Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

EXAMINER’S AMENDMENT

1. An examiner’s amendment to the record appears below. Should the changes and/or additions be unacceptable to applicant, an amendment may be filed as provided by 37 CFR 1.312. To ensure consideration of such an amendment, it MUST be submitted no later than the payment of the issue fee. 

2. Authorization for this examiner’s amendment was given in a telephone interview with Daniel Lee, on 07/14/2022.

1. (Currently Amended) A method for constructing a lightweight container-based user environment (CUE), wherein the method comprises the following steps:
(1) preparing, by a main process used to execute user environment construction, a socket pair for interprocess communication, calling a clone function, clone(), to obtain a child process, and serving the main process as a parent process of the child process;
(2) elevating permission of the child process to root, executing namespace isolation, calling the clone function, clone(), to obtain a grandchild process, and sending a process identification (PID) of the grandchild process to the parent process, and setting, by the parent process, cgroups for the grandchild process according to the process identification (PID); and
(3) setting, by the grandchild process, permission of the grandchild process to execute a command and a file, then as an independent process, sequentially preparing an overlay file system of the grandchild process, setting a hostname, and limiting permission by using a capability mechanism of a Linux kernel, executing an initialization script, init.sh, and finally constructing [[the]] a container according to the initialization script.

2. (Currently Amended) The method for constructing a lightweight container-based user environment (CUE) according to claim 1, wherein the step (2) specifically comprises the following steps:
(2.1) executing, by the child process, setresuid(
(2.2) calling, by the child process, the clone function clone() to obtain the grandchild process, and sending, by the grandchild process, a communication-ready message to the parent process, and waiting for a response from the parent process; and
(2.3) sending, by the child process, the process identification (PID) of the grandchild process to the parent process, sending, by the parent process, an acknowledgment feedback to the child process after successfully receiving the communication-ready message, and sending, by the child process after receiving the acknowledgment feedback, a message to the parent process to notify the parent process that a task of the child process has been completed; and meanwhile, setting, by the parent process, cgroups for the grandchild process after receiving the communication-ready message sent by the grandchild process, and sending a message to the grandchild process to notify the grandchild process that the grandchild process has obtained a resource.

3. (Currently Amended) The method for constructing a lightweight container-based user environment (CUE) according to claim 2, wherein in the step (2.2), after the calling, by the child process, the clone function clone() to obtain the grandchild process, the process identification (PID) of the grandchild process in a new namespace is 1.

4. (Currently Amended) The method for constructing a lightweight container-based user environment (CUE) according to claim 1, wherein the step (3) specifically comprises the following steps:
(3.1) calling, by the grandchild process, setsid() after receiving a message, so that the grandchild process becomes a leading process of a new session to prevent the grandchild process from becoming an orphaned process after the parent process ends; then calling setuid(executed with root permission; then calling setgid(
(3.2) after the communication ends, sequentially preparing, by the grandchild process as an independent process, the overlay file system of the grandchild process, setting the hostname, and limiting the permission by using the capability mechanism of the Linux kernel, and finally executing the initialization script init.sh to start the container.

5. (Currently Amended) The method for constructing a lightweight container-based user environment (CUE) according to claim 1, wherein the preparing an overlay file system of the grandchild process is specifically overlapping an empty folder on "/" of a host based on the overlay file system, changing the root to a merged folder, binding user directories of other users, and mounting an empty folder to the merged folder to hide content.

6. (Currently Amended) A system for constructing a lightweight container-based user environment (CUE), comprising a computer device having a memory, wherein the computer device is programmed or configured to perform the steps of the method for constructing a lightweight container-based user environment (CUE) according to claim 1.

7. (Currently Amended) A system for constructing a lightweight container-based user environment (CUE), comprising a computer device having a memory, wherein the computer device is programmed or configured to perform the steps of the method for constructing a lightweight container-based user environment (CUE) according to claim 2.

8. (Currently Amended) A system for constructing a lightweight container-based user environment (CUE), comprising a computer device having a memory, wherein the computer device is programmed or configured to perform the steps of the method for constructing a lightweight container-based user environment (CUE) according to claim 3.

9. (Currently Amended) A system for constructing a lightweight container-based user environment (CUE), comprising a computer device having a memory, wherein the computer device is programmed or configured to perform the steps of the method for constructing a lightweight container-based user environment (CUE) according to claim 4.

10. (Currently Amended) A system for constructing a lightweight container-based user environment (CUE), comprising a computer device having a memory, wherein the computer device is programmed or configured to perform the steps of the method for constructing a lightweight container-based user environment (CUE) according to claim 5.

11. (Currently Amended) A system for constructing a lightweight container-based user environment (CUE), comprising a computer device having a non-transitory computer readable storage medium, wherein [[a]] the storage medium of the computer device stores a computer program that is programmed or configured to perform the method for constructing a lightweight container-based user environment (CUE) according to claim 1.

12. (Currently Amended) A system for constructing a lightweight container-based user environment (CUE), comprising a computer device having a non-transitory computer readable storage medium, wherein [[a]] the storage medium of the computer device stores a computer program that is programmed or configured to perform the method for constructing a lightweight container-based user environment (CUE) according to claim 2.

13. (Currently Amended) A system for constructing a lightweight container-based user environment (CUE), comprising a computer device having a non-transitory computer readable storage medium, wherein [[a]] the storage medium of the computer device stores a computer program that is programmed or configured to perform the method for constructing a lightweight container-based user environment (CUE) according to claim 3.

14. (Currently Amended) A system for constructing a lightweight container-based user environment (CUE), comprising a computer device having a non-transitory computer readable storage medium, wherein [[a]] the storage medium of the computer device stores a computer program that is programmed or configured to perform the method for constructing a lightweight container-based user environment (CUE) according to claim 4.

15. (Currently Amended) A system for constructing a lightweight container-based user environment (CUE), comprising a computer device having a non-transitory computer readable storage medium, wherein [[a]] the storage medium of the computer device stores a computer program that is programmed or configured to perform the method for constructing a lightweight container-based user environment (CUE) according to claim 5.

16. (Currently Amended) A non-transitory computer readable storage medium, wherein the computer readable storage medium stores a computer program that is programmed or configured to perform the method for constructing a lightweight container-based user environment (CUE) according to claim 1.

17. (Currently Amended) A non-transitory computer readable storage medium, wherein the computer readable storage medium stores a computer program that is programmed or configured to perform the method for constructing a lightweight container-based user environment (CUE) according to claim 2.

18. (Currently Amended) A non-transitory computer readable storage medium, wherein the computer readable storage medium stores a computer program that is programmed or configured to perform the method for constructing a lightweight container-based user environment (CUE) according to claim 3.

19. (Currently Amended) A non-transitory computer readable storage medium, wherein the computer readable storage medium stores a computer program that is programmed or configured to perform the method for constructing a lightweight container-based user environment (CUE) according to claim 4.

20. (Currently Amended) A non-transitory computer readable storage medium, wherein the computer readable storage medium stores a computer program that is programmed or configured to perform the method for constructing a lightweight container-based user environment (CUE) according to claim 5.






Reasons for Allowance

3. The following is an examiner’s statement of reasons for allowance: the prior-art, Wier (US Patent 11157331), in view of Ananthakrishnan (US PGPub 20180189339), in view of Schneider (US PGPub 20090125711), in view of Choi (US PGPub 20130227652), and further in view of Hadas (US PGPub 20140181950) failed to disclose: a method for constructing a lightweight container-based user environment (CUE), wherein the method comprises the following steps: (1) preparing, by a main process used to execute user environment construction, a socket pair for interprocess communication, calling a clone function, clone(), to obtain a child process, and serving the main process as a parent process of the child process; (2) elevating permission of the child process to root, executing namespace isolation, calling the clone function, clone(), to obtain a grandchild process, and sending a process identification (PID) of the grandchild process to the parent process, and setting, by the parent process, cgroups for the grandchild process according to the process identification (PID); and (3) setting, by the grandchild process, permission of the grandchild process to execute a command and a file, then as an independent process, sequentially preparing an overlay file system of the grandchild process, setting a hostname, and limiting permission by using a capability mechanism of a Linux kernel, executing an initialization script, init.sh, and finally constructing a container according to the initialization script, as recited by the independent claim 1.

Regarding Claim 1, the closest prior-art found, Wier, Ananthakrishnan, Schneider, Choi and Hadas, discloses a method for constructing a lightweight container-based user environment (CUE), wherein the method comprises the following steps: (1) preparing, by a main process used to execute user environment construction, a socket pair for interprocess communication, calling a clone function, clone(), to obtain a child process, and serving the main process as a parent process of the child process; (2) elevating permission of the child process to root, executing namespace isolation, calling the clone function, clone(), to obtain a grandchild process, and sending a process identification (PID) of the grandchild process to the parent process, and setting, by the parent process, cgroups for the grandchild process according to the process identification (PID), and limiting permission by using a capability mechanism of a Linux kernel, executing an initialization script, init.sh, and finally constructing a container according to the initialization script.
Respectively, Wier teaches that, irrespective of how creation of a data object assignment container is initiated, after a data object assignment container is generated, it can be assigned to a user by an administrator (or a user who has the authorization to configure assignments) or by application of assignment rules (e.g., by a rules based engine to provide data object assignment container assignments to appropriate users or groups of users). Accordingly, communication links 201, 202, and 203 of the illustrated embodiment may comprise socket pairs facilitating secure inter-process communications.
Ananthakrishnan teaches that, for example, a system call to create a new process may be an exec (e.g., execve), a fork, or a clone system call, where a direct edge between two nodes in the tree represents a parent-child relationship between the two processes corresponding to the two nodes. For example, the root node of the tree may represent the target process and nodes directly connected to the root node by edges may represent child processes of the target process, and nodes directly connected to those child nodes may represent grandchild processes of the target process, nodes directly connected to those grandchild nodes may represent great grandchild processes of the target process, and so on.
Schneider teaches that a chroot on POSIX type systems is an operation that changes the apparent disk root directory for the current running process and its children. A program that is re-rooted to another directory cannot access or name files outside that directory, called a chroot jail. The term "chroot" may refer to the chroot(2) system call. In other words, the location of the root directory for a running process is changed so that the process cannot access any files in the remainder of the system.
Choi teaches that the Linux kernel 120 may request the process generated by the application to assign the manager permission in operation 162. Accordingly, even though the SU command is installed by a malicious user, process, or application, assignment of the manager permission to the executed application may be restricted. For the above operation, in operation 142, the Linux kernel 120 may assign UID to the corresponding application. Further, in operation 143, the permission manager 130 may assign user permission to the generated process. If the process is assigned with the user permission, the corresponding process may perform the predetermined work using an accessible file or an I/O device. If an application is executed, the Linux kernel 120 may assign UID to the executed application in operation 161. Further, the Linux kernel 120 may request the process generated by the application to assign the manager permission in operation 162.
Hadas teaches that as a part of the steps that may be taken by a child process for the purpose of setting up the child's process environment (e.g., after the arrival of a request), the child process may be also implemented to set the following parameters for the child process: a real, effective file system and saved user id and group id (euid, suid, ruid, fsuid, egid, sgid, rgid, fsgid), the child process file descriptors, the child process env, argv, session id and process group id, the child process process-id (pid) and parent-process-id (ppid), the child process current working directory (cwd) and root directory, the child process file system mount table, ulimits, Cgroups or other process environment parameters.
However, the prior art, Wier, Ananthakrishnan, Schneider, Choi and Hadas, failed to disclose the following subject matter, such as “(3) setting, by the grandchild process, permission of the grandchild process to execute a command and a file, then as an independent process, sequentially preparing an overlay file system of the grandchild process, setting a hostname.”
Claim 6 is a system claim similar to claim 1, and claim 11 is another system claim, also similar to claim 1. Claim 16 is a product claim similar to claim 1. Also, the system claims 7-10 and 12-15, as well as the product claims 17-20, contain the allowable subject matter from claims 6, 11 and 16, respectively. Therefore, claims 1-20 are allowed.

4. Any comments considered necessary by applicant must be submitted no later than the payment of the issue fee and, to avoid processing delays, should preferably accompany the issue fee. Such submissions should be clearly labeled “Comments on Statement of Reasons for Allowance.”



Conclusion

Any inquiry concerning this communication or earlier communications from the examiner should be directed to JAE UK JEON whose telephone number is (571)270-3649.  The examiner can normally be reached on 9am-6pm. Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice. If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Chat Do can be reached on 571-272-3721.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300. Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.






/JAE U JEON/Primary Examiner, Art Unit 2193