DETAILED ACTION

Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.


The following is a quotation of 35 U.S.C. 112 (pre-AIA), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.



Claim(s) 3, 5, 6, 12, 14 and 15 is/are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA 35 U.S.C. 112, the applicant), regards as the invention.

Claim 3 (similarly claim 12) recites: “executing a subsequent task in the execution pipeline that requires the one or more digital certificates”. It is unclear where/when the subsequent task will be executed within the execution pipeline.

Claim 5 (similarly claim 14) recites the limitation "the sequence".  There is insufficient antecedent basis for this limitation in the claim.
Claim 6 (similarly claim 15) recites the limitation "the digital certificates".  There is insufficient antecedent basis for this limitation in the claim.


Claim Rejections - 35 USC § 103

In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.


Claim(s) 1-20 is/are rejected under 35 U.S.C. 103 as being unpatentable over Vaddi et al. (Pub 20200287724) (hereafter Vaddi) in view of Joshi et al. (Pub 20180287883) (hereafter Joshi).

As per claim 1, Vaddi teaches:
A distributed computing system comprising a plurality of computers storing instructions that are operable, when executed by the plurality of computers, to cause the plurality of computers to perform operations comprising: ([Paragraph 26], The hosting system 204 may be, for example, a computing node or a cluster of computing nodes, also referred to as a cluster. A computing node, also referred to as a node, may be a computing device (e.g., a personal computer, a laptop, or a desktop) or a Virtual Machine (VM) running on a computing device. The cluster may refer to a set of nodes which have their resources, such as storage, processor, and memory, managed together.)
receiving, by the distributed computing system, a source container image;  ([Paragraph 28], The container may provide, among other things, code, runtime, system tools, system libraries, and settings to the service. Further, the container can provide a consistent runtime environment to the service regardless of the node it is hosted in.  [Paragraph 30], In an example, the container 208 may be part of a pod 210, which may be the smallest functional unit that can be managed, i.e., created, deployed, and deleted, by the container orchestration platform 209.)
receiving, by the distributed computing system, one or more digital certificates; 
executing, by the distributed computing system, a certificate injection task, including: 
launching a container instance from the source container image, 
executing injection code within an execution environment of the launched container instance that writes the one or more digital certificates to one or more corresponding locations within a file system of the execution environment, and ([Paragraph 15], For instance, upon injection of the certificate, the service deployed in the container can retrieve the certificate from the certificate storage location and use the certificate for determining whether a software program can be trusted. [Paragraph 16], The injection of certificates in response to initialization of a container ensures that a container has all certificates that can be used for establishing trusted communications before a service becomes operational. [Paragraph 17], Since the present subject matter enables injection of certificates even after initialization of containers, the certificates may not have to be bundled with container images, from which containers are created. Therefore, the present subject matter can be used to establish trusted communications using certificates issued by private certification authorities (CAs), which are generally not bundled with container images. Accordingly, the present subject matter can be used in on-premises (on-prem) clusters, which generally use certificates issued by private CAs for establishing trusted communications.  [Paragraph 10], Further, if a certificate is to be deployed in a container after initialization of the container, the container may have to be redeployed…)
However, Vaddi does not explicitly disclose generating an output container image having the one or more digital certificates.
Joshi teaches generating an output container image having the one or more digital certificates. ([Paragraph 54], some embodiments of the container manager 20 may further be configured to deploy new versions of images of containers…  [Paragraph 57], In some embodiments, the container packager 12 includes a controller 42, a composition parser 44, an image ingest module 46, a dependency consolidator 48, an application consolidator 50, an installation packager 52, and a package deployment module 54.  [Paragraph 75], In some embodiments, the installation package further includes a cryptographic security certificate of the monolithic application, such as one supplied by a third party that certifies the monolithic application 17 as authentic and authorized, like an entity operating an application store server from which computing devices download various applications, like native applications, executing on mobile devices or on desktop devices.)
Joshi also teaches receiving a container image and receiving a digital certificate. ([Paragraph 77], In some embodiments, the installation package may be stored in memory, for example, in the package deployment module 54. In some embodiments, the package deployment module 54 may supply the package to a repository of applications from which applications are downloaded, such as one that supplied a cryptographic certificate within the installation package. Or in some embodiments, the package deployment module 54 may supply the installation package to requesting computing devices, such as computing device 15.  [Paragraph 57], In some embodiments, the container packager 12 includes a controller 42, a composition parser 44, an image ingest module 46, a dependency consolidator 48, an application consolidator 50, an installation packager 52, and a package deployment module 54.)
It would have been obvious to a person with ordinary skill in the art before the effective filing date of the invention to combine the teachings of Vaddi, wherein a source container image is received and a digital certificate is received and injected into a container image, with the teachings of Joshi, wherein a container image is built/re-built (i.e., as a new version) with a certificate. Doing so would enhance the teachings of Vaddi: injecting the certificate into an already initialized container image allows the container to establish trusted communication as needed, and the container image can then be re-built as a new version of the container image with the newly modified certificate.

