color="#ebc80d"/>
+			<stop offset="0.53" stop-color="#f5d838"/>
+			<stop offset="0.77" stop-color="#f6d811"/>
+			<stop offset="1"    stop-color="#f5cd31"/>
+		</linearGradient>
+		<linearGradient id="gradient_nares">
+			<stop offset="0"    stop-color="#3a2903"/>
+			<stop offset="0.55" stop-color="#735208"/>
+			<stop offset="1"    stop-color="#ac8c04"/>
+		</linearGradient>
+		<linearGradient id="gradient_beak_corner">
+			<stop offset="0" stop-color="#f5ce2d"/>
+			<stop offset="1" stop-color="#d79b08"/>
+		</linearGradient>
+		<radialGradient id="fill_belly_shadow_left" href="#gradient_belly_shadow" xlink:href="#gradient_belly_shadow"
+			gradientUnits="userSpaceOnUse" cx="0" cy="0" r="1" gradientTransform="translate(61.18,121.19) scale(19,18)"/>
+		<radialGradient id="fill_belly_shadow_right" href="#gradient_belly_shadow" xlink:href="#gradient_belly_shadow"
+			gradientUnits="userSpaceOnUse" cx="0" cy="0" r="1" gradientTransform="translate(125.74,131.6) scale(23.6,18)"/>
+		<radialGradient id="fill_belly_shadow_middle" href="#gradient_belly_shadow" xlink:href="#gradient_belly_shadow"
+			gradientUnits="userSpaceOnUse" cx="0" cy="0" r="1" gradientTransform="translate(94.21,127.47) scale(9.35,10)"/>
+		<linearGradient id="fill_foot_left_base" href="#gradient_foot_left_layer_1" xlink:href="#gradient_foot_left_layer_1"
+			gradientUnits="userSpaceOnUse" x1="23.18" y1="193.01" x2="64.31" y2="262.02"/>
+		<linearGradient id="fill_foot_left_glare" href="#gradient_foot_left_glare" xlink:href="#gradient_foot_left_glare"
+			gradientUnits="userSpaceOnUse" x1="64.47" y1="210.83" x2="77.41" y2="235.21"/>
+		<linearGradient id="fill_foot_right_shadow" href="#gradient_foot_right_shadow" xlink:href="#gradient_foot_right_shadow"
+			gradientUnits="userSpaceOnUse" x1="146.93" y1="211.96" x2="150.2" y2="235.73"/>
+		<linearGradient id="fill_foot_right_base" href="#gradient_foot_right_layer_1" xlink:href="#gradient_foot_right_layer_1"
+			gradientUnits="userSpaceOnUse" x1="151.5" y1="253.02" x2="192.94" y2="185.84"/>
+		<linearGradient id="fill_foot_right_glare" href="#gradient_foot_right_glare" xlink:href="#gradient_foot_right_glare"
+			gradientUnits="userSpaceOnUse" x1="162.81" y1="180.67" x2="161.59" y2="191.64"/>
+		<radialGradient id="fill_wing_tip_right_shadow_lower" href="#gradient_wing_tip_right_shadow" xlink:href="#gradient_wing_tip_right_shadow"
+			gradientUnits="userSpaceOnUse" cx="0" cy="0" r="1" gradientTransform="translate(169.71,194.53) rotate(15) scale(19.66,20.64)"/>
+		<radialGradient id="fill_wing_tip_right_shadow_upper" href="#gradient_wing_tip_right_shadow" xlink:href="#gradient_wing_tip_right_shadow"
+			gradientUnits="userSpaceOnUse" cx="0" cy="0" r="1" gradientTransform="translate(169.71,189.89) rotate(-2.42) scale(19.74,14.86)"/>
+		<radialGradient id="fill_wing_tip_right_glare_1" href="#gradient_wing_tip_right_glare_1" xlink:href="#gradient_wing_tip_right_glare_1"
+			gradientUnits="userSpaceOnUse" cx="0" cy="0" r="1" gradientTransform="translate(184.65,176.62) rotate(23.5) scale(6.95,3.21)"/>
+		<linearGradient id="fill_wing_tip_right_glare_2" href="#gradient_wing_tip_right_glare_2" xlink:href="#gradient_wing_tip_right_glare_2"
+			gradientUnits="userSpaceOnUse" x1="165.69" y1="173.58" x2="168.27" y2="173.47"/>
+		<radialGradient id="fill_eyeball_left" href="#gradient_eyeball" xlink:href="#gradient_eyeball"
+			gradientUnits="userSpaceOnUse" cx="0" cy="0" r="1" gradientTransform="translate(86.49,51.41) rotate(-0.6) scale(10.24,15.68)"/>
+		<linearGradient id="fill_pupil_left_glare" href="#gradient_pupil_left_glare" xlink:href="#gradient_pupil_left_glare"
+			gradientUnits="userSpaceOnUse" x1="84.29" y1="46.64" x2="89.32" y2="55.63"/>
+		<radialGradient id="fill_eyelid_left" href="#gradient_eyelid_left" xlink:href="#gradient_eyelid_left"
+			gradientUnits="userSpaceOnUse" cx="0" cy="0" r="1" gradientTransform="translate(84.89,43.74) rotate(-9.35) scale(6.25,5.77)"/>
+		<linearGradient id="fill_eyebrow_left" href="#gradient_eyebrow" xlink:href="#gradient_eyebrow"
+			gradientUnits="userSpaceOnUse" x1="83.59" y1="32.51" x2="94.48" y2="43.63"/>
+		<radialGradient id="fill_eyeball_right" href="#gradient_eyeball" xlink:href="#gradient_eyeball"
+			gradientUnits="userSpaceOnUse" cx="0" cy="0" r="1" gradientTransform="translate(118.06,51.41) rotate(-1.8) scale(13.64,15.68)"/>
+		<linearGradient id="fill_pupil_right_glare" href="#gradient_pupil_right_glare_2" xlink:href="#gradient_pupil_right_glare_2"
+			gradientUnits="userSpaceOnUse" x1="117.87" y1="47.25" x2="123.66" y2="54.11"/>
+		<linearGradient id="fill_eyelid_right" href="#gradient_eyelid_right" xlink:href="#gradient_eyelid_right"
+			gradientUnits="userSpaceOnUse" x1="112.9" y1="36.23" x2="131.32" y2="47.01"/>
+		<linearGradient id="fill_eyebrow_right" href="#gradient_eyebrow" xlink:href="#gradient_eyebrow"
+			gradientUnits="userSpaceOnUse" x1="119.16" y1="31.56" x2="131.42" y2="43.14"/>
+		<radialGradient id="fill_beak_base" href="#gradient_beak_base" xlink:href="#gradient_beak_base"
+			gradientUnits="userSpaceOnUse" cx="0" cy="0" r="1" gradientTransform="translate(97.64,60.12) rotate(-36) scale(11.44,10.38)"/>
+		<radialGradient id="fill_mandible_lower_base" href="#gradient_mandible_lower" xlink:href="#gradient_mandible_lower"
+			gradientUnits="userSpaceOnUse" cx="0" cy="0" r="1" gradientTransform="translate(109.77,70.61) rotate(-22.4) scale(27.15,19.07)"/>
+		<linearGradient id="fill_mandible_upper_base" href="#gradient_mandible_upper" xlink:href="#gradient_mandible_upper"
+			gradientUnits="userSpaceOnUse" x1="78.09" y1="69.26" x2="126.77" y2="68.88"/>
+		<radialGradient id="fill_naris_left" href="#gradient_nares" xlink:href="#gradient_nares"
+			gradientUnits="userSpaceOnUse" cx="0" cy="0" r="1" gradientTransform="translate(92.11,59.88) scale(1.32,1.42)"/>
+		<radialGradient id="fill_naris_right" href="#gradient_nares" xlink:href="#gradient_nares"
+			gradientUnits="userSpaceOnUse" cx="0" cy="0" r="1" gradientTransform="translate(104.65,59.7) scale(2.78,1.62)"/>
+		<linearGradient id="fill_beak_corner" href="#gradient_beak_corner" xlink:href="#gradient_beak_corner"
+			gradientUnits="userSpaceOnUse" x1="126.74" y1="67.49" x2="126.74" y2="71.09"/>
+		<filter id="blur_belly_shadow_left">
+			<feGaussianBlur stdDeviation="0.64 0.55"/>
+		</filter>
+		<filter id="blur_belly_shadow_right">
+			<feGaussianBlur stdDeviation="0.98"/>
+		</filter>
+		<filter id="blur_belly_shadow_middle">
+			<feGaussianBlur stdDeviation="0.68"/>
+		</filter>
+		<filter id="blur_belly_shadow_lower" x="-0.8" width="2.6" y="-0.2" height="1.4">
+			<feGaussianBlur stdDeviation="1.25"/>
+		</filter>
+		<filter id="blur_belly_glare" x="-0.8" width="2.6" y="-0.5" height="2">
+			<feGaussianBlur stdDeviation="1.78 2.19"/>
+		</filter>
+		<filter id="blur_head_glare" x="-0.3" width="1.6" y="-0.3" height="1.6">
+			<feGaussianBlur stdDeviation="1.73"/>
+		</filter>
+		<filter id="blur_neck_glare" x="-0.2" width="1.4" y="-0.2" height="1.4">
+			<feGaussianBlur stdDeviation="0.78"/>
+		</filter>
+		<filter id="blur_wing_left_glare" x="-0.2" width="1.4" y="-0.2" height="1.4">
+			<feGaussianBlur stdDeviation="0.98"/>
+		</filter>
+		<filter id="blur_wing_right_glare" x="-0.2" width="1.4" y="-0.2" height="1.4">
+			<feGaussianBlur stdDeviation="1.19 1.17"/>
+		</filter>
+		<filter id="blur_foot_left_layer_1" x="-0.2" width="1.4" y="-0.2" height="1.4">
+			<feGaussianBlur stdDeviation="3.38"/>
+		</filter>
+		<filter id="blur_foot_left_layer_2">
+			<feGaussianBlur stdDeviation="2.1 2.06"/>
+		</filter>
+		<filter id="blur_foot_left_glare">
+			<feGaussianBlur stdDeviation="0.32"/>
+		</filter>
+		<filter id="blur_foot_right_shadow">
+			<feGaussianBlur stdDeviation="1.95 1.9"/>
+		</filter>
+		<filter id="blur_foot_right_layer_1" x="-0.2" width="1.4" y="-0.2" height="1.4">
+			<feGaussianBlur stdDeviation="4.12"/>
+		</filter>
+		<filter id="blur_foot_right_layer_2" x="-0.2" width="1.4" y="-0.2" height="1.4">
+			<feGaussianBlur stdDeviation="3.12 3.37"/>
+		</filter>
+		<filter id="blur_foot_right_glare" x="-0.2" width="1.4" y="-0.2" height="1.4">
+			<feGaussianBlur stdDeviation="0.41"/>
+		</filter>
+		<filter id="blur_wing_tip_right_shadow_lower" x="-0.3" width="1.6" y="-0.3" height="1.6">
+			<feGaussianBlur stdDeviation="2.45"/>
+		</filter>
+		<filter id="blur_wing_tip_right_shadow_upper" x="-0.2" width="1.4" y="-0.2" height="1.4">
+			<feGaussianBlur stdDeviation="1.12 0.81"/>
+		</filter>
+		<filter id="blur_wing_tip_right_glare" x="-0.2" width="1.4" y="-0.2" height="1.4">
+			<feGaussianBlur stdDeviation="0.88"/>
+		</filter>
+		<filter id="blur_pupil_left_glare" x="-0.3" width="1.6" y="-0.3" height="1.6">
+			<feGaussianBlur stdDeviation="0.44"/>
+		</filter>
+		<filter id="blur_eyebrow_left">
+			<feGaussianBlur stdDeviation="0.12"/>
+		</filter>
+		<filter id="blur_pupil_right_glare" x="-0.2" width="1.4" y="-0.2" height="1.4">
+			<feGaussianBlur stdDeviation="0.45"/>
+		</filter>
+		<filter id="blur_eyebrow_right">
+			<feGaussianBlur stdDeviation="0.13"/>
+		</filter>
+		<filter id="blur_beak_shadow_lower" x="-0.2" width="1.4" y="-0.2" height="1.4">
+			<feGaussianBlur stdDeviation="1.75"/>
+		</filter>
+		<filter id="blur_beak_shadow_upper">
+			<feGaussianBlur stdDeviation="0.8 0.74"/>
+		</filter>
+		<filter id="blur_mandible_lower_glare" x="-0.2" width="1.4" y="-0.2" height="1.4">
+			<feGaussianBlur stdDeviation="0.77"/>
+		</filter>
+		<filter id="blur_mandible_upper_shadow">
+			<feGaussianBlur stdDeviation="0.65"/>
+		</filter>
+		<filter id="blur_mandible_upper_glare" x="-0.2" width="1.4" y="-0.2" height="1.4">
+			<feGaussianBlur stdDeviation="0.73"/>
+		</filter>
+		<filter id="blur_naris_left" x="-0.2" width="1.4" y="-0.2" height="1.4">
+			<feGaussianBlur stdDeviation="0.1"/>
+		</filter>
+		<filter id="blur_naris_right">
+			<feGaussianBlur stdDeviation="0.1"/>
+		</filter>
+		<filter id="blur_beak_corner" x="-0.2" width="1.4" y="-0.2" height="1.4">
+			<feGaussianBlur stdDeviation="0.23"/>
+		</filter>
+		<clipPath id="clip_body">
+			<use href="#body_base" xlink:href="#body_base"/>
+		</clipPath>
+		<clipPath id="clip_wing_left">
+			<use href="#wing_left_base" xlink:href="#wing_left_base"/>
+		</clipPath>
+		<clipPath id="clip_wing_right">
+			<use href="#wing_right_base" xlink:href="#wing_right_base"/>
+		</clipPath>
+		<clipPath id="clip_foot_left">
+			<use href="#foot_left_base" xlink:href="#foot_left_base"/>
+		</clipPath>
+		<clipPath id="clip_foot_right">
+			<use href="#foot_right_base" xlink:href="#foot_right_base"/>
+		</clipPath>
+		<clipPath id="clip_wing_tip_right">
+			<use href="#wing_tip_right_base" xlink:href="#wing_tip_right_base"/>
+		</clipPath>
+		<clipPath id="clip_eye_left">
+			<use href="#eyeball_left" xlink:href="#eyeball_left"/>
+		</clipPath>
+		<clipPath id="clip_pupil_left">
+			<use href="#pupil_left_base" xlink:href="#pupil_left_base"/>
+		</clipPath>
+		<clipPath id="clip_eye_right">
+			<use href="#eyeball_right" xlink:href="#eyeball_right"/>
+		</clipPath>
+		<clipPath id="clip_pupil_right">
+			<use href="#pupil_right_base" xlink:href="#pupil_right_base"/>
+		</clipPath>
+		<clipPath id="clip_mandible_lower">
+			<use href="#mandible_lower_base" xlink:href="#mandible_lower_base"/>
+		</clipPath>
+		<clipPath id="clip_mandible_upper">
+			<use href="#mandible_upper_base" xlink:href="#mandible_upper_base"/>
+		</clipPath>
+		<clipPath id="clip_beak">
+			<use href="#mandible_lower_base" xlink:href="#mandible_lower_base"/>
+			<use href="#mandible_upper_base" xlink:href="#mandible_upper_base"/>
+		</clipPath>
+	</defs>
+	<g id="tux">
+		<g id="body">
+			<path id="body_base" fill="#020204"
+				d="m 106.95,0 c -6,0 -12.02,1.18 -17.46,4.12 -5.78,3.11 -10.52,8.09 -13.43,13.97 -2.92,5.88 -4.06,12.16 -4.24,19.08 -0.33,13.14 0.3,26.92 1.29,39.41 0.26,3.8 0.74,6.02 0.25,9.93 -1.62,8.3 -8.88,13.88 -12.76,21.17 -4.27,8.04 -6.07,17.13 -9.29,25.65 -2.95,7.79 -7.09,15.1 -9.88,22.95 -3.91,10.97 -5.08,23.03 -2.5,34.39 1.97,8.66 6.08,16.78 11.62,23.73 -0.8,1.44 -1.58,2.91 -2.4,4.34 -2.57,4.43 -5.71,8.64 -7.17,13.55 -0.73,2.45 -1.02,5.07 -0.55,7.59 0.47,2.52 1.75,4.93 3.75,6.53 1.31,1.04 2.9,1.72 4.53,2.1 1.63,0.37 3.32,0.46 5,0.43 6.37,-0.14 12.55,-2.07 18.71,-3.69 3.66,-0.96 7.34,-1.81 11.03,-2.58 13.14,-2.69 27.8,-1.61 39.99,0.15 4.13,0.63 8.23,1.44 12.29,2.43 6.36,1.54 12.69,3.5 19.23,3.69 1.72,0.05 3.46,-0.03 5.14,-0.4 1.68,-0.38 3.31,-1.06 4.65,-2.13 2.01,-1.6 3.29,-4.02 3.76,-6.54 0.47,-2.52 0.18,-5.15 -0.56,-7.61 -1.48,-4.92 -4.65,-9.11 -7.27,-13.52 -1.04,-1.75 -2,-3.53 -3.03,-5.28 7.9,-8.87 14.26,-19.13 17.94,-30.4 4.01,-12.3 4.75,-25.55 3.06,-38.38 -1.69,-12.83 -5.76,-25.27 -11.11,-37.05 -6.72,-14.76 -12.37,-20.1 -16.47,-33.07 -4.42,-14.02 -0.77,-30.61 -4.06,-43.32 -1.17,-4.32 -3.04,-8.45 -5.45,-12.23 -2.82,-4.43 -6.4,-8.39 -10.65,-11.47 -6.78,-4.92 -15.3,-7.54 -23.96,-7.54 z"/>
+			<path id="belly" fill="#fdfdfb"
+				d="m 83.13,74 c -0.9,1.13 -1.48,2.49 -1.84,3.89 -0.35,1.4 -0.48,2.85 -0.54,4.3 -0.11,2.89 0.07,5.83 -0.7,8.62 -0.82,2.98 -2.65,5.57 -4.44,8.08 -3.11,4.36 -6.25,8.84 -7.78,13.97 -0.93,3.1 -1.24,6.39 -0.91,9.62 -3.47,5.1 -6.48,10.53 -8.98,16.18 -3.78,8.57 -6.37,17.69 -7.28,27.01 -1.12,11.41 0.34,23.15 4.85,33.69 3.25,7.63 8.11,14.6 14.38,20.04 3.18,2.76 6.72,5.11 10.5,6.97 13.11,6.45 29.31,6.46 42.2,-0.41 6.74,-3.59 12.43,-8.84 17.91,-14.15 3.3,-3.2 6.59,-6.48 9.11,-10.32 4.85,-7.41 6.54,-16.41 7.59,-25.2 1.83,-15.36 1.89,-31.6 -4.85,-45.53 -2.32,-4.8 -5.41,-9.22 -9.12,-13.05 -0.98,-6.7 -2.93,-13.27 -5.76,-19.42 -2.05,-4.45 -4.54,-8.68 -6.44,-13.18 -0.78,-1.85 -1.46,-3.75 -2.32,-5.56 -0.87,-1.81 -1.93,-3.55 -3.39,-4.94 -1.48,-1.42 -3.33,-2.43 -5.28,-3.07 -1.95,-0.65 -4.01,-0.94 -6.06,-1.04 -4.11,-0.21 -8.22,0.33 -12.33,0.16 -3.27,-0.13 -6.53,-0.7 -9.8,-0.51 -1.63,0.1 -3.26,0.39 -4.78,1.01 -1.52,0.61 -2.92,1.56 -3.94,2.84 z"/>
+			<g id="body_self_shadows">
+				<path id="belly_shadow_left" opacity="0.25" fill="url(#fill_belly_shadow_left)" filter="url(#blur_belly_shadow_left)" clip-path="url(#clip_body)"
+					d="m 68.67,115.18 c 0.87,1.31 -0.55,5.84 19.86,2.94 0,0 -3.59,0.39 -7.12,1.21 -5.49,1.84 -10.27,3.89 -13.97,6.61 -3.65,2.7 -6.33,6.21 -9.68,9.22 0,0 5.43,-9.92 6.78,-12.91 1.36,-2.99 -0.22,-2.85 0.85,-7.25 1.07,-4.4 3.69,-8.63 3.69,-8.63 0,0 -2.14,6.22 -0.41,8.81 z"/>
+				<path id="belly_shadow_right" opacity="0.42" fill="url(#fill_belly_shadow_right)" filter="url(#blur_belly_shadow_right)" clip-path="url(#clip_body)"
+					d="m 134.28,113.99 c -4.16,2.9 -6.6,2.56 -11.64,3.12 -5.05,0.57 -18.7,0.36 -18.7,0.36 0,0 1.97,-0.03 6.36,0.78 4.38,0.82 13.31,1.6 18.34,3.51 5.04,1.92 6.87,2.47 9.93,4.4 4.35,2.75 7.55,7.06 11.71,10.08 0,0 0.2,-4 -1.48,-6.99 -1.68,-2.99 -6.2,-7.7 -7.53,-12.1 -1.32,-4.4 -1.96,-13.04 -1.96,-13.04 0,0 -0.88,6.99 -5.03,9.88 z"/>
+				<path id="belly_shadow_middle" opacity="0.2" fill="url(#fill_belly_shadow_middle)" filter="url(#blur_belly_shadow_middle)" clip-path="url(#clip_body)"
+					d="m 95.17,107.81 c -0.16,1.25 -0.36,2.5 -0.6,3.74 -0.12,0.61 -0.26,1.22 -0.48,1.8 -0.23,0.58 -0.56,1.14 -1.02,1.55 -0.41,0.37 -0.9,0.62 -1.4,0.85 -1.94,0.88 -4.01,1.47 -6.12,1.74 0.84,0.06 1.68,0.14 2.53,0.23 0.53,0.06 1.06,0.12 1.57,0.25 0.52,0.14 1.03,0.34 1.46,0.65 0.47,0.35 0.84,0.82 1.12,1.34 0.55,1.02 0.73,2.2 0.83,3.37 0.13,1.48 0.14,2.98 0.03,4.46 0.1,-0.99 0.31,-1.98 0.62,-2.92 0.57,-1.72 1.47,-3.32 2.69,-4.65 0.49,-0.52 1.02,-1.01 1.6,-1.42 1.79,-1.26 4.07,-1.81 6.24,-1.51 -2.21,0.09 -4.44,-0.6 -6.2,-1.93 -0.9,-0.68 -1.68,-1.52 -2.22,-2.5 -0.84,-1.52 -1.08,-3.37 -0.65,-5.05 z"/>
+				<path id="belly_shadow_lower" opacity="0.11" fill="#000000" filter="url(#blur_belly_shadow_lower)" clip-path="url(#clip_body)"
+					d="m 89.85,137.14 c -1.06,4.03 -1.79,8.15 -2.17,12.31 -0.55,5.87 -0.42,11.78 -0.74,17.67 -0.26,4.99 -0.85,10.04 0.02,14.97 0.41,2.35 1.15,4.64 2.2,6.78 0.16,-0.82 0.29,-1.64 0.36,-2.47 0.37,-4 -0.3,-8.01 -0.53,-12.01 -0.4,-7.02 0.57,-14.04 0.97,-21.06 0.3,-5.39 0.27,-10.8 -0.11,-16.19 z"/>
+			</g>
+			<g id="body_glare">
+				<path id="belly_glare" opacity="0.75" fill="#7c7c7c" filter="url(#blur_belly_glare)" clip-path="url(#clip_body)"
+					d="m 160.08,131.23 c 1.03,-0.16 7.34,5.21 6.48,7.21 -0.86,1.99 -2.49,0.79 -3.65,0.8 -1.16,0.02 -4.33,1.46 -4.86,0.55 -0.54,-0.91 1.4,-3.03 2.41,-4.81 0.82,-1.43 -1.4,-3.59 -0.38,-3.75 z"/>
+				<path id="head_glare" fill="#7c7c7c" filter="url(#blur_head_glare)" clip-path="url(#clip_body)"
+					d="m 121.52,11.12 c -2.21,1.56 -1.25,3.51 -0.3,5.46 0.95,1.96 -2.09,7.59 -2.12,7.83 -0.03,0.24 5.98,-2.85 7.62,-4.87 1.94,-2.37 6.83,3.22 6.56,2.37 0.01,-1.52 -9.55,-12.34 -11.76,-10.79 z"/>
+				<path id="neck_glare" fill="#838384" filter="url(#blur_neck_glare)" clip-path="url(#clip_body)"
+					d="m 138.27,76.63 c -1.86,1.7 0.88,4.25 2.17,7.24 0.81,1.86 3.04,4.49 5.2,4.07 1.63,-0.32 2.63,-2.66 2.48,-4.3 -0.3,-3.18 -2.98,-3.93 -4.93,-5.02 -1.54,-0.86 -3.61,-3.18 -4.92,-1.99 z"/>
+			</g>
+		</g>
+		<g id="wings">
+			<g id="wing_left">
+				<path id="wing_left_base" fill="#020204"
+					d="m 63.98,100.91 c -6.1,6.92 -12.37,13.63 -15.81,21.12 -1.71,3.8 -2.51,7.93 -3.68,11.93 -1.32,4.54 -3.12,8.94 -5.14,13.22 -1.87,3.95 -3.93,7.81 -5.98,11.66 -1.5,2.81 -3.02,5.67 -3.54,8.81 -0.41,2.48 -0.18,5.04 0.46,7.47 0.63,2.43 1.64,4.75 2.79,6.98 4.88,9.55 12.21,17.77 20.89,24.07 3.94,2.85 8.15,5.32 12.58,7.35 2.4,1.09 4.92,2.07 7.56,2.11 1.32,0.03 2.65,-0.19 3.86,-0.72 1.2,-0.53 2.28,-1.38 3,-2.49 0.88,-1.36 1.18,-3.05 1,-4.66 -0.18,-1.61 -0.81,-3.15 -1.65,-4.53 -2.06,-3.38 -5.31,-5.83 -8.44,-8.25 -6.76,-5.23 -13.29,-10.76 -19.55,-16.58 -1.76,-1.65 -3.53,-3.34 -4.76,-5.42 -1.2,-2.02 -1.85,-4.32 -2.29,-6.63 -1.21,-6.33 -0.9,-12.99 1.25,-19.07 0.85,-2.38 1.96,-4.65 3.04,-6.93 1.86,-3.95 3.62,-7.98 6.07,-11.6 3.05,-4.51 7.13,-8.33 9.61,-13.17 2.1,-4.09 2.95,-8.68 3.76,-13.2 0.64,-3.54 1.85,-7 2.47,-10.54 -1.21,2.3 -5.11,6.07 -7.5,9.07 z"/>
+				<path id="wing_left_glare" opacity="0.95" fill="#7c7c7c" filter="url(#blur_wing_left_glare)" clip-path="url(#clip_wing_left)"
+					d="m 56.96,126.1 c -2,1.84 -3.73,3.97 -5.13,6.31 -2.3,3.84 -3.65,8.16 -5.33,12.31 -1.24,3.09 -2.69,6.2 -2.86,9.53 -0.09,1.71 0.16,3.42 0.22,5.13 0.06,1.71 -0.1,3.49 -0.94,4.98 -0.7,1.25 -1.87,2.23 -3.22,2.71 1.83,0.61 3.45,1.79 4.6,3.33 0.96,1.3 1.58,2.81 2.41,4.18 0.68,1.12 1.51,2.16 2.54,2.97 1.02,0.82 2.25,1.4 3.54,1.56 1.79,0.23 3.65,-0.36 4.97,-1.58 -1.66,-15.55 -0.14,-31.42 4.44,-46.37 0.29,-0.94 0.59,-1.89 0.67,-2.87 0.07,-0.99 -0.12,-2.03 -0.72,-2.81 -0.31,-0.42 -0.74,-0.75 -1.23,-0.96 -0.48,-0.2 -1.02,-0.28 -1.54,-0.21 -0.52,0.06 -1.03,0.26 -1.45,0.57 -0.42,0.32 -0.76,0.74 -0.97,1.22 z"/>
+			</g>
+			<g id="wing_right">
+				<path id="wing_right_base" fill="#020204"
+					d="m 162.76,127.12 c 5.24,4.22 8.57,10.59 9.6,17.24 0.8,5.18 0.28,10.51 -0.89,15.62 -1.17,5.12 -2.97,10.06 -4.77,15 -0.71,1.96 -1.43,3.95 -1.71,6.02 -0.29,2.08 -0.11,4.27 0.89,6.11 1.15,2.11 3.29,3.56 5.59,4.24 2.27,0.68 4.72,0.66 7.02,0.09 2.3,-0.57 6.17,-1.31 8.04,-2.77 4.75,-3.69 5.88,-10.1 7.01,-15.72 1.17,-5.87 0.6,-12.02 -0.43,-17.95 -1.41,-8.09 -3.78,-15.99 -6.79,-23.62 -2.22,-5.62 -5.06,-10.98 -8.44,-15.96 -3.32,-4.89 -8.02,-8.7 -11.5,-13.48 -1.21,-1.66 -2.66,-3.38 -3.84,-5.06 -2.56,-3.62 -1.98,-2.94 -3.57,-5.29 -1.15,-1.7 -2.97,-2.28 -4.88,-3.02 -1.92,-0.74 -4.06,-0.96 -6.04,-0.41 -2.6,0.73 -4.73,2.79 -5.86,5.24 -1.13,2.46 -1.33,5.28 -0.89,7.95 0.57,3.44 2.14,6.64 3.92,9.64 2,3.39 4.32,6.66 7.35,9.18 3.16,2.63 6.98,4.37 10.19,6.95 z"/>
+				<path id="wing_right_glare" fill="#838384" filter="url(#blur_wing_right_glare)" clip-path="url(#clip_wing_right)"
+					d="m 150.42,118.99 c 0.42,0.4 0.86,0.81 1.31,1.19 3.22,2.63 4.93,5.58 8.2,8.16 5.34,4.22 10.75,11.5 11.8,18.15 0.82,5.19 -0.26,8.01 -1.58,14.12 -1.32,6.12 -5.06,14.78 -7.09,20.68 -0.8,2.35 1.64,1.38 1.32,3.86 -0.16,1.22 -0.18,2.45 -0.03,3.67 0.02,-0.23 0.03,-0.48 0.06,-0.71 0.39,-3.38 1.42,-6.63 2.55,-9.82 2.17,-6.13 4.66,-12.15 6.38,-18.45 1.72,-6.29 1.53,-10.82 0.63,-16.23 -1.13,-6.81 -5.09,-13.09 -10.69,-17.24 -3.97,-2.93 -8.64,-4.81 -12.86,-7.38 z"/>
+			</g>
+		</g>
+		<g id="feet">
+			<g id="foot_left">
+				<path id="foot_left_base" fill="url(#fill_foot_left_base)"
+					d="m 34.98,175.33 c 1.38,-0.57 2.93,-0.68 4.39,-0.41 1.47,0.27 2.86,0.91 4.09,1.74 2.47,1.68 4.3,4.12 6.05,6.54 4.03,5.54 7.9,11.2 11.42,17.08 2.85,4.78 5.46,9.71 8.76,14.18 2.15,2.93 4.57,5.64 6.73,8.55 2.16,2.92 4.07,6.08 5.03,9.58 1.25,4.55 0.76,9.56 -1.4,13.75 -1.52,2.95 -3.86,5.48 -6.7,7.19 -2.84,1.71 -5.83,2.47 -9.15,2.47 -5.27,0 -10.42,-2.83 -15.32,-4.78 -9.98,-3.98 -20.82,-5.22 -31.11,-8.32 -3.16,-0.95 -6.27,-2.08 -9.45,-2.95 -1.42,-0.39 -2.85,-0.73 -4.19,-1.34 -1.34,-0.6 -2.59,-1.51 -3.33,-2.77 -0.57,-0.98 -0.8,-2.13 -0.8,-3.26 0,-1.14 0.28,-2.26 0.67,-3.32 0.77,-2.13 2.02,-4.06 2.86,-6.17 1.37,-3.44 1.62,-7.23 1.43,-10.93 -0.18,-3.69 -0.78,-7.36 -1.03,-11.05 -0.12,-1.65 -0.16,-3.32 0.16,-4.95 0.31,-1.62 1.01,-3.21 2.2,-4.35 1.1,-1.06 2.55,-1.69 4.05,-2 1.49,-0.31 3.03,-0.32 4.55,-0.29 1.52,0.03 3.05,0.12 4.57,-0.01 1.52,-0.12 3.05,-0.46 4.37,-1.22 1.26,-0.72 2.29,-1.79 3.14,-2.96 0.85,-1.17 1.54,-2.45 2.25,-3.72 0.7,-1.26 1.43,-2.52 2.36,-3.64 0.92,-1.12 2.06,-2.09 3.4,-2.64 z"/>
+				<path id="foot_left_layer_1" fill="#d99a03" filter="url(#blur_foot_left_layer_1)" clip-path="url(#clip_foot_left)"
+					d="m 37.16,177.7 c 1.25,-0.5 2.67,-0.56 3.98,-0.26 1.32,0.3 2.55,0.94 3.61,1.77 2.14,1.65 3.62,3.97 5.05,6.26 3.42,5.54 6.76,11.15 9.92,16.86 2.4,4.31 4.68,8.7 7.62,12.65 1.95,2.62 4.18,5.03 6.17,7.62 1.99,2.59 3.76,5.41 4.64,8.56 1.14,4.05 0.68,8.54 -1.28,12.26 -1.42,2.68 -3.58,4.96 -6.2,6.48 -2.61,1.52 -5.67,2.28 -8.69,2.14 -4.82,-0.22 -9.23,-2.63 -13.77,-4.26 -8.71,-3.16 -18.14,-3.59 -27.08,-6.05 -3.2,-0.87 -6.32,-2.03 -9.53,-2.84 -1.43,-0.36 -2.88,-0.66 -4.23,-1.23 -1.35,-0.57 -2.62,-1.45 -3.36,-2.72 -0.54,-0.95 -0.76,-2.06 -0.73,-3.15 0.04,-1.09 0.31,-2.17 0.7,-3.19 0.78,-2.04 2,-3.88 2.78,-5.92 1.19,-3.08 1.34,-6.47 1.12,-9.76 -0.22,-3.29 -0.8,-6.56 -1,-9.85 -0.08,-1.48 -0.1,-2.97 0.2,-4.41 0.3,-1.45 0.93,-2.85 1.98,-3.89 1.14,-1.13 2.7,-1.74 4.29,-1.99 1.58,-0.24 3.19,-0.13 4.78,0.01 1.6,0.14 3.2,0.32 4.8,0.23 1.6,-0.1 3.22,-0.49 4.54,-1.39 1.2,-0.81 2.1,-2 2.79,-3.27 0.69,-1.27 1.18,-2.64 1.71,-3.98 0.52,-1.35 1.09,-2.69 1.91,-3.89 0.82,-1.19 1.93,-2.24 3.28,-2.79 z"/>
+				<path id="foot_left_layer_2" fill="#f5bd0c" filter="url(#blur_foot_left_layer_2)" clip-path="url(#clip_foot_left)"
+					d="m 35.99,174.57 c 1.22,-0.6 2.65,-0.72 3.98,-0.45 1.33,0.27 2.57,0.92 3.62,1.77 2.09,1.7 3.43,4.13 4.67,6.51 2.84,5.46 5.5,11.04 8.9,16.19 2.48,3.73 5.33,7.2 7.83,10.92 3.39,5.03 6.15,10.57 7.29,16.5 0.76,4 0.74,8.31 -1.18,11.9 -1.27,2.37 -3.32,4.31 -5.75,5.52 -2.42,1.22 -5.21,1.71 -7.92,1.47 -4.27,-0.37 -8.14,-2.47 -12.16,-3.94 -7.13,-2.59 -14.84,-3.22 -22.18,-5.18 -3.09,-0.82 -6.13,-1.89 -9.26,-2.54 -1.39,-0.29 -2.8,-0.5 -4.12,-1 -1.32,-0.5 -2.57,-1.33 -3.25,-2.55 -0.47,-0.86 -0.63,-1.86 -0.56,-2.84 0.07,-0.97 0.36,-1.92 0.74,-2.83 0.77,-1.8 1.9,-3.46 2.49,-5.32 0.88,-2.75 0.52,-5.72 -0.14,-8.53 -0.65,-2.8 -1.6,-5.55 -1.89,-8.41 -0.13,-1.27 -0.13,-2.57 0.17,-3.82 0.29,-1.25 0.88,-2.45 1.81,-3.34 1.2,-1.15 2.88,-1.73 4.56,-1.89 1.67,-0.16 3.35,0.06 5.01,0.3 1.66,0.24 3.34,0.5 5.01,0.42 1.68,-0.07 3.39,-0.51 4.7,-1.54 1.3,-1.02 2.12,-2.53 2.59,-4.09 0.47,-1.57 0.62,-3.2 0.81,-4.82 0.19,-1.62 0.43,-3.26 1.06,-4.77 0.63,-1.51 1.69,-2.9 3.17,-3.64 z"/>
+				<path id="foot_left_glare" fill="url(#fill_foot_left_glare)" filter="url(#blur_foot_left_glare)" clip-path="url(#clip_foot_left)"
+					d="m 51.2,188.21 c 2.25,4.06 3.62,8.72 5.85,12.82 2.05,3.77 4.38,7.65 6.46,11.12 0.93,1.55 3.09,3.93 5.27,7.62 1.98,3.34 3.98,8.01 5.1,9.58 -0.64,-1.84 -1.96,-6.77 -3.54,-10.28 -1.47,-3.28 -3.19,-5.15 -4.24,-6.92 -2.08,-3.47 -4.33,-6.6 -6.47,-9.91 -2.95,-4.57 -5.2,-9.68 -8.43,-14.03 z"/>
+			</g>
+			<g id="foot_right">
+				<path id="foot_right_shadow" opacity="0.2" fill="url(#fill_foot_right_shadow)" filter="url(#blur_foot_right_shadow)" clip-path="url(#clip_body)"
+					d="m 198.7,215.61 c -0.4,1.33 -1.02,2.62 -1.81,3.8 -1.75,2.59 -4.3,4.55 -6.84,6.35 -4.33,3.07 -8.85,5.89 -12.89,9.38 -2.7,2.34 -5.17,4.97 -7.45,7.73 -1.95,2.36 -3.79,4.84 -6.02,6.94 -2.25,2.12 -4.89,3.84 -7.74,4.77 -3.47,1.13 -7.13,1.08 -10.47,0.22 -2.34,-0.6 -4.63,-1.64 -6.08,-3.53 -1.45,-1.89 -1.92,-4.44 -2.09,-6.94 -0.3,-4.42 0.23,-8.93 0.71,-13.42 0.4,-3.73 0.77,-7.46 0.92,-11.18 0.27,-6.77 -0.18,-13.47 -1.09,-20.05 -0.16,-1.11 -0.32,-2.22 -0.23,-3.35 0.09,-1.14 0.47,-2.32 1.27,-3.2 0.74,-0.81 1.77,-1.29 2.79,-1.52 1.02,-0.24 2.06,-0.25 3.09,-0.28 2.43,-0.06 4.86,-0.21 7.25,0.01 1.51,0.13 2.99,0.41 4.49,0.55 2.51,0.24 5.12,0.12 7.64,-0.62 2.71,-0.8 5.29,-2.29 8.05,-2.7 1.13,-0.17 2.26,-0.15 3.36,0.01 1.12,0.15 2.24,0.46 3.1,1.15 0.66,0.52 1.14,1.23 1.51,1.99 0.56,1.14 0.9,2.39 1.1,3.68 0.17,1.14 0.24,2.31 0.53,3.41 0.48,1.81 1.58,3.35 2.89,4.6 1.32,1.25 2.85,2.24 4.39,3.22 1.53,0.97 3.07,1.93 4.7,2.73 0.77,0.38 1.56,0.72 2.29,1.15 0.74,0.44 1.42,0.97 1.91,1.67 0.66,0.95 0.92,2.2 0.72,3.43 z"/>
+				<path id="foot_right_base" fill="url(#fill_foot_right_base)"
+					d="m 213.47,222.92 c -2.26,2.68 -5.4,4.45 -8.53,6.05 -5.33,2.71 -10.86,5.1 -15.87,8.37 -3.36,2.19 -6.46,4.76 -9.36,7.53 -2.48,2.37 -4.83,4.9 -7.61,6.91 -2.81,2.03 -6.05,3.5 -9.48,4.01 -0.95,0.14 -1.9,0.21 -2.86,0.21 -3.24,0 -6.48,-0.78 -9.46,-2.08 -2.7,-1.17 -5.3,-2.86 -6.86,-5.36 -1.56,-2.52 -1.92,-5.59 -1.92,-8.56 -0.01,-5.23 0.96,-10.41 1.87,-15.57 0.76,-4.29 1.48,-8.58 1.95,-12.91 0.85,-7.86 0.84,-15.81 0.28,-23.71 -0.1,-1.32 -0.21,-2.65 -0.01,-3.96 0.2,-1.31 0.74,-2.62 1.74,-3.48 0.93,-0.8 2.17,-1.16 3.4,-1.22 1.22,-0.07 2.44,0.12 3.65,0.3 2.85,0.42 5.73,0.74 8.52,1.48 1.76,0.46 3.48,1.08 5.23,1.56 2.94,0.79 6.01,1.17 9.02,0.82 3.25,-0.38 6.41,-1.6 9.68,-1.52 1.34,0.03 2.67,0.28 3.95,0.69 1.3,0.41 2.59,1 3.55,1.98 0.73,0.74 1.24,1.67 1.62,2.64 0.57,1.44 0.88,2.98 1.01,4.52 0.11,1.37 0.09,2.76 0.35,4.11 0.43,2.21 1.6,4.24 3.04,5.97 1.45,1.74 3.18,3.21 4.91,4.66 1.73,1.45 3.46,2.89 5.32,4.16 0.87,0.6 1.77,1.16 2.6,1.81 0.83,0.66 1.59,1.42 2.11,2.34 0.45,0.81 0.69,1.72 0.69,2.65 0,0.52 -0.07,1.04 -0.23,1.56 -0.45,1.43 -1.28,2.82 -2.3,4.04 z"/>
+				<path id="foot_right_layer_1" fill="#cd8907" filter="url(#blur_foot_right_layer_1)" clip-path="url(#clip_foot_right)"
+					d="m 213.21,216.12 c -0.53,1.33 -1.28,2.58 -2.22,3.67 -2.07,2.42 -4.93,4.01 -7.78,5.44 -4.88,2.44 -9.92,4.58 -14.5,7.52 -3.06,1.97 -5.9,4.28 -8.55,6.78 -2.26,2.13 -4.41,4.41 -6.95,6.21 -2.57,1.83 -5.53,3.14 -8.65,3.6 -3.8,0.56 -7.72,-0.16 -11.25,-1.67 -2.46,-1.06 -4.84,-2.56 -6.27,-4.83 -1.42,-2.26 -1.75,-5.02 -1.75,-7.69 -0.02,-4.71 0.87,-9.37 1.71,-14 0.7,-3.85 1.36,-7.71 1.78,-11.6 0.76,-7.08 0.73,-14.22 0.25,-21.32 -0.08,-1.19 -0.17,-2.39 0.01,-3.57 0.18,-1.18 0.67,-2.35 1.57,-3.13 0.85,-0.73 1.99,-1.05 3.11,-1.1 1.11,-0.06 2.22,0.12 3.33,0.28 2.61,0.38 5.23,0.67 7.78,1.33 1.61,0.42 3.18,0.98 4.78,1.4 2.68,0.72 5.49,1.06 8.24,0.74 2.97,-0.34 5.85,-1.44 8.83,-1.37 1.23,0.03 2.44,0.26 3.61,0.62 1.19,0.37 2.37,0.9 3.25,1.78 0.66,0.67 1.11,1.51 1.48,2.38 0.53,1.29 0.89,2.67 0.91,4.07 0.03,1.46 -0.28,2.92 -0.09,4.37 0.16,1.17 0.66,2.28 1.3,3.28 0.63,1 1.4,1.91 2.17,2.81 1.48,1.75 2.96,3.53 4.82,4.87 2.11,1.53 4.62,2.43 6.8,3.85 0.65,0.43 1.28,0.91 1.74,1.54 0.78,1.06 0.98,2.5 0.54,3.74 z"/>
+				<path id="foot_right_layer_2" fill="#f5c021" filter="url(#blur_foot_right_layer_2)" clip-path="url(#clip_foot_right)"
+					d="m 212.91,214.61 c -0.6,1.35 -1.37,2.6 -2.28,3.71 -2.12,2.58 -4.99,4.35 -8,5.49 -4.97,1.88 -10.39,2.13 -15.26,4.27 -2.97,1.3 -5.65,3.26 -8.36,5.12 -2.18,1.49 -4.42,2.94 -6.82,3.98 -2.72,1.19 -5.6,1.85 -8.5,2.32 -1.84,0.29 -3.71,0.51 -5.57,0.41 -1.86,-0.1 -3.72,-0.54 -5.37,-1.49 -1.24,-0.72 -2.36,-1.75 -3.03,-3.1 -0.73,-1.49 -0.86,-3.24 -0.85,-4.94 0.05,-4.5 1.02,-8.96 0.99,-13.47 -0.03,-3.93 -0.81,-7.8 -1.03,-11.72 -0.43,-7.54 1.19,-15.2 -0.24,-22.59 -0.22,-1.19 -0.53,-2.37 -0.52,-3.58 0.01,-0.6 0.1,-1.21 0.31,-1.77 0.22,-0.55 0.56,-1.06 1.01,-1.42 0.39,-0.29 0.84,-0.47 1.31,-0.56 0.46,-0.08 0.94,-0.06 1.41,0.01 0.93,0.15 1.82,0.51 2.73,0.78 2.6,0.78 5.35,0.76 8,1.35 1.66,0.36 3.26,0.97 4.91,1.41 2.75,0.76 5.63,1.08 8.46,0.75 3.04,-0.36 6.01,-1.46 9.07,-1.38 1.26,0.03 2.5,0.26 3.71,0.62 1.21,0.36 2.42,0.87 3.34,1.8 0.65,0.67 1.13,1.52 1.51,2.4 0.57,1.29 0.96,2.69 0.95,4.11 -0.01,0.74 -0.12,1.47 -0.19,2.21 -0.06,0.74 -0.08,1.49 0.09,2.2 0.18,0.72 0.55,1.37 0.97,1.96 0.42,0.59 0.9,1.12 1.34,1.7 1.22,1.61 2.1,3.49 3.05,5.3 0.95,1.81 2.02,3.6 3.53,4.91 2.05,1.77 4.7,2.48 6.99,3.89 0.67,0.41 1.31,0.89 1.78,1.55 0.38,0.52 0.63,1.15 0.73,1.81 0.09,0.65 0.03,1.34 -0.17,1.96 z"/>
+				<path id="foot_right_glare" fill="url(#fill_foot_right_glare)" filter="url(#blur_foot_right_glare)" clip-path="url(#clip_foot_right)"
+					d="m 148.08,181.58 c 2.82,-0.76 5.22,1.38 7.27,2.99 1.32,1.13 3.24,0.85 4.86,0.9 2.69,-0.09 5.36,0.45 8.05,0.12 5.3,-0.45 10.49,-1.75 15.81,-1.97 2.54,-0.16 5.4,-0.31 7.59,1.17 0.89,0.62 2.2,3.23 3.07,2.25 -0.36,-2.74 -2.39,-5.39 -5.11,-6.12 -2.14,-0.34 -4.3,0.25 -6.46,0.06 -6.39,-0.15 -12.75,-1.34 -19.16,-1 -4.46,0.04 -8.91,-0.17 -13.37,-0.34 -1.75,-0.36 -2.37,1.19 -3.32,1.79 0.25,0.19 0.34,0.25 0.77,0.15 z"/>
+			</g>
+		</g>
+		<g id="wing_tip_right">
+			<g id="wing_tip_right_shadow">
+				<path id="wing_tip_right_shadow_lower" opacity="0.35" fill="url(#fill_wing_tip_right_shadow_lower)" filter="url(#blur_wing_tip_right_shadow_lower)" clip-path="url(#clip_foot_right)"
+					d="m 185.49,187.61 c -0.48,-0.95 -1.36,-1.66 -2.35,-2.07 -0.98,-0.41 -2.06,-0.55 -3.13,-0.54 -2.13,0.02 -4.25,0.57 -6.38,0.39 -1.79,-0.16 -3.49,-0.83 -5.24,-1.26 -1.81,-0.44 -3.73,-0.61 -5.52,-0.12 -1.92,0.52 -3.61,1.81 -4.67,3.49 -0.94,1.48 -1.38,3.23 -1.52,4.98 -0.14,1.75 0.01,3.5 0.19,5.25 0.12,1.26 0.27,2.52 0.57,3.75 0.31,1.23 0.78,2.43 1.52,3.46 1.07,1.48 2.66,2.54 4.37,3.17 2.8,1.03 5.98,0.98 8.73,-0.15 4.88,-2.12 9.01,-5.92 11.52,-10.6 0.91,-1.68 1.61,-3.47 2.06,-5.31 0.18,-0.74 0.32,-1.49 0.32,-2.25 0.01,-0.75 -0.12,-1.52 -0.47,-2.19 z"/>
+				<path id="wing_tip_right_shadow_upper" opacity="0.35" fill="url(#fill_wing_tip_right_shadow_upper)" filter="url(#blur_wing_tip_right_shadow_upper)" clip-path="url(#clip_foot_right)"
+					d="m 185.49,184.89 c -0.48,-0.69 -1.36,-1.2 -2.35,-1.5 -0.98,-0.3 -2.06,-0.39 -3.13,-0.39 -2.13,0.02 -4.25,0.42 -6.38,0.28 -1.79,-0.11 -3.49,-0.6 -5.24,-0.9 -1.81,-0.32 -3.73,-0.45 -5.52,-0.09 -1.92,0.37 -3.61,1.3 -4.67,2.52 -0.94,1.07 -1.38,2.34 -1.52,3.6 -0.14,1.26 0.01,2.53 0.19,3.79 0.12,0.91 0.27,1.83 0.57,2.72 0.31,0.89 0.78,1.76 1.52,2.5 1.07,1.07 2.66,1.83 4.37,2.29 2.8,0.75 5.98,0.71 8.73,-0.11 4.88,-1.53 9.01,-4.28 11.52,-7.66 0.91,-1.22 1.61,-2.51 2.06,-3.84 0.18,-0.54 0.32,-1.08 0.32,-1.62 0.01,-0.55 -0.12,-1.11 -0.47,-1.59 z"/>
+			</g>
+			<path id="wing_tip_right_base" fill="#020204"
+				d="m 189.55,178.72 c -0.35,-0.95 -0.97,-1.79 -1.72,-2.47 -0.75,-0.68 -1.64,-1.2 -2.57,-1.6 -1.86,-0.79 -3.89,-1.09 -5.89,-1.46 -1.87,-0.35 -3.74,-0.78 -5.62,-1.1 -1.96,-0.33 -3.98,-0.55 -5.92,-0.11 -1.69,0.38 -3.26,1.26 -4.54,2.43 -1.28,1.17 -2.28,2.63 -3,4.21 -1.27,2.79 -1.67,5.92 -1.43,8.97 0.18,2.27 0.76,4.61 2.25,6.32 1.21,1.39 2.92,2.26 4.68,2.78 3.04,0.9 6.35,0.85 9.36,-0.13 4.97,-1.67 9.37,-4.98 12.35,-9.29 0.98,-1.43 1.82,-2.98 2.2,-4.66 0.29,-1.28 0.3,-2.66 -0.15,-3.89 z"/>
+			<g id="wing_tip_right_glare">
+				<defs>
+					<path id="path_wing_tip_right_glare"
+						d="m 168.89,171.07 c -0.47,0.03 -0.93,0.08 -1.4,0.17 -2.99,0.53 -5.73,2.42 -7.27,5.03 -1.09,1.85 -1.58,4.03 -1.43,6.17 0.07,-1.5 0.46,-2.97 1.19,-4.28 1.23,-2.23 3.47,-3.91 5.98,-4.37 1.54,-0.28 3.13,-0.11 4.68,0.08 1.5,0.19 3,0.39 4.47,0.7 2.28,0.5 4.53,1.26 6.44,2.59 0.44,0.31 0.86,0.66 1.21,1.08 0.35,0.41 0.62,0.89 0.73,1.42 0.15,0.78 -0.07,1.6 -0.46,2.29 -0.39,0.7 -0.92,1.3 -1.48,1.86 -0.46,0.46 -0.94,0.89 -1.43,1.32 2.21,-0.43 4.44,-1.03 6.28,-2.31 0.77,-0.55 1.48,-1.2 1.94,-2.02 0.46,-0.83 0.65,-1.83 0.43,-2.75 -0.16,-0.62 -0.5,-1.19 -0.92,-1.67 -0.42,-0.48 -0.93,-0.87 -1.45,-1.24 -2.31,-1.62 -5.01,-2.65 -7.81,-2.99 -1.8,-0.33 -3.61,-0.61 -5.42,-0.83 -1.41,-0.18 -2.86,-0.33 -4.28,-0.25 z"/>
+				</defs>
+				<use id="wing_tip_right_glare_1" href="#path_wing_tip_right_glare" xlink:href="#path_wing_tip_right_glare"
+					fill="url(#fill_wing_tip_right_glare_1)" filter="url(#blur_wing_tip_right_glare)" clip-path="url(#clip_wing_tip_right)"/>
+				<use id="wing_tip_right_glare_2" href="#path_wing_tip_right_glare" xlink:href="#path_wing_tip_right_glare"
+					fill="url(#fill_wing_tip_right_glare_2)" filter="url(#blur_wing_tip_right_glare)" clip-path="url(#clip_wing_tip_right)"/>
+			</g>
+		</g>
+		<g id="face">
+			<g id="eyes">
+				<g id="eye_left">
+					<path id="eyeball_left" fill="url(#fill_eyeball_left)"
+						d="m 84.45,38.28 c -1.53,0.08 -3,0.79 -4.12,1.84 -1.13,1.05 -1.92,2.43 -2.41,3.88 -0.97,2.92 -0.75,6.08 -0.53,9.15 0.2,2.77 0.41,5.6 1.45,8.18 0.52,1.3 1.25,2.51 2.22,3.51 0.97,0.99 2.2,1.76 3.55,2.09 1.26,0.32 2.62,0.26 3.86,-0.13 1.25,-0.4 2.38,-1.11 3.32,-2.02 1.36,-1.33 2.27,-3.07 2.8,-4.9 0.53,-1.83 0.68,-3.75 0.65,-5.66 -0.04,-2.38 -0.35,-4.77 -1.09,-7.03 -0.75,-2.26 -1.94,-4.4 -3.6,-6.11 -0.8,-0.83 -1.72,-1.55 -2.75,-2.06 -1.04,-0.51 -2.2,-0.8 -3.35,-0.74 z"/>
+					<g id="pupil_left">
+						<path id="pupil_left_base" fill="#020204"
+							d="m 80.75,50.99 c -0.32,1.94 -0.33,3.97 0.33,5.81 0.44,1.22 1.17,2.33 2.05,3.28 0.57,0.62 1.23,1.18 1.99,1.55 0.77,0.37 1.65,0.52 2.48,0.32 0.76,-0.19 1.42,-0.68 1.91,-1.29 0.49,-0.61 0.82,-1.34 1.05,-2.09 0.69,-2.21 0.58,-4.62 -0.11,-6.83 -0.49,-1.61 -1.32,-3.16 -2.6,-4.24 -0.62,-0.52 -1.34,-0.93 -2.12,-1.11 -0.78,-0.19 -1.63,-0.14 -2.36,0.19 -0.81,0.37 -1.44,1.07 -1.85,1.86 -0.41,0.79 -0.62,1.67 -0.77,2.55 z"/>
+						<path id="pupil_left_glare" fill="url(#fill_pupil_left_glare)" filter="url(#blur_pupil_left_glare)" clip-path="url(#clip_pupil_left)"
+							d="m 84.84,49.59 c 0.21,0.55 0.91,0.75 1.3,1.19 0.37,0.42 0.76,0.87 0.97,1.4 0.39,1.01 -0.39,2.51 0.43,3.23 0.25,0.22 0.77,0.23 1.02,0 0.99,-0.9 0.77,-2.71 0.38,-3.99 -0.36,-1.15 -1.23,-2.25 -2.31,-2.8 -0.5,-0.26 -1.25,-0.47 -1.68,-0.11 -0.27,0.24 -0.24,0.74 -0.11,1.08 z"/>
+					</g>
+					<path id="eyelid_left" fill="url(#fill_eyelid_left)" clip-path="url(#clip_eye_left)"
+						d="m 81.14,44.46 c 2.32,-1.38 5.13,-1.7 7.82,-1.45 2.68,0.26 5.27,1.04 7.87,1.75 1.91,0.52 3.84,1 5.63,1.84 1.78,0.84 3.44,2.08 4.43,3.8 0.16,0.27 0.29,0.56 0.46,0.83 0.17,0.27 0.37,0.52 0.62,0.71 0.25,0.19 0.57,0.32 0.88,0.3 0.16,-0.01 0.32,-0.05 0.45,-0.13 0.14,-0.08 0.26,-0.2 0.33,-0.34 0.08,-0.16 0.11,-0.35 0.1,-0.53 -0.01,-0.18 -0.05,-0.36 -0.1,-0.54 -0.65,-2.37 -2.19,-4.38 -3.35,-6.55 -0.7,-1.3 -1.28,-2.66 -1.98,-3.96 -2.43,-4.45 -6.42,-7.94 -10.95,-10.21 -4.53,-2.27 -9.59,-3.36 -14.65,-3.65 -5.86,-0.35 -11.73,0.35 -17.51,1.37 -2.51,0.44 -5.06,0.96 -7.27,2.21 -1.11,0.62 -2.13,1.42 -2.92,2.42 -0.8,0.99 -1.36,2.18 -1.55,3.44 -0.17,1.22 0.01,2.47 0.44,3.62 0.42,1.15 1.08,2.2 1.86,3.15 1.54,1.91 3.53,3.39 5.36,5.03 1.83,1.63 3.52,3.44 5.57,4.79 1.02,0.68 2.13,1.24 3.31,1.57 1.18,0.33 2.44,0.42 3.64,0.17 1.24,-0.25 2.4,-0.86 3.41,-1.64 1.01,-0.77 1.88,-1.7 2.71,-2.66 1.66,-1.93 3.21,-4.04 5.39,-5.34 z"/>
+					<path id="eyebrow_left" fill="url(#fill_eyebrow_left)" filter="url(#blur_eyebrow_left)"
+						d="m 90.77,36.57 c 2.16,2.02 3.76,4.52 4.85,7.16 -0.48,-2.91 -1.23,-5.26 -3.13,-7.16 -1.16,-1.09 -2.49,-2.05 -3.98,-2.72 -1.32,-0.59 -2.77,-0.96 -3.61,-0.97 -0.83,-0.02 -1.03,0 -1.2,0.01 -0.18,0.01 -0.31,0.01 0.23,0.08 0.54,0.06 1.75,0.39 3.05,0.97 1.3,0.58 2.62,1.54 3.79,2.63 z"/>
+				</g>
+				<g id="eye_right">
+					<path id="eyeball_right" fill="url(#fill_eyeball_right)"
+						d="m 111.61,38.28 c -2.39,1.65 -4.4,3.94 -5.38,6.68 -1.24,3.45 -0.77,7.31 0.43,10.77 1.22,3.55 3.27,6.93 6.36,9.06 1.54,1.07 3.33,1.8 5.19,2.02 1.87,0.22 3.8,-0.09 5.47,-0.95 2.02,-1.06 3.57,-2.91 4.53,-4.98 0.96,-2.08 1.37,-4.37 1.5,-6.66 0.16,-2.9 -0.12,-5.86 -1.08,-8.61 -1.04,-2.99 -2.92,-5.75 -5.58,-7.47 -1.32,-0.86 -2.83,-1.45 -4.4,-1.67 -1.57,-0.22 -3.19,-0.05 -4.67,0.52 -0.84,0.33 -1.62,0.78 -2.37,1.29 z"/>
+					<g id="pupil_right">
+						<path id="pupil_right_base" fill="#020204"
+							d="m 117.14,45.52 c -0.9,0.06 -1.78,0.37 -2.55,0.85 -0.76,0.48 -1.41,1.13 -1.92,1.88 -1.03,1.49 -1.48,3.31 -1.55,5.12 -0.05,1.35 0.1,2.72 0.55,4 0.45,1.28 1.2,2.47 2.25,3.33 1.07,0.89 2.42,1.42 3.81,1.49 1.39,0.06 2.79,-0.34 3.93,-1.13 0.91,-0.63 1.64,-1.5 2.16,-2.48 0.52,-0.97 0.84,-2.05 0.98,-3.15 0.25,-1.93 -0.03,-3.95 -0.93,-5.69 -0.89,-1.74 -2.41,-3.17 -4.24,-3.84 -0.8,-0.29 -1.65,-0.44 -2.49,-0.38 z"/>
+						<path id="pupil_right_glare" fill="url(#fill_pupil_right_glare)" filter="url(#blur_pupil_right_glare)" clip-path="url(#clip_pupil_right)"
+							d="m 122.71,53.36 c 1,-1 -0.71,-3.65 -2.05,-4.74 -0.97,-0.78 -3.78,-1.61 -3.66,-0.75 0.12,0.85 1.39,1.95 2.23,2.79 1.05,1.03 3,3.18 3.48,2.7 z"/>
+					</g>
+					<path id="eyelid_right" fill="url(#fill_eyelid_right)" clip-path="url(#clip_eye_right)"
+						d="m 102.56,47.01 c 2.06,-1.71 4.45,-3.01 7,-3.8 5.25,-1.62 11.2,-0.98 15.84,1.97 1.6,1.01 3.03,2.27 4.52,3.45 1.48,1.17 3.06,2.27 4.85,2.9 0.97,0.34 2,0.54 3.02,0.43 0.92,-0.09 1.81,-0.44 2.57,-0.96 0.76,-0.53 1.4,-1.23 1.88,-2.02 0.96,-1.58 1.27,-3.5 1.1,-5.34 -0.33,-3.69 -2.41,-6.94 -4.15,-10.21 -0.55,-1.02 -1.07,-2.06 -1.73,-3.01 -2.01,-2.93 -5.23,-4.86 -8.6,-5.99 -3.37,-1.13 -6.93,-1.54 -10.46,-1.98 -1.58,-0.2 -3.17,-0.41 -4.74,-0.22 -1.81,0.22 -3.51,0.95 -5.28,1.4 -0.84,0.22 -1.69,0.37 -2.52,0.61 -0.83,0.24 -1.65,0.57 -2.33,1.11 -0.98,0.79 -1.6,1.98 -1.87,3.21 -0.27,1.24 -0.21,2.52 -0.01,3.77 0.39,2.5 1.33,4.93 1.24,7.46 -0.06,1.73 -0.61,3.44 -0.54,5.17 0.02,0.51 0.12,1.55 0.21,2.05 z"/>
+					<path id="eyebrow_right" fill="url(#fill_eyebrow_right)" filter="url(#blur_eyebrow_right)"
+						d="m 119.93,31.18 c -0.41,0.52 -0.78,1.08 -1.07,1.7 1.85,0.4 3.61,1.16 5.19,2.21 3.06,2.03 5.38,4.99 7.01,8.29 0.38,-0.42 0.72,-0.87 1.02,-1.37 -1.64,-3.44 -4,-6.55 -7.16,-8.65 -1.52,-1 -3.21,-1.77 -4.99,-2.18 z"/>
+				</g>
+			</g>
+			<g id="beak">
+				<g id="beak_shadow">
+					<path id="beak_shadow_lower" fill="#000000" fill-opacity="0.258824" filter="url(#blur_beak_shadow_lower)" clip-path="url(#clip_body)"
+						d="m 81.12,89.33 c 1.47,4.26 4.42,7.89 7.92,10.72 1.16,0.95 2.39,1.82 3.76,2.43 1.36,0.62 2.87,0.97 4.36,0.84 1.46,-0.12 2.85,-0.7 4.13,-1.42 1.28,-0.72 2.46,-1.59 3.7,-2.37 2.12,-1.35 4.39,-2.44 6.6,-3.64 2.65,-1.45 5.23,-3.1 7.46,-5.14 1.03,-0.93 1.98,-1.95 3.11,-2.75 1.13,-0.81 2.49,-1.39 3.87,-1.29 1.04,0.07 2.01,0.51 3.03,0.73 0.51,0.11 1.03,0.16 1.55,0.08 0.51,-0.08 1.01,-0.29 1.37,-0.67 0.44,-0.46 0.64,-1.12 0.61,-1.76 -0.02,-0.63 -0.24,-1.25 -0.54,-1.81 -0.59,-1.13 -1.49,-2.1 -1.89,-3.31 -0.36,-1.08 -0.29,-2.24 -0.26,-3.37 0.03,-1.14 0.01,-2.32 -0.51,-3.33 -0.4,-0.76 -1.07,-1.37 -1.83,-1.77 -0.76,-0.41 -1.62,-0.62 -2.48,-0.7 -1.72,-0.16 -3.44,0.18 -5.17,0.27 -2.28,0.13 -4.58,-0.15 -6.87,-0.02 -2.85,0.18 -5.65,1 -8.51,1.01 -3.26,0.01 -6.52,-1.06 -9.74,-0.55 -1.39,0.22 -2.71,0.72 -4.03,1.16 -1.33,0.45 -2.7,0.84 -4.1,0.82 -1.59,-0.03 -3.13,-0.58 -4.72,-0.69 -0.79,-0.06 -1.6,0 -2.35,0.28 -0.74,0.28 -1.41,0.79 -1.78,1.5 -0.21,0.4 -0.31,0.86 -0.33,1.31 -0.02,0.46 0.04,0.91 0.15,1.36 0.22,0.88 0.63,1.71 0.96,2.55 1.2,3.07 1.46,6.42 2.53,9.53 z"/>
+					<path id="beak_shadow_upper" opacity="0.3" fill="#000000" filter="url(#blur_beak_shadow_upper)" clip-path="url(#clip_body)"
+						d="m 77.03,77.2 c 2.85,1.76 5.41,3.93 7.56,6.39 1.99,2.29 3.68,4.89 6.29,6.58 1.83,1.2 4.04,1.87 6.28,2.08 2.63,0.24 5.29,-0.15 7.83,-0.84 2.35,-0.63 4.62,-1.53 6.7,-2.71 3.97,-2.25 7.28,-5.55 11.65,-7.03 0.95,-0.33 1.94,-0.56 2.86,-0.96 0.92,-0.39 1.79,-0.99 2.23,-1.83 0.42,-0.82 0.4,-1.75 0.54,-2.64 0.15,-0.96 0.48,-1.88 0.66,-2.83 0.18,-0.95 0.2,-1.96 -0.24,-2.83 -0.37,-0.72 -1.04,-1.29 -1.81,-1.66 -0.77,-0.36 -1.64,-0.52 -2.51,-0.56 -1.72,-0.08 -3.43,0.33 -5.16,0.47 -2.28,0.19 -4.58,-0.08 -6.87,-0.01 -2.85,0.08 -5.66,0.67 -8.51,0.8 -3.25,0.14 -6.49,-0.34 -9.74,-0.44 -1.41,-0.05 -2.83,-0.03 -4.21,0.2 -1.39,0.22 -2.75,0.65 -3.92,1.37 -1.14,0.69 -2.07,1.64 -3.11,2.45 -0.52,0.41 -1.08,0.78 -1.68,1.07 -0.61,0.28 -1.28,0.48 -1.96,0.51 -0.35,0.01 -0.71,-0.01 -1.05,0.04 -0.59,0.08 -1.13,0.39 -1.47,0.83 -0.34,0.45 -0.47,1.02 -0.36,1.55 z"/>
+				</g>
+				<path id="beak_base" fill="url(#fill_beak_base)"
+					d="m 91.66,58.53 c 1.53,-1.71 2.57,-3.8 4.03,-5.56 0.73,-0.88 1.58,-1.69 2.57,-2.26 0.99,-0.57 2.15,-0.89 3.29,-0.79 1.27,0.11 2.46,0.74 3.39,1.61 0.93,0.87 1.62,1.97 2.17,3.12 0.53,1.11 0.95,2.28 1.71,3.24 0.81,1.02 1.94,1.71 2.97,2.52 0.51,0.4 1.01,0.83 1.41,1.34 0.41,0.51 0.72,1.1 0.86,1.74 0.13,0.65 0.06,1.33 -0.16,1.95 -0.23,0.62 -0.61,1.18 -1.09,1.64 -0.95,0.92 -2.25,1.42 -3.56,1.6 -2.62,0.37 -5.27,-0.41 -7.92,-0.34 -2.67,0.08 -5.29,1.02 -7.97,0.93 -1.33,-0.05 -2.69,-0.38 -3.79,-1.14 -0.55,-0.39 -1.03,-0.88 -1.38,-1.45 -0.34,-0.57 -0.55,-1.23 -0.58,-1.9 -0.02,-0.64 0.13,-1.28 0.39,-1.86 0.25,-0.59 0.61,-1.12 1.01,-1.62 0.81,-0.99 1.8,-1.81 2.65,-2.77 z"/>
+				<g id="mandible_lower">
+					<path id="mandible_lower_base" fill="url(#fill_mandible_lower_base)"
+						d="m 77.14,75.05 c 0.06,0.26 0.15,0.5 0.28,0.73 0.23,0.38 0.57,0.69 0.93,0.95 0.36,0.27 0.75,0.49 1.13,0.72 2.01,1.27 3.65,3.04 5.11,4.92 1.95,2.52 3.68,5.31 6.29,7.14 1.84,1.3 4.04,2.03 6.28,2.26 2.63,0.26 5.29,-0.16 7.83,-0.91 2.35,-0.69 4.62,-1.66 6.7,-2.95 3.97,-2.44 7.28,-6.02 11.65,-7.63 0.95,-0.35 1.94,-0.6 2.86,-1.03 0.92,-0.44 1.79,-1.08 2.23,-2 0.42,-0.88 0.4,-1.9 0.54,-2.87 0.15,-1.03 0.48,-2.03 0.66,-3.06 0.18,-1.03 0.2,-2.13 -0.24,-3.08 -0.37,-0.78 -1.04,-1.4 -1.81,-1.79 -0.77,-0.4 -1.64,-0.58 -2.51,-0.62 -1.72,-0.08 -3.43,0.36 -5.16,0.52 -2.28,0.21 -4.58,-0.09 -6.87,-0.02 -2.85,0.09 -5.66,0.73 -8.51,0.87 -3.25,0.15 -6.49,-0.35 -9.74,-0.48 -1.41,-0.06 -2.83,-0.04 -4.22,0.2 -1.39,0.23 -2.75,0.71 -3.91,1.51 -1.13,0.78 -2.03,1.84 -3.07,2.74 -0.52,0.45 -1.08,0.86 -1.7,1.16 -0.61,0.3 -1.29,0.49 -1.98,0.47 -0.35,-0.01 -0.72,-0.06 -1.05,0.04 -0.21,0.07 -0.4,0.2 -0.56,0.35 -0.16,0.16 -0.29,0.34 -0.41,0.52 -0.29,0.42 -0.54,0.87 -0.75,1.34 z"/>
+					<path id="mandible_lower_glare" fill="#d9b30d" filter="url(#blur_mandible_lower_glare)" clip-path="url(#clip_mandible_lower)"
+						d="m 89.9,78.56 c -0.33,1.37 -0.13,2.87 0.56,4.11 0.68,1.24 1.84,2.2 3.19,2.65 1.7,0.57 3.62,0.29 5.21,-0.54 0.93,-0.48 1.77,-1.16 2.3,-2.06 0.27,-0.44 0.46,-0.94 0.53,-1.46 0.06,-0.51 0.02,-1.05 -0.16,-1.54 -0.2,-0.53 -0.56,-1 -0.99,-1.37 -0.44,-0.37 -0.95,-0.64 -1.5,-0.82 -1.08,-0.36 -2.77,-0.66 -3.91,-0.68 -2.02,-0.04 -4.9,0.34 -5.23,1.71 z"/>
+				</g>
+				<g id="mandible_upper">
+					<path id="mandible_upper_shadow" fill="#604405" filter="url(#blur_mandible_upper_shadow)" clip-path="url(#clip_mandible_lower)"
+						d="m 84.31,67.86 c -1.16,0.68 -2.27,1.43 -3.36,2.2 -0.57,0.41 -1.15,0.84 -1.45,1.47 -0.21,0.44 -0.26,0.94 -0.27,1.43 0,0.5 0.03,0.99 -0.04,1.48 -0.04,0.33 -0.13,0.66 -0.14,0.99 -0.01,0.17 0,0.34 0.04,0.5 0.05,0.16 0.13,0.32 0.24,0.44 0.15,0.16 0.35,0.26 0.56,0.32 0.21,0.06 0.42,0.09 0.64,0.14 1.01,0.24 1.89,0.86 2.66,1.56 0.77,0.69 1.47,1.48 2.28,2.13 2.18,1.78 5.07,2.52 7.89,2.56 2.82,0.05 5.61,-0.54 8.36,-1.16 2.16,-0.49 4.32,-0.99 6.39,-1.76 3.2,-1.18 6.16,-2.96 8.72,-5.19 1.17,-1.01 2.26,-2.12 3.57,-2.94 1.15,-0.73 2.44,-1.21 3.62,-1.9 0.11,-0.06 0.21,-0.13 0.3,-0.2 0.1,-0.08 0.18,-0.18 0.24,-0.28 0.09,-0.19 0.09,-0.42 0.03,-0.62 -0.06,-0.2 -0.18,-0.38 -0.31,-0.55 -0.15,-0.18 -0.31,-0.34 -0.49,-0.5 -1.23,-1.05 -2.89,-1.43 -4.51,-1.56 -1.61,-0.12 -3.24,-0.03 -4.83,-0.3 -1.5,-0.25 -2.92,-0.81 -4.37,-1.27 -1.52,-0.49 -3.07,-0.87 -4.64,-1.13 -3.71,-0.61 -7.52,-0.49 -11.19,0.27 -3.49,0.73 -6.87,2.05 -9.94,3.87 z"/>
+					<path id="mandible_upper_base" fill="url(#fill_mandible_upper_base)"
+						d="m 83.94,63.95 c -1.66,1.12 -3.16,2.49 -4.43,4.04 -0.72,0.89 -1.38,1.86 -1.74,2.94 -0.29,0.86 -0.39,1.76 -0.57,2.65 -0.07,0.33 -0.15,0.66 -0.14,1 0,0.16 0.02,0.33 0.07,0.5 0.05,0.16 0.14,0.31 0.25,0.43 0.2,0.2 0.47,0.31 0.74,0.37 0.28,0.05 0.56,0.06 0.84,0.09 1.25,0.15 2.4,0.75 3.44,1.47 1.04,0.71 2,1.55 3.07,2.22 2.35,1.49 5.16,2.15 7.95,2.26 2.78,0.11 5.56,-0.31 8.3,-0.86 2.17,-0.43 4.33,-0.95 6.39,-1.76 3.16,-1.25 6.01,-3.16 8.72,-5.19 1.24,-0.92 2.46,-1.87 3.57,-2.94 0.37,-0.37 0.74,-0.74 1.14,-1.08 0.4,-0.33 0.85,-0.62 1.35,-0.78 0.76,-0.24 1.58,-0.17 2.37,-0.04 0.59,0.1 1.18,0.23 1.78,0.21 0.3,-0.02 0.6,-0.07 0.88,-0.18 0.28,-0.11 0.54,-0.28 0.73,-0.52 0.25,-0.3 0.38,-0.7 0.38,-1.09 0,-0.4 -0.12,-0.79 -0.32,-1.13 -0.4,-0.68 -1.09,-1.14 -1.81,-1.46 -0.99,-0.44 -2.06,-0.65 -3.11,-0.91 -3.23,-0.78 -6.37,-1.93 -9.34,-3.41 -1.48,-0.73 -2.92,-1.54 -4.37,-2.32 -1.5,-0.8 -3.02,-1.57 -4.64,-2.07 -3.64,-1.1 -7.6,-0.74 -11.19,0.51 -3.98,1.38 -7.58,3.84 -10.31,7.05 z"/>
+					<path id="mandible_upper_glare" fill="#f6da4a" filter="url(#blur_mandible_upper_glare)" clip-path="url(#clip_mandible_upper)"
+						d="m 109.45,64.75 c -0.2,-0.24 -0.48,-0.42 -0.78,-0.51 -0.3,-0.09 -0.62,-0.09 -0.93,-0.04 -0.62,0.11 -1.18,0.44 -1.7,0.8 -1.47,1.01 -2.77,2.26 -3.91,3.64 -1.5,1.83 -2.74,3.94 -3.16,6.27 -0.07,0.39 -0.11,0.8 -0.07,1.19 0.05,0.4 0.2,0.79 0.49,1.07 0.24,0.25 0.58,0.4 0.92,0.45 0.35,0.05 0.71,0 1.04,-0.11 0.66,-0.22 1.21,-0.69 1.74,-1.15 2.87,-2.58 5.47,-5.66 6.51,-9.38 0.1,-0.37 0.19,-0.75 0.19,-1.14 0,-0.39 -0.1,-0.78 -0.34,-1.09 z"/>
+					<path id="naris_left" opacity="0.8" fill="url(#fill_naris_left)" filter="url(#blur_naris_left)"
+						d="m 92.72,59.06 c -0.77,-0.25 -2.03,1.1 -1.62,1.79 0.11,0.19 0.46,0.43 0.7,0.3 0.35,-0.19 0.64,-0.89 1.02,-1.16 0.25,-0.18 0.2,-0.84 -0.1,-0.93 z"/>
+					<path id="naris_right" opacity="0.8" fill="url(#fill_naris_right)" filter="url(#blur_naris_right)"
+						d="m 102.56,59.42 c 0.2,0.64 1.23,0.53 1.83,0.84 0.52,0.27 0.94,0.86 1.53,0.88 0.56,0.01 1.44,-0.2 1.51,-0.76 0.09,-0.73 -0.98,-1.2 -1.67,-1.47 -0.89,-0.34 -2.03,-0.52 -2.86,-0.06 -0.19,0.11 -0.4,0.36 -0.34,0.57 z"/>
+				</g>
+				<path id="beak_corner" fill="url(#fill_beak_corner)" filter="url(#blur_beak_corner)" clip-path="url(#clip_beak)"
+					d="m 129.27,69.15 a 2.42,3.1 16.94 0 1 -2.81,3.04 2.42,3.1 16.94 0 1 -2.12,-3.04 2.42,3.1 16.94 0 1 2.81,-3.05 2.42,3.1 16.94 0 1 2.12,3.05 z"/>
+			</g>
+		</g>
+	</g>
+</svg>
diff --git a/org.jdrupes.vmoperator.vmaccess/resources/org/jdrupes/vmoperator/vmaccess/osicons/ubuntu.svg b/org.jdrupes.vmoperator.vmaccess/resources/org/jdrupes/vmoperator/vmaccess/osicons/ubuntu.svg
new file mode 100644
index 0000000..f217bc8
--- /dev/null
+++ b/org.jdrupes.vmoperator.vmaccess/resources/org/jdrupes/vmoperator/vmaccess/osicons/ubuntu.svg
@@ -0,0 +1,8 @@
+<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" viewBox="0 0 100 100">
+<circle fill="#f47421" cy="50" cx="50" r="45"/>
+<circle fill="none" stroke="#ffffff" stroke-width="8.55" cx="50" cy="50" r="21.825"/>
+<g id="friend"><circle fill="#f47421" cx="19.4" cy="50" r="8.4376"/>
+<path stroke="#f47421" stroke-width="3.2378" d="M67,50H77"/>
+<circle fill="#ffffff" cx="19.4" cy="50" r="6.00745"/></g>
+<use xlink:href="#friend" transform="rotate(120,50,50)"/>
+<use xlink:href="#friend" transform="rotate(240,50,50)"/></svg>
\ No newline at end of file
diff --git a/org.jdrupes.vmoperator.vmaccess/resources/org/jdrupes/vmoperator/vmaccess/osicons/unknown.svg b/org.jdrupes.vmoperator.vmaccess/resources/org/jdrupes/vmoperator/vmaccess/osicons/unknown.svg
new file mode 100644
index 0000000..51f3016
--- /dev/null
+++ b/org.jdrupes.vmoperator.vmaccess/resources/org/jdrupes/vmoperator/vmaccess/osicons/unknown.svg
@@ -0,0 +1,84 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!-- Created with Inkscape (http://www.inkscape.org/) -->
+
+<svg
+   width="7.0275774mm"
+   height="7.0274887mm"
+   viewBox="0 0 7.0275774 7.0274887"
+   version="1.1"
+   id="svg1"
+   inkscape:version="1.4 (e7c3feb100, 2024-10-09)"
+   sodipodi:docname="unknown.svg"
+   xmlns:inkscape="http://www.inkscape.org/namespaces/inkscape"
+   xmlns:sodipodi="http://sodipodi.sourceforge.net/DTD/sodipodi-0.dtd"
+   xmlns="http://www.w3.org/2000/svg"
+   xmlns:svg="http://www.w3.org/2000/svg">
+  <sodipodi:namedview
+     id="namedview1"
+     pagecolor="#ffffff"
+     bordercolor="#666666"
+     borderopacity="1.0"
+     inkscape:showpageshadow="2"
+     inkscape:pageopacity="0.0"
+     inkscape:pagecheckerboard="0"
+     inkscape:deskcolor="#d1d1d1"
+     inkscape:document-units="mm"
+     inkscape:zoom="2.0031716"
+     inkscape:cx="5.9905002"
+     inkscape:cy="46.675981"
+     inkscape:window-width="1920"
+     inkscape:window-height="1008"
+     inkscape:window-x="0"
+     inkscape:window-y="35"
+     inkscape:window-maximized="1"
+     inkscape:current-layer="layer1" />
+  <defs
+     id="defs1">
+    <rect
+       x="306.39844"
+       y="313.45834"
+       width="131.31361"
+       height="134.13757"
+       id="rect2" />
+    <rect
+       x="204.7363"
+       y="247.09554"
+       width="162.37706"
+       height="97.426239"
+       id="rect1" />
+  </defs>
+  <g
+     inkscape:label="Ebene 1"
+     inkscape:groupmode="layer"
+     id="layer1"
+     transform="translate(-101.48621,-144.98625)">
+    <text
+       xml:space="preserve"
+       transform="scale(0.26458333)"
+       id="text1"
+       style="font-size:16px;line-height:125%;font-family:sans-serif;-inkscape-font-specification:'sans-serif, Normal';letter-spacing:0px;word-spacing:0px;white-space:pre;shape-inside:url(#rect1);fill:none;stroke:#000000;stroke-width:1px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1" />
+    <text
+       xml:space="preserve"
+       transform="matrix(0.26458333,0,0,0.26458333,21.641841,63.192602)"
+       id="text2"
+       style="font-size:16px;line-height:125%;font-family:sans-serif;-inkscape-font-specification:'sans-serif, Normal';letter-spacing:0px;word-spacing:0px;white-space:pre;shape-inside:url(#rect2);fill:none;stroke:#000000;stroke-width:1px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1"><tspan
+         x="306.39844"
+         y="327.92565"
+         id="tspan3"><tspan
+           style="font-stretch:condensed;font-family:'Fira Sans Condensed';-inkscape-font-specification:'Fira Sans Condensed,  Condensed';fill:#000000"
+           id="tspan1">OS</tspan></tspan></text>
+    <path
+       style="fill:none;fill-opacity:1;stroke:#000000;stroke-width:0.657155;stroke-linecap:round;stroke-linejoin:round;stroke-miterlimit:0;stroke-dasharray:none;paint-order:fill markers stroke"
+       id="path2"
+       sodipodi:type="arc"
+       sodipodi:cx="104.99995"
+       sodipodi:cy="148.49995"
+       sodipodi:rx="3.18698"
+       sodipodi:ry="3.18698"
+       sodipodi:start="5.6242269"
+       sodipodi:end="5.5711669"
+       sodipodi:arc-type="arc"
+       d="m 107.51967,146.54859 a 3.18698,3.18698 0 0 1 -0.5351,4.44498 3.18698,3.18698 0 0 1 -4.4517,-0.47609 3.18698,3.18698 0 0 1 0.41701,-4.45762 3.18698,3.18698 0 0 1 4.46275,0.35784"
+       sodipodi:open="true" />
+  </g>
+</svg>
diff --git a/org.jdrupes.vmoperator.vmaccess/resources/org/jdrupes/vmoperator/vmaccess/osicons/windows.svg b/org.jdrupes.vmoperator.vmaccess/resources/org/jdrupes/vmoperator/vmaccess/osicons/windows.svg
new file mode 100644
index 0000000..2c7392e
--- /dev/null
+++ b/org.jdrupes.vmoperator.vmaccess/resources/org/jdrupes/vmoperator/vmaccess/osicons/windows.svg
@@ -0,0 +1 @@
+<svg xmlns="http://www.w3.org/2000/svg" height="88" width="88" xmlns:v="https://vecta.io/nano"><path d="M0 12.402l35.687-4.86.016 34.423-35.67.203zm35.67 33.529l.028 34.453L.028 75.48.026 45.7zm4.326-39.025L87.314 0v41.527l-47.318.376zm47.329 39.349l-.011 41.34-47.318-6.678-.066-34.739z" fill="#00adef"/></svg>
\ No newline at end of file
diff --git a/org.jdrupes.vmoperator.vmaccess/src/org/jdrupes/vmoperator/vmaccess/browser/VmAccess-functions.ts b/org.jdrupes.vmoperator.vmaccess/src/org/jdrupes/vmoperator/vmaccess/browser/VmAccess-functions.ts
index 9d2e134..ec21fb5 100644
--- a/org.jdrupes.vmoperator.vmaccess/src/org/jdrupes/vmoperator/vmaccess/browser/VmAccess-functions.ts
+++ b/org.jdrupes.vmoperator.vmaccess/src/org/jdrupes/vmoperator/vmaccess/browser/VmAccess-functions.ts
@@ -87,6 +87,26 @@ window.orgJDrupesVmOperatorVmAccess.initPreview = (previewDom: HTMLElement,
             const running = computed(() => previewApi.vmDefinition.running);
             const inUse = computed(() => previewApi.vmDefinition.usedBy != '');
             const permissions = computed(() => previewApi.permissions);
+            const osicon = computed(() => {
+                if (!previewApi.vmDefinition.status?.osinfo?.id) {
+                    return null;
+                }
+                switch(previewApi.vmDefinition.status.osinfo.id) {
+                    case "almalinux": return "almalinux.svg";
+                    case "arch": return "arch.svg";
+                    case "debian": return "debian.svg";
+                    case "fedora": return "fedora.svg";
+                    case "mswindows": return "windows.svg";
+                    case "ubuntu": return "ubuntu.svg";
+                    default: {
+                        if ((previewApi.vmDefinition.status.osinfo.name || "")
+                            .toLowerCase().includes("linux")) {
+                            return "tux.svg";
+                        }
+                        return "unknown.svg";
+                    }
+                }
+            });
 
             watch(previewApi, (api: Api) => {
                 JGConsole.instance.updateConletTitle(conletId, 
@@ -101,7 +121,7 @@ window.orgJDrupesVmOperatorVmAccess.initPreview = (previewDom: HTMLElement,
         
             return { localize, resourceBase, vmAction, poolName, vmName, 
                 configured, busy, startable, stoppable, running, inUse,
-                permissions };
+                permissions, osicon };
         },
         template: `
           <table>
@@ -111,13 +131,16 @@ window.orgJDrupesVmOperatorVmAccess.initPreview = (previewDom: HTMLElement,
                   style="position: absolute;" :class="{ busy: busy }"
                   ><img role=button :aria-disabled="!running
                       || !permissions.includes('accessConsole')" 
-                  v-on:click="vmAction('openConsole')"
-                  :src="resourceBase + (running
+                    v-on:click="vmAction('openConsole')"
+                    :src="resourceBase + (running
                       ? (inUse ? 'computer-in-use.svg' : 'computer.svg') 
                       : 'computer-off.svg')"
-                  :title="localize('Open console')"></span><span
+                    :title="localize('Open console')"></span><span
+                    v-if="!busy && !inUse && osicon"
+                    style="position: absolute;" class="osicon"><img
+                      :src="resourceBase + 'osicons/' + osicon"></span><span
                   style="visibility: hidden;"><img
-                  :src="resourceBase + 'computer.svg'"></span></td>
+                    :src="resourceBase + 'computer.svg'"></span></td>
                 <td v-if="!poolName" style="padding: 0;"></td>
                 <td v-else>{{ vmName }}</td>
               </tr>
diff --git a/org.jdrupes.vmoperator.vmaccess/src/org/jdrupes/vmoperator/vmaccess/browser/VmAccess-style.scss b/org.jdrupes.vmoperator.vmaccess/src/org/jdrupes/vmoperator/vmaccess/browser/VmAccess-style.scss
index 86b4014..63ae299 100644
--- a/org.jdrupes.vmoperator.vmaccess/src/org/jdrupes/vmoperator/vmaccess/browser/VmAccess-style.scss
+++ b/org.jdrupes.vmoperator.vmaccess/src/org/jdrupes/vmoperator/vmaccess/browser/VmAccess-style.scss
@@ -79,6 +79,20 @@
     z-index: 100;
     pointer-events: none;
   }  
+  
+  span.osicon {
+    width: 4.25em;
+    height: 3em;
+    padding: 0.25rem;
+    pointer-events: none;
+    
+    img {
+      display: block;
+      height: 1.75em;
+      margin: 0.2em auto 0;
+      pointer-events: none;
+    }
+  }
 }
 
 .jdrupes-vmoperator-vmaccess.jdrupes-vmoperator-vmaccess-edit {

From 5ad052ffe479341ade5833af0d499620eb08c61a Mon Sep 17 00:00:00 2001
From: "Michael N. Lipp" <mnl@mnl.de>
Date: Wed, 19 Feb 2025 21:04:08 +0100
Subject: [PATCH 113/274] Delay console opening for pool VMs.

---
 .../manager/events/GetDisplayPassword.java    |  74 -----------
 .../manager/events/PrepareConsole.java        | 119 ++++++++++++++++++
 .../manager/DisplaySecretMonitor.java         |  48 ++++---
 .../jdrupes/vmoperator/vmaccess/VmAccess.java |  25 ++--
 .../vmaccess/browser/VmAccess-functions.ts    |  21 ++--
 .../org/jdrupes/vmoperator/vmmgmt/VmMgmt.java |  23 ++--
 6 files changed, 191 insertions(+), 119 deletions(-)
 delete mode 100644 org.jdrupes.vmoperator.manager.events/src/org/jdrupes/vmoperator/manager/events/GetDisplayPassword.java
 create mode 100644 org.jdrupes.vmoperator.manager.events/src/org/jdrupes/vmoperator/manager/events/PrepareConsole.java

diff --git a/org.jdrupes.vmoperator.manager.events/src/org/jdrupes/vmoperator/manager/events/GetDisplayPassword.java b/org.jdrupes.vmoperator.manager.events/src/org/jdrupes/vmoperator/manager/events/GetDisplayPassword.java
deleted file mode 100644
index f6fa555..0000000
--- a/org.jdrupes.vmoperator.manager.events/src/org/jdrupes/vmoperator/manager/events/GetDisplayPassword.java
+++ /dev/null
@@ -1,74 +0,0 @@
-/*
- * VM-Operator
- * Copyright (C) 2024 Michael N. Lipp
- * 
- * This program is free software: you can redistribute it and/or modify
- * it under the terms of the GNU Affero General Public License as
- * published by the Free Software Foundation, either version 3 of the
- * License, or (at your option) any later version.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- * GNU Affero General Public License for more details.
- *
- * You should have received a copy of the GNU Affero General Public License
- * along with this program.  If not, see <https://www.gnu.org/licenses/>.
- */
-
-package org.jdrupes.vmoperator.manager.events;
-
-import java.util.Optional;
-import org.jdrupes.vmoperator.common.VmDefinition;
-import org.jgrapes.core.Event;
-
-/**
- * Gets the current display secret and optionally updates it.
- */
-@SuppressWarnings("PMD.DataClass")
-public class GetDisplayPassword extends Event<String> {
-
-    private final VmDefinition vmDef;
-    private final String user;
-
-    /**
-     * Instantiates a new request for the display secret.
-     *
-     * @param vmDef the vm name
-     * @param user the requesting user
-     */
-    public GetDisplayPassword(VmDefinition vmDef, String user) {
-        this.vmDef = vmDef;
-        this.user = user;
-    }
-
-    /**
-     * Gets the vm definition.
-     *
-     * @return the vm definition
-     */
-    public VmDefinition vmDefinition() {
-        return vmDef;
-    }
-
-    /**
-     * Return the id of the user who has requested the password.
-     *
-     * @return the string
-     */
-    public String user() {
-        return user;
-    }
-
-    /**
-     * Return the password. May only be called when the event is completed.
-     *
-     * @return the optional
-     */
-    public Optional<String> password() {
-        if (!isDone()) {
-            throw new IllegalStateException("Event is not done.");
-        }
-        return currentResults().stream().findFirst();
-    }
-}
diff --git a/org.jdrupes.vmoperator.manager.events/src/org/jdrupes/vmoperator/manager/events/PrepareConsole.java b/org.jdrupes.vmoperator.manager.events/src/org/jdrupes/vmoperator/manager/events/PrepareConsole.java
new file mode 100644
index 0000000..ad8f9ce
--- /dev/null
+++ b/org.jdrupes.vmoperator.manager.events/src/org/jdrupes/vmoperator/manager/events/PrepareConsole.java
@@ -0,0 +1,119 @@
+/*
+ * VM-Operator
+ * Copyright (C) 2024 Michael N. Lipp
+ * 
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as
+ * published by the Free Software Foundation, either version 3 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program.  If not, see <https://www.gnu.org/licenses/>.
+ */
+
+package org.jdrupes.vmoperator.manager.events;
+
+import org.jdrupes.vmoperator.common.VmDefinition;
+import org.jgrapes.core.Event;
+
+/**
+ * Gets the current display secret and optionally updates it.
+ */
+@SuppressWarnings("PMD.DataClass")
+public class PrepareConsole extends Event<String> {
+
+    private final VmDefinition vmDef;
+    private final String user;
+    private final boolean loginUser;
+
+    /**
+     * Instantiates a new request for the display secret.
+     * After handling the event, a result of `null` means that
+     * no password is needed. No result means that the console
+     * is not accessible.
+     *
+     * @param vmDef the vm name
+     * @param user the requesting user
+     * @param loginUser login the user
+     */
+    public PrepareConsole(VmDefinition vmDef, String user,
+            boolean loginUser) {
+        this.vmDef = vmDef;
+        this.user = user;
+        this.loginUser = loginUser;
+    }
+
+    /**
+     * Instantiates a new request for the display secret.
+     * After handling the event, a result of `null` means that
+     * no password is needed. No result means that the console
+     * is not accessible.
+     * 
+     * @param vmDef the vm name
+     * @param user the requesting user
+     */
+    public PrepareConsole(VmDefinition vmDef, String user) {
+        this(vmDef, user, false);
+    }
+
+    /**
+     * Gets the vm definition.
+     *
+     * @return the vm definition
+     */
+    public VmDefinition vmDefinition() {
+        return vmDef;
+    }
+
+    /**
+     * Return the id of the user who has requested the password.
+     *
+     * @return the string
+     */
+    public String user() {
+        return user;
+    }
+
+    /**
+     * Checks if the user should be logged in before allowing access.
+     *
+     * @return the loginUser
+     */
+    public boolean loginUser() {
+        return loginUser;
+    }
+
+    /**
+     * Returns `true` if a password is available. May only be called
+     * when the event is completed. Note that the password returned
+     * by {@link #password()} may be `null`, indicating that no password
+     * is needed.
+     *
+     * @return true, if successful
+     */
+    public boolean passwordAvailable() {
+        if (!isDone()) {
+            throw new IllegalStateException("Event is not done.");
+        }
+        return !currentResults().isEmpty();
+    }
+
+    /**
+     * Return the password. May only be called when the event has been
+     * completed with a valid result (see {@link #passwordAvailable()}).
+     *
+     * @return the password. A value of `null` means that no password
+     * is required.
+     */
+    public String password() {
+        if (!isDone() || currentResults().isEmpty()) {
+            throw new IllegalStateException("Event is not done.");
+        }
+        return currentResults().get(0);
+    }
+}
diff --git a/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/DisplaySecretMonitor.java b/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/DisplaySecretMonitor.java
index a0809e9..152f91e 100644
--- a/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/DisplaySecretMonitor.java
+++ b/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/DisplaySecretMonitor.java
@@ -50,7 +50,7 @@ import static org.jdrupes.vmoperator.manager.Constants.COMP_DISPLAY_SECRET;
 import static org.jdrupes.vmoperator.manager.Constants.DATA_DISPLAY_PASSWORD;
 import static org.jdrupes.vmoperator.manager.Constants.DATA_PASSWORD_EXPIRY;
 import org.jdrupes.vmoperator.manager.events.ChannelDictionary;
-import org.jdrupes.vmoperator.manager.events.GetDisplayPassword;
+import org.jdrupes.vmoperator.manager.events.PrepareConsole;
 import org.jdrupes.vmoperator.manager.events.VmChannel;
 import org.jdrupes.vmoperator.manager.events.VmDefChanged;
 import org.jgrapes.core.Channel;
@@ -72,7 +72,7 @@ public class DisplaySecretMonitor
         extends AbstractMonitor<V1Secret, V1SecretList, VmChannel> {
 
     private int passwordValidity = 10;
-    private final List<PendingGet> pendingGets
+    private final List<PendingGet> pendingPrepares
         = Collections.synchronizedList(new LinkedList<>());
     private final ChannelDictionary<String, VmChannel, ?> channelDictionary;
 
@@ -178,49 +178,59 @@ public class DisplaySecretMonitor
      */
     @Handler
     @SuppressWarnings("PMD.StringInstantiation")
-    public void onGetDisplaySecrets(GetDisplayPassword event, VmChannel channel)
+    public void onPrepareConsole(PrepareConsole event, VmChannel channel)
             throws ApiException {
         // Update console user in status
         var vmStub = VmDefinitionStub.get(client(),
             new GroupVersionKind(VM_OP_GROUP, "", VM_OP_KIND_VM),
             event.vmDefinition().namespace(), event.vmDefinition().name());
-        vmStub.updateStatus(from -> {
+        var optVmDef = vmStub.updateStatus(from -> {
             JsonObject status = from.statusJson();
             status.addProperty("consoleUser", event.user());
             return status;
         });
+        if (optVmDef.isEmpty()) {
+            return;
+        }
+        var vmDef = optVmDef.get();
+
+        // Check if access is possible
+        if (event.loginUser()
+            ? !vmDef.conditionStatus("Booted").orElse(false)
+            : !vmDef.conditionStatus("Running").orElse(false)) {
+            return;
+        }
 
         // Look for secret
         ListOptions options = new ListOptions();
         options.setLabelSelector("app.kubernetes.io/name=" + APP_NAME + ","
             + "app.kubernetes.io/component=" + COMP_DISPLAY_SECRET + ","
-            + "app.kubernetes.io/instance="
-            + event.vmDefinition().metadata().getName());
-        var stubs = K8sV1SecretStub.list(client(),
-            event.vmDefinition().namespace(), options);
+            + "app.kubernetes.io/instance=" + vmDef.name());
+        var stubs = K8sV1SecretStub.list(client(), vmDef.namespace(), options);
         if (stubs.isEmpty()) {
             // No secret means no password for this VM wanted
+            event.setResult(null);
             return;
         }
         var stub = stubs.iterator().next();
 
         // Check validity
-        var model = stub.model().get();
+        var secret = stub.model().get();
         @SuppressWarnings("PMD.StringInstantiation")
-        var expiry = Optional.ofNullable(model.getData()
+        var expiry = Optional.ofNullable(secret.getData()
             .get(DATA_PASSWORD_EXPIRY)).map(b -> new String(b)).orElse(null);
-        if (model.getData().get(DATA_DISPLAY_PASSWORD) != null
+        if (secret.getData().get(DATA_DISPLAY_PASSWORD) != null
             && stillValid(expiry)) {
             // Fixed secret, don't touch
             event.setResult(
-                new String(model.getData().get(DATA_DISPLAY_PASSWORD)));
+                new String(secret.getData().get(DATA_DISPLAY_PASSWORD)));
             return;
         }
         updatePassword(stub, event);
     }
 
     @SuppressWarnings("PMD.StringInstantiation")
-    private void updatePassword(K8sV1SecretStub stub, GetDisplayPassword event)
+    private void updatePassword(K8sV1SecretStub stub, PrepareConsole event)
             throws ApiException {
         SecureRandom random = null;
         try {
@@ -242,9 +252,9 @@ public class DisplaySecretMonitor
         var pending = new PendingGet(event,
             event.vmDefinition().displayPasswordSerial().orElse(0L) + 1,
             new CompletionLock(event, 1500));
-        pendingGets.add(pending);
+        pendingPrepares.add(pending);
         Event.onCompletion(event, e -> {
-            pendingGets.remove(pending);
+            pendingPrepares.remove(pending);
         });
 
         // Update, will (eventually) trigger confirmation
@@ -273,9 +283,9 @@ public class DisplaySecretMonitor
     @Handler
     @SuppressWarnings("PMD.AvoidSynchronizedStatement")
     public void onVmDefChanged(VmDefChanged event, Channel channel) {
-        synchronized (pendingGets) {
+        synchronized (pendingPrepares) {
             String vmName = event.vmDefinition().name();
-            for (var pending : pendingGets) {
+            for (var pending : pendingPrepares) {
                 if (pending.event.vmDefinition().name().equals(vmName)
                     && event.vmDefinition().displayPasswordSerial()
                         .map(s -> s >= pending.expectedSerial).orElse(false)) {
@@ -293,7 +303,7 @@ public class DisplaySecretMonitor
      */
     @SuppressWarnings("PMD.DataClass")
     private static class PendingGet {
-        public final GetDisplayPassword event;
+        public final PrepareConsole event;
         public final long expectedSerial;
         public final CompletionLock lock;
 
@@ -303,7 +313,7 @@ public class DisplaySecretMonitor
          * @param event the event
          * @param expectedSerial the expected serial
          */
-        public PendingGet(GetDisplayPassword event, long expectedSerial,
+        public PendingGet(PrepareConsole event, long expectedSerial,
                 CompletionLock lock) {
             super();
             this.event = event;
diff --git a/org.jdrupes.vmoperator.vmaccess/src/org/jdrupes/vmoperator/vmaccess/VmAccess.java b/org.jdrupes.vmoperator.vmaccess/src/org/jdrupes/vmoperator/vmaccess/VmAccess.java
index e283504..3b28d1c 100644
--- a/org.jdrupes.vmoperator.vmaccess/src/org/jdrupes/vmoperator/vmaccess/VmAccess.java
+++ b/org.jdrupes.vmoperator.vmaccess/src/org/jdrupes/vmoperator/vmaccess/VmAccess.java
@@ -49,11 +49,11 @@ import org.jdrupes.vmoperator.common.VmDefinition;
 import org.jdrupes.vmoperator.common.VmDefinition.Permission;
 import org.jdrupes.vmoperator.common.VmPool;
 import org.jdrupes.vmoperator.manager.events.AssignVm;
-import org.jdrupes.vmoperator.manager.events.GetDisplayPassword;
 import org.jdrupes.vmoperator.manager.events.GetPools;
 import org.jdrupes.vmoperator.manager.events.GetVms;
 import org.jdrupes.vmoperator.manager.events.GetVms.VmData;
 import org.jdrupes.vmoperator.manager.events.ModifyVm;
+import org.jdrupes.vmoperator.manager.events.PrepareConsole;
 import org.jdrupes.vmoperator.manager.events.ResetVm;
 import org.jdrupes.vmoperator.manager.events.VmChannel;
 import org.jdrupes.vmoperator.manager.events.VmDefChanged;
@@ -808,18 +808,23 @@ public class VmAccess extends FreeMarkerConlet<VmAccess.ResourceModel> {
                 Map.of("autoClose", 5_000, "type", "Warning")));
             return;
         }
-        var pwQuery = Event.onCompletion(new GetDisplayPassword(vmDef, user),
-            e -> {
-                vmDef.extra()
-                    .map(xtra -> xtra.connectionFile(e.password().orElse(null),
-                        preferredIpVersion, deleteConnectionFile))
-                    .ifPresent(
-                        cf -> channel.respond(new NotifyConletView(type(),
-                            model.getConletId(), "openConsole", cf)));
-            });
+        var pwQuery = Event.onCompletion(new PrepareConsole(vmDef, user,
+            model.mode() == ResourceModel.Mode.POOL),
+            e -> gotPassword(channel, model, vmDef, e));
         fire(pwQuery, vmChannel);
     }
 
+    private void gotPassword(ConsoleConnection channel, ResourceModel model,
+            VmDefinition vmDef, PrepareConsole event) {
+        if (!event.passwordAvailable()) {
+            return;
+        }
+        vmDef.extra().map(xtra -> xtra.connectionFile(event.password(),
+            preferredIpVersion, deleteConnectionFile))
+            .ifPresent(cf -> channel.respond(new NotifyConletView(type(),
+                model.getConletId(), "openConsole", cf)));
+    }
+
     @SuppressWarnings({ "PMD.AvoidLiteralsInIfCondition",
         "PMD.UseLocaleWithCaseConversions" })
     private void selectResource(NotifyConletModel event,
diff --git a/org.jdrupes.vmoperator.vmaccess/src/org/jdrupes/vmoperator/vmaccess/browser/VmAccess-functions.ts b/org.jdrupes.vmoperator.vmaccess/src/org/jdrupes/vmoperator/vmaccess/browser/VmAccess-functions.ts
index ec21fb5..31408cb 100644
--- a/org.jdrupes.vmoperator.vmaccess/src/org/jdrupes/vmoperator/vmaccess/browser/VmAccess-functions.ts
+++ b/org.jdrupes.vmoperator.vmaccess/src/org/jdrupes/vmoperator/vmaccess/browser/VmAccess-functions.ts
@@ -73,7 +73,9 @@ window.orgJDrupesVmOperatorVmAccess.initPreview = (previewDom: HTMLElement,
             const configured = computed(() => previewApi.vmDefinition.spec);
             const busy = computed(() => previewApi.vmDefinition.spec
                 && (previewApi.vmDefinition.spec.vm.state === 'Running'
-                        && !previewApi.vmDefinition.running
+                        && (previewApi.poolName
+                            ? !previewApi.vmDefinition.booted
+                            : !previewApi.vmDefinition.running)
                     || previewApi.vmDefinition.spec.vm.state === 'Stopped' 
                         && previewApi.vmDefinition.running));
             const startable = computed(() => previewApi.vmDefinition.spec
@@ -85,6 +87,7 @@ window.orgJDrupesVmOperatorVmAccess.initPreview = (previewDom: HTMLElement,
                 previewApi.vmDefinition.spec.vm.state !== 'Stopped' 
                 && previewApi.vmDefinition.running);
             const running = computed(() => previewApi.vmDefinition.running);
+            const booted = computed(() => previewApi.vmDefinition.booted);
             const inUse = computed(() => previewApi.vmDefinition.usedBy != '');
             const permissions = computed(() => previewApi.permissions);
             const osicon = computed(() => {
@@ -120,8 +123,8 @@ window.orgJDrupesVmOperatorVmAccess.initPreview = (previewDom: HTMLElement,
             };
         
             return { localize, resourceBase, vmAction, poolName, vmName, 
-                configured, busy, startable, stoppable, running, inUse,
-                permissions, osicon };
+                configured, busy, startable, stoppable, running, booted,
+                inUse, permissions, osicon };
         },
         template: `
           <table>
@@ -129,7 +132,8 @@ window.orgJDrupesVmOperatorVmAccess.initPreview = (previewDom: HTMLElement,
               <tr>
                 <td rowspan="2" style="position: relative"><span
                   style="position: absolute;" :class="{ busy: busy }"
-                  ><img role=button :aria-disabled="!running
+                  ><img role=button :aria-disabled="(poolName 
+                      ? !booted : !running)
                       || !permissions.includes('accessConsole')" 
                     v-on:click="vmAction('openConsole')"
                     :src="resourceBase + (running
@@ -206,14 +210,17 @@ JGConsole.registerConletFunction("org.jdrupes.vmoperator.vmaccess.VmAccess",
             vmDefinition.currentCpus = vmDefinition.status.cpus;
             vmDefinition.currentRam = Number(vmDefinition.status.ram);
             vmDefinition.usedBy = vmDefinition.status.consoleClient || "";
-            for (const condition of vmDefinition.status.conditions) {
+            vmDefinition.status.conditions.forEach((condition: any) => {
                 if (condition.type === "Running") {
                     vmDefinition.running = condition.status === "True";
                     vmDefinition.runningConditionSince 
                         = new Date(condition.lastTransitionTime);
-                    break;
+                } else if (condition.type === "Booted") {
+                    vmDefinition.booted = condition.status === "True";
+                    vmDefinition.bootedConditionSince 
+                        = new Date(condition.lastTransitionTime);
                 }
-            }
+            })
         } else {
             vmDefinition = {};
         }
diff --git a/org.jdrupes.vmoperator.vmmgmt/src/org/jdrupes/vmoperator/vmmgmt/VmMgmt.java b/org.jdrupes.vmoperator.vmmgmt/src/org/jdrupes/vmoperator/vmmgmt/VmMgmt.java
index 4cc63fa..10b4f48 100644
--- a/org.jdrupes.vmoperator.vmmgmt/src/org/jdrupes/vmoperator/vmmgmt/VmMgmt.java
+++ b/org.jdrupes.vmoperator.vmmgmt/src/org/jdrupes/vmoperator/vmmgmt/VmMgmt.java
@@ -43,8 +43,8 @@ import org.jdrupes.vmoperator.common.VmDefinition;
 import org.jdrupes.vmoperator.common.VmDefinition.Permission;
 import org.jdrupes.vmoperator.common.VmExtraData;
 import org.jdrupes.vmoperator.manager.events.ChannelTracker;
-import org.jdrupes.vmoperator.manager.events.GetDisplayPassword;
 import org.jdrupes.vmoperator.manager.events.ModifyVm;
+import org.jdrupes.vmoperator.manager.events.PrepareConsole;
 import org.jdrupes.vmoperator.manager.events.ResetVm;
 import org.jdrupes.vmoperator.manager.events.VmChannel;
 import org.jdrupes.vmoperator.manager.events.VmDefChanged;
@@ -483,17 +483,22 @@ public class VmMgmt extends FreeMarkerConlet<VmMgmt.VmsModel> {
                 Map.of("autoClose", 5_000, "type", "Warning")));
             return;
         }
-        var pwQuery = Event.onCompletion(new GetDisplayPassword(vmDef, user),
-            e -> {
-                vmDef.extra().map(xtra -> xtra.connectionFile(
-                    e.password().orElse(null), preferredIpVersion,
-                    deleteConnectionFile)).ifPresent(
-                        cf -> channel.respond(new NotifyConletView(type(),
-                            model.getConletId(), "openConsole", cf)));
-            });
+        var pwQuery = Event.onCompletion(new PrepareConsole(vmDef, user),
+            e -> gotPassword(channel, model, vmDef, e));
         fire(pwQuery, vmChannel);
     }
 
+    private void gotPassword(ConsoleConnection channel, VmsModel model,
+            VmDefinition vmDef, PrepareConsole event) {
+        if (!event.passwordAvailable()) {
+            return;
+        }
+        vmDef.extra().map(xtra -> xtra.connectionFile(event.password(),
+            preferredIpVersion, deleteConnectionFile)).ifPresent(
+                cf -> channel.respond(new NotifyConletView(type(),
+                    model.getConletId(), "openConsole", cf)));
+    }
+
     @Override
     protected boolean doSetLocale(SetLocale event, ConsoleConnection channel,
             String conletId) throws Exception {

From e29135282848de191f1075d35e5cefe64bb25fb0 Mon Sep 17 00:00:00 2001
From: "Michael N. Lipp" <mnl@mnl.de>
Date: Fri, 21 Feb 2025 20:54:27 +0100
Subject: [PATCH 114/274] Prepare usage of guest os command.

---
 .../runner/qemu/GuestAgentClient.java         | 39 ++++++++++++++++++-
 .../vmoperator/runner/qemu/Runner.java        |  9 ++++-
 .../templates/Standard-VM-latest.ftl.yaml     |  4 ++
 3 files changed, 49 insertions(+), 3 deletions(-)

diff --git a/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/GuestAgentClient.java b/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/GuestAgentClient.java
index f3928f5..afe3d26 100644
--- a/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/GuestAgentClient.java
+++ b/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/GuestAgentClient.java
@@ -20,6 +20,7 @@ package org.jdrupes.vmoperator.runner.qemu;
 
 import com.fasterxml.jackson.core.JsonProcessingException;
 import com.fasterxml.jackson.databind.ObjectMapper;
+import com.fasterxml.jackson.databind.node.ArrayNode;
 import com.fasterxml.jackson.databind.node.ObjectNode;
 import java.io.IOException;
 import java.io.Writer;
@@ -28,6 +29,8 @@ import java.net.UnixDomainSocketAddress;
 import java.nio.file.Files;
 import java.nio.file.Path;
 import java.util.LinkedList;
+import java.util.List;
+import java.util.Map;
 import java.util.Queue;
 import java.util.logging.Level;
 import org.jdrupes.vmoperator.runner.qemu.commands.QmpCommand;
@@ -65,6 +68,8 @@ public class GuestAgentClient extends Component {
 
     private EventPipeline rep;
     private Path socketPath;
+    private List<Map<String, String>> guestAgentCmds;
+    private String guestAgentCmd;
     private SocketIOChannel gaChannel;
     private final Queue<QmpCommand> executing = new LinkedList<>();
 
@@ -72,6 +77,7 @@ public class GuestAgentClient extends Component {
      * Instantiates a new guest agent client.
      *
      * @param componentChannel the component channel
+     * @param guestAgentCmds 
      * @throws IOException Signals that an I/O exception has occurred.
      */
     @SuppressWarnings({ "PMD.AssignmentToNonFinalStatic",
@@ -87,10 +93,20 @@ public class GuestAgentClient extends Component {
      * forwarded from the {@link Runner} instead.
      *
      * @param socketPath the socket path
+     * @param guestAgentCmds 
      * @param powerdownTimeout 
      */
-    /* default */ void configure(Path socketPath) {
+    @SuppressWarnings("PMD.EmptyCatchBlock")
+    /* default */ void configure(Path socketPath, ArrayNode guestAgentCmds) {
         this.socketPath = socketPath;
+        try {
+            this.guestAgentCmds = mapper.convertValue(guestAgentCmds,
+                mapper.constructType(getClass()
+                    .getDeclaredField("guestAgentCmds").getGenericType()));
+        } catch (IllegalArgumentException | NoSuchFieldException
+                | SecurityException e) {
+            // Cannot happen
+        }
     }
 
     /**
@@ -193,7 +209,7 @@ public class GuestAgentClient extends Component {
                     () -> String.format("(Previous \"guest agent(in)\" is "
                         + "result from executing %s)", executed));
                 if (executed instanceof QmpGuestGetOsinfo) {
-                    rep.fire(new OsinfoEvent(response.get("return")));
+                    processOsInfo(response);
                 }
             }
         } catch (JsonProcessingException e) {
@@ -201,6 +217,25 @@ public class GuestAgentClient extends Component {
         }
     }
 
+    private void processOsInfo(ObjectNode response) {
+        var osInfo = new OsinfoEvent(response.get("return"));
+        var osId = osInfo.osinfo().get("id").asText();
+        for (var cmdDef : guestAgentCmds) {
+            if (osId.equals(cmdDef.get("osId"))
+                || "*".equals(cmdDef.get("osId"))) {
+                guestAgentCmd = cmdDef.get("executable");
+                break;
+            }
+        }
+        if (guestAgentCmd == null) {
+            logger.warning(() -> "No guest agent command for OS " + osId);
+        } else {
+            logger.fine(() -> "Guest agent command for OS " + osId
+                + " is " + guestAgentCmd);
+        }
+        rep.fire(osInfo);
+    }
+
     /**
      * On closed.
      *
diff --git a/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/Runner.java b/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/Runner.java
index b258e1a..e0cd837 100644
--- a/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/Runner.java
+++ b/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/Runner.java
@@ -23,6 +23,7 @@ import com.fasterxml.jackson.databind.DeserializationFeature;
 import com.fasterxml.jackson.databind.JsonMappingException;
 import com.fasterxml.jackson.databind.JsonNode;
 import com.fasterxml.jackson.databind.ObjectMapper;
+import com.fasterxml.jackson.databind.node.ArrayNode;
 import com.fasterxml.jackson.dataformat.yaml.YAMLFactory;
 import com.fasterxml.jackson.dataformat.yaml.YAMLGenerator;
 import freemarker.core.ParseException;
@@ -197,6 +198,7 @@ public class Runner extends Component {
     private static final String QEMU = "qemu";
     private static final String SWTPM = "swtpm";
     private static final String CLOUD_INIT_IMG = "cloudInitImg";
+    private static final String GUEST_AGENT_CMDS = "guestAgentCmds";
     private static final String TEMPLATE_DIR
         = "/opt/" + APP_NAME.replace("-", "") + "/templates";
     private static final String DEFAULT_TEMPLATE
@@ -348,11 +350,16 @@ public class Runner extends Component {
                     .map(d -> new CommandDefinition(CLOUD_INIT_IMG, d))
                     .orElse(null);
             logger.finest(() -> cloudInitImgDefinition.toString());
+            var guestAgentCmds = (ArrayNode) tplData.get(GUEST_AGENT_CMDS);
+            if (guestAgentCmds != null) {
+                logger.finest(
+                    () -> "GuestAgentCmds: " + guestAgentCmds.toString());
+            }
 
             // Forward some values to child components
             qemuMonitor.configure(config.monitorSocket,
                 config.vm.powerdownTimeout);
-            guestAgentClient.configure(config.guestAgentSocket);
+            guestAgentClient.configure(config.guestAgentSocket, guestAgentCmds);
         } catch (IllegalArgumentException | IOException | TemplateException e) {
             logger.log(Level.SEVERE, e, () -> "Invalid configuration: "
                 + e.getMessage());
diff --git a/org.jdrupes.vmoperator.runner.qemu/templates/Standard-VM-latest.ftl.yaml b/org.jdrupes.vmoperator.runner.qemu/templates/Standard-VM-latest.ftl.yaml
index e2610ba..3eacfa3 100644
--- a/org.jdrupes.vmoperator.runner.qemu/templates/Standard-VM-latest.ftl.yaml
+++ b/org.jdrupes.vmoperator.runner.qemu/templates/Standard-VM-latest.ftl.yaml
@@ -233,3 +233,7 @@
     </#list>
     </#if>
     </#if>
+
+"guestAgentCmds":
+  - "osId": "*"
+    "executable": "/usr/local/libexec/vm-operator-cmd"

From 81b128e4a3461039abfde053ed7a32e5a391b811 Mon Sep 17 00:00:00 2001
From: "Michael N. Lipp" <mnl@mnl.de>
Date: Sat, 22 Feb 2025 21:24:58 +0100
Subject: [PATCH 115/274] Clarify responsibilities of display secret monitor
 and reconciler.

---
 .../manager/DisplaySecretMonitor.java         | 210 +---------------
 .../manager/DisplaySecretReconciler.java      | 224 +++++++++++++++++-
 .../vmoperator/manager/Reconciler.java        |   5 +-
 webpages/vm-operator/upgrading.md             |  24 +-
 webpages/vm-operator/user-gui.md              |  12 +-
 5 files changed, 252 insertions(+), 223 deletions(-)

diff --git a/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/DisplaySecretMonitor.java b/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/DisplaySecretMonitor.java
index 152f91e..99c8a11 100644
--- a/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/DisplaySecretMonitor.java
+++ b/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/DisplaySecretMonitor.java
@@ -1,6 +1,6 @@
 /*
  * VM-Operator
- * Copyright (C) 2024 Michael N. Lipp
+ * Copyright (C) 2025 Michael N. Lipp
  * 
  * This program is free software: you can redistribute it and/or modify
  * it under the terms of the GNU Affero General Public License as
@@ -18,8 +18,6 @@
 
 package org.jdrupes.vmoperator.manager;
 
-import com.google.gson.JsonObject;
-import io.kubernetes.client.apimachinery.GroupVersionKind;
 import io.kubernetes.client.custom.V1Patch;
 import io.kubernetes.client.openapi.ApiException;
 import io.kubernetes.client.openapi.models.V1Secret;
@@ -28,52 +26,26 @@ import io.kubernetes.client.util.Watch.Response;
 import io.kubernetes.client.util.generic.options.ListOptions;
 import io.kubernetes.client.util.generic.options.PatchOptions;
 import java.io.IOException;
-import java.security.NoSuchAlgorithmException;
-import java.security.SecureRandom;
-import java.time.Instant;
-import java.util.Collections;
-import java.util.LinkedList;
-import java.util.List;
-import java.util.Map;
-import java.util.Optional;
-import java.util.Scanner;
 import java.util.logging.Level;
 import static org.jdrupes.vmoperator.common.Constants.APP_NAME;
-import static org.jdrupes.vmoperator.common.Constants.VM_OP_GROUP;
-import static org.jdrupes.vmoperator.common.Constants.VM_OP_KIND_VM;
 import static org.jdrupes.vmoperator.common.Constants.VM_OP_NAME;
 import org.jdrupes.vmoperator.common.K8sClient;
 import org.jdrupes.vmoperator.common.K8sV1PodStub;
 import org.jdrupes.vmoperator.common.K8sV1SecretStub;
-import org.jdrupes.vmoperator.common.VmDefinitionStub;
 import static org.jdrupes.vmoperator.manager.Constants.COMP_DISPLAY_SECRET;
-import static org.jdrupes.vmoperator.manager.Constants.DATA_DISPLAY_PASSWORD;
-import static org.jdrupes.vmoperator.manager.Constants.DATA_PASSWORD_EXPIRY;
 import org.jdrupes.vmoperator.manager.events.ChannelDictionary;
-import org.jdrupes.vmoperator.manager.events.PrepareConsole;
 import org.jdrupes.vmoperator.manager.events.VmChannel;
-import org.jdrupes.vmoperator.manager.events.VmDefChanged;
 import org.jgrapes.core.Channel;
-import org.jgrapes.core.CompletionLock;
-import org.jgrapes.core.Event;
-import org.jgrapes.core.annotation.Handler;
-import org.jgrapes.util.events.ConfigurationUpdate;
-import org.jose4j.base64url.Base64;
 
 /**
- * Watches for changes of display secrets. The component supports the
- * following configuration properties:
- * 
- *   * `passwordValidity`: the validity of the random password in seconds.
- *     Used to calculate the password expiry time in the generated secret.
+ * Watches for changes of display secrets. Updates an artifical attribute
+ * of the pod running the VM in response to force an update of the files 
+ * in the pod that reflect the information from the secret.
  */
 @SuppressWarnings({ "PMD.DataflowAnomalyAnalysis", "PMD.TooManyStaticImports" })
 public class DisplaySecretMonitor
         extends AbstractMonitor<V1Secret, V1SecretList, VmChannel> {
 
-    private int passwordValidity = 10;
-    private final List<PendingGet> pendingPrepares
-        = Collections.synchronizedList(new LinkedList<>());
     private final ChannelDictionary<String, VmChannel, ?> channelDictionary;
 
     /**
@@ -93,27 +65,6 @@ public class DisplaySecretMonitor
         options(options);
     }
 
-    /**
-     * On configuration update.
-     *
-     * @param event the event
-     */
-    @Handler
-    @Override
-    public void onConfigurationUpdate(ConfigurationUpdate event) {
-        super.onConfigurationUpdate(event);
-        event.structured(componentPath()).ifPresent(c -> {
-            try {
-                if (c.containsKey("passwordValidity")) {
-                    passwordValidity = Integer
-                        .parseInt((String) c.get("passwordValidity"));
-                }
-            } catch (ClassCastException e) {
-                logger.config("Malformed configuration: " + e.getMessage());
-            }
-        });
-    }
-
     @Override
     protected void prepareMonitoring() throws IOException, ApiException {
         client(new K8sClient());
@@ -168,157 +119,4 @@ public class DisplaySecretMonitor
                 + "\"}]"),
             patchOpts);
     }
-
-    /**
-     * On get display secrets.
-     *
-     * @param event the event
-     * @param channel the channel
-     * @throws ApiException the api exception
-     */
-    @Handler
-    @SuppressWarnings("PMD.StringInstantiation")
-    public void onPrepareConsole(PrepareConsole event, VmChannel channel)
-            throws ApiException {
-        // Update console user in status
-        var vmStub = VmDefinitionStub.get(client(),
-            new GroupVersionKind(VM_OP_GROUP, "", VM_OP_KIND_VM),
-            event.vmDefinition().namespace(), event.vmDefinition().name());
-        var optVmDef = vmStub.updateStatus(from -> {
-            JsonObject status = from.statusJson();
-            status.addProperty("consoleUser", event.user());
-            return status;
-        });
-        if (optVmDef.isEmpty()) {
-            return;
-        }
-        var vmDef = optVmDef.get();
-
-        // Check if access is possible
-        if (event.loginUser()
-            ? !vmDef.conditionStatus("Booted").orElse(false)
-            : !vmDef.conditionStatus("Running").orElse(false)) {
-            return;
-        }
-
-        // Look for secret
-        ListOptions options = new ListOptions();
-        options.setLabelSelector("app.kubernetes.io/name=" + APP_NAME + ","
-            + "app.kubernetes.io/component=" + COMP_DISPLAY_SECRET + ","
-            + "app.kubernetes.io/instance=" + vmDef.name());
-        var stubs = K8sV1SecretStub.list(client(), vmDef.namespace(), options);
-        if (stubs.isEmpty()) {
-            // No secret means no password for this VM wanted
-            event.setResult(null);
-            return;
-        }
-        var stub = stubs.iterator().next();
-
-        // Check validity
-        var secret = stub.model().get();
-        @SuppressWarnings("PMD.StringInstantiation")
-        var expiry = Optional.ofNullable(secret.getData()
-            .get(DATA_PASSWORD_EXPIRY)).map(b -> new String(b)).orElse(null);
-        if (secret.getData().get(DATA_DISPLAY_PASSWORD) != null
-            && stillValid(expiry)) {
-            // Fixed secret, don't touch
-            event.setResult(
-                new String(secret.getData().get(DATA_DISPLAY_PASSWORD)));
-            return;
-        }
-        updatePassword(stub, event);
-    }
-
-    @SuppressWarnings("PMD.StringInstantiation")
-    private void updatePassword(K8sV1SecretStub stub, PrepareConsole event)
-            throws ApiException {
-        SecureRandom random = null;
-        try {
-            random = SecureRandom.getInstanceStrong();
-        } catch (NoSuchAlgorithmException e) { // NOPMD
-            // "Every implementation of the Java platform is required
-            // to support at least one strong SecureRandom implementation."
-        }
-        byte[] bytes = new byte[16];
-        random.nextBytes(bytes);
-        var password = Base64.encode(bytes);
-        var model = stub.model().get();
-        model.setStringData(Map.of(DATA_DISPLAY_PASSWORD, password,
-            DATA_PASSWORD_EXPIRY,
-            Long.toString(Instant.now().getEpochSecond() + passwordValidity)));
-        event.setResult(password);
-
-        // Prepare wait for confirmation (by VM status change)
-        var pending = new PendingGet(event,
-            event.vmDefinition().displayPasswordSerial().orElse(0L) + 1,
-            new CompletionLock(event, 1500));
-        pendingPrepares.add(pending);
-        Event.onCompletion(event, e -> {
-            pendingPrepares.remove(pending);
-        });
-
-        // Update, will (eventually) trigger confirmation
-        stub.update(model).getObject();
-    }
-
-    private boolean stillValid(String expiry) {
-        if (expiry == null || "never".equals(expiry)) {
-            return true;
-        }
-        @SuppressWarnings({ "PMD.CloseResource", "resource" })
-        var scanner = new Scanner(expiry);
-        if (!scanner.hasNextLong()) {
-            return false;
-        }
-        long expTime = scanner.nextLong();
-        return expTime > Instant.now().getEpochSecond() + passwordValidity;
-    }
-
-    /**
-     * On vm def changed.
-     *
-     * @param event the event
-     * @param channel the channel
-     */
-    @Handler
-    @SuppressWarnings("PMD.AvoidSynchronizedStatement")
-    public void onVmDefChanged(VmDefChanged event, Channel channel) {
-        synchronized (pendingPrepares) {
-            String vmName = event.vmDefinition().name();
-            for (var pending : pendingPrepares) {
-                if (pending.event.vmDefinition().name().equals(vmName)
-                    && event.vmDefinition().displayPasswordSerial()
-                        .map(s -> s >= pending.expectedSerial).orElse(false)) {
-                    pending.lock.remove();
-                    // pending will be removed from pendingGest by
-                    // waiting thread, see updatePassword
-                    continue;
-                }
-            }
-        }
-    }
-
-    /**
-     * The Class PendingGet.
-     */
-    @SuppressWarnings("PMD.DataClass")
-    private static class PendingGet {
-        public final PrepareConsole event;
-        public final long expectedSerial;
-        public final CompletionLock lock;
-
-        /**
-         * Instantiates a new pending get.
-         *
-         * @param event the event
-         * @param expectedSerial the expected serial
-         */
-        public PendingGet(PrepareConsole event, long expectedSerial,
-                CompletionLock lock) {
-            super();
-            this.event = event;
-            this.expectedSerial = expectedSerial;
-            this.lock = lock;
-        }
-    }
 }
diff --git a/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/DisplaySecretReconciler.java b/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/DisplaySecretReconciler.java
index dcae3a3..a281b8e 100644
--- a/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/DisplaySecretReconciler.java
+++ b/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/DisplaySecretReconciler.java
@@ -1,6 +1,6 @@
 /*
  * VM-Operator
- * Copyright (C) 2023 Michael N. Lipp
+ * Copyright (C) 2025 Michael N. Lipp
  * 
  * This program is free software: you can redistribute it and/or modify
  * it under the terms of the GNU Affero General Public License as
@@ -18,7 +18,9 @@
 
 package org.jdrupes.vmoperator.manager;
 
+import com.google.gson.JsonObject;
 import freemarker.template.TemplateException;
+import io.kubernetes.client.apimachinery.GroupVersionKind;
 import io.kubernetes.client.openapi.ApiException;
 import io.kubernetes.client.openapi.models.V1ObjectMeta;
 import io.kubernetes.client.openapi.models.V1Secret;
@@ -26,25 +28,83 @@ import io.kubernetes.client.util.generic.options.ListOptions;
 import java.io.IOException;
 import java.security.NoSuchAlgorithmException;
 import java.security.SecureRandom;
+import java.time.Instant;
+import java.util.Collections;
+import java.util.LinkedList;
+import java.util.List;
 import java.util.Map;
+import java.util.Optional;
+import java.util.Scanner;
 import java.util.logging.Logger;
+import static org.jdrupes.vmoperator.common.Constants.APP_NAME;
+import static org.jdrupes.vmoperator.common.Constants.VM_OP_GROUP;
+import static org.jdrupes.vmoperator.common.Constants.VM_OP_KIND_VM;
 import org.jdrupes.vmoperator.common.K8sV1SecretStub;
-import static org.jdrupes.vmoperator.manager.Constants.APP_NAME;
+import org.jdrupes.vmoperator.common.VmDefinitionStub;
 import static org.jdrupes.vmoperator.manager.Constants.COMP_DISPLAY_SECRET;
 import static org.jdrupes.vmoperator.manager.Constants.DATA_DISPLAY_PASSWORD;
 import static org.jdrupes.vmoperator.manager.Constants.DATA_PASSWORD_EXPIRY;
+import org.jdrupes.vmoperator.manager.events.PrepareConsole;
 import org.jdrupes.vmoperator.manager.events.VmChannel;
 import org.jdrupes.vmoperator.manager.events.VmDefChanged;
 import org.jdrupes.vmoperator.util.DataPath;
+import org.jgrapes.core.Channel;
+import org.jgrapes.core.CompletionLock;
+import org.jgrapes.core.Component;
+import org.jgrapes.core.Event;
+import org.jgrapes.core.annotation.Handler;
+import org.jgrapes.util.events.ConfigurationUpdate;
 import org.jose4j.base64url.Base64;
 
 /**
- * Delegee for reconciling the display secret
+ * The properties of the display secret do not only depend on the
+ * VM definition, but also on events that occur during runtime.
+ * The reconciler for the display secret is therefore a separate
+ * component.
+ * 
+ * The reconciler supports the following configuration properties:
+ * 
+ *   * `passwordValidity`: the validity of the random password in seconds.
+ *     Used to calculate the password expiry time in the generated secret.
  */
 @SuppressWarnings({ "PMD.DataflowAnomalyAnalysis", "PMD.TooManyStaticImports" })
-/* default */ class DisplaySecretReconciler {
+public class DisplaySecretReconciler extends Component {
 
     protected final Logger logger = Logger.getLogger(getClass().getName());
+    private int passwordValidity = 10;
+    private final List<PendingGet> pendingPrepares
+        = Collections.synchronizedList(new LinkedList<>());
+
+    /**
+     * On configuration update.
+     *
+     * @param event the event
+     */
+    @Handler
+    public void onConfigurationUpdate(ConfigurationUpdate event) {
+        event.structured(componentPath())
+            // for backward compatibility
+            .or(() -> {
+                var oldConfig = event
+                    .structured("/Manager/Controller/DisplaySecretMonitor");
+                if (oldConfig.isPresent()) {
+                    logger.warning(() -> "Using configuration with old "
+                        + "path '/Manager/Controller/DisplaySecretMonitor' "
+                        + "for `passwordValidity`, please update "
+                        + "the configuration.");
+                }
+                return oldConfig;
+            }).ifPresent(c -> {
+                try {
+                    if (c.containsKey("passwordValidity")) {
+                        passwordValidity = Integer
+                            .parseInt((String) c.get("passwordValidity"));
+                    }
+                } catch (ClassCastException e) {
+                    logger.config("Malformed configuration: " + e.getMessage());
+                }
+            });
+    }
 
     /**
      * Reconcile. If the configuration prevents generating a secret
@@ -104,4 +164,160 @@ import org.jose4j.base64url.Base64;
         K8sV1SecretStub.create(channel.client(), secret);
     }
 
+    /**
+     * Prepares access to the console for the user from the event.
+     * Generates a new password and sends it to the runner.
+     * Requests the VM (via the runner) to login the user if specified
+     * in the event.
+     *
+     * @param event the event
+     * @param channel the channel
+     * @throws ApiException the api exception
+     */
+    @Handler
+    @SuppressWarnings("PMD.StringInstantiation")
+    public void onPrepareConsole(PrepareConsole event, VmChannel channel)
+            throws ApiException {
+        // Update console user in status
+        var vmStub = VmDefinitionStub.get(channel.client(),
+            new GroupVersionKind(VM_OP_GROUP, "", VM_OP_KIND_VM),
+            event.vmDefinition().namespace(), event.vmDefinition().name());
+        var optVmDef = vmStub.updateStatus(from -> {
+            JsonObject status = from.statusJson();
+            status.addProperty("consoleUser", event.user());
+            return status;
+        });
+        if (optVmDef.isEmpty()) {
+            return;
+        }
+        var vmDef = optVmDef.get();
+
+        // Check if access is possible
+        if (event.loginUser()
+            ? !vmDef.conditionStatus("Booted").orElse(false)
+            : !vmDef.conditionStatus("Running").orElse(false)) {
+            return;
+        }
+
+        // Look for secret
+        ListOptions options = new ListOptions();
+        options.setLabelSelector("app.kubernetes.io/name=" + APP_NAME + ","
+            + "app.kubernetes.io/component=" + COMP_DISPLAY_SECRET + ","
+            + "app.kubernetes.io/instance=" + vmDef.name());
+        var stubs = K8sV1SecretStub.list(channel.client(), vmDef.namespace(),
+            options);
+        if (stubs.isEmpty()) {
+            // No secret means no password for this VM wanted
+            event.setResult(null);
+            return;
+        }
+        var stub = stubs.iterator().next();
+
+        // Check validity
+        var secret = stub.model().get();
+        @SuppressWarnings("PMD.StringInstantiation")
+        var expiry = Optional.ofNullable(secret.getData()
+            .get(DATA_PASSWORD_EXPIRY)).map(b -> new String(b)).orElse(null);
+        if (secret.getData().get(DATA_DISPLAY_PASSWORD) != null
+            && stillValid(expiry)) {
+            // Fixed secret, don't touch
+            event.setResult(
+                new String(secret.getData().get(DATA_DISPLAY_PASSWORD)));
+            return;
+        }
+        updatePassword(stub, event);
+    }
+
+    @SuppressWarnings("PMD.StringInstantiation")
+    private void updatePassword(K8sV1SecretStub stub, PrepareConsole event)
+            throws ApiException {
+        SecureRandom random = null;
+        try {
+            random = SecureRandom.getInstanceStrong();
+        } catch (NoSuchAlgorithmException e) { // NOPMD
+            // "Every implementation of the Java platform is required
+            // to support at least one strong SecureRandom implementation."
+        }
+        byte[] bytes = new byte[16];
+        random.nextBytes(bytes);
+        var password = Base64.encode(bytes);
+        var model = stub.model().get();
+        model.setStringData(Map.of(DATA_DISPLAY_PASSWORD, password,
+            DATA_PASSWORD_EXPIRY,
+            Long.toString(Instant.now().getEpochSecond() + passwordValidity)));
+        event.setResult(password);
+
+        // Prepare wait for confirmation (by VM status change)
+        var pending = new PendingGet(event,
+            event.vmDefinition().displayPasswordSerial().orElse(0L) + 1,
+            new CompletionLock(event, 1500));
+        pendingPrepares.add(pending);
+        Event.onCompletion(event, e -> {
+            pendingPrepares.remove(pending);
+        });
+
+        // Update, will (eventually) trigger confirmation
+        stub.update(model).getObject();
+    }
+
+    private boolean stillValid(String expiry) {
+        if (expiry == null || "never".equals(expiry)) {
+            return true;
+        }
+        @SuppressWarnings({ "PMD.CloseResource", "resource" })
+        var scanner = new Scanner(expiry);
+        if (!scanner.hasNextLong()) {
+            return false;
+        }
+        long expTime = scanner.nextLong();
+        return expTime > Instant.now().getEpochSecond() + passwordValidity;
+    }
+
+    /**
+     * On vm def changed.
+     *
+     * @param event the event
+     * @param channel the channel
+     */
+    @Handler
+    @SuppressWarnings("PMD.AvoidSynchronizedStatement")
+    public void onVmDefChanged(VmDefChanged event, Channel channel) {
+        synchronized (pendingPrepares) {
+            String vmName = event.vmDefinition().name();
+            for (var pending : pendingPrepares) {
+                if (pending.event.vmDefinition().name().equals(vmName)
+                    && event.vmDefinition().displayPasswordSerial()
+                        .map(s -> s >= pending.expectedSerial).orElse(false)) {
+                    pending.lock.remove();
+                    // pending will be removed from pendingGest by
+                    // waiting thread, see updatePassword
+                    continue;
+                }
+            }
+        }
+    }
+
+    /**
+     * The Class PendingGet.
+     */
+    @SuppressWarnings("PMD.DataClass")
+    private static class PendingGet {
+        public final PrepareConsole event;
+        public final long expectedSerial;
+        public final CompletionLock lock;
+
+        /**
+         * Instantiates a new pending get.
+         *
+         * @param event the event
+         * @param expectedSerial the expected serial
+         */
+        public PendingGet(PrepareConsole event, long expectedSerial,
+                CompletionLock lock) {
+            super();
+            this.event = event;
+            this.expectedSerial = expectedSerial;
+            this.lock = lock;
+        }
+    }
 }
diff --git a/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/Reconciler.java b/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/Reconciler.java
index 7dbb410..7969d46 100644
--- a/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/Reconciler.java
+++ b/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/Reconciler.java
@@ -138,6 +138,8 @@ import org.jgrapes.util.events.ConfigurationUpdate;
  *   properties to be used by the runners managed by the controller.
  *   This property is a string that holds the content of
  *   a logging.properties file.
+ *   
+ * @see org.jdrupes.vmoperator.manager.DisplaySecretReconciler
  */
 @SuppressWarnings({ "PMD.DataflowAnomalyAnalysis",
     "PMD.AvoidDuplicateLiterals" })
@@ -163,6 +165,7 @@ public class Reconciler extends Component {
      *
      * @param componentChannel the component channel
      */
+    @SuppressWarnings("PMD.ConstructorCallsOverridableMethod")
     public Reconciler(Channel componentChannel) {
         super(componentChannel);
 
@@ -177,7 +180,7 @@ public class Reconciler extends Component {
         fmConfig.setClassForTemplateLoading(Reconciler.class, "");
 
         cmReconciler = new ConfigMapReconciler(fmConfig);
-        dsReconciler = new DisplaySecretReconciler();
+        dsReconciler = attach(new DisplaySecretReconciler());
         stsReconciler = new StatefulSetReconciler(fmConfig);
         pvcReconciler = new PvcReconciler(fmConfig);
         podReconciler = new PodReconciler(fmConfig);
diff --git a/webpages/vm-operator/upgrading.md b/webpages/vm-operator/upgrading.md
index 77cacad..2c4253e 100644
--- a/webpages/vm-operator/upgrading.md
+++ b/webpages/vm-operator/upgrading.md
@@ -7,16 +7,24 @@ layout: vm-operator
 
 ## To version 4.0.0
 
-The VmViewer conlet has been renamed to VmAccess. This affects the
-[configuration](https://jdrupes.org/vm-operator/user-gui.html). Configuration information using the old path
-"/Manager/GuiHttpServer/ConsoleWeblet/WebConsole/ComponentCollector/VmViewer"
-is still accepted for backward compatibility, but should be updated.
+ * The VmViewer conlet has been renamed to VmAccess. This affects the
+   [configuration](https://jdrupes.org/vm-operator/user-gui.html). Configuration
+   information using the old path
+   `/Manager/GuiHttpServer/ConsoleWeblet/WebConsole/ComponentCollector/VmViewer`
+   is still accepted for backward compatibility until the next major version,
+   but should be updated.
 
-The change of name also causes conlets added to the overview page by
-users to "disappear" from the GUI. They have to be re-added.
+   The change of name also causes conlets added to the overview page by
+   users to "disappear" from the GUI. They have to be re-added.
 
-The latter behavior also applies to the VmConlet conlet which has been
-renamed to VmMgmt.
+   The latter behavior also applies to the VmConlet conlet which has been
+   renamed to VmMgmt.
+   
+ * The configuration property `passwordValidity` has been moved from component
+   `/Manager/Controller/DisplaySecretMonitor` to
+   `/Manager/Controller/Reconciler/DisplaySecretReconciler`. The old path is 
+   still accepted for backward compatibility until the next major version,
+   but should be updated.
 
 ## To version 3.4.0
 
diff --git a/webpages/vm-operator/user-gui.md b/webpages/vm-operator/user-gui.md
index 0439db2..bc0b93e 100644
--- a/webpages/vm-operator/user-gui.md
+++ b/webpages/vm-operator/user-gui.md
@@ -127,16 +127,20 @@ of 16 (strong) random bytes (128 random bits). It is valid for
 10 seconds only. This may be challenging on a slower computer
 or if users may not enable automatic open for connection files
 in the browser. The validity can therefore be adjusted in the
-configuration.
+configuration.[^oldPath]
 
 ```yaml
 "/Manager":
   "/Controller":
-    "/DisplaySecretMonitor":
-      # Validity of generated password in seconds
-      passwordValidity: 10
+    "/Reconciler":
+      "/DisplaySecretReconciler":
+        # Validity of generated password in seconds
+        passwordValidity: 10
 ```
 
+[^oldPath]: Before version 4.0, the path for `passwordValidity` was
+  `/Manager/Controller/DisplaySecretMonitor`.
+
 Taking into account that the controller generates a display
 secret automatically by default, this approach to securing
 console access should be sufficient in all cases. (Any feedback

From 0828d0383520b88a019a433e813010e2bee4fc46 Mon Sep 17 00:00:00 2001
From: "Michael N. Lipp" <mnl@mnl.de>
Date: Sat, 22 Feb 2025 21:27:39 +0100
Subject: [PATCH 116/274] Javadoc fixes.

---
 .../org/jdrupes/vmoperator/runner/qemu/GuestAgentClient.java  | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

diff --git a/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/GuestAgentClient.java b/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/GuestAgentClient.java
index afe3d26..fba975e 100644
--- a/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/GuestAgentClient.java
+++ b/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/GuestAgentClient.java
@@ -77,7 +77,6 @@ public class GuestAgentClient extends Component {
      * Instantiates a new guest agent client.
      *
      * @param componentChannel the component channel
-     * @param guestAgentCmds 
      * @throws IOException Signals that an I/O exception has occurred.
      */
     @SuppressWarnings({ "PMD.AssignmentToNonFinalStatic",
@@ -93,8 +92,7 @@ public class GuestAgentClient extends Component {
      * forwarded from the {@link Runner} instead.
      *
      * @param socketPath the socket path
-     * @param guestAgentCmds 
-     * @param powerdownTimeout 
+     * @param guestAgentCmds the guest agent cmds
      */
     @SuppressWarnings("PMD.EmptyCatchBlock")
     /* default */ void configure(Path socketPath, ArrayNode guestAgentCmds) {

From 3012da3e876e1156db5f854a21ac4ebce8d00f8c Mon Sep 17 00:00:00 2001
From: "Michael N. Lipp" <mnl@mnl.de>
Date: Sun, 23 Feb 2025 11:14:46 +0100
Subject: [PATCH 117/274] Add login information to display secret.

---
 .../jdrupes/vmoperator/manager/Constants.java |  7 ++
 .../manager/DisplaySecretReconciler.java      | 96 ++++++++++++-------
 .../vmoperator/manager/Reconciler.java        |  2 +-
 3 files changed, 72 insertions(+), 33 deletions(-)

diff --git a/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/Constants.java b/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/Constants.java
index 7de839b..f12b512 100644
--- a/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/Constants.java
+++ b/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/Constants.java
@@ -18,6 +18,7 @@
 
 package org.jdrupes.vmoperator.manager;
 
+// TODO: Auto-generated Javadoc
 /**
  * Some constants.
  */
@@ -33,6 +34,12 @@ public class Constants extends org.jdrupes.vmoperator.common.Constants {
     /** The Constant DATA_PASSWORD_EXPIRY. */
     public static final String DATA_PASSWORD_EXPIRY = "password-expiry";
 
+    /** The Constant DATA_DISPLAY_USER. */
+    public static final String DATA_DISPLAY_USER = "display-user";
+
+    /** The Constant DATA_DISPLAY_LOGIN. */
+    public static final String DATA_DISPLAY_LOGIN = "login-user";
+
     /** The Constant STATE_RUNNING. */
     public static final String STATE_RUNNING = "Running";
 
diff --git a/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/DisplaySecretReconciler.java b/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/DisplaySecretReconciler.java
index a281b8e..66bb021 100644
--- a/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/DisplaySecretReconciler.java
+++ b/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/DisplaySecretReconciler.java
@@ -26,6 +26,7 @@ import io.kubernetes.client.openapi.models.V1ObjectMeta;
 import io.kubernetes.client.openapi.models.V1Secret;
 import io.kubernetes.client.util.generic.options.ListOptions;
 import java.io.IOException;
+import static java.nio.charset.StandardCharsets.UTF_8;
 import java.security.NoSuchAlgorithmException;
 import java.security.SecureRandom;
 import java.time.Instant;
@@ -33,16 +34,19 @@ import java.util.Collections;
 import java.util.LinkedList;
 import java.util.List;
 import java.util.Map;
+import java.util.Objects;
 import java.util.Optional;
 import java.util.Scanner;
 import java.util.logging.Logger;
 import static org.jdrupes.vmoperator.common.Constants.APP_NAME;
+import static org.jdrupes.vmoperator.common.Constants.COMP_DISPLAY_SECRET;
 import static org.jdrupes.vmoperator.common.Constants.VM_OP_GROUP;
 import static org.jdrupes.vmoperator.common.Constants.VM_OP_KIND_VM;
 import org.jdrupes.vmoperator.common.K8sV1SecretStub;
 import org.jdrupes.vmoperator.common.VmDefinitionStub;
-import static org.jdrupes.vmoperator.manager.Constants.COMP_DISPLAY_SECRET;
+import static org.jdrupes.vmoperator.manager.Constants.DATA_DISPLAY_LOGIN;
 import static org.jdrupes.vmoperator.manager.Constants.DATA_DISPLAY_PASSWORD;
+import static org.jdrupes.vmoperator.manager.Constants.DATA_DISPLAY_USER;
 import static org.jdrupes.vmoperator.manager.Constants.DATA_PASSWORD_EXPIRY;
 import org.jdrupes.vmoperator.manager.events.PrepareConsole;
 import org.jdrupes.vmoperator.manager.events.VmChannel;
@@ -75,6 +79,15 @@ public class DisplaySecretReconciler extends Component {
     private final List<PendingGet> pendingPrepares
         = Collections.synchronizedList(new LinkedList<>());
 
+    /**
+     * Instantiates a new display secret reconciler.
+     *
+     * @param componentChannel the component channel
+     */
+    public DisplaySecretReconciler(Channel componentChannel) {
+        super(componentChannel);
+    }
+
     /**
      * On configuration update.
      *
@@ -213,39 +226,13 @@ public class DisplaySecretReconciler extends Component {
         }
         var stub = stubs.iterator().next();
 
-        // Check validity
+        // Get secret and update
         var secret = stub.model().get();
-        @SuppressWarnings("PMD.StringInstantiation")
-        var expiry = Optional.ofNullable(secret.getData()
-            .get(DATA_PASSWORD_EXPIRY)).map(b -> new String(b)).orElse(null);
-        if (secret.getData().get(DATA_DISPLAY_PASSWORD) != null
-            && stillValid(expiry)) {
-            // Fixed secret, don't touch
-            event.setResult(
-                new String(secret.getData().get(DATA_DISPLAY_PASSWORD)));
+        var updPw = updatePassword(secret, event);
+        var updUsr = updateUser(secret, event);
+        if (!updPw && !updUsr) {
             return;
         }
-        updatePassword(stub, event);
-    }
-
-    @SuppressWarnings("PMD.StringInstantiation")
-    private void updatePassword(K8sV1SecretStub stub, PrepareConsole event)
-            throws ApiException {
-        SecureRandom random = null;
-        try {
-            random = SecureRandom.getInstanceStrong();
-        } catch (NoSuchAlgorithmException e) { // NOPMD
-            // "Every implementation of the Java platform is required
-            // to support at least one strong SecureRandom implementation."
-        }
-        byte[] bytes = new byte[16];
-        random.nextBytes(bytes);
-        var password = Base64.encode(bytes);
-        var model = stub.model().get();
-        model.setStringData(Map.of(DATA_DISPLAY_PASSWORD, password,
-            DATA_PASSWORD_EXPIRY,
-            Long.toString(Instant.now().getEpochSecond() + passwordValidity)));
-        event.setResult(password);
 
         // Prepare wait for confirmation (by VM status change)
         var pending = new PendingGet(event,
@@ -257,7 +244,52 @@ public class DisplaySecretReconciler extends Component {
         });
 
         // Update, will (eventually) trigger confirmation
-        stub.update(model).getObject();
+        stub.update(secret).getObject();
+    }
+
+    private boolean updateUser(V1Secret secret, PrepareConsole event) {
+        var curUser = DataPath.<byte[]> get(secret, "data", DATA_DISPLAY_USER)
+            .map(b -> new String(b, UTF_8)).orElse(null);
+        var curLogin = DataPath.<byte[]> get(secret, "data", DATA_DISPLAY_LOGIN)
+            .map(b -> new String(b, UTF_8)).map(Boolean::parseBoolean)
+            .orElse(null);
+        if (Objects.equals(curUser, event.user()) && Objects.equals(
+            curLogin, event.loginUser())) {
+            return false;
+        }
+        secret.getData().put(DATA_DISPLAY_USER, event.user().getBytes(UTF_8));
+        secret.getData().put(DATA_DISPLAY_LOGIN,
+            Boolean.toString(event.loginUser()).getBytes(UTF_8));
+        return true;
+    }
+
+    private boolean updatePassword(V1Secret secret, PrepareConsole event) {
+        var expiry = Optional.ofNullable(secret.getData()
+            .get(DATA_PASSWORD_EXPIRY)).map(b -> new String(b)).orElse(null);
+        if (secret.getData().get(DATA_DISPLAY_PASSWORD) != null
+            && stillValid(expiry)) {
+            // Fixed secret, don't touch
+            event.setResult(
+                new String(secret.getData().get(DATA_DISPLAY_PASSWORD)));
+            return false;
+        }
+
+        // Generate password and set expiry
+        SecureRandom random = null;
+        try {
+            random = SecureRandom.getInstanceStrong();
+        } catch (NoSuchAlgorithmException e) { // NOPMD
+            // "Every implementation of the Java platform is required
+            // to support at least one strong SecureRandom implementation."
+        }
+        byte[] bytes = new byte[16];
+        random.nextBytes(bytes);
+        var password = Base64.encode(bytes);
+        secret.setStringData(Map.of(DATA_DISPLAY_PASSWORD, password,
+            DATA_PASSWORD_EXPIRY,
+            Long.toString(Instant.now().getEpochSecond() + passwordValidity)));
+        event.setResult(password);
+        return true;
     }
 
     private boolean stillValid(String expiry) {
diff --git a/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/Reconciler.java b/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/Reconciler.java
index 7969d46..8011e2c 100644
--- a/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/Reconciler.java
+++ b/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/Reconciler.java
@@ -180,7 +180,7 @@ public class Reconciler extends Component {
         fmConfig.setClassForTemplateLoading(Reconciler.class, "");
 
         cmReconciler = new ConfigMapReconciler(fmConfig);
-        dsReconciler = attach(new DisplaySecretReconciler());
+        dsReconciler = attach(new DisplaySecretReconciler(componentChannel));
         stsReconciler = new StatefulSetReconciler(fmConfig);
         pvcReconciler = new PvcReconciler(fmConfig);
         podReconciler = new PodReconciler(fmConfig);

From 5b8b47f95cb80bc469db18b2be7f166bfc95a5b8 Mon Sep 17 00:00:00 2001
From: "Michael N. Lipp" <mnl@mnl.de>
Date: Sun, 23 Feb 2025 11:47:13 +0100
Subject: [PATCH 118/274] Add some metadata to make bing happy.

---
 dev-example/test-vm.tpl.yaml       | 2 +-
 webpages/vm-operator/admin-gui.md  | 4 ++++
 webpages/vm-operator/controller.md | 3 +++
 webpages/vm-operator/index.md      | 7 +++++--
 webpages/vm-operator/manager.md    | 3 +++
 webpages/vm-operator/runner.md     | 4 ++++
 webpages/vm-operator/upgrading.md  | 2 ++
 webpages/vm-operator/user-gui.md   | 4 ++++
 8 files changed, 26 insertions(+), 3 deletions(-)

diff --git a/dev-example/test-vm.tpl.yaml b/dev-example/test-vm.tpl.yaml
index 50031bb..260341e 100644
--- a/dev-example/test-vm.tpl.yaml
+++ b/dev-example/test-vm.tpl.yaml
@@ -14,7 +14,7 @@ spec:
 #    repository: ghcr.io
 #    path: mnlipp/org.jdrupes.vmoperator.runner.qemu-alpine
 #    version: "3.0.0"
-    source: registry.mnl.de/org/jdrupes/vm-operator/org.jdrupes.vmoperator.runner.qemu-arch:testing
+    source: registry.mnl.de/org/jdrupes/vm-operator/org.jdrupes.vmoperator.runner.qemu-arch:feature-auto-login
     pullPolicy: Always
 
   permissions:
diff --git a/webpages/vm-operator/admin-gui.md b/webpages/vm-operator/admin-gui.md
index 4bfa3d3..4b7f5b2 100644
--- a/webpages/vm-operator/admin-gui.md
+++ b/webpages/vm-operator/admin-gui.md
@@ -1,5 +1,9 @@
 ---
 title: "VM-Operator: Administrator View — Provides an overview of running VMs"
+description: >-
+  Information about the administrator view of the VM-Operator, which provides
+  an overview of the defined VMs, their state and resource consumptions and
+  actions for starting, stopping and accessing the VMs.
 layout: vm-operator
 ---
 
diff --git a/webpages/vm-operator/controller.md b/webpages/vm-operator/controller.md
index cc6a274..e20263f 100644
--- a/webpages/vm-operator/controller.md
+++ b/webpages/vm-operator/controller.md
@@ -1,5 +1,8 @@
 ---
 title: "VM-Operator: Controller — Reconciles the VM CRs"
+description: >-
+  Information about the VM Operator's controller component its
+  configuration options and the CRD used to define VMs.
 layout: vm-operator
 ---
 
diff --git a/webpages/vm-operator/index.md b/webpages/vm-operator/index.md
index baf8e20..5cd2d58 100644
--- a/webpages/vm-operator/index.md
+++ b/webpages/vm-operator/index.md
@@ -1,6 +1,9 @@
 ---
-title: Run VMs on Kubernetes using Qemu/KVM and SPICE
-description: A solution for running VMs on Kubernetes with a web interface for admins and users. Focuses on running Qemu/KVM virtual machines and using SPICE as display protocol.
+title: "Run VMs on Kubernetes using QEMU/KVM and SPICE"
+description: >-
+  A solution for running VMs on Kubernetes with a web interface for
+  admins and users. Focuses on running QEMU/KVM virtual machines and
+  using SPICE as display protocol.
 layout: vm-operator
 ---
 
diff --git a/webpages/vm-operator/manager.md b/webpages/vm-operator/manager.md
index c1965f1..ee971c1 100644
--- a/webpages/vm-operator/manager.md
+++ b/webpages/vm-operator/manager.md
@@ -1,5 +1,8 @@
 ---
 title: "VM-Operator: The Manager — Provides the controller and a web user interface"
+description: >-
+  Information about the installation and configuration of the
+  VM Operator.
 layout: vm-operator
 ---
 
diff --git a/webpages/vm-operator/runner.md b/webpages/vm-operator/runner.md
index c72793d..a6a744d 100644
--- a/webpages/vm-operator/runner.md
+++ b/webpages/vm-operator/runner.md
@@ -1,5 +1,9 @@
 ---
 title: "VM-Operator: The Runner — Starts and monitors a VM"
+description: >-
+  Description of the VM Operator's runner component which starts
+  QEMU and thus the VM, optionally together with a TPM, in a
+  kubenernetes pod and monitors everything.
 layout: vm-operator
 ---
 
diff --git a/webpages/vm-operator/upgrading.md b/webpages/vm-operator/upgrading.md
index 77cacad..b987298 100644
--- a/webpages/vm-operator/upgrading.md
+++ b/webpages/vm-operator/upgrading.md
@@ -1,5 +1,7 @@
 ---
 title: "VM-Operator: Upgrading — Issues to watch out for"
+description: >-
+  Information about issues to watch out for when upgrading the VM-Operator.
 layout: vm-operator
 ---
 
diff --git a/webpages/vm-operator/user-gui.md b/webpages/vm-operator/user-gui.md
index 0439db2..0d16113 100644
--- a/webpages/vm-operator/user-gui.md
+++ b/webpages/vm-operator/user-gui.md
@@ -1,5 +1,9 @@
 ---
 title: "VM-Operator: User View — Allows users to manage their own VMs"
+description: >-
+  Information about the user view of the VM-Operator, which allows users
+  to access and optionally manage the VMs for which they have the
+  respective permissions.
 layout: vm-operator
 ---
 

From 558f4d96c9aee5186d85130d85345712cdaef5f1 Mon Sep 17 00:00:00 2001
From: "Michael N. Lipp" <mnl@mnl.de>
Date: Sun, 23 Feb 2025 12:00:27 +0100
Subject: [PATCH 119/274] Add pagefind.

---
 webpages/_layouts/vm-operator.html | 27 ++++++++++++++++++++++++---
 1 file changed, 24 insertions(+), 3 deletions(-)

diff --git a/webpages/_layouts/vm-operator.html b/webpages/_layouts/vm-operator.html
index 30e6407..e779711 100644
--- a/webpages/_layouts/vm-operator.html
+++ b/webpages/_layouts/vm-operator.html
@@ -1,5 +1,5 @@
 <!doctype html>
-<html>
+<html lang="en">
   <head>
     <meta charset="utf-8">
     <meta http-equiv="X-UA-Compatible" content="chrome=1">
@@ -11,10 +11,31 @@
     <!--[if lt IE 9]>
     <script src="//html5shiv.googlecode.com/svn/trunk/html5.js"></script>
     <![endif]-->
-    {% seo %}
+    <link href="../pagefind/pagefind-ui.css" rel="stylesheet">
+    <script src="../pagefind/pagefind-ui.js"></script>
+    <script>
+        window.addEventListener('DOMContentLoaded', (event) => {
+          new PagefindUI({ element: "#search", showSubResults: true,
+          // See https://github.com/CloudCannon/pagefind/issues/530
+          processResult: function (result) {
+              if (result?.meta?.image) {
+                  let resultBase = new URL(result.url, window.location);
+                  let remappedImage = new URL(result.meta.image, resultBase);
+                  if (remappedImage.hostname !== window.location.hostname) {
+                      result.meta.image = remappedImage.toString();
+                  } else {
+                      result.meta.image = remappedImage.pathname;
+                  }
+              }
+          }
+				 });
+        });
+    </script>
+   {% seo %}
   </head>
   <body>
     <div class="wrapper">
+      <div id="search"></div>
       <header>
         <div>
         <div style="float: left;">
@@ -68,4 +89,4 @@
     {% include matomo.html %}
 
   </body>
-</html>
+</html lang="en">

From f236b376ae27d4c6c8f8a40ad9d8681ef0730c90 Mon Sep 17 00:00:00 2001
From: "Michael N. Lipp" <mnl@mnl.de>
Date: Sun, 23 Feb 2025 12:05:55 +0100
Subject: [PATCH 120/274] Back to testing.

---
 dev-example/test-vm.tpl.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/dev-example/test-vm.tpl.yaml b/dev-example/test-vm.tpl.yaml
index 260341e..50031bb 100644
--- a/dev-example/test-vm.tpl.yaml
+++ b/dev-example/test-vm.tpl.yaml
@@ -14,7 +14,7 @@ spec:
 #    repository: ghcr.io
 #    path: mnlipp/org.jdrupes.vmoperator.runner.qemu-alpine
 #    version: "3.0.0"
-    source: registry.mnl.de/org/jdrupes/vm-operator/org.jdrupes.vmoperator.runner.qemu-arch:feature-auto-login
+    source: registry.mnl.de/org/jdrupes/vm-operator/org.jdrupes.vmoperator.runner.qemu-arch:testing
     pullPolicy: Always
 
   permissions:

From e3b5f5a04dcd92cfbf1b34af605cf6f77534c085 Mon Sep 17 00:00:00 2001
From: "Michael N. Lipp" <mnl@mnl.de>
Date: Mon, 24 Feb 2025 11:58:13 +0100
Subject: [PATCH 121/274] Refactor QEMU socket connection handling and start
 vmop agent.

---
 dev-example/test-vm.tpl.yaml                  |   2 +-
 .../runner/qemu/AgentConnector.java           |  86 +++++++
 .../vmoperator/runner/qemu/Configuration.java |   6 +-
 .../runner/qemu/GuestAgentClient.java         | 200 ++-------------
 .../vmoperator/runner/qemu/QemuConnector.java | 234 ++++++++++++++++++
 .../vmoperator/runner/qemu/QemuMonitor.java   | 134 ++--------
 .../vmoperator/runner/qemu/Runner.java        |  42 +++-
 .../runner/qemu/VmopAgentClient.java          |  48 ++++
 .../templates/Standard-VM-latest.ftl.yaml     |  11 +-
 webpages/vm-operator/upgrading.md             |   7 +
 10 files changed, 451 insertions(+), 319 deletions(-)
 create mode 100644 org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/AgentConnector.java
 create mode 100644 org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/QemuConnector.java
 create mode 100644 org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/VmopAgentClient.java

diff --git a/dev-example/test-vm.tpl.yaml b/dev-example/test-vm.tpl.yaml
index 50031bb..260341e 100644
--- a/dev-example/test-vm.tpl.yaml
+++ b/dev-example/test-vm.tpl.yaml
@@ -14,7 +14,7 @@ spec:
 #    repository: ghcr.io
 #    path: mnlipp/org.jdrupes.vmoperator.runner.qemu-alpine
 #    version: "3.0.0"
-    source: registry.mnl.de/org/jdrupes/vm-operator/org.jdrupes.vmoperator.runner.qemu-arch:testing
+    source: registry.mnl.de/org/jdrupes/vm-operator/org.jdrupes.vmoperator.runner.qemu-arch:feature-auto-login
     pullPolicy: Always
 
   permissions:
diff --git a/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/AgentConnector.java b/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/AgentConnector.java
new file mode 100644
index 0000000..40db84a
--- /dev/null
+++ b/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/AgentConnector.java
@@ -0,0 +1,86 @@
+/*
+ * VM-Operator
+ * Copyright (C) 2025 Michael N. Lipp
+ * 
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as
+ * published by the Free Software Foundation, either version 3 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program.  If not, see <https://www.gnu.org/licenses/>.
+ */
+
+package org.jdrupes.vmoperator.runner.qemu;
+
+import java.io.IOException;
+import java.nio.file.Path;
+import org.jdrupes.vmoperator.runner.qemu.events.VserportChangeEvent;
+import org.jgrapes.core.Channel;
+import org.jgrapes.core.annotation.Handler;
+import org.jgrapes.util.events.ConfigurationUpdate;
+
+/**
+ * A component that handles the communication with an agent
+ * running in the VM.
+ * 
+ * If the log level for this class is set to fine, the messages 
+ * exchanged on the socket are logged.
+ */
+public abstract class AgentConnector extends QemuConnector {
+
+    protected String channelId;
+
+    /**
+     * Instantiates a new agent connector.
+     *
+     * @param componentChannel the component channel
+     * @throws IOException Signals that an I/O exception has occurred.
+     */
+    public AgentConnector(Channel componentChannel) throws IOException {
+        super(componentChannel);
+    }
+
+    /**
+     * As the initial configuration of this component depends on the 
+     * configuration of the {@link Runner}, it doesn't have a handler 
+     * for the {@link ConfigurationUpdate} event. The values are 
+     * forwarded from the {@link Runner} instead.
+     *
+     * @param channelId the channel id
+     * @param socketPath the socket path
+     */
+    /* default */ void configure(String channelId, Path socketPath) {
+        super.configure(socketPath);
+        this.channelId = channelId;
+        logger.fine(() -> getClass().getSimpleName() + " configured with"
+            + " channelId=" + channelId);
+    }
+
+    /**
+     * When the virtual serial port with the configured channel id has
+     * been opened call {@link #agentConnected()}.
+     *
+     * @param event the event
+     */
+    @Handler
+    public void onVserportChanged(VserportChangeEvent event) {
+        if (event.id().equals(channelId) && event.isOpen()) {
+            agentConnected();
+        }
+    }
+
+    /**
+     * Called when the agent in the VM opens the connection. The
+     * default implementation does nothing.
+     */
+    @SuppressWarnings("PMD.EmptyMethodInAbstractClassShouldBeAbstract")
+    protected void agentConnected() {
+        // Default is to do nothing.
+    }
+}
diff --git a/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/Configuration.java b/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/Configuration.java
index 086f085..20d4c66 100644
--- a/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/Configuration.java
+++ b/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/Configuration.java
@@ -39,7 +39,7 @@ import org.jdrupes.vmoperator.util.FsdUtils;
 /**
  * The configuration information from the configuration file.
  */
-@SuppressWarnings("PMD.ExcessivePublicCount")
+@SuppressWarnings({ "PMD.ExcessivePublicCount", "PMD.TooManyFields" })
 public class Configuration implements Dto {
     private static final String CI_INSTANCE_ID = "instance-id";
 
@@ -67,9 +67,6 @@ public class Configuration implements Dto {
     /** The monitor socket. */
     public Path monitorSocket;
 
-    /** The guest agent socket socket. */
-    public Path guestAgentSocket;
-
     /** The firmware rom. */
     public Path firmwareRom;
 
@@ -344,7 +341,6 @@ public class Configuration implements Dto {
             runtimeDir.toFile().mkdir();
             swtpmSocket = runtimeDir.resolve("swtpm-sock");
             monitorSocket = runtimeDir.resolve("monitor.sock");
-            guestAgentSocket = runtimeDir.resolve("org.qemu.guest_agent.0");
         }
         if (!Files.isDirectory(runtimeDir) || !Files.isWritable(runtimeDir)) {
             logger.severe(() -> String.format(
diff --git a/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/GuestAgentClient.java b/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/GuestAgentClient.java
index fba975e..2e5e059 100644
--- a/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/GuestAgentClient.java
+++ b/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/GuestAgentClient.java
@@ -19,58 +19,26 @@
 package org.jdrupes.vmoperator.runner.qemu;
 
 import com.fasterxml.jackson.core.JsonProcessingException;
-import com.fasterxml.jackson.databind.ObjectMapper;
-import com.fasterxml.jackson.databind.node.ArrayNode;
 import com.fasterxml.jackson.databind.node.ObjectNode;
 import java.io.IOException;
-import java.io.Writer;
-import java.lang.reflect.UndeclaredThrowableException;
-import java.net.UnixDomainSocketAddress;
-import java.nio.file.Files;
-import java.nio.file.Path;
 import java.util.LinkedList;
-import java.util.List;
-import java.util.Map;
 import java.util.Queue;
 import java.util.logging.Level;
 import org.jdrupes.vmoperator.runner.qemu.commands.QmpCommand;
 import org.jdrupes.vmoperator.runner.qemu.commands.QmpGuestGetOsinfo;
 import org.jdrupes.vmoperator.runner.qemu.events.GuestAgentCommand;
 import org.jdrupes.vmoperator.runner.qemu.events.OsinfoEvent;
-import org.jdrupes.vmoperator.runner.qemu.events.VserportChangeEvent;
 import org.jgrapes.core.Channel;
-import org.jgrapes.core.Component;
-import org.jgrapes.core.EventPipeline;
 import org.jgrapes.core.annotation.Handler;
-import org.jgrapes.core.events.Start;
-import org.jgrapes.core.events.Stop;
-import org.jgrapes.io.events.Closed;
-import org.jgrapes.io.events.ConnectError;
-import org.jgrapes.io.events.Input;
-import org.jgrapes.io.events.OpenSocketConnection;
-import org.jgrapes.io.util.ByteBufferWriter;
-import org.jgrapes.io.util.LineCollector;
-import org.jgrapes.net.SocketIOChannel;
-import org.jgrapes.net.events.ClientConnected;
-import org.jgrapes.util.events.ConfigurationUpdate;
 
 /**
- * A component that handles the communication over the guest agent
- * socket.
+ * A component that handles the communication with the guest agent.
  * 
  * If the log level for this class is set to fine, the messages 
  * exchanged on the monitor socket are logged.
  */
-@SuppressWarnings("PMD.DataflowAnomalyAnalysis")
-public class GuestAgentClient extends Component {
+public class GuestAgentClient extends AgentConnector {
 
-    private static ObjectMapper mapper = new ObjectMapper();
-
-    private EventPipeline rep;
-    private Path socketPath;
-    private List<Map<String, String>> guestAgentCmds;
-    private String guestAgentCmd;
-    private SocketIOChannel gaChannel;
     private final Queue<QmpCommand> executing = new LinkedList<>();
 
     /**
@@ -79,135 +47,36 @@ public class GuestAgentClient extends Component {
      * @param componentChannel the component channel
      * @throws IOException Signals that an I/O exception has occurred.
      */
-    @SuppressWarnings({ "PMD.AssignmentToNonFinalStatic",
-        "PMD.ConstructorCallsOverridableMethod" })
     public GuestAgentClient(Channel componentChannel) throws IOException {
         super(componentChannel);
     }
 
     /**
-     * As the initial configuration of this component depends on the 
-     * configuration of the {@link Runner}, it doesn't have a handler 
-     * for the {@link ConfigurationUpdate} event. The values are 
-     * forwarded from the {@link Runner} instead.
-     *
-     * @param socketPath the socket path
-     * @param guestAgentCmds the guest agent cmds
+     * When the agent has connected, request the OS information.
      */
-    @SuppressWarnings("PMD.EmptyCatchBlock")
-    /* default */ void configure(Path socketPath, ArrayNode guestAgentCmds) {
-        this.socketPath = socketPath;
-        try {
-            this.guestAgentCmds = mapper.convertValue(guestAgentCmds,
-                mapper.constructType(getClass()
-                    .getDeclaredField("guestAgentCmds").getGenericType()));
-        } catch (IllegalArgumentException | NoSuchFieldException
-                | SecurityException e) {
-            // Cannot happen
-        }
+    @Override
+    protected void agentConnected() {
+        fire(new GuestAgentCommand(new QmpGuestGetOsinfo()));
     }
 
     /**
-     * Handle the start event.
+     * Process agent input.
      *
-     * @param event the event
+     * @param line the line
      * @throws IOException Signals that an I/O exception has occurred.
      */
-    @Handler
-    public void onStart(Start event) throws IOException {
-        rep = event.associated(EventPipeline.class).get();
-        if (socketPath == null) {
-            return;
-        }
-        Files.deleteIfExists(socketPath);
-    }
-
-    /**
-     * When the virtual serial port "channel0" has been opened,
-     * establish the connection by opening the socket.
-     *
-     * @param event the event
-     */
-    @Handler
-    public void onVserportChanged(VserportChangeEvent event) {
-        if ("channel0".equals(event.id()) && event.isOpen()) {
-            fire(new OpenSocketConnection(
-                UnixDomainSocketAddress.of(socketPath))
-                    .setAssociated(GuestAgentClient.class, this));
-        }
-    }
-
-    /**
-     * Check if this is from opening the monitor socket and if true,
-     * save the socket in the context and associate the channel with
-     * the context. Then send the initial message to the socket.
-     *
-     * @param event the event
-     * @param channel the channel
-     */
-    @SuppressWarnings("resource")
-    @Handler
-    public void onClientConnected(ClientConnected event,
-            SocketIOChannel channel) {
-        event.openEvent().associated(GuestAgentClient.class).ifPresent(qm -> {
-            gaChannel = channel;
-            channel.setAssociated(GuestAgentClient.class, this);
-            channel.setAssociated(Writer.class, new ByteBufferWriter(
-                channel).nativeCharset());
-            channel.setAssociated(LineCollector.class,
-                new LineCollector()
-                    .consumer(line -> {
-                        try {
-                            processGuestAgentInput(line);
-                        } catch (IOException e) {
-                            throw new UndeclaredThrowableException(e);
-                        }
-                    }));
-            fire(new GuestAgentCommand(new QmpGuestGetOsinfo()));
-        });
-    }
-
-    /**
-     * Called when a connection attempt fails.
-     *
-     * @param event the event
-     * @param channel the channel
-     */
-    @Handler
-    public void onConnectError(ConnectError event, SocketIOChannel channel) {
-        event.event().associated(GuestAgentClient.class).ifPresent(qm -> {
-            rep.fire(new Stop());
-        });
-    }
-
-    /**
-     * Handle data from qemu monitor connection.
-     *
-     * @param event the event
-     * @param channel the channel
-     */
-    @Handler
-    public void onInput(Input<?> event, SocketIOChannel channel) {
-        if (channel.associated(GuestAgentClient.class).isEmpty()) {
-            return;
-        }
-        channel.associated(LineCollector.class).ifPresent(collector -> {
-            collector.feed(event);
-        });
-    }
-
-    private void processGuestAgentInput(String line)
-            throws IOException {
+    @Override
+    protected void processInput(String line) throws IOException {
         logger.fine(() -> "guest agent(in): " + line);
         try {
             var response = mapper.readValue(line, ObjectNode.class);
             if (response.has("return") || response.has("error")) {
                 QmpCommand executed = executing.poll();
-                logger.fine(
-                    () -> String.format("(Previous \"guest agent(in)\" is "
-                        + "result from executing %s)", executed));
+                logger.fine(() -> String.format("(Previous \"guest agent(in)\""
+                    + " is result from executing %s)", executed));
                 if (executed instanceof QmpGuestGetOsinfo) {
-                    processOsInfo(response);
+                    var osInfo = new OsinfoEvent(response.get("return"));
+                    rep().fire(osInfo);
                 }
             }
         } catch (JsonProcessingException e) {
@@ -215,48 +84,17 @@ public class GuestAgentClient extends Component {
         }
     }
 
-    private void processOsInfo(ObjectNode response) {
-        var osInfo = new OsinfoEvent(response.get("return"));
-        var osId = osInfo.osinfo().get("id").asText();
-        for (var cmdDef : guestAgentCmds) {
-            if (osId.equals(cmdDef.get("osId"))
-                || "*".equals(cmdDef.get("osId"))) {
-                guestAgentCmd = cmdDef.get("executable");
-                break;
-            }
-        }
-        if (guestAgentCmd == null) {
-            logger.warning(() -> "No guest agent command for OS " + osId);
-        } else {
-            logger.fine(() -> "Guest agent command for OS " + osId
-                + " is " + guestAgentCmd);
-        }
-        rep.fire(osInfo);
-    }
-
-    /**
-     * On closed.
-     *
-     * @param event the event
-     */
-    @Handler
-    @SuppressWarnings({ "PMD.AvoidSynchronizedStatement",
-        "PMD.AvoidDuplicateLiterals" })
-    public void onClosed(Closed<?> event, SocketIOChannel channel) {
-        channel.associated(QemuMonitor.class).ifPresent(qm -> {
-            gaChannel = null;
-        });
-    }
-
     /**
      * On guest agent command.
      *
      * @param event the event
      */
     @Handler
-    @SuppressWarnings({ "PMD.AvoidLiteralsInIfCondition",
-        "PMD.AvoidSynchronizedStatement" })
+    @SuppressWarnings("PMD.AvoidSynchronizedStatement")
     public void onGuestAgentCommand(GuestAgentCommand event) {
+        if (qemuChannel() == null) {
+            return;
+        }
         var command = event.command();
         logger.fine(() -> "guest agent(out): " + command.toString());
         String asText;
@@ -268,7 +106,7 @@ public class GuestAgentClient extends Component {
             return;
         }
         synchronized (executing) {
-            gaChannel.associated(Writer.class).ifPresent(writer -> {
+            writer().ifPresent(writer -> {
                 try {
                     executing.add(command);
                     writer.append(asText).append('\n').flush();
diff --git a/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/QemuConnector.java b/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/QemuConnector.java
new file mode 100644
index 0000000..143cfc2
--- /dev/null
+++ b/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/QemuConnector.java
@@ -0,0 +1,234 @@
+/*
+ * VM-Operator
+ * Copyright (C) 2025 Michael N. Lipp
+ * 
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as
+ * published by the Free Software Foundation, either version 3 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program.  If not, see <https://www.gnu.org/licenses/>.
+ */
+
+package org.jdrupes.vmoperator.runner.qemu;
+
+import com.fasterxml.jackson.databind.ObjectMapper;
+import java.io.IOException;
+import java.io.Writer;
+import java.lang.reflect.UndeclaredThrowableException;
+import java.net.UnixDomainSocketAddress;
+import java.nio.file.Files;
+import java.nio.file.Path;
+import java.util.Optional;
+import org.jgrapes.core.Channel;
+import org.jgrapes.core.Component;
+import org.jgrapes.core.EventPipeline;
+import org.jgrapes.core.annotation.Handler;
+import org.jgrapes.core.events.Start;
+import org.jgrapes.core.events.Stop;
+import org.jgrapes.io.events.Closed;
+import org.jgrapes.io.events.ConnectError;
+import org.jgrapes.io.events.Input;
+import org.jgrapes.io.events.OpenSocketConnection;
+import org.jgrapes.io.util.ByteBufferWriter;
+import org.jgrapes.io.util.LineCollector;
+import org.jgrapes.net.SocketIOChannel;
+import org.jgrapes.net.events.ClientConnected;
+import org.jgrapes.util.events.ConfigurationUpdate;
+import org.jgrapes.util.events.FileChanged;
+import org.jgrapes.util.events.WatchFile;
+
+/**
+ * A component that handles the communication with QEMU over a socket.
+ * 
+ * If the log level for this class is set to fine, the messages 
+ * exchanged on the socket are logged.
+ */
+public abstract class QemuConnector extends Component {
+
+    @SuppressWarnings("PMD.FieldNamingConventions")
+    protected static final ObjectMapper mapper = new ObjectMapper();
+
+    private EventPipeline rep;
+    private Path socketPath;
+    private SocketIOChannel qemuChannel;
+
+    /**
+     * Instantiates a new QEMU connector.
+     *
+     * @param componentChannel the component channel
+     * @throws IOException Signals that an I/O exception has occurred.
+     */
+    public QemuConnector(Channel componentChannel) throws IOException {
+        super(componentChannel);
+    }
+
+    /**
+     * As the initial configuration of this component depends on the 
+     * configuration of the {@link Runner}, it doesn't have a handler 
+     * for the {@link ConfigurationUpdate} event. The values are 
+     * forwarded from the {@link Runner} instead.
+     *
+     * @param socketPath the socket path
+     */
+    /* default */ void configure(Path socketPath) {
+        this.socketPath = socketPath;
+        logger.fine(() -> getClass().getSimpleName()
+            + " configured with socketPath=" + socketPath);
+    }
+
+    /**
+     * Note the runner's event processor and delete the socket.
+     *
+     * @param event the event
+     * @throws IOException Signals that an I/O exception has occurred.
+     */
+    @Handler
+    public void onStart(Start event) throws IOException {
+        rep = event.associated(EventPipeline.class).get();
+        if (socketPath == null) {
+            return;
+        }
+        Files.deleteIfExists(socketPath);
+        fire(new WatchFile(socketPath));
+    }
+
+    /**
+     * Return the runner's event pipeline.
+     *
+     * @return the event pipeline
+     */
+    protected EventPipeline rep() {
+        return rep;
+    }
+
+    /**
+     * Watch for the creation of the swtpm socket and start the
+     * qemu process if it has been created.
+     *
+     * @param event the event
+     */
+    @Handler
+    public void onFileChanged(FileChanged event) {
+        if (event.change() == FileChanged.Kind.CREATED
+            && event.path().equals(socketPath)) {
+            // qemu running, open socket
+            fire(new OpenSocketConnection(
+                UnixDomainSocketAddress.of(socketPath))
+                    .setAssociated(getClass(), this));
+        }
+    }
+
+    /**
+     * Check if this is from opening the agent socket and if true,
+     * save the socket in the context and associate the channel with
+     * the context.
+     *
+     * @param event the event
+     * @param channel the channel
+     */
+    @SuppressWarnings("resource")
+    @Handler
+    public void onClientConnected(ClientConnected event,
+            SocketIOChannel channel) {
+        event.openEvent().associated(getClass()).ifPresent(qm -> {
+            qemuChannel = channel;
+            channel.setAssociated(getClass(), this);
+            channel.setAssociated(Writer.class, new ByteBufferWriter(
+                channel).nativeCharset());
+            channel.setAssociated(LineCollector.class,
+                new LineCollector()
+                    .consumer(line -> {
+                        try {
+                            processInput(line);
+                        } catch (IOException e) {
+                            throw new UndeclaredThrowableException(e);
+                        }
+                    }));
+            socketConnected();
+        });
+    }
+
+    /**
+     * Return the QEMU channel if the connection has been established.
+     *
+     * @return the socket IO channel
+     */
+    protected Optional<SocketIOChannel> qemuChannel() {
+        return Optional.ofNullable(qemuChannel);
+    }
+
+    /**
+     * Return the {@link Writer} for the connection if the connection
+     * has been established.
+     *
+     * @return the optional
+     */
+    protected Optional<Writer> writer() {
+        return qemuChannel().flatMap(c -> c.associated(Writer.class));
+    }
+
+    /**
+     * Called when the connector has been connected to the socket.
+     */
+    @SuppressWarnings("PMD.EmptyMethodInAbstractClassShouldBeAbstract")
+    protected void socketConnected() {
+        // Default is to do nothing.
+    }
+
+    /**
+     * Called when a connection attempt fails.
+     *
+     * @param event the event
+     * @param channel the channel
+     */
+    @Handler
+    public void onConnectError(ConnectError event, SocketIOChannel channel) {
+        event.event().associated(getClass()).ifPresent(qm -> {
+            rep.fire(new Stop());
+        });
+    }
+
+    /**
+     * Handle data from the socket connection.
+     *
+     * @param event the event
+     * @param channel the channel
+     */
+    @Handler
+    public void onInput(Input<?> event, SocketIOChannel channel) {
+        if (channel.associated(getClass()).isEmpty()) {
+            return;
+        }
+        channel.associated(LineCollector.class).ifPresent(collector -> {
+            collector.feed(event);
+        });
+    }
+
+    /**
+     * Process agent input.
+     *
+     * @param line the line
+     * @throws IOException Signals that an I/O exception has occurred.
+     */
+    protected abstract void processInput(String line) throws IOException;
+
+    /**
+     * On closed.
+     *
+     * @param event the event
+     * @param channel the channel
+     */
+    @Handler
+    public void onClosed(Closed<?> event, SocketIOChannel channel) {
+        channel.associated(getClass()).ifPresent(qm -> {
+            qemuChannel = null;
+        });
+    }
+}
diff --git a/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/QemuMonitor.java b/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/QemuMonitor.java
index 7cac734..000a3bf 100644
--- a/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/QemuMonitor.java
+++ b/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/QemuMonitor.java
@@ -19,13 +19,8 @@
 package org.jdrupes.vmoperator.runner.qemu;
 
 import com.fasterxml.jackson.core.JsonProcessingException;
-import com.fasterxml.jackson.databind.ObjectMapper;
 import com.fasterxml.jackson.databind.node.ObjectNode;
 import java.io.IOException;
-import java.io.Writer;
-import java.lang.reflect.UndeclaredThrowableException;
-import java.net.UnixDomainSocketAddress;
-import java.nio.file.Files;
 import java.nio.file.Path;
 import java.time.Duration;
 import java.time.Instant;
@@ -42,24 +37,13 @@ import org.jdrupes.vmoperator.runner.qemu.events.MonitorReady;
 import org.jdrupes.vmoperator.runner.qemu.events.MonitorResult;
 import org.jdrupes.vmoperator.runner.qemu.events.PowerdownEvent;
 import org.jgrapes.core.Channel;
-import org.jgrapes.core.Component;
 import org.jgrapes.core.Components;
 import org.jgrapes.core.Components.Timer;
-import org.jgrapes.core.EventPipeline;
 import org.jgrapes.core.annotation.Handler;
-import org.jgrapes.core.events.Start;
 import org.jgrapes.core.events.Stop;
 import org.jgrapes.io.events.Closed;
-import org.jgrapes.io.events.ConnectError;
-import org.jgrapes.io.events.Input;
-import org.jgrapes.io.events.OpenSocketConnection;
-import org.jgrapes.io.util.ByteBufferWriter;
-import org.jgrapes.io.util.LineCollector;
 import org.jgrapes.net.SocketIOChannel;
-import org.jgrapes.net.events.ClientConnected;
 import org.jgrapes.util.events.ConfigurationUpdate;
-import org.jgrapes.util.events.FileChanged;
-import org.jgrapes.util.events.WatchFile;
 
 /**
  * A component that handles the communication over the Qemu monitor
@@ -69,14 +53,9 @@ import org.jgrapes.util.events.WatchFile;
  * exchanged on the monitor socket are logged.
  */
 @SuppressWarnings("PMD.DataflowAnomalyAnalysis")
-public class QemuMonitor extends Component {
+public class QemuMonitor extends QemuConnector {
 
-    private static ObjectMapper mapper = new ObjectMapper();
-
-    private EventPipeline rep;
-    private Path socketPath;
     private int powerdownTimeout;
-    private SocketIOChannel monitorChannel;
     private final Queue<QmpCommand> executing = new LinkedList<>();
     private Instant powerdownStartedAt;
     private Stop suspendedStop;
@@ -84,7 +63,7 @@ public class QemuMonitor extends Component {
     private boolean powerdownConfirmed;
 
     /**
-     * Instantiates a new qemu monitor.
+     * Instantiates a new QEMU monitor.
      *
      * @param componentChannel the component channel
      * @param configDir the config dir
@@ -111,109 +90,26 @@ public class QemuMonitor extends Component {
      * @param powerdownTimeout 
      */
     /* default */ void configure(Path socketPath, int powerdownTimeout) {
-        this.socketPath = socketPath;
+        super.configure(socketPath);
         this.powerdownTimeout = powerdownTimeout;
     }
 
     /**
-     * Handle the start event.
-     *
-     * @param event the event
-     * @throws IOException Signals that an I/O exception has occurred.
+     * When the socket is connected, send the capabilities command.
      */
-    @Handler
-    public void onStart(Start event) throws IOException {
-        rep = event.associated(EventPipeline.class).get();
-        if (socketPath == null) {
-            return;
-        }
-        Files.deleteIfExists(socketPath);
-        fire(new WatchFile(socketPath));
+    @Override
+    protected void socketConnected() {
+        fire(new MonitorCommand(new QmpCapabilities()));
     }
 
-    /**
-     * Watch for the creation of the swtpm socket and start the
-     * qemu process if it has been created.
-     *
-     * @param event the event
-     */
-    @Handler
-    public void onFileChanged(FileChanged event) {
-        if (event.change() == FileChanged.Kind.CREATED
-            && event.path().equals(socketPath)) {
-            // qemu running, open socket
-            fire(new OpenSocketConnection(
-                UnixDomainSocketAddress.of(socketPath))
-                    .setAssociated(QemuMonitor.class, this));
-        }
-    }
-
-    /**
-     * Check if this is from opening the monitor socket and if true,
-     * save the socket in the context and associate the channel with
-     * the context. Then send the initial message to the socket.
-     *
-     * @param event the event
-     * @param channel the channel
-     */
-    @SuppressWarnings("resource")
-    @Handler
-    public void onClientConnected(ClientConnected event,
-            SocketIOChannel channel) {
-        event.openEvent().associated(QemuMonitor.class).ifPresent(qm -> {
-            monitorChannel = channel;
-            channel.setAssociated(QemuMonitor.class, this);
-            channel.setAssociated(Writer.class, new ByteBufferWriter(
-                channel).nativeCharset());
-            channel.setAssociated(LineCollector.class,
-                new LineCollector()
-                    .consumer(line -> {
-                        try {
-                            processMonitorInput(line);
-                        } catch (IOException e) {
-                            throw new UndeclaredThrowableException(e);
-                        }
-                    }));
-            fire(new MonitorCommand(new QmpCapabilities()));
-        });
-    }
-
-    /**
-     * Called when a connection attempt fails.
-     *
-     * @param event the event
-     * @param channel the channel
-     */
-    @Handler
-    public void onConnectError(ConnectError event, SocketIOChannel channel) {
-        event.event().associated(QemuMonitor.class).ifPresent(qm -> {
-            rep.fire(new Stop());
-        });
-    }
-
-    /**
-     * Handle data from qemu monitor connection.
-     *
-     * @param event the event
-     * @param channel the channel
-     */
-    @Handler
-    public void onInput(Input<?> event, SocketIOChannel channel) {
-        if (channel.associated(QemuMonitor.class).isEmpty()) {
-            return;
-        }
-        channel.associated(LineCollector.class).ifPresent(collector -> {
-            collector.feed(event);
-        });
-    }
-
-    private void processMonitorInput(String line)
+    @Override
+    protected void processInput(String line)
             throws IOException {
         logger.fine(() -> "monitor(in): " + line);
         try {
             var response = mapper.readValue(line, ObjectNode.class);
             if (response.has("QMP")) {
-                rep.fire(new MonitorReady());
+                rep().fire(new MonitorReady());
                 return;
             }
             if (response.has("return") || response.has("error")) {
@@ -221,11 +117,11 @@ public class QemuMonitor extends Component {
                 logger.fine(
                     () -> String.format("(Previous \"monitor(in)\" is result "
                         + "from executing %s)", executed));
-                rep.fire(MonitorResult.from(executed, response));
+                rep().fire(MonitorResult.from(executed, response));
                 return;
             }
             if (response.has("event")) {
-                MonitorEvent.from(response).ifPresent(rep::fire);
+                MonitorEvent.from(response).ifPresent(rep()::fire);
             }
         } catch (JsonProcessingException e) {
             throw new IOException(e);
@@ -241,8 +137,8 @@ public class QemuMonitor extends Component {
     @SuppressWarnings({ "PMD.AvoidSynchronizedStatement",
         "PMD.AvoidDuplicateLiterals" })
     public void onClosed(Closed<?> event, SocketIOChannel channel) {
+        super.onClosed(event, channel);
         channel.associated(QemuMonitor.class).ifPresent(qm -> {
-            monitorChannel = null;
             synchronized (this) {
                 if (powerdownTimer != null) {
                     powerdownTimer.cancel();
@@ -275,7 +171,7 @@ public class QemuMonitor extends Component {
             return;
         }
         synchronized (executing) {
-            monitorChannel.associated(Writer.class).ifPresent(writer -> {
+            writer().ifPresent(writer -> {
                 try {
                     executing.add(command);
                     writer.append(asText).append('\n').flush();
@@ -295,7 +191,7 @@ public class QemuMonitor extends Component {
     @Handler(priority = 100)
     @SuppressWarnings("PMD.AvoidSynchronizedStatement")
     public void onStop(Stop event) {
-        if (monitorChannel != null) {
+        if (qemuChannel() != null) {
             // We have a connection to Qemu, attempt ACPI shutdown.
             event.suspendHandling();
             suspendedStop = event;
diff --git a/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/Runner.java b/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/Runner.java
index e0cd837..0eaabe9 100644
--- a/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/Runner.java
+++ b/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/Runner.java
@@ -23,7 +23,6 @@ import com.fasterxml.jackson.databind.DeserializationFeature;
 import com.fasterxml.jackson.databind.JsonMappingException;
 import com.fasterxml.jackson.databind.JsonNode;
 import com.fasterxml.jackson.databind.ObjectMapper;
-import com.fasterxml.jackson.databind.node.ArrayNode;
 import com.fasterxml.jackson.dataformat.yaml.YAMLFactory;
 import com.fasterxml.jackson.dataformat.yaml.YAMLGenerator;
 import freemarker.core.ParseException;
@@ -198,7 +197,6 @@ public class Runner extends Component {
     private static final String QEMU = "qemu";
     private static final String SWTPM = "swtpm";
     private static final String CLOUD_INIT_IMG = "cloudInitImg";
-    private static final String GUEST_AGENT_CMDS = "guestAgentCmds";
     private static final String TEMPLATE_DIR
         = "/opt/" + APP_NAME.replace("-", "") + "/templates";
     private static final String DEFAULT_TEMPLATE
@@ -222,6 +220,7 @@ public class Runner extends Component {
     private CommandDefinition qemuDefinition;
     private final QemuMonitor qemuMonitor;
     private final GuestAgentClient guestAgentClient;
+    private final VmopAgentClient vmopAgentClient;
     private Integer resetCounter;
     private RunState state = RunState.INITIALIZING;
 
@@ -280,6 +279,7 @@ public class Runner extends Component {
         attach(new SocketConnector(channel()));
         attach(qemuMonitor = new QemuMonitor(channel(), configDir));
         attach(guestAgentClient = new GuestAgentClient(channel()));
+        attach(vmopAgentClient = new VmopAgentClient(channel()));
         attach(new StatusUpdater(channel()));
         attach(new YamlConfigurationStore(channel(), configFile, false));
         fire(new WatchFile(configFile.toPath()));
@@ -350,16 +350,12 @@ public class Runner extends Component {
                     .map(d -> new CommandDefinition(CLOUD_INIT_IMG, d))
                     .orElse(null);
             logger.finest(() -> cloudInitImgDefinition.toString());
-            var guestAgentCmds = (ArrayNode) tplData.get(GUEST_AGENT_CMDS);
-            if (guestAgentCmds != null) {
-                logger.finest(
-                    () -> "GuestAgentCmds: " + guestAgentCmds.toString());
-            }
 
             // Forward some values to child components
             qemuMonitor.configure(config.monitorSocket,
                 config.vm.powerdownTimeout);
-            guestAgentClient.configure(config.guestAgentSocket, guestAgentCmds);
+            configureAgentClient(guestAgentClient, "guest-agent-socket");
+            configureAgentClient(vmopAgentClient, "vmop-agent-socket");
         } catch (IllegalArgumentException | IOException | TemplateException e) {
             logger.log(Level.SEVERE, e, () -> "Invalid configuration: "
                 + e.getMessage());
@@ -484,6 +480,36 @@ public class Runner extends Component {
         }
     }
 
+    @SuppressWarnings("PMD.CognitiveComplexity")
+    private void configureAgentClient(AgentConnector client, String chardev) {
+        String id = null;
+        Path path = null;
+        for (var arg : qemuDefinition.command) {
+            if (arg.startsWith("virtserialport,")
+                && arg.contains("chardev=" + chardev)) {
+                for (var prop : arg.split(",")) {
+                    if (prop.startsWith("id=")) {
+                        id = prop.substring(3);
+                    }
+                }
+            }
+            if (arg.startsWith("socket,")
+                && arg.contains("id=" + chardev)) {
+                for (var prop : arg.split(",")) {
+                    if (prop.startsWith("path=")) {
+                        path = Path.of(prop.substring(5));
+                    }
+                }
+            }
+        }
+        if (id == null || path == null) {
+            logger.warning(() -> "Definition of chardev " + chardev
+                + " missing in runner template.");
+            return;
+        }
+        client.configure(id, path);
+    }
+
     /**
      * Handle the started event.
      *
diff --git a/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/VmopAgentClient.java b/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/VmopAgentClient.java
new file mode 100644
index 0000000..a74432b
--- /dev/null
+++ b/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/VmopAgentClient.java
@@ -0,0 +1,48 @@
+/*
+ * VM-Operator
+ * Copyright (C) 2025 Michael N. Lipp
+ * 
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as
+ * published by the Free Software Foundation, either version 3 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program.  If not, see <https://www.gnu.org/licenses/>.
+ */
+
+package org.jdrupes.vmoperator.runner.qemu;
+
+import java.io.IOException;
+import org.jgrapes.core.Channel;
+
+/**
+ * A component that handles the communication over the vmop agent
+ * socket.
+ * 
+ * If the log level for this class is set to fine, the messages 
+ * exchanged on the socket are logged.
+ */
+public class VmopAgentClient extends AgentConnector {
+
+    /**
+     * Instantiates a new VM operator agent client.
+     *
+     * @param componentChannel the component channel
+     * @throws IOException Signals that an I/O exception has occurred.
+     */
+    public VmopAgentClient(Channel componentChannel) throws IOException {
+        super(componentChannel);
+    }
+
+    @Override
+    protected void processInput(String line) throws IOException {
+        // TODO Auto-generated method stub
+    }
+
+}
diff --git a/org.jdrupes.vmoperator.runner.qemu/templates/Standard-VM-latest.ftl.yaml b/org.jdrupes.vmoperator.runner.qemu/templates/Standard-VM-latest.ftl.yaml
index 3eacfa3..c5c0252 100644
--- a/org.jdrupes.vmoperator.runner.qemu/templates/Standard-VM-latest.ftl.yaml
+++ b/org.jdrupes.vmoperator.runner.qemu/templates/Standard-VM-latest.ftl.yaml
@@ -122,11 +122,16 @@
     #   Best explanation found: 
     #   https://fedoraproject.org/wiki/Features/VirtioSerial
     - [ "-device", "virtio-serial-pci,id=virtio-serial0" ]
-    #   - Guest agent serial connection. MUST have id "channel0"!
+    #   - Guest agent serial connection.
     - [ "-device", "virtserialport,id=channel0,name=org.qemu.guest_agent.0,\
         chardev=guest-agent-socket" ]
     - [ "-chardev","socket,id=guest-agent-socket,\
         path=${ runtimeDir }/org.qemu.guest_agent.0,server=on,wait=off" ]
+    #   - VM operator agent serial connection.
+    - [ "-device", "virtserialport,id=channel1,name=org.jdrupes.vmop_agent.0,\
+        chardev=vmop-agent-socket" ]
+    - [ "-chardev","socket,id=vmop-agent-socket,\
+        path=${ runtimeDir }/org.jdrupes.vmop_agent.0,server=on,wait=off" ]
     # * USB Hub and devices (more in SPICE configuration below)
     #   https://qemu-project.gitlab.io/qemu/system/devices/usb.html
     #   https://github.com/qemu/qemu/blob/master/hw/usb/hcd-xhci.c
@@ -233,7 +238,3 @@
     </#list>
     </#if>
     </#if>
-
-"guestAgentCmds":
-  - "osId": "*"
-    "executable": "/usr/local/libexec/vm-operator-cmd"
diff --git a/webpages/vm-operator/upgrading.md b/webpages/vm-operator/upgrading.md
index 2c4253e..422c32d 100644
--- a/webpages/vm-operator/upgrading.md
+++ b/webpages/vm-operator/upgrading.md
@@ -26,6 +26,13 @@ layout: vm-operator
    still accepted for backward compatibility until the next major version,
    but should be updated.
 
+ * The standard [template](./runner.html#stand-alone-configuration) used
+   to generate the QEMU command has been updated. Unless you have enabled
+   automatic updates of the template in the VM definition, you have to
+   update the template manually. If you're using your own template, you
+   have to add a virtual serial port (see the git history of the standard
+   template for the required addition).
+
 ## To version 3.4.0
 
 Starting with this version, the VM-Operator no longer uses a stateful set

From c45c452c83a09cf6c00ab6ab3cfe8ad0ab7e6529 Mon Sep 17 00:00:00 2001
From: "Michael N. Lipp" <mnl@mnl.de>
Date: Mon, 24 Feb 2025 13:20:28 +0100
Subject: [PATCH 122/274] Adjust class name.

---
 .../vmoperator/manager/DisplaySecretReconciler.java    | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/DisplaySecretReconciler.java b/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/DisplaySecretReconciler.java
index 66bb021..e1955b4 100644
--- a/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/DisplaySecretReconciler.java
+++ b/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/DisplaySecretReconciler.java
@@ -76,7 +76,7 @@ public class DisplaySecretReconciler extends Component {
 
     protected final Logger logger = Logger.getLogger(getClass().getName());
     private int passwordValidity = 10;
-    private final List<PendingGet> pendingPrepares
+    private final List<PendingPrepare> pendingPrepares
         = Collections.synchronizedList(new LinkedList<>());
 
     /**
@@ -234,8 +234,8 @@ public class DisplaySecretReconciler extends Component {
             return;
         }
 
-        // Prepare wait for confirmation (by VM status change)
-        var pending = new PendingGet(event,
+        // Register wait for confirmation (by VM status change)
+        var pending = new PendingPrepare(event,
             event.vmDefinition().displayPasswordSerial().orElse(0L) + 1,
             new CompletionLock(event, 1500));
         pendingPrepares.add(pending);
@@ -333,7 +333,7 @@ public class DisplaySecretReconciler extends Component {
      * The Class PendingGet.
      */
     @SuppressWarnings("PMD.DataClass")
-    private static class PendingGet {
+    private static class PendingPrepare {
         public final PrepareConsole event;
         public final long expectedSerial;
         public final CompletionLock lock;
@@ -344,7 +344,7 @@ public class DisplaySecretReconciler extends Component {
          * @param event the event
          * @param expectedSerial the expected serial
          */
-        public PendingGet(PrepareConsole event, long expectedSerial,
+        public PendingPrepare(PrepareConsole event, long expectedSerial,
                 CompletionLock lock) {
             super();
             this.event = event;

From ddab466fd05a8d168f5b38dd3716a4ccdb898985 Mon Sep 17 00:00:00 2001
From: "Michael N. Lipp" <mnl@mnl.de>
Date: Mon, 24 Feb 2025 14:03:49 +0100
Subject: [PATCH 123/274] Restrict pagefind search to project.

---
 webpages/_layouts/vm-operator.html | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/webpages/_layouts/vm-operator.html b/webpages/_layouts/vm-operator.html
index e779711..4456d20 100644
--- a/webpages/_layouts/vm-operator.html
+++ b/webpages/_layouts/vm-operator.html
@@ -11,11 +11,12 @@
     <!--[if lt IE 9]>
     <script src="//html5shiv.googlecode.com/svn/trunk/html5.js"></script>
     <![endif]-->
-    <link href="../pagefind/pagefind-ui.css" rel="stylesheet">
-    <script src="../pagefind/pagefind-ui.js"></script>
+    <link href="/vm-operator/pagefind/pagefind-ui.css" rel="stylesheet">
+    <script src="/vm-operator/pagefind/pagefind-ui.js"></script>
     <script>
         window.addEventListener('DOMContentLoaded', (event) => {
           new PagefindUI({ element: "#search", showSubResults: true,
+          bundlePath: "/vm-operator/pagefind/",
           // See https://github.com/CloudCannon/pagefind/issues/530
           processResult: function (result) {
               if (result?.meta?.image) {

From bc33640c98f75b23adf5e0ea12c0a949c2a7de2d Mon Sep 17 00:00:00 2001
From: "Michael N. Lipp" <mnl@mnl.de>
Date: Mon, 24 Feb 2025 18:09:14 +0100
Subject: [PATCH 124/274] Avoid duplicate constants.

---
 .../jdrupes/vmoperator/common/Constants.java  | 19 ++++++++++++++++---
 .../jdrupes/vmoperator/manager/Constants.java | 16 ----------------
 .../runner/qemu/DisplayController.java        | 12 ++++++------
 3 files changed, 22 insertions(+), 25 deletions(-)

diff --git a/org.jdrupes.vmoperator.common/src/org/jdrupes/vmoperator/common/Constants.java b/org.jdrupes.vmoperator.common/src/org/jdrupes/vmoperator/common/Constants.java
index 5837264..9bfba8d 100644
--- a/org.jdrupes.vmoperator.common/src/org/jdrupes/vmoperator/common/Constants.java
+++ b/org.jdrupes.vmoperator.common/src/org/jdrupes/vmoperator/common/Constants.java
@@ -27,9 +27,6 @@ public class Constants {
     /** The Constant APP_NAME. */
     public static final String APP_NAME = "vm-runner";
 
-    /** The Constant COMP_DISPLAY_SECRETS. */
-    public static final String COMP_DISPLAY_SECRET = "display-secret";
-
     /** The Constant VM_OP_NAME. */
     public static final String VM_OP_NAME = "vm-operator";
 
@@ -41,4 +38,20 @@ public class Constants {
 
     /** The Constant VM_OP_KIND_VM_POOL. */
     public static final String VM_OP_KIND_VM_POOL = "VmPool";
+
+    /** The Constant COMP_DISPLAY_SECRETS. */
+    public static final String COMP_DISPLAY_SECRET = "display-secret";
+
+    /** The Constant DATA_DISPLAY_PASSWORD. */
+    public static final String DATA_DISPLAY_PASSWORD = "display-password";
+
+    /** The Constant DATA_PASSWORD_EXPIRY. */
+    public static final String DATA_PASSWORD_EXPIRY = "password-expiry";
+
+    /** The Constant DATA_DISPLAY_USER. */
+    public static final String DATA_DISPLAY_USER = "display-user";
+
+    /** The Constant DATA_DISPLAY_LOGIN. */
+    public static final String DATA_DISPLAY_LOGIN = "login-user";
+
 }
diff --git a/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/Constants.java b/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/Constants.java
index f12b512..c5c8528 100644
--- a/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/Constants.java
+++ b/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/Constants.java
@@ -18,28 +18,12 @@
 
 package org.jdrupes.vmoperator.manager;
 
-// TODO: Auto-generated Javadoc
 /**
  * Some constants.
  */
 @SuppressWarnings("PMD.DataClass")
 public class Constants extends org.jdrupes.vmoperator.common.Constants {
 
-    /** The Constant COMP_DISPLAY_SECRET. */
-    public static final String COMP_DISPLAY_SECRET = "display-secret";
-
-    /** The Constant DATA_DISPLAY_PASSWORD. */
-    public static final String DATA_DISPLAY_PASSWORD = "display-password";
-
-    /** The Constant DATA_PASSWORD_EXPIRY. */
-    public static final String DATA_PASSWORD_EXPIRY = "password-expiry";
-
-    /** The Constant DATA_DISPLAY_USER. */
-    public static final String DATA_DISPLAY_USER = "display-user";
-
-    /** The Constant DATA_DISPLAY_LOGIN. */
-    public static final String DATA_DISPLAY_LOGIN = "login-user";
-
     /** The Constant STATE_RUNNING. */
     public static final String STATE_RUNNING = "Running";
 
diff --git a/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/DisplayController.java b/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/DisplayController.java
index 1f9833c..fab11b1 100644
--- a/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/DisplayController.java
+++ b/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/DisplayController.java
@@ -23,6 +23,8 @@ import java.nio.file.Files;
 import java.nio.file.Path;
 import java.util.Objects;
 import java.util.logging.Level;
+import static org.jdrupes.vmoperator.common.Constants.DATA_DISPLAY_PASSWORD;
+import static org.jdrupes.vmoperator.common.Constants.DATA_PASSWORD_EXPIRY;
 import org.jdrupes.vmoperator.runner.qemu.commands.QmpSetDisplayPassword;
 import org.jdrupes.vmoperator.runner.qemu.commands.QmpSetPasswordExpiry;
 import org.jdrupes.vmoperator.runner.qemu.events.ConfigureQemu;
@@ -40,8 +42,6 @@ import org.jgrapes.util.events.WatchFile;
 @SuppressWarnings("PMD.DataflowAnomalyAnalysis")
 public class DisplayController extends Component {
 
-    public static final String DISPLAY_PASSWORD_FILE = "display-password";
-    public static final String PASSWORD_EXPIRY_FILE = "password-expiry";
     private String currentPassword;
     private String protocol;
     private final Path configDir;
@@ -57,7 +57,7 @@ public class DisplayController extends Component {
     public DisplayController(Channel componentChannel, Path configDir) {
         super(componentChannel);
         this.configDir = configDir;
-        fire(new WatchFile(configDir.resolve(DISPLAY_PASSWORD_FILE)));
+        fire(new WatchFile(configDir.resolve(DATA_DISPLAY_PASSWORD)));
     }
 
     /**
@@ -83,7 +83,7 @@ public class DisplayController extends Component {
     @Handler
     @SuppressWarnings("PMD.EmptyCatchBlock")
     public void onFileChanged(FileChanged event) {
-        if (event.path().equals(configDir.resolve(DISPLAY_PASSWORD_FILE))) {
+        if (event.path().equals(configDir.resolve(DATA_DISPLAY_PASSWORD))) {
             updatePassword();
         }
     }
@@ -100,7 +100,7 @@ public class DisplayController extends Component {
 
     private boolean setDisplayPassword() {
         String password;
-        Path dpPath = configDir.resolve(DISPLAY_PASSWORD_FILE);
+        Path dpPath = configDir.resolve(DATA_DISPLAY_PASSWORD);
         if (dpPath.toFile().canRead()) {
             logger.finer(() -> "Found display password");
             try {
@@ -125,7 +125,7 @@ public class DisplayController extends Component {
     }
 
     private void setPasswordExpiry() {
-        Path pePath = configDir.resolve(PASSWORD_EXPIRY_FILE);
+        Path pePath = configDir.resolve(DATA_PASSWORD_EXPIRY);
         if (!pePath.toFile().canRead()) {
             return;
         }

From c6704c886f653a9a47bcafc04840afbf25157fe0 Mon Sep 17 00:00:00 2001
From: "Michael N. Lipp" <mnl@mnl.de>
Date: Mon, 24 Feb 2025 18:18:29 +0100
Subject: [PATCH 125/274] Avoid duplicate constants.

---
 .../src/org/jdrupes/vmoperator/runner/qemu/Runner.java        | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/Runner.java b/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/Runner.java
index 0eaabe9..f64af2d 100644
--- a/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/Runner.java
+++ b/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/Runner.java
@@ -56,6 +56,7 @@ import org.apache.commons.cli.DefaultParser;
 import org.apache.commons.cli.Option;
 import org.apache.commons.cli.Options;
 import static org.jdrupes.vmoperator.common.Constants.APP_NAME;
+import static org.jdrupes.vmoperator.common.Constants.DATA_DISPLAY_PASSWORD;
 import org.jdrupes.vmoperator.runner.qemu.commands.QmpCont;
 import org.jdrupes.vmoperator.runner.qemu.commands.QmpReset;
 import org.jdrupes.vmoperator.runner.qemu.events.ConfigureQemu;
@@ -311,8 +312,7 @@ public class Runner extends Component {
 
             // Add some values from other sources to configuration
             newConf.asOf = Instant.ofEpochSecond(configFile.lastModified());
-            Path dsPath
-                = configDir.resolve(DisplayController.DISPLAY_PASSWORD_FILE);
+            Path dsPath = configDir.resolve(DATA_DISPLAY_PASSWORD);
             newConf.hasDisplayPassword = dsPath.toFile().canRead();
 
             // Special actions for initial configuration (startup)

From d1bc335db908f189c98b1be79f809dc849652534 Mon Sep 17 00:00:00 2001
From: "Michael N. Lipp" <mnl@mnl.de>
Date: Mon, 24 Feb 2025 21:21:58 +0100
Subject: [PATCH 126/274] Prepare auto login.

---
 .../runner/qemu/DisplayController.java        | 69 +++++++++----------
 1 file changed, 33 insertions(+), 36 deletions(-)

diff --git a/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/DisplayController.java b/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/DisplayController.java
index fab11b1..7dee0a2 100644
--- a/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/DisplayController.java
+++ b/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/DisplayController.java
@@ -22,8 +22,11 @@ import java.io.IOException;
 import java.nio.file.Files;
 import java.nio.file.Path;
 import java.util.Objects;
+import java.util.Optional;
 import java.util.logging.Level;
+import static org.jdrupes.vmoperator.common.Constants.DATA_DISPLAY_LOGIN;
 import static org.jdrupes.vmoperator.common.Constants.DATA_DISPLAY_PASSWORD;
+import static org.jdrupes.vmoperator.common.Constants.DATA_DISPLAY_USER;
 import static org.jdrupes.vmoperator.common.Constants.DATA_PASSWORD_EXPIRY;
 import org.jdrupes.vmoperator.runner.qemu.commands.QmpSetDisplayPassword;
 import org.jdrupes.vmoperator.runner.qemu.commands.QmpSetPasswordExpiry;
@@ -99,47 +102,41 @@ public class DisplayController extends Component {
     }
 
     private boolean setDisplayPassword() {
-        String password;
-        Path dpPath = configDir.resolve(DATA_DISPLAY_PASSWORD);
-        if (dpPath.toFile().canRead()) {
-            logger.finer(() -> "Found display password");
-            try {
-                password = Files.readString(dpPath);
-            } catch (IOException e) {
-                logger.log(Level.WARNING, e, () -> "Cannot read display"
-                    + " password: " + e.getMessage());
-                return false;
+        return readFromFile(DATA_DISPLAY_PASSWORD).map(password -> {
+            if (Objects.equals(this.currentPassword, password)) {
+                return true;
             }
-        } else {
-            logger.finer(() -> "No display password");
-            return false;
-        }
-
-        if (Objects.equals(this.currentPassword, password)) {
+            this.currentPassword = password;
+            logger.fine(() -> "Updating display password");
+            fire(new MonitorCommand(
+                new QmpSetDisplayPassword(protocol, password)));
             return true;
-        }
-        this.currentPassword = password;
-        logger.fine(() -> "Updating display password");
-        fire(new MonitorCommand(new QmpSetDisplayPassword(protocol, password)));
-        return true;
+        }).orElse(false);
     }
 
     private void setPasswordExpiry() {
-        Path pePath = configDir.resolve(DATA_PASSWORD_EXPIRY);
-        if (!pePath.toFile().canRead()) {
-            return;
-        }
-        logger.finer(() -> "Found expiry time");
-        String expiry;
-        try {
-            expiry = Files.readString(pePath);
-        } catch (IOException e) {
-            logger.log(Level.WARNING, e, () -> "Cannot read expiry"
-                + " time: " + e.getMessage());
-            return;
-        }
-        logger.fine(() -> "Updating expiry time");
-        fire(new MonitorCommand(new QmpSetPasswordExpiry(protocol, expiry)));
+        readFromFile(DATA_PASSWORD_EXPIRY).ifPresent(expiry -> {
+            logger.fine(() -> "Updating expiry time to " + expiry);
+            fire(
+                new MonitorCommand(new QmpSetPasswordExpiry(protocol, expiry)));
+        });
     }
 
+    private Optional<String> readFromFile(String dataItem) {
+        Path path = configDir.resolve(dataItem);
+        String label = dataItem.replace('-', ' ');
+        if (path.toFile().canRead()) {
+            logger.finer(() -> "Found display user");
+            try {
+                return Optional.ofNullable(Files.readString(path));
+            } catch (IOException e) {
+                logger.log(Level.WARNING, e, () -> "Cannot read " + label + ": "
+                    + e.getMessage());
+                return Optional.empty();
+            }
+        } else {
+            logger.finer(() -> "No " + label);
+            return Optional.empty();
+        }
+    }
 }

From 2119c215fca384c653413c5dd163843f2f48e962 Mon Sep 17 00:00:00 2001
From: "Michael N. Lipp" <mnl@mnl.de>
Date: Tue, 25 Feb 2025 10:44:56 +0100
Subject: [PATCH 127/274] Prevent publishing doc in branches (except main).

---
 build.gradle | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/build.gradle b/build.gradle
index df173d8..8a7b571 100644
--- a/build.gradle
+++ b/build.gradle
@@ -5,7 +5,7 @@ buildscript {
 }
 
 plugins {
-    id 'org.ajoberstar.grgit' version '5.2.0' apply false
+    id 'org.ajoberstar.grgit' version '5.2.0'
     id 'org.ajoberstar.git-publish' version '4.2.0' apply false
     id 'pl.allegro.tech.build.axion-release' version '1.17.2' apply false
     id 'org.jdrupes.vmoperator.versioning-conventions'
@@ -28,7 +28,9 @@ task stage {
             tc -> tc.findByName("build") }.flatten()
     }
     
-    if (JavaVersion.current() == JavaVersion.VERSION_21) {
+    def gitBranch = grgit.branch.current.name.replace('/', '-')
+    if (JavaVersion.current() == JavaVersion.VERSION_21
+        && gitBranch == "main") {
         // Publish JavaDoc
         dependsOn gitPublishPush
     }

From d2c39dc06a95094ccd6a4cf4453e41f1b0433070 Mon Sep 17 00:00:00 2001
From: "Michael N. Lipp" <mnl@mnl.de>
Date: Tue, 25 Feb 2025 13:48:23 +0100
Subject: [PATCH 128/274] Rename.

---
 dev-example/{gen-pool-vm-crds.sh => gen-pool-vm-crds} | 0
 dev-example/{pool-action.sh => pool-action}           | 0
 2 files changed, 0 insertions(+), 0 deletions(-)
 rename dev-example/{gen-pool-vm-crds.sh => gen-pool-vm-crds} (100%)
 rename dev-example/{pool-action.sh => pool-action} (100%)

diff --git a/dev-example/gen-pool-vm-crds.sh b/dev-example/gen-pool-vm-crds
similarity index 100%
rename from dev-example/gen-pool-vm-crds.sh
rename to dev-example/gen-pool-vm-crds
diff --git a/dev-example/pool-action.sh b/dev-example/pool-action
similarity index 100%
rename from dev-example/pool-action.sh
rename to dev-example/pool-action

From 4a7a309f071416074240a51184fa8820acf22234 Mon Sep 17 00:00:00 2001
From: "Michael N. Lipp" <mnl@mnl.de>
Date: Tue, 25 Feb 2025 15:43:47 +0100
Subject: [PATCH 129/274] Get started with vmop-agent.

