Linux Interview Questions
A comprehensive collection of 50+ Linux interview questions spanning beginner to advanced levels. Each answer includes practical context and relevant commands.
Beginner Level (Questions 1-15)
1. What is Linux?
Linux is a free, open-source, Unix-like operating system kernel created by Linus Torvalds in 1991. It manages hardware resources and allows software to run on computers. When combined with GNU utilities and tools, it forms a complete operating system (GNU/Linux). Linux powers servers, desktops, embedded systems, and billions of devices worldwide.
2. What is the difference between a kernel and an operating system?
A kernel is the core component that manages hardware resources (CPU, memory, I/O) and facilitates communication between software and hardware. An operating system (OS) is a complete software system that includes the kernel plus utilities, libraries, shells, and applications. Think of the kernel as the engine and the OS as the entire vehicle.
3. Name some popular Linux distributions.
Popular distributions include Ubuntu (user-friendly, based on Debian), CentOS/RHEL (enterprise, rpm-based), Fedora (cutting-edge, rpm-based), Debian (stable, deb-based), Arch (minimalist, rolling release), and Alpine (lightweight, container-focused). Each has different package managers, release cycles, and target audiences.
4. Explain the Linux filesystem hierarchy.
The Linux filesystem uses a hierarchical tree structure starting from the root directory (/). Key directories include /bin (essential binaries), /home (user home directories), /etc (configuration files), /var (variable data like logs), /tmp (temporary files), /opt (optional software), and /usr (user programs and data). All files and directories follow this standard (FHS).
5. What does the ls command do and what are common options?
The ls command lists files and directories in a directory. Common options include -l (long format showing permissions and details), -a (show all files including hidden ones starting with .), -h (human-readable file sizes), -R (recursive listing of subdirectories), and -t (sort by modification time).
6. Explain the cd, pwd, and cp commands.
The cd command changes the current directory (cd ~ goes to home, cd .. goes up one level). The pwd command prints the working directory path. The cp command copies files or directories (cp file1 file2 creates a copy, cp -r dir1 dir2 recursively copies directories).
7. What does the mv command do and how is it different from cp?
The mv command moves or renames files and directories. Unlike cp which creates a copy, mv removes the original file after moving it. Syntax: mv oldname newname (rename) or mv file /path/ (move to directory). If moving across filesystems, the original file is deleted after copying.
8. What does the rm command do and why should you be careful with it?
The rm command permanently deletes files and directories. Use rm filename to delete a file, rm -r directory to delete a directory recursively, and rm -f to force deletion without prompting. Be careful because deleted files cannot be easily recovered; consider using rm -i (interactive mode) to confirm each deletion.
9. Explain file permissions (chmod and chown).
File permissions in Linux are represented as rwx (read, write, execute) for owner, group, and others. The chmod command changes permissions numerically (chmod 755 file means rwxr-xr-x) or symbolically (chmod u+x file). The chown command changes ownership (chown user:group file). Use ls -l to view current permissions.
10. What is the difference between soft links and hard links?
A soft link (symbolic link) is a shortcut to a file or directory, created with ln -s original link. It contains a reference to the original path and breaks if the original is deleted. A hard link is created with ln original link and points directly to the same inode. Hard links cannot span filesystems and don't work for directories.
11. What is the root user and why is it powerful?
The root user (UID 0) is the superuser with unlimited privileges on a Linux system. It can modify any file, install software, change permissions, and access restricted resources. Most operations requiring elevated privilege use sudo (which grants temporary root access) instead of logging in as root directly for security reasons.
12. What are package managers and name a few examples.
Package managers automate software installation, updates, and removal. They resolve dependencies and maintain a database of installed packages. Examples include apt/aptitude (Debian/Ubuntu), yum/dnf (RHEL/CentOS/Fedora), pacman (Arch), apk (Alpine), and zypper (openSUSE). Each uses different commands and package formats.
13. What is a shell and what is the default Linux shell?
A shell is a command interpreter that reads user input, executes commands, and returns results. It provides scripting capabilities and environment variable management. The default Linux shell is typically Bash (Bourne Again Shell), though other shells like Zsh, Fish, Ksh, and Dash are available.
14. What are environment variables and what is the PATH variable?
Environment variables are global settings that shells and programs use (NAME=value format). The PATH variable contains a colon-separated list of directories where the shell searches for executable programs. View PATH with echo $PATH and add directories by appending to it: export PATH=$PATH:/new/path.
