DETAILED ACTION
I.	Claims 1-20 have been examined.
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
Priority
The current application is a continuation of PCT/CN2018/123473, filed 12/25/2018, which claims foreign priority to 201711472539.7, filed 12/29/2017.
Information Disclosure Statement
The information disclosure statements (IDS) submitted on 07/28/2020 and 12/30/2020 have been considered by the examiner.
Claim Rejections - 35 USC § 102
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale, or otherwise available to the public before the effective filing date of the claimed invention.


Claims 1-20 are rejected under 35 U.S.C. 102(a)(1) as being anticipated by United States Patent No. US 8600998 B1 to Chaudhary et al., hereinafter Chaudhary.
Regarding claim 1, Chaudhary teaches a processing method for a container security policy, comprising: 
obtaining a container image (column 14, lines 1-11, “metadata is collected for an initial version of the plurality of data containers. This may be referred to as "baseline" metadata information (or baseline image). Storage environments typically maintain a snapshot of the file system and the associated data containers. A file system manager (302, FIG. 3A) or any other module may take the actual snapshot and communicate it to catalog controller 410. The snapshots being a point in time copy of the file system may be used to restore a storage file system to an instance when the snapshot was taken.” and lines 12-30, “A first snapshot for a data volume operates as a starting point and once that is created, metadata for data containers that may have changed after the first snapshot is collected and processed. One process that may be used to obtain differential information is called "SnapDiff" that is provided by NetApp Inc. the assignee of the present application. Metadata collection module 416 may use the SnapDiff process to first obtain baseline metadata information for the plurality of data containers that may be stored in data volume 418. Once the baseline is established, metadata collection module 416 may only collect information for data containers that may have been created, modified or deleted from the baseline snapshot. If there are no changes to data containers after the baseline image, then metadata for those data containers is not collected. It is noteworthy that system 400 may establish any snapshot to be a baseline and then collect incremental metadata for data containers that are modified or created after the baseline is established.”, and column 16, lines 51-58, “When the first snapshot is taken, then metadata collected for that snapshot may be used as a baseline image for database table 414 (FIG. 4A), as described below.
As more snapshots are taken, metadata for data containers that were created, modified or deleted from the initial snapshot is collected and indexed, as described below. If there is no change in the data containers after the initial snapshot, then no metadata is collected for the unchanged data containers.”); 
obtaining a security policy, wherein the security policy is associated with the container image (column 19, lines 63-67 and column 20, lines 1-6); 
starting a container based on the container image (column 19, lines 63-67 and column 20, lines 1-6); 
and running the container according to the security policy (column 19, lines 63-67 and column 20, lines 1-6).
Regarding claim 2, Chaudhary teaches wherein obtaining the security policy comprises: determining index information of the security policy based on the container image; obtaining the security policy based on the index information (column 7, lines 12-17, column 10, lines 60-67, “The file system 302 illustratively may implement a write-anywhere file system having an on-disk format representation that is block-based using, e.g., 4 kilobyte (KB) blocks and using index nodes (inodes) to identify data containers and metadata for the data container (such as creation time, access permissions, size and others). The file system uses data containers to store metadata describing the layout of its file system; these metadata data containers include, among others, an inode data container. A data container handle, i.e., an identifier that includes an inode number (inum), may be used to retrieve an inode from disk”, column 11, lines 1-3, and column 17, lines 34-44, “Database 414 may also include a second searchable segment, for example, a data container table that may store metadata information regarding a plurality of data containers. FIG. 4E shows an example of data container table 452 that stores information regarding a plurality of data containers, for example, files. Each file in the data container table 452 is associated with an entry in the directories table 450. This allows one to include a path for a file only once in the directories table and one does not have to copy the path in data container table 452 every time the metadata for the file is indexed.”).
Regarding claim 3, Chaudhary teaches wherein the container image comprises the index information (column 17, lines 34-44, “Database 414 may also include a second searchable segment, for example, a data container table that may store metadata information regarding a plurality of data containers. FIG. 4E shows an example of data container table 452 that stores information regarding a plurality of data containers, for example, files. Each file in the data container table 452 is associated with an entry in the directories table 450. This allows one to include a path for a file only once in the directories table and one does not have to copy the path in data container table 452 every time the metadata for the file is indexed.”).