---
 dev-example/vmop-agent/99-vmop-agent.rules    |  2 ++
 dev-example/vmop-agent/vmop-agent             | 19 +++++++++++
 dev-example/vmop-agent/vmop-agent.service     | 15 ++++++++
 .../vmoperator/runner/qemu/StatusUpdater.java | 34 +++++++++++++++----
 .../runner/qemu/VmopAgentClient.java          |  5 ++-
 .../qemu/events/VmopAgentConnected.java       | 27 +++++++++++++++
 6 files changed, 95 insertions(+), 7 deletions(-)
 create mode 100644 dev-example/vmop-agent/99-vmop-agent.rules
 create mode 100755 dev-example/vmop-agent/vmop-agent
 create mode 100644 dev-example/vmop-agent/vmop-agent.service
 create mode 100644 org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/events/VmopAgentConnected.java

diff --git a/dev-example/vmop-agent/99-vmop-agent.rules b/dev-example/vmop-agent/99-vmop-agent.rules
new file mode 100644
index 0000000..4a18472
--- /dev/null
+++ b/dev-example/vmop-agent/99-vmop-agent.rules
@@ -0,0 +1,2 @@
+SUBSYSTEM=="virtio-ports", ATTR{name}=="org.jdrupes.vmop_agent.0", \
+  TAG+="systemd" ENV{SYSTEMD_WANTS}="vmop-agent.service"
diff --git a/dev-example/vmop-agent/vmop-agent b/dev-example/vmop-agent/vmop-agent
new file mode 100755
index 0000000..b3157b9
--- /dev/null
+++ b/dev-example/vmop-agent/vmop-agent
@@ -0,0 +1,19 @@
+#!/usr/bin/bash
+
+hostSerial="/dev/virtio-ports/org.jdrupes.vmop_agent.0"
+
+if [ ! -w "$hostSerial" ]; then
+  echo >&2 "Device $hostSerial not writable"
+  exit 1
+fi
+
+if ! exec {con}<>"$hostSerial"; then
+  echo >&2 "Cannot open device $hostSerial"
+  exit 1
+fi
+
+echo >&${con} "220 Hello"
+
+while read line <&${con}; do
+  true
+done
diff --git a/dev-example/vmop-agent/vmop-agent.service b/dev-example/vmop-agent/vmop-agent.service
new file mode 100644
index 0000000..11c64f2
--- /dev/null
+++ b/dev-example/vmop-agent/vmop-agent.service
@@ -0,0 +1,15 @@
+[Unit]
+Description=VM-Operator (Guest) Agent
+BindsTo=dev-virtio\x2dports-org.jdrupes.vmop_agent.0.device
+After=dev-virtio\x2dports-org.jdrupes.vmop_agent.0.device multi-user.target
+IgnoreOnIsolate=True
+
+[Service]
+UMask=0077
+#EnvironmentFile=/etc/sysconfig/vmop-agent
+ExecStart=/usr/local/libexec/vmop-agent
+Restart=always
+RestartSec=0
+
+[Install]
+WantedBy=dev-virtio\x2dports-org.jdrupes.vmop_agent.0.device
diff --git a/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/StatusUpdater.java b/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/StatusUpdater.java
index f9644c8..fa0e3ab 100644
--- a/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/StatusUpdater.java
+++ b/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/StatusUpdater.java
@@ -47,6 +47,7 @@ import org.jdrupes.vmoperator.runner.qemu.events.OsinfoEvent;
 import org.jdrupes.vmoperator.runner.qemu.events.RunnerStateChange;
 import org.jdrupes.vmoperator.runner.qemu.events.RunnerStateChange.RunState;
 import org.jdrupes.vmoperator.runner.qemu.events.ShutdownEvent;
+import org.jdrupes.vmoperator.runner.qemu.events.VmopAgentConnected;
 import org.jdrupes.vmoperator.util.GsonPtr;
 import org.jgrapes.core.Channel;
 import org.jgrapes.core.annotation.Handler;
@@ -192,20 +193,21 @@ public class StatusUpdater extends VmDefUpdater {
                 status.addProperty("ram", GsonPtr.to(from.data())
                     .getAsString("spec", "vm", "maximumRam").orElse("0"));
                 status.addProperty("cpus", 1);
-
-                // In case we had an irregular shutdown
-                status.remove("osinfo");
             } else if (event.runState() == RunState.STOPPED) {
                 status.addProperty("ram", "0");
                 status.addProperty("cpus", 0);
-                status.remove("osinfo");
             }
 
-            // In case console connection was still present
             if (!running) {
+                // In case console connection was still present
                 status.addProperty("consoleClient", "");
                 updateCondition(from, status, "ConsoleConnected", false,
-                    "VmStopped", "The VM has been shut down");
+                    "VmStopped", "The VM is not running");
+
+                // In case we had an irregular shutdown
+                status.remove("osinfo");
+                updateCondition(vmDef, vmDef.statusJson(), "VmopAgentConnected",
+                    false, "VmStopped", "The VM is not running");
             }
             return status;
         });
@@ -322,4 +324,24 @@ public class StatusUpdater extends VmDefUpdater {
         });
 
     }
+
+    /**
+     * @param event the event
+     * @throws ApiException 
+     */
+    @Handler
+    @SuppressWarnings("PMD.AssignmentInOperand")
+    public void onVmopAgentConnected(VmopAgentConnected event)
+            throws ApiException {
+        VmDefinition vmDef;
+        if (vmStub == null || (vmDef = vmStub.model().orElse(null)) == null) {
+            return;
+        }
+        vmStub.updateStatus(from -> {
+            JsonObject status = from.statusJson();
+            updateCondition(vmDef, status, "VmopAgentConnected",
+                true, "VmopAgentStarted", "The VM operator agent is running");
+            return status;
+        });
+    }
 }
diff --git a/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/VmopAgentClient.java b/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/VmopAgentClient.java
index a74432b..89fdaa2 100644
--- a/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/VmopAgentClient.java
+++ b/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/VmopAgentClient.java
@@ -19,6 +19,7 @@
 package org.jdrupes.vmoperator.runner.qemu;
 
 import java.io.IOException;
+import org.jdrupes.vmoperator.runner.qemu.events.VmopAgentConnected;
 import org.jgrapes.core.Channel;
 
 /**
@@ -42,7 +43,9 @@ public class VmopAgentClient extends AgentConnector {
 
     @Override
     protected void processInput(String line) throws IOException {
-        // TODO Auto-generated method stub
+        if (line.startsWith("220 ")) {
+            rep().fire(new VmopAgentConnected());
+        }
     }
 
 }
diff --git a/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/events/VmopAgentConnected.java b/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/events/VmopAgentConnected.java
new file mode 100644
index 0000000..dc13569
--- /dev/null
+++ b/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/events/VmopAgentConnected.java
@@ -0,0 +1,27 @@
+/*
+ * VM-Operator
+ * Copyright (C) 2025 Michael N. Lipp
+ * 
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as
+ * published by the Free Software Foundation, either version 3 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program.  If not, see <https://www.gnu.org/licenses/>.
+ */
+
+package org.jdrupes.vmoperator.runner.qemu.events;
+
+import org.jgrapes.core.Event;
+
+/**
+ * Signals information about the guest OS.
+ */
+public class VmopAgentConnected extends Event<Void> {
+}

From a1e941276ec9e89931e2b8b8048e0c4cc8183361 Mon Sep 17 00:00:00 2001
From: "Michael N. Lipp" <mnl@mnl.de>
Date: Wed, 26 Feb 2025 21:59:38 +0100
Subject: [PATCH 130/274] Working login script.

---
 dev-example/vmop-agent/vmop-agent | 103 ++++++++++++++++++++++++++++--
 webpages/vm-operator/pools.md     |  65 +++++++++++++++++++
 2 files changed, 162 insertions(+), 6 deletions(-)
 create mode 100644 webpages/vm-operator/pools.md

diff --git a/dev-example/vmop-agent/vmop-agent b/dev-example/vmop-agent/vmop-agent
index b3157b9..ad5f427 100755
--- a/dev-example/vmop-agent/vmop-agent
+++ b/dev-example/vmop-agent/vmop-agent
@@ -1,19 +1,110 @@
 #!/usr/bin/bash
 
-hostSerial="/dev/virtio-ports/org.jdrupes.vmop_agent.0"
+while [ "$#" -gt 0 ]; do
+  case "$1" in
+    --path) shift; ttyPath="$1";;
+    --path=*) IFS='=' read -r option value <<< "$1"; ttyPath="$value";;
+  esac
+  shift
+done
 
-if [ ! -w "$hostSerial" ]; then
-  echo >&2 "Device $hostSerial not writable"
+ttyPath="${ttyPath:-/dev/virtio-ports/org.jdrupes.vmop_agent.0}"
+
+if [ ! -w "$ttyPath" ]; then
+  echo >&2 "Device $ttyPath not writable"
   exit 1
 fi
 
-if ! exec {con}<>"$hostSerial"; then
-  echo >&2 "Cannot open device $hostSerial"
+if ! exec {con}<>"$ttyPath"; then
+  echo >&2 "Cannot open device $ttyPath"
   exit 1
 fi
 
+temperr=$(mktemp)
+clear >/dev/tty1
 echo >&${con} "220 Hello"
 
+createUser() {
+  local missing=$1
+  local uid
+  local userHome="/home/$missing"
+  local createOpts=""
+  if [ -d "$userHome" ]; then
+    uid=$(ls -ldn "$userHome" | head -n 1 | awk '{print $3}')
+    createOpts="--no-create-home"
+  else
+    uid=$(ls -ln "/home" | tail -n +2 | awk '{print $3}' | sort | tail -1)
+    uid=$(( $uid + 1 ))
+    if [ $uid -lt 1000 ]; then
+      uid=1000
+    fi
+    createOpts="--create-home"
+  fi
+  groupadd -g $uid $missing
+  useradd $missing -u $uid -g $uid $createOpts
+}
+
+doLogin() {
+  user=$1
+  if [ "$user" = "root" ]; then
+    echo >&${con} "504 Won't log in root"
+    return
+  fi
+  uid=$(id -u ${user} 2>/dev/null)
+  if [ $? != 0 ]; then
+    ( flock 200
+      createUser ${user}
+    ) 200>/home/.gen-uid-lock
+    uid=$(id -u ${user} 2>/dev/null)
+    if [ $? != 0 ]; then
+      echo >&${con} "451 Cannot determine uid"
+      return
+    fi
+  fi
+  systemd-run 2>$temperr \
+    --unit vmop-user-desktop --uid=$uid --gid=$uid \
+    --working-directory="/home/$user" -p TTYPath=/dev/tty1 \
+    -p PAMName=login -p StandardInput=tty -p StandardOutput=journal \
+    -E XDG_RUNTIME_DIR="/run/user/$uid" \
+    -p ExecStartPre="/usr/bin/chvt 1" \
+    dbus-run-session -- gnome-shell --display-server --wayland
+  if [ $? -eq 0 ]; then
+    echo >&${con} "201 User logged in"
+  else
+    echo >&${con} "451 $(<${temperr})"
+  fi
+}
+
+attemptLogout() {
+  systemctl status vmop-user-desktop > /dev/null 2>&1
+  if [ $? = 0 ]; then
+    systemctl stop vmop-user-desktop
+    echo >&${con} "102 Desktop stopped"
+  fi
+}
+
+doLogout() {
+  attemptLogout
+  loginctl -j | jq -r '.[] | select(.tty=="tty1") | .session' \
+  | while read sid; do
+    loginctl kill-session $sid
+  done
+  echo >&${con} "202 User logged out"
+}
+
 while read line <&${con}; do
-  true
+  case $line in
+  "login "*) IFS=' ' read -ra args <<< "$line"; doLogin ${args[1]};;
+  logout) doLogout;;
+  esac
 done
+
+onExit() {
+  attemptLogout
+  if [ -n "$temperr" ]; then
+    rm -f $temperr
+  fi
+  echo >&${con} "240 Quit"
+}
+
+trap onExit EXIT
diff --git a/webpages/vm-operator/pools.md b/webpages/vm-operator/pools.md
new file mode 100644
index 0000000..290d0fd
--- /dev/null
+++ b/webpages/vm-operator/pools.md
@@ -0,0 +1,65 @@
+---
+title: "VM-Operator: VM pools — assigning VMs to users dynamically"
+layout: vm-operator
+---
+
+# VM Pools
+
+*Since 4.0.0*
+
+## Prepare the VM
+
+### Shared file system
+
+Mount a shared file system as home file system on all VMs in the pool.
+
+### Restrict access
+
+The only possibility to access the VMs should be via a desktop started by
+the VM-Operator.
+
+ * Disable the display manager.
+ 
+   ```console
+   # systemctl disable gdm
+   # systemctl stop gdm
+   ```
+   
+ * Disable `getty` on tty1.
+ 
+   ```console
+   # systemctl mask getty@tty1
+   # systemctl stop getty@tty1
+   ```
+   
+   You can, of course, disable `getty` completely. If you do this, make sure
+   that you can still access your master VM through `ssh`, else you have
+   locked yourself out.
+   
+ * Prevent suspend/hibernate, because it will lock the VM.
+ 
+   ```console
+   # systemctl mask sleep.target suspend.target hibernate.target hybrid-sleep.target
+   ```
+ 
+### Install the VM-Operator agent
+
+The VM-Operator agent runs as a systemd service. Sample configuration
+files can be found
+[here](https://github.com/mnlipp/VM-Operator/tree/main/dev-example/vmop-agent).
+Copy 
+
+  * `99-vmop-agent.rules` to `/usr/local/lib/udev/rules.d/99-vmop-agent.rules`,
+  * `vmop-agent` to `/usr/local/libexec/vmop-agent` and
+  * `vmop-agent.service` to `/usr/local/lib/systemd/system/vmop-agent.service`.
+
+Note that some of the target directories do not exist by default and have to
+be created first. Don't forget to run `restorecon` on systems with SELinux.
+
+Enable everything:
+
+```console
+# udevadm control --reload-rules
+# systemctl enable vmop-agent
+# udevadm trigger
+ ```

From b4bc0c7b0f6ebb67ede504366c6886e323ef6a6f Mon Sep 17 00:00:00 2001
From: "Michael N. Lipp" <mnl@mnl.de>
Date: Wed, 26 Feb 2025 22:00:32 +0100
Subject: [PATCH 131/274] Delay enable until VM operator agent started.

---
 .../vmaccess/browser/VmAccess-functions.ts         | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)

diff --git a/org.jdrupes.vmoperator.vmaccess/src/org/jdrupes/vmoperator/vmaccess/browser/VmAccess-functions.ts b/org.jdrupes.vmoperator.vmaccess/src/org/jdrupes/vmoperator/vmaccess/browser/VmAccess-functions.ts
index 31408cb..f0ef3c8 100644
--- a/org.jdrupes.vmoperator.vmaccess/src/org/jdrupes/vmoperator/vmaccess/browser/VmAccess-functions.ts
+++ b/org.jdrupes.vmoperator.vmaccess/src/org/jdrupes/vmoperator/vmaccess/browser/VmAccess-functions.ts
@@ -74,7 +74,7 @@ window.orgJDrupesVmOperatorVmAccess.initPreview = (previewDom: HTMLElement,
             const busy = computed(() => previewApi.vmDefinition.spec
                 && (previewApi.vmDefinition.spec.vm.state === 'Running'
                         && (previewApi.poolName
-                            ? !previewApi.vmDefinition.booted
+                            ? !previewApi.vmDefinition.vmopAgent
                             : !previewApi.vmDefinition.running)
                     || previewApi.vmDefinition.spec.vm.state === 'Stopped' 
                         && previewApi.vmDefinition.running));
@@ -87,7 +87,7 @@ window.orgJDrupesVmOperatorVmAccess.initPreview = (previewDom: HTMLElement,
                 previewApi.vmDefinition.spec.vm.state !== 'Stopped' 
                 && previewApi.vmDefinition.running);
             const running = computed(() => previewApi.vmDefinition.running);
-            const booted = computed(() => previewApi.vmDefinition.booted);
+            const vmopAgent = computed(() => previewApi.vmDefinition.vmopAgent);
             const inUse = computed(() => previewApi.vmDefinition.usedBy != '');
             const permissions = computed(() => previewApi.permissions);
             const osicon = computed(() => {
@@ -123,7 +123,7 @@ window.orgJDrupesVmOperatorVmAccess.initPreview = (previewDom: HTMLElement,
             };
         
             return { localize, resourceBase, vmAction, poolName, vmName, 
-                configured, busy, startable, stoppable, running, booted,
+                configured, busy, startable, stoppable, running, vmopAgent,
                 inUse, permissions, osicon };
         },
         template: `
@@ -133,7 +133,7 @@ window.orgJDrupesVmOperatorVmAccess.initPreview = (previewDom: HTMLElement,
                 <td rowspan="2" style="position: relative"><span
                   style="position: absolute;" :class="{ busy: busy }"
                   ><img role=button :aria-disabled="(poolName 
-                      ? !booted : !running)
+                      ? !vmopAgent : !running)
                       || !permissions.includes('accessConsole')" 
                     v-on:click="vmAction('openConsole')"
                     :src="resourceBase + (running
@@ -215,9 +215,9 @@ JGConsole.registerConletFunction("org.jdrupes.vmoperator.vmaccess.VmAccess",
                     vmDefinition.running = condition.status === "True";
                     vmDefinition.runningConditionSince 
                         = new Date(condition.lastTransitionTime);
-                } else if (condition.type === "Booted") {
-                    vmDefinition.booted = condition.status === "True";
-                    vmDefinition.bootedConditionSince 
+                } else if (condition.type === "VmopAgentConnected") {
+                    vmDefinition.vmopAgent = condition.status === "True";
+                    vmDefinition.vmopAgentConditionSince 
                         = new Date(condition.lastTransitionTime);
                 }
             })

From 31193494509744356c224562a5d29c2b2c9e335c Mon Sep 17 00:00:00 2001
From: "Michael N. Lipp" <mnl@mnl.de>
Date: Wed, 26 Feb 2025 22:33:08 +0100
Subject: [PATCH 132/274] Fix user switching.

---
 dev-example/vmop-agent/vmop-agent | 18 ++++++++++++------
 1 file changed, 12 insertions(+), 6 deletions(-)

diff --git a/dev-example/vmop-agent/vmop-agent b/dev-example/vmop-agent/vmop-agent
index ad5f427..2474e66 100755
--- a/dev-example/vmop-agent/vmop-agent
+++ b/dev-example/vmop-agent/vmop-agent
@@ -50,6 +50,12 @@ doLogin() {
     echo >&${con} "504 Won't log in root"
     return
   fi
+  curUser=$(loginctl -j | jq -r '.[] | select(.tty=="tty1") | .user')
+  if [ "$curUser" = "$user" ]; then
+    echo >&${con} "201 User already logged in"
+    return
+  fi
+  attemptLogout
   uid=$(id -u ${user} 2>/dev/null)
   if [ $? != 0 ]; then
     ( flock 200
@@ -69,7 +75,7 @@ doLogin() {
     -p ExecStartPre="/usr/bin/chvt 1" \
     dbus-run-session -- gnome-shell --display-server --wayland
   if [ $? -eq 0 ]; then
-    echo >&${con} "201 User logged in"
+    echo >&${con} "201 User logged in successfully"
   else
     echo >&${con} "451 $(<${temperr})"
   fi
@@ -79,16 +85,16 @@ attemptLogout() {
   systemctl status vmop-user-desktop > /dev/null 2>&1
   if [ $? = 0 ]; then
     systemctl stop vmop-user-desktop
-    echo >&${con} "102 Desktop stopped"
   fi
-}
-
-doLogout() {
-  attemptLogout
   loginctl -j | jq -r '.[] | select(.tty=="tty1") | .session' \
   | while read sid; do
     loginctl kill-session $sid
   done
+  echo >&${con} "102 Desktop stopped"
+}
+
+doLogout() {
+  attemptLogout
   echo >&${con} "202 User logged out"
 }
 

From 59bf4937ef53e8f124ed5738f5192b4298299504 Mon Sep 17 00:00:00 2001
From: "Michael N. Lipp" <mnl@mnl.de>
Date: Thu, 27 Feb 2025 14:45:25 +0100
Subject: [PATCH 133/274] Avoid multi-line message.

---
 dev-example/vmop-agent/vmop-agent | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/dev-example/vmop-agent/vmop-agent b/dev-example/vmop-agent/vmop-agent
index 2474e66..ab4e765 100755
--- a/dev-example/vmop-agent/vmop-agent
+++ b/dev-example/vmop-agent/vmop-agent
@@ -77,7 +77,7 @@ doLogin() {
   if [ $? -eq 0 ]; then
     echo >&${con} "201 User logged in successfully"
   else
-    echo >&${con} "451 $(<${temperr})"
+    echo >&${con} "451 $(tr '\n' ' ' <${temperr})"
   fi
 }
 

From b4cb3b8694b3bbf09580742ceb20b0cb7602fe20 Mon Sep 17 00:00:00 2001
From: "Michael N. Lipp" <mnl@mnl.de>
Date: Thu, 27 Feb 2025 14:46:13 +0100
Subject: [PATCH 134/274] Control login.

---
 .../runner/qemu/DisplayController.java        | 66 +++++++++++++-
 .../runner/qemu/GuestAgentClient.java         | 17 ++--
 .../vmoperator/runner/qemu/QemuConnector.java | 20 ++++-
 .../vmoperator/runner/qemu/QemuMonitor.java   | 16 ++--
 .../runner/qemu/VmopAgentClient.java          | 89 ++++++++++++++++++-
 .../runner/qemu/events/VmopAgentLogIn.java    | 45 ++++++++++
 .../runner/qemu/events/VmopAgentLogOut.java   | 27 ++++++
 .../runner/qemu/events/VmopAgentLoggedIn.java | 49 ++++++++++
 .../qemu/events/VmopAgentLoggedOut.java       | 49 ++++++++++
 9 files changed, 349 insertions(+), 29 deletions(-)
 create mode 100644 org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/events/VmopAgentLogIn.java
 create mode 100644 org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/events/VmopAgentLogOut.java
 create mode 100644 org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/events/VmopAgentLoggedIn.java
 create mode 100644 org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/events/VmopAgentLoggedOut.java

diff --git a/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/DisplayController.java b/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/DisplayController.java
index 7dee0a2..a2a6bc9 100644
--- a/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/DisplayController.java
+++ b/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/DisplayController.java
@@ -33,6 +33,10 @@ import org.jdrupes.vmoperator.runner.qemu.commands.QmpSetPasswordExpiry;
 import org.jdrupes.vmoperator.runner.qemu.events.ConfigureQemu;
 import org.jdrupes.vmoperator.runner.qemu.events.MonitorCommand;
 import org.jdrupes.vmoperator.runner.qemu.events.RunnerStateChange.RunState;
+import org.jdrupes.vmoperator.runner.qemu.events.VmopAgentConnected;
+import org.jdrupes.vmoperator.runner.qemu.events.VmopAgentLogIn;
+import org.jdrupes.vmoperator.runner.qemu.events.VmopAgentLogOut;
+import org.jdrupes.vmoperator.runner.qemu.events.VmopAgentLoggedIn;
 import org.jgrapes.core.Channel;
 import org.jgrapes.core.Component;
 import org.jgrapes.core.annotation.Handler;
@@ -48,6 +52,8 @@ public class DisplayController extends Component {
     private String currentPassword;
     private String protocol;
     private final Path configDir;
+    private boolean vmopAgentConnected;
+    private boolean userLoginRequested;
 
     /**
      * Instantiates a new Display controller.
@@ -63,6 +69,16 @@ public class DisplayController extends Component {
         fire(new WatchFile(configDir.resolve(DATA_DISPLAY_PASSWORD)));
     }
 
+    /**
+     * On vmop agent connected.
+     *
+     * @param event the event
+     */
+    @Handler
+    public void onVmopAgentConnected(VmopAgentConnected event) {
+        vmopAgentConnected = true;
+    }
+
     /**
      * On configure qemu.
      *
@@ -75,7 +91,7 @@ public class DisplayController extends Component {
         }
         protocol
             = event.configuration().vm.display.spice != null ? "spice" : null;
-        updatePassword();
+        configureAccess(false);
     }
 
     /**
@@ -87,12 +103,56 @@ public class DisplayController extends Component {
     @SuppressWarnings("PMD.EmptyCatchBlock")
     public void onFileChanged(FileChanged event) {
         if (event.path().equals(configDir.resolve(DATA_DISPLAY_PASSWORD))) {
-            updatePassword();
+            configureAccess(true);
         }
     }
 
     @SuppressWarnings("PMD.DataflowAnomalyAnalysis")
-    private void updatePassword() {
+    private void configureAccess(boolean passwordChange) {
+        var userLoginConfigured = readFromFile(DATA_DISPLAY_LOGIN)
+            .map(Boolean::parseBoolean).orElse(false);
+        if (!userLoginConfigured) {
+            // Check if it was configured before and there may thus be an
+            // active auto login
+            if (userLoginRequested && vmopAgentConnected) {
+                // Make sure to log out
+                fire(new VmopAgentLogOut());
+            }
+            userLoginRequested = false;
+            configurePassword();
+            return;
+        }
+
+        // With user login configured, we have to make sure that the
+        // user is logged in before we set the password and thus allow
+        // access to the display.
+        userLoginRequested = true;
+        if (!vmopAgentConnected) {
+            if (passwordChange) {
+                logger.warning(() -> "Request for user login before "
+                    + "VM operator agent has connected");
+            }
+            return;
+        }
+
+        var user = readFromFile(DATA_DISPLAY_USER);
+        if (user.isEmpty()) {
+            logger.warning(() -> "Login requested, but no user configured");
+        }
+        fire(new VmopAgentLogIn(user.get()).setAssociated(this, user.get()));
+    }
+
+    /**
+     * On vmop agent logged in.
+     *
+     * @param event the event
+     */
+    @Handler
+    public void onVmopAgentLoggedIn(VmopAgentLoggedIn event) {
+        configurePassword();
+    }
+
+    private void configurePassword() {
         if (protocol == null) {
             return;
         }
diff --git a/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/GuestAgentClient.java b/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/GuestAgentClient.java
index 2e5e059..880ca58 100644
--- a/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/GuestAgentClient.java
+++ b/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/GuestAgentClient.java
@@ -88,10 +88,12 @@ public class GuestAgentClient extends AgentConnector {
      * On guest agent command.
      *
      * @param event the event
+     * @throws IOException 
      */
     @Handler
     @SuppressWarnings("PMD.AvoidSynchronizedStatement")
-    public void onGuestAgentCommand(GuestAgentCommand event) {
+    public void onGuestAgentCommand(GuestAgentCommand event)
+            throws IOException {
         if (qemuChannel() == null) {
             return;
         }
@@ -106,15 +108,10 @@ public class GuestAgentClient extends AgentConnector {
             return;
         }
         synchronized (executing) {
-            writer().ifPresent(writer -> {
-                try {
-                    executing.add(command);
-                    writer.append(asText).append('\n').flush();
-                } catch (IOException e) {
-                    // Cannot happen, but...
-                    logger.log(Level.WARNING, e, e::getMessage);
-                }
-            });
+            if (writer().isPresent()) {
+                executing.add(command);
+                sendCommand(asText);
+            }
         }
     }
 }
diff --git a/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/QemuConnector.java b/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/QemuConnector.java
index 143cfc2..2e94c14 100644
--- a/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/QemuConnector.java
+++ b/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/QemuConnector.java
@@ -47,8 +47,8 @@ import org.jgrapes.util.events.WatchFile;
 /**
  * A component that handles the communication with QEMU over a socket.
  * 
- * If the log level for this class is set to fine, the messages 
- * exchanged on the socket are logged.
+ * Derived classes should log the messages exchanged on the socket
+ * if the log level is set to fine.
  */
 public abstract class QemuConnector extends Component {
 
@@ -174,6 +174,22 @@ public abstract class QemuConnector extends Component {
         return qemuChannel().flatMap(c -> c.associated(Writer.class));
     }
 
+    /**
+     * Send the given command to QEMU. A newline is appended to the
+     * command automatically.
+     *
+     * @param command the command
+     * @return true, if successful
+     * @throws IOException Signals that an I/O exception has occurred.
+     */
+    protected boolean sendCommand(String command) throws IOException {
+        if (writer().isEmpty()) {
+            return false;
+        }
+        writer().get().append(command).append('\n').flush();
+        return true;
+    }
+
     /**
      * Called when the connector has been connected to the socket.
      */
diff --git a/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/QemuMonitor.java b/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/QemuMonitor.java
index 000a3bf..1de8f60 100644
--- a/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/QemuMonitor.java
+++ b/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/QemuMonitor.java
@@ -155,11 +155,12 @@ public class QemuMonitor extends QemuConnector {
      * On monitor command.
      *
      * @param event the event
+     * @throws IOException 
      */
     @Handler
     @SuppressWarnings({ "PMD.AvoidLiteralsInIfCondition",
         "PMD.AvoidSynchronizedStatement" })
-    public void onExecQmpCommand(MonitorCommand event) {
+    public void onExecQmpCommand(MonitorCommand event) throws IOException {
         var command = event.command();
         logger.fine(() -> "monitor(out): " + command.toString());
         String asText;
@@ -171,15 +172,10 @@ public class QemuMonitor extends QemuConnector {
             return;
         }
         synchronized (executing) {
-            writer().ifPresent(writer -> {
-                try {
-                    executing.add(command);
-                    writer.append(asText).append('\n').flush();
-                } catch (IOException e) {
-                    // Cannot happen, but...
-                    logger.log(Level.WARNING, e, e::getMessage);
-                }
-            });
+            if (writer().isPresent()) {
+                executing.add(command);
+                sendCommand(asText);
+            }
         }
     }
 
diff --git a/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/VmopAgentClient.java b/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/VmopAgentClient.java
index 89fdaa2..f50d397 100644
--- a/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/VmopAgentClient.java
+++ b/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/VmopAgentClient.java
@@ -19,8 +19,16 @@
 package org.jdrupes.vmoperator.runner.qemu;
 
 import java.io.IOException;
+import java.util.Deque;
+import java.util.concurrent.ConcurrentLinkedDeque;
 import org.jdrupes.vmoperator.runner.qemu.events.VmopAgentConnected;
+import org.jdrupes.vmoperator.runner.qemu.events.VmopAgentLogIn;
+import org.jdrupes.vmoperator.runner.qemu.events.VmopAgentLogOut;
+import org.jdrupes.vmoperator.runner.qemu.events.VmopAgentLoggedIn;
+import org.jdrupes.vmoperator.runner.qemu.events.VmopAgentLoggedOut;
 import org.jgrapes.core.Channel;
+import org.jgrapes.core.Event;
+import org.jgrapes.core.annotation.Handler;
 
 /**
  * A component that handles the communication over the vmop agent
@@ -31,6 +39,8 @@ import org.jgrapes.core.Channel;
  */
 public class VmopAgentClient extends AgentConnector {
 
+    private final Deque<Event<?>> executing = new ConcurrentLinkedDeque<>();
+
     /**
      * Instantiates a new VM operator agent client.
      *
@@ -41,11 +51,82 @@ public class VmopAgentClient extends AgentConnector {
         super(componentChannel);
     }
 
-    @Override
-    protected void processInput(String line) throws IOException {
-        if (line.startsWith("220 ")) {
-            rep().fire(new VmopAgentConnected());
+    /**
+     * On vmop agent login.
+     *
+     * @param event the event
+     * @throws IOException Signals that an I/O exception has occurred.
+     */
+    @Handler
+    public void onVmopAgentLogIn(VmopAgentLogIn event) throws IOException {
+        logger.fine(() -> "vmop agent(out): login " + event.user());
+        if (writer().isPresent()) {
+            executing.add(event);
+            sendCommand("login " + event.user());
         }
     }
 
+    /**
+     * On vmop agent logout.
+     *
+     * @param event the event
+     * @throws IOException Signals that an I/O exception has occurred.
+     */
+    @Handler
+    public void onVmopAgentLogout(VmopAgentLogOut event) throws IOException {
+        logger.fine(() -> "vmop agent(out): logout");
+        if (writer().isPresent()) {
+            executing.add(event);
+            sendCommand("logout");
+        }
+    }
+
+    @Override
+    @SuppressWarnings({ "PMD.UnnecessaryReturn",
+        "PMD.AvoidLiteralsInIfCondition" })
+    protected void processInput(String line) throws IOException {
+        logger.fine(() -> "vmop agent(in): " + line);
+
+        // Check validity
+        if (line.isEmpty() || !Character.isDigit(line.charAt(0))) {
+            logger.warning(() -> "Illegal response: " + line);
+            return;
+        }
+
+        // Check positive responses
+        if (line.startsWith("220 ")) {
+            rep().fire(new VmopAgentConnected());
+            return;
+        }
+        if (line.startsWith("201 ")) {
+            Event<?> cmd = executing.pop();
+            if (cmd instanceof VmopAgentLogIn login) {
+                rep().fire(new VmopAgentLoggedIn(login));
+            } else {
+                logger.severe(() -> "Response " + line
+                    + " does not match executing command " + cmd);
+            }
+            return;
+        }
+        if (line.startsWith("202 ")) {
+            Event<?> cmd = executing.pop();
+            if (cmd instanceof VmopAgentLogOut logout) {
+                rep().fire(new VmopAgentLoggedOut(logout));
+            } else {
+                logger.severe(() -> "Response " + line
+                    + "does not match executing command " + cmd);
+            }
+            return;
+        }
+
+        // Ignore unhandled continuations
+        if (line.charAt(0) == '1') {
+            return;
+        }
+
+        // Error
+        logger.warning(() -> "Error response: " + line);
+        executing.pop();
+    }
+
 }
diff --git a/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/events/VmopAgentLogIn.java b/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/events/VmopAgentLogIn.java
new file mode 100644
index 0000000..96db884
--- /dev/null
+++ b/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/events/VmopAgentLogIn.java
@@ -0,0 +1,45 @@
+/*
+ * VM-Operator
+ * Copyright (C) 2025 Michael N. Lipp
+ * 
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as
+ * published by the Free Software Foundation, either version 3 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program.  If not, see <https://www.gnu.org/licenses/>.
+ */
+
+package org.jdrupes.vmoperator.runner.qemu.events;
+
+import org.jgrapes.core.Event;
+
+/**
+ * Sends the login command to the VM operator agent.
+ */
+public class VmopAgentLogIn extends Event<Void> {
+
+    private final String user;
+
+    /**
+     * Instantiates a new vmop agent logout.
+     */
+    public VmopAgentLogIn(String user) {
+        this.user = user;
+    }
+
+    /**
+     * Returns the user.
+     *
+     * @return the user
+     */
+    public String user() {
+        return user;
+    }
+}
diff --git a/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/events/VmopAgentLogOut.java b/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/events/VmopAgentLogOut.java
new file mode 100644
index 0000000..1502200
--- /dev/null
+++ b/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/events/VmopAgentLogOut.java
@@ -0,0 +1,27 @@
+/*
+ * VM-Operator
+ * Copyright (C) 2025 Michael N. Lipp
+ * 
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as
+ * published by the Free Software Foundation, either version 3 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program.  If not, see <https://www.gnu.org/licenses/>.
+ */
+
+package org.jdrupes.vmoperator.runner.qemu.events;
+
+import org.jgrapes.core.Event;
+
+/**
+ * Sends the logout command to the VM operator agent.
+ */
+public class VmopAgentLogOut extends Event<Void> {
+}
diff --git a/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/events/VmopAgentLoggedIn.java b/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/events/VmopAgentLoggedIn.java
new file mode 100644
index 0000000..f59ed71
--- /dev/null
+++ b/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/events/VmopAgentLoggedIn.java
@@ -0,0 +1,49 @@
+/*
+ * VM-Operator
+ * Copyright (C) 2025 Michael N. Lipp
+ * 
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as
+ * published by the Free Software Foundation, either version 3 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program.  If not, see <https://www.gnu.org/licenses/>.
+ */
+
+package org.jdrupes.vmoperator.runner.qemu.events;
+
+import org.jgrapes.core.Event;
+
+/**
+ * Signals that the logout command has been processes by the
+ * VM operator agent.
+ */
+public class VmopAgentLoggedIn extends Event<Void> {
+
+    private final VmopAgentLogIn triggering;
+
+    /**
+     * Instantiates a new vmop agent logged in.
+     *
+     * @param triggeringEvent the triggering event
+     */
+    public VmopAgentLoggedIn(VmopAgentLogIn triggeringEvent) {
+        this.triggering = triggeringEvent;
+    }
+
+    /**
+     * Gets the triggering event.
+     *
+     * @return the triggering
+     */
+    public VmopAgentLogIn triggering() {
+        return triggering;
+    }
+
+}
diff --git a/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/events/VmopAgentLoggedOut.java b/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/events/VmopAgentLoggedOut.java
new file mode 100644
index 0000000..5f60e00
--- /dev/null
+++ b/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/events/VmopAgentLoggedOut.java
@@ -0,0 +1,49 @@
+/*
+ * VM-Operator
+ * Copyright (C) 2025 Michael N. Lipp
+ * 
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as
+ * published by the Free Software Foundation, either version 3 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program.  If not, see <https://www.gnu.org/licenses/>.
+ */
+
+package org.jdrupes.vmoperator.runner.qemu.events;
+
+import org.jgrapes.core.Event;
+
+/**
+ * Signals that the logout command has been processes by the
+ * VM operator agent.
+ */
+public class VmopAgentLoggedOut extends Event<Void> {
+
+    private final VmopAgentLogOut triggering;
+
+    /**
+     * Instantiates a new vmop agent logged out.
+     *
+     * @param triggeringEvent the triggering event
+     */
+    public VmopAgentLoggedOut(VmopAgentLogOut triggeringEvent) {
+        this.triggering = triggeringEvent;
+    }
+
+    /**
+     * Gets the triggering event.
+     *
+     * @return the triggering
+     */
+    public VmopAgentLogOut triggering() {
+        return triggering;
+    }
+
+}

From 5cbdab9da88fc1e6dfda49cef030f97378332765 Mon Sep 17 00:00:00 2001
From: "Michael N. Lipp" <mnl@mnl.de>
Date: Thu, 27 Feb 2025 14:55:31 +0100
Subject: [PATCH 135/274] Fix log message.

---
 .../org/jdrupes/vmoperator/runner/qemu/DisplayController.java   | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/DisplayController.java b/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/DisplayController.java
index a2a6bc9..6a3f783 100644
--- a/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/DisplayController.java
+++ b/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/DisplayController.java
@@ -186,7 +186,7 @@ public class DisplayController extends Component {
         Path path = configDir.resolve(dataItem);
         String label = dataItem.replace('-', ' ');
         if (path.toFile().canRead()) {
-            logger.finer(() -> "Found display user");
+            logger.finer(() -> "Found " + label);
             try {
                 return Optional.ofNullable(Files.readString(path));
             } catch (IOException e) {

From 5ec220d0a692022a36a558e1ccd3c12ccc5f7412 Mon Sep 17 00:00:00 2001
From: "Michael N. Lipp" <mnl@mnl.de>
Date: Thu, 27 Feb 2025 17:41:57 +0100
Subject: [PATCH 136/274] Use gids for id management and isolate home
 directories.

---
 dev-example/vmop-agent/vmop-agent | 43 +++++++++++++++++++++++++++----
 1 file changed, 38 insertions(+), 5 deletions(-)

diff --git a/dev-example/vmop-agent/vmop-agent b/dev-example/vmop-agent/vmop-agent
index ab4e765..99aa25d 100755
--- a/dev-example/vmop-agent/vmop-agent
+++ b/dev-example/vmop-agent/vmop-agent
@@ -15,28 +15,45 @@ if [ ! -w "$ttyPath" ]; then
   exit 1
 fi
 
+# Create fd for the tty in variable con 
 if ! exec {con}<>"$ttyPath"; then
   echo >&2 "Cannot open device $ttyPath"
   exit 1
 fi
 
+# Temporary file for logging error messages, clear tty and signal ready
 temperr=$(mktemp)
 clear >/dev/tty1
 echo >&${con} "220 Hello"
 
+# This script uses the (shared) home directory as "dictonary" for
+# synchronizing the username and the uid between hosts.
+#
+# Every user has a directory with his username. The directory is
+# owned by root to prevent changes of access rights by the user.
+# The uid and gid of the directory are equal. Thus the name of the
+# directory and the id from the group ownership also provide the
+# association between the username and the uid.
+
+# Add the user with name $1 to the host's "user database". This
+# may not be invoked concurrently. 
 createUser() {
   local missing=$1
   local uid
   local userHome="/home/$missing"
   local createOpts=""
+  
+  # Retrieve or create the uid for the username
   if [ -d "$userHome" ]; then
-    uid=$(ls -ldn "$userHome" | head -n 1 | awk '{print $3}')
+    # If a home directory exists, use the id from the group ownership as uid
+    uid=$(ls -ldn "$userHome" | head -n 1 | awk '{print $4}')
     createOpts="--no-create-home"
   else
-    uid=$(ls -ln "/home" | tail -n +2 | awk '{print $3}' | sort | tail -1)
+    # Else get the maximum of all ids from the group ownership +1 
+    uid=$(ls -ln "/home" | tail -n +2 | awk '{print $4}' | sort | tail -1)
     uid=$(( $uid + 1 ))
-    if [ $uid -lt 1000 ]; then
-      uid=1000
+    if [ $uid -lt 1100 ]; then
+      uid=1100
     fi
     createOpts="--create-home"
   fi
@@ -44,33 +61,45 @@ createUser() {
   useradd $missing -u $uid -g $uid $createOpts
 }
 
+# Login the user, i.e. create a desktopn for the user.
 doLogin() {
   user=$1
   if [ "$user" = "root" ]; then
     echo >&${con} "504 Won't log in root"
     return
   fi
+  
+  # Check if this user is already logged in on tty1
   curUser=$(loginctl -j | jq -r '.[] | select(.tty=="tty1") | .user')
   if [ "$curUser" = "$user" ]; then
     echo >&${con} "201 User already logged in"
     return
   fi
+  
+  # Terminate a running desktop (fail safe)
   attemptLogout
+  
+  # Check if username is known on this host. If not, create user
   uid=$(id -u ${user} 2>/dev/null)
   if [ $? != 0 ]; then
     ( flock 200
       createUser ${user}
     ) 200>/home/.gen-uid-lock
+    
+    # This should now work, else something went wrong
     uid=$(id -u ${user} 2>/dev/null)
     if [ $? != 0 ]; then
       echo >&${con} "451 Cannot determine uid"
       return
     fi
   fi
+  
+  # Start the desktop for the user
   systemd-run 2>$temperr \
     --unit vmop-user-desktop --uid=$uid --gid=$uid \
     --working-directory="/home/$user" -p TTYPath=/dev/tty1 \
     -p PAMName=login -p StandardInput=tty -p StandardOutput=journal \
+    -p Conflicts="gdm.service getty@tty1.service" \
     -E XDG_RUNTIME_DIR="/run/user/$uid" \
     -p ExecStartPre="/usr/bin/chvt 1" \
     dbus-run-session -- gnome-shell --display-server --wayland
@@ -81,6 +110,8 @@ doLogin() {
   fi
 }
 
+# Attempt to log out a user currently using tty1. This is an intermediate
+# operation that can be invoked from other operations
 attemptLogout() {
   systemctl status vmop-user-desktop > /dev/null 2>&1
   if [ $? = 0 ]; then
@@ -93,6 +124,8 @@ attemptLogout() {
   echo >&${con} "102 Desktop stopped"
 }
 
+# Log out any user currently using tty1. This is invoked when executing
+# the logout command and therefore sends back a 2xx return code.
 doLogout() {
   attemptLogout
   echo >&${con} "202 User logged out"
@@ -101,7 +134,7 @@ doLogout() {
 while read line <&${con}; do
   case $line in
   "login "*) IFS=' ' read -ra args <<< "$line"; doLogin ${args[1]};;
-  logout) doLogout;;
+  "logout") doLogout;;
   esac
 done
 

From b4094434995859f8bc945e2c8aa601e87cf86f60 Mon Sep 17 00:00:00 2001
From: "Michael N. Lipp" <mnl@mnl.de>
Date: Thu, 27 Feb 2025 22:54:19 +0100
Subject: [PATCH 137/274] Fix icon.

---
 .../vmoperator/vmaccess/osicons/Licenses.txt  |   6 +++++-
 .../vmoperator/vmaccess/osicons/fedora.svg    | Bin 41315 -> 1682 bytes
 2 files changed, 5 insertions(+), 1 deletion(-)

diff --git a/org.jdrupes.vmoperator.vmaccess/resources/org/jdrupes/vmoperator/vmaccess/osicons/Licenses.txt b/org.jdrupes.vmoperator.vmaccess/resources/org/jdrupes/vmoperator/vmaccess/osicons/Licenses.txt
index f67978f..ac24b16 100644
--- a/org.jdrupes.vmoperator.vmaccess/resources/org/jdrupes/vmoperator/vmaccess/osicons/Licenses.txt
+++ b/org.jdrupes.vmoperator.vmaccess/resources/org/jdrupes/vmoperator/vmaccess/osicons/Licenses.txt
@@ -9,7 +9,11 @@ archlinux.svg:
 debian.svg:
   Source: https://commons.wikimedia.org/wiki/File:Openlogo-debianV2.svg
   License : LGPL
-  
+
+fedora.svg:
+  Source: https://commons.wikimedia.org/wiki/File:Fedora_icon_(2021).svg
+  License: Public Domain
+
 tux.svg:
   Source: https://commons.wikimedia.org/wiki/File:Tux.svghttps://commons.wikimedia.org/wiki/File:Tux.svg
   License: Creative Commons CC0 1.0 Universal Public Domain Dedication. Creative Commons CC0 1.0 Universal Public Domain Dedication.
diff --git a/org.jdrupes.vmoperator.vmaccess/resources/org/jdrupes/vmoperator/vmaccess/osicons/fedora.svg b/org.jdrupes.vmoperator.vmaccess/resources/org/jdrupes/vmoperator/vmaccess/osicons/fedora.svg
index 78717917f660f45dd4c2e9d11c8af3b32c901589..e22731170af09a5afaadf2beec75dd226a58481d 100644
GIT binary patch
literal 1682
zcmZ`)%WfPu5WMRvh{<)P)o+r4R)&+n$R)QVcR|`{7m#-iYoRsr^(l@X)*;qG8Wx+)
z>gsCh>ch9s59Mk5^>KeZY$hR|%Jy)3yxSk{H`8B#ep=d89#1!iyPJpOVY`_Q$LYiM
z#nt1}{Y5DShYydNX?Hq(`T6qld_L3J==k;iQknS@LDPsj@9$2#%@m@<E-SR#?(cUe
zV65cUSL|uOJ^yn2wwbta5exEKL-D25E&EH*cd9a7Bm33;_>I3`Zce-P3yXjD4-cE^
zr;v~O+s8He2)Wx#f0V3Lt2dju{9263GBdDX;@WDPwNo|F*MW%UoC$_)F!>$4o=OPT
z?6sBMOGvq0KdR4-Oud$*&eDCBAkNxQLy&dl{vFwsP_mjeaoQ@mc$0a-ooa26%$}U{
zGU$Xf<a~o(2w5+&U1DA=sp6U_%P0r80DC13a1@-X{vP~yDwjW&?bG`6UbfGr35BQj
zSu2@AsS4hUFh$nhq2D4MRipg5Qe%nKvZ#>sNSUP(Tg&ccRM@i3Of9f(0}zo4Y0z&^
z$h;!RIxA^NczJl%*=HA=f=)UVhuEyGqd*dc$g>!EH`NL*Mzy)L_Zalc?6OidYHm<B
ziNVI6Pdr078k~YIf|v%Hx-?Sbs%Q(2Y1Vn<_rS?o#3^e{<N`K&jby7YTsnwX>fwwW
z!(P&?{9O_!vUL+|FR%O9j@D(>)Jc=k!<YLZV^Gu%Z$j>-(I6V2j#_<IC%Cy)*mV>e
z!)9P5WUi<X+X0jHT5v+d1ggG4n8)6FPe`IrgxPQ_x)|zK5Y`(UyC^1<6B955sjTw?
zg4PAsj9yk7XPQ~C{VxDNBMBL@i>&=O4BRr>od!{dG_u+g8ZbHuU62q{iOXMQyM>Zz
z?(hwV_P`QGNZgH56`EjPM{t8}2E>>M6aj@XKaGdqpg%Mp##v(YtYUzGcEQ*Uy_5|z
zgk7m{MIw4^GrA2Wq;X_{)-mqv=#aBnK|}c2BX3ZUR<0GAj&6ChfRDk?18sRl-l7@A
z;E*<aj9i!&%t1g~wH2s_R|I0Xw{>>Ve9WMMb`MMwVo@mGD7-V$F>-^UK;DFjyJQw4
zQ17FDcU0KnVPWM_Gc^pJD-aiWbFI_!+4xN{wFp6@-33BO4Jd&&ns$dwF97BMkr?Bl
qn?UM_j!vM^>MW2-$CCt;!LkYihNJaw*y}TNb%{s(YW%;rzW5K2k6CE|

literal 41315
zcmXV21yoc|7oVji6cj{4SOr8vQc_|ufF(q_MWsZfq@-6&q`M@PkmgT`G!`M<9ZE=p
zbS~e#^*efw@!p%cbMNo=9Rlv$R-&O~rUU@cV3lub0YC!(O1w-#2LGVFcU}|zL1L|-
zt^hz$DAnP8QuuGQxw4iz0G^isz`X!qAO06^4ggmn02b~6ARPw)qvN|uO&R!r?18G%
zO>m6-O0D@A3IB)O1*?9Ge2$!mf`{(psb*LBF~Htb(0Mw%H0BX!qWcX0cW2bNPq#*J
zzI}Y?8r6vt2eq7!nQ4{%11LH9Lxj>!wr5R=EU2+II`#gQcq=NMdO89;x`+j+Tj;#v
z8$>VolU^=)d79-eBu}uTKUgdm%#0gPbZqQqadP%KjOBQBcy&k(Pyk>tHa*kA5pBF5
zYs``zruNdd`e#(y6T|4AS@lnOV}%Ry^25wOGz_2SI}`i(eGpGkzap3R1;YX58S*_o
z-c#!xzauEQxHyk=^v<syy)|dX?@JgD-Jb8LYg9gA*u!gkjWxTcGP6%L;e`c@Wn}hE
z1x@XXeS=3$@33~&-vHPRy+8zc_-Ea#U+-FS&w%>yqYkm7^BvnI4SL3DkIdC8(kYp=
zFW64(O{^Y%<eV;YQC=w33Jhnq?0uM*ATy-cd{tU2(t<@+Dp=%G*H&*-@$KgpENRUv
zuYUN6;(^jx0O%pNEk?IC#D5r5Ru4!0p%GbsWnjC{GKAO5iBU7-pb69A$Trf7`ra*Y
zA-6_km~SXaZ`d}dL_c|qYe+VvYdq@DirYmu_eRvR&u&bmz(rz!gEZsngtq$k4f52U
z2d8~eWd7aE@_3qBr1*x6&41x!b=N*CIbKz^O0+0%dYJgPbWGZ<ByTK6WSA|G!NE`_
z_tSHT4ur55t($wf2L@6cGjZX?%=5||`B$~{I4rM*y;$$|#g1^=iFNDQwpvZuJP#Ky
ztr}iiD|2nTNdi*gr}eK3K3kj1b4N4pjDrc!Rhr$cc4@CkgQe&`GTYLwrh?c$Me}9P
zfd+B@+WWf#zfs^0{3;CFpTM+}$M!(0t0;M^p+(Z%(&b&=dG74DxUdYWOmRNDuu{F^
z+~7Xr{;q^}GHaTHQvh6sA4-xr|1tX07tW$6siH2_&tyAuo?B`vXvyHEU!ymP{!it^
zyguUyJyo|dr!BqWmV%1oNOR*i<N$*LpviWiV}#z}YWCldMCmT0KO{^^Xj^U-Uas>m
zUPgaXHnPjpYZ_#TFk}iC$Tya0Nmu^&8AVcjpm-Gbwa7+e^V@EDAten#v1K2X--e%D
zzf+#RrMJz%wDGoRJ6hbeb{hfIO=1FLNE#UG473;MKXbFpyEG@;=ie6Zrj0<I<m1Y|
z+fB(-^7Zc$-|hDY-M<Yv65o*hBd{VqFmJJ}kbSXYyt#PRf+^`r?itRCbmH_Mx3L`t
zY1YAIg;5_V@78X-`jzyZh_H=CZ?t<}p_ryuX5MYl;*YA*SS`9{VA#VmFJ@TtFzD{4
z%*NN^#YJ&iDgs_Qo%<8!sTLcJ(wu{rD*6*P;(ngm?Uus|8Vp$nZ@O5gZJZ9}A|c4=
z<h(}Do_2xkh=D1mO>sJN1d528CoOt?Gt0WQ1Y15CPhQA0jNu0W+N&mQZHN3&hM1uq
zOP5+#myo>n2%YO9n7MR|(yvCc%LWHgVk;%8e}aZ@@Dol-kzL`OztOO^6)Dqr_hG((
zNO#49Be}4`{&O}J(QM0Z<}L9T2++jg5{uUIQT>V?!o`e+^CH;i%B1yXe=Rl>WMmhV
zLt{L<te<uR0=?e$`-go#GH0Y(inbq1RVwRoM^fU<d+%phpSMjB6X{rDFFp$3&Q!ym
zrXsxmq}j;1?`s*i*Av0$CCiB0;nTF#xU0j0X*0#!;cxnG1QxQCBq<ZP7DgI7@hPo|
z=W$hM^btkRK5Dw&xY)BkoNc*h=x};jA|(QSnjnqzW?lC}mhg3#@S;kS?jI2k(uwNH
zPbz!1GRrcnE3TS(e_J!XNrdPe&Roc2Z(TX%%JWMfg9?OJM`zd-c!9S7mwB?pI@@~0
z?0ZXzpt}m31a?WjS^Q)7R^oGW;6&1}yt<Z|7K-+saqy<2%53?Obb@cA77E!OSMAp9
zAN}JcZ)JT`qK!o+mY0hGTyUxXDfe(%rZaQ<HCw!BcJRL=U0+3vosw3iPJe5ZOF%l2
z7Aj0>m`hf`oKfjP_`%r@=AoPaHh(W{{>zv+FSs>IxWr;P{<o$NKx0iK*vdpywdq!C
z$qU#@LjSEvWIbH1&Ty&Q=SP+MzC1tAbzb18%)_)%9c@Y*Tv2CbMGzFOu+5~j?7ym#
zjf+ZdpVIk$Z2E$^00FGuQ|oxlljh%sQ^o-#h_a*qWR4rL^JR5%t=dmZm};HK2AE+N
zWluE`s*8VD5E3WU|B+}Y>R#Zg7i1*y!$8znuZJ@_k`fwQlwrxuOIs~imPQ$2_kzD~
z{w>O3B`_$&X;ZDyG@Qs8jHUxkbh+n6_Jf0J%;%Sc`A!htO5J&mzs2%1(zKZ`U#uk9
z<-$ZFn5@bj($6auni;P0h#;J#UO4{RfHa>{-nEvd))<%I=(ku>;JupEMr?Vu*X8P!
zs-s!$)BnWnct^j@_*%bn>y}8RUN`zQ3RgeOlUrr^ZVzgOXQU(nW>*nYUaiF*y`)|&
z9eNX>UG%F8&uPf3UaIk0Ii4OoON2t~n8$2Rl|-*cb1%20OIkWJT&r_2Y7=MfdQdYE
z>>DMCpd0fBGC2o5WayX?T@yfa1ki;wT;^w8u923@KW*zI`%S>rg)d{ip#Fjo9{{8<
zv>^CkU1Kthl7@p)i%T0m<UsPP?q5E=N?B&r(UPbAyL$g9kdtukdbNI2f5FpySzg8J
zasU7!nt|cIHW};!Nur)&P6TC0i5GVmI}wswSJGV;@m84xbgCvtvz3dKk4t#<I#>pA
zokkQPj03UgWps;zqQ&L^WwQhHbH>)id|~<W<|exq`*Y*U7YSfcjhj6Mn!?X=9Er@t
zv5&dijTwJOAudqFV&C6&%A)O$<x*M1Z%!g8P>t?y{i5XpRrbB?25bb@c8jl>d4*Wm
zhhM!Bp?VPjcGKH+_k)j8-debPNs^#m<vfMZ;uwT4t(}P8Vc>H<3(s`ewj!ce?t1ID
zyysfNdzxv&b|Lo`^0$hfX6y(XZs=mou_S<2=t{(_2lh|hN|jTu-apRz&C~=R$@pLu
ziIEo^$Mm)b6jyd)+L^X45tvh7@Au`^g%cUIbIKA%*>N`kxM0pDYZ1IxXj!tDj6R7_
zv)*3nk^7oy;7AE85pezp1@?YPY0O^RX=B?mPG&`pg_$#T-KnG#&k!`8SH#ktMuF+~
z1C~ptF4>*)85pf-;2^B?Rcx)U#Mk@h-`d9(1!qIoi2){JJgR6S^t<9j&C?hx9XVpc
zzp(9gn28EowlXs95<|UZ$?tM!A$O>o3gFR>AaEL!s+MBrml<@FkgmE{fC7_QkA)iW
zA6Zld3}kG*B?#x5v=u$upE7NDaAl*to*e*I4n8}lJbYSZ$zI5agB+IvL72NgH%S*8
zu=|<mq3dJt7)Cj`w*I)|do~1TQY$pIQvQmUVb7Y+M=S3yIY6K3ZyH?v&k&8!S;4eB
zp({V=xt+o}#?PY&Woa?W+wAQ;zoc0gE*wKZe^XY=s-f|DY@FcFIcEYUF#Up)X3EXp
z2eneJr^3jPg={43#xp6WIBOpS$=PN+fXqYxNsd|?h;3)upw>hX+-WN@w*ACKLvx6x
zVZk_JKLQ4-_y-wEri(tm#upoEZ!;sv+?;&$75dZxKb_)<@T(CR0M^7hevU8STGn4V
z{yun~z`J_Qc)2>fntAncv50jzjOU+q3*@pZQI4(hCyNya5U7^S%AL(WzgRIl!P&-1
z0|1d-UC^Gd^>g3dwJWZsgk^A?^KZ=xn9gA(j~`{QaNUARh3hm~DU957Wjjv+5z*uv
z%Wq(4VnJE=IIk9+{RRSyVo|rwLoXR`Gw<r!K}QBH2)e_hA{GBcX*`rmH0mn!-Yj)x
z*}W5jRrg0nZla*|pr~M?TGS}+$18VBrK14m?m}2!e)!k#b%M!awb7CY_b!O~;1}dX
zR_c`ZgE(X1Hceh57E1#$cdvO~I3Pygdwnu<<Zj3c5AQ)~5tQ^3$Y9_nhJJd1%V(ul
zD$NW{gCH1VD&{wKE4eF_^Slx>0Fy#8d|u_@2R|~L6_+oZB)p-PQs-IvuIZHJvJQ0h
zpfR<Jxovr5{4kOLC|1ODr6g25w7vf!cPh7GK{et5Gy=eL?n<+_=lr`$?f@bv%Sq85
z#=Hv56W@zA)DUL4tA_91-o)eaxk^iyD3NVKO#ils5huOa)8G(IgiOJZT{TLp=rR~P
z=1;cN`i`)rskpf%R*Cl$&3;hPeoVR+aw4YfoU-lJ7*mPaTOSZKSTyTW^}maVIMC+s
zqC__0_xxjn>OW}A7ziHGK#0XrS1hfxMU!S1R7A+}HD92EHju?FHmJ6GbGVBNn#EHH
zIn3&227bYLNAJ@gA&17#p*9VEI^nnRLuvhI5Fw_<7VOR>JPUtuP^ag{40i(T3qt+A
zg_R{UBjpp`D*gm9HU2abT`t(yV9H%p<>jD-d~oJF@8RdX`mRXu3@Kb@^0H}><I&}T
zO#9eYdSoY5MAT-axa;8thx4T}I&$O{+Dn3FY}upYyHv$)1?iFj@Km^Aw1>o%B++dr
z!l@6Vp#t2FXce?@6+sS7`=8>z;cIjJ{4d+ZgaBg5|Ml_KTgFt8rspT3`s7vKhCx-L
zh_@@=uY!ERU(tks!Hg$}`z_lv#O*~iL_iIpsHmzM8=N4xD`XQ~wNsCspwiCSXurGt
zzN%VL5OkR2LA#&|o93m;1A>&VJM8;!o#Aw-O^;M224Fh-$C&++l@)?V%;g$~*T)Vj
zZ^Pl%O%84)77o)`6qE-oZ_i2|yA7+?$8=}pqsfjdxNzV8oRAKA5o;|LC*)h4hE2a(
zRW4pTr0=*yOZXY&6Kk*H)ch;1fl%MKm!U$S9W&dEWm|8K?m^cL;R8Z0bLAc{JQg|L
z|EIkWKhK2Bzf|VtZ=S)<K&=9fYIogboVRKQ2J$Z=5M0aW^DWA}dfFA=q9TFV2u!G}
zQCcB?)u$CbCUXK8y)B0i%RWjqjM`;rB1?qDbp7N|Y+j6Qm9yu*k5Jm)mSmg6z_EBd
zZs21^;1TG46e?Wl)V$Pn>NFzp>DE?KmRFqWk1nu4p8_nRqBp176*suVDM%ob^AbNf
zj_EcmxM6h(8!+UuE}HtRx|*ADBQ!RBjt|s}PM1!T|J1!jc)|62gj}6V``j@H;dvb2
zs*z9iR7D_XFc-98xOX8IF~b&{4VDtr4xH4JbCNd!YZ3%YyOZpW6xlIkl-xZrQ~L)q
zn|oW<r^y^$;!uF~3jr(VlgfV%)?I+BfC=o+xI)1ix85C#ATGoz%!U86mF*Xs*)*Wt
z0KQhMi*8dAGDvV!jG)C_#OK$rR6|0FL3SJ>528CLWn<Px@5jw$t{stx2C;S_+h`}9
zmoM#BN6tbkY1%*6(o&FL70rbp!%<mnj~oKA1=GmC_=L*d0*gdV-u0WLw(|BCzU@(d
z@PM6z_q6xtidhs3(Fg-NTW|HNyY>1RE1LZlMb?x~DxMWpEzGTYei>nY5#pJaFSQ8<
zyU-y@`@(b5xr#;O@Ce4eRajyu!Q}X&|L~l)%QX?N2q2IP@@*|q42V~?VlR&r3JYbu
zh`D<b&)D1XsbB8fB=oW9Py??|W#J5>vxO<w&owEvLW3ReY3sv(_kJDs{8>b)n~bqc
z8(SGAi?yossn9e(oINai9wAZ}-o=C*9AMqKuc_F3PR>4CzKMch<}5Jzylv8$@FQX$
zp#hBl(M?n_En9l!<Zy=cYltkM^%Ol@aKzG>pu}{D=nVR{NWnq(Ch686<T(?d$cL$H
z;!@V}r=VIjL_U)K>0;aLv2AP{@`N2Q1-m~Ix|Mq?MpR-Wku5^*<6OL4l{Ty$>h_{Y
zY#=MwDs0^QL$8L^m~}fLRN~lnZ<Mnf3_c&AwnI}weUjT+vGUtd$ss^w^FeCqc>2=J
z&bW{jjSZTAkc9TVu-&i9L{?ii^EFsLz>ODoU+xg|tA2#93{)n*|AiWmjQ^`Tkso2Y
zuMoDls@fb^cqPen$MgdPK-i6*S-Tve+rK45D#H*Eg()2C_jGwvB@+8XU3eD1F>q3a
zc_TF)OZYgb#FJlZ?rz!B{-#S`k<YpG+ss6}MBAT7kP*&UJlFPSwB>9EQ^m{6v{xS!
zy{V6Pvp(WVc1pG)P{<k=rn9hz_}+`i`IxSn{~E3n4)M98#e`r5twd&EoAR#6am<py
z!?8RuDDx!S{Jr>eif70RjVgJ4KBBV&ehHUp>6cJoB9VXt`#;TdX9$93uXOEhsPubx
zZQv=gMCxlRytl5d$XQd~+zrI|0Xa6qqf4jx-jzJnvm?I`r68#oD`+4p^B`%WB`XBs
z0WGepPdmKe`zE2bMR-L;f6P#R+<9r0i{>Jtt|U#51n0fyYFU)*xF~mN62Vt@t5IFQ
zSAPb%32;H<8l(z#4x`=k<&qJtU~Pz|S`aKx_A$|7N8pM<Gts!n>;&*J7RUz*AuoL2
zd};efvRIXq0dWn0sNiSWI7bg-!Lg7gr15Er4b_0p?fy|7p6dwMD2VwOT0D2ujX#Gp
z8a^iiVP#hPUtK3e_2lUjwP0+3_NEN#8xuX7cSNL#9ysTC!P-io*uJ;~?}n8itbe^@
zp-Q!o<%q!_igEq%T3wk?*U(=U4pS9m`KC0~;Ie)7N>8A5JUxO`520N%-H4?iIkXMp
z{s4N_peie~WM-HUp`1$vn1||#<=J092fXG?!V;DkIf?PS%q(~~_uH`Sd^!}xi*`$Q
zhXQ_O*Q49rHUwGC1t`ln?Gf@}B6>g(%(pT$*rA?@M-NS55m7zu5KRiHSR%Ms<b~>Z
zDsgJ;aBrGO4hJHIN#e9({fL62HDdkHAti*0dyopxIH$2jnD`Rj2pd<qRTH?1gsBJ|
zNZNHb`a`x%HnP$c2qds}8BN6n#+VqF2SYjGCaLkOdF-oF+ovMPU=R&mSm~10q7<V*
zRjoa-A!G!e{jj4@zDsml^Pl?wtR;3Ki+3GY#W)rNAdPGJHXHp(_e^AYvri$60<xCw
z*jaxV>=j<3N)Nn2q8y6^5)Tk<0O`-?1?R*0&K9uWI-3e`t7ON;ufE8`2Vrv0O&70x
zB*9evM*`+q5A_Mk73MaQXML$e80{Iz1nv=5*d4hyH8_K~cPun}nA;{|er-1iP6wmc
zt3{MrZa{=%JB62>l4(E;DQL>c?-$iJIEhQXM+QQM5PXh{o^;0}#%C#4EM#YJhN_>M
zo065!3QWeCxbD1?7L4{@7;B7xAA_dg@?i6J(<gRg;ved}9>5ibk=oprR<_bP#7F`u
ziPp@eDbYW6zlT}rfpXzIRsW9b#c_^*h91gG(G@GP*VLL)m~)Z(4nSYYY#Y(JFm-gd
z+W^rDaQK}qh4+n|%MZc+s0h-_pp#E~HAhg?{x_Xr5(YsP?i3%GcPX#;*^MCO3q-uh
zTzGuor?U;RUUli(1kkKGQ{C$j5PzwP)K)m)E|cfTk8>$cC!MbgcabB=MBy^Z1zX*X
zf3m(lLx<S0kSA*nV-`vl@52QUpAOJ>xav25=0Ep?WfjXja!SBDPxURq;?Mpyi&p-x
z2&F_Gn(}|Pel7alJedmW??XkzA4DYGI1L|RaD2dA{+c;{xPtT9j_6ICe7v0Bn0)h`
z7boJ0UNroHS+WnGFhtX8e9^tJK0Tw$Rxgo7@Be19mHRYZSvf%q51(q|o?p}XboK(4
zlmOKix6934hX@sr%a=h|qt$5Hw$5UFBUdy5skBCIA!3oMH3chTA0QOiDj)pX*DTmd
zj_!>`j2f<U#6~;2BxX!##qL9sM&3^Qz?Wme0cw~09rAyG89z7qd4-)&>_!$yj`P&_
ziBEK4i@F*_Sm5w}hURUNtq~X>6_Ladf%oi(6GrTTUfaI^7Y+t5T>Oz!I<2l^{!?sP
zx&jLKUvd9;-s%*rbczr{g0}!_^L@?V;t^%&TrP;2-#@BjiXS3y1*0gTX7=BTElIeB
zgVg%hQqsi&iEbGJ>el4?n@q|rZjW6@$f9Wd>^$bt-^Bq-j|e*_3td<iy`MI_rp25g
zB?Ux}ky;6-EMIm6LNs9giW=&ThnB89<nq@*S#W&`sS2{p`x4F!LQ+*4e4fIP+9v>#
zgc5b`>i??TJ?ii;_=LGbP*}BBVM;mAZF*>b-oTn}<kHe-)$aIzd!KvPGkxi7YmzM!
zpB6w<=$$M)E=Xr094M9Cs(`f?Z~UEB?lI9h5t$W4;W0)AUPs-F4XxZ1lwh|Li3ooV
z&ir<QVHV8i3VS52en!|XCUaB5r%eoXCZe6oZg(TPFa+fYV{?m*b<wC=ZO}AszPLL`
zj3%)X7&e-_^v;qRQDBfBJMVCD+y|-TzTt-mvF%T=ux>mbahr=8S>L7*q@UrqmA_$m
zMYM?rgsF<2?e#P5Zp1==0Wb{)J}wQWi?u4WUlgC8xz}^HAjvAPLZ4m=`BbDsv_Z{G
zq-w<%5y4qg5B(#j5bKmk9YsVbL2-JYvzGOk`|@XrH;|2nLjN*nst84bufg$qU5mK-
z@k(uxy`Uxum3AYs6{2`d*22#T2bU7zXX+|MQm_l~;1+jgViYFATj>eH54*PQ@7{2U
z;&cr3xsYG_KL<0a9gs~AJBbX;<!T?hja@{DGJ;C3)bd$Sg_j%AU?A7E@N_oFtFX}c
z7CpZ4G!Dd7Jk$*cs(L{%upou!FYA?fPkmVp?lgdr=Dc>XF6?SDC-UWP==t+I)uhES
zOta9u1T#_f`zkcFUOa(3!&?@-^VL6MZ2IzN^)%h?Ks41r%8bG439KeTM3c@uOzNi6
zUYqO)9~$q?R;wRH-u}(NM1zz&VCq@aC^<XLHPCOzL3w=t1n$(B%ScO?1?L{iKR6O)
z7H%zlfC|Py3$YyXb^JrIL(6c<KM8@P_@y_#q2~@?a{)O~JN$5VLmasWffpokV*Pi^
zrYnV25g3yTJL88Hu;zNoIhX!zJMd6D`%ElB_1DN_!0z|aiheA!HR>P#FKFI3*%??O
zpJb=Ixb}KLsn<`tn-qc=^OWJUA{S|a%7c&(1)8m{^iC7;VN9XtZoPBIyPI39m|`^o
zqIC7URU%IF<gP?<V;9tnxMWpRf&XNwj`gN-M6DWqMdN9}9w+Q~L~mOyulxjBXxu%g
z^Jzb?>x=!+)MZrCF{Rf``S2zuFpW1r3ij4iDNPtY&sS|OsChnGUhf@F+TZYV|Jd6-
zlbtP^LA;Dzw$*r~VS7FJJhqDwG+nR_ivMKcHg<GV0TnioDQGaEzpkgujJS$jeck&v
zpSMt5&8o(fF_1Ew=%qfh)YPR{oZdZr%WIj>JghxD64N>UDSi7BS7}+1@kl~tSxv=3
zjUgEfg2^vF(J+y*o<0kq)uamRx7IUn_9w8FNTRhyK5(v2kN%-fN}S?WfUSY9+Vh{3
zIwrL3`H^|i+ofEkHQC0-%o98$<Mwm?v#$hVn1FKmN0vwBW^3Q0c(5OuXtqJq`)H1S
zza#{U6@7JAbGrJRf^$M_b#&Ff<^FzqYyA&ffUs6wMAm-vP1o+!-#d7Zi<Vn%H)8u&
zS9|x5OpWRawMP=FEayqU=4b`O2-#6!y5EJjtUiCvDA=1+I4)O&h_(EvgxXb{lPUS(
z#8IG&_wjZ0IsNp72P>~x^Fv;Iq#>^?_0)JhKHB$Q%<Ec|au)@Vyp(Ld_1+6cg_kw&
zfa#b2x`Nt#oHR(ZC6b$7-*tjGP|OAserZ!sr!M01`*iF@%Q82IkK==51rlzqS-xf;
zwfI?pqlK4Nc+>ZTLbjsB%f*2|uQ77BwD)RIBXAS3!r171?2nm?Qux6<ASf{4*uin;
zLqXRI{L6&Sx;rUxo9&S&^j7D4`9_8}yFckI+nL7;;+`)oUOH2bO;DsC`Y|NbV%1uB
zoF(QajD?}nI8}nMm{XFT@ds_&K(VYm+#T=9<yQhVrTOZDc6L3lj*=eO!!Gjfiuks+
zs#WNo6!s2y;k@Rje{^qgC^{ksCIz^07A?(G=hv|dqxUlwT6%rWZ0D30GVJU;@2lqC
zofvvgUv+|rS~25O`rq5Ne%pg((6`a@uF9-CjHN}yBLVrQiL291>)x2Ty!TwpBjsTj
zqO3B$4E;~#wtEd$HAN*!@hFUMsIpnMjf33AcA^HBR&ln7921krT7*|ctoK}emaU7T
zU4TFV-@q>Z<>(iR&k=FC8%j|NhjbakV+ox-iAI~7nP=_n7A~=(Ck&FR3;$a(<Meqh
zBoew|eYVxWz%Qa~TMEk$3#OCjsCflDf294q>R}Q8^MQ<%#FF^=x$d;Z#I5NDt1@mG
zBGme8?s%%0_H3^R7)lT=uaCIV-=Z`&3%?oz0WMkm#@uDL^R%g!e!<kfQ@K35>m^y)
z4Yyo2!-4dzgKH;9nnIt=XP#_)N9dEMhktSAr?Zfp{Myehv`Y>qo8Ep15jba<$rqBV
z<0>3`d5@pX$)zhx#Pn*8nsH*~*7sLdNAGK~`D3k=;OkG7Z|2E6@)5IPinDietUF<G
z@$N$NVaz)ekSwj`()6(~c`3kZnE5s923j%;0(XWbVXJ;YaoOIoPzYU0tYa%*3k_f0
zr4y7m4D82fzjQj|pv;V<<ldcca^f;IvbvdWyq#edz&g6f@X3~E=(gyIJtS@+#tA(N
zGPrjCudDf|Gq?7I>jZA7r5`l@i@^OXAKp?E<<^^Tea|%-P%rEp<g(p)I!U(lrtP-N
z!}%Ptn(F*ur4vNIG{djX9&?)Bre`|$@wCFeDWUAV?F)U^WXCK0ADcx1J}!^!gc;Gw
zx%t6kM#T%b<ni8%p_c$fvvS|va+mEmQW6E!q;1ci!WE9GYMyvJj4W_h^F%U3)pNRS
z%0~YxS=l)(^cR}Rr&>#tH))Xog#imz(fhE-GxFx5j{#AbeZvtu7Qv85Vb0|bhG%ji
zub)T-9fp%W|4FsE=X_v0`<?fSPl<wt{i93@;Ga9{xqZ^`-~!V(ZYk4mx)+sG<~J4#
zql#LTVIJA>n@&l)F={cbQNJix{>dX%^YXJbwPqc5_LiXl{h6bmCAOVSHWYmsc+U{}
zs}Zy6*dwSzVX=%1iqd{h<E>J9m7-s&iM;U3o0!PHc6a=vn3psKF-3Cbo6&&4KS86{
z>1!H?q)ZhqwP_$(!+M|75#?5P&!elQ7ZuN~C29Kn-rs&rwm7eTrE;;%XLulnlO8Sk
z^Nh;T_5QnGwQ%F+WEf@`D{fCk>~TQ@u&$16?JMKn?)u?6W1@qmt&Gq+m2cPUFfN%I
z@<IuXxkFaa;QOd~Nm!m6LgZb7hmw!F$b*Rp9d%}aJFK9M6kygZ7~+NrT`LzYN&B<y
z^c7FLy5!NpRy@E6T~(T9>wufyKY<bCy14xs$<NTC)cHa4vpolo9;?3-qBYRHMK|`u
zO&+RCW=idUO2#ZzCrH=Ii_`z&HM%oyb~(3#xtB2M^E2r8ih~ix9{TsWws!^@OlNo@
zDlgEoVLKi{L><ir6RV`hodUawN8h`p%zba2qz8tsdv@2}UVNDkA*}%E{SPrz#_cPG
zbh?k%U#|`KMReK;E_MA(T7H4r9jLYV9^y5*AbjxV_uya0akjVgpAN4<ql+1=Xn454
ztKxIqeSsQJ=Xs=>wm%R^HXrzh=8oaJnkyhBCxo+g=goWTI8-OG=!%h7&Q_~)grq1e
zq}e)pJhPXoN>SXppD(|zp>3^lymQD_^IuuC5I8Oh>EqhDE3vPMxXG-4y@QjUUCP`r
z?nCFv$yAz1ywgg{YRMp4ADLoFaBWoe>TBm9M%B?+NR;JF?JCWxJ>m#XgW;LEPKE0l
zBT_s0nsa$!ZsX7PfcnQB%e7O=mG>;-@dxV{5;_aRgaCU{_u7LWb+=D9z7jnU{_OoF
z;g_bA!@mmXebHhKH8V+f+<vU$3F6(!dpAzy+w}VD@BB>%_3{xRVjsu6Ovh|*I>8dG
zWADU%|K}(6)-a8xVBwfwcVgIYe{Bm1c)j<|MEukBiA1B^FEgYhM7uY>i*A3459IeM
zInU)Ut<s}-*SRKKPUAGd3Guv@-v7Nv>@qY+DfKGgS$((;z2a3%i+C6Xlw}kpVsN7@
z7LhbGxv}_Nj}MX}?VC#XXFK$Dxu`zaa`wTj4b4v$rMMN{Oss4CWlSxV8=~$*id>!X
z82<_IB)?Bpx^c{XDl7k{(^GzwBxSSzTseV5(=VRg+F!}I0oA9*5&uRjrXAq#{JvSu
zPWvrfn0S&RbF2byG4)jN%?u<m>~ng7Ns4rhqJTF3S?NQKr~4Cs+!ia^@?W5)!^*b1
zEeC=<;y5n@Pm2|k#cH_^_)tCRB<KYc7+r(qoUP=OB&wr?a4x50IL8heP)ARG_!gl-
z(-3)4ZAmlhF;e<};p7O(3yS7ga6sxB6wf1wl#V^S&}7G$SLd+ovb8E^GJd!RbSp(D
zseN=mgPx}u`pq{#{a@(J4zn?(22+mg1Z2bhLe88*God@rpSm!GF*r!L%*)5DcGiC4
zybp#3!lNYc&!o&H=zfsHBhm&r)wWEs16r3GeCCL`5Zxs&erRB+Hj!kM3oXbCl!e*-
z?~;!xo@O}-(0O+TRrM!7lHI7jtPF#2aTvki=MPc5Z=XmLKe-TIyq^L&0__d_$}81&
zGn}hLNnZK1UjUzfod}$}$g{@BK8EzUeQ6T$Ir{pH8vl&-ZKdL|<841v4->BYz|bn+
z*X5{MUG3X@AX&}8G2mm=oecwMiX2tN*hNw6?I~eD+^KWefh3cBjbx*5y~gM&Me&Me
zLAr0`b&+cY|9ZIzo>&HG{3$+UoAYi;d=%~khjRhJZTl1QE1EyoQ!!}OLE5!KA>v7&
z57-R{#NaE4`FLl@{g`B5%WvlRxtY;StTVaJLt30J^x)kp-M5s#%Nrj9Gm%ELr>WKp
zgvG3f9dZG$2Y|xb?8?cbKkMfoX*`9eHt$@VKO}T|IO9-jY<x!&h}EENlgm!{B2SAx
zv(K=Q$aqQ%i;De?5q}!uE9qV^L#%{a3z^>-@cFLH4wEBHXKR8%#{AUKeO8KuaA?D4
ze>~Sc?R<i`Nr)rq^An3BS55^~Dq<omHd9zB0WP)T@#B|ra@nU807|TyH?x9K_zY;G
z%w1Kh$*m0{LU-ueoj)|hPVK=inE$kYxMk(vUS@wlWPejv&8*Hb?CpmrfO)kQ=q0|&
zP8Bzh2=2P=%>MM((XZjOPk{xRDd@WQzg7@W{}(Mt%WS*jwlKjqQgBk7j6@{6CsS(*
zse~+h)1V7;8y@B?CKCAhWMT4w4}KI6B^<`2eP&=l;9S<z7xA!F`eR0M-E+@<{H~md
zn8UI`hghNN+jW>5lYD8C6ZTn*_(DyKqxCY^ufiYwJ+G3^e;+XYX7U>MDQT2R3YGU7
zzpIdLvOx^9JY4FW@#(&SOlqhqFGl|!1#S+N><3`wFl6Lk`VY}&@GP<No3H^RAk>|~
zx({&Z%h1RyM4@snPdnYm$Vs{zWEaS0C!leyQm#MNw)C~ZG_h@P-iBR>2Nc=okgnKE
zr#d^|p1Th`ED)P-VM3|^m>vWj_4gVtZmdivxRcfgkuF*_&rzTBfJH~a+nhezt-c9^
zb#H`lGA`em#iVT?o=^bs!u)zR$1z0c@Aj3;Gg;AlXB(wqjUzL-uy>C`<pfcac7t-t
zwW_*?9X?KK^qCal+(M0il1tzI(IU^4CVkQs;3m|U%+hUdThIuFt->fjwu3ztpRr_0
zV}WsP9TuGJIrUD0CFpMPJxiye--}#5DO0Rq(pu~XozHRc1>V4-d3K!pWBa*oeZO+`
zBy6Y<Zu8`ukx?C&-rp>*R)4-uk#MjA^tp3Xi1d8*Cz*Zb521RZ4qv{H7WP?r%yx<*
zJu&+2neY{d>6VT}M$-D3oxJ>*B}U0=_`ZA3ypLG%scU%R-PE4fQFA#{xfDdoqULSt
z$S4y$Ip;;}1`XDdbr=BoDi^hv0_U3NDeK?+JkVlK68Rj5#$7$dB&#%$4k(`4Z0Mbe
zbP;X53hFyv={2~FH9y`bpIi$H$NzeVXV%ffoWpp^n}}ME>ay=Q{&-yrgy{YlN5rX~
zfED8`+s#vdHnn>#T?KI*d{EjSH^{SatJLWH8%l}A$G71q91IWHuGq?bDWV2zC3R9|
ziZ}S?a!{-_7Z^wrzU5s&w=v)Z-XU2wB@S17Y26`WP>~5t8e3EIAYl;+YBJ7LI`jI+
zff!nnuy)~e^SWCoS`4A5(bPUoO9pmzVG@pC392PQr8der>&f@gD?wfu6W{Adu5}#y
zK@SwXCRh*DXPUK7!buu)P9)%oZivewOZ}rl$?CK64*z8EBv78ZCsM6JLNNn8kT!MR
z)g%r^FsaWt5WTpIzXjJG2w61Fia&Dz$&j<YZT1=ejUJ%xThwu_;E92E4vb%ixQjd(
zahrQ{f1{cExNp;9hMyh_*xryRzvS|KnlQ9ctpB8*2plf-Sa0e&p=8Byn@+)9*6j<q
z6t*bb=6}*~>;0C?;1Dloc%WWWQhFM8S1Vu;ahq93jTUs<!^mF$yxA>UOyxNr(Z?m=
zx-L+waz1K~5SUUX1-qJ-_iqlQXx*R%BC|OsqM41DI4IDvw-ajb9Wl@YIZKm+D^5G?
zU{V`~Hu<MB@x)E3FkNafJen?sCGQ@z_C&(9fmgHB=M&hcf08cVjxE!cx(?BHwZP$h
zJDZ*gT-W}ou9`lZz5*@AXmCnDDDPC;nc1&B76wP6<lLY>)WqDSXI@NAlQ>L_J#kP8
zMr$Of^k+r;iU!+66t_^0Gp1XO&2t>A2@sYE(wQbV_zWVc&|XlzXqKdi(p%DPsQP{4
zi0Zk6tm`sq<+@-;%X`L2pFOenH5$&LXFm`0SfB_i5dJ7UkqXwH<*wY7_^MnY2_2U2
z)r0g$3?+ZrajbjO*<x=i`7uP@ldZ5zB^yhGZhWj_7DNB*DGAtZ>--s)8FZP00!WFb
zUd@3X3!<fEa%k^Sr{62gz%$qaSV(a>lgRl)iWM%qu|-8Da&(rxGk&wQTrB%lNP0q*
z)}wiq?2Hy|{q9IkS58@vWSw)a)8}~3I?=lZe+bc3_}(O@2&raxS&&1?!5dm7vrhB6
zFL`Zq$kHLVNc7e@jG$qMl;zM?+T9Zii>Ee|HeeY|qZly+c+pz33(t>b272SWM`%nv
ztKO?7vQ(DkXB&GBpMKO{kIs`>$$`I%g+46&enS?`koD;U29}C?%O!bl$cGKU^tC{$
z$msZB)cz~*Y?d64WtilednS9n^>8mI$3nrSB>nWs8_>4hE|`cn%I)fN>D{yN(k_Qp
zkoRR?*GgeQ#I20e`)?(sNt(h8Df6K{k5J{M0$Ahu!Lg(su8|jw|687j1c*Yo@xL;S
ztbP+^t`4Mse~`P8VT#e~gsA~}X*=Z;@DQCz#h!LviFZf33I^OtZ5)id%L|=*o(b4V
zcW#Z#I|p~I<-|2?2QPlEeF+N>cNm;vCB(i5g+s?0TDvoS8y=w1NozYW!k&8CU4hnY
zlZ#64EMu-?31@OH30ND@eHIRb>-RZV1kpiZC-=>U`!oNDm(TSrFE4nzkNKXX=I84S
zAP#i#v<nDX)W7_Rfr6cHK80=cL+~o!bFiuW^>cG2*8pp|)I&j;Fj4SU{ntdZ2rL5Z
zc6fYifu+jM{i7t$$37)6>;16(g7IgHlah0}+g10)FJi&G!4=Z3jzzcGwLV~p-|Ezx
zPhbC{T)F>3ZhxoIotCWgnx-Jbo`1Tr|E?_U<;YmUP@Tu;OTQ@JkX!+vRyvz`{`Kh5
zso<MG7qZo_cs{h7GE+<Gkofy1?F{+Z`O#k)(w2@z7u9Ges{Qa|dig^mSX#_#X-noS
z{u=vHJi2DCz71pzOFxW(Nd{PZ-}6Wnl8bTHS2<N+-@Ce)C{k?h*XaTaAFyK3VP~Uj
zING=OP1RM?RI1Sv2O~_m{Q>#M+!U$qZ-b^r`RC>RH$M>T|GEvE7^K*bPSC#`&Q@vL
z>Nd{$J?k5c?=IG*@w712&g$Q`ULacEMcvwO8l+5;$%<>FChM#_yq^dwanK;FE(vJd
zdOhaxZLMA{`$R7_Zk}qPBbFbAW4KkdCA067@~Oj>vR6DdaBL<$Su0UoVQKfcYHCYN
z3s)Zx;JUMra>q1X2LCCFu-r>J^KGWBM8GrKEVAcF7`yR&-Jf_H7_72OHNbh2t5drw
z*D2!Ct&wtykLS>cQDx4vFMg+%A7kgZJC^&cV`}mz^6j+zS&8re#$BYz527RKG;Y}Q
z&!bU0V2We(>>FcQsMdKDOr&oFz*l>nl+U&9Hdho#nij8(Y?UzXJo0juxSwta%a{dn
z??c;}?()tO?~bg~wC(?8cRxeYsoGz}c%{m%)m-6e{xc>uFP>Frf*(iHsp}MPpq0Q+
z^i*Bl=~|}7i(0tbUOzr+74VsVf5p>Q!nXBj3CcK!H;9&`bMZ^gp7))*kI-+2T2{tQ
z48s<NFJ`|;qXLuMmQMQeiNYqD$&o8wexsu~BX<YWVg%f_J2FdN#ms4c+|u<J<)UV<
z+-W1OJSaONL2ZU?v5NkxwOt%vKcJ%dets)%V9)&@S%0&hkR8hn42E~R!@R^#wk-0C
z-^oKK=UhC#wtQ=F-|Fky`%`_<d~Ek4u5_w4Y%TrqU%T#eY*UA{!}=5IreM=-cZKs&
zI?M{_UWDckb`|&?E?dD$Ww6kbtg?}wW4UtU319Em%+e7gzd5*s^%;Yvy{PA|@R_>*
zkYzd01e@K-Pxl%*X=cOVN^LyP19i1oxhU9GJoKo{#y&d8elk^08r|9ngoVd>cDBI}
zf67ZwzY6t!s3vs*)G#_nW+(Ch&jX_1BYs$xuMf=($wrf~KUz_lhoSNNj9ljL#Pf$A
zGx#!AWh=CiG@na${DOSe6~WHA1xW=^GkY}FdMlR_=86v+zV1inxk!`4WgK9UTFePU
zr?A`l>d18e_jBXTh61;*YZXchiJQSnpXPxok@v5!n*7ATvtv`kP0{KO*bIxVdHI|I
zOe+2P8{|CU0qd-_+Xwl>0}VKl%l#|My|L`WIqKw<6daAvXa2OpVLVlE8rop99=XTU
zv|!GP0l@4mfPv^2B{rjxtX26k?J=IrDDpP^b~;?j?s0FN`7KQ)Ynqw&#u(;zUVVpR
zXLvwJxY!CeSJAl>VDg%4pA!u)ADSZNGb}Uh?*)4Oc(OhT`wsgnXRd92S7c*|Q)T>*
z8YokBIC)>As*feDhg}n=^tzc&6xi+B`&MzVO0L&^UU0cDLV|^YgPO5bZ~t#e)z*ku
z@QZMc#;q&8sZV~YqiMLaY+;{nvZc{>w-^{mRpYhzX#O<8HG&t<CCS1}=g)wi-u}EZ
z_1SOkZTxLsHiE0RCzBd?Si(+nWry^#QsUAqm#ihNpvt;@#a)bUH1%)#i~jquW3?-7
zF<yXe_Vnamn(Dd=#|GMM6zE<zwc4~XT&z0s_tA%eO^I*1g}|>cxE)=h#mu<B{`P#=
zmO2UD`sqnT$=M~!Pb<d2b_R0N&>}c+l5`#ANYc>vab~0O3=vq5G*6EtXFPNB<dNr$
z@7T^+Tl~f|>kM|;Dpi<L!B3MkRl824&;R`5E;`~P)|m{)RNv>-BomWD*_t1m&Eap@
zJT~$0zER?Pw2$&{;s}W9b59w3?_-Dk+GK^Q7XfI~f;cBwjHkriP<AWph|>At1Sg}?
zdOjbdh$2Q!BW2<Stw&aoXvVSkgV&W2GJk}P6*mL29k5Yo+<2ft#{oTQ{e^gqCqb|$
zxS*5yWA=M{%nQW#Wyp}>_8v_=6FB;vQ9}}*&-VoTaX{-Sk<I?iF-hm}t+q{t33@;X
zt#h5FAfSA8j5SkH8KZP9pW4$uuF4hNSUwRdv_1+e=bQYAL{@F{5X0S;j>Wd$U_{J5
zIiBTCsRZlHe@efYQ2+U=kvx)iC3uVkh3!6;tuyvAIztjpYX0aq@7rQQi7>Wg2dm11
z-`cY9R?M5AS;u>j+(+HGi`ScqmHNfz<I9aHh*oVDw>RrLmgxc&L^{M2r}odDCJ8&K
zr{7wgR{M%*(lpwb%<Pg4P$GlM3&Xv*1W5&pE_m7%Z%cNCN#gOrzJib9TGW=`Zobt(
zn^H#5nX01J1kCvpkKt6Gt(vQeW~}a`p@_{q{9<;}f?DwkJGsQ_ObxUEbT=EQ0EF1Q
zxx)t#cGY=26R(%>6NLh6xl;$ujQoi!uz;L+(uI!XWOfB#hFSio1}&3#`o+w*pH*ow
zo<T`agiIc0fOB+(h4Ypq8)T-~dwKUS#g;HIimCR%p&f6A=Gk`lUlM=Q%E@6PLwY$(
zTs-4lhj)h^>R!HZ|7iVt*jmdq_?}geuys6C!5@bIQ!%EJKKPqPY1VLlWnhr|V$UU*
z|0uJY%lje&BC~cVq2+?DKX7V`1J3a3o7++{I2jzL(6mU1+b)ma_OI9Ua<WbAU!IC<
zPM>;u8id{EvVXSGRec3m)UZgAK@!Ci#*RxqaQuSH8}tO5mv6R_U2jT7S(5S!IKqII
zC9=m7NF7`?gZXJuczio-vaglU=?Y(O^7opMNqrT<sW2H=^SLa#28c-MgkSye_9DG9
zi)}};oZr@5H6M8UxXT601p{Cp&(imrYC_F+NqHUyJ|xeQO;uHmKD{*r@keaw6r|nz
zH8VHm!re)6!sBAqTk!qd%PxH%-;noN3`a<u%HnHo@SCf!9=F%D)qjf?u^_p1Ic!|v
zbJ@Vp;dhUPq9TdzAtMZ2&U6m4F#m*_<3T<gx$on1Mj=%n_GY=o%V=*l)KbNxKzd}f
zqG`o{_|j?~5VX`6@i_x3TUj_gVA_FE0NcUq(x(=tk&+Q2X%1MO4B=Qbt~4YdI+E$H
z6c5NN8d#5kX_^`M4|Puw_K}XBRUIow+NqBjb#S0W#qQj{p@Tk3$qk)Ay4szL07;|u
z^td<RM~4NUKHz9Y=DPMT!4Lg0!!qR=(X=8K54qqJp_SMHm8#%LAJk;UtEyv|t_4;q
z!uGI#6D{BT&f@2T(5s9f(b$kI?81@io*YT{6|TrFOE7c=<cTR(CX_P++82SQjbS%3
z^M=RXCtW$=k1<-dSAPhjWdA1IGdOWN%w#i+TvlWrCYt<N)t_XZ@vFKIfI1c(Xr0tN
zAIrKQhcgvEcHnqH4d<f5=x&8)UAt0BinEQ!!+PecXO<>QRw~xrJsWv_im$3+JC9Z*
zHB&MttEKcZdQ4_0Pk^||2<3<jZ|A!(I0ysuIZ_}BL}sF47_CyQ#S&j+<?vBD^07d?
zeS`9m%4Nl8rGB5%1FhOedgWb6>&HL5rQ+K9b%hLGY?_u>!E;1LB=-&1$ea`sod|^F
zlYQplmf~<B#T8|Tu8$J|{|}XyuTwBFzpE(@78`Ejr^L0+nW+d<TKJ2(S!Ge;kSbeV
zD?@b|tTtT^ta=fKQtMC@e>|vx3OmvFgFX%O>YW5~<?XsQ(0R<}{Vbh%Tp!kszH@|7
z4leO>+_io#Zt+EtjWmvK2EN?TFw?JCK&_6t7i6`bjO@-iOG|`|+W2{C1t;<NE0@5r
z4RmDMY+g{jsP9Wrf`O}vke~;&^p?T`Pefsfbu|7~|6|*wOE0eSg_e+jCRQ&zydiTy
zRtvI5#UH+nL-?$Psy8hN8ho0niVbZ%zHrU$(;bjr2d|~kHK7L#96TqffZ?}ISeQ(W
z5+O!&EDXib7?$R8DNr!&+Pe(0kv5&{xICrN-trJ7<Q(qGm3d4I$E4AA_V@PXF9ZKp
zVQ+b&c#CwN_`76bT}0@v8vEk(+UjWJM$XbhE6l5<p`I8{2!H_kFwKIfpK~;uL1#gO
zDEo{o2_T^f1+6-$`h>?88rs~Xm`hRgcL0cw9^%@J=YueeAROS`Wm3#AgtypV191yY
z(MDsdTJ|A$*ixR@v6>1IN7DLeIQbfR6}NK=)RPLFEOnMRJJgp{41*4ma4R}WE%X$7
z2~puecRd3Lagka*571%OcPVkDQ!DaMo*9Dq#?w6Ljl8x|1L@~pAdc_pB65W^EM1Z8
zLDRE>bgmay%^~p~ire2r8S{B5)KG+bMk?D+$ED#V`OjhL+xBq2#;iLHC?D)_kn)7l
z%ml17RXpPXk9oh&!W5(a0U2hWON;t@*z>6nBJ>d{fG;szvJ@$%MvIbyMd(IMCjFnC
zd*U;yDU)%05bjUkq(yx1Bk2cZyyiwlc>C0OVnDL}PL;%_QRngW^|w<3{}##54Sx^s
zr=(0C5TS?S-|=SSB#@z`is^G?x$}w{L>3zxF)9bGp4>-*-9ks~00_}OKNWIKMERgh
zjs}E@T_QGLEIkX5EbyESuLA=B_t3B2vAeTA1^&yM@f+e>J9el$MRsda5xgF-{9At@
zOnpP(KNHy_cmv!bI?^Q~cK;I)N<I==rGvvE^`zvgAS{pw#{?_I?dKLJh%k!uke*32
zDPY1)2~hJV0x)#cie<cgw^rtN7188a*@-hAfpB3nb0YBM%S^p$75$VSdW4s^oLa8W
zofIR|?Gs?|n;d|XM!+!ux8%$!qFkP?L<}sBSb0}()bas~Hm+(hxJN1@YtV5xv2ZLI
zG#*fM7W0BSD1mKodZ33bq=6J1e&Am@eLaB-4*4&MO1mO0qrFTJ=QOZ?hHGmk3HlTA
zI=A;IjN1>Wu}@Fl8_tjs0Z;1HZ&3-XsiP)`HuGU$6kOm3=U!iEf!-h+IVVQIfai+&
zN+~^1%sYl;zHYEzYWmcD4uaX`Qallueo@4}4XaDY1>1=B>GN=x*VU8v4nz6*tjREn
zrQDDjRwfyrFO^PGf`C%j<yrc<Rk)5MC&Uy?@-APnz!*zFYtGl7H6Xg`WePs)sS!4+
zo4j`d6zBQzz^zKP;gqO(_nKt=T}IG9$Wsj^iB4mL*M@L{rCeGsz;q7yZ@W6t-m602
z%)UmNy#t0mirr4gdz1e$vZ?`0Oc4qCNUJ}GuUQ-5Op3Jru6%f_?W_klITHBwwqW<1
zLx>-RiGkHg_XvACQ%J)TU%9gE4fu+(bV@no3~L2I6I<x_X28Lmqh;)M@WfBC%@TEw
zdjkdqIF7rHa5Qy<6p)(^FWaR7@I>w~wtb~d4#)}sgJU?y7xK%Ww8<Vd`J^{vq;{L+
z0;te0F8q8royQ0e*1ljcHpyTQMcwR|Z;a7+Qn_qR1|~ySB{U*S?t(X4um=$KAS)q&
z2uB@enlDo*x4f+h=hc2~J>?&Vh=k9<<eU%+4E2xx*jRv0B@qz$O64Z^^!NZz9q=C>
zw!N&>SZ~Y6Kq`$c!-}REix*r#v$*QNrSv=o0u7+i|F3*;e)e-Bbdq!=8}j`3IZ-KF
zQXJs~#g1Q4o4qla_Scoumeo&KDWUM)X~G^I?Trn|>f?}rEJ4XZQd+}pw;PNX(o4X@
z%sVLWAHyZqaEiQv3a5HDk3Xi5<TMn&Qs6K7Vmnb%j3<mAb%3vS|5(jz+|JCkS)x>f
zq8_eWO)QY%TcqTP0NvtN&e@whsfn9k?@vB?9e6hw?6d|kf(YkJns5rooDVdCAxos3
zk%aC}6`i+1qBwBqW?%MG5ru|#@_=LOb7Azz-Lc!Ku#>qvF1+)9dC0t<+P68v7&6>N
z8m@BP=X#mRTqesI5SB=k8obU!6Ng3Z!dox!R!UM45-5qeM&vX@y=SE&yWjMZ_&nBb
zw8IKlv%h3CUvVX$1hpH<1Aq8M&_6y-{}_s*S;Tc3)V`0W_52lVx;)&IfTpPbnAa*C
z+!dM+9I4^$JRrGEMV|?;FC-5R=CyNb5YJ^dUcLj&Hqu2!^nrmmAOX|g?nQS!sua#9
zs_2GQ%%u^v`>O%{_8NlF+O6&E=}P;|UR=zq0iS;}+Ny8`b3cHG&70E+Q>`-|Xp*Cs
zU0X{~bp5D&a;>6!WkswpqXsypN$W<a*23K>B4`e(HoN=9{UynkPiUOVv*DybgCN&X
z&rE!mAWCQ@`z95fFMU<@rYYY`Z^``9PvNKcT+@uIv`A1S@4;G#FFP(x5ah|mKZH|%
zrvx?L04Z3WG}f?tbm2`}=WuklgT4eU3GF-WCG5N)fC>+<j@}scytOh`@*qX}v<%&(
zGE6~IhAW#-P=x(Oeh7tzF-i!zeTx0o3^f-hl$Bq}ep$H8@#fo8XZP1J8*}pLhZnEd
z54<R401eC1*w!&PKQ8<I$Zz+@>VWwCR?;$w6YUsJZi-xaVh0~BhG&YkPXw1{Omy!&
z;@5F(QvyVXUsWoXU&`{6O1|+BT<vR*AyEJdG95-qakWH~=fshHB?nWf)&gNjcr-U;
zD#I}8gLK#@3T-b^pg(s@5@TK=v#;R&-{1Y>SA3^{g7UCSs;az?uY>~lBK{Y--nm`*
zZ*tT^DV!U=`gMAsaCIQicw}ArIUGmy`4ez{;kNL3B8tzu_@~XEp;61;p2JFiY9xg#
zAChJoeJgC7Irj4Wcy}T?C6P$nHFL8~sod7gIN~{q;#t}d#o8NUuf=l+Lf{2H*N=I%
zCEl;cn@Ucn=8yE$!GaDPn3AHvg$YToE8>)DOB`hS;qd{w6ppz}7}jb#EUz>Lrj*0%
z*zf3@I4lbPNIdmIb=4X)Nk=w8Pq#_N2PWN<uo@HIkE<X$Sr<~AZOzMT*VpvyEMNz+
zD;>@>_e>E@CYh2fpL>E(G03H*S1wm&>|R|e5p|$f4U3D%hp;x&lQ7vv_BDGmn$Gq$
z+ls`^lRJS2<}+zr#+VSum?p+L)1IsvJFL%aYb|d;#j|4%89t;=>07go(^_ge@xti4
z^c0uff+i~LiP-oW;$Lv^M|bq=<&TZLuaiwnxt)9E<WfgbmDqcB`6^?F<@rf<()DM;
zXE={ODZ$Wp{An}oMYz%WZ8&;*y!ZViGEN2?HEACnIwl7t73<ZR4Ww7y9V={4Z%jNf
z4gFxS{HUN($eM!&S^<7HU7|D~vG_9IE<wCji=D~%eb(YCiv?0)sMg=MaVCa$1@{_^
zdJ>5+QvtN_{r}N)9q?4Y-~V%MB_o8aD`ljz60$BOD-<DwM0S#qklae8vSnsuWRL8<
zl2t-xWMyTOopJB~e0+cZ`+9x9)n`1P=X0L(oaa2}ywCgdFBbw~FY=bUdFNwXH>kZ`
z+dt{BC2Sz`n{IQFLYwwe?GHypu-a_4Lr@TB0&FUQ8AucqBV8@vJ-Gi-^HQHLVK>^O
z!n*N^iCD!gmcY}xhP0B0iu672dcA*AnR-1>e1#I*SXps_CbEbSbqIemgENh{10Ifb
z{YgAl_k#(8hV@{to#*l@e6EV&<MGkbYq?=@witFg*I9sYcslDAZWf>NxP(+SU$^@#
z%7XCSX?ol23*ARvy;C)mt4TBrx^JU@z30d4=WpB~yRCWrTFUC99V?0=e%apT`5r(H
zc{;jeJuKy;;;yT2UR_=w{j~7&5R&zm2An<IMJH{{zYlW1X9r4+!DgKeO_5h-2uOcp
z3rYBf%sUW%O@}N>L0Q(bOAaT0f}ue1w8i|zr4osy>=i|hW@#lC+}5N?oZj&dUs|4W
zj}jzApwkHEdQq)h1}wf1{ahriJr*Q&+W(?@3SrN$#@D(x-0~gWhsd_X!^oe`j~H#Z
zd~)7{akeR#Vp{`r`3R?4@k6iW{a5u0`15S&exv0&3$iSW!Ch)Sg4Eq+o}~`Ifk9eA
zZ%#!JcmpdCKZBnPp|_l2;@Gkg8A0<5Cs?g};GU+aiznbH>iUrd@w=>(<Fi%ZG-3n)
zQBB)!%^XI&{7T>-_`eE({<gB5ht`6b0T^{aD1kgZ17&^GcnP!tJnB5);~%~{0Cn>o
zLr}&THd~Ppa7orp{5s*1VC9hgQ{fGPHxZ_A+jq3Z0Lef;sGti-OX>|V={Y}g+}A1U
z|8EN`-qgdH4^C?$96|hHJg7Fyw_3yzO9A*dE=E`h?Pkkqi?)!%h>%QdI(ivG1#98r
z^)r}H$JK9uCdGmOi{Sb?sxM8q7q^2%?E`3n5Ll1?QHTAoqYyg<7ZqfWZG>d)au&eq
z6Zw8e{q)KI#^~AiwV}aF#}Ec#QC~l3rQ!jR8(dPCNg8QO%$VUNR8n1L$ibWKujN%;
z0)ZAfAXI?zb;5xCD|kYXnC{d-2s<q3r2wa6n-vj92y^H^yPlqcLz82BLM}5TV|hMc
ztgvz{SX3mI??dE<Xb=tbCb1vzKd4QLhQQ))%0qaRCq^TahZ{WcZRpH35z{2E6*$h9
z=Hhqqk~~}s55_yG4on8qF(G0h7+@<x#B~1aBqQHPx^^TOoNgG4Xc9d1wB@_>&!{Kd
z0>}uF4ujnO^k)5~dM5Pine<J}*v*3r6aOke=Yo^NKFPJvAojaquygqUEnsi(|0ckl
zldR}vICu^&iq+eRqHZ@09a0ejC4yz5)kplm*+9_!6AH#J@3MyChY$tuevh;D2E)1x
zzr^vLD!J^PY7(dz*ys&SnuK={t1p1=;bYaVRP0t8fOjiP0+zw@6LNcx4yvG~`euoy
z(8D0qU&OkQBWM@J<Np$5N$ZYp0P_g?QyM__%8?cSoD=9-!80IGY}!th0U{Nj0fZn(
zaQ=TXV6(XK&lGbz;3IkyC<NmB_l(26MlW(a1FGscK4IAwv@fF5-r~p?bmJCW|KFV-
z-)tR1T5kk{C-?zv{jvW@DJ6bnA7;yc8Vf9I@G>Z43ldCu+A=2*{(_)`?EBuUk<(ry
z7F>Pl(-~1f--erRBBEy|b<P~maXp?i#T-iW03O?huH@KA+4t#Ap^l-m@V*CAO$4+p
z$Cbn4s~<ezK-fL}6NmWk4go{k|5(4Gl8-hQn=+ugq2uu1=f~$Z-*DJ-qQf=f^ThJg
zS5$>Q#k~y>bk3IL!k~)l^+Pd>1i|HMHz^0YL8&(S!=<z7&PYMEDV+D;h38K`+FQ=(
z3^|zg*uwt}tQ?C>NlSi{4qSzAGj*kh%cZAo>Q1V*p>4n$v}G472Zl@uqJM8-;k1N?
zwb*ngZ*HPzqhW7>uD-eK_#{97v!OJGu#?P4sgoXG7Ch$^wD;!=VYNfe15Iet=&xOt
z9T#x+y_8Ys#^grlV{-ICz<5Xlk*lAzG5Hno8wW45a?sLG`L1vs^PUik!0|usL4=sB
z9GO%0AK!(;f>D$vks)`FTEab53e1CCSzW#|gAk+jHXS1O=XmmXRPuOw@;He>BYB|u
zA;MlQaecID&lXw#bKk@wW&Ak}&QmOE>F<X<0gA2YuA%U*jkgz^>8GBe3CB!oJ+crA
zu+f#qM~!N0HNZ)?0WbdE{UttDr0zExv$DUQFIYGyr|bRc5JJm5VbH659ndB{X#z>|
zjSTR&UijNM2ki&UWWu8_KLBWe;%R=Ti>c|jSgQ-U7tcpSy7!(+WhhtSO$6btDhg;3
zP@+XvqeE`!9_<}lCFzY|vFWTN$^kH;piBdYJkC3_gd+Pd0(8o#QckY+qn@^dO`kEq
zk|~juv@BD}6BZ{Nz8}V#-8gpTe5UqQs29mR8)OT}SBh{I<{&2)Zk*IRCaDUW8_@t3
zPK6wQ@#J?>PY+{u8Dn5|D0KXCll`|Zg7pXRH1F=08wQ*PCJAM8nG>1kthyNSd!ng)
zxp`V_>5v@Q>HWIz`9wn~5y26TAt8SJ6UQ%_BRnGM**J*y+qr7qa_bfCjc5)m6Ou$G
zp98*Ur|Tc-`rPJ){e{MAC<MSVAuTdZ0jw6hupp3KS5C}&z5n+71E|T^6dqra2WkPe
z=WjNWh29ixZ;%?5WGV_qJSD+#<%jq|NP~pxC5Ut;ri`yzW{mp>f77L_P%QveKK-#j
zRrqPobkW6+e1xzz^v+bo@$ymQTcj&FfRWJ3JNsj{_|!qYhR7r(-c>5sEV0JNHis}j
zYhu*UO@d&#%a+@aG0)@pAewW+opA9*3)Otc)2uN=L`6rB=||}~t`wq&V<~vxN?3&6
zF~m=F9HxRZ1cq_eN6z*dUedT>Y>LA|QF$)lX$JQ7nA|p22CtA{@WEoC?0-*2R@x)Z
zi4{^ws53NP;k+RnaFhy}TuQp;<6;zWOJ!%#P92s%ULoZZFJWmZNCzA-U;typlCDnd
zFt2Wqj>hvmeS8MvDEslsz2W$X`!;;^2o<;FiR9zXNbrxh>bwCtf+)7lZDd8Kk(V~H
zj>yY{)%M=;uNnLm)A_z~fR!HkY=Ee?RgwoYFh4Me^gq|HocvYKq>WL90o#V)<jpuQ
zUNMuskFVKV(T4~$Jr&~ns+n0DUzC*<INv48e9`OX>l3u4IvA|Y*YRAypt`H$->L9Y
zAUq){U>}b$G|v<b-to3{c+s?Z_9XPK46+U0>)WT%<lAR-S-XxPGvQx9`^lfLxCPHQ
zP#!u3mxTmrrT2XMWmIhL!(xtlCius_0H&Rt5Rw2ia+2&-CPb;#&0pS2U%~r#sqq(7
zPO=fuRDGR~(nlz-;EUYY2g-v>LU&NOHJ3?8G6sVk1M@dF(*vbWP1~pA#H%jnnvc;T
z|0XB+*MD^1FNLfGSZk_t-(Wp>wUws%0kni+;tA5Ct@nZf-r?ht_ZngjHQ8)dun{YZ
z8TSJifYF}-0cN<UZffGRD{+qElujE7U>plzX<F%5x5!1|g(^+@pUSzBF*!)y|DhG?
zonZe7%jC0`Pt;hv!fR#!bDX+~S%G;v*L!&Akvd91YeUf+^6aY^DRA@zhCt~_ZcxIt
zkC{p}NAd3MK?toC;H{FgCX7n+!bA|P4UITZt)L)aN7>>l#Z%<IP-=1-R4@??_id<Z
z4h}kfm^a2nr?{Q_x;kr};-_75CmR$>w`Z^^s!M@9ON#?;gfzu~kaJvmxzhXwh3(u(
zC$G0g(s5Jf?j}+bXt2IZ5x6j31LkM=v8UOQyf+LKPGmy^WVFlg>LGWC(4TJ-Aw{Sv
z0V)l+ES1Q>j9_z9aRhs$sgLO>2|{*n@BUd}Zn3ha6Y5RV%DQgY21T5>LI2#>-&kA4
zOeheN21Yoq4knr~-BaVRN{O`iC8a0xFpEOK8ypU@7v|Imy?k2lvHANQGih(6-1jj^
zw0Ko0h>GOJDJbq^Qs(?FU2YWF6V6D1U?)(}JO)ldq);GM<dbTGd~!nO+ka5nAppx0
zWupc16f5Ku;3)O+3Md{6`yT0RLyZ;a8sfW5(hRGfqQs|coSAH1?MuBTDpFPPLlR>x
zKkY$W51%$1g-CWgt4>l!?0|M7IW6d@bCSSUX{bigLtt3x1+Mqow5#=2I5?1_=Q4xQ
zUN(L$0(HlTf*lu*m&7$>MXdrsnq0pqfUjRORa!yHf^}X3JPV8y?9KLv*}ThtkyuhU
zumK5+1L$r&q_}>mLgxG5rPH>3De^l%znuPz6zmO<Iz7_YaSyGaL7ts3*M;SI?=;r~
z6oc7sTigh+_}jMuM9&f`_{|!!9A8|}yxI13fUyufzTzNN4tUAB$civ79w_y0A}asj
z`ObvkJNy@o(}fcha8t5o0KK%(j1yEs@MAWnurmY!a+llOD0c)DKEp#jz-|nUl$?ay
zozANtg+w`NAgCgUH82MYgN!?bhmax;cQfND<mR3NI`p5*&ip#hDNrjaf4Lm!FaCpw
z803X=A^uw<>w)JxB5(q3{NUiYaDoh>qCsDJ@|yBcujDz7l;3)ypFthkcf8|#K~(0J
z@HUg`=-W&sDIULe9M!9_1zXMZkTh^VZa;E9E(n2MR?uY0bF3+El(^O?w<AuGj5*D1
zi9=xinJ*{^t^cw?I=Z4IrC(x&w1H86asWMo#bvjhgLw8^K#Ha3nTTBbOZD8RZi|Ki
z0?B?wT|&P=4%lmv7y6bWPF^{Ii=ZHy9h6@@g#{IjN-7E=L+*#rEHvANe4h})zh_TR
zJC%Q=BBOxt<*W72`T!Eeb(Wc;JxJy3&%0(8ErzdG04E#LWsL0asYwu$RH>;2n8#wW
z+t!0{<|?7ATu&21!1xcgRVb+_NG+9u=zUN|@yC5Wh6;l`v))P|P{Jc-x%Re%deFDN
z>1zv7+LfE7dAd;VMGyI(fPXHSx<xf?z{?v<GeTjMD8|jVeK>EC9|V2^b}A_*PyuLG
zdplVD(DqFX@_7nESe_OJGKvTeVY7$Wx$Eh-<!IGSMn#mK1deru2{-1QKq)j_{R~o`
z^f%)3p=%XiPFyjI6T1clrBE?Nee5sdv)MU#1vcs@sSv8A7vH%+yhm;|&m^?7e}Jk-
z7+Bx-_&zdwB3Nq<TN!d-AiUCL-La4sM#0QTK`#bob>tt%-m;5VPxLw!DME7Qu8uKu
z#<XJRi~L2O%YurqNtl(q&vAP~0Z`1(o{<1$iex*7Q4$+tCKZq-Zz8xFFI(gHPl`h`
zpqnJ$-&zMaBtbCI25f3+Y;OXFg#HeM+vR_a4CQdk6>3D#ks!YKfjt5dHqso=VX3OQ
zaQDL<hL@;72cVF#R<6Qik-Bf66esobEW9(_Ws_uKZLSZQNmMZPm8|a@E4dIqnRxvQ
z1%2l+PpK6^SX&X5S%CX?&)9KoQ6f|cXh3hCyTq0oaB)=3+7E?*%E&)8D9^GPvV#KE
z#g&&veeBX=F6yF9Sok;4AY(VLLgd3<E1QoBNCjm-Ra`%8I*`UBL%`q!JXS#>$$EyY
zKNMoS&1k&<LaLMk!JmZcGJ}q)VI@|C{tn-4J{cmFN%uBH-W`z7%_gYmn*cpCXDz&B
z{#60-HOsv3{_Ei(;0$QHSfkEJ$;3bw{3?njKxA;FC&#R+%0TF05g6LZS8)gAWxzZ0
z?C<^|370$E&yZE7tS9t*5b7%i1cF?3#*1PC5^UB-+)(%cQ3rL8q250ocZU^%J6KQf
z&@`{i$#HtxXeP)1>N?%D56cxlDQv|#+GXYmyIBRnK@`FLqvV%?!3-X3eW7%&HQ+lG
ziec%I7He8q`Wj;7YjpT&ETO&SGQ&3?Y@pUPXPDDyW61}CHH`2E!}DyQ(HvjF_m-D`
z?FJhjqH0QZg^vEcVZlX5H5&sBB^l$RgS|1GeNB#wHdb|Xh?G?S+8h{;=iX8r$;Rz-
zX;g=aA-pDPS-J1h0)4kwh*dIod*ft#_HD9C9G8QAtW>&m=jdx=SF<mMz9P8OZT)%3
zFXxs<ONf!pqT8eK`5SX|#LPh{LiItOoS6d@Ku$NgQ)Df^epkg?wGl_Ht#VP8*8NP4
zyT8Y)U7G4$k58MQnipjfN*a955mpObwrlfv&BHHVMW9BVx`V5CloF{+)G|4nY7f99
zCwjCdsUhnQ+0&xG*${_H9L`Z&yr-F-$osLWJtam)*KS4?>diAs9JS&8oLiH;bX8?J
znh=arLAT&{xAWqHZb@bYfFT#+&AhWS<E#D*7X%Ttd$tRG5iif7e{4=WF4}6^XdAD7
za^J>RRnq>R0Q0)Z+RMGbtqWwO$|lLR3Y7`BQVA0RMQ&c1qx~6Rp<&CU`~G-EQQlcK
z5m<Fs2DXXM*%9EDSpE*xHHpku_nYe%?KS2$Ocp&|3|`G`x!I|>NLDtG%31zf2M@Aw
zEf-Xw%FM*=R(F&52DeXN-=b|};Dze^tV{P7?E1Ch6CntJN5u4*kh%mY7O`$$;O`gN
zP#6Vwb>?HvJx`eHBZI?#S!8;6gC20ewOF&SQfU6jXEh|B`MAz?9KDB~wT4oMgWV7D
z_r^uVA=WmehUN5$x)=m&TxIDcNDl0|;V&4V#8H{vBNgV+pOPZb!Lvq%Y0rCGq-3oq
zKh`2x67bOPc9TldIl!`Wa`=&5z?&pm#mNSIgF4z#-VIGpb9?rnDKx6Wb&JftH}T19
z;32vTNK`1p^~EYV0{S2*=YAi6vmRaL_Ixy+at7M0xAX_|e<JWlnpO^vAN?-~=hJ07
z_JF(URLWf~=Mt(|@i&AF!OEoF0;_-n6n=){l*1lNlV~G5pjO9XuAp#C9MXjD@}-wG
z4<VDq;JM0s%CZw*+!Oh`H?6<Fv#~$;S&N{$i)nI#&;*&z>7znMDj4u7|D@P8p13-D
z<XauF@odgc?>uEudE#3f9`SyNfrTgf$Xn~)hu0A7{eT6=e!~WJ>Jw!83pV|q`!{X7
zF%$$C@jA)@NxH2pARDP3;NM`_B0Rt6<x={j{7x;bWZ@$CI@2H#N*ERY1V_3;43->G
zT83gkw0H+gl8FMd@?<{%oJ_EB3<Ir6ooOzF{i1f0YN2*EpC3{X8bA0m36dpxE(ULK
z_~6Gta*BJ|QQGto!9BTn|4{~%EK{Ah4Q61z<j>YjjvS{ih9V0ZQpuA!x_t1Cj8GLQ
z3PoFFs=!F_UXm6qhCU_t(hT?W6AO6h(RV-U!4k2Y3j5+{C^-SAn2doQN@6z}tlje~
z6<D)hUc8|LDiX#qU=XzKB>?<!0NG}n5TZVTWQQ+#WhvI)DmQ!0<i7tq*&>Xp%jf!M
zG)My_UsYE?#4guOqQ8!xQ`{b^DM@*<y>PC&_&pd)G~PDjO*#fX^}j|p|6JDQVV~NA
za;)816T1b=S3cW}7QI(3(a@gdwao8DwOY`a^Y0chJr<XnyW!zQ4tmd_?l<9#OZL;f
z(+DdhS%TH<59p*p>l!4kbl==vHvVoRxIdO*g0Ac4bz3uOVt+X`A?j<nG&lumPMD@Q
z0Iiw?1x|a*DqtaZHYa3?lFQ$tQyG6=+}TtnW)$=!m}8~OAL1mxFQM6ot%N}^G*H?k
zJN*fbAp7S75}}1VtvA9(RT%@I+GRiovIsBfy&)&UdrtU(cXNSYAXWgI9uJEqvOdD@
zcVUBt{&7iKdNREG;e$w*SiLHH#E3{$2wY?C>IOlD2hUchg=|N@d2Rga4e-T`dBe6G
z3`XMoa)03F7Ib~(01cd=>Uog-`ET7L6d+D5(5I^+1;U`V!ta_*;v``5J;p-O<Vcvz
z#@EdYpK)XP_R1885ZF%wbV_hS-o59K#kf*1N*^FV7umia8EC!nJdJISS9V*!^)d#B
zN(`5TJti}E3L@`RXZl$oJrav`ZY%5xiXYBlDFx@ssf^?x$mc5FmG!?#vknO&{e%<x
z`IDY2#0Kk!`P1Bq4M*{?x3vTtF__o<@lW8?7TDHLso+Taa#T)CRYSG2y1yPMIlWY$
zyf*MiX91Xb`^gKkkV{)N9yq8E2FFU}g&|Dilmz<|Z3u1~?Td`7^m<R~vEjABC(n@Q
zdLV%zlTQmbQ9=;lF^d7*u6Xu4tn(zKgLe`XmaOn(V>g9i3xqq)=Hf6<6h!D%A)2BC
z&~iVHpTIIg7eDwhr8!*oKeMvEppL<>$oO1l<C(<4EUM;rhpDT~iUjT-eSxaL`fA`k
zQXH_AX+h!!%5|tuP&#^<2VGcLK0yUS#%>*Ty#5!p5yb#v&#b$<TkGKEq?yb$+6e_t
zaKA!T6-sUg#^K&7)dk|WlJ5Z~Mk{mj&wx-X!UV2RW#?VHtWA)EM_d^VO>f!|I_Y<2
zPTgp~U$^p|>Vw~bRqQ!nOt;IB&M@>bYcC_;v=Rp-04oYkg(g%{IVFCUl!A0h=+%=t
zJ}D3(MfHNdVCF?mj%P~EYb=tI_Ftgd^Jev9B7ZYLxv)h$5tk*h#jemBq8ac)md&GN
ztB;D*$-wI6^$Tvkjwhh+<lAlMv2J$ZyO&2Et?Nl@65LL%o&XGiYPVXicR?EQH0;TA
z5RrWaWBtXY&WU-CNpAdkvn+bBceBA)-S`v0mf3`VxfL+a&hK{y{1(FU3poco?Fx^o
z52g;b-iW7<e7NcC?2Zq-{%67GZ>F4oM=@*YOMIGF!26FqgY5E1p}w}0{FU^$_8nrj
zRA+pTch+$#5}Z}%1n^((lHfL5NA`As?5&uj-=?eX#Iu%XklWU^?t*$Kwt8}~&(#qN
z&T-aWYm`p%FY`1xuBANkZ8+Zz1K6Yc-UwQ1`UDpt)s`Ep4gGx^cBPJ2^jC@*DV(+x
z*r%%tv?DY-5X&L}sX%Al&V}!L-zU-lCDh>GeL+NQ5#3qXyHhGc3y6G#^N<P{QKP8`
z2G4~KQJrWwR{a1^k66aS@&<P&=i9FIv4BDvHE#*u>7JqS@@8=-Vk{{~|3GqhPIl)f
zqi*U+^gQDZ%TcA5XFcO!J5u2K`!gThz8+=0u6mIG<+|I)=859=-{Wav5B91qK8j5M
z@dHic(lA_xGz(QuW|AM2vQwXU&ULd}l?r*@yKq-M9UABvq@4C2z6>)jre&Du4{Q!S
zZ;b~*0-J}B69^=~vb)6h6G)Jn#vNiC6!9eMM5wjbnQIlPx?>J9Djn^K5kM9unJY|=
zOLaY!!(}oGN?vg5AfeMqIt--EjA#cSkg{(`Ob~@qodb|8Vp)3NWO&xeSE9V`FmL->
z<R6@461VyH@|Y6JbBf@wO~mQnu7n3Llqm0nZ!pj9uP~$H$~Y`yS$mMs7>oMIvHS#X
zu0s46lwO`0?K~4S{2iH0I%qs_W2l@!7_jIE``L2^K#3OdKU)ByC|%)ajwTtJzl4<w
z5Bu-|Y5vC(OPLi?O7v_iK;r`iP>f{w*iW*a5IL~8lR^n2XqTK>zMCK@>~N2l43VB-
zfc`a)<1Q_hSi|Tnk>F>EY-{6v`bv=Hxe85>v9j)V{%`E;8nS*OB8)&}w7v<LSA;ct
z`kXFEcZ{|DeLHFNwu>M#CIkg;R6L}nLxW9?lK3IhmQGj-or;dCU*SrG>8s3<Tyx3+
ziK0e#DI`ubKR?Msd<j+vryGB+&bFfDw&*N}nCsW6OqoSlAt<O)q=#{i^?_s_p7-0A
zB_b+C#jC^)zazUcy?x&azYyoQXxdaoTGf5S7-U$B2)sS2L{U}#9(3&SHADoA44zlq
z=)tl?vLuLbogzXMfSu%Z=K$oeqKLtPY2aww9zEASnV=0^pRAWL!6Ap2+;%U5S!mBk
zr;y5Z<Ycigta3WYCo=3X)ZIZOp^gQ1;7A=qPSw^+QP_LadqO1f6o8q#92%a00<WlH
z>Oee5pi^$oeX)J_Ye*f-&M}uQ1%NTJ@E|MA%16*;miC+KmetO(AHDeA2W^H|cdQO#
z6CdD4EYd)f1o|A~xY=3=n613{s+3B!{`@Oo*cYkeKFGy6&HS$YzHlIvaQVhIK$=bG
zzB@qN)Un8>LK{x1eU?x56+ktT3xY|Y>lgT`FnFJH4yf<pB#;Fpfz=n;eHh?^r*eqc
zHKYiTLinJAX)`wVN7dq(_55-Yf)~C4G6Rq$B<i+j$6uoB$8%@hfoK9Mv2;rSbRNdT
zs)fj(Mxwx;)KRkKlx^))=z){Lp6_>E4fE<w1+Z#C&~bF-;L#%P)@#BRJuhOj{6Hj(
zF&71(Wq?b<|B(*XH6d_`!|yB+tS?*eLn3)BnFJ5fc4Tj(^}#<NuPeC@n;Rx&X`1dF
z@!1UC-wb5PsOoAs82~4PnwHxMX4I26c>pFW@z80D8(*996UG?7HShmr=oAz30m0=-
zxI@sdy57|doj_t<`R2=Jvi6psjH|R7NLOCiED@K-%BG|$j`|xbHTFlE%Vk)6gn5N0
zImF?-P-EN$gzy<Pej_e*0dB-V^lK!l+L*eW3y6H!q%<CulF;n@S|gOwA6h-Cfrwp4
zoDz@JnL*4DsjDQ%4^_HsxQnkUwS#2g!Kh>pn}GmSuNXn8CT{{T#*LhI8gLLA{s{^^
z`UoO&z?ZndDaL2buMFbhaDUO&F%@=XUETMN80qK+EIRnA$O5&k+*>usOX`+#GL{#!
z+*MLEruY%>mo4b%!Ax5nY1kT;vV&O0>RuA65lL`g0#Ab4U-%OjU)V%A(VzE}1SuCr
zZhnd<)F1ASd}<23G!!-Sf?n|LgnRCzn-P>i?6-B31gzV3E^-?NzxKbAZ8r7jS6o2A
zD1XjQI8&J~vaZAs#IITDSThfIx7o#Wn^G7^wRmIdXz)csZ_!aud>!!weYweeYg8R$
zNDz9ER^s{gG4h#SYrmssVK*HFLYw3l+W#z^_kskGFB3>XREcAa3_?*)<6l=?$)`&A
z;A%k)b4I)P%Ear@YY4JzH$R<wt)jdsy$l~D*~$13YzEa=Q`mxt)!u?p0ST<+PUkWK
zpfq7zfCrHiL~bgDF&uP+cRu>p-nu8S8@fR7i0wzIloAz=u4iQ+5xR+$i#L9_pKbu*
zoGsg>6r{!X$tk$YQy(_ctz;K4fO=rJ|E|5a8H3*6hP3$CpaCef@Wqk@Mj7$2GJC=D
zFJRP^i5wDBa=!&zlacORGuYC0f|{?M;e9kIgkWobCX7OXrWQm>us^9p_9-G+=t(-m
zP>}5`_g-4|8899=!b)gC>F(bb*TJ?J{iMV$?nGW@4q9QL4D9_N_O;Lz7{*}AVehlf
z*8jIcA{@{Kv6V)P6dq<8OT5K(6OQW-FlkM$zkXc-5w~#nNh$oDx1TsoS=0Fw=<cWi
zf8z@gHXi23R${uyNr+?y3tzZ8D6+}`9TVAfdJqK&hk6<(e{!S{y#n?|NHDkmg7%+w
zi5l-sNH07#cR$SXD*Bp%CI%Ap+aC~{DH$##nB`*j#?t!Q;S}&B58?GeIG;adMjc9i
z-1anCBKEF$v>*~SMUJ#k_6=39S3KB-un+IgOPFAWT+!nuocvT{0+3qhjnG9bQ$Yn`
zSoRuxI(mI}_my=(7?6GrUwx$N$_D{+RjRt{tR{?+7A-uB2A4uNMWKuIgtg&@EfeFd
zV-Trf(&@7^lX3SG`(0K8BN^DlYW2<XvaX8yu;3w3n6mOdqC2?TV?qn0!E9&&P|(VC
zN`Tk&h#2!R!ZwxxM7%Ik<*qes0RayPv4YY>)4K%(E_c*XNOAN-hZ|_{{!9pJxe+P}
zp?zEv*_{e@kc|ZkIj$*IDm{uG-@vNNX~3Y}*5Y?o6P?S~ewl>4A)FQvj>zKNZn9cB
zdbdpwnm3P=O827|(?eE<X%VVY?*CU3*6QK9i$AVroC}0Pb37J*Ny;1nXU4&PvXT=V
zuf<ls>a(iC0F$VB@IfvkwVg@PvIVlC)EFthf~YJ8y=-Df&z7fsDFmPJ*TlN^4n9Z(
z4DpHIhXlVyxx5UgCvl?ZKXN)kbTXJ4g<Sha6?X+a-%LUUbD#SI((+F6E;;0;c&Wzn
zVl|~BM2!a!dW3%DFL56}&SMIrzn+TNjNK6pYiDZ`L&o;s9Olqm=-44%9k`rv7@-pE
zC>uRIKA#F%jzh?~W8$-rOuy<zG4iKq@TjthJX3UmqZvOB;47Nv@^`I*c6iY^G(<DQ
z*Uu<gszO|xpLQ|?UzZRo_imOL-PIM|)ox|w22oZig8QQTvz<Y-qk<iFLhrBK?K$N(
z<%_7Eep?ySGC>qe1xmqm7l`7ncNN$-%fd`ZX*Ejqx9Vwq{`Q6*6A#s7wIJ_TrUy}k
zg#6{z>c^2lAk}<)ms|14KI)G2R?1NEJO@Grpr3n&8>z&1V9-!Ov(yb~^M)BzbI*I)
z)4^aI?D`T~>>&xCSyF|^ihVJ%-3Px9;E?V2rxm8#CAa|Eeg)jaLBRj|(E##oW{*Mk
zDE+^;h9c3$#Tmv>Du@Lnk9mq_z@?J?(=!UN|9Wh@!L`J3cQCwJ?~OFlq5?_dKQzh6
zx0GV9=vH!silrlJSwZx!dMM-*RWWsq7O6)dc`o?e<0N*qqbHyFO+}Ac^!m=Zng$G#
zSRix!?I_zzZt!+$zQ`j3qTWi(JlH&_+L4!yQ8Bj)E$(8k9E2nY{qZZCyRd0~c?YkA
zLCnxF@PShO{25cG#nIx@8KQ8GRWG$GN`s!QC?iqh`(q!#O*bs5yS^iwKcjF23K0H@
zGJZn}rsfzk2M!}1^=|&>xPh*Mt;CrhHV?>e^U23sPv27l%LNR`s8Rm&w=E8=1N^Dt
zFM(i0Y58-=-8qA!r~Iz6AdlT)KrGVOgGP^~asyDOW@EMFg5jN(H}+aHy!|3{$ZzHc
z{#IAhPx{elq-6K4fH#0sWzAaly}O9IM$0%A9pG-DI&qjHf_WzCV*J~{m7UHR=Z&c)
zpQaqB_F7`<J&Rz;vLBYcc%eY|D@Yk$*z2wrJC9{6zt&9h(F-b<s2WdPG5GuCZT9Vb
z$OxUE@M+%j`ng1aKmmkPSi%N$j=5~SR-*}}m+x*i$Vduy7GgI|Eh0yJ%~yo)&DwQx
zn(qw=AY=CPn-9}JzHL^!`|Z^g1K^tS$I>6~ZDcU<;IJnanggh|MAD5BLW|q}HTyt|
zm3ZszRp`uG_WE%db?fEB^{SF_`n;Q@mv0U^sR!I)pq+7e^u%5Wrj1gaV_?%!_m`WV
z36iW&wodD+7uq?DDrs`+D$-L`P3*GFw(-c0iy6oNf(8+)hV9XRrHzG6uO6zSc51np
zb5Y%6;dGp4fBer^e?IbdLS-nVjCuUd3;;dcFWF+q6F;&t(X{UVEJE~!Sy3I4%Os;=
zZ74fF1Kd=MjA;xv3i<Q_?t)RYY;`d%gHI7s)vt`s+5az5(UPAw>d51J<~{IpLh6^F
zimV+-CsG5fCu$u$!65;95#h7Z;&UUPh{3QGYiYdu9!d@rEe8V9dTa!=$#M9yCiF>R
z-?SnOUBJXapqmVGndj$!=6#Lo%#(p&Ar_bxste+vs_&Rv0C46!c~e1?N>2k6jJB7V
zKk8kOt1Q=B=psR=wpWPm-*P$EZp!baz{C8lZ&Cy^qPPXZq}?<8GMW~I=>8jQfy2L-
zR!R_^^<2O2zgGPCpE+!!So0k3>l#abL!8a$q7HGTQJ4uqQf^Ore@evgR2GnA-r0hs
zyK}e@IAtLgf$un}qc7}mH#y_hzum%JTUGMP%myF-6zzloZ6N*o+)~h7jtXm=zQJ?a
zY;BejUgU#p_3OJx`OzS$oz=;wrv=CCNeRwV+v-42dX?TVV*Si$E2M9CXVFg<f-fY$
z0k!fF(LZ`QkVYV2ZtV~4?HGy26JMSxS8QJ1OmBH%P*My9x5{ApKiFw1pCE?ZS2zz5
zkjBC;?mkI|%d~Njss~=NOY~63b(fq;NBRp|As5VM@8d-5<$b6NkJz&DF4W<oi~IWV
zTeIE_Fx`<ojTQ92xU>3?^hR6gyI7mKtFyhFvN6mE{WX1=q0f^(Qxie$;fy3{iM$z+
zCB+Pv15JFK1KN*&4Z{R`14c#T58bu1?{%iz7}*8yV34Pd2*KlT_Fs?kN-5~tY=~zB
zW->;!3(cl6?y@jY6u1wm?W{+8OV}dKCb^IFcZQ8>o?{RU=Z;36=HPix^BTe)jAcr=
z%wTchDMfneV-Ngm&U@eiLFM~2yKHIFPLu2U6?*A)*#9m%PVKTF^qnMiKRe({Flhah
zD)%k5AhE-BEI`~+^WZo30Bs>=2jo{K4{n`Oocwvoo}C&4_lWxb+c;q4>R^L#)F&?E
z(d^4_B+{Q;(;1r?J;#;J@D6DS4)V|HTnKwKWR{DjaWYLfQB_US`WR}~x<wCr$(v{p
z_<@U%;`ZeS^)lj^m-^R8u-~5(^O-AtGjYkyQr4Ob3)n$DC2s%rz>$d&*z1uv3>Y7|
z<-el}iM(1Ln@=dXhbE=*RPr~sh71X@%ONf~CW3PN55*M$#$w~1W>KR;1M(>Qe#FG6
zzA)YUV_Dsg+FMfBAZZu*aJ}81I=tfFdJPT1dz^0meQ$V*GdV&Q{KJ5|rX=v#dlJO_
zlWQ+VX(bw<UJBZ5=@28NrwH8VxR(OlbIJDF*;Xsdj8KMu$^JOHSbV7`zENYJn`R_~
zc;WbW6HXK+gMG|5&g%WU3bXSwMc((R#YIPy$Lau{vE2d;9)qLt5IDtk-VD<*RoDyy
zGI-a~ObVqH9^P3C#;o;O@!eLpvdFg$La)nrnqH8)Eq&7Yyb|)R*yyYK8GwSYByTPq
z(9K~%pkf{O@Aa0XIzC&;czY#$))<K941tq_qo=Nb#QV>s=WdUEHUn4Q^GlZ4xZ6L2
zHCC}Z^vzFUM%a5OwHVDl?F}INZ2?pRb28kyy(_1=82xHpQ69JDE~6u-g|RdVkmFm|
zL<y#zHMi`2+fQJvd=7kv^g7xO4t-B)`_gv?fH<XQ?Y9wB6!?o^EmET46;M(}rYYA+
z6<`fXTKwLY3!t3#%(=i+;wgxA``$cp*KL`7C}Xvfq<^N{db9fvka9lq&HM0JkIQ`{
z;4sB3W7tm1CplkX!`I6<z`kjl_eFJ#JXsUWHiPZsPawd3U7U$|0PKz4?x!_KR(}A?
z&U(YQS9758TU&)Jr6qPQ7A&YjG}_b`47h32!}zS?x(ZPQA*56QqqwuwV`L(cs4jaF
zy9ZQ5>{=N=`h_`CoG<vUOLVB$-l}&Ogs(Qm1caKQU7id{yHGr{NU>x@uKY!`V)~2x
zP7qzc9nSV0PRZ`7<}HOX2R~Tlc`CSwUO?ASa=u^_3eC<m&CMTtmj@&ktdboL)f|W-
zS=-DUeD7d25!H@2BAnRs@c03Kz4>3<cOr=&X0#0d3nSv|ju1zsL@al;TYs;dxQrL^
zd|;o|w>aMebRy<t4xhI3U+Y~=F1bnE`pgAYAZh}bhcIwxE^sGYq>xvY>*nwW?|ZV>
zVF4596Q91H5GD44@h1apWPa~a1iNn857i&a1g5wB=2vzbrD<Dww*JNAiYOr!N+StC
zir{*my7TTIVfY^c7@G_};P`NK;kwVs*Sr=Kh|)ZS?~Td}O~NQXbw9$^wgkAg&N#=(
zW#6dvn82f?BA34&^$%iJ=G08MmLb%ncY3bCpV#ln+71RSVTYx~Z@71=saA<r<rRDn
zs945yFza3O2hkSro=x1HiwRp_&0}Pf{EtjN78qwmvmwOj3s(&^)9<WsU#m1`JgCoy
z@s-$<oGzp@6@NEtui`a)g^a2&M{{^*xPs3FfNdfqxqx^C#@95B=7{-zA-b9H#e2S?
z7J(srK?2>){2SNZMAO1P7;n$XTMa;C)Ae@?RYo<yeAIcNS;KZNqs%u-eW9=F)8!v{
zFFt!ZIMn&E@jgeV%X{O-;8WlDX`5$a%|BMmZL1$SZDCCmdE{+fiKZISdDeA@W3BWH
z#1i&iZ2G2E8Z2}}x>$vkN32LJ6-8vBRVX!jM|LJ6^dr11Z$h%-74TiIJ_u*B;{lS1
zC!6D@sF?is=R)mO?(@QTG{#6FNs;|_{;S8C+f-0TGRxhun8$um2V@b(Wz?Mxo=JVm
z519BSQkhp-f==sFYu}}c+a0m%gnT;M*2@r6r-@`@&`HnWVJILkyZf^0ngM6O&yzC!
zm;0?sIYPD@J*if5B{hanr*l-5t~~GuV7g*1Rw#iVRq*eQ>f$|(nTTD<ETPtqurn2@
z;OvNXUEXlZ0?J(2eR?Frek0<(LmxTsH!9vQcNmhPuWk=a%E7mr|9j-S5fsz}#I+rg
zIu7#>2KTD&m57WJ?ZbpmyNw!ND5{90@wj(nJ@~FpH;&a*Xr~=HXLZ~qp7n<52XunW
zG49wjwm+0BE!PuvwAU5VAR~P4d=u5qYLo;ymV?Q-`bFs1uk~^L_*7VTjuz&gVEaes
z`~mj9>cGA0UR9-C8vFev{@)ije=V*X*<qB-LQ{rldLLysiYzV7%;zP3MfzC-=2`k}
zpKAd5bUsX`nGQ)PrZcPh(&U5Saeq%Phq;f4#7e}2n*8v(V^P@7rk{jDhOWd%VEAdy
zbOF!1Wv>Bv-bHs*D)ko}`T=s1=uPW+Px)!!vOx;S((W<wL^zWa2aU%<Jo9cbl;MMm
zg5)dg5EqBN9u3`%+xpwF|6VQZ{JmMsAwP2Un3Sn&D^&%u0$+2p<W)(#^lU==7`-yG
za&vR#D-P!t2;~a&ksrJDG!?7lz<2hnvfw-2rzPvEw(nEaW_j+lM{`*7iLdR-`!F#C
zM{qeuHSD^X-0D23Sw7Nz(#7WwVYv31M{A+$Z3q|_%9z^p3M;rpG);e^`f8=sH4x_P
zwwZG4yY&6gJJh<~UN>ZZoyfEg$}Bk>6XDL(a^#|BLTnnFuCt!Ab9}qZy)*r56B07U
zyq=F#AQ+6yrsSLb@Hs_Fij0-H(wuZ%e!IA{N||<)^!`n$1RtZCc7?NMp_ZYv>og$x
z)au`gi$}P3-0jV7Wqi`EQ@dD>O&8ZXp6nif{))90M>3o4>iK))tmI|G<ReOF%y)WS
z&Wg3~lOic}qwW`oL3df4osPhhw&iNFj3Z;^v<kJkHE1{<KJ{+$6}@QjIZCoh?&y}=
z2mahXLfPQXxZS*Vda-cs=2KtKB(;sE(BmA>G^kfyWSRZ{o|jfg7bI8IWMl8?c@}$#
z$Q79^uJ!f0X|Tx|DbKC@j{S-yuq1Z*weH`sHT*074n!9_CdoLv$ztR-&um@b_gPf9
z?Qq&;rjz=Txq_95?OedAUKWkhzcu!szdCoyZ+CO>UVm)ZA=7G_#<keh=kcq~u}wkL
z>Dc}Wy~i{ei#ZHAKiT+TKNQz9Jvo)Xk$^!&&KvEH8&&0BGJ8xE{8ATuoY5&pY_l_K
zv(D!2sjH>=8{9~+>EqU#YZC58zD$>1MaqS2aOE7aUwevCLRxOVl{~n@D%SCLj}Krl
zgT>WqZ*^zqsy<^y#M+xupX6B1!w#>yhr(s;J{AV-_Dxrnuvq^i*a_ccwf!xZv*X6>
z2sYpo^rhJA6vU6Q#%h-pZy+Lj7r0qFyB3Go*>P4PVUFIZhQDn>0odreL%pe6LV(cV
zl`s46FW&fd>=YTkXsc5rZg8;eA0L7*DiDo|ygjb~&$2xE-F3e3`*FYBFGz4nN$Hgv
z#l_EIPPmGVom#BOEdO&P^cjfYj?vC|#l%0zK&fhYKd*80E-{p6K?mYnX~Y?U0W}JE
zF+bzNH0_{XcSaJNk*M0?{_|PY36(KWGBwBlGdZy!NoKYVL0Bc+bL_h}^=Y}ugXOsf
zyAoNpwt%oHSZnZEtLWiL4zGSz1WD$feg9;0UD1tZMg2Iwr_|A`mdi6E4DHq(G4EWv
z`gJQE5qLWjsn8yuT=@_6CrQ<ijI0c=Yw*->+xp~)DsTJHy~H=;Q>cQZ_&2pjEj@aA
z34=*Vtx+^1=I<cx!Vr^r&-rw(YB~5R#2}sH?G}1@i_PH$1#8qw<$q;AuYPa`I<Ge5
zp?_V%{WztgD1zv8%gz5P&UvwX9nn#lYI=CjVZ2iTYT8719XF~%H+<2DWv6gnWcu_m
z$Y2ohui-!LS>)h#Fd-Yu!xLA>&FDd#!K<M6`%Zdc70GIMKqSHvbTdAtHm5-Ch8MKS
z_M9F6HACE<{d@I;;q@;VWk!xN^4pV()XlDIVU*!39!q41s*qZ1-lOfo(1)lby1wQH
zraO967^*FmliwzDqdB=g(JcKJ6f?q+D!k+IGa4Eg^`gWKGxr=w)ZrOK>9;l}n(5Ll
zu!?{uiplS-uS!bjL<P~um9^ZrY&Lh23~$b?9pmUZj^FgP_yRBXUjI*MzutE@j-*ED
zoDZGDQs>-DE+vHZ7zixawl7fM@zNngwU*n$ImW=`;gTZSGqGoC75gvrbAB~fmtkoB
zZn1<p`qU_QEYI>%AlUsUfzrcFr-h#QABFz;hpuZXc<p@XTehY`Zu`ZbSKHaB(3h*H
z<wbCwo_u@lsXqKLJ+Qo|9(Vi5xm{zAVFftigSV0;^FJyal|TyDH98jxwM`$g@%M|t
zqkX7Wbk-12grjs<(k*>@>KuB_s$l*kp(Zma<uw!fOv$M8`^|HtgMFW$njnG0&y6n@
zS+cuBaxg_`EAE=d4_(waTL#?xyq=InmtJyKod!|4*IJ?_R~Fs~v(}`aaOlNXt08qN
z3Mf~6{l$BK<}Y7wu{e-aZgLF`X265#LA!J9lH0#Wx?DK~SLwrCtN5GGcTc`98nQhx
zY8CF6D!GO}kHct{>^$x;DRwqxD9ts8$ClcB?)S--uk)_LR85T&CFg$?Iml1~(6ei+
zIa<8*_H0$sVhZ#R_iBmO>6<uZu^r2$>&UBZKGbS>T3SbeF*t8Zm{03vR<7m0>`4`h
zu$J@hy339x5$aQNW!;Y|;?G2^Xe#)m8VWDmwWdd~IR?b6%68cm(u**7EBd1+PMsa>
z%zavx*I_F40*gEL=8O06UXS8Ext0Mes8osep~us$-_B_SgIeQx(+3ALYNGNwYL}Tj
z0=aM{GaRZjslAj%mEu=G%`U!`>d4KFmrM=^(IXr$!i&u%wrJ;!Bja=Pr8$~0mKAcp
zqfmt#-1SH#166E`mFJEzD2Qj8eWgb!^5z03Yv&gCaK|&G#mSg<wU`!Zq0y?yNX_2H
zs6%g^I6zT%BExr!vUt^Lu%tPIy*b<p4{)Rp5>Po<YgkJj8^%#WXkQCwa58b3XkHud
z@iCGWmny3qx<1yYHB5M%6<PzSzu={ZWNXiuB}ZnWY|=#AVcuVswXN6~uqxg-<=Xpi
zh>u>?I;1S`MMtsC+0uW&mGZJZWlf$r#`vcuj4<-jFWPl9^`XQD%^bJ9h@LdYkpX5;
z>XPFAWX5y5Ij)nS`iv(}5@YV(ZLCzShwPom&Ed{ugNi#ln;+BWi~dTJVY<HT?C<YP
z6@I_94Aldy?L+-pLRRvMuiNSXM*e1Sn5|nO?`PJZ0VSFg*)S&0at#HK&<23wv2Bnp
z#m~J-`bCYlOU3H9yEC9m>9)0VftG<(=f?dr8QgLsDUIyE?mmttLByJM>-V-5f_Vy^
zsFC3Dt6i&c=G9$*p%<1jVO%4*jM2G#N#zD{!?h5WK(GOpp`6d34s~@7-JvaN6<L7k
z^ra-i4?ZU>H#jJZqq+SqI)z!LVP_<H*ASdaG0n<<OK+I_<9e0fv`wfB&HwyFl@fw?
z*;!v`-B~9OV{#fgg|OPjh4>zm|Mgjf772cRqTPi%Bi>-0L{N+|5`a2<wyBh*t~M6B
zwKbdlX><P67JelD!QUw<idM?4UhsnTM8pDwZMohO+nS&{BqsBI(46tNExX3{Pd}ST
zY4RR*xx%ZXlkylKx!Wu^7q59dkl+zxmjR8q0CV5U`#q{w1`3Zd`KDcPSdpHG?oF=q
zF;<I*U1*OYSlx27SEt|jXuWD{rUhh+gTq|EB-coCvDdC2h9)HC{-Nrjk3NRwL8vi!
z-cNA6+h4SA#&<bFc8G(7$})m3PTchHh|3#3r%K#dS#Pn5+b@^1gZ<w>!({(aLcT^4
zdE@)p1wQ46WALm7+1{U7M|O85mWTQ0@4wMHx<!oyj@(}D<aw`A>fUNC3kq*j!f&%9
zbBs9ff)g0FWZdm)2*2}E=i>Muq#<LA3l0G@C4Y>2dm6F`VBGq7W{JLE-?|@6PMT0g
zr=9hGVS1i~ljL%nq{#g~MvXawCa00!=yy&DAP&Ng%Pg;cyel5htGxLe?N4J^DrJf5
zOluRD3DH1T0zMdi8FMmPO?!E%S5CMjgTE<fABxg>Y}<41{!OU<i9sy8S*lVrI@t0&
zmM<FWHi;20Z4Qnc|3S>P?-nu<g~2L#(K^JU#H{QdcET&41Sy!SBqUxUNf_-;({7JV
z&k~Nx&X*oK!ZeU96xul+!0DNp|7sE5WMO=0OKIv1p^%V=fstE~5L8IF7mi5^V$uqp
zcm(CekGhH;Ti?_(mSNW1hRByCv&%y-O~Y0L*qcKSv!S(n9i=t{o9FbZ{#aJ;`jaGK
z3*%R!*7ru_&yM`eji>>lP-I}nokfC)XmNxS3wJ$=+o~?at&O-9q-su<JXKwLQJdoC
zwd+cprd?c~E_njqWZr*WcJcV8e9fx8GKVLr8q9~4i}PDs^Np!bs<-?}yr(}4#>h)Y
z3aHA+{7S00Z&3;Ul^<02Tg`_)s0?jX09QxqOrZiD$vJ8Js@!Nf!)4jmoETN_Bb=i9
z4_zujF|lAOzLiH>zScgoyO(WhG<L*CybMqY47F-fv(K#qyRC&|lf+rcu;hyl0RrpJ
zk)}hV9j#yo;w#lECyz$zN5**tAAckc?;~|We70Q9+td7h!Z~TLs@$5}1*xJ`bvDH6
zcSZRbW*Q}Kw*1CWZM7Zd{Y31aq{QKydlNbNq)46UdkG1%kAF0~yhaSMOI&^oCfn~(
zSAy=|Voz?M00?fourFmz*hK$AVFc{0&}Ui681WANIR3+s(PhKOTC?Y4ce4<GodD9n
zAG5M?!y+%@-f~yHspB62xWD&3n-O%@xNe+VrHK|n_!m;D@bWrRiV3k2*TdGLh3?F7
zECkr=d6#ni>P@b>8Hxqe#z!t~f=cAOj>jQPu>9TrGD#LIf8P7qIpLTO<6&!5&n8yW
z?h%4|UKUT)A(Xoq#OV=fdw+A*9~K48L$Fea*tN&P_j5a>)FR`>O&Og@$?AW>K4IhX
zr68`HMSTtKUwatj5&Lti3u&oImZt>kV2M?y^3+=PY`*C|6HC2Q7fpUhs{K%1!au%y
z_FSD|0o9(4+IbXVd#WVJn9VVwn55*5>qSs}oBC(^Bq9=fw8nOy@FZt+G%xJ%vmKk?
zWN0fF?>(k{P;e7=cG?n~bI}H#z2AyqK5@L2dh5d>3{qreexd8^_SbM?qh7pOl&0nA
zz5NGr)s+U?7dA69yn;ax9L?jSvEOq9g)(@^L77xFy7>ZsG+GDrpRx|>W@BukKl!|9
zy>Vll@I<aOO&fNH95Wzs>NAA6fl&j4cfP6^SgyoAONY@d(mWb1BGHt2ZH}uDRjV8X
znw>mt`>oBaj8_Ib7=)EXt#$gvSB)nssQiLMw9Zk@C3PQO&vp0jUFdGkyzQ^@j*02@
z?qJ{1AE~7K@TE61PEzV55Vh}HAD7cvf<jO5=ulyW9%;dpFeub!&pNElowcU*?N1;{
z@)t>4cWd~{7G=@Y7`~+R^1GFP*GZ5%C+O%6QxnrYV;wxW7uga#k{=AyrtSL#Jx<G?
zGJ6r`63%!VD{|{F!TWcVsoiUv`FhMf`#^!16>8915n;mAE#>s=nJ4JoNR?Kdbex=r
zzg1jl-e*CNi_1Na<8IZ(X$7gkE&|-=;}<RL7X0i~>@RyiKeG+5tVrGZwQQREQh;?c
zBBs=J6=tP`>lah6U$YY~H>6H!TWcOq7U!Ry%YJQf-i@P_<8gJojgD8t^TA<eT@$Yx
zZuc09H(ZVYk}TP#Gd33n$xsOu9zNOilVmRJF64H<CX8OV(A*u(XvRrZb&)md!UKQ4
zNeVHqL~fa)&e2i1^y=SHo3AK~C1um&Z-zoi5t0%Z<>Kg=o^8X1DkY-Ti5u!~FG+t`
zqCC2?xyPZcd)WEB+pTN5%~LjWWgKxjD|0?9WD@5ZDarPq*9`7X*ez<O=P2Zs)cB(R
zfNglWaBjT7VQ+A8qQiFLY}-Rulk|EJ05q^(0S^cKG4QGG|0Co}$Ma25N}TKO-X5x(
zCrGc)Q|A#bDl~g7K71h^-yQW~YYtz}`8SswZc5p=74@;nmyZ&Gt^FM5)lA{(tmR&x
zt)|et>T3R&8(uz2qz`g`0L?_ei|<4HnL=;k`BCky6JYn-J?=*rzw+nrP@?&>lSlY8
zpR2W-1ML2rTg*VS{pmOTAtc~AVxMpGY4re(F0a69bdC6Mw#rcW2YLd2SjI>~*9Z>#
z$YZABv!@+8@bI(5@-J?ZR6K5VdlAr6r@E?oaFo|d0~_t~H+24u;hx18Fm>qf%Cqk7
z`k}hC%xSG<K8h=(G6zR*|LiAtN=3aVy6d?dHr#_W5c;#6S*<N_G3wUSb4gRSdHUna
zse{8JkB`0lYW4V1Zj0*EAE-@(AFC%{x4Y6*qgkZO8A8ZWSS!)rB_Tl<vqO4J!v|&w
z4&d9)kHt>wN3!H#QIWt8XJr>wE|m4{?SDf0??~_|1%}KhJ(WW#r)e={a176A?#UD7
z#BKRE=mt0{=ub*Z%jjrJhj3Pm%vq%)DHp+@z_0GFp;TqQ&AGQeDTn`eBwtN^a|7Z~
z_jru{UtC=L8}Dbu6W@eR9q0nw*K(E8d$cmiir{}F1$S}$KVd)eGJbYwj~UuR7Z|j4
zhNyMbHkSkw>AX*`j;mV3iU>b^gYl#57C)GU{xIins|;Ge$iZ*#V^plS;0=A9RyE@7
zgCj_E#&`FJ8(jsV)(3_O4hBb;l;Os|e(aB{e8tpqKK4Jcg~k@8n1$5lTK%O1`-NT>
zay9imxcA@pE&jdOpTwmeQeS05<$|>6R8JRuNUeHA{c4}5+ar`V6m0_6C)%qq(kOAa
zQN!=40~_+C1-%yg?Tn<tpZ&yDHYi2?U&9{Iu&~3KiUO<pbrI=c&1cSUS^={J7f-l(
zI`^N;5ZEE@-{qB|L{b%D&j}B7GOohs8abO>=M@ajk(E|%MUP^i4=4EfSHcH>8)5i+
zpNY+favUg&WsIWQC~Y{4@JVtkd0bCB19~+g)+Rsdkzi<aVM1C5dG&~|IOL$$sZL!D
z_4V7zX9!Ovk06t`C;@*5T8Q@*-~GMNlq9WZCY2Y)QO8a`W&EDQ8a;=o+V93K`=ojj
z+9Z05kdaVp9ifApQu3J#CY5{FtaEwDol-Ekx?h(L-q=>)ciWRk<`zHFl$Z<4ir5~p
zE7sPIF$>pre5ppzPNdM4?2$INcx~^v)2Q|-p>RiJwyw4J(-gPV!}?2RIJ@(+=bh1`
zs^$zXJEmZNBU6yTIDR$0()R#E0!#Dr!l=fR52@KvjS5b{W7OIkLIQ_zhs2_v9BX@9
zYmLt55K^fpifUqi?z=Uy;ScUoe;a)^Jww1y?a<g4&OuD@ie%WqZJ8poboG|)s8AAJ
zX72ik8&s6l=yqKWMekx&zV5Q)_`NFWg>!ogh9>Tk3_|N|{y+}pw88%<YS$R7wEOzT
zr*)j0H5Y?F8FnEIwE}eltnb#J=h|xeR9h;xYB?hfyxW65(Z>8Q9neOv^j-LKOWDov
z#}yr<VZN9XF%==uNTX-`gHx_bsx&NBLuW$%zVsq~&&d8Yks{uT_VhNZ#7_IP@L8eX
z%Br`?Jnrvo6rMySDsr_=&3!{i?0utx$m+BE+u<%9Ul)uD(DqpG<Vmf`8<>b%NC@J8
z{C&xZv@fXr_hL#lYPE-^8-;KGrSm_xH7)s0zi%<Z^@1&WTkO~!i^%067W=Pn;!`L@
zc19jk;M)dxEzzerksK8p=Af=zgB@B1@AkAL*;S#(v)@t<&b7r}kSXslh;*@6!1nGn
z(jvl8)uu-J-$|Mi&P$c`LrGiuk@?${Iw4+Jk`elSXCv3uR?&w(lHtoaMCQ5==9E1H
zlaf1TUW4~p{?CX>70^n1S6Z3=s78k&<-&5#2<zId;uI<m^v)`B@qzK%pT8dpXC7@B
z=T@a#a#|KJxn*!xSMc@0d956e&F~nHQ$b-Qs=_0`N6ejTdFkK`-r$H-AveX^cp<#Z
ztl*<E_p4XQBHbv*<wE&_0lbN{*nKm>{_UNcZy&yN2<u(WTV3dSeR$Z}2*(F!u|h0|
zE2q|jdha$0rDIYQmQ|P6<CadMQ!v<VJoFgF>OsTN4b{VxAl`ey>yA38n4&vU^f05|
z7Oi_pkr^1vh_UOB+wx8gE1pK%Og12Fgw`19UjM(ku00;=td0MqL}YeTD7jQKS-DN)
zI^>pU#%)U%m54PiqY`7*m>6VN$)(1~wV}(-Yg`)kGg9lCt%$+2ScDmDjj<z<OGY%~
zJwN}wf4qOqAJ6xB&U4OlInVE$Ip;JnwVlHj#%2{$sq<^dFLXFkI&d`p%&p!iic5N%
z6TMf^n|Oj4DogfU-bI21?|xNK-#96dx=vbL=u{xI{8qo&Sp{`Xh1V#LaMA++XAl3W
zBhoL^R5x?_rVhQ?2&ZVDP}v-FW)2TWFN<>!yO#Wj+Lk%V%u(zx8#|fInv-W<ggGxv
z|6G>rd8~ccEuP0AFkHi(x?Nk}Ry;}Q#uwzm;eb<BF%;_J#DWubLDwy?DKl|iLreBw
z*Nvzf$v$Q0lqhnC*;ip`sKw<9g^9nUX(6W@%A@j_jvjV^-2lZY5IlFCbo()9Q|m|F
z#R|Du(744oXCOumHWj3X$X&JzU*{<#L+Wqr2ggr1)DW5pT{w6$VEyWYl?u<ji)qzQ
zIj~J{{F>@F=Y^WTV${Cd;Jh8!ne=_Ps=O&OD%b`KHI;lAYroV`J{yHKHP{Cb=*LPT
zvj6@dCmOsSN`h=J{P{s%!e6TvT|!Ba7&!J`na#2ic3|a*0$Q9{0YJo|-)?^s_qo-L
z--~@thfS_+-NHhN8|MbP%_9xArkvajCB}c5o?y|!uQ14tM!-HPk1nlrF`SgobXOh#
z09^>@D|z4WB1dwU1<y4%f9<Sr7t8$16Wgsx5UvR1lf1KoLPLoi30C1vPr*|9*RgD?
z#qcXY{v*x3jJH2^)^u$#D<B`j!{S2%SIl$BuH{YfTd|Oumd)u0<xjctJ)L^{jR1f2
z>GuagE}tob4bZ7za8(Inkk5n)=e!$=p8$Gm@b=;vm+>uf+WFzE01<@tO?Ca+x#Q0X
zzfHGa-$IsnT>zko?fV%?x|VCiGj4bdER<zw^Y??#Jl?ADk>S37Rs;ayyl0wGZ_mKq
zNb9P0V5jW`PalJmv3{nN>v`C<LsXzAz4^*rCgnJKXzf8|eVT9yLXV`rn#Ugyu1+=K
z8;+G_;()`XnAE!QlahGObBdIJ^)Xv4#L5UBElZxHeVMx6!YQ!K?*@%^d<!3p%D&b>
zB@SmzlK9G-48YAB49oD7vLjPh4udNnz)`>V3_UI@>1^%8cnd5<_yjpK#HR;kFY)6B
zV9f%;;0nB6s5G?JRPt1%3`J)<Wp$}OJ=bsP?R<pH#E_N+_X&5cn$HwE2IZ{FLfX<~
zOA!6+_@D0Y5%uEaOQlS0aKUXK76}~Dxp?0D`b&`}iRJ_;LB}7FV?L!}q*<(a0!-ZV
zZ~jcwV)JOESj&p82q~t7L=QX;C@5O=^WdQzKr_CKionvfY*Z>`(4<fg9NAZb-c*od
zuGV)8?e`>G14OiT3?6ZRZuUt<;k-8Z$V5ZhmHV7Sg;JEP@Ef3Ohk9d#Q-;l>`AJdj
zjwC1uLaT{Qs+)U?)-VV#8j$<Bi+!(31p!)?{P>x6of7b#ry6uKx5&7;My_5|JrxWv
zt;!J$Ny|f3LExFdKMM9jT<_?=<%Fr3mpY%i{I`AFMu^fwYyr5NE*E{eP;=F)I@{Je
zs$>v%xLp4=rN>n>{rE@Y60#`*4$Ye#aag}1wav2uai6fJA}D1i_V&6brKPYx-|3$u
z{Lp7Q08QA|6)*Xt>dM1h=EF!}CRc}8uJ#H$dIKo9Wj8%d0NMK=7QU)P5WqgxaCx>t
z-W<aK%a{lVDU$@X-Va^1M!+fPPEaGW>Rx@q(T)5ENvxsx0Vc0O-&S(`$Pqw~7itU%
z!)6t*QfD~GGQbL$8icHP$^|b)HG2E1BQ$`S@-ez-_ARefVc)|0y3GnHYI`AEA9F3z
zX*yAwfY+dw13_H(g3kQ=O_j66H9tq{aHtB<<|fcaGQFmg@s0K3BKIdfGvLHoRtCg0
z^XKtiV-xz7;!+#j4yc0*;yPe{bR_o|6)gr?1p&$_=k|ZCiD|j{%zNEb(b$&$-;fF^
zCi<Y+TYfd_J|hY3cPE!h$gArhN4M&b3unI1^|R6*)b~r`{NTO=82NL)ht|L)qi|^k
z_|Gs{R87SvI7oU~0#dbPE9^wJo8O%@(fZa*(E1E^6Cf7L9p8nj0@GzpPV9z&=!^1a
zBu|$cT`%0q%x`<b>BfEZq1Rj7GOn+7R~IjAkg*xkhSVymj6XVw?+Z=Yl+V!sl~rzy
z|B*Mm5EK<n91y&W0;PpwO7PD;!Y^zjX~w6>gNg$R-OM&;doR>^@bhcy^nsYH;=Z=J
zNsKfWe=0r#rXRb{dQ&1eaN}1!&g#XJI(R5W!P#R)Buh9rc`(H3uq5;S6`)Z{$gac0
z?AWM0l&~^0&`3c3kj*z#h0qZ0yr0mYQbBDv)#s%b27s?Tc*NR7&I0Sq2N^SbE&%P|
zp$UeGepWnQYhPneU%8V@d&AnK7X_r^eL2_!!D1ax`sPXXd9;HUJfQUN9lx~lDVslx
zZ9hm0^i8>?3(DjocS8;){Bo*hBDb<B+I&Mx_r}N=S!2(PCSG6s2>AQ%L;KjK7*39$
zmit=cQO0>)P%{xG_fcat2a*J_vr4&+t(QQL>Eczwh0CQ0?Tf<x`G4QlAug@oQ2-U2
zHq^u)$ecE_Ve4Bc1LcVOjVcBSIwFBm__KY51?T*%q)je;Fm7*;!9(t{MvFj-3^)pW
zpMJC$$+04Ga{YC>bp$5>&T&H?^I_F&73~2^=+r6cXOMmXMsq*$vFiDUQ4!&?VqZgL
z2IJrcQ0+J4xiKr#@0MOf_GzKKAA{z#kG6PiCyiX;dSk9GH;Kg4+*kwyY}7(Q_qtz%
zQvz+Z&GRI&KC9`-yP$NL&_3oh8)|r!RMvxkdsQ!2XOw511pC8I>#0)R@PtyEai-XF
z)+7TMXh@Rt^i)|v50PzgRhl}I<U;E;2D>GR3vkz12P`N9vPQ?CvdaYdfSMvm^M`a9
zakj)pQQS()v-@*#CNe=54HT7VsN-{RYhLEZ@wp;LQ?@ZO?>le_*wY~-Tj^^g{nRgn
z?fg@&2E`HOt1qb~A{gIVRiLujF|5?_VE=Js$+2A^>H6Gd(MVA>UfGO2%u~O3Rt7h1
z(V2x^W<O9K+FOUH3DjjaO)Vh`7tP}M0av&P54$`JC`hW(Sq>Ph&i<sLPdQJ=z19@P
zpLCTY$9YsY2f`+}t>24duhAY&Nq(|OxXW6cwDj*Yx~Bk5q(5eiAgw$jfA+m!bU}16
zvuK1FZdy9`e1%(fqV0(~sN`BfHAI_!p3N4&*3c@9o$5Lr!RO~Mv6I_RDnoRa29&C&
znTe6f`E&fVN#hwpFxGsg>m^BZnK2l~A7Q9aqKBu#ml@zQUJ2UGA@|-fDoqXN5i2{(
zIxO3y0z#2@j%6Dj%g8=lzX`v<niub6f%iwtA1D{LCDz}taloeI_r&*aZD-ai#A3c~
zvuFQ-9Wty<$GV}uTyM#=KmU$m22M}aK6FdvKR!7b$N6Kq`*)^Ah9ZQ%E_Xs%2c8Y9
zbBC*E6xr<@nGj44wF@DIf*%Nj##ox7ZA{Ua(`Z{e%fohuZH&=qJ2X1yS+&mpFkHPx
ZAcj%@Kf}aFO*UYF@NPcGs*eVx{udGWd3^u?


From 3152ff842bb238351077add921569d9a6b69bff5 Mon Sep 17 00:00:00 2001
From: "Michael N. Lipp" <mnl@mnl.de>
Date: Thu, 27 Feb 2025 22:55:50 +0100
Subject: [PATCH 138/274] Allow console take over.

---
 .../vmoperator/runner/qemu/DisplayController.java      | 10 ----------
 1 file changed, 10 deletions(-)

diff --git a/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/DisplayController.java b/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/DisplayController.java
index 6a3f783..479e2b1 100644
--- a/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/DisplayController.java
+++ b/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/DisplayController.java
@@ -35,7 +35,6 @@ import org.jdrupes.vmoperator.runner.qemu.events.MonitorCommand;
 import org.jdrupes.vmoperator.runner.qemu.events.RunnerStateChange.RunState;
 import org.jdrupes.vmoperator.runner.qemu.events.VmopAgentConnected;
 import org.jdrupes.vmoperator.runner.qemu.events.VmopAgentLogIn;
-import org.jdrupes.vmoperator.runner.qemu.events.VmopAgentLogOut;
 import org.jdrupes.vmoperator.runner.qemu.events.VmopAgentLoggedIn;
 import org.jgrapes.core.Channel;
 import org.jgrapes.core.Component;
@@ -53,7 +52,6 @@ public class DisplayController extends Component {
     private String protocol;
     private final Path configDir;
     private boolean vmopAgentConnected;
-    private boolean userLoginRequested;
 
     /**
      * Instantiates a new Display controller.
@@ -112,13 +110,6 @@ public class DisplayController extends Component {
         var userLoginConfigured = readFromFile(DATA_DISPLAY_LOGIN)
             .map(Boolean::parseBoolean).orElse(false);
         if (!userLoginConfigured) {
-            // Check if it was configured before and there may thus be an
-            // active auto login
-            if (userLoginRequested && vmopAgentConnected) {
-                // Make sure to log out
-                fire(new VmopAgentLogOut());
-            }
-            userLoginRequested = false;
             configurePassword();
             return;
         }
@@ -126,7 +117,6 @@ public class DisplayController extends Component {
         // With user login configured, we have to make sure that the
         // user is logged in before we set the password and thus allow
         // access to the display.
-        userLoginRequested = true;
         if (!vmopAgentConnected) {
             if (passwordChange) {
                 logger.warning(() -> "Request for user login before "

From 5366e240928a43d5114536727dc9b0da55ba6a24 Mon Sep 17 00:00:00 2001
From: "Michael N. Lipp" <mnl@mnl.de>
Date: Sat, 1 Mar 2025 11:02:52 +0100
Subject: [PATCH 139/274] Move automatic login request to CRD.

Also reorganizes constants.
---
 deploy/crds/vms-crd.yaml                      |  11 ++
 dev-example/vmop-agent/vmop-agent             |  10 ++
 .../jdrupes/vmoperator/common/Constants.java  |  52 +++++---
 .../vmoperator/common/K8sGenericStub.java     |   4 +-
 .../vmoperator/manager/runnerConfig.ftl.yaml  |   3 +
 .../manager/ConfigMapReconciler.java          |   4 +-
 .../vmoperator/manager/Controller.java        |   7 +-
 .../manager/DisplaySecretMonitor.java         |   8 +-
 .../manager/DisplaySecretReconciler.java      | 112 ++++++++----------
 .../jdrupes/vmoperator/manager/Manager.java   |   6 +-
 .../vmoperator/manager/PoolMonitor.java       |   8 +-
 .../vmoperator/manager/PvcReconciler.java     |   4 +-
 .../vmoperator/manager/Reconciler.java        |   4 +-
 .../jdrupes/vmoperator/manager/VmMonitor.java |   8 +-
 .../vmoperator/manager/BasicTests.java        |  30 +++--
 .../logging.properties                        |   4 +-
 .../vmoperator/runner/qemu/Configuration.java |   3 +
 .../runner/qemu/ConsoleTracker.java           |   9 +-
 .../runner/qemu/DisplayController.java        |  94 ++++++---------
 .../vmoperator/runner/qemu/Runner.java        |   4 +-
 .../vmoperator/runner/qemu/StatusUpdater.java |  62 ++++++++--
 webpages/vm-operator/pools.md                 |  18 ++-
 22 files changed, 259 insertions(+), 206 deletions(-)

diff --git a/deploy/crds/vms-crd.yaml b/deploy/crds/vms-crd.yaml
index 749b896..2a14f0c 100644
--- a/deploy/crds/vms-crd.yaml
+++ b/deploy/crds/vms-crd.yaml
@@ -1430,6 +1430,12 @@ spec:
                         outputs:
                           type: integer
                           default: 1
+                        loggedInUser:
+                          description: >-
+                            The name of a user that should be automatically
+                            logged in on the display. Note that this requires
+                            support from an agent in the guest OS.
+                          type: string
                         spice:
                           type: object
                           properties:
@@ -1485,6 +1491,11 @@ spec:
                     connection.
                   type: string
                   default: ""
+                loggedInUser:
+                  description: >-
+                    The name of a user that is currently logged in by the
+                    VM operator agent.
+                  type: string
                 displayPasswordSerial:
                   description: >-
                     Counts changes of the display password. Set to -1
diff --git a/dev-example/vmop-agent/vmop-agent b/dev-example/vmop-agent/vmop-agent
index 99aa25d..bb2fb86 100755
--- a/dev-example/vmop-agent/vmop-agent
+++ b/dev-example/vmop-agent/vmop-agent
@@ -126,8 +126,18 @@ attemptLogout() {
 
 # Log out any user currently using tty1. This is invoked when executing
 # the logout command and therefore sends back a 2xx return code.
+# Also try to restart gdm, if it is not running.
 doLogout() {
   attemptLogout
+  systemctl status gdm >/dev/null 2>&1
+  if [ $? != 0 ]; then
+    systemctl restart gdm 2>$temperr
+    if [ $? -eq 0 ]; then
+      echo >&${con} "102 gdm restarted"
+    else
+      echo >&${con} "102 Restarting gdm failed: $(tr '\n' ' ' <${temperr})"
+    fi
+  fi
   echo >&${con} "202 User logged out"
 }
 
diff --git a/org.jdrupes.vmoperator.common/src/org/jdrupes/vmoperator/common/Constants.java b/org.jdrupes.vmoperator.common/src/org/jdrupes/vmoperator/common/Constants.java
index 9bfba8d..a7ed780 100644
--- a/org.jdrupes.vmoperator.common/src/org/jdrupes/vmoperator/common/Constants.java
+++ b/org.jdrupes.vmoperator.common/src/org/jdrupes/vmoperator/common/Constants.java
@@ -27,31 +27,47 @@ public class Constants {
     /** The Constant APP_NAME. */
     public static final String APP_NAME = "vm-runner";
 
-    /** The Constant VM_OP_NAME. */
-    public static final String VM_OP_NAME = "vm-operator";
+    /**
+     * Constants related to the CRD.
+     */
+    @SuppressWarnings("PMD.ShortClassName")
+    public static class Crd {
 
-    /** The Constant VM_OP_GROUP. */
-    public static final String VM_OP_GROUP = "vmoperator.jdrupes.org";
+        /** The Constant NAME. */
+        public static final String NAME = "vm-operator";
 
-    /** The Constant VM_OP_KIND_VM. */
-    public static final String VM_OP_KIND_VM = "VirtualMachine";
+        /** The Constant GROUP. */
+        public static final String GROUP = "vmoperator.jdrupes.org";
 
-    /** The Constant VM_OP_KIND_VM_POOL. */
-    public static final String VM_OP_KIND_VM_POOL = "VmPool";
+        /** The Constant KIND_VM. */
+        public static final String KIND_VM = "VirtualMachine";
 
-    /** The Constant COMP_DISPLAY_SECRETS. */
-    public static final String COMP_DISPLAY_SECRET = "display-secret";
+        /** The Constant KIND_VM_POOL. */
+        public static final String KIND_VM_POOL = "VmPool";
+    }
 
-    /** The Constant DATA_DISPLAY_PASSWORD. */
-    public static final String DATA_DISPLAY_PASSWORD = "display-password";
+    /**
+     * Constants for the display secret.
+     */
+    public static class DisplaySecret {
 
-    /** The Constant DATA_PASSWORD_EXPIRY. */
-    public static final String DATA_PASSWORD_EXPIRY = "password-expiry";
+        /** The Constant NAME. */
+        public static final String NAME = "display-secret";
 
-    /** The Constant DATA_DISPLAY_USER. */
-    public static final String DATA_DISPLAY_USER = "display-user";
+        /** The Constant DISPLAY_PASSWORD. */
+        public static final String DISPLAY_PASSWORD = "display-password";
 
-    /** The Constant DATA_DISPLAY_LOGIN. */
-    public static final String DATA_DISPLAY_LOGIN = "login-user";
+        /** The Constant PASSWORD_EXPIRY. */
+        public static final String PASSWORD_EXPIRY = "password-expiry";
+    }
 
+    /**
+     * Constants for status fields.
+     */
+    public static class Status {
+
+        /** The Constant LOGGED_IN_USER. */
+        public static final String LOGGED_IN_USER = "loggedInUser";
+
+    }
 }
diff --git a/org.jdrupes.vmoperator.common/src/org/jdrupes/vmoperator/common/K8sGenericStub.java b/org.jdrupes.vmoperator.common/src/org/jdrupes/vmoperator/common/K8sGenericStub.java
index 688f43f..b1db86f 100644
--- a/org.jdrupes.vmoperator.common/src/org/jdrupes/vmoperator/common/K8sGenericStub.java
+++ b/org.jdrupes.vmoperator.common/src/org/jdrupes/vmoperator/common/K8sGenericStub.java
@@ -193,7 +193,7 @@ public class K8sGenericStub<O extends KubernetesObject,
     }
 
     /**
-     * Updates the object's status.
+     * Updates the object's status. This method will not retry.
      *
      * @param object the current state of the object (passed to `status`)
      * @param status function that returns the new status
@@ -231,7 +231,7 @@ public class K8sGenericStub<O extends KubernetesObject,
     }
 
     /**
-     * Updates the status.
+     * Updates the status. In case of conflict, retries up to 16 times.
      *
      * @param status the status
      * @return the kubernetes api response
diff --git a/org.jdrupes.vmoperator.manager/resources/org/jdrupes/vmoperator/manager/runnerConfig.ftl.yaml b/org.jdrupes.vmoperator.manager/resources/org/jdrupes/vmoperator/manager/runnerConfig.ftl.yaml
index f5aabc5..9c4b72a 100644
--- a/org.jdrupes.vmoperator.manager/resources/org/jdrupes/vmoperator/manager/runnerConfig.ftl.yaml
+++ b/org.jdrupes.vmoperator.manager/resources/org/jdrupes/vmoperator/manager/runnerConfig.ftl.yaml
@@ -201,6 +201,9 @@ data:
           <#if spec.vm.display.outputs?? >
           outputs: ${ spec.vm.display.outputs?c }
           </#if>
+          <#if spec.vm.display.loggedInUser?? >
+          loggedInUser: "${ spec.vm.display.loggedInUser }"
+          </#if>
           <#if spec.vm.display.spice??>
           spice:
             port: ${ spec.vm.display.spice.port?c }
diff --git a/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/ConfigMapReconciler.java b/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/ConfigMapReconciler.java
index 9c6dc3e..c5daf73 100644
--- a/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/ConfigMapReconciler.java
+++ b/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/ConfigMapReconciler.java
@@ -33,9 +33,9 @@ import java.io.IOException;
 import java.io.StringWriter;
 import java.util.Map;
 import java.util.logging.Logger;
+import org.jdrupes.vmoperator.common.Constants.Crd;
 import org.jdrupes.vmoperator.common.K8s;
 import static org.jdrupes.vmoperator.manager.Constants.APP_NAME;
-import static org.jdrupes.vmoperator.manager.Constants.VM_OP_NAME;
 import org.jdrupes.vmoperator.manager.events.VmChannel;
 import org.jdrupes.vmoperator.util.DataPath;
 import org.jdrupes.vmoperator.util.GsonPtr;
@@ -121,7 +121,7 @@ import org.yaml.snakeyaml.constructor.SafeConstructor;
             DynamicKubernetesObject newCm) {
         ListOptions listOpts = new ListOptions();
         listOpts.setLabelSelector(
-            "app.kubernetes.io/managed-by=" + VM_OP_NAME + ","
+            "app.kubernetes.io/managed-by=" + Crd.NAME + ","
                 + "app.kubernetes.io/name=" + APP_NAME + ","
                 + "app.kubernetes.io/instance=" + newCm.getMetadata()
                     .getLabels().get("app.kubernetes.io/instance"));
diff --git a/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/Controller.java b/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/Controller.java
index 80ff0f7..f3deefa 100644
--- a/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/Controller.java
+++ b/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/Controller.java
@@ -29,8 +29,7 @@ import java.nio.file.Files;
 import java.nio.file.Path;
 import java.time.Instant;
 import java.util.logging.Level;
-import static org.jdrupes.vmoperator.common.Constants.VM_OP_GROUP;
-import static org.jdrupes.vmoperator.common.Constants.VM_OP_KIND_VM;
+import org.jdrupes.vmoperator.common.Constants.Crd;
 import org.jdrupes.vmoperator.common.K8sClient;
 import org.jdrupes.vmoperator.common.K8sDynamicStub;
 import org.jdrupes.vmoperator.common.VmDefinitionStub;
@@ -194,7 +193,7 @@ public class Controller extends Component {
     private void patchVmDef(K8sClient client, String name, String path,
             Object value) throws ApiException, IOException {
         var vmStub = K8sDynamicStub.get(client,
-            new GroupVersionKind(VM_OP_GROUP, "", VM_OP_KIND_VM), namespace,
+            new GroupVersionKind(Crd.GROUP, "", Crd.KIND_VM), namespace,
             name);
 
         // Patch running
@@ -227,7 +226,7 @@ public class Controller extends Component {
         try {
             var vmDef = channel.vmDefinition();
             var vmStub = VmDefinitionStub.get(channel.client(),
-                new GroupVersionKind(VM_OP_GROUP, "", VM_OP_KIND_VM),
+                new GroupVersionKind(Crd.GROUP, "", Crd.KIND_VM),
                 vmDef.namespace(), vmDef.name());
             if (vmStub.updateStatus(vmDef, from -> {
                 JsonObject status = from.statusJson();
diff --git a/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/DisplaySecretMonitor.java b/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/DisplaySecretMonitor.java
index 99c8a11..66cd2f4 100644
--- a/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/DisplaySecretMonitor.java
+++ b/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/DisplaySecretMonitor.java
@@ -28,11 +28,11 @@ import io.kubernetes.client.util.generic.options.PatchOptions;
 import java.io.IOException;
 import java.util.logging.Level;
 import static org.jdrupes.vmoperator.common.Constants.APP_NAME;
-import static org.jdrupes.vmoperator.common.Constants.VM_OP_NAME;
+import org.jdrupes.vmoperator.common.Constants.Crd;
+import org.jdrupes.vmoperator.common.Constants.DisplaySecret;
 import org.jdrupes.vmoperator.common.K8sClient;
 import org.jdrupes.vmoperator.common.K8sV1PodStub;
 import org.jdrupes.vmoperator.common.K8sV1SecretStub;
-import static org.jdrupes.vmoperator.manager.Constants.COMP_DISPLAY_SECRET;
 import org.jdrupes.vmoperator.manager.events.ChannelDictionary;
 import org.jdrupes.vmoperator.manager.events.VmChannel;
 import org.jgrapes.core.Channel;
@@ -61,7 +61,7 @@ public class DisplaySecretMonitor
         context(K8sV1SecretStub.CONTEXT);
         ListOptions options = new ListOptions();
         options.setLabelSelector("app.kubernetes.io/name=" + APP_NAME + ","
-            + "app.kubernetes.io/component=" + COMP_DISPLAY_SECRET);
+            + "app.kubernetes.io/component=" + DisplaySecret.NAME);
         options(options);
     }
 
@@ -95,7 +95,7 @@ public class DisplaySecretMonitor
         // Force update for pod
         ListOptions listOpts = new ListOptions();
         listOpts.setLabelSelector(
-            "app.kubernetes.io/managed-by=" + VM_OP_NAME + ","
+            "app.kubernetes.io/managed-by=" + Crd.NAME + ","
                 + "app.kubernetes.io/name=" + APP_NAME + ","
                 + "app.kubernetes.io/instance=" + change.object.getMetadata()
                     .getLabels().get("app.kubernetes.io/instance"));
diff --git a/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/DisplaySecretReconciler.java b/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/DisplaySecretReconciler.java
index e1955b4..24ba978 100644
--- a/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/DisplaySecretReconciler.java
+++ b/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/DisplaySecretReconciler.java
@@ -26,7 +26,6 @@ import io.kubernetes.client.openapi.models.V1ObjectMeta;
 import io.kubernetes.client.openapi.models.V1Secret;
 import io.kubernetes.client.util.generic.options.ListOptions;
 import java.io.IOException;
-import static java.nio.charset.StandardCharsets.UTF_8;
 import java.security.NoSuchAlgorithmException;
 import java.security.SecureRandom;
 import java.time.Instant;
@@ -34,20 +33,16 @@ import java.util.Collections;
 import java.util.LinkedList;
 import java.util.List;
 import java.util.Map;
-import java.util.Objects;
 import java.util.Optional;
 import java.util.Scanner;
 import java.util.logging.Logger;
 import static org.jdrupes.vmoperator.common.Constants.APP_NAME;
-import static org.jdrupes.vmoperator.common.Constants.COMP_DISPLAY_SECRET;
-import static org.jdrupes.vmoperator.common.Constants.VM_OP_GROUP;
-import static org.jdrupes.vmoperator.common.Constants.VM_OP_KIND_VM;
+import org.jdrupes.vmoperator.common.Constants.Crd;
+import org.jdrupes.vmoperator.common.Constants.DisplaySecret;
+import org.jdrupes.vmoperator.common.Constants.Status;
 import org.jdrupes.vmoperator.common.K8sV1SecretStub;
+import org.jdrupes.vmoperator.common.VmDefinition;
 import org.jdrupes.vmoperator.common.VmDefinitionStub;
-import static org.jdrupes.vmoperator.manager.Constants.DATA_DISPLAY_LOGIN;
-import static org.jdrupes.vmoperator.manager.Constants.DATA_DISPLAY_PASSWORD;
-import static org.jdrupes.vmoperator.manager.Constants.DATA_DISPLAY_USER;
-import static org.jdrupes.vmoperator.manager.Constants.DATA_PASSWORD_EXPIRY;
 import org.jdrupes.vmoperator.manager.events.PrepareConsole;
 import org.jdrupes.vmoperator.manager.events.VmChannel;
 import org.jdrupes.vmoperator.manager.events.VmDefChanged;
@@ -146,7 +141,7 @@ public class DisplaySecretReconciler extends Component {
         var vmDef = event.vmDefinition();
         ListOptions options = new ListOptions();
         options.setLabelSelector("app.kubernetes.io/name=" + APP_NAME + ","
-            + "app.kubernetes.io/component=" + COMP_DISPLAY_SECRET + ","
+            + "app.kubernetes.io/component=" + DisplaySecret.NAME + ","
             + "app.kubernetes.io/instance=" + vmDef.name());
         var stubs = K8sV1SecretStub.list(channel.client(), vmDef.namespace(),
             options);
@@ -157,9 +152,9 @@ public class DisplaySecretReconciler extends Component {
         // Create secret
         var secret = new V1Secret();
         secret.setMetadata(new V1ObjectMeta().namespace(vmDef.namespace())
-            .name(vmDef.name() + "-" + COMP_DISPLAY_SECRET)
+            .name(vmDef.name() + "-" + DisplaySecret.NAME)
             .putLabelsItem("app.kubernetes.io/name", APP_NAME)
-            .putLabelsItem("app.kubernetes.io/component", COMP_DISPLAY_SECRET)
+            .putLabelsItem("app.kubernetes.io/component", DisplaySecret.NAME)
             .putLabelsItem("app.kubernetes.io/instance", vmDef.name()));
         secret.setType("Opaque");
         SecureRandom random = null;
@@ -172,8 +167,8 @@ public class DisplaySecretReconciler extends Component {
         byte[] bytes = new byte[16];
         random.nextBytes(bytes);
         var password = Base64.encode(bytes);
-        secret.setStringData(Map.of(DATA_DISPLAY_PASSWORD, password,
-            DATA_PASSWORD_EXPIRY, "now"));
+        secret.setStringData(Map.of(DisplaySecret.DISPLAY_PASSWORD, password,
+            DisplaySecret.PASSWORD_EXPIRY, "now"));
         K8sV1SecretStub.create(channel.client(), secret);
     }
 
@@ -192,49 +187,31 @@ public class DisplaySecretReconciler extends Component {
     public void onPrepareConsole(PrepareConsole event, VmChannel channel)
             throws ApiException {
         // Update console user in status
-        var vmStub = VmDefinitionStub.get(channel.client(),
-            new GroupVersionKind(VM_OP_GROUP, "", VM_OP_KIND_VM),
-            event.vmDefinition().namespace(), event.vmDefinition().name());
-        var optVmDef = vmStub.updateStatus(from -> {
-            JsonObject status = from.statusJson();
-            status.addProperty("consoleUser", event.user());
-            return status;
-        });
-        if (optVmDef.isEmpty()) {
+        var vmDef = updateConsoleUser(event, channel);
+        if (vmDef == null) {
             return;
         }
-        var vmDef = optVmDef.get();
 
         // Check if access is possible
         if (event.loginUser()
-            ? !vmDef.conditionStatus("Booted").orElse(false)
+            ? !vmDef.<String> fromStatus(Status.LOGGED_IN_USER)
+                .map(u -> u.equals(event.user())).orElse(false)
             : !vmDef.conditionStatus("Running").orElse(false)) {
             return;
         }
 
-        // Look for secret
-        ListOptions options = new ListOptions();
-        options.setLabelSelector("app.kubernetes.io/name=" + APP_NAME + ","
-            + "app.kubernetes.io/component=" + COMP_DISPLAY_SECRET + ","
-            + "app.kubernetes.io/instance=" + vmDef.name());
-        var stubs = K8sV1SecretStub.list(channel.client(), vmDef.namespace(),
-            options);
-        if (stubs.isEmpty()) {
-            // No secret means no password for this VM wanted
-            event.setResult(null);
+        // Get secret and update password in secret
+        var stub = getSecretStub(event, channel, vmDef);
+        if (stub == null) {
             return;
         }
-        var stub = stubs.iterator().next();
-
-        // Get secret and update
         var secret = stub.model().get();
-        var updPw = updatePassword(secret, event);
-        var updUsr = updateUser(secret, event);
-        if (!updPw && !updUsr) {
+        if (!updatePassword(secret, event)) {
             return;
         }
 
-        // Register wait for confirmation (by VM status change)
+        // Register wait for confirmation (by VM status change,
+        // after secret update)
         var pending = new PendingPrepare(event,
             event.vmDefinition().displayPasswordSerial().orElse(0L) + 1,
             new CompletionLock(event, 1500));
@@ -247,30 +224,45 @@ public class DisplaySecretReconciler extends Component {
         stub.update(secret).getObject();
     }
 
-    private boolean updateUser(V1Secret secret, PrepareConsole event) {
-        var curUser = DataPath.<byte[]> get(secret, "data", DATA_DISPLAY_USER)
-            .map(b -> new String(b, UTF_8)).orElse(null);
-        var curLogin = DataPath.<byte[]> get(secret, "data", DATA_DISPLAY_LOGIN)
-            .map(b -> new String(b, UTF_8)).map(Boolean::parseBoolean)
-            .orElse(null);
-        if (Objects.equals(curUser, event.user()) && Objects.equals(
-            curLogin, event.loginUser())) {
-            return false;
+    private VmDefinition updateConsoleUser(PrepareConsole event,
+            VmChannel channel) throws ApiException {
+        var vmStub = VmDefinitionStub.get(channel.client(),
+            new GroupVersionKind(Crd.GROUP, "", Crd.KIND_VM),
+            event.vmDefinition().namespace(), event.vmDefinition().name());
+        return vmStub.updateStatus(from -> {
+            JsonObject status = from.statusJson();
+            status.addProperty("consoleUser", event.user());
+            return status;
+        }).orElse(null);
+    }
+
+    private K8sV1SecretStub getSecretStub(PrepareConsole event,
+            VmChannel channel, VmDefinition vmDef) throws ApiException {
+        // Look for secret
+        ListOptions options = new ListOptions();
+        options.setLabelSelector("app.kubernetes.io/name=" + APP_NAME + ","
+            + "app.kubernetes.io/component=" + DisplaySecret.NAME + ","
+            + "app.kubernetes.io/instance=" + vmDef.name());
+        var stubs = K8sV1SecretStub.list(channel.client(), vmDef.namespace(),
+            options);
+        if (stubs.isEmpty()) {
+            // No secret means no password for this VM wanted
+            event.setResult(null);
+            return null;
         }
-        secret.getData().put(DATA_DISPLAY_USER, event.user().getBytes(UTF_8));
-        secret.getData().put(DATA_DISPLAY_LOGIN,
-            Boolean.toString(event.loginUser()).getBytes(UTF_8));
-        return true;
+        return stubs.iterator().next();
     }
 
     private boolean updatePassword(V1Secret secret, PrepareConsole event) {
         var expiry = Optional.ofNullable(secret.getData()
-            .get(DATA_PASSWORD_EXPIRY)).map(b -> new String(b)).orElse(null);
-        if (secret.getData().get(DATA_DISPLAY_PASSWORD) != null
+            .get(DisplaySecret.PASSWORD_EXPIRY)).map(b -> new String(b))
+            .orElse(null);
+        if (secret.getData().get(DisplaySecret.DISPLAY_PASSWORD) != null
             && stillValid(expiry)) {
             // Fixed secret, don't touch
             event.setResult(
-                new String(secret.getData().get(DATA_DISPLAY_PASSWORD)));
+                new String(
+                    secret.getData().get(DisplaySecret.DISPLAY_PASSWORD)));
             return false;
         }
 
@@ -285,8 +277,8 @@ public class DisplaySecretReconciler extends Component {
         byte[] bytes = new byte[16];
         random.nextBytes(bytes);
         var password = Base64.encode(bytes);
-        secret.setStringData(Map.of(DATA_DISPLAY_PASSWORD, password,
-            DATA_PASSWORD_EXPIRY,
+        secret.setStringData(Map.of(DisplaySecret.DISPLAY_PASSWORD, password,
+            DisplaySecret.PASSWORD_EXPIRY,
             Long.toString(Instant.now().getEpochSecond() + passwordValidity)));
         event.setResult(password);
         return true;
diff --git a/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/Manager.java b/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/Manager.java
index 9d291cf..8acddc5 100644
--- a/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/Manager.java
+++ b/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/Manager.java
@@ -40,7 +40,7 @@ import org.apache.commons.cli.CommandLineParser;
 import org.apache.commons.cli.DefaultParser;
 import org.apache.commons.cli.Option;
 import org.apache.commons.cli.Options;
-import static org.jdrupes.vmoperator.manager.Constants.VM_OP_NAME;
+import org.jdrupes.vmoperator.common.Constants.Crd;
 import org.jdrupes.vmoperator.manager.events.Exit;
 import org.jdrupes.vmoperator.util.FsdUtils;
 import org.jgrapes.core.Channel;
@@ -108,7 +108,7 @@ public class Manager extends Component {
 
         // Configuration store with file in /etc/opt (default)
         File cfgFile = new File(cmdLine.getOptionValue('c',
-            "/etc/opt/" + VM_OP_NAME.replace("-", "") + "/config.yaml"));
+            "/etc/opt/" + Crd.NAME.replace("-", "") + "/config.yaml"));
         logger.config(() -> "Using configuration from: " + cfgFile.getPath());
         // Don't rely on night config to produce a good exception
         // for this simple case
@@ -271,7 +271,7 @@ public class Manager extends Component {
         try {
             // Get logging properties from file and put them in effect
             InputStream props;
-            var path = FsdUtils.findConfigFile(VM_OP_NAME.replace("-", ""),
+            var path = FsdUtils.findConfigFile(Crd.NAME.replace("-", ""),
                 "logging.properties");
             if (path.isPresent()) {
                 props = Files.newInputStream(path.get());
diff --git a/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/PoolMonitor.java b/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/PoolMonitor.java
index 25fb10b..465a9ed 100644
--- a/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/PoolMonitor.java
+++ b/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/PoolMonitor.java
@@ -28,8 +28,7 @@ import java.util.List;
 import java.util.Map;
 import java.util.Optional;
 import java.util.concurrent.ConcurrentHashMap;
-import static org.jdrupes.vmoperator.common.Constants.VM_OP_GROUP;
-import static org.jdrupes.vmoperator.common.Constants.VM_OP_KIND_VM;
+import org.jdrupes.vmoperator.common.Constants.Crd;
 import org.jdrupes.vmoperator.common.K8s;
 import org.jdrupes.vmoperator.common.K8sClient;
 import org.jdrupes.vmoperator.common.K8sDynamicModel;
@@ -38,7 +37,6 @@ import org.jdrupes.vmoperator.common.K8sDynamicStub;
 import org.jdrupes.vmoperator.common.K8sObserver.ResponseType;
 import org.jdrupes.vmoperator.common.VmDefinitionStub;
 import org.jdrupes.vmoperator.common.VmPool;
-import static org.jdrupes.vmoperator.manager.Constants.VM_OP_KIND_VM_POOL;
 import org.jdrupes.vmoperator.manager.events.GetPools;
 import org.jdrupes.vmoperator.manager.events.VmDefChanged;
 import org.jdrupes.vmoperator.manager.events.VmPoolChanged;
@@ -88,7 +86,7 @@ public class PoolMonitor extends
         client(new K8sClient());
 
         // Get all our API versions
-        var ctx = K8s.context(client(), VM_OP_GROUP, "", VM_OP_KIND_VM_POOL);
+        var ctx = K8s.context(client(), Crd.GROUP, "", Crd.KIND_VM_POOL);
         if (ctx.isEmpty()) {
             logger.severe(() -> "Cannot get CRD context.");
             return;
@@ -184,7 +182,7 @@ public class PoolMonitor extends
             return;
         }
         var vmStub = VmDefinitionStub.get(client(),
-            new GroupVersionKind(VM_OP_GROUP, "", VM_OP_KIND_VM),
+            new GroupVersionKind(Crd.GROUP, "", Crd.KIND_VM),
             vmDef.namespace(), vmDef.name());
         vmStub.updateStatus(from -> {
             // TODO
diff --git a/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/PvcReconciler.java b/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/PvcReconciler.java
index 34085f0..f0a3ede 100644
--- a/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/PvcReconciler.java
+++ b/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/PvcReconciler.java
@@ -36,7 +36,7 @@ import java.util.Set;
 import java.util.logging.Logger;
 import java.util.stream.Collectors;
 import static org.jdrupes.vmoperator.common.Constants.APP_NAME;
-import static org.jdrupes.vmoperator.common.Constants.VM_OP_NAME;
+import org.jdrupes.vmoperator.common.Constants.Crd;
 import org.jdrupes.vmoperator.common.K8sV1PvcStub;
 import org.jdrupes.vmoperator.manager.events.VmChannel;
 import org.jdrupes.vmoperator.manager.events.VmDefChanged;
@@ -83,7 +83,7 @@ import org.yaml.snakeyaml.constructor.SafeConstructor;
         // Existing disks
         ListOptions listOpts = new ListOptions();
         listOpts.setLabelSelector(
-            "app.kubernetes.io/managed-by=" + VM_OP_NAME + ","
+            "app.kubernetes.io/managed-by=" + Crd.NAME + ","
                 + "app.kubernetes.io/name=" + APP_NAME + ","
                 + "app.kubernetes.io/instance=" + vmDef.name());
         var knownDisks = K8sV1PvcStub.list(channel.client(),
diff --git a/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/Reconciler.java b/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/Reconciler.java
index 8011e2c..0622a7c 100644
--- a/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/Reconciler.java
+++ b/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/Reconciler.java
@@ -46,12 +46,12 @@ import java.util.List;
 import java.util.Map;
 import java.util.Optional;
 import static org.jdrupes.vmoperator.common.Constants.APP_NAME;
+import org.jdrupes.vmoperator.common.Constants.DisplaySecret;
 import org.jdrupes.vmoperator.common.Convertions;
 import org.jdrupes.vmoperator.common.K8sClient;
 import org.jdrupes.vmoperator.common.K8sObserver;
 import org.jdrupes.vmoperator.common.K8sV1SecretStub;
 import org.jdrupes.vmoperator.common.VmDefinition;
-import static org.jdrupes.vmoperator.manager.Constants.COMP_DISPLAY_SECRET;
 import org.jdrupes.vmoperator.manager.events.ResetVm;
 import org.jdrupes.vmoperator.manager.events.VmChannel;
 import org.jdrupes.vmoperator.manager.events.VmDefChanged;
@@ -276,7 +276,7 @@ public class Reconciler extends Component {
         // Check if we have a display secret
         ListOptions options = new ListOptions();
         options.setLabelSelector("app.kubernetes.io/name=" + APP_NAME + ","
-            + "app.kubernetes.io/component=" + COMP_DISPLAY_SECRET + ","
+            + "app.kubernetes.io/component=" + DisplaySecret.NAME + ","
             + "app.kubernetes.io/instance=" + vmDef.name());
         var dsStub = K8sV1SecretStub
             .list(client, vmDef.namespace(), options)
diff --git a/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/VmMonitor.java b/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/VmMonitor.java
index 5c1ae77..a253b17 100644
--- a/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/VmMonitor.java
+++ b/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/VmMonitor.java
@@ -31,8 +31,7 @@ import java.util.Set;
 import java.util.concurrent.atomic.AtomicBoolean;
 import java.util.logging.Level;
 import java.util.stream.Collectors;
-import static org.jdrupes.vmoperator.common.Constants.VM_OP_GROUP;
-import static org.jdrupes.vmoperator.common.Constants.VM_OP_KIND_VM;
+import org.jdrupes.vmoperator.common.Constants.Crd;
 import org.jdrupes.vmoperator.common.K8s;
 import org.jdrupes.vmoperator.common.K8sClient;
 import org.jdrupes.vmoperator.common.K8sDynamicStub;
@@ -46,7 +45,6 @@ import org.jdrupes.vmoperator.common.VmDefinitions;
 import org.jdrupes.vmoperator.common.VmExtraData;
 import org.jdrupes.vmoperator.common.VmPool;
 import static org.jdrupes.vmoperator.manager.Constants.APP_NAME;
-import static org.jdrupes.vmoperator.manager.Constants.VM_OP_NAME;
 import org.jdrupes.vmoperator.manager.events.AssignVm;
 import org.jdrupes.vmoperator.manager.events.ChannelManager;
 import org.jdrupes.vmoperator.manager.events.GetPools;
@@ -87,7 +85,7 @@ public class VmMonitor extends
         client(new K8sClient());
 
         // Get all our API versions
-        var ctx = K8s.context(client(), VM_OP_GROUP, "", VM_OP_KIND_VM);
+        var ctx = K8s.context(client(), Crd.GROUP, "", Crd.KIND_VM);
         if (ctx.isEmpty()) {
             logger.severe(() -> "Cannot get CRD context.");
             return;
@@ -105,7 +103,7 @@ public class VmMonitor extends
             .stream().map(stub -> stub.name()).collect(Collectors.toSet());
         ListOptions opts = new ListOptions();
         opts.setLabelSelector(
-            "app.kubernetes.io/managed-by=" + VM_OP_NAME + ","
+            "app.kubernetes.io/managed-by=" + Crd.NAME + ","
                 + "app.kubernetes.io/name=" + APP_NAME);
         for (var context : Set.of(K8sV1StatefulSetStub.CONTEXT,
             K8sV1ConfigMapStub.CONTEXT)) {
diff --git a/org.jdrupes.vmoperator.manager/test/org/jdrupes/vmoperator/manager/BasicTests.java b/org.jdrupes.vmoperator.manager/test/org/jdrupes/vmoperator/manager/BasicTests.java
index 4f5d7a3..b3b9b1a 100644
--- a/org.jdrupes.vmoperator.manager/test/org/jdrupes/vmoperator/manager/BasicTests.java
+++ b/org.jdrupes.vmoperator.manager/test/org/jdrupes/vmoperator/manager/BasicTests.java
@@ -13,10 +13,8 @@ import java.util.LinkedHashMap;
 import java.util.List;
 import java.util.Map;
 import static org.jdrupes.vmoperator.common.Constants.APP_NAME;
-import static org.jdrupes.vmoperator.common.Constants.COMP_DISPLAY_SECRET;
-import static org.jdrupes.vmoperator.common.Constants.VM_OP_GROUP;
-import static org.jdrupes.vmoperator.common.Constants.VM_OP_KIND_VM;
-import static org.jdrupes.vmoperator.common.Constants.VM_OP_NAME;
+import org.jdrupes.vmoperator.common.Constants.Crd;
+import org.jdrupes.vmoperator.common.Constants.DisplaySecret;
 import org.jdrupes.vmoperator.common.K8s;
 import org.jdrupes.vmoperator.common.K8sClient;
 import org.jdrupes.vmoperator.common.K8sDynamicStub;
@@ -60,7 +58,7 @@ class BasicTests {
         waitForManager();
 
         // Context for working with our CR
-        var apiRes = K8s.context(client, VM_OP_GROUP, null, VM_OP_KIND_VM);
+        var apiRes = K8s.context(client, Crd.GROUP, null, Crd.KIND_VM);
         assertTrue(apiRes.isPresent());
         vmsContext = apiRes.get();
 
@@ -70,7 +68,7 @@ class BasicTests {
         ListOptions listOpts = new ListOptions();
         listOpts.setLabelSelector("app.kubernetes.io/name=" + APP_NAME + ","
             + "app.kubernetes.io/instance=" + VM_NAME + ","
-            + "app.kubernetes.io/component=" + COMP_DISPLAY_SECRET);
+            + "app.kubernetes.io/component=" + DisplaySecret.NAME);
         var secrets = K8sV1SecretStub.list(client, "vmop-dev", listOpts);
         for (var secret : secrets) {
             secret.delete();
@@ -100,7 +98,7 @@ class BasicTests {
     private static void deletePvcs() throws ApiException {
         ListOptions listOpts = new ListOptions();
         listOpts.setLabelSelector(
-            "app.kubernetes.io/managed-by=" + VM_OP_NAME + ","
+            "app.kubernetes.io/managed-by=" + Crd.NAME + ","
                 + "app.kubernetes.io/name=" + APP_NAME + ","
                 + "app.kubernetes.io/instance=" + VM_NAME);
         var knownPvcs = K8sV1PvcStub.list(client, "vmop-dev", listOpts);
@@ -139,11 +137,11 @@ class BasicTests {
             List.of("labels", "app.kubernetes.io/name"), Constants.APP_NAME,
             List.of("labels", "app.kubernetes.io/instance"), VM_NAME,
             List.of("labels", "app.kubernetes.io/managed-by"),
-            Constants.VM_OP_NAME,
+            Crd.NAME,
             List.of("annotations", "vmoperator.jdrupes.org/version"), EXISTS,
             List.of("ownerReferences", 0, "apiVersion"),
             vmsContext.getGroup() + "/" + vmsContext.getVersions().get(0),
-            List.of("ownerReferences", 0, "kind"), Constants.VM_OP_KIND_VM,
+            List.of("ownerReferences", 0, "kind"), Crd.KIND_VM,
             List.of("ownerReferences", 0, "name"), VM_NAME,
             List.of("ownerReferences", 0, "uid"), EXISTS);
         checkProps(config.getMetadata(), toCheck);
@@ -189,7 +187,7 @@ class BasicTests {
         ListOptions listOpts = new ListOptions();
         listOpts.setLabelSelector("app.kubernetes.io/name=" + APP_NAME + ","
             + "app.kubernetes.io/instance=" + VM_NAME + ","
-            + "app.kubernetes.io/component=" + COMP_DISPLAY_SECRET);
+            + "app.kubernetes.io/component=" + DisplaySecret.NAME);
         Collection<K8sV1SecretStub> secrets = null;
         for (int i = 0; i < 10; i++) {
             secrets = K8sV1SecretStub.list(client, "vmop-dev", listOpts);
@@ -220,7 +218,7 @@ class BasicTests {
             List.of("labels", "app.kubernetes.io/name"), Constants.APP_NAME,
             List.of("labels", "app.kubernetes.io/instance"), VM_NAME,
             List.of("labels", "app.kubernetes.io/managed-by"),
-            Constants.VM_OP_NAME));
+            Crd.NAME));
         checkProps(pvc.getSpec(), Map.of(
             List.of("resources", "requests", "storage"),
             Quantity.fromString("1Mi")));
@@ -241,7 +239,7 @@ class BasicTests {
             List.of("labels", "app.kubernetes.io/name"), Constants.APP_NAME,
             List.of("labels", "app.kubernetes.io/instance"), VM_NAME,
             List.of("labels", "app.kubernetes.io/managed-by"),
-            Constants.VM_OP_NAME,
+            Crd.NAME,
             List.of("annotations", "use_as"), "system-disk"));
         checkProps(pvc.getSpec(), Map.of(
             List.of("resources", "requests", "storage"),
@@ -263,7 +261,7 @@ class BasicTests {
             List.of("labels", "app.kubernetes.io/name"), Constants.APP_NAME,
             List.of("labels", "app.kubernetes.io/instance"), VM_NAME,
             List.of("labels", "app.kubernetes.io/managed-by"),
-            Constants.VM_OP_NAME));
+            Crd.NAME));
         checkProps(pvc.getSpec(), Map.of(
             List.of("resources", "requests", "storage"),
             Quantity.fromString("1Gi")));
@@ -291,12 +289,12 @@ class BasicTests {
             List.of("labels", "app.kubernetes.io/instance"), VM_NAME,
             List.of("labels", "app.kubernetes.io/component"), APP_NAME,
             List.of("labels", "app.kubernetes.io/managed-by"),
-            Constants.VM_OP_NAME,
+            Crd.NAME,
             List.of("annotations", "vmrunner.jdrupes.org/cmVersion"), EXISTS,
             List.of("annotations", "vmoperator.jdrupes.org/version"), EXISTS,
             List.of("ownerReferences", 0, "apiVersion"),
             vmsContext.getGroup() + "/" + vmsContext.getVersions().get(0),
-            List.of("ownerReferences", 0, "kind"), Constants.VM_OP_KIND_VM,
+            List.of("ownerReferences", 0, "kind"), Crd.KIND_VM,
             List.of("ownerReferences", 0, "name"), VM_NAME,
             List.of("ownerReferences", 0, "uid"), EXISTS));
         checkProps(pod.getSpec(), Map.of(
@@ -319,7 +317,7 @@ class BasicTests {
         checkProps(svc.getMetadata(), Map.of(
             List.of("labels", "app.kubernetes.io/name"), APP_NAME,
             List.of("labels", "app.kubernetes.io/instance"), VM_NAME,
-            List.of("labels", "app.kubernetes.io/managed-by"), VM_OP_NAME,
+            List.of("labels", "app.kubernetes.io/managed-by"), Crd.NAME,
             List.of("labels", "label1"), "label1",
             List.of("labels", "label2"), "replaced",
             List.of("labels", "label3"), "added",
diff --git a/org.jdrupes.vmoperator.runner.qemu/logging.properties b/org.jdrupes.vmoperator.runner.qemu/logging.properties
index 1cf84fe..6b0542d 100644
--- a/org.jdrupes.vmoperator.runner.qemu/logging.properties
+++ b/org.jdrupes.vmoperator.runner.qemu/logging.properties
@@ -19,8 +19,8 @@
 
 handlers=java.util.logging.ConsoleHandler
 
-org.jgrapes.level=FINE
-org.jgrapes.core.handlerTracking.level=FINER
+#org.jgrapes.level=FINE
+#org.jgrapes.core.handlerTracking.level=FINER
 
 org.jdrupes.vmoperator.runner.qemu.level=FINE
 
diff --git a/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/Configuration.java b/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/Configuration.java
index 20d4c66..50635b5 100644
--- a/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/Configuration.java
+++ b/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/Configuration.java
@@ -248,6 +248,9 @@ public class Configuration implements Dto {
         /** The number of outputs. */
         public int outputs = 1;
 
+        /** The logged in user. */
+        public String loggedInUser;
+
         /** The spice. */
         public Spice spice;
     }
diff --git a/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/ConsoleTracker.java b/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/ConsoleTracker.java
index b91b5df..db29932 100644
--- a/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/ConsoleTracker.java
+++ b/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/ConsoleTracker.java
@@ -25,8 +25,7 @@ import io.kubernetes.client.openapi.models.EventsV1Event;
 import java.io.IOException;
 import java.util.logging.Level;
 import static org.jdrupes.vmoperator.common.Constants.APP_NAME;
-import static org.jdrupes.vmoperator.common.Constants.VM_OP_GROUP;
-import static org.jdrupes.vmoperator.common.Constants.VM_OP_KIND_VM;
+import org.jdrupes.vmoperator.common.Constants.Crd;
 import org.jdrupes.vmoperator.common.K8s;
 import org.jdrupes.vmoperator.common.K8sClient;
 import org.jdrupes.vmoperator.common.VmDefinitionStub;
@@ -74,7 +73,7 @@ public class ConsoleTracker extends VmDefUpdater {
         }
         try {
             vmStub = VmDefinitionStub.get(apiClient,
-                new GroupVersionKind(VM_OP_GROUP, "", VM_OP_KIND_VM),
+                new GroupVersionKind(Crd.GROUP, "", Crd.KIND_VM),
                 namespace, vmName);
         } catch (ApiException e) {
             logger.log(Level.SEVERE, e,
@@ -115,7 +114,7 @@ public class ConsoleTracker extends VmDefUpdater {
 
         // Log event
         var evt = new EventsV1Event()
-            .reportingController(VM_OP_GROUP + "/" + APP_NAME)
+            .reportingController(Crd.GROUP + "/" + APP_NAME)
             .action("ConsoleConnectionUpdate")
             .reason("Connection from " + event.clientHost());
         K8s.createEvent(apiClient, vmStub.model().get(), evt);
@@ -150,7 +149,7 @@ public class ConsoleTracker extends VmDefUpdater {
 
         // Log event
         var evt = new EventsV1Event()
-            .reportingController(VM_OP_GROUP + "/" + APP_NAME)
+            .reportingController(Crd.GROUP + "/" + APP_NAME)
             .action("ConsoleConnectionUpdate")
             .reason("Disconnected from " + event.clientHost());
         K8s.createEvent(apiClient, vmStub.model().get(), evt);
diff --git a/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/DisplayController.java b/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/DisplayController.java
index 479e2b1..63a3ec1 100644
--- a/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/DisplayController.java
+++ b/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/DisplayController.java
@@ -1,6 +1,6 @@
 /*
  * VM-Operator
- * Copyright (C) 2023 Michael N. Lipp
+ * Copyright (C) 2023,2025 Michael N. Lipp
  * 
  * This program is free software: you can redistribute it and/or modify
  * it under the terms of the GNU Affero General Public License as
@@ -24,10 +24,7 @@ import java.nio.file.Path;
 import java.util.Objects;
 import java.util.Optional;
 import java.util.logging.Level;
-import static org.jdrupes.vmoperator.common.Constants.DATA_DISPLAY_LOGIN;
-import static org.jdrupes.vmoperator.common.Constants.DATA_DISPLAY_PASSWORD;
-import static org.jdrupes.vmoperator.common.Constants.DATA_DISPLAY_USER;
-import static org.jdrupes.vmoperator.common.Constants.DATA_PASSWORD_EXPIRY;
+import org.jdrupes.vmoperator.common.Constants.DisplaySecret;
 import org.jdrupes.vmoperator.runner.qemu.commands.QmpSetDisplayPassword;
 import org.jdrupes.vmoperator.runner.qemu.commands.QmpSetPasswordExpiry;
 import org.jdrupes.vmoperator.runner.qemu.events.ConfigureQemu;
@@ -35,9 +32,10 @@ import org.jdrupes.vmoperator.runner.qemu.events.MonitorCommand;
 import org.jdrupes.vmoperator.runner.qemu.events.RunnerStateChange.RunState;
 import org.jdrupes.vmoperator.runner.qemu.events.VmopAgentConnected;
 import org.jdrupes.vmoperator.runner.qemu.events.VmopAgentLogIn;
-import org.jdrupes.vmoperator.runner.qemu.events.VmopAgentLoggedIn;
+import org.jdrupes.vmoperator.runner.qemu.events.VmopAgentLogOut;
 import org.jgrapes.core.Channel;
 import org.jgrapes.core.Component;
+import org.jgrapes.core.Event;
 import org.jgrapes.core.annotation.Handler;
 import org.jgrapes.util.events.FileChanged;
 import org.jgrapes.util.events.WatchFile;
@@ -52,6 +50,7 @@ public class DisplayController extends Component {
     private String protocol;
     private final Path configDir;
     private boolean vmopAgentConnected;
+    private String loggedInUser;
 
     /**
      * Instantiates a new Display controller.
@@ -64,17 +63,7 @@ public class DisplayController extends Component {
     public DisplayController(Channel componentChannel, Path configDir) {
         super(componentChannel);
         this.configDir = configDir;
-        fire(new WatchFile(configDir.resolve(DATA_DISPLAY_PASSWORD)));
-    }
-
-    /**
-     * On vmop agent connected.
-     *
-     * @param event the event
-     */
-    @Handler
-    public void onVmopAgentConnected(VmopAgentConnected event) {
-        vmopAgentConnected = true;
+        fire(new WatchFile(configDir.resolve(DisplaySecret.DISPLAY_PASSWORD)));
     }
 
     /**
@@ -89,7 +78,32 @@ public class DisplayController extends Component {
         }
         protocol
             = event.configuration().vm.display.spice != null ? "spice" : null;
-        configureAccess(false);
+        loggedInUser = event.configuration().vm.display.loggedInUser;
+        configureLogin();
+        if (event.runState() == RunState.STARTING) {
+            configurePassword();
+        }
+    }
+
+    /**
+     * On vmop agent connected.
+     *
+     * @param event the event
+     */
+    @Handler
+    public void onVmopAgentConnected(VmopAgentConnected event) {
+        vmopAgentConnected = true;
+        configureLogin();
+    }
+
+    private void configureLogin() {
+        if (!vmopAgentConnected) {
+            return;
+        }
+        Event<?> evt = loggedInUser != null
+            ? new VmopAgentLogIn(loggedInUser)
+            : new VmopAgentLogOut();
+        fire(evt);
     }
 
     /**
@@ -100,46 +114,10 @@ public class DisplayController extends Component {
     @Handler
     @SuppressWarnings("PMD.EmptyCatchBlock")
     public void onFileChanged(FileChanged event) {
-        if (event.path().equals(configDir.resolve(DATA_DISPLAY_PASSWORD))) {
-            configureAccess(true);
-        }
-    }
-
-    @SuppressWarnings("PMD.DataflowAnomalyAnalysis")
-    private void configureAccess(boolean passwordChange) {
-        var userLoginConfigured = readFromFile(DATA_DISPLAY_LOGIN)
-            .map(Boolean::parseBoolean).orElse(false);
-        if (!userLoginConfigured) {
+        if (event.path()
+            .equals(configDir.resolve(DisplaySecret.DISPLAY_PASSWORD))) {
             configurePassword();
-            return;
         }
-
-        // With user login configured, we have to make sure that the
-        // user is logged in before we set the password and thus allow
-        // access to the display.
-        if (!vmopAgentConnected) {
-            if (passwordChange) {
-                logger.warning(() -> "Request for user login before "
-                    + "VM operator agent has connected");
-            }
-            return;
-        }
-
-        var user = readFromFile(DATA_DISPLAY_USER);
-        if (user.isEmpty()) {
-            logger.warning(() -> "Login requested, but no user configured");
-        }
-        fire(new VmopAgentLogIn(user.get()).setAssociated(this, user.get()));
-    }
-
-    /**
-     * On vmop agent logged in.
-     *
-     * @param event the event
-     */
-    @Handler
-    public void onVmopAgentLoggedIn(VmopAgentLoggedIn event) {
-        configurePassword();
     }
 
     private void configurePassword() {
@@ -152,7 +130,7 @@ public class DisplayController extends Component {
     }
 
     private boolean setDisplayPassword() {
-        return readFromFile(DATA_DISPLAY_PASSWORD).map(password -> {
+        return readFromFile(DisplaySecret.DISPLAY_PASSWORD).map(password -> {
             if (Objects.equals(this.currentPassword, password)) {
                 return true;
             }
@@ -165,7 +143,7 @@ public class DisplayController extends Component {
     }
 
     private void setPasswordExpiry() {
-        readFromFile(DATA_PASSWORD_EXPIRY).ifPresent(expiry -> {
+        readFromFile(DisplaySecret.PASSWORD_EXPIRY).ifPresent(expiry -> {
             logger.fine(() -> "Updating expiry time to " + expiry);
             fire(
                 new MonitorCommand(new QmpSetPasswordExpiry(protocol, expiry)));
diff --git a/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/Runner.java b/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/Runner.java
index f64af2d..0c62a93 100644
--- a/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/Runner.java
+++ b/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/Runner.java
@@ -56,7 +56,7 @@ import org.apache.commons.cli.DefaultParser;
 import org.apache.commons.cli.Option;
 import org.apache.commons.cli.Options;
 import static org.jdrupes.vmoperator.common.Constants.APP_NAME;
-import static org.jdrupes.vmoperator.common.Constants.DATA_DISPLAY_PASSWORD;
+import org.jdrupes.vmoperator.common.Constants.DisplaySecret;
 import org.jdrupes.vmoperator.runner.qemu.commands.QmpCont;
 import org.jdrupes.vmoperator.runner.qemu.commands.QmpReset;
 import org.jdrupes.vmoperator.runner.qemu.events.ConfigureQemu;
@@ -312,7 +312,7 @@ public class Runner extends Component {
 
             // Add some values from other sources to configuration
             newConf.asOf = Instant.ofEpochSecond(configFile.lastModified());
-            Path dsPath = configDir.resolve(DATA_DISPLAY_PASSWORD);
+            Path dsPath = configDir.resolve(DisplaySecret.DISPLAY_PASSWORD);
             newConf.hasDisplayPassword = dsPath.toFile().canRead();
 
             // Special actions for initial configuration (startup)
diff --git a/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/StatusUpdater.java b/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/StatusUpdater.java
index fa0e3ab..9c149d5 100644
--- a/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/StatusUpdater.java
+++ b/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/StatusUpdater.java
@@ -33,8 +33,8 @@ import java.io.IOException;
 import java.math.BigDecimal;
 import java.util.logging.Level;
 import static org.jdrupes.vmoperator.common.Constants.APP_NAME;
-import static org.jdrupes.vmoperator.common.Constants.VM_OP_GROUP;
-import static org.jdrupes.vmoperator.common.Constants.VM_OP_KIND_VM;
+import org.jdrupes.vmoperator.common.Constants.Crd;
+import org.jdrupes.vmoperator.common.Constants.Status;
 import org.jdrupes.vmoperator.common.K8s;
 import org.jdrupes.vmoperator.common.VmDefinition;
 import org.jdrupes.vmoperator.common.VmDefinitionStub;
@@ -48,6 +48,8 @@ import org.jdrupes.vmoperator.runner.qemu.events.RunnerStateChange;
 import org.jdrupes.vmoperator.runner.qemu.events.RunnerStateChange.RunState;
 import org.jdrupes.vmoperator.runner.qemu.events.ShutdownEvent;
 import org.jdrupes.vmoperator.runner.qemu.events.VmopAgentConnected;
+import org.jdrupes.vmoperator.runner.qemu.events.VmopAgentLoggedIn;
+import org.jdrupes.vmoperator.runner.qemu.events.VmopAgentLoggedOut;
 import org.jdrupes.vmoperator.util.GsonPtr;
 import org.jgrapes.core.Channel;
 import org.jgrapes.core.annotation.Handler;
@@ -110,11 +112,17 @@ public class StatusUpdater extends VmDefUpdater {
         }
         try {
             vmStub = VmDefinitionStub.get(apiClient,
-                new GroupVersionKind(VM_OP_GROUP, "", VM_OP_KIND_VM),
+                new GroupVersionKind(Crd.GROUP, "", Crd.KIND_VM),
                 namespace, vmName);
-            vmStub.model().ifPresent(model -> {
-                observedGeneration = model.getMetadata().getGeneration();
-            });
+            var vmDef = vmStub.updateStatus(from -> {
+                JsonObject status = from.statusJson();
+                status.remove(Status.LOGGED_IN_USER);
+                return status;
+            }).orElse(null);
+            if (vmDef == null) {
+                return;
+            }
+            observedGeneration = vmDef.getMetadata().getGeneration();
         } catch (ApiException e) {
             logger.log(Level.SEVERE, e,
                 () -> "Cannot access VM object, terminating.");
@@ -152,7 +160,7 @@ public class StatusUpdater extends VmDefUpdater {
                     "displayPasswordSerial").getAsInt() == -1)) {
             return;
         }
-        vmStub.updateStatus(vmDef.get(), from -> {
+        vmStub.updateStatus(from -> {
             JsonObject status = from.statusJson();
             if (!event.configuration().hasDisplayPassword) {
                 status.addProperty("displayPasswordSerial", -1);
@@ -173,15 +181,15 @@ public class StatusUpdater extends VmDefUpdater {
      * @throws ApiException 
      */
     @Handler
-    @SuppressWarnings({ "PMD.AssignmentInOperand",
-        "PMD.AvoidLiteralsInIfCondition" })
+    @SuppressWarnings({ "PMD.AvoidLiteralsInIfCondition",
+        "PMD.AssignmentInOperand", "PMD.AvoidDuplicateLiterals" })
     public void onRunnerStateChanged(RunnerStateChange event)
             throws ApiException {
         VmDefinition vmDef;
         if (vmStub == null || (vmDef = vmStub.model().orElse(null)) == null) {
             return;
         }
-        vmStub.updateStatus(vmDef, from -> {
+        vmStub.updateStatus(from -> {
             JsonObject status = from.statusJson();
             boolean running = event.runState().vmRunning();
             updateCondition(vmDef, vmDef.statusJson(), "Running", running,
@@ -196,6 +204,7 @@ public class StatusUpdater extends VmDefUpdater {
             } else if (event.runState() == RunState.STOPPED) {
                 status.addProperty("ram", "0");
                 status.addProperty("cpus", 0);
+                status.remove(Status.LOGGED_IN_USER);
             }
 
             if (!running) {
@@ -228,7 +237,7 @@ public class StatusUpdater extends VmDefUpdater {
 
         // Log event
         var evt = new EventsV1Event()
-            .reportingController(VM_OP_GROUP + "/" + APP_NAME)
+            .reportingController(Crd.GROUP + "/" + APP_NAME)
             .action("StatusUpdate").reason(event.reason())
             .note(event.message());
         K8s.createEvent(apiClient, vmDef, evt);
@@ -344,4 +353,35 @@ public class StatusUpdater extends VmDefUpdater {
             return status;
         });
     }
+
+    /**
+     * @param event the event
+     * @throws ApiException 
+     */
+    @Handler
+    @SuppressWarnings("PMD.AssignmentInOperand")
+    public void onVmopAgentLoggedIn(VmopAgentLoggedIn event)
+            throws ApiException {
+        vmStub.updateStatus(from -> {
+            JsonObject status = from.statusJson();
+            status.addProperty(Status.LOGGED_IN_USER,
+                event.triggering().user());
+            return status;
+        });
+    }
+
+    /**
+     * @param event the event
+     * @throws ApiException 
+     */
+    @Handler
+    @SuppressWarnings("PMD.AssignmentInOperand")
+    public void onVmopAgentLoggedOut(VmopAgentLoggedOut event)
+            throws ApiException {
+        vmStub.updateStatus(from -> {
+            JsonObject status = from.statusJson();
+            status.remove(Status.LOGGED_IN_USER);
+            return status;
+        });
+    }
 }
diff --git a/webpages/vm-operator/pools.md b/webpages/vm-operator/pools.md
index 290d0fd..a42293e 100644
--- a/webpages/vm-operator/pools.md
+++ b/webpages/vm-operator/pools.md
@@ -12,11 +12,12 @@ layout: vm-operator
 ### Shared file system
 
 Mount a shared file system as home file system on all VMs in the pool.
+If you want to use the sample script for logging in a user, the filesystem
+must support POSIX file access control lists (ACLs).
 
 ### Restrict access
 
-The only possibility to access the VMs should be via a desktop started by
-the VM-Operator.
+The VMs should only be accessible via a desktop started by the VM-Operator.
 
  * Disable the display manager.
  
@@ -31,10 +32,17 @@ the VM-Operator.
    # systemctl mask getty@tty1
    # systemctl stop getty@tty1
    ```
+
+You can, of course, disable `getty` completely. If you do this, make sure
+that you can still access your master VM through `ssh`, else you have
+locked yourself out.
+
+Strictly speaking, it is not necessary to disable these services, because
+the sample script includes a `Conflicts=` directive in the systemd service
+that starts the desktop for the user. However, this is mainly intended for
+development purposes and not for production.
    
-   You can, of course, disable `getty` completely. If you do this, make sure
-   that you can still access your master VM through `ssh`, else you have
-   locked yourself out.
+The following should actually be configured for any VM.
    
  * Prevent suspend/hibernate, because it will lock the VM.
  

From 5e282c4d2b298e96ebae18c9e095a28c88587a21 Mon Sep 17 00:00:00 2001
From: "Michael N. Lipp" <mnl@mnl.de>
Date: Sat, 1 Mar 2025 15:44:05 +0100
Subject: [PATCH 140/274] Move automatic login request to CRD.

Undoes reorganize constants.
---
 .../jdrupes/vmoperator/common/Constants.java  | 51 +++++--------------
 .../vmoperator/common/K8sGenericStub.java     |  4 +-
 .../manager/ConfigMapReconciler.java          |  4 +-
 .../vmoperator/manager/Controller.java        |  7 +--
 .../manager/DisplaySecretMonitor.java         |  8 +--
 .../manager/DisplaySecretReconciler.java      | 36 ++++++-------
 .../jdrupes/vmoperator/manager/Manager.java   |  6 +--
 .../vmoperator/manager/PoolMonitor.java       |  8 +--
 .../vmoperator/manager/PvcReconciler.java     |  4 +-
 .../vmoperator/manager/Reconciler.java        |  4 +-
 .../jdrupes/vmoperator/manager/VmMonitor.java |  8 +--
 .../vmoperator/manager/BasicTests.java        | 30 ++++++-----
 .../logging.properties                        |  4 +-
 .../runner/qemu/ConsoleTracker.java           |  9 ++--
 .../runner/qemu/DisplayController.java        | 12 ++---
 .../vmoperator/runner/qemu/Runner.java        |  4 +-
 .../vmoperator/runner/qemu/StatusUpdater.java | 30 ++++-------
 17 files changed, 103 insertions(+), 126 deletions(-)

diff --git a/org.jdrupes.vmoperator.common/src/org/jdrupes/vmoperator/common/Constants.java b/org.jdrupes.vmoperator.common/src/org/jdrupes/vmoperator/common/Constants.java
index a7ed780..7a1bd1a 100644
--- a/org.jdrupes.vmoperator.common/src/org/jdrupes/vmoperator/common/Constants.java
+++ b/org.jdrupes.vmoperator.common/src/org/jdrupes/vmoperator/common/Constants.java
@@ -27,47 +27,24 @@ public class Constants {
     /** The Constant APP_NAME. */
     public static final String APP_NAME = "vm-runner";
 
-    /**
-     * Constants related to the CRD.
-     */
-    @SuppressWarnings("PMD.ShortClassName")
-    public static class Crd {
+    /** The Constant VM_OP_NAME. */
+    public static final String VM_OP_NAME = "vm-operator";
 
-        /** The Constant NAME. */
-        public static final String NAME = "vm-operator";
+    /** The Constant VM_OP_GROUP. */
+    public static final String VM_OP_GROUP = "vmoperator.jdrupes.org";
 
-        /** The Constant GROUP. */
-        public static final String GROUP = "vmoperator.jdrupes.org";
+    /** The Constant VM_OP_KIND_VM. */
+    public static final String VM_OP_KIND_VM = "VirtualMachine";
 
-        /** The Constant KIND_VM. */
-        public static final String KIND_VM = "VirtualMachine";
+    /** The Constant VM_OP_KIND_VM_POOL. */
+    public static final String VM_OP_KIND_VM_POOL = "VmPool";
 
-        /** The Constant KIND_VM_POOL. */
-        public static final String KIND_VM_POOL = "VmPool";
-    }
+    /** The Constant COMP_DISPLAY_SECRETS. */
+    public static final String COMP_DISPLAY_SECRET = "display-secret";
 
-    /**
-     * Constants for the display secret.
-     */
-    public static class DisplaySecret {
+    /** The Constant DATA_DISPLAY_PASSWORD. */
+    public static final String DATA_DISPLAY_PASSWORD = "display-password";
 
-        /** The Constant NAME. */
-        public static final String NAME = "display-secret";
-
-        /** The Constant DISPLAY_PASSWORD. */
-        public static final String DISPLAY_PASSWORD = "display-password";
-
-        /** The Constant PASSWORD_EXPIRY. */
-        public static final String PASSWORD_EXPIRY = "password-expiry";
-    }
-
-    /**
-     * Constants for status fields.
-     */
-    public static class Status {
-
-        /** The Constant LOGGED_IN_USER. */
-        public static final String LOGGED_IN_USER = "loggedInUser";
-
-    }
+    /** The Constant DATA_PASSWORD_EXPIRY. */
+    public static final String DATA_PASSWORD_EXPIRY = "password-expiry";
 }
diff --git a/org.jdrupes.vmoperator.common/src/org/jdrupes/vmoperator/common/K8sGenericStub.java b/org.jdrupes.vmoperator.common/src/org/jdrupes/vmoperator/common/K8sGenericStub.java
index b1db86f..688f43f 100644
--- a/org.jdrupes.vmoperator.common/src/org/jdrupes/vmoperator/common/K8sGenericStub.java
+++ b/org.jdrupes.vmoperator.common/src/org/jdrupes/vmoperator/common/K8sGenericStub.java
@@ -193,7 +193,7 @@ public class K8sGenericStub<O extends KubernetesObject,
     }
 
     /**
-     * Updates the object's status. This method will not retry.
+     * Updates the object's status.
      *
      * @param object the current state of the object (passed to `status`)
      * @param status function that returns the new status
@@ -231,7 +231,7 @@ public class K8sGenericStub<O extends KubernetesObject,
     }
 
     /**
-     * Updates the status. In case of conflict, retries up to 16 times.
+     * Updates the status.
      *
      * @param status the status
      * @return the kubernetes api response
diff --git a/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/ConfigMapReconciler.java b/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/ConfigMapReconciler.java
index c5daf73..9c6dc3e 100644
--- a/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/ConfigMapReconciler.java
+++ b/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/ConfigMapReconciler.java
@@ -33,9 +33,9 @@ import java.io.IOException;
 import java.io.StringWriter;
 import java.util.Map;
 import java.util.logging.Logger;
-import org.jdrupes.vmoperator.common.Constants.Crd;
 import org.jdrupes.vmoperator.common.K8s;
 import static org.jdrupes.vmoperator.manager.Constants.APP_NAME;
+import static org.jdrupes.vmoperator.manager.Constants.VM_OP_NAME;
 import org.jdrupes.vmoperator.manager.events.VmChannel;
 import org.jdrupes.vmoperator.util.DataPath;
 import org.jdrupes.vmoperator.util.GsonPtr;
@@ -121,7 +121,7 @@ import org.yaml.snakeyaml.constructor.SafeConstructor;
             DynamicKubernetesObject newCm) {
         ListOptions listOpts = new ListOptions();
         listOpts.setLabelSelector(
-            "app.kubernetes.io/managed-by=" + Crd.NAME + ","
+            "app.kubernetes.io/managed-by=" + VM_OP_NAME + ","
                 + "app.kubernetes.io/name=" + APP_NAME + ","
                 + "app.kubernetes.io/instance=" + newCm.getMetadata()
                     .getLabels().get("app.kubernetes.io/instance"));
diff --git a/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/Controller.java b/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/Controller.java
index f3deefa..80ff0f7 100644
--- a/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/Controller.java
+++ b/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/Controller.java
@@ -29,7 +29,8 @@ import java.nio.file.Files;
 import java.nio.file.Path;
 import java.time.Instant;
 import java.util.logging.Level;
-import org.jdrupes.vmoperator.common.Constants.Crd;
+import static org.jdrupes.vmoperator.common.Constants.VM_OP_GROUP;
+import static org.jdrupes.vmoperator.common.Constants.VM_OP_KIND_VM;
 import org.jdrupes.vmoperator.common.K8sClient;
 import org.jdrupes.vmoperator.common.K8sDynamicStub;
 import org.jdrupes.vmoperator.common.VmDefinitionStub;
@@ -193,7 +194,7 @@ public class Controller extends Component {
     private void patchVmDef(K8sClient client, String name, String path,
             Object value) throws ApiException, IOException {
         var vmStub = K8sDynamicStub.get(client,
-            new GroupVersionKind(Crd.GROUP, "", Crd.KIND_VM), namespace,
+            new GroupVersionKind(VM_OP_GROUP, "", VM_OP_KIND_VM), namespace,
             name);
 
         // Patch running
@@ -226,7 +227,7 @@ public class Controller extends Component {
         try {
             var vmDef = channel.vmDefinition();
             var vmStub = VmDefinitionStub.get(channel.client(),
-                new GroupVersionKind(Crd.GROUP, "", Crd.KIND_VM),
+                new GroupVersionKind(VM_OP_GROUP, "", VM_OP_KIND_VM),
                 vmDef.namespace(), vmDef.name());
             if (vmStub.updateStatus(vmDef, from -> {
                 JsonObject status = from.statusJson();
diff --git a/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/DisplaySecretMonitor.java b/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/DisplaySecretMonitor.java
index 66cd2f4..99c8a11 100644
--- a/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/DisplaySecretMonitor.java
+++ b/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/DisplaySecretMonitor.java
@@ -28,11 +28,11 @@ import io.kubernetes.client.util.generic.options.PatchOptions;
 import java.io.IOException;
 import java.util.logging.Level;
 import static org.jdrupes.vmoperator.common.Constants.APP_NAME;
-import org.jdrupes.vmoperator.common.Constants.Crd;
-import org.jdrupes.vmoperator.common.Constants.DisplaySecret;
+import static org.jdrupes.vmoperator.common.Constants.VM_OP_NAME;
 import org.jdrupes.vmoperator.common.K8sClient;
 import org.jdrupes.vmoperator.common.K8sV1PodStub;
 import org.jdrupes.vmoperator.common.K8sV1SecretStub;
+import static org.jdrupes.vmoperator.manager.Constants.COMP_DISPLAY_SECRET;
 import org.jdrupes.vmoperator.manager.events.ChannelDictionary;
 import org.jdrupes.vmoperator.manager.events.VmChannel;
 import org.jgrapes.core.Channel;
@@ -61,7 +61,7 @@ public class DisplaySecretMonitor
         context(K8sV1SecretStub.CONTEXT);
         ListOptions options = new ListOptions();
         options.setLabelSelector("app.kubernetes.io/name=" + APP_NAME + ","
-            + "app.kubernetes.io/component=" + DisplaySecret.NAME);
+            + "app.kubernetes.io/component=" + COMP_DISPLAY_SECRET);
         options(options);
     }
 
@@ -95,7 +95,7 @@ public class DisplaySecretMonitor
         // Force update for pod
         ListOptions listOpts = new ListOptions();
         listOpts.setLabelSelector(
-            "app.kubernetes.io/managed-by=" + Crd.NAME + ","
+            "app.kubernetes.io/managed-by=" + VM_OP_NAME + ","
                 + "app.kubernetes.io/name=" + APP_NAME + ","
                 + "app.kubernetes.io/instance=" + change.object.getMetadata()
                     .getLabels().get("app.kubernetes.io/instance"));
diff --git a/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/DisplaySecretReconciler.java b/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/DisplaySecretReconciler.java
index 24ba978..bf8042a 100644
--- a/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/DisplaySecretReconciler.java
+++ b/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/DisplaySecretReconciler.java
@@ -37,12 +37,14 @@ import java.util.Optional;
 import java.util.Scanner;
 import java.util.logging.Logger;
 import static org.jdrupes.vmoperator.common.Constants.APP_NAME;
-import org.jdrupes.vmoperator.common.Constants.Crd;
-import org.jdrupes.vmoperator.common.Constants.DisplaySecret;
-import org.jdrupes.vmoperator.common.Constants.Status;
+import static org.jdrupes.vmoperator.common.Constants.COMP_DISPLAY_SECRET;
+import static org.jdrupes.vmoperator.common.Constants.VM_OP_GROUP;
+import static org.jdrupes.vmoperator.common.Constants.VM_OP_KIND_VM;
 import org.jdrupes.vmoperator.common.K8sV1SecretStub;
 import org.jdrupes.vmoperator.common.VmDefinition;
 import org.jdrupes.vmoperator.common.VmDefinitionStub;
+import static org.jdrupes.vmoperator.manager.Constants.DATA_DISPLAY_PASSWORD;
+import static org.jdrupes.vmoperator.manager.Constants.DATA_PASSWORD_EXPIRY;
 import org.jdrupes.vmoperator.manager.events.PrepareConsole;
 import org.jdrupes.vmoperator.manager.events.VmChannel;
 import org.jdrupes.vmoperator.manager.events.VmDefChanged;
@@ -141,7 +143,7 @@ public class DisplaySecretReconciler extends Component {
         var vmDef = event.vmDefinition();
         ListOptions options = new ListOptions();
         options.setLabelSelector("app.kubernetes.io/name=" + APP_NAME + ","
-            + "app.kubernetes.io/component=" + DisplaySecret.NAME + ","
+            + "app.kubernetes.io/component=" + COMP_DISPLAY_SECRET + ","
             + "app.kubernetes.io/instance=" + vmDef.name());
         var stubs = K8sV1SecretStub.list(channel.client(), vmDef.namespace(),
             options);
@@ -152,9 +154,9 @@ public class DisplaySecretReconciler extends Component {
         // Create secret
         var secret = new V1Secret();
         secret.setMetadata(new V1ObjectMeta().namespace(vmDef.namespace())
-            .name(vmDef.name() + "-" + DisplaySecret.NAME)
+            .name(vmDef.name() + "-" + COMP_DISPLAY_SECRET)
             .putLabelsItem("app.kubernetes.io/name", APP_NAME)
-            .putLabelsItem("app.kubernetes.io/component", DisplaySecret.NAME)
+            .putLabelsItem("app.kubernetes.io/component", COMP_DISPLAY_SECRET)
             .putLabelsItem("app.kubernetes.io/instance", vmDef.name()));
         secret.setType("Opaque");
         SecureRandom random = null;
@@ -167,8 +169,8 @@ public class DisplaySecretReconciler extends Component {
         byte[] bytes = new byte[16];
         random.nextBytes(bytes);
         var password = Base64.encode(bytes);
-        secret.setStringData(Map.of(DisplaySecret.DISPLAY_PASSWORD, password,
-            DisplaySecret.PASSWORD_EXPIRY, "now"));
+        secret.setStringData(Map.of(DATA_DISPLAY_PASSWORD, password,
+            DATA_PASSWORD_EXPIRY, "now"));
         K8sV1SecretStub.create(channel.client(), secret);
     }
 
@@ -194,7 +196,7 @@ public class DisplaySecretReconciler extends Component {
 
         // Check if access is possible
         if (event.loginUser()
-            ? !vmDef.<String> fromStatus(Status.LOGGED_IN_USER)
+            ? !vmDef.<String> fromStatus("loggedInUser")
                 .map(u -> u.equals(event.user())).orElse(false)
             : !vmDef.conditionStatus("Running").orElse(false)) {
             return;
@@ -227,7 +229,7 @@ public class DisplaySecretReconciler extends Component {
     private VmDefinition updateConsoleUser(PrepareConsole event,
             VmChannel channel) throws ApiException {
         var vmStub = VmDefinitionStub.get(channel.client(),
-            new GroupVersionKind(Crd.GROUP, "", Crd.KIND_VM),
+            new GroupVersionKind(VM_OP_GROUP, "", VM_OP_KIND_VM),
             event.vmDefinition().namespace(), event.vmDefinition().name());
         return vmStub.updateStatus(from -> {
             JsonObject status = from.statusJson();
@@ -241,7 +243,7 @@ public class DisplaySecretReconciler extends Component {
         // Look for secret
         ListOptions options = new ListOptions();
         options.setLabelSelector("app.kubernetes.io/name=" + APP_NAME + ","
-            + "app.kubernetes.io/component=" + DisplaySecret.NAME + ","
+            + "app.kubernetes.io/component=" + COMP_DISPLAY_SECRET + ","
             + "app.kubernetes.io/instance=" + vmDef.name());
         var stubs = K8sV1SecretStub.list(channel.client(), vmDef.namespace(),
             options);
@@ -255,14 +257,12 @@ public class DisplaySecretReconciler extends Component {
 
     private boolean updatePassword(V1Secret secret, PrepareConsole event) {
         var expiry = Optional.ofNullable(secret.getData()
-            .get(DisplaySecret.PASSWORD_EXPIRY)).map(b -> new String(b))
-            .orElse(null);
-        if (secret.getData().get(DisplaySecret.DISPLAY_PASSWORD) != null
+            .get(DATA_PASSWORD_EXPIRY)).map(b -> new String(b)).orElse(null);
+        if (secret.getData().get(DATA_DISPLAY_PASSWORD) != null
             && stillValid(expiry)) {
             // Fixed secret, don't touch
             event.setResult(
-                new String(
-                    secret.getData().get(DisplaySecret.DISPLAY_PASSWORD)));
+                new String(secret.getData().get(DATA_DISPLAY_PASSWORD)));
             return false;
         }
 
@@ -277,8 +277,8 @@ public class DisplaySecretReconciler extends Component {
         byte[] bytes = new byte[16];
         random.nextBytes(bytes);
         var password = Base64.encode(bytes);
-        secret.setStringData(Map.of(DisplaySecret.DISPLAY_PASSWORD, password,
-            DisplaySecret.PASSWORD_EXPIRY,
+        secret.setStringData(Map.of(DATA_DISPLAY_PASSWORD, password,
+            DATA_PASSWORD_EXPIRY,
             Long.toString(Instant.now().getEpochSecond() + passwordValidity)));
         event.setResult(password);
         return true;
diff --git a/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/Manager.java b/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/Manager.java
index 8acddc5..9d291cf 100644
--- a/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/Manager.java
+++ b/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/Manager.java
@@ -40,7 +40,7 @@ import org.apache.commons.cli.CommandLineParser;
 import org.apache.commons.cli.DefaultParser;
 import org.apache.commons.cli.Option;
 import org.apache.commons.cli.Options;
-import org.jdrupes.vmoperator.common.Constants.Crd;
+import static org.jdrupes.vmoperator.manager.Constants.VM_OP_NAME;
 import org.jdrupes.vmoperator.manager.events.Exit;
 import org.jdrupes.vmoperator.util.FsdUtils;
 import org.jgrapes.core.Channel;
@@ -108,7 +108,7 @@ public class Manager extends Component {
 
         // Configuration store with file in /etc/opt (default)
         File cfgFile = new File(cmdLine.getOptionValue('c',
-            "/etc/opt/" + Crd.NAME.replace("-", "") + "/config.yaml"));
+            "/etc/opt/" + VM_OP_NAME.replace("-", "") + "/config.yaml"));
         logger.config(() -> "Using configuration from: " + cfgFile.getPath());
         // Don't rely on night config to produce a good exception
         // for this simple case
@@ -271,7 +271,7 @@ public class Manager extends Component {
         try {
             // Get logging properties from file and put them in effect
             InputStream props;
-            var path = FsdUtils.findConfigFile(Crd.NAME.replace("-", ""),
+            var path = FsdUtils.findConfigFile(VM_OP_NAME.replace("-", ""),
                 "logging.properties");
             if (path.isPresent()) {
                 props = Files.newInputStream(path.get());
diff --git a/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/PoolMonitor.java b/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/PoolMonitor.java
index 465a9ed..25fb10b 100644
--- a/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/PoolMonitor.java
+++ b/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/PoolMonitor.java
@@ -28,7 +28,8 @@ import java.util.List;
 import java.util.Map;
 import java.util.Optional;
 import java.util.concurrent.ConcurrentHashMap;
-import org.jdrupes.vmoperator.common.Constants.Crd;
+import static org.jdrupes.vmoperator.common.Constants.VM_OP_GROUP;
+import static org.jdrupes.vmoperator.common.Constants.VM_OP_KIND_VM;
 import org.jdrupes.vmoperator.common.K8s;
 import org.jdrupes.vmoperator.common.K8sClient;
 import org.jdrupes.vmoperator.common.K8sDynamicModel;
@@ -37,6 +38,7 @@ import org.jdrupes.vmoperator.common.K8sDynamicStub;
 import org.jdrupes.vmoperator.common.K8sObserver.ResponseType;
 import org.jdrupes.vmoperator.common.VmDefinitionStub;
 import org.jdrupes.vmoperator.common.VmPool;
+import static org.jdrupes.vmoperator.manager.Constants.VM_OP_KIND_VM_POOL;
 import org.jdrupes.vmoperator.manager.events.GetPools;
 import org.jdrupes.vmoperator.manager.events.VmDefChanged;
 import org.jdrupes.vmoperator.manager.events.VmPoolChanged;
@@ -86,7 +88,7 @@ public class PoolMonitor extends
         client(new K8sClient());
 
         // Get all our API versions
-        var ctx = K8s.context(client(), Crd.GROUP, "", Crd.KIND_VM_POOL);
+        var ctx = K8s.context(client(), VM_OP_GROUP, "", VM_OP_KIND_VM_POOL);
         if (ctx.isEmpty()) {
             logger.severe(() -> "Cannot get CRD context.");
             return;
@@ -182,7 +184,7 @@ public class PoolMonitor extends
             return;
         }
         var vmStub = VmDefinitionStub.get(client(),
-            new GroupVersionKind(Crd.GROUP, "", Crd.KIND_VM),
+            new GroupVersionKind(VM_OP_GROUP, "", VM_OP_KIND_VM),
             vmDef.namespace(), vmDef.name());
         vmStub.updateStatus(from -> {
             // TODO
diff --git a/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/PvcReconciler.java b/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/PvcReconciler.java
index f0a3ede..34085f0 100644
--- a/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/PvcReconciler.java
+++ b/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/PvcReconciler.java
@@ -36,7 +36,7 @@ import java.util.Set;
 import java.util.logging.Logger;
 import java.util.stream.Collectors;
 import static org.jdrupes.vmoperator.common.Constants.APP_NAME;
-import org.jdrupes.vmoperator.common.Constants.Crd;
+import static org.jdrupes.vmoperator.common.Constants.VM_OP_NAME;
 import org.jdrupes.vmoperator.common.K8sV1PvcStub;
 import org.jdrupes.vmoperator.manager.events.VmChannel;
 import org.jdrupes.vmoperator.manager.events.VmDefChanged;
@@ -83,7 +83,7 @@ import org.yaml.snakeyaml.constructor.SafeConstructor;
         // Existing disks
         ListOptions listOpts = new ListOptions();
         listOpts.setLabelSelector(
-            "app.kubernetes.io/managed-by=" + Crd.NAME + ","
+            "app.kubernetes.io/managed-by=" + VM_OP_NAME + ","
                 + "app.kubernetes.io/name=" + APP_NAME + ","
                 + "app.kubernetes.io/instance=" + vmDef.name());
         var knownDisks = K8sV1PvcStub.list(channel.client(),
diff --git a/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/Reconciler.java b/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/Reconciler.java
index 0622a7c..8011e2c 100644
--- a/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/Reconciler.java
+++ b/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/Reconciler.java
@@ -46,12 +46,12 @@ import java.util.List;
 import java.util.Map;
 import java.util.Optional;
 import static org.jdrupes.vmoperator.common.Constants.APP_NAME;
-import org.jdrupes.vmoperator.common.Constants.DisplaySecret;
 import org.jdrupes.vmoperator.common.Convertions;
 import org.jdrupes.vmoperator.common.K8sClient;
 import org.jdrupes.vmoperator.common.K8sObserver;
 import org.jdrupes.vmoperator.common.K8sV1SecretStub;
 import org.jdrupes.vmoperator.common.VmDefinition;
+import static org.jdrupes.vmoperator.manager.Constants.COMP_DISPLAY_SECRET;
 import org.jdrupes.vmoperator.manager.events.ResetVm;
 import org.jdrupes.vmoperator.manager.events.VmChannel;
 import org.jdrupes.vmoperator.manager.events.VmDefChanged;
@@ -276,7 +276,7 @@ public class Reconciler extends Component {
         // Check if we have a display secret
         ListOptions options = new ListOptions();
         options.setLabelSelector("app.kubernetes.io/name=" + APP_NAME + ","
-            + "app.kubernetes.io/component=" + DisplaySecret.NAME + ","
+            + "app.kubernetes.io/component=" + COMP_DISPLAY_SECRET + ","
             + "app.kubernetes.io/instance=" + vmDef.name());
         var dsStub = K8sV1SecretStub
             .list(client, vmDef.namespace(), options)
diff --git a/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/VmMonitor.java b/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/VmMonitor.java
index a253b17..5c1ae77 100644
--- a/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/VmMonitor.java
+++ b/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/VmMonitor.java
@@ -31,7 +31,8 @@ import java.util.Set;
 import java.util.concurrent.atomic.AtomicBoolean;
 import java.util.logging.Level;
 import java.util.stream.Collectors;
-import org.jdrupes.vmoperator.common.Constants.Crd;
+import static org.jdrupes.vmoperator.common.Constants.VM_OP_GROUP;
+import static org.jdrupes.vmoperator.common.Constants.VM_OP_KIND_VM;
 import org.jdrupes.vmoperator.common.K8s;
 import org.jdrupes.vmoperator.common.K8sClient;
 import org.jdrupes.vmoperator.common.K8sDynamicStub;
@@ -45,6 +46,7 @@ import org.jdrupes.vmoperator.common.VmDefinitions;
 import org.jdrupes.vmoperator.common.VmExtraData;
 import org.jdrupes.vmoperator.common.VmPool;
 import static org.jdrupes.vmoperator.manager.Constants.APP_NAME;
+import static org.jdrupes.vmoperator.manager.Constants.VM_OP_NAME;
 import org.jdrupes.vmoperator.manager.events.AssignVm;
 import org.jdrupes.vmoperator.manager.events.ChannelManager;
 import org.jdrupes.vmoperator.manager.events.GetPools;
@@ -85,7 +87,7 @@ public class VmMonitor extends
         client(new K8sClient());
 
         // Get all our API versions
-        var ctx = K8s.context(client(), Crd.GROUP, "", Crd.KIND_VM);
+        var ctx = K8s.context(client(), VM_OP_GROUP, "", VM_OP_KIND_VM);
         if (ctx.isEmpty()) {
             logger.severe(() -> "Cannot get CRD context.");
             return;
@@ -103,7 +105,7 @@ public class VmMonitor extends
             .stream().map(stub -> stub.name()).collect(Collectors.toSet());
         ListOptions opts = new ListOptions();
         opts.setLabelSelector(
-            "app.kubernetes.io/managed-by=" + Crd.NAME + ","
+            "app.kubernetes.io/managed-by=" + VM_OP_NAME + ","
                 + "app.kubernetes.io/name=" + APP_NAME);
         for (var context : Set.of(K8sV1StatefulSetStub.CONTEXT,
             K8sV1ConfigMapStub.CONTEXT)) {
diff --git a/org.jdrupes.vmoperator.manager/test/org/jdrupes/vmoperator/manager/BasicTests.java b/org.jdrupes.vmoperator.manager/test/org/jdrupes/vmoperator/manager/BasicTests.java
index b3b9b1a..4f5d7a3 100644
--- a/org.jdrupes.vmoperator.manager/test/org/jdrupes/vmoperator/manager/BasicTests.java
+++ b/org.jdrupes.vmoperator.manager/test/org/jdrupes/vmoperator/manager/BasicTests.java
@@ -13,8 +13,10 @@ import java.util.LinkedHashMap;
 import java.util.List;
 import java.util.Map;
 import static org.jdrupes.vmoperator.common.Constants.APP_NAME;
-import org.jdrupes.vmoperator.common.Constants.Crd;
-import org.jdrupes.vmoperator.common.Constants.DisplaySecret;
+import static org.jdrupes.vmoperator.common.Constants.COMP_DISPLAY_SECRET;
+import static org.jdrupes.vmoperator.common.Constants.VM_OP_GROUP;
+import static org.jdrupes.vmoperator.common.Constants.VM_OP_KIND_VM;
+import static org.jdrupes.vmoperator.common.Constants.VM_OP_NAME;
 import org.jdrupes.vmoperator.common.K8s;
 import org.jdrupes.vmoperator.common.K8sClient;
 import org.jdrupes.vmoperator.common.K8sDynamicStub;
@@ -58,7 +60,7 @@ class BasicTests {
         waitForManager();
 
         // Context for working with our CR
-        var apiRes = K8s.context(client, Crd.GROUP, null, Crd.KIND_VM);
+        var apiRes = K8s.context(client, VM_OP_GROUP, null, VM_OP_KIND_VM);
         assertTrue(apiRes.isPresent());
         vmsContext = apiRes.get();
 
@@ -68,7 +70,7 @@ class BasicTests {
         ListOptions listOpts = new ListOptions();
         listOpts.setLabelSelector("app.kubernetes.io/name=" + APP_NAME + ","
             + "app.kubernetes.io/instance=" + VM_NAME + ","
-            + "app.kubernetes.io/component=" + DisplaySecret.NAME);
+            + "app.kubernetes.io/component=" + COMP_DISPLAY_SECRET);
         var secrets = K8sV1SecretStub.list(client, "vmop-dev", listOpts);
         for (var secret : secrets) {
             secret.delete();
@@ -98,7 +100,7 @@ class BasicTests {
     private static void deletePvcs() throws ApiException {
         ListOptions listOpts = new ListOptions();
         listOpts.setLabelSelector(
-            "app.kubernetes.io/managed-by=" + Crd.NAME + ","
+            "app.kubernetes.io/managed-by=" + VM_OP_NAME + ","
                 + "app.kubernetes.io/name=" + APP_NAME + ","
                 + "app.kubernetes.io/instance=" + VM_NAME);
         var knownPvcs = K8sV1PvcStub.list(client, "vmop-dev", listOpts);
@@ -137,11 +139,11 @@ class BasicTests {
             List.of("labels", "app.kubernetes.io/name"), Constants.APP_NAME,
             List.of("labels", "app.kubernetes.io/instance"), VM_NAME,
             List.of("labels", "app.kubernetes.io/managed-by"),
-            Crd.NAME,
+            Constants.VM_OP_NAME,
             List.of("annotations", "vmoperator.jdrupes.org/version"), EXISTS,
             List.of("ownerReferences", 0, "apiVersion"),
             vmsContext.getGroup() + "/" + vmsContext.getVersions().get(0),
-            List.of("ownerReferences", 0, "kind"), Crd.KIND_VM,
+            List.of("ownerReferences", 0, "kind"), Constants.VM_OP_KIND_VM,
             List.of("ownerReferences", 0, "name"), VM_NAME,
             List.of("ownerReferences", 0, "uid"), EXISTS);
         checkProps(config.getMetadata(), toCheck);
@@ -187,7 +189,7 @@ class BasicTests {
         ListOptions listOpts = new ListOptions();
         listOpts.setLabelSelector("app.kubernetes.io/name=" + APP_NAME + ","
             + "app.kubernetes.io/instance=" + VM_NAME + ","
-            + "app.kubernetes.io/component=" + DisplaySecret.NAME);
+            + "app.kubernetes.io/component=" + COMP_DISPLAY_SECRET);
         Collection<K8sV1SecretStub> secrets = null;
         for (int i = 0; i < 10; i++) {
             secrets = K8sV1SecretStub.list(client, "vmop-dev", listOpts);
@@ -218,7 +220,7 @@ class BasicTests {
             List.of("labels", "app.kubernetes.io/name"), Constants.APP_NAME,
             List.of("labels", "app.kubernetes.io/instance"), VM_NAME,
             List.of("labels", "app.kubernetes.io/managed-by"),
-            Crd.NAME));
+            Constants.VM_OP_NAME));
         checkProps(pvc.getSpec(), Map.of(
             List.of("resources", "requests", "storage"),
             Quantity.fromString("1Mi")));
@@ -239,7 +241,7 @@ class BasicTests {
             List.of("labels", "app.kubernetes.io/name"), Constants.APP_NAME,
             List.of("labels", "app.kubernetes.io/instance"), VM_NAME,
             List.of("labels", "app.kubernetes.io/managed-by"),
-            Crd.NAME,
+            Constants.VM_OP_NAME,
             List.of("annotations", "use_as"), "system-disk"));
         checkProps(pvc.getSpec(), Map.of(
             List.of("resources", "requests", "storage"),
@@ -261,7 +263,7 @@ class BasicTests {
             List.of("labels", "app.kubernetes.io/name"), Constants.APP_NAME,
             List.of("labels", "app.kubernetes.io/instance"), VM_NAME,
             List.of("labels", "app.kubernetes.io/managed-by"),
-            Crd.NAME));
+            Constants.VM_OP_NAME));
         checkProps(pvc.getSpec(), Map.of(
             List.of("resources", "requests", "storage"),
             Quantity.fromString("1Gi")));
@@ -289,12 +291,12 @@ class BasicTests {
             List.of("labels", "app.kubernetes.io/instance"), VM_NAME,
             List.of("labels", "app.kubernetes.io/component"), APP_NAME,
             List.of("labels", "app.kubernetes.io/managed-by"),
-            Crd.NAME,
+            Constants.VM_OP_NAME,
             List.of("annotations", "vmrunner.jdrupes.org/cmVersion"), EXISTS,
             List.of("annotations", "vmoperator.jdrupes.org/version"), EXISTS,
             List.of("ownerReferences", 0, "apiVersion"),
             vmsContext.getGroup() + "/" + vmsContext.getVersions().get(0),
-            List.of("ownerReferences", 0, "kind"), Crd.KIND_VM,
+            List.of("ownerReferences", 0, "kind"), Constants.VM_OP_KIND_VM,
             List.of("ownerReferences", 0, "name"), VM_NAME,
             List.of("ownerReferences", 0, "uid"), EXISTS));
         checkProps(pod.getSpec(), Map.of(
@@ -317,7 +319,7 @@ class BasicTests {
         checkProps(svc.getMetadata(), Map.of(
             List.of("labels", "app.kubernetes.io/name"), APP_NAME,
             List.of("labels", "app.kubernetes.io/instance"), VM_NAME,
-            List.of("labels", "app.kubernetes.io/managed-by"), Crd.NAME,
+            List.of("labels", "app.kubernetes.io/managed-by"), VM_OP_NAME,
             List.of("labels", "label1"), "label1",
             List.of("labels", "label2"), "replaced",
             List.of("labels", "label3"), "added",
diff --git a/org.jdrupes.vmoperator.runner.qemu/logging.properties b/org.jdrupes.vmoperator.runner.qemu/logging.properties
index 6b0542d..1cf84fe 100644
--- a/org.jdrupes.vmoperator.runner.qemu/logging.properties
+++ b/org.jdrupes.vmoperator.runner.qemu/logging.properties
@@ -19,8 +19,8 @@
 
 handlers=java.util.logging.ConsoleHandler
 
-#org.jgrapes.level=FINE
-#org.jgrapes.core.handlerTracking.level=FINER
+org.jgrapes.level=FINE
+org.jgrapes.core.handlerTracking.level=FINER
 
 org.jdrupes.vmoperator.runner.qemu.level=FINE
 
diff --git a/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/ConsoleTracker.java b/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/ConsoleTracker.java
index db29932..b91b5df 100644
--- a/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/ConsoleTracker.java
+++ b/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/ConsoleTracker.java
@@ -25,7 +25,8 @@ import io.kubernetes.client.openapi.models.EventsV1Event;
 import java.io.IOException;
 import java.util.logging.Level;
 import static org.jdrupes.vmoperator.common.Constants.APP_NAME;
-import org.jdrupes.vmoperator.common.Constants.Crd;
+import static org.jdrupes.vmoperator.common.Constants.VM_OP_GROUP;
+import static org.jdrupes.vmoperator.common.Constants.VM_OP_KIND_VM;
 import org.jdrupes.vmoperator.common.K8s;
 import org.jdrupes.vmoperator.common.K8sClient;
 import org.jdrupes.vmoperator.common.VmDefinitionStub;
@@ -73,7 +74,7 @@ public class ConsoleTracker extends VmDefUpdater {
         }
         try {
             vmStub = VmDefinitionStub.get(apiClient,
-                new GroupVersionKind(Crd.GROUP, "", Crd.KIND_VM),
+                new GroupVersionKind(VM_OP_GROUP, "", VM_OP_KIND_VM),
                 namespace, vmName);
         } catch (ApiException e) {
             logger.log(Level.SEVERE, e,
@@ -114,7 +115,7 @@ public class ConsoleTracker extends VmDefUpdater {
 
         // Log event
         var evt = new EventsV1Event()
-            .reportingController(Crd.GROUP + "/" + APP_NAME)
+            .reportingController(VM_OP_GROUP + "/" + APP_NAME)
             .action("ConsoleConnectionUpdate")
             .reason("Connection from " + event.clientHost());
         K8s.createEvent(apiClient, vmStub.model().get(), evt);
@@ -149,7 +150,7 @@ public class ConsoleTracker extends VmDefUpdater {
 
         // Log event
         var evt = new EventsV1Event()
-            .reportingController(Crd.GROUP + "/" + APP_NAME)
+            .reportingController(VM_OP_GROUP + "/" + APP_NAME)
             .action("ConsoleConnectionUpdate")
             .reason("Disconnected from " + event.clientHost());
         K8s.createEvent(apiClient, vmStub.model().get(), evt);
diff --git a/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/DisplayController.java b/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/DisplayController.java
index 63a3ec1..39f71d5 100644
--- a/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/DisplayController.java
+++ b/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/DisplayController.java
@@ -24,7 +24,8 @@ import java.nio.file.Path;
 import java.util.Objects;
 import java.util.Optional;
 import java.util.logging.Level;
-import org.jdrupes.vmoperator.common.Constants.DisplaySecret;
+import static org.jdrupes.vmoperator.common.Constants.DATA_DISPLAY_PASSWORD;
+import static org.jdrupes.vmoperator.common.Constants.DATA_PASSWORD_EXPIRY;
 import org.jdrupes.vmoperator.runner.qemu.commands.QmpSetDisplayPassword;
 import org.jdrupes.vmoperator.runner.qemu.commands.QmpSetPasswordExpiry;
 import org.jdrupes.vmoperator.runner.qemu.events.ConfigureQemu;
@@ -63,7 +64,7 @@ public class DisplayController extends Component {
     public DisplayController(Channel componentChannel, Path configDir) {
         super(componentChannel);
         this.configDir = configDir;
-        fire(new WatchFile(configDir.resolve(DisplaySecret.DISPLAY_PASSWORD)));
+        fire(new WatchFile(configDir.resolve(DATA_DISPLAY_PASSWORD)));
     }
 
     /**
@@ -114,8 +115,7 @@ public class DisplayController extends Component {
     @Handler
     @SuppressWarnings("PMD.EmptyCatchBlock")
     public void onFileChanged(FileChanged event) {
-        if (event.path()
-            .equals(configDir.resolve(DisplaySecret.DISPLAY_PASSWORD))) {
+        if (event.path().equals(configDir.resolve(DATA_DISPLAY_PASSWORD))) {
             configurePassword();
         }
     }
@@ -130,7 +130,7 @@ public class DisplayController extends Component {
     }
 
     private boolean setDisplayPassword() {
-        return readFromFile(DisplaySecret.DISPLAY_PASSWORD).map(password -> {
+        return readFromFile(DATA_DISPLAY_PASSWORD).map(password -> {
             if (Objects.equals(this.currentPassword, password)) {
                 return true;
             }
@@ -143,7 +143,7 @@ public class DisplayController extends Component {
     }
 
     private void setPasswordExpiry() {
-        readFromFile(DisplaySecret.PASSWORD_EXPIRY).ifPresent(expiry -> {
+        readFromFile(DATA_PASSWORD_EXPIRY).ifPresent(expiry -> {
             logger.fine(() -> "Updating expiry time to " + expiry);
             fire(
                 new MonitorCommand(new QmpSetPasswordExpiry(protocol, expiry)));
diff --git a/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/Runner.java b/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/Runner.java
index 0c62a93..f64af2d 100644
--- a/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/Runner.java
+++ b/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/Runner.java
@@ -56,7 +56,7 @@ import org.apache.commons.cli.DefaultParser;
 import org.apache.commons.cli.Option;
 import org.apache.commons.cli.Options;
 import static org.jdrupes.vmoperator.common.Constants.APP_NAME;
-import org.jdrupes.vmoperator.common.Constants.DisplaySecret;
+import static org.jdrupes.vmoperator.common.Constants.DATA_DISPLAY_PASSWORD;
 import org.jdrupes.vmoperator.runner.qemu.commands.QmpCont;
 import org.jdrupes.vmoperator.runner.qemu.commands.QmpReset;
 import org.jdrupes.vmoperator.runner.qemu.events.ConfigureQemu;
@@ -312,7 +312,7 @@ public class Runner extends Component {
 
             // Add some values from other sources to configuration
             newConf.asOf = Instant.ofEpochSecond(configFile.lastModified());
-            Path dsPath = configDir.resolve(DisplaySecret.DISPLAY_PASSWORD);
+            Path dsPath = configDir.resolve(DATA_DISPLAY_PASSWORD);
             newConf.hasDisplayPassword = dsPath.toFile().canRead();
 
             // Special actions for initial configuration (startup)
diff --git a/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/StatusUpdater.java b/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/StatusUpdater.java
index 9c149d5..eeee5ac 100644
--- a/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/StatusUpdater.java
+++ b/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/StatusUpdater.java
@@ -33,8 +33,8 @@ import java.io.IOException;
 import java.math.BigDecimal;
 import java.util.logging.Level;
 import static org.jdrupes.vmoperator.common.Constants.APP_NAME;
-import org.jdrupes.vmoperator.common.Constants.Crd;
-import org.jdrupes.vmoperator.common.Constants.Status;
+import static org.jdrupes.vmoperator.common.Constants.VM_OP_GROUP;
+import static org.jdrupes.vmoperator.common.Constants.VM_OP_KIND_VM;
 import org.jdrupes.vmoperator.common.K8s;
 import org.jdrupes.vmoperator.common.VmDefinition;
 import org.jdrupes.vmoperator.common.VmDefinitionStub;
@@ -112,17 +112,11 @@ public class StatusUpdater extends VmDefUpdater {
         }
         try {
             vmStub = VmDefinitionStub.get(apiClient,
-                new GroupVersionKind(Crd.GROUP, "", Crd.KIND_VM),
+                new GroupVersionKind(VM_OP_GROUP, "", VM_OP_KIND_VM),
                 namespace, vmName);
-            var vmDef = vmStub.updateStatus(from -> {
-                JsonObject status = from.statusJson();
-                status.remove(Status.LOGGED_IN_USER);
-                return status;
-            }).orElse(null);
-            if (vmDef == null) {
-                return;
-            }
-            observedGeneration = vmDef.getMetadata().getGeneration();
+            vmStub.model().ifPresent(model -> {
+                observedGeneration = model.getMetadata().getGeneration();
+            });
         } catch (ApiException e) {
             logger.log(Level.SEVERE, e,
                 () -> "Cannot access VM object, terminating.");
@@ -160,7 +154,7 @@ public class StatusUpdater extends VmDefUpdater {
                     "displayPasswordSerial").getAsInt() == -1)) {
             return;
         }
-        vmStub.updateStatus(from -> {
+        vmStub.updateStatus(vmDef.get(), from -> {
             JsonObject status = from.statusJson();
             if (!event.configuration().hasDisplayPassword) {
                 status.addProperty("displayPasswordSerial", -1);
@@ -189,7 +183,7 @@ public class StatusUpdater extends VmDefUpdater {
         if (vmStub == null || (vmDef = vmStub.model().orElse(null)) == null) {
             return;
         }
-        vmStub.updateStatus(from -> {
+        vmStub.updateStatus(vmDef, from -> {
             JsonObject status = from.statusJson();
             boolean running = event.runState().vmRunning();
             updateCondition(vmDef, vmDef.statusJson(), "Running", running,
@@ -204,7 +198,6 @@ public class StatusUpdater extends VmDefUpdater {
             } else if (event.runState() == RunState.STOPPED) {
                 status.addProperty("ram", "0");
                 status.addProperty("cpus", 0);
-                status.remove(Status.LOGGED_IN_USER);
             }
 
             if (!running) {
@@ -237,7 +230,7 @@ public class StatusUpdater extends VmDefUpdater {
 
         // Log event
         var evt = new EventsV1Event()
-            .reportingController(Crd.GROUP + "/" + APP_NAME)
+            .reportingController(VM_OP_GROUP + "/" + APP_NAME)
             .action("StatusUpdate").reason(event.reason())
             .note(event.message());
         K8s.createEvent(apiClient, vmDef, evt);
@@ -364,8 +357,7 @@ public class StatusUpdater extends VmDefUpdater {
             throws ApiException {
         vmStub.updateStatus(from -> {
             JsonObject status = from.statusJson();
-            status.addProperty(Status.LOGGED_IN_USER,
-                event.triggering().user());
+            status.addProperty("loggedInUser", event.triggering().user());
             return status;
         });
     }
@@ -380,7 +372,7 @@ public class StatusUpdater extends VmDefUpdater {
             throws ApiException {
         vmStub.updateStatus(from -> {
             JsonObject status = from.statusJson();
-            status.remove(Status.LOGGED_IN_USER);
+            status.remove("loggedInUser");
             return status;
         });
     }

From 62a72101176923701f57da155591e9d51f942ae5 Mon Sep 17 00:00:00 2001
From: "Michael N. Lipp" <mnl@mnl.de>
Date: Sat, 1 Mar 2025 17:00:14 +0100
Subject: [PATCH 141/274] Fix and clarify usage of methods for status update.

---
 .../vmoperator/common/K8sGenericStub.java     | 35 ++++++++++---------
 .../runner/qemu/ConsoleTracker.java           | 10 +++---
 .../vmoperator/runner/qemu/StatusUpdater.java | 23 ++++++------
 .../vmoperator/runner/qemu/VmDefUpdater.java  | 16 ++++++---
 4 files changed, 43 insertions(+), 41 deletions(-)

diff --git a/org.jdrupes.vmoperator.common/src/org/jdrupes/vmoperator/common/K8sGenericStub.java b/org.jdrupes.vmoperator.common/src/org/jdrupes/vmoperator/common/K8sGenericStub.java
index 688f43f..2af4d1b 100644
--- a/org.jdrupes.vmoperator.common/src/org/jdrupes/vmoperator/common/K8sGenericStub.java
+++ b/org.jdrupes.vmoperator.common/src/org/jdrupes/vmoperator/common/K8sGenericStub.java
@@ -196,51 +196,52 @@ public class K8sGenericStub<O extends KubernetesObject,
      * Updates the object's status.
      *
      * @param object the current state of the object (passed to `status`)
-     * @param status function that returns the new status
+     * @param updater function that returns the new status
      * @return the updated model or empty if the object was not found
      * @throws ApiException the api exception
      */
     @SuppressWarnings("PMD.AssignmentInOperand")
-    public Optional<O> updateStatus(O object, Function<O, Object> status)
+    public Optional<O> updateStatus(O object, Function<O, Object> updater)
             throws ApiException {
-        return K8s.optional(api.updateStatus(object, status));
+        return K8s.optional(api.updateStatus(object, updater));
     }
 
     /**
      * Gets the object and updates the status. In case of conflict, retries
      * up to `retries` times.
      *
-     * @param status the status
+     * @param updater the function updating the status
      * @param retries the retries in case of conflict
      * @return the updated model or empty if the object was not found
      * @throws ApiException the api exception
      */
     @SuppressWarnings({ "PMD.AssignmentInOperand", "PMD.UnusedAssignment" })
-    public Optional<O> updateStatus(Function<O, Object> status, int retries)
+    public Optional<O> updateStatus(Function<O, Object> updater, int retries)
             throws ApiException {
-        try {
-            return updateStatus(api.get(namespace, name).throwsApiException()
-                .getObject(), status);
-        } catch (ApiException e) {
-            if (HttpURLConnection.HTTP_CONFLICT != e.getCode()
-                || retries-- <= 0) {
-                throw e;
+        while (true) {
+            try {
+                return updateStatus(api.get(namespace, name)
+                    .throwsApiException().getObject(), updater);
+            } catch (ApiException e) {
+                if (HttpURLConnection.HTTP_CONFLICT != e.getCode()
+                    || retries-- <= 0) {
+                    throw e;
+                }
             }
         }
-        return Optional.empty();
     }
 
     /**
-     * Updates the status.
+     * Updates the status. In case of conflict, retries up to 16 times.
      *
-     * @param status the status
+     * @param updater the function updating the status
      * @return the kubernetes api response
      * the updated model or empty if not successful
      * @throws ApiException the api exception
      */
-    public Optional<O> updateStatus(Function<O, Object> status)
+    public Optional<O> updateStatus(Function<O, Object> updater)
             throws ApiException {
-        return updateStatus(status, 16);
+        return updateStatus(updater, 16);
     }
 
     /**
diff --git a/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/ConsoleTracker.java b/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/ConsoleTracker.java
index b91b5df..7956fa1 100644
--- a/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/ConsoleTracker.java
+++ b/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/ConsoleTracker.java
@@ -106,10 +106,9 @@ public class ConsoleTracker extends VmDefUpdater {
         mainChannelClientHost = event.clientHost();
         mainChannelClientPort = event.clientPort();
         vmStub.updateStatus(from -> {
-            JsonObject status = from.statusJson();
+            JsonObject status = updateCondition(from, "ConsoleConnected", true,
+                "Connected", "Connection from " + event.clientHost());
             status.addProperty("consoleClient", event.clientHost());
-            updateCondition(from, status, "ConsoleConnected", true, "Connected",
-                "Connection from " + event.clientHost());
             return status;
         });
 
@@ -141,10 +140,9 @@ public class ConsoleTracker extends VmDefUpdater {
             return;
         }
         vmStub.updateStatus(from -> {
-            JsonObject status = from.statusJson();
-            status.addProperty("consoleClient", "");
-            updateCondition(from, status, "ConsoleConnected", false,
+            JsonObject status = updateCondition(from, "ConsoleConnected", false,
                 "Disconnected", event.clientHost() + " has disconnected");
+            status.addProperty("consoleClient", "");
             return status;
         });
 
diff --git a/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/StatusUpdater.java b/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/StatusUpdater.java
index eeee5ac..b4608b3 100644
--- a/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/StatusUpdater.java
+++ b/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/StatusUpdater.java
@@ -154,7 +154,7 @@ public class StatusUpdater extends VmDefUpdater {
                     "displayPasswordSerial").getAsInt() == -1)) {
             return;
         }
-        vmStub.updateStatus(vmDef.get(), from -> {
+        vmStub.updateStatus(from -> {
             JsonObject status = from.statusJson();
             if (!event.configuration().hasDisplayPassword) {
                 status.addProperty("displayPasswordSerial", -1);
@@ -183,12 +183,11 @@ public class StatusUpdater extends VmDefUpdater {
         if (vmStub == null || (vmDef = vmStub.model().orElse(null)) == null) {
             return;
         }
-        vmStub.updateStatus(vmDef, from -> {
-            JsonObject status = from.statusJson();
+        vmStub.updateStatus(from -> {
             boolean running = event.runState().vmRunning();
-            updateCondition(vmDef, vmDef.statusJson(), "Running", running,
-                event.reason(), event.message());
-            updateCondition(vmDef, vmDef.statusJson(), "Booted",
+            updateCondition(vmDef, "Running", running, event.reason(),
+                event.message());
+            JsonObject status = updateCondition(vmDef, "Booted",
                 event.runState() == RunState.BOOTED, event.reason(),
                 event.message());
             if (event.runState() == RunState.STARTING) {
@@ -203,13 +202,13 @@ public class StatusUpdater extends VmDefUpdater {
             if (!running) {
                 // In case console connection was still present
                 status.addProperty("consoleClient", "");
-                updateCondition(from, status, "ConsoleConnected", false,
-                    "VmStopped", "The VM is not running");
+                updateCondition(from, "ConsoleConnected", false, "VmStopped",
+                    "The VM is not running");
 
                 // In case we had an irregular shutdown
                 status.remove("osinfo");
-                updateCondition(vmDef, vmDef.statusJson(), "VmopAgentConnected",
-                    false, "VmStopped", "The VM is not running");
+                updateCondition(vmDef, "VmopAgentConnected", false, "VmStopped",
+                    "The VM is not running");
             }
             return status;
         });
@@ -340,10 +339,8 @@ public class StatusUpdater extends VmDefUpdater {
             return;
         }
         vmStub.updateStatus(from -> {
-            JsonObject status = from.statusJson();
-            updateCondition(vmDef, status, "VmopAgentConnected",
+            return updateCondition(vmDef, "VmopAgentConnected",
                 true, "VmopAgentStarted", "The VM operator agent is running");
-            return status;
         });
     }
 
diff --git a/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/VmDefUpdater.java b/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/VmDefUpdater.java
index f04b478..50017c1 100644
--- a/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/VmDefUpdater.java
+++ b/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/VmDefUpdater.java
@@ -31,6 +31,7 @@ import java.util.Optional;
 import java.util.logging.Level;
 import java.util.stream.Collectors;
 import org.jdrupes.vmoperator.common.K8sClient;
+import org.jdrupes.vmoperator.common.K8sGenericStub;
 import org.jdrupes.vmoperator.common.VmDefinition;
 import org.jdrupes.vmoperator.runner.qemu.events.Exit;
 import org.jgrapes.core.Channel;
@@ -109,17 +110,21 @@ public class VmDefUpdater extends Component {
     }
 
     /**
-     * Update condition.
+     * Update condition. The `from` VM definition is used to determine the
+     * observed generation and the current status. This method is intended
+     * to be called in the function passed to
+     * {@link K8sGenericStub#updateStatus}.
      *
      * @param from the VM definition
-     * @param status the current status
      * @param type the condition type
      * @param state the new state
      * @param reason the reason for the change
      * @param message the message
+     * @return the updated status
      */
-    protected void updateCondition(VmDefinition from, JsonObject status,
-            String type, boolean state, String reason, String message) {
+    protected JsonObject updateCondition(VmDefinition from, String type,
+            boolean state, String reason, String message) {
+        JsonObject status = from.statusJson();
         // Optimize, as we can get this several times
         var current = status.getAsJsonArray("conditions").asList().stream()
             .map(cond -> (JsonObject) cond)
@@ -127,7 +132,7 @@ public class VmDefUpdater extends Component {
             .findFirst()
             .map(cond -> "True".equals(cond.get("status").getAsString()));
         if (current.isPresent() && current.get() == state) {
-            return;
+            return status;
         }
 
         // Do update
@@ -150,5 +155,6 @@ public class VmDefUpdater extends Component {
         newConds.addAll(toReplace);
         status.add("conditions",
             apiClient.getJSON().getGson().toJsonTree(newConds));
+        return status;
     }
 }

From 4a242c46570fd95346c5bb14cb5778950e3f8536 Mon Sep 17 00:00:00 2001
From: "Michael N. Lipp" <mnl@mnl.de>
Date: Sat, 1 Mar 2025 17:12:02 +0100
Subject: [PATCH 142/274] Clear logged in user on startup and shutdown.

---
 .../vmoperator/runner/qemu/StatusUpdater.java        | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)

diff --git a/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/StatusUpdater.java b/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/StatusUpdater.java
index b4608b3..1bea80f 100644
--- a/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/StatusUpdater.java
+++ b/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/StatusUpdater.java
@@ -114,8 +114,15 @@ public class StatusUpdater extends VmDefUpdater {
             vmStub = VmDefinitionStub.get(apiClient,
                 new GroupVersionKind(VM_OP_GROUP, "", VM_OP_KIND_VM),
                 namespace, vmName);
-            vmStub.model().ifPresent(model -> {
-                observedGeneration = model.getMetadata().getGeneration();
+            var vmDef = vmStub.model().orElse(null);
+            if (vmDef == null) {
+                return;
+            }
+            observedGeneration = vmDef.getMetadata().getGeneration();
+            vmStub.updateStatus(from -> {
+                JsonObject status = from.statusJson();
+                status.remove("loggedInUser");
+                return status;
             });
         } catch (ApiException e) {
             logger.log(Level.SEVERE, e,
@@ -197,6 +204,7 @@ public class StatusUpdater extends VmDefUpdater {
             } else if (event.runState() == RunState.STOPPED) {
                 status.addProperty("ram", "0");
                 status.addProperty("cpus", 0);
+                status.remove("loggedInUser");
             }
 
             if (!running) {

From e822d472f9028a50134d55944db09acb4923bb44 Mon Sep 17 00:00:00 2001
From: "Michael N. Lipp" <mnl@mnl.de>
Date: Sat, 1 Mar 2025 17:44:52 +0100
Subject: [PATCH 143/274] Optimize status update.

---
 .../vmoperator/common/K8sGenericStub.java     | 65 +++++++++++++++----
 .../vmoperator/runner/qemu/StatusUpdater.java | 17 ++---
 2 files changed, 61 insertions(+), 21 deletions(-)

diff --git a/org.jdrupes.vmoperator.common/src/org/jdrupes/vmoperator/common/K8sGenericStub.java b/org.jdrupes.vmoperator.common/src/org/jdrupes/vmoperator/common/K8sGenericStub.java
index 2af4d1b..b8f1992 100644
--- a/org.jdrupes.vmoperator.common/src/org/jdrupes/vmoperator/common/K8sGenericStub.java
+++ b/org.jdrupes.vmoperator.common/src/org/jdrupes/vmoperator/common/K8sGenericStub.java
@@ -193,7 +193,7 @@ public class K8sGenericStub<O extends KubernetesObject,
     }
 
     /**
-     * Updates the object's status.
+     * Updates the object's status. Does not retry in case of conflict.
      *
      * @param object the current state of the object (passed to `status`)
      * @param updater function that returns the new status
@@ -206,6 +206,39 @@ public class K8sGenericStub<O extends KubernetesObject,
         return K8s.optional(api.updateStatus(object, updater));
     }
 
+    /**
+     * Updates the status of the given object. In case of conflict,
+     * get the current version of the object and tries again. Retries
+     * up to `retries` times.
+     *
+     * @param updater the function updating the status
+     * @param current the current state of the object, used for the first
+     * attempt to update
+     * @param retries the retries in case of conflict
+     * @return the updated model or empty if the object was not found
+     * @throws ApiException the api exception
+     */
+    @SuppressWarnings({ "PMD.AssignmentInOperand", "PMD.UnusedAssignment" })
+    public Optional<O> updateStatus(Function<O, Object> updater, O current,
+            int retries) throws ApiException {
+        while (true) {
+            try {
+                if (current == null) {
+                    current = api.get(namespace, name)
+                        .throwsApiException().getObject();
+                }
+                return updateStatus(current, updater);
+            } catch (ApiException e) {
+                if (HttpURLConnection.HTTP_CONFLICT != e.getCode()
+                    || retries-- <= 0) {
+                    throw e;
+                }
+                // Get current version for new attempt
+                current = null;
+            }
+        }
+    }
+
     /**
      * Gets the object and updates the status. In case of conflict, retries
      * up to `retries` times.
@@ -218,17 +251,23 @@ public class K8sGenericStub<O extends KubernetesObject,
     @SuppressWarnings({ "PMD.AssignmentInOperand", "PMD.UnusedAssignment" })
     public Optional<O> updateStatus(Function<O, Object> updater, int retries)
             throws ApiException {
-        while (true) {
-            try {
-                return updateStatus(api.get(namespace, name)
-                    .throwsApiException().getObject(), updater);
-            } catch (ApiException e) {
-                if (HttpURLConnection.HTTP_CONFLICT != e.getCode()
-                    || retries-- <= 0) {
-                    throw e;
-                }
-            }
-        }
+        return updateStatus(updater, null, retries);
+    }
+
+    /**
+     * Updates the status of the given object. In case of conflict,
+     * get the current version of the object and tries again. Retries
+     * up to `retries` times.
+     *
+     * @param updater the function updating the status
+     * @param current the current
+     * @return the kubernetes api response
+     * the updated model or empty if not successful
+     * @throws ApiException the api exception
+     */
+    public Optional<O> updateStatus(Function<O, Object> updater, O current)
+            throws ApiException {
+        return updateStatus(updater, current, 16);
     }
 
     /**
@@ -241,7 +280,7 @@ public class K8sGenericStub<O extends KubernetesObject,
      */
     public Optional<O> updateStatus(Function<O, Object> updater)
             throws ApiException {
-        return updateStatus(updater, 16);
+        return updateStatus(updater, null);
     }
 
     /**
diff --git a/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/StatusUpdater.java b/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/StatusUpdater.java
index 1bea80f..f2437d3 100644
--- a/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/StatusUpdater.java
+++ b/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/StatusUpdater.java
@@ -153,11 +153,13 @@ public class StatusUpdater extends VmDefUpdater {
         // by a new version of the CR. So we update only if we have
         // a new version of the CR. There's one exception: the display
         // password is configured by a file, not by the CR.
-        var vmDef = vmStub.model();
-        if (vmDef.isPresent()
-            && vmDef.get().metadata().getGeneration() == observedGeneration
+        var vmDef = vmStub.model().orElse(null);
+        if (vmDef == null) {
+            return;
+        }
+        if (vmDef.metadata().getGeneration() == observedGeneration
             && (event.configuration().hasDisplayPassword
-                || vmDef.get().statusJson().getAsJsonPrimitive(
+                || vmDef.statusJson().getAsJsonPrimitive(
                     "displayPasswordSerial").getAsInt() == -1)) {
             return;
         }
@@ -172,7 +174,7 @@ public class StatusUpdater extends VmDefUpdater {
                 .forEach(cond -> cond.addProperty("observedGeneration",
                     from.getMetadata().getGeneration()));
             return status;
-        });
+        }, vmDef);
     }
 
     /**
@@ -219,7 +221,7 @@ public class StatusUpdater extends VmDefUpdater {
                     "The VM is not running");
             }
             return status;
-        });
+        }, vmDef);
 
         // Maybe stop VM
         if (event.runState() == RunState.TERMINATING && !event.failed()
@@ -325,7 +327,6 @@ public class StatusUpdater extends VmDefUpdater {
         }
         var asGson = gson.toJsonTree(
             objectMapper.convertValue(event.osinfo(), Object.class));
-
         vmStub.updateStatus(from -> {
             JsonObject status = from.statusJson();
             status.add("osinfo", asGson);
@@ -349,7 +350,7 @@ public class StatusUpdater extends VmDefUpdater {
         vmStub.updateStatus(from -> {
             return updateCondition(vmDef, "VmopAgentConnected",
                 true, "VmopAgentStarted", "The VM operator agent is running");
-        });
+        }, vmDef);
     }
 
     /**

From 41ae658e0c1c400a16f44fed7a5970abd5961120 Mon Sep 17 00:00:00 2001
From: "Michael N. Lipp" <mnl@mnl.de>
Date: Sat, 1 Mar 2025 21:51:33 +0100
Subject: [PATCH 144/274] Reorganize imports.

---
 .../jdrupes/vmoperator/common/Constants.java  | 52 ++++++++++++++-----
 .../vmoperator/common/VmDefinition.java       |  3 +-
 .../vmoperator/manager/runnerConfig.ftl.yaml  |  2 +-
 .../manager/runnerLoadBalancer.ftl.yaml       |  2 +-
 .../vmoperator/manager/runnerPod.ftl.yaml     |  2 +-
 .../vmoperator/manager/Controller.java        |  7 ++-
 .../manager/DisplaySecretMonitor.java         |  4 +-
 .../manager/DisplaySecretReconciler.java      | 36 ++++++-------
 .../vmoperator/manager/PoolMonitor.java       |  8 ++-
 .../vmoperator/manager/Reconciler.java        | 39 ++++++++++----
 .../jdrupes/vmoperator/manager/VmMonitor.java |  5 +-
 .../vmoperator/manager/BasicTests.java        | 31 +++++------
 .../runner/qemu/ConsoleTracker.java           | 14 ++---
 .../runner/qemu/DisplayController.java        | 11 ++--
 .../vmoperator/runner/qemu/Runner.java        |  4 +-
 .../vmoperator/runner/qemu/StatusUpdater.java | 19 +++----
 16 files changed, 139 insertions(+), 100 deletions(-)

diff --git a/org.jdrupes.vmoperator.common/src/org/jdrupes/vmoperator/common/Constants.java b/org.jdrupes.vmoperator.common/src/org/jdrupes/vmoperator/common/Constants.java
index 7a1bd1a..60afd91 100644
--- a/org.jdrupes.vmoperator.common/src/org/jdrupes/vmoperator/common/Constants.java
+++ b/org.jdrupes.vmoperator.common/src/org/jdrupes/vmoperator/common/Constants.java
@@ -18,6 +18,7 @@
 
 package org.jdrupes.vmoperator.common;
 
+// TODO: Auto-generated Javadoc
 /**
  * Some constants.
  */
@@ -30,21 +31,48 @@ public class Constants {
     /** The Constant VM_OP_NAME. */
     public static final String VM_OP_NAME = "vm-operator";
 
-    /** The Constant VM_OP_GROUP. */
-    public static final String VM_OP_GROUP = "vmoperator.jdrupes.org";
+    /**
+     * Constants related to the CRD.
+     */
+    @SuppressWarnings("PMD.ShortClassName")
+    public static class Crd {
+        /** The Constant GROUP. */
+        public static final String GROUP = "vmoperator.jdrupes.org";
 
-    /** The Constant VM_OP_KIND_VM. */
-    public static final String VM_OP_KIND_VM = "VirtualMachine";
+        /** The Constant KIND_VM. */
+        public static final String KIND_VM = "VirtualMachine";
 
-    /** The Constant VM_OP_KIND_VM_POOL. */
-    public static final String VM_OP_KIND_VM_POOL = "VmPool";
+        /** The Constant KIND_VM_POOL. */
+        public static final String KIND_VM_POOL = "VmPool";
+    }
 
-    /** The Constant COMP_DISPLAY_SECRETS. */
-    public static final String COMP_DISPLAY_SECRET = "display-secret";
+    /**
+     * Status related constants.
+     */
+    public static class Status {
+        /** The Constant LOGGED_IN_USER. */
+        public static final String LOGGED_IN_USER = "loggedInUser";
 
-    /** The Constant DATA_DISPLAY_PASSWORD. */
-    public static final String DATA_DISPLAY_PASSWORD = "display-password";
+        /** The Constant CONSOLE_CLIENT. */
+        public static final String CONSOLE_CLIENT = "consoleClient";
 
-    /** The Constant DATA_PASSWORD_EXPIRY. */
-    public static final String DATA_PASSWORD_EXPIRY = "password-expiry";
+        /** The Constant CONSOLE_USER. */
+        public static final String CONSOLE_USER = "consoleUser";
+    }
+
+    /**
+     * DisplaySecret related constants.
+     */
+    public static class DisplaySecret {
+
+        /** The Constant NAME. */
+        public static final String NAME = "display-secret";
+
+        /** The Constant PASSWORD. */
+        public static final String PASSWORD = "display-password";
+
+        /** The Constant EXPIRY. */
+        public static final String EXPIRY = "password-expiry";
+
+    }
 }
diff --git a/org.jdrupes.vmoperator.common/src/org/jdrupes/vmoperator/common/VmDefinition.java b/org.jdrupes.vmoperator.common/src/org/jdrupes/vmoperator/common/VmDefinition.java
index ec79b80..0eb1428 100644
--- a/org.jdrupes.vmoperator.common/src/org/jdrupes/vmoperator/common/VmDefinition.java
+++ b/org.jdrupes.vmoperator.common/src/org/jdrupes/vmoperator/common/VmDefinition.java
@@ -38,6 +38,7 @@ import java.util.Set;
 import java.util.function.Function;
 import java.util.logging.Logger;
 import java.util.stream.Collectors;
+import org.jdrupes.vmoperator.common.Constants.Status;
 import org.jdrupes.vmoperator.util.DataPath;
 
 /**
@@ -286,7 +287,7 @@ public class VmDefinition extends K8sDynamicModel {
      * @return the optional
      */
     public Optional<String> consoleUser() {
-        return this.<String> fromStatus("consoleUser");
+        return this.<String> fromStatus(Status.CONSOLE_USER);
     }
 
     /**
diff --git a/org.jdrupes.vmoperator.manager/resources/org/jdrupes/vmoperator/manager/runnerConfig.ftl.yaml b/org.jdrupes.vmoperator.manager/resources/org/jdrupes/vmoperator/manager/runnerConfig.ftl.yaml
index 9c4b72a..2fbeb94 100644
--- a/org.jdrupes.vmoperator.manager/resources/org/jdrupes/vmoperator/manager/runnerConfig.ftl.yaml
+++ b/org.jdrupes.vmoperator.manager/resources/org/jdrupes/vmoperator/manager/runnerConfig.ftl.yaml
@@ -11,7 +11,7 @@ metadata:
     vmoperator.jdrupes.org/version: ${ managerVersion }
   ownerReferences:
   - apiVersion: ${ cr.apiVersion() }
-    kind: ${ constants.VM_OP_KIND_VM }
+    kind: ${ constants.Crd.KIND_VM }
     name: ${ cr.name() }
     uid: ${ cr.metadata().getUid() }
     controller: false
diff --git a/org.jdrupes.vmoperator.manager/resources/org/jdrupes/vmoperator/manager/runnerLoadBalancer.ftl.yaml b/org.jdrupes.vmoperator.manager/resources/org/jdrupes/vmoperator/manager/runnerLoadBalancer.ftl.yaml
index c25d7f4..b7215a5 100644
--- a/org.jdrupes.vmoperator.manager/resources/org/jdrupes/vmoperator/manager/runnerLoadBalancer.ftl.yaml
+++ b/org.jdrupes.vmoperator.manager/resources/org/jdrupes/vmoperator/manager/runnerLoadBalancer.ftl.yaml
@@ -11,7 +11,7 @@ metadata:
     vmoperator.jdrupes.org/version: ${ managerVersion }
   ownerReferences:
   - apiVersion: ${ cr.apiVersion() }
-    kind: ${ constants.VM_OP_KIND_VM }
+    kind: ${ constants.Crd.KIND_VM }
     name: ${ cr.name() }
     uid: ${ cr.metadata().getUid() }
     controller: false
diff --git a/org.jdrupes.vmoperator.manager/resources/org/jdrupes/vmoperator/manager/runnerPod.ftl.yaml b/org.jdrupes.vmoperator.manager/resources/org/jdrupes/vmoperator/manager/runnerPod.ftl.yaml
index 917d790..f000c70 100644
--- a/org.jdrupes.vmoperator.manager/resources/org/jdrupes/vmoperator/manager/runnerPod.ftl.yaml
+++ b/org.jdrupes.vmoperator.manager/resources/org/jdrupes/vmoperator/manager/runnerPod.ftl.yaml
@@ -15,7 +15,7 @@ metadata:
     vmoperator.jdrupes.org/version: ${ managerVersion }
   ownerReferences:
   - apiVersion: ${ cr.apiVersion() }
-    kind: ${ constants.VM_OP_KIND_VM }
+    kind: ${ constants.Crd.KIND_VM }
     name: ${ cr.name() }
     uid: ${ cr.metadata().getUid() }
     blockOwnerDeletion: true
diff --git a/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/Controller.java b/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/Controller.java
index 80ff0f7..f3deefa 100644
--- a/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/Controller.java
+++ b/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/Controller.java
@@ -29,8 +29,7 @@ import java.nio.file.Files;
 import java.nio.file.Path;
 import java.time.Instant;
 import java.util.logging.Level;
-import static org.jdrupes.vmoperator.common.Constants.VM_OP_GROUP;
-import static org.jdrupes.vmoperator.common.Constants.VM_OP_KIND_VM;
+import org.jdrupes.vmoperator.common.Constants.Crd;
 import org.jdrupes.vmoperator.common.K8sClient;
 import org.jdrupes.vmoperator.common.K8sDynamicStub;
 import org.jdrupes.vmoperator.common.VmDefinitionStub;
@@ -194,7 +193,7 @@ public class Controller extends Component {
     private void patchVmDef(K8sClient client, String name, String path,
             Object value) throws ApiException, IOException {
         var vmStub = K8sDynamicStub.get(client,
-            new GroupVersionKind(VM_OP_GROUP, "", VM_OP_KIND_VM), namespace,
+            new GroupVersionKind(Crd.GROUP, "", Crd.KIND_VM), namespace,
             name);
 
         // Patch running
@@ -227,7 +226,7 @@ public class Controller extends Component {
         try {
             var vmDef = channel.vmDefinition();
             var vmStub = VmDefinitionStub.get(channel.client(),
-                new GroupVersionKind(VM_OP_GROUP, "", VM_OP_KIND_VM),
+                new GroupVersionKind(Crd.GROUP, "", Crd.KIND_VM),
                 vmDef.namespace(), vmDef.name());
             if (vmStub.updateStatus(vmDef, from -> {
                 JsonObject status = from.statusJson();
diff --git a/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/DisplaySecretMonitor.java b/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/DisplaySecretMonitor.java
index 99c8a11..a254c0e 100644
--- a/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/DisplaySecretMonitor.java
+++ b/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/DisplaySecretMonitor.java
@@ -28,11 +28,11 @@ import io.kubernetes.client.util.generic.options.PatchOptions;
 import java.io.IOException;
 import java.util.logging.Level;
 import static org.jdrupes.vmoperator.common.Constants.APP_NAME;
+import org.jdrupes.vmoperator.common.Constants.DisplaySecret;
 import static org.jdrupes.vmoperator.common.Constants.VM_OP_NAME;
 import org.jdrupes.vmoperator.common.K8sClient;
 import org.jdrupes.vmoperator.common.K8sV1PodStub;
 import org.jdrupes.vmoperator.common.K8sV1SecretStub;
-import static org.jdrupes.vmoperator.manager.Constants.COMP_DISPLAY_SECRET;
 import org.jdrupes.vmoperator.manager.events.ChannelDictionary;
 import org.jdrupes.vmoperator.manager.events.VmChannel;
 import org.jgrapes.core.Channel;
@@ -61,7 +61,7 @@ public class DisplaySecretMonitor
         context(K8sV1SecretStub.CONTEXT);
         ListOptions options = new ListOptions();
         options.setLabelSelector("app.kubernetes.io/name=" + APP_NAME + ","
-            + "app.kubernetes.io/component=" + COMP_DISPLAY_SECRET);
+            + "app.kubernetes.io/component=" + DisplaySecret.NAME);
         options(options);
     }
 
diff --git a/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/DisplaySecretReconciler.java b/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/DisplaySecretReconciler.java
index bf8042a..7c5c3ad 100644
--- a/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/DisplaySecretReconciler.java
+++ b/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/DisplaySecretReconciler.java
@@ -37,14 +37,12 @@ import java.util.Optional;
 import java.util.Scanner;
 import java.util.logging.Logger;
 import static org.jdrupes.vmoperator.common.Constants.APP_NAME;
-import static org.jdrupes.vmoperator.common.Constants.COMP_DISPLAY_SECRET;
-import static org.jdrupes.vmoperator.common.Constants.VM_OP_GROUP;
-import static org.jdrupes.vmoperator.common.Constants.VM_OP_KIND_VM;
+import org.jdrupes.vmoperator.common.Constants.Crd;
+import org.jdrupes.vmoperator.common.Constants.DisplaySecret;
+import org.jdrupes.vmoperator.common.Constants.Status;
 import org.jdrupes.vmoperator.common.K8sV1SecretStub;
 import org.jdrupes.vmoperator.common.VmDefinition;
 import org.jdrupes.vmoperator.common.VmDefinitionStub;
-import static org.jdrupes.vmoperator.manager.Constants.DATA_DISPLAY_PASSWORD;
-import static org.jdrupes.vmoperator.manager.Constants.DATA_PASSWORD_EXPIRY;
 import org.jdrupes.vmoperator.manager.events.PrepareConsole;
 import org.jdrupes.vmoperator.manager.events.VmChannel;
 import org.jdrupes.vmoperator.manager.events.VmDefChanged;
@@ -143,7 +141,7 @@ public class DisplaySecretReconciler extends Component {
         var vmDef = event.vmDefinition();
         ListOptions options = new ListOptions();
         options.setLabelSelector("app.kubernetes.io/name=" + APP_NAME + ","
-            + "app.kubernetes.io/component=" + COMP_DISPLAY_SECRET + ","
+            + "app.kubernetes.io/component=" + DisplaySecret.NAME + ","
             + "app.kubernetes.io/instance=" + vmDef.name());
         var stubs = K8sV1SecretStub.list(channel.client(), vmDef.namespace(),
             options);
@@ -154,9 +152,9 @@ public class DisplaySecretReconciler extends Component {
         // Create secret
         var secret = new V1Secret();
         secret.setMetadata(new V1ObjectMeta().namespace(vmDef.namespace())
-            .name(vmDef.name() + "-" + COMP_DISPLAY_SECRET)
+            .name(vmDef.name() + "-" + DisplaySecret.NAME)
             .putLabelsItem("app.kubernetes.io/name", APP_NAME)
-            .putLabelsItem("app.kubernetes.io/component", COMP_DISPLAY_SECRET)
+            .putLabelsItem("app.kubernetes.io/component", DisplaySecret.NAME)
             .putLabelsItem("app.kubernetes.io/instance", vmDef.name()));
         secret.setType("Opaque");
         SecureRandom random = null;
@@ -169,8 +167,8 @@ public class DisplaySecretReconciler extends Component {
         byte[] bytes = new byte[16];
         random.nextBytes(bytes);
         var password = Base64.encode(bytes);
-        secret.setStringData(Map.of(DATA_DISPLAY_PASSWORD, password,
-            DATA_PASSWORD_EXPIRY, "now"));
+        secret.setStringData(Map.of(DisplaySecret.PASSWORD, password,
+            DisplaySecret.EXPIRY, "now"));
         K8sV1SecretStub.create(channel.client(), secret);
     }
 
@@ -196,7 +194,7 @@ public class DisplaySecretReconciler extends Component {
 
         // Check if access is possible
         if (event.loginUser()
-            ? !vmDef.<String> fromStatus("loggedInUser")
+            ? !vmDef.<String> fromStatus(Status.LOGGED_IN_USER)
                 .map(u -> u.equals(event.user())).orElse(false)
             : !vmDef.conditionStatus("Running").orElse(false)) {
             return;
@@ -229,11 +227,11 @@ public class DisplaySecretReconciler extends Component {
     private VmDefinition updateConsoleUser(PrepareConsole event,
             VmChannel channel) throws ApiException {
         var vmStub = VmDefinitionStub.get(channel.client(),
-            new GroupVersionKind(VM_OP_GROUP, "", VM_OP_KIND_VM),
+            new GroupVersionKind(Crd.GROUP, "", Crd.KIND_VM),
             event.vmDefinition().namespace(), event.vmDefinition().name());
         return vmStub.updateStatus(from -> {
             JsonObject status = from.statusJson();
-            status.addProperty("consoleUser", event.user());
+            status.addProperty(Status.CONSOLE_USER, event.user());
             return status;
         }).orElse(null);
     }
@@ -243,7 +241,7 @@ public class DisplaySecretReconciler extends Component {
         // Look for secret
         ListOptions options = new ListOptions();
         options.setLabelSelector("app.kubernetes.io/name=" + APP_NAME + ","
-            + "app.kubernetes.io/component=" + COMP_DISPLAY_SECRET + ","
+            + "app.kubernetes.io/component=" + DisplaySecret.NAME + ","
             + "app.kubernetes.io/instance=" + vmDef.name());
         var stubs = K8sV1SecretStub.list(channel.client(), vmDef.namespace(),
             options);
@@ -257,12 +255,12 @@ public class DisplaySecretReconciler extends Component {
 
     private boolean updatePassword(V1Secret secret, PrepareConsole event) {
         var expiry = Optional.ofNullable(secret.getData()
-            .get(DATA_PASSWORD_EXPIRY)).map(b -> new String(b)).orElse(null);
-        if (secret.getData().get(DATA_DISPLAY_PASSWORD) != null
+            .get(DisplaySecret.EXPIRY)).map(b -> new String(b)).orElse(null);
+        if (secret.getData().get(DisplaySecret.PASSWORD) != null
             && stillValid(expiry)) {
             // Fixed secret, don't touch
             event.setResult(
-                new String(secret.getData().get(DATA_DISPLAY_PASSWORD)));
+                new String(secret.getData().get(DisplaySecret.PASSWORD)));
             return false;
         }
 
@@ -277,8 +275,8 @@ public class DisplaySecretReconciler extends Component {
         byte[] bytes = new byte[16];
         random.nextBytes(bytes);
         var password = Base64.encode(bytes);
-        secret.setStringData(Map.of(DATA_DISPLAY_PASSWORD, password,
-            DATA_PASSWORD_EXPIRY,
+        secret.setStringData(Map.of(DisplaySecret.PASSWORD, password,
+            DisplaySecret.EXPIRY,
             Long.toString(Instant.now().getEpochSecond() + passwordValidity)));
         event.setResult(password);
         return true;
diff --git a/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/PoolMonitor.java b/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/PoolMonitor.java
index 25fb10b..465a9ed 100644
--- a/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/PoolMonitor.java
+++ b/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/PoolMonitor.java
@@ -28,8 +28,7 @@ import java.util.List;
 import java.util.Map;
 import java.util.Optional;
 import java.util.concurrent.ConcurrentHashMap;
-import static org.jdrupes.vmoperator.common.Constants.VM_OP_GROUP;
-import static org.jdrupes.vmoperator.common.Constants.VM_OP_KIND_VM;
+import org.jdrupes.vmoperator.common.Constants.Crd;
 import org.jdrupes.vmoperator.common.K8s;
 import org.jdrupes.vmoperator.common.K8sClient;
 import org.jdrupes.vmoperator.common.K8sDynamicModel;
@@ -38,7 +37,6 @@ import org.jdrupes.vmoperator.common.K8sDynamicStub;
 import org.jdrupes.vmoperator.common.K8sObserver.ResponseType;
 import org.jdrupes.vmoperator.common.VmDefinitionStub;
 import org.jdrupes.vmoperator.common.VmPool;
-import static org.jdrupes.vmoperator.manager.Constants.VM_OP_KIND_VM_POOL;
 import org.jdrupes.vmoperator.manager.events.GetPools;
 import org.jdrupes.vmoperator.manager.events.VmDefChanged;
 import org.jdrupes.vmoperator.manager.events.VmPoolChanged;
@@ -88,7 +86,7 @@ public class PoolMonitor extends
         client(new K8sClient());
 
         // Get all our API versions
-        var ctx = K8s.context(client(), VM_OP_GROUP, "", VM_OP_KIND_VM_POOL);
+        var ctx = K8s.context(client(), Crd.GROUP, "", Crd.KIND_VM_POOL);
         if (ctx.isEmpty()) {
             logger.severe(() -> "Cannot get CRD context.");
             return;
@@ -184,7 +182,7 @@ public class PoolMonitor extends
             return;
         }
         var vmStub = VmDefinitionStub.get(client(),
-            new GroupVersionKind(VM_OP_GROUP, "", VM_OP_KIND_VM),
+            new GroupVersionKind(Crd.GROUP, "", Crd.KIND_VM),
             vmDef.namespace(), vmDef.name());
         vmStub.updateStatus(from -> {
             // TODO
diff --git a/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/Reconciler.java b/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/Reconciler.java
index 8011e2c..e5bfaec 100644
--- a/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/Reconciler.java
+++ b/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/Reconciler.java
@@ -22,12 +22,10 @@ import com.fasterxml.jackson.core.JsonProcessingException;
 import com.fasterxml.jackson.databind.ObjectMapper;
 import freemarker.template.AdapterTemplateModel;
 import freemarker.template.Configuration;
-import freemarker.template.DefaultObjectWrapperBuilder;
 import freemarker.template.SimpleNumber;
 import freemarker.template.SimpleScalar;
 import freemarker.template.TemplateException;
 import freemarker.template.TemplateExceptionHandler;
-import freemarker.template.TemplateHashModel;
 import freemarker.template.TemplateMethodModelEx;
 import freemarker.template.TemplateModel;
 import freemarker.template.TemplateModelException;
@@ -37,21 +35,23 @@ import io.kubernetes.client.openapi.ApiException;
 import io.kubernetes.client.openapi.models.V1ObjectMeta;
 import io.kubernetes.client.util.generic.options.ListOptions;
 import java.io.IOException;
+import java.lang.reflect.Modifier;
 import java.math.BigDecimal;
 import java.math.BigInteger;
 import java.net.URI;
 import java.net.URISyntaxException;
+import java.util.Arrays;
 import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
 import java.util.Optional;
 import static org.jdrupes.vmoperator.common.Constants.APP_NAME;
+import org.jdrupes.vmoperator.common.Constants.DisplaySecret;
 import org.jdrupes.vmoperator.common.Convertions;
 import org.jdrupes.vmoperator.common.K8sClient;
 import org.jdrupes.vmoperator.common.K8sObserver;
 import org.jdrupes.vmoperator.common.K8sV1SecretStub;
 import org.jdrupes.vmoperator.common.VmDefinition;
-import static org.jdrupes.vmoperator.manager.Constants.COMP_DISPLAY_SECRET;
 import org.jdrupes.vmoperator.manager.events.ResetVm;
 import org.jdrupes.vmoperator.manager.events.VmChannel;
 import org.jdrupes.vmoperator.manager.events.VmDefChanged;
@@ -266,17 +266,14 @@ public class Reconciler extends Component {
             Optional.ofNullable(Reconciler.class.getPackage()
                 .getImplementationVersion()).orElse("(Unknown)"));
         model.put("cr", vmDef);
-        model.put("constants",
-            (TemplateHashModel) new DefaultObjectWrapperBuilder(
-                Configuration.VERSION_2_3_32)
-                    .build().getStaticModels()
-                    .get(Constants.class.getName()));
+        // Freemarker's static models don't handle nested classes.
+        model.put("constants", constantsMap(Constants.class));
         model.put("reconciler", config);
 
         // Check if we have a display secret
         ListOptions options = new ListOptions();
         options.setLabelSelector("app.kubernetes.io/name=" + APP_NAME + ","
-            + "app.kubernetes.io/component=" + COMP_DISPLAY_SECRET + ","
+            + "app.kubernetes.io/component=" + DisplaySecret.NAME + ","
             + "app.kubernetes.io/instance=" + vmDef.name());
         var dsStub = K8sV1SecretStub
             .list(client, vmDef.namespace(), options)
@@ -297,6 +294,30 @@ public class Reconciler extends Component {
         return model;
     }
 
+    @SuppressWarnings("PMD.EmptyCatchBlock")
+    private Map<String, Object> constantsMap(Class<?> clazz) {
+        @SuppressWarnings("PMD.UseConcurrentHashMap")
+        Map<String, Object> result = new HashMap<>();
+        Arrays.stream(clazz.getFields()).filter(f -> {
+            var modifiers = f.getModifiers();
+            return Modifier.isStatic(modifiers) && Modifier.isPublic(modifiers)
+                && f.getType() == String.class;
+        }).forEach(f -> {
+            try {
+                result.put(f.getName(), f.get(null));
+            } catch (IllegalArgumentException | IllegalAccessException e) {
+                // Should not happen, ignore
+            }
+        });
+        Arrays.stream(clazz.getClasses()).filter(c -> {
+            var modifiers = c.getModifiers();
+            return Modifier.isStatic(modifiers) && Modifier.isPublic(modifiers);
+        }).forEach(c -> {
+            result.put(c.getSimpleName(), constantsMap(c));
+        });
+        return result;
+    }
+
     private final TemplateMethodModelEx parseQuantityModel
         = new TemplateMethodModelEx() {
             @Override
diff --git a/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/VmMonitor.java b/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/VmMonitor.java
index 5c1ae77..4f8ac77 100644
--- a/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/VmMonitor.java
+++ b/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/VmMonitor.java
@@ -31,8 +31,7 @@ import java.util.Set;
 import java.util.concurrent.atomic.AtomicBoolean;
 import java.util.logging.Level;
 import java.util.stream.Collectors;
-import static org.jdrupes.vmoperator.common.Constants.VM_OP_GROUP;
-import static org.jdrupes.vmoperator.common.Constants.VM_OP_KIND_VM;
+import org.jdrupes.vmoperator.common.Constants.Crd;
 import org.jdrupes.vmoperator.common.K8s;
 import org.jdrupes.vmoperator.common.K8sClient;
 import org.jdrupes.vmoperator.common.K8sDynamicStub;
@@ -87,7 +86,7 @@ public class VmMonitor extends
         client(new K8sClient());
 
         // Get all our API versions
-        var ctx = K8s.context(client(), VM_OP_GROUP, "", VM_OP_KIND_VM);
+        var ctx = K8s.context(client(), Crd.GROUP, "", Crd.KIND_VM);
         if (ctx.isEmpty()) {
             logger.severe(() -> "Cannot get CRD context.");
             return;
diff --git a/org.jdrupes.vmoperator.manager/test/org/jdrupes/vmoperator/manager/BasicTests.java b/org.jdrupes.vmoperator.manager/test/org/jdrupes/vmoperator/manager/BasicTests.java
index 4f5d7a3..03db0d2 100644
--- a/org.jdrupes.vmoperator.manager/test/org/jdrupes/vmoperator/manager/BasicTests.java
+++ b/org.jdrupes.vmoperator.manager/test/org/jdrupes/vmoperator/manager/BasicTests.java
@@ -12,10 +12,10 @@ import java.util.Collection;
 import java.util.LinkedHashMap;
 import java.util.List;
 import java.util.Map;
+import org.jdrupes.vmoperator.common.Constants;
 import static org.jdrupes.vmoperator.common.Constants.APP_NAME;
-import static org.jdrupes.vmoperator.common.Constants.COMP_DISPLAY_SECRET;
-import static org.jdrupes.vmoperator.common.Constants.VM_OP_GROUP;
-import static org.jdrupes.vmoperator.common.Constants.VM_OP_KIND_VM;
+import org.jdrupes.vmoperator.common.Constants.Crd;
+import org.jdrupes.vmoperator.common.Constants.DisplaySecret;
 import static org.jdrupes.vmoperator.common.Constants.VM_OP_NAME;
 import org.jdrupes.vmoperator.common.K8s;
 import org.jdrupes.vmoperator.common.K8sClient;
@@ -60,7 +60,7 @@ class BasicTests {
         waitForManager();
 
         // Context for working with our CR
-        var apiRes = K8s.context(client, VM_OP_GROUP, null, VM_OP_KIND_VM);
+        var apiRes = K8s.context(client, Crd.GROUP, null, Crd.KIND_VM);
         assertTrue(apiRes.isPresent());
         vmsContext = apiRes.get();
 
@@ -70,7 +70,7 @@ class BasicTests {
         ListOptions listOpts = new ListOptions();
         listOpts.setLabelSelector("app.kubernetes.io/name=" + APP_NAME + ","
             + "app.kubernetes.io/instance=" + VM_NAME + ","
-            + "app.kubernetes.io/component=" + COMP_DISPLAY_SECRET);
+            + "app.kubernetes.io/component=" + DisplaySecret.NAME);
         var secrets = K8sV1SecretStub.list(client, "vmop-dev", listOpts);
         for (var secret : secrets) {
             secret.delete();
@@ -138,12 +138,11 @@ class BasicTests {
             List.of("name"), VM_NAME,
             List.of("labels", "app.kubernetes.io/name"), Constants.APP_NAME,
             List.of("labels", "app.kubernetes.io/instance"), VM_NAME,
-            List.of("labels", "app.kubernetes.io/managed-by"),
-            Constants.VM_OP_NAME,
+            List.of("labels", "app.kubernetes.io/managed-by"), VM_OP_NAME,
             List.of("annotations", "vmoperator.jdrupes.org/version"), EXISTS,
             List.of("ownerReferences", 0, "apiVersion"),
             vmsContext.getGroup() + "/" + vmsContext.getVersions().get(0),
-            List.of("ownerReferences", 0, "kind"), Constants.VM_OP_KIND_VM,
+            List.of("ownerReferences", 0, "kind"), Crd.KIND_VM,
             List.of("ownerReferences", 0, "name"), VM_NAME,
             List.of("ownerReferences", 0, "uid"), EXISTS);
         checkProps(config.getMetadata(), toCheck);
@@ -189,7 +188,7 @@ class BasicTests {
         ListOptions listOpts = new ListOptions();
         listOpts.setLabelSelector("app.kubernetes.io/name=" + APP_NAME + ","
             + "app.kubernetes.io/instance=" + VM_NAME + ","
-            + "app.kubernetes.io/component=" + COMP_DISPLAY_SECRET);
+            + "app.kubernetes.io/component=" + DisplaySecret.NAME);
         Collection<K8sV1SecretStub> secrets = null;
         for (int i = 0; i < 10; i++) {
             secrets = K8sV1SecretStub.list(client, "vmop-dev", listOpts);
@@ -219,8 +218,7 @@ class BasicTests {
         checkProps(pvc.getMetadata(), Map.of(
             List.of("labels", "app.kubernetes.io/name"), Constants.APP_NAME,
             List.of("labels", "app.kubernetes.io/instance"), VM_NAME,
-            List.of("labels", "app.kubernetes.io/managed-by"),
-            Constants.VM_OP_NAME));
+            List.of("labels", "app.kubernetes.io/managed-by"), VM_OP_NAME));
         checkProps(pvc.getSpec(), Map.of(
             List.of("resources", "requests", "storage"),
             Quantity.fromString("1Mi")));
@@ -240,8 +238,7 @@ class BasicTests {
         checkProps(pvc.getMetadata(), Map.of(
             List.of("labels", "app.kubernetes.io/name"), Constants.APP_NAME,
             List.of("labels", "app.kubernetes.io/instance"), VM_NAME,
-            List.of("labels", "app.kubernetes.io/managed-by"),
-            Constants.VM_OP_NAME,
+            List.of("labels", "app.kubernetes.io/managed-by"), VM_OP_NAME,
             List.of("annotations", "use_as"), "system-disk"));
         checkProps(pvc.getSpec(), Map.of(
             List.of("resources", "requests", "storage"),
@@ -262,8 +259,7 @@ class BasicTests {
         checkProps(pvc.getMetadata(), Map.of(
             List.of("labels", "app.kubernetes.io/name"), Constants.APP_NAME,
             List.of("labels", "app.kubernetes.io/instance"), VM_NAME,
-            List.of("labels", "app.kubernetes.io/managed-by"),
-            Constants.VM_OP_NAME));
+            List.of("labels", "app.kubernetes.io/managed-by"), VM_OP_NAME));
         checkProps(pvc.getSpec(), Map.of(
             List.of("resources", "requests", "storage"),
             Quantity.fromString("1Gi")));
@@ -290,13 +286,12 @@ class BasicTests {
             List.of("labels", "app.kubernetes.io/name"), APP_NAME,
             List.of("labels", "app.kubernetes.io/instance"), VM_NAME,
             List.of("labels", "app.kubernetes.io/component"), APP_NAME,
-            List.of("labels", "app.kubernetes.io/managed-by"),
-            Constants.VM_OP_NAME,
+            List.of("labels", "app.kubernetes.io/managed-by"), VM_OP_NAME,
             List.of("annotations", "vmrunner.jdrupes.org/cmVersion"), EXISTS,
             List.of("annotations", "vmoperator.jdrupes.org/version"), EXISTS,
             List.of("ownerReferences", 0, "apiVersion"),
             vmsContext.getGroup() + "/" + vmsContext.getVersions().get(0),
-            List.of("ownerReferences", 0, "kind"), Constants.VM_OP_KIND_VM,
+            List.of("ownerReferences", 0, "kind"), Crd.KIND_VM,
             List.of("ownerReferences", 0, "name"), VM_NAME,
             List.of("ownerReferences", 0, "uid"), EXISTS));
         checkProps(pod.getSpec(), Map.of(
diff --git a/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/ConsoleTracker.java b/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/ConsoleTracker.java
index 7956fa1..ddfc702 100644
--- a/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/ConsoleTracker.java
+++ b/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/ConsoleTracker.java
@@ -25,8 +25,8 @@ import io.kubernetes.client.openapi.models.EventsV1Event;
 import java.io.IOException;
 import java.util.logging.Level;
 import static org.jdrupes.vmoperator.common.Constants.APP_NAME;
-import static org.jdrupes.vmoperator.common.Constants.VM_OP_GROUP;
-import static org.jdrupes.vmoperator.common.Constants.VM_OP_KIND_VM;
+import org.jdrupes.vmoperator.common.Constants.Crd;
+import org.jdrupes.vmoperator.common.Constants.Status;
 import org.jdrupes.vmoperator.common.K8s;
 import org.jdrupes.vmoperator.common.K8sClient;
 import org.jdrupes.vmoperator.common.VmDefinitionStub;
@@ -74,7 +74,7 @@ public class ConsoleTracker extends VmDefUpdater {
         }
         try {
             vmStub = VmDefinitionStub.get(apiClient,
-                new GroupVersionKind(VM_OP_GROUP, "", VM_OP_KIND_VM),
+                new GroupVersionKind(Crd.GROUP, "", Crd.KIND_VM),
                 namespace, vmName);
         } catch (ApiException e) {
             logger.log(Level.SEVERE, e,
@@ -108,13 +108,13 @@ public class ConsoleTracker extends VmDefUpdater {
         vmStub.updateStatus(from -> {
             JsonObject status = updateCondition(from, "ConsoleConnected", true,
                 "Connected", "Connection from " + event.clientHost());
-            status.addProperty("consoleClient", event.clientHost());
+            status.addProperty(Status.CONSOLE_CLIENT, event.clientHost());
             return status;
         });
 
         // Log event
         var evt = new EventsV1Event()
-            .reportingController(VM_OP_GROUP + "/" + APP_NAME)
+            .reportingController(Crd.GROUP + "/" + APP_NAME)
             .action("ConsoleConnectionUpdate")
             .reason("Connection from " + event.clientHost());
         K8s.createEvent(apiClient, vmStub.model().get(), evt);
@@ -142,13 +142,13 @@ public class ConsoleTracker extends VmDefUpdater {
         vmStub.updateStatus(from -> {
             JsonObject status = updateCondition(from, "ConsoleConnected", false,
                 "Disconnected", event.clientHost() + " has disconnected");
-            status.addProperty("consoleClient", "");
+            status.addProperty(Status.CONSOLE_CLIENT, "");
             return status;
         });
 
         // Log event
         var evt = new EventsV1Event()
-            .reportingController(VM_OP_GROUP + "/" + APP_NAME)
+            .reportingController(Crd.GROUP + "/" + APP_NAME)
             .action("ConsoleConnectionUpdate")
             .reason("Disconnected from " + event.clientHost());
         K8s.createEvent(apiClient, vmStub.model().get(), evt);
diff --git a/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/DisplayController.java b/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/DisplayController.java
index 39f71d5..d301aac 100644
--- a/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/DisplayController.java
+++ b/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/DisplayController.java
@@ -24,8 +24,7 @@ import java.nio.file.Path;
 import java.util.Objects;
 import java.util.Optional;
 import java.util.logging.Level;
-import static org.jdrupes.vmoperator.common.Constants.DATA_DISPLAY_PASSWORD;
-import static org.jdrupes.vmoperator.common.Constants.DATA_PASSWORD_EXPIRY;
+import org.jdrupes.vmoperator.common.Constants.DisplaySecret;
 import org.jdrupes.vmoperator.runner.qemu.commands.QmpSetDisplayPassword;
 import org.jdrupes.vmoperator.runner.qemu.commands.QmpSetPasswordExpiry;
 import org.jdrupes.vmoperator.runner.qemu.events.ConfigureQemu;
@@ -64,7 +63,7 @@ public class DisplayController extends Component {
     public DisplayController(Channel componentChannel, Path configDir) {
         super(componentChannel);
         this.configDir = configDir;
-        fire(new WatchFile(configDir.resolve(DATA_DISPLAY_PASSWORD)));
+        fire(new WatchFile(configDir.resolve(DisplaySecret.PASSWORD)));
     }
 
     /**
@@ -115,7 +114,7 @@ public class DisplayController extends Component {
     @Handler
     @SuppressWarnings("PMD.EmptyCatchBlock")
     public void onFileChanged(FileChanged event) {
-        if (event.path().equals(configDir.resolve(DATA_DISPLAY_PASSWORD))) {
+        if (event.path().equals(configDir.resolve(DisplaySecret.PASSWORD))) {
             configurePassword();
         }
     }
@@ -130,7 +129,7 @@ public class DisplayController extends Component {
     }
 
     private boolean setDisplayPassword() {
-        return readFromFile(DATA_DISPLAY_PASSWORD).map(password -> {
+        return readFromFile(DisplaySecret.PASSWORD).map(password -> {
             if (Objects.equals(this.currentPassword, password)) {
                 return true;
             }
@@ -143,7 +142,7 @@ public class DisplayController extends Component {
     }
 
     private void setPasswordExpiry() {
-        readFromFile(DATA_PASSWORD_EXPIRY).ifPresent(expiry -> {
+        readFromFile(DisplaySecret.EXPIRY).ifPresent(expiry -> {
             logger.fine(() -> "Updating expiry time to " + expiry);
             fire(
                 new MonitorCommand(new QmpSetPasswordExpiry(protocol, expiry)));
diff --git a/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/Runner.java b/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/Runner.java
index f64af2d..a01618d 100644
--- a/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/Runner.java
+++ b/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/Runner.java
@@ -56,7 +56,7 @@ import org.apache.commons.cli.DefaultParser;
 import org.apache.commons.cli.Option;
 import org.apache.commons.cli.Options;
 import static org.jdrupes.vmoperator.common.Constants.APP_NAME;
-import static org.jdrupes.vmoperator.common.Constants.DATA_DISPLAY_PASSWORD;
+import org.jdrupes.vmoperator.common.Constants.DisplaySecret;
 import org.jdrupes.vmoperator.runner.qemu.commands.QmpCont;
 import org.jdrupes.vmoperator.runner.qemu.commands.QmpReset;
 import org.jdrupes.vmoperator.runner.qemu.events.ConfigureQemu;
@@ -312,7 +312,7 @@ public class Runner extends Component {
 
             // Add some values from other sources to configuration
             newConf.asOf = Instant.ofEpochSecond(configFile.lastModified());
-            Path dsPath = configDir.resolve(DATA_DISPLAY_PASSWORD);
+            Path dsPath = configDir.resolve(DisplaySecret.PASSWORD);
             newConf.hasDisplayPassword = dsPath.toFile().canRead();
 
             // Special actions for initial configuration (startup)
diff --git a/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/StatusUpdater.java b/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/StatusUpdater.java
index f2437d3..3323a7e 100644
--- a/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/StatusUpdater.java
+++ b/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/StatusUpdater.java
@@ -33,8 +33,8 @@ import java.io.IOException;
 import java.math.BigDecimal;
 import java.util.logging.Level;
 import static org.jdrupes.vmoperator.common.Constants.APP_NAME;
-import static org.jdrupes.vmoperator.common.Constants.VM_OP_GROUP;
-import static org.jdrupes.vmoperator.common.Constants.VM_OP_KIND_VM;
+import org.jdrupes.vmoperator.common.Constants.Crd;
+import org.jdrupes.vmoperator.common.Constants.Status;
 import org.jdrupes.vmoperator.common.K8s;
 import org.jdrupes.vmoperator.common.VmDefinition;
 import org.jdrupes.vmoperator.common.VmDefinitionStub;
@@ -112,7 +112,7 @@ public class StatusUpdater extends VmDefUpdater {
         }
         try {
             vmStub = VmDefinitionStub.get(apiClient,
-                new GroupVersionKind(VM_OP_GROUP, "", VM_OP_KIND_VM),
+                new GroupVersionKind(Crd.GROUP, "", Crd.KIND_VM),
                 namespace, vmName);
             var vmDef = vmStub.model().orElse(null);
             if (vmDef == null) {
@@ -121,7 +121,7 @@ public class StatusUpdater extends VmDefUpdater {
             observedGeneration = vmDef.getMetadata().getGeneration();
             vmStub.updateStatus(from -> {
                 JsonObject status = from.statusJson();
-                status.remove("loggedInUser");
+                status.remove(Status.LOGGED_IN_USER);
                 return status;
             });
         } catch (ApiException e) {
@@ -206,12 +206,12 @@ public class StatusUpdater extends VmDefUpdater {
             } else if (event.runState() == RunState.STOPPED) {
                 status.addProperty("ram", "0");
                 status.addProperty("cpus", 0);
-                status.remove("loggedInUser");
+                status.remove(Status.LOGGED_IN_USER);
             }
 
             if (!running) {
                 // In case console connection was still present
-                status.addProperty("consoleClient", "");
+                status.addProperty(Status.CONSOLE_CLIENT, "");
                 updateCondition(from, "ConsoleConnected", false, "VmStopped",
                     "The VM is not running");
 
@@ -239,7 +239,7 @@ public class StatusUpdater extends VmDefUpdater {
 
         // Log event
         var evt = new EventsV1Event()
-            .reportingController(VM_OP_GROUP + "/" + APP_NAME)
+            .reportingController(Crd.GROUP + "/" + APP_NAME)
             .action("StatusUpdate").reason(event.reason())
             .note(event.message());
         K8s.createEvent(apiClient, vmDef, evt);
@@ -363,7 +363,8 @@ public class StatusUpdater extends VmDefUpdater {
             throws ApiException {
         vmStub.updateStatus(from -> {
             JsonObject status = from.statusJson();
-            status.addProperty("loggedInUser", event.triggering().user());
+            status.addProperty(Status.LOGGED_IN_USER,
+                event.triggering().user());
             return status;
         });
     }
@@ -378,7 +379,7 @@ public class StatusUpdater extends VmDefUpdater {
             throws ApiException {
         vmStub.updateStatus(from -> {
             JsonObject status = from.statusJson();
-            status.remove("loggedInUser");
+            status.remove(Status.LOGGED_IN_USER);
             return status;
         });
     }

From f8cc26e6576d919e7dd1768e761e6556b1e819f1 Mon Sep 17 00:00:00 2001
From: "Michael N. Lipp" <mnl@mnl.de>
Date: Sat, 1 Mar 2025 22:51:51 +0100
Subject: [PATCH 145/274] Define some more constants.

---
 .../jdrupes/vmoperator/common/Constants.java  | 16 +++++++++++++
 .../vmoperator/common/VmDefinition.java       |  8 +++----
 .../vmoperator/manager/Controller.java        |  3 ++-
 .../vmoperator/manager/PoolMonitor.java       |  3 ++-
 .../vmoperator/runner/qemu/StatusUpdater.java | 24 +++++++++----------
 .../org/jdrupes/vmoperator/vmmgmt/VmMgmt.java |  9 +++----
 6 files changed, 41 insertions(+), 22 deletions(-)

diff --git a/org.jdrupes.vmoperator.common/src/org/jdrupes/vmoperator/common/Constants.java b/org.jdrupes.vmoperator.common/src/org/jdrupes/vmoperator/common/Constants.java
index 60afd91..71c8cf3 100644
--- a/org.jdrupes.vmoperator.common/src/org/jdrupes/vmoperator/common/Constants.java
+++ b/org.jdrupes.vmoperator.common/src/org/jdrupes/vmoperator/common/Constants.java
@@ -50,6 +50,19 @@ public class Constants {
      * Status related constants.
      */
     public static class Status {
+        /** The Constant CPUS. */
+        public static final String CPUS = "cpus";
+
+        /** The Constant RAM. */
+        public static final String RAM = "ram";
+
+        /** The Constant OSINFO. */
+        public static final String OSINFO = "osinfo";
+
+        /** The Constant DISPLAY_PASSWORD_SERIAL. */
+        public static final String DISPLAY_PASSWORD_SERIAL
+            = "displayPasswordSerial";
+
         /** The Constant LOGGED_IN_USER. */
         public static final String LOGGED_IN_USER = "loggedInUser";
 
@@ -58,6 +71,9 @@ public class Constants {
 
         /** The Constant CONSOLE_USER. */
         public static final String CONSOLE_USER = "consoleUser";
+
+        /** The Constant ASSIGNMENT. */
+        public static final String ASSIGNMENT = "assignment";
     }
 
     /**
diff --git a/org.jdrupes.vmoperator.common/src/org/jdrupes/vmoperator/common/VmDefinition.java b/org.jdrupes.vmoperator.common/src/org/jdrupes/vmoperator/common/VmDefinition.java
index 0eb1428..a42d2d4 100644
--- a/org.jdrupes.vmoperator.common/src/org/jdrupes/vmoperator/common/VmDefinition.java
+++ b/org.jdrupes.vmoperator.common/src/org/jdrupes/vmoperator/common/VmDefinition.java
@@ -220,7 +220,7 @@ public class VmDefinition extends K8sDynamicModel {
      * @return the optional
      */
     public Optional<String> assignedFrom() {
-        return fromStatus("assignment", "pool");
+        return fromStatus(Status.ASSIGNMENT, "pool");
     }
 
     /**
@@ -229,7 +229,7 @@ public class VmDefinition extends K8sDynamicModel {
      * @return the optional
      */
     public Optional<String> assignedTo() {
-        return fromStatus("assignment", "user");
+        return fromStatus(Status.ASSIGNMENT, "user");
     }
 
     /**
@@ -238,7 +238,7 @@ public class VmDefinition extends K8sDynamicModel {
      * @return the optional
      */
     public Optional<Instant> assignmentLastUsed() {
-        return this.<String> fromStatus("assignment", "lastUsed")
+        return this.<String> fromStatus(Status.ASSIGNMENT, "lastUsed")
             .map(Instant::parse);
     }
 
@@ -389,7 +389,7 @@ public class VmDefinition extends K8sDynamicModel {
      * @return the optional
      */
     public Optional<Long> displayPasswordSerial() {
-        return this.<Number> fromStatus("displayPasswordSerial")
+        return this.<Number> fromStatus(Status.DISPLAY_PASSWORD_SERIAL)
             .map(Number::longValue);
     }
 
diff --git a/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/Controller.java b/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/Controller.java
index f3deefa..b61b26a 100644
--- a/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/Controller.java
+++ b/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/Controller.java
@@ -30,6 +30,7 @@ import java.nio.file.Path;
 import java.time.Instant;
 import java.util.logging.Level;
 import org.jdrupes.vmoperator.common.Constants.Crd;
+import org.jdrupes.vmoperator.common.Constants.Status;
 import org.jdrupes.vmoperator.common.K8sClient;
 import org.jdrupes.vmoperator.common.K8sDynamicStub;
 import org.jdrupes.vmoperator.common.VmDefinitionStub;
@@ -230,7 +231,7 @@ public class Controller extends Component {
                 vmDef.namespace(), vmDef.name());
             if (vmStub.updateStatus(vmDef, from -> {
                 JsonObject status = from.statusJson();
-                var assignment = GsonPtr.to(status).to("assignment");
+                var assignment = GsonPtr.to(status).to(Status.ASSIGNMENT);
                 assignment.set("pool", event.usedPool());
                 assignment.set("user", event.toUser());
                 assignment.set("lastUsed", Instant.now().toString());
diff --git a/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/PoolMonitor.java b/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/PoolMonitor.java
index 465a9ed..1ea15e1 100644
--- a/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/PoolMonitor.java
+++ b/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/PoolMonitor.java
@@ -29,6 +29,7 @@ import java.util.Map;
 import java.util.Optional;
 import java.util.concurrent.ConcurrentHashMap;
 import org.jdrupes.vmoperator.common.Constants.Crd;
+import org.jdrupes.vmoperator.common.Constants.Status;
 import org.jdrupes.vmoperator.common.K8s;
 import org.jdrupes.vmoperator.common.K8sClient;
 import org.jdrupes.vmoperator.common.K8sDynamicModel;
@@ -187,7 +188,7 @@ public class PoolMonitor extends
         vmStub.updateStatus(from -> {
             // TODO
             JsonObject status = from.statusJson();
-            var assignment = GsonPtr.to(status).to("assignment");
+            var assignment = GsonPtr.to(status).to(Status.ASSIGNMENT);
             assignment.set("lastUsed", ccChange.get().toString());
             return status;
         });
diff --git a/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/StatusUpdater.java b/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/StatusUpdater.java
index 3323a7e..36a63c1 100644
--- a/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/StatusUpdater.java
+++ b/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/StatusUpdater.java
@@ -160,13 +160,13 @@ public class StatusUpdater extends VmDefUpdater {
         if (vmDef.metadata().getGeneration() == observedGeneration
             && (event.configuration().hasDisplayPassword
                 || vmDef.statusJson().getAsJsonPrimitive(
-                    "displayPasswordSerial").getAsInt() == -1)) {
+                    Status.DISPLAY_PASSWORD_SERIAL).getAsInt() == -1)) {
             return;
         }
         vmStub.updateStatus(from -> {
             JsonObject status = from.statusJson();
             if (!event.configuration().hasDisplayPassword) {
-                status.addProperty("displayPasswordSerial", -1);
+                status.addProperty(Status.DISPLAY_PASSWORD_SERIAL, -1);
             }
             status.getAsJsonArray("conditions").asList().stream()
                 .map(cond -> (JsonObject) cond).filter(cond -> "Running"
@@ -200,12 +200,12 @@ public class StatusUpdater extends VmDefUpdater {
                 event.runState() == RunState.BOOTED, event.reason(),
                 event.message());
             if (event.runState() == RunState.STARTING) {
-                status.addProperty("ram", GsonPtr.to(from.data())
+                status.addProperty(Status.RAM, GsonPtr.to(from.data())
                     .getAsString("spec", "vm", "maximumRam").orElse("0"));
-                status.addProperty("cpus", 1);
+                status.addProperty(Status.CPUS, 1);
             } else if (event.runState() == RunState.STOPPED) {
-                status.addProperty("ram", "0");
-                status.addProperty("cpus", 0);
+                status.addProperty(Status.RAM, "0");
+                status.addProperty(Status.CPUS, 0);
                 status.remove(Status.LOGGED_IN_USER);
             }
 
@@ -216,7 +216,7 @@ public class StatusUpdater extends VmDefUpdater {
                     "The VM is not running");
 
                 // In case we had an irregular shutdown
-                status.remove("osinfo");
+                status.remove(Status.OSINFO);
                 updateCondition(vmDef, "VmopAgentConnected", false, "VmStopped",
                     "The VM is not running");
             }
@@ -258,7 +258,7 @@ public class StatusUpdater extends VmDefUpdater {
         }
         vmStub.updateStatus(from -> {
             JsonObject status = from.statusJson();
-            status.addProperty("ram",
+            status.addProperty(Status.RAM,
                 new Quantity(new BigDecimal(event.size()), Format.BINARY_SI)
                     .toSuffixedString());
             return status;
@@ -278,7 +278,7 @@ public class StatusUpdater extends VmDefUpdater {
         }
         vmStub.updateStatus(from -> {
             JsonObject status = from.statusJson();
-            status.addProperty("cpus", event.usedCpus().size());
+            status.addProperty(Status.CPUS, event.usedCpus().size());
             return status;
         });
     }
@@ -297,8 +297,8 @@ public class StatusUpdater extends VmDefUpdater {
         }
         vmStub.updateStatus(from -> {
             JsonObject status = from.statusJson();
-            status.addProperty("displayPasswordSerial",
-                status.get("displayPasswordSerial").getAsLong() + 1);
+            status.addProperty(Status.DISPLAY_PASSWORD_SERIAL,
+                status.get(Status.DISPLAY_PASSWORD_SERIAL).getAsLong() + 1);
             return status;
         });
     }
@@ -329,7 +329,7 @@ public class StatusUpdater extends VmDefUpdater {
             objectMapper.convertValue(event.osinfo(), Object.class));
         vmStub.updateStatus(from -> {
             JsonObject status = from.statusJson();
-            status.add("osinfo", asGson);
+            status.add(Status.OSINFO, asGson);
             return status;
         });
 
diff --git a/org.jdrupes.vmoperator.vmmgmt/src/org/jdrupes/vmoperator/vmmgmt/VmMgmt.java b/org.jdrupes.vmoperator.vmmgmt/src/org/jdrupes/vmoperator/vmmgmt/VmMgmt.java
index 10b4f48..6d3891d 100644
--- a/org.jdrupes.vmoperator.vmmgmt/src/org/jdrupes/vmoperator/vmmgmt/VmMgmt.java
+++ b/org.jdrupes.vmoperator.vmmgmt/src/org/jdrupes/vmoperator/vmmgmt/VmMgmt.java
@@ -38,6 +38,7 @@ import java.util.Map;
 import java.util.Optional;
 import java.util.ResourceBundle;
 import java.util.Set;
+import org.jdrupes.vmoperator.common.Constants.Status;
 import org.jdrupes.vmoperator.common.K8sObserver;
 import org.jdrupes.vmoperator.common.VmDefinition;
 import org.jdrupes.vmoperator.common.VmDefinition.Permission;
@@ -243,8 +244,8 @@ public class VmMgmt extends FreeMarkerConlet<VmMgmt.VmsModel> {
             DataPath.<String> get(vmSpec, "currentRam").orElse("0")).getNumber()
             .toBigInteger());
         var status = DataPath.deepCopy(vmDef.status());
-        status.put("ram", Quantity.fromString(
-            DataPath.<String> get(status, "ram").orElse("0")).getNumber()
+        status.put(Status.RAM, Quantity.fromString(
+            DataPath.<String> get(status, Status.RAM).orElse("0")).getNumber()
             .toBigInteger());
 
         // Build result
@@ -383,10 +384,10 @@ public class VmMgmt extends FreeMarkerConlet<VmMgmt.VmsModel> {
         Summary summary = new Summary();
         for (var vmDef : channelTracker.associated()) {
             summary.totalVms += 1;
-            summary.usedCpus += vmDef.<Number> fromStatus("cpus")
+            summary.usedCpus += vmDef.<Number> fromStatus(Status.CPUS)
                 .map(Number::intValue).orElse(0);
             summary.usedRam = summary.usedRam
-                .add(vmDef.<String> fromStatus("ram")
+                .add(vmDef.<String> fromStatus(Status.RAM)
                     .map(r -> Quantity.fromString(r).getNumber().toBigInteger())
                     .orElse(BigInteger.ZERO));
             if (vmDef.conditionStatus("Running").orElse(false)) {

From 01db49397aa812e7f5ef5d9d5bf6346bbe5412e4 Mon Sep 17 00:00:00 2001
From: "Michael N. Lipp" <mnl@mnl.de>
Date: Sun, 2 Mar 2025 11:28:08 +0100
Subject: [PATCH 146/274] Try readthedocs.

---
 webpages/.readthedocs.yaml | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)
 create mode 100644 webpages/.readthedocs.yaml

diff --git a/webpages/.readthedocs.yaml b/webpages/.readthedocs.yaml
new file mode 100644
index 0000000..69b2e35
--- /dev/null
+++ b/webpages/.readthedocs.yaml
@@ -0,0 +1,17 @@
+# Read the Docs configuration file
+# See https://docs.readthedocs.io/en/stable/config-file/v2.html for details
+
+# Required
+version: 2
+# Set the OS, Python version, and other tools you might need
+build:
+  os: ubuntu-24.04
+  tools:
+    ruby: "3.3"
+  commands:
+    # Install dependencies
+    - gem install bundle
+    - bundle install
+    # Build the site and save generated files into Read the Docs directory
+    - jekyll build --destination $READTHEDOCS_OUTPUT/html
+    
\ No newline at end of file

From d0298eb7e8e822d7492ad84ebf22492159a81c2c Mon Sep 17 00:00:00 2001
From: "Michael N. Lipp" <mnl@mnl.de>
Date: Sun, 2 Mar 2025 11:32:36 +0100
Subject: [PATCH 147/274] Update.

---
 webpages/.readthedocs.yaml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/webpages/.readthedocs.yaml b/webpages/.readthedocs.yaml
index 69b2e35..15aece6 100644
--- a/webpages/.readthedocs.yaml
+++ b/webpages/.readthedocs.yaml
@@ -10,8 +10,8 @@ build:
     ruby: "3.3"
   commands:
     # Install dependencies
-    - gem install bundle
-    - bundle install
+    - cd webpages && gem install bundle
+    - cd webpages && bundle install
     # Build the site and save generated files into Read the Docs directory
-    - jekyll build --destination $READTHEDOCS_OUTPUT/html
+    - cd webpages && jekyll build --destination $READTHEDOCS_OUTPUT/html
     
\ No newline at end of file

From 5b7531c5e5915e39d20a2b3daeb2e5c36bd25ca4 Mon Sep 17 00:00:00 2001
From: "Michael N. Lipp" <mnl@mnl.de>
Date: Sun, 2 Mar 2025 11:51:47 +0100
Subject: [PATCH 148/274] Add for readthedocs.

---
 webpages/index.html | 11 +++++++++++
 1 file changed, 11 insertions(+)
 create mode 100644 webpages/index.html

diff --git a/webpages/index.html b/webpages/index.html
new file mode 100644
index 0000000..daa1b9c
--- /dev/null
+++ b/webpages/index.html
@@ -0,0 +1,11 @@
+<!DOCTYPE html>
+<html lang="en">
+<head>
+    <meta charset="UTF-8">
+    <meta http-equiv="refresh" content="0; URL=vm-operator/index.html">
+    <title>Redirecting...</title>
+</head>
+<body>
+    <p>If you are not redirected automatically, <a href="vm-operator/index.html">click here</a>.</p>
+</body>
+</html>

From 502842f486b86910e456fa2ab410c86e322389ea Mon Sep 17 00:00:00 2001
From: "Michael N. Lipp" <mnl@mnl.de>
Date: Sun, 2 Mar 2025 12:05:32 +0100
Subject: [PATCH 149/274] Trigger generation of a canonical url.

---
 webpages/_config.yml | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/webpages/_config.yml b/webpages/_config.yml
index 39ca339..bc830a3 100644
--- a/webpages/_config.yml
+++ b/webpages/_config.yml
@@ -1,10 +1,14 @@
 plugins:
   - jekyll-seo-tag
 
+url: "https://jdrupes.org"
+    
 author: Michael N. Lipp
 
 logo: VM-Operator.svg
 
 tagline: VM-Operator by mnlipp 
 
-description: A Kubernetes operator for running virtual machines (notably Qemu VMs) as pods.
+description: >-
+  A Kubernetes operator for running virtual machines (notably Qemu VMs)
+  as pods.

From 6b7c78ed2c2316b2fcd2e32f5841b6d2a9a29eb5 Mon Sep 17 00:00:00 2001
From: "Michael N. Lipp" <mnl@mnl.de>
Date: Sun, 2 Mar 2025 12:13:33 +0100
Subject: [PATCH 150/274] Add readthedocs specific footer.

---
 webpages/_layouts/vm-operator.html | 21 +++++++++++++++++++++
 1 file changed, 21 insertions(+)

diff --git a/webpages/_layouts/vm-operator.html b/webpages/_layouts/vm-operator.html
index 4456d20..5d780ef 100644
--- a/webpages/_layouts/vm-operator.html
+++ b/webpages/_layouts/vm-operator.html
@@ -81,6 +81,27 @@
         {{ content }}
       </section>
       <footer>
+        <!-- Optional footer data -->
+        <p id=githubfooter style="padding: 5px 6px; visibility: hidden">
+          Hosted on GitHub Pages &mdash; 
+          <a href="https://github.com/site/terms" target="_top">Terms</a>
+          &mdash; <a href="https://github.com/site/privacy" target="_top">Privacy</a>
+        </p>
+        <p id=readthedocsfooter style="padding: 5px 6px; visibility: hidden">
+          Hosted on Readthedocs &mdash; 
+          <a href="https://docs.readthedocs.io/page/terms-of-service.html" target="_top">Terms</a>
+          &mdash; <a href="https://docs.readthedocs.io/page/privacy-policy.html" target="_top">Privacy</a>
+        </p>
+        <script type="text/javascript">
+        if (location.hostname.indexOf("github") !== -1 || location.hostname.indexOf("jdrupes.org") !== -1) {
+            document.getElementById("githubfooter").style.visibility="visible";
+        } else if (location.hostname.indexOf("readthedocs") !== -1) {
+          document.getElementById("readthedocsfooter").style.visibility="visible";
+        }
+        </script>
+        
+        
+        
         <p><small>Hosted on GitHub Pages &mdash; <a href="https://github.com/site/terms">Terms</a>
         &mdash; <a href="https://github.com/site/privacy">Privacy</a> 
         &mdash; Theme derived from <a href="https://github.com/orderedlist/minimal">minimal</a></small></p>

From d7af1f5d068ab4f8283e109220b16ace7f88c322 Mon Sep 17 00:00:00 2001
From: "Michael N. Lipp" <mnl@mnl.de>
Date: Sun, 2 Mar 2025 12:23:02 +0100
Subject: [PATCH 151/274] Fix footer.

---
 webpages/_layouts/vm-operator.html | 12 ++++--------
 1 file changed, 4 insertions(+), 8 deletions(-)

diff --git a/webpages/_layouts/vm-operator.html b/webpages/_layouts/vm-operator.html
index 5d780ef..1c3bad2 100644
--- a/webpages/_layouts/vm-operator.html
+++ b/webpages/_layouts/vm-operator.html
@@ -82,15 +82,17 @@
       </section>
       <footer>
         <!-- Optional footer data -->
-        <p id=githubfooter style="padding: 5px 6px; visibility: hidden">
+        <p id=githubfooter style="padding: 5px 6px; visibility: hidden"><small>
           Hosted on GitHub Pages &mdash; 
           <a href="https://github.com/site/terms" target="_top">Terms</a>
           &mdash; <a href="https://github.com/site/privacy" target="_top">Privacy</a>
+          &mdash; Theme derived from <a href="https://github.com/orderedlist/minimal">minimal</a></small>
         </p>
-        <p id=readthedocsfooter style="padding: 5px 6px; visibility: hidden">
+        <p id=readthedocsfooter style="padding: 5px 6px; visibility: hidden"><small></small>
           Hosted on Readthedocs &mdash; 
           <a href="https://docs.readthedocs.io/page/terms-of-service.html" target="_top">Terms</a>
           &mdash; <a href="https://docs.readthedocs.io/page/privacy-policy.html" target="_top">Privacy</a>
+          &mdash; Theme derived from <a href="https://github.com/orderedlist/minimal">minimal</a></small>
         </p>
         <script type="text/javascript">
         if (location.hostname.indexOf("github") !== -1 || location.hostname.indexOf("jdrupes.org") !== -1) {
@@ -99,12 +101,6 @@
           document.getElementById("readthedocsfooter").style.visibility="visible";
         }
         </script>
-        
-        
-        
-        <p><small>Hosted on GitHub Pages &mdash; <a href="https://github.com/site/terms">Terms</a>
-        &mdash; <a href="https://github.com/site/privacy">Privacy</a> 
-        &mdash; Theme derived from <a href="https://github.com/orderedlist/minimal">minimal</a></small></p>
       </footer>
     </div>
 

From 05d53c58b16f5ac60842012d0fc0c662bdd03cbd Mon Sep 17 00:00:00 2001
From: "Michael N. Lipp" <mnl@mnl.de>
Date: Sun, 2 Mar 2025 12:28:08 +0100
Subject: [PATCH 152/274] Fix footer.

---
 webpages/_layouts/vm-operator.html | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/webpages/_layouts/vm-operator.html b/webpages/_layouts/vm-operator.html
index 1c3bad2..966b268 100644
--- a/webpages/_layouts/vm-operator.html
+++ b/webpages/_layouts/vm-operator.html
@@ -88,7 +88,7 @@
           &mdash; <a href="https://github.com/site/privacy" target="_top">Privacy</a>
           &mdash; Theme derived from <a href="https://github.com/orderedlist/minimal">minimal</a></small>
         </p>
-        <p id=readthedocsfooter style="padding: 5px 6px; visibility: hidden"><small></small>
+        <p id=readthedocsfooter style="padding: 5px 6px; visibility: hidden"><small>
           Hosted on Readthedocs &mdash; 
           <a href="https://docs.readthedocs.io/page/terms-of-service.html" target="_top">Terms</a>
           &mdash; <a href="https://docs.readthedocs.io/page/privacy-policy.html" target="_top">Privacy</a>

From 2f6b3d2127464b938243056e987c084a9ae58209 Mon Sep 17 00:00:00 2001
From: "Michael N. Lipp" <mnl@mnl.de>
Date: Sun, 2 Mar 2025 12:39:48 +0100
Subject: [PATCH 153/274] Fix footer.

---
 webpages/_layouts/vm-operator.html | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/webpages/_layouts/vm-operator.html b/webpages/_layouts/vm-operator.html
index 966b268..8be6f81 100644
--- a/webpages/_layouts/vm-operator.html
+++ b/webpages/_layouts/vm-operator.html
@@ -82,13 +82,13 @@
       </section>
       <footer>
         <!-- Optional footer data -->
-        <p id=githubfooter style="padding: 5px 6px; visibility: hidden"><small>
+        <p id=githubfooter style="display: none"><small>
           Hosted on GitHub Pages &mdash; 
           <a href="https://github.com/site/terms" target="_top">Terms</a>
           &mdash; <a href="https://github.com/site/privacy" target="_top">Privacy</a>
           &mdash; Theme derived from <a href="https://github.com/orderedlist/minimal">minimal</a></small>
         </p>
-        <p id=readthedocsfooter style="padding: 5px 6px; visibility: hidden"><small>
+        <p id=readthedocsfooter style="display: none"><small>
           Hosted on Readthedocs &mdash; 
           <a href="https://docs.readthedocs.io/page/terms-of-service.html" target="_top">Terms</a>
           &mdash; <a href="https://docs.readthedocs.io/page/privacy-policy.html" target="_top">Privacy</a>
@@ -96,9 +96,9 @@
         </p>
         <script type="text/javascript">
         if (location.hostname.indexOf("github") !== -1 || location.hostname.indexOf("jdrupes.org") !== -1) {
-            document.getElementById("githubfooter").style.visibility="visible";
+            document.getElementById("githubfooter").style.display="inherit";
         } else if (location.hostname.indexOf("readthedocs") !== -1) {
-          document.getElementById("readthedocsfooter").style.visibility="visible";
+          document.getElementById("readthedocsfooter").style.display="inherit";
         }
         </script>
       </footer>

From 687a050ec446441ba6e28e1e56f19d2473b9641c Mon Sep 17 00:00:00 2001
From: "Michael N. Lipp" <mnl@mnl.de>
Date: Sun, 2 Mar 2025 12:55:40 +0100
Subject: [PATCH 154/274] Generate sitemap.

---
 webpages/Gemfile     | 1 +
 webpages/_config.yml | 1 +
 2 files changed, 2 insertions(+)

diff --git a/webpages/Gemfile b/webpages/Gemfile
index ecbbb7d..3e965ca 100644
--- a/webpages/Gemfile
+++ b/webpages/Gemfile
@@ -2,4 +2,5 @@ source 'https://rubygems.org'
 # gem 'github-pages', group: :jekyll_plugins
 gem "jekyll", "~> 4.0"
 gem "jekyll-seo-tag"
+gem 'jekyll-sitemap'
 gem 'webrick', '~> 1.3', '>= 1.3.1'
diff --git a/webpages/_config.yml b/webpages/_config.yml
index bc830a3..a2ee1a3 100644
--- a/webpages/_config.yml
+++ b/webpages/_config.yml
@@ -1,5 +1,6 @@
 plugins:
   - jekyll-seo-tag
+  - jekyll-sitemap
 
 url: "https://jdrupes.org"
     

From 07fb07a6a4c4c334cad516282a0ffeac331dc17d Mon Sep 17 00:00:00 2001
From: "Michael N. Lipp" <mnl@mnl.de>
Date: Sun, 2 Mar 2025 12:57:26 +0100
Subject: [PATCH 155/274] Javadoc is hosted on main site only.

---
 webpages/_layouts/vm-operator.html | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/webpages/_layouts/vm-operator.html b/webpages/_layouts/vm-operator.html
index 8be6f81..820aeb6 100644
--- a/webpages/_layouts/vm-operator.html
+++ b/webpages/_layouts/vm-operator.html
@@ -68,7 +68,7 @@
         <li><p class="part-entry"><a href="user-gui.html">For Users</a></p></li>
         </ul>
         <p class="part-list-title"><a href="upgrading.html">Upgrading</a></p>
-        <p class="part-list-title"><a href="latest-release/javadoc/index.html">Javadoc</a></p>
+        <p class="part-list-title"><a href="https://jdrupes.org/vm-operator/latest-release/javadoc/index.html">Javadoc</a></p>
 
       </header>
       <section>

From 3a94602a0d825cda0045401e270f34e1ab183b61 Mon Sep 17 00:00:00 2001
From: "Michael N. Lipp" <mnl@mnl.de>
Date: Sun, 2 Mar 2025 13:02:46 +0100
Subject: [PATCH 156/274] Add sitemap.

---
 webpages/robots.txt | 3 +++
 1 file changed, 3 insertions(+)
 create mode 100644 webpages/robots.txt

diff --git a/webpages/robots.txt b/webpages/robots.txt
new file mode 100644
index 0000000..457a45d
--- /dev/null
+++ b/webpages/robots.txt
@@ -0,0 +1,3 @@
+User-agent: *
+Allow: /
+Sitemap: sitemap.xml

From f6338758d8b5abfaa125cc3e07698eb6eacf8b29 Mon Sep 17 00:00:00 2001
From: "Michael N. Lipp" <mnl@mnl.de>
Date: Sun, 2 Mar 2025 13:13:03 +0100
Subject: [PATCH 157/274] Sitemap property must be an absolute url.

---
 webpages/.readthedocs.yaml      | 1 +
 webpages/robots-readthedocs.txt | 3 +++
 webpages/robots.txt             | 3 ---
 3 files changed, 4 insertions(+), 3 deletions(-)
 create mode 100644 webpages/robots-readthedocs.txt
 delete mode 100644 webpages/robots.txt

diff --git a/webpages/.readthedocs.yaml b/webpages/.readthedocs.yaml
index 15aece6..2eac996 100644
--- a/webpages/.readthedocs.yaml
+++ b/webpages/.readthedocs.yaml
@@ -14,4 +14,5 @@ build:
     - cd webpages && bundle install
     # Build the site and save generated files into Read the Docs directory
     - cd webpages && jekyll build --destination $READTHEDOCS_OUTPUT/html
+    - cp webpages/robots-readthedocs.txt $READTHEDOCS_OUTPUT/html
     
\ No newline at end of file
diff --git a/webpages/robots-readthedocs.txt b/webpages/robots-readthedocs.txt
new file mode 100644
index 0000000..90e0f33
--- /dev/null
+++ b/webpages/robots-readthedocs.txt
@@ -0,0 +1,3 @@
+User-agent: *
+Allow: /
+Sitemap: https://kubernetes-vm-operator.readthedocs.io/sitemap.xml
diff --git a/webpages/robots.txt b/webpages/robots.txt
deleted file mode 100644
index 457a45d..0000000
--- a/webpages/robots.txt
+++ /dev/null
@@ -1,3 +0,0 @@
-User-agent: *
-Allow: /
-Sitemap: sitemap.xml

From 199cd8185ea66681ba2617f1ef553dc3eae54cc8 Mon Sep 17 00:00:00 2001
From: "Michael N. Lipp" <mnl@mnl.de>
Date: Sun, 2 Mar 2025 13:15:38 +0100
Subject: [PATCH 158/274] Fix robots.txt "generation".

---
 webpages/.readthedocs.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/webpages/.readthedocs.yaml b/webpages/.readthedocs.yaml
index 2eac996..546c09f 100644
--- a/webpages/.readthedocs.yaml
+++ b/webpages/.readthedocs.yaml
@@ -14,5 +14,5 @@ build:
     - cd webpages && bundle install
     # Build the site and save generated files into Read the Docs directory
     - cd webpages && jekyll build --destination $READTHEDOCS_OUTPUT/html
-    - cp webpages/robots-readthedocs.txt $READTHEDOCS_OUTPUT/html
+    - cp webpages/robots-readthedocs.txt $READTHEDOCS_OUTPUT/html/robots.txt
     
\ No newline at end of file

From 60349bca7881b4c08fc034aa6934d5eff078b882 Mon Sep 17 00:00:00 2001
From: "Michael N. Lipp" <mnl@mnl.de>
Date: Sun, 2 Mar 2025 13:45:38 +0100
Subject: [PATCH 159/274] Shorten title to make bing happy.

---
 webpages/vm-operator/manager.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/webpages/vm-operator/manager.md b/webpages/vm-operator/manager.md
index ee971c1..d283484 100644
--- a/webpages/vm-operator/manager.md
+++ b/webpages/vm-operator/manager.md
@@ -1,5 +1,5 @@
 ---
-title: "VM-Operator: The Manager — Provides the controller and a web user interface"
+title: "VM-Operator: The Manager — Provides the controller and a Web UI"
 description: >-
   Information about the installation and configuration of the
   VM Operator.

From 0e28bcd038bc529a5ee8be6f228449bfd33426bb Mon Sep 17 00:00:00 2001
From: "Michael N. Lipp" <mnl@mnl.de>
Date: Sun, 2 Mar 2025 18:48:13 +0100
Subject: [PATCH 160/274] Change (main) site.

---
 webpages/_config.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/webpages/_config.yml b/webpages/_config.yml
index a2ee1a3..1ebd835 100644
--- a/webpages/_config.yml
+++ b/webpages/_config.yml
@@ -2,7 +2,7 @@ plugins:
   - jekyll-seo-tag
   - jekyll-sitemap
 
-url: "https://jdrupes.org"
+url: "https://vm-operator.jdrupes.org"
     
 author: Michael N. Lipp
 

From fd0bcc93074418fec8ba33f962210a856edd7f53 Mon Sep 17 00:00:00 2001
From: "Michael N. Lipp" <mnl@mnl.de>
Date: Sun, 2 Mar 2025 20:10:42 +0100
Subject: [PATCH 161/274] Move main site to vm-operator.jdrupes.org.

---
 misc/javadoc.bottom.txt        | 7 ++++---
 webpages/_includes/matomo.html | 6 +++---
 2 files changed, 7 insertions(+), 6 deletions(-)

diff --git a/misc/javadoc.bottom.txt b/misc/javadoc.bottom.txt
index abf54f3..631d63f 100644
--- a/misc/javadoc.bottom.txt
+++ b/misc/javadoc.bottom.txt
@@ -16,18 +16,19 @@
       var _paq = _paq || [];
       /* tracker methods like "setCustomDimension" should be called before "trackPageView" */
       _paq.push(["setDocumentTitle", document.domain + "/" + document.title]);
-      _paq.push(["setCookieDomain", "*.jdrupes.org"]);
+      _paq.push(["setCookieDomain", "*.mnlipp.github.io"]);
+      _paq.push(["setDomains", ["*.mnlipp.github.io", "*.jdrupes.org", "kubernetes-vm-operator.readthedocs.io"]]);
       _paq.push(['disableCookies']);
       _paq.push(['trackPageView']);
       _paq.push(['enableLinkTracking']);
       (function() {
         var u="//jdrupes.org/";
         _paq.push(['setTrackerUrl', u+'piwik.php']);
-        _paq.push(['setSiteId', '15']);
+        _paq.push(['setSiteId', '17']);
         var d=document, g=d.createElement('script'), s=d.getElementsByTagName('script')[0];
         g.type='text/javascript'; g.async=true; g.defer=true; g.src=u+'piwik.js'; s.parentNode.insertBefore(g,s);
       })();
     </script>
-    <noscript><p><img referrerpolicy="no-referrer-when-downgrade" src="//piwik.mnl.de/matomo.php?idsite=15&amp;rec=1" style="border:0;" alt="" /></p></noscript>
+    <noscript><p><img referrerpolicy="no-referrer-when-downgrade" src="//piwik.mnl.de/matomo.php?idsite=17&amp;rec=1" style="border:0;" alt="" /></p></noscript>
     <!-- End Matomo Code -->
 </div>
\ No newline at end of file
diff --git a/webpages/_includes/matomo.html b/webpages/_includes/matomo.html
index 3a93186..75978bc 100644
--- a/webpages/_includes/matomo.html
+++ b/webpages/_includes/matomo.html
@@ -4,20 +4,20 @@
   /* tracker methods like "setCustomDimension" should be called before "trackPageView" */
   _paq.push(["setDocumentTitle", document.domain + "/" + document.title]);
   _paq.push(["setCookieDomain", "*.mnlipp.github.io"]);
-  _paq.push(["setDomains", ["*.mnlipp.github.io"]]);
+  _paq.push(["setDomains", ["*.mnlipp.github.io", "*.jdrupes.org", "kubernetes-vm-operator.readthedocs.io"]]);
   _paq.push(['disableCookies']);
   _paq.push(['trackPageView']);
   _paq.push(['enableLinkTracking']);
   (function() {
     var u="//piwik.mnl.de/";
     _paq.push(['setTrackerUrl', u+'piwik.php']);
-    _paq.push(['setSiteId', '14']);
+    _paq.push(['setSiteId', '17']);
     var d=document, g=d.createElement('script'), s=d.getElementsByTagName('script')[0];
     g.type='text/javascript'; g.async=true; g.defer=true; g.src=u+'piwik.js'; s.parentNode.insertBefore(g,s);
   })();
 </script>
 <noscript>
-<img src="https://piwik.mnl.de/piwik.php?idsite=14&amp;rec=1&amp;action_name=JGrapes" style="border:0" alt="" />
+<img src="https://piwik.mnl.de/piwik.php?idsite=17&amp;rec=1&amp;action_name=JGrapes" style="border:0" alt="" />
 </noscript>
 <!-- End Matomo Code -->
 

From a0dfd2519226e6ac479d0cbe462a9ac5bc9a65fd Mon Sep 17 00:00:00 2001
From: "Michael N. Lipp" <mnl@mnl.de>
Date: Sun, 2 Mar 2025 20:29:56 +0100
Subject: [PATCH 162/274] Add robots.txt.

---
 webpages/robots.txt | 2 ++
 1 file changed, 2 insertions(+)
 create mode 100644 webpages/robots.txt

diff --git a/webpages/robots.txt b/webpages/robots.txt
new file mode 100644
index 0000000..c2a49f4
--- /dev/null
+++ b/webpages/robots.txt
@@ -0,0 +1,2 @@
+User-agent: *
+Allow: /

From 4965845f3da5170ce813aa8430c6364d3c85bf2b Mon Sep 17 00:00:00 2001
From: "Michael N. Lipp" <mnl@mnl.de>
Date: Sun, 2 Mar 2025 20:44:39 +0100
Subject: [PATCH 163/274] Move robots.txt.

---
 webpages/vm-operator/robots.txt | 2 ++
 1 file changed, 2 insertions(+)
 create mode 100644 webpages/vm-operator/robots.txt

diff --git a/webpages/vm-operator/robots.txt b/webpages/vm-operator/robots.txt
new file mode 100644
index 0000000..c2a49f4
--- /dev/null
+++ b/webpages/vm-operator/robots.txt
@@ -0,0 +1,2 @@
+User-agent: *
+Allow: /

From d8cff8b9425e449255dc15db3e5496ffb0a8fef4 Mon Sep 17 00:00:00 2001
From: "Michael N. Lipp" <mnl@mnl.de>
Date: Sun, 2 Mar 2025 21:06:26 +0100
Subject: [PATCH 164/274] Track vm-operator separately.

---
 buildSrc/src/org.jdrupes.vmoperator.java-doc-conventions.gradle | 1 +
 .../{matomo.html => matomo-vm-operator.jdrupes.org.html}        | 0
 webpages/_layouts/vm-operator.html                              | 2 +-
 3 files changed, 2 insertions(+), 1 deletion(-)
 rename webpages/_includes/{matomo.html => matomo-vm-operator.jdrupes.org.html} (100%)

diff --git a/buildSrc/src/org.jdrupes.vmoperator.java-doc-conventions.gradle b/buildSrc/src/org.jdrupes.vmoperator.java-doc-conventions.gradle
index 5eed550..0b6e68f 100644
--- a/buildSrc/src/org.jdrupes.vmoperator.java-doc-conventions.gradle
+++ b/buildSrc/src/org.jdrupes.vmoperator.java-doc-conventions.gradle
@@ -124,6 +124,7 @@ gitPublish {
     branch = 'main'
     contents {
         from("${rootProject.projectDir}/webpages") {
+            include '_includes/matomo-vm-operator.jdrupes.org.html'
             include '_layouts/vm-operator.html'
             include 'vm-operator/**'
         }
diff --git a/webpages/_includes/matomo.html b/webpages/_includes/matomo-vm-operator.jdrupes.org.html
similarity index 100%
rename from webpages/_includes/matomo.html
rename to webpages/_includes/matomo-vm-operator.jdrupes.org.html
diff --git a/webpages/_layouts/vm-operator.html b/webpages/_layouts/vm-operator.html
index 820aeb6..2e2e444 100644
--- a/webpages/_layouts/vm-operator.html
+++ b/webpages/_layouts/vm-operator.html
@@ -104,7 +104,7 @@
       </footer>
     </div>
 
-    {% include matomo.html %}
+    {% include matomo-vm-operator.jdrupes.org.html %}
 
   </body>
 </html lang="en">

From d6e2a92fe8a3f5578e606d8eb9956e07f967c67d Mon Sep 17 00:00:00 2001
From: "Michael N. Lipp" <mnl@mnl.de>
Date: Sun, 2 Mar 2025 21:20:25 +0100
Subject: [PATCH 165/274] Fix url.

---
 misc/javadoc.bottom.txt | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/misc/javadoc.bottom.txt b/misc/javadoc.bottom.txt
index 631d63f..c858345 100644
--- a/misc/javadoc.bottom.txt
+++ b/misc/javadoc.bottom.txt
@@ -22,7 +22,7 @@
       _paq.push(['trackPageView']);
       _paq.push(['enableLinkTracking']);
       (function() {
-        var u="//jdrupes.org/";
+        var u="//piwik.mnl.de/";
         _paq.push(['setTrackerUrl', u+'piwik.php']);
         _paq.push(['setSiteId', '17']);
         var d=document, g=d.createElement('script'), s=d.getElementsByTagName('script')[0];

From 7670857d0a48bf8fd4c6faa89e36dba0bfa46665 Mon Sep 17 00:00:00 2001
From: "Michael N. Lipp" <mnl@mnl.de>
Date: Sun, 2 Mar 2025 21:50:24 +0100
Subject: [PATCH 166/274] Separate sites.

---
 .github/workflows/jekyll.yml                  | 68 +++++++++++++++++++
 ...-operator.jdrupes.org.html => matomo.html} |  0
 webpages/_layouts/vm-operator.html            |  4 +-
 webpages/robots.txt                           |  2 -
 4 files changed, 70 insertions(+), 4 deletions(-)
 create mode 100644 .github/workflows/jekyll.yml
 rename webpages/_includes/{matomo-vm-operator.jdrupes.org.html => matomo.html} (100%)
 delete mode 100644 webpages/robots.txt

diff --git a/.github/workflows/jekyll.yml b/.github/workflows/jekyll.yml
new file mode 100644
index 0000000..57d3802
--- /dev/null
+++ b/.github/workflows/jekyll.yml
@@ -0,0 +1,68 @@
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.
+
+# Sample workflow for building and deploying a Jekyll site to GitHub Pages
+name: Deploy Jekyll site to Pages
+
+on:
+  # Runs on pushes targeting the default branch
+  push:
+    branches: ["main"]
+
+  # Allows you to run this workflow manually from the Actions tab
+  workflow_dispatch:
+
+# Sets permissions of the GITHUB_TOKEN to allow deployment to GitHub Pages
+permissions:
+  contents: read
+  pages: write
+  id-token: write
+
+# Allow only one concurrent deployment, skipping runs queued between
+# the run in-progress and latest queued. However, do NOT cancel
+# in-progress runs as we want to allow these production deployments
+# to complete.
+concurrency:
+  group: "pages"
+  cancel-in-progress: false
+
+jobs:
+  # Build job
+  build:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+      - name: Setup Ruby
+        uses: ruby/setup-ruby@v1
+        with:
+          ruby-version: '3.3' # Not needed with a .ruby-version file
+          bundler-cache: true # runs 'bundle install' and caches installed gems automatically
+          cache-version: 0 # Increment this number if you need to re-download cached gems
+      - name: Setup Pages
+        id: pages
+        uses: actions/configure-pages@v5
+      - name: Build with Jekyll
+        # Outputs to the './_site' directory by default
+        run: bundle exec jekyll build
+        env:
+          JEKYLL_ENV: production
+      - name: Index pagefind
+        run: npx pagefind --source "_site/vm-operator"          
+      - name: Upload artifact
+        # Automatically uploads an artifact from the './_site' directory by default
+        uses: actions/upload-pages-artifact@v3
+
+  # Deployment job
+  deploy:
+    environment:
+      name: github-pages
+      url: ${{ steps.deployment.outputs.page_url }}
+    runs-on: ubuntu-latest
+    needs: build
+    steps:
+      - name: Deploy to GitHub Pages
+        id: deployment
+        uses: actions/deploy-pages@v4
diff --git a/webpages/_includes/matomo-vm-operator.jdrupes.org.html b/webpages/_includes/matomo.html
similarity index 100%
rename from webpages/_includes/matomo-vm-operator.jdrupes.org.html
rename to webpages/_includes/matomo.html
diff --git a/webpages/_layouts/vm-operator.html b/webpages/_layouts/vm-operator.html
index 2e2e444..6d0df26 100644
--- a/webpages/_layouts/vm-operator.html
+++ b/webpages/_layouts/vm-operator.html
@@ -83,7 +83,7 @@
       <footer>
         <!-- Optional footer data -->
         <p id=githubfooter style="display: none"><small>
-          Hosted on GitHub Pages &mdash; 
+          Hosted on GitHub Pages &mdash;
           <a href="https://github.com/site/terms" target="_top">Terms</a>
           &mdash; <a href="https://github.com/site/privacy" target="_top">Privacy</a>
           &mdash; Theme derived from <a href="https://github.com/orderedlist/minimal">minimal</a></small>
@@ -104,7 +104,7 @@
       </footer>
     </div>
 
-    {% include matomo-vm-operator.jdrupes.org.html %}
+    {% include matomo.html %}
 
   </body>
 </html lang="en">
diff --git a/webpages/robots.txt b/webpages/robots.txt
deleted file mode 100644
index c2a49f4..0000000
--- a/webpages/robots.txt
+++ /dev/null
@@ -1,2 +0,0 @@
-User-agent: *
-Allow: /

From 083c6db2da1224786963e0cfe791fcf24a65f692 Mon Sep 17 00:00:00 2001
From: "Michael N. Lipp" <mnl@mnl.de>
Date: Sun, 2 Mar 2025 22:12:43 +0100
Subject: [PATCH 167/274] Build own site.

---
 .github/workflows/jekyll.yml | 17 +++++++++++++++--
 1 file changed, 15 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/jekyll.yml b/.github/workflows/jekyll.yml
index 57d3802..b273259 100644
--- a/.github/workflows/jekyll.yml
+++ b/.github/workflows/jekyll.yml
@@ -35,25 +35,38 @@ jobs:
     steps:
       - name: Checkout
         uses: actions/checkout@v4
+      - name: Set up JDK 21
+        uses: actions/setup-java@v3
+        with:
+          java-version: '21'
+          distribution: 'temurin'
       - name: Setup Ruby
         uses: ruby/setup-ruby@v1
         with:
           ruby-version: '3.3' # Not needed with a .ruby-version file
           bundler-cache: true # runs 'bundle install' and caches installed gems automatically
           cache-version: 0 # Increment this number if you need to re-download cached gems
+      - name: Install graphviz
+        run: sudo apt-get install graphviz
+      - name: Build apidocs
+        run: ./gradlew apidocs
       - name: Setup Pages
         id: pages
         uses: actions/configure-pages@v5
       - name: Build with Jekyll
         # Outputs to the './_site' directory by default
-        run: bundle exec jekyll build
+        run: cd webpages && bundle exec jekyll build
         env:
           JEKYLL_ENV: production
+      - name: Copy javadoc
+        run: cp -a build/javadoc webpages/_site/vm-operator/
       - name: Index pagefind
-        run: npx pagefind --source "_site/vm-operator"          
+        run: cd webpages && npx pagefind --source "_site/vm-operator"          
       - name: Upload artifact
         # Automatically uploads an artifact from the './_site' directory by default
         uses: actions/upload-pages-artifact@v3
+        with:
+          path: './webpages/_site'
 
   # Deployment job
   deploy:

From 987f634f40cc1ab3abbade24ab5cb36b2634a8ce Mon Sep 17 00:00:00 2001
From: "Michael N. Lipp" <mnl@mnl.de>
Date: Sun, 2 Mar 2025 22:33:22 +0100
Subject: [PATCH 168/274] Update.

---
 .github/workflows/jekyll.yml | 18 +++++++++---------
 1 file changed, 9 insertions(+), 9 deletions(-)

diff --git a/.github/workflows/jekyll.yml b/.github/workflows/jekyll.yml
index b273259..c7df16e 100644
--- a/.github/workflows/jekyll.yml
+++ b/.github/workflows/jekyll.yml
@@ -35,21 +35,12 @@ jobs:
     steps:
       - name: Checkout
         uses: actions/checkout@v4
-      - name: Set up JDK 21
-        uses: actions/setup-java@v3
-        with:
-          java-version: '21'
-          distribution: 'temurin'
       - name: Setup Ruby
         uses: ruby/setup-ruby@v1
         with:
           ruby-version: '3.3' # Not needed with a .ruby-version file
           bundler-cache: true # runs 'bundle install' and caches installed gems automatically
           cache-version: 0 # Increment this number if you need to re-download cached gems
-      - name: Install graphviz
-        run: sudo apt-get install graphviz
-      - name: Build apidocs
-        run: ./gradlew apidocs
       - name: Setup Pages
         id: pages
         uses: actions/configure-pages@v5
@@ -58,6 +49,15 @@ jobs:
         run: cd webpages && bundle exec jekyll build
         env:
           JEKYLL_ENV: production
+      - name: Install graphviz
+        run: sudo apt-get install graphviz
+      - name: Set up JDK 21
+        uses: actions/setup-java@v3
+        with:
+          java-version: '21'
+          distribution: 'temurin'
+      - name: Build apidocs
+        run: ./gradlew apidocs
       - name: Copy javadoc
         run: cp -a build/javadoc webpages/_site/vm-operator/
       - name: Index pagefind

From 30bc11917880229e14bcbd46e80935019484bfbd Mon Sep 17 00:00:00 2001
From: "Michael N. Lipp" <mnl@mnl.de>
Date: Sun, 2 Mar 2025 22:57:22 +0100
Subject: [PATCH 169/274] Update.

---
 .github/workflows/jekyll.yml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/.github/workflows/jekyll.yml b/.github/workflows/jekyll.yml
index c7df16e..58609d6 100644
--- a/.github/workflows/jekyll.yml
+++ b/.github/workflows/jekyll.yml
@@ -41,6 +41,7 @@ jobs:
           ruby-version: '3.3' # Not needed with a .ruby-version file
           bundler-cache: true # runs 'bundle install' and caches installed gems automatically
           cache-version: 0 # Increment this number if you need to re-download cached gems
+          working-directory: webpages
       - name: Setup Pages
         id: pages
         uses: actions/configure-pages@v5

From 214085119c180a990835e05d01902bd54396fdd0 Mon Sep 17 00:00:00 2001
From: "Michael N. Lipp" <mnl@mnl.de>
Date: Sun, 2 Mar 2025 23:15:19 +0100
Subject: [PATCH 170/274] Add style for searching.

---
 webpages/stylesheets/styles.css | 50 +++++++++++++++++++++++++++++++++
 1 file changed, 50 insertions(+)

diff --git a/webpages/stylesheets/styles.css b/webpages/stylesheets/styles.css
index 8d6b803..41fb0d0 100644
--- a/webpages/stylesheets/styles.css
+++ b/webpages/stylesheets/styles.css
@@ -189,6 +189,56 @@ footer {
     margin-bottom:5px;
 }
 
+#search {
+
+  --pagefind-ui-font: inherit;
+  --pagefind-ui-border-radius: 4px;
+
+  position: absolute;
+  right: 1em;
+  top: 1em;
+
+  .pagefind-ui__form {
+    width: 20em;
+    margin-left: auto;
+    
+    &::before {
+      top: calc(17px * var(--pagefind-ui-scale));      
+    }
+  }
+    
+  .pagefind-ui__search-input {
+    font-weight: inherit;
+    height: calc(48px * var(--pagefind-ui-scale));
+  }
+
+  .pagefind-ui__search-clear {
+    font-weight: inherit;
+    height: calc(42px * var(--pagefind-ui-scale));
+  }
+  
+  .pagefind-ui__drawer {
+    position: absolute;
+    right: 0;
+    width: 40em;
+    background-color: white;
+    border: solid var(--pagefind-ui-border-width) var(--pagefind-ui-border);
+    padding: 0 1em 1em 1em;
+  }
+  
+  .pagefind-ui__message {
+    padding-top: 0;
+  }
+
+  .pagefind-ui__result {
+    padding: 0;
+  }
+  
+  .pagefind-ui__result-title {
+    font-weight: inherit;
+  }
+}
+
 @media print, screen and (max-width: 960px) {
 
   div.wrapper {

From 03fdabe85a777618b9e9cd69158acafde87922e8 Mon Sep 17 00:00:00 2001
From: Michael Lipp <mnl@mnl.de>
Date: Mon, 3 Mar 2025 06:50:03 +0000
Subject: [PATCH 171/274] Edit README.md

---
 README.md | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/README.md b/README.md
index 4c989b6..e6292ec 100644
--- a/README.md
+++ b/README.md
@@ -5,8 +5,8 @@
 
 # Run Qemu in Kubernetes Pods
 
-The goal of this project is to provide easy to use and flexible components
+The goal of this project is to provide orgy to use and flexible components
 for running Qemu based VMs in Kubernetes pods.
-
-See the [project's home page](https://jdrupes.org/vm-operator/)
+vm-ovm
+See the [project's home page](https://vm-operator.jdrupes.org/)
 for details.

From c004265f5e8165c4a88bba79b96e132169972c46 Mon Sep 17 00:00:00 2001
From: "Michael N. Lipp" <mnl@mnl.de>
Date: Mon, 3 Mar 2025 09:25:58 +0100
Subject: [PATCH 172/274] Don't merge into jdrupes.org any more.

---
 build.gradle                                  |  9 +-----
 ...pes.vmoperator.java-doc-conventions.gradle | 31 -------------------
 2 files changed, 1 insertion(+), 39 deletions(-)

diff --git a/build.gradle b/build.gradle
index 8a7b571..eb8e59a 100644
--- a/build.gradle
+++ b/build.gradle
@@ -19,7 +19,7 @@ allprojects {
 }
 
 task stage {
-    description = 'To be executed by CI, build and update JavaDoc.'
+    description = 'To be executed by CI.'
     group = 'build'
 
     // Build everything first
@@ -27,13 +27,6 @@ task stage {
         dependsOn subprojects.tasks.collect { 
             tc -> tc.findByName("build") }.flatten()
     }
-    
-    def gitBranch = grgit.branch.current.name.replace('/', '-')
-    if (JavaVersion.current() == JavaVersion.VERSION_21
-        && gitBranch == "main") {
-        // Publish JavaDoc
-        dependsOn gitPublishPush
-    }
 }
 
 eclipse {
diff --git a/buildSrc/src/org.jdrupes.vmoperator.java-doc-conventions.gradle b/buildSrc/src/org.jdrupes.vmoperator.java-doc-conventions.gradle
index 0b6e68f..6af8fa7 100644
--- a/buildSrc/src/org.jdrupes.vmoperator.java-doc-conventions.gradle
+++ b/buildSrc/src/org.jdrupes.vmoperator.java-doc-conventions.gradle
@@ -118,34 +118,3 @@ if (System.properties['org.ajoberstar.grgit.auth.username'] == null) {
     System.setProperty('org.ajoberstar.grgit.auth.username',
         project.rootProject.properties['website.push.token'] ?: "nouser")
 }
-
-gitPublish {
-    repoUri = 'https://github.com/mnlipp/jdrupes.org.git'
-    branch = 'main'
-    contents {
-        from("${rootProject.projectDir}/webpages") {
-            include '_includes/matomo-vm-operator.jdrupes.org.html'
-            include '_layouts/vm-operator.html'
-            include 'vm-operator/**'
-        }
-        from("${rootProject.buildDir}/javadoc") {
-            into 'vm-operator/javadoc'
-        }
-        if (!findProject(':org.jdrupes.vmoperator.runner.qemu').isSnapshot
-                && !findProject(':org.jdrupes.vmoperator.manager').isSnapshot) {
-            from("${rootProject.buildDir}/javadoc") {
-                into 'vm-operator/latest-release/javadoc'
-            }
-        }
-    }
-    preserve { include '**/*' }
-    commitMessage = "Updated."
-}
-
-gradle.projectsEvaluated {
-    tasks.gitPublishReset.mustRunAfter subprojects.tasks
-        .collect { tc -> tc.findByName("build") }.flatten()
-    tasks.gitPublishReset.mustRunAfter subprojects.tasks
-        .collect { tc -> tc.findByName("test") }.flatten()
-    tasks.gitPublishCopy.dependsOn apidocs
-}

From cc78c38efe650301f9bfba4d4632d781acd8a7eb Mon Sep 17 00:00:00 2001
From: "Michael N. Lipp" <mnl@mnl.de>
Date: Mon, 3 Mar 2025 10:16:05 +0100
Subject: [PATCH 173/274] Remove no longer needed sub-directory.

---
 .github/workflows/jekyll.yml                     |   4 ++--
 misc/javadoc.bottom.txt                          |   5 +++--
 webpages/{vm-operator => }/02_2_operator.png     | Bin
 .../VM-Operator-GUI-preview.png                  | Bin
 .../{vm-operator => }/VM-Operator-GUI-view.png   | Bin
 .../{vm-operator => }/VM-Operator-with-font.svg  |   0
 webpages/{vm-operator => }/VM-Operator.svg       |   0
 webpages/{vm-operator => }/VmAccess-preview.png  | Bin
 webpages/_includes/matomo.html                   |   4 ++--
 webpages/_layouts/vm-operator.html               |  15 ++++++++-------
 webpages/{vm-operator => }/admin-gui.md          |   0
 webpages/{vm-operator => }/controller.md         |   0
 webpages/{vm-operator => }/favicon.svg           |   0
 webpages/{vm-operator => }/index-pic.svg         |   0
 webpages/index.html                              |  11 -----------
 webpages/{vm-operator => }/index.md              |   0
 webpages/{vm-operator => }/manager.md            |   0
 webpages/{vm-operator => }/pools.md              |   0
 webpages/{vm-operator => }/robots.txt            |   0
 webpages/{vm-operator => }/runner.md             |   0
 webpages/{vm-operator => }/upgrading.md          |   0
 webpages/{vm-operator => }/user-gui.md           |   0
 webpages/{vm-operator => }/webgui.md             |   0
 23 files changed, 15 insertions(+), 24 deletions(-)
 rename webpages/{vm-operator => }/02_2_operator.png (100%)
 rename webpages/{vm-operator => }/VM-Operator-GUI-preview.png (100%)
 rename webpages/{vm-operator => }/VM-Operator-GUI-view.png (100%)
 rename webpages/{vm-operator => }/VM-Operator-with-font.svg (100%)
 rename webpages/{vm-operator => }/VM-Operator.svg (100%)
 rename webpages/{vm-operator => }/VmAccess-preview.png (100%)
 rename webpages/{vm-operator => }/admin-gui.md (100%)
 rename webpages/{vm-operator => }/controller.md (100%)
 rename webpages/{vm-operator => }/favicon.svg (100%)
 rename webpages/{vm-operator => }/index-pic.svg (100%)
 delete mode 100644 webpages/index.html
 rename webpages/{vm-operator => }/index.md (100%)
 rename webpages/{vm-operator => }/manager.md (100%)
 rename webpages/{vm-operator => }/pools.md (100%)
 rename webpages/{vm-operator => }/robots.txt (100%)
 rename webpages/{vm-operator => }/runner.md (100%)
 rename webpages/{vm-operator => }/upgrading.md (100%)
 rename webpages/{vm-operator => }/user-gui.md (100%)
 rename webpages/{vm-operator => }/webgui.md (100%)

diff --git a/.github/workflows/jekyll.yml b/.github/workflows/jekyll.yml
index 58609d6..b5acc1f 100644
--- a/.github/workflows/jekyll.yml
+++ b/.github/workflows/jekyll.yml
@@ -60,9 +60,9 @@ jobs:
       - name: Build apidocs
         run: ./gradlew apidocs
       - name: Copy javadoc
-        run: cp -a build/javadoc webpages/_site/vm-operator/
+        run: cp -a build/javadoc webpages/_site/
       - name: Index pagefind
-        run: cd webpages && npx pagefind --source "_site/vm-operator"          
+        run: cd webpages && npx pagefind --source "_site"          
       - name: Upload artifact
         # Automatically uploads an artifact from the './_site' directory by default
         uses: actions/upload-pages-artifact@v3
diff --git a/misc/javadoc.bottom.txt b/misc/javadoc.bottom.txt
index c858345..dfc3373 100644
--- a/misc/javadoc.bottom.txt
+++ b/misc/javadoc.bottom.txt
@@ -22,13 +22,14 @@
       _paq.push(['trackPageView']);
       _paq.push(['enableLinkTracking']);
       (function() {
-        var u="//piwik.mnl.de/";
+        var u="https://piwik.mnl.de/";
         _paq.push(['setTrackerUrl', u+'piwik.php']);
         _paq.push(['setSiteId', '17']);
         var d=document, g=d.createElement('script'), s=d.getElementsByTagName('script')[0];
         g.type='text/javascript'; g.async=true; g.defer=true; g.src=u+'piwik.js'; s.parentNode.insertBefore(g,s);
       })();
     </script>
-    <noscript><p><img referrerpolicy="no-referrer-when-downgrade" src="//piwik.mnl.de/matomo.php?idsite=17&amp;rec=1" style="border:0;" alt="" /></p></noscript>
+    <noscript><p><img referrerpolicy="no-referrer-when-downgrade"
+      src="//piwik.mnl.de/matomo.php?idsite=17&amp;rec=1&amp;action_name=VM-Operator" style="border:0;" alt="" /></p></noscript>
     <!-- End Matomo Code -->
 </div>
\ No newline at end of file
diff --git a/webpages/vm-operator/02_2_operator.png b/webpages/02_2_operator.png
similarity index 100%
rename from webpages/vm-operator/02_2_operator.png
rename to webpages/02_2_operator.png
diff --git a/webpages/vm-operator/VM-Operator-GUI-preview.png b/webpages/VM-Operator-GUI-preview.png
similarity index 100%
rename from webpages/vm-operator/VM-Operator-GUI-preview.png
rename to webpages/VM-Operator-GUI-preview.png
diff --git a/webpages/vm-operator/VM-Operator-GUI-view.png b/webpages/VM-Operator-GUI-view.png
similarity index 100%
rename from webpages/vm-operator/VM-Operator-GUI-view.png
rename to webpages/VM-Operator-GUI-view.png
diff --git a/webpages/vm-operator/VM-Operator-with-font.svg b/webpages/VM-Operator-with-font.svg
similarity index 100%
rename from webpages/vm-operator/VM-Operator-with-font.svg
rename to webpages/VM-Operator-with-font.svg
diff --git a/webpages/vm-operator/VM-Operator.svg b/webpages/VM-Operator.svg
similarity index 100%
rename from webpages/vm-operator/VM-Operator.svg
rename to webpages/VM-Operator.svg
diff --git a/webpages/vm-operator/VmAccess-preview.png b/webpages/VmAccess-preview.png
similarity index 100%
rename from webpages/vm-operator/VmAccess-preview.png
rename to webpages/VmAccess-preview.png
diff --git a/webpages/_includes/matomo.html b/webpages/_includes/matomo.html
index 75978bc..adb7c30 100644
--- a/webpages/_includes/matomo.html
+++ b/webpages/_includes/matomo.html
@@ -9,7 +9,7 @@
   _paq.push(['trackPageView']);
   _paq.push(['enableLinkTracking']);
   (function() {
-    var u="//piwik.mnl.de/";
+    var u="https://piwik.mnl.de/";
     _paq.push(['setTrackerUrl', u+'piwik.php']);
     _paq.push(['setSiteId', '17']);
     var d=document, g=d.createElement('script'), s=d.getElementsByTagName('script')[0];
@@ -17,7 +17,7 @@
   })();
 </script>
 <noscript>
-<img src="https://piwik.mnl.de/piwik.php?idsite=17&amp;rec=1&amp;action_name=JGrapes" style="border:0" alt="" />
+<img src="https://piwik.mnl.de/piwik.php?idsite=17&amp;rec=1&amp;action_name=VM-Operator" style="border:0" alt="" />
 </noscript>
 <!-- End Matomo Code -->
 
diff --git a/webpages/_layouts/vm-operator.html b/webpages/_layouts/vm-operator.html
index 6d0df26..590412a 100644
--- a/webpages/_layouts/vm-operator.html
+++ b/webpages/_layouts/vm-operator.html
@@ -5,18 +5,19 @@
     <meta http-equiv="X-UA-Compatible" content="chrome=1">
     <meta name="referrer" content="no-referrer">
     <link rel="icon" type="image/svg+xml" href="favicon.svg" sizes="any">
-    <link rel="stylesheet" href="../stylesheets/styles.css">
-    <link rel="stylesheet" href="../stylesheets/pygment_trac.css">
+    <link rel="stylesheet" href="stylesheets/styles.css">
+    <link rel="stylesheet" href="stylesheets/pygment_trac.css">
     <meta name="viewport" content="width=device-width">
     <!--[if lt IE 9]>
     <script src="//html5shiv.googlecode.com/svn/trunk/html5.js"></script>
     <![endif]-->
-    <link href="/vm-operator/pagefind/pagefind-ui.css" rel="stylesheet">
-    <script src="/vm-operator/pagefind/pagefind-ui.js"></script>
+    <link href="pagefind/pagefind-ui.css" rel="stylesheet">
+    <script src="pagefind/pagefind-ui.js"></script>
     <script>
         window.addEventListener('DOMContentLoaded', (event) => {
           new PagefindUI({ element: "#search", showSubResults: true,
-          bundlePath: "/vm-operator/pagefind/",
+          // Regrettably works with absolute path only
+          bundlePath: "/pagefind/",
           // See https://github.com/CloudCannon/pagefind/issues/530
           processResult: function (result) {
               if (result?.meta?.image) {
@@ -40,7 +41,7 @@
       <header>
         <div>
         <div style="float: left;">
-          <div class="index-title"><a style="color: #222;" href="https://jdrupes.org/vm-operator/">VM-Operator</a></div>
+          <div class="index-title"><a style="color: #222;" href="https://vm-operator.jdrupes.org/">VM-Operator</a></div>
           <div class="index-subtitle">By <a href="https://github.com/mnlipp/">Michael N. Lipp</a></div>
           <p><a rel="me" href="https://fosstodon.org/@mnl"><img alt="Mastodon Follow" 
             src="https://img.shields.io/mastodon/follow/108843609567976408?domain=https%3A%2F%2Ffosstodon.org&style=social"></a></p>
@@ -68,7 +69,7 @@
         <li><p class="part-entry"><a href="user-gui.html">For Users</a></p></li>
         </ul>
         <p class="part-list-title"><a href="upgrading.html">Upgrading</a></p>
-        <p class="part-list-title"><a href="https://jdrupes.org/vm-operator/latest-release/javadoc/index.html">Javadoc</a></p>
+        <p class="part-list-title"><a href="https://vm-operator.jdrupes.org/javadoc/index.html">Javadoc</a></p>
 
       </header>
       <section>
diff --git a/webpages/vm-operator/admin-gui.md b/webpages/admin-gui.md
similarity index 100%
rename from webpages/vm-operator/admin-gui.md
rename to webpages/admin-gui.md
diff --git a/webpages/vm-operator/controller.md b/webpages/controller.md
similarity index 100%
rename from webpages/vm-operator/controller.md
rename to webpages/controller.md
diff --git a/webpages/vm-operator/favicon.svg b/webpages/favicon.svg
similarity index 100%
rename from webpages/vm-operator/favicon.svg
rename to webpages/favicon.svg
diff --git a/webpages/vm-operator/index-pic.svg b/webpages/index-pic.svg
similarity index 100%
rename from webpages/vm-operator/index-pic.svg
rename to webpages/index-pic.svg
diff --git a/webpages/index.html b/webpages/index.html
deleted file mode 100644
index daa1b9c..0000000
--- a/webpages/index.html
+++ /dev/null
@@ -1,11 +0,0 @@
-<!DOCTYPE html>
-<html lang="en">
-<head>
-    <meta charset="UTF-8">
-    <meta http-equiv="refresh" content="0; URL=vm-operator/index.html">
-    <title>Redirecting...</title>
-</head>
-<body>
-    <p>If you are not redirected automatically, <a href="vm-operator/index.html">click here</a>.</p>
-</body>
-</html>
diff --git a/webpages/vm-operator/index.md b/webpages/index.md
similarity index 100%
rename from webpages/vm-operator/index.md
rename to webpages/index.md
diff --git a/webpages/vm-operator/manager.md b/webpages/manager.md
similarity index 100%
rename from webpages/vm-operator/manager.md
rename to webpages/manager.md
diff --git a/webpages/vm-operator/pools.md b/webpages/pools.md
similarity index 100%
rename from webpages/vm-operator/pools.md
rename to webpages/pools.md
diff --git a/webpages/vm-operator/robots.txt b/webpages/robots.txt
similarity index 100%
rename from webpages/vm-operator/robots.txt
rename to webpages/robots.txt
diff --git a/webpages/vm-operator/runner.md b/webpages/runner.md
similarity index 100%
rename from webpages/vm-operator/runner.md
rename to webpages/runner.md
diff --git a/webpages/vm-operator/upgrading.md b/webpages/upgrading.md
similarity index 100%
rename from webpages/vm-operator/upgrading.md
rename to webpages/upgrading.md
diff --git a/webpages/vm-operator/user-gui.md b/webpages/user-gui.md
similarity index 100%
rename from webpages/vm-operator/user-gui.md
rename to webpages/user-gui.md
diff --git a/webpages/vm-operator/webgui.md b/webpages/webgui.md
similarity index 100%
rename from webpages/vm-operator/webgui.md
rename to webpages/webgui.md

From 6b6a33e70290ad9ac2a7701dfbddaa905f50ff05 Mon Sep 17 00:00:00 2001
From: "Michael N. Lipp" <mnl@mnl.de>
Date: Mon, 3 Mar 2025 10:21:33 +0100
Subject: [PATCH 174/274] Need full fetch for javadoc build.

---
 .github/workflows/jekyll.yml | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/.github/workflows/jekyll.yml b/.github/workflows/jekyll.yml
index b5acc1f..122c4bc 100644
--- a/.github/workflows/jekyll.yml
+++ b/.github/workflows/jekyll.yml
@@ -35,6 +35,8 @@ jobs:
     steps:
       - name: Checkout
         uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
       - name: Setup Ruby
         uses: ruby/setup-ruby@v1
         with:

From fa53a07a52d5ab7a3c0a2c32819c705c31862255 Mon Sep 17 00:00:00 2001
From: "Michael N. Lipp" <mnl@mnl.de>
Date: Mon, 3 Mar 2025 10:41:16 +0100
Subject: [PATCH 175/274] Update.

---
 webpages/index.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/webpages/index.md b/webpages/index.md
index 5cd2d58..ea9c5eb 100644
--- a/webpages/index.md
+++ b/webpages/index.md
@@ -11,7 +11,7 @@ layout: vm-operator
 
 ![Overview picture](index-pic.svg)
 
-The goal of this project is to provide an easy to use and flexible solution
+This project provides an easy to use and flexible solution
 for running Qemu/KVM based VMs in Kubernetes pods.
 
 The image used for the VM pods combines Qemu and a control program

From 51a72a162d76b4ed68b1f67cfe5214ea626c3cc3 Mon Sep 17 00:00:00 2001
From: "Michael N. Lipp" <mnl@mnl.de>
Date: Mon, 3 Mar 2025 10:50:58 +0100
Subject: [PATCH 176/274] Sitemap generated by jekyll is incomplete.

---
 .github/workflows/jekyll.yml | 5 +++++
 webpages/Gemfile             | 1 -
 webpages/_config.yml         | 1 -
 3 files changed, 5 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/jekyll.yml b/.github/workflows/jekyll.yml
index 122c4bc..d0e4ec9 100644
--- a/.github/workflows/jekyll.yml
+++ b/.github/workflows/jekyll.yml
@@ -63,6 +63,11 @@ jobs:
         run: ./gradlew apidocs
       - name: Copy javadoc
         run: cp -a build/javadoc webpages/_site/
+      - name: Generate the sitemap
+        uses: cicirello/generate-sitemap@v1
+        with:
+          path-to-root: webpages/_site
+          base-url-path: https://vm-operator.jdrupes.org
       - name: Index pagefind
         run: cd webpages && npx pagefind --source "_site"          
       - name: Upload artifact
diff --git a/webpages/Gemfile b/webpages/Gemfile
index 3e965ca..ecbbb7d 100644
--- a/webpages/Gemfile
+++ b/webpages/Gemfile
@@ -2,5 +2,4 @@ source 'https://rubygems.org'
 # gem 'github-pages', group: :jekyll_plugins
 gem "jekyll", "~> 4.0"
 gem "jekyll-seo-tag"
-gem 'jekyll-sitemap'
 gem 'webrick', '~> 1.3', '>= 1.3.1'
diff --git a/webpages/_config.yml b/webpages/_config.yml
index 1ebd835..a2162f7 100644
--- a/webpages/_config.yml
+++ b/webpages/_config.yml
@@ -1,6 +1,5 @@
 plugins:
   - jekyll-seo-tag
-  - jekyll-sitemap
 
 url: "https://vm-operator.jdrupes.org"
     

From d4fdd4209fbc93afab33ed6819e0d1866537baac Mon Sep 17 00:00:00 2001
From: "Michael N. Lipp" <mnl@mnl.de>
Date: Mon, 3 Mar 2025 10:57:23 +0100
Subject: [PATCH 177/274] Activate sitemap.

---
 webpages/robots.txt | 1 +
 1 file changed, 1 insertion(+)

diff --git a/webpages/robots.txt b/webpages/robots.txt
index c2a49f4..e1ed7b0 100644
--- a/webpages/robots.txt
+++ b/webpages/robots.txt
@@ -1,2 +1,3 @@
 User-agent: *
 Allow: /
+Sitemap: https://vm-operator.jdrupes.org/sitemap.xml

From e871fc059b0d1004330e46a2a064645f8aa8f4a1 Mon Sep 17 00:00:00 2001
From: "Michael N. Lipp" <mnl@mnl.de>
Date: Mon, 3 Mar 2025 11:11:55 +0100
Subject: [PATCH 178/274] Add bing site auth.

---
 webpages/BingSiteAuth.xml | 4 ++++
 1 file changed, 4 insertions(+)
 create mode 100644 webpages/BingSiteAuth.xml

diff --git a/webpages/BingSiteAuth.xml b/webpages/BingSiteAuth.xml
new file mode 100644
index 0000000..b0cf39a
--- /dev/null
+++ b/webpages/BingSiteAuth.xml
@@ -0,0 +1,4 @@
+<?xml version="1.0"?>
+<users>
+	<user>0309051EFD625D32489366E1BE8189EF</user>
+</users>
\ No newline at end of file

From eb3979dc8347fcd3a4d87f6dc13c963dabebf85f Mon Sep 17 00:00:00 2001
From: "Michael N. Lipp" <mnl@mnl.de>
Date: Mon, 3 Mar 2025 11:59:40 +0100
Subject: [PATCH 179/274] Consistent indentation.

---
 webpages/pools.md     | 32 +++++++++++++++----------------
 webpages/upgrading.md | 44 +++++++++++++++++++++----------------------
 2 files changed, 38 insertions(+), 38 deletions(-)

diff --git a/webpages/pools.md b/webpages/pools.md
index a42293e..fd25044 100644
--- a/webpages/pools.md
+++ b/webpages/pools.md
@@ -19,19 +19,19 @@ must support POSIX file access control lists (ACLs).
 
 The VMs should only be accessible via a desktop started by the VM-Operator.
 
- * Disable the display manager.
- 
-   ```console
-   # systemctl disable gdm
-   # systemctl stop gdm
-   ```
+  * Disable the display manager.
+
+    ```console
+    # systemctl disable gdm
+    # systemctl stop gdm
+    ```
    
- * Disable `getty` on tty1.
- 
-   ```console
-   # systemctl mask getty@tty1
-   # systemctl stop getty@tty1
-   ```
+  * Disable `getty` on tty1.
+
+    ```console
+    # systemctl mask getty@tty1
+    # systemctl stop getty@tty1
+    ```
 
 You can, of course, disable `getty` completely. If you do this, make sure
 that you can still access your master VM through `ssh`, else you have
@@ -44,11 +44,11 @@ development purposes and not for production.
    
 The following should actually be configured for any VM.
    
- * Prevent suspend/hibernate, because it will lock the VM.
+  * Prevent suspend/hibernate, because it will lock the VM.
  