15. Explain stdin, stdout, and stderr with an example.
stdin (file descriptor 0) is standard input from the keyboard. stdout (file descriptor 1) is standard output displayed on the terminal. stderr (file descriptor 2) is error messages. You can redirect them: command > output.txt (stdout to file), command 2> errors.txt (stderr to file), command 2>&1 (merge stderr into stdout).
Intermediate Level (Questions 16-35)
16. What is the difference between kill and kill -9?
The kill command sends a signal to a process (default SIGTERM, signal 15). The kill -9 command sends SIGKILL which forces immediate termination without cleanup. SIGTERM allows graceful shutdown, while SIGKILL bypasses all signal handlers. Use kill -15 PID first, then kill -9 PID if the process doesn't stop.
17. How do you find files on a Linux system?
Use the find command to search by name, type, size, etc.: find / -name filename (search by name), find / -type f -name "*.txt" (find all txt files), find / -size +100M (files larger than 100MB). The locate command is faster but uses a pre-built database. Update the database with updatedb.
18. What is the difference between grep and egrep?
grep (Global Regular Expression Print) searches text patterns. egrep (extended grep) is equivalent to grep -E and supports extended regular expressions. Extended regex allows +, ?, |, and () without escaping, while basic grep requires backslashes. For example: grep -E "pattern1|pattern2" vs grep "pattern1|pattern2".
19. What is an inode and why is it important?
An inode is a data structure that stores metadata about a file: permissions, ownership, timestamps, and pointers to data blocks on disk. Every file has a unique inode number. View inode info with ls -i. The filesystem maps inode numbers to actual file data. Running out of inodes (even with free space) prevents file creation.
20. What is swap and why do systems use it?
Swap is disk space used as virtual memory when physical RAM is exhausted. When RAM is full, the kernel moves inactive memory pages to swap. Access is slower than RAM but prevents out-of-memory crashes. Check swap with free -h or swapon --show. Create swap with fallocate, mkswap, and swapon commands.
21. How does cron work and what is the crontab file?
Cron is a daemon that runs scheduled tasks (cron jobs) at specified times. The crontab file contains scheduled commands in the format: minute hour day month weekday command. Edit your crontab with crontab -e, list entries with crontab -l, and remove with crontab -r. The crond daemon checks crontabs every minute and executes due jobs.
22. What are iptables and what do they do?
iptables is a utility to configure firewall rules in Linux using the Netfilter framework. It controls inbound, outbound, and forwarded network traffic. Common usage: iptables -A INPUT -p tcp --dport 22 -j ACCEPT (allow SSH), iptables -L (list rules), iptables -F (flush all rules). Modern systems often use firewalld or ufw as higher-level alternatives.
23. What is SELinux and what problem does it solve?
SELinux (Security-Enhanced Linux) is a mandatory access control (MAC) system that enforces security policies beyond standard permissions. It restricts what processes can do even if they run as root. Check status with getenforce, disable with setenforce 0, view policies with getsebool. SELinux prevents privilege escalation and limits damage from compromised processes.
24. What is the difference between su and sudo?
Both su and sudo grant elevated privileges. The su command switches user (su - username) and requires the target user's password. The sudo command (sudo command) runs a single command as root and requires your own password. sudo is preferred because it logs commands, requires less sharing of passwords, and allows granular permission control via /etc/sudoers.
25. How do you check disk usage on a Linux system?
Use df -h to show filesystem space usage in human-readable format. Use du -sh directory to show directory size, or du -h --max-depth=1 for subdirectory breakdown. Use ls -lh for individual file sizes. Use ncdu for an interactive disk usage analyzer. These tools help identify what is consuming disk space.
26. What is LVM (Logical Volume Manager)?
LVM abstracts physical storage into logical volumes, allowing flexible resizing and management. It creates a layer between physical disks (PV) and mount points (LV) using volume groups (VG). Benefits include resizing filesystems without unmounting, creating snapshots, and managing multiple disks as one. Create LVM with pvcreate, vgcreate, and lvcreate.
27. Explain the difference between TCP and UDP.
TCP (Transmission Control Protocol) is connection-oriented, reliable, and ordered; used for applications requiring accuracy like HTTP, SSH, and email. UDP (User Datagram Protocol) is connectionless, fast, and unreliable; used for speed-sensitive applications like DNS, streaming, and gaming. TCP has overhead from acknowledgments; UDP is lightweight but may lose packets.
