Linux — Trivia & Knowledge Compendium
~800+ Q&A pairs covering everything from Linus Torvalds' famous email to eBPF internals. Compiled from local study materials, interview prep banks, certification resources, and web research.
Last updated: 2026-03-26
1. Origins, History & Trivia
Q: Who created Linux, and in what year?
A: Linus Torvalds created Linux in 1991 while a 21-year-old computer science student at the University of Helsinki, Finland.
Q: What was the famous opening line of Linus Torvalds' Usenet post announcing Linux?
A: "Hello everybody out there using minix - I'm doing a (free) operating system (just a hobby, won't be big and professional like gnu) for 386(486) AT clones." Posted on comp.os.minix on August 25, 1991.
Q: What was the first version number of the Linux kernel?
A: Linux 0.01, released September 17, 1991. It was not publicly announced; only 0.02 (October 1991) was posted to comp.os.minix.
Q: What operating system inspired Linus to write Linux?
A: MINIX, a small Unix-like teaching OS written by Andrew S. Tanenbaum for his textbook "Operating Systems: Design and Implementation."
Q: What was the original name Linus considered for the kernel before "Linux"?
A: Linus originally wanted to call it "Freax" (a portmanteau of free, freak, and x for Unix). Ari Lemmke, who hosted the FTP upload, named the directory "linux" instead.
Q: What was the Tanenbaum-Torvalds debate about?
A: In January 1992, Andrew Tanenbaum posted "LINUX is obsolete" on comp.os.minix, arguing that a monolithic kernel was a step backward and that microkernels were the future. Torvalds defended Linux's pragmatic monolithic design.
Q: Who is Richard Stallman, and what is his role in the Linux ecosystem?
A: Richard Stallman founded the GNU Project in 1983 and the Free Software Foundation in 1985. He created core userland tools (GCC, Bash, coreutils) that, combined with the Linux kernel, form a complete operating system.
Q: What does GNU stand for?
A: GNU stands for "GNU's Not Unix" — a recursive acronym, a tradition in hacker culture.
Q: Why does Stallman insist on calling the OS "GNU/Linux"?
A: Because the complete operating system includes GNU userland tools (compiler, shell, coreutils, C library) alongside the Linux kernel. Stallman argues calling it just "Linux" erases the GNU Project's foundational contributions.
Q: What license is the Linux kernel released under?
A: The GNU General Public License version 2 (GPLv2) only — not "or later." Linus has explicitly stated it will remain GPLv2.
Q: What are the four freedoms of the GPL?
A: Freedom 0: run the program; Freedom 1: study and modify source code; Freedom 2: redistribute copies; Freedom 3: distribute modified versions. The GPL's "copyleft" requirement mandates derivative works also be GPL-licensed.
Q: What is the oldest actively maintained Linux distribution?
A: Slackware, first released on July 17, 1993 by Patrick Volkerding. It remains actively developed.
Q: How does Debian name its releases?
A: Debian releases are named after characters from the Pixar movie Toy Story. Examples: Buzz, Rex, Woody, Sarge, Etch, Lenny, Squeeze, Wheezy, Jessie, Stretch, Buster, Bullseye, Bookworm, Trixie. The unstable branch is always called "Sid" (the destructive kid).
Q: How does Ubuntu version numbering work?
A: Ubuntu uses YY.MM format — e.g., 24.04 was released in April 2024. LTS (Long Term Support) releases come every two years in April (even years) and are supported for five years.
Q: What is the relationship between RHEL, CentOS, Rocky Linux, and AlmaLinux?
A: CentOS was a free rebuild of RHEL source. In 2020, Red Hat shifted CentOS to CentOS Stream (a rolling preview of RHEL). Rocky Linux (founded by CentOS co-founder Gregory Kurtzer) and AlmaLinux (backed by CloudLinux) emerged as 1:1 RHEL-compatible replacements.
Q: What does RHEL stand for?
A: Red Hat Enterprise Linux.
Q: Who founded Red Hat?
A: Bob Young and Marc Ewing founded Red Hat in 1994. The name comes from Ewing's red Cornell lacrosse cap.
Q: What was the Heartbleed vulnerability?
A: CVE-2014-0160 — a buffer over-read bug in OpenSSL's TLS heartbeat extension that allowed attackers to read up to 64KB of server memory per request, potentially exposing private keys, passwords, and session data.
Q: What was Shellshock?
A: CVE-2014-6271 — a family of vulnerabilities in GNU Bash that allowed remote code execution through crafted environment variables. It affected CGI scripts, SSH, DHCP clients, and more.
Q: What was Dirty COW?
A: CVE-2016-5195 — a race condition in the kernel's copy-on-write (COW) mechanism in memory management that allowed unprivileged local users to gain write access to read-only memory mappings, enabling privilege escalation.
Q: What was Log4Shell?
A: CVE-2021-44228 — a critical RCE vulnerability in Apache Log4j 2 (a Java logging library) that allowed attackers to execute arbitrary code via crafted log messages containing JNDI lookups. While not a Linux bug per se, it devastated Linux-hosted Java services.
Q: What is the Linux Foundation?
A: A non-profit technology consortium founded in 2000 (as Open Source Development Labs, renamed in 2007) that hosts and promotes Linux development. It employs Linus Torvalds and Greg Kroah-Hartman and hosts projects like Kubernetes, Node.js, and Hyperledger.
Q: What is kernel.org?
A: The primary distribution point for Linux kernel source code, maintained by the Linux Kernel Organization. It hosts stable, mainline, longterm, and next kernel trees.
Q: What are the Linux kernel version numbering conventions?
A: Since 2004 (2.6.x era), the kernel uses major.minor.patch. After 3.0 (2011), Linus resets the minor version at his discretion. Version 6.x started in October 2022. Odd/even minor numbering for dev/stable was abandoned after 2.6.
Q: What is a Linux kernel LTS release?
A: A Long Term Support kernel receives bug fixes and security patches for 2-6 years, compared to the ~3-month lifecycle of a regular stable release. Greg Kroah-Hartman maintains LTS kernels.
Q: Who is Greg Kroah-Hartman?
A: The stable kernel maintainer and one of the most prolific Linux kernel contributors. He manages the stable release process and maintains the driver core, staging tree, and USB subsystem.
Q: What was the first Linux distribution?
A: MCC Interim Linux (Manchester Computing Centre), released in February 1992, was arguably the first. SLS (Softlanding Linux System) in 1992 was the first widely used distribution. Slackware and Debian both appeared in 1993.
Q: What architecture was Linux originally written for?
A: The Intel 80386 (i386). Linus wrote it specifically for his 386-based PC.
Q: How many lines of code are in a modern Linux kernel?
A: Approximately 30-35 million lines of code as of kernel 6.x, making it one of the largest collaborative software projects in history.
Q: What programming language is the Linux kernel primarily written in?
A: C, with some assembly for architecture-specific code. As of kernel 6.1, Rust was introduced as a second supported language for new driver development.
Q: When was Rust support officially added to the Linux kernel?
A: Linux 6.1 (December 2022) was the first release with initial Rust infrastructure merged into the mainline kernel.
Q: What is the Linux kernel mailing list (LKML)?
A: The primary communication channel for Linux kernel development, hosted at lkml.org. It receives hundreds of messages daily covering patches, reviews, and discussions.
Q: What company acquired Red Hat in 2019?
A: IBM acquired Red Hat for approximately $34 billion, the largest software acquisition at the time.
Q: What is Arch Linux known for?
A: Its rolling-release model, minimalist design philosophy, and "The Arch Way" (simplicity, user-centricity). The meme "I use Arch btw" is a well-known joke in the Linux community.
Q: What was Ubuntu's first release?
A: Ubuntu 4.10 "Warty Warthog," released October 20, 2004. It was founded by Mark Shuttleworth and developed by Canonical.
Q: What is Gentoo Linux known for?
A: Source-based package management via Portage where packages are compiled from source on the user's machine, allowing extreme customization and optimization through USE flags.
Q: What does the term "distro-hopping" mean?
A: The practice of frequently switching between Linux distributions, common among new Linux users exploring the ecosystem.
Q: What is a Linux "spin" or "flavor"?
A: A variant of a distribution with a different default desktop environment or package selection, such as Kubuntu (Ubuntu with KDE) or Fedora Spins.
Q: What was the "Year of the Linux Desktop" meme?
A: A recurring joke/prediction in the Linux community that "this year" Linux will finally achieve mainstream desktop adoption. It has been predicted annually since the late 1990s.
Q: What is Android's relationship to Linux?
A: Android uses the Linux kernel but replaces most of the GNU userland with its own (Bionic libc, Dalvik/ART runtime). It is the most widely deployed Linux kernel variant by device count.
Q: What embedded operating system is used in most consumer routers and is based on Linux?
A: OpenWrt (formerly also DD-WRT) is the most popular Linux-based router firmware.
Q: What year did Linux first surpass 50% of the web server market?
A: By the mid-2000s, Linux-based servers (primarily running Apache) held over 60% of the public web server market.
Q: What supercomputing milestone does Linux hold?
A: As of 2017, Linux runs on 100% of the world's Top 500 supercomputers.
Q: What is the origin of the term "free software" vs "open source"?
A: "Free software" was coined by Richard Stallman (free as in freedom, not price). "Open source" was coined in 1998 by Christine Peterson and adopted by Eric Raymond and Bruce Perens to make the concept more business-friendly. The OSI (Open Source Initiative) maintains the Open Source Definition.
Q: What is the difference between the GPL, LGPL, MIT, and Apache licenses?
A: GPL: strong copyleft — derivatives must also be GPL. LGPL: weak copyleft — allows linking with proprietary code. MIT: permissive — do anything with attribution. Apache 2.0: permissive with patent grant. The kernel uses GPLv2.
Q: What is the BSD license?
A: A permissive license allowing redistribution in source or binary form with minimal restrictions (attribution required). Unlike GPL, it does not require derivative works to be open source.
Q: Who is the creator of MINIX 3?
A: Andrew S. Tanenbaum. MINIX 3 is a microkernel-based OS designed for reliability. Intel's Management Engine runs a modified MINIX 3, meaning MINIX may be the most widely deployed OS by unit count.
Q: What is the Linux Standard Base (LSB)?
A: A joint ISO/IEC and Linux Foundation project to standardize the internal structure of Linux distributions. It defines package formats, filesystem layout, library interfaces, and commands for binary compatibility.
Q: What was the "SCO vs IBM" lawsuit?
A: SCO Group sued IBM in 2003 claiming IBM contributed SCO's proprietary Unix code to Linux. The case dragged on for years, threatening Linux adoption. SCO ultimately lost and went bankrupt in 2007. The case was significant for validating Linux's legal standing.
Q: What is Linus's Law?
A: "Given enough eyeballs, all bugs are shallow" — coined by Eric Raymond in "The Cathedral and the Bazaar," attributed to Linus. It means with many code reviewers, bugs are found quickly.
Q: What was the first commercial Linux distribution?
A: Yggdrasil Linux, released in December 1992, was the first commercial Linux distribution to be sold. SLS and MCC were earlier but free.
Q: What is the Debian Social Contract?
A: A founding document of the Debian Project that commits to keeping Debian 100% free software, giving back to the free software community, not hiding problems, and prioritizing users and free software.
Q: What is systemd's creator known for?
A: Lennart Poettering, a Red Hat developer, created systemd (2010), PulseAudio, and Avahi. systemd's adoption was controversial, leading to the "systemd wars" in the Linux community.
Q: What is the Devuan distribution?
A: A fork of Debian that replaces systemd with SysVinit or OpenRC. Created by developers who objected to Debian's adoption of systemd as the default init system.
2. Kernel Architecture & Internals
Q: Is the Linux kernel monolithic or microkernel?
A: Monolithic — the entire OS runs in kernel space as a single binary image. However, it supports loadable kernel modules (LKMs) that can be inserted and removed at runtime, giving it some microkernel flexibility.
Q: What is the difference between kernel space and user space?
A: Kernel space runs with full hardware access (ring 0 on x86), while user space runs with restricted privileges (ring 3). Transitions between them happen via system calls, which are the defined interface between user programs and the kernel.
Q: What is a system call (syscall)?
A: The programmatic interface by which user-space processes request services from the kernel (e.g., file I/O, process creation, networking). On x86-64, the syscall instruction transfers control to the kernel. There are roughly 450+ syscalls.
Q: What is the syscall number for write on x86-64 Linux?
A: Syscall number 1. read is 0, open is 2, close is 3, exit is 60, fork is 57.
Q: What is a loadable kernel module (LKM)?
A: Code that can be loaded into a running kernel to extend functionality (e.g., device drivers, filesystems) without rebooting. Managed with insmod, rmmod, modprobe, and lsmod.
Q: What is the difference between insmod and modprobe?
A: insmod loads a specific module file without resolving dependencies. modprobe is smarter — it resolves and loads dependencies automatically using modules.dep.
Q: What command lists currently loaded kernel modules?
A: lsmod, which reads from /proc/modules.
Q: What is the Completely Fair Scheduler (CFS)?
A: The default Linux process scheduler from kernel 2.6.23 (2007) to 6.5, designed by Ingo Molnar. It uses a red-black tree to track virtual runtime, ensuring each process gets a fair share of CPU proportional to its weight (nice value).
Q: What replaced CFS in Linux 6.6?
A: EEVDF (Earliest Eligible Virtual Deadline First), which improves latency fairness by considering both virtual runtime and virtual deadlines, reducing scheduling latency for interactive workloads.
Q: What data structure does CFS use internally?
A: A red-black tree (self-balancing binary search tree) ordered by each task's virtual runtime (vruntime). The leftmost node (smallest vruntime) is the next task to run.
Q: What is virtual memory?
A: An abstraction where each process sees a contiguous, private address space. The kernel and MMU translate virtual addresses to physical addresses via page tables, allowing memory isolation, overcommit, and swapping.
Q: What is a page table?
A: A hierarchical data structure (4 or 5 levels on x86-64) that maps virtual addresses to physical page frames. Each entry (PTE) contains the physical frame number and flags (present, read/write, user/supervisor, dirty, accessed).
Q: What is the TLB?
A: Translation Lookaside Buffer — a CPU cache for recent virtual-to-physical address translations. TLB misses require expensive page table walks, so TLB efficiency is critical for performance.
Q: What are huge pages?
A: Memory pages larger than the default 4KB — typically 2MB or 1GB on x86-64. They reduce TLB misses for large working sets. Configured via hugetlbfs (static) or Transparent Huge Pages (THP, dynamic).
Q: What is NUMA?
A: Non-Uniform Memory Access — a memory architecture where each CPU socket has "local" memory with faster access and "remote" memory on other sockets with higher latency. The kernel's NUMA-aware allocator tries to place memory close to the CPU that uses it.
Q: What is the OOM killer?
A: The Out-Of-Memory killer — a kernel mechanism that selects and kills processes when the system is critically low on memory. It uses oom_score (0-1000) to choose victims, preferring processes with high memory usage and low importance.
Q: What is oom_score_adj?
A: A per-process tunable (-1000 to 1000) in /proc/PID/oom_score_adj that biases the OOM killer. -1000 disables OOM killing for that process; 1000 makes it the first victim.
Q: What is the SLUB allocator?
A: The default slab allocator in modern Linux kernels, replacing the original SLAB allocator. It manages small kernel memory allocations efficiently using per-CPU caches and object pools organized by size.
Q: What is the difference between kmalloc and vmalloc?
A: kmalloc allocates physically contiguous memory from the slab allocator (fast, limited size). vmalloc allocates virtually contiguous but potentially physically non-contiguous memory (slower due to page table setup, can allocate larger regions).
Q: What is the VFS (Virtual Filesystem Switch)?
A: An abstraction layer that provides a uniform interface for all filesystems. It defines common objects (superblock, inode, dentry, file) so that open(), read(), write() work identically regardless of the underlying filesystem.
Q: What is an inode?
A: An index node — a kernel data structure storing metadata about a file: permissions, ownership, size, timestamps, and pointers to data blocks. Each file has a unique inode number within its filesystem. Notably, an inode does NOT store the filename.
Q: What is eBPF?
A: Extended Berkeley Packet Filter — a technology allowing sandboxed programs to run inside the Linux kernel without modifying kernel source or loading modules. Used for networking, observability, security, and tracing. Programs are verified for safety before execution.
Q: What is a kprobe?
A: A kernel debugging mechanism that allows inserting breakpoints at virtually any kernel function. When the probed instruction executes, a registered handler runs. Used for dynamic tracing without recompilation.
Q: What is ftrace?
A: The kernel's built-in function tracer, accessible via /sys/kernel/debug/tracing/. It can trace function calls, measure latencies, and generate call graphs. Backends include function tracer, function_graph, and various event tracers.
Q: What is perf?
A: A powerful Linux profiling tool that leverages hardware performance counters, tracepoints, kprobes, and uprobes. It can profile CPU cycles, cache misses, branch mispredictions, and more with minimal overhead.
Q: What kernel configuration file controls module parameters at load time?
A: /etc/modprobe.d/*.conf files contain options and aliases for kernel modules.
Q: What is the kernel ring buffer?
A: A fixed-size buffer in kernel memory that stores kernel log messages, accessible via dmesg. It contains boot messages, driver initialization output, and runtime kernel messages.
Q: What is copy-on-write (COW)?
A: A memory optimization where forked processes initially share the same physical pages as the parent. Pages are only copied when one process writes to them, reducing memory usage and fork time.
Q: How many privilege rings does x86 architecture define, and which does Linux use?
A: x86 defines 4 rings (0-3). Linux uses only ring 0 (kernel) and ring 3 (user space). Rings 1 and 2 are unused.
Q: What is a context switch?
A: The process of saving the state (registers, program counter, page table pointer) of the currently running process and restoring the state of the next process to run. Context switches are expensive due to cache and TLB invalidation.
Q: What is the difference between a process context switch and an interrupt?
A: A process context switch saves/restores full process state including user-space registers and page tables. An interrupt only saves minimal CPU state, runs the interrupt handler in kernel context, then returns — no page table switch is needed if returning to the same process.
Q: What is a softirq?
A: A deferred interrupt handling mechanism in the kernel. Hardware interrupts (hardirqs) run minimal code quickly, then schedule softirqs to do the heavier processing. Network packet processing and block I/O completion use softirqs.
Q: What is kernel preemption?
A: The ability of the kernel to interrupt a currently running kernel-mode task to schedule a higher-priority task. Controlled by CONFIG_PREEMPT (full), CONFIG_PREEMPT_VOLUNTARY, or CONFIG_PREEMPT_NONE.
Q: What is RCU (Read-Copy-Update)?
A: A synchronization mechanism optimized for read-heavy workloads. Readers access shared data without locks; writers create a copy, modify it, and atomically replace the pointer. Reclamation of old data waits until all readers complete.
Q: What are the main kernel memory zones on x86-64?
A: ZONE_DMA (first 16MB for legacy DMA), ZONE_DMA32 (first 4GB for 32-bit DMA), ZONE_NORMAL (rest of physical memory). There is no ZONE_HIGHMEM on 64-bit because all physical memory is directly mappable.
3. Boot Process
Q: What is BIOS?
A: Basic Input/Output System — legacy firmware stored in ROM that initializes hardware and loads the first 512-byte sector (MBR) from the boot device. Limited to 16-bit real mode, 1MB address space, and MBR partition tables (max 2TB disks).
Q: What is UEFI?
A: Unified Extensible Firmware Interface — the modern replacement for BIOS. It supports GPT partitions, 64-bit mode, Secure Boot, network booting, and a shell environment. Boot loaders are stored as EFI executables on the ESP (EFI System Partition).
Q: What is Secure Boot?
A: A UEFI feature that verifies the cryptographic signature of boot loaders and kernels before execution, preventing unsigned or tampered code from running. Linux distros use Microsoft-signed shim bootloaders for compatibility.
Q: What is the difference between GPT and MBR?
A: MBR (Master Boot Record) supports up to 4 primary partitions and 2TB disks. GPT (GUID Partition Table) supports up to 128 partitions, disks larger than 2TB, and includes a backup partition table. GPT requires UEFI (or a BIOS boot partition).
Q: What is the ESP?
A: The EFI System Partition — a FAT32-formatted partition (typically 100-550MB) at the beginning of the disk containing UEFI boot loaders. Mounted at /boot/efi on Linux.
Q: What is GRUB2?
A: GRand Unified Bootloader version 2 — the default bootloader for most Linux distributions. It supports multiple OSes, filesystems, UEFI, and offers a rescue shell.
Q: What is GRUB2's main configuration file?
A: /boot/grub2/grub.cfg (or /boot/grub/grub.cfg on Debian-family). It is auto-generated by grub2-mkconfig / update-grub from scripts in /etc/grub.d/ and settings in /etc/default/grub.
Q: What are the stages of GRUB2 boot loading?
A: Stage 1: The boot.img in the MBR (446 bytes) loads stage 1.5. Stage 1.5 (core.img): filesystem-aware code in the post-MBR gap loads stage 2. Stage 2: Full GRUB environment reads grub.cfg, displays menu, and loads the kernel and initramfs.
Q: How do you enter GRUB rescue mode?
A: Press 'c' at the GRUB menu for a command shell, or 'e' to edit a boot entry. If GRUB can't find its config, it drops to grub rescue> automatically.
Q: What is initramfs?
A: Initial RAM Filesystem — a compressed cpio archive loaded into memory by the bootloader alongside the kernel. It contains essential drivers, scripts, and tools needed to mount the real root filesystem (e.g., LVM, RAID, encryption, network drivers).
Q: What is the difference between initramfs and initrd?
A: initrd (initial RAM disk) is an older mechanism that creates a block device in RAM and mounts it as a filesystem. initramfs is a cpio archive extracted into a tmpfs instance. Modern Linux uses initramfs, though the term "initrd" persists colloquially.
Q: What is switch_root?
A: A command executed at the end of initramfs processing that atomically pivots from the temporary root filesystem to the real root. It deletes everything in the initramfs, mounts the real root at /, and exec's the real init process.
Q: What is systemd's role in the boot process?
A: systemd is PID 1 — the first user-space process. The kernel execs it after mounting the root filesystem. systemd parses its unit files, builds a dependency graph, and starts services in parallel to reach the default target.
Q: What are systemd targets, and how do they map to SysVinit runlevels?
A: Targets are systemd unit files grouping services. poweroff.target=runlevel 0, rescue.target=1, multi-user.target=3, graphical.target=5, reboot.target=6.
Q: How do you set the default systemd target?
A: systemctl set-default multi-user.target (creates a symlink at /etc/systemd/system/default.target).
Q: What kernel parameter boots into single-user/rescue mode?
A: Append single, 1, or systemd.unit=rescue.target to the kernel command line in GRUB.
Q: What does the rd.break kernel parameter do?
A: It interrupts the boot process inside the initramfs before the root filesystem is mounted, dropping to an emergency shell. Useful for resetting a forgotten root password (the real root is at /sysroot).
Q: What does the init= kernel parameter do?
A: It overrides the default init process. For example, init=/bin/bash boots directly into a root shell without running systemd, useful for emergency recovery.
Q: What does the quiet kernel parameter do?
A: Suppresses most kernel boot messages, showing only critical errors. The splash parameter enables a graphical boot screen.
Q: What is the GRUB_CMDLINE_LINUX variable?
A: A setting in /etc/default/grub that specifies kernel parameters added to every boot entry when grub2-mkconfig regenerates grub.cfg.
Q: What is the boot sequence order from power-on to login prompt?
A: Firmware (BIOS/UEFI) → Bootloader (GRUB2) → Kernel loading + initramfs → Kernel initialization → PID 1 (systemd) → Default target → Login prompt.
Q: How do you regenerate the initramfs on RHEL/Fedora vs Debian/Ubuntu?
A: RHEL/Fedora: dracut -f. Debian/Ubuntu: update-initramfs -u.
Q: What is the difference between dracut and mkinitcpio?
A: dracut is used by RHEL/Fedora to generate initramfs images using a modular, event-driven approach. mkinitcpio is Arch Linux's tool with a hook-based system. Both produce initramfs cpio archives.
Q: What is PXE boot?
A: Preboot Execution Environment — boots a system over the network. The NIC firmware requests an IP via DHCP, downloads a bootloader via TFTP, and then loads the kernel and initramfs. Used for automated OS deployment.
Q: What is the purpose of the /boot partition?
A: Stores the kernel (vmlinuz), initramfs, and GRUB files. Often a separate partition to ensure the bootloader can access it regardless of the root filesystem type or encryption. Typically 500MB-1GB, formatted as ext4 or xfs.
Q: What does grub2-install do?
A: Installs the GRUB bootloader to a device's MBR or EFI partition. On BIOS: grub2-install /dev/sda. On UEFI: installs to the ESP. Must be run after disk replacement or MBR corruption.
Q: What kernel parameter forces a root password reset?
A: On RHEL: append rd.break to interrupt in initramfs, then mount -o remount,rw /sysroot && chroot /sysroot && passwd root. On systems with SELinux: touch /.autorelabel before rebooting.
Q: What does systemd-analyze show?
A: Boot time analysis. systemd-analyze shows total boot time (firmware, loader, kernel, userspace). systemd-analyze blame shows per-unit startup times. systemd-analyze critical-chain shows the critical path.
Q: What is the emergency.target in systemd?
A: A minimal target that provides a root shell with only the root filesystem mounted read-only. Fewer services than rescue.target. Access with systemd.unit=emergency.target on the kernel command line.
Q: What is the rescue.target in systemd?
A: Equivalent to single-user mode. Starts a minimal system with basic services and a root shell. The root filesystem is mounted read-write. Access with systemd.unit=rescue.target.
4. Process Management
Q: What is a process in Linux?
A: An instance of a running program with its own virtual address space, file descriptors, registers, and kernel metadata stored in a task_struct. Each process has a unique PID.
Q: What is the fork() system call?
A: It creates a new child process that is a near-exact copy of the parent. The child gets a new PID but inherits the parent's memory (via COW), file descriptors, and environment. Fork returns 0 to the child and the child's PID to the parent.
Q: What is the exec() family of system calls?
A: Functions (execve, execvp, execl, etc.) that replace the current process image with a new program. After exec, the PID stays the same but code, data, and stack are replaced.
Q: What is the clone() system call?
A: A more flexible version of fork() that allows fine-grained sharing of resources (memory, file descriptors, signal handlers, namespaces) between parent and child. It is the underlying syscall for creating both processes and threads.
Q: What is PID 1, and why is it special?
A: PID 1 is the init process (systemd on modern systems). It is the ancestor of all user-space processes, adopts orphaned processes, and cannot be killed by signals it does not explicitly handle. If PID 1 dies, the kernel panics.
Q: What is a zombie process?
A: A process that has finished execution but whose exit status has not yet been read by its parent via wait(). It occupies a slot in the process table (shown as state Z) but consumes no other resources.
Q: How do you clean up zombie processes?
A: You cannot kill a zombie — it is already dead. You must signal the parent to call wait() (e.g., kill -SIGCHLD <parent_pid>). If the parent is unresponsive, killing the parent causes init to adopt and reap the zombies.
Q: What is an orphan process?
A: A process whose parent has terminated. Orphans are automatically adopted by PID 1 (init/systemd), which will eventually reap their exit status.
Q: What signal number is SIGHUP?
A: 1. Originally "hangup" — sent when a terminal disconnects. Daemons often repurpose it to trigger config reload.
Q: What signal number is SIGINT?
A: 2. Sent when the user presses Ctrl-C. Default action is to terminate the process.
Q: What signal number is SIGQUIT?
A: 3. Sent by Ctrl-\. Default action is to terminate and produce a core dump.
Q: What signal number is SIGKILL?
A: 9. Immediately terminates a process. Cannot be caught, blocked, or ignored.
Q: What signal number is SIGTERM?
A: 15. The default signal sent by kill. It asks a process to terminate gracefully and can be caught for cleanup.
Q: What is SIGSTOP?
A: Signal 19 (on most architectures) that pauses a process. Like SIGKILL, it cannot be caught, blocked, or ignored. SIGCONT (18) resumes a stopped process.
Q: What is the difference between SIGTERM and SIGKILL?
A: SIGTERM (15) is a polite request that the process can catch and handle for graceful shutdown. SIGKILL (9) forces immediate termination at the kernel level with no cleanup opportunity.
Q: What are SIGUSR1 and SIGUSR2?
A: Signals 10 and 12 — user-defined signals with no predefined meaning. Applications use them for custom purposes (e.g., log rotation, debug toggling).
Q: What is SIGPIPE?
A: Signal 13, sent when a process writes to a pipe with no readers. Default action is termination. Many applications ignore it and check write return values instead.
Q: What is SIGCHLD?
A: Signal 17, sent to a parent process when a child terminates or stops. Allows the parent to asynchronously reap child exit status.
Q: What is SIGALRM?
A: Signal 14, sent when a timer set by alarm() expires. Used for implementing timeouts.
Q: What is SIGSEGV?
A: Signal 11 — segmentation fault. Sent when a process accesses invalid memory. Default action is termination with core dump.
Q: What are the Linux process states and their codes?
A: R = Running/runnable, S = Interruptible sleep, D = Uninterruptible sleep (usually I/O), Z = Zombie, T = Stopped (signal or debugger), I = Idle kernel thread (not consuming CPU).
Q: What is the D (uninterruptible sleep) state, and why can't you kill processes in it?
A: A process in D state is waiting for I/O completion (e.g., disk, NFS). It cannot be interrupted by signals (not even SIGKILL) because doing so could corrupt kernel data structures. It will exit D state when the I/O completes.
Q: What does the nice command do?
A: Sets the scheduling priority of a process. Nice values range from -20 (highest priority) to 19 (lowest priority). Default is 0. Only root can set negative nice values.
Q: What does renice do?
A: Changes the nice value of a running process. Usage: renice -n 10 -p <PID>.
Q: What is ionice?
A: Sets the I/O scheduling class and priority of a process. Classes: 1=realtime, 2=best-effort (default), 3=idle. Priorities range from 0 (highest) to 7 (lowest) within classes 1 and 2.
Q: What are cgroups?
A: Control Groups — a kernel feature for organizing processes into hierarchical groups and applying resource limits (CPU, memory, I/O, network, PIDs). cgroups v1 uses multiple independent hierarchies; cgroups v2 uses a unified hierarchy.
Q: What is the key difference between cgroups v1 and v2?
A: v1 has separate hierarchies per resource controller (cpu, memory, blkio, etc.). v2 has a single unified hierarchy where all controllers are managed together, simplifying configuration and avoiding inconsistencies.
Q: What are Linux namespaces?
A: Kernel features that isolate and virtualize system resources for groups of processes. Each namespace type provides an independent instance of a global resource.
Q: What are the 8 types of Linux namespaces?
A: Mount (mnt), UTS (hostname), IPC (inter-process communication), Network (net), PID, User (UID/GID mapping), Cgroup, and Time (clock offsets, added in kernel 5.6).
Q: What does the unshare command do?
A: Creates new namespaces and runs a command in them, without forking. For example, unshare --net bash starts a shell with its own isolated network namespace.
Q: What does the nsenter command do?
A: Enters an existing namespace of a running process. For example, nsenter -t <PID> -n bash enters the network namespace of process PID.
Q: What information can you find in /proc/PID/status?
A: Process name, state, TGID, PID, PPid, UID/GID (real, effective, saved, filesystem), memory usage (VmSize, VmRSS, VmSwap), threads, voluntary/involuntary context switches, capabilities, cgroup, and namespace info.
Q: What is /proc/PID/maps?
A: Shows the virtual memory mappings of a process — address ranges, permissions, offsets, device, inode, and mapped file paths. Useful for understanding a process's memory layout.
Q: What is /proc/PID/fd/?
A: A directory containing symbolic links for each open file descriptor of the process. ls -la /proc/PID/fd/ shows what files, sockets, and pipes a process has open.
Q: What is the difference between nohup and disown?
A: nohup runs a command immune to SIGHUP with output redirected to nohup.out (used at launch). disown removes an already-running background job from the shell's job table so it won't receive SIGHUP when the shell exits.
Q: What is the difference between screen and tmux?
A: Both are terminal multiplexers. tmux is more modern with a client-server architecture, better scripting support, and easier keybindings. screen is older but still widely available. Both allow sessions to persist after disconnection.
Q: What command shows the process tree?
A: pstree shows processes in a tree hierarchy. ps auxf also shows a forest view.
Q: What is a thread in Linux?
A: A lightweight process sharing the same address space, file descriptors, and signal handlers with other threads in the same thread group. Created via clone() with CLONE_VM, CLONE_FILES, CLONE_SIGHAND flags.
Q: What is a daemon?
A: A background process that runs without a controlling terminal, typically started at boot. Conventionally named with a trailing 'd' (sshd, httpd, crond).
Q: What is /proc/PID/cmdline?
A: Contains the command and arguments used to start the process, with arguments separated by null bytes.
5. File Systems & Storage
Q: What filesystem do most RHEL/CentOS/Fedora systems use by default?
A: XFS — chosen for its scalability, performance with large files, and support for online growth. RHEL 7+ uses XFS as default.
Q: What filesystem does Debian/Ubuntu use by default?
A: ext4 — the most widely deployed Linux filesystem, known for backward compatibility, reliability, and mature tooling.
Q: What is ext4?
A: The fourth extended filesystem — supports volumes up to 1 exabyte, files up to 16TB, extents-based allocation, delayed allocation, journal checksumming, and online defragmentation. Backward compatible with ext2/ext3.
Q: What is XFS?
A: A high-performance 64-bit journaling filesystem originally developed by SGI. Known for excellent parallel I/O, allocation group-based design, online growth (but not shrinking), and reflink/COW support.
Q: What is Btrfs?
A: B-tree filesystem — a copy-on-write filesystem with built-in volume management, snapshots, checksumming, compression, RAID, and send/receive for incremental backups. Default on openSUSE and Fedora workstation.
Q: What is the ZFS licensing controversy?
A: ZFS is licensed under the CDDL (Common Development and Distribution License), which the FSF considers incompatible with GPLv2. This prevents ZFS from being distributed as part of the Linux kernel. Ubuntu includes it via DKMS; others use OpenZFS as a loadable module.
Q: What is tmpfs?
A: A filesystem that keeps all files in virtual memory (RAM + swap). Files are not persisted to disk. Used for /tmp, /run, and /dev/shm. Size is dynamic up to a configurable limit.
Q: What is procfs?
A: A virtual filesystem mounted at /proc that exposes kernel and process information as files. It contains no actual files on disk — the kernel generates content dynamically when files are read.
Q: What is sysfs?
A: A virtual filesystem mounted at /sys that exports information about kernel objects (devices, drivers, buses, modules) as a structured directory tree with attributes as files.
Q: What is an inode, and what does it store?
A: An index node storing file metadata: file type, permissions, owner UID/GID, size, timestamps (atime, mtime, ctime), hard link count, and pointers to data blocks. It does NOT contain the filename — that's stored in the directory entry.
Q: What is inode exhaustion?
A: Running out of inodes before running out of disk space, preventing creation of new files. Common with filesystems storing millions of tiny files. Check with df -i.
Q: What is the difference between a hard link and a soft (symbolic) link?
A: A hard link is another directory entry pointing to the same inode — same file, same data. A soft link is a special file containing a path to the target. Hard links can't cross filesystems or link to directories; soft links can do both.
Q: What happens when you delete the target of a symbolic link?
A: The symlink becomes a "dangling" or "broken" link. Accessing it returns ENOENT (No such file or directory).
Q: What happens when you delete a hard link?
A: The inode's link count decreases by one. The file data is only freed when the link count reaches zero AND no process has the file open.
Q: What are the three journaling modes in ext4?
A: data=journal: both data and metadata are journaled (safest, slowest). data=ordered (default): metadata is journaled, data is flushed before metadata commits. data=writeback: only metadata is journaled (fastest, least safe).
Q: What is LVM?
A: Logical Volume Manager — an abstraction layer between physical disks and filesystems. It allows flexible volume management including resizing, snapshots, and spanning multiple disks.
Q: What are the three LVM layers?
A: PV (Physical Volume) = a disk or partition. VG (Volume Group) = a pool of PVs. LV (Logical Volume) = a virtual partition carved from a VG, onto which you create a filesystem.
Q: How do you create an LVM logical volume?
A: pvcreate /dev/sdb → vgcreate myvg /dev/sdb → lvcreate -L 10G -n mylv myvg → mkfs.xfs /dev/myvg/mylv.
Q: What is an LVM snapshot?
A: A point-in-time copy of a logical volume using copy-on-write. The snapshot stores only changed blocks, making it space-efficient. Used for backups and testing.
Q: What is LVM thin provisioning?
A: A feature allowing LVs to be larger than the actual available storage, with physical space allocated only when data is written. Enables overcommitment and more flexible storage management.
Q: What is RAID 0?
A: Striping — data is distributed across multiple disks for performance. No redundancy. If one disk fails, all data is lost. Read/write speed scales with the number of disks.
Q: What is RAID 1?
A: Mirroring — data is duplicated on two or more disks. Provides redundancy (survives disk failure) but usable capacity is only half. Read speed improves, write speed does not.
Q: What is RAID 5?
A: Distributed parity — data and parity are striped across 3+ disks. Survives one disk failure. Usable capacity = (N-1) disks. Write penalty due to parity calculation.
Q: What is RAID 6?
A: Like RAID 5 but with double distributed parity across 4+ disks. Survives two simultaneous disk failures. Usable capacity = (N-2) disks.
Q: What is RAID 10?
A: A nested RAID: mirrors (RAID 1) that are then striped (RAID 0). Requires at least 4 disks. Provides both redundancy and performance. Usable capacity is 50%.
Q: What is LUKS?
A: Linux Unified Key Setup — the standard for Linux disk encryption. It stores encryption metadata in a header on the partition and supports multiple key slots (up to 8). Uses dm-crypt as the kernel-level encryption layer.
Q: What is dm-crypt?
A: A kernel device-mapper target that provides transparent encryption of block devices. LUKS uses dm-crypt as its backend. cryptsetup is the userspace tool for managing LUKS volumes.
Q: What are the fields in /etc/fstab?
A: Device (UUID/path), mount point, filesystem type, mount options, dump flag (0/1), fsck pass number (0/1/2). Six fields separated by whitespace.
Q: What do the mount options noexec, nosuid, and nodev mean?
A: noexec: prevents execution of binaries. nosuid: ignores setuid/setgid bits. nodev: ignores device files. Commonly applied to /tmp and removable media for security.
Q: What is NFS?
A: Network File System — a distributed filesystem protocol allowing clients to access files over a network as if they were local. NFSv4 uses TCP port 2049 and supports Kerberos authentication.
Q: What is iSCSI?
A: Internet Small Computer Systems Interface — a protocol that allows SCSI commands to be sent over TCP/IP networks, providing block-level access to remote storage. Uses initiators (clients) and targets (servers).
Q: What is a loopback device?
A: A pseudo-device (/dev/loopN) that makes a regular file accessible as a block device. Used to mount disk images (ISOs, filesystem images): mount -o loop image.iso /mnt.
Q: How do you check filesystem disk usage?
A: df -h shows mounted filesystem usage in human-readable format. du -sh /path shows directory/file space usage.
Q: What is the tune2fs command?
A: Adjusts tunable parameters on ext2/ext3/ext4 filesystems, such as mount count, check intervals, reserved block percentage, and enabling/disabling features like journaling.
Q: What is fsck?
A: Filesystem check — scans and repairs filesystem inconsistencies. Must be run on unmounted filesystems (or read-only mounted root in single-user mode). ext4 uses e2fsck; XFS uses xfs_repair.
Q: What is a block device?
A: A device that provides buffered, random-access I/O in fixed-size blocks (sectors). Examples: hard drives, SSDs, partitions, LVM logical volumes. Listed with lsblk.
Q: What is the difference between block and character devices?
A: Block devices handle data in blocks with buffering (disks, partitions). Character devices transfer data character by character without buffering (terminals, serial ports, /dev/null).
6. Users, Groups & Permissions
Q: What is the format of /etc/passwd?
A: username:x:UID:GID:comment:home_directory:shell. The x indicates the password is in /etc/shadow. Seven colon-separated fields.
Q: What is the format of /etc/shadow?
A: username:encrypted_password:last_change:min_age:max_age:warn:inactive:expire:reserved. Nine colon-separated fields. Only readable by root.
Q: What is the format of /etc/group?
A: group_name:password:GID:member_list. The member_list is a comma-separated list of usernames who are supplementary members of the group.
Q: What UID is reserved for root?
A: UID 0. Any account with UID 0 has full superuser privileges.
Q: What is the typical UID range for system accounts vs regular users?
A: System accounts: 1-999 (or 1-499 on older systems). Regular users: 1000+ (or 500+ on older systems). Defined in /etc/login.defs.
Q: How does chmod octal notation work?
A: Three octal digits represent owner, group, and others. Each digit is the sum of: read=4, write=2, execute=1. Example: chmod 755 = rwxr-xr-x.
Q: How does chmod symbolic notation work?
A: Format: [ugoa][+-=][rwxXsStT]. Examples: chmod u+x file adds execute for owner. chmod go-w file removes write for group and others. chmod a=r file sets read-only for all.
Q: What is the setuid bit?
A: When set on an executable (octal 4000, chmod u+s), the process runs with the file owner's effective UID instead of the caller's. Example: /usr/bin/passwd runs as root to modify /etc/shadow.
Q: What is the setgid bit?
A: Octal 2000 (chmod g+s). On executables: process runs with the file's group effective GID. On directories: new files inherit the directory's group rather than the creator's primary group.
Q: What is the sticky bit?
A: Octal 1000 (chmod +t). On directories: only the file owner, directory owner, or root can delete files within. Set on /tmp to prevent users from deleting each other's files.
Q: What does umask do?
A: Sets the default permission mask for new files and directories. The umask is subtracted from the maximum permissions (666 for files, 777 for directories). A umask of 022 results in files at 644 and directories at 755.
Q: What is an ACL in Linux?
A: Access Control List — extends the traditional user/group/other permission model to allow fine-grained permissions for specific users and groups on individual files. Managed with getfacl and setfacl.
Q: How do you set a default ACL on a directory?
A: setfacl -d -m u:alice:rwx /shared/ — the -d flag sets a default ACL that new files and subdirectories inherit.
Q: What is PAM?
A: Pluggable Authentication Modules — a framework that separates authentication logic from applications. Configuration files in /etc/pam.d/ define stacks of modules (auth, account, password, session) for each service.
Q: What is the correct way to edit the sudoers file?
A: Always use visudo, which validates syntax before saving. Editing /etc/sudoers directly risks syntax errors that can lock you out of sudo.
Q: What is the basic sudoers syntax?
A: user HOST=(RUNAS) COMMANDS. Example: alice ALL=(ALL) ALL allows alice to run any command as any user on any host. %wheel ALL=(ALL) ALL allows the wheel group.
Q: What is NOPASSWD in sudoers?
A: alice ALL=(ALL) NOPASSWD: /usr/bin/systemctl restart nginx allows alice to run that specific command via sudo without entering a password.
Q: What is the difference between RUID, EUID, and SUID?
A: RUID (Real UID): the actual user who started the process. EUID (Effective UID): the UID used for permission checks (can differ from RUID via setuid). SUID (Saved UID): saves the previous EUID so the process can switch back.
Q: What command shows your current UID and group memberships?
A: id — shows UID, GID, and all supplementary groups for the current user or specified username.
Q: How do you lock a user account?
A: usermod -L username (prepends ! to the password hash in /etc/shadow) or passwd -l username. To also expire the account: chage -E 0 username.
Q: What is /etc/login.defs?
A: Configuration file defining default settings for user account creation: UID/GID ranges, password aging defaults, umask, home directory creation, and encryption method.
Q: What is the newgrp command?
A: Temporarily changes the user's primary group for the current shell session. Useful for creating files with a different group ownership.
7. Networking
Q: What are the 7 layers of the OSI model?
A: From bottom to top: Physical (1), Data Link (2), Network (3), Transport (4), Session (5), Presentation (6), Application (7). Mnemonic: "Please Do Not Throw Sausage Pizza Away."
Q: What are the layers of the TCP/IP model?
A: Four layers: Network Access/Link (1), Internet/Network (2), Transport (3), Application (4). It maps to OSI as: Layers 1-2 → Link, Layer 3 → Internet, Layer 4 → Transport, Layers 5-7 → Application.
Q: Describe the TCP three-way handshake.
A: Client sends SYN (seq=x). Server responds with SYN-ACK (seq=y, ack=x+1). Client sends ACK (seq=x+1, ack=y+1). Connection is now ESTABLISHED.
Q: What is the TCP TIME_WAIT state?
A: After sending the final ACK in connection teardown, the initiating side enters TIME_WAIT for 2×MSL (typically 60 seconds). This ensures late duplicate packets are handled and the remote end can retransmit its FIN if the ACK was lost.
Q: What are the common TCP socket states?
A: LISTEN, SYN_SENT, SYN_RECV, ESTABLISHED, FIN_WAIT1, FIN_WAIT2, CLOSE_WAIT, TIME_WAIT, LAST_ACK, CLOSING, CLOSED.
Q: Why is the ip command preferred over ifconfig?
A: ifconfig, route, netstat, and arp are from the deprecated net-tools package. The ip command (from iproute2) supports newer features like network namespaces, multiple routing tables, and policy routing.
Q: What replaces ifconfig in the ip command suite?
A: ip addr show (or ip a) replaces ifconfig. ip route replaces route. ip neigh replaces arp. ip link replaces ifconfig for interface state management.
Q: What are the iptables tables and their purposes?
A: filter (default): packet filtering (INPUT, FORWARD, OUTPUT). nat: network address translation (PREROUTING, OUTPUT, POSTROUTING). mangle: packet alteration. raw: exemption from connection tracking. security: SELinux MAC rules.
Q: What are the iptables chains in the filter table?
A: INPUT (packets destined for the local host), FORWARD (packets routed through the host), OUTPUT (packets generated by the local host).
Q: What is nftables?
A: The replacement for iptables, ip6tables, arptables, and ebtables. It uses a single framework with a new syntax, improved performance, and atomic rule updates. The nft command is the primary interface.
Q: What is the DNS resolution order on Linux?
A: Controlled by the hosts: line in /etc/nsswitch.conf. Typically it reads "hosts: files dns", meaning /etc/hosts is checked first, then the DNS resolvers listed in /etc/resolv.conf.
Q: What is /etc/resolv.conf?
A: Contains DNS resolver configuration: nameserver (IP of DNS server, up to 3), search (domain search list), and options (timeout, attempts, etc.). Often managed by NetworkManager or systemd-resolved.
Q: What are network bonding modes?
A: Mode 0: balance-rr (round-robin). Mode 1: active-backup. Mode 2: balance-xor. Mode 3: broadcast. Mode 4: 802.3ad (LACP). Mode 5: balance-tlb (adaptive transmit load balancing). Mode 6: balance-alb (adaptive load balancing).
Q: What is the most common bonding mode in production?
A: Mode 4 (802.3ad / LACP) — requires switch support. Mode 1 (active-backup) is used when switch configuration isn't possible.
Q: What is a network bridge?
A: A software device that connects two or more network segments at Layer 2 (data link). Commonly used in virtualization to connect VMs to the physical network.
Q: What is a VLAN?
A: Virtual LAN — a Layer 2 network segmentation technique using 802.1Q tagging. In Linux, created with ip link add link eth0 name eth0.100 type vlan id 100.
Q: What is the difference between ss and netstat?
A: ss (socket statistics) is faster, uses kernel netlink sockets directly, and is the modern replacement for netstat (deprecated, from net-tools). Common usage: ss -tlnp shows listening TCP sockets with process info.
Q: What are the key ss flags?
A: -t TCP, -u UDP, -l listening, -n numeric (no DNS resolution), -p show process, -a all sockets, -s summary statistics, -4/-6 IPv4/IPv6 only.
Q: What is SSH key-based authentication?
A: The user generates a key pair (public/private). The public key is placed in ~/.ssh/authorized_keys on the server. During login, the client proves possession of the private key via a challenge-response protocol without transmitting the key.
Q: What is SSH agent forwarding?
A: Allows using local SSH keys on remote servers without copying private keys. The remote server forwards key operations back to the local ssh-agent. Enabled with ssh -A or ForwardAgent yes. Use cautiously — a compromised remote host can use your agent.
Q: What is SSH ProxyJump?
A: A feature (ssh -J jump_host target_host or ProxyJump in ssh_config) that connects to a target through an intermediate bastion/jump host without needing a shell on the jump host.
Q: What is SSH tunneling (port forwarding)?
A: Local forwarding (-L): forwards a local port to a remote destination through the SSH connection. Remote forwarding (-R): forwards a remote port back to a local destination. Dynamic forwarding (-D): creates a SOCKS proxy.
Q: What is the well-known port for SSH?
A: 22/tcp.
Q: What is port 25 used for?
A: SMTP (Simple Mail Transfer Protocol) — email delivery between mail servers.
Q: What is port 53 used for?
A: DNS (Domain Name System) — uses both TCP and UDP. UDP for queries under 512 bytes; TCP for zone transfers and large responses.
Q: What is port 80 used for?
A: HTTP (Hypertext Transfer Protocol) — unencrypted web traffic.
Q: What is port 443 used for?
A: HTTPS (HTTP Secure) — TLS-encrypted web traffic.
Q: What are ports 3306, 5432, and 6379?
A: 3306 = MySQL/MariaDB, 5432 = PostgreSQL, 6379 = Redis.
Q: What is port 8080 commonly used for?
A: An alternative HTTP port, often used for web application servers, proxies, and development servers to avoid requiring root for binding to port 80.
Q: What is the ephemeral port range in Linux?
A: 32768-60999 by default, configurable via /proc/sys/net/ipv4/ip_local_port_range. Used for outbound connections.
Q: What is the MTU?
A: Maximum Transmission Unit — the largest packet size that can be sent on a network link without fragmentation. Default is 1500 bytes for Ethernet. Jumbo frames use 9000 bytes.
Q: What command shows the routing table?
A: ip route show (or ip r). The route -n command is deprecated but still commonly used.
Q: What is ARP?
A: Address Resolution Protocol — maps IPv4 addresses to MAC addresses on a local network. View the ARP cache with ip neigh show.
Q: What is the loopback interface?
A: lo — a virtual network interface with address 127.0.0.1/8 (IPv4) and ::1/128 (IPv6). Traffic sent to it never leaves the host; used for inter-process communication and testing.
8. Package Management
Q: What are the two main package management families?
A: Debian-based (.deb packages, dpkg/apt) and Red Hat-based (.rpm packages, rpm/yum/dnf).
Q: What is the difference between dpkg and apt?
A: dpkg is the low-level tool that installs/removes .deb files without resolving dependencies. apt is the high-level tool that resolves dependencies, downloads from repositories, and calls dpkg.
Q: What is the difference between rpm, yum, and dnf?
A: rpm is the low-level package installer (no dependency resolution). yum (Yellowdog Updater Modified) is the traditional high-level resolver. dnf (Dandified YUM) replaced yum in Fedora 22+ and RHEL 9 with better dependency resolution (libsolv) and performance.
Q: How do you list all installed packages on Debian/Ubuntu?
A: dpkg -l or apt list --installed.
Q: How do you list all installed packages on RHEL/Fedora?
A: rpm -qa or dnf list installed.
Q: How do you find which package provides a file on RHEL?
A: dnf provides /path/to/file or rpm -qf /path/to/file for already installed files.
Q: How do you find which package provides a file on Debian?
A: dpkg -S /path/to/file for installed packages. apt-file search /path/to/file for all available packages (requires apt-file).
Q: Where are apt repository definitions stored?
A: /etc/apt/sources.list and files in /etc/apt/sources.list.d/.
Q: Where are yum/dnf repository definitions stored?
A: /etc/yum.repos.d/*.repo files.
Q: How does GPG key verification work for packages?
A: Repositories sign packages with GPG keys. The package manager verifies signatures against trusted keys. On RHEL: rpm --import <key-url>. On Debian: apt-key add <key> (deprecated) or keys in /etc/apt/trusted.gpg.d/.
Q: What is the difference between snap, flatpak, and AppImage?
A: Snap (Canonical): sandboxed, auto-updating, uses squashfs, centralized Snap Store. Flatpak (Red Hat/Freedesktop): sandboxed via bubblewrap, Flathub as main repo, desktop-focused. AppImage: single-file portable executables, no installation, no sandboxing.
Q: What is Pacman?
A: The package manager for Arch Linux. Uses .pkg.tar.zst packages and the -S (sync/install), -R (remove), -Q (query), -U (upgrade local) operations. Example: pacman -Syu does a full system upgrade.
Q: What is zypper?
A: The package manager for SUSE/openSUSE. Supports RPM packages with libsolv dependency resolver, patterns, patches, and repository management.
Q: What is the AUR?
A: Arch User Repository — a community-driven repository of build scripts (PKGBUILDs) for Arch Linux. Packages are built from source by the user. Helpers like yay or paru automate the process.
Q: How do you rebuild an RPM package?
A: Use rpmbuild with a .spec file. The spec defines sources, build steps, dependencies, and file lists. Build with rpmbuild -ba package.spec.
Q: What is dpkg-buildpackage?
A: The Debian tool for building .deb packages from source. It reads debian/control, debian/rules, and other files in the debian/ directory.
Q: What does apt-mark hold <package> do?
A: Prevents a package from being automatically upgraded. Equivalent to dnf versionlock add <package> on RHEL.
9. Shell & Bash Scripting
Q: What is the difference between a login shell and a non-login shell?
A: A login shell is started for user authentication (SSH, console login, su -). A non-login shell is started otherwise (opening a terminal emulator, running bash). They source different startup files.
Q: What is the difference between an interactive and non-interactive shell?
A: An interactive shell reads commands from the user (terminal). A non-interactive shell executes commands from a script or pipe. Interactive shells show prompts and enable job control.
Q: What files does a Bash login shell source?
A: First /etc/profile, then the first found of ~/.bash_profile, ~/.bash_login, or ~/.profile (only one). On logout: ~/.bash_logout.
Q: What files does a Bash interactive non-login shell source?
A: /etc/bash.bashrc (on some distros) and ~/.bashrc. This is why .bash_profile often sources .bashrc.
Q: What is the shebang (#!)?
A: The first line of a script (e.g., #!/bin/bash or #!/usr/bin/env python3) that tells the kernel which interpreter to use. #!/usr/bin/env is preferred for portability as it searches PATH.
Q: What does ${var:-default} do?
A: Returns $var if it is set and non-null, otherwise returns default. Does not assign default to var.
Q: What does ${var:=default} do?
A: Returns $var if set and non-null, otherwise assigns default to var AND returns it.
Q: What does ${var:+alternate} do?
A: Returns alternate if $var is set and non-null, otherwise returns nothing.
Q: What does ${var:?error_message} do?
A: Returns $var if set and non-null, otherwise prints error_message to stderr and exits.
Q: What does ${#var} do?
A: Returns the length (number of characters) of the value of $var.
Q: What does ${var%pattern} do?
A: Removes the shortest match of pattern from the end of $var. ${var%%pattern} removes the longest match. Used for suffix stripping (e.g., ${filename%.txt}).
Q: What does ${var#pattern} do?
A: Removes the shortest match of pattern from the beginning of $var. ${var##pattern} removes the longest match. Used for prefix stripping (e.g., ${path##*/} extracts the filename).
Q: What does exit code 0 mean?
A: Success. Any non-zero exit code indicates failure.
Q: What does exit code 1 mean?
A: General error — the most common failure exit code.
Q: What does exit code 2 mean?
A: Misuse of shell command or built-in, such as invalid options or missing required arguments.
Q: What does exit code 126 mean?
A: Command found but not executable (permission denied).
Q: What does exit code 127 mean?
A: Command not found.
Q: What does exit code 128+n mean?
A: The process was killed by signal n. For example, 137 = 128+9 (killed by SIGKILL), 143 = 128+15 (killed by SIGTERM).
Q: What does exit code 130 mean?
A: Process terminated by Ctrl-C (128 + 2 for SIGINT).
Q: What is the difference between > and >>?
A: > redirects stdout to a file, overwriting it. >> appends to the file.
Q: What does 2> do?
A: Redirects stderr (file descriptor 2) to a file. 2>/dev/null discards error messages.
Q: What does 2>&1 do?
A: Redirects stderr to wherever stdout is currently going. Combined with >, it captures both stdout and stderr to the same file: command > file 2>&1.
Q: What does &> do?
A: Bash shorthand for redirecting both stdout and stderr to a file: command &> file is equivalent to command > file 2>&1.
Q: What is a here document (heredoc)?
A: A redirection that allows multi-line input: command <<EOF ... EOF. With <<'EOF' (quoted delimiter), variable expansion is disabled. <<-EOF allows leading tabs to be stripped.
Q: What is a here string?
A: <<< feeds a string directly as stdin: grep "pattern" <<< "$variable".
Q: What is process substitution?
A: <(command) creates a temporary file descriptor containing the command's output. Useful for comparing outputs: diff <(sort file1) <(sort file2).
Q: What does set -e do?
A: Causes the script to exit immediately when any command returns a non-zero exit code (with some exceptions like conditions in if statements).
Q: What does set -u do?
A: Treats references to unset variables as errors, causing the script to exit.
Q: What does set -o pipefail do?
A: Causes a pipeline to return the exit code of the last command that failed (non-zero), rather than only the last command. Without this, false | true returns 0.
Q: What does set -x do?
A: Enables debug mode — each command is printed to stderr before execution, prefixed with +.
Q: How do you define a Bash array?
A: arr=(one two three). Access: ${arr[0]}. All elements: ${arr[@]}. Length: ${#arr[@]}.
Q: How do you define a Bash associative array?
A: declare -A map; map[key1]=val1; map[key2]=val2. Access: ${map[key1]}. All keys: ${!map[@]}.
Q: What is trap in Bash?
A: Registers a command to execute when a signal is received or on script exit: trap 'rm -f /tmp/lockfile' EXIT. Common signals to trap: EXIT, ERR, INT, TERM.
Q: What is job control?
A: Interactive shell feature for managing background/foreground processes. command & runs in background. Ctrl-Z suspends foreground job. bg resumes in background. fg brings to foreground. jobs lists current jobs.
Q: What is the difference between $@ and $*?
A: Unquoted, they are identical. Quoted: "$@" expands to separate words (preserving arguments), "$*" expands to a single word with arguments joined by the first character of IFS. Always use "$@" for passing arguments.
Q: What is $??
A: The exit status of the last executed command.
Q: What is $$?
A: The PID of the current shell/script.
Q: What is $!?
A: The PID of the most recently backgrounded process.
Q: What is $0?
A: The name of the script or shell.
Q: What is $#?
A: The number of positional parameters passed to the script.
10. Text Processing
Q: What does grep stand for?
A: "Global Regular Expression Print" — from the ed command g/re/p.
Q: What is the difference between grep -E and grep -P?
A: -E uses Extended Regular Expressions (ERE): +, ?, |, {}, () without backslash escaping. -P uses Perl-Compatible Regular Expressions (PCRE) with advanced features like lookahead, lookbehind, and \d.
Q: What does grep -r do?
A: Recursively searches through directories. -R follows symbolic links; -r does not.
Q: What does grep -l do?
A: Prints only the filenames of files containing matches, not the matching lines.
Q: What does grep -c do?
A: Prints only the count of matching lines per file.
Q: What does grep -v do?
A: Inverts the match — shows lines that do NOT match the pattern.
Q: What does grep -i do?
A: Case-insensitive matching.
Q: What does grep -o do?
A: Prints only the matched portion of the line, not the entire line.
Q: How do you perform a basic sed substitution?
A: sed 's/old/new/' file replaces the first occurrence per line. sed 's/old/new/g' file replaces all occurrences. sed -i 's/old/new/g' file edits in place.
Q: How do you delete lines with sed?
A: sed '/pattern/d' file deletes lines matching the pattern. sed '5d' file deletes line 5. sed '3,7d' file deletes lines 3-7.
Q: What is the basic structure of an awk program?
A: awk 'pattern {action}' file. If no pattern, the action runs on every line. If no action, matching lines are printed. $1, $2, etc., are fields; $0 is the whole line.
Q: What are awk's key built-in variables?
A: NR = current record/line number, NF = number of fields in current record, FS = field separator (default whitespace), OFS = output field separator, RS = record separator, ORS = output record separator, FILENAME = current filename.
Q: What is BEGIN/END in awk?
A: BEGIN {actions} runs before any input is processed (good for initialization). END {actions} runs after all input is processed (good for summaries). Example: awk 'BEGIN{sum=0} {sum+=$1} END{print sum}'.
Q: What does the cut command do?
A: Extracts sections from lines. -d sets delimiter, -f selects fields: cut -d: -f1,3 /etc/passwd extracts username and UID.
Q: What does the sort command do?
A: Sorts lines. Key flags: -n numeric sort, -r reverse, -k sort by field, -u unique, -t field separator, -h human-readable numbers, -V version sort.
Q: What does uniq do?
A: Filters adjacent duplicate lines. Usually paired with sort first: sort file | uniq. -c counts occurrences, -d shows only duplicates, -u shows only unique lines.
Q: What does tr do?
A: Translates or deletes characters: tr 'a-z' 'A-Z' converts lowercase to uppercase. tr -d '\r' removes carriage returns. tr -s ' ' squeezes repeated spaces.
Q: What does wc do?
A: Word count. -l lines, -w words, -c bytes, -m characters. wc -l file counts lines.
Q: What does tee do?
A: Reads stdin, writes to both stdout and one or more files: command | tee output.log displays output and saves it. -a appends instead of overwriting.
Q: What does xargs do?
A: Builds and executes commands from stdin. find . -name "*.log" | xargs rm. Use -0 with find -print0 for filenames with spaces. -I {} sets a placeholder: echo file | xargs -I {} cp {} backup/.
Q: How does find -exec work?
A: Executes a command on each match: find /var -name "*.log" -exec gzip {} \;. Using + instead of \; batches files into fewer command invocations: find . -name "*.txt" -exec wc -l {} +.
Q: What is find -print0?
A: Outputs filenames separated by null bytes instead of newlines, safely handling filenames with spaces and special characters. Used with xargs -0.
Q: What is the difference between BRE, ERE, and PCRE?
A: BRE (Basic Regular Expressions): grep default, requires \ for (), {}, +, ?. ERE (Extended): grep -E/egrep, no backslash needed. PCRE (Perl-Compatible): grep -P, adds \d, \w, lookaround, non-greedy quantifiers.
Q: How do you count occurrences of a word in a file using command-line tools?
A: grep -o -w "word" file | wc -l — -o prints each match on its own line, -w matches whole words only.
11. systemd¶
Q: What is systemd?
A: The default init system and service manager on most modern Linux distributions. Created by Lennart Poettering and Kay Sievers. It manages services, logging, device events, mount points, timers, and more.
Q: What are the main systemd unit types?
A: service (daemons), socket (IPC/network sockets), timer (cron replacement), mount (mount points), device (udev devices), target (groups of units), path (file monitoring), slice (cgroup resource management), scope (externally created processes).
Q: What is the command to start a service?
A: systemctl start <service>.
Q: What is the difference between enable and start?
A: start immediately begins the service. enable creates symlinks so the service starts automatically at boot. Use both: systemctl enable --now <service>.
Q: What does systemctl mask do?
A: Creates a symlink to /dev/null, making it impossible to start the unit (manually or as a dependency). Stronger than disable. Undo with systemctl unmask.
Q: What does systemctl daemon-reload do?
A: Reloads systemd's configuration — required after modifying unit files. It does NOT restart any services; it just re-reads the files.
Q: Where are systemd unit files stored?
A: /usr/lib/systemd/system/ (package defaults), /etc/systemd/system/ (admin overrides, highest priority), /run/systemd/system/ (runtime generated).
Q: How do you override part of a unit file without modifying the original?
A: Create a drop-in directory: /etc/systemd/system/<unit>.d/override.conf. Use systemctl edit <unit> to create it automatically.
Q: What is socket activation?
A: systemd listens on a socket and starts the associated service only when a connection arrives. This speeds up boot (services start on demand) and allows zero-downtime restarts.
Q: What are the key dependency directives in systemd?
A: Requires=: hard dependency (if the required unit fails, this unit fails). Wants=: soft dependency (failure is tolerated). After=/Before=: ordering only, no dependency. BindsTo=: like Requires but also stops this unit when the other stops.
Q: How do you view logs with journalctl?
A: journalctl shows all logs. -u <service> filters by unit. -b shows current boot. --since "1 hour ago" filters by time. -p err shows priority err and above. -f follows (like tail -f). -k shows kernel messages.
Q: What log priorities does journalctl support?
A: 0=emerg, 1=alert, 2=crit, 3=err, 4=warning, 5=notice, 6=info, 7=debug. Use -p 0..3 to show only critical messages.
Q: How does systemd integrate with cgroups?
A: Each systemd service runs in its own cgroup, allowing resource accounting and limits. Use CPUQuota=, MemoryMax=, IOWeight= in unit files. systemd-cgtop shows per-service resource usage.
Q: What is a systemd timer?
A: A replacement for cron jobs. Timer units (.timer) activate associated service units on a schedule. Support calendar events (OnCalendar=), monotonic timers (OnBootSec=, OnUnitActiveSec=), and persistent timers that catch up on missed runs.
Q: What does systemctl list-units --type=service --state=failed show?
A: All service units currently in a failed state. Useful for troubleshooting boot or runtime failures.
Q: What is systemd-tmpfiles?
A: Manages creation, deletion, and cleanup of temporary and volatile files. Configuration in /etc/tmpfiles.d/ and /usr/lib/tmpfiles.d/. Runs at boot via systemd-tmpfiles-setup.service.
Q: What is systemd-resolved?
A: systemd's DNS resolver daemon. It provides a local DNS stub listener at 127.0.0.53, supports DNSSEC, DNS-over-TLS, and LLMNR. Configured via resolvectl or /etc/systemd/resolved.conf.
Q: What is systemd-networkd?
A: systemd's network management daemon for configuring network interfaces via .network, .netdev, and .link files in /etc/systemd/network/. Lightweight alternative to NetworkManager for servers and containers.
Q: How do you check why a service failed?
A: systemctl status <service> shows recent log output and the exit code. journalctl -u <service> -b --no-pager shows full logs for the current boot.
12. Security¶
Q: What is SELinux?
A: Security-Enhanced Linux — a Mandatory Access Control (MAC) system developed by the NSA and Red Hat. It enforces security policies beyond traditional DAC (discretionary access control), labeling every process, file, and resource with a security context.
Q: What are the three SELinux modes?
A: enforcing: policies are enforced, violations are blocked and logged. permissive: violations are logged but not blocked (useful for debugging). disabled: SELinux is completely off.
Q: How do you check the current SELinux mode?
A: getenforce or sestatus for detailed status.
Q: How do you temporarily change SELinux mode?
A: setenforce 0 (permissive) or setenforce 1 (enforcing). Permanent changes require editing /etc/selinux/config.
Q: What is an SELinux security context?
A: A label in the format user:role:type:level (e.g., system_u:object_r:httpd_sys_content_t:s0). The type field is most important for policy enforcement (type enforcement).
Q: What is restorecon?
A: Restores the default SELinux context on files based on the file context database. Usage: restorecon -Rv /var/www/html/.
Q: What are SELinux booleans?
A: Runtime toggles that modify SELinux policy without recompiling. Example: setsebool -P httpd_can_network_connect on allows Apache to make network connections. List with getsebool -a.
Q: What is audit2allow?
A: A tool that generates SELinux policy allow rules from audit log denials: grep denied /var/log/audit/audit.log | audit2allow -M mypolicy && semodule -i mypolicy.pp.
Q: What is AppArmor?
A: A Linux security module (alternative to SELinux) using path-based Mandatory Access Control. Used by Ubuntu, Debian, and SUSE. Profiles restrict what files, capabilities, and network access an application can use.
Q: What are AppArmor's two modes?
A: enforce: violations are blocked and logged. complain: violations are logged but allowed (equivalent to SELinux permissive).
Q: What is firewalld?
A: A dynamic firewall manager (frontend to nftables/iptables) using zones and services. Default on RHEL/Fedora. Supports runtime and permanent configurations.
Q: What is a firewalld zone?
A: A trust level for a network interface. Common zones: drop (drop all incoming), block (reject all incoming), public (default, limited incoming), trusted (accept all), dmz, home, work, internal.
Q: What is a firewalld rich rule?
A: A complex firewall rule with specific match criteria. Example: firewall-cmd --add-rich-rule='rule family=ipv4 source address=10.0.0.0/8 port port=8080 protocol=tcp accept' --permanent.
Q: How do you harden SSH?
A: In /etc/ssh/sshd_config: PermitRootLogin no, PasswordAuthentication no, PubkeyAuthentication yes, AllowUsers admin, Port 2222 (non-default), MaxAuthTries 3. Also deploy fail2ban and use key-based authentication only.
Q: What is fail2ban?
A: An intrusion prevention daemon that monitors log files and bans IP addresses showing malicious behavior (repeated failed logins, etc.) by adding firewall rules. Configurable jails define services to protect.
Q: What is auditd?
A: The Linux Audit daemon — records security-relevant events based on rules. Rules define file watches (-w) and syscall auditing (-a). Logs go to /var/log/audit/audit.log.
Q: What are ausearch and aureport?
A: ausearch searches audit logs with filters (e.g., ausearch -k mykey -ts today). aureport generates summary reports from audit logs (logins, file access, syscalls, etc.).
Q: What are Linux capabilities?
A: Fine-grained privileges that decompose root's power into distinct units. Instead of running as root, a process can have only the capabilities it needs. Viewed with getpcaps <PID> or getcap <file>.
Q: What is CAP_NET_BIND_SERVICE?
A: A capability allowing a process to bind to ports below 1024 without running as root.
Q: What is CAP_SYS_ADMIN?
A: The "new root" capability — a catch-all granting many administrative operations (mounting filesystems, setting hostname, loading kernel modules). Should be avoided when possible.
Q: What is seccomp?
A: Secure Computing mode — a kernel feature that restricts the system calls a process can make. Used by containers (Docker, Kubernetes), browsers, and sandboxes to reduce the attack surface. seccomp-bpf allows flexible filtering using BPF programs.
Q: What is /etc/login.defs used for in security?
A: Defines password aging policies (PASS_MAX_DAYS, PASS_MIN_DAYS, PASS_MIN_LEN, PASS_WARN_AGE), UID/GID allocation ranges, and default umask for new users.
Q: What is the purpose of /etc/securetty?
A: Historically listed terminal devices from which root was allowed to log in. Modern systems using PAM may not use it, and systemd-based systems have deprecated it.
Q: What is chroot?
A: Changes the apparent root directory for a process and its children. Provides basic isolation but is NOT a security boundary (root can escape a chroot). Used for system repair and build environments.
Q: What is the principle of least privilege?
A: Users and processes should have only the minimum permissions needed to perform their tasks. Implemented via capabilities, SELinux/AppArmor, sudoers restrictions, and file permissions.
Q: What is AIDE?
A: Advanced Intrusion Detection Environment — a file integrity monitoring tool that creates a database of file checksums and attributes, then periodically checks for unauthorized changes. Similar to Tripwire.
Q: What is chage used for?
A: Manages password aging policies per user. chage -l user lists policy. chage -M 90 user sets maximum password age to 90 days. chage -E 2026-12-31 user sets account expiry date.
Q: What are the common Linux capabilities?
A: CAP_NET_BIND_SERVICE (bind low ports), CAP_NET_RAW (raw sockets, ping), CAP_SYS_ADMIN (broad admin), CAP_SYS_PTRACE (debug processes), CAP_DAC_OVERRIDE (bypass file permissions), CAP_CHOWN (change file ownership), CAP_SETUID/CAP_SETGID (change UID/GID), CAP_NET_ADMIN (network configuration).
Q: How do you set a capability on a file?
A: setcap cap_net_bind_service+ep /usr/bin/myapp — grants the binary the ability to bind to ports below 1024 without root. getcap /usr/bin/myapp verifies.
Q: What is pam_tally2 / pam_faillock?
A: PAM modules for account lockout after failed login attempts. pam_tally2 is deprecated; pam_faillock (RHEL 8+) is the replacement. Configured in /etc/security/faillock.conf.
Q: What is pam_limits?
A: A PAM module that enforces resource limits from /etc/security/limits.conf — such as max open files (nofile), max processes (nproc), max memory size, and CPU time per user or group.
Q: What is the difference between DAC and MAC?
A: DAC (Discretionary Access Control): file owners set permissions (traditional chmod). MAC (Mandatory Access Control): system-wide policy enforced regardless of ownership (SELinux, AppArmor). MAC restrictions apply even where DAC would permit access, so both must allow an operation.
Q: What is FIPS mode in Linux?
A: Federal Information Processing Standards compliance mode, required by US government systems. Restricts the system to FIPS-approved cryptographic algorithms. Enabled via fips=1 kernel parameter on RHEL.
Q: What is lynis?
A: An open-source security auditing tool that scans Linux systems for security issues, configuration problems, and hardening opportunities. Generates a hardening index and actionable recommendations.
Q: What is the umask for a secure system?
A: umask 077 ensures new files are only accessible by the creating user (files get 600, directories get 700). Default of 022 allows group and others to read.
13. System Monitoring & Performance¶
Q: What is load average?
A: The average number of processes in the run queue (running + waiting for CPU + uninterruptible I/O) over 1, 5, and 15 minutes. Displayed by uptime, top, and in /proc/loadavg.
Q: How do you interpret load average?
A: Divide by the number of CPU cores. A load of 4.0 on a 4-core system means 100% utilization. Above the core count indicates processes are waiting. Consistently high 15-minute averages suggest sustained overload.
Q: What are the key columns in top?
A: PID, USER, PR (priority), NI (nice), VIRT (virtual memory), RES (resident physical memory), SHR (shared memory), S (state), %CPU, %MEM, TIME+, COMMAND.
Q: What is the difference between VIRT, RES, and SHR in top?
A: VIRT = total virtual memory (allocated, not necessarily used). RES = actual physical memory in use (resident set size). SHR = memory shared with other processes (shared libraries, shared memory segments).
Q: What does vmstat show?
A: System-wide stats: processes (r=running, b=blocked), memory (swap, free, buffer, cache), swap I/O, block I/O, CPU percentages (user, system, idle, iowait, steal). Usage: vmstat 1 5 (every 1 second, 5 times).
Q: What does iostat show?
A: CPU utilization and device I/O statistics: tps (transfers/sec), read/write bandwidth, average queue size, await (latency), and utilization. Part of the sysstat package.
Q: What does mpstat show?
A: Per-CPU statistics including user, system, iowait, soft IRQ, steal, and idle percentages. mpstat -P ALL 1 shows all CPUs every second.
Q: What does pidstat show?
A: Per-process resource statistics: CPU, memory, I/O, context switches. pidstat -d 1 shows disk I/O per process every second.
Q: What does sar do?
A: System Activity Reporter — collects and reports historical system performance data (CPU, memory, disk, network). Data is stored by sadc and queried with sar. Part of sysstat.
Q: What does free show?
A: Memory usage: total, used, free, shared, buffers, cache, and available. free -h for human-readable output.
Q: What is the difference between buffers and cache in memory?
A: Buffers: kernel buffer cache for raw block device I/O metadata. Cache: page cache for file data read from disk. Both can be reclaimed under memory pressure, so the "available" column is more meaningful than "free."
Q: What is the "available" column in free?
A: An estimate of how much memory is available for starting new applications without swapping. It accounts for reclaimable cache and buffers. More useful than "free" for capacity planning.
Q: What does strace do?
A: Traces system calls made by a process: strace -p <PID> attaches to a running process. strace command traces from start. -e trace=network filters to network syscalls. -c provides a summary of syscall counts and times.
Q: What does ltrace do?
A: Traces dynamic library calls made by a process, similar to how strace traces system calls. Useful for debugging library interactions.
Q: What is bpftrace?
A: A high-level tracing language for Linux using eBPF. Allows one-liner performance tools: bpftrace -e 'tracepoint:syscalls:sys_enter_open { printf("%s %s\n", comm, str(args->filename)); }'.
Q: What does dmesg show?
A: The kernel ring buffer — messages from the kernel about hardware, drivers, and system events. dmesg -T shows human-readable timestamps. dmesg --level=err,warn filters by severity.
Q: What does lsof do?
A: Lists open files — including regular files, directories, sockets, pipes, and devices. lsof -i :80 shows what's using port 80. lsof +D /var/log shows processes with files open in that directory.
Q: What does fuser do?
A: Identifies processes using files or sockets: fuser -v /var/log/syslog shows who has the file open. fuser -k 8080/tcp kills the process using that port.
Q: What is the USE Method for performance analysis?
A: Utilization, Saturation, Errors — check all resources (CPU, memory, network, disk) for these three metrics. Created by Brendan Gregg as a systematic approach to performance troubleshooting.
Q: What does /proc/meminfo contain?
A: Detailed memory statistics: MemTotal, MemFree, MemAvailable, Buffers, Cached, SwapTotal, SwapFree, Active, Inactive, Dirty, Slab, PageTables, HugePages_*, and more.
Q: What does /proc/cpuinfo contain?
A: CPU details per logical core: vendor, model name, frequency, cache size, core/thread IDs, flags (sse, avx, vmx, etc.), and bugs (spectre, meltdown mitigations).
Q: What does /proc/loadavg contain?
A: Five fields: 1-minute load, 5-minute load, 15-minute load, running/total processes, last PID assigned.
Q: How do you identify which process is consuming the most disk I/O?
A: Use iotop (interactive, shows per-process I/O), pidstat -d 1, or dstat --top-io. Also check /proc/PID/io for cumulative I/O statistics.
14. Containers & Virtualization¶
Q: What are the fundamental Linux technologies behind containers?
A: Namespaces (isolation), cgroups (resource limits), overlay/union filesystems (layered images), seccomp (syscall filtering), and capabilities (privilege restriction).
Q: How do containers differ from virtual machines?
A: Containers share the host kernel and use namespaces/cgroups for isolation — they start in milliseconds with minimal overhead. VMs run their own kernel on a hypervisor, providing stronger isolation but with more resource overhead and slower startup.
Q: What is the difference between Docker and Podman?
A: Docker uses a client-server architecture with a root daemon (dockerd). Podman is daemonless, runs rootless by default, is OCI-compliant, and generates systemd unit files. Podman is CLI-compatible with Docker.
Q: What is a rootless container?
A: A container running entirely under an unprivileged user (no root daemon). Uses user namespaces to map container root to an unprivileged host UID. Podman supports this natively; Docker requires additional configuration.
Q: What is KVM?
A: Kernel-based Virtual Machine — a Linux kernel module that turns Linux into a Type-1 hypervisor. It uses hardware virtualization extensions (Intel VT-x, AMD-V) and works with QEMU for device emulation.
Q: What is QEMU?
A: Quick EMUlator — a software-based machine emulator and virtualizer. When paired with KVM, it provides hardware-accelerated virtual machines. QEMU handles device emulation while KVM handles CPU virtualization.
Q: What is libvirt?
A: A toolkit providing a common API for managing virtualization platforms (KVM/QEMU, Xen, etc.). The virsh CLI and virt-manager GUI use libvirt.
Q: What is the OCI specification?
A: Open Container Initiative — defines standards for container images (image-spec) and runtimes (runtime-spec). Ensures interoperability between Docker, Podman, containerd, CRI-O, and other container tools.
Q: How can you detect if you're inside a container?
A: Check /proc/1/cgroup — if it shows docker, containerd, or kubepods paths, you're in a container. Also check for /.dockerenv file or the container environment variable.
Q: What is an overlay filesystem?
A: A union filesystem that layers a read-write upper directory on top of read-only lower directories. Used by Docker/Podman to create container filesystems from stacked image layers. The default is overlay2.
Q: What is containerd?
A: An industry-standard container runtime that manages the container lifecycle (image pull, storage, execution, networking). Docker uses containerd internally; Kubernetes can use it directly via CRI.
Q: What is runc?
A: The reference implementation of the OCI runtime specification. It creates and runs containers using Linux namespaces, cgroups, and seccomp. Both Docker and Podman use it (or compatible alternatives like crun).
Q: What is a Type-1 vs Type-2 hypervisor?
A: Type-1 (bare-metal): runs directly on hardware (KVM, ESXi, Xen, Hyper-V). Type-2 (hosted): runs on top of a host OS (VirtualBox, VMware Workstation). KVM is technically Type-1 because the kernel IS the hypervisor.
Q: What is crun?
A: A fast, lightweight OCI container runtime written in C. Alternative to runc with lower memory usage and faster startup. Used by default in some Podman configurations.
Q: What is buildah?
A: A tool for building OCI container images without requiring a daemon or running containers. Works with Podman. Supports Dockerfile builds and scriptable image creation.
Q: What is skopeo?
A: A tool for working with container registries — copying images between registries, inspecting images remotely, and deleting tags. Does not require a daemon or pulling the full image.
Q: What is the container networking model?
A: Each container gets its own network namespace with a virtual Ethernet pair (veth). One end is in the container, the other connects to a bridge (docker0). NAT rules (via iptables/nftables) enable outbound connectivity.
Q: What is a container volume?
A: A mechanism for persistent storage that outlives the container. Bind mounts map host directories into containers. Named volumes are managed by the container runtime. tmpfs mounts exist only in memory.
Q: What is the /proc/1/cgroup trick for detecting containers?
A: Inside a container, /proc/1/cgroup shows cgroup paths containing "docker", "kubepods", or "containerd" instead of the default / seen on a bare host. Not foolproof but commonly used.
Q: What is virtio?
A: A paravirtualization standard for I/O in virtual machines. virtio devices (network, disk, memory, GPU) provide near-native performance by avoiding full hardware emulation. Used by KVM/QEMU.
Q: What is virt-install?
A: A command-line tool for creating KVM virtual machines. Defines CPU, memory, disk, network, and installation source in a single command. Part of the virt-manager package.
Q: What is virsh?
A: The libvirt command-line interface. virsh list --all shows VMs. virsh start/shutdown/destroy vm manages lifecycle. virsh console vm attaches to the serial console.
Q: What is live migration?
A: Moving a running VM from one physical host to another with minimal downtime. KVM/libvirt supports live migration over shared storage or with storage migration. The VM's memory is iteratively copied while it runs.
Q: What is cloud-init?
A: An industry standard for initializing cloud instances on first boot. Handles SSH keys, hostname, network, user creation, package installation, and custom scripts. Reads metadata from the cloud provider.
Q: What is the difference between crun and runc?
A: Both are OCI-compliant container runtimes. runc is written in Go (reference implementation). crun is written in C, resulting in significantly lower memory overhead and faster container creation.
15. Cron & Scheduling¶
Q: What is the cron syntax format?
A: Five fields: minute (0-59) hour (0-23) day-of-month (1-31) month (1-12) day-of-week (0-7, where 0 and 7 are Sunday). Followed by the command.
Q: What does */5 * * * * mean in cron?
A: Run every 5 minutes.
Q: What does 0 2 * * 1-5 mean in cron?
A: Run at 2:00 AM Monday through Friday.
Q: What does 0 0 1 * * mean in cron?
A: Run at midnight on the first day of every month.
Q: What is the difference between crontab -e and /etc/crontab?
A: crontab -e edits the per-user crontab (stored in /var/spool/cron/). /etc/crontab is the system-wide crontab that includes a user field (which user to run as) and uses a slightly different format.
Q: What is /etc/cron.d/?
A: A directory for drop-in cron files using the same format as /etc/crontab (with user field). Packages can install cron jobs here without modifying the system crontab.
Q: What are the cron special strings?
A: @reboot (on startup), @yearly/@annually (Jan 1 midnight), @monthly (1st midnight), @weekly (Sunday midnight), @daily/@midnight, @hourly.
Q: What is anacron?
A: A cron complement for machines not running 24/7. It ensures daily, weekly, and monthly jobs run even if the machine was off at the scheduled time. Uses timestamps in /var/spool/anacron/ to track execution.
Q: What is a systemd timer?
A: A unit type (.timer) that triggers activation of an associated .service unit on a schedule. Advantages over cron: dependency management, logging via journal, resource control, and persistent timers.
Q: What does OnCalendar= do in a systemd timer?
A: Specifies a calendar-based schedule: OnCalendar=*-*-* 02:00:00 (daily at 2 AM), OnCalendar=Mon *-*-* 09:00:00 (Mondays at 9 AM), OnCalendar=hourly.
Q: What does Persistent=true do in a systemd timer?
A: If the timer was missed (machine was off), it triggers the service immediately at next boot. Similar to anacron behavior.
Q: What is the at command?
A: Schedules a one-time command execution: echo "backup.sh" | at 2:00 AM tomorrow. Managed with atq (list queue), atrm (remove job), batch (run when load is low).
Q: How do you list active systemd timers?
A: systemctl list-timers --all shows all timers, their next/last trigger times, and associated units.
16. /proc and /sys Filesystems¶
Q: What is /proc/cpuinfo?
A: Contains information about each CPU/core: processor number, vendor, model name, clock speed, cache size, CPU flags (instruction set extensions), and known hardware bugs.
Q: What is /proc/meminfo?
A: Contains detailed memory statistics: total, free, available, buffers, cached, swap, active, inactive, slab, page tables, huge pages, and more.
Q: What is /proc/loadavg?
A: Contains load averages (1, 5, 15 minutes), the count of runnable/total kernel scheduling entities, and the PID of the most recently created process.
Q: What is /proc/mounts?
A: Lists all currently mounted filesystems with device, mount point, filesystem type, and options. Equivalent to the output of the mount command. Symlink to /proc/self/mounts.
Q: What is /proc/cmdline?
A: Contains the kernel command line passed by the bootloader (GRUB). Shows all kernel parameters used during boot.
Q: What is /proc/version?
A: Contains the kernel version string, compiler version, and build date. Similar to uname -a.
Q: What does /proc/net/ contain?
A: Network-related pseudo-files: tcp and tcp6 (open TCP connections), udp, arp, route, dev (interface statistics), snmp (protocol statistics), sockstat (socket summary).
Q: What is /proc/sys/?
A: A directory tree of tunable kernel parameters. Values can be read and written at runtime. Changes are temporary unless persisted via sysctl.conf.
Q: What is sysctl?
A: A command to read and write kernel parameters at runtime. sysctl -a lists all. sysctl vm.swappiness=10 changes the value. Persistent changes go in /etc/sysctl.conf or /etc/sysctl.d/*.conf.
Q: What does vm.swappiness control?
A: How aggressively the kernel swaps memory pages to disk (0-200, default 60). Lower values prefer keeping data in RAM and evicting file cache. 0 means swap only to avoid OOM. Higher values swap more aggressively.
Q: What does net.ipv4.ip_forward control?
A: Enables/disables IP packet forwarding between interfaces. Must be set to 1 for the system to act as a router, NAT gateway, or for container networking to work.
Q: What does kernel.panic control?
A: Number of seconds the kernel waits before automatically rebooting after a panic. 0 means no auto-reboot (waits for manual intervention).
Q: What does fs.file-max control?
A: The system-wide maximum number of open file descriptors. Check current usage with cat /proc/sys/fs/file-nr (allocated, free, max).
Q: What is /sys/class/?
A: Contains symbolic links organized by device class (net, block, tty, input, etc.). For example, /sys/class/net/eth0/ contains attributes for the eth0 network interface.
Q: What is /sys/block/?
A: Contains entries for each block device (sda, nvme0n1, etc.) with attributes like size, queue parameters, and partitions.
Q: What is /sys/devices/?
A: The master tree of all devices in the system, organized by bus topology. /sys/class/ and /sys/block/ are symlinks into this hierarchy.
Q: What does net.core.somaxconn control?
A: The maximum number of queued connection requests for a listening socket (backlog). Default was 128, often increased to 4096+ for high-traffic servers.
Q: What does vm.overcommit_memory control?
A: 0 = heuristic overcommit (default, kernel estimates). 1 = always overcommit (never fail malloc). 2 = don't overcommit (limit to swap + ratio of physical RAM). Setting 2 is used in environments requiring guaranteed memory.
17. Filesystem Hierarchy Standard¶
Q: What is the FHS?
A: The Filesystem Hierarchy Standard — a specification defining the directory structure and contents of Unix-like systems. Maintained by the Linux Foundation.
Q: What is the purpose of /bin?
A: Essential command binaries needed for single-user mode and booting (ls, cp, mount, bash). On modern systems with UsrMerge, /bin is a symlink to /usr/bin.
Q: What is the purpose of /sbin?
A: Essential system administration binaries (fsck, fdisk, init, iptables). With UsrMerge, /sbin symlinks to /usr/sbin.
Q: What is the purpose of /usr?
A: Secondary hierarchy containing the majority of user applications, libraries, documentation, and shared data. /usr/bin for user commands, /usr/sbin for system admin commands, /usr/lib for libraries, /usr/share for architecture-independent data.
Q: What is the purpose of /etc?
A: Host-specific system configuration files. Everything in /etc should be text files (no binaries). Examples: /etc/fstab, /etc/passwd, /etc/ssh/sshd_config.
Q: What is the purpose of /var?
A: Variable data — files that change during operation: logs (/var/log), mail (/var/mail), spool (/var/spool), caches (/var/cache), temporary persistent files (/var/tmp), runtime data (/var/run → /run).
Q: What is the purpose of /tmp?
A: Temporary files. Often a tmpfs (RAM-backed). Files may be deleted on reboot or by systemd-tmpfiles. World-writable with the sticky bit set.
Q: What is the difference between /tmp and /var/tmp?
A: /tmp is cleared on reboot (often tmpfs). /var/tmp persists across reboots and is for temporary files that should survive reboots (e.g., large downloads, package build files).
Q: What is the purpose of /opt?
A: Add-on application software packages. Third-party software installs here to avoid conflicts with system packages. Each package gets its own subdirectory (e.g., /opt/google/chrome).
Q: What is the purpose of /srv?
A: Data served by the system — e.g., web server files (/srv/www), FTP files (/srv/ftp). Less commonly used; many distros use /var/www instead.
Q: What is the purpose of /dev?
A: Device files — special files representing hardware and virtual devices. Managed by udev. Contains block devices (disks), character devices (terminals), and special files (/dev/null, /dev/zero, /dev/urandom).
Q: What is the purpose of /proc?
A: Virtual filesystem providing kernel and process information. Not stored on disk — generated dynamically by the kernel.
Q: What is the purpose of /sys?
A: Virtual filesystem (sysfs) exporting kernel object information about devices, drivers, and buses as a structured hierarchy.
Q: What is the purpose of /run?
A: Runtime data since last boot — tmpfs mounted early in boot. Contains PID files, sockets, and other transient data. Replaced /var/run.
Q: What is the purpose of /home?
A: User home directories. Each user typically has /home/username/. Root's home is /root.
Q: What is the purpose of /mnt and /media?
A: /mnt is for temporarily mounting filesystems (admin use). /media is for auto-mounted removable media (USB drives, CDs). Desktop environments use /media/username/.
Q: What is UsrMerge?
A: The initiative to merge /bin → /usr/bin, /sbin → /usr/sbin, /lib → /usr/lib, /lib64 → /usr/lib64. The root-level directories become symlinks. Adopted by Fedora, Arch, Debian 12+, Ubuntu 23.04+, and others.
Q: Why was UsrMerge implemented?
A: Simplifies packaging (no need to decide between /bin and /usr/bin), eliminates path issues, simplifies initramfs construction, and aligns with how most modern systems actually use the filesystem.
18. Environment & Shell Variables
Q: What is the PATH variable?
A: A colon-separated list of directories the shell searches for executable commands. Searched left to right. Example: /usr/local/bin:/usr/bin:/bin.
Q: What is the HOME variable?
A: The current user's home directory path. Used by cd with no arguments and tilde expansion (~).
Q: What is the USER variable?
A: The current user's login name. Set by the login process.
Q: What is the SHELL variable?
A: The path to the user's default login shell, as specified in /etc/passwd.
Q: What is the TERM variable?
A: Identifies the terminal type (e.g., xterm-256color, screen, linux). Applications use it to determine terminal capabilities via terminfo/termcap.
Q: What is the LANG variable?
A: Sets the default locale for the system (e.g., en_US.UTF-8). Affects date formats, number formats, sorting, and character encoding.
Q: What is LC_ALL?
A: Overrides ALL locale variables (LANG, LC_TIME, LC_NUMERIC, etc.) unconditionally. Setting LC_ALL=C forces the POSIX locale for consistent behavior in scripts.
Q: What is LD_LIBRARY_PATH?
A: A colon-separated list of directories the dynamic linker searches for shared libraries before the default paths. Useful for development but considered a security risk in production.
Q: What are the EDITOR and VISUAL variables?
A: EDITOR specifies the default text editor for line-based editing. VISUAL specifies the full-screen editor. Programs check VISUAL first, falling back to EDITOR.
Q: What does $? contain?
A: The exit status of the most recently executed foreground command. 0 = success, non-zero = failure.
Q: What does $$ contain?
A: The process ID (PID) of the current shell. In a script, it's the PID of the script's shell process.
Q: What does $! contain?
A: The PID of the last background process started.
Q: What does $0 contain?
A: The name of the script or shell. In an interactive shell, it's the shell name (e.g., -bash for login shell).
Q: What does $# contain?
A: The number of positional parameters (arguments) passed to the script or function.
Q: What does $@ contain?
A: All positional parameters. When double-quoted ("$@"), each parameter is a separate word, preserving whitespace within arguments.
Q: What does $* contain?
A: All positional parameters. When double-quoted ("$*"), all parameters are joined into a single word separated by the first character of IFS.
Q: What does the export command do?
A: Makes a variable available to child processes (adds it to the environment). Without export, variables are local to the current shell.
Q: What does the env command do?
A: Without arguments, prints all environment variables. With arguments, runs a command in a modified environment: env VAR=value command.
Q: What does printenv do?
A: Prints environment variables. printenv HOME prints just the HOME variable. Unlike env, it doesn't run commands.
Q: What is IFS?
A: Internal Field Separator — controls word splitting in Bash. Default is space, tab, newline. Changing IFS affects how the shell splits unquoted variables and command substitution output.
19. Device Management
Q: What is udev?
A: The device manager for the Linux kernel. It dynamically creates/removes device nodes in /dev, handles device events, and applies rules to set permissions, ownership, and create symlinks.
Q: Where are udev rules stored?
A: /usr/lib/udev/rules.d/ (defaults) and /etc/udev/rules.d/ (overrides). Files are processed in lexical order; /etc/ rules take precedence over /usr/lib/.
Q: What is a udev rule?
A: A line matching device attributes and performing actions. Example: SUBSYSTEM=="net", ATTR{address}=="00:11:22:33:44:55", NAME="lan0" renames a NIC based on MAC address. Match keys use ==, assignment keys use =.
Q: What is the difference between block and character devices?
A: Block devices (b): provide random access to fixed-size blocks with buffering (disks, partitions). Character devices (c): provide sequential unbuffered access byte-by-byte (terminals, serial ports, /dev/null).
Q: What are major and minor device numbers?
A: Major number identifies the driver (e.g., 8 = SCSI/SATA disk). Minor number identifies the specific device instance (e.g., 0 = sda, 1 = sda1, 16 = sdb). Visible with ls -l /dev/.
Q: What is lsblk?
A: Lists block devices in a tree format showing name, size, type (disk, partition, lvm), mountpoint, and other attributes. lsblk -f adds filesystem and UUID info.
Q: What is blkid?
A: Displays block device attributes: UUID, filesystem type, label, and partition type GUID. Used to find UUIDs for fstab entries.
Q: What is the difference between fdisk, parted, and gdisk?
A: fdisk: traditional partitioning tool, supports MBR and GPT. parted: supports MBR and GPT with resize capability. gdisk: GPT-specific tool (like fdisk but for GPT only).
Q: What is /dev/null?
A: A special device that discards everything written to it and returns EOF on read. The "bit bucket." Common usage: command 2>/dev/null discards stderr.
Q: What is /dev/zero?
A: A special device that produces an infinite stream of null bytes (0x00) on read. Used to create empty files or zero-fill disks: dd if=/dev/zero of=file bs=1M count=100.
Q: What is /dev/urandom?
A: A pseudo-random number generator that never blocks. Uses the kernel's CSPRNG (cryptographically secure PRNG). Suitable for most purposes including cryptographic key generation on modern kernels.
Q: What is the difference between /dev/random and /dev/urandom?
A: Historically, /dev/random blocked when the entropy pool was depleted while /dev/urandom never blocked. Since kernel 5.6, /dev/random also uses the CSPRNG and only blocks until initially seeded. In practice, /dev/urandom is recommended for almost all uses.
Q: What command reloads udev rules without rebooting?
A: udevadm control --reload-rules && udevadm trigger.
Q: What is udevadm monitor?
A: Watches udev events in real time — shows kernel uevents and udev rule processing. Useful for debugging device detection.
20. Logging
Q: What is rsyslog?
A: The default syslog daemon on most Linux distributions. An enhanced version of syslogd with reliable delivery, TCP transport, content-based filtering, database output, and high performance.
Q: What is syslog-ng?
A: An alternative syslog daemon with advanced log routing, filtering by message content/regex, structured data support, and flexible output options (files, databases, network, message queues).
Q: What is journald?
A: systemd's logging daemon (systemd-journald). Stores structured, binary logs with rich metadata (unit, PID, UID, boot ID, etc.). Queried with journalctl. Can forward to syslog.
Q: Where are traditional log files stored?
A: /var/log/. Key files: messages or syslog (general), auth.log or secure (authentication), kern.log (kernel), dmesg (kernel ring buffer), boot.log (boot messages).
Q: What is the difference between /var/log/messages and /var/log/syslog?
A: RHEL/CentOS uses /var/log/messages. Debian/Ubuntu uses /var/log/syslog. Both serve the same purpose — general system log messages. The name is a distribution convention.
Q: What is /var/log/auth.log?
A: Authentication-related logs on Debian/Ubuntu (login attempts, sudo usage, SSH sessions). RHEL uses /var/log/secure.
Q: What is logrotate?
A: A utility that rotates, compresses, and removes old log files. Configuration in /etc/logrotate.conf and /etc/logrotate.d/. Options include rotation frequency (daily, weekly), compression, max age, and post-rotation scripts.
Q: What are syslog facilities?
A: Categories for log messages: kern, user, mail, daemon, auth, syslog, lpr, news, uucp, cron, authpriv, ftp, local0-local7. Used in rsyslog rules to route messages.
Q: What are syslog priorities (severities)?
A: 0=emerg, 1=alert, 2=crit, 3=err, 4=warning, 5=notice, 6=info, 7=debug. In rsyslog rules, *.err matches all facilities at error level and above.
Q: How do you send a message to syslog from the command line?
A: logger -p local0.info "My log message". The -t flag sets a tag, -p sets facility.priority.
Q: How do you view only error-level journal entries?
A: journalctl -p err or journalctl -p 3. Use -p 0..3 to show emerg through err.
Q: How do you persist journald logs across reboots?
A: Create /var/log/journal/ directory: mkdir -p /var/log/journal && systemd-tmpfiles --create --prefix /var/log/journal. Or set Storage=persistent in /etc/systemd/journald.conf.
Q: What is structured logging?
A: Logging with key-value metadata (timestamp, host, service, severity, message) rather than free-form text. journald stores structured data natively. JSON is a common structured log format.
Q: What does journalctl --disk-usage show?
A: The total disk space used by the journal. Control maximum size with SystemMaxUse= in /etc/systemd/journald.conf.
Q: What does journalctl -b -1 show?
A: Logs from the previous boot. -b 0 is the current boot, -b -2 is two boots ago. Requires persistent journal storage.
Q: What is the logrotate copytruncate directive?
A: Instead of renaming the log file and creating a new one (which requires the application to reopen), copytruncate copies the file then truncates the original. Useful for apps that don't handle SIGHUP for log reopening.
Q: What does logrotate postrotate/endscript do?
A: Runs a script after log rotation. Commonly used to send SIGHUP to a daemon so it reopens log files: postrotate /usr/bin/systemctl reload rsyslog endscript.
Q: What is journalctl --vacuum-time=7d?
A: Removes journal entries older than 7 days. --vacuum-size=1G removes entries until the journal is under 1GB. Useful for reclaiming disk space.
Q: What is the logger command?
A: Sends messages to the system log from the command line or scripts: logger -p local0.warning "Disk usage high". Useful for integrating custom scripts with the centralized logging infrastructure.
Q: What is ELK/EFK stack?
A: ELK: Elasticsearch (storage/search), Logstash (processing), Kibana (visualization). EFK replaces Logstash with Fluentd/Fluent Bit (lighter weight). Used for centralized log aggregation and analysis.
Q: What is the difference between Fluentd and Fluent Bit?
A: Fluentd is a full-featured log collector/processor written in Ruby/C. Fluent Bit is a lightweight subset written in C, optimized for embedded systems and containers. Both are CNCF projects.
Q: What is log shipping?
A: Forwarding logs from local systems to a centralized logging server. rsyslog can forward via TCP/UDP. journald can forward to a remote journal-remote. Common in production for compliance and troubleshooting.
21. Quick-Fire Trivia & Rapid Recall
Q: What is Tux?
A: The Linux mascot — a penguin. Created by Larry Ewing in 1996 using GIMP. Linus Torvalds suggested a penguin because he was bitten by a fairy penguin at an Australian zoo and thought penguins were "sitting around lounging" — a good vibe for an OS.
Q: Where does the name "grep" come from?
A: From the ed editor command g/re/p — "global / regular expression / print."
Q: Where does the name "awk" come from?
A: Named after its creators: Alfred Aho, Peter Weinberger, and Brian Kernighan.
Q: Where does the name "sed" come from?
A: "Stream EDitor."
Q: What does "sudo" stand for?
A: "Superuser do" — though it also works to run commands as other non-root users.
Q: What does "SSH" stand for?
A: Secure Shell.
Q: What does "POSIX" stand for?
A: Portable Operating System Interface — a family of IEEE standards (1003.x) for Unix-like OS compatibility.
Q: What does "TTY" stand for?
A: TeleTYpewriter — a historical term for the text input/output terminal devices. In Linux, /dev/tty* are virtual consoles and /dev/pts/* are pseudo-terminals.
Q: What does "PTY" stand for?
A: Pseudo-TeleTYpe — a pair of virtual devices (master/slave) used by terminal emulators and SSH. The master side is the emulator; the slave side (/dev/pts/N) is what the shell sees.
Q: What are file descriptors 0, 1, and 2?
A: 0 = stdin (standard input), 1 = stdout (standard output), 2 = stderr (standard error). Every process inherits these three FDs.
Q: What is the make menuconfig command?
A: An ncurses-based interface for configuring Linux kernel build options. Generates a .config file that controls which features and drivers are compiled.
Q: What is a bzImage?
A: "Big zImage" — the compressed Linux kernel image format used on x86. Created by make bzImage. Despite the name, it uses gzip (or other) compression, not bzip2.
Q: What does "cat" stand for?
A: ConCATenate — originally designed to concatenate files, though commonly used to display single files.
Q: What does "ls" stand for?
A: "LiSt" — lists directory contents.
Q: What does "dd" stand for?
A: Officially "convert and copy" (from IBM's JCL dd = Data Definition). Jokingly called "disk destroyer" due to its potential for data loss when misused.
Q: What does "tee" refer to?
A: A T-shaped pipe fitting — the command splits output like a T-junction in plumbing, sending it to both stdout and a file.
Q: What is the maximum filename length in most Linux filesystems?
A: 255 bytes (characters in UTF-8 may use multiple bytes).
Q: What is the maximum path length in Linux?
A: 4096 bytes (PATH_MAX), defined in the kernel.
Q: What character is forbidden in Linux filenames?
A: The forward slash / (directory separator) and the null byte \0. Everything else is technically valid, though many characters cause practical issues.
Q: What happens when you run :(){ :|:& };: in a shell?
A: This is a fork bomb — a function named : that calls itself twice, piping to itself, backgrounded. It exponentially spawns processes until the system is overwhelmed. Mitigated by ulimit or cgroup PID limits.
Q: What is /dev/shm?
A: A tmpfs mount for POSIX shared memory. Applications using shm_open() create files here. Commonly used for high-speed inter-process communication.
Q: What does "RTFM" stand for?
A: "Read The Fine Manual" — a common response in Linux communities directing users to read documentation (man pages).
Q: What is the man page section numbering system?
A: 1=user commands, 2=system calls, 3=library functions, 4=special files, 5=file formats, 6=games, 7=miscellaneous, 8=system administration. Access with man 5 passwd for the passwd file format.
Q: What is the info command?
A: GNU's documentation system, often more detailed than man pages for GNU tools. Navigate with info coreutils for detailed documentation.
Q: What is /etc/motd?
A: "Message of the Day" — displayed to users after login. Can be static (file content) or dynamic (generated by scripts in /etc/update-motd.d/ on Ubuntu).
Q: What does "ping" stand for?
A: Named after sonar ping sounds. Sends ICMP echo request packets and measures round-trip time.
Q: What is the difference between wget and curl?
A: wget is a non-interactive downloader (recursive download, resume). curl is a data transfer tool supporting many protocols (HTTP, FTP, SMTP, etc.) with more flexible output options. curl is better for APIs; wget for mirroring websites.
Q: What is /etc/hostname?
A: Contains the system's static hostname. Set with hostnamectl set-hostname.
Q: What is the uptime command?
A: Shows current time, how long the system has been running, number of logged-in users, and load averages.
Q: What does whoami do?
A: Prints the effective username of the current user.
Q: What does which do?
A: Shows the full path of a command by searching PATH. which python3 might show /usr/bin/python3.
Q: What does type do in Bash?
A: Shows how a command name would be interpreted — whether it's an alias, function, builtin, or external command with path.
Q: What is a FIFO (named pipe)?
A: A special file that allows inter-process communication. Created with mkfifo. One process writes, another reads. Data flows through the kernel buffer, not the filesystem.
Q: What is inotifywait?
A: A tool that watches filesystem events (create, modify, delete, move) on files or directories. Part of inotify-tools. Useful for triggering actions on file changes.
Q: What is the magic number in a Linux executable?
A: ELF binaries start with the magic bytes \x7fELF (hex: 7f 45 4c 46). ELF stands for Executable and Linkable Format.
Q: What is the file command?
A: Determines a file's type by examining its content (magic numbers, headers), not its extension: file /bin/ls outputs "ELF 64-bit LSB executable."
Q: What is a core dump?
A: A file containing the memory image of a process at the time it crashed. Generated by signals like SIGSEGV, SIGABRT. Analyzed with gdb for debugging. Controlled by ulimit -c and /proc/sys/kernel/core_pattern.
Q: What is xargs -0?
A: Reads null-delimited input (from find -print0). Safely handles filenames with spaces, newlines, and special characters.
Q: What is watch?
A: Runs a command repeatedly (default every 2 seconds) and displays the output. watch -n 1 'ss -tlnp' monitors listening ports every second. -d highlights changes.
Q: What is an epoch timestamp?
A: The number of seconds since January 1, 1970 00:00:00 UTC (Unix epoch). Used internally by Linux for timestamps. Convert with date -d @1711411200.
Q: What is the Year 2038 problem?
A: 32-bit time_t (signed) overflows on January 19, 2038 03:14:07 UTC. Linux has migrated to 64-bit time on 64-bit systems. 32-bit systems need kernel and library patches.
Q: What does stat show?
A: Detailed file information: size, blocks, device, inode, links, permissions (octal and symbolic), UID/GID, timestamps (access, modify, change, birth).
Q: What are the three timestamps on a Linux file?
A: atime (last access), mtime (last content modification), ctime (last metadata change — permissions, ownership, link count). Some filesystems also support btime/crtime (birth/creation time).
Q: What does touch actually do?
A: Updates the access and modification timestamps of a file. If the file doesn't exist, it creates an empty file. Not primarily a file creation tool, despite common use.
Q: What is the column command useful for?
A: Formats input into aligned columns: mount | column -t produces a neatly formatted table.
Q: What is screen used for?
A: A terminal multiplexer that allows running multiple virtual terminals within one session, detaching and reattaching sessions, and keeping processes alive after disconnection.
Q: What does "cpio" stand for?
A: "Copy In and Out" — an archive format and utility used by initramfs, RPM packages, and the find | cpio pattern.
Q: What does "wget" stand for?
A: "Web GET" — a non-interactive network downloader.
Q: What does "tar" stand for?
A: "Tape ARchive" — originally designed for writing data to tape drives.
Q: What does "rsync" stand for?
A: "Remote Sync" — an efficient file transfer tool that only copies differences (delta encoding). rsync -avz source/ dest/ is the most common invocation.
Q: What are the "dotfiles"?
A: Configuration files in the home directory starting with a dot (hidden by default). Examples: .bashrc, .vimrc, .ssh/, .gitconfig. Often version-controlled for portability.
Q: What is the alias command?
A: Creates shorthand for commands: alias ll='ls -la'. Defined in .bashrc for persistence. unalias ll removes it. alias with no arguments lists all aliases.
Q: What is the sticky bit shown as in ls -l?
A: A lowercase t in the others' execute position: drwxrwxrwt (e.g., /tmp). If execute is not set, it shows as uppercase T.
Q: What is the chattr command?
A: Changes file attributes on ext2/ext3/ext4 filesystems. chattr +i file makes it immutable (cannot be modified, deleted, renamed, or linked — even by root). chattr +a file makes it append-only. View with lsattr.
Q: What is the last command?
A: Shows the last logged-in users by reading /var/log/wtmp. last reboot shows system reboot history. lastb shows failed login attempts from /var/log/btmp.
Q: What is the w command?
A: Shows who is currently logged in and what they are doing (current command). More informative than who, includes idle time, login time, and load averages.
Q: What does sync do?
A: Flushes filesystem buffers — writes all modified in-memory data to disk. Important before removing external drives or shutting down.
Q: What is mktemp?
A: Creates a temporary file or directory with a unique name. mktemp /tmp/myapp.XXXXXX creates something like /tmp/myapp.a3b4c5. Prevents race conditions in temp file creation.
Q: What does readlink -f do?
A: Resolves a symbolic link to its absolute canonical path, following all intermediate symlinks. Useful in scripts to find the real location of a file.
Q: What is the yes command?
A: Repeatedly outputs a string (default "y") until killed. Used to auto-accept prompts: yes | apt-get install package. Also used for stress testing.
Q: What is /etc/shells?
A: Lists valid login shells. chsh only allows shells listed here. FTP servers check this file to allow/deny user access.
Q: What is sysdig?
A: A system-level exploration and troubleshooting tool combining the functionality of strace, tcpdump, lsof, and more. Uses a scripting language called "chisels" for analysis. The commercial version (Sysdig Secure) is popular in Kubernetes environments.
Q: What is coredumpctl?
A: A systemd tool for managing core dumps stored by systemd-coredump. coredumpctl list shows recent crashes. coredumpctl debug PID opens the core dump in gdb.
Q: What does loginctl do?
A: Manages systemd user sessions. loginctl list-sessions shows active sessions. loginctl terminate-session ID kills a session. Part of systemd-logind.
Q: What is a "magic SysRq key"?
A: A kernel-level key combination (Alt+SysRq+key) for emergency actions even when the system is unresponsive. "REISUB" is the safe reboot sequence: unRaw, tErminate, kIll, Sync, Unmount, reBoot. Enabled via kernel.sysrq.
Q: What does xxd do?
A: Creates a hex dump of a file. xxd file | head shows the binary content in hex. Can also reverse a hex dump back to binary with xxd -r.
Q: What is /proc/self?
A: A symbolic link to the /proc/PID directory of the current process. Useful for a process to introspect without knowing its own PID.
Q: What does the timeout command do?
A: Runs a command with a time limit: timeout 30s curl http://example.com. Sends SIGTERM (or specified signal) when the time expires.
22. Comparison & Ecosystem
Q: What is the difference between Linux, Unix, and BSD?
A: Unix is the original OS (Bell Labs, 1969). BSD (Berkeley Software Distribution) is a Unix derivative with its own kernel and userland. Linux is a Unix-like kernel written from scratch by Linus Torvalds with GNU userland. Linux is not Unix-certified, but follows POSIX standards.
Q: Which BSD variants are actively developed?
A: FreeBSD (servers/storage, powers Netflix CDN), OpenBSD (security-focused, developed OpenSSH), NetBSD (portability, runs on 50+ platforms), DragonFlyBSD (performance, HAMMER filesystem).
Q: What is the difference between systemd and SysVinit?
A: SysVinit uses sequential shell scripts in /etc/init.d/ and /etc/rc.d/ with numeric runlevels (0-6). systemd uses declarative unit files, parallel startup, dependency management, socket activation, cgroup integration, and journald. systemd boots significantly faster.
Q: What is Upstart?
A: An event-based init system developed by Canonical for Ubuntu (2006-2015). Replaced by systemd in Ubuntu 15.04. It used .conf files in /etc/init/ and supported event-driven service management.
Q: What is OpenRC?
A: A dependency-based init system used by Gentoo and Alpine Linux. Compatible with SysVinit scripts but adds dependency tracking, parallel startup, and a service supervision framework. Lighter than systemd.
Q: Compare ext4 vs XFS vs Btrfs.
A: ext4: most stable, mature, can shrink and grow, max 1EB volume. XFS: best for large files and parallel I/O, can only grow (not shrink), used by RHEL. Btrfs: modern COW filesystem with snapshots, checksumming, compression, and built-in RAID, but RAID 5/6 is still experimental.
Q: When would you choose ext4?
A: For general-purpose use, boot partitions, and environments requiring maximum stability and tooling maturity. Best choice when you need online shrinking capability.
Q: When would you choose XFS?
A: For large file workloads, high-throughput I/O, and environments with many parallel operations. Excellent for media servers, databases, and enterprise storage. Handles large directories efficiently.
Q: When would you choose Btrfs?
A: When you need built-in snapshots, checksumming for data integrity, transparent compression, or send/receive for backups. Good for desktop and NAS use cases.
Q: What is the difference between iptables and nftables?
A: iptables: legacy packet filter using separate tools for IPv4/IPv6/ARP/bridge. nftables: modern replacement with unified syntax, atomic rule updates, maps/sets, better performance, and simplified architecture. nftables is the default in Debian 10+, RHEL 8+.
Q: What is the relationship between firewalld, iptables, and nftables?
A: firewalld is a frontend/management layer. On RHEL 7, it used iptables as backend. RHEL 8+ uses nftables as backend. Direct iptables/nftables rules and firewalld rules can coexist but may conflict.
Q: Compare SELinux vs AppArmor.
A: SELinux: label-based MAC, more granular, steeper learning curve, used by RHEL/Fedora/CentOS. AppArmor: path-based MAC, simpler to configure, used by Ubuntu/Debian/SUSE. Both achieve Mandatory Access Control but through different mechanisms.
Q: What is the advantage of SELinux's label-based approach?
A: Labels follow the object (file, process) regardless of path. If a file is moved or hard-linked, the security context stays correct. Path-based systems (AppArmor) can be bypassed by accessing the same file through a different path.
Q: What is the advantage of AppArmor's path-based approach?
A: Much simpler to understand and write profiles — rules use familiar filesystem paths. No need to manage labeling or relabeling. Easier adoption curve for administrators.
Q: How do RHEL and Ubuntu differ in their default security stack?
A: RHEL uses SELinux (enforcing by default), firewalld, and auditd. Ubuntu uses AppArmor (enabled by default), ufw (simplified iptables frontend), and relies on journald for audit logging.
Q: What is the difference between cron and systemd timers?
A: Cron: simple syntax, single config file, minimal logging, no dependency awareness, per-user crontabs. Timers: full systemd integration, journal logging, dependencies, resource control, persistent timers, calendar and monotonic scheduling, can be monitored with systemctl.
Q: What is the difference between TCP and UDP?
A: TCP: connection-oriented, reliable (acknowledgments, retransmission, ordering), flow control, slower. UDP: connectionless, unreliable (no guarantees), no flow control, faster. TCP for web/SSH/email; UDP for DNS queries, streaming, gaming.
Q: What is the difference between su and sudo?
A: su switches to another user entirely (requires the target user's password; plain su targets root, so root's password). sudo runs a single command as another user (requires the caller's password, with authorization defined in sudoers). sudo provides better auditing and granular control.
Q: What is the difference between su and su -?
A: su switches user but keeps the current environment (PATH, HOME may not change). su - (or su -l) simulates a full login shell, setting the target user's complete environment.
Q: What is the difference between hard and soft limits in ulimit?
A: Soft limits are the effective current limits that processes observe. Hard limits are the ceiling that soft limits cannot exceed. Non-root users can lower hard limits but cannot raise them. Root can set both freely.
Q: What is the difference between TCP CLOSE_WAIT and TIME_WAIT?
A: CLOSE_WAIT: the remote end has closed but the local application hasn't — usually a bug (application not calling close()). TIME_WAIT: the local end initiated close and is waiting 2×MSL for late packets — normal behavior.
Q: What is the difference between /dev/random and /dev/urandom in practice?
A: On modern kernels (5.6+), they are equivalent for cryptographic purposes once initially seeded. Use /dev/urandom — it never blocks and is cryptographically secure. /dev/random blocking behavior was an unnecessary precaution.
Q: What is the difference between a bind mount and a regular mount?
A: A regular mount attaches a filesystem (from a device) to a directory. A bind mount makes an existing directory tree available at another location: mount --bind /old/path /new/path. The same data is accessible from both paths.
Q: What is the difference between kill and killall?
A: kill sends a signal to a specific PID. killall sends a signal to all processes matching a name. pkill matches by pattern (name, user, etc.) and is generally preferred over killall.
Q: What is the difference between less and more?
A: more can only scroll forward; less can scroll both forward and backward, search, and supports many navigation commands. "Less is more" — less is the superior pager.
Q: What is the difference between locate and find?
A: locate searches a pre-built database (updatedb) — very fast but may be stale. find searches the filesystem in real-time — slower but always current. locate doesn't check permissions.
Q: What is the difference between a physical and virtual console?
A: Physical consoles are the TTYs accessible via Ctrl-Alt-F1 through F6 on the hardware. Virtual/pseudo-terminals (/dev/pts/*) are created by terminal emulators and SSH.
Q: What is a swap partition vs a swap file?
A: A swap partition is a dedicated partition formatted as swap. A swap file is a regular file on an existing filesystem used as swap. Performance is nearly identical on modern kernels. Swap files are more flexible (can be resized easily).
Q: What is the difference between shutdown, halt, poweroff, and reboot?
A: shutdown gracefully notifies users and stops services before halting/rebooting (safest). halt stops the CPU. poweroff stops the CPU and powers off the machine. reboot restarts. On systemd systems, all ultimately call systemctl.
Q: What is the difference between SATA, SAS, and NVMe?
A: SATA: consumer-grade, 6 Gbps, uses AHCI protocol, appears as /dev/sd*. SAS: enterprise, 12+ Gbps, also /dev/sd*. NVMe: PCIe-attached SSDs, up to 32 Gbps+, appears as /dev/nvme*, lowest latency.
Q: What is the difference between tar and gzip?
A: tar is an archiver — bundles multiple files into one. gzip is a compressor — reduces file size. Combined: tar czf archive.tar.gz dir/ creates a compressed archive. tar does not compress by itself.
Q: What compression tools are available on Linux?
A: gzip/gunzip (.gz, fast), bzip2/bunzip2 (.bz2, better ratio), xz/unxz (.xz, best ratio, slower), zstd (.zst, excellent speed/ratio balance), lz4 (.lz4, fastest), zip/unzip (.zip, cross-platform).
Q: What is the difference between ps aux and ps -ef?
A: ps aux is BSD-style showing USER, PID, %CPU, %MEM, VSZ, RSS, TTY, STAT, START, TIME, COMMAND. ps -ef is POSIX-style showing UID, PID, PPID, C, STIME, TTY, TIME, CMD. Both show all processes; different column layouts.
Q: What is the difference between ip addr and ip link?
A: ip addr shows/manages IP addresses on interfaces. ip link shows/manages link-layer properties (up/down state, MTU, MAC address). Use ip link set eth0 up to bring an interface up.
Q: What is the difference between /etc/environment and shell profile files?
A: /etc/environment is read by PAM (not a shell script — just KEY=VALUE lines) and sets variables for all login sessions regardless of shell. Profile files (.bashrc, .profile) are shell-specific and support scripting.
Q: What is the difference between a process and a thread in terms of memory?
A: Processes have separate virtual address spaces (isolated memory). Threads within the same process share the same address space, heap, and global variables, but each has its own stack.
Q: What is the difference between static and dynamic linking?
A: Static linking embeds library code into the executable at compile time (larger binary, no runtime dependencies). Dynamic linking loads shared libraries (.so files) at runtime (smaller binary, requires libraries present at runtime).
Q: What is ldconfig?
A: Updates the shared library cache (/etc/ld.so.cache) so the dynamic linker can find shared libraries. Run after installing new libraries. Configuration in /etc/ld.so.conf and /etc/ld.so.conf.d/.
Q: What is ldd?
A: Lists the shared library dependencies of an executable and where each one resolves: ldd /bin/ls. Do not run ldd on untrusted binaries: on some glibc versions it works by executing the program with LD_TRACE_LOADED_OBJECTS=1 set, so a malicious binary (or one with an unusual ELF interpreter) can run arbitrary code. Use readelf -d binary | grep NEEDED or objdump -p binary, which only parse the file, for anything you do not trust.
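The safe alternative described above, carried out by hand: the following added example (not code from the compendium) parses the section headers of a little-endian ELF64 file and lists its DT_NEEDED entries without ever executing it. It assumes the section headers are present; on a binary that has had them stripped, fall back to readelf -d, which reads the program headers instead.

```python
"""Added example: list DT_NEEDED entries of a little-endian ELF64 binary by
parsing the file, so an untrusted binary is never executed (unlike ldd)."""
import struct
import sys
from typing import List

ELF_MAGIC = b"\x7fELF"
SHT_STRTAB = 3
SHT_DYNAMIC = 6
DT_NULL = 0
DT_NEEDED = 1
# Elf64_Shdr: name, type, flags, addr, offset, size, link, info, align, entsize
ELF64_SHDR = "<IIQQQQIIQQ"


def _cstr(table: bytes, off: int) -> str:
    """NUL-terminated string at `off` inside a string table."""
    end = table.index(b"\x00", off)
    return table[off:end].decode("ascii", "replace")


def elf_needed_bytes(data: bytes) -> List[str]:
    """Return the DT_NEEDED library names declared by the ELF64 image `data`."""
    if data[:4] != ELF_MAGIC:
        raise ValueError("not an ELF file")
    if len(data) < 64:
        raise ValueError("truncated ELF header")
    if data[4] != 2 or data[5] != 1:
        raise ValueError("only little-endian ELF64 is handled here")
    # Fixed ELF64 header offsets: e_shoff @0x28, e_shentsize @0x3a, e_shnum @0x3c
    (e_shoff,) = struct.unpack_from("<Q", data, 0x28)
    e_shentsize, e_shnum = struct.unpack_from("<HH", data, 0x3A)
    if e_shoff == 0 or e_shnum == 0 or e_shentsize != struct.calcsize(ELF64_SHDR):
        raise ValueError("no usable section headers (stripped?); use readelf -d")
    sections = [struct.unpack_from(ELF64_SHDR, data, e_shoff + i * e_shentsize)
                for i in range(e_shnum)]
    needed: List[str] = []
    for sh in sections:
        sh_type, sh_offset, sh_size, sh_link = sh[1], sh[4], sh[5], sh[6]
        if sh_type != SHT_DYNAMIC:
            continue
        # sh_link of .dynamic is the index of its string table (.dynstr)
        if sh_link >= len(sections) or sections[sh_link][1] != SHT_STRTAB:
            raise ValueError("malformed .dynamic section: bad sh_link")
        str_off, str_size = sections[sh_link][4], sections[sh_link][5]
        dynstr = data[str_off:str_off + str_size]
        # Elf64_Dyn entries: d_tag (signed 8 bytes) + d_val (8 bytes)
        for pos in range(sh_offset, sh_offset + sh_size, 16):
            d_tag, d_val = struct.unpack_from("<qQ", data, pos)
            if d_tag == DT_NULL:
                break
            if d_tag == DT_NEEDED:
                needed.append(_cstr(dynstr, d_val))
    return needed


def elf_needed(path: str) -> List[str]:
    """Same as elf_needed_bytes, reading the file at `path` (never executing it)."""
    with open(path, "rb") as f:
        return elf_needed_bytes(f.read())


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else sys.executable
    for lib in elf_needed(target):
        print(lib)
```

Unlike ldd this only reports what the binary declares, not where the dynamic linker would resolve each name; that is exactly the property you want during triage of a suspicious file, and the resolution step can be done later on a trusted copy of the library search path.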
Q: What is the difference between a pipe and a socket?
A: Anonymous pipes (|) are unidirectional byte streams between related processes: the parent creates the pipe and the child inherits the descriptors. A named pipe (FIFO, created with mkfifo) extends this to unrelated processes on the same host through a filesystem path. Sockets are bidirectional, support networking (TCP/UDP), and can connect unrelated processes on the same host or across machines.
Q: What is a Unix domain socket?
A: A socket for inter-process communication on the same host, addressed by a filesystem path (or an abstract name beginning with a NUL byte) instead of IP:port. Faster than TCP loopback because it bypasses the network stack, and it can pass open file descriptors between processes (SCM_RIGHTS). Access is governed by the permissions on the socket node and its parent directory, and the server can read the connecting peer's PID, UID and GID with SO_PEERCRED, which the client cannot forge. Used by Docker (/var/run/docker.sock, where write access is equivalent to root on the host), MySQL, PostgreSQL and systemd.
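The SO_PEERCRED check mentioned above, as an added example that is not part of the compendium: a control-socket server that accepts a client and decides by the kernel-reported UID rather than by anything the client sends. It is Linux only; the socket path and the set of allowed UIDs are assumptions for the example.

```python
"""Added example: a Unix domain socket server that authorises clients by the
kernel-supplied peer credentials (SO_PEERCRED), the pattern control sockets
such as docker.sock rely on instead of passwords. Linux only."""
import os
import socket
import struct
import tempfile
import threading
from typing import Set, Tuple


def peer_credentials(conn: socket.socket) -> Tuple[int, int, int]:
    """(pid, uid, gid) of the connected peer, recorded by the kernel at connect()."""
    raw = conn.getsockopt(socket.SOL_SOCKET, socket.SO_PEERCRED, struct.calcsize("3i"))
    return struct.unpack("3i", raw)


def make_server(path: str) -> socket.socket:
    """Bind and listen on `path`; the socket node is created mode 0600."""
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    old_umask = os.umask(0o177)          # first gate: filesystem permissions
    try:
        srv.bind(path)
    finally:
        os.umask(old_umask)
    srv.listen(1)
    return srv


def serve_one(srv: socket.socket, allowed_uids: Set[int]) -> str:
    """Accept one client; answer "ok" if its uid is allowed, otherwise "denied"."""
    conn, _ = srv.accept()
    with conn:
        _pid, uid, _gid = peer_credentials(conn)   # second gate: who is really calling
        verdict = "ok" if uid in allowed_uids else "denied"
        conn.sendall(verdict.encode())
    return verdict


def ask(path: str) -> str:
    """Client side: connect and read the server's verdict."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as cli:
        cli.connect(path)
        return cli.recv(16).decode()


def demo(allowed_uids: Set[int]) -> Tuple[str, str]:
    """Run server and client in one process; returns (server verdict, client reply)."""
    tmpdir = tempfile.mkdtemp()                  # private directory, mode 0700
    path = os.path.join(tmpdir, "ctl.sock")      # assumed socket path for the example
    srv = make_server(path)                      # listening before the client connects
    result = {}
    worker = threading.Thread(
        target=lambda: result.update(verdict=serve_one(srv, allowed_uids)))
    worker.start()
    reply = ask(path)
    worker.join()
    srv.close()
    os.unlink(path)
    os.rmdir(tmpdir)
    return result["verdict"], reply


if __name__ == "__main__":
    print(demo({os.getuid()}))   # the calling user is allowed -> ('ok', 'ok')
    print(demo(set()))           # nobody is allowed -> ('denied', 'denied')
```

Both gates matter: directory and node permissions stop unrelated users from connecting at all, and SO_PEERCRED lets the server make per-request decisions (and log who asked) for the users who can connect. A root-owned daemon exposing a 0666 socket with no credential check is the classic local privilege escalation.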
Q: What is the difference between multicast, broadcast, and unicast?
A: Unicast: one-to-one communication. Broadcast: one-to-all on a network segment (e.g., 255.255.255.255). Multicast: one-to-many for subscribed receivers (224.0.0.0/4).
Q: What is the purpose of the /etc/hosts file?
A: Static hostname-to-IP mapping that is consulted before DNS (by default). Format: IP_address hostname [aliases]. Commonly used for local overrides and development.
Q: What is a reverse DNS lookup?
A: Resolving an IP address to a hostname (opposite of normal DNS). Uses PTR records in the in-addr.arpa domain. Commonly used for email verification and logging.
Q: What does traceroute do?
A: Shows the path packets take to reach a destination by sending probes with incrementing TTL values. Each hop's router responds with ICMP Time Exceeded. traceroute -n skips DNS resolution for faster output.
Q: What does mtr do?
A: Combines ping and traceroute into a single tool that continuously displays per-hop statistics (packet loss, latency, jitter). More informative than either tool alone for network troubleshooting.
Q: What is the dig command used for?
A: DNS lookup utility that queries DNS servers directly. dig example.com A queries A records. dig @8.8.8.8 example.com uses a specific DNS server. Shows query details, answer section, and timing.
Q: What is the nslookup command?
A: An older DNS query tool. nslookup example.com performs a forward lookup. Less detailed output than dig but simpler syntax. Considered deprecated by some in favor of dig.
Q: What is tcpdump?
A: A packet capture tool that displays packets matching a BPF (Berkeley Packet Filter) expression. Options come first and the filter expression last: tcpdump -ni eth0 -w capture.pcap port 80 writes port-80 traffic to a file without resolving names (-n); tcpdump -r capture.pcap reads it back. It needs CAP_NET_RAW and CAP_NET_ADMIN (or root). When capturing from hostile networks, prefer -w to a file and analyse offline, since the protocol dissectors themselves parse untrusted input.
Q: What does netcat (nc) do?
A: A versatile networking tool for reading/writing TCP and UDP connections. Used for port scanning (nc -zv host 1-1000), file transfer, banner grabbing, and creating simple client-server connections.
Q: What is ICMP?
A: Internet Control Message Protocol — used for error reporting and diagnostics (ping, traceroute, destination unreachable, TTL exceeded). Not a transport protocol — it operates at the network layer.
Q: What is the difference between DHCP and static IP configuration?
A: DHCP dynamically assigns IP addresses, subnet mask, gateway, and DNS from a server. Static IP is manually configured and does not change. Servers typically use static IPs; workstations use DHCP.
Q: What is NetworkManager?
A: A daemon managing network connections on Linux desktops and servers. Configured via nmcli (CLI), nmtui (TUI), or GUI. Handles Wi-Fi, Ethernet, VPN, bonding, VLAN, and bridging. Default on RHEL, Fedora, Ubuntu desktop.
Q: What is the nmcli command?
A: NetworkManager's CLI tool. nmcli device status shows interfaces. nmcli connection show lists connections. nmcli connection modify eth0 ipv4.addresses 10.0.0.5/24 sets a static IP.
Q: What is the ethtool command?
A: Queries and controls network driver and hardware settings: speed, duplex, auto-negotiation, ring buffer size, offload features, and driver info. ethtool eth0 shows link status and speed.
Q: What is the difference between a hub, switch, and router?
A: Hub: Layer 1, broadcasts all traffic to all ports. Switch: Layer 2, forwards frames based on MAC addresses. Router: Layer 3, forwards packets between networks based on IP addresses.
Q: What is NAT?
A: Network Address Translation — remaps IP addresses in packet headers, allowing multiple devices to share a single public IP. Types: SNAT (source NAT/masquerade), DNAT (destination NAT/port forwarding).
Q: What is the subnet mask 255.255.255.0 in CIDR notation?
A: /24 — meaning 24 bits for network, 8 bits for hosts, allowing 254 usable addresses.
Q: What are the private IP address ranges?
A: 10.0.0.0/8 (Class A), 172.16.0.0/12 (Class B), 192.168.0.0/16 (Class C). Defined in RFC 1918, not routable on the public internet.
Q: What is ip netns?
A: Manages network namespaces. ip netns add ns1 creates a namespace. ip netns exec ns1 bash runs commands inside it. Used by containers and for network testing/isolation.
Q: What does sysctl net.ipv4.tcp_fin_timeout control?
A: How long (in seconds) the kernel keeps an orphaned socket (one its process has already closed) in FIN_WAIT2 before discarding it. Default is 60. Lowering it frees resources sooner on servers with many short-lived connections; it does not affect FIN_WAIT2 sockets that an application still holds open.
Q: What is arp -a replaced by?
A: ip neigh show — displays the ARP/neighbor cache on modern Linux systems.
Q: What is the nmap command?
A: Network exploration and security auditing tool. nmap -sT host performs a TCP connect scan. nmap -sV host detects service versions. nmap -O host attempts OS detection.
Q: What are well-known ports 110, 143, 993, and 995?
A: 110 = POP3 (email retrieval), 143 = IMAP (email access), 993 = IMAPS (IMAP over TLS), 995 = POP3S (POP3 over TLS).
Q: What is port 514 used for?
A: UDP 514 = syslog (traditional). TCP 514 = RSH (remote shell, deprecated). rsyslog can use TCP 514 for reliable log transport.
Q: What is port 123 used for?
A: NTP (Network Time Protocol) — for clock synchronization.
Q: What is the difference between NTP and chrony?
A: NTP (ntpd) is the classic time synchronization daemon. chrony (chronyd) is the modern replacement — faster synchronization, better for intermittent connections, handles large clock jumps, and is the default on RHEL/Fedora.
Q: What are ports 2049 and 111 used for?
A: 2049 = NFS (Network File System). 111 = rpcbind/portmapper (maps RPC services to ports, used by NFSv3). NFSv4 only needs port 2049.
Q: What is an ICMP redirect?
A: A message from a router telling a host that a better route exists for a destination. Often disabled for security (net.ipv4.conf.all.accept_redirects = 0).
Q: What is TCP keepalive?
A: Periodic probes sent on idle TCP connections to detect dead peers. Configured via net.ipv4.tcp_keepalive_time (default 7200 seconds), tcp_keepalive_intvl, and tcp_keepalive_probes.
Q: What does ip route add default via 10.0.0.1 do?
A: Sets 10.0.0.1 as the default gateway. All traffic without a more specific route is sent to this address.
Q: What is proxy ARP?
A: When a router answers ARP requests on behalf of another network, making hosts on different subnets appear to be on the same LAN. Controlled via net.ipv4.conf.all.proxy_arp.
Q: What is the difference between Layer 4 and Layer 7 load balancing?
A: Layer 4 (transport): routes based on IP and port, fast, cannot inspect content. Layer 7 (application): routes based on HTTP headers, URLs, cookies — more flexible but higher overhead.
Q: What is the maximum size of a TCP window?
A: 65,535 bytes with the 16-bit window field. The window scaling option (originally RFC 1323, now RFC 7323) negotiates a shift count of up to 14 in the SYN/SYN-ACK exchange, allowing windows up to 65,535 x 2^14, roughly 1 GiB. Linux enables it by default (net.ipv4.tcp_window_scaling = 1); middleboxes that strip the option are a classic cause of mysteriously slow long-distance transfers.
Q: What is TCP slow start?
A: A congestion control mechanism where the sender starts with a small congestion window and doubles it each RTT until reaching the slow start threshold, then switches to congestion avoidance (linear growth).
Q: What is the difference between ip route and ip rule?
A: ip route manages routing tables (where to send packets). ip rule manages the routing policy database (which routing table to use, based on source IP, mark, etc.). Together they enable policy-based routing.
Q: What does resolvectl status show?
A: Current DNS resolver configuration from systemd-resolved: DNS servers, search domains, DNSSEC status, and per-link configuration. Replacement for checking /etc/resolv.conf directly.
Q: What is the iperf3 tool?
A: A network bandwidth measurement tool. Run iperf3 -s on the server and iperf3 -c server_ip on the client to measure TCP/UDP throughput between two endpoints.
Q: What is a TAP vs TUN device?
A: TUN (tunnel) operates at Layer 3 and carries IP packets. TAP (network tap) operates at Layer 2 and carries Ethernet frames, so it can be bridged and carry non-IP traffic at the cost of extra overhead. Used by VPNs: OpenVPN can use either; the kernel WireGuard driver creates its own Layer 3 link type (ip link add wg0 type wireguard), while the userspace wireguard-go implementation uses a TUN device.
Q: What is WireGuard?
A: A modern Layer 3 VPN protocol merged into the Linux kernel in 5.6. It is deliberately small (a few thousand lines of kernel code versus the hundreds of thousands in IPsec and OpenVPN stacks), has no cipher negotiation but a fixed set of primitives (Curve25519 key exchange, ChaCha20-Poly1305 AEAD, BLAKE2s hashing, the Noise_IK handshake), identifies peers by public key rather than certificates, and stays silent to unauthenticated packets, so a WireGuard port is invisible to scanners. Configured with wg and wg-quick.
Q: What is the tc command?
A: Traffic Control — configures the kernel's packet scheduler for QoS, rate limiting, traffic shaping, and simulation of network conditions (latency, loss). Example: tc qdisc add dev eth0 root netem delay 100ms.
Q: What is the difference between iptables INPUT and FORWARD chains?
A: INPUT applies to packets destined for the local machine. FORWARD applies to packets being routed through the machine to another destination. A machine must have ip_forward=1 to process FORWARD rules.
Q: What is the conntrack command?
A: Manages the kernel's connection tracking table (used by stateful firewalling in iptables/nftables). conntrack -L lists tracked connections. conntrack -F flushes the table.
Q: What does the ip -s link show command display?
A: Interface statistics including RX/TX bytes, packets, errors, dropped, overruns, and carrier errors. Useful for diagnosing network interface problems.
Q: What is DPDK?
A: Data Plane Development Kit — a set of libraries for fast packet processing that bypasses the kernel network stack entirely. Used in high-performance networking (NFV, SDN). Packets go directly from NIC to userspace via huge pages and poll mode drivers.
Q: What kernel parameter controls the maximum number of connections tracked by netfilter?
A: net.netfilter.nf_conntrack_max — default varies by system memory. If exhausted, new connections are dropped. Monitor with /proc/sys/net/netfilter/nf_conntrack_count.
Q: What is the difference between ip link set dev eth0 down and ifdown eth0?
A: ip link directly changes the interface state at the kernel level. ifdown uses the distribution's network configuration system (ifupdown, NetworkManager) which may also remove routes, release DHCP, and run scripts.
Q: What is GRE tunneling?
A: Generic Routing Encapsulation (IP protocol 47): a tunneling protocol that encapsulates packets (IP or other protocols) inside IP packets to connect remote networks across an intermediate one. Created in Linux with ip tunnel add. GRE provides no encryption or authentication, so across untrusted networks it is normally carried inside IPsec or WireGuard.
Q: What is the bridge command?
A: Part of iproute2, manages Linux bridge devices. bridge fdb show displays the forwarding database (MAC table). bridge link shows bridge ports and their states.
Q: How do you create a virtual Ethernet pair (veth)?
A: ip link add veth0 type veth peer name veth1 — creates two connected virtual interfaces. Moving one end to a network namespace creates a connection between namespaces. Fundamental to container networking.
Q: What is the purpose of keepalived?
A: Implements VRRP (Virtual Router Redundancy Protocol) for high-availability virtual IP addresses. Also provides health checking for LVS (Linux Virtual Server) load balancing.
Q: What is LVS (Linux Virtual Server)?
A: A Layer 4 load balancer built into the Linux kernel using IPVS (IP Virtual Server). Supports NAT, Direct Routing (DR), and IP tunneling modes. Managed with ipvsadm.
Q: What is the maximum number of TCP connections a Linux server can handle?
A: Theoretically limited by available file descriptors, memory, and the ephemeral port range. A server can handle millions of connections since it uses one port (e.g., 80) and connections are identified by the 4-tuple (src_ip, src_port, dst_ip, dst_port).
Q: What does sysctl net.core.rmem_max control?
A: Maximum receive socket buffer size in bytes. Increase for high-throughput applications. Often tuned alongside net.core.wmem_max (send buffer) and the TCP-specific net.ipv4.tcp_rmem/net.ipv4.tcp_wmem.
Q: What is the socat command?
A: "SOcket CAT" — a multipurpose relay tool that establishes two bidirectional byte streams and transfers data. More powerful than netcat, supporting Unix sockets, SSL, proxy protocols, and file descriptors.
Q: What is the /proc/net/tcp file format?
A: Each line represents one TCP socket: local and remote address as hex-encoded IPv4 address in host byte order (little-endian on x86) and big-endian port (0100007F:1F90 is 127.0.0.1:8080), the socket state as a hex code (0A = LISTEN, 01 = ESTABLISHED), transmit/receive queue sizes, timer info, the owning UID, the socket inode (which /proc/PID/fd symlinks point at, letting you map a socket to its process), and more. /proc/net/tcp6 has the same layout with 128-bit addresses. ss normally uses the sock_diag netlink interface and only falls back to this file; reading it directly is useful on minimal containers that ship neither ss nor netstat.
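Decoding the format above by hand, as an added example that is not part of the compendium: the parser handles both /proc/net/tcp and /proc/net/tcp6, decodes the host-byte-order hex addresses, and lists listening sockets with their UID and inode for later matching against /proc/PID/fd. The sample lines are constructed for the example, not captured from a real host.

```python
"""Added example: parse /proc/net/tcp and /proc/net/tcp6 without ss or
netstat and list listening sockets with their owning UID and inode."""
import socket
from typing import Dict, List, Tuple

TCP_STATES = {
    "01": "ESTABLISHED", "02": "SYN_SENT", "03": "SYN_RECV", "04": "FIN_WAIT1",
    "05": "FIN_WAIT2", "06": "TIME_WAIT", "07": "CLOSE", "08": "CLOSE_WAIT",
    "09": "LAST_ACK", "0A": "LISTEN", "0B": "CLOSING", "0C": "NEW_SYN_RECV",
}

# Constructed sample: a root-owned listener on port 22, a uid-1000 connection
# on localhost:8080, and an IPv6 listener on ::1 port 53.
SAMPLE_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 0100007F:1F90 0100007F:C3A2 01 00000000:00000000 00:00000000 00000000  1000        0 23456 1 0000000000000000 20 4 30 10 -1
"""
SAMPLE_TCP6 = """\
  sl  local_address                         remote_address                        st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000000000000000000001000000:0035 00000000000000000000000000000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 34567 1 0000000000000000 100 0 0 10 0
"""


def decode_addr(field: str) -> Tuple[str, int]:
    """'0100007F:1F90' -> ('127.0.0.1', 8080). The kernel prints each 32-bit
    word in host byte order (little-endian on x86); the port is big-endian."""
    hex_ip, hex_port = field.split(":")
    words = [hex_ip[i:i + 8] for i in range(0, len(hex_ip), 8)]
    raw = b"".join(bytes.fromhex(w)[::-1] for w in words)
    family = socket.AF_INET if len(raw) == 4 else socket.AF_INET6
    return socket.inet_ntop(family, raw), int(hex_port, 16)


def parse_proc_net_tcp(text: str) -> List[Dict]:
    """Parse the contents of /proc/net/tcp or /proc/net/tcp6 into dicts."""
    entries = []
    for line in text.splitlines()[1:]:          # first line is the header row
        f = line.split()
        if len(f) < 10:
            continue
        entries.append({
            "local": decode_addr(f[1]),
            "remote": decode_addr(f[2]),
            "state": TCP_STATES.get(f[3], f[3]),
            "uid": int(f[7]),
            "inode": int(f[9]),   # /proc/PID/fd/N -> socket:[inode] names the owner
        })
    return entries


def listening(entries: List[Dict]) -> List[Tuple[str, int, int, int]]:
    """(address, port, uid, inode) for every socket in LISTEN state."""
    return [(e["local"][0], e["local"][1], e["uid"], e["inode"])
            for e in entries if e["state"] == "LISTEN"]


if __name__ == "__main__":
    for path in ("/proc/net/tcp", "/proc/net/tcp6"):
        with open(path) as fh:
            for row in listening(parse_proc_net_tcp(fh.read())):
                print(path, row)
```

To turn an inode into a process, walk /proc/*/fd and look for a symlink target of socket:[inode]; that is the same join ss -p performs, and it works inside a container where the process list is otherwise all you have.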
Q: What are the common HTTP status code ranges?
A: 1xx: informational. 2xx: success (200 OK, 201 Created, 204 No Content). 3xx: redirection (301 Moved, 302 Found, 304 Not Modified). 4xx: client error (400 Bad Request, 401 Unauthorized, 403 Forbidden, 404 Not Found). 5xx: server error (500 Internal, 502 Bad Gateway, 503 Service Unavailable).
Q: What is SNI (Server Name Indication)?
A: A TLS extension in which the client names the host it wants inside the ClientHello, so the server can present the matching certificate. It is what allows many HTTPS sites to share one IP address; without it the server has to guess, which in practice meant one IP per certificate. The name travels in cleartext in the ClientHello, so network observers and filtering middleboxes can see which site is being visited even though everything after the handshake is encrypted; Encrypted Client Hello (ECH) is the extension designed to close that gap.
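To make the cleartext point concrete, the following added example (not code from the compendium) builds a minimal ClientHello record with a server_name extension and then extracts the SNI from the raw bytes, exactly as a passive observer or a filtering middlebox would. The bytes are constructed in memory; nothing is sent on the network, and the zeroed random and the cipher suite list are simplifications for the example.

```python
"""Added example: build a minimal TLS ClientHello carrying server_name and
recover the SNI from the raw record, as a passive observer can."""
import struct
from typing import Optional

TLS_HANDSHAKE = 0x16
CLIENT_HELLO = 0x01
EXT_SERVER_NAME = 0x0000


def build_client_hello(server_name: Optional[str]) -> bytes:
    """TLS record holding a ClientHello; no extensions block when no name is given."""
    suites = b"".join(struct.pack("!H", s) for s in (0x1301, 0x1302, 0x1303))
    body = (b"\x03\x03" + bytes(32)                  # legacy_version, random (zeroed here)
            + b"\x00"                                # empty legacy_session_id
            + struct.pack("!H", len(suites)) + suites
            + b"\x01\x00")                           # one compression method: null
    if server_name is not None:
        name = server_name.encode("idna")
        entry = b"\x00" + struct.pack("!H", len(name)) + name   # name_type host_name
        sni = struct.pack("!H", len(entry)) + entry             # ServerNameList
        exts = struct.pack("!HH", EXT_SERVER_NAME, len(sni)) + sni
        body += struct.pack("!H", len(exts)) + exts
    hs = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([TLS_HANDSHAKE, 0x03, 0x01]) + struct.pack("!H", len(hs)) + hs


def extract_sni(record: bytes) -> Optional[str]:
    """host_name from a ClientHello record, or None if absent or malformed."""
    try:
        if record[0] != TLS_HANDSHAKE or record[5] != CLIENT_HELLO:
            return None
        end = 5 + struct.unpack_from("!H", record, 3)[0]       # end of this record
        pos = 9 + 2 + 32                                       # past hs header, version, random
        pos += 1 + record[pos]                                 # legacy_session_id
        pos += 2 + struct.unpack_from("!H", record, pos)[0]    # cipher_suites
        pos += 1 + record[pos]                                 # compression_methods
        if pos >= end:
            return None                                        # no extensions at all
        ext_end = pos + 2 + struct.unpack_from("!H", record, pos)[0]
        pos += 2
        while pos + 4 <= ext_end:
            etype, elen = struct.unpack_from("!HH", record, pos)
            pos += 4
            if etype == EXT_SERVER_NAME:
                p, stop = pos + 2, pos + elen                   # skip ServerNameList length
                while p + 3 <= stop:
                    ntype = record[p]
                    nlen = struct.unpack_from("!H", record, p + 1)[0]
                    if ntype == 0:                             # host_name entry
                        return record[p + 3:p + 3 + nlen].decode("idna")
                    p += 3 + nlen
                return None
            pos += elen
    except (IndexError, struct.error, UnicodeError):
        return None
    return None


if __name__ == "__main__":
    hello = build_client_hello("example.com")
    print(hello.hex())
    print("SNI visible on the wire:", extract_sni(hello))
```

The parser tolerates truncated or non-handshake records by returning None rather than raising, which is the behaviour you want in anything that sits on a live traffic path. Note that a real ClientHello spans exactly this structure; the only thing a TLS 1.3 client adds before the name is more extensions, which the loop skips.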
Q: What is the curl -v flag useful for?
A: Verbose mode showing the complete request/response cycle: DNS resolution, TCP connection, TLS handshake, request headers, response headers, and body. Essential for HTTP debugging.
Q: What is the host command?
A: Simple DNS lookup tool: host example.com returns A records. host -t MX example.com queries MX records. Simpler output than dig, good for quick lookups.
Q: What is a Linux bridge and how does it relate to containers?
A: A software Layer 2 switch in the kernel. Docker creates docker0 bridge by default. Container veth pairs connect to this bridge, enabling container-to-container and container-to-host communication.
Q: What is macvlan?
A: A Linux network driver that allows creating multiple virtual interfaces with distinct MAC addresses on a single physical interface. Each virtual interface gets its own IP and appears as a separate device on the network. Used in container networking.
Q: What is ipvlan?
A: Similar to macvlan but all virtual interfaces share the parent's MAC address and use different IPs. Avoids MAC address table overflow on switches. Supports L2 and L3 modes.
Q: What is the XDP (eXpress Data Path) framework?
A: An eBPF-based programmable packet processing framework that runs at the earliest point in the network stack (before skb allocation). Achieves near-line-rate packet processing for DDoS mitigation, load balancing, and filtering.
Q: How do you persistently set a static IP on RHEL 9?
A: nmcli connection modify eth0 ipv4.addresses 10.0.0.5/24 ipv4.gateway 10.0.0.1 ipv4.dns "8.8.8.8" ipv4.method manual && nmcli connection up eth0.
Q: What is the difference between TCP RST and FIN?
A: FIN is a graceful connection close — both sides complete the four-way teardown. RST (reset) is an abrupt close — immediately drops the connection without waiting for acknowledgments. RST indicates an error or rejected connection.
Q: What is eBPF used for in networking?
A: Traffic control, XDP packet processing, socket filtering, load balancing (Cilium, Katran), network observability, and programmable firewalling. It allows custom network logic without kernel modifications.
Q: What is Cilium?
A: A Kubernetes CNI plugin that uses eBPF for networking, security, and observability. Replaces kube-proxy and iptables with eBPF programs for higher performance and more granular network policies.
Q: What does /proc/sys/net/ipv4/tcp_syncookies control?
A: Enables SYN cookies — a defense against SYN flood attacks. When the SYN queue is full, the server encodes connection state in the SYN-ACK sequence number instead of allocating resources, allowing legitimate connections to complete.
Q: What is the difference between symmetric and asymmetric routing?
A: Symmetric: packets take the same path in both directions. Asymmetric: packets take different paths. Asymmetric routing can cause issues with stateful firewalls and reverse path filtering (rp_filter).
Q: What is reverse path filtering?
A: A security feature (net.ipv4.conf.all.rp_filter, also settable per interface) that drops packets arriving on an interface if the reply to their source address would not be routed back out through that interface. It limits IP spoofing. Values: 0 = disabled, 1 = strict (the reply must leave via the arriving interface), 2 = loose (the source just has to be reachable via some interface). The kernel applies the larger of the all and per-interface values, so setting all to 0 does not turn filtering off on an interface that has its own value of 1. Strict mode breaks asymmetric routing; use loose there. IPv6 has no rp_filter sysctl; use an nftables fib check instead (fib saddr . iif oif missing drop).
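A small audit that ties together the sysctl knobs discussed in this part of the compendium (ICMP redirects, proxy ARP, SYN cookies, source routing and reverse path filtering), added here as an example and not taken from the page: it parses sysctl -a style output and applies the max(all, interface) rule for rp_filter so that a deceptively harmless conf.all value of 0 is not reported as a finding on an interface that still has its own value set. The sample output and the wanted values are constructed for the example; the baseline is a common one, not the compendium's.

```python
"""Added example: audit sysctl output for common network-hardening settings,
applying the kernel rule that effective rp_filter = max(conf.all, conf.<iface>)."""
import subprocess
from typing import Dict, List, Tuple

# key -> (wanted value, why it matters). A common baseline, adjust to taste.
WANTED = {
    "net.ipv4.conf.all.accept_redirects": ("0", "ICMP redirects let an on-link attacker rewrite routes"),
    "net.ipv4.conf.default.accept_redirects": ("0", "same, for interfaces created later"),
    "net.ipv4.conf.all.send_redirects": ("0", "non-routers should never emit redirects"),
    "net.ipv4.conf.all.accept_source_route": ("0", "source routing bypasses routing policy"),
    "net.ipv4.conf.all.proxy_arp": ("0", "proxy ARP is rarely intended on a host"),
    "net.ipv4.tcp_syncookies": ("1", "keeps the listen queue usable under SYN flood"),
    "net.ipv6.conf.all.accept_redirects": ("0", "IPv6 redirects carry the same risk"),
}

# Constructed sample output (sysctl -a format); eth1 is the weak spot.
SAMPLE = """\
net.ipv4.conf.all.accept_redirects = 1
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.all.proxy_arp = 0
net.ipv4.conf.all.rp_filter = 0
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.lo.rp_filter = 0
net.ipv4.conf.eth0.rp_filter = 1
net.ipv4.conf.eth1.rp_filter = 0
net.ipv4.tcp_syncookies = 1
net.ipv6.conf.all.accept_redirects = 0
"""

Finding = Tuple[str, str, str, str]   # key, current, wanted, reason


def parse_sysctl(text: str) -> Dict[str, str]:
    """'key = value' lines into a dict (dots in interface names appear as '/')."""
    vals: Dict[str, str] = {}
    for line in text.splitlines():
        key, sep, val = line.partition("=")
        if sep:
            vals[key.strip()] = val.strip()
    return vals


def effective_rp_filter(vals: Dict[str, str], iface: str) -> int:
    """Kernel rule: the larger of conf.all and conf.<iface> is what applies."""
    return max(int(vals.get("net.ipv4.conf.all.rp_filter", "0")),
               int(vals.get(f"net.ipv4.conf.{iface}.rp_filter", "0")))


def audit(text: str) -> List[Finding]:
    """Findings for every WANTED key that deviates and every interface with rp_filter off."""
    vals = parse_sysctl(text)
    findings: List[Finding] = []
    for key, (wanted, why) in WANTED.items():
        current = vals.get(key, "<missing>")
        if current != wanted:
            findings.append((key, current, wanted, why))
    ifaces = {k.split(".")[3] for k in vals
              if k.startswith("net.ipv4.conf.") and k.endswith(".rp_filter")}
    for iface in sorted(ifaces - {"all", "default", "lo"}):
        if effective_rp_filter(vals, iface) == 0:
            findings.append((f"net.ipv4.conf.{iface}.rp_filter", "0",
                             "1 (strict) or 2 (loose)",
                             "source validation off: max(all, iface) is 0"))
    return findings


if __name__ == "__main__":
    try:
        text = subprocess.run(["sysctl", "-a"], capture_output=True, text=True).stdout
    except OSError:
        text = ""                                    # no sysctl binary: fall back to the sample
    for key, current, wanted, why in audit(text or SAMPLE):
        print(f"{key}: {current} (want {wanted}): {why}")
```

On the sample this reports two findings, the redirect setting and eth1, and stays quiet about eth0 even though conf.all is 0, which is the case most checklist-style audits get wrong in one direction or the other.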
Q: What is systemd-networkd-wait-online.service?
A: A systemd service that blocks boot until network connectivity is established. Often causes boot delays when not all interfaces come up. Can be configured with --any to proceed when any interface is online.
Q: What is a gratuitous ARP?
A: An ARP request or reply that nobody asked for, sent to announce a MAC/IP binding: after an IP change, after a failover so that neighbours refresh their caches, or to detect address conflicts. Important in high-availability setups (keepalived sends them when a virtual IP moves). Because ARP has no authentication, the same mechanism is what ARP spoofing uses to poison caches, which is why switches offer Dynamic ARP Inspection and why critical entries can be pinned on a host with ip neigh replace <ip> lladdr <mac> dev <iface> nud permanent.
Q: What is the arping command?
A: Sends ARP request packets to detect if an IP address is in use on the local network and identify the responding MAC address. arping -D 10.0.0.1 checks for duplicate addresses.
Q: What is ss -i useful for?
A: Shows internal TCP information including congestion window (cwnd), round-trip time (rtt), retransmissions, and MSS. Valuable for diagnosing TCP performance issues.
Q: What is a bonding vs teaming?
A: Bonding (the kernel bonding module) and teaming (the userspace teamd daemon plus a small kernel team driver) both aggregate network interfaces for redundancy or throughput, including 802.3ad/LACP. Teaming was introduced as the more modular design with JSON-based configuration, but it never displaced bonding: Red Hat deprecated teaming in RHEL 9 and recommends bonding, which NetworkManager configures directly (nmcli connection add type bond ...). Prefer bonding for new deployments.
Q: What is the bmon tool?
A: A real-time bandwidth monitor that shows per-interface traffic rates and statistics in a terminal-based UI. Simpler alternative to iftop for quick bandwidth monitoring.
Q: What is the difference between IPv4 and IPv6 address sizes?
A: IPv4: 32-bit addresses (~4.3 billion). IPv6: 128-bit addresses (~3.4 x 10^38). IPv6 addresses are written in hexadecimal groups separated by colons (e.g., 2001:0db8::1).
Q: What is the loopback address in IPv6?
A: ::1 (equivalent to 127.0.0.1 in IPv4).
Q: What is a link-local address in IPv6?
A: An auto-configured address in the fe80::/10 range, used for communication on the local network segment. Every IPv6-enabled interface has one. Not routable beyond the local link.
Q: What Linux kernel parameter enables IPv6?
A: net.ipv6.conf.all.disable_ipv6 = 0 (0 enables, 1 disables). Can be set per-interface with net.ipv6.conf.<iface>.disable_ipv6.
Q: What is the ss -s command useful for?
A: Shows socket statistics summary: total, TCP, UDP, RAW, FRAG, and per-state counts (ESTAB, SYN-SENT, TIME-WAIT, etc.). Quick overview of connection health.
Q: What is tshark?
A: The command-line version of Wireshark for packet capture and analysis. Supports all Wireshark dissectors and display filters. Useful for scripted packet analysis.
Q: What is the difference between HTTP/1.1, HTTP/2, and HTTP/3?
A: HTTP/1.1: text-based, one request per connection (or pipelining). HTTP/2: binary framing, multiplexing multiple streams over one TCP connection, header compression. HTTP/3: uses QUIC (UDP-based) instead of TCP, reducing connection setup latency.
Q: What is the ip -brief addr show command?
A: Shows a compact summary of all interfaces with their state and IP addresses. Much more readable than the full ip addr show output.
Q: What is RFC 5737?
A: Defines documentation IP address ranges: 192.0.2.0/24 (TEST-NET-1), 198.51.100.0/24 (TEST-NET-2), 203.0.113.0/24 (TEST-NET-3). Should be used in documentation and examples instead of real addresses.
Q: What is iftop?
A: Displays real-time bandwidth usage per connection on a network interface. Shows source, destination, and transfer rates. Requires root/capabilities.
Q: What happens when you ping ::1?
A: Sends ICMPv6 echo requests to the IPv6 loopback address. Equivalent to ping 127.0.0.1 for IPv6 connectivity testing.
Q: What is nftables advantage over iptables for large rulesets?
A: nftables supports sets, maps, and concatenations that replace hundreds of individual rules with a single rule referencing a set. Dramatically better performance for large rulesets and atomic rule replacement.
Q: What is the difference between a raw socket and a regular socket?
A: Regular sockets use TCP or UDP at the transport layer and the kernel builds the headers. Raw sockets (AF_INET, SOCK_RAW) give direct access to IP-level protocols such as ICMP, and packet sockets (AF_PACKET) to whole frames, so a program can craft arbitrary headers. Both require CAP_NET_RAW, which is why container runtimes commonly drop it; unprivileged ping works through ICMP datagram sockets (SOCK_DGRAM) governed by net.ipv4.ping_group_range.
Q: What is the maximum number of file descriptors per process?
A: Per process: the soft limit from ulimit -n (commonly 1024; systemd-based systems typically set 1024 soft and 524288 hard for services), raisable by the process up to its hard limit (ulimit -Hn) and never above /proc/sys/fs/nr_open (default 1048576). System-wide, /proc/sys/fs/file-max caps the total number of open file handles. Set the limit per service in systemd with LimitNOFILE=. Running out surfaces as EMFILE (too many open files) in the application, or ENFILE when the system-wide table is full.
Q: What is epoll in Linux?
A: A scalable I/O event notification mechanism that efficiently monitors large numbers of file descriptors (sockets). Used by high-performance servers (nginx, Node.js). Superior to select and poll for many concurrent connections.
Q: What is the thundering herd problem?
A: When many sleeping processes/threads are woken simultaneously by a single event (e.g., new connection on a listening socket), but only one can handle it. The others waste CPU waking up and going back to sleep. EPOLLEXCLUSIVE mitigates this.
Q: What is the taskset command?
A: Sets or retrieves the CPU affinity of a process — which CPUs it can run on. taskset -c 0,1 command restricts to CPUs 0 and 1. Useful for performance tuning and NUMA optimization.
Q: What is the numactl command?
A: Controls NUMA policy for processes. numactl --cpunodebind=0 --membind=0 command pins both CPU and memory to NUMA node 0. numactl --hardware shows NUMA topology.
Q: What is /proc/PID/oom_score?
A: The current OOM killer score (0-1000) for a process. Higher means more likely to be killed when memory is critically low. Based on memory usage, oom_score_adj, and other factors.
Q: What is the difference between softirq and hardirq?
A: Hardirqs (hardware interrupts) are triggered by hardware events and must be handled quickly with interrupts disabled. Softirqs are deferred processing scheduled by hardirqs to run with interrupts enabled, handling the bulk of the work.
Q: What is /proc/interrupts?
A: Shows interrupt counts per CPU for each IRQ line, including the interrupt controller, device, and type. Useful for identifying interrupt imbalances and NIC queue distribution.
Q: What is irqbalance?
A: A daemon that distributes hardware interrupts across CPUs for better performance. Prevents all interrupts from being handled by CPU 0. Can be tuned to ban certain CPUs from handling specific interrupts.
Q: What is the perf top command?
A: A real-time performance profiler showing which functions consume the most CPU, similar to top but at the function/instruction level. Excellent for identifying hot spots.
Q: What is perf record and perf report?
A: perf record -g command profiles a command, capturing stack traces. perf report displays the collected data as an interactive call graph. Essential for performance analysis and optimization.
Q: What is a flame graph?
A: A visualization of profiled stack traces where the x-axis represents the proportion of time spent and the y-axis shows the call stack. Created by Brendan Gregg. Generated from perf record data using flamegraph.pl.
Q: What does /proc/PID/smaps show?
A: Detailed memory information for each virtual memory area of a process: size, RSS, PSS (proportional set size), shared/private clean/dirty pages, referenced, anonymous, swap. More detailed than /proc/PID/maps.
Q: What is PSS (Proportional Set Size)?
A: A memory metric that divides shared pages equally among all processes sharing them. More accurate than RSS for processes sharing libraries. PSS of all processes sums to total physical memory used.
Q: What is cgroups v2 memory.pressure?
A: A file in cgroups v2 that reports memory pressure metrics (some, full) with 10-second, 60-second, and 300-second averages. Part of the PSI (Pressure Stall Information) system. Non-zero values indicate resource contention.
Q: What is PSI (Pressure Stall Information)?
A: Kernel metrics, available since 4.20, in /proc/pressure/{cpu,memory,io} (plus irq since 6.1) showing the share of wall-clock time during which tasks were stalled waiting for a resource: some means at least one task was stalled, full means every non-idle task was stalled. Each file reports avg10, avg60 and avg300 percentages and a cumulative total in microseconds. This gives a unified view of contention without interpreting many separate counters; cgroup v2 exposes the same files per cgroup.
Q: What is the turbostat command?
A: Reports CPU frequency, C-states, power consumption, and temperature per core. Useful for verifying CPU power management, frequency scaling, and thermal throttling.
Q: What is slabtop?
A: Displays kernel slab allocator statistics in real-time — showing object caches, their sizes, and utilization. Useful for diagnosing kernel memory issues and identifying which subsystems consume the most kernel memory.
Q: What is nproc?
A: Prints the number of available processing units (CPU cores/threads). Commonly used in build scripts: make -j$(nproc).
Q: What does getconf _NPROCESSORS_ONLN return?
A: The number of online processors, similar to nproc. A POSIX-compliant way to query CPU count.
Q: What is stress-ng?
A: A stress testing tool that exercises various system resources (CPU, memory, I/O, network). Used for stability testing, benchmarking, and validating resource limits. More comprehensive than the older stress tool.
Q: What is cgroup memory.max in cgroups v2?
A: The hard memory limit for a cgroup. If a process in the cgroup exceeds this, the OOM killer is invoked for that cgroup. Set to max for no limit.
Q: What is memory.high in cgroups v2?
A: A memory throttling threshold. When usage exceeds memory.high, the kernel aggressively reclaims memory from the cgroup, slowing it down. Unlike memory.max, it does not trigger OOM killing.
Q: What does systemd-cgtop show?
A: Real-time resource usage (CPU, memory, I/O) per cgroup/service, similar to top but organized by systemd unit. Shows which services consume the most resources.
Q: What is the difference between uptime load average and CPU utilization?
A: Load average counts all tasks in the run queue (including those waiting for I/O in D state). CPU utilization only measures actual CPU busy time. A system can have high load average but low CPU utilization if many processes are in D state (I/O-bound).
Q: What is swappiness and what's a good value for servers?
A: vm.swappiness controls the kernel's tendency to swap. Default is 60. For database servers: 1-10 (minimize swapping). For desktop: 60 (responsive). Value 0 doesn't disable swap; it just makes the kernel prefer dropping cache over swapping.
Q: What does cat /proc/PID/wchan show?
A: The kernel function a sleeping process is blocked in. Helps identify why a process is stuck (waiting on I/O, lock, futex, etc.).
Q: What is the difference between vmstat si/so and sar -W?
A: Both show swap activity. vmstat si=swap in (pages from swap to RAM), so=swap out (pages from RAM to swap). sar -W shows pswpin/s and pswpout/s. High swap activity indicates memory pressure.
Q: What is an I/O scheduler?
A: Kernel component that orders and merges block I/O requests for optimal disk performance. Modern options: mq-deadline (good for SSDs and HDDs), bfq (fairness-oriented), none/noop (no reordering, best for NVMe).
Q: How do you change the I/O scheduler for a block device?
A: echo mq-deadline > /sys/block/sda/queue/scheduler. Check current scheduler: cat /sys/block/sda/queue/scheduler (active one shown in brackets).
Q: What is CPU steal time?
A: The percentage of time a virtual CPU waits for the hypervisor to schedule it on a physical CPU. Visible in top as st. High steal indicates the host is overcommitted or noisy neighbors are consuming resources.
Q: What is iowait in CPU statistics?
A: The percentage of time the CPU is idle while the system has outstanding I/O requests. High iowait suggests I/O bottleneck but can be misleading — it's measured per CPU and only when the CPU would otherwise be idle.
Q: What is the tuna command?
A: A tool for tuning system performance: adjusting IRQ affinity, CPU affinity, process priorities, and isolating CPUs. Provides both CLI and GUI. Common in RHEL for real-time tuning.
Q: What is tuned?
A: A systemd service that applies performance profiles to optimize the system for specific workloads. Profiles include throughput-performance, latency-performance, virtual-guest, powersave. Set with tuned-adm profile <name>.
Q: What is process accounting in Linux?
A: The psacct/acct package records process creation, CPU time, and memory usage. lastcomm shows recently executed commands. sa summarizes accounting data. Useful for auditing and capacity planning.
Q: What is the difference between user time and system time in process statistics?
A: User time: CPU time spent executing user-space code. System time: CPU time spent in kernel code on behalf of the process (system calls, page faults). time command reports both as user and sys.
Q: What is the mpstat -I ALL command useful for?
A: Shows interrupt statistics per CPU including hardware interrupts, software interrupts, and individual interrupt counts. Helps diagnose interrupt storms and imbalances.
Q: What is the difference between xfs_growfs and resize2fs?
A: xfs_growfs grows XFS filesystems (must be mounted, specify mount point). resize2fs resizes ext4 filesystems (can grow online or shrink offline). XFS cannot be shrunk; ext4 can.
Q: What is dmidecode?
A: Dumps BIOS/UEFI DMI (SMBIOS) table data: hardware model, serial number, BIOS version, RAM slots, CPU sockets. Requires root: dmidecode -t memory shows memory modules.
Q: What is the difference between reboot and shutdown -r now?
A: Functionally equivalent on modern systemd systems. shutdown provides the ability to schedule reboots (shutdown -r +10 "message") and notify logged-in users. Both ultimately call systemctl reboot.
Q: What is the install command?
A: Copies files while setting permissions and ownership in one step: install -m 755 -o root -g root binary /usr/local/bin/. More efficient than separate cp/chmod/chown.
Q: What is mkfs a frontend for?
A: mkfs is a wrapper that calls filesystem-specific tools: mkfs.ext4, mkfs.xfs, mkfs.btrfs, etc. Usage: mkfs -t ext4 /dev/sda1 or mkfs.ext4 /dev/sda1.
Q: What is a mount namespace used for in containers?
A: Gives each container its own view of the filesystem mount tree, isolated from the host and other containers. The container sees only its own root filesystem and mounted volumes.
Q: What is the difference between journalctl -xe and journalctl -u service?
A: -xe shows the end of the journal with explanatory text for catalog entries. -u service filters by a specific systemd unit. Combine them: journalctl -xeu nginx.service.
Q: What is the lscpu command?
A: Displays CPU architecture information: model name, cores, threads, sockets, NUMA nodes, cache sizes, flags, and virtualization capabilities. Reads from /proc/cpuinfo and sysfs.
Q: What is the relationship between lsmod and /proc/modules?
A: lsmod is a formatted reader of /proc/modules. Both show loaded kernel modules with size and dependency (used-by) information. modinfo module_name shows detailed module information.
Q: What is the difference between TCP Nagle's algorithm and TCP_NODELAY?
A: Nagle's algorithm buffers small packets to reduce network overhead by combining them. Setting TCP_NODELAY disables Nagle's, sending packets immediately. Low-latency applications (games, trading) use TCP_NODELAY.
Q: What is the hostnamectl command?
A: Manages the system hostname on systemd systems. hostnamectl set-hostname myserver sets all three hostname types (static, transient, pretty). Shows OS and kernel info with hostnamectl status.
Q: What is timedatectl?
A: Manages system time, timezone, and NTP synchronization on systemd systems. timedatectl set-timezone America/New_York. timedatectl set-ntp true enables time synchronization.
Q: What is localectl?
A: Manages system locale and keyboard layout on systemd systems. localectl set-locale LANG=en_US.UTF-8. localectl set-keymap us.
Q: What are the six fields of crontab -l output?
A: Minute, hour, day of month, month, day of week, and command. Unlike /etc/crontab, per-user crontabs do NOT have a username field.
Q: What is the column -t command useful for?
A: Formats whitespace-delimited input into aligned columns. cat /etc/fstab | column -t produces a neatly formatted table.
Q: What does findmnt do?
A: Shows mounted filesystems in a tree format. findmnt -t ext4 filters by type. findmnt /boot shows the mount for a specific path. More informative than mount for understanding the mount hierarchy.
Q: What is the purpose of the alternatives system?
A: Manages symbolic links for choosing between multiple versions of a command (e.g., java, python, editor). alternatives --config java on RHEL or update-alternatives --config java on Debian.
Q: What is dbus (D-Bus)?
A: A message bus system for inter-process communication. systemd uses it extensively for service management. dbus-monitor watches messages. Two buses: system bus (root services) and session bus (user applications).
Q: What is the difference between kill -l and trap -l?
A: Both list the available signals and show the same set. kill -l prints signal names (with numbers in bash) and converts a number to its name: kill -l 9 returns "KILL". trap -l is the shell builtin's equivalent listing.
Q: What does getent do?
A: Queries Name Service Switch databases: getent passwd username looks up a user (local or LDAP/NIS), getent hosts hostname resolves a hostname, getent group groupname queries groups. Works with any NSS source.
Q: What is the difference between adduser and useradd?
A: useradd is the low-level binary that creates users. adduser (on Debian) is a friendly wrapper script that interactively sets password, creates home directory, and copies skeleton. On RHEL, adduser is a symlink to useradd.
Q: What is the /etc/skel directory?
A: The skeleton directory — its contents are copied to a new user's home directory at creation time. Contains default .bashrc, .profile, and other dotfiles.
Q: What are the w command's JCPU and PCPU columns?
A: JCPU: total CPU time used by all processes attached to the user's tty. PCPU: CPU time of the current process shown in the WHAT column.
Q: What is the difference between wall and write?
A: wall broadcasts a message to all logged-in users' terminals. write user sends a message to a specific user's terminal. Both are one-way messaging tools.
Q: What is the chvt command?
A: Changes the foreground virtual terminal (console): chvt 3 switches to tty3. Equivalent to pressing Ctrl+Alt+F3 but usable from scripts.
Q: What is the fmt command?
A: Reformats text to a specified width: fmt -w 72 file wraps lines to 72 characters. Useful for formatting email text and documentation.
Q: What is the rev command?
A: Reverses each line of input character by character. echo "hello" | rev outputs "olleh". A quirky but occasionally useful text processing tool.
Q: What is nl used for?
A: Numbers lines of a file. More configurable than cat -n: can number only non-blank lines, use custom formats, and handle section headers.
Q: What is the paste command?
A: Merges lines from multiple files side by side: paste file1 file2 outputs corresponding lines tab-separated. paste -s file joins all lines of a single file into one line.