Linux Processes

← Back to all decks

108 cards — 🟢 22 easy | 🟡 62 medium | 🔴 16 hard

🟢 Easy (22)

1. SIGHUP, SIGINT, SIGKILL, and SIGTERM POSIX signals. Explain.

Show answer

- **SIGHUP** - is sent to a process when its controlling terminal is closed. It was originally designed to notify the process of a serial line drop (a hangup). Many daemons will reload their configuration files and reopen their logfiles instead of exiting when receiving this signal.


Remember: SIGTERM(15)=polite, SIGKILL(9)=forced, SIGHUP(1)=reload, SIGINT(2)=Ctrl+C.

Gotcha: SIGKILL can't be caught. Always try SIGTERM first.

2. What's the difference between a zombie and an orphan process?

Show answer

A zombie has exited but its parent hasn't called `wait()` yet, so it still has a PID entry.

An orphan's parent has exited; it gets reparented to PID 1 (systemd), which will reap it correctly.

Remember: Zombie = done but parent didn't wait(). Uses only PID entry. Can't kill it.

Gotcha: Fix parent or kill parent → init adopts and reaps zombies.

3. What signal does the kill command send by default, and how does it differ from SIGKILL?

Show answer

By default, `kill` sends SIGTERM (signal 15). This is a "soft" kill that allows
the process to catch the signal and perform cleanup operations before terminating.

SIGKILL (signal 9) is different because:
- It cannot be caught, blocked, or ignored by the process
- The kernel immediately terminates the process
- No cleanup handlers run, which can lead to data corruption
- Use `kill -9 PID` o

Remember: SIGTERM(15)=polite, SIGKILL(9)=forced, SIGHUP(1)=reload, SIGINT(2)=Ctrl+C.

Gotcha: SIGKILL can't be caught. Always try SIGTERM first.

4. What is the return value of fork()?

Show answer

- On success, the PID of the child process in parent and 0 in child process
- On error, -1 in the parent

Under the hood: fork()=duplicate parent, exec()=replace child memory. fork+exec=launch.

5. What is a process, and how do you list processes in Linux?

Show answer

A process is an executing program. You can list processes with commands like ps -aux or use an interactive viewer like top.

Remember: Tools: ps(list), top(monitor), kill(signal), lsof(files), strace(syscalls).

Gotcha: kill -15 first, kill -9 as last resort. -9 prevents graceful cleanup.

6. What is a Daemon in Linux?

Show answer

A background process. Most of these processes are waiting for requests or set of conditions to be met before actually running anything.
Some examples: sshd, crond, rpcbind.

Remember: Daemon = background, no terminal. Modern: let systemd manage it.

7. What is the advantage of executing the running processes in the background? How can you do that?

Show answer

The most significant advantage of executing the running process in the background is that you can do any other task simultaneously while other processes are running in the background. So, more processes can be completed in the background while you are working on different processes. It can be achieved by adding a special character `&` at the end of the command.


Remember: Ctrl+Z=suspend, bg=background, fg=foreground, jobs=list. &=start in background.

8. What is the difference between a "Zombie" process and an "Orphan" process?

Show answer

Both involve parent-child process relationships but are fundamentally different states.

Orphan Process:
- A LIVE process whose parent has terminated
- Automatically adopted by init (PID 1) or systemd
- Continues executing normally
- Not a problem - this is normal process lifecycle
- Example: Parent exits before child completes

Zombie Process:

Remember: Zombie = done but parent didn't wait(). Uses only PID entry. Can't kill it.

Gotcha: Fix parent or kill parent → init adopts and reaps zombies.

9. What is the init process?

Show answer

It is the first process executed by the kernel during the booting of a system. It is a daemon process which runs till the system is shutdown. That is why, it is the parent of all the processes

Remember: Tools: ps(list), top(monitor), kill(signal), lsof(files), strace(syscalls).

Gotcha: kill -15 first, kill -9 as last resort. -9 prevents graceful cleanup.

10. What is context switch?

Show answer

From [wikipedia](https://en.wikipedia.org/wiki/Context_switch): a context switch is the process of storing the state of a process or thread, so that it can be restored and resume execution at a later point

Remember: Tools: ps(list), top(monitor), kill(signal), lsof(files), strace(syscalls).

Gotcha: kill -15 first, kill -9 as last resort. -9 prevents graceful cleanup.

11. What is a zombie process?

Show answer

A process which has finished to run but has not exited.

One reason it happens is when a parent process is programmed incorrectly. Every parent process should execute wait() to get the exit code from the child process which finished to run. But when the parent isn't checking for the child exit code, the child process can still exists although it finished to run.

Remember: Zombie = done but parent didn't wait(). Uses only PID entry. Can't kill it.

Gotcha: Fix parent or kill parent → init adopts and reaps zombies.

12. What is a trap in bash scripting and how is it used for cleanup?

Show answer

A trap is a mechanism that allows the shell to intercept signals sent to a process and perform a specific action, such as handling errors or cleaning up resources before terminating the process.

Remember: Tools: ps(list), top(monitor), kill(signal), lsof(files), strace(syscalls).

Gotcha: kill -15 first, kill -9 as last resort. -9 prevents graceful cleanup.

13. Why should you always send SIGTERM before SIGKILL when stopping a process?

Show answer

SIGTERM (15) allows the process to catch the signal and shut down gracefully (flush buffers, close connections, remove PID files). SIGKILL (9) cannot be caught -- the kernel terminates the process immediately, leaving behind shared memory, temp files, and locks. Always SIGTERM first, wait, then SIGKILL only if needed.

Remember: SIGTERM(15)=polite, SIGKILL(9)=forced, SIGHUP(1)=reload, SIGINT(2)=Ctrl+C.

Gotcha: SIGKILL can't be caught. Always try SIGTERM first.

14. How do you view the process tree showing parent-child relationships?

Show answer

Use pstree -p to show the full process tree with PIDs. Alternatively, ps auxf or ps -ef --forest shows processes in a hierarchical tree format. This is critical for understanding which process spawned which child.