-   ```console
-   # systemctl mask sleep.target suspend.target hibernate.target hybrid-sleep.target
-   ```
+    ```console
+    # systemctl mask sleep.target suspend.target hibernate.target hybrid-sleep.target
+    ```
  
 ### Install the VM-Operator agent
 
diff --git a/webpages/upgrading.md b/webpages/upgrading.md
index 6fdbc44..6a7f10f 100644
--- a/webpages/upgrading.md
+++ b/webpages/upgrading.md
@@ -9,31 +9,31 @@ layout: vm-operator
 
 ## To version 4.0.0
 
- * The VmViewer conlet has been renamed to VmAccess. This affects the
-   [configuration](https://jdrupes.org/vm-operator/user-gui.html). Configuration
-   information using the old path
-   `/Manager/GuiHttpServer/ConsoleWeblet/WebConsole/ComponentCollector/VmViewer`
-   is still accepted for backward compatibility until the next major version,
-   but should be updated.
+  * The VmViewer conlet has been renamed to VmAccess. This affects the
+    [configuration](https://jdrupes.org/vm-operator/user-gui.html). 
+    Configuration information using the old path
+    `/Manager/GuiHttpServer/ConsoleWeblet/WebConsole/ComponentCollector/VmViewer`
+    is still accepted for backward compatibility until the next major version,
+    but should be updated.
 
-   The change of name also causes conlets added to the overview page by
-   users to "disappear" from the GUI. They have to be re-added.
+    The change of name also causes conlets added to the overview page by
+    users to "disappear" from the GUI. They have to be re-added.
 
-   The latter behavior also applies to the VmConlet conlet which has been
-   renamed to VmMgmt.
-   
- * The configuration property `passwordValidity` has been moved from component
-   `/Manager/Controller/DisplaySecretMonitor` to
-   `/Manager/Controller/Reconciler/DisplaySecretReconciler`. The old path is 
-   still accepted for backward compatibility until the next major version,
-   but should be updated.
+    The latter behavior also applies to the VmConlet conlet which has been
+    renamed to VmMgmt.
 
- * The standard [template](./runner.html#stand-alone-configuration) used
-   to generate the QEMU command has been updated. Unless you have enabled
-   automatic updates of the template in the VM definition, you have to
-   update the template manually. If you're using your own template, you
-   have to add a virtual serial port (see the git history of the standard
-   template for the required addition).
+  * The configuration property `passwordValidity` has been moved from component
+    `/Manager/Controller/DisplaySecretMonitor` to
+    `/Manager/Controller/Reconciler/DisplaySecretReconciler`. The old path is 
+    still accepted for backward compatibility until the next major version,
+    but should be updated.
+
+  * The standard [template](./runner.html#stand-alone-configuration) used
+    to generate the QEMU command has been updated. Unless you have enabled
+    automatic updates of the template in the VM definition, you have to
+    update the template manually. If you're using your own template, you
+    have to add a virtual serial port (see the git history of the standard
+    template for the required addition).
 
 ## To version 3.4.0
 

From 17e2a7c6f0dd6619b87a809de6ae167f57355611 Mon Sep 17 00:00:00 2001
From: "Michael N. Lipp" <mnl@mnl.de>
Date: Mon, 3 Mar 2025 12:39:50 +0100
Subject: [PATCH 180/274] Fix some codacy issues.

---
 .markdownlint.yaml                            | 38 +++++++++++++++++++
 dev-example/test-vm.tpl.yaml                  |  2 +-
 org.jdrupes.vmoperator.vmaccess/.eclipse-pmd  |  2 +-
 .../jdrupes/vmoperator/vmaccess/VmAccess.java |  2 +-
 .../vmaccess/browser/VmAccess-style.scss      |  1 +
 .../vmmgmt/browser/VmMgmt-style.scss          |  1 +
 webpages/pools.md                             |  4 +-
 webpages/upgrading.md                         |  4 +-
 8 files changed, 47 insertions(+), 7 deletions(-)
 create mode 100644 .markdownlint.yaml

diff --git a/.markdownlint.yaml b/.markdownlint.yaml
new file mode 100644
index 0000000..3501bd3
--- /dev/null
+++ b/.markdownlint.yaml
@@ -0,0 +1,38 @@
+# See https://github.com/DavidAnson/markdownlint/blob/main/schema/.markdownlint.yaml
+
+# Default state for all rules
+default: true
+
+# MD007/ul-indent : Unordered list indentation : 
+# https://github.com/DavidAnson/markdownlint/blob/v0.37.4/doc/md007.md
+MD007:
+  # Spaces for indent
+  indent: 2
+  # Whether to indent the first level of the list
+  start_indented: true
+  # Spaces for first level indent (when start_indented is set)
+  start_indent: 2
+
+# MD025/single-title/single-h1 : Multiple top-level headings in the same document :
+# https://github.com/DavidAnson/markdownlint/blob/v0.37.4/doc/md025.md
+MD025:
+  # Heading level
+  level: 1
+  # RegExp for matching title in front matter (disable)
+  front_matter_title: ""
+
+# MD036/no-emphasis-as-heading : Emphasis used instead of a heading : 
+# https://github.com/DavidAnson/markdownlint/blob/v0.37.4/doc/md036.md
+MD036: false
+  
+# MD043/required-headings : Required heading structure : 
+# https://github.com/DavidAnson/markdownlint/blob/v0.37.4/doc/md043.md
+MD043:
+  # List of headings
+  headings:   [
+      "# Head",
+      "## Item",
+      "### Detail"
+  ]
+  # Match case of headings
+  match_case: false
diff --git a/dev-example/test-vm.tpl.yaml b/dev-example/test-vm.tpl.yaml
index 50031bb..260341e 100644
--- a/dev-example/test-vm.tpl.yaml
+++ b/dev-example/test-vm.tpl.yaml
@@ -14,7 +14,7 @@ spec:
 #    repository: ghcr.io
 #    path: mnlipp/org.jdrupes.vmoperator.runner.qemu-alpine
 #    version: "3.0.0"
-    source: registry.mnl.de/org/jdrupes/vm-operator/org.jdrupes.vmoperator.runner.qemu-arch:testing
+    source: registry.mnl.de/org/jdrupes/vm-operator/org.jdrupes.vmoperator.runner.qemu-arch:feature-auto-login
     pullPolicy: Always
 
   permissions:
diff --git a/org.jdrupes.vmoperator.vmaccess/.eclipse-pmd b/org.jdrupes.vmoperator.vmaccess/.eclipse-pmd
index 5d69caa..60d7780 100644
--- a/org.jdrupes.vmoperator.vmaccess/.eclipse-pmd
+++ b/org.jdrupes.vmoperator.vmaccess/.eclipse-pmd
@@ -4,4 +4,4 @@
   <rulesets>
     <ruleset name="Custom Rules" ref="VM-Operator/ruleset.xml" refcontext="workspace" />
   </rulesets>
-</eclipse-pmd>
+</eclipse-pmd>
\ No newline at end of file
diff --git a/org.jdrupes.vmoperator.vmaccess/src/org/jdrupes/vmoperator/vmaccess/VmAccess.java b/org.jdrupes.vmoperator.vmaccess/src/org/jdrupes/vmoperator/vmaccess/VmAccess.java
index 3b28d1c..ad4ec63 100644
--- a/org.jdrupes.vmoperator.vmaccess/src/org/jdrupes/vmoperator/vmaccess/VmAccess.java
+++ b/org.jdrupes.vmoperator.vmaccess/src/org/jdrupes/vmoperator/vmaccess/VmAccess.java
@@ -265,7 +265,7 @@ public class VmAccess extends FreeMarkerConlet<VmAccess.ResourceModel> {
     public void onConsoleConfigured(ConsoleConfigured event,
             ConsoleConnection connection) throws InterruptedException,
             IOException {
-        @SuppressWarnings("unchecked")
+        @SuppressWarnings({ "unchecked", "PMD.PrematureDeclaration" })
         final var rendered
             = (Set<ResourceModel>) connection.session().get(RENDERED);
         connection.session().remove(RENDERED);
diff --git a/org.jdrupes.vmoperator.vmaccess/src/org/jdrupes/vmoperator/vmaccess/browser/VmAccess-style.scss b/org.jdrupes.vmoperator.vmaccess/src/org/jdrupes/vmoperator/vmaccess/browser/VmAccess-style.scss
index 63ae299..3a291dd 100644
--- a/org.jdrupes.vmoperator.vmaccess/src/org/jdrupes/vmoperator/vmaccess/browser/VmAccess-style.scss
+++ b/org.jdrupes.vmoperator.vmaccess/src/org/jdrupes/vmoperator/vmaccess/browser/VmAccess-style.scss
@@ -24,6 +24,7 @@
   span[role="button"].svg-icon {
     display: inline-block;
     line-height: 1;
+
     /* Align with forkawesome */
     font-size: 14px;
     fill: var(--primary);
diff --git a/org.jdrupes.vmoperator.vmmgmt/src/org/jdrupes/vmoperator/vmmgmt/browser/VmMgmt-style.scss b/org.jdrupes.vmoperator.vmmgmt/src/org/jdrupes/vmoperator/vmmgmt/browser/VmMgmt-style.scss
index 4c11b65..248df56 100644
--- a/org.jdrupes.vmoperator.vmmgmt/src/org/jdrupes/vmoperator/vmmgmt/browser/VmMgmt-style.scss
+++ b/org.jdrupes.vmoperator.vmmgmt/src/org/jdrupes/vmoperator/vmmgmt/browser/VmMgmt-style.scss
@@ -118,6 +118,7 @@
   span[role="button"].svg-icon {
     display: inline-block;
     line-height: 1;
+
     /* Align with forkawesome */
     font-size: 14px;
     fill: var(--primary);
diff --git a/webpages/pools.md b/webpages/pools.md
index fd25044..6b1e75f 100644
--- a/webpages/pools.md
+++ b/webpages/pools.md
@@ -25,7 +25,7 @@ The VMs should only be accessible via a desktop started by the VM-Operator.
     # systemctl disable gdm
     # systemctl stop gdm
     ```
-   
+
   * Disable `getty` on tty1.
 
     ```console
@@ -55,7 +55,7 @@ The following should actually be configured for any VM.
 The VM-Operator agent runs as a systemd service. Sample configuration
 files can be found
 [here](https://github.com/mnlipp/VM-Operator/tree/main/dev-example/vmop-agent).
-Copy 
+Copy
 
   * `99-vmop-agent.rules` to `/usr/local/lib/udev/rules.d/99-vmop-agent.rules`,
   * `vmop-agent` to `/usr/local/libexec/vmop-agent` and
diff --git a/webpages/upgrading.md b/webpages/upgrading.md
index 6a7f10f..c1331e5 100644
--- a/webpages/upgrading.md
+++ b/webpages/upgrading.md
@@ -10,7 +10,7 @@ layout: vm-operator
 ## To version 4.0.0
 
   * The VmViewer conlet has been renamed to VmAccess. This affects the
-    [configuration](https://jdrupes.org/vm-operator/user-gui.html). 
+    [configuration](https://jdrupes.org/vm-operator/user-gui.html).
     Configuration information using the old path
     `/Manager/GuiHttpServer/ConsoleWeblet/WebConsole/ComponentCollector/VmViewer`
     is still accepted for backward compatibility until the next major version,
@@ -24,7 +24,7 @@ layout: vm-operator
 
   * The configuration property `passwordValidity` has been moved from component
     `/Manager/Controller/DisplaySecretMonitor` to
-    `/Manager/Controller/Reconciler/DisplaySecretReconciler`. The old path is 
+    `/Manager/Controller/Reconciler/DisplaySecretReconciler`. The old path is
     still accepted for backward compatibility until the next major version,
     but should be updated.
 

From 701194799fab3c4338221471b13a5a9b68e0a4b8 Mon Sep 17 00:00:00 2001
From: "Michael N. Lipp" <mnl@mnl.de>
Date: Mon, 3 Mar 2025 21:19:34 +0100
Subject: [PATCH 181/274] Reduce to secret query.

---
 ...pareConsole.java => GetDisplaySecret.java} | 50 +++++-------------
 .../manager/DisplaySecretReconciler.java      | 52 ++++++++-----------
 .../jdrupes/vmoperator/vmaccess/VmAccess.java | 11 ++--
 .../org/jdrupes/vmoperator/vmmgmt/VmMgmt.java | 10 ++--
 4 files changed, 43 insertions(+), 80 deletions(-)
 rename org.jdrupes.vmoperator.manager.events/src/org/jdrupes/vmoperator/manager/events/{PrepareConsole.java => GetDisplaySecret.java} (64%)

diff --git a/org.jdrupes.vmoperator.manager.events/src/org/jdrupes/vmoperator/manager/events/PrepareConsole.java b/org.jdrupes.vmoperator.manager.events/src/org/jdrupes/vmoperator/manager/events/GetDisplaySecret.java
similarity index 64%
rename from org.jdrupes.vmoperator.manager.events/src/org/jdrupes/vmoperator/manager/events/PrepareConsole.java
rename to org.jdrupes.vmoperator.manager.events/src/org/jdrupes/vmoperator/manager/events/GetDisplaySecret.java
index ad8f9ce..2f7dbd6 100644
--- a/org.jdrupes.vmoperator.manager.events/src/org/jdrupes/vmoperator/manager/events/PrepareConsole.java
+++ b/org.jdrupes.vmoperator.manager.events/src/org/jdrupes/vmoperator/manager/events/GetDisplaySecret.java
@@ -25,46 +25,29 @@ import org.jgrapes.core.Event;
  * Gets the current display secret and optionally updates it.
  */
 @SuppressWarnings("PMD.DataClass")
-public class PrepareConsole extends Event<String> {
+public class GetDisplaySecret extends Event<String> {
 
     private final VmDefinition vmDef;
     private final String user;
-    private final boolean loginUser;
 
     /**
      * Instantiates a new request for the display secret.
      * After handling the event, a result of `null` means that
-     * no password is needed. No result means that the console
-     * is not accessible.
-     *
-     * @param vmDef the vm name
-     * @param user the requesting user
-     * @param loginUser login the user
-     */
-    public PrepareConsole(VmDefinition vmDef, String user,
-            boolean loginUser) {
-        this.vmDef = vmDef;
-        this.user = user;
-        this.loginUser = loginUser;
-    }
-
-    /**
-     * Instantiates a new request for the display secret.
-     * After handling the event, a result of `null` means that
-     * no password is needed. No result means that the console
+     * no secret is needed. No result means that the console
      * is not accessible.
      * 
      * @param vmDef the vm name
      * @param user the requesting user
      */
-    public PrepareConsole(VmDefinition vmDef, String user) {
-        this(vmDef, user, false);
+    public GetDisplaySecret(VmDefinition vmDef, String user) {
+        this.vmDef = vmDef;
+        this.user = user;
     }
 
     /**
-     * Gets the vm definition.
+     * Gets the VM definition.
      *
-     * @return the vm definition
+     * @return the VM definition
      */
     public VmDefinition vmDefinition() {
         return vmDef;
@@ -79,24 +62,15 @@ public class PrepareConsole extends Event<String> {
         return user;
     }
 
-    /**
-     * Checks if the user should be logged in before allowing access.
-     *
-     * @return the loginUser
-     */
-    public boolean loginUser() {
-        return loginUser;
-    }
-
     /**
      * Returns `true` if a password is available. May only be called
      * when the event is completed. Note that the password returned
-     * by {@link #password()} may be `null`, indicating that no password
+     * by {@link #secret()} may be `null`, indicating that no password
      * is needed.
      *
      * @return true, if successful
      */
-    public boolean passwordAvailable() {
+    public boolean secretAvailable() {
         if (!isDone()) {
             throw new IllegalStateException("Event is not done.");
         }
@@ -104,13 +78,13 @@ public class PrepareConsole extends Event<String> {
     }
 
     /**
-     * Return the password. May only be called when the event has been
-     * completed with a valid result (see {@link #passwordAvailable()}).
+     * Return the secret. May only be called when the event has been
+     * completed with a valid result (see {@link #secretAvailable()}).
      *
      * @return the password. A value of `null` means that no password
      * is required.
      */
-    public String password() {
+    public String secret() {
         if (!isDone() || currentResults().isEmpty()) {
             throw new IllegalStateException("Event is not done.");
         }
diff --git a/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/DisplaySecretReconciler.java b/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/DisplaySecretReconciler.java
index 7c5c3ad..dabffb6 100644
--- a/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/DisplaySecretReconciler.java
+++ b/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/DisplaySecretReconciler.java
@@ -43,7 +43,7 @@ import org.jdrupes.vmoperator.common.Constants.Status;
 import org.jdrupes.vmoperator.common.K8sV1SecretStub;
 import org.jdrupes.vmoperator.common.VmDefinition;
 import org.jdrupes.vmoperator.common.VmDefinitionStub;
-import org.jdrupes.vmoperator.manager.events.PrepareConsole;
+import org.jdrupes.vmoperator.manager.events.GetDisplaySecret;
 import org.jdrupes.vmoperator.manager.events.VmChannel;
 import org.jdrupes.vmoperator.manager.events.VmDefChanged;
 import org.jdrupes.vmoperator.util.DataPath;
@@ -71,7 +71,7 @@ public class DisplaySecretReconciler extends Component {
 
     protected final Logger logger = Logger.getLogger(getClass().getName());
     private int passwordValidity = 10;
-    private final List<PendingPrepare> pendingPrepares
+    private final List<PendingRequest> pendingPrepares
         = Collections.synchronizedList(new LinkedList<>());
 
     /**
@@ -184,21 +184,23 @@ public class DisplaySecretReconciler extends Component {
      */
     @Handler
     @SuppressWarnings("PMD.StringInstantiation")
-    public void onPrepareConsole(PrepareConsole event, VmChannel channel)
+    public void onGetDisplaySecret(GetDisplaySecret event, VmChannel channel)
             throws ApiException {
-        // Update console user in status
-        var vmDef = updateConsoleUser(event, channel);
-        if (vmDef == null) {
+        // Get VM definition and check if running
+        var vmStub = VmDefinitionStub.get(channel.client(),
+            new GroupVersionKind(Crd.GROUP, "", Crd.KIND_VM),
+            event.vmDefinition().namespace(), event.vmDefinition().name());
+        var vmDef = vmStub.model().orElse(null);
+        if (vmDef == null || !vmDef.conditionStatus("Running").orElse(false)) {
             return;
         }
 
-        // Check if access is possible
-        if (event.loginUser()
-            ? !vmDef.<String> fromStatus(Status.LOGGED_IN_USER)
-                .map(u -> u.equals(event.user())).orElse(false)
-            : !vmDef.conditionStatus("Running").orElse(false)) {
-            return;
-        }
+        // Update console user in status
+        vmDef = vmStub.updateStatus(from -> {
+            JsonObject status = from.statusJson();
+            status.addProperty(Status.CONSOLE_USER, event.user());
+            return status;
+        }).get();
 
         // Get secret and update password in secret
         var stub = getSecretStub(event, channel, vmDef);
@@ -212,7 +214,7 @@ public class DisplaySecretReconciler extends Component {
 
         // Register wait for confirmation (by VM status change,
         // after secret update)
-        var pending = new PendingPrepare(event,
+        var pending = new PendingRequest(event,
             event.vmDefinition().displayPasswordSerial().orElse(0L) + 1,
             new CompletionLock(event, 1500));
         pendingPrepares.add(pending);
@@ -224,19 +226,7 @@ public class DisplaySecretReconciler extends Component {
         stub.update(secret).getObject();
     }
 
-    private VmDefinition updateConsoleUser(PrepareConsole event,
-            VmChannel channel) throws ApiException {
-        var vmStub = VmDefinitionStub.get(channel.client(),
-            new GroupVersionKind(Crd.GROUP, "", Crd.KIND_VM),
-            event.vmDefinition().namespace(), event.vmDefinition().name());
-        return vmStub.updateStatus(from -> {
-            JsonObject status = from.statusJson();
-            status.addProperty(Status.CONSOLE_USER, event.user());
-            return status;
-        }).orElse(null);
-    }
-
-    private K8sV1SecretStub getSecretStub(PrepareConsole event,
+    private K8sV1SecretStub getSecretStub(GetDisplaySecret event,
             VmChannel channel, VmDefinition vmDef) throws ApiException {
         // Look for secret
         ListOptions options = new ListOptions();
@@ -253,7 +243,7 @@ public class DisplaySecretReconciler extends Component {
         return stubs.iterator().next();
     }
 
-    private boolean updatePassword(V1Secret secret, PrepareConsole event) {
+    private boolean updatePassword(V1Secret secret, GetDisplaySecret event) {
         var expiry = Optional.ofNullable(secret.getData()
             .get(DisplaySecret.EXPIRY)).map(b -> new String(b)).orElse(null);
         if (secret.getData().get(DisplaySecret.PASSWORD) != null
@@ -323,8 +313,8 @@ public class DisplaySecretReconciler extends Component {
      * The Class PendingGet.
      */
     @SuppressWarnings("PMD.DataClass")
-    private static class PendingPrepare {
-        public final PrepareConsole event;
+    private static class PendingRequest {
+        public final GetDisplaySecret event;
         public final long expectedSerial;
         public final CompletionLock lock;
 
@@ -334,7 +324,7 @@ public class DisplaySecretReconciler extends Component {
          * @param event the event
          * @param expectedSerial the expected serial
          */
-        public PendingPrepare(PrepareConsole event, long expectedSerial,
+        public PendingRequest(GetDisplaySecret event, long expectedSerial,
                 CompletionLock lock) {
             super();
             this.event = event;
diff --git a/org.jdrupes.vmoperator.vmaccess/src/org/jdrupes/vmoperator/vmaccess/VmAccess.java b/org.jdrupes.vmoperator.vmaccess/src/org/jdrupes/vmoperator/vmaccess/VmAccess.java
index ad4ec63..74a9f76 100644
--- a/org.jdrupes.vmoperator.vmaccess/src/org/jdrupes/vmoperator/vmaccess/VmAccess.java
+++ b/org.jdrupes.vmoperator.vmaccess/src/org/jdrupes/vmoperator/vmaccess/VmAccess.java
@@ -49,11 +49,11 @@ import org.jdrupes.vmoperator.common.VmDefinition;
 import org.jdrupes.vmoperator.common.VmDefinition.Permission;
 import org.jdrupes.vmoperator.common.VmPool;
 import org.jdrupes.vmoperator.manager.events.AssignVm;
+import org.jdrupes.vmoperator.manager.events.GetDisplaySecret;
 import org.jdrupes.vmoperator.manager.events.GetPools;
 import org.jdrupes.vmoperator.manager.events.GetVms;
 import org.jdrupes.vmoperator.manager.events.GetVms.VmData;
 import org.jdrupes.vmoperator.manager.events.ModifyVm;
-import org.jdrupes.vmoperator.manager.events.PrepareConsole;
 import org.jdrupes.vmoperator.manager.events.ResetVm;
 import org.jdrupes.vmoperator.manager.events.VmChannel;
 import org.jdrupes.vmoperator.manager.events.VmDefChanged;
@@ -808,18 +808,17 @@ public class VmAccess extends FreeMarkerConlet<VmAccess.ResourceModel> {
                 Map.of("autoClose", 5_000, "type", "Warning")));
             return;
         }
-        var pwQuery = Event.onCompletion(new PrepareConsole(vmDef, user,
-            model.mode() == ResourceModel.Mode.POOL),
+        var pwQuery = Event.onCompletion(new GetDisplaySecret(vmDef, user),
             e -> gotPassword(channel, model, vmDef, e));
         fire(pwQuery, vmChannel);
     }
 
     private void gotPassword(ConsoleConnection channel, ResourceModel model,
-            VmDefinition vmDef, PrepareConsole event) {
-        if (!event.passwordAvailable()) {
+            VmDefinition vmDef, GetDisplaySecret event) {
+        if (!event.secretAvailable()) {
             return;
         }
-        vmDef.extra().map(xtra -> xtra.connectionFile(event.password(),
+        vmDef.extra().map(xtra -> xtra.connectionFile(event.secret(),
             preferredIpVersion, deleteConnectionFile))
             .ifPresent(cf -> channel.respond(new NotifyConletView(type(),
                 model.getConletId(), "openConsole", cf)));
diff --git a/org.jdrupes.vmoperator.vmmgmt/src/org/jdrupes/vmoperator/vmmgmt/VmMgmt.java b/org.jdrupes.vmoperator.vmmgmt/src/org/jdrupes/vmoperator/vmmgmt/VmMgmt.java
index 6d3891d..ac16803 100644
--- a/org.jdrupes.vmoperator.vmmgmt/src/org/jdrupes/vmoperator/vmmgmt/VmMgmt.java
+++ b/org.jdrupes.vmoperator.vmmgmt/src/org/jdrupes/vmoperator/vmmgmt/VmMgmt.java
@@ -44,8 +44,8 @@ import org.jdrupes.vmoperator.common.VmDefinition;
 import org.jdrupes.vmoperator.common.VmDefinition.Permission;
 import org.jdrupes.vmoperator.common.VmExtraData;
 import org.jdrupes.vmoperator.manager.events.ChannelTracker;
+import org.jdrupes.vmoperator.manager.events.GetDisplaySecret;
 import org.jdrupes.vmoperator.manager.events.ModifyVm;
-import org.jdrupes.vmoperator.manager.events.PrepareConsole;
 import org.jdrupes.vmoperator.manager.events.ResetVm;
 import org.jdrupes.vmoperator.manager.events.VmChannel;
 import org.jdrupes.vmoperator.manager.events.VmDefChanged;
@@ -484,17 +484,17 @@ public class VmMgmt extends FreeMarkerConlet<VmMgmt.VmsModel> {
                 Map.of("autoClose", 5_000, "type", "Warning")));
             return;
         }
-        var pwQuery = Event.onCompletion(new PrepareConsole(vmDef, user),
+        var pwQuery = Event.onCompletion(new GetDisplaySecret(vmDef, user),
             e -> gotPassword(channel, model, vmDef, e));
         fire(pwQuery, vmChannel);
     }
 
     private void gotPassword(ConsoleConnection channel, VmsModel model,
-            VmDefinition vmDef, PrepareConsole event) {
-        if (!event.passwordAvailable()) {
+            VmDefinition vmDef, GetDisplaySecret event) {
+        if (!event.secretAvailable()) {
             return;
         }
-        vmDef.extra().map(xtra -> xtra.connectionFile(event.password(),
+        vmDef.extra().map(xtra -> xtra.connectionFile(event.secret(),
             preferredIpVersion, deleteConnectionFile)).ifPresent(
                 cf -> channel.respond(new NotifyConletView(type(),
                     model.getConletId(), "openConsole", cf)));

From dfe30384632ad20979b71fcf14ba168b9e0b5881 Mon Sep 17 00:00:00 2001
From: "Michael N. Lipp" <mnl@mnl.de>
Date: Mon, 3 Mar 2025 21:26:10 +0100
Subject: [PATCH 182/274] So auto login according to pool setting.

---
 deploy/crds/vmpools-crd.yaml                  |  6 +++
 dev-example/test-pool.yaml                    |  1 +
 .../org/jdrupes/vmoperator/common/VmPool.java | 50 ++++++++-----------
 .../vmoperator/manager/PoolMonitor.java       |  9 ++--
 .../jdrupes/vmoperator/manager/VmMonitor.java |  4 ++
 5 files changed, 36 insertions(+), 34 deletions(-)

diff --git a/deploy/crds/vmpools-crd.yaml b/deploy/crds/vmpools-crd.yaml
index b34d096..2144940 100644
--- a/deploy/crds/vmpools-crd.yaml
+++ b/deploy/crds/vmpools-crd.yaml
@@ -25,6 +25,12 @@ spec:
                   type: string
                   pattern: '^(?:\d{4}-(?:0[1-9]|1[0-2])-(?:0[1-9]|[12]\d|3[01])T(?:[01]\d|2[0-3]):[0-5]\d:[0-5]\d(?:\.\d{1,9})?(?:Z|[+-](?:[01]\d|2[0-3])(?:|:?[0-5]\d))|P(?:\d+Y)?(?:\d+M)?(?:\d+W)?(?:\d+D)?(?:T(?:\d+[Hh])?(?:\d+[Mm])?(?:\d+(?:\.\d{1,9})?[Ss])?)?)$'
                   default: "PT1h"
+                loginOnAssignment:
+                  description: >-
+                    If set to true, the user will be automatically logged in
+                    to the VM's console when the VM is assigned to him.
+                  type: boolean
+                  default: false
                 permissions:
                   type: array
                   description: >-
diff --git a/dev-example/test-pool.yaml b/dev-example/test-pool.yaml
index a72a623..497aaf7 100644
--- a/dev-example/test-pool.yaml
+++ b/dev-example/test-pool.yaml
@@ -5,6 +5,7 @@ metadata:
   name: test-vms
 spec:
   retention: "PT1m"
+  loginOnAssignment: true
   permissions:
   - user: admin
     may:
diff --git a/org.jdrupes.vmoperator.common/src/org/jdrupes/vmoperator/common/VmPool.java b/org.jdrupes.vmoperator.common/src/org/jdrupes/vmoperator/common/VmPool.java
index e0817d5..155609f 100644
--- a/org.jdrupes.vmoperator.common/src/org/jdrupes/vmoperator/common/VmPool.java
+++ b/org.jdrupes.vmoperator.common/src/org/jdrupes/vmoperator/common/VmPool.java
@@ -37,8 +37,9 @@ import org.jdrupes.vmoperator.util.DataPath;
 @SuppressWarnings({ "PMD.DataClass" })
 public class VmPool {
 
-    private String name;
+    private final String name;
     private String retention;
+    private boolean loginOnAssignment;
     private boolean defined;
     private List<Grant> permissions = Collections.emptyList();
     private final Set<String> vms
@@ -53,6 +54,19 @@ public class VmPool {
         this.name = name;
     }
 
+    /**
+     * Fill the properties of a provisionally created pool from
+     * the definition.
+     *
+     * @param definition the definition
+     */
+    public void defineFrom(VmPool definition) {
+        retention = definition.retention();
+        permissions = definition.permissions();
+        loginOnAssignment = definition.loginOnAssignment();
+        defined = true;
+    }
+
     /**
      * Returns the name.
      *
@@ -63,12 +77,12 @@ public class VmPool {
     }
 
     /**
-     * Sets the name.
+     * Checks if is login on assignment.
      *
-     * @param name the name to set
+     * @return the loginOnAssignment
      */
-    public void setName(String name) {
-        this.name = name;
+    public boolean loginOnAssignment() {
+        return loginOnAssignment;
     }
 
     /**
@@ -81,12 +95,10 @@ public class VmPool {
     }
 
     /**
-     * Sets if is.
-     *
-     * @param defined the defined to set
+     * Marks the pool as undefined.
      */
-    public void setDefined(boolean defined) {
-        this.defined = defined;
+    public void setUndefined() {
+        defined = false;
     }
 
     /**
@@ -98,15 +110,6 @@ public class VmPool {
         return retention;
     }
 
-    /**
-     * Sets the retention.
-     *
-     * @param retention the retention to set
-     */
-    public void setRetention(String retention) {
-        this.retention = retention;
-    }
-
     /**
      * Permissions granted for a VM from the pool.
      *
@@ -116,15 +119,6 @@ public class VmPool {
         return permissions;
     }
 
-    /**
-     * Sets the permissions.
-     *
-     * @param permissions the permissions to set
-     */
-    public void setPermissions(List<Grant> permissions) {
-        this.permissions = permissions;
-    }
-
     /**
      * Returns the VM names.
      *
diff --git a/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/PoolMonitor.java b/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/PoolMonitor.java
index 1ea15e1..0e25803 100644
--- a/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/PoolMonitor.java
+++ b/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/PoolMonitor.java
@@ -105,7 +105,7 @@ public class PoolMonitor extends
         // When pool is deleted, save VMs in pending
         if (type == ResponseType.DELETED) {
             Optional.ofNullable(pools.get(poolName)).ifPresent(pool -> {
-                pool.setDefined(false);
+                pool.setUndefined();
                 if (pool.vms().isEmpty()) {
                     pools.remove(poolName);
                 }
@@ -129,11 +129,8 @@ public class PoolMonitor extends
 
         // Get pool and merge changes
         var vmPool = pools.computeIfAbsent(poolName, k -> new VmPool(poolName));
-        var newData = client().getJSON().getGson().fromJson(
-            GsonPtr.to(poolModel.data()).to("spec").get(), VmPool.class);
-        vmPool.setRetention(newData.retention());
-        vmPool.setPermissions(newData.permissions());
-        vmPool.setDefined(true);
+        vmPool.defineFrom(client().getJSON().getGson().fromJson(
+            GsonPtr.to(poolModel.data()).to("spec").get(), VmPool.class));
         poolPipeline.fire(new VmPoolChanged(vmPool));
     }
 
diff --git a/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/VmMonitor.java b/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/VmMonitor.java
index 4f8ac77..9e080e6 100644
--- a/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/VmMonitor.java
+++ b/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/VmMonitor.java
@@ -301,6 +301,10 @@ public class VmMonitor extends
                 // Make sure that a newly assigned VM is running.
                 chosenVm.pipeline().fire(new ModifyVm(vmDef.name(),
                     "state", "Running", chosenVm));
+                if (vmPool.loginOnAssignment()) {
+                    chosenVm.pipeline().fire(new ModifyVm(vmDef.name(),
+                        "display/loggedInUser", event.toUser(), chosenVm));
+                }
                 return;
             }
         }

From 28b1903acc4b17e806ce71e392b1ba49b97d9388 Mon Sep 17 00:00:00 2001
From: "Michael N. Lipp" <mnl@mnl.de>
Date: Tue, 4 Mar 2025 09:00:13 +0100
Subject: [PATCH 183/274] Extend accessibility check.

---
 .../vmoperator/common/VmDefinition.java       | 30 +++++++++++++++++--
 .../vmoperator/vmaccess/l10n.properties       |  2 +-
 .../vmoperator/vmaccess/l10n_de.properties    |  2 +-
 .../jdrupes/vmoperator/vmaccess/VmAccess.java |  2 +-
 4 files changed, 30 insertions(+), 6 deletions(-)

diff --git a/org.jdrupes.vmoperator.common/src/org/jdrupes/vmoperator/common/VmDefinition.java b/org.jdrupes.vmoperator.common/src/org/jdrupes/vmoperator/common/VmDefinition.java
index a42d2d4..5699017 100644
--- a/org.jdrupes.vmoperator.common/src/org/jdrupes/vmoperator/common/VmDefinition.java
+++ b/org.jdrupes.vmoperator.common/src/org/jdrupes/vmoperator/common/VmDefinition.java
@@ -377,10 +377,34 @@ public class VmDefinition extends K8sDynamicModel {
      * @param permissions the permissions
      * @return true, if successful
      */
+    @SuppressWarnings("PMD.SimplifyBooleanReturns")
     public boolean consoleAccessible(String user, Set<Permission> permissions) {
-        return !conditionStatus("ConsoleConnected").orElse(true)
-            || consoleUser().map(cu -> cu.equals(user)).orElse(true)
-            || permissions.contains(VmDefinition.Permission.TAKE_CONSOLE);
+        // If user has takeConsole permission, console is always accessible
+        if (permissions.contains(VmDefinition.Permission.TAKE_CONSOLE)) {
+            return true;
+        }
+
+        // Check if an automatic login is requested. If so, allow access only
+        // if the log in has been established
+        var wantedLogIn = DataPath.<String> get(spec(), "vm", "display",
+            "loggedInUser").orElse(null);
+        if (wantedLogIn != null
+            && !wantedLogIn.equals(status().get(Status.LOGGED_IN_USER))) {
+            return false;
+        }
+
+        // If the console is not in use, allow access
+        if (!conditionStatus("ConsoleConnected").orElse(true)) {
+            return true;
+        }
+
+        // If the console is in use by the user, allow access
+        if (consoleUser().map(cu -> cu.equals(user)).orElse(true)) {
+            return true;
+        }
+
+        // Else deny access
+        return false;
     }
 
     /**
diff --git a/org.jdrupes.vmoperator.vmaccess/resources/org/jdrupes/vmoperator/vmaccess/l10n.properties b/org.jdrupes.vmoperator.vmaccess/resources/org/jdrupes/vmoperator/vmaccess/l10n.properties
index 8f4051e..6ec24aa 100644
--- a/org.jdrupes.vmoperator.vmaccess/resources/org/jdrupes/vmoperator/vmaccess/l10n.properties
+++ b/org.jdrupes.vmoperator.vmaccess/resources/org/jdrupes/vmoperator/vmaccess/l10n.properties
@@ -5,5 +5,5 @@ okayLabel = Apply and Close
 confirmResetTitle = Confirm reset
 confirmResetMsg = Resetting the VM may cause loss of data. \
   Please confirm to continue.
-consoleTakenNotification = Console access is locked by another user.
+consoleInaccessibleNotification = Console is not ready or in use.
 poolEmptyNotification = No VM available. Please consult your administrator.
diff --git a/org.jdrupes.vmoperator.vmaccess/resources/org/jdrupes/vmoperator/vmaccess/l10n_de.properties b/org.jdrupes.vmoperator.vmaccess/resources/org/jdrupes/vmoperator/vmaccess/l10n_de.properties
index e51eb5e..28c01f0 100644
--- a/org.jdrupes.vmoperator.vmaccess/resources/org/jdrupes/vmoperator/vmaccess/l10n_de.properties
+++ b/org.jdrupes.vmoperator.vmaccess/resources/org/jdrupes/vmoperator/vmaccess/l10n_de.properties
@@ -11,7 +11,7 @@ Open\ console = Konsole anzeigen
 confirmResetTitle = Zurücksetzen bestätigen
 confirmResetMsg = Zurücksetzen der VM kann zu Datenverlust führen. \
   Bitte bestätigen um fortzufahren.
-consoleTakenNotification = Die Konsole wird von einem anderen Benutzer verwendet.
+consoleInaccessibleNotification = Die Konsole ist nicht bereit oder belegt.
 poolEmptyNotification = Keine VM verfügbar. Wenden Sie sich bitte an den \
   Systemadministrator.
   
\ No newline at end of file
diff --git a/org.jdrupes.vmoperator.vmaccess/src/org/jdrupes/vmoperator/vmaccess/VmAccess.java b/org.jdrupes.vmoperator.vmaccess/src/org/jdrupes/vmoperator/vmaccess/VmAccess.java
index 74a9f76..d6d9e64 100644
--- a/org.jdrupes.vmoperator.vmaccess/src/org/jdrupes/vmoperator/vmaccess/VmAccess.java
+++ b/org.jdrupes.vmoperator.vmaccess/src/org/jdrupes/vmoperator/vmaccess/VmAccess.java
@@ -804,7 +804,7 @@ public class VmAccess extends FreeMarkerConlet<VmAccess.ResourceModel> {
             .map(ConsoleUser::getName).orElse("");
         if (!vmDef.consoleAccessible(user, perms)) {
             channel.respond(new DisplayNotification(
-                resourceBundle.getString("consoleTakenNotification"),
+                resourceBundle.getString("consoleInaccessibleNotification"),
                 Map.of("autoClose", 5_000, "type", "Warning")));
             return;
         }

From bfe4c2bb32ac1ce12f6f99ffc45af9aff9c89055 Mon Sep 17 00:00:00 2001
From: "Michael N. Lipp" <mnl@mnl.de>
Date: Tue, 4 Mar 2025 13:33:54 +0100
Subject: [PATCH 184/274] Set loggedInUser via Reconciler.

---
 .../vmoperator/common/VmDefinition.java       | 38 ++++------
 .../org/jdrupes/vmoperator/common/VmPool.java |  6 +-
 .../manager/events/UpdateAssignment.java      | 17 +++--
 .../vmoperator/manager/runnerConfig.ftl.yaml  |  4 +-
 .../vmoperator/manager/Controller.java        |  2 +-
 .../vmoperator/manager/PoolMonitor.java       |  7 +-
 .../vmoperator/manager/Reconciler.java        | 73 +++++++++++++------
 .../jdrupes/vmoperator/manager/VmMonitor.java | 18 ++---
 .../org/jdrupes/vmoperator/util/GsonPtr.java  | 12 +++
 .../jdrupes/vmoperator/vmaccess/VmAccess.java |  8 +-
 10 files changed, 111 insertions(+), 74 deletions(-)

diff --git a/org.jdrupes.vmoperator.common/src/org/jdrupes/vmoperator/common/VmDefinition.java b/org.jdrupes.vmoperator.common/src/org/jdrupes/vmoperator/common/VmDefinition.java
index 5699017..6a27723 100644
--- a/org.jdrupes.vmoperator.common/src/org/jdrupes/vmoperator/common/VmDefinition.java
+++ b/org.jdrupes.vmoperator.common/src/org/jdrupes/vmoperator/common/VmDefinition.java
@@ -141,6 +141,16 @@ public class VmDefinition extends K8sDynamicModel {
         }
     }
 
+    /**
+     * The assignment information.
+     *
+     * @param pool the pool
+     * @param user the user
+     * @param lastUsed the last used
+     */
+    public record Assignment(String pool, String user, Instant lastUsed) {
+    }
+
     /**
      * Instantiates a new vm definition.
      *
@@ -215,31 +225,15 @@ public class VmDefinition extends K8sDynamicModel {
     }
 
     /**
-     * The pool that the VM was taken from.
+     * The assignment information.
      *
      * @return the optional
      */
-    public Optional<String> assignedFrom() {
-        return fromStatus(Status.ASSIGNMENT, "pool");
-    }
-
-    /**
-     * The user that the VM was assigned to.
-     *
-     * @return the optional
-     */
-    public Optional<String> assignedTo() {
-        return fromStatus(Status.ASSIGNMENT, "user");
-    }
-
-    /**
-     * Last usage of assigned VM.
-     *
-     * @return the optional
-     */
-    public Optional<Instant> assignmentLastUsed() {
-        return this.<String> fromStatus(Status.ASSIGNMENT, "lastUsed")
-            .map(Instant::parse);
+    public Optional<Assignment> assignment() {
+        return this.<Map<String, Object>> fromStatus(Status.ASSIGNMENT)
+            .filter(m -> !m.isEmpty()).map(a -> new Assignment(
+                a.get("pool").toString(), a.get("user").toString(),
+                Instant.parse(a.get("lastUsed").toString())));
     }
 
     /**
diff --git a/org.jdrupes.vmoperator.common/src/org/jdrupes/vmoperator/common/VmPool.java b/org.jdrupes.vmoperator.common/src/org/jdrupes/vmoperator/common/VmPool.java
index 155609f..7c13ddb 100644
--- a/org.jdrupes.vmoperator.common/src/org/jdrupes/vmoperator/common/VmPool.java
+++ b/org.jdrupes.vmoperator.common/src/org/jdrupes/vmoperator/common/VmPool.java
@@ -27,6 +27,7 @@ import java.util.List;
 import java.util.Set;
 import java.util.function.Function;
 import java.util.stream.Collectors;
+import org.jdrupes.vmoperator.common.VmDefinition.Assignment;
 import org.jdrupes.vmoperator.common.VmDefinition.Grant;
 import org.jdrupes.vmoperator.common.VmDefinition.Permission;
 import org.jdrupes.vmoperator.util.DataPath;
@@ -165,13 +166,12 @@ public class VmPool {
         }
 
         // If not assigned, it's usable
-        if (vmDef.assignedTo().isEmpty()) {
+        if (vmDef.assignment().isEmpty()) {
             return true;
         }
 
         // Check if it is to be retained
-        if (vmDef.assignmentLastUsed()
-            .map(this::retainUntil)
+        if (vmDef.assignment().map(Assignment::lastUsed).map(this::retainUntil)
             .map(ru -> Instant.now().isBefore(ru)).orElse(false)) {
             return false;
         }
diff --git a/org.jdrupes.vmoperator.manager.events/src/org/jdrupes/vmoperator/manager/events/UpdateAssignment.java b/org.jdrupes.vmoperator.manager.events/src/org/jdrupes/vmoperator/manager/events/UpdateAssignment.java
index 676af3d..af9dde0 100644
--- a/org.jdrupes.vmoperator.manager.events/src/org/jdrupes/vmoperator/manager/events/UpdateAssignment.java
+++ b/org.jdrupes.vmoperator.manager.events/src/org/jdrupes/vmoperator/manager/events/UpdateAssignment.java
@@ -18,6 +18,7 @@
 
 package org.jdrupes.vmoperator.manager.events;
 
+import org.jdrupes.vmoperator.common.VmPool;
 import org.jgrapes.core.Event;
 
 /**
@@ -26,31 +27,31 @@ import org.jgrapes.core.Event;
 @SuppressWarnings("PMD.DataClass")
 public class UpdateAssignment extends Event<Boolean> {
 
-    private final String usedPool;
+    private final VmPool fromPool;
     private final String toUser;
 
     /**
      * Instantiates a new event.
      *
-     * @param usedPool the used pool
+     * @param fromPool the pool from which the VM was assigned
      * @param toUser the to user
      */
-    public UpdateAssignment(String usedPool, String toUser) {
-        this.usedPool = usedPool;
+    public UpdateAssignment(VmPool fromPool, String toUser) {
+        this.fromPool = fromPool;
         this.toUser = toUser;
     }
 
     /**
-     * Gets the pool to assign from.
+     * Gets the pool from which the VM was assigned.
      *
      * @return the pool
      */
-    public String usedPool() {
-        return usedPool;
+    public VmPool fromPool() {
+        return fromPool;
     }
 
     /**
-     * Gets the user to assign to.
+     * Gets the user to whom the VM was assigned.
      *
      * @return the to user
      */
diff --git a/org.jdrupes.vmoperator.manager/resources/org/jdrupes/vmoperator/manager/runnerConfig.ftl.yaml b/org.jdrupes.vmoperator.manager/resources/org/jdrupes/vmoperator/manager/runnerConfig.ftl.yaml
index 2fbeb94..2a59a2c 100644
--- a/org.jdrupes.vmoperator.manager/resources/org/jdrupes/vmoperator/manager/runnerConfig.ftl.yaml
+++ b/org.jdrupes.vmoperator.manager/resources/org/jdrupes/vmoperator/manager/runnerConfig.ftl.yaml
@@ -201,8 +201,8 @@ data:
           <#if spec.vm.display.outputs?? >
           outputs: ${ spec.vm.display.outputs?c }
           </#if>
-          <#if spec.vm.display.loggedInUser?? >
-          loggedInUser: "${ spec.vm.display.loggedInUser }"
+          <#if loginRequestedFor?? >
+          loggedInUser: "${ loginRequestedFor }"
           </#if>
           <#if spec.vm.display.spice??>
           spice:
diff --git a/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/Controller.java b/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/Controller.java
index b61b26a..5d5c592 100644
--- a/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/Controller.java
+++ b/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/Controller.java
@@ -232,7 +232,7 @@ public class Controller extends Component {
             if (vmStub.updateStatus(vmDef, from -> {
                 JsonObject status = from.statusJson();
                 var assignment = GsonPtr.to(status).to(Status.ASSIGNMENT);
-                assignment.set("pool", event.usedPool());
+                assignment.set("pool", event.fromPool().name());
                 assignment.set("user", event.toUser());
                 assignment.set("lastUsed", Instant.now().toString());
                 return status;
diff --git a/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/PoolMonitor.java b/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/PoolMonitor.java
index 0e25803..5d85280 100644
--- a/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/PoolMonitor.java
+++ b/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/PoolMonitor.java
@@ -36,6 +36,7 @@ import org.jdrupes.vmoperator.common.K8sDynamicModel;
 import org.jdrupes.vmoperator.common.K8sDynamicModels;
 import org.jdrupes.vmoperator.common.K8sDynamicStub;
 import org.jdrupes.vmoperator.common.K8sObserver.ResponseType;
+import org.jdrupes.vmoperator.common.VmDefinition.Assignment;
 import org.jdrupes.vmoperator.common.VmDefinitionStub;
 import org.jdrupes.vmoperator.common.VmPool;
 import org.jdrupes.vmoperator.manager.events.GetPools;
@@ -165,7 +166,7 @@ public class PoolMonitor extends
         }
 
         // Sync last usage to console state change if user matches
-        if (vmDef.assignedTo()
+        if (vmDef.assignment().map(Assignment::user)
             .map(at -> at.equals(vmDef.consoleUser().orElse(null)))
             .orElse(true)) {
             return;
@@ -174,8 +175,8 @@ public class PoolMonitor extends
         var ccChange = vmDef.condition("ConsoleConnected")
             .map(cc -> cc.getLastTransitionTime().toInstant());
         if (ccChange
-            .map(tt -> vmDef.assignmentLastUsed().map(alu -> alu.isAfter(tt))
-                .orElse(true))
+            .map(tt -> vmDef.assignment().map(Assignment::lastUsed)
+                .map(alu -> alu.isAfter(tt)).orElse(true))
             .orElse(true)) {
             return;
         }
diff --git a/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/Reconciler.java b/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/Reconciler.java
index e5bfaec..8df5c88 100644
--- a/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/Reconciler.java
+++ b/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/Reconciler.java
@@ -45,6 +45,7 @@ import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
 import java.util.Optional;
+import java.util.logging.Level;
 import static org.jdrupes.vmoperator.common.Constants.APP_NAME;
 import org.jdrupes.vmoperator.common.Constants.DisplaySecret;
 import org.jdrupes.vmoperator.common.Convertions;
@@ -52,6 +53,9 @@ import org.jdrupes.vmoperator.common.K8sClient;
 import org.jdrupes.vmoperator.common.K8sObserver;
 import org.jdrupes.vmoperator.common.K8sV1SecretStub;
 import org.jdrupes.vmoperator.common.VmDefinition;
+import org.jdrupes.vmoperator.common.VmDefinition.Assignment;
+import org.jdrupes.vmoperator.common.VmPool;
+import org.jdrupes.vmoperator.manager.events.GetPools;
 import org.jdrupes.vmoperator.manager.events.ResetVm;
 import org.jdrupes.vmoperator.manager.events.VmChannel;
 import org.jdrupes.vmoperator.manager.events.VmDefChanged;
@@ -212,11 +216,6 @@ public class Reconciler extends Component {
     @SuppressWarnings("PMD.ConfusingTernary")
     public void onVmDefChanged(VmDefChanged event, VmChannel channel)
             throws ApiException, TemplateException, IOException {
-        // We're only interested in "spec" changes.
-        if (!event.specChanged()) {
-            return;
-        }
-
         // Ownership relationships takes care of deletions
         if (event.type() == K8sObserver.ResponseType.DELETED) {
             logger.fine(
@@ -228,6 +227,11 @@ public class Reconciler extends Component {
         Map<String, Object> model
             = prepareModel(channel.client(), event.vmDefinition());
         var configMap = cmReconciler.reconcile(model, channel);
+
+        // The remaining reconcilers depend only on changes of the spec part.
+        if (!event.specChanged()) {
+            return;
+        }
         model.put("cm", configMap);
         dsReconciler.reconcile(event, model, channel);
         // Manage (eventual) removal of stateful set.
@@ -266,24 +270,10 @@ public class Reconciler extends Component {
             Optional.ofNullable(Reconciler.class.getPackage()
                 .getImplementationVersion()).orElse("(Unknown)"));
         model.put("cr", vmDef);
-        // Freemarker's static models don't handle nested classes.
-        model.put("constants", constantsMap(Constants.class));
         model.put("reconciler", config);
-
-        // Check if we have a display secret
-        ListOptions options = new ListOptions();
-        options.setLabelSelector("app.kubernetes.io/name=" + APP_NAME + ","
-            + "app.kubernetes.io/component=" + DisplaySecret.NAME + ","
-            + "app.kubernetes.io/instance=" + vmDef.name());
-        var dsStub = K8sV1SecretStub
-            .list(client, vmDef.namespace(), options)
-            .stream()
-            .findFirst();
-        if (dsStub.isPresent()) {
-            dsStub.get().model().ifPresent(m -> {
-                model.put("displaySecret", m.getMetadata().getName());
-            });
-        }
+        model.put("constants", constantsMap(Constants.class));
+        addLoginRequestedFor(model, vmDef);
+        addDisplaySecret(client, model, vmDef);
 
         // Methods
         model.put("parseQuantity", parseQuantityModel);
@@ -294,6 +284,13 @@ public class Reconciler extends Component {
         return model;
     }
 
+    /**
+     * Creates a map with constants. Needed because freemarker doesn't support
+     * nested classes with its static models.
+     *
+     * @param clazz the clazz
+     * @return the map
+     */
     @SuppressWarnings("PMD.EmptyCatchBlock")
     private Map<String, Object> constantsMap(Class<?> clazz) {
         @SuppressWarnings("PMD.UseConcurrentHashMap")
@@ -318,6 +315,38 @@ public class Reconciler extends Component {
         return result;
     }
 
+    private void addLoginRequestedFor(Map<String, Object> model,
+            VmDefinition vmDef) {
+        vmDef.assignment().filter(a -> {
+            try {
+                return newEventPipeline()
+                    .fire(new GetPools().withName(a.pool())).get()
+                    .stream().findFirst().map(VmPool::loginOnAssignment)
+                    .orElse(false);
+            } catch (InterruptedException e) {
+                logger.log(Level.WARNING, e, e::getMessage);
+            }
+            return false;
+        }).map(Assignment::user)
+            .or(() -> vmDef.fromSpec("vm", "display", "loggedInUser"))
+            .ifPresent(u -> model.put("loginRequestedFor", u));
+    }
+
+    private void addDisplaySecret(K8sClient client, Map<String, Object> model,
+            VmDefinition vmDef) throws ApiException {
+        ListOptions options = new ListOptions();
+        options.setLabelSelector("app.kubernetes.io/name=" + APP_NAME + ","
+            + "app.kubernetes.io/component=" + DisplaySecret.NAME + ","
+            + "app.kubernetes.io/instance=" + vmDef.name());
+        var dsStub = K8sV1SecretStub
+            .list(client, vmDef.namespace(), options).stream().findFirst();
+        if (dsStub.isPresent()) {
+            dsStub.get().model().ifPresent(m -> {
+                model.put("displaySecret", m.getMetadata().getName());
+            });
+        }
+    }
+
     private final TemplateMethodModelEx parseQuantityModel
         = new TemplateMethodModelEx() {
             @Override
diff --git a/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/VmMonitor.java b/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/VmMonitor.java
index 9e080e6..1a559b3 100644
--- a/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/VmMonitor.java
+++ b/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/VmMonitor.java
@@ -40,6 +40,7 @@ import org.jdrupes.vmoperator.common.K8sV1ConfigMapStub;
 import org.jdrupes.vmoperator.common.K8sV1PodStub;
 import org.jdrupes.vmoperator.common.K8sV1StatefulSetStub;
 import org.jdrupes.vmoperator.common.VmDefinition;
+import org.jdrupes.vmoperator.common.VmDefinition.Assignment;
 import org.jdrupes.vmoperator.common.VmDefinitionStub;
 import org.jdrupes.vmoperator.common.VmDefinitions;
 import org.jdrupes.vmoperator.common.VmExtraData;
@@ -234,10 +235,10 @@ public class VmMonitor extends
                 || !c.vmDefinition().permissionsFor(event.user().orElse(null),
                     event.roles()).isEmpty())
             .filter(c -> event.fromPool().isEmpty()
-                || c.vmDefinition().assignedFrom()
+                || c.vmDefinition().assignment().map(Assignment::pool)
                     .map(p -> p.equals(event.fromPool().get())).orElse(false))
             .filter(c -> event.toUser().isEmpty()
-                || c.vmDefinition().assignedTo()
+                || c.vmDefinition().assignment().map(Assignment::user)
                     .map(u -> u.equals(event.toUser().get())).orElse(false))
             .map(c -> new VmData(c.vmDefinition(), c))
             .toList());
@@ -257,9 +258,9 @@ public class VmMonitor extends
         while (true) {
             // Search for existing assignment.
             var vmQuery = channelManager.channels().stream()
-                .filter(c -> c.vmDefinition().assignedFrom()
+                .filter(c -> c.vmDefinition().assignment().map(Assignment::pool)
                     .map(p -> p.equals(event.fromPool())).orElse(false))
-                .filter(c -> c.vmDefinition().assignedTo()
+                .filter(c -> c.vmDefinition().assignment().map(Assignment::user)
                     .map(u -> u.equals(event.toUser())).orElse(false))
                 .findFirst();
             if (vmQuery.isPresent()) {
@@ -280,7 +281,8 @@ public class VmMonitor extends
             vmQuery = channelManager.channels().stream()
                 .filter(c -> vmPool.isAssignable(c.vmDefinition()))
                 .sorted(Comparator.comparing((VmChannel c) -> c.vmDefinition()
-                    .assignmentLastUsed().orElse(Instant.ofEpochSecond(0)))
+                    .assignment().map(Assignment::lastUsed)
+                    .orElse(Instant.ofEpochSecond(0)))
                     .thenComparing(preferRunning))
                 .findFirst();
 
@@ -293,7 +295,7 @@ public class VmMonitor extends
             var chosenVm = vmQuery.get();
             var vmPipeline = chosenVm.pipeline();
             if (Optional.ofNullable(vmPipeline.fire(new UpdateAssignment(
-                vmPool.name(), event.toUser()), chosenVm).get())
+                vmPool, event.toUser()), chosenVm).get())
                 .orElse(false)) {
                 var vmDef = chosenVm.vmDefinition();
                 event.setResult(new VmData(vmDef, chosenVm));
@@ -301,10 +303,6 @@ public class VmMonitor extends
                 // Make sure that a newly assigned VM is running.
                 chosenVm.pipeline().fire(new ModifyVm(vmDef.name(),
                     "state", "Running", chosenVm));
-                if (vmPool.loginOnAssignment()) {
-                    chosenVm.pipeline().fire(new ModifyVm(vmDef.name(),
-                        "display/loggedInUser", event.toUser(), chosenVm));
-                }
                 return;
             }
         }
diff --git a/org.jdrupes.vmoperator.util/src/org/jdrupes/vmoperator/util/GsonPtr.java b/org.jdrupes.vmoperator.util/src/org/jdrupes/vmoperator/util/GsonPtr.java
index 36c3444..f78374c 100644
--- a/org.jdrupes.vmoperator.util/src/org/jdrupes/vmoperator/util/GsonPtr.java
+++ b/org.jdrupes.vmoperator.util/src/org/jdrupes/vmoperator/util/GsonPtr.java
@@ -327,6 +327,18 @@ public class GsonPtr {
         return set(selector, new JsonPrimitive(value));
     }
 
+    /**
+     * Short for `set(selector, new JsonPrimitive(value))`.
+     *
+     * @param selector the selector
+     * @param value the value
+     * @return the gson ptr
+     * @see #set(Object, JsonElement)
+     */
+    public GsonPtr set(Object selector, Boolean value) {
+        return set(selector, new JsonPrimitive(value));
+    }
+
     /**
      * Same as {@link #set(Object, JsonElement)}, but sets the value
      * only if it doesn't exist yet, else returns the existing value.
diff --git a/org.jdrupes.vmoperator.vmaccess/src/org/jdrupes/vmoperator/vmaccess/VmAccess.java b/org.jdrupes.vmoperator.vmaccess/src/org/jdrupes/vmoperator/vmaccess/VmAccess.java
index d6d9e64..5625a4d 100644
--- a/org.jdrupes.vmoperator.vmaccess/src/org/jdrupes/vmoperator/vmaccess/VmAccess.java
+++ b/org.jdrupes.vmoperator.vmaccess/src/org/jdrupes/vmoperator/vmaccess/VmAccess.java
@@ -46,6 +46,7 @@ import java.util.stream.Collectors;
 import org.bouncycastle.util.Objects;
 import org.jdrupes.vmoperator.common.K8sObserver;
 import org.jdrupes.vmoperator.common.VmDefinition;
+import org.jdrupes.vmoperator.common.VmDefinition.Assignment;
 import org.jdrupes.vmoperator.common.VmDefinition.Permission;
 import org.jdrupes.vmoperator.common.VmPool;
 import org.jdrupes.vmoperator.manager.events.AssignVm;
@@ -657,10 +658,11 @@ public class VmAccess extends FreeMarkerConlet<VmAccess.ResourceModel> {
                     var user
                         = WebConsoleUtils.userFromSession(connection.session())
                             .map(ConsoleUser::getName).orElse(null);
-                    var toBeUsedByConlet = vmDef.assignedFrom()
+                    var toBeUsedByConlet = vmDef.assignment()
+                        .map(Assignment::pool)
                         .map(p -> p.equals(model.get().name())).orElse(false)
-                        && vmDef.assignedTo().map(u -> u.equals(user))
-                            .orElse(false);
+                        && vmDef.assignment().map(Assignment::user)
+                            .map(u -> u.equals(user)).orElse(false);
                     if (!Objects.areEqual(model.get().assignedVm(),
                         vmDef.name()) && !toBeUsedByConlet) {
                         continue;

From 04ccdd7dee7c463258787d1237939ce86f1a9133 Mon Sep 17 00:00:00 2001
From: "Michael N. Lipp" <mnl@mnl.de>
Date: Tue, 4 Mar 2025 21:35:36 +0100
Subject: [PATCH 185/274] Add condition for logged in state.

---
 deploy/crds/vms-crd.yaml                      | 18 +++++++++
 .../jdrupes/vmoperator/common/Constants.java  | 15 +++++++
 .../vmoperator/runner/qemu/StatusUpdater.java | 40 ++++++++++++++++---
 .../vmoperator/runner/qemu/VmDefUpdater.java  |  9 +++--
 4 files changed, 74 insertions(+), 8 deletions(-)

diff --git a/deploy/crds/vms-crd.yaml b/deploy/crds/vms-crd.yaml
index 2a14f0c..101784f 100644
--- a/deploy/crds/vms-crd.yaml
+++ b/deploy/crds/vms-crd.yaml
@@ -1534,6 +1534,24 @@ spec:
                     lastTransitionTime: "1970-01-01T00:00:00Z"
                     reason: Creation
                     message: "Creation of CR"
+                  - type: Booted
+                    status: "False"
+                    observedGeneration: 1
+                    lastTransitionTime: "1970-01-01T00:00:00Z"
+                    reason: Creation
+                    message: "Creation of CR"
+                  - type: VmopAgentConnected
+                    status: "False"
+                    observedGeneration: 1
+                    lastTransitionTime: "1970-01-01T00:00:00Z"
+                    reason: Creation
+                    message: "Creation of CR"
+                  - type: UserLoggedIn
+                    status: "False"
+                    observedGeneration: 1
+                    lastTransitionTime: "1970-01-01T00:00:00Z"
+                    reason: Creation
+                    message: "Creation of CR"
                   - type: ConsoleConnected
                     status: "False"
                     observedGeneration: 1
diff --git a/org.jdrupes.vmoperator.common/src/org/jdrupes/vmoperator/common/Constants.java b/org.jdrupes.vmoperator.common/src/org/jdrupes/vmoperator/common/Constants.java
index 71c8cf3..0d9657a 100644
--- a/org.jdrupes.vmoperator.common/src/org/jdrupes/vmoperator/common/Constants.java
+++ b/org.jdrupes.vmoperator.common/src/org/jdrupes/vmoperator/common/Constants.java
@@ -74,6 +74,21 @@ public class Constants {
 
         /** The Constant ASSIGNMENT. */
         public static final String ASSIGNMENT = "assignment";
+
+        /** The Constant COND_RUNNING. */
+        public static final String COND_RUNNING = "Running";
+
+        /** The Constant COND_BOOTED. */
+        public static final String COND_BOOTED = "Booted";
+
+        /** The Constant COND_VMOP_AGENT. */
+        public static final String COND_VMOP_AGENT = "VmopAgentConnected";
+
+        /** The Constant COND_USER_LOGGED_IN. */
+        public static final String COND_USER_LOGGED_IN = "UserLoggedIn";
+
+        /** The Constant COND_CONSOLE. */
+        public static final String COND_CONSOLE = "ConsoleConnected";
     }
 
     /**
diff --git a/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/StatusUpdater.java b/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/StatusUpdater.java
index 36a63c1..d983311 100644
--- a/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/StatusUpdater.java
+++ b/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/StatusUpdater.java
@@ -72,6 +72,7 @@ public class StatusUpdater extends VmDefUpdater {
     private boolean guestShutdownStops;
     private boolean shutdownByGuest;
     private VmDefinitionStub vmStub;
+    private String loggedInUser;
 
     /**
      * Instantiates a new status updater.
@@ -143,6 +144,7 @@ public class StatusUpdater extends VmDefUpdater {
     public void onConfigureQemu(ConfigureQemu event)
             throws ApiException {
         guestShutdownStops = event.configuration().guestShutdownStops;
+        loggedInUser = event.configuration().vm.display.loggedInUser;
 
         // Remainder applies only if we have a connection to k8s.
         if (vmStub == null) {
@@ -169,10 +171,12 @@ public class StatusUpdater extends VmDefUpdater {
                 status.addProperty(Status.DISPLAY_PASSWORD_SERIAL, -1);
             }
             status.getAsJsonArray("conditions").asList().stream()
-                .map(cond -> (JsonObject) cond).filter(cond -> "Running"
+                .map(cond -> (JsonObject) cond)
+                .filter(cond -> Status.COND_RUNNING
                     .equals(cond.get("type").getAsString()))
                 .forEach(cond -> cond.addProperty("observedGeneration",
                     from.getMetadata().getGeneration()));
+            updateUserLoggedIn(from);
             return status;
         }, vmDef);
     }
@@ -194,9 +198,9 @@ public class StatusUpdater extends VmDefUpdater {
         }
         vmStub.updateStatus(from -> {
             boolean running = event.runState().vmRunning();
-            updateCondition(vmDef, "Running", running, event.reason(),
+            updateCondition(vmDef, Status.COND_RUNNING, running, event.reason(),
                 event.message());
-            JsonObject status = updateCondition(vmDef, "Booted",
+            JsonObject status = updateCondition(vmDef, Status.COND_BOOTED,
                 event.runState() == RunState.BOOTED, event.reason(),
                 event.message());
             if (event.runState() == RunState.STARTING) {
@@ -212,10 +216,12 @@ public class StatusUpdater extends VmDefUpdater {
             if (!running) {
                 // In case console connection was still present
                 status.addProperty(Status.CONSOLE_CLIENT, "");
-                updateCondition(from, "ConsoleConnected", false, "VmStopped",
+                updateCondition(from, Status.COND_CONSOLE, false, "VmStopped",
                     "The VM is not running");
 
                 // In case we had an irregular shutdown
+                updateCondition(from, Status.COND_USER_LOGGED_IN, false,
+                    "VmStopped", "The VM is not running");
                 status.remove(Status.OSINFO);
                 updateCondition(vmDef, "VmopAgentConnected", false, "VmStopped",
                     "The VM is not running");
@@ -245,6 +251,26 @@ public class StatusUpdater extends VmDefUpdater {
         K8s.createEvent(apiClient, vmDef, evt);
     }
 
+    private void updateUserLoggedIn(VmDefinition from) {
+        if (loggedInUser == null) {
+            updateCondition(from, Status.COND_USER_LOGGED_IN, false,
+                "NotRequested", "No user to be logged in");
+            return;
+        }
+        if (!from.conditionStatus(Status.COND_VMOP_AGENT).orElse(false)) {
+            updateCondition(from, Status.COND_USER_LOGGED_IN, false,
+                "VmopAgentDisconnected", "Waiting for VMOP agent to connect");
+            return;
+        }
+        if (!from.fromStatus(Status.LOGGED_IN_USER).map(loggedInUser::equals)
+            .orElse(false)) {
+            updateCondition(from, Status.COND_USER_LOGGED_IN, false,
+                "Processing", "Waiting for user to be logged in");
+        }
+        updateCondition(from, Status.COND_USER_LOGGED_IN, true,
+            "UserLoggedIn", "User is logged in");
+    }
+
     /**
      * On ballon change.
      *
@@ -348,8 +374,10 @@ public class StatusUpdater extends VmDefUpdater {
             return;
         }
         vmStub.updateStatus(from -> {
-            return updateCondition(vmDef, "VmopAgentConnected",
+            var status = updateCondition(vmDef, "VmopAgentConnected",
                 true, "VmopAgentStarted", "The VM operator agent is running");
+            updateUserLoggedIn(from);
+            return status;
         }, vmDef);
     }
 
@@ -365,6 +393,7 @@ public class StatusUpdater extends VmDefUpdater {
             JsonObject status = from.statusJson();
             status.addProperty(Status.LOGGED_IN_USER,
                 event.triggering().user());
+            updateUserLoggedIn(from);
             return status;
         });
     }
@@ -380,6 +409,7 @@ public class StatusUpdater extends VmDefUpdater {
         vmStub.updateStatus(from -> {
             JsonObject status = from.statusJson();
             status.remove(Status.LOGGED_IN_USER);
+            updateUserLoggedIn(from);
             return status;
         });
     }
diff --git a/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/VmDefUpdater.java b/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/VmDefUpdater.java
index 50017c1..4c64ff1 100644
--- a/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/VmDefUpdater.java
+++ b/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/VmDefUpdater.java
@@ -129,9 +129,12 @@ public class VmDefUpdater extends Component {
         var current = status.getAsJsonArray("conditions").asList().stream()
             .map(cond -> (JsonObject) cond)
             .filter(cond -> type.equals(cond.get("type").getAsString()))
-            .findFirst()
-            .map(cond -> "True".equals(cond.get("status").getAsString()));
-        if (current.isPresent() && current.get() == state) {
+            .findFirst();
+        if (current.isPresent()
+            && current.map(c -> c.get("status").getAsString())
+                .map("True"::equals).map(s -> s == state).orElse(false)
+            && current.map(c -> c.get("reason").getAsString())
+                .map(reason::equals).orElse(false)) {
             return status;
         }
 

From 940913cf896e08f190deae3b8bb3c970188449c7 Mon Sep 17 00:00:00 2001
From: "Michael N. Lipp" <mnl@mnl.de>
Date: Tue, 4 Mar 2025 23:39:22 +0100
Subject: [PATCH 186/274] Use UserLoggedIn condition for access control.

---
 dev-example/test-vm.tpl.yaml                  |  3 +-
 .../vmaccess/browser/VmAccess-functions.ts    | 29 +++++++++++--------
 2 files changed, 18 insertions(+), 14 deletions(-)

diff --git a/dev-example/test-vm.tpl.yaml b/dev-example/test-vm.tpl.yaml
index 260341e..a6d8825 100644
--- a/dev-example/test-vm.tpl.yaml
+++ b/dev-example/test-vm.tpl.yaml
@@ -8,12 +8,11 @@ metadata:
   
 spec:
   image:
-#    repository: docker-registry.lan.mnl.de
-#    path: vmoperator/org.jdrupes.vmoperator.runner.qemu-arch
 #    pullPolicy: Always
 #    repository: ghcr.io
 #    path: mnlipp/org.jdrupes.vmoperator.runner.qemu-alpine
 #    version: "3.0.0"
+#    source: docker-registry.lan.mnl.de/vm-operator/org.jdrupes.vmoperator.runner.qemu-arch:feature-auto-login
     source: registry.mnl.de/org/jdrupes/vm-operator/org.jdrupes.vmoperator.runner.qemu-arch:feature-auto-login
     pullPolicy: Always
 
diff --git a/org.jdrupes.vmoperator.vmaccess/src/org/jdrupes/vmoperator/vmaccess/browser/VmAccess-functions.ts b/org.jdrupes.vmoperator.vmaccess/src/org/jdrupes/vmoperator/vmaccess/browser/VmAccess-functions.ts
index f0ef3c8..21fadfd 100644
--- a/org.jdrupes.vmoperator.vmaccess/src/org/jdrupes/vmoperator/vmaccess/browser/VmAccess-functions.ts
+++ b/org.jdrupes.vmoperator.vmaccess/src/org/jdrupes/vmoperator/vmaccess/browser/VmAccess-functions.ts
@@ -73,8 +73,9 @@ window.orgJDrupesVmOperatorVmAccess.initPreview = (previewDom: HTMLElement,
             const configured = computed(() => previewApi.vmDefinition.spec);
             const busy = computed(() => previewApi.vmDefinition.spec
                 && (previewApi.vmDefinition.spec.vm.state === 'Running'
-                        && (previewApi.poolName
-                            ? !previewApi.vmDefinition.vmopAgent
+                        && ((previewApi.poolName
+                             && previewApi.vmDefinition.userLoginRequested)
+                            ? !previewApi.vmDefinition.userLoggedIn
                             : !previewApi.vmDefinition.running)
                     || previewApi.vmDefinition.spec.vm.state === 'Stopped' 
                         && previewApi.vmDefinition.running));
@@ -87,7 +88,8 @@ window.orgJDrupesVmOperatorVmAccess.initPreview = (previewDom: HTMLElement,
                 previewApi.vmDefinition.spec.vm.state !== 'Stopped' 
                 && previewApi.vmDefinition.running);
             const running = computed(() => previewApi.vmDefinition.running);
-            const vmopAgent = computed(() => previewApi.vmDefinition.vmopAgent);
+            const userLoginRequested = computed(() => previewApi.vmDefinition.userLoginRequested);
+            const userLoggedIn = computed(() => previewApi.vmDefinition.userLoggedIn);
             const inUse = computed(() => previewApi.vmDefinition.usedBy != '');
             const permissions = computed(() => previewApi.permissions);
             const osicon = computed(() => {
@@ -123,8 +125,8 @@ window.orgJDrupesVmOperatorVmAccess.initPreview = (previewDom: HTMLElement,
             };
         
             return { localize, resourceBase, vmAction, poolName, vmName, 
-                configured, busy, startable, stoppable, running, vmopAgent,
-                inUse, permissions, osicon };
+                configured, busy, startable, stoppable, running, userLoggedIn,
+                userLoginRequested, inUse, permissions, osicon };
         },
         template: `
           <table>
@@ -132,9 +134,10 @@ window.orgJDrupesVmOperatorVmAccess.initPreview = (previewDom: HTMLElement,
               <tr>
                 <td rowspan="2" style="position: relative"><span
                   style="position: absolute;" :class="{ busy: busy }"
-                  ><img role=button :aria-disabled="(poolName 
-                      ? !vmopAgent : !running)
-                      || !permissions.includes('accessConsole')" 
+                  ><img role=button :aria-disabled="
+                      ((poolName && userLoginRequested)
+                       ? !userLoggedIn : !running)
+                       || !permissions.includes('accessConsole')" 
                     v-on:click="vmAction('openConsole')"
                     :src="resourceBase + (running
                       ? (inUse ? 'computer-in-use.svg' : 'computer.svg') 
@@ -210,15 +213,17 @@ JGConsole.registerConletFunction("org.jdrupes.vmoperator.vmaccess.VmAccess",
             vmDefinition.currentCpus = vmDefinition.status.cpus;
             vmDefinition.currentRam = Number(vmDefinition.status.ram);
             vmDefinition.usedBy = vmDefinition.status.consoleClient || "";
+            // safety fallbacks
+            vmDefinition.userLoginRequested = true;
+            vmDefinition.userLoggedIn = false;
             vmDefinition.status.conditions.forEach((condition: any) => {
                 if (condition.type === "Running") {
                     vmDefinition.running = condition.status === "True";
                     vmDefinition.runningConditionSince 
                         = new Date(condition.lastTransitionTime);
-                } else if (condition.type === "VmopAgentConnected") {
-                    vmDefinition.vmopAgent = condition.status === "True";
-                    vmDefinition.vmopAgentConditionSince 
-                        = new Date(condition.lastTransitionTime);
+                } else if (condition.type === "UserLoggedIn") {
+                    vmDefinition.userLoggedIn = condition.status === "True";
+                    vmDefinition.userLoginRequested = condition.reason !== "NotRequested";
                 }
             })
         } else {

From 7e650bf9806d4e05fa8ccd76f9dc522a2e0ed7a8 Mon Sep 17 00:00:00 2001
From: "Michael N. Lipp" <mnl@mnl.de>
Date: Wed, 5 Mar 2025 10:18:16 +0100
Subject: [PATCH 187/274] Use more constants.

---
 .../jdrupes/vmoperator/common/Constants.java  | 32 ++++++++++++++-----
 .../vmoperator/runner/qemu/StatusUpdater.java | 23 +++++++------
 2 files changed, 37 insertions(+), 18 deletions(-)

diff --git a/org.jdrupes.vmoperator.common/src/org/jdrupes/vmoperator/common/Constants.java b/org.jdrupes.vmoperator.common/src/org/jdrupes/vmoperator/common/Constants.java
index 0d9657a..c011a24 100644
--- a/org.jdrupes.vmoperator.common/src/org/jdrupes/vmoperator/common/Constants.java
+++ b/org.jdrupes.vmoperator.common/src/org/jdrupes/vmoperator/common/Constants.java
@@ -78,17 +78,33 @@ public class Constants {
         /** The Constant COND_RUNNING. */
         public static final String COND_RUNNING = "Running";
 
-        /** The Constant COND_BOOTED. */
-        public static final String COND_BOOTED = "Booted";
+        /**
+         * Conditions used in Status.
+         */
+        public static class Condition {
+            /** The Constant COND_BOOTED. */
+            public static final String BOOTED = "Booted";
 
-        /** The Constant COND_VMOP_AGENT. */
-        public static final String COND_VMOP_AGENT = "VmopAgentConnected";
+            /** The Constant COND_VMOP_AGENT. */
+            public static final String VMOP_AGENT = "VmopAgentConnected";
 
-        /** The Constant COND_USER_LOGGED_IN. */
-        public static final String COND_USER_LOGGED_IN = "UserLoggedIn";
+            /** The Constant COND_USER_LOGGED_IN. */
+            public static final String USER_LOGGED_IN = "UserLoggedIn";
 
-        /** The Constant COND_CONSOLE. */
-        public static final String COND_CONSOLE = "ConsoleConnected";
+            /** The Constant COND_CONSOLE. */
+            public static final String CONSOLE_CONNECTED = "ConsoleConnected";
+
+            /**
+             * Reasons used in conditions.
+             */
+            public static class Reason {
+                /** The Constant NOT_REQUESTED. */
+                public static final String NOT_REQUESTED = "NotRequested";
+
+                /** The Constant USER_LOGGED_IN. */
+                public static final String LOGGED_IN = "LoggedIn";
+            }
+        }
     }
 
     /**
diff --git a/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/StatusUpdater.java b/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/StatusUpdater.java
index d983311..d9c32c4 100644
--- a/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/StatusUpdater.java
+++ b/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/StatusUpdater.java
@@ -35,6 +35,8 @@ import java.util.logging.Level;
 import static org.jdrupes.vmoperator.common.Constants.APP_NAME;
 import org.jdrupes.vmoperator.common.Constants.Crd;
 import org.jdrupes.vmoperator.common.Constants.Status;
+import org.jdrupes.vmoperator.common.Constants.Status.Condition;
+import org.jdrupes.vmoperator.common.Constants.Status.Condition.Reason;
 import org.jdrupes.vmoperator.common.K8s;
 import org.jdrupes.vmoperator.common.VmDefinition;
 import org.jdrupes.vmoperator.common.VmDefinitionStub;
@@ -200,7 +202,7 @@ public class StatusUpdater extends VmDefUpdater {
             boolean running = event.runState().vmRunning();
             updateCondition(vmDef, Status.COND_RUNNING, running, event.reason(),
                 event.message());
-            JsonObject status = updateCondition(vmDef, Status.COND_BOOTED,
+            JsonObject status = updateCondition(vmDef, Condition.BOOTED,
                 event.runState() == RunState.BOOTED, event.reason(),
                 event.message());
             if (event.runState() == RunState.STARTING) {
@@ -216,11 +218,12 @@ public class StatusUpdater extends VmDefUpdater {
             if (!running) {
                 // In case console connection was still present
                 status.addProperty(Status.CONSOLE_CLIENT, "");
-                updateCondition(from, Status.COND_CONSOLE, false, "VmStopped",
+                updateCondition(from, Condition.CONSOLE_CONNECTED, false,
+                    "VmStopped",
                     "The VM is not running");
 
                 // In case we had an irregular shutdown
-                updateCondition(from, Status.COND_USER_LOGGED_IN, false,
+                updateCondition(from, Condition.USER_LOGGED_IN, false,
                     "VmStopped", "The VM is not running");
                 status.remove(Status.OSINFO);
                 updateCondition(vmDef, "VmopAgentConnected", false, "VmStopped",
@@ -253,22 +256,22 @@ public class StatusUpdater extends VmDefUpdater {
 
     private void updateUserLoggedIn(VmDefinition from) {
         if (loggedInUser == null) {
-            updateCondition(from, Status.COND_USER_LOGGED_IN, false,
-                "NotRequested", "No user to be logged in");
+            updateCondition(from, Condition.USER_LOGGED_IN, false,
+                Reason.NOT_REQUESTED, "No user to be logged in");
             return;
         }
-        if (!from.conditionStatus(Status.COND_VMOP_AGENT).orElse(false)) {
-            updateCondition(from, Status.COND_USER_LOGGED_IN, false,
+        if (!from.conditionStatus(Condition.VMOP_AGENT).orElse(false)) {
+            updateCondition(from, Condition.USER_LOGGED_IN, false,
                 "VmopAgentDisconnected", "Waiting for VMOP agent to connect");
             return;
         }
         if (!from.fromStatus(Status.LOGGED_IN_USER).map(loggedInUser::equals)
             .orElse(false)) {
-            updateCondition(from, Status.COND_USER_LOGGED_IN, false,
+            updateCondition(from, Condition.USER_LOGGED_IN, false,
                 "Processing", "Waiting for user to be logged in");
         }
-        updateCondition(from, Status.COND_USER_LOGGED_IN, true,
-            "UserLoggedIn", "User is logged in");
+        updateCondition(from, Condition.USER_LOGGED_IN, true,
+            Reason.LOGGED_IN, "User is logged in");
     }
 
     /**

From 7437a17c9f39f70e34af4db215d312a05001d2aa Mon Sep 17 00:00:00 2001
From: "Michael N. Lipp" <mnl@mnl.de>
Date: Wed, 5 Mar 2025 10:24:40 +0100
Subject: [PATCH 188/274] Moved missed condition.

---
 .../src/org/jdrupes/vmoperator/common/Constants.java        | 6 +++---
 .../org/jdrupes/vmoperator/runner/qemu/StatusUpdater.java   | 4 ++--
 2 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/org.jdrupes.vmoperator.common/src/org/jdrupes/vmoperator/common/Constants.java b/org.jdrupes.vmoperator.common/src/org/jdrupes/vmoperator/common/Constants.java
index c011a24..83b261e 100644
--- a/org.jdrupes.vmoperator.common/src/org/jdrupes/vmoperator/common/Constants.java
+++ b/org.jdrupes.vmoperator.common/src/org/jdrupes/vmoperator/common/Constants.java
@@ -75,13 +75,13 @@ public class Constants {
         /** The Constant ASSIGNMENT. */
         public static final String ASSIGNMENT = "assignment";
 
-        /** The Constant COND_RUNNING. */
-        public static final String COND_RUNNING = "Running";
-
         /**
          * Conditions used in Status.
          */
         public static class Condition {
+            /** The Constant COND_RUNNING. */
+            public static final String RUNNING = "Running";
+
             /** The Constant COND_BOOTED. */
             public static final String BOOTED = "Booted";
 
diff --git a/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/StatusUpdater.java b/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/StatusUpdater.java
index d9c32c4..b1580ae 100644
--- a/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/StatusUpdater.java
+++ b/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/StatusUpdater.java
@@ -174,7 +174,7 @@ public class StatusUpdater extends VmDefUpdater {
             }
             status.getAsJsonArray("conditions").asList().stream()
                 .map(cond -> (JsonObject) cond)
-                .filter(cond -> Status.COND_RUNNING
+                .filter(cond -> Condition.RUNNING
                     .equals(cond.get("type").getAsString()))
                 .forEach(cond -> cond.addProperty("observedGeneration",
                     from.getMetadata().getGeneration()));
@@ -200,7 +200,7 @@ public class StatusUpdater extends VmDefUpdater {
         }
         vmStub.updateStatus(from -> {
             boolean running = event.runState().vmRunning();
-            updateCondition(vmDef, Status.COND_RUNNING, running, event.reason(),
+            updateCondition(vmDef, Condition.RUNNING, running, event.reason(),
                 event.message());
             JsonObject status = updateCondition(vmDef, Condition.BOOTED,
                 event.runState() == RunState.BOOTED, event.reason(),

From 2524172c12b8707a1c1cd0a9a2289547095b774b Mon Sep 17 00:00:00 2001
From: "Michael N. Lipp" <mnl@mnl.de>
Date: Wed, 5 Mar 2025 13:02:00 +0100
Subject: [PATCH 189/274] Centralize evaluation of console accessibility.

---
 .../vmoperator/common/VmDefinition.java       | 47 ++++++++------
 .../jdrupes/vmoperator/vmaccess/VmAccess.java | 62 +++++++++++++------
 .../vmaccess/browser/VmAccess-functions.ts    | 24 ++-----
 .../vmoperator/vmmgmt/VmMgmt-view.ftl.html    |  9 ++-
 .../org/jdrupes/vmoperator/vmmgmt/VmMgmt.java |  9 ++-
 5 files changed, 85 insertions(+), 66 deletions(-)

diff --git a/org.jdrupes.vmoperator.common/src/org/jdrupes/vmoperator/common/VmDefinition.java b/org.jdrupes.vmoperator.common/src/org/jdrupes/vmoperator/common/VmDefinition.java
index 6a27723..f763c47 100644
--- a/org.jdrupes.vmoperator.common/src/org/jdrupes/vmoperator/common/VmDefinition.java
+++ b/org.jdrupes.vmoperator.common/src/org/jdrupes/vmoperator/common/VmDefinition.java
@@ -39,6 +39,8 @@ import java.util.function.Function;
 import java.util.logging.Logger;
 import java.util.stream.Collectors;
 import org.jdrupes.vmoperator.common.Constants.Status;
+import org.jdrupes.vmoperator.common.Constants.Status.Condition;
+import org.jdrupes.vmoperator.common.Constants.Status.Condition.Reason;
 import org.jdrupes.vmoperator.util.DataPath;
 
 /**
@@ -363,9 +365,17 @@ public class VmDefinition extends K8sDynamicModel {
     }
 
     /**
-     * Check if the console is accessible. Returns true if the console is
-     * currently unused, used by the given user or if the permissions
-     * allow taking over the console. 
+     * Check if the console is accessible. Always returns `true` if 
+     * the VM is running and the permissions allow taking over the
+     * console. Else, returns `true` if
+     * 
+     *   * the permissions allow access to the console and
+     * 
+     *   * the VM is running and
+     * 
+     *   * the console is currently unused or used by the given user and
+     *     
+     *   * if user login is requested, the given user is logged in.
      *
      * @param user the user
      * @param permissions the permissions
@@ -373,32 +383,29 @@ public class VmDefinition extends K8sDynamicModel {
      */
     @SuppressWarnings("PMD.SimplifyBooleanReturns")
     public boolean consoleAccessible(String user, Set<Permission> permissions) {
-        // If user has takeConsole permission, console is always accessible
-        if (permissions.contains(VmDefinition.Permission.TAKE_CONSOLE)) {
+        // Basic checks
+        if (!conditionStatus(Condition.RUNNING).orElse(false)) {
+            return false;
+        }
+        if (permissions.contains(Permission.TAKE_CONSOLE)) {
             return true;
         }
-
-        // Check if an automatic login is requested. If so, allow access only
-        // if the log in has been established
-        var wantedLogIn = DataPath.<String> get(spec(), "vm", "display",
-            "loggedInUser").orElse(null);
-        if (wantedLogIn != null
-            && !wantedLogIn.equals(status().get(Status.LOGGED_IN_USER))) {
+        if (!permissions.contains(Permission.ACCESS_CONSOLE)) {
             return false;
         }
 
-        // If the console is not in use, allow access
-        if (!conditionStatus("ConsoleConnected").orElse(true)) {
-            return true;
+        // If the console is in use by another user, deny access
+        if (conditionStatus(Condition.CONSOLE_CONNECTED).orElse(false)
+            && !consoleUser().map(cu -> cu.equals(user)).orElse(false)) {
+            return false;
         }
 
-        // If the console is in use by the user, allow access
-        if (consoleUser().map(cu -> cu.equals(user)).orElse(true)) {
+        // If no login is requested, allow access, else check if user matches
+        if (condition(Condition.USER_LOGGED_IN).map(V1Condition::getReason)
+            .map(r -> Reason.NOT_REQUESTED.equals(r)).orElse(false)) {
             return true;
         }
-
-        // Else deny access
-        return false;
+        return user.equals(status().get(Status.LOGGED_IN_USER));
     }
 
     /**
diff --git a/org.jdrupes.vmoperator.vmaccess/src/org/jdrupes/vmoperator/vmaccess/VmAccess.java b/org.jdrupes.vmoperator.vmaccess/src/org/jdrupes/vmoperator/vmaccess/VmAccess.java
index 5625a4d..91642f1 100644
--- a/org.jdrupes.vmoperator.vmaccess/src/org/jdrupes/vmoperator/vmaccess/VmAccess.java
+++ b/org.jdrupes.vmoperator.vmaccess/src/org/jdrupes/vmoperator/vmaccess/VmAccess.java
@@ -524,6 +524,13 @@ public class VmAccess extends FreeMarkerConlet<VmAccess.ResourceModel> {
             .assignedTo(user)).get().stream().findFirst();
     }
 
+    /**
+     * Returns the permissions from the VM definition.
+     *
+     * @param vmDef the VM definition
+     * @param session the session
+     * @return the sets the
+     */
     private Set<Permission> permissions(VmDefinition vmDef, Session session) {
         var user = WebConsoleUtils.userFromSession(session)
             .map(ConsoleUser::getName).orElse(null);
@@ -532,6 +539,13 @@ public class VmAccess extends FreeMarkerConlet<VmAccess.ResourceModel> {
         return vmDef.permissionsFor(user, roles);
     }
 
+    /**
+     * Returns the permissions from the pool.
+     *
+     * @param pool the pool
+     * @param session the session
+     * @return the sets the
+     */
     private Set<Permission> permissions(VmPool pool, Session session) {
         var user = WebConsoleUtils.userFromSession(session)
             .map(ConsoleUser::getName).orElse(null);
@@ -540,23 +554,33 @@ public class VmAccess extends FreeMarkerConlet<VmAccess.ResourceModel> {
         return pool.permissionsFor(user, roles);
     }
 
-    private Set<Permission> permissions(ResourceModel model, Session session,
-            VmPool pool, VmDefinition vmDef) throws InterruptedException {
+    /**
+     * Returns the permissions from the VM definition or the pool depending
+     * on the state of the model.
+     *
+     * @param session the session
+     * @param model the model
+     * @param vmDef the vm def
+     * @return the sets the
+     * @throws InterruptedException the interrupted exception
+     */
+    private Set<Permission> permissions(Session session, ResourceModel model,
+            VmDefinition vmDef) throws InterruptedException {
         var user = WebConsoleUtils.userFromSession(session)
             .map(ConsoleUser::getName).orElse(null);
         var roles = WebConsoleUtils.rolesFromSession(session)
             .stream().map(ConsoleRole::getName).toList();
         if (model.mode() == ResourceModel.Mode.POOL) {
-            if (pool == null) {
-                pool = appPipeline.fire(new GetPools()
-                    .withName(model.name())).get().stream().findFirst()
-                    .orElse(null);
-            }
+            // Use permissions from pool
+            var pool = appPipeline.fire(new GetPools().withName(model.name()))
+                .get().stream().findFirst().orElse(null);
             if (pool == null) {
                 return Collections.emptySet();
             }
             return pool.permissionsFor(user, roles);
         }
+
+        // Use permissions from VM
         if (vmDef == null) {
             vmDef = appPipeline.fire(new GetVms().assignedFrom(model.name())
                 .assignedTo(user)).get().stream().map(VmData::definition)
@@ -578,7 +602,7 @@ public class VmAccess extends FreeMarkerConlet<VmAccess.ResourceModel> {
             VmDefinition vmDef) throws InterruptedException {
         channel.respond(new NotifyConletView(type(),
             model.getConletId(), "updateConfig", model.mode(), model.name(),
-            permissions(model, channel.session(), null, vmDef).stream()
+            permissions(channel.session(), model, vmDef).stream()
                 .map(VmDefinition.Permission::toString).toList()));
     }
 
@@ -589,12 +613,17 @@ public class VmAccess extends FreeMarkerConlet<VmAccess.ResourceModel> {
             model.setAssignedVm(null);
         } else {
             model.setAssignedVm(vmDef.name());
+            var session = channel.session();
+            var user = WebConsoleUtils.userFromSession(session)
+                .map(ConsoleUser::getName).orElse(null);
+            var perms = permissions(session, model, vmDef);
             try {
-                data = Map.of("metadata",
-                    Map.of("namespace", vmDef.namespace(),
+                data = Map.of(
+                    "metadata", Map.of("namespace", vmDef.namespace(),
                         "name", vmDef.name()),
                     "spec", vmDef.spec(),
-                    "status", vmDef.status());
+                    "status", vmDef.status(),
+                    "consoleAccessible", vmDef.consoleAccessible(user, perms));
             } catch (JsonSyntaxException e) {
                 logger.log(Level.SEVERE, e,
                     () -> "Failed to serialize VM definition");
@@ -635,6 +664,8 @@ public class VmAccess extends FreeMarkerConlet<VmAccess.ResourceModel> {
         // Update known conlets
         for (var entry : conletIdsByConsoleConnection().entrySet()) {
             var connection = entry.getKey();
+            var user = WebConsoleUtils.userFromSession(connection.session())
+                .map(ConsoleUser::getName).orElse(null);
             for (var conletId : entry.getValue()) {
                 var model = stateFromSession(connection.session(), conletId);
                 if (model.isEmpty()
@@ -655,9 +686,6 @@ public class VmAccess extends FreeMarkerConlet<VmAccess.ResourceModel> {
                 } else {
                     // Check if VM is used by pool conlet or to be assigned to
                     // it
-                    var user
-                        = WebConsoleUtils.userFromSession(connection.session())
-                            .map(ConsoleUser::getName).orElse(null);
                     var toBeUsedByConlet = vmDef.assignment()
                         .map(Assignment::pool)
                         .map(p -> p.equals(model.get().name())).orElse(false)
@@ -752,7 +780,7 @@ public class VmAccess extends FreeMarkerConlet<VmAccess.ResourceModel> {
         var vmChannel = vmData.get().channel();
         var vmDef = vmData.get().definition();
         var vmName = vmDef.metadata().getName();
-        var perms = permissions(model, channel.session(), null, vmDef);
+        var perms = permissions(channel.session(), model, vmDef);
         var resourceBundle = resourceBundle(channel.locale());
         switch (event.method()) {
         case "start":
@@ -776,9 +804,7 @@ public class VmAccess extends FreeMarkerConlet<VmAccess.ResourceModel> {
             }
             break;
         case "openConsole":
-            if (perms.contains(VmDefinition.Permission.ACCESS_CONSOLE)) {
-                openConsole(channel, model, vmChannel, vmDef, perms);
-            }
+            openConsole(channel, model, vmChannel, vmDef, perms);
             break;
         default:// ignore
             break;
diff --git a/org.jdrupes.vmoperator.vmaccess/src/org/jdrupes/vmoperator/vmaccess/browser/VmAccess-functions.ts b/org.jdrupes.vmoperator.vmaccess/src/org/jdrupes/vmoperator/vmaccess/browser/VmAccess-functions.ts
index 21fadfd..47e6e11 100644
--- a/org.jdrupes.vmoperator.vmaccess/src/org/jdrupes/vmoperator/vmaccess/browser/VmAccess-functions.ts
+++ b/org.jdrupes.vmoperator.vmaccess/src/org/jdrupes/vmoperator/vmaccess/browser/VmAccess-functions.ts
@@ -1,6 +1,6 @@
 /*
  * VM-Operator
- * Copyright (C) 2024 Michael N. Lipp
+ * Copyright (C) 2024,2025 Michael N. Lipp
  *
  * This program is free software: you can redistribute it and/or modify
  * it under the terms of the GNU Affero General Public License as
@@ -71,12 +71,10 @@ window.orgJDrupesVmOperatorVmAccess.initPreview = (previewDom: HTMLElement,
             const poolName = computed(() => previewApi.poolName);
             const vmName = computed(() => previewApi.vmDefinition.name);
             const configured = computed(() => previewApi.vmDefinition.spec);
+            const accessible = computed(() => previewApi.vmDefinition.consoleAccessible);
             const busy = computed(() => previewApi.vmDefinition.spec
                 && (previewApi.vmDefinition.spec.vm.state === 'Running'
-                        && ((previewApi.poolName
-                             && previewApi.vmDefinition.userLoginRequested)
-                            ? !previewApi.vmDefinition.userLoggedIn
-                            : !previewApi.vmDefinition.running)
+                        && (!previewApi.vmDefinition.consoleAccessible)
                     || previewApi.vmDefinition.spec.vm.state === 'Stopped' 
                         && previewApi.vmDefinition.running));
             const startable = computed(() => previewApi.vmDefinition.spec
@@ -88,8 +86,6 @@ window.orgJDrupesVmOperatorVmAccess.initPreview = (previewDom: HTMLElement,
                 previewApi.vmDefinition.spec.vm.state !== 'Stopped' 
                 && previewApi.vmDefinition.running);
             const running = computed(() => previewApi.vmDefinition.running);
-            const userLoginRequested = computed(() => previewApi.vmDefinition.userLoginRequested);
-            const userLoggedIn = computed(() => previewApi.vmDefinition.userLoggedIn);
             const inUse = computed(() => previewApi.vmDefinition.usedBy != '');
             const permissions = computed(() => previewApi.permissions);
             const osicon = computed(() => {
@@ -125,8 +121,8 @@ window.orgJDrupesVmOperatorVmAccess.initPreview = (previewDom: HTMLElement,
             };
         
             return { localize, resourceBase, vmAction, poolName, vmName, 
-                configured, busy, startable, stoppable, running, userLoggedIn,
-                userLoginRequested, inUse, permissions, osicon };
+                configured, accessible, busy, startable, stoppable, running, 
+                inUse, permissions, osicon };
         },
         template: `
           <table>
@@ -134,10 +130,7 @@ window.orgJDrupesVmOperatorVmAccess.initPreview = (previewDom: HTMLElement,
               <tr>
                 <td rowspan="2" style="position: relative"><span
                   style="position: absolute;" :class="{ busy: busy }"
-                  ><img role=button :aria-disabled="
-                      ((poolName && userLoginRequested)
-                       ? !userLoggedIn : !running)
-                       || !permissions.includes('accessConsole')" 
+                  ><img role=button :aria-disabled="!accessible" 
                     v-on:click="vmAction('openConsole')"
                     :src="resourceBase + (running
                       ? (inUse ? 'computer-in-use.svg' : 'computer.svg') 
@@ -214,16 +207,11 @@ JGConsole.registerConletFunction("org.jdrupes.vmoperator.vmaccess.VmAccess",
             vmDefinition.currentRam = Number(vmDefinition.status.ram);
             vmDefinition.usedBy = vmDefinition.status.consoleClient || "";
             // safety fallbacks
-            vmDefinition.userLoginRequested = true;
-            vmDefinition.userLoggedIn = false;
             vmDefinition.status.conditions.forEach((condition: any) => {
                 if (condition.type === "Running") {
                     vmDefinition.running = condition.status === "True";
                     vmDefinition.runningConditionSince 
                         = new Date(condition.lastTransitionTime);
-                } else if (condition.type === "UserLoggedIn") {
-                    vmDefinition.userLoggedIn = condition.status === "True";
-                    vmDefinition.userLoginRequested = condition.reason !== "NotRequested";
                 }
             })
         } else {
diff --git a/org.jdrupes.vmoperator.vmmgmt/resources/org/jdrupes/vmoperator/vmmgmt/VmMgmt-view.ftl.html b/org.jdrupes.vmoperator.vmmgmt/resources/org/jdrupes/vmoperator/vmmgmt/VmMgmt-view.ftl.html
index 6ec6ce3..533b2f4 100644
--- a/org.jdrupes.vmoperator.vmmgmt/resources/org/jdrupes/vmoperator/vmmgmt/VmMgmt-view.ftl.html
+++ b/org.jdrupes.vmoperator.vmmgmt/resources/org/jdrupes/vmoperator/vmmgmt/VmMgmt-view.ftl.html
@@ -60,21 +60,21 @@
           <td class="jdrupes-vmoperator-vmmgmt-view-action-list">
             <span role="button" 
               v-if="entry.spec.vm.state != 'Running' && !entry['running']
-                && entry.permissions.includes('start')" 
+                && entry.permissions.includes('START')" 
               tabindex="0" class="fa fa-play" :title="localize('Start VM')"
               v-on:click="vmAction(entry.name, 'start')"></span>
             <span role="button" v-else class="fa fa-play"
               aria-disabled="true" :title="localize('Start VM')"></span>
             <span role="button"
               v-if="entry.spec.vm.state != 'Stopped' && entry['running']
-                && entry.permissions.includes('stop')" 
+                && entry.permissions.includes('STOP')" 
               tabindex="0" class="fa fa-stop" :title="localize('Stop VM')"
               v-on:click="vmAction(entry.name, 'stop')"></span>
             <span role="button" v-else class="fa fa-stop"
               aria-disabled="true" :title="localize('Stop VM')"></span>
             <span role="button"
               :aria-disabled="!entry['running'] 
-                || !entry.permissions.includes('reset')" 
+                || !entry.permissions.includes('RESET')" 
               tabindex="0" class="svg-icon" :title="localize('Reset VM')"
               v-on:click="vmAction(entry.name, 'reset')">
               <svg viewBox="0 0 1541.33 1535.5083">
@@ -86,8 +86,7 @@
               ? 'computer-off.svg' : (entry.usedFrom 
                 ? 'computer-in-use.svg' : 'computer.svg'))"
               :title="localize('Open console')" 
-              :aria-disabled="!entry['running']
-                || !(entry.permissions.includes('accessConsole'))"
+              :aria-disabled="!entry.consoleAccessible"
               v-on:click="vmAction(entry.name, 'openConsole')">
           </td>
         </tr>
diff --git a/org.jdrupes.vmoperator.vmmgmt/src/org/jdrupes/vmoperator/vmmgmt/VmMgmt.java b/org.jdrupes.vmoperator.vmmgmt/src/org/jdrupes/vmoperator/vmmgmt/VmMgmt.java
index ac16803..00df484 100644
--- a/org.jdrupes.vmoperator.vmmgmt/src/org/jdrupes/vmoperator/vmmgmt/VmMgmt.java
+++ b/org.jdrupes.vmoperator.vmmgmt/src/org/jdrupes/vmoperator/vmmgmt/VmMgmt.java
@@ -249,14 +249,15 @@ public class VmMgmt extends FreeMarkerConlet<VmMgmt.VmsModel> {
             .toBigInteger());
 
         // Build result
+        var perms = vmDef.permissionsFor(user, roles);
         return Map.of("metadata",
             Map.of("namespace", vmDef.namespace(),
                 "name", vmDef.name()),
             "spec", spec,
             "status", status,
             "nodeName", vmDef.extra().map(VmExtraData::nodeName).orElse(""),
-            "permissions", vmDef.permissionsFor(user, roles).stream()
-                .map(VmDefinition.Permission::toString).toList());
+            "consoleAccessible", vmDef.consoleAccessible(user, perms),
+            "permissions", perms);
     }
 
     /**
@@ -438,9 +439,7 @@ public class VmMgmt extends FreeMarkerConlet<VmMgmt.VmsModel> {
             }
             break;
         case "openConsole":
-            if (perms.contains(VmDefinition.Permission.ACCESS_CONSOLE)) {
-                openConsole(channel, model, vmChannel, vmDef, user, perms);
-            }
+            openConsole(channel, model, vmChannel, vmDef, user, perms);
             break;
         case "cpus":
             fire(new ModifyVm(vmName, "currentCpus",

From fb73a177484bc2b04625148e367217352ff88d55 Mon Sep 17 00:00:00 2001
From: "Michael N. Lipp" <mnl@mnl.de>
Date: Wed, 5 Mar 2025 15:38:08 +0100
Subject: [PATCH 190/274] Fix link.

---
 webpages/upgrading.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/webpages/upgrading.md b/webpages/upgrading.md
index c1331e5..12ff096 100644
--- a/webpages/upgrading.md
+++ b/webpages/upgrading.md
@@ -10,7 +10,7 @@ layout: vm-operator
 ## To version 4.0.0
 
   * The VmViewer conlet has been renamed to VmAccess. This affects the
-    [configuration](https://jdrupes.org/vm-operator/user-gui.html).
+    [configuration](https://vm-operator.jdrupes.org/user-gui.html).
     Configuration information using the old path
     `/Manager/GuiHttpServer/ConsoleWeblet/WebConsole/ComponentCollector/VmViewer`
     is still accepted for backward compatibility until the next major version,

From 5ae162445cb201c052b423fd84f2a25183237345 Mon Sep 17 00:00:00 2001
From: "Michael N. Lipp" <mnl@mnl.de>
Date: Wed, 5 Mar 2025 18:10:54 +0100
Subject: [PATCH 191/274] Add number format.

---
 dev-example/gen-pool-vm-crds | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/dev-example/gen-pool-vm-crds b/dev-example/gen-pool-vm-crds
index 264e3ba..f9cf692 100755
--- a/dev-example/gen-pool-vm-crds
+++ b/dev-example/gen-pool-vm-crds
@@ -41,7 +41,7 @@ for number in $(seq 1 $count); do
   if [ -z "$prefix" ]; then
     prefix=$(basename $template .tpl.yaml)
   fi
-  name="$prefix$number"
+  name="$prefix$(printf %03d $number)"
   index=$(($number - 1))
   esh -o $destination/$name.yaml $template number=$number index=$index
 done

From 7dc68b5ac75e7c0fa0ed9dd9e3a07ff0783a27ce Mon Sep 17 00:00:00 2001
From: "Michael N. Lipp" <mnl@mnl.de>
Date: Wed, 5 Mar 2025 23:24:03 +0100
Subject: [PATCH 192/274] Add documentation.

---
 webpages/ConfigAccess-preview.png  | Bin 0 -> 10855 bytes
 webpages/PoolAccess-preview.png    | Bin 0 -> 7090 bytes
 webpages/_layouts/vm-operator.html |   5 +
 webpages/auto-login.md             |  84 +++++++++++++++++
 webpages/pools.md                  | 145 ++++++++++++++++++-----------
 webpages/user-gui.md               |   2 +-
 6 files changed, 179 insertions(+), 57 deletions(-)
 create mode 100644 webpages/ConfigAccess-preview.png
 create mode 100644 webpages/PoolAccess-preview.png
 create mode 100644 webpages/auto-login.md

diff --git a/webpages/ConfigAccess-preview.png b/webpages/ConfigAccess-preview.png
new file mode 100644
index 0000000000000000000000000000000000000000..e7523f91b927b6095c8e9e0084730288337eaed5
GIT binary patch
literal 10855
zcmb7q2UJr_*LDOI6#=n;fM5XysVYsniXZ_2rAi=xBE1`mG=VF^MXFS#3M7;S5(GkT
zih@$5gwR3}X$b+Tq4Q0=|F{14zGc1t&pL}_PUg&+*?Z5kpS|~lKhU|ya*X>J1Oj1!
zYTVU>Kp33BciNG|;QxEfkx1}y5OD`;a0LAMA9?yGXmfd}J@U|Zwej$N{LC6+>*DHc
zErzgqW^L_)uygfTWNc7|KrTR_cW)a!Pot82o*PV&_LsWubCgJ&xNsrj{fQ$N4rG^v
zUJio2<Wc<b#|hKzTaNgK{yM$nA@re-sGtXGcSjC!`U`)(6w-0%nrQZ6At9|JXBmzj
z9khKBnARQ(wTU}$;~itI1yS1Arn9O`Zj9^HOjE$v%(=E7Um~as5J-@{$u1mB6hc<F
zWQ0Jj$uaPNo8J!k!nzAhB)>E_qYDcQ-9<pp%Ep6COq78SR`R~9`NL~2jHabF9jE#D
zu+tr>BI4qmL}}2;?E5nWB0c@-!kyINMh+extw&%`JAvr-wKj={N){)Vnc~F6MD~90
zLhgrVW@#-2c4;1<VfpN!4ETuWFFpW)yge7p0)aICJVF=ml^L1hLFxz_ACU0}pH|D&
zf9b*JzXQ)Q-;{6YUrsxf=<7fDkg8zbE#&#Uc2fZi^U7&Kc5{o$6lR@VCW|xEwXhmF
zBs_B$6<S|wp|Yo!D=TwGXp-hk5O1z{^O}!73t7HxMdN6FNXF(R-9VE#%E^9#xjd_>
zlx=M)UuEcTIk{PF<#QY>PV?Pu=ky`Vc;X}rp?b+2AGhEQcA3OGbWyrlIq4xsYl{-K
z?Ak=i<ubkP*$WNhhlG@SXp-%}m&P{|ce;QR=lammr}u$l&MRs50q}N31-(ZFCOpwZ
zScb7vuNK8Yf_CP&Qh4qii#m0@UPW)(t8VgcNb{|~-qPpD1pfqk5@Fd<nYA8%WC7dT
z|Gkoxu0<aAi36Q8;bMQ_$==R{OP6kSd}5SZpsJ$Fv^XOAL`C0s?n)i}Yv}VM-7u@M
z_Wn1YGy}FM5q+0F9kHnpP;0$3*Oj@KEqG6+S6k_lzd7@7#Y7cbMkw#DsksoNv|slP
zAit_(UdjE|)xCeTq2H^yAKeJH$G=tY$YGg?FF#zagEjkq)jz!QJdd%4B%a!l+uEvW
zXkd_^oqb0pRU2GhHE^#QQt}$GuQYE_jtFoS8ezc2z{q&!?AiRFAc#p(29vVVVVRcB
zbKt&Yq1=ffFl?=U9j(yU4iSQ{R=-K9P0qKn<%sw)h*8%7`njnPol#DXsqXVz@or&t
zSom`sOw`SH<dCFmCvU!Nae7B5utm3ZhYlAJ5s?+$%V0n^jFF{++jvl*F!(9R6whGl
z?*8HbHtg(#1W$u*8^L+UjYNv^_Px2+$@HGd43al)q)B9FXZK-@B^o#mf=<T4nf}Y+
zD{9;8)T6(Jcj{)qmPa5F{1hbryuM8ce7PU|AEo!#=J+RplPkN0!Q)&TipA-QK6;Wi
z?cdjk7P$I=ZHJ9t6TaiYOl6KlZ0}GPnSe=5ODo*nrpZ2X_VMwlUaa5tnEie+#`%hN
z3bL$BDkjT?wm{O<(dm!7td%Bh?*8RWYgZSJP+nR2Xm@K(|Jk#WlG0M1`GAdhiM<;7
za+KMeXe95<BvF&>rO6h@=14BzjfpVN)!Bz6pPBTbQrj3Dn?;`UaQRh!{+v!3dwcuV
zZ{NDhorg!T79~%^KYjWn<uUtU<_0hT79N>ChnmMthZB>NWp7PEAmev_^fo3XCZeKv
zWXZU|U5t7RU(wH>Pg%|@n}J0>u(Qh_^`(ee@YUZ&=H?0u2;6N;mcZdVT`DLmT`I&s
z+4)bOJo&?Hw9e1F$fPvaXgf0Uxaa&p_lz_nBxof<mvQ)mRSOc$mq!NE@E8lA**69q
z5N{g`+z%i<pNt|CahWdln>Ix-Ji2q2NE`*@QY*&#wPi`j1B{1fr&C?~dr(^Gl*NYq
z7tkJ0B0LXFuA=1#3yYzH1KOzY(L+kWQyUv$LBV@D>QT>3GUDR0B^q}0&YU^ZX$=4o
zR^gH!dYnsd#;;_U3afO>0@BOb+uf!lnYy_9SVUj^8l$|W!LJ_qoj&$tOH9ptQ@0JJ
zzo>e5eVEV?7#PK?U?gHxc(cgLXBe3AM$+2n@KfkbJ0VhyxAEP(A$)%G*E=$lOclK5
zA6Q$X1m?&XTz~Q7rZnf7u1p-T(>XK-+XG~U12Up~WIEqh?MWF~7*1VBOt*J4OVqxf
zXbN-OTAd>gSKzMbW)!Ybh+1(ARWp3hp1uNoY1dK3m_>duG3~0Vs@C>)50m<*-%bMi
zSBFBO;%(csMO<9m$>jBS@7^6ddi3FwCr{Ed2h-#bQr4}f={oGq)z&9s;cJbIY<=9-
z=_-Nse1SXeqyQS}b$GaY4NhfmDF&Eqa)#f6oF{e2kWFRBt*9%n-pa?64fvO{3neC&
z4<5vJv7TjT&zkGaqkL%L>&4*e(Z&`5hV1O@bOkm?@#MLXs-bb3nwqOajyU^IAxBfB
z?BfIqT*vB#MMe7xO-iNQ#&0F>`u5f%k$0InM86kRjH1W(_h@lQ5nQbv*r~l0V=pj3
z<@o{I>v71Ckb`&^($M6#hK`Przkh9#m}#zZz?Mc_Yg-%s*_0;9YuFh-6c!dHA}43U
z#l=;<v)qP4PkjIQl8LzKbB2@C@#7zdxD~t#R|0@Mbq5CreK)6);pMuzy12EfzJ$2A
zAM<MSV+{>ptE~ZzIgB?3oAXjU=$OLN1eYm2eE2YWI_Kir0?G7z;LZn|_P1H4E>&vo
z?(VR9|Eiwe-nBv7OlX|f!bm}O_9d2cHy_X~?%w|1E*>$XbLRBv%K6^Zbp`JQ1AF^|
z!z|oCOQ=BC<MSpfNnf6HOB2m<5=D&V{f-cE7PvqDV1WBk@h%lWrQJh#$8;RPG%_!1
zM{BDd*vv&2q?`t>QAg`c1$8q##3|piRO>wV$;J(6d?o-F9TW=nk5gwZg9QX$EpKeR
zwMHE_2GUGKGZ0nTl#q1ofu(wxGfWa2_VB}01Ofp!_v;;HUrv#69=fo25m?#EbVo1H
zC!xaCLJVGQ@a@|-2Ld{Ac>U_tt0_0EU$4&(@&gzFGhUnPZJ9iQLs#Frd{suK-@0nj
z^Wnoch<CD!7@w7CaUAck!TBvL<x!sg|FNTY01KMfR75cZbYA9*A#0zR&h)j^u^n|?
z#ifww^D5Y{Up1gT@w&=$<ukL{5#l`nThnlL_KQcHqEDSax3@jEk47Rt%blYXty70F
zezXO;CVW?Cv+#~Y@|$~nO9RTv%H~Ip9)*?KL<tKE1Cwj?^^@RT#MpEIAdW-k=jZpL
ztETbe%gf78@vt+zyi~#m?rOk)9;kQ^w&#%?i%ctw)YU^-fjS*Y!Hi6OW%l}CK7Y<f
z%yiOsm$`Yy$y2A&W8gJj_M^2vC67eKhk;3hUmbdo;cdl80j2$&l@v+a=%s0l@(I^P
zkJzN7T!4s0@ERi{jA21RfoHicP%?mkT5eWDf?0KJY%J{5mT?hm%3mcfXBwpjAT0|Z
zg@};QSB#akhZ2D3cB%OgJa==<dE6NhBOxUvl26=i05vjB1Mg|0e!2j_@_}on<7*4A
zw;fQCu!x9$SB4URKa@$S%^cX0hHh@fZ7=HV&!0P2=swwOzqhk_jG0+qPcN<?7$B};
z4+cQ9MBu8tJS?uvY4FAxz=Zz64C$zIa(VzldI6#&q@<v~fB!B&%*Lnq2rStUz`_=7
z(PDAt3^z9#3_6D=n(IG*UKtk`SLVO@%z3odL_hcb(vMT#YYR1t!itJ!05XXH&DTiY
zV{%Ps*%pUcUqB<@E!kT}gok(UY_3RqFPH`FEVcMfB^m<_5l~v3O0*G#xZuJ2X*VCf
zdGp41f0wq_DuT-gHdZ|ut>8g~dsmSvWT}F{x&Hd)CT3Ro0Ia53ynf?}cBV4Prvt!9
z^=}9ssX|<aMsP}C5iXAm3=;J8^vVE`XlE!^jnc-zivZG^rOSKjJ$m%kICBty{F##{
zvtKcDIsjRbzh}M7z5njVv!kb7!4oDcGhM`5pOu8z*!NtLHu<()8F`+Cp@mF<Msd;k
zzhe{=aKGiFqgUP%fh0Y_tSLD$%6h})&bx3{2;^4}0JM?O%wbyIpMZOf7oMQ=)BBxy
zh=K9*s-efbbG1`<;K1G3UHDg4e&wI23H{0c%mo>!UNsGl*YNRQP^}#b*qj#T9r&>z
zU#W<2J+t1kuU^S4d0&ONHIG<JE?kC%fnGy?<FQY2F7;td1p|{A-}4QIA@H=ui=KA9
zufHE2uYCf51HBn^QFgKNNe=&MP9Ex_9_0B&aT(Z$Zg%j71<)LitZK7qe~fABo;>70
zx}@{*<Ly21LqVK>ynNYLt#(fTEMS{|v8)y-kQwC4k98#DZ@TRBmmvPO90bpRlT50`
zYXHr+oEJ*Clzwx%ALU_UqN43HOr2dSS=8acz6_=9gyduisKbyHj8~ytKZXx}nwNKO
zg&Vw}^Uy-cyDo{engG9~>5lDNsWQ&S=H~T(F<yWMz@K_`q|$=RUAxfUD)Cpe^<c1+
z7E@a~=mH3Y0TyM1GpF++_<x{lKLdasH(mpbTc?`9s-D#eT)mi;1E>v*<mXzwP$vtQ
z9rG_bc~V|8&IoH};cBO)rKPW<6AjE{+G`gu!P6WZxml`V^2vivGR_0VSw_QvtL4|$
z?ud@@f`w21GO=vyQkgjJ`0_A3%Mr_!-CtxX?>7MWO#!`i`z1COeaH00-qDzCEp2T>
z4UIpOBrMDw(@8GGnan^eJHNV+fWYUfS~_l)+GrQ81FuO2F(+f4J|s^BfXe3nA6tBL
zb8~y*oRFPP+hFJI_46on23|R!+RurYr|WI2n`*`5eMeO_5g-9TqCR=QOOlfMa&mIq
z(hdo2%Lxgm1Avo7=jXeLV+srDJV)y3*I3CHu8_`7KmiiozJ26c^ZE1LjudIkLk9+k
z<cf*qaH(ykK!I%+cCFmA%-v}c3Iq=V-NbkA=1Tm(#a(vj&5Z(pVwOZ(9J9E5`LZ}w
zQc@D^%pZj0Ly)l}%*?$^=l#dMo>1q?4g@j3>S9QpJowV62-Y`TZiwONJjG6q18jU_
z<GGk=d3#l1ZLOJzG1dSEgB7h$OiTb4PRDzM3HW!Ijn98*k?B^G=KcG9?e8R&u$gj*
zEBnO^LBh%^T4fhaL^<Gy4r!oU6u{TZPzn)eeEW7Vwr(9(F^oha?WjZeP9l)%@i2xf
zZ!$8lM^9bpgDF4$bZ{Db;Fh#9vy*nJdK=)k-?RAF%9T83|D5-#Ns)=dRycz-(;Xn7
z;F@ts;&3#uGrR+#)p;9;lvnZj1Hbk8?gdf}K-~9$1f_jcU>IkXo+-WV$^vl!G6boE
zbOC!x|9P@A#cpySSDZRrVGLpnJV0T<O6<YJT*6d&e@sp$0>F}X?6(8(&VAGEJ&5vj
zDRq!v>0|`qZN*{8!lr1|>TI_feR~-7^Wp8-XO`}FcceDxgVv19sD_qS@BCn?C(v@6
z1728K8sAAL26T?Csij3?ZGim3kyi%kL*X|I!^Gs}^$H3Y1)z?^7de-;j6@W+i@}<~
zRZ`04_$`hAt6ArP>N$`hAX1lp_EUpC+0HaMO<=!vc6RAhCN{o80HgN6myyRB0vT%+
zAS_}^O6fk1knv#MmcxFl8nI~c*Qts4dnP7+Pd_|Da?8qSYx9mfQKItmg-}2#Q>}?9
ziayWks5KsQ*&v^S(a+O4jt7w(BHDWC#}~Xy=OEaEFrt(K&kVU^OwxN^59g8&us5jp
z^O$%Lf&hTJEO37h*2ZJK9^m1DJj_~a#>iwodNzz6>EhD#iI2gT$`k)BCjWa>Y08`O
z<?hvO4Qy*`>n{8lL?R(EQ3N!>-OZZQ5W5El%jG{yM|FSLxiiJrMgtIC8|x=((Xz~Z
zhA7oMhJxIB>5yQmpN{!-CpBL+)rb!5?YuQRaMr(|Jxr$PG{?~A-yJU%6Zl2T!iV5}
zdQ@?TIe^cQ#zU_!J_NY<@3KPw&bv^GrGx&x0};nEkEh+SRL~NP(4xDEFY0Rf#uYky
z;!L-cO4w!`7K2qs*bg+yy}H<4nvm*k2Ass}h^Te?f=+Pq6b;NCnVROMuWwwMVc108
zxAs<%>F29AZ+-<+|8>XBEf!Ysr`0jWAjGkM%v}AuIsR)rZ<aHXLjD@ADK_k`=jfGa
zXRA{sP=N4{)suf^_q5^~{?FrfkvHhx0jj+Cc>71o6Vk2?cCT(ar2M>)zIzq?%aoV1
z%7ffMoLpATSUZ7Jg~JbzBVdd{%rQ9C4Hz=Xt%)T?4v`DUCU==v%hLMd*x38+-DOJD
z79pxaX!}95?$BRhu-`!aM%E)q<1<1E4SM`1Ri&!ELww6wk_4Pd7P)F;91feb%PE^`
z!B3MzJz3Tq8oHFX3t{C>SD_$D*au>=_na2~4*}8NTFKm>Z>s=Vj_<Sn{Y_p!@1ksM
z(;j%eK<!-<)eNkuFQBK(y2?Lp4X<ghg*|@Q+9^B4C--oUP=D&=$-bO>Y-_XKsvyp&
zUh6mY+@@AgCSz1wewoWa_5fswgRBvOANYc?DTW|ju!EfkqvPchEV9_cFIMli9)b2G
zpf<Ozl|G2`(8nE7dhS`~(s1LBiJUcT%_=;Jdb7YifWK?@dAfpk|F?KSI$QxB)9O;;
z*qyEB3sM+~>FGsY)FJyHpToK3J@OGeu0v9x%gfK|Rz8NoYW75Um7m?c9ei7J*1zCI
zys}QRN9DlaLRewCuML@b%V+-u-i4r9LGq8+JG_oVjP;tQpw5?i%_Y9;su69V?cM9c
zYV)wndcWGcZe5)bKz8qVr(gjhOJfktd(b|Q30-JJCtJMB3)p7MhY!nC&v-W&=4k<k
zTu&;|#x-n4uTxdt0}jbD?~QsP`8W-*75~+%6L%yX`$e5cDj(8w7U@(F000CnRL3ww
zc0SrFIRV4U@3|7S5FlJAHex1}s$DXOe3i;9ZEasKkfV+27?{3K9c!@APLX=(<Wwj?
z$2WQ)70PxV3z7o`AZbKT9woeaGcnSfDibw<GQrK3qC}*on;&kqoQffP@B8JIuua*u
zt_FT{sZbcMyJi*bYu*o!*`K=YsXbe0n^%W)t#HC1##HqWlP%XTQg`QUXG+qV?v-sf
z_(=;`2MK($DRm^T?Dyn5s*`asBN8Bhv&~h;&6vL}D8t+%2k(2w=%fkt_08C7#6{1{
zPzr1_^i%tb)_(pBlb%>NEpwW3s9V{)lo_C2`77krtGSnK$`2kr8Zf~h2wDm5@*VJ+
zPQZM!@n(G~@7s^w2Ij$L&Rdk>{L=7osY2I<B3%%xAZAPR^EFasUHeU4>rfPIjSfeI
z+Lte1V8xcf&C$FVX#5pu+}0W;Z+_mX4#e`@iqDIUow;9j*bu`%-O=81t`0qZgTWxi
zC9bF^m(!-RduhktcKA(!s)zB`O{iX`xl$tH=bxkgG{!ZZ>h{UKcyS8$?W|o9=~tq>
z*@$^unGGrV_3KCjT!zwWN3QE-sBBFAZT>JGrHFekz7Zk^ab#WE2%5bqR3q+K#Idy>
z?SU9DU%&Oe!k&^FD7d6vIQ*0V^nele#LLj+w{P>`N!pS-6&5{eUQD;Y1BAh8wHhSR
zrCY6)xQE_ew=y#~73Bc@?S9}!(|G}?iHV7@m{`%7>QEM*+yebP^3QMaLsbadI<P{5
zL-(l|Wg)1%*L)@GQ(KCqSG0`(T9iOR?M`1>ZAw$-E>@#|-q^y}9U6W|^^SqboIKOD
z3m0yIaPsBhRl?Akh5e4R)n(vg0}F05ZV6u)@0&8H_NedMRFt^_i%a-E*H@CSVU=H9
zJd2bsbIrT*@uM$!a7IeN`u!H%rz(_{Pe>$-ML8A_765IIAlMOa6TJVnaYP!zc|7w_
zdFRsYt%X}v<qHz}09L9Cj6*nFyr|YS1<BXVsyzeWF%)rlM$=sOdJ$bpc^qOejX1Dx
z2xvo*S7Bia#LS!ScjD5Ta#*8@YHDiccze;Yfc+es-EHaJ)fMGeAyVC6s6)c?Lr1g;
zVRx;ptjx+I!lUB^(naM9zQ>-3;zrc8ZFMR88l$;6c2`Tg)_S|P`;gF6yWWesDbJHB
zoNzlks-#D%l>LwL(Sd=pN-Gr&<a9RWzQ82$UcvneKsB4mdn%(v8Ofe1lU)aXA*cOi
zri%_#e%}x+MtL0TW*eM>tvYA<mOG=Fa54-U9r3IJ_T3e)jumqcKc9@#5`PFnHYIFK
zA(;gz=xy6_ZLK0y4}_1vIGaFbb8SPv3$2UGNZI+GNf53_fr!G$y0DkXBU@7@ChEcR
z#;0Y)8V@_oWq)vtGf$bieinXG{%XB7bJ6y)<Do-`u3}9jJu%#^iu&OG+_!IR1xTbp
z>Wzw7Dve|An{6(+PS)J;!3jaW_mAbK(eM|WQ*obbfo9GD&AcIfDtoT=At}%zJ7nVy
z=>>}Y`?-r96GgZv#}D`@mcFkpEGsJGAd~hgBt(dxUljy0ol_X2B0Z3JApjxb0QlCa
zEb0Tp+Ou6<b07(iR_##GRn`Q*0hz!WwQ#t+f(6cWA64zKfE>59%COASQt(ym91q^b
zyX)sJ`9BCW5lxcB`t(+qN>RVOOWDQEy^em}*Z9I1U4}HE!*je~#2H>~OVuVsyDdVI
zDTq0|i@`MFD@2?7T){icF{#N22J5K=pISE;id~MgDk)o7O3GleIjYwYSC<Q*7!ZE@
z&E=_~TAxyS`0bh6?B>2*evFm1hr&GCJ<FqBP*S32@wAYT;>jZbMWL)a%Og}w(Z7CO
zgOAjw8)0EN=e-yDB?D9E3GTqs^JyFbqR?s@tw9Nsa!MX9oJzvdk?^{#c^=&j?N11j
zdp7md?#b$O35efsH(_+kTAqV4HC2ada?DK`9)hJCW>1ZAwiyu~KgDa@KEQzwKl*(!
zRNej&=i<V%@uKikg7g$QGpBeT$Yv0-RGGBj-B4=^Wl<=SsqdGPF^W;%u&vvhuJK)-
zD|mf`O@Bs9q8p*BQotmrQUH9JuyE_y`hZ`$G`j_gtFVILJ?b#NS3gE6n~zjWv9}|Z
zM~S<P=}b*cRU@s!O3`vRZrst`U1RSEm=se|psIZnUt1vPp9++mC|qZTKt@VM&1(nD
z5s!flCnhBHSu)9Gy6$CESta{=QhqMpfTUg7^E&Xh`*$v)srI2brTfy2Ta#Pr8B6fv
zfES5BHM<Fh`QLKk{~PH#7fcnE2FZo>H)bIJv<=9txsZs6F=$FhOw?CEI(ZM4m!2j{
zsRJ&X=qEb%o98Wj@aJulFaQaOz+?u9xg(w0cKugs8$>+f#B$-EsjbhS|6kPhUuomt
zYNUT#bQOyeM+9m~1Y{yA8$rc1I76m*m|8OE1X!AZn%XPC1D}=-f-8*zx{NE`yHE-%
zDuERpJAT~2((*k61H)6iFW<)M*#UqP2-S!$*`UA%;{8FY*C&vsXygJJ#m+Rt-G{^@
zc`c2(4p|*bz3hFzBL~}N_V#lhJC^db(u0epbuj#8;0<Yf-XGgj5lmzjC)-j4&{&$1
zIQ`9kFAAm^BS3bkGPdr`Ri(1~^8R;zBq$izzUjN6w>6_-?=LaN8wP}Mi+A*ELJuc<
z-*^UGuk+}n_uXZ<ot4IEP%=|2i!2V^8pOOX_J8%eCu`;}??X3@H<rEsYR|%7R`_q$
z{4UP^Z=L&Z@lZcoMdkya%lh=<UVH1-Xws>n6gYWN9!z=s_ITR$rPoKTpMv^cV_{*4
zG`NZ2FFF7jw=&(kFt{%cA8qz-sl3>Ivl-Rl?;R;Qkx%(CP(2*Ac)4h|$it~5L3Z%@
z3#%v8-M7?TX%2cCNx3fv<zZ60x+~EG|F&luGh_yV9Hr9F0$`i{3pwU?O_5wV$jD5j
z=~#TTM8f*Hc;#Ac->1b5B2r<u0y)7vHl6Oc+B-(Cs^_jgMX%0uA+v7;8e8-2;~J#U
z5mMu0Jr#p_N&90ldbh(@X%ju47I#dt<i0l@h6KeNe1sbI)ztFVTy#$U^b(m`Q&aAK
zd~MBDFu<?EU?-$(*WCU-t=CbXROT4@_{%tiIMue0z%fdGk$NS#N52VGr~*alY95M#
zwk;;a!K(VNRlY2v@)i7q&S3zve@@)pu@5SnQO;?$_SRft&rmrZ@x^X`$c9)v{fkEE
zX~&^X$dW)6T59gt+_nmL%aB(L<pf$Fs?uO+)o<?SDZTZk9xZ!3&C}b$ekL=LwnD1I
z(;jos4+;1`{d`#ub7ZclNY5*{>{-mr<L>>)<o-PY(neC*-23bIH!z)fW9o6!wwfO<
z_86w?h(*N2hI%G&IJpPz1ddrAe1Fvu`39#&^B4AXxKbBT${u}gdQ?cM!JK;~x=&m^
zMRu#N`kN~9sxjAr`Opev(<^n2WuzmbKs#Y|P=`ig<J6?>WtQ!_Q9X5!ONKt=T(}mE
zpL<_6D>GM(ZQkOT=xM3YGO6mpyK2OU$G;%m+oF8e-+t~EyZQ--^sdk%ipAbo=ML^C
z*^*t4hciIN`6vCL@4}FaXoeP^cRhbxSAVcM!AUI7+!NYeQfXd6)gW0v^jI~SHATug
z3)q`RUq9|=s%ymqt)9AZwc#%8$CYy?VtTy~_|Mgqc05XYNKm~=Q!lXIC@9x0y1|eo
zpcH?x&ZDSL^uDlYJfG&9j4{jANNCTDp){-A%-%|sQ0vC#iaSnOC-0Z#T=4ClhWZ3P
z(+S_gyil!(z*yh%xKDo|O)Ru1fign|4Z64NVpnHR%w;<2QmqDEu3j<NYSHMr*kdsZ
z(hH4Dmr^x|-igX17r%s@jgeT_5NspSN(l3turk%^>?n3ooxG?futZOIq#HkUG7d-s
zYMqE59-8mTKcxOBBIa7C(xRra^v@wAjHa`e)%NmGbJs7+0%MV@mj>SY8NuNzUBb@I
zx|lBr9`869G%L7AP^D7b0*qdWS{iiix~@!#aY;6>G~(|0I6LRhztX3iouaY-Esmim
zk59`>6S|}xBz?*k;LNY!{W+J_Uy9Nr&kbbjlUKjqApS~#j}J|2WIcVuzDl2{sVOSZ
z+&ZMZV^A-%zvsO2n%Uy}h^ULrZ7}XS>oMM>=+j&jG+Q`_ahk6ShWz2#>UU^QcRY4m
z$>Y<?b=nk<%J7%7b$=|Bg(tE8tPzhWlJA#L!?y9__*2hj8j>A*erEM7Vq^CPx{kb^
z<mCQXW%9P$t7*Sl#l;_)U_4*7-b_De(#X_Ii>sHrptM>=S#}XaaoMXc4l@yaGtV9P
zlw}=qJ;YcE;?vta;g)s%vutk7b%RO;-7SZPZP+A#<feP(Vw`$|*siQ@$uMfzk2|=F
zr%F(lP&WCsV9I@hPqup@r`c_mknTWhhw81k*)In4NIIJNtw(ca!Ytrz=u_vS4U6_2
z8WPq+yBVK*3R-P!#JlT_^yaN!fAN?)VGkYhYp<b^9-TdT2=YD{AMr*{Tqg9I@uFuy
z`<{C1)j}mv@>|ixYhYSO>wP8CWS!A|{Jl4qEIqvKZ|BbVN<<`IdWo_np1s&=PCz6X
zo$0UT`p~W@z$<dymjhEHleIuK-|E>Ab;xiQ=2D73U^G|fjF0gw897o%AiWiG{`Tf|
zTU3zOPYFG<x9(htY6?huO623={3|_4=zy}wYdVkI6vZQCvAZ^<Z3c7$eIFd9d*e=5
zHZPuNI25VnKhkULa30~XsT2@Ji4F*8ylL{@)ztng1`En%xz)NaVr`5y>rA2hE73Dv
z!)!dN>0OZt8K#cyQ{2e{QPjtUYzWDF*xY5!x$dc+_J?{e3Rb@aMrj2fpL;;_+TYTw
zt}abjGM#(H(o>y@%s(+HSzC`;9iLH;f#+4~51&qi_V#N9a*3Wv;1)bHGSYOje-=&K
z><C6jERQ;*ZE~L!P)d8US}hl<lZTDplNouNQ}H<SI*xjtKk~gPY@*&gFe{7&5_DKb
z913gbTG=V8DCd6sgBYMAwoPs68EA{tdg$SBB`VD}<WF*~y*?cJsvA@BBC|}e3sIvg
zh`jE~ll*DpX_^%6N{*nzcM-i;+T@uD(XJHpJy<n`e=Zc;^FtxhymU+g>zBH$X*IB1
zV5ok})FXAZm8Dq`PZ>?f#d<c7CPkuxZe}IB7b<gdJ*GCHW7CX9;gVysy#6!}`#n1=
z^U+y{k89zHJr+sOxjGc;6w+^-s|DkT&1`tYAz^NY>BWIMC3&zkFHo2P(s)-iKA>iw
z=Oik|C0<_1_4vIEdyvd$K)qz+TA4K`^;urdVO?*?B(0lPxDe_C@cK7ZvjL&7eWDsQ
znw`ZP#aB{Mu~l;^O^ohfXWqpfn@rNWJk>*8<cX)ayU<UUjo&*TXt7_60oEuYo(xkA
z=tq6LdvgxB^Z&viZ}HYv#ay{?ejiJ({^YB+X#^SvAzn!Y8q=vy-$W+=oVDt%s9}Rh
zJ)L5_X9cj1i%I&yf7B(v<I<$}<XU(0;%l5+9!SKJuh%ELHbe$*(Vg)>5uv{kJI?1n
zzrKMngJT={BO_)Y6|so|=YoQmwOw4WAc7@fnadtISQt(>1~Y<+My$Xc`nj)|sp)C*
z_{W!k=sl|$b+&Bl>;&cfhoBP5%BMJR#2VCq%qqdt;E)wE=Uz-T{Jb5$I<wgeod4mK
z_xRc}C0(C#fUs1(rR&{w`P-5Ss3|1R5Qh6k8b~hQJ`2yCO9#y|Y8>@fd^&ck{8-*5
zO6;wVP>o&oyv_x>5;BLKWI#1~W0u5lt7-Y{K&RlsUf6<5U7iH9u7!Z~u#agNeHa%!
zEZyQtbbx%l)449p{%Xjt!==~T#`qv<6!AYBjpA$eyZyF^z8w<bTfY5@0pSL0mV^rT
z9mfXWAWZ#!^(R<IP&4P*_D;?~KZx5!H-#{&zdq4#wXBoWFkQF#q`+~Xz?j4zVz>y$
z)YsZHVz_2U2)EgI+M9`ie&}`CN$NAmO-^{MlG8%v_MKlgLe0a0)EXXEPudXN&u2Dk
zrHsW*TrRbtj@*TzsWUciPX96c7?D@ccU{-w(%LI&@0Bixg&La;w48SbDVep-{-%Z0
z&#{cWtBeO_Au~J-sj0-#<37F$$I15THB}CT1`mf9N0+8vuBfT*QPVq5T!o~y?Wv$R
W8+=P6Gk1XXL7-|ncd>UY|M(w2iYRLU

literal 0
HcmV?d00001

diff --git a/webpages/PoolAccess-preview.png b/webpages/PoolAccess-preview.png
new file mode 100644
index 0000000000000000000000000000000000000000..34db8cd3cbbfef15c8ce24c00527d48b449e81f2
GIT binary patch
literal 7090
zcmcIp^<R_k_a>Bji-0r;h)5^`0s=A^B@Gf1(p^%cW5iGiky1grLqNK_h0!74Xrvr4
zMt6R1fBgOdA6{eiY<uqeoa<cIb<Pv6p{77e!a#z9gF~vMDEk^bu7m%4A_8#Fm`~mT
z9&WkIC}|UcKYt>tkKi@Ehn${=7R<)O+uY3>$JQC<WX<Dl>1J*1>~071*uig;0AH0=
zl9kr>NyX0l`BSa6AooU0+*pldWP-@E9}u&@`k0LuD&|I7z*W7z@n5w?jf*%<9-ND(
z;83dQeS*b1W$C@q|6Y^D>5`L5Ka^pmP-0)>kXDp=@R*pD_Un+d7y8oNYkGcg;cL6v
z^3D|;%iT00E_mVCn}ANTwXya1l+E?RHL&n_?t0v&sxaQq5P8)=?i8h#@322-m~@qI
zQg+f1EheWq+CWIf!dfFammrqV1pB4M#a^7vvrF~h#0|acOOkycP_tIQCL@%&{mo^Q
zUvool9@7*yg{lp)`%nBfb)7~d%5w*rHX!aan@$mf+dZ(WQ$njV8|fa@@}-@GXP-vV
zcH6w`r5ThI(L(B);;c`UMGQ$(3$2$q#mL`vWm*$ZdKBy}0{_};o#K`#M|5Mn)Ae+l
zRS0hXvCQOGQhs@(<QqR8S;IUo5=h$iOr*n#`-M8%ym%msG9NxXtGRMdqh{BKq4S(!
zlK?VD4OT8(EXSTZymUZiW4moFkG{P<(h{PkNfjy2CZB^;)B6Z(2@NG+U|`TrXb96U
zQE>Xo3tRHwjddYeN`bPy3!PAliP6`sVf~TKMRzCk_xT-}Y6pT39S-pmQv*@gssy4Z
znZhYU7_}1e&Tne@T{cx&;~PdC(Q_j$I*glerkqAH*d#|-FnOzQ^7C#aG5ITw@Mh2M
zdm60C3Ot#^9fuPUaOmC5jnPlHv_H1j6Hc6c{?7!i*%tjlne2(|fDdG4cxNSZm|8r|
z@c}M%wr{H7YM@=WzEqh0oXFE9s_ZlWG;6d8t)EnY&c26126?BXeHhRDz~l?O&5cxj
zSUwI3>m{XPda7yBab~O9No)`a1)Vzm{^Z8Sr10`c3Nh;?8df@oIcw(7d>~dULo|{s
zxb)-1v(h<pAej7>5U0Abd+8=8IFWC1EK>&OK;0oJ9>347*&!S%Dk_>h6+Ie{kKR1J
z%2FPVO9{tVtV$Ain#<egn~88g*tR7(JGV((T&#~@$$Xf&F!iRRip8k&I>B~S`XstX
zm~!;*UnItyM%yO-QR=e1n4Xy%F?ybu=|yEGnS;$Ck)0U5>7)SSqODLssAWZ3Ei3$H
z&OlkIrskW$ytca=JL)M#^2x=^H!jx)S5^zJaAB6{@S?%fMT<e*)8^ivNcErN?3XFm
z8)omq`!Ep&rEg9TF%XF)Z_0|a8rN>}4D_<S^vjp{vvn}rg=XJK7RmIc?Z$|voz|2F
zcl6h!qz%`WfdsxPkB!$oF)Sm!U)X%NDv(nxe%?|$E%uX72*{WR&yO%V39#wPkd6<8
z2b)D@GAq|RqggL2^qv-*wxz!v|IY6?_3XQP#<1T`3!#*!rx5p>Qmg*B$C39%zp`BZ
zA>5j($my#+!OkL^eGd|!zrEKLMrM0{xY2xlj?vcEzI8}H(<rz`Q#L@BA#yg?)0M(!
z;k<R9j5;~7`C5GPNI1a-FZHx8$<!vUMy<=Rz0BRUMoN>4hS#Wfe{J9lEJ#sF$$X+f
zQ&vuHubbAi+-~gQ0^%lM@`xF6>FR}@k$e66p7)$9Au@&qjh4I-bwHIKU0m%npqX(5
z1O&7b5SM#M9Mv?)WS)P=``eB))#1Uxw_a;$J$~|JdGd|vTAKHQ`EaV})?7pE_0>ge
zYU<#|c)ot4$72vw@8X+2&Wzoys*$fLDJpG&S9JUqw`d|lByY|}F4q+#JFWJw6sAoM
z*H>p!c!s$0e;2!apX-FeXx&F<yCv!>%sk=-FfT(mdag@**;8@Sx;zHy?@fOyfzijj
zInttxjHN!_o*!rpxKMoc${IUU<FP*4QL#1ey=Z;3Iq3*;k|by={1%g^lHhZJt)qY8
z@&G4aJ;P>uuEBAx{tLfl&*!gSmk+KeDJhjyRUb)8W?WwS-=m~t8c<eN?j0D&QO}Tg
z#K|ev?<CA<ZEbytg(27=5QZSh%O$d6gPKn@4k!V$cAQ$L*}r<n32m1l)ZDte*B3hn
z?f7I;mLnxxB$(eNmZO={qc6TDN+Kjcxma0QJ#(6=rn&a2*~y^YO!_+UrNmb#y3%x;
z7kv^|>XJ7sZ~UP%yD2BY8GS}PU#@4aZ_|*orRdtCk~VA(kqBJo2wk|p(4UdLff^E@
z)Vyj;ir0TiBOk*&ba{4Q+)2E9wS!<`_>gV$yI4Qk1@CZYF@rPR2Tx9Os?oD((W(3-
zd%J5TM)I0YPBZy19Y-B{6vq}+e^jn6c~w17*%!-+uc4vwhpWkB;~ow_KYz49&RFmJ
z+yCh``|#H-z>5~Kup+kz4E>ERg)c4UtRr)ncYs&du+Tw+?mkP;2=eSMSNo0XcF)(n
zO;7C7{onaVUDNlH$<|l<VtucUPz_hdvrN_;vEi|t>ibJ!EHaiKp(Pk+08gCNzkko?
zLk|x<JRrug=Fal+1dz1o$6DW?>m$!33EJ5|FJ5hX8^?QY{JM=(HNC}Eg;+o``$d99
zMXVrWa=1vYE>8Z{%^`LcwR2o2*U){Ws`uvS8icXv*fh&K_e(;4&*uqfoCf}3#N8#@
zmFzP>7}0&q2-PcRP8prQh;wAHz%$`$Pf1yBJIbnhAt9m5qcX%=`#bzpG4JR~0aTig
z`pa#T7P!!3%-Bjwp|2m=?Q*NWdkK(Z^PWoU0i5-P7O|J1cUU<&!@%~w#>L4>OXKFN
zrC9(3{Os-)@@4T`pQ|fGVK(L(sx}2|BWU?-KuM*Fx`&c73YVLA5oG7&(2IFJC6hSK
z9MEWLIYWmyELHm*jg$NyUhfDG8M=wt(0CVqc!Xw(l^c$xLdCXTi?cu})X~qdhlU`^
z0Pcw*FlK6MY7gwpx41Z}U*qFv!``i3Ox|-HEhh^Y*ZK1DXE6h*WuI=w6j%y>R}jYa
zu-dDs-AzhLdc@A|n|eQ+KiJ;e_^zyx(ft$=7zfx(aq-j2swz<K7PGZZj*G2n2`2FH
zy%l8LI<$H{gSM6aHzbVmPu^qxOLTeZ(1Nqq%Ak|ZRSh<j!G#zj$$(#+_t{<|lUuhq
zGdue|k_C~<a&wC0MV#vB=$N2*`1ri1!|>}}mhf<(e#ahhOcMT6wqiX|jK~4LHdPxN
z4uDW9dU|@gD0vRm#L-CgHI^0=bpr#2w{PF#q)H;v>lOo3K)`~89DY|f1qBxVa>pyK
z&lkIa3iq$Tuj>((6)G>p!ZuFV_fk%Gtw`Hu+^03KWAG?dB%WAKUcF1Z<=SGm(nib|
z%?u@py0F-8`IYrDtbKs|4c2I`#qR{q1)b(iFcJOnBT-K@)4<sQdb-M%3_YA?x!U{X
zRcK|&5}?_^WT6O_>)kNkwY|N)r$+VULBD?e(nTzqo$t#)S5VXx6xrU>3jWyE_%KQr
zQTB4Jf@tFyq+m1b#lX0w-qv$hD*K>9r5VuxjRV}MPv?JGY!_Ptc-Iu7@0)jjq8_Ew
zs0q&&S@e%RK#z!-px4$aTvy~}WMq8Sv%>J4BLZGr%s7-aG&?(ujg3v9Q0`k({9fC0
z8<m3+nrjkc6Tj!%DiZe%7-15lA6&yJa4u~OyaOSPYfHEE1Y0=W#~*GijI}GM{}jyL
zsbRwdEAnx*5NQm>oV6*y1%0Jti<)g6M)gZ{yU*yNt`@kD(e`9TlbZsvjy(2@GH2r%
z*FPCy&A9EE(jV4;moSEegrrIYB=`0z0)Mr(wg&X=!_<@>(#yia;u%8}khEu3z2r}6
z{tF{x>9Mb=1Qmqb>ygqc(fzKLrtIr0ng;QF$j0_zR0EYH30ur1wwnIJrr@*R$NARI
z?!n{7;R`K(TCZPsR#+m5NJ*{d8$ENse<!%4ueSfWDRZsqf?bVR1RKqle~!q|a!^)L
z;itP3eMWo|rk3wM*VKI$n4P>MZ9A0Q4f4ihJ7;BU3%G*}dPol7?zM&Acv8+J=4I6t
zO8QTr=jM!BFZWfP+pfG8;FuDdkl3Ck?P;=k)x>96N-qq@|J4<63j_78D+R^HRv>F}
zadFRl_pPo^k&?AVE_jztYA}NCkStWk3_X@Rl_#r^S=+x!zgR=l*2&G@)Nj<;Ph$^D
zVPOYfz}BVR(k3DW{w&KJn8W9)cu#^um83#OpAi?3GjQNi%XB@;l(9?vAAAV=B$JSg
z*=qS`c=Ux)bq(@oIA!1P@ZIAwO*_RVlJy@tMZJTAcf16Xc?1Px7q5@&L{?iWD=X>5
zeV)n5$)WPDqbl9eYON<NJN*8qE;b|SCGa{A#O720p!_>55=Md<RmQhHM$(}j&N2~L
zK$BCi>;(TwcLZN+Z-HixUV|IEtE=l^hGa&S?FfN35-7C$<tnFShokV~AN6JZCK5X*
zC#Uk1Q42uJ;73v_oaZ5c584Gs#JfIHu=$*=B{ZD<O_{EKt0m<Lzy*@|7wAimm4L5L
z-5<L*xYR?o!YOC-JAueZdO<}M70bi*G4Zq2*i?vTf8N4ajzW@<0}bF5@zXyafJncH
z=P_=KqZhP!K7G73UFEwJLfhNlZ?Qg_1$0Wl@7NJgcF#*PsI0RyuR;v7HTX~@9shg4
z4erZ7iOaAh1qBa)p8yu)ML#ggmOYV6e>y${qHtfh{J{Yh%Noe@Q-kV)q_z%Bjxpi$
zM~{BG3R;v%fU16f<$(9+P1`xOVV(2Z7X@bXp=2SzDW5w#WoY<JBCiNWa0cReEPFq*
zHt+Q?&H-3nF4MOC0iF{lH$PuXPp=mkFs7r3hzL>N{oIw|RpFE<bOs_Fh{HbM3G*5Q
z{c1Z3zUEy#LEB-g=}K#D9i6?)gAqR`7|<&mz%x}UzB>yokGZ*XYHNR&L2&x|`uul0
z2nSO{)CF&ty?V?<q;6#l+2mAKenqGIMFY)NXqdFO20vxg>OZY1>@@Q{-S;m&4v3Mw
zt1CY+L2NucQLHaR$(fj50ZIo-9o7@DS!&$mhBEf9K->i4Fb5oJZnuFaye7@PDts+J
z{~;sbWS&q;M~50%@chQc<l!{2qS~{~$s!z&t*Nm*@rMsPE9NpF6ciL7mpLIIlKI9b
znVpjGmh{ETzasyFp{v_NYwF)|jGbkQbsmo8h~;?YrtdwN$iKR_rfFyx(P3r=K+h|<
z(d4~j(-}-m7lk^1{|=uJlJ1T9O&SCgR6!qAYK&V@T1t?amDRC^TYtEjE)gr~S*->i
z#aX>>x*Ig>=RxG9Wnc`DP}aOpa&~qGZ0I{+l7X6c@Z33;nx4i?OiYkdP)Nh!5W`wW
zRsf9MT^F@9NVoe46kQqZ7eheK%)DLU1n|dOM#dtc3S5JfwZ-UlqgK9J;N%#D*bYZ{
z?VI^1roKhNzdYsFkN*CCpYx4;dSOR8&`&&)kYG+zLxO-#)xk1U=70Qnl7Ir-yM6=*
zREi7Sah~_i0>E+D=%@z#c&iU^wZVi0n*NR0MW8iE5y)`#{_?T~IHshhmuL#McM;Gm
zKOw~B|Jk%}Snyliq|mJ<(UK=%=`%A1|FY%WxWVB8VZzA>IM$DC9IncEo^JFdIeBv*
zDe?B#qvM^$5zY+%&RnI~`?C(EtE*NCgi%m$85ul%ef?-SfFv-SaR3sh#tN8R!lUu{
z*o2BFW=`c5*dp%B)7nHck;2JG931y(XnH`#eNUId0R5YRTtvU*8b%T<`t3j=o}023
z77xX|w*HvjoYR7;@|<3Xd#p88@5+V)%vGy1HeJy6u1fq<)+bLsnRkWmowVJgWoJJO
zyuz3gYAXyp$_y-jyc^c+))@(L6lP*sHC@^>v>dG~wj7O2Or$gMU84qN+NF*-*MfL&
ztGc-fFbX@G0dBevg-`IiR{5W~>6RGCX=+l0hle)<`kC`Zr}55WP-QIO4ZWu{U%!4W
zHEbFmA1^E{G#~%|%5k<f3IOBZmq0Uw_any|QZ)HviW8SguEVBEG<s~>QFt<J(mv02
zB)!Agj}j=6M-n*^G4b1P<FyiErd^kV4;@LSs6xooq7#rk{2TGTG%&H}&#5B1mwlKh
zD3)G`KbVR6_3QN=0(^Lj$&vX@XYiHi?hwXI#0cX^vTD@apO^xnuo(rnoOQE-aPAK0
z<Wri@LFc<msBc??Wslmj(_6n}1=D*3GkT={c((Ue)3ZE<b4HZ7fR?2ENc(mc0n{d?
za}C06PQV17L;fIcJf~wyh{pWyY4FtsdWQ7F8O`OH<kRlPPRf6qmam!q)cxIMTNx_W
zRtf|}PK=|fo;k6YWL8Z_Lw~XT%>F-}Bi%Xm`{TG}HVFc2@x5MxIo#E9a1F8rQG*^@
z_L}?Lf|}EG!`l?{=N`nK6PiJkYaF%dKZxuN<u2H9bzJin`W-~`w0|2iS#Ml5?yjX;
zRkA28FWf?PadW#X^UpSCB=X3*D@y4!U;93O!y}Az_;A;Ro^pq-hnId~ATQATThii9
z)t0=7mj8c>Qu9>0Nz*>nb9u!uD>|qcLz+q0FUifBhJ2;5rQ+-5MeO!{V+ycU5k97;
z9m~Q-SO#ai*Ja*lhl}jnI!A-b;eTJ3+|sV*B`%0%%d5FOs>aaE%(F$#O%`pO(6U9M
z0zExRNgSe$mfO5&-CAdU<(85Uv4`oWUb@}LArJg0ANoG8VPspGY@4_ko{#{G@x8IS
zjerCu{U<~dosgs#=b0|K;5|U<cvPouZq5qaCMfY@U2cGvyv)p?<Yb0H8^MZ-io=a@
zq-H)(Y>+TS!~a`q#GAA0Ag*-AnOKlq2~<Oa3fIV8Y@gsucqLZ*c3FUlvW>KmC~cX5
zb{=Z760}pXpFfZOFtxY_vQSu5bkNkQme0n^8x62qb_AM%24L5(&X3r{#G3l@1XPrj
zxgI}e<>QN?V3U8*8a_^=B*nO9RNsF+jjy=QaLQ63O(+<feYz0D<&|1!b<(gYOgn0c
zjNSv|gD;><y1BmMr%T@UCfo$7KV&fSM(XXB9QF+&=Htf);H2y8b^y-*c9@$R49G`7
zP!Q<yo%tqjn6BabS9mja9iQV(r(czQcpLsjRmJfPHTu58qT+Kx0uo3b;65j}24$WK
z1UvVmN5M+591TXif)WzxKvWK<Z8OY;Q-IasfI{cjI<1}LW|=c1Fxj=W@mpJt;6x2z
z@>8C&@@?AjFVNR1N8yBhupH2BN12r6mzGACwOvE(oE*cwm^31~?;VQ8pTS=s^bH-J
zJb41_!ZPR`lN;IP937v6R$5j;VLV5HtXQ{blZP=oJ9~XRpX|8_S22&hUqEa960cEx
zdv^q_lA_`RcJ`1_jYUd3)Hv`)m!*u1j03<}81uHy$5$6ISMwO5CumCo3FI_;M@G<H
zWRj~Bg<7vd;|#3ZMm-%=;kRD`&sP0*{QZ0|jo+Vlgzx8Xl>tix20Z!I)z7D1?Wy>l
ziR3%M8$*JB*KDwsUgTXRJk@_cW@iN`%4u6S_@4m=Bc01FTS<rg1_QY9^zZEPjrz5C
zLoiF)gR`G9=79+P>m*xp`mEgMqzd1Znf&mqE*&D6Fnd;=WF9YBYSPjVcw4^(UbE?D
zdP3i@U}0(5fUTWf|COhrF>CI9w5bE)%g+#XhY3>M=c*Rl_Y;hdDhx{K?hv#^m)L8j
zkQUVQH+o_Fo$BVlH;4u4=;~Ssr|_o?Sy@|CFfyuu2GzLHBMbDDl$>g2;0WEFNCu%F
zujc+rN8Qpc*c{Em$0xj-3r0A}^cG^k4Xtc9?Qn>Rr2q&aHv)z`ySnH_-5zObYDzoU
zssNw;ADDCm;o{RhGYk4_D`9D2ktpsf0My*5(IfoRClW_t#xGyK9BxiV7&<rP4IQU?
z-P6F0qLd1_IJW-N{;otAmx`IW6pr_<%oET2IfIh2a${*-BGGp*PYmIhKS!(*rC=5I
z+uXTy^~YeXl>e2J|9_1`IS1~MR}un^@dP7aw7S<syb>AcDK@?^YZ47r*uIAU>oSBg
zhoL{N(kbl0wD;OUt@LtRnmt$MxvBfX3YhRSel;T*6L@Fy<WGPGaUuE8c<R<Vw1jGX
zkAXGVcBn7b^n|cxXRu$1M5a2@J#>yUT-=qopp9EeF@z|xt--Afee^8CVEKx)f_#|)
z44s7pCdFXw0Ux&4hOIwk8^w&U$~NV2eHsxLbq~a%%xP*q{NRW!teN4HZL$$a5>L<l
z1Kvcmbu2fV$M(rOIq?Xmlz2*nkYgi({RHN8Ea|qulD(<TVRifP0(2Gu;S)(xotT_7
zubM8OcI5iByl1``f1u7fa}V*?W{a%FB*vu7Tl}PUXT!-ExxRpNvg<RGq(gNZ92l~B
zS%wnpza%cWaA&O^9&gR53z|W|i!j&#4UF{UlONdCnXaw-zy2Pl-_y;KTfkd|DMBY*
z`A&XPXrRrXI%jEKEOs%g`YGaXKqpQ9%d%dGcJsk7O@`LnXB}3<HY*5q9OC?v+@HCU
z_-4K|BrY0#Xo|R5IA&|PjY2&`C5`#Ejcf7!pi!=wHbjR%Lc1vMJf6Wv_(5S8x%M50
zwM=Yk;8MYZnx)dR05#aG3+Fp(gVhpmhvCmC!*-~XDG2mM7BxaLvQCK=CVg}Q4JHzX
zb;#z49NM}mmYh^O2q?)0v3lP9elbdubpIYUQWCdYMPo9)0ft&@SdOQIQHrI*6=7L%
zL7$F)YDw*}<)-&f{Pv9VBPqy7UtfD5wo6n$);|24WQ+)e`$Zc_5kJUn?H6yM$%Yc;
ziX7>DuZ4==2A7Q--g2>*XY<$(7xM<*8lSC&5>QFL+}x<i7eFj15b+SL5`~sk{tc!y
z#jQD@mRC>t{3jfSZ;BMS3MgqLMc^q1L33|u`7@p|YQsEJCJsb0y-FHjkELmxq%%2x
g-Ks3x9Js;X)W|k&Q(e*m7u|4_<kVzKWz63H9}zMrM*si-

literal 0
HcmV?d00001

diff --git a/webpages/_layouts/vm-operator.html b/webpages/_layouts/vm-operator.html
index 590412a..88abf8d 100644
--- a/webpages/_layouts/vm-operator.html
+++ b/webpages/_layouts/vm-operator.html
@@ -68,6 +68,11 @@
         <li><p class="part-entry"><a href="admin-gui.html">For Admins</a></p></li>
         <li><p class="part-entry"><a href="user-gui.html">For Users</a></p></li>
         </ul>
+        <p class="part-list-title">Advanced</p>
+        <ul style="margin-bottom: 0;" class="no-bullets">
+        <li><p class="part-entry"><a href="auto-login.html">Auto Login</a></p></li>
+        <li><p class="part-entry"><a href="pools.html">Pools</a></p></li>
+        </ul>
         <p class="part-list-title"><a href="upgrading.html">Upgrading</a></p>
         <p class="part-list-title"><a href="https://vm-operator.jdrupes.org/javadoc/index.html">Javadoc</a></p>
 
diff --git a/webpages/auto-login.md b/webpages/auto-login.md
new file mode 100644
index 0000000..8893bc5
--- /dev/null
+++ b/webpages/auto-login.md
@@ -0,0 +1,84 @@
+---
+title: "VM-Operator: Auto login — Login users automatically on the guest"
+layout: vm-operator
+---
+
+# Auto Login
+
+*Since 4.0.0*
+
+When a user logs in on the web GUI, he has already authenticated with the
+VM-Operator. Depending on the environment, it may be tedious to log in again
+on the guest. The VM-Operator therefore supports automatic login on the guest
+operating system which can streamline the user experience by eliminating
+the need for multiple logins. This requires, however, some support from
+the guest OS.
+
+## Prepare the VM
+
+Automatic login requires an agent in the guest OS. Similar to QEMU's
+standard guest agent, the VM-Operator agent communicates with the host
+through a tty device (`/dev/virtio-ports/org.jdrupes.vmop_agent.0`). On a modern
+Linux system, the device is detected by `udev` which triggers the start
+of a systemd service.
+
+Sample configuration files can be found
+[here](https://github.com/mnlipp/VM-Operator/tree/main/dev-example/vmop-agent).
+Copy
+
+  * `99-vmop-agent.rules` to `/usr/local/lib/udev/rules.d/99-vmop-agent.rules`,
+  * `vmop-agent` to `/usr/local/libexec/vmop-agent` and
+  * `vmop-agent.service` to `/usr/local/lib/systemd/system/vmop-agent.service`.
+
+Note that some of the target directories do not exist by default and have to
+be created first. Don't forget to run `restorecon` on systems with SELinux.
+
+Enable everything:
+
+```console
+# systemctl daemon-reload
+# systemctl enable vmop-agent
+# udevadm control --reload-rules
+# udevadm trigger
+ ```
+
+## The VM operator agent
+
+Communication with the VM-Operator agent follows the pattern established
+by protocols such as SMTP and FTP. The agent must handle the commands
+"`login <username>`" and "`logout`". In response to these commands, the agent
+sends back lines that start with a three digit number. The first digit
+determines the type of message: "1" for informational, "2" for success
+"4" and "5" for errors. The second digit provides information about the
+category that the response relates to. The third digit is specific to
+the command.
+
+While this describes the general pattern, the only response code that
+the runner evaluates are:
+
+| Code | Meaning |
+| ---- | ------- |
+| 220  | Sent by the agent on startup |
+| 201  | Login command executed successfully |
+| 202  | Logout command executed successfully |
+
+The sample script is written for the gnome desktop environment. It assumes
+that gdm is running as a service by default. On receiving the login command,
+it stops gdm and starts a gnome-session for the given user. On receiving the
+logout command, it terminates the session and starts gdm again.
+
+No attempt has been made to make the script configurable. There are too
+many possible options. The script should therefore be considered as a
+starting point that you can adapt to your needs.
+
+The sample script also creates new user accounts if a user does not exist
+yet. The idea behind this is further explained in the
+[section about pools](pools.html#vm-pools).
+
+## Enable auto login for a VM
+
+To enable auto login for a VM, specify the user to be logged in in the VM's
+definition with "`spec.vm.display.loggedInUser: user-name`". If everything has been
+set up correctly, you should be able to open the console and observe the
+change from gdm's login screen to the user's desktop when updating the
+VM's spec.
diff --git a/webpages/pools.md b/webpages/pools.md
index 6b1e75f..5b587ea 100644
--- a/webpages/pools.md
+++ b/webpages/pools.md
@@ -7,67 +7,100 @@ layout: vm-operator
 