Regarding claim 4, Chaudhary teaches wherein the index information comprises a globally unique identifier of the security policy (column 4, lines 1-16, “The term global namespace refers to a virtual hierarchical collection of unique volume names or identifiers and directory paths to the volumes, in which the volumes are stored on multiple server nodes within a clustered storage server system. The term virtual in this context means a logical representation of an entity”, and column 12, lines 32-51, “The global namespace 394 may be maintained by storage operating system and may be used in a cluster environment, for example, 200, FIG. 2. In the global namespace 394, each volume RT, vol1-vol5 represents a virtualized container storing a portion of the global namespace 394 descending from a single root directory.”).
Regarding claim 5, Chaudhary teaches wherein determining index information of the security policy based on the container image comprises: calculating the index information according to a preset rule and metadata of the container image (column 2, lines 1-26, “A metadata collection module collects metadata associated with the plurality of data containers. The metadata includes an attribute that is associated with the plurality of data containers. The system further includes a catalog module that is executed by the plurality of nodes and pre-processes the collected metadata by extracting one or more fields. The catalog module stores the pre-processed metadata in a searchable data structure for responding to a user query requesting information regarding any data container stored at any storage volume and managed by any node in the clustered environment”, column 10, lines 60-67, “using index nodes (inodes) to identify data containers and metadata for the data container (such as creation time, access permissions, size and others). The file system uses data containers to store metadata describing the layout of its file system; these metadata data containers include, among others, an inode data container.”, and column 11, lines 1-3).
Regarding claim 6, Chaudhary teaches wherein the container image is obtained from a container repository, and wherein, before obtaining the container image from the container repository, the processing method further comprises: embedding the index information of the security policy into an original container image to obtain the container image; and publishing the container image, the security policy, and the index information to the container repository (column 14, lines 11-30, column 16, lines 51-58, column 19, lines 63-67 and column 20, lines 1-6).
Regarding claim 7, Chaudhary teaches wherein the index information comprises a globally unique identifier of the security policy (column 4, lines 1-16, “The term global namespace refers to a virtual hierarchical collection of unique volume names or identifiers and directory paths to the volumes, in which the volumes are stored on multiple server nodes within a clustered storage server system. The term virtual in this context means a logical representation of an entity”, and column 12, lines 32-51, “The global namespace 394 may be maintained by storage operating system and may be used in a cluster environment, for example, 200, FIG. 2. In the global namespace 394, each volume RT, vol1-vol5 represents a virtualized container storing a portion of the global namespace 394 descending from a single root directory.”).
Regarding claim 8, Chaudhary teaches wherein the container image is obtained from a container repository, and wherein, before obtaining the container image from the container repository, the processing method further comprises: calculating the index information of the security policy according to a preset rule and metadata of the container image; publishing the container image, the security policy, and the index information of the security policy to the container repository (column 14, lines 11-30, column 16, lines 51-58, column 19, lines 63-67 and column 20, lines 1-6).
Regarding claim 9, Chaudhary teaches wherein a root file system of the container image comprises the security policy; and wherein obtaining the security policy comprises: obtaining the security policy from the root file system (column 9, lines 1-9).
Regarding claim 10, Chaudhary teaches wherein the container image is obtained from a container repository, and wherein, before obtaining the container image from the container repository, the processing method further comprises: embedding the security policy into a root file system of an original container image to obtain a container image (column 9, lines 1-9); 
and publishing the container image to a container repository (column 14, lines 11-30, column 16, lines 51-58, column 19, lines 63-67 and column 20, lines 1-6).
Regarding claim 11, Chaudhary discloses a computer, the computer comprising at least one processor and a memory coupled to the at least one processor, wherein the memory stores instructions executable by the at least one processor,
and wherein the instructions, when executed by the at least one processor, instruct the at least one processor to: 
obtain a container image (column 14, lines 1-11, “metadata is collected for an initial version of the plurality of data containers. This may be referred to as "baseline" metadata information (or baseline image). Storage environments typically maintain a snapshot of the file system and the associated data containers. A file system manager (302, FIG. 3A) or any other module may take the actual snapshot and communicate it to catalog controller 410. The snapshots being a point in time copy of the file system may be used to restore a storage file system to an instance when the snapshot was taken.” and lines 12-30, “A first snapshot for a data volume operates as a starting point and once that is created, metadata for data containers that may have changed after the first snapshot is collected and processed. One process that may be used to obtain differential information is called "SnapDiff" that is provided by NetApp Inc. the assignee of the present application. Metadata collection module 416 may use the SnapDiff process to first obtain baseline metadata information for the plurality of data containers that may be stored in data volume 418. Once the baseline is established, metadata collection module 416 may only collect information for data containers that may have been created, modified or deleted from the baseline snapshot. If there are no changes to data containers after the baseline image, then metadata for those data containers is not collected. It is noteworthy that system 400 may establish any snapshot to be a baseline and then collect incremental metadata for data containers that are modified or created after the baseline is established.”, and column 16, lines 51-58, “When the first snapshot is taken, then metadata collected for that snapshot may be used as a baseline image for database table 414 (FIG. 4A), as described below.
