Unit 3 - Practice Quiz

A package manager is a tool that automates the management of software packages, handling tasks like installation, upgrades, and dependency resolution, which simplifies software administration.

A dependency is a prerequisite piece of software that must be installed for another program to work. Package managers are crucial for automatically identifying and installing these dependencies.

dnf (and its predecessor yum) is the standard high-level package manager for RPM-based systems. apt-get is for Debian-based systems, and pacman is for Arch Linux.

Files used by the Red Hat Package Manager are packaged with the .rpm extension. .deb is for Debian packages, .tar.gz is a compressed archive, and .exe is for Windows executables.

The sudo apt update command synchronizes the local package index files from the repositories. apt upgrade is used to install the newest versions of all packages currently installed.

dpkg is the underlying package manager for Debian-based systems. Higher-level tools like apt and apt-get use dpkg to perform package installation, removal, and management.

The ./configure script prepares the source code for compilation on the specific system by checking for necessary libraries, tools, and system features, and then generating a customized Makefile.

The make utility follows the instructions in the Makefile (created by the ./configure script) to convert the human-readable source code into machine-executable binary files.

A repository (or 'repo') is a storage location from which your system retrieves and installs software updates and applications. Package managers are configured to use one or more repositories.

The official repositories contain software that has been tested and packaged specifically for the distribution, making it the most secure and reliable method for acquiring software.

Sandboxing creates a controlled, isolated environment. If the sandboxed application is compromised, the isolation helps prevent it from harming the rest of the system.

Containerization technologies are a popular way to create isolated (sandboxed) environments where applications can run with their own dependencies and limited access to the host system.

RAID is a storage technology that combines multiple physical disk drives into one or more logical units for the purposes of data redundancy, performance improvement, or both.

The primary physical difference is that SSDs use flash memory chips for data storage, resulting in faster access times and better durability, whereas HDDs rely on mechanical spinning disks and read/write heads.

Formatting (or 'making a filesystem') is the process of preparing a data storage device such as a hard disk drive or partition for initial use by writing a new filesystem to it.

The Fourth Extended Filesystem (ext4) is a journaling file system for Linux and the successor to ext3. It is the default for many popular distributions like Debian and Ubuntu. NTFS is for Windows, and APFS is for macOS.

NAS is a file-level computer data storage server connected to a computer network, providing data access to a diverse group of clients.

LVM adds a layer of abstraction over physical storage, allowing administrators to create logical volumes that can be easily resized, moved, and managed without repartitioning disks.

The df (disk free) command reports filesystem disk space usage. The -h flag makes the output 'human-readable' (e.g., showing MB and GB instead of just blocks).

S.M.A.R.T. is a monitoring system included in storage devices that detects and reports on various indicators of reliability, with the intent of enabling the anticipation of hardware failures.

The command rpm -qf (query file) is used to determine which installed package owns a specific file. yum whatprovides (or dnf whatprovides) is similar but queries configured repositories to find which package provides a file, regardless of whether it's installed. rpm -ql lists all files within an installed package, but you need to know the package name first. dnf search searches package names and descriptions, not file paths.

apt list --upgradable is the modern and direct command to display a list of all packages that can be upgraded. apt-get upgrade --simulate (or -s) will show what would happen during an upgrade but is more verbose. dpkg --get-selections | grep hold lists packages that are explicitly held back from upgrades. apt-cache policy shows repository priority information but doesn't list upgradable packages directly.

The first step in using a block device with LVM is to initialize it as a Physical Volume (PV) using the pvcreate command. Only after a device is a PV can it be added to a Volume Group (VG) with vgcreate or vgextend. Creating a filesystem with mkfs or a logical volume with lvcreate are later steps in the process and cannot be done on a raw, unprepared block device.

The make utility uses the -j or --jobs flag to specify the number of commands to run simultaneously, which parallelizes the compilation process across multiple CPU cores. make -j 8 will run up to 8 jobs in parallel. The other options use incorrect syntax or commands for the standard make utility.

