Senior Linux Admin Interview Question #2

You can see all the questions I have compiled here.

Question

You are already logged into a server and a user runs a fork bomb script. How can you stop the fork bomb without restarting the server or bringing any services offline that are currently running?

You also know the name of the running fork bomb script.

Reason for this question

This will tell you how well the candidate knows the signals Linux uses with processes. I would think most people would say the easy thing:

killall -9 scriptName

This will not work due to the nature of a fork bomb. The reason is that killall does not hold a lock on the process table, so for each process that is killed a new one takes its place in the process table.

Also, you will not be able to run killall at all, because the shell has to fork off another process to run it.

This question also tells you if the admin knows about Linux internals: just running killall will fork a new process, but running exec killall will run killall in the current process and not fork a new one.

Answer

So for this I will use a fork bomb script that is written in C. Below is an example

#include <unistd.h>

int main(void)
{
  for(;;)
    fork();
  return 0;
}

We can compile it like

gcc -o fork fork.c

So the way to stop it is sending a SIGSTOP signal to each fork bomb process and once they are all stopped you can send a SIGKILL to each process.

So if you run a

killall -STOP fork

You will get an error message like resources not available, so you cannot run that. You can run it with exec.

exec killall -STOP fork
exec killall -9 fork

That will stop the fork bomb.
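
The stop-then-kill sequence above, as an added example that is not part of the original post: it does the same job with shell builtins only (glob, read, kill), which goes beyond the exec killall shown on the page in that the shell neither forks nor is replaced. The names freeze_then_kill, demo and fbdemo are hypothetical, and the demo uses harmless idle workers rather than a fork bomb.

```bash
#!/usr/bin/env bash
# Added example: freeze every process with a given name, then kill the frozen
# set, using only shell builtins (glob, read, kill) so the shell never forks.

KILLED=0   # set by freeze_then_kill: how many processes were sent SIGKILL

freeze_then_kill() {
    local name="$1" frozen="" progress=1 d pid comm
    # Rescan /proc until a full pass finds no match that is not yet frozen.
    while [ "$progress" -eq 1 ]; do
        progress=0
        for d in /proc/[0-9]*; do
            pid=${d#/proc/}
            case " $frozen " in *" $pid "*) continue ;; esac
            { read -r comm < "$d/comm"; } 2>/dev/null || continue
            [ "$comm" = "$name" ] || continue
            kill -STOP "$pid" 2>/dev/null && { frozen="$frozen $pid"; progress=1; }
        done
    done
    # A stopped process cannot fork, so nothing replaces the ones killed here.
    KILLED=0
    for pid in $frozen; do
        kill -KILL "$pid" 2>/dev/null && KILLED=$((KILLED + 1))
    done
    return 0
}

# Constructed demo: three idle workers that rename themselves stand in for the
# bomb's processes; no fork bomb is run.
demo() {
    local name="fbdemo$$" dir workers="" pid c i
    dir=$(mktemp -d) || return 1
    mkfifo "$dir/block"
    for i in 1 2 3; do
        ( printf '%s' "$name" > /proc/self/comm; read -r c < "$dir/block" ) &
        workers="$workers $!"
    done
    for pid in $workers; do       # wait until each worker has renamed itself
        until read -r c < "/proc/$pid/comm" && [ "$c" = "$name" ]; do :; done
    done
    freeze_then_kill "$name"
    wait $workers 2>/dev/null || true   # reap, so no zombies keep the name
    rm -rf "$dir"
}
```

/proc/<pid>/comm holds at most 15 characters, so a longer script name has to be passed truncated to that length.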

Senior Linux Admin Interview Question #1

So I’m starting a bit of a series on my blog. I’ve found there are no good senior level Linux admin questions out there to ask. A lot of companies with a sys admin team have their default questions they ask but when you are hiring your first sys admin and want a senior guy there is no real way to tell how good he is if no one on your team knows Linux all that well.

So maybe some of these will help some companies figure it all out.

Question

The server is running Apache and by mistake one of the log files gets deleted via

rm domain.com-access_log

Without installing any 3rd party recovery tools, how can you recover this file that your boss needs? Also assume that Apache was not restarted after the log file was deleted.

Reason for this question

This is a really tough question to answer. I would think a lot of senior guys might not even know the answer to this. I certainly did not when I got it asked by Google five years ago.

If the person gets it right I would say he has a really great grasp of how the Linux /proc filesystem works, and I would say he is a pretty solid admin if he answered all your other questions correctly.

Answer

So the simple answer is the deleted file is still held open by Apache so it can still be recovered in the /proc filesystem.

So here is how to get to it. For example I have a really small access_log

  4 -rw-r--r--   1 root root   2262 Jan 13 12:32 access_log

So let's remove it

rm -f access_log

So the file has been deleted now. Let's find the process number for the main Apache process. It will be owned by root.

[root@laptop httpd]# ps aux | grep httpd
root      8070  0.0  0.3  38468 10948 ?        Ss   12:31   0:00 /usr/sbin/httpd
apache    8072  0.0  0.1  38388  5844 ?        S    12:31   0:00 /usr/sbin/httpd
apache    8073  0.0  0.3  40752 11532 ?        S    12:31   0:00 /usr/sbin/httpd

So we see that the pid for the main Apache process is 8070. Now let's list its file descriptors

ls -lsa /proc/8070/fd

We get something like

0 l-wx------ 1 root root 64 Jan 13 12:34 11 -> /var/log/httpd/access_log (deleted)

As you can see, that is our file and it's marked as deleted, so we can do

cp /proc/8070/fd/11 /tmp/access_log

Then from there you can stop Apache, move the access_log back to its correct place and start Apache back up.
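
The /proc recovery above as a reusable script (an added example, not part of the original post): it finds the descriptor by matching the "(deleted)" link target instead of reading the ls output by eye. The function names and the background sleep standing in for httpd are assumptions made for the demo.

```bash
#!/usr/bin/env bash
# Added example: recover a deleted file that a running process still holds open.

# find_deleted_fd PID PATH: print the descriptor number whose /proc link reads
# "PATH (deleted)"; return 1 if the process holds no such descriptor.
find_deleted_fd() {
    local pid="$1" path="$2" fd
    for fd in /proc/"$pid"/fd/*; do
        if [ "$(readlink "$fd" 2>/dev/null)" = "$path (deleted)" ]; then
            echo "${fd##*/}"
            return 0
        fi
    done
    return 1
}

# recover_deleted PID PATH DEST: copy the still-open contents out to DEST.
recover_deleted() {
    local fd
    fd=$(find_deleted_fd "$1" "$2") || return 1
    cp "/proc/$1/fd/$fd" "$3"
}

# Constructed demo: a background sleep stands in for httpd holding its log open.
demo() {
    local dir log pid rc=0
    dir=$(cd "$(mktemp -d)" && pwd -P) || return 1   # /proc shows resolved paths
    log="$dir/access_log"
    printf 'constructed line 1\nconstructed line 2\n' > "$log"
    exec 9>>"$log"                  # open for append, as a logging daemon would
    sleep 30 >/dev/null 2>&1 &      # child inherits descriptor 9
    pid=$!
    exec 9>&-                       # only the child holds the file now
    rm -f "$log"                    # the accidental delete
    recover_deleted "$pid" "$log" "$dir/recovered" || rc=$?
    [ "$rc" -eq 0 ] && cat "$dir/recovered"
    kill "$pid" 2>/dev/null
    rm -rf "$dir"
    return "$rc"
}
```

The copy is a snapshot: the process keeps writing to the deleted inode until it is restarted, so take the copy as late as possible before stopping the service.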

One of my most hated interview questions used to be “How many IPs in this subnet?”

I used to hate this question. I was reading a post on Reddit about some guy that went through the programming interview at Facebook and it made me remember the simple interview question I always hated answering. It always went something like this

How many usable IPs in a /24

Ok that is an easy one.. 256-2=254 not a big deal.. next!

Then they would ask

How many usable IPs in a /28

That is what usually made me say “Networking is not really my strong point” Well got that one wrong.. So I went out to fix this many many years ago. Well there’s an easy step you can do in your head.

All subnets going up are half of the one below it. So your /24 would have 256 IPs in it. So it would go like this

/25 = 128
/26 = 64
/27 = 32
/28 = 16

So there was my answer: 16 IPs, and 14 are usable. It's really that easy to figure out. Anything between /24 and /32 is easy to figure out if you can do the math in your head like that. You can do the opposite if they give you a /29

/32 = 1
/31 = 2
/30 = 4
/29 = 8

Now there is also a little math formula you can use.

So back to our question. If we want to know how many usable IPs are in a /28, we would go like

2^(32-28) - 2

Which would be

(2^4) - 2 = 14

That broken down is like saying

(2*2*2*2) - 2 = 14

When you toss exponents in it gets a bit rough, but it's easier if they tell you.. So how many in a /20

(2^(32-20)) = 4096

We won’t worry about usable in this case because it depends how you will subnet it off.