DETAILED ACTION

Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
This action is responsive to communication received on 04/21/2022. Claims 1, 3-6, 8-11, 13-16 and 18-20 are pending, of which claims 1 and 11 are amended.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.


Claims 1, 3-6, 8-11, 13-16 and 18-20 are rejected under 35 U.S.C. 103 as being unpatentable over Ruty US 2019/0079788 further in view of Wanser US 2014/0337497, Assadzadeh US 2010/0257264, Qureshi US 9,916,233 and Feng US 2018/0046503.
Regarding claims 1 and 11, Ruty teaches a method and device manager implementing the method comprising:
receiving, from a network management node, a policy update request for the network device (administrators push out policies/configuration through controllers that are propagated and received by leafs/spines of network, ¶38)
["To illustrate, one or more administrators can define configurations at a logical level (e.g., application or software level) through Controllers 216, which can implement or propagate such configurations through Network Environment 200. In some examples, Controllers 216 can be Application Policy Infrastructure Controllers (APICs) in an ACI framework. In other examples, Controllers 216 can be one or more management components for associated with other SDN solutions, such as NSX Managers.", ¶38]
, the identified policy comprising rules which determine how the network device should operate in the communication network 
["Leafs 204 can be responsible for routing and/or bridging tenant or customer packets and applying network policies or rules. Network policies and rules can be driven by one or more Controllers 216, and/or implemented or enforced by one or more devices, such as Leafs 204. Leafs 204 can connect other elements to the Fabric 220. For example, Leafs 204 can connect Servers 206, Hypervisors 208, Virtual Machines (VMs) 210, Applications 212, Network Device 214, etc., with Fabric 220. Such elements can reside in one or more logical or virtual layers or networks, such as an overlay network. In some cases, Leafs 204 can encapsulate and decapsulate packets to and from such elements (e.g., Servers 206) in order to enable communications throughout Network Environment 200 and Fabric 220. Leafs 204 can also provide any other devices, services, tenants, or workloads with access to Fabric 220. ", ¶33]
identifying program components required to fulfil the identified policy
["A system can determine whether a block of a container image used in running a container is present in local storage at a host. If the block of the container image is present in the local storage at the host, then the system can use the block in the local storage to run the container at the host..", ¶20]
[" Leafs 204 can be responsible for routing and/or bridging tenant or customer packets and applying network policies or rules. Network policies and rules can be driven by one or more Controllers 216, and/or implemented or enforced by one or more devices, such as Leafs 204. ", ¶33]
determine existing program components present in the network device and 
[" A system can determine whether a block of a container image virtualized at a host and used in running a container is present in local storage at the host. If the block of the container image is present in the local storage at the host, then the system can use the block in the local storage to run the container at the host. If the system determines the block of the container image is absent from the local storage, the system can subsequently fetch the block of the container image for the host from a container image storage node where the container image resides in its entirety.", ¶21]
pushing to the network device the required program components absent in the network device to fulfill the identified policy.
["In predictively virtualizing a container image at the host 302, the predictive container image virtualization system 500 can predict portions of a virtualized container image to send to the host 302. The predictive container image virtualization system 500 can then send predicted portions of the virtualized container images to the host 302, as part of predictively virtualizing container images at the host 302. Additionally, as part of predictively virtualizing container images at the host 302, the predictive container image virtualization system 500 can predict portions of container image to send to the host 302 without receiving requests for the predicted portions of the container image. Subsequently, the predictive container image virtualization system 500 can send the predicted portions of the container image to the host 302 without receiving requests for the portions of the container image, e.g. as part of the container image virtualization system 500 prefetching the predicted portions for the host 302. ", ¶84]

Ruty teaches, in response to receiving policy updates, distributing such updates to leaf nodes (¶36), but does not teach, in response to receiving the policy update request, identifying a policy for the network device out of a set of predefined policies. Wanser, in an analogous area of computer networking, teaches an SDN system. Wanser teaches, in response to receiving the policy update request, identifying a policy for the network device out of a set of predefined policies.
["The device further determines the plurality of matching policies for the segment from the plurality of subnets of the virtual network identifier, where each of the plurality of subnets corresponds to one of the plurality of matching policies. The device additionally applies the plurality of matching policies to each network access device that corresponds to one of the plurality of matching endpoints. ", ¶6]

["To determine which of these policies apply for a VNI, the VNI can be represented as a dotted decimal number, in which each of the numbers corresponds to a different subnet of the VNI.", ¶29]