This is a classic issue. When a file is deleted, its name is removed from the directory structure, so du (which sums file sizes) no longer sees it. However, if a process still has the file open, the kernel will not release the blocks on the disk. df reports block usage from the filesystem's perspective and correctly shows the space as still occupied. The space is only truly freed when the process closes the file handle (or terminates).

The main goal of sandboxing is isolation. It uses kernel features like namespaces and cgroups to create a restricted environment for an application. If the sandboxed application is compromised, the attacker's access is limited to the sandbox, preventing them from easily affecting the host operating system or other applications. While containers help with dependencies, their primary security benefit is isolation.

The fundamental difference lies in the access protocol and how the storage is presented to the client. A NAS device serves files over the network (file-level access). A client operating system sees it as a network share. A SAN provides block-level access (like iSCSI or Fibre Channel), which makes the remote storage appear as a local disk to the client operating system, which can then be partitioned and formatted with a filesystem.

Language-specific package managers and version managers (like nvm for Node.js, pyenv for Python, rbenv for Ruby) are designed specifically for this purpose. They allow developers to manage project-specific dependencies in an isolated environment (node_modules folder) without affecting system-wide installations or other projects. The other methods all involve system-wide installation, which is what needs to be avoided.

The dnf command can install local RPM files while resolving their dependencies from configured repositories. The --enablerepo flag allows you to temporarily enable a disabled repository for a single transaction. This is the most direct way to solve the problem. Option B is incorrect as rpm has no --resolve-deps flag. Option C would fail on the first command. Option D uses rpm for the final install, which would not resolve dependencies from the newly enabled repo.

The dd command is the classic tool for this task. if=/dev/zero provides a stream of null bytes, and bs=1M count=2048 specifies writing 2048 blocks of 1 Megabyte each, resulting in a 2GB file filled with zeros. While fallocate and truncate can create a file of a specific size much faster, they create a sparse file, which is not pre-allocated with zeros. mkfs is used to create a filesystem inside a file or on a device, not to create the file itself.

On Debian-based systems, running apt-get install <package_name> for a package that is already installed will cause apt to check the repositories for a newer version. If one is found, it will upgrade that specific package and any dependencies it requires. apt-get upgrade would upgrade all upgradable packages. The --only-upgrade flag is a valid flag for apt-get install, but simply running apt-get install openssl achieves the same desired outcome and is more common practice. Using dpkg directly would not resolve any new dependencies the updated package might have.

'Dependency hell' is the classic problem where installing or updating one piece of software breaks another. This typically occurs because Application A needs libfoo.so.1, while Application B needs libfoo.so.2, and the system can only have one version easily accessible, or installing one overwrites the other. Modern package managers and containerization are designed to mitigate this problem.

The correct process is to first create the Logical Volume (LV) from the Volume Group (VG) using lvcreate. Then, a filesystem is created on the newly created LV device (/dev/vg_name/lv_name). Finally, an entry is added to /etc/fstab for persistent mounting, and the filesystem is mounted. The other options perform these steps in the wrong order or use incorrect commands (lvextend is for resizing, not creating).

The standard convention for software compiled manually by a local administrator is to install it into the /usr/local hierarchy. This isolates it from the software managed by the system's package manager (which typically uses /usr/bin, /usr/lib, etc.), preventing conflicts and making it easier to manage or remove manually installed software. While this default can be changed with a ./configure --prefix=/path option, /usr/local is the standard default.

This command pipeline is a powerful way to find large disk space consumers. du -ah calculates disk usage for all files and directories in a human-readable format. This output is then piped to sort -rh, which sorts the lines numerically (-n) in reverse (largest first, -r), correctly interpreting the human-readable suffixes like M and G (-h). Finally, head -n 20 displays the top 20 largest items. ls -lSh only shows file sizes in the current directory, not subdirectories. find is good but requires you to guess a size (+100M). df shows overall filesystem usage, not individual file/directory sizes.

AppArmor and SELinux are Mandatory Access Control (MAC) systems. They work by enforcing a detailed security policy that is independent of standard Linux user/group permissions. A profile (AppArmor) or context (SELinux) is associated with an application, and the kernel's Linux Security Module (LSM) framework enforces the rules in that policy, such as what files it can read/write or what network capabilities it has. This is a more granular and powerful control than just running as an unprivileged user.