 *Since 4.0.0*
 
-## Prepare the VM
+Not all VMs are replacements for carefully maintained individual PCs.
+In many workplaces, a standard configuration can be used where 
+user-specific data is kept in each user's home directory on a shared
+file system. In such cases, an alternative to providing individual
+PCs is to offer a pool of VMs and allocate them from the pool to users
+as needed.
+
+## Pool definitions
+
+The VM-operator supports this use case with a CRD for pools.
+
+```yaml
+apiVersion: "vmoperator.jdrupes.org/v1"
+kind: VmPool
+metadata:
+  namespace: vmop-dev
+  name: test-vms
+spec:
+  retention: "PT4h"
+  loginOnAssignment: true
+  permissions:
+  - user: admin
+    may:
+    - accessConsole
+    - start
+  - role: user
+    may:
+    - accessConsole
+    - start
+```
+
+The `retention` specifies how long the assignment of a VM from the pool to
+a user is retained after the user closes the console. This allows a user
+to interrupt his work for this period of time without risking that
+another user takes over the VM. The time is specified as
+[ISO 8601 duration](https://en.wikipedia.org/wiki/ISO_8601#Durations).
+
+Setting `loginOnAssignment` to `true` triggers automatic login of the
+user (as described in [section auto login](auto-login.html)) when
+the VM is assigned. The `permissions` property defines what a user can
+do with a VM assigned to him.
+
+VMs become members of one (or more) pools by adding the pool name to
+property `spec.pools` (an array of strings), e.g.:
+
+```yaml
+apiVersion: "vmoperator.jdrupes.org/v1"
+kind: VirtualMachine
+
+spec:
+  pools:
+    - test-vms
+```
+
+## Accessing a VM from the pool
+
+Users can access a VM from a pool using the widget described in
+[user view](user-gui.html). The widget must be configured to
+provide access to a pool instead of to a specific VM.
+
+![VM Access configuration](ConfigAccess-preview.png){: width="500"}
+
+Assignment happens when the "start" icon is pushed. If the assigned VM
+is not running, it will also be started. The assigned VM's name is
+shown in the widget above the action icons. 
+
+![VM Access via pool](PoolAccess-preview.png)
+
+Apart from showing the assigned VM, the widget behaves in the same way
+as it does when configured to access a specific VM.
+
+## Requirements on the guest
+
+Some provisions must be made on the guest to ensure that VMs from
+pools work as expected.
 
 ### Shared file system
 
 Mount a shared file system as home file system on all VMs in the pool.
-If you want to use the sample script for logging in a user, the filesystem
-must support POSIX file access control lists (ACLs).
+When using the
+[sample agent](https://github.com/mnlipp/VM-Operator/tree/main/dev-example/vmop-agent),
+the filesystem must support POSIX file access control lists (ACLs).
 
-### Restrict access
+### User management
 
-The VMs should only be accessible via a desktop started by the VM-Operator.
+All VMs in the pool must map a given user name to the same user
+id. This is typically accomplished by using a central user management,
+such as LDAP. The drawback of such a solution is that it is rather
+complicated to configure.
 
-  * Disable the display manager.
+As an alternative, the sample auto login agent provides a very simple
+approach that uses the shared home directory for managing the user ids.
+Simplified, the script searches for a home directory with the given user
+name and derives the user id from it. It then checks if the user id is
+known by the guest operating system. If not, the user is added.
 
-    ```console
-    # systemctl disable gdm
-    # systemctl stop gdm
-    ```
-
-  * Disable `getty` on tty1.
-
-    ```console
-    # systemctl mask getty@tty1
-    # systemctl stop getty@tty1
-    ```
-
-You can, of course, disable `getty` completely. If you do this, make sure
-that you can still access your master VM through `ssh`, else you have
-locked yourself out.
-
-Strictly speaking, it is not necessary to disable these services, because
-the sample script includes a `Conflicts=` directive in the systemd service
-that starts the desktop for the user. However, this is mainly intended for
-development purposes and not for production.
-   
-The following should actually be configured for any VM.
-   
-  * Prevent suspend/hibernate, because it will lock the VM.
- 
-    ```console
-    # systemctl mask sleep.target suspend.target hibernate.target hybrid-sleep.target
-    ```
- 
-### Install the VM-Operator agent
-
-The VM-Operator agent runs as a systemd service. Sample configuration
-files can be found
-[here](https://github.com/mnlipp/VM-Operator/tree/main/dev-example/vmop-agent).
-Copy
-
-  * `99-vmop-agent.rules` to `/usr/local/lib/udev/rules.d/99-vmop-agent.rules`,
-  * `vmop-agent` to `/usr/local/libexec/vmop-agent` and
-  * `vmop-agent.service` to `/usr/local/lib/systemd/system/vmop-agent.service`.
-
-Note that some of the target directories do not exist by default and have to
-be created first. Don't forget to run `restorecon` on systems with SELinux.
-
-Enable everything:
-
-```console
-# udevadm control --reload-rules
-# systemctl enable vmop-agent
-# udevadm trigger
- ```
+Details can be found in the comments of the sample script.
diff --git a/webpages/user-gui.md b/webpages/user-gui.md
index 828eb98..be7b6a2 100644
--- a/webpages/user-gui.md
+++ b/webpages/user-gui.md
@@ -15,7 +15,7 @@ The idea of the user view is to provide an intuitive widget that
 allows the users to access their own VMs and to optionally start
 and stop them.
 
-![VM-Viewer](VmAccess-preview.png)
+![VM Access](VmAccess-preview.png)
 
 The configuration options resulting from this seemingly simple
 requirement are unexpectedly complex.

From 12c72b3f52e70629faa080f7b6682dedbe323228 Mon Sep 17 00:00:00 2001
From: "Michael N. Lipp" <mnl@mnl.de>
Date: Thu, 6 Mar 2025 09:16:05 +0100
Subject: [PATCH 193/274] Update link.

---
 overview.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/overview.md b/overview.md
index 30d595e..e263b6a 100644
--- a/overview.md
+++ b/overview.md
@@ -7,4 +7,4 @@ The VM-operator enables you to easily run Qemu based VMs as pods
 in Kubernetes. It is built on the
 [JGrapes](https://mnlipp.github.io/jgrapes/) event driven framework.
 
-See the project's [home page](https://jdrupes.org/vm-operator/) for details.
+See the project's [home page](https://vm-operator.jdrupes.org/) for details.

From c51da8650af2ab75b38ee67232ad558dbfb426e1 Mon Sep 17 00:00:00 2001
From: "Michael N. Lipp" <mnl@mnl.de>
Date: Thu, 6 Mar 2025 11:43:32 +0100
Subject: [PATCH 194/274] Editorial changes.

---
 webpages/auto-login.md | 75 ++++++++++++++++++++++--------------------
 webpages/pools.md      | 47 ++++++++++++++------------
 2 files changed, 65 insertions(+), 57 deletions(-)

diff --git a/webpages/auto-login.md b/webpages/auto-login.md
index 8893bc5..c4b859d 100644
--- a/webpages/auto-login.md
+++ b/webpages/auto-login.md
@@ -7,33 +7,34 @@ layout: vm-operator
 
 *Since 4.0.0*
 
-When a user logs in on the web GUI, he has already authenticated with the
-VM-Operator. Depending on the environment, it may be tedious to log in again
-on the guest. The VM-Operator therefore supports automatic login on the guest
-operating system which can streamline the user experience by eliminating
-the need for multiple logins. This requires, however, some support from
-the guest OS.
+When users log into the web GUI, they have already authenticated with the
+VM-Operator. In some environments, requiring an additional login on the
+guest OS can be cumbersome. To enhance the user experience, the VM-Operator
+supports automatic login on the guest operating system, thus eliminating
+the need for multiple logins. However, this feature requires specific 
+support from the guest OS.
 
 ## Prepare the VM
 
-Automatic login requires an agent in the guest OS. Similar to QEMU's
-standard guest agent, the VM-Operator agent communicates with the host
-through a tty device (`/dev/virtio-ports/org.jdrupes.vmop_agent.0`). On a modern
-Linux system, the device is detected by `udev` which triggers the start
-of a systemd service.
+Automatic login requires an agent running inside the guest OS. Similar
+to QEMU's standard guest agent, the VM-Operator agent communicates with
+the host via a tty device (`/dev/virtio-ports/org.jdrupes.vmop_agent.0`). On 
+modern Linux systems, `udev` can detect this device and trigger the start
+of an associated systemd service.
 
-Sample configuration files can be found
+Sample configuration files for a VM-Operator agent are available
 [here](https://github.com/mnlipp/VM-Operator/tree/main/dev-example/vmop-agent).
 Copy
 
-  * `99-vmop-agent.rules` to `/usr/local/lib/udev/rules.d/99-vmop-agent.rules`,
-  * `vmop-agent` to `/usr/local/libexec/vmop-agent` and
-  * `vmop-agent.service` to `/usr/local/lib/systemd/system/vmop-agent.service`.
+  * `99-vmop-agent.rules` → `/usr/local/lib/udev/rules.d/99-vmop-agent.rules`,
+  * `vmop-agent` → `/usr/local/libexec/vmop-agent` and
+  * `vmop-agent.service` → `/usr/local/lib/systemd/system/vmop-agent.service`.
 
-Note that some of the target directories do not exist by default and have to
-be created first. Don't forget to run `restorecon` on systems with SELinux.
+Some of these target directories may not exist by default and must be 
+created manually. If your system uses SELinux, run `restorecon` to apply
+the correct security contexts.
 
-Enable everything:
+Enable the agent:
 
 ```console
 # systemctl daemon-reload
@@ -44,17 +45,17 @@ Enable everything:
 
 ## The VM operator agent
 
-Communication with the VM-Operator agent follows the pattern established
-by protocols such as SMTP and FTP. The agent must handle the commands
-"`login <username>`" and "`logout`". In response to these commands, the agent
-sends back lines that start with a three digit number. The first digit
-determines the type of message: "1" for informational, "2" for success
-"4" and "5" for errors. The second digit provides information about the
-category that the response relates to. The third digit is specific to
-the command.
+Communication with the VM-Operator agent follows the pattern established by
+protocols such as SMTP and FTP. The agent must handle the commands
+"`login <username>`" and "`logout`" on its input. In response to
+these commands, the agent sends back lines that start with a three
+digit number. The first digit determines the type of message: "1" for
+informational, "2" for success and "4" or "5" for errors. The second
+digit provides information about the category that a response relates
+to. The third digit is specific to the command.
 
-While this describes the general pattern, the only response code that
-the runner evaluates are:
+While this describes the general pattern, the [runner](runner.html)
+only evaluates the following codes:
 
 | Code | Meaning |
 | ---- | ------- |
@@ -62,17 +63,19 @@ the runner evaluates are:
 | 201  | Login command executed successfully |
 | 202  | Logout command executed successfully |
 
-The sample script is written for the gnome desktop environment. It assumes
-that gdm is running as a service by default. On receiving the login command,
-it stops gdm and starts a gnome-session for the given user. On receiving the
-logout command, it terminates the session and starts gdm again.
+The provided sample script is written for the gnome desktop environment.
+It assumes that GDM is running as a service by default. When the agent
+receives a login command, it stops GDM and starts a gnome-session for
+the specified user. Upon receiving the logout command, it terminates
+the session and starts GDM again.
 
 No attempt has been made to make the script configurable. There are too
 many possible options. The script should therefore be considered as a
-starting point that you can adapt to your needs.
+starting point that you may need to adapt to your specific needs.
 
-The sample script also creates new user accounts if a user does not exist
-yet. The idea behind this is further explained in the
+In addition to starting the desktop for the logged in user, the sample
+script automatically creates user accounts if they do not already exist.
+The idea behind this behavior is further explained in the
 [section about pools](pools.html#vm-pools).
 
 ## Enable auto login for a VM
@@ -80,5 +83,5 @@ yet. The idea behind this is further explained in the
 To enable auto login for a VM, specify the user to be logged in in the VM's
 definition with "`spec.vm.display.loggedInUser: user-name`". If everything has been
 set up correctly, you should be able to open the console and observe the
-change from gdm's login screen to the user's desktop when updating the
+transition from GDM's login screen to the user's desktop when updating the
 VM's spec.
diff --git a/webpages/pools.md b/webpages/pools.md
index 5b587ea..b36397e 100644
--- a/webpages/pools.md
+++ b/webpages/pools.md
@@ -7,12 +7,17 @@ layout: vm-operator
 
 *Since 4.0.0*
 
-Not all VMs are replacements for carefully maintained individual PCs.
-In many workplaces, a standard configuration can be used where 
-user-specific data is kept in each user's home directory on a shared
-file system. In such cases, an alternative to providing individual
-PCs is to offer a pool of VMs and allocate them from the pool to users
-as needed.
+Not all VMs are defined as replacements for carefully maintained
+individual PCs. In many workplaces, a standardardized VM configuration
+can be used where all user-specific data is stored in each user's home
+directory. By using a shared file system for home directories, users
+can login on any VM and find themselves in their personal
+environment.
+
+If only a subset of users require access simultaneously, this makes it
+possible to define a pool of standardardized VMs and dynamically assign
+them to users as needed, eliminating the need to define a dedicated VM
+for each user.
 
 ## Pool definitions
 
@@ -39,18 +44,18 @@ spec:
 ```
 
 The `retention` specifies how long the assignment of a VM from the pool to
-a user is retained after the user closes the console. This allows a user
-to interrupt his work for this period of time without risking that
-another user takes over the VM. The time is specified as
+a user remains valid after the user closes the console. This ensures that
+a user can resume work within this timeframe without the risk of another
+user taking over the VM. The time is specified as
 [ISO 8601 duration](https://en.wikipedia.org/wiki/ISO_8601#Durations).
 
 Setting `loginOnAssignment` to `true` triggers automatic login of the
 user (as described in [section auto login](auto-login.html)) when
-the VM is assigned. The `permissions` property defines what a user can
-do with a VM assigned to him.
+the VM is assigned. The `permissions` property specifies the actions
+that users or roles can perform on assigned VMs.
 
 VMs become members of one (or more) pools by adding the pool name to
-property `spec.pools` (an array of strings), e.g.:
+the `spec.pools` array, as shown below:
 
 ```yaml
 apiVersion: "vmoperator.jdrupes.org/v1"
@@ -69,26 +74,26 @@ provide access to a pool instead of to a specific VM.
 
 ![VM Access configuration](ConfigAccess-preview.png){: width="500"}
 
-Assignment happens when the "start" icon is pushed. If the assigned VM
-is not running, it will also be started. The assigned VM's name is
-shown in the widget above the action icons. 
+Assignment happens when the "Start" icon is clicked. If the assigned VM
+is not already running, it will be started automatically. The assigned
+VM's name apears in the widget above the action icons. 
 
 ![VM Access via pool](PoolAccess-preview.png)
 
 Apart from showing the assigned VM, the widget behaves in the same way
-as it does when configured to access a specific VM.
+as when configured for accessing a specific VM.
 
-## Requirements on the guest
+## Guest OS Requirements
 
-Some provisions must be made on the guest to ensure that VMs from
-pools work as expected.
+To ensure proper functionality when using VM pools, certain requirements
+must be met on the guest OS.
 
 ### Shared file system
 
-Mount a shared file system as home file system on all VMs in the pool.
+All VMs in the pool must mount a shared file system as the home directory.
 When using the
 [sample agent](https://github.com/mnlipp/VM-Operator/tree/main/dev-example/vmop-agent),
-the filesystem must support POSIX file access control lists (ACLs).
+the file system must support POSIX file access control lists (ACLs).
 
 ### User management
 

From 1a8412d7670cfe9d76797fb340df0e8d0700aa13 Mon Sep 17 00:00:00 2001
From: "Michael N. Lipp" <mnl@mnl.de>
Date: Thu, 6 Mar 2025 12:59:06 +0100
Subject: [PATCH 195/274] Fix deepCopy for arrays.

Isn't used in project.
---
 .../org/jdrupes/vmoperator/util/DataPath.java   | 10 ++++++----
 .../jdrupes/vmoperator/util/DataPathTests.java  | 17 +++++++++++++++++
 2 files changed, 23 insertions(+), 4 deletions(-)
 create mode 100644 org.jdrupes.vmoperator.util/test/org/jdrupes/vmoperator/util/DataPathTests.java

diff --git a/org.jdrupes.vmoperator.util/src/org/jdrupes/vmoperator/util/DataPath.java b/org.jdrupes.vmoperator.util/src/org/jdrupes/vmoperator/util/DataPath.java
index 7a6596b..445d383 100644
--- a/org.jdrupes.vmoperator.util/src/org/jdrupes/vmoperator/util/DataPath.java
+++ b/org.jdrupes.vmoperator.util/src/org/jdrupes/vmoperator/util/DataPath.java
@@ -18,6 +18,7 @@
 
 package org.jdrupes.vmoperator.util;
 
+import java.lang.reflect.Array;
 import java.lang.reflect.InvocationTargetException;
 import java.lang.reflect.Method;
 import java.util.ArrayList;
@@ -157,11 +158,12 @@ public final class DataPath {
             return (T) copy;
         }
         if (object.getClass().isArray()) {
-            var copy = new ArrayList<>();
-            for (var item : (Object[]) object) {
-                copy.add(deepCopy(item));
+            var copy = Array.newInstance(object.getClass().getComponentType(),
+                Array.getLength(object));
+            for (int i = 0; i < Array.getLength(object); i++) {
+                Array.set(copy, i, deepCopy(Array.get(object, i)));
             }
-            return (T) copy.toArray();
+            return (T) copy;
         }
         if (object instanceof Cloneable) {
             try {
diff --git a/org.jdrupes.vmoperator.util/test/org/jdrupes/vmoperator/util/DataPathTests.java b/org.jdrupes.vmoperator.util/test/org/jdrupes/vmoperator/util/DataPathTests.java
new file mode 100644
index 0000000..9c7855f
--- /dev/null
+++ b/org.jdrupes.vmoperator.util/test/org/jdrupes/vmoperator/util/DataPathTests.java
@@ -0,0 +1,17 @@
+package org.jdrupes.vmoperator.util;
+
+import static org.junit.jupiter.api.Assertions.*;
+import org.junit.jupiter.api.Test;
+
+class DataPathTests {
+
+    @Test
+    void testArray() {
+        int[] orig
+            = { Integer.valueOf(1), Integer.valueOf(2), Integer.valueOf(3) };
+        var copy = DataPath.deepCopy(orig);
+        for (int i = 0; i < orig.length; i++) {
+            assertEquals(orig[i], copy[i]);
+        }
+    }
+}

From c5a00acf3d401e217cdc4ebe5389e286bd9c1011 Mon Sep 17 00:00:00 2001
From: "Michael N. Lipp" <mnl@mnl.de>
Date: Thu, 6 Mar 2025 13:02:53 +0100
Subject: [PATCH 196/274] "Fix" PMD warning.

---
 .../src/org/jdrupes/vmoperator/runner/qemu/Runner.java          | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/Runner.java b/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/Runner.java
index a01618d..01c4127 100644
--- a/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/Runner.java
+++ b/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/Runner.java
@@ -192,7 +192,7 @@ import org.jgrapes.util.events.WatchFile;
  */
 @SuppressWarnings({ "PMD.ExcessiveImports", "PMD.AvoidPrintStackTrace",
     "PMD.DataflowAnomalyAnalysis", "PMD.TooManyMethods",
-    "PMD.CouplingBetweenObjects" })
+    "PMD.CouplingBetweenObjects", "PMD.TooManyFields" })
 public class Runner extends Component {
 
     private static final String QEMU = "qemu";

From 9459c367aca18b796f471f6043399339b2098afb Mon Sep 17 00:00:00 2001
From: "Michael N. Lipp" <mnl@mnl.de>
Date: Thu, 6 Mar 2025 13:03:04 +0100
Subject: [PATCH 197/274] PMD is wrong.

---
 .../src/org/jdrupes/vmoperator/common/K8sDynamicModelsBase.java | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/org.jdrupes.vmoperator.common/src/org/jdrupes/vmoperator/common/K8sDynamicModelsBase.java b/org.jdrupes.vmoperator.common/src/org/jdrupes/vmoperator/common/K8sDynamicModelsBase.java
index 4e21c0e..1813621 100644
--- a/org.jdrupes.vmoperator.common/src/org/jdrupes/vmoperator/common/K8sDynamicModelsBase.java
+++ b/org.jdrupes.vmoperator.common/src/org/jdrupes/vmoperator/common/K8sDynamicModelsBase.java
@@ -62,7 +62,7 @@ public class K8sDynamicModelsBase<T extends K8sDynamicModel>
             } catch (InstantiationException | IllegalAccessException
                     | IllegalArgumentException | InvocationTargetException
                     | NoSuchMethodException | SecurityException exc) {
-                throw new IllegalArgumentException(exc);
+                throw new IllegalArgumentException(exc); // NOPMD
             }
         }
     }

From f3907ffae9535ee65e14f61ecb7a578e3edcd285 Mon Sep 17 00:00:00 2001
From: "Michael N. Lipp" <mnl@mnl.de>
Date: Thu, 6 Mar 2025 14:40:50 +0100
Subject: [PATCH 198/274] Fix some markdown style issues.

---
 .markdownlint.yaml     |   12 +-
 package-lock.json      | 1003 ++++++++++++++++++++++++++++++++++++++--
 package.json           |   10 +-
 webpages/admin-gui.md  |    1 -
 webpages/auto-login.md |    6 +-
 webpages/index.md      |    9 +-
 webpages/manager.md    |    3 +-
 webpages/pools.md      |    2 +-
 webpages/runner.md     |   16 +-
 webpages/user-gui.md   |    3 +-
 10 files changed, 997 insertions(+), 68 deletions(-)

diff --git a/.markdownlint.yaml b/.markdownlint.yaml
index 3501bd3..6ed5002 100644
--- a/.markdownlint.yaml
+++ b/.markdownlint.yaml
@@ -1,4 +1,4 @@
-# See https://github.com/DavidAnson/markdownlint/blob/main/schema/.markdownlint.yaml
+# See [rules](https://github.com/DavidAnson/markdownlint/blob/main/schema/.markdownlint.yaml)
 
 # Default state for all rules
 default: true
@@ -27,12 +27,4 @@ MD036: false
   
 # MD043/required-headings : Required heading structure : 
 # https://github.com/DavidAnson/markdownlint/blob/v0.37.4/doc/md043.md
-MD043:
-  # List of headings
-  headings:   [
-      "# Head",
-      "## Item",
-      "### Detail"
-  ]
-  # Match case of headings
-  match_case: false
+MD043: false
diff --git a/package-lock.json b/package-lock.json
index 97aaade..4bfe990 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -4,6 +4,9 @@
     "requires": true,
     "packages": {
         "": {
+            "dependencies": {
+                "markdownlint-cli": "^0.44.0"
+            },
             "devDependencies": {
                 "@rollup/plugin-node-resolve": "^15.0.1",
                 "@rollup/plugin-replace": "^5.0.2",
@@ -12,6 +15,7 @@
                 "documentation": "^14.0.1",
                 "install": "^0.13.0",
                 "jsdoc": "^4.0.2",
+                "markdownlint": "^0.37.4",
                 "node-sass": "^9.0.0",
                 "npm": "^8.11.0",
                 "rollup": "^4.1.5",
@@ -1240,7 +1244,6 @@
             "version": "4.1.12",
             "resolved": "https://registry.npmjs.org/@types/debug/-/debug-4.1.12.tgz",
             "integrity": "sha512-vIChWdVG3LG1SMxEvI/AK+FWJthlrqlTu7fbrlywTkkaONwk/UAGaULXRlf8vkzFBLVm0zkMdCquhL5aOjhXPQ==",
-            "dev": true,
             "dependencies": {
                 "@types/ms": "*"
             }
@@ -1272,6 +1275,12 @@
             "integrity": "sha512-5+fP8P8MFNC+AyZCDxrB2pkZFPGzqQWUzpSeuuVLvm8VMcorNYavBqoFcxK8bQz4Qsbn4oUEEem4wDLfcysGHA==",
             "dev": true
         },
+        "node_modules/@types/katex": {
+            "version": "0.16.7",
+            "resolved": "https://registry.npmjs.org/@types/katex/-/katex-0.16.7.tgz",
+            "integrity": "sha512-HMwFiRujE5PjrgwHQ25+bsLJgowjGjm5Z8FVSf0N6PwgJrwxH0QxzHYDcKsTfV3wva0vzrpqMTJS2jXPr5BMEQ==",
+            "license": "MIT"
+        },
         "node_modules/@types/linkify-it": {
             "version": "5.0.0",
             "resolved": "https://registry.npmjs.org/@types/linkify-it/-/linkify-it-5.0.0.tgz",
@@ -1312,8 +1321,7 @@
         "node_modules/@types/ms": {
             "version": "0.7.34",
             "resolved": "https://registry.npmjs.org/@types/ms/-/ms-0.7.34.tgz",
-            "integrity": "sha512-nG96G3Wp6acyAgJqGasjODb+acrI7KltPiRxzHPXnP3NgI28bpQDRv53olbqGXbfcgF5aiiHmO3xpwEpS5Ld9g==",
-            "dev": true
+            "integrity": "sha512-nG96G3Wp6acyAgJqGasjODb+acrI7KltPiRxzHPXnP3NgI28bpQDRv53olbqGXbfcgF5aiiHmO3xpwEpS5Ld9g=="
         },
         "node_modules/@types/normalize-package-data": {
             "version": "2.4.4",
@@ -1348,8 +1356,7 @@
         "node_modules/@types/unist": {
             "version": "2.0.10",
             "resolved": "https://registry.npmjs.org/@types/unist/-/unist-2.0.10.tgz",
-            "integrity": "sha512-IfYcSBWE3hLpBg8+X2SEa8LVkJdJEkT2Ese2aaLs3ptGdVtABxndrMaxuFlQ1qdFf9Q5rDvDpxI3WwgvKFAsQA==",
-            "dev": true
+            "integrity": "sha512-IfYcSBWE3hLpBg8+X2SEa8LVkJdJEkT2Ese2aaLs3ptGdVtABxndrMaxuFlQ1qdFf9Q5rDvDpxI3WwgvKFAsQA=="
         },
         "node_modules/@typescript-eslint/eslint-plugin": {
             "version": "6.21.0",
@@ -1736,8 +1743,7 @@
         "node_modules/argparse": {
             "version": "2.0.1",
             "resolved": "https://registry.npmjs.org/argparse/-/argparse-2.0.1.tgz",
-            "integrity": "sha512-8+9WqebbFzpX9OR+Wa6O29asIogeRMzcGtAINdpMHHyAg10f05aSFVBbcEqGf/PXw1EjAZ+q2/bEBg3DvurK3Q==",
-            "dev": true
+            "integrity": "sha512-8+9WqebbFzpX9OR+Wa6O29asIogeRMzcGtAINdpMHHyAg10f05aSFVBbcEqGf/PXw1EjAZ+q2/bEBg3DvurK3Q=="
         },
         "node_modules/array-union": {
             "version": "2.1.0",
@@ -1779,8 +1785,7 @@
         "node_modules/balanced-match": {
             "version": "1.0.2",
             "resolved": "https://registry.npmjs.org/balanced-match/-/balanced-match-1.0.2.tgz",
-            "integrity": "sha512-3oSeUO0TMV67hN1AmbXsK4yaqU7tjiHlbxRDZOpH0KW9+CeX4bRAaX0Anxt0tx2MrpRpWwQaPwIlISEJhYU5Pw==",
-            "dev": true
+            "integrity": "sha512-3oSeUO0TMV67hN1AmbXsK4yaqU7tjiHlbxRDZOpH0KW9+CeX4bRAaX0Anxt0tx2MrpRpWwQaPwIlISEJhYU5Pw=="
         },
         "node_modules/binary-extensions": {
             "version": "2.3.0",
@@ -1810,7 +1815,6 @@
             "version": "2.0.1",
             "resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-2.0.1.tgz",
             "integrity": "sha512-XnAIvQ8eM+kC6aULx6wuQiwVsnzsi9d3WxzV3FpWTGA19F621kwdbsAcFKXgKUHZWsy+mY6iL1sHTxWEFCytDA==",
-            "dev": true,
             "dependencies": {
                 "balanced-match": "^1.0.0"
             }
@@ -2021,7 +2025,6 @@
             "version": "2.0.2",
             "resolved": "https://registry.npmjs.org/character-entities/-/character-entities-2.0.2.tgz",
             "integrity": "sha512-shx7oQ0Awen/BRIdkjkvz54PnEEI/EjwXDSIZp86/KKdbafHh1Df/RYGBhn4hbe2+uKC9FnT5UCEdyPz3ai9hQ==",
-            "dev": true,
             "funding": {
                 "type": "github",
                 "url": "https://github.com/sponsors/wooorm"
@@ -2041,7 +2044,16 @@
             "version": "3.0.0",
             "resolved": "https://registry.npmjs.org/character-entities-legacy/-/character-entities-legacy-3.0.0.tgz",
             "integrity": "sha512-RpPp0asT/6ufRm//AJVwpViZbGM/MkjQFxJccQRHmISF/22NBtsHqAWmL+/pmkPWoIUJdWyeVleTl1wydHATVQ==",
-            "dev": true,
+            "funding": {
+                "type": "github",
+                "url": "https://github.com/sponsors/wooorm"
+            }
+        },
+        "node_modules/character-reference-invalid": {
+            "version": "2.0.1",
+            "resolved": "https://registry.npmjs.org/character-reference-invalid/-/character-reference-invalid-2.0.1.tgz",
+            "integrity": "sha512-iBZ4F4wRbyORVsu0jPV7gXkOsGYjGHPmAyv+HiHG8gi5PtC9KI2j1+v8/tlibRvjoWX027ypmG/n0HtO5t7unw==",
+            "license": "MIT",
             "funding": {
                 "type": "github",
                 "url": "https://github.com/sponsors/wooorm"
@@ -2357,7 +2369,6 @@
             "version": "4.3.5",
             "resolved": "https://registry.npmjs.org/debug/-/debug-4.3.5.tgz",
             "integrity": "sha512-pt0bNEmneDIvdL1Xsd9oDQ/wrQRkXDT4AUWlNZNPKvW5x/jyO9VFXkJUP07vQ2upmw5PlaITaPKc31jK13V+jg==",
-            "dev": true,
             "dependencies": {
                 "ms": "2.1.2"
             },
@@ -2408,7 +2419,6 @@
             "version": "1.0.2",
             "resolved": "https://registry.npmjs.org/decode-named-character-reference/-/decode-named-character-reference-1.0.2.tgz",
             "integrity": "sha512-O8x12RzrUF8xyVcY0KJowWsmaJxQbmy0/EtnNtHRpsOcT7dFk5W598coHqBVpmWo1oQQfsCqfCmkZN5DJrZVdg==",
-            "dev": true,
             "dependencies": {
                 "character-entities": "^2.0.0"
             },
@@ -2417,6 +2427,15 @@
                 "url": "https://github.com/sponsors/wooorm"
             }
         },
+        "node_modules/deep-extend": {
+            "version": "0.6.0",
+            "resolved": "https://registry.npmjs.org/deep-extend/-/deep-extend-0.6.0.tgz",
+            "integrity": "sha512-LOHxIOaPYdHlJRtCQfDIVZtfw/ufM8+rVj649RIHzcm/vGwQRXFt6OPqIFWsm2XEMrNIEtWR64sY1LEKD2vAOA==",
+            "license": "MIT",
+            "engines": {
+                "node": ">=4.0.0"
+            }
+        },
         "node_modules/deep-is": {
             "version": "0.1.4",
             "resolved": "https://registry.npmjs.org/deep-is/-/deep-is-0.1.4.tgz",
@@ -2437,11 +2456,23 @@
             "version": "2.0.3",
             "resolved": "https://registry.npmjs.org/dequal/-/dequal-2.0.3.tgz",
             "integrity": "sha512-0je+qPKHEMohvfRTCEo3CrPG6cAzAYgmzKyxRiYSSDkS6eGJdyVJm7WaYA5ECaAD9wLB2T4EEeymA5aFVcYXCA==",
-            "dev": true,
             "engines": {
                 "node": ">=6"
             }
         },
+        "node_modules/devlop": {
+            "version": "1.1.0",
+            "resolved": "https://registry.npmjs.org/devlop/-/devlop-1.1.0.tgz",
+            "integrity": "sha512-RWmIqhcFf1lRYBvNmr7qTNuyCt/7/ns2jbpp1+PalgE/rDQcBT0fioSMUpJ93irlUhC5hrg4cYqe6U+0ImW0rA==",
+            "license": "MIT",
+            "dependencies": {
+                "dequal": "^2.0.0"
+            },
+            "funding": {
+                "type": "github",
+                "url": "https://github.com/sponsors/wooorm"
+            }
+        },
         "node_modules/diff": {
             "version": "5.2.0",
             "resolved": "https://registry.npmjs.org/diff/-/diff-5.2.0.tgz",
@@ -2639,7 +2670,6 @@
             "version": "4.5.0",
             "resolved": "https://registry.npmjs.org/entities/-/entities-4.5.0.tgz",
             "integrity": "sha512-V0hjH4dGPh9Ao5p0MoRY6BVqtwCjhz6vI5LT8AJ55H+4g9/4vbHx1I54fS0XuclLhDHArPQCiMjDxjaL8fPxhw==",
-            "dev": true,
             "engines": {
                 "node": ">=0.12"
             },
@@ -3143,8 +3173,7 @@
         "node_modules/fs.realpath": {
             "version": "1.0.0",
             "resolved": "https://registry.npmjs.org/fs.realpath/-/fs.realpath-1.0.0.tgz",
-            "integrity": "sha512-OO0pH2lK6a0hZnAdau5ItzHPI6pUlvI7jMVnxUQRtw4owF2wk8lOSabtGDCTP4Ggrg2MbGnWO9X8K1t4+fGMDw==",
-            "dev": true
+            "integrity": "sha512-OO0pH2lK6a0hZnAdau5ItzHPI6pUlvI7jMVnxUQRtw4owF2wk8lOSabtGDCTP4Ggrg2MbGnWO9X8K1t4+fGMDw=="
         },
         "node_modules/fsevents": {
             "version": "2.3.3",
@@ -3246,7 +3275,6 @@
             "version": "9.3.5",
             "resolved": "https://registry.npmjs.org/glob/-/glob-9.3.5.tgz",
             "integrity": "sha512-e1LleDykUz2Iu+MTYdkSsuWX8lvAjAcs0Xef0lNIu0S2wOAzuTxCJtcd9S3cijlwYF18EsU3rzb8jPVobxDh9Q==",
-            "dev": true,
             "dependencies": {
                 "fs.realpath": "^1.0.0",
                 "minimatch": "^8.0.2",
@@ -3276,7 +3304,6 @@
             "version": "8.0.4",
             "resolved": "https://registry.npmjs.org/minimatch/-/minimatch-8.0.4.tgz",
             "integrity": "sha512-W0Wvr9HyFXZRGIDgCicunpQ299OKXs9RgZfaukz4qAW/pJhcpUfupc9c+OObPOFueNy8VSrZgEmDtk6Kh4WzDA==",
-            "dev": true,
             "dependencies": {
                 "brace-expansion": "^2.0.1"
             },
@@ -3291,7 +3318,6 @@
             "version": "4.2.8",
             "resolved": "https://registry.npmjs.org/minipass/-/minipass-4.2.8.tgz",
             "integrity": "sha512-fNzuVyifolSLFL4NzpF+wEF4qrgqaaKX0haXPQEdQ7NKAN+WecoKMHV09YcuL/DHxrUsYQOK3MiuDf7Ip2OXfQ==",
-            "dev": true,
             "engines": {
                 "node": ">=8"
             }
@@ -3822,6 +3848,30 @@
                 "node": ">=0.10.0"
             }
         },
+        "node_modules/is-alphabetical": {
+            "version": "2.0.1",
+            "resolved": "https://registry.npmjs.org/is-alphabetical/-/is-alphabetical-2.0.1.tgz",
+            "integrity": "sha512-FWyyY60MeTNyeSRpkM2Iry0G9hpr7/9kD40mD/cGQEuilcZYS4okz8SN2Q6rLCJ8gbCt6fN+rC+6tMGS99LaxQ==",
+            "license": "MIT",
+            "funding": {
+                "type": "github",
+                "url": "https://github.com/sponsors/wooorm"
+            }
+        },
+        "node_modules/is-alphanumerical": {
+            "version": "2.0.1",
+            "resolved": "https://registry.npmjs.org/is-alphanumerical/-/is-alphanumerical-2.0.1.tgz",
+            "integrity": "sha512-hmbYhX/9MUMF5uh7tOXyK/n0ZvWpad5caBA17GsC6vyuCqaWliRG5K1qS9inmUhEMaOBIW7/whAnSwveW/LtZw==",
+            "license": "MIT",
+            "dependencies": {
+                "is-alphabetical": "^2.0.0",
+                "is-decimal": "^2.0.0"
+            },
+            "funding": {
+                "type": "github",
+                "url": "https://github.com/sponsors/wooorm"
+            }
+        },
         "node_modules/is-arrayish": {
             "version": "0.2.1",
             "resolved": "https://registry.npmjs.org/is-arrayish/-/is-arrayish-0.2.1.tgz",
@@ -3890,6 +3940,16 @@
                 "url": "https://github.com/sponsors/ljharb"
             }
         },
+        "node_modules/is-decimal": {
+            "version": "2.0.1",
+            "resolved": "https://registry.npmjs.org/is-decimal/-/is-decimal-2.0.1.tgz",
+            "integrity": "sha512-AAB9hiomQs5DXWcRB1rqsxGUstbRroFOPPVAomNk/3XHR5JyEZChOyTWe2oayKnsSsr/kcGqF+z6yuH6HHpN0A==",
+            "license": "MIT",
+            "funding": {
+                "type": "github",
+                "url": "https://github.com/sponsors/wooorm"
+            }
+        },
         "node_modules/is-extglob": {
             "version": "2.1.1",
             "resolved": "https://registry.npmjs.org/is-extglob/-/is-extglob-2.1.1.tgz",
@@ -3920,6 +3980,16 @@
                 "node": ">=0.10.0"
             }
         },
+        "node_modules/is-hexadecimal": {
+            "version": "2.0.1",
+            "resolved": "https://registry.npmjs.org/is-hexadecimal/-/is-hexadecimal-2.0.1.tgz",
+            "integrity": "sha512-DgZQp241c8oO6cA1SbTEWiXeoxV42vlcJxgH+B3hi1AiqqKruZR3ZGF8In3fj4+/y/7rHvlOZLZtgJ/4ttYGZg==",
+            "license": "MIT",
+            "funding": {
+                "type": "github",
+                "url": "https://github.com/sponsors/wooorm"
+            }
+        },
         "node_modules/is-lambda": {
             "version": "1.0.1",
             "resolved": "https://registry.npmjs.org/is-lambda/-/is-lambda-1.0.1.tgz",
@@ -4048,7 +4118,6 @@
             "version": "4.1.0",
             "resolved": "https://registry.npmjs.org/js-yaml/-/js-yaml-4.1.0.tgz",
             "integrity": "sha512-wpxZs9NoxZaJESJGIZTyDEaYpl0FKSA+FB9aJiyemKhMwkxQg63h4T1KJgUGHpTqPDNRcmmYLugrRjJlBtWvRA==",
-            "dev": true,
             "dependencies": {
                 "argparse": "^2.0.1"
             },
@@ -4173,10 +4242,10 @@
             }
         },
         "node_modules/jsonc-parser": {
-            "version": "3.2.1",
-            "resolved": "https://registry.npmjs.org/jsonc-parser/-/jsonc-parser-3.2.1.tgz",
-            "integrity": "sha512-AilxAyFOAcK5wA1+LeaySVBrHsGQvUFCDWXKpZjzaL0PqW+xfBOttn8GNtWKFWqneyMZj41MWF9Kl6iPWLwgOA==",
-            "dev": true
+            "version": "3.3.1",
+            "resolved": "https://registry.npmjs.org/jsonc-parser/-/jsonc-parser-3.3.1.tgz",
+            "integrity": "sha512-HUgH65KyejrUFPvHFPbqOY0rsFip3Bo5wb4ngvdi1EpCYWUQDC5V+Y7mZws+DLkr4M//zQJoanu1SP+87Dv1oQ==",
+            "license": "MIT"
         },
         "node_modules/jsonfile": {
             "version": "6.1.0",
@@ -4190,6 +4259,40 @@
                 "graceful-fs": "^4.1.6"
             }
         },
+        "node_modules/jsonpointer": {
+            "version": "5.0.1",
+            "resolved": "https://registry.npmjs.org/jsonpointer/-/jsonpointer-5.0.1.tgz",
+            "integrity": "sha512-p/nXbhSEcu3pZRdkW1OfJhpsVtW1gd4Wa1fnQc9YLiTfAjn0312eMKimbdIQzuZl9aa9xUGaRlP9T/CJE/ditQ==",
+            "license": "MIT",
+            "engines": {
+                "node": ">=0.10.0"
+            }
+        },
+        "node_modules/katex": {
+            "version": "0.16.21",
+            "resolved": "https://registry.npmjs.org/katex/-/katex-0.16.21.tgz",
+            "integrity": "sha512-XvqR7FgOHtWupfMiigNzmh+MgUVmDGU2kXZm899ZkPfcuoPuFxyHmXsgATDpFZDAXCI8tvinaVcDo8PIIJSo4A==",
+            "funding": [
+                "https://opencollective.com/katex",
+                "https://github.com/sponsors/katex"
+            ],
+            "license": "MIT",
+            "dependencies": {
+                "commander": "^8.3.0"
+            },
+            "bin": {
+                "katex": "cli.js"
+            }
+        },
+        "node_modules/katex/node_modules/commander": {
+            "version": "8.3.0",
+            "resolved": "https://registry.npmjs.org/commander/-/commander-8.3.0.tgz",
+            "integrity": "sha512-OkTL9umf+He2DZkUq8f8J9of7yL6RJKI24dVITBmNfZBmri9zYZQrKkuXiKhyfPSu8tUhnVBB1iKXevvnlR4Ww==",
+            "license": "MIT",
+            "engines": {
+                "node": ">= 12"
+            }
+        },
         "node_modules/keyv": {
             "version": "4.5.4",
             "resolved": "https://registry.npmjs.org/keyv/-/keyv-4.5.4.tgz",
@@ -4270,7 +4373,6 @@
             "version": "5.0.0",
             "resolved": "https://registry.npmjs.org/linkify-it/-/linkify-it-5.0.0.tgz",
             "integrity": "sha512-5aHCbzQRADcdP+ATqnDuhhJ/MRIqDkZX5pyjFHRRysS8vZ5AbqGEoFIb6pYHPZ+L/OC2Lc+xT8uHVVR5CAK/wQ==",
-            "dev": true,
             "dependencies": {
                 "uc.micro": "^2.0.0"
             }
@@ -4450,7 +4552,6 @@
             "version": "14.1.0",
             "resolved": "https://registry.npmjs.org/markdown-it/-/markdown-it-14.1.0.tgz",
             "integrity": "sha512-a54IwgWPaeBCAAsv13YgmALOF1elABB08FxO9i+r4VFk5Vl4pKokRPeX8u5TCgSsPi6ec1otfLjdOpVcgbpshg==",
-            "dev": true,
             "dependencies": {
                 "argparse": "^2.0.1",
                 "entities": "^4.4.0",
@@ -4483,6 +4584,559 @@
                 "url": "https://github.com/sponsors/wooorm"
             }
         },
+        "node_modules/markdownlint": {
+            "version": "0.37.4",
+            "resolved": "https://registry.npmjs.org/markdownlint/-/markdownlint-0.37.4.tgz",
+            "integrity": "sha512-u00joA/syf3VhWh6/ybVFkib5Zpj2e5KB/cfCei8fkSRuums6nyisTWGqjTWIOFoFwuXoTBQQiqlB4qFKp8ncQ==",
+            "license": "MIT",
+            "dependencies": {
+                "markdown-it": "14.1.0",
+                "micromark": "4.0.1",
+                "micromark-core-commonmark": "2.0.2",
+                "micromark-extension-directive": "3.0.2",
+                "micromark-extension-gfm-autolink-literal": "2.1.0",
+                "micromark-extension-gfm-footnote": "2.1.0",
+                "micromark-extension-gfm-table": "2.1.0",
+                "micromark-extension-math": "3.1.0",
+                "micromark-util-types": "2.0.1"
+            },
+            "engines": {
+                "node": ">=18"
+            },
+            "funding": {
+                "url": "https://github.com/sponsors/DavidAnson"
+            }
+        },
+        "node_modules/markdownlint-cli": {
+            "version": "0.44.0",
+            "resolved": "https://registry.npmjs.org/markdownlint-cli/-/markdownlint-cli-0.44.0.tgz",
+            "integrity": "sha512-ZJTAONlvF9NkrIBltCdW15DxN9UTbPiKMEqAh2EU2gwIFlrCMavyCEPPO121cqfYOrLUJWW8/XKWongstmmTeQ==",
+            "license": "MIT",
+            "dependencies": {
+                "commander": "~13.1.0",
+                "glob": "~10.4.5",
+                "ignore": "~7.0.3",
+                "js-yaml": "~4.1.0",
+                "jsonc-parser": "~3.3.1",
+                "jsonpointer": "~5.0.1",
+                "markdownlint": "~0.37.4",
+                "minimatch": "~9.0.5",
+                "run-con": "~1.3.2",
+                "smol-toml": "~1.3.1"
+            },
+            "bin": {
+                "markdownlint": "markdownlint.js"
+            },
+            "engines": {
+                "node": ">=18"
+            }
+        },
+        "node_modules/markdownlint-cli/node_modules/commander": {
+            "version": "13.1.0",
+            "resolved": "https://registry.npmjs.org/commander/-/commander-13.1.0.tgz",
+            "integrity": "sha512-/rFeCpNJQbhSZjGVwO9RFV3xPqbnERS8MmIQzCtD/zl6gpJuV/bMLuN92oG3F7d8oDEHHRrujSXNUr8fpjntKw==",
+            "license": "MIT",
+            "engines": {
+                "node": ">=18"
+            }
+        },
+        "node_modules/markdownlint-cli/node_modules/ignore": {
+            "version": "7.0.3",
+            "resolved": "https://registry.npmjs.org/ignore/-/ignore-7.0.3.tgz",
+            "integrity": "sha512-bAH5jbK/F3T3Jls4I0SO1hmPR0dKU0a7+SY6n1yzRtG54FLO8d6w/nxLFX2Nb7dBu6cCWXPaAME6cYqFUMmuCA==",
+            "license": "MIT",
+            "engines": {
+                "node": ">= 4"
+            }
+        },
+        "node_modules/markdownlint-cli/node_modules/minimatch": {
+            "version": "9.0.5",
+            "resolved": "https://registry.npmjs.org/minimatch/-/minimatch-9.0.5.tgz",
+            "integrity": "sha512-G6T0ZX48xgozx7587koeX9Ys2NYy6Gmv//P89sEte9V9whIapMNF4idKxnW2QtCcLiTWlb/wfCabAtAFWhhBow==",
+            "license": "ISC",
+            "dependencies": {
+                "brace-expansion": "^2.0.1"
+            },
+            "engines": {
+                "node": ">=16 || 14 >=14.17"
+            },
+            "funding": {
+                "url": "https://github.com/sponsors/isaacs"
+            }
+        },
+        "node_modules/markdownlint/node_modules/micromark": {
+            "version": "4.0.1",
+            "resolved": "https://registry.npmjs.org/micromark/-/micromark-4.0.1.tgz",
+            "integrity": "sha512-eBPdkcoCNvYcxQOAKAlceo5SNdzZWfF+FcSupREAzdAh9rRmE239CEQAiTwIgblwnoM8zzj35sZ5ZwvSEOF6Kw==",
+            "funding": [
+                {
+                    "type": "GitHub Sponsors",
+                    "url": "https://github.com/sponsors/unifiedjs"
+                },
+                {
+                    "type": "OpenCollective",
+                    "url": "https://opencollective.com/unified"
+                }
+            ],
+            "license": "MIT",
+            "dependencies": {
+                "@types/debug": "^4.0.0",
+                "debug": "^4.0.0",
+                "decode-named-character-reference": "^1.0.0",
+                "devlop": "^1.0.0",
+                "micromark-core-commonmark": "^2.0.0",
+                "micromark-factory-space": "^2.0.0",
+                "micromark-util-character": "^2.0.0",
+                "micromark-util-chunked": "^2.0.0",
+                "micromark-util-combine-extensions": "^2.0.0",
+                "micromark-util-decode-numeric-character-reference": "^2.0.0",
+                "micromark-util-encode": "^2.0.0",
+                "micromark-util-normalize-identifier": "^2.0.0",
+                "micromark-util-resolve-all": "^2.0.0",
+                "micromark-util-sanitize-uri": "^2.0.0",
+                "micromark-util-subtokenize": "^2.0.0",
+                "micromark-util-symbol": "^2.0.0",
+                "micromark-util-types": "^2.0.0"
+            }
+        },
+        "node_modules/markdownlint/node_modules/micromark-core-commonmark": {
+            "version": "2.0.2",
+            "resolved": "https://registry.npmjs.org/micromark-core-commonmark/-/micromark-core-commonmark-2.0.2.tgz",
+            "integrity": "sha512-FKjQKbxd1cibWMM1P9N+H8TwlgGgSkWZMmfuVucLCHaYqeSvJ0hFeHsIa65pA2nYbes0f8LDHPMrd9X7Ujxg9w==",
+            "funding": [
+                {
+                    "type": "GitHub Sponsors",
+                    "url": "https://github.com/sponsors/unifiedjs"
+                },
+                {
+                    "type": "OpenCollective",
+                    "url": "https://opencollective.com/unified"
+                }
+            ],
+            "license": "MIT",
+            "dependencies": {
+                "decode-named-character-reference": "^1.0.0",
+                "devlop": "^1.0.0",
+                "micromark-factory-destination": "^2.0.0",
+                "micromark-factory-label": "^2.0.0",
+                "micromark-factory-space": "^2.0.0",
+                "micromark-factory-title": "^2.0.0",
+                "micromark-factory-whitespace": "^2.0.0",
+                "micromark-util-character": "^2.0.0",
+                "micromark-util-chunked": "^2.0.0",
+                "micromark-util-classify-character": "^2.0.0",
+                "micromark-util-html-tag-name": "^2.0.0",
+                "micromark-util-normalize-identifier": "^2.0.0",
+                "micromark-util-resolve-all": "^2.0.0",
+                "micromark-util-subtokenize": "^2.0.0",
+                "micromark-util-symbol": "^2.0.0",
+                "micromark-util-types": "^2.0.0"
+            }
+        },
+        "node_modules/markdownlint/node_modules/micromark-extension-gfm-autolink-literal": {
+            "version": "2.1.0",
+            "resolved": "https://registry.npmjs.org/micromark-extension-gfm-autolink-literal/-/micromark-extension-gfm-autolink-literal-2.1.0.tgz",
+            "integrity": "sha512-oOg7knzhicgQ3t4QCjCWgTmfNhvQbDDnJeVu9v81r7NltNCVmhPy1fJRX27pISafdjL+SVc4d3l48Gb6pbRypw==",
+            "license": "MIT",
+            "dependencies": {
+                "micromark-util-character": "^2.0.0",
+                "micromark-util-sanitize-uri": "^2.0.0",
+                "micromark-util-symbol": "^2.0.0",
+                "micromark-util-types": "^2.0.0"
+            },
+            "funding": {
+                "type": "opencollective",
+                "url": "https://opencollective.com/unified"
+            }
+        },
+        "node_modules/markdownlint/node_modules/micromark-extension-gfm-footnote": {
+            "version": "2.1.0",
+            "resolved": "https://registry.npmjs.org/micromark-extension-gfm-footnote/-/micromark-extension-gfm-footnote-2.1.0.tgz",
+            "integrity": "sha512-/yPhxI1ntnDNsiHtzLKYnE3vf9JZ6cAisqVDauhp4CEHxlb4uoOTxOCJ+9s51bIB8U1N1FJ1RXOKTIlD5B/gqw==",
+            "license": "MIT",
+            "dependencies": {
+                "devlop": "^1.0.0",
+                "micromark-core-commonmark": "^2.0.0",
+                "micromark-factory-space": "^2.0.0",
+                "micromark-util-character": "^2.0.0",
+                "micromark-util-normalize-identifier": "^2.0.0",
+                "micromark-util-sanitize-uri": "^2.0.0",
+                "micromark-util-symbol": "^2.0.0",
+                "micromark-util-types": "^2.0.0"
+            },
+            "funding": {
+                "type": "opencollective",
+                "url": "https://opencollective.com/unified"
+            }
+        },
+        "node_modules/markdownlint/node_modules/micromark-extension-gfm-table": {
+            "version": "2.1.0",
+            "resolved": "https://registry.npmjs.org/micromark-extension-gfm-table/-/micromark-extension-gfm-table-2.1.0.tgz",
+            "integrity": "sha512-Ub2ncQv+fwD70/l4ou27b4YzfNaCJOvyX4HxXU15m7mpYY+rjuWzsLIPZHJL253Z643RpbcP1oeIJlQ/SKW67g==",
+            "license": "MIT",
+            "dependencies": {
+                "devlop": "^1.0.0",
+                "micromark-factory-space": "^2.0.0",
+                "micromark-util-character": "^2.0.0",
+                "micromark-util-symbol": "^2.0.0",
+                "micromark-util-types": "^2.0.0"
+            },
+            "funding": {
+                "type": "opencollective",
+                "url": "https://opencollective.com/unified"
+            }
+        },
+        "node_modules/markdownlint/node_modules/micromark-factory-destination": {
+            "version": "2.0.1",
+            "resolved": "https://registry.npmjs.org/micromark-factory-destination/-/micromark-factory-destination-2.0.1.tgz",
+            "integrity": "sha512-Xe6rDdJlkmbFRExpTOmRj9N3MaWmbAgdpSrBQvCFqhezUn4AHqJHbaEnfbVYYiexVSs//tqOdY/DxhjdCiJnIA==",
+            "funding": [
+                {
+                    "type": "GitHub Sponsors",
+                    "url": "https://github.com/sponsors/unifiedjs"
+                },
+                {
+                    "type": "OpenCollective",
+                    "url": "https://opencollective.com/unified"
+                }
+            ],
+            "license": "MIT",
+            "dependencies": {
+                "micromark-util-character": "^2.0.0",
+                "micromark-util-symbol": "^2.0.0",
+                "micromark-util-types": "^2.0.0"
+            }
+        },
+        "node_modules/markdownlint/node_modules/micromark-factory-label": {
+            "version": "2.0.1",
+            "resolved": "https://registry.npmjs.org/micromark-factory-label/-/micromark-factory-label-2.0.1.tgz",
+            "integrity": "sha512-VFMekyQExqIW7xIChcXn4ok29YE3rnuyveW3wZQWWqF4Nv9Wk5rgJ99KzPvHjkmPXF93FXIbBp6YdW3t71/7Vg==",
+            "funding": [
+                {
+                    "type": "GitHub Sponsors",
+                    "url": "https://github.com/sponsors/unifiedjs"
+                },
+                {
+                    "type": "OpenCollective",
+                    "url": "https://opencollective.com/unified"
+                }
+            ],
+            "license": "MIT",
+            "dependencies": {
+                "devlop": "^1.0.0",
+                "micromark-util-character": "^2.0.0",
+                "micromark-util-symbol": "^2.0.0",
+                "micromark-util-types": "^2.0.0"
+            }
+        },
+        "node_modules/markdownlint/node_modules/micromark-factory-space": {
+            "version": "2.0.1",
+            "resolved": "https://registry.npmjs.org/micromark-factory-space/-/micromark-factory-space-2.0.1.tgz",
+            "integrity": "sha512-zRkxjtBxxLd2Sc0d+fbnEunsTj46SWXgXciZmHq0kDYGnck/ZSGj9/wULTV95uoeYiK5hRXP2mJ98Uo4cq/LQg==",
+            "funding": [
+                {
+                    "type": "GitHub Sponsors",
+                    "url": "https://github.com/sponsors/unifiedjs"
+                },
+                {
+                    "type": "OpenCollective",
+                    "url": "https://opencollective.com/unified"
+                }
+            ],
+            "license": "MIT",
+            "dependencies": {
+                "micromark-util-character": "^2.0.0",
+                "micromark-util-types": "^2.0.0"
+            }
+        },
+        "node_modules/markdownlint/node_modules/micromark-factory-title": {
+            "version": "2.0.1",
+            "resolved": "https://registry.npmjs.org/micromark-factory-title/-/micromark-factory-title-2.0.1.tgz",
+            "integrity": "sha512-5bZ+3CjhAd9eChYTHsjy6TGxpOFSKgKKJPJxr293jTbfry2KDoWkhBb6TcPVB4NmzaPhMs1Frm9AZH7OD4Cjzw==",
+            "funding": [
+                {
+                    "type": "GitHub Sponsors",
+                    "url": "https://github.com/sponsors/unifiedjs"
+                },
+                {
+                    "type": "OpenCollective",
+                    "url": "https://opencollective.com/unified"
+                }
+            ],
+            "license": "MIT",
+            "dependencies": {
+                "micromark-factory-space": "^2.0.0",
+                "micromark-util-character": "^2.0.0",
+                "micromark-util-symbol": "^2.0.0",
+                "micromark-util-types": "^2.0.0"
+            }
+        },
+        "node_modules/markdownlint/node_modules/micromark-factory-whitespace": {
+            "version": "2.0.1",
+            "resolved": "https://registry.npmjs.org/micromark-factory-whitespace/-/micromark-factory-whitespace-2.0.1.tgz",
+            "integrity": "sha512-Ob0nuZ3PKt/n0hORHyvoD9uZhr+Za8sFoP+OnMcnWK5lngSzALgQYKMr9RJVOWLqQYuyn6ulqGWSXdwf6F80lQ==",
+            "funding": [
+                {
+                    "type": "GitHub Sponsors",
+                    "url": "https://github.com/sponsors/unifiedjs"
+                },
+                {
+                    "type": "OpenCollective",
+                    "url": "https://opencollective.com/unified"
+                }
+            ],
+            "license": "MIT",
+            "dependencies": {
+                "micromark-factory-space": "^2.0.0",
+                "micromark-util-character": "^2.0.0",
+                "micromark-util-symbol": "^2.0.0",
+                "micromark-util-types": "^2.0.0"
+            }
+        },
+        "node_modules/markdownlint/node_modules/micromark-util-character": {
+            "version": "2.1.1",
+            "resolved": "https://registry.npmjs.org/micromark-util-character/-/micromark-util-character-2.1.1.tgz",
+            "integrity": "sha512-wv8tdUTJ3thSFFFJKtpYKOYiGP2+v96Hvk4Tu8KpCAsTMs6yi+nVmGh1syvSCsaxz45J6Jbw+9DD6g97+NV67Q==",
+            "funding": [
+                {
+                    "type": "GitHub Sponsors",
+                    "url": "https://github.com/sponsors/unifiedjs"
+                },
+                {
+                    "type": "OpenCollective",
+                    "url": "https://opencollective.com/unified"
+                }
+            ],
+            "license": "MIT",
+            "dependencies": {
+                "micromark-util-symbol": "^2.0.0",
+                "micromark-util-types": "^2.0.0"
+            }
+        },
+        "node_modules/markdownlint/node_modules/micromark-util-chunked": {
+            "version": "2.0.1",
+            "resolved": "https://registry.npmjs.org/micromark-util-chunked/-/micromark-util-chunked-2.0.1.tgz",
+            "integrity": "sha512-QUNFEOPELfmvv+4xiNg2sRYeS/P84pTW0TCgP5zc9FpXetHY0ab7SxKyAQCNCc1eK0459uoLI1y5oO5Vc1dbhA==",
+            "funding": [
+                {
+                    "type": "GitHub Sponsors",
+                    "url": "https://github.com/sponsors/unifiedjs"
+                },
+                {
+                    "type": "OpenCollective",
+                    "url": "https://opencollective.com/unified"
+                }
+            ],
+            "license": "MIT",
+            "dependencies": {
+                "micromark-util-symbol": "^2.0.0"
+            }
+        },
+        "node_modules/markdownlint/node_modules/micromark-util-classify-character": {
+            "version": "2.0.1",
+            "resolved": "https://registry.npmjs.org/micromark-util-classify-character/-/micromark-util-classify-character-2.0.1.tgz",
+            "integrity": "sha512-K0kHzM6afW/MbeWYWLjoHQv1sgg2Q9EccHEDzSkxiP/EaagNzCm7T/WMKZ3rjMbvIpvBiZgwR3dKMygtA4mG1Q==",
+            "funding": [
+                {
+                    "type": "GitHub Sponsors",
+                    "url": "https://github.com/sponsors/unifiedjs"
+                },
+                {
+                    "type": "OpenCollective",
+                    "url": "https://opencollective.com/unified"
+                }
+            ],
+            "license": "MIT",
+            "dependencies": {
+                "micromark-util-character": "^2.0.0",
+                "micromark-util-symbol": "^2.0.0",
+                "micromark-util-types": "^2.0.0"
+            }
+        },
+        "node_modules/markdownlint/node_modules/micromark-util-combine-extensions": {
+            "version": "2.0.1",
+            "resolved": "https://registry.npmjs.org/micromark-util-combine-extensions/-/micromark-util-combine-extensions-2.0.1.tgz",
+            "integrity": "sha512-OnAnH8Ujmy59JcyZw8JSbK9cGpdVY44NKgSM7E9Eh7DiLS2E9RNQf0dONaGDzEG9yjEl5hcqeIsj4hfRkLH/Bg==",
+            "funding": [
+                {
+                    "type": "GitHub Sponsors",
+                    "url": "https://github.com/sponsors/unifiedjs"
+                },
+                {
+                    "type": "OpenCollective",
+                    "url": "https://opencollective.com/unified"
+                }
+            ],
+            "license": "MIT",
+            "dependencies": {
+                "micromark-util-chunked": "^2.0.0",
+                "micromark-util-types": "^2.0.0"
+            }
+        },
+        "node_modules/markdownlint/node_modules/micromark-util-decode-numeric-character-reference": {
+            "version": "2.0.2",
+            "resolved": "https://registry.npmjs.org/micromark-util-decode-numeric-character-reference/-/micromark-util-decode-numeric-character-reference-2.0.2.tgz",
+            "integrity": "sha512-ccUbYk6CwVdkmCQMyr64dXz42EfHGkPQlBj5p7YVGzq8I7CtjXZJrubAYezf7Rp+bjPseiROqe7G6foFd+lEuw==",
+            "funding": [
+                {
+                    "type": "GitHub Sponsors",
+                    "url": "https://github.com/sponsors/unifiedjs"
+                },
+                {
+                    "type": "OpenCollective",
+                    "url": "https://opencollective.com/unified"
+                }
+            ],
+            "license": "MIT",
+            "dependencies": {
+                "micromark-util-symbol": "^2.0.0"
+            }
+        },
+        "node_modules/markdownlint/node_modules/micromark-util-encode": {
+            "version": "2.0.1",
+            "resolved": "https://registry.npmjs.org/micromark-util-encode/-/micromark-util-encode-2.0.1.tgz",
+            "integrity": "sha512-c3cVx2y4KqUnwopcO9b/SCdo2O67LwJJ/UyqGfbigahfegL9myoEFoDYZgkT7f36T0bLrM9hZTAaAyH+PCAXjw==",
+            "funding": [
+                {
+                    "type": "GitHub Sponsors",
+                    "url": "https://github.com/sponsors/unifiedjs"
+                },
+                {
+                    "type": "OpenCollective",
+                    "url": "https://opencollective.com/unified"
+                }
+            ],
+            "license": "MIT"
+        },
+        "node_modules/markdownlint/node_modules/micromark-util-html-tag-name": {
+            "version": "2.0.1",
+            "resolved": "https://registry.npmjs.org/micromark-util-html-tag-name/-/micromark-util-html-tag-name-2.0.1.tgz",
+            "integrity": "sha512-2cNEiYDhCWKI+Gs9T0Tiysk136SnR13hhO8yW6BGNyhOC4qYFnwF1nKfD3HFAIXA5c45RrIG1ub11GiXeYd1xA==",
+            "funding": [
+                {
+                    "type": "GitHub Sponsors",
+                    "url": "https://github.com/sponsors/unifiedjs"
+                },
+                {
+                    "type": "OpenCollective",
+                    "url": "https://opencollective.com/unified"
+                }
+            ],
+            "license": "MIT"
+        },
+        "node_modules/markdownlint/node_modules/micromark-util-normalize-identifier": {
+            "version": "2.0.1",
+            "resolved": "https://registry.npmjs.org/micromark-util-normalize-identifier/-/micromark-util-normalize-identifier-2.0.1.tgz",
+            "integrity": "sha512-sxPqmo70LyARJs0w2UclACPUUEqltCkJ6PhKdMIDuJ3gSf/Q+/GIe3WKl0Ijb/GyH9lOpUkRAO2wp0GVkLvS9Q==",
+            "funding": [
+                {
+                    "type": "GitHub Sponsors",
+                    "url": "https://github.com/sponsors/unifiedjs"
+                },
+                {
+                    "type": "OpenCollective",
+                    "url": "https://opencollective.com/unified"
+                }
+            ],
+            "license": "MIT",
+            "dependencies": {
+                "micromark-util-symbol": "^2.0.0"
+            }
+        },
+        "node_modules/markdownlint/node_modules/micromark-util-resolve-all": {
+            "version": "2.0.1",
+            "resolved": "https://registry.npmjs.org/micromark-util-resolve-all/-/micromark-util-resolve-all-2.0.1.tgz",
+            "integrity": "sha512-VdQyxFWFT2/FGJgwQnJYbe1jjQoNTS4RjglmSjTUlpUMa95Htx9NHeYW4rGDJzbjvCsl9eLjMQwGeElsqmzcHg==",
+            "funding": [
+                {
+                    "type": "GitHub Sponsors",
+                    "url": "https://github.com/sponsors/unifiedjs"
+                },
+                {
+                    "type": "OpenCollective",
+                    "url": "https://opencollective.com/unified"
+                }
+            ],
+            "license": "MIT",
+            "dependencies": {
+                "micromark-util-types": "^2.0.0"
+            }
+        },
+        "node_modules/markdownlint/node_modules/micromark-util-sanitize-uri": {
+            "version": "2.0.1",
+            "resolved": "https://registry.npmjs.org/micromark-util-sanitize-uri/-/micromark-util-sanitize-uri-2.0.1.tgz",
+            "integrity": "sha512-9N9IomZ/YuGGZZmQec1MbgxtlgougxTodVwDzzEouPKo3qFWvymFHWcnDi2vzV1ff6kas9ucW+o3yzJK9YB1AQ==",
+            "funding": [
+                {
+                    "type": "GitHub Sponsors",
+                    "url": "https://github.com/sponsors/unifiedjs"
+                },
+                {
+                    "type": "OpenCollective",
+                    "url": "https://opencollective.com/unified"
+                }
+            ],
+            "license": "MIT",
+            "dependencies": {
+                "micromark-util-character": "^2.0.0",
+                "micromark-util-encode": "^2.0.0",
+                "micromark-util-symbol": "^2.0.0"
+            }
+        },
+        "node_modules/markdownlint/node_modules/micromark-util-subtokenize": {
+            "version": "2.1.0",
+            "resolved": "https://registry.npmjs.org/micromark-util-subtokenize/-/micromark-util-subtokenize-2.1.0.tgz",
+            "integrity": "sha512-XQLu552iSctvnEcgXw6+Sx75GflAPNED1qx7eBJ+wydBb2KCbRZe+NwvIEEMM83uml1+2WSXpBAcp9IUCgCYWA==",
+            "funding": [
+                {
+                    "type": "GitHub Sponsors",
+                    "url": "https://github.com/sponsors/unifiedjs"
+                },
+                {
+                    "type": "OpenCollective",
+                    "url": "https://opencollective.com/unified"
+                }
+            ],
+            "license": "MIT",
+            "dependencies": {
+                "devlop": "^1.0.0",
+                "micromark-util-chunked": "^2.0.0",
+                "micromark-util-symbol": "^2.0.0",
+                "micromark-util-types": "^2.0.0"
+            }
+        },
+        "node_modules/markdownlint/node_modules/micromark-util-symbol": {
+            "version": "2.0.1",
+            "resolved": "https://registry.npmjs.org/micromark-util-symbol/-/micromark-util-symbol-2.0.1.tgz",
+            "integrity": "sha512-vs5t8Apaud9N28kgCrRUdEed4UJ+wWNvicHLPxCa9ENlYuAY31M0ETy5y1vA33YoNPDFTghEbnh6efaE8h4x0Q==",
+            "funding": [
+                {
+                    "type": "GitHub Sponsors",
+                    "url": "https://github.com/sponsors/unifiedjs"
+                },
+                {
+                    "type": "OpenCollective",
+                    "url": "https://opencollective.com/unified"
+                }
+            ],
+            "license": "MIT"
+        },
+        "node_modules/markdownlint/node_modules/micromark-util-types": {
+            "version": "2.0.1",
+            "resolved": "https://registry.npmjs.org/micromark-util-types/-/micromark-util-types-2.0.1.tgz",
+            "integrity": "sha512-534m2WhVTddrcKVepwmVEVnUAmtrx9bfIjNoQHRqfnvdaHQiFytEhJoTgpWJvDEXCO5gLTQh3wYC1PgOJA4NSQ==",
+            "funding": [
+                {
+                    "type": "GitHub Sponsors",
+                    "url": "https://github.com/sponsors/unifiedjs"
+                },
+                {
+                    "type": "OpenCollective",
+                    "url": "https://opencollective.com/unified"
+                }
+            ],
+            "license": "MIT"
+        },
         "node_modules/marked": {
             "version": "4.3.0",
             "resolved": "https://registry.npmjs.org/marked/-/marked-4.3.0.tgz",
@@ -4802,8 +5456,7 @@
         "node_modules/mdurl": {
             "version": "2.0.0",
             "resolved": "https://registry.npmjs.org/mdurl/-/mdurl-2.0.0.tgz",
-            "integrity": "sha512-Lf+9+2r+Tdp5wXDXC4PcIBjTDtq4UKjCPMQhKIuzpJNW0b96kVqSwW0bT7FhRSfmAiFYgP+SCRvdrDozfh0U5w==",
-            "dev": true
+            "integrity": "sha512-Lf+9+2r+Tdp5wXDXC4PcIBjTDtq4UKjCPMQhKIuzpJNW0b96kVqSwW0bT7FhRSfmAiFYgP+SCRvdrDozfh0U5w=="
         },
         "node_modules/meow": {
             "version": "9.0.0",
@@ -5038,6 +5691,119 @@
                 "uvu": "^0.5.0"
             }
         },
+        "node_modules/micromark-extension-directive": {
+            "version": "3.0.2",
+            "resolved": "https://registry.npmjs.org/micromark-extension-directive/-/micromark-extension-directive-3.0.2.tgz",
+            "integrity": "sha512-wjcXHgk+PPdmvR58Le9d7zQYWy+vKEU9Se44p2CrCDPiLr2FMyiT4Fyb5UFKFC66wGB3kPlgD7q3TnoqPS7SZA==",
+            "license": "MIT",
+            "dependencies": {
+                "devlop": "^1.0.0",
+                "micromark-factory-space": "^2.0.0",
+                "micromark-factory-whitespace": "^2.0.0",
+                "micromark-util-character": "^2.0.0",
+                "micromark-util-symbol": "^2.0.0",
+                "micromark-util-types": "^2.0.0",
+                "parse-entities": "^4.0.0"
+            },
+            "funding": {
+                "type": "opencollective",
+                "url": "https://opencollective.com/unified"
+            }
+        },
+        "node_modules/micromark-extension-directive/node_modules/micromark-factory-space": {
+            "version": "2.0.1",
+            "resolved": "https://registry.npmjs.org/micromark-factory-space/-/micromark-factory-space-2.0.1.tgz",
+            "integrity": "sha512-zRkxjtBxxLd2Sc0d+fbnEunsTj46SWXgXciZmHq0kDYGnck/ZSGj9/wULTV95uoeYiK5hRXP2mJ98Uo4cq/LQg==",
+            "funding": [
+                {
+                    "type": "GitHub Sponsors",
+                    "url": "https://github.com/sponsors/unifiedjs"
+                },
+                {
+                    "type": "OpenCollective",
+                    "url": "https://opencollective.com/unified"
+                }
+            ],
+            "license": "MIT",
+            "dependencies": {
+                "micromark-util-character": "^2.0.0",
+                "micromark-util-types": "^2.0.0"
+            }
+        },
+        "node_modules/micromark-extension-directive/node_modules/micromark-factory-whitespace": {
+            "version": "2.0.1",
+            "resolved": "https://registry.npmjs.org/micromark-factory-whitespace/-/micromark-factory-whitespace-2.0.1.tgz",
+            "integrity": "sha512-Ob0nuZ3PKt/n0hORHyvoD9uZhr+Za8sFoP+OnMcnWK5lngSzALgQYKMr9RJVOWLqQYuyn6ulqGWSXdwf6F80lQ==",
+            "funding": [
+                {
+                    "type": "GitHub Sponsors",
+                    "url": "https://github.com/sponsors/unifiedjs"
+                },
+                {
+                    "type": "OpenCollective",
+                    "url": "https://opencollective.com/unified"
+                }
+            ],
+            "license": "MIT",
+            "dependencies": {
+                "micromark-factory-space": "^2.0.0",
+                "micromark-util-character": "^2.0.0",
+                "micromark-util-symbol": "^2.0.0",
+                "micromark-util-types": "^2.0.0"
+            }
+        },
+        "node_modules/micromark-extension-directive/node_modules/micromark-util-character": {
+            "version": "2.1.1",
+            "resolved": "https://registry.npmjs.org/micromark-util-character/-/micromark-util-character-2.1.1.tgz",
+            "integrity": "sha512-wv8tdUTJ3thSFFFJKtpYKOYiGP2+v96Hvk4Tu8KpCAsTMs6yi+nVmGh1syvSCsaxz45J6Jbw+9DD6g97+NV67Q==",
+            "funding": [
+                {
+                    "type": "GitHub Sponsors",
+                    "url": "https://github.com/sponsors/unifiedjs"
+                },
+                {
+                    "type": "OpenCollective",
+                    "url": "https://opencollective.com/unified"
+                }
+            ],
+            "license": "MIT",
+            "dependencies": {
+                "micromark-util-symbol": "^2.0.0",
+                "micromark-util-types": "^2.0.0"
+            }
+        },
+        "node_modules/micromark-extension-directive/node_modules/micromark-util-symbol": {
+            "version": "2.0.1",
+            "resolved": "https://registry.npmjs.org/micromark-util-symbol/-/micromark-util-symbol-2.0.1.tgz",
+            "integrity": "sha512-vs5t8Apaud9N28kgCrRUdEed4UJ+wWNvicHLPxCa9ENlYuAY31M0ETy5y1vA33YoNPDFTghEbnh6efaE8h4x0Q==",
+            "funding": [
+                {
+                    "type": "GitHub Sponsors",
+                    "url": "https://github.com/sponsors/unifiedjs"
+                },
+                {
+                    "type": "OpenCollective",
+                    "url": "https://opencollective.com/unified"
+                }
+            ],
+            "license": "MIT"
+        },
+        "node_modules/micromark-extension-directive/node_modules/micromark-util-types": {
+            "version": "2.0.2",
+            "resolved": "https://registry.npmjs.org/micromark-util-types/-/micromark-util-types-2.0.2.tgz",
+            "integrity": "sha512-Yw0ECSpJoViF1qTU4DC6NwtC4aWGt1EkzaQB8KPPyCRR8z9TWeV0HbEFGTO+ZY1wB22zmxnJqhPyTpOVCpeHTA==",
+            "funding": [
+                {
+                    "type": "GitHub Sponsors",
+                    "url": "https://github.com/sponsors/unifiedjs"
+                },
+                {
+                    "type": "OpenCollective",
+                    "url": "https://opencollective.com/unified"
+                }
+            ],
+            "license": "MIT"
+        },
         "node_modules/micromark-extension-gfm": {
             "version": "2.0.3",
             "resolved": "https://registry.npmjs.org/micromark-extension-gfm/-/micromark-extension-gfm-2.0.3.tgz",
@@ -5159,6 +5925,97 @@
                 "url": "https://opencollective.com/unified"
             }
         },
+        "node_modules/micromark-extension-math": {
+            "version": "3.1.0",
+            "resolved": "https://registry.npmjs.org/micromark-extension-math/-/micromark-extension-math-3.1.0.tgz",
+            "integrity": "sha512-lvEqd+fHjATVs+2v/8kg9i5Q0AP2k85H0WUOwpIVvUML8BapsMvh1XAogmQjOCsLpoKRCVQqEkQBB3NhVBcsOg==",
+            "license": "MIT",
+            "dependencies": {
+                "@types/katex": "^0.16.0",
+                "devlop": "^1.0.0",
+                "katex": "^0.16.0",
+                "micromark-factory-space": "^2.0.0",
+                "micromark-util-character": "^2.0.0",
+                "micromark-util-symbol": "^2.0.0",
+                "micromark-util-types": "^2.0.0"
+            },
+            "funding": {
+                "type": "opencollective",
+                "url": "https://opencollective.com/unified"
+            }
+        },
+        "node_modules/micromark-extension-math/node_modules/micromark-factory-space": {
+            "version": "2.0.1",
+            "resolved": "https://registry.npmjs.org/micromark-factory-space/-/micromark-factory-space-2.0.1.tgz",
+            "integrity": "sha512-zRkxjtBxxLd2Sc0d+fbnEunsTj46SWXgXciZmHq0kDYGnck/ZSGj9/wULTV95uoeYiK5hRXP2mJ98Uo4cq/LQg==",
+            "funding": [
+                {
+                    "type": "GitHub Sponsors",
+                    "url": "https://github.com/sponsors/unifiedjs"
+                },
+                {
+                    "type": "OpenCollective",
+                    "url": "https://opencollective.com/unified"
+                }
+            ],
+            "license": "MIT",
+            "dependencies": {
+                "micromark-util-character": "^2.0.0",
+                "micromark-util-types": "^2.0.0"
+            }
+        },
+        "node_modules/micromark-extension-math/node_modules/micromark-util-character": {
+            "version": "2.1.1",
+            "resolved": "https://registry.npmjs.org/micromark-util-character/-/micromark-util-character-2.1.1.tgz",
+            "integrity": "sha512-wv8tdUTJ3thSFFFJKtpYKOYiGP2+v96Hvk4Tu8KpCAsTMs6yi+nVmGh1syvSCsaxz45J6Jbw+9DD6g97+NV67Q==",
+            "funding": [
+                {
+                    "type": "GitHub Sponsors",
+                    "url": "https://github.com/sponsors/unifiedjs"
+                },
+                {
+                    "type": "OpenCollective",
+                    "url": "https://opencollective.com/unified"
+                }
+            ],
+            "license": "MIT",
+            "dependencies": {
+                "micromark-util-symbol": "^2.0.0",
+                "micromark-util-types": "^2.0.0"
+            }
+        },
+        "node_modules/micromark-extension-math/node_modules/micromark-util-symbol": {
+            "version": "2.0.1",
+            "resolved": "https://registry.npmjs.org/micromark-util-symbol/-/micromark-util-symbol-2.0.1.tgz",
+            "integrity": "sha512-vs5t8Apaud9N28kgCrRUdEed4UJ+wWNvicHLPxCa9ENlYuAY31M0ETy5y1vA33YoNPDFTghEbnh6efaE8h4x0Q==",
+            "funding": [
+                {
+                    "type": "GitHub Sponsors",
+                    "url": "https://github.com/sponsors/unifiedjs"
+                },
+                {
+                    "type": "OpenCollective",
+                    "url": "https://opencollective.com/unified"
+                }
+            ],
+            "license": "MIT"
+        },
+        "node_modules/micromark-extension-math/node_modules/micromark-util-types": {
+            "version": "2.0.2",
+            "resolved": "https://registry.npmjs.org/micromark-util-types/-/micromark-util-types-2.0.2.tgz",
+            "integrity": "sha512-Yw0ECSpJoViF1qTU4DC6NwtC4aWGt1EkzaQB8KPPyCRR8z9TWeV0HbEFGTO+ZY1wB22zmxnJqhPyTpOVCpeHTA==",
+            "funding": [
+                {
+                    "type": "GitHub Sponsors",
+                    "url": "https://github.com/sponsors/unifiedjs"
+                },
+                {
+                    "type": "OpenCollective",
+                    "url": "https://opencollective.com/unified"
+                }
+            ],
+            "license": "MIT"
+        },
         "node_modules/micromark-factory-destination": {
             "version": "1.1.0",
             "resolved": "https://registry.npmjs.org/micromark-factory-destination/-/micromark-factory-destination-1.1.0.tgz",
@@ -5569,6 +6426,15 @@
                 "url": "https://github.com/sponsors/isaacs"
             }
         },
+        "node_modules/minimist": {
+            "version": "1.2.8",
+            "resolved": "https://registry.npmjs.org/minimist/-/minimist-1.2.8.tgz",
+            "integrity": "sha512-2yyAR8qBkN3YuheJanUpWC5U3bb5osDywNB8RzDVlDwDHbocAJveqqj1u8+SVD7jkWT4yvsHCpWqqWqAxb0zCA==",
+            "license": "MIT",
+            "funding": {
+                "url": "https://github.com/sponsors/ljharb"
+            }
+        },
         "node_modules/minimist-options": {
             "version": "4.1.0",
             "resolved": "https://registry.npmjs.org/minimist-options/-/minimist-options-4.1.0.tgz",
@@ -5709,8 +6575,7 @@
         "node_modules/ms": {
             "version": "2.1.2",
             "resolved": "https://registry.npmjs.org/ms/-/ms-2.1.2.tgz",
-            "integrity": "sha512-sGkPx+VjMtmA6MX27oA4FBFELFCZZ4S4XqeGOXCv68tT+jb3vk/RyaKWP0PTKyWtmLSM0b+adUTEvbs1PEaH2w==",
-            "dev": true
+            "integrity": "sha512-sGkPx+VjMtmA6MX27oA4FBFELFCZZ4S4XqeGOXCv68tT+jb3vk/RyaKWP0PTKyWtmLSM0b+adUTEvbs1PEaH2w=="
         },
         "node_modules/nan": {
             "version": "2.20.0",
@@ -8897,6 +9762,25 @@
                 "node": ">=6"
             }
         },
+        "node_modules/parse-entities": {
+            "version": "4.0.2",
+            "resolved": "https://registry.npmjs.org/parse-entities/-/parse-entities-4.0.2.tgz",
+            "integrity": "sha512-GG2AQYWoLgL877gQIKeRPGO1xF9+eG1ujIb5soS5gPvLQ1y2o8FL90w2QWNdf9I361Mpp7726c+lj3U0qK1uGw==",
+            "license": "MIT",
+            "dependencies": {
+                "@types/unist": "^2.0.0",
+                "character-entities-legacy": "^3.0.0",
+                "character-reference-invalid": "^2.0.0",
+                "decode-named-character-reference": "^1.0.0",
+                "is-alphanumerical": "^2.0.0",
+                "is-decimal": "^2.0.0",
+                "is-hexadecimal": "^2.0.0"
+            },
+            "funding": {
+                "type": "github",
+                "url": "https://github.com/sponsors/wooorm"
+            }
+        },
         "node_modules/parse-filepath": {
             "version": "1.0.2",
             "resolved": "https://registry.npmjs.org/parse-filepath/-/parse-filepath-1.0.2.tgz",
@@ -9002,7 +9886,6 @@
             "version": "1.11.1",
             "resolved": "https://registry.npmjs.org/path-scurry/-/path-scurry-1.11.1.tgz",
             "integrity": "sha512-Xa4Nw17FS9ApQFJ9umLiJS4orGjm7ZzwUrwamcGQuHSzDyth9boKDaycYdDcZDuqYATXw4HFXgaqWTctW/v1HA==",
-            "dev": true,
             "dependencies": {
                 "lru-cache": "^10.2.0",
                 "minipass": "^5.0.0 || ^6.0.2 || ^7.0.0"
@@ -9018,7 +9901,6 @@
             "version": "10.2.2",
             "resolved": "https://registry.npmjs.org/lru-cache/-/lru-cache-10.2.2.tgz",
             "integrity": "sha512-9hp3Vp2/hFQUiIwKo8XCeFVnrg8Pk3TYNPIR7tJADKi5YfcF7vEaK7avFHTlSy3kOKYaJQaalfEo6YuXdceBOQ==",
-            "dev": true,
             "engines": {
                 "node": "14 || >=16.14"
             }
@@ -9027,7 +9909,6 @@
             "version": "7.1.2",
             "resolved": "https://registry.npmjs.org/minipass/-/minipass-7.1.2.tgz",
             "integrity": "sha512-qOOzS1cBTWYF4BH8fVePDBOO9iptMnGUEZwNc/cMWnTV2nVLZ7VoNWEPHkYczZA0pdoA7dl6e7FL659nX9S2aw==",
-            "dev": true,
             "engines": {
                 "node": ">=16 || 14 >=14.17"
             }
@@ -9777,7 +10658,6 @@
             "version": "2.3.1",
             "resolved": "https://registry.npmjs.org/punycode.js/-/punycode.js-2.3.1.tgz",
             "integrity": "sha512-uxFIHU0YlHYhDQtV4R9J6a52SLx28BCjT+4ieh7IGbgwVJWO+km431c4yRlREUAsAmt/uMjQUyQHNEPf0M39CA==",
-            "dev": true,
             "engines": {
                 "node": ">=6"
             }
@@ -10354,6 +11234,42 @@
             "integrity": "sha512-SqmZANLWS0mnatqbSfRP5g8OXZC12Fgg1IwNtLsyHDzJizORW4khDfjPqJZsemPWBB2uqykUah5YpQ6epsqC/w==",
             "dev": true
         },
+        "node_modules/run-con": {
+            "version": "1.3.2",
+            "resolved": "https://registry.npmjs.org/run-con/-/run-con-1.3.2.tgz",
+            "integrity": "sha512-CcfE+mYiTcKEzg0IqS08+efdnH0oJ3zV0wSUFBNrMHMuxCtXvBCLzCJHatwuXDcu/RlhjTziTo/a1ruQik6/Yg==",
+            "license": "(BSD-2-Clause OR MIT OR Apache-2.0)",
+            "dependencies": {
+                "deep-extend": "^0.6.0",
+                "ini": "~4.1.0",
+                "minimist": "^1.2.8",
+                "strip-json-comments": "~3.1.1"
+            },
+            "bin": {
+                "run-con": "cli.js"
+            }
+        },
+        "node_modules/run-con/node_modules/ini": {
+            "version": "4.1.3",
+            "resolved": "https://registry.npmjs.org/ini/-/ini-4.1.3.tgz",
+            "integrity": "sha512-X7rqawQBvfdjS10YU1y1YVreA3SsLrW9dX2CewP2EbBJM4ypVNLDkO5y04gejPwKIY9lR+7r9gn3rFPt/kmWFg==",
+            "license": "ISC",
+            "engines": {
+                "node": "^14.17.0 || ^16.13.0 || >=18.0.0"
+            }
+        },
+        "node_modules/run-con/node_modules/strip-json-comments": {
+            "version": "3.1.1",
+            "resolved": "https://registry.npmjs.org/strip-json-comments/-/strip-json-comments-3.1.1.tgz",
+            "integrity": "sha512-6fPc+R4ihwqP6N/aIv2f1gMH8lOVtWQHoqC4yK6oSDVVocumAsfCqjkXnqiYMhmMwS/mEHLp7Vehlt3ql6lEig==",
+            "license": "MIT",
+            "engines": {
+                "node": ">=8"
+            },
+            "funding": {
+                "url": "https://github.com/sponsors/sindresorhus"
+            }
+        },
         "node_modules/run-parallel": {
             "version": "1.2.0",
             "resolved": "https://registry.npmjs.org/run-parallel/-/run-parallel-1.2.0.tgz",
@@ -10567,6 +11483,18 @@
             "integrity": "sha512-g6T+p7QO8npa+/hNx9ohv1E5pVCmWrVCUzUXJyLdMmftX6ER0oiWY/w9knEonLpnOp6b6FenKnMfR8gqwWdwig==",
             "dev": true
         },
+        "node_modules/smol-toml": {
+            "version": "1.3.1",
+            "resolved": "https://registry.npmjs.org/smol-toml/-/smol-toml-1.3.1.tgz",
+            "integrity": "sha512-tEYNll18pPKHroYSmLLrksq233j021G0giwW7P3D24jC54pQ5W5BXMsQ/Mvw1OJCmEYDgY+lrzT+3nNUtoNfXQ==",
+            "license": "BSD-3-Clause",
+            "engines": {
+                "node": ">= 18"
+            },
+            "funding": {
+                "url": "https://github.com/sponsors/cyyynthia"
+            }
+        },
         "node_modules/socks": {
             "version": "2.8.3",
             "resolved": "https://registry.npmjs.org/socks/-/socks-2.8.3.tgz",
@@ -11102,8 +12030,7 @@
         "node_modules/uc.micro": {
             "version": "2.1.0",
             "resolved": "https://registry.npmjs.org/uc.micro/-/uc.micro-2.1.0.tgz",
-            "integrity": "sha512-ARDJmphmdvUk6Glw7y9DQ2bFkKBHwQHLi2lsaH6PPmz/Ka9sFOBsBluozhDltWmnv9u/cF6Rt87znRTPV+yp/A==",
-            "dev": true
+            "integrity": "sha512-ARDJmphmdvUk6Glw7y9DQ2bFkKBHwQHLi2lsaH6PPmz/Ka9sFOBsBluozhDltWmnv9u/cF6Rt87znRTPV+yp/A=="
         },
         "node_modules/unc-path-regex": {
             "version": "0.1.2",
diff --git a/package.json b/package.json
index 329bcd5..1f72d6f 100644
--- a/package.json
+++ b/package.json
@@ -7,6 +7,7 @@
         "documentation": "^14.0.1",
         "install": "^0.13.0",
         "jsdoc": "^4.0.2",
+        "markdownlint": "^0.37.4",
         "node-sass": "^9.0.0",
         "npm": "^8.11.0",
         "rollup": "^4.1.5",
@@ -22,8 +23,8 @@
         "typescript": "^5.2.2"
     },
     "overrides": {
-      "node-gyp": "^10.1.0",
-      "glob": "^9.0.0"
+        "node-gyp": "^10.1.0",
+        "glob": "^9.0.0"
     },
     "eslintConfig": {
         "root": true,
@@ -34,5 +35,8 @@
     },
     "eslintIgnore": [
         "node_modules/**"
-    ]
+    ],
+    "dependencies": {
+        "markdownlint-cli": "^0.44.0"
+    }
 }
diff --git a/webpages/admin-gui.md b/webpages/admin-gui.md
index 4b7f5b2..b968a74 100644
--- a/webpages/admin-gui.md
+++ b/webpages/admin-gui.md
@@ -19,4 +19,3 @@ the VMs and adjust the CPU and RAM usages (modifies the definition
 in kubernetes).
 
