Skip to content

trimstray/test-your-sysadmin-skills

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

Master


"A great Admin doesn't need to know everything, but they should be able to come up with amazing solutions to impossible projects." - cwheeler33 (ServerFault)

"My skills are making things work, not knowing a billion facts. [...] If I need to fix a system I’ll identify the problem, check the logs and look up the errors. If I need to implement a solution I’ll research the right solution, implement and document it, the later on only really have a general idea of how it works unless I interact with it frequently... it’s why it’s documented." - Sparcrypt (Reddit)


Pull Requests MIT License

Created by trimstray and contributors



ℹ️  This project contains 284 test questions and answers that can be used as a test your knowledge or during an interview/exam for position such as Linux (*nix) System Administrator.

✔️  The answers are only examples and do not exhaust the whole topic. Most of them contains useful resources for a deeper understanding.

⚠️  Questions marked *** don't have answer yet or answer is incomplete - make a pull request to add them!

🚥  If you find something which doesn't make sense, or something doesn't seem right, please make a pull request and please add valid and well-reasoned explanations about your changes or comments.

📚  In order to improve your knowledge/skills please see devops-interview-questions. It looks really interesting.


» All suggestions are welcome «


Table of Contents

The type of chapter Number of questions Short description
Introduction
🔸 Simple Questions 14 questions Relaxed, fun and simple - are great for starting everything.
General Knowledge
🔸 Junior Sysadmin 65 questions Reasonably simple and straight based on basic knowledge.
🔸 Regular Sysadmin 94 questions The mid level of questions if that you have sound knowledge.
🔸 Senior Sysadmin 99 questions Hard questions and riddles. Check it if you want to be good.
Secret Knowledge
🔸 Guru Sysadmin 12 questions Really deep questions are to get to know Guru Sysadmin.

  • What did you learn this week?
  • What excites or interests you about the sysadmin world?
  • What is a recent technical challenge you experienced and how did you solve it?
  • Tell me about the last major project you finished.
  • Do you contribute to any open source projects?
  • Describe the setup of your homelab.
  • What personal achievement are you most proud of?
  • Tell me about the biggest mistake you've made. How would you do it differently today?
  • What software tools are you going to install on the first day at a new job?
  • Tell me about how you manage your knowledge database (e.g. wikis, files, portals).
  • What news sources do you check daily? (sysadmin, security-related or other)
  • Your NOC team has a new budget for sysadmin certifications. What certificate would you like and why?
  • How do you interact with developers: us vs. them or all pulling together with a different approach?
  • Which sysadmin question would you ask, if you were interviewing me, to know, how good I'm with non-standard situations?
System Questions (37)
Give some examples of Linux distribution. What is your favorite distro and why?
- Red Hat Enterprise Linux - Fedora - CentOS - Debian - Ubuntu - Mint - SUSE Linux Enterprise Server (SLES) - SUSE Linux Enterprise Desktop (SLED) - Slackware - Arch - Kali - Backbox

My favorite Linux distribution:

  • Arch Linux, which offers a nice minimalist base system on which one can build a custom operating system. The beauty of it too is that it has the Arch User Repository (AUR), which when combined with its official binary repositories allows it to probably have the largest repositories of any distribution. Its packaging process is also very simple, which means if one wants a package not in its official repositories or the AUR, it should be easy to make it for oneself.
  • Linux Mint, which is also built from Ubuntu LTS releases, but features editions featuring a few different desktop environments, including Cinnamon, MATE and Xfce. Mint is quite polished and its aesthetics are rather appealing, I especially like its new icon theme, although I do quite dislike its GTK+ theme (too bland to my taste). I’ve also found a bug in its latest release Mint 19, that is getting quite irritating as I asked for with it over a fortnight ago on their forums and I have received no replies so far and it is a bug that makes my life on it more difficult.
  • Kali Linux, is a Debian-based Linux distribution aimed at advanced Penetration Testing and Security Auditing. Kali contains several hundred tools which are geared towards various information security tasks, such as Penetration Testing, Security research, Computer Forensics and Reverse Engineering.

Useful resources:

What are the differences between Unix, Linux, BSD, and GNU?

GNU isn't really an OS. It's more of a set of rules or philosophies that govern free software, that at the same time gave birth to a bunch of tools while trying to create an OS. So GNU tools are basically open versions of tools that already existed, but were reimplemented to conform to principals of open software. GNU/Linux is a mesh of those tools and the Linux kernel to form a complete OS, but there are other GNUs, e.g. GNU/Hurd.

Unix and BSD are "older" implementations of POSIX that are various levels of "closed source". Unix is usually totally closed source, but there are as many flavors of Unix as there are Linux (if not more). BSD is not usually considered "open", but it was considered to be very open when it was released. Its licensing also allowed for commercial use with far fewer restrictions than the more "open" licenses of the time allowed.

Linux is the newest of the four. Strictly speaking, it's "just a kernel"; however, in general, it's thought of as a full OS when combined with GNU Tools and several other core components.

The main governing differences between these are their ideals. Unix, Linux, and BSD have different ideals that they implement. They are all POSIX, and are all basically interchangeable. They do solve some of the same problems in different ways. So other then ideals and how they choose to implement POSIX standards, there is little difference.

For more info I suggest your read a brief article on the creation of GNU, OSS, Linux, BSD, and UNIX. They will be slanted towards their individual ideas, but those articles should give you a better idea of the differences.

Useful resources:

What is a CLI? Tell me about your favorite CLI tools, tips, and hacks.

CLI is an acronym for Command Line Interface or Command Language Interpreter. The command line is one of the most powerful ways to control your system/computer.

In Unix like systems, CLI is the interface by which a user can type commands for the system to execute. The CLI is very powerful, but is not very error-tolerant.

The CLI allows you to do manipulations with your system’s internals and with code in a much more fine-tuned way. It offers greater flexibility and control than a GUI regardless of what OS is used. Many programs that you might want to use in your software that are hosted on say Github also require running some commands on the CLI in order to get them running.

My favorite tools

  • screen - free terminal multiplexer, I can start a session and My terminals will be saved even when you connection is lost, so you can resume later or from home
  • ssh - the most valuable over-all command to learn, I can use it to do some amazing things:
    • mount a file system over the internet with sshfs
    • forward commands: runs against a rsync server with no rsync deamon by starting one itself via ssh
    • run in batch files: I can redirect the output from the remote command and use it within local batch file
  • vi/vim - is the most popular and powerful text editor, it's universal, it's work very fast, even on large files
  • bash-completion - contains a number of predefined completion rules for shell

Tips & Hacks

  • searches the command history with CTRL + R
  • popd/pushd and other shell builtins which allow you manipulate the directory stack
  • editing keyboard shortcuts like a CTRL + U, CTRL + E
  • combinations will be auto-expanded:
    • !* - all arguments of last command
    • !! - the whole of last command
    • !ssh - last command starting with ssh

Useful resources:

What is your favorite shell and why?

BASH is my favorite. It’s really a preferential kind of thing, where I love the syntax and it just "clicks" for me. The input/output redirection syntax (>>, << 2>&1, 2>, 1>, etc) is similar to C++ which makes it easier for me to recognize.

I also like the ZSH shell, because is much more customizable than BASH. It has the Oh-My-Zsh framework, powerful context based tab completion, pattern matching/globbing on steroids, loadable modules and more.

Useful resources:

How do you get help on the command line? ***
  • man [commandname] can be used to see a description of a command (ex.: man less, man cat)

  • -h or --help some programs will implement printing instructions when passed this parameter (ex.: python -h and python --help)

Your first 5 commands on a *nix server after login.
  • w - a lot of great information in there with the server uptime
  • top - you can see all running processes, then order them by CPU, memory utilization and more
  • netstat - to know on what port and IP your server is listening on and what processes are using those
  • df - reports the amount of available disk space being used by file systems
  • history - tell you what was previously run by the user you are currently connected to

Useful resources:

What do the fields in ls -al output mean?

In the order of output:

-rwxrw-r--    1    root   root 2048    Jan 13 07:11 db.dump
  • file permissions,
  • number of links,
  • owner name,
  • owner group,
  • file size,
  • time of last modification,
  • file/directory name

File permissions is displayed as following:

  • first character is - or l or d, d indicates a directory, a - represents a file, l is a symlink (or soft link) - special type of file
  • three sets of characters, three times, indicating permissions for owner, group and other:
    • r = readable
    • w = writable
    • x = executable

In your example -rwxrw-r--, this means the line displayed is:

  • a regular file (displayed as -)
  • readable, writable and executable by owner (rwx)
  • readable, writable, but not executable by group (rw-)
  • readable but not writable or executable by other (r--)

Useful resources:

How do you get a list of logged-in users?

For a summary of logged-in users, including each login of a username, the terminal users are attached to, the date/time they logged in, and possibly the computer from which they are making the connection, enter:

# It uses /var/run/utmp and /var/log/wtmp files to get the details.
who

For extensive information, including username, terminal, IP number of the source computer, the time the login began, any idle time, process CPU cycles, job CPU cycles, and the currently running command, enter:

# It uses /var/run/utmp, and their processes /proc.
w

Also important for displays a list of last logged in users, enter:

# It uses /var/log/wtmp.
last

Useful resources:

What is the advantage of executing the running processes in the background? How can you do that?

The most significant advantage of executing the running process in the background is that you can do any other task simultaneously while other processes are running in the background. So, more processes can be completed in the background while you are working on different processes. It can be achieved by adding a special character & at the end of the command.

Generally applications that take too long to execute and doesn't require user interaction are sent to background so that we can continue our work in terminal.

For example if you want to download something in background, you can:

wget https://url-to-download.com/download.tar.gz &

When you run the above command you get the following output:

[1] 2203

Here 1 is the serial number of job and 2203 is PID of the job.

You can see the jobs running in background using the following command:

jobs

When you execute job in background it give you a PID of job, you can kill the job running in background using the following command:

kill PID

Replace the PID with the PID of the job. If you have only one job running you can bring it to foreground using:

fg

If you have multiple jobs running in background you can bring any job in foreground using:

fg %#

Replace the # with serial number of the job.

Useful resources:

Before you can manage processes, you must be able to identify them. Which tools will you use? ***

To be completed.

Running the command as root user. It is a good or bad practices?

Running (everything) as root is bad because:

  • Stupidity: nothing prevents you from making a careless mistake. If you try to change the system in any potentially harmful way, you need to use sudo, which ensures a pause (while you're entering the password) to ensure that you aren't about to make a mistake.

  • Security: harder to hack if you don't know the admin user's login account. root means you already have one half of the working set of admin credentials.

  • You don't really need it: if you need to run several commands as root, and you're annoyed by having to enter your password several times when sudo has expired, all you need to do is sudo -i and you are now root. Want to run some commands using pipes? Then use sudo sh -c "command1 | command2".

  • You can always use it in the recovery console: the recovery console allows you to recover from a major mistake, or fix a problem caused by an app (which you still had to run as sudo). Ubuntu doesn't have a password for the root account in this case, but you can search online for changing that - this will make it harder for anyone that has physical access to your box to be able to do harm.

Useful resources:

How to check memory stats and CPU stats?

You'd use top/htop for both. Using free and vmstat command we can display the physical and virtual memory statistics respectively. With the help of sar command we see the CPU utilization & other stats (but sar isn't even installed in most systems).

Useful resources:

What is load average?

Linux load averages are "system load averages" that show the running thread (task) demand on the system as an average number of running plus waiting threads. This measures demand, which can be greater than what the system is currently processing. Most tools show three averages, for 1, 5, and 15 minutes.

These 3 numbers are not the numbers for the different CPUs. These numbers are mean values of the load number for a given period of time (of the last 1, 5 and 15 minutes).

Load average is usually described as "average length of run queue". So few CPU-consuming processes or threads can raise load average above 1. There is no problem if load average is less than total number of CPU cores. But if it gets higher than number of CPUs, this means some threads/processes will stay in queue, ready to run, but waiting for free CPU.

It is meant to give you an idea of the state of the system, averaged over several periods of time. Since it is averaged, it takes time for it to go back to 0 after a heavy load was placed on the system.

Some interpretations:

  • if the averages are 0.0, then your system is idle
  • if the 1 minute average is higher than the 5 or 15 minute averages, then load is increasing
  • if the 1 minute average is lower than the 5 or 15 minute averages, then load is decreasing
  • if they are higher than your CPU count, then you might have a performance problem (it depends)

Useful resources:

Where is my password stored on Linux/Unix?

The passwords are not stored anywhere on the system at all. What is stored in /etc/shadow are so called hashes of the passwords.

A hash of some text is created by performing a so called one way function on the text (password), thus creating a string to check against. By design it is "impossible" (computationally infeasible) to reverse that process.

Older Unix variants stored the encrypted passwords in /etc/passwd along with other information about each account.

Newer ones simply have a * in the relevant field in /etc/passwd and use /etc/shadow to store the password, in part to ensure nobody gets read access to the passwords when they only need the other stuff (shadow is usually protected more strongly than passwd).

