Practice area
LPIC-1 101: GNU and Unix Commands
Use core command-line tools to inspect files, transform text, manage processes, and explain output under exam-style pressure.
Linux One Liners is an independent study and practice resource. It is not affiliated with, endorsed by, or approved by LPI, The Linux Foundation, CompTIA, or any certification provider. This site does not provide exam dumps or real exam questions.
Source status: LPI LPIC-1 overview verified July 3, 2026. Current version 5.0; exams 101-500 and 102-500.
This page paraphrases study areas into command practice. It does not copy official objective text wholesale and is not an exam dump.
Plain-English goal
Practice area: shell commands, text filters, file operations, streams, processes, priorities, regex, and editing. Exam/domain: 101-500.
read the situation
Command, output, and next step
Command anatomy
find /var -xdev -type f -mtime -7 -size +10M -printf '%u %s %TY-%Tm-%Td %p\n' 2>/dev/null | sort -k3,3r | head -20
- `find`: walk a directory tree
- `-xdev`: stay on one filesystem when present
- `-type f`: limit the result to files
- `-size`/`-mtime`/`-perm`: filter by size, age, or mode
- `-printf`: choose the fields you need to read
Annotated output
root 524288000 2026-07-03 /var/log/journal/2f/system.journal
www-data 248512000 2026-07-02 /var/log/nginx/access.log
deploy 146800640 2026-07-01 /var/tmp/app-export.tar
What to notice
- owner: who owns the file
- bytes: how large it is before human formatting
- date: whether this is recent growth
- path: the exact file, not the directory guess
Safe vs unsafe move
Common wrong move
Deleting the largest file without proving its mount point, owner, or whether a service still has it open.
Next safe command
du -xhd1 /var | sort -h
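The three things the wrong move skips (owner, mount point, open handles) can be read without changing anything. The following is an added example, not part of the original page; `open_pids` and `preflight` are hypothetical helper names, and it assumes GNU `stat` and a Linux `/proc`.

```bash
#!/usr/bin/env bash
# Added example: read-only checks to run before removing a large file.
# open_pids and preflight are hypothetical helper names, not from the page.

# PIDs that hold the file open, found by reading /proc/<pid>/fd symlinks.
# Without root only your own processes are visible, so "none" is not proof.
open_pids() {
    local target fd pid
    target=$(readlink -f -- "$1") || return 2
    for fd in /proc/[0-9]*/fd/*; do
        [ "$(readlink -- "$fd" 2>/dev/null)" = "$target" ] || continue
        pid=${fd#/proc/}
        echo "${pid%%/*}"
    done | sort -un
}

# Print owner, size and mount point, then the visible holders.
# Returns 0 when nothing visible holds the file, 1 when something does.
preflight() {
    local file holders
    file=$1
    [ -f "$file" ] || { echo "not a regular file: $file" >&2; return 2; }
    stat -c 'owner=%U bytes=%s mount=%m path=%n' -- "$file"
    holders=$(open_pids "$file" | paste -sd, -)
    if [ -n "$holders" ]; then
        echo "open_by=$holders"
        return 1
    fi
    echo "open_by=none"
}
```

A return of 1 means a visible process still holds the file, so removing it would not free the space until that process closes the file or is restarted.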
Troubleshooting ladder
- Name the symptom.
- Inspect read-only state.
- Find the owner, service, file, device, mount, or route.
- Read the decisive output field.
- Choose the next narrow command.
- Avoid broad or destructive changes.
- Make the smallest justified change if required.
- Verify and record what changed.
How to get help
- Know the command: use `command --help`, then `man command` for the full reference.
- Know the concept: use `apropos keyword` or `man -k keyword` to discover command names.
- Maybe a shell builtin: use `type command`, `command -V command`, then `help command`.
- Service behavior: use `systemctl status service` and `journalctl -u service` before restarting.
- Package ownership: use `dpkg -S`, `rpm -qf`, or the distro package tool for the installed file.
Study plan
- Rehearse everyday shell movement and file operations, including globbing, quoting, hidden files, and safe previews before removal.
- Build text pipelines one stage at a time: search, cut fields, sort, count, and summarize without losing the original evidence.
- Practice process inspection before signaling: PID, PPID, state, command arguments, CPU, memory, job control, and priority.
- Use regex and vi basics enough to edit a config in a terminal without breaking syntax.
Command labs
Run these in a lab shell or disposable machine first. The point is to explain the output, not just memorize the command.
Find files by attributes
find /var -xdev -type f -mtime -7 -size +10M -printf '%u %s %TY-%Tm-%Td %p\n' 2>/dev/null | sort -k3,3r | head -20
Recent large files should be sorted by date with byte counts and full paths.
Annotated output
root 524288000 2026-07-03 /var/log/journal/2f/system.journal
www-data 248512000 2026-07-02 /var/log/nginx/access.log
deploy 146800640 2026-07-01 /var/tmp/app-export.tar
What to notice: owner, bytes, date, path.
Next safe command: du -xhd1 /var | sort -h
Count repeated log patterns
grep -iE 'error|failed|denied' /var/log/syslog 2>/dev/null | cut -d' ' -f5- | sort | uniq -c | sort -nr | head
Repeated messages should be grouped and counted so the noisy issue is obvious.
Annotated output
3 nginx[2310]: open() "/srv/app/current/.env" failed (13: Permission denied)
2 sshd[2249]: Failed password for invalid user deploy from 203.0.113.44
1 app[412]: ERROR db timeout user=ana
What to notice: count, service/process, message, object, next-check.
Next safe command: grep -Rni -C2 'Permission denied' /var/log 2>/dev/null | head -80
Inspect process tree
ps -eo pid,ppid,stat,pcpu,pmem,comm,args --sort=-pcpu | head -25
High-CPU processes should include PID, parent PID, state, and command arguments.
Annotated output
PID PPID STAT %CPU %MEM COMMAND COMMAND
421 1 S 87.4 12.1 python3 python3 worker.py
2310 1 S 3.2 1.4 nginx nginx: worker process
944 1 Ss 0.5 0.8 sshd /usr/sbin/sshd -D
What to notice: PID/PPID, STAT, CPU/MEM, command/args.
Next safe command: systemctl status worker.service --no-pager
command families
Commands to practice
pwd, ls, cp, mv, rm, find, grep, sed, awk, sort, uniq, cut, wc, xargs, ps, kill, nice, renice, vi
Flashcards
Why sort before head in a ranking pipeline?
head should receive already-ranked rows; otherwise it only shows the first original lines.
What does xargs help with?
It turns input rows into command arguments, but it must be used carefully with spaces and destructive commands.
Why inspect PPID before killing a process?
The parent process can explain whether a process is supervised or part of a larger service tree.
What is the difference between grep -n and grep -C?
-n shows line numbers; -C adds context lines around matches.
command purpose
When does `grep -n -C2` beat a plain `grep`?
Use it when the matching line is not enough. `-n` gives a line number and `-C2` shows nearby context so you can decide the next narrow command.
Log triage: read the evidence around the match before editing files or restarting services.
expected output field
In `sort | uniq -c | sort -nr`, which field proves the repeat count?
The first numeric column from `uniq -c` is the count. The final `sort -nr` ranks the largest repeated messages first.
Use this to separate the loudest repeated failure from one-off log noise.
dangerous wrong move
Why is `rm -rf /var/log` the wrong answer to repeated log errors?
It destroys evidence and does not fix the service or file that produced the errors. Read the repeated message and inspect the named object instead.
Deletion is not troubleshooting.
next diagnostic step
A grep match names `/srv/app/current/.env`. What should come next?
Run `namei -l /srv/app/current/.env` to inspect each path component before changing permissions.
The failure may be directory traversal, not the final file mode.
help command
You forgot what `grep -C` does. What local help should you use first?
Run `grep --help` for a quick flag reminder, then `man grep` if you need the full reference.
Cert practice should teach how to recover from memory gaps.
safe first command
Before sending a kill signal, which process field should you inspect?
Inspect PID, PPID, state, CPU, memory, and command arguments with `ps`. PPID often reveals a supervisor or parent service.
A process tree explains whether killing one child will actually solve anything.
flag meaning
Why preview `xargs` targets with `echo`?
It proves which arguments would be passed before a destructive command receives them.
This is especially important when filenames contain spaces or surprising characters.
cert objective link
What skill connects grep pipelines, ps output, and xargs safety?
Reading command output before chaining actions. The LPIC topic is command fluency, but the real habit is safe interpretation.
Pipelines are only useful if each stage preserves the evidence you need.
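An added example (not from the original page) for the two `xargs` flashcards: it builds a constructed lab directory containing a filename with a space and compares how many arguments `xargs` receives with and without NUL delimiters. The function names are hypothetical, and `find -print0` and `xargs -0` are assumed to be available as on GNU systems.

```bash
#!/usr/bin/env bash
# Added example: preview what xargs would pass before any rm runs.
# make_lab, naive_args, safe_args and preview_rm are hypothetical names.

# Build a constructed lab directory with one awkward filename.
make_lab() {
    local dir
    dir=$(mktemp -d)
    touch "$dir/app.log" "$dir/old report.log"
    echo "$dir"
}

# Whitespace splitting: "old report.log" is passed as two arguments.
naive_args() {
    find "$1" -type f -name '*.log' | xargs -n 1 echo | wc -l
}

# NUL-delimited: each path stays one argument regardless of whitespace.
safe_args() {
    find "$1" -type f -name '*.log' -print0 | xargs -0 -n 1 echo | wc -l
}

# Preview the exact rm command lines without running them.
preview_rm() {
    find "$1" -type f -name '*.log' -print0 | xargs -0 -n 1 echo rm --
}
```

With two files in the lab, `naive_args` counts three arguments and `safe_args` counts two; only replace `echo rm --` with `rm --` once the preview lists exactly the paths you expect.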
interactive shell
Pipeline output playground
Pick a pipeline and compare how each stage changes the same small log sample.
Input sample
Jul 03 10:01 app[412]: INFO started worker
Jul 03 10:03 app[412]: ERROR db timeout user=ana
Jul 03 10:04 app[412]: ERROR db timeout user=ana
Jul 03 10:07 app[510]: WARN retrying request user=bo
Jul 03 10:08 app[510]: ERROR permission denied user=bo
Pipeline
grep ERROR app.log
Output
Jul 03 10:03 app[412]: ERROR db timeout user=ana
Jul 03 10:04 app[412]: ERROR db timeout user=ana
Jul 03 10:08 app[510]: ERROR permission denied user=bo
Filtering first leaves only error rows.