 ![VM-Operator GUI](VM-Operator-GUI-view.png)
-
diff --git a/webpages/auto-login.md b/webpages/auto-login.md
index c4b859d..59856b2 100644
--- a/webpages/auto-login.md
+++ b/webpages/auto-login.md
@@ -11,14 +11,14 @@ When users log into the web GUI, they have already authenticated with the
 VM-Operator. In some environments, requiring an additional login on the
 guest OS can be cumbersome. To enhance the user experience, the VM-Operator
 supports automatic login on the guest operating system, thus eliminating
-the need for multiple logins. However, this feature requires specific 
+the need for multiple logins. However, this feature requires specific
 support from the guest OS.
 
 ## Prepare the VM
 
 Automatic login requires an agent running inside the guest OS. Similar
 to QEMU's standard guest agent, the VM-Operator agent communicates with
-the host via a tty device (`/dev/virtio-ports/org.jdrupes.vmop_agent.0`). On 
+the host via a tty device (`/dev/virtio-ports/org.jdrupes.vmop_agent.0`). On
 modern Linux systems, `udev` can detect this device and trigger the start
 of an associated systemd service.
 
@@ -30,7 +30,7 @@ Copy
   * `vmop-agent` → `/usr/local/libexec/vmop-agent` and
   * `vmop-agent.service` → `/usr/local/lib/systemd/system/vmop-agent.service`.
 
-Some of these target directories may not exist by default and must be 
+Some of these target directories may not exist by default and must be
 created manually. If your system uses SELinux, run `restorecon` to apply
 the correct security contexts.
 
diff --git a/webpages/index.md b/webpages/index.md
index ea9c5eb..9ad3aba 100644
--- a/webpages/index.md
+++ b/webpages/index.md
@@ -27,6 +27,7 @@ If you just want to try out things, you can skip the remainder of this
 page and proceed to "[the manager](manager.html)".
 
 ## Motivation
+
 The project was triggered by a remark in the discussion about RedHat
 [dropping SPICE support](https://bugzilla.redhat.com/show_bug.cgi?id=2030592)
 from the RHEL packages. Which means that you have to run Qemu in a
@@ -55,9 +56,11 @@ close to simply deploying the pod (you get the restart and some PVC
 management "for free").
 
 A second look, however, reveals that Kubernetes has more to offer.
-* It has a well defined API for managing resources.
-* It provides access to different kinds of managed storage for the VMs.
-* Its managing features *are* useful for running the component that
+
+  * It has a well defined API for managing resources.
+  * It provides access to different kinds of managed storage for the VMs.
+  * Its managing features *are* useful for running the component that
+  
 manages the pods with the VMs.
 
 And if you use Kubernetes anyway, well then the VMs within Kubernetes
diff --git a/webpages/manager.md b/webpages/manager.md
index d283484..8748ad8 100644
--- a/webpages/manager.md
+++ b/webpages/manager.md
@@ -40,7 +40,8 @@ default files for creating these resources using the default namespace
 can be found in the
 [deploy](https://github.com/mnlipp/VM-Operator/tree/main/deploy)
 directory. I recommend to use
-[kustomize](https://kubernetes.io/docs/tasks/manage-kubernetes-objects/kustomization/) to create your own configuration.
+[kustomize](https://kubernetes.io/docs/tasks/manage-kubernetes-objects/kustomization/)
+to create your own configuration.
 
 ## Initial Configuration
 
diff --git a/webpages/pools.md b/webpages/pools.md
index b36397e..41e26ef 100644
--- a/webpages/pools.md
+++ b/webpages/pools.md
@@ -76,7 +76,7 @@ provide access to a pool instead of to a specific VM.
 
 Assignment happens when the "Start" icon is clicked. If the assigned VM
 is not already running, it will be started automatically. The assigned
-VM's name apears in the widget above the action icons. 
+VM's name apears in the widget above the action icons.
 
 ![VM Access via pool](PoolAccess-preview.png)
 
diff --git a/webpages/runner.md b/webpages/runner.md
index a6a744d..a877b57 100644
--- a/webpages/runner.md
+++ b/webpages/runner.md
@@ -44,9 +44,9 @@ A sample configuration file with annotated options can be found
 As the runner implementation uses the
 [JGrapes](https://jgrapes.org/) framework, the file
 follows the framework's
-[conventions](https://jgrapes.org/latest-release/javadoc/org/jgrapes/util/YamlConfigurationStore.html). The top level "`/Runner`" selects
-the component to be configured. Nested within is the information
-to be applied to the component.
+[conventions](https://jgrapes.org/latest-release/javadoc/org/jgrapes/util/YamlConfigurationStore.html).
+The top level "`/Runner`" selects the component to be configured. Nested
+within is the information to be applied to the component.
 
 The main entries in the configuration file are the "template" and
 the "vm" information. The runner processes the
@@ -58,8 +58,8 @@ defines a particular VM type, i.e. it contains the "nasty details"
 that do not need to be modified for some given set of VM instances.
 
 The templates provided with the runner can be found
-[here](https://github.com/mnlipp/VM-Operator/tree/main/org.jdrupes.vmoperator.runner.qemu/templates). When details
-of the VM configuration need modification, a new VM type
+[here](https://github.com/mnlipp/VM-Operator/tree/main/org.jdrupes.vmoperator.runner.qemu/templates).
+When details of the VM configuration need modification, a new VM type
 (i.e. a new template) has to be defined. Authoring a new
 template requires some knowledge about the
 [qemu invocation](https://www.qemu.org/docs/master/system/invocation.html).
@@ -92,7 +92,8 @@ which may be used in a stand-alone development configuration.
 The runner supports adaption to changes of the RAM size (using the
 balloon device) and to changes of the number of CPUs. Note that
 in order to get new CPUs online on Linux guests, you need a
-[udev rule](https://docs.kernel.org/core-api/cpu_hotplug.html#user-space-notification) which is not installed by default[^simplest].
+[udev rule](https://docs.kernel.org/core-api/cpu_hotplug.html#user-space-notification)
+which is not installed by default[^simplest].
 
 The runner also changes the images loaded in CDROM drives. If the
 drive is locked, i.e. if it doesn't respond to the "open tray" command
@@ -101,7 +102,8 @@ the change will be suspended until the VM opens the tray.
 Finally, `powerdownTimeout` can be changed while the qemu process runs.
 
 [^simplest]: The simplest form of the rule is probably:
-    ```
+
+    ```txt
     ACTION=="add", SUBSYSTEM=="cpu", ATTR{online}="1"
     ```
 
diff --git a/webpages/user-gui.md b/webpages/user-gui.md
index be7b6a2..3ff816f 100644
--- a/webpages/user-gui.md
+++ b/webpages/user-gui.md
@@ -77,7 +77,8 @@ objects that either specify a role or a user.
 ## Console access
 
 Access to the VM's console is implemented by generating a
-[connection file](https://manpages.debian.org/testing/virt-viewer/remote-viewer.1.en.html#CONNECTION_FILE) for virt-viewer when the user clicks on
+[connection file](https://manpages.debian.org/testing/virt-viewer/remote-viewer.1.en.html#CONNECTION_FILE)
+for virt-viewer when the user clicks on
 the console icon. If automatic open is enabled for this kind of
 files in the browser, the console opens without further user action.
 

From 7130c128bb4bcf152a42a86adc818674603f4bbf Mon Sep 17 00:00:00 2001
From: "Michael N. Lipp" <mnl@mnl.de>
Date: Thu, 6 Mar 2025 23:30:57 +0100
Subject: [PATCH 199/274] Add another environment setting.

---
 dev-example/vmop-agent/vmop-agent | 1 +
 1 file changed, 1 insertion(+)

diff --git a/dev-example/vmop-agent/vmop-agent b/dev-example/vmop-agent/vmop-agent
index bb2fb86..1c74c61 100755
--- a/dev-example/vmop-agent/vmop-agent
+++ b/dev-example/vmop-agent/vmop-agent
@@ -101,6 +101,7 @@ doLogin() {
     -p PAMName=login -p StandardInput=tty -p StandardOutput=journal \
     -p Conflicts="gdm.service getty@tty1.service" \
     -E XDG_RUNTIME_DIR="/run/user/$uid" \
+    -E XDG_CURRENT_DESKTOP=GNOME \
     -p ExecStartPre="/usr/bin/chvt 1" \
     dbus-run-session -- gnome-shell --display-server --wayland
   if [ $? -eq 0 ]; then

From 7104984ac7c6852f37b65a3e0f19e94c0d6fc6c9 Mon Sep 17 00:00:00 2001
From: "Michael N. Lipp" <mnl@mnl.de>
Date: Fri, 7 Mar 2025 13:26:31 +0100
Subject: [PATCH 200/274] Consistent spelling for QEMU.

---
 webpages/controller.md |  4 ++--
 webpages/index.md      | 14 +++++++-------
 webpages/runner.md     |  8 ++++----
 webpages/upgrading.md  |  2 +-
 4 files changed, 14 insertions(+), 14 deletions(-)

diff --git a/webpages/controller.md b/webpages/controller.md
index e20263f..c91e2d4 100644
--- a/webpages/controller.md
+++ b/webpages/controller.md
@@ -209,7 +209,7 @@ data:
 If such a secret for the VM is found, the VM is configured to use
 the display password specified. The display password in the secret
 can be updated while the VM runs[^delay]. Activating/deactivating
-the display password while a VM runs is not supported by Qemu and
+the display password while a VM runs is not supported by QEMU and
 therefore requires stopping the VM, adding/removing the secret and
 restarting the VM.
 
@@ -220,7 +220,7 @@ restarting the VM.
 
 The secret's `data` can have an additional property `data.password-expiry` which
 specifies a (base64 encoded) expiry date for the password. Supported
-values are those defined by qemu (`+n` seconds from now, `n` Unix
+values are those defined by QEMU (`+n` seconds from now, `n` Unix
 timestamp, `never` and `now`).
 
 Unless `spec.vm.display.spice.generateSecret` is set to `false` in the VM
diff --git a/webpages/index.md b/webpages/index.md
index 9ad3aba..2f1afaf 100644
--- a/webpages/index.md
+++ b/webpages/index.md
@@ -12,10 +12,10 @@ layout: vm-operator
 ![Overview picture](index-pic.svg)
 
 This project provides an easy to use and flexible solution
-for running Qemu/KVM based VMs in Kubernetes pods.
+for running QEMU/KVM based VMs in Kubernetes pods.
 
-The image used for the VM pods combines Qemu and a control program
-for starting and managing the Qemu process. This application is called
+The image used for the VM pods combines QEMU and a control program
+for starting and managing the QEMU process. This application is called
 "[the runner](runner.html)".
 
 While you can deploy a runner manually (or with the help of some
@@ -30,7 +30,7 @@ page and proceed to "[the manager](manager.html)".
 
 The project was triggered by a remark in the discussion about RedHat
 [dropping SPICE support](https://bugzilla.redhat.com/show_bug.cgi?id=2030592)
-from the RHEL packages. Which means that you have to run Qemu in a
+from the RHEL packages. Which means that you have to run QEMU in a
 container on RHEL and derivatives if you want to continue using Spice.
 So KubeVirt comes to mind. But
 [one comment](https://bugzilla.redhat.com/show_bug.cgi?id=2030592#c4)
@@ -38,10 +38,10 @@ mentioned that the [KubeVirt](https://kubevirt.io/) project isn't
 interested in supporting SPICE either.
 
 Time to have a look at alternatives. Libvirt has become a common
-tool to configure and run Qemu. But some of its functionality, notably
+tool to configure and run QEMU. But some of its functionality, notably
 the management of storage for the VMs and networking is already provided
 by Kubernetes. Therefore this project takes a fresh approach of
-running Qemu in a pod using a simple, lightweight manager called "runner".
+running QEMU in a pod using a simple, lightweight manager called "runner".
 Providing resources to the VM is left to Kubernetes mechanisms as
 much as possible.
 
@@ -50,7 +50,7 @@ much as possible.
 VMs are not the typical workload managed by Kubernetes. You can neither
 have replicas nor can the containers simply be restarted without a major
 impact on the "application". So there are many features for managing
-pods that we cannot make use of. Qemu in its container can only be
+pods that we cannot make use of. QEMU in its container can only be
 deployed as a pod or using a stateful set with replica 1, which is rather
 close to simply deploying the pod (you get the restart and some PVC
 management "for free").
diff --git a/webpages/runner.md b/webpages/runner.md
index a877b57..e677a7a 100644
--- a/webpages/runner.md
+++ b/webpages/runner.md
@@ -9,19 +9,19 @@ layout: vm-operator
 
 # The Runner
 
-For most use cases, Qemu needs to be started and controlled by another
-program that manages the Qemu process. This program is called the
+For most use cases, QEMU needs to be started and controlled by another
+program that manages the QEMU process. This program is called the
 runner in this context.
 
 The most prominent reason for this second program is that it allows
-a VM to be shutdown cleanly in response to a TERM signal. Qemu handles
+a VM to be shutdown cleanly in response to a TERM signal. QEMU handles
 the TERM signal by flushing all buffers and stopping, leaving the disks in
 a [crash consistent state](https://gitlab.com/qemu-project/qemu/-/issues/148).
 For a graceful shutdown, a parent process must handle the TERM signal, send
 the `system_powerdown` command to the qemu process and wait for its completion.
 
 Another reason for having the runner is that another process needs to be started
-before qemu if the VM is supposed to include a TPM (software TPM).
+before QEMU if the VM is supposed to include a TPM (software TPM).
 
 Finally, we want some kind of higher level interface for applying runtime
 changes to the VM such as changing the CD or configuring the number of
diff --git a/webpages/upgrading.md b/webpages/upgrading.md
index 12ff096..a590bcc 100644
--- a/webpages/upgrading.md
+++ b/webpages/upgrading.md
@@ -29,7 +29,7 @@ layout: vm-operator
     but should be updated.
 
   * The standard [template](./runner.html#stand-alone-configuration) used
-    to generate the QEMU command has been updated. Unless you have enabled
+    to generate the qemu command has been updated. Unless you have enabled
     automatic updates of the template in the VM definition, you have to
     update the template manually. If you're using your own template, you
     have to add a virtual serial port (see the git history of the standard

From 29bc6f539c1a14e5fd28d83b1af5f840d89bc573 Mon Sep 17 00:00:00 2001
From: "Michael N. Lipp" <mnl@mnl.de>
Date: Fri, 7 Mar 2025 20:52:10 +0100
Subject: [PATCH 201/274] Add hint regarding requirements.

---
 dev-example/vmop-agent/vmop-agent | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/dev-example/vmop-agent/vmop-agent b/dev-example/vmop-agent/vmop-agent
index 1c74c61..f61a55e 100755
--- a/dev-example/vmop-agent/vmop-agent
+++ b/dev-example/vmop-agent/vmop-agent
@@ -1,5 +1,8 @@
 #!/usr/bin/bash
 
+# Note that this script requires "jq" to be installed and a version
+# of loginctl that accepts the "-j" option.
+
 while [ "$#" -gt 0 ]; do
   case "$1" in
     --path) shift; ttyPath="$1";;

From 591278a07f77d8f95281182918e3f7efba9c6196 Mon Sep 17 00:00:00 2001
From: Michael Lipp <mnl@mnl.de>
Date: Sat, 8 Mar 2025 05:37:40 +0000
Subject: [PATCH 202/274] Edit README.md

---
 README.md | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/README.md b/README.md
index e6292ec..e9eeb5e 100644
--- a/README.md
+++ b/README.md
@@ -5,8 +5,8 @@
 
 # Run Qemu in Kubernetes Pods
 
-The goal of this project is to provide orgy to use and flexible components
+The goal of this project is to provide simply to use and flexible components
 for running Qemu based VMs in Kubernetes pods.
-vm-ovm
+
 See the [project's home page](https://vm-operator.jdrupes.org/)
 for details.

From ce1a9afec7b875d20e9c7143bab7451093917e52 Mon Sep 17 00:00:00 2001
From: "Michael N. Lipp" <mnl@mnl.de>
Date: Sun, 9 Mar 2025 15:52:35 +0100
Subject: [PATCH 203/274] Fix layout.

---
 webpages/index.md | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/webpages/index.md b/webpages/index.md
index 2f1afaf..aa982b1 100644
--- a/webpages/index.md
+++ b/webpages/index.md
@@ -59,9 +59,8 @@ A second look, however, reveals that Kubernetes has more to offer.
 
   * It has a well defined API for managing resources.
   * It provides access to different kinds of managed storage for the VMs.
-  * Its managing features *are* useful for running the component that
-  
-manages the pods with the VMs.
+  * Its managing features *are* useful for running the component that  
+    manages the pods with the VMs.
 
 And if you use Kubernetes anyway, well then the VMs within Kubernetes
 provide you with a unified view of all (or most of) your workloads,

From 61286a528c7e26d64816a802552016527fef2b05 Mon Sep 17 00:00:00 2001
From: "Michael N. Lipp" <mnl@mnl.de>
Date: Sun, 9 Mar 2025 16:43:19 +0100
Subject: [PATCH 204/274] Add hint.

---
 webpages/_layouts/vm-operator.html |  1 +
 webpages/hints.md                  | 16 ++++++++++++++++
 2 files changed, 17 insertions(+)
 create mode 100644 webpages/hints.md

diff --git a/webpages/_layouts/vm-operator.html b/webpages/_layouts/vm-operator.html
index 88abf8d..b85f650 100644
--- a/webpages/_layouts/vm-operator.html
+++ b/webpages/_layouts/vm-operator.html
@@ -73,6 +73,7 @@
         <li><p class="part-entry"><a href="auto-login.html">Auto Login</a></p></li>
         <li><p class="part-entry"><a href="pools.html">Pools</a></p></li>
         </ul>
+        <p class="part-list-title"><a href="hints.html">Hints</a></p>
         <p class="part-list-title"><a href="upgrading.html">Upgrading</a></p>
         <p class="part-list-title"><a href="https://vm-operator.jdrupes.org/javadoc/index.html">Javadoc</a></p>
 
diff --git a/webpages/hints.md b/webpages/hints.md
new file mode 100644
index 0000000..1f896a4
--- /dev/null
+++ b/webpages/hints.md
@@ -0,0 +1,16 @@
+---
+title: "VM-Operator: Hints — Miscellaneous hints for using VM-Operator"
+layout: vm-operator
+---
+
+# Hints
+
+## Disable suspend and hibernate
+
+Suspend and hibernate are poorly supported in VMs and usually do not
+work as expected. To disable these on systemd based systems, use the
+following command:
+
+```console
+# systemctl mask sleep.target suspend.target hibernate.target hybrid-sleep.target
+```

From 44868464b94d6898458c33f901da49a168022e25 Mon Sep 17 00:00:00 2001
From: "Michael N. Lipp" <mnl@mnl.de>
Date: Sun, 9 Mar 2025 17:07:08 +0100
Subject: [PATCH 205/274] Update title.

---
 webpages/index.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/webpages/index.md b/webpages/index.md
index aa982b1..3c7101e 100644
--- a/webpages/index.md
+++ b/webpages/index.md
@@ -1,5 +1,5 @@
 ---
-title: "Run VMs on Kubernetes using QEMU/KVM and SPICE"
+title: "VM-Operator: Easy to use kubernetes operator for QEM/KVM VMs"
 description: >-
   A solution for running VMs on Kubernetes with a web interface for
   admins and users. Focuses on running QEMU/KVM virtual machines and

From 68a688c4cea71abb8df8d0c3215de4f136be1aae Mon Sep 17 00:00:00 2001
From: "Michael N. Lipp" <mnl@mnl.de>
Date: Wed, 12 Mar 2025 11:56:32 +0100
Subject: [PATCH 206/274] Intermediate state.

---
 dev-example/config.yaml                       |  4 +-
 dev-example/test-vm.tpl.yaml                  | 10 ++-
 .../runner/qemu/DisplayController.java        | 14 ++++
 .../runner/qemu/GuestAgentClient.java         |  2 +-
 .../vmoperator/runner/qemu/QemuConnector.java | 16 ++---
 .../vmoperator/runner/qemu/QemuMonitor.java   | 19 +++--
 .../vmoperator/runner/qemu/Runner.java        | 71 +++++++++++--------
 7 files changed, 83 insertions(+), 53 deletions(-)

diff --git a/dev-example/config.yaml b/dev-example/config.yaml
index 2a72bc8..fc1cee7 100644
--- a/dev-example/config.yaml
+++ b/dev-example/config.yaml
@@ -21,8 +21,8 @@
         # Defaults for namespace (VM domain)
         handlers=java.util.logging.ConsoleHandler
         
-        #org.jgrapes.level=FINE
-        #org.jgrapes.core.handlerTracking.level=FINER
+        org.jgrapes.level=FINE
+        org.jgrapes.core.handlerTracking.level=FINER
         
         org.jdrupes.vmoperator.runner.qemu.level=FINEST
         
diff --git a/dev-example/test-vm.tpl.yaml b/dev-example/test-vm.tpl.yaml
index a6d8825..5e104f8 100644
--- a/dev-example/test-vm.tpl.yaml
+++ b/dev-example/test-vm.tpl.yaml
@@ -8,12 +8,10 @@ metadata:
   
 spec:
   image:
-#    pullPolicy: Always
-#    repository: ghcr.io
-#    path: mnlipp/org.jdrupes.vmoperator.runner.qemu-alpine
-#    version: "3.0.0"
-#    source: docker-registry.lan.mnl.de/vm-operator/org.jdrupes.vmoperator.runner.qemu-arch:feature-auto-login
-    source: registry.mnl.de/org/jdrupes/vm-operator/org.jdrupes.vmoperator.runner.qemu-arch:feature-auto-login
+    source: ghcr.io/mnlipp/org.jdrupes.vmoperator.runner.qemu-arch:3.3.1
+#    source: registry.mnl.de/org/jdrupes/vm-operator/org.jdrupes.vmoperator.runner.qemu-arch:feature-login-pool
+#    source: docker-registry.lan.mnl.de/vmoperator/org.jdrupes.vmoperator.runner.qemu-arch:feature-pools
+#    source: docker-registry.lan.mnl.de/vmoperator/org.jdrupes.vmoperator.runner.qemu-arch:fix-race-condition
     pullPolicy: Always
 
   permissions:
diff --git a/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/DisplayController.java b/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/DisplayController.java
index d301aac..f1b2c53 100644
--- a/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/DisplayController.java
+++ b/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/DisplayController.java
@@ -29,6 +29,7 @@ import org.jdrupes.vmoperator.runner.qemu.commands.QmpSetDisplayPassword;
 import org.jdrupes.vmoperator.runner.qemu.commands.QmpSetPasswordExpiry;
 import org.jdrupes.vmoperator.runner.qemu.events.ConfigureQemu;
 import org.jdrupes.vmoperator.runner.qemu.events.MonitorCommand;
+import org.jdrupes.vmoperator.runner.qemu.events.QmpConfigured;
 import org.jdrupes.vmoperator.runner.qemu.events.RunnerStateChange.RunState;
 import org.jdrupes.vmoperator.runner.qemu.events.VmopAgentConnected;
 import org.jdrupes.vmoperator.runner.qemu.events.VmopAgentLogIn;
@@ -85,6 +86,19 @@ public class DisplayController extends Component {
         }
     }
 
+    /**
+     * When the monitor is ready, send QEMU its initial configuration.  
+     * 
+     * @param event the event
+     */
+    @Handler
+    public void onQmpConfigured(QmpConfigured event) {
+        if (pendingConfig != null) {
+            rep.fire(new ConfigureQemu(pendingConfig, state));
+            pendingConfig = null;
+        }
+    }
+
     /**
      * On vmop agent connected.
      *
diff --git a/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/GuestAgentClient.java b/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/GuestAgentClient.java
index 880ca58..ead7dd7 100644
--- a/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/GuestAgentClient.java
+++ b/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/GuestAgentClient.java
@@ -56,7 +56,7 @@ public class GuestAgentClient extends AgentConnector {
      */
     @Override
     protected void agentConnected() {
-        fire(new GuestAgentCommand(new QmpGuestGetOsinfo()));
+        rep().fire(new GuestAgentCommand(new QmpGuestGetOsinfo()));
     }
 
     /**
diff --git a/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/QemuConnector.java b/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/QemuConnector.java
index 2e94c14..d3ff86e 100644
--- a/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/QemuConnector.java
+++ b/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/QemuConnector.java
@@ -121,7 +121,7 @@ public abstract class QemuConnector extends Component {
             // qemu running, open socket
             fire(new OpenSocketConnection(
                 UnixDomainSocketAddress.of(socketPath))
-                    .setAssociated(getClass(), this));
+                    .setAssociated(this, this));
         }
     }
 
@@ -137,21 +137,21 @@ public abstract class QemuConnector extends Component {
     @Handler
     public void onClientConnected(ClientConnected event,
             SocketIOChannel channel) {
-        event.openEvent().associated(getClass()).ifPresent(qm -> {
+        event.openEvent().associated(this, getClass()).ifPresent(qc -> {
             qemuChannel = channel;
-            channel.setAssociated(getClass(), this);
+            channel.setAssociated(this, this);
             channel.setAssociated(Writer.class, new ByteBufferWriter(
                 channel).nativeCharset());
             channel.setAssociated(LineCollector.class,
                 new LineCollector()
                     .consumer(line -> {
                         try {
-                            processInput(line);
+                            qc.processInput(line);
                         } catch (IOException e) {
                             throw new UndeclaredThrowableException(e);
                         }
                     }));
-            socketConnected();
+            qc.socketConnected();
         });
     }
 
@@ -206,7 +206,7 @@ public abstract class QemuConnector extends Component {
      */
     @Handler
     public void onConnectError(ConnectError event, SocketIOChannel channel) {
-        event.event().associated(getClass()).ifPresent(qm -> {
+        event.event().associated(this, getClass()).ifPresent(qc -> {
             rep.fire(new Stop());
         });
     }
@@ -219,7 +219,7 @@ public abstract class QemuConnector extends Component {
      */
     @Handler
     public void onInput(Input<?> event, SocketIOChannel channel) {
-        if (channel.associated(getClass()).isEmpty()) {
+        if (channel.associated(this, getClass()).isEmpty()) {
             return;
         }
         channel.associated(LineCollector.class).ifPresent(collector -> {
@@ -243,7 +243,7 @@ public abstract class QemuConnector extends Component {
      */
     @Handler
     public void onClosed(Closed<?> event, SocketIOChannel channel) {
-        channel.associated(getClass()).ifPresent(qm -> {
+        channel.associated(this, getClass()).ifPresent(qm -> {
             qemuChannel = null;
         });
     }
diff --git a/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/QemuMonitor.java b/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/QemuMonitor.java
index 1de8f60..4be0aff 100644
--- a/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/QemuMonitor.java
+++ b/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/QemuMonitor.java
@@ -61,6 +61,7 @@ public class QemuMonitor extends QemuConnector {
     private Stop suspendedStop;
     private Timer powerdownTimer;
     private boolean powerdownConfirmed;
+    private boolean monitorReady;
 
     /**
      * Instantiates a new QEMU monitor.
@@ -99,7 +100,7 @@ public class QemuMonitor extends QemuConnector {
      */
     @Override
     protected void socketConnected() {
-        fire(new MonitorCommand(new QmpCapabilities()));
+        rep().fire(new MonitorCommand(new QmpCapabilities()));
     }
 
     @Override
@@ -109,6 +110,7 @@ public class QemuMonitor extends QemuConnector {
         try {
             var response = mapper.readValue(line, ObjectNode.class);
             if (response.has("QMP")) {
+                monitorReady = true;
                 rep().fire(new MonitorReady());
                 return;
             }
@@ -137,8 +139,9 @@ public class QemuMonitor extends QemuConnector {
     @SuppressWarnings({ "PMD.AvoidSynchronizedStatement",
         "PMD.AvoidDuplicateLiterals" })
     public void onClosed(Closed<?> event, SocketIOChannel channel) {
+        logger.finer(() -> "Closing QMP socket.");
         super.onClosed(event, channel);
-        channel.associated(QemuMonitor.class).ifPresent(qm -> {
+        channel.associated(this, getClass()).ifPresent(qm -> {
             synchronized (this) {
                 if (powerdownTimer != null) {
                     powerdownTimer.cancel();
@@ -149,6 +152,7 @@ public class QemuMonitor extends QemuConnector {
                 }
             }
         });
+        logger.finer(() -> "QMP socket closed.");
     }
 
     /**
@@ -158,9 +162,14 @@ public class QemuMonitor extends QemuConnector {
      * @throws IOException 
      */
     @Handler
-    @SuppressWarnings({ "PMD.AvoidLiteralsInIfCondition",
-        "PMD.AvoidSynchronizedStatement" })
-    public void onExecQmpCommand(MonitorCommand event) throws IOException {
+    @SuppressWarnings("PMD.AvoidSynchronizedStatement")
+    public void onMonitorCommand(MonitorCommand event) throws IOException {
+        if (!monitorReady) {
+            logger.severe(() -> "Premature monitor command (not ready): "
+                + event.command());
+            rep().fire(new Stop());
+            return;
+        }
         var command = event.command();
         logger.fine(() -> "monitor(out): " + command.toString());
         String asText;
diff --git a/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/Runner.java b/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/Runner.java
index 01c4127..e3aa70a 100644
--- a/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/Runner.java
+++ b/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/Runner.java
@@ -192,7 +192,7 @@ import org.jgrapes.util.events.WatchFile;
  */
 @SuppressWarnings({ "PMD.ExcessiveImports", "PMD.AvoidPrintStackTrace",
     "PMD.DataflowAnomalyAnalysis", "PMD.TooManyMethods",
-    "PMD.CouplingBetweenObjects", "PMD.TooManyFields" })
+    "PMD.CouplingBetweenObjects", "PMD.TooManyFields", "PMD.GodClass" })
 public class Runner extends Component {
 
     private static final String QEMU = "qemu";
@@ -214,12 +214,14 @@ public class Runner extends Component {
     @SuppressWarnings("PMD.UseConcurrentHashMap")
     private final File configFile;
     private final Path configDir;
-    private Configuration config = new Configuration();
+    private Configuration initialConfig;
+    private Configuration pendingConfig;
     private final freemarker.template.Configuration fmConfig;
     private CommandDefinition swtpmDefinition;
     private CommandDefinition cloudInitImgDefinition;
     private CommandDefinition qemuDefinition;
     private final QemuMonitor qemuMonitor;
+    private boolean qmpConfigured;
     private final GuestAgentClient guestAgentClient;
     private final VmopAgentClient vmopAgentClient;
     private Integer resetCounter;
@@ -318,27 +320,33 @@ public class Runner extends Component {
             // Special actions for initial configuration (startup)
             if (event instanceof InitialConfiguration) {
                 processInitialConfiguration(newConf);
-                return;
             }
-            logger.fine(() -> "Updating configuration");
-            rep.fire(new ConfigureQemu(newConf, state));
+
+            // Check if to be sent immediately or later
+            if (qmpConfigured) {
+                rep.fire(new ConfigureQemu(newConf, state));
+            } else {
+                pendingConfig = newConf;
+            }
         });
     }
 
     @SuppressWarnings("PMD.LambdaCanBeMethodReference")
     private void processInitialConfiguration(Configuration newConfig) {
         try {
-            config = newConfig;
-            if (!config.check()) {
+            if (!newConfig.check()) {
                 // Invalid configuration, not used, problems already logged.
-                config = null;
+                return;
             }
 
             // Prepare firmware files and add to config
-            setFirmwarePaths();
+            setFirmwarePaths(newConfig);
 
             // Obtain more context data from template
-            var tplData = dataFromTemplate();
+            var tplData = dataFromTemplate(newConfig);
+            initialConfig = newConfig;
+
+            // Configure
             swtpmDefinition = Optional.ofNullable(tplData.get(SWTPM))
                 .map(d -> new CommandDefinition(SWTPM, d)).orElse(null);
             logger.finest(() -> swtpmDefinition.toString());
@@ -352,21 +360,19 @@ public class Runner extends Component {
             logger.finest(() -> cloudInitImgDefinition.toString());
 
             // Forward some values to child components
-            qemuMonitor.configure(config.monitorSocket,
-                config.vm.powerdownTimeout);
+            qemuMonitor.configure(initialConfig.monitorSocket,
+                initialConfig.vm.powerdownTimeout);
             configureAgentClient(guestAgentClient, "guest-agent-socket");
             configureAgentClient(vmopAgentClient, "vmop-agent-socket");
         } catch (IllegalArgumentException | IOException | TemplateException e) {
             logger.log(Level.SEVERE, e, () -> "Invalid configuration: "
                 + e.getMessage());
-            // Don't use default configuration
-            config = null;
         }
     }
 
     @SuppressWarnings({ "PMD.CognitiveComplexity",
         "PMD.DataflowAnomalyAnalysis" })
-    private void setFirmwarePaths() throws IOException {
+    private void setFirmwarePaths(Configuration config) throws IOException {
         JsonNode firmware = defaults.path("firmware").path(config.vm.firmware);
         // Get file for firmware ROM
         JsonNode codePaths = firmware.path("rom");
@@ -396,7 +402,7 @@ public class Runner extends Component {
         }
     }
 
-    private JsonNode dataFromTemplate()
+    private JsonNode dataFromTemplate(Configuration config)
             throws IOException, TemplateNotFoundException,
             MalformedTemplateNameException, ParseException, TemplateException,
             JsonProcessingException, JsonMappingException {
@@ -442,7 +448,7 @@ public class Runner extends Component {
      */
     @Handler(priority = 100)
     public void onStart(Start event) {
-        if (config == null) {
+        if (initialConfig == null) {
             // Missing configuration, fail
             event.cancel(true);
             fire(new Stop());
@@ -458,19 +464,19 @@ public class Runner extends Component {
         try {
             // Store process id
             try (var pidFile = Files.newBufferedWriter(
-                config.runtimeDir.resolve("runner.pid"))) {
+                initialConfig.runtimeDir.resolve("runner.pid"))) {
                 pidFile.write(ProcessHandle.current().pid() + "\n");
             }
 
             // Files to watch for
-            Files.deleteIfExists(config.swtpmSocket);
-            fire(new WatchFile(config.swtpmSocket));
+            Files.deleteIfExists(initialConfig.swtpmSocket);
+            fire(new WatchFile(initialConfig.swtpmSocket));
 
             // Helper files
-            var ticket = Optional.ofNullable(config.vm.display)
+            var ticket = Optional.ofNullable(initialConfig.vm.display)
                 .map(d -> d.spice).map(s -> s.ticket);
             if (ticket.isPresent()) {
-                Files.write(config.runtimeDir.resolve("ticket.txt"),
+                Files.write(initialConfig.runtimeDir.resolve("ticket.txt"),
                     ticket.get().getBytes());
             }
         } catch (IOException e) {
@@ -522,12 +528,12 @@ public class Runner extends Component {
             "Runner has been started"));
         // Start first process(es)
         qemuLatch.add(QemuPreps.Config);
-        if (config.vm.useTpm && swtpmDefinition != null) {
+        if (initialConfig.vm.useTpm && swtpmDefinition != null) {
             startProcess(swtpmDefinition);
             qemuLatch.add(QemuPreps.Tpm);
         }
-        if (config.cloudInit != null) {
-            generateCloudInitImg();
+        if (initialConfig.cloudInit != null) {
+            generateCloudInitImg(initialConfig);
             qemuLatch.add(QemuPreps.CloudInit);
         }
         mayBeStartQemu(QemuPreps.Config);
@@ -546,7 +552,7 @@ public class Runner extends Component {
         }
     }
 
-    private void generateCloudInitImg() {
+    private void generateCloudInitImg(Configuration config) {
         try {
             var cloudInitDir = config.dataDir.resolve("cloud-init");
             cloudInitDir.toFile().mkdir();
@@ -583,7 +589,7 @@ public class Runner extends Component {
     private boolean startProcess(CommandDefinition toStart) {
         logger.info(
             () -> "Starting process: " + String.join(" ", toStart.command));
-        fire(new StartProcess(toStart.command)
+        rep.fire(new StartProcess(toStart.command)
             .setAssociated(CommandDefinition.class, toStart));
         return true;
     }
@@ -597,7 +603,7 @@ public class Runner extends Component {
     @Handler
     public void onFileChanged(FileChanged event) {
         if (event.change() == Kind.CREATED
-            && event.path().equals(config.swtpmSocket)) {
+            && event.path().equals(initialConfig.swtpmSocket)) {
             // swtpm running, maybe start qemu
             mayBeStartQemu(QemuPreps.Tpm);
         }
@@ -620,7 +626,7 @@ public class Runner extends Component {
             .ifPresent(procDef -> {
                 channel.setAssociated(CommandDefinition.class, procDef);
                 try (var pidFile = Files.newBufferedWriter(
-                    config.runtimeDir.resolve(procDef.name + ".pid"))) {
+                    initialConfig.runtimeDir.resolve(procDef.name + ".pid"))) {
                     pidFile.write(channel.process().toHandle().pid() + "\n");
                 } catch (IOException e) {
                     throw new UndeclaredThrowableException(e);
@@ -659,7 +665,10 @@ public class Runner extends Component {
      */
     @Handler
     public void onQmpConfigured(QmpConfigured event) {
-        rep.fire(new ConfigureQemu(config, state));
+        if (pendingConfig != null) {
+            rep.fire(new ConfigureQemu(pendingConfig, state));
+            pendingConfig = null;
+        }
     }
 
     /**
@@ -791,7 +800,7 @@ public class Runner extends Component {
             logger.log(Level.WARNING, e, () -> "Proper shutdown failed.");
         }
 
-        Optional.ofNullable(config).map(c -> c.runtimeDir)
+        Optional.ofNullable(initialConfig).map(c -> c.runtimeDir)
             .ifPresent(runtimeDir -> {
                 try {
                     Files.walk(runtimeDir).sorted(Comparator.reverseOrder())

From 19968ab73e70ec7f8e8c6e6e1e74a2896cb99291 Mon Sep 17 00:00:00 2001
From: "Michael N. Lipp" <mnl@mnl.de>
Date: Wed, 12 Mar 2025 15:04:03 +0100
Subject: [PATCH 207/274] Move code to agent.

---
 .../runner/qemu/AgentConnector.java           | 33 ++++++++++++++--
 .../vmoperator/runner/qemu/Runner.java        | 38 +++----------------
 2 files changed, 34 insertions(+), 37 deletions(-)

diff --git a/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/AgentConnector.java b/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/AgentConnector.java
index 40db84a..3320a04 100644
--- a/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/AgentConnector.java
+++ b/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/AgentConnector.java
@@ -20,6 +20,7 @@ package org.jdrupes.vmoperator.runner.qemu;
 
 import java.io.IOException;
 import java.nio.file.Path;
+import java.util.List;
 import org.jdrupes.vmoperator.runner.qemu.events.VserportChangeEvent;
 import org.jgrapes.core.Channel;
 import org.jgrapes.core.annotation.Handler;
@@ -52,12 +53,36 @@ public abstract class AgentConnector extends QemuConnector {
      * for the {@link ConfigurationUpdate} event. The values are 
      * forwarded from the {@link Runner} instead.
      *
-     * @param channelId the channel id
-     * @param socketPath the socket path
+     * @param command the command
+     * @param chardev the chardev
      */
-    /* default */ void configure(String channelId, Path socketPath) {
+    @SuppressWarnings("PMD.CognitiveComplexity")
+    protected void configure(List<String> command, String chardev) {
+        Path socketPath = null;
+        for (var arg : command) {
+            if (arg.startsWith("virtserialport,")
+                && arg.contains("chardev=" + chardev)) {
+                for (var prop : arg.split(",")) {
+                    if (prop.startsWith("id=")) {
+                        channelId = prop.substring(3);
+                    }
+                }
+            }
+            if (arg.startsWith("socket,")
+                && arg.contains("id=" + chardev)) {
+                for (var prop : arg.split(",")) {
+                    if (prop.startsWith("path=")) {
+                        socketPath = Path.of(prop.substring(5));
+                    }
+                }
+            }
+        }
+        if (channelId == null || socketPath == null) {
+            logger.warning(() -> "Definition of chardev " + chardev
+                + " missing in runner template.");
+            return;
+        }
         super.configure(socketPath);
-        this.channelId = channelId;
         logger.fine(() -> getClass().getSimpleName() + " configured with"
             + " channelId=" + channelId);
     }
diff --git a/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/Runner.java b/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/Runner.java
index e3aa70a..8aa2b7c 100644
--- a/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/Runner.java
+++ b/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/Runner.java
@@ -192,7 +192,7 @@ import org.jgrapes.util.events.WatchFile;
  */
 @SuppressWarnings({ "PMD.ExcessiveImports", "PMD.AvoidPrintStackTrace",
     "PMD.DataflowAnomalyAnalysis", "PMD.TooManyMethods",
-    "PMD.CouplingBetweenObjects", "PMD.TooManyFields", "PMD.GodClass" })
+    "PMD.CouplingBetweenObjects", "PMD.TooManyFields" })
 public class Runner extends Component {
 
     private static final String QEMU = "qemu";
@@ -362,8 +362,10 @@ public class Runner extends Component {
             // Forward some values to child components
             qemuMonitor.configure(initialConfig.monitorSocket,
                 initialConfig.vm.powerdownTimeout);
-            configureAgentClient(guestAgentClient, "guest-agent-socket");
-            configureAgentClient(vmopAgentClient, "vmop-agent-socket");
+            guestAgentClient.configure(qemuDefinition.command,
+                "guest-agent-socket");
+            vmopAgentClient.configure(qemuDefinition.command,
+                "vmop-agent-socket");
         } catch (IllegalArgumentException | IOException | TemplateException e) {
             logger.log(Level.SEVERE, e, () -> "Invalid configuration: "
                 + e.getMessage());
@@ -486,36 +488,6 @@ public class Runner extends Component {
         }
     }
 
-    @SuppressWarnings("PMD.CognitiveComplexity")
-    private void configureAgentClient(AgentConnector client, String chardev) {
-        String id = null;
-        Path path = null;
-        for (var arg : qemuDefinition.command) {
-            if (arg.startsWith("virtserialport,")
-                && arg.contains("chardev=" + chardev)) {
-                for (var prop : arg.split(",")) {
-                    if (prop.startsWith("id=")) {
-                        id = prop.substring(3);
-                    }
-                }
-            }
-            if (arg.startsWith("socket,")
-                && arg.contains("id=" + chardev)) {
-                for (var prop : arg.split(",")) {
-                    if (prop.startsWith("path=")) {
-                        path = Path.of(prop.substring(5));
-                    }
-                }
-            }
-        }
-        if (id == null || path == null) {
-            logger.warning(() -> "Definition of chardev " + chardev
-                + " missing in runner template.");
-            return;
-        }
-        client.configure(id, path);
-    }
-
     /**
      * Handle the started event.
      *

From 5d0c6c64232bc3756f0c3b88f3dd8ea1947b37c9 Mon Sep 17 00:00:00 2001
From: "Michael N. Lipp" <mnl@mnl.de>
Date: Wed, 12 Mar 2025 17:22:46 +0100
Subject: [PATCH 208/274] Fix startup.

---
 .../runner/qemu/AgentConnector.java           | 11 ++----
 .../runner/qemu/DisplayController.java        | 19 ++--------
 .../vmoperator/runner/qemu/QemuConnector.java |  3 +-
 .../vmoperator/runner/qemu/QemuMonitor.java   |  5 ++-
 .../vmoperator/runner/qemu/Runner.java        | 37 +++++++++++--------
 5 files changed, 34 insertions(+), 41 deletions(-)

diff --git a/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/AgentConnector.java b/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/AgentConnector.java
index 3320a04..11b840c 100644
--- a/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/AgentConnector.java
+++ b/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/AgentConnector.java
@@ -24,7 +24,6 @@ import java.util.List;
 import org.jdrupes.vmoperator.runner.qemu.events.VserportChangeEvent;
 import org.jgrapes.core.Channel;
 import org.jgrapes.core.annotation.Handler;
-import org.jgrapes.util.events.ConfigurationUpdate;
 
 /**
  * A component that handles the communication with an agent
@@ -48,16 +47,14 @@ public abstract class AgentConnector extends QemuConnector {
     }
 
     /**
-     * As the initial configuration of this component depends on the 
-     * configuration of the {@link Runner}, it doesn't have a handler 
-     * for the {@link ConfigurationUpdate} event. The values are 
-     * forwarded from the {@link Runner} instead.
+     * Extracts the channel id and the socket path from the QEMU
+     * command line.
      *
      * @param command the command
      * @param chardev the chardev
      */
     @SuppressWarnings("PMD.CognitiveComplexity")
-    protected void configure(List<String> command, String chardev) {
+    protected void configureConnection(List<String> command, String chardev) {
         Path socketPath = null;
         for (var arg : command) {
             if (arg.startsWith("virtserialport,")
@@ -82,9 +79,9 @@ public abstract class AgentConnector extends QemuConnector {
                 + " missing in runner template.");
             return;
         }
-        super.configure(socketPath);
         logger.fine(() -> getClass().getSimpleName() + " configured with"
             + " channelId=" + channelId);
+        super.configure(socketPath);
     }
 
     /**
diff --git a/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/DisplayController.java b/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/DisplayController.java
index f1b2c53..e0d0a89 100644
--- a/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/DisplayController.java
+++ b/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/DisplayController.java
@@ -29,7 +29,6 @@ import org.jdrupes.vmoperator.runner.qemu.commands.QmpSetDisplayPassword;
 import org.jdrupes.vmoperator.runner.qemu.commands.QmpSetPasswordExpiry;
 import org.jdrupes.vmoperator.runner.qemu.events.ConfigureQemu;
 import org.jdrupes.vmoperator.runner.qemu.events.MonitorCommand;
-import org.jdrupes.vmoperator.runner.qemu.events.QmpConfigured;
 import org.jdrupes.vmoperator.runner.qemu.events.RunnerStateChange.RunState;
 import org.jdrupes.vmoperator.runner.qemu.events.VmopAgentConnected;
 import org.jdrupes.vmoperator.runner.qemu.events.VmopAgentLogIn;
@@ -50,6 +49,7 @@ public class DisplayController extends Component {
     private String currentPassword;
     private String protocol;
     private final Path configDir;
+    private boolean canBeUpdated;
     private boolean vmopAgentConnected;
     private String loggedInUser;
 
@@ -84,19 +84,7 @@ public class DisplayController extends Component {
         if (event.runState() == RunState.STARTING) {
             configurePassword();
         }
-    }
-
-    /**
-     * When the monitor is ready, send QEMU its initial configuration.  
-     * 
-     * @param event the event
-     */
-    @Handler
-    public void onQmpConfigured(QmpConfigured event) {
-        if (pendingConfig != null) {
-            rep.fire(new ConfigureQemu(pendingConfig, state));
-            pendingConfig = null;
-        }
+        canBeUpdated = true;
     }
 
     /**
@@ -128,7 +116,8 @@ public class DisplayController extends Component {
     @Handler
     @SuppressWarnings("PMD.EmptyCatchBlock")
     public void onFileChanged(FileChanged event) {
-        if (event.path().equals(configDir.resolve(DisplaySecret.PASSWORD))) {
+        if (event.path().equals(configDir.resolve(DisplaySecret.PASSWORD))
+            && canBeUpdated) {
             configurePassword();
         }
     }
diff --git a/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/QemuConnector.java b/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/QemuConnector.java
index d3ff86e..2e1dbfa 100644
--- a/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/QemuConnector.java
+++ b/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/QemuConnector.java
@@ -202,10 +202,9 @@ public abstract class QemuConnector extends Component {
      * Called when a connection attempt fails.
      *
      * @param event the event
-     * @param channel the channel
      */
     @Handler
-    public void onConnectError(ConnectError event, SocketIOChannel channel) {
+    public void onConnectError(ConnectError event) {
         event.event().associated(this, getClass()).ifPresent(qc -> {
             rep.fire(new Stop());
         });
diff --git a/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/QemuMonitor.java b/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/QemuMonitor.java
index 4be0aff..21c3a0f 100644
--- a/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/QemuMonitor.java
+++ b/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/QemuMonitor.java
@@ -164,12 +164,15 @@ public class QemuMonitor extends QemuConnector {
     @Handler
     @SuppressWarnings("PMD.AvoidSynchronizedStatement")
     public void onMonitorCommand(MonitorCommand event) throws IOException {
-        if (!monitorReady) {
+        // Check prerequisites
+        if (!monitorReady && !(event.command() instanceof QmpCapabilities)) {
             logger.severe(() -> "Premature monitor command (not ready): "
                 + event.command());
             rep().fire(new Stop());
             return;
         }
+
+        // Send the command
         var command = event.command();
         logger.fine(() -> "monitor(out): " + command.toString());
         String asText;
diff --git a/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/Runner.java b/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/Runner.java
index 8aa2b7c..6c69191 100644
--- a/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/Runner.java
+++ b/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/Runner.java
@@ -303,7 +303,10 @@ public class Runner extends Component {
     }
 
     /**
-     * On configuration update.
+     * Process the initial configuration. The initial configuration
+     * and any subsequent updates will be forwarded to other components
+     * only when the QMP connection is ready
+     * (see @link #onQmpConfigured(QmpConfigured)).
      *
      * @param event the event
      */
@@ -362,9 +365,9 @@ public class Runner extends Component {
             // Forward some values to child components
             qemuMonitor.configure(initialConfig.monitorSocket,
                 initialConfig.vm.powerdownTimeout);
-            guestAgentClient.configure(qemuDefinition.command,
+            guestAgentClient.configureConnection(qemuDefinition.command,
                 "guest-agent-socket");
-            vmopAgentClient.configure(qemuDefinition.command,
+            vmopAgentClient.configureConnection(qemuDefinition.command,
                 "vmop-agent-socket");
         } catch (IllegalArgumentException | IOException | TemplateException e) {
             logger.log(Level.SEVERE, e, () -> "Invalid configuration: "
@@ -443,6 +446,21 @@ public class Runner extends Component {
         return yamlMapper.readValue(out.toString(), JsonNode.class);
     }
 
+    /**
+     * Note ready state and send a {@link ConfigureQemu} event for
+     * any pending configuration (initial or change).  
+     * 
+     * @param event the event
+     */
+    @Handler
+    public void onQmpConfigured(QmpConfigured event) {
+        qmpConfigured = true;
+        if (pendingConfig != null) {
+            rep.fire(new ConfigureQemu(pendingConfig, state));
+            pendingConfig = null;
+        }
+    }
+
     /**
      * Handle the start event.
      *
@@ -630,19 +648,6 @@ public class Runner extends Component {
                 .ifPresent(lc -> lc.feed(event)));
     }
 
-    /**
-     * When the monitor is ready, send QEMU its initial configuration.  
-     * 
-     * @param event the event
-     */
-    @Handler
-    public void onQmpConfigured(QmpConfigured event) {
-        if (pendingConfig != null) {
-            rep.fire(new ConfigureQemu(pendingConfig, state));
-            pendingConfig = null;
-        }
-    }
-
     /**
      * Whenever a new QEMU configuration is available, check if it
      * is supposed to trigger a reset.

From 46f079504c4e950f1b0df1ed4893217d07bd7319 Mon Sep 17 00:00:00 2001
From: "Michael N. Lipp" <mnl@mnl.de>
Date: Wed, 12 Mar 2025 17:40:58 +0100
Subject: [PATCH 209/274] Update.

---
 dev-example/test-vm.tpl.yaml | 11 +++++------
 1 file changed, 5 insertions(+), 6 deletions(-)

diff --git a/dev-example/test-vm.tpl.yaml b/dev-example/test-vm.tpl.yaml
index 5e104f8..12057f9 100644
--- a/dev-example/test-vm.tpl.yaml
+++ b/dev-example/test-vm.tpl.yaml
@@ -8,10 +8,9 @@ metadata:
   
 spec:
   image:
-    source: ghcr.io/mnlipp/org.jdrupes.vmoperator.runner.qemu-arch:3.3.1
-#    source: registry.mnl.de/org/jdrupes/vm-operator/org.jdrupes.vmoperator.runner.qemu-arch:feature-login-pool
-#    source: docker-registry.lan.mnl.de/vmoperator/org.jdrupes.vmoperator.runner.qemu-arch:feature-pools
-#    source: docker-registry.lan.mnl.de/vmoperator/org.jdrupes.vmoperator.runner.qemu-arch:fix-race-condition
+#    source: ghcr.io/mnlipp/org.jdrupes.vmoperator.runner.qemu-arch:3.3.1
+#    source: registry.mnl.de/org/jdrupes/vm-operator/org.jdrupes.vmoperator.runner.qemu-arch:testing
+    source: docker-registry.lan.mnl.de/vmoperator/org.jdrupes.vmoperator.runner.qemu-arch:feature-pools
     pullPolicy: Always
 
   permissions:
@@ -32,8 +31,8 @@ spec:
     bootMenu: true
     maximumCpus: 4
     currentCpus: 2
-    maximumRam: 4Gi
-    currentRam: 3Gi
+    maximumRam: 6Gi
+    currentRam: 4Gi
   
     networks:
     # No bridge on TC1

From 36877666f38c0a7f93a14963a5e7045c50bd67bf Mon Sep 17 00:00:00 2001
From: "Michael N. Lipp" <mnl@mnl.de>
Date: Wed, 12 Mar 2025 20:59:36 +0100
Subject: [PATCH 210/274] No QMP poweroff if QMP not available.

---
 .../vmoperator/runner/qemu/QemuMonitor.java   | 51 ++++++++++---------
 1 file changed, 28 insertions(+), 23 deletions(-)

diff --git a/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/QemuMonitor.java b/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/QemuMonitor.java
index 21c3a0f..9f6e48e 100644
--- a/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/QemuMonitor.java
+++ b/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/QemuMonitor.java
@@ -199,28 +199,31 @@ public class QemuMonitor extends QemuConnector {
     @Handler(priority = 100)
     @SuppressWarnings("PMD.AvoidSynchronizedStatement")
     public void onStop(Stop event) {
-        if (qemuChannel() != null) {
-            // We have a connection to Qemu, attempt ACPI shutdown.
-            event.suspendHandling();
-            suspendedStop = event;
-
-            // Attempt powerdown command. If not confirmed, assume
-            // "hanging" qemu process.
-            powerdownTimer = Components.schedule(t -> {
-                // Powerdown not confirmed
-                logger.fine(() -> "QMP powerdown command has not effect.");
-                synchronized (this) {
-                    powerdownTimer = null;
-                    if (suspendedStop != null) {
-                        suspendedStop.resumeHandling();
-                        suspendedStop = null;
-                    }
-                }
-            }, Duration.ofSeconds(1));
-            logger.fine(() -> "Attempting QMP powerdown.");
-            powerdownStartedAt = Instant.now();
-            fire(new MonitorCommand(new QmpPowerdown()));
+        if (!monitorReady) {
+            logger.fine(() -> "No QMP connection,"
+                + " cannot send powerdown command");
+            return;
         }
+        // We have a connection to Qemu, attempt ACPI shutdown.
+        event.suspendHandling();
+        suspendedStop = event;
+
+        // Attempt powerdown command. If not confirmed, assume
+        // "hanging" qemu process.
+        powerdownTimer = Components.schedule(t -> {
+            // Powerdown not confirmed
+            logger.fine(() -> "QMP powerdown command not confirmed");
+            synchronized (this) {
+                powerdownTimer = null;
+                if (suspendedStop != null) {
+                    suspendedStop.resumeHandling();
+                    suspendedStop = null;
+                }
+            }
+        }, Duration.ofSeconds(1));
+        logger.fine(() -> "Attempting QMP powerdown.");
+        powerdownStartedAt = Instant.now();
+        fire(new MonitorCommand(new QmpPowerdown()));
     }
 
     /**
@@ -238,7 +241,9 @@ public class QemuMonitor extends QemuConnector {
             }
 
             // (Re-)schedule timer as fallback
-            logger.fine(() -> "QMP powerdown confirmed, waiting...");
+            var waitUntil = powerdownStartedAt.plusSeconds(powerdownTimeout);
+            logger.fine(() -> "QMP powerdown confirmed, waiting for"
+                + " termination until " + waitUntil);
             powerdownTimer = Components.schedule(t -> {
                 logger.fine(() -> "Powerdown timeout reached.");
                 synchronized (this) {
@@ -247,7 +252,7 @@ public class QemuMonitor extends QemuConnector {
                         suspendedStop = null;
                     }
                 }
-            }, powerdownStartedAt.plusSeconds(powerdownTimeout));
+            }, waitUntil);
             powerdownConfirmed = true;
         }
     }

From 2a33f468f2d99f614c60237dcaccf4531965162e Mon Sep 17 00:00:00 2001
From: "Michael N. Lipp" <mnl@mnl.de>
Date: Wed, 12 Mar 2025 21:46:46 +0100
Subject: [PATCH 211/274] Track connection closing.

---
 .../src/org/jdrupes/vmoperator/runner/qemu/QemuMonitor.java    | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/QemuMonitor.java b/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/QemuMonitor.java
index 9f6e48e..75310f8 100644
--- a/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/QemuMonitor.java
+++ b/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/QemuMonitor.java
@@ -139,8 +139,9 @@ public class QemuMonitor extends QemuConnector {
     @SuppressWarnings({ "PMD.AvoidSynchronizedStatement",
         "PMD.AvoidDuplicateLiterals" })
     public void onClosed(Closed<?> event, SocketIOChannel channel) {
-        logger.finer(() -> "Closing QMP socket.");
         super.onClosed(event, channel);
+        logger.finer(() -> "QMP socket closed.");
+        monitorReady = false;
         channel.associated(this, getClass()).ifPresent(qm -> {
             synchronized (this) {
                 if (powerdownTimer != null) {

From ecb43db83e8e71501262ccb063a3e527a38f8803 Mon Sep 17 00:00:00 2001
From: "Michael N. Lipp" <mnl@mnl.de>
Date: Wed, 12 Mar 2025 21:48:18 +0100
Subject: [PATCH 212/274] Test configuration.

---
 dev-example/test-vm.tpl.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/dev-example/test-vm.tpl.yaml b/dev-example/test-vm.tpl.yaml
index 12057f9..18709f7 100644
--- a/dev-example/test-vm.tpl.yaml
+++ b/dev-example/test-vm.tpl.yaml
@@ -10,7 +10,7 @@ spec:
   image:
 #    source: ghcr.io/mnlipp/org.jdrupes.vmoperator.runner.qemu-arch:3.3.1
 #    source: registry.mnl.de/org/jdrupes/vm-operator/org.jdrupes.vmoperator.runner.qemu-arch:testing
-    source: docker-registry.lan.mnl.de/vmoperator/org.jdrupes.vmoperator.runner.qemu-arch:feature-pools
+    source: docker-registry.lan.mnl.de/vmoperator/org.jdrupes.vmoperator.runner.qemu-arch:fix-runner-poweroff
     pullPolicy: Always
 
   permissions:

From f493a2c582fa77a33d5fb7269bfa379f7b3a2c8b Mon Sep 17 00:00:00 2001
From: "Michael N. Lipp" <mnl@mnl.de>
Date: Thu, 13 Mar 2025 10:25:32 +0100
Subject: [PATCH 213/274] Use process exit as termination confirmation.

---
 dev-example/config.yaml                       |  4 +-
 .../vmoperator/runner/qemu/QemuConnector.java |  2 +-
 .../vmoperator/runner/qemu/QemuMonitor.java   | 49 ++++++++++++-------
 .../vmoperator/runner/qemu/Runner.java        |  6 +--
 4 files changed, 38 insertions(+), 23 deletions(-)

diff --git a/dev-example/config.yaml b/dev-example/config.yaml
index 2a72bc8..fc1cee7 100644
--- a/dev-example/config.yaml
+++ b/dev-example/config.yaml
@@ -21,8 +21,8 @@
         # Defaults for namespace (VM domain)
         handlers=java.util.logging.ConsoleHandler
         
-        #org.jgrapes.level=FINE
-        #org.jgrapes.core.handlerTracking.level=FINER
+        org.jgrapes.level=FINE
+        org.jgrapes.core.handlerTracking.level=FINER
         
         org.jdrupes.vmoperator.runner.qemu.level=FINEST
         
diff --git a/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/QemuConnector.java b/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/QemuConnector.java
index 2e1dbfa..777478e 100644
--- a/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/QemuConnector.java
+++ b/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/QemuConnector.java
@@ -242,7 +242,7 @@ public abstract class QemuConnector extends Component {
      */
     @Handler
     public void onClosed(Closed<?> event, SocketIOChannel channel) {
-        channel.associated(this, getClass()).ifPresent(qm -> {
+        channel.associated(this, getClass()).ifPresent(qc -> {
             qemuChannel = null;
         });
     }
diff --git a/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/QemuMonitor.java b/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/QemuMonitor.java
index 75310f8..3b229b5 100644
--- a/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/QemuMonitor.java
+++ b/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/QemuMonitor.java
@@ -42,6 +42,7 @@ import org.jgrapes.core.Components.Timer;
 import org.jgrapes.core.annotation.Handler;
 import org.jgrapes.core.events.Stop;
 import org.jgrapes.io.events.Closed;
+import org.jgrapes.io.events.ProcessExited;
 import org.jgrapes.net.SocketIOChannel;
 import org.jgrapes.util.events.ConfigurationUpdate;
 
@@ -136,24 +137,12 @@ public class QemuMonitor extends QemuConnector {
      * @param event the event
      */
     @Handler
-    @SuppressWarnings({ "PMD.AvoidSynchronizedStatement",
-        "PMD.AvoidDuplicateLiterals" })
     public void onClosed(Closed<?> event, SocketIOChannel channel) {
-        super.onClosed(event, channel);
-        logger.finer(() -> "QMP socket closed.");
-        monitorReady = false;
         channel.associated(this, getClass()).ifPresent(qm -> {
-            synchronized (this) {
-                if (powerdownTimer != null) {
-                    powerdownTimer.cancel();
-                }
-                if (suspendedStop != null) {
-                    suspendedStop.resumeHandling();
-                    suspendedStop = null;
-                }
-            }
+            super.onClosed(event, channel);
+            logger.finer(() -> "QMP socket closed.");
+            monitorReady = false;
         });
-        logger.finer(() -> "QMP socket closed.");
     }
 
     /**
@@ -163,7 +152,8 @@ public class QemuMonitor extends QemuConnector {
      * @throws IOException 
      */
     @Handler
-    @SuppressWarnings("PMD.AvoidSynchronizedStatement")
+    @SuppressWarnings({ "PMD.AvoidSynchronizedStatement",
+        "PMD.AvoidDuplicateLiterals" })
     public void onMonitorCommand(MonitorCommand event) throws IOException {
         // Check prerequisites
         if (!monitorReady && !(event.command() instanceof QmpCapabilities)) {
@@ -228,7 +218,9 @@ public class QemuMonitor extends QemuConnector {
     }
 
     /**
-     * On powerdown event.
+     * When the powerdown event is confirmed, wait for termination
+     * or timeout. Termination is detected by the qemu process exiting
+     * (see {@link #onProcessExited(ProcessExited)}).
      *
      * @param event the event
      */
@@ -258,6 +250,29 @@ public class QemuMonitor extends QemuConnector {
         }
     }
 
+    /**
+     * On process exited.
+     *
+     * @param event the event
+     */
+    @Handler
+    @SuppressWarnings("PMD.AvoidSynchronizedStatement")
+    public void onProcessExited(ProcessExited event) {
+        if (!event.startedBy().associated(CommandDefinition.class)
+            .map(cd -> Runner.QEMU.equals(cd.name())).orElse(false)) {
+            return;
+        }
+        synchronized (this) {
+            if (powerdownTimer != null) {
+                powerdownTimer.cancel();
+            }
+            if (suspendedStop != null) {
+                suspendedStop.resumeHandling();
+                suspendedStop = null;
+            }
+        }
+    }
+
     /**
      * On configure qemu.
      *
diff --git a/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/Runner.java b/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/Runner.java
index 6c69191..1bbf597 100644
--- a/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/Runner.java
+++ b/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/Runner.java
@@ -195,9 +195,9 @@ import org.jgrapes.util.events.WatchFile;
     "PMD.CouplingBetweenObjects", "PMD.TooManyFields" })
 public class Runner extends Component {
 
-    private static final String QEMU = "qemu";
-    private static final String SWTPM = "swtpm";
-    private static final String CLOUD_INIT_IMG = "cloudInitImg";
+    public static final String QEMU = "qemu";
+    public static final String SWTPM = "swtpm";
+    public static final String CLOUD_INIT_IMG = "cloudInitImg";
     private static final String TEMPLATE_DIR
         = "/opt/" + APP_NAME.replace("-", "") + "/templates";
     private static final String DEFAULT_TEMPLATE

From d637cb2c72ff13be5072231194ee1e2ccf4d018a Mon Sep 17 00:00:00 2001
From: "Michael N. Lipp" <mnl@mnl.de>
Date: Thu, 13 Mar 2025 10:34:36 +0100
Subject: [PATCH 214/274] Move constants to separate class.

---
 .../vmoperator/runner/qemu/Constants.java     | 42 +++++++++++++++++++
 .../vmoperator/runner/qemu/QemuMonitor.java   |  3 +-
 .../vmoperator/runner/qemu/Runner.java        | 22 +++++-----
 3 files changed, 56 insertions(+), 11 deletions(-)
 create mode 100644 org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/Constants.java

diff --git a/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/Constants.java b/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/Constants.java
new file mode 100644
index 0000000..ca88f0b
--- /dev/null
+++ b/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/Constants.java
@@ -0,0 +1,42 @@
+/*
+ * VM-Operator
+ * Copyright (C) 2023 Michael N. Lipp
+ * 
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as
+ * published by the Free Software Foundation, either version 3 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program.  If not, see <https://www.gnu.org/licenses/>.
+ */
+
+package org.jdrupes.vmoperator.runner.qemu;
+
+/**
+ * Some constants.
+ */
+@SuppressWarnings("PMD.DataClass")
+public class Constants extends org.jdrupes.vmoperator.common.Constants {
+
+    /**
+     * Process names.
+     */
+    public static class ProcessName {
+
+        /** The Constant QEMU. */
+        public static final String QEMU = "qemu";
+
+        /** The Constant SWTPM. */
+        public static final String SWTPM = "swtpm";
+
+        /** The Constant CLOUD_INIT_IMG. */
+        public static final String CLOUD_INIT_IMG = "cloudInitImg";
+    }
+
+}
diff --git a/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/QemuMonitor.java b/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/QemuMonitor.java
index 3b229b5..67011e0 100644
--- a/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/QemuMonitor.java
+++ b/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/QemuMonitor.java
@@ -27,6 +27,7 @@ import java.time.Instant;
 import java.util.LinkedList;
 import java.util.Queue;
 import java.util.logging.Level;
+import org.jdrupes.vmoperator.runner.qemu.Constants.ProcessName;
 import org.jdrupes.vmoperator.runner.qemu.commands.QmpCapabilities;
 import org.jdrupes.vmoperator.runner.qemu.commands.QmpCommand;
 import org.jdrupes.vmoperator.runner.qemu.commands.QmpPowerdown;
@@ -259,7 +260,7 @@ public class QemuMonitor extends QemuConnector {
     @SuppressWarnings("PMD.AvoidSynchronizedStatement")
     public void onProcessExited(ProcessExited event) {
         if (!event.startedBy().associated(CommandDefinition.class)
-            .map(cd -> Runner.QEMU.equals(cd.name())).orElse(false)) {
+            .map(cd -> ProcessName.QEMU.equals(cd.name())).orElse(false)) {
             return;
         }
         synchronized (this) {
diff --git a/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/Runner.java b/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/Runner.java
index 1bbf597..f3219ba 100644
--- a/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/Runner.java
+++ b/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/Runner.java
@@ -1,6 +1,6 @@
 /*
  * VM-Operator
- * Copyright (C) 2023,2024 Michael N. Lipp
+ * Copyright (C) 2023,2025 Michael N. Lipp
  * 
  * This program is free software: you can redistribute it and/or modify
  * it under the terms of the GNU Affero General Public License as
@@ -57,6 +57,7 @@ import org.apache.commons.cli.Option;
 import org.apache.commons.cli.Options;
 import static org.jdrupes.vmoperator.common.Constants.APP_NAME;
 import org.jdrupes.vmoperator.common.Constants.DisplaySecret;
+import org.jdrupes.vmoperator.runner.qemu.Constants.ProcessName;
 import org.jdrupes.vmoperator.runner.qemu.commands.QmpCont;
 import org.jdrupes.vmoperator.runner.qemu.commands.QmpReset;
 import org.jdrupes.vmoperator.runner.qemu.events.ConfigureQemu;
@@ -195,9 +196,6 @@ import org.jgrapes.util.events.WatchFile;
     "PMD.CouplingBetweenObjects", "PMD.TooManyFields" })
 public class Runner extends Component {
 
-    public static final String QEMU = "qemu";
-    public static final String SWTPM = "swtpm";
-    public static final String CLOUD_INIT_IMG = "cloudInitImg";
     private static final String TEMPLATE_DIR
         = "/opt/" + APP_NAME.replace("-", "") + "/templates";
     private static final String DEFAULT_TEMPLATE
@@ -350,15 +348,19 @@ public class Runner extends Component {
             initialConfig = newConfig;
 
             // Configure
-            swtpmDefinition = Optional.ofNullable(tplData.get(SWTPM))
-                .map(d -> new CommandDefinition(SWTPM, d)).orElse(null);
+            swtpmDefinition
+                = Optional.ofNullable(tplData.get(ProcessName.SWTPM))
+                    .map(d -> new CommandDefinition(ProcessName.SWTPM, d))
+                    .orElse(null);
             logger.finest(() -> swtpmDefinition.toString());
-            qemuDefinition = Optional.ofNullable(tplData.get(QEMU))
-                .map(d -> new CommandDefinition(QEMU, d)).orElse(null);
+            qemuDefinition = Optional.ofNullable(tplData.get(ProcessName.QEMU))
+                .map(d -> new CommandDefinition(ProcessName.QEMU, d))
+                .orElse(null);
             logger.finest(() -> qemuDefinition.toString());
             cloudInitImgDefinition
-                = Optional.ofNullable(tplData.get(CLOUD_INIT_IMG))
-                    .map(d -> new CommandDefinition(CLOUD_INIT_IMG, d))
+                = Optional.ofNullable(tplData.get(ProcessName.CLOUD_INIT_IMG))
+                    .map(d -> new CommandDefinition(ProcessName.CLOUD_INIT_IMG,
+                        d))
                     .orElse(null);
             logger.finest(() -> cloudInitImgDefinition.toString());
 

From 2a3774ae24248665bbcdf49b3ff08ea1fab798f6 Mon Sep 17 00:00:00 2001
From: "Michael N. Lipp" <mnl@mnl.de>
Date: Thu, 13 Mar 2025 15:46:11 +0100
Subject: [PATCH 215/274] Minor edits.

---
 .../src/org/jdrupes/vmoperator/runner/qemu/QemuMonitor.java   | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/QemuMonitor.java b/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/QemuMonitor.java
index 67011e0..2c7e760 100644
--- a/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/QemuMonitor.java
+++ b/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/QemuMonitor.java
@@ -196,6 +196,7 @@ public class QemuMonitor extends QemuConnector {
                 + " cannot send powerdown command");
             return;
         }
+
         // We have a connection to Qemu, attempt ACPI shutdown.
         event.suspendHandling();
         suspendedStop = event;
@@ -203,7 +204,6 @@ public class QemuMonitor extends QemuConnector {
         // Attempt powerdown command. If not confirmed, assume
         // "hanging" qemu process.
         powerdownTimer = Components.schedule(t -> {
-            // Powerdown not confirmed
             logger.fine(() -> "QMP powerdown command not confirmed");
             synchronized (this) {
                 powerdownTimer = null;
@@ -212,7 +212,7 @@ public class QemuMonitor extends QemuConnector {
                     suspendedStop = null;
                 }
             }
-        }, Duration.ofSeconds(1));
+        }, Duration.ofSeconds(5));
         logger.fine(() -> "Attempting QMP powerdown.");
         powerdownStartedAt = Instant.now();
         fire(new MonitorCommand(new QmpPowerdown()));

From 2d16cbc352be302e70ae8b6e723815bbea2267b2 Mon Sep 17 00:00:00 2001
From: "Michael N. Lipp" <mnl@mnl.de>
Date: Thu, 13 Mar 2025 17:45:28 +0100
Subject: [PATCH 216/274] Add powerdown through guest agent (more reliable).

---
 dev-example/test-vm.tpl.yaml                  |   2 +-
 .../runner/qemu/AgentConnector.java           |  18 ++-
 .../runner/qemu/GuestAgentClient.java         | 111 +++++++++++++++++-
 .../vmoperator/runner/qemu/QemuMonitor.java   |  20 +++-
 .../qemu/commands/QmpGuestPowerdown.java      |  41 +++++++
 5 files changed, 181 insertions(+), 11 deletions(-)
 create mode 100644 org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/commands/QmpGuestPowerdown.java

diff --git a/dev-example/test-vm.tpl.yaml b/dev-example/test-vm.tpl.yaml
index 12057f9..18709f7 100644
--- a/dev-example/test-vm.tpl.yaml
+++ b/dev-example/test-vm.tpl.yaml
@@ -10,7 +10,7 @@ spec:
   image:
 #    source: ghcr.io/mnlipp/org.jdrupes.vmoperator.runner.qemu-arch:3.3.1
 #    source: registry.mnl.de/org/jdrupes/vm-operator/org.jdrupes.vmoperator.runner.qemu-arch:testing
-    source: docker-registry.lan.mnl.de/vmoperator/org.jdrupes.vmoperator.runner.qemu-arch:feature-pools
+    source: docker-registry.lan.mnl.de/vmoperator/org.jdrupes.vmoperator.runner.qemu-arch:fix-runner-poweroff
     pullPolicy: Always
 
   permissions:
diff --git a/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/AgentConnector.java b/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/AgentConnector.java
index 11b840c..6303794 100644
--- a/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/AgentConnector.java
+++ b/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/AgentConnector.java
@@ -92,8 +92,12 @@ public abstract class AgentConnector extends QemuConnector {
      */
     @Handler
     public void onVserportChanged(VserportChangeEvent event) {
-        if (event.id().equals(channelId) && event.isOpen()) {
-            agentConnected();
+        if (event.id().equals(channelId)) {
+            if (event.isOpen()) {
+                agentConnected();
+            } else {
+                agentDisconnected();
+            }
         }
     }
 
@@ -105,4 +109,14 @@ public abstract class AgentConnector extends QemuConnector {
     protected void agentConnected() {
         // Default is to do nothing.
     }
+
+    /**
+     * Called when the agent in the VM closes the connection. The
+     * default implementation does nothing.
+     */
+    @SuppressWarnings("PMD.EmptyMethodInAbstractClassShouldBeAbstract")
+    protected void agentDisconnected() {
+        // Default is to do nothing.
+    }
+
 }
diff --git a/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/GuestAgentClient.java b/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/GuestAgentClient.java
index ead7dd7..b0001e4 100644
--- a/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/GuestAgentClient.java
+++ b/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/GuestAgentClient.java
@@ -21,15 +21,23 @@ package org.jdrupes.vmoperator.runner.qemu;
 import com.fasterxml.jackson.core.JsonProcessingException;
 import com.fasterxml.jackson.databind.node.ObjectNode;
 import java.io.IOException;
+import java.time.Instant;
 import java.util.LinkedList;
 import java.util.Queue;
 import java.util.logging.Level;
+import org.jdrupes.vmoperator.runner.qemu.Constants.ProcessName;
 import org.jdrupes.vmoperator.runner.qemu.commands.QmpCommand;
 import org.jdrupes.vmoperator.runner.qemu.commands.QmpGuestGetOsinfo;
+import org.jdrupes.vmoperator.runner.qemu.commands.QmpGuestPowerdown;
+import org.jdrupes.vmoperator.runner.qemu.events.ConfigureQemu;
 import org.jdrupes.vmoperator.runner.qemu.events.GuestAgentCommand;
 import org.jdrupes.vmoperator.runner.qemu.events.OsinfoEvent;
 import org.jgrapes.core.Channel;
+import org.jgrapes.core.Components;
+import org.jgrapes.core.Components.Timer;
 import org.jgrapes.core.annotation.Handler;
+import org.jgrapes.core.events.Stop;
+import org.jgrapes.io.events.ProcessExited;
 
 /**
  * A component that handles the communication with the guest agent.
@@ -39,7 +47,12 @@ import org.jgrapes.core.annotation.Handler;
  */
 public class GuestAgentClient extends AgentConnector {
 
+    private boolean connected;
+    private Instant powerdownStartedAt;
+    private int powerdownTimeout;
+    private Timer powerdownTimer;
     private final Queue<QmpCommand> executing = new LinkedList<>();
+    private Stop suspendedStop;
 
     /**
      * Instantiates a new guest agent client.
@@ -56,9 +69,17 @@ public class GuestAgentClient extends AgentConnector {
      */
     @Override
     protected void agentConnected() {
+        logger.fine(() -> "guest agent connected");
+        connected = true;
         rep().fire(new GuestAgentCommand(new QmpGuestGetOsinfo()));
     }
 
+    @Override
+    protected void agentDisconnected() {
+        logger.fine(() -> "guest agent disconnected");
+        connected = false;
+    }
+
     /**
      * Process agent input.
      *
@@ -88,10 +109,11 @@ public class GuestAgentClient extends AgentConnector {
      * On guest agent command.
      *
      * @param event the event
-     * @throws IOException 
+     * @throws IOException Signals that an I/O exception has occurred.
      */
     @Handler
-    @SuppressWarnings("PMD.AvoidSynchronizedStatement")
+    @SuppressWarnings({ "PMD.AvoidSynchronizedStatement",
+        "PMD.AvoidDuplicateLiterals" })
     public void onGuestAgentCommand(GuestAgentCommand event)
             throws IOException {
         if (qemuChannel() == null) {
@@ -114,4 +136,89 @@ public class GuestAgentClient extends AgentConnector {
             }
         }
     }
+
+    /**
+     * Shutdown the VM.
+     *
+     * @param event the event
+     */
+    @Handler(priority = 200)
+    @SuppressWarnings("PMD.AvoidSynchronizedStatement")
+    public void onStop(Stop event) {
+        if (!connected) {
+            logger.fine(() -> "No guest agent connection,"
+                + " cannot send shutdown command");
+            return;
+        }
+
+        // We have a connection to the guest agent attempt shutdown.
+        powerdownStartedAt = event.associated(Instant.class).orElseGet(() -> {
+            var now = Instant.now();
+            event.setAssociated(Instant.class, now);
+            return now;
+        });
+        var waitUntil = powerdownStartedAt.plusSeconds(powerdownTimeout);
+        if (waitUntil.isBefore(Instant.now())) {
+            return;
+        }
+        event.suspendHandling();
+        suspendedStop = event;
+        logger.fine(() -> "Sending powerdown command, waiting for"
+            + " termination until " + waitUntil);
+        powerdownTimer = Components.schedule(t -> {
+            logger.fine(() -> "Powerdown timeout reached.");
+            synchronized (this) {
+                powerdownTimer = null;
+                if (suspendedStop != null) {
+                    suspendedStop.resumeHandling();
+                    suspendedStop = null;
+                }
+            }
+        }, waitUntil);
+        rep().fire(new GuestAgentCommand(new QmpGuestPowerdown()));
+    }
+
+    /**
+     * On process exited.
+     *
+     * @param event the event
+     */
+    @Handler
+    @SuppressWarnings("PMD.AvoidSynchronizedStatement")
+    public void onProcessExited(ProcessExited event) {
+        if (!event.startedBy().associated(CommandDefinition.class)
+            .map(cd -> ProcessName.QEMU.equals(cd.name())).orElse(false)) {
+            return;
+        }
+        synchronized (this) {
+            if (powerdownTimer != null) {
+                powerdownTimer.cancel();
+            }
+            if (suspendedStop != null) {
+                suspendedStop.resumeHandling();
+                suspendedStop = null;
+            }
+        }
+    }
+
+    /**
+     * On configure qemu.
+     *
+     * @param event the event
+     */
+    @Handler
+    @SuppressWarnings("PMD.AvoidSynchronizedStatement")
+    public void onConfigureQemu(ConfigureQemu event) {
+        int newTimeout = event.configuration().vm.powerdownTimeout;
+        if (powerdownTimeout != newTimeout) {
+            powerdownTimeout = newTimeout;
+            synchronized (this) {
+                if (powerdownTimer != null) {
+                    powerdownTimer
+                        .reschedule(powerdownStartedAt.plusSeconds(newTimeout));
+                }
+
+            }
+        }
+    }
 }
diff --git a/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/QemuMonitor.java b/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/QemuMonitor.java
index 2c7e760..6be7603 100644
--- a/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/QemuMonitor.java
+++ b/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/QemuMonitor.java
@@ -197,12 +197,20 @@ public class QemuMonitor extends QemuConnector {
             return;
         }
 
-        // We have a connection to Qemu, attempt ACPI shutdown.
+        // We have a connection to Qemu, attempt ACPI shutdown if time left
+        powerdownStartedAt = event.associated(Instant.class).orElseGet(() -> {
+            var now = Instant.now();
+            event.setAssociated(Instant.class, now);
+            return now;
+        });
+        if (powerdownStartedAt.plusSeconds(powerdownTimeout)
+            .isBefore(Instant.now())) {
+            return;
+        }
         event.suspendHandling();
         suspendedStop = event;
 
-        // Attempt powerdown command. If not confirmed, assume
-        // "hanging" qemu process.
+        // Send command. If not confirmed, assume "hanging" qemu process.
         powerdownTimer = Components.schedule(t -> {
             logger.fine(() -> "QMP powerdown command not confirmed");
             synchronized (this) {
@@ -213,9 +221,8 @@ public class QemuMonitor extends QemuConnector {
                 }
             }
         }, Duration.ofSeconds(5));
-        logger.fine(() -> "Attempting QMP powerdown.");
-        powerdownStartedAt = Instant.now();
-        fire(new MonitorCommand(new QmpPowerdown()));
+        logger.fine(() -> "Attempting QMP (ACPI) powerdown.");
+        rep().fire(new MonitorCommand(new QmpPowerdown()));
     }
 
     /**
@@ -241,6 +248,7 @@ public class QemuMonitor extends QemuConnector {
             powerdownTimer = Components.schedule(t -> {
                 logger.fine(() -> "Powerdown timeout reached.");
                 synchronized (this) {
+                    powerdownTimer = null;
                     if (suspendedStop != null) {
                         suspendedStop.resumeHandling();
                         suspendedStop = null;
diff --git a/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/commands/QmpGuestPowerdown.java b/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/commands/QmpGuestPowerdown.java
new file mode 100644
index 0000000..04110a5
--- /dev/null
+++ b/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/commands/QmpGuestPowerdown.java
@@ -0,0 +1,41 @@
+/*
+ * VM-Operator
+ * Copyright (C) 2025 Michael N. Lipp
+ * 
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as
+ * published by the Free Software Foundation, either version 3 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program.  If not, see <https://www.gnu.org/licenses/>.
+ */
+
+package org.jdrupes.vmoperator.runner.qemu.commands;
+
+import com.fasterxml.jackson.databind.JsonNode;
+import com.fasterxml.jackson.databind.node.ObjectNode;
+
+/**
+ * A {@link QmpCommand} that powers down the guest.
+ */
+public class QmpGuestPowerdown extends QmpCommand {
+
+    @Override
+    public JsonNode toJson() {
+        ObjectNode cmd = mapper.createObjectNode();
+        cmd.put("execute", "guest-shutdown");
+        return cmd;
+    }
+
+    @Override
+    public String toString() {
+        return "QmpGuestPowerdown()";
+    }
+
+}

From 3df01fcad06601f3287bc32cf6237dc9cfe68f10 Mon Sep 17 00:00:00 2001
From: "Michael N. Lipp" <mnl@mnl.de>
Date: Thu, 13 Mar 2025 18:19:09 +0100
Subject: [PATCH 217/274] Add debug messages.

---
 .../jdrupes/vmoperator/runner/qemu/DisplayController.java | 8 +++++---
 .../src/org/jdrupes/vmoperator/runner/qemu/Runner.java    | 1 +
 2 files changed, 6 insertions(+), 3 deletions(-)

diff --git a/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/DisplayController.java b/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/DisplayController.java
index e0d0a89..f5deda8 100644
--- a/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/DisplayController.java
+++ b/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/DisplayController.java
@@ -116,9 +116,11 @@ public class DisplayController extends Component {
     @Handler
     @SuppressWarnings("PMD.EmptyCatchBlock")
     public void onFileChanged(FileChanged event) {
-        if (event.path().equals(configDir.resolve(DisplaySecret.PASSWORD))
-            && canBeUpdated) {
-            configurePassword();
+        if (event.path().equals(configDir.resolve(DisplaySecret.PASSWORD))) {
+            logger.fine(() -> "Display password updated");
+            if (canBeUpdated) {
+                configurePassword();
+            }
         }
     }
 
diff --git a/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/Runner.java b/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/Runner.java
index f3219ba..d8ac5d8 100644
--- a/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/Runner.java
+++ b/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/Runner.java
@@ -311,6 +311,7 @@ public class Runner extends Component {
     @Handler
     public void onConfigurationUpdate(ConfigurationUpdate event) {
         event.structured(componentPath()).ifPresent(c -> {
+            logger.fine(() -> "Runner configuratation updated");
             var newConf = yamlMapper.convertValue(c, Configuration.class);
 
             // Add some values from other sources to configuration

From c02b3d99cbbf65a4ad961c01c4f34db24e76bd77 Mon Sep 17 00:00:00 2001
From: "Michael N. Lipp" <mnl@mnl.de>
Date: Thu, 13 Mar 2025 18:42:52 +0100
Subject: [PATCH 218/274] Restore reasonable default.

---
 dev-example/test-vm.tpl.yaml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/dev-example/test-vm.tpl.yaml b/dev-example/test-vm.tpl.yaml
index 12057f9..b6aa65a 100644
--- a/dev-example/test-vm.tpl.yaml
+++ b/dev-example/test-vm.tpl.yaml
@@ -8,9 +8,9 @@ metadata:
   
 spec:
   image:
-#    source: ghcr.io/mnlipp/org.jdrupes.vmoperator.runner.qemu-arch:3.3.1
+    source: ghcr.io/mnlipp/org.jdrupes.vmoperator.runner.qemu-arch:latest
 #    source: registry.mnl.de/org/jdrupes/vm-operator/org.jdrupes.vmoperator.runner.qemu-arch:testing
-    source: docker-registry.lan.mnl.de/vmoperator/org.jdrupes.vmoperator.runner.qemu-arch:feature-pools
+#    source: docker-registry.lan.mnl.de/vmoperator/org.jdrupes.vmoperator.runner.qemu-arch:latest
     pullPolicy: Always
 
   permissions:

From 5947bd36848e59ec5cb8e3d2b3e7cfd2fda0be8c Mon Sep 17 00:00:00 2001
From: "Michael N. Lipp" <mnl@mnl.de>
Date: Fri, 14 Mar 2025 11:21:29 +0100
Subject: [PATCH 219/274] Avoid unnecessary config map changes.

---
 dev-example/test-vm.tpl.yaml                  |  4 +-
 .../vmoperator/manager/runnerPod.ftl.yaml     |  2 +-
 .../manager/ConfigMapReconciler.java          | 71 +++++++++++++++----
 .../vmoperator/manager/Reconciler.java        | 31 +-------
 4 files changed, 62 insertions(+), 46 deletions(-)

diff --git a/dev-example/test-vm.tpl.yaml b/dev-example/test-vm.tpl.yaml
index b6aa65a..0a667d8 100644
--- a/dev-example/test-vm.tpl.yaml
+++ b/dev-example/test-vm.tpl.yaml
@@ -8,9 +8,9 @@ metadata:
   
 spec:
   image:
-    source: ghcr.io/mnlipp/org.jdrupes.vmoperator.runner.qemu-arch:latest
+#    source: ghcr.io/mnlipp/org.jdrupes.vmoperator.runner.qemu-arch:latest
 #    source: registry.mnl.de/org/jdrupes/vm-operator/org.jdrupes.vmoperator.runner.qemu-arch:testing
-#    source: docker-registry.lan.mnl.de/vmoperator/org.jdrupes.vmoperator.runner.qemu-arch:latest
+    source: docker-registry.lan.mnl.de/vmoperator/org.jdrupes.vmoperator.runner.qemu-arch:feature-auto-login
     pullPolicy: Always
 
   permissions:
diff --git a/org.jdrupes.vmoperator.manager/resources/org/jdrupes/vmoperator/manager/runnerPod.ftl.yaml b/org.jdrupes.vmoperator.manager/resources/org/jdrupes/vmoperator/manager/runnerPod.ftl.yaml
index f000c70..7518ad3 100644
--- a/org.jdrupes.vmoperator.manager/resources/org/jdrupes/vmoperator/manager/runnerPod.ftl.yaml
+++ b/org.jdrupes.vmoperator.manager/resources/org/jdrupes/vmoperator/manager/runnerPod.ftl.yaml
@@ -11,7 +11,7 @@ metadata:
   annotations:
     # Triggers update of config map mounted in pod
     # See https://ahmet.im/blog/kubernetes-secret-volumes-delay/
-    vmrunner.jdrupes.org/cmVersion: "${ cm.metadata.resourceVersion }"
+    vmrunner.jdrupes.org/cmVersion: "${ configMapResourceVersion }"
     vmoperator.jdrupes.org/version: ${ managerVersion }
   ownerReferences:
   - apiVersion: ${ cr.apiVersion() }
diff --git a/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/ConfigMapReconciler.java b/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/ConfigMapReconciler.java
index 9c6dc3e..e136a31 100644
--- a/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/ConfigMapReconciler.java
+++ b/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/ConfigMapReconciler.java
@@ -19,11 +19,17 @@
 package org.jdrupes.vmoperator.manager;
 
 import com.google.gson.JsonObject;
+import freemarker.template.AdapterTemplateModel;
 import freemarker.template.Configuration;
 import freemarker.template.TemplateException;
+import freemarker.template.TemplateMethodModelEx;
+import freemarker.template.TemplateModel;
+import freemarker.template.TemplateModelException;
+import freemarker.template.utility.DeepUnwrap;
 import io.kubernetes.client.custom.V1Patch;
 import io.kubernetes.client.openapi.ApiClient;
 import io.kubernetes.client.openapi.ApiException;
+import io.kubernetes.client.openapi.models.V1ObjectMeta;
 import io.kubernetes.client.util.generic.dynamic.DynamicKubernetesApi;
 import io.kubernetes.client.util.generic.dynamic.DynamicKubernetesObject;
 import io.kubernetes.client.util.generic.dynamic.Dynamics;
@@ -31,7 +37,11 @@ import io.kubernetes.client.util.generic.options.ListOptions;
 import io.kubernetes.client.util.generic.options.PatchOptions;
 import java.io.IOException;
 import java.io.StringWriter;
+import java.util.HashMap;
+import java.util.List;
 import java.util.Map;
+import java.util.Objects;
+import java.util.Optional;
 import java.util.logging.Logger;
 import org.jdrupes.vmoperator.common.K8s;
 import static org.jdrupes.vmoperator.manager.Constants.APP_NAME;
@@ -66,48 +76,59 @@ import org.yaml.snakeyaml.constructor.SafeConstructor;
      *
      * @param model the model
      * @param channel the channel
-     * @return the dynamic kubernetes object
      * @throws IOException Signals that an I/O exception has occurred.
      * @throws TemplateException the template exception
      * @throws ApiException the api exception
      */
-    public Map<String, Object> reconcile(Map<String, Object> model,
-            VmChannel channel)
+    @SuppressWarnings("PMD.AvoidDuplicateLiterals")
+    public void reconcile(Map<String, Object> model, VmChannel channel)
             throws IOException, TemplateException, ApiException {
         // Combine template and data and parse result
+        model.put("adjustCloudInitMeta", adjustCloudInitMetaModel);
         var fmTemplate = fmConfig.getTemplate("runnerConfig.ftl.yaml");
         StringWriter out = new StringWriter();
         fmTemplate.process(model, out);
         // Avoid Yaml.load due to
         // https://github.com/kubernetes-client/java/issues/2741
-        var mapDef = Dynamics.newFromYaml(
+        var newCm = Dynamics.newFromYaml(
             new Yaml(new SafeConstructor(new LoaderOptions())), out.toString());
 
         // Maybe override logging.properties from reconciler configuration.
         DataPath.<String> get(model, "reconciler", "loggingProperties")
             .ifPresent(props -> {
-                GsonPtr.to(mapDef.getRaw()).getAs(JsonObject.class, "data")
+                GsonPtr.to(newCm.getRaw()).getAs(JsonObject.class, "data")
                     .get().addProperty("logging.properties", props);
             });
 
         // Maybe override logging.properties from VM definition.
         DataPath.<String> get(model, "cr", "spec", "loggingProperties")
             .ifPresent(props -> {
-                GsonPtr.to(mapDef.getRaw()).getAs(JsonObject.class, "data")
+                GsonPtr.to(newCm.getRaw()).getAs(JsonObject.class, "data")
                     .get().addProperty("logging.properties", props);
             });
 
-        // Get API
+        // Look for changes
+        var oldCm = channel
+            .associated(getClass(), DynamicKubernetesObject.class).orElse(null);
+        channel.setAssociated(getClass(), newCm);
+        if (oldCm != null && Objects.equals(oldCm.getRaw().get("data"),
+            newCm.getRaw().get("data"))) {
+            logger.finer(() -> "No changes in config map for "
+                + DataPath.<String> get(model, "cr", "name").get());
+            model.put("configMapResourceVersion",
+                oldCm.getMetadata().getResourceVersion());
+            return;
+        }
+
+        // Get API and update
         DynamicKubernetesApi cmApi = new DynamicKubernetesApi("", "v1",
             "configmaps", channel.client());
 
         // Apply and maybe force pod update
-        var newState = K8s.apply(cmApi, mapDef, mapDef.getRaw().toString());
-        maybeForceUpdate(channel.client(), newState);
-        @SuppressWarnings("unchecked")
-        var res = (Map<String, Object>) channel.client().getJSON().getGson()
-            .fromJson(newState.getRaw(), Map.class);
-        return res;
+        var updatedCm = K8s.apply(cmApi, newCm, newCm.getRaw().toString());
+        maybeForceUpdate(channel.client(), updatedCm);
+        model.put("configMapResourceVersion",
+            updatedCm.getMetadata().getResourceVersion());
     }
 
     /**
@@ -153,4 +174,28 @@ import org.yaml.snakeyaml.constructor.SafeConstructor;
         }
     }
 
+    private final TemplateMethodModelEx adjustCloudInitMetaModel
+        = new TemplateMethodModelEx() {
+            @Override
+            @SuppressWarnings("PMD.PreserveStackTrace")
+            public Object exec(@SuppressWarnings("rawtypes") List arguments)
+                    throws TemplateModelException {
+                @SuppressWarnings("unchecked")
+                var res = new HashMap<>((Map<String, Object>) DeepUnwrap
+                    .unwrap((TemplateModel) arguments.get(0)));
+                var metadata
+                    = (V1ObjectMeta) ((AdapterTemplateModel) arguments.get(1))
+                        .getAdaptedObject(Object.class);
+                if (!res.containsKey("instance-id")) {
+                    res.put("instance-id",
+                        Optional.ofNullable(metadata.getGeneration())
+                            .map(s -> "v" + s).orElse("v1"));
+                }
+                if (!res.containsKey("local-hostname")) {
+                    res.put("local-hostname", metadata.getName());
+                }
+                return res;
+            }
+        };
+
 }
diff --git a/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/Reconciler.java b/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/Reconciler.java
index 8df5c88..700e068 100644
--- a/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/Reconciler.java
+++ b/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/Reconciler.java
@@ -27,12 +27,9 @@ import freemarker.template.SimpleScalar;
 import freemarker.template.TemplateException;
 import freemarker.template.TemplateExceptionHandler;
 import freemarker.template.TemplateMethodModelEx;
-import freemarker.template.TemplateModel;
 import freemarker.template.TemplateModelException;
-import freemarker.template.utility.DeepUnwrap;
 import io.kubernetes.client.custom.Quantity;
 import io.kubernetes.client.openapi.ApiException;
-import io.kubernetes.client.openapi.models.V1ObjectMeta;
 import io.kubernetes.client.util.generic.options.ListOptions;
 import java.io.IOException;
 import java.lang.reflect.Modifier;
@@ -226,13 +223,12 @@ public class Reconciler extends Component {
         // Create model for processing templates
         Map<String, Object> model
             = prepareModel(channel.client(), event.vmDefinition());
-        var configMap = cmReconciler.reconcile(model, channel);
+        cmReconciler.reconcile(model, channel);
 
         // The remaining reconcilers depend only on changes of the spec part.
         if (!event.specChanged()) {
             return;
         }
-        model.put("cm", configMap);
         dsReconciler.reconcile(event, model, channel);
         // Manage (eventual) removal of stateful set.
         stsReconciler.reconcile(event, model, channel);
@@ -279,7 +275,6 @@ public class Reconciler extends Component {
         model.put("parseQuantity", parseQuantityModel);
         model.put("formatMemory", formatMemoryModel);
         model.put("imageLocation", imgageLocationModel);
-        model.put("adjustCloudInitMeta", adjustCloudInitMetaModel);
         model.put("toJson", toJsonModel);
         return model;
     }
@@ -422,30 +417,6 @@ public class Reconciler extends Component {
             }
         };
 
-    private final TemplateMethodModelEx adjustCloudInitMetaModel
-        = new TemplateMethodModelEx() {
-            @Override
-            @SuppressWarnings("PMD.PreserveStackTrace")
-            public Object exec(@SuppressWarnings("rawtypes") List arguments)
-                    throws TemplateModelException {
-                @SuppressWarnings("unchecked")
-                var res = new HashMap<>((Map<String, Object>) DeepUnwrap
-                    .unwrap((TemplateModel) arguments.get(0)));
-                var metadata
-                    = (V1ObjectMeta) ((AdapterTemplateModel) arguments.get(1))
-                        .getAdaptedObject(Object.class);
-                if (!res.containsKey("instance-id")) {
-                    res.put("instance-id",
-                        Optional.ofNullable(metadata.getResourceVersion())
-                            .map(s -> "v" + s).orElse("v1"));
-                }
-                if (!res.containsKey("local-hostname")) {
-                    res.put("local-hostname", metadata.getName());
-                }
-                return res;
-            }
-        };
-
     private final TemplateMethodModelEx toJsonModel
         = new TemplateMethodModelEx() {
             @Override

From f0ebea5353373cb2e06db6a0b85467e3c6872d9b Mon Sep 17 00:00:00 2001
From: "Michael N. Lipp" <mnl@mnl.de>
Date: Fri, 14 Mar 2025 12:33:59 +0100
Subject: [PATCH 220/274] Use two digit numbers for VMs.

---
 dev-example/test-vm.tpl.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/dev-example/test-vm.tpl.yaml b/dev-example/test-vm.tpl.yaml
index b6aa65a..869c757 100644
--- a/dev-example/test-vm.tpl.yaml
+++ b/dev-example/test-vm.tpl.yaml
@@ -2,7 +2,7 @@ apiVersion: "vmoperator.jdrupes.org/v1"
 kind: VirtualMachine
 metadata:
   namespace: vmop-dev
-  name: test-vm<%= ${number} %>
+  name: test-vm<%= $(printf "%02d" ${number}) %>
   annotations:
     argocd.argoproj.io/sync-wave: "20"
   

From 3a4404b758f28b0332a4690e6310e881df465bd2 Mon Sep 17 00:00:00 2001
From: "Michael N. Lipp" <mnl@mnl.de>
Date: Fri, 14 Mar 2025 16:57:58 +0100
Subject: [PATCH 221/274] Add runner version to status.

---
 deploy/crds/vms-crd.yaml                                      | 4 ++++
 .../src/org/jdrupes/vmoperator/common/Constants.java          | 3 +++
 .../src/org/jdrupes/vmoperator/runner/qemu/StatusUpdater.java | 4 ++++
 3 files changed, 11 insertions(+)

diff --git a/deploy/crds/vms-crd.yaml b/deploy/crds/vms-crd.yaml
index 101784f..c2a7a66 100644
--- a/deploy/crds/vms-crd.yaml
+++ b/deploy/crds/vms-crd.yaml
@@ -1470,6 +1470,10 @@ spec:
               type: object
               default: {}
               properties:
+                runnerVersion:
+                  description: >-
+                    The version string of the runner.
+                  type: string
                 cpus:
                   description: >-
                     Number of CPUs currently in use.
diff --git a/org.jdrupes.vmoperator.common/src/org/jdrupes/vmoperator/common/Constants.java b/org.jdrupes.vmoperator.common/src/org/jdrupes/vmoperator/common/Constants.java
index 83b261e..67939de 100644
--- a/org.jdrupes.vmoperator.common/src/org/jdrupes/vmoperator/common/Constants.java
+++ b/org.jdrupes.vmoperator.common/src/org/jdrupes/vmoperator/common/Constants.java
@@ -50,6 +50,9 @@ public class Constants {
      * Status related constants.
      */
     public static class Status {
+        /** The Constant RUNNER_VERSION. */
+        public static final String RUNNER_VERSION = "runnerVersion";
+
         /** The Constant CPUS. */
         public static final String CPUS = "cpus";
 
diff --git a/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/StatusUpdater.java b/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/StatusUpdater.java
index b1580ae..bd4ddb4 100644
--- a/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/StatusUpdater.java
+++ b/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/StatusUpdater.java
@@ -31,6 +31,7 @@ import io.kubernetes.client.openapi.JSON;
 import io.kubernetes.client.openapi.models.EventsV1Event;
 import java.io.IOException;
 import java.math.BigDecimal;
+import java.util.Optional;
 import java.util.logging.Level;
 import static org.jdrupes.vmoperator.common.Constants.APP_NAME;
 import org.jdrupes.vmoperator.common.Constants.Crd;
@@ -124,6 +125,9 @@ public class StatusUpdater extends VmDefUpdater {
             observedGeneration = vmDef.getMetadata().getGeneration();
             vmStub.updateStatus(from -> {
                 JsonObject status = from.statusJson();
+                status.addProperty(Status.RUNNER_VERSION, Optional.ofNullable(
+                    Runner.class.getPackage().getImplementationVersion())
+                    .orElse("(unknown)"));
                 status.remove(Status.LOGGED_IN_USER);
                 return status;
             });

From ba582d877e91fe738d83f3c55ed0caae45bd3be3 Mon Sep 17 00:00:00 2001
From: "Michael N. Lipp" <mnl@mnl.de>
Date: Fri, 14 Mar 2025 17:52:25 +0100
Subject: [PATCH 222/274] Display runner version in GUI.

---
 .../vmoperator/vmmgmt/VmMgmt-view.ftl.html    | 19 ++++++++++---------
 .../jdrupes/vmoperator/vmmgmt/l10n.properties |  2 ++
 .../vmoperator/vmmgmt/l10n_de.properties      |  2 ++
 .../vmmgmt/browser/VmMgmt-style.scss          |  8 +++++++-
 4 files changed, 21 insertions(+), 10 deletions(-)

diff --git a/org.jdrupes.vmoperator.vmmgmt/resources/org/jdrupes/vmoperator/vmmgmt/VmMgmt-view.ftl.html b/org.jdrupes.vmoperator.vmmgmt/resources/org/jdrupes/vmoperator/vmmgmt/VmMgmt-view.ftl.html
index 533b2f4..5a28cb8 100644
--- a/org.jdrupes.vmoperator.vmmgmt/resources/org/jdrupes/vmoperator/vmmgmt/VmMgmt-view.ftl.html
+++ b/org.jdrupes.vmoperator.vmmgmt/resources/org/jdrupes/vmoperator/vmmgmt/VmMgmt-view.ftl.html
@@ -127,15 +127,16 @@
                   ><span>{{ cic.error }}</span></form></td>
               </tr>
             </table>
-            <table class="table--basic table--basic--autoStriped">
-              <tr>
-                <td colspan="2">{{ entry.status?.osinfo?.["pretty-name"] || "" }}</td>
-              </tr>
-              <tr>
-                <td>{{ localize("usedFrom") }}</td>
-                <td>{{ entry.usedFrom }}</td>
-              </tr>
-            </table>
+            <p>
+              <template v-if="entry.status?.runnerVersion">
+                {{ localize("runnerVersion") }}:
+                {{ entry.status.runnerVersion }}<br></template>
+              <template v-if="entry.status?.osinfo">
+                {{ localize("guestOs") }}:
+                {{ entry.status?.osinfo?.["pretty-name"] || "" }}<br></template>
+              <template v-if="entry.usedFrom">{{ localize("usedFrom") }}:
+                {{ entry.usedFrom }}<br></template>
+            </p>
           </td>
         </tr>
       </template>
diff --git a/org.jdrupes.vmoperator.vmmgmt/resources/org/jdrupes/vmoperator/vmmgmt/l10n.properties b/org.jdrupes.vmoperator.vmmgmt/resources/org/jdrupes/vmoperator/vmmgmt/l10n.properties
index fb0362f..ef55662 100644
--- a/org.jdrupes.vmoperator.vmmgmt/resources/org/jdrupes/vmoperator/vmmgmt/l10n.properties
+++ b/org.jdrupes.vmoperator.vmmgmt/resources/org/jdrupes/vmoperator/vmmgmt/l10n.properties
@@ -5,12 +5,14 @@ VMsSummary = VMs (running/total)
 assignedTo = Assigned to
 currentCpus = Current CPUs
 currentRam = Current RAM
+guestOs = Guest OS
 maximumCpus = Maximum CPUs
 maximumRam = Maximum RAM
 notInUse = Currently closed
 nodeName = Node
 requestedCpus = Requested CPUs
 requestedRam = Requested RAM
+runnerVersion = Runner version
 running = Running
 since = Since
 usedBy = Used by
diff --git a/org.jdrupes.vmoperator.vmmgmt/resources/org/jdrupes/vmoperator/vmmgmt/l10n_de.properties b/org.jdrupes.vmoperator.vmmgmt/resources/org/jdrupes/vmoperator/vmmgmt/l10n_de.properties
index a9b9600..b8ece92 100644
--- a/org.jdrupes.vmoperator.vmmgmt/resources/org/jdrupes/vmoperator/vmmgmt/l10n_de.properties
+++ b/org.jdrupes.vmoperator.vmmgmt/resources/org/jdrupes/vmoperator/vmmgmt/l10n_de.properties
@@ -9,12 +9,14 @@ Last\ day = Letzter Tag
 assignedTo = Zugewiesen an
 currentCpus = Aktuelle CPUs
 currentRam = Akuelles RAM
+guestOs = Gast BS
 maximumCpus = Maximale CPUs
 maximumRam = Maximales RAM
 nodeName = Knoten
 notInUse = Derzeit geschlossen
 requestedCpus = Angeforderte CPUs
 requestedRam = Angefordertes RAM
+runnerVersion = Runner-Version
 running = Gestartet
 since = Seit
 usedBy = Benutzt durch
diff --git a/org.jdrupes.vmoperator.vmmgmt/src/org/jdrupes/vmoperator/vmmgmt/browser/VmMgmt-style.scss b/org.jdrupes.vmoperator.vmmgmt/src/org/jdrupes/vmoperator/vmmgmt/browser/VmMgmt-style.scss
index 248df56..eb1b556 100644
--- a/org.jdrupes.vmoperator.vmmgmt/src/org/jdrupes/vmoperator/vmmgmt/browser/VmMgmt-style.scss
+++ b/org.jdrupes.vmoperator.vmmgmt/src/org/jdrupes/vmoperator/vmmgmt/browser/VmMgmt-style.scss
@@ -82,7 +82,7 @@
     padding-left: 0;
 
     table {
-      display: inline;
+      display: inline-block;
       
       td:nth-child(2) {
         min-width: 7em;
@@ -97,6 +97,12 @@
         color: var(--danger);
       }
     }
+    
+    p {
+      display: inline-block;
+      margin: 0.25rem 0.5rem 0.25rem 0.5rem;
+      vertical-align: top;
+    }
   }
 }
 

From 8bc413b2da5491b570d5426f735061b9106942cd Mon Sep 17 00:00:00 2001
From: "Michael N. Lipp" <mnl@mnl.de>
Date: Fri, 14 Mar 2025 18:37:05 +0100
Subject: [PATCH 223/274] Update templates when testing.

---
 dev-example/test-vm.tpl.yaml | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/dev-example/test-vm.tpl.yaml b/dev-example/test-vm.tpl.yaml
index 869c757..76adfba 100644
--- a/dev-example/test-vm.tpl.yaml
+++ b/dev-example/test-vm.tpl.yaml
@@ -13,6 +13,9 @@ spec:
 #    source: docker-registry.lan.mnl.de/vmoperator/org.jdrupes.vmoperator.runner.qemu-arch:latest
     pullPolicy: Always
 
+  runnerTemplate:
+    update: true
+    
   permissions:
   - role: admin
     may: 

From 197c21bc324bf7dfbcd6b9b9766f881fe224d352 Mon Sep 17 00:00:00 2001
From: "Michael N. Lipp" <mnl@mnl.de>
Date: Fri, 14 Mar 2025 18:37:43 +0100
Subject: [PATCH 224/274] More consistent logging.

---
 .../src/org/jdrupes/vmoperator/manager/AbstractMonitor.java   | 3 +++
 .../src/org/jdrupes/vmoperator/manager/PodReconciler.java     | 1 +
 .../src/org/jdrupes/vmoperator/manager/Reconciler.java        | 2 --
 .../src/org/jdrupes/vmoperator/manager/VmMonitor.java         | 4 ++--
 4 files changed, 6 insertions(+), 4 deletions(-)

diff --git a/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/AbstractMonitor.java b/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/AbstractMonitor.java
index 2deb9ab..56440f9 100644
--- a/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/AbstractMonitor.java
+++ b/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/AbstractMonitor.java
@@ -220,6 +220,9 @@ public abstract class AbstractMonitor<O extends KubernetesObject,
         new K8sObserver<>(objectClass, objectListClass, client,
             K8s.preferred(context, version), namespace, options)
                 .handler((c, r) -> {
+                    logger.fine(() -> "Resource " + context.getKind()
+                        + "/" + r.object.getMetadata().getName() + " "
+                        + r.type);
                     handleChange(c, r);
                 }).onTerminated((o, t) -> {
                     if (observerCounter.decrementAndGet() == 0) {
diff --git a/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/PodReconciler.java b/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/PodReconciler.java
index 4ee96d8..c3ab422 100644
--- a/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/PodReconciler.java
+++ b/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/PodReconciler.java
@@ -91,6 +91,7 @@ import org.yaml.snakeyaml.constructor.SafeConstructor;
         }
 
         // Create pod. First combine template and data and parse result
+        logger.fine(() -> "Create/update pod " + podStub.name());
         var fmTemplate = fmConfig.getTemplate("runnerPod.ftl.yaml");
         StringWriter out = new StringWriter();
         fmTemplate.process(model, out);
diff --git a/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/Reconciler.java b/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/Reconciler.java
index 700e068..77fa281 100644
--- a/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/Reconciler.java
+++ b/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/Reconciler.java
@@ -215,8 +215,6 @@ public class Reconciler extends Component {
             throws ApiException, TemplateException, IOException {
         // Ownership relationships takes care of deletions
         if (event.type() == K8sObserver.ResponseType.DELETED) {
-            logger.fine(
-                () -> "VM \"" + event.vmDefinition().name() + "\" deleted");
             return;
         }
 
diff --git a/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/VmMonitor.java b/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/VmMonitor.java
index 1a559b3..e4ee0a0 100644
--- a/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/VmMonitor.java
+++ b/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/VmMonitor.java
@@ -205,13 +205,13 @@ public class VmMonitor extends
                 = K8sV1PodStub.list(client, namespace(), podSearch);
             for (var podStub : podList) {
                 var nodeName = podStub.model().get().getSpec().getNodeName();
-                logger.fine(() -> "Adding node name " + nodeName
+                logger.finer(() -> "Adding node name " + nodeName
                     + " to VM info for " + vmDef.name());
                 @SuppressWarnings("PMD.AvoidInstantiatingObjectsInLoops")
                 var addrs = new ArrayList<String>();
                 podStub.model().get().getStatus().getPodIPs().stream()
                     .map(ip -> ip.getIp()).forEach(addrs::add);
-                logger.fine(() -> "Adding node addresses " + addrs
+                logger.finer(() -> "Adding node addresses " + addrs
                     + " to VM info for " + vmDef.name());
                 extra.nodeInfo(nodeName, addrs);
             }

From 1b1e5ffb8c1462073e7f3c878507233d2af27f06 Mon Sep 17 00:00:00 2001
From: "Michael N. Lipp" <mnl@mnl.de>
Date: Fri, 14 Mar 2025 21:16:01 +0100
Subject: [PATCH 225/274] Reduce default logging.

---
 .../org/jdrupes/vmoperator/manager/logging.properties      | 7 ++-----
 1 file changed, 2 insertions(+), 5 deletions(-)

diff --git a/org.jdrupes.vmoperator.manager/resources/org/jdrupes/vmoperator/manager/logging.properties b/org.jdrupes.vmoperator.manager/resources/org/jdrupes/vmoperator/manager/logging.properties
index 9e6d0f5..2a16af6 100644
--- a/org.jdrupes.vmoperator.manager/resources/org/jdrupes/vmoperator/manager/logging.properties
+++ b/org.jdrupes.vmoperator.manager/resources/org/jdrupes/vmoperator/manager/logging.properties
@@ -1,6 +1,6 @@
 #
 # VM-Operator
-# Copyright (C) 2023 Michael N. Lipp
+# Copyright (C) 2025 Michael N. Lipp
 #
 # This program is free software; you can redistribute it and/or modify it 
 # under the terms of the GNU General Public License as published by 
@@ -19,10 +19,7 @@
 handlers=java.util.logging.ConsoleHandler, \
     org.jgrapes.webconlet.logviewer.LogViewerHandler
 
-org.jgrapes.level=FINE
-org.jgrapes.core.handlerTracking.level=FINER
-
-org.jdrupes.vmoperator.manager.level=FINE
+org.jdrupes.vmoperator.level=FINE
 
 java.util.logging.ConsoleHandler.level=ALL
 java.util.logging.ConsoleHandler.formatter=java.util.logging.SimpleFormatter

From dc228295d177c7f7e2eb0576b593ff352b100ca7 Mon Sep 17 00:00:00 2001
From: "Michael N. Lipp" <mnl@mnl.de>
Date: Sat, 15 Mar 2025 11:25:13 +0100
Subject: [PATCH 226/274] Update.

---
 README.md | 19 ++++++++++++++++---
 1 file changed, 16 insertions(+), 3 deletions(-)

diff --git a/README.md b/README.md
index e9eeb5e..09fcd25 100644
--- a/README.md
+++ b/README.md
@@ -3,10 +3,23 @@
 ![Latest Manager](https://img.shields.io/github/v/tag/mnlipp/vm-operator?filter=manager*&label=latest)
 ![Latest Runner](https://img.shields.io/github/v/tag/mnlipp/vm-operator?filter=runner-qemu*&label=latest)
 
-# Run Qemu in Kubernetes Pods
+# Run QEMU/KVM in Kubernetes Pods
 
-The goal of this project is to provide simply to use and flexible components
-for running Qemu based VMs in Kubernetes pods.
+![Overview picture](webpages/index-pic.svg)
+
+This project provides an easy to use and flexible solution for running
+QEMU/KVM based VMs in Kubernetes pods.
+
+The central component of this solution is the kubernetes operator that
+manages "runners". These run in pods and are used to start and manage
+the QEMU/KVM process for the VMs (optionally together with a SW-TPM).
+
+A web GUI for administrators provides an overview of the VMs together
+with some basic control over the VMs. A web GUI for users provides an
+interface to access and optionally start, stop and reset the VMs.
+
+Advanced features of the operator include pooling of VMs and automatic
+login.
 
 See the [project's home page](https://vm-operator.jdrupes.org/)
 for details.

From 5309460fbf6da606a505d7174e9ff285c12b5df9 Mon Sep 17 00:00:00 2001
From: "Michael N. Lipp" <mnl@mnl.de>
Date: Sat, 15 Mar 2025 12:33:20 +0100
Subject: [PATCH 227/274] Prevent update of lastTransitionTime if we have no
 transition.

---
 .../vmoperator/runner/qemu/VmDefUpdater.java    | 17 +++++++++++------
 1 file changed, 11 insertions(+), 6 deletions(-)

diff --git a/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/VmDefUpdater.java b/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/VmDefUpdater.java
index 4c64ff1..49c9e67 100644
--- a/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/VmDefUpdater.java
+++ b/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/VmDefUpdater.java
@@ -125,16 +125,19 @@ public class VmDefUpdater extends Component {
     protected JsonObject updateCondition(VmDefinition from, String type,
             boolean state, String reason, String message) {
         JsonObject status = from.statusJson();
-        // Optimize, as we can get this several times
+        // Avoid redundant updates, as this may be called several times
         var current = status.getAsJsonArray("conditions").asList().stream()
             .map(cond -> (JsonObject) cond)
             .filter(cond -> type.equals(cond.get("type").getAsString()))
             .findFirst();
-        if (current.isPresent()
-            && current.map(c -> c.get("status").getAsString())
-                .map("True"::equals).map(s -> s == state).orElse(false)
+        var stateUnchanged = current.map(c -> c.get("status").getAsString())
+            .map("True"::equals).map(s -> s == state).orElse(false);
+        if (stateUnchanged
             && current.map(c -> c.get("reason").getAsString())
-                .map(reason::equals).orElse(false)) {
+                .map(reason::equals).orElse(false)
+            && current.map(c -> c.get("observedGeneration").getAsLong())
+                .map(from.getMetadata().getGeneration()::equals)
+                .orElse(false)) {
             return status;
         }
 
@@ -143,7 +146,9 @@ public class VmDefUpdater extends Component {
             "status", state ? "True" : "False",
             "observedGeneration", from.getMetadata().getGeneration(),
             "reason", reason,
-            "lastTransitionTime", Instant.now().toString()));
+            "lastTransitionTime", stateUnchanged
+                ? current.get().get("lastTransitionTime").getAsString()
+                : Instant.now().toString()));
         if (message != null) {
             condition.put("message", message);
         }

From 017607f2e29ae22b425ccbfc59003c179a51d7f3 Mon Sep 17 00:00:00 2001
From: "Michael N. Lipp" <mnl@mnl.de>
Date: Sat, 15 Mar 2025 15:21:44 +0100
Subject: [PATCH 228/274] Prune not required data before transfer.

---
 .../src/org/jdrupes/vmoperator/vmmgmt/VmMgmt.java              | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/org.jdrupes.vmoperator.vmmgmt/src/org/jdrupes/vmoperator/vmmgmt/VmMgmt.java b/org.jdrupes.vmoperator.vmmgmt/src/org/jdrupes/vmoperator/vmmgmt/VmMgmt.java
index 00df484..3d58d09 100644
--- a/org.jdrupes.vmoperator.vmmgmt/src/org/jdrupes/vmoperator/vmmgmt/VmMgmt.java
+++ b/org.jdrupes.vmoperator.vmmgmt/src/org/jdrupes/vmoperator/vmmgmt/VmMgmt.java
@@ -236,7 +236,10 @@ public class VmMgmt extends FreeMarkerConlet<VmMgmt.VmsModel> {
             String user, List<String> roles) {
         // Convert RAM sizes to unitless numbers
         var spec = DataPath.deepCopy(vmDef.spec());
+        spec.remove("cloudInit");
         var vmSpec = DataPath.<Map<String, Object>> get(spec, "vm").get();
+        vmSpec.remove("networks");
+        vmSpec.remove("disks");
         vmSpec.put("maximumRam", Quantity.fromString(
             DataPath.<String> get(vmSpec, "maximumRam").orElse("0")).getNumber()
             .toBigInteger());

From ce4d0bfb727b9f2e9739c949191d5d34f9a9c1ff Mon Sep 17 00:00:00 2001
From: "Michael N. Lipp" <mnl@mnl.de>
Date: Sun, 16 Mar 2025 14:53:01 +0100
Subject: [PATCH 229/274] More features, more resources.

---
 deploy/vmop-deployment.yaml | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/deploy/vmop-deployment.yaml b/deploy/vmop-deployment.yaml
index 648cc39..4a22d9e 100644
--- a/deploy/vmop-deployment.yaml
+++ b/deploy/vmop-deployment.yaml
@@ -36,7 +36,13 @@ spec:
           resources:
             requests:
               cpu: 100m
-              memory: 128Mi
+              # The VM operator needs about 25 MB of memory, plus 1 MB for
+              # each VM. The reason is that for the sake of effeciency, we
+              # have to keep a parsed representation of the CRD in memory,
+              # which requires about 512 KB per VM. While handling updates,
+              # we temporarily have the old and the new version of the CRD
+              # in memory, so we need another 512 KB per VM.  
+              memory: 256Mi
       volumes:
       - name: config
         configMap:

From 227c097c01fbceb00f18103bfbb4cec4c0488c02 Mon Sep 17 00:00:00 2001
From: "Michael N. Lipp" <mnl@mnl.de>
Date: Sun, 16 Mar 2025 15:13:16 +0100
Subject: [PATCH 230/274] Actively add pod info, don't run queries.

---
 .../jdrupes/vmoperator/common/Constants.java  |   1 -
 .../vmoperator/common/VmExtraData.java        |   9 ++
 .../vmoperator/manager/events/PodChanged.java |  75 ++++++++++
 .../vmoperator/manager/events/VmChannel.java  |  14 ++
 org.jdrupes.vmoperator.manager/.gitignore     |   1 +
 .../vmoperator/manager/Controller.java        |   1 +
 .../vmoperator/manager/PodMonitor.java        | 138 ++++++++++++++++++
 .../jdrupes/vmoperator/manager/VmMonitor.java |  89 ++++++-----
 8 files changed, 287 insertions(+), 41 deletions(-)
 create mode 100644 org.jdrupes.vmoperator.manager.events/src/org/jdrupes/vmoperator/manager/events/PodChanged.java
 create mode 100644 org.jdrupes.vmoperator.manager/.gitignore
 create mode 100644 org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/PodMonitor.java

diff --git a/org.jdrupes.vmoperator.common/src/org/jdrupes/vmoperator/common/Constants.java b/org.jdrupes.vmoperator.common/src/org/jdrupes/vmoperator/common/Constants.java
index 67939de..b9de69f 100644
--- a/org.jdrupes.vmoperator.common/src/org/jdrupes/vmoperator/common/Constants.java
+++ b/org.jdrupes.vmoperator.common/src/org/jdrupes/vmoperator/common/Constants.java
@@ -18,7 +18,6 @@
 
 package org.jdrupes.vmoperator.common;
 
-// TODO: Auto-generated Javadoc
 /**
  * Some constants.
  */
diff --git a/org.jdrupes.vmoperator.common/src/org/jdrupes/vmoperator/common/VmExtraData.java b/org.jdrupes.vmoperator.common/src/org/jdrupes/vmoperator/common/VmExtraData.java
index 85913c2..79f262f 100644
--- a/org.jdrupes.vmoperator.common/src/org/jdrupes/vmoperator/common/VmExtraData.java
+++ b/org.jdrupes.vmoperator.common/src/org/jdrupes/vmoperator/common/VmExtraData.java
@@ -75,6 +75,15 @@ public class VmExtraData {
         return nodeName;
     }
 
+    /**
+     * Gets the node addresses.
+     *
+     * @return the nodeAddresses
+     */
+    public List<String> nodeAddresses() {
+        return nodeAddresses;
+    }
+
     /**
      * Sets the reset count.
      *
diff --git a/org.jdrupes.vmoperator.manager.events/src/org/jdrupes/vmoperator/manager/events/PodChanged.java b/org.jdrupes.vmoperator.manager.events/src/org/jdrupes/vmoperator/manager/events/PodChanged.java
new file mode 100644
index 0000000..8bbcfe8
--- /dev/null
+++ b/org.jdrupes.vmoperator.manager.events/src/org/jdrupes/vmoperator/manager/events/PodChanged.java
@@ -0,0 +1,75 @@
+/*
+ * VM-Operator
+ * Copyright (C) 2023 Michael N. Lipp
+ * 
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as
+ * published by the Free Software Foundation, either version 3 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program.  If not, see <https://www.gnu.org/licenses/>.
+ */
+
+package org.jdrupes.vmoperator.manager.events;
+
+import io.kubernetes.client.openapi.models.V1Pod;
+import org.jdrupes.vmoperator.common.K8sObserver;
+import org.jgrapes.core.Channel;
+import org.jgrapes.core.Components;
+import org.jgrapes.core.Event;
+
+/**
+ * Indicates a change in a pod that runs a VM.
+ */
+public class PodChanged extends Event<Void> {
+
+    private final V1Pod pod;
+    private final K8sObserver.ResponseType type;
+
+    /**
+     * Instantiates a new VM changed event.
+     *
+     * @param pod the pod
+     * @param type the type
+     */
+    public PodChanged(V1Pod pod, K8sObserver.ResponseType type) {
+        this.pod = pod;
+        this.type = type;
+    }
+
+    /**
+     * Gets the pod.
+     *
+     * @return the pod
+     */
+    public V1Pod pod() {
+        return pod;
+    }
+
+    /**
+     * Returns the type.
+     *
+     * @return the type
+     */
+    public K8sObserver.ResponseType type() {
+        return type;
+    }
+
+    @Override
+    public String toString() {
+        StringBuilder builder = new StringBuilder();
+        builder.append(Components.objectName(this)).append(" [")
+            .append(pod.getMetadata().getName()).append(' ').append(type);
+        if (channels() != null) {
+            builder.append(", channels=").append(Channel.toString(channels()));
+        }
+        builder.append(']');
+        return builder.toString();
+    }
+}
diff --git a/org.jdrupes.vmoperator.manager.events/src/org/jdrupes/vmoperator/manager/events/VmChannel.java b/org.jdrupes.vmoperator.manager.events/src/org/jdrupes/vmoperator/manager/events/VmChannel.java
index 5ea282a..7b03ad3 100644
--- a/org.jdrupes.vmoperator.manager.events/src/org/jdrupes/vmoperator/manager/events/VmChannel.java
+++ b/org.jdrupes.vmoperator.manager.events/src/org/jdrupes/vmoperator/manager/events/VmChannel.java
@@ -21,6 +21,7 @@ package org.jdrupes.vmoperator.manager.events;
 import org.jdrupes.vmoperator.common.K8sClient;
 import org.jdrupes.vmoperator.common.VmDefinition;
 import org.jgrapes.core.Channel;
+import org.jgrapes.core.Event;
 import org.jgrapes.core.EventPipeline;
 import org.jgrapes.core.Subchannel.DefaultSubchannel;
 
@@ -104,6 +105,19 @@ public class VmChannel extends DefaultSubchannel {
         return pipeline;
     }
 
+    /**
+     * Fire the given event on this channel, using the associated
+     * {@link #pipeline()}.
+     *
+     * @param <T> the generic type
+     * @param event the event
+     * @return the t
+     */
+    public <T extends Event<?>> T fire(T event) {
+        pipeline.fire(event, this);
+        return event;
+    }
+
     /**
      * Returns the API client.
      *
diff --git a/org.jdrupes.vmoperator.manager/.gitignore b/org.jdrupes.vmoperator.manager/.gitignore
new file mode 100644
index 0000000..50a6b62
--- /dev/null
+++ b/org.jdrupes.vmoperator.manager/.gitignore
@@ -0,0 +1 @@
+/logging.properties
diff --git a/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/Controller.java b/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/Controller.java
index 5d5c592..5531d8d 100644
--- a/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/Controller.java
+++ b/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/Controller.java
@@ -113,6 +113,7 @@ public class Controller extends Component {
         // attach(new ServiceMonitor(channel()).channelManager(chanMgr));
         attach(new Reconciler(channel()));
         attach(new PoolMonitor(channel()));
+        attach(new PodMonitor(channel(), chanMgr));
     }
 
     /**
diff --git a/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/PodMonitor.java b/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/PodMonitor.java
new file mode 100644
index 0000000..9145d9d
--- /dev/null
+++ b/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/PodMonitor.java
@@ -0,0 +1,138 @@
+/*
+ * VM-Operator
+ * Copyright (C) 2025 Michael N. Lipp
+ * 
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as
+ * published by the Free Software Foundation, either version 3 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program.  If not, see <https://www.gnu.org/licenses/>.
+ */
+
+package org.jdrupes.vmoperator.manager;
+
+import io.kubernetes.client.openapi.ApiException;
+import io.kubernetes.client.openapi.models.V1Pod;
+import io.kubernetes.client.openapi.models.V1PodList;
+import io.kubernetes.client.util.Watch.Response;
+import io.kubernetes.client.util.generic.options.ListOptions;
+import java.io.IOException;
+import java.time.Duration;
+import java.time.Instant;
+import java.util.Map;
+import java.util.Optional;
+import java.util.concurrent.ConcurrentHashMap;
+import java.util.logging.Level;
+import static org.jdrupes.vmoperator.common.Constants.APP_NAME;
+import static org.jdrupes.vmoperator.common.Constants.VM_OP_NAME;
+import org.jdrupes.vmoperator.common.K8sClient;
+import org.jdrupes.vmoperator.common.K8sObserver.ResponseType;
+import org.jdrupes.vmoperator.common.K8sV1PodStub;
+import org.jdrupes.vmoperator.manager.events.ChannelDictionary;
+import org.jdrupes.vmoperator.manager.events.PodChanged;
+import org.jdrupes.vmoperator.manager.events.VmChannel;
+import org.jdrupes.vmoperator.manager.events.VmDefChanged;
+import org.jgrapes.core.Channel;
+import org.jgrapes.core.annotation.Handler;
+
+/**
+ * Watches for changes of pods that run VMs.
+ */
+public class PodMonitor extends AbstractMonitor<V1Pod, V1PodList, VmChannel> {
+
+    private final ChannelDictionary<String, VmChannel, ?> channelDictionary;
+
+    private final Map<String, PendingChange> pendingChanges
+        = new ConcurrentHashMap<>();
+
+    /**
+     * Instantiates a new pod monitor.
+     *
+     * @param componentChannel the component channel
+     * @param channelDictionary the channel dictionary
+     */
+    public PodMonitor(Channel componentChannel,
+            ChannelDictionary<String, VmChannel, ?> channelDictionary) {
+        super(componentChannel, V1Pod.class, V1PodList.class);
+        this.channelDictionary = channelDictionary;
+        context(K8sV1PodStub.CONTEXT);
+        ListOptions options = new ListOptions();
+        options.setLabelSelector("app.kubernetes.io/name=" + APP_NAME + ","
+            + "app.kubernetes.io/component=" + APP_NAME + ","
+            + "app.kubernetes.io/managed-by=" + VM_OP_NAME);
+        options(options);
+    }
+
+    @Override
+    protected void prepareMonitoring() throws IOException, ApiException {
+        client(new K8sClient());
+    }
+
+    @Override
+    protected void handleChange(K8sClient client, Response<V1Pod> change) {
+        String vmName = change.object.getMetadata().getLabels()
+            .get("app.kubernetes.io/instance");
+        if (vmName == null) {
+            return;
+        }
+        var channel = channelDictionary.channel(vmName).orElse(null);
+        var responseType = ResponseType.valueOf(change.type);
+        if (channel != null && channel.vmDefinition() != null) {
+            pendingChanges.remove(vmName);
+            channel.fire(new PodChanged(change.object, responseType));
+            return;
+        }
+
+        // VM definition not available yet, may happen during startup
+        if (responseType == ResponseType.DELETED) {
+            return;
+        }
+        purgePendingChanges();
+        logger.finer(() -> "Add pending pod change for " + vmName);
+        pendingChanges.put(vmName, new PendingChange(Instant.now(), change));
+    }
+
+    private void purgePendingChanges() {
+        Instant tooOld = Instant.now().minus(Duration.ofMinutes(15));
+        for (var itr = pendingChanges.entrySet().iterator(); itr.hasNext();) {
+            var change = itr.next();
+            if (change.getValue().from().isBefore(tooOld)) {
+                itr.remove();
+                logger.finer(
+                    () -> "Cleaned pending pod change for " + change.getKey());
+            }
+        }
+    }
+
+    /**
+     * Check for pending changes.
+     *
+     * @param event the event
+     * @param channel the channel
+     */
+    @Handler
+    public void onVmDefChanged(VmDefChanged event, VmChannel channel) {
+        Optional.ofNullable(pendingChanges.remove(event.vmDefinition().name()))
+            .map(PendingChange::change).ifPresent(change -> {
+                logger.finer(() -> "Firing pending pod change for "
+                    + event.vmDefinition().name());
+                channel.fire(new PodChanged(change.object,
+                    ResponseType.valueOf(change.type)));
+                if (logger.isLoggable(Level.FINER)
+                    && pendingChanges.isEmpty()) {
+                    logger.finer("No pending pod changes left.");
+                }
+            });
+    }
+
+    private record PendingChange(Instant from, Response<V1Pod> change) {
+    }
+
+}
diff --git a/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/VmMonitor.java b/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/VmMonitor.java
index e4ee0a0..f729240 100644
--- a/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/VmMonitor.java
+++ b/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/VmMonitor.java
@@ -25,11 +25,12 @@ import io.kubernetes.client.util.generic.options.ListOptions;
 import java.io.IOException;
 import java.time.Instant;
 import java.util.ArrayList;
+import java.util.Collections;
 import java.util.Comparator;
+import java.util.Objects;
 import java.util.Optional;
 import java.util.Set;
 import java.util.concurrent.atomic.AtomicBoolean;
-import java.util.logging.Level;
 import java.util.stream.Collectors;
 import org.jdrupes.vmoperator.common.Constants.Crd;
 import org.jdrupes.vmoperator.common.K8s;
@@ -37,7 +38,6 @@ import org.jdrupes.vmoperator.common.K8sClient;
 import org.jdrupes.vmoperator.common.K8sDynamicStub;
 import org.jdrupes.vmoperator.common.K8sObserver.ResponseType;
 import org.jdrupes.vmoperator.common.K8sV1ConfigMapStub;
-import org.jdrupes.vmoperator.common.K8sV1PodStub;
 import org.jdrupes.vmoperator.common.K8sV1StatefulSetStub;
 import org.jdrupes.vmoperator.common.VmDefinition;
 import org.jdrupes.vmoperator.common.VmDefinition.Assignment;
@@ -53,6 +53,7 @@ import org.jdrupes.vmoperator.manager.events.GetPools;
 import org.jdrupes.vmoperator.manager.events.GetVms;
 import org.jdrupes.vmoperator.manager.events.GetVms.VmData;
 import org.jdrupes.vmoperator.manager.events.ModifyVm;
+import org.jdrupes.vmoperator.manager.events.PodChanged;
 import org.jdrupes.vmoperator.manager.events.UpdateAssignment;
 import org.jdrupes.vmoperator.manager.events.VmChannel;
 import org.jdrupes.vmoperator.manager.events.VmDefChanged;
@@ -140,7 +141,7 @@ public class VmMonitor extends
         }
         if (vmDef.data() != null) {
             // New data, augment and save
-            addExtraData(channel.client(), vmDef, channel.vmDefinition());
+            addExtraData(vmDef, channel.vmDefinition());
             channel.setVmDefinition(vmDef);
         } else {
             // Reuse cached (e.g. if deleted)
@@ -166,7 +167,7 @@ public class VmMonitor extends
             chgEvt = Event.onCompletion(chgEvt,
                 e -> channelManager.remove(e.vmDefinition().name()));
         }
-        channel.pipeline().fire(chgEvt, channel);
+        channel.fire(chgEvt);
     }
 
     private VmDefinition getModel(K8sClient client, VmDefinition vmDef) {
@@ -179,46 +180,56 @@ public class VmMonitor extends
     }
 
     @SuppressWarnings("PMD.AvoidDuplicateLiterals")
-    private void addExtraData(K8sClient client, VmDefinition vmDef,
-            VmDefinition prevState) {
+    private void addExtraData(VmDefinition vmDef, VmDefinition prevState) {
         var extra = new VmExtraData(vmDef);
+        var prevExtra
+            = Optional.ofNullable(prevState).flatMap(VmDefinition::extra);
 
         // Maintain (or initialize) the resetCount
-        extra.resetCount(
-            Optional.ofNullable(prevState).flatMap(VmDefinition::extra)
-                .map(VmExtraData::resetCount).orElse(0L));
+        extra.resetCount(prevExtra.map(VmExtraData::resetCount).orElse(0L));
 
-        // VM definition status changes before the pod terminates.
-        // This results in pod information being shown for a stopped
-        // VM which is irritating. So check condition first.
-        if (!vmDef.conditionStatus("Running").orElse(false)) {
+        // Maintain node info
+        prevExtra
+            .ifPresent(e -> extra.nodeInfo(e.nodeName(), e.nodeAddresses()));
+    }
+
+    /**
+     * On pod changed.
+     *
+     * @param event the event
+     * @param channel the channel
+     */
+    @Handler
+    public void onPodChanged(PodChanged event, VmChannel channel) {
+        if (channel.vmDefinition().extra().isEmpty()) {
             return;
         }
-
-        // Get pod and extract node information.
-        var podSearch = new ListOptions();
-        podSearch.setLabelSelector("app.kubernetes.io/name=" + APP_NAME
-            + ",app.kubernetes.io/component=" + APP_NAME
-            + ",app.kubernetes.io/instance=" + vmDef.name());
-        try {
-            var podList
-                = K8sV1PodStub.list(client, namespace(), podSearch);
-            for (var podStub : podList) {
-                var nodeName = podStub.model().get().getSpec().getNodeName();
-                logger.finer(() -> "Adding node name " + nodeName
-                    + " to VM info for " + vmDef.name());
-                @SuppressWarnings("PMD.AvoidInstantiatingObjectsInLoops")
-                var addrs = new ArrayList<String>();
-                podStub.model().get().getStatus().getPodIPs().stream()
-                    .map(ip -> ip.getIp()).forEach(addrs::add);
-                logger.finer(() -> "Adding node addresses " + addrs
-                    + " to VM info for " + vmDef.name());
-                extra.nodeInfo(nodeName, addrs);
+        var extra = channel.vmDefinition().extra().get();
+        var pod = event.pod();
+        if (event.type() == ResponseType.DELETED) {
+            // The status of a deleted pod is the status before deletion,
+            // i.e. the node info is still there.
+            extra.nodeInfo("", Collections.emptyList());
+        } else {
+            var nodeName = Optional
+                .ofNullable(pod.getSpec().getNodeName()).orElse("");
+            logger.finer(() -> "Adding node name " + nodeName
+                + " to VM info for " + channel.vmDefinition().name());
+            @SuppressWarnings("PMD.AvoidInstantiatingObjectsInLoops")
+            var addrs = new ArrayList<String>();
+            Optional.ofNullable(pod.getStatus().getPodIPs())
+                .orElse(Collections.emptyList()).stream()
+                .map(ip -> ip.getIp()).forEach(addrs::add);
+            logger.finer(() -> "Adding node addresses " + addrs
+                + " to VM info for " + channel.vmDefinition().name());
+            if (Objects.equals(nodeName, extra.nodeName())
+                && Objects.equals(addrs, extra.nodeAddresses())) {
+                return;
             }
-        } catch (ApiException e) {
-            logger.log(Level.WARNING, e,
-                () -> "Cannot access node information: " + e.getMessage());
+            extra.nodeInfo(nodeName, addrs);
         }
+        channel.fire(new VmDefChanged(ResponseType.MODIFIED, false,
+            channel.vmDefinition()));
     }
 
     /**
@@ -293,10 +304,8 @@ public class VmMonitor extends
 
             // Assign to user
             var chosenVm = vmQuery.get();
-            var vmPipeline = chosenVm.pipeline();
-            if (Optional.ofNullable(vmPipeline.fire(new UpdateAssignment(
-                vmPool, event.toUser()), chosenVm).get())
-                .orElse(false)) {
+            if (Optional.ofNullable(chosenVm.fire(new UpdateAssignment(
+                vmPool, event.toUser())).get()).orElse(false)) {
                 var vmDef = chosenVm.vmDefinition();
                 event.setResult(new VmData(vmDef, chosenVm));
 

From 9bd17e88998d5718cb4f19c15ce6d5fad7c07014 Mon Sep 17 00:00:00 2001
From: "Michael N. Lipp" <mnl@mnl.de>
Date: Sun, 16 Mar 2025 15:44:27 +0100
Subject: [PATCH 231/274] Update.

---
 .../org/jdrupes/vmoperator/manager/console-footer.ftl.html      | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/org.jdrupes.vmoperator.manager/resources/org/jdrupes/vmoperator/manager/console-footer.ftl.html b/org.jdrupes.vmoperator.manager/resources/org/jdrupes/vmoperator/manager/console-footer.ftl.html
index 8147dca..72596d5 100644
--- a/org.jdrupes.vmoperator.manager/resources/org/jdrupes/vmoperator/manager/console-footer.ftl.html
+++ b/org.jdrupes.vmoperator.manager/resources/org/jdrupes/vmoperator/manager/console-footer.ftl.html
@@ -1,3 +1,3 @@
 <footer>
-Copyright &copy; Michael N. Lipp 2023
+Copyright &copy; Michael N. Lipp 2023, 2025
 </footer>

From fd0f4f8eb2979859fff78821584dcac973eccc99 Mon Sep 17 00:00:00 2001
From: "Michael N. Lipp" <mnl@mnl.de>
Date: Sun, 16 Mar 2025 17:01:36 +0100
Subject: [PATCH 232/274] Fetch display secret only when needed.

---
 .../vmoperator/manager/PodReconciler.java     | 22 ++++++++++++++
 .../vmoperator/manager/Reconciler.java        | 30 +++----------------
 2 files changed, 26 insertions(+), 26 deletions(-)

diff --git a/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/PodReconciler.java b/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/PodReconciler.java
index c3ab422..5e9b409 100644
--- a/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/PodReconciler.java
+++ b/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/PodReconciler.java
@@ -22,12 +22,18 @@ import freemarker.template.Configuration;
 import freemarker.template.TemplateException;
 import io.kubernetes.client.openapi.ApiException;
 import io.kubernetes.client.util.generic.dynamic.Dynamics;
+import io.kubernetes.client.util.generic.options.ListOptions;
 import io.kubernetes.client.util.generic.options.PatchOptions;
 import java.io.IOException;
 import java.io.StringWriter;
 import java.util.Map;
 import java.util.logging.Logger;
+import static org.jdrupes.vmoperator.common.Constants.APP_NAME;
+import org.jdrupes.vmoperator.common.Constants.DisplaySecret;
+import org.jdrupes.vmoperator.common.K8sClient;
 import org.jdrupes.vmoperator.common.K8sV1PodStub;
+import org.jdrupes.vmoperator.common.K8sV1SecretStub;
+import org.jdrupes.vmoperator.common.VmDefinition;
 import org.jdrupes.vmoperator.common.VmDefinition.RequestedVmState;
 import org.jdrupes.vmoperator.manager.events.VmChannel;
 import org.jdrupes.vmoperator.manager.events.VmDefChanged;
@@ -92,6 +98,7 @@ import org.yaml.snakeyaml.constructor.SafeConstructor;
 
         // Create pod. First combine template and data and parse result
         logger.fine(() -> "Create/update pod " + podStub.name());
+        addDisplaySecret(channel.client(), model, vmDef);
         var fmTemplate = fmConfig.getTemplate("runnerPod.ftl.yaml");
         StringWriter out = new StringWriter();
         fmTemplate.process(model, out);
@@ -110,4 +117,19 @@ import org.yaml.snakeyaml.constructor.SafeConstructor;
         }
     }
 
+    private void addDisplaySecret(K8sClient client, Map<String, Object> model,
+            VmDefinition vmDef) throws ApiException {
+        ListOptions options = new ListOptions();
+        options.setLabelSelector("app.kubernetes.io/name=" + APP_NAME + ","
+            + "app.kubernetes.io/component=" + DisplaySecret.NAME + ","
+            + "app.kubernetes.io/instance=" + vmDef.name());
+        var dsStub = K8sV1SecretStub
+            .list(client, vmDef.namespace(), options).stream().findFirst();
+        if (dsStub.isPresent()) {
+            dsStub.get().model().ifPresent(m -> {
+                model.put("displaySecret", m.getMetadata().getName());
+            });
+        }
+    }
+
 }
diff --git a/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/Reconciler.java b/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/Reconciler.java
index 77fa281..fddd5c8 100644
--- a/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/Reconciler.java
+++ b/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/Reconciler.java
@@ -30,7 +30,6 @@ import freemarker.template.TemplateMethodModelEx;
 import freemarker.template.TemplateModelException;
 import io.kubernetes.client.custom.Quantity;
 import io.kubernetes.client.openapi.ApiException;
-import io.kubernetes.client.util.generic.options.ListOptions;
 import java.io.IOException;
 import java.lang.reflect.Modifier;
 import java.math.BigDecimal;
@@ -43,12 +42,8 @@ import java.util.List;
 import java.util.Map;
 import java.util.Optional;
 import java.util.logging.Level;
-import static org.jdrupes.vmoperator.common.Constants.APP_NAME;
-import org.jdrupes.vmoperator.common.Constants.DisplaySecret;
 import org.jdrupes.vmoperator.common.Convertions;
-import org.jdrupes.vmoperator.common.K8sClient;
 import org.jdrupes.vmoperator.common.K8sObserver;
-import org.jdrupes.vmoperator.common.K8sV1SecretStub;
 import org.jdrupes.vmoperator.common.VmDefinition;
 import org.jdrupes.vmoperator.common.VmDefinition.Assignment;
 import org.jdrupes.vmoperator.common.VmPool;
@@ -220,7 +215,7 @@ public class Reconciler extends Component {
 
         // Create model for processing templates
         Map<String, Object> model
-            = prepareModel(channel.client(), event.vmDefinition());
+            = prepareModel(event.vmDefinition());
         cmReconciler.reconcile(model, channel);
 
         // The remaining reconcilers depend only on changes of the spec part.
@@ -251,13 +246,12 @@ public class Reconciler extends Component {
         var vmDef = channel.vmDefinition();
         vmDef.extra().ifPresent(e -> e.resetCount(e.resetCount() + 1));
         Map<String, Object> model
-            = prepareModel(channel.client(), channel.vmDefinition());
+            = prepareModel(channel.vmDefinition());
         cmReconciler.reconcile(model, channel);
     }
 
-    @SuppressWarnings({ "PMD.CognitiveComplexity", "PMD.NPathComplexity" })
-    private Map<String, Object> prepareModel(K8sClient client,
-            VmDefinition vmDef) throws TemplateModelException, ApiException {
+    private Map<String, Object> prepareModel(VmDefinition vmDef)
+            throws TemplateModelException, ApiException {
         @SuppressWarnings("PMD.UseConcurrentHashMap")
         Map<String, Object> model = new HashMap<>();
         model.put("managerVersion",
@@ -267,7 +261,6 @@ public class Reconciler extends Component {
         model.put("reconciler", config);
         model.put("constants", constantsMap(Constants.class));
         addLoginRequestedFor(model, vmDef);
-        addDisplaySecret(client, model, vmDef);
 
         // Methods
         model.put("parseQuantity", parseQuantityModel);
@@ -325,21 +318,6 @@ public class Reconciler extends Component {
             .ifPresent(u -> model.put("loginRequestedFor", u));
     }
 
-    private void addDisplaySecret(K8sClient client, Map<String, Object> model,
-            VmDefinition vmDef) throws ApiException {
-        ListOptions options = new ListOptions();
-        options.setLabelSelector("app.kubernetes.io/name=" + APP_NAME + ","
-            + "app.kubernetes.io/component=" + DisplaySecret.NAME + ","
-            + "app.kubernetes.io/instance=" + vmDef.name());
-        var dsStub = K8sV1SecretStub
-            .list(client, vmDef.namespace(), options).stream().findFirst();
-        if (dsStub.isPresent()) {
-            dsStub.get().model().ifPresent(m -> {
-                model.put("displaySecret", m.getMetadata().getName());
-            });
-        }
-    }
-
     private final TemplateMethodModelEx parseQuantityModel
         = new TemplateMethodModelEx() {
             @Override

From fe18bb3cdf1decc5e10868084075a0347a66f2ce Mon Sep 17 00:00:00 2001
From: "Michael N. Lipp" <mnl@mnl.de>
Date: Sun, 16 Mar 2025 22:09:20 +0100
Subject: [PATCH 233/274] Consolidate debug messages.

---
 .../jdrupes/vmoperator/common/K8sObserver.java  | 17 ++++++++++++-----
 .../vmoperator/manager/AbstractMonitor.java     |  9 +--------
 2 files changed, 13 insertions(+), 13 deletions(-)

diff --git a/org.jdrupes.vmoperator.common/src/org/jdrupes/vmoperator/common/K8sObserver.java b/org.jdrupes.vmoperator.common/src/org/jdrupes/vmoperator/common/K8sObserver.java
index 80e3863..a0cd16c 100644
--- a/org.jdrupes.vmoperator.common/src/org/jdrupes/vmoperator/common/K8sObserver.java
+++ b/org.jdrupes.vmoperator.common/src/org/jdrupes/vmoperator/common/K8sObserver.java
@@ -27,6 +27,7 @@ import io.kubernetes.client.util.generic.GenericKubernetesApi;
 import io.kubernetes.client.util.generic.options.ListOptions;
 import java.time.Duration;
 import java.time.Instant;
+import java.util.Optional;
 import java.util.function.BiConsumer;
 import java.util.logging.Level;
 import java.util.logging.Logger;
@@ -89,10 +90,11 @@ public class K8sObserver<O extends KubernetesObject,
         thread = (Components.useVirtualThreads() ? Thread.ofVirtual()
             : Thread.ofPlatform()).unstarted(() -> {
                 try {
-                    logger
-                        .config(() -> "Watching " + context.getResourcePlural()
-                            + " (" + context.getPreferredVersion() + ")"
-                            + " in " + namespace);
+                    logger.fine(() -> "Observing " + context.getResourcePlural()
+                        + " (" + context.getPreferredVersion() + ")"
+                        + Optional.ofNullable(options.getLabelSelector())
+                            .map(ls -> " with labels " + ls).orElse("")
+                        + " in " + namespace);
 
                     // Watch sometimes terminates without apparent reason.
                     while (!Thread.currentThread().isInterrupted()) {
@@ -102,7 +104,12 @@ public class K8sObserver<O extends KubernetesObject,
                             var changed
                                 = api.watch(namespace, options).iterator();
                             while (changed.hasNext()) {
-                                handler.accept(client, changed.next());
+                                var response = changed.next();
+                                logger.fine(() -> "Resource "
+                                    + context.getKind() + "/"
+                                    + response.object.getMetadata().getName()
+                                    + " " + response.type);
+                                handler.accept(client, response);
                             }
                         } catch (ApiException | RuntimeException e) {
                             logger.log(Level.FINE, e, () -> "Problem watching"
diff --git a/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/AbstractMonitor.java b/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/AbstractMonitor.java
index 56440f9..eb545a3 100644
--- a/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/AbstractMonitor.java
+++ b/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/AbstractMonitor.java
@@ -199,8 +199,6 @@ public abstract class AbstractMonitor<O extends KubernetesObject,
             assert client != null;
             assert context != null;
             assert namespace != null;
-            logger.fine(() -> "Observing " + K8s.toString(context)
-                + " objects in " + namespace);
 
             // Monitor all versions
             for (var version : context.getVersions()) {
@@ -219,12 +217,7 @@ public abstract class AbstractMonitor<O extends KubernetesObject,
         observerCounter.incrementAndGet();
         new K8sObserver<>(objectClass, objectListClass, client,
             K8s.preferred(context, version), namespace, options)
-                .handler((c, r) -> {
-                    logger.fine(() -> "Resource " + context.getKind()
-                        + "/" + r.object.getMetadata().getName() + " "
-                        + r.type);
-                    handleChange(c, r);
-                }).onTerminated((o, t) -> {
+                .handler(this::handleChange).onTerminated((o, t) -> {
                     if (observerCounter.decrementAndGet() == 0) {
                         unregisterAsGenerator();
                     }

From 9644e5fd83f0c6e53d70fa78f7286dcf8d8b1f21 Mon Sep 17 00:00:00 2001
From: "Michael N. Lipp" <mnl@mnl.de>
Date: Sun, 16 Mar 2025 22:33:01 +0100
Subject: [PATCH 234/274] Improve debug message.

---
 .../src/org/jdrupes/vmoperator/common/K8sObserver.java           | 1 +
 1 file changed, 1 insertion(+)

diff --git a/org.jdrupes.vmoperator.common/src/org/jdrupes/vmoperator/common/K8sObserver.java b/org.jdrupes.vmoperator.common/src/org/jdrupes/vmoperator/common/K8sObserver.java
index a0cd16c..f3e10bb 100644
--- a/org.jdrupes.vmoperator.common/src/org/jdrupes/vmoperator/common/K8sObserver.java
+++ b/org.jdrupes.vmoperator.common/src/org/jdrupes/vmoperator/common/K8sObserver.java
@@ -113,6 +113,7 @@ public class K8sObserver<O extends KubernetesObject,
                             }
                         } catch (ApiException | RuntimeException e) {
                             logger.log(Level.FINE, e, () -> "Problem watching"
+                                + " resource " + context.getKind()
                                 + " (will retry): " + e.getMessage());
                             delayRestart(startedAt);
                         }

From efd489b22ff21302ba442815afb22feb56e95c49 Mon Sep 17 00:00:00 2001
From: "Michael N. Lipp" <mnl@mnl.de>
Date: Sun, 16 Mar 2025 22:44:44 +0100
Subject: [PATCH 235/274] Allow VM operator to watch pods.

---
 deploy/vmop-role.yaml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/deploy/vmop-role.yaml b/deploy/vmop-role.yaml
index c96fb47..e1ae7bc 100644
--- a/deploy/vmop-role.yaml
+++ b/deploy/vmop-role.yaml
@@ -38,6 +38,7 @@ rules:
   - persistentvolumeclaims
   - pods
   verbs:
+  - watch
   - list
   - get
   - create

From 5ca45d76202df8b976ec41c1ce72ae26bb6351ec Mon Sep 17 00:00:00 2001
From: "Michael N. Lipp" <mnl@mnl.de>
Date: Sun, 16 Mar 2025 23:12:22 +0100
Subject: [PATCH 236/274] Minor edit.

---
 deploy/vmop-deployment.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/deploy/vmop-deployment.yaml b/deploy/vmop-deployment.yaml
index 4a22d9e..b1f5075 100644
--- a/deploy/vmop-deployment.yaml
+++ b/deploy/vmop-deployment.yaml
@@ -21,12 +21,12 @@ spec:
         - name: vm-operator
           image: >-
             ghcr.io/mnlipp/org.jdrupes.vmoperator.manager:latest
+          imagePullPolicy: Always
           volumeMounts:
             - name: config
               mountPath: /etc/opt/vmoperator
             - name: vmop-image-repository
               mountPath: /var/local/vmop-image-repository
-          imagePullPolicy: Always
           securityContext:
             capabilities:
               drop:

From 3b0a4c8a2314604aadad7af5ae3539ae6f3d8b58 Mon Sep 17 00:00:00 2001
From: "Michael N. Lipp" <mnl@mnl.de>
Date: Mon, 17 Mar 2025 16:49:10 +0100
Subject: [PATCH 237/274] Rate limit for RAM size updates.

---
 .../vmoperator/runner/qemu/StatusUpdater.java | 54 +++++++++++++++++--
 1 file changed, 51 insertions(+), 3 deletions(-)

diff --git a/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/StatusUpdater.java b/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/StatusUpdater.java
index bd4ddb4..17f1915 100644
--- a/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/StatusUpdater.java
+++ b/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/StatusUpdater.java
@@ -31,6 +31,8 @@ import io.kubernetes.client.openapi.JSON;
 import io.kubernetes.client.openapi.models.EventsV1Event;
 import java.io.IOException;
 import java.math.BigDecimal;
+import java.math.BigInteger;
+import java.time.Instant;
 import java.util.Optional;
 import java.util.logging.Level;
 import static org.jdrupes.vmoperator.common.Constants.APP_NAME;
@@ -55,6 +57,8 @@ import org.jdrupes.vmoperator.runner.qemu.events.VmopAgentLoggedIn;
 import org.jdrupes.vmoperator.runner.qemu.events.VmopAgentLoggedOut;
 import org.jdrupes.vmoperator.util.GsonPtr;
 import org.jgrapes.core.Channel;
+import org.jgrapes.core.Components;
+import org.jgrapes.core.Components.Timer;
 import org.jgrapes.core.annotation.Handler;
 import org.jgrapes.core.events.HandlingError;
 import org.jgrapes.core.events.Start;
@@ -62,7 +66,8 @@ import org.jgrapes.core.events.Start;
 /**
  * Updates the CR status.
  */
-@SuppressWarnings("PMD.DataflowAnomalyAnalysis")
+@SuppressWarnings({ "PMD.DataflowAnomalyAnalysis",
+    "PMD.CouplingBetweenObjects" })
 public class StatusUpdater extends VmDefUpdater {
 
     @SuppressWarnings("PMD.FieldNamingConventions")
@@ -76,6 +81,10 @@ public class StatusUpdater extends VmDefUpdater {
     private boolean shutdownByGuest;
     private VmDefinitionStub vmStub;
     private String loggedInUser;
+    private BigInteger lastRamValue;
+    private Instant lastRamChange;
+    private Timer balloonTimer;
+    private BigInteger targetRamValue;
 
     /**
      * Instantiates a new status updater.
@@ -151,6 +160,7 @@ public class StatusUpdater extends VmDefUpdater {
             throws ApiException {
         guestShutdownStops = event.configuration().guestShutdownStops;
         loggedInUser = event.configuration().vm.display.loggedInUser;
+        targetRamValue = event.configuration().vm.currentRam;
 
         // Remainder applies only if we have a connection to k8s.
         if (vmStub == null) {
@@ -279,7 +289,11 @@ public class StatusUpdater extends VmDefUpdater {
     }
 
     /**
-     * On ballon change.
+     * Update the current RAM size in the status. Balloon changes happen
+     * more than once every second during changes. While this is nice
+     * to watch, this puts a heavy load on the system. Therefore we
+     * only update the status once every 15 seconds or when the target
+     * value is reached.
      *
      * @param event the event
      * @throws ApiException 
@@ -289,10 +303,44 @@ public class StatusUpdater extends VmDefUpdater {
         if (vmStub == null) {
             return;
         }
+        Instant now = Instant.now();
+        if (lastRamChange == null
+            || lastRamChange.isBefore(now.minusSeconds(15))
+            || event.size().equals(targetRamValue)) {
+            if (balloonTimer != null) {
+                balloonTimer.cancel();
+                balloonTimer = null;
+            }
+            lastRamChange = now;
+            lastRamValue = event.size();
+            updateRam(lastRamValue);
+            return;
+        }
+
+        // Save for later processing and maybe start timer
+        lastRamChange = now;
+        lastRamValue = event.size();
+        if (balloonTimer != null) {
+            return;
+        }
+        balloonTimer = Components.schedule(t -> {
+            activeEventPipeline().submit("Update RAM size", () -> {
+                try {
+                    updateRam(lastRamValue);
+                } catch (ApiException e) {
+                    logger.log(Level.WARNING, e,
+                        () -> "Failed to update ram size: " + e.getMessage());
+                }
+                balloonTimer = null;
+            });
+        }, now.plusSeconds(15));
+    }
+
+    private void updateRam(BigInteger size) throws ApiException {
         vmStub.updateStatus(from -> {
             JsonObject status = from.statusJson();
             status.addProperty(Status.RAM,
-                new Quantity(new BigDecimal(event.size()), Format.BINARY_SI)
+                new Quantity(new BigDecimal(size), Format.BINARY_SI)
                     .toSuffixedString());
             return status;
         });

From 3686629a2851f4436df3a8ec5c35933ca51f249a Mon Sep 17 00:00:00 2001
From: "Michael N. Lipp" <mnl@mnl.de>
Date: Tue, 18 Mar 2025 16:44:15 +0100
Subject: [PATCH 238/274] Fix race condition.

---
 .../jdrupes/vmoperator/runner/qemu/StatusUpdater.java | 11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)

diff --git a/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/StatusUpdater.java b/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/StatusUpdater.java
index 17f1915..8eaeea8 100644
--- a/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/StatusUpdater.java
+++ b/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/StatusUpdater.java
@@ -313,7 +313,7 @@ public class StatusUpdater extends VmDefUpdater {
             }
             lastRamChange = now;
             lastRamValue = event.size();
-            updateRam(lastRamValue);
+            updateRam();
             return;
         }
 
@@ -323,10 +323,11 @@ public class StatusUpdater extends VmDefUpdater {
         if (balloonTimer != null) {
             return;
         }
+        final var pipeline = activeEventPipeline();
         balloonTimer = Components.schedule(t -> {
-            activeEventPipeline().submit("Update RAM size", () -> {
+            pipeline.submit("Update RAM size", () -> {
                 try {
-                    updateRam(lastRamValue);
+                    updateRam();
                 } catch (ApiException e) {
                     logger.log(Level.WARNING, e,
                         () -> "Failed to update ram size: " + e.getMessage());
@@ -336,11 +337,11 @@ public class StatusUpdater extends VmDefUpdater {
         }, now.plusSeconds(15));
     }
 
-    private void updateRam(BigInteger size) throws ApiException {
+    private void updateRam() throws ApiException {
         vmStub.updateStatus(from -> {
             JsonObject status = from.statusJson();
             status.addProperty(Status.RAM,
-                new Quantity(new BigDecimal(size), Format.BINARY_SI)
+                new Quantity(new BigDecimal(lastRamValue), Format.BINARY_SI)
                     .toSuffixedString());
             return status;
         });

From 9baf9b7673b2848d3c5983922b231d70ac971040 Mon Sep 17 00:00:00 2001
From: "Michael N. Lipp" <mnl@mnl.de>
Date: Tue, 18 Mar 2025 21:48:10 +0100
Subject: [PATCH 239/274] Reset runner info when pod is deleted.

---
 .../vmoperator/manager/Controller.java        | 26 +++++++++++++++++++
 1 file changed, 26 insertions(+)

diff --git a/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/Controller.java b/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/Controller.java
index 5531d8d..54bf831 100644
--- a/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/Controller.java
+++ b/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/Controller.java
@@ -33,10 +33,12 @@ import org.jdrupes.vmoperator.common.Constants.Crd;
 import org.jdrupes.vmoperator.common.Constants.Status;
 import org.jdrupes.vmoperator.common.K8sClient;
 import org.jdrupes.vmoperator.common.K8sDynamicStub;
+import org.jdrupes.vmoperator.common.K8sObserver.ResponseType;
 import org.jdrupes.vmoperator.common.VmDefinitionStub;
 import org.jdrupes.vmoperator.manager.events.ChannelManager;
 import org.jdrupes.vmoperator.manager.events.Exit;
 import org.jdrupes.vmoperator.manager.events.ModifyVm;
+import org.jdrupes.vmoperator.manager.events.PodChanged;
 import org.jdrupes.vmoperator.manager.events.UpdateAssignment;
 import org.jdrupes.vmoperator.manager.events.VmChannel;
 import org.jdrupes.vmoperator.manager.events.VmDefChanged;
@@ -248,4 +250,28 @@ public class Controller extends Component {
         }
         event.setResult(false);
     }
+
+    /**
+     * Remove runner version from status when pod is deleted
+     *
+     * @param event the event
+     * @param channel the channel
+     * @throws ApiException the api exception
+     */
+    @Handler
+    public void onPodChange(PodChanged event, VmChannel channel)
+            throws ApiException {
+        if (event.type() == ResponseType.DELETED) {
+            // Remove runner info from status
+            var vmDef = channel.vmDefinition();
+            var vmStub = VmDefinitionStub.get(channel.client(),
+                new GroupVersionKind(Crd.GROUP, "", Crd.KIND_VM),
+                vmDef.namespace(), vmDef.name());
+            vmStub.updateStatus(from -> {
+                JsonObject status = from.statusJson();
+                status.remove(Status.RUNNER_VERSION);
+                return status;
+            });
+        }
+    }
 }

From dbc89e6e090a7d463dfb92ee6f55e8f3bad7e6eb Mon Sep 17 00:00:00 2001
From: "Michael N. Lipp" <mnl@mnl.de>
Date: Wed, 19 Mar 2025 22:57:58 +0100
Subject: [PATCH 240/274] Avoid unnecessary processing.

---
 .../manager/ConfigMapReconciler.java          | 34 +++++++++++--------
 .../vmoperator/manager/Reconciler.java        |  7 ++--
 2 files changed, 22 insertions(+), 19 deletions(-)

diff --git a/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/ConfigMapReconciler.java b/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/ConfigMapReconciler.java
index e136a31..f133542 100644
--- a/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/ConfigMapReconciler.java
+++ b/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/ConfigMapReconciler.java
@@ -76,13 +76,24 @@ import org.yaml.snakeyaml.constructor.SafeConstructor;
      *
      * @param model the model
      * @param channel the channel
+     * @param modelChanged the model has changed
      * @throws IOException Signals that an I/O exception has occurred.
      * @throws TemplateException the template exception
-     * @throws ApiException the api exception
+     * @throws ApiException the API exception
      */
     @SuppressWarnings("PMD.AvoidDuplicateLiterals")
-    public void reconcile(Map<String, Object> model, VmChannel channel)
+    public void reconcile(Map<String, Object> model, VmChannel channel,
+            boolean modelChanged)
             throws IOException, TemplateException, ApiException {
+        // Check if an update is needed
+        Object prevInputs
+            = channel.associated(PrevData.class, Object.class).orElse(null);
+        Object newInputs = model.get("loginRequestedFor");
+        if (!modelChanged && Objects.equals(prevInputs, newInputs)) {
+            return;
+        }
+        channel.setAssociated(PrevData.class, newInputs);
+
         // Combine template and data and parse result
         model.put("adjustCloudInitMeta", adjustCloudInitMetaModel);
         var fmTemplate = fmConfig.getTemplate("runnerConfig.ftl.yaml");
@@ -107,19 +118,6 @@ import org.yaml.snakeyaml.constructor.SafeConstructor;
                     .get().addProperty("logging.properties", props);
             });
 
-        // Look for changes
-        var oldCm = channel
-            .associated(getClass(), DynamicKubernetesObject.class).orElse(null);
-        channel.setAssociated(getClass(), newCm);
-        if (oldCm != null && Objects.equals(oldCm.getRaw().get("data"),
-            newCm.getRaw().get("data"))) {
-            logger.finer(() -> "No changes in config map for "
-                + DataPath.<String> get(model, "cr", "name").get());
-            model.put("configMapResourceVersion",
-                oldCm.getMetadata().getResourceVersion());
-            return;
-        }
-
         // Get API and update
         DynamicKubernetesApi cmApi = new DynamicKubernetesApi("", "v1",
             "configmaps", channel.client());
@@ -131,6 +129,12 @@ import org.yaml.snakeyaml.constructor.SafeConstructor;
             updatedCm.getMetadata().getResourceVersion());
     }
 
+    /**
+     * Key for association.
+     */
+    private final class PrevData {
+    }
+
     /**
      * Triggers update of config map mounted in pod
      * See https://ahmet.im/blog/kubernetes-secret-volumes-delay/
diff --git a/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/Reconciler.java b/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/Reconciler.java
index fddd5c8..70f684a 100644
--- a/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/Reconciler.java
+++ b/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/Reconciler.java
@@ -214,9 +214,8 @@ public class Reconciler extends Component {
         }
 
         // Create model for processing templates
-        Map<String, Object> model
-            = prepareModel(event.vmDefinition());
-        cmReconciler.reconcile(model, channel);
+        Map<String, Object> model = prepareModel(event.vmDefinition());
+        cmReconciler.reconcile(model, channel, event.specChanged());
 
         // The remaining reconcilers depend only on changes of the spec part.
         if (!event.specChanged()) {
@@ -247,7 +246,7 @@ public class Reconciler extends Component {
         vmDef.extra().ifPresent(e -> e.resetCount(e.resetCount() + 1));
         Map<String, Object> model
             = prepareModel(channel.vmDefinition());
-        cmReconciler.reconcile(model, channel);
+        cmReconciler.reconcile(model, channel, true);
     }
 
     private Map<String, Object> prepareModel(VmDefinition vmDef)

From 16a15bc9ad1930eceb8a617af93e77e662cc554a Mon Sep 17 00:00:00 2001
From: "Michael N. Lipp" <mnl@mnl.de>
Date: Thu, 20 Mar 2025 09:33:10 +0100
Subject: [PATCH 241/274] Document memory allocation.

---
 deploy/vmop-deployment.yaml | 23 +++++++++++++----------
 1 file changed, 13 insertions(+), 10 deletions(-)

diff --git a/deploy/vmop-deployment.yaml b/deploy/vmop-deployment.yaml
index b1f5075..08316f6 100644
--- a/deploy/vmop-deployment.yaml
+++ b/deploy/vmop-deployment.yaml
@@ -22,6 +22,19 @@ spec:
           image: >-
             ghcr.io/mnlipp/org.jdrupes.vmoperator.manager:latest
           imagePullPolicy: Always
+          env:
+          - name: JAVA_OPTS
+            # The VM operator needs about 25 MB of memory, plus 1 MB for
+            # each VM. The reason is that for the sake of effeciency, we
+            # have to keep a parsed representation of the CRD in memory,
+            # which requires about 512 KB per VM. While handling updates,
+            # we temporarily have the old and the new version of the CRD
+            # in memory, so we need another 512 KB per VM.
+            value: "-Xmx128m"
+          resources:
+            requests:
+              cpu: 100m
+              memory: 128Mi
           volumeMounts:
             - name: config
               mountPath: /etc/opt/vmoperator
@@ -33,16 +46,6 @@ spec:
                 - ALL
             readOnlyRootFilesystem: true
             allowPrivilegeEscalation: false
-          resources:
-            requests:
-              cpu: 100m
-              # The VM operator needs about 25 MB of memory, plus 1 MB for
-              # each VM. The reason is that for the sake of effeciency, we
-              # have to keep a parsed representation of the CRD in memory,
-              # which requires about 512 KB per VM. While handling updates,
-              # we temporarily have the old and the new version of the CRD
-              # in memory, so we need another 512 KB per VM.  
-              memory: 256Mi
       volumes:
       - name: config
         configMap:

From 359b1fdb84baf3310eefce7a2ea92d1563a00c3f Mon Sep 17 00:00:00 2001
From: "Michael N. Lipp" <mnl@mnl.de>
Date: Thu, 20 Mar 2025 18:02:14 +0100
Subject: [PATCH 242/274] Clarify pipeline usage.

---
 .../jdrupes/vmoperator/manager/VmMonitor.java  |  3 +--
 .../jdrupes/vmoperator/vmaccess/VmAccess.java  |  9 +++++----
 .../org/jdrupes/vmoperator/vmmgmt/VmMgmt.java  | 18 ++++++++----------
 3 files changed, 14 insertions(+), 16 deletions(-)

diff --git a/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/VmMonitor.java b/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/VmMonitor.java
index f729240..7470f4e 100644
--- a/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/VmMonitor.java
+++ b/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/VmMonitor.java
@@ -310,8 +310,7 @@ public class VmMonitor extends
                 event.setResult(new VmData(vmDef, chosenVm));
 
                 // Make sure that a newly assigned VM is running.
-                chosenVm.pipeline().fire(new ModifyVm(vmDef.name(),
-                    "state", "Running", chosenVm));
+                chosenVm.fire(new ModifyVm(vmDef.name(), "state", "Running"));
                 return;
             }
         }
diff --git a/org.jdrupes.vmoperator.vmaccess/src/org/jdrupes/vmoperator/vmaccess/VmAccess.java b/org.jdrupes.vmoperator.vmaccess/src/org/jdrupes/vmoperator/vmaccess/VmAccess.java
index 91642f1..d3de96e 100644
--- a/org.jdrupes.vmoperator.vmaccess/src/org/jdrupes/vmoperator/vmaccess/VmAccess.java
+++ b/org.jdrupes.vmoperator.vmaccess/src/org/jdrupes/vmoperator/vmaccess/VmAccess.java
@@ -129,6 +129,7 @@ public class VmAccess extends FreeMarkerConlet<VmAccess.ResourceModel> {
     private EventPipeline appPipeline;
     private static ObjectMapper objectMapper
         = new ObjectMapper().registerModule(new JavaTimeModule());
+
     private Class<?> preferredIpVersion = Inet4Address.class;
     private Set<String> syncUsers = Collections.emptySet();
     private Set<String> syncRoles = Collections.emptySet();
@@ -785,12 +786,12 @@ public class VmAccess extends FreeMarkerConlet<VmAccess.ResourceModel> {
         switch (event.method()) {
         case "start":
             if (perms.contains(VmDefinition.Permission.START)) {
-                fire(new ModifyVm(vmName, "state", "Running", vmChannel));
+                vmChannel.fire(new ModifyVm(vmName, "state", "Running"));
             }
             break;
         case "stop":
             if (perms.contains(VmDefinition.Permission.STOP)) {
-                fire(new ModifyVm(vmName, "state", "Stopped", vmChannel));
+                vmChannel.fire(new ModifyVm(vmName, "state", "Stopped"));
             }
             break;
         case "reset":
@@ -800,7 +801,7 @@ public class VmAccess extends FreeMarkerConlet<VmAccess.ResourceModel> {
             break;
         case "resetConfirmed":
             if (perms.contains(VmDefinition.Permission.RESET)) {
-                fire(new ResetVm(vmName), vmChannel);
+                vmChannel.fire(new ResetVm(vmName));
             }
             break;
         case "openConsole":
@@ -838,7 +839,7 @@ public class VmAccess extends FreeMarkerConlet<VmAccess.ResourceModel> {
         }
         var pwQuery = Event.onCompletion(new GetDisplaySecret(vmDef, user),
             e -> gotPassword(channel, model, vmDef, e));
-        fire(pwQuery, vmChannel);
+        vmChannel.fire(pwQuery);
     }
 
     private void gotPassword(ConsoleConnection channel, ResourceModel model,
diff --git a/org.jdrupes.vmoperator.vmmgmt/src/org/jdrupes/vmoperator/vmmgmt/VmMgmt.java b/org.jdrupes.vmoperator.vmmgmt/src/org/jdrupes/vmoperator/vmmgmt/VmMgmt.java
index 3d58d09..f1c5d70 100644
--- a/org.jdrupes.vmoperator.vmmgmt/src/org/jdrupes/vmoperator/vmmgmt/VmMgmt.java
+++ b/org.jdrupes.vmoperator.vmmgmt/src/org/jdrupes/vmoperator/vmmgmt/VmMgmt.java
@@ -423,12 +423,12 @@ public class VmMgmt extends FreeMarkerConlet<VmMgmt.VmsModel> {
         switch (event.method()) {
         case "start":
             if (perms.contains(VmDefinition.Permission.START)) {
-                fire(new ModifyVm(vmName, "state", "Running", vmChannel));
+                vmChannel.fire(new ModifyVm(vmName, "state", "Running"));
             }
             break;
         case "stop":
             if (perms.contains(VmDefinition.Permission.STOP)) {
-                fire(new ModifyVm(vmName, "state", "Stopped", vmChannel));
+                vmChannel.fire(new ModifyVm(vmName, "state", "Stopped"));
             }
             break;
         case "reset":
@@ -438,22 +438,20 @@ public class VmMgmt extends FreeMarkerConlet<VmMgmt.VmsModel> {
             break;
         case "resetConfirmed":
             if (perms.contains(VmDefinition.Permission.RESET)) {
-                fire(new ResetVm(vmName), vmChannel);
+                vmChannel.fire(new ResetVm(vmName));
             }
             break;
         case "openConsole":
             openConsole(channel, model, vmChannel, vmDef, user, perms);
             break;
         case "cpus":
-            fire(new ModifyVm(vmName, "currentCpus",
-                new BigDecimal(event.param(1).toString()).toBigInteger(),
-                vmChannel));
+            vmChannel.fire(new ModifyVm(vmName, "currentCpus",
+                new BigDecimal(event.param(1).toString()).toBigInteger()));
             break;
         case "ram":
-            fire(new ModifyVm(vmName, "currentRam",
+            vmChannel.fire(new ModifyVm(vmName, "currentRam",
                 new Quantity(new BigDecimal(event.param(1).toString()),
-                    Format.BINARY_SI).toSuffixedString(),
-                vmChannel));
+                    Format.BINARY_SI).toSuffixedString()));
             break;
         default:// ignore
             break;
@@ -488,7 +486,7 @@ public class VmMgmt extends FreeMarkerConlet<VmMgmt.VmsModel> {
         }
         var pwQuery = Event.onCompletion(new GetDisplaySecret(vmDef, user),
             e -> gotPassword(channel, model, vmDef, e));
-        fire(pwQuery, vmChannel);
+        vmChannel.fire(pwQuery);
     }
 
     private void gotPassword(ConsoleConnection channel, VmsModel model,

From fe1d56517b763ade0a215c70d717ab6790e67a31 Mon Sep 17 00:00:00 2001
From: "Michael N. Lipp" <mnl@mnl.de>
Date: Thu, 20 Mar 2025 18:29:45 +0100
Subject: [PATCH 243/274] Reorganize handlers.

---
 .../vmoperator/manager/Controller.java        | 166 +++++++++++-------
 .../jdrupes/vmoperator/manager/VmMonitor.java | 158 +++++++----------
 2 files changed, 166 insertions(+), 158 deletions(-)

diff --git a/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/Controller.java b/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/Controller.java
index 54bf831..a2e5aae 100644
--- a/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/Controller.java
+++ b/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/Controller.java
@@ -20,29 +20,33 @@ package org.jdrupes.vmoperator.manager;
 
 import com.google.gson.JsonObject;
 import io.kubernetes.client.apimachinery.GroupVersionKind;
-import io.kubernetes.client.custom.V1Patch;
 import io.kubernetes.client.openapi.ApiException;
 import io.kubernetes.client.openapi.Configuration;
 import java.io.IOException;
-import java.net.HttpURLConnection;
 import java.nio.file.Files;
 import java.nio.file.Path;
 import java.time.Instant;
+import java.util.Comparator;
+import java.util.Optional;
 import java.util.logging.Level;
 import org.jdrupes.vmoperator.common.Constants.Crd;
 import org.jdrupes.vmoperator.common.Constants.Status;
 import org.jdrupes.vmoperator.common.K8sClient;
-import org.jdrupes.vmoperator.common.K8sDynamicStub;
 import org.jdrupes.vmoperator.common.K8sObserver.ResponseType;
+import org.jdrupes.vmoperator.common.VmDefinition.Assignment;
 import org.jdrupes.vmoperator.common.VmDefinitionStub;
+import org.jdrupes.vmoperator.common.VmPool;
+import org.jdrupes.vmoperator.manager.events.AssignVm;
 import org.jdrupes.vmoperator.manager.events.ChannelManager;
 import org.jdrupes.vmoperator.manager.events.Exit;
+import org.jdrupes.vmoperator.manager.events.GetPools;
+import org.jdrupes.vmoperator.manager.events.GetVms;
+import org.jdrupes.vmoperator.manager.events.GetVms.VmData;
 import org.jdrupes.vmoperator.manager.events.ModifyVm;
 import org.jdrupes.vmoperator.manager.events.PodChanged;
 import org.jdrupes.vmoperator.manager.events.UpdateAssignment;
 import org.jdrupes.vmoperator.manager.events.VmChannel;
 import org.jdrupes.vmoperator.manager.events.VmDefChanged;
-import org.jdrupes.vmoperator.util.GsonPtr;
 import org.jgrapes.core.Channel;
 import org.jgrapes.core.Component;
 import org.jgrapes.core.annotation.Handler;
@@ -89,6 +93,7 @@ import org.jgrapes.util.events.ConfigurationUpdate;
 public class Controller extends Component {
 
     private String namespace;
+    private final ChannelManager<String, VmChannel, ?> chanMgr;
 
     /**
      * Creates a new instance.
@@ -97,17 +102,16 @@ public class Controller extends Component {
     public Controller(Channel componentChannel) {
         super(componentChannel);
         // Prepare component tree
-        ChannelManager<String, VmChannel, ?> chanMgr
-            = new ChannelManager<>(name -> {
-                try {
-                    return new VmChannel(channel(), newEventPipeline(),
-                        new K8sClient());
-                } catch (IOException e) {
-                    logger.log(Level.SEVERE, e, () -> "Failed to create client"
-                        + " for handling changes: " + e.getMessage());
-                    return null;
-                }
-            });
+        chanMgr = new ChannelManager<>(name -> {
+            try {
+                return new VmChannel(channel(), newEventPipeline(),
+                    new K8sClient());
+            } catch (IOException e) {
+                logger.log(Level.SEVERE, e, () -> "Failed to create client"
+                    + " for handling changes: " + e.getMessage());
+                return null;
+            }
+        });
         attach(new VmMonitor(channel(), chanMgr));
         attach(new DisplaySecretMonitor(channel(), chanMgr));
         // Currently, we don't use the IP assigned by the load balancer
@@ -181,76 +185,102 @@ public class Controller extends Component {
     }
 
     /**
-     * On modify vm.
+     * Returns the VM data.
      *
      * @param event the event
-     * @throws ApiException the api exception
-     * @throws IOException Signals that an I/O exception has occurred.
      */
     @Handler
-    public void onModifyVm(ModifyVm event, VmChannel channel)
-            throws ApiException, IOException {
-        patchVmDef(channel.client(), event.name(), "spec/vm/" + event.path(),
-            event.value());
-    }
-
-    private void patchVmDef(K8sClient client, String name, String path,
-            Object value) throws ApiException, IOException {
-        var vmStub = K8sDynamicStub.get(client,
-            new GroupVersionKind(Crd.GROUP, "", Crd.KIND_VM), namespace,
-            name);
-
-        // Patch running
-        String valueAsText = value instanceof String
-            ? "\"" + value + "\""
-            : value.toString();
-        var res = vmStub.patch(V1Patch.PATCH_FORMAT_JSON_PATCH,
-            new V1Patch("[{\"op\": \"replace\", \"path\": \"/"
-                + path + "\", \"value\": " + valueAsText + "}]"),
-            client.defaultPatchOptions());
-        if (!res.isPresent()) {
-            logger.warning(
-                () -> "Cannot patch definition for Vm " + vmStub.name());
-        }
+    public void onGetVms(GetVms event) {
+        event.setResult(chanMgr.channels().stream()
+            .filter(c -> event.name().isEmpty()
+                || c.vmDefinition().name().equals(event.name().get()))
+            .filter(c -> event.user().isEmpty() && event.roles().isEmpty()
+                || !c.vmDefinition().permissionsFor(event.user().orElse(null),
+                    event.roles()).isEmpty())
+            .filter(c -> event.fromPool().isEmpty()
+                || c.vmDefinition().assignment().map(Assignment::pool)
+                    .map(p -> p.equals(event.fromPool().get())).orElse(false))
+            .filter(c -> event.toUser().isEmpty()
+                || c.vmDefinition().assignment().map(Assignment::user)
+                    .map(u -> u.equals(event.toUser().get())).orElse(false))
+            .map(c -> new VmData(c.vmDefinition(), c))
+            .toList());
     }
 
     /**
-     * Attempt to Update the assignment information in the status of the
-     * VM CR. Returns true if successful. The handler does not attempt
-     * retries, because in case of failure it will be necessary to
-     * re-evaluate the chosen VM.
+     * Assign a VM if not already assigned.
      *
      * @param event the event
-     * @param channel the channel
      * @throws ApiException the api exception
+     * @throws InterruptedException 
      */
     @Handler
-    public void onUpdatedAssignment(UpdateAssignment event, VmChannel channel)
-            throws ApiException {
-        try {
-            var vmDef = channel.vmDefinition();
-            var vmStub = VmDefinitionStub.get(channel.client(),
-                new GroupVersionKind(Crd.GROUP, "", Crd.KIND_VM),
-                vmDef.namespace(), vmDef.name());
-            if (vmStub.updateStatus(vmDef, from -> {
-                JsonObject status = from.statusJson();
-                var assignment = GsonPtr.to(status).to(Status.ASSIGNMENT);
-                assignment.set("pool", event.fromPool().name());
-                assignment.set("user", event.toUser());
-                assignment.set("lastUsed", Instant.now().toString());
-                return status;
-            }).isPresent()) {
-                event.setResult(true);
+    @SuppressWarnings("PMD.AvoidInstantiatingObjectsInLoops")
+    public void onAssignVm(AssignVm event)
+            throws ApiException, InterruptedException {
+        while (true) {
+            // Search for existing assignment.
+            var vmQuery = chanMgr.channels().stream()
+                .filter(c -> c.vmDefinition().assignment().map(Assignment::pool)
+                    .map(p -> p.equals(event.fromPool())).orElse(false))
+                .filter(c -> c.vmDefinition().assignment().map(Assignment::user)
+                    .map(u -> u.equals(event.toUser())).orElse(false))
+                .findFirst();
+            if (vmQuery.isPresent()) {
+                var vmDef = vmQuery.get().vmDefinition();
+                event.setResult(new VmData(vmDef, vmQuery.get()));
+                return;
             }
-        } catch (ApiException e) {
-            // Log exceptions except for conflict, which can be expected
-            if (HttpURLConnection.HTTP_CONFLICT != e.getCode()) {
-                throw e;
+
+            // Get the pool definition for checking possible assignment
+            VmPool vmPool = newEventPipeline().fire(new GetPools()
+                .withName(event.fromPool())).get().stream().findFirst()
+                .orElse(null);
+            if (vmPool == null) {
+                return;
+            }
+
+            // Find available VM.
+            vmQuery = chanMgr.channels().stream()
+                .filter(c -> vmPool.isAssignable(c.vmDefinition()))
+                .sorted(Comparator.comparing((VmChannel c) -> c.vmDefinition()
+                    .assignment().map(Assignment::lastUsed)
+                    .orElse(Instant.ofEpochSecond(0)))
+                    .thenComparing(preferRunning))
+                .findFirst();
+
+            // None found
+            if (vmQuery.isEmpty()) {
+                return;
+            }
+
+            // Assign to user
+            var chosenVm = vmQuery.get();
+            if (Optional.ofNullable(chosenVm.fire(new UpdateAssignment(
+                vmPool, event.toUser())).get()).orElse(false)) {
+                var vmDef = chosenVm.vmDefinition();
+                event.setResult(new VmData(vmDef, chosenVm));
+
+                // Make sure that a newly assigned VM is running.
+                chosenVm.fire(new ModifyVm(vmDef.name(), "state", "Running"));
+                return;
             }
         }
-        event.setResult(false);
     }
 
+    private static Comparator<VmChannel> preferRunning
+        = new Comparator<>() {
+            @Override
+            public int compare(VmChannel ch1, VmChannel ch2) {
+                if (ch1.vmDefinition().conditionStatus("Running").orElse(false)
+                    && !ch2.vmDefinition().conditionStatus("Running")
+                        .orElse(false)) {
+                    return -1;
+                }
+                return 0;
+            }
+        };
+
     /**
      * Remove runner version from status when pod is deleted
      *
diff --git a/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/VmMonitor.java b/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/VmMonitor.java
index 7470f4e..9e6e5c9 100644
--- a/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/VmMonitor.java
+++ b/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/VmMonitor.java
@@ -18,21 +18,25 @@
 
 package org.jdrupes.vmoperator.manager;
 
+import com.google.gson.JsonObject;
+import io.kubernetes.client.apimachinery.GroupVersionKind;
+import io.kubernetes.client.custom.V1Patch;
 import io.kubernetes.client.openapi.ApiException;
 import io.kubernetes.client.openapi.models.V1ObjectMeta;
 import io.kubernetes.client.util.Watch;
 import io.kubernetes.client.util.generic.options.ListOptions;
 import java.io.IOException;
+import java.net.HttpURLConnection;
 import java.time.Instant;
 import java.util.ArrayList;
 import java.util.Collections;
-import java.util.Comparator;
 import java.util.Objects;
 import java.util.Optional;
 import java.util.Set;
 import java.util.concurrent.atomic.AtomicBoolean;
 import java.util.stream.Collectors;
 import org.jdrupes.vmoperator.common.Constants.Crd;
+import org.jdrupes.vmoperator.common.Constants.Status;
 import org.jdrupes.vmoperator.common.K8s;
 import org.jdrupes.vmoperator.common.K8sClient;
 import org.jdrupes.vmoperator.common.K8sDynamicStub;
@@ -40,23 +44,18 @@ import org.jdrupes.vmoperator.common.K8sObserver.ResponseType;
 import org.jdrupes.vmoperator.common.K8sV1ConfigMapStub;
 import org.jdrupes.vmoperator.common.K8sV1StatefulSetStub;
 import org.jdrupes.vmoperator.common.VmDefinition;
-import org.jdrupes.vmoperator.common.VmDefinition.Assignment;
 import org.jdrupes.vmoperator.common.VmDefinitionStub;
 import org.jdrupes.vmoperator.common.VmDefinitions;
 import org.jdrupes.vmoperator.common.VmExtraData;
-import org.jdrupes.vmoperator.common.VmPool;
 import static org.jdrupes.vmoperator.manager.Constants.APP_NAME;
 import static org.jdrupes.vmoperator.manager.Constants.VM_OP_NAME;
-import org.jdrupes.vmoperator.manager.events.AssignVm;
 import org.jdrupes.vmoperator.manager.events.ChannelManager;
-import org.jdrupes.vmoperator.manager.events.GetPools;
-import org.jdrupes.vmoperator.manager.events.GetVms;
-import org.jdrupes.vmoperator.manager.events.GetVms.VmData;
 import org.jdrupes.vmoperator.manager.events.ModifyVm;
 import org.jdrupes.vmoperator.manager.events.PodChanged;
 import org.jdrupes.vmoperator.manager.events.UpdateAssignment;
 import org.jdrupes.vmoperator.manager.events.VmChannel;
 import org.jdrupes.vmoperator.manager.events.VmDefChanged;
+import org.jdrupes.vmoperator.util.GsonPtr;
 import org.jgrapes.core.Channel;
 import org.jgrapes.core.Event;
 import org.jgrapes.core.annotation.Handler;
@@ -233,100 +232,79 @@ public class VmMonitor extends
     }
 
     /**
-     * Returns the VM data.
-     *
-     * @param event the event
-     */
-    @Handler
-    public void onGetVms(GetVms event) {
-        event.setResult(channelManager.channels().stream()
-            .filter(c -> event.name().isEmpty()
-                || c.vmDefinition().name().equals(event.name().get()))
-            .filter(c -> event.user().isEmpty() && event.roles().isEmpty()
-                || !c.vmDefinition().permissionsFor(event.user().orElse(null),
-                    event.roles()).isEmpty())
-            .filter(c -> event.fromPool().isEmpty()
-                || c.vmDefinition().assignment().map(Assignment::pool)
-                    .map(p -> p.equals(event.fromPool().get())).orElse(false))
-            .filter(c -> event.toUser().isEmpty()
-                || c.vmDefinition().assignment().map(Assignment::user)
-                    .map(u -> u.equals(event.toUser().get())).orElse(false))
-            .map(c -> new VmData(c.vmDefinition(), c))
-            .toList());
-    }
-
-    /**
-     * Assign a VM if not already assigned.
+     * On modify vm.
      *
      * @param event the event
      * @throws ApiException the api exception
-     * @throws InterruptedException 
+     * @throws IOException Signals that an I/O exception has occurred.
      */
     @Handler
-    @SuppressWarnings("PMD.AvoidInstantiatingObjectsInLoops")
-    public void onAssignVm(AssignVm event)
-            throws ApiException, InterruptedException {
-        while (true) {
-            // Search for existing assignment.
-            var vmQuery = channelManager.channels().stream()
-                .filter(c -> c.vmDefinition().assignment().map(Assignment::pool)
-                    .map(p -> p.equals(event.fromPool())).orElse(false))
-                .filter(c -> c.vmDefinition().assignment().map(Assignment::user)
-                    .map(u -> u.equals(event.toUser())).orElse(false))
-                .findFirst();
-            if (vmQuery.isPresent()) {
-                var vmDef = vmQuery.get().vmDefinition();
-                event.setResult(new VmData(vmDef, vmQuery.get()));
-                return;
-            }
+    public void onModifyVm(ModifyVm event, VmChannel channel)
+            throws ApiException, IOException {
+        patchVmDef(channel.client(), event.name(), "spec/vm/" + event.path(),
+            event.value());
+    }
 
-            // Get the pool definition for checking possible assignment
-            VmPool vmPool = newEventPipeline().fire(new GetPools()
-                .withName(event.fromPool())).get().stream().findFirst()
-                .orElse(null);
-            if (vmPool == null) {
-                return;
-            }
+    private void patchVmDef(K8sClient client, String name, String path,
+            Object value) throws ApiException, IOException {
+        var vmStub = K8sDynamicStub.get(client,
+            new GroupVersionKind(Crd.GROUP, "", Crd.KIND_VM), namespace(),
+            name);
 
-            // Find available VM.
-            vmQuery = channelManager.channels().stream()
-                .filter(c -> vmPool.isAssignable(c.vmDefinition()))
-                .sorted(Comparator.comparing((VmChannel c) -> c.vmDefinition()
-                    .assignment().map(Assignment::lastUsed)
-                    .orElse(Instant.ofEpochSecond(0)))
-                    .thenComparing(preferRunning))
-                .findFirst();
-
-            // None found
-            if (vmQuery.isEmpty()) {
-                return;
-            }
-
-            // Assign to user
-            var chosenVm = vmQuery.get();
-            if (Optional.ofNullable(chosenVm.fire(new UpdateAssignment(
-                vmPool, event.toUser())).get()).orElse(false)) {
-                var vmDef = chosenVm.vmDefinition();
-                event.setResult(new VmData(vmDef, chosenVm));
-
-                // Make sure that a newly assigned VM is running.
-                chosenVm.fire(new ModifyVm(vmDef.name(), "state", "Running"));
-                return;
-            }
+        // Patch running
+        String valueAsText = value instanceof String
+            ? "\"" + value + "\""
+            : value.toString();
+        var res = vmStub.patch(V1Patch.PATCH_FORMAT_JSON_PATCH,
+            new V1Patch("[{\"op\": \"replace\", \"path\": \"/"
+                + path + "\", \"value\": " + valueAsText + "}]"),
+            client.defaultPatchOptions());
+        if (!res.isPresent()) {
+            logger.warning(
+                () -> "Cannot patch definition for Vm " + vmStub.name());
         }
     }
 
-    private static Comparator<VmChannel> preferRunning
-        = new Comparator<>() {
-            @Override
-            public int compare(VmChannel ch1, VmChannel ch2) {
-                if (ch1.vmDefinition().conditionStatus("Running").orElse(false)
-                    && !ch2.vmDefinition().conditionStatus("Running")
-                        .orElse(false)) {
-                    return -1;
+    /**
+     * Attempt to Update the assignment information in the status of the
+     * VM CR. Returns true if successful. The handler does not attempt
+     * retries, because in case of failure it will be necessary to
+     * re-evaluate the chosen VM.
+     *
+     * @param event the event
+     * @param channel the channel
+     * @throws ApiException the api exception
+     */
+    @Handler
+    public void onUpdatedAssignment(UpdateAssignment event, VmChannel channel)
+            throws ApiException {
+        try {
+            var vmDef = channel.vmDefinition();
+            var vmStub = VmDefinitionStub.get(channel.client(),
+                new GroupVersionKind(Crd.GROUP, "", Crd.KIND_VM),
+                vmDef.namespace(), vmDef.name());
+            if (vmStub.updateStatus(vmDef, from -> {
+                JsonObject status = from.statusJson();
+                if (event.toUser() == null) {
+                    ((JsonObject) GsonPtr.to(status).get())
+                        .remove(Status.ASSIGNMENT);
+                } else {
+                    var assignment = GsonPtr.to(status).to(Status.ASSIGNMENT);
+                    assignment.set("pool", event.fromPool().name());
+                    assignment.set("user", event.toUser());
+                    assignment.set("lastUsed", Instant.now().toString());
                 }
-                return 0;
+                return status;
+            }).isPresent()) {
+                event.setResult(true);
             }
-        };
+        } catch (ApiException e) {
+            // Log exceptions except for conflict, which can be expected
+            if (HttpURLConnection.HTTP_CONFLICT != e.getCode()) {
+                throw e;
+            }
+        }
+        event.setResult(false);
+    }
 
 }

From d9799df8610551e165bf2818afe1d570af02236e Mon Sep 17 00:00:00 2001
From: "Michael N. Lipp" <mnl@mnl.de>
Date: Thu, 20 Mar 2025 18:46:45 +0100
Subject: [PATCH 244/274] Delete assignments when pool is deleted.

---
 .../vmoperator/manager/Controller.java        | 20 +++++++++++++++++++
 1 file changed, 20 insertions(+)

diff --git a/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/Controller.java b/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/Controller.java
index a2e5aae..ed404c0 100644
--- a/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/Controller.java
+++ b/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/Controller.java
@@ -47,6 +47,7 @@ import org.jdrupes.vmoperator.manager.events.PodChanged;
 import org.jdrupes.vmoperator.manager.events.UpdateAssignment;
 import org.jdrupes.vmoperator.manager.events.VmChannel;
 import org.jdrupes.vmoperator.manager.events.VmDefChanged;
+import org.jdrupes.vmoperator.manager.events.VmPoolChanged;
 import org.jgrapes.core.Channel;
 import org.jgrapes.core.Component;
 import org.jgrapes.core.annotation.Handler;
@@ -281,6 +282,25 @@ public class Controller extends Component {
             }
         };
 
+    /**
+     * When s pool is deleted, remove all related assignments.
+     *
+     * @param event the event
+     * @throws InterruptedException 
+     */
+    @Handler
+    @SuppressWarnings("PMD.AvoidInstantiatingObjectsInLoops")
+    public void onPoolChanged(VmPoolChanged event) throws InterruptedException {
+        if (!event.deleted()) {
+            return;
+        }
+        var vms = newEventPipeline()
+            .fire(new GetVms().assignedFrom(event.vmPool().name())).get();
+        for (var vm : vms) {
+            vm.channel().fire(new UpdateAssignment(event.vmPool(), null));
+        }
+    }
+
     /**
      * Remove runner version from status when pod is deleted
      *

From 331b6d8d61e7056242e765fce64b2e590d3b6a76 Mon Sep 17 00:00:00 2001
From: "Michael N. Lipp" <mnl@mnl.de>
Date: Fri, 21 Mar 2025 09:18:38 +0100
Subject: [PATCH 245/274] Minor edit.

---
 webpages/index.md | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/webpages/index.md b/webpages/index.md
index 3c7101e..34a3c99 100644
--- a/webpages/index.md
+++ b/webpages/index.md
@@ -11,8 +11,8 @@ layout: vm-operator
 
 ![Overview picture](index-pic.svg)
 
-This project provides an easy to use and flexible solution
-for running QEMU/KVM based VMs in Kubernetes pods.
+This project provides an easy to use and flexible solution for
+running QEMU/KVM based virtual machines (VMs) in Kubernetes pods.
 
 The image used for the VM pods combines QEMU and a control program
 for starting and managing the QEMU process. This application is called

From 4bcbafb4f19abc7962245ba0a92c15476018e2d2 Mon Sep 17 00:00:00 2001
From: "Michael N. Lipp" <mnl@mnl.de>
Date: Sat, 22 Mar 2025 11:25:02 +0100
Subject: [PATCH 246/274] Improve label.

---
 .../org/jdrupes/vmoperator/vmmgmt/l10n.properties    | 12 ++++++------
 .../org/jdrupes/vmoperator/vmmgmt/l10n_de.properties | 12 ++++++------
 2 files changed, 12 insertions(+), 12 deletions(-)

diff --git a/org.jdrupes.vmoperator.vmmgmt/resources/org/jdrupes/vmoperator/vmmgmt/l10n.properties b/org.jdrupes.vmoperator.vmmgmt/resources/org/jdrupes/vmoperator/vmmgmt/l10n.properties
index ef55662..95cb839 100644
--- a/org.jdrupes.vmoperator.vmmgmt/resources/org/jdrupes/vmoperator/vmmgmt/l10n.properties
+++ b/org.jdrupes.vmoperator.vmmgmt/resources/org/jdrupes/vmoperator/vmmgmt/l10n.properties
@@ -3,15 +3,15 @@ conletName = VM Management
 VMsSummary = VMs (running/total)
 
 assignedTo = Assigned to
-currentCpus = Current CPUs
-currentRam = Current RAM
+currentCpus = Current vCPUs
+currentRam = Current vRAM
 guestOs = Guest OS
-maximumCpus = Maximum CPUs
-maximumRam = Maximum RAM
+maximumCpus = Maximum vCPUs
+maximumRam = Maximum vRAM
 notInUse = Currently closed
 nodeName = Node
-requestedCpus = Requested CPUs
-requestedRam = Requested RAM
+requestedCpus = Requested vCPUs
+requestedRam = Requested vRAM
 runnerVersion = Runner version
 running = Running
 since = Since
diff --git a/org.jdrupes.vmoperator.vmmgmt/resources/org/jdrupes/vmoperator/vmmgmt/l10n_de.properties b/org.jdrupes.vmoperator.vmmgmt/resources/org/jdrupes/vmoperator/vmmgmt/l10n_de.properties
index b8ece92..abe0d46 100644
--- a/org.jdrupes.vmoperator.vmmgmt/resources/org/jdrupes/vmoperator/vmmgmt/l10n_de.properties
+++ b/org.jdrupes.vmoperator.vmmgmt/resources/org/jdrupes/vmoperator/vmmgmt/l10n_de.properties
@@ -7,15 +7,15 @@ Last\ hour = Letzte Stunde
 Last\ day = Letzter Tag
 
 assignedTo = Zugewiesen an
-currentCpus = Aktuelle CPUs
-currentRam = Akuelles RAM
+currentCpus = Aktuelle vCPUs
+currentRam = Akuelles vRAM
 guestOs = Gast BS
-maximumCpus = Maximale CPUs
-maximumRam = Maximales RAM
+maximumCpus = Maximale vCPUs
+maximumRam = Maximales vRAM
 nodeName = Knoten
 notInUse = Derzeit geschlossen
-requestedCpus = Angeforderte CPUs
-requestedRam = Angefordertes RAM
+requestedCpus = Angeforderte vCPUs
+requestedRam = Angefordertes vRAM
 runnerVersion = Runner-Version
 running = Gestartet
 since = Seit

From 3143a1be93eb0a76ff7d8d30bb2666fb2d11a407 Mon Sep 17 00:00:00 2001
From: "Michael N. Lipp" <mnl@mnl.de>
Date: Mon, 24 Mar 2025 15:04:39 +0100
Subject: [PATCH 247/274] Remove no longer valid optimization.

---
 .../vmoperator/runner/qemu/StatusUpdater.java | 19 +------------------
 1 file changed, 1 insertion(+), 18 deletions(-)

diff --git a/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/StatusUpdater.java b/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/StatusUpdater.java
index 8eaeea8..b5d02c2 100644
--- a/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/StatusUpdater.java
+++ b/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/StatusUpdater.java
@@ -76,7 +76,6 @@ public class StatusUpdater extends VmDefUpdater {
     private static final ObjectMapper objectMapper
         = new ObjectMapper().registerModule(new JavaTimeModule());
 
-    private long observedGeneration;
     private boolean guestShutdownStops;
     private boolean shutdownByGuest;
     private VmDefinitionStub vmStub;
@@ -131,7 +130,6 @@ public class StatusUpdater extends VmDefUpdater {
             if (vmDef == null) {
                 return;
             }
-            observedGeneration = vmDef.getMetadata().getGeneration();
             vmStub.updateStatus(from -> {
                 JsonObject status = from.statusJson();
                 status.addProperty(Status.RUNNER_VERSION, Optional.ofNullable(
@@ -166,21 +164,6 @@ public class StatusUpdater extends VmDefUpdater {
         if (vmStub == null) {
             return;
         }
-
-        // A change of the runner configuration is typically caused
-        // by a new version of the CR. So we update only if we have
-        // a new version of the CR. There's one exception: the display
-        // password is configured by a file, not by the CR.
-        var vmDef = vmStub.model().orElse(null);
-        if (vmDef == null) {
-            return;
-        }
-        if (vmDef.metadata().getGeneration() == observedGeneration
-            && (event.configuration().hasDisplayPassword
-                || vmDef.statusJson().getAsJsonPrimitive(
-                    Status.DISPLAY_PASSWORD_SERIAL).getAsInt() == -1)) {
-            return;
-        }
         vmStub.updateStatus(from -> {
             JsonObject status = from.statusJson();
             if (!event.configuration().hasDisplayPassword) {
@@ -194,7 +177,7 @@ public class StatusUpdater extends VmDefUpdater {
                     from.getMetadata().getGeneration()));
             updateUserLoggedIn(from);
             return status;
-        }, vmDef);
+        });
     }
 
     /**

From e8097d87d9194c2d23a1b9fe91f90d2d7a59f50a Mon Sep 17 00:00:00 2001
From: "Michael N. Lipp" <mnl@mnl.de>
Date: Fri, 28 Mar 2025 18:03:09 +0100
Subject: [PATCH 248/274] Let the operator manage pod restarts.

---
 .../vmoperator/manager/runnerPod.ftl.yaml     |  1 +
 .../manager/ConfigMapReconciler.java          | 16 ++++--
 .../manager/DisplaySecretReconciler.java      |  9 ++--
 .../manager/LoadBalancerReconciler.java       |  6 +--
 .../vmoperator/manager/PodReconciler.java     |  6 +--
 .../vmoperator/manager/PvcReconciler.java     | 19 +++----
 .../vmoperator/manager/Reconciler.java        | 51 ++++++++++++++++---
 .../manager/StatefulSetReconciler.java        | 10 ++--
 8 files changed, 77 insertions(+), 41 deletions(-)

diff --git a/org.jdrupes.vmoperator.manager/resources/org/jdrupes/vmoperator/manager/runnerPod.ftl.yaml b/org.jdrupes.vmoperator.manager/resources/org/jdrupes/vmoperator/manager/runnerPod.ftl.yaml
index 7518ad3..2f082ab 100644
--- a/org.jdrupes.vmoperator.manager/resources/org/jdrupes/vmoperator/manager/runnerPod.ftl.yaml
+++ b/org.jdrupes.vmoperator.manager/resources/org/jdrupes/vmoperator/manager/runnerPod.ftl.yaml
@@ -133,3 +133,4 @@ spec:
   affinity: ${ toJson(spec.affinity) }
   </#if>
   serviceAccountName: vm-runner
+  restartPolicy: Never
diff --git a/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/ConfigMapReconciler.java b/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/ConfigMapReconciler.java
index f133542..161678a 100644
--- a/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/ConfigMapReconciler.java
+++ b/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/ConfigMapReconciler.java
@@ -86,16 +86,20 @@ import org.yaml.snakeyaml.constructor.SafeConstructor;
             boolean modelChanged)
             throws IOException, TemplateException, ApiException {
         // Check if an update is needed
-        Object prevInputs
-            = channel.associated(PrevData.class, Object.class).orElse(null);
+        var prevData = channel.associated(PrevData.class)
+            .orElseGet(() -> new PrevData(null, new HashMap<>()));
         Object newInputs = model.get("loginRequestedFor");
-        if (!modelChanged && Objects.equals(prevInputs, newInputs)) {
+        if (!modelChanged && Objects.equals(prevData.inputs, newInputs)) {
+            // Make added data available in new model
+            model.putAll(prevData.added);
             return;
         }
-        channel.setAssociated(PrevData.class, newInputs);
+        prevData = new PrevData(newInputs, prevData.added);
+        channel.setAssociated(PrevData.class, prevData);
 
         // Combine template and data and parse result
         model.put("adjustCloudInitMeta", adjustCloudInitMetaModel);
+        prevData.added.put("adjustCloudInitMeta", adjustCloudInitMetaModel);
         var fmTemplate = fmConfig.getTemplate("runnerConfig.ftl.yaml");
         StringWriter out = new StringWriter();
         fmTemplate.process(model, out);
@@ -127,12 +131,14 @@ import org.yaml.snakeyaml.constructor.SafeConstructor;
         maybeForceUpdate(channel.client(), updatedCm);
         model.put("configMapResourceVersion",
             updatedCm.getMetadata().getResourceVersion());
+        prevData.added.put("configMapResourceVersion",
+            updatedCm.getMetadata().getResourceVersion());
     }
 
     /**
      * Key for association.
      */
-    private final class PrevData {
+    private record PrevData(Object inputs, Map<String, Object> added) {
     }
 
     /**
diff --git a/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/DisplaySecretReconciler.java b/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/DisplaySecretReconciler.java
index dabffb6..2770347 100644
--- a/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/DisplaySecretReconciler.java
+++ b/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/DisplaySecretReconciler.java
@@ -120,25 +120,24 @@ public class DisplaySecretReconciler extends Component {
      * secret with a random password and immediate expiration, thus
      * preventing access to the display.
      *
-     * @param event the event
+     * @param vmDef the VM definition
      * @param model the model
      * @param channel the channel
      * @throws IOException Signals that an I/O exception has occurred.
      * @throws TemplateException the template exception
      * @throws ApiException the api exception
      */
-    public void reconcile(VmDefChanged event,
-            Map<String, Object> model, VmChannel channel)
+    public void reconcile(VmDefinition vmDef, Map<String, Object> model,
+            VmChannel channel)
             throws IOException, TemplateException, ApiException {
         // Secret needed at all?
-        var display = event.vmDefinition().fromVm("display").get();
+        var display = vmDef.fromVm("display").get();
         if (!DataPath.<Boolean> get(display, "spice", "generateSecret")
             .orElse(true)) {
             return;
         }
 
         // Check if exists
-        var vmDef = event.vmDefinition();
         ListOptions options = new ListOptions();
         options.setLabelSelector("app.kubernetes.io/name=" + APP_NAME + ","
             + "app.kubernetes.io/component=" + DisplaySecret.NAME + ","
diff --git a/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/LoadBalancerReconciler.java b/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/LoadBalancerReconciler.java
index 2d632b9..16af2c8 100644
--- a/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/LoadBalancerReconciler.java
+++ b/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/LoadBalancerReconciler.java
@@ -36,7 +36,6 @@ import java.util.logging.Logger;
 import org.jdrupes.vmoperator.common.K8sV1ServiceStub;
 import org.jdrupes.vmoperator.common.VmDefinition;
 import org.jdrupes.vmoperator.manager.events.VmChannel;
-import org.jdrupes.vmoperator.manager.events.VmDefChanged;
 import org.jdrupes.vmoperator.util.GsonPtr;
 import org.yaml.snakeyaml.LoaderOptions;
 import org.yaml.snakeyaml.Yaml;
@@ -69,14 +68,14 @@ import org.yaml.snakeyaml.constructor.SafeConstructor;
     /**
      * Reconcile.
      *
-     * @param event the event
+     * @param vmDef the VM definition
      * @param model the model
      * @param channel the channel
      * @throws IOException Signals that an I/O exception has occurred.
      * @throws TemplateException the template exception
      * @throws ApiException the api exception
      */
-    public void reconcile(VmDefChanged event,
+    public void reconcile(VmDefinition vmDef,
             Map<String, Object> model, VmChannel channel)
             throws IOException, TemplateException, ApiException {
         // Check if to be generated
@@ -95,7 +94,6 @@ import org.yaml.snakeyaml.constructor.SafeConstructor;
         }
 
         // Load balancer can also be turned off for VM
-        var vmDef = event.vmDefinition();
         if (vmDef
             .<Map<String, Map<String, String>>> fromSpec(LOAD_BALANCER_SERVICE)
             .map(m -> m.isEmpty()).orElse(false)) {
diff --git a/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/PodReconciler.java b/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/PodReconciler.java
index 5e9b409..acda24e 100644
--- a/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/PodReconciler.java
+++ b/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/PodReconciler.java
@@ -36,7 +36,6 @@ import org.jdrupes.vmoperator.common.K8sV1SecretStub;
 import org.jdrupes.vmoperator.common.VmDefinition;
 import org.jdrupes.vmoperator.common.VmDefinition.RequestedVmState;
 import org.jdrupes.vmoperator.manager.events.VmChannel;
-import org.jdrupes.vmoperator.manager.events.VmDefChanged;
 import org.yaml.snakeyaml.LoaderOptions;
 import org.yaml.snakeyaml.Yaml;
 import org.yaml.snakeyaml.constructor.SafeConstructor;
@@ -62,14 +61,14 @@ import org.yaml.snakeyaml.constructor.SafeConstructor;
     /**
      * Reconcile the pod.
      *
-     * @param event the event
+     * @param vmDef the vm def
      * @param model the model
      * @param channel the channel
      * @throws IOException Signals that an I/O exception has occurred.
      * @throws TemplateException the template exception
      * @throws ApiException the api exception
      */
-    public void reconcile(VmDefChanged event, Map<String, Object> model,
+    public void reconcile(VmDefinition vmDef, Map<String, Object> model,
             VmChannel channel)
             throws IOException, TemplateException, ApiException {
         // Don't do anything if stateful set is still in use (pre v3.4)
@@ -78,7 +77,6 @@ import org.yaml.snakeyaml.constructor.SafeConstructor;
         }
 
         // Get pod stub.
-        var vmDef = event.vmDefinition();
         var podStub = K8sV1PodStub.get(channel.client(), vmDef.namespace(),
             vmDef.name());
 
diff --git a/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/PvcReconciler.java b/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/PvcReconciler.java
index 34085f0..107dca7 100644
--- a/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/PvcReconciler.java
+++ b/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/PvcReconciler.java
@@ -38,8 +38,8 @@ import java.util.stream.Collectors;
 import static org.jdrupes.vmoperator.common.Constants.APP_NAME;
 import static org.jdrupes.vmoperator.common.Constants.VM_OP_NAME;
 import org.jdrupes.vmoperator.common.K8sV1PvcStub;
+import org.jdrupes.vmoperator.common.VmDefinition;
 import org.jdrupes.vmoperator.manager.events.VmChannel;
-import org.jdrupes.vmoperator.manager.events.VmDefChanged;
 import org.jdrupes.vmoperator.util.DataPath;
 import org.jdrupes.vmoperator.util.GsonPtr;
 import org.yaml.snakeyaml.LoaderOptions;
@@ -67,7 +67,7 @@ import org.yaml.snakeyaml.constructor.SafeConstructor;
     /**
      * Reconcile the PVCs.
      *
-     * @param event the event
+     * @param vmDef the vm def
      * @param model the model
      * @param channel the channel
      * @throws IOException Signals that an I/O exception has occurred.
@@ -75,11 +75,9 @@ import org.yaml.snakeyaml.constructor.SafeConstructor;
      * @throws ApiException the api exception
      */
     @SuppressWarnings("PMD.AvoidDuplicateLiterals")
-    public void reconcile(VmDefChanged event, Map<String, Object> model,
+    public void reconcile(VmDefinition vmDef, Map<String, Object> model,
             VmChannel channel)
             throws IOException, TemplateException, ApiException {
-        var vmDef = event.vmDefinition();
-
         // Existing disks
         ListOptions listOpts = new ListOptions();
         listOpts.setLabelSelector(
@@ -92,7 +90,7 @@ import org.yaml.snakeyaml.constructor.SafeConstructor;
             .collect(Collectors.toSet());
 
         // Reconcile runner data pvc
-        reconcileRunnerDataPvc(event, model, channel, knownPvcs);
+        reconcileRunnerDataPvc(vmDef, model, channel, knownPvcs);
 
         // Reconcile pvcs for defined disks
         var diskDefs = vmDef.<List<Map<String, Object>>> fromVm("disks")
@@ -117,17 +115,16 @@ import org.yaml.snakeyaml.constructor.SafeConstructor;
 
             // Update PVC
             model.put("disk", diskDef);
-            reconcileRunnerDiskPvc(event, model, channel);
+            reconcileRunnerDiskPvc(vmDef, model, channel);
         }
         model.remove("disk");
     }
 
-    private void reconcileRunnerDataPvc(VmDefChanged event,
+    private void reconcileRunnerDataPvc(VmDefinition vmDef,
             Map<String, Object> model, VmChannel channel,
             Set<String> knownPvcs)
             throws TemplateNotFoundException, MalformedTemplateNameException,
             ParseException, IOException, TemplateException, ApiException {
-        var vmDef = event.vmDefinition();
 
         // Look for old (sts generated) name.
         var stsRunnerDataPvcName
@@ -161,12 +158,10 @@ import org.yaml.snakeyaml.constructor.SafeConstructor;
         }
     }
 
-    private void reconcileRunnerDiskPvc(VmDefChanged event,
+    private void reconcileRunnerDiskPvc(VmDefinition vmDef,
             Map<String, Object> model, VmChannel channel)
             throws TemplateNotFoundException, MalformedTemplateNameException,
             ParseException, IOException, TemplateException, ApiException {
-        var vmDef = event.vmDefinition();
-
         // Generate PVC
         @SuppressWarnings("unchecked")
         var diskDef = (Map<String, Object>) model.get("disk");
diff --git a/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/Reconciler.java b/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/Reconciler.java
index 70f684a..170263e 100644
--- a/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/Reconciler.java
+++ b/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/Reconciler.java
@@ -44,10 +44,12 @@ import java.util.Optional;
 import java.util.logging.Level;
 import org.jdrupes.vmoperator.common.Convertions;
 import org.jdrupes.vmoperator.common.K8sObserver;
+import org.jdrupes.vmoperator.common.K8sObserver.ResponseType;
 import org.jdrupes.vmoperator.common.VmDefinition;
 import org.jdrupes.vmoperator.common.VmDefinition.Assignment;
 import org.jdrupes.vmoperator.common.VmPool;
 import org.jdrupes.vmoperator.manager.events.GetPools;
+import org.jdrupes.vmoperator.manager.events.PodChanged;
 import org.jdrupes.vmoperator.manager.events.ResetVm;
 import org.jdrupes.vmoperator.manager.events.VmChannel;
 import org.jdrupes.vmoperator.manager.events.VmDefChanged;
@@ -213,20 +215,57 @@ public class Reconciler extends Component {
             return;
         }
 
+        // Reconcile
+        reconcile(event, channel);
+    }
+
+    private void reconcile(VmDefChanged event, VmChannel channel)
+            throws TemplateModelException, ApiException, IOException,
+            TemplateException {
         // Create model for processing templates
-        Map<String, Object> model = prepareModel(event.vmDefinition());
+        var vmDef = event.vmDefinition();
+        Map<String, Object> model = prepareModel(vmDef);
         cmReconciler.reconcile(model, channel, event.specChanged());
 
         // The remaining reconcilers depend only on changes of the spec part.
         if (!event.specChanged()) {
             return;
         }
-        dsReconciler.reconcile(event, model, channel);
+        dsReconciler.reconcile(vmDef, model, channel);
         // Manage (eventual) removal of stateful set.
-        stsReconciler.reconcile(event, model, channel);
-        pvcReconciler.reconcile(event, model, channel);
-        podReconciler.reconcile(event, model, channel);
-        lbReconciler.reconcile(event, model, channel);
+        stsReconciler.reconcile(vmDef, model, channel);
+        pvcReconciler.reconcile(vmDef, model, channel);
+        podReconciler.reconcile(vmDef, model, channel);
+        lbReconciler.reconcile(vmDef, model, channel);
+    }
+
+    /**
+     * On pod changed.
+     *
+     * @param event the event
+     * @param channel the channel
+     * @throws ApiException the api exception
+     * @throws IOException Signals that an I/O exception has occurred.
+     * @throws TemplateException the template exception
+     */
+    @Handler
+    public void onPodChanged(PodChanged event, VmChannel channel)
+            throws ApiException, IOException, TemplateException {
+        if (event.type() != ResponseType.DELETED) {
+            // Nothing to reconcile
+            return;
+        }
+
+        // If the pod was deleted, it may be necessary to recreate it
+        var vmDef = channel.vmDefinition();
+        Map<String, Object> model = prepareModel(vmDef);
+
+        // Call all steps because they may augment the model
+        cmReconciler.reconcile(model, channel, false);
+        dsReconciler.reconcile(vmDef, model, channel);
+        stsReconciler.reconcile(vmDef, model, channel);
+        pvcReconciler.reconcile(vmDef, model, channel);
+        podReconciler.reconcile(vmDef, model, channel);
     }
 
     /**
diff --git a/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/StatefulSetReconciler.java b/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/StatefulSetReconciler.java
index 8803e61..854f630 100644
--- a/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/StatefulSetReconciler.java
+++ b/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/StatefulSetReconciler.java
@@ -27,9 +27,9 @@ import java.io.IOException;
 import java.util.Map;
 import java.util.logging.Logger;
 import org.jdrupes.vmoperator.common.K8sV1StatefulSetStub;
+import org.jdrupes.vmoperator.common.VmDefinition;
 import org.jdrupes.vmoperator.common.VmDefinition.RequestedVmState;
 import org.jdrupes.vmoperator.manager.events.VmChannel;
-import org.jdrupes.vmoperator.manager.events.VmDefChanged;
 
 /**
  * Before version 3.4, the pod running the VM was created by a stateful set.
@@ -54,7 +54,7 @@ import org.jdrupes.vmoperator.manager.events.VmDefChanged;
     /**
      * Reconcile stateful set.
      *
-     * @param event the event
+     * @param vmDef the VM definition
      * @param model the model
      * @param channel the channel
      * @throws IOException Signals that an I/O exception has occurred.
@@ -62,14 +62,14 @@ import org.jdrupes.vmoperator.manager.events.VmDefChanged;
      * @throws ApiException the api exception
      */
     @SuppressWarnings("PMD.AvoidLiteralsInIfCondition")
-    public void reconcile(VmDefChanged event, Map<String, Object> model,
+    public void reconcile(VmDefinition vmDef, Map<String, Object> model,
             VmChannel channel)
             throws IOException, TemplateException, ApiException {
         model.put("usingSts", false);
 
         // If exists, delete when not running or supposed to be not running.
         var stsStub = K8sV1StatefulSetStub.get(channel.client(),
-            event.vmDefinition().namespace(), event.vmDefinition().name());
+            vmDef.namespace(), vmDef.name());
         if (stsStub.model().isEmpty()) {
             return;
         }
@@ -88,7 +88,7 @@ import org.jdrupes.vmoperator.manager.events.VmDefChanged;
         // Check if VM is supposed to be stopped. If so,
         // set replicas to 0. This is the first step of the transition,
         // the stateful set will be deleted when the VM is restarted.
-        if (event.vmDefinition().vmState() == RequestedVmState.RUNNING) {
+        if (vmDef.vmState() == RequestedVmState.RUNNING) {
             return;
         }
 

From db49f5ba2fe56f10386c834371da4e955b168668 Mon Sep 17 00:00:00 2001
From: "Michael N. Lipp" <mnl@mnl.de>
Date: Fri, 28 Mar 2025 21:28:55 +0100
Subject: [PATCH 249/274] Restart non-deleted pods.