28. How does SSH work at a high level?
SSH (Secure Shell) establishes encrypted remote connections. The SSH protocol uses asymmetric keys (public/private) to authenticate the server and optionally the client. It encrypts all communication using symmetric encryption after key exchange. SSH keys are stored in ~/.ssh/id_rsa (private) and ~/.ssh/id_rsa.pub (public). Use ssh-keygen to generate keys and ssh-copy-id to install public keys on servers.
29. What are runlevels and systemd targets?
Runlevels (0-6) are predefined system states: 0 (halt), 1 (single-user), 2-4 (multi-user), 5 (graphical), 6 (reboot). Modern systems use systemd targets instead: multi-user.target, graphical.target, rescue.target, etc. View current runlevel with runlevel, set with init N or systemctl isolate target.target. Systemd targets are more flexible and better documented.
30. How would you troubleshoot a service not starting?
First, check if the service exists: systemctl status servicename. View error logs: journalctl -u servicename -n 50. Check if the service is enabled: systemctl is-enabled servicename. Try starting manually: systemctl start servicename. Check configuration syntax: grep -v "^#" /etc/config/file. Review dependencies and conflicts in the service file. Verify permissions and required resources.
31. What is the /proc filesystem and what can you find there?
/proc is a virtual filesystem providing kernel and process information. Key files: /proc/meminfo (memory stats), /proc/cpuinfo (CPU info), /proc/uptime (uptime), /proc/loadavg (load average), /proc/PID/status (process info), /proc/net/tcp (network connections). Reading these files doesn't access disk; the kernel generates data on-the-fly. Useful for monitoring and debugging.
32. Explain the Linux boot process.
The boot process: firmware (BIOS/UEFI) loads bootloader (GRUB), bootloader loads kernel and initramfs, kernel extracts initramfs (contains drivers and init), init mounts root filesystem, systemd starts as PID 1, systemd loads targets and services, shell/login prompt appears. Key files: /boot/vmlinuz (kernel), /boot/initramfs (initial root filesystem), /etc/systemd/system/ (service definitions).
33. What are signals in Linux?
Signals are inter-process communication mechanisms for asynchronous notifications. Common signals: SIGTERM (15, graceful termination), SIGKILL (9, force termination), SIGSTOP (19, pause process), SIGCONT (18, resume process), SIGHUP (1, hangup/reload), SIGINT (2, interrupt from keyboard). Catch signals in scripts with trap: trap "echo Received SIGTERM" SIGTERM.
34. Explain sticky bit, SUID, and SGID permissions.
These are special permission bits: SUID (4000) runs files as the owner (chmod u+s file), SGID (2000) runs as group owner (chmod g+s file), sticky bit (1000) prevents non-owners deleting files in directories (chmod o+t directory). View with ls -l: a leading 's' indicates SUID/SGID, 't' indicates sticky bit. Example: -rwsr-xr-x (SUID), drwxrwxrwt (sticky bit on /tmp).
35. What is umask and how does it work?
umask (user file creation mask) determines default permissions for new files and directories. It's a three-digit value subtracted from default permissions (666 for files, 777 for directories). Default umask is typically 0022 (results in 644 files, 755 directories). View with umask, change with umask 0077 (restrictive, creates 600 files, 700 directories). Set permanently in shell profiles.
Advanced Level (Questions 36-50+)
36. Explain the Linux boot process in exhaustive detail.
The process begins with firmware (BIOS reads MBR or UEFI reads GPT) finding the bootloader. GRUB loads, reads /boot/grub/grub.cfg, and presents a menu. The selected kernel image (vmlinuz) is loaded into memory along with the initramfs (compressed root filesystem containing drivers and init). The kernel decompresses and mounts initramfs. The init process (in initramfs) loads modules, mounts the real root filesystem, and passes control to systemd (PID 1). Systemd reads /etc/systemd/system/default.target (symlink to multi-user or graphical) and starts services in dependency order. Network, storage, and login services initialize. The system reaches the target state (login prompt for multi-user, GUI for graphical).
37. How does virtual memory work in Linux?
Virtual memory creates an abstraction where each process sees its own address space larger than physical RAM. The MMU (Memory Management Unit) translates virtual to physical addresses using page tables. When RAM is full, the kernel moves least-used pages to swap disk. Page faults occur when a process accesses a page not in RAM, triggering a page fetch from disk. The TLB (Translation Lookaside Buffer) caches translations for speed. Configure swappiness with sysctl vm.swappiness (0-100; lower means prefer keeping data in RAM).
