
20 Essential Linux Commands Every Ops Engineer Must Master

This guide walks you through twenty indispensable Linux commands (covering system monitoring, performance analysis, process management, networking, disk handling, and tuning), explaining their basic and advanced usage, real-world pitfalls, and how they stay relevant in the cloud-native era.

Open Source Linux

Introduction: Lessons from Early Command‑Line Mistakes

When a production server once spiked to 90% CPU on a rainy Friday night, I frantically ran ps -ef | grep java without knowing which process was misbehaving. That experience taught me that mastering Linux commands is a survival skill for any operations engineer.

Why These Commands Matter

In today's cloud-native, micro-service world, a medium-size internet company may run hundreds of servers, and you often have only minutes to diagnose a failure. Used well, these commands give you "x-ray vision" into the system, and statistics show that about 70% of production incidents can be pinpointed quickly with them.

Core Toolbox: 20 Commands Explained

🔍 System Monitoring (the "health check" tools)

1. top – System "health monitor"

# Basic usage
top

# Show processes for a specific user
top -u nginx

# Monitor a specific PID
top -p 1234

Tip: Watch the load average; a value above 1.0 on a single-core server, or above 70% of the core count on a multi-core server, signals trouble.

2. htop – Enhanced top

# Colorful, mouse‑friendly UI
htop

# Show only your own processes
htop -u $(whoami)

Note: CentOS does not include htop by default; install the EPEL repository first.

3. iotop – Disk I/O "microscope"

# Real‑time I/O view
iotop

# Show only processes doing I/O
iotop -o

Example: A noisy log writer once saturated disk I/O, causing database latency despite normal CPU and memory.

📊 Performance Analysis (deep kernel insight)

4. vmstat – Virtual memory statistics

# Every 2 seconds, 10 times
vmstat 2 10

# Detailed memory info
vmstat -s

5. iostat – I/O statistics

# Per‑second I/O stats
iostat 1

# Extended device stats
iostat -x 1

Best practice: Combine vmstat and iostat to quickly locate whether the bottleneck lies in CPU, memory, or disk.

6. sar – System activity reporter

# CPU usage history
sar -u

# Memory usage history
sar -r

# Network statistics
sar -n DEV

🔧 Process Management (process "life‑or‑death" control)

7. ps – Process snapshot

# All processes
ps aux

# Process tree
ps -ef --forest

# Find a specific process
ps aux | grep nginx

8. pstree – Process hierarchy

# Show tree
pstree

# Show tree for a user
pstree -u username

9. lsof – "Everything open" viewer

# Check port usage
lsof -i:80

# Find which process holds a file
lsof /var/log/messages

# List files opened by a PID
lsof -p 1234

Lesson: After deleting a large file, use lsof to ensure no process still holds it, otherwise disk space won’t be reclaimed.
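
The check behind this lesson, as an added example (not from the original article): it walks /proc/<pid>/fd for links whose target ends in " (deleted)" and prints PID, descriptor, size and path. The function name deleted_open_files is made up for this example; it assumes a Linux /proc and needs root to see other users' processes.

```shell
#!/usr/bin/env bash
# Added example: list files that were deleted but are still held open,
# which is why df keeps reporting the space as used.
# deleted_open_files is a name chosen for this example.

deleted_open_files() {
    local fd target pid num size
    # Each /proc/<pid>/fd/<n> is a symlink to the open file; the kernel
    # appends " (deleted)" to the target once the last name is unlinked.
    for fd in /proc/[0-9]*/fd/*; do
        target=$(readlink "$fd" 2>/dev/null) || continue  # process gone or not ours
        case $target in
            /memfd:*) continue ;;          # anonymous memory, never on disk
            /*" (deleted)") ;;             # a real path that was unlinked
            *) continue ;;
        esac
        pid=${fd#/proc/}; pid=${pid%%/*}
        num=${fd##*/}
        # stat -L follows the fd link to the inode that still holds the blocks.
        size=$(stat -L -c %s "$fd" 2>/dev/null) || size=unknown
        # Output columns: PID, fd number, size in bytes, original path.
        printf '%s\t%s\t%s\t%s\n' "$pid" "$num" "$size" "${target% (deleted)}"
    done
}

# Usage: deleted_open_files | sort -t "$(printf '\t')" -k3,3nr | head
```

lsof +L1 reports the same condition (open files whose link count is below 1); the space is released once the holding process closes the descriptor or exits.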

🌐 Network Diagnosis (network "stethoscope")

10. netstat – Network connections

# Listening TCP and UDP sockets with owning process (-l limits output to listeners)
netstat -tulnp

# TCP statistics
netstat -st

11. ss – Modern netstat replacement

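# Listening TCP and UDP sockets with owning process
ss -tulnp

# Specific port (the sport filter matches port 80 exactly; grep :80 would also match :8080)
ss -tlnp 'sport = :80'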

Trend: Newer Linux distributions recommend ss for faster, richer output.

12. tcpdump – Packet sniffer

# Capture traffic on port 80
tcpdump -i any port 80

# Capture traffic to or from a host
tcpdump host 192.168.1.100

# Save to file
tcpdump -w capture.pcap

💾 Disk Management (storage "caretaker")

13. df – Disk usage overview

# Human‑readable output
df -h

# Show inode usage
df -i

14. du – Directory size

# Size of each item in the current directory
du -sh *

# Top 10 largest directories
du -h | sort -hr | head -10

Tip: Use this du pipeline to instantly locate the biggest space consumers.

15. find – File search "detective"

# Files larger than 100 M
find / -size +100M -type f

# Logs older than 7 days
find /var/log -name "*.log" -mtime +7

# Delete empty files
find /tmp -empty -type f -delete

🔐 System Information (system "ID card")

16. uname – System info

# All info
uname -a

# Kernel version only
uname -r

17. uptime – Run time and load

# Show uptime, users, load
uptime

# Pretty output
uptime -p

18. free – Memory usage

# Human‑readable memory
free -h

# Update every second
free -s 1

⚡ System Tuning (performance "catalyst")

19. sysctl – Kernel parameter tuning

# List all parameters
sysctl -a

# Change a parameter at runtime (lost at reboot unless also written to a config file)
sysctl -w net.ipv4.ip_forward=1

# Load settings from /etc/sysctl.conf
sysctl -p

20. crontab – Scheduled tasks

# List jobs
crontab -l

# Edit jobs
crontab -e

# View cron logs
tail -f /var/log/cron

Common Pitfalls

Trap 1: Overusing kill -9

Instead of immediately killing a stuck process, try kill -15 (SIGTERM) first to allow graceful shutdown.
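
The escalation described in Trap 1, as an added example (not from the original article): send SIGTERM, wait for a grace period, and fall back to SIGKILL only if the process is still running. The names stop_gracefully and is_alive and the 5-second default are choices made for this example.

```shell
#!/usr/bin/env bash
# Added example: SIGTERM first, SIGKILL only after a grace period.
# stop_gracefully, is_alive and the 5 s default are choices of this example.

is_alive() {
    # kill -0 sends no signal; it only tests that the PID can be signalled.
    kill -0 "$1" 2>/dev/null || return 1
    # A zombie still answers kill -0 although it has already exited.
    ! grep -qs '^State:[[:space:]]*Z' "/proc/$1/status"
}

# Usage: stop_gracefully PID [GRACE_SECONDS]
# Prints not-running, terminated (exited on SIGTERM) or killed (needed SIGKILL).
stop_gracefully() {
    local pid=$1 grace=${2:-5} waited=0

    is_alive "$pid" || { echo "not-running"; return 0; }

    # SIGTERM lets the process flush buffers, close sockets and remove locks.
    kill -TERM "$pid" 2>/dev/null || true
    while is_alive "$pid"; do
        if [ "$waited" -ge "$grace" ]; then
            # Grace period used up: the process ignored SIGTERM or is stuck.
            kill -KILL "$pid" 2>/dev/null || true
            echo "killed"
            return 0
        fi
        sleep 1
        waited=$((waited + 1))
    done
    echo "terminated"
}
```

A "killed" result is worth logging: the process had no chance to clean up, so check for stale lock files or partially written data afterwards.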

Trap 2: Ignoring System Logs

Commands show "what" happened; logs reveal "why". Use journalctl -f or tail -f /var/log/messages for real‑time insight.

Trap 3: Operating Without Backups

Always back up before any delete or modify operation; many outages stem from a single careless rm command.

Advanced Techniques: Combining Commands

# Top 5 CPU‑hungry processes
ps aux | sort -k3 -nr | head -5

# Real‑time network connection count
watch -n 1 "netstat -an | wc -l"

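# Batch kill nginx processes (pgrep -x matches the process name exactly, so the
# pipeline cannot pick up grep itself or unrelated commands that mention nginx)
pgrep -x nginx | xargs -r kill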

Future Outlook: Command Line in the Cloud‑Native Era

With Kubernetes, Docker, and containers, classic Linux commands integrate with modern tools:

kubectl + ps: Diagnose processes inside pods
docker stats + top: Monitor container resources
prometheus + sar: Historical performance analysis

Regardless of new technologies, these foundational commands remain the "inner kung fu" of every operations engineer.

Conclusion & Call to Action

These twenty commands form the "twenty‑four arts" of ops. Practice a few daily, document useful parameter combos, and experiment in non‑critical environments to solidify your skill set.