RAID 1 (Mirroring) writes identical data to two or more disks simultaneously. This provides excellent redundancy, as the array can survive the failure of any single disk (in a 2-disk array). However, since every piece of data must be written to every disk in the mirror, the write performance is typically limited to the speed of the slowest disk in the set and offers no improvement over a single disk. Read performance, however, can be improved as data can be read from any disk in the mirror.

AppImage is a format for distributing portable software on Linux that does not require superuser permissions to install. The entire application and its dependencies are contained within a single file. The standard procedure is to download the file, make it executable using chmod, and then simply execute it. It does not integrate with the system package manager like apt or yum.

Swap space (either a partition or a file) is used by the kernel as virtual memory. When the system's physical RAM is full, the kernel's memory manager can 'swap out' memory pages that are not currently in active use to the swap space on the disk. This frees up RAM for active processes. It also enables hibernation, where the entire contents of RAM are written to swap before shutdown.

A repository (or 'repo') is a remote storage location from which package managers like apt and dnf retrieve and install software. It contains the actual package files (e.g., .deb, .rpm), along with metadata files that list available packages, their versions, and their dependencies. It also typically holds GPG keys to verify the authenticity and integrity of the packages.

dnf update --allowerasing is the correct choice because it allows DNF to resolve the conflict by removing the package that owns the conflicting file (bar-1.0) to complete the transaction for foo-2.0. This is superior to --skip-broken, which would simply not update foo and its dependents. Forcing removal with rpm -e --nodeps is risky and can leave the system in an inconsistent state. --setopt=tsflags=noscripts would not resolve a file conflict.

This configuration correctly sets the priorities. The default priority for installed packages is 100. The default for uninstalled packages from a target release is 500. A priority between 500 and 1000 allows version downgrades. A priority > 1000 will force a version, even if it's a downgrade. By setting the testing version to 900, apt will prefer it over stable (default 500) for installation. Crucially, by setting the Debian-Security label to 1001 for nginx, any package from a security repository will be prioritized over all other versions, ensuring security patches are always applied first.

LD_LIBRARY_PATH is a mechanism to tell the dynamic linker where to find shared libraries at runtime. The ./configure script and the subsequent compilation process need to know where to find libraries and header files at compile time. LDFLAGS is used to pass options to the linker (like -L to add a library search path), and CPPFLAGS is used to pass options to the C preprocessor (like -I to add an include file search path). This is the standard, most portable way to solve the issue when a specific --with-... flag is not available or doesn't work.

When an XFS log recovery fails, it means the primary recovery mechanism is broken. The -L option for xfs_repair tells it to zero out (reset) the log. This is a last-resort option that may result in the loss of metadata for transactions that were in-flight during the crash, but it is often the only way to make the filesystem mountable again without a full mkfs. The other options are incorrect: xfs_repair -n is a no-op check; mount will likely fail again without addressing the log issue; xfs_admin -z is not a standard command for this purpose, and zeroing the log is what -L does.

ProtectSystem=strict mounts /usr and /boot read-only and /etc read-only for the service. PrivateNetwork=yes sets up a new network namespace with only a loopback device (lo), satisfying the network requirement. ReadWritePaths=/var/lib/legacy-svc creates a writeable bind mount for the state directory. BindReadOnlyPaths=/etc is redundant with ProtectSystem=strict but reinforces the read-only requirement for /etc. This combination is the most direct and secure way to achieve the stated goals using modern systemd features. The other options are either less secure or don't meet all requirements (RootDirectory is too restrictive; InaccessiblePaths=/ would block needed access; NetworkNamespacePath is for joining existing namespaces).

This sequence is correct and demonstrates a nuanced understanding of LVM thin provisioning.