As more snapshots are taken, metadata for data containers that were created, modified or deleted from the initial snapshot is collected and indexed, as described below. If there is no change in the data containers after the initial snapshot, then no metadata is collected for the unchanged data containers.”); 
obtain a security policy, wherein the security policy is associated with the container image (column 19, lines 63-67 and column 20, lines 1-6); 
start a container based on the container image (column 19, lines 63-67 and column 20, lines 1-6); 
and run the container according to the security policy (column 19, lines 63-67 and column 20, lines 1-6).
Regarding claim 12, Chaudhary discloses wherein obtaining the security policy comprises: determining index information of the security policy based on the container image; obtaining the security policy based on the index information (column 7, lines 12-17, column 10, lines 60-67, “The file system 302 illustratively may implement a write-anywhere file system having an on-disk format representation that is block-based using, e.g., 4 kilobyte (KB) blocks and using index nodes (inodes) to identify data containers and metadata for the data container (such as creation time, access permissions, size and others). The file system uses data containers to store metadata describing the layout of its file system; these metadata data containers include, among others, an inode data container. A data container handle, i.e., an identifier that includes an inode number (inum), may be used to retrieve an inode from disk”, column 11, lines 1-3, and column 17, lines 34-44, “Database 414 may also include a second searchable segment, for example, a data container table that may store metadata information regarding a plurality of data containers. FIG. 4E shows an example of data container table 452 that stores information regarding a plurality of data containers, for example, files. Each file in the data container table 452 is associated with an entry in the directories table 450. This allows one to include a path for a file only once in the directories table and one does not have to copy the path in data container table 452 every time the metadata for the file is indexed.”).
Regarding claim 13, Chaudhary discloses wherein the container image comprises the index information (column 17, lines 34-44, “Database 414 may also include a second searchable segment, for example, a data container table that may store metadata information regarding a plurality of data containers. FIG. 4E shows an example of data container table 452 that stores information regarding a plurality of data containers, for example, files. Each file in the data container table 452 is associated with an entry in the directories table 450. This allows one to include a path for a file only once in the directories table and one does not have to copy the path in data container table 452 every time the metadata for the file is indexed.”).
Regarding claim 14, Chaudhary discloses wherein the index information comprises a globally unique identifier of the security policy (column 4, lines 1-16, “The term global namespace refers to a virtual hierarchical collection of unique volume names or identifiers and directory paths to the volumes, in which the volumes are stored on multiple server nodes within a clustered storage server system. The term virtual in this context means a logical representation of an entity”, and column 12, lines 32-51, “The global namespace 394 may be maintained by storage operating system and may be used in a cluster environment, for example, 200, FIG. 2. In the global namespace 394, each volume RT, vol1-vol5 represents a virtualized container storing a portion of the global namespace 394 descending from a single root directory.”).
Regarding claim 15, Chaudhary discloses wherein determining index information of the security policy based on the container image comprises: calculating the index information according to a preset rule and metadata of the container image (column 2, lines 1-26, “A metadata collection module collects metadata associated with the plurality of data containers. The metadata includes an attribute that is associated with the plurality of data containers. The system further includes a catalog module that is executed by the plurality of nodes and pre-processes the collected metadata by extracting one or more fields. The catalog module stores the pre-processed metadata in a searchable data structure for responding to a user query requesting information regarding any data container stored at any storage volume and managed by any node in the clustered environment”, column 10, lines 60-67, “using index nodes (inodes) to identify data containers and metadata for the data container (such as creation time, access permissions, size and others). The file system uses data containers to store metadata describing the layout of its file system; these metadata data containers include, among others, an inode data container.”, and column 11, lines 1-3).
Regarding claim 16, Chaudhary discloses wherein a root file system of the container image comprises the security policy, and wherein obtaining the security policy comprises: obtaining the security policy from the root file system (column 9, lines 1-9).