Remember: `ps aux`(BSD, %CPU/%MEM) vs `ps -ef`(UNIX, PPID). Both show all processes.

Example: `ps aux --sort=-%mem | head` — top memory consumers.

15. How do you suspend a running foreground process and then resume it in the background?

Show answer

Press Ctrl+Z to suspend the foreground process (sends SIGTSTP, puts it in Stopped state). Then use bg %1 to resume it in the background. Use jobs -l to list all jobs with their status and PIDs. Use fg %1 to bring it back to the foreground.

Remember: Ctrl+Z=suspend, bg=background, fg=foreground, jobs=list. &=start in background.

16. What is DNF and what is it used for in Linux package management?

Show answer

From the [repo](https://github.com/rpm-software-management/dnf):

"Dandified YUM (DNF) is the next upcoming major version of YUM. It does package management using RPM, libsolv and hawkey libraries."

Official [docs](https://dnf.readthedocs.io/en/latest/)

Remember: Tools: ps(list), top(monitor), kill(signal), lsof(files), strace(syscalls).

Gotcha: kill -15 first, kill -9 as last resort. -9 prevents graceful cleanup.

17. What is a TTY device?

Show answer

TTY (TeleTYpewriter) is a terminal device for user I/O.

Types:
- /dev/tty[1-6]: Virtual consoles (Ctrl+Alt+F1-F6)
- /dev/pts/N: Pseudo-terminals (SSH, terminal emulators)
- /dev/ttyS*: Serial ports
- /dev/ttyUSB*: USB serial devices

TTY subsystem provides:
- Line editing (backspace, etc.)
- Signal generation (Ctrl+C)
- Job control (foreground/background)
- Terminal modes (raw, cooked)

Commands:
- tty - Print current terminal
- who - Shows user terminals
- stty - Configure terminal settings
- write - Send message to terminal

Check terminal:
- tty command or echo $TTY
- /dev/pts/0 typical for SSH/terminal

Remember: Tools: ps(list), top(monitor), kill(signal), lsof(files), strace(syscalls).

Gotcha: kill -15 first, kill -9 as last resort. -9 prevents graceful cleanup.

18. What is an exit code? What exit codes are you familiar with?

Show answer

An exit code (or return code) represents the code returned by a child process to its
parent process.

0 is an exit code which represents success while anything higher than 1 represents error.
Each number has different meaning, based on how the application was developed.

I consider this as a good blog post to read more about it: https://shapeshed.com/unix-exit-codes

Remember: Tools: ps(list), top(monitor), kill(signal), lsof(files), strace(syscalls).

Gotcha: kill -15 first, kill -9 as last resort. -9 prevents graceful cleanup.

19. What does kill command do?

Show answer

In Unix and Unix-like operating systems, `kill` is a command used to send a signal to a process. By default, the message sent is the termination signal, which requests that the process exit. But `kill` is something of a misnomer; the signal sent may have nothing to do with process killing.

Remember: SIGTERM(15)=polite, SIGKILL(9)=forced, SIGHUP(1)=reload, SIGINT(2)=Ctrl+C.

Gotcha: SIGKILL can't be caught. Always try SIGTERM first.

20. How do you get a list of logged-in users?

Show answer

For a summary of logged-in users, including each login of a username, the terminal users are attached to, the date/time they logged in, and possibly the computer from which they are making the connection, enter:

```bash\n# It uses /var/run/utmp and /var/log/wtmp files to get the details.\nwho\n```

For extensive information, including username, terminal, IP number of the source computer, the time the login began, any idle time, process CPU cycles, job CPU cycles, and the currently running command, enter:

```bash\n# It uses /var/run/utmp, and their processes /proc.\nw\n```

Also important for displays a list of last logged in users, enter:

```bash\n# It uses /var/log/wtmp.\nlast\n```

21. What is grep command? How to match multiple strings in the same line?

Show answer

The `grep` utilities are a family of Unix tools, including `egrep` and `fgrep`.

`grep` searches file patterns. If you are looking for a specific pattern in the output of another command, `grep` highlights the relevant lines. Use this grep command for searching log files, specific processes, and more.

For match multiple strings:

