From bc93275f00badba594b32a6251f1bbe94d880ba6 Mon Sep 17 00:00:00 2001
From: Thomas Schroeter <thomas.schroeter@r3.com>
Date: Wed, 13 Jun 2018 13:18:44 +0100
Subject: [PATCH] Add HA notary setup tutorial (#937)

---
 .../installing-percona.rst                    | 180 +++++++++++++++++
 ...alling-the-notary-service-bootstrapper.rst |  33 ++++
 ...stalling-the-notary-service-monitoring.rst |   6 +
 .../installing-the-notary-service-netman.rst  | 155 +++++++++++++++
 .../installing-the-notary-service.rst         |  39 ++++
 .../running-a-notary-cluster/introduction.rst | 181 ++++++++++++++++++
 .../operating-percona.rst                     | 129 +++++++++++++
 .../resources/doorman-light.png               | Bin 0 -> 7199 bytes
 .../resources/ha-notary-overview2.png         | Bin 0 -> 18717 bytes
 .../resources/node.conf                       |  42 ++++
 .../resources/percona-colocated.png           | Bin 0 -> 4678 bytes
 .../resources/wsrep.cnf                       |  48 +++++
 .../running-a-notary-cluster/toctree.rst      |  13 ++
 docs/source/tutorials-index.rst               |   3 +-
 14 files changed, 828 insertions(+), 1 deletion(-)
 create mode 100644 docs/source/running-a-notary-cluster/installing-percona.rst
 create mode 100644 docs/source/running-a-notary-cluster/installing-the-notary-service-bootstrapper.rst
 create mode 100644 docs/source/running-a-notary-cluster/installing-the-notary-service-monitoring.rst
 create mode 100644 docs/source/running-a-notary-cluster/installing-the-notary-service-netman.rst
 create mode 100644 docs/source/running-a-notary-cluster/installing-the-notary-service.rst
 create mode 100644 docs/source/running-a-notary-cluster/introduction.rst
 create mode 100644 docs/source/running-a-notary-cluster/operating-percona.rst
 create mode 100644 docs/source/running-a-notary-cluster/resources/doorman-light.png
 create mode 100644 docs/source/running-a-notary-cluster/resources/ha-notary-overview2.png
 create mode 100644 docs/source/running-a-notary-cluster/resources/node.conf
 create mode 100644 docs/source/running-a-notary-cluster/resources/percona-colocated.png
 create mode 100644 docs/source/running-a-notary-cluster/resources/wsrep.cnf
 create mode 100644 docs/source/running-a-notary-cluster/toctree.rst

diff --git a/docs/source/running-a-notary-cluster/installing-percona.rst b/docs/source/running-a-notary-cluster/installing-percona.rst
new file mode 100644
index 0000000000..3157e91649
--- /dev/null
+++ b/docs/source/running-a-notary-cluster/installing-percona.rst
@@ -0,0 +1,180 @@
+================================
+Percona, the underlying Database
+================================
+
+Percona's `documentation page <https://www.percona.com/doc>`__ explains the installation in detail.
+
+In this section we're setting up a
+three-node Percona cluster.  A three-node cluster can tolerate one crash
+fault. In production, you probably want to run five nodes, to be able to 
+tolerate up to two faults.
+
+Host names and IP addresses used in the example are listed in the table below.
+
+========= ========
+Host      IP
+========= ========
+percona-1 10.1.0.1
+percona-2 10.1.0.2
+percona-3 10.1.0.3
+========= ========
+
+Installation
+============
+
+Percona provides repositories for the YUM and APT package managers.
+Alternatively you can install from source. For simplicity, we are going to
+install Percona using the default data directory ``/var/lib/mysql``.
+
+.. note::
+
+  The steps below should be run on all your Percona nodes, unless otherwise
+  mentioned. You should write down the host names or IP addresses of all your
+  Percona nodes before starting the installation, to configure the data
+  replication and later to configure the JDBC connection of your notary
+  cluster.
+
+Run the commands below on all nodes of your Percona cluster to configure the
+Percona repositories and install the service.
+
+.. code:: sh
+  
+  wget https://repo.percona.com/apt/percona-release_0.1-4.$(lsb_release -sc)_all.deb
+  sudo dpkg -i percona-release_0.1-4.$(lsb_release -sc)_all.deb
+  sudo apt-get update
+  sudo apt-get install percona-xtradb-cluster-57
+
+The service will start up automatically after the installation, you can confirm that the service is
+running with ``service mysql status``, start the service with ``sudo service mysql start`` and stop with
+``sudo service mysql stop``.
+
+Configuration
+=============
+
+Configure the MySQL Root Password (if necessary)
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+Some distros allow root access to the database through a Unix domain socket, others
+require you to find the temporary password in the log file and change it upon
+first login.
+
+Stop the Service
+^^^^^^^^^^^^^^^^
+
+.. code:: sh
+
+  sudo service mysql stop
+
+Setup replication
+^^^^^^^^^^^^^^^^^
+
+Variables you need to change from the defaults are listed in the table below.
+
+======================  ===========================================================  ==========================================================
+Variable Name           Example                                                      Description                   
+======================  ===========================================================  ==========================================================
+wsrep_cluster_address   gcomm://10.1.0.1,10.1.0.2,10.1.0.3                           The addresses of all the cluster nodes (host and port)
+wsrep_node_address      10.1.0.1                                                     The address of the Percona node
+wsrep_cluster_name      notary-cluster-1                                             The name of the Percona cluster
+wsrep_sst_auth          username:password                                            The credentials for SST
+wsrep_provider_options  "gcache.size=8G"                                             Replication options
+======================  ===========================================================  ==========================================================
+
+Configure all replicas via
+``/etc/mysql/percona-xtradb-cluster.conf.d/wsrep.cnf`` as shown in the template
+below. 
+
+.. literalinclude:: resources/wsrep.cnf
+   :caption: wsrep.cnf
+   :name: wsrep-cnf
+
+The file ``/etc/mysql/percona-xtradb-cluster.conf.d/mysqld.cnf`` contains additional settings like the data directory. We're assuming
+you keep the default ``/var/lib/mysql``.
+
+Configure AppArmor, SELinux or other Kernel Security Module
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+If you're changing the location of the database data directory, you might need to
+configure your security module accordingly.
+
+On the first Percona node
+^^^^^^^^^^^^^^^^^^^^^^^^^
+
+Start the Database
+~~~~~~~~~~~~~~~~~~
+
+.. code:: sh
+
+  sudo /etc/init.d/mysql bootstrap-pxc
+
+
+Watch the logs using ``tail -f /var/log/mysqld.log``. Look for a log entry like
+``WSREP: Setting wsrep_ready to true``.
+
+Create the Corda User
+~~~~~~~~~~~~~~~~~~~~~
+
+.. code:: sql
+
+  CREATE USER corda IDENTIFIED BY '{{ password }}';
+
+Create the Database and Tables
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. code:: sql
+
+  CREATE DATABASE corda;
+ 
+  CREATE TABLE IF NOT EXISTS corda.notary_committed_states (
+                                issue_transaction_id BINARY(32) NOT NULL,
+                                issue_transaction_output_id INT UNSIGNED NOT NULL,
+                                consuming_transaction_id BINARY(32) NOT NULL,
+                                CONSTRAINT id PRIMARY KEY (issue_transaction_id, issue_transaction_output_id)
+                                );
+         
+  GRANT SELECT, INSERT ON corda.notary_committed_states TO 'corda';
+         
+  CREATE TABLE IF NOT EXISTS corda.notary_request_log (
+                                consuming_transaction_id BINARY(32) NOT NULL,
+                                requesting_party_name TEXT NOT NULL,
+                                request_signature BLOB NOT NULL,
+                                request_date TIMESTAMP NOT NULL DEFAULT CURRENT_TIMESTAMP,
+                                request_id INT UNSIGNED NOT NULL AUTO_INCREMENT,
+                                CONSTRAINT rid PRIMARY KEY (request_id)
+                                );
+         
+  GRANT INSERT ON corda.notary_request_log TO 'corda';
+
+Create the SST User
+~~~~~~~~~~~~~~~~~~~
+
+.. code:: sql
+  
+  CREATE USER ‘{{ sst_user }}’@’localhost’ IDENTIFIED BY ‘{{ sst_pass }}‘;
+  GRANT RELOAD, LOCK TABLES, PROCESS, REPLICATION CLIENT ON *.* TO ‘{{ sst_user }}’@’localhost’;
+  FLUSH PRIVILEGES;
+
+
+On all other Nodes
+^^^^^^^^^^^^^^^^^^
+
+Once you have updated the ``wsrep.cnf`` on all nodes, start MySQL on all the
+remaining nodes of your cluster. Run this command on all nodes of your cluster,
+except the first one. The config file is shown `above <#wsrep-cnf>`__.
+
+.. code:: sh
+
+  service mysql start
+
+Watch the logs using ``tail -f /var/log/mysqld.log``. Make sure you can start
+the MySQL client on the command line and access the ``corda`` database on all
+nodes.
+
+.. code:: sh
+
+  mysql
+  mysql> use corda;
+  # The output should be `Database changed`.
+
+In the next section, we're :doc:`installing-the-notary-service`. You can read about :doc:`operating-percona` in a later section of this tutorial.
+
diff --git a/docs/source/running-a-notary-cluster/installing-the-notary-service-bootstrapper.rst b/docs/source/running-a-notary-cluster/installing-the-notary-service-bootstrapper.rst
new file mode 100644
index 0000000000..0ef0b9e825
--- /dev/null
+++ b/docs/source/running-a-notary-cluster/installing-the-notary-service-bootstrapper.rst
@@ -0,0 +1,33 @@
+Using the Bootstrapper
+++++++++++++++++++++++
+
+You can skip this section when you're setting up or joining a cluster with
+doorman and network map.
+
+Once the database is set up, you can prepare your configuration files of your notary
+nodes and use the bootstrapper to create a Corda network, see
+:doc:`../setting-up-a-corda-network`. Remember to configure
+``notary.serviceLegalName`` in addition to ``myLegalName`` for all members of
+your cluster.
+
+You can find the documentation of the bootstrapper at :doc:`../setting-up-a-corda-network`.
+
+Expected Outcome
+~~~~~~~~~~~~~~~~
+
+You will go from a set of configuration files to a directory tree containing a fully functional Corda network.
+
+The notaries will be visible and available on the network. You can list available notaries using the node shell.
+
+.. code:: sh
+
+  run notaryIdentities
+
+The output of the above command should include the ``notary.serviceLegalName``
+you have configured, e.g. ``O=HA Notary, L=London, C=GB``.
+
+CorDapp developers should select the notary service identity from the network map cache.
+
+.. code:: kotlin
+
+  serviceHub.networkMapCache.getNotary(CordaX500Name("HA Notary", "London", "GB"))
diff --git a/docs/source/running-a-notary-cluster/installing-the-notary-service-monitoring.rst b/docs/source/running-a-notary-cluster/installing-the-notary-service-monitoring.rst
new file mode 100644
index 0000000000..6764008373
--- /dev/null
+++ b/docs/source/running-a-notary-cluster/installing-the-notary-service-monitoring.rst
@@ -0,0 +1,6 @@
+
+Monitoring
+++++++++++
+
+The notary health-check CorDapp monitors all notaries of the network and
+serves a metrics website (TBD where the documentation is hosted).
diff --git a/docs/source/running-a-notary-cluster/installing-the-notary-service-netman.rst b/docs/source/running-a-notary-cluster/installing-the-notary-service-netman.rst
new file mode 100644
index 0000000000..c660616843
--- /dev/null
+++ b/docs/source/running-a-notary-cluster/installing-the-notary-service-netman.rst
@@ -0,0 +1,155 @@
+In a network with Doorman and Network map
++++++++++++++++++++++++++++++++++++++++++
+
+You can skip this section if you're not setting up or joining a network with
+doorman and network map service.
+
+Expected Outcome
+~~~~~~~~~~~~~~~~
+
+You will go from a set of configuration files to a fully functional Corda network.
+The network map will be advertising the service identity of the Notary.  Every
+notary replica has obtained its own identity and the shared service identity
+from the doorman. 
+
+Using the registration tool, you will obtain the serivce identity of your notary
+cluster and distribute it to the keystores of all replicas of your notary
+cluster.
+
+The individual node identity is used by the messaging layer to route requests to
+individual notary replicas. The notary replicas sign using the service identity
+private key.
+
+========  =========================== ===========================
+Host      Individual identity         Service identity
+========  =========================== ===========================
+notary-1  O=Replica 1, L=London, C=GB O=HA Notary, L=London, C=GB
+notary-2  O=Replica 2, L=London, C=GB O=HA Notary, L=London, C=GB
+notary-3  O=Replica 3, L=London, C=GB O=HA Notary, L=London, C=GB
+========  =========================== ===========================
+
+The notaries will be visible and available on the network. To list available notary
+identities using the Corda node shell
+
+.. code:: sh
+
+  run notaryIdentities
+
+The output of the above command should include ``O=HA Notary, L=London, C=GB``.
+
+CorDapp developers should select the notary service identity from the network map cache.
+
+.. code:: kotlin
+
+  serviceHub.networkMapCache.getNotary(CordaX500Name("HA Notary", "London", "GB"))
+
+Every notary replica's keystore contains the private key of the replica and the
+private key of the notary service (with aliases ``identity-private-key`` and
+``distributed-notary-private key`` in the keystore). We're going to create and
+populate the node's keystores later in this tutorial.