For more info consult man crypt, man shadow, man passwd.

Useful resources:

How to recursively change permissions for all directories except files and for all files except directories?

To change all the directories e.g. to 755 (drwxr-xr-x):

find /opt/data -type d -exec chmod 755 {} \;

To change all the files e.g. to 644 (-rw-r--r--):

find /opt/data -type f -exec chmod 644 {} \;

Useful resources:

Every command fails with command not found. How to trace the source of the error and resolve it?

It looks that at one point or another are overwriting the default PATH environment variable. The type of errors you have, indicates that PATH does not contain e.g. /bin, where the commands (including bash) reside.

One way to begin debugging your bash script or command would be to start a subshell with the -x option:

bash --login -x

This will show you every command, and its arguments, which is executed when starting that shell.

Also very helpful is show PATH variable values:

echo $PATH

If you run this:

PATH=/bin:/sbin:/usr/bin:/usr/sbin

most commands should start working - and then you can edit ~/.bash_profile instead of ~/.bashrc and fix whatever is resetting PATH there. Default PATH variable values for root and other users is in /etc/profile file.

Useful resource:

You typing CTRL + C but your script still running. How do you stop it?

In most cases, you can stop a running script by using the CTRL + C keyboard combination. This sends an interrupt signal (SIGINT) to the script, which terminates its execution. If this does not work and the script is still running, you can try using the CTRL + \ combination, which sends a quit signal (SIGQUIT) to the script, which may terminate it immediately.

Alternatively, if you are using a terminal or command line interface, you can try using the kill command to send a signal to the script process. You can find the process ID (PID) of the script by using the ps or top command, and then use kill with the PID to stop the script.

In some cases, you may need to use the kill -9 command to force the script to stop, as the regular kill command may not work if the script is stuck or not responding. The -9 option sends a SIGKILL signal, which forces the process to stop immediately.

What is grep command? How to match multiple strings in the same line?

The grep utilities are a family of Unix tools, including egrep and fgrep.

grep searches file patterns. If you are looking for a specific pattern in the output of another command, grep highlights the relevant lines. Use this grep command for searching log files, specific processes, and more.

For match multiple strings:

grep -E "string1|string2" filename

or

grep -e "string1" -e "string2" filename

Useful resources:

Explain the file content commands along with the description.
  • head: to check the starting of a file.
  • tail: to check the ending of the file. It is the reverse of head command.
  • cat: used to view, create, concatenate the files.
  • more: used to display the text in the terminal window in pager form.
  • less: used to view the text in the backward direction and also provides single line movement.

Useful resources:

SIGHUP, SIGINT, SIGKILL, and SIGTERM POSIX signals. Explain.
  • SIGHUP - is sent to a process when its controlling terminal is closed. It was originally designed to notify the process of a serial line drop (a hangup). Many daemons will reload their configuration files and reopen their logfiles instead of exiting when receiving this signal.
  • SIGINT - is sent to a process by its controlling terminal when a user wishes to interrupt the process. This is typically initiated by pressing Ctrl+C, but on some systems, the "delete" character or "break" key can be used.
  • SIGKILL - is sent to a process to cause it to terminate immediately (kill). In contrast to SIGTERM and SIGINT, this signal cannot be caught or ignored, and the receiving process cannot perform any clean-up upon receiving this signal.
  • SIGTERM - is sent to a process to request its termination. Unlike the SIGKILL signal, it can be caught and interpreted or ignored by the process. This allows the process to perform nice termination releasing resources and saving state if appropriate. SIGINT is nearly identical to SIGTERM.

Useful resources:

What does kill command do?

In Unix and Unix-like operating systems, kill is a command used to send a signal to a process. By default, the message sent is the termination signal, which requests that the process exit. But kill is something of a misnomer; the signal sent may have nothing to do with process killing.

Useful resources:

What is the difference between rm and rm -rf?

rm only deletes the named files (and not directories). With -rf as you say:

  • -r, -R, --recursive recursively deletes content of a directory, including hidden files and sub directories
  • -f, --force ignore nonexistent files, never prompt

Useful resources:

How do I grep recursively? Explain on several examples. ***

To be completed.

archive.tgz has ~30 GB. How do you list content of it and extract only one file?
# list of content
tar tf archive.tgz

# extract file
tar xf archive.tgz filename

Useful resources:

Execute combine multiple shell commands in one line.

If you want to execute each command only if the previous one succeeded, then combine them using the && operator:

cd /my_folder && rm *.jar && svn co path to repo && mvn compile package install

If one of the commands fails, then all other commands following it won't be executed.

If you want to execute all commands regardless of whether the previous ones failed or not, separate them with semicolons:

cd /my_folder; rm *.jar; svn co path to repo; mvn compile package install

In your case, I think you want the first case where execution of the next command depends on the success of the previous one.

You can also put all commands in a script and execute that instead:

#! /bin/sh
cd /my_folder \
&& rm *.jar \
&& svn co path to repo \
&& mvn compile package install

Useful resources:

What symbolic representation can you pass to chmod to give all users execute access to a file without affecting other permissions?
chmod a+x /path/to/file
  • a - for all users
  • x - for execution permission
  • r - for read permission
  • w - for write permission

Useful resources:

How can I sync two local directories?

To sync the contents of dir1 to dir2 on the same system, type:

rsync -av --progress --delete dir1/ dir2
  • -a, --archive - archive mode
  • --delete - delete extraneous files from dest dirs
  • -v, --verbose - verbose mode (increase verbosity)
  • --progress - show progress during transfer

Useful resources:

Many basic maintenance tasks require you to edit config files. Explain ways to undo the changes you make.
  • manually backup of a file before editing (with brace expansion like this: cp filename{,.orig})
  • manual copy of the directory structure where file is stored (e.g. cp, rsync or tar)
  • make a backup of original file in your editor (e.g. set rules in your editor configuration file)
  • the best solution is to use git (or any other version control) to keep track of configuration files (e.g. etckeeper for /etc directory)

Useful resources:

You have to find all files larger than 20MB. How you do it?
find / -type f -size +20M

Useful resources:

Why do we use sudo su - and not just sudo su?

sudo is in most modern Linux distributions where (but not always) the root user is disabled and has no password set. Therefore you cannot switch to the root user with su (you can try). You have to call sudo with root privileges: sudo su.

su just switches the user, providing a normal shell with an environment nearly the same as with the old user.

su - invokes a login shell after switching the user. A login shell resets most environment variables, providing a clean base.

Useful resources:

How to find files that have been modified on your system in the past 60 minutes?
find / -mmin -60 -type f

Useful resources:

What are the main reasons for keeping old log files?

They are essential to investigate issues on the system. Log management is absolutely critical for IT security.

Servers, firewalls, and other IT equipment keep log files that record important events and transactions. This information can provide important clues about hostile activity affecting your network from within and without. Log data can also provide information for identifying and troubleshooting equipment problems including configuration problems and hardware failure.

It’s your server’s record of who’s come to your site, when, and exactly what they looked at. It’s incredibly detailed, showing:

  • where folks came from
  • what browser they were using
  • exactly which files they looked at
  • how long it took to load each file
  • and a whole bunch of other nerdy stuff

Factors to consider:

  • legal requirements for retention or destruction
  • company policies for retention and destruction
  • how long the logs are useful
  • what questions you're hoping to answer from the logs
  • how much space they take up

By collecting and analyzing logs, you can understand what transpires within your network. Each log file contains many pieces of information that can be invaluable, especially if you know how to read them and analyze them.

Useful resources:

What is an incremental backup?

An incremental backup is a type of backup that only copies files that have changed since the previous backup.

Useful resources:

What is RAID? What is RAID0, RAID1, RAID5, RAID6, RAID10?

A RAID (Redundant Array of Inexpensive Disks) is a technology that is used to increase the performance and/or reliability of data storage.

  • RAID0: Also known as disk striping, is a technique that breaks up a file and spreads the data across all the disk drives in a RAID group. There are no safeguards against failure
  • RAID1: A popular disk subsystem that increases safety by writing the same data on two drives. Called "mirroring," RAID 1 does not increase write performance, but read performance may equal up to the sum of each disks' performance. However, if one drive fails, the second drive is used, and the failed drive is manually replaced. After replacement, the RAID controller duplicates the contents of the working drive onto the new one
  • RAID5: It is disk subsystem that increases safety by computing parity data and increasing speed by interleaving data across three or more drives (striping). Upon failure of a single drive, subsequent reads can be calculated from the distributed parity such that no data is lost
  • RAID6: RAID 6 extends RAID 5 by adding another parity block. It requires a minimum of four disks and can continue to execute read and write of any two concurrent disk failures. RAID 6 does not have a performance penalty for read operations, but it does have a performance penalty on write operations because of the overhead associated with parity calculations
  • RAID10: Also known as RAID 1+0, is a RAID configuration that combines disk mirroring and disk striping to protect data. It requires a minimum of four disks, and stripes data across mirrored pairs. As long as one disk in each mirrored pair is functional, data can be retrieved. If two disks in the same mirrored pair fail, all data will be lost because there is no parity in the striped sets

Useful resources:

How is a user’s default group determined? How would you change it?
useradd -m -g initial_group username

-g/--gid: defines the group name or number of the user's initial login group. If specified, the group name must exist; if a group number is provided, it must refer to an already existing group.

If not specified, the behaviour of useradd will depend on the USERGROUPS_ENAB variable contained in /etc/login.defs. The default behaviour (USERGROUPS_ENAB yes) is to create a group with the same name as the username, with GID equal to UID.

Useful resources:

What is your best command line text editor for daily working and scripting? ***

To be completed.

Why would you want to mount servers in a rack?
  • Protecting Hardware
  • Proper Cooling
  • Organized Workspace
  • Better Power Management
  • Cleaner Environment

Useful resources:

Network Questions (23)
Draw me a simple network diagram: you have 20 systems, 1 router, 4 switches, 5 servers, and a small IP block. ***

To be completed.

What are the most important things to understand about the OSI (or any other) model?

The most important things to understand about the OSI (or any other) model are:

  • we can divide up the protocols into layers
  • layers provide encapsulation
  • layers provide abstraction
  • layers decouple functions from others

Useful resources:

What is the difference between a VLAN and a subnet? Do you need a VLAN to setup a subnet?

VLANs and subnets solve different problems. VLANs work at Layer 2, thereby altering broadcast domains (for instance). Whereas subnets are Layer 3 in the current context.

Subnet - is a range of IP addresses determined by part of an address (often called the network address) and a subnet mask (netmask). For example, if the netmask is 255.255.255.0 (or /24 for short), and the network address is 192.168.10.0, then that defines a range of IP addresses 192.168.10.0 through 192.168.10.255. Shorthand for writing that is 192.168.10.0/24.

VLAN - a good way to think of this is "switch partitioning." Let's say you have an 8 port switch that is VLAN-able. You can assign 4 ports to one VLAN (say VLAN 1) and 4 ports to another VLAN (say VLAN 2). VLAN 1 won't see any of VLAN 2's traffic and vice versa, logically, you now have two separate switches. Normally on a switch, if the switch hasn't seen a MAC address it will "flood" the traffic to all other ports. VLANs prevent this.

Subnet is nothing more than an IP address range of IP addresses that help hosts communicate over layer 2 and 3. Each subnet does not require its own VLAN. VLANs are implemented for isolation (are sandbox for layer two communication, no 2 systems of 2 different VLANs may communicate but it can be done through Inter VLAN routing), ease of management and security.

Useful resources:

List 5 common network ports you should know.
SERVICE PORT
SMTP 25
FTP 20 for data transfer and 21 for connection established
DNS 53
DHCP 67/UDP for DHCP server, 68/UDP for DHCP client
SSH 22

Useful resources:

What POP and IMAP are, and how to choose which of them you should implement?

POP and IMAP are both protocols for retrieving messages from a mail server to a mail client.

POP (Post Office Protocol) uses a one way push from mail server to client. By default this will send messages to the POP mail client and remove them from the mail server, though it is possible to configure the mail server to retain all messages. Any actions you take on the message in your mail client (labeling, deleting, moving to a folder) will not be reflected on the mail server, and thus inaccessible to other mail clients pulling from the mail server. POP uses little storage space on the mail server and can be seen as more secure since messages only exist on one mail client instead of the mail server and multiple clients.

IMAP (Internet Message Access Protocol) uses two way communication between mail server and client. Deleting or labeling a message in your mail client configured with IMAP will also delete or label the message on the mail server. IMAP allows for a similar experience when accessing mail across different clients or devices since messages can existing in the same state across multiple devices. IMAP can also save disk space on the mail client by selectively syncing messages, deleting older messages from the mail client since it can sync them from the mail server later as needed.

Choose IMAP if you need to access messages across multiple devices and you want to save disk space on your client device. Choose POP if you want to save disk space on your mail server, only access messages from one client device, and ensure that messages do not exist on multiple systems.

How to check default route and routing table?

Using the commands netstat -nr, route -n or ip route show we can see the default route and routing tables.