```bash\ngrep -E "string1|string2" filename\n```

or

```bash\ngrep -e "string1" -e "string2" filename\n```

Remember: Tools: ps(list), top(monitor), kill(signal), lsof(files), strace(syscalls).

Gotcha: kill -15 first, kill -9 as last resort. -9 prevents graceful cleanup.

22. Explain environment variables. How do you list all of them?

Show answer

Environment variables are name-value pairs passed to processes.

Purpose:
- Configure program behavior
- Pass information to child processes
- System configuration (PATH, HOME, etc.)

Common variables:
- PATH: Command search paths
- HOME: User's home directory
- USER: Current username
- SHELL: Default shell
- LANG: Language/locale
- PWD: Current directory

List them:
- env - All environment variables
- printenv - Same as env
- printenv VAR - Specific variable
- echo $VAR - Print specific value
- export - Show exported variables

Set variables:
- export VAR=value (for child processes)
- VAR=value (shell only, not inherited)

Persistence: Add to ~/.bashrc or ~/.profile

🟡 Medium (62)

1. how to list all the processes running in your system?

Show answer

The "ps" command can be used to list all the processes running in a system. The "ps aux" command provides a detailed list of all the processes, including the ones running in the background.

Remember: Tools: ps(list), top(monitor), kill(signal), lsof(files), strace(syscalls).

Gotcha: kill -15 first, kill -9 as last resort. -9 prevents graceful cleanup.

2. What is the difference between a process and a thread?

Show answer

Processes are independent; threads share resources within a process.

Process:
- Independent execution unit
- Own memory space (heap, stack)
- Own file descriptors
- Own PID
- Higher creation overhead

Under the hood: processes have separate address spaces (isolated). Threads share address space (can access each other's memory). Linux treats both as 'tasks' via clone().

Remember: Tools: ps(list), top(monitor), kill(signal), lsof(files), strace(syscalls).

Gotcha: kill -15 first, kill -9 as last resort. -9 prevents graceful cleanup.

3. How to change the priority of a process? Why would you want to do that?

Show answer

To change the priority of a process, you can use the nice command in Linux. The nice command allows you to specify the priority of a process by assigning a priority value ranging from -20 to 19. A higher value of priority means lower priority for the process, and vice versa.


Remember: Nice: -20(high) to 19(low). Higher nice = nicer to others = lower priority.

4. What is a quick way to check if a process is in uninterruptible sleep (D state) and why does it matter?

Show answer

D state processes are stuck waiting for I/O and cannot be killed until the I/O completes.

Quick check:
- `ps -eo pid,state,comm | grep ' D'`
- In top/htop: look for 'D' in the S (state) column
- `cat /proc//status | grep State`

Why D state matters:
- Process is in uninterruptible sleep waiting for I/O (disk, network, etc.)
- SIGKILL (kill -9) will NOT terminate the process

Remember: R=running, S=sleeping, D=uninterruptible(I/O), Z=zombie, T=stopped.

5. How do you diagnose a stuck process?

Show answer

Inspect what the process is waiting on, check scheduling state, and capture stack context.
- `/proc//stat` or `ps -o stat` to confirm D (uninterruptible) vs R/S state.
- `/proc//wchan` – kernel wait channel for the blocking point.
- `/proc//stack` – kernel stack trace for I/O waits.
- `strace -p` – see which syscall is blocked.
- `gdb -p` or `pstack` – userspace backtrace when not in kernel wait.

Remember: Tools: ps(list), top(monitor), kill(signal), lsof(files), strace(syscalls).

Gotcha: kill -15 first, kill -9 as last resort. -9 prevents graceful cleanup.

6. How to get rid of zombie processes?

Show answer

You can't kill a zombie process the regular way with `kill -9` for example as it's already dead.

One way to kill zombie process is by sending SIGCHLD to the parent process telling it to terminate its child processes. This might not work if the parent process wasn't programmed properly. The invocation is `kill -s SIGCHLD [parent_pid]`

You can also try closing/terminating the parent process.

Remember: Zombie = done but parent didn't wait(). Uses only PID entry. Can't kill it.

Gotcha: Fix parent or kill parent → init adopts and reaps zombies.

7. Tell me everything you know about the Linux boot process

Show answer

Another way to ask this: what happens from the moment you turned on the server until you get a prompt

Remember: Tools: ps(list), top(monitor), kill(signal), lsof(files), strace(syscalls).

Gotcha: kill -15 first, kill -9 as last resort. -9 prevents graceful cleanup.

8. Explain the pipe() system call. What does it used for?

Show answer

[Unix pipe implementation](https://toroid.org/unix-pipe-implementation)

"Pipes provide a unidirectional interprocess communication channel. A pipe has a read end and a write end. Data written to the write end of a pipe can be read from the read end of the pipe.
A pipe is created using pipe(2), which returns two file descriptors, one referring to the read end of the pipe, the other referring to the write end."

Remember: Tools: ps(list), top(monitor), kill(signal), lsof(files), strace(syscalls).

Gotcha: kill -15 first, kill -9 as last resort. -9 prevents graceful cleanup.

9. What signals are you familiar with?

Show answer

SIGTERM - default signal for terminating a process
SIGHUP - common usage is for reloading configuration
SIGKILL - a signal which cannot caught or ignored

To view all available signals run `kill -l`

Remember: SIGTERM(15)=polite, SIGKILL(9)=forced, SIGHUP(1)=reload, SIGINT(2)=Ctrl+C.

Gotcha: SIGKILL can't be caught. Always try SIGTERM first.

10. What is a zombie/defunct process?

Show answer

Is a process that has completed execution (via the `exit` system call) but still has an entry in the process table: it is a process in the "**Terminated state**".

Processes marked **defunct** are dead processes (so-called "zombies") that remain because their parent has not destroyed them properly. These processes will be destroyed by init if the parent process exits.