---
 .../resources/org/jdrupes/vmoperator/manager/runnerPod.ftl.yaml  | 1 -
 1 file changed, 1 deletion(-)

diff --git a/org.jdrupes.vmoperator.manager/resources/org/jdrupes/vmoperator/manager/runnerPod.ftl.yaml b/org.jdrupes.vmoperator.manager/resources/org/jdrupes/vmoperator/manager/runnerPod.ftl.yaml
index 2f082ab..7518ad3 100644
--- a/org.jdrupes.vmoperator.manager/resources/org/jdrupes/vmoperator/manager/runnerPod.ftl.yaml
+++ b/org.jdrupes.vmoperator.manager/resources/org/jdrupes/vmoperator/manager/runnerPod.ftl.yaml
@@ -133,4 +133,3 @@ spec:
   affinity: ${ toJson(spec.affinity) }
   </#if>
   serviceAccountName: vm-runner
-  restartPolicy: Never

From 991763f228dd0d77ff84c80d50b92583348e10dd Mon Sep 17 00:00:00 2001
From: "Michael N. Lipp" <mnl@mnl.de>
Date: Sat, 29 Mar 2025 15:09:38 +0100
Subject: [PATCH 250/274] Optimize state change handling.

---
 .../vmoperator/common/VmDefinition.java       |   4 +-
 .../vmoperator/common/VmExtraData.java        |   4 +-
 .../org/jdrupes/vmoperator/common/VmPool.java |   2 +-
 ...DefChanged.java => VmResourceChanged.java} |  43 ++++---
 .../vmoperator/manager/runnerConfig.ftl.yaml  |   2 +-
 .../vmoperator/manager/Controller.java        |   6 +-
 .../manager/DisplaySecretReconciler.java      |  12 +-
 .../manager/LoadBalancerReconciler.java       |  10 +-
 .../vmoperator/manager/PodMonitor.java        |   5 +-
 .../vmoperator/manager/PodReconciler.java     |   8 +-
 .../vmoperator/manager/PoolMonitor.java       |   5 +-
 .../vmoperator/manager/PvcReconciler.java     |  59 ++++++----
 .../vmoperator/manager/Reconciler.java        |  62 ++--------
 .../manager/StatefulSetReconciler.java        | 107 ------------------
 .../jdrupes/vmoperator/manager/VmMonitor.java |  62 +++++-----
 .../jdrupes/vmoperator/vmaccess/VmAccess.java |   8 +-
 .../org/jdrupes/vmoperator/vmmgmt/VmMgmt.java |  11 +-
 webpages/upgrading.md                         |   4 +
 18 files changed, 152 insertions(+), 262 deletions(-)
 rename org.jdrupes.vmoperator.manager.events/src/org/jdrupes/vmoperator/manager/events/{VmDefChanged.java => VmResourceChanged.java} (75%)
 delete mode 100644 org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/StatefulSetReconciler.java

diff --git a/org.jdrupes.vmoperator.common/src/org/jdrupes/vmoperator/common/VmDefinition.java b/org.jdrupes.vmoperator.common/src/org/jdrupes/vmoperator/common/VmDefinition.java
index f763c47..0a25dd6 100644
--- a/org.jdrupes.vmoperator.common/src/org/jdrupes/vmoperator/common/VmDefinition.java
+++ b/org.jdrupes.vmoperator.common/src/org/jdrupes/vmoperator/common/VmDefinition.java
@@ -300,8 +300,8 @@ public class VmDefinition extends K8sDynamicModel {
      *
      * @return the data
      */
-    public Optional<VmExtraData> extra() {
-        return Optional.ofNullable(extraData);
+    public VmExtraData extra() {
+        return extraData;
     }
 
     /**
diff --git a/org.jdrupes.vmoperator.common/src/org/jdrupes/vmoperator/common/VmExtraData.java b/org.jdrupes.vmoperator.common/src/org/jdrupes/vmoperator/common/VmExtraData.java
index 79f262f..83d9577 100644
--- a/org.jdrupes.vmoperator.common/src/org/jdrupes/vmoperator/common/VmExtraData.java
+++ b/org.jdrupes.vmoperator.common/src/org/jdrupes/vmoperator/common/VmExtraData.java
@@ -112,7 +112,7 @@ public class VmExtraData {
      * @param deleteConnectionFile the delete connection file
      * @return the string
      */
-    public String connectionFile(String password,
+    public Optional<String> connectionFile(String password,
             Class<?> preferredIpVersion, boolean deleteConnectionFile) {
         var addr = displayIp(preferredIpVersion);
         if (addr.isEmpty()) {
@@ -144,7 +144,7 @@ public class VmExtraData {
         if (deleteConnectionFile) {
             data.append("delete-this-file=1\n");
         }
-        return data.toString();
+        return Optional.of(data.toString());
     }
 
     private Optional<InetAddress> displayIp(Class<?> preferredIpVersion) {
diff --git a/org.jdrupes.vmoperator.common/src/org/jdrupes/vmoperator/common/VmPool.java b/org.jdrupes.vmoperator.common/src/org/jdrupes/vmoperator/common/VmPool.java
index 7c13ddb..2bf1c30 100644
--- a/org.jdrupes.vmoperator.common/src/org/jdrupes/vmoperator/common/VmPool.java
+++ b/org.jdrupes.vmoperator.common/src/org/jdrupes/vmoperator/common/VmPool.java
@@ -177,7 +177,7 @@ public class VmPool {
         }
 
         // Additional check in case lastUsed has not been updated
-        // by PoolMonitor#onVmDefChanged() yet ("race condition")
+        // by PoolMonitor#onVmResourceChanged() yet ("race condition")
         if (vmDef.condition("ConsoleConnected")
             .map(cc -> cc.getLastTransitionTime().toInstant())
             .map(this::retainUntil)
diff --git a/org.jdrupes.vmoperator.manager.events/src/org/jdrupes/vmoperator/manager/events/VmDefChanged.java b/org.jdrupes.vmoperator.manager.events/src/org/jdrupes/vmoperator/manager/events/VmResourceChanged.java
similarity index 75%
rename from org.jdrupes.vmoperator.manager.events/src/org/jdrupes/vmoperator/manager/events/VmDefChanged.java
rename to org.jdrupes.vmoperator.manager.events/src/org/jdrupes/vmoperator/manager/events/VmResourceChanged.java
index a8873cf..eac30fb 100644
--- a/org.jdrupes.vmoperator.manager.events/src/org/jdrupes/vmoperator/manager/events/VmDefChanged.java
+++ b/org.jdrupes.vmoperator.manager.events/src/org/jdrupes/vmoperator/manager/events/VmResourceChanged.java
@@ -25,31 +25,35 @@ import org.jgrapes.core.Components;
 import org.jgrapes.core.Event;
 
 /**
- * Indicates a change in a VM definition. Note that the definition
- * consists of the metadata (mostly immutable), the "spec" and the 
- * "status" parts. Consumers that are only interested in "spec" 
- * changes should check {@link #specChanged()} before processing 
- * the event any further. 
+ * Indicates a change in a VM "resource". Note that the resource
+ * combines the VM CR's metadata (mostly immutable), the VM CR's
+ * "spec" part, the VM CR's "status" subresource and state information
+ * from the pod. Consumers that are only interested in "spec" changes
+ * should check {@link #specChanged()} before processing the event any
+ * further. 
  */
 @SuppressWarnings("PMD.DataClass")
-public class VmDefChanged extends Event<Void> {
+public class VmResourceChanged extends Event<Void> {
 
     private final K8sObserver.ResponseType type;
-    private final boolean specChanged;
     private final VmDefinition vmDefinition;
+    private final boolean specChanged;
+    private final boolean podChanged;
 
     /**
      * Instantiates a new VM changed event.
      *
      * @param type the type
-     * @param specChanged the spec part changed
      * @param vmDefinition the VM definition
+     * @param specChanged the spec part changed
      */
-    public VmDefChanged(K8sObserver.ResponseType type, boolean specChanged,
-            VmDefinition vmDefinition) {
+    public VmResourceChanged(K8sObserver.ResponseType type,
+            VmDefinition vmDefinition, boolean specChanged,
+            boolean podChanged) {
         this.type = type;
-        this.specChanged = specChanged;
         this.vmDefinition = vmDefinition;
+        this.specChanged = specChanged;
+        this.podChanged = podChanged;
     }
 
     /**
@@ -61,6 +65,15 @@ public class VmDefChanged extends Event<Void> {
         return type;
     }
 
+    /**
+     * Return the VM definition.
+     *
+     * @return the VM definition
+     */
+    public VmDefinition vmDefinition() {
+        return vmDefinition;
+    }
+
     /**
      * Indicates if the "spec" part changed.
      */
@@ -69,12 +82,10 @@ public class VmDefChanged extends Event<Void> {
     }
 
     /**
-     * Return the VM definition.
-     *
-     * @return the VM definition
+     * Indicates if the pod status changed.
      */
-    public VmDefinition vmDefinition() {
-        return vmDefinition;
+    public boolean podChanged() {
+        return podChanged;
     }
 
     @Override
diff --git a/org.jdrupes.vmoperator.manager/resources/org/jdrupes/vmoperator/manager/runnerConfig.ftl.yaml b/org.jdrupes.vmoperator.manager/resources/org/jdrupes/vmoperator/manager/runnerConfig.ftl.yaml
index 2a59a2c..5dc8d9b 100644
--- a/org.jdrupes.vmoperator.manager/resources/org/jdrupes/vmoperator/manager/runnerConfig.ftl.yaml
+++ b/org.jdrupes.vmoperator.manager/resources/org/jdrupes/vmoperator/manager/runnerConfig.ftl.yaml
@@ -53,7 +53,7 @@ data:
       # i.e. if you start the VM without a value for this property, and
       # decide to trigger a reset later, you have to first set the value
       # and then inrement it.
-      resetCounter: ${ cr.extra().get().resetCount()?c }
+      resetCounter: ${ cr.extra().resetCount()?c }
 
       # Forward the cloud-init data if provided
       <#if spec.cloudInit??>    
diff --git a/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/Controller.java b/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/Controller.java
index ed404c0..eaf2447 100644
--- a/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/Controller.java
+++ b/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/Controller.java
@@ -1,6 +1,6 @@
 /*
  * VM-Operator
- * Copyright (C) 2023 Michael N. Lipp
+ * Copyright (C) 2023, 2025 Michael N. Lipp
  * 
  * This program is free software: you can redistribute it and/or modify
  * it under the terms of the GNU Affero General Public License as
@@ -46,8 +46,8 @@ import org.jdrupes.vmoperator.manager.events.ModifyVm;
 import org.jdrupes.vmoperator.manager.events.PodChanged;
 import org.jdrupes.vmoperator.manager.events.UpdateAssignment;
 import org.jdrupes.vmoperator.manager.events.VmChannel;
-import org.jdrupes.vmoperator.manager.events.VmDefChanged;
 import org.jdrupes.vmoperator.manager.events.VmPoolChanged;
+import org.jdrupes.vmoperator.manager.events.VmResourceChanged;
 import org.jgrapes.core.Channel;
 import org.jgrapes.core.Component;
 import org.jgrapes.core.annotation.Handler;
@@ -61,7 +61,7 @@ import org.jgrapes.util.events.ConfigurationUpdate;
  * 
  * The implementation splits the controller in two components. The
  * {@link VmMonitor} and the {@link Reconciler}. The former watches
- * the VM definitions (CRs) and generates {@link VmDefChanged} events
+ * the VM definitions (CRs) and generates {@link VmResourceChanged} events
  * when they change. The latter handles the changes and reconciles the
  * resources in the cluster.
  * 
diff --git a/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/DisplaySecretReconciler.java b/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/DisplaySecretReconciler.java
index 2770347..5111438 100644
--- a/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/DisplaySecretReconciler.java
+++ b/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/DisplaySecretReconciler.java
@@ -45,7 +45,7 @@ import org.jdrupes.vmoperator.common.VmDefinition;
 import org.jdrupes.vmoperator.common.VmDefinitionStub;
 import org.jdrupes.vmoperator.manager.events.GetDisplaySecret;
 import org.jdrupes.vmoperator.manager.events.VmChannel;
-import org.jdrupes.vmoperator.manager.events.VmDefChanged;
+import org.jdrupes.vmoperator.manager.events.VmResourceChanged;
 import org.jdrupes.vmoperator.util.DataPath;
 import org.jgrapes.core.Channel;
 import org.jgrapes.core.CompletionLock;
@@ -123,13 +123,19 @@ public class DisplaySecretReconciler extends Component {
      * @param vmDef the VM definition
      * @param model the model
      * @param channel the channel
+     * @param specChanged the spec changed
      * @throws IOException Signals that an I/O exception has occurred.
      * @throws TemplateException the template exception
      * @throws ApiException the api exception
      */
     public void reconcile(VmDefinition vmDef, Map<String, Object> model,
-            VmChannel channel)
+            VmChannel channel, boolean specChanged)
             throws IOException, TemplateException, ApiException {
+        // Nothing to do unless spec changed
+        if (!specChanged) {
+            return;
+        }
+
         // Secret needed at all?
         var display = vmDef.fromVm("display").get();
         if (!DataPath.<Boolean> get(display, "spice", "generateSecret")
@@ -292,7 +298,7 @@ public class DisplaySecretReconciler extends Component {
      */
     @Handler
     @SuppressWarnings("PMD.AvoidSynchronizedStatement")
-    public void onVmDefChanged(VmDefChanged event, Channel channel) {
+    public void onVmResourceChanged(VmResourceChanged event, Channel channel) {
         synchronized (pendingPrepares) {
             String vmName = event.vmDefinition().name();
             for (var pending : pendingPrepares) {
diff --git a/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/LoadBalancerReconciler.java b/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/LoadBalancerReconciler.java
index 16af2c8..c0d183b 100644
--- a/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/LoadBalancerReconciler.java
+++ b/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/LoadBalancerReconciler.java
@@ -71,13 +71,19 @@ import org.yaml.snakeyaml.constructor.SafeConstructor;
      * @param vmDef the VM definition
      * @param model the model
      * @param channel the channel
+     * @param specChanged the spec changed
      * @throws IOException Signals that an I/O exception has occurred.
      * @throws TemplateException the template exception
      * @throws ApiException the api exception
      */
-    public void reconcile(VmDefinition vmDef,
-            Map<String, Object> model, VmChannel channel)
+    public void reconcile(VmDefinition vmDef, Map<String, Object> model,
+            VmChannel channel, boolean specChanged)
             throws IOException, TemplateException, ApiException {
+        // Nothing to do unless spec changed
+        if (!specChanged) {
+            return;
+        }
+
         // Check if to be generated
         @SuppressWarnings({ "PMD.AvoidDuplicateLiterals", "unchecked" })
         var lbsDef = Optional.of(model)
diff --git a/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/PodMonitor.java b/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/PodMonitor.java
index 9145d9d..cfb49e5 100644
--- a/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/PodMonitor.java
+++ b/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/PodMonitor.java
@@ -38,7 +38,7 @@ import org.jdrupes.vmoperator.common.K8sV1PodStub;
 import org.jdrupes.vmoperator.manager.events.ChannelDictionary;
 import org.jdrupes.vmoperator.manager.events.PodChanged;
 import org.jdrupes.vmoperator.manager.events.VmChannel;
-import org.jdrupes.vmoperator.manager.events.VmDefChanged;
+import org.jdrupes.vmoperator.manager.events.VmResourceChanged;
 import org.jgrapes.core.Channel;
 import org.jgrapes.core.annotation.Handler;
 
@@ -118,7 +118,8 @@ public class PodMonitor extends AbstractMonitor<V1Pod, V1PodList, VmChannel> {
      * @param channel the channel
      */
     @Handler
-    public void onVmDefChanged(VmDefChanged event, VmChannel channel) {
+    public void onVmResourceChanged(VmResourceChanged event,
+            VmChannel channel) {
         Optional.ofNullable(pendingChanges.remove(event.vmDefinition().name()))
             .map(PendingChange::change).ifPresent(change -> {
                 logger.finer(() -> "Firing pending pod change for "
diff --git a/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/PodReconciler.java b/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/PodReconciler.java
index acda24e..4b7f394 100644
--- a/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/PodReconciler.java
+++ b/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/PodReconciler.java
@@ -64,18 +64,14 @@ import org.yaml.snakeyaml.constructor.SafeConstructor;
      * @param vmDef the vm def
      * @param model the model
      * @param channel the channel
+     * @param specChanged the spec changed
      * @throws IOException Signals that an I/O exception has occurred.
      * @throws TemplateException the template exception
      * @throws ApiException the api exception
      */
     public void reconcile(VmDefinition vmDef, Map<String, Object> model,
-            VmChannel channel)
+            VmChannel channel, boolean specChanged)
             throws IOException, TemplateException, ApiException {
-        // Don't do anything if stateful set is still in use (pre v3.4)
-        if ((Boolean) model.get("usingSts")) {
-            return;
-        }
-
         // Get pod stub.
         var podStub = K8sV1PodStub.get(channel.client(), vmDef.namespace(),
             vmDef.name());
diff --git a/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/PoolMonitor.java b/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/PoolMonitor.java
index 5d85280..1bc323c 100644
--- a/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/PoolMonitor.java
+++ b/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/PoolMonitor.java
@@ -40,8 +40,8 @@ import org.jdrupes.vmoperator.common.VmDefinition.Assignment;
 import org.jdrupes.vmoperator.common.VmDefinitionStub;
 import org.jdrupes.vmoperator.common.VmPool;
 import org.jdrupes.vmoperator.manager.events.GetPools;
-import org.jdrupes.vmoperator.manager.events.VmDefChanged;
 import org.jdrupes.vmoperator.manager.events.VmPoolChanged;
+import org.jdrupes.vmoperator.manager.events.VmResourceChanged;
 import org.jdrupes.vmoperator.util.GsonPtr;
 import org.jgrapes.core.Channel;
 import org.jgrapes.core.EventPipeline;
@@ -142,7 +142,8 @@ public class PoolMonitor extends
      * @throws ApiException 
      */
     @Handler
-    public void onVmDefChanged(VmDefChanged event) throws ApiException {
+    public void onVmResourceChanged(VmResourceChanged event)
+            throws ApiException {
         final var vmDef = event.vmDefinition();
         final String vmName = vmDef.name();
         switch (event.type()) {
diff --git a/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/PvcReconciler.java b/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/PvcReconciler.java
index 107dca7..47aa8be 100644
--- a/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/PvcReconciler.java
+++ b/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/PvcReconciler.java
@@ -67,30 +67,35 @@ import org.yaml.snakeyaml.constructor.SafeConstructor;
     /**
      * Reconcile the PVCs.
      *
-     * @param vmDef the vm def
+     * @param vmDef the VM definition
      * @param model the model
      * @param channel the channel
+     * @param specChanged the spec changed
      * @throws IOException Signals that an I/O exception has occurred.
      * @throws TemplateException the template exception
      * @throws ApiException the api exception
      */
-    @SuppressWarnings("PMD.AvoidDuplicateLiterals")
+    @SuppressWarnings({ "PMD.AvoidDuplicateLiterals", "unchecked" })
     public void reconcile(VmDefinition vmDef, Map<String, Object> model,
-            VmChannel channel)
+            VmChannel channel, boolean specChanged)
             throws IOException, TemplateException, ApiException {
-        // Existing disks
-        ListOptions listOpts = new ListOptions();
-        listOpts.setLabelSelector(
-            "app.kubernetes.io/managed-by=" + VM_OP_NAME + ","
-                + "app.kubernetes.io/name=" + APP_NAME + ","
-                + "app.kubernetes.io/instance=" + vmDef.name());
-        var knownDisks = K8sV1PvcStub.list(channel.client(),
-            vmDef.namespace(), listOpts);
-        var knownPvcs = knownDisks.stream().map(K8sV1PvcStub::name)
-            .collect(Collectors.toSet());
+        Set<String> knownPvcs;
+        if (!specChanged && channel.associated(this, Set.class).isPresent()) {
+            knownPvcs = (Set<String>) channel.associated(this, Set.class).get();
+        } else {
+            ListOptions listOpts = new ListOptions();
+            listOpts.setLabelSelector(
+                "app.kubernetes.io/managed-by=" + VM_OP_NAME + ","
+                    + "app.kubernetes.io/name=" + APP_NAME + ","
+                    + "app.kubernetes.io/instance=" + vmDef.name());
+            knownPvcs = K8sV1PvcStub.list(channel.client(),
+                vmDef.namespace(), listOpts).stream().map(K8sV1PvcStub::name)
+                .collect(Collectors.toSet());
+            channel.setAssociated(this, knownPvcs);
+        }
 
         // Reconcile runner data pvc
-        reconcileRunnerDataPvc(vmDef, model, channel, knownPvcs);
+        reconcileRunnerDataPvc(vmDef, model, channel, knownPvcs, specChanged);
 
         // Reconcile pvcs for defined disks
         var diskDefs = vmDef.<List<Map<String, Object>>> fromVm("disks")
@@ -114,15 +119,13 @@ import org.yaml.snakeyaml.constructor.SafeConstructor;
             }
 
             // Update PVC
-            model.put("disk", diskDef);
-            reconcileRunnerDiskPvc(vmDef, model, channel);
+            reconcileRunnerDiskPvc(vmDef, model, channel, specChanged, diskDef);
         }
-        model.remove("disk");
     }
 
     private void reconcileRunnerDataPvc(VmDefinition vmDef,
             Map<String, Object> model, VmChannel channel,
-            Set<String> knownPvcs)
+            Set<String> knownPvcs, boolean specChanged)
             throws TemplateNotFoundException, MalformedTemplateNameException,
             ParseException, IOException, TemplateException, ApiException {
 
@@ -135,7 +138,12 @@ import org.yaml.snakeyaml.constructor.SafeConstructor;
         }
 
         // Generate PVC
-        model.put("runnerDataPvcName", vmDef.name() + "-runner-data");
+        var runnerDataPvcName = vmDef.name() + "-runner-data";
+        model.put("runnerDataPvcName", runnerDataPvcName);
+        if (!specChanged) {
+            // Augmenting the model is all we have to do
+            return;
+        }
         var fmTemplate = fmConfig.getTemplate("runnerDataPvc.ftl.yaml");
         StringWriter out = new StringWriter();
         fmTemplate.process(model, out);
@@ -159,17 +167,24 @@ import org.yaml.snakeyaml.constructor.SafeConstructor;
     }
 
     private void reconcileRunnerDiskPvc(VmDefinition vmDef,
-            Map<String, Object> model, VmChannel channel)
+            Map<String, Object> model, VmChannel channel, boolean specChanged,
+            Map<String, Object> diskDef)
             throws TemplateNotFoundException, MalformedTemplateNameException,
             ParseException, IOException, TemplateException, ApiException {
         // Generate PVC
-        @SuppressWarnings("unchecked")
-        var diskDef = (Map<String, Object>) model.get("disk");
         var pvcName = vmDef.name() + "-" + diskDef.get("generatedDiskName");
         diskDef.put("generatedPvcName", pvcName);
+        if (!specChanged) {
+            // Augmenting the model is all we have to do
+            return;
+        }
+
+        // Generate PVC
+        model.put("disk", diskDef);
         var fmTemplate = fmConfig.getTemplate("runnerDiskPvc.ftl.yaml");
         StringWriter out = new StringWriter();
         fmTemplate.process(model, out);
+        model.remove("disk");
         // Avoid Yaml.load due to
         // https://github.com/kubernetes-client/java/issues/2741
         var pvcDef = Dynamics.newFromYaml(
diff --git a/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/Reconciler.java b/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/Reconciler.java
index 170263e..700b081 100644
--- a/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/Reconciler.java
+++ b/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/Reconciler.java
@@ -44,15 +44,13 @@ import java.util.Optional;
 import java.util.logging.Level;
 import org.jdrupes.vmoperator.common.Convertions;
 import org.jdrupes.vmoperator.common.K8sObserver;
-import org.jdrupes.vmoperator.common.K8sObserver.ResponseType;
 import org.jdrupes.vmoperator.common.VmDefinition;
 import org.jdrupes.vmoperator.common.VmDefinition.Assignment;
 import org.jdrupes.vmoperator.common.VmPool;
 import org.jdrupes.vmoperator.manager.events.GetPools;
-import org.jdrupes.vmoperator.manager.events.PodChanged;
 import org.jdrupes.vmoperator.manager.events.ResetVm;
 import org.jdrupes.vmoperator.manager.events.VmChannel;
-import org.jdrupes.vmoperator.manager.events.VmDefChanged;
+import org.jdrupes.vmoperator.manager.events.VmResourceChanged;
 import org.jdrupes.vmoperator.util.ExtendedObjectWrapper;
 import org.jgrapes.core.Channel;
 import org.jgrapes.core.Component;
@@ -151,7 +149,6 @@ public class Reconciler extends Component {
     private final Configuration fmConfig;
     private final ConfigMapReconciler cmReconciler;
     private final DisplaySecretReconciler dsReconciler;
-    private final StatefulSetReconciler stsReconciler;
     private final PvcReconciler pvcReconciler;
     private final PodReconciler podReconciler;
     private final LoadBalancerReconciler lbReconciler;
@@ -179,7 +176,6 @@ public class Reconciler extends Component {
 
         cmReconciler = new ConfigMapReconciler(fmConfig);
         dsReconciler = attach(new DisplaySecretReconciler(componentChannel));
-        stsReconciler = new StatefulSetReconciler(fmConfig);
         pvcReconciler = new PvcReconciler(fmConfig);
         podReconciler = new PodReconciler(fmConfig);
         lbReconciler = new LoadBalancerReconciler(fmConfig);
@@ -208,64 +204,27 @@ public class Reconciler extends Component {
      */
     @Handler
     @SuppressWarnings("PMD.ConfusingTernary")
-    public void onVmDefChanged(VmDefChanged event, VmChannel channel)
+    public void onVmResourceChanged(VmResourceChanged event, VmChannel channel)
             throws ApiException, TemplateException, IOException {
         // Ownership relationships takes care of deletions
         if (event.type() == K8sObserver.ResponseType.DELETED) {
             return;
         }
 
-        // Reconcile
-        reconcile(event, channel);
-    }
-
-    private void reconcile(VmDefChanged event, VmChannel channel)
-            throws TemplateModelException, ApiException, IOException,
-            TemplateException {
         // Create model for processing templates
         var vmDef = event.vmDefinition();
         Map<String, Object> model = prepareModel(vmDef);
         cmReconciler.reconcile(model, channel, event.specChanged());
 
-        // The remaining reconcilers depend only on changes of the spec part.
-        if (!event.specChanged()) {
+        // The remaining reconcilers depend only on changes of the spec part
+        // or the pod state.
+        if (!event.specChanged() && !event.podChanged()) {
             return;
         }
-        dsReconciler.reconcile(vmDef, model, channel);
-        // Manage (eventual) removal of stateful set.
-        stsReconciler.reconcile(vmDef, model, channel);
-        pvcReconciler.reconcile(vmDef, model, channel);
-        podReconciler.reconcile(vmDef, model, channel);
-        lbReconciler.reconcile(vmDef, model, channel);
-    }
-
-    /**
-     * On pod changed.
-     *
-     * @param event the event
-     * @param channel the channel
-     * @throws ApiException the api exception
-     * @throws IOException Signals that an I/O exception has occurred.
-     * @throws TemplateException the template exception
-     */
-    @Handler
-    public void onPodChanged(PodChanged event, VmChannel channel)
-            throws ApiException, IOException, TemplateException {
-        if (event.type() != ResponseType.DELETED) {
-            // Nothing to reconcile
-            return;
-        }
-
-        // If the pod was deleted, it may be necessary to recreate it
-        var vmDef = channel.vmDefinition();
-        Map<String, Object> model = prepareModel(vmDef);
-
-        // Call all steps because they may augment the model
-        cmReconciler.reconcile(model, channel, false);
-        dsReconciler.reconcile(vmDef, model, channel);
-        stsReconciler.reconcile(vmDef, model, channel);
-        pvcReconciler.reconcile(vmDef, model, channel);
-        podReconciler.reconcile(vmDef, model, channel);
+        dsReconciler.reconcile(vmDef, model, channel, event.specChanged());
+        pvcReconciler.reconcile(vmDef, model, channel, event.specChanged());
+        podReconciler.reconcile(vmDef, model, channel, event.specChanged());
+        lbReconciler.reconcile(vmDef, model, channel, event.specChanged());
     }
 
     /**
@@ -282,7 +241,8 @@ public class Reconciler extends Component {
     public void onResetVm(ResetVm event, VmChannel channel)
             throws ApiException, IOException, TemplateException {
         var vmDef = channel.vmDefinition();
-        vmDef.extra().ifPresent(e -> e.resetCount(e.resetCount() + 1));
+        var extra = vmDef.extra();
+        extra.resetCount(extra.resetCount() + 1);
         Map<String, Object> model
             = prepareModel(channel.vmDefinition());
         cmReconciler.reconcile(model, channel, true);
diff --git a/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/StatefulSetReconciler.java b/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/StatefulSetReconciler.java
deleted file mode 100644
index 854f630..0000000
--- a/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/StatefulSetReconciler.java
+++ /dev/null
@@ -1,107 +0,0 @@
-/*
- * VM-Operator
- * Copyright (C) 2023 Michael N. Lipp
- * 
- * This program is free software: you can redistribute it and/or modify
- * it under the terms of the GNU Affero General Public License as
- * published by the Free Software Foundation, either version 3 of the
- * License, or (at your option) any later version.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- * GNU Affero General Public License for more details.
- *
- * You should have received a copy of the GNU Affero General Public License
- * along with this program.  If not, see <https://www.gnu.org/licenses/>.
- */
-
-package org.jdrupes.vmoperator.manager;
-
-import freemarker.template.Configuration;
-import freemarker.template.TemplateException;
-import io.kubernetes.client.custom.V1Patch;
-import io.kubernetes.client.openapi.ApiException;
-import io.kubernetes.client.util.generic.options.PatchOptions;
-import java.io.IOException;
-import java.util.Map;
-import java.util.logging.Logger;
-import org.jdrupes.vmoperator.common.K8sV1StatefulSetStub;
-import org.jdrupes.vmoperator.common.VmDefinition;
-import org.jdrupes.vmoperator.common.VmDefinition.RequestedVmState;
-import org.jdrupes.vmoperator.manager.events.VmChannel;
-
-/**
- * Before version 3.4, the pod running the VM was created by a stateful set.
- * Starting with version 3.4, this reconciler simply deletes the stateful
- * set, provided that the VM is not running.
- */
-@SuppressWarnings("PMD.DataflowAnomalyAnalysis")
-/* default */ class StatefulSetReconciler {
-
-    protected final Logger logger = Logger.getLogger(getClass().getName());
-
-    /**
-     * Instantiates a new stateful set reconciler.
-     *
-     * @param fmConfig the fm config
-     */
-    @SuppressWarnings("PMD.UnusedFormalParameter")
-    public StatefulSetReconciler(Configuration fmConfig) {
-        // Nothing to do
-    }
-
-    /**
-     * Reconcile stateful set.
-     *
-     * @param vmDef the VM definition
-     * @param model the model
-     * @param channel the channel
-     * @throws IOException Signals that an I/O exception has occurred.
-     * @throws TemplateException the template exception
-     * @throws ApiException the api exception
-     */
-    @SuppressWarnings("PMD.AvoidLiteralsInIfCondition")
-    public void reconcile(VmDefinition vmDef, Map<String, Object> model,
-            VmChannel channel)
-            throws IOException, TemplateException, ApiException {
-        model.put("usingSts", false);
-
-        // If exists, delete when not running or supposed to be not running.
-        var stsStub = K8sV1StatefulSetStub.get(channel.client(),
-            vmDef.namespace(), vmDef.name());
-        if (stsStub.model().isEmpty()) {
-            return;
-        }
-
-        // Stateful set still exists, check if replicas is 0 so we can
-        // delete it.
-        var stsModel = stsStub.model().get();
-        if (stsModel.getSpec().getReplicas() == 0) {
-            stsStub.delete();
-            return;
-        }
-
-        // Cannot yet delete the stateful set.
-        model.put("usingSts", true);
-
-        // Check if VM is supposed to be stopped. If so,
-        // set replicas to 0. This is the first step of the transition,
-        // the stateful set will be deleted when the VM is restarted.
-        if (vmDef.vmState() == RequestedVmState.RUNNING) {
-            return;
-        }
-
-        // Do apply changes (set replicas to 0)
-        PatchOptions opts = new PatchOptions();
-        opts.setForce(true);
-        opts.setFieldManager("kubernetes-java-kubectl-apply");
-        if (stsStub.patch(V1Patch.PATCH_FORMAT_JSON_PATCH,
-            new V1Patch("[{\"op\": \"replace\", \"path\": \"/spec/replicas"
-                + "\", \"value\": 0}]"),
-            channel.client().defaultPatchOptions()).isEmpty()) {
-            logger.warning(
-                () -> "Could not patch stateful set for " + stsStub.name());
-        }
-    }
-}
diff --git a/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/VmMonitor.java b/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/VmMonitor.java
index 9e6e5c9..09bade8 100644
--- a/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/VmMonitor.java
+++ b/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/VmMonitor.java
@@ -30,7 +30,6 @@ import java.net.HttpURLConnection;
 import java.time.Instant;
 import java.util.ArrayList;
 import java.util.Collections;
-import java.util.Objects;
 import java.util.Optional;
 import java.util.Set;
 import java.util.concurrent.atomic.AtomicBoolean;
@@ -54,7 +53,7 @@ import org.jdrupes.vmoperator.manager.events.ModifyVm;
 import org.jdrupes.vmoperator.manager.events.PodChanged;
 import org.jdrupes.vmoperator.manager.events.UpdateAssignment;
 import org.jdrupes.vmoperator.manager.events.VmChannel;
-import org.jdrupes.vmoperator.manager.events.VmDefChanged;
+import org.jdrupes.vmoperator.manager.events.VmResourceChanged;
 import org.jdrupes.vmoperator.util.GsonPtr;
 import org.jgrapes.core.Channel;
 import org.jgrapes.core.Event;
@@ -157,11 +156,11 @@ public class VmMonitor extends
 
         // Create and fire changed event. Remove channel from channel
         // manager on completion.
-        VmDefChanged chgEvt
-            = new VmDefChanged(ResponseType.valueOf(response.type),
+        VmResourceChanged chgEvt
+            = new VmResourceChanged(ResponseType.valueOf(response.type), vmDef,
                 channel.setGeneration(response.object.getMetadata()
                     .getGeneration()),
-                vmDef);
+                false);
         if (ResponseType.valueOf(response.type) == ResponseType.DELETED) {
             chgEvt = Event.onCompletion(chgEvt,
                 e -> channelManager.remove(e.vmDefinition().name()));
@@ -181,8 +180,7 @@ public class VmMonitor extends
     @SuppressWarnings("PMD.AvoidDuplicateLiterals")
     private void addExtraData(VmDefinition vmDef, VmDefinition prevState) {
         var extra = new VmExtraData(vmDef);
-        var prevExtra
-            = Optional.ofNullable(prevState).flatMap(VmDefinition::extra);
+        var prevExtra = Optional.ofNullable(prevState).map(VmDefinition::extra);
 
         // Maintain (or initialize) the resetCount
         extra.resetCount(prevExtra.map(VmExtraData::resetCount).orElse(0L));
@@ -200,35 +198,35 @@ public class VmMonitor extends
      */
     @Handler
     public void onPodChanged(PodChanged event, VmChannel channel) {
-        if (channel.vmDefinition().extra().isEmpty()) {
-            return;
-        }
-        var extra = channel.vmDefinition().extra().get();
-        var pod = event.pod();
+        var vmDef = channel.vmDefinition();
+        updateNodeInfo(event, vmDef);
+        channel
+            .fire(new VmResourceChanged(ResponseType.MODIFIED, vmDef, false, true));
+    }
+
+    private void updateNodeInfo(PodChanged event, VmDefinition vmDef) {
+        var extra = vmDef.extra();
         if (event.type() == ResponseType.DELETED) {
             // The status of a deleted pod is the status before deletion,
-            // i.e. the node info is still there.
+            // i.e. the node info is still cached and must be removed.
             extra.nodeInfo("", Collections.emptyList());
-        } else {
-            var nodeName = Optional
-                .ofNullable(pod.getSpec().getNodeName()).orElse("");
-            logger.finer(() -> "Adding node name " + nodeName
-                + " to VM info for " + channel.vmDefinition().name());
-            @SuppressWarnings("PMD.AvoidInstantiatingObjectsInLoops")
-            var addrs = new ArrayList<String>();
-            Optional.ofNullable(pod.getStatus().getPodIPs())
-                .orElse(Collections.emptyList()).stream()
-                .map(ip -> ip.getIp()).forEach(addrs::add);
-            logger.finer(() -> "Adding node addresses " + addrs
-                + " to VM info for " + channel.vmDefinition().name());
-            if (Objects.equals(nodeName, extra.nodeName())
-                && Objects.equals(addrs, extra.nodeAddresses())) {
-                return;
-            }
-            extra.nodeInfo(nodeName, addrs);
+            return;
         }
-        channel.fire(new VmDefChanged(ResponseType.MODIFIED, false,
-            channel.vmDefinition()));
+
+        // Get current node info from pod
+        var pod = event.pod();
+        var nodeName = Optional
+            .ofNullable(pod.getSpec().getNodeName()).orElse("");
+        logger.finer(() -> "Adding node name " + nodeName
+            + " to VM info for " + vmDef.name());
+        @SuppressWarnings("PMD.AvoidInstantiatingObjectsInLoops")
+        var addrs = new ArrayList<String>();
+        Optional.ofNullable(pod.getStatus().getPodIPs())
+            .orElse(Collections.emptyList()).stream()
+            .map(ip -> ip.getIp()).forEach(addrs::add);
+        logger.finer(() -> "Adding node addresses " + addrs
+            + " to VM info for " + vmDef.name());
+        extra.nodeInfo(nodeName, addrs);
     }
 
     /**
diff --git a/org.jdrupes.vmoperator.vmaccess/src/org/jdrupes/vmoperator/vmaccess/VmAccess.java b/org.jdrupes.vmoperator.vmaccess/src/org/jdrupes/vmoperator/vmaccess/VmAccess.java
index d3de96e..b48aa7e 100644
--- a/org.jdrupes.vmoperator.vmaccess/src/org/jdrupes/vmoperator/vmaccess/VmAccess.java
+++ b/org.jdrupes.vmoperator.vmaccess/src/org/jdrupes/vmoperator/vmaccess/VmAccess.java
@@ -57,8 +57,8 @@ import org.jdrupes.vmoperator.manager.events.GetVms.VmData;
 import org.jdrupes.vmoperator.manager.events.ModifyVm;
 import org.jdrupes.vmoperator.manager.events.ResetVm;
 import org.jdrupes.vmoperator.manager.events.VmChannel;
-import org.jdrupes.vmoperator.manager.events.VmDefChanged;
 import org.jdrupes.vmoperator.manager.events.VmPoolChanged;
+import org.jdrupes.vmoperator.manager.events.VmResourceChanged;
 import org.jgrapes.core.Channel;
 import org.jgrapes.core.Components;
 import org.jgrapes.core.Event;
@@ -658,7 +658,7 @@ public class VmAccess extends FreeMarkerConlet<VmAccess.ResourceModel> {
     @SuppressWarnings({ "PMD.ConfusingTernary", "PMD.CognitiveComplexity",
         "PMD.AvoidInstantiatingObjectsInLoops", "PMD.AvoidDuplicateLiterals",
         "PMD.ConfusingArgumentToVarargsMethod" })
-    public void onVmDefChanged(VmDefChanged event, VmChannel channel)
+    public void onVmResourceChanged(VmResourceChanged event, VmChannel channel)
             throws IOException, InterruptedException {
         var vmDef = event.vmDefinition();
 
@@ -847,8 +847,8 @@ public class VmAccess extends FreeMarkerConlet<VmAccess.ResourceModel> {
         if (!event.secretAvailable()) {
             return;
         }
-        vmDef.extra().map(xtra -> xtra.connectionFile(event.secret(),
-            preferredIpVersion, deleteConnectionFile))
+        vmDef.extra().connectionFile(event.secret(),
+            preferredIpVersion, deleteConnectionFile)
             .ifPresent(cf -> channel.respond(new NotifyConletView(type(),
                 model.getConletId(), "openConsole", cf)));
     }
diff --git a/org.jdrupes.vmoperator.vmmgmt/src/org/jdrupes/vmoperator/vmmgmt/VmMgmt.java b/org.jdrupes.vmoperator.vmmgmt/src/org/jdrupes/vmoperator/vmmgmt/VmMgmt.java
index f1c5d70..97d6867 100644
--- a/org.jdrupes.vmoperator.vmmgmt/src/org/jdrupes/vmoperator/vmmgmt/VmMgmt.java
+++ b/org.jdrupes.vmoperator.vmmgmt/src/org/jdrupes/vmoperator/vmmgmt/VmMgmt.java
@@ -42,13 +42,12 @@ import org.jdrupes.vmoperator.common.Constants.Status;
 import org.jdrupes.vmoperator.common.K8sObserver;
 import org.jdrupes.vmoperator.common.VmDefinition;
 import org.jdrupes.vmoperator.common.VmDefinition.Permission;
-import org.jdrupes.vmoperator.common.VmExtraData;
 import org.jdrupes.vmoperator.manager.events.ChannelTracker;
 import org.jdrupes.vmoperator.manager.events.GetDisplaySecret;
 import org.jdrupes.vmoperator.manager.events.ModifyVm;
 import org.jdrupes.vmoperator.manager.events.ResetVm;
 import org.jdrupes.vmoperator.manager.events.VmChannel;
-import org.jdrupes.vmoperator.manager.events.VmDefChanged;
+import org.jdrupes.vmoperator.manager.events.VmResourceChanged;
 import org.jdrupes.vmoperator.util.DataPath;
 import org.jgrapes.core.Channel;
 import org.jgrapes.core.Event;
@@ -258,7 +257,7 @@ public class VmMgmt extends FreeMarkerConlet<VmMgmt.VmsModel> {
                 "name", vmDef.name()),
             "spec", spec,
             "status", status,
-            "nodeName", vmDef.extra().map(VmExtraData::nodeName).orElse(""),
+            "nodeName", vmDef.extra().nodeName(),
             "consoleAccessible", vmDef.consoleAccessible(user, perms),
             "permissions", perms);
     }
@@ -274,7 +273,7 @@ public class VmMgmt extends FreeMarkerConlet<VmMgmt.VmsModel> {
     @SuppressWarnings({ "PMD.ConfusingTernary", "PMD.CognitiveComplexity",
         "PMD.AvoidInstantiatingObjectsInLoops", "PMD.AvoidDuplicateLiterals",
         "PMD.ConfusingArgumentToVarargsMethod" })
-    public void onVmDefChanged(VmDefChanged event, VmChannel channel)
+    public void onVmResourceChanged(VmResourceChanged event, VmChannel channel)
             throws IOException {
         var vmName = event.vmDefinition().name();
         if (event.type() == K8sObserver.ResponseType.DELETED) {
@@ -494,8 +493,8 @@ public class VmMgmt extends FreeMarkerConlet<VmMgmt.VmsModel> {
         if (!event.secretAvailable()) {
             return;
         }
-        vmDef.extra().map(xtra -> xtra.connectionFile(event.secret(),
-            preferredIpVersion, deleteConnectionFile)).ifPresent(
+        vmDef.extra().connectionFile(event.secret(),
+            preferredIpVersion, deleteConnectionFile).ifPresent(
                 cf -> channel.respond(new NotifyConletView(type(),
                     model.getConletId(), "openConsole", cf)));
     }
diff --git a/webpages/upgrading.md b/webpages/upgrading.md
index a590bcc..644dce6 100644
--- a/webpages/upgrading.md
+++ b/webpages/upgrading.md
@@ -34,6 +34,10 @@ layout: vm-operator
     update the template manually. If you're using your own template, you
     have to add a virtual serial port (see the git history of the standard
     template for the required addition).
+    
+  * Stateful sets from pre 3.4.0 versions are no longer removed automatically
+    (see notes below). However, PVCs with the old naming scheme are still
+    reused.
 
 ## To version 3.4.0
 

From f30ea79abb3b52a378a123fc04e7b04e363b5767 Mon Sep 17 00:00:00 2001
From: "Michael N. Lipp" <mnl@mnl.de>
Date: Sat, 29 Mar 2025 17:41:01 +0100
Subject: [PATCH 251/274] Minor editorial changes.

---
 dev-example/Readme.md | 4 ++--
 webpages/upgrading.md | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/dev-example/Readme.md b/dev-example/Readme.md
index ba381e1..d794b24 100644
--- a/dev-example/Readme.md
+++ b/dev-example/Readme.md
@@ -3,9 +3,9 @@
 The CRD must be deployed independently. Apart from that, the
 `kustomize.yaml`
 
-* creates a small cdrom image repository and
+  * creates a small cdrom image repository and
 
-* deploys the operator in namespace `vmop-dev` with a replica of 0.
+  * deploys the operator in namespace `vmop-dev` with a replica of 0.
 
 This allows you to run the manager in your IDE.
 
diff --git a/webpages/upgrading.md b/webpages/upgrading.md
index 644dce6..f3119b0 100644
--- a/webpages/upgrading.md
+++ b/webpages/upgrading.md
@@ -34,7 +34,7 @@ layout: vm-operator
     update the template manually. If you're using your own template, you
     have to add a virtual serial port (see the git history of the standard
     template for the required addition).
-    
+
   * Stateful sets from pre 3.4.0 versions are no longer removed automatically
     (see notes below). However, PVCs with the old naming scheme are still
     reused.

From c79d678a2a8928e6ba9a78ea9e7748d36e71665d Mon Sep 17 00:00:00 2001
From: "Michael N. Lipp" <mnl@mnl.de>
Date: Sat, 29 Mar 2025 18:38:09 +0100
Subject: [PATCH 252/274] More consistent logging.

---
 .../org/jdrupes/vmoperator/manager/ConfigMapReconciler.java   | 2 ++
 .../src/org/jdrupes/vmoperator/manager/Controller.java        | 2 +-
 .../jdrupes/vmoperator/manager/DisplaySecretReconciler.java   | 4 +++-
 .../jdrupes/vmoperator/manager/LoadBalancerReconciler.java    | 3 +++
 .../src/org/jdrupes/vmoperator/manager/Manager.java           | 2 +-
 .../src/org/jdrupes/vmoperator/manager/PvcReconciler.java     | 2 ++
 6 files changed, 12 insertions(+), 3 deletions(-)

diff --git a/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/ConfigMapReconciler.java b/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/ConfigMapReconciler.java
index 161678a..264a166 100644
--- a/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/ConfigMapReconciler.java
+++ b/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/ConfigMapReconciler.java
@@ -98,6 +98,8 @@ import org.yaml.snakeyaml.constructor.SafeConstructor;
         channel.setAssociated(PrevData.class, prevData);
 
         // Combine template and data and parse result
+        logger.fine(() -> "Create/update configmap "
+            + DataPath.<String> get(model, "cr", "name").orElse("unknown"));
         model.put("adjustCloudInitMeta", adjustCloudInitMetaModel);
         prevData.added.put("adjustCloudInitMeta", adjustCloudInitMetaModel);
         var fmTemplate = fmConfig.getTemplate("runnerConfig.ftl.yaml");
diff --git a/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/Controller.java b/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/Controller.java
index eaf2447..c15acc5 100644
--- a/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/Controller.java
+++ b/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/Controller.java
@@ -182,7 +182,7 @@ public class Controller extends Component {
             fire(new Exit(2));
             return;
         }
-        logger.fine(() -> "Controlling namespace \"" + namespace + "\".");
+        logger.config(() -> "Controlling namespace \"" + namespace + "\".");
     }
 
     /**
diff --git a/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/DisplaySecretReconciler.java b/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/DisplaySecretReconciler.java
index 5111438..60d27d4 100644
--- a/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/DisplaySecretReconciler.java
+++ b/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/DisplaySecretReconciler.java
@@ -155,9 +155,11 @@ public class DisplaySecretReconciler extends Component {
         }
 
         // Create secret
+        var secretName = vmDef.name() + "-" + DisplaySecret.NAME;
+        logger.fine(() -> "Create/update secret " + secretName);
         var secret = new V1Secret();
         secret.setMetadata(new V1ObjectMeta().namespace(vmDef.namespace())
-            .name(vmDef.name() + "-" + DisplaySecret.NAME)
+            .name(secretName)
             .putLabelsItem("app.kubernetes.io/name", APP_NAME)
             .putLabelsItem("app.kubernetes.io/component", DisplaySecret.NAME)
             .putLabelsItem("app.kubernetes.io/instance", vmDef.name()));
diff --git a/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/LoadBalancerReconciler.java b/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/LoadBalancerReconciler.java
index c0d183b..d190cef 100644
--- a/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/LoadBalancerReconciler.java
+++ b/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/LoadBalancerReconciler.java
@@ -36,6 +36,7 @@ import java.util.logging.Logger;
 import org.jdrupes.vmoperator.common.K8sV1ServiceStub;
 import org.jdrupes.vmoperator.common.VmDefinition;
 import org.jdrupes.vmoperator.manager.events.VmChannel;
+import org.jdrupes.vmoperator.util.DataPath;
 import org.jdrupes.vmoperator.util.GsonPtr;
 import org.yaml.snakeyaml.LoaderOptions;
 import org.yaml.snakeyaml.Yaml;
@@ -107,6 +108,8 @@ import org.yaml.snakeyaml.constructor.SafeConstructor;
         }
 
         // Combine template and data and parse result
+        logger.fine(() -> "Create/update load balancer service for "
+            + DataPath.<String> get(model, "cr", "name").orElse("unknown"));
         var fmTemplate = fmConfig.getTemplate("runnerLoadBalancer.ftl.yaml");
         StringWriter out = new StringWriter();
         fmTemplate.process(model, out);
diff --git a/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/Manager.java b/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/Manager.java
index 9d291cf..41b59f9 100644
--- a/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/Manager.java
+++ b/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/Manager.java
@@ -264,7 +264,7 @@ public class Manager extends Component {
      */
     @Handler(priority = -1000)
     public void onStop(Stop event) {
-        logger.fine(() -> "Application stopped.");
+        logger.info(() -> "Application stopped.");
     }
 
     static {
diff --git a/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/PvcReconciler.java b/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/PvcReconciler.java
index 47aa8be..e297183 100644
--- a/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/PvcReconciler.java
+++ b/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/PvcReconciler.java
@@ -139,6 +139,7 @@ import org.yaml.snakeyaml.constructor.SafeConstructor;
 
         // Generate PVC
         var runnerDataPvcName = vmDef.name() + "-runner-data";
+        logger.fine(() -> "Create/update pvc " + runnerDataPvcName);
         model.put("runnerDataPvcName", runnerDataPvcName);
         if (!specChanged) {
             // Augmenting the model is all we have to do
@@ -180,6 +181,7 @@ import org.yaml.snakeyaml.constructor.SafeConstructor;
         }
 
         // Generate PVC
+        logger.fine(() -> "Create/update pvc " + pvcName);
         model.put("disk", diskDef);
         var fmTemplate = fmConfig.getTemplate("runnerDiskPvc.ftl.yaml");
         StringWriter out = new StringWriter();

From c716e32534918af32700d72555106efb98e6f1f1 Mon Sep 17 00:00:00 2001
From: "Michael N. Lipp" <mnl@mnl.de>
Date: Sun, 30 Mar 2025 11:42:03 +0200
Subject: [PATCH 253/274] Make tests work again.

---
 .../test-resources/basic-vm.yaml              |   4 +-
 .../test-resources/kustomization.yaml         | 111 ++++++++++++++++++
 .../vmoperator/manager/BasicTests.java        |  28 ++---
 3 files changed, 127 insertions(+), 16 deletions(-)
 create mode 100644 org.jdrupes.vmoperator.manager/test-resources/kustomization.yaml

diff --git a/org.jdrupes.vmoperator.manager/test-resources/basic-vm.yaml b/org.jdrupes.vmoperator.manager/test-resources/basic-vm.yaml
index 54ea110..36054a2 100644
--- a/org.jdrupes.vmoperator.manager/test-resources/basic-vm.yaml
+++ b/org.jdrupes.vmoperator.manager/test-resources/basic-vm.yaml
@@ -1,8 +1,8 @@
 apiVersion: "vmoperator.jdrupes.org/v1"
 kind: VirtualMachine
 metadata:
-  namespace: vmop-dev
-  name: unittest-vm
+  namespace: vmop-test
+  name: test-vm
 spec:
   image:
     repository: docker-registry.lan.mnl.de
diff --git a/org.jdrupes.vmoperator.manager/test-resources/kustomization.yaml b/org.jdrupes.vmoperator.manager/test-resources/kustomization.yaml
new file mode 100644
index 0000000..3a8451e
--- /dev/null
+++ b/org.jdrupes.vmoperator.manager/test-resources/kustomization.yaml
@@ -0,0 +1,111 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+- ../../deploy
+
+namespace: vmop-test
+
+patches:
+- patch: |-
+    kind: PersistentVolumeClaim
+    apiVersion: v1
+    metadata:
+      name: vmop-image-repository
+    spec:
+      accessModes:
+      - ReadWriteOnce
+      resources:
+        requests:
+          storage: 10Gi
+      storageClassName: local-path
+
+- patch: |-
+    kind: ConfigMap
+    apiVersion: v1
+    metadata:
+      name: vm-operator
+    data:
+      # Keep in sync with config.yaml
+      config.yaml: |
+        "/Manager":
+          # clusterName: "test"
+          "/Controller":
+            "/Reconciler":
+              runnerData:
+                storageClassName: null
+              loadBalancerService:
+                labels:
+                  label1: label1
+                  label2: toBeReplaced
+                annotations:
+                  metallb.universe.tf/loadBalancerIPs: 192.168.168.1
+                  metallb.universe.tf/ip-allocated-from-pool: single-common
+                  metallb.universe.tf/allow-shared-ip: single-common
+          "/GuiSocketServer":
+            port: 8888
+          "/GuiHttpServer":
+            # This configures the GUI
+            "/ConsoleWeblet":
+              "/WebConsole":
+                "/LoginConlet":
+                  users:
+                  - name: admin
+                    fullName: Administrator
+                    password: "$2b$05$NiBd74ZGdplLC63ePZf1f.UtjMKkbQ23cQoO2OKOFalDBHWAOy21."
+                  - name: test1
+                    fullName: Test Account
+                    password: "$2b$05$hZaI/jToXf/d3BctZdT38Or7H7h6Pn2W3WiB49p5AyhDHFkkYCvo2"
+                  - name: test2
+                    fullName: Test Account
+                    password: "$2b$05$hZaI/jToXf/d3BctZdT38Or7H7h6Pn2W3WiB49p5AyhDHFkkYCvo2"
+                  - name: test3
+                    fullName: Test Account
+                    password: "$2b$05$hZaI/jToXf/d3BctZdT38Or7H7h6Pn2W3WiB49p5AyhDHFkkYCvo2"
+                "/RoleConfigurator":
+                  rolesByUser:
+                    # User admin has role admin
+                    admin:
+                    - admin
+                    test1:
+                    - user
+                    test2:
+                    - user
+                    test3:
+                    - user
+                    # All users have role other
+                    "*":
+                    - other
+                  replace: false
+                "/RoleConletFilter":
+                  conletTypesByRole:
+                    # Admins can use all conlets
+                    admin:
+                    - "*"
+                    user:
+                    - org.jdrupes.vmoperator.vmviewer.VmViewer
+                    # Others cannot use any conlet (except login conlet to log out)
+                    other:
+                    - org.jgrapes.webconlet.locallogin.LoginConlet
+                "/ComponentCollector":
+                  "/VmAccess":
+                    displayResource:
+                      preferredIpVersion: ipv4
+                    syncPreviewsFor:
+                    - role: user
+- target:
+    group: apps
+    version: v1
+    kind: Deployment
+    name: vm-operator
+  patch: |-
+    - op: replace
+      path: /spec/template/spec/containers/0/image
+      value: docker-registry.lan.mnl.de/vmoperator/org.jdrupes.vmoperator.manager:test
+    - op: replace
+      path: /spec/template/spec/containers/0/imagePullPolicy
+      value: Always
+    - op: replace
+      path: /spec/replicas
+      value: 0
+      
\ No newline at end of file
diff --git a/org.jdrupes.vmoperator.manager/test/org/jdrupes/vmoperator/manager/BasicTests.java b/org.jdrupes.vmoperator.manager/test/org/jdrupes/vmoperator/manager/BasicTests.java
index 03db0d2..d600d3c 100644
--- a/org.jdrupes.vmoperator.manager/test/org/jdrupes/vmoperator/manager/BasicTests.java
+++ b/org.jdrupes.vmoperator.manager/test/org/jdrupes/vmoperator/manager/BasicTests.java
@@ -41,7 +41,7 @@ class BasicTests {
     private static APIResource vmsContext;
     private static K8sV1DeploymentStub mgrDeployment;
     private static K8sDynamicStub vmStub;
-    private static final String VM_NAME = "unittest-vm";
+    private static final String VM_NAME = "test-vm";
     private static final Object EXISTS = new Object();
 
     @BeforeAll
@@ -54,7 +54,7 @@ class BasicTests {
 
         // Update manager pod by scaling deployment
         mgrDeployment
-            = K8sV1DeploymentStub.get(client, "vmop-dev", "vm-operator");
+            = K8sV1DeploymentStub.get(client, "vmop-test", "vm-operator");
         mgrDeployment.scale(0);
         mgrDeployment.scale(1);
         waitForManager();
@@ -65,13 +65,13 @@ class BasicTests {
         vmsContext = apiRes.get();
 
         // Cleanup existing VM
-        K8sDynamicStub.get(client, vmsContext, "vmop-dev", VM_NAME)
+        K8sDynamicStub.get(client, vmsContext, "vmop-test", VM_NAME)
             .delete();
         ListOptions listOpts = new ListOptions();
         listOpts.setLabelSelector("app.kubernetes.io/name=" + APP_NAME + ","
             + "app.kubernetes.io/instance=" + VM_NAME + ","
             + "app.kubernetes.io/component=" + DisplaySecret.NAME);
-        var secrets = K8sV1SecretStub.list(client, "vmop-dev", listOpts);
+        var secrets = K8sV1SecretStub.list(client, "vmop-test", listOpts);
         for (var secret : secrets) {
             secret.delete();
         }
@@ -103,7 +103,7 @@ class BasicTests {
             "app.kubernetes.io/managed-by=" + VM_OP_NAME + ","
                 + "app.kubernetes.io/name=" + APP_NAME + ","
                 + "app.kubernetes.io/instance=" + VM_NAME);
-        var knownPvcs = K8sV1PvcStub.list(client, "vmop-dev", listOpts);
+        var knownPvcs = K8sV1PvcStub.list(client, "vmop-test", listOpts);
         for (var pvc : knownPvcs) {
             pvc.delete();
         }
@@ -112,7 +112,7 @@ class BasicTests {
     @AfterAll
     static void tearDownAfterClass() throws Exception {
         // Cleanup
-        K8sDynamicStub.get(client, vmsContext, "vmop-dev", VM_NAME)
+        K8sDynamicStub.get(client, vmsContext, "vmop-test", VM_NAME)
             .delete();
         deletePvcs();
 
@@ -124,7 +124,7 @@ class BasicTests {
     void testConfigMap()
             throws IOException, InterruptedException, ApiException {
         K8sV1ConfigMapStub stub
-            = K8sV1ConfigMapStub.get(client, "vmop-dev", VM_NAME);
+            = K8sV1ConfigMapStub.get(client, "vmop-test", VM_NAME);
         for (int i = 0; i < 10; i++) {
             if (stub.model().isPresent()) {
                 break;
@@ -134,7 +134,7 @@ class BasicTests {
         // Check config map
         var config = stub.model().get();
         Map<List<? extends Object>, Object> toCheck = Map.of(
-            List.of("namespace"), "vmop-dev",
+            List.of("namespace"), "vmop-test",
             List.of("name"), VM_NAME,
             List.of("labels", "app.kubernetes.io/name"), Constants.APP_NAME,
             List.of("labels", "app.kubernetes.io/instance"), VM_NAME,
@@ -191,7 +191,7 @@ class BasicTests {
             + "app.kubernetes.io/component=" + DisplaySecret.NAME);
         Collection<K8sV1SecretStub> secrets = null;
         for (int i = 0; i < 10; i++) {
-            secrets = K8sV1SecretStub.list(client, "vmop-dev", listOpts);
+            secrets = K8sV1SecretStub.list(client, "vmop-test", listOpts);
             if (secrets.size() > 0) {
                 break;
             }
@@ -207,7 +207,7 @@ class BasicTests {
     @Test
     void testRunnerPvc() throws ApiException, InterruptedException {
         var stub
-            = K8sV1PvcStub.get(client, "vmop-dev", VM_NAME + "-runner-data");
+            = K8sV1PvcStub.get(client, "vmop-test", VM_NAME + "-runner-data");
         for (int i = 0; i < 10; i++) {
             if (stub.model().isPresent()) {
                 break;
@@ -227,7 +227,7 @@ class BasicTests {
     @Test
     void testSystemDiskPvc() throws ApiException, InterruptedException {
         var stub
-            = K8sV1PvcStub.get(client, "vmop-dev", VM_NAME + "-system-disk");
+            = K8sV1PvcStub.get(client, "vmop-test", VM_NAME + "-system-disk");
         for (int i = 0; i < 10; i++) {
             if (stub.model().isPresent()) {
                 break;
@@ -248,7 +248,7 @@ class BasicTests {
     @Test
     void testDisk1Pvc() throws ApiException, InterruptedException {
         var stub
-            = K8sV1PvcStub.get(client, "vmop-dev", VM_NAME + "-disk-1");
+            = K8sV1PvcStub.get(client, "vmop-test", VM_NAME + "-disk-1");
         for (int i = 0; i < 10; i++) {
             if (stub.model().isPresent()) {
                 break;
@@ -274,7 +274,7 @@ class BasicTests {
             new V1Patch("[{\"op\": \"replace\", \"path\": \"/spec/vm/state"
                 + "\", \"value\": \"Running\"}]"),
             client.defaultPatchOptions()).isPresent());
-        var stub = K8sV1PodStub.get(client, "vmop-dev", VM_NAME);
+        var stub = K8sV1PodStub.get(client, "vmop-test", VM_NAME);
         for (int i = 0; i < 20; i++) {
             if (stub.model().isPresent()) {
                 break;
@@ -303,7 +303,7 @@ class BasicTests {
 
     @Test
     public void testLoadBalancer() throws ApiException, InterruptedException {
-        var stub = K8sV1ServiceStub.get(client, "vmop-dev", VM_NAME);
+        var stub = K8sV1ServiceStub.get(client, "vmop-test", VM_NAME);
         for (int i = 0; i < 10; i++) {
             if (stub.model().isPresent()) {
                 break;

From 592b30f6c5d9e1a3e4dbb544d8afe1a77e41b3d9 Mon Sep 17 00:00:00 2001
From: "Michael N. Lipp" <mnl@mnl.de>
Date: Sun, 30 Mar 2025 12:17:14 +0200
Subject: [PATCH 254/274] Update state diagram.

---
 .../src/org/jdrupes/vmoperator/runner/qemu/Runner.java   | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/Runner.java b/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/Runner.java
index d8ac5d8..5c0da21 100644
--- a/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/Runner.java
+++ b/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/Runner.java
@@ -157,6 +157,15 @@ import org.jgrapes.util.events.WatchFile;
  * 
  * success --> Running
  * 
+ * state Running {
+ *     state Booting
+ *     state Booted
+ *     
+ *     [*] -right-> Booting
+ *     Booting -down-> Booting: VserportChanged[guest agent connected]/fire GetOsinfo
+ *     Booting --> Booted: Osinfo
+ * }
+ * 
  * state Terminating {
  *     state terminate <<entryPoint>>
  *     state qemuRunning <<choice>>

From af112bb66b4088cd7409370c0bcddb88f931e1f0 Mon Sep 17 00:00:00 2001
From: "Michael N. Lipp" <mnl@mnl.de>
Date: Sun, 30 Mar 2025 12:37:49 +0200
Subject: [PATCH 255/274] Editorial changes.

---
 webpages/auto-login.md | 8 ++++----
 webpages/pools.md      | 5 ++++-
 2 files changed, 8 insertions(+), 5 deletions(-)

diff --git a/webpages/auto-login.md b/webpages/auto-login.md
index 59856b2..66f0edf 100644
--- a/webpages/auto-login.md
+++ b/webpages/auto-login.md
@@ -9,7 +9,7 @@ layout: vm-operator
 
 When users log into the web GUI, they have already authenticated with the
 VM-Operator. In some environments, requiring an additional login on the
-guest OS can be cumbersome. To enhance the user experience, the VM-Operator
+guest OS can be annoying. To enhance the user experience, the VM-Operator
 supports automatic login on the guest operating system, thus eliminating
 the need for multiple logins. However, this feature requires specific
 support from the guest OS.
@@ -18,9 +18,9 @@ support from the guest OS.
 
 Automatic login requires an agent running inside the guest OS. Similar
 to QEMU's standard guest agent, the VM-Operator agent communicates with
-the host via a tty device (`/dev/virtio-ports/org.jdrupes.vmop_agent.0`). On
-modern Linux systems, `udev` can detect this device and trigger the start
-of an associated systemd service.
+the host via a tty device (provided in the guest as 
+`/dev/virtio-ports/org.jdrupes.vmop_agent.0`). On modern Linux systems, `udev` can
+detect this device and trigger the start of an associated systemd service.
 
 Sample configuration files for a VM-Operator agent are available
 [here](https://github.com/mnlipp/VM-Operator/tree/main/dev-example/vmop-agent).
diff --git a/webpages/pools.md b/webpages/pools.md
index 41e26ef..614ec3e 100644
--- a/webpages/pools.md
+++ b/webpages/pools.md
@@ -46,8 +46,11 @@ spec:
 The `retention` specifies how long the assignment of a VM from the pool to
 a user remains valid after the user closes the console. This ensures that
 a user can resume work within this timeframe without the risk of another
-user taking over the VM. The time is specified as
+user taking over the VM. The time is specified as an
 [ISO 8601 duration](https://en.wikipedia.org/wiki/ISO_8601#Durations).
+Specifying an ISO 8601 time is also supported, but if you consider to
+using an absolute time, check again whether a dedicated VM for the user
+is more appropriate.
 
 Setting `loginOnAssignment` to `true` triggers automatic login of the
 user (as described in [section auto login](auto-login.html)) when

From fb976802cf794af916af86d2c31b8a7bf53b0313 Mon Sep 17 00:00:00 2001
From: "Michael N. Lipp" <mnl@mnl.de>
Date: Sun, 30 Mar 2025 13:05:33 +0200
Subject: [PATCH 256/274] Minor edit.

---
 webpages/pools.md | 15 ++++++++-------
 1 file changed, 8 insertions(+), 7 deletions(-)

diff --git a/webpages/pools.md b/webpages/pools.md
index 614ec3e..c84264f 100644
--- a/webpages/pools.md
+++ b/webpages/pools.md
@@ -48,17 +48,18 @@ a user remains valid after the user closes the console. This ensures that
 a user can resume work within this timeframe without the risk of another
 user taking over the VM. The time is specified as an
 [ISO 8601 duration](https://en.wikipedia.org/wiki/ISO_8601#Durations).
-Specifying an ISO 8601 time is also supported, but if you consider to
+Specifying an ISO 8601 time is also supported, but if you consider
 using an absolute time, check again whether a dedicated VM for the user
-is more appropriate.
+isn't the more appropriate choice.
 
-Setting `loginOnAssignment` to `true` triggers automatic login of the
-user (as described in [section auto login](auto-login.html)) when
-the VM is assigned. The `permissions` property specifies the actions
-that users or roles can perform on assigned VMs.
+Setting `loginOnAssignment` to `true` (defaults to `false`) triggers automatic
+login of the user (as described in [section auto login](auto-login.html))
+when the VM is assigned. The `permissions` property specifies the actions
+that users or roles can perform on assigned VMs. The `may` property defaults
+to `[accessConsole]` if not specified.
 