Regarding claim 17, Chaudhary discloses a processing system for a container security policy, comprising a first computer, a container repository, and a second computer (column 4, lines 42-54, “distributed between two or more computers”),
wherein: the first computer is configured to publish a container image to the container repository (column 14, lines 11-30 and column 16, lines 51-58);
and the second computer is configured to:
obtain the container image from the container repository (column 14, lines 1-11, “metadata is collected for an initial version of the plurality of data containers. This may be referred to as "baseline" metadata information (or baseline image). Storage environments typically maintain a snapshot of the file system and the associated data containers. A file system manager (302, FIG. 3A) or any other module may take the actual snapshot and communicate it to catalog controller 410. The snapshots being a point in time copy of the file system may be used to restore a storage file system to an instance when the snapshot was taken.” and lines 12-30, “A first snapshot for a data volume operates as a starting point and once that is created, metadata for data containers that may have changed after the first snapshot is collected and processed. One process that may be used to obtain differential information is called "SnapDiff" that is provided by NetApp Inc. the assignee of the present application. Metadata collection module 416 may use the SnapDiff process to first obtain baseline metadata information for the plurality of data containers that may be stored in data volume 418. Once the baseline is established, metadata collection module 416 may only collect information for data containers that may have been created, modified or deleted from the baseline snapshot. If there are no changes to data containers after the baseline image, then metadata for those data containers is not collected. It is noteworthy that system 400 may establish any snapshot to be a baseline and then collect incremental metadata for data containers that are modified or created after the baseline is established.”, and column 16, lines 51-58, “When the first snapshot is taken, then metadata collected for that snapshot may be used as a baseline image for database table 414 (FIG. 4A), as described below.
As more snapshots are taken, metadata for data containers that were created, modified or deleted from the initial snapshot is collected and indexed, as described below. If there is no change in the data containers after the initial snapshot, then no metadata is collected for the unchanged data containers.”); 
obtain a security policy, wherein the security policy is associated with the container image (column 19, lines 63-67 and column 20, lines 1-6); 
start a container based on the container image (column 19, lines 63-67 and column 20, lines 1-6); 
and run the container according to the security policy (column 19, lines 63-67 and column 20, lines 1-6).
Regarding claim 18, Chaudhary discloses wherein the first computer is further configured to: embed index information of the security policy into an original container image to obtain the container image; and publish the container image, the security policy, and the index information to the container repository (column 7, lines 12-17, column 10, lines 60-67, “The file system 302 illustratively may implement a write-anywhere file system having an on-disk format representation that is block-based using, e.g., 4 kilobyte (KB) blocks and using index nodes (inodes) to identify data containers and metadata for the data container (such as creation time, access permissions, size and others). The file system uses data containers to store metadata describing the layout of its file system; these metadata data containers include, among others, an inode data container. A data container handle, i.e., an identifier that includes an inode number (inum), may be used to retrieve an inode from disk”, column 11, lines 1-3, and column 17, lines 34-44, “Database 414 may also include a second searchable segment, for example, a data container table that may store metadata information regarding a plurality of data containers. FIG. 4E shows an example of data container table 452 that stores information regarding a plurality of data containers, for example, files. Each file in the data container table 452 is associated with an entry in the directories table 450. This allows one to include a path for a file only once in the directories table and one does not have to copy the path in data container table 452 every time the metadata for the file is indexed.”).
Regarding claim 19, Chaudhary discloses wherein the first computer is further configured to: calculate index information of the security policy according to a preset rule and metadata of the container image; publish the container image, the security policy, and the index information of the security policy to the container repository (column 2, lines 1-26, “A metadata collection module collects metadata associated with the plurality of data containers. The metadata includes an attribute that is associated with the plurality of data containers. The system further includes a catalog module that is executed by the plurality of nodes and pre-processes the collected metadata by extracting one or more fields. The catalog module stores the pre-processed metadata in a searchable data structure for responding to a user query requesting information regarding any data container stored at any storage volume and managed by any node in the clustered environment”, column 10, lines 60-67, “using index nodes (inodes) to identify data containers and metadata for the data container (such as creation time, access permissions, size and others). The file system uses data containers to store metadata describing the layout of its file system; these metadata data containers include, among others, an inode data container.”, and column 11, lines 1-3).
Regarding claim 20, Chaudhary discloses wherein the first computer is further configured to: embed the security policy into a root file system of an original container image to obtain a container image (column 9, lines 1-9);
and publish the container image to a container repository (column 14, lines 11-30, column 16, lines 51-58, column 19, lines 63-67 and column 20, lines 1-6).

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. The references cited on form PTO-892 are cited to further show the state of the art with respect to security policies for containers.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to JEREMIAH L AVERY whose telephone number is (571) 272-8627. The examiner can normally be reached M-F 8:30am-5:00pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Lynn Feild can be reached on 571-272-2092. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.



/JEREMIAH L AVERY/Primary Examiner, Art Unit 2431