Remember: Zombie = done but parent didn't wait(). Uses only PID entry. Can't kill it.

Gotcha: Fix parent or kill parent → init adopts and reaps zombies.

11. Explain the exec() system call

Show answer

It transforms the current running program into another program.
Given the name of an executable and some arguments, it loads the code and static data from the specified executable and overwrites its current code segment and current static code data. After initializing its memory space (like stack and heap) the OS runs the program passing any arguments as the argv of that process.

Remember: Tools: ps(list), top(monitor), kill(signal), lsof(files), strace(syscalls).

Gotcha: kill -15 first, kill -9 as last resort. -9 prevents graceful cleanup.

12. What are the differences between threads and processes?

Show answer

Threads share resources; processes are isolated.

Memory:
- Process: Own virtual address space
- Thread: Shares address space with other threads

Creation:
- Process: fork() - copies memory (CoW)
- Thread: clone() or pthread_create() - shares memory

Overhead:
- Process: Higher (separate page tables)

Remember: Tools: ps(list), top(monitor), kill(signal), lsof(files), strace(syscalls).

Gotcha: kill -15 first, kill -9 as last resort. -9 prevents graceful cleanup.

13. True or False? A successful call to exec() never returns

Show answer

True
Since a successful exec replace the current process, it can't return anything to the process that made the call.

Remember: Tools: ps(list), top(monitor), kill(signal), lsof(files), strace(syscalls).

Gotcha: kill -15 first, kill -9 as last resort. -9 prevents graceful cleanup.

14. Describe how to make a certain process/app a service

Show answer

The process will need a `.service` file to be created at the location `/etc/systemd/system/service-name.service` to be made into a service. The file has certain characteristics and need certain inputs to work. More details here.

Remember: Tools: ps(list), top(monitor), kill(signal), lsof(files), strace(syscalls).

Gotcha: kill -15 first, kill -9 as last resort. -9 prevents graceful cleanup.

15. Why running a new program is done using the fork() and exec() system calls? why a different API wasn't developed where there is one call to run a new program?

Show answer

This way provides a lot of flexibility. It allows the shell for example, to run code after the call to fork() but before the call to exec(). Such code can be used to alter the environment of the program it about to run.

Under the hood: fork()=duplicate parent, exec()=replace child memory. fork+exec=launch.

16. ls -l shows file attributes as question marks. What this means and what steps will you take to remove unused "zombie" files?

Show answer

This problem may be more difficult to solve because several steps may be required - sometimes you have get `test/file: Permission denied`, `test/file: No such file or directory` or `test/file: Input/output error`.


Remember: `ps aux`(BSD, %CPU/%MEM) vs `ps -ef`(UNIX, PPID). Both show all processes.

Example: `ps aux --sort=-%mem | head` — top memory consumers.

17. Can you describe how processes are being created?

Show answer

In Linux, processes are created via fork() and exec():

1. fork() - Creates child process
- Duplicates parent process
- Child gets copy of memory (copy-on-write)
- Child has new PID
- Returns 0 in child, child PID in parent

2. exec() - Replaces process image
- Loads new program into memory

Remember: Tools: ps(list), top(monitor), kill(signal), lsof(files), strace(syscalls).

Gotcha: kill -15 first, kill -9 as last resort. -9 prevents graceful cleanup.

18. How can you print information on the BIOS, motherboard, processor and RAM?

Show answer

`dmidecode` (note: not 'dmidecoode'). It reads SMBIOS/DMI data from the BIOS: `dmidecode -t bios` for BIOS info, `-t baseboard` for motherboard, `-t processor`, `-t memory`. Requires root.

Remember: Tools: ps(list), top(monitor), kill(signal), lsof(files), strace(syscalls).

Gotcha: kill -15 first, kill -9 as last resort. -9 prevents graceful cleanup.

19. What does strace do? What about ltrace?

Show answer

Both are tracing tools but at different levels:

strace - System call tracer:
- Traces kernel syscalls (open, read, write, etc.)
- Shows interaction with kernel
- strace -p PID (attach to process)
- strace -e open cmd (filter specific calls)
- Useful for: debugging, understanding program behavior

ltrace - Library call tracer:

Remember: Tools: ps(list), top(monitor), kill(signal), lsof(files), strace(syscalls).

Gotcha: kill -15 first, kill -9 as last resort. -9 prevents graceful cleanup.

20. True or False? In a child PID namespace all processes are aware of parent PID namespace and processes and the parent PID namespace has no visibility of child PID namespace processes

Show answer

False. The opposite is true. Parent PID namespace is aware and has visibility of processes in child PID namespace and child PID namespace has no visibility as to what is going on in the parent PID namespace.

Remember: PID 1=init/systemd. $$=current, $PPID=parent. `pidof name` finds PIDs.

21. What does the execve() system call do in Linux?

Show answer

Executes a program. The program is passed as a filename (or path) and must be a binary executable or a script.

Remember: Tools: ps(list), top(monitor), kill(signal), lsof(files), strace(syscalls).

Gotcha: kill -15 first, kill -9 as last resort. -9 prevents graceful cleanup.

22. What system calls are used for creating a new process?

Show answer

fork(), exec() and the wait() system call is also included in this workflow.

Remember: Tools: ps(list), top(monitor), kill(signal), lsof(files), strace(syscalls).

Gotcha: kill -15 first, kill -9 as last resort. -9 prevents graceful cleanup.

23. What time namespaces are used for?

Show answer

In time namespaces processes can use different system time.

Remember: Tools: ps(list), top(monitor), kill(signal), lsof(files), strace(syscalls).

Gotcha: kill -15 first, kill -9 as last resort. -9 prevents graceful cleanup.