+
+The Notary, the Doorman and the Network Map
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+The notary is an essential component of every Corda network, therefore the
+Notary identity needs to be created first, before other nodes can join the
+network, since the Notary identity is part of the network parameters.
+Adding a Corda notary to an existing network is covered in
+the network services documentation (TBD where this is hosted). Removing a notary from a network
+is currently not supported.
+
+.. image:: resources/doorman-light.png
+  :scale: 70%
+
+
+The notary sends a certificate signing request (CSR) to the doorman for
+approval. Once approved, the notary obtains a signed certificate from the
+doorman. The notary can then produce a signed node info file that contains the
+P2P addresses, the legal identity, certificate and public key. The node infos
+of all notaries that are part of the network are included in the network
+parameters. Therefore, the notary node info files have to be present when the
+network parameters are created.
+
+Registering with the Doorman
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Obtaining the individual Node Identities
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+Write the configuration files for your replicas as described in :doc:`installing-the-notary-service`.
+
+Register all the notary replicas with the doorman using the ``--initial-registration``  flag.
+
+.. code:: sh
+
+  java -jar corda.jar --initial-registration \
+      --network-root-truststore-password '{{ root-truststore-password }}' \
+      --network-root-truststore network-root-truststore.jks
+
+Obtaining the distributed Service Identity
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+Once you completed the initial registration for all notary nodes, you can use
+the registration tool to submit the certificate signing request (CSR) for the
+service identity of your notary cluster.  Read the documentation about the
+`registration tool <https://github.com/corda/network-services/tree/master/registration-tool>`__
+for detailed instructions.
+
+Use the configuration file template below to configure the registration tool.
+
+::
+
+  legalName = "{{ X500 name of the notary service }}"
+  email = "test@email.com"
+  compatibilityZoneURL = "https://{{ host }}:{{ port }}"
+  networkRootTrustStorePath = "network-root-truststore.jks"
+  
+  networkRootTrustStorePassword = ""
+  keyStorePassword = ""
+  trustStorePassword = ""
+  
+  crlCheckSoftFail = true
+
+Run the command below to obtain the service identity of the notary cluster.
+
+.. code:: sh
+
+  java -jar registration-tool.jar --config-file '{{ registation-config-file }}'
+
+The service identity will be stored in a file
+``certificates/notaryidentitykeystore.jks``. Distribute the
+``distributed-notary-private-key`` into the keystores of all notary nodes that
+are part of the cluster as follows:
+
+* Copy the notary service identity to all notary nodes, placing it in the same directory as the ``nodekeystore.jks`` file and run the following command to import the service identity into the node's keystore:
+
+.. code:: sh
+
+  registration-tool.jar --importkeystore \
+    --srcalias distributed-notary-private-key \
+    --srckeystore certificates/notaryidentitykeystore.jks \
+    --destkeystore certificates/nodekeystore.jks
+
+* Check that the private keys are available in the keystore using the following command
+
+.. code:: sh
+
+  keytool -list -v -keystore certificates/nodekeystore.jks | grep Alias
+
+  # Output:
+  # Alias name: cordaclientca
+  # Alias name: identity-private-key
+  # Alias name: distributed-notary-private-key
+
+Network Map: Setting the Network Parameters
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+This step is only applicable if you're the operator of the network map service.
+In case the network map is operated by somebody else, you might need to send
+them the node-info file of one of your notary nodes for inclusion in the
+network parameters.
+
+Copy the node info file of one of the notary replicas to the network map to
+include the service identity in the network parameters. Follow the
+instructions in the manual of the network services to generate the network
+parameters (TBD where the documentation is hosted). 
diff --git a/docs/source/running-a-notary-cluster/installing-the-notary-service.rst b/docs/source/running-a-notary-cluster/installing-the-notary-service.rst
new file mode 100644
index 0000000000..1d7bf68aeb
--- /dev/null
+++ b/docs/source/running-a-notary-cluster/installing-the-notary-service.rst
@@ -0,0 +1,39 @@
+=============================
+Setting up the Notary Service
+=============================
+
+In the previous section of this tutorial we set up a Percona cluster.
+
+On top of the Percona cluster we're deploying three Corda notary nodes ``notary-{1,2,3}`` and
+a single regular Corda node ``node-1`` that runs the notary health-check CorDapp.
+
+If you're deploying VMs in your environment you might need to adjust the host names accordingly.
+
+Configuration Files
++++++++++++++++++++
+
+Below is a template for the notary configuration. Notice the parameters
+``rewriteBatchedStatements=true&useSSL=false&failOverReadOnly=false`` of the
+JDBC URL.  See :doc:`../corda-configuration-file` for a complete reference.
+
+Put the IP address or host name of the nearest Percona server first in the JDBC
+URL. When running a Percona and a Notary replica on a single machine, list the
+local IP first.
+
+.. literalinclude:: resources/node.conf
+  :caption: node.conf
+  :name: node-conf
+
+.. note::
+
+  Omit ``compatibilityZoneURL`` and set ``devMode = true`` when using the bootstrapper.
+
+
+Next Steps
+++++++++++
+
+.. toctree::
+  :maxdepth: 1
+
+  installing-the-notary-service-bootstrapper
+  installing-the-notary-service-netman
diff --git a/docs/source/running-a-notary-cluster/introduction.rst b/docs/source/running-a-notary-cluster/introduction.rst
new file mode 100644
index 0000000000..8be2e2e7ef
--- /dev/null
+++ b/docs/source/running-a-notary-cluster/introduction.rst
@@ -0,0 +1,181 @@
+=====================================
+Highly Available Notary Service Setup
+=====================================
+
+About the HA Notary Installation
+================================
+
+In this chapter you'll learn how to set up, configure and start a highly
+available (HA) Corda Notary from scratch. If you're targeting an environment
+with doorman and network map, you require the registration tool. If you don't
+require the doorman and network map, and you don't want to join an existing
+network, the bootstrapper allows you to set up a cluster of nodes from a set of
+configuration files.
+
+The HA Notary relies on a Percona/XtraDB (Percona) cluster. How to set up Percona
+is described below.
+
+This guide assumes you're running a Debian-based Linux OS.
+
+Double curly braces ``{{ }}`` are used to represent placeholder values
+throughout this guide.
+
+Overview
+========
+
+.. image:: resources/ha-notary-overview2.png
+  :scale: 75 %
+
+The figure above displays the Corda nodes in green on the top, then the Corda
+notaries in red in the middle and on the bottom are the Percona nodes in blue.
+
+Corda nodes that request a notarisation by the service name of the Notary,
+will connect to the available Notary nodes in a round-robin fashion.
+
+Since our Notary cluster consists of several Percona nodes and several Corda
+Notary nodes, we achieve high availability (HA). Individual nodes of the
+Percona and Notary clusters can fail, while clients are still able to
+notarise transactions. The Notary cluster remains available. A three-node
+Percona cluster as shown in the figure above can tolerate one crash fault.
+
+.. note::
+
+  In production you should consider running five nodes or more, to be able to
+  tolerate more than one simultaneous crash fault. One single Corda Notary
+  replica is enough to serve traffic in principal, although its capacity might
+  not be sufficient, depending on your throughput and latency requirements.
+
+Colocating Percona and the Notary Service
++++++++++++++++++++++++++++++++++++++++++
+
+.. image:: resources/percona-colocated.png
+  :scale: 50%
+
+You can run a Percona DB service and a Corda Notary service on the same machine.
+
+Summary
++++++++
+
+* Corda nodes communicate with the Notary cluster via P2P messaging, the messaging layer handles selecting an appropriate Notary replica by the service legal name.
+* Corda nodes connect to the Notary cluster members round-robin.
+* The notaries communicate with the underlying Percona cluster via JDBC.
+* The Percona nodes communicate with each other via group communication (GComm).
+* The Percona replicas should only be reachable from each other and from the Notary nodes.
+* The Notary P2P ports should be reachable from the internet (or at least from the rest of the Corda network you're building or joining).
+* We recommend running the notaries and the Percona service in a joined private subnet, opening up the P2P ports of the notaries for external traffic.
+
+Legal Names and Identities
+++++++++++++++++++++++++++
+
+Every Notary replica has two legal names. Its own legal name, specified by
+``myLegalName``, e.g ``O=Replica 1, C=GB, L=London`` and the service legal name
+specified in configuration by ``notary.serviceLegalName``, e.g. ``O=HA Notary,
+C=GB, L=London``. Only the service legal name is included in the network
+parameters. CorDapp developers should select the Notary service identity from the network map cache.
+
+.. code:: kotlin
+
+  serviceHub.networkMapCache.getNotary(CordaX500Name("HA Notary", "London", "GB"))
+
+Every Notary replica's keystore contains the private key of the replica and the
+private key of the Notary service (with aliases ``identity-private-key`` and
+``distributed-notary-private key`` in the keystore). We're going to create and
+populate the node's keystores later in this tutorial.
+
+
+Choosing Installation Path
+==========================
+
+.. note:: 
+
+  If you want to connect to a Corda network with a doorman and network map service,
+  use the registration tool to create your service identity. In case you want
+  to set up a test network for development or a private network without doorman and
+  network map, using the bootstrapper is recommended.
+
+Expected Data Volume
+====================
+
+For non-validating notaries the Notary stores roughly one kilobyte per transaction.
+
+Prerequisites
+=============
+
+* Java runtime
+* Corda JAR
+* Notary Health-Check JAR
+* Bootstrapper JAR (only required when setting up network without doorman and network map)
+* Network Registration tool (only required when setting up a network with doorman and network map)
+* Root access to a Linux machine or VM to install Percona
+* The private IP addresses of your DB hosts (where we're going to install Percona)
+* The public IP addresses of your Notary hosts (in order to advertise these IPs for P2P traffic)
+
+Your Corda distribution should contain all the JARs listed above.
+
+
+Security
+========
+
+Credentials
++++++++++++
+
+Make sure you have the following credentials available, create them if necessary and always
+keep them safe.
+
+================================ ============================================================================================================
+Password or Keystore             Description
+================================ ============================================================================================================
+database root password           used to create the Corda user, setting up the DB and tables (only required for some installation methods)
+Corda DB user password           used by the Notary service to access the DB
+SST DB user password             used by the Percona cluster for data replication (SST stands for state snapshot transfer)
+Network root truststore password (not required when using the bootstrapper)
+Node keystore password           (not required when using the bootstrapper)
+The network root truststore      (not required when using the bootstrapper)
+================================ ============================================================================================================
+
+Networking
+++++++++++
+
+Percona Cluster
+~~~~~~~~~~~~~~~
+=====  =======================
+Port   Purpose
+=====  =======================
+3306   MySQL client connections (from the Corda Notary nodes)
+4444   SST via rsync and Percona XtraBackup
+4567   Write-set replication traffic (over TCP) and multicast replication (over TCP and UDP)
+4568   IST (Incremental State Transfer)
+=====  =======================
+
+Follow the `Percona documentation <https://www.percona.com/doc/percona-xtradb-cluster/5.7/security/encrypt-traffic.html>`__
+if you need to encrypt the traffic between your Corda nodes and Percona and between Percona nodes.
+
+Corda Node
+~~~~~~~~~~
+
+=========  ======= ==============================
+Port       Example Purpose
+=========  ======= ==============================
+P2P Port   10002   P2P traffic (external)
+RPC Port   10003   RPC traffic (internal only)
+=========  ======= ==============================
+
+Later in the tutorial we're covering the Notary service configuration in details, in :doc:`installing-the-notary-service`.
+
+Keys and Certificates
++++++++++++++++++++++
+
+Keys are stored the same way as for regular Corda nodes in the ``certificates``
+directory. If you're interested in the details you can find out
+more in the :doc:`../permissioning` document.
+
+
+Next Steps
+==========
+
+.. toctree::
+   :maxdepth: 1
+
+   installing-percona
+   installing-the-notary-service
+   operating-percona
diff --git a/docs/source/running-a-notary-cluster/operating-percona.rst b/docs/source/running-a-notary-cluster/operating-percona.rst
new file mode 100644
index 0000000000..1f6802cbe2
--- /dev/null
+++ b/docs/source/running-a-notary-cluster/operating-percona.rst
@@ -0,0 +1,129 @@
+==============================
+Percona Monitoring, Backup and Restore (Advanced)
+==============================
+
+Monitoring
+==========
+
+Percona Monitoring and Management (PMM) is a platform for managing and
+monitoring your Percona cluster.  See the `PMM documentation
+<https://www.percona.com/doc/percona-monitoring-and-management/index.html>`__.
+
+Running PMM Server
+^^^^^^^^^^^^^^^^^^
+
+Install PMM Server on a single machine of your cluster.
+
+.. code:: sh
+
+   docker run -d \
+     -p 80:80 \
+     --volumes-from pmm-data \
+     --name pmm-server \
+     percona/pmm-server:latest
+
+Installing PMM  Client
+^^^^^^^^^^^^^^^^^^^^^^
+
+You need to configure the Percona repositories first, as described above.
+Install and configure PMM Client on all the machines that are running Percona.
+
+.. code:: sh
+
+  sudo apt-get install pmm-client
+  sudo pmm-admin config --server ${PMM_HOST}:${PMM_PORT}
+
+
+
+Backup
+======
+
+You can take backups with the ``XtraBackup`` tool. The command below creates a
+backup in ``/data/backups``.