It would have been obvious to a person of ordinary skill in the art at the time of the filing to modify Ruty's distribution of updates to network policy with the method of determining which policy should be enforced at a device based on the VLAN to which the device belongs, as taught by Wanser. The reason for this modification would be to ensure that policies are customized for the needs of particular VLANs/subnets.
Ruty/Wanser do not teach from where the policies are accessed and thus do not teach identifying a policy for the network device out of a set of predefined policies by accessing the set of predefined policies from storage or database external to the device manager. Assadzadeh, in the same area of policy enforcement in computing networks, teaches a method for policy interpretation. Assadzadeh teaches identifying a policy for the network device out of a set of predefined policies by accessing the set of predefined policies from storage or database external to the device manager.
["Next, the management server may then retrieve, from database 106, policy definitions (act 308) and, service definitions defined for the subscriber device, based on the subscriber's definition and configuration (act 310). For example, a service requiring a high bandwidth will not be defined for the subscriber when the subscriber device is accessing the network via a low-speed dialup connection. The management server may then download the service and policy rule definitions to one or more routers 116, 118 for installation (act 312). ", ¶106]

It would have been obvious to a person of ordinary skill in the art at the time of the filing to modify Ruty/Wanser with accessing policies from an external database as taught by Assadzadeh. The motivation for this modification would be to provide a central storage and repository for retrieval of policies. Retrieval of policies from a policy database is a well-established practice, and such a modification requires only the skill of one of ordinary skill and can be implemented to achieve predictable results.
The combination of Ruty/Wanser/Assadzadeh has been discussed above. Ruty teaches determining the absence of a software block of a container image. The examiner contends that, though the term difference is not used, one of ordinary skill would interpret determining an absence of a block as implying determining a difference in the blocks from the blocks that are expected to be present. In order to lay this issue to rest, the examiner affords the assertion that determining absence does not imply determining a difference. Thus, under such an assumption, Ruty/Wanser/Assadzadeh does not teach determining a difference between program components identified to fulfill the identified policy from existing program components installed on the network device to identify required program components absent in the network device to fulfill the identified policy. Qureshi, in the same field of endeavor, teaches a system for updates of software deployment using application containers. Qureshi teaches determining a difference between program components identified to fulfill the identified policy from existing program components installed on the network device to identify required program components absent in the network device to fulfill the identified policy.

[“Using this information, the deployment agent 214 or the deployment engine 216, depending on the implementation, may determine differences between the software package and software currently resident on the device 202. In this manner, one software package may be created for multiple devices having different configurations, and only portions of the software package different from the software currently resident on individual devices need be provided to the individual device by the deployment service 212. Bandwidth usage and other resource usage may be conserved thereby because redundant software libraries and other dependencies need not be downloaded from the deployment service 212 when they are already resident on the device 202.”, Col 9 Lines 10-22]

It would have been obvious to a person of ordinary skill in the art at the time of the filing to modify Ruty/Wanser/Assadzadeh with determination of absent software portions by way of difference determination as taught by Qureshi. The reason for this modification would be to identify only portions that are needed to be retrieved thus reserving transmission bandwidth.
Although Ruty, as discussed above, teaches determination by directly querying existing program components installed on a network device, Ruty does not teach that such information is retrieved from data storage regarding installed components of different network devices. Thus the combination of Ruty/Wanser/Assadzadeh/Qureshi does not teach retrieving information on existing program components present in installed on the network device from a data storage containing currently installed program components in different network devices, including the network device. Feng, in the same field of endeavor, teaches a system for container deployment tracking and communication. Feng teaches retrieving information on existing program components present in installed on the network device from a data storage containing currently installed program components in different network devices, including the network device (¶¶ 4, 5; see also Fig. 6B).

[" According to another embodiment of the present invention, a computer program product for facilitating data-locality-aware task scheduling on hyper-converged computing infrastructures is provided. The computer program product comprises a computer readable storage medium and program instructions stored on the computer readable storage medium. The program instructions include: program instructions to identify a plurality of data blocks referenced in an input/output (I/O) request that is based on scheduling logic that executes within a container that is deployed on a hyper-converged infrastructure; program instructions to scan a block-location mapping table using a data block identifier that is associated with a present data block of the plurality of data blocks, and in response, identify one or more physical nodes of the hyper-converged infrastructure that store the present data block; program instructions to scan a container-instance mapping table using one or more respective physical node identifiers that are associated with the one or more physical nodes that store the present data block, and in response, identify one or more containers that are deployed on the one or more physical nodes that store the present data block; and program instructions to provide the scheduling logic with a list of one or more container identifiers that are respectively associated with the one or more one or more containers that are deployed on the one or more physical nodes that store the present data block.", ¶4]

