Skip to content

Linux interview quick ref

Linux interview quick ref - one screen

Core mental model

  • Linux = kernel + userspace. Kernel handles CPU, memory, devices, filesystems, network. Userspace is systemd, shells, daemons, tools.
  • Boot chain: UEFI/BIOS -> bootloader -> kernel -> initramfs -> PID 1 (systemd) -> services
  • Syscall boundary matters: apps ask kernel to do work via open/read/write, fork/exec, socket/connect, mmap, etc.

systemd

  • PID 1 is special: adopts orphans, manages services, exiting PID 1 = bad day.
  • Commands: systemctl status/start/stop/restart/enable, journalctl -u svc -b, systemctl list-units --failed
  • Important nuance: network.target != “network ready”; use network-online.target only for services that truly need configured connectivity.

Processes / signals

  • fork() clones, exec() replaces, parent wait() reaps.
  • States: running, sleeping, stopped, zombie.
  • SIGTERM = polite, SIGKILL = murder, SIGHUP often reload.
  • Zombie = dead child not reaped. CLOSE_WAIT usually means app bug / socket not closed.

Filesystems / storage

  • Inode = metadata + block pointers, not filename.
  • Hard link = same inode. Symlink = path reference.
  • Mounts make filesystems visible in one tree.
  • LVM mental model: PV -> VG -> LV -> filesystem
  • Know caveat: XFS grows, does not shrink. ext4 can usually shrink offline.
  • Deleted-open-file leak: process holds disk space after file deleted - find with lsof +L1.

Memory

  • Look at MemAvailable, not raw MemFree.
  • Linux uses free RAM for page cache - that is normal, not a crime.
  • OOM killer triggers under memory pressure when reclaim/swap are insufficient.
  • Fast checks: free -h, vmstat 1, dmesg -T | grep -i oom

Networking

  • Use ip, not old ifconfig/route.
  • Checks: ip a, ip r, ss -tulpn, ping, curl, resolvectl status
  • DNS path matters: app -> NSS -> resolver (systemd-resolved or other) -> DNS server
  • Know basics: route table, default gateway, CIDR, MTU, TCP handshake, listen vs established.

Firewalls / isolation

  • Modern framing: nftables first, iptables mostly legacy/compat layer.
  • cgroups v2 = unified resource control hierarchy. Namespaces isolate pid/net/mount/user views.
  • Containers are basically namespaces + cgroups + filesystem packaging, not tiny VMs.

Permissions / security

  • Standard bits: user/group/other + rwx.
  • Also know: ACLs, capabilities, sudo, SSH key auth.
  • SELinux/AppArmor = MAC layer beyond chmod/chown.
  • LUKS = block-device encryption, usually unlocked before root mount if root is encrypted.

Troubleshooting flow

    1. Define symptom
    1. Check service: systemctl status
    1. Check logs: journalctl -xeu svc
    1. Check resources: CPU/mem/disk/inodes
    1. Check network/listeners/routes/DNS
    1. Check recent changes
    1. Use strace if behavior is mysterious

High-value commands

systemctl journalctl ps top/htop ss ip df du findmnt lsblk lsof strace dmesg free vmstat iostat resolvectl

Good interview lines

  • “I troubleshoot Linux from the bottom up: service state, logs, resources, network, recent change, then syscall-level tracing if needed.”
  • “I treat memory pressure, inode exhaustion, and deleted-open-file leaks as separate failure classes.”
  • “For modern Linux I think in systemd, cgroup v2, nftables, and iproute2, not legacy scripts and folklore.”