+
+.. code:: sh
+
+  xtrabackup --backup --target-dir=/data/backups/
+
+
+Restore
+=======
+
+Stop the Cluster
+^^^^^^^^^^^^^^^^
+
+Stop the Percona cluster by shutting down nodes one by one. Prepare the backup to restore using
+
+.. code:: sh
+
+  xtrabackup --prepare --target-dir=/data/backups/
+
+Restore from a Backup
+^^^^^^^^^^^^^^^^^^^^^
+
+.. code:: sh
+
+  mv '{{ data-directory }}' '{{ data-directory-backup }}'
+  xtrabackup --copy-back --target-dir=/data/backups/
+  sudo chown -R mysql:mysql '{{ data-directory }}'
+
+Note that you might need the data in ``{{ data-direcotry-backup }}`` in case you
+need to repair and replay from the binlog, as described below.
+
+Start the first Node
+^^^^^^^^^^^^^^^^^^^^
+
+.. code:: sh
+
+  /etc/init.d/mysql bootstrap-pxc
+
+Repair
+======
+
+You can recover from some accidents, e.g. a table drop, by restoring the last
+backup and then applying the binlog up to the offending statement.
+
+Replay the Binary Log
+^^^^^^^^^^^^^^^^^^^^^
+
+XtraBackup records the binlog position of the backup in
+``xtrabackup_binlog_info``. Use this positon to start replaying the binlog from
+your data directory (e.g. ``/var/lib/mysql``, or the target directory of the move command
+used in the backup step above).
+
+.. code:: sh
+
+  mysqlbinlog '{{ binlog-file }}' --start-position=<start-position> > binlog.sql
+ 
+In case there are offending statements, such as
+accidental table drops, you can open ``binlog.sql`` for examination.
+
+Optionally can also pass ``--base64-output=decode-rows`` to decode every statement into a human readable format.
+
+.. code:: sh
+
+  mysqlbinlog $BINLOG_FILE --start-position=$START_POS --stop-position=$STOP_POS > binlog.sql
+  # Replay the binlog
+  mysql -u root -p < binlog.sql
+
+Start remaining Nodes
+^^^^^^^^^^^^^^^^^^^^^
+
+Finally, start the remaining nodes of the cluster.
+
+Restarting a Cluster
+====================
+When all nodes of the cluster are down, manual intervention is needed to bring
+the cluster back up. On the node with the most advanced replication index,
+``set safe_to_bootstrap: 1`` in the file ``grastate.dat`` in the data directory.
+You can use ``SHOW GLOBAL STATUS LIKE 'wsrep_last_committed';`` to find out the
+sequence number of the last committed transaction.  Start the first node using
+``/etc/init.d/mysql bootstrap-pxc``. Bring back one node at a time and watch
+the logs. If a SST is required, the first node can only
+serve as a donor for one node a time.
+
+See the documentation of the safe to bootstrap feature. Similar to restoring
+from backup, restarting the entire cluster is an operation that deserves
+practice. See the `documentation
+<http://galeracluster.com/2016/11/introducing-the-safe-to-bootstrap-feature-in-galera-cluster/>`__
+of this feature.
diff --git a/docs/source/running-a-notary-cluster/resources/doorman-light.png b/docs/source/running-a-notary-cluster/resources/doorman-light.png
new file mode 100644
index 0000000000000000000000000000000000000000..2305e9682a294a13c57b45b36d255d483cdad1e1
GIT binary patch
literal 7199
zcmds6cU05Mmrv*f5v7PAO#<=^QWa5ZKqYh{1dtjrpb(mXl+cS<>Ae$$KnNlhinQ>g
zcYF{)K|s0$A@q_^Ha>UH+1+#Yx9^>^=XZAZkMEh8JKsAq_s;!(?`J;q6mAUT1POuw
z005_+?sZcDfB_Ex05{p_0szTBJds{7-P1DC0s!8|bL=}X)7xSwT~i|fAn+Uj5dIJV
zpwdO*-vIz$c>sWX8vszr008*!=hWU*qjxaeF@RkM96gTjX{5K<@9SFm005`6e?CAx
z->4M2koAF{(GAvV7A7t^MV)2a;{d=JZoTVTh=9@M+}^~3o`LAWn0E})_h07x&Z@R6
z{^Wy53VVyvw|BvoSKvXzm8g&DR;~F(Loy{Wws#Xg;zg`_ypOMG5JWExzGRQ&ebT1^
zWDC>*@R^<s2bG+FMkCm;+7KrASw04Q0tkrEjRrspwg1`Ofu|5EMpAbCvkeyZ;m_(J
z>l$2SEB+J2)m#81ICYl+u}fHG#;=-BalofaoA|L!meF$1=yDJ;9E9W}0{DoKU?3#e
z{D1e0lyy!Gp#_>TJl8;qJia8gKcY49$}^+^<xAlR_*mb^=|dX1qvGuXz5vT$S(r%K
z$;EPi*?V|!xL6dlML0Ouk-b$`Zh(w&&f=nl%FErn3frRDWx*0H;p#VYs|YZRF+*yt
zDzH=CgStZ>Sroc8_&qz4uvS16?dkS)OUJ7U(7v4xf*aMVOilUc<}sq(r}uE-FDhj;
zL7Y}1+HJ3^V%2(Q^v3pQrX^SVG}Y#rLH-3bfhaxm82Cs?pu-pMvKW6gRcE)0hA6Z4
z1J-+`vi3P1AoGj1SLOKH9x9PPj}lU+azHzcR|M`Gle@HLl}fxI<P%!Ln9n<iBH2=$
ze%zVD-D{(s4^oeeCaNRJwm;TU(3MRN0pOz~km_o4QxcPxP~>4Y!FFJEHG}`Rud!(!
zcMI=iQ6mktZZu9NeNB7bJ5=;i`q^i7FHux%MF#$Xw*!@9L2|5(+JcW&2%fhfJO2nP
zjJ&2si$i(E)?^IXB1E;yKFsIYl0%<2b$ZG0ISIK7D|u@Xkh39j_?SEspep2GHu}0;
zF$Jfq6}l=^E?g8DsU|x)9rREnQV`7Bl56maT-DmT0X}-w_D9m1nVd=6lBwD3XBMK$
zR`iBq8ZHN&GnX*s@KMnzFaP*Ekjo5HLy<$N7laUQZJ;QN0W*u>Pr`#-_?|C!JQ!$d
z%-iY3Qd?f;yZxZex$|q~M#czSzMB-<s;4|SFyl1LM|V0O!XQ)(Y=g_JDm!mP(qrM^
zr^W3iT_W?eM?GktZ^Gb?3h(5o3N6x@P4}7sKCAB_xc9St@1K{9R^of^3H$p;@qT!5
zb{ikXi=6np7+Fzg-fe|luc;A0$ldFZN`ng9I$?h7Y{aM%8}$S0MQXICJStd+ipPY8
zLZ5Re$}Z20DY#cvRw_znaP2Qol_yvlzkhK~r>vyn6*EG|^JNiEK|awY7NeU#zyuAC
zm6XGj{#MLJ@b^OoH=d!HF#2BN<;I)7PQ=7ux7DVvTE1H7k`!*Lo|$}3gnd`QUoS9W
z7erUf7!#}feHI|&PhD)w*hp^^Cg9}LT9v*GLk6T!tbO2USz8Hyt<R1eF6^IOU!-qY
z@Vr&|?e204bs>F&cm|P~p!@r|;ftICUeD~je|sM>+D#j1Y~Nv1XR4g(Lm4K!tyoo+
z*}&~aH&f<U0-<vZsbjpxDXWU9C^aLqjsCJW4t%Oq4N^=}^!y6gvRP-{EPm8*P_2!a
zv9pZr;*NJ@Ph?@lNL^lcw5Dz^^;R|Uwq^&%e*(kDp4gMk0#4L?u^ubOR=w@OeWJUi
z#-#b=*ri3c#{#6T6rq<84%KCJeK<te<!bUR0W+gDwC<4v3Y|YeI2I5#va`Ume<Q(j
z=P4Ttk84M_J(7oC_Vf(qGBiY{+NqWqp*(3G8bvut1(HT<vM%Z;1^~bMMU%Y8YFQ!v
zQofcckC2v(Xad+|&JD@#SU=Q#0AknR_bgjufwX&a<Lz=-I)?C=vVI>sMYT-%s(2au
zK3XVTGI}A$*3gV=@hyj>2~tq6AzW~~nC4I4l0RVh;dYpC`N^&TaM*Y)E4k(3CCCTk
zLRJ#y6B}oK?V_o-l+)78=igFONAASZI1y7<W0!SS+&YF5rq8s?2y?-LCEY$yXdCQ@
z;vN3$8_PkI8FZ*&m=Q{?{M+F3Zq2t}<PHu8cGyCe&ZxQi;~r1NmwhaDeRDT9duE``
zQx2&_5%skd<r+)w-itRVX%<x8J*yrw0=A2Fm{6a{6eeyQ>@kI%oD~*azGzV5%6pth
zNurr<mPT0@U7ctT$v+hwpP&JEKj_gX9}rDAh%jAIJiS;oQk~~!B4TL&5AsKURA5?P
zZFomeNj-oMV?KM(;(K*zI$v^Dy-6ZnjGud5#39KbfrA|rFW)KI5&f_pmNCmctF1i&
zHuPrqK6{pO@>~s5O+vyBTe5AWt!_uqLp@n7S&4tA?(L`lmw>?wlW>(h;q_+i3C4&0
z)I`f0zcMxhV%9v7A1hw|?AHRB@g1e&a?l(0d>9~PozTGn|HrR--o-wu;^_9HSc{4t
z(}3(BzDe&5Vh55ehj`bQnTwu|o%2wgsMr`0{Cs$^7zqDqCR^z_NL?QL@&{MR!N;Ej
z2+X83RT5F0YFG^Vv%lj~CF0on4)l_Ih5J`oY2Z-1@ce>zXOIApG~(Ea<IIdzf%wbq
z?)sYy!Hk)(e|peG@sb;t&NXw*qkDN}uw@NzalqD3m#scQ{t)$h_Xc8<nQBcCexASE
z6IREFhh^mCuDc6%?5{mco+D0L9Bj3Fz_mOrHL%7NqSSllj_Kx&nNolReJ3UY?wtDr
zkDNAAP@JNdkq;^FS=d<EhkiYQh|!x<bCigwSqzj4*Pq92+(9=;1I{CKuwAwl->E7S
ztDXU8l^(t}RNil>7wXBa0Ty1r8liI8s~6ESMjfgOxAriptP3hlP@H3e_-9R&9sTC?
zBgb_iEJe}8xS{=mdFeU>Uzf#COt(L(N8cso{CIdd_}A7Kmv|oSJ6@*LBbnjm9WqDT
zbI7EfQUC!|6VT|_kDkCZg0O^y>?8N#wtsDW0+GA^ttvul`B{a4;YaS&-)}S|00=s%
z%Ya|rcWDyh!xBD$(9z~ciS+2ZYQ#<=jA^X(sZuO~2tIGe?UcLuf6lch*BB`C=Mqvu
ze?Nd{f25q)jQI<&b(ihum-BZ6^H&USMUr#FmO?H2gY1ALRkG_fTq+W~(4jtbrx7`s
z;%Ik-sB@hi5(}rA3oAIM;j@aqHJcgvVTW6KIdA$?B=VaNn=$5W*idt=yf7A@^h(+&
zw5;SlxS#o0$g-I_w878b4tv~jn&P+pHCqP&yXSVILul`I2{%Lg>seXLZ4M=?#z>VD
zIE@d|brtD}4MM)d`}zBUK4CTWDopUkF4Gz}P<Yf?8#4i|GDEY(DgI;TYO1$iW*UZ8
z-hwVyRrR=xmZr?`A`Vd){k5-%>4IO25nEvytd3{Hmq9!F+3^D-7GI^e5hjW~{`>8%
zE=|YK4Wi@K4W`}q((j7)m1+aF;vN+xP<+Td*1kfo&Eg^7I(;}flY6d8uY}H-*NHjr
zpn`;pfd@w2((`mz1R`IQ7V_{`fRaj_g}rz_4fyD#EdbsHz2Cz3`X#uRm(AVSu(t<n
z*?bY`U6;jI^7z(S7L5AF2|9|8^#su)1mkNr_<DVf61u{^bL}WH+s@N&sQOyiEsKMY
zoKqL7@wQ)=a<SU1x&rvcZPG2cvRqNtO%0~+{#cb7B|h}hU}>J;&du0YKZ2T_*LxmJ
zxB@Hpwyd;76J+5SD-$OaC!b54AV{(5m3ROL-tcW=zZI+oV}8rp@?g-p+N7wefg4|-
z;CDq;c(WlTLS<e1nN{k?hWBgtzUYwVVQa<ZnRj1!JScLmAJ=FlyJ=M!LE9Q4)fVO)
zT!G|N+%b|SpC+aH?*0;^7Js@2oE6nX5_}c4POmx%>UZA}>9Xq5%4J!wKDK|vkjn(2
zLcc5J0@27bL4F>(nHq;D3HwOyy(j9ZDKH6as3G9^LmUTCl5=7~*IJqYlvL-K(4Wmf
z@C{QPY}zJefK`?popKUyw6@baQpjaX;y4e6ryps*16>Q#=>n1TG_FH{=(sLUgoU#~
zcvh|=lP|Z047Aq(6RFawN&qN<ojA}de<NA^ce&<X@k8vrzi_H-g8j`jAqQ<Jc<a;0
zS)N0!MJ`Zx#XhX`*(*1;d{PbDAiQt=@-a**JTQs8+5ITnE9*ycqo_};b0-t#8|47>
zd2B&wJXpG__@##G9)$_se^YEGGdqcZyk2pA+aFs+GE!lt3v&UWDu;~eyO!~4MH>Yk
zg0AVr`vG`Y{>I_J2fm-9&@QZm^6Uy#ic%j|RtAg@?l{4<cwxw6Qac_%zKSlfZM<b?