1. lvcreate -L 20G -T vg_data/thin_pool: This command creates the thin pool. The -T or --thinpool flag is key. The size (-L 20G) specifies the actual physical space allocated for the pool.
2. lvcreate -V 100G -T vg_data/thin_pool -n lv_thin: This creates the thin logical volume. -V or --virtualsize specifies the apparent size of the volume (100GiB), which can be larger than the pool itself. -T specifies which pool it belongs to, and -n gives it a name.
3. mkfs.ext4 /dev/vg_data/lv_thin: Formats the newly created thin volume. The other options use incorrect syntax or misunderstand the relationship between the thin pool and the thin volume.

This is the canonical ZFS workflow for this task. zfs snapshot zpool1/data@backup creates an instantaneous, read-only, space-efficient snapshot of the dataset. The second command, zfs clone zpool1/data@backup zpool1/dev_clone, then creates a new writable dataset (zpool1/dev_clone) whose initial contents are identical to the snapshot. This clone is also space-efficient, as it only stores new or modified blocks (Copy-on-Write). send/receive is for replication, not local cloning. Cloning a dataset directly is not possible; you must clone a snapshot. promote is used for swapping a clone with its origin dataset.

This sequence is correct for a basic verification. gpg --import dev.key adds the developer's public key to the user's keyring. gpg --verify app.tar.gz.asc app.tar.gz then uses the public key to check if the signature in app.tar.gz.asc is valid for the file app.tar.gz. GPG will output a 'Good signature' message but also a warning like 'This key is not certified with a trusted signature!'. This is expected and correct behavior, as the user has not established a trust path to the key. The option with --edit-key and setting ultimate trust (5) is insecure without out-of-band verification of the key's fingerprint. The other options use incorrect commands or logic.

For large sequential workloads, striped configurations excel. RAID-Z1 is ZFS's equivalent of RAID 5, offering striping with single-parity protection. ZFS is particularly well-suited for this task because its integrated nature (volume manager + filesystem) avoids the abstraction penalties of LVM+MD+FS. Its Copy-on-Write architecture and advanced caching (ARC) are highly beneficial for large file I/O. RAID 10 would sacrifice half the capacity for mirroring and doesn't offer as much sequential read performance as a wide stripe. LVM RAID 5 suffers from the 'write hole' and generally has poorer performance than ZFS's RAID-Z. RAID 0 provides no redundancy, making it unsuitable for a critical workload.

The %pretrans scriptlet is executed at the very beginning of a transaction, before any packages are installed or erased. A non-zero exit code from this scriptlet will cause the entire DNF/YUM transaction to abort. This is the correct place for a global pre-flight check that must pass for the transaction to even begin. %pre runs just before the specific package is installed but after the transaction has been validated and started. %verifyscript runs during rpm -V. %triggerin runs when another package is installed.

When a file is deleted on a Unix-like system, the disk space is not freed until all processes that have the file open close their file descriptors. The truncate command can be used to shrink a file to a specified size. By targeting the file descriptor in the /proc filesystem (/proc/<pid>/fd/<fd_num>), we can command the kernel to truncate the underlying file data to zero bytes, which immediately frees the disk space, even while the process keeps the (now empty) file descriptor open. Restarting or killing the process would also work but is forbidden by the prompt. drop_caches affects memory caches, not disk allocation for deleted files. Sending SIGHUP might cause the daemon to re-read its config, but it's not guaranteed to close and reopen log files.

While apt-cache policy is useful for seeing available versions, aptitude in its interactive mode is the most powerful tool for diagnosing and resolving complex dependency conflicts. When you try to install libfoo1 within aptitude, it will present one or more potential solutions to the conflict, clearly showing the dependency chains and trade-offs (e.g., "keep libfoo1 at current version", "downgrade package X to satisfy Y"). This analytical capability is far superior to the often-terse output of apt or apt-get for such intricate problems. dpkg --get-selections only shows the hold state, not the reason. apt-get -f install is for fixing broken dependencies, not resolving holds due to version conflicts.