Useful resources:

What is the difference between 127.0.0.1 and localhost?

Well, the most likely difference is that you still have to do an actual lookup of localhost somewhere.

If you use 127.0.0.1, then (intelligent) software will just turn that directly into an IP address and use it. Some implementations of gethostbyname will detect the dotted format (and presumably the equivalent IPv6 format) and not do a lookup at all.

Otherwise, the name has to be resolved. And there's no guarantee that your hosts file will actually be used for that resolution (first, or at all) so localhost may become a totally different IP address.

By that I mean that, on some systems, a local hosts file can be bypassed. The host.conf file controls this on Linux (and many other Unices).

If you use a Unix domain socket it'll be slightly faster than using TCP/IP (because of the less overhead you have). Windows is using TCP/IP as a default, whereas Linux tries to use a Unix Domain Socket if you choose localhost and TCP/IP if you take 127.0.0.1.

Useful resources:

Which port is used for ping command?

ping uses ICMP, specifically ICMP echo request and ICMP echo reply packets. There is no 'port' associated with ICMP. Ports are associated with the two IP transport layer protocols, TCP and UDP. ICMP, TCP, and UDP are "siblings"; they are not based on each other, but are three separate protocols that run on top of IP.

ICMP packets are identified by the 'protocol' field in the IP datagram header. ICMP does not use either UDP or TCP communications services, it uses raw IP communications services. This means that the ICMP message is carried directly in an IP datagram data field. raw comes from how this is implemented in software, to create and send an ICMP message, one opens a raw socket, builds a buffer containing the ICMP message, and then writes the buffer containing the message to the raw socket.

The IP protocol value for ICMP is 1. The protocol field is part of the IP header and identifies what is in the data portion of the IP datagram.

However, you could use nmap to see whether ports are open or not:

nmap -p 80 example.com

Useful resources:

Server A can't talk to Server B. Describe possible reasons in a few steps.

To troubleshoot communication problems between servers, it is better to ideally follow the TCP/IP stack:

  1. Application Layer: are the services up and running on both servers? Are they correctly configured (eg. bind the correct IP and correct port)? Do application and system logs show meaningful errors?

  2. Transport Layer: are the ports used by the application open (try telnet!)? Is it possible to ping the server?

  3. Network Layer: is there a firewall on the network or on the OS correctly configured? Is the IP stack correctly configured (IP, routes, dns, etc.)? Are switches and routers working (check the ARP table!)?

  4. Physical Layer: are the servers connected to a network? Are packets being lost?

Why won’t the hostnames resolve on your server? Fix this issue. ***

To be completed.

How to resolve the domain name (using external dns) with CLI? Can IPs be resolved to domain names?

Examples for resolve IP address to domain name:

# with host command:
host domain.com 8.8.8.8

# with dig command:
dig @9.9.9.9 google.com

# with nslookup command:
nslookup domain.com 8.8.8.8

You can (sometimes) resolve an IP Address back to a hostname. IP Address can be stored against a PTR record. You can then do:

dig A <hostname>

To lookup the IPv4 address for a host, or:

dig AAAA <hostname>

To lookup the IPv6 address for a host, or:

dig PTR ZZZ.YYY.XXX.WWW.in-addr.arpa.

To lookup the hostname for IPv4 address WWW.XXX.YYY.ZZZ (note the octets are reversed), or:

dig PTR b.a.9.8.7.6.5.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa.

Useful resources:

How to test port connectivity with telnet or nc?
# with telnet command:
telnet code42.example.com 5432

# with nc (netcat) command:
nc -vz code42.example.com 5432
Why should you avoid telnet to administer a system remotely?

Modern operating systems have turned off all potentially insecure services by default. On the other hand, some vendors of network devices still allow to establish communication using the telnet protocol.

Telnet uses most insecure method for communication. It sends data across the network in plain text format and anybody can easily find out the password using the network tool.

In the case of Telnet, these include the passing of login credentials in plain text, which means anyone running a sniffer on your network can find the information he needs to take control of a device in a few seconds by eavesdropping on a Telnet login session.

Useful resources:

What is the difference between wget and curl?

The main differences are: wget's major strong side compared to curl is its ability to download recursively. wget is command line only. curl supports FTP, FTPS, HTTP, HTTPS, SCP, SFTP, TFTP, TELNET, DICT, LDAP, LDAPS, FILE, POP3, IMAP, SMTP, RTMP and RTSP.

Useful resources:

What is SSH and how does it work?

SSH stands for Secure Shell. It is a protocol that lets you drop from a server "A" into a shell session to a server "B". It allows you interact with your server "B".

An SSH connection to be established, the remote machine (server A) must be running a piece of software called an SSH daemon and the user's computer (server B) must have an SSH client.

The SSH daemon and SSH client listen for connections on a specific network port (default 22), authenticates connection requests, and spawns the appropriate environment if the user provides the correct credentials.

Useful resources:

Most tutorials suggest using SSH key authentication rather than password authentication. Why it is considered more secure?

An SSH key is an access credential in the SSH protocol. Its function is similar to that of user names and passwords, but the keys are primarily used for automated processes and for implementing single sign-on by system administrators and power users.

Instead of requiring a user's password, it is possible to confirm the client's identity by using asymmetric cryptography algorithms, with public and private keys.

If your SSH service only allows public-key authentication, an attacker needs a copy of a private key corresponding to a public key stored on the server.

If your SSH service allows password based authentication, then your Internet connected SSH server will be hammered day and night by bot-nets trying to guess user-names and passwords. The bot net needs no information, it can just try popular names and popular passwords. Apart from anything else this clogs your logs.

Useful resources:

What is a packet filter and how does it work?

Packet filtering is a firewall technique used to control network access by monitoring outgoing and incoming packets and allowing them to pass or halt based on the source and destination Internet Protocol (IP) addresses, protocols and ports.

Packet filtering is appropriate where there are modest security requirements. The internal (private) networks of many organizations are not highly segmented. Highly sophisticated firewalls are not necessary for isolating one part of the organization from another.

However it is prudent to provide some sort of protection of the production network from a lab or experimental network. A packet filtering device is a very appropriate measure for providing isolation of one subnet from another.

Operating at the network layer and transport layer of the TCP/IP protocol stack, every packet is examined as it enters the protocol stack. The network and transport headers are examined closely for the following information:

  • protocol (IP header, network layer) - in the IP header, byte 9 (remember the byte count begins with zero) identifies the protocol of the packet. Most filter devices have the capability to differentiate between TCP, UPD, and ICMP.
  • source address (IP header, network layer) - the source address is the 32-bit IP address of the host which created the packet.
  • destination address (IP header, network layer) - the destination address is the 32-bit IP address of the host the packet is destined for.
  • source port (TCP or UDP header, transport layer) - each end of a TCP or UDP network connection is bound to a port. TCP ports are separate and distinct from UDP ports. Ports numbered below 1024 are reserved – they have a specifically defined use. Ports numbered above 1024 (inclusive) are known as ephemeral ports. They can be used however a vendor chooses. For a list of "well known" ports, refer to RFP1700. The source port is a pseudo-randomly assigned ephemeral port number. Thus it is often not very useful to filter on the source port.
  • destination port (TCP or UDP header, transport layer) - the destination port number indicates a port that the packet is sent to. Each service on the destination host listens to a port. Some well-known ports that might be filtered are 20/TCP and 21/TCP - ftp connection/data, 23/TCP - telnet, 80/TCP - http, and 53/TCP - DNS zone transfers.
  • connection status (TCP header, transport layer) - the connection status tells whether the packet is the first packet of the network session. The ACK bit in the TCP header is set to “false” or 0 if this is the first packet in the session. It is simple to disallow a host from establishing a connection by rejecting or discarding any packets which have the ACK bit set to "false" or 0.

Useful resources:

What are the advantages of using a reverse proxy server?

Hide the topology and characteristics of your back-end servers

The reverse proxy server can hide the presence and characteristics of the origin server. It acts as an intermediate between internet cloud and web server. It is good for security reason especially when you are using web hosting services.

Allows transparent maintenance of backend servers

Changes you make to servers running behind a reverse proxy are going to be completely transparent to your end users.

Load Balancing

The reverse proxy will then enforce a load balancing algorithm like round robin, weighted round robin, least connections, weighted least connections, or random, to distribute the load among the servers in the cluster.

When a server goes down, the system will automatically failover to the next server up and users can continue with their secure file transfer activities.

SSL offloading/termination

Handles incoming HTTPS connections, decrypting the requests and passing unencrypted requests on to the web servers.

IP masking

Using a single ip but different URLs to route to different back end servers.

Useful resources:

What is the difference between a router and a gateway? What is the default gateway?

Router describes the general technical function (layer-3 forwarding) or a hardware device intended for that purpose, while gateway describes the function for the local segment (providing connectivity to elsewhere). You could also state that "you set up a router as gateway". Another term is hop which describes the forwarding in between subnets.

The term default gateway is used to mean the router on your LAN which has the responsibility of being the first point of contact for traffic to computers outside the LAN.

It's just a matter of perspective, the device is the same.

Useful resources:

Explain the function of each of the following DNS records: SOA, PTR, A, MX, and CNAME.

DNS records are basically mapping files that tell the DNS server which IP address each domain is associated with, and how to handle requests sent to each domain. Some DNS records syntax that are commonly used in nearly all DNS record configurations are A, AAAA, CNAME, MX, PTR, NS, SOA, SRV, TXT, and NAPTR.

  • SOA - A Start Of Authority
  • A - Address Mapping records
  • AAAA - IP Version 6 Address records
  • CNAME - Canonical Name records
  • MX - Mail exchanger record
  • NS - Name Server records
  • PTR - Reverse-lookup Pointer records

Useful resources:

Why couldn't MAC addresses be used instead of IPv4/6 for networking?

The OSI model explains why it doesn't make sense to make routing, a layer 3 concept, decisions based on a physical, layer 2, mechanism.

Modern networking is broken into many different layers to accomplish your end to end communication. Your network card (what is addressed by the mac address - physical address) needs to only be responsible for communicating with peers on it's physical network.

The communication that you are allowed to accomplish with your MAC address is going to be limited to other devices that reside within physical contact to your machine. On the internet, for example, you are not physically connected to each machine. That's why we make use of TCP/IP (a layer 3, logical address) mechanism when we need to communicate with a machine that we are not physically connected to.

IP is an arbitrary numbering scheme imposed in a hierarchical fashion on a group of computers to logically distinguish them as a group (that's what a subnet is). Sending messages between those groups is done by routing tables, themselves divided into multiple levels so that we don't have to keep track of every single subnet.

It's also pretty easy to relate this to another pair of systems. You have a State Issued ID Number, why would you need a mailing address if that ID number is already unique to just you? You need the mailing address because it's an arbitrary system that describes where the unique destination for communications to you should go.

On the other hand, the distribution of MAC addresses across the network is random and completely unrelated to topology. Routes grouping would be impossible, every router would need to keep track of routes for every single device that relays traffic trough it. That is what layer 2 switches do, and that does not scale well beyond a certain number of hosts.

Useful resources:

What is the smallest IPv4 subnet mask that can be applied to a network containing up to 30 devices?

Whether you have a standard /24 VLAN for end users, a /30 for point-to-point links, or something in between and subnet that must contain up to 30 devices works out to be a /27 - or a subnet mask of 255.255.255.224.

Useful resources:

What are some common HTTP status codes?
  • 1xx - Informational responses - communicates transfer protocol-level information
  • 2xx - Success - indicates that the client’s request was accepted successfully
  • 3xx - Redirection - indicates that the client must take some additional action in order to complete their request
  • 4xx - Client side error - this category of error status codes points the finger at clients
  • 5xx - Server side error - the server takes responsibility for these error status codes

Useful resources:

Devops Questions (5)
What is DevOps? Which is more important to the success of any DevOps community: how people communicate or the tools that you choose to deploy? ***

DevOps is a cohesive team that engages in both Development and Operations tasks, or it's individual Operations and Development teams that work very closely together. It's more of a "way" of working collaboratively with other departments to achieve common goals.

What is a version control? Are your commit messages good looking?

It is a system that records changes to a file or set of files over time so that you can recall specific versions later. Version control systems consist of a central shared repository where teammates can commit changes to a file or set of file. Then you can mention the uses of version control.

Version control allows you to:

  • revert files back to a previous state
  • revert the entire project back to a previous state
  • compare changes over time
  • see who last modified something that might be causing a problem
  • who introduced an issue and when

The seven rules of a great commit message:

  • separate subject from body with a blank line
  • limit the subject line to 50 characters
  • capitalize the subject line
  • do not end the subject line with a period
  • use the imperative mood in the subject line
  • wrap the body at 72 characters
  • use the body to explain what and why vs. how

Useful resources:

Explain some basic git commands.
  • git init - create a new local repository
  • git commit -m "message" - commit changes to head
  • git status - list the files you've added with git add and also commit any files you've changed since then
  • git push origin master - send changes to the master branch of your remote repository
Explain a simple Continuous Integration pipeline.
  • clone repository
  • deploy stage (QA)
  • testing environment (QA)
  • deploy stage (PROD)
Explain some basic docker commands.
  • docker ps - show running containers
  • docker ps -a - show all containers
  • docker images - show docker images
  • docker logs <container-id|container-name> - get logs from container
  • docker network ls - show all docker networks
  • docker volumes ls - show all docker volumes
  • docker exec -it <container-id|container-name> bash - execute bash in container with interactive shell
Cyber Security Questions (1)
What is a Security Misconfiguration?