24. Why do we need the wait() system call?

Show answer

wait() is used by a parent process to wait for the child process to finish execution.
If wait is not used by a parent process then a child process might become a zombie process.

Remember: Tools: ps(list), top(monitor), kill(signal), lsof(files), strace(syscalls).

Gotcha: kill -15 first, kill -9 as last resort. -9 prevents graceful cleanup.

25. What is strace command and how should be used? Explain example of connect to an already running process.

Show answer

`strace` is a powerful command line tool for debugging and troubleshooting programs in Unix-like operating systems such as Linux. It captures and records all system calls made by a process and the signals received by the process.


Remember: Tools: ps(list), top(monitor), kill(signal), lsof(files), strace(syscalls).

Gotcha: kill -15 first, kill -9 as last resort. -9 prevents graceful cleanup.

26. Explain the fork() system call

Show answer

fork() is used for creating a new process. It does so by cloning the calling process but the child process has its own PID and any memory locks, I/O operations and semaphores are not inherited.

Under the hood: fork()=duplicate parent, exec()=replace child memory. fork+exec=launch.

27. What does kill 0 do in Linux process management?

Show answer

kill 0 sends a signal to all processes in the current process group. It is used to check if the processes exist or not

Remember: SIGTERM(15)=polite, SIGKILL(9)=forced, SIGHUP(1)=reload, SIGINT(2)=Ctrl+C.

Gotcha: SIGKILL can't be caught. Always try SIGTERM first.

28. How the waitpid() is different from wait()?

Show answer

The waitpid() is a non-blocking version of the wait() function.
It also supports using library routine (e.g. system()) to wait a child process without messing up with other children processes for which the process has not waited.

Remember: PID 1=init/systemd. $$=current, $PPID=parent. `pidof name` finds PIDs.

29. How a program executes a system call?

Show answer

- A program executes a trap instruction. The instruction jump into the kernel while raising the privileged level to kernel space.
- Once in kernel space, it can perform any privileged operation
- Once it's finished, it calls a "return-from-trap" instruction which returns to user space while reducing back the privilege level to user space.

Remember: Tools: ps(list), top(monitor), kill(signal), lsof(files), strace(syscalls).

Gotcha: kill -15 first, kill -9 as last resort. -9 prevents graceful cleanup.

30. Name one reason for fork() to fail

Show answer

fork() can fail when there is not enough memory to create a new process, or when the user/system has hit the maximum process limit (check with `ulimit -u`).
Under the hood: fork() duplicates the parent process, then exec() replaces the child's memory image. Together, fork+exec is how Linux launches new programs. errno is set to ENOMEM or EAGAIN on failure.

31. True or False? With UTS namespaces, processes may appear to have different hostnames.

Show answer

TRUE.

UTS namespace isolates:
- Hostname (nodename)
- Domain name (NIS domain)

Each UTS namespace can have different:
- hostname (set with hostname command)
- uname output

Use cases:
- Containers have own hostname

Remember: Tools: ps(list), top(monitor), kill(signal), lsof(files), strace(syscalls).

Gotcha: kill -15 first, kill -9 as last resort. -9 prevents graceful cleanup.

32. Where can you find information on the processor (like number of CPUs)?

Show answer

/proc/cpuinfo

You can also use `nproc` for number of processors

Remember: Tools: ps(list), top(monitor), kill(signal), lsof(files), strace(syscalls).

Gotcha: kill -15 first, kill -9 as last resort. -9 prevents graceful cleanup.

33. What does /proc//fd contain and why is it useful?

Show answer

It contains symbolic links to every file descriptor the process has open, including files, sockets, and pipes. Useful for debugging what resources a process is using without strace.

Remember: PID 1=init/systemd. $$=current, $PPID=parent. `pidof name` finds PIDs.

34. Name at least five attributes every Linux process has.

Show answer

PID, memory mappings, open file descriptors, credentials (UID/GID), environment variables, and scheduling state (running, sleeping, etc.).

Remember: Tools: ps(list), top(monitor), kill(signal), lsof(files), strace(syscalls).

Gotcha: kill -15 first, kill -9 as last resort. -9 prevents graceful cleanup.

35. What is Software-Defined Networking (SDN), and how does it impact data center architecture?

Show answer

Software-Defined Networking (SDN) is an architectural approach that separates the control plane from the data plane in networking devices, enabling centralized network management through software. **Key Components:* • SDN comprises a centralized controller, which communicates with network devices, and the data plane, responsible for forwarding traffic based on controller instructions. • OpenFlow Protocol: SDN often employs the OpenFlow protocol, allowing the controller to communicate with network devices and dictate their behavior.

Remember: Tools: ps(list), top(monitor), kill(signal), lsof(files), strace(syscalls).

Gotcha: kill -15 first, kill -9 as last resort. -9 prevents graceful cleanup.

36. What is a zombie process, and how do you eliminate one?

Show answer

A zombie is a process that has exited but whose parent has not called wait() to collect its exit status. It holds a PID slot but uses no CPU or memory. You cannot kill a zombie (it is already dead). You must fix or kill its parent process. When the parent dies, PID 1 (init/systemd) adopts and reaps the zombie.

Remember: Zombie = done but parent didn't wait(). Uses only PID entry. Can't kill it.

Gotcha: Fix parent or kill parent → init adopts and reaps zombies.

37. What is a D-state (uninterruptible sleep) process, and why can't you kill it?

Show answer

A D-state process is waiting for a kernel-level I/O operation and cannot be interrupted by any signal, including SIGKILL. Common causes: unreachable NFS server, failing disk, hung FUSE filesystem, dead iSCSI target. Find them with: ps aux | awk '$8 ~ /D/'. You fix the underlying I/O problem, or reboot.