38. What is the OOM killer and when does it trigger?
The OOM (Out of Memory) killer activates when available memory is critically low and swap is exhausted. It terminates processes to free memory, selecting targets by badness score (process size, memory consumption, oom_score). Check oom_score with cat /proc/PID/oom_score. Adjust oom_score_adj (-1000 to 1000) to protect important processes. View logs with journalctl | grep -i oom or dmesg | grep -i oom.
39. How do you tune kernel parameters using sysctl?
Kernel parameters control OS behavior. View all with sysctl -a. Modify temporarily: sysctl -w net.ipv4.ip_forward=1 (enable IP forwarding). Persist in /etc/sysctl.conf or /etc/sysctl.d/99-custom.conf, then apply with sysctl -p. Key parameters: vm.swappiness (swap preference), net.ipv4.tcp_max_syn_backlog (connection queue), fs.file-max (max open files). Test changes before production deployment.
40. Explain namespaces and cgroups in Linux.
Namespaces provide process isolation: PID namespace (process trees), network namespace (network interfaces), mount namespace (filesystem views), UTS namespace (hostname), IPC namespace (inter-process communication), and user namespace (UID/GID). Cgroups limit and monitor resource usage (CPU, memory, I/O). Containers use both to isolate workloads. Create namespaces with unshare or nsenter; manage cgroups with systemd-cgls or direct /sys/fs/cgroup manipulation.
41. What are zombie processes and how do you eliminate them?
Zombie processes are children whose parent hasn't reaped their exit status, causing them to remain in the process table. They consume minimal resources but clutter process listings. View with ps aux | grep Z. The parent process should call wait() or waitpid() to reap them. If the parent is already dead, init (PID 1) automatically reaps orphans. Killing a zombie's parent forces reaping.
42. How do pipes work internally in Linux?
Pipes (|) connect stdout of one process to stdin of another. They create an in-memory buffer managed by the kernel. Data flows unidirectionally. Named pipes (FIFOs) exist on disk: mkfifo /tmp/pipe, then process1 > /tmp/pipe & process2 < /tmp/pipe. Pipes use a circular buffer; if full, the writing process blocks. Anonymous pipes have no persistent inode. View pipe usage in /proc/PID/fd/.
43. Explain copy-on-write (COW) in Linux.
Copy-on-write is a kernel optimization where a forked child process initially shares the parent's memory pages. Only when a process writes to a page is a private copy created. This saves memory and speeds up fork() calls. Used in fork(), snapshot creation, and container images. Filesystem COW (Btrfs, ZFS) allows creating cheap snapshots. Monitor COW with tools tracking page faults.
44. What is a D-state process and how do you handle it?
A D-state (uninterruptible sleep) process is waiting for I/O that cannot be interrupted by signals. View with ps aux (shows D in STAT column). Causes: slow storage, NFS mounts, or kernel bugs. D-state processes cannot be killed normally. Root cause: check iostat for high I/O wait, verify storage connectivity, inspect dmesg for errors. Solutions: fix underlying I/O issue, restart service, or reboot if necessary.
45. Explain key /proc/sys/vm parameters for performance tuning.
Key parameters: vm.swappiness (0-100, default 60; lower reduces swap use), vm.dirty_ratio (percentage of RAM for dirty pages before sync), vm.dirty_background_ratio (async sync threshold), vm.max_map_count (max memory map areas per process, increase for Java/browsers), vm.overcommit_memory (0 = balanced, 1 = always allow, 2 = strict limit), vm.page-cluster (read-ahead pages). Example: sysctl -w vm.swappiness=10 for memory-heavy workloads.
46. How would you approach debugging Linux performance issues?
Use the performance analysis workflow: top/htop (CPU and memory), iostat -x 1 5 (disk I/O patterns), netstat/ss (network connections), vmstat 1 5 (context switches and paging), strace -p PID (system calls), perf top (CPU profiling), journalctl (system logs), dmesg (kernel messages). Profile sequentially: identify bottleneck (CPU, disk, network, memory), drill down with appropriate tools, measure before/after changes. Use monitoring tools like Prometheus or Grafana for trends.