z+#uJHF`TgZq)g#@$Pdq_`STdJd%Nb<j7o0Uz=`OfTN9;5L0@oA3O(2)UvFK_FOm9n
zt}k=}TM`P2%WrZ6JE00t27(yLRHng0rcfcE2l>#`!_~!G8qZv#Kq47}lVyX}d{Sdp
zWtIHb5+b<H=PD1@R(_J8TmDd0aVx<%B!<y19Xi+dK%zMy?Hx)BB{)q}$0t8X80a$l
z`aF!fcY6O~Z!j(_PfOU*!d3!aeJYCyZer$KDsI|Yyn@@we#Ar;x`%CgcWh6CD0m2{
zjNvGjCAOKwzU`j1NK4GKIerm;w?><RJUsnFdi5EAT=I-jH9s(W*g_dw#jfo7c)au`
zJ0dj6roY^3-6cY<;gyYztPcrS6JA?+MfE_M0l)BD&&FV6P{ZefuG`C=&~XoqW&2ot
ztRPQ7{8`S8;2e@P?Q_9v<%X4?8Z_~G@$kTB43dTcZ$!;BAs5?piW2KyAggq&yjv~D
zG@)}}oNW#HHV#o=yKe;a4y+%?+i)1sC&5e3)O#8%G7l0Ozc1a%W9#ukL+biEeA2pz
zMVipqor4*BqV(*Q`fuqC(}xz;7CTzw*1wrv#-hzovpfi}@&t~h;NonX4ZPigc)@0+
zn&m~s<sf+RXBiup&Y;xgca}W)HZ~KCzOKM=5OyN@UaZTt(71@s(sbD3!ff3hPvP%p
zqVjEI&qSFF_IPBvci9_sYlx`szR`5ljkDo!mJ6rC&CiR<ELuNVkfPV46jFO>v^RWg
zSdHP^7>8)!p6xG2W;3gHKIJ1bR=d3OB%jn95d6i+?DWy#-jz}SUm!iL#=obs!z&L)
zK(hyW(s=1o(N0=sKlO#16Imm>pW07M`}9W_3yCYkRu{A2TODID&IV6~Q0iCG22AGY
z`H+@%3XbuncK$?e$mBZQrrA%-Mmz_*F{7DJ$8;3eb)?4zBLeq7_=osUXteXo`Lo{z
z{sRBB>MHdUNCpqb(`ll=3p#hK;$Jm3vti1AT17{ybW}ae{7^1fiq0cR{$Jsd{xR1@
zsSA$cYTqOBAQlFm2JTSVk9-r9mu!%fTjMkad--yoW}&Uhj5ym-w(gTfA8VB7LZtB5
z{WKgJ!)h1p8_<pH>vuzzmInC2S@X?w;>ZBeck>`Leg5VwAHoDtTt>c`mkh<N7(>0|
zvkyb)BeTK}E>VlH=zTneb;DbDOp<Kerg5cB1i@2o9I$Iwybx}k9T0l{wzGS8y!N%U
z#|dvs-N7as0RxwhJ_NAWZ*aw9BAUjXUr*dJ<pYy^^X+d{*-Fm{_a7G=J2v>4<aPA%
z3*k9`aklo*G0Q%KXa$E@m8vSV)0N_;136=soa9>X6Br|O&NG$kaG1!pdTL2Gx+H0a
z<@{m7_8Ggmu;iUGtO|eK{^<nO18tq~7llp7_ussc&=Pu#Jt~5vUsC(Ua^bQCN-~Ow
zVrK9^DAf|xb9a0yOTIr7_cQt0ehVyf4w7q|aoB|Eta_`VfJPn5uSr!Aq=}Y%JJC;^
zxn+xzy{p7O1cOVzu8~TwoqT!U+t%QQ0L%s!Ynwpk$4qiS3Kq<MkJH!0oc*JFG3dN$
zf~Z=%>*ErvSbTT&uE>kW*fut1uLbVXT6eFt{SM7iuL{R~Qg`xNEs6JPRYbXQ$W(od
z)A?e-dsiI;ZoM(gTqurur9FB@tK8)?-Es(aI4Q<pLN|gH%|x=dZoQ+bm|L-0z7TQ|
zukrS~)EQbRX6y#MSPb<jHnR}vHPBnJ8Ib84O?Nu;P?BgzhlNX#yQ@BrZ_>x6Rw9@v
z5ld}Z6B~b9bKibZv*h%`aTql;0&yt+yHNcr{lyD48$a$4{A3^-R_){CV$2@SPt?g`
zt?9~swPMR2L*A$G!5$tgL)`-FPbJ~3mR2IP1GSkrN_mn<IqWt3!<l8Rt;Nf*%E{@-
z7z5g_pJBGUdzm5oJY!hUuJml`pd0?_O;?DFD=_tsY`lxhF~eC4l*mBwCE$tMs7`|k
zNY{Bf4j<>Aq_iClLWMb_nFuMajv`>ZdVD}1-%^dY-s9Ef-JO?|lYz$|e|$HKd^GC*
zJh^;%{A-QA{~bX~X$Id5g~}-^I&k+~=oWXSC_X*UkIvMg>wVHyZnux0D=!%s`hI84
z=t8I}?r?9ep2A{&PJ;W*(=EemIyraJg}U6Z+v~(l%9^@1m)7!!jnjh?*+FUUOQ#U&
zm(_7Kbt3Q@=-lOK9?5#cxzi?tq<x>#H3syY-U`2NC+r!mW9UudKB?gH;HCJta`Pdo
z_;)Q}EA7IM(21w9YME)ogTVJ?@;BDbO@cSsNS9xxQ+Y+MdsGc?OXJ-yc%Q%I3N&9C
zyx(%!NM+1{h0e}B#&<Ot*9ppD^<mb15*BR;vwFb+&CZO`;%W%v#N^g5)?_S1Jo00U
z;QG6fk(OwVwtzfNII`P4(*rov>z_LLE$Cq=pwjR4e2l4tJ)qj|Y~|Ogm58o!y>UL=
z)W}eH7P-Uh>X;>ifajKXqjqF}tBq@YMAuq26Pmvm=&gjdU)r!uKW1_+W*POIPRofR
z^rq%?8qfY+nkhl0%Ls>nowpHf*D3j7Jrl}k9$<{BOH@7MtyH+%=4H^{d=kliW`%Yb
z9NEaWp1U7Ro1lHj5*<Vip6-|4-JD)GaoaX%Y}{1Wo}{w$kJ>Fd?4n#(7X@Eg&CGwO
zSR3oM?4`kkN7|dWXT1++Ov!KBI74;0X0~)KQ5pX6{&yc!g2OaEBAGCcb!a`NWWnet
zO5H4x_kfH|bBWvWnk;6X1Q&84Y&72|1vXL!BPk~bSjmHta>0XfHB1qn6aNpg2W11B
zhkGw8wr&skb?7yzl|8YU^%qXo|LprBYS^hb8MVn!o&@@ZndE~Tw;nh;JaAG$c{|Yy
zfTFy@6&d-<GV+%Y3Q8)MlvR}ErRC*S<mFFrgI@dx1$R$Jm%Et%TEW5OoiJSipm)Rg
K`fKgmk^ce?3sKkr

literal 0
HcmV?d00001

diff --git a/docs/source/running-a-notary-cluster/resources/ha-notary-overview2.png b/docs/source/running-a-notary-cluster/resources/ha-notary-overview2.png
new file mode 100644
index 0000000000000000000000000000000000000000..37c70056c873d54ec07884c816e846a8a117e941
GIT binary patch
literal 18717
zcmeIZWmH^2vnWa+0S0H#BshZvPl7uGfx#sNcMZYaEesZdy9c-6A-D|?EP-G_gS&*_
z4tE%m?|k>HbAP<^&O7hk_r6(c*6yyVuC85OUDZ{4?@%QLDQt{K7)VG+*wPRQ6(l4S
zDEvQ;jsk~BymMB9U+$ZW$%`Q&RYqc78a{ycsf-~i@<>P?^hij4aN=_~$Zs79$(aKQ
zY104+i9ZPmiNr3gL0J$9>7Kljoa&34n;SR{8ylOAjZI!&-sa}!+}zy7#f5}~gulQ4
z@bEAxDQV86Yee&Fi}&)5DXQN2+8@T8QwQyXs*F^u1toQ#^U6Mn@3tmqAi^cY)b*BN
z=A-QF>^wX?)YR0hsi}#LjU^!=0TSUQRY5<GrgyJ@4A1o_>q{^&Fp!s*Z)<C-uCC@1
zVtt_`*s)yH@-w%Wl}}w={ne{iZ^=O*bPP#cf-V-`a)zgQbZn-?WWf6mQfQdf2uSOm
zaJDgXJ3gf1!orQ9WF&pcqEVZx)lk6iW`##hK`F}rBEk<HA6KO~Ss^>-9wz>MW>I8f
z>IYm(Xi9DvR@qoy4XDC;=o(NI>Zbs+WK8>FfPMt3lqIH1C8kF$+Dk7KI$mTlW?UBj
z2e^bRzD0DFk%WBm{P{nhMYm&+Gw|h1@??x~CG}D3`?808CVy%BP)h%ab6UAXK?Yo#
z_l#tvB#=TLkVD`dfE`5B5ebPj_4a>H+BqN&4n%X3mVbe^h>C{8fZN5aKY)ZJStl(a
zrs_7elWvi^B<W&y@RmvxSQ;ZED@_+oHErzqnIh6GcUUE_wE62qh6#Q0#qj6R&EZwO
z>znRSbU#@&nvlSdkjJ4Xf{`+EK$F=vZ$(sMpdc@NuK)U91%^M)uuI5Wy$RQJlSq4V
zwE4F#&k2jhv2>*-^|fwF&?iP*2A3GOA4s6c1!4O`e|AU=E@dTQ85%yPGCbiJIZy_p
zjME+vLMDW;j=Z2(upm*`FT>(BajPh96rc<4OQA><xxjEg_&|+8&rwGqZuVOy8iV2(
zI+5RGZ+ZMU2w`*);-$QU8)x?%&3oO44|Nm@hTaZD0Y1Cs1nI$oPeMg~JFg$~>wgxJ
zQ%GILF0bv9r8Q1;rk`2QDF#D5eMqBls&UsQ<k?WS67{Cve4a=TnLrW|Uv6NU+xl1M
z{}(!lrS{n2dPxoTz8EuSlaH#n=NYtKBUNtBL(!~E==auK(C2C>^%$(z+EP2~vv&08
z!BpAq-ecR=t1nC5cQ)cDBz_pec;P6oSRA<i^F(d10=VCB)O;3qU$LZM#=*NhbWy^8
z>_$cuj5{GBu`5)DpIy7YLC_EUQM_yIad^5%>yc{dt+*bpFXWRsJ6A32Xz><`Js}{m
zJCfrZLeaXnEd5#YXmy&hDIs`0oPo0G>X*lvt3+q1j7CXIx8iK{4e`VF>=vHP9uZvI
z;SnLYRQbdptd5laNO|mTV$b09y_X(5xI@~C8_g%{8`_(=muN<Pw9a#}xFNGzc@SZ<
zS1^ww(-*&lMv_W*u|3QO&*k!-d~oomH<XDBy5f(Pv-ogLsjOAu<uT9a84R&96z&Cs
z77ry8qPi7d#89-->aUTz&siR}AHV!4qtV!+f3<nln7sCCF11|9qrufXe|R)UZ<6K;
z`ue*p<B*mHBend>4Rsd1gptUKGf}o6)2<Lvtx1_)Z25tz^`y7xu8mMv8Ps{}VyscI
zM3M7&iy(G+<Pr1tGAQ+fy<c?D0P&)^IAD#5VEx6ZiSDe)R&-p9#C2VaUDY}3{zl0K
zJzC2!IAqrA{IC*hNPALkn84$N)!AgJ(k*>_y_w-{f%c+iVuhKv?RPZKOk@s?Im^gS
z#qwRv%p%UC(4fY|q|(*CNjb>#P5dLts$7GVTr_(|!tht_LVSh_>Vq;C#Th)xu<)+x
zAcwV=Y$9P}-uv;RpMNuc0LfpV2@iooIz@JS@S3A{WSZs6o1-bMsO;xP7%+mL8#bTM
z7SvkuzHV*N?|l-p<^S+0(eUdv<R{^~EJAS<y)iLVaRjrR@+R&tWx5STV~?tFP&Whf
z?8IeY$y37L5*72N1MJcum|Y@6EOUW}f!tuw=Y(ZcRUakg%iq5|95>^eOShkVru(Qo
zw^VDHmQkS(zq8SX68nViDkv=8q##ftwe$;bv`A;K=&VrOLE21Gdf&dshQzEE`6@o}
zcq{;17djP{9+F(C7@(2D0wU`{Gsf7*{-L}+_Su4&8u(cL88_v3<9d8L?y`)&Sbd}2
z6?NN~rrmF~a}z%AoB<`{Cm!J_kvN;4vdxk6dm|^u9|v_ZI#G)zvPXqku%<5YObOIv
zDjADfr<TIhE}%nB-aRiMjP#AkF&uO3SU~#{*C-)bt9;3~{!#or$9&D%@pz%uybrUb
z4iATN3LIW;0))J;0KMbx`m<778!O>bks05oBa2%dzd3kQe!qwW$!!r39C_}x-spX<
z=~ICPT>CMu2S!Uum})D;?T8L^2IVtZuyFPFg(05}<Ou-3_`4O?F??O^j?3OwV`-vz
zso=x`Os($yS`u182cT?Cv=(g^Ka3Fcy4ElWojny5KAoDDNbLw$+>ftWTa7C^p9Rex
zJ<;809zXHcP9K5<PBO7@Kh3**Eh~s$ogZVx2#QM}e;*e|psdGo8AhKY0DKpWrUFyW
zFOIVN2qJVWk5c*ujXn>|F`S>&3`-Ds@OzbsB9iB+&%sZ#@-fLCN(1jmOYhHbQ=to+
zNzzQCvdHe1RIBW!noYB0<VECdlez$04-k)1bskRVwTa6|Cs0D<FN#onfmFR_?}5R=
zj{35`lXEQ8ViQMID^=8y(+_j8Q&=lm!<B;HV>F3DIRVnexiaStu};pCBA#wBg|t~J