["According to another embodiment of the present invention, a computer system for facilitating data-locality-aware task scheduling on hyper-converged computing infrastructures is provided. The computer system includes one or more computer processors, one or more computer readable storage media, and program instructions stored on the computer readable storage media for execution by at least one of the one or more processors. The program instructions include: program instructions to identify a plurality of data blocks referenced in an input/output (I/O) request that is based on scheduling logic that executes within a container that is deployed on a hyper-converged infrastructure; program instructions to scan a block-location mapping table using a data block identifier that is associated with a present data block of the plurality of data blocks, and in response, identify one or more physical nodes of the hyper-converged infrastructure that store the present data block; program instructions to scan a container-instance mapping table using one or more respective physical node identifiers that are associated with the one or more physical nodes that store the present data block, and in response, identify one or more containers that are deployed on the one or more physical nodes that store the present data block; and program instructions to provide the scheduling logic with a list of one or more container identifiers that are respectively associated with the one or more one or more containers that are deployed on the one or more physical nodes that store the present data block.", ¶5]	
	
It would have been obvious to a person of ordinary skill in the art at the time of the effective filing of the instant application to modify Ruty/Wanser/Assadzadeh/Qureshi with a container mapping table of Feng for storing a directory of containers installed on various devices to determine what containers are absent from a node. The reason for this modification would be to provide a known alternative to direct query of components in a device. Although Feng does not teach use of such a directory to determine absence difference of containers, one of ordinary skill would be motivated to make such a modification, for instance to determine absence/presence of containers at multiple nodes with a single query versus querying nodes one by one.
		

Regarding claims 3 and 13, Ruty teaches wherein the method is performed in response to the management node detecting that the network device has joined the communication network, or that a policy affecting the network device has been added, removed, or changed.
["In some cases, VMs 210 and/or Hypervisors 208 can be migrated to other Servers 206. Servers 206 can similarly be migrated to other locations in Network Environment 200. For example, a server connected to a specific leaf can be changed to connect to a different or additional leaf. Such configuration or deployment changes can involve modifications to settings, configurations and policies that are applied to the resources being migrated as well as other network components", ¶36]

Regarding claims 4 and 14, Ruty teaches wherein the added, removed, or changed policy is valid for any one or more of: an identity of the network device, a type of the network device, a model of the network device, and a manufacturer of the network device (policies are applied to a group of devices with the same profile/application model, ¶40).
["ACI can provide an application-centric or policy-based solution through scalable distributed enforcement. ACI supports integration of physical and virtual environments under a declarative configuration model for networks, servers, services, security, requirements, etc. For example, the ACI framework implements EPGs, which can include a collection of endpoints or applications that share common configuration requirements, such as security, QoS, services, etc. Endpoints can be virtual/logical or physical devices, such as VMs, containers, hosts, or physical servers that are connected to Network Environment 200. Endpoints can have one or more attributes such as a VM name, guest OS name, a security tag, application profile, etc. Application configurations can be applied between EPGs, instead of endpoints directly, in the form of contracts. Leafs 204 can classify incoming traffic into different EPGs. The classification can be based on, for example, a network segment identifier such as a VLAN ID, VXLAN Network Identifier (VNID), NVGRE Virtual Subnet Identifier (VSID), MAC address, IP address, etc. ", ¶40]

Regarding claims 5 and 15, Ruty teaches wherein the identified policy is valid for one or more of: an identity of the network device, a type of the network device, a model of the network device, and a manufacturer of the network device (policies are applied to a group of devices with the same profile/application model, ¶40).
["ACI can provide an application-centric or policy-based solution through scalable distributed enforcement. ACI supports integration of physical and virtual environments under a declarative configuration model for networks, servers, services, security, requirements, etc. For example, the ACI framework implements EPGs, which can include a collection of endpoints or applications that share common configuration requirements, such as security, QoS, services, etc. Endpoints can be virtual/logical or physical devices, such as VMs, containers, hosts, or physical servers that are connected to Network Environment 200. Endpoints can have one or more attributes such as a VM name, guest OS name, a security tag, application profile, etc. Application configurations can be applied between EPGs, instead of endpoints directly, in the form of contracts. Leafs 204 can classify incoming traffic into different EPGs. The classification can be based on, for example, a network segment identifier such as a VLAN ID, VXLAN Network Identifier (VNID), NVGRE Virtual Subnet Identifier (VSID), MAC address, IP address, etc. ", ¶40]
	