Security misconfiguration is a vulnerability when a device/application/network is configured in a way which can be exploited by an attacker to take advantage of it. This can be as simple as leaving the default username/password unchanged or too simple for device accounts etc.

System Questions (60)
Tell me about your experience with the production environments? ***

To be completed.

Which distribution would you select for running a major web server? ***

To be completed.

Explain in a few points the boot process of the Linux system.

BIOS: Full form of BIOS is Basic Input or Output System that performs integrity checks and it will search and load and then it will execute the bootloader.

Bootloader: Since the earlier phases are not specific to the operating system, the BIOS-based boot process for x86 and x86-64 architectures is considered to start when the master boot record (MBR) code is executed in real mode and the first-stage boot loader is loaded. In UEFI systems, a payload, such as the Linux kernel, can be executed directly. Thus no boot loader is necessary. Some popular bootloaders: GRUB, Syslinux/Isolinux or Lilo.

Kernel: The kernel in Linux handles all operating system processes, such as memory management, task scheduling, I/O, interprocess communication, and overall system control. This is loaded in two stages - in the first stage, the kernel (as a compressed image file) is loaded into memory and decompressed, and a few fundamental functions such as basic memory management are set up.

Init: Is the parent of all processes on the system, it is executed by the kernel and is responsible for starting all other processes.

  • SysV init - init's job is "to get everything running the way it should be once the kernel is fully running. Essentially it establishes and operates the entire user space. This includes checking and mounting file systems, starting up necessary user services, and ultimately switching to a user-environment when system startup is completed.
  • systemd - the developers of systemd aimed to replace the Linux init system inherited from Unix System V. Like init, systemd is a daemon that manages other daemons. All daemons, including systemd, are background processes. Systemd is the first daemon to start (during booting) and the last daemon to terminate (during shutdown).
  • runinit - runinit is an init scheme for Unix-like operating systems that initializes, supervises, and ends processes throughout the operating system. It is a reimplementation of the daemontools process supervision toolkit that runs on the Linux, Mac OS X, *BSD, and Solaris operating systems.

Useful resources:

How and why Linux daemons drop privileges? Why some daemons need root permissions to start? Explain. ***

To be completed.

Why is a load of 1.00 not ideal on a single-core machine?

The problem with a load of 1.00 is that you have no headroom. In practice, many sysadmins will draw a line at 0.70.

The "Need to Look into it" Rule of Thumb: 0.70 If your load average is staying above > 0.70, it's time to investigate before things get worse.

The "Fix this now" Rule of Thumb: 1.00. If your load average stays above 1.00, find the problem and fix it now. Otherwise, you're going to get woken up in the middle of the night, and it's not going to be fun.

Rule of Thumb: 5.0. If your load average is above 5.00, you could be in serious trouble, your box is either hanging or slowing way down, and this will (inexplicably) happen in the worst possible time like in the middle of the night or when you're presenting at a conference. Don't let it get there.

Useful resources:

What does it mean when the effective user is root, but the real user ID is still your name?

The real user ID is who you really are (the user who owns the process), and the effective user ID is what the operating system looks at to make a decision whether or not you are allowed to do something (most of the time, there are some exceptions).

When you log in, the login shell sets both the real and effective user ID to the same value (your real user ID) as supplied by the password file.

If, for instance, you execute setuid, and besides running as another user (e.g. root) the setuid program is also supposed to do something on your behalf.

After executing setuid, it will have your real ID (since you're the process owner) and the effective user id of the file owner (for example root) since it is setuid.

Let's use the case of passwd:

-rwsr-xr-x 1 root root 45396 may 25  2012 /usr/bin/passwd

When user2 wants to change their password, they execute /usr/bin/passwd.

The RUID will be user2 but the EUID of that process will be root.

user2 can use only passwd to change their own password, because internally passwd checks the RUID and, if it is not root, its actions will be limited to real user's password.

It's necessary that the EUID becomes root in the case of passwd because the process needs to write to /etc/passwd and/or /etc/shadow.

Useful resources:

Developer added cron job which generate massive log files. How do you prevent them from getting so big?

Using logrotate is the usual way of dealing with logfiles. But instead of adding content to /etc/logrotate.conf you should add your own job to /etc/logrotate.d/, otherwise you would have to look at more diffs of configuration files during release upgrades.

If it's actively being written to you don't really have much you can do by way of truncate. Your only options are to truncate the file:

: >/var/log/massive-logfile

It's very helpful, because it's truncate the file without disrupting the processes.

Useful resources:

How the Linux kernel creates, manages and deletes the processes in the system? ***

To be completed.

Useful resources:

Explain the selected information you can see in top and htop. How to diagnose load, high user time and out-of-memory problems with these tools? ***

To be completed.

Useful resources:

How would you recognize a process that is hogging resources?

top works reasonably well, as long as you look at the right numbers.

  • M Sorts by current resident memory usage
  • T Sorts by total ( or cummulative) CPU usage
  • P Sorts by current CPU usage (this is the default refresh)
  • ? Displays a usage summary for all top commands

This is very important information to obtain when problem solving why a computer process is running slowly and making decisions on what processes to kill/software to uninstall.

Useful resources:

You need to upgrade ntpd service at 200 servers. What is the best way to go about upgrading all of these to the latest?

By using Infrastructure as a Code approach, there are multiple good ways:

  1. Configuration Synchronization Change Management Model:

There are Configuration Management Tools (Ansible, Chef, Puppet, Saltstack, ...), that can be used to automatically update ntpd service on all servers. To keep systems stable, system packages on servers are usually auto-updated with only security updates. Major or minor versions of packages are usually version locked in configuration definitions to prevent misconfiguration of the service. Change is then deployed by changing ntpd version in configuration definition.

With this approach, it is important to be careful when deploying changes into infrastructure massively. The pipeline of deployment should include Unit, Integration and System tests, and eventually be first deployed into Staging environment to prove configuration. If tests prove configuration correctness, deployment should be done by incremental rollout with ability to rollback in case of errors or failure.

  1. Immutable Servers Model:

In Immutable Server model, whole unit (server, container) is replaced by new updated image rather than making changes to running server (this eliminates configuration drift). With this approach you usually build server image with tools like Packer or Docker with Dockerfile. This image is then tested and deployed similarly as in option above (1.), but now using techniques such as Canary Release, which also has ability to incremental rollout and rollback.

Useful resources:

How to permanently set $PATH on Linux/Unix? Why is this variable so important? ***

To be completed.

When your server is booting up some errors appears on the console. How to examine boot messages and where are they stored?

Your console has two types of messages:

  • generated by the kernel (via printk)
  • generated by userspace (usually your init system)

Kernel messages are always stored in the kmsg buffer, visible via dmesg command. They're also often copied to your syslog. This also applies to userspace messages written to /dev/kmsg, but those are fairly rare.

Meanwhile, when userspace writes its fancy boot status text to /dev/console or /dev/tty1, it's not stored anywhere at all. It just goes to the screen and that's it.

dmesg is used to review boot messages contained in the kernel ring buffer. A ring buffer is a buffer of fixed size for which any new data added to it overwrites the oldest data in it.

It shows operations once the boot process has completed, such as command line options passed to the kernel; hardware components detected, events when a new USB device is added, or errors like NIC (Network Interface Card) failure and the drivers report no link activity detected on the network and so much more.

If system logging is done via the journal component you should use journalctl. It shows messages include kernel and boot messages; messages from syslog or various services.

Boot issues/errors calls for a system administrator to look into certain important files in conjunction with particular commands (handled differently by different versions of Linux):

  • /var/log/boot.log - system boot log, it contains all that unfolded during the system boot
  • /var/log/messages - stores global system messages, including the messages that are logged during system boot
  • /var/log/dmesg - contains kernel ring buffer information

Useful resources:

Swap usage too high. What are the reasons for this and how to resolve swapping problems?

Swap space is a restricted amount of physical memory that is allocated for use by the operating system when available memory has been fully utilized. It is memory management that involves swapping sections of memory to and from physical storage.

If the system needs more memory resources and the RAM is full, inactive pages in memory are moved to the swap space. While swap space can help machines with a small amount of RAM, it should not be considered a replacement for more RAM. Swap space is located on hard drives, which have a slower access time than physical memory.

Workload increases your RAM demand. You are running a workload that requires more memory. Usage of the entire swap indicates that. Also, changing swappiness to 1 might not be a wise decision. Setting swappiness to 1 does not indicate that swapping will not be done. It just indicates how aggressive kernel will be in respect of swapping, it does not eliminate swapping. Swapping will happen if needs to be done.

  • Increasing the size of the swap space - firstly, you'd have increased disk use. If your disks aren't fast enough to keep up, then your system might end up thrashing, and you'd experience slowdowns as data is swapped in and out of memory. This would result in a bottleneck.

  • Adding more RAM - the real solution is to add more memory. There's no substitute for RAM, and if you have enough memory, you'll swap less.

For monitoring swap space usage:

  • cat /proc/swaps - to see total and used swap size
  • grep SwapTotal /proc/meminfo - to show total swap space
  • free - to display the amount of free and used system memory (also swap)
  • vmstat - to check swapping statistics
  • top, htop- to check swap space usage
  • atop - to show is that your system is overcommitting memory
  • or use one-liner shell command to list all applications with how much swap space search is using in kilobytes:
for _fd in /proc/*/status ; do
  awk '/VmSwap|Name/{printf $2 " " $3}END{ print ""}' $_fd
done | sort -k 2 -n -r | less

Useful resources:

What is umask? How to set it permanently for a user?

On Linux and other Unix-like operating systems, new files are created with a default set of permissions. Specifically, a new file's permissions may be restricted in a specific way by applying a permissions "mask" called the umask. The umask command is used to set this mask, or to show you its current value.

Permanently change (set e.g. umask 02):

  • ~/.profile
  • ~/.bashrc
  • ~/.zshrc
  • ~/.cshrc

Useful resources:

Explain the differences among the following umask values: 000, 002, 022, 027, 077, and 277.
Umask File result Directory result
000 666 rw- rw- rw- 777 rwx rwx rwx
002 664 rw- rw- r-- 775 rwx rwx r-x
022 644 rw- r-- r-- 755 rwx r-x r-x
027 640 rw- r-- --- 750 rwx r-x ---
077 600 rw---- --- 700 rwx --- ---
277 400 r-- --- --- 500 r-x --- ---

Useful resources:

What is the difference between a symbolic link and a hard link?

Underneath the file system files are represented by inodes (or is it multiple inodes not sure)

  • a file in the file system is basically a link to an inode
  • a hard link then just creates another file with a link to the same underlying inode

When you delete a file it removes one link to the underlying inode. The inode is only deleted (or deletable/over-writable) when all links to the inode have been deleted.

  • a symbolic link is a link to another name in the file system

Once a hard link has been made the link is to the inode. deleting renaming or moving the original file will not affect the hard link as it links to the underlying inode. Any changes to the data on the inode is reflected in all files that refer to that inode.

Note: Hard links are only valid within the same file system. Symbolic links can span file systems as they are simply the name of another file.

Differences:

  • Hardlink cannot be created for directories. Hard link can only be created for a file
  • Softlink also termed a symbolic links or symlinks can link to a directory

Useful resources:

How does the sticky bit work? The SUID/GUID is the same?

This is probably one of my most irksome things that people mess up all the time. The SUID/GUID bit and the sticky-bit are 2 completely different things.

If you do a man chmod you can read about the SUID and sticky-bits.

SUID/GUID

What the above man page is trying to say is that the position that the x bit takes in the rwxrwxrwx for the user octal (1st group of rwx) and the group octal (2nd group of rwx) can take an additional state where the x becomes an s. When this occurs this file when executed (if it's a program and not just a shell script) will run with the permissions of the owner or the group of the file.

So if the file is owned by root and the SUID bit is turned on, the program will run as root. Even if you execute it as a regular user. The same thing applies to the GUID bit.