z`g<(Yb}<r@`^nCR&j@28$M*HCBhMewjK4b5%d8iSCriS|>}eL-%S_wsyw;|YOD$s|
za9sBreS%?cE85}YOv>P?LBT6ORy{0A4t>>+=5SW&L1$PHC76!gH=y>cV-OD^)Yp}w
zZNk7L%z|bEj((Cy1sfVn0{wGG&#;2L-5W(@Jw^h2d`>nO0u1?M%Q+|xzof2sS{%y+
zWO)twB&qPTy3gS}zr>2(D)uTL)JT(2{1Jfsx2u}cH}@G8<M(rkvXcE~;g=Rnz9>A5
zZGYyK%PWFOCAWG18+EZ)A<4`?#LDX}iCxzDI~d`L|J8wF|DUM?MjIf5lK#a}vMd3}
z$}f|85gPfYT_1#0CJHu#pIq+&lJ5Z;(Lg4splyn%sE1J%p8u_gh4Z&wZ4ZKAgyJyC
zx(F0I|16Fd5|vw`DBmr>7&?haqO}{!gU$dXrxe}~-<`4HS8C<C+iNnuA<g|Zx*RBK
znI+PPj!q+O!pAvCyfhIoJyA}-0C-Eq7OCx;3hCE}4<ts9?%!q-g)c<fPzjOPHW&^q
zHPHP8paJ(W@7V?0{Vu;A(QgMM=}?njZnd7>;%J|t-JlX9&xgbZRNx`;Sdl>kk?IVl
z#o#FKU;OBp_bR@X;K0C0+YWQLF!^`41QR(Ew;fg|1m=S)9x<{(fbMPQYxQ*dS6Jm1
z%{{laIKDy_5S;AEvbo#Mv55K12z%>|EdWl7am05{bOM^WK9+;y0rb;2zY?M(%fcSa
z`x6k!gs^L&wLOZ$L+Ta<Baxv1?%831?zcVtuL20_0J;}C;i^_Ov;~+K<t7Rlb7G-(
ztdDte9gcj;Y?aul>K4lWRD1B)au{u|;J%YzGo76D1To$NquGa;&yg_}8&8;GD%RC;
z_Y><JMFLG*4-6pEwh6#*E-WLFM%`P)elnk^vMya?h7YL}fYBF9GgB?<PqV;)>fl|O
z3HC&ee3O`Fq|dzmH=jURZt3mqptw1mEYMVgI<OCOQwnX*Np!>Qpu{{hMw*pO5#>mu
z<#ilAXVQ~`Zi{{Ws@+b~RsHa%`Bo_0F|p}hM$c4bgPvTCZ#P__Y?gc*s$*C+ITN7I
z(s;A#VU40Bstr7T(zBanV+K2F9*P>adxoD{FdTSPj#Dt&uMZYV2<ggEWn-crOV)5=
z8pC+~dv4TWap1D(9=3X`zMwrZPHsFk!1kum!-Pf;A~T`LNUlU<)02l>+<E};v)78@
zpeQ>Td<$yvwFMP)Zx>J>@tov2EXH8st{~ehTImPv|6q)t&Q)1Zl71XDwW4!{Q+e<Z
ztKf~cDqs0~%$3DTEw5rde*X2)#K@P1zvTw9_K;G`{is<Xqys9IJ4wrD8AUto>bv1p
z)~aU>OJhFSP37#kOAr9sW@V8boz5<S<UMJ?%4og|r|08fN%6BTmHl-~#SLL%MU40y
zp^dsv^4FiKF0`qBDLKBbJ0C;h$bJBLAkE*8^WvR_x!29C4h(AKTwUv&$tfiRaf%Yj
z2fa6+tgS8bhN0AZ^WnwLq?h(ybH=-VY=OzkF!ob~lBD&ZL7}l;iK;f$WeLcBkF9qI
z%ns3d*RPw=>g@t_U`|^tyivhQIQx9E!o+6UWt<V&a^P3*ljgsa`xslKg>*wT-VMF!
z1t}2}$8qTG6e_66E{syoOO*hRV{?6PX1B+o4zgU+%Vah`8E`)Yy~$J(reAwOm&H#%
zG8dyHXV+}PRUXuA)#yY|tf<zQR6^G!Tu`NJ6Jcg5q4H`Q8@cQglcDWZbIS=GnM|}t
zrQqo^y`LmziZRvmAwg%xZx}f6c#QbS%SQRpKSzWNRDJszN~lD>lYHoLH5TK&Swxoy
z-A4+a&?oEjR^7w&6e>hN9m<DRPGG9eBq~|)<u9SQ7qe;Z6qJGpaigbLu!BNpRKjCH
zJHZkiAbjEoHQ+nXAG<1HXc9$U-S0KLXfh#_Pu}UM_eEmA*l!n89C)joo$!bPsV#zd
zR-mDUPi7<@dNPZ{L_t6>UzmtBUjB1%a5{2?Q=8@?)3<z!sYrAG(<j7=kJfBCcFI?X
z<njY9=L@}z*ab>kwH#88t6<BKOH?=E#_renwk9Z8d#f)Ad7F_am@*&}nJRBBumt5U
zqm)#W4^Mm_BJnN;Lt`zVODXeN@D`Gw0Tne;gg+FC7Zr#+PYOZzGybmzyyew-&Jt%=
zr-?+;g4%Z9cq&^IhJE_%DbiOe*2`}<J#`F*J~y`WR7j}!#Mi64*JdQXCy#m2{iOR?
zpaDopX0?HKct{7^Rd_ha1}M$99f9>*%tZDC7)~bi4$)a|xy3X#y`d(%-^T6AdP`tF
z4c?gl>MVxj6cHXc++MlmfV57<jJZICRMvAls7_q#R0Q6`=@qubMZ0I$O^Sm&pY#;Y
z;3>iQZHe+f{*eYEeP85HCvSI7y=SgdP)%#_0)@OMh^`{rAIGEvs4*mpR%HnI`1%9N
zWW{|o&hP$K8pzC#)<wBl{E4ugs2(S@y+h?c?n8ahT(RqMKLZKiAK_hvUle<lwMBh;
z4|JdZxL1-au-WgmUvC9+6yEv-&*MEMxuA*)G6=fUc4qi(Nh;?z61?*%Djfe9llhhd
zch%EQR0}>h`D@z8_I^bbgtz#ZaEc?H$N-^RFx_M72W8#u8QDZT=La)w55}sLQ{j~<
za))1{;3#F*$2Fm$G~?835tZ?{O)woCD#IsHco3>AaVqL4QE;#*n93iD;|~=@29P5I
z{O<$#?*owmASZOteIR5V4}uPg`cD1-;DD%N=DDLhi+*<1egNfGiHm+LR15~BqTVct
z4WI`EK<QL%dx8;#t^WWg3LaHwK$8ce0%ZN5h2;u3DIhFh0un%3Kb?$IniRxx518G;
z&-Xfp1EPTplJItR_zp6Rs<;mcIp19VAPu831VrH-jrEHC`$_-B_)h=R>M;8WNpffO
zZZ%(WgaVZ^{bb1A6*NPKll8_9eaNXFxQB0~Cl=3p`X=Ggb-0Z`bJZW?z0<0<$LRE#
zn;;biG-!03RhiMS>{wU#%L-Aqgav7S+<O-m!XsJz0{OeeJ`a($9REm5M%H&`DHkf^
zgD8x!E|^qZWdn*R9RUa3X6{|Fp~okIoL>{j;#li-CGzqfp&-_Jv_MgFn+sY}Z^ca@
z9T_AcR4<+|%!%LXL-yS+8$^aG5ny-lQTbT#Xt$6dgDXan=BzqRZ7e%ZA@(Ld>hdvO
z`DcAk&Q~{)i<hCB=1&ENZw81rFoniSBD##9yANtK*%&#n<KLN*--Odl<woMF%12`I
zpwKuqD|Xc80BX9Idzqi2hwVu}@@R?!Wg+ajY#rO0S*qM*lycQC7#xrYq2e_&ya&=f
zway<Pa={C{(GNoAo}!~|u9z>bZNDPe%MQ?(A%!lo!^*ym3;Ev}Gsi>?N`locW-;X=
zRTS`e^g1=ET(T-clRvsv%@Lk`$ABthlvuc;`*HTM$1`+Pr3=ieT2g+fXjv=gJCHbi
z{2YZ+pY?GS!bNG8jk@Uiu0Sr=_ez2^ttapNY_$Y`D*iX^Iq&X4^-iP6*(aEz$W>A?
z%V+hTlfvEV!OW3r60a@Ky$3=!Mw#cuKgaJ^ipfmnL{GPxfI~0!713k+k{ML4<@R4J
zzHSi4q6K|D{?#d@yeh@CtVs?_HVHFB^IXp5og`}umD>N!cx2>m4pRDIN`Y22k>N2m
zWVT7xmlu<uCOOGJ;jLeTHzf6d+CzDvcd>{YWTiD%K(nZi=iOV=LUMR{z|K@AHVvdW
z9J}|Og9-R_f<HV-nqfP|jQ_=?|0~U4rNAnomH?}06uu70Wat|oG7Rf#^HP#;s2oJ>
zJb3~aPFF=U9_cCyaqN=>!vncji@ghPp7ZIjjt%!Qey|2)j;L!>pUYhRUKl@%J)jKB
zJnI@q$k4s-o;gG!w{;;gc5<hJD8b$b^!X(Z8T1C#tHYri#W<C&#PZpVKuM!j;K||h
zSDrAsBbJ!32yS2>z$U6m<$Fksn@lqVe@(V;l08cH9fP8J0Z)e&{rl{6bK;Y1Yk)}q
zV$SuI+@;0!Vl}Ra7rk2R=~>vC#GF?y#pTX{`QQe@!;G=x@vy<pSXRhHMN7G`inhlg
z-`2Ts*4nHz?=0D8vQP`<Ss8VH@<QxykWqZ)XOsLfDbkEquTDUlM5t%go!OOMuUWIw
zXvYO&uV&@0^nXDlQ?HsX17kmwC#YUPRdyKPe_0)zsb$TAd<_$n$RzN-9&)VoK3X&e
zK0GU($UBEzwG;n5J<S;$b6{WJDrL})vWq-lmOI7YI&Ya>i<GFjcvNZWs2V~7-4pYr
z$A$Lr{iceM(izt2-V>W4aF$!vl&DNkUY4?d23P_K&{5ZN#eY?qyEYs0LIU?64Q2BB
zqD0223hG*61ozspE<~x+<X+lGNxboOpy5$Bu8Di1mH4}4ZBRs+`W$LvAe?2poawMP
zK{D9VCoaC9$v#GTVSYIFBi0%+(Im`A;{9r+wytP*ggs-Z+jCTXr-go7kRu0+uJSR%
z8vBAml*%*R^baJS)&ZdCgC)P1xS*mGJX|$kA4&l@Q5h`uA)+m!b0m<rmrC1-%g<oz
zdp-+&Ji~S8qVZ9u7Xyc{(zoJ$sl9p8bXEX?Ol-|H{cBzD-rO3KL}uS<Pm)(mAmsO0
zL2LX_Z-lKE?f${o@jY|_Aa}W<9A~SkPNrbh(IP<v5XYreiY4P1wVg%ZC=O?IBS7<7
zA<1w!Y<Z`b1yW$|n_$NFenf85kpHC!&anNpBNNGvJnnM##-=yYbg(J?h$`Nfvn{Mq
zTZIGnvc%>Hk1^h_il&`Q?FMH1IaE8cjKg~t#56V5hkV`%f$JlYV>bR6(O&blG{dcV
zB-4tYX$(ish0n6H10psrHb(|CDrd-kdRNUN+aKpYY$1*M{qkHRXuW@1=_d(|3X=rf
z7|+MdQ}KF@G3EqY4@}^<Q?grPTR5f3D|J-#s5*zM3B=+)onlYFG`oq!qK*Y&<enCe
z(R44vnemPdUVj;L!LM%%2Hkv_JL|WWg-ITTdZ~XLkoIQJ@Q!2ES&^VG;jw!xCD++}
zrQgL!54v1-cY)|Ckh3p8Jv66*=no&Tuh7Sz^7yjimk1<R(i_H}x0DIu@)zyOI%iyu
zG_IYxLo|++=|>J}t110o-y;C}oF-!o!S{|ae#+qTAf*UAMZF9X_LUrL)oT9HJ((5E
zvOJg(N|`BSd7U_8<vqBO{MOQ&9m2+POgSm7ah|0IFVeGTm|lP~MP3$^>v_etPVd9_
zqVVPBR%GkxPO!eu)po!6+1%F7<jR&gH+Z(Lg*|hxOtGc*XtG;honL(6=L#!@Adbk3
zJ?WYbbn76pqm6%@Y|^Ap$HLfuHBB4u;$^j5ZT>ygz~T6>JZtS&{ylW1V9dpUDH#1|
zM_s?>0&&3cQ~Z(huVc;s2Tpk4qaZuvqZ<9c3;Rze*Y=q{G~s*yWoPm)4tU})75I^#
zv|mhuu#tky^{x%^->R%c10si3k{uSVd01`3GXWzeG<(skKky<ltkCna?k^PZOd!aC
zgGLUz0#6y9#s=IyK!;~5AbJP9Fl%M2_i9K$Wa(+Xkemt<JnVUc2dDZOxD#1g+{M76
z@y=@lIx6a(!i4b6b_@^d{Ps5nBLx30b&A54{m*1v|2(YrA&#zk8vv25X=8;NETAHq
zkC)Nf4ga()p#i=(Clz)mx4GOp(Qv!(DVj#zz1x(|DZ=45<qbZu4I-sWj}}13tVJ|S
zHQ-GiM244O#fOeLj%W(Ib%|-zA>WQX6hbpJ#6fVpz=6TA5VJmjmkb|N8HNs&uY=K^
zV-}QII?An88-|sYzYY&b4m2JgtIyk-tdQ(h|MWvlW8%zeB4?V}BRHU<VrjAhQlNgQ
z0B2fIZ5Yc|z79kaur*AqHjKw9UspkEv@r~>Hcb3gw!ZL##N>LU<oIgjM?iW_MdM_J
zoVohp=YU4K?T>-!--4|98?$q;184wfsojm|rGvMiifmk*VH&{8@mKX|h)fnVdY8%q
zH}7&;fHUI$f}s2e-HL<nvS8}0yEHgT=`Ih36y7Dm|2@OCqc}h@{rxw}{ExdzE*Rwt
zHiHAClip>5TiG%~ZZq+Q2Y_yi6lq?_h#zBASrH}bB3iwu2tLL!P^PI053#-isX58e
z=sK>4D!@`7(wIwq5$Pb6)`!?e;{m15=}kItG={8Y8NW?m;`M~B<60!Ka;1rZ?QlP?
