DETAILED ACTION
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
This office action is in response to the arguments/remarks filed on 12/09/2020. Claims 1 – 25 are presently pending in the application and have been examined below, of which claims 1, 9, 16, 21, and 25 are presented in independent form. 
Claims 1 – 25 are pending for consideration.

Information Disclosure Statement
The information disclosure statements (IDS) dated 09/10/2020, 09/10/2020, and 09/10/2020 have been received and considered.

Response to Arguments
Applicant’s arguments with respect to claims 1 – 25 have been considered but they are moot in view of new grounds of rejection.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries set forth in Graham v. John Deere Co., 383 U.S. 1, 148 USPQ 459 (1966), that are applied for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.

Claims 1 – 25 are rejected under 35 U.S.C. 103 as being unpatentable over Griffin et al. (US 2019/0310872) (hereafter Griffin) and in view of Coady et al. (US 2019/0347127) (hereafter Coady).

Regarding claim 1 Griffin teaches: A system, comprising: a memory that stores computer executable components; and a processor that executes the computer executable components stored in the memory, wherein the computer executable components comprise: (Griffin, in Para. [0020] discloses “Nodes 120A-B may comprise one or more computing devices with one or more processors communicatively coupled to memory devices and input/output (I/O) devices”)
a container inspection control component that defines one or more constrained capabilities of a container inspection of a virtual container, (Examiner note: container inspection of a virtual container is met by the operating system kernel management that manages multiple virtual containers; container capability constraints are met by the computational and data file system limits) (Griffin, in Para. [0020] discloses “operating system level virtualization may include a single operating system kernel that manages multiple isolated virtual containers. Each virtual container may share the kernel of the underlying operating system without requiring its own kernel.” Griffin, in Para. [0036] discloses “Operating system inspection module 212 may analyze the operating system to identify features of the operating system. The features of the operating system may include operating system type data, release data, version data, build data, patch data, other operating system indication data, or a combination thereof.” Griffin, in Para. [0024] discloses “Operating system level virtualization may provide resource management features that isolate or limit the impact of one container (e.g., container 125A) on the resources of another container (e.g., container 125B or 125C)” Griffin, in Para. [0025] discloses “The limits may restrict the rate of the activity, the aggregate amount of the activity, or a combination thereof. The limits may include one or more of filesystem limits, disk limits, input/out (I/O) limits, memory limits, CPU limits, network limits, other limits, or a combination thereof.”);

Griffin fails to explicitly teach: wherein the one or more constrained capabilities limits the container inspection to read-only operations on the virtual container; and a container inspection component that performs the container inspection on the virtual container based on the one or more constrained capabilities.
Coady from the analogous technical field teaches: wherein the one or more constrained capabilities limits the container inspection to read-only operations on the virtual container (Examiner note: inspection to the read-only operations on the container is met by the analysis on readiness of the container images) (Coady, in Para. [0015] discloses “the technology may analyze readiness of the container images to route service requests to a container supported by the container images.” Coady, in Para. [0043] discloses “Data store 330 may include various data, including rules 134, computer code 332, parent image 336, container image 132, readiness factors 136”); and a container inspection component that performs the container inspection on the virtual container based on the one or more constrained capabilities (Coady, in Para. [0047] discloses “the kernel level rules may enable manager 110 to identify operating system ("OS") specific processes ( e.g., system processes that are exclusive to the operating system) that are already included within the operating system managing the containers and do not need to be executed within a container”).
It would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to modify Griffin, in view of the teaching of Coady which discloses operations on readiness and operating system level operations on containers in order to improve virtual container management in the system (Coady, [0015, 0043, 0047]). 