Examples:

no suid/guid - just the bits rwxr-xr-x are set.

ls -lt b.pl
-rwxr-xr-x 1 root root 179 Jan  9 01:01 b.pl

suid & user's executable bit enabled (lowercase s) - the bits rwsr-x-r-x are set.

chmod u+s b.pl
ls -lt b.pl
-rwsr-xr-x 1 root root 179 Jan  9 01:01 b.pl

suid enabled & executable bit disabled (uppercase S) - the bits rwSr-xr-x are set.

chmod u-x b.pl
ls -lt b.pl
-rwSr-xr-x 1 root root 179 Jan  9 01:01 b.pl

guid & group's executable bit enabled (lowercase s) - the bits rwxr-sr-x are set.

chmod g+s b.pl
ls -lt b.pl
-rwxr-sr-x 1 root root 179 Jan  9 01:01 b.pl

guid enabled & executable bit disabled (uppercase S) - the bits rwxr-Sr-x are set.

chmod g-x b.pl
ls -lt b.pl
-rwxr-Sr-x 1 root root 179 Jan  9 01:01 b.pl

sticky bit

The sticky bit on the other hand is denoted as t, such as with the /tmp directory:

ls -l /|grep tmp
drwxrwxrwt. 168 root root 28672 Jun 14 08:36 tmp

This bit should have always been called the restricted deletion bit given that's what it really connotes. When this mode bit is enabled, it makes a directory such that users can only delete files & directories within it that they are the owners of.

Useful resources:

What does LC_ALL=C before command do? In what cases it will be useful?

LC_ALL is the environment variable that overrides all the other localisation settings. This sets all LC_ type variables at once to a specified locale.

The main reason to set LC_ALL=C before command is that fine to simply get English output (general change the locale used by the command).

On the other hand, also important is to increase the speed of command execution with LC_ALL=C e.g. grep or fgrep. Using the LC_ALL=C locale increased our performance and brought command execution time down.

For example, if you set LC_ALL=en_US.utf8 your system opened multiple files from the /usr/lib/locale directory. For LC_ALL=C a minimum amount of open and read operations is performed.

If you want to restore all your normal (original) locale settings for the session:

LC_ALL=

If LC_ALL does not work, try using LANG (if that still does not work, try LANGUAGE):

LANG=C date +%A
Monday

Useful resources:

How to make high availability of web application? ***

To be completed.

You are configuring a new server. One of the steps is setting the permissions to the app directories. What steps will you take and what mistakes to avoid?

1) Main requirements - remember about this

  • which users have access to the app filesystem
  • permissions for web servers, e.g. Apache and app servers e.g. uwsgi
  • permissions for specific directories like a uploads, cache and main app directory like a /var/www/app01/html
  • correct umask value for users and suid/sgid (only for specific situations)
  • permissions for all future files and directories
  • permissions for cron jobs and scripts

2) Application directories

/var/www contains a directory for each website (isolation of the apps), e.g. /var/www/app01, /var/www/app02

mkdir /var/www/{app01,app02}

3) Application owner and group

Each application has a designated owner (e.g. u01-prod, u02-prod) and group (e.g. g01-prod, g02-prod) which are set as the owner of all files and directories in the website's directory:

chown -R u01-prod:g01-prod /var/www/app01
chown -R u02-prod:g02-prod /var/www/app02

4) Developers owner and group

All of the users that maintain the website have own groups and they're attach to application group:

id alice
uid=2000(alice) gid=4000(alice) groups=8000(g01-prod)
id bob
uid=2001(bob) gid=4001(bob) groups=8000(g01-prod),8001(g02-prod)

So alice user has standard privileges for /var/www/app01 and bob user has standard privileges for /var/www/app01 and /var/www/app02.

5) Web server owner and group

Any files or directories that need to be written by the webserver have their owner. If the web servers is Apache, default owner/group are apache:apache or www-data:www-data and for Nginx it will be nginx:nginx. Don't change these settings.

If applications works with app servers like a uwsgi or php-fpm should set the appropriate user and group (e.g. for app01 it will be u01-prod:g01-prod) in specific config files.

6) Permissions

Set properly permissions with Access Control Lists:

# For web server
setfacl -Rdm "g:apache:rwx" /var/www/app01
setfacl -Rm "g:apache:rwx" /var/www/app01

# For developers
setfacl -Rdm "g:g01-prod:rwx" /var/www/app01
setfacl -Rm "g:g01-prod:rwx" /var/www/app01

If you use SELinux remember about security context:

chcon -R system_u:object_r:httpd_sys_content_t /var/www/app01

7) Security mistakes

  • root owner for files and directories
  • root never executes any files in website directory, and shouldn't be creating files in there
  • to wide permissions like a 777 so some critical files may be world-writable and world-readable
  • avoid creating maintenance scripts or other critical files with suid root

If you allow your site to modify the files which form the code running your site, you make it much easier for someone to take over your server.

A file upload tool allows users to upload a file with any name and any contents. This allows a user to upload a mail relay PHP script to your site, which they can place wherever they want to turn your server into a machine to forward unsolicited commercial email. This script could also be used to read every email address out of your database, or other personal information.

If the malicious user can upload a file with any name but not control the contents, then they could easily upload a file which overwrites your index.php (or another critical file) and breaks your site.

Useful resources:

What steps will be taken by init when you run telinit 1 from run level 3? What will be the final result of this? If you use telinit 6 instead of reboot command your server will be restarted? ***

To be completed.

Useful resources:

I have forgotten the root password! What do I do in BSD? What is the purpose of booting into single user mode?

Restart the system, type boot -s at the Boot: prompt to enter single-user mode.

At the question about the shell to use, hit Enter which will display a # prompt.

Enter mount -urw / to remount the root file system read/write, then run mount -a to remount all the file systems.

Run passwd root to change the root password then run exit to continue booting.

Single user mode should basically let you log in with root access & change just about anything. For example, you might use single-user mode when you are restoring a damaged master database or a system database, or when you are changing server configuration options (e.g. password recovery).

Useful resources:

How could you modify a text file without invoking a text editor?

For example:

# cat  >filename ... - overwrite file
# cat >>filename ... - append to file
cat > filename << __EOF__
data
__EOF__
How to change the kernel parameters? What kernel options might you need to tune? ***

To set the kernel parameters in Unix-like, first edit the file /etc/sysctl.conf after making the changes save the file and run the command sysctl -p, this command will make the changes permanently without rebooting the machine.

Useful resources:

Explain the /proc filesystem.

/proc is a virtual file system that provides detailed information about kernel, hardware and running processes.

Since /proc contains virtual files, it is called virtual file system. These virtual files have unique qualities. Most of them are listed as zero bytes in size.

Virtual files such as /proc/interrupts, /proc/meminfo, /proc/mounts and /proc/partitions provide an up-to-the-moment glimpse of the system’s hardware. Others: /proc/filesystems file and the /proc/sys/ directory provide system configuration information and interfaces.

Useful resources:

Describe your data backup process. How often should you test your backups? ***

To be completed.

Explain three types of journaling in ext3/ext4.

There are three types of journaling available in ext3/ext4 file systems:

  • Journal - metadata and content are saved in the journal
  • Ordered - only metadata is saved in the journal. Metadata are journaled only after writing the content to disk. This is the default
  • Writeback - only metadata is saved in the journal. Metadata might be journaled either before or after the content is written to the disk
What is an inode? How to find file's inode number and how can you use it?

An inode is a data structure on a filesystem on Linux and other Unix-like operating systems that stores all the information about a file except its name and its actual data. A data structure is a way of storing data so that it can be used efficiently.

A Unix file is stored in two different parts of the disk - the data blocks and the inodes. I won't get into superblocks and other esoteric information. The data blocks contain the "contents" of the file. The information about the file is stored elsewhere - in the inode.

A file's inode number can easily be found by using the ls command, which by default lists the objects (i.e. files, links and directories) in the current directory (i.e. the directory in which the user is currently working), with its -i option. Thus, for example, the following will show the name of each object in the current directory together with its inode number:

ls -i

df's -i option instructs it to supply information about inodes on each filesystem rather than about available space. Specifically, it tells df to return for each mounted filesystem the total number of inodes, the number of free inodes, the number of used inodes and the percentage of inodes used. This option can be used together with the -h option as follows to make the output easier to read:

df -hi

Finding files by inodes

If you know the inode, you can find it using the find command:

find . -inum 435304 -print

Deleting files with strange names

Sometimes files are created with strange characters in the filename. The Unix file system will allow any character as part of a filename except for a null (ASCII 000) or a "/". Every other character is allowed.

Users can create files with characters that make it difficult to see the directory or file. They can create the directory ".. " with a space at the end, or create a file that has a backspace in the name, using:

touch `printf "aa\bb"`

Now what what happens when you use the ls command:

ls
aa?b
ls | grep 'a'
ab

Note that when ls sends the result to a terminal, it places a "?" in the filename to show an unprintable character.

You can get rid of this file by using rm -i * and it will prompt you before it deletes each file. But you can also use find to remove the file, once you know the inode number.

ls -i
435304 aa?b
find . -inum 435304 -delete

Useful resources:

ls -l shows file attributes as question marks. What this means and what steps will you take to remove unused "zombie" files?

This problem may be more difficult to solve because several steps may be required - sometimes you have get test/file: Permission denied, test/file: No such file or directory or test/file: Input/output error.

That happens when the user can't do a stat() on the files (which requires execute permissions), but can read the directory entries (which requires read access on the directory). So you get a list of files in the directory, but can't get any information on the files because they can't be read. If you have a directory which has read permission but not execute, you'll see this.

Some processes like a rsync generates temporary files that get created and dropped fast which will cause errors if you try to call other simple file management commands like rm, mv etc.

Example of output:

?????????? ? ?        ?               ?            ? sess_kee6fu9ag7tiph2jae
  1. change permissions: chmod 0777 sess_kee6fu9ag7tiph2jae and try remove
  2. change owner: chown root:root sess_kee6fu9ag7tiph2jae and try remove
  3. change permissions and owner for directory: chmod -R 0777 dir/ && chown -R root:root dir/ and try remove
  4. recreate file: touch sess_kee6fu9ag7tiph2jae and try remove
  5. watch out for other running processes on the server for example rsync, sometimes you can see this as a transient error when an NFS server is heavily overloaded
  6. find file inode: ls -i, and try remove: find . -inum <inode_num> -delete
  7. remount (if possible) your filesystem
  8. boot system into single-user mode and repair your filesystem with fsck

Useful resources:

To LVM or not to LVM. What benefits does it provide?
  • LVM makes it quite easy to move file systems around
  • you can extend a volume group onto a new physical volume
  • move any number of logical volumes of an old physical one
  • remove that volume from the volume group without needing to unmount any partitions
  • you can also make snapshots of logical volumes for making backups
  • LVM has built in mirroring support so you can have a logical volume mirrored across multiple physical volumes
  • LVM even supports TRIM

Useful resources:

How to increase the size of LVM partition?

Use the lvextend command for resize LVM partition.

  • extending the size by 500MB:
lvextend -L +500M /dev/vgroup/lvolume
  • extending all available free space:
lvextend -l +100%FREE /dev/vgroup/lvolume

and resize2fs or xfs_growfs to resize filesystem:

  • for ext filesystems:
resize2fs /dev/vgroup/lvolume
  • for xfs filesystem:
xfs_growfs mountpoint_for_/dev/vgroup/lvolume

Useful resources:

What is a zombie/defunct process?

Is a process that has completed execution (via the exit system call) but still has an entry in the process table: it is a process in the "Terminated state".

Processes marked defunct are dead processes (so-called "zombies") that remain because their parent has not destroyed them properly. These processes will be destroyed by init if the parent process exits.

Useful resources:

What is the proper way to upgrade/update a system in production? Do you automate these processes? Do you set downtime for them? Write recommendations. ***

To be completed.

Your friend during configuration of the MySQL server asked you: Should I run sudo mysql_secure_installation after installing mysql? What do you think about it?

It would be better if you run command as it provides many security options like:

  • You can set a password for root accounts
  • You can remove root accounts that are accessible from outside the local host
  • You can remove anonymous-user accounts
  • You can remove the test database, which by default can be accessed by anonymous users

Useful resources:

Present and explain the good ways of using the kill command.

Speaking of killing processes never use kill -9/SIGKILL unless absolutely mandatory. This kill can cause problems because of its brute force.

Always try to use the following simple procedure:

  • first, send SIGTERM (kill -15) signal first which tells the process to shutdown and is generally accepted as the signal to use when shutting down cleanly (but remember that this signal can be ignored).
  • next try to send SIGHUP (kill -1) signal which is commonly used to tell a process to shutdown and restart, this signal can also be caught and ignored by a process.

The far majority of the time, this is all you need - and is much cleaner.

Useful resources:

What is strace command and how should be used? Explain example of connect to an already running process.

strace is a powerful command line tool for debugging and troubleshooting programs in Unix-like operating systems such as Linux. It captures and records all system calls made by a process and the signals received by the process.

Strace Overview

strace can be seen as a light weight debugger. It allows a programmer/user to quickly find out how a program is interacting with the OS. It does this by monitoring system calls and signals.

Uses

Good for when you don't have source code or don't want to be bothered to really go through it. Also, useful for your own code if you don't feel like opening up GDB, but are just interested in understanding external interaction.

Example of attach to the process

strace -p <PID> - to attach a process to strace.

strace -e trace=read,write -p <PID> - by this you can also trace a process/program for an event, like read and write (in this example). So here it will print all such events that include read and write system calls by the process.