zAJYkbFtMb6pBG9yZfu2&C<CAXaSB_f804TnmCuGm5Sn@%#X-aa+kTw>mP0t?^}I(&
zI6|S;qA)-D)ErLn`WS|??uq*d>tL1Uoq&+`$EV!jF-WJ8rz?xN)6pU<$eS)L5B534
z?C~zD!?Ct3<1w1~Xnz8^n==#@VQVeGh$511af`%#HVRyboKHQpa$hlt^!-wRk1bse
zC1UMnJsmkefRt_D_eOSo|Im6QPNn-Em<^(89T=m1{JHJjtTxPzA2KF9$4hhwvkH58
z6%|yH-p+xITHSL5*}5}_%<MlUj{mLg;y-1TPA)GLJGjK6q3x@Cm0McmLz7k$`PIw~
zncstu0X!h@@f!Z@>d6XuSM^Vye&1Zqz4!Hb1@j%CJWa$Am{_pV$nRj*(l}+mIgb=L
z^VM~!=%1{RO;mR(3cNXIhj&LND`X1Pok9c2T`Q(1E2L}Tdl|FwmqB;6VRS_KIyte+
zY<rn`2ZgTwkQU~G!CJLp_yF7~z$;yo6{u=XS%G%Hkr1uuKs%+k2;*)8^A;kE$=hxa
z%$tN*AuWe)cr)M@uT^PEO{Rl@@*7*jn+PaBLoFW8oi}R+Yoepwd9!9ot$#Gde11^;
zrFbE7#zi*ccgxNrRhVoB;o1HdWv+jAy8jodWAI_y)!6_yzf`Lb28Ingvd5Ue#F2r*
zPBSL7eZHQyR&0&9sOG*;{E2jqcp|bbc%vTWM{hZ|Q9w>B?5F44(qynJl^Y)4_Gagl
zMG5DthXw3sK?a1VSLr}H+VL%aF07RMSg@?t94NX#kih(RkO2<y)eb}5yPs?toB+}Q
zDc`_A6teUoSdMfXq1?FueM-F^k(c2x$N-(~3Okg(Z2W<C9VZ~kU)FaC8uX8zyl<Ck
zi1G7B6L22>ioPh@M4R&?AOmFKEArvCqrQ2JO!|8Szc+T#gUy_NTL3xk<y_NqIyXJ5
zgB41*A-z9ORatj4wF^{^^}9!U#M32>fo+w-8T#zYLW;f5c)(121*abORXoF!VKx2T
zh4~8U&5m(Hc6qc{Wy2hh5j|3coSx|uD*lJ;phF}y`IHcr<6#McmX5O&@ozMtA#0<V
zXG0rq)LCd6*25-*$G_xIqz=yZj4Cx`6h0LOcNujboDHS-W|Kr{l=K)hMSVxH;(9_6
zxS>X@NMhb-R2R0gZ)M*QKfp=$bOyZgOb@btk2{4h(yZic{?f_bev;*Vxr2KpuaN#X
z{O1ZZ4v%i7SdxF&-TaE8T<hIZ`fI(?n8_vkJWaEuKq!Slopfv#Kb5_Y_mB?-kB&}>
z0loN|XUO&!On^|^>sWg6_@3&=v7uk<_+HjKl~8x=fx);OletBL$gLGoJ%Wjt?(gRo
zE(rJ{NPr%G?ey5DAZxm3;$Ma*J##b=uzLCz5(nCi$%1_K=>m<Nbb|;E<GFDWR#GYs
z%f(}Y-M3Te#D@5+(ZsbnI<pdFAOur^`8wjum`~^25#&OhOhsbVmlePf2(&7g|FcVz
z@X~6Mj!ci;t(xRyPIqaj3W$x}9hns48)KuEZk3!AXIC^pKUn^etgf{=rNnWC;TLF`
z_f~6?bb|G-Ds#`0{cE4uI=XYKQ%32AT&l-%l-Unuy~)&==ewmcqa)NIH>ac$(c`=n
z)P30BWq%xfxU^jdp#v<5g^NPtTYiMC-A+WBsAR*NPEjVJTWe*XxnWj+4gI;W;XzyR
z4!ZY2feI$0U)Jq-D<=ztv0hL>&zIZFr>Sm=J(Z`wq-)RXs{Uw6K--rHM2Pbvw&Gpj
z-Cf5(nPf=9mP#%2$p+TO_p@>P-*rE=N!$nHj=PoxJ2^GgxpB>|0A<iDWi;BscZySn
zz0V6-z1n(LR1&Vsj!~zE+uU%Om88e^&b2{?E)K^>TM@R)q|t*A=A&$qWAatJNVXQ4
zX?5>_ail4nneUCa5a8zbg#)HLVhx!AyEZPmh0+FkAs*}5=Vm&g(7yIWXF4xU8*0RQ
z+OZo>Z{wJ*8h8WxS(g!dBah{9t?-BD5m%AHEzsXay3Rofl9U?{h=ZCEJKVzFDoEG4
zC_ywZ=?p^yvAQikwbuAU`5QnBU)mEzy!68^H3e9gdGxBUO0hwsL)3s;GOIo|%*pU^
zJ6}r_fU}bnjF@c3g1UAu<(I8BRaV3RWa3>wBZ~>Q-qPI=B7nAoU2tI27t0m|YknF-
zOPozs6D~c>I|6Kgwv&=2b-~`$I)Z}&WTH5LAM;`OxXj%YU>N>Tq(}|Jf}#j8oHz2{
zzyVK(YD+awM`|UEXP0V*=B7l!<UgY-<T1H$_8*l8UjIM^Zmx$wcQgwfqbA+Hoz!wi
zDM_h=top&F0W)7Lo9^VHH54G;BsbyF8@ZE*957vB7aVZ;#j@^>0JQKqP~=7_OuvuZ
zg!iu|=m51WR)<-$={OE#<wJK<#X%oqrb6nb#S-9~L+?8)V4Rq{?)%HofLk;2{$LC&
zWBJH#m>eK?yV*Wi0#}KDBvg!w<=<|l?|gvgm|HR$zo<rT_vU&Av=4Su$gohmg7b_V
zzD|BPGK{Pruf|^I{pqvG6taALVp#NtTP#opb4&Uk!}Fmqm=;jYE(+n}oK#@}_T+#P
z-X5o0+izf6XwN<8m2EA{*t^{{PHJEj%NWE)6@?xD0CnF=;C2c;E-jU&SgILAC>B=_
zhX24Y{HoRa2Wr@!*4FJ>;q(J%S%|EmyAJN!baCQmE{W}<O~FCko}SLm001R@0-cTt
zWsDGiqtImJ^vj=L4`dh#&W{CF7V4(N284bDweQVR^e6HKLvevyzzo(zlJQ`tW_?EX
z$o0Y)sBw0t{`H<>Uq^;AZg_;NST_kt_a{FnF8&s<Sb%*4a^)?et<(F&$llq}p6<G}
zNn@t4%Vwae$k?7PK{+gKMvsL!b*Hjx!9iIXM&Vt;Cck$fQu3sTho2*`7d|h=I|19*
zH~>l-8;~Ghc7JT@%bGm;7|CGAX!iO*>0p|)#5dDh8p3uy_7a<cHaHtmRgAK?DH*^x
zyY(ZRdXjq*7Pk9qrzQrKuiE^9aItuRv)>nbduzUqg0G!PEC_s$)|{9eJ+f><v<vqA
z4_0=-v;6thv8hWti622(6OVp2jIIy*o^c<1@3g=iSrX#oBRCO*p@pCT68lRWldEZ+
z(-zWfBqB^2M(u;EyPnOt2nfd9Ym6dj%bIZ@aMiU^d=L-X9?IO+YvDQJNE$n?pe!W~
zW;QD_F*9vqsFmX7IN-2%bc$23?b^2cgqIf971H_RM@&SuX~JaLpibVAT9@2xqlQkV
z?JnV~Xb!e>hwu8=OHwO_r6a`3*{xJYZ%msK*MbvGmue;v7Vv{kkVs5NuXuZfrFvAi
zG~z1Vlt)1wx6rrCX2eTR8@7>NI)uGhl_OS~-f>+%KJ0xG%r)nGb4BSQJMqJf9VgN*
z<G26fdfR)96_2e=h?%YT_O2P%bF098N$d9Xv3R@Rn?DK{PaNp6n7oB8!hFDUMBZ!1
zlm}x5E=}rAWqf1kfadOWD9_~Q@qNiv#aVkc*KoE~a|Wqk%{m+ItR|HU`R?h05@rbR
zlc`6qF!Hf+qA@Tr^?t4364A|AHj!wdQD@!M#VT3(eoO3!E0`s2d~q#|7XO92G2b8#
zt&LgG$jSzFX@sf{TVlb!;OWkQlEOx#di<H@lZkCd;x1yfc)RjFivD)C{x6m_2;V>^
z<JK6p*10?s#1dDFiO*l}>*UC4L#8)p6SyytZcMPKd^~gJaq~u<5$&+RbKnvpwiL;K
zg!X_~Ex|5wZ&oF5PiqIUk+y8-TMlY3H(5NzrCXLaf70y#?AyGV)Xp4h<p~R$j-4L!
