LPIC-2: Linux Engineer Study Guide
LPIC-2: Linux Engineer validates the advanced administration skills needed to manage small-to-medium mixed networks, covering the kernel, capacity planning, system startup, storage, networking, and core network services (web, file, DNS, email). It is aimed at experienced administrators who already hold LPIC-1 and run production Linux systems. The certification is split across two exams (201 and 202) and tests both command-line fluency and architectural judgment.
Domain 1: Capacity Planning
- vmstat reports paging activity, run/blocked process counts, block I/O, and CPU time; the si/so columns show memory swapped in/out per second (kB/s by default) and should normally read 0. The first row is an average since boot, so judge from the later interval samples (e.g. vmstat 1 5), not from the first line.
- free -m distinguishes 'used', 'free', and 'available' memory; because buffers/cache are reclaimable, the 'available' column is the true indicator of memory pressure, not 'free'.
- Sustained nonzero si/so in vmstat combined with growing used swap and near-zero available memory signals a genuine memory shortage rather than normal caching.
- iostat -x shows per-device %util (approaching 100% means the device was busy for the whole interval, a clear saturation sign for spinning disks, less meaningful for NVMe/SSDs that service many requests in parallel) plus await, the average time a request spent queued and being serviced; high values indicate the disk is the bottleneck.
- High %iowait in top/iostat means the CPU is idle waiting on I/O; processes stuck in the D (uninterruptible sleep) state are blocked on disk or network I/O.
- sysstat provides sar for historical trend analysis; sadc (the data collector, run via sa1) writes binary records to /var/log/sa/saDD (DD is the day of the month), read back with sar -u -f /var/log/sa/saDD.
- sar -u reports historical CPU utilization; sar collects retained metrics on a schedule, making it the standard tool for capacity trending over days or weeks.
- ps aux --sort=-%mem | head lists the top memory consumers; --sort=-%cpu ranks by CPU usage instead.
- The OOM killer selects a victim process based on its oom_score, which is biased by oom_score_adj (range -1000 to +1000) to protect or sacrifice specific processes.
- vm.swappiness (0-100) controls how aggressively the kernel swaps; a low value like 1-10 favors keeping pages in RAM, useful for latency-sensitive or database workloads.
- systemd resource limits cap a service via directives such as MemoryMax=512M and CPUQuota=50% in the unit file, enforced through cgroups.
- For trend retention and alerting, feed collected metrics into a time-series monitoring system such as Prometheus or collectd rather than relying on point-in-time tools.
- Disk I/O bottlenecks are addressed by adding faster storage (NVMe/SSD) or spreading load; memory pressure is addressed by adding RAM or reducing working set.
- top provides a real-time, continuously refreshing view of CPU and memory per process, while free and vmstat give point-in-time and rate snapshots respectively.
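The diagnosis rules above (nonzero si/so, low 'available', high %iowait) turned into a small check script. This is an added example, not material from the LPIC-2 page: it parses constructed vmstat and free -m output embedded in the script so it runs offline; on a real host substitute "$(vmstat 1 3)" and "$(free -m)". Exit codes follow the Nagios plugin convention (0/1/2), so the same function can double as a monitoring check.

```shell
#!/bin/sh
# Added example, not from the LPIC-2 page. Classify memory pressure the way
# the study notes describe: swapping (si/so) plus near-zero 'available' is a
# real shortage; either alone is a warning. All input below is constructed.

# Constructed `vmstat 1 3` output: 2 header lines, a since-boot average row,
# then the interval samples that actually matter.
SAMPLE_VMSTAT_BAD='procs -----------memory---------- ---swap-- -----io---- -system-- ------cpu-----
 r  b   swpd   free   buff  cache   si   so    bi    bo   in   cs us sy id wa st
 3  2 1048576  61440  8192 122880   40   55   400   210  812 1500 12  4 60 24  0
 2  3 1049600  59392  8000 120000  120  300   900   600  950 1700 10  5 50 35  0
 4  2 1052672  57344  7900 118000  210  410  1100   800 1010 1900 11  5 45 39  0'

SAMPLE_VMSTAT_OK='procs -----------memory---------- ---swap-- -----io---- -system-- ------cpu-----
 r  b   swpd   free   buff  cache   si   so    bi    bo   in   cs us sy id wa st
 1  0      0 2100000 120000 3500000    0    0    12    30  200  400  5  1 93  1  0
 0  0      0 2098000 120000 3501000    0    0     0    10  180  350  3  1 96  0  0
 1  0      0 2097000 120000 3502000    0    0     4    20  190  380  4  1 95  0  0'

# Constructed `free -m` output (procps-ng column order: available is column 7).
SAMPLE_FREE_BAD='              total        used        free      shared  buff/cache   available
Mem:           7977        7540          60          90         377         120
Swap:          4095        1028        3067'

SAMPLE_FREE_OK='              total        used        free      shared  buff/cache   available
Mem:           7977        1900        2050          90        4027        5700
Swap:          4095           0        4095'

# mem_pressure_state VMSTAT_TEXT FREE_TEXT
# Prints a one-line verdict; returns 0 (OK), 1 (WARNING) or 2 (CRITICAL),
# the Nagios plugin convention.
mem_pressure_state() {
    vm=$1; fr=$2
    # average si/so/wa over the interval rows (skip headers and since-boot row)
    set -- $(printf '%s\n' "$vm" | awk 'NR > 3 { si += $7; so += $8; wa += $16; n++ }
        END { if (n == 0) n = 1; printf "%d %d %d\n", si / n, so / n, wa / n }')
    si=$1; so=$2; wa=$3
    set -- $(printf '%s\n' "$fr" | awk '/^Mem:/ { printf "%d %d\n", $2, $7 }')
    total=${1:-1}; avail=${2:-0}
    [ "$total" -gt 0 ] || total=1
    avail_pct=$(( avail * 100 / total ))

    io_note=""
    if [ "$wa" -gt 20 ]; then
        io_note=" (iowait ${wa}%: check iostat -x %util/await and D-state processes)"
    fi
    swapping=0; low=0
    if [ $(( si + so )) -gt 0 ]; then swapping=1; fi
    if [ "$avail_pct" -lt 5 ]; then low=1; fi

    if [ "$swapping" -eq 1 ] && [ "$low" -eq 1 ]; then
        echo "CRITICAL: swapping (si=${si} so=${so} kB/s) with ${avail_pct}% of RAM available${io_note}"
        return 2
    elif [ "$swapping" -eq 1 ] || [ "$low" -eq 1 ]; then
        echo "WARNING: si=${si} so=${so} kB/s, ${avail_pct}% of RAM available${io_note}"
        return 1
    fi
    echo "OK: no swapping, ${avail_pct}% of RAM available${io_note}"
    return 0
}

rc=0; mem_pressure_state "$SAMPLE_VMSTAT_BAD" "$SAMPLE_FREE_BAD" || rc=$?
echo "plugin exit code: $rc"
```

The swapping-but-plenty-available case is deliberately only a WARNING: it usually means a burst of cache churn or a single process being paged, and it is the combination with near-zero 'available' that the notes call a genuine shortage.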
Domain 2: Linux Kernel
- modprobe loads a module by name and automatically resolves dependencies via modules.dep, unlike the low-level insmod which loads only one explicit file; modprobe -r unloads modules.
- lsmod formats /proc/modules into a table of loaded modules with their size and the modules that depend on each one.
- depmod scans installed modules and rebuilds modules.dep, the dependency map modprobe consults; run it after adding new modules.
- Module options are set persistently in a file under /etc/modprobe.d/ ending in .conf, using the syntax 'options <module> <param>=<value>'.
- To stop a module from auto-loading, add 'blacklist <module>' in /etc/modprobe.d/*.conf; that only suppresses alias-based loading (hardware probing), so a module named explicitly or pulled in as a dependency still loads. To block those paths too, add 'install <module> /bin/true', which makes modprobe run /bin/true instead of inserting the module. insmod on the .ko file bypasses modprobe entirely, which is what module signature enforcement is for.
- To load a module at boot regardless of hardware detection, list it in a file under /etc/modules-load.d/ (read by systemd-modules-load); loading behavior and parameters stay in /etc/modprobe.d/.
- uname -r prints the running kernel release; an 'invalid module format' error usually means the module was built for a different kernel version than the one running (dmesg shows the vermagic mismatch).
- If a needed driver lives in a module, rebuild the initramfs with dracut (Red Hat) or mkinitramfs/update-initramfs (Debian) so it is available during early boot.
- dmesg reads the kernel ring buffer for hardware probing and driver messages; -T adds human-readable timestamps and -w follows new entries. journalctl -k shows the same kernel log.
- Runtime kernel parameters live under /proc/sys and are volatile; persist them in /etc/sysctl.conf or /etc/sysctl.d/*.conf, applied at boot or on demand: sysctl -p reloads /etc/sysctl.conf (or a named file), while sysctl --system reloads every configured directory in precedence order.
- The recommended tuning workflow is sysctl -w to apply live and observe, then persist the value in /etc/sysctl.d/ once validated.
- /proc is a virtual procfs filesystem populated by the kernel, exposing per-PID directories plus system files like /proc/cpuinfo, /proc/meminfo, and /proc/modules.
- UEFI Secure Boot can refuse to load unsigned modules, requiring kernel modules to be signed with an enrolled key (MOK) before they load.
- Kernel tracing (ftrace) is exposed through files under /sys/kernel/debug/tracing (debugfs); front-ends such as trace-cmd drive it for low-level kernel diagnostics.
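A parser for the /etc/modprobe.d syntax described above, as an added example (not from the LPIC-2 page): given a directory of fragments it reports whether a module is blacklisted, diverted by an install line, and which options accumulate across files. It builds a constructed temporary directory so it runs offline; on a real host point it at /etc/modprobe.d, and treat `modprobe --showconfig` as the authority, since that also sees aliases and built-in defaults.

```shell
#!/bin/sh
# Added example, not from the LPIC-2 page: report what /etc/modprobe.d-style
# fragments say about a module. Return code distinguishes the two blocking
# mechanisms: 1 = blacklisted (autoload via alias suppressed, explicit
# modprobe still works), 2 = install line present (modprobe diverted, so
# explicit and dependency loads are blocked too), 0 = no restriction.

# Constructed fragments; modprobe reads only files ending in .conf.
MODPROBE_DEMO_DIR=$(mktemp -d)
cat > "$MODPROBE_DEMO_DIR/10-blacklist.conf" <<'EOF'
# stop hardware probing from autoloading these
blacklist pcspkr
blacklist dccp
EOF
cat > "$MODPROBE_DEMO_DIR/20-hardening.conf" <<'EOF'
# 'install ... /bin/true' makes modprobe run /bin/true instead of loading,
# so even an explicit 'modprobe dccp' becomes a no-op
install dccp /bin/true
install usb_storage /bin/true
options kvm_intel nested=1
EOF
cat > "$MODPROBE_DEMO_DIR/30-options.conf" <<'EOF'
options kvm_intel enable_apicv=1
EOF
printf 'ignored: this is not a .conf file\n' > "$MODPROBE_DEMO_DIR/README"

# modprobe_policy CONFDIR MODULE -> one summary line, return code as above
modprobe_policy() {
    dir=$1; mod=$2
    cat "$dir"/*.conf 2>/dev/null | awk -v mod="$mod" '
        /^[[:space:]]*#/ || NF == 0 { next }            # comments and blank lines
        $1 == "blacklist" && $2 == mod { bl = 1 }
        $1 == "install" && $2 == mod {                   # keep the command text verbatim
            inst = $0
            sub(/^[[:space:]]*install[[:space:]]+[^[:space:]]+[[:space:]]+/, "", inst)
        }
        $1 == "options" && $2 == mod {                   # options lines accumulate
            for (i = 3; i <= NF; i++) opts = opts " " $i
        }
        END {
            blstr = bl ? "yes" : "no"
            inststr = (inst == "") ? "-" : inst
            optstr = (opts == "") ? "-" : substr(opts, 2)
            printf "module=%s blacklist=%s install=%s options=%s\n", mod, blstr, inststr, optstr
            if (inst != "") exit 2
            if (bl) exit 1
            exit 0
        }'
}

for m in dccp pcspkr usb_storage kvm_intel e1000e; do
    modprobe_policy "$MODPROBE_DEMO_DIR" "$m" || true
done
```

The return-code split is the practical point: a fragment that only blacklists a protocol module such as dccp still lets `modprobe dccp` (or a dependency) load it, which is why hardening guides pair blacklist with an install line.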
Domain 3: System Startup
- systemd starts units in parallel based on declared dependencies and supports socket and D-Bus activation to launch services on demand.
- systemctl is the primary control tool: start, stop, restart, enable (autostart), disable, mask, and status; it is dependency-aware and logs to the journal.
- disable removes autostart but still permits manual start; mask symlinks the unit to /dev/null so it cannot be started by any means until unmasked.
- Ordering and requirements are separate: After=/Before= set sequence, while Wants= (soft) and Requires= (hard) set dependency strength; a network service should use After= and Wants= on network-online.target.
- systemctl set-default <target> sets the boot target (e.g., multi-user.target or graphical.target); systemctl list-dependencies <target> shows what it pulls in.
- rescue.target (formerly runlevel 1) gives a minimal single-user maintenance environment; emergency.target is even more minimal with only the root filesystem mounted read-only.
- Restart=on-failure with RestartSec= controls automatic restarts; StartLimitIntervalSec= and StartLimitBurst= (in the [Unit] section since systemd 230) stop a crash loop from restarting unbounded, after which the unit stays failed until systemctl reset-failed.
- A Type=oneshot service runs once and exits; pairing it with RemainAfterExit=yes keeps it reported as active after the process finishes.
- systemd timers can replace cron entries, adding journal logging, dependency handling, and Persistent=true, which runs a missed OnCalendar job at the next boot if the machine was off when it was due.
- At the GRUB menu, press 'e' to edit a boot entry and Ctrl-x (or F10) to boot it; appending rd.break (dracut initramfs) or init=/bin/bash to the linux line drops to a root shell for password recovery, with the root filesystem read-only until you remount it rw. Because this is local root without any password, protect the menu with a GRUB password (set superusers, or grub2-setpassword on Red Hat) on any machine whose console is reachable.
- After editing GRUB configuration sources, regenerate the config with grub2-mkconfig -o /boot/grub2/grub.cfg (Red Hat) or update-grub (Debian).
- journald storage and size are tuned with SystemMaxUse= (total disk cap), MaxRetentionSec= (age cap), and Storage= (volatile vs persistent) in journald.conf.
- nice -n 19 lowers CPU scheduling priority for a new command and renice 19 -p <pid> adjusts a running one; ionice -c2 -n7 sets best-effort I/O priority and -c3 sets idle.
- Configuration management and infrastructure-as-code tools like Ansible apply version-controlled desired state idempotently across many hosts, which keeps configuration drift in check.
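The unit directives above assembled into working units, as an added example rather than anything from the LPIC-2 page: a long-running service with crash-loop protection and cgroup caps, plus a oneshot job driven by a persistent timer. Unit names, paths and the user (app-worker, cache-prune, appworker) are hypothetical; the three files are shown in one block, separated by path comments.

```ini
# Added example, not from the LPIC-2 page. Install with
#   cp app-worker.service cache-prune.service cache-prune.timer /etc/systemd/system/
#   systemctl daemon-reload && systemd-analyze verify /etc/systemd/system/app-worker.service
#   systemctl enable --now app-worker.service cache-prune.timer

# /etc/systemd/system/app-worker.service  (long-running daemon)
[Unit]
Description=Example worker daemon
# ordering AND dependency: wait for the network to be usable, not just configured
After=network-online.target
Wants=network-online.target
# StartLimit* belong in [Unit] since systemd 230: at most 5 starts per 10 minutes,
# then the unit stays failed until `systemctl reset-failed app-worker`
StartLimitIntervalSec=600
StartLimitBurst=5

[Service]
Type=simple
ExecStart=/usr/local/bin/app-worker
Restart=on-failure
RestartSec=10s
# cgroup-enforced caps: processes in this cgroup are OOM-killed when it exceeds MemoryMax
MemoryMax=512M
CPUQuota=50%
# do not run as root; the daemon cannot gain privileges via setuid helpers
User=appworker
NoNewPrivileges=yes

[Install]
WantedBy=multi-user.target

# /etc/systemd/system/cache-prune.service  (oneshot, started by the timer below)
[Unit]
Description=Prune the application cache

[Service]
Type=oneshot
ExecStart=/usr/local/bin/cache-prune --older-than 7d
User=appworker

# /etc/systemd/system/cache-prune.timer
[Unit]
Description=Daily cache prune

[Timer]
OnCalendar=daily
# if the host was off at 00:00, run once at the next boot instead of skipping the day
Persistent=true
# spread load across a fleet so every host does not prune at the same second
RandomizedDelaySec=15min

[Install]
WantedBy=timers.target
```

`systemctl list-timers` shows the next and last trigger of cache-prune.timer, and `journalctl -u cache-prune.service` holds the job's output, which is the logging advantage over a cron entry.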
Domain 4: Filesystem and Devices
- Reference filesystems in /etc/fstab by UUID= or LABEL= rather than kernel device names like /dev/sdb1, because device names can change between boots while UUIDs are stable.
- Growing an ext filesystem on LVM is a two-step process: lvextend -L +10G /dev/vg/lv to enlarge the logical volume, then resize2fs /dev/vg/lv to grow the filesystem onto it (lvextend -r does both in one step).
- XFS can be grown online with xfs_growfs but cannot be shrunk; repair is done offline with xfs_repair on an unmounted device, and fsck.xfs is effectively a no-op.
- df reports block usage, but a filesystem can return 'No space left on device' while df shows free space if it has run out of inodes (typical with millions of tiny files); check inode usage with df -i.
- LVM snapshots create an online point-in-time copy of a volume for consistent backups without taking it offline; a snapshot is copy-on-write and needs its own extents, and it becomes invalid if it fills up before you drop it, so size it for the expected write rate and quiesce the application (or fsfreeze the mount) if you need application-level consistency.
- mount -o ro mounts a filesystem read-only, useful for safe inspection or recovery; mount -o remount,rw changes it back without unmounting.
- RAID provides disk fault tolerance (mdadm software RAID with levels like RAID1 or RAID6); layering LVM on top of RAID adds flexible logical volume management.
- rsync -aHAX --numeric-ids preserves hard links, ACLs, extended attributes, and raw numeric UID/GID, making it suitable for full filesystem-level migrations.
- Journaling filesystems (ext4, XFS) keep metadata consistent after a crash, but only if the storage honors cache flushes (write barriers): a volatile write-back cache without battery or flash backing can lose or reorder journal writes on power loss, so enable write-back caching only on controllers with a battery- or flash-backed cache.
- e2image -ra copies only the used blocks of an ext filesystem, producing a compact image far faster than a raw dd of the whole device.
- When extending storage you may first need to grow the physical volume and volume group (pvresize, vgextend) before lvextend has room to expand the logical volume.
- tar preserves permissions, ownership, and timestamps; combine it with a compressor via -z (gzip), -j (bzip2), or -J (xz) to produce .tar.gz, .tar.bz2, or .tar.xz archives.
- rsync uses a delta-transfer algorithm to send only changed file portions; --link-dest=<previous-backup> creates space-efficient incremental snapshots via hard links.
- NFS mount tuning uses rsize/wsize to set larger read/write block sizes for throughput, and write-critical data should avoid async exports to prevent data loss on server crash.
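The grow-a-volume workflow from the items above (pvresize or vgextend, then lvextend, then the filesystem-specific step) as a planner script, an added example that is not from the LPIC-2 page. It prints the commands in the correct order instead of running them, chooses resize2fs (which takes the device) or xfs_growfs (which takes the mount point) by filesystem type, and refuses shrinks. Volume group, device and mount names are hypothetical, and it assumes /dev/<vg>/<lv> paths rather than /dev/mapper/<vg>-<lv>.

```shell
#!/bin/sh
# Added example, not from the LPIC-2 page: emit the grow-a-volume command
# sequence in the right order, picking the filesystem step by type. It only
# prints commands (pipe the output into `sh -e` as root to execute), and it
# refuses shrinks: XFS cannot shrink at all and ext must be shrunk offline in
# the reverse order (umount, e2fsck -f, resize2fs SMALLER, lvreduce).
# Assumes /dev/<vg>/<lv> naming, not /dev/mapper/<vg>-<lv>.

# grow_plan LV_PATH MOUNTPOINT FSTYPE +SIZE [new-pv|grown-pv DEVICE]
#   new-pv   : a new disk was added; it must become a PV and join the VG
#   grown-pv : an existing PV's disk was enlarged (VM disk resize); pvresize it
#   (no mode): the VG already has free extents
grow_plan() {
    lv=$1; mnt=$2; fstype=$3; delta=$4; mode=${5:-}; dev=${6:-}
    vg=${lv#/dev/}; vg=${vg%%/*}

    case "$delta" in
        +*) ;;
        *)  echo "error: only growth (+SIZE) is planned; XFS cannot shrink, ext shrinks only offline" >&2
            return 2 ;;
    esac
    case "$fstype" in
        ext2|ext3|ext4) fs_step="resize2fs $lv" ;;     # resize2fs takes the block device
        xfs)            fs_step="xfs_growfs $mnt" ;;   # xfs_growfs takes the mount point
        *) echo "error: no online grow rule for filesystem type '$fstype'" >&2; return 2 ;;
    esac
    case "$mode" in
        new-pv)   [ -n "$dev" ] || { echo "error: new-pv needs a device" >&2; return 2; }
                  printf 'pvcreate %s\nvgextend %s %s\n' "$dev" "$vg" "$dev" ;;
        grown-pv) [ -n "$dev" ] || { echo "error: grown-pv needs a device" >&2; return 2; }
                  printf 'pvresize %s\n' "$dev" ;;
        "")       ;;
        *)        echo "error: mode must be new-pv or grown-pv" >&2; return 2 ;;
    esac
    printf 'lvextend -L %s %s\n%s\n' "$delta" "$lv" "$fs_step"
}

echo "# grow an XFS data volume after enlarging the VM disk behind /dev/sdb"
grow_plan /dev/vg0/data /srv/data xfs +10G grown-pv /dev/sdb
echo "# grow an ext4 volume onto a freshly added disk"
grow_plan /dev/vg0/home /home ext4 +5G new-pv /dev/sdc
```

Run `vgs` first to see whether the VG already has free extents; if it does, call the function without a mode and only the lvextend and filesystem step are emitted.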
Domain 5: Networking Configuration
- ip route from iproute2 prints the kernel routing table (destination, via gateway, dev); the legacy route -n shows the same data numerically.
- ip route add default via <gateway> sets the default route and ip route add 10.0.0.0/24 via 192.168.1.1 dev eth0 adds a static route; both are non-persistent and lost on reboot.
- ip addr add <ip>/<mask> dev <iface> assigns an address live; persistence requires a NetworkManager profile (nmcli) or the distro's interface config files.
- nmcli con add type ethernet with ipv4.method manual and a static ipv4.addresses entry creates a persistent connection profile under NetworkManager.
- ss -tlnp lists listening TCP sockets numerically with the owning PID and program, replacing the older netstat -tlnp for identifying which daemon owns a port.
- tcpdump uses BPF filter syntax: tcpdump -i eth0 tcp port 443 captures only HTTPS traffic on eth0, and -n disables name resolution for speed and clarity.
- nftables is the modern netfilter framework configured with nft; nft -f loads a complete ruleset from a file as one atomic transaction, and it supersedes iptables.
- iptables-save writes the running ruleset to stdout and iptables-restore reloads it; persist rules by redirecting that output into the file the distro loads at boot (/etc/sysconfig/iptables with the iptables-services package on Red Hat, /etc/iptables/rules.v4 via iptables-persistent on Debian).
- Bonding active-backup mode provides failover with no switch configuration, while 802.3ad (LACP) aggregates bandwidth but requires matching switch-side LACP configuration.
- Policy-based routing uses multiple routing tables plus ip rule entries to route by source address, mark, or other criteria rather than destination alone.
- SYN flood mitigation uses net.ipv4.tcp_syncookies (SYN cookies) and connection rate-limiting via nftables limit or iptables hashlimit.
- A floating/virtual IP managed by keepalived (VRRP) provides service failover between nodes; round-robin DNS is simpler but lacks health checks, weighting, and fast failover.
- sysctl name=value is runtime-only; network tunables like net.ipv4.ip_forward must be written to /etc/sysctl.conf or /etc/sysctl.d/ to persist across reboots.
- Tunnels and VPNs commonly break on MTU/MSS mismatch; lowering the interface MTU or clamping MSS (MSS clamping) fixes intermittent large-packet failures.
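The nftables half of the SYN-flood mitigation described above, written as a complete ruleset file. This is an added example, not from the LPIC-2 page; ports and rates are illustrative, and the sysctl half (net.ipv4.tcp_syncookies = 1 in /etc/sysctl.d/) is assumed to be set separately.

```nft
#!/usr/sbin/nft -f
# Added example, not from the LPIC-2 page: stateful host firewall with
# per-source limits on new TCP connections.
#   syntax-check without applying:  nft -c -f /etc/nftables.conf
#   apply as one atomic transaction: nft -f /etc/nftables.conf

flush ruleset

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;

        iif "lo" accept
        ct state established,related accept
        ct state invalid drop

        # SYN flood: one IPv4 source may open at most 20 new connections/s (burst 40);
        # add a matching rule keyed on ip6 saddr if the host is reachable over IPv6
        tcp flags & (fin|syn|rst|ack) == syn ct state new meter synflood { ip saddr limit rate over 20/second burst 40 packets } drop

        # SSH gets a tighter per-source limit against brute forcing
        tcp dport 22 ct state new meter ssh_bf { ip saddr limit rate over 4/minute burst 8 packets } drop

        tcp dport { 22, 80, 443 } ct state new accept

        icmp type echo-request limit rate 5/second accept
        # neighbour discovery must stay open or IPv6 breaks
        icmpv6 type { echo-request, nd-neighbor-solicit, nd-neighbor-advert, nd-router-advert } accept
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
    }
    chain output {
        type filter hook output priority 0; policy accept;
    }
}
```

Because nft -f replaces the ruleset atomically, a typo cannot leave the host half-filtered: either the whole file loads or the previous ruleset stays in force, which is the behaviour the check-then-load sequence above relies on.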
Domain 6: System Services
- OpenSSH server config is /etc/ssh/sshd_config (plus /etc/ssh/sshd_config.d/*.conf pulled in by Include on OpenSSH 8.2+); harden with PermitRootLogin no (or prohibit-password) and PasswordAuthentication no alongside key-based authentication. Check with sshd -t (syntax) or sshd -T (effective config; the first value of a keyword wins), then systemctl reload sshd so existing sessions survive.
- StrictModes in sshd rejects key auth if ~/.ssh or ~/.ssh/authorized_keys is group- or other-writable, or the user's home directory is writable by group/other; fix the permissions.
- Apache config lives under /etc/httpd (Red Hat) or /etc/apache2 (Debian); validate syntax with apachectl configtest or httpd -t before reloading.
- The DocumentRoot directive sets the directory served for a host or virtual host; the first-listed virtual host serves requests whose Host header matches no ServerName or ServerAlias.
- BIND's named reads named.conf; validate with named-checkconf and validate zone files with named-checkzone; forgetting to increment the SOA serial means secondaries never pull the update.
- A secondary (slave) DNS zone pulls updates by zone transfer (AXFR/IXFR), triggered by NOTIFY from the primary or by the SOA refresh timer, giving redundancy without manual zone editing; restrict allow-transfer on the primary to the secondaries' addresses (ideally TSIG-signed), otherwise anyone can dump the whole zone.
- Postfix reads main.cf (parameters like myhostname, mydestination, relayhost) and master.cf (service processes); relayhost = [smtp.isp.example]:587 routes outbound mail through a smart host, the brackets suppressing the MX lookup so the literal host is used.
- A typical mail stack pairs Postfix as the MTA with Dovecot as the IMAP/POP3 server and local delivery agent (via LMTP or dovecot-lda); transport_maps entries route specific domains to designated relays.
- Samba's smbd implements SMB/CIFS for Windows-compatible file and printer sharing, letting a Linux host serve shares to or join a Windows network.
- Apache's prefork MPM isolates each request in its own process at higher memory cost, while the event/worker MPM scales many connections cheaply using threads.
- rsyslog routes by facility.priority; a selector like *.info;mail.none;authpriv.none /var/log/messages logs everything at info and above except mail and authpriv.
- Centralized logging forwards over UDP (single @host) for speed or TCP (@@host) for in-order delivery; RELP (the omrelp module) adds application-level acknowledgements for reliable delivery, and any of them should be wrapped in TLS when auth logs cross a network.
- logrotate rotates by size or time, compresses old copies, and runs a postrotate script (e.g., signaling the daemon to reopen its log file); logrotate -d does a dry run.
- Nagios-style monitoring plugins signal state by exit code (0=OK, 1=WARNING, 2=CRITICAL, 3=UNKNOWN), and NRPE lets the monitoring server execute checks on remote hosts.
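An audit script for the sshd settings and the StrictModes rule above, as an added example (not from the LPIC-2 page). Two sshd_config details make a naive grep unreliable and are handled here: sshd keeps the first value it sees for a keyword (later duplicates are silently ignored), and anything after a Match line is conditional. The config files and home directory are constructed in a temporary directory so the script runs offline; on a real host `sshd -T` is the authority because it also resolves Include files.

```shell
#!/bin/sh
# Added example, not from the LPIC-2 page: audit PermitRootLogin and
# PasswordAuthentication with sshd's first-value-wins semantics, and check
# the permissions StrictModes enforces. All files below are constructed.

SSH_DEMO=$(mktemp -d)
cat > "$SSH_DEMO/sshd_config.weak" <<'EOF'
# constructed: the admin appended 'no' at the bottom, but the earlier 'yes' wins
Include /etc/ssh/sshd_config.d/*.conf
PasswordAuthentication yes
PermitRootLogin no
PasswordAuthentication no
Match User backup
    PermitRootLogin yes
EOF
cat > "$SSH_DEMO/sshd_config.hardened" <<'EOF'
# constructed
PermitRootLogin prohibit-password
PasswordAuthentication no
KbdInteractiveAuthentication no
EOF

# sshd_effective FILE KEYWORD -> first global value of KEYWORD, empty if unset.
# Assumes the "Keyword value" layout; the optional "Keyword=value" form is not parsed.
sshd_effective() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ || NF == 0 { next }
        { k = tolower($1) }
        k == "match" { inmatch = 1; next }   # globals must precede Match blocks
        inmatch { next }
        k == key && !found { found = 1; print $2 }
    ' "$1"
}

# sshd_audit FILE -> 0 if root login is restricted and password auth is off
sshd_audit() {
    f=$1; rc=0
    prl=$(sshd_effective "$f" PermitRootLogin)
    pa=$(sshd_effective "$f" PasswordAuthentication)
    prl=${prl:-prohibit-password}   # OpenSSH default since 7.0
    pa=${pa:-yes}                   # default is yes, so an absent line is weak
    case "$(printf '%s' "$prl" | tr 'A-Z' 'a-z')" in
        no|prohibit-password|without-password) ;;
        *) echo "WEAK: PermitRootLogin $prl"; rc=1 ;;
    esac
    case "$(printf '%s' "$pa" | tr 'A-Z' 'a-z')" in
        no) ;;
        *) echo "WEAK: PasswordAuthentication $pa (first occurrence wins)"; rc=1 ;;
    esac
    if [ "$rc" -eq 0 ]; then echo "OK: root login restricted, password auth disabled"; fi
    return $rc
}

# strictmodes_check HOME -> 1 if StrictModes would reject this user's keys:
# home, ~/.ssh or authorized_keys writable by group or other.
strictmodes_check() {
    rc=0
    for p in "$1" "$1/.ssh" "$1/.ssh/authorized_keys"; do
        [ -e "$p" ] || continue
        mode=$(ls -ld "$p" | cut -c1-10)   # e.g. drwxrwxr-x; char 6 = group w, char 9 = other w
        case "$mode" in
            ?????w????|????????w?) echo "BAD: $p is group/other-writable ($mode); chmod go-w it"; rc=1 ;;
        esac
    done
    return $rc
}

sshd_audit "$SSH_DEMO/sshd_config.weak" || true
sshd_audit "$SSH_DEMO/sshd_config.hardened" || true
mkdir -p "$SSH_DEMO/home/.ssh"; chmod 775 "$SSH_DEMO/home/.ssh"
: > "$SSH_DEMO/home/.ssh/authorized_keys"
strictmodes_check "$SSH_DEMO/home" || true
```

The weak file is the classic trap: the appended `PasswordAuthentication no` does nothing because the earlier `yes` is already in force, and on OpenSSH 8.2+ a drop-in under sshd_config.d included at the top would win over both.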
LPIC-2 exam tips
- Know the persistence boundary cold: ip addr/ip route, sysctl -w, and modprobe options given on the command line are all volatile, while /etc/sysctl.d/, /etc/modprobe.d/, NetworkManager profiles, and iptables-save output redirected into the distro's rules file make them survive a reboot. The exam loves to ask which command persists a change.
- For each network service, memorize the daemon name, its main config file, and its syntax-check command: sshd_config, httpd/apache2 + apachectl configtest, named.conf + named-checkconf/named-checkzone, main.cf for Postfix. Wrong config path by distro is a common trap.
- Distinguish systemd verbs and directives precisely: enable vs start, disable vs mask, Wants= vs Requires=, After= (ordering only) vs Wants=/Requires= (dependency), and network.target vs network-online.target. These nuanced differences appear repeatedly.
- Practice the LVM grow workflow end to end (pvresize, vgextend, lvextend -L +N, then resize2fs for ext or xfs_growfs for XFS) and remember XFS cannot shrink and uses xfs_repair, not fsck.
- Read interpretation of monitoring output is heavily tested: nonzero si/so means swapping, high %iowait plus D-state processes means I/O bottleneck, and 'available' (not 'free') memory is the real metric. Be ready to diagnose from sample vmstat/iostat/free output.
Study guide FAQ
How is the LPIC-2 certification structured and what does each exam cover?
LPIC-2 requires passing two exams, 201 and 202, each with 60 questions in 90 minutes, scored on a 200-800 scale with 500 needed to pass. The 201 exam covers capacity planning, the Linux kernel, system startup, filesystems/devices, and advanced storage; the 202 exam covers networking configuration, DNS, web services, file sharing, email, and system security. You must hold an active LPIC-1 to receive the LPIC-2 certificate.
How much of the exam is command-line recall versus conceptual?
A large share is exact command, option, and file-path recall: you must know flags like rsync -aHAX, ss -tlnp, lvextend -L +10G, and config paths such as /etc/ssh/sshd_config and main.cf. The remainder tests diagnosis and architecture, such as interpreting vmstat/iostat output or choosing active-backup versus 802.3ad bonding. Fill-in-the-blank questions give no answer choices, so spelling commands and paths correctly matters.
Do I need to know both systemd and the legacy SysV/init tooling?
Focus primarily on systemd, since it is dominant on current distributions: systemctl, unit dependency directives, targets, journald tuning, and systemd timers. You should still recognize legacy equivalents (runlevels mapping to targets, cron versus timers, route versus ip) because questions sometimes contrast the old and new tools or ask which modern command replaces a deprecated one.
Is the exam tied to a specific distribution like Red Hat or Debian?
No, LPIC-2 is intentionally distribution-neutral, but it expects you to know where both families differ. The classic split is config locations such as /etc/httpd versus /etc/apache2 and grub2-mkconfig versus update-grub. Expect questions that hinge on knowing both Red Hat-family and Debian-family conventions rather than assuming one.