Other such examples

  • -e trace=network - trace all the network related system calls.
  • -e trace=signal - trace all signal related system calls.
  • -e trace=ipc - trace all IPC related system calls.
  • -e trace=desc - trace all file descriptor related system calls.
  • -e trace=memory - trace all memory mapping related system calls.

Useful resources:

When would you use access control lists instead of or in conjunction with the chmod command? ***

To be completed.

Which algorithms are supported in /etc/shadow file?

Typical current algorithms are:

  • MD5
  • SHA-1 (also called SHA)

both should not be used for cryptographic/security purposes any more!!

  • SHA-256
  • SHA-512
  • SHA-3 (KECCAK was announced the winner in the competition for a new federal approved hash algorithm in October 2012)

Useful resources:

What is the use of ulimit in Unix-like systems?

Most Unix-like operating systems, including Linux and BSD, provide ways to limit and control the usage of system resources such as threads, files, and network connections on a per-process and per-user basis. These "ulimits" prevent single users from using too many system resources.

What are soft limits and hard limits?

Hard limit is the maximum allowed to a user, set by the superuser or root. This value is set in the file /etc/security/limits.conf. The user can increase the soft limit on their own in times of needing more resources, but cannot set the soft limit higher than the hard limit.

During configuration HAProxy to working with Redis you get General socket error (Permission denied) from log. SELinux is enable. Explain basic SELinux troubleshooting in CLI. ***

Useful resources:

You have configured an RSA key login but your server show Server refused our key as expected. Where will you look for the cause of the problem?

Server side

Setting LogLevel VERBOSE in file /etc/ssh/sshd_config is probably what you need, although there are higher levels:

SSH auth failures are logged in /var/log/auth.log, /var/log/secure or /var/log/audit/audit.log.

The following should give you only ssh related log lines (for example):

grep 'sshd' /var/log/auth.log

Next, the most simple command to list all failed SSH logins is the one shown below:

grep "Failed password" /var/log/auth.log

also useful is:

grep "Failed\|Failure" /var/log/auth.log

On newer Linux distributions you can query the runtime log file maintained by Systemd daemon via journalctl command (ssh.service or sshd.service). For example:

journalctl _SYSTEMD_UNIT=ssh.service | egrep "Failed|Failure"

Client side

Also you should run SSH client with -v|--verbose - it is in first level of verbosity. Next, you can enable additional (level 2 and 3) verbosity for even more debugging messages as shown with e.g. -vv.

Useful resources:

Why do most distros use ext4, as opposed to XFS or other filesystems? Why are there so many of them? ***

To be completed.

A project manager needs a new SQL Server. What do you ask her/his? ***

I want the DBA to ask questions like:

  • How big will the database be? (whether we can add the database to an existing server)
  • How critical is the database? (about clustering, disaster recovery, high availability)
Create a file with 100 lines with random values.

For example:

cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 32 | head -n 100 > /path/to/file
How to run script as another user without password?

For example (with visudo command):

user1 ALL=(user2) NOPASSWD: /opt/scripts/bin/generate.sh

The command paths must be absolute! Then call sudo -u user2 /opt/scripts/bin/generate.sh from a user1 shell.

How to check if running as root in a bash script? What should you watch out for?

In a bash script, you have several ways to check if the running user is root.

As a warning, do not check if a user is root by using the root username. Nothing guarantees that the user with ID 0 is called root. It's a very strong convention that is broadly followed but anybody could rename the superuser another name.

I think the best way when using bash is to use $EUID because $UID could be changed and not reflect the real user running the script.

if (( $EUID != 0 )); then
  echo "Please run as root"
  exit
fi
Can you give a particular example when is indicated to use nobody account? Tell me the differences running httpd service as a nobody and www-data accounts.

In many Unix variants, nobody is the conventional name of a user account which owns no files, is in no privileged groups, and has no abilities except those which every other user has.

It is common to run daemons as nobody, especially servers, in order to limit the damage that could be done by a malicious user who gained control of them.

However, the usefulness of this technique is reduced if more than one daemon is run like this, because then gaining control of one daemon would provide control of them all. The reason is that nobody-owned processes have the ability to send signals to each other and even debug each other, allowing them to read or even modify each other's memory.

When should I use nobody account?

When permissions aren't required for a program's operations. This is most notable when there isn't ever going to be any disk activity.

A real world example of this is memcached (a key-value in-memory cache/database/thing), sitting on my computer and my server running under the nobody account. Why? Because it just doesn't need any permissions and to give it an account that did have write access to files would just be a needless risk.

A good example are also web servers. Imagine if Apache ran as root and someone found a way to send custom commands to the console through Apache would have access to your entire system.

nobody account also is used as a restricted shell for giving users filesystem access without an actual shell like bash. This should prevent them from being able to execute things.

nobody or www-data for httpd (Apache)

Upon starting Apache needs root access, but it quickly drops this and assumes the identity of a non privileged user. This user can either be nobody or apache, or www-data.

Several applications use the user nobody as a default. For example you probably never really want say the Apache service to be overwriting files that belong to bind. Having a per-service account tends to be a very good idea.

Getting Apache to run as nobody:nobody is pretty easy, just update the user and group settings. But as I mentioned above I don't really recommend that particular user/group. It is entirely possible that you may be tempted to add a service to the system at some time in the future that also runs as nobody, and you will forget that have given write access on the filesystem to the user nobody.

If somehow, nobody were to become compromised they could potentially have more impact than if an application isolate user, such as www-data. Of course a lot of this will depend on the file and group permissions. nobody uses the permissions of others, while an application specific user could be configured to allow file read access, but other could still be denied.

Useful resources:

Is there a way to redirect output to a file and have it display on stdout?

The command you want is named tee:

foo | tee output.file

For example, if you only care about stdout:

ls -a | tee output.file

If you want to include stderr, do:

program [arguments...] 2>&1 | tee outfile

2>&1 redirects channel 2 (stderr/standard error) into channel 1 (stdout/standard output), such that both is written as stdout. It is also directed to the given output file as of the tee command.

Furthermore, if you want to append to the log file, use tee -a as:

program [arguments...] 2>&1 | tee -a outfile

What is the preferred bash shebang and why? What is the difference between executing a file using ./script or bash script?

You should use #!/usr/bin/env bash for portability: different *nixes put bash in different places, and using /usr/bin/env is a workaround to run the first bash found on the PATH.

Running ./script does exactly that, and requires execute permission on the file, but is agnostic to what type of a program it is. It might be a bash script, an sh script, or a Perl, Python, awk, or expect script, or an actual binary executable. Running bash script would force it to be run under sh, instead of anything else.

Useful resources:

You must run command that will be performed for a very long time. How to prevent killing this process after the ssh session drops?

Use nohup to make your process ignore the hangup signal:

nohup long-running-process &
exit

or you want to be using GNU Screen:

screen -d -m long-running-process
exit

Useful resources:

What is the main purpose of the intermediate certification authorities?

To find out the main purpose of an intermediate CA, you should first learn about Root CAs, Intermediate CAs, and the SSL Certificate Chain Trust.

Root CAs are primary CAs which typically don’t directly sign end entity/server certificates. They issue Root certificates which are usually pre-installed within all browsers, mobiles, and applications. The private key of these certificates is used to sign other subsequent certificates called intermediate certificates. Root CAs are usually kept "offline” and in a highly secure environment with stringently limited access.

Intermediates CAs are CAs that subordinate to the Root CA by one or more levels, being trusted by these to sign certificates on their behalf. The purpose of creating and using Intermediate CAs is primarily for security because if the intermediate private key is compromised, then the Root CA can revoke the intermediate certificate and create a new one with a new cryptographic key pair.

SSL Certificate Chain Trust is the list of SSL certificates, from the root certificate to the end entity/server certificate. For an SSL Certificate to be trusted, it must be issued by a trusted CAs which is included in the trusted CA list of the connecting device (browser, mobile, and application). Therefore, the connecting device will test the trustworthiness of each SSL Certificate in the Chain Trust until it matches the one issued by a trusted CA.

The Root-Intermediate CA structure is created by each major CA to protect against the disastrous effects of a root key compromise. If a root key is compromised, it would render the root and all subordinated certificates untrustworthy. For this reason, creating an Intermediate CA is a best practice to ensure a rigorous protection of the primary root key.

Useful resources:

How to reload PostgreSQL after configuration changes?

Solution 1:

systemctl reload postgresql

Solution 2:

su - postgres
/usr/bin/pg_ctl reload

Solution 3:

SELECT pg_reload_conf();
You have added several aliases to .profile. How to reload shell without exit?

The best way is exec $SHELL -l because exec replaces the current process with a new one. Also good (but other) solution is . ~/.profile.

Useful resources:

How to exit without saving shell history?
kill -9 $$

or

unset HISTFILE && exit

Useful resources:

What is this UID 0 toor account? Have I been compromised?

toor is an alternative superuser account, where toor is root spelled backwards. It is intended to be used with a non-standard shell so the default shell for root does not need to change.

This is important as shells which are not part of the base distribution, but are instead installed from ports or packages, are installed in /usr/local/bin which, by default, resides on a different file system. If root's shell is located in /usr/local/bin and the file system containing /usr/local/bin) is not mounted, root will not be able to log in to fix a problem and will have to reboot into single-user mode in order to enter the path to a shell.

Some people use toor for day-to-day root tasks with a non-standard shell, leaving root, with a standard shell, for single-user mode or emergencies. By default, a user cannot log in using toor as it does not have a password, so log in as root and set a password for toor before using it to login.

Useful resources:

Is there an easy way to search inside 1000s of files in a complex directory structure to find files which contain a specific string?

For example use fgrep:

fgrep * -R "string"

or:

grep -insr "pattern" *
  • -i ignore case distinctions in both the PATTERN and the input files
  • -n prefix each line of output with the 1-based line number within its input file
  • -s suppress error messages about nonexistent or unreadable files.
  • -r read all files under each directory, recursively.

Useful resources:

How to find out the dynamic libraries executables loads when run?

You can do this with ldd command:

ldd /bin/ls
You have the task of sync the testing and production environments. What steps will you take?

It's easy to get dragged down into bikeshedding about cloning environments and miss the real point:

  • only production is production

and every time you deploy there you are testing a unique combination of deploy code + software + environment.

Every once in a while a good solution is regular cloning of the production servers to create testing servers. You can create instances with an exact copy of your production environment under a dev/test with snapshots, for example:

  • generate a snapshot of production
  • copy the snapshot to staging (or other)
  • create a new disk using this snapshot

Sure, you can spin up clones of various system components or entire systems, and capture real traffic to replay offline (the gold standard of systems testing). But many systems are too big, complex, and cost-prohibitive to clone.

Before environment synchronization a good way is keeping track of every change that you make to the testing environment and provide a way for propagating this to the production environment, so that you do not skip any step and do it as smoothly as possible.

Also structure comparison tool or deploy scripts that update the testing environment from production environment is a good solution.

Presync tasks

First of all is informing developers and clients about not making changes on the test environment (if possible, disabling test domains that target this environment or set static pages with information about synchronization).

It is also important to make backup/snapshots of both environments.

Database servers

  • sync/update system version (e.g. packages)
  • create dump file from database on production db server
  • import dump file on testing db server
  • if necessary, syncs login permissions, roles, database permissions, open connections to the database and other

Web/App servers

  • sync/update system version (e.g. packages)
  • if necessary, updated kernel parameters, firewall rules and other
  • sync/update configuration files of all running/important services
  • sync/update user accounts (e.g. permissions) and their home directories
  • deploy project from git/svn repository
  • sync/update important directories existing in project, e.g. static, asset and other
  • sync/update permissions for project directory
  • remove/update all webhooks
  • update cron jobs

Others tasks

  • updated configurations of load balancers for testing domains and specific urls
  • updated configurations of queues, session and storage instances

Useful resources:

Network Questions (24)
Configure a virtual interface on your workstation. ***

To be completed.

According to an HTTP monitor, a website is down. You're able to telnet to the port, so how do you resolve it?

If you can telnet to the port, this means that the service listening on the port is running and you can connect to it (it's not a networking problem). It is good to check this way for the IP address to which the domain is resolved and using the same domain to test connection.

First of all check if your site is online from a other location. It then lets you know if the site is down everywhere, or if only your network is unable to view it. It is also a good idea to check what the web browser returns.

If only IP connection working

  • you can use whois to see what DNS servers serve up the hostname to the site: whois www.example.com
  • you can use tools like dig or host to test DNS to see if the host name is resolving: host www.example.org dns.example.org
  • you can also check global public dns servers: host www.example.com 9.9.9.9

If domain not resolved it's probably problem with DNS servers.

If domain resolved properly

  • investigate the log files and resolve the issue regarding to the logs, it's the best way to show what's wrong
  • check the http status code, usually it will be the response with the 5xx, maybe server is overload because clients making lot's of connection to the website or specific url? maybe your caching rules not working properly?
  • check web/proxy server configuration (e.g. nginx -t -c </path/to/nginx.conf>), maybe another sysadmin has made some changes to the domain configuration?
  • maybe something on the server has crashed? maybe run out of space or run out of memory?
  • maybe it's a programming error on the website?
Load balancing can dramatically impact server performance. Discuss several load balancing mechanisms. ***

To be completed.