z%wn(Rk=)IA*!g3fa@RH-$mRRoRmWgK0igY8cc-e)ZRhybzjcdWGmdOu|5)!&6!Dho
z_(EI8nl-jJg_tEGn8i@3f~#0Tkux1*X(}}*$_@oIy5~o?O>nheHCDty2QN?iKZMlX
z18%yt0SDH*6JKy<U<9jj)_`H};La6S1Lk)vo)LRGGRP_)*o6az72iVDVGx_}>-_>`
z$4=FW`H|*FX!_T3qiY;`(+H2cXGcdi94T@smafB`gwZh-FvfSfZ+eZX8#(TR@bK^#
zaH=DP?k_F32>NE{{!-=5fz@V#VVk$S)nNE5yTdrUih)L$RjaB=zGFh585Bt2Qo9VV
zj<*tx!mmvALII**4tPMd`*5)ffnR#ht7WLYPl`pk3c%?Bt(VAv5_qH%R0S}knkc*;
zEK=H<cb&UJ1~A`2YabFT1dbGUj0!+NtWfBfA3Xd~8Sbf)s*;)BjLX!}p!t?ky!`{u
zGGqGa;*FUeAQI+YQBHA3&QEPPq<R|s=4Dn>mE6K~Tk9+0{$R)Se~MsWKBAU4L%8wz
zFd$mBte%OK7GL<d<Xw0Zhh;Mhze>iCCI89-g}%C-o;u5m)}p59_dsyk;)iwQhpuF*
zBpLn)96WrgIy1?AW{cE66+2faj|&rnF~Jo@9{rn&H4S4|-#d<*c$3WQjG^JeztgSL
zwrTZ3`!S?2hZ#t$7-%6j);hrYahs}tFJ%`IZOb4UoJ7}^2FgI<Vu3CG9_ywrcl6JJ
z#PWe6vyp-4c-b=x%uR(OIB50Z<8F6COM(r@YRfT>E-w0kS1;1N$GxNUwx}Bao&tVB
z81rG2eFfmkC@*7|V*B6h5-5saEE^D;rh#@rOw^Y#6C<x^pHQMQ!01eDyWb7_E<6W=
z$kdZD&>R$%G&H8ge3rOo5Wa^zM(H_G*&HoFuy_3$BX0NQp|>^K!-#RKJ8`68i$xqF
z1J9D__B)O(_MQ$o{7=a2B92!2YZJ(%p<**s<ohpKBaXj8o8!qsV3-`6E40dhNp-wa
z9mCAlXhi0;-}Tc~iwgUfKj)#ZTu-9rZmcrT$`lzN1dewmV)&fU(m4Rqp?NrnqZP8F
zJaA+n{z^`7=knvPy5A|M;PzeLK35zrV1hu813c<tVsSsA;%}*Z+?#4V#rL#RdPtR#
z(5t>dMXnOMpRGXmhfjcf3RWkX<C~`mJOzs+I4(XX2JKvXzACm)t|A4$1_F!2_~XlP
zZcpFB2A`y}nvnW0H-AXd*p{y@CeqQ7{9sGLICx3)yhbz{TJ9AxUH}i}lpNE!8eK7~
z=80wm?(XyiPiQnfG<V(>DOuZ=<u@!`vFjIaQz2qL$84^>BKft5pdKlI_-7q5%3}SY
z5~Fu!Ogj3QyiKl5l|cbmh(rM#yST@3Q6|bSqRXN^W8R?2rZ8Bot`M~JZjO~YANJOA
z$~VzAoEUN{#U#Yh=Y}|Na}|l~JcxTPqNlTy_$_s1Y|*X7qxl0*DYf(vPoDJ9{?cQ^
zg$vm&%^nK`Ik&|#44z)X$5sbtM~hbVI%<Lu_RPdW+B$=4!Kvfu9t*EkO3>@aU3ODW
zjVzsxp0vZadHM$f{@ZlnM=D|H>wG{nOvj;_ab8R4aC2XpX_0j7dS%i-R^(^w@5Uon
zP9kae0qUlo^nGGHbSdFBhb)%9di`i%nDc|yeG7if0_6Y;=@@3WoAvb{Xek(Us&jAE
zmgccy_kK<1B;<usWuczPzsrGqC64)ock~^?qPm4yw)_0y8$z$M{lQdAHR$0E?%Un*
z%QM^<N(+6=(ny{TZ{KkV?aZI|r#arlXy(6pbLP0fBWvYt{JPFq?@ceb#BOu<*Py2p
zse=47S>OE64_dGKo9mUV!pqFlbztotMvsD+^MxftUit=%xl`GZz{wOu1pH5mgMITe
zw))<;7qwRR%|*;S<>l%{&H36Pa&uj<Q>skK!&w4H(QXqGcN9q{keb@EXnUR}mX;2o
zp_N?IH()ZjlBvm8y+~_rKWG#wVyC=3zGoZ0ziAs%RDlOaKm;jFD6W4Wh|fM+8JpvE
z@A2JD=_r<VNtSz#TOHOfsN{CU^YH+UJtjC;n_rhnkNFvAKJok*Xj%^JKD9`_Tgb7s
z`{9e{!a?<mUb|iS3C&{}@v9`70$WSdAE1jv^Y+&_>V}xr*T)1H#R}Hc*g1@k&^&LV
z$$&?a-jzR}k3>9idSq%QkIdRp+KNB)VNr)ProlxjZHG<HtXWARbjj{n{E4Fa<D}S0
zrRI5F!4UK3T$ab(9Sg5_&g0&0&qB}N$Yo7|)NUjfIDzc6+##cpR|`tIAF0R`^NDc@
z?JR+>NnEbT!?3@;Nu{WVqCI(m7E7TlDh=|Ld7)d$-^5C>8+LULMcwqbk16D#Qs{I_
zwPH)0)oxZc2bvrA39HcE>=d!LV~(kJ<f9FVUd6O{u~eMZGrPzmm%_?hX$|`-`sg=2
z=s`6WOqcS=8(JK{Fg=6zG#(`m+W~|3KUgxoBJ0%_e-tKd?~Tql*`hK_4q(_1zu5Dm
zU+hKOckj4-8EMo|c2@tbd43%9ogV9A8kb2o`%SeXW7DHT`QeNtf|q&uQxfE%rC&Zu
zp4k<Dj1@Uqae4D8rH|e<!l#vHVUr^|hC?|s55Oo~;q~L4VXSDF-L~z=2+!j$bdKLP
zQCO=rev$O?jG)PY_dZ?sRp``Yd5C(HT0IJ`cB;?<wLE{{n3^Ll<1sQea=yQmYLOB$
zUX^AQA&<P%Ufp`e^IIw9SCV~akRfTrm^+LyR*9{QB}|Rs>fo_M|0|&n*YTbn9Sa@>
zY+0q=-y4BnHdXDDgsfAflk&YG=u=Qj-yF^nyY8;Aj&A{1-`3dUEcZ5FPMn3SeuJKM
z5I8%TH6>Kk@^?R_P<RGdail+6+Eb-~MJq;dcN<Y<G1Du5ak~P5_gr~9=3E8$w{5$U
z?TlY%&pPpwuK+PBjW#AZZk~R)mV`kb3h3ywipk|{)*h}<d?0&ClbD9Fa{gxUlaz4{
z>$Lh(_)6Y3RhG~qV@eRBjKp^O3^I~&`Px>%Hn-}2_qEzA16HjK+7e^bTwGc`JvVvx
zl4w$qO|ApZv{eK>=lfxkgXr)qK|Ii0waCC1&RjjhK1V#-M-uj+)+~2OHN-=Jf?;w<
z`8h35MRs$%9nB1L-F>Zr1+Q;eX87)V)kP!+v>n%KBK!@}9G<P--}UQVIB=@i7eiLU
zMKiw4K^Vyuv+W$Y!i(NG^Y?XwFxQK|DIfWKmdMZox$oOE&2{pIP-kf_*NE=QdH$_r
z9gZWt!VT++SUboOh&A5X@|z0M_hrsxNSnE09v?ItxbFKnv}q?B_p^sW>E?^^(e4j=
zS>LqQ0D3L<c-;=RzB$*CL5h$nec)ts44{=hnFd|}OYkh%2RD6V3t?sN^K39ReiSib
zlU224d*u4n3C%_R8CWo-bhY(hr0a$3T(XmU<+Tm^qpxo7dP-ZlW(B6m>$rN6&eqoR
zeAQ7~s<!vvm>QLDCJt*rHGQ|d-en7LSgKr@j9=y*Y=s?PP21Uf&kmc<X$9S4Gb(Pe
z(<ThL1A{DHp-116_oI@7n$ESiVvm0MtH(}B>bYFl8SYpv+Y;}meQ~;Jm=1X5YagC$
zq`_5W9i$?rjcNwL=F?@nh1S&ELQQG1-MiRPtRkoRO3HN%#`JYuKar}*ze$Fd#h4lS
z77tC6($2$}?JVa<bC0`^1xSF`5g~*4q6$}CuF9|PfVONPlNzDEqSjM2dhE26(d&uz
zzLo&>`vB+iZu91fw=ZL-C?5}1)*KK#<mtW-2y5p#+B6sip%`DdQg;@;z_wLb(MF*%
zq&^++Ab+1?VqhifeC*|8x+2lFGp5tbGk+gQ{A@LY#2g+m{3}@%ZQ_GCMV|luv183P
zxVnkbj=3NJVgW5XZ3Yn`MsK17sCQ4Itwxeyi->4^aj;MGzJJ3jfO8*!2`}rAa`m=N
zB$QxxjdUCp01{b$(ay4rXEF*3>e?QHVPJSdFDd_w<8x`z?*6vhmFDT$-r^e(659mz
zu%)we$MbI2&o0!4)bNK{IrI-nr<tcSc@Sl>PDELZh6G*~vxb+&V8rmU*bSmA_R1Wh
zfespNFO)|8qE<&xN60kW8j;e_Fm;seXL<Df%CZV@_0IL#KQS$%eVRD=(M6($x6f=a
zy<6+wP}(&eSq{$+!15jk;8AgsF&^!I!=+|90;4Jbe<XVhG8xr}6b2~AV!g)(KHFsf
zBLOPl;SmY&PW=JU_ve@ZXM|eCz>-&if3!nIopTKa-z`N{l(H}US;?(VxFJ1-t^Z>G
zU#}b@h+DPlr}?R!u`yQAN1VU5GC%c}P|CcP!PDN8O@Fm%{S|zR{87Jl7Sz0drR#`V
zcb8$|Nje+*suL=p1o_We63G<)YRaYM%1mb+<z89bTwRp8^mVVSQx5x?X8LkvQHCYf
z+GQ4A8%iumtXCc!)PDd}gQvTQEjc3V<{**Cz*F$1Up47PuwzQ*OkXB$;QPexeShP#
zwzDq$B9aEaT=A(Gg?IJ2jt~u^KSn0czJN`hk)|_J)MU)o%m=KVNmIy6B-sqAb7rFC
z)t_ZsE;X*)aCh`tqf1<yAS?ZQoB7dp^-cVVdgMj!+i5mXo?&{f@^sdOGqu%)Xu?gf
zoX7A)UY)%Ib>?RuIxfq*92~LD&vSB|JeW_mh~GL^k`9&5)Cmrl^YZa!gq;1R_Y}Qk
z-qmF(8?2Th1e-jSze~~)!vcXB7<&nceKl#OW|Ks$Ri*<~j|)oBMq7<|?1kqNlvqPh
zp2z?76E0*)^`06lA)`J<HWT08(9gvDmb9+SC?(OHHA$^XjH;md>j-QBwpG^hMI$=(
zE^KQxVP})QLx%Jt-y~toTpQ%&P0f8)g4x;-4g5davaW?1c{;Y}WXP631C)0Sl1PDt
z5G9yY_(v(XC72Z{GkC%6baByXix>O$jpV!KVUGUoLOpnoLaz+eq>J9Wd_DiIrq15Y
zyOC}ol)s=(@Y^qqW@~F7lz%dY7XOO@)a5bFW7HI{-mymG<;Lpjt1m0(bE#cjJH0#S
z&2zO|uH&LG8F&Vb(9kI(!N2yu@qeRp)UC6#1N;e2Mb2-xJy)!s7qlJq@NoQb+wivx
z8me~ZiH0Wr3AjUmM?SY*{)*ftB6LKer|8Z#*9@A7N)!-tHSrO(+Hu$m{bD8k<L?Qe
zp%q3x&Xyf*(<Sw%rqb&kUtJCU#EAEJ%-9w_E*3x9`kz~TP~vbAT5S9~c|Pe$E`^g@
z6Nl53T|KX`YHN1)dWam(UlWON6I4B*9y;4Fnp_lK{N`Zqk<sk%jO=;peWJh7Me}?_
zPn7RqscX!KZI-2+xcgvi>p`={+|eoL-$_=J-^0Q~jZmD0TlLad6A@9gE89G5>+I6*
z;E@<RnLYobbEdxxS!uG2Qob{Pr5g`JE*ldsXUoh5iwN5)j<o*?P@4Ia@*SEfsH$O9
z^5zSiiw#HaxPRl@Lwmx|N#z*gY>G#rfxHy%PyGKxIAqkn>bQN{dKV-Okp2t<kox_<
zO*R)76rql)PRfOl<>jKYy@T-fIH--1XOfXB%c7+G#18&wfShNtZZIU|poUuat-Q>K
zoS#-$7V{pWI`B8Nq#7sDU$6dYmrSCEHq~pCSW{7dA2Q=!ywAY+Nfi7c=bIIjmn8@O
zZWlSLnX%ji?I;TTbCTn#A;s783$ExB$Z$ldsW@-aeBpce%Uw>N;^7~lbl%7=lfgd&
ziAbn=N+%;()(v}f_qhrDS-XL@6T|ISD<Y5gc<HhUyG>kf8N$DCks9J8>*0wim>_5A
zIP$!_XP&ag)Tf`t<C1QNYxmQvExGw^d~U~6Zi##U@pm`>_n>d~Z|=Q`q9A&G?@bJx
z6P?ow4JQ*rCsTf72UGY3=^4jUURDlnRt_H3r=0xH`S_o5GIMb7b8zG|zQ+BZ23Xsg
aSeUv0uLlgTey_fjRr-a3L>buN?f(F9BHXJ0

literal 0
HcmV?d00001

diff --git a/docs/source/running-a-notary-cluster/resources/node.conf b/docs/source/running-a-notary-cluster/resources/node.conf
new file mode 100644
index 0000000000..502f2fc651
--- /dev/null
+++ b/docs/source/running-a-notary-cluster/resources/node.conf
@@ -0,0 +1,42 @@
+notary {
+  mysql {
+      connectionRetries={{ number of Percona nodes }}
+      dataSource {
+          autoCommit="false"
+          jdbcUrl="jdbc:mysql://{{ your cluster IPs }}/{{ DB name, e.g. corda }}?rewriteBatchedStatements=true&useSSL=false&failOverReadOnly=false"
+          username={{ DB username }}
+          password={{ DB password }}
+      }
+  }
+  validating=false
+  serviceLegalName="O=HA Notary, C=GB, L=London"
+}
+
+compatibilityZoneURL = "https://example.com:1300"
+devMode = false
+
+rpcSettings {
+      address : "localhost:18003"
+      adminAddress : "localhost:18004"
+}
+keyStorePassword = ""
+trustStorePassword = ""
+p2pAddress : "{{ fully qualified domain name, e.g. host.example.com (or localhost in development) }}:{{ P2P port }}"
+
+rpcUsers=[]
+myLegalName : "O=Replica 1, C=GB, L=London"
+
+// We recommend using Postgres for the node database, or an other supported
+// database that you already have set up. Note that the notarised states
+// are written to the MySQL database configured in `notary.mysql`.