47. Explain RAID levels (0, 1, 5, 6, 10).
RAID 0 (striping): data split across disks, fast but no redundancy. RAID 1 (mirroring): identical copies on two disks, good redundancy. RAID 5 (striping with parity): requires 3+ disks, tolerates one failure using parity blocks. RAID 6 (dual parity): requires 4+ disks, tolerates two simultaneous failures. RAID 10 (1+0): mirrors of stripes, good performance and redundancy. Manage with mdadm: mdadm --create, mdadm --manage. RAID protects against drive failure but not logical errors or ransomware.
48. How does NFS (Network File System) work?
NFS allows mounting remote filesystems over the network. Server exports directories in /etc/exports, client mounts with mount -t nfs server:/path /mount. Uses RPC (Remote Procedure Call) for communication. Stateless design: server doesn't track client state, allowing recovery. NFS versions: v3 (simple, locking issues), v4 (modern, stateful, secure, encryption support). Performance: fast for reads, slower for writes. Common issues: firewall blocking ports 111 and 2049, network latency affecting throughput.
49. Explain load average and its interpretation.
Load average is the average number of processes in the runnable queue over 1, 5, and 15 minutes. View with uptime or cat /proc/loadavg. Interpretation: load 4.0 on 4-core CPU means fully utilized; load 2.0 on 8-core means underutilized. Values above CPU count indicate queued processes waiting for CPU. High load with low CPU usage suggests other bottlenecks (I/O wait). Compare load to CPU count: loadavg/$(grep -c processor /proc/cpuinfo) gives utilization ratio.
50. How would you recover a system that won't boot?
Boot into recovery/single-user mode (GRUB menu, edit kernel parameters, add 'single' or 'rd.break'). Mount root filesystem: mount -o rw,remount /. Check filesystem integrity: fsck /dev/sda1. Inspect logs: cat /var/log/boot.log, journalctl --no-pager. Verify bootloader: grub2-install /dev/sda, grub2-mkconfig -o /boot/grub2/grub.cfg. Check kernel modules: ls -la /lib/modules/$(uname -r) or lsmod. Reinstall failed packages: rpm -Va or dpkg --configure -a. As last resort, boot from live ISO, mount filesystems, and troubleshoot from there.
51. What is systemd and how does it differ from older init systems?
Systemd is a modern init system replacing SysVinit and Upstart. It manages services, mounts, timers, and more through unit files. Key advantages: parallel service startup (faster boot), dependency management, integrated logging (journald), socket activation, and timer support. Unit files use declarative syntax. Key commands: systemctl start/stop/restart/reload service, systemctl enable (autostart), systemctl status. View units with systemctl list-units. Check failures with systemctl --failed.
52. Explain the difference between /dev/null, /dev/zero, and /dev/urandom.
/dev/null is a null device that discards all data written to it; reading returns EOF. Use to suppress output: command > /dev/null 2>&1. /dev/zero provides infinite null bytes; used to create files: dd if=/dev/zero of=file bs=1M count=100. /dev/urandom provides cryptographically secure random bytes; used for passwords and keys: openssl rand -base64 32. /dev/random (slower) blocks until sufficient entropy is available.
Tips for Linux Interviews
-
Practice command line fundamentals: Be comfortable with grep, sed, awk, find, and pipes. Interviewers often ask you to write one-liners or explain command combinations. Use Linux regularly and practice scripting challenges on platforms like HackerRank.
-
Understand the "why" behind concepts: Don't just memorize facts. Understand why inodes exist, why signals are used, how virtual memory improves system design. This helps you answer follow-up questions and shows deeper knowledge.
-
Know your distribution: Many interview questions vary by distro. Be specific about package managers (apt vs yum), service management (systemd vs SysVinit), and configuration file locations. Mention if answering for a specific distro.
-
Draw diagrams when explaining processes: When describing the boot sequence, virtual memory, or networking, sketching a diagram on a whiteboard or paper helps communicate complex concepts. Many interviewers appreciate visual explanations.
-
Share real-world examples and experiences: Interviewers value practical experience. If you've debugged a performance issue, managed containers, or optimized a system, share your story. Mention tools you've used and lessons learned.
-
Stay current with modern tools: Know systemd, containers (Docker/Kubernetes), cloud platforms (AWS, Azure, GCP), and Infrastructure as Code. While traditional topics are important, modern DevOps and cloud skills are increasingly valued.
-
Ask clarifying questions and admit gaps: If unsure about a question, ask the interviewer to clarify scope. If you don't know something, say so honestly—interviewers respect candor more than guessing. Follow up with how you would research or approach the topic.