The complete Linux command reference for DevOps engineers — file system, processes, networking, SSH, systemd, and bash one-liners for production.
Essential commands for navigating directories and managing files on production servers.
pwd ## Print current working directory
ls -la ## List all files with permissions and owner
ls -lhS ## List sorted by size, human-readable
cd - ## Return to previous directory
tree -L 2 ## Directory tree, 2 levels deep
mkdir -p /opt/app/logs ## Create nested directories
cp -r /opt/app/ /opt/app-bak/ ## Recursive copy
mv /tmp/config.yaml /etc/app/ ## Move or rename file
rm -rf /tmp/build/ ## Force delete directory
stat /etc/nginx/nginx.conf ## Full file metadata and timestamps
Parameter Breakdown:
- `-la`: Combines `-l` long format and `-a` show hidden files
- `-lhS`: `-h` human-readable sizes, `-S` sort by size descending
- `-p`: Create all parent directories without error if they exist
- `-r`: Recursive; applies operation to all nested contents

find /var/log -name "*.log" -mtime +7 ## Files older than 7 days
find /app -name "*.conf" -type f ## All config files under /app
du -sh /var/log/* ## Size of each item in /var/log
du -sh * | sort -rh | head -10 ## Top 10 largest in current dir
df -h ## Disk space per mount point
df -ih ## Inode usage per mount point
Parameter Breakdown:
- `-mtime +7`: Files modified more than 7 days ago
- `-type f`: Match files only, not directories
- `-sh`: `-s` summary per argument, `-h` human-readable output
- `-ih`: Shows inode counts; full inodes block new files even with free space

chmod 755 /opt/app/deploy.sh ## rwxr-xr-x owner full, others r+x
chmod 644 /etc/app/config.yaml ## rw-r--r-- owner rw, others read
chmod -R 750 /opt/app/ ## Recursive permission change
chown appuser:appgroup /opt/app/ ## Change owner and group
chown -R nginx:nginx /var/www/html/ ## Recursive ownership change
stat -c "%a %n" /etc/nginx/nginx.conf ## Show octal permissions
Quick Permission Reference:
| Octal | Symbol | Meaning |
|---|---|---|
| 7 | rwx | Read, write, execute |
| 6 | rw- | Read and write only |
| 5 | r-x | Read and execute |
| 4 | r-- | Read only |

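
The octal digits in the permission reference, worked through as an added example (not part of the original page): shell functions that decode a mode such as 755 into its symbolic form and list world-writable files from the `stat -c "%a %n"` output shown earlier. The function names are illustrative, and `stat -c` assumes GNU or BusyBox `stat`.

```shell
#!/bin/sh
# Added example: decode octal permission modes and flag world-writable files.

# Map one octal digit (0-7) to its rwx triplet, as in the reference table.
digit_to_rwx() {
    case "$1" in
        0) echo "---" ;; 1) echo "--x" ;; 2) echo "-w-" ;; 3) echo "-wx" ;;
        4) echo "r--" ;; 5) echo "r-x" ;; 6) echo "rw-" ;; 7) echo "rwx" ;;
        *) return 1 ;;
    esac
}

# Convert a 3-digit octal mode (e.g. 755) to symbolic form (rwxr-xr-x).
mode_to_symbolic() {
    mode=$1
    case "$mode" in
        [0-7][0-7][0-7]) ;;
        *) echo "invalid mode: $mode" >&2; return 1 ;;
    esac
    o=${mode%??}                 # owner digit
    rest=${mode#?}
    g=${rest%?}                  # group digit
    w=${mode#??}                 # others digit
    printf '%s%s%s\n' "$(digit_to_rwx "$o")" "$(digit_to_rwx "$g")" "$(digit_to_rwx "$w")"
}

# Succeed when the "others" digit (last one) has the write bit (2) set.
is_world_writable() {
    others=${1#"${1%?}"}
    [ $(( others & 2 )) -ne 0 ]
}

# Print "MODE SYMBOLIC PATH" for every world-writable file under directory $1.
audit_world_writable() {
    find "$1" -type f -exec stat -c '%a %n' {} + 2>/dev/null |
    while read -r m path; do
        padded=$(printf '%03d' "$m")        # stat prints 44 for mode 044
        short=${padded#"${padded%???}"}     # drop a leading setuid/sticky digit
        if is_world_writable "$short"; then
            echo "$m $(mode_to_symbolic "$short") $path"
        fi
    done
}
```

After sourcing the file, `audit_world_writable /opt/app` lists any file under that tree whose mode grants write access to all users.
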
ps aux ## All processes with user, PID, CPU, MEM
ps aux --sort=-%cpu | head -10 ## Top CPU-consuming processes
ps -ef --forest ## Full process tree
kill PID ## Graceful stop (SIGTERM)
kill -9 PID ## Force kill (SIGKILL) — last resort
kill -HUP PID ## Reload config without restart
pkill -f "node /app/index.js" ## Kill by full command pattern
lsof -i :4000 ## Which process is using port 4000
lsof -p 1234 ## All files opened by PID 1234
nohup ./start.sh & ## Run after terminal closes
Parameter Breakdown:
- `aux`: Shows all processes for all users with detailed resource columns
- `-9`: Sends SIGKILL; the process cannot catch or ignore this signal
- `-HUP`: Sends SIGHUP; nginx and other daemons reload config on this signal
- `-f`: Match against the full command string including arguments

systemctl start nginx
systemctl stop nginx
systemctl restart nginx
systemctl reload nginx ## Reload config without full restart
systemctl status nginx ## Status and last journal lines
systemctl enable nginx ## Enable on boot
systemctl disable nginx ## Disable on boot
systemctl daemon-reload ## Reload after editing unit files
systemctl list-units --failed ## Show all failed units
Parameter Breakdown:
- `reload`: Sends SIGHUP; faster than restart, no downtime
- `daemon-reload`: Required after creating or editing .service files in /etc/systemd/system/
- `--failed`: Filters to only units in a failed state

journalctl -u nginx ## All logs for nginx
journalctl -u nginx -f ## Follow live log output
journalctl -u nginx -n 100 ## Last 100 lines
journalctl -u nginx --since "1 hour ago" ## Logs from last hour
journalctl -p err -b ## All errors since last boot
journalctl --since "2024-01-15 10:00" \
--until "2024-01-15 11:00" ## Time range query
journalctl --disk-usage ## Total journal size on disk
Parameter Breakdown:
- `-u`: Filter by systemd unit name
- `-f`: Follow mode; streams new lines as they arrive
- `-p err`: Priority filter (err, warning, info, debug)
- `-b`: Since last boot; useful for crash post-mortems

ip a ## All interfaces and IP addresses
ip r ## Routing table
ss -tulpn ## All listening ports with processes
ss -tulpn | grep :443 ## Who is listening on port 443
dig api.razorpay.com +short ## DNS lookup, IP only
dig @8.8.8.8 api.razorpay.com ## Query specific DNS server
curl -I https://api.example.com ## HTTP response headers only
curl -w "\nTotal: %{time_total}s\n" \
https://api.example.com ## Response time measurement
ping -c 4 db.internal.swiggy.net ## Connectivity test, 4 packets
mtr db.internal.swiggy.net ## Live continuous traceroute
Parameter Breakdown:
- `-tulpn`: `-t` TCP, `-u` UDP, `-l` listening, `-p` process name, `-n` numeric
- `+short`: Returns only the resolved IP, no verbose DNS output
- `-I`: HEAD request; retrieves headers without downloading body
- `-w`: Write-out format for timing and response metrics

ssh ubuntu@10.0.1.50 -i ~/.ssh/prod.pem ## Connect with identity file
ssh -p 2222 ubuntu@10.0.1.50 ## Non-standard port
ssh -L 5432:localhost:5432 \
ubuntu@bastion.internal.zerodha.net ## Tunnel remote DB to local
scp deploy.sh ubuntu@10.0.1.50:/opt/app/ ## Copy file to remote host
rsync -avz ./dist/ \
ubuntu@10.0.1.50:/opt/app/dist/ ## Incremental directory sync
ssh-keygen -t ed25519 -C "ops@zerodha.net" ## Generate ed25519 keypair
ssh-copy-id ubuntu@10.0.1.50 ## Push public key to host
Parameter Breakdown:
- `-i`: Identity file; path to the private key for authentication
- `-L`: Local port forward, written as local_port:remote_host:remote_port
- `-avz`: `-a` archive mode, `-v` verbose, `-z` compress during transfer
- `ed25519`: Preferred over RSA; shorter keys with stronger security

grep "ERROR" /var/log/app/error.log ## Lines containing ERROR
grep -r "connection refused" /var/log/ ## Recursive search
grep -n "FATAL" /var/log/app/error.log ## Show matching line numbers
grep -c "ERROR" /var/log/app/error.log ## Count matching lines
grep -A 3 -B 2 "FATAL" /var/log/app/app.log ## 3 after, 2 before match
awk '{print $1, $9}' /var/log/nginx/access.log ## Print columns 1 and 9
awk '$9 == "500" {print $0}' access.log ## Lines where col 9 is 500
sed 's/old-host/new-host/g' config.yaml ## Replace all occurrences
sed -i 's/DEBUG/INFO/g' /etc/app/app.conf ## Replace in-place
cut -d: -f1 /etc/passwd ## First field using : delimiter
sort -k2 -rn report.txt ## Sort by col 2, reverse numeric
sort | uniq -c | sort -rn ## Count duplicates (uniq needs sorted input), sort desc
Parameter Breakdown:
- `-r`: Recursive; search all files in directory tree
- `-n`: Prefix each match with its line number
- `-A` / `-B`: Lines of context after/before each match
- `-i` (sed): In-place edit; modifies the file directly
- `-d`: Delimiter character for cut

free -h ## RAM and swap in human-readable units
vmstat 1 5 ## CPU and memory stats, 5 samples
uptime ## Load average: 1m, 5m, 15m
iostat -xz 1 3 ## Disk I/O stats, 3 samples
iotop ## Live per-process disk I/O
top -bn1 | grep "Cpu(s)" ## Single-shot CPU snapshot
cat /proc/meminfo | \
grep -E "MemAvailable|Cached" ## Detailed memory breakdown
dmesg | grep -i "oom\|killed" ## OOMKiller events in kernel log
Parameter Breakdown:
- `-h`: Human-readable; converts bytes to KB/MB/GB automatically
- `-xz`: `-x` extended stats, `-z` omit zero-activity devices
- `-bn1`: `-b` batch mode, `-n1` single iteration; scriptable snapshot
- `vmstat 1 5`: Sample interval 1 second, total of 5 samples

## Kill whichever process owns a port
## -sTCP:LISTEN limits the match to the listener, not clients connected to the port
kill $(lsof -t -i:3000 -sTCP:LISTEN)
## Health check with pass/fail output
curl -sf http://localhost:4000/health \
&& echo "UP" || echo "DOWN"
## Compress logs older than 7 days
find /var/log/app -name "*.log" \
-mtime +7 -exec gzip {} \;
## Watch disk usage, refresh every 2 seconds
watch -n 2 'df -h'
## Test TCP port without telnet
timeout 3 bash -c \
'cat < /dev/null > /dev/tcp/db.internal.swiggy.net/5432' \
&& echo "open" || echo "closed"
## Top 10 largest directories under /var
du -h /var/* 2>/dev/null | sort -rh | head -10
## Find all files changed in last 10 minutes
find /etc /opt -mmin -10 -type f 2>/dev/null
| Task | Command |
|---|---|
| Process on a port | `lsof -i :PORT` |
| Follow service log | `journalctl -u SERVICE -f` |
| Largest directories | `du -sh * \| sort -rh \| head` |
| Who owns a process | `ps aux \| grep NAME` |
| Disk inode usage | `df -ih` |
| All listening ports | `ss -tulpn` |
| OOMKill events | `dmesg \| grep -i oom` |
| Files changed recently | `find /etc -mmin -30 -type f` |