Regarding claim 2 Griffin teaches: The system of claim 1, wherein the container inspection component comprises an inspection instance comprising at least one of: a kernel construct; a security construct; or a containerization construct (Griffin, in Para. [0033] discloses “Virtual machine inspection component 210 may enable agent 116 to inspect the virtual machine to identify data indicating a configuration of the virtual machine. The configuration of a virtual machine may relate to data of the guest operating system, running processes, filesystem, other data, or a combination thereof.” Griffin, in Para. [0020] discloses “operating system level virtualization may include a single operating system kernel that manages multiple isolated virtual containers. Each virtual container may share the kernel of the underlying operating system without requiring its own kernel.”).

Regarding claim 3 Griffin teaches: The system of claim 1, wherein the container inspection control component defines the one or more constrained capabilities based on one or more control components selected from a group consisting of privilege separation, namespace, capability-based security, secure computing mode, netfilter, control groups, and Security-Enhanced Linux, thereby facilitating improved security associated with at least one of: the container inspection component; the virtual container; or one or more resources of a container-based virtualization environment (Griffin, in Para. [0020] discloses “the configuration pseudo-filesystem may be the same as the Unix or Linux based proc filesystem (ProcFS), system filesystem (SysFS), other filesystem, or a combination thereof. In one example, virtual machine inspection component 210 may gather data from the virtual machine using an operating system inspection module 212, a process inspection module 214, and a storage inspection module 216.”).

Regarding claim 4 Griffin teaches: The system of claim 1, further comprising a control level component that defines a level of control of the container inspection component based on one or more combinations of one or more control components selected from a group consisting of access control components and resource constraint components (Examiner note: access control is performed by the distributed system manager) (Griffin, in Para. [0017] discloses “The distributed system 100 may include a manager 110, a plurality of nodes 120A, 120B, and an image repository 130 coupled via a network 140.” Griffin, in Para. [0018] discloses “virtual machine analysis component 112 may receive data 113 (e.g., configuration data) from an agent 116 that has access to content of the virtual machine. Virtual machine analysis component 112 may analyze data 113 to identify a set of processes executing on the virtual machine that provide one or more services.” Griffin, in Para. [0025] discloses “The operating system level virtualization may also limit (e.g., isolate) a container's access to one or more computing resources by monitoring the containers activity and restricting the activity in view of one or more limits.”).

Regarding claim 5 Griffin teaches: The system of claim 1, wherein the container inspection inspects a live runtime state of the virtual container (Griffin, in Para. [0020] discloses “operating system level virtualization may include a single operating system kernel that manages multiple isolated virtual containers. Each virtual container may share the kernel of the underlying operating system without requiring its own kernel.” Griffin, in Para. [0030] discloses “Container images 132A-C may include one or more computer programs along with a filesystem that contains the computer code, runtime, system tools, system libraries, other data, or a combination thereof to support the execution of a service within a container on node 120B.” Griffin, in Para. [0049] discloses “The links of a process may be detected during a static analysis of the computer code or by a runtime analysis of the computer code and may be stored as link data 334.”).

Regarding claim 6 Griffin teaches: The system of claim 1, wherein the container inspection inspects at least one of a memory state, a disk state, or a network state of the virtual container (Griffin, in Para. [0036] discloses “Operating system inspection module 212 may analyze the operating system to identify features of the operating system. The features of the operating system may include operating system type data, release data, version data, build data, patch data, other operating system indication data, or a combination thereof.” Griffin, in Para. [0020] discloses “operating system level virtualization may include a single operating system kernel that manages multiple isolated virtual containers. Each virtual container may share the kernel of the underlying operating system without requiring its own kernel.” Griffin, in Para. [0025] discloses “The limits may restrict the rate of the activity, the aggregate amount of the activity, or a combination thereof. The limits may include one or more of file system limits, disk limits, input/out (I/O) limits, memory limits, CPU limits, network limits, other limits, or a combination thereof.”).

Regarding claim 7 Griffin teaches: The system of claim 1, wherein the container inspection is generated via execution of a Bourne-Again Shell command (Examiner note: the Bourne-Shell command interpreter is a default shell of many Unix/Linux operating systems, therefore application of the Bourne-shell commands is met by the application of the kernel level operating system commands) (Griffin, in Para. [0020] discloses “operating system level virtualization may include a single operating system kernel that manages multiple isolated virtual containers.”).

