Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
Response to Arguments
Applicant’s arguments with respect to claim(s) 1-20 have been considered but are moot because the new ground of rejection does not rely on any reference applied in the prior rejection of record for any teaching or matter specifically challenged in the argument.
Claim Objections
Claim 19 is objected to because of the following informalities: “cause the processing device is to generate” should be “cause the processing device [[is]] to generate.” Appropriate correction is required.
Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis (i.e., changing from AIA to pre-AIA ) for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
The factual inquiries for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
Claim(s) 1-4, 8-12, and 16-20 is/are rejected under 35 U.S.C. 103 as being unpatentable over Brasser (F. Brasser, P. Jauernig, F. Pustelnik, A.-R. Sadeghi, and E. Stapf, ‘‘Trusted container extensions for container-based confidential computing,’’ 2022, arXiv:2205.05747) and further in view of Bandi (US 11,399,013) and further in view of Zihnioglu (US 11,637,909).
Regarding claim 1, Brasser teaches: A method comprising:
sending a first command from a computing device to a container agent of a confidential virtual machine (VM) running on a host computing system (Section VI, “Docker only interacts with the kata-runtime via standardized Open Container Interface (OCI) commands and does not manage the execution of containers itself, but delegates this functionality to the runtime. This allows the Container Owner to manage the container state with existing tools, such that R6 is fulfilled” and IV, “R1 Container Confidentiality: Confidentiality of all data & code inside containers must be ensured at all times”), wherein the first command is sent to the container agent through a control plane of the host computing system and causes the container agent to communicate with a relying party to verify confidentiality of the confidential VM (Section VI, “We implement a secure proxy on both sides, such that all commands from the Container Owner are sent via an authenticated secure channel” and Section V, “After the attestation report has been validated, the Deploy Service creates an identity CertRootV M in the form of a certificate and injects it in the Root VM via the TEE Primitives”).
Brasser does not teach; however, Bandi discloses: receiving network information for the container agent from the relying party (col. 3:22-29, “To perform the verification, the identity sidecar may execute a set of verification protocol operations, which may include local attestation to verify the contents of the secure enclave, remote attestation to verify the identity of the processor associated with the enclave, and verification that the service's name or identifier was associated with the processor at a previous time, e.g., when the service was started on the processor”);
establishing a network connection with the container agent based on the network information received from the relying party (col. 3:29-31, “If any of these verification steps fails, then the service's identity may have been compromised, and the service may be stopped”); and
sending, by a processing device, a second command from the computing device to the container agent of the confidential VM via the second network connection (col. 4:63-65, “Communication between service instances 232, such as requests and responses, located on different servers 220 may be sent via the network 212”).
It would have been obvious to a person having ordinary skill in the art, at the effective filing date of the invention, to have applied the known technique of receiving network information for the container agent from the relying party; establishing a network connection with the container agent based on the network information received from the relying party; and sending, by a processing device, a second command from the computing device to the container agent of the confidential VM via the network connection, as taught by Bandi, in the same way to the method, as taught by Brasser. Both inventions are in the field of secure container communication, and combining them would have predictably resulted in “securing service meshes,” as indicated by Bandi (col. 1:6-7).
Brasser and Bandi do not teach; however, Zihnioglu discloses: the network connection includes a first network connection to receive commands from at least the relying party (col. 1:42-44, “a communications session that spans over two communications connections: the TCP connection established between the source computer and the proxy server”) and a second network connection to send commands to the container agent (col. 1:45-46, “and the TCP connection established between the proxy server and the destination host” and col. 1:46-49, “the source computer starts transmitting data through the proxy server to the destination host, and the destination host starts transmitting data through the proxy server to the source computer”).
It would have been obvious to a person having ordinary skill in the art, at the effective filing date of the invention, to have applied the known technique of the network connection includes a first network connection to receive commands from at least the relying party and a second network connection to send commands to the container agent, as taught by Zihnioglu, in the same way to the network connection, as taught by Brasser and Bandi. Both inventions are in the field of secure proxy based network communications, and combining them would have predictably resulted in a method to “prevent the delay in establishing the TCP connections when the proxy server is in the process of enabling source hosts to access the services provided by the destination hosts,” as indicated by Zihnioglu (col. 2:55-58).
Regarding claim 2, Brasser teaches: The method of claim 1, further comprising translating the second command from a first format generated by a user interface to a second format applicable to the container agent (Section II C, “The kata-runtime process runs on the underlying host system and receives Open Catalog Interface (OCI) compatible commands from containers (a standardized high-level container runtime), which are translated into internal commands”).
Regarding claim 3, Brasser teaches: The method of claim 2, wherein the host computing system comprises a first instance of a software stack that passes the first command from the control plane to the container agent (Section VI, “Host System. The Host System runs the Host Service, which manages the lifecycle of SC-VMS and configures KVM as the hypervisor accordingly. Furthermore, the Host Service includes a switch, which routes incoming connections to a destination SC-VM”), and wherein translating the second command comprises passing the second command through a second instance of the software stack (Section II C, “The kata-runtime process runs on the underlying host system and receives Open Catalog Interface (OCI) compatible commands from containers (a standardized high-level container runtime), which are translated into internal commands”).