 VMs become members of one (or more) pools by adding the pool name to
-the `spec.pools` array, as shown below:
+the `spec.pools` array in the VM definition, as shown below:
 
 ```yaml
 apiVersion: "vmoperator.jdrupes.org/v1"

From 85a9b4104631e1785da62e0962198edf353b4ced Mon Sep 17 00:00:00 2001
From: "Michael N. Lipp" <mnl@mnl.de>
Date: Sun, 30 Mar 2025 21:12:18 +0200
Subject: [PATCH 257/274] Update picture.

---
 webpages/index-pic.svg | 24 ++++++++++++------------
 1 file changed, 12 insertions(+), 12 deletions(-)

diff --git a/webpages/index-pic.svg b/webpages/index-pic.svg
index e912900..d6b0ef9 100644
--- a/webpages/index-pic.svg
+++ b/webpages/index-pic.svg
@@ -8,7 +8,7 @@
    version="1.1"
    id="svg1"
    xml:space="preserve"
-   inkscape:version="1.3.2 (091e20ef0f, 2023-11-25)"
+   inkscape:version="1.4 (e7c3feb100, 2024-10-09)"
    sodipodi:docname="index-pic.svg"
    xmlns:inkscape="http://www.inkscape.org/namespaces/inkscape"
    xmlns:sodipodi="http://sodipodi.sourceforge.net/DTD/sodipodi-0.dtd"
@@ -24,13 +24,13 @@
      inkscape:pagecheckerboard="0"
      inkscape:deskcolor="#d1d1d1"
      inkscape:document-units="mm"
-     inkscape:zoom="0.67704826"
-     inkscape:cx="757.70079"
-     inkscape:cy="438.66888"
+     inkscape:zoom="0.95749083"
+     inkscape:cx="689.30164"
+     inkscape:cy="285.64242"
      inkscape:window-width="1920"
-     inkscape:window-height="1011"
+     inkscape:window-height="1008"
      inkscape:window-x="0"
-     inkscape:window-y="32"
+     inkscape:window-y="35"
      inkscape:window-maximized="1"
      inkscape:current-layer="g1"><inkscape:page
        x="0"
@@ -7320,10 +7320,10 @@
        id="image1-3"
        x="26.606333"
        y="57.346931" /><image
-       width="896"
-       height="167"
+       width="894.26611"
+       height="159.40393"
        preserveAspectRatio="none"
-       xlink:href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAA4AAAACnCAYAAABAdTJEAAAABHNCSVQICAgIfAhkiAAAABl0RVh0&#10;U29mdHdhcmUAZ25vbWUtc2NyZWVuc2hvdO8Dvz4AACAASURBVHic7d1/fFP14e/xd5ICBQvll+BA&#10;EIUOVFCm1fmDzYrcKehc8bFNnd4J+vVxnYC/N69f2b7+wPkDp3D9cYHixKHDbResc4gibnwZKmJV&#10;nAIqBYECFhWoWiW1bc79oztpcnKSnKRJTprzej4eeSRNTpIT7YvTz/kVXygUMgzDkMm8HXltdzsU&#10;CkVNZ72d6D6gUPh8Plfel67gdbQHuMOt9iT6AzLVny8UChmS/UDOOvCzu9/6HKtU7wdyKdMLsmwt&#10;GDPdC/3BbbQHuKOztCfRHwpPvvTnM9pIij8ITDbwczIQBApJsuAyFXiynugNXkN7gDty1Z5Ef4BV&#10;pvvzmaO/eIM6J/dL7buExkOsKATxAkv1/mTYog5Eoz3AHblqT6I/wCpb/YUHgFL8rXl298c73o8Y&#10;UYgSBWV9zG5ap0E6OY42UWP0h0JDe4A7ctWeRH+AVbb7YwAIOOQksMifnQQaKdHCzsmCkPZQqGgP&#10;cEe225PoD4gnm/2xCygQIdV9rOOF5+R2pHgLPCe37X5O9PpAPqI9wB1utSfRH+BWf5wEBnDAyRoW&#10;63W829bnJ+rP7vFU1pYCnR3tAe7IZnsS/QGJZHvZx9dAADacHFwbL0AnYZrXyVa+OLm23o5EZ+hs&#10;aA9wR67ak+gPsMr1ss/HF8EDsZLtd20XW7zb8Z5rSqc/pwtC+kNnQ3uAO3LRns/nczz4oz94Sa6X&#10;fUXWO8zrRFv/nKyVsb6m0/uBfJAoRHMBFnktKeq29XnWx8JrYOKsEc12f0C+oj3AHdluT2rbeJBo&#10;V2z6g1fletlXFG+ti/XnoqIiFRVFjRcBRGhpaVFLS4vtY3YRS4oJOt5Cq0uXLvQHxEF7gDuctme9&#10;z7xNf0D6OrLsKzJ/MK8Z/AHpMRsxY7Qu1Jzs+kJ/QOpoD3CH0/biXUv0B6SrI8s+f+QP1gfNSyAQ&#10;yO4nAApEIBCIWZhJsQu4SMmmpz8gOdoD3JGsPfN2JLtdOyN/pj/AmXSXfUWJnhAKheLuXwogls/n&#10;Cx/j4Pf7o+6X4h+rEPk4/QGpoz3AHU7bi5zObkBIf0Dq0l32FUX+EO8CwLl4azyTPYf+gI6hPcAd&#10;idpLNJCjP6Dj0ln2xexcTYRAx9iFaHcQrnm/9Tn0B6SH9gB3xGvPvM/uWKR4e5/RH5CadJZ9RXbB&#10;ESGQPmuI1t1dIoOM932a9AekjvYAdyRrz5RoIEh/QHrSWfbFfA8ga2GAjom3UIvcN9tO5B+k9Aek&#10;jvYAdyTauscuoEB2pbPs80dOaPdkIgRSY7dFPfJ+qe0PTusfnXbT0h/gHO0B7nDSnmG0n+DF7jG7&#10;1wGQXDrLPr91E6H1hYgQSI1dP3YxWn+mP6BjaA9wR6L2pPat7HY/0x/QMeks+6K+B9D6IpH3A3Am&#10;nZboD+g42gPckW5H9Ad0XDod+a1PBJB5iRqjPyB7aA9wR7K+6A/InmTLPr91AutmRMIEUhOvocj9&#10;sE3WMxHSH5A+2gPckaw963387QlkTjrLvoSnRiNCIHV2+1tbRR6Ma31uvNcBkBjtAe6wa8bu58iT&#10;wCSajv4A59JZ9kUNAO3WvBAhkBq7PySddER/QMfQHuCOdNuLNz39Ac6l01/UMYCJXhCAc6k0RX9A&#10;5tAe4I5Ue6I/IHNSXfbF3QU0VwG6FTr/wCDbOvI7Rn9A+mgv/94X3tDR3y/6A9KXyu9XzNdAJLqd&#10;aZs2bdKUKVOy9vr59r4dsWHDBk2bNk1nnXWWzjjjDF199dV66623HD33N7/5jU4++eQsz2FmvbL9&#10;oC57ul7jHtmpny7eo2XvNro9S47F68fuuCO7x+gv/6Ta3/r16zV9+nRVVFTolFNOUWVlpR5++GF9&#10;/fXXOZzr9NBe7O1Moz3nUmlv27ZtuuWWWzRhwgSdeuqpqqys1Ny5c/Xll1/meK7TU4jtJdoVLdFu&#10;n/TnvtbWVi1ZskQXXXSRTjvtNE2cOFEzZ87URx99lJHp800h9pdo2VdkfYFc7oN9+eWXq6WlJavv&#10;kU/vm661a9fqhhtukN/v18knn6yWlhbV1NTojTfe0OzZs1VRURH3uYsXL9bzzz8vvz/h+X7yyoNr&#10;DujG5z6V+dsX8EmHHlKkC8aUuDpfqbBbAPp8vqTPob/8k2p/S5cu1d13361AIKDRo0erZ8+eeu+9&#10;97Ro0SK9+uqrWrhwoXr06OHOh0mC9mJfIxtoz5lU2tuyZYumTp2qYDCoESNGaOzYsaqtrdXixYv1&#10;0ksv6fHHH9ehhx7q3odJohDbk5S0PXNa+ssvoVBIN998s1avXh1elhUXF2v16tVavXq1HnjggagN&#10;C6lOn28Ksb9ky74iNzdHJxqZFuL7piMYDOq2225TUVGRqqqqdOyxx0qS3njjDc2YMUN33XWXvvvd&#10;76p79+5Rz2tpadHcuXO1ZMkSN2Y7ba/tCEZFeObw7przowE67lvdUnqdlR9+rb9tatSsc/qrV3H0&#10;4Hf9zqAef+Nz/dcP+uuwnoEMzblzkVHSX35Ltb/PPvtMDzzwgHr06KF58+bpmGOOkSQ1Njbqpptu&#10;Uk1NjaqqqnTttde69pniob3cob3kUm3v1ltvVTAY1I033qiLL75YUtsWiXvvvVfLli3TQw89pDvu&#10;uMO1z5OI19ozf3YL/SW3bNkyrV69Wr1799acOXM0evRoSdLOnTs1bdo0zZw5U88884wOOeSQtKbP&#10;J17rz2yv82wW8qjly5eroaFBP/zhD8MLQEk66aSTVFlZqQMHDuill16Kes66det06aWXasmSJRo8&#10;eHCuZ7lDFqxrUORi4e9XDUk5wuWbv9IPf79LD73SoLOrdumLYPs/uq/tCGrCgjrNW/e5xs+rU/2X&#10;rRmacxSiVPt7+eWX1dTUpIsvvjg8+JOkkpIS3XTTTZKkVatW5e4DpID2kE9SaW/Lli3atm2bysrK&#10;woM/SQoEArrqqqskSa+++mpuP0AKaA/55q9//askacaMGeHBnCQNHTpUN9xwg/bv36+lS5emPX0+&#10;8Wp/SU8Ck621NOXl5eG1IeXl5SovL4+Z5l//+pduvPHG8P78F1xwgebNm2d7HM2aNWt01VVX6Qc/&#10;+IFOO+00TZ48WQ888IAOHDiQ8vvamTt3rsrLy1VVVWX7+J/+9CeVl5fr/vvvD7/2ySefrObmZlVV&#10;Ven888/XqaeeqsmTJ+vpp5+WJH355ZeaPXu2Jk6cqHHjxuniiy/W3/72t6jXfe211yRJ3/ve92Le&#10;8/vf/76k2AXb9OnTVVtbq/POO0+LFy929PnyxdZ9zQkfr9kVTPoa/3PJx/rm332t2xnU2VW79GVT&#10;SK/tCOrsqjp92dT2O735k290+8rPOjzPVploh/6idZb+DMNQWVmZvvOd78RMf/jhh0tq20qYj2gv&#10;c6+RCO1lvr2ysjK9+OKLmj17dsy05n+zQCD3a92dor3Mv0489Oesv23btkmSTj/99Jj3PPHEEyW1&#10;bWxId/p84tX+XNsCeM4550TdnjhxYtTj1dXVuuKKK7R27VoNGTJE48aN08GDB7Vw4UJdccUV+uKL&#10;L8LT/v3vf9eNN96ot99+W0cddZROP/10NTc3649//KOuuOIKBYNBx+8bz7nnnitJWrlype3jL774&#10;oiRp0qRJUfdff/31+sMf/qDhw4drzJgxqqur0/3336/f//73mjp1qpYvX66ysjIdc8wx2rJli267&#10;7TZVV1eHn29GdeSRR8a857BhwyRJtbW1UfefeeaZWrx4sW677Tb16tXL0efLFwNKohfSt63cp6+/&#10;MbR1X7POfWy3zn1sd9LXuP77faJ+XrczqIr/WxcVoST17ObT1JNKMzPjnQz9Zae/iy66SEuWLNEp&#10;p5wSM/37778vSXl7HBLt5QbtZae9fv36hVeymBobG8N/GFvnL5/QXu7Qn7P+WlvbRjN2u2ya55TY&#10;sWNH2tPnE6/2V5R8kuyYNWuWVq5cqVAopFmzZkU9tnXrVt1zzz3q16+f5s6dq5EjR0qSmpub9dvf&#10;/lbPPfec7r33Xt11112S2taQGIah+fPna+zYsZLajoG75pprtH79eq1cuVLnn39+0vdNZMSIERox&#10;YoRqa2tVW1urESNGhB+rr6/Xu+++qyOOOCJqt69QKKTPPvtMzz77rPr27Sup7aQsc+fO1aOPPqqR&#10;I0dq2bJl4cf+/Oc/67777tNf/vIXVVZWSmrfWtCvX7+YeTLv279/f9T9dmtBO4MNe5o0cdQhWhpx&#10;5qXbX9qnBesa1HAwpIMthv73mX2Tvs6vJ/RTc6t056p94fve2t0UNU3Pbj69eOUQnTy0OHMfoBOh&#10;v+z1F8/ChQslKeFJm9xCe7lDe9lv7/nnn9fy5cv1zjvvKBgM6vzzz9e0adMcf+Zcor3coj9n/R1x&#10;xBGqra3VO++8E7NC891335UkNTQ0hO9Ldfp84eX+8vIYwKefflotLS266aabwgFKUpcuXXTzzTer&#10;f//+eumll/TJJ59Ikj799FNJUv/+/cPTFhUV6frrr9ett96q4447LiPzZa6JsR5z9+KLL8owDNs1&#10;jNOnTw9HJkWvpbn22mujHjv77LMlRa8lOXjwoCSpW7fY/ZG7du0qSZ3i1PLJvL27SWfNq9O7Hzfp&#10;4rE9ox77+MtWHWwxVH54N90yPnmIknTH2f008yz7ac0ITz0iPyLMN/SX+f6efPJJrVu3Tr169dLP&#10;f/7zpNPnEu3lD9rLTHtr167V66+/rmAwKJ/Pp88++0xbtmxJ/CFdQHv5hf7a+zO3WN53333atWtX&#10;+P76+nr97ne/k9Q2ME53+nzg9f7ycgD45ptvSpLtKWOLi4vD+1Jv2LBBksLH21x++eWaN2+eNm3a&#10;FD4WZ/LkyeHdRTrqnHPOkc/ni9kUv3LlSvl8PttN+pEHw0qKiu7oo4+OeszcXfObb74J32cet5Do&#10;VK6d6cxSdt7e3aQJ8+u0/2BIc9c2aHBpke6Z1F+jDu2qrgHpqL5d9J/j++rvVw2JObNSIpOOLlFX&#10;m8M+yvp31ejDumbwExQW+stsf88884zmzJkjv9+vO+64I+qPBbfRXn6hvcy0d80112jNmjWqrq7W&#10;lClTtG7dOl155ZXh3bDzAe3lH/pr7++SSy7R2LFjtXPnTl144YX6xS9+oenTp+snP/mJxowZI7/f&#10;H3VcbarTu43+XNwFNJG9e/dKksaPH59wuvr6ekltp3++/vrrtXXrVi1cuFALFy5U3759VVFRoZ/+&#10;9KdRm8wTmTlzZtTP5oLnzjvvlNR27M5JJ52k9evX6/3339eoUaO0Y8cOffDBBxo7dqwGDRoU85rW&#10;Y/DM1/T7/erZs6ftY5GKi4vV2Niob775JrzW09TU1LZ52foVEJ3Jhj3tEZru/+8DevSCAdr8q2Fp&#10;v+66HUGdU7UrfFBupLd2N+mcql164crD1bNbXq4DcRX9tetof08++WR48Hf77bdr3LhxcafNNdrL&#10;P7TXriPtHXbYYZKkHj16aNq0aerSpYsWLFigefPmac6cOfb/EXKI9vIT/bXr0qWLHn74YT322GNa&#10;sWKF3n77bQ0ZMkQzZszQpEmT9Nxzz6m0tDTt6d1Ef23ycgBoHkwaedBsJPOXdciQIZKkQYMGacmS&#10;JVq/fr1Wr16t119/XXV1dVq2bJmqq6t1991366yzzkr6vi+88ILt/WaEUttm9PXr12vVqlUaNWpU&#10;3ANwpbbQOvoF7IceeqgaGxu1f//+8ELNZB7/YHeMRGewYU/b5vfICCXp7on99YtTe6f9uq//+wxM&#10;XzS1v27XgKKifPXfoeZTjPmC/tp1pL+5c+dq8eLFKioq0qxZszRhwoQOzUsm0V5+or12mVz2VVZW&#10;asGCBdq0aVOH5ikTaC9/0V+04uJiTZs2Leb42c2bN0tSTJepTu8G+muXlwPA/v37q76+XjNmzNDA&#10;gQMdPcfv9+uUU04JH3y6a9cuPfbYY3ruuef0yCOPOIqwpqYm6TTjx4/XPffco1WrVmn69OlauXKl&#10;ioqKsvbH3VFHHaWPPvpI27dvj4ln+/btkuR4LVM+ecdmDYwk3XfuofplRZ84z3LmR4/vjoqwZzef&#10;XviPIXr+/Ubd9XL7SQNe3RHUzBc+09wfDejQ+xUa+muXbn933323li5dqu7du2v27Nm2ZwV1C+3l&#10;L9prl0p7NTU1WrFihU444YTw8VKRunTpIsn9Y5BoL7/RX7u6ujrV1dXpuOOOU0lJSdRj5i6w3/72&#10;t9Oe3g30F83VIWi8ffvN/apfeeUV28enT5+uqVOnauPGjdq/f78uueQSXXbZZVHTHH744frVr34l&#10;qX2zfrL3daJHjx6qqKjQrl279PLLL2v79u0aN25c1r5uwfxHZe3atTGPrVmzRpJ06qmnZuW9s+Wd&#10;PU06a36denTxR+0r/bsfdjxCSbpgTPs/PiVdfVrxH4frtGHFmnVOf90acYBu14A0aVSJ3Ut4Av0l&#10;l05/VVVVWrp0qUpLSzV//vy8G/zRnvtoL7lU2tu3b5+effZZPfXUU7bfg2W+RuSZEnON9vIH/SW3&#10;dOnS8LG0kQzDCH9nYOSusqlOn2v0F8vVAaC5X39jY2PU/RdeeKF8Pp8efvhhvfXWW+H7DcNQVVWV&#10;1q1bp927d6usrEx9+/ZVU1OTNm7cqOXLl0e9jnnArPWA13jv65S5yd08s1E2v19owoQJKi0t1bJl&#10;y6L+W9TU1Ki6ulq9e/fO6+83svOjx3dr39ch/Z/KARo/oockac75h+qG73c8Qkl6ZPJA/a9TSnXo&#10;IQG9cOXhOn1Y+3Eis87pr//6H/3Uu9iv//fzwTp7ZI+MvGdnRH/Jpdrf5s2bVVVVpaKiIj300EOu&#10;/sFph/byA+0ll0p7Z5xxhvr3768PP/xQjz76aNTJYd588009+OCDkhTzx3ou0V7+oL/kzjjjDEnS&#10;E088oa+++ip8/4IFC/TBBx9o1KhRUV/6nur0uUZ/sXzBYNAwDEOhUMj20tra6nhTeKouueQSffDB&#10;BxoxYoSGDh2qO++8M3zKZ/PkCZI0atQofetb31Jtba3q6urUrVs3PfLII+HvXXnrrbd09dVXq6Wl&#10;RaNGjdLgwYNVX1+vjRs3qmvXrpo/f77GjBnj6H2daG1t1aRJk7Rv3z6VlJRo5cqVMQepl5eXy+/3&#10;a/369THPT/WxVatW6ZZbbpHf79dJJ50kwzD0xhtvSJIefPDBpFElej83nP7wTr26o/0LUh+qHKDp&#10;p6e/73W+2bt3rwKBQHg/fJ/PF3Utta8JNNdWh0IhmR1G9kh/sfK5v1/+8pf6xz/+oQEDBuiEE06I&#10;eX3rwf25Rnu0V6jtvfnmm7r22msVDAY1ePBglZWVqb6+Xu+//778fr+uu+46/exnP3P8WTPNa+1Z&#10;+zMvJsMwwhdre/RnL9f93XnnnXr22WfVv39/jR49Wjt37tS2bdvUr18/VVVVaejQoVGvker0ueS1&#10;/pws+1zdAvjrX/9aRx99tHbs2KGampqo7w659NJLNW/ePI0bN04ff/yx1q5dK8MwdN5552nJkiXh&#10;ACXphBNO0KJFizR+/Hh9/vnnWrNmjerr63X22WfrySefjAow2fs6EQgEwt+bMmHChJgAM23ChAnh&#10;f3Q2bNigzZs3q7y8XAsWLHB1jUq6np06WGMHdZPfJz16QWFF2JnQnzOp9Pf2229Lkj755BO98MIL&#10;MZcVK1ZoxYoVWZ3fRGgvP9CeM6m0d+KJJ+qpp57Seeedp6amJv3zn/9UfX29KioqtHDhQlcHfxLt&#10;5RP6c+aWW27R1VdfreLiYq1du1bBYFA//vGPtXjxYtvBXKrT5xL9xXJ1CyC8q7lVOnCwVQNK8ud7&#10;YTKls2yFgDfRHu3BHV5qL5+3AMKbvNRf3m8BhHd1CaggIwTyHe0B7qA9wD30F40BIAAAAAB4BANA&#10;AAAAAPAIBoAAAAAA4BEMAAEAAADAIxgAAgAAAIBHMAAEAAAAAI9gAAgAAAAAHsEAEAAAAAA8ggEg&#10;AAAAAHgEA0AAAAAA8AgGgAAAAADgEQwAAQAAAMAjGAACAAAAgEcwAAQAAAAAj2AACAAAAAAewQAQ&#10;AAAAADyCASAAAAAAeAQDQAAAAADwCAaAAAAAAOARDAABAAAAwCMYAAIAAACARzAABAAAAACPYAAI&#10;AAAAAB7BABAAAAAAPIIBIAAAAAB4BANAAAAAAPAIBoAAAAAA4BGdfgC4YcMGTZ06VX369JHP5+tU&#10;lz59+mjq1KnasGGD2/8ZgbTQH+AO2gPcQ3/o7IrcnoGOmjNnjp544gm3ZyMtDQ0NWrRokQzD0KJF&#10;i9yeHSBl9Ae4g/YA99AfOjtfMBg0DMNQKBSyvbS2tmrgwIFuz2dcffr0UUNDg9uz0SG9e/fWgQMH&#10;3J4NZMjevXsVCATk9/vl9/vl8/miriXJ5/NJkgzDkCSFQiGZHUb2SH/ZR3+Fg/Y6F9orHNb2rP2Z&#10;F5NhGOGLtT36yw36KxzpLPs6/S6gnT1AqTA+A7ypEH53C+EzwHsK4fe2ED4DvKkQfncL4TMgfZ1+&#10;AAgAAAAAcKbTHwNox9y8ma8id4MACg39Ae6gPcA99IfOhC2AAAAAAOARDAABAAAAwCMYAAIAAACA&#10;RzAABAAAAACPYAAIAAAAAB7BABAAAAAAPKIgvwYChWv11oOqGN5dktRwMKQnaj5X9cZGbdjdpIZg&#10;SGMHddOU8l66rLxUvbuzfgPIJPoD3EF7gHsKsT9fMBg0DMNQKBSyvbS2tmrgwIFuz2dcdt9r0hm/&#10;i8XNed60aZOGDx+ubt26Zew1L/9zvfZ83uL8CT6fzj/mEF19Wu/Ek/3yw3BkkxftVkMwZDtd72K/&#10;npkyOBxsLu3du1eBQEB+v19+v18+ny/qWmr/HTD/v4dCIZkdRvZIf5mXb/NMf5lDe7SXCtrLHGt7&#10;1v7Mi8kwjPDF2h79ZUe+zTP9ZU46yz62AEIbN27Uhx9+qFGjRqmsrEyBQKDDr/n4G1+k9bxkEUrS&#10;opovtKim7fVLi/2qPLZEYwd307A+XVT9XqOqNzaqIRjSmfPq9Mxlg1Q5uiSteQFygf4Ad9Ae4B76&#10;cxcDQEiSmpub9e6772rr1q0aM2aMhg4d6vYsJdW3e0AvX3W4xg5qX3tUObpE2/c3q3LRHr3zcZOm&#10;/qleFcOP6jSb5OFN9Ae4g/YA99Cfe/J3zuCKr7/+Wq+//rpWrVqlTz/91O3ZiRWxt8L+g62a+88D&#10;MZMM69tF1VMGqbTYr4ZgSItqPs/hDALpoz/AHbQHuIf+co8BIGwdOHBAq1ev1iuvvKLGxka3Zyfs&#10;R6NL9N0h3fTdId10xlHd9dH+Zm3f3xwz3bC+XVR5bNvm9ydq0tslAHAL/QHuoD3APfSXO+wCioT2&#10;7Nmjjz/+WMOHD9exxx6rrl27ujo/1VMGOZ62cnSJnnjzC23Y05TFOQKyh/4Ad9Ae4B76yz4GgEjK&#10;MAzV1tZqx44dOvroo1VWVhY+q1A+azjYdpam0uL8n1cgHvoD3EF7gHvoL7vye+6QV5qbm7Vp0ybt&#10;3bvX7VlxZPXWryUp6kBdoLOiP8AdtAe4h/6ygy2AcMTn8+nII4/Uscceq+LiYrdnRw0HQwnPrrR9&#10;f7Oe3di2/3jF8B65mi0gK+gPcAftAe6hv+xhAIikDjvsMB1//PHq1auX27MiqS3A7zy4Xb27B/TM&#10;ZYM0rG+XqMe372/W5Cf2qCEYUmmxX9d9r49Lcwp0HP0B7qA9wD30l10MABFX7969dfzxx2vAgAFu&#10;z0qUDXuatP1Ai3SgRUfe/ZGmlPcKr2lZvfVrVb/X9mWcklQ9ZXBefw8LEA/9Ae6gPcA99JcbDAAR&#10;o3v37ho9erSOOOII+Xw+t2cnRsXw7vrHVUNUuWi3Pg+GtKjmCy2ynG63tNivRRceporh3V2aSyA9&#10;9Ae4g/YA99BfbjEARFhRUZFGjhypkSNHKhAIuD07CVUM767t/3mUFtV8rur3GvXf2w5Kks44qrsq&#10;R5doSnlp3q99ASLRH+AO2gPcQ3/uYAAI+Xw+DRs2TKNHj87YQbbf6hnQx1+2pvScQb1SC79397Z9&#10;rPN9P2sgEfoD3EF7gHvoz12+YDBoGIahUChke2ltbdXAgQPdns+47DYTG4bhwpw4l2/zHAwG8+Ls&#10;SoVi7969CgQC8vv98vv98vl8UddS+++A+f89FArJ7DCyR/rLvHybZ/rLHNqjvVTQXuZY27P2Z15M&#10;hmGEL9b26C878m2e6S9z0ln2dY7tlMgqAgTcQ3+AO2gPcA/9uYsBIAAAAAB4REEeA5iPZw8CvIL+&#10;AHfQHuAe+kNnwhZAAAAAAPCITj8ALC0tdXsWOqwQPgO8qRB+dwvhM8B7CuH3thA+A7ypEH53C+Ez&#10;IH2dfgBYWVnp9ix0WCF8BnhTIfzuFsJngPcUwu9tIXwGeFMh/O4WwmdA+gIzZ868TYo+Ja/1UlJS&#10;4vJstrOesvbII49UMBjU9u3b1dTU5NJcpae0tFQXXXSRrrvuupjTHbMveef11VdfxZz62noabOv/&#10;X/P3OvKa/rKL/goP7XUOtFd4krVn/RqISHbt0V/20F/hSWfZ16m+BzAQCCgUCrk9GzmT798pA3uF&#10;+l1k9Id8R3uFgfY6n0L+HkD6Q77jewABAAAAAHExAAQAAAAAj2AACAAAAAAewQAQAAAAADyiyO0Z&#10;SEVra6vbswB4Fv0B7qA9wD30h0LEFkAAAAAA8AgGgAAAAADgEQwAAQAAAMAjGAACAAAAgEcwAAQA&#10;AAAAj2AACAAAAAAewQAQAAAAADyCASAAAAAAeAQDQAAAAADwCAaAAAAAAOARDAABAAAAwCMYAAIA&#10;AACARzAABAAAAACPYAAIAAAAAB7BABAAAAAAPIIBIAAAAAB4BANAAAAAAPAIBoAAAAAA4BEMAAEA&#10;AADAIxgAAgAAAIBHMAAEAAAAAI9gAAgAAAAAHsEAEAAAAAA8ggEgAAAAAHhE3AGgz+eLugbgTCba&#10;oT8gdbQHuCNT3dAfkLp0umELIAAA7SmF4gAABS5JREFUAAB4hJ+1LEBuRTZHf0Du0B7gDmtv9Afk&#10;jl1vfusELCCBjrN25KQl+gM6jvYAd6TTnt209AekLtX+wgPAePERIpCaeP34/fH3uI58jP6A9NAe&#10;4I5Ef0PGaynRwI/+AOfS6SjpSWAApCcTJ6IAkDraA9yRqZPAAEhdyieBSbR2BkDqUmmK/oDMoT3A&#10;Han2RH9A5qTak+0xgGyGB9Jnt/tLKsch0R+QHtoD3JFue/Gmpz/AuXT6S/g1EKkEDKCNkwWZ3++3&#10;PS4p3YPoAdAe4Ba7Zux+9vv9jqajP8A5J81Ypwl/DUTktfUCwLl4DZnXkX98mrfpD+g42gPckaw9&#10;63387QlkjpP+IqeVLMcAxgvOMIzszTVQQOK1kqgx+gM6jvYAd6TTnpPH6Q9ILt3+Yr4Gwm70GAwG&#10;MzqzQKEKBoMJW4qH/oCOoT3AHem2F/k4/QHpSbe/Ip/PFx49mretLxAMBmUYhoqLixN+nxLgVaFQ&#10;SMFgUE1NTY52g4lsTlK4O/oDUkN7gDuctie17XIduaXC7/crFAqFp6M/IDWp9Be57DN/9jU3NxuG&#10;YcgwDIVCIdtr83aix82LpJhroDNKdIyCeSB75G3z5BJ290uKOvg98o9P89pcGNIfvI72AHdksr14&#10;f5RGdhJ5oT94Xab6s2vPZC7vipK9sdS+htRcYxN5nShC6207hAo3ON0tJfK2NSi76OymswvQjtkT&#10;/aGQ0Z6zx4FMc6O9dN9Toj8Ulnxb9hVZJ7BbCEZOE7kZ3y6+eGtgiA2dgbUHa1yRtxOtbbFb6xn5&#10;XLMH624x9Aevoj3AHdlsz64luz9M6Q9elYtln9TegrkcjNoCaJ0R87bdvtrmiyULkLUwyEcdWRMT&#10;edu6BibR5vdEC0CzK/pDoaM9Z48DmeZGe9bXMluLvI733vSHQpLL/uK9fuTvfVHkA4lmJnKTu/mz&#10;ZL8mJvLaiuiQjxIFY72Ot1bGySXe7z/9watoD3BHrtpLdR7oD16Qzf4Svb4pvAuo3VoYMzxzDUy8&#10;GWXzOwqN3VYC89q6lsZ6SbQ2JtkCkf7gdbQHuCOb7Zmsx9vytyfQJpP92b2Odat7zBbARDHaXexm&#10;3C48YkRnkGxtZOTPqaz5TPTHp1079AevoT3AHbloL/IPz8if+dsTXpfN/hK9Z5F5w3oMhPXnyCcl&#10;2/RuDTrZjAD5KFGA5rV1AZfoPvNn60KP/oBotAe4I1vtxbumP6Bdpvozr63Lucg2iuwmSDRjkaE5&#10;2featS/ojBKtkYkXZOTteI9J0Wczi9wdhv4A2gPcks32rCteIm/TH5DZ/uyeb20o5nsAk619sU5n&#10;twk/EhGiM0oUYuTtRDHaTZfs9ekPXkd7gDuy3Z4U+/Ur5nT0B6/LZH92W/wiH5MkXygUMiT70+c6&#10;vbbejkSE6IzirY1MFmOia7v7ErVEf/Ai2gPckav2JPoDrDLZn8k6EDSMtpMrGYYhn9Em/EDkk6y3&#10;421udxIj0JnZBWj9OdGCL97jUvKFGv3By2gPcEc225PoD0ikI/3F2yoeMwA0H4icKJXbdj/bvTGQ&#10;7+KtgYn3eLKFXqLbkegPXkd7gDvcak+iPyAb/ZkitwDGHQCaE1qf6OSxRPcBhSLZ/tnWnxM9Zof+&#10;AHu0B7gj2+1J9AfEk25/dt0kHADaPSneC8VDiChEiRZiThZ4ThaCEv0BVrQHuCNX7Un0B1h1pD+7&#10;Y/+SDgAjn5yJ+4FC4uQgXSf3J0N/QDTaA9yRq/Yk+gOs0unP7vhZ6wDw/wMeBpL+pj81ngAAAABJ&#10;RU5ErkJggg==&#10;"
-       id="image1-7"
-       x="391.92126"
-       y="382.84091" /></g></svg>
+       xlink:href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAA3wAAACfCAYAAACiLNuTAAAABHNCSVQICAgIfAhkiAAAIABJREFU&#10;eJzt3Xl4U2XCNvD7pOm+sHUBCohApyxFoJadF1mKLMqi7zczMriAyIyv4oLggoiDuDCOwFBABygz&#10;qICg34dTR9kLOH0rtKVQXFik7KVQlrZAS5tuyfdHmzRJT5KTNMlJTu7fdfVqcnKWJ23uPOc5z3nO&#10;EXQ6nQ4iLEy2+Zoz5idyN0EQnDa/vesSw/yRL/Gk/DF75Gs8JX/MHvkad2ZPMG/wiYXEUnAYKPI1&#10;lgIlNt2Rio/5I7LMlflj9oisc1X+mD0i65yRPZMGn3mQbD23NZ1IKaSGzdZza5g/InGuzh+zR2SZ&#10;K/PH7BFZ5szsCbp6JhONn0sJn9TgMaDkaaTuEEo5imL83J6Kj/kjXyV3/pg98mVy5o/ZI18mR/YE&#10;rVZr8ZRO/WN7gyjlNSJPZM/50WIhc0Wlx/yRr3Bn/pg9IlPuyh+zR2TKHdkzNPikBs7REBJ5I0eD&#10;Zil8lio95o+oKVflj9kjss0V+WP2iGxzRfYErVarsxYwW7/NH1ubRuQNbHWhmwfL1m+xx1IrPeaP&#10;fI2r82eM2SMy5cr86XQ6qwddmD3yZS7f96yrqzMkxDhUYkGzJ3wMHnkre46sCIIgaZr567aOZjJ/&#10;5KtcnT89Zo+oKVfmT9/gY/aImnL5vqe+wWcpYGLPzecHg0cKYvH8ZxvhEnsutpzYUU7mj6ieK/On&#10;z4XYQRdmj8h1+RPD7BE1cvW+pxoioTN/rlaroVar3fF+ibxObW0tamtrRV+zdVQTzB9Rs0jNn1ar&#10;NVR8+sfMHlHzSMmfpedg9ogcZs++pyAIUItVeMbTGDoi6/T5sCd45o1A5o/IMVLzBwkHWpg9IvvY&#10;U/8ZH2jR/2b2iBxj776nyjxsevppfn5+bik4kTfz8/OzmiNYOf2E+SNqHlv5EzvVi3UfkXNYy59W&#10;qxVdRqvVMntEzSRl31NPrTM74qn/0YfR2vnXRFTP+OilSqUymQ6jU8jMj3LqzMbzMX9E9rOWP0vj&#10;elj3ETmHpfzBKIPGvXx65gc9mT0i+9ja99RnTBAEy2P4LB0VJSJxlnrypCxn6YeIpLGWP0s7kKz7&#10;iJzD3vyJjdtj9ojsJzV7avOFGDwix4iFzjhslo5ymr/O/BHZz1b+jC/aYt6LwOwRNY+1/FnbIWX2&#10;iJpHyr4n9Kd0Wjq1hcEjks48dGJXKLO1DPNH5Bhb+RObn3UfkXPYU/+x3iNyHqnZM/Tw6XscGDwi&#10;x4hVYnqWehpg4Qgn80dkH0s7kcbjGsQyxbqPqPnM82c8bl0/Xez2RKz3iJrH0r6neSeDSQ+f2NEW&#10;IpLGOD+W7r8nNi/zR9R89uRPbBkwe0QOk5I/KXUhs0dkH6l1n4oVHpHzmOfHWmUn9hrzR+Q4S/mz&#10;taMptiwR2Ucsf5byJDYfs0fkGGv7nnoqiFR4xisgImnETlUxn25tOeaPyHGO5I/ZI3IOe/PH7BE5&#10;h9TsqcRCJ3VHlYgaieXGeHyQtd+W7k1ERNJY6rEzf2ztNWaPyDHW8mR+VWqxepHZI3KMtTPKjKeJ&#10;9vCxe53IfpbyY6kis3ZKGfNHZB978sfsETmX1Pwxe0TOJTV7alsrISJppOTFngqN+SOSTkpexO5/&#10;6ei6iKiRlKELUutIIpJOaq5Uxk/YrU7UPGJHLaUux/wRNY8j+WP2iJzD3vwxe0TOISV7KmuhZPiI&#10;pLOWF0s9C9Z6HJg/Iums1WNir7HuI3IeSxkTe81aA4/ZI7KPtcw0GcNn7wqcRa5g8wuFXMVZny3m&#10;j8h+zvhsMXtEjmnu54vZI3KMlM+XSmxGd3wwT5w4genTp7t8O56y3eY4duwYnn/+eYwePRoPPPAA&#10;nnvuORw9elTSsm+//TYGDBjg8jI6yw8XKvHU1iIM+/gSfrfxCr7+uVzuItnN3jwxf57N3vzl5ORg&#10;9uzZGDFiBAYNGoQpU6Zg9erVqKiocGu5HeFr+WP2PJs92Tt37hzmz5+PMWPGYMiQIZgyZQpSUlJQ&#10;Vlbm9nI7ypfyx+x5tubsdwJASUkJHnzwQa/Z//SF7DW5aIvYlcxc4emnn0Ztba3L1u9p23VUZmYm&#10;XnnlFahUKgwYMAC1tbXIzc3F4cOH8dFHH2HEiBEWl924cSN27NgBlcpiR65H+VtGKeZ+ewP6T52f&#10;AESFqvFo7zCZSyaNM7LD/HkWe/O3bds2LFmyBH5+fkhISEB4eDh++eUXfPrppzh48CDWr1+PkJAQ&#10;2d6PNUrLnyAIzVreVZg9aezJXn5+PmbMmAGNRoO4uDj07dsX+fn52LhxI/bu3YsNGzYgKipK1vdj&#10;i9Ly565l7cHsSdOc/U69xYsXo6SkxCv2P30le2rjmdwVOthxtTSlbNcRGo0GixYtglqtRmpqKnr1&#10;6gUAOHz4MF544QW8//77GDhwIIKDg02Wq62tRUpKCrZs2SJTye136KLGJHAjuwZjxeRo3Ncu0K71&#10;7Dldge9OlOO9cZGICDL9osm5pMGGw7fx5wcj0Tbcz4mlbySWIf2Op/lOqPm8zJ9nsTd/N2/exPLl&#10;yxESEoI1a9agZ8+eAIDy8nLMmzcPubm5SE1NxUsvvSTr+xKj1PwZZ878sfl8YutwBWbPNnuzt2DB&#10;Amg0GsydOxdTp04FANTV1eHDDz/E119/jZUrV+Ldd9+V9T1Zo9T8QaT+Y/Y8m6P7nca++uorZGZm&#10;urHUjlNq9sTqPs9vevuw7du349atW5g4caIhdADQv39/TJkyBaWlpdi7d6/JMllZWXj88cexZcsW&#10;xMbGylBqx6zLugXjr/r9z3a0O3DbT97FxH9exqofbmFs6mXc0TR+yR66qEHyugKsybqNUWsKUFRW&#10;58TSkxLZm799+/ahqqoKU6dONTT2ACAsLAzz5s0DAKSnp7v5XUjD/JEnsSd7+fn5OHfuHOLi4gyN&#10;PQDw8/PDs88+CwA4dOiQDO9COuaPPIUj+53Gzp8/j5SUFCQmJrqpxM3jS9lTyTGQNCkpyXDEIykp&#10;CUlJSU3m+emnnzB37lwkJydj8ODBePTRR7FmzRrRcTAZGRl49tln8eCDD2LIkCF45JFHsHz5cpSW&#10;ltq9XTEpKSlISkpCamqq6OtffvklkpKSsHTpUsO6BwwYgJqaGqSmpmLSpEkYPHgwHnnkEWzduhUA&#10;UFZWho8++gjjx4/HsGHDMHXqVHz33Xcm69VXUv/1X//VZJvDhw8HABw8eNBk+uzZs3HmzBk8/PDD&#10;2Lhxo6T35wnOFtdYfT33ssbmOp7YchXVDVnKuqTB2NTLKKvS4tBFDcamFqCsqv6zfvJ6Nd7Zc9M5&#10;BbeDHGMWxDB/rsmfTqdDXFwc+vXr12T+Dh06AA29gJ5I6fnzlKsBMnvOz15cXBx2796Njz76qMm8&#10;+r+Zn59rjqo7i5Lz5ylXwmX2XLffqVdTU4MFCxbA398fixcvlvQ+5abk7JmTpYdv3LhxJo/Hjx9v&#10;8npaWhpmzpyJzMxMdOzYEcOGDUNlZSXWr1+PmTNn4s6dO4Z59+/fj7lz5yIvLw9dunTB0KFDUVNT&#10;gy+++AIzZ86ERqORvF1LHnroIQDAnj17RF/fvXs3AGDChAkm0+fMmYPPP/8cXbt2Re/evVFQUICl&#10;S5fin//8J2bMmIHt27cjLi4OPXv2RH5+PhYtWoS0tDTD8ufOnQMA3HvvvU222blzZwDAmTNnTKaP&#10;HDkSGzduxKJFixARESHp/XmC6DDTCnnRnmJUVOtwtrgGD/2jEA/9o9DmOuYMb2XyPOuSBiP+XmAS&#10;OAAIDxQwo38LJ5beuzB/rsnfY489hi1btmDQoEFN5j916hQAeOw4IubPPZg912SvTZs2hoMqeuXl&#10;5YadYanvVy7Mn+sxe67b79RbvXo1Tp8+jddffx1t27aV9D7l5kvZE8rLy3X68z21Wq3ht1arRV1d&#10;HWJiYlyy4QEDBkCr1SI3N9dk+tmzZzFt2jS0bNkSKSkpiI+PBxqOHHzwwQf49ttvMXbsWLz//vsA&#10;gMmTJ6OwsBDr169H3759gYYxbC+++CJycnLw9ttvY9KkSTa3a8tjjz2GM2fOYOvWrejWrZthelFR&#10;ESZOnIhOnTph27ZtQMORFgDo1q0bPvnkE7Ru3RpouIhKSkoKACA+Ph6rVq0yvPbVV1/hr3/9K+Lj&#10;47F582ag4WhKRUUFMjMzERQUZFKeqqoqDB06FBEREdi/f7/FciclJUGlUiEnJ8eu9+tOx65U4chl&#10;DZ75v9dMprcL98OtSi0qa3V4Y2RrLJkQaXNdb+8uxrvpxRZfDw8UsHtWRwy+J8jiPI66du0a/Pz8&#10;oFKpDD+CIBh+o2E8g34cg/G9iMyzx/yZ8tb86c2ePRtZWVn4wx/+gFdeecWu9+5qSs2fcfb0P8aM&#10;b1DLus8yb8vejh07sH37dvz444/QaDSYOHEiFixYALW6yTXqPIIS82eePf2FO4zHFekzZ54/Zq+R&#10;N2UvOzsbzz//PMaMGYMlS5YYyuTJ+59KzJ7YjyGHTt9yM23duhW1tbWYN2+eIXQA4O/vj9dffx2R&#10;kZHYu3cvrl+/DgC4ceMGACAysvEfolarMWfOHCxYsAD33XefU8qlP9pifu7y7t27odPpmhxlQcNO&#10;nj5YMDsS89JLL5m8NnbsWADAxYsXDdMqKysBAIGBTc8nDggIAIxOWfFWeYVVGL2mAD9frcLUvuEm&#10;r10tq0NlrQ5JHQIxf1Rri+swtnhsG7w1WnxeVwZOKZg/5+dv06ZNyMrKQkREBJ588kmb87sT8+c5&#10;mD3nZC8zMxPZ2dnQaDQQBAHFxcXIz8+34x27D/PnGZi95mXv9u3b+POf/4zo6GjMnz/fgXfqfr6Y&#10;PY9r8B05cgRoOCJiLigoyHA+9LFjxwDAMF7m6aefxpo1a3DixAnDWJpHHnnE0AXdXOPGjYMgCE26&#10;1/fs2QNBEES76RMSEkyeGwetR48eJq/pT7+srq42TNOPO7B2eXFvuvqTubzCKiSvLUBJpRYpmbcQ&#10;20KNv0yIRPeoAAT4AV1a++PNUa2x/9mOTa56ZM2EHmEIEBmyERcZgIS2Ac59EwrD/Dk3f//617+w&#10;YsUKqFQqLF682GQHQW7Mn2dh9pyTvRdffBEZGRlIS0vD9OnTkZWVhVmzZhlOq/YUzJ/nYPaal733&#10;3nsPN2/e9JqhRL6aPY87x+Hatfqu1VGjRlmdr6ioCGi4HPOcOXNw9uxZrF+/HuvXr0fr1q0xYsQI&#10;/O53vzPpBrfmrbfeMnmu/7DrL+UcFRWF/v37IycnB6dOnUL37t1x8eJF/Prrr+jbty/at2/fZJ3m&#10;H3z9OlUqFcLDw0VfMxYUFITy8nJUV1cbjqzoVVVVAYDVS+N6smNXGgOnt/Q/pfjk0WicfM3xL8us&#10;ixqMS71sGEBr7GhhFcalXsauWR0QHuhxxzo8AvPXqLn527Rpk6Gx984772DYsGE2/w7uwvx5Hmav&#10;UXOypx87FBISgueffx7+/v5Yt24d1qxZgxUrVkj4i7ge8+dZmL1G9mYvLS0NBw4cwLRp07ziJuu+&#10;nD2Pa/DV1dX/tYwHuhrTf0A7duwIAGjfvj22bNmCnJwcfP/998jOzkZBQQG+/vprpKWlYcmSJRg9&#10;erTN7e7atUt0uvG9eyZMmICcnBykp6eje/fuFgfNoiFczb3hZFRUFMrLy1FSUtJkAGxJSQnQMFjd&#10;2xy7Ut+Vbhw4AFgyPhL/M7ilw+vNbrg60p2qxvUG+MEkgAcbQil38DwV89eoOflLSUnBxo0boVar&#10;8d577yE5OblZZXEm5s8zMXuNnFn3TZ48GevWrcOJEyeaVSZnYf48D7PXyN7s6S+MVFRU1KQBi4Zx&#10;mwsXLmzyvuTg69nzuAZfZGQkioqK8MILL0geuKtSqTBo0CDD1fEuX76Mf/zjH/j222/x8ccfSwqe&#10;lMG0o0aNwl/+8hekp6dj9uzZ2LNnD9Rqtct25rp06YLz58/jwoULTYJ34cIFoGGArjf5UeToCgD8&#10;9aEovDqilcXlpJi8odAkcOGBAnY90xE7TpXj/X0lhukHL2rw1q6bSJkc3aztKRHz18jR/C1ZsgTb&#10;tm1DcHAwPvroI9GrdsqF+fNczF4je7KXm5uLnTt3IjEx0TDmyZi+l6Kmxvrl192B+fNMzF4je+s9&#10;/RVJ9+3bJ7o+nU6HnTt3AjI3+Jg9GcfwWTo/WH9u9A8//CD6+uzZszFjxgwcP34cJSUlmDZtGp56&#10;6imTeTp06IDXXnsNMOqqt7VdKUJCQjBixAhcvnwZ+/btw4ULFzBs2DCXnbOs/yLJzMxs8lpGRgYA&#10;YPDgwS7Ztiv8eKUKo9cWIMRfZXKe87KJzQ8cADzaO8zwOCxAwM5nOmBI5yC8Ny4SC4wG0wb4ARO6&#10;h1lYi29g/mxzJH+pqanYtm0bWrRogbVr13pcY4/5kx+zZ5s92SsuLsY333yDzZs3i97bTb+Onj17&#10;uqSsUjF/8mP2bLO33svNzbX4g4aGsfFzOTB79WRr8OmPupWXl5tM//3vfw9BELB69WocPXrUMF2n&#10;0yE1NRVZWVkoLCxEXFwcWrdujaqqKhw/fhzbt283WY9+kKv5IFVL25VK342+bNkyk+eukJycjBYt&#10;WuDrr782+Vvk5uYiLS0NLVu2dOn2nW3yhkIUV2ixcko0RnULAQCsmBSFV4Y3P3AA8PEjMfjToBaI&#10;CvXDrlkdMLRz43nm742LxJ/HtEHLIBX+35OxGBsf4pRteivmzzZ783fy5EmkpqZCrVZj1apVsu9g&#10;mmP+PAOzZ5s92XvggQcQGRmJ06dP45NPPjG5oMSRI0ewfPlyAGiyg+5uzJ/8mD3blLbfCWbPQLb7&#10;8E2bNg2//vorunXrhk6dOuHdd981XAZWf7EDAOjevTvatWuHM2fOoKCgAIGBgfj4448N9z45evQo&#10;nnvuOdTW1qJ79+6IjY1FUVERjh8/joCAAKxduxa9e/eWtF0p6urqMGHCBBQXFyMsLAx79uxpMrDV&#10;2r1H7H0tPT0d8+fPh0qlQv/+/aHT6XD48GEAwN/+9jcMHTrUank96T4oQ1dfwsGLjTckXTUlGrOH&#10;On7etKfxpvvwMX/Oz9+rr76KAwcOIDo6GomJiU3Wbz4g3918LX+eeh8+Zs/52Tty5AheeuklaDQa&#10;xMbG4je/+Q2uXr2KU6dOQRAEvPzyy5g2bZrk9+oKvpQ/T70PH7Pnnv1OKdt1J1/Knkfeh2/hwoXo&#10;0aMHLl68iNzcXFy+fNnw2uOPP441a9Zg2LBhuHr1KjIzM6HT6fDwww9jy5YthtABQGJiIj799FOM&#10;GjUKt2/fRkZGBoqKijB27Fhs2rTJJHS2tiuFn5+f4d4lycnJTULnbMnJyYYvmmPHjuHkyZNISkrC&#10;unXrJIfOU3wzIxZ92wdCJQCfPKqswHkb5k8ae/KXl5cHALh+/Tp27drV5Gfnzp2GsQxyYP48A7Mn&#10;jT3Zu//++7F582Y8/PDDqKqqMvwtRowYgfXr18ve2APz5xGYPWmUtN8JZs9Ath4+8k01dUBpZR2i&#10;w0RuVuLlvKmHj3yTL+XPU3v4yHf5Sv48tYePfJevZM8je/jIN/n7QZGBI/IGzB+RfJg/InkwezJe&#10;tIWIiIiIiIhciw0+IiIiIiIihWKDj4iIiIiISKHY4CMiIiIiIlIoNviIiIiIiIgUig0+IiIiIiIi&#10;hWKDj4iIiIiISKHY4CMiIiIiIlIoNviIiIiIiIgUig0+IiIiIiIihWKDj4iIiIiISKHY4CMiIiIi&#10;IlIoNviIiIiIiIgUig0+IiIiIiIihWKDj4iIiIiISKHY4CMiIiIiIlIoNviIiIiIiIgUig0+IiIi&#10;IiIihWKDj4iIiIiISKHY4CMiIiIiIlIoNviIiIiIiIgUig0+IiIiIiIihWKDj4iIiIiISKHY4CMi&#10;IiIiIlIoNviIiIiIiIgUyisbfIcOHcKYMWMgCIJX/owZMwbZ2dly/xmJHML8EcmD2SOSB7NH3k4t&#10;dwEckZKSgvT0dLmL4bD09HTExMRg4MCBcheFyG7MH5E8mD0ieTB75O28sodv3759cheh2fbu3St3&#10;EYgcwvwRyYPZI5IHs0fezisbfBUVFXIXodnKy8vlLgKRQ5g/Inkwe0TyYPbI23llg4+IiIiIiIhs&#10;88oxfOb8/f1RXV0tdzGsCggIQE1NjdzFIHI65o9IHswekTyYPfI2imjwERERkWNqampw7NgxHD58&#10;GMHBwejfvz969eoFQRDkLhoRETkBG3wNSivrcLTwLm7cNT0aEhXqj8TYULQK9pOtbERKdra4CjkF&#10;5Th9U4Narc4wXa0SEB8VhIGdwnBvq0BZy0ikRAcPHsSrr76Kw4cPN+kJCAkJwejRo7Fy5Up07txZ&#10;tjISKRXrPnInn2/wlVbWYUPuDWReKLM63wNdwjH9/ii0CGLDj8gZSivrkJpzHVmXLA8k//FqBb76&#10;qQTD7w3HjCTmj8gZKisr8eabb2LlypXQarWi81RUVODbb7/Fvn378MEHH+CFF16ASsVh/0TNxbqP&#10;5ODTDb69+bexIfcGNLU6m/P+51wZDhfcxTMDojCiS4RbykekVGeKNXh//xXc1tRJmj/jfBmOX6vE&#10;wtGx6NQywOXlI1KqyspK9O/fH8ePHzdMGzNmDPr374/ExERUVFQgLy8PGRkZOHLkCCoqKvDyyy/j&#10;wIEDSEtLk7XsRN6OdR/JxWcbfFt/LMZXP5XYtUxFjRYrf7iG25o6TO7ZymVlI1KyC6XVeGv3ZVTX&#10;2T7QYqy4ohZv7irAsoc7ISbM32XlI1Ky119/3dDYi4mJwaZNm5CcnGwyzxNPPAEAWLt2LebNm4fy&#10;8nJ88803SE1NxaxZs2QpN5G3Y91HcvLJ8zPyrlTYbOzdHxuKF4e2xbzh7TCyawRURmPXPztyEyev&#10;a1xfUCKFqajR4v39hVYrvB7RwXhnTAds/UM3LH2oE8bHtzBZ/t19hajR2ldhEhFw4MABrFq1CgDQ&#10;uXNnnDx5skljz9if/vQn5ObmIiQkBAAwZ84cXLhwwW3lJVIK1n0kN59r8Gl1wPqc61bn+X2fNlgw&#10;qj26tQlEVKgaLwyJwewhMSbzbMi94eKS0hd5ZahpOOuholqHVZm3MHjVJbR5+wz8XjuNCesL8UVe&#10;GaoknJJLnuGfh2+guKLW4uvRYWq8PToWPaKDkX9Tg5bBfpg1IBoPxjVWfFfu1ODLH4vdVGLfxfwp&#10;z9KlSwEAgiBg8+bNaNXK9pkq8fHxWLZsGQDg7t27WLt2rcvL6euYPeVh3ecdlJw9nzul89Clclwt&#10;s3xfEpUATOrREieva/DnvQWo1QKzBkRjfHwLbDx6E6WV9Z+EM8Ua/FxUid5tg91Y+uY7ceIEunbt&#10;isBA51356emvinDltuUvsiYEAZN6huK5IS2tzvbElqv47kQ5Zg5ogce3XEVRmek57zt/vYudv97F&#10;/JZqpE2PRb9YXs3Kk5VVabH/7B2r8yR3a4FAtYC/fH8FOQV3EeKvwvr/0wVDO4djT/5tw3zfnbyF&#10;x/q0gVrlXZeNZ/5ITpmZmQCA4cOHY8iQIZKX++Mf/4gFCxagpKQE2dnZLiyh6zB7JBdfr/uYPc/g&#10;cw2+/z1vPXQtg9QI9lch/2YlahsuXnbyeiXGx7dA+4gAlFZWGub94UKZ1zX4jh8/jtOnT6N79+6I&#10;i4uDn1/zr/y04bD1v6kltoKn1QFbjpVhy7H6K6h2bqXGxJ5hGNApCMH+KqzPvoU9pytw6VYtBq68&#10;iL1/6ogHunjX/8OXZBdYviKZXpuQ+q+kX4rqc1ZRo0XBrSpEhpp+VVXX6fBzUSX6tQ9xUWldg/kj&#10;ueTn5+POnfrPyoMPPmjXsiqVCiNHjsS2bduQlZUFrVbrdVfsZPZILr5e9zF7nsHnGnxnblZZfV3s&#10;PrPHrtzF2uzrOHm90mT6rzcqm87sBWpqavDzzz/j7Nmz6N27Nzp16iR3kcTpe8wFoFWQCj+9ci/C&#10;gxr/Qf/dOwzZlzSYsP4ySiq1eOKLqzj+ameEB3rXjoivOF/i2LjXzXnFouMW8m9qvKrS02P+SA5Z&#10;WVmGx2PGjLF7+eTkZGzbtg2VlZU4ceIEEhISnFxC12P2SA6s+5g9T+D5JXSy8uqml8L1E4DOrQLQ&#10;KyYYAX71/9jIUH/0iglGRKAfyqu12H36Nsxzd9PK+djeoKKiAtnZ2UhPT8eNGx48JlEHlFZq8ftN&#10;V5qcNz2wUxB2/7EDAv0EFNyuxfrs2xZXQ/K6Y+Ey1K2C/dAjOhixEY1XH+sRHYy4yCAAwE9FFU0O&#10;tgDA9XLLp2Z7A+aP3Mn4fnuOnFoVHh5ueFxdXe20csmB2SN3Yt3XiNmTj8/18JlfIWn4veH448Bo&#10;hPjXt33fSS8EAAy5JwxD7gnDL9cq8faey6LrqlPI1ZJKS0vx/fffo3379ujTpw/CwsLkLhIAYHz3&#10;UJRXaaGp1SEkQEBFjRZFZXW4p5XpxzapQxCeTIpAavZtfP1zOeYM5y0zPJF59qLD1HhhSFv0iqk/&#10;HeKA0RiHBaPaAwDe338FRwrviq6vlvlzKeZPWfr162d4fPToUdx33312LX/06FGg4fTO3r17O718&#10;cmD2yB1Y9zXF7LmfzzX4jP0mMggvD2sLTa0OGefL8EtRheHISeaFMuw+fdvqzTFbBSvrz3flyhVc&#10;vXoVXbt2Ra9evRAQIO9NPnc8Eyt53gd/E4rU7NvIKfDO02x9jUoAXnugPbq0DsTpmxr8dLUCZ4o1&#10;GNix/kv/619Kcbe6DidEjm7qmY9t8HbMH7lSQkIC/P39UVNTg7y8PEyfPt2u5fPy8gAAvXv3hr+/&#10;su4FxuyRu7DuM8XsuY9yPjUOmNC9JbQ64LUdl3D5dv0pKvqBs8UVtTh+zfo/MT7KOwZq2kOn0+HM&#10;mTO4ePEievTogbi4OK8YnH+3uv50pdAAzy8rAQkxIejSOhDfnbyFfxrd4qSx0itBRY3WyhqArm2C&#10;XF5Od2P+yFVUKhX69OmD3NxcfPbZZ5g7d67kcTSZmZnIyMgAACQmJrrD2PpfAAAOrklEQVS4pPJg&#10;9sgdWPc1xey5h3eU0kViIwJwvbzG0NgDYLjUbZ31vAENp4MqVU1NDU6cOIFr167JXRRJsi7WN85/&#10;EyXv0SGSpmPL+v/T4cumVy/zbxhDa+uUFZUAJLYPdWEJ5cX8kSssXLgQAHD79m2MHz8epaWlNpfJ&#10;z8/HpEmTUFdXh5CQEMybN88NJZUPs0euxLrPMmbPtXy6wXe1rBrRYf6IDmvs6Ly/Q32QTt+03rvX&#10;qWUA+nrZVZKkEgQBXbp0wfjx49GuXTu5i4OCW7WorLH8JXj1Th0+y60/B358d2V+ESqN/iDLfe0a&#10;MxSkFtC7bQgu3qpuMubB3ITuLRGo9p77ENmD+SNXmTRpEhYsWAA03BurZ8+e2LVrl8X5//73v6Nf&#10;v36GhuHGjRvRs2dPt5XX3Zg9cjXWfeKYPdfz6VM6//VLKQZ1CsPyh+/BwYvlaB2sRt/2IfipqAK5&#10;l8UHy+o9MyDabeV0p7Zt26JPnz6IiIiQuygAgPMlNUhacRHhgSp8+lg7jOhqehptUVkdJm24jMpa&#10;HUL8BfzPYOv3WCH5GN/y5OeiChy/Von/TmiN+KhgnLhWicTYULQI8sO67OtW19M23B+P94t0fYFl&#10;wPyRs+Xn5+Pjjz/G/v37UVhYiIULF+Kpp57CZ599hqKiIowfPx7JyckYMGAAEhMTUVFRgWPHjuE/&#10;//kPjhw5AjTsjH344Ye4desWBEFAu3btMHXqVDzzzDPo0aOH3G/RKZg9chXWfdYxe+7h0w2+86VV&#10;eG3HJUxPisLQe8Jwt1qLf58oxdYfi5vcgsHYk4mRSIhR1vi9li1bok+fPoiO9qyG7C9F1Sip1KKk&#10;UouRawowoXsoHuoRip4xgcgr1OD9fcUortAiWC1g+8wOiA5r/g09yTV0RpnS6oAPDlzBaw+0Q592&#10;IUiICca5kiqs/KEIhy5ZvkltsL8KC0fHGm6fohTMHznbjh07sGLFCuzdu9dk+pw5czB37lx88803&#10;eOaZZ3Djxg2kp6cjPT1ddD3x8fHYvHkzcnNzMXPmTADA1atXsXz5cixfvhzDhw/HokWLMHLkSLe8&#10;L2dj9sjVWPeJY/bcy+cafGqVYHKO9IXSaizaWyh5+ScSIzGll+dfflWq4OBgJCQk4J577oEgdtd5&#10;mU3sGYqM5zri8S+u4tKtWuw4dRc7Tpn2vraP8MM3M2KR1EFZA5mVRmX2+aqs0eKd9EJEhqoR6Ceg&#10;8I71ewu1CVHjrdGxaBeunCsEMn/kbCdPnsRvf/tbHD9+3OI8y5Ytw+7du/Hll19ixYoV+Pe//91k&#10;HpVKhTlz5mDhwoV44403sGbNGqDhfnwtWrTA5cv1tyvKyMjAqFGjMH78eKSmpiI2VvpV7uTE7JG7&#10;sO4zxezJw+cafIPvCcP/ni+ze7n7Y0MxpVcrw31TvJ1arUZ8fDzi4+Ph5+fZRyf+695gnHj1XqzM&#10;LEXGuQrkFVahqlaH3u0C8VCPUMwc0AKRoZ79HgiIbeEPFDSdfvNurc1lh98bjqf7RyEiUBn/Z+aP&#10;XCEnJwfJyckoK2us4yZPnoxnn30W48aNw5IlS/Dmm28CAH755ReMGjUKI0eOxOrVq9G5c2eo1WpE&#10;RkairKwMd+7cQWZmJvr27YsLFy4ADY29vXv3YuDAgUhLS8OyZcuQmZkJANi5cycSEhKwa9cuDBw4&#10;UKa/gG3MHrkb6756zJ68fK7B99ygGLQN88fJ65WwNjQ2NECF6DB/dGkdhH7tQ9AiyLv+sZYIgoDO&#10;nTsjISEBQUHOOTLRLtwPV8ss369QTPsI+/6eoQEC5o9qjfmjWttZOvIUv7uvDcqq6vCfc2VWB6YL&#10;ANqEqtEu3B+9YkIwoGMYOrfyjqtg2cL8kSvNnj3b0Nj77W9/i6VLl5rcemH+/Pno2bMn5s6di7Nn&#10;zwIADhw4gAMHDthc9+OPP44PPvgAHTt2BABMmTIFU6ZMwe7du/HGG2/g2LFjuHXrFsaNG4dz586h&#10;VSvPOhOG2SO5+Hrdx+x5BqG8vFyn0+mg0+mg1WoNv7VaLerq6hATEyN3GZsIDQ1FRUWF4bm/vz+q&#10;q6utLiO3gIAA1NQ0dtuHhITg7l3rF4ZxBY1G47TAkalr167Bz88PKpXK8CMIguE3Gr74BEGAPnNo&#10;uAeNefaYP+di/pTPPH/G2dP/GNNnUCl13+nTpxEfHw8AmDZtGjZt2mR1XZ9//jlWr16Nw4cPW51v&#10;+vTpeOmll9C3b1+r873xxhv48MMPAQDr1q3DrFmzAGbPZxjnzzx7+nuq6XQ6Qw71mTPPnzdmz1Mx&#10;e75BbN/TfD9UEATf6+HzdQwdkXyYP3KVrKwsw+OpU6fanP/JJ5/Ek08+iePHjyMtLc2wYxgQEICY&#10;mBh06NABgwYNQosWLSRtf968eYYG38mTJx1+H67C7BHJg9nzDGzwEREReblDhw4ZHtszhq5Xr17o&#10;1atXs7cfGRmJiIgI3LlzB6dOnWr2+oiIyHkU0eCrqanxyCv9EPkC5o9IHmLZi4qKQmSkPPfq6tq1&#10;K/Ly8rBz505+J5Cisd4jb6OSuwBERETkHHLe06pt27aybZuIiCzzygZfWFiY3EVoNiW8B/JNSvjs&#10;KuE9kO+R8rkNDpbv1kGhoaE252H2yBsp4XOrhPdAjvPKBt+kSZPkLkKzTZkyRe4iEDmE+SOSh5Ts&#10;hYSEuKUsYqTsUDJ75I1Y75G384oxfPrL1+u99dZbUKvV+Pzzz00uk+sNQkNDMWPGDLz++utN3hfP&#10;BydPxPwRuZ/55xMSs+epDT5r2QPzRx6G9R4pjcffh8/Pzw9arVbWMriTWEVI3kGJ9+Fj/shbKO0+&#10;fI7uiC1evBgLFy50enmkWLRoEd555x2HlmX2vJuS7sPHeo+8idT78HnlKZ1ERETUVF1dnWzb9qWd&#10;ZCIib+IVp3QSERGRbRs2bMD3338vy7bPnz8vy3aJiMg6NviIiIgU4tKlS7h06ZLcxSAiIg/CUzqJ&#10;iIiIiIgUyuN7+OQcj0Dk65g/InnwQgpE8mC9R0rEHj4iIiIiIiKFYoOPiIiIiIhIodjgIyIiIiIi&#10;Uig2+IiIiIiIiBSKDT4iIiIiIiKFYoOPiIiIiIhIodjgIyIiIiIiUig2+IiIiIiIiBSKDT4iIiIi&#10;IiKFYoOPiIiIiIhIodjgIyIiIiIiUig2+IiIiIiIiBSKDT4iIiIiIiKFYoOPiIiIiIhIodjgIyIi&#10;IiIiUig2+IiIiIiIiBSKDT4iIiIiIiKFYoOPiIiIiIhIodjgIyIiIiIiUig2+IiIiIiIiBSKDT4i&#10;IiIiIiKFYoOPiIiIiIhIodjgIyIiIiIiUig2+IiIiIiIiBRKtMEnCILJbyKyTUpunDUPEZmSmi1m&#10;j8j5pGRHpbLcx8DsETlGat3HHj4iIiIiIiKFUvFoCpF7mGeN2SNyD7GsMX9ErmcpZ8wfkXuxh4+I&#10;iIiIiEihDA0+87ENPPpCZD/zDFnLlD3zEpFtUjPF7BE5n5RcMXtEziclV016+Bg+Isc4IzvMH5Fj&#10;mpsdZo/Icc3JD7NH5Dip+VGJzcDAETnO3jwxf0TOY0+emD0i55KaKWaPyLlsZcriGD6Gj8h+zsoN&#10;80dkP2fkhtkjckxzs8PsETlGSnZU1u5LxPARSefI/Yek3JeIiGyzVo9Zukon6z4i57B2JVxLPQ+8&#10;ei5R80k9i6XJRVt480sixxnnx9ZNns2XY/6ImseR/DF7RM5hb/6YPSLnkJI9q7dlYPiIpJO6c6lS&#10;qSTPS0TSSDqlRaWy2qtuz7qIqJGUxp2Uuo/ZI7KP5H1PWGgZ2tM7QUSW8yP1tBbmj8hx9uSP2SNy&#10;Lqn5Y/aInEtq9lTmoTOfSafTyfQWiLyHTqcT3bHU9ybYqvSMex2YPyL7iOXPvE4zb/Cx7iNyDvP8&#10;WavfYKFeZPaI7Gdp31N0f9T8BfMFNBqN+0pO5KU0Go3VHUprmD+i5nE0f8weUfM5kj9mj6j57Mme&#10;Wn80xfi3/ken00Gj0UCn0yEoKEjS2AciX6LVaqHRaFBVVWW1S938McyOZDJ/RPaTmj+xnU7WfUTN&#10;IyV/thp8zB6R/ezZ99QTqqqqdDqdDlqt1rAS/XOdTmfyWKvVmkwX+0FDgI1/E3kLKeML9D/6C0AI&#10;RoPRjR8bTzMOonEXvHl+mD/yZc7OHxpOH7O008m6j6iRM/Nn/Nx4/cbZMM8Us0e+yhX7nuZZVOs3&#10;plKpRM8F1el0UKlU0Gq1huBKDZ75YyJPJtYbZyt0xhWatXmN6bNma7tg/siHuCp/YtswzgXrPiLn&#10;58+8Z854ncZntgiCYDjowuyRL3JH3Qf9KZ16lga+m4fP0aMsDCF5GrFQ2HukxdI8xtOlbJ/5I1/j&#10;jvzBbCdTbNvMHvkiueo/Zo98nbuyZ7wdtdjGjB/rA6cPnz1HWcSeE3kqS70B1kKnf13s9E2x9RlX&#10;ZMa5Md8+80e+xtX5s3ZqGbNHvs6V+RM78GLcy2c+H7NHvsRd+55qsY2ZTzPfOdWH1t4udYaQPI2t&#10;z76l4IlNs/Zj7bPP/JGvckf+mrN9Zo+UzNX5s7QNKdtm9kjJ3LXvacxwSqdxtzqMwqY/t9qYzuiq&#10;Ssah41EW8naWjoyYvyYWLEsXaYFZ74LxmCHBbDyD+TzMH/kSV+TP1o4n6z6ieq6q/4wzY9yQM98e&#10;s0e+ytXZg9gYPvON2zp32nx+a2FjEMnTWOsBEAsgJBxdMV/GeDnzjOnMrthpvi3mj5TMnfmztn5m&#10;j3yRu/In9vm3NqyB2SOlk6PuM7kPn9RCinWnm/dSiIVM6jaI5GQtbBBpxFnqVbDWy2DeCGT+iOq5&#10;Kn/mB1eYPaKmXFn/WboirpQyMXukdK7e91SLnQdtrSD2VJBE3shW6MyvjgQLIbPUyHNkx9O4whNE&#10;Br7ztBZSCimVHhzIn/HtUIx3PJk9okauyp/Y+pk9okauyp7hd21trSEhYudF25pmvqyl50TewloF&#10;JRYk4wYgrFR25r0NsJAh5o98mb35kzJNbL3MHlFTrsyfecMNzB6Rgavrvv8PkewEYgzT2W0AAAAA&#10;SUVORK5CYII=&#10;"
+       id="image1-35"
+       x="395.12466"
+       y="387.88336" /></g></svg>

From cb2ae7c33e476b03f7add65359725d76b9fe0bdd Mon Sep 17 00:00:00 2001
From: "Michael N. Lipp" <mnl@mnl.de>
Date: Sun, 30 Mar 2025 21:32:55 +0200
Subject: [PATCH 258/274] Update.

---
 webpages/VM-Operator-GUI-view.png | Bin 42919 -> 70852 bytes
 webpages/admin-gui.md             |   4 ++--
 webpages/index.md                 |   2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/webpages/VM-Operator-GUI-view.png b/webpages/VM-Operator-GUI-view.png
index 0463cc58f2e4739353d8fa5505920254691db7ba..dbda8005f36256b7aef1db2f05c8b29ac3fac914 100644
GIT binary patch
literal 70852
zcmcG$1yq&m_bt2u1wl|sNkNd7mX?wRk&x~ZC8Qfkr6oiqrMpv7Iu($T5)=duAR*l$
zcfFo-e)rz*`;TvY|8d9N<DBCW_TFzi&suA)Ip=yqRg`4$aL92`C={N&oYX@U>H;1L
zh4%3hCj5lnnCJogaluJKUi}ihye>TofxnYEOKUr;**$i4GjTLWJ+Za3F=ul!b2K-%
zb+WK?-oR)UMWJq@<fZPZyC<!E_wZ8GI>*`^P`s`qPfJ^^8<wZSa*sPCIm<Lx>V<GD
z&TufH4|7#aHJ!$!EL$-#n@v^u$gno;1r3&$GF61-Z=|Fi%{*B=2=4o(xX6$oW%_*J
zWUr^UuW>2mB>ApeSJH;al78sJeD&ucf4}mG^P4bk(*Aj6Ooqy1{QbYQgq>Mv1b@Fm
zxf{Gss+-LIeV49WTPS|$-yfI54Q9mu`)$!o40!*1sT}beOsT(LbYcJHSDFs{{qtTa
zE=%!$-kTB6^UpD8RTatqzrVJpEXQs0WE9=YjTY-+DB+#pkw7!2%*1K>e@<Eh1G!2~
zw`?4GdzNa{Owg0ro?o;~#LBVvv&9dpyW+V&5*p}IXdT%8b0vA?8rH+&=@%lU7R~gu
zuiMg-NUF+we#ksnm(7(^uh-I<uH^D7<<Ci9LcNNQ578*pq@kz3_$61l`$y}Gy&De$
z=jP^&pFRzbWz&n*VYq$!avX<I*L-&r*Q1ZGo{&>FCKb?I-qb>MXY6c!E@%DbrGjf<
z{Z_$mT#u~viQh#}!9-yj(!cKn%5OmIoN~td;07v9r}FVcja_P!WWk`@jCU~diz`>I
zY;JD0q}_XA{Nzb+U!S6stgIw^TzgLs4zk9Hyw+tFL$uz(r^6~NF|Xw4s;Zk3ch!k#
zdakw1ifwcH>`Ag7vESf-?V?PYmi449dsW(fqp&-^Y>_5XW+~?D-FxP{KZopHU4tqs
z@A#bj;veEx$R=E0Uzezxs<FEqrQu7#_jGWwe_%j4vo8Rf$k~^Rp7z$Q@<*Qtac>9_
zi+Jw(y?aN|6+sc~vN}d1C|EbVH>!DbbTm<6{<5i^NlR6gVA^w)ZEdpZ{!IGM<hVGJ
zq~v64XX@TK4q0(=@rd;oaF^w@igl|9sqP92F7w9rguQ&(e!REJ<+`SQ;lhO<FFBh0
z-n=0?KG?X*$jC@aO8WC|2Y0@Yn_-=!^pcHIve3mRPoB^*Flbt)7W~?nZqzF_N4v?!
zhPSgcAp7v)!x+=T<>QpVTm^E<m;K$_1_h7qjoxKtiV^>IX6jXT>qfWPb}!pq`yb-7
zTcJdZQoZ_3US#?C`6$0?o2d+sokd;qjLb~ll->o$j;=1vt!pTpK=ga}?rrYvNn2Pj
zy?*^#MMcH$+c$mvW}h1$Tz|EFjK1aYb1<D{BeNQ=tR<eyY;$kiX!Y(}$BS54x5UJ#
z?Hc!Dn<PD$`;r8Sp7bZR=BwrI-oQb2vaqo5V3s@)DLMIE^Z8k6Q~MBX>wxrh8qb6E
zh$yk&q_R;|fti`N_BUp(!i!bA43(aq{;|J*%q=g2kdV;+*Cg-zr(X$A4mNxrpZprm
zz6{q86of~iX|00_iHMMf4aX~`b7xQFva-uTK(j50MEV6UT(>kOAC~=*gfR8GYp9kE
zIsZ>btLa5%{-t3v{x!~6eV5hJdAK{ZdUPai7`{%<)7wQUnBDQpjt_0Ny=H13R}svD
zOC?OIS7UoofxNV{vy+o&#EXnkIfa<&Dmjnb`;_MM-xRPTIJrD3N^5Hc{#snrJkoyp
zwc_Fjw+)}|$p?y@rX81@e-5I-XG6lnJ4%~>hh=2YvKlo}UcY|*C&XOLLAKpHe!G&r
zMuzoobuWHR)tC)sNON+}-ME_)2-jyilBcTO=*g?EuOBdQ9q!~%Wtut*0R_cNh6jl)
z5Ge=i-zAlluDn&Chp_$e<A)!_5gj9AChXa=ii%;kkL03fyK3*P$FFopQ3q#dXOA79
zo_Zw-dl15PAS>|H#%AkR&5Y@Amb_=ER$sbg@L;u#9xfU81-<I0tqmSK##UCk^C!i6
zHS9vLZ-1FDhvu$W+8=4spwjLqH*ZCHu_fXCZuHz>Y7BD=6O-1O7ehnM<N9{p-L8s{
zZpL9#q(VdCX8Tc#b|OD{TJ|8bzXDlH_(n|BqeqW!val!=h9AfD56i#s+*?6IL6q=%
zUeEKS${W+_f_IhKOuacQE-ET>T2eYZIcfj?{YFYkiguHi;O~RxbL{USqQ4K#h_A<<
z3oS3NeXApqk&zkb4B+Q@O>j%*CNJ-`;H%VQZcMO4c3(&LF2oDDuzdUeeRgi{IhR@2
zO%ahBj&+oGp7cvK`<x-mb$EQNxvX%eW#paB`<Kq%!Kjvzh|6hUVBqHNZbznU6h0v#
zt!~$+PuR$392~e_zj@=ba-{dgq448^Bc-6@1?~jg7npbwhK5v;)MD(quHz*Jq<l|F
zA90gC9!O!^C6txdD}gN)5*q4XQ^T)sV8CVjO`xNr<0c>9_37#9pF^2g4ULUkkRdNk
z<pojZQOQb6o17kQ*}J#|Mnzqno1d@hL2o(QSqc>T{{1@vF>%22=jb$4zP`SwmNJv}
zfZ3)3q5WS|!TuOnrW0i*a>~lGCMGm|Hj@FWnKG@NofmCwZR2^Zufu-nDZWZCU;645
zemL13OgL}I^5eCnhGU|=Y6ctLF>f$0N{gSK(W1oPc3eXZs*>F*@-;ZhBA_xKod1NL
zP53qEGb)t0_^lQi$|l^lolfkcU~F+(#~b;ZbL-b`HRqkCUs;hPZfkGn9W!Y5F%Uqb
zym4cw*1;@d&(+mcLW_8h28WAF*>qzhU(NjL#Vb_8m!v;=)1RH54rWMSF6RFJ!L56u
z+|2*A1M7<9ZFRdONU>DH?tX!nN!mVt#ydMX=w?jyqCL*e5z239X!x<R5+>?>{NuaZ
z%(Vv@dE?Xs1Zc|2${!zbN7(8zGcz9^&PQ>19opB{*JrqGOviJYpu7H>q;KHUFn}fc
zQt;vZZLJbxh(0JvelK5M78VgHw;E;n*6iD?u%#j6=_z!DS~T3S(KB5snbB?O5-x54
z6qf!}u~LoS+Y7x=XpoW>;0~u^zdFX&mv9HG(Q~iO4-KQtbI*$S`gK|^E`r~`f7?4b
zwYT_Vlshj!EWTPKkuEMLcL^4p=FO)ci;F>S(;irmI|;ncHk!{xAwhFl4%5LkASLM?
zpUv=L+px5ck0{^MiJO#?)YR1a_0IC|;aghPzkirrSh$#=802$y+&VKujg5^hk<dfQ
zk8<A|)q=~q>~(&2pv?OS0Sb8xU#F(DJl`Ql+i2K{?C&k?86GCg$;r|F;K~*j7REE?
z;o)HdIiak&daSPL$+ZKx>#q_MaopV8cq|4{-|Jn7Ze*0XtZI5~b&??ad#uFZG6e;N
z*YR>Lxj8Y;#aLFI=jCSIroSeuUiB^jj%*puzK>MCBK<nTgoFg`ibwJZTgYFC7!<{g
zjc-CAm78|r6mwfzT5cX3$iBSJwt2LaYBpA+bGQ&^6p-=@wYmOb10D7J`SXCwoh)}<
z*IFvfdpV!&Kh@UJnazw6ZA%e(#tFB}>u4cPyVjlt$*7$#NiH`>^cL9l#<IbZbs)>(
z`b)QAf6`jJ%-DZSC207BRoSKSKtqXKze(p(-JHCn*km4~3XA0+fijgW#YYrMK~B}!
zI8ti9+P-B5s^{y%kNnm5GPY-eyvrp*o9(Q91QgVoJ-xR7l8=xn_T<YcD(oxh@GI~y
zR%Zze(pc(Gb`iy7Az{}?q2%aZa|cVljg&2NNPY9>h2@tV8ew6|y1KfLA3wIh+5cEt
z3Z9!Yji{jZIi%4nHH@$xFG<hKyY%(z*Tb`enc3A<y+w`bw{M9X&VQfCDJjXAn54h@
z_OYj@4I;SAZNm_DE48$=^v6%1?s<6$j}_|$KX}KdvEsfqRdZD>N3j)FWOH*?l7^_>
z_uR+b!y~k5e|xU5NG(?>JuMA&cDzRv+jzA24&`Uo9cdXO=DEwH!oB`rVQaoSp3jCH
z7Z;b)bJs#!Tl*#*-38<vfA6H8Baj3Vqs$wI2b-&<&8DLT8g12pC13&DRz?e>6B0sA
z+Jn-KntkNt<XWC>GzQx>pK0C>S{*NK9~ig_=@)>*^`}pt;!{$F3py=YB+V>9qTbxu
zX@@*!0@!dUQ#P}<mJ~8B@eQR40B9F3UcAQ=W7-$b1x55K#Nbs3g>(`n^C$|`?#2vt
zjor-H$2>x)m!sE%f`WA0-??bimuq~-+qmnt{$t$8xAS&s!*hUQ*0_~bRaFS|@Htu_
z0lb*0*@=gOiV^hU#f!n)ULRl40KDk@{Ek168)^WgBP<5Rct2RU*3r>xkT3!=Gcz^4
zMMXtPMZE+d$3ygQ{v5icm@IUyJ@~3DQdG=)h`-glT-MRi$=FhS$A{M*geO^Q*!W|9
z{sn-B;>+G!TU#Fo2D$-I{a9NIhkHeH^QO3&lJKY*78X{q2_Ag=&##q?m{+NA110>!
z!*QVsnstN_*gHBt&&_4bQBIA7f<nW_R@`^Iy}i8&8PMcgtpfnLz{0}Yfa5U%UKUr!
zAB(!E-hjNm#B+F}L_kbmBUF1jaox?vvz2DvE&g3kwBA#{{vNT-!JON_<;I^L(v!ZI
zweEalOIONLLOcD#CH~$O?39sg6_l1ON&0>3dG3Sn?=Ame3$0Q^X<c1%c7yr=_!pHO
z#DGi6Deim%7<Lx!*&%ET1WW=f0)#E8t))|dnb6oM(%0A5!<y^UtWlnDkBErK#KtB9
z>Y5~NwDIa#F%+(DBj2;Y#%BjOM8|=_!Sm3cp!{I*ZrqZMlmhtebGju9*NIW6RT=~r
z3Ok5rW#HpSaR~KUxVg^`)?1-YpvqvYr@M7^gc1!kc|Ysu?!KH*Iyk7(mm)&JL}pzD
z*}$ZFU|6RWzQ*)(A}?esP9C0)!>#$DoCg&84ekWNS8hny+Ol6~*AIb{vBJB^e7mXV
zAwB(w*vJhbXYtC%pY0*`k&tX7DT9QrtxZbKZyOG0YQU75m>6~rIHirW9D>N~aC26`
z@vlokS8jxv_r{{px9fL>lf8iO!*+TU5EMkq%8JX*&VC68hp@|mo{`b)cy}3UI0m2u
z<YY{I`E9@X!KIFs8ePS}z+fWAVKr<Z1!UJf+aAmXNE65C0P4Q|@-Tfkr63_h;BzV3
zdw^0z4}V|;1O{5Z6>(i7jieF@LsE0=^NX((QvbTj_#iPr{tbi4(e}b6Z0!792Q{&E
zRaI3BD2wznBG5@^Bx>mEhnJOc^4Lrg!&d7AoXTZ4Eexe}<-PYZrnZacLW~xt!<<w=
zKtP(^OcVL4OgJgBQ~z38%7o1klVaS+Fy9YZNlNO1mzP(7j2C>liK*#xsN(aD2h$h|
zi_yKky+~Z}RBy~Qi~T;`QI0T&+lx;%UTQ?mv@BneQQu>zIV^tWmY1A-LuL53mI3S%
z_zqfJwhhPv&|^3^-3|0SQG(0>nM_<>Zw~TD?X!cD!8=V2v&#++4opl;;?PL(#vZJW
zUxi+W+-W0!LrqKhWLm2(w>6t0kwZvf4qeiNYMQeleE)H1UYz$0)!}vBsqe4eOX>-e
zr3~tl1+Nb8>zbREXbDdniBx8+tfVF-g%@h2j+}K-*j-|jwJhimht2u>c$LE>{&{pX
z!DP*NWG-z1QB^|#ngWBII<qyUhKdS4WC~87Q}+nlnS#Q4rn=WxQBZy-Y8`GNn**R4
zHlrniAt?oEb<cZZZbSQx5BUzGv~izY<+Z*}mDM$5LqfhZ{?XzeFY=5J&<Ez*q+J&8
z<6VEqRb5Vd@;BT7;p~P%t;JsKPku=w8DtEL+{VUwhnpKI7s>O5MX>GLplPs{QHRd!
zk-0gxh@=WPtMq7uLNc@m(El<D*VNR=X39kPy$-7K6dV=IRLIIB6hcEoBPVK}n3^(M
z>`PE#B9<U?*=RZ`*}O;}qYzkfANn_;Mq3R#Kj{3i54?CGq`uWTRrOE_*rNcU$KQ1;
zdButHyUwO-3_(%rv=liwmB!uuKm!Y95>5u0J6d$4SdRpba=2DG@ZOUM>%xVWsVRzF
zrQ|k9$K}w#DvTNsX{~73PB(;V7VFY5Gt2*+=7^T#1dvAwN7>)s{|T5QhT)_nzqY-t
z?Nw@O6nruh_UF&38V=Ym$WI_kUv6hrC$YM3B>cXrYP8@Bw7k|j<_wdXcxp1A?5yAF
zAF?#gKpBPB=nBM#e`zTPU_*zkIqBqm)ni&4MMd1MDC(<#jQW!Al0b_};#u{U-&t!k
zg;iutYEPJvF}KfqWyNy(gk_IMg{kTdX7occ8I(n7_`UiDG}KK6+Aov)^}D=0{f2nA
zcf8*7$+cKY`#P%|jxp^leP(nsf2Gh9X#$IUc)By-|N8a@fXD?Uzq}GSC(b)}Bq22c
zPINdsc1fdi(ijU?UgL8t=&H!iXRfHM<egUJT3PKR#2p(OBR8^8Qc}v(Dy8D)=C+^j
z!ZWEW;EIil3kKv7w!R7=R=2nB^JnSOQ$DMaOA+L}5>{3$(8NTFou3ksa2OJMQop4l
zSEU-og2b)(bFzdR;2eS~#Xn)Kh@BrrDQ#(tK@TC_eb4|P;&7#~)P8M(YqmC@d@|dt
zs-|ZAFyr2*6I|4TM4lmS+oz{lTH!0boT8#sc;r0dUveH)nYzzM@cX@fnjv)g^5yq7
zQ<`Qv^IZ`p=H}U4!BQS21|Kk=J$qKnK>`1rn4Gkt^DQxK#8FdIdpgr(P?!P<AG<Wu
zX{kR($X2EISk&iKJGT~ryH;&ecFhsc?x9c+Bn*8VL9eGF<j!s=_`Dp&1o&0!Fpmi|
z3<v88AWUemxttaizkP7KI^%mT63cE721QMHlx@E73#8fEpFf%OcOTZlN6;}aV59n@
zVPIZrCi*fwya`u~v%r!#SjynCHbDRYM;1c3KlyGjbpGT!i=W$phzXcEs+W84pfgF(
z329l<(rzMIl`!-IM2vv<v2)#2!FsIf@j<1PoFu^P!rjS&`!TOE$Ja?{?i$^>za#5F
zLQJlg`C^W6IJ^24Mf_aSH)-oB3d~=qZ1fkaMlxqpzO(hC*5dhmmYON(*rC!EQ(0?k
zNVzriJ#zu7XAUl+*6XNZuq;j?o1FUnFu=OOax+=|T6;7|`?W5s*Hv1*Fbj0pN2O(C
z(CH)A0fhnqMus4m8o7I)yzgr$C=Z5kuYWU!iVaylf}I%<y?IyuHek!4`i`vJTr)s{
zaOeGi=22&no~pJnv9#2A?3P-QR}l=WjbGwg2z`XOS!#WkmJYz%46@ps2k$Z<#Nbon
z_wJ#=N!ibJU;}fZWc@o}+ZIo4C{9*MDRMBdfM=A8={v6i>xZz{W*Jr;nU9_myAXy-
zeI$MS<VjrJ43G$xba)jN6*uF0dy^fsTv9X^YwxjP=znzzMtUEieEyaZjuy0*I3piy
z*gOasQeIvz;dpO`O2jj3G*b0Jc=7Ldo0S8iU!F-mq=zdX8XEf3EnHZ(YuLhk{^CVB
zU<!aZDCllpWM|X2wY3daS!<<#`&#*A4`0xJ{hJ`GK|L`I4GoYm66e3qq9Mu_dgE>}
zGGcXgbxCjphA|u|$;pXB>>}lmY6|t9L4u@kptTi^fq?<ea!?=$2pTE4aaHV(MXfay
z$WJ{gFKs_`subzrZ8LxQ`{%0ztl<dq+0^>8=%mc=-gN0@*xL^%GK^+LnQ+4iN-YXC
zWYRB~+Fg%*$0IIphpypj1C_6h^94ka=7dcqV2)b*S#-!8fwn9f2^R?HMbOo?UihBv
zX+_xnS{Y$vBK|P%r!8r;XP%pK#&hQm5qTHj3BvDj+H)C2>%!J!MF_!nGe&^`AK$O_
z1r}sjbO_c$=k|fFF2Jh7Es$E%)meB6u~tfzS?{SNtjjFq1A0hk7n}Cld2j&}bM9cq
zH#jsDd-%&20BmY(CmLLE9B+>FF?^2Xn=GsB*n)zB<mR2^M+I5_+1cg^rFtUE0k5+{
zAY}V%WQzJ6)H>5PIQRjgc-H-zX{H9GTvlG*TJN&TGq&*8Uo9ge>OU2X^zz8x0Re#U
zgaC!=U4Mlk<${(Lz4>gP0*)P>oE)*Xw&uv;EOHyL9zZ67Mhk0WV?TsK0fJ3VK|un_
zAJS<S88(t5)ZJv&ZNRn~i&D$HpNEDBfLMk?70+Wyh;#XJx%Y`HK(TukrFlLtsqebt
z!k&>yu<3$sEE7J2;5i1Rq!8%y0P*37IBSsLb*|ju<qZTnsOe~tBL3YwB#8<5oC;)Q
zWZ;vM9)?HCd@bMsfWo~<8N%f(-PkZ?k>Wu$6qI<!Qz6Zd@F8)p|Ef&#rc94=t<8FP
zIJzVgYBu(zyQ7;-$8?dq;R_@~MGQl5VMm;A2QlR3E%K^Rk3aO3;CG3Rj@I>Mf&T3}
zmEGif`FO2+2JY?xS11KgZ+YT7Mb(iNNXVO*(4OsSJkIhcU_T`zBeVFD6Tw+34k*iE
ze@zD{>acxXChr9!>6ow96J_c4xd?AOM0SuKd*g*%*8>+^Cnu+>MU9EdCsCUdpFYVi
z9kTR}jcE$lW<xHx1RWYAJ{}07o6&O4DIV%tAPpeo?@yhK427rpZru{{LDkM1FR`vt
z-K3|NHfxL9?r$GAe1?bYvKLrac~<0=mB&3frruk^->58hMOCn`UhQ7|{4S76Anz{+
zwZ_O{Cj~@_8Kn!A%HWdHV2Q~nD^oGcEB5#I=VYy^{?ymkvHT^MfQl+ID~k?kAwekk
zIg(EVJ!0^++nPV1Gdw(AEuH=KD?-cALwbe=gMP=(Wo0D4FQt--iV748grq>B%(}u`
zU(?^WUm0O;IGBDG5)}nvK+B!T<4{OTvk2q=Fux;1`eoVEuiWo#zmo$9l^~Oql|_i=
z*49>NdWnK?-#)gse#vV+_J{0;ssZpX`rW&iz=gK8w20SE7-)LmdED1hq*H1CbC3o(
z&f!w3FYJ^&2U!8{{D;afQX*aKd4!a$J>LH{Gka-hm~n@USld=QxyaH_3O#gN9^))$
z1TAvgtd`k(_%H^&?K=@loE9x<Qr&Cx>)6<JgL>zokBVgE<STF4)+WktWj)M)#bW^}
zJ?6t9!ri`MRPKtrarYGj&iUz*7}EO+xvhu8mQK3srZgYx0?}Y@7-#^vGe;>I2YR~;
zSXh^PN4q1h0*?h-4w|fZK_>>_y-YxAvYD!${e5<V^24LxyHs;GKO`{lA~dqE-o6b0
z9y=Xy&P3z0nl4IQfVC1eUVBt%h^UnHkQsV$RK9wc!+aMFbWRY3w>67es;tKc>s_p&
zb5o5!MRF0ei$xs-B}u^PUV~n{)@>tYtN~q9Q`6qTp%u6Y%<PAukQJ?P-{oBaW*K4X
zb5ni7;LzA)KY(m``mL4#RJc{XKsW-3MlExlFKMFXpu7P0WrU*Ns9{GiJH)IB6l`rk
z=D2uxfu8pn-H;#0$CDzd4)`g;#ckkhx`4ENUR1;y;ouu1Xj|||ep!$l5`Ku)Ykz+<
zh=Er?3_(ZNJ~^oyuedRoE(zR_A6$6<op~{9Ac*aqodYD&neKE!h*64qk)9v;o(I=C
zEzJSW7!d9s9^t?Zb8vPZsU5tCf(+cfIor+~oA0y3XZuaN&?{BcyT>4>=>asY&g_L@
zrMvjXE)ai*KQp6P!m&`E`)kZXOG(E8bEbRgbju5nl^@$pSL`3Lsxw<|KGsq@b;`w`
zk+pF3i0row#fUVzhjWpA+V*lb4|c)jqbG(QS7jbv#J_rK=tlQ;zm!I(hW8a#k{ut>
zUih~E>$+K)+IW-Nm$n8rn0Vw_(L8Yfhw``V9zPBOIR~c^y}+?h+NJWz0MJ@AK8Led
z#MiFT0MP_xl-wL{DHIx&MX$?ytK-4?>?92C>dRxr6ad8om+YF37@!E?L-=-dNENf+
zh6@jV`EuWj(436>Q3xl^G^{VroQC;hwTBM_Fx^k~e+BAg<dIhcQ~w;gNo4avC-q}z
zKui`&MAO;6UWB)ft}ZPTQ(m73b%EqSiU<KYdD#6p_E066!^L-YIE}Xz_@@ioU(rYg
zux<f<y!qx6LUDkmbL-YE3?CmKT|BEhckWOMIbVVXR<=9x2EmOR5zuVm)c6c_0s-s*
z=muKySs-qK$Y}#~;IPnh4f-kTT|QDF=REr>5!7N-zy>g}ut)%<z<uXVxp6Cc@ezTu
zh;0F@)xr9tn=(`}+5*eP#l?&}8!z`diXW)gkoNWVwnJgPs;8&tygG&lF(oA<gK27N
zYJdLQ8*+|r?GH6QPl~~p#R~EmsQ9}TRKM%AiX5JGWSAODKW8-bes$$mr7&r{R69c<
z-d{bmr|u;b>k}fDOjI6&S7bLgSdUh1Pp6n1y*lwPcdz{RUx#)bkT6YLum8gu(;~ST
zbw1L6y#Uay1!UdRSh}MUt&klr<|_)oARGh-ka}-{H1jZ@7`imr2L5qzabtZaE5P9(
zY&irBEdv8)Y-}t-#+R0scD+J{N<CK=J-PrOzZ0Q2fMS=UBW&32xlJnK`CfCZgtn=v
z2_bF(-EJLjnejji<9)I(4Q<8NY%n!Cy<61g{yruOVdfAp5Edo@C{wrkDKn+-+eh-i
z3x)%si3Ui|{q&G)WxVt%Q0dHSIhShKi<m(hfu2>s_jiL#g>*Kk2b}!;vVfH%!cE@D
z(IEnz&+nrrr`x?80`@;pP!%vBr8k`IPh}jSY=^V3PtVS_mUB~SVKYZi@CP+Fi-B}p
ztnljuVXdu88-w6XXCZ~lK#x!kgw)zhv(YU}sD_Z!LqG?ahy4QbIkn=02M7<Om?WUe
zBU!NO@Bt8<?t2R~EUaLKP9>1Iq?A3;ns@r|A`OjFl7K&CFKs=&c2IpVu&#`_x$hFb
zX1bk-SwXohh|_T65dTxuc``|hBD-w&;00o5OH})ammJk%X5Je-T+@dHtJCDt+ZC&o
z)o)F6o7vWit)IlDCuSrPmqSKAgqym1qyO^ke3V!h+;ayYPj#IxCszpEz1z&WaTar1
zi_>HKk=JG`7Aco$KvO%iRcSMF)w4tKHH!MO51%IDt>k_G>*jb1O8!i@?XQh)CQYWB
zzMpY&melOMRSF%6Fds5+&Q57^7_|9W1w}<gahfrU+=c!+7$P<Zmn>sL1<9KsdE~+x
z!zdJGBALmS`{&sUp+T4*EvzF<i6lR&ZEuymyD@xiVZ$mX_~N5q9xwR{sE`!^sD&uV
zZEay29ru(sp!f*5Z{7rs<aT)Ftv@HaG^NIfhccGax)W~CMU+B9L2<Lak2GkT(M?*8
zi~nLz-8;jLD=wR<_jvias2Y<V_r;?@xSxW^bbMtYyUg+n!|uxH{an2igoP#;+L_H?
z<WbSm##J;p$M>D_;GSwqSAV`wvQAr?f3bwOg2m}W>^|n9s}Dx}C^KW>zh067{VIAq
z)Xk%E^yz!~A3ynWb7lCWrKzA47T$=-=QsG}mtVL`GLhln-Ea2KN7Sd(t^eanF{B*j
z&i&T_)9C)+FsA%>{4ThAH&CNV?w`=TgT*=0t9x$3pU7U68VwNnue>x08R{%C$5;OK
z?pRUp|Nl44DBQMe@gVre>~d-CKc*XV6S!!pU+1?ejEp`G>ZT;ocUPE2*)uk3b2uOi
z0K&Oh-UccpZy)>jEsQU|J}7#>cb3wJ6YbZT<VknGJCkTpU!R-$s3_HE6{J;k$SZ+d
zz;1@AG6wB%#jXX5dgVJW!jvHC^n7w`3{>r2?WI;<ivy`YPM-{tU@0A|Mak@k*Z?n^
z!S=D?YShy<HN$wXWdE138H==TiiG=ge?KXs_q(>~*Z<rVLv^qRMdwj-n74jVpA!$n
z{^MH8h{FIgQgq%{GTYXX{oUdPzMO{)xPNxKAt8LAkxs#dr9efYnv!B5+nP<eSMA5k
z%E{h8x8!GMdlp*Er}1$Tz%k~0d_;tVh@=2)cao3`PJe&@PpFvO-0vB?foy#NL^4=b
zqT}Q9s(xG6<W_(?z~uMo5wttQ9`D|+F}|Vto&1og-jG+2_RlSBoY+kS0*iR!gBu6Z
z!2oS!+Tw@ie(>FGtDD;Q=N(r60vgEA2HwFL$O#|<)zha%Kab(~@d*j(K)khagMtA-
z$udU7ZJiQ?MwV|&Uu=~pP0h^U5UTk$K|W4Kw@e17`$;KeCR)X9>fb20ec9X#eByg>
zfgzr!acxEoSs3-o-B{#Q+<|@C`uZd_9S)1|gk_+rjsRZ_AOZoXyVnxapk_~0+fb16
zJ<Z!t+0F1h|INw8)e2;M)fjV(0;Py2F{H+T(9qDb2569=5qYn96cTdjz13(zo44q%
zeRYwipYZ~^fBgz~aD05HZ`~v?nTQ-a6eILPp50>=S9;!XYy^7%NuFDi)p}Lz)DLtj
zW6&S~%S+bSen(VYDDLeb$)2CgoNq#!U%4%e5(lU_1gr}w1;r}w6>lzHUTNS72(Dkp
z43tPOXNT(d>C-0!2Xr~|^YfqnKG|SmXTKi%X~8i`<k@xLc=PR3W4<<(mEnUd+?J=B
z`D1Pl9p2fO$a@)>ZokQE6M1<|;Q%2@N=i1jwm=VT=y%CG-E6=5k5q-|M!?ot8+`f=
zwTaX5FFD}z=Zb5l+djQv40M6gEdi&GPeg=aXJ-e$G6k&#TnqP}K4k^m4w~Fm_h--M
zQ+<CAO}I(#Y3`Drot>efK;3##S?LtGfrdI2F6R<9x+7cjm_b0Wl5CANg$}FBt-7NG
zJ7Tc5gr<r7JAS5+?oV~22gc9;Y~Q@aWqM1X-^#)1f#?^Jk&(Kq-4PU6@Iss&s4}l3
z$8d69g~B9A;6Ti=2#;qwRN2jl;!+CW!;#yev+60<Dw?wMIN99ZZUag)a0#d>M4Sh$
zIKVuLS`4v+^{0sF1>QPX^YHYf1sKA`#YNsLDJeMwa+dS@HyyJ&MFvS9pC*|j0Ppef
z@o7+=udSDIPx<Z+$wCu*70fpQ9L=YMmr2+=z^hi~zGWKWL8@7zABs)HaFdf0AJ$I0
z+*CSyWunTOMD%3sj=Q_NF_1-NK!OTvpo{?yB1$`ghL8>i_9zI}>0Kv9DokadZ-(Ev
zdmTu(Kz(-T9#IGbiRd*8Jux4lPlfi9MZ-?IbPII8iztvnO@Jl3)`W#Je$3k1%KX57
zwz>2YHb#s?GMj_1{B6ZmL*?9hD+O~R^#yNNv>&HOI}+PnV4{K66ZDWlkF!bzagD%-
z`BGp+05u8&a1TVs%d!0XPyggV$D#YfKR`)wKis4NA*z@4OO2fovLR6@;Jks<#{w;f
zXlw?gXOMb2L8bFo;3;ukoA3vT%VdA;E7$|H1NUO5s~fz*$pBy!X8}}G|JO35J>V(;
zuVK;7H6w2)aOwd`2~o?ydYgr%4XDx|%ggy1)8D>PLgpej`w4}4@PnIO@_z2>KIqH9
zLx4}9JA~lYkH7x909FshRM8u-V<mKT6IEO%-&-QK1n9aif;QaI*-0ZJVvs8Y<{|=+
znW1BBg)9l7p<U;gEmLtD>}xY#J9rGrDY!;PMzyuIH*elV0h!PR0toNi{?--&xw)aC
zq5JMn0_bSN0PtjjpdHU`j$`}1KCq~$NMTfO%=&^Ka1IzKN=izEP)(i=Ub<&asCdoW
z70BTq8yiueb|5`QH+1fsy&TPm%qdjdeMd=LV+>?k1ndD*gX|OcUsdB}fc7H>64=X;
z<U7<W%fYX!tfYjAf)*i8CkL(oL}OV%_CRRifb#-+38Yg-`9Vx09!h|X<5v1;h?NC&
zfO3a<nccOoYI)<`-LmfNz>F4aoypd-pS=3?2vN163ke1SmX@2F5XhI1moFt16mWnP
zv;TeSAs{Gd*@vO>PM(es*~T+X-iW&b2-;1c)oFmSlMKQo_}&FtE7$}H>pNwoq>Q)b
zIzRUIez8ogf65V~Q0{Z)i4q4j!FHx80#Sj%^}tlOQaD^<aCf#Gk@L2Fbaiwzv}M7y
z0F6#niT+h!SL4_X&`}`RBDAT<v;C3U6}C5@?Em^m@aXYloL(X4pErd|jKFwoL3a~Y
z0EGgA8kqIby6FnT`Im|!ts}t6riEX4!=C#6@X#H!NHb8-BsR$McW08Uq*q6YRDk7a
zbF9;k1hh&EHio^G(Jyl1Xo$oL{>K2PeC`?Z`X1<~z_XfLHPg`{^>p$*Hi*Du3X!3m
zGDvuEFg8w$w6>(J$&aY7f(;MxNPy=ORs(w#vP~o`XbaT8!l9hwH=iC!WGZJvRFI!A
zl^VL#uOTcfv=ZImQb9vOKLM=_4`?d^)YD4?so;qeDOflZxs8-kWn~h>@#tH!NI92@
zAP<do0~-;Dr?3t1=;-Kf!YY8aBebDB{>#kN6cH9{KYTC)2h0Tcmo}U7uPW!M<wkC5
zj}EGR9#T=g0jGwEg4V!#ZK|tF#=R)9)wky@Gjw7Ezty!Y)zr=#dDDSq9b09(?XRBT
z+50SlgBz*~h!!&LR0IU+F+YYDDyM*Ef%Mn{r7hLxm>IPF+1Xi|-JE=jMwZZp_4P>L
zU!}mk28B()VeUejBzggNxu&MRJ|zwg&imKQz#mFVNT549Ik|*IAPC1$$#dB<ZN+5s
zM=M5zOhY|zabOOUt=(RMFM|zzi-zV8KmPJ1QHfL`e@RCkf5`~NvumS;N^#y$v2hGO
zxJo~IL<d?<R6xK5*toM`QI!RSPPfV`aAahJ#ei)j7h*IMDfK|Gf~7G8%JmO0*Kkxq
zRTF{GwLjjqBqkxrd@_)tD<8l8v%(uTE@+$>T3T9=ZPUU00dC|=czD;6DV4+7UGhpM
z3twZgtPHTRv7w=Wfx;I_eaB<@99qhsr^nXy(<Gr_B!&(dSu2q2X<D<U@5_x3tV6sZ
zmKSJ;k+#8NFbz%gbW_s#*W|V8>gt6OS$T9T@FRd}#t*bSL+?F}*^?X=?7Rw7AOdZ(
zBULpuV}JT+3^+MDI{)YP$&<gg7(xf_t_{d}fCRL<08S*#`d>g^%>a=fS%>h5h@mnQ
z$@F)dUwBG-3bm5iPsHWNx7hTmZvyP#<KwfKZV;?@UVaWHAmnN-#)`-i`D_a2qYFe3
zSDeSrW8@^Ed4~<iQPTid2L<&d*bo&{gzJV+3N4<EUV8{xm&bZcQM<%vw2roZWT?Tz
z3HICk?(!G%9hJPOi*{4hY>JACuVQ0!xE{@e7Sjsi$<~l8wZ>e`d13vE#-6ashWA#+
zAbo4r>XRBc7wu*r5ugPTb;av!Z#<sgE@kt(%JeZr%#&EZ0#=RW?1RF@gG|WCLjMU)
zJmq*{4{k6Pb9m}?B5gKc0`UGl@7lii0&{llYvm<iiot_^Gg`RLq``B(0N&F!0~{jQ
zPWjUHb$SZ4l1q>*iKKqSB-F6gMS=1IMertUMj+~Z*MU&S1sWTea`1*<M(o^bYF`|C
zK{=oRT?uK$A93qsA7~Bj!@|iV3%P(z6EjK7mkM@RCvb^@*c2{g1Eu$GfHZ_u6xWUE
zh|;EG9LNFPvee#mxTCKWvO(!>2MY^w^MOmf1$i2htpxbyii(R1y?Xms3Tg}+8Qla0
zpzvN66g7x3CZtG2-4Oc#{<C&)y}e3FVgF_|0tz}f`@kQTZ|}W);qA&vTG55K^%aCF
z8b|Cz^FMx|fUAu-L$v?|90DIO5`DQ7NNE0C$cjtBL?Qk!@El?TzzzaGCMYe?L`xtN
z8rBuc7Py^5+4o5zY(QKO(CcC|Y|z#&nXYAFWt9RriBCcj49&MGn5wSvmHd5U0T9Uo
zR(61xLtNiX2|xQMCP+brisSq=v6BN!iTEV}3jmKmt*+e!0geO;RCkO!cPbS&N;7`h
z*w~am{!EUz{$NW`v9hrtKA)%G>#qSxE)M8|^L;ieY`_AI+u(RZd~Tp;-$9fXz<Ojr
zgto!vWA5NH>%!I6)tv+Cw+*a25kOHI&vk@??@c$`=tKQV-Z%(7fCyyl?Kx4P#$#}(
z*X&F;KD#9#Knmng1~!9%=m$WoAO#?9$1M3bD%#p1;FLjf4cI74>>EANt>7C0$IDn)
z<XNCwLH;W%D{BFFR3s6j(%S^Tf;G3VAf;9HdjNTd>?z=T5w_9T);1F8-FYx2A;cA|
zI_f7e1%eA2ljwRLddJ2nn8%bnMo?S_*c8g13{WA)C^#*PnI;hgtv5b%8?phLLKOJV
zVU=X9zXL@W1z8&#pek}lflzsl*xCjM@nNZ+14RXpFL&r#V}oaBHM1Qx3#i%Ma1LAT
zSH&*5nS)skvqZn{Iq-8VMjkm&l=Ic+fN2IMb2$ER>z!RwE4(-GF56(`t^GPm?njqk
z#cqAWlhjy*J7@8&mMg9O$pPpZhjTAEU|(QC>kR3&FI9{h6rn-OGb9&)pn^DfB+#w4
z|N4X+aN76WJDijY9aRPr+bOsqkeEccTR<=KfTyI~-D^3G{Ml#jWJd+ZU%4S<3`8%i
z2Lf;;BqR`H9->|VB`68TJf5Ca!oTmKKJ>LWJ*l9bf%y|NI8#`zuF*oRa$s=~7H`02
zfWUL#$_c%IulrBYKZda))r$ZTHesCMDp(_=TwVDRA?HJdHf;;QJ}pwo9$CDgZWH;Z
ztnCKF^ial=EI!6GE2lr8I!o+-nG8}2eSjbdc>Q-qhyFVZ&HLAwAdrhi|1*rFT5QTx
zt&*=Uk**@n9*0;fVL$=8Y51qjv)~NK&(aP2pY*`!-TIfxQI;P~7w17JNl<(PyD>2_
zk@vI2D3ao<)<GKIy@8HwM*<jFlA=xF@zb3X-z#O&X@T*pm~K!HXK4N$Ta_0|=PRb$
zAJIdKAJ6?WJoU3Pn><AYA#nbF87eg_{LMHJ5QP38k68V8?$iH8g6z-T5ovbZ!FiP!
z8!5Y-aC{{&ghgehfc>dWk?~_)*(Dn~h3tnqnW}%@IdqwszZAv4LEl<ma*>?>{ivIO
zl)8ThR=#^uLPYEXisdAMADb5t-hsB@^~if??eR*#ViytbU<oOqvZ@lSRnO~k5AKh9
zQ2aB^mZw0K{UoD2nGK3RGL*C2GBI%};@8vLyh$Pd7e?DS@UtK0Z{Uagyx8{l0G=uv
zB8dVw9Cvg8`3}c?eY&x5ixf3HJk06)+l!8#e)%LDf9P_D$_(0{oifyn_@7|}#){1j
z@CS%}|BU?1fh0@5YW9aP@&~)9Si42&PwDP|4+BFmevdyV#?&<dVi@3|q8%<h^EID0
ziKP7UVf>3WLJa22eBr9n6KOEjaC-3Uit--{&r|6w)$6o=K(Z*#rxToTqSi$x|8H8P
zYULZy@R(O9LlB#;h{zdP137Jh+$J>{Y1J))jR4`6j6ro1564(aZ~pI{!QIs92VEa(
z-x%tfadH05RjR*)IT3)D)~C$GVK_C<fILG(K`Ra%)w?pU|B@G=0d!SZeg+5*QH>Gb
zDrlFyn>`_U6|qzg0<EmR07q8F#G@fcs_(6R=^t|P(TFxKWy&8SR{bT|!)2_$zGYV9
z1mA{ZjWqx~74C*~K%^)?m<RIO`OJ^NBrk7oG!#fqAig7w?@;9vWs_$B<RX@&vV2qV
zs@f4s)9|(6A)PRuo{zGu?sRi#2XHI#%etj&3MqvD%u7~%gd&P__wL;YbI9g-4-F89
zGnhX?MN`#3wL35eiUCAfXj;^?$AFi~4M_x#R&9T*3i_tzeag2=q)EFrIL~?$ttapN
zd)FF{R|*%D0<@v)SFUGOPT-by_O@DSHp{Yk`n142RZ6`Pp_Vc!1yA>LEm&)~V#eIt
zQ2!*^###Uce?#+M^2i_>kQTC6qY0u*9#$+&xGOz#9DXl+u}R=vWR%ELYv=Q%OVNKI
z&&8WDqDPjcVB<Fji8>H*stgYg0=Ssnn5?o!SVcO*P^w!D8DUwE#1eKlH{MDN?G=0?
zu>SW(aQJ!dr6>jfB;!Ir6EHN7g8<8zg3NR2$`u*tRA2-p5Hx*6q=76sph~3b@&BMe
z*=7#p-N~DpT0Z<eqN*wgV>Dduo5lbGF;Iw61Db!t847CIA?#RWC@&MRZM=X3Ep!+;
z8?Qq1(5n|Q+vfLOyZ+|ka8+i$iN{l_(xR=rBYUei@Z}ZL=n2Q4yhE_ewAjPjFgqbL
zV}jpU=6E@VwB`;0^H)d8q~Qy$*UuTS5N5mK#np0C6>p%H>h#z(7b|;HF#j%KQdO@K
z$}eE$@(>vCmsHYsxl|WzkqZ1rg809k%?q-cGz{o+vcTLSH<OMZeFf+8%UAKQ!;Upw
zT&9Em$#VsSdK9;X`#;L8%;WyamvY`o{@r9>%c{zUJt&ZQ+c69EKbN!H*7NzcxRtID
z<j$45#IyzC-i7t>w&w|!H<D}qXTg$kaR0md{h!sV-9Bbw94NR|xC7X<1;vMF>UZ4r
zQ>lZFul%qSyn7b|g<v!=qlA=9L7$P7l(b7|l+6_5CzY|m<eVW?y@Cjjuo-~8LZ+ak
zfnnaeKJK)WGA;pq`5|!h1k}_~5bg*=4!>-NtYB<s$MJT)+{YF1?%%lUicFzFBLlF!
z8=3}Wb^)0C<+}|E9>D$~^CZCgYE5}$u5K}(HPT1RspKl%;IaKi3PU_Cz{I`p0XMFW
z*@urG<zSEwCu%QnDWJCC_Y80^!7#Qe$r3XMj)t<z%G)*T{4-ueAi1V*p1!y$+5*Ta
zV2RhoR=9UYxN1RPmhD7%rDC9Bu9(ePaHjCS%~^5UYMmO<`4f@Sf}IBD)!MPKoj}91
z6igV_=z=+c><!Kog~dp@zl>@#H#k{3fdPZuBMt(;G1$z3NI*tlV5X|caIU<v@&#~C
z;o;%C73WLeK}{~RpOpYfIum+>$B!SoZ~j0-rqLkrWo2h$n|l<cMgZqy3TAu(r$t;~
z(@Y*c3IN5y1mI=7sJ9TX8M`-3v%{%G$RUBhc$i-ldtBh?r9Ptvgpwqf8En7R`oo~L
z2{`aZ3Dq9V3#yj)oX+fmTk;fEMf{USDf9>$+P==t@4I$@4A#(Ft9K{x*?HxozTo9c
zK5$|en0V;pNu_b%p*H5=Jv|Ud^7Zl?9+Y2NTH4Zqq(M<jrUv7y`qTKPTlsGRxZdL7
zAx7+^(Cj0_k*F4AdMiHuuy6hdvcnb>;5qoyck#rB;7=Br_BpXh67?pBZ8A~k#K_9Z
z3bS5eK)GFli?=oejt1xp@bbX`(o4`rfCa)tW?#Ut0#k%#*5mBn!8*)97maFaX+%Y>
zJi85U9K^nuicVRR_OBN})Ek8YPNb-M!U|^q`@8z$c@Ee#B-2#@ijXqNr^I$c?*ZKi
z=uhY<@RZRC3LYh#fAlW#-FY>wzVGF$`(NLO7@k_kg)pUrQfST)jRLG%Sjb#4bTgLv
z^#2TiBfSdr6p{>YOdwYxO%z;Ij$#5jlp?5tv(Sc<yD-wxwZKFYT(=ag6f)uPt-+(R
zEuOpiB_wv)k0OKz-}d-a7~gyf=w4o4_M6;N-}tTJnXqyM9pwvT%ma7=gu_Fo0;?j}
z&B4FtJdKG0kjDAAj}*vnM4j>deUw}FtM@P9kWnaWYwKAoduZi>9=-}X3y<BjK9k<4
z*%{1#BIg1lgc9J{fwIl24`bn(iW*|F9Em`MA*dawiq7|zUtoiyqmWU0m}2L&7`zD#
zkOY%a!oVc7k}wpaf`}tPE}F9kM{Wd{q$*!CGMeEQGXjqaqKiN!la90dR$H#nEgKGN
z$jOQfyFYi6(%00y4$D5fyo|JF2%QMC1LPu31(ydxw+BKiLe6Hg91k~5P)OTvVqp;i
z5n;JUrvhrgUGd@?{}rRr?I+UXGs2*)X*alYVd9edfx*@o!YHGZ19k{_DxWJdyhu%@
zhOy3@x<)qVK4W`3d8?~~d$l1R5QL|vr(mn$v>IXhL#HAf98APVn6RUeF+ad)^FTls
z53iPnlq`K<?^ccD&i1`6-aVsV|2rq|(?NO02BU$P9>?<@FJ;Z$yQK~DEUryI9g|!H
zjZzlQM>#S`7%bC{2RuPI0(8P$`7PnjlQI}VL<ZiWbw*~gvhT-nKIx}~^kw}v`OcFo
zpi`=<s|Nu8W&+bQ$f!IJ)*xfrgZut;=KL&m@Y*gkzA$9Ga$e~+<Dg1;M%^OTGE``s
z8KO=geNjq^7!B<j@4jJ%)S75016OP}p>)8+{f_5s&*LX}t<+ibjET!HZ>g$C5lAm5
zzxXgiZF11v`rW~e^5&s;vtbkAzU$Is*Cz*$pETd;)l?BpjiTVUg?*xYs&>Fl#f@HC
z=F3-Yfua7kDlN^=`(bWI20A#L^S|hn8KZ$uCu(^3VS~>ZIWR7gIywm>t8#DFAqEj&
z5e$vL7+9JICj_EIjd<AM0L<_Y+pz%u-ytLm0w8bTmuAxq9xy#&7hxGPH4Y1lC@{cr
zv@SRT9T@}=27#x{%;&DLpS-Ae@AW+}fJiFz-bZHAfXsw(y(mRXEU@?R^OL}!Vp&zy
zwL1ODd7AaZ8jGRl2B6|7|K<J>;0xNd2;oI}E9k4I<dKIM)cs0bTYLJq>||y(PrjdM
zU#MB!24w@7tt$^6JOE8#4mKj<OL?TAOj$rQw<@K<d&bw<-8~N}QAJIy9eB4vfV62r
zxfbAXL_-O?Z;JnD1_u&tO*Fs!lrXiJPX|K%yd>d3&M)ud1_(75$iKL)e`^J0@zv|s
z=u}a`Fti6Wu*UsTF8x$`L27!o;H(qrx8UOkk;%V%o`#<OA{eDjgJU>dgjiU@M5sl*
z4*h_QMu`ItzVKf5cPh`G!Rs@o-YVruzPQ>|Sp#ZWhjB*vf#MwTM9*9Dca?`%MITKJ
z%&pw_{;kO`{UGNH!mxXKdV&+sSh6V4<NUV>Vw3{a5!m(eh)!T$Vfii>O{Gg>={I^_
zgLHz9f~OI*O-_<)mFTxZ=P+Te7_|sAi7I&1V7Q2eg#`yv0^(TS-q}Ii?9m>k8Mveo
z%#(i0G;81zfEoF6ppnw%mZJbzjx2*2bPlFDwQFo|pl-rbL1674mfm_$540aDs{2K8
zF&ohT$WYAB<z@NggB)a%nv<IworV1rVFqCw`k&$vDq+(3YZY>AT2|Htxc88}aoCNT
zaABqchNS0)vwiROJ`#ya%-G#^PV2c^)F2=vgdF)0gtLnb{e|^^Z<lk}lWU$}nMGV#
zgAE?;?&4}{M6iO7GF#y5!nd~_o!2I!Biy51&RKQeUjla+_`eY2&(tQ6tYPZQobe7R
z&-T|^5$7G)XhBv(WHWf419vtv&M5Yl%X6A#yDy+`W25Zd+=7FGFsF{}kG9RD`R5fU
zo{q}B05i9IS=@r;FrP9!Faux#!k8kwF5FpoT7Z;?hagNv_m+@=sE>l3-iaIuz93yy
zC}Q@Q_0tiPr6ApRjtpQOE2g+^i1cka!f|3_uY(}+wZ8=fU^Ennd%BEoh!oUj=)Xo)
z=$~ZSIE8-j8QF6ncJqF{`^^d`E1&=M`yIN*b;+PJ){>@?B|8_jk)JauErY|uZP4eG
zgPjh*tTEWmCB`Xut%yNA3Ov}DnQsfcjNX2^AhMK9*q!rjOw2`cbO0fN1qB5y+>h@v
z6ax%Fb_uFw!SSMKVUEIEwD~UsamL$m%{(8{?!hXj!}>u8i+2*m!{C?FV!0fcpZ&wa
za6ET^wz3y`>eK1SCOW4Id$g6b^DqD~dI@3Js~*(V*U@nS#H~(Hy&T}d9>~n{#fuk_
zDQ4(7Tj#fsLBet*zbLj_{Pi(<aAf2Hs>tBO^_7(s6)i0+WOL+!4j^>@12{@l9zK)+
z4!46nZr}Z*qmO2GP7WpjH^lD(@*#|BU`$Qqol5D9owWz#-ezXLcmMunz<5Y^1iUD{
zl4SbuJ6l8sg4}hw`$ZY(W=W`EpjaLYEqi4N(KIP>(jD2%Io3UeCaejC0u}7%$_gz=
zlHg-Tw;M5rzhyvs=zez0n<C~L$!|B^0+Mxoef`6jd_Fpx9l#JoDCC-;wo~R^;%IXH
zMGlW|L9z+tW<F<kz$|MUh{L=vu-~_2{E6j&tb8xcvJXMF<A>*8*WosaOOM<K*%h&j
z>cdl9phK_q++$J67wviT{(sLU-Zx}T=tOGB?^>=#(ESp&l>3m{IU09-T5KDZsF;Pu
zV!I7=Ig+Y@h{rKlf)zpfe&D(T{QOX^w6`vKXff^R=JdRw;EG_-(9m!t+u7x1WDGvr
z0I6eZYhJe6fyHV~eUu49#w?T%n%FL|<IXNEVWHfQcbTV~yl=ZwI7ApePSu)j&WL<j
z>yjlOw`}l;T?RD>{CoK_uLf9m0cDWFrbC`dfehV(Py)}D!9e|hC(Q8X(AXN?NjHz-
z7(6~cMi-;2NRoYUZHGrkyAG5IYnKv@l8w38`_F_Q35o@pNVt^(u7gAYnH)uVMb<bZ
zyy)Z!C>|hSw}UYQ|Jt=caQCRMavC!{D@b%>=!<SYIu|{F%WnVjg$U-31U$Cs5Pt<M
zHw_b$-1<gZ&c91u55mo}2Z<mlK&v$fc9&|eT;<g32_%n0(04}Sk3NXX4=;Y|=|M;N
zk1vpulUJM%Q1a(ENgElZo+)bc+?O;+UGNrF(7hsm@RF&mx=`4sej7hfIaPEPklzn`
z0Whe%KD<juZ{r>JNUX>4*PH6k^y|l}M%}8UPz$=0CjZm|^5OL-4tv?6zJ>2H7)CAA
z^72A1UcQcs@ysdEEjPUgj|1TXo2C8-S3G!*%=LFEbiJf~7dJuCxCb&TpmTh19fRUN
z2dz&@lYa=ZZV6K`pc<XbS<%oy2}XT)NJ&+D@zX{Q%JK1MdPn*GtgCXBcssY+6wyOC
zHW!JnnRP%&BV%qiZ_Up{veMJjLryjYQXbX9P9poQ=`s6a%)uV?cLZc)pCVn}91B~u
z#S1dPY*C?iHE`(g@QSy|*P6KH`*|OuHzxkOeC0JY$n+0lY&Pq@vU%i%7!=ZIXjgwn
zU-)wGbomRT|AOKRBR#!$205jrQILtrkZJ~`1`<tRi=G2L1f3}L69$s4Ggc15PHapi
zY^6P58oSEmC2r0eKM!vG)EzQTI?El-X1f^1qoULEz9mH_uZ3g7Bcab0d8?HT{|UD3
zrpMd59uxOq`<Pf+g#p@lI#GruOod=@LZ+w&Ilccq2ah`tYegpZ|F0{xlsI{^x2N}=
zm^WVuLtWpmGtdQY7Ciq37dH)rm(9Q4SC_JzlH)<oDg#gPsMTi&EgB0lN|8}>)8ugm
zQi16w{g7u+<>lx5_b$*12*exogCTj=WUh;y_X30d9s~(u`~YACZ3VfI-X54^t|TTV
z{@6JJ-O2cwU1dcDGLMe(i->qo-1H)WChqGvSo@IC;_DoSef`92zdT0XLi}F=;93jG
z2sk7^0EV0H!j!`9_yBg$3i>4UNtO~DqJm$)CREvapPz%Rm{8`FGxU%b*I@GO79O-M
zX{M)aU&KH4_doW%6Ca8$=5>fdoHHLj%!77_h<4DKOvn^8r1GgI;~Oys5bRIAO-T4O
zt&Th(3Fg@G51&Ba5)#U1EQA;DDk<qqF8-WP8FB#{3K_TuV+-7#lN@Yt)mA6L17pOq
zt({<84j#gy&(;`JFWP(J_4YmG>va-UxDT)3ArqiOf}2nMW+`sY74XHNyYTSbn>=R!
z<nwlKl5v1f%bQYG^$*PIQjA^Ag5)UY@I7war(|Ph1-b<n@-$OSOH~ujzCbe=V}o`I
zKZM6v!s-#P%ZfTI1`@OYAY`B!Lv&1l7rU$D%JvK7f3F$pTDl}?qL?fULG_LcGutj8
zkmp^(rV@0d1Kyh93tgy7;Iic@nE#OHJ^+yRjV?8UJlqAi(l0DG9wyfyA3TQ#{D4IU
z?@I6snCKW=xeLbe^n!vgXc=XHP^xNabwi7XvK+`{D1qMZ5Ik7^VLHRmcSV2@X$Ed0
z6bfqJ;o)J~>Ud`z!^V8;X$uEDApmSHrm0?9O*A7zL;mmHy=z$-UZ=K%$4E#@OJC$L
zYU%(1{0EFSHF=-R!59=Ir?sq5cygI3MJt#!k-;>WR!1KH0>vZUPB0G-LDvDCZ9eai
zG55D|agxf)SD`8mLI;1?jjJW-ww^SIS)7nSMlqXKS~`=)e`#(~7<9K6)zy6PpcjCG
zmtoo*I@*hrSArX-Gc%f;1SrABQs!bXv0?nbWljKOKWCc7pjdD1E~`P*n*z;+zN%jG
zMORn%CuH*C11*i=F*o`B%%X8okLtRWd4aHcQF%{W-p3XCjP#aE_rg}28up#M&k-<P
z@g)sL$4A+F!Vy#E*RNz&R#tG@Euaws`+<f+-?$JHSXU<~0d_#h`L3)H;0md>n=!P}
zT=-_crHUEecKKX#>(_WykCr$2U02q-zrEqc|8T5>2~jkt6cFg>=H}*4ryIyXCBsYB
z&;&iT3<PR$${-I00MFUls;^YwDxU`63B=QYd?-IZ6o|Q>tE=tp?HE8SnMr2CmzW2F
zbqM<07wxm+Iyz*~_9GIkiLLDwIS(ptY_Pb#1osH=ec}%u-~kH-k8HScomJZpYPmmt
zL%qQGU*5vVBU;MdT(7bkRaje{1JY|kXdDcD{zvAd!)w%*6JNiY051;#`ywTU3Sd=Q
zdO8{j2?^r21Si;9J<?@CC=bHi0pN29EiDq*O^Ex2G?<w~ov~va+oa$(A6GOEP-Kr&
z-8H)U-XPHk&dGF3ZoI*u_<=NT2OBDwia{J|V452o8bV7Q2nJ;4y8ewBKibs9#2>N|
zJcIxj>7*SU3CRTqRmPuqq(;4tl^i~!?Ew`CMx}Aooq22^BZK&Xz6x_JiOHXup_-zb
zl`kwn<LCGGUnG=bQ*ta2nNgzrIz=xcfpt&jwJTLt?Ru}1*!TgU<II*)8%0r?h;Pt4
zZvH-dMoLCz0#8$c=^f-DO6AWEY+(Ykk|r<!U*ZzYHb^zWzzd*XBe?fqAxMqb%86iD
zfHy&loshN=lBR3YD9m=_s3(4R11mIMB0qd4fJX$zNZ@Hhj~Ge8$@4gvh}V2%kv7XA
zLkVNMlS0f#7<w+GRocIn1k=9AoIFC>^E>auXYq$S;M&LmSgUAgNJA~!nmPYnGiFC>
ziJSLXT5evdod|gsau|GC^*10@{Qdv%gDTl%%zu6(afu*I2=9Nsk=TX&KW~#_TH(3*
z@B2bjMl8ku^S*QemjrjPIT|o1|D~v>N0BzqKs4zl^-x_)PD7osNzv%o;e5E4<LdjX
z6#POyQiO^kmKMbS>*w>n`2FWN5~{gq|DLHt09^Z@b4LDiNh6nthVO!C>eY)E17+g)
zkavX$j9j4!@M4Y>W^OCHvZA7ij&uL$(lhOVTgo`mZ*?NqOsN{!Mmg)>kOxf^+>5z&
z{y$iI@3@}-fB*m0up%oNnaM1&%1F{QvMMDa3ZckIQD{-wTQ(IX6<G;MQf5Y!3K^v`
z$}B7McfEVR&-eHJelO>o-}&R`axS0aO?dTuKF0liTlWe<k{5g~cQ_Y~O>G6L$D19G
zhUH8*66?1pY$SmTYuoxxo|R?8t*tZIIh!|aQWzQ<Li9`W5Ia9F|1$svyqF6e+`YbZ
z4Cc6BY1kE9JCb9_7HFUAgHMpfGQT*Z#<HK^8X=UrjEbQbX>nb;c2!c?jUC&I(%i#c
z9N~4FcH4CJF?_n{go!7Rz(3hzC~NV8H$Lx-NO8U25nTj4P;um;gj`?P*T_g98IAE*
zi|0$3EGkRXcybIcVM|Dj>h0~Vn%osxEQT{WvMT`*#>4FNX+{r?2DmN(Ewr3EwLROH
zR(K)Ay$a7`CHU<5JMe4bi$j`QXV6gmPIVCNqSI<YqvzvfQrW{V$$}G^aD;k-kRw5w
zT5xny0}m(1M@bdA6e^;{`-GH<3ior`AZ;J*UcDNTRAOUm8+YdYUjI%l-&gr=nFn${
zWwz$XibGwi7LOhrzJ6^F>z+3zx6U2yR$`G>^mU4Lx2rLiryfa-4_S5Z_T4Ks6JES;
z`~oJ|Ys84j`x>an-SE~Dp(pyYg)eTo+q-K#)cl~<sPdyC#r;91Md9hFQ#zZabY9su
zASfoL<G3T^gZWQaIyLDVkwmNJ-zGx~k&4uAm^zcMdP*<|u#CX+=yJdbjM3kQ2zE-l
zmY3r*e||c)!1*|sMNTGXC)Kpr{8Cem#U^(6RjC{bD05Zk=J@#d#OVH@Toaex$elfv
zC`rx+{xNxx9kCGrEEB0?>7p&ACr)C^Bn4;K-eWK|k!U>?LDUMyfxlaUeOnG6zB+wC
zcFD(vEnC(F?G1hlj}3O#@wdr@;S=?9J`Eq+S-K)h>1jxenxmUBFfiCezzhcM=XA&9
zkC*{2-95K(CYcwlyE`SN(?JF4z8r>ak!(8Yc0>!x*Tm=c-V&IX+!~e2a^U|1NlEta
z{1R>^wRECg7G+@4*oaMGTZn+gpO{I<%0tntR#@%NXxsEglC!6gy6>{0SGnz5`G0@E
z_)Ol|<?{v_dK-=l(;BK&t8J6#)^>HCmTo(k{d7$KK{pf^9%Y@;vEp{4r8;d*H85sw
zwfiuTtDt2Q)O<s~6~E2)b^2K^@WrIdUcVcB$bbFh?!)+du=mo6a$9|glRwNgyMb5N
zl#BgM3MK|H6DxcBZI*?th;zYZy_48NMI_*>gpmdO`L(#)q_fAJQf_TsNcy2@<`t5{
zux;BmX{NDXtYGg=PFq%o&e6O4{_q!Gv9YlwApHVbN+G2{GK)$%lX6U==b{QVH8qEC
zyOzb>AM;)5baHZ2-`@FgV>^>lS%hv;BuM8UV~<8;9-r?n&InEkkhc*(_nq97JSqD1
z)}+zM+n;mt5aF~O<@Nc;PoK6yzbpTu@Js-$uU@^11ZYt%bR0Akh!wm;f-RT*czfoP
z>X$xO%e)r6xYgp#lk?58vMT-69Cx?}>f77fmw$HG*WLmO;rsjN05Dh;DsV0?L+|aS
z8>f7nQX_KL?)Gy>%~SF`{ikhM&&%V~7sO3kx9+;-j7AM|$IK|XbL7R{aWP$gl$)<u
zq}A>0rnSx|YV`ITm^neC;`^V#ojo<o2Ot?%h<Exy_UQe_t2sV&1`QHLqUg`?uv`rY
zz}dq+TkF`Ai(!CN0EE4WE9v{jZqg$MNq{BC#nshydG)?tDl8={a9??-BA5m*zQ!^Y
zB97Y2Z20gxyu&N(RRPQ-K!(tU&F+5;+(J{^|NOS7<Nl_DRTLl6uT`h&tv`_K!U-h8
z<XO|H5$O^sH|rj0iDrycv(?EoAXkapl@QHEt+_SnAvF+AHrqXy1`Aw6)zR@%7j=LZ
zmPI=q9Tm2WshwS81Oc-h-eHf7JfL&%B;=<Hocx<-4i-~8-qw+Cg-x*%5gfa*!@>ZR
zy|#$?I2RV}LL2`3TS)^Dv*66?uQ?MYPu{@JmJjLk$i3Y$ug!-nb{oN^D^cJE*H;Nk
zOw`9!unx#g#o><G0y2hz*Yx@l{cg3#O1_y^g9BQDDqIC!5efzS$nkx91aGFG?*;Jz
z`|67C-p>C$Z$zGFbab@jz7GEVO$VB;bW5^<uW=jpI6B%e{P)zyQlcT^RkpawxxSg*
z&o5J0o@&(laB~ky|D&K3+m0Czh|@)!3iv>d-%LtM;zq3noTXN8jBE?|v<GkNs;NaD
zJ-QwUd0flnA;bLT4&tMH{Qi0Ng9i^xr%bsRb*e+)vUUlpYF*TL*x$fujLUE3&ePoX
z?z~&?*O!^kJ?9RnZ_*{BRkMc&Tdta={z&sw;>G&L-J{z!c<mmgd)HN=z%pG+am4Ag
z8p~wn4$$)E{A4BKQphJ!lO7p=LYY9nnz~o(0PMEn?qPFfpiEux`=?*<o&a0-x+P_0
zp?pdEu3c9<e|h(0pd7c9F{W2GJ|pm_C(&8tEk^=(z*<_8y(L6?#}V7x_2|)nOL+5=
zX9k*M)<zVMGn;g}OxEDel*VJ${Bhl3`0~}XfVD01@_)60?~6iwYI-H~H&tTox^-8a
zKY!lz?BIy(YuqUJj!x{iI+?|-uCQ-8!h<(SEDq)JxDjWp);2|!I{9>z5;h}hU)O8>
zFE0742FWf72&BLCBt;1UtzEoVpTSf4XOwR~yRdX6nEsa+sa~@T6sxONtvS~K`+n`g
zgD*P$nZ*Mz2bpUZeT(jeLPPw@=igx2p<q0kduNc}_O%A;Irmp5B^huw(N9>E8i~*S
z;>C;Cv+@1Ok$duFZwgyk=Ms3rvo<h{TQIJz<!K861JD7a(}u8R!^o%RH7s~}r?ub-
z>U7`r1`i&*>wuDolpzu%G!9deC6d%16FhUbU*&DG=9I~ALVbUU!;<I%k!hYE&90Nc
z-b=8(R8=<gzObe`o9gofSx{WtYPD+BVoMk=`_>S9!Vr9Ia?i~_Hz~Lx^>`{f0kmJD
zltCKZ_if+TaCm8Hspu8hS~Clmt#_U>+wkn}_{fA4YD;#-MQ*y8(D#^<qQ6$0%cN#L
ziu7H9Yg)F8of1~F?f!<n$2WWWqxYuW6ZJ2Fwrpr@UemGdh$nP7ilFdt&4I&hxJ{9d
zhQJJ8qEI~Sn==94ga#)ACpF9m65gx$oF0Cth%dgAk<;`F(qP!FOt8?0v8RCl@8;!M
zQJXxxBiR(LbOxqY@4o_EiO@jOMHHI|1mdf8di2=nf1oO6Ro7Kl0-x15xNb_=d#BNv
zT`n9`D6CSab{por`kGapHz~IVe19<GWKB<dttsR4x!g8KL`VQ&-%tBL{;Xd3q57vs
zzk>&oT?5+1_btlH%X^qj-kRm1n`f6*_m(OMD%_0wmE#eAj1}jv*p>bL{RNulD6YXP
zK)l;gceVsI(RI>P&T@CZ#5scpW$M7T6rmgf-3<&<4jK0*K2QySf-t!v1R;&f>W0r<
zwey#V8Cnr`Lr<%GYTIlNj|^TGD}FwOtFBQGf+Y+N*cJST7NG0L#W&3JIV(r(Ho9cl
z(EhDW=||t9kE$)Fj8q-vK)gs|@-480X8}Ks);rhvWW&6x)%eUMpLtP0GtPaY{G0O8
z%z=w)v_CPu7;hB_u9D`yG`@pr5myWPdJg|sy^OU(PMBJVOBKt?|9ca_I9Ydc7tNS)
zHTeSG`CvGDkCM%|Z{H?LP}%-XCQc!Wh1G+G0zd6H@z?cA)EY5j#3E<@2Y@2zW?A2d
z+FH>INSwJQhc?SrPcLDJbB~Sd=XLs+;@{1FK~aGAy9=|IEKFFYua%k`^jfuf<NaOl
zeb-*$<9bBr;n}B%QJOSql78h%=!LGZCz)Jdtb+#R3JFO`y<Ws|MlpA(uyEpm1qZ@&
zEv;6J;H6PVAY8~mH=|<jtwobi+u%C!-4FlF+}{Kf<bLO?#%9FX|9Nhtp6_4Vti_*a
z{^vUmYNBS7ZrXaDoM{{57d20su%d6)`eT_v*)ONP&WV9O$-tG+bMd=LBEF`4RMic;
zg}uX}=+OAbeGNlv_jz4=#184RB;G)BNDH+u70*9D_lc1>BXKX9T3s72z+4;SRcO!E
zMkVO-nB~ysF<-@P7`$eouuoz{y1aE{otrwkbJr0HEuOH|m18I5wQLXjLx(Z()z$*^
z0YxA&-?9ULW3ncREbY(lrA?X@jLKf*nPs)RlY50~pOCon+26%$3H4pO8+w$6yNBSC
z1gNiX@BM+?{@R>r8C+P=OIE0DKE~7L>W_qQQogxj`SNJ%q2nip*`9OGxF5_J8(h7(
zd^i7JOmqsmIh2@6WH@~+&a4%AK&2ZjFepr(QE%c$5`47mH?*7fLho>^*Vi6TUtMl+
z*tkh>i>prK#^oQLcV}2`#>*<X7E_mgt<Srh#Y)^d&!UOfAJ1B|;|<<=^^LCi-oP}b
zxMp4b(lyRw9u?O+cka)jemwc8h?&!;r-OeGE+groclHigfgwPEDiKcnFtBX`tQUN7
zSFbQ`HBt3QRm&Za>ihA4Q=5=b@0^5$--g2joAix&KlRVky=g74ox1Z}{cG#<M`~PC
zOe|FGn^j-M-e7sk;`jCKjaxkb==*PwVG~Ww1(bDt%PqHf?)+|V*x~5mSI=6^+?5>~
zvvy7A9b_z<vdzSH`{kMy2owc#UjAZKBj9ccx4X960DcdOvl<G9y@r?hRKKoUMn-qi
z-KaS3cC)GPk|n}H^9bK)*tgl(xo555p5gOWQO`=7yIH#cFzi8!j~;~zbuedQEm+{b
z%ZEMn7^|OSFnnTXY+E(#Et4Gf@0pHl<V~wCTnu9DwhV}cL^6#Qe$RTuhy_2tEm($<
z*1&d>iffn;8GqHe{ar0jyD5m@?_KaXzLD-{ZAfb}u_<g+R%QktI@GCf#?<zWY~nP6
zw2#bHJ3rTYp+(0xQH^iEH8U9sM>Tx-@XuN;?%TXe`_(Ta-7ccjx<tK*QEL~5o$A!M
z&rPe*>-tkX_t_iMa^Q_mAz-ZIU+F#B+3+H_M!POuYID*`ZZHBI$@zwiw4O6<n7vK{
zg+HWt25?v8ks~r<Bj4jib&uP%F9a8@*m(Q(`G;-}1M4N9o}i*pcJ=H2@3i0aZB0P<
zm2VF8e)Tt92I5gyS68Bx3AgO{G_20)kt0TE`1amL0mxrSX`sn|QhrT1<AY#Sw(0m>
z2mk!A!gNI!9FAm{SOH<H?(f!XOn%4p%e(67S=ie*Svt4p&iOgi%vZ`9DVF92V6h4=
zV+pEy>`YB6SKr(pFnIat(}rSprFH;uy#IRr(to$4B{#K940-ixR&X6Fy@F~w^Wpm%
zPy+Co+V|)&#$|3JyTF}yZpV+wnL>|BJsP}f$b!p0&Hd|JTU*b6|8$U0qZ9>mIxi$f
zc;J}&x#OT}8+|+KvF2EC2g}Alo0#^4!^0g826n0L8{4X;)*2hfaSgv$|1fUTzRj;6
zn{Hi;U$Eoz!Y>cKwIbVZDXNa`J!$EL_QxkZxV+M#*M-aBOP5l^M;$s8M)K09w}m^L
z11KIJr}?*p=Ds3KAvyZoHtNu}ko^(@#L}YXuT4uB<$lom!DI)H-#I0Ba&u2P&Fa!<
zUi8y;k?pf0PhNfO8nou)Hv#+_G-x*K!B4D&J$v>HqU`5k)u8oEb{xOOlZ^&!y8%>`
zJ)x{QW(9dXMcAzrhz)~HQxpxGHWf*<i*Uh~6T{2O%3OiVxvav78$JIM+<|5|+;_av
z%FIi6VnqMDC}1<Yp*`3U0w#^~o}>IiHVx@fRcg?)r_H;qwfIiNJ;O^s+P7I~YTnFq
z!%EtX*eArdWVM3=^>vEtJ>lukk8d9K;kGy2^>s|(JIm7x>>V6FVh+lD`gFfDBKrEY
z6wpxP4<ubV?PgL7_gEJ_y%n<i?48P1`w*WU#ZsmQtLr`WMvnH7Vbcl-o2NIpU(xeG
z%9gzjH8&1wao5f^eS`Lr`F%8&?fjt~vGPRV^aF?2HBfh}@onI}(o~<aQ{@Ihn^rfn
z8ntY^W}mAJRhj+j@wq<8s8rR})nz;Zxi3TA-MeB*mZ>$AVh4o$x3vwXF8Q|1MD7DH
zEUstRAZ1Wj_S^VJh9AFtxyq%aP>|&5fAq_Z9q}I5%<7I_IA^xTgINRX+4S06%t>~F
zIWqzuw5nf=VK+nA4=uggHfz@TgNOO>WV0&?XDNZB5)$enKKlt!OAX~VCC|a|37F5%
zFNO02rXaX@)22=BHaY6)>B+PWdV-<&={cLEtz(fDa~25Lf1dFR`tam+`NGZj28hKR
zo<YoM^k|~n1pGikm~`E{!;OP$)>xk&(j(W#pkKdZ3o7m0&!wbDM08eGR^EZZrAJL}
zT4~jqP;QB?=woHsh;9>3s=_15pok3{>Vrx`$FAnyyF}vN^jhhtn#dMYvA?xhnm`dq
zAlltD>vvnbr3W7M2VjyIpQyyd4U*aoSSlPk$h(%&O|OGTkE(O2bKNMToq%cd{ravo
zTKJ$f^}RUiP_K(Km&XU=Ap<979GYI`)+nb5SV#KRtA~bL1^%i!(Q22K@${xjDh*~t
z9t+p~J|W?Ne_c1@fb1(Nd;G3<dv3AsV9>#mPxs8XzA!kf7vUUhmbbc5$9>=MdVPT!
zoBFJKYqD0ccDMqKins-X>--NzW^!~$>K=x>pfwuZaN|LDUqvu<>1CC)Wq>iUSCg)g
zEV+VMIpGvjjN4z>ykte>k#w`^@6@|_{E8Uzgg%tMO8lDy7Oap=2F_i&Xwf?jT%6A9
zl(>cAr`2_h;yH~zkato97$P}P^poP*KGae}V+BwjwzR>@pZ5_ZSRZh&+r;F0EM3Xx
zCJ4U{MI_p>6OHN}_I-3Cwb0rA@E<-mfbI!GEGSdbfr}tq8lSa|+r1&$@5mUk04zWz
z09Lf`O{y2NtUg0T*3*EBk5+C@FE6i1RwiBxN!VL&>cT{YEf`+h+=SMU@C769S%b><
zuku*=t-9LG!a_wR^YCc|CdGIVT(NLkY<#>L_pUU}Y~z)j@1V_haSRd`+kW7{maNF0
z#8V2G#_0_(a%x_QaO@V%f;Sn7-sWE{>fH4i&lbg>?RiC!J9<XRsL=!TJ8mzsJK$oO
z5|!M({zmtjLv^aNk7bs8RP8i4++pl17ssN4;y2xIbr^Kg<wf63i`uBPA2?&#63-2V
zJJx)8a#2I=4z32k_BpSPEXzNfxGDbd=w-XoK9&5A*)gTfthRmUo@{fG1P+C!#o*hw
zZsC!f{IXw+Q9@4i)2oHn>Ybx~JrDG+5wq;gy6)*mx7it6mmElH_3G}H6#@D2-yWH%
z)YPin*t5C8ESuA3>fOk~7~6UD-c9a>*=60AL^ww)tuU%v+uisd2qhye^dDa1dIYs1
z7Am6Zo#$<Bm7H&P`Ny)?Pxt0HjR>%9uv=H{ThxxG0h=bSIdDVgWMn**{i)Zz=Y5?$
z$D|PcV_1nRsiFis8dQH(Xb2Nx(4j$tjY|S`GOFHB%&YjiIlF-nH6EiTPW*AIPDFcQ
zY24$re&{tBym-A~<H*E&)6D)~7RBm+NcYq*iO4>daQXFx6YJ}anm+VjwkNvxn*W^!
z`jlm5r*5_CU-o8L=J!eMFLllNFWH>pI+h)@4w;s&uXEx+O5Rz2{V1=$lv4CN+vxv_
z_4%KE-v67Pn!f1A7f%Vuq<Yf)u6BX?L0q76bW$Lde%}YwxOK!5^|zu=Oq$gQoO~s4
zh)h!Y_T&A<8u_kSld7N5;0nnhBqU)Gk5UeNX;5`8b;D49k=Px)J+RvNWA)FlJIdPY
z$9dj~IOO}z@JjDS=CxNCsSi8)(bt$b=wpv6q1sVpWPLs_iZMAQDABz}ok`;hM4^W8
zQsM*y7)&7Dl-RvF9cY-HJokv#7NR&4%d|w?i6|S1{AKX&{B~}K$8fKb@HWL_=8F5~
z-rfe1?aurn3Da*5VJO}=sM{skBgTzuDtaY0YQb6kjn^^(@>au7W>Dqvc&?!83!Pl0
zh$I&X1Aq*<5rhd5xD1`5rnP(7hk}7pru`qnovrsBI{t}l5|8i=N1pB3y<0c;<>&6b
zd)vJUuqL|+k8Fpm9y@Mcq2pYE$<^h`8coWFsi%FoW65S&%}TcaF^9)Y{Cx7dj+?X7
z!e9K{JiYLH|EGrgMj$NSG3y7YqDS@7W4)b8mxkloI&lfSrTS=#nL!2toUc^Lp(|Ie
zOs_<Kw{!RI_Qbo+eHO!YgOBB0Oo5HGLZZy0_dK4IG=0Zn5)IJ-_V<3(5J;g8tn!yW
z6q>;or97s#6Zs|ZLCux9-eX>}Ld=H`kBd5GHXR1Lll&eH?qw)6Nbca$(&>`^gcL<a
z@Bjta&Z}NcUMp!4D9v>i4MOXSX+y5U<|fPfgWiOphIx#y8jdfWzpy8mbFe2hcNo~C
z*nWw{Rp&sK&~u4`r+W$_eCU3)GeRwxw+Wu-$OE|VZdj9o^D4Dj#p%(jwh-(J+_E_$
zHagm+I3tvLExgNx4<F{E3YFeT6tW1>P?tu<#$HQYNQNV~Y7vx$a$%*fF_45n&!@ZC
zz8${g_plUC|2Fe%Uv4qD7~xPgaf%yO-nO($Vc?$WH*b!Z`?|6Dst&u~IoFKqCk7yt
zI-)`O{ecvC9ew@!0^aPaiC9R6R3P8ljI^4oL<$<*0(jL;c{mb+AU+0BLk7`<yI^A%
z<5@bW05S&=4iK;?{x(2CxlKXY<uc--3fchW_TkIhiGT+#yj(cZ4Cu3mZ+EqvKVt$U
zELTiNpWP0g$S05`Wb*K9Y|mydaXX8<pFg6~qel;b^{db^*k9V&>fDFCq6$G3)ohlx
zbvcEWg!xI0g)Cfxt5B+ejfNW?O{t{TW!9DplZ}8GhFZ*AIjk#8EO(+A8<i<*56XDp
zh<8K4{sjs}YiBUaBoua}|L@;F=839<;_{6bjtF@w^!OIYI~ZVy0P^GW8ltg>LpcDb
z_U1cnn`}U~zwX!pM~@!eGl%xq$jAt>qlLvx6-7fWE#0KdEjP=AFp^L;IE9YZ)P;2~
z{`o!dM<L#<1`3J)fO1fXTAIG<3X5TWQMyv<vg*cw45n6=7DUXGT2eYbBg`@4+Qc?5
zw{)mJy0&-ME?r!Z?jzJ-f7SAd)-W&ER3FpsbpAgK8Q~Sd&Q064ZQ$UL=g}{Zh*e1g
z4{Oj?qHv}{R!fB^V@9wTkn<+EC-Ru<Ob4KR1^ZP;v_`;T!lT7izQz)et5UOGIy9^e
zbO;Y%D$Psto-PVuN71$L1-8#C@An-=*CFr-)$-IG7XtsZ;Y1Rt7}CWLBKO;~ChOCu
zPd%ZPR_`BnC?>{?W|lst@s5p>(amv_j&zt)M3OM1xTRwnwr`xXG_h=9nao3dXz0CY
zRXsVO$fCLHnhq3urS!(uhtu@BMLUkK{fjjZTW?7d*o-xO*01W2DX_@XD>NB*FG3@d
zJ0@=xyzR#TjpqZQ#pu}7ZubKtMFSxI8d-eYCe#4k=ci4dIa5WmU{e-Mia15Qxr?06
zm1?F<$~936qNtwA=(bnvLS#8Mp0jH6w;-?*$tLo#2E_kp4qJJn3TIL;T*s2u1~0%7
za0MlncwCTj$#@U(?vbcecUP93-?N^7{!qUQK`s6tick{##(O@AFN}?e5ydu#dw=4z
ze^m1(<&-7{?nE^~)Yrh9KhnN9{&>T#lJzE1a4xXn_KAED!Q}~(HMNR8h7brQ{Grc&
zV?Sm69c!^Vo3Y+qn&0ANMc%ZW20^KJn_~#>f{pzVMBucRaRxT__Nw=v|J)qirgmX+
zd9Q6rlMa-J7_S=W82{po$<0!R9dPk#Rp@JnTyN>4waIC$qvKFE&wR**MH5Js+q-XH
zjr@|2zN|8_HQnVp1c|Lf*4-sG>qica<V%B?%z#iaWaUcfmFPHRC{*<?7D5QxIj-_G
zlAMCZLTp%EeKKMJnxdF9hVx;^*^#G*pF+}hH#gUUqwIV)E<<)CcE_15+veQ4nO^cy
zdTvVK(z3E*;B9%5Xy4?Zad1+6D9_WADxJ%gBV5b`thdh-2HgW(HsCiN9M;G=i)T<A
zRFCe)WC{NWHN83)PNOI6c72X6vTYC04-yYoL!^H8#<!i*mJJ};RYv*I(>w<<g<hJL
zE6zfN3*_H}H2?E=-^ax*Y@i^{ER^=<WMJW=N9HKm#W;R3aPaTymu;a%RTL8SK}6aj
zXZH*uzHUBT7*XwbZrXuE{>#^Bn^2v|ECOPb6@vy1`bnI*^0S4UB@&eayN-I)lrIsm
zFL-tfg;;H{0%;R>rsnMIELvD;9e5Kbz<!0VCPukCCjIVbZWMD;Y-D#xM4ilSqJ8i9
z=nfQ;Ou%C)OQ!YSy{+aHCad!{8%^wSGb`&jiDc4}z#u+)NhQ#qM}*<4!v?YQsXc!D
zSatiu!os@VXC+vU--kL2W+<0wtV}io1`wUyb>CF>-GegF2)TiTs4OaSIh>GCP%g`G
znAf}EPWltdLyj+uJ91=X<bG?fMEh|OZaH`F1~KxBn}`7;b+j$_&+=8?EZx0$AUU~I
zboXb7dI+xRjS<|(cwUe~WEG509X4Xbv}aAzNA5n1Bzaz1b<K;vzv}@&Z0|9pKI+KL
z&z@j^`|@X3=j}{fdDFXf>(&a!Sp;7$+uUgs5LB>d__l3#6C8VR3mxA&$qLgcDL^QF
z<_wEUTK_tJ>l6;|^t?QWS7VRwhL(+lO6Tsn0*zTj1{R$k^Dlp$s^d43$IKIN$jh{{
zDt|U--OkmQ;ul$d^iA~`Q_``;SnjfQ6oh{VfmKzh=!Ol|Y|_Mq(+Miw45<)7cmg7Q
zSv@E3JKyp@%oiwkXh5^7?e$$tB3huGlBgQad)mRsn3zzI5*@Hj680~1$42ohAY86Y
zC{=D$Hz%aW7{Z?(ofLaJ0?o#6x1x@dHPjpl?9vP3G^7s}38z9-kV2sYcdr|@a>7iU
z4Z<t@c!KVBn$FOjcZv|dW)v3gagK$urDnDu>FVyDx$ex3sY9{B>v=VorNmL$*mEE*
z&5^r$*Pt>N2}%D}_0xX58+f8nN;{4RqUkPChR6Hsza9Ts;4(u)hoZ%*n)_;s90!LE
zyH)_m<jf~<cwB=BIfWwPq>~u8$fnoyI3f-=ugUIIr68o{KXLKI$^C=3<geI$XOMeV
z$N15!)~0GK(pO5CGMR|2;ogb%4$s_9GKhjM#A-VNy>eyRx^wajSabi{$ha2Kg=y>S
zk9N5L=LF<c7xOC&kOkMz!?u}O{qDhKh$IoZMM4KoJUg10IN5W8=e5#;zc=Y#f<Wbu
zusmoqAJ*6Glu-ozI%lVc11SlBkPXKtqa<Ini{ng!u0PyA?A6BV!s+D`5^365nKI2{
z=!RC8WXu{|tOn?fWOS3L(`~_oiY#u4;ukM!N_pKmVdQ12vHQQBh;!M0(s6yrgmYdU
zF*R!+??&+H)lcXTP)aF~jRrfeH$q-O$QD4m04{{CNos{8FCjrgLB0K4pOKFj-MVdG
zHro-sooLfoQ4%mIfD^TYm^SddWD-<ZZVYd4zjox*-`l50FpIV(WghJ3N>eQ~sBhNW
zu#N$cRp+`W(n%lWxoOm%O|IC{bQ2^3%DRaY=RHj|^YGAZxupAR)nLQ8Wv6a$yWka@
z)L*_+#6$z@>38X}>g_kp7bKZU5EzQIvV7MY-jNP(L%inCHw6dgdlRxkurGvD%DQ2{
zHDS(yyReA*;=~i?=>BtG!HeaJ{xaOiBEM?r<j<zNy;dWWHc}7SH{$U9I@`FUOU||L
z?ziIx#3rI<Hg^z3?MOeme0SS~J=YNmbaz1uOS{8ao=HU4qfyQ?W^`g$Ne$w}#l*&z
z<T;xHP+~-_kw1vA@%wps09_}jV6-CCh9`LGOvwq0HNYMyGZ19%AYkDv;y!-Z-@AUj
zwg|?+PD8>>UNRm9S0NYYWu#CK%J?YC^Tsp`TfGK4zsVz;pPyc9z|%ZHK)GIBdK|iL
z8Hp75^J6VZW}!prtC}3uv-N0RV&m~9wAPW&)ti)7<@2y2pU3%^4IhlK<xZMU5xb!A
znEAW*?5RuI{NlvB*-RgkBn*=2+ks}vt-`4x!o_ZA)sgDiz2ts!es%8hwh<5Zwr3a9
zt4zy&PyC{UKD}wE>^{#D!q%#O%PrF*dREw9uuW{GlwR+2yit^H)#9?2d*Z9s8VCGr
zE)$H|8DN_A5o#@J?WaEG@MHIzZ!X5)(|vyS+&Ndy7B>43ylGbw&;KvJ%4u%v?IWXU
zhj*uYAsk{bw?w^h_OsL6s-Wsr$%-|GXJnUQPMiL$js2dI&^6C$gYJ>s-WDPJoLyKx
zrkezo+BS&px}%$q`QvjT)-Si7U1;T0sjqRWzMwqi8geKsShQ#eP91>a(6p*=lxV>1
z8MOYYa|84?))``zSpv-?N`DcG5&m}e{P|OTMitc5Fx#|w^QFG6N(cDaxq&IaS$|A~
z{ki#4{{R<Kb51!uYXw&To>YgHKXhf(5uIZ@Bcqf@^$M4nv_-|X9Pqql&GYoeNES_p
z4waNmG>Ucl&U?BJUL3v>;&w&)GxA#`ejeb#dTaZ>jXfVF1)n(4iw5!G!(v;vvl+bT
zcu&W3n<t$cyRn5@62??|`Ei9C>ZrfN*u}tBO2ZJ=wfIYfaEZHm-z?@ov;bpcJ0upc
z{AN8#F@zPdyffS8^C@aqb6eXJkIvs`^0QRJz?;N?4o&>*xWzwX<oq49O7kzowR)Nz
zoq4N!rpxc9hL+uQbW{MjhwzOZXL2t+r?9yo`c1X+r#M>XwUE<S<n8n{wA_dXZKgZj
zn$!@HwZ`~6_4;jfGait8qQjh>lUULp=oAmf#~+|rR9@Htzf*hG0P03Y%GF(})3xH`
zRH3+8n-Vq6@|9q`FMTH5Y3rA_;?eem<eeoQ-c8!PJ@w{gZ}U}aw<B@(I~bf{IhS5z
z12=v#lj!Euc5}Pc{5vScbM8|H73xz)Wry|H4qZ*RhYD&aAC0yvn7PK06xmV;PHL~r
z=8lBPVjd%9rGQ9HjBcJaW?|?c%|)G}tPvSCwek#o|I`~>I+A3Q4ivM1feDnJ&jE;b
z8vC8R+cIdktTfau*cgSFkZ4w1$|4EjF6cA)V!-VUxpNT3Qrtiot>uC(=8z^|usI)K
z`jVC_QYTEDSoh~_UYm{W#`q0&J4GDhLCC+LtPwMA``*2`eh<!#b3CV0On>v{&qOCD
zb8HIK<`PQx<30WhK3fogstoFdr4dgh*be;LH4b@v_LoiWY4kl}x)XcYbF8f9nOlGa
z*76}~(zZBX_3mAJsZIvv@ZBR5`kafHxaExoNc61Pvr9O}l?%t2biyjYg__W}S0RrZ
zVM|9Z-+T@P(ejD3=fQ)WZ(F&&h>x3XnAgHS)#(fW2vAmEih2~Y`t~i293S!&Re$%&
ztN{h&7VuV2<2UWq<hOmm%jHI(=85}K_>i7j8gl4m<%k<gQk!F4gcQ0$f{OI&i|RL+
zkll88h1sZ=lRa-bOx&_p&mnK|E?%l?>(=``Z1qAK+U@9)6Lft&%H~g>KSLDidyiJ2
z&k;i^*V0gc6azy;QRYzI{zOD|g;m#(2AGOQ%{XokLNe*JSrLn-cACIRRV*onNC>6Y
zCrVJzD4c$$tsR?l3ZSF{#8eBJaj^X|zlSH?`V+;@&IqHGGG+6#700J|yPxhiW?1IU
zn|0~G#d<BFA;ju56#Rm@NVG=R!kl>A(*Om(F+l#oi8M}bf)6~7-W*-~ATjIs3Oh0d
zn))AwdM!Sb4A!9|mb7NhcO1lK&d#ktDMew*te*}a>>c4Jgv$ZlvUPHj1SxVrrc$)Z
zz(#H(m)W!HvUvrfAjN}HO%{-xVfAkrN71`zN$FCV(wo9o<UWGaag-LldR3b?7LegN
zUJZ#hB-}J3aWJ|&iF!bAeu?!ap^@CXIta=HmnFzO{izEk`scKcpj7b=_8U9=P*q6!
zGmFUrvpIw{dFYqeTo1juhI?@W(3i^ZpbZzLjzlYXm053oHqX^n3Au)-XL$faC_BZX
zjy^_NbKj){4Bm@!>bwR#&HjgkMNX|4N!`JSZ$+(IwH7T;;|Ox4G^S%ecK2C)eATO-
ztsB#+x9@!C$Z+9?U~<?K?EkvUUXXsqr(401Utxgs>M|#@xN)d0PTX`GG}(cKXmuRQ
zmw6CbzdL1l{T}Ajz{BWkse``l<Wyhn-X7`90mm9(xc~1O1qLWCE$#4m5lgfsPLb&^
zo<FzqoK#IucR6va-`;s{Jgez{E|!lH>6rMFzs&12NJr<O$Fm;Y#yIStM0fac$<1V5
zUVQjS_cbRO7`{0IxMms{n1tIuFzE0rF)Jk8b|*nt+7Q?ANiElO`w_gX&Hu%74QzQ9
zV4WIEk}MZJ;q1_1n97Ll-GcdLu{=>Ro{AtAtOjgVf1mOuB1eKXm&9jDIk34G)Bv+G
z)$~Kh3l#C{ymi;yzv-B%snnqL?MG&GnR8uEBbi*zH6oy#I4=ecs37Xy?rp1FG<~2<
zjA)WjY`My44M~bbd=!*k>cLi&jCua9$rS~A^OMFXTnIXqUIOdw22O90j|zk-_-U{=
zEV~H3Wr7ne-W8%S6RfNqX21`L&sA~>xcBL?Y5;^wgN`LY!m)*EoO|=lpDcu5y}+hc
z-$X*ApL|EW8%Sr<=@TD#@_nxaWtzrmDM~7xkBjrRQyko_T@N_|H1okDN9q9{Do4C7
zFV8^ahae<AxvkrP$qvX*g<h3tGf^*q`s}*H$rXIuGhxfnbC!)3Z%u=!#2+<+CWlU%
zWY^2I99QZe(+=5`5}CfEpqrIB&`F*{PIUdACFMIyhFsftePW)`5UtphHjX2Qjor3+
zbFh#zpm>I9nyVVR(q*h<qm-OMelchA#*ww-CPs|dv-ZV5<W$@=N_BzXK~W#wouIwG
zA)E()z8A?<<vrVl+#mQaTNGD|`Q~Q-YD^8i#|_h2h+XHeO>EB!DYgJVyJ_t=E!R>X
zGfT^4hs^*X(l#A>v(SCve?wUvo7ADbzkYGg=+{vxR)3kZVI`*UZkv|GoYFlSb;`7~
z-Qshu7BhqY5@+{S<kQ?Am{L6F@!^t{@@u6x%@+R8yjTCdcgiFEWmQX~x_?PFOk(Z$
z>igCZMFcV@{6b3KR>ECbNl~EmQK!0Yg$t1pl+04zF=ENBH0u!wPb$jwC#S9wgT)m8
z&zdrOKz`0?(B!*w_@8Q^M$&1;wnWPif0X*yDYiQCD4`?S?c4tI?=BnOUwxlaj)9au
z5VO<&=#%VAkP@=sb@-(ryN{SvbzVz5D<C^qz4|^)1@Ryj==11UdNG+-tTTA3(Z~v_
zg1@zwYldpDr*7LF|A$TH#>}z$!#RB!nG_9w^Y_VLZ?@7%ebuCYv+`Vap-raU$E+cl
zw5Apo2QO6?G!YFd1z-k@*<FyBMSkel#9awidg;lN*7)t-%yif|0^E`MIheJ}ebb_7
zzSgyl?En<%Ce`<;|3k5+^*1mMzTb7!sM{Vl#S%enBbpO@B?(QPveEjX0T8{8pu58O
ziSlR8td!&Pm$+(wGW5?zGa!Vc$bF^D;sXi&5pc(HsNlSm5q9B93YPU6ma_~K5dSEH
zc`e_?a><X}Z4mdUvPGX6E&$pHE~M-tow0^dz2;jxjmm&Q;DXex9N3(2mM**mbb;$D
z)W+rpY(2x%murot-e;eGt$!SNmi<|nUbcYqU;$sIP+(BJFF-wkU1IC{-h#aWPyP;k
z^TcnGy~Cec9~ul?71U+bi1use=)P;WM>%-SI1i8AVOsjdTMmUEGKq`Z=rrg>8vn6s
z``K|GQ`KspJUhegP*9h1F||+LR%G6Kzj5b}X*<noHdp;z6>wo$otIA+zB~7Izw5hS
zPZ!>?`gf)UJAWFC*RYWzn`C`w@a}PL2h<U+w9!5L_Pq**kl+vzpS%_59~vedGK|{o
z8lL|J5NvOrUYOXWgycAdLb^tjlQ!q)C}i9Q2ehcU(Dz4z#!%Y&$9z^Nkr@fldNlFc
zZ>fufQd3q|o)57sjU4EwZWSlw-|XL0rxGe3Jif5B87I#yh@$X{anW}c;NZ4gPT|3V
zROJ#qy4CZaK-;p(>(XxAFIta3qU&wg35GMnk+xTuc55o<ub^K<jVTngXmtGPRM1k;
zqookv3kI)MHiyoiAIKuk3+SDAXA!C$?WSvc0X;!nDJzmrYfhU*yQQQMwuvogfBp@P
zxSaMP`r5w%6GDkJ4~yRJ&N32ml)`|bBpB1Of>uupxz4Mn7Y0&p)KjQc4LNMl=9bw*
zV-0c?8ZGID>dPUao5G`Yzfq4sk-dF<dO>gOrANP$Z1Fb%F}~L<Q!R-j7(ae|B#IcZ
zs_@TAs#vHCgEq9#!oagc^;~+9?*d*R6psv5bgii;nzJM`ynsBV>)=N6$g|q_7Q{;u
zrsXnY5rEG#^J0A2SwEkwJ6vqTIxNSbWj>jFGV2vJsWh=o4dsl3(66<vhC1jlS{J?h
z2`R?{k2Jq^FDJ*G(vb5b#3NiMdtz?MI1L7ZnquI@9%vgITn7?}c-&SiYDPDLw95!t
z$~^fXq){kVC00Nr1zq+iwN*&$ez=>=KEF_h3%1F2n5L0$Qx2bM&E+fEs1GhI?I$~x
zR*luAOhIPF8ROxQysS0#bf}wy&#?xqFrJJsrU>)tqQ*YhfR{i~#C6_iNqc(<Q-;#j
zjlQvBfC5i^19-j|zfQmeipZSmhNZ88lgM~axVIodcy+;Ms4pcg**eDb;lvId8sDhf
zXSI%mblzLL&hd$TXQ8_gHzR1cM3xDyj>Kv!Txg~!O2%d7o^%_r%CddroHwa(kH<#_
z=uF=Kvr}WY%$lY5AJ$hS&3o2{?X+@O2Xim4-V#HKhqM)XiZJTXtY7iBO{k#l-FA6V
z{tiWwB#uR@cGOmrnkx&oG=9PaXpRYSwNw=NFkA@g@qK^cYly4H;fA;3))}{}VhCU8
z_bkz4(+*{%6_lRM3t6^d70+XW_8??hiuu$(>pc;0^TU2x#FTgqzEDhdm#6mPw5+-9
z_M>@-=eSsKEY<zPq+YRAv7%%z(50}>ZM*bf?EANeKwDkT-v~b+@GIrRDWgKM`{K_K
zv>6mYCcRK$$hV4&%4Y77fNE`}@@;RCUutM<o%znfjcW)JZ52&b#<OQrT%QJuxk2Xf
zd3eOzrO7QxD(LI(4aza91(RyP;TgXD#`NCYa$xnEtW?=U50l)tW?Y0{RQWryhf~7c
zd*a`16s@&X%VyterUvsbEg%TFUW?wUz(h>OQx%ymTbi({M)XLu_yfOxd8=m}vmfdh
z=r0tKE($tXCdqnvowS)tIDo`Y0%}XxA#}u8-}1-If6_fu!UQPd45{_S&n{wiOG{OF
zfRHn4*H<=^&_-qtEKf*CaB@>g=NOe}C?wkl37Qgmki#wBcm@M;r36qE;kOt!zAx4(
zkxkGVUgpk`fmOJgp2Mfg=Yg&V3W)dLkEyK}7|pWJd5(Yz%SrTO8%f;y-u??@P7gzN
zIw}tPJT|!U@Zp5w#eSQvGyV5f_rEjNEPd9Rsl<;3a34Y?Aw&|mpbX>~O3$-^d_h6R
zsaEA#4cXYHd#PW=(KBqIjUbSiErprJKGbYUH_;dn$|pG|QUDA5k$+@@AdWUe910n*
zb%j)%)tsS4gtqsX-n#`HQ%}M@qUyo?fHSvaD2;+cT}g%&e{sDVX$DJ}NvA`jT?YVG
zGIlAP^7?Gt0VE0o#dWUCuZOzPB9Bj=(?T3Wkga?ua~fU|52kp>Wt48tgLzTqFBKOn
z<3VJ)IgdxIs*q}C&66YVEMT+|K>CiA+mEE=o^V`|a_suSuuI$~vm#%1N0%YzCGRq#
z_r;=-&7KW?r@TM2S&M9Kwu9}Ht<NIz`rY|ogYa}YvHz|)OH17aqg9q@Lm_|AT>8&1
zWw%(W_4nFp)M&GHz5n#5dvk+U?H`zX<!i-xwSU%b&F;HKc1lRdsH&_ikDnE<Qu#Hg
zGF8qY#wqux{x!jW+8CAiCM#-1yVo0ep_Nuvv*v$)YtVoGnf|wr_y76RkKt?WrvYfm
z!)1v{G($|m@zqzR%E)8Z_a#sWK#`aeV)br;L_OZe@3U1}Tg}(xXdnuapo;qS!vMH)
zjN1BtY9#7)T-oXO?%BGX%dXmcKb+f2thO?3XY}a$(9=>mfIe6Z9r|*YAKj9)w1T1o
z*w1>D)K!)YM7@FMBm40~pKj-@J?L%1y$Rr|gr8f)1Ds(#DHs1fI`u{?YTD0cP730w
zkcfx~^Y3)2wsv+0?s@vWx~nAP-~jxi?s-+*1R8Kf-uzR)@#+sm5Nabz5r?4R?Clxf
z*+622VJ^W6mRC$<@Z&1u&ORbgrT^v5X&|%PBs3!McXekuP6Vo>GCFMV9?_D}DL_pw
zn9#5um_sN?wGLnq^=sR_5t8<!yH}<{U~(3EP@=z)LhLX6ts$?`un8IBr(cwoh9H-U
z`NaQFe$V!vNF7a5#}fDb-yd<MBQX9}fK^juc{)SZrGxirH(uQ&e=xK-jp{v^e6*zI
z-I^wJ`|7uUYYLH#8|Yc4;pvcU7i8Wch~0|zEq*GLnckE4GLwfBO4?-^$%Sl0bUb_u
zLYph(bDDPajQd$FP?V&xGoPs$5`62Ie}_uGa!8L<%G=Fc8mW62NDv*qeY@b2r25#5
zKSOdVHJG3R;sfO$c9E%vV{oAoK_I?+CIg+_)EOWMwU{N~d}9p_smO%>U^O-;x{Um`
zo+uFrwrT=-DzmZ}M704O-gEgLKn^w&mb1-g_>Px5w#E)x_U-r(w{b}vx0Ln6yZWPq
z8h_d&-09kVF!8QOd6DSCq)ekAYS(maqh`%wdk6a58ICi<URA-he!@J3TL+Fn^GiZ1
zA1WQSDi^Db(+sd5`QBkhm2}<f#$T@>Fx4Y<@ZaUvL${{-;d}v{dA$-eZ0^JdrQ(pr
zDAWhx+bS#`f>MZTk`i<QM5wfOjJsv<2oFnYDZ&V4_&Dcgq!4%?KiWP@wkKaXT(6f)
zy5iQJehtuz$!zo!VD6HD!Mn4>T8tt;?#u7{$s<XHk|#&O)HsKr*C1+e8I9^bk&zVN
znESgDUPlUAxCi^4xkdcNzLlkQB*7OPHi}vc6lVI-?BN!rZ{E}c%%tGa#>s-ORB*=+
z+!SDHZLBY;Dr7>PY{`@Ru0y0W;FlA<{i>@Zu~k+Z+6PH&C3e;zIq;t+q{bn2dIpRR
zNCz_rqR_#ZPUz>$dJFx`$N|20(F%Pd%KA0mrHH}N_sKLCIty25ZopZ}isfK1S)IRn
zQIcDLr6?4CepWS*9EXi2-)n=r{>|7Y;;Rj(h{yY}K3PY6RSL-!FmTUNg<1hBuAv}2
z^wRzNO~@s+9lsa|#<~!GwU_8UXd=5rM{s+CDpG$aDadV_hAc#Ew>WQ_<U4%bYhceE
zB&CzUz$`<x*8;|(%FHqb7E)Ej)ae~#*Of8ucGdBRjoMNyX79BKmcr|m+to-V_YkW0
z4Xp+&r^i)Rz<A2N7<%I6qeqXVD^(Ox)CfNz@-|KmMZ-?7W^)>f(3S@+p~_sm*7KCQ
z9Q!#vhz>*{$ffpez8?jAW#pIN_OZ9tn5jTHa~rk8b&QkObi!Sh@x<3Ne26oU5mVyh
zB8x+2VP*9HUWp5DGXvleAJw_Ek<Q{$db&b@S&oJ9FJ}7|=Gef)ipEzi0`y>#B_JXD
zV*Z0nkTWsHSW`vCi$>UxRx@@}GW}(EMOJpLtWGhhfW-useq;qr<zUr%*zfNR+^mi?
z3vzGNtt$b73_HPUyOCN#jt{kpnCNJsEQMajU<>5wI%7sn`{sS#p|fI#m}0$0^_TrP
zIliE=R`cffJpw%@l3mv$;QQ;&9I)wp4?t`gx0m{%4$0WMfXV~Dg4<u2dKST4(DBLt
z1PaRtAMS*qQR~=FE|ebBB4dX+@}@1_-Q8t_2oNovS2wf9n}>yn)Z^QSV(Vkh+b(`C
z!ck)0pn;+}@l=eUSKD^_A~kGs&fD#S+g5r)FBJh@Sk9XDYD6EU&T`6cPHAq?Zao6q
z5YSX4?_djSuwr%@<PgZeL~7hRQF?&q%zAjTBZ^)^1&<o!{^6-oimFm`(j=5H%Q|P4
z|IJ!m%Aemj4>lv_T6V7)(O{HsK&}4a)f8}&t~(XR72Ti4+>mVaoYYV;+I3ON^3W}4
zMi4P+ZjW0yT1%G{V$8mw-aIA=N<ijg-k{+*ZvBG<tAHEWHxIi<n^XLfo7<z{%GIki
zk?cr19*6Sm<Nf~G<NBjRhG~@`o`KS7*R^XMIcJ;#==|x9<Nz0I8+jHAnT)Ac;Y@z6
zEHe;-hK(C9XYpv#EZ-Z}x@=JGtY^mKzBCPagzmAK{-m=K>MJMNgJ(1E6%<^<$RRW*
zD6f*+m^;Uu&)38$FS#SdQ^X>2`?lV`h9}}#x2L(P6*31_H~JZD8;xIhea9AHoB_W+
zJ5EaVwJobeoML}oA80Owo8hib*x#M%P&w6jQFJqNV1>Vk7Y`PU$<gU4D<6{D1;e>7
zvMg=JhGRvcnNfB-_E1J?!nEJzxIt~Dq=43yaHJy>&m`viczby*kBZV3FFzI4-y=Ht
zm^%%ih{_Z$9B>{lE4X5%QRlCe#C{$|Fi#6j+_wDi?1&G!V+I$~(%Cvq&Kux<SjOz3
z;C1Ew(z?!K#9P3RxBUc@<J65$x@Jk&55^@kPWd$d0&)_gBXAU1u-;gba}=gamKYIb
z6m+tV5sxuU0CA4iv0C+MXc)?@>vA{9;3`fTI;>E7+pGafjHg>e(V;^L55F7=IgJEu
zrHp9(Q=J_s>D(kG7qczUx1?>F2dX3C3!-CnbS!Yny9Xx0^Ab(AfF0Nyi+~hm(yE6;
zqApvNb5~+Z-n@OA5WbkUOTvU`QNs}N@Wu9z44=|tN+t)7cU$sU9>sN&@2_;EwnW?_
z*C7I&)o@A;>94YH^#i$=kR~2eCfbTkNF%@z_?uk7!?Nq`mpr13Y!aVm-8)bNVE0(h
zi>k6u?<H7{7#A@AOxTTx2lv*RJuRCU@YMJBuw32bUQ2ons_^V2&nLQtdfD!^fX?zK
z{_8^jKQI6Pw_i>9?5yN*Rx3--<W*T_ven;5Kb1$nYQNq;?LoBCxw=mIi#7i)&H;aa
zXW-NMX%CuzlUeUeeCCf<kwcXqcB{?)>z}%(u1ok2Ex>>B#Rqh+Pe1uR@t*-3wik-@
zn#GMH*Hoqk#dyP!GGwqGV5+zzv`A3z@i}2Vh{4~9Hby?WPRU1p=_!|8)1|!{QkM5(
z{21_OPEhF*X^ri-C!iVR@Z|2bcRe?(Lk3BR^mTS6DYMOy+3<1>jcd(6_kng;Mg?Qj
z0ALS_jqNPrSqhXo72@=uo}@(Io^yim1uHl?$-0KM&PY#>9Q}2pJfOqcQ(3iBdB3P}
z&V5)45+NEmSs@hqy7LybOhG3v1t`1jv$JN6yg~U~74-L_2NT4T!hf&5t`!F)T(oA+
zR*q>t=+LDH_Y*lK3hSdjj^G6_O~vc`Jx%8uxqH}FN6LB%A8{jdUDIQ%<}T$@Rp+$7
z42Te<c5Pg@rX`%I519Ob;&=Igg)i>EHu*cY-q5n1)}|r-`}Y^0znVKGr}$cv=RR38
z#-zG5^o{4;h7MoH|G}Ig=~>_wYq>M0QoYb=*y$F~nj>Hst0vK2nH<hsn?7e9v*jK}
ziDG|lGEZ1wHP}3fDH--2ZN<NgfVc>dTP<hu<)bt6j%~X5{KQ*Q$*IXin*zCYN?rPs
zdwMGuf~@rJ+jpEb4v>aI5YlX*W)XLu+D*6KEhIre`Z9!rnXuwQl~O=S&^>yy6_CM9
zqS7nf9Q)*A;FPy-1?+&5Mn0CoF)1krICtyZEF1G?=z6Uhfq{QK-l`}><imMpjzLBS
zGXNYqEZLj(vvLGcV@_QM!6U$KB^XTci{IcwQzyqd?5s=xZ@;-VZHjKyQa`_9t{cus
zwd$=~wvY*Wa9rzhbINlRFwBbBsawG0xFG2n(@lX!>+x14mC`2h_O^LL<1tSt_7?u_
zbtc=&E5c}P&fooqf|c%JC3ld7NBEi}j+iXUU48&Ybd_0oC>z@M>Sf!d;{5xxOkO*}
z#t@O)A^!#sJT}fh{?TZ{W#Lq1I7K&XL%=K7Sj@+1zoXVQF!`oXNc6m57jI80$*m*z
zHdmYwr%c8cKS+3fzjo~ufq#DW!zCJ$Bn>I64~6mJdnalJ$wiFIfe$5?5;8nKA}~le
zLZZ$<pg%(Mbfe`O27jl=wEOX3_7=<bm*@)`aUs*unk;;Rloaca3IhJ{#46+i;=T#j
z?-4lX%G6$L3aOqzbPm_c`g;goc+=lF*kCGl2y1s5R|(^yU<^Ll>$&i(1nTk^D=R2S
zEP!T2rcHDcue})a*fq>TA-$hGdGc>A-0AWI|2;@QdZ+K0eJ9thT`P`G6s{wEjVLGo
zN*uY8bSoZXNrgX^q&u7@iXcq$=rLq|eV$3a7qr;?`SXLQ!W3ft65vC0Ib1cmM`mNO
zN2bx9@)<pxN>*4WatsrE9#>?rma!+VWokk(*n9S*uYdxINCR)i?U?I^>qfsWkN=$;
zTmB$fh9Aa`IcD~DwH!&4m&wu**D&>&m=4%h!U<6n*%x;rAxoVg0cn|EDZl4ipf}Pc
zrUb+wczid8f9^Ow2?aX$nRqCid~9b9q(Px9zRbcF-3gHuK>y<g%$>aNBxpN;0B(f1
zO$7x7XL2Hgf#KQejYy|Pi9->qLa`Lna+1#mLj~a|(j!2cHBr`QDTh*`1pKa^iOkn3
zPKYxRl3)-}C^%g*DP`-O82|HDiCr`4E<pupVa>Zn9<*lb+2l{onn-gC`KX!0<zl~G
zdvJ1>rL)C$7e*oILZJxAGOqiVe@d(?m!%n^ruYzYhFby6`6VfG5i9aYRowa%sic!Y
zc=+Tx=+)vE`L}M3blvsS(68KP=0Na15wgfG5$!S8K8<RP7kBpQ8M_^Ge^}|Go0f7s
z{@rI*z1WjLv&9UGC?)>!2BT|Q3N}8yKl`jc>(nA@9f0Um_}IU7|5s+&vw8rsl;Z3q
zo{&1p%JtQis*@P5IL$K2+M%0%)t!EY@^9Pnu5@^cAkciZ3x+m*Z%qfCH+?vNEd`T9
z%I(T)P2J44gE<QzDYzJ#Bg3=^x!^6;TL4-8kEw+_O7!DAfg!1>mCko=4zA-kbD%=B
z%5rRQ9-&SaM$Y8V&xHsb&gSgNeDo%h73i?NYXM&+6Pu;J#f-t785*ULeV}~&!EQZC
zCp=&<U7HOKG|hyS)SPdD&?VeMMXYZQO%~<hB)vfAtwdqmxx^6VdI}~ptutRDnNe^P
zG}B!_*>`QL>Ps-l=?d4GGgtEMqDvrK^PfVdcah~P`_6phLeZ|eGF7Yz3Nc(E?ZnbU
zFz|$LJ3y(Jb_7c%(hV%oRwGBQGxx)@l#yLoP-FW=C1$Do5BP=+D=JUDNEn+;Rtb|b
z_n&JJ{t;da?J{%y>S7OxN&HgYrh=FC91Vm8S}!EU@gL>^L<!_b?|JB?F~$+3P@;nS
zY!o38=uLi)BE(a1oRwg`v@Yt%5{|U+HWj;5`&J@<6E28>q;_vp|Gw59MqdmfjdFpU
z<?bUpO`;{Ke<V?f<)%X0^y<M09oWYcj8?@P<>;F-7-C*x*%&5m4tUd$*<rwcQI9E-
zGvQk#!jC3N<~M)1e-4k0!`y3J_+Urqm_@-#8O04%o2s^Uzm=86HN<2G?T#ZSe%wPv
zPfB3)=T5F(moO*V``x0bk%1$MbT;&)l4<^EY$SuKpuo}HS%8D;>S7p(jMCsTYA{zW
z4VH~$us!m*Ye0V(`mD^XJ*zS5%rGltpW;G6Fn%|7Ok1Sqf~-jL3H65bBb43;bC8Vh
z=@;5Y8(c>WCjyGn10Bn%)|az!)#M@dC@gj}9HDXJ#>dGjl4}$tkBL^lx$9t)rg86a
zdx^eGq@UW^6X#v1K{+bUB*0rCcLoQferWQ9M<qHmu0I(lB{UCpjZEeU?H&JU1NDs*
z4w8xf=hyo{?X5S+S`5Pmq~-?crNbpkX=(bf)DKj}<83BIU1V(RO2iC;5DUfw=99)~
z#F=e+z*R!8%2W=1-OwbT$HY6G7W3pagruD7(n7;2s@)`ZQUGh@b)g0Q(z+ZPxobHd
zzvo<p<IgYZPUw{y=e2y&DFM|TvDr>=e+sEoXK)1>csOEZd`iZoMt>L9vBupeRHqea
z9eSr%dDxYZ7A37$e%yYUatT0BydFDaNw1yyX&WEcFkacC_kIfw;R7k1FAh$aCrraX
zKkO-u|Kq36_tyMmE-2%YE6kafA9>xs7_^hdfFI%D6#x9}|M;m)7#y_t(AxI}|8yg(
zhN(OC-ZgTZW9UoKBHgpERr+43%nzJ}AMsNvf1LV$6$kr2KcXA2sQLfjPq%Cz*=cLu
zVv*g-kHf{TWB%*bM?TJf+Z+A;g4Z#1weFX->`=YPT0VY{)cV>79IY;w8E@P6`^Q4p
z6ZI;ddlj8~SATc+VWD^4v}}I-t$us`mr=v)`UN(FEvyS;y8dScHmZI1Kl<ft$t&r1
zH!1Uv%afuPT3stZ_M|eToY&wuw$^bo*?2Oc1aRUihtXQ<tW3rW$RKTWH1>&mI1*8(
zh;{+9^X-Ml^c>znwvE5A#8C2Bq2QuWehRdXl_)&FwWuEmQs+oMU3s{0NNL%3@IRV#
zX_ecUEL%k&uh^GGC4tFEp#TID2qQd;T!w~Vna92aIOdO2Dgt~9*WWs<gG2s_1C+u7
zH}+@O#Y8-$ep>eZb*!2@0H}1!PzoyuO_vnQ3U{D243TIc)ch>lH=2wh2D^{(!lj0`
zTm54l*BW^`>!Xp7`9vf#Nf(ZSA4I1vJ|OmX!~AOWw=x?DOJCg2b;5XKs%g9IgAyQm
zx%Zz}Q+A)NA9u&cta_2n!<4*g{e&LkB*ned6KEW2wV*#w<JUcoNuxL&Tc2NG@K_B4
z69WUU{raHzy5IVKc4SOw@Z0sht|Sa!e<rTakD5cg`(E;0+(-5Og^jiRVsr~m%{{O-
z^Zl721^K%Nwc&g0(%s?0?eZMVaF%xKO9~XP^Iu*qxc0K>``{}NdL5`Sxle+#gTzjg
zG_<VpMrW;rXH{J$I*Z4GXV{3F660>G0bZ)y!q?dJC~6aq&mA(Prr6u*bC)E%ud->^
z{c_f=+aC<x2Aftr{p{TOv}k0gN5Z(lIBfJJ;$-}(8S2t4(mLoJ`2p82EEy^bPQ7K}
ze)m0fD!raOetev41yM@EGlUR_D<2HNSch0O)Ot!;`t?pHC5h}Ow57wsg;gGJe{kD1
z3D{vB18u8MQo@&8%gXPcNTtE$CbE9J#GfJWh;fw_G(67{EL=wKD4^TM!N12xrB$xI
zR!O-gLn}_7acrIUWbu;I_OVA9aL`I@PNE37Gw{8P8>F)qyAK7g#JWg|!z;Q=xHBc{
z4Bobqril&`76^IiZOB|mV^F!#lcC=oJ&#!!_&eL|dw;UoF67#>rVKppA5Kd!?=Wom
z@Jp<tB4~<QwN}2YZ0LHe`mt77!l=8Zx+-5L-^hHb=ciD#T<Dydm)7g?QFYho*!7;n
z2lV$l*l@8|hgavm^gUo+m|k$_@YTYxRud<l&ktU)qfC3ug_`P$qWibaeG|{GXszSa
z?rw14Ha!jUqKI!1PFf)*Uy0)6MiRs3U#mE!qCgxJI2Grv`Xrb-t-8@~M#-7wO<FDc
zsj<B<U_<1gV+D&($9tDvZ^WJ`Vq$wEeRD8(5iB#qZDR58Ayg<5a{=eb=FJ_FwL`EH
zuD~{Q0#~?r6bd?<hHL*OozwTJVt*9(0B{*5i4jM?Ji*3T{FTxv3dRk1Ezw}(unu+!
z8_Iwk5}g7g_wC)=WPh~J>zo>*ou!G9JYnq%>~GKt2T%jl6&yaiE01|&TN^&)Z5}Sn
z-$<MR6qpO6HMu4l<<R185Pp*qS3rC29R$(wpC%mr)?xue4WOzd0(R+_IZtg2U3`50
zeRXMRCj9caXL;>t7wwj#4QmZ5B+*HyPy6^g4zDWpFFvhUXyG~O*Mp{=!kjXmM<uS`
z>^*dyQsM8b8k?IO)On}lwq1Q>Jzr1zW?GkRfBlG4^-un}{`1EHhWZvyL%pcpte->%
zek-me6XZ!0xQu076u+TmaEL-n;~vHt^LK(gwl<G&=X=ejEEDBPml)WSX&iB@Hf#u^
zCl;+Zhb}hsspvW+(^FdH`#NZ7gz;6hBcq3v3b&=1m7AY0iDA?%AxQ`U#hH&Prwxqb
z*xNeao_E={rf1pJnct4KtD$HYT5sj44J?BDy^(X#taP0;og3b))7Gv&6Rk&%q>@?b
zBs;n6=55k|8MVli5zVFUM0+uXs5bAcX4Vodit<^X`ioAUFStU-+yEp~dl1JeXpt#w
zv*NJx&~r%LpHp?BjGKD2{N<}xtMHDOzW5zD{Q?Ij5eGK?$54j}AQKTW<!ExOwa?dm
zle_1+SBOi~#U&CHBoWH(ThWRJcaz-5nqHZCymw`G_iGOZw+(k*$zV+`a3M1B7m77s
zSbJAL&trAv(czNKKp@4kvcd{zbNhYoQD~}A%xP_CJ9q<2sffA~Es@#i4bOc_*uWv}
z#EpJ=>WSlT(2Gm62?EmSpHWgpXh<&cpPR$OL)iw!oGGF<C!QnJn9Fi#KmY<!h)0>g
zBkdLL-~_wYtM<q84MQ*%^AJFOZT%f%=Uxw*v$=^*#`~_fr`*kb)bQf64_fuSlQvb`
zFZUcirsC-C9_MQ|GT5|d(YLlE2mTy$yK?lNnu>4F{``);tNvZE8?l>007*Qw99|-r
zXEb5toV`UdeVb~K;e|ChW@U82ag@QjH^+6vzANF<Qu!vaab%Xd$X9K?l=TBoO|7~!
zP<mJ!=pRr(7nY#!%YBOlt>*=+m0SUmP*+&nUIsQQfv87#s`^(*CfB)~0D}fy&}w}x
z>^bMmWs_0%);(moy_k8{ZvLoYr|!=VJLhS#<c{Hy7KmY}ZdKgIY(Zji!n3fi#4``y
z`saN{$E`QWcdJc+{NI8hYeylrK=ESJUaR@hBV!!wv~Iy@Vr&s?Kqsk#)udLx*ducv
zJ$zb`{wy-JdQ1t@zObxdmcpZ;kz2{19T*s?bPB%Tu;I^hdp8Mlp)W84`9x-F{s;t8
za@uHZ3Ots^+s}OVI?rxjasYgIbZqQFayNjPNO}`&7MQ7f_fX6B!TjI&ZW4qkJv+M9
zyjgquJ4|sa(5AMQf=C(~4pVYki?}aEydN1{u^b?^_`=txnf$Y|hD3CC`0C<ahcJN%
zE{#Wc2<nD=bZQJ8)#>%|&oPbPKdZ(}0uSSMWqpT%xMVz=z0JQ?CkSg!SNXM(oh%Sf
zLEO^9Zsb}&z==zr8lGRqd58}rgotMjcS+1%|GtN<kK4?dI&4vy%buNm?0xwx%fOk_
zKAkjNKCz|6w?{3bj$6iiO<vLFSc|D6HwLOatQ8nI;L8Q=_^-uvH1oXouK<ryc6-vL
zY^y3_9Ek!DrcoAvjG;A!?U1x;@E@2G6|PaxW{s37j&CXx;@@Q9yNn`_m|e5&gLhxb
zGqejb89vlSPLGX%SV{`vnRz9m4)#Uu6?C%m3F(eDBNo7*p|DBmzjf$0lF0?&Hkg;V
zYk0?siMMhWe(Ue4-Jy4#8E2{+zBg>Erf4|)%FZQKeJ0)c<2=5=?pTZDfr&#VW)_s6
zxN4Y7)CUhZ6E!CXgTwemP(&OfG^>Zhhd$|RhryXRuym;O4=gNmW}yIQ2%d@O<HNn7
zZKEcfn$aJ1OWN=6vxmjlrT%z#KJV#!Ebn6In0MjxcDuzB9Gnj(#2<Xj>p-?DDH_^+
z`zAYm-aNR49!g*eC+T-32g=Fm&olKqlqGUx5=()~DClI%Z<QAYmOHuq7=3JedD3S9
zLZzUb>5EVkp+(dl<>>f%@jD>uZ8>mmpKnE3MNbHKE<qLDQgE{u{a@p#M+>n6It(cI
ze11U<xwX0G>qz9Jk_^y*yb3L@mHk~mS14Qn5{dn-y-s|3owoAm>vFf>h1jHGD}ME=
z%d(57XWdf<5@h0rU6*VSlASNFVVW0l6WZy9kto%!f-dXsOE^S>nvp^eESD8Y15>`c
zMtz!kcJcc*yx9hL=e%FtEe@T#<65VraZ8`1ZMgbi_opT|b{#M}nwxOsQVsRUOMdlb
zW;QPy!9W-99ca%o&?Zo#uSKdV5@O=Cx^jIMy?iNSX%h@bCrxc;Oil&FLL~cD4rNge
zAsc2NYU*F7lIilZTcF*2BJQ<EwTUAMJ>le!mp2zx9WVW2J#6})HigIf6j;=C@-3XI
zIP~~uy&bwW>+KzP@aUzr&3ZD{S(+q-UX7qZ@s5h24&hZz1^G+qPo6jzKQ__ZnBr;a
zz_Nin<|0=@_TpOa0(6NOxj@pB0AIV*T{j3{8iY<Jw^YKD-|SeCNxDu+uyAN?+tjxZ
z`6t2=`?ufiQ?-H4GjQE)fHt&oe<BmU*e2$V#gz6xUk?5gJk0*<6ua=Z11~tm7v`5~
z^bc<kq?C@#b3Xa#p-Egq@!iComvMV0WRqAw$aR-Ikvwvd-SfHVq;iI>?HWxUPl{97
z;gs#00oB^iQz=_f)4_j-JGA)ro=HQxHI;a3v@4RP7JO1M9(teyI<-L^3kZ&gi8QNz
zI-v65%d*UcHhniLWi782zwLeSjOm}=N6&7&x->Lxz`-4BIiR?FCGdoh0BVL*@2_f_
znoa(+RPC1^c<$>d6T|C~N?ErT9-ljZ;j&lGrxNFmiTFJ*(Tx*CcgJA7++fQOlH4^w
z=Ql81Ui3nIxbdmJCq5XQ=#73~?c&WTEt|n*NP$W<BtSIeeaxpvx(?1pdP_%b{&{o4
z(<_rk|Ne2ack!mjA=@vF516_B!w<(@702I4Se$kKbY@fjq-^EFz2h!yQc~IGtm?OP
zDOXe&oRg%BGQLBO0X&}O$25GTo3#&Ld$RKmN}C}(KZ#8#zG(#~|5sn|4Ckb*1WJX3
zUmf(&aB_j=?N5q5X{4O)IK@8{U1`RR8+AZ!eV6P0MQwEnX;JHEiGC23g<FhsB3phv
zK0Pf8U<ww=UIO(BZDZ+EHsSA~ko=kUS>bjmta9Pjkr5`X1)Wk9QF>>m-b*@j#_?60
zOsyp6e;PN+w>PJ<eNWksDP5Sj?PBrK)me#dHpMBHzZb_YYY-lvcGIAY3;nG3>&62A
zu#YfstNCpGYH50|T~Pe@n{nSw4&Ny~7oT7DxXt~BWSA7uas~06?M&agZT0=}Y-PU<
z+kcwG>#6sh6<G(8MG*vK)b+ylhHfPnZ2KnsKr;aYFrQ#yakI4z{MidytYGHkdL&$q
za7#hg?{sEv_tG;sE%R<wRqjckJkedZFAdcZ;*QBFU#DN3J)pVWt|n955;bzzo5=%@
zhMf-n{$#t>8WbgR;lT{3y+(>f#b!xyz%BoQ1uH4%9xrWU*F!6G*`{{}6&{tX$o#|`
zcW}Ph|I^-khxPooal_w4A=x7hDy!0-Bx&2UOB%E^g(T5Vp&?0;N~xrwl9se1qavCL
z4M{3QNlUt4r{C|o*Kyy^aXioc9M4~m<GNhe@Aw(t?`OQv^L(unkxg6i8pp$eGq*x;
z{G)cy1_@mQXswThrDh&!T4d!jn*oE&J(Y*QZ4JhQIs=8;7jE4RkP}8$GPUnmyBLR*
zf)wwqIeP!TjCjF=T1?NfgX^0cZddxNZJO11di>6W^PJ7#Qt?rtWQj3Ly!mW;ea(ii
z;Xoby42AVSulp_>VN#<IB;T<+kKOtiYHJK4K9JeqO>9dCI=4ju9nZ4-(3)0`YLD;C
zxM;c#c1Oyeh3ZMjLts4NS#4N(r6H@v86%-<9d#mAt}FhqC;W2#q_D;1b_EN&sZ>Ko
z^Y@u<YDMn3EjYUoC_!4H_S4<$d{e;x(1Aa~19Tj>N!ain15+d%FmvFP;l=x2wZaTJ
zNDMrnLNyw#5Av%CCw}l?;B7&ccFU`N0;?gA0Hq_c$9i4Fu4Pa3%N#UhrbpSA_As-a
zu3%<i90ME=GjKN!zqxW<u)#ybHw!SeFD@f=rEL3;3GKmH$;;TOrmS1m^c=afCRSXV
zvEf;zkbxlBQ*`HmS68YX?CJUR$sEfkfC4|lGA{q005n=Y2jOOrOC7muzHM%4X=`+i
ze^$rEWEvN0cgsm5`GT?*P{R8ye;;-0|AM2_uD%&D{-LPGYk=**v$Ctke(2#VaPiVd
z-x=OYmu-rz&ODB1iS|U{Q8C$JmS?w&)X0D~@~ShRt7Z1Pi`iD=uLtvj+5hf65w~)N
zm8$&6&!4c~rheyfMP^?}liz1`h}GCmq9|)DIK_G6;Qn2&EJhr!bJ$q)7KwBnaZ0-P
zTiH~Q<=Yq+|HXMBKXb)fb%vK@*OzfxzT$m#ODk`KinNpzbM=!cRKR7>2`YnvCg_<m
z=?K3^UNUWCq><05_y-F{|JSH>Xlkf^hRaPEreex!2gEXWg=$)L<}P4U{wps{V?ki!
z_Z`2>P}kg%B!x`d^UyaCF%N!=Jblepa=OcySzn9@XTP^?V&f85YE75(f{m3<9sJ2Y
zsB$z*p~IN-{$-DoT*|&xDX%qzBBNnFCgCWkG}z`I;eg82G=QQD&Hp1vSZNyzJ``U3
z5K6~{rix&4e;14g$Dz-{0+Fpbt}mf211v7&ao;SP+od0|OIashZ}d9R1};=+gII<r
z3N7uzf?7t%sa#t9J&?WKd)p>}$NNLnK?n)5>6CB;5{-v%L~0~j^oC-(k)1(-&Xx8(
zBtFDOzTe*;EkHE>;ks+RN%!qz2<k+vyiH@uB3Q<KF;HWMqhM|qqtz~D*Q6`J%)|UK
z1`R4~(lf!$A+&)lYZee!e{8xmHZeKgSHBKUcUq-^N!P>8OnG~f3LJdcY|?wp+WaKr
z!LN9Z{c73@i*|OEZC=706Y?V<NTTiF%FZDZiO4@U{O_s=2A|CPK0Ma)s#u~dynmM;
z8>jo{_cI4r49c=yp&}<;1D<%F`*UJR1qJLA>VQtLl;xPxNbdpF6We}yB;*npM=7P?
z+Whvc_rpB~>KiUp<GCD60C{Q<@my(t(T+l%Q0<AigNu4L+BKRaQGoMAi}<*j+-LvH
z8#yLCVBmgOYQTR!$KS;;B!)ttXaVmYg+>8(&W6hD@Hf)P`H$MBhqKz{h6VOKdHk4c
zWRwp%XO33d0EC*fSP~D}JTRe80N!CJng#d+f1^g1Nf+)@C8k-SkEy}MT#i=GEV{zm
z-^(lRhscuDipT@2+)^!*!S`)T$ph<`F>|27CvgTzJ|WaS$5x9xAw?;M{-41BgxZ;&
z{VL-QAv6uOH+8<I-XFLOP=SK)2rh&C1#Xsm7}@;G>RgoH53bvbCgL0}6G7Xc6cJUn
z8Z^wmrZj9BJcQ*RxH^<LfjV7@shTq0A(i|Qap7k@Qf^cr@PaP&t<i|X(F^T%PQh;k
z9T##RUk$i#)2R~1)65kDcN?m8S+}bgB|f#ku{wY+VwcQ`J!S!nqR6|ejyS!(;iB3#
z+P3G+4z&?`$YjSpCx#w^+N4A8ufj_3E555hbYlY=32bI?@zgQ;adR)vR7~*k1kS9z
z?vcLcE1REKt&uHRcx`a`tsVS+_Pd#jyUc@se6zkM-u(Ly(1`&ePBp42D0E-Urdwh6
z`*-_&w$*$;&UPW?FqWKPlP(LS00Tur#F1e16%io-2t!ky<CRB|>*XKB85m_KWbBb~
zUE_2&%fB#7uIgQjj8sK`PNTY02pA-Ffl+mjx4TM4rBj~&o~71!4?L{$+QlWh-Jgje
z;p7B+Us<;37GL@R->P|>jpZOG8g2f}AnpS{($0=>{)hBQ2-xjB_?W&sek5F*`+tMD
zxpLHG`ORzB46ap$2Sh<Wqu?Y{X|cWE{NSy?H|tIJW=*(xHI14rIX%zJLBT6&zT1{m
zr!W6YQ_cU{wbIn5cHv(Vsp-d~LH^?R?X%CwD}kIT%DV9V(V+j1v)X~&*-L$X1#o<`
zyPzx@ApWYUe(V=y0>LO9_DOevVWKBt<`hgXEk3Et9JPl<MC65B%tO&=T%^wjPV=a!
zq1}SD4+gzI&Tl_mP27C?@&>(aev!*3wtTioh&~=tFkaEc{rg1D?8G9D!ymf16>1IM
z{duk{u`f9=`*ZGm{($I2=iMcoPP-#8LWD%zPVH3nNNb6&xVxlq%<OWiMs+pJ9|S9b
ze@uYFmQ!%p?Wze6`dBp>0l?SH2C4)L!yKRv%OZELT};O%ts{X}_#9}UZql6rOuLns
zsN*!UUY&Gy#coohbK~IT<VSr4v4VF>*T@xmozozZNWGgkq}zmAG0=r5q3A;Ndk}Gf
z077~w<aM`yc}`AF8a(`hA{HU4bH~J>_j)y|-C<ZZ{&GHG1ITaIj(q?Ba6aAm2;wq&
zzoXYJzDRkUz_&pfsw8@?8H-9zgAnvE`fIzq5};)yHm8+H$WX;LwSR$hn(Zs)$#aEo
zjko#skW@WTD7XMfLWEqkl!mE9FWV3DYoSn}{1PBTptuH(WF9Q#(ak@)_s=&)C&=y}
z1Hzy*M(_il3wt-DvElwb@R*b(M+^>y-V<9FdaCOty64T|++kJz$DaR7*{{L;x3aI5
zy|$~Kbjn~=H4*vp(D;H`L*V7{+@)DgUcqY;qbu%YSThSkng0w4VR|cpp1d~n=+^;D
zP<e&zSa<eJF4h~j@@&6yx<gHd{0<37`9qop-L7V20)wZPi9^wS6FzPL-eJ;oQ|NtL
zz9Soh;Pd_4rp`eU0gKck9MW%)Fb^Rvxcad(>1Ry@FE2OmPK-Tf-#E*2z3E?K2$NZy
z`w$6Zv$5Jr0sjc}i#$Xi-<LMOz-~^IZzQFLfNC*_+8!&bUHT4%JFUqY(=CMx!s{yF
zE&<+8&%Q&>;Z6MaA|UqI(fAq#^2n$3v`bB!lhcHaA1uV_%KDe~L5o076}q^kio<|I
zATq(OUEODKSd)o)+Kz|KrNl1IHtqjV78$oF+b|d+hr<vVQIAXz`kl!g(`jE_o<ZgK
zz4b^Ocn!lfBdK3I-mf5Wo`Qk`r!Mcg*$i50(*1<p(%PDqV399vP{{V?-7j7u<?l4P
zdKK@TyVx~7n#=jo`~sWnZgJrcb8cQp8tc@Ye`Wo_^2gpfznc8dtiE|{eaUQ}4(r3+
zN>XEQe_T|zBHJ=lQnb94K`H?NBIZ!l(`1MC{1|vj3Rf5`ofKunV|Ju?CqN^lZFBs3
ztyfhSwB80UFCY6417kn>#0+^SXZj?U3=|pZ0UP01yLb-td;AJ{3ooi6^ou!pf7~Tp
zX|@4V0Fyv+z(we9+^^@DWL`M5p;s?23M+q#f3?|zGRbHvMF6&G*C<dQqI%FDrAvp(
ze|;$bRCgI_x&H=ROl7pEl>#dfdYn`Qfi)BmyOjOVQlXq+F=OJ5?H^lB^XjDaI?%T?
zovDNX&mR~DJ+J^37uFY@?3)3x41GnA0*}!kp#1*B^Yr}>%Fy9C4$S)Cbm%vu55a(7
z-15Hd&wCFoM4xPH5$#lK!ohG18?D}9{|o9S1{YhRd@PmncLZMc+x$kV_+sVnSzC<;
zx;oE(`drXG=g&)#s>~YxJtHY@gDh#reh)qrM;{DS?%KaF(pa-w@}r3W)S<T<*(Y%F
zfZEZ(T_LR^-ZvrPZIFtC11Fg!Ai%?r?%~F0r+*3jp9Q0;7)>aX03YmJKmbKeaL66y
zCdw4U$SqQ(jsXo~Fd!F(y5)R9L4oE?G?{Qq5Uk4}*tOk#c<*U9LB-<*h^5ieT7({@
zQ8AL;<d*Ka{nMuBaOW8eLCZ~%qxK#KyG1~KJcg=rndp5iw?&H$*gx&wHz0Tf8~mmG
zgd)?AM(@OQT2fM?5vq#V2+H#Y*C=>$H1xl!XW3F(Gt-^-G+6<ACSIqfXO1oHslpcr
zOmtZvYyy1hn2{T8w$u#?c_gP!fO8{50Ztm-!lQ7u!rH%d2FnRB^@JqDE5WoZuA-V`
zu2vRbQore);^7Z}PJvfwW~n_z9U%buo&x+FXt|$m87%fgScdM|B6!rQ5NJr@!4wM$
z>_kbXtVUW{D1t%=NCpiafGpUg^u-uHcfiWha`ph=cjYdlZ(WbhkM&$LyNt*QSXa8p
z=NuHI3cL&5B=);_g9`;z(22uL<t8|7#O!O1jpGj_|1|yw`=#S`SraC{!+4I}ixk}l
zj^r-k>t?K~rw<Gyp0)QFd-FLF__{Qf6P~ocjb!T(24nm5(iYXdX6z&F4e`YXHk=5X
zNXpe1=63&H!Ai$795}+kFJ{sP!artbM|oNrNB%JV4!?Zw{Ig@;&z9braLLIP)x4E&
zmyu}5ohziDk>958$a8yY#y6k2cDIFmn-An=xO~^qRXQH@V4?ABL#v(MN{g>_tiCe2
z?y}MhCSS$Dmh`OZ7bP2d+hg9vOup;ANlsJuU#&+d?hf|HY(#kCp~TuYW&ps1g@QRc
zk1O7Z!I?~O=&oT%GO}+Sf+)2c*G+PTQEO`}<m->1C7FLqb2d&>%qG-5;4Y)3Q95=^
zoWj1LGDCA<4#hOG%BxTtFf`9$Ab*Oo=TLm`RD!u+E9CKoPmnYf2b}hX8=YFMzO3rI
z<Y$qbV%^%O1qUh~n4AhdVExiI#7Wrq<JAN=pyE{uZy)y#!-*LPn~X)dH<M)FpT!qv
z!ofm$UlDB@QL+i(N_8^tJAMNAMS^%ZUl9w#1o;zXv;d_#UK08U4+SDv#j%Ywsz*;J
zkx4*ryKHnuqlBJ1gaMGPSl(2{#QKOnI<~C>?w=9CV+Y9^rreeR54+)fk2@D9U^b%J
z3*?PUyI%G4=M~UXh$F<vf508oRbC{NzZElUpi+T7=HKnm92~EBVw2-jR^P{hU<%Yh
z(?m=k3|e%kLje5%s&Xs=#bNJ{MQk8_bv--4^wF|$v?=A#bdZM$xAL}EP2)P)7XVcH
z=Hy5L8$f6%vMMg2z;$7IWffw6hgXG|B6w%OW|9>&>I8}c-qcP6CE)A4Lk=@JlHmS9
zxyRP(AJ`0zb+qC=)#*V{h5!?xYmLBH&I%Ki8#Pdq|3F?gj(0L#XROrN`?YhX&g~W+
zhb+I?mfgoi4sH!S6m~;e$i|x`*cm4$D}z#*rFLjy(HsQ3wA2w2hj>Y=B52xheTZ9v
zGYIKKBwJiR_3%t}R`LC1#B?A&n=q^OHc%-p0H;VI9?Xt2$Se6bBt~dWD=pvfoyFEU
zFu=y>{BfEny3-1)mPp)f-`vn}c8OlN=|X*g)90a1KZJ@PA{4SY`=g|1t?B$QwR44$
z4dVGt+Zl|~2lG0tX07q}x^|!?rh$_yL-n<CQP0*I87zYU)cUBlHhAZ@Yk(8{)c8}6
zOQhLwS-riGaN>4a!Ad08K{iYob2!1EfgrMkqQ?*{gJUhdxC6V!2x5nM<lvgGI;M6f
zO<eA#<y#mX^hjEvMmj~e;q^3;qX~%8s%D3g7Y8+Dp_0mecsHWHTzb;1UDlvhg2e?4
zZ0JO_#YWuJW*4*K(@f9i2n1G{U#Pn8>adA>+{BmIP($Q8Zb4&xXI0*Yky|ODIgqTA
zXsDKB15TPJ=zu9T5)YXa)0>GKaMQp@#-eK)Ob`=#aLLfsjlIR`b1$mR!269$7uB1;
z4o{4Z4uXc}BXJMF+N0*?$iA}&3=OewvW4SuE%Y4FhbZ+(6g&6Mht9Ryefv2TKKzzt
zm-M<jJIn75Ai)mMuZqCZ{LevBL#M)atUW#PQxK2jVU!nOSEVB!0oq;BcjcJB7M$G{
z9sUG#(Uarz@!C)x1K8lGtLD%+VO~e@X$4$j5KS50x157I`8vyN8}UgaF*Z$-TCH6~
zus~5s%GSR;>^x4eahl1hpFVu3{C)7uofOo7T1nfaQqY1gf9`kN;7evqP%4NcbV~ev
zK`vQuT0?2Ao3n#l@$Y5A_r%}5VePP<)vZ6`t$bedWM_V{H(25dbh8wejT#7H4OfTz
zFgx}v%-2<vY(NfpR9$|)<5kF|sw1wnSR>Dh;(m!Pa(ufyWnM5I2|f_Dfcmt@&wmDp
z4jRDfm)^3xyn%<8Qu&+2E*J_gpBNpiv*gt4fer|ylw`L!p;Uki1UB0LKKUT>ckKH9
zVMG(t5dziBE|1Zq)DKN}`q&VNhZXErkzZjnJ-V{&_YfN@uTOPRHRQf3kU+p7t9L`$
zKg9qTKy^(`S6`oCj)Ji8p4%rrj#wq7{o0-6h@jGQb2uAE@fa)*BI_R$1HTf+q)G)*
z?`no2nh-U9tq|UwNN2R0$)09?c_(v=Ue21N71M#fEPAU`!(XoAUwl!(MoIdTCPink
zKsd<7t<-qZ;AYu#@nbf7rFP3K51GdqU%iPn-92Q{NBy#&+xwiY(OX4Mp26IPX)2r6
zj)3_jI~@*d0%1TtNVqOpwh{qLwH@`g-P9!^ON4}M0PJ8CKO7?eY<Hiov`fUv_x*JO
zSQcAo#RI_xkRTH4pmHBHK6%`HAlq>C#Kz&#iED3<rF4o}&drIkTFxzX&ULnJ7!$MZ
zDPOEX_o?2Z3YHsERe+q#(J!7LN#*+8C06-b`616XuE@(>iFX0?U5jA{QmRP?ZEAY6
zdYc*s7x)SffBPwro_WfoMM5vBe^wYeIvhTU;yrC(kf8mg(F3L!oK!IKzqDK^6B+pj
z_cI6R+B{C_*=S$Uu<yzDh9zUi+O#kcg45z96EphXtOc$>E6g>=ukW?AOsX8s&B+OW
zu8Y#gI&%gSg_U5$s#iMxLQVct;7NtR3GK#fOuSO|-am_VWK?gL_L}G+xTF&j7@U?!
zs7FOPG_j|C&rIDpGj=?;j~<e=(@jk;j@~7m&-z+gcsUzhY!ncOA3EKNUM5UZ9<o0l
z2p49RbzaQwZI1r)ZQ;|%lB^qhEc{sdc|*>LA<i0<n2hPQ<gtI(+98ve*6-2wBRGyh
zV>h;~)NXu!!o@`$eLOX}*fEL>C0Uz~ZhcjH`}SSh)3^<pu^<8^H~0}N2sjLuAb31I
zgJNo?!u22V`OF+JJ8BWBw}8Xp%fh+#N2fle9o<J&Oo`VUq;)MVav{40Ew#s`hZih}
z6pbYzl8z{CYRSf_ZEbr%CV@flg$1N0DRI}}-QBFJI#oaxukTB~Z<n4Z`SecyK9>=;
z1l+g=7Tl2?yLR~^6#)9F%Bx3R+_*{`)I5@y(#od)9JF?W16K2^?}7;1ukdI<`gGat
z+e5qPx)(3>3Rl4qv~c!JTyE)74XH2|x%7^mUfAx9if1XwX|Hpzd`DQoO;<h2af36W
z0ud)r3>;eZv=;pY%B_!3g%48nqB?|J_DbyBvD+LX?;}Tg3(S{?Z<xhD@7+ySRmbK0
z+w&_Y^Y6D<O)n4n(O2sJU48Lq=L6T<qMx+d3UhKv-;-?C?)x#*_UZ$>+!l<lq&bCL
z0rfem2M7Ao+q<uk{R{0a7SPYbYwe5HgJm9vH<IPZ_JKO}3Wxqd*|ghV_2dA*Bs=5h
zc+S*YX|zQS)+Y3mQCi_}YT^H&@GY<|q5ceH1R1li*KT0S^Twe)>2l1@dhFcs{;cyf
z$M>9pyannX%YC0nZh$ZhI4O`BI}<16r}?FlZ|}8!k$?LPoVI1P|6<30r`<GYAs`lS
zq(!9JKO?MAoyiMyJyB7Dt^teG`_pjaw#UNAd<+=<?3unAUVAznC-yBFN%8dA@M19m
z)SCp%al459WnyM|#{Q=1$ir78iAE#4zA0LImAVI{^gOU^FTyuC5(%u-_l30uCe~dM
zCI`(l!jcsRv7-sCAB6eOgFDu;bHqz}zd+|iyIgqnJ!Y7n%hi4I<Ox(ip6N3RM@{v3
z<HR%+S97e2J%8(xJjbUbzn9C6lZqFbH_ci#G`{%ral=iW9h}Qqu3l_4l$Nv+e`dP9
z$7kW~y6dqZ3d!nBsX`cYEwFV4+JAb{iMYV5POuk3S8;0sAjCyu2b7HhL}&Y}P%JGb
z{5?l@n6|n=5~PfypK%EFV?<%`v=sVt*ePl84kGNv(9B<sh^X502)l~>0RvXR@<9v)
zzQ0wzE8hO&f=NxxtjoEb@xIlYGqa>{i}$0&AYrQF)K8sbo48S#`4kmz?%Yy#W<&^b
z?ZkRn&4dtLF@q@C2DsGGZa}9$V}=g{%<v;x@(3sePLUf23ZOc~DyXcSSSxF5*c}Cm
zbIeM(t@=~G{LoqfgAA1bW6^>qCbBMPxXK!my3))#cZvlfscGr_#({x>AjE_~%;Q-O
zPajrn&%$~}SU0=y#8JEs0!K2$p<n7!wVwMhFmNtOSxGf~B+f%4N^Gy1*6Je=BhcC$
zOf7VoX~084h7fvhV)Grrx*{0)X)h(rA&2el+0fO&hm2@6Mg-Fd*=TmqUKA>b#Bj_%
zl#M(zJlv$eKt(zN>{(1q3~W=AEbo&V)jVTQ9y1SInLMR+p|)k&rU=tZI(<Eo1G!S>
z7K5jCemZ3RQ4BK_j$HXPskA+yV^;_p=gh*DjrP@5U{8ou!_sx79`Ah!lz>rVF3Ra~
zXneuCQX&%M2uHr1<mBR_hm=xY{~&`1my#qi<b#W~YI)M!yqwOVx&8>(39p{iiN#_a
zAX@j(91>Y}FDFM8JE~E3eX6zIAzpyiXGA^RUG?~}K&)@Z&L_DO3yqhv-U)hXarkYP
z(aCZKgJ>1hD`M%8B<G8x7c&U@oT^}+V?EW&Af_?6?HI4dm1>Gn%o>^H^yos#7X*b8
zv?55{*t5O{<kT$W9i`^P?rgAG7P3<FKezrGg@fR`;X|J|BBFJzU}VeQ8&C1fb-}a<
z5Qras13KPuOwqdlP_|{_nI@*sVJFmOP-hl^_GFUxtP9z$wQVgxY7pEMw@Fe$;N5um
zpT)#+sp{Nxb@^v4CiLN57=LlPAg1y^0$l(f7-K8pa(0mAB0V#zZ&d4PC|)v}Cl)3M
zqO-##gA;93-}tJ~2dl)88Z)CqH9d>hZe7x;e`%rb-14R?euwwTUvE@hZ9UOnCr(Xf
z2$SEy?i;h-UCCY>vgu6F$;+$MgS}pcjTiCxt-2Brt{7+9(yL*YU@>Z~RDl&mR2*IP
zq&f4JY4hY=bZsd5Q&=`InKl39yo31@o}K{m&mof#58Dlg%a8WiPgez*XD_z@vtP+|
zt6H#)Tj;&iH97IJ^*$33dT~D<ar$Xka;C_8GV!V9D7X#H1Yv4n&ByyU3btPk$>!_h
z7V$ZnMz8nSmf&_{tBq#d54PESH>yC20<4l=#!K0wJJ#6s=?K`#>q#-SFMGi$oiaE!
z>)gT@=IBTy`gHz{vmLQ*e(SpwalZeqpOjwFvv^6#B~`#x|7ZdJNo1YPrzSf0zYEj-
zAO9gzjXzA<b=}{nSo$f!O`zew?XNtc_3HodA4*)5{hq`qU$MTkmcEzsEl;HTnq>E~
zET{~Wn-*QR<DSH=g*Un4DjaO(b4&L>Vtt!)5C5_!;mKw(bX!Y>m+uyt2Cpi!izj;V
z?)u;|B{Lqkiy?`^P1^dv?vN5nnFh#ZG!?OuRc}qBQSb*u)qH4i@N84W60r%NM&J}Q
z$C*o10*)e5zyXLs^h`l({~kN-9_Jyr3t`8GZ02fPa;B_y$ven|`CvFEwfLW@Q8St?
zFi}tvI>KE3x^BimgxFt|Kxhv9z-oO{kp>G=p==Uz-@A5k(}AZGxl=%DN$DwBgC`ku
zK@f!MwCS9C{`mu;FRW=FE!<yWtpRnt7I5_7_`o}K-KcI+^_MMf1w62xL5ZlB_O<Hi
zQ{rbR*8sBtNSE)}Z9&otFsrrl$bc3hx(KNS&!#R>JB5YD*A+eF0kd$rOh4o5|9qZ$
zc$jEuA%#4I>jMw<-YT06q#2#kx$<qhN8O9GRjevEDp8QSIy+w_^>);amMQ(R4;$jT
zXUNfI=N)C5(LZ(5sN>FIceyq0UDm$dC7VxIq+c$&xp(9IOM9|a7Hk|@wE*LD;N0=S
zR3Y%47u1Bfx3NFAeJR&*)$qck*sM1ar6PCta_U0{wG?To6whaHaOy^agB6uwAX$`m
zOhzPvpuw;Jb)>!r(~&<#lAuGR7&FsS_lvXwW!tvZSh(Pv(^Mo8abb71tTUTJ$k|6v
zbG@7mwhN}Y?*mAA8ciU|7%6ZX3-_8hCY>q79xY|iQ)F9&nwH8i@ikD$ffu1@viKq2
zm@4xwWXVMoYRX{ik!^?Tmp6RF1<))fs0Y2m{A5&+o_>klaT1;5b{J<F3=Es3(S%^p
z8*L<_z4j-ULPac-P=%jyM}>IUtOSS0FS{Dx)&Zrz)A$f<4~$p>6ovsAH1aMO@QJBF
z!-}u%NBsff<ROTAjKQ5I6WmuuQ|TJ)lq7>D{s@xvLi>@bH5yj@`jzK1pkm*f49t{y
z7p9aP4LNYiIeo%|S4{_G0V~)<(zwv+^>KaWrH$$%ZJB(^%-J*FoDDx;A_r^DL7n-E
zCuGh=hlu`s;NY-d^l@sgw!+4x6<dD`?qhW+XPhlLQx>P-Abap|XFN7bk&_)ge@tvF
zz^tCk(foHGZJXnn7>~CK`}aOMLU-9c=4W(~Jf}UdBbZGpa5dQ(G#&zBMg~#{IMOc6
zQ@Au_hx$3v!Tl5xV8Z!eDA|hA8|}8BF<s3#P^_W!X~vZ;n_?zcRDN0hs9>b?Q>K2b
z?s$x-$-{H_Zzo=#U5+{iD1o9FAkhj?umpjnf0-V%*2vGJwTy>yS}ElW6%`AbM_Im}
zh3UuY4-B6HO1$OR+MaccOEJ#u2oG1=uh`gFt8ct6gY7(cf;M4Q5X#&mVanKe8Mn=B
zjSXq>-n@O=jTT&JRal!~&Y;7ugQMqGYE^*uiRcd|yC{Weq0|v@V(kX-P#k%nfYdB-
zJqS|?4hgY$H%Rx|j)$EY052tX;?z1)>Z&%3#*!P(FHFVgIgd(M+0S+BU{#U!(G++L
zN)ThV4**lt%jClJB+q)|)5{N~)o4^JY~kp;fBo9FKD!Gak64Wznsoj+Ty_1y23FV7
z9RIL=-J>DIrNG99&?vN^U8v@i$_DJY?epM!W9fva<G=G}tLATgn*6x(%r(Bfx40$D
z)k35{Pfd<?Bf}*Cat?gG^LYHLi#^f!lk)&n3(PZBX?p2cUzw@f+B5~<AH>)vLwaz~
z5ZVnM6|1lUu<eu=mfU~iW=Nro6CimNei6Ml3{uAdMJ4K5XBBRvH}-!(RKzIX5a;d-
zz_0pbJNA#SUA!}B|M}ER;MTRdvmWT3U}f+I%-lZo$M&0@pn60d^oqLyb!ysiS+(sL
zIpL<TO7YK_#m_;p=-cQkgYag;j4>l3iY86Ft@Gg>q8vQJl7Ws()pU1vQ<(tyIKx}p
z#UVJq15NeS$jF40&t738AOyRCM@d@g>*~^0BXB@>TP7PdTI<diM-wXp02Jp*Q{gvs
zlU?22YnF&#wrfgTMsy%vSLPF?et|p63VsHAG-x(1060fsv6SkCN0#zvNewW32F@}3
zAd2)bbmT&1gBZ*@2L~6x)<Ntgu94lwgUit3<1xT>mIibB3WEIFn9Y>neEEPFvKNsf
z3EATcXaLqZ-@LnjI=z2Xd14S_Zx<q`{Baw}wv6(n@!nO%P6r$l%;^{{x?sq7VG{d<
zk7@3hd2s0SObJh)q7c!2`w9XsEoY0$Qh#&v_rureOYrsr7bnvqjsa!hPPoO{m}_I?
zUD956loi^jy;AB=UnBOTDeT(F+h6Hf3<i4FD?9z#A&Ww;tlz(6-e;iC6fpx@h!IgY
z2lny;=rOB+l+r0o&;r`HtQ-e7q__XTP9X*NvC9V{F+5?8v;fhnWOZX0IaA_TMnWnp
z9Kkdy(TZoBryt-pQpQ<3Ts($$k||ze>1znd@H!){!yndh<hjh#ZNF6v*)GMFK>d_!
zr#Iag|LH{f$N4YIN_8#VQm=<bEm+ZMy;CTs*4I8jo#&J6arS}jt#v#3!$>QP(@gi@
zCk>^JNc=Z#ZPgCWI2=H~iPvpHB6lLZu;k#xB3X*c2Fy~X{PZvsb!dUXQO48`^{2*H
zHzIV)6Yd&fL{?RN9~x2tj*oYwLbwQN>(I`3_4gZPji!d&k6Yk2ilG>U(uW$cGEDOa
zG6t-V9HEnl645JN=z+(I;oV&WxE{c_@E-x}c!i*WESeDfA?{4t#_Yn0r6a18Mg-*<
z*2S^n;h<%=gdPD8XVBhU^3Fg4sCu~H!4amE3w4T<^GKlpLmOU$s1{D6d?9pRf5~&4
zwj@HsDH=)}nvg?aIl};Vk7OVk!5lu2Do_rRVab`iJ)6^hm3@R6)r|P7yT*l!#Y~IA
zXdO%ZwuP@6c!?71K7cp0jE&#DYtmvXd&zRTW8VS~`OoIweyeu*n-_L-{>*Q#N@{nS
z(R$uV?oTPiFdc@)rzILj)vP|XlL!Y*K@L5M(v#hDnwnf={7^$@MA%-fuQ&=o=sP;Y
z!&q!g0RW70@Nxj;iB&@;5h59AgDJSIfSqNTH-|Q6IjB=Ng7+6oo-Y+{ISYdTWpBW~
zx#u3mHIe_C!HYhVtV_t8q3p8wp?zPxrYFs?Z509<hEmAOsGl$GcJ91bYoZSVg18P0
zU8vXk6C8Gd&ROB&Viqga7B4Ct6z7UN;5mcQ8B`-a&^6<oK<SIS_7yU!x_3rCr`W#_
zmdT83Q@n%6UzI<sysAn)mEiBd>Iiup9Z19oLXMl?3v0i+-fn=?0%BrMQT$1|N!WW&
zbp%W)V>q7m+6OVDlam<<CR!m^^{up((_6CBCUQOcW-Ss5Mb<^j^&&mt=IQ!QsCQrC
zNTgN`Z4;A_SZBJmt8_j}WbqadO+@Zl*K&XmE^T(n$;n}gf5LkdfUbGAq4mo1Yo_H~
z@dU|4=Ale9Zx6a~MzH^{&jv~VAWCozPyhO|lHy-U(qDi7u;1P~Y{y>hImX8zb`+0`
z3@k9Pm%Zt{AF&Rg+r)@Hb<!v~R*?p}x@0L-#sGl*?)U6lL?LkS*}34?&!1|bouNKj
zr*l(iO3V!vu9`bsP$!une2~fxVRAOl-fn>P6M6tVc;#mYOIi|E^T;bU?do$me@e1E
z>v`7k&EXv>E-F24s%Q3PR%5US<Q($n&kOZ#Ulz^oP1I6ROgNqyOYOiCAYt%LLU&OC
z^$%db+R)b!q;>W7-f47BXwr$>%sn6HEwuo2&f?9TDdb1}xg^hhv@qh+k?n$KU^cyO
zRlj=ms!)R?6GxhYSOJ4TR}9#Pu0GgLikd~YsMq_)CeZ9=rvHwiPj517-_2ZZIQHf@
zbFKRWMoT*DyqK26#C<hv9E~HJO@OWedD`WbU!A|mt!Ec9%;#>K`nd#<W4VHA9hQz`
zD;`M_(QPVO9r}W^;0;_fDDroPs_c=LhPGQTOI9%JlJ<z><UfQ7?LNU{)?!!ye?Gc%
zD{cQe_{PEaE^_zmp5D=vKlt%|7?#$eM1YeJ8hIZ+zf)I+!NLGJ_!y=z%Sd=>_8eV_
z5y@I~A@utcUPwVIXpD4hS(YW3(xt_-i*86P#~ss}P{f)nu{C;mX8exK_3_F&hjUtM
z6`^7O04)KMTrJzO(7=Jc!I~F)ZZ;>UK~806y$Q1+-I5}Kt?SV+v$yY8X;kMA<K4QI
z2WX8yP&~B4?Gs$=>wM*uk1>CJ(y<?Cr~<_DPlj-QRkS_qF$ovgy~d9vMe=3E6RpVW
z?+ZL%zir9tP-qz%?~SYR*a{y$CQI^5AQ^==CXo*sVNhfE*HJ|m1L0kK_FE)Y_9fB{
z0l}++eZ@Hr-q(+_LH{|?CtG8FK0R>5Ty))3QGcjhP?ZX#FW^Jw<MqL5T!nNLquMzZ
zc14VHTi=%dF5!1x<LNcddNXo*kj?J7%+pi7E+UeL80!@8z{4Twy7g+SMyo7;ma%So
zp)q#Sk*W{IWC=(Anx4w{?@OLckgf#QF65l)mA<`t`7&)ci(vh#rMo?KB7Z7vg&Kr$
z$fAp_ygGnZ#{%aC?6!+QpkOSbwY%&6QnDNKaCfuKtL9SrCzQnh6M=#>&3MT-nl27k
z$ODVhk>QQ>;FdGD`Z_y#!&B)bnLTp`1@|G>#pbo^eIv=f>l^ET2=wpPGGl3)SXV#1
zZ)9FX@?YE%Y0Bt!D5?ewc}~aTi|6_V_2L#Av|AXb{Ve;KD*wX7c@=iE^DmuyeDs?M
zb#QW??fTblmKM4-JWu%H6^h=70**jwuD@^^PZ^+4PNc}&{2X->1zfMm3LO9grRQGl
zRcCE|eW!X;(5h4sae}UaJO&!yjZnUvpPnq6PS2BC3VVjD8>R*Xr&l?2Kq9~rq99iC
z043#$+bQ{t8`)^PBhtChowN8TG4}7T<8;}Kz$%C^xZY*k2*nu%`x^2;39JpNz2DE|
zC(t``@3oeq<4zrc;mv)YKhq*tg3ixS_ljz<r%)SLZ#yPJDxrA8wAR<G$EgJv|1m&8
zOJAM(A|X9i3EgJ2@=-x&t(x?o2INomuTaagMSLiRGa`P_Enr{z{=>Tp9yZduxrSX6
z*&=Gzh0=-1{j*jJHMAkKYtib}Vp1vAO+|cSW@(C%SUSA~_&096jeCeS|JDs~hdmRn
zd-hD}z=5dR_rq-h{WUg$h?XETA6j}uaxc4^kx^lu{T*zucxdmA9A;p&KoQCv4jLLx
zGv&{*eGayj2J!Z@gQ-iGHmF7U^Izw(Q4X!SGI?g7)~r(|9!u0l2HtJz{sJS4LtE|~
zSR5V$9-ye~lLO5mQFhJnF5)k{F6+oib2b!Els+!<=Z(Sb?1J>WdpB*``rfEdnAtYB
z!0yH=<Ry`Jlww97K9rnBlK8?cr@k=oo@r|@Mk=eOq2X-UouRp*s33R6IJbSqrmZR5
zGgJD#^w{xu!>$H__dKKk8?BMiU4|iqLOjsxMp>b}eQNCoCd5jxs>IlH$Po~2-TvWb
zUi6{OoNV&$dKPZG=W{4Muj_+M>@QX6xiN>Bu``7Xij{|onA&*&I~m87jbJ83XbPuo
zEf~(!mIaIA>W<X+T-7t+iGKKX6iblkqqu%EPOQD5sb?~|uYD`rQIgX;?-=6X&ZrD3
z6Du8?K?oHzoF7X~<N8zv-xV?=jw`A{WoNfmBdn&cEASC5n@uqAq3cUK*_t<EC9RA@
z333Zs2nJWFPv3sM_k)ClBX{Ze@#B(jWlt^V;Jc9mSqv7=2_R6r>4TWj>Rz_j9$%L{
zxa%G~7JMVrx3p95(Bn(Jok43~_1^z}`$)I(ASH-yLZl=SrPvRkij@ukhW{F!;VUJ4
zC~z*|42pvWXHxrSgA-dwt@QWf^#*RdYPP%Dz+8|#1C}8k{J!hh3558)89qwhsOepx
z649)c!v}Q>nHrS63t<w~7K8}%E}VT2f*%BX`S;CxzOhIYlxFShr|{TYYz=)pJ(GpS
zoHitZOT!R^o{&5(Xr*UF=*T0GWihQY#Gg{$b&MWkUQyA^s${AC_uQpiZcBHUU$OTQ
zz?mzHGk4pDzAr3k4$SLl%7o&HeE76jfn(D#UclBOItGZ<f?a7PWSvz=pW|CN8{Pwd
zoF{A$*&#-4X3kN}Cgc|c$!L`0O#knqTEh32o+Br&rdsF}Oo27yg~QuebOp|BJCPzG
zt6#D8l^t7~#QKvC%m8XJm$iQio(9?nKu$-B)`6IT6g-$;KOpM+f#;MwDE4J6j8zJ!
z%im>Zq@<Liv%BXt?THJa&6|EvpuZb4JjGDLtGpc!N!sLsSrBzw)-|H(33?eY{)CLJ
z-xo6*QQ3IL&PTNY9i2zpTam>DD?XY3A;72DLHt4X-};x-TT+%W?v+d{@9n*OBmRtW
zcZs2K^LcGoE-sMgI`klj$@uN(P7VE)Du2WlxZO4fH#auPW^c%uHZ8Yv?PA(33>~yJ
zf$j<yLBK(i;R9?GnF_V+65ti^&Z-_fIGGXke8vq9Y1HOrvX`_=vdicW$U1N!NZ7lY
zDVDrZ0QNbs+XMvZ82A^o=sr;XN+u56xPG0olpqqI@B?1B&maIn&)jn0lp_>c@NCb%
zr70j~v(ICEVuB2kc!OYM6zAsVCOQV#4|BwtQ@GVUK>sT7u*}1G4?Y}*vIF0w`b4T`
z*1UdY?R;EeaQb`rS62~vdT6LnSJ%2_d^vKE(5i3H5NK*?`9PA(D=vOd!(<xhE#5;W
zFaV@nB*Pi<3Ss5Kyv#1?><^bE523s{A^i2yM(P$Ux?<a-<Yisn;%%2A4L;UQO4(n0
zC^$L3Fd^8fbex4AKbUXHm}8wgiaWxmpitb*Fl-uTxmJU?78$B;7?x$VzFti5e1@^-
z5P}uaN|{5sO|v+jU8|RMBC(KYlkFWsatn}~h^WOboQ-5C#svo1Uk<Gh%xp~8YSbY?
zfY6m0k|rq6FDI+5b;2RL6>sD$w0#bm);a4Zo;5LgkDO8}zsU`Rv1@E<F?X36f6l(M
z79!m2xhhWfBS-WQD|oE%9cRO_M9FwmMgi9?qSx4v#r8>SynwI#<&{R6FJ~-D$6akD
zz2q!ksjBQ4p1^$+#~BIW8?e}4(ql+p9?+fU=7x*l%uo%vrV?@|WTGVlHgk2Jo7=Fy
zIa!TY`Lqht%WXncA$Lz)4O;uTZ6E6+lX>6$qvzDJH<nG~N<2Zc>r)+Vl4i{gU$5kW
zGq@Lz@DMecK21(q6vfiKK89s~){fb>ia>8GG1Fl!$?JD|e|N{Z*=HLH0~1KVF~3*V
zT6xPFk&oYnblZ|kvL{48vgaN!lzt$yoc-u;<@Y^S_Kiox-Ed~Fx1j)(<agG^W*xjQ
zZrc7!4f#Lq#ye1^SND1meL0&O5GXI-R(@-J_zGztn|9Gg5xy)V-wATzEc<VCO-R-O
zKbHS+L$hBSi#V-P{0}2^PI}J&o)Y@s|C@al%U^c?;LJIlU=7-q;c;{XUM+#3wz;X7
z+8!76nM}Xy7@0C)l@Ac%^6*q!S%0ej-TxCdNv2=v!hb&a1)*OZpSmp!wjRs#*7liM
z<TR8$eM(SrXrrd#`hZYB(I+lVRXbLgd_HDq=QRzDbr&d1J3)J-+Mo<wHmbH0buxLS
z#2@BerS0{|_RIY_bbIVnr@%#_1OgF`&&YUhIk<V)kk9n{<7%gJ^NPBiTn!T(jgwpN
ztQLIy{Cv;#Hzo@jE-n4gVct5rEy6TFr_XA(Vxs@n?me$FcnaDF*VW;5Zq$!_=)2%W
zDz14)tU#rZnMK}JJxxt-z#oSId{K98RP7LWUyoGO(3EvzXh00R2vUoEXla1)G{9`q
z@<IuFBd=XeAK)5FpD(HUupa>fBkUUIGBb~cxS+iW#7Ik{+b+jM2d*%30r?PAi!jU6
zBmK+ZJfo$NBuWIeK7#?io{yI|USlOyiqgq%TW*h@#iFLUW?Rnwx?9--sadRxZqM~y
z>(;J41RnVxvI={1aDEWZ0Tom28St~T#6CF0s_p<JN6;Ca(-hF1bln@}v0+eF@8vKW
z720@AtK3$FvO?NR$xG1QVm+Hh^8vu#5TblX;#pzGB20d?@&s>8z@<z362Gl>Q{|bu
zj3b|@v9hUOTqrYkCIxm|G;@!7ye!)L71yc?U?`!TkZH(`|2iiffZ{;giea#%yvFdK
ztma3D2J%c)eOb)s9OI1$WlnW!FS6JuGUigRF1Ath<Yr;D4uPs^tE+2<U1qUt@A>dq
zP3q@BO1skB=ocC&4}R4)Shw5O-w<;{#^&D0i8=Kr)Gu%xp0TkzKxT{%Y6%I-pw#|{
zvNC}<2EU2C28epR2!#N}u8=kWwh%*$DeR7cu}ylnN%XFZ50);<I+YOW={iq($nIOe
zz&Z?&=x)!Wr9@JC0D5UM_d_901<A6RVxxdt9=5RXqfqg}ko%5mMn`ePP~;nF2`DI#
zmjB>Gb%I-&h25?couPYb-T~p|Xpeb^A6c54C)AfZp(K5B0>ePN0HEwicPV<<pHeLm
zaRgQ_2)Ac4uquaFM1=idzJs!xTVbuM=|9mvU~R%$|DeME_w>~@q26)I;X!{vUMP)A
z+;foJNfb9l0iuF}v|xhfoKiL_P+h3xLi)t~4|7Fi9F;XR<){w#{=-~>QMh-gVg^RT
zyv94Xdf!J@B6JkN6r9Uu^UY*H<O;PZN!y_V0moZPtjCq==^TcRiR_hRD7!|zqV(68
zoIEbG`+~&Tp|H9Y789%ecl@d6){vLBG_$bz^>oQgMWOR`PHwoDzRJH&K2-^$v~>zH
zKma=v1JG6l3di5f19TZO&C|HT9sOIv)_u^f_4>0!yXISWUCV}SUCGsoPo|=aj9lbB
ze{X`~oE8#)%A6Hf_Y~h%;>b&G2pJ>?0Gli$-%n_$0r26s7jljJVu#VxegOPFi$MbG
zo}M0}m5{GeVV(1X_8T5NNXz8d+g#B_M3o^f#}$`@w!+OV=o%h(Y1WFc5DG<beQj(m
z#!G&ria?U14z4=q9SBUK8hu%ijz&cruavF=f1ZwYN2|lcVegzmO9o@fFUkdQzb1J0
zCT*6Y-WMy+0aA$9;BdKw=pfq3Lq=XY8pta!mZ?8|2|G@g0FS_<QGs-n&-3rHEcwe$
zQ;${NlP2a;K(`Cw9z{EK%I9b;i>uoXr1_t|_6YWBJ*0cJINn=Kqq9rp@g@6pQl83A
z8%5`PSqC28GW4T3WyWi{vFklr(_dH;u50|<loKc<F1dd7L9uI%Me}Uu_JAz3OH!Uj
z_#*<)Nl3SdgX034{b$9VP`@BKiWU^2^B~?0(mo=fL?EOC;(j+<0p|!>Dd+^fkrzh<
z4SYm!O@E+BDSS$#2|Q{fJvn$227`9<0Yry#M2rY1@*y1u1j0G!()*H!05~|$wTC|E
z3EwtXEcI9w+<1SI!H`(H>E&eEr_4xgn$Xc)SD(BOs1Fh`At52l<`Ss1NE_8Co0hxC
zwh%D$7+jxSJ?lV6;l(C8s;7qubQGdx|DmJEWP|T)SwFR8@nSMy;?!mW7lngas0NBc
zC<GyKtd)dh%ee5wEdH<y2lUZGqG!j9pJh6z!)1j%HAl636w3YyNYY$?h}X*8oHXl?
z@KRkK=FxqO@h-*v$xUfR^(o*tzSQm^Et~c`AwU^Hme*VGoKa{S(J1gu>5qHpU}+c3
zkc9dGOQu!yjAigePzV@Q!(>;Y1*UL?(x(EgCONRxZRp&AUWmLTJqqzOufV~shKP7f
zsK-$IC^Q6&A2KW+oc_VTFHVtG+k61>QY(w>C?&*?4-evyfIy$J@9=BPL*y6MbDNfV
zhJbSK2CoVl$MIW#N|ojYlhds>iPs`zCtB?ibp<jdGMN}qda+L*J;U&}7_Gi>D|s-$
zx=uQ!zi5g2j=HRrmQAcUS)am2`W;V#RGsyVawv@H`x3)J=@8)H=uC!G5ibaRPV{f;
zw6Oqz*TtuQ%)r<{*%|m`_96#YfjWv&aMS*zvJuz}u*)%IeDW=wi(Rx7d`~WUsCsZL
zQg9)>KG;3VK$}Og#nkA75|fmY0&ec?57C|~RN0uwqgEfqw1wvh#@~DD+qraVz9pt4
zaG0``SVdk793PY2$Wc)9O`@iDbH<Ml^~*8Z()+=%T|W{%=B`LV)Cf{XZB<(T-V96?
z00<C;x!P|9-fE;p+9S}YU<qv8v!UTj&Y*lCh=7R-feio&aRIRN5ZjwMdYlFxC{_SD
zugfX6vy*1r?tf;T6Ct0R21BARM$lSk8^Fu-74UXJ7O_A6zG_BdA~R;%GbQ^SuTHr?
zE7~40><$qy<(;Bk5ist>c9^?)!9W1k8?J}N4P-VFOfb<sD);{OS$dZG)MXsa{E*x%
zS-(dKYWmCYrUC}X7)LvAfH}T_j*uj*FpLdN9!2;#B6hufe3)o!7=9ttnu1dYlSSbe
zrZxzD|1GSHg@FXU0&$iU^`p76b02(wu*`sl4})V3HlXKM*M#kW3uy)`D=U()I)Q<b
zX#}u6Wt&6p2ERG)x^@172Bsz$1JN;tAR{9wIk|cEx5f3wBuT++UjY>xu8iFaaXUNK
z4cCQAz8yNt^QG7{(7v_bZDvqol9n>F^r09(KqCwW6tGdszJL$OwdCdHg|U1_gy37q
z^)3VkLIcf;q<bxW{Q&IQ6Ypzj((&wx$k+iX8B#g};jfVR>j4GTNZaKoe~3Y=Z>hc0
zT>0D-NDnQd0OLn%#2?{Jtmyu6{lejqmr*y{qf?BU;w#YF0qdZ3Uzo53J$_5?G=FaO
z`+5mC|HawPB6kiuq=zyX?#EY_*38wIJ1v@%x%rNatkL-dzf(15Bke(1Bd;O=g5q#b
zQEUlhxu~YyZLa%T7G#5Z&n}#HXolDbt$X7jiw6?}3p4^WG19_CB$m*MJRFsvz%zzC
ziOs>SK?0{!NbY{O)YmRe*$DZzbsPyZT}V3!QD7<jA9hDe4M90^aY|K2-r=*E>>vxR
z?r-5d=m=ztCoQJ;|M%?tzv9{HyGR@y(mgBi>>T|0{BTp*qJ=x#x!<yjdCg)Io+tOK
zg3N<@TMxbBTgvl5MC=f76w<dNd!7&IIl8*Pi3lhV%n_lrXnS^la=z<G4N>ul+az+r
zLQxWs?0E{KAf>Azp+N)rPd?S<WPZV3D+w3}Bi^<_mw-KrHDA(&J~nBkWm=@|7-8dw
zX9lmRRFsCE+nF;Tz^l}5nuj)s_Fh(3b8h3w%*RYJU$1VsUiU|T!%rlmbR*DFvIgkH
znu1`2Ys`XdPN~PF2R=Te3oeJALg+=jO5;W(6QDf<xqtP*s^!a*wKoq<NNVd%u7lPZ
z-kh22{b$?tW&uWqria16uLKQvc-0CeE5==jtog%IG%hD$C__7@C-p4JXCSS0QGJk?
zy0TwdXyeW!3l?2eTPn@Vxm{o>EJDl(kz$|EYxi(tU56#drd-dnPo3?La;}tCia0)B
zf1Gp8vkcF^(E8q5B$SGbjsOh;nqZE#_HSsbHhMS+rin^MqL%r$^+J;17o*B<H#|Z7
z8U;lWe*;MYgxQZcT`pg%Pqpb6>U-D}r}bfYTr$fEsr-H{?7qPI(aAcm*eSeRb?suo
z;-Dnk_4%uUT*L|_y|TOt+0W1YqmnEheZaaxLiP0d%ga}aD_L!LhO;=OSZXbb92$O*
z+V@%=Q2YI#%WGNxbBDFudQnjp6FUGEkh4T(&k2ZY1~~_c3JYmIhmJsJ{Jg;C%`4$$
zsf}G_C770|Yw}b#>|Z9TAvvV-sy!MVXeYYSzJR<&>+>0_KEst84g1?%hrVf!D1e3e
z|H`v7p_109*S>ch=UYD;&gDVmG}|OEpFfs*JgzL$J4%u3jB(_<7PIe<-#8EK^>V#n
zQPXa)w^=fie_$u)95ZmYz!~g{Mfd)2hARg$a2$!0v5ORTVbfv`=;c%Mq>@s?d;0qW
zK?Kpm3XKQ`G>2EuhU<gUV`8|YQoK+~G1y0i`~0lz!EqVcstEETrFqdS%eY+5`E%A9
zPM_e)xqGJkki~gTL+1fG0~hCqsA3><kc?>=S@iJX2dM5&Pff_cb4s)s{%*rQ$E&t$
zP<14GcByM<m;)`P$SHgPD|t0g<h0`fw6AdZC83fWQJ#5wmjURtkdLZP%eYj{9oHt`
z1Zvn0(FI(<D(THf-Y2HFkX6Cyjvdd7wl@vCLkvd%I1-JbdNb4W$1(0k48WDR0I=z*
z(Cyv!(o1ZQ<xIr>#H^Tj_wJtciP^Gwvx1k}es(ihhIfo2hheZI%gd+ZwYU_;?&FJ7
z7IT9qzBZnr-Lf?NT<%)1ujB^VXf5HU&0AUi)lIz7n(u_=#$u<9XH9-NWpl)Rt6?=;
z>!WzhKefa*CiY1}wlecZ3z3Lb`!8!;OxHNegR&0F2+^5nbgv#jbjNX8i;31$17tYX
z*OSNq_4W`9(Gb;85G~d{&P8~4p;e+$o2d(4Cv$mM{G1lXnKl<`&M>d=LE5`g21EH8
zU<c$mYEJ+2NUY@S(#4DGKd`8CH}t<KH`ZfjwdsN>PBHu@tnwg-qQb{<_(HqE0ze<t
zxuUJ@MxkF;t*nD=(M#DA@O4C;U^)cI{tea*(&8_Su$&`3@aCfKLn((cdA$cU)*A~Y
zs+|pn$KAmSRL34x3&ZeV`$KC3O%V8QGkoG-uU?X3kNb2-v3K0tn?Z^kq<&rIx|d#e
z@)p>q^Jr7|q{-RB=7#58o*H)Y(+P(L2hW634;LXqs3^ZQn18QZJ3atL3iuqtqcW5^
zaZoU#YkHs-S|O=?cVgz_*|w=@xVpZ4`K>?e#9&F9lA>9#yP~*)`~p=T7xCJitg#{w
zcDV69PGeK}IK1vv_q}7~WirC^1eWAv+gQFjbh+eGH8bC?I0-;j!hevx7LSpcVpf4h
zU{;xriJ5?Au*T@0DlsjBA)?Ss5Q^CHLdG6I8Kk<y`j+c2FBjh*0GsEB_LEVL%$0t(
zwSSHPs{#e<1H%K}m%l8~#*INy0dr1xj@{lC37pAgerL+XG}igTn?AjH!<SUWGEZ~!
zp+@K$?m_=W>l6T#QSbpoOyQ?I5l8_<Z~MO%jiWHVBY|!fJ`%>Y1xPiENKHo*3LIx9
z_T~aBQsP}mh#v9uB#}hnlNwl#by@&cj-5PtS7yrwDXAq0zU+#f>hBTI*=`jY`Ve8v
zw9^HLh0M46so|27`)s=gZ%)MY0+=Cafs%%3XASIHhp-0=KI#}n4^Hx_LWV}{kfQsu
zJ<8A}`#{1)n@lJbMPT?g(L=#pa`VX|kGX}Yam<;<z&7lg@7gv_NcXt4V3b6P;$K;<
zqa#B6DE$F%XS}4+OY0oux}C#`@B65$91{>$31FFHX<NVYh2;9CCV!M2tf%XUkG^{2
zSyuS`eS0Jx<!+lBHvVwNo%)*NLM6u5v8OZ~zVJ8&-u&9sv0-sgm1Otz#+J9=52hYh
z_T!cFJF~YCc*PNn4zv+0h5OZW47dpG_QB38TF6W5!J?z-uGhxy!>~gRJBp7bWfq<Y
z+!vy-(sI7Ep{Q1Z!BDxi5DFP>H?Oo|IJvO1636g);_PtS5%A-ek>Ti9(`;#B<S|<`
z$ge@YH~ZdK1EO{qs9+TQLWBsGyg-3nj%Wc)Wadxi)8UCtR_Xsbwd8OJ{G%1Wx##S)
zz>61s;3}c*Zxk?#`+-bpf&_8aSl&0rR7C;e)?DgIwz+{%=B1ckl62AiHI}j)=r8!@
z`AATUDl+X){?e;@L6Sn;@D!15lFY9-;xQ$?!fJ7R@#5y~0dTEFc{vvv143JcA^xs}
zl@Pttd{7qAJA@bL9#-B_q|Dm2YM*|;<G3+YjHlBNF4i@G2V1htSV0;g;{c@M@$n%m
zASRVy<ni4}Sq)?luupaE6KBK^<~5&RxEI<mtjJ*7vZbitLxS!iF)l~rKlL*XieBUG
zi((X<IJZ!jkr~N7&$+%LY1M>ygMn9oGC&vmc^t-O^}?Nz!Ru@vzdo4c_fx?9xAUdi
z4)&ElFH6V#9RK-HQBHdaPmvt+To&Lz_4W4)(-U5&WL)k~*;^dlK2kSj(&6P2Z}H}S
z)9COPx1qJbk->~LTKaLHGMW@KT^bZ&IP5j!;Q*hxTFu#WdwHT}<%P{}%(^=fyt<h~
zn!iD*>8}^32R#SL)1=s#{*pObWf+%a$Af3v4!247O)h%T@I~2gBG^o6_G@9-(tz6E
zPG$Th7C5zb$Ej#Fq~4hGJ=3N+UfJWR81Ffo<q(^M?2P08hto*epVPiP$@`x_njANU
z0@tqpYvGyA_kZEI$wn?rQsGAB|LWCwp&Iqy2%fMY-~a9(2Bw*M7oHf-vZ={q;Kxq&
LeQKF1hkXAFdw?Nm

literal 42919
zcmcG$2Q=1w+&_LvRGMT|L=m~oluC9ISs58+k7Q(KkC2j3q%x9~$S5-_qp}OhUfCkD
zM@82E_3eJ1=lsrj&Uw!NJm>dwx=-$_i|ac+pZEK<-roR~i?TbZ4p5Ouq@8jXq}50y
zauE`V?CDlYypnO1e;9vlc94=&--<8Ktyk~i|MxqdzwCI)_L`%M(G63QnT@TrDX)Xc
z4O3Ga2XkA;8S?kyB+?<0ob*|B*XYS!m&>$T8>ePHB9d;ie!fe==FG;*6`w$<5>QEV
zGTcxwFf>KZ%a%ugBV77L^?`+bw|OnC0<x>_Qcygpxx8nqrEyuG%ELY*mwpM?Ygdh~
z&~Mg^SaHzP&pBb%5dBZF!#jtD=uq816S*|ff4|&i64bf&Pwt_{S7=}8k0R2)uWQ^Y
z+eN%aJ<d)k^7p00h<*R@Hhtr)bN~Ku!2j}1SKG25r4)*;-Vi-VI+hW_t{cUuQDYf!
z4__&ik2%BSO*KrJow!-vGbvOoGrFm8QYFhJNp{f7>~JUEb1y|+LoUnVkNhs@n1=G@
ziMJ|G9(fown%o~0``q**-QJYp*59{T7Rv8*4wfD@tY~uVQRei?e=E-}$>y=2V=?be
z<|{c<IzPN^EN^aU&V=W37U@f@SjC-fdm9UE4fGgN6+1Ew{6j;jnGPOQP<k928(bH`
z&vxd_{<W3gnbpnIbZJivzt2`#S&4?<TG@6(T~H)ov$@sLbCL$zOM1K1O}Y=CyF1WV
z>Ou0+c%}JVr@)528Rxb1=MSrZ05vJg><jab{l}%*KX+!E2$<H=hFM&CsaW>b;d|v5
zUhUiu!3RZZ^LRr;Lzfo5NKo(Hdpj}l$i991;=R`X*f}^<d<<n%&D1ZwG4eaD_S2`b
za9*8b_CwNo3^<>$ynM?xF00-mI#OebD%<4O0_7TZuCMLsI@x$V*Q$%=-Me>VEy=ql
zr=~)~!|$e~aDE)Qarw%XvaYWE{oWg5*FHxjO|W+ClTV_d3HTQFIa9cF(cDUw)!~?}
z4%M_6cZyv+IZ2+~ZsrQvsEtBd=trgp7B@XTE8i=}il(0WJW>}?C7FCah~B(8Q7%AG
zRaKQMZsf)pV-u4)9mi0q=O3Dr6sY&@yEiakDC#!9`R&`cA8TvN({&26Zmu}*U>4oy
zzw2Pytgt@a;NajsVMosPOoPmc1gy`}Ur{HobFBBKUOIX(JaIL{;C(QQ*AiL9-JKQn
zPfyGZhe#w`O1?NdKQEPhF~-o)Fn)qH-16JUP&+55s<u~JdHNhYJUcQnGF(@e?ETvR
z;n^4{yDhJ@og^nG7b)z-6)Wnd_B=<!$*X9#x$I(ndinPoo3784%Tm;-emSCNx?br!
z5^21&mt^QTW$3A%#l%9#qa}Bu-u%6g-t)}~!-88x&OdXmsHjj?QBh%4GB;0Ia)}ea
z**c2*w{hs`_o^b|fM37nc`(s_b*ejWY3+AE8Hs~~W1oQWW_q5>K5h%6WnaGRR!gN_
zUS5toZOdF<Ud~k#t94dIWzW#?u#?^nR#w*1fr*KryE_@BI35qSC`+_C+2>;W9)A3(
z@r{`>k8a_fn&5-yzUEtJdvADQsTu!S9N)TYmyC?e-Hf0#O<i3ko4%55va+(1{qNs*
zw@(ZW`6@j-_1vbnC@hMegj+<-%)Fj+{&mi(<6x41?7LsbSV)b+3xY*;zgf!)xqpo~
zZXpRV8dS)>t)qVK$v~QQj!`h5v)V}-@Tro$_a%EXsh%g2;^QR}Y2xZ7`(f30)lR~~
z!U;IFdqF|xEG@bC^os6e=oP0W{&PT)cDJ)-N5+HJR&`oh+C!&K(d!jClFcS0$wnG5
zyUg@ey;OQeB57)Bc4iroN1d|fYWTgda62=TUwm!x5>_m6w#>}T$Bqx(b3`#Z`9LjI
z+RBROz$vS(+}zxvo=bb4K7Fdf6;|lACaj%r6_A@NSXoo^0>_e-lhf=Js==d^zaw2c
zuRLJyQ9}!hE5=?IFYb~$caHkN0jj5plsY;(tA8dkmj-U{c2v>+x$B_t9eQ5vc<+t%
z%f-&T;v1_Dkx`ajPZEx|rfF=S`dW~=n48$AkT;oV#%;gmU3T$KD<i4#_`-dm{?Cb7
z3Z3sqWBKWC*in)MwRFizj&B0Vb1u!+S1T#rSbNSi-W63`NjFvN{G;`sFt-AmUYchs
z-TBr*lsgZk)E5*KFtB|~(CbQg@q&zWP}s4t(8g&Ov*^~Ujp~lr<EDY~@oZz=dE8hP
zl<`?tvdkGowY0Pfi;9e~_Fexh{&TH9l1y1y+11U>s43yR<xC*T&}3gJBb#jSo#J8<
z_n$xfl*N}fNAT%!h31>DW82N*Li_vs*Y>_J`x0w3Snjt^$nH>2Z*LP8+5H12slFE2
zG88C%oEZK5jD4PO`bXQV$dlLUJ#XF|937>UkdPp1X$Z4en#wZD>!P17U(M3oa8ss%
zMB&@FMq`c7FUZN=!izO5-uDao+_&GR+$n|q>ZdJ(B6U<>CujrJvR5HOf}el4mzS68
z`sx|ynZEQ>O4!%4b2Th4;^Rqkb935GH#2|S*#7OtnP6rys@=PHFOIit>FVkdvLCwB
zor`0v@gXB07#zIy>G9E^5IK_H>5gK@ao@2q^QD!Qir(IX75=+r9UTR+><4FNLa+(S
z`ukZn)>kqM?>C-QT3SJ&A~q*ZT)=tqa!;ZC3u$eVkjr#*q}h9~wJgVRwQr-Nfg?{(
zSsx%7e()hP?p6F~(*N$}?A%-#KKkLKN4_N`qN}S5UtE9px)9d}w?Q#Va2py+M<mN^
z!Y*OQF%?%=SHsGC)Lf-$@;b>J8cvf2T%B*1Ia#Po2P@=H*Y}c<F4kTjTK!d9E;*#z
z@Qk1S_?z+*jHeyd^+}{o?qRY^+@crU=NcdDrdEDFuI&=&Y`T5tPL0(2482`R53aFp
z7L+oKSLZ?tAt%{6JGW!;G{i~lCOy1xB+2<1w?4DeS-ET1I5utCWQWyv)ztLx$&+**
zzb4C`{Bud(v18@eSKDmYIpdxZx4o!KA3uKlVBo#x_u+#ilep*QsXuXI9(VcQuhQUt
ze5|Y6dpl=w(NQs4h}z@#bkz&lkcV+`A@%i&xOU{+S{aong}NDQ*|z=S_Zd&`stI9{
zm6GyZI#+;db)V^s+Eo5^E*5HPRV9tkTMxwljIntxHpyx$XL2eiC`3j@886R|eEg!7
zUi^UR3=NCtEZL9N)E7=(Z5q=H-@mY-tFHa|c{?WNV3Ff^LO%CbY=~Jj1!LTq%kMnT
zyiQNgw(2?_CP?MC>5bW!>MWy*EYIZ|s3i5#XZAXb)|cUxW8UkYiAhODzb3nq!p+uK
zm-n5tqz&h};=8ou>bdawG<)+Ac6OugTnqE=+<!FFwf*ECa}46FD)C{Jf^nYn+en7v
z%}K@~Y=3*Q%e1aytmu9ev8Cza8KUQV&X#Ri8c&WpW>USQ=e;+J!OfpxOH5uC%jtT>
z^a|lTw+aeQhw~c*V<(uPc(WIk&>8%@D$*Er>eF>O*MGCdynj5w+LyaC`pv};<?_Dw
zt=PLw?+`B--_S|ranb4Cl&;7^TJ|~D-e35nMcee96j^0YL(5XL>Xt2AaxL4aIx_Um
zsj1Nz8ygP{4Q-Ol+x`qirh7!ham;79CS<rajQiu~&sDd#?5@nXPG`|Y9cz%PmC0OR
zUoWqu<>)Hov^!tSYjvN~kJhr*)Jum$FW|yaCMG5h;0HU4UHJPvX2eK-=~uSwX5LIH
zSss11Pt^6;{KCTASKIf4zox!kE^!sWrZTd&PJiT$rT~CNY%ro^$Hw}l+pPSaVVF5^
zpIPjHb$4#r1IE*pdqsqV_B}qTOsUf8Sc;oAXOuT&@aK9*#^B1#dw*R%e?^Xpd(><L
z-@e@mV&ETYe149=6!-U^$a0y{Z_Uutc{L9t+a`Vd>5k)9s?x4YQK%Mj>vxe=0L!7}
z?J_enJ96a6hsH*gXtV3rgYvDv4&kOsqYBlY6uP7l!ARQ0B7Pqzi)dvepY^pBlZNOs
zg%00?FKgA+)m0Gq%d(Yo^XAPY63&dkldI_OT+0s*iqMm9*|nKOK%F3Z-twNe4s#76
zGbB=Tb90tq*`~zgSK?p!KoxxA;^HDZa!l*wbMFw_<;<BgKtCz2Ci+|&)&+Ygzgc$W
zm<GfunbZWI|2^#&62(bNmH6_dG1lT(M`m243}1u^*6Rg%dEW;Q9(1qfym^!DG@-eJ
zMV#r@ty^3xBj4k^WdLy7GA=P{*#9juj@-&43;R<U?hdjD)$t$dOFYb@#xih!`Lg8m
zB3-LT2m1uXsYrI3x*x=Jl!cDOYJL{sV;KH(*<9BfMb3Uo+eo1qrF9S>0=vUr8_>hZ
z);81m%HjA=U%u3YackL4wDXdDo<Bc~gS_;snt?64Bx=*ac)Nj3XDvQAD@5?oDH|U>
zdeq+hJI*SgEcn=wq}0@Z+FxH`8=V*(y-P+;c}PTrQ8t9RDn<2${5J_~&Rol+13vB^
z9u*A@yDTg$hJ-ymJ@?Si_+qW42zLGY(Y76{LStFC73-`@Go|Z|S<vv0-!uIzd6sSE
z0M!qpq5?}jeh*dbmS|1$ByfZ3*|TI)Qc?p013o($PZ5ZH2^D*AdOD+R{ycYJ*ui6h
zHa+`L%c`e)i<^pFY{T4$hJ|%|<Hn6fynZ7@S|@Czp}t<))m5lE_#k(Czp%^nj=g*L
z0%fsm%xtVlko?HCOwG*jW@fHB4>z~4t<K$f*N?7So0yQt&#F@0YD`nr&bpM_$JVMB
zv@3yv^!eFo|A2sieesJpBj9!I5NEB$yT$5URl6ltNu&#kij_Ev*?}_hxu%C`GI?$!
zzZLe=r?uEq$b5*Nii@kUe^Q}EBvSrTSIv5oZ%m3%+i2~?sF+XvM*NHUO=|bI`>W8#
zj{NiEsghQ!cRmxnCXL{i(!0k#Z55I{+4)awfv~u^_~krHI-m0JV2hTQ7EF=xoVZ(&
zPoEy<=H3omZ=BVVZ><w1viE!{<5{JYv1d_HtZZ!LfL#abbRFLneMq?&Bh1x1ChYX%
z$gW7cm0#BOMU68jL_~^P@1c~}vA=x!?AfcGM}Bl<hWz<CK~(Ug7o$IbgFL`44onyO
zAydNrxhjaEYRY3}sz75D_easwR@KqbF~Bf6m)O$dZ?y9)jX*TA3JPj6->-8yr*H9j
zdcrI%aVHg3vv4OFm&9ex9}O`g=IyWd1L3oZukeIkIA%8>Iob1eukE{K4qaVc`E(r%
zHI0#7+qRtr1oZXw-9t;8czkAdup;ufDb<dhJFA!_syv=|c6Wz=Z0YGKsmx6{U07!f
zu({5g+fI8^`rPFil#BbQRK~xjdzYpP`VGy@{B7T_(Z`6m@Hrf;@>r3Ul^sT{k_7};
zR8pF&X0*L$Ay|4*W@~4li!!Y^L;3{0L2^FVLZ_Axx_=7khTo6iCGLW(yu`Qj28m|$
z;&+(MrYUK+@8bVXPbnoXV`dmSPjb1Mukzq2*;}cAXCYJrtyzn#?XR?U6K4fX6Z-I>
z4;X6@S%5m1UqpmfYTW_w$D1p^guK^92^?PRGP9|1wIq1<p{6Q`CW-2{-?P)Utm5L#
z<KyF&vK(Yo{%2@uZS^<Hdp-9le|+@hNey<jiwX+ddC|Ui?rhF;OMMK4L$RIykf<mV
z$Rd~vn5$1xl4+{TVR^Pyq0X+ZFjum$n3$Ma;XGb6_E2$;jkVtb06io>emXiz!A(@f
zugLfGQ<xh)fBRj*=@W`JptQyh9RNT-wbV)iA^PuTF-B>LJYlvA_e%eV-rcZq+#2(*
z`RPldfdfQ8$+^0%yrN=oYKk|%8vS|j!Rfv|Enz?7Z)#ZfzZ3IX8r*W#%xrkF>&@l&
zUSb4vj}~>y(Pdi&`x<)lMf^5Ua5$eH6}sbvBQ%@0Y#9cUJP<+mqwv$GPh2fHOA;;R
zbmk+fEg}Lg^N0A`#dyVQXd<k)R9tb}JJ&UO?}WoS-5a0Ug9@W5eNyTEJf+=rWRFQB
zMb#Eob<SI3U*8_MeK0=jr_9p)WN)z+lU};R_Xbm$$AI!5mKVNL)6ucZe4*PPP2#k=
zMJ>ZAa^u_9ySrI3PU$t>B5!?Q_>xbO`r^w337c!zt^t1e<mEY~+8)tlunTjJAljeo
z<;(jL)&9BG5FPOD<_bvTCg56rmn;)&>j%loajb_AKd)qT39^YR`tVZJ<t%~7&o>2{
zG{rKJW<ep#T3czKKYxDj!2`P6ta={nt8M{|b>$xoce9AoCZ}J{9tuk()zs9madA<#
zBrEf)?w;t(W;<oma}TYv;_FvNFeu-oBz9C#b?u8_sA<KWBp=`_V>HOlQjgQGU%wt0
z8S$H(w5or0dN*prvE#>Sbo>PK>H*06-{j;RL+cl`Y`qZeHCn$v%<;$k^{yOtMMXuB
zyNsOO=gyr2Y1tm8nWlBtPu3(T@KS#Szi0tBPppB=!fS^@!)dJ_^8$|=?36kKzUGU6
zR5?+ftF}$LpR1Ug05zANiaU-y+?Q+qqnu+;?AL#~6*+svRF57%o>M7N_VDnz%J<&u
z%Vu+LpC_PH`Jq#jIA4#wy6#q6U$1_q3A?B&oQCL7MU8FTz{M9YUL0$C#Q@4g!N|yn
z?lCYoTw|#d5Ll4A^$tH6gp<J4k9#g(zI=$A`&BE0KmE-^8A}ZEo&Hy@ToH0#OsOpq
z^Z0eo`<2HzM~e|QR@P=SU>#XwV^&%!3e61N)Z@xy^sQ(yp1-=x%saE5^95e^Rgv@h
zHMt+x*KTo4)p5FKKTzV?jrFyv@X-7BcjVnZK3@L(od2QF3$5*CJ9g|C7#_Y2I6REb
z{P5G&NKv=rz_PbDR=-PtxiHc5>+Alwm!pwx{WTxlIP#1GM?<VwP*&D4tG<%`kR|ro
z9@_5o9w_jYqaRNO(9W?_r>a5l?5BIq5a;_U^IbX4nXJTB|AL;^%a<=_fB&wTdA|`H
zAAcxX#AO#gx+X~>qVg7#K0BRF*Z9)i!@;tq5s_XM_2f$i=RSPW-A$5=t&-VidS6Q}
z!n|+O1)*DJ^gr81`9o<lUhw4S=iAxatDc#=di+YjmXTHq?B7JS)P0kJ*V|v0yD$?_
z@ml>ptF9c1{rmSX%~tFdKrI&%5g|As$SR%kq4=x~Ym3ks>~;aKRoBSKNW<ak2SbYq
zU*4B2G>F{0f1kEy`1kMMgtB+ay8FnxnrlCQv<-2xnPz8YNjf{9LYMFbb}9e#Y1{ja
z^<w$=b?C3z0lDVe>jBCShsg^7>0L-tBaqeM!-sJdmqwr2+AWMK3EK8CG4Sit%07IP
zpI;4iDUXX0Mekkcg(Hw0Xo{uflGMJ9jHHUPT{ko&d3bmn;owNSc~Lq7SkUgzq6K7-
z57pI_`uh4@r+NC_CwRe4DyyqmQC_i;HNSc!6;W*2^5UHTuB2&Y0|SFqaI?SiAk;K0
zf%3-2J@425a63<S-XiG3X#G=5|GOEMdDlCtLnPMkv3Rdizq$6=S1pyG{Vy-ZaJ{tn
zn$P>^*A#a<i{G=!s;=(tArzDvWr?*r=x0pf;o;^jFL$1@>hys|!U~1vbJWR8&*Jj(
zPI6p~-bw%*$Ot<5R<~ZfU?WHpfXAyJF4AY@o|xu2Sj_g?rgnOqdR4jT7VJ0t<V*31
ztyJTCzddETCD-m+Kkd0+v-XJMgUJB#Jd**Vn+#@;qlR45PH?nJ_}%5Oh;%XALmJTA
zeaZ8rRB-{tOxK$&fX_4%5Qg-aj1oAXr+&r_5^<T{Oahw^N<Rj+QmtihGwD%2q{kuh
zpQhB))mz<Ou|58D%wbe<#{t0$)?HRsR)-?$6c)EkH79M?%+ybBj$W!_FnHqnJk4<6
z!!54ix39kbO29un0RDQ#n>kxi3}z}MBt#;Clj*a@K{C0=cF*c-{?1pL>1to^TUuBI
zK!ZGMdT%DDR#sX%G35A(6QR-3_W^lQM8CyGMNw_vzCB&GJIzKbL-#C%x#udJ^1LSQ
z?!p9l<bSuc>F(XTh29(D2Tt4Qer8XKnog22S#dPv)%A|_fAw2K_Q#*m=|h5YivCG%
z%(RpdhwCiJ-zJb4rJ{!AtS^y1%&D6(Dc_v)tp9VApS3Lif$5T?;U~V!Npth_<&W4E
zaJFPm)>&1ZAT%7J6rsDRFM9|J*y)G*;?!3L000?vby}Led$Fn^CyNpC3`C;?&*IWS
zmcjaYuH<ZPYHG^L&AkKRZ4)`UMp3Zb5gH!t+^qz`zeT>q?)S7FnkE5}&)wZYUE|)N
zX=r%p>hb*qVfyy%YHOwe3y|vF+qcQzt^Lv=`MqdbURfb0Rfn*IV80GRV*%Ind-38$
z;l{1<L(R~jaZ{ynSdSh*HUd0`u0v=AKPO(<Hlbps$<=@U+!p*TDTDjZE9rffXFw1{
zoF{$K(|JMreT$qXSW%~O%&v=L)KRBx`GPB}CH<jhYCDq#<Z_r^L~yX48Lo2Ruf9to
zG*f(c^|bY2g<47)htQTTdYSKgXA5i{zSSvw$qe?R)k*%E;1#2_a8X9XsE!h7voyn|
z|J?%^DFfgYDVLIW_4M?p_lccL<mPY7At(Ku*k?E{bX`$5hBLS!{8^^7uPmFOkORw=
zo%KeI-BeD&V$${ZP8}dWm`Z#3c*eyC+Z_p$Lf;I#>Krzvqu!1L8ZOZTI;sbsF&h8b
z(>B_^LSOCLoyR=?V;|d$8#D7yXUR0Fg$p_-?zZ1maG0vudK3+pm6b~=X|o9F*lYj&
zeLr32F2-zPBTsy`ul$e!*=^4=vD)FD{TEeli`5@{T|6p?8ji1S_i;1lz}k<hL&I%f
z=Dw_z{~rFBNRzuf!F+@9@__q`W`o(T=CgO5;=0Sr@6232Ongd0t!ir7E|RF6reS@~
z=ERMe^Uo<MeWX;E9;qbd%&wg|e<kulmQxY$kGV4kiTAUnNry52YZy_NQgKZ^{rA-b
zt!=me{jOPIhcj^j?p@#)==}Q;tfiHP{(oOur1@XI>64=#DNXzIkrpSt&1pw?pD5sO
z;@~@|bpG3i9Z}^9lh<SL{rib2IoYQF?XxX!AN*y7RY&}Sga7>({GUggV41%mPuU))
z%qt)!t{42aCT`eE{?;z}^SIoJ-dBtGNUBOXb5dL!t8=vSB$r3?*^M3al1A|@E8n*i
zhClQ-U~AbUo=SZ{XKq3cKeBkdGv}Q8gHa}hJIC4w6E4X`(nY7xjFCR{e)F^{QOOzk
zd#tsx3F;>ra#7KxS)0zg-COLQ5g2#%uG#xB$aCVgQqqN5&3kb=U5tkX8_9n1bmb7P
z-QscBcp7i|jhhDzcm}ACH4>LTO?0waM*XvlkdASi<O)qox>C}PzpImr`u4#D%U?X_
zf=`-Vl2=r&)f}j~_o#(%>QapNO+J)?xIoCoQGLNApTa^R=+3OrYK)AGV7r`$ru;BU
zd!B3s@UO7AxT39%E`&uQ<B5})>+HbDsjMimI!>nh194_<mfyGEriaNx-Bj1&mi0n~
zlTdC538=T&#UGlO`0}^Cx`lRUJI<5)bmXh)U0GdS-NV8X(%E@AZ{has+eX)}-34_I
zY5|f0qS0ZU!WIpUi!=CV;)cC_8N37)s5v)mLTySH>e#|0lOL2)YwphRKN~9hjXp+R
zZH1YcxXoNFF_a<@2o1cJ*)?BZz6GzsxGIp2ARlNR$K2+x0(zW}sQQnCC@Cp1G&c6#
zd-URy$Ygac`^ip$rKP10m6g)beHnTp(c(9Yr2ov$+7akQtsOofZ?0`WGwc|;p5wh)
zCr|I$uraZ{(-^{NbmKI)6{Cj14%Z_zAFAu)pD+=N@`8@=PG{%oo&b~_Lx3}aj-twK
zf{aXn>6VvD72fL$EQHil#4~hVCpCkIKxA;hE?n43OXXKv0<jyW$8d~GpX$@;@$mrQ
zgY6U)6hne<b%XES+X{8zm0EjJMwK-rK|-Y?#4E^mhXn=Iqfg)Xb^#xwyc!)IP6<n)
zK1M_<Iy^dh2foKTG7n2uxeGd3R#UTuoN|YxeBh{=&HBDxl2`iYrlinqQW7?sJ%Y;P
zuibgWo*$AHLYa5<^65mrK5N_O0xW;8^|J=wgGp)ufTBiFGC=681C|L*zAl_M+xqJ%
z(uWeag<0sP;TOI`pFiU;dM~a{=S<AW>*3X&uU@IGaV;z?oCA1<F{1Gj<gKEtjI5!d
zfvZJKRP^EF$1fg<3kx3r#{-B_O3F~kGOeTMF?h#>W3GZyN$6JlPh7jV(pgbK4*qNW
z2To|Vt}hU5#mA3ZVH9eQTyg9LSF8H=>9LWiX_Ea){rw|CLK%k}yt^;&aNJxG!#ij0
zd}6a>db+@F;*6Su8+>EX7y%2(rl+TqUXJ$`pI-kn!B3KeVPLnheiJhKrRa^ZCN|w-
z=bbnZ3YF~Iad-u_^#w~gVS1^>qN(KnnFa7_ds|eLpkL}P<h5ET#491ea#T6?4wiJl
z;^^oovAtYf@jB2UNX6?#Co)N>7hcOF4A4C(u`LOo7{+K5-0as^-cU*o+6RP$)ZhY>
zk#M@^U|Gx(UiZ<2$w&}L{6T=quy9|AQv541_O`|H<2FktiU@Cah5<=N0#4>WsRZ#0
z7xy-7JA#a~x3_QIwvGCGoRIw{$lNfZuKRH(n~vzHYpACgY@rF*4E0LLZT<*s8q&b~
zjWvFN-NyIc-g$Md?(Rc4zM=2fAP@99^{?rjw&{_C7g6Lg6YT4|X)ey+e~V2|;Vn3K
zj$@5vIO#&yIabmD;maJqx)pl#9=ICuvxSZm?Mf4(6v4s4rZx<yA=DZYF(K903|0Qz
z?kpEgQrkvOPL6%~WUG8hX(`N7F5NS{-2Dk@32JLaC|>8}<pT@#pw0Qcdc_SfD)Urn
za`I7TG50$#k=Xe72%&KdN_W_6g?*#$5NB~^_ik+KWds5ytk<^=X3{b;th~HC?d|RH
z#=U)>3rY}th#!TBH`Z5L-0nsN{~@oNk60#Y`obO>#f=FIkQvlw?n^)#uCA^ga@Yg^
zqJrR3sH5O51JJ}G32&*bHdQ!^D>-VOSN@q3N{QlYbwWc-Q9q6ElW-1j+PC4t`=bv1
z6?hy*cf4DjuTyL3fE>iDlV3UBk_=ng2LfiqR%Y(&dO-FhALv9fQ*T?djLt!<w}EVW
z9%dMhvMEt+Z((8K06aT8J3Gl2G7q4Q#yiDAMeVTk_*<7wJJL@IT6fd_oai9r2f(1#
zm)myl)^dB9j71IRdiY|j=r%Ssw$^kVEl<NW)4xZb#>Lf^xflN6W(tbu*jEqblTfRg
zBl}uf_Tr`yo<pR7Nt%@&AtMC@Y<u+Rk$O?l+Vb}}eCP+4{+nBHuL;{1oc*Y<^W@fe
zJM+1d*V_jw1NL&ITX&BVjZ-?4FUHw~@x-+qzh?R~on6OqK!Xq)VdOliT@=6h=MXFF
zCK!oQFy{}2(!PsMG#|-@2|n~5;+HWhg>g~ylW<$r?hJVO<X_?>_*GMbgMzqKQ@vsc
zgAob_VE_}A-_kNo;3gz>YDUH&tQ5TeMQyt&8d1{=SvF42t&FE_q_18*l5g7|%&rg~
zj}11IHHb}g8+7SnoH#FY1dN7q)EaODRSWBuQ_95ZaCaJiZMubYcgKF;$jE(!eFWAa
zO?1+T2!A*fOhR@fSRr?Vf`V#~V{>)pTI?keyqqSPAw7C@WCT=j7h!rsN52iHBI3#!
zUf%wMTs_$)`JXrgvJ}lU><8}r3dh$VA+w8%mCy?2es&l{Jbi~2mG$P$?Z=PzVt1uE
z>S0CQfx6>7)$NCSO^EK$uw^7AedLRvb_}9!47r(_o8N;9H;i7w-f+@-;RsG5LF=(}
zsybJYvN~6oY5pB`denIwmJzO2;mws(&{UgVDlvk&MeN(Dbj-MN>$mUUP4JKGqf?#P
z<i*ZYQl6folarG~rGTp<$?^Cw!W%@xgT_U~TGHn=3huvj+DeFf1Rn!wxPzniDX(2X
z*25lFX8sNWPEczI#BBLDza*`3_WL<yVx{3#ivI_prvE7(^|UAewGhYxf6#zAIXQh`
zTS-0l0d`YMeLa0cjiRfwbF65qx?HS;cg6%Oaqy)%M`*U;59B>4JBJ>BYTY6tWt^%`
z<P&gpDJ4kw$Z>3yfQ%qXEd9mWM;DHeNcgAqmVJ|31N=U0F^mU00pKX&+k{`(#I1DC
z=#D0HfLhR)AKAb8uF{J~XynFuMXL7F5Lbq}^rFxK$QJnef0F$ApDxn>@}4{z|2MSO
z#?CFm5Fq!DYwV+!NDQg&w|Z?^*4|BZ?PWDx!#U(+!on_d{9T-Cn$CRFqMp9Oc|48r
z8R;28=cG+tR|Tm*S?srSOfeYr@$c<K%}J5DpeTPfrkg%1{gO_{`NOQdo$aX)pk+Ud
ze4;ie`u9{+AIyrf@7y_QZFKc&3O+TI9;#f^hrVA)MKQ<!uh5zcW>4gkh#TyF|8LqZ
zOa~=bS5Hr2&E?xiYJtyCKGfGKeGm{+j1i_o2&-u>d{3zO<A1Np;va3;tv?_L8M~vD
zgZ^h*v~Zv<GXM{(J!L`dLjT22<`o6XOP}2Hmv^OQ5niY23z?(_TX=mZ!|&d6wB88Y
zapY>P!1L?YVdHb-H&$1*sH$C3A5?3$G5BUN5=%xSU`Vec5Lumn^ALb28cz$ZckmIZ
zF5n^8nbO~T4jj;C{eqhOU$9YLzRhMUwT0=hpL$90h=6$a8toh3y;a0VEUqt;y%U>b
z66+BCu=d2)l6&vJM|TY96#ya3o60YteuSU~BqCKtoS6L|9690Z69NY!2X}&kwj%(8
zIN;W>kpinOUnJ~|=f8b|AeYwjfHi^YsRIvn`9rp#i|j_4b_x5&bQM05lX{dIYO1%V
zwrO%Wn}Gf$P%#QSng>`wNUTVddo0M;ffh;f>m4{CXig%1L;w#F2wwq{>O;qlLA8Q)
zi8VlAE|3?72o@3N*R^J>&82iRox^Jfl@DzgRK6Kgr)ggg^G%#&I4!B&#W-m4yF2Nd
z%JRQU$`3tz$FE<%xLQyGxt?^uSbF&MX#m>yi}-=_rx~D$Fp0U-68@*4tZWVV$-T6C
zJ2M4NvL%LXu7O*GpWoV*Vs_=`;jRC1H&6Guo*O1njD$vMcjlP_!B~Dj%JI&X@<Vrb
zky^W)bl7!(^jNc60n?2WVdL#Dn=N-clK$?-#XyKZn@L3W!BWQt;i`L3thHRS@1-!s
zntse4wfc1S+@l=2B>`57?KiDo<%u%I`(Wp!#i(mvrU1Vl%0+4lglIETcEI5emSzwd
zB3jlFnt+Tz1!-;9a8;pwWfEWJTN@ZCc~dU_)dW(y+cNZ)eCDAv{|&AjJ8`07tmy?c
zE$tm#3syJ?M7#$AmrC-*gZuXHAJ6$Ht$x?V%Po;+EI0df`H!=|j&a_IGj2*f@>=3c
z6S0>sgydO&rN_dns(!#oM%uEA2~Nsi9TVY_$?m-E6CIiU2#?5wFhB6|Asvi}yjN>{
z-R97GZ*||+=PajvOZ~{K>UUP2-Ts%MNuJ{iQ%K<H_EIDua&kgupL9+B#Ueh+(7xK*
zOU6t2HLl@@Ys&0*8rjaVrYwtb9E@X8{BZiF)t<&Y&vVM}>s=yv|7}Z)&Hu8B=iP1~
z6aqb6IZ+CgX8$2pDF5G6M*jY$gac*OY4pqz3ex)e?=pg<q_vUSsTnp4$jVOB_^*m)
zc-`9XTkDP^9LYb5IHeQ)D!-{8Nxt@>y*sVk?E;EX4ow|_v=(b?Ya7lRt5L-!CywKd
z>XeMHw6pT^eV?Y<`z;v$S4Q}6E&X50JdRS&Rfw+mz_lcmYqlgI=cA*Z&-@K1CkoOc
zT>XB}g$Lbk1a<|aODnY+d8xh$3rpd7cou)q@l&Vn;vNH?&VD)?7Z0!_%-wO_;l9CM
zyty3q>|G$VLr0HpId$sP7!+ZM+V^1X1dJDMI34BSpoFr07A7wwT|yjn_3$vk&cRY_
zahj`T2gM^2P4JL%g+p?Ce+|9YL4ya5H*bt5lX-B!@9b^LunUZEl5=zc0->E&y?09D
zV4exocX_G!)ED^oEVc)tDzL6QB7Y+r^8kmWxw;A@HjKqS^gT^@y6uX$n?}R%Q0^Jc
zZmy}4A*aAV4{IG~LR`hCj}`6XXSY^3a-*TY!%09eCnv`jD;PC{5G6ns4N<$7=Ii*K
z)R^HmbbkF>0sMFrm>sMC16bl7Iy%3e9$h&4gJ1|kuCs>_UkE}Y5#as(-UenR!(I->
z53ti8hK7>Ci6as^K*`m}NI!&gk9=(%&fgAsTJwdA6M<I6v&9<4&erfa{>FT=49R{?
z_v+9+yEJY&KSx>X(kpl2!Uw<Y3?$mVK?%6PPnTuSpHKA+4hU#U(+xY%@`ImFHPj?Y
z&f+^=<|Xx>>x`3s>w4b$oaYEF=d5R$+>r*6jEP6)xzMKJ)3QNn!f95P`)wy9eg6_y
zL-<yuqO!qEWua`cv#@0}SBieN{oU~3RpJ2M4-gSHg3^!$vj@@vyfL<yBkP%7U~Yts
z{6wA|cM6f9U_x?1p61xGV;_Kgvyn~KV|b&BOPnjO)nv`!RRBj0%`6c7oQwn<ule+u
zDmzY-{>k?uhoxB~#B)%X$T&;fUIZv|oCBPNv9yWgy1FC)GX1L5cvZW@fGee>CXFX4
zMyuqas(q$Ymc!2<8tKzJm_%Lo5JCt#G?D8C08Z)oWbfoe@Y4+a(m>#Kf}8+QSHWxB
z!@%HgKU`ggSMWnM$V+I<gRxW~z}Hyn;j%c{wKvXt{mgXF+e_D;Hs|Y0t*3wgDD1u#
zX50HuZAHboRS|Y}iVs0+TDhquOM-(7aJ_<H0ns8{OVDg!d@bYs*3G&_j&c*GB*N^+
z2m67Wb0|gK!JBn-^Is}lxIiL-BFmNx6d+&*pnm)Pdx<DP3)YwEW9u8g`@M;b`{Gy=
zd8zx)a`aF;oN1UK-5TF`G4dV<0g1<;l^}(PrMrnV`|~Fe`Dsj6W&zDqS2T#787{lM
zg-A|)fZRkxRh@+6d*_;diSTUQv7>eAAkR$xD-#<VK4*iVkdThZd_iOwh#Lx-aA0~m
z7_oVyz7jXC^w_W@4wjkbl;Y{F*hD)>gh2|of*E1Pgprpis1anYO+{?0{EC@;-R%a1
zLX!FJ4^>}Z-&lJ(BZp#Syz>g~JRwUVazIXG_F;>+jV9Oicg-`s%E{Ot)$nSl;~&Z5
zwUp1xx-su5)ZO%p&73zANn<#1S?)hAOMbTN979&;*)-%2<NnLAh>%ZUL&b@^`D;Hy
zN*wwZNCOBaoWltrH)juzMKMnNAOaRhg?&V}3TgRS7*~g|{!wuV|A_EY5VVABAepK@
z1e$j*Fp$VQHO8MM|LMoCGO+A&v??TEA-LkOQ2e~}MLPJF$jH&m+&{2?|8p##kp?s5
z4Ux<}tFO-tq~Q<!l-OU#pT5?$sC{g!sJP>$a@;OIDWVWapFcks#Q%<S<6`3_K0ZFe
zSteXFaKi-1Uyw)6LGKcrUPus}+JKmW1$^lAX$GY45EEhG)BOO7MugMg8Wj%pCmoPX
z$#Qph50CuaWfoVe-q(Ng_rd!Q9vqISYl5GnmK^bW$y}HPWv!C*wYFBiq)tcUYb>HC
z{a!0ONsZ7i(!>9mM*Tc*Zq5m+WZ9PHhZ@Et?6?(aoC-+4Tu;m_ur>KIUQaX-?C^WT
zLBbb?=!mN%h1AwACLt0714EvhGjt}xse=;o=l4tq<Wqzh-kjhwc=y_=OaE^E&j=)6
zhzutYVMeY7**2(;a|k7yw54g_#K~1Uhfcz9B>C}bL1nWn9vz=|$rr7We|BBQt%2M6
z_Y29E|6CSd!()InFnKYE7>My{CMOhzrW{iR&*hPbt=qTn<#&hJQ0VbHL%thM^#HaP
zp*)ZdL1;n{fe_Wa5MHp4vSYZ4<iW@K`bq>b_t4Ydg`H1G=WxgmD7!z`ke%f!nBMB5
zh*aABSTPS{OiYldSdQmrWpTQAp}5tgUP>m?%p}PhH;xYt4b{fH6kW!kz<zL5th8#F
zzjjczaiC$vlYcDXD-WH=UEhUPAOo`xx$kU~nqBEd+UDIGjHj$5v1+4ZV(jO?$=$hg
z=K~x)BK_c1lEr9t{=LG<GK51&Bxh&mu-F2Cb0T*E29qYbsPF0S783Gu;joa<WyJzi
zc&0Nq5?kjr9KT|6X&d}*bYLV-bV^RZ@aw!W!nP;&1Th<c?MRG{5Fr5M6%dh0QHf1T
z{Zyk9KjritE<DKxCtY4&zXOStEh?S0p--Qtp0a&@{nA``40MZ#D;c#3)@!B^--y-!
zm_x}9wCawZ-*b4)59>xyMFJviCfd_UJ|IzSM~-ZUylbf=>a;AP6Kj(6`Q!`H?_v2X
zs`2BV84dlL(nK?@>w^9KD2OJHaFijkOHkIcx*dr@72*cLwZKM6b3Di0*YALE@-c|*
z%T0`e=6kT{HC}G3+vavq!ixzO3dv`6)icbEo%VVgbxB&f2n1G$Wakl5@F_1gMzOf!
zw^EKW#sq?I=i<VUOee9cJMkaocjeG#D*S^OYN^>|49k2e=(;Iy4kO?wvA#r3Oo(8k
zBqSsdoB|f@>&w}MDzU!4eqf<7cf(Jl4fUOF#*h!@FYJV4Cr?tSl+CE^#D09mGXn+f
z!-o$fgnyfaN=s^zS^JHgxQeEvw2nelLh>aZQ9)!v;Mo+kyIlyp|D+2UK{z*LC$7~?
zVkn>y<2#tVcr9-e)%tCiw{f)Saa<g~CKl06GLo44q9lBdP=qw0Jf+-!cQi$>_!QcR
zFUraw`Z#POGGsthp%76;6qMwqzmGoSKuH>ync0nj4U(VU2TX9-6GA(()u0OW#V!bo
ztCduj{_gYOVrw8PT8ZJE$!;EvQf2O*mc8|I;jOUu_LTXOd|nYrBfI7zr|U>z7{c<g
zY(Z3ai%IqUTXAtLqhI3q#h+|_!t_jUUvtjb?ZEPo_u1LmLP~`#F;P)m>v721p)ky`
z>S%j+4W$eFYUMeZ%?(v;-MzcUpT%n{sqn@K6?#mH{eC5e>qaaLy>Uqgw<w{mX4(~;
zUkWAnL7}s(&*VUGR#sd40OgK-KFFX95nH~%<{;v;<fP8L>sn9Uu*E?8NbxrWvhwpa
z-<oTDD^|a>)n%z|${(6-#2<0`wTtFa`hCNfLT9ps>3V-5mjiKnXmxo3C8Yx7OJTFH
zR6)eh2p1<Oi4?{cy`7#%a;C2|6a|%#N+&Yk%K$cJn>QuMd)LS+iT7=?&JaQVgx*_c
zeP&~QH;fTtt<|j~P#hlRjcF}X$-e0GOS&<+sqc>*JxcCVJG+6Z!mvRf9I%I0TSq5o
zp*3&Ej~_1iCI6N|^I{f?sD|%9R(a!V7qqvCps%5aZkc7h!EXbUQt1AZtNQ-_+rX-;
z2>2XWXt@?8St#j==pfQNgrW)!$8K)uJb{$i890+r;L?KYIl|<tZZX1Uz|9H)J&d?;
zwC8ZMqpWgg9L>%dhGq^Ww{U7clGKL251lzt;0dn_37X;Mh4Mo^SkfqI`yd;W?zNn3
z!Zz40+qC9AT)i_I&ISVMluIM)d~JuMynlgA(kvjY6##@E@Ir$w>GSXGu@ga2FVUye
zzlprQc)mc7vHZbnm?>f7<+rOLwhswjzkZ#t><F|<cu!cbsp^67Z4Mndk|;I7uY~Jd
zwb1I=OI>t6Y?R2x7Nu>!Gcbw;K%$E4NVVy1HMnzKtLfIsz;)hwhCYo;i@JP&Jh&U%
zW~|&o!cKMEpKo-QpsGz%R`0MS(}?Xr^p$F*pXzhMkDel@?Ic4aDImv(6}R$>Oum>U
zhYE7>>eZ`<U@C3=_TKP^*<px$IeT+Ndm5XohK|c-A}It79`J(*g4h?S{Ie&jIdA;2
zUd)}0-Go3ZBSWdCrj~`ue=y=lTO;hw$Y;;arK%ePH4h!kKw-h?;cikRBJB~{{>S8l
zvo;py=d+BfsEGcygnLK!WTRO9F$O<~=qNIXoh5E3=I7_*RXAs{3W+64QkUgO3!E`A
zWnn>eflZMir4T4Q()(-P?#7KxDocuSDsvDPs57a{$yb%*#Ql&`asM?LfZQvQwT?Vy
z<a@b{$4hI;wC&q)dT`OiMK!fYm(Lg=)eJ6>KK})dq2zeFh*TC^E14tpB+0bHpa`Xf
z)cNkF2z1zB)L%l!AvGevZZGmR@A{U3DqAb;P`I*JSS9pU8#KRNws81N%9Y5>?F}(a
zo&MVaZf23w2CH1sUU)gnMw~HxR)r)}S#z%R6i6BskV6Cn1ZIEzs@AbB_51ko0)k%9
ztF%tq@Bg=UY~i%p6f0;!<5TW0tQ^bJ!#udN>g?IG#5m;oLfnSB`K)gmYmeJ9aP=Va
zen7YOksmh%1O;hj=U~nIgoNydK|w?T37X0A*r@i&Km2*YKpXoQ8HWM5HI`#BP%{MM
zc#BE{YI{qX2Dj(>@^_LC@KFW)nAq6ZC7>EI5<=jZXQFP=s`{Os6B45GmLQZE1pA_<
z!&X~7HA1~-4+$%)=iN<4%xdABWMHh=jnvY8yn5XJ*lpCcz|)H8g_~?`Z83s22yX<6
zlDddxcU=m4^g*YN7)*lV0uU3ZpFi(J%9U&54qp&rznVJRY`Sw(JI~j4cWY17+GsSY
zdp|v9w26n8mw?2WZ%ok2)F*Jz)#Fc>ig(h+)&XK}tS*GOGQTRW9v^baXC*2QW&E03
z(v%mEg3|`Q%1Bd?VNH8GJ*c9Vh%G{@1oKDS)DXT6y5&9oNN!<DkMlyp!p1-ZM5SAC
z78Vg1PLA{9639{LKJ^*5==F<^P>1P0g|Js#5B3R2d4>-osVwc~B~CzO*yCV+Wk};m
ztj>}nHsGk+%+Ot68v^EAjs=Is4r(>j*plQlks?Q+CyXT_H&Ncx!vx5Nx-Ns!-q||-
z_fLfHyvj$2DH!GS1rq%TbOJ0$!>fl9wi#obq>&ZAHfc7Q`yVhG3*C_tjwI4px#mrq
zP*H2JgEWeC)c@YOFGu4%S;hD05~{Ck!=~DTsgWk^S*y-0GIU*^urRvjmKLNaC{Le0
zP55&#fsMO~2s<PI!UKF57Ul<!k(dZXin_GcfkZGVTc<z+mpeA9SS~}oYYAWw<ndV=
zgYbDXyG8xvU-89u{3Cy9EeWNvv&e}XS;HU%_RprOC*b#QrJ_=^=tVSQKM}P6PM6{e
zD{pJluvU1$=Vj*SvMucU|FO5aQ;5CAL}RMt;m6-5^dBA(6j&b&T1&Eq8Uh0o%@Xhc
z3)g$B=pLa_sZ;2GeV!bU8x|39^w)x3sryME2DaSNwO?O_x&O6_c_~E_e-nZYG+QPS
zXGJFW9^9mvl7(I3O9SKwBaoATo=H`lO;{q-q5921WK_gU_wEIn{FlV_|7Q$7wYL8a
z#>n;CULE4SqOHAYKp=JNv`CtwXq+WIv+dfYmJkc2{`EkbUyK_3`3O!$#2DxQXBOb^
zC;v}V_i3I!oAkixFxHo;*M}2NjI%UeI}DT#6m&N<R5fYj%(x`gPzzl*|Dn(i9iO)D
z6@I3ry?^Xyf>zl@;C^E047$P#)RIi4zQp&_eWgJF{zDN4UT1+^HAV?c3gM&z3#$p$
za5E((aSz$&F}w5uGwiDGy>4RN3_@zSg}wo!eQwa7rM$B8ThhD}k_brB5CLXl%&M=C
z8Bn|i(h;UUNu)xjiEzz{b{Vu}%zB3)`u`lH0KR+$!l(w<*yCSMxg*TCy0)gk^BWDD
zn2WPqxDQJh8DEW;pROJ!+zdijz+u3TuXMx?TlqD04wPFx{8K|i^@m&JhysNi6meD`
zw}n}JG|O(VoXcQ$>492@66pJOvjb-<tEvu*i5(;Y$Sy855FgMo*<L;s^Ed@@=PvBU
z6tRt|sj0ssu*g?{c5CEYpFD5c$|9(z5XkL*zfNAKucVF}R~)R9uy_geL;sR~b$;X|
z6>p7U@@Vrb!|yOjmu9>-f^ezdYq~vle;Ua1TCVec!?lJn)A8pMLr=cq(##Ruo}WLn
zvV>5fkbftf6O8Kl!U;A6{UVn6Uu^|({WAnt2QnT;mcNS8w&WICJMn}8LKDSp#W26d
zpeG2^J%|s4+DHsEHzHB5Tk1{+$y*jtR6;udSRp*1dZ+8d*yXU{DMiJ^hyXPaRC#vF
z+81$Y1cOS|B3iB$!}_HNkoJXHoT{sW57N8#cC;a8J2XZTT+JG+I84yofwCAjQ-Xni
z)V+bJsq~yxe1m~dgN&Q1)Bv%U-&|7)%k<aZIdZ0tkWwMp5q9qmCZRoO0^q%T>r2DC
zk)b+(5^)Q{CK0PxU2IW?LtTNv8d6H^2J{e2;q5wQ+jk$7AA_84YV$K+x_14!{qp*!
zy0qF73Jk3l+7DAQi@K5!<QIfGTibp<F<75MBvIlx-Id5ccFY;ybSuhQO(I`JQ_X0{
z7V(8^5~9n%2QsUkLTco5EnA3iJh8w~S9XxbdfuLZ5adJ14+frdevy3eBfyhoV9QZa
zQ4u4gP*lk{t(1sC&sqG3p^OBnWh!1eGBPq^qL>s96_SWMAd-Cx16_NdST<Sqb`!n`
zk>kK1(*cOdF~UyZwwu7z1Sv(jtvWCoGYAp~&U#&s`PSpdk82NpCXDyxg^e$LH~r5$
zr3bNWG?#4(<gD38on_p5nM5Y{Flg<FdDb2}llv4V0RmO8n44b72xOnW-%GMIR!kVJ
z+&8y*`=Rrh)qC$BJ=NM-C3Vm+a(S)HcJ%nB<Bm-IUlwLX>$^SLwLPY8b<OCTCg&gz
z?R)!n-Z;QAb`0G%XUs_0J33<OCaK;uq6++id!!-7Rea3j-HU_-A-e$*fE`Ah&0DaA
z?gO5|Lqpj(==o<n`Ld2q%e$K%F~23&mS-@*&J`92AMMd@@g>O>7yh&e@qYF^ftg3p
z#vCwxfC3_e`jefPmmYq@FJ+E`N?h#8-JiZ+NB%4?szhDXkD6XW1IGgrUcH$D={m&8
zc@Jdu7{&!IMhiWEBlgcf0YDlE)ex2EGL#f79`}*8Tx2sayqUr}URGAdqhA7LXdhHV
zLes(vP}2NC9YcVlkn4V(E^B9ZY-9P0_oA&Ld1zAY=;QaJ3&lg5NL;N<iW^!xJLJ8$
zZQF*2Z-gO*F^>XB-?ffm&<x$TQsBP17APAKL2qNN#@tkf@&Q2?yc-N$>U%;3CUNq#
zm4Kq&E`0v@aR5_HAL<kezSozP-HMK8QoD5NCzlQjm7gyv@Cm~Yq?p6kkv%_*age5W
zkkHFIIwGLRgpU_Otx`mW?q`Ow1s;4Lr>Pm<aBcy35VN6Dsp^(3SlxsW|MhEeb1ffH
z`*A;rh+t~-4e2SB@P$%Xwm{LTd&kT>J3EiLFPak%RiIs4;R+ZX^ta3_V#;Ii3v*nH
z*L>B5abJLg1cUcp@DuK$KA9Ip{L)j4!u1lc=@CMyCLB}HU-_gFJ!+WKhXn*eH`e+$
z*fAlaT}RLV^1yEA@LzALJKj#3_}+}+z1*$r(z6POfpi)E0V-6-OR&>tKtRLazt<$3
z4|4t4ru7t$$H2t7WSMI>%H7bwfFu+REUOX7J?MQ;qFn583zxtm3O$!|PEA3$Sw)O!
zX?dB9qQVG6F!g8&R|@S8qdL^bNyLF_Qto2<h<+lctV|GhQ=4bs%Vq+%SDMChJ&Gmn
z^RtEJf}!2kQ8B5!EsR?jx(f0wF+70?J=|r1sy=~Y6dB3T>?TBs*fA-$^2H!s^YN1>
zcb+|C+<8DS9xqFl^=9M7gS-MzH|=WSQhtX@If_Zt%CfSv-^Cy(5IX|lmeShx8k{i1
zfMnPU5YdPy(%@kbmDmH0zqm!~U-HyAK|qJ2P>yy+qzr-7P62M-?)&M{jo}5%vcv;(
zbql(<xF8Yxy&<OMB}(QlNX>Y#gwAx1{0nuiE7`^r5I91MpY!|VM9+XTW7JIwDIA5K
z?^t|>aJ$%TzCe)xTvO*#<)j6>e*@x(OPivjHF`!}U9Mv{T8km@0bGX1U&L34Y$yz0
zX_PIMKQ3|>&@C&`be>`i5(8yd(aO55={^@9?<sZ(fx<J3f~sD3%y4cfjjp1zeARj^
zk2ma@#h+ewn`_omk={)~uTfFR8^KPdj!61RmBEbIFYYOXqb8%e`{C-fYdMgSMMXsm
z9mi>)VR?IdPwm-fVlu3@z$b^kWPv0a7I#aZg}D17Cu}|<Dad$rCyRJAhKotW@B)bZ
zCvR}z7CfGU1PFX3-)cX+gYIIhyN6Dl2=(sK_Ek&2s{MFwhxIH6sf&vut}pt_+sTFQ
zn^TI`S61eYqn=4fn0TIK7-w(Njh47cO(aEo_2EmeuP!LJS~`UWjTuz{frXyMM#(+*
zg^SJL0rrXAP~|o>UW0El@rgM<iHUI%B=pby8|yA`LGFcwm@SNc#`Hwo>3*IiCQ-3^
znYiKO$Bz%;dVKr#Z4VREeT+O{T-FfN11W8m_?g%%r$1N4a=ZsO%RzV=`gLZ@c8vlX
zJXU2~3O=S@u`>nLri${?iyDJa%d1*jpJ0H4hJisV$uuBJD}3Q5bn*DH&!jMUKl!9$
z<FHhVIfG^JXue170DM5hw{z5Wp2R0!e~jqhUHCC4FuF%V5@i`1jhK2x($OQepFL^+
zX&WMCi%$yz>Ue}xNAu*0b}?0b)doEA01$6*a#9fkJ%OGxTUAx_SUa0G^OLi&{K)f;
ze82Pa>z|ATUd!{Qa9-zTXB+ps4^2-u03KXWR<41Z48xwVU;q%metm`wGJaCC$Szi8
z))Wsk@I{LO^B;lUM^5D%1LgOJXBU()bMKBG)U}M5Q%VjUqHJsx@xC!hE)^<i+q<oQ
zmVVx6RN0^IG56{7^6D?g_!dur&!1!CBxPBWc5ZK4eW5HbpMYZ)-dJk0gt%Xioa`Og
z8ep~M=nu;){TuqvJx_YA{nR3cO956@k3_m@cKvDG;l_B((8oE_435<WB_(!NRw>3w
zQ6=2TlP68_oQM*nG*_o=y~(L;gz?x3_>K+Owz10;e-^7^fw%w!+_POO#KgpiLJQD9
zafpvEI7Ix<RzIn^diU@S>}hCXS0UZppq|~tIkDWnswY+&H3;T+2C3nT-7Tdl2evct
zRU)~^Iaa!co7DN%;V4vkPJ8xqssa)G1{^TJ5h#yYY;0^iK60t&<UN_eiEW>kKiAju
zw20RIcoY#)gJ(Kj*EqznLpFV@^T5X4Br&nw-z`iJ{t6G*eAo}4F|Ze-PJzI@5MD5o
z;)_AbS!fF;W@a^zPjX#s6`C>C7}J5d9LX}3e0Z_3KzxQqMrCj-gIb>#4wCVgACG%s
z<)1U(Co?sn@%z+V?+fo6Y%}4f(z7kt+64`++TGf<+VAG={`!WqbAH1wR8njHIP5EG
zglx7@O>at5=K{_e>woX<H}B_L{0Zmyp{3<9`UCyjMt9r|-6s~|sb22-w@{Kd{&c*T
zpDb(rUWl9{a!S1O`lyt|9YmXrTc*%nGX4TO?%}aQ<39u0BKz9s15mqEQq>calUoq@
zwGOd1)d8DC05jL7_dt?bYN<}9S}GVAdtW-km*kvSTfpIXLr2NMGuJ_(4VPvIaq4v#
zVSjS@C9vDYFDh6R0D&XLGw)2G@P_@lPpc|<f<fg(L|Tb_5ha-;^UnBXmNiFP18c*p
zS1X|hC}QeN|K9aOs%w^Q1y{2?^!UW;%}k811$@2TTX)LqGW2SMKF^P`le+mvfDHE@
zI3N$R0QtZ>{{Em6OnB{gz4s#f&0Cm5h>g&94}c6}a_yQ7T#wp3`6q`D^bE|TsJ{8p
z$6?*wa;u?xG{~*1{#e}Md5Avb6ed&K``wC>-&BecEGsYfh2e;2$$WtXPZIL@#e+wA
z6&4pyd}{-!L-_U!QmVCKnbmkSO6ME1-QYFf@i><D@wV1vtDEn#PBL6l4*A?(!uOA1
z^Y=mwRw?0;BpW{sHj*4V)LOo(X@41OVet53Y-_6w^CbY!kAkr|IH;OL=Ff2t=rPW*
z`Q#T`E>C;5SZ`CYel)%0D{rn<R#uMj2&yeDtO5!g@2KeNdI}zbx}NuCj5<u#;l%k9
zC0ayO75;ooD9e}m*N1+&H5S^N5N(m$<Jq0T6pgZ7w2M8f%aU@7VN5ZLL-a>nqehKW
zXR{&@Ei<;T_=J*(=ck37TEj<Rx`Mc{G&D3@ckUb^reiU|$-=^drVC(3JSf4zVZnHT
zve#xPdHK&DO8}CaHw_Ap9+jwjNNGzN+bn9hbZZxF&nJf)H!xwTS$sT1K8g5d<zYR3
z@hq<Ubq}^+rZZA7V9`W`4XB_YCnA~$Xl7_-r90|L21G$zV3_|M7ZZ6E<8poy5pE_X
zCPHL&8wt~LoCieb$v%2M?w369%}8w+2uc&U)|7{Gw9u`fAceQgUVnHnc#6|`{Op;|
z=vxKTpNm!ZNBP!(xUObzB3F-HI7mxd$zb4lD<mW&|94*2JWqhvU^xXYW%3(If6ll^
z8A?1nJcJsDqSXG<7Q&K=iAf9{p8j^F<51pHBylk55hkgv9;D4MDcMA^U0(a)fJIbt
z6ojl6xI##DUjXHSpMMqX9gkLOetvEX9#l{X^oDrKZX*9*SP0PhRKi;v^9|j}@x>_Y
z8%+!mE*8k`Q~?~2EsebhscoabJ2~!?oSk~``ZNCHW0JBac)$`dw1}Z?sQ$}<f^Xdx
zUOERfqom@wOfP%AVI&fd`vQY}T+r{uc<It5T=Q~>l}>k~!%p@CSkJd<84xog7)C<W
zBsmLFfpI-&NWtD~KN%o3aAlu%ob1d7oMgfC$KbUpqUR!3LX6N9E88zWan{A-Y@Wl&
zg0~p@?3n^W5@$S@j=|hCLj9%_)~dqPChp~?6DQuVis^?<jR)=jtml68Xz~q-2YRjg
zBWL=dND@!ysgD(VhE_X_xq4jH)3$v_xVQodI;y4BK|>yahi4$+xHsN#S0haPt^!*Y
z;EgBWg*AL}kFXnw2bpB&<Ph==<QU?yPsDU<#mNj|SQXt{f@*gfs_I#qW-ToGQvBh&
zKuG(5eCRWqsW?n94g3&M{0Lld;yF$TL1e#q!*=YLiiliycXt%XR2E{G;wzIUS}jl7
z*w_dwi}3w3V}=D-iM@zX>Z#^ZsSd1t!)sUN)w}Jlty}-tPCX`h_E7ZGr=L#udsawn
zEGtJxM`J%#H8oLlMrxg~?iQR{-?eMkYyHwFL?a2W`i6sp1@JdS(YB`;Ve-UM16=-&
zIcLsa<9*mD?h!XZ8i5mV+&uOdIss7{;OJpW0ScxVvQQ`B(#M!O1l1+y4*U9=U9swa
z7lT%^FgtjTU`=>{U;gjp<9QY>lp-P`@Uus51tn-kLX^jw%>KXX-aMYmb?y7tyqa69
zXwW>!(5R>+ng>!6ilPxAjZ#QyRB1+qjAfoORm#w$fl!2K(1ef_N<x0`Q+w^bpVzbR
z-+e!?*YnS_{@HEmJ6zX!9p`a;rW5}?8{1(XMPMT6(gCo<3!<l~^}{`s|BI-G`<i2u
z?lJlFnYclFhwiI4j7wq?C9&!*P1kdR5%@kV$zY9NX1NntZormXw{1HsVW>NG*bYhc
z@!?<E)Te1o*clXFV?F!p#2P92ZHtU`vu%Egv4z2OqIve^z%ZS#N2O({LrY(LN&Hx<
zTlBuU`1~pnbpjj_8JF6jF#LMD*YTLqaXp?D92?i{G3c!Me1!_N#TF)6Cl9xsGE-HZ
zO%1QW4I8})Lk{*BdzF4k|7R!5y?fTL3aRgScVu^~9y4{1fsP6i$X4ojkC}hGN!@kv
zaB!2wj;xbC-qj1(ugt&q%s+<Aju?7v^&x(N7izy?{{a3+{CURN)$_!UX8y6}^zi3@
zw*2+XK9>!fE)H0du)g|w%P;LZGoM#$`MW!VA7$r^9b9JBQ~cjxW5qjxrvLVr3$6_N
z{kr4kD<0Q!_3Yx*(<Gqm&ZK8qC%Y^WuVB%;tl;l=8Q#(6_b>nVABbO_?I!$DMMXXg
zPLel&o}1|>6e4&Owgc#CjIN;!xt(35*FaHqCpUp|YercS6@!hg{L`f=fp^pac+jQc
zG1#XQGAd^Cf(KCr#s-x}UWi0|Ufk%+b?`TRn4ROFhDIL-N{gkqBOBsMi`pA-?pvBd
zlvvzC^{Z5r7N`@loM{B^wIpLw(RzaOf_3G=TRL{_YVs_2NtXdCx~0>g)qRogNMNAY
zUY0!qWyB2h7d+Y#NACtJGs)nNhzJZ5ci>3r@wQX_)6l`5W1Ad$dl3RSR^dwE{Oq*Q
zRVixJ=ZLt*&@@)){DliYkX#vLl76nx8cKi|579V66}$;JZ=AhpJ5h4Buh{5e4(~Av
z^qpomF);9OLur4sb4QOZ&{{T2-1V%!eecVJUZmrq%suV9$<4<n3$@7?y7~fM^*r1c
zs>}J)r%O=K8FU44B*9nwT31&Jznqs`iVKNb0IzXr!f^#PHE(VXK+I$M?!NdHsox`}
zOmU~f9p~`V`f#@aY5YY3!=QHKxGQ&NrKGu(=1_-(-Z3j{@yI7n#qNUUg5Bj@;Z;;L
zfJ-i*<K@Yz_zRC;&8$jp7z5lnl&ZVZR?m$W?jbF$2~MrGY|ig5Bo+z{i8ScZMfJVL
zo;V_pBllnj$S#;PYSeM60i4(^I`EF&x|OhKP&;%1*8%_GYY$dbJd2+V6Py71qLRM%
zLs~W`O+Q2z5NJO`={WoE8v$tQ-#L$6p0I5M&dSw*C~&ocM@%{u<Zt`>`c?!p1EG8L
zKYa%k7`Nt5TdId<L^=Q=gFhJ(bE|$@s_tpLKzCh32hsDdzh;smN@NoVN6=$iIBT5+
zpp|S3mzhnKj9MO6RkJQTUpfaXajQR)@dA!zUH+`2Y@a(NWMRen(3XrIeFFOO{rmTq
zw15T7P-=)bVMkFUd{$<$_d>Y&f`S5=MSgJauk=C42QmM*7ol1ZP5Y3Bye%#5Fdgcc
zE2yxvYQ8~r__8SPOnVAot2EUpVl~X|9}rzuUzgIHfqCgGLmq;jg|@B0tKC4sm}(c(
z9kd#!9BEXiPM3KKvVqoe<oNN?fnlOH{9fgTbfU3<m5kWkr-MfDh|cxX-cUDQS=khg
zfdo?4(`@S72&JklU+<CHWuujqEhxKy)-B>am>P7Du>F<33C;TVomy4X`M~k!xE&<`
z9m*Y4O&-;ht)4fbZgzxzh0(xURC;S;>Arp678j>Ztx8-PxO-xi)l>g=Qc_YtihXDZ
zg{kq>sl^fQ(%Y+EPeXTl7uBkzQ4g7xk9>d!v*jaieLq*^#B#BR4Ld;SsMwvon#e*Z
zxW09moSfWpL&I#)`^p{>cW&>)rN~;n!yu1AYg+6^Ahn_9yrray_puKlWlwEU%do~%
zKf8E%Xn;OgXPahuM`%r$FyRupg=h<co~yXVrFqG`%Fg}^g@V|%#U~^D<1stweE!J=
zEX-FsM9Mh8*(ZK4v=k~Uu%Hm#Tg~6L^sV0CrKL*u-xfbObPmw&RvQ}`06u7QU;*cq
z;c8rFL{LxAt`JbPfR<-G7zXO*Ifusyrx%?Pk0-OWiI{*4i|*{xd;2;l?Mt@i*rzn*
zlt`mbiC%28;{X$}#N8qIIKGUcr4kk`IWH%@R_xYs8<wnZ;E_O683Z*k{kDcJ5-l2h
z{yBwn_gym|hq)|G8c4}0k2~eGy#u+Nx1f8sZtXki$F=M;yQFxm<G1eIS;|$RIQ-S4
zhxYmgz>9~OnWpRlD!sp<Gf-)uwLMAUuX#FekRR0<9Rd6}KG=jiJD$}(zZ@8t9d0ne
z@vmiiVMlml7hES$o+~czGy{R7cpKYS#w(Uq0OHfPApx*1%bsKAX&4~`YlQv~8hWzB
z&xwr2!*RQDLx2)QBpGAhP*T(GAMj!juSn#Unu3HQ9-Swp(6Vb9v$N&~(pvI-ci{HI
zy6dmMY1(Z8+Q!XE-=s7G&axx$Om>tYv<}0{8ahdy?gb4my>UH5yJf*UD6D({*TsZ`
zkFqVb;RC&WVYNaItkUgfv_FcJCc(kLWiQs(mtvTweH2Pq09fsk-NX*!r|uHAEJ{EM
z(EWHx7ieh}bISziLo7?Hb~Put-H;~j#HX^gwMAntOpxa+cU();-_@;GW6_;%BL4dI
z>tvbG;lH2e$3G==1KEejU(066t}RXEPm1Jc3iy-pL_D%o9g$VSHZf-9_37MeVOBM8
zuzGjzC^rRT+mg2`hK7dXUjd>mr-foyHANL6nOSF!$c?S1N1s0PDHKd?;^I(nMQ6U&
zKDo9S+?mc%Aj441Ty-b9tF=~E8CZ_uXUyi81sqM$;4?-Ou}v+eKQJ{J5Gd}=>=TMQ
z=XWd!R%G&uO8YdY?*{!*Vd2|{mg>9ene1(E>1h_xN%mlmcd0T(e=5zg`#)(|xIAJ@
z`Y)QTg_bv3zpEcnk?LH1_IGm?N|l*;#KI)$jg8haKaGG4E5jT;@f!D<N8Uc!!@sbv
z#q`x5_g&;iUlY$vncDK|Gyga+oWE@O^PR!})_(o<NxV5f?{b!x)je$(5m_eR@}nbb
z=U*8Xs>{F%Ix=SuPe3~1oPu#d2&!b1vCS4b7Z^?0N8Qf)1V(Hs+VlOGaY|!#XOZeE
z^6MZ)gvu7}mH+d^PR+HSUwI;AyNZ8H^i@?1`wF^Ip;D5PdJ5&gTN|fQ(?*A;k{Ey)
z`snu^tWTyiGdef1MV&r<x?i|aJ@|D`Y3X$A{9ysA$i=9@3l=UMK6tPr;G(}y2oYVf
z5EsHACE{pHryY7RO<mnby}8jv5K{~#7GXP0=4)yW8#OBY-+L-UFdz@8*0Rf3_Safi
zq=C}b|9F3j<+`YA?&o?DW`VF)Tmojmr-Al%b~*sFf>}nY!)wRbyvV719ldTI@KZs`
zUUeG$3m$5Nnp+EIQ?yfZ&iDV;0{nYxWueQGbiUk#P7d<@DSCO7b4%ABIcFGw`yqJ^
zs1w4X^W-}pWCyfxnk+eKRM>UD<pFMR6SLv6SiS2Wo*oizbdx@&f2EDq=4ae1^!KB4
z#!Kubb@6zg@%!=IRs*=4_3$uUJ2fQN0#}D76VQ&<15N-$jNkBNFyol!<5`z@0!R=(
zgUEq~N-n}ke#O7BOEHRKxvaS$YSmDLXJBSc3%HgtGKX;>QtJFFa|;-Z;CvorWu2m4
zd@T=)Qr!Gn6<u_^tpmIdJghqcg=m6PaWraf*s#I9e5v6STC26x;K`FG<H$%u1uz9G
z3zCUKRd`y7TgY&QWaYJO8(^?lc38mya_`M?>WDrhIvJ|qJ>3R8Wv`n_bVR~PX=YZc
zbE=6OiKrD7{Q;di2M@JM9d|4u3i{!zVSOk=`V0DsCu7{otOtFhzP^;6W@mjSj+cL5
zQISsP+Dcot*Qb{WE{JjI)B8wZMM9>%o;T&KNKv@UCNT>)wen)nM|jn5pF^GmU1X>w
zCJGU45JelsR>f=S4X+cYNYG;X(?Z#mdU<-L=daqE0goA%B#E<<^5lf7E9tok@aLfE
zX0Kh;CeD!Q_1Hy)WQeOyLK963Wf!k$@)H5Yc)(}kuHbL=45qYv{DpsgI${yM<?T!+
z5BvqCym&F<3p26v&3MA5^9XS{RuQxKaePpLMj;y@#d@Bf_M773fLEK=ub+)(iFgKo
z;~h_f`je-NNQ(|qB-*nR02b(#C;sVBoeWDxttR@RJTd>lgP?n>=Pli2a6Vy=%EO5?
z28>o_JbWf;^J-pKU)8h~--{6e+)Y2Am0L@(IWIb;$y277k4#IcPE&xb6%s^LR!rJG
zw6DCAx+U=FjA3waFYG}DF2zQ$M(y(F_-vyv8zk?Z!ot8q?+6Gzkjb8>b`G~+!S$Ny
zAa-0YtE_&3CYv{RzeVFpMutgr15#oi1Qr#S&G#>q*uH%`=O#Emc8R%iMM8FK@+p~D
zX=$CLr9HRBYubWO^h2j^cx{siqYuz&)h;Ys&MmFfbZa|Nq@MLpFzlhUmM_S@d4+X|
z#3K6IHNo*oJoZrP+@XWh&?<9+rMW`WZ@>H#y+Wn3mc)_^CGYxlI(**z<I--^>3tdh
zMogXRiDCor1#?z6es-5w(&z6(AC4zy`0{hrR>;8)CnZe-`JH2TPy!drV<I#AqNlg{
z(f?z6_YqIq9_v0(^-0L7`}EG^Cr!#9xWcwDKy~8wi+g^Sjr6Le*h(<7DnyJDAH0uD
zU+JM12NM#e2*Mc#8W2XJUD!cXOx0wW&^iP)C7^IdlSQ1t5s)#moii{6SXW~Vdh%<N
ziAlR&D-$h6fKS6swPL>hIEn`Q_kMI|bWmNSm5&n<R5?pqX;xUL?xS-?Rxvm&r2{t`
zIBP51mQYf_@#&mlM75d~pd)D@xo8l1AAq2!ik=RAL0bXQcZmmv74b25jGGChq>8$5
zeM!JG3D1L@;klL-<Wl?TNWYu_&E6ofQwZB+W(QYf`+o>L{wO0OfC&z>(@}Q$YznGX
z)NKSLVirU5?gxcLB;VN!7lJdcL2)5kjJB;Y6^YlvBa+h@L#mffI<Vi22>l5tL2#2j
zN>5+M3KJyMvhg`xW;vfc8OXi>ShyrAu@#QH^iaL9;1$<^I<1E&E1!eEQ;SXFOT*WT
z0~~NqUtkhIfR{=gIeOy6h{==tVEa|{>A?DCe16EJOi$PiIWeE@Fb3W2AD;{X*;x+3
z>u6l5V<7HOjbYD36`mXWqLy9TJ9WNMUf(Pe-PdNeN79x7<M`TTu^V=wbw)5QHT7aS
z6;VVc((+rL-~1W^iiP$b?2uenvD1JG1x%Rt9)Z{phFatuD3oTh;quUQW+jMH1)SVd
zO6opcGvGxV?t$PZ3M+rQ)<FCUoKWP@8b;jD$T)!@%ChtpM-vbvDA-B~@e-6`yFqt>
z7wW-gnaR4bdx~_|H$W5lA@6fg3;#f5fs5xI_l`UN=HtitocxjL-!&lKek-WF$Xyp1
ziK2jUZFoPCHsSTwDj;6dJiPZy8LLeN2P8AbPYZLfFtk0TMKOPyv(o8k`H0(@oiEGm
z_bRVeUHOM|>%;wf^r?>S2qM*|qm9Mk$Nv#yl9KJw{x%Mkb3>(C`X!aiX8!^E`Y%wa
zcAXCP$j!97UFi|IU#wGOiE8bqy^jo0*VPqWmA|r!)3LlRfLp~fGhAd9W_7<_?7Wb_
z2{u}v`QP_v;wApqR_>9-M*lQ!P%OwE#uH@2vN1YtfL<g3;@}j^no6e-@mRDzP(>kk
z>h&bGrump|+O&u}$*eSzj1w_(HZ1g1K0(_bgN~IkZt2G4+=7za5h^Mkco@p{s($>~
z#rnO6viK3l2cW$L`4RCZgbdmY$}lTtznqilMDjPLAfb+7m1E^IHhIu88;1_LeKL3(
z+8|^vIk+LcYWahU2sAcHVgndubfXuukw(U~P`2a)6l%*=Y(J=^8=WZO)e!6Az!0yd
zr68TK(6o*t<>f=?U%9lz%gT5F%n$|@PveG7;1i5Oc6FaK$YUZN;2kf8g8h`}o74v#
zQdeNV>tLNVj|Yu8oa9SScxIt-)GzqTy6E9=@o=2-l45uyO?c=twbW-Q82R{cz8*Q*
zFG@?sBw{6_faU&TVsz&S1&YIzt?$}W?o}F^S>bGJ;=wvONd4qYKUw9X@{Kj+#NY}%
zEu>-2ym>V&<OyO3+uQ5_k5L9nBk&;}I0=!&Df=r{=f`dV+Mt7Yy{Ey7b1@7*tZZ35
z-(6PE)1AVFNAY|>C*)ZmQ_Xg;1+){^-!n2YM(_wDjAZVej-`tlurgs=J4e#hkX;JC
zB)$qhc`|J|$f0mB;qF99Ojz{)6p(YwY*3nLj-_h!GVkIg;@_GhzUi;N=b{LbsjNIP
z({HehOyC_W;}=HPx9sDcxjLG!>R?BOlplSxRDmhG3d#i$LFM=^YsXgR(+-Y?5o6|6
z3fy^#3!SB2Bwzvpi7f;fTN%=Q0*7$qfreQTrZ`sNY@kLk`jL|-U*H#o@|v9kRP)x|
zy9ekrz~yM~*MU<Aumi(cZ@Co#I?+IHSaO8kRFDifA6LVnb?GzC5nc-T@b)oDg<3W5
zw8u*Wbo_MX<JEy(d9rF~XL4}hdQF)M=TOYDP9zMBtm7jDmAU~V^!D6rP?)H^RNf6r
zXgqOi=&XJ`c0lixj{L{Dss9Giywkq8T~GQ_&)CjUES*JDPMDS0XtoV<5|yH*9O-4I
zr5(fYdG_?_>HL-B{<pd`hAIsJ&3vgo>U&h#XA5gVX7VD9(xH8YHU<gKdZ;4m{aG)s
z6Fh<ZU{rJ?g6b#m^%B(j2cUZ*gbG!fga9Eoy;5O-u2l<+0buGYn+foB>@rXGseEJm
z6FXnq&Ko(6&@~=Fnyprh5hh$H8lD66(G{P<HhbpVusuCMKf&hGd+MmDD<Xxwm%)XZ
zTsfT(>+FSE&dvGDUe;rZH@kDNqe;lsmT%Zmz%vMQ1@UrxkorL3wgPYrpHO=5`ST0x
z46VO_1mRhH1O_?<4${$PZ4v?*5WRtP+q2k=cYc03H0-3L{;t1L0(biEsK_f6rW^@0
zCg0S&V?NY}uQmhw5_gAdgktbE2w1S!NS)=3l611-ur6s=T7ZsdsPNo9X3TK@5V6=Z
z-;_OX9YDTFrdsztd#ayLw+$1Mf4u9=#Alt&0Jri}vPVs;cFuDee>GGI#Df|@2J17$
zf%{s%oX7tm_(!uV@oI{&XlyKu>j-qp_Fnfm#(70@fe@NLSZZLaGI{a_`=R{YDLQ(*
zXv?7H0GBt^InzFj9O=Z49D|a}OO+<iw$y8<NHtiHe=Wl@OjLXBWmj$?Ne{{wo_0~P
zzp-;}?6E>RMHs5=K&CAZw&XVLe4@-E%JqNjo<3u`J0cN*7;f3}Wqa(G78a<J00I6l
zVS+opALQI2u>-{7^kj;P>-`1zDUKH7;ghSRIEZeV9NV&|mz*+{9eAd4+L|oR((DAp
z$E4Fnr3{tSrQZ!nMVEX_TqWP@o;`bpK;Y@qGYAAKYwX1S__cA@p2*$zwr9P1<wc7o
zSla2+r=O{$eH%v0&9|<2X@nXmyP%5EgcEQs2rUjs0v#NpJ`rjr8F?x2fsB%p8-qnF
z-3@y2F^ZEWnSnzI;D|X_?bnZWpNmqm=u9(FImXp&o@i`aEGb}D3WRgpsoHidDReaX
zwh?7+wD*gSI!lWFn4mLGo9O-<+AFbDG1-a*jwv{-a!oIaz`dGT`v)ws0%j)u(w_UN
z@O@?+Gc?mHTS%rb8tH_5V9^Rco9wQK>)6Mbw1fDXg&j=i&Y2Uvr^$}eu;Q%>o0SwA
zE2!u`Q??DqVv~Drl@W=?2cf=&R8%xzltN4{z}<T5SAn`A_pdKiZ+^s%du-#_hz!fv
zJKKHVG~1Z~&hAS}a)_=1$saai#33Z$*=*wMULg=p*EScG00xWaLV&3EZc!~1P}sC-
z*Lj`zp-_8^2QR9$v1J#tIm0gIDP$O&(&FN>G<v%+xV<}Sbr@gR)FWJ-Y{Y`}kayI7
zeeEv5K%#^J14j-YKD!~A9ZnIRh;IhNvF=d$2GktrR)sZ1h@?_e56LYJ6y|_V#Vhnh
z?Ev&8@Kabr#5ocDXBNMIe^;z?UX&T=S%JQxr?fwV&b#vRG*(9eoQ_bouUPT^-Mc%0
zQQm!P9Z>TZ7NMs4@uKM0ecpCQ$zstjysKYxIr81eV)M^uk9h<cM2E*@9=*6?iN0G?
z-*7AMczIu_jNYER=RNCU8yqa^#K9i_Klt1K-rxOas7_T^*VQw;_t-Q|wHACYxSPQ7
zLfz0&D;XV<cT>J*uC;82c(rDq7PQbTxYa(t4%=E**xZu;1@rsw-gC(ew8DX5gInf}
zV?)BCkIGB->^W=x{P}0BnWOtDSsaAHU}Oux@1dl9^O(Q|S@~vcNfWIMzviY+v;u;U
zTw4=1f5l1ZN#X!T#tD+|G^6YLNlVuton6f#Lb20$HsLH$sx4dlDs&b%2MI)8ST_*%
zMo>60%yBFg*al&D>)~uE^7C&lCL@(q1FsZ6|AmK#2ZxCC<S>~&5SjE0dNv!yB@gZ=
zkdg6VQ1~tU9lV&q@ahYciX7W9--jk&)m*elhM|q|WtnAyiB&q_{T8H)toz$62%hJD
zw664mKp+7w-WM*+hv_XIG{3Kq`$<U!<|p$HJ|HA&Y^vI8My-N>aB_9+CBm}l0~f*4
zArcnzV)&{QZ(33j5i<Rnm1L)OJeVdtj)KXeO#HJ8Z7I9#dFFZH?u$GSm;-MM+>B-W
zBjMAlkdAyv;%yHxrHf`0!uU3uI1R7-*(m(@jIML`d(nQefwTHU&c1*8fX$mrDYqkq
z2AQY?A-2ZBR#*#uD}XM>W0rLXpFKb2AjnXb8J9LKz9u4N;faLVQ$V@ZeI>b|-V+qf
z<~<AMF_l`-K<|tN%pdw&Xvb+iK5kqVmMfyB$kx9oKu2PGwh$x0pq_y0jL(4QZyQPb
zmG%?OsU3MYFCqg3H!I7J8bti~8W>4>zYW(c?X>3}@3Su|YP0*vR&Qt-O}OhVK&X0?
ztEl^NE0?6kn_$=zLO@~oK|ButAsXgS4M~4X<;xS*iTT;QxvEoc#85c6DK?+_U<_Ln
z((t)3-dSi%+p6?KRZQ4|2YpiOUJX;^7J;a?a`zm;qE|ijUqhWq>yqv3HVMBI_HqD<
zcc_a@NGPFgw5<6F?kUW$0-VLYkG<)<5NGBF#cdOGJ6q4zEn5apoajpB*@kzCdKPE9
z@WQxOj&N;PsN+dB?XjMlLCDos<O|<nHZdR|D$7EwItoS+lvyyVnVBbPzQ5uelJtz?
zOaPD_b};iC?yD1&wis2yHo0kq=*G|h3rluHMCF9KByI&05Q^{Edk(L6z3<AZT=wq!
z9jh>H+4)dYP+bV^C8Za35>t_l%bJb;hFqZ=^9}hvUug*&f1up&f0Q0Xarcicylxvu
z1OjATh(k-sHiM!PM=D?}ds0&N`ST)RY8q<0Tp&Dw7vLyDq(Q6OdiBO|`^~=MNG{Rh
zPhDf|lSo|=SV3RK^+&E=yTdjPF7X8@bD72p3sOr66tTSM<<&}@e@cxgp+mwfIn%62
zY#cyBNDs<zqG*ph7{SmHkQWjv+HFB-bIb(&oOePMuPAY>%h#nLx)6F^6PM<^YyKvg
ze-(j$@qzAYvYPQNvxug63<bd;)KPE<9Gd4QWUr!y;1rwW-R_7d#qf1lC*kJJ?Icbx
zi6)TRiHd#f*s+y1cxr{F4F>;PsIyuzAj~?5IcgT2ICDu3^R`auiH|OIlm|%4`#CvF
zOOt5v?b=QK88<@2=;9~fIa(?GhfP^_JN9#d>=D_cJA5;8Um*N+N=+-y<$QnXlo}~p
zu7*)*HYmU$p3%S?oS7awnE`G3?NYxhl)UYPJbA?-A(!-Y3bgWDEqMdI*$L4`uDRQu
z0XwI<|KXNq_VnNQY}NJu4xhDux=G-(TCo?esMX3npc4aWMmuwxTK<FGpG((*7a5<b
zE{P~8EgRvjDIFN#w|GVC{!?wb;06HmDM)s>xo9AKt|_YuRb$y@qH+H>wXWBYUAZPC
zuTnll!~>1()tz%&W;N&9OtfHagcAVOSBRDm{$eJx4xJ7cTX6u(J;lz~M)zv#gtT=x
zXE*|MbVbjpF;$JFJyUlYQ^|=wh~1eFgjbB~3S=VA%9Fr8kJs1lp*?AcLW8S4F6jQF
zM+<Ih^_<>If7eHyx85Bc(pqiccoY0lLWIK309gwwwubbD5yrLpANqig>TL85kc%Ac
zH`tfDET<SZnih&i5KYR8^?RH_cmXK|c}%>jlheGTvywwSWNz8noh0qIhXfrmjqks7
zv9*no-Hb89X_wfsoX~k{lDgx*-$HzsXQ~Fi)1Upp<D=I2WftmH!p~ay!sj43_#a`s
zkp}t+Uk+7LYvNKWmM(%xWlDd?wkYy#=$c4AVVTMxi2ac=MfK3Kvh07yc;~#RX4n)5
znqZZ8<|+T!i0WsZrDeL<L^HC|)15()cmOS|lQSu`)_Vj7B7xOJcWu=|zAO?v`RLK<
zvAe(X34*x;m~Lci>|372SYWtk7kE*;Vd*e^!m&!L2LMAf?;_MvoWvwTrG;$^$Jhq@
zrBt*BbfVCA-B|J?*x%W~t&*87A24NeNozoSx3bN989UM#yBd<W)fonu2c;)8G6_mz
z=1NVSWB)X)?_sF{1H{p#w49fWZQC3lF!dbH$+A(Mw$SuzSf;au9Y21Y@j)&o3NZ^P
z?g#8^PZpJreazQJLLemSJ9m!V=_Mb^r%{Pgx*djq{AyjLIR*89rU$jKe~zeV3L<SV
z+;t#)cGF5*pvibT6#uzNoO;TcSZA4v#Tf9~q0R_w<pEo;NHAfW;93c|*C7j1@hCh1
zjgyFn<3I50u*zK82f@Gz7z2EY(?)LLmroPge_L1mlZYJztq!Up4mQHA!URX~R*do~
zbSo%==0VtNk1G?*o85rB%xmK(On8rA(-b6x8SgL_$<t_35_Jj{r%m$$#c`edDU|j{
zM1qLpRbgKZ%~l|V5zf$pg8GErM@r~vu%k=`Z4l>ch~pO#|B4SrYNYU~9If(F-<$k>
zCu#{}yRs1!#>*3WYlxOMtGf_j$}KJ`cAS%&quT#zkH2woVj{!t-TdWmbH#XzXI#Qz
z+ml`DpNm3pyhLT8?pXKOe`*u|jT{Fm7NGFWhdTFKns}K0Y5#L-eU$d#gTXd=oj2uM
zOY%;Cd~JQ&=~(jgF7<x?Ew2{uuBsbn3i2o(Vm|$h&}#3$rI*1Sv;X5KqObq&TKC_t
z*5xe2fUi6^j0Ng_Gf_NEYc3eyt8fBB%OR->!MFVAth(<n-{$oU__cYQ;++%+BN<zz
z;5d~drJ5(|J}rE;Gb+2<?#GuQSY5}{vPH(Jh7H^7Am^qb8c+J(uiw9$LO=@$3TyDX
z9e-unpaI0KNLM-cjFoy*ZBL{<_jwZFq?i-*HV&jdmohc3Ox$&b`clJopMyV+e)iBz
zzu+y&KX*sgj$Sc{CvGihGUg3&+TIlo6sWa*d0y>-US1*y#<8%lu*_40*iofK&;!JS
zR})jIE$!x+-6+t$l8c?2>jp^Z=BJeQnNOOlb24~9+O}l=bsAe|*^6sqMM_3PLoCD;
zWz{$K6x}u%_Of4V)M*zOrWp<v=?yIGd`U5KkoPyE>bN_l*JEnNgb|J+qPrMRwaxS8
zU$|udD9#$ywD*_GqkT2*ZaP<Yspamv5<BMm_@qfqsjEzmW@~Oi%uLIp-!VQ^!_Ly>
zZ!N&<#BcFfQ-m-AL>6A!7bj-;ifbq73i38^q;R0T^PznGEgznK^@!9+;E>jF9R34a
z@4OKj%9Msv;GAISuEGq0^VX5RqWn`G2TO{eK@znEgT@5I<989wm~cglGsOIMzk2yn
zqiN-<l)bB>V!mw!ZN&{WlU+|}qPStE^qw%^HSSe8rPtFuCyB>SgsNaNEXBz(eB8Lx
zR5sY4OD)R6F=HYhHZU`jMw$~VnKl-sA>4t!?G%3-+4TBu2wt(h6McVtZ{zzx;`;%L
zk_>wnpZ@ioQE%?AW!Rt<m`Z4FVV%^k#whd*==eR6bDpGimY)*YTWd~~xCc5*$RwUi
zg>L>;momlrV-H~csF-aBWfw&Bxo`7ft(3QARP3}bn`<qMf&#;qDsXHk14)rM`s1~2
z=>T!OD^5s3>H{XM-MI37v}M2}U6ZfBd?x%DJ;A+dP@{`>(3INPrYMidbH)%<;zV4s
zya>nXeKU)VrHljQ1dS@e;t}EsFd^ovpjTtT(kX3Za?at?G3v5__otlU#CXy%ZZjdV
zs~IO$D=90F`L;bCX`^t7vK0zHtU=s{Kgj??^N3d2h}?YUD*3MtKl?AUt!dA}8l%~=
z@{=jh6JUMCJS1AxCxNhX`#^$oaDsT%5mVd+&=0G!|IQVz59o}Uw?eWNXIJ`F)vF<>
z5V3qH(e6NSdA^QVF-cG*u*yQ12wxzqtLRr+%-lN(00cEB>JW3RU(?OrxtcyzXA3Xv
zTtI#%<Nq60(+38g0EElAI*~o%OUi#ljnuH){L^_y^r>{O2V|ABc4R@5HKp=GKw|>F
z0xN)b8m6LRXl75GCV4o5ED~}Mo<FZKjb?bco9lg=hYTL<JKv6;fLW%PIw7tKM+<VU
zC*!|Zc=&3><773B9{~@jOW-Rkjkxw&$Pe-#<<N&Bh4EU`DeLAaJ!O|)jhpwRFKj>k
zkcUHvdj6J(+TI9)e~V|=vnc0WRky1>f@Fgx=aSY0PRo1nz^O$LE)7k>De70x`+u3^
z<nG?rBHnQ7vryIg@|uKf98l;JK`i@D-r}2i{Tl;(44132BFJg=$L%YBmKaGvbz&cK
zMl5VqD9j6#x*aE{GD_f2$DM5uxvh4GC<@qAP@06r^<Og8wRm^c^XLP@63Jjn2ecXp
z9hFM!pWU~{T)o=<iRF=yU02UW4ubQbK^cnhiFtC|#^-_=x%|qw5XUb3&|U5-<!?Qg
z7w9A;yE^g+!_Zc2jf_W7c)@uwsm>vJKpRWzUMbY6debMh7P@uXsYtD6hS%lDEMUh4
z_-|cV=!Pt?2Pbv(Iv&*Y!DaClYwPv&;v9s26i7Li9uv3jBDj8WXaVQvJqvu5XzKzV
zCtT0It0ymH=z)?q;mBA-?!vY~*hD(6V&Q}UZ9}^!@dWTjoPfzWVv7s_MegFlf)(5r
zZ=hArQ~7@JJLk)0Au;aOUsI-d*5AZbXfVuF$w%KSH|#W1L=CGzXqf4=j%`e_sq7~q
zB&Gs17O|s9np(A6br8cjx|MA5CV4hG^s22+g*@d<8N4y1O3X;8$t~R;u(;qSDS|_|
zP0)Td;1}p)<{*s$AaTmvv$%Wg)6(m;88=6Xb4?hru>(E}L<fo9hu;6VawRCSkoeMh
zZ9A`rt?<#iRA*b-9CHN!Zf?UYoG@y$Cv9bq<oPptrzV7yEVnUR?Ljk$*JKiy>GuYR
zK=@gBI0V%OPb90I{p~K*$AI#T8CM)?gaiqRV}I`HzU&lDjaZvX!?`E>V|<Yf2?-J6
z(wh<fw#yEScSBCVx>y=;_v67}jN0B;*_wKPE{>s2CT_g6S8_$%hE~0-AEnf0YfisC
zph)l=qy~sX0v*|62{ocIgyYK~9EMM~n*AQQx3BNR(^uYAk2%WlPwWb5j|YJ$+K2+k
zrc94^Q~9ACLl=+8U<q0W82}Gv{jWd+t=qkiS4XVO%nXdY=gc<N?`-m8h-0;lJbYz<
z{a+8}oiFv%Rd9d0yVEewF6{@e2v}X6+FY{meoB0Uva;p9Jms(rYwEXY>0NsavRD1M
z(%rpX&k;V!N1oJPMB%N2f1BMIa`8T0yjcot6+E8^A%TpHjN7f`{VhR0WTS(sUF{!^
zVsGT=Luaw!@Nn`aoZ{o-uTH8hTciB5|M_Iw^Ru@{2R*97n!vu%6LQwe+aJI|fW{y=
zA~p0MzU(z%CjxBX5Ydx^_NtX$Ioh26+Uvm_z0ckIH~VfpyI;on`e5hzn-bo(?l-eX
zLcp(0=H{D*8>J<hdMqe8e0aHgh2Fw<7RL<IMt`%hnlP)~N^ON39{sMn=o@w#+VHrl
zyYcq5j{Dr#^yrgPm2zQwrfTU$+is<*MP^ffP8gn|)U&s1<>B@Lk`^3`X6YVaQk<0&
z<ZTyvCx&lSQ)n60ciZ!s9gIv|m^l@3esh9kCvmP35eteaw1urAS4}gt2JQBEa2*MB
z?3pCl3E2kVNW|8{K!5!(%7+-W1W669)?Uy1&#tqQy4c*Ze!mOUX&%EE-r;BEcJHdH
zvM?LYV00Ge<mTm_6PzgzBl8u@XI5>wf>E;cDb6OL(<zC5FmN4XbK;M8&eP4WV0ZBU
zb_E<KtomBu_eg4Unxa;Ot;y|7ULzI7FjBG8ih2Hi%eR@gOD)eXLgvtXuXX2NSzBe7
z?)AR=sCwVYEcwD06EETb&)w1a>C2CV7cArr;x{!i<&g@Dx@`*CChY5i(uJD}om*z1
zyTeE?ezU`dU(1-4QjwvF9OGg#+Dh?4=l4DRal7&Tz=$QuSIjUz1G=O!+sJQ}#w-Hk
z;u<N3OGSi!h~%F%hdvcl8KIw%mR30A*x=|_AL0Hsw9)mx7`=*8R#_H+Kgw&Zqbh2=
zg@L>Yud|=)94(?YcJ3P|4jBdoxHasQs(<`$!fD$FEH&sm`_e|+nJy_FtAmo|<mE+9
zFzCno@^Zs`r(us5CUv!W6SY;<a^92)R*qY1E?EX1b@-f6DsLom5D}{h?GarHv#{FF
zkHe6|E>GMQtz#c1#GvtNmVtK%V961UK2JQ`&Ng<bfGwAo7}QCuSn<Ll3&WmOxMBRU
zc>`?^qSa}?Orq1y0gE3Or`%tXxWi=hpr-F~=Q~Bpr(cZdZ(C#*P|!}rvD){kwL;F5
z-Fe~ayMJ8CP7C6S-$tL|m~A*6+6~^FJe}DmvJaI<g@t~P$WnUFM&Q`#eJ2tBf%9d@
z)z#&{ulm(1W*mqty8h2oQG6wm0ET^Mpqqw>Q-!wDH{7UINfR)X5IyV~$DEzr3hnsY
zty`lr3+<kc>+4a3{<5{kf#F(<TMOQQ0v(|Q#~c}$3@J=c*9<dx2!?#;&P+BzYUTFN
z1rpyIj+&10H67&^ZS6K=`b|~8gn8#TSB7<GYQhQR%eu64+jnrBYk~R*rFIv=*1-ei
z!#8u}ssyTD5h#ofhb&YL4h^Sg`M~TQQav|?4O8R%&WgMfglota?c})J8xM2u!9dbk
ztp?{#WZvnz%{0*L;#@zSuw4~th9(B}(?`BGliZ|iRsQaag_r3k5ekzx`4r71yw;WI
z=plHqxN&Dh;4$3yj5TY9fHNAJ0|=bpc7qa|=-%k3XSD3+rxiXOt_F_NOWu6dG|kkg
zm5W-b$;QHd#hvZ-%yUD9n2+@G)9>D`B~WE~nDA<|j?d?9({lERtdl)@_|cO_yx!B;
zB1Xu`EwJ=IbJeOjR5p9zRI5J_igH{kfnA%nteYv_T5H6~z|N6#K{CN14I>owp6azX
zmnA-K4$IxG<M@NYUB9V3H?LT2u02UvYhU2TYv-AeU<T9qCbz+xT#FGG$Y2lSTY-2R
zkSBv6l2dvwk^@9%zMQTZV2{pqnTN7=vF`_BV2W=`_UmW(e$q(JymmQ#S{Qp=Tb=5f
zJGnG_(;SmF1IIN_@1S8>{X0!Zr@dsDu6)GS!E_;<ohld6RRpcWngA4NhIJO_GSlo_
zX48UkdiciL?`MUEk3+@X)YNv!Xp?`ID-7K8V@-rLkJgT>mp|6n_w~FQErfrI76tnH
z-g*<Qd02kcg{RN5qX-D<<Y)TuLZdfF00Lag5JS9oZ*!-L6YhUCF^r0obj$tS*7P?r
zp<qah?GWt5tr&7ic*P}Oe+|&IT6A2;lQh9aT)v8o=R?-KF1NbU^PQF1m$vO_cczzJ
zKR`*zhGT{)BRaD+2@1YfuAHW}Z0AW9CJ`<w@q~e_TrdHEV)w~ghaNg~NYG0})5uTy
znU)=yNp*I0UnYowS$kWLCQW+{vmj0v0l4jH{5mh<8;hiCWY~;)#|H&zM|b(SnGX24
zK|n{)Y=SR_5wZXN=`8?UnzM>hY=Ak64{xDM5KkRl8pXFB)CXg;kN)`yvvP7vZ)EQ*
zLPaII)ig^Ee+mIkXyNl592RJ3ykmIBgtxFDFvdD`>R5*yWj9=ef6|`2x#<NQ(p>uc
zA`6XT;Uk^dch@c4qyF_?PhkPUFM_F11JMvy2uai-D#bP+0-C#^30nl720oDd-S6_{
zgYZ{EiA)AXzx7r7e$HK1upUTSP+vkX$yG&=DGUa{@;i3liw|O&7QHduXa4op%l~l5
zO<!$R=vWdyz+_ik5mdy$y^UKDzVFMveSx`L$l1mGONO1u`)4pGR6=C&%O?F9ffE@}
zc-+p<D{1U`ZV?lQ6~=|VD=S+7E-EW8uM_xLDGyX#R!;6MtA%T=x4aoiZTYLNL27+V
z8z+TJ8${QYOd7S#$6-}l6>XKk3U*_`eB&Hw3m+lU-I>3%RU!jF-Rv%K5_-}W#-ILF
zZq%sD>^5R7r{V1D6{(i*mfWC*3Ww-?3%C4t>~$I_OM$Ra{=T8>VGriizz{{R@=VR5
zIIUtor-9<UZ3=+xTmRtRLJ%SJR(u9q=$8Zn0(I<@5md+@sE(;?i)jp%T{<l)uG8A2
z$=0z!VU1tzbRPTVR-5jpFI;%YJdHfjjO`&eIX!AfOk5lrX$Pu$N8i+GW`2?HCml9;
ztQPbwLB{3JKZca&(Jk9TQ@ZW^04{cY?+6(g0%sNhDQGFzPp?RIUzsj9{^Qg&4xj4t
zFX+n@q-@w#u9be$@BQ|JJ-(%b`6h5IAxO^-2U&o%@_pzyJa-?CUnRB6ed4q=zsl#N
zpB&%vyTC!+X!aG~v?w~i&E;gW=I7r$mx#Y?f#m$<cMSZSVxMgl{42inA4uI(iGR`g
zn*RhB9}DNrZzwPJUnZSVxj&t);Lt4Wd(T|V2-9Zx;^RY7yvB`4@cumZY*9(+o~)dP
zrp6Ni^{?(FjTrr(Ug1B!nNGxFZSCHyFzE5FW2^*3cp<1Ex{<>{M5GGTuZ-sQa_<!@
zvzC-Kx9i;b@U9g#yL~z=wCUo%CZq;+Rqukt3C~{-Hy0=RB{qD%naH?+uFqq5hW(kV
z$q2CuNOQ-Rb)RnU^ywZvNmmGab9w(~?oBQ*4?ttZs%C$B9K#AxJB7NJiCviX4)r$n
zMPetJEm%*~1H5XvTl3+-7a$t~XQY$74Ulyb{Us2>d&aWMKo5@QQAq+IBFcw1H^;6i
zkVVcQh`8FrH_NuKhYk8cVdytBH8&@Kq%$66aULIBn#oOCystb#Yd1$ZWTm0-22<}P
zDJk@zdF9jI3GkYHpZMfKOVs<EEqe6mQ6uu0A$U507GTz4U&UcEaT^PC3QP%1=D9$1
za!4a;FA$7K`Vy3UbaY7k_M59N_%~|j#$Ha0u?@F;At;clhCr_QZI1pBZ3J_+%z~+J
z8&oePkG!4P6qb3wtL|j+w$F3NSInFI<bJYgb6b$4p%6zve2-?&+qpSAPee3cP_mRl
zi-2nFGy<wG5E@_6kt-sTQ<)N2crNTl`p=?CIS(Q`?8|7Z__?Kv4Ri;1$1FOqLpvxd
zL-Fl!<kgd~Wn+aO2ne5-xy+|Yvmue<15G|#;&_LjwH7r+Ppm2EkBE<afEDw;h%7_8
zDn1oyMqCh}!?oF#RXorFjpVe5aU2#RfCw^S*>6O`no3F#cf?cq7L+O`)AqhpTxw1<
z>?4_ralcCS<RzK=iRYhP(ZC-r1qVO$ExOZ(T>;@la$eoA@(#1A?Exf&01u);$Sv9D
zuCubBh=l@!-y4YKLTt%mgrmfARE0!bR5N-&X2Dxjm3nXj@+89JYi_Q37AJ1Yz2&*D
z>a;?FgOBiO#8i$F%KX)h_ysw={Z)9FC3f2<JD%SAYJJlm9rmjRNQEfk(hRtM{Q^N5
ztIf<hxaP@3Q8(Gya+n5G)Mn<S>Af<^%bn9Wwz*4lLeq%O&tm_G?jBrmH(PVbl0UhO
zL)6p;qPo_&R)9i)6)A=u2^x7P?w&Vtv?CbVWnT<HSPNQy#?|%mvR~33k%0k2RaGyV
zdE2&kg#1{_U_fz2$~d7c{u(-bLa)=1D{(50FA`lLy@C#kNpqa-Q=_PCB|%}1==X#!
za4X^qo2u7Zvu7WSNko)_xl;cR8+JAbs#3NByJo5TP|6d`Bf^4<YBQ<`u=0S=0{xlA
zjNn#Gy%xEQV4mnAAEO`;{ui#CVbR#VO?BnDooVWY;uP0$_1>|cM>}|rxDO^A_C2{M
z_)M9Tbtw(8w|Ayk`d`1kz1?BZ#Co-Z!3&ezeFrPtJb0$#-Y>7CS6<3_GV#GF^g=KO
z5j%t|1(0(j=)rFZ@a1?l;APO~_T2|QUb=W%Dh;Zftn3qo%4(El;&3DRQKya^S<Uk+
z41@jqFU0Ib^*MO>aP`aWS>pWxyj<Ut04!v15(31PRM6ir&6>u9gfmxH*FIkqa`*1k
zvrV*9I@Vn5(+cn~X-d(vuS?3R03_LrCIFAHte325Vwj%1_m?U<ZtZhQh)+>zo<4Uj
zFuoF}Jz|Mmh2|3r>bO@>`TYs(IX3|fH!J=+`8AIsll~!91q_S7;g*5^o#8;v2X?Sy
zr%po^6f~=9vL{*1f&&qO*%9YU>Khtd&YhdfP!ki*69kwcgbkOzUy9;p3UD9HW_eh{
zpWhA)sc)i|{ne*Wu;j-LIP1olXAh@2Yo*)RoIR(edRDxl)xD?AG1hJZOr)(wezH%D
z=h!^}uUx<7PSXq}?RXKSHVik0IyWk5n~yt+qO^qS4?Ii|jx^|b<;e#f?RtIM@c7qI
z&w^F!rN6x*KDtUmL~$~H$ffh^nV=<qbn7OArGRcU7NZ)lXKUB*K}PiSgv=mH7bQc8
z8hCWWv~DV5phVf_hRDLCfY$L2C<HIiUgPFnL3Tg_$E<(!mxhK0))7(2_yLt~CA;SG
z8`g3Xf;2~$Hr>2(J^?=<U?u>3T!cQ~>~jOSp+l7Fb{#4fH`qfm^;EsOTzdb}gFZ+G
z9qIHUZyDXKz}|S4G%Vjou1sjH?Kd`FFhiSP>u&l5egLG4t>+TYrAs7L24~={j0~-c
zsfcQr#s#nDVq{M;TOfCc3aE&UNHl{2RDc)`jyEdUr2NzSe6qPTx41LyK23e(s0#Qf
z1|`&!3hCftw3!^S_~4_1UJ%uW^~u37GVy+Ot!7m>u;2xGMnCTLLP)K69K9+uH8f<$
zj0xnI#iH_3Nd=VPl9lZ1u>RsKtulFa(dGY^<=euDur`ImgB8>|S6wqy*eW?XF9WZo
zfYgtiJlXz9Me^RUg3{+Co+CVkW!~0pr0SyVo}P$MUH9N?oMnDDM+Ozy0}`C$jR`}V
zD?S3>yKH4^p-lkd7r72>nS379Tr&VNCFCc*)jxN23<xGIq?9-cm*!Lg!h@5FMdi{s
ztpqYf%iif0r6-LMLKx)WquO)Mn-lU99*s-SVp<8o8D*ct2{Z#b-Wamr(X{*0DWfhe
zH+r0&nKj`?eNTxGA=U0)l5^}{o13hdm)^nPg^gTgxb&hytF(p~_11c_B)NwO*)mB2
z5(KnEV7^Rtc12pVM_`zUMdEwi!>qCDZL_aTK4i%?iRFaFiQZ%L-Ueyneo5v&Nkhw+
z5s*Klp8I)``&r>H_sKlFf$ED9YdtWR;pjQtRli73K?&GB1g_sIpxwckh(+-NC<G@~
zWD{euwcN4F|8w87MZ%#XuiqYBlCFGZ->^}m7508u>@hLqjv}#~MAL72xTf;}Yd0;S
zLH6EVy};zSNaTf9DrQ{?=1|~wJy8pD2fMkpmqL44OzCm6nHE`|yvmaYoya<o2!5Mj
zJqDMeoF?anzu`MtC}E!4+x*MWXtD5oQwFds@T)yJnuS9-7Ng?=+@sZ*9hIDIl5;TI
zX#ta=s8mGrmU`QFlkIAQ=_7uiGBIE}zw(~Fo>u#0mcZ`n5gNta=tY#)DKKo(ECh76
zi)6Dt${R2EscU)Jmgax!6{flOT5d|}ntko=ewwvQN#WR_v<@nj=dv?H-?mlx863Id
zNXc9usvnavK%QRlUajoh=a{Vpgiiep?(z6pZDEeJEi!@N><nyp-Y+2{xOwGW=GRUc
zyDleBcGdIPD^~_XFl85R;UH@WocagqzgkVVu#g9#8LqCLB9J?#L%yXrg;cKX%MM*K
zHfO}I+H?Q5P)`n24US*9OtTa^6lkEW#){2*Il-7mZ7!ZS-cq?_;%p@@B^#1Rtg*CR
zxbXOlGF|=lPi0qlKl!kkVs~hDP-w%iBpqGd*<d3r(CX=tvu(dAKi`*f|0^xF_mSlL
zN&#kO=WULni7*VP*!(*2DDpmf-7%t;;Z@j;v~seFN;TZMLj1KGs^6clGxSM8bLtzX
z@B;Sj4pR*k<Sji#<d!aOJGuvN@>q=Vfp133(i&5VfCHHH`z@TY;m(0e2K6uO(@OPH
ztUeU&-E-f~f0e7rqI07Sa>f*XYCYhGLQ#61UMAG8A(uZeuG(DJtyyV7Zw*Tq42+@`
z7Dp6C26-6Udzgo&pHdL&ydr`o4oNNS>X4cKJWeT1>N{x?43JL?97IGD<E}UXMps^v
z7#?`4S?1A7@z_v$k~@w{JvB8|!zxK5!2kO7<z`k%8!m7U(5m>x?Q{$r*~-<%tKU?c
zQQC#MoDivBsy0nkHO}xboZ13lFF^~7VNmPm$zDq|CP-;dIG48kM%rM<ys%ai>poUT
zIMDD_G2VzET}}Gn^`YCBC_Mfp7ZP%NSJStAh1$jKTxG;#gDid)OfJpnI?|ZM+C{yi
zXL~9Cn?xB*EbFR-u2aaPK79(eJ~QDyNbzDm0WEaI6(3T@wxiYQS2VH8ZKP-SStmTW
zy1M7wx?AU6U7@i;p=P(!{1;anBBd8fNVIQSFnfls)xPZH?<SV7L1GRw=%7m_$Yk5k
zT5}rL4j<1q-@hEjN#*HaWa3yqsQPS++=;pIL2?V-syrj=!z+e_i5C0n-1<AldccC5
z<sp0wKzW4jtZISseiB_D7QY)@!_nsL+=;snm+XW`<XqRTOgM&ZGSiK-&_9g(F&RV)
zRDkxW)ceHS>pmOgmrgX=q9o+_d-f#jXPpYwmAqG8V`Nm<WS`35&uAX&xkUfjSOMs*
zD|+s`X`@GLt%6Ns8BhR{t67GB_3IZpst7Kf;wg^u;{aS&$QE%%12#Kh{$}$7<vC7E
zK{$tzd7<yCg)5D<wNF>Sp<fDp>giHf`C=Xu9b!GhNrxEq*lE+-Pg-z$X@*mq4eeA{
z|Jv8hHSdEh&iu1y{U1NRq!R*_x5W5t{i~ftPl<;Nn6k>Jar3j_Gq=lH3#}Mf%s6%%
zlfhO7fj7P*E8V(%`#RcOk?Nu_0EEwLwA{}|Fn_C2a6ZB{&+HVjvq826(<AjTeSJHD
z>0!@S75UAuUOI-W(iKfLYAGh-$eD<aDhIbxuyOoMCMuBbS^M0B`}ea&Mzq<P@X#(g
zZsngF;xjl=L7*F#Q>QK2e86k)V(9}TWuGMGHVUSnE-sL#9uVp)Zi-l%eLz+ras{Lp
z`~qiKqR*n@&WzCSDJhwX8aN`cT@w9Z+KJ?txG>n1JJctM3sbfS`l;_b$IN#H^#SOg
zZHc=XXSuA07-4(LHOSen<<@=I#ZdzcUW_RWZ!_QoGxnbY2Anu>pbcxfnEh}hEvdVI
zEqpZt%e(^PqQ*%RUjagkyNHhN9@4KV1mKwL`1oW-l>?)&P`e}A@{LupCagsWc-eGC
zDvpLmCs;~`SM7hHdXik_tD9aO1JyeuHFl{&%VoCTwX08)vdxmceO-#^14_u{dh9jz
z{DXn^UHEn6nvc@b#JFC<7I-T^f0@~vYCb5Bo|Uh4mnS@uSv*g>kgXLbEt2sK+o(v6
zgOCl9m?}<$gcvX8>j*d_-cI%B%R0-j3V)2P)oY)6=t^{6bHuLir`fd*jyv1GkZw$J
z8fbR}>>1?35m=9)o7F8=heB5>Lo`$}$bc=;rf&NlBV-YanK`{0z7yh%3Gr0ki<3J7
zj3ilE;`#aw>zxC7L9<f=#e|RRwcnL1*fR$SsS2ujOII5syU_YA;iE>?t27Kg6Y*=S
zfcN_SQCd<`%_%80fE{n&zMTO$hglE=*n`d8;2-w|7Xl5kaNf&1+}t^H=Kj|Wi^#zF
zjaGd8^p_OG746=0?B0Zc3q>Uc$_VrA3YtMT#MrS^4EcEUA<fe|_nwm^lt=6z59r_t
zYVAr}f1hM~u5JuKqsEHe6FKO>H6<cEe8a07N-RH-aaZ^5Nrrc1^(^!jn1h+NoX}vt
zFDc=$khtu%Mk{I)sw!SYEL%lzB{GlqZ{H4S6?eUK)U)`;`&VMdeh53>^v=@I$5OHH
zzF-eiN1GkCL*>sFEm9ZJtORWm@o_`V)lMrisKNQewfcmj8r`CrW@savVqM8)lkwc`
z`~KLfggx{0nhu*BuX=j$+pzLvO;f#|#YYO4ZZ@>(GQelp!QfS6j1wQyTe=x!fQh{<
zqKDB^yIYvxK1N1s@r4w-KR@-Epf>N1B`Lr?XBl0UAAVg2Y`1W6;903}GXMeapUnDm
z=CiS2buKb?0#|#cu*0~W!oGjly8V@(+5R1S*du<%Kcf{5{uQlw&Z6m`qQWJ;FPr>r
zJ3og5;Wt8fVZ=Yf5KaG;&iL;y@&D$p1~hkQ-f=UeG;Bng1ph6VvuJkY%+>q<KVlM;
AC;$Ke

diff --git a/webpages/admin-gui.md b/webpages/admin-gui.md
index b968a74..325c227 100644
--- a/webpages/admin-gui.md
+++ b/webpages/admin-gui.md
@@ -12,10 +12,10 @@ layout: vm-operator
 An overview display shows the current CPU and RAM usage and a graph
 with recent changes.
 
-![VM-Operator GUI](VM-Operator-GUI-preview.png)
+![VM-Operator admin GUI preview](VM-Operator-GUI-preview.png)
 
 The detail display lists all VMs. From here you can start and stop
 the VMs and adjust the CPU and RAM usages (modifies the definition
 in kubernetes).
 
-![VM-Operator GUI](VM-Operator-GUI-view.png)
+![VM-Operator admin GUI view](VM-Operator-GUI-view.png)
diff --git a/webpages/index.md b/webpages/index.md
index 34a3c99..6dc3c10 100644
--- a/webpages/index.md
+++ b/webpages/index.md
@@ -9,7 +9,7 @@ layout: vm-operator
 
 # Welcome to VM-Operator
 
-![Overview picture](index-pic.svg)
+![VM-Operator summary picture](index-pic.svg)
 
 This project provides an easy to use and flexible solution for
 running QEMU/KVM based virtual machines (VMs) in Kubernetes pods.

From bd54d293eba68fc92e9824aa71f5ade9fbefff49 Mon Sep 17 00:00:00 2001
From: "Michael N. Lipp" <mnl@mnl.de>
Date: Sun, 30 Mar 2025 21:58:22 +0200
Subject: [PATCH 259/274] Update picture.

---
 webpages/VmAccess-preview.png | Bin 13757 -> 14080 bytes
 1 file changed, 0 insertions(+), 0 deletions(-)

diff --git a/webpages/VmAccess-preview.png b/webpages/VmAccess-preview.png
index d13387f723813849a9bbd485f17f3b9d4abbf7d7..a97f7e18aad0dc3554dd43313b82ccf4a19bbefe 100644
GIT binary patch
literal 14080
zcmcJ$1yEM;*ERYeNC-$6D2)mz(kYFkba#m~2uOFRAV?$K3L@RoDIqNl(p}QsaQE|n
zXYPIH&iBpx&D^=pFvxk%InO!2v-jF-t-a4@1vv@aTg0~z2n4R=D^Vo`0)-NO$S~1i
zOP*=<KKw$n7nW4Pgnu5GMgj2mLkBSp2W1-*2WJC2V}z--jg>Kjy`i14v9-OKjl(u-
zg8%|SiI5b1sp68fIpyr3e0bHit1d208>RG>K0ZU{<<q|VqDI?P>hG~{WvMI7<_JbS
zuYC7-Rdp!$sf+E`7x)Ay4{xIEmPlnkYJZyET^?NSkkNB?*-t~$W2W@mJh69wcQw6(
zn|8&+K4JflGqq}bj|rPF<~Kyyz)gJN6GkjbD&IFhv$M0MVqap;rK=2JJn>ZsWdG%h
z9~glk6n-jx;}zz&2mjgYiO>JR#?8a&xj)T*9`)RKWu4v4A~}QQ#WRNjzW8Z@m5dbP
z9PtM0+kPJ9)czl{-DG~uFIjLnSg!S6UW%*@HC^-ERmW6})=@^pcNYmLwhj1_%4Ixc
zuKF9Pg-e!rw%^!@|0X?GSH#v2UsbZ|M!VUE5J{e^8W#V^HFUnIk6Je?IQI>eX7H_T
zNEAZnZ&BqC79w{#{Cv~nOL$j@!{eoVzHF7glKPm>m%^*g+LRX2>sAtB<RMGagZCMA
zUL9{uk(IL~_TUh+2S~><qU=mL&#<^1nAKR($R@NLtPO6)$fgP;>()4FZdbe=`@+<4
zF_63RB`&TVPw+y>&W=^RK<8z8ze1rN{~JTYhg{aA5fKr3n}uluYYrY~Ynd|ftYT|v
zmET9#9}0T$Jr)mseQ~lYMI@oP@H=GTZ?WMM8k*@M!|r5WqGY+YTG#!~I=n*hUz{{+
zapz+9X$NqYZc`viABHBe?Q~~qz8x>Lud!<Iy3DKKvYFm+NJPcBt<jum+!e!aJ^9xl
z@%#5DHRs~#5i{P`bxFMl8JauT_vv5%8_K>o7?jtkeD}VoNqBF6pWEx=g}%q`&2;gQ
zH$4d)O9J9z#a0uXS4R~M#V)&VGJ@tu+9<q(<uVsi+_w~~p9;*)`BN;%>U$ZikK`{+
z`>UtF_Wpj~fVKI_W~R!Z?tF~}-n)(m=t4fJpFdYuu&86tJ#H3}QSg>}*H7K;_1?qC
ztED>3Hpf_HG}G`1Z~pOM^M!3r07|kBR~tIcgT^n^(q9*anIGVol^wNSovx(jSDYVj
zZ#xM3-zF2z93;S3@W^{C5gMMFy4^Eau@Bd>cQ~p~BzWwD5Dz7ltZ~|eV__XjtfzPm
z-1zNR{!l-8;;UEZ7JaTErTx>4z}(ziil{k%FjIcNgEp1f^bhI9h0)@nNtSj6qw|y_
z(f)GJV@}QyH!IiXT;jg>%3=tI9H#*PU>m~p(_FQFHP1MI9Gkw@Yc9lZvxX(Ag+!VD
zI+;kHE`-@Ib267p`w7h*4(ZLKHL1ZLvgZA1HxXlFV;d6{y#^!`XpCe+92P@}#@Eb$
zhh6A79(B3dB=I-~W=IEhQQW`(yTrIFj@zCFo}<xf-!}+@Smzl}q7ZS^#@xbsDaDBM
zm1hM#u+z@|zG0&eiWE_6W-uxD7l_nir_FIY{^<n--B5GCy&K{vdmdqCGi{^mom+MC
zVLJ2KS~^Q&2ku)mI*y)hf0TedX=<U^mwIMw-FKZYNVzSAGM#6VO07Owjg_=oPwg(W
zaoaEBAgm_JGrTU(oYvQevPGt<9lxoty}iDgFL7S&`!%Ti`fwpk@C{wOC9~(5Ljt?`
ze35L0^;G5gRt-v}-BO_LJ_`-ar?|KWze7kQ+}wCdO?uKyds85Z{73cNLnbG6{4W8D
z)bccbRoX5D1O=t57wUD#u{4`gPHcHklw0AD@kE`RxLlp~dTUj5w71U=tLq!L1Q4{e
zw%WFlIqw`dTqiTtpER9K(x3A<ZNxR#OY^$yP}(nd8}xmB+4B20tHY{-p4X}IpJZP3
zf<4#A&z}dCS&rJBZ&oPhYwbQ=zc}6h{P}b7`a<c8ce4l<7M9wpv-Od^U=prS<xDw1
z%`oJ?gB3RV%RPw_ii!j)y{V?l-SGz-W09~dyOZ|45z*1c74nfCErIu*$1xk+*xlVl
ze(F!|7NGBS+Pb!%%J0r8DJeM#53;4LjqUAUW`UDg)LYotb#7Zc$)U&7?!9ieX=M{c
z?d(bhtz>EL=zCvs02(|N5J;J>b7!+(mQhkt%A0VppGG8b*~mrG$e!$VF?9_yEZ8E*
zUTFIEtB?{)dhvf%L6l{lIDMfZN3dDk;`o(xY$M6;k1)&T3H~FPw7=XS-1M5&{;BHr
z(ckiI3&HD)(y5zoCNAs_w@k4fcC}h?Cgyv84<+MubGw!2v^|aMBb8w{w)k9^-1KEc
zY;4;{Jc0HY2JQCVURqw>#O?a?(6zx#L*@q?<(|8(MDbiU<ZYp3B88)oiHTjX-0?h)
zIbF`F!NE8ty(zL<TEt>vVk2L>J30(Hqn_pIRDFT8{5HDY(bcuE+Mix~IHK*b^9w^S
zIc&S(I^}%3AvJ`A%WijG3<n(*(lt-3EYNo0H@D~3R_987zIKI@hQ_Py>AL(bbUbpL
zMu;!6@|hw7RK!Pg+!DsF?(W537!;!E{mg*e!otED#cysxoIHx8m0#|RejZHDpMZ`_
zTm<-l432d}Saf8}OxL>V07}d?`w!MQ+rXl`T<o@;Zj|<tcD}nfvHc;R8rpBR2pCAk
z$Cnf)coio>;W@N*xCvX0&JNZ*_Bv>XvX%Y&(<NYCTu$cvlR4v4J&!c+(`)!><uBWK
zpOe(N9ljYY(3MGG?-=LVIjTiLCd1H>N+>D!ykeD=>m-K5>Q8dz4$)N9c!DIXhUC?a
zWHb!o4lc7*v+3s69mb805^sVGv+=&B16o9ntUq^7RWxOA*3;?O4m1qqLu*<(&bNQV
z)$+A$Pj(CnbgG1*Bqj4Weo*QutoJ<U@$>)?{ab1K*!yA^!_UtziQE3u#>U%q9vjW8
zN~lz5H*Z!=7MKtI7@2@jch>N}x^T4^$?Lcy&-Y#`<4wmGY9nLgU8n{{c1u#0rvD%!
zPT)_JN_c<|IV|qF)uj~Hp9S8bm1DM<=9{0N$Hc>{nDBOT;*?F~G#>aanZ)lNlfv(Q
zqsU^I&N6>@+I>3%J|X3I8ye5MSj$X}<Fq11*wpT#+ti=Z5Hac$O;<R=o#=UAItGhB
z*2<45Hf$rjcdr#PL$lNb_w@9%JAor8`nfs}yR&X|uXc=&<xG8@qb5`Vv!N^k2y?bl
z)86tU?06X(LPEkU{RV-GX}4U*bAZg<Uhk_&04qEnI4SF!7R-@C{oW#jW&oU(Z{MF?
zS2SFPK&)w<-}OFQqlKdbLPCsxeYlB+jxOA>zDRL>g0Wq9Om1syD=H?Y8Rk6Sf(3W%