Remember: SIGTERM(15)=polite, SIGKILL(9)=forced, SIGHUP(1)=reload, SIGINT(2)=Ctrl+C.

Gotcha: SIGKILL can't be caught. Always try SIGTERM first.

38. How do you ensure a process survives terminal logout?

Show answer

Use nohup ./script.sh > /var/log/output.log 2>&1 & to ignore SIGHUP (sent when the terminal closes). Modern alternatives: tmux or screen for interactive sessions, or systemd-run --unit=my-task for permanent background tasks. The shell sends SIGHUP to all children on exit, which kills them without protection.

Remember: Tools: ps(list), top(monitor), kill(signal), lsof(files), strace(syscalls).

Gotcha: kill -15 first, kill -9 as last resort. -9 prevents graceful cleanup.

39. How do you find the open file descriptors and file descriptor count for a running process?

Show answer

List open file descriptors: ls -la /proc//fd/. Count them: ls /proc//fd/ | wc -l. The /proc filesystem is a virtual filesystem exposing kernel process state as files. You can also check resource limits with cat /proc//limits to see the max open files limit.

Remember: Tools: ps(list), top(monitor), kill(signal), lsof(files), strace(syscalls).

Gotcha: kill -15 first, kill -9 as last resort. -9 prevents graceful cleanup.

40. Describe the fork-exec-wait process lifecycle in Linux.

Show answer

1) fork(): parent creates a child (near-exact copy with new PID). 2) exec(): child replaces its memory with a new program (PID stays the same). 3) exit(): child terminates, becomes a zombie. 4) wait(): parent collects exit status, zombie is reaped, PID is freed. Every process follows this pattern. PID 1 is the only exception (no parent).

Under the hood: fork()=duplicate parent, exec()=replace child memory. fork+exec=launch.

41. Explain what each of the following commands does and give an example on how to use it:

Show answer

* touch - update file's timestamp. More commonly used for creating files
* ls - listing files and directories
* rm - remove files and directories
* cat - create, view and concatenate files
* cp - copy files and directories
* mkdir - create directories
* pwd - print current working directory (= at what path the user currently located)
* cd - change directory

Remember: Tools: ps(list), top(monitor), kill(signal), lsof(files), strace(syscalls).

Gotcha: kill -15 first, kill -9 as last resort. -9 prevents graceful cleanup.

42. What do we grep for in each of the following commands?:

Show answer

1. An IP address
2. The word "error" or "failure"
3. Lines which end with a number

Remember: Tools: ps(list), top(monitor), kill(signal), lsof(files), strace(syscalls).

Gotcha: kill -15 first, kill -9 as last resort. -9 prevents graceful cleanup.

43. How packages installation/removal is performed on the distribution you are using?

Show answer

The answer depends on the distribution being used.

In Fedora/CentOS/RHEL/Rocky it can be done with `rpm` or `dnf` commands.
In Ubuntu it can be done with the `apt` command.

Remember: Tools: ps(list), top(monitor), kill(signal), lsof(files), strace(syscalls).

Gotcha: kill -15 first, kill -9 as last resort. -9 prevents graceful cleanup.

44. Specify which command would you use (and how) for each of the following scenarios

Show answer

- `rm -rf dir`
- `cat or less`
- `chmod 777 /tmp/x`
- `cd ~`
- `sed -i s/good/great/g /tmp/y`

Remember: Tools: ps(list), top(monitor), kill(signal), lsof(files), strace(syscalls).

Gotcha: kill -15 first, kill -9 as last resort. -9 prevents graceful cleanup.

45. How do you find all processes owned by a specific user in Linux?

Show answer

If you mention at any point ps command with arguments, be familiar with what these arguments does exactly.

Remember: Tools: ps(list), top(monitor), kill(signal), lsof(files), strace(syscalls).

Gotcha: kill -15 first, kill -9 as last resort. -9 prevents graceful cleanup.

46. Find all the files which end with '.yml' and replace the number 1 in 2 in each file

Show answer

find /some_dir -iname \*.yml -print0 | xargs -0 -r sed -i "s/1/2/g"

Remember: Tools: ps(list), top(monitor), kill(signal), lsof(files), strace(syscalls).

Gotcha: kill -15 first, kill -9 as last resort. -9 prevents graceful cleanup.

47. What the awk command does? Have you used it? What for?

Show answer

From Wikipedia: "AWK is domain-specific language designed for text processing and typically used as a data extraction and reporting tool"

Remember: Tools: ps(list), top(monitor), kill(signal), lsof(files), strace(syscalls).

Gotcha: kill -15 first, kill -9 as last resort. -9 prevents graceful cleanup.

48. What does it mean when the effective user is root, but the real user ID is still your name?

Show answer

The **real user ID** is who you really are (the user who owns the process), and the **effective user ID** is what the operating system looks at to make a decision whether or not you are allowed to do something (most of the time, there are some exceptions).

When you log in, the login shell sets both the **real and effective user ID** to the same value (your **real user ID**) as supplied by the password file.

Remember: Tools: ps(list), top(monitor), kill(signal), lsof(files), strace(syscalls).

Gotcha: kill -15 first, kill -9 as last resort. -9 prevents graceful cleanup.

49. How to print every line that is longer than 79 characters?

Show answer

`awk 'length($0) > 79' file`

Remember: Tools: ps(list), top(monitor), kill(signal), lsof(files), strace(syscalls).

Gotcha: kill -15 first, kill -9 as last resort. -9 prevents graceful cleanup.

50. Developer added cron job which generate massive log files. How do you prevent them from getting so big?

Show answer

Using `logrotate` is the usual way of dealing with logfiles. But instead of adding content to `/etc/logrotate.conf` you should add your own job to `/etc/logrotate.d/`, otherwise you would have to look at more diffs of configuration files during release upgrades.

If it's actively being written to you don't really have much you can do by way of truncate. Your only options are to truncate the file:

