Practice area

LPIC-1 101: GNU and Unix Commands

Use core command-line tools to inspect files, transform text, manage processes, and explain output under exam-style pressure.

Linux One Liners is an independent study and practice resource. It is not affiliated with, endorsed by, or approved by LPI, The Linux Foundation, CompTIA, or any certification provider. This site does not provide exam dumps or real exam questions.

Source status

Source status: LPI LPIC-1 overview verified July 3, 2026. Current version 5.0; exams 101-500 and 102-500.

This page paraphrases study areas into command practice. It does not copy official objective text wholesale and is not an exam dump.

Plain-English goal

Practice area: shell commands, text filters, file operations, streams, processes, priorities, regex, and editing. Exam/domain: 101-500.

read the situation

Command, output, and next step

Command anatomy

find /var -xdev -type f -mtime -7 -size +10M -printf '%u %s %TY-%Tm-%Td %p\n' 2>/dev/null | sort -k3,3r | head -20

  • find: walk a directory tree
  • -xdev: stay on one filesystem when present
  • -type f: limit the result to files
  • -size/-mtime/-perm: filter by size, age, or mode
  • -printf: choose the fields you need to read

Annotated output

root 524288000 2026-07-03 /var/log/journal/2f/system.journal
www-data 248512000 2026-07-02 /var/log/nginx/access.log
deploy 146800640 2026-07-01 /var/tmp/app-export.tar

What to notice

  • owner: who owns the file
  • bytes: how large it is before human formatting
  • date: whether this is recent growth
  • path: the exact file, not the directory guess

Safe vs unsafe move

Common wrong move

Deleting the largest file without proving its mount point, owner, or whether a service still has it open.

Next safe command

du -xhd1 /var | sort -h

Troubleshooting ladder

  1. Name the symptom.
  2. Inspect read-only state.
  3. Find the owner, service, file, device, mount, or route.
  4. Read the decisive output field.
  5. Choose the next narrow command.
  6. Avoid broad or destructive changes.
  7. Make the smallest justified change if required.
  8. Verify and record what changed.

How to get help

  1. Know the command: Use `command --help`, then `man command` for the full reference.
  2. Know the concept: Use `apropos keyword` or `man -k keyword` to discover command names.
  3. Maybe a shell builtin: Use `type command`, `command -V command`, then `help command`.
  4. Service behavior: Use `systemctl status service` and `journalctl -u service` before restarting.
  5. Package ownership: Use `dpkg -S`, `rpm -qf`, or the distro package tool for the installed file.

Study plan

  1. Rehearse everyday shell movement and file operations, including globbing, quoting, hidden files, and safe previews before removal.
  2. Build text pipelines one stage at a time: search, cut fields, sort, count, and summarize without losing the original evidence.
  3. Practice process inspection before signaling: PID, PPID, state, command arguments, CPU, memory, job control, and priority.
  4. Use regex and vi basics enough to edit a config in a terminal without breaking syntax.

Command labs

Run these in a lab shell or disposable machine first. The point is to explain the output, not just memorize the command.

Find files by attributes

find /var -xdev -type f -mtime -7 -size +10M -printf '%u %s %TY-%Tm-%Td %p\n' 2>/dev/null | sort -k3,3r | head -20

Recent large files should be sorted by date with byte counts and full paths.

Annotated output
root 524288000 2026-07-03 /var/log/journal/2f/system.journal
www-data 248512000 2026-07-02 /var/log/nginx/access.log
deploy 146800640 2026-07-01 /var/tmp/app-export.tar

What to notice: owner, bytes, date, path.

Next safe command: du -xhd1 /var | sort -h

Count repeated log patterns

grep -iE 'error|failed|denied' /var/log/syslog 2>/dev/null | cut -d' ' -f5- | sort | uniq -c | sort -nr | head

Repeated messages should be grouped and counted so the noisy issue is obvious.

Annotated output
3 nginx[2310]: open() "/srv/app/current/.env" failed (13: Permission denied)
2 sshd[2249]: Failed password for invalid user deploy from 203.0.113.44
1 app[412]: ERROR db timeout user=ana

What to notice: count, service/process, message, object, next-check.

Next safe command: grep -Rni -C2 'Permission denied' /var/log 2>/dev/null | head -80
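An added example (not part of the original page) that runs the lab's counting pipeline over constructed syslog lines and shows one edge case: traditional syslog pads single-digit days with two spaces, so `cut -d' ' -f5-` keeps the hostname on those lines and splits one message into two groups. The sample lines, the host name `web1`, and the `sed` variant are assumptions made for illustration.

```bash
#!/usr/bin/env bash
# Constructed sample: the same sshd failure logged on "Jul  3" (padded day) and "Jul 13".
sample_log() {
  cat <<'EOF'
Jul  3 10:01:07 web1 sshd[2249]: Failed password for invalid user deploy from 203.0.113.44
Jul  3 10:01:09 web1 sshd[2249]: Failed password for invalid user deploy from 203.0.113.44
Jul 13 09:15:40 web1 sshd[2249]: Failed password for invalid user deploy from 203.0.113.44
Jul 13 09:16:02 web1 nginx[2310]: open() "/srv/app/current/.env" failed (13: Permission denied)
Jul 13 09:16:05 web1 app[412]: INFO started worker
EOF
}

# Pipeline from the lab: cut treats every single space as a field boundary,
# so the padded day adds an empty field and the hostname leaks into the key.
count_with_cut() {
  sample_log | grep -iE 'error|failed|denied' | cut -d' ' -f5- |
    sort | uniq -c | sort -nr
}

# Variant: strip "Mon DD HH:MM:SS host " by pattern, so padding does not matter.
count_with_sed() {
  sample_log | grep -iE 'error|failed|denied' |
    sed -E 's/^[A-Z][a-z]{2} +[0-9]+ [0-9:]+ [^ ]+ //' |
    sort | uniq -c | sort -nr
}

# First column of the top row is the repeat count (awk ignores uniq's padding).
top_count()   { "$1" | awk 'NR==1 {print $1}'; }
# Number of distinct message groups the pipeline produced.
group_count() { "$1" | wc -l | tr -d ' '; }

echo "cut -d' ' -f5-  (groups: $(group_count count_with_cut))"; count_with_cut
echo "pattern strip   (groups: $(group_count count_with_sed))"; count_with_sed
```

If the top count looks lower than expected, check whether the grouping key still contains a field that varies per line (host, PID, timestamp) before trusting the ranking.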

Inspect process tree

ps -eo pid,ppid,stat,pcpu,pmem,comm,args --sort=-pcpu | head -25

High-CPU processes should include PID, parent PID, state, and command arguments.

Annotated output
PID  PPID STAT %CPU %MEM COMMAND   COMMAND
421  1    S    87.4 12.1 python3   python3 worker.py
2310 1    S     3.2  1.4 nginx     nginx: worker process
944  1    Ss    0.5  0.8 sshd      /usr/sbin/sshd -D

What to notice: PID/PPID, STAT, CPU/MEM, command/args.

Next safe command: systemctl status worker.service --no-pager

command families

Commands to practice

  • pwd
  • ls
  • cp
  • mv
  • rm
  • find
  • grep
  • sed
  • awk
  • sort
  • uniq
  • cut
  • wc
  • xargs
  • ps
  • kill
  • nice
  • renice
  • vi

Related drills

Flashcards

Why sort before head in a ranking pipeline?

head should receive already-ranked rows; otherwise it only shows the first original lines.

What does xargs help with?

It turns input rows into command arguments, but it must be used carefully with spaces and destructive commands.

Why inspect PPID before killing a process?

The parent process can explain whether a process is supervised or part of a larger service tree.

What is the difference between grep -n and grep -C?

-n shows line numbers; -C adds context lines around matches.

command purpose

When does `grep -n -C2` beat a plain `grep`?

Use it when the matching line is not enough. `-n` gives a line number and `-C2` shows nearby context so you can decide the next narrow command.

Log triage: read the evidence around the match before editing files or restarting services.

expected output field

In `sort | uniq -c | sort -nr`, which field proves the repeat count?

The first numeric column from `uniq -c` is the count. The final `sort -nr` ranks the largest repeated messages first.

Use this to separate the loudest repeated failure from one-off log noise.

dangerous wrong move

Why is `rm -rf /var/log` the wrong answer to repeated log errors?

It destroys evidence and does not fix the service or file that produced the errors. Read the repeated message and inspect the named object instead.

Deletion is not troubleshooting.

next diagnostic step

A grep match names `/srv/app/current/.env`. What should come next?

Run `namei -l /srv/app/current/.env` to inspect each path component before changing permissions.

The failure may be directory traversal, not the final file mode.

help command

You forgot what `grep -C` does. What local help should you use first?

Run `grep --help` for a quick flag reminder, then `man grep` if you need the full reference.

Cert practice should teach how to recover from memory gaps.

safe first command

Before sending a kill signal, which process field should you inspect?

Inspect PID, PPID, state, CPU, memory, and command arguments with `ps`. PPID often reveals a supervisor or parent service.

A process tree explains whether killing one child will actually solve anything.

flag meaning

Why preview `xargs` targets with `echo`?

It proves which arguments would be passed before a destructive command receives them.

This is especially important when filenames contain spaces or surprising characters.
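An added example (not from the original page) of that preview, using constructed file names in a temporary directory: it prints each argument `xargs` would pass, first with default whitespace splitting and then with NUL-delimited input. The function names and file names are illustrative.

```bash
#!/usr/bin/env bash
# Build a throwaway directory with constructed names: one plain, one with a space.
make_lab() {
  local lab
  lab=$(mktemp -d)
  touch "$lab/app.log" "$lab/old export.tar"
  printf '%s\n' "$lab"
}

# Default xargs splits on blanks and newlines, so "old export.tar" arrives
# as two arguments. Each argument is printed on its own line inside <>.
preview_unsafe() {
  find "$1" -type f | xargs sh -c 'printf "<%s>\n" "$@"' _
}

# NUL-delimited names survive intact. Still a preview: nothing is removed.
preview_safe() {
  find "$1" -type f -print0 | xargs -0 sh -c 'printf "<%s>\n" "$@"' _
}

# Count how many arguments a preview function would hand to the command.
arg_count() { "$1" "$2" | wc -l | tr -d ' '; }

lab=$(make_lab)
echo "default splitting: $(arg_count preview_unsafe "$lab") arguments"
preview_unsafe "$lab"
echo "NUL-delimited:     $(arg_count preview_safe "$lab") arguments"
preview_safe "$lab"
rm -r "$lab"
```

Two files produce three arguments under default splitting; a destructive command fed that list would act on paths that are not the files `find` reported.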

cert objective link

What skill connects grep pipelines, ps output, and xargs safety?

Reading command output before chaining actions. The LPIC topic is command fluency, but the real habit is safe interpretation.

Pipelines are only useful if each stage preserves the evidence you need.

Quick quiz

Which pipeline counts repeated matching log messages?

Answer: grep pattern file | sort | uniq -c | sort -nr

Why: The pipeline searches, groups, counts, and ranks repeated lines.

  • rm -rf /var/log: That destroys or removes state before the evidence is understood.
  • chmod 777 file: That changes access broadly before proving which path component or owner is wrong.
  • systemctl reboot: That changes runtime state before reading the output that explains the failure.

Which command should you run to inspect a process before sending kill signals?

Answer: ps

Why: ps shows process identity and state.

  • mkfs: That destroys or removes state before the evidence is understood.
  • passwd: That does not answer the question the output is asking you to prove first.
  • tar -x: That does not answer the question the output is asking you to prove first.

What is a safer first step before xargs rm?

Answer: xargs echo or print the target list

Why: Preview the argument list before destructive action.

  • run it with sudo immediately: That raises privilege before you have proved the target and effect.
  • hide errors: That does not answer the question the output is asking you to prove first.
  • delete recursively: That destroys or removes state before the evidence is understood.

interactive shell

Pipeline output playground

Pick a pipeline and compare how each stage changes the same small log sample.

Input sample

Jul 03 10:01 app[412]: INFO started worker
Jul 03 10:03 app[412]: ERROR db timeout user=ana
Jul 03 10:04 app[412]: ERROR db timeout user=ana
Jul 03 10:07 app[510]: WARN retrying request user=bo
Jul 03 10:08 app[510]: ERROR permission denied user=bo

Pipeline

grep ERROR app.log

Output

Jul 03 10:03 app[412]: ERROR db timeout user=ana
Jul 03 10:04 app[412]: ERROR db timeout user=ana
Jul 03 10:08 app[510]: ERROR permission denied user=bo

Filtering first leaves only error rows.

Self-test before moving on