List examples of network troubleshooting tools that can degrade during DNS issues. ***

To be completed.

Explain difference between HTTP 1.1 and HTTP 2.0.

HTTP/2 supports queries multiplexing, headers compression, priority and more intelligent packet streaming management. This results in reduced latency and accelerates content download on modern web pages.

Key differences with HTTP/1.1:

  • it is binary, instead of textual
  • fully multiplexed, instead of ordered and blocking
  • can therefore use one connection for parallelism
  • uses header compression to reduce overhead
  • allows servers to "push" responses proactively into client caches

Useful resources:

Dev team reports an error: POST http://ws.int/api/v1/Submit/ resulted in a 413 Request Entity Too Large. What's wrong?

Modify NGINX configuration file for domain

Set correct client_max_body_size variable value:

client_max_body_size 20M;

Restart Nginx to apply the changes.

Modify php.ini file for upload limits

It’s not needed on all configurations, but you may also have to modify the PHP upload settings as well to ensure that nothing is going out of limit by php configurations.

Now find following directives one by one:

upload_max_filesize
post_max_size

and increase its limit to 20M, by default they are 8M and 2M:

upload_max_filesize = 20M
post_max_size = 20M

Finally save it and restart PHP.

Useful resources:

What is handshake mechanism and why do we need 3 way handshake?

Handshaking begins when one device sends a message to another device indicating that it wants to establish a communications channel. The two devices then send several messages back and forth that enable them to agree on a communications protocol.

A three-way handshake is a method used in a TCP/IP network to create a connection between a local host/client and server. It is a three-step method that requires both the client and server to exchange SYN and ACK (SYN, SYN-ACK, ACK) packets before actual data communication begins.

Useful resources:

Why is UDP faster than TCP?

UDP is faster than TCP, and the simple reason is because its nonexistent acknowledge packet (ACK) that permits a continuous packet stream, instead of TCP that acknowledges a set of packets, calculated by using the TCP window size and round-trip time (RTT).

Useful resources:

Which, in your opinion, are the 5 most important OpenSSH parameters that improve the security? ***

To be completed.

Useful resources:

What is NAT? What is it used for?

It enables private IP networks that use unregistered IP addresses to connect to the Internet. NAT operates on a router, usually connecting two networks together, and translates the private (not globally unique) addresses in the internal network into legal addresses, before packets are forwarded to another network.

Workstations or other computers requiring special access outside the network can be assigned specific external IPs using NAT, allowing them to communicate with computers and applications that require a unique public IP address. NAT is also a very important aspect of firewall security.

Useful resources:

What is the purpose of Spanning Tree?

This protocol operates at layer 2 of the OSI model with the purpose of preventing loops on the network. Without STP, a redundant switch deployment would create broadcast storms that cripple even the most robust networks. There are several iterations based on the original IEEE 802.1D standard; each operates slightly different than the others while largely accomplishing the same loop-free goal.

How to check which ports are listening on my Linux Server?

Use the:

  • lsof -i
  • ss -l
  • netstat -atn - for tcp
  • netstat -aun - for udp
  • netstat -tulapn
What mean Host key verification failed when you connect to the remote host? Do you accept it automatically?

Host key verification failed means that the host key of the remote host was changed. This can easily happen when connecting to a computer who's host keys in /etc/ssh have changed if that computer was upgraded without copying its old host keys. The host keys here are proof when you reconnect to a remote computer with ssh that you are talking to the same computer you connected to the first time you accessed it.

Whenever you connect to a server via SSH, that server's public key is stored in your home directory (or possibly in your local account settings if using a Mac or Windows desktop) file called known_hosts. When you reconnect to the same server, the SSH connection will verify the current public key matches the one you have saved in your known_hosts file. If the server's key has changed since the last time you connected to it, you will receive the above error.

Don't delete the entire known_hosts file as recommended by some people, this totally voids the point of the warning. It's a security feature to warn you that a man in the middle attack may have happened.

Before accepting the new host key, contact your/other system administrator for verification.

Useful resources:

How to send an HTTP request using telnet?

For example:

telnet example.com 80
Trying 192.168.252.10...
Connected to example.com.
Escape character is '^]'.
GET /questions HTTP/1.0
Host: example.com

HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
...
How do you kill program using e.g. 80 port in Linux?

To list any process listening to the port 80:

# with lsof
lsof -i:80

# with fuser
fuser 80/tcp

To kill any process listening to the port 80:

kill $(lsof -t -i:80)

or more violently:

kill -9 $(lsof -t -i:80)

or with fuser command:

fuser -k 80/tcp

Useful resources:

You get curl: (56) TCP connection reset by peer. What steps will you take to solve this problem?
  • check if the URL is correct, maybe you should add www or set correctly Host: header? Check also scheme (http or https)
  • check the domain is resolving into a correct IP address
  • enable debug tracing with --trace-ascii curl.dump. Recv failure is a really generic error so its hard for more info
  • use external proxy with --proxy for debug connection from external ip
  • use network sniffer (e.g. tcpdump) for debug connection in the lower TCP/IP layers
  • check firewall rules on the production environment and on the exit point of your network, also check your NAT rules
  • check MTU size of packets traveling over your network
  • check SSL version with ssl/tls curl params if you connecting to https protocol
  • it may be a problem on the client side e.g. the netfilter drop or limit connections from your IP address to the domain

Useful resources:

How to allow traffic to/from specific IP with iptables?

For example:

/sbin/iptables -A INPUT -p tcp -s XXX.XXX.XXX.XXX -j ACCEPT
/sbin/iptables -A OUTPUT -p tcp -d  XXX.XXX.XXX.XXX -j ACCEPT
How to block abusive IP addresses with pf in OpenBSD?

The best way to do this is to define a table and create a rule to block the hosts, in pf.conf:

table <badhosts> persist
block on fxp0 from <badhosts> to any

And then dynamically add/delete IP addresses from it:

pfctl -t badhosts -T add 1.2.3.4
pfctl -t badhosts -T delete 1.2.3.4
When does the web server like Apache or Nginx write info to log file? Before or after serving the request?

Both servers provides very comprehensive and flexible logging capabilities - for logging everything that happens on your server, from the initial request, through the URL mapping process, to the final resolution of the connection, including any errors that may have occurred in the process.

Apache

The Apache server access log records all requests processed by the server (after the request has been completed).

Nginx

NGINX writes information about client requests in the access log right after the request is processed.

Useful resources:

Analyse web server log and show only 5xx http codes. What external tools do you use?
tail -n 100 -f /path/to/logfile | grep "HTTP/[1-2].[0-1]\" [5]"

Examples of http/https log management tools:

  • goaccess - is an open source real-time web log analyzer and interactive viewer that runs in a terminal in *nix systems or through your browser
  • graylog - is a free and open-source log management platform that supports in-depth log collection and analysis

Useful resources:

Developer uses private key on the server to deploy app through ssh. Why it is incorrect behavior and what is the better (but not ideal) solution in such situations?

You have the private key for your personal account. The server needs your public key so that it can verify that your private key for the account you are trying to use is authorized.

The whole point with private keys is that they are private, meaning only you have your private key. If someone takes over your private key, it will be able to impersonate you any time he wants.

A better solutions is the use of ssh key forwarding. An essence, you need to create a ~/.ssh/config file, if it doesn't exist. Then, add the hosts (either domain name or IP address in the file and set ForwardAgent yes). Example:

Host git.example.com
    User john
    PreferredAuthentications publickey
    IdentityFile ~/.ssh/id_rsa.git.example.com
    ForwardAgent yes

Your remote server must allow SSH agent forwarding on inbound connections and your local ssh-agent must be running.

Forwarding an ssh agent carries its own security risk. If someone on the remote machine can gain access to your forwarded ssh agent connection, they can still make use of your keys. However, this is better than storing keys on remote machines: the attacker can only use the ssh agent connection, not the key itself. Thus, only while you're logged into the remote machine can they do anything. If you store the key on the remote machine, they can make a copy of it and use it whenever they want.

If you use ssh keys remember about passphrases which is strongly recommended to reduce risk of keys accidentally leaking.

Useful resources:

What is the difference between CORS and CSPs?

CORS allows the Same Origin Policy to be relaxed for a domain.

e.g. normally if the user logs into both example.com and example.org, the Same Origin Policy prevents example.com from making an AJAX request to example.org/current_user/full_user_details and gaining access to the response.

This is the default policy of the web and prevents the user's data from being leaked when logged into multiple sites at the same time.

Now with CORS, example.org could set a policy to say it will allow the origin https://example.com to read responses made by AJAX. This would be done if both example.com and example.org are ran by the same company and data sharing between the origins is to be allowed in the user's browser. It only affects the client-side of things, not the server-side.

CSPs on the other hand set a policy of what content can run on the current site. For example, if JavaScript can be executed inline, or which domains .js files can be loaded from. This can be beneficial to act as another line of defense against XSS attacks, where the attacker will try and inject script into the HTML page. Normally output would be encoded, however say the developer had forgotten only on one output field. Because the policy is preventing in-line script from executing, the attack is thwarted.

Useful resources:

Explain four types of responses from firewall when scanning with nmap.

There might be four types of responses:

  • Open port - few ports in the case of the firewall
  • Closed port - most ports are closed because of the firewall
  • Filtered - nmap is not sure whether the port is open or not
  • Unfiltered - nmap can access the port but is still confused about the open status of the port

Useful resources:

What does a tcpdump do? How to capture only incoming traffic to your interface?

tcpdump is a most powerful and widely used command-line packets sniffer or package analyzer tool which is used to capture or filter TCP/IP packets that received or transferred over a network on a specific interface.

tcpdump puts your network card into promiscuous mode, which basically tells it to accept every packet it receives. It allows the user to see all traffic being passed over the network. Wireshark uses pcap to capture packets.

If you want to view only packets that come to your interface you should:

  • -Q in - for Linux tcpdump version
  • -D in - for BSD tcpdump version

Both params set send/receive direction direction for which packets should be captured.

tcpdump -nei eth0 -Q in host 192.168.252.125 and port 8080
Devops Questions (7)
Which are the top DevOps tools? Which tools have you worked on?

The most popular DevOps tools are mentioned below:

  • Git : Version Control System tool
  • Jenkins : Continuous Integration tool
  • Selenium : Continuous Testing tool
  • Puppet, Chef, Ansible : Configuration Management and Deployment tools
  • Nagios : Continuous Monitoring tool
  • Docker : Containerization tool
How do all these tools work together?

The most popular DevOps tools are mentioned below:

  • Developers develop the code and this source code is managed by Version Control System tools like Git etc.
  • Developers send this code to the Git repository and any changes made in the code is committed to this Repository
  • Jenkins pulls this code from the repository using the Git plugin and build it using tools like Ant or Maven
  • Configuration management tools like puppet deploys & provisions testing environment and then Jenkins releases this code on the test environment on which testing is done using tools like selenium
  • Once the code is tested, Jenkins send it for deployment on the production server (even production server is provisioned & maintained by tools like puppet)
  • After deployment It is continuously monitored by tools like Nagios
  • Docker containers provides testing environment to test the build features
What are playbooks in Ansible?

Playbooks are Ansible’s configuration, deployment, and orchestration language.

They can describe a policy you want your remote systems to enforce, or a set of steps in a general IT process. Playbooks are designed to be human-readable and are developed in a basic text language.

At a basic level, playbooks can be used to manage configurations of and deployments to remote machines.

What is NRPE (Nagios Remote Plugin Executor) in Nagios?

The NRPE addon is designed to allow you to execute Nagios plugins on remote Linux/Unix machines. The main reason for doing this is to allow Nagios to monitor "local" resources (like CPU load, memory usage, etc.) on remote machines.

Since these public resources are not usually exposed to external machines, an agent like NRPE must be installed on the remote Linux/Unix machines.

What is the difference between Active and Passive check in Nagios?

The major difference between Active and Passive checks is that Active checks are initiated and performed by Nagios, while passive checks are performed by external applications.

Passive checks are useful for monitoring services that are:

  • asynchronous in nature and cannot be monitored effectively by polling their status on a regularly scheduled basis.
  • located behind a firewall and cannot be checked actively from the monitoring host.

The main features of Actives checks are as follows:

  • active checks are initiated by the Nagios process.
  • active checks are run on a regularly scheduled basis.
How to git clone including submodules?

For example:

# With -j8 - performance optimization
git clone --recurse-submodules -j8 git://github.com/foo/bar.git

# For already cloned repos or older Git versions
git clone git://github.com/foo/bar.git
cd bar
git submodule update --init --recursive
Mention what are the advantages of using Redis? What is redis-cli?
  • it provides high speed (exceptionally faster than others)
  • it supports a server-side locking
  • it has got lots of client lib
  • it has got command level Atomic Operation (tx operation)
  • supports for rich data types like hashes, sets, bitmaps

redis-cli is the Redis command line interface, a simple program that allows to send commands to Redis, and read the replies sent by the server, directly from the terminal.