```bash\n: >/var/log/massive-logfile\n```

It's very helpful, because it's truncate the file without disrupting the processes.

Remember: Cron fields: minute hour day month weekday. "MHDMW."

Example: `*/5 * * * *` = every 5min. `0 2 * * 0` = 2AM Sundays.

51. What kind of information one can find in /proc?

Show answer

It contains useful information about the processes that are currently running, it is regarded as control and information center for kernel.

Remember: Tools: ps(list), top(monitor), kill(signal), lsof(files), strace(syscalls).

Gotcha: kill -15 first, kill -9 as last resort. -9 prevents graceful cleanup.

52. What is the difference between a service failure and a dependency failure?

Show answer

Service failure is the unit itself exiting non-zero or crashing. The process ran but failed.

Dependency failure means a required unit (specified via `Requires=` or `BindsTo=`) failed earlier, so systemd never attempted to start the dependent service.

To diagnose:
```bash\nsystemctl status myservice\njournalctl -u myservice\nsystemctl list-dependencies myservice --reverse\n```

Dependency failures show "dependency failed" in status; service failures show the actual exit code.

Remember: Tools: ps(list), top(monitor), kill(signal), lsof(files), strace(syscalls).

Gotcha: kill -15 first, kill -9 as last resort. -9 prevents graceful cleanup.

53. How to print the 4th column in a file?

Show answer

`awk '{print $4}' file`

Remember: Tools: ps(list), top(monitor), kill(signal), lsof(files), strace(syscalls).

Gotcha: kill -15 first, kill -9 as last resort. -9 prevents graceful cleanup.

54. What a double dash (--) mean?

Show answer

It's used in commands to mark the end of commands options. One common example is when used with git to discard local changes: `git checkout -- some_file`

Remember: Tools: ps(list), top(monitor), kill(signal), lsof(files), strace(syscalls).

Gotcha: kill -15 first, kill -9 as last resort. -9 prevents graceful cleanup.

55. Using sed, extract the date from the following line: 201.7.19.90 - - [05/Jun/1985:13:42:99 +0000] "GET /site HTTP/1.1" 200 32421

Show answer

`echo $line | sed 's/.*\[//g;s/].*//g;s/:.*//g'`

Remember: Tools: ps(list), top(monitor), kill(signal), lsof(files), strace(syscalls).

Gotcha: kill -15 first, kill -9 as last resort. -9 prevents graceful cleanup.

56. Present and explain the good ways of using the kill command.

Show answer

Speaking of killing processes never use `kill -9/SIGKILL` unless absolutely mandatory. This kill can cause problems because of its brute force.

Always try to use the following simple procedure:

- first, send **SIGTERM** (`kill -15`) signal first which tells the process to shutdown and is generally accepted as the signal to use when shutting down cleanly (but remember that this signal can be ignored).
- next try to send **SIGHUP** (`kill -1`) signal which is commonly used to tell a process to shutdown and restart, this signal can also be caught and ignored by a process.

The far majority of the time, this is all you need - and is much cleaner.

57. What are hidden files/directories? How to list them?

Show answer

These are files directly not displayed after performing a standard ls direct listing. An example of these files are .bashrc which are used to execute some scripts. Some also store configuration about services on your host like .KUBECONFIG. The command used to list them is, `ls -a`

Remember: Tools: ps(list), top(monitor), kill(signal), lsof(files), strace(syscalls).

Gotcha: kill -15 first, kill -9 as last resort. -9 prevents graceful cleanup.

58. Which line numbers will be printed when running grep '\baaa\b' on the following content:

Show answer

Lines 1 and 3. The `\b` anchor matches a word boundary, so `\baaa\b` matches 'aaa' only as a whole word — not when it appears as a substring inside a longer string like 'aaaa' or 'xaaax'.

Remember: Tools: ps(list), top(monitor), kill(signal), lsof(files), strace(syscalls).

Gotcha: kill -15 first, kill -9 as last resort. -9 prevents graceful cleanup.

59. How to print the shared libraries required by a certain program?

Show answer

Use ldd or other tools:

ldd (List Dynamic Dependencies):
- ldd /bin/ls
- Shows all shared libraries needed
- Security note: Don't run on untrusted binaries

Alternative methods:
- readelf -d binary | grep NEEDED
- objdump -p binary | grep NEEDED

Runtime loaded libraries:
- lsof -p PID | grep '.so' - Currently loaded
- cat /proc/PID/maps - Memory mappings

If library missing:
- ldd shows "not found"
- Fix: Install package or set LD_LIBRARY_PATH

Remember: Tools: ps(list), top(monitor), kill(signal), lsof(files), strace(syscalls).

Gotcha: kill -15 first, kill -9 as last resort. -9 prevents graceful cleanup.

60. Explain Linux I/O redirection

Show answer

In Linux, IO redirection is a way of changing the default input/output behavior of a command or program. It allows you to redirect input and output from/to different sources/destinations, such as files, devices, and other commands.

Here are some common examples of IO redirection:
* Redirecting Standard Output (stdout):
`ls > filelist.txt`
* Redirecting Standard Error (stderr):
`ls /some/nonexistent/directory 2> error.txt`
* Appending to a file:
`echo "hello" >> myfile.txt`
* Redirecting Input (stdin):
`sort < unsorted.txt`
* Using Pipes: Pipes ("|"):
`ls | grep "\.txt$"`

61. Fix the following commands:

Show answer

```\nsed 's/1/2/g' /tmp/myFile # sed "s/1/2/g" is also fine\nfind . -iname "*.yaml" -exec sed -i "s/1/2/g" {} \;\n```

Remember: Tools: ps(list), top(monitor), kill(signal), lsof(files), strace(syscalls).

Gotcha: kill -15 first, kill -9 as last resort. -9 prevents graceful cleanup.

62. What can be found in /proc/cmdline?

Show answer

The command passed to the boot loader to run the kernel

Remember: Tools: ps(list), top(monitor), kill(signal), lsof(files), strace(syscalls).

Gotcha: kill -15 first, kill -9 as last resort. -9 prevents graceful cleanup.

🔴 Hard (16)

1. What types of namespaces are there in Linux?

Show answer

- Process ID namespaces: these namespaces include independent set of process IDs
- Mount namespaces: Isolation and control of mountpoints
- Network namespaces: Isolates system networking resources such as routing table, interfaces, ARP table, etc.
- UTS namespaces: Isolate host and domains
- IPC namespaces: Isolates interprocess communications
- User namespaces: Isolate user and group IDs
- Time namespaces: Isolates time machine

Remember: Tools: ps(list), top(monitor), kill(signal), lsof(files), strace(syscalls).

Gotcha: kill -15 first, kill -9 as last resort. -9 prevents graceful cleanup.

2. What happens during fork() vs exec()?

Show answer

Two separate operations that are often used together:

**fork()**:
* Creates a new process (child) as copy of parent
* Uses copy-on-write for memory efficiency
* Child gets new PID, inherits file descriptors
* Returns twice: 0 to child, child PID to parent

**exec()**:
* Replaces current process image with new program

Under the hood: fork()=duplicate parent, exec()=replace child memory. fork+exec=launch.

3. How to limit processes to not exceed more than X% of CPU usage?

Show answer

**nice/renice**

nice is a great tool for 'one off' tweaks to a system:

```bash\nnice COMMAND\n```

**cpulimit**

cpulimit if you need to run a CPU intensive job and having free CPU time is essential for the responsiveness of a system:

```bash\ncpulimit -l 50 COMMAND\n```

**cgroups**

cgroups apply limits to a set of processes, rather than to just one:



Remember: Tools: ps(list), top(monitor), kill(signal), lsof(files), strace(syscalls).

Gotcha: kill -15 first, kill -9 as last resort. -9 prevents graceful cleanup.

4. How do you debug a hung process?

Show answer

Step-by-step approach:

1. **Identify state**: `ps aux | grep PID` - check state column (D=uninterruptible, S=sleeping, R=running)

2. **Trace syscalls**:
```bash\nstrace -p PID\n```
Shows what syscall it's blocked on.

3. **Check kernel stack**:
```bash\ncat /proc/PID/stack\n```
Shows where in kernel the process is waiting.


Remember: Tools: ps(list), top(monitor), kill(signal), lsof(files), strace(syscalls).

Gotcha: kill -15 first, kill -9 as last resort. -9 prevents graceful cleanup.

5. Explain Kernel Threads

Show answer

Kernel threads are processes that run entirely in kernel space.

Characteristics:
- No user-space address space (mm = NULL)
- Run kernel code only
- Created by kernel, not by user programs
- Visible in ps with brackets: [kthreadd], [ksoftirqd]

Common kernel threads:
- kthreadd: Parent of all kernel threads (PID 2)

Remember: Tools: ps(list), top(monitor), kill(signal), lsof(files), strace(syscalls).

Gotcha: kill -15 first, kill -9 as last resort. -9 prevents graceful cleanup.

6. Explain Process Descriptor and Task Structure

Show answer

The task_struct is the kernel's representation of a process/thread.

