Master Linux Directory Structure Quickly: A Practical Guide for Ops Engineers

Why Understanding Linux Directory Structure Is Important

Junior and mid‑level engineers often know that /etc holds configuration files and /var/log holds logs, but they cannot explain why the layout is designed that way or where specific files belong. This leads to common problems such as:

Disk space runs out and the large files cannot be located.

Configuration files for a service are unknown.

Systemd unit files for a service cannot be found.

Kernel parameters are hard to locate.

Unclear which logs can be safely deleted.

Understanding the origin and logic of the directory layout lets you infer answers instead of memorising paths.

Filesystem Hierarchy Standard (FHS) Overview

The FHS 3.0 (published 2015) defines the purpose of each top‑level directory. Its design classifies files by two orthogonal dimensions: static vs. dynamic content and system‑wide vs. user‑specific.

/
├── bin      # basic system commands (available to all users)
├── sbin     # system administration commands (usually require root)
├── boot     # files needed for booting the system
├── dev      # device files (everything is a file)
├── etc      # system‑wide configuration files
├── home     # regular user home directories
├── lib, lib64   # shared libraries
├── media    # mount points for removable media
├── mnt      # temporary mount points
├── opt      # optional third‑party software
├── proc     # pseudo‑filesystem exposing kernel and process info
├── root     # home directory of the root user
├── srv      # service data (rarely used)
├── sys      # pseudo‑filesystem for kernel/device info
├── tmp      # temporary files (cleared on reboot)
└── var      # variable data such as logs, databases, caches

/bin and /sbin: System Commands

/bin – Basic User Commands

Commands in /bin must be available even in single‑user mode because the root partition is mounted first.

# Typical files in /bin
/bin/ls        # list directory contents
/bin/cp        # copy files
/bin/mv        # move/rename files
/bin/rm        # delete files
/bin/cat       # display file contents
/bin/chmod     # change file permissions
/bin/chown     # change file owner
/bin/date      # show/set system time
/bin/echo      # output text
/bin/pwd       # show current directory
/bin/mkdir     # create directories
/bin/grep      # search text
/bin/find      # locate files
/bin/tar       # archive files
/bin/gzip      # compress files
/bin/awk       # text processing
/bin/sed       # stream editor
/bin/sort      # sort lines
/bin/uniq      # filter duplicate lines
/bin/cut       # cut fields
/bin/wc        # count lines/words/bytes

/sbin – System Administration Commands

These commands usually require root privileges.

/sbin/ifconfig      # configure network interfaces (replaced by ip)
/sbin/route         # manage routing tables
/sbin/iptables      # firewall rules
/sbin/fdisk         # disk partitioning
/sbin/mkfs          # create filesystems
/sbin/fsck          # filesystem check
/sbin/mount         # mount filesystems
/sbin/umount        # unmount filesystems
/sbin/modprobe      # load kernel modules
/sbin/lsmod         # list loaded modules
/sbin/insmod        # insert a kernel module
/sbin/rmmod         # remove a kernel module
/sbin/sysctl        # adjust kernel parameters
/sbin/halt          # power off
/sbin/reboot        # reboot system
/sbin/shutdown      # graceful shutdown
/sbin/init          # init process (PID 1)
/sbin/runlevel      # show current runlevel

On modern CentOS/RHEL 7+ /bin and /sbin are symlinks to /usr/bin and /usr/sbin respectively, preserving compatibility with older installations that kept them on the root partition.

If a minimal Docker image lacks these symlinks, which ls may fail; check /usr/bin instead.

When the disk is full, start by inspecting /usr, which often consumes the most space because most packages reside there.

/usr – User Programs

/usr

is one of the largest directories, holding user‑installed applications and libraries.

/usr/bin/          # user commands (mirrors /bin)
/usr/sbin/         # system admin commands (mirrors /sbin)
/usr/lib/, /usr/lib64/   # shared libraries (32‑bit and 64‑bit)
/usr/lib/systemd/system/ # systemd unit files (e.g., nginx.service)
/usr/local/        # manually compiled software (higher priority than /usr/bin)
/usr/share/        # architecture‑independent data (docs, man pages, timezones)
/usr/include/      # C header files for compilation
/usr/src/          # kernel source (usually not used directly)

Common /usr Operations for Ops Engineers

# Find which package provides a binary (example: nginx)
rpm -qf /usr/sbin/nginx   # CentOS/RHEL
dpkg -S /usr/sbin/nginx   # Ubuntu/Debian

# Show disk usage of /usr
du -sh /usr

# List the 20 largest files in /usr
find /usr -type f -exec du -h {} + | sort -rh | head -20

# /usr/local is the preferred location for software compiled from source
# Example layout for a compiled nginx:
/usr/local/nginx/conf/      # configuration files
/usr/local/nginx/logs/      # logs (often symlinked to /var/log/nginx)
/usr/local/nginx/html/      # website files
/usr/local/nginx/sbin/      # management commands

/etc – Configuration Files

/etc

stores system‑wide configuration files. The name originates from “etcetera” and is humorously expanded to “Editable Text Configuration”.

/etc/passwd        # user account information
/etc/shadow        # encrypted passwords (root‑only readable)
/etc/group         # group definitions
/etc/sudoers       # sudo permissions (edit with visudo)
/etc/hosts         # static hostname resolution
/etc/hostname      # system hostname (CentOS/RHEL 7+)
/etc/resolv.conf   # DNS resolver configuration
/etc/sysconfig/    # CentOS/RHEL specific configs (network, iptables, selinux)
/etc/systemd/      # systemd configuration
/etc/ssh/sshd_config   # SSH daemon configuration
/etc/nginx/        # Nginx configuration (CentOS/RHEL)
/etc/httpd/        # Apache configuration (CentOS/RHEL)
/etc/php.ini       # PHP main configuration
/etc/mysql/        # MySQL configuration
/etc/redis/        # Redis configuration
/etc/docker/daemon.json   # Docker daemon configuration
/etc/crontab       # System‑wide cron jobs
/etc/logrotate.d/  # Log rotation policies
/etc/sysctl.conf   # Kernel parameters (persistent)

Typical /etc Operations

# Find all configuration files for a service (example: nginx)
find /etc -name "*nginx*" -type f

# View network configuration (CentOS)
cat /etc/sysconfig/network-scripts/ifcfg-eth0

# View DNS servers
cat /etc/resolv.conf

# Verify SSH daemon configuration syntax
sshd -t

# Edit sudoers safely
visudo

/var – Variable Data

/var

grows fastest because it stores runtime data such as logs, databases, caches, and queues. When the disk is near capacity, /var is usually the culprit.

/var Sub‑directories

/var/log/          # system and application logs
  messages (CentOS) / syslog (Ubuntu)
  auth.log / secure (authentication logs)
  nginx/, httpd/, mysql/, redis/, docker/, kubelet/, audit/
/var/lib/          # application data (MySQL, Docker, Kubernetes, etc.)
/var/cache/        # caches for yum, apt, nginx, composer, etc.
/var/spool/        # queues (mail, cron, at)
/var/tmp/          # temporary files that survive reboots
/var/run/ (or /run) # PID files, sockets, runtime state
/var/lock/         # lock files (prevent resource contention)

Log‑Viewing Commands

# Tail system log (CentOS)
tail -f /var/log/messages
# Tail system log (Ubuntu)
tail -f /var/log/syslog
# Tail authentication log (CentOS)
tail -f /var/log/secure
# Tail authentication log (Ubuntu)
tail -f /var/log/auth.log
# Tail Nginx access and error logs
tail -f /var/log/nginx/access.log
tail -f /var/log/nginx/error.log
# Tail MySQL logs
tail -f /var/log/mysql/error.log
tail -f /var/log/mysql/slow.log
# Docker logs via journalctl
journalctl -u docker --since "1 hour ago"
# Kubernetes pod logs
kubectl logs -n namespace podname --tail=100 -f

Disk‑Cleanup Commands

# Show directory sizes under /var
du -sh /var/* | sort -rh
# Find the 20 largest files in /var
find /var -type f -exec du -h {} + | sort -rh | head -20
# Find files older than 7 days (use with caution)
find /var/log -name "*.log.*" -mtime +7 -ls
# Truncate a large log safely
truncate -s 0 /var/log/nginx/access.log
# Or redirect empty output
> /var/log/nginx/access.log
# Force log rotation immediately
logrotate -f /etc/logrotate.d/nginx

Risk Reminders

Do not rm /var/log/nginx/access.log directly; it breaks the inode and Nginx cannot write.

Use truncate or redirection to clear logs safely.

Never delete active MySQL binlogs without a backup strategy.

Deleting a log file that a process still holds does not free space until the process closes the file descriptor.

/dev – Device Files

/dev

implements the “everything is a file” philosophy.

# Block devices
/dev/sda, /dev/sda1, /dev/sdb, /dev/vda, /dev/nvme0n1, /dev/nvme0n1p1
# Character devices
/dev/null   # discards output, reads EOF
/dev/zero   # endless zeros
/dev/random # blocking high‑quality random numbers
/dev/urandom# non‑blocking random numbers
/dev/loop0  # loop device for mounting ISO images
/dev/tty1   # first virtual terminal
/dev/console# system console
/dev/pts/0  # pseudo‑terminal (SSH sessions)

Typical /dev Operations

# List block devices (clearer than fdisk -l)
lsblk
# Show detailed block info
blkid
# List SCSI devices
lsscsi
# List NVMe devices
nvme list
# Find the root partition
df -h
lsblk

/proc and /sys – Kernel Interfaces

Both are pseudo‑filesystems that expose kernel data. Reading files retrieves kernel information; writing files (or using sysctl) changes kernel parameters.

/proc Details

/proc/cpuinfo      # CPU details
/proc/meminfo      # Memory usage
/proc/loadavg      # System load averages
/proc/uptime       # System uptime
/proc/diskstats    # Disk I/O statistics
/proc/net/dev      # Network interface stats
/proc/sys/kernel/  # Kernel parameters (modifiable via sysctl)
/proc/sys/net/     # Network parameters

Common /proc Commands

# CPU model and core count
cat /proc/cpuinfo | grep "model name" | head -1
cat /proc/cpuinfo | grep processor | wc -l
# Memory summary
cat /proc/meminfo | head -5
# Load average
cat /proc/loadavg
# Inspect a specific process (PID 1234)
cat /proc/1234/maps      # memory mappings
cat /proc/1234/cmdline | tr '\0' ' '
ls -la /proc/1234/fd/   # file descriptors
cat /proc/1234/environ | tr '\0' '
'
cat /proc/1234/comm      # command name

/sys Details

/sys/block/            # all block devices (e.g., sda, nvme0n1)
/sys/block/sda/queue/  # queue parameters (read_ahead_kb, scheduler)
/sys/class/net/        # network interfaces (operstate, speed)
/sys/devices/          # internal device tree
/sys/module/           # loaded kernel modules and parameters
/sys/power/            # power management
/sys/kernel/mm/       # memory management (hugepages, transparent_hugepage)

Typical /sys Operations

# View current I/O scheduler
cat /sys/block/sda/queue/scheduler
# Temporarily change scheduler
echo mq-deadline > /sys/block/sda/queue/scheduler
# Make scheduler permanent via GRUB
# Edit /etc/default/grub and add elevator=mq-deadline
# Apply changes
grub2-mkconfig -o /boot/grub2/grub.cfg
# Adjust kernel parameters temporarily
echo 134217728 > /proc/sys/net/core/rmem_max
# Make permanent by adding to /etc/sysctl.conf and running sysctl -p
# View and change swappiness
cat /proc/sys/vm/swappiness   # default 60
echo 10 > /proc/sys/vm/swappiness   # temporary
# Permanent change
echo "vm.swappiness = 10" >> /etc/sysctl.conf
sysctl -p
# Disable transparent hugepages (common for databases)
cat /sys/kernel/mm/transparent_hugepage/enabled
echo never > /sys/kernel/mm/transparent_hugepage/enabled

/lib and /lib64 – System Libraries

Store shared libraries (.so) required by binaries.

# Show library dependencies of a binary (example: nginx)
ldd /usr/sbin/nginx
# Sample output (truncated)
linux-vdso.so.1 (0x00007ffd5a9cf000)
libpthread.so.0 => /lib64/libpthread.so.0 (0x00007f8a4c6d5000)
libcrypt.so.1 => /lib64/libcrypt.so.1 (0x00007f8a4c4a0000)
libpcre.so.1 => /lib64/libpcre.so.1 (0x00007f8a4c270000)
# Missing libraries cause "error while loading shared libraries"
# Resolve by installing the required package or adjusting LD_LIBRARY_PATH

/boot – Boot Files

/boot/vmlinuz-5.4.0-generic   # compressed kernel image
/boot/initrd.img-5.4.0-generic # initramfs
/boot/System.map-5.4.0-generic # symbol table for debugging
/boot/config-5.4.0-generic   # kernel compile options
/boot/grub/grub.cfg          # GRUB2 main config
/boot/efi/EFI/ubuntu/        # UEFI boot files (Ubuntu example)
/boot/memtest86+            # memory test utility

Typical /boot Operations

# List installed kernels
ls -la /boot/vmlinuz-*
ls -la /boot/initrd.img-*
# Show current kernel version
uname -r
# Clean old kernels (CentOS/RHEL)
package-cleanup --oldkernels --count=2
# Or manually remove older kernel packages
yum remove $(rpm -qa | grep kernel | grep -v $(uname -r))
# Clean old kernels (Ubuntu)
apt autoremove --purge linux-image-$(uname -r | sed 's/-generic//')-*
apt-get autoremove -y
# Check /boot usage
df -h /boot

Risk Reminders

Never delete files in /boot manually; use the package manager.

Ensure a working newer kernel is bootable before removing old ones.

If /boot is a separate partition and fills up, kernel upgrades will fail and the system may become unbootable.

/root and /home – User Directories

/root – Root User Home

/root/
├── .bashrc
├── .bash_profile
├── .bash_history
├── .ssh/
│   ├── authorized_keys
│   ├── id_rsa
│   └── id_rsa.pub
└── anaconda-ks.cfg   # installer answer file (CentOS)

/home – Regular User Homes

/home/username/
├── .bashrc
├── .bash_profile
├── .bash_history
├── .ssh/authorized_keys
├── Documents/
├── Downloads/
└── .config/   # user‑level application configs

Common /home Operations

# Show size of each user home
du -sh /home/*
# Current user
whoami
# User details
id
id username
# Change a user's home directory
usermod -d /new/home/username username

/tmp – Temporary Files

/tmp

is world‑writable with the sticky bit (mode 1777). Files may be cleared on reboot depending on systemd configuration.

# Verify permissions
ls -ld /tmp   # should show drwxrwxrwt
# Find largest files in /tmp
find /tmp -type f -exec du -h {} + | sort -rh | head -10
# Find files not accessed for 30 days
find /tmp -type f -atime +30 -ls
# Find files not modified for 30 days
find /tmp -type f -mtime +30 -ls

Sticky Bit Explanation

# /tmp permissions should be 1777
ls -ld /tmp
# drwxrwxrwt root root /tmp
# The "t" (sticky bit) prevents users from deleting files they do not own.

Other Directories: /srv, /opt, /mnt, /media

/srv – Service Data (rarely used)

/srv/
├── www/   # website data (sometimes used by Nginx/Apache)
├── ftp/   # FTP service data
├── git/   # Git repositories
└── vpn/   # VPN service data

/opt – Optional/Third‑Party Software

/opt/
├── google/chrome/
├── jetbrains/Toolbox/
├── vmware/
└── docker-desktop/

Many commercial and some open‑source packages install under /opt.

/mnt and /media – Mount Points

/mnt/      # temporary manual mounts
/media/    # automatically mounted removable media (CDs, USB drives)
# Example mounts
mount -o loop /path/to/centos.iso /mnt
mount /dev/sdc1 /mnt
mount -t nfs 10.0.0.100:/data /mnt
# List all mounts
df -hT

Disk Partitions and Mount Relationships

Understanding how directories map to partitions helps diagnose space issues.

# Show current mounts and sizes
df -h
# Example output
Filesystem      Size  Used Avail Use% Mounted on
/dev/sda1       100G   50G   50G  50% /
tmpfs           7.8G     0  7.8G   0% /dev/shm
/dev/sda2       500G  300G  200G  60% /data
/dev/sdb1       1.0T  800G  200G  80% /backup
/dev/sdc1       200G  100G  100G  50% /mnt/backup2

The root partition ( /dev/sda1) contains all directories unless they have separate mounts.

Separate partitions for /var or /var/log protect the system from running out of space on the root filesystem.

Memory‑based filesystems like tmpfs do not consume disk space.

# Which partition a directory resides on
df -h /var/log
# Inode information (helps locate underlying device)
stat /var/log/nginx/access.log
# List partition table
fdisk -l /dev/sda
# LVM commands (if applicable)
lvs
pvs
vgs

Summary of Directory Classification

The Linux filesystem hierarchy follows three orthogonal dimensions:

Static vs. Dynamic : Directories such as /bin, /sbin, /usr, /etc, /lib contain files that rarely change after installation (static). Directories such as /var, /tmp, /run hold data that grows during operation (dynamic).

Shared vs. Machine‑Specific : /usr and /opt can be shared across systems (read‑only). /etc, /var, /run are machine‑specific.

System vs. User Level : /bin, /sbin, /etc are system‑wide; /home/username is user‑specific.

Key directories to remember: /etc – all configuration files. /var/log – logs for troubleshooting. /var/lib – database data, Docker storage. /proc – read‑only kernel and process info. /sys – kernel device interface; writable parameters. /usr/local – manually compiled software. /run – PID files, sockets, runtime state.

Practical daily rules for ops engineers:

"Find configuration → look under /etc."

"Check logs → look under /var/log."

"Adjust kernel parameters → edit /proc/sys or /etc/sysctl.conf."

By grasping the logical design behind the hierarchy, you can infer the purpose of unknown paths, locate files efficiently, and troubleshoot without memorising every directory.