Linux Interview Questions
What do you mean by Linux? Explain its features.
Linux is a Unix-like open-source computer operating system (OS) that directly manages the hardware and resources of a system, such as CPU, memory, and storage, and manages the communication between software and hardware. It was first released on 5 October 1991 by Linus Torvalds for computers and is considered more secure and faster than Windows. It is freely distributable and is generally built around the Linux kernel (low-level system software that is used to manage hardware resources for users). Furthermore, it can be installed on mobiles, laptops, computers, notebooks, etc. Flavors of Linux OS include Ubuntu, Debian, SUSE Linux, Gentoo, etc.

Some important features of Linux OS include:
- Free and Open Source: It is freely and easily available to anyone.
- Robust and Adaptable: Linux can operate for prolonged periods without crashing and is considered largely immune to security threats.
- More secure: It is more secure as it provides security using authentication features like password authentication, security auditing, and file system access control.
- Multiprogramming System: More than one function or application can run simultaneously.
- Application Support: It has its own software repository i.e., place or storage location from where software can be retrieved so that users can download and install applications.
- Supports customized keyboards: Many different languages are used throughout the world, so Linux supports the installation of keyboards for multiple languages.
- GUI (Graphical User Interface): It provides an interface for users to interact with the system and allows the use of GUI applications such as VLC, Firefox, etc.
Linux OS internals
1. What is the maximum length for a filename under Linux?
The maximum length for a filename under Linux is 255 bytes.
2. Name the daemon that controls the print spooling process.
The daemon that controls the print spooling process is the line printing daemon.
3. What do you mean by daemons?
A daemon, also referred to as a background process, is a long-running Linux program that runs in the background. Daemons do not have a controlling terminal, which is why they run in the background. They are generally started when the system is bootstrapped and terminate only when the system is shut down. They are a way of extending the functionality of the base OS, offering several functions that are not available in the OS itself. Their main purpose is to handle periodic requests and then forward the requests to the appropriate programs for execution.
4. What is a “/proc” file system?
The proc file system is a pseudo or virtual file system that provides an interface to kernel data structures. It generally includes useful information about the processes that are currently running. It can also be used to change some kernel parameters at runtime. It is also regarded as a control and information center for the kernel. All files under this directory are called virtual files.
5. What is LVM and why is it required?
LVM (Logical Volume Management) is a tool that provides logical volume management for the Linux kernel. It was introduced to make physical storage device management easier. It covers allocating disks, striping, mirroring, and resizing logical volumes. Its main advantages are increased abstraction, flexibility, and control, which allow flexible disk space management. It is especially required for resizing a file system online. In Linux, an LVM partition can be extended using the “lvextend” command and reduced using the “lvreduce” command.

6. Name the file that is used to automatically mount file systems.
The file that is used to automatically mount file systems is the fstab file.
7. What are file permissions in Linux? Name different types of file systems in Linux.
There are three owners in the Linux System i.e., user, group, and others. These owners have three types of permissions defined as listed below:
- Read (r): It allows the user to open and read the file or list the directory.
- Write (w): It allows the user to open and modify the file. One can also add new files to the directory.
- Execute (x): It allows the user to execute or run the file. One can also look up a specific file within a directory.
8. Under the Linux system, what is the typical size for swap partitions?
The typical size for a swap partition under a Linux system should be twice the amount of physical memory or RAM available on the system.
9. Name the Linux that is specially designed by Sun Microsystems.
The Linux that is specially designed by Sun Microsystems is Solaris.
10. What is a Zombie Process?
A zombie process, also referred to as a defunct or dead process in Linux, is a process that has finished execution but whose entry remains in the process table. It usually happens due to a lack of correspondence between parent and child processes. The entry is kept for the child process because the parent process needs to read the status of the child process. Once that is done using the wait system call, the zombie process is removed from the process table.

11. Name different types of modes used in VI editor.
VI editor (Visual Editor) is basically a default text editor that usually comes with most of the Linux OS. There are basically three types of modes used in VI editor as given below:

- Command Mode/Regular Mode: It is the default mode for the vi editors. It is generally used to type commands that usually perform particular or specific vi functions. To enter this mode from another mode (Insert mode), one must press [esc]. In simple words, it lets you view the content.
- Insertion Mode/Edit Mode: This mode allows you to do text editing, or type text into a file. To enter this mode from another mode (command mode), one must press [esc]. In simple words, it lets you delete or insert text or content.
- Ex Mode/Replacement Mode: This mode is generally used to save the files and execution of the commands. It basically executes files with different parameters. To enter this mode, one must press [:]. In simple words, it lets you overwrite content or text.
12. What is Linux Shell? What types of Shells are there in Linux?
Linux shell is a user interface present between user and kernel. It is used for executing commands and communication with Linux OS. Linux shell is basically a program used by users for executing commands. It accepts human-readable commands as input and converts them into kernel understandable language.

Different types of shells commonly used on a typical Linux system are listed below:
- CSH (C Shell)
- KSH (Korn Shell)
- BASH (Bourne Again Shell)
- TCSH
- ZSH
- Bourne Shell
13. What do you mean by Process States in Linux?
A Linux process can be in a number of different states. The process passes through these states from its start until its end. Process states in Linux are as follows:

- New/Ready: In this state, a new process is created and is ready to run.
- Running: In this state, the process is being executed.
- Blocked/Wait: In this state, the process is waiting for input from the user, and if it doesn't have resources to run such as memory, file locks, or input, then it can remain in a waiting or blocked state.
- Terminated/Completed: In this state, the process has completed its execution or has been terminated by the OS.
- Zombie: In this state, the process is terminated but information regarding the process still exists and is available in the process table.
14. What is swap space?
Swap space, as the name suggests, is basically a space on a hard disk that is used when the amount of physical memory or RAM is full. It is considered a substitute for physical memory. Its main function is to substitute disk space for RAM memory when real RAM does not have enough space to hold all programs that are executing, and more space is required. In simple words, it can be used as an extension of RAM by Linux.
15. What is LILO?
LILO (Linux Loader) is basically a bootloader for Linux that is used to load Linux into memory and start the OS. It is also known as a boot manager that facilitates a dual boot of a computer. It can function as either a master boot program or secondary boot program and performs various functions such as locating kernel, identifying other supporting programs, loading memory, and starting the kernel. If you want to use Linux OS, then you need to install a special bootloader i.e., LILO for it as it allows fast boot of Linux OS.
16. What are two types of Linux User Mode?
There are two types of Linux user mode as given below:
- Command Line
- GUI
17. What is Kernel? Explain its functions.
A kernel is considered the main component of Linux OS. It is simply a resource manager that acts as a bridge between hardware and software. Its main role is to manage hardware resources for users and is generally used to provide an interface for user-level interaction. A kernel is the first program that is loaded whenever a computer system starts. It is also referred to as low-level system software.

Its other main functions include:
- Memory Management
- Process Management
- Device Management
- Storage Management
- Manage access, and use of various peripherals that are connected to the computer.
18. What is BASH?
BASH (Bourne Again Shell) is basically a command language interpreter. It was written by Brian Fox for GNU OS and can be used in place of Bourne Shell. It is similar to Bourne Shell but includes some additional features such as command-line editing that make it easier and more convenient to use. It is the default user shell on most Linux installations. It is basically an interpreted and non-compiled process that can also run in the terminal window. It is also capable of reading commands from shell scripts.
19. What are basic elements or components of Linux?
Linux generally consists of five basic elements or components as given below:

- Kernel: It is considered a core or main part of Linux and is generally responsible for all major activities of OS such as process management, device management, etc.
- System Library: These are special functions or programs with the help of which application programs or system utilities can access features of the kernel without any requirement of code. It is simply used to implement the functionality of the OS.
- System Utility: These are utility programs that are responsible to perform specialized and individual-level tasks. They are considered more liable and allow users to manage the computer.
- Hardware: It is physical hardware that includes items such as a mouse, keyboard, display, CPU, etc.
- Shell: It is an environment in which we can run our commands, shell scripts, and programs. It is an interface between user and kernel that hides all complexities of functions of the kernel from the user. It is used to execute commands.
20. What is CLI and GUI?
CLI (Command Line Interface): It is basically a command-line program that usually accepts text as input to execute or run functions of the operating system. It allows users to type declarative commands simply to give instructions to the computer to perform or execute operations. It usually requires less memory to use as compared to other interfaces as well as it does not require Windows and a low-resolution monitor can be used. It usually provides greater flexibility of use and can also be used to perform things easily that are most difficult to do with GUI.
GUI (Graphical User Interface): It is basically a human-computer interface that allows users to interact with electronic devices through graphical icons and visual indicators. The use of these graphical elements or icons makes it easier for users to interact with the system. It is visually intuitive and allows higher productivity. It is usually a combination of graphical and textual interaction that uses menus, buttons, message boxes, etc.
21. Name the first process that is started by the kernel in Linux and what is its process id?
The first process started by the kernel in Linux is “init” and its process id is 1.
22. What is INODE and Process Id?
INODE: It is a unique name given to each file by OS. Each inode has a unique inode number within a file system. It stores various information about files in Linux such as ownership, file size, file type, access mode, number of links, etc.
Process Id (Identifier): It is a unique Id given to each process. It is simply used to uniquely identify an active process throughout the system until the process terminates.
23. What do you mean by Shell Script?
A shell script, as the name suggests, is a script written especially for the shell. Here, script means a programming language that is used to control applications. It allows the execution of different commands that are entered in the shell. It generally helps you to create complex programs containing conditional statements, loops, and functions. It is very easy to debug, can simplify everyday automation processes, and is much quicker as compared to writing big programs.
24. What is load average in Linux?
Load average, as the name suggests, is the average system load on Linux servers being calculated over a given period of time. The load average of Linux servers can be found using “top” and “uptime” commands. It is simply used to keep track of system resources. It is represented by a decimal number starting at 0.00. It tells you the load that the system has been under.
25. What is the difference between cron and anacron?
Cron: It is a program in Linux that is used to execute tasks at a scheduled time. It works effectively on machines that run continuously.
Anacron: It is a program in Linux that is used to execute tasks at certain intervals. It works effectively on machines that are powered off in a day or week.
| Cron | Anacron |
|---|---|
| It is a daemon. | It is not a daemon. |
| It can be scheduled by any normal user. | It can only be used by super users. |
| It is considered ideal for servers. | It is considered ideal for desktops and laptops. |
| It expects the system to run 24*7 | It does not expect the system to run 24*7 |
| Its minimum granularity is in minutes. | Its minimum granularity is only in days |
| It is used to execute scheduled commands. | It is used to execute commands periodically. |
Linux Networking
1. What are the advantages of using NIC teaming?
NIC (Network Interface Card) teaming has several advantages as given below:
- Load Balancing
- Failover
- Increases uptime
2. Name three standard streams in Linux.
Standard streams are basically I/O (Input and Output) communication channels between a program and its environment in Linux. Input and output in the Linux environment are distributed across three standard streams. Three standard streams in Linux are as follows:

- Standard Input (stdin)
- Standard Output (stdout)
- Standard Error (stderr)
3. Write the difference between Soft and Hard links?
Hard Links: It is a special kind of file that points to the same underlying inode as another file. It can be referred to as an additional name for an existing file on Linux OS. Total number of hard links for a file can be displayed using the “ls -l” command. Such links cannot be used across file systems. Hard links can be created using the following command:
$ ln [original filename] [link name]
Soft Links: It is also termed a symbolic Link. Soft links are kinds of files that usually point to another file. It does not include any amount of data in the target file and simply points to another entry anywhere in the file system. Such links can be used across file systems. Soft links can be created using the following command:
$ ln -s [original filename] [link name]

| Hard Links | Soft Links |
|---|---|
| It is considered a mirror copy of the original file. | It is considered a symbolic link to the original file. |
| It usually shares the same inode number. | It usually has a different inode number. |
| It contains the original contents of the files. | It does not contain the actual contents but contains the location of the original file. |
| Any changes made to the original file will be directly reflected in the other files. | Any changes or modifications made to the soft link will be directly reflected in the original file and its hard links. |
| It cannot be used for linking directories. | It can be used for linking directories. |
| Such links are faster as compared to soft links. | Such links are slower as compared to hard links. |
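The inode behaviour summarised in the table can be checked directly. This is an added example, not part of the original article; the file names are constructed, everything runs in a temporary directory, and `stat -c` assumes GNU or BusyBox stat.

```bash
#!/usr/bin/env bash
# Added example: constructed file names, all inside a throwaway temp directory.

inode_of() { stat -c %i "$1"; }   # inode of the name itself (symlinks are not followed)
nlink_of() { stat -c %h "$1"; }   # number of hard links pointing at the inode

link_demo() {
  local dir
  dir=$(mktemp -d) || return 1
  (
    cd "$dir" || exit 1
    printf 'v1\n' > original.txt
    ln original.txt hard.txt        # second directory entry for the same inode
    ln -s original.txt soft.txt     # separate inode whose content is a path

    if [ "$(inode_of original.txt)" = "$(inode_of hard.txt)" ]; then
      echo "hard link: same inode"
    fi
    if [ "$(inode_of original.txt)" != "$(inode_of soft.txt)" ]; then
      echo "soft link: own inode"
    fi
    echo "hard link count: $(nlink_of original.txt)"
    echo "soft link stores: $(readlink soft.txt)"

    rm original.txt                 # removes one name, not the data
    echo "hard link after rm: $(cat hard.txt)"
    if [ -L soft.txt ] && [ ! -e soft.txt ]; then
      echo "soft link after rm: dangling"
    fi

    # A new file created at the old path is seen through the symlink only.
    printf 'v2\n' > original.txt
    echo "soft link after re-create: $(cat soft.txt)"
    echo "hard link after re-create: $(cat hard.txt)"
  )
  rm -rf "$dir"
}

link_demo
```

Because a symbolic link is resolved by path every time it is opened, it follows whatever file currently occupies that path, while the hard link keeps the original data alive after the original name is removed.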
4. What is SSH? How can we connect to a remote server via SSH?
SSH (Secure Shell), as the name suggests, is a protocol used to securely connect to remote servers or systems and enables two systems to communicate. It is considered the most common way to access remote Linux servers. It transmits data over encrypted channels, so security is considered to be at a high level. To connect to a remote server via SSH, you need to own a domain name and IP address.
5. Name default ports used for DNS, SMTP, FTP, SSH, DHCP and squid.
Default ports used for various services are as follows:
| Service | Port |
|---|---|
| DNS | 53 |
| SMTP | 25 |
| FTP | 20 (Data transfer), 21 (Connection established) |
| SSH | 22 |
| DHCP | 67/UDP (dhcp server), 68/UDP (dhcp client) |
| squid | 3128 |
6. What are different network bonding modes used in Linux?
Different network bonding modes used in Linux are listed below:
- Mode-0 (balance-rr): It is the default mode and is based on round-robin policy. It offers features like fault tolerance and load balancing.
- Mode-1 (active-backup): It is based on an active-backup policy. In this, only one node responds or works at the time of failure of other nodes.
- Mode-2 (balance-xor): It sets an XOR (exclusive-or) mode for providing load balancing and fault tolerance.
- Mode-3 (broadcast): It is based on broadcast policy. It sets a broadcast mode for providing fault tolerance and can be used only for specific purposes.
- Mode-4 (802.3ad): It is based on IEEE 802.3ad standard also known as Dynamic Link Aggregation mode. It sets an IEEE 802.3ad dynamic link aggregation mode and creates aggregation groups that share the same speed and duplex settings.
- Mode-5 (balance-tlb): It is also known as Adaptive TLB (Transmit Load Balancing). It sets TLB mode for fault tolerance and load balancing. In this mode, traffic will be loaded based on each slave of the network.
- Mode-6 (balance-alb): It is also known as Adaptive Load Balancing. It sets ALB mode for fault tolerance and load balancing. It doesn’t need any special switch support.
7. What do you mean by Network bonding?
Network Bonding, also known as NIC Teaming, is a type of bonding that is used to connect multiple network interfaces into a single interface. It usually improves performance and redundancy simply by increasing network throughput and bandwidth.
8. Why are the /etc/resolv.conf and /etc/hosts files used?
/etc/resolv.conf: It is used to configure DNS name servers, as it contains the details of the nameserver, i.e., details of your DNS server. The DNS server is then used to resolve hostnames to IP addresses.
/etc/hosts: It is used to map or translate any hostname or domain name to its relevant IP address.
Linux Commands
1. What are Linux directory commands?
There are basically five Linux directory commands that are used to work with files and directories as given below:
- pwd: It stands for “print working directory”. This command is generally used to display the path of the present or current working directory.
  Syntax: $ pwd
- cd: It stands for “change directory”. This command is generally used to change the present working directory to the directory that we want to work on.
  Syntax: $ cd <path to new directory>
- ls: It stands for “list”. This command is generally used to show the full list of content of files and directories in the present working directory.
  Syntax: $ ls
- mkdir: It stands for “make directory”. This command generally allows users to create directories in Linux.
  Syntax: $ mkdir <name (and path if required) of new directory>
- rmdir: It stands for “remove directory”. This command is used to remove/delete each directory that is specified on the command line.
  Syntax: $ rmdir <name (and path if required) of directory>
2. Name the command used to review boot messages.
The command that is used to review boot messages is the “dmesg” command.
3. What do you mean by umask?
Umask, also known as the user file-creation mask, is a Linux command that sets the default permissions for new files and folders that you create. It is also used by other commands in Linux like mkdir, tee, touch, etc. that create files and directories.
Syntax: umask [-p] [-S] [mask]
Where,
[mask]: It represents the permission masks that you are applying.
[-S]: It displays the current mask as a symbolic value.
[-p]: It displays the current mask along with umask command thus allowing it to be copied and pasted as a future input.
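How a mask turns into concrete permissions is easiest to see by creating files under different masks. This is an added example, not part of the original article; it assumes GNU or BusyBox stat, and the three mask values are chosen here for illustration. The mask lists the permission bits that are removed from the mode a program requests (normally 666 for files and 777 for directories).

```bash
#!/usr/bin/env bash
# Added example: shows the effect of a umask on newly created files and directories.

# Create a new file or directory under the given mask and print its mode.
mode_under_umask() {            # usage: mode_under_umask MASK file|dir
  local mask=$1 kind=$2 dir mode
  dir=$(mktemp -d) || return 1
  mode=$(
    umask "$mask"               # set inside a subshell: the caller's umask is untouched
    if [ "$kind" = dir ]; then
      mkdir "$dir/new"
    else
      : > "$dir/new"
    fi
    stat -c %a "$dir/new"
  )
  rm -rf "$dir"
  printf '%s\n' "$mode"
}

# The same result computed by hand: requested mode AND NOT mask.
expected_mode() {               # usage: expected_mode MASK file|dir
  local mask=$1 kind=$2 base=0666
  if [ "$kind" = dir ]; then
    base=0777
  fi
  printf '%o\n' $(( base & ~0$mask & 0777 ))
}

# 022: group/others lose write; 027: others lose everything; 077: owner only.
for m in 022 027 077; do
  printf 'umask %s -> file %s, dir %s\n' \
    "$m" "$(mode_under_umask "$m" file)" "$(mode_under_umask "$m" dir)"
done

# Symbolic form of a mask, as printed by the -S option described above.
printf 'umask -S for 027: %s\n' "$(umask 027; umask -S)"
```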
4. What is pipe?
In Linux, a pipe is basically a form of redirection that is used to send the output of one command to another command for further processing. It simply takes the output from one command and uses it as an input for another. It provides asynchronous execution of commands with help of buffered I/O routines.
5. Which command is used to check the memory status?
The command used mostly to check memory status in Linux is “free”. Other commands that can be used are given below:
- “cat” command: It can be used to show or display Linux memory information. (cat /proc/meminfo)
- “vmstat” command: It can be used to report statistics of virtual memory.
- “top” command: It can be used to check the usage of memory.
- “htop” command: It can be used to find the memory load of each process.
6. Name the command that is used to check all the listening ports and services of your machine.
# netstat -ntlp
7. What is the pwd command?
“pwd” command is basically a command that is used to print the complete path of the current working directory starting from the root (/). Here, “pwd” stands for Print Working Directory. It is considered one of the most basic and most used commands in Linux. This command is usually a built-in shell command and is also available in different shells such as bash, ksh, zsh, bourne shell, etc.
8. Explain working of env command.
“env” command is basically a shell command that is used to print a list of current environmental variables. Here, “env” stands for the environment. It can also run another process in another environment without any modification of the current environment. It allows you to run programs in a modified environment. It is generally used by shell scripts to launch the correct interpreter. It can also be useful for checking if wrong environment variables prevent the application from starting during troubleshooting.
Example:
$ env
PYTHON_PIP_VERSION=9.0.1
HOME=/root
DB_NAME=test
PATH=/usr/local/bin:/usr/local/sbin
LANG=C.UTF-8
PYTHON_VERSION=3.4.6
PWD=/
DB_URI=mongodb://database:27017/test
9. What is the function of grep command?
Grep (Global regular expression print) is a command that is used to search globally for a string of characters in a specified file. The text search pattern is generally known as a regular expression. It simply makes use of pattern-based searching.
Syntax: grep [options] pattern [files]
Example: $ grep -c "linux" interview.txt
The above command will usually print the total count of the word “Linux” in the file “interview.txt”.
10. Which command is used to count the number of characters in a file?
The command that is used to count the number of characters in a file in Linux is “wc”. Here “wc” stands for word count. It is used to count the number of lines, words, and characters in a text file.
11. Which command is used to check the size of file or directory?
The command used to check the size of the file or directory is “du”. Here “du” stands for disk usage that is used to check information of disk usage of files and directories on a machine. It is also used to display files and directory sizes in a recursive manner.
Example:
$ du -sh /var/log/*
1.8M /var/log/anaconda
384K /var/log/audit
4.0K /var/log/boot.log
0 /var/log/chrony
4.0K /var/log/cron
4.0K /var/log/maillog
64K /var/log/messages
12. Which command is used to check the default run level?
The command used to check the default run level is “/etc/inittab”.
13. What is the ping command?
Linux ping (Packet Internet Groper) is a command that is used to check the connection status between source and destination. In simple words, this command is used to check whether a network is available and if the host is reachable. It can also be used to troubleshoot different connectivity issues, verify connectivity at an IP level to a second TCP/IP device, and check name resolution. One can use this command to test both the computer name and IP address of the computer.
14. What is netstat command?
netstat (Network statistics) is a networking tool used for troubleshooting and configuration and to display all network connections on a system. It simply provides a way to check whether various aspects of TCP/IP are working and what connections are present.
Linux vs Other OS
1. What is samba? Why is it required?
Samba is an open-source software suite. It runs on a number of different operating systems such as OpenVMS, IBM, etc. It is generally used to connect Linux machines to Microsoft network resources simply by providing Microsoft SMB support. It provides more secure, stable, fast file and print services for every client or user using the SMB (Server Message Block) or CIFS (Central Server Message Block) protocol.
2. What is the difference between BASH and DOS?
BASH (Bourne Again Shell): It is basically a powerful command shell and scripting language that is being developed from the Bourne shell used on UNIX systems. It runs on multiple OS and new features are added regularly. It can read and execute commands from a file known as a shell script.
DOS (Disk Operating System): It is basically an OS that runs from a hard disk drive. It was the first OS system used by IBM-compatible computers. It basically provides a command-line in which users are allowed to give instructions in the form of commands.
| BASH | DOS |
|---|---|
| In BASH, commands are case-sensitive. | In DOS, commands are not case-sensitive. |
| In this, the / character is the directory separator and \ acts as an escape character. | In this, \ is a directory separator and / acts as a command argument delimiter. |
| It can take input with its built-in “read” command. | It cannot take input during run time and one can only pass “/argument” during execution from the command line. |
3. Write difference between Linux and Unix.
Linux: It is an open-source and free-to-use Operating system that was first developed in 1991 by Linus Torvalds. It is specially designed to offer free and low-cost OS for personal computer users. It has very low hardware requirements and facilitates powerful support for networking. Different versions of Linux are known as variants.
Example: Red Hat, Android, etc.
Unix: It is a closed source OS derived from the original AT&T Unix and was first developed in the 1960s. It is not open source and is not free to use. It is generally capable of handling activities from multiple users at the same time. Furthermore, it is specially designed to be more portable, multi-user, and multitasking in a time-sharing configuration. Different versions of Unix are known as distros.
Example: HP-UX, Solaris, etc.

| Linux | Unix |
|---|---|
| It is mostly used for computer software and hardware, tablet PCs, mainframes, etc. | It is mostly used on web servers, workstations, mainframes, and PCs by Intel, HP, etc. |
| It can be used by everyone as it is freely available. | It can be used only by its copywriters who have access to it. |
| It is considered just the kernel. | It is considered a complete package of OS. |
| It supports more file systems than Unix and its file support system includes Ext2, Ext3, Xfs, FAT, etc. | It supports a lesser file system as compared to Linux and its file support system includes gpfs, hfs, jfs, etc. |
| Its source code is available to the general public. | Its source code is not available to the general public. |
| It is freely distributed and is free of cost. | It is not freely distributed and comes with a customized cost. |
| It is portable and can be executed on different hard drives. | It is non-portable. |
| Its installation does not require any specific hardware components. | Its installations require specific hardware components. |
| It is more compatible and flexible with different hardware systems available. | It is less compatible and flexible with different hardware systems as compared to Linux. |
| Its default shell is BASH. | Its default shell is Bourne Shell. |
Linux Admin Interview Questions
1. What is systemd? How do you manage services with systemctl? Explain unit file structure.
systemd is the init system and service manager used in most modern Linux distributions like RHEL, Ubuntu, and Debian. It runs as PID 1, meaning it is the first userspace process started by the kernel during boot. From there, it is responsible for starting services, managing dependencies, restarting failed processes, and handling the overall system state.
In day-to-day administration, most interactions with systemd happen through the systemctl command.
Some of the most commonly used operations are:
systemctl start nginx
systemctl stop nginx
systemctl restart nginx
systemctl status nginx
systemctl enable nginx
systemctl disable nginx
- start and stop affect the current running session only
- enable and disable control whether the service starts automatically during boot
One thing that catches people off guard quite often is that editing a unit file alone is not enough. systemd caches unit definitions, so after creating or modifying one, the configuration has to be reloaded manually:
systemctl daemon-reload
Without this, systemd may continue using the older configuration even though the file has already been updated on disk.
A systemd service is defined using a unit file, usually stored under /etc/systemd/system/. A basic unit file looks like this:
[Unit]
Description=My Application Service
After=network.target
[Service]
ExecStart=/usr/bin/myapp --config /etc/myapp/config.yml
Type=simple
Restart=on-failure
[Install]
WantedBy=multi-user.target
The file is generally divided into three sections:
- [Unit]: describes the service and its dependencies
- [Service]: defines how the process should start and behave
- [Install]: controls when the service should be activated during boot
For example, After=network.target ensures the network stack is available before the application starts, while Restart=on-failure automatically restarts the service if it crashes.
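The [Service] section also decides which account the process runs as: a system unit with no User= line, like the one above, starts its process as root. The following added example (not part of the original article) parses a unit file's sections and reports that and three missing sandboxing directives; the hardened variant, the "myapp" account and the finding labels are assumptions made for the example.

```bash
#!/usr/bin/env bash
# Added example: section-aware check of a unit file's [Service] settings.

# The unit file from the article, unchanged.
page_unit() {
cat <<'EOF'
[Unit]
Description=My Application Service
After=network.target
[Service]
ExecStart=/usr/bin/myapp --config /etc/myapp/config.yml
Type=simple
Restart=on-failure
[Install]
WantedBy=multi-user.target
EOF
}

# Constructed variant: same service with a dedicated account and sandboxing.
hardened_unit() {
cat <<'EOF'
[Unit]
Description=My Application Service
After=network.target
[Service]
ExecStart=/usr/bin/myapp --config /etc/myapp/config.yml
Type=simple
Restart=on-failure
# "myapp" is a hypothetical unprivileged account
User=myapp
NoNewPrivileges=yes
# strict mounts the file system read-only; a real service may need ReadWritePaths=
ProtectSystem=strict
PrivateTmp=yes
[Install]
WantedBy=multi-user.target
EOF
}

# Read a unit file on stdin and print one finding per line.
lint_unit() {
  awk '
    function trim(s)  { gsub(/^[ \t]+|[ \t]+$/, "", s); return s }
    function is_on(v) { v = tolower(v); return v == "yes" || v == "true" || v == "1" || v == "on" }
    /^[ \t]*([#;].*)?$/ { next }                  # blank lines and comments
    /^\[.+\]$/          { section = $0; next }    # [Unit], [Service], [Install]
    section == "[Service]" {
      eq = index($0, "=")
      if (eq > 1) svc[trim(substr($0, 1, eq - 1))] = trim(substr($0, eq + 1))
    }
    END {
      if (!("User" in svc) || svc["User"] == "root" || svc["User"] == "0")
        print "runs-as-root"
      if (!is_on(svc["NoNewPrivileges"]))
        print "no-NoNewPrivileges"
      ps = tolower(svc["ProtectSystem"])
      if (ps == "" || ps == "no" || ps == "false" || ps == "0" || ps == "off")
        print "no-ProtectSystem"
      if (!is_on(svc["PrivateTmp"]))
        print "no-PrivateTmp"
    }
  '
}

echo "article unit:";  page_unit | lint_unit
echo "hardened unit:"; hardened_unit | lint_unit
```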
systemd also replaces the older SysV runlevel model with named targets. Instead of numeric runlevels, it uses targets like:
- multi-user.target for non-graphical multi-user systems
- graphical.target for desktop environments
When troubleshooting services, logs are usually checked through journalctl:
journalctl -u nginx -f
journalctl -u nginx --since "1 hour ago"
The -f flag streams logs in real time, similar to tail -f, while --since helps isolate logs during a specific incident window.
In live systems, this is especially helpful during failed deployments or unexpected service restarts because the systemd logs often reveal whether the problem is related to dependency order, startup command failures, or services repeatedly crashing and restarting.
2. How do you manage users and groups in Linux? Explain useradd, usermod, passwd, and /etc/passwd format.
User and group management in Linux is handled through a set of command line tools that interact directly with the system's user database files. The most common operations cover creating users, modifying their properties, setting passwords, and controlling access.
Creating a new user with a home directory and a login shell is done with useradd:
useradd -m -s /bin/bash username
The -m flag creates the home directory, and -s sets the default shell. Once the user exists, a password is assigned using passwd username, which prompts for the new password and stores it in /etc/shadow rather than /etc/passwd.
Adding an existing user to a group is done with usermod:
usermod -aG groupname username
The -a flag appends the user to the group without removing them from existing groups. Omitting -a replaces all current group memberships, which is a common mistake worth knowing in interviews.
Every user on the system has an entry in /etc/passwd following this format:
username:x:UID:GID:comment:home_directory:shell
The x in the password field indicates that the actual password hash is stored in /etc/shadow, which is only readable by root. The /etc/group file follows a similar structure, mapping group names to their GID and member list.
For sudo access, users are granted privileges through /etc/sudoers, which should always be edited using visudo to prevent syntax errors that could lock out admin access. Accounts can be temporarily locked without deletion using usermod -L username, and password expiry policies are managed with the chage command, which controls how long a password remains valid before the user is forced to change it.
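The seven-field layout above is enough to audit an account database. The following added example (not part of the original answer) scans a passwd-format file for extra UID 0 accounts, empty password fields, hashes left in the passwd file, and system accounts with a login shell. The function names and sample entries are constructed, and the UID 1000 boundary for regular users is an assumption based on common distribution defaults.

```shell
#!/bin/sh
# Added example: audit a passwd-format file using the seven-field layout
# username:password:UID:GID:comment:home_directory:shell

# audit_passwd FILE
# Prints one finding per line in the form "<check>:<username>".
audit_passwd() {
    awk -F: '
        /^[ \t]*(#|$)/ { next }                        # skip comments and blank lines
        NF != 7 { print "malformed:" $1; next }        # every entry has exactly 7 fields
        $3 == 0 && $1 != "root" { print "uid0:" $1 }   # second superuser account
        $2 == "" { print "empty-password:" $1 }        # login needs no password
        $2 != "" && $2 != "x" && $2 != "*" && $2 !~ /^!/ {
            print "hash-in-passwd:" $1                 # hash readable by every user
        }
        # Assumption: regular users start at UID 1000 (see UID_MIN in /etc/login.defs)
        $3 > 0 && $3 < 1000 && $7 !~ /(nologin|false)$/ {
            print "system-login-shell:" $1
        }
    ' "$1"
}

# write_sample_passwd FILE
# Writes constructed sample entries (not taken from any real system).
write_sample_passwd() {
    cat > "$1" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
toor:x:0:0:backup admin:/root:/bin/bash
guest::1001:1001:Guest:/home/guest:/bin/bash
legacy:$6$CONSTRUCTED$notarealhash:1002:1002::/home/legacy:/bin/sh
svc:x:998:998:service:/var/lib/svc:/bin/bash
EOF
}

# Demo run on the constructed sample
sample=$(mktemp)
write_sample_passwd "$sample"
audit_passwd "$sample"
rm -f "$sample"
```

On a real system the same function can be pointed at /etc/passwd, which is world-readable.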
3. How does cron work in Linux? Explain crontab syntax with real examples.
cron is a background daemon used for running scheduled commands automatically at fixed intervals. In Linux systems, it is commonly used for tasks like backups, cleanup scripts, log rotation, and health checks.
Each user can maintain their own cron jobs using:
crontab -e
Every cron entry follows a five-field schedule format before the command itself:
minute hour day month weekday command
A typical example looks like this:
30 2 * * 0 /opt/backup.sh
This runs the backup script every Sunday at 2:30 AM.
For frequently used schedules, cron also supports shortcuts:
@reboot /opt/startup.sh
@daily /opt/cleanup.sh
@weekly /opt/weekly-report.sh
These are often easier to read and maintain than remembering the full five-field syntax for common intervals.
One thing worth remembering is that cron jobs run in a very minimal environment. Commands that work perfectly in an interactive shell may fail inside cron because expected environment variables or absolute paths are missing. This is one of the most common reasons cron jobs silently fail in production.
For long-running or important jobs, output is usually redirected into log files:
30 2 * * 0 /opt/backup.sh >> /var/log/backup.log 2>&1
Here:
- >> appends output instead of overwriting the file
- 2>&1 redirects errors into the same log file
This makes troubleshooting much easier later.
System-wide scheduled tasks are typically stored under /etc/cron.d/, while user-specific jobs remain inside individual crontabs.
When a cron job does not behave as expected, debugging usually starts with checking:
- /var/log/syslog on Debian-based systems
- journalctl -u cron on systemd-based distributions
In practice, most cron issues end up being related to incorrect paths, missing execution permissions, or scripts depending on environment variables that are available in a normal shell but not inside the cron execution context.
4. How do you control process resource limits in Linux? Explain ulimit and cgroups.
LVM (Logical Volume Manager) adds a flexible abstraction layer between physical disks and filesystems. Instead of working with fixed disk partitions directly, storage is organized in a way that allows volumes to be resized, extended, snapshotted, and managed much more easily.
This flexibility is the main reason LVM is heavily preferred in server environments where storage requirements change over time.
LVM works through three layers:
- Physical Volumes (PV) - actual disks or partitions
- Volume Groups (VG) - pooled storage created from one or more physical volumes
- Logical Volumes (LV) - virtual partitions carved out from the volume group
A basic setup looks like this:
pvcreate /dev/sdb
vgcreate vg0 /dev/sdb
lvcreate -L 20G -n lv0 vg0
mkfs.ext4 /dev/vg0/lv0
This creates:
- a physical volume from /dev/sdb
- a volume group called vg0
- a 20GB logical volume named lv0
- an ext4 filesystem on top of it
One of the biggest advantages of LVM is that storage can often be expanded online without taking applications offline.
For an ext4 filesystem, extending a logical volume usually involves two steps:
lvextend -L +10G /dev/vg0/lv0
resize2fs /dev/vg0/lv0
- lvextend increases the logical volume size
- resize2fs expands the filesystem to use the newly available space
For XFS filesystems, the resize command is different:
xfs_growfs /mountpoint
Another reason administrators prefer LVM is snapshot support. Before resizing, migrating, or performing filesystem-level changes, snapshots provide a rollback point in case something fails during the operation.
lvcreate -s -L 5G -n lv0-snapshot /dev/vg0/lv0
This creates a snapshot of the logical volume that can be used for recovery if the resize or migration process goes wrong.
LVM also supports thin provisioning, where logical volumes can be allocated more virtual space than physically exists. This is commonly used in virtualization and development environments where storage usage grows unpredictably over time.
Useful inspection commands include:
- pvdisplay - physical volume details
- vgdisplay - volume group information
- lvdisplay - logical volume status and size
In Linux, process resource limits are usually controlled using either ulimit or cgroups, but they operate at very different levels.
Here’s what you need to keep in mind:
- ulimit controls limits for a user session or shell
- cgroups enforce limits at the kernel level and are commonly used for containers and services
ulimit is the lighter and simpler mechanism. It is often used to control things like:
- maximum open files
- number of processes
- stack size
- memory limits for a user session
One of the most commonly adjusted settings in production systems is the open file descriptor limit:
ulimit -n 65536
This is especially important for applications like Nginx, databases, or proxies that may handle thousands of simultaneous connections.
By default, this change only affects the current shell session. To make it persistent, limits are usually configured in:
/etc/security/limits.conf
Example:
nginx soft nofile 65536
nginx hard nofile 65536
- the soft limit is applied by default
- the hard limit is the maximum value the user can raise it to without root access
Where ulimit starts becoming insufficient is large-scale or containerized workloads. This is where cgroups become much more important.
cgroups (control groups) enforce CPU, memory, and I/O limits directly through the kernel. Unlike ulimit, they apply consistently even if processes fork child processes or move across sessions.
Modern container platforms like Docker and Kubernetes rely heavily on cgroups underneath. Without them, one container consuming excessive CPU or memory could easily affect every other workload running on the same host.
For services managed through systemd, cgroup-based limits can be applied directly inside unit files:
[Service]
CPUQuota=50%
MemoryMax=512M
Here:
- CPUQuota=50% limits CPU usage
- MemoryMax=512M caps memory consumption
If the memory limit is exceeded, the kernel's OOM killer may terminate the process to protect the rest of the system from running out of memory entirely.
Modern Linux systems now default to cgroups v2, which replaces the older separate controller model with a unified hierarchy that is easier to manage and behaves more consistently across different resource types.
5. How do you manage Linux logs? Explain journald, rsyslog, and logrotate.
Linux logging is handled by a combination of three tools that cover collection, storage, and retention. Understanding how they work together is as important as knowing each one individually.
1. Journald - journald is the logging component of systemd. It collects log output from services, the kernel, and the boot process and stores everything in a binary format that is queryable through journalctl. The binary format allows filtering by time, service, priority, and other fields without needing text parsing tools:
journalctl -u nginx -f
journalctl -u nginx -n 100
journalctl -u nginx --since "1 hour ago"
-f follows the log in real time, -n 100 shows the last 100 lines, and --since filters by time window, which is particularly useful during incident investigation.
2. rsyslog - rsyslog is the traditional logging daemon that writes plain text log files to /var/log/. Common files include syslog for general system messages, auth.log for authentication events, and messages on RHEL-based systems. Because these are plain text files, standard tools like grep, awk, and sed work directly against them:
grep "Failed password" /var/log/auth.log
awk '/error/ {print $0}' /var/log/syslog
rsyslog also supports forwarding logs to a remote syslog server by adding a forwarding rule to its configuration, which is the standard approach for centralizing logs across multiple servers before an ELK stack or similar solution is in place.
3. logrotate - logrotate manages log file retention so that logs do not grow indefinitely and fill the disk. Each application gets a configuration file in /etc/logrotate.d/ that defines the rotation policy:
/var/log/nginx/*.log {
daily
rotate 14
compress
missingok
notifempty
}
This configuration rotates Nginx logs daily, keeps 14 copies, compresses old logs to save space, and skips rotation if the log file is empty. In production environments where log volume is high, logs are typically shipped to an ELK stack where Elasticsearch indexes them, Logstash processes and enriches them, and Kibana provides a queryable interface for searching and visualizing across all servers in one place.
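The grep for "Failed password" shown in the rsyslog part of this answer lists raw lines; during an investigation the more useful view is a count per source address. The following is an added example, not part of the original answer: the function names and the threshold default are assumptions, and the log lines are constructed in the usual sshd format.

```shell
#!/bin/sh
# Added example: summarise sshd "Failed password" events per source address.

# failed_logins_by_source FILE [THRESHOLD]
# Prints "<count> <source>" for each source with at least THRESHOLD failures
# (default 3), busiest first.
failed_logins_by_source() {
    awk -v threshold="${2:-3}" '
        /sshd\[[0-9]+\]: Failed password for / {
            # The user name is chosen by the client and may itself contain
            # " from ", so search from the end of the line for the last "from".
            for (i = NF; i > 1; i--) {
                if ($(i - 1) == "from") { count[$i]++; break }
            }
        }
        END {
            for (src in count)
                if (count[src] >= threshold) print count[src], src
        }
    ' "$1" | sort -k1,1nr -k2,2
}

# write_sample_authlog FILE
# Writes constructed auth.log lines (documentation address ranges only).
write_sample_authlog() {
    cat > "$1" <<'EOF'
May 10 03:12:01 web01 sshd[2211]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
May 10 03:12:03 web01 sshd[2211]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
May 10 03:12:06 web01 sshd[2213]: Failed password for root from 203.0.113.5 port 51240 ssh2
May 10 03:12:09 web01 sshd[2215]: Failed password for invalid user x from 10.0.0.1 from 203.0.113.5 port 51244 ssh2
May 10 03:14:40 web01 sshd[2290]: Failed password for alice from 198.51.100.7 port 40022 ssh2
May 10 03:14:52 web01 sshd[2290]: Accepted password for alice from 198.51.100.7 port 40022 ssh2
May 10 03:15:10 web01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/apt update
EOF
}

# Demo run on the constructed sample
authlog=$(mktemp)
write_sample_authlog "$authlog"
failed_logins_by_source "$authlog"
rm -f "$authlog"
```

The fourth sample line shows why the address is read from the end of the line: a user name containing " from 10.0.0.1" would otherwise be counted as the source.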
6. Explain Linux file permissions. What are SUID, SGID, and sticky bit?
Linux file permissions control what the owner, group, and all other users can do with a file or directory. Each of these three categories gets three permission bits: read, write, and execute, represented numerically as 4, 2, and 1 respectively. A permission like 755 means the owner has full read, write, and execute access while the group and others have read and execute only.
Setting permissions is done with chmod:
chmod 755 /opt/myapp/start.sh
This produces the permission string rwxr-xr-x, where the owner can read, write, and execute, and both the group and others can read and execute but not write.
Ownership is managed separately using chown and chgrp:
chown alice /opt/myapp/config.yml
chgrp developers /opt/myapp/config.yml
The first command transfers file ownership to the user alice and the second assigns it to the developers group.
Beyond the standard nine permission bits, Linux has three special permission bits that modify execution behavior.
SUID (4000) causes a file to execute with the permissions of the file owner rather than the user running it. The most common example is /usr/bin/passwd, which needs to write to /etc/shadow as root regardless of who invokes it:
chmod 4755 /usr/bin/passwd
SUID binaries are a security concern because any vulnerability in a SUID binary can be exploited to gain elevated privileges, so they should be audited regularly.
SGID (2000) on a file works similarly to SUID but applies the group owner's permissions during execution. On a directory, SGID causes all newly created files inside to inherit the directory's group rather than the creating user's primary group, which is useful for shared project directories:
chmod 2755 /opt/shared-project
Sticky bit (1000) is most commonly seen on /tmp. When set on a directory, it restricts file deletion so that only the file owner can delete their own files, even if other users have write access to the directory:
chmod +t /tmp
The umask value controls the default permissions assigned to newly created files and directories by subtracting from the maximum permission. A umask of 022 means new files get 644 and new directories get 755 by default.
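One way to run the regular SUID audit mentioned above is to list every set-id file and compare the result with a reviewed baseline. This is an added example, not part of the original answer; the function names, the one-path-per-line baseline format, and the demo tree built under a temporary directory are assumptions.

```shell
#!/bin/sh
# Added example: find SUID/SGID files and report the ones missing from a baseline.

# list_setid DIR
# Prints every regular file under DIR that has the SUID (4000) or SGID (2000)
# bit set, one path per line, sorted. -xdev keeps the walk on one filesystem.
list_setid() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null | sort
}

# unexpected_setid DIR BASELINE
# Prints set-id files under DIR that are not listed in BASELINE.
# BASELINE holds one absolute path per line and is matched literally.
unexpected_setid() {
    list_setid "$1" | grep -vxFf "$2" || true
}

# build_demo_tree
# Creates a constructed directory tree with two SUID files, one ordinary file
# and a baseline that approves only one of the SUID files. Prints its path.
build_demo_tree() {
    tree=$(mktemp -d)
    mkdir -p "$tree/usr/bin" "$tree/opt/tools"
    : > "$tree/usr/bin/passwd";   chmod 4755 "$tree/usr/bin/passwd"
    : > "$tree/opt/tools/helper"; chmod 4755 "$tree/opt/tools/helper"
    : > "$tree/usr/bin/ls";       chmod 0755 "$tree/usr/bin/ls"
    printf '%s\n' "$tree/usr/bin/passwd" > "$tree/baseline.txt"
    printf '%s\n' "$tree"
}

# Demo run: only the helper that is absent from the baseline is reported
demo=$(build_demo_tree)
unexpected_setid "$demo" "$demo/baseline.txt"
rm -rf "$demo"
```

On a real host the starting directory would be / and the baseline a reviewed list kept under change control, so that any new set-id file shows up as a difference.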
Linux Networking Interview Questions
1. What Linux commands would you use to diagnose high network latency or packet loss?
Diagnosing latency and packet loss usually starts with basic connectivity checks and then moves gradually toward deeper network analysis if the issue is not obvious from the initial results.
The starting point is ping with a high packet count to get a statistically meaningful measurement of packet loss and round-trip time:
ping -c 100 <target-host>
A small number of dropped packets across 100 pings points to an unstable network path. When packet loss is confirmed, mtr identifies exactly where in the routing path it is occurring by showing per-hop latency and loss in real time:
mtr <target-host>
If the path looks clean but throughput is still poor, iperf3 measures the actual available bandwidth between two servers, which distinguishes a latency problem from a bandwidth saturation problem:
iperf3 -c <target-host>
When the issue is not visible at the routing level, tcpdump captures raw packets for deeper analysis in Wireshark:
tcpdump -i eth0 -w capture.pcap host <target-ip>
The capture file reveals retransmissions, out-of-order packets, and TCP window issues that explain latency at the connection level without being visible through ping or mtr.
ss -s gives a socket summary that shows receive buffer overflows, which indicate the application is not consuming incoming data fast enough and the kernel is dropping packets at the socket level rather than the network level. For NIC-level issues, /proc/net/dev shows interface error and drop counters, and ethtool surfaces hardware-level statistics like duplex mismatches or excessive collisions that would not appear in any of the above tools.
The easiest way to distinguish network latency from application latency is by comparing basic network response times with actual application response times. If ping responses are normal but requests to the application are still slow, the delay is usually happening inside the application or backend services rather than in the network itself.
2. What are Linux network namespaces? How do containers use them?
A network namespace is a kernel feature that creates a completely isolated copy of the network stack, including its own network interfaces, routing tables, iptables rules, and sockets. Processes running inside a namespace see only the network resources that belong to it, with no visibility into interfaces or connections in other namespaces or the host.
Creating and inspecting namespaces manually is done through the ip netns commands:
ip netns add myns
ip netns exec myns ip addr show
ip netns exec myns ping 8.8.8.8
The first command creates a new namespace. The second and third run commands inside it: ip addr show lists only the interfaces that exist within that isolated network stack, and ping sends traffic from inside the namespace.
Every Docker container gets its own network namespace by default, which is what provides network isolation between containers. The container sees only a single virtual ethernet interface called eth0 inside its namespace, with no awareness of other containers or the host network. Communication between the container namespace and the host is established through a veth pair, which is a virtual cable with one end inside the container namespace and the other end connected to the docker0 bridge on the host. The host bridge then handles routing between containers and outbound traffic to the external network.
In Kubernetes, every pod gets its own network namespace shared across all containers in that pod, which is why containers within the same pod can communicate over localhost. Networking across nodes and pods is handled by CNI plugins. Flannel creates an overlay network that routes pod traffic across nodes, while Calico uses BGP-based routing with network policy enforcement, giving teams control over which pods can communicate with each other at the network level.
3. How would you troubleshoot a network connectivity issue between two Linux servers?
Network connectivity issues are usually easier to troubleshoot when checked layer by layer, starting from basic network connectivity before moving toward services and applications. This helps eliminate lower-level problems early instead of spending time debugging issues higher up the stack.
Step 1: Verify the network interface is up
The first check confirms the network interface exists, is in an UP state, and has the expected IP address assigned:
ip addr show
Step 2: Test Layer 3 reachability
If the interface looks correct, ping tests whether the destination host is reachable at the IP level:
ping -c 4 <target-host>
Packet loss or no response here points to a routing or firewall issue rather than an application problem.
Step 3: Trace the routing path
When ping fails or shows intermittent loss, mtr combines traceroute and ping to show the full routing path and per-hop packet loss in real time:
mtr <target-host>
This identifies exactly which hop in the path is dropping packets.
Step 4: Test TCP port connectivity
Once Layer 3 is confirmed reachable, testing whether a specific TCP port is open rules out firewall blocks at the destination:
nc -zv <target-host> 443
Step 5: Check DNS resolution
If the connection uses a hostname rather than an IP, verifying DNS resolution is the next step:
dig +short <hostname>
A missing or incorrect DNS record here explains connectivity failures that only affect hostname-based connections.
Step 6: Test at the HTTP layer
For web services, curl tests the full HTTP stack, including TLS handshake and response codes:
curl -v https://<target-host>
Step 7: Capture packets
When all previous steps pass, but the application still cannot connect, tcpdump captures the actual packets to reveal what is happening at the wire level:
tcpdump -i eth0 host <target-ip>
Alongside these checks, ip route show helps verify that the system has a valid route to the destination, while reviewing iptables rules on both servers helps rule out local firewall issues. In containerized setups and VPN networks, MTU mismatches are also a common cause of strange connectivity problems. In those cases, smaller packets may work normally while larger ones get dropped silently, which can often be confirmed using commands like ping -s 1400 <host>.
4. What is SSH tunneling? Explain local, remote, and dynamic port forwarding with use cases.
SSH tunneling carries arbitrary TCP traffic, encrypted, through an existing SSH connection, allowing services that are not directly accessible to be reached securely without setting up a VPN or opening additional firewall ports. There are three types of port forwarding, each serving a different direction of access.
Local Port Forwarding
Local forwarding makes a remote service accessible on a local port. A common use case is accessing a database sitting behind a bastion host that is not directly reachable from your machine:
ssh -L 5432:db-server:5432 user@bastion-host
After running this command, connecting to localhost:5432 on your machine transparently routes the connection through the bastion host to the database server, as if the database were running locally.
Remote Port Forwarding
Remote forwarding works in the opposite direction, exposing a service running locally to a remote server. This is commonly used to expose a local webhook endpoint for testing against an external service:
ssh -R 9090:localhost:3000 user@remote-server
Anyone connecting to port 9090 on the remote server is forwarded to port 3000 on your local machine through the SSH tunnel.
Dynamic Port Forwarding
Dynamic forwarding creates a SOCKS5 proxy on the local machine that routes all traffic through the SSH connection, rather than forwarding a single port to a fixed destination:
ssh -D 1080 user@remote-server
Once the proxy is running, configuring a browser or application to use localhost:1080 as a SOCKS5 proxy routes all its traffic through the remote server, which is useful for accessing internal networks or bypassing network restrictions entirely.
5. How does iptables work in Linux? Explain tables, chains, and write a basic firewall rule.
iptables is the traditional Linux firewall tool that filters network packets by passing them through a series of tables and chains, evaluating rules top-to-bottom until a match is found. Understanding the relationship between tables and chains is the foundation of working with iptables effectively.
Tables group chains by their purpose. The filter table is the default and handles the decision of whether to allow or drop packets. It contains three built-in chains: INPUT for packets destined for the local system, OUTPUT for packets originating from it, and FORWARD for packets being routed through the system. The nat table handles address translation and contains PREROUTING and POSTROUTING chains that modify packets before and after routing decisions are made. The mangle table is used for specialized packet alteration.
A basic firewall configuration that allows SSH, permits established connections, and drops everything else looks like this:
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -P INPUT DROP
The first rule accepts incoming TCP connections on port 22. The second uses stateful matching to allow packets belonging to already established connections, which is essential for allowing response traffic back in without explicitly opening every outbound port. The third sets the default policy for the INPUT chain to DROP, meaning any packet that does not match an earlier rule is silently discarded.
When a rule uses RETURN, processing jumps back to the calling chain rather than continuing through the current one, which is useful for organizing rules into custom chains.
nftables is the modern successor to iptables, offering better performance and a cleaner syntax. firewalld sits on top of either nftables or iptables as a higher-level management layer, providing zone-based firewall management without requiring direct rule manipulation.
6. What is the difference between netstat and ss in Linux? Which should you use?
ss is the modern replacement for netstat and should be the default choice on any current Linux system. While netstat reads network information from /proc filesystem files, ss reads directly from the kernel, making it significantly faster and more accurate, particularly on systems with thousands of active connections. netstat is deprecated and not installed by default on most modern distributions.
The most commonly used ss command is:
ss -tulnp
This shows all TCP and UDP listening sockets along with the process name and PID responsible for each one, which is the fastest way to identify what process is bound to a specific port.
ss -s
ss -tp state established
ss -s gives a summary of connection counts across all states. ss -tp state established filters to only active established connections. During high-traffic incidents, checking for TIME_WAIT accumulation is important since a large number of sockets stuck in TIME_WAIT indicates connections are being closed faster than the kernel can reclaim them, which can exhaust available ports under sustained load.
Linux OS Interview Questions
1. What is the difference between a process and a thread in Linux? How does fork() work?
The biggest difference between processes and threads is whether memory is shared or isolated.
A process runs independently with its own memory space, file descriptors, and system resources. One process cannot directly access another process’s memory, which is what gives processes strong isolation.
Threads are lighter. Multiple threads inside the same process share the same memory space and resources while still having their own stack and CPU state.
Because threads share memory directly, communication between them is faster than communication between separate processes. This is why multithreaded applications are commonly used for web servers, databases, and parallel workloads. The downside is that shared memory also increases the risk of race conditions if synchronization is not handled properly.
In Linux, both processes and threads are created internally using the clone() system call. The difference mainly comes from which resources are shared and which are kept separate.
fork() is used to create a new process.
When a process calls fork(), the kernel creates a child process that initially looks almost identical to the parent. Linux uses a technique called copy-on-write here. Instead of copying all memory immediately, the parent and child temporarily share the same physical memory pages until one of them modifies the data.
This keeps fork() relatively fast even when the parent process has a large memory footprint.
After fork(), the child process often calls exec() to replace itself with an entirely different program. This fork() + exec() pattern is how Linux typically launches new applications and shell commands.
Two terms that often come up in interviews are:
- Zombie process - a process that has finished execution but whose exit status has not yet been collected by the parent
- Orphan process - a child process whose parent exited before it did
Linux automatically reassigns orphan processes to init or systemd, which later cleans them up properly.
2. Explain virtual memory in Linux. What are paging, page tables, and the TLB?
Every Linux process runs with its own virtual address space instead of directly accessing physical RAM. The kernel manages the mapping between virtual memory and physical memory in the background.
You usually notice virtual memory behavior more clearly when a system starts running low on RAM. Heavy swap usage, rising I/O wait, or applications suddenly becoming slow are common signs of memory pressure.
Linux manages memory using paging.
Here’s the difference:
| Term | Role |
|---|---|
| Paging | Divides memory into fixed-size pages, usually 4KB |
| Page Tables | Store mappings between virtual memory and physical RAM |
| TLB | Caches recent address translations to avoid repeated page table lookups |
Not every memory page needs to stay in RAM at all times. Linux can move less active pages out of physical memory when space is needed elsewhere.
When a process tries to access data that is not currently loaded in RAM, a page fault occurs. The kernel then loads the required page into memory and updates the page table before execution continues.
If RAM starts filling up, Linux may move inactive pages into swap space on disk. Since disk access is much slower than RAM, excessive swapping usually causes noticeable slowdowns and high I/O wait.
Checking swap usage is often one of the first troubleshooting steps during memory-related performance issues.
Page table lookups are relatively expensive, so CPUs use a small cache called the TLB (Translation Lookaside Buffer) to store recently used address translations.
- a TLB hit means the mapping is already cached
- a TLB miss means the CPU has to check the page table again
Frequent TLB misses increase memory access overhead, especially on memory-intensive workloads.
Linux also supports huge pages, which use larger page sizes like 2MB instead of 4KB. Larger pages reduce the number of page table entries and TLB lookups needed, which can improve performance for databases, virtualization systems, and large-memory applications.
System memory information can be checked through:
/proc/meminfo
This includes RAM usage, swap usage, cached memory, and other memory statistics useful during troubleshooting.
3. How does the Linux Completely Fair Scheduler (CFS) work?
CFS (Completely Fair Scheduler) is the default CPU scheduler in Linux. It decides which runnable process gets CPU time next.
Instead of relying on fixed CPU slices, CFS keeps track of how much CPU time processes are already getting and tries to balance execution between them.
Linux tracks this using vruntime. A process that has used less CPU time usually ends up with a lower vruntime, so it gets scheduled sooner than processes that have already run heavily.
You notice this behavior more clearly on systems running multiple CPU-heavy workloads together. Without fair scheduling, one busy process could dominate CPU time while others remain stuck waiting.
Runnable processes are organized in a red-black tree sorted by vruntime. The scheduler usually picks the process with the lowest value next.
Priority is adjusted using nice values:
- -20 - higher priority
- 19 - lower priority
Higher-priority processes accumulate vruntime more slowly, which means they get CPU access more frequently.
Linux also supports real-time schedulers like SCHED_FIFO and SCHED_RR, which run ahead of normal CFS tasks whenever they are active.
CFS also works underneath container CPU limits. Docker and Kubernetes use cgroups to restrict how much CPU time containers are allowed to consume.
4. What is the Linux kernel? Explain the difference between kernel space and user space.
The Linux kernel handles core system operations like memory management, process scheduling, hardware communication, filesystems, and networking. Applications cannot directly interact with hardware, so requests like reading files, sending network data, or allocating memory go through the kernel.
Linux divides execution into two areas: user space and kernel space.
Applications such as browsers, databases, editors, and web servers run in user space. These programs have restricted access and cannot directly access hardware or protected system memory. If one application crashes, the failure is usually limited to that process.
Kernel space has full access to memory, CPU instructions, and hardware devices. Because of this, issues inside kernel space are much more serious. A faulty driver or kernel module can crash the entire operating system.
When a user space application needs something from the system, it makes a system call. The CPU switches execution into kernel space, the operation is completed, and execution returns to the application.
Too many system calls can affect performance. For example, calling read() one byte at a time creates thousands of unnecessary transitions between user space and kernel space. Buffered I/O reduces this overhead by reading larger chunks of data at once instead of repeatedly requesting very small reads.
At the CPU level, this separation is enforced using privilege rings:
- kernel space runs at ring 0
- user space runs at ring 3
This isolation is one reason Linux systems remain stable even when individual applications fail.
Linux Scenario-Based Interview Questions
1. Find all processes consuming more than 1GB RAM and kill them, write the commands.
The first step is identifying which processes are consuming more than 1GB of RAM before sending any signals. ps aux sorted by RSS memory usage with an awk filter handles this cleanly:
ps aux --sort=-rss | awk 'NR>1 && $6 > 1048576 {print $2, $11}'
RSS is measured in kilobytes, so 1048576 represents 1GB. This prints the PID and process name for every process exceeding that threshold, giving a clear picture of what needs to be killed before touching anything.
The correct approach is always to send SIGTERM first, which gives the process a chance to clean up open file handles and flush buffers before exiting:
ps aux | awk '$6 > 1048576 {print $2}' | xargs -r kill -15xargs -r ensures the kill command is not run at all if no processes match, which prevents errors when the filter returns nothing. After waiting a few seconds, verifying whether the processes have exited is the next step. If any are still running, escalating to SIGKILL forces immediate termination without any cleanup:
ps aux | awk 'NR>1 && $6 > 1048576 {print $2}' | xargs -r kill -9
For deeper inspection of a specific process, /proc/<pid>/status shows the VmRSS field, which gives the exact physical memory consumption at that moment. When processes are being killed by the kernel rather than manually, dmesg shows the OOM killer logs, including which process was selected for termination and why.
To prevent recurrence in production, setting MemoryMax in the service's systemd unit file caps physical memory consumption at the kernel level before it reaches a point where manual intervention is needed.
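The SIGTERM-first sequence from this answer as one script, with the wait and the survivor check made explicit. This is an added example, not part of the original answer; the function names, THRESHOLD_KB, GRACE_SECONDS and the --run switch are assumptions of the sketch, and is_alive reads /proc so that zombies are not counted as survivors.

```shell
#!/bin/sh
# Added example: SIGTERM first, SIGKILL only for what survives the grace period.
# THRESHOLD_KB, GRACE_SECONDS and the function names are chosen for this sketch.
THRESHOLD_KB=${THRESHOLD_KB:-1048576}   # 1 GB in KB, the unit ps reports RSS in
GRACE_SECONDS=${GRACE_SECONDS:-5}

# Read `ps aux` text on stdin; print PIDs whose RSS (column 6) exceeds $1 KB.
# NR > 1 skips the header row, $6 + 0 forces a numeric comparison.
pids_over_threshold() {
    awk -v limit="$1" 'NR > 1 && ($6 + 0) > limit { print $2 }'
}

# True while the PID exists and is not a zombie (state follows "(comm) " in stat).
is_alive() {
    [ -r "/proc/$1/stat" ] || return 1
    { read -r stat_line < "/proc/$1/stat"; } 2>/dev/null || return 1
    stat_line=${stat_line##*") "}
    [ "${stat_line%% *}" != "Z" ]
}

# SIGTERM every PID given, poll for up to GRACE_SECONDS, then SIGKILL survivors.
# Prints the PIDs that had to be force-killed, one per line.
terminate_gracefully() {
    for pid in "$@"; do kill -TERM "$pid" 2>/dev/null || true; done
    waited=0
    while [ "$waited" -lt "$GRACE_SECONDS" ]; do
        remaining=0
        for pid in "$@"; do
            if is_alive "$pid"; then remaining=1; fi
        done
        [ "$remaining" -eq 0 ] && return 0
        sleep 1
        waited=$((waited + 1))
    done
    for pid in "$@"; do
        if is_alive "$pid"; then
            kill -KILL "$pid" 2>/dev/null || true
            echo "$pid"
        fi
    done
}

# Act on the live system only when invoked with --run.
if [ "${1:-}" = "--run" ]; then
    terminate_gracefully $(ps aux | pids_over_threshold "$THRESHOLD_KB")
fi
```

Any PID printed by terminate_gracefully ignored SIGTERM for the whole grace period, which is worth recording before the process is restarted.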
2. How would you set up passwordless SSH between two Linux servers securely?
Passwordless SSH relies on asymmetric key authentication where the source server holds a private key and the target server holds the corresponding public key. The first step is generating a key pair on the source server. ed25519 is the preferred algorithm over RSA because it produces smaller keys with stronger security:
ssh-keygen -t ed25519 -C "your@email.com"
The public key is then copied to the target server using ssh-copy-id, which handles appending it to the correct file automatically:
ssh-copy-id -i ~/.ssh/id_ed25519.pub user@target-host
File permissions on the target server are critical and SSH will silently refuse key authentication if they are wrong. The .ssh directory must be set to 700 and authorized_keys must be set to 600, both owned by the user.
For managing multiple servers, defining host aliases in ~/.ssh/config avoids typing full hostnames and usernames repeatedly:
Host prod-db
    HostName 10.0.1.50
    User ubuntu
    IdentityFile ~/.ssh/id_ed25519
For multi-hop access through a bastion host, ProxyJump handles the chain transparently:
Host internal-server
    ProxyJump bastion-host
Once key authentication is confirmed working, password authentication should be disabled in /etc/ssh/sshd_config on the target server by setting PasswordAuthentication no and reloading the SSH daemon. This eliminates password brute-force attacks entirely, since only clients with a valid private key can authenticate.
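A check for the two conditions this answer depends on, the 700/600 modes with the right owner and the PasswordAuthentication value sshd will use, written as an added example rather than anything from the original page. It assumes GNU stat; the function names and arguments are hypothetical, and the config reader covers only the global section of one file without following Include.

```shell
#!/bin/sh
# Added example: verify what the answer above requires on the target server.
# Function names and arguments are assumptions of this sketch.

# Print one line per problem under HOME_DIR/.ssh; return 1 if any was found.
# Expected values are the ones stated in the answer: 700, 600, owned by the user.
audit_ssh_perms() {
    home_dir=$1 want_uid=$2 problems=0
    for spec in ".ssh:700" ".ssh/authorized_keys:600"; do
        path="$home_dir/${spec%%:*}"
        want_mode=${spec##*:}
        if [ ! -e "$path" ]; then
            echo "MISSING $path"; problems=1; continue
        fi
        mode=$(stat -c %a "$path")    # GNU stat: octal permission bits
        uid=$(stat -c %u "$path")     # GNU stat: numeric owner
        if [ "$mode" != "$want_mode" ]; then
            echo "MODE $path is $mode, expected $want_mode"; problems=1
        fi
        if [ "$uid" != "$want_uid" ]; then
            echo "OWNER $path is uid $uid, expected $want_uid"; problems=1
        fi
    done
    return "$problems"
}

# Print the global PasswordAuthentication value from one sshd_config file.
# sshd keeps the first value it reads for a keyword, so a later "no" does not
# override an earlier "yes". Lines after the first Match are conditional and
# skipped. Prints "yes" (the sshd default) when the keyword is absent.
password_auth_setting() {
    awk '
        /^[ \t]*#/ { next }
        tolower($1) == "match" { exit }
        tolower($1) == "passwordauthentication" { print tolower($2); found = 1; exit }
        END { if (!found) print "yes" }
    ' "$1"
}
```

On a live host, `sshd -T` run as root prints the effective configuration after all includes are resolved, which is the authoritative check once the file-level one passes.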
3. A disk is 100% full on a production Linux server. What are your immediate steps?
When a production server runs out of disk space, the first priority is figuring out which partition is full and what is consuming the storage.
df -h
du -sh /* | sort -rh
df -h shows disk usage across all mounted partitions. du -sh ranked by size points to the largest directories immediately. Once the general area is identified, large log files are the most common culprit:
find /var/log -size +100M
Before deleting anything, checking for files that are deleted but still holding space is critical. When a file is removed with rm while a process still has it open, the inode is not released and the space is not reclaimed until that process closes the file descriptor. lsof +L1 surfaces these hidden space consumers:
lsof +L1
For files that are actively being written to and cannot be closed, the safe way to free space without stopping the process is truncating the file in place rather than deleting it:
> /var/log/application.log
This empties the file while keeping the file descriptor valid so the writing process continues without errors.
For immediate space recovery, compressing large logs with gzip, clearing /tmp, and removing old application artifacts usually recovers enough room to stabilize the server. The long-term fix depends on the root cause: configuring logrotate if logs are the issue, extending the LVM logical volume if the partition is genuinely undersized, or mounting additional storage for directories with unpredictable growth.
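The deleted-but-open case from this answer, shown with /proc alone for hosts where lsof is not installed. This is an added example, not part of the original answer; list_deleted_open and truncate_open_fd are names chosen here, and truncating through /proc/<pid>/fd extends the in-place truncation above to a file whose path is already gone.

```shell
#!/bin/sh
# Added example: find and reclaim deleted-but-open files using /proc only.
# Function names are chosen for this sketch.

# For each PID given (default: every PID in /proc), print "PID FD SIZE_BYTES PATH"
# for every descriptor whose target has been unlinked.
list_deleted_open() {
    [ "$#" -gt 0 ] || set -- $(ls /proc | grep -E '^[0-9]+$')
    for pid in "$@"; do
        for fd in /proc/"$pid"/fd/*; do
            target=$(readlink "$fd" 2>/dev/null) || continue
            case $target in
                /*" (deleted)")
                    # stat -L follows the /proc link to the still-allocated inode
                    size=$(stat -L -c %s "$fd" 2>/dev/null) || continue
                    echo "$pid ${fd##*/} $size ${target% (deleted)}" ;;
            esac
        done
    done
}

# Truncate the file behind PID's descriptor FD without closing it.
# Needs the same user as the process, or root. A writer that did not open the
# file in append mode keeps its old offset, so the file can come back sparse.
truncate_open_fd() {
    : > "/proc/$1/fd/$2"
}
```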
4. A Linux server is running slow and load average is high. Walk through your diagnostic process.
A high load average only tells you that the system is under pressure somewhere. Since load average includes both actively running processes and processes stuck waiting on resources, the investigation starts with figuring out what the system is actually waiting on.
Step 1: Get an immediate overview
top or htop gives the first useful signal. The key things to look at are the CPU usage breakdown and the load average across the three time windows:
top
If %us (user CPU) is high, the bottleneck is computation. If %wa (I/O wait) is high, processes are spending most of their time waiting for disk reads or writes. The three load average numbers represent the 1, 5, and 15 minute windows. A load that is high at 1 minute but lower at 15 minutes indicates a recent spike. A load that is consistently high across all three windows indicates a sustained problem.
Step 2: Check the run queue and swap
vmstat gives a broader picture of system activity over time:
vmstat 1 5
The r column shows how many processes are waiting for CPU time. When r consistently exceeds the number of CPU cores, the system is CPU-saturated. The si and so columns show swap-in and swap-out activity. Active swapping is a strong signal of memory pressure and will cause severe performance degradation.
Step 3: Investigate disk I/O
If I/O wait was high in the previous step, iostat narrows it down to specific devices:
iostat -x 1 5
The await column shows the average time per I/O request in milliseconds and %util shows how busy the device is. A %util consistently near 100% means the disk is saturated and cannot keep up with demand.
Step 4: Identify which process is causing I/O
iotop shows per-process disk read and write rates in real time, making it straightforward to identify which process is responsible for the disk activity:
iotop
Step 5: Check memory pressure
free -h
If available memory is near zero and swap usage is growing, the system is memory-starved. Processes are being pushed to swap, which is orders of magnitude slower than RAM and amplifies I/O wait significantly.
Step 6: Profile the specific process
Once the offending process is identified, strace shows the system calls it is making in real time, revealing whether it is stuck on disk reads, network calls, or lock contention:
strace -p <pid>
For CPU-bound processes, perf top shows which functions are consuming the most CPU cycles, pointing directly at the code path causing the bottleneck without requiring a full profiling setup.
Conclusion
Linux, like Windows, iOS, and Mac, is an operating system, and it helps one make use of old and outdated computer systems as a firewall, router, backup server, etc. It makes computer systems more secure than Windows and does not require any use of antivirus programs. It is becoming increasingly popular as the OS for servers because it comes with the capabilities to heavily encrypt and protect all of a computer's data. The questions above, along with their answers, are all important Linux questions that were recently asked in interviews. They will give you a better understanding of all the important topics related to Linux and will help you crack the interviews.
Linux Interview MCQs
Name file system that is used to access remote systems.
Which of the following modems is not compatible with Linux?
Name command that is used to remove files.
Which of the following vi commands is generally used to delete the current line?
Which of the following is the default shell normally used on the Linux system?
Maximum size (in bytes) of the filename in Linux can be?
Name the directory that contains configuration files in Linux.
Name the command that can be used to copy files across systems.
Which TCP/IP protocol is generally used for remote terminal connection service?
Which out of the following type of file system is used for Linux Systems?
Name command that is commonly used to record sessions in Linux.
What should be the first line of shell script?
Name the person who developed Linux.
Name command that can immediately shutdown a computer running Linux.
Name the Operating System that is not based on Linux.