Regarding claim 8 Griffin fails to explicitly teach: The system of claim 1, wherein the one or more constrained capabilities prevents the container inspection from accessing read privileged files in the virtual container
Coady from the analogous technical field teaches: The system of claim 1, wherein the one or more constrained capabilities prevents the container inspection from accessing read privileged files in the virtual container (Examiner note: as noted above, inspection to the read-only operations, i.e. read privileges files on a container is met by the analysis on readiness of the container images) (Coady, in Para. [0015] discloses “the technology may analyze readiness of the container images to route service requests to a container supported by the container images.” Coady, in Para. [0043] discloses “Data store 330 may include various data, including rules 134, computer code 332, parent image 336, container image 132, readiness factors 136”);
It would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to modify Griffin, in view of the teaching of Coady which discloses operations on readiness on containers in order to improve virtual container management in the system (Coady, [0015, 0043]).

Regarding claim 9, claim 9 discloses a method that is substantially equivalent to the system of claim 1. Therefore, the arguments set forth above with respect to claim 1 are equally applicable to claim 9 and rejected for the same reasons.
Regarding claim 10, claim 10 dependent on claim 9 discloses a method that is substantially equivalent to the system of claim 3 dependent on claim 1. Therefore, the arguments set forth above with respect to claim 3 are equally applicable to claim 10 and rejected for the same reasons.

Regarding claim 11, claim 11 dependent on claim 9 discloses a method that is substantially equivalent to the system of claim 4 dependent on claim 1. Therefore, the arguments set forth above with respect to claim 4 are equally applicable to claim 11 and rejected for the same reasons.

Regarding claim 12, claim 12 dependent on claim 9 discloses a method that is substantially equivalent to the system of claim 6 dependent on claim 1. Therefore, the arguments set forth above with respect to claim 6 are equally applicable to claim 12 and rejected for the same reasons.

Regarding claim 13, claim 13 dependent on claim 9 discloses a method that is substantially equivalent to the system of claim 5 dependent on claim 1. Therefore, the arguments set forth above with respect to claim 5 are equally applicable to claim 13 and rejected for the same reasons.

Regarding claim 14, claim 14 dependent on claim 9 discloses a method that is substantially equivalent to the system of claim 7 dependent on claim 1. Therefore, the arguments set forth above with respect to claim 7 are equally applicable to claim 14 and rejected for the same reasons.

Regarding claim 15, claim 15 dependent on claim 9 discloses a method that is substantially equivalent to the system of claim 8 dependent on claim 1. Therefore, the arguments set forth above with respect to claim 8 are equally applicable to claim 15 and rejected for the same reasons.

Regarding claim 16, claim 16 discloses a system that is substantially equivalent to the system of claim 1. Therefore, the arguments set forth above with respect to claim 1 are equally applicable to claim 16 and rejected for the same reasons.

Regarding claim 17 Griffin teaches: The system of claim 16, wherein the container inspection inspects a live runtime state of the virtual container (Griffin, in Para. [0030] discloses “Container images 132A-C may include one or more computer programs along with a filesystem that contains the computer code, runtime, system tools, system libraries, other data, or a combination thereof to support the execution of a service within a container on node 120B.” Griffin, in Para. [0049] discloses “The links of a process may be detected during a static analysis of the computer code or by a runtime analysis of the computer code and may be stored as link data 334.”) based on one or more read-only actions (Griffin, in Para. [0053] discloses “Container image 132 may represent a chain of layers that when run as a container includes one or more copy-on-write (COW) volumes (which may also be referred to as "layers…the topmost layer may be a raw or COW volume, which may be made read-only before the initialization of the container image as a container.”).