Process Descriptor (task_struct):
- Kernel data structure for each process/thread
- Contains all process information
- Defined in include/linux/sched.h

Key fields:
- state: Running, sleeping, stopped, etc.
- pid, tgid: Process and thread group IDs

Remember: Tools: ps(list), top(monitor), kill(signal), lsof(files), strace(syscalls).

Gotcha: kill -15 first, kill -9 as last resort. -9 prevents graceful cleanup.

7. What are cgroups (control groups) and how does Linux use them for resource limits?

Show answer

cgroups (Control Groups) limit and monitor resource usage for process groups.

Control:
- CPU time/shares
- Memory limits
- I/O bandwidth
- Network priority
- Device access

Use cases:

Remember: `ps aux`(BSD, %CPU/%MEM) vs `ps -ef`(UNIX, PPID). Both show all processes.

Example: `ps aux --sort=-%mem | head` — top memory consumers.

8. What if kill -9 does not work? Describe exceptions for which the use of SIGKILL is insufficient.

Show answer

`kill -9` (`SIGKILL`) always works, provided you have the permission to kill the process. Basically either the process must be started by you and not be setuid or setgid, or you must be root. There is one exception: even root cannot send a fatal signal to PID 1 (the init process).


Remember: SIGTERM(15)=polite, SIGKILL(9)=forced, SIGHUP(1)=reload, SIGINT(2)=Ctrl+C.

Gotcha: SIGKILL can't be caught. Always try SIGTERM first.

9. How do you trace a system call in Linux? Explain the possible methods.

Show answer

**SystemTap**

This is the most powerful method. It can even show the call arguments:

Usage:

```bash\nsudo apt-get install systemtap\nsudo stap -e 'probe syscall.mkdir { printf("%s[%d] -> %s(%s)\n", execname(), pid(), name, argstr) }'\n```

Then on another terminal:

```bash\nsudo rm -rf /tmp/a /tmp/b\nmkdir /tmp/a\nmkdir /tmp/b\n```

Sample output:



Remember: Tools: ps(list), top(monitor), kill(signal), lsof(files), strace(syscalls).

Gotcha: kill -15 first, kill -9 as last resort. -9 prevents graceful cleanup.

10. Difference between nohup, disown, and &. What happens when using all together?

Show answer

- `&` puts the job in the background, that is, makes it block on attempting to read input, and makes the shell not wait for its completion
- `disown` removes the process from the shell's job control, but it still leaves it connected to the terminal. One of the results is that the shell won't send it a **SIGHUP**.

Remember: `nohup cmd &` survives logout. Output→nohup.out. Modern: tmux or systemd.

11. What is the meaning of the error maxproc limit exceeded by uid %i ... in FreeBSD?

Show answer

The FreeBSD kernel will only allow a certain number of processes to exist at one time. The number is based on the **kern.maxusers** variable.

**kern.maxusers** also affects various other in-kernel limits, such as network buffers. If the machine is heavily loaded, increase **kern.maxusers**. This will increase these other system limits in addition to the maximum number of processes.


Remember: Tools: ps(list), top(monitor), kill(signal), lsof(files), strace(syscalls).

Gotcha: kill -15 first, kill -9 as last resort. -9 prevents graceful cleanup.

12. What are segmentation faults (segfaults), and how can identify what's causing them?

Show answer

A **segmentation fault** (aka _segfault_) is a common condition that causes programs to crash. Segfaults are caused by a program trying to read or write an illegal memory location.

Program memory is divided into different segments:



Remember: Tools: ps(list), top(monitor), kill(signal), lsof(files), strace(syscalls).

Gotcha: kill -15 first, kill -9 as last resort. -9 prevents graceful cleanup.

13. A system has run queue length = 1, load avg = 40, CPU idle = 80%. Explain precisely what state those tasks are in and why they count toward load.

Show answer

The tasks are in D state (uninterruptible sleep), waiting on I/O completion rather than CPU.

Key points:
- D state processes are waiting on block layer or filesystem operations
- Typical causes: NFS hangs, slow SAN, hung device, journal flush
- Linux load average includes both runnable (R) AND uninterruptible (D) processes
- This is why load can be high while CPU is idle - tasks are blocked

Remember: Tools: ps(list), top(monitor), kill(signal), lsof(files), strace(syscalls).

Gotcha: kill -15 first, kill -9 as last resort. -9 prevents graceful cleanup.

14. What are the most common ulimit-related production failures, and how do you fix them?

Show answer

Too many open files -- increase nofile limit. "Cannot fork" -- hit max processes (nproc). "No core dump generated" -- core file size is 0. Set permanently in /etc/security/limits.conf (e.g., appuser soft nofile 65536) or in systemd unit files with LimitNOFILE=65536 and LimitNPROC=4096. Check current limits with cat /proc//limits."

Remember: Tools: ps(list), top(monitor), kill(signal), lsof(files), strace(syscalls).

Gotcha: kill -15 first, kill -9 as last resort. -9 prevents graceful cleanup.

15. What are the different ways to send signals to processes, and when would you use each?

Show answer

kill -SIGTERM (by PID, most common). killall -TERM nginx (by process name, all matching). pkill -TERM -f "python app.py" (by command pattern). kill -0 checks if a process exists without sending a signal. Use pkill -f when the process name alone is ambiguous. Always prefer SIGTERM before SIGKILL.

Remember: SIGTERM(15)=polite, SIGKILL(9)=forced, SIGHUP(1)=reload, SIGINT(2)=Ctrl+C.

Gotcha: SIGKILL can't be caught. Always try SIGTERM first.

16. Why do containers need a proper init process like tini or dumb-init?

Show answer

If PID 1 in a container is not a proper init, it will not reap zombie children or forward signals correctly. This causes zombie accumulation (PID table filling up) and processes that cannot be gracefully stopped. tini and dumb-init act as lightweight init processes that handle signal forwarding and zombie reaping.

Remember: Tools: ps(list), top(monitor), kill(signal), lsof(files), strace(syscalls).

Gotcha: kill -15 first, kill -9 as last resort. -9 prevents graceful cleanup.