The --private=<dir> option is the most effective and concise way to achieve this. It creates a new, temporary home directory for the sandboxed application and then bind-mounts the specified directory (~/Pictures in this case) inside that new home directory. This automatically denies access to all other files in the user's real home directory (like ~/.ssh, ~/.config, etc.) while providing access to the required folder. The default firejail profile will handle X11 and D-Bus access appropriately. --private alone creates a completely empty temporary home. --whitelist works from the current home directory and is less secure than creating a new private one. --blacklist is prone to errors as you might miss a directory.

This is a classic iSCSI setup issue. The discovery process works because it's a broadcast/request that doesn't typically require authentication or authorization. The login process, however, is where the target authenticates the initiator. A common security practice is to configure an Access Control List (ACL) on the target that specifies which initiator IQNs (iSCSI Qualified Names) are allowed to log in. If the client's IQN (from /etc/iscsi/initiatorname.iscsi) isn't in the target's ACL, the target will simply refuse or drop the connection, often resulting in a timeout on the client side. A CHAP error would produce a specific authentication failure message (code 24), not a timeout. Incorrect portal IP would cause discovery to fail. An offline LUN would typically allow a login to succeed but fail I/O later.

checkinstall is specifically designed for this scenario. It monitors the make install step to see what files are being placed where. Instead of letting them be copied directly into the filesystem, it packages them into a proper .deb, .rpm, or Slackware package. This package can then be installed with the system's package manager (dpkg -i or rpm -i), making the system aware of the software and allowing for clean uninstallation. stow is an alternative but works differently (symlinks from /usr/local/stow/). make package is not a universal standard. alien is for converting existing packages, not creating them from source.

The inline_data filesystem feature allows ext4 to store the contents of very small files directly within the inode table itself, rather than allocating a separate data block. This dramatically reduces storage overhead for workloads with a vast number of tiny files because it saves the space of a data block (typically 4KB) and the pointer to it for each file that fits. Changing the bytes-per-inode ratio (-i) would allow for more files but wouldn't make the storage of each file more efficient. A smaller block size (-b 1024) helps but has performance trade-offs and doesn't eliminate the block allocation entirely like inline_data does. large_file is for supporting files >2TB and is irrelevant here.

This is a fundamental concept of Copy-on-Write (CoW) filesystems with snapshots. When a file is "deleted" from the active subvolume, the filesystem only removes the link to it from the current filesystem tree. The actual data blocks on disk are not freed as long as at least one snapshot still references them. The space is only truly reclaimed when the last reference (from both the active filesystem and all snapshots) to a data block is removed. Therefore, to free the space, the administrator must delete the old snapshots that are holding onto the data.

This option correctly identifies the core difference and its security consequence. A statically linked binary is a monolithic file containing all necessary code from its libraries. If a vulnerability (like Heartbleed in OpenSSL) is found in a library, every single statically linked application that used it must be individually recompiled and redeployed. With dynamic linking, the binary only contains references to shared libraries (.so files) on the system. To patch the vulnerability, an administrator only needs to update the single shared library file (e.g., libssl.so), and all dynamically linked applications will automatically and immediately use the patched version upon their next launch.

In an initramfs environment, device discovery can be complex. Even if the RAID array is assembled, LVM might have already scanned for physical volumes (PVs) and found nothing, populating its cache with this negative result. pvscan uses this cache and thus also finds nothing. The command vgscan (or lvm vgscan) forces a re-scan of all block devices for LVM metadata, ignoring the potentially stale cache. The --mknodes option ensures that the device nodes in /dev are created if they are missing. Once the scan successfully identifies the PV on /dev/md0 and the vg_root volume group, vgchange -ay can activate the logical volumes within it, allowing the boot process to continue.

This is the correct approach for integrating non-Flatpak software into a Flatpak ecosystem. The Flatpak manifest file is a blueprint that tells flatpak-builder what to do. It can be configured to download a specific .deb file as a source, run commands to extract it, and then place the resulting files in the correct locations within the Flatpak's sandbox filesystem (/app). This results in a fully self-contained Flatpak package that can be installed and managed like any other, perfectly adhering to the company policy. The other methods violate the 'Flatpak-only' rule or, in the case of Docker, introduce a different containerization technology that is less suited for desktop GUI applications.