z0*KLX#vUg_lj3z|&S^E?GG1o+kn^oZe6RcAzu_mev}_hbPXR<eN@X;?X5Q&$>kSVN
ze_gQ&Q9K4Q3^>6hFL3(A!qIkWq5gae`D3^>S(T?z+_b)L;y!)6IU$j&mS1}|;i`iw
zC15b)Uo3wwXhfsYY8>?^7LR<$<idusv%SkCmg;jYrAahP1A!)6M-qRlBMPP(@0M~-
z1M@%MGcs&X-tE@g)NFDBA6PgjjtTEyKZJOv82J&Gno40c{vsxmo|~H+VcqQi<&QbG
zX%C&xP3-&3){`%Ohmu*UmzC8{C@3`}FmZ4eFOO$T{}vfcI*#hrULH*#?%usy<aOzm
zdG5WI5&MAE2vhlo%s0pN5e32_;7hDf2j=@FC^GaLykrtNL&QUfUv{*b_2;THL9T9W
zO*mzF1Eh?MkC*lebQy;6{|=`TiQ{!<^u9iy`S!$2tw3kZ_Ouom79T!*$dk1SdifDO
zA~Mo2zgTJDpx$AP5X$Gz3ANl|R+H`r>zD2Aul^0^Vo(!hZ#u<{22)2d*xZ)qKaAq=
zpg%`uDNDS}h}GL3s5|5GS!%iQEQaV&wJ0u4O46>25fTd7DkFRRM}G}(PZa3Y5eo_m
zlDluPSe_u*%?Er59*e&_J21CoXiwZX8N+By^}bp|rm+etYdjh1Q$@1gS6@S11vP(<
zBQ}&<dHIeit2qwsR|xLsrTfwNZT=AW$wg5#v0M?^nr^wZjC!~}8s>*hBrF;78sfv6
zH`NMIli==MQ7<n6C?TYRUZhfI!8##vFG#e0>bSgr|9)|K`Acl<N_8W(EIqcVfoiFV
zYz@upl|RYZis|S;JCa`5HdRmV`7=Cy`W0BNT$tl*BZ|NAuV269W+Gr!Bmj^qVZ{<T
zt>!CcybJ+TN3;~zmQ#7%kGIMM1f>tB=C^9L%m3t#H+TyIeja6cOm}v7KcT1ZHaMOA
z_3;#HB;ZN<VXY?P_<(UpaPZF~3Qdis@9<2Vx-Kt+EZ5yUZAX6rC}!){aN?41Iy`N*
zs+dBjPA@2j$89!Nk}*|scDR1${(Y0tmE}K>iUGmF-%WZFZue3@depQPvbZzX3@Hcb
zn)+g6Wn-*#WTn5@P@?b;2{kH9)CF1Xk|KhPH<MP~bcS)ta8)$ITXsDDONWxg>mjr~
zLBqUeLwPf;_hT(SS{PZ;XBchGS|Zt_&T{WRNA0_5alYgCAb$9;Bfnz06H3pY)*vG8
zce6emPlhZwJkJhnPc=fsMb3{l$Lid<;MW2Gyn^_3Z+AQ!S&Sx)<8ZEem|<IJL`;mh
zoZRhi-@eHm8%$KGSKE^kJ$}bwIr4;;cfvZb5q8s!8JwSQ4U#)vl2KE;k4ys~IL&W4
z)75g#$4aQ-(2?=vOnTWdKnv{|KL(4@0xM@3`L30GBu`qVrItMghKJ<kKpg;I-cHxX
z1I%+DaE*=VNR^_6K6iC>9m-MdTI1>B?pxbfsSy(ueKA!J3ppb6)u`H^AzG?c1dkt$
zx_4sO)^aGzfJg|^`$33!g?$x$A)Cz~5>5_J8+~3EVxflQAw&9MCMWKhFjOi}GxZ{W
z`UbZP%{n}D*U){0QXuhH>^$l1v~3pi3vLUGwW5#?oQ70-I})L&Av^lv7C>XIL?zv7
z2ivn7KZn1GU;v$vRZ{v=7Fozg))zITLcgs9%Aqv3dZJ{L)QQt>k)EA?`%!sM%Ga-y
z>tdWh$TQpQ?tds)Hb(NXw^P;k%Cvfv<@sBEP*5?kund4B>NNy3H8)Gj%dfzq#`T!g
z;FoxM{b~Baw=bTQtyfpwMY9Fb887H9!0WvAgp$%HFOMD+oP%ztB_!11fz9V0G2OGC
z-@|6=dU`2S<$rE86AHmYU`%yh<F<y(Lc_pt=hNBhaV?Gd=72kJhx`zQx@I+ftS}^9
z{3TsT;npKb%WDFxdo<lyEDz=?^)alwPCgCIJ}AL1i)-Y;k?-hUoso~3!W#nexQ^`s
zx@v^dcJ!j8=m2#rlsRfkrZhS(Zgt1d;G884PvE3+9M9OYD~2HtFh+_|z?9=>Z7pAo
z!8k~_DXsLP&7z;|$|a?xp92F+j+)^y2a)kQy@TSMS(ZJ(L5TcIs6&*sD?r}MtG=t_
zQ@JO4hQAiW3bUZ#%r}aEHQV*2(@;Z7+m`m#L`8iMYokXRyuE*FF-%n0&{9#ML`ykN
zt=tlmkO2B-slHHFR4d78Gd*eTs-=}6lF!V~pA1ZHyxhuCcX`Y4Z?&W4z~CS(e#L~m
znp#Zr3@aU7;K6}IjaEb}FanLAW)Wq^KCvr3dwf#Izg(Nr5&!x}TuZ34uPp4SvxCmP
zZ;1q%GNdbgOFMZZm>nu^*uC<-I{NTyjAGFj*)>wtqZ$LaNXLUN;oM=nm1O6b)4xZX
z6BD|xU=`Ed4*wYo{E7b|o5*TAFZxvSx+9X74af$vcqedJ#<7{+h5}P!eLbWsU*+NK
zax`Xoda>VodNg6PNp3hXQXU)tK~L^=Vo-m&Oadv?%GS%*oTHk10&-&Wz;7uq!^v^3
z>E^WCI>ShwW^>dt<&Cqvx3qHOBPs&d7xr+2Cb)YnhQBpFF8UGa%_cif8-OyZ-D$$6
z*DlAAvXBHFy;tcmZ82TT4HU~smMEyGh#A~~Q;?}+^`5+t8O4^wdUzuKxBb2lG=2DR
zV|@>nciQ{fbI78sxvy;O?Q-4mbSZi@&`mf!N@9bvCjCSmaI6upnt^kMx=j!+`JU=g
zXmgf@b-!s-J>IAX9WB>teyDIrjiKeU_<*}b*q)jhbYhq2S;qLR;#uy5moM=hcV+E2
zYWhW9M14#Ze4(l1Xc7jdhl+8JwIicuZrpmUp6;JLm-+FFS5-vu%isXVDfEhAh>{vt
z>f+*J@|%(h3iu4#<v&N%I@vC)EysVF-@SLQ*yGd=MD}yFyw|OP_naoo%Cu74{ymGm
zR4%g^ZZc!n;vHqEcG|S?R8%Gu2gEak7*7)PPC4CQnXnQB&h^HS?0iP&A*)e98QWeE
zQ+?6%!X>|?hzNsC6|2D?xDA(Te9cpK5eM5dsXUJV`T+RJJr5MYstNe@`d!>UAu)01
zhnv_sN0GXC{B8%cnW<inxVgv7C3YbF^ULZ7UcTeUdC2O!IZ;t++;#tV@Iw&~4?cJ-
zZ)fV0f%yWd-+E_@e)DFrNe^)-g`gaOyrh)WJk%T<(ieRTVVeg~lzS4nBE!QQ<JnAC
zC#%>nZj;W!*+s?0$A>?B!X+{B#0??ijrsdm16BeH3kxYC;F%136YLn=H(9&CHqv8z
zx0ar~7uD^p3hou3Wf2MMD9Nl})Hind-X^9jgsc$Z9Jk_w9=G~4eRa9fXI}mJ@;0q*
zSHznx>n-}Um75G&CR3ZIZB(E#n&Hv25Qof~?0sV+<8dfLS8zS|riW@J&$o+)ijISP
z3{R-3ZPx~<VIxrb5&7m=@|VT;$jSeJpA-j(2yO~3J9`vVXcotRDmCK?QW^7Qqk4u*
zozVb437~wxDP>nK#b`g^cVh>OYA0s{wu$8qmpE-|v9hscs~3_xPrK4WF<)#Y()azM
z*obw92C>tKiWeRc@e6duQ+oREND;A*$86Aq2GYEJZ>bBG^${Ceq*j>)0R=@ba7G)l
zKlO_93k$noW`HPi`elVw_4uTu!Fq+qS>+qZiUpT^0-1XXE{{f?8^>^tYC3ol!4!fi
zm6b32+t|(eeBi0<{U)&~deeIA-)JGSG}m2GZay!p6^0^ndUd{yOnvjoN*1J~0ODMN
zO$jH4WjsAwFVuvS0><(K;sc4d1wPM1rh9l$yE$E#2=xM=jBHbNZ1-sWMaiB_aH@C2
z&+djZ#Sg*a<JVEb2ASh#Olu0dL*KUXLrt!!y(s?PsOvwxviOvv$;tMiJ%P9oTQ6Rd
z=X-iunnt}x)j(@Dp`PcV>PUfZ7lh3Q&(8C-xVSjF{R%;FEkH9Z#+#-XEVf7J2~OwY
zrGL7adwTqFPNno=UgxM;WnaxR6n|EhIGG39{sfiJKQ3G*R^d{V5$lmsEZfgLwhoqz
zq%mNAz?afOTM(w2tEQMKNA?Nlp;AGc`=vfh8p-MIfyOz_plkl8jTjCVG&2^H)yltR
zw>4>wYrI?(Fn6sM*EL%Y6&t)fX=LIW2Qs9W5;3fiGJO|Jp1r?@VbSN$6*>=XTt7Kr
zy)oL*XLHBBA};xO(N7#CQNj8F^;Zw(I@x9pOVxGAdeq%|bI|#qCU?QId8T_e6~sNo
zJ5WaM?6|+9?Yy6PMxc<poImoHBMM6}8>SoI5D<CUj2}8|pLE}*pIxchRDOsiYy2=C
z^^tE@ZNXZ@oA1U6aYeI)uGAEReP)4zQ`VeB*HI~^_g4$wj71U*6;fXc2nVbmc!O)5
z#<!@?hD~+%F$(zD!D!+5!YqVB!kDeE5Lo}4jSKxmU&vJXT^FPubq)>G3avfDwAGcw
z{l9JR#pW#J@&C_;|K@`;c=icnX8f-|`(GL7%RkV=JB;2yvQ4^g*Bz|(e}sf#HT;cp
zv@vGS7Bn|7lCKS>)EvaI6p<Ka>Q~ly855|_&3Hzv@o``#HC&xN2hN#cIa;vlz*GKq
ztO+P%ynrVUL{RPA(z_Ml_1}N|AS5FTX=rFjGbU&vayf|38*PRhJY9;_*Qj-2fgCDh
z+#V~X1$}D*lGb74Z^Ugfp2@sN+*x{cJb;$!8z;gi35f$}Y>7Qk*Mb$(#mD@@TH{y@
z142Vh#!8G4NO!VktGdge2C{z#tT4@O@BJRGU}BCy$jz;)6>_huQ`2=GY5RX*=wyQ0
z!=VrW!(q8{s<4zMuEr2)vsKxzXl?5QV1iAU;(g`1Ueety^XAPPu)-y{|0Ln7PRL??
z1%rf9ulALWPEwcER_(r=)7B(bW8-^NZqGAzaGgpE1f91?{qZPFz!F6uUH013<wTqZ
z%swFXgXEHVSS&~A{jo0x<pr0(PBw+g1y@qreHr7GS7QjKTx49F*_6PuXIMU$=f~Qy
zkozRw-rjH(osL_+S)JBWcjy@yaD6~X#!d_s>Qf}kNr0mPWgKY)`TC-zrKKVM{xrX1
zU|`^|K7tF*JxEo38o8u)kP9f_8c=g_#U9Uir;_u#X&m#K4?J1-Oz&THYAByu>R<r`
zJOw|V+x>_h5cLTQOT_A`85lys;^OFz|Aq_z8XdMK<9&R5NbIcrvbwGRJ&hAje`cRN
z_EtQ-zpqeV5Uh#3buO!M(V2SBev2}2Q=))9x*e>(|Mj})3U1K;U{w*+tA(cySkjxJ
zbJh*zeB9z-1!3O4Z33DP0rqqlNVGekHNh}KfP0b#0&sNc0!wjtGKx4nV>vP<#hM7S
zoKdGz2r4@!HulFaCVxluy=A4OZlR!{kaFAk0ubK_Pfo^d1Z>}S(2r%*Et$Rz{*U&`
ze|;a&vekhMYzS_o>lGDsm&bXl8!5c5F3-(J@*W}&$c@0Fy0TNgkp*Zr1mX(flaPdD
z-60VocI=R#%w{G9Y2CT*n_OI8W`ki5%omN4o&By4k)F#h^RFCG5Wv{y<qxg79N$}f
z5Osj+2^xQ6rXh7_=N&PZwM?d5GSUEprTz{v&HnapUo#uEuT7P?Y|-aCv?bt6d7W=^
z`8y)30<zL?dtcW~?ZG9M8n)erY!kk|x-9Niw*b)w_pMW9=La5-hBr8;zX3F#S?WdR
z!Z#m003%qZ-XosE>*W1}bq%f$#9_pjFHOK(zn@b3l5km(_kr^%DJN$F@rX=?0^J%V
z6_u7=!Rv0w;CL{?z_=@M@BaGoqeivEGlab0<xfXfAYot`GX>peNXyC!fSi4|*iL|?
zj!3Luej==XUbeKx^62qn^YNe0fZeZj&<0)mIRf?CJw9Fm*RsgzH8vIL)K7#`wo2{6
zfOMW_=_jO}Ti9@gbT{B)nn5l|gON{4KA5M;ruEb8y<TA^R1~N6A2RX6W@b-kJoa&e
zh?stWAVp#r-^uJp<CxYduP*!Gt*ILOy+uh&pR?1`{(4XM+vI$!_&LG>4U<2^-e6LR
zn(vvrK)3O~;phJfBmbw4<ItWYoJHwplm|g=hY^xyHh4@Ku^O<(H+CG;VH?B3YyJnr
z&7Yl?Fqc(Va{N%r?)#4^*KNXPQmVPe8c4WT=qajdcquL_jj8FS{XybJ)_nN2I#UjD
zbd^fe3v5y>Dyo){S$wD*wx#XNwf}P!`9H5W|7}k#yz<=ukK(i)u|1po0@*6mS2rXu
z+t!6{bnxok4Cngx7==0~t>nh<BS$6!70$5wsOc%1Y4i}Z$Sj;%Ts-FqY5b~XPM_LS
zB7Q>pCZeiaM5bNT0i;zpUk8G^s`W?gpaUxZF*EPHzM$J%#>{;t5`T}~=Sh~R*rK_R
zi&ArO9n;IjBwd6np};iy7ut2-tgPC#3ETTG2!*#aQQK9EDzQ`cK1JY1tGbG`sp6ly
zVP<!?=3!6Xl+|pIo^h&>3Fu7ATUJ{Of3{vxGg1HBnmjyr2M(Y14Mz*l>P{MVqc1e?
zvYMDFI5Mc2o+_^wT`%~p#AB8;#Z<>nD3lgxJG^0cPoTU)*Dsnu|Mp``+;&xl%mdGS
zwIDV3DFI;`(P%K!p`j-?>Po0pFDm_T&ag(NNg|*`vw*-xq@9S{gUsJ*HA?SCznQhk
zm~YlkcH)o;%Z`Wo8#xNR>x17^7~2067#=*?emkF}GD`HgGPLhhu8J^tP7uBLnJLB9
zkd(|vB|4^q+c~=+vR$6%DO8XX2!tUjtQ1j#n^Gd)=JCFnk5XM^8#cORIv~bwcRVhm
zEZRgZp_XN)DoD;8jbQ3cEVcYlm3X)zO)D0#{_BXCj{m^AE7nq2?)v#B-!S}9|6DF7
z^@%g$%zdACEc8siJ4v+7TlIe!eI|RP!y{>YoolO7JiG}QE)a<OpOCWvWfbkiLdKq?
z&FXRi_@hC&manFVuG5a#bry}V=E&p=pX=9`>o^HZC#nWm(xUQgac`p9iOVJ7Pe1ED
zT(lgGA0$>V=UVvw)N$T(6OYlF(bcnR#qPoM@FmGy-!~EHK&*YD$V?+W)<QbcR^#kQ
zZ9(Qd`Rj2QpD>s;5@DWD!dJ)3)^V8@4iDC|Z_s!}i-%n&EvNMMmhK4^42bO|6o$TY
zZQ85|n#yw(g8J6b#bi?*5yfNey7{;G<MnyNwMf3&V40;lba4RnH>PT0!9wl>qc=9}
z5;VDHg*BN)nMCyTt-1Woc)r~QG5SKjkXsfQmQ}f)0Zr8V!QJW46Pwjb=D(X>iKp^K
zb~uO}>-UFhlSAVSm_ypIh30>enVYYnih(WkQC-i~&w8qw;K2j4;};))H8%NSYXbEa
zre;b_&gQAvsVa4)v<b^<&Ogj?ElUlN*w?gw8XJotuE5_Y;BlNZQtV*E*?SyD$$IeH
zV=Sd~y>qnT)3Dl-EAN3V@GWX+AR07((rm`~3jG6Q=M~rrz`xOP983hTfYym&(wBoK
z)ZM3!r=CBbV^37nF({L`k_lK|cN_lo?%mre)Wp&7h{>&Pn11K<<KOCe|HJ#6oj;D#
z*uF14C^TI2%e;&C6}XV4EOfAuy;FZHuj@<a6qk9dv!hLE9UW3+hZ@lT5jZ;r6F}71
zK*OCKZ_9(M1><3U=K6{&K0aQLVl*DCWWqaln!zATF1QA*gJhK<T+>BcHAw1s=ysn;
zuN!pk=b#|Np)5s@!(nyA;^Jb_>t8pZ#EOQI^FM&`1<R4V;)!kO=%G}CwNDm0R%$Ab
zxB{zWj3E^`=d)+ekX>3RT9fH3>WZWddCoNgyLkoOo|82fH^iu`O4fgdq6GDRQ8s&H
znuGjbxUvSRt+&bD-KO8tqnWd#jYNs&ff#*2=QgeJh}qk%FTsm(nSGA|6c8hXm?I5*
zYh**gsDqH)WflcVW2T(IMc~_Qxq~e0U~u-=xjTdOhJGtG9^VdvC;899LN%*VJ3fNb
zdUDm_62unb0iR3J)E;!Ml6nQsgQ1-}2-WFN5_dC+P3^D$&^7s#ZXnX&u%#h8QoK&V
z5Mf9<u)ZLl^a4c)m=oOncgZ^l=nQVe%($*3dqATI$%3I=yB}Q81@cfG$);72Fh%Mc
zEuR?kiwFp`g@^S<SB15?kNm7@fR)grNGisr@aeOlqjAo*C6i|2%NSTcG@01WFY^eq
zTBAtse+6EW%_}PKOaeQM9<i|WTc1KR9yu%m?2=xmG91Vu0&W)CY;=NGCyzn$&qk~3
zp}dB^coMI3D7AD9(j<AhhI+apc-;ZLHW$d_2Lc{0@ofxUu%^&Rn1f-0G_j!jBTLX*
z#UbGg*0!$l0}gOo%0dXip!IVW2plaRAE^|NAGF{wg&Z8%;nM=gDXtk0r2p_aG;|rP
z8lNv(a?qLJb=sh$q--oex+)Ia)5)+JNUJ4wDfIK_m-%YYej_hT+3tz)s1Nrvb>us-
zs-D_&`$k-HOXlu_ZazoT7lpW?Pwn-4ttz{vv0`-#@bZ7WX%-|V7=6*W#JLomk`gMO
z4(H*$RLoY%QlVS7lB!Q=9`jbp&$(NOQne2P6J#$;P5j{SKwMm0oQyVHf%T0BEe&8n
zs6IecZr~H_j$$k44)2{TgzW>@wqMV$(2KRxw0N0ut^*BIpRu=2S(gd}q$OxL85Xa?
z1kSRis!>qU5#b357P@K*3J4&*p_i0bS62wR#P88PSN47fnhu{(iEcd{Wf`)b@*{nG
z6P=9(H<zWxxw6aiubZt9L(1BM#{|hkfhM+lJU-xGVo-BL58SwMBk%G>M@I)@(rLm<
zfwi{Ytp5?PIN!0iG+?3vBh^f#8?~5id=IzkZ}JzKf^ge%iT0c0Wu-MXBrkvvmus7v
zGv2#*Pcv5Yiuy~9b89Di&Pq4(k}h{})NjeqPezD+B-UES4gIQW<$b}?M?V?HUDrIu
zS{Bh95X1XX+kbZ3DEv8HQ>s(M)#$M#W}(XJHEUdop3cqfshWz3&4GadgbT<hSLg>K
zhl8YJ=nbIt>+A172-uBOb~VdiczgNwgQq;Z#I6UVnNSpJoUE!H)|w#RUU-}^=WCTc
z;^2seF&$(uf-SRM)H~qG9OIcYY#}Tnl3Y-F4<BF1+L{qL7C;;(W?(?&(~R$7{Key{
zaHrVCP@86ZM%7=?H2ONkP(3H~eNe9!Z@LwA@^hov`O>^=2@&C3)z#y9x?Ew5@P3Vp
zoZ?O9a^orm5)KPAq06&FfP9cs8_4;j4KQ-pO#dMJ)kv=w{8Dkitxmoz=s6`bR-oZi
z%VzPrA3+ON2)rR3Cjn(b)=?gmBH*^rT(ev1ya!RVIig!-chd)~E8Rhss4pJ%m1D*v
z0*FG~z}dOVBD-y8=Z^N#;iiV8^}=6_!B^^p3WUO)S$!yX2?$=o>;s!g_f93MPQKb5
z5)$dRZ|M;*1+xUM$}+&wqTuyum;}nAWG3WJ9deEW97GuyF@pgJsBdc%6@?N@2Wp_5
zUbyZ(0r6so`4!x_my#0B#`}qp33!bcRAsIu>aww6`z-+(D;rI;KNA8E@i^a1&FSck
zd9+qvcxUsZXnKG4d;CvlaM$;kPIR&6-)Pan+6B}ExlwueF0jz;cV=J0yg<{*?n3+v
z+q5ZUtIi1g@7IIhpRZS@VBWfw2Gcpn_C1)P_Wy>SfxNVB{#3*8z8Z9qzavNu3`$1E
ztxu%q;-{M)RGtESBH^jy1!2oQ2BYKxK2s8$!WXI+2d_ou6VZ0|8ZlGK*W!*w8)wy`
z7Z%7=W&JQIrBlVN3obEm+kziLZ+sqUfuA>KjJ-A4op0S3FAD-Mis0ToF&CE?fHb6h
zF5xiCGrrk2ps7<`Iy!92Z)|Q|2g2X!*v1zu6{U1>Txb=WJ2OHN)GV{O2l&Z#aKhCD
zi&U9pGoKvcxH|O+)2G6Jbots%&;0~(VXC70qh;i)Q_-ixYqM9!G~S01b$rYpR?deX
z(F^qio)a@u@~l>qD!XI~ccT&mBuj*neghnxwCiF(N~w{#WthF&1-lWoFGuw`0HFk^
zW79uL-ym`>0FI0QoFdKT2nq6EubGj%5VM;JL4aW3k+;muq{0YcH~@vagN{73C}6au
zd#NiH!odK>fo_wvY%Nc_)G$&}y@whMZNoLt(k7+xb?(PEc1E;qkVUX!Dc@}0r@Fy8
z;X31rgZp4A!ZB{T?!r^xUPw18owi>V3jg^==}+sa1h7<KSs+RB9H)G-?m)|i0BN5C
zUE26tj9NO@4IB|koB&h7c5eYYTNuK#<If)xFvwwgfaP@~0@(>65-=tky+a)Go5wWM
zW~To3oPFKl=ENv*B|zK-m@O?WEj!TbkA5g{uOBaxq_5bEV~Eb>x*+Es5*O3ZpLoPh
zW5(YU_Yc!kxvBJD*N8Q<lxcf08M{OFKiGEvO-B9ywx`M&V!X<p7C@!+N_wL6Xb}7s
z=x631nBNs9(8|DmmyaA96&C(5(E79jyr6$0`AF>?#TbasrJGTRVl`b0QdFlDIK?wv
zG^)FbYp72J1@)1eps||~MCtp8&J&DDx<aWL43z{Jy#Ppr@k9o2pbp&X23qljZIw`A
z3in6nuup-1_l?JrD|?l3rux#^WE&Eh=)Z<=hMuZ%g3QCBB!PvDq0uvH%O<UunChpG
zl1#Q#ek}CiRe&WGiprb8;<xars3~)7)n@q}?hXFPwvW1&gSncAiAn-gIghX?XLDy5
z_j|V0Yu#k(r(1X%enjT8v8KuPkRZQ+H5Kpc<;s2+PU;`r4{Os;?s|s=damsKb(*L9
z@g;B|^PI7t^-=hU;|*)M_kLNz9&UHLjXqJkvrbyG{SaYD+0sqDUzVfDtI-vFQY{l!
zXj#!S&=SN|`F+0Yl6y6zwPHW0ySC<WP^GiH@_N->_R>&Rmk#dw$yAYV7_w%HwkHm_
zW-DttjEj{iVd-kWc18>?;=e7N%9=9A%~I&DGe50HPo>p;RQmNK@Ksgbf{+%<=3`Ww
zH*1Ac-$eY)pce<dgBt7e+UrF2Kc*yn-ab;TJDk7x2q~7GO5J1iU-x{|Az#({h}Fdu
z9%J}Z`+6{f&x_|v+Xgd3E)B<QIr``}_h*u}Ow`rbNcE`#JnTNg)y(C;88>i#%o_up
zMSlNb?s=r9!t1G{QDyFEMj!A#+QC#aAI`a_sHkYhJ}Qt?;ZS&P|4&L2#fY_eZ;>>H
zmMBbtGdtT@BN4xPno#I#Y65jl>0cN2)Im-3>bl6zAJ0N6(>0gQ+)o~*-u@aT?Pooj
zs}kDvrFUg_ZVTtC`)QH3*W#P^3%{d%^a@viL&J<n5<rN37emEU-6t#b4A1Wk;VA5%
zUvp5i&lU>ytsYTr2;>{?d@0p=#%#MCOZ4Kz=#FsisRNUU-^!qO^5moRX4a5f2}1{&
zR#QS39IZ?{0j~weM{vKpao|>o(QuOXlsgG)>vSHcjVYomt*n%~A6tX}Sm{!H<Jdf&
zs<g2s&Ul6F%)NSwu<?^Wv65{1yiECfxT|~5f9wRykNN}#A2H3Q$cngTX_I}p2(&--
z^R-8`aNVY=x5f1SPP8-myHxJjm_GScw2Fxdjdq1Kasbs~weNj+IDSSDTH{x>UyJt>
z`W|+po#wWWCcf%o8L0emDgEMy0phq-#dLS;tr~gz(ryZ?SlXlgHAKlU>m#2wH_<e<
zxG^tQf5Cyhj&_EvuhX`4{<spQ9V6T$ar74GYWd2p&`n3Wn=t)rK2gp9R4*{bbm}86
z-*mZm*X#S+e@uGgJICmcs8!c<s?a}b`@z6-o?|9=qV9$HnbynJ%oV%(_aE1`^t=1Z
za`pT(fzVM?`vJ~sRancasNA)1Y_%y{xpyz@0ou9xMadb@DR#7(!c=OoP91>k&wuj*
zl<C<UZO3nk-5v*JKCRR1g}8ksFRxzxlzc2&>%yeJq`ahzQ;{<pCAu<PS=3`e;h(P=
z@@5paCYc}jq{mK<dRb%bXBu99O;q}mD4U_w|I=I<n)cE{K6|Bgy+#iMFh}rLSBwG(
zE8h*bXMS!~MnNyTRo{_uXZj0*ZugQRzGa%QsllIf**m++7sFyrLoi@wa8HsiapkBO
z&ne%2u+x=IOk8{bMmloT3m;Ha^1F)3cTZ&dswwYx{B=99u%6kF?P6i|Skt_PWAfob
zg^zT_%Q`|K1x?{|WV~OumUDt6OWE4=3*XvDcXIKJ_l9j^$v#b5O^rVL;N+OAb}g@=
z@c^2dU*(bm@8x-azh|4#*b;r?jx!@q^Q_u09CI?6#OmR{-g0fv6PfI}XGFiMwT@#D
zE76M9GiId0!yd>{eeiZ*NyUV~o-29(WcS!9@U_uI4qG?Lg9opWBZ1Hbq%$pLzQ>s-
z%RE70-r~!|^p2;ivAWqckN2%UZ@#{6GgK-3L50)hw5N&k7z#QI_+H#=S6yvMYm=05
z5muH1<$*&UFgVfQ-!Cd5p&uJ&IQgoA3wN<EQr6W}f@VT~vGiJp$`74wb6wT&)%t5B
zrUc9eUXr%xd+_*>f6kXS3ZMYIn6)N0C~8RHq4HwK#+xlad#Spdh_6a_Pd0)58+Zw$
z`5&wFvOZyR7pzEgD>qa-udw~qZ{3)l>)s;UGF}rEOGoO)$PUmAzu$5ivc@M}0cC*V
zv;K?GreJpVb<H)d+QaMT;@}s%x^D4S+n^=OsZ)uU=j6bk20JmXMcMdT*wT!>wzcx!
zkJs)sIgzeH0${8?l|>q|ade{?@Q#9K+CMr`RZ0%z3nEaZRHF)mD(|b#abqfyM+^9T
z!lNi~ASf7Xk9Zu-_yIpK%fVB~r1Ua4*)+u!JzuTMG}Y6Di&Xz1jMA{V?ipPj7J75@
zF|D-`)_+y%K^;KavE&|H;`bDJqC}S-?fZ19ttGw|4(OEre_6uWD(SDq)16aG?hC8D
z{ZB3YpZwwfkM{Ea{%}Q9kY%wX8Y5K`;+S*ok(O<vh0n85{;RJjdUGzQjOst{$>gCJ
zCDzkLch1%0H@VyCR;`qyKcSTl*o$1xe0v*3<xI5W^PTzec8;Y42~Q!rCf}zNRZf$o
z*p%^wlr4wKDeE1h1#Fodl+vd0GQxM~$N%byWbl5wnZ?il%x>OyCp2?3nn_>#cJt03
z!iiD&FZfGy|A@cDwCX1vp>UH3sAQ|e^(-gq3Q*BemyYQy9~yP3OLXeoZstv7&lp^@
zwqEni`tHD!+$9-MPso_k$D?hQz4=#-4BiUjNxoe=CL<(-uqg8g6bTrBS4O~UgV#hV
zdYDW-SmJ)ZaGj6YDaNJ3h920<mnbxmSpSJZr&GhR*i9QMx;ye`;tYZoWyED#R&|>N
z+Y)DLLFUPao0b3Qp^=z1Y#~DvS%$u7j)<;j5EWa=+5WAI(DbUA7@4w7nkwwvNO)Z?
zKdDKZK%MtiB&)WJ0_(9NK@~Qpyh!^nXGUz05~QudyO^t(*<#;tt}+VKW529+one{D
zo8iWuYcz4CeG#GNw8?$OssvUaF%q>RDrA|Er-(j0a~=&_V2t}d)5dK{p|GYEUfKtP
zpSO97HnYlcDY7pEavBG<f@%b)On)s{3)Z(7<F;$s=j91dIG;mGNUDf#-T2BU%j%4>
z+*6!OhdjkMXZgRJ4etilHW&juc8!8MJ9KwuzjH1~u9OxYUutMr3V{i3wG(CSMwQ%~
z7P$Mw=iMFAKO@o8g@x!5ojN!=4x}|XbCuX+Sd@y<mA5GQFsanLlK4l6#%|(U3%5tk
zWZ2Yb(})_+^|Z&)HcU+&anMPhxeyD(%VUoEaJh-&3YuL>o4uo1Z*v8=gcr3$B;Y#5
zmmc10{y6&##-N)ReRi0Ab*7xlx*uXaQ6z9>yP-3}ij`WzjTSDZX|O;i^hCp#X~%&v
w3@yx^5fzik@&zGZ6Ok)hwn9@||1~PdnqJU73Yxd@3L8RFOir{w`1ObX3(gwkzW@LL

literal 13757
zcmb_@1yojVx95xeK~PGNkQ5L>TDnmX5$Q%iQbM{r3=k0nr5kAh>Fx&U?glC8ZkYXk
zGi%MaW@g=W@65Pl`Fc2<^PKbSy??Pc{t9xE*tbY;ArJ^`sTa?b5C{}q_@cl-ha=f^
zZ<gVof9%DiR50L=2gaMv@c(-b5*iN5*2WIb`gTSL6Dw;=BNlr@J0l}2dsAzNZPYpu
z1mZqI>e*8jm$=PoR}UGJ>+9W78Ja@>XUqlDVw>i8&wfrEYi7OpLgbiImR6(X=-f|q
zXdYhWpqj(D^*23LQ(BcfVj}HX=BFPee*gGC;}|#g^6qjDitY-Deh?Sskq|6N8O?9M
z9A_S4KVu)?ThSBPs>e=(Cx&4w|905w9iCX21b(d;M$!#TU1}eN_da=eVn3fWs$)>A
z+@ELi!DIZkLnwwp_~PUiwa={w9=>>DX#altN{vSQ{2;$aDL2Kt-5RF8^xDxHjU2eB
zW=z#-gMeS}pS^MUGCmu|n>90hve~{k*fkG)eDRDXUSrO_Zgc!K9^U>wbbNJ_d77kg
z>E7u#DqJ2W-2quVvCm35&zhX=<AUVNQtd_faZMt#hM#O^C0rEAqn-J>N2)0M;3cat
zeczdOU<g<eHL?-mPfTW&OL_0DvinAi%KNNr-<EGXU%!dZd5aveU3<<NFW^`h)27GX
zm!~VLq@;w<D6^ty`h;B+WwJ3=AQLYzY%npDsXSiiU1wLP-}K4jbSaXxCZfEYulD-N
zePMC2!gdjzl9Ey-PbdEKXN=^O6iiG^+qbT1;c^*<!&#~_F<erc>0{xsv7J8^Q%Hnd
z*i)W=t)ySa!o_79a54;ujg>y$nvUkNB&B^G$Z)jRQ8`{@k}|j!CF)%}AzPrZ(T@|m
z=+LDT-%(-iDuJVe_=wW;x^uB)IMX6%kUy?WJx`}&Q`hUXWm%{#h(h^88LSc3+h&%~
z<cF&@)!W;<ay;wpT(WknMyI#Y_ja_9D~IUS39WjrHnpH&Y*&{|PaJ;}v93o$Uy}HE
zxvk;%QAN#-sftiZD$g*Z&WOzEyM7UDx<T+X&7bd>@wU9(-Q9g-WOV1wog^pasYYda
z;g-C*tBxQF!6B<Jz6QZgpG6ISt;^+>qhB80zL*pJ{@^v*(yo-NwQ^5eEUsM!d-_7~
ziMA+8J$*v&qkXJnO?idodq!v92L;Xq8J-@j4f@H8UfyN@^h8I8G9e*?&FK7Svtx6n
z#(h$|$De?{Z_UBQoov)`?~fD*C+BO|QzDV86T{lmWimu{P0c-yHyGWqy!32r!LUO-
z)-y6zR;)!Py{)seiMg+<h+JQrX;nHrl9G}#<84aXU+FEfTY9PEwno<x&XnO~A6IHU
zD`GbEvqAJ~7q=vKfhbEgyOlOrsPW=--~aPxg(K$@!m5>6o5#fO9+o*jespaq5Fwf+
zM5HG2-v88kuzrUgarx29Q0Zz?ro%fHZ`;ABmUvG`DIGPgGHl%@-f?{-&Fk_Ek(!pa
zJ850_s@w32Rh`{~N$nQ~JZ*x6{OAw?kMP!)y6dZ0LMAl?9tp|szr)$lj}6g1&yS4e
z>fd)I2*<*9QsLs_B4%6`vF+^av~_}QX5g$x>bc~eX9tQ^k66dctP>C1q{qHdi@%VP
z(jQEhHRF{~{Iw(7%VD#3-RN9aN{{$zb)6+dId6$oDtcKt<*Jm!j`+JyfLOijLRzR)
zLF8d#DCqh)@qoFF4r_lv+`{5li=jzR+&n}Og3Ej)kd)g@LrAB@OcmY`x<&+L5IO&i
zC)sK_<hhd(*kn9EuIqLklr!Y$xVVPQ5^yL4*gZ~c5LQ#=`idNwxVZE}LUF6Brnx#b
z9bM6!YXfPwh20M3x_M_G(9$-UxuSo3Ut&IrPeCCIA-y(H!URuHbZY#j_99-;nZsu8
z2@Nf6w1{UVM=zY_viOx3nN}2nPJfd8C>ILaC>I0RY87;1-@fwq_gCv=T@4n!noEn+
zN!G3NdiLxYJ6vG7JGL!NI`Yeqh<a*zdg0r_hm;;WPdg&(IAdCigE}MG_7?)!25Q`$
z1swl2j};i69*zo5ZmssGtc?}Wj*pKMby5hsam~-qlM6WfHaLULly!08i)7O+9Z$Hp
z@KDRskyTN-3#(1{zP_s7>tIsz4hRdoi%&oR7f5LujSLNK8c37A$7PE5{rmSoO5vF4
zDrZjf5$1qv3Ahkj?Fo$^F4gjG8x=hVN66EU=)3)rRIh4y*duz7p$=8XKQJ)W{dlV@
z>hZ_H40%C|;Pww_w=r;W%lNDf>^8<8H#Rl7uIH46l}boT?nB7z9}LRx&wa!lC^C^>
z?oE`Jlf!}K8n*`Cb66Yj)v0mY{hOT^5)+ff+^ff)Z#K-BoSeKmlt}>VS{XM<q@$*8
zFq_5|+Cd~GB_V5I3uACZs)4WdLYnpgIyNHXB9KfPwJDx>rcn>8^s+L-IpGi4?~*wT
zO){Jt3d7(25qYm&o}_5p&P(!wIrZ3lCU(5mvr2+5Dw2HT&`k!#{1)TKh9@2#LI{0*
zeVkFt&iAM{5q+jyPMzdvlZH$WtY>SxeJ}|=fBj0w$r)N)%r%mu)dqF0y|c3@%6V(5
zqAO7}vAOw~oxOeg@85c}wVpBwLgQP47sv?NZ6TI=`I3g7UeY!6g}l7UK&n)8bF<Cb
z03DoO;d#!JAs273yU^ls&@ah)DO`KLCD<BF)eE<fl9PJ~wInt5!APF2yn{n=_vqG7
z&)kUu!<!HV4%;)+e+!0&RFG#cbw(n$bGp)zmYVv#_x1TKxv-g#-TG7oXGKLthvz%3
zGAmoCTJ>k%WzO3=e@Al651-?<TCPW%B+SP<&rpksCQ^%k>Pwd;E47;L2$dIUhqZ^f
z9&gVE`}y76oG2+epTI&#<uvY^8<ZDKQ%ZXoNb>lGyuAF?<+eA|WPSywNe{c@UzNT6
z{d@d&51u}K%B))(myzf-VNi$SvJ|eaQEo%6nG=C5>`)5}y|2AmgDBRAPQP7Uo}=bF
zuB&CYd7Z7%BhC)jGi0h<_a72Gl&NoO`Ur?JzrEc%QDPn~=*+s<`W60?VUh6!#&DY#
zy6zi8GGz!kpYAPn^#A#MhjtYb_9hOw-a@lKkF)_Yv8O8RJFXQhTe41D6WgC(d!xDr
z&-{8GBCp)Y;oT~#ApSh!{qns@slB%^J)8^!R^o?wQVV*~e*0=hOP<P(HZR!LP%iW?
z^HpP{sO4yKSxrUx`1}L4<SB%U<wP+Gvowyd`%&@f1$?&v9wUfKRL;qXhnQ9SJ`0Pi
zYnN)ex6_Lk7`3&vPAl13Ww~~fYHVwJOP&9qq3urD_a^n5o<MR)$;vLB>@GrJFwh4X
z7#fb}>!TuAv`XKs_9gvUUfw$#)wMs`c!kUzs7jeCnISEEg98IUwaQox+k%!BS^^x_
z41^e8)p^y}6|)<6k;L#=c4R7Ngei4E{rMgCNEvam?S0(|wW2$mNj>a*86O|t1yb~P
zZ*SY+VCc`E45VD9^-1D>W97EA(b3Uear~iCQ6$;;!8Jz}9e0CRG>h}ynECmmF$o^B
zyY9U)()7cjh~hNCne{qn$<ZuHhI;F9ww6II<nrxkbCRi(iv;WB<b**|3ISk051SBp
zkF(WS%j;zRCVXGAH$m9-@^Cc#%zmXOKAPK{2+H@u=}O|w!1>8)SNn_0%gx%-9IdiK
zh}N^C%}%&LzgY<h7W&nG;<W|^+Ko72_XvRfy&l2sx%v6`I(aKgk-Ez(iQdLguZ1pl
znmX*fA)Y?rQuXZjiUzBhZ^Q~;oh%B$7ZS%Hx)}#8-_BI?!zW`v`RbE}fDZHF^+Suv
z(yst8eT7T$JsK}x-hu+R0;TZgeMZJF4Igh78Fdm-dY$O&xNmaTYtSIGcD%sQ&n{uP
zldUcl^5U0vh0-f|sH1tcXN<8tmJ99liN&U|Z?#S~%Vtfd#yCQU6n-UaTbnSON7R|Q
zBk&@;zn#rQ?)FyJ-?4PhUb*y2x#eg@<{ZR+`IJ?ybf&>e(9-jT$~RZG0SAo4u&`8e
zr(&z=7=XSBkK9Lk_V)JtUKiy`UJL-ivaviY4%2998D!>TK_7_o8IC3y=@87?<=+7C
zpr(e2bCnO;BMf`->)YD==%gcdcA9Yaf71r<z-vT&3lDFJV9~N*y@qfzsegw8^wIyJ
zY@oFVMEIMTYFA`XKuX6z!G3Jiao21#7yCybISS-lwgjKU=EU&ApLrm2Ne2VEu1kao
zuFLn(u}JDS#*17x3fd5czgwG|`KCqG=^i|oTVKx(i|m3>46<EpeI?_*n&gLI?ofUI
z{you>uecwMVu67~rQ>?*?qXYeH#cSc=5!S?`=?Bn^y|r@UJ-NKg*^F0kw7wDIsO3-
z60D8cy1KrQCJ1$mdWiL~`$MK&9kD4a5DLmYyrw0Z>9VoL1<dTVQekjMlLXgR8a;7w
z@q2*WE4_)%S;v#WzXt{f!&9EJM;rhVU!5$=YpG61NC+h7SE``G#}_;NJB$+cgs0nN
zf=$-?%&jINFc7OJK{&f>G+UjG$6`$H@S3{@=bh;FMN!|V4cp!9759^3qqlRZvmb5F
zJpqV9G;1ksGKeg;G;MBX>AI6$KfyjMA{a~ZPbR7&XPt~dqTp85_KntrIY<@q1XIq@
zA5T#|JU!dHy8i6UH^uQAl3Vuwdc|2~(rSsV`q(!pI2iZdy?ax&o|F2q-Be|SLr`^z
zjDkxoCzass4Gau0^KcBJhlPh5IcJDEZA1-oiHeHGZl4Wjt7o_!{!L9y-GS7wKUh@+
zj+E-7*bw4Jn_j<nc&LgaE(?j18>lX9_viDloI##vZY7jt*c~3KY{isM5)>pq#LyNo
zD3pJgm1xq?(2P|&GQnC-&d=>v`=~X`tYkYQSjMYeIlV7-Zvv=pOqSt#dwW+cWkH>|
zgO6`8e20M~3d9N!AR@QI&1Qdsf6&nxsg0B}<S1_3xKZx79?{|eKS9c4VS31mfrVB4
zbDAFFW^u6z*mBN@>+XWYQpsJli1pbz(L|3uOaM65Qd#AD$#X||aQ(x&o!!Sl`+2X5
z(pwzZ*cQL%uX%I5`HctUs2i9RGVyVR5Aa@BIhAN-aaiK=TF*F)UAd?Io{x2T6nt@G
z6lc4W=jh=&+0}!~(%ol`Z|g7^Y?Q7wN*_nLyIy|r{)=|C_p9q8T0~+V?>G1fbnZ>w
z#}6L(K>qBVZ`Xy!#dQ@JwuQYLGAlV)?Qhz$7ZwsS?N3GnY?>>Z^;+DnyGAD;bvNmX
z(&uJjWyN9tq;6n91JWQhBZEoM{^>G3tHtn5%df>4w{Fp}uyh-cXg5%FMf~~mCbqMX
zj+;B&b$_|Qenk#28Bp~THkneA7+RY8HnZ|+`pa-eQ!dhgwk(xQg915|$(1aK)$EV}
z|F`r!>iO|{8|_x(g}xwBG>c6ebiFTIK#_*+jeMt-G=<j!b)ANTLuu_5QCLEPoQ;i5
zlI2X9H5Cd9iZ7*WT3XsTc^M8KIk`oNrAn^$_;NJ_-OHab6VZu@+cq1eZ^x;;FA7>5
zzCLe)Jw-8;%7=v_72U>$g^-ZY2^4A5sqz9<_LvVNL|WJM_E277Uwr^;pqjVBJ39fM
zXgXcV4Zu+1X3s(4SXn7N%OZg@ds1ijyX@C+XlizSL5Dad=Yx>2rM9=T7;>}4Ths9)
z!-&KuXKrNjfi3REE4w%LSFvsWSd=#Hpc!tDI56BLAV>+r1r}lAyu$f*IExUu5s+0K
z{(i}E7N~}}!$SdM)viS?Nn!l^1p1}VF~)Am3<{Q<Ce`NU<>9ll)f|L$JC3`d=JU4h
z=9JAC01QK2(Q%naJ3CnWSXU=XD;ebAYM7&vi4Urnj-UVD#|FJS7R!0PYJCwyBwg>`
zA*zfhOeCH?`_XU8=dk*XgE`-FvUDh0J^06u`#4l0GJt^Pp68|0DY)$Dfi<+rzkV^(
zy+dLppcBQ23d+*wZX&Hg%dcjLMa8Jo*cwQGFE1}S?6yL}zI1p@T<3-lXvjpfwzgJM
zR=y|bWRcYA=&P1Z2gn5g&-%KuIYHPR3Gk9Z<oZV&<7(D;>6=M<@>(nsxu=vOmhORn
zdp2-RbVZ+Ec3qMmkeMEz?#4Lz(0jLxchvmOfBdUU?;WklEjHnUjdA7i3SO(JpFTfR
zLO%LuZkc<vj$XWZ^3>MWR!#KbawMxa03(lIRdZ|WUK6e;qIIrdn6nNZujO0DtoQZn
zH7Op`z9-RE0$lRa(kY-ZUQToK@kIgQw?Ex8imfr#5*B&~|3hs>SxYbK0Y>7)mdcL%
z`GdH#jCT_l2icYTfDd7l@D3d-J#(|PD+>3VnX>BZp8zpz1tRk~IGFza{U`TyXG$%#
zf+&SMwx+B4O}U;ue?IYA?(*yqNO|GU*w|;FPyhgJ&W|i10M$%uhy$<BfpX{S)>%D<
z)7G_X+=k7r;7E2#V77Xm-R1;0+#y}Yyzd7J>~zU^&)Aqo1ncW8a%zDI;`;JyS2wpp
z^HEkP!=Ij~JnG*afx^hFRVu@8tx#kv`#g}O!6ec1`BFzX61Ru#WxP?fR#1i%{_I#@
zzT2!^eKadbHqSQRI>~?4nX@dtYi>$Do1JNONJ1jI-Y_H3rJAe#iXV$>_uwEEYM!r1
znM42)5w%jDjxf~CTb>ClAoQ2~=@SrvWUb}4i(uu5Xq8&%18uH87?1`CSB}2+CDzG5
z$GPZW%G&|XwGYHZQ>d+4$5=o-J~6Qu>8ijZYSeiN7a4aOz)N7(EdISL_a-<~-E*mf
zkcdsE3rKi0*V_<@;O>iLynV{QK)iau2MFgafHJ~JEnw0^KI6VE3?>NN(O#p*jazSn
z0+&KyXzi%t@B5pS_XPzf7xF6^1e~|Jz;hZeF((E#t*E08#0fSVh;Sc3o!=7v;PvL^
z@hrWlsBUzv<s=WQPW21O2Y!cDJXcp&x!2l{ZGIFe@6Y>DF<N^7D&vZr)GuFvhDUxd
zm^q$t$1N|Sh@RES*L$y|j%Mgmce)%46m7tYKj#Mo3lh7EOmM55Hj@Dhi0CpF0RN0Y
z?|5A7wh>tuuC1*h0oJ%a=A{?f`mEU_yK(*Ik6sUSI%tjamh^iPhR!TZtN(d-Qb(FH
zs-q~<dHgKAL7PViV`YxG8&OEgYq<SY0f93d-DtG^cqh_!CW*q6WcNp+vgO)zRar}U
zC)jowVnd^&kx;`KYlf1s9&_>nw*qhF1T^vQ?r!8_e!Z?5F`xvsg{(JKhpTgQdLXpI
z3H%>!PL`=V39xVV2|8~*;Ngh?_n=6x;YPseO<c;20aYbbbSwqAVh<3ZM4R047Vw;;
zC1%4ne!Lw_?;z0_44SHPw$4(^d8wg60?ro~(vyVudI4IYNJHKC79q&Cq(MPDMTf1a
zXsGPpPflFYx+VHEmFbt1%=U4YA0JL|a&VAGkk_Bofj%|@#`WOgLwrig9^ln*APtDd
z#k%gbL3;?@P>$AUrVeP7%Q28Qq8B@;CcO!&J?;+x*H=~~)zl(dE<h()OqG8JHQARe
zaT{3{#l&ua|5QSfwg+65X;KBO4Y2<}6cs`^SWQ>90EgLD*_=oPv!mlq`03b8$d6$&
z*T0z=QM}fa{r&w8>m%3zM^H)IJ30&+eK6H}ABWQmI;<)rTRzG%z~+t>;d^I%o!_&~
z?~SW(q>anCYWMS-XP{Z8?C$8&?po=Y5U~mQKoK`f;J7!ozIjYRYvsmEXX9(`f8fV<
z-kj;Ju<dU4r}(wB<EZ0UccGU3Jk%k`QR}qt6>bBva*xmEKDXIWeP`!wsLW#G;{IR0
z7=Tj8y2sJH#lfhW)eLfQtuF~xM@Q$Mn>RV#4orzyG~e_~kD78-L$qG3h+Zd2g+2s1
z1+-Zj64@0j5aicuv-3agq0#L6H-OT$O-{x_Mda|ha0zfLJT(obPxJ_(6m|n24@w~}
zNQ08q;jdu!fVtO~Ax{PD;6p|RJ-Eb%ATs~us(7U^$-H^<07_F4SjbGIyjH*d33822
zg}2;s(AYQ%a=aygcz;M){(F3UH<XCa0RbuCYayjR;9Df?qY<+bs1=_TQ=Weh3u}fm
zKwqvv{$`jBXQ?^v!+||W)#Sl7jVdP=Ffou0Qic7BW>-ePsRpDd#{;0iwTqFuUP*un
z)%!hyPQ8X>`+efL^D8TUk&%(glF7NG;ImrS91>AeQ(MebM<1?_D(7f&U!BihYkti_
zEcz;dOT-06YV)Mh-Il8t?M%G;_lnqkWA8ctO<(GKi*e5Sekvk-xB5HUqw&=V)z<YV
z9Fph5^t`iIdmk=JJgz*9vTlxx*l*;@(9a@OvAV8jnw|Mn6Pa~&0|<$ewTwh^ono81
z3b#W>Kw!1Jb};Zk1u&}p`Z+Yx)YN1Y+vt*cP9QJT@at6(xs%scnt^w|+~Iv(qM$q<
zzwwYld+Z02Bdy0TI9w~xv1D&xo~_aNds5kuRBN&@lTfKFe^8&I09{YV#@4$acEcH2
zqz6mP)w4q@K~U0ga}O{3cNJPeVOGh}3`apl|2chE!r$Y)@%q`4i<gGPvbTH2j^|9B
z5G92eL*n<3ZHMGmPT3MMGrQ3n(ZOnA+l~Zu>CeBCzC1PDnQQP3BCF9wD&}8WWkKzs
z^n)pqxF0@zI9boDI{_h>sa;{0d1d3ytzGHh5AG^E7+y+;{mFDk!@EsX2TR|73mUrZ
zR|~y3X7!WIr3{|($W^oP7~kxBq5H|%NhlaEH-_siKIF9r=zTNZv}V|v&&U`|62E!0
zHQfoQ!SA~F05qQwXe`$FyG*x5&Q@uWmT1PO#2IP2GYYGF0;uwyHt_^2Uz=2fN=Re2
z1SOrYz2!zqy&J?+G!r~HYB;WD=r~)IF{ocw;a?vuF!3G=?asbg+IJBa3QSZoW+(B!
z6_j**JhF4TACCE5AP+AYtAa_Fg3Sl7u>e2&6dFl33IDY=)6?&w!y94Cry&-849TB9
z`I_-Q#ZdfbVE=!1rv7|%^nupYzaO&rl&3=DgSW61lJH;aY5m*Uez=|dJ#;fLFd*SH
z#zMNhP(@{8dA@$UiJLXeg>c#!dkP>529!e8BQXqKgMC^$Y;;u8ugkf4+Igc$Z@JK<
zmlE6n)7e^Kf%qVxFFckL&ERLcF8I@Lxe1b2IIa_cEt3Li?BeR0IYC72bI!0giV^Mu
zp2inY4B^n5K}u00w@B94rUR*%w~1LFFf#{&2bMX~3Z(#)MbgBXFW#0^Ng?oHJ=j?+
z0Dl@6+2=vzQqY7#G6DqjMwY)zQWnHmgGQ=8`<vZy$!$Ku4wYHJY2!Dzd1GMH?nPz#
z>`Xh)_CtoDW0N*Zv(@~usVMEh2^zUWLD3EFLil-^)ie#b`lCATve8ca%d+4<kJq@D
zg?h74`&22ic=W~#O4`|RfJ<L2C=Vx(fuKPEsw_ck1>lM?SQla&d_AD@sP*8ixSVg6
ztqo@21`xAB!t(%y8D#te57%OzSJMgx0|}R@LQ*HoiMHhW=fJ=RtgLd;*B~Yk<otHe
zqMhdIQL3w}!47vm+otoeVap1q2nh*6U|?bv2+D)E1YIO(!u0397DN_*;EAR{B@y5p
zaDu>gSnWfJmumxx*orJ5P~TBLfBt-*mi8mqHGLKKCPo!d8C17cR#pVHb6sr&i-Lat
zet}#Yl;%v;Y$9Ob$P5dmmq$`n!1fMsSl>>TvdqlP(47zyicQI@P;G)|rnqW|{t*S5
zIRMcuu!^uY@2gW2x1$YzfCVt67XUGluwPv*w1jK~fO5B8A7NQ?1%g?k;g_-$V{c3W
z)?Z_9Z!lyp$_|)|k1fX7!LslV4!)^(eRb*ZcPNv@o141%Qm!N+FSE`4@ULnBJC`$%
z$c{)hc|E=Rdd$Ke``x^8BA%oGj&cb??O=W&UPw!$>Rp`d@<fJ*gd|VpBK=Oopa}Dx
zXh)=Aa@w4@Lrg3gOexIgdBz0_APwRX-n|bz$@h>DgMI>Hu`uB*Uu#oS20%s=&}z_n
z8H+Q4peEv;2XsX;aj(-QV%VpjYB{9fP#{!(DxkcBrt}yV5~l2~E?i^RZHu+-dw!t?
zI?jT%6a}(LAybJCo=F_aFw*h>DwPb28Ol=a>`#=$m|s?55fs{OCitaWmyjYEtSNj1
zfols55lZ)s#{p|K?#IT^Zv{;>0JO_U$PQY)yGKXMK&H7YCsa<QWMtm7d?EA=(kd;3
z8|Tu(TVEf|+Xnz0taLO-OccLug0MUVI7s_*-$%hY4%tiwbT{b;djvveu-4NZh$Cc;
zAd+1vr^_Tk^b+;1jpk87pARty>RT=S{OpVa9Ac0xFQE?u8@K>L#{8<#2Y}?R+k2lH
z*jOhD0N0_MRLrzI1cFc;ISZf_2?TlfV!sy^$;{!!@qv7?E0n`fbjl>HCH?woRM$KH
zD;aO0)wBSzO$5wG64;>Y_2n^;n~%fxQ0OHAvf8`5)4=m13YG<T@fIOtzHv7xxF*lT
z8C8)54QzjgVwRu?tuRN39{;+lGild-q_+tU^c?I$zMJ?R<mT$=F#F&ch5r@rhMqff
z$bUEx@NdQQKQlkj-Mc?*%C&mvcHmaCNB8~o^b|gW(E_SsZf?$fT1~$RILENn2fSpA
z4X>!m=P6IKhZok?{ME8m8%Y8akC|THJUw%z-jc^@B7TxR%=i=wzdB7;UpM%H4@10#
zSE$5O{Bki2#lpBV9NyEH)YLu<uQ(>2{wJp!{)-RuZ>P@<@xGce-z$+w=K5xBbH{n`
zHKs16{5;N=Dhg?r+mbIIct{Ia&{a#kRhZggE~k(txot1!>0Ti0E37J}5+>p6`^zW)
z9nGh_nv8OR*BH(QY$~tgSv$}p8%IZep=I!E#`)yiNCt@&&l#33hvTuv#^LBnQm@M(
zq<3yPFU$OlnRR{`=Id_H=&^~G!&zoI?Og0Z{gO%DyyB>FBzm&(l904E-S75oO|5-?
zw*<Vc#%M~*hS?)4X+$IiPSdF3j=*`<oTXML@q*Vv7bcf`(z*-@d=J~HX>@$9#CdYY
z-ZDr0^SPA%;cG1v^KB>nUc#-;WeK974+Cm*0tEH=wT-X&Zs~q~4uF(@f~_&ddLpD1
zJRYlCj+?#Xn4Y1vQwxPJAt7zgkj96BaBpw#H}v;Tqq5(#Onsb|=MJ4CO#Tyf6xtX>
z-tB$+*!WIukX#_)#+_I%Ft)a=Zu{C0z$k{=``aVuk^Gnj$4mLk>kJNuZZ+gYnDaN_
zwmNx|DgB^LSkjx~FMD(-G|GuH{-P}>Y3)Gi5Ryzo!<;OXa6NZC!q<nnmoGihp1+5g
zp0!+N_Vwc&$rVeT+?ucaAgrtG-w+q*#6Tw0P~oihNDxEO<LEihU7|w#=B>761x^#z
zI2ey<bPW0wIWE}GG8NjCWPHS04#$#BH^TS2sMz@GY~<xU9X<3vHu~cAeD{=!x=UJH
zXp3R%+%BTV^U61`M(N{PSr~;6gMj<_H%>Z?d7a{*)_nmQn7vv5Qe@qJwX74Db^2lR
z4o=}?jCoS`#Z`&%MThRu@ij4wwl|6Rb7H-taTX86?gnp&i&a#Q^|$Kf4b26SDF814
zxAI>^<*siIPk5`-43qm+&qC<s+qjAZ@vjK^<i;B=slIg+-F9D6JlkgoE$kd)-R;hl
z`_g8ZUVdz;vf7*a^hQQ2(GNZA#C3*u{&wklEq<<1aMMosJC>S}+}B#mPGg=c4nz%;
zn<!K>_q4+!hC8c@<8m@M#$9MWx_UAZ%vrv26?D;Q`y&3fdZdbjnsDoq80`gKB*osP
z=y7IWpF&BjO|NI6DB=FrlZ`(UtZasZiDj;DhUx6~=KIhnL@$dX@axZe)>ex)Zmf-?
zJ0*0}IN4dM-p~lcmbf+RZYv=N!y{z8R&T%p2XYbe{rmg8JT_p?Z%%gR!8sc=@KVNh
z0QppXG+`bm;P?g9JaU{uv(y5!9y-rR-G8zeEDAIMfF%Ige_u@rR?5}p4_KP6b`8Z9
zz4!*SFC;ozs>bb*M9_&D+MG6L+))$7!0Xg<wcEi;cmcg*uvNi~!6zh?aB~xoj%1|+
zf8gN20opd*$Y~%xn;*)ZJi{Kc$IhD*EjOt=>Y?Wh5;++<5lAp8v(}C6b#}TMnCm*!
z_6u%%J#<H>b8=qDu(nc6u6Fn6YG2@tx$5_be+gegSjs<a^@*c)QAOOo!Jkx_zL&;E
zZ3_-Gu}pHg)yyDD^9(pWRln)vm7RtrCd!wX(N)>TOzc4avjChj@U4)>Gss_LQxE21
zP<IlqFZ|}4{Fr)SUIUT_3D-ix!kF0DFbeP<I3ft)&M$;aCtwLcThPbX_YNK&vVotO
znF)QUaJ1V*$UKV(jfr^)Pz^6*xmWc1A3ZQgk!|zLQT<!xz;2MO51@+3COiy0pwH=E
zpApCMT0f+t^94i#l^WJ&+#S;blPt^;i>p4dr<FLALNDNgJ9~Qza}6K=EG_N+36<Xi
zK|F2|%efzk9(=XUu^wc^aICvd*wvLAULKOrc5pcQx$5WQUvpeO?bh|l-2K1uqb%tq
znXeL>!^r7eP#D8T^DPZ5C$5`pqpJP_O1ikX!0IipqG}CZr1Ue0z8ki-y=DqG@&mJ{
z2;LXcwhy6`-r3z%q|~agqoeZJL7DZ~|0;3v;c+pvwO$pQ-qFk<s?iBn%U%K(9*OP1
z$we-9#6gPPcmmN7`cM|>U?Y2-Fx<q{xx2q_2(lk~FgJF<x7)3|z6^%Js)@B7w7&I2
zWTyx?h%%5Lgvj-U{fy`F>j>soV!-1+`}@Npij1*u6EV*L0aR@q4R>s5YuksBk$x~<
z5lBi0{Ni+@sCRWFhYSb;>)wUgm%2FFx>hfudBK&Hb&o>P@F8a5SFY$ft7@5jOVtCM
zQBxj<7_sEFVU~~OefLPc&P>{G=HV@W;p#cI>I4D-(JYfFGEL)xLg{&+hyZ$RA>usr
zQ?VnGAjYe$xf!MjqrjfTuSO6us^|f4`qxyND>NI_KM+GF_trc3Saso+E*GEW!}J8G
zYWO7hU&SqkFvWy|oEc!vyQv2=crU-*K(c9XXgfpm8AR6?;X2YF?T+-ef!pL&A+in{
zXaQ}xsVkx3Cikn=Ty-{dTuyFuZ4z|-qAXqEMzd}cz^`7|Vho?31j_}8=d<;Zobb1x
zx<GA!If_MsIuQX%{FQ7#Kmh6wcr3MG$BnV?K(TkB258Ax&s0~mTmqL$={NoT`**!6
zTBH$W>9RFC0va-iKY#v|S5ww!5#c!Nlx3zW#+`1L&_))no$jJpy;*a0c4p*ea^tA;
zHX>EuZR|w-tIF6WJ<W7Su%dMMH=5)b?`~UXYeg}7c#SFLg6fC7Cm542jmA-sVgro8
zAn5w;!0=8eFzVg%oKR2Tc)-^*WO;?lz|N7&(MstD-_GQ5w~F83`e8@$t0Lo9!nkwb
z8I(m?-5UC^|F%Rk`-rG4T|HZkCHrl9r3aAHf|a_+1-4mCozUy8>h=)Hti6@4J{mUX
zYkmsP$k!@z)zN|;k78>(SqqmEOMWWUsvODs#4?1>yDxX$dnljK1p{`NSXilWuY=7=
zq-i<;Gb>fJC|&XjQJuYI1(E!776|BXwJbaA?{LSzs8F}a={)!}Kd(PMZ0~sGPIpyU
zFr-IWjj%q-?oy^e-4x2Uxp`&n)0DFz*m<~DPxJZsN|#R>5m1$>@@X5!n#%wCEDCa>
zga`#GfFdJ_$;oAultMVVI<=wHKYsk!=hLSF;NFoD=8Ps`4<9{xq$cd4EL=5b&em~p
z+^9$<tn&^HHEYLX^oIe9`_30>q6V#`>Q5{LW<~teAFq!)v5n4V>;;T1rRJv_dMH>h
z=d+YfORu1hh{_IjUUtGbNH~<yRuVs7UzB_(^4V?3h6XGSh8EbqOiU>mZO_!G4T2Ow
zBUztpiNCfIbmNbuq|&V~iyKLPcz)E>f~!-%!12bL4O>+1r^K6|y!&Tr%SJ_^Hae7j
zb-S1L?S<vnVI4czw>Y-mq~o#kdz`RCMk4~}&9_svo~GZy2lMwa(ymRPt#k|ksfijv
zi??M00jt_7hI#>t1Ze_-k;!Q>mT%DOU52e=>%SiDHbbTqzIEt{;$osen6RmIF^6_y
zW6J$dLM8P};!UlqR{?TK&d&$C*0rKX-OvbDbBs0@xz`4NmpvPK<inCyxWR5V#DMHK
z+-9qO0v>fkLqnXXcLK~>f!X%L#)f?~Pj>~HG;$QA@NOR4E<6)C{X>9MTN9<00kBgb
z5|;qh4%SEI?=39h{14XyEbiu(7JYUSm&0N8Ot3lpyS#aaf33Dx3<-V8t;DK77ti7-
zQSLXdMtjSZ@1OzG%oTQ)PTP9M$2hD7hnV{EnH#4;q}*Six!GU*RvAX?_-*D8AP@j>
z_lDJVA2p@iItrwS=Ch><AY!2bYh<x4xCrJu!F6qf0ftU!ifoNYS7a1xvVbx}CO%TX
z641-x-MQ0HXw*r<uJ;5|g}9bVJv5(msozYmotBQQS}g2g+TNbQynwpsY#Em~rHz%y
zR98nvR^7Sh&#&4#%rY;Hdey@$mxOFO=Lj3){*C<K=hmg(qRu?MMX-i+yZ#Sj)Bk?*
ze`3n||Ig{=jwh{cZJbt9d|)}k$ldX<yn+HAc-*uiB08I*DR>L4J1SKu&Vz#6)lJ~c
z3|T$@jvShV$yrcjOzOERRs3R~@s~%0XQ8F8v-$9DtY9@dwGVe0&MeHvmBcDoZ0(Tx
z;EhZPz?^t;vE6!19t--%r<)J?Qu|GZK*KFie*3@o;uMxy*@$xaZ5RGQPA9??9$SG?
zkZx%6QnAoV;*WmzpP5wGU$B@9crcQ9Fm>nqAd4DcEDKuTkFiO)V7@J7tW(=|RqcBM
z{XEl@e;CEHB$x{1ciJF<p4~jSQ)ax97-b+@<07J?+kqU8m0FUux3|OL&*w2dc{bxv
z4`Kf3ru)$bH7%|9<}!w@Zb(cXLm@219&8p$mpK%$Gd_WJJ|T<0P)j|}^rc0Q-RA7z
zZ4a1YzypxxlV%RN0;VF#xb!oB=r|!c19UxAH`C!_@NyV<zCIU+hQ-^FU-!U7`q#Zb
z_~bD}eEWu{Sz;#f<jK1U**gohpbx%0U}ygZW|Sff=a$6MG<!-ls+TvztPzaqfqz7C
znr=k><!PfjUkePK0q*q!5yh`)*7#f~2M1wCFtD-HAgSn_IC9+3Z~<7W4&q2r@J||R
zOhJvK1TJ#R*2#*x)##jBu0vBW5r8Q3>;}1QWRt<*^>b{2c)927VLzZxy8uIBYS|^H
zfSX~n=~VT9%gV3Y`E=*M{ga31?5E{t4Mxkbl~_SVlR2K4hW+{u1;?Au6S53E&Mw$u
z80J=vjX8Rj2QVIqq6el0_;s26sWjOd1vKKHu;$@#f!k}PV}gaN6(0I2(0{;^%y<_Q
z6!#y*F$nO_Ka`oO+_>+9mj;&U|MI&FHnIIUr>D8Ea~XZ`%>Ey2;Qx%1@xR^tKm5gs
zr{5dZQ~EV7h{X6Lk0|tMg#Y!+7oe=1O{lk6##cIUGTg!FX*Fp2_VwB4<VWRH?X@aA
zkLK4+QS*r_3;QwVW0E(d3ll3c4B~AF#O{9G5Kr#gDJlE@yOs7?|8Ehx9~j)aNWtn*
z`nRT#DqL1m>)OSH2V>mS$L6)|5zF}ORDf#ls9NvHg>wTHwa@;>rg$l9?YGO$8vfV&
zC1unkSf4^HzvEeT%+%7T*M!T;4SQG~f_`xnn4UI|$Fq8tF~~m^`D}dQtrv&}jcUQz
zS>9>Z^8Qr^0Voy_x~3&|C53osYlm(Q0u<1G!jZ;7v!1MEoAS%Z@lW?Ie`L{Z9eXq1
zUoL}|lat_M!#hwcCze-+nn9=5)LW84J$^9rkv*xIGh$F#vqD_WG8IX$aqMDQ;A~KT
zxAk9~+j@6W@r0<_GT@(Lg^!#mcW%wFj-`|k)|W2Z^O({FP6w;@mg!|S#JS3kjZlX^
zvXR{<!g}pqql5X%Ry1E7KY!Sqg`_@6Y*YtNdaja}&Vypuy*q=j+Vbxjkw*|`1Cy|>
zA}L|Uin&*nUht?632~_xrvCApqGc@weX`H4{tXUP7RO%Q-oy{|nO@Sm&#(O40$+nu
zG})rSy)kF5ooCR2KzT04ttKdfb_so6F7A<N)GXVtyNWhmTI+aQZSxA8`)hN2K9-kv
zJ!(%mx}-1y&fhc9-B5R{405Z*Z`|s%8gHnE5$fCMzqW`yf>M;k8}9QaK5V{hR9ubm
zB6d>h9`V%bB-;9yX>nsLdgcA1K;D5%%jIuH+%X-D*xAx!jRqrWj4EC~Ze6WG@<W%~
zJto;!7Lfl_!MB)1`3T@uF<DSR!eim!_x10vn|KpfTbiGOZylG}EASU{^32jY#zq&s
zwOhD@jUBgh1J?-`y#D-DnX`EH^h4RkBQB4mojFH`$q`S<PU7TZMrM*tG;2kx+s7*^
zCm+m(H8Z!r6t;%zoB9er>_E?GB96PQDj5)pAlmwwulU5bo2fyIr{Zqy!`y@?p?!o#
z@3V<tzF3X0l(?l!khyeAzk7HhpCR@OVeLaYibDK}WG;raZ()6e%V3|~4%xXY)~Lp}
tJS6$DGOL^{-lvQK`+-o)^uaaC@tuYrfzR$7!|z`qq$K2?<%;Qj_-{7-Vrc*X


From 2b3420c8016e92fb4ba52c5198cb1971a40051cb Mon Sep 17 00:00:00 2001
From: "Michael N. Lipp" <mnl@mnl.de>
Date: Mon, 31 Mar 2025 12:21:47 +0200
Subject: [PATCH 260/274] Update component picture.

---
 .../jdrupes/vmoperator/manager/package-info.java | 16 +++++++++++++---
 1 file changed, 13 insertions(+), 3 deletions(-)

diff --git a/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/package-info.java b/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/package-info.java
index 337b5e3..1d05ec9 100644
--- a/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/package-info.java
+++ b/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/package-info.java
@@ -1,6 +1,6 @@
 /*
  * VM-Operator
- * Copyright (C) 2023 Michael N. Lipp
+ * Copyright (C) 2023,2025 Michael N. Lipp
  * 
  * This program is free software: you can redistribute it and/or modify
  * it under the terms of the GNU Affero General Public License as
@@ -83,8 +83,18 @@
  * [YamlConfigurationStore] *-right[hidden]- [Controller]
  *
  * [Manager] *-- [Controller]
- * [Controller] *-- [VmWatcher]
- * [Controller] *-- [Reconciler]
+ * Component VmMonitor as VmMonitor <<internal>>
+ * [Controller] *-- [VmMonitor]
+ * [VmMonitor] -right[hidden]- [PoolMonitor]
+ * Component PoolMonitor as PoolMonitor <<internal>>
+ * [Controller] *-- [PoolMonitor]
+ * Component PodMonitor as PodMonitor <<internal>>
+ * [Controller] *-- [PodMonitor]
+ * [PodMonitor] -up[hidden]- VmMonitor
+ * Component DisplaySecretMonitor as DisplaySecretMonitor <<internal>>
+ * [Controller] *-- [DisplaySecretMonitor]
+ * [DisplaySecretMonitor] -up[hidden]- VmMonitor
+ * [Controller] *-left- [Reconciler]
  * [Controller] -right[hidden]- [GuiHttpServer]
  * 
  * [Manager] *-down- [GuiSocketServer:8080]

From d67f374de7b5393024bcd4092f5d9b13155840d1 Mon Sep 17 00:00:00 2001
From: "Michael N. Lipp" <mnl@mnl.de>
Date: Sun, 13 Apr 2025 16:48:42 +0200
Subject: [PATCH 261/274] Try umami.

---
 webpages/_includes/umami.html      | 1 +
 webpages/_layouts/vm-operator.html | 1 +
 2 files changed, 2 insertions(+)
 create mode 100644 webpages/_includes/umami.html

diff --git a/webpages/_includes/umami.html b/webpages/_includes/umami.html
new file mode 100644
index 0000000..8066278
--- /dev/null
+++ b/webpages/_includes/umami.html
@@ -0,0 +1 @@
+<script defer src="https://gotit.mnl.de/script.js" data-website-id="14b277ad-d330-4a54-82f1-a77d111240ac"></script>
diff --git a/webpages/_layouts/vm-operator.html b/webpages/_layouts/vm-operator.html
index b85f650..40bdff7 100644
--- a/webpages/_layouts/vm-operator.html
+++ b/webpages/_layouts/vm-operator.html
@@ -8,6 +8,7 @@
     <link rel="stylesheet" href="stylesheets/styles.css">
     <link rel="stylesheet" href="stylesheets/pygment_trac.css">
     <meta name="viewport" content="width=device-width">
+    {% include umami.html %}
     <!--[if lt IE 9]>
     <script src="//html5shiv.googlecode.com/svn/trunk/html5.js"></script>
     <![endif]-->

From 5bcf0ba0512950ba73adafe692998749f9afc4d6 Mon Sep 17 00:00:00 2001
From: "Michael N. Lipp" <mnl@mnl.de>
Date: Sun, 13 Apr 2025 17:01:38 +0200
Subject: [PATCH 262/274] Add umami to javadoc.

---
 misc/javadoc.bottom.txt | 1 +
 1 file changed, 1 insertion(+)

diff --git a/misc/javadoc.bottom.txt b/misc/javadoc.bottom.txt
index dfc3373..d5589ac 100644
--- a/misc/javadoc.bottom.txt
+++ b/misc/javadoc.bottom.txt
@@ -32,4 +32,5 @@
     <noscript><p><img referrerpolicy="no-referrer-when-downgrade"
       src="//piwik.mnl.de/matomo.php?idsite=17&amp;rec=1&amp;action_name=VM-Operator" style="border:0;" alt="" /></p></noscript>
     <!-- End Matomo Code -->
+    <script defer src="https://gotit.mnl.de/script.js" data-website-id="14b277ad-d330-4a54-82f1-a77d111240ac"></script>
 </div>
\ No newline at end of file

From 6ef4c2aaa26eb9480edcecffc5239a8ae2979e44 Mon Sep 17 00:00:00 2001
From: "Michael N. Lipp" <mnl@mnl.de>
Date: Mon, 14 Apr 2025 12:08:48 +0200
Subject: [PATCH 263/274] Fix return value.

---
 .../src/org/jdrupes/vmoperator/common/VmExtraData.java        | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/org.jdrupes.vmoperator.common/src/org/jdrupes/vmoperator/common/VmExtraData.java b/org.jdrupes.vmoperator.common/src/org/jdrupes/vmoperator/common/VmExtraData.java
index 83d9577..6a94c9c 100644
--- a/org.jdrupes.vmoperator.common/src/org/jdrupes/vmoperator/common/VmExtraData.java
+++ b/org.jdrupes.vmoperator.common/src/org/jdrupes/vmoperator/common/VmExtraData.java
@@ -118,14 +118,14 @@ public class VmExtraData {
         if (addr.isEmpty()) {
             logger
                 .severe(() -> "Failed to find display IP for " + vmDef.name());
-            return null;
+            return Optional.empty();
         }
         var port = vmDef.<Number> fromVm("display", "spice", "port")
             .map(Number::longValue);
         if (port.isEmpty()) {
             logger
                 .severe(() -> "No port defined for display of " + vmDef.name());
-            return null;
+            return Optional.empty();
         }
         StringBuffer data = new StringBuffer(100)
             .append("[virt-viewer]\ntype=spice\nhost=")

From 7d298ce24b91269dcb4cb68af2ae01397339ba10 Mon Sep 17 00:00:00 2001
From: "Michael N. Lipp" <mnl@mnl.de>
Date: Mon, 14 Apr 2025 21:39:35 +0200
Subject: [PATCH 264/274] Clarify intend.

---
 .../src/org/jdrupes/vmoperator/common/K8sClusterGenericStub.java | 1 +
 .../src/org/jdrupes/vmoperator/common/K8sGenericStub.java        | 1 +
 2 files changed, 2 insertions(+)

diff --git a/org.jdrupes.vmoperator.common/src/org/jdrupes/vmoperator/common/K8sClusterGenericStub.java b/org.jdrupes.vmoperator.common/src/org/jdrupes/vmoperator/common/K8sClusterGenericStub.java
index af87af2..6b5fd7e 100644
--- a/org.jdrupes.vmoperator.common/src/org/jdrupes/vmoperator/common/K8sClusterGenericStub.java
+++ b/org.jdrupes.vmoperator.common/src/org/jdrupes/vmoperator/common/K8sClusterGenericStub.java
@@ -240,6 +240,7 @@ public class K8sClusterGenericStub<O extends KubernetesObject,
      * @param <L> the object list type
      * @param <R> the result type
      */
+    @FunctionalInterface
     public interface GenericSupplier<O extends KubernetesObject,
             L extends KubernetesListObject,
             R extends K8sClusterGenericStub<O, L>> {
diff --git a/org.jdrupes.vmoperator.common/src/org/jdrupes/vmoperator/common/K8sGenericStub.java b/org.jdrupes.vmoperator.common/src/org/jdrupes/vmoperator/common/K8sGenericStub.java
index b8f1992..aef791f 100644
--- a/org.jdrupes.vmoperator.common/src/org/jdrupes/vmoperator/common/K8sGenericStub.java
+++ b/org.jdrupes.vmoperator.common/src/org/jdrupes/vmoperator/common/K8sGenericStub.java
@@ -359,6 +359,7 @@ public class K8sGenericStub<O extends KubernetesObject,
      * @param <L> the object list type
      * @param <R> the result type
      */
+    @FunctionalInterface
     public interface GenericSupplier<O extends KubernetesObject,
             L extends KubernetesListObject, R extends K8sGenericStub<O, L>> {
 

From b7fad4614db37bc9f72b3d622fc708d15bdde5e9 Mon Sep 17 00:00:00 2001
From: "Michael N. Lipp" <mnl@mnl.de>
Date: Tue, 29 Apr 2025 14:02:12 +0200
Subject: [PATCH 265/274] Improve debug messages.

---
 .../runner/qemu/GuestAgentClient.java         | 16 ++++++-----
 .../vmoperator/runner/qemu/QemuMonitor.java   | 25 ++++++++++-------
 .../runner/qemu/VmopAgentClient.java          | 27 +++++++++++++------
 .../runner/qemu/events/MonitorEvent.java      | 18 +++++++++++++
 .../runner/qemu/events/OsinfoEvent.java       | 19 +++++++++++++
 5 files changed, 81 insertions(+), 24 deletions(-)

diff --git a/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/GuestAgentClient.java b/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/GuestAgentClient.java
index b0001e4..45d2487 100644
--- a/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/GuestAgentClient.java
+++ b/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/GuestAgentClient.java
@@ -69,14 +69,14 @@ public class GuestAgentClient extends AgentConnector {
      */
     @Override
     protected void agentConnected() {
-        logger.fine(() -> "guest agent connected");
+        logger.fine(() -> "Guest agent connected");
         connected = true;
         rep().fire(new GuestAgentCommand(new QmpGuestGetOsinfo()));
     }
 
     @Override
     protected void agentDisconnected() {
-        logger.fine(() -> "guest agent disconnected");
+        logger.fine(() -> "Guest agent disconnected");
         connected = false;
     }
 
@@ -88,15 +88,16 @@ public class GuestAgentClient extends AgentConnector {
      */
     @Override
     protected void processInput(String line) throws IOException {
-        logger.fine(() -> "guest agent(in): " + line);
+        logger.finer(() -> "guest agent(in): " + line);
         try {
             var response = mapper.readValue(line, ObjectNode.class);
             if (response.has("return") || response.has("error")) {
                 QmpCommand executed = executing.poll();
-                logger.fine(() -> String.format("(Previous \"guest agent(in)\""
+                logger.finer(() -> String.format("(Previous \"guest agent(in)\""
                     + " is result from executing %s)", executed));
                 if (executed instanceof QmpGuestGetOsinfo) {
                     var osInfo = new OsinfoEvent(response.get("return"));
+                    logger.fine(() -> "Guest agent triggers: " + osInfo);
                     rep().fire(osInfo);
                 }
             }
@@ -120,10 +121,11 @@ public class GuestAgentClient extends AgentConnector {
             return;
         }
         var command = event.command();
-        logger.fine(() -> "guest agent(out): " + command.toString());
+        logger.fine(() -> "Guest handles: " + event);
         String asText;
         try {
             asText = command.asText();
+            logger.finer(() -> "guest agent(out): " + asText);
         } catch (JsonProcessingException e) {
             logger.log(Level.SEVERE, e,
                 () -> "Cannot serialize Json: " + e.getMessage());
@@ -163,8 +165,8 @@ public class GuestAgentClient extends AgentConnector {
         }
         event.suspendHandling();
         suspendedStop = event;
-        logger.fine(() -> "Sending powerdown command, waiting for"
-            + " termination until " + waitUntil);
+        logger.fine(() -> "Attempting shutdown through guest agent,"
+            + " waiting for termination until " + waitUntil);
         powerdownTimer = Components.schedule(t -> {
             logger.fine(() -> "Powerdown timeout reached.");
             synchronized (this) {
diff --git a/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/QemuMonitor.java b/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/QemuMonitor.java
index 6be7603..e844bc4 100644
--- a/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/QemuMonitor.java
+++ b/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/QemuMonitor.java
@@ -108,24 +108,30 @@ public class QemuMonitor extends QemuConnector {
     @Override
     protected void processInput(String line)
             throws IOException {
-        logger.fine(() -> "monitor(in): " + line);
+        logger.finer(() -> "monitor(in): " + line);
         try {
             var response = mapper.readValue(line, ObjectNode.class);
             if (response.has("QMP")) {
                 monitorReady = true;
+                logger.fine(() -> "QMP connection ready");
                 rep().fire(new MonitorReady());
                 return;
             }
             if (response.has("return") || response.has("error")) {
                 QmpCommand executed = executing.poll();
-                logger.fine(
+                logger.finer(
                     () -> String.format("(Previous \"monitor(in)\" is result "
                         + "from executing %s)", executed));
-                rep().fire(MonitorResult.from(executed, response));
+                var monRes = MonitorResult.from(executed, response);
+                logger.fine(() -> "QMP triggers: " + monRes);
+                rep().fire(monRes);
                 return;
             }
             if (response.has("event")) {
-                MonitorEvent.from(response).ifPresent(rep()::fire);
+                MonitorEvent.from(response).ifPresent(me -> {
+                    logger.fine(() -> "QMP triggers: " + me);
+                    rep().fire(me);
+                });
             }
         } catch (JsonProcessingException e) {
             throw new IOException(e);
@@ -141,7 +147,7 @@ public class QemuMonitor extends QemuConnector {
     public void onClosed(Closed<?> event, SocketIOChannel channel) {
         channel.associated(this, getClass()).ifPresent(qm -> {
             super.onClosed(event, channel);
-            logger.finer(() -> "QMP socket closed.");
+            logger.fine(() -> "QMP connection closed.");
             monitorReady = false;
         });
     }
@@ -158,7 +164,7 @@ public class QemuMonitor extends QemuConnector {
     public void onMonitorCommand(MonitorCommand event) throws IOException {
         // Check prerequisites
         if (!monitorReady && !(event.command() instanceof QmpCapabilities)) {
-            logger.severe(() -> "Premature monitor command (not ready): "
+            logger.severe(() -> "Premature QMP command (not ready): "
                 + event.command());
             rep().fire(new Stop());
             return;
@@ -166,10 +172,11 @@ public class QemuMonitor extends QemuConnector {
 
         // Send the command
         var command = event.command();
-        logger.fine(() -> "monitor(out): " + command.toString());
+        logger.fine(() -> "QMP handles: " + event.toString());
         String asText;
         try {
             asText = command.asText();
+            logger.finer(() -> "monitor(out): " + asText);
         } catch (JsonProcessingException e) {
             logger.log(Level.SEVERE, e,
                 () -> "Cannot serialize Json: " + e.getMessage());
@@ -192,8 +199,8 @@ public class QemuMonitor extends QemuConnector {
     @SuppressWarnings("PMD.AvoidSynchronizedStatement")
     public void onStop(Stop event) {
         if (!monitorReady) {
-            logger.fine(() -> "No QMP connection,"
-                + " cannot send powerdown command");
+            logger.fine(() -> "Not sending QMP powerdown command"
+                + " because QMP connection is closed");
             return;
         }
 
diff --git a/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/VmopAgentClient.java b/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/VmopAgentClient.java
index f50d397..cac41d4 100644
--- a/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/VmopAgentClient.java
+++ b/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/VmopAgentClient.java
@@ -59,10 +59,14 @@ public class VmopAgentClient extends AgentConnector {
      */
     @Handler
     public void onVmopAgentLogIn(VmopAgentLogIn event) throws IOException {
-        logger.fine(() -> "vmop agent(out): login " + event.user());
         if (writer().isPresent()) {
+            logger.fine(() -> "Vmop agent handles:" + event);
             executing.add(event);
+            logger.finer(() -> "vmop agent(out): login " + event.user());
             sendCommand("login " + event.user());
+        } else {
+            logger
+                .warning(() -> "No vmop agent connection for sending " + event);
         }
     }
 
@@ -74,9 +78,10 @@ public class VmopAgentClient extends AgentConnector {
      */
     @Handler
     public void onVmopAgentLogout(VmopAgentLogOut event) throws IOException {
-        logger.fine(() -> "vmop agent(out): logout");
         if (writer().isPresent()) {
+            logger.fine(() -> "Vmop agent handles:" + event);
             executing.add(event);
+            logger.finer(() -> "vmop agent(out): logout");
             sendCommand("logout");
         }
     }
@@ -85,23 +90,27 @@ public class VmopAgentClient extends AgentConnector {
     @SuppressWarnings({ "PMD.UnnecessaryReturn",
         "PMD.AvoidLiteralsInIfCondition" })
     protected void processInput(String line) throws IOException {
-        logger.fine(() -> "vmop agent(in): " + line);
+        logger.finer(() -> "vmop agent(in): " + line);
 
         // Check validity
         if (line.isEmpty() || !Character.isDigit(line.charAt(0))) {
-            logger.warning(() -> "Illegal response: " + line);
+            logger.warning(() -> "Illegal vmop agent response: " + line);
             return;
         }
 
         // Check positive responses
         if (line.startsWith("220 ")) {
-            rep().fire(new VmopAgentConnected());
+            var evt = new VmopAgentConnected();
+            logger.fine(() -> "Vmop agent triggers " + evt);
+            rep().fire(evt);
             return;
         }
         if (line.startsWith("201 ")) {
             Event<?> cmd = executing.pop();
             if (cmd instanceof VmopAgentLogIn login) {
-                rep().fire(new VmopAgentLoggedIn(login));
+                var evt = new VmopAgentLoggedIn(login);
+                logger.fine(() -> "Vmop agent triggers " + evt);
+                rep().fire(evt);
             } else {
                 logger.severe(() -> "Response " + line
                     + " does not match executing command " + cmd);
@@ -111,7 +120,9 @@ public class VmopAgentClient extends AgentConnector {
         if (line.startsWith("202 ")) {
             Event<?> cmd = executing.pop();
             if (cmd instanceof VmopAgentLogOut logout) {
-                rep().fire(new VmopAgentLoggedOut(logout));
+                var evt = new VmopAgentLoggedOut(logout);
+                logger.fine(() -> "Vmop agent triggers " + evt);
+                rep().fire(evt);
             } else {
                 logger.severe(() -> "Response " + line
                     + "does not match executing command " + cmd);
@@ -125,7 +136,7 @@ public class VmopAgentClient extends AgentConnector {
         }
 
         // Error
-        logger.warning(() -> "Error response: " + line);
+        logger.warning(() -> "Error response from vmop agent: " + line);
         executing.pop();
     }
 
diff --git a/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/events/MonitorEvent.java b/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/events/MonitorEvent.java
index e35a172..6663fa4 100644
--- a/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/events/MonitorEvent.java
+++ b/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/events/MonitorEvent.java
@@ -20,6 +20,8 @@ package org.jdrupes.vmoperator.runner.qemu.events;
 
 import com.fasterxml.jackson.databind.JsonNode;
 import java.util.Optional;
+import org.jgrapes.core.Channel;
+import org.jgrapes.core.Components;
 import org.jgrapes.core.Event;
 
 /**
@@ -112,4 +114,20 @@ public class MonitorEvent extends Event<Void> {
     public JsonNode data() {
         return data;
     }
+
+    /*
+     * (non-Javadoc)
+     * 
+     * @see java.lang.Object#toString()
+     */
+    @Override
+    public String toString() {
+        StringBuilder builder = new StringBuilder();
+        builder.append(Components.objectName(this)).append(" [").append(data);
+        if (channels() != null) {
+            builder.append(", channels=").append(Channel.toString(channels()));
+        }
+        builder.append(']');
+        return builder.toString();
+    }
 }
diff --git a/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/events/OsinfoEvent.java b/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/events/OsinfoEvent.java
index 294ac7b..0e90019 100644
--- a/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/events/OsinfoEvent.java
+++ b/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/events/OsinfoEvent.java
@@ -19,6 +19,8 @@
 package org.jdrupes.vmoperator.runner.qemu.events;
 
 import com.fasterxml.jackson.databind.JsonNode;
+import org.jgrapes.core.Channel;
+import org.jgrapes.core.Components;
 import org.jgrapes.core.Event;
 
 /**
@@ -40,4 +42,21 @@ public class OsinfoEvent extends Event<Void> {
     public JsonNode osinfo() {
         return osinfo;
     }
+
+    /*
+     * (non-Javadoc)
+     * 
+     * @see java.lang.Object#toString()
+     */
+    @Override
+    public String toString() {
+        StringBuilder builder = new StringBuilder();
+        builder.append(Components.objectName(this)).append(" [")
+            .append(osinfo);
+        if (channels() != null) {
+            builder.append(", channels=").append(Channel.toString(channels()));
+        }
+        builder.append(']');
+        return builder.toString();
+    }
 }

From 10f3028f06d58d81f6972d5c29fcf8f1dfc698a7 Mon Sep 17 00:00:00 2001
From: "Michael N. Lipp" <mnl@mnl.de>
Date: Wed, 30 Apr 2025 16:27:15 +0200
Subject: [PATCH 266/274] Increase concurrency and avoid race condition.

---
 .../vmoperator/manager/Controller.java        |  3 +-
 .../jdrupes/vmoperator/manager/VmMonitor.java | 58 +++++++++++++------
 2 files changed, 42 insertions(+), 19 deletions(-)

diff --git a/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/Controller.java b/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/Controller.java
index c15acc5..ce14488 100644
--- a/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/Controller.java
+++ b/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/Controller.java
@@ -50,6 +50,7 @@ import org.jdrupes.vmoperator.manager.events.VmPoolChanged;
 import org.jdrupes.vmoperator.manager.events.VmResourceChanged;
 import org.jgrapes.core.Channel;
 import org.jgrapes.core.Component;
+import org.jgrapes.core.EventPipeline;
 import org.jgrapes.core.annotation.Handler;
 import org.jgrapes.core.events.HandlingError;
 import org.jgrapes.core.events.Start;
@@ -94,7 +95,7 @@ import org.jgrapes.util.events.ConfigurationUpdate;
 public class Controller extends Component {
 
     private String namespace;
-    private final ChannelManager<String, VmChannel, ?> chanMgr;
+    private final ChannelManager<String, VmChannel, EventPipeline> chanMgr;
 
     /**
      * Creates a new instance.
diff --git a/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/VmMonitor.java b/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/VmMonitor.java
index 09bade8..b667aa6 100644
--- a/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/VmMonitor.java
+++ b/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/VmMonitor.java
@@ -22,7 +22,6 @@ import com.google.gson.JsonObject;
 import io.kubernetes.client.apimachinery.GroupVersionKind;
 import io.kubernetes.client.custom.V1Patch;
 import io.kubernetes.client.openapi.ApiException;
-import io.kubernetes.client.openapi.models.V1ObjectMeta;
 import io.kubernetes.client.util.Watch;
 import io.kubernetes.client.util.generic.options.ListOptions;
 import java.io.IOException;
@@ -32,7 +31,6 @@ import java.util.ArrayList;
 import java.util.Collections;
 import java.util.Optional;
 import java.util.Set;
-import java.util.concurrent.atomic.AtomicBoolean;
 import java.util.stream.Collectors;
 import org.jdrupes.vmoperator.common.Constants.Crd;
 import org.jdrupes.vmoperator.common.Constants.Status;
@@ -57,16 +55,28 @@ import org.jdrupes.vmoperator.manager.events.VmResourceChanged;
 import org.jdrupes.vmoperator.util.GsonPtr;
 import org.jgrapes.core.Channel;
 import org.jgrapes.core.Event;
+import org.jgrapes.core.EventPipeline;
 import org.jgrapes.core.annotation.Handler;
 
 /**
- * Watches for changes of VM definitions.
+ * Watches for changes of VM definitions. When a VM definition (CR)
+ * becomes known, is is registered with a {@link ChannelManager} and thus
+ * gets an associated {@link VmChannel} and an associated
+ * {@link EventPipeline}.
+ * 
+ * The {@link EventPipeline} is used for submitting an action that processes
+ * the change data from kubernetes, eventually transforming it to a
+ * {@link VmResourceChanged} event that is handled by another
+ * {@link EventPipeline} associated with the {@link VmChannel}. This
+ * event pipeline should be used for all events related to changes of
+ * a particular VM.
  */
 @SuppressWarnings({ "PMD.DataflowAnomalyAnalysis", "PMD.ExcessiveImports" })
 public class VmMonitor extends
         AbstractMonitor<VmDefinition, VmDefinitions, VmChannel> {
 
-    private final ChannelManager<String, VmChannel, ?> channelManager;
+    private final ChannelManager<String, VmChannel,
+            EventPipeline> channelManager;
 
     /**
      * Instantiates a new VM definition watcher.
@@ -75,7 +85,7 @@ public class VmMonitor extends
      * @param channelManager the channel manager
      */
     public VmMonitor(Channel componentChannel,
-            ChannelManager<String, VmChannel, ?> channelManager) {
+            ChannelManager<String, VmChannel, EventPipeline> channelManager) {
         super(componentChannel, VmDefinition.class,
             VmDefinitions.class);
         this.channelManager = channelManager;
@@ -122,14 +132,18 @@ public class VmMonitor extends
     @Override
     protected void handleChange(K8sClient client,
             Watch.Response<VmDefinition> response) {
-        V1ObjectMeta metadata = response.object.getMetadata();
-        AtomicBoolean toBeAdded = new AtomicBoolean(false);
-        VmChannel channel = channelManager.channel(metadata.getName())
-            .orElseGet(() -> {
-                toBeAdded.set(true);
-                return channelManager.createChannel(metadata.getName());
-            });
+        var name = response.object.getMetadata().getName();
 
+        // Process the response data on a VM specific pipeline to
+        // increase concurrency when e.g. starting many VMs.
+        var preparing = channelManager.associated(name)
+            .orElseGet(() -> newEventPipeline());
+        preparing.submit("VmChange[" + name + "]",
+            () -> processChange(client, response, preparing));
+    }
+
+    private void processChange(K8sClient client,
+            Watch.Response<VmDefinition> response, EventPipeline preparing) {
         // Get full definition and associate with channel as backup
         var vmDef = response.object;
         if (vmDef.data() == null) {
@@ -137,6 +151,9 @@ public class VmMonitor extends
             // https://github.com/kubernetes-client/java/issues/3215
             vmDef = getModel(client, vmDef);
         }
+        var name = response.object.getMetadata().getName();
+        var channel = channelManager.channel(name)
+            .orElseGet(() -> channelManager.createChannel(name));
         if (vmDef.data() != null) {
             // New data, augment and save
             addExtraData(vmDef, channel.vmDefinition());
@@ -150,9 +167,7 @@ public class VmMonitor extends
                 + response.object.getMetadata());
             return;
         }
-        if (toBeAdded.get()) {
-            channelManager.put(vmDef.name(), channel);
-        }
+        channelManager.put(name, channel, preparing);
 
         // Create and fire changed event. Remove channel from channel
         // manager on completion.
@@ -199,9 +214,16 @@ public class VmMonitor extends
     @Handler
     public void onPodChanged(PodChanged event, VmChannel channel) {
         var vmDef = channel.vmDefinition();
-        updateNodeInfo(event, vmDef);
-        channel
-            .fire(new VmResourceChanged(ResponseType.MODIFIED, vmDef, false, true));
+
+        // Make sure that this is properly sync'd with VM CR changes.
+        channelManager.associated(vmDef.name())
+            .orElseGet(() -> activeEventPipeline())
+            .submit("NodeInfo[" + vmDef.name() + "]",
+                () -> {
+                    updateNodeInfo(event, vmDef);
+                    channel.fire(new VmResourceChanged(ResponseType.MODIFIED,
+                        vmDef, false, true));
+                });
     }
 
     private void updateNodeInfo(PodChanged event, VmDefinition vmDef) {

From a5433c869bb5d25601060200cba2335bf250788a Mon Sep 17 00:00:00 2001
From: "Michael N. Lipp" <mnl@mnl.de>
Date: Sat, 3 May 2025 22:29:42 +0200
Subject: [PATCH 267/274] Upgrade webconsole base library.

---
 org.jdrupes.vmoperator.manager/build.gradle | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/org.jdrupes.vmoperator.manager/build.gradle b/org.jdrupes.vmoperator.manager/build.gradle
index eda5ce0..4ce4ed0 100644
--- a/org.jdrupes.vmoperator.manager/build.gradle
+++ b/org.jdrupes.vmoperator.manager/build.gradle
@@ -17,7 +17,7 @@ dependencies {
     implementation 'org.jgrapes:org.jgrapes.io:[2.12.1,3)'
     implementation 'org.jgrapes:org.jgrapes.http:[3.5.0,4)'
     
-    implementation 'org.jgrapes:org.jgrapes.webconsole.base:[2.2.0,3)'
+    implementation 'org.jgrapes:org.jgrapes.webconsole.base:[2.3.0,3)'
     implementation 'org.jgrapes:org.jgrapes.webconsole.vuejs:[1.8.0,2)'
     implementation 'org.jgrapes:org.jgrapes.webconsole.rbac:[1.4.0,2)'
     implementation 'org.jgrapes:org.jgrapes.webconlet.oidclogin:[1.7.0,2)'

From 76b579c404f4ea691bf5a00cde47ddb8d35b1342 Mon Sep 17 00:00:00 2001
From: "Michael N. Lipp" <mnl@mnl.de>
Date: Sun, 4 May 2025 11:36:55 +0200
Subject: [PATCH 268/274] Add key, allowing vue to optimize.

---
 .../org/jdrupes/vmoperator/vmmgmt/VmMgmt-view.ftl.html          | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/org.jdrupes.vmoperator.vmmgmt/resources/org/jdrupes/vmoperator/vmmgmt/VmMgmt-view.ftl.html b/org.jdrupes.vmoperator.vmmgmt/resources/org/jdrupes/vmoperator/vmmgmt/VmMgmt-view.ftl.html
index 5a28cb8..3197440 100644
--- a/org.jdrupes.vmoperator.vmmgmt/resources/org/jdrupes/vmoperator/vmmgmt/VmMgmt-view.ftl.html
+++ b/org.jdrupes.vmoperator.vmmgmt/resources/org/jdrupes/vmoperator/vmmgmt/VmMgmt-view.ftl.html
@@ -30,7 +30,7 @@
       </tr>
     </thead>
     <tbody>
-      <template v-for="(entry, rowIndex) in filteredData">
+      <template v-for="(entry, rowIndex) in filteredData" :key="entry.name">
         <tr :class="[(rowIndex % 2) ? 'odd' : 'even']"
           :aria-expanded="(entry.name in detailsByName) ? 'true' : 'false'">
           <td v-for="key in controller.keys" 

From fa84110e1d06eccb0015d3a44e09daec19867f80 Mon Sep 17 00:00:00 2001
From: "Michael N. Lipp" <mnl@mnl.de>
Date: Mon, 14 Jul 2025 17:34:09 +0200
Subject: [PATCH 269/274] Handle configuration value properly.

---
 .../manager/DisplaySecretReconciler.java       | 18 +++++++++---------
 1 file changed, 9 insertions(+), 9 deletions(-)

diff --git a/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/DisplaySecretReconciler.java b/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/DisplaySecretReconciler.java
index 60d27d4..1e3eb0f 100644
--- a/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/DisplaySecretReconciler.java
+++ b/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/DisplaySecretReconciler.java
@@ -66,7 +66,6 @@ import org.jose4j.base64url.Base64;
  *   * `passwordValidity`: the validity of the random password in seconds.
  *     Used to calculate the password expiry time in the generated secret.
  */
-@SuppressWarnings({ "PMD.DataflowAnomalyAnalysis", "PMD.TooManyStaticImports" })
 public class DisplaySecretReconciler extends Component {
 
     protected final Logger logger = Logger.getLogger(getClass().getName());
@@ -104,12 +103,15 @@ public class DisplaySecretReconciler extends Component {
                 return oldConfig;
             }).ifPresent(c -> {
                 try {
-                    if (c.containsKey("passwordValidity")) {
-                        passwordValidity = Integer
-                            .parseInt((String) c.get("passwordValidity"));
-                    }
-                } catch (ClassCastException e) {
-                    logger.config("Malformed configuration: " + e.getMessage());
+                    Optional.ofNullable(c.get("passwordValidity"))
+                        .map(p -> p instanceof Integer ? (Integer) p
+                            : Integer.valueOf((String) p))
+                        .ifPresent(p -> {
+                            passwordValidity = p;
+                        });
+                } catch (NumberFormatException e) {
+                    logger.warning(
+                        () -> "Malformed configuration: " + e.getMessage());
                 }
             });
     }
@@ -190,7 +192,6 @@ public class DisplaySecretReconciler extends Component {
      * @throws ApiException the api exception
      */
     @Handler
-    @SuppressWarnings("PMD.StringInstantiation")
     public void onGetDisplaySecret(GetDisplaySecret event, VmChannel channel)
             throws ApiException {
         // Get VM definition and check if running
@@ -319,7 +320,6 @@ public class DisplaySecretReconciler extends Component {
     /**
      * The Class PendingGet.
      */
-    @SuppressWarnings("PMD.DataClass")
     private static class PendingRequest {
         public final GetDisplaySecret event;
         public final long expectedSerial;

From 00e9affee4c2bde08184a1709792ecd3b365ed8d Mon Sep 17 00:00:00 2001
From: "Michael N. Lipp" <mnl@mnl.de>
Date: Sat, 26 Jul 2025 15:18:22 +0200
Subject: [PATCH 270/274] Fix evaluation of template source.

---
 .../org/jdrupes/vmoperator/manager/runnerConfig.ftl.yaml        | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/org.jdrupes.vmoperator.manager/resources/org/jdrupes/vmoperator/manager/runnerConfig.ftl.yaml b/org.jdrupes.vmoperator.manager/resources/org/jdrupes/vmoperator/manager/runnerConfig.ftl.yaml
index 5dc8d9b..0200021 100644
--- a/org.jdrupes.vmoperator.manager/resources/org/jdrupes/vmoperator/manager/runnerConfig.ftl.yaml
+++ b/org.jdrupes.vmoperator.manager/resources/org/jdrupes/vmoperator/manager/runnerConfig.ftl.yaml
@@ -37,7 +37,7 @@ data:
       # The template to use. Resolved relative to /usr/share/vmrunner/templates.
       # template: "Standard-VM-latest.ftl.yaml"
       <#if spec.runnerTemplate?? && spec.runnerTemplate.source?? >
-      template: ${ cm.spec().runnerTemplate.source }
+      template: ${ spec.runnerTemplate.source }
       </#if>
     
       # The template is copied to the data diretory when the VM starts for

From fccf2a6b65c0eb0e939a5dbd516a7ff723b915bb Mon Sep 17 00:00:00 2001
From: "Michael N. Lipp" <mnl@mnl.de>
Date: Sat, 26 Jul 2025 22:43:45 +0200
Subject: [PATCH 271/274] Fix branch evaluation.

---
 .gitlab-ci.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index 7dff899..b7b04f0 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -24,7 +24,7 @@ stages:
         - "*/build"
   before_script:
     - echo -n $CI_REGISTRY_PASSWORD | podman login -u "$CI_REGISTRY_USER" --password-stdin $CI_REGISTRY
-    - git switch $(git branch -r --sort="authordate" --contains $CI_COMMIT_SHA | head -1 | sed -e 's#[^/]*/##')
+    - git switch $(git branch -r --sort="authordate" --contains $CI_COMMIT_SHA | head -1 | sed -e 's#.*/##')
     - git pull
     - git reset --hard $CI_COMMIT_SHA
   

From 7b8df80828c6acf1518d397c534724be86c543f7 Mon Sep 17 00:00:00 2001
From: "Michael N. Lipp" <mnl@mnl.de>
Date: Fri, 1 Aug 2025 17:41:03 +0200
Subject: [PATCH 272/274] Use display manager for login.

---
 dev-example/vmop-agent/gdm/PostLogin/Default |  3 ++
 dev-example/vmop-agent/vmop-agent            | 45 ++++++--------------
 2 files changed, 17 insertions(+), 31 deletions(-)
 create mode 100755 dev-example/vmop-agent/gdm/PostLogin/Default

diff --git a/dev-example/vmop-agent/gdm/PostLogin/Default b/dev-example/vmop-agent/gdm/PostLogin/Default
new file mode 100755
index 0000000..8a70890
--- /dev/null
+++ b/dev-example/vmop-agent/gdm/PostLogin/Default
@@ -0,0 +1,3 @@
+#!/bin/sh
+
+sed -i '/AutomaticLogin/d' /etc/gdm/custom.conf
diff --git a/dev-example/vmop-agent/vmop-agent b/dev-example/vmop-agent/vmop-agent
index f61a55e..9f4d9e7 100755
--- a/dev-example/vmop-agent/vmop-agent
+++ b/dev-example/vmop-agent/vmop-agent
@@ -72,8 +72,8 @@ doLogin() {
     return
   fi
   
-  # Check if this user is already logged in on tty1
-  curUser=$(loginctl -j | jq -r '.[] | select(.tty=="tty1") | .user')
+  # Check if this user is already logged in on tty2
+  curUser=$(loginctl -j | jq -r '.[] | select(.tty=="tty2") | .user')
   if [ "$curUser" = "$user" ]; then
     echo >&${con} "201 User already logged in"
     return
@@ -96,17 +96,14 @@ doLogin() {
       return
     fi
   fi
-  
-  # Start the desktop for the user
-  systemd-run 2>$temperr \
-    --unit vmop-user-desktop --uid=$uid --gid=$uid \
-    --working-directory="/home/$user" -p TTYPath=/dev/tty1 \
-    -p PAMName=login -p StandardInput=tty -p StandardOutput=journal \
-    -p Conflicts="gdm.service getty@tty1.service" \
-    -E XDG_RUNTIME_DIR="/run/user/$uid" \
-    -E XDG_CURRENT_DESKTOP=GNOME \
-    -p ExecStartPre="/usr/bin/chvt 1" \
-    dbus-run-session -- gnome-shell --display-server --wayland
+
+  # Configure user as auto login user
+  sed -i '/AutomaticLogin/d' /etc/gdm/custom.conf
+  sed -i '/\[daemon\]/a AutomaticLoginEnable=true\nAutomaticLogin='$user \
+    /etc/gdm/custom.conf
+
+  # Activate user    
+  systemctl restart gdm
   if [ $? -eq 0 ]; then
     echo >&${con} "201 User logged in successfully"
   else
@@ -117,14 +114,8 @@ doLogin() {
 # Attempt to log out a user currently using tty1. This is an intermediate
 # operation that can be invoked from other operations
 attemptLogout() {
-  systemctl status vmop-user-desktop > /dev/null 2>&1
-  if [ $? = 0 ]; then
-    systemctl stop vmop-user-desktop
-  fi
-  loginctl -j | jq -r '.[] | select(.tty=="tty1") | .session' \
-  | while read sid; do
-    loginctl kill-session $sid
-  done
+  sed -i '/AutomaticLogin/d' /etc/gdm/custom.conf
+  systemctl stop gdm
   echo >&${con} "102 Desktop stopped"
 }
 
@@ -133,15 +124,7 @@ attemptLogout() {
 # Also try to restart gdm, if it is not running.
 doLogout() {
   attemptLogout
-  systemctl status gdm >/dev/null 2>&1
-  if [ $? != 0 ]; then
-    systemctl restart gdm 2>$temperr
-    if [ $? -eq 0 ]; then
-      echo >&${con} "102 gdm restarted"
-    else
-      echo >&${con} "102 Restarting gdm failed: $(tr '\n' ' ' <${temperr})"
-    fi
-  fi
+  systemctl restart gdm
   echo >&${con} "202 User logged out"
 }
 
@@ -153,7 +136,7 @@ while read line <&${con}; do
 done
 
 onExit() {
-  attemptLogout
+  doLogout
   if [ -n "$temperr" ]; then
     rm -f $temperr
   fi

From 470c2661572e59cf99552122db299726e866afe0 Mon Sep 17 00:00:00 2001
From: "Michael N. Lipp" <mnl@mnl.de>
Date: Mon, 11 Aug 2025 12:50:28 +0200
Subject: [PATCH 273/274] Build with woodpecker (#1)

Reviewed-on: https://forgejo.mnl.de/mnl/VM-Operator/pulls/1
Co-authored-by: Michael N. Lipp <mnl@mnl.de>
Co-committed-by: Michael N. Lipp <mnl@mnl.de>
---
 .gitlab-ci.yml         | 78 ------------------------------------------
 .woodpecker/build.yaml | 38 ++++++++++++++++++++
 2 files changed, 38 insertions(+), 78 deletions(-)
 delete mode 100644 .gitlab-ci.yml
 create mode 100644 .woodpecker/build.yaml

diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
deleted file mode 100644
index b7b04f0..0000000
--- a/.gitlab-ci.yml
+++ /dev/null
@@ -1,78 +0,0 @@
-stages:
-  - build
-  - test
-  - publish
-  - deploy
-
-.any-job:
-  rules:
-    - if: $CI_SERVER_HOST == "gitlab.mnl.de"
-
-.gradle-job:
-  extends: .any-job
-  image: registry.mnl.de/org/jgrapes/jdk21-builder:v2
-  cache:
-    - key: dependencies-${CI_COMMIT_BRANCH}
-      policy: pull-push  
-      paths:
-        - .gradle
-        - node_modules
-    - key: "$CI_COMMIT_SHA"
-      policy: pull-push
-      paths:
-        - build
-        - "*/build"
-  before_script:
-    - echo -n $CI_REGISTRY_PASSWORD | podman login -u "$CI_REGISTRY_USER" --password-stdin $CI_REGISTRY
-    - git switch $(git branch -r --sort="authordate" --contains $CI_COMMIT_SHA | head -1 | sed -e 's#.*/##')
-    - git pull
-    - git reset --hard $CI_COMMIT_SHA
-  
-build-jars:
-  stage: build
-  extends: .gradle-job  
-  script:
-    - ./gradlew -Pdocker.registry=$CI_REGISTRY_IMAGE build apidocs
-
-publish-images:
-  stage: publish
-  extends: .gradle-job  
-  dependencies:
-    - build-jars
-  script:
-    - ./gradlew -Pdocker.registry=$CI_REGISTRY_IMAGE publishImage
-
-.pages-job:
-  extends: .any-job
-  image: ${CI_DEPENDENCY_PROXY_GROUP_IMAGE_PREFIX}/ruby:3.2
-  variables:
-    JEKYLL_ENV: production
-    LC_ALL: C.UTF-8
-  before_script:
-    - git fetch origin gh-pages
-    - git checkout gh-pages
-    - gem install bundler
-    - bundle install
-
-test-pages:
-  stage: test
-  extends: .pages-job
-  rules:
-    - if: $CI_COMMIT_BRANCH == "gh-pages"
-  script:
-    - bundle exec jekyll build -d test
-  artifacts:
-    paths:
-      - test
-      
-#publish-pages:
-#  stage: publish
-#  extends: .pages-job
-#  rules:
-#    - if: $CI_COMMIT_BRANCH == "gh-pages"
-#  script:
-#    - bundle exec jekyll build -d public
-#  artifacts:
-#    paths:
-#      - public
-#  environment: production
diff --git a/.woodpecker/build.yaml b/.woodpecker/build.yaml
new file mode 100644
index 0000000..56a575c
--- /dev/null
+++ b/.woodpecker/build.yaml
@@ -0,0 +1,38 @@
+when:
+- event: push
+  evaluate: 'CI_SYSTEM_HOST == "woodpecker.mnl.de"'
+
+clone:
+- name: git
+  image: woodpeckerci/plugin-git
+  settings:
+    partial: false
+    tags: true
+    depth: 0
+
+steps:
+- name: prepare
+  image: alpine
+  commands:
+    # Because we run the next step as user 1000 to make podman work:
+    - mkdir /woodpecker/workflow
+    - chown 1000:1000 /woodpecker/workflow
+    - chown -R 1000:1000 $CI_WORKSPACE
+
+- name: build-jars
+  image: registry.mnl.de/mnl/jdk21-builder:v4
+  environment:
+    HOME: /woodpecker/workflow
+    REGISTRY: registry.mnl.de
+    REGISTRY_USER: mnl
+    REGISTRY_TOKEN:
+      from_secret: REGISTRY_TOKEN
+  commands:
+    - echo $REGISTRY_TOKEN | podman login -u $REGISTRY_USER --password-stdin $REGISTRY
+    - ./gradlew -Pdocker.registry=$REGISTRY/$REGISTRY_USER build apidocs publishImage
+  backend_options:
+    kubernetes:
+      securityContext:
+        privileged: true
+        runAsUser: 1000
+        runAsGroup: 1000

From c6c6358426287c0258edd9869adf3db3d9bbec17 Mon Sep 17 00:00:00 2001
From: "Michael N. Lipp" <mnl@mnl.de>
Date: Mon, 11 Aug 2025 20:32:08 +0200
Subject: [PATCH 274/274] Fix warnings.

---
 .../vmoperator/common/Convertions.java        |  9 +++-----
 .../org/jdrupes/vmoperator/common/K8s.java    |  4 +---
 .../jdrupes/vmoperator/common/K8sClient.java  | 10 +++------
 .../common/K8sClusterGenericStub.java         |  9 +-------
 .../vmoperator/common/K8sDynamicModel.java    |  1 -
 .../common/K8sDynamicModelsBase.java          |  2 +-
 .../vmoperator/common/K8sDynamicStub.java     |  5 -----
 .../vmoperator/common/K8sDynamicStubBase.java |  2 --
 .../vmoperator/common/K8sGenericStub.java     |  9 ++------
 .../vmoperator/common/K8sObserver.java        |  6 +----
 .../vmoperator/common/K8sV1ConfigMapStub.java |  1 -
 .../common/K8sV1DeploymentStub.java           |  1 -
 .../vmoperator/common/K8sV1NodeStub.java      |  4 +---
 .../vmoperator/common/K8sV1PodStub.java       |  1 -
 .../vmoperator/common/K8sV1PvcStub.java       |  1 -
 .../vmoperator/common/K8sV1SecretStub.java    |  1 -
 .../vmoperator/common/K8sV1ServiceStub.java   |  1 -
 .../common/K8sV1StatefulSetStub.java          |  1 -
 .../vmoperator/common/VmDefinition.java       |  5 ++---
 .../vmoperator/common/VmDefinitionStub.java   |  5 -----
 .../vmoperator/common/VmExtraData.java        |  1 -
 .../org/jdrupes/vmoperator/common/VmPool.java |  1 -
 .../vmoperator/manager/events/AssignVm.java   |  1 -
 .../manager/events/ChannelDictionary.java     |  1 -
 .../manager/events/ChannelManager.java        |  2 --
 .../manager/events/GetDisplaySecret.java      |  1 -
 .../vmoperator/manager/events/GetPools.java   |  1 -
 .../vmoperator/manager/events/GetVms.java     |  1 -
 .../vmoperator/manager/events/ModifyVm.java   |  1 -
 .../vmoperator/manager/events/ResetVm.java    |  1 -
 .../manager/events/UpdateAssignment.java      |  1 -
 .../vmoperator/manager/events/VmChannel.java  |  3 ---
 .../manager/events/VmPoolChanged.java         |  1 -
 .../vmoperator/manager/AbstractMonitor.java   |  2 --
 .../manager/ConfigMapReconciler.java          |  3 ---
 .../jdrupes/vmoperator/manager/Constants.java |  1 -
 .../manager/DisplaySecretMonitor.java         |  1 -
 .../manager/LoadBalancerReconciler.java       |  3 +--
 .../jdrupes/vmoperator/manager/Manager.java   |  8 +++----
 .../vmoperator/manager/PodReconciler.java     |  1 -
 .../vmoperator/manager/PoolMonitor.java       |  1 -
 .../vmoperator/manager/PvcReconciler.java     |  3 +--
 .../vmoperator/manager/Reconciler.java        | 10 ++-------
 .../jdrupes/vmoperator/manager/VmMonitor.java |  4 ----
 .../runner/qemu/CdMediaController.java        |  5 +----
 .../vmoperator/runner/qemu/Configuration.java |  8 -------
 .../runner/qemu/ConsoleTracker.java           |  6 +----
 .../vmoperator/runner/qemu/Constants.java     |  1 -
 .../vmoperator/runner/qemu/CpuController.java |  1 -
 .../runner/qemu/DisplayController.java        |  5 +----
 .../vmoperator/runner/qemu/QemuMonitor.java   |  3 ---
 .../vmoperator/runner/qemu/RamController.java |  1 -
 .../vmoperator/runner/qemu/Runner.java        | 12 ++--------
 .../vmoperator/runner/qemu/StatusUpdater.java | 10 ++-------
 .../vmoperator/runner/qemu/VmDefUpdater.java  |  1 -
 .../runner/qemu/VmopAgentClient.java          |  3 +--
 .../runner/qemu/commands/QmpCapabilities.java |  3 +--
 .../runner/qemu/commands/QmpChangeMedium.java |  3 +--
 .../runner/qemu/commands/QmpCommand.java      |  3 +--
 .../runner/qemu/commands/QmpCont.java         |  3 +--
 .../runner/qemu/commands/QmpDelCpu.java       |  3 +--
 .../runner/qemu/commands/QmpOpenTray.java     |  3 +--
 .../runner/qemu/commands/QmpPowerdown.java    |  3 +--
 .../commands/QmpQueryHotpluggableCpus.java    |  3 +--
 .../runner/qemu/commands/QmpRemoveMedium.java |  3 +--
 .../runner/qemu/commands/QmpReset.java        |  3 +--
 .../runner/qemu/commands/QmpSetBalloon.java   |  3 +--
 .../runner/qemu/events/MonitorEvent.java      |  1 -
 .../runner/qemu/events/RunnerStateChange.java |  1 -
 .../org/jdrupes/vmoperator/util/DataPath.java |  3 ---
 .../org/jdrupes/vmoperator/util/GsonPtr.java  |  6 ++---
 .../jdrupes/vmoperator/vmaccess/VmAccess.java | 22 +++++++------------
 .../jdrupes/vmoperator/vmmgmt/TimeSeries.java |  1 -
 .../org/jdrupes/vmoperator/vmmgmt/VmMgmt.java | 17 +++++---------
 74 files changed, 56 insertions(+), 215 deletions(-)

diff --git a/org.jdrupes.vmoperator.common/src/org/jdrupes/vmoperator/common/Convertions.java b/org.jdrupes.vmoperator.common/src/org/jdrupes/vmoperator/common/Convertions.java
index 47b7208..68f52eb 100644
--- a/org.jdrupes.vmoperator.common/src/org/jdrupes/vmoperator/common/Convertions.java
+++ b/org.jdrupes.vmoperator.common/src/org/jdrupes/vmoperator/common/Convertions.java
@@ -32,13 +32,11 @@ import java.util.regex.Pattern;
 public class Convertions {
 
     @SuppressWarnings({ "PMD.UseConcurrentHashMap",
-        "PMD.FieldNamingConventions", "PMD.VariableNamingConventions" })
+        "PMD.FieldNamingConventions" })
     private static final Map<String, BigInteger> unitMap = new HashMap<>();
-    @SuppressWarnings({ "PMD.FieldNamingConventions",
-        "PMD.VariableNamingConventions" })
+    @SuppressWarnings({ "PMD.FieldNamingConventions" })
     private static final List<Map.Entry<String, BigInteger>> unitMappings;
-    @SuppressWarnings({ "PMD.FieldNamingConventions",
-        "PMD.VariableNamingConventions" })
+    @SuppressWarnings({ "PMD.FieldNamingConventions" })
     private static final Pattern memorySize
         = Pattern.compile("^\\s*(\\d+(\\.\\d+)?)\\s*([A-Za-z]*)\\s*");
 
@@ -69,7 +67,6 @@ public class Convertions {
      * @param amount the amount
      * @return the big integer
      */
-    @SuppressWarnings("PMD.DataflowAnomalyAnalysis")
     public static BigInteger parseMemory(Object amount) {
         if (amount == null) {
             return (BigInteger) amount;
diff --git a/org.jdrupes.vmoperator.common/src/org/jdrupes/vmoperator/common/K8s.java b/org.jdrupes.vmoperator.common/src/org/jdrupes/vmoperator/common/K8s.java
index 7a28185..3870337 100644
--- a/org.jdrupes.vmoperator.common/src/org/jdrupes/vmoperator/common/K8s.java
+++ b/org.jdrupes.vmoperator.common/src/org/jdrupes/vmoperator/common/K8s.java
@@ -47,8 +47,7 @@ import org.yaml.snakeyaml.constructor.SafeConstructor;
 /**
  * Helpers for K8s API.
  */
-@SuppressWarnings({ "PMD.ShortClassName", "PMD.UseUtilityClass",
-    "PMD.DataflowAnomalyAnalysis" })
+@SuppressWarnings({ "PMD.ShortClassName", "PMD.UseUtilityClass" })
 public class K8s {
 
     /**
@@ -113,7 +112,6 @@ public class K8s {
     public static JsonObject yamlToJson(ApiClient client, Reader yaml) {
         // Avoid Yaml.load due to
         // https://github.com/kubernetes-client/java/issues/2741
-        @SuppressWarnings("PMD.UseConcurrentHashMap")
         Map<String, Object> yamlData
             = new Yaml(new SafeConstructor(new LoaderOptions())).load(yaml);
 
diff --git a/org.jdrupes.vmoperator.common/src/org/jdrupes/vmoperator/common/K8sClient.java b/org.jdrupes.vmoperator.common/src/org/jdrupes/vmoperator/common/K8sClient.java
index 37b0b97..272da2b 100644
--- a/org.jdrupes.vmoperator.common/src/org/jdrupes/vmoperator/common/K8sClient.java
+++ b/org.jdrupes.vmoperator.common/src/org/jdrupes/vmoperator/common/K8sClient.java
@@ -48,8 +48,7 @@ import okhttp3.Response;
  * A client with some additional properties.
  */
 @SuppressWarnings({ "PMD.ExcessivePublicCount", "PMD.TooManyMethods",
-    "PMD.LinguisticNaming", "checkstyle:LineLength",
-    "PMD.CouplingBetweenObjects", "PMD.GodClass" })
+    "checkstyle:LineLength", "PMD.CouplingBetweenObjects", "PMD.GodClass" })
 public class K8sClient extends ApiClient {
 
     private ApiClient apiClient;
@@ -231,7 +230,6 @@ public class K8sClient extends ApiClient {
      * @return the api client
      * @see ApiClient#setKeyManagers(javax.net.ssl.KeyManager[])
      */
-    @SuppressWarnings("PMD.UseVarargs")
     @Override
     public ApiClient setKeyManagers(KeyManager[] managers) {
         return apiClient().setKeyManagers(managers);
@@ -638,7 +636,6 @@ public class K8sClient extends ApiClient {
      * @return the string
      * @see ApiClient#selectHeaderAccept(java.lang.String[])
      */
-    @SuppressWarnings("PMD.UseVarargs")
     @Override
     public String selectHeaderAccept(String[] accepts) {
         return apiClient().selectHeaderAccept(accepts);
@@ -651,7 +648,6 @@ public class K8sClient extends ApiClient {
      * @return the string
      * @see ApiClient#selectHeaderContentType(java.lang.String[])
      */
-    @SuppressWarnings("PMD.UseVarargs")
     @Override
     public String selectHeaderContentType(String[] contentTypes) {
         return apiClient().selectHeaderContentType(contentTypes);
@@ -818,7 +814,7 @@ public class K8sClient extends ApiClient {
      * @throws ApiException the api exception
      * @see ApiClient#buildCall(java.lang.String, java.lang.String, java.util.List, java.util.List, java.lang.Object, java.util.Map, java.util.Map, java.util.Map, java.lang.String[], io.kubernetes.client.openapi.ApiCallback)
      */
-    @SuppressWarnings({ "rawtypes", "PMD.ExcessiveParameterList" })
+    @SuppressWarnings({ "rawtypes" })
     @Override
     public Call buildCall(String path, String method, List<Pair> queryParams,
             List<Pair> collectionQueryParams, Object body,
@@ -847,7 +843,7 @@ public class K8sClient extends ApiClient {
      * @throws ApiException the api exception
      * @see ApiClient#buildRequest(java.lang.String, java.lang.String, java.util.List, java.util.List, java.lang.Object, java.util.Map, java.util.Map, java.util.Map, java.lang.String[], io.kubernetes.client.openapi.ApiCallback)
      */
-    @SuppressWarnings({ "rawtypes", "PMD.ExcessiveParameterList" })
+    @SuppressWarnings({ "rawtypes" })
     @Override
     public Request buildRequest(String path, String method,
             List<Pair> queryParams, List<Pair> collectionQueryParams,
diff --git a/org.jdrupes.vmoperator.common/src/org/jdrupes/vmoperator/common/K8sClusterGenericStub.java b/org.jdrupes.vmoperator.common/src/org/jdrupes/vmoperator/common/K8sClusterGenericStub.java
index 6b5fd7e..59b4d12 100644
--- a/org.jdrupes.vmoperator.common/src/org/jdrupes/vmoperator/common/K8sClusterGenericStub.java
+++ b/org.jdrupes.vmoperator.common/src/org/jdrupes/vmoperator/common/K8sClusterGenericStub.java
@@ -45,8 +45,7 @@ import java.util.function.Function;
  * @param <O> the generic type
  * @param <L> the generic type
  */
-@SuppressWarnings({ "PMD.DataflowAnomalyAnalysis",
-    "PMD.CouplingBetweenObjects" })
+@SuppressWarnings({ "PMD.CouplingBetweenObjects" })
 public class K8sClusterGenericStub<O extends KubernetesObject,
         L extends KubernetesListObject> {
     protected final K8sClient client;
@@ -255,7 +254,6 @@ public class K8sClusterGenericStub<O extends KubernetesObject,
          * @param name the name
          * @return the result
          */
-        @SuppressWarnings("PMD.UseObjectForClearerAPI")
         R get(Class<O> objectClass, Class<L> objectListClass, K8sClient client,
                 APIResource context, String name);
     }
@@ -284,7 +282,6 @@ public class K8sClusterGenericStub<O extends KubernetesObject,
      * @return the stub if the object exists
      * @throws ApiException the api exception
      */
-    @SuppressWarnings({ "PMD.AvoidBranchingStatementAsLastInLoop" })
     public static <O extends KubernetesObject, L extends KubernetesListObject,
             R extends K8sClusterGenericStub<O, L>>
             R get(Class<O> objectClass, Class<L> objectListClass,
@@ -315,8 +312,6 @@ public class K8sClusterGenericStub<O extends KubernetesObject,
      * @return the stub if the object exists
      * @throws ApiException the api exception
      */
-    @SuppressWarnings({ "PMD.AvoidBranchingStatementAsLastInLoop",
-        "PMD.UseObjectForClearerAPI" })
     public static <O extends KubernetesObject, L extends KubernetesListObject,
             R extends K8sClusterGenericStub<O, L>>
             R get(Class<O> objectClass, Class<L> objectListClass,
@@ -341,8 +336,6 @@ public class K8sClusterGenericStub<O extends KubernetesObject,
      * @return the stub if the object exists
      * @throws ApiException the api exception
      */
-    @SuppressWarnings({ "PMD.AvoidBranchingStatementAsLastInLoop",
-        "PMD.AvoidInstantiatingObjectsInLoops", "PMD.UseObjectForClearerAPI" })
     public static <O extends KubernetesObject, L extends KubernetesListObject,
             R extends K8sClusterGenericStub<O, L>>
             R create(Class<O> objectClass, Class<L> objectListClass,
diff --git a/org.jdrupes.vmoperator.common/src/org/jdrupes/vmoperator/common/K8sDynamicModel.java b/org.jdrupes.vmoperator.common/src/org/jdrupes/vmoperator/common/K8sDynamicModel.java
index dd2bdd5..2392d3e 100644
--- a/org.jdrupes.vmoperator.common/src/org/jdrupes/vmoperator/common/K8sDynamicModel.java
+++ b/org.jdrupes.vmoperator.common/src/org/jdrupes/vmoperator/common/K8sDynamicModel.java
@@ -29,7 +29,6 @@ import io.kubernetes.client.openapi.models.V1ObjectMeta;
  * notably the metadata, is made available through the methods
  * defined by {@link KubernetesObject}.
  */
-@SuppressWarnings("PMD.DataClass")
 public class K8sDynamicModel implements KubernetesObject {
 
     private final V1ObjectMeta metadata;
diff --git a/org.jdrupes.vmoperator.common/src/org/jdrupes/vmoperator/common/K8sDynamicModelsBase.java b/org.jdrupes.vmoperator.common/src/org/jdrupes/vmoperator/common/K8sDynamicModelsBase.java
index 1813621..4e21c0e 100644
--- a/org.jdrupes.vmoperator.common/src/org/jdrupes/vmoperator/common/K8sDynamicModelsBase.java
+++ b/org.jdrupes.vmoperator.common/src/org/jdrupes/vmoperator/common/K8sDynamicModelsBase.java
@@ -62,7 +62,7 @@ public class K8sDynamicModelsBase<T extends K8sDynamicModel>
             } catch (InstantiationException | IllegalAccessException
                     | IllegalArgumentException | InvocationTargetException
                     | NoSuchMethodException | SecurityException exc) {
-                throw new IllegalArgumentException(exc); // NOPMD
+                throw new IllegalArgumentException(exc);
             }
         }
     }
diff --git a/org.jdrupes.vmoperator.common/src/org/jdrupes/vmoperator/common/K8sDynamicStub.java b/org.jdrupes.vmoperator.common/src/org/jdrupes/vmoperator/common/K8sDynamicStub.java
index afed802..c0303c2 100644
--- a/org.jdrupes.vmoperator.common/src/org/jdrupes/vmoperator/common/K8sDynamicStub.java
+++ b/org.jdrupes.vmoperator.common/src/org/jdrupes/vmoperator/common/K8sDynamicStub.java
@@ -31,7 +31,6 @@ import java.util.Collection;
  * state and can therefore be used for any kind of object, especially
  * custom objects.
  */
-@SuppressWarnings("PMD.DataflowAnomalyAnalysis")
 public class K8sDynamicStub
         extends K8sDynamicStubBase<K8sDynamicModel, K8sDynamicModels> {
 
@@ -64,8 +63,6 @@ public class K8sDynamicStub
      * @return the stub if the object exists
      * @throws ApiException the api exception
      */
-    @SuppressWarnings({ "PMD.AvoidBranchingStatementAsLastInLoop",
-        "PMD.AvoidInstantiatingObjectsInLoops", "PMD.UseObjectForClearerAPI" })
     public static K8sDynamicStub get(K8sClient client,
             GroupVersionKind gvk, String namespace, String name)
             throws ApiException {
@@ -83,8 +80,6 @@ public class K8sDynamicStub
      * @return the stub if the object exists
      * @throws ApiException the api exception
      */
-    @SuppressWarnings({ "PMD.AvoidBranchingStatementAsLastInLoop",
-        "PMD.AvoidInstantiatingObjectsInLoops", "PMD.UseObjectForClearerAPI" })
     public static K8sDynamicStub get(K8sClient client,
             APIResource context, String namespace, String name) {
         return new K8sDynamicStub(client, context, namespace, name);
diff --git a/org.jdrupes.vmoperator.common/src/org/jdrupes/vmoperator/common/K8sDynamicStubBase.java b/org.jdrupes.vmoperator.common/src/org/jdrupes/vmoperator/common/K8sDynamicStubBase.java
index 44f419c..ae3f012 100644
--- a/org.jdrupes.vmoperator.common/src/org/jdrupes/vmoperator/common/K8sDynamicStubBase.java
+++ b/org.jdrupes.vmoperator.common/src/org/jdrupes/vmoperator/common/K8sDynamicStubBase.java
@@ -26,7 +26,6 @@ import io.kubernetes.client.Discovery.APIResource;
  * state and can therefore be used for any kind of object, especially
  * custom objects.
  */
-@SuppressWarnings("PMD.DataflowAnomalyAnalysis")
 public abstract class K8sDynamicStubBase<O extends K8sDynamicModel,
         L extends K8sDynamicModelsBase<O>> extends K8sGenericStub<O, L> {
 
@@ -40,7 +39,6 @@ public abstract class K8sDynamicStubBase<O extends K8sDynamicModel,
      * @param namespace the namespace
      * @param name the name
      */
-    @SuppressWarnings("PMD.ConstructorCallsOverridableMethod")
     public K8sDynamicStubBase(Class<O> objectClass,
             Class<L> objectListClass, DynamicTypeAdapterFactory<O, L> taf,
             K8sClient client, APIResource context, String namespace,
diff --git a/org.jdrupes.vmoperator.common/src/org/jdrupes/vmoperator/common/K8sGenericStub.java b/org.jdrupes.vmoperator.common/src/org/jdrupes/vmoperator/common/K8sGenericStub.java
index aef791f..9ba376f 100644
--- a/org.jdrupes.vmoperator.common/src/org/jdrupes/vmoperator/common/K8sGenericStub.java
+++ b/org.jdrupes.vmoperator.common/src/org/jdrupes/vmoperator/common/K8sGenericStub.java
@@ -48,7 +48,7 @@ import java.util.function.Function;
  * @param <O> the generic type
  * @param <L> the generic type
  */
-@SuppressWarnings({ "PMD.DataflowAnomalyAnalysis", "PMD.TooManyMethods" })
+@SuppressWarnings({ "PMD.TooManyMethods" })
 public class K8sGenericStub<O extends KubernetesObject,
         L extends KubernetesListObject> {
     protected final K8sClient client;
@@ -200,7 +200,6 @@ public class K8sGenericStub<O extends KubernetesObject,
      * @return the updated model or empty if the object was not found
      * @throws ApiException the api exception
      */
-    @SuppressWarnings("PMD.AssignmentInOperand")
     public Optional<O> updateStatus(O object, Function<O, Object> updater)
             throws ApiException {
         return K8s.optional(api.updateStatus(object, updater));
@@ -218,7 +217,7 @@ public class K8sGenericStub<O extends KubernetesObject,
      * @return the updated model or empty if the object was not found
      * @throws ApiException the api exception
      */
-    @SuppressWarnings({ "PMD.AssignmentInOperand", "PMD.UnusedAssignment" })
+    @SuppressWarnings({ "PMD.AssignmentInOperand" })
     public Optional<O> updateStatus(Function<O, Object> updater, O current,
             int retries) throws ApiException {
         while (true) {
@@ -248,7 +247,6 @@ public class K8sGenericStub<O extends KubernetesObject,
      * @return the updated model or empty if the object was not found
      * @throws ApiException the api exception
      */
-    @SuppressWarnings({ "PMD.AssignmentInOperand", "PMD.UnusedAssignment" })
     public Optional<O> updateStatus(Function<O, Object> updater, int retries)
             throws ApiException {
         return updateStatus(updater, null, retries);
@@ -371,7 +369,6 @@ public class K8sGenericStub<O extends KubernetesObject,
          * @param name the name
          * @return the result
          */
-        @SuppressWarnings("PMD.UseObjectForClearerAPI")
         R get(K8sClient client, String namespace, String name);
     }
 
@@ -397,8 +394,6 @@ public class K8sGenericStub<O extends KubernetesObject,
      * @return the stub if the object exists
      * @throws ApiException the api exception
      */
-    @SuppressWarnings({ "PMD.AvoidBranchingStatementAsLastInLoop",
-        "PMD.AvoidInstantiatingObjectsInLoops", "PMD.UseObjectForClearerAPI" })
     public static <O extends KubernetesObject, L extends KubernetesListObject,
             R extends K8sGenericStub<O, L>>
             R create(Class<O> objectClass, Class<L> objectListClass,
diff --git a/org.jdrupes.vmoperator.common/src/org/jdrupes/vmoperator/common/K8sObserver.java b/org.jdrupes.vmoperator.common/src/org/jdrupes/vmoperator/common/K8sObserver.java
index f3e10bb..9e22382 100644
--- a/org.jdrupes.vmoperator.common/src/org/jdrupes/vmoperator/common/K8sObserver.java
+++ b/org.jdrupes.vmoperator.common/src/org/jdrupes/vmoperator/common/K8sObserver.java
@@ -50,7 +50,6 @@ public class K8sObserver<O extends KubernetesObject,
         ADDED, MODIFIED, DELETED
     }
 
-    @SuppressWarnings("PMD.FieldNamingConventions")
     protected final Logger logger = Logger.getLogger(getClass().getName());
 
     protected final K8sClient client;
@@ -73,8 +72,7 @@ public class K8sObserver<O extends KubernetesObject,
      * @param namespace the namespace
      * @param options the options
      */
-    @SuppressWarnings({ "PMD.AvoidBranchingStatementAsLastInLoop",
-        "PMD.UseObjectForClearerAPI", "PMD.AvoidCatchingThrowable",
+    @SuppressWarnings({ "PMD.AvoidCatchingThrowable",
         "PMD.CognitiveComplexity", "PMD.AvoidCatchingGenericException" })
     public K8sObserver(Class<O> objectClass, Class<L> objectListClass,
             K8sClient client, APIResource context, String namespace,
@@ -100,7 +98,6 @@ public class K8sObserver<O extends KubernetesObject,
                     while (!Thread.currentThread().isInterrupted()) {
                         Instant startedAt = Instant.now();
                         try {
-                            @SuppressWarnings("PMD.AvoidInstantiatingObjectsInLoops")
                             var changed
                                 = api.watch(namespace, options).iterator();
                             while (changed.hasNext()) {
@@ -233,7 +230,6 @@ public class K8sObserver<O extends KubernetesObject,
     }
 
     @Override
-    @SuppressWarnings("PMD.UseLocaleWithCaseConversions")
     public String toString() {
         return "Observer for " + K8s.toString(context) + " " + namespace;
     }
diff --git a/org.jdrupes.vmoperator.common/src/org/jdrupes/vmoperator/common/K8sV1ConfigMapStub.java b/org.jdrupes.vmoperator.common/src/org/jdrupes/vmoperator/common/K8sV1ConfigMapStub.java
index c85726e..07c59b2 100644
--- a/org.jdrupes.vmoperator.common/src/org/jdrupes/vmoperator/common/K8sV1ConfigMapStub.java
+++ b/org.jdrupes.vmoperator.common/src/org/jdrupes/vmoperator/common/K8sV1ConfigMapStub.java
@@ -26,7 +26,6 @@ import java.util.List;
 /**
  * A stub for config maps (v1).
  */
-@SuppressWarnings("PMD.DataflowAnomalyAnalysis")
 public class K8sV1ConfigMapStub
         extends K8sGenericStub<V1ConfigMap, V1ConfigMapList> {
 
diff --git a/org.jdrupes.vmoperator.common/src/org/jdrupes/vmoperator/common/K8sV1DeploymentStub.java b/org.jdrupes.vmoperator.common/src/org/jdrupes/vmoperator/common/K8sV1DeploymentStub.java
index 16e5c82..9075a84 100644
--- a/org.jdrupes.vmoperator.common/src/org/jdrupes/vmoperator/common/K8sV1DeploymentStub.java
+++ b/org.jdrupes.vmoperator.common/src/org/jdrupes/vmoperator/common/K8sV1DeploymentStub.java
@@ -29,7 +29,6 @@ import java.util.Optional;
 /**
  * A stub for pods (v1).
  */
-@SuppressWarnings("PMD.DataflowAnomalyAnalysis")
 public class K8sV1DeploymentStub
         extends K8sGenericStub<V1Deployment, V1DeploymentList> {
 
diff --git a/org.jdrupes.vmoperator.common/src/org/jdrupes/vmoperator/common/K8sV1NodeStub.java b/org.jdrupes.vmoperator.common/src/org/jdrupes/vmoperator/common/K8sV1NodeStub.java
index 050c593..ea1237d 100644
--- a/org.jdrupes.vmoperator.common/src/org/jdrupes/vmoperator/common/K8sV1NodeStub.java
+++ b/org.jdrupes.vmoperator.common/src/org/jdrupes/vmoperator/common/K8sV1NodeStub.java
@@ -29,7 +29,6 @@ import java.util.List;
 /**
  * A stub for nodes (v1).
  */
-@SuppressWarnings("PMD.DataflowAnomalyAnalysis")
 public class K8sV1NodeStub extends K8sClusterGenericStub<V1Node, V1NodeList> {
 
     public static final APIResource CONTEXT = new APIResource("", List.of("v1"),
@@ -74,8 +73,7 @@ public class K8sV1NodeStub extends K8sClusterGenericStub<V1Node, V1NodeList> {
     /**
      * Provide {@link GenericSupplier}.
      */
-    @SuppressWarnings({ "PMD.UnusedFormalParameter",
-        "PMD.UnusedPrivateMethod" })
+    @SuppressWarnings({ "PMD.UnusedFormalParameter" })
     private static K8sV1NodeStub getGeneric(Class<V1Node> objectClass,
             Class<V1NodeList> objectListClass, K8sClient client,
             APIResource context, String name) {
diff --git a/org.jdrupes.vmoperator.common/src/org/jdrupes/vmoperator/common/K8sV1PodStub.java b/org.jdrupes.vmoperator.common/src/org/jdrupes/vmoperator/common/K8sV1PodStub.java
index 21ac931..f21bb47 100644
--- a/org.jdrupes.vmoperator.common/src/org/jdrupes/vmoperator/common/K8sV1PodStub.java
+++ b/org.jdrupes.vmoperator.common/src/org/jdrupes/vmoperator/common/K8sV1PodStub.java
@@ -29,7 +29,6 @@ import java.util.List;
 /**
  * A stub for pods (v1).
  */
-@SuppressWarnings("PMD.DataflowAnomalyAnalysis")
 public class K8sV1PodStub extends K8sGenericStub<V1Pod, V1PodList> {
 
     /** The pods' context. */
diff --git a/org.jdrupes.vmoperator.common/src/org/jdrupes/vmoperator/common/K8sV1PvcStub.java b/org.jdrupes.vmoperator.common/src/org/jdrupes/vmoperator/common/K8sV1PvcStub.java
index 876e648..c46a60f 100644
--- a/org.jdrupes.vmoperator.common/src/org/jdrupes/vmoperator/common/K8sV1PvcStub.java
+++ b/org.jdrupes.vmoperator.common/src/org/jdrupes/vmoperator/common/K8sV1PvcStub.java
@@ -29,7 +29,6 @@ import java.util.List;
 /**
  * A stub for pods (v1).
  */
-@SuppressWarnings("PMD.DataflowAnomalyAnalysis")
 public class K8sV1PvcStub extends
         K8sGenericStub<V1PersistentVolumeClaim, V1PersistentVolumeClaimList> {
 
diff --git a/org.jdrupes.vmoperator.common/src/org/jdrupes/vmoperator/common/K8sV1SecretStub.java b/org.jdrupes.vmoperator.common/src/org/jdrupes/vmoperator/common/K8sV1SecretStub.java
index a847d36..9c1c086 100644
--- a/org.jdrupes.vmoperator.common/src/org/jdrupes/vmoperator/common/K8sV1SecretStub.java
+++ b/org.jdrupes.vmoperator.common/src/org/jdrupes/vmoperator/common/K8sV1SecretStub.java
@@ -29,7 +29,6 @@ import java.util.List;
 /**
  * A stub for secrets (v1).
  */
-@SuppressWarnings("PMD.DataflowAnomalyAnalysis")
 public class K8sV1SecretStub extends K8sGenericStub<V1Secret, V1SecretList> {
 
     public static final APIResource CONTEXT = new APIResource("", List.of("v1"),
diff --git a/org.jdrupes.vmoperator.common/src/org/jdrupes/vmoperator/common/K8sV1ServiceStub.java b/org.jdrupes.vmoperator.common/src/org/jdrupes/vmoperator/common/K8sV1ServiceStub.java
index 2157a1d..863f86f 100644
--- a/org.jdrupes.vmoperator.common/src/org/jdrupes/vmoperator/common/K8sV1ServiceStub.java
+++ b/org.jdrupes.vmoperator.common/src/org/jdrupes/vmoperator/common/K8sV1ServiceStub.java
@@ -29,7 +29,6 @@ import java.util.List;
 /**
  * A stub for secrets (v1).
  */
-@SuppressWarnings("PMD.DataflowAnomalyAnalysis")
 public class K8sV1ServiceStub extends K8sGenericStub<V1Service, V1ServiceList> {
 
     public static final APIResource CONTEXT = new APIResource("", List.of("v1"),
diff --git a/org.jdrupes.vmoperator.common/src/org/jdrupes/vmoperator/common/K8sV1StatefulSetStub.java b/org.jdrupes.vmoperator.common/src/org/jdrupes/vmoperator/common/K8sV1StatefulSetStub.java
index b918725..be30b00 100644
--- a/org.jdrupes.vmoperator.common/src/org/jdrupes/vmoperator/common/K8sV1StatefulSetStub.java
+++ b/org.jdrupes.vmoperator.common/src/org/jdrupes/vmoperator/common/K8sV1StatefulSetStub.java
@@ -26,7 +26,6 @@ import java.util.List;
 /**
  * A stub for stateful sets (v1).
  */
-@SuppressWarnings("PMD.DataflowAnomalyAnalysis")
 public class K8sV1StatefulSetStub
         extends K8sGenericStub<V1StatefulSet, V1StatefulSetList> {
 
diff --git a/org.jdrupes.vmoperator.common/src/org/jdrupes/vmoperator/common/VmDefinition.java b/org.jdrupes.vmoperator.common/src/org/jdrupes/vmoperator/common/VmDefinition.java
index 0a25dd6..a0b66bf 100644
--- a/org.jdrupes.vmoperator.common/src/org/jdrupes/vmoperator/common/VmDefinition.java
+++ b/org.jdrupes.vmoperator.common/src/org/jdrupes/vmoperator/common/VmDefinition.java
@@ -46,11 +46,10 @@ import org.jdrupes.vmoperator.util.DataPath;
 /**
  * Represents a VM definition.
  */
-@SuppressWarnings({ "PMD.DataClass", "PMD.TooManyMethods",
-    "PMD.CouplingBetweenObjects" })
+@SuppressWarnings({ "PMD.DataClass", "PMD.TooManyMethods" })
 public class VmDefinition extends K8sDynamicModel {
 
-    @SuppressWarnings({ "PMD.FieldNamingConventions", "unused" })
+    @SuppressWarnings({ "unused" })
     private static final Logger logger
         = Logger.getLogger(VmDefinition.class.getName());
     @SuppressWarnings("PMD.FieldNamingConventions")
diff --git a/org.jdrupes.vmoperator.common/src/org/jdrupes/vmoperator/common/VmDefinitionStub.java b/org.jdrupes.vmoperator.common/src/org/jdrupes/vmoperator/common/VmDefinitionStub.java
index 72194da..377220a 100644
--- a/org.jdrupes.vmoperator.common/src/org/jdrupes/vmoperator/common/VmDefinitionStub.java
+++ b/org.jdrupes.vmoperator.common/src/org/jdrupes/vmoperator/common/VmDefinitionStub.java
@@ -31,7 +31,6 @@ import java.util.Collection;
  * state and can therefore be used for any kind of object, especially
  * custom objects.
  */
-@SuppressWarnings("PMD.DataflowAnomalyAnalysis")
 public class VmDefinitionStub
         extends K8sDynamicStubBase<VmDefinition, VmDefinitions> {
 
@@ -64,8 +63,6 @@ public class VmDefinitionStub
      * @return the stub if the object exists
      * @throws ApiException the api exception
      */
-    @SuppressWarnings({ "PMD.AvoidBranchingStatementAsLastInLoop",
-        "PMD.AvoidInstantiatingObjectsInLoops", "PMD.UseObjectForClearerAPI" })
     public static VmDefinitionStub get(K8sClient client,
             GroupVersionKind gvk, String namespace, String name)
             throws ApiException {
@@ -83,8 +80,6 @@ public class VmDefinitionStub
      * @return the stub if the object exists
      * @throws ApiException the api exception
      */
-    @SuppressWarnings({ "PMD.AvoidBranchingStatementAsLastInLoop",
-        "PMD.AvoidInstantiatingObjectsInLoops", "PMD.UseObjectForClearerAPI" })
     public static VmDefinitionStub get(K8sClient client,
             APIResource context, String namespace, String name) {
         return new VmDefinitionStub(client, context, namespace, name);
diff --git a/org.jdrupes.vmoperator.common/src/org/jdrupes/vmoperator/common/VmExtraData.java b/org.jdrupes.vmoperator.common/src/org/jdrupes/vmoperator/common/VmExtraData.java
index 6a94c9c..e1565c5 100644
--- a/org.jdrupes.vmoperator.common/src/org/jdrupes/vmoperator/common/VmExtraData.java
+++ b/org.jdrupes.vmoperator.common/src/org/jdrupes/vmoperator/common/VmExtraData.java
@@ -34,7 +34,6 @@ import java.util.logging.Logger;
  */
 public class VmExtraData {
 
-    @SuppressWarnings("PMD.FieldNamingConventions")
     private static final Logger logger
         = Logger.getLogger(VmExtraData.class.getName());
 
diff --git a/org.jdrupes.vmoperator.common/src/org/jdrupes/vmoperator/common/VmPool.java b/org.jdrupes.vmoperator.common/src/org/jdrupes/vmoperator/common/VmPool.java
index 2bf1c30..f7aaa67 100644
--- a/org.jdrupes.vmoperator.common/src/org/jdrupes/vmoperator/common/VmPool.java
+++ b/org.jdrupes.vmoperator.common/src/org/jdrupes/vmoperator/common/VmPool.java
@@ -35,7 +35,6 @@ import org.jdrupes.vmoperator.util.DataPath;
 /**
  * Represents a VM pool.
  */
-@SuppressWarnings({ "PMD.DataClass" })
 public class VmPool {
 
     private final String name;
diff --git a/org.jdrupes.vmoperator.manager.events/src/org/jdrupes/vmoperator/manager/events/AssignVm.java b/org.jdrupes.vmoperator.manager.events/src/org/jdrupes/vmoperator/manager/events/AssignVm.java
index 21e6031..7252c6a 100644
--- a/org.jdrupes.vmoperator.manager.events/src/org/jdrupes/vmoperator/manager/events/AssignVm.java
+++ b/org.jdrupes.vmoperator.manager.events/src/org/jdrupes/vmoperator/manager/events/AssignVm.java
@@ -24,7 +24,6 @@ import org.jgrapes.core.Event;
 /**
  * Assign a VM from a pool to a user.
  */
-@SuppressWarnings("PMD.DataClass")
 public class AssignVm extends Event<VmData> {
 
     private final String fromPool;
diff --git a/org.jdrupes.vmoperator.manager.events/src/org/jdrupes/vmoperator/manager/events/ChannelDictionary.java b/org.jdrupes.vmoperator.manager.events/src/org/jdrupes/vmoperator/manager/events/ChannelDictionary.java
index 05a079e..2b23532 100644
--- a/org.jdrupes.vmoperator.manager.events/src/org/jdrupes/vmoperator/manager/events/ChannelDictionary.java
+++ b/org.jdrupes.vmoperator.manager.events/src/org/jdrupes/vmoperator/manager/events/ChannelDictionary.java
@@ -43,7 +43,6 @@ public interface ChannelDictionary<K, C extends Channel, A> {
      * @param channel the channel
      * @param associated the associated
      */
-    @SuppressWarnings("PMD.ShortClassName")
     public record Value<C extends Channel, A>(C channel, A associated) {
     }
 
diff --git a/org.jdrupes.vmoperator.manager.events/src/org/jdrupes/vmoperator/manager/events/ChannelManager.java b/org.jdrupes.vmoperator.manager.events/src/org/jdrupes/vmoperator/manager/events/ChannelManager.java
index ce0e4f0..da36123 100644
--- a/org.jdrupes.vmoperator.manager.events/src/org/jdrupes/vmoperator/manager/events/ChannelManager.java
+++ b/org.jdrupes.vmoperator.manager.events/src/org/jdrupes/vmoperator/manager/events/ChannelManager.java
@@ -149,8 +149,6 @@ public class ChannelManager<K, C extends Channel, A>
      * @param supplier the supplier
      * @return the channel
      */
-    @SuppressWarnings({ "PMD.AssignmentInOperand",
-        "PMD.DataflowAnomalyAnalysis" })
     public C computeIfAbsent(K key, Function<K, C> supplier) {
         return entries.computeIfAbsent(key,
             k -> new Value<>(supplier.apply(k), null)).channel();
diff --git a/org.jdrupes.vmoperator.manager.events/src/org/jdrupes/vmoperator/manager/events/GetDisplaySecret.java b/org.jdrupes.vmoperator.manager.events/src/org/jdrupes/vmoperator/manager/events/GetDisplaySecret.java
index 2f7dbd6..dc47b4a 100644
--- a/org.jdrupes.vmoperator.manager.events/src/org/jdrupes/vmoperator/manager/events/GetDisplaySecret.java
+++ b/org.jdrupes.vmoperator.manager.events/src/org/jdrupes/vmoperator/manager/events/GetDisplaySecret.java
@@ -24,7 +24,6 @@ import org.jgrapes.core.Event;
 /**
  * Gets the current display secret and optionally updates it.
  */
-@SuppressWarnings("PMD.DataClass")
 public class GetDisplaySecret extends Event<String> {
 
     private final VmDefinition vmDef;
diff --git a/org.jdrupes.vmoperator.manager.events/src/org/jdrupes/vmoperator/manager/events/GetPools.java b/org.jdrupes.vmoperator.manager.events/src/org/jdrupes/vmoperator/manager/events/GetPools.java
index 40fa6ad..b563c9c 100644
--- a/org.jdrupes.vmoperator.manager.events/src/org/jdrupes/vmoperator/manager/events/GetPools.java
+++ b/org.jdrupes.vmoperator.manager.events/src/org/jdrupes/vmoperator/manager/events/GetPools.java
@@ -27,7 +27,6 @@ import org.jgrapes.core.Event;
 /**
  * Gets the known pools' definitions.
  */
-@SuppressWarnings("PMD.DataClass")
 public class GetPools extends Event<List<VmPool>> {
 
     private String name;
diff --git a/org.jdrupes.vmoperator.manager.events/src/org/jdrupes/vmoperator/manager/events/GetVms.java b/org.jdrupes.vmoperator.manager.events/src/org/jdrupes/vmoperator/manager/events/GetVms.java
index 8b00698..0e24013 100644
--- a/org.jdrupes.vmoperator.manager.events/src/org/jdrupes/vmoperator/manager/events/GetVms.java
+++ b/org.jdrupes.vmoperator.manager.events/src/org/jdrupes/vmoperator/manager/events/GetVms.java
@@ -27,7 +27,6 @@ import org.jgrapes.core.Event;
 /**
  * Gets the known VMs' definitions and channels.
  */
-@SuppressWarnings("PMD.DataClass")
 public class GetVms extends Event<List<GetVms.VmData>> {
 
     private String name;
diff --git a/org.jdrupes.vmoperator.manager.events/src/org/jdrupes/vmoperator/manager/events/ModifyVm.java b/org.jdrupes.vmoperator.manager.events/src/org/jdrupes/vmoperator/manager/events/ModifyVm.java
index 8f735da..9e19255 100644
--- a/org.jdrupes.vmoperator.manager.events/src/org/jdrupes/vmoperator/manager/events/ModifyVm.java
+++ b/org.jdrupes.vmoperator.manager.events/src/org/jdrupes/vmoperator/manager/events/ModifyVm.java
@@ -24,7 +24,6 @@ import org.jgrapes.core.Event;
 /**
  * Modifies a VM.
  */
-@SuppressWarnings("PMD.DataClass")
 public class ModifyVm extends Event<Void> {
 
     private final String name;
diff --git a/org.jdrupes.vmoperator.manager.events/src/org/jdrupes/vmoperator/manager/events/ResetVm.java b/org.jdrupes.vmoperator.manager.events/src/org/jdrupes/vmoperator/manager/events/ResetVm.java
index f3320c8..778820e 100644
--- a/org.jdrupes.vmoperator.manager.events/src/org/jdrupes/vmoperator/manager/events/ResetVm.java
+++ b/org.jdrupes.vmoperator.manager.events/src/org/jdrupes/vmoperator/manager/events/ResetVm.java
@@ -23,7 +23,6 @@ import org.jgrapes.core.Event;
 /**
  * Triggers a reset of the VM.
  */
-@SuppressWarnings("PMD.DataClass")
 public class ResetVm extends Event<String> {
 
     private final String vmName;
diff --git a/org.jdrupes.vmoperator.manager.events/src/org/jdrupes/vmoperator/manager/events/UpdateAssignment.java b/org.jdrupes.vmoperator.manager.events/src/org/jdrupes/vmoperator/manager/events/UpdateAssignment.java
index af9dde0..b4fcf56 100644
--- a/org.jdrupes.vmoperator.manager.events/src/org/jdrupes/vmoperator/manager/events/UpdateAssignment.java
+++ b/org.jdrupes.vmoperator.manager.events/src/org/jdrupes/vmoperator/manager/events/UpdateAssignment.java
@@ -24,7 +24,6 @@ import org.jgrapes.core.Event;
 /**
  * Note the assignment to a user in the VM status.
  */
-@SuppressWarnings("PMD.DataClass")
 public class UpdateAssignment extends Event<Boolean> {
 
     private final VmPool fromPool;
diff --git a/org.jdrupes.vmoperator.manager.events/src/org/jdrupes/vmoperator/manager/events/VmChannel.java b/org.jdrupes.vmoperator.manager.events/src/org/jdrupes/vmoperator/manager/events/VmChannel.java
index 7b03ad3..73507ae 100644
--- a/org.jdrupes.vmoperator.manager.events/src/org/jdrupes/vmoperator/manager/events/VmChannel.java
+++ b/org.jdrupes.vmoperator.manager.events/src/org/jdrupes/vmoperator/manager/events/VmChannel.java
@@ -28,7 +28,6 @@ import org.jgrapes.core.Subchannel.DefaultSubchannel;
 /**
  * A subchannel used to send the events related to a specific VM.
  */
-@SuppressWarnings("PMD.DataClass")
 public class VmChannel extends DefaultSubchannel {
 
     private final EventPipeline pipeline;
@@ -56,7 +55,6 @@ public class VmChannel extends DefaultSubchannel {
      * @param definition the definition
      * @return the watch channel
      */
-    @SuppressWarnings("PMD.LinguisticNaming")
     public VmChannel setVmDefinition(VmDefinition definition) {
         this.definition = definition;
         return this;
@@ -87,7 +85,6 @@ public class VmChannel extends DefaultSubchannel {
      * @param generation the generation to set
      * @return true if value has changed
      */
-    @SuppressWarnings("PMD.LinguisticNaming")
     public boolean setGeneration(long generation) {
         if (this.generation == generation) {
             return false;
diff --git a/org.jdrupes.vmoperator.manager.events/src/org/jdrupes/vmoperator/manager/events/VmPoolChanged.java b/org.jdrupes.vmoperator.manager.events/src/org/jdrupes/vmoperator/manager/events/VmPoolChanged.java
index 0c506a1..0c3f3a1 100644
--- a/org.jdrupes.vmoperator.manager.events/src/org/jdrupes/vmoperator/manager/events/VmPoolChanged.java
+++ b/org.jdrupes.vmoperator.manager.events/src/org/jdrupes/vmoperator/manager/events/VmPoolChanged.java
@@ -26,7 +26,6 @@ import org.jgrapes.core.Event;
 /**
  * Indicates a change in a pool configuration. 
  */
-@SuppressWarnings("PMD.DataClass")
 public class VmPoolChanged extends Event<Void> {
 
     private final VmPool vmPool;
diff --git a/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/AbstractMonitor.java b/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/AbstractMonitor.java
index eb545a3..c10752e 100644
--- a/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/AbstractMonitor.java
+++ b/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/AbstractMonitor.java
@@ -51,7 +51,6 @@ import org.jgrapes.util.events.ConfigurationUpdate;
  * @param <O> the object type for the context
  * @param <L> the object list type for the context
  */
-@SuppressWarnings({ "PMD.DataflowAnomalyAnalysis" })
 public abstract class AbstractMonitor<O extends KubernetesObject,
         L extends KubernetesListObject, C extends Channel> extends Component {
 
@@ -181,7 +180,6 @@ public abstract class AbstractMonitor<O extends KubernetesObject,
      * @param event the event
      */
     @Handler(priority = 10)
-    @SuppressWarnings("PMD.AvoidInstantiatingObjectsInLoops")
     public void onStart(Start event) {
         try {
             // Get namespace
diff --git a/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/ConfigMapReconciler.java b/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/ConfigMapReconciler.java
index 264a166..0ca6312 100644
--- a/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/ConfigMapReconciler.java
+++ b/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/ConfigMapReconciler.java
@@ -56,7 +56,6 @@ import org.yaml.snakeyaml.constructor.SafeConstructor;
 /**
  * Delegee for reconciling the config map
  */
-@SuppressWarnings("PMD.DataflowAnomalyAnalysis")
 /* default */ class ConfigMapReconciler {
 
     protected final Logger logger = Logger.getLogger(getClass().getName());
@@ -81,7 +80,6 @@ import org.yaml.snakeyaml.constructor.SafeConstructor;
      * @throws TemplateException the template exception
      * @throws ApiException the API exception
      */
-    @SuppressWarnings("PMD.AvoidDuplicateLiterals")
     public void reconcile(Map<String, Object> model, VmChannel channel,
             boolean modelChanged)
             throws IOException, TemplateException, ApiException {
@@ -189,7 +187,6 @@ import org.yaml.snakeyaml.constructor.SafeConstructor;
     private final TemplateMethodModelEx adjustCloudInitMetaModel
         = new TemplateMethodModelEx() {
             @Override
-            @SuppressWarnings("PMD.PreserveStackTrace")
             public Object exec(@SuppressWarnings("rawtypes") List arguments)
                     throws TemplateModelException {
                 @SuppressWarnings("unchecked")
diff --git a/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/Constants.java b/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/Constants.java
index c5c8528..2ef4199 100644
--- a/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/Constants.java
+++ b/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/Constants.java
@@ -21,7 +21,6 @@ package org.jdrupes.vmoperator.manager;
 /**
  * Some constants.
  */
-@SuppressWarnings("PMD.DataClass")
 public class Constants extends org.jdrupes.vmoperator.common.Constants {
 
     /** The Constant STATE_RUNNING. */
diff --git a/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/DisplaySecretMonitor.java b/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/DisplaySecretMonitor.java
index a254c0e..b094b79 100644
--- a/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/DisplaySecretMonitor.java
+++ b/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/DisplaySecretMonitor.java
@@ -42,7 +42,6 @@ import org.jgrapes.core.Channel;
  * of the pod running the VM in response to force an update of the files 
  * in the pod that reflect the information from the secret.
  */
-@SuppressWarnings({ "PMD.DataflowAnomalyAnalysis", "PMD.TooManyStaticImports" })
 public class DisplaySecretMonitor
         extends AbstractMonitor<V1Secret, V1SecretList, VmChannel> {
 
diff --git a/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/LoadBalancerReconciler.java b/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/LoadBalancerReconciler.java
index d190cef..a66b432 100644
--- a/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/LoadBalancerReconciler.java
+++ b/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/LoadBalancerReconciler.java
@@ -45,7 +45,6 @@ import org.yaml.snakeyaml.constructor.SafeConstructor;
 /**
  * Delegee for reconciling the service
  */
-@SuppressWarnings("PMD.DataflowAnomalyAnalysis")
 /* default */ class LoadBalancerReconciler {
 
     private static final String LOAD_BALANCER_SERVICE = "loadBalancerService";
@@ -86,7 +85,7 @@ import org.yaml.snakeyaml.constructor.SafeConstructor;
         }
 
         // Check if to be generated
-        @SuppressWarnings({ "PMD.AvoidDuplicateLiterals", "unchecked" })
+        @SuppressWarnings({ "unchecked" })
         var lbsDef = Optional.of(model)
             .map(m -> (Map<String, Object>) m.get("reconciler"))
             .map(c -> c.get(LOAD_BALANCER_SERVICE)).orElse(Boolean.FALSE);
diff --git a/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/Manager.java b/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/Manager.java
index 41b59f9..f431c9d 100644
--- a/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/Manager.java
+++ b/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/Manager.java
@@ -81,7 +81,7 @@ import org.jgrapes.webconsole.vuejs.VueJsConsoleWeblet;
 /**
  * The application class.
  */
-@SuppressWarnings({ "PMD.DataflowAnomalyAnalysis", "PMD.ExcessiveImports" })
+@SuppressWarnings({ "PMD.ExcessiveImports" })
 public class Manager extends Component {
 
     private static String version;
@@ -97,8 +97,8 @@ public class Manager extends Component {
      * @throws IOException Signals that an I/O exception has occurred.
      * @throws URISyntaxException 
      */
-    @SuppressWarnings({ "PMD.TooFewBranchesForASwitchStatement",
-        "PMD.NcssCount", "PMD.ConstructorCallsOverridableMethod" })
+    @SuppressWarnings({ "PMD.NcssCount",
+        "PMD.ConstructorCallsOverridableMethod" })
     public Manager(CommandLine cmdLine) throws IOException, URISyntaxException {
         super(new NamedChannel("manager"));
         // Prepare component tree
@@ -217,7 +217,6 @@ public class Manager extends Component {
      * @param event the event
      */
     @Handler
-    @SuppressWarnings("PMD.DataflowAnomalyAnalysis")
     public void onConfigurationUpdate(ConfigurationUpdate event) {
         event.structured(componentPath()).ifPresent(c -> {
             if (c.containsKey("clusterName")) {
@@ -291,7 +290,6 @@ public class Manager extends Component {
      * @param args the arguments
      * @throws Exception the exception
      */
-    @SuppressWarnings("PMD.SignatureDeclareThrowsException")
     public static void main(String[] args) {
         try {
             // Instance logger is not available yet.
diff --git a/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/PodReconciler.java b/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/PodReconciler.java
index 4b7f394..4733e73 100644
--- a/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/PodReconciler.java
+++ b/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/PodReconciler.java
@@ -43,7 +43,6 @@ import org.yaml.snakeyaml.constructor.SafeConstructor;
 /**
  * Delegee for reconciling the pod.
  */
-@SuppressWarnings("PMD.DataflowAnomalyAnalysis")
 /* default */ class PodReconciler {
 
     protected final Logger logger = Logger.getLogger(getClass().getName());
diff --git a/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/PoolMonitor.java b/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/PoolMonitor.java
index 1bc323c..e554d5a 100644
--- a/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/PoolMonitor.java
+++ b/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/PoolMonitor.java
@@ -53,7 +53,6 @@ import org.jgrapes.core.events.Attached;
  * {@link VmPoolChanged} events fired on a special pipeline to
  * avoid concurrent change informations.
  */
-@SuppressWarnings({ "PMD.DataflowAnomalyAnalysis", "PMD.ExcessiveImports" })
 public class PoolMonitor extends
         AbstractMonitor<K8sDynamicModel, K8sDynamicModels, Channel> {
 
diff --git a/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/PvcReconciler.java b/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/PvcReconciler.java
index e297183..515bfc9 100644
--- a/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/PvcReconciler.java
+++ b/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/PvcReconciler.java
@@ -49,7 +49,6 @@ import org.yaml.snakeyaml.constructor.SafeConstructor;
 /**
  * Delegee for reconciling the stateful set (effectively the pod).
  */
-@SuppressWarnings("PMD.DataflowAnomalyAnalysis")
 /* default */ class PvcReconciler {
 
     protected final Logger logger = Logger.getLogger(getClass().getName());
@@ -75,7 +74,7 @@ import org.yaml.snakeyaml.constructor.SafeConstructor;
      * @throws TemplateException the template exception
      * @throws ApiException the api exception
      */
-    @SuppressWarnings({ "PMD.AvoidDuplicateLiterals", "unchecked" })
+    @SuppressWarnings({ "unchecked" })
     public void reconcile(VmDefinition vmDef, Map<String, Object> model,
             VmChannel channel, boolean specChanged)
             throws IOException, TemplateException, ApiException {
diff --git a/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/Reconciler.java b/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/Reconciler.java
index 700b081..e580c48 100644
--- a/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/Reconciler.java
+++ b/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/Reconciler.java
@@ -137,15 +137,13 @@ import org.jgrapes.util.events.ConfigurationUpdate;
  *   
  * @see org.jdrupes.vmoperator.manager.DisplaySecretReconciler
  */
-@SuppressWarnings({ "PMD.DataflowAnomalyAnalysis",
-    "PMD.AvoidDuplicateLiterals" })
+@SuppressWarnings({ "PMD.AvoidDuplicateLiterals" })
 public class Reconciler extends Component {
 
     /** The Constant mapper. */
     @SuppressWarnings("PMD.FieldNamingConventions")
     protected static final ObjectMapper mapper = new ObjectMapper();
 
-    @SuppressWarnings("PMD.SingularField")
     private final Configuration fmConfig;
     private final ConfigMapReconciler cmReconciler;
     private final DisplaySecretReconciler dsReconciler;
@@ -203,7 +201,6 @@ public class Reconciler extends Component {
      * @throws IOException Signals that an I/O exception has occurred.
      */
     @Handler
-    @SuppressWarnings("PMD.ConfusingTernary")
     public void onVmResourceChanged(VmResourceChanged event, VmChannel channel)
             throws ApiException, TemplateException, IOException {
         // Ownership relationships takes care of deletions
@@ -338,7 +335,6 @@ public class Reconciler extends Component {
     private final TemplateMethodModelEx formatMemoryModel
         = new TemplateMethodModelEx() {
             @Override
-            @SuppressWarnings("PMD.PreserveStackTrace")
             public Object exec(@SuppressWarnings("rawtypes") List arguments)
                     throws TemplateModelException {
                 var arg = arguments.get(0);
@@ -368,8 +364,7 @@ public class Reconciler extends Component {
     private final TemplateMethodModelEx imgageLocationModel
         = new TemplateMethodModelEx() {
             @Override
-            @SuppressWarnings({ "PMD.PreserveStackTrace",
-                "PMD.AvoidLiteralsInIfCondition" })
+            @SuppressWarnings({ "PMD.AvoidLiteralsInIfCondition" })
             public Object exec(@SuppressWarnings("rawtypes") List arguments)
                     throws TemplateModelException {
                 var image = ((SimpleScalar) arguments.get(0)).getAsString();
@@ -394,7 +389,6 @@ public class Reconciler extends Component {
     private final TemplateMethodModelEx toJsonModel
         = new TemplateMethodModelEx() {
             @Override
-            @SuppressWarnings("PMD.PreserveStackTrace")
             public Object exec(@SuppressWarnings("rawtypes") List arguments)
                     throws TemplateModelException {
                 try {
diff --git a/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/VmMonitor.java b/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/VmMonitor.java
index b667aa6..22f083c 100644
--- a/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/VmMonitor.java
+++ b/org.jdrupes.vmoperator.manager/src/org/jdrupes/vmoperator/manager/VmMonitor.java
@@ -71,7 +71,6 @@ import org.jgrapes.core.annotation.Handler;
  * event pipeline should be used for all events related to changes of
  * a particular VM.
  */
-@SuppressWarnings({ "PMD.DataflowAnomalyAnalysis", "PMD.ExcessiveImports" })
 public class VmMonitor extends
         AbstractMonitor<VmDefinition, VmDefinitions, VmChannel> {
 
@@ -107,7 +106,6 @@ public class VmMonitor extends
         purge();
     }
 
-    @SuppressWarnings("PMD.CognitiveComplexity")
     private void purge() throws ApiException {
         // Get existing CRs (VMs)
         var known = K8sDynamicStub.list(client(), context(), namespace())
@@ -192,7 +190,6 @@ public class VmMonitor extends
         }
     }
 
-    @SuppressWarnings("PMD.AvoidDuplicateLiterals")
     private void addExtraData(VmDefinition vmDef, VmDefinition prevState) {
         var extra = new VmExtraData(vmDef);
         var prevExtra = Optional.ofNullable(prevState).map(VmDefinition::extra);
@@ -241,7 +238,6 @@ public class VmMonitor extends
             .ofNullable(pod.getSpec().getNodeName()).orElse("");
         logger.finer(() -> "Adding node name " + nodeName
             + " to VM info for " + vmDef.name());
-        @SuppressWarnings("PMD.AvoidInstantiatingObjectsInLoops")
         var addrs = new ArrayList<String>();
         Optional.ofNullable(pod.getStatus().getPodIPs())
             .orElse(Collections.emptyList()).stream()
diff --git a/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/CdMediaController.java b/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/CdMediaController.java
index 0a8971c..c4ac871 100644
--- a/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/CdMediaController.java
+++ b/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/CdMediaController.java
@@ -36,7 +36,6 @@ import org.jgrapes.core.annotation.Handler;
 /**
  * The Class CdMediaController.
  */
-@SuppressWarnings("PMD.DataflowAnomalyAnalysis")
 public class CdMediaController extends Component {
 
     /**
@@ -55,7 +54,6 @@ public class CdMediaController extends Component {
      *
      * @param componentChannel the component channel
      */
-    @SuppressWarnings("PMD.AssignmentToNonFinalStatic")
     public CdMediaController(Channel componentChannel) {
         super(componentChannel);
     }
@@ -66,8 +64,7 @@ public class CdMediaController extends Component {
      * @param event the event
      */
     @Handler
-    @SuppressWarnings({ "PMD.AvoidLiteralsInIfCondition",
-        "PMD.AvoidInstantiatingObjectsInLoops" })
+    @SuppressWarnings({ "PMD.AvoidInstantiatingObjectsInLoops" })
     public void onConfigureQemu(ConfigureQemu event) {
         if (event.runState() == RunState.TERMINATING) {
             return;
diff --git a/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/Configuration.java b/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/Configuration.java
index 50635b5..87e8c76 100644
--- a/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/Configuration.java
+++ b/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/Configuration.java
@@ -39,11 +39,9 @@ import org.jdrupes.vmoperator.util.FsdUtils;
 /**
  * The configuration information from the configuration file.
  */
-@SuppressWarnings({ "PMD.ExcessivePublicCount", "PMD.TooManyFields" })
 public class Configuration implements Dto {
     private static final String CI_INSTANCE_ID = "instance-id";
 
-    @SuppressWarnings("PMD.FieldNamingConventions")
     protected final Logger logger = Logger.getLogger(getClass().getName());
 
     /** Configuration timestamp. */
@@ -95,15 +93,12 @@ public class Configuration implements Dto {
     public static class CloudInit implements Dto {
 
         /** The meta data. */
-        @SuppressWarnings("PMD.UseConcurrentHashMap")
         public Map<String, Object> metaData;
 
         /** The user data. */
-        @SuppressWarnings("PMD.UseConcurrentHashMap")
         public Map<String, Object> userData;
 
         /** The network config. */
-        @SuppressWarnings("PMD.UseConcurrentHashMap")
         public Map<String, Object> networkConfig;
     }
 
@@ -299,7 +294,6 @@ public class Configuration implements Dto {
         return true;
     }
 
-    @SuppressWarnings("PMD.AvoidLiteralsInIfCondition")
     private void checkDrives() {
         for (Drive drive : vm.drives) {
             if (drive.file != null || drive.device != null
@@ -319,7 +313,6 @@ public class Configuration implements Dto {
         }
     }
 
-    @SuppressWarnings("PMD.AvoidDeeplyNestedIfStmts")
     private boolean checkRuntimeDir() {
         // Runtime directory (sockets etc.)
         if (runtimeDir == null) {
@@ -355,7 +348,6 @@ public class Configuration implements Dto {
         return true;
     }
 
-    @SuppressWarnings("PMD.AvoidDeeplyNestedIfStmts")
     private boolean checkDataDir() {
         // Data directory
         if (dataDir == null) {
diff --git a/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/ConsoleTracker.java b/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/ConsoleTracker.java
index ddfc702..b50b481 100644
--- a/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/ConsoleTracker.java
+++ b/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/ConsoleTracker.java
@@ -41,7 +41,6 @@ import org.jgrapes.core.events.Start;
  * A (sub)component that updates the console status in the CR status.
  * Created as child of {@link StatusUpdater}.
  */
-@SuppressWarnings("PMD.DataflowAnomalyAnalysis")
 public class ConsoleTracker extends VmDefUpdater {
 
     private VmDefinitionStub vmStub;
@@ -53,7 +52,6 @@ public class ConsoleTracker extends VmDefUpdater {
      *
      * @param componentChannel the component channel
      */
-    @SuppressWarnings("PMD.ConstructorCallsOverridableMethod")
     public ConsoleTracker(Channel componentChannel) {
         super(componentChannel);
         apiClient = (K8sClient) io.kubernetes.client.openapi.Configuration
@@ -91,8 +89,7 @@ public class ConsoleTracker extends VmDefUpdater {
      * @throws ApiException the api exception
      */
     @Handler
-    @SuppressWarnings({ "PMD.AvoidLiteralsInIfCondition",
-        "PMD.AvoidDuplicateLiterals" })
+    @SuppressWarnings({ "PMD.AvoidLiteralsInIfCondition" })
     public void onSpiceInitialized(SpiceInitializedEvent event)
             throws ApiException {
         if (vmStub == null) {
@@ -127,7 +124,6 @@ public class ConsoleTracker extends VmDefUpdater {
      * @throws ApiException the api exception
      */
     @Handler
-    @SuppressWarnings("PMD.AvoidDuplicateLiterals")
     public void onSpiceDisconnected(SpiceDisconnectedEvent event)
             throws ApiException {
         if (vmStub == null) {
diff --git a/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/Constants.java b/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/Constants.java
index ca88f0b..eac05fa 100644
--- a/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/Constants.java
+++ b/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/Constants.java
@@ -21,7 +21,6 @@ package org.jdrupes.vmoperator.runner.qemu;
 /**
  * Some constants.
  */
-@SuppressWarnings("PMD.DataClass")
 public class Constants extends org.jdrupes.vmoperator.common.Constants {
 
     /**
diff --git a/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/CpuController.java b/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/CpuController.java
index b0abfd4..440da91 100644
--- a/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/CpuController.java
+++ b/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/CpuController.java
@@ -41,7 +41,6 @@ import org.jgrapes.core.annotation.Handler;
 /**
  * The Class CpuController.
  */
-@SuppressWarnings("PMD.DataflowAnomalyAnalysis")
 public class CpuController extends Component {
 
     private Integer currentCpus;
diff --git a/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/DisplayController.java b/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/DisplayController.java
index f5deda8..c3bec93 100644
--- a/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/DisplayController.java
+++ b/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/DisplayController.java
@@ -43,7 +43,6 @@ import org.jgrapes.util.events.WatchFile;
 /**
  * The Class DisplayController.
  */
-@SuppressWarnings("PMD.DataflowAnomalyAnalysis")
 public class DisplayController extends Component {
 
     private String currentPassword;
@@ -59,8 +58,7 @@ public class DisplayController extends Component {
      * @param componentChannel the component channel
      * @param configDir 
      */
-    @SuppressWarnings({ "PMD.AssignmentToNonFinalStatic",
-        "PMD.ConstructorCallsOverridableMethod" })
+    @SuppressWarnings({ "PMD.ConstructorCallsOverridableMethod" })
     public DisplayController(Channel componentChannel, Path configDir) {
         super(componentChannel);
         this.configDir = configDir;
@@ -114,7 +112,6 @@ public class DisplayController extends Component {
      * @param event the event
      */
     @Handler
-    @SuppressWarnings("PMD.EmptyCatchBlock")
     public void onFileChanged(FileChanged event) {
         if (event.path().equals(configDir.resolve(DisplaySecret.PASSWORD))) {
             logger.fine(() -> "Display password updated");
diff --git a/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/QemuMonitor.java b/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/QemuMonitor.java
index e844bc4..feeb76a 100644
--- a/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/QemuMonitor.java
+++ b/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/QemuMonitor.java
@@ -54,7 +54,6 @@ import org.jgrapes.util.events.ConfigurationUpdate;
  * If the log level for this class is set to fine, the messages 
  * exchanged on the monitor socket are logged.
  */
-@SuppressWarnings("PMD.DataflowAnomalyAnalysis")
 public class QemuMonitor extends QemuConnector {
 
     private int powerdownTimeout;
@@ -72,8 +71,6 @@ public class QemuMonitor extends QemuConnector {
      * @param configDir the config dir
      * @throws IOException Signals that an I/O exception has occurred.
      */
-    @SuppressWarnings({ "PMD.AssignmentToNonFinalStatic",
-        "PMD.ConstructorCallsOverridableMethod" })
     public QemuMonitor(Channel componentChannel, Path configDir)
             throws IOException {
         super(componentChannel);
diff --git a/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/RamController.java b/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/RamController.java
index 9cdc2b5..81a10f9 100644
--- a/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/RamController.java
+++ b/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/RamController.java
@@ -39,7 +39,6 @@ public class RamController extends Component {
      *
      * @param componentChannel the component channel
      */
-    @SuppressWarnings("PMD.AssignmentToNonFinalStatic")
     public RamController(Channel componentChannel) {
         super(componentChannel);
     }
diff --git a/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/Runner.java b/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/Runner.java
index 5c0da21..4819dcd 100644
--- a/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/Runner.java
+++ b/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/Runner.java
@@ -201,8 +201,7 @@ import org.jgrapes.util.events.WatchFile;
  * 
  */
 @SuppressWarnings({ "PMD.ExcessiveImports", "PMD.AvoidPrintStackTrace",
-    "PMD.DataflowAnomalyAnalysis", "PMD.TooManyMethods",
-    "PMD.CouplingBetweenObjects", "PMD.TooManyFields" })
+    "PMD.TooManyMethods", "PMD.CouplingBetweenObjects" })
 public class Runner extends Component {
 
     private static final String TEMPLATE_DIR
@@ -218,7 +217,6 @@ public class Runner extends Component {
         .builder().disable(YAMLGenerator.Feature.WRITE_DOC_START_MARKER)
         .build());
     private final JsonNode defaults;
-    @SuppressWarnings("PMD.UseConcurrentHashMap")
     private final File configFile;
     private final Path configDir;
     private Configuration initialConfig;
@@ -250,8 +248,7 @@ public class Runner extends Component {
      * @param cmdLine the cmd line
      * @throws IOException Signals that an I/O exception has occurred.
      */
-    @SuppressWarnings({ "PMD.SystemPrintln",
-        "PMD.ConstructorCallsOverridableMethod" })
+    @SuppressWarnings({ "PMD.ConstructorCallsOverridableMethod" })
     public Runner(CommandLine cmdLine) throws IOException {
         yamlMapper.configure(DeserializationFeature.FAIL_ON_UNKNOWN_PROPERTIES,
             false);
@@ -387,8 +384,6 @@ public class Runner extends Component {
         }
     }
 
-    @SuppressWarnings({ "PMD.CognitiveComplexity",
-        "PMD.DataflowAnomalyAnalysis" })
     private void setFirmwarePaths(Configuration config) throws IOException {
         JsonNode firmware = defaults.path("firmware").path(config.vm.firmware);
         // Get file for firmware ROM
@@ -620,8 +615,6 @@ public class Runner extends Component {
      * @throws InterruptedException the interrupted exception
      */
     @Handler
-    @SuppressWarnings({ "PMD.SwitchStmtsShouldHaveDefault",
-        "PMD.TooFewBranchesForASwitchStatement" })
     public void onProcessStarted(ProcessStarted event, ProcessChannel channel)
             throws InterruptedException {
         event.startEvent().associated(CommandDefinition.class)
@@ -778,7 +771,6 @@ public class Runner extends Component {
             "The VM has been shut down"));
     }
 
-    @SuppressWarnings("PMD.ConfusingArgumentToVarargsMethod")
     private void shutdown() {
         if (!Set.of(RunState.TERMINATING, RunState.STOPPED).contains(state)) {
             fire(new Stop());
diff --git a/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/StatusUpdater.java b/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/StatusUpdater.java
index b5d02c2..127c070 100644
--- a/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/StatusUpdater.java
+++ b/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/StatusUpdater.java
@@ -66,8 +66,7 @@ import org.jgrapes.core.events.Start;
 /**
  * Updates the CR status.
  */
-@SuppressWarnings({ "PMD.DataflowAnomalyAnalysis",
-    "PMD.CouplingBetweenObjects" })
+@SuppressWarnings({ "PMD.CouplingBetweenObjects" })
 public class StatusUpdater extends VmDefUpdater {
 
     @SuppressWarnings("PMD.FieldNamingConventions")
@@ -90,7 +89,6 @@ public class StatusUpdater extends VmDefUpdater {
      *
      * @param componentChannel the component channel
      */
-    @SuppressWarnings("PMD.ConstructorCallsOverridableMethod")
     public StatusUpdater(Channel componentChannel) {
         super(componentChannel);
         attach(new ConsoleTracker(componentChannel));
@@ -153,7 +151,6 @@ public class StatusUpdater extends VmDefUpdater {
      * @throws ApiException 
      */
     @Handler
-    @SuppressWarnings("PMD.AvoidDuplicateLiterals")
     public void onConfigureQemu(ConfigureQemu event)
             throws ApiException {
         guestShutdownStops = event.configuration().guestShutdownStops;
@@ -187,8 +184,7 @@ public class StatusUpdater extends VmDefUpdater {
      * @throws ApiException 
      */
     @Handler
-    @SuppressWarnings({ "PMD.AvoidLiteralsInIfCondition",
-        "PMD.AssignmentInOperand", "PMD.AvoidDuplicateLiterals" })
+    @SuppressWarnings({ "PMD.AssignmentInOperand" })
     public void onRunnerStateChanged(RunnerStateChange event)
             throws ApiException {
         VmDefinition vmDef;
@@ -425,7 +421,6 @@ public class StatusUpdater extends VmDefUpdater {
      * @throws ApiException 
      */
     @Handler
-    @SuppressWarnings("PMD.AssignmentInOperand")
     public void onVmopAgentLoggedIn(VmopAgentLoggedIn event)
             throws ApiException {
         vmStub.updateStatus(from -> {
@@ -442,7 +437,6 @@ public class StatusUpdater extends VmDefUpdater {
      * @throws ApiException 
      */
     @Handler
-    @SuppressWarnings("PMD.AssignmentInOperand")
     public void onVmopAgentLoggedOut(VmopAgentLoggedOut event)
             throws ApiException {
         vmStub.updateStatus(from -> {
diff --git a/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/VmDefUpdater.java b/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/VmDefUpdater.java
index 49c9e67..406a0bc 100644
--- a/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/VmDefUpdater.java
+++ b/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/VmDefUpdater.java
@@ -43,7 +43,6 @@ import org.jgrapes.util.events.InitialConfiguration;
 /**
  * Updates the CR status.
  */
-@SuppressWarnings("PMD.DataflowAnomalyAnalysis")
 public class VmDefUpdater extends Component {
 
     protected String namespace;
diff --git a/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/VmopAgentClient.java b/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/VmopAgentClient.java
index cac41d4..a940d73 100644
--- a/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/VmopAgentClient.java
+++ b/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/VmopAgentClient.java
@@ -87,8 +87,7 @@ public class VmopAgentClient extends AgentConnector {
     }
 
     @Override
-    @SuppressWarnings({ "PMD.UnnecessaryReturn",
-        "PMD.AvoidLiteralsInIfCondition" })
+    @SuppressWarnings({ "PMD.AvoidLiteralsInIfCondition" })
     protected void processInput(String line) throws IOException {
         logger.finer(() -> "vmop agent(in): " + line);
 
diff --git a/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/commands/QmpCapabilities.java b/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/commands/QmpCapabilities.java
index ffd6ca6..918b7d5 100644
--- a/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/commands/QmpCapabilities.java
+++ b/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/commands/QmpCapabilities.java
@@ -25,8 +25,7 @@ import com.fasterxml.jackson.databind.JsonNode;
  */
 public class QmpCapabilities extends QmpCommand {
 
-    @SuppressWarnings({ "PMD.FieldNamingConventions",
-        "PMD.VariableNamingConventions" })
+    @SuppressWarnings({ "PMD.FieldNamingConventions" })
     private static final JsonNode jsonTemplate
         = parseJson("{ \"execute\": \"qmp_capabilities\" }");
 
diff --git a/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/commands/QmpChangeMedium.java b/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/commands/QmpChangeMedium.java
index 158a318..b60b619 100644
--- a/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/commands/QmpChangeMedium.java
+++ b/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/commands/QmpChangeMedium.java
@@ -27,8 +27,7 @@ import com.fasterxml.jackson.databind.node.ObjectNode;
  */
 public class QmpChangeMedium extends QmpCommand {
 
-    @SuppressWarnings({ "PMD.FieldNamingConventions",
-        "PMD.VariableNamingConventions" })
+    @SuppressWarnings({ "PMD.FieldNamingConventions" })
     private static final JsonNode jsonTemplate
         = parseJson("{ \"execute\": \"blockdev-change-medium\",\"arguments\": {"
             + "\"id\": \"\",\"filename\": \"\",\"format\": \"raw\","
diff --git a/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/commands/QmpCommand.java b/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/commands/QmpCommand.java
index f91d702..0db58e2 100644
--- a/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/commands/QmpCommand.java
+++ b/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/commands/QmpCommand.java
@@ -30,8 +30,7 @@ import java.util.logging.Logger;
  */
 public abstract class QmpCommand {
 
-    @SuppressWarnings({ "PMD.FieldNamingConventions",
-        "PMD.VariableNamingConventions" })
+    @SuppressWarnings({ "PMD.FieldNamingConventions" })
     protected static final ObjectMapper mapper = new ObjectMapper();
 
     /**
diff --git a/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/commands/QmpCont.java b/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/commands/QmpCont.java
index 7b1abbd..0e06e34 100644
--- a/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/commands/QmpCont.java
+++ b/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/commands/QmpCont.java
@@ -25,8 +25,7 @@ import com.fasterxml.jackson.databind.JsonNode;
  */
 public class QmpCont extends QmpCommand {
 
-    @SuppressWarnings({ "PMD.FieldNamingConventions",
-        "PMD.VariableNamingConventions" })
+    @SuppressWarnings({ "PMD.FieldNamingConventions" })
     private static final JsonNode jsonTemplate
         = parseJson("{ \"execute\": \"cont\" }");
 
diff --git a/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/commands/QmpDelCpu.java b/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/commands/QmpDelCpu.java
index 46fba32..a97e6c6 100644
--- a/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/commands/QmpDelCpu.java
+++ b/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/commands/QmpDelCpu.java
@@ -27,8 +27,7 @@ import com.fasterxml.jackson.databind.node.ObjectNode;
  */
 public class QmpDelCpu extends QmpCommand {
 
-    @SuppressWarnings({ "PMD.FieldNamingConventions",
-        "PMD.VariableNamingConventions" })
+    @SuppressWarnings({ "PMD.FieldNamingConventions" })
     private static final JsonNode jsonTemplate
         = parseJson("{ \"execute\": \"device_del\", "
             + "\"arguments\": " + "{ \"id\": 0 } }");
diff --git a/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/commands/QmpOpenTray.java b/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/commands/QmpOpenTray.java
index 2f9ad55..88a392c 100644
--- a/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/commands/QmpOpenTray.java
+++ b/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/commands/QmpOpenTray.java
@@ -27,8 +27,7 @@ import com.fasterxml.jackson.databind.node.ObjectNode;
  */
 public class QmpOpenTray extends QmpCommand {
 
-    @SuppressWarnings({ "PMD.FieldNamingConventions",
-        "PMD.VariableNamingConventions" })
+    @SuppressWarnings({ "PMD.FieldNamingConventions" })
     private static final JsonNode jsonTemplate
         = parseJson("{ \"execute\": \"blockdev-open-tray\",\"arguments\": {"
             + "\"id\": \"\" } }");
diff --git a/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/commands/QmpPowerdown.java b/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/commands/QmpPowerdown.java
index 108a355..dfb7d96 100644
--- a/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/commands/QmpPowerdown.java
+++ b/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/commands/QmpPowerdown.java
@@ -25,8 +25,7 @@ import com.fasterxml.jackson.databind.JsonNode;
  */
 public class QmpPowerdown extends QmpCommand {
 
-    @SuppressWarnings({ "PMD.FieldNamingConventions",
-        "PMD.VariableNamingConventions" })
+    @SuppressWarnings({ "PMD.FieldNamingConventions" })
     private static final JsonNode jsonTemplate
         = parseJson("{ \"execute\": \"system_powerdown\" }");
 
diff --git a/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/commands/QmpQueryHotpluggableCpus.java b/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/commands/QmpQueryHotpluggableCpus.java
index 6f87d10..d4fb5cc 100644
--- a/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/commands/QmpQueryHotpluggableCpus.java
+++ b/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/commands/QmpQueryHotpluggableCpus.java
@@ -25,8 +25,7 @@ import com.fasterxml.jackson.databind.JsonNode;
  */
 public class QmpQueryHotpluggableCpus extends QmpCommand {
 
-    @SuppressWarnings({ "PMD.FieldNamingConventions",
-        "PMD.VariableNamingConventions" })
+    @SuppressWarnings({ "PMD.FieldNamingConventions" })
     private static final JsonNode jsonTemplate = parseJson(
         "{\"execute\":\"query-hotpluggable-cpus\",\"arguments\":{}}");
 
diff --git a/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/commands/QmpRemoveMedium.java b/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/commands/QmpRemoveMedium.java
index cc74555..71360cf 100644
--- a/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/commands/QmpRemoveMedium.java
+++ b/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/commands/QmpRemoveMedium.java
@@ -27,8 +27,7 @@ import com.fasterxml.jackson.databind.node.ObjectNode;
  */
 public class QmpRemoveMedium extends QmpCommand {
 
-    @SuppressWarnings({ "PMD.FieldNamingConventions",
-        "PMD.VariableNamingConventions" })
+    @SuppressWarnings({ "PMD.FieldNamingConventions" })
     private static final JsonNode jsonTemplate
         = parseJson("{ \"execute\": \"blockdev-remove-medium\",\"arguments\": {"
             + "\"id\": \"\" } }");
diff --git a/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/commands/QmpReset.java b/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/commands/QmpReset.java
index 0bcffc4..5364811 100644
--- a/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/commands/QmpReset.java
+++ b/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/commands/QmpReset.java
@@ -25,8 +25,7 @@ import com.fasterxml.jackson.databind.JsonNode;
  */
 public class QmpReset extends QmpCommand {
 
-    @SuppressWarnings({ "PMD.FieldNamingConventions",
-        "PMD.VariableNamingConventions" })
+    @SuppressWarnings({ "PMD.FieldNamingConventions" })
     private static final JsonNode jsonTemplate
         = parseJson("{ \"execute\": \"system_reset\" }");
 
diff --git a/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/commands/QmpSetBalloon.java b/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/commands/QmpSetBalloon.java
index c7f6bed..f9d4c5d 100644
--- a/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/commands/QmpSetBalloon.java
+++ b/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/commands/QmpSetBalloon.java
@@ -28,8 +28,7 @@ import java.math.BigInteger;
  */
 public class QmpSetBalloon extends QmpCommand {
 
-    @SuppressWarnings({ "PMD.FieldNamingConventions",
-        "PMD.VariableNamingConventions" })
+    @SuppressWarnings({ "PMD.FieldNamingConventions" })
     private static final JsonNode jsonTemplate
         = parseJson("{ \"execute\": \"balloon\", "
             + "\"arguments\": " + "{ \"value\": 0 } }");
diff --git a/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/events/MonitorEvent.java b/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/events/MonitorEvent.java
index 6663fa4..93e7785 100644
--- a/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/events/MonitorEvent.java
+++ b/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/events/MonitorEvent.java
@@ -49,7 +49,6 @@ public class MonitorEvent extends Event<Void> {
      * @param response the response
      * @return the optional
      */
-    @SuppressWarnings("PMD.TooFewBranchesForASwitchStatement")
     public static Optional<MonitorEvent> from(JsonNode response) {
         try {
             var kind = Kind.valueOf(response.get("event").asText());
diff --git a/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/events/RunnerStateChange.java b/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/events/RunnerStateChange.java
index 829cc88..261eebf 100644
--- a/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/events/RunnerStateChange.java
+++ b/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/events/RunnerStateChange.java
@@ -26,7 +26,6 @@ import org.jgrapes.core.Event;
 /**
  * The Class RunnerStateChange.
  */
-@SuppressWarnings("PMD.DataClass")
 public class RunnerStateChange extends Event<Void> {
 
     /**
diff --git a/org.jdrupes.vmoperator.util/src/org/jdrupes/vmoperator/util/DataPath.java b/org.jdrupes.vmoperator.util/src/org/jdrupes/vmoperator/util/DataPath.java
index 445d383..e83cf27 100644
--- a/org.jdrupes.vmoperator.util/src/org/jdrupes/vmoperator/util/DataPath.java
+++ b/org.jdrupes.vmoperator.util/src/org/jdrupes/vmoperator/util/DataPath.java
@@ -32,7 +32,6 @@ import java.util.logging.Logger;
  */
 public final class DataPath {
 
-    @SuppressWarnings("PMD.FieldNamingConventions")
     private static final Logger logger
         = Logger.getLogger(DataPath.class.getName());
 
@@ -56,7 +55,6 @@ public final class DataPath {
      * @param selectors the selectors
      * @return the result
      */
-    @SuppressWarnings("PMD.UseLocaleWithCaseConversions")
     public static <T> Optional<T> get(Object from, Object... selectors) {
         Object cur = from;
         for (var selector : selectors) {
@@ -132,7 +130,6 @@ public final class DataPath {
     @SuppressWarnings({ "PMD.CognitiveComplexity", "unchecked" })
     public static <T> T deepCopy(T object) {
         if (object instanceof Map map) {
-            @SuppressWarnings("PMD.UseConcurrentHashMap")
             Map<Object, Object> copy;
             try {
                 copy = (Map<Object, Object>) object.getClass().getConstructor()
diff --git a/org.jdrupes.vmoperator.util/src/org/jdrupes/vmoperator/util/GsonPtr.java b/org.jdrupes.vmoperator.util/src/org/jdrupes/vmoperator/util/GsonPtr.java
index f78374c..c6fb101 100644
--- a/org.jdrupes.vmoperator.util/src/org/jdrupes/vmoperator/util/GsonPtr.java
+++ b/org.jdrupes.vmoperator.util/src/org/jdrupes/vmoperator/util/GsonPtr.java
@@ -32,8 +32,7 @@ import java.util.function.Supplier;
 /**
  * Utility class for pointing to elements on a Gson (Json) tree.
  */
-@SuppressWarnings({ "PMD.DataflowAnomalyAnalysis",
-    "PMD.ClassWithOnlyPrivateConstructorsShouldBeFinal", "PMD.GodClass" })
+@SuppressWarnings({ "PMD.ClassWithOnlyPrivateConstructorsShouldBeFinal" })
 public class GsonPtr {
 
     private final JsonElement position;
@@ -102,7 +101,7 @@ public class GsonPtr {
      * @param selectors the selectors
      * @return the Gson pointer
      */
-    @SuppressWarnings({ "PMD.ShortMethodName", "PMD.PreserveStackTrace" })
+    @SuppressWarnings({ "PMD.PreserveStackTrace" })
     public Optional<GsonPtr> get(Object... selectors) {
         JsonElement element = position;
         for (Object sel : selectors) {
@@ -146,7 +145,6 @@ public class GsonPtr {
      * @param cls the cls
      * @return the result
      */
-    @SuppressWarnings({ "PMD.AvoidBranchingStatementAsLastInLoop" })
     public <T extends JsonElement> T getAs(Class<T> cls) {
         if (cls.isAssignableFrom(position.getClass())) {
             return cls.cast(position);
diff --git a/org.jdrupes.vmoperator.vmaccess/src/org/jdrupes/vmoperator/vmaccess/VmAccess.java b/org.jdrupes.vmoperator.vmaccess/src/org/jdrupes/vmoperator/vmaccess/VmAccess.java
index b48aa7e..f30b771 100644
--- a/org.jdrupes.vmoperator.vmaccess/src/org/jdrupes/vmoperator/vmaccess/VmAccess.java
+++ b/org.jdrupes.vmoperator.vmaccess/src/org/jdrupes/vmoperator/vmaccess/VmAccess.java
@@ -111,9 +111,8 @@ import org.jgrapes.webconsole.base.freemarker.FreeMarkerConlet;
  *     users and roles.
  *
  */
-@SuppressWarnings({ "PMD.DataflowAnomalyAnalysis", "PMD.ExcessiveImports",
-    "PMD.CouplingBetweenObjects", "PMD.GodClass", "PMD.TooManyMethods",
-    "PMD.CyclomaticComplexity" })
+@SuppressWarnings({ "PMD.ExcessiveImports", "PMD.CouplingBetweenObjects",
+    "PMD.GodClass", "PMD.TooManyMethods", "PMD.CyclomaticComplexity" })
 public class VmAccess extends FreeMarkerConlet<VmAccess.ResourceModel> {
 
     private static final String VM_NAME_PROPERTY = "vmName";
@@ -167,7 +166,7 @@ public class VmAccess extends FreeMarkerConlet<VmAccess.ResourceModel> {
      * 
      * @param event the event
      */
-    @SuppressWarnings({ "unchecked", "PMD.AvoidDuplicateLiterals" })
+    @SuppressWarnings({ "unchecked" })
     @Handler
     public void onConfigurationUpdate(ConfigurationUpdate event) {
         event.structured(componentPath())
@@ -267,7 +266,7 @@ public class VmAccess extends FreeMarkerConlet<VmAccess.ResourceModel> {
     public void onConsoleConfigured(ConsoleConfigured event,
             ConsoleConnection connection) throws InterruptedException,
             IOException {
-        @SuppressWarnings({ "unchecked", "PMD.PrematureDeclaration" })
+        @SuppressWarnings({ "unchecked" })
         final var rendered
             = (Set<ResourceModel>) connection.session().get(RENDERED);
         connection.session().remove(RENDERED);
@@ -277,8 +276,7 @@ public class VmAccess extends FreeMarkerConlet<VmAccess.ResourceModel> {
         addMissingConlets(event, connection, rendered);
     }
 
-    @SuppressWarnings({ "PMD.AvoidInstantiatingObjectsInLoops",
-        "PMD.AvoidDuplicateLiterals" })
+    @SuppressWarnings({ "PMD.AvoidInstantiatingObjectsInLoops" })
     private void addMissingConlets(ConsoleConfigured event,
             ConsoleConnection connection, final Set<ResourceModel> rendered)
             throws InterruptedException {
@@ -406,7 +404,6 @@ public class VmAccess extends FreeMarkerConlet<VmAccess.ResourceModel> {
     }
 
     @Override
-    @SuppressWarnings({ "PMD.AvoidInstantiatingObjectsInLoops" })
     protected Set<RenderMode> doRenderConlet(RenderConletRequestBase<?> event,
             ConsoleConnection channel, String conletId, ResourceModel model)
             throws Exception {
@@ -655,9 +652,8 @@ public class VmAccess extends FreeMarkerConlet<VmAccess.ResourceModel> {
      * @throws InterruptedException 
      */
     @Handler(namedChannels = "manager")
-    @SuppressWarnings({ "PMD.ConfusingTernary", "PMD.CognitiveComplexity",
-        "PMD.AvoidInstantiatingObjectsInLoops", "PMD.AvoidDuplicateLiterals",
-        "PMD.ConfusingArgumentToVarargsMethod" })
+    @SuppressWarnings({ "PMD.CognitiveComplexity",
+        "PMD.AvoidInstantiatingObjectsInLoops" })
     public void onVmResourceChanged(VmResourceChanged event, VmChannel channel)
             throws IOException, InterruptedException {
         var vmDef = event.vmDefinition();
@@ -853,8 +849,7 @@ public class VmAccess extends FreeMarkerConlet<VmAccess.ResourceModel> {
                 model.getConletId(), "openConsole", cf)));
     }
 
-    @SuppressWarnings({ "PMD.AvoidLiteralsInIfCondition",
-        "PMD.UseLocaleWithCaseConversions" })
+    @SuppressWarnings({ "PMD.UseLocaleWithCaseConversions" })
     private void selectResource(NotifyConletModel event,
             ConsoleConnection channel, ResourceModel model)
             throws JsonProcessingException, InterruptedException {
@@ -881,7 +876,6 @@ public class VmAccess extends FreeMarkerConlet<VmAccess.ResourceModel> {
     /**
      * The Class AccessModel.
      */
-    @SuppressWarnings("PMD.DataClass")
     public static class ResourceModel extends ConletBaseModel {
 
         /**
diff --git a/org.jdrupes.vmoperator.vmmgmt/src/org/jdrupes/vmoperator/vmmgmt/TimeSeries.java b/org.jdrupes.vmoperator.vmmgmt/src/org/jdrupes/vmoperator/vmmgmt/TimeSeries.java
index 29d0b8e..7e1f39e 100644
--- a/org.jdrupes.vmoperator.vmmgmt/src/org/jdrupes/vmoperator/vmmgmt/TimeSeries.java
+++ b/org.jdrupes.vmoperator.vmmgmt/src/org/jdrupes/vmoperator/vmmgmt/TimeSeries.java
@@ -28,7 +28,6 @@ import java.util.List;
 /**
  * The Class TimeSeries.
  */
-@SuppressWarnings("PMD.DataflowAnomalyAnalysis")
 public class TimeSeries {
 
     @SuppressWarnings("PMD.LooseCoupling")
diff --git a/org.jdrupes.vmoperator.vmmgmt/src/org/jdrupes/vmoperator/vmmgmt/VmMgmt.java b/org.jdrupes.vmoperator.vmmgmt/src/org/jdrupes/vmoperator/vmmgmt/VmMgmt.java
index 97d6867..e4380ba 100644
--- a/org.jdrupes.vmoperator.vmmgmt/src/org/jdrupes/vmoperator/vmmgmt/VmMgmt.java
+++ b/org.jdrupes.vmoperator.vmmgmt/src/org/jdrupes/vmoperator/vmmgmt/VmMgmt.java
@@ -75,8 +75,7 @@ import org.jgrapes.webconsole.base.freemarker.FreeMarkerConlet;
 /**
  * The Class {@link VmMgmt}.
  */
-@SuppressWarnings({ "PMD.DataflowAnomalyAnalysis", "PMD.CouplingBetweenObjects",
-    "PMD.ExcessiveImports" })
+@SuppressWarnings({ "PMD.CouplingBetweenObjects", "PMD.ExcessiveImports" })
 public class VmMgmt extends FreeMarkerConlet<VmMgmt.VmsModel> {
 
     private Class<?> preferredIpVersion = Inet4Address.class;
@@ -112,7 +111,7 @@ public class VmMgmt extends FreeMarkerConlet<VmMgmt.VmsModel> {
      * 
      * @param event the event
      */
-    @SuppressWarnings({ "unchecked", "PMD.AvoidDuplicateLiterals" })
+    @SuppressWarnings({ "unchecked" })
     @Handler
     public void onConfigurationUpdate(ConfigurationUpdate event) {
         event.structured("/Manager/GuiHttpServer"
@@ -177,7 +176,6 @@ public class VmMgmt extends FreeMarkerConlet<VmMgmt.VmsModel> {
     }
 
     @Override
-    @SuppressWarnings("PMD.AvoidInstantiatingObjectsInLoops")
     protected Set<RenderMode> doRenderConlet(RenderConletRequestBase<?> event,
             ConsoleConnection channel, String conletId, VmsModel conletState)
             throws Exception {
@@ -230,7 +228,6 @@ public class VmMgmt extends FreeMarkerConlet<VmMgmt.VmsModel> {
             simplifiedVmDefinition(vmDef, user, roles)));
     }
 
-    @SuppressWarnings("PMD.AvoidDuplicateLiterals")
     private Map<String, Object> simplifiedVmDefinition(VmDefinition vmDef,
             String user, List<String> roles) {
         // Convert RAM sizes to unitless numbers
@@ -270,9 +267,8 @@ public class VmMgmt extends FreeMarkerConlet<VmMgmt.VmsModel> {
      * @throws IOException 
      */
     @Handler(namedChannels = "manager")
-    @SuppressWarnings({ "PMD.ConfusingTernary", "PMD.CognitiveComplexity",
-        "PMD.AvoidInstantiatingObjectsInLoops", "PMD.AvoidDuplicateLiterals",
-        "PMD.ConfusingArgumentToVarargsMethod" })
+    @SuppressWarnings({ "PMD.CognitiveComplexity",
+        "PMD.AvoidInstantiatingObjectsInLoops" })
     public void onVmResourceChanged(VmResourceChanged event, VmChannel channel)
             throws IOException {
         var vmName = event.vmDefinition().name();
@@ -378,8 +374,6 @@ public class VmMgmt extends FreeMarkerConlet<VmMgmt.VmsModel> {
 
     }
 
-    @SuppressWarnings({ "PMD.AvoidLiteralsInIfCondition",
-        "PMD.LambdaCanBeMethodReference" })
     private Summary evaluateSummary(boolean force) {
         if (!force && cachedSummary != null) {
             return cachedSummary;
@@ -402,8 +396,7 @@ public class VmMgmt extends FreeMarkerConlet<VmMgmt.VmsModel> {
     }
 
     @Override
-    @SuppressWarnings({ "PMD.AvoidDecimalLiteralsInBigDecimalConstructor",
-        "PMD.NcssCount" })
+    @SuppressWarnings({ "PMD.NcssCount" })
     protected void doUpdateConletState(NotifyConletModel event,
             ConsoleConnection channel, VmsModel model) throws Exception {
         event.stop();