Regarding claim 18, claim 18 dependent on claim 16 discloses a system that is substantially equivalent to the system of claim 3 dependent on claim 1. Therefore, the arguments set forth above with respect to claim 3 are equally applicable to claim 18 and rejected for the same reasons.

Regarding claim 19, claim 19 dependent on claim 16 discloses a system that is substantially equivalent to the system of claim 4 dependent on claim 1. Therefore, the arguments set forth above with respect to claim 4 are equally applicable to claim 19 and rejected for the same reasons.

Regarding claim 20 Griffin teaches: The system of claim 16, wherein the container inspection control component prevents execution of one or more write operations by the container inspection component (Examiner note: as noted above, control over process/operation execution (i.e. permission/denial of execution) in a virtual machine/container is performed by the VM analysis component 112) (Griffin, in Para. [0018] discloses “Virtual machine analysis component 112 may analyze data 113 to identify a set of processes executing on the virtual machine that provide one or more services”), thereby facilitating a safer inspection ability, without hampering the processing capacity associated with one or more resources of a container-based virtualization environment (Griffin, in Para. [0024] discloses “Operating system level virtualization may provide resource management features that isolate or limit the impact of one container (e.g., container 125A) on the resources of another container (e.g., container 125B or 125C)”).

Regarding claim 21, claim 21 discloses a computer program product that is substantially equivalent to the system of claim 1. Therefore, the arguments set forth above with respect to claim 1 are equally applicable to claim 21 and rejected for the same reasons.

Regarding claim 22, claim 22 dependent on claim 21 discloses a computer program product that is substantially equivalent to the system of claim 3 dependent on claim 1. Therefore, the arguments set forth above with respect to claim 3 are equally applicable to claim 22 and rejected for the same reasons.

Regarding claim 23, claim 23 dependent on claim 21 discloses a computer program product that is substantially equivalent to the system of claim 4 dependent on claim 1. Therefore, the arguments set forth above with respect to claim 4 are equally applicable to claim 23 and rejected for the same reasons.

Regarding claim 24 Griffin fails to explicitly teach: The computer program product of claim 21, wherein the container inspection inspects a live runtime state of the virtual container based on one or more read-only actions
Coady from the analogous technical field teaches: The computer program product of claim 21, wherein the container inspection inspects a live runtime state of the virtual container (Coady, in Para. [0047] discloses “the kernel level rules may enable manager 110 to identify operating system ("OS") specific processes ( e.g., system processes that are exclusive to the operating system) that are already included within the operating system managing the containers and do not need to be executed within a container”) based on one or more read-only actions (Examiner note: as noted above, inspection to the read-only operations on the container is met by the analysis on readiness of the container images) (Coady, in Para. [0015] discloses “the technology may analyze readiness of the container images to route service requests to a container supported by the container images.” Coady, in Para. [0043] discloses “Data store 330 may include various data, including rules 134, computer code 332, parent image 336, container image 132, readiness factors 136”).
It would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to modify Griffin, in view of the teaching of Coady which discloses operations on readiness and operating system level operations on containers in order to improve virtual container management in the system (Coady, [0015, 0043, 0047]).

Regarding claim 25, claim 25 discloses a computer program product that is substantially equivalent to the system of claim 1. Therefore, the arguments set forth above with respect to claim 1 are equally applicable to claim 25 and rejected for the same reasons.

Conclusion
The prior art made of record and not relied upon, considered pertinent to applicant's disclosure, is listed on the enclosed PTO-892 form.
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action. Accordingly, THIS ACTION IS MADE FINAL. See MPEP § 706.07(a). Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).

MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to VLADIMIR IVANOVICH GAVRILENKO whose telephone number is (313) 446-6530.  The examiner can normally be reached on Monday-Friday 7:30-4:30 EST.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Lynn Feild can be reached on (571) 272-2092.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information 

/V.I.G./Examiner, Art Unit 2431         

/LYNN D FEILD/Supervisory Patent Examiner, Art Unit 2431