+dataSourceProperties = {
+    dataSourceClassName = "org.postgresql.ds.PGSimpleDataSource"
+    dataSource.url = "jdbc:postgresql://[HOST]:[PORT]/postgres"
+    dataSource.user = [USER]
+    dataSource.password = [PASSWORD]
+}
+database = {
+    transactionIsolationLevel = READ_COMMITTED
+    schema = [SCHEMA]
+}
+jarDirs = [PATH_TO_JDBC_DRIVER_DIR]
diff --git a/docs/source/running-a-notary-cluster/resources/percona-colocated.png b/docs/source/running-a-notary-cluster/resources/percona-colocated.png
new file mode 100644
index 0000000000000000000000000000000000000000..f47ff09971a6d2bdc2dd8250844f1910d80d80fc
GIT binary patch
literal 4678
zcmeHLX;>228m7fuaH%oTGIMOxt_e7kV7Mh}YKCiRMrvwiX5xlQE?5~l<(SP_TB0@N
zt{JH)D54dT(^P^>kRsxi8ZPCCOCWN&_x9)hxIbo|d7k-kJAdBue&6}d^PTU<`<-*H
zd%8PosBKpR000`UE{@&+z<Le<u&z{PgTeyo868)^#&CO-JpfRb3tSCWQt)p>UA$2M
zK=M8S;PN#9K%y{Ro&o?8pa6jA3;=+*3jpZG6t#F+D;)Wr$BsM6<#NUJrP-mY27C6X
zs2$PLW*x938=IHy1&4ule6vxhaF?mCwjOQ&!KbFM_-)@>sB7IcG;!4YMm@Df*%P<X
z^e`})s&?_=I^Y)7bN4pc2C4?#RI>2gU}U}?WVFdS5*S+zOsrEmc}*x3c64<3`}<$H
zawRV>Pb?N=Fc^_Y)Y#ZqR#v8`rw0aurBbP*qhn7`Pj<;NQIXcV5I1K>zz<3WE()R=
z<KiC=0O%<kdc<|E2^qH)MrEuk%1L>2lhS78J%=B52mpZ1cU>LrkK+bri?e;Vqd`tK
zUa6PKlwB*k9**wbVkno#r@8CwD~+BzKfLu&&C>n&AD2S<YU9aHIw#Ca;4sCOe`1_j
zcXeA#r193|5!UUs>oMpzW(^z-tpgno93V2Ek)|6&?o%WVD5(Ft5k0oSO<q!TVy(Yx
zG`(CCvvnYNDqq0$oPzX>69Od_ojFJ{O>dC$3+G<;GZav*xcMvjBQ-dWBEgy58RNOv
z^7*B%^+EIo9nfdW9gxqvs3fvJ!iI=p$T)(a0^(s3bHWhRi#~H~)q4?17By+_7HW+=
zeTar&mzN6MA3G7|GMUY+9ljq^4;ALzV@M~-gLd8!aWw}0VLFl7W>1~{t(FRgUqOE4
znpO?Xy{MR5n=616<38nl{FvlmIrPYOrIG(3bCz<89Ul-4$JgOVepsu)M_s=Lv#;{g
z*T$O+TBc*QO|XN==%%}j%}X%){An&<ty>zIx~<vYhBS7+3AS9#o+gwuLqHI0CK`c^
zE=;gG#mhTE;$#Wt5*zQ%-pYSsaI@FP27j?V-V*KT60KRCVQ;*nE3Gb><d@{u+01<3
z7K9#5T(Sy|L}AnjH|6{qP(z;Y&wbQsmZN4;TX{ks&$%<!IBP-INJ0n{nC<Ln+aAl8
z7*eqoLVjQ_(UBBdXtfwpy}${4SF795po5e>d~{!8ab(p(Jkfr#jZ@PS^${YN<kAf0
zW)csykGmvQHT8sOirj=UTKNU@`QJh&W0rX#JqfJXWh#UV5nsS$bq4oaHP*(~tcpxo
z6M}<k1|DSM%XV~tiXj`+pxqNmDGADU?Yu0!-ydZnK8i8_SoY@BD0liI_d)9*YAIhQ
znT{6Dxn`9GwzT(Ne|1Pjkb#xlhz|D|tH$#kOw|}S_}yxqlle4*<LMRk3sPa{!O4Bz
zQxN*wkVJa0DL4eqXn%WMS6eXlgr_QCva8UG@0|^jE3}2PSnk3x$TU}@SS=gFxMh2&
zZ747sJ&#;QEJju_+!KiPN!C)0Oosd9tC4Q*8V{oET%6H0^VvFm93iUAYOCklcRof-
zZ0>Y%yMIoa9q^eddl$Im9kR$8=DJg1I+7<;IbR5?O)#f5_ST{ZL+Y>Aj<~%DiHWR0
z6V=k5G|T|WKYm%;vc=J%v(^Z%HVehR`XUr26eh=v?sYzkgib8sXgW}5j*tv8G5tA6
zD|JD=J|R)BCG2Ye*YkWr9MVtuOC@r2TXI(KgpDlu4N^9No}(3l`*-7Z!;=z2(ZNNJ
zOEEqf$Z)ewaElu{634<;j+<Oe^P1Ap%^-rdBI3<y5%#3-zmh*x0|~)a<0rgae1M+-
zRnK^#TQZV}H&>U%6EOvT!MKEe3i>57Xjv-r(gPRq+CQ0rPd?_np#@})uuiDJK>~N)
zm~TBNLt^LmmL4uY2eXw<GUsvlE>>e8i5RO-h`q1~&%lH;NBraH=ik-hNFJF+H#ESb
z!LawBBUC2d`mLq|?P#QBuE%IL_JE44L0sgn-+aTcwM|wOe+l2CYleNyU!fp&XZhq|
zK9r0>FT6vQaHzq!<U>b^s=<~BRK-9v6T0KU=?<+TO`nJJY$=uZp*w0S=!G58>Xxf6
zqSwrTbrx7Wo7lb5Ux6cyxz&pY8TX2>Armx@=5~#OUKkl{>O$J7vL=^Mi!Wud16`+o
zt0rKcn+<5_GS)8K;}2IGO2(Ahqx98m=(HcCs=N#rQCPwqs5`Op_Ovq3NHxc_R>bbi
z;IlodcJWNHp_utX>b%vuU6_jbC-{DGUgKHP?h?@w``g!geG_(&jB{FGTRTsN!H?DK
zw_vOfCS1mn4#KGO!>a?sP9v_Tjx8QDRPVYVe^xOuW1o&U505p@m~Y0B^yBEwJHbPf
z`OSM@1b6d%YX2cd>EUf>{DN#-ZL7%hHOj^%pIJp&-TukHQ%gDi7&vp};c^6jBC(%5
zmvlNyDaesp&FQutII)~2Vx2Bsm~pbSYd)$4?qw7|$li8MFU~scjZ^LEsRPvPy@An`
z*HO1HnH~8-7Bl5uQwv^t0a=u5$>twqUX>ps19|ED7pEIfrlxNNOCC69Ma$Np0Tl;u
zCemrrBuyhrrf3NTMrm`;vv$dlL2IDiOX=93ZXOZZvRz7Q_@cAeO9JvuZ`s-;pBT-o
z;jbhv-4jZZN$~N+Ug~r{-lHr%tz{~J4%*tXdG$zP)K{7Q%bHn~2Eo_Z7@H9DpO(nQ
zk@&v``GYX&EL7wfqgDc@|Nj?<4V&rc<s=hb1O`QqP;Y%;-KVuL7l<#Yn0&e1n0z}v
zMPh!>8n&<E{gN!~yU%sL@SH0Uqd}gwadujPG(zQ#0f4(*QjbY8YHiE>Ky;!?HxGrz
zc|>A+_4IUojA_Fm_-o5NkWTV`s_Tl&)m(W}3{Vj0V2!YQ{1z2D?1rl{t6^C)THDqt
z@3WHfcv1<ymC>5{vXjkDzurtO=eRX9Y$_U7&^Ys{C2`TCwk)1SON4r=s{Y~@xY>lW
zN}g*1I7NNL=sw;7;fFFDOEGM3D|I3S4n&2Hm6#C%pUv*Ie$<T$J#+eX0FJD?07IF!
z0NL|Ui`p*FdAfClbGuC=|M*mx00!HM^zm~K!3cwPGAUK#r9gx4Q>#Ee(dWm~wi}jd
z_XkM8i;<Mi-%zVKuUc3e&_2rNEvVvZdfhMuD1#N-mMNw7g_kOBvtA6_lx*Squ?0Db
zQbq{unXRkKt1sgBx}|zCx(a-@Z|Dsf4UYIdI=fkm4AE)FtWc`|eN1>#s&Bm8;Afi2
zU?t{c882ipLS!>&BePC;;~u_1so}WM7!3B@>_9v{Wu?-tj0D`ch_oX_oMP<};L?x6
zEi1?#i!7(s;U9A6?oVRQG(F;E(`{gvQn_)`%DGc^vW2O>Ux+WBDirMosZF-<X|wku
zwvlyPrZ`~Kd1p^b13SIwSoug=PoEGkCvbF=QZ(`uqNWvGI20vP-xD;o^<1h{3@x_x
zCAZ84F{foIlHuOai=WsIym3RGS5C_9I65#<F#6M!&9%u~ownZRm{S|<E=idsIpuhI
zu({UYz=v{+C!2@x;qU&kmo|Fhu&LtmY$AT1y<et1(p0GbC%y+1A**@v^_3|PM4_ds
zzbfcntkX&C*<frKA~Y^c0f6tI=9Xqqm>JaKxH${~g(JR)nL?omC=|q{J^QbKsOYm1
Y=Pv#4fbeWU+P`vib#ixnj68GopNEaxr~m)}

literal 0
HcmV?d00001

diff --git a/docs/source/running-a-notary-cluster/resources/wsrep.cnf b/docs/source/running-a-notary-cluster/resources/wsrep.cnf
new file mode 100644
index 0000000000..3d7f42fb7e
--- /dev/null
+++ b/docs/source/running-a-notary-cluster/resources/wsrep.cnf
@@ -0,0 +1,48 @@
+[mysqld]
+# Path to Galera library
+wsrep_provider=/usr/lib/galera3/libgalera_smm.so
+wsrep_provider_options="gcache.size=8G"
+# TODO set options related to the timeouts for WAN:
+# evs.keepalive_period=PT3s
+# evs.inactive_check_period=PT10S
+# evs.suspect_timeout=PT30S
+# evs.install_timeout=PT1M
+# evs.send_window=1024
+# evs.user_send_window=512
+
+# Cluster connection URL contains IPs of nodes
+#If no IP is found, this implies that a new cluster needs to be created,
+#in order to do that you need to bootstrap this node
+wsrep_cluster_address="gcomm://{{ your_cluster_IPs }}"
+
+# In order for Galera to work correctly binlog format should be ROW
+binlog_format=ROW
+
+# MyISAM storage engine has only experimental support
+default_storage_engine=InnoDB
+
+# Slave thread to use
+wsrep_slave_threads= 8
+
+wsrep_log_conflicts
+
+# This changes how InnoDB autoincrement locks are managed and is a requirement for Galera
+innodb_autoinc_lock_mode=2
+
+# Node IP address
+wsrep_node_address={{ node_address }}
+
+# Cluster name
+wsrep_cluster_name={{ cluster_name }}
+
+#If wsrep_node_name is not specified,  then system hostname will be used
+#wsrep_node_name=
+
+#pxc_strict_mode allowed values: DISABLED,PERMISSIVE,ENFORCING,MASTER
+pxc_strict_mode=ENFORCING
+
+# SST method
+wsrep_sst_method=xtrabackup-v2
+
+#Authentication for SST method
+wsrep_sst_auth={{ sst_user }}:{{ sst_pass }}
diff --git a/docs/source/running-a-notary-cluster/toctree.rst b/docs/source/running-a-notary-cluster/toctree.rst
new file mode 100644
index 0000000000..667477749f
--- /dev/null
+++ b/docs/source/running-a-notary-cluster/toctree.rst
@@ -0,0 +1,13 @@
+========================
+Running a notary cluster
+========================
+
+.. toctree::
+  :maxdepth: 1
+
+  introduction
+  installing-percona
+  installing-the-notary-service
+  installing-the-notary-service-bootstrapper
+  installing-the-notary-service-netman
+  operating-percona
diff --git a/docs/source/tutorials-index.rst b/docs/source/tutorials-index.rst
index dab76fb001..8ef20b5c6a 100644
--- a/docs/source/tutorials-index.rst
+++ b/docs/source/tutorials-index.rst
@@ -27,9 +27,10 @@ World tutorials, and can be read in any order.
    flow-state-machines
    flow-testing
    running-a-notary
+   running-a-notary-cluster/toctree
    oracles
    tutorial-custom-notary
    tutorial-tear-offs
    tutorial-attachments
    event-scheduling
-   tutorial-observer-nodes
\ No newline at end of file
+   tutorial-observer-nodes