Useful resources:

Cyber Security Questions (4)
What is XSS, how will you mitigate it?

Cross Site Scripting is a JavaScript vulnerability in the web applications. The easiest way to explain this is a case when a user enters a script in the client side input fields and that input gets processed without getting validated. This leads to untrusted data getting saved and executed on the client side.

Countermeasures of XSS are input validation, implementing a CSP (Content security policy) and other.

HIDS vs NIDS and which one is better and why?

HIDS is host intrusion detection system and NIDS is network intrusion detection system. Both the systems work on the similar lines. It’s just that the placement in different. HIDS is placed on each host whereas NIDS is placed in the network. For an enterprise, NIDS is preferred as HIDS is difficult to manage, plus it consumes processing power of the host as well.

What is compliance?

Abiding by a set of standards set by a government/Independent party/organisation, e.g. an industry which stores, processes or transmits Payment related information needs to be complied with PCI DSS (Payment card Industry Data Security Standard). Other compliance examples can be an organisation complying with its own policies.

What is a WAF and what are its types?

WAF stands for web application firewall. It is used to protect the application by filtering legitimate traffic from malicious traffic. WAF can be either a box type or cloud based.

System Questions (61)
Explain the current architecture you’re responsible for and point out where it’s scalable or fault-tolerant. ***

To be completed.

Tell me how code gets deployed in your current production. ***

To be completed.

What are the different types of kernels? Explain.

Monolithic Kernels

Earlier in this type of kernel architecture, all the basic system services like a process and memory management, interrupt handling etc were packaged into a single module in kernel space. This type of architecture led to some serious drawbacks like:

  • the size of the kernel, which was huge
  • poor maintainability, which means bug fixing or addition of new features resulted in recompilation of the whole kernel which could consume hours

In a modern day approach to monolithic architecture, the kernel consists of different modules which can be dynamically loaded and unloaded. This modular approach allows easy extension of OS's capabilities. With this approach, maintainability of kernel became very easy as only the concerned module needs to be loaded and unloaded every time there is a change or bug fix in a particular module.

Linux follows the monolithic modular approach.

Microkernels

This architecture majorly caters to the problem of ever growing size of kernel code which we could not control in the monolithic approach. This architecture allows some basic services like device driver management, protocol stack, file system etc to run in user space.

In this architecture, all the basic OS services which are made part of user space are made to run as servers which are used by other programs in the system through inter process communication (IPC).

Example: We have servers for device drivers, network protocol stacks, file systems, graphics, etc. Microkernel servers are essentially daemon programs like any others, except that the kernel grants some of them privileges to interact with parts of physical memory that are otherwise off limits to most programs.

Hybrid Kernels (Modular Kernels)

This is a combination of the above two, where the key idea is that Operating System services are in Kernel Space, and there is no message passing, no performance overhead and no reliability benefits, of having services in user space.

This is used by Microsoft's NT kernels, all the way up to the latest Windows version.

Useful resources:

The program returns the error of the missing library. How to provide dynamically linkable libraries?

Environment variable LD_LIBRARY_PATH is a colon-separated set of directories where libraries should be searched for first, before the standard set of directories; this is useful when debugging a new library or using a nonstandard library for special purposes.

The best way to use LD_LIBRARY_PATH is to set it on the command line or script immediately before executing the program. This way the new LD_LIBRARY_PATH isolated from the rest of your system.

Example of use:

export LD_LIBRARY_PATH="/list/of/library/paths:/another/path" ./program

Useful resources:

Write the most important rules for using root privileges safely for novice administrators. ***

To be completed.

What is the advantage of synchronizing UID/GID across multiple systems?

There are several principle reasons why you want to co-ordinate the user/UID and group/GID management across your network.

The first is relatively obvious - it has to do with user and administrative convenience.

If each of your users are expected to have relatively uniform access to the systems throughout the network, then they'll expect the same username and password to work on each system that they are supposed to use. If they change their password they will expect that change to be global.

It also has a relationship with names and group names in Unix and Linux. They are mapped into numeric forms (UID's and GID's respectively). All file ownership (inodes) and processes use these numerics for all access and identity determination throughout the kernel and drivers. These numeric values are reverse mapped back to their corresponding principle symbolic representations (the names) by the utilities that display or process that information.

It is also recommended that you adopt a policy that UID's are not re-used. When a user leaves your organization you "retire" their UID (disabling their access by *'ing out their passwd, removing them from the groups maps, setting their "shell" to some /bin/denied binary and their home directory to a secured graveyard - I use /home/.graveyard on my systems).

The reason for this may not be obvious. However, if you are maintaining archival backups for several years (or indefinitely) you'll want to avoid any ambiguities and confusion that might result from restoring one (long gone) user's files and finding them owned by one of your new users.

Useful resources:

What principles to follow for successful system performance tuning? ***

To be completed.

Useful resources:

Describe start-up configuration files and directory in BSD systems.

In BSD the primary start-up configuration file is /etc/defaults/rc.conf. System startup scripts such as /etc/rc and /etc/rc.d just include this file.

If you want to add other programs to system startup you need to change /etc/rc.conf file instead of /etc/defaults/rc.conf.

CPU spent the most of the time for a IO operations to complete. Which tools do you use for diagnose what process(es) did exactly wait for IO? How to minimize IO wait time? ***

To be completed.

Useful resources:

The Junior dev accidentally destroyed production database. How can you prevent such situations?

Create disaster recovery plan

Disaster recovery and business continuity planning are integral parts of the overall risk management for an organization. Is a documented process or set of procedures to recover and protect a business IT infrastructure.

If you don’t have a recovery solution, then your restoration efforts will become rebuilding efforts, starting from scratch to recreate whatever was lost.

You should use commonly occurring real life data disaster scenarios to simulate what your backups will and won’t do in a crisis.

Create disaster recovery center

As a result, in the event of unplanned interruptions in the functioning of the primary location, service and all operational activities are switched to the backup center and therefore the unavailability of services is limited to the absolute minimum.

Does the facility have sufficient bandwidth options and power to scale and deal with the increased load during a major disaster? Are resources available to periodically test failover?

Create regular backups and tested it!

Backups are a way to protect the investment in data. By having several copies of the data, it does not matter as much if one is destroyed (the cost is only that of the restoration of the lost data from the backup).

When you lose data, one thing is certain: downtime.

To assure the validity and integrity of any backup, it's essential to carry out regular restoration tests. Ideally, a test should be conducted after every backup completes to ensure data can be successfully secured and recovered. However, this often isn't practical due to a lack of available resources or time constraints.

Make backups of entire virtual machines and important components in the middle of them.

Create snapshots: vm, disks or lvm

Snapshots are perfect if you want to recover a server from a previous state but it's only a "quick method", it cannot restore the system after too many items changed.

Create them always before making changes on production environments (and not only).

Disk snapshots are used to generate a snapshot of an entire disk. These snapshots don't make it easy to restore individual chunks of data (e.g. a lost user account), though it's possible. The primary purpose is to restore entire disks in case of disk failure.

The LVM snapshots can be primarily used to easily copy data from production environment to staging environment.

Remember: Snapshots are not backups!

Development and testing environments

A production environment is the real instance of the application and its database used by the company or the clients. The production database has all the real data.

Setting up development environments based directly on the production database, instead of using a backup for this (removing the need for the above). Dev and test environment that your engineers can get to and a prod environment that only a few people can push updates to following an approved change.

All environments such as prod, dev and test should have one major difference: authorization data for services. For example postgres database instance on testing environment should be consistent (if possible) with the production base, however, in order to eliminate errors of database names and logins and passwords for authorization should be different.

Single point of failure

The general method to avoid single points of failures is to provide redundant components for each necessary resource, so service can continue if a component fails.

Synchronization and replication process for databases

The replication procedure is super fragile and prone to error.

A good idea is also slightly longer delay of data replication (e.g. for DRC). As in replicas, the data changes will usually be replicated within minutes, so the lost data won’t be on the replica database either once that happens.

Create database model with users, roles and rights, use different methods of protection

Only very advanced devs have permissions for db admin access. The other really don't need write access to clone a database. On the other hand just don't give a developer write access to prod.

The production database should refuse connections from any server and pc which isn't the one running the production application, even if it provides a valid username/password.

How the hell development machines can access a production database right like that? How about a simple firewall rule to just let the servers needing the DB data access the database?

Create summary/postmortem documents after failures

The post-mortem audience includes customers, direct reports, peers, the company's executive team and often investors.

Explain what caused the outage on a timeline. Every incident begins with a specific trigger at a specific time, which often causes some unexpected behavior. For example, our servers were rebooted and we expected them to come back up intact, which didn't happen.

Furthermore, every incident has a root cause: the reboot itself was trigger, however a bug in the driver caused the actual outage. Finally, there are consequences to every incident, the most obvious one is that the site goes down.

The post-mortem answers the single most important question of what could have prevented the outage.

Despite how painful an outage may have been, the worst thing you can do is to bury it and never properly close the incident in a clear and transparent way.

If you also made a big mistake...

"Humans are just apes with bigger computers." - african_cheetah (Reddit)

"I've come to appreciate not having access to things I don't absolutely need." - warm_vanilla_sugar (Reddit)

Document whatever happened somewhere. Write setup guides. Failure is instructive.

Useful resources:

How to add new disk in Linux server without rebooting? How to rescan and add it in LVM?

To be completed.

Useful resources:

Explain each system calls used for process management in Linux.

There are some system calls for process management. These are as follows:

  • fork(): it is used to create a new process
  • exec(): it is used to execute a new process
  • wait(): it is used to make the process to wait
  • exit(): it is used to exit or terminate the process
  • getpid(): it is used to find the unique process ID
  • getppid(): it is used to check the parent process ID
  • nice(): it is used to bias the currently running process property

Useful resources:

Can’t mount the root file system. Why? ***

To be completed.

Useful resources:

You have to delete 100GB files. Which method will be the most optimal? ***

To be completed.

Useful resources:

Explain interrupts and interrupt handlers in Linux.

Here's a high-level view of the low-level processing. I'm describing a simple typical architecture, real architectures can be more complex or differ in ways that don't matter at this level of detail.

When an interrupt occurs, the processor looks if interrupts are masked. If they are, nothing happens until they are unmasked. When interrupts become unmasked, if there are any pending interrupts, the processor picks one.

Then the processor executes the interrupt by branching to a particular address in memory. The code at that address is called the interrupt handler. When the processor branches there, it masks interrupts (so the interrupt handler has exclusive control) and saves the contents of some registers in some place (typically other registers).

The interrupt handler does what it must do, typically by communicating with the peripheral that triggered the interrupt to send or receive data. If the interrupt was raised by the timer, the handler might trigger the OS scheduler, to switch to a different thread. When the handler finishes executing, it executes a special return-from-interrupt instruction that restores the saved registers and unmasks interrupts.

The interrupt handler must run quickly, because it's preventing any other interrupt from running. In the Linux kernel, interrupt processing is divided in two parts:

  • The "top half" is the interrupt handler. It does the minimum necessary, typically communicate with the hardware and set a flag somewhere in kernel memory.
  • The "bottom half" does any other necessary processing, for example copying data into process memory, updating kernel data structures, etc. It can take its time and even block waiting for some other part of the system since it runs with interrupts enabled.

Useful resources:

What considerations come into play when designing a highly available application, both at the architecture level and the application level? ***

To be completed.

What fields are stored in an inode?

Within a POSIX system, a file has the following attributes which may be retrieved by the stat system call:

  • Device ID (this identifies the device containing the file; that is, the scope of uniqueness of the serial number). File serial numbers
  • The file mode which determines the file type and how the file's owner, its group, and others can access the file
  • A link count telling how many hard links point to the inode
  • The User ID of the file's owner
  • The Group ID of the file
  • The device ID of the file if it is a device file.
  • The size of the file in bytes
  • Timestamps telling when the inode itself was last modified (ctime, inode change time), the file content last modified (mtime, modification time), and last accessed (atime, access time)
  • The preferred I/O block size
  • The number of blocks allocated to this file

Useful resources:

Ordinary users are able to read /etc/passwd. Is it a security hole? Do you know other password shadowing scheme?

Typically, the hashed passwords are stored in /etc/shadow on most Linux systems:

-rw-r----- 1 root shadow 1349 2016-07-03 03:54 /etc/shadow

They are stored in /etc/master.passwd on BSD systems.

Programs that need to perform authentication still need to run with root privileges:

-rwsr-xr-x 1 root root 42792 2016-02-14 14:13 /usr/bin/passwd

If you dislike the setuid root programs and one single file containing all the hashed passwords on your system, you can replace it with the Openwall TCB PAM module. This provides every single user with their own file for storing their hashed password - as a result the number of setuid root programs on the system can be drastically reduced.

Useful resources:

What are some of the benefits of using systemd over SysV init? ***

To be completed.

How do you run command every time a file is modified?

For example: