Linux Study Guide

LPIC-1: Linux Administrator Study Guide

LPIC-1: Linux Administrator validates the ability to perform maintenance tasks on the command line, install and configure a Linux workstation, and configure basic networking. It is a vendor-neutral certification earned by passing two 90-minute exams (101 and 102), each scored 200-800 with a 500 pass mark, aimed at junior administrators and anyone working at the Linux command line regardless of distribution.

Domain 1 Domain 2 Domain 3 Domain 4 Domain 5 Domain 6

Practice LPIC-1 questions free Create free account

Domain 1: System Architecture

Key concepts you must know · 299 practice questions

On legacy BIOS systems the firmware loads the boot loader from the Master Boot Record (MBR) in the first 512 bytes of the disk; on UEFI systems the firmware reads boot entries and loads an EFI executable from the EFI System Partition (ESP).
Check for the directory /sys/firmware/efi to determine whether a system booted in UEFI mode; if it exists the system is UEFI, otherwise it booted via legacy BIOS.
dmesg prints the kernel ring buffer, a fixed-size in-memory log of kernel messages from boot onward (hardware detection, driver init); on systemd systems journalctl -k shows the same kernel messages.
/proc/cpuinfo is a kernel-generated pseudo-file showing per-core CPU details: model name, cache size, flags, and core count; /proc/meminfo shows memory and /proc/interrupts shows per-CPU IRQ counts.
/sys (sysfs) exposes the kernel device model as a navigable tree of buses, devices, and drivers and allows reading/writing kernel parameters at runtime; USB devices appear under /sys/bus/usb/devices/.
lsmod lists currently loaded kernel modules (reading /proc/modules) with name, size, use count, and dependents; modinfo shows details about a specific module.
modprobe loads a module by name and automatically resolves dependencies using the modules.dep database built by depmod; insmod inserts a single .ko file and fails if prerequisites are missing.
To prevent a module from loading, add a line 'blacklist modulename' to a file under /etc/modprobe.d/; to autoload modules at boot list them in /etc/modules-load.d/ files.
systemd targets replace SysV runlevels: multi-user.target equals runlevel 3 (multi-user, networked, no GUI), graphical.target equals runlevel 5 (with display manager), and rescue.target is single-user maintenance mode.
systemctl set-default sets the default boot target (for example systemctl set-default multi-user.target); systemctl isolate switches the running system to a target immediately (for example systemctl isolate rescue.target).
systemctl list-units --failed shows units that failed to start, and systemctl status <unit> shows a service's state, PID, and recent log lines.
After the kernel initializes it starts PID 1 (systemd on modern distros, traditionally /sbin/init); PID 1 adopts orphaned processes and is the ancestor of all user-space processes.
The initramfs (initial RAM filesystem) provides a temporary root filesystem containing the drivers and tools needed to detect and mount the real root filesystem before pivoting to it.
udevadm monitor prints kernel and udev uevents in real time, and lsusb / lspci list connected USB and PCI hardware; D-Bus is the inter-process message bus that desktop and systemd services rely on.

Domain 2: Linux Installation and Package Management

Key concepts you must know · 251 practice questions

The boot loader's job is to load and start the Linux kernel; GRUB 2 is configured by editing /etc/default/grub and templates in /etc/grub.d/, then regenerating /boot/grub/grub.cfg with grub-mkconfig (or update-grub on Debian).
A minimal UEFI install needs a Linux root (/) partition plus an EFI System Partition (ESP), typically a FAT32 partition mounted at /boot/efi; partition tables are MBR (max ~2 TiB, 4 primary) or GPT (GUID Partition Table) for larger disks.
dpkg is the low-level Debian tool: dpkg -i package.deb installs a local .deb but does NOT fetch dependencies; running apt-get install -f afterward resolves and installs missing dependencies.
dpkg -P (purge) removes a package and deletes its configuration files, whereas dpkg -r (remove) leaves config files behind; dpkg -l lists installed packages and dpkg -L lists files owned by a package.
apt update refreshes the local package index from configured repositories (it installs nothing); apt upgrade then installs newer versions; install a specific version with apt-get install pkg=version.
APT repositories are defined in /etc/apt/sources.list and files under /etc/apt/sources.list.d/; these tell APT where to download packages and index metadata.
rpm is the low-level RPM tool: rpm -ivh package.rpm installs with verbose output and a hash progress bar but does not resolve dependencies; rpm -e removes a package.
RPM query options: rpm -qa lists all installed packages, rpm -qi shows package info, rpm -ql lists files in a package, and rpm -V verifies installed files against the RPM database.
yum/dnf are the dependency-resolving front ends for RPM systems: yum install httpd fetches a package and its dependencies; install a local file with dnf install ./package.rpm or yum localinstall package.rpm.
yum provides (or dnf provides) shows which package supplies a given file or capability; yum clean all clears cached package data, headers, and metadata.
Shared library handling: ldconfig rebuilds the linker cache from directories listed in /etc/ld.so.conf (and /etc/ld.so.conf.d/); ldd lists the shared libraries a binary requires.
tar archive flags: -c create, -x extract, -t list, -f file; -z uses gzip (.tar.gz), -j uses bzip2 (.tar.bz2), and -J uses xz (.tar.xz); for example tar -czf archive.tar.gz dir.
Debian uses APT/dpkg with .deb packages while Red Hat-based systems use dnf/yum/rpm with .rpm packages; knowing both families and their equivalent commands is required for LPIC-1.
Repository priorities and pinning let APT prefer specific versions or repositories; equivalent control on RPM systems comes from dnf module/version locks and enabled/disabled repos.

Domain 3: GNU and Unix Commands

Key concepts you must know · 254 practice questions

The pipe operator | connects the stdout of one command to the stdin of the next; for example ls -la | grep '.txt' filters the listing line by line.
Redirection: > overwrites a file, >> appends, < feeds a file as stdin; file descriptor 2 is stderr so 2> redirects errors and command > out.log 2>&1 merges stderr into stdout.
tee writes its input to a file AND passes it through to stdout simultaneously (command | tee output.txt), useful for logging while still seeing or piping output.
grep searches text for patterns; grep -r searches recursively through a directory tree, grep -i ignores case, grep -v inverts the match, and grep -E enables extended regular expressions.
find locates files by criteria: find /etc -name '*.conf' matches by name, -size +100M by size, -mtime -7 by modification time within 7 days, and -type f/d by type; quote glob patterns to stop the shell expanding them.
xargs builds and runs command lines from standard input, commonly paired with find (find ... | xargs rm) to act on each result; find -exec is the in-place alternative.
sed edits streams: sed 's/old/new/' substitutes the first match per line, adding /g makes it global per line, and -i edits the file in place (sed -i 's/http/https/g' config.conf).
awk processes text by fields: awk '{print $1}' prints the first whitespace-delimited field; combining awk '{print $1}' file | sort | uniq | wc -l counts distinct values.
Field/line utilities: wc -l counts lines, sort orders lines, uniq removes adjacent duplicates (use sort first), and cut -d: -f1,3 extracts colon-delimited fields 1 and 3 from /etc/passwd.
tail prints the end of a file (tail -n 20 file shows the last 20 lines, tail -f follows growth); head prints the beginning; cat concatenates files to stdout.
Hard links (ln target link) share an inode and must stay on the same filesystem; symbolic links (ln -s target link) are pointers that can cross filesystems but become dangling if the target is deleted.
cp -r recursively copies a directory and its contents; mv renames or moves; rm -r removes directory trees and rm -f forces removal without prompting.
kill sends a signal to a process by PID and can send ANY signal (not only termination); kill -9 (SIGKILL) cannot be caught, kill -15 (SIGTERM) is the default graceful stop, and kill -l lists signals.
Process and job control: ps aux and top/htop show processes, nice/renice adjust scheduling priority, & backgrounds a job, jobs lists them, and fg/bg resume them; nohup keeps a job running after logout.

Domain 4: Devices, Linux Filesystems, FHS

Key concepts you must know · 251 practice questions

mkfs creates filesystems; mkfs.ext4 (a wrapper for mke2fs) writes the superblock, inode tables, and journal onto a partition, and mkswap formats a partition or file as swap.
mount attaches a filesystem with the device first and mount point second (mount /dev/sdc1 /mnt/data); the type is auto-detected when -t is omitted; umount detaches it.
/etc/fstab declares persistent mounts in six fields: device/UUID, mount point, type, options, dump (field 5), and fsck pass order (field 6); 0 in field 6 means never check, 1 is the root filesystem, 2 is other filesystems.
An fstab NFS line looks like 192.168.1.10:/export/data /mnt/shared nfs defaults 0 0; running mount -a mounts everything in fstab that is not already mounted.
fsck checks and repairs filesystems and dispatches to a helper such as fsck.ext4 (alias e2fsck); always unmount the partition before running fsck on it to avoid corruption.
Swap is enabled with mkswap /dev/sdc2 then swapon /dev/sdc2, and disabled with swapoff; swapon -s or free -h shows active swap usage.
LVM layering is physical volumes (pvcreate) to volume groups (vgcreate) to logical volumes; create a logical volume with lvcreate -L 10G -n data vg01 or lvcreate -n lv_projects -L 500G vg_data.
blkid displays block device attributes such as UUID and filesystem type, which is how stable UUIDs for fstab entries are obtained; lsblk shows the block device tree.
df -h reports per-filesystem disk space in human-readable units; du -sh shows the total size of a directory; lsof and fuser show which processes hold files open.
Disk space deleted but not freed is usually a large file unlinked while a process still holds it open; the space is reclaimed only when the descriptor is closed or the process exits (lsof +L1 finds these).
FHS layout: /bin and /sbin hold essential binaries, /etc holds system configuration, /dev holds device nodes, and these must reside on the root partition since they are needed before other filesystems mount.
FHS variable and temporary data: /var holds logs (/var/log), spool, and caches that grow during operation, /tmp is temporary scratch space, and /home holds user directories.
/dev/null is the null device that discards all writes and returns EOF on read; /dev/zero supplies endless null bytes and /dev/urandom supplies random data.
Reading through a dangling symbolic link (one whose target was deleted) fails with a no-such-file error even though the link itself still exists in the directory listing.

Domain 5: Shells and Shell Scripting

Key concepts you must know · 246 practice questions

A script's first line must be a shebang beginning with the exact two bytes #! followed by the interpreter path, for example #!/bin/bash; the kernel reads it and runs the script with that interpreter.
chmod +x script.sh sets the execute bit so the script can run as ./script.sh; without execute permission the script must be invoked explicitly as bash script.sh.
The special parameter $? holds the exit status of the last command (0 = success, non-zero = failure), and scripts test it to decide branching.
Positional parameters: $1, $2, ... are arguments, $0 is the script name, $# is the argument count, and $@ / $* expand to all arguments.
Variable assignment has no spaces around = (NAME="John"); a plain assignment is local to the shell, while export NAME="John" places it in the environment so child processes inherit it.
Quoting matters: single quotes preserve every character literally, while double quotes still allow variable expansion ($VAR) and command substitution ($(cmd) or backticks).
Conditional tests use test or [ ] (or [[ ]] in bash): -f checks a regular file exists, -d a directory, -r readable, -w writable, -x executable; for example if [ -f /path ]; then ...; fi.
The for loop iterates a word list: for item in list; do ...; done (for example for i in 1 2 3 4 5; do echo $i; done prints 1 through 5 each on its own line).
The while loop with read processes input line by line: while read line; do echo $line; done < servers.txt reads servers.txt one line at a time.
read assigns a line of standard input to one or more variables; combined with a loop and input redirection it is the standard way to process a file's lines.
Functions are defined as name() { commands; } or function name { commands; }; arguments inside a function are $1, $2, ..., and return passes back an exit status (function backup() { cp $1 $2; return $?; }).
Login shells read /etc/profile then a user file such as ~/.bash_profile or ~/.bash_login; non-login interactive shells read ~/.bashrc; logout runs ~/.bash_logout.
Key environment variables: HOME is the user's home directory, PATH is the colon-separated list of directories searched for commands, PS1 is the prompt, and SHELL names the login shell.
Command substitution $(command) captures a command's output into a variable; arithmetic uses $((expr)); and && / || chain commands by success or failure of the previous one.

Domain 6: User Interfaces and Desktops, Admin Tasks, Networking

Key concepts you must know · 204 practice questions

The X Window System is a client-server graphical stack: the X Server manages display and input hardware while a separate Window Manager (and clients) draws and controls windows; the DISPLAY variable names the target display (for example :0).
Common desktop environments are GNOME, KDE Plasma, and Xfce, and a display manager (gdm, sddm, lightdm) provides graphical login; modern systems may use Wayland instead of the X11 protocol.
useradd creates an account by writing /etc/passwd, /etc/shadow, and /etc/group; useradd -m creates the home directory and -s sets the login shell (useradd -m -s /bin/bash webadmin).
/etc/passwd fields (colon-separated) are username, password placeholder x, UID, GID, GECOS comment, home directory, and login shell; encrypted passwords and aging live in /etc/shadow.
Account maintenance: passwd sets or changes passwords (passwd -l locks, passwd -u unlocks), usermod modifies account attributes, userdel removes accounts, and chage manages password aging.
cron schedules recurring jobs with five time fields: minute, hour, day-of-month, month, day-of-week (for example 0 3 * * * runs daily at 03:00, and 30 2 * * 0 runs at 02:30 every Sunday); crontab -e edits a user's crontab and /etc/crontab is the system-wide file.
/etc/resolv.conf configures the DNS resolver via nameserver, search, and domain lines; /etc/hosts maps hostnames to IPs locally; /etc/nsswitch.conf sets the lookup order (for example hosts: files dns).
The iproute2 suite replaces deprecated net-tools: ip addr show (or ip a) lists interfaces and addresses, ip route show displays the routing table, and ip link manages interface state.
NetworkManager's CLI nmcli configures connections persistently; nmcli con mod sets ipv4.addresses, ipv4.gateway, ipv4.dns and ipv4.method manual for a static configuration.
ss (socket statistics) is the modern netstat replacement reading sockets via netlink; ss -tlnp lists TCP listening sockets with ports and owning processes.
Connectivity testing: ping checks reachability, nc -zv host 443 tests whether a TCP port is open, and traceroute / tracepath shows the path to a host; dig and host query DNS.
SSH provides encrypted remote shell access; ssh user@host and ssh -l user host are equivalent, the default port is 22, and key-based auth uses ~/.ssh/authorized_keys with keys generated by ssh-keygen.
System logging: traditional syslog writes to files under /var/log (messages, syslog, auth.log), while systemd-journald is queried with journalctl (for example journalctl -u sshd or journalctl -b for the current boot).
Localization and time: timedatectl sets time zone and enables NTP, the TZ variable and /etc/localtime control the zone, and locale plus the LANG/LC_* variables control language and character encoding (UTF-8).

LPIC-1 exam tips

Master the two package-management families side by side: for every Debian apt/dpkg command know the Red Hat dnf/yum/rpm equivalent, since the exam tests both regardless of which distro you use day to day.
Memorize the six fstab fields in order and the cron five-field time format cold; these structured-field questions are common and easy points once the column meanings are automatic.
Practice building real pipelines (grep | sort | uniq | wc -l, find | xargs, sed -i) at an actual terminal rather than memorizing flags, because LPIC-1 favors questions that combine several commands.
Know which tool is current versus deprecated: prefer ip over ifconfig, ss over netstat, journalctl over reading raw logs, and systemctl targets over numeric runlevels, but recognize the legacy commands too.
Read each question for exact wording such as overwrite vs append (> vs >>), remove vs purge (dpkg -r vs -P), and isolate vs set-default; LPIC-1 distinguishes closely related commands by their precise behavior.

Study guide FAQ

How is LPIC-1 structured and what do I need to pass?

LPIC-1 requires passing two separate 90-minute exams, 101 and 102, each with about 60 questions (multiple choice and fill-in-the-blank). Each exam is scored on a 200-800 scale with a passing score around 500. You must pass both to earn the certification, and it is valid for five years.

Do I need to know one specific Linux distribution?

No. LPIC-1 is intentionally vendor-neutral and tests both major package families, so you must be comfortable with Debian-based apt/dpkg and Red Hat-based dnf/yum/rpm, plus tools that work everywhere. Pick one distribution to practice on but study the commands and config-file locations of both.

How much memorization of exact commands and file paths is expected?

A lot. LPIC-1 includes fill-in-the-blank items where you type the exact command, option, or path with no choices given, so you must know things like /etc/fstab field order, /etc/resolv.conf, crontab syntax, and flags such as tar -czf or ip addr show precisely rather than just recognizing them.

Is LPIC-1 still relevant given systemd and modern tooling?

Yes. Current LPIC-1 objectives cover systemd (systemctl, targets, journalctl) alongside legacy SysV-init concepts, and modern networking tools like ip, ss, and nmcli. Studying the up-to-date objectives ensures you learn today's standard tools while still recognizing the older commands you may meet on existing systems.

Test yourself: 1,505 LPIC-1 practice questions