Regarding claims 6 and 16, the combination of Ruty/Wanser/Assadzadeh/Qureshi is discussed above. Ruty/Wanser/Qureshi do not teach wherein the policies in the set of predefined policies have priorities so that a policy with a first priority overrides a conflicting policy with a second priority lower than the first priority. Assadzadeh, in the same area of policy enforcement in computing networks, teaches a method for policy interpretation. Assadzadeh teaches wherein the policies in the set of predefined policies have priorities so that a policy with a first priority overrides a conflicting policy with a second priority lower than the first priority.
["As can be seen from this example, each PR includes a condition and an action. In PR1, the condition is FTP traffic and the action is rate limit to 64 kbps. In PR2, the condition is video teleconferencing traffic and the action is forward. When traffic satisfies or matches conditions of more than one policy, one policy has a higher priority (lower precedence number) than the other matching policies and the actions cannot be combined, then the other matching policies are said to be eclipsed or overridden by the policy with the higher priority. ", ¶48]

It would have been obvious to a person of ordinary skill in the art at the time of the filing to modify Ruty/Wanser/Assadzadeh/Qureshi with overriding by a higher precedence policy over a lower precedence policy as taught by Assadzadeh. The reason for this modification would be to determine which policy is applied when conflicting policies exist for a device.
Regarding claims 8 and 18, Ruty teaches, wherein the required program components are to be executed in a dataplane of the network device to perform operations related to any one or more of: switching, forwarding, routing, firewalling, caching, and packet inspection.
["Such configurations can define rules, policies, priorities, protocols, attributes, objects, etc., for routing and/or classifying traffic in Network Environment 100. For example, such configurations can define attributes and objects for classifying and processing traffic based on Endpoint Groups (EPGs), Security Groups (SGs), VM types, bridge domains (BDs), virtual routing and forwarding instances (VRFs), tenants, priorities, firewall rules, etc.", ¶39]
["Controllers 216 can provide centralized access to fabric information, application configuration, resource configuration, application-level configuration modeling for a software-defined network (SDN) infrastructure, integration with management systems or servers, etc. Controllers 216 can form a control plane that interfaces with an application plane via northbound APIs and a data plane via southbound APIs. ", ¶44]

Regarding claims 9 and 19, Ruty teaches, wherein the communication network is a Software Defined Network, SDN (SDN).
["Returning now to FIG. 2A, Network Environment 200 can deploy different hosts via Leafs 204, Servers 206, Hypervisors 208, VMs 210, Applications 212, and Controllers 216, such as VMWARE ESXi hosts, WINDOWS HYPER-V hosts, bare metal physical hosts, etc. Network Environment 200 may interoperate with a variety of Hypervisors 208, Servers 206 (e.g., physical and/or virtual servers), SDN orchestration platforms, etc. Network Environment 200 may implement a declarative model to allow its integration with application design and holistic network policy. ", ¶44]

Regarding claims 10 and 20, Ruty teaches wherein the device manager obtains from a program component provider any required program components that need to be pushed to the network device.
["More specifically, the container image virtualization system 300 can send a request for the portion of the virtualized container image layers 310 to a node or a controller of a node where the portion resides, e.g. in the container image layers 316 of the container image 314 stored at the container image storage node 304. In response to a request for the portion of the virtualized container image layers 310, the container image virtualization system 300 can retrieve the portion of the virtualized container image layers 310 from the container image layers 316 of the container image 314 stored at the container image storage node 304. The container image virtualization system 300 can then provide the retrieved portion of the virtualized container image layers 310 to the host 302, where it can be used to execute the container 306 at the host 302. ", ¶72]


Applicant Remarks
Applicant’s arguments with respect to claims 1-6, 8-16 and 18-20 have been considered but are moot because the new ground of rejection does not rely on the combination of references applied in the prior rejection of record for any teaching or matter specifically challenged in the argument.

Conclusion

Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to TOM Y. CHANG whose telephone number is (571)270-5938.  The examiner can normally be reached on Monday - Thursday from 9am to 5pm.  
If attempts to reach the examiner by telephone are unsuccessful, the examiner's supervisor, William Trost, can be reached on (571)272-7872. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system. Status information for published applications may be obtained from either Private PAIR or Public PAIR. Status information for unpublished applications is available through Private PAIR only. For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free).

/TOM Y CHANG/
Primary Examiner, Art Unit 2456