linux plus practice test Advanced Practice Exam: Hard Questions 2025

A Linux server uses systemd-networkd and is multihomed: eno1 (management) and eno2 (production). After a maintenance window, the server intermittently loses SSH connectivity on the management network, but production traffic remains stable. `ip route` shows two default routes with different metrics, and packet captures show replies leaving via the wrong interface (asymmetric routing). You must make routing deterministic so replies to management-sourced connections always return via eno1 without breaking production routing. Which approach is BEST?

A host runs a database on LVM-backed storage. You extend the underlying virtual disk and then run `pvresize` and `lvextend -l +100%FREE /dev/vg0/db`. The logical volume shows the new size, but the filesystem remains unchanged and the application still reports the old capacity. The filesystem is XFS and is mounted at `/var/lib/db`. What is the MOST appropriate next step with minimal downtime?

You are hardening a multi-user build server. Developers must be able to run a single maintenance script as root via sudo, but the script needs a controlled set of environment variables (e.g., `BUILD_ID`) and must not allow privilege escalation via environment injection or path manipulation. Which sudoers configuration is BEST?

A security team reports that a systemd service running as a non-root user can still read `/etc/shadow` when it should not. The service unit includes `User=appsvc` and the file permissions on `/etc/shadow` are correct. Audit logs show the service successfully opening the file shortly after startup. Which is the MOST likely cause?

You are designing network segmentation for containerized workloads on a single Linux host. Security requires that containers cannot initiate connections to the host management interface, but containers must still reach the internet and selected internal services. You want a solution that is auditable, persistent, and does not rely on per-container manual firewall rules. Which approach is BEST?

You maintain a fleet of Linux servers and need to automate a change: update a config file only if a specific key is present, create a timestamped backup of the original, validate syntax before restarting the service, and ensure the operation is idempotent. You must use shell scripting (not a full configuration management platform). Which design is BEST?

A CI pipeline builds container images and must prevent secrets from ending up in the final image layers. During build, the process needs access to a private SSH key to fetch a dependency. Which approach BEST meets the requirement to avoid persisting secrets in image layers?

After enabling a new systemd drop-in for `sshd.service`, SSH logins start failing intermittently. `systemctl status sshd` shows the service is active, but logs include: `sshd[PID]: error: Bind to port 22 on 0.0.0.0 failed: Address already in use`. You also notice a socket unit `sshd.socket` is enabled. What is the MOST likely root cause and fix?

A production system intermittently hangs under I/O load. `top` shows high iowait, and `dmesg` shows repeated messages about a disk being reset. The root filesystem is on that disk. You need to collect actionable diagnostics for the storage team while keeping the system stable and minimizing additional I/O. Which is the BEST next step?

A service fails only when started by systemd, but works when started manually from an interactive shell. The unit file includes `ExecStart=/usr/local/bin/app`. `journalctl -u app` shows: `app: error while loading shared libraries: libcustom.so: cannot open shared object file`. The library exists in `/opt/custom/lib`. You must fix this in a secure, maintainable way consistent with best practices. What should you do?