As per claim 2, rejection of claim 1 is incorporated:
Joshi teaches wherein the distributed computing system comprises a container integration pipeline configured to execute a plurality of tasks in a predefined sequence. ([Paragraph 30], In some cases, some of the application components may be distinct from one another and serve different purposes, for instance, in different stages of a pipeline in which a transaction is processed by the distributed application. An example includes a web server that receives a request, a controller that composes a query to a database based on the request, a database that services the query and provides a query result, and a view generator that composes instructions for a web browser to render a display responsive to the request to the web server.  [Paragraph 42], For instance, a given website request and the chain of events in a pipeline by which the given website request is serviced is an example of a transaction. In many cases, the distributed application may service a relatively large number of transactions concurrently, for instance, after a relatively large number of users make requests at around the same time.  [Paragraph 56], In some embodiments, each of the services may be associated with an image in the image repository 22 that includes the application component and dependencies of the application component, such as libraries called by the application component and frameworks that call the application component within the context of a container. In some embodiments, upon the container manager 20 receiving a command to run a composition file, the container manager may identify the corresponding repositories in the image repository 22 and instruct container engines 34 on one or more of the computing devices 14 to instantiate a container, store the image within the instantiated container, and execute the image to instantiate the corresponding service. In some embodiments, a multi-container application may execute on a single computing device 14 or multiple computing devices 14. 
In some embodiments, containers and instances of services may be dynamically scaled, adding or removing containers and corresponding services as needed, in some cases, responses to events or metrics gathered by a monitoring application.  [Paragraph 57],  In some embodiments, the container packager 12 includes a controller 42, a composition parser 44, an image ingest module 46, a dependency consolidator 48, an application consolidator 50, an installation packager 52, and a package deployment module 54. In some embodiments, the controller 42 directs the operation of the other components 46-52 of the container packager 12 and routes communication therebetween.  [Paragraph 60], In some embodiments, the retrieved container images also include dependencies of the application component. The term “dependencies” is used herein to refer to software relied upon by the application component to execute for at least some operations. This software may be stored in the same container as the application component. Examples include libraries called by the application component (e.g., libraries imported by code of the application component from a predefined directory within the container filesystem) and frameworks that call the application component from within the same user space instance corresponding to the respective container.)

As per claim 3, rejection of claim 2 is incorporated:
Joshi teaches wherein the operations further comprise executing a subsequent task in the execution pipeline that requires the one or more digital certificates. ([Paragraph 77], In some embodiments, the installation package may be stored in memory, for example, in the package deployment module 54. In some embodiments, the package deployment module 54 may supply the package to a repository of applications from which applications are downloaded, such as one that supplied a cryptographic certificate within the installation package. Or in some embodiments, the package deployment module 54 may supply the installation package to requesting computing devices, such as computing device 15.  [Paragraph 57], In some embodiments, the container packager 12 includes a controller 42, a composition parser 44, an image ingest module 46, a dependency consolidator 48, an application consolidator 50, an installation packager 52, and a package deployment module 54.  [Paragraph 75], In some embodiments, the installation package further includes a cryptographic security certificate of the monolithic application, such as one supplied by a third party that certifies the monolithic application 17 as authentic and authorized, like an entity operating an application store server from which computing devices download various applications, like native applications, executing on mobile devices or on desktop devices.  [Paragraph 60], In some embodiments, the retrieved container images also include dependencies of the application component. The term “dependencies” is used herein to refer to software relied upon by the application component to execute for at least some operations. This software may be stored in the same container as the application component. 
Examples include libraries called by the application component (e.g., libraries imported by code of the application component from a predefined directory within the container filesystem) and frameworks that call the application component from within the same user space instance corresponding to the respective container.)

As per claim 4, rejection of claim 3 is incorporated:
Vaddi teaches wherein the subsequent task in the execution pipeline is a get-secrets task that uses the one or more digital certificates to obtain secrets from a secrets database. ([Paragraph 43], Although the trust establishment is explained with reference to a single certificate (the certificate 107), in an example, several certificates can be injected. For example, different software programs may use certificates issued by different trusted entities and may present such certificates to the services they are to communicate with. Accordingly, the memory 104 may store certificates (e.g., root certificates) of all such trusted entities and, upon receiving a pod creation event, may inject all such certificates into the containers of the created pod. Therefore, the present subject matter can be utilized to establish trusted communication with a wide variety of software programs.  [Paragraph 48], A certificate may be injected into the containers that host services that are to use the certificate for establishing trusted communication.  [Paragraph 15], For instance, upon injection of the certificate, the service deployed in the container can retrieve the certificate from the certificate storage location and use the certificate for determining whether a software program can be trusted.)
Joshi teaches a pipeline and dependencies to install certificate(s), and accessing a database with an established certificate. ([Paragraph 30], An example includes a web server that receives a request, a controller that composes a query to a database based on the request, a database that services the query and provides a query result, and a view generator that composes instructions for a web browser to render a display responsive to the request to the web server. Often, pipelines in commercial implementations are substantially more complex, for instance, including more than 10 or more than 20 stages, often with load-balancing at the various stages including more than 5 or more than 10 instances configured to service transactions at any given stage. Or some embodiments have a hub-and-spoke architecture, rather than a pipeline, or a combination thereof. In some cases, multiple software applications may be distributed across the same collection of computing devices, in some cases sharing some of the same instances of application components, and in some cases having distinct application components that are unshared.  [Paragraph 75], In some embodiments, the installation package further includes a cryptographic security certificate of the monolithic application, such as one supplied by a third party that certifies the monolithic application 17 as authentic and authorized, like an entity operating an application store server from which computing devices download various applications, like native applications, executing on mobile devices or on desktop devices.)

As per claim 5, rejection of claim 2 is incorporated:
Vaddi teaches wherein the certificate injection task is located at a position in the sequence before all other tasks that modify the source container image in the predefined sequence. ([Paragraph 14], the injection of the certificate may be performed in response to initialization of the container…  [Paragraph 16], The injection of certificates in response to initialization of a container ensures that a container has all certificates that can be used for establishing trusted communications before a service becomes operational.)

As per claim 6, rejection of claim 2 is incorporated:
Joshi teaches wherein the operations further comprise deploying, on a deployment platform, a final version of the source container image having the digital certificates after all tasks of the container integration pipeline have been executed. ([Paragraph 54], Some embodiments of the container manager 20 may further be configured to deploy new versions of images of containers, for instance, to rollout updates or revisions to application code. [Paragraph 57],  In some embodiments, the container packager 12 includes a controller 42, a composition parser 44, an image ingest module 46, a dependency consolidator 48, an application consolidator 50, an installation packager 52, and a package deployment module 54. In some embodiments, the controller 42 directs the operation of the other components 46-52 of the container packager 12 and routes communication therebetween.  [Paragraph 60], In some embodiments, the retrieved container images also include dependencies of the application component. The term “dependencies” is used herein to refer to software relied upon by the application component to execute for at least some operations. This software may be stored in the same container as the application component. Examples include libraries called by the application component (e.g., libraries imported by code of the application component from a predefined directory within the container filesystem) and frameworks that call the application component from within the same user space instance corresponding to the respective container. [Paragraph 75], In some embodiments, the installation package further includes a cryptographic security certificate of the monolithic application, such as one supplied by a third party that certifies the monolithic application 17 as authentic and authorized, like an entity operating an application store server from which computing devices download various applications, like native applications, executing on mobile devices or on desktop devices.)

As per claim 7, rejection of claim 1 is incorporated:
Vaddi teaches wherein only the certificate injection task is configured to write certificates to the source container image. ([Paragraph 25], The instructions 106, when executed by the processor 102, enable injection of the certificate 107 from the memory 104 into a certificate storage location (CSL) of the container. Here, injection of a certificate into a container may refer to writing the certificate into a storage region within the container. The certificate storage location may be a location in the container that is designated for storing digital certificates.  [Paragraph 40], If the container orchestration platform 209 is Kubernetes®, in an example, the injection command may be a kubectl exec command. The injection command may specify the name of the pod 210, which hosts the container 208, and the CSL 214, so that the certificate 107 can be injected into the CSL 214 of the container hosted in the pod 210.  [Paragraph 13], Further, the certificate storage location may be a location in the container designated for storing certificates.  [Paragraph 25], The instructions 106, when executed by the processor 102, enable injection of the certificate 107 from the memory 104 into a certificate storage location (CSL) of the container.)

As per claim 8, rejection of claim 1 is incorporated:
Vaddi teaches wherein launching the container instance from the source container image comprises launching a non-privileged container instance. ([Paragraph 9], In some cases, before exchanging information with the software program, the service may have to verify that the software program is trustworthy. For example, the service may have to ensure that the software program is not used by an attacker who may use information provided by the service in a way that would be harmful to a computing environment having the service.  [Paragraph 17], Since the present subject matter enables injection of certificates even after initialization of containers, the certificates may not have to be bundled with container images, from which containers are created…  [Paragraph 47], It is to be noted that the injection of the certificates in response to the memory 104 getting updated, as explained above, may be performed even after initialization of the container 208, and during runtime of the container 208.)

As per claim 9, rejection of claim 8 is incorporated:
Vaddi teaches wherein the non-privileged container instance does not have container builder software installed. ([Paragraph 9], In some cases, before exchanging information with the software program, the service may have to verify that the software program is trustworthy. For example, the service may have to ensure that the software program is not used by an attacker who may use information provided by the service in a way that would be harmful to a computing environment having the service.  [Paragraph 17], Since the present subject matter enables injection of certificates even after initialization of containers, the certificates may not have to be bundled with container images, from which containers are created…  [Paragraph 47], It is to be noted that the injection of the certificates in response to the memory 104 getting updated, as explained above, may be performed even after initialization of the container 208, and during runtime of the container 208.)
Joshi teaches ([Paragraph 18], In some embodiments, the computing environment 10 may include the container packager 12, a plurality of computing devices 14, an application monitor 16 of a monitoring application, a composition file repository 18, a container manager 20, and an image repository 22. These components may communicate with one another via a network 21, such as the Internet and various local area networks.  [Paragraph 57], In some embodiments, the container packager 12 includes a controller 42, a composition parser 44, an image ingest module 46, a dependency consolidator 48, an application consolidator 50, an installation packager 52, and a package deployment module 54. In some embodiments, the controller 42 directs the operation of the other components 46-52 of the container packager 12 and routes communication therebetween. In some embodiments, the controller 42 executes the process of FIG. 2 by making corresponding calls to the various components illustrated, which in some cases, may be software modules, like functions or methods, or in some cases, may be respective services running in different processes or hosts.)

As per claims 10-18, these are method claims corresponding to the system claims 1-9. Therefore, they are rejected based on similar rationale.

As per claims 19 and 20, these are non-transitory computer storage media claims corresponding to the system claims 1 and 2. Therefore, they are rejected based on similar rationale.

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to DONG U KIM whose telephone number is (571)270-1313. The examiner can normally be reached 9:00am - 5:00pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Emerson Puente, can be reached on 571-272-3652. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/DONG U KIM/Primary Examiner, Art Unit 2196