Regarding claim 4, Brasser teaches: The method of claim 2, wherein the host computing system comprises a software stack that passes the first command from the control plane to the container agent (Section VI, “Host System. The Host System runs the Host Service, which manages the lifecycle of SC-VMS and configures KVM as the hypervisor accordingly. Furthermore, the Host Service includes a switch, which routes incoming connections to a destination SC-VM”), and wherein translating the second command comprises generating an equivalent transformation of the second command that would be performed by the software stack (Section II C, “The kata-runtime process runs on the underlying host system and receives Open Catalog Interface (OCI) compatible commands from containers (a standardized high-level container runtime), which are translated into internal commands”).
Regarding claim 8, Brasser teaches: The method of claim 1, further comprising sending a third command from the computing device to the container agent of the confidential VM via the relying party over a second network connection between the relying party and the container agent (Section V, “The channel is used by the Container Owner to securely exchange commands and data with the SC-VM” and Section VI, “We implement a secure proxy on both sides, such that all commands from the Container Owner are sent via an authenticated secure channel.”).
Claims 9-12 and 16-20 recite commensurate subject matter as claims 1-4 and 8. Therefore, they are rejected for the same reasons.
Claim(s) 5, 7, 13, and 15 is/are rejected under 35 U.S.C. 103 as being unpatentable over Brasser, Bandi, and Zihnioglu, as applied above, and further in view of Desai (US 2022/0197684).
Regarding claim 5, Brasser, Bandi, and Zihnioglu do not teach; however, Desai discloses: the second command is a command to retrieve logs or metrics from the container agent or execute a function within a container instantiated by the container agent (claim 1, “executing, in the pod VM by the pod VM agent, at least one probe of an application executing in one or more of the containers; and returning, from the pod VM agent to the pod VM controller, application health status obtained from the at least one probe”).
It would have been obvious to a person having ordinary skill in the art, at the effective filing date of the invention, to have applied the known technique of the second command is a command to retrieve logs or metrics from the container agent or execute a function within a container instantiated by the container agent, as taught by Desai, in the same way to the second command, as taught by Brasser, Bandi, and Zihnioglu. Both inventions are in the field of managing VM/container agents, and combining them would have predictably resulted in “returning, from the pod VM agent to the pod VM controller, application health status obtained from the at least one probe,” as indicated by Desai (¶ 4).
Regarding claim 7, Brasser, Bandi, and Zihnioglu do not teach; however, Desai discloses: after establishing the network connection with the container agent (¶ 33, “Pod VM agent 212 establishes a channel with pod VM controller 216”), sending a third command from the computing device to the container agent of the confidential VM via the control plane of the host computing system (¶ 33, “Pod VM controller 216 obtains information describing probes to be run from supervisor Kubernetes master 104 and forwards this information to pod VM agent 212 over the hypervisor-to-guest channel”).
It would have been obvious to a person having ordinary skill in the art, at the effective filing date of the invention, to have applied the known technique of after establishing the network connection with the container agent, sending a third command from the computing device to the container agent of the confidential VM via the control plane of the host computing system, as taught by Desai, in the same way to the second command, as taught by Brasser, Bandi, and Zihnioglu. Both inventions are in the field of managing VM/container agents, and combining them would have predictably resulted in “returning, from the pod VM agent to the pod VM controller, application health status obtained from the at least one probe,” as indicated by Desai (¶ 4).
Claims 13 and 15 recite commensurate subject matter as claims 5 and 7. Therefore, they are rejected for the same reasons.
Claim(s) 6 and 14 is/are rejected under 35 U.S.C. 103 as being unpatentable over Brasser, Bandi, and Zihnioglu, as applied above, and further in view of Rosoff (US 2021/0311764).
Regarding claim 6, Brasser, Bandi, and Zihnioglu do not teach; however, Rosoff discloses: the first and second commands are kubectl commands received from a kubectl command line interface (¶ 35, “Kubernetes client 102 represents an input interface for a user to supervisor Kubernetes master 104. Kubernetes client 102 is commonly referred to as kubectl. Through Kubernetes client 102, a user submits desired states of the Kubernetes system, e.g., as YAML documents, to supervisor Kubernetes master 1104”).
It would have been obvious to a person having ordinary skill in the art, at the effective filing date of the invention, to have applied the known technique of the first and second commands are kubectl commands received from a kubectl command line interface, as taught by Rosoff, in the same way to the commands, as taught by Brasser, Bandi, and Zihnioglu. Both inventions are in the field of managing VM/container agents, and combining them would have predictably resulted in “a platform for automating deployment, scaling, and operations of application containers across clusters of hosts,” as indicated by Rosoff (¶ 1).
Claim 14 recites commensurate subject matter as claim 6. Therefore, they are rejected for the same reasons.
Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action. Accordingly, THIS ACTION IS MADE FINAL. See MPEP § 706.07(a). Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any nonprovisional extension fee (37 CFR 1.17(a)) pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to JACOB D DASCOMB whose telephone number is (571)272-9993. The examiner can normally be reached M-F 9:00-5:00.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Pierre Vital can be reached at (571) 272-4215. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/JACOB D DASCOMB/Primary Examiner, Art Unit 2198