Linux offers countless commands and utilities, which help you perform your system administration tasks quickly and efficiently.
Your work as a system admin includes installing and running software, controlling access, monitoring, ensuring availability, backups, restoring backups, and of course firefighting. 😜
In this article, we review some of the commands frequently used by Linux system administrators in their day to day work.
Use the uname command with the -a flag to print system information. This command shows the kernel name, kernel release, kernel version, hostname, processor type, and hardware platform.
ubuntu@ubuntu18:~$ uname -a
Linux ubuntu18 5.3.0-1028-azure #29~18.04.1-Ubuntu SMP Fri Jun 5 14:32:34 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
To see only the total usage, use the -s (summary) flag.
ubuntu@ubuntu18:~$ sudo du -hs /var/log
Use free command to see total, used, and free system memory. Use -h flag for human-readable format.
ubuntu@ubuntu18:~$ free -h
              total        used        free      shared  buff/cache   available
Mem:           889M        272M        100M        712K        517M        443M
Swap:            0B          0B          0B
total - Total installed memory (memtotal + swaptotal)
used - used memory
free - unused memory (memfree + swapfree)
buffers - memory used by kernel buffers
cache - memory used by page caches
buff/cache - sum of buffers and cache
available - Estimated memory available for starting new applications, without swapping
Use ps to display status information about processes running on the system. To see all processes owned by user ubuntu, use -u flag with the user name:
R – Running or ready to run, S – Sleeping, I – Idle, T – Stopped, Z – Zombie, D – Waiting for Disk I/O, X – Dead, W – Swapped out, N – Low priority process, < – High priority process
While ps command shows a snapshot of the state of processes at any moment, top shows a continuously updating (every three seconds, by default) list of system processes in order of process activity.
The top command output consists of two main parts: The system summary at the top and the table of processes sorted by CPU activity.
top - 14:25:32 up 44 days, 11:37, 1 user, load average: 0.00, 0.00, 0.00
Tasks: 114 total, 1 running, 59 sleeping, 0 stopped, 0 zombie
%Cpu(s): 0.3 us, 0.0 sy, 0.0 ni, 99.7 id, 0.0 wa, 0.0 hi, 0.0 si, 0.0 st
KiB Mem : 910992 total, 101208 free, 274712 used, 535072 buff/cache
KiB Swap: 0 total, 0 free, 0 used. 458492 avail Mem
PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
50497 ubuntu 20 0 44528 3944 3368 R 0.7 0.4 0:00.15 top
1 root 20 0 160076 7020 4400 S 0.0 0.8 0:34.85 systemd
2 root 20 0 0 0 0 S 0.0 0.0 0:00.08 kthreadd
3 root 0 -20 0 0 0 I 0.0 0.0 0:00.00 rcu_gp
4 root 0 -20 0 0 0 I 0.0 0.0 0:00.00 rcu_par_gp
6 root 0 -20 0 0 0 I 0.0 0.0 0:00.00 kworker/0:+
9 root 0 -20 0 0 0 I 0.0 0.0 0:00.00 mm_percpu_+
Some of the fields in the system summary are as follows:
Uptime. Time since the machine was last booted.
Load average. The number of processes that are waiting to run; a value less than 1.0 means the machine is not busy. There are three values: the first is the average over the last 60 seconds, the second over the last 5 minutes, and the third over the last 15 minutes.
This row describes the activities of the CPU.
0.3 us, user
0.3% CPU is being used for user processes.
0.0 sy, system
0.0% CPU is being used for system processes.
0.0 ni, nice
0.0% CPU is being used by low priority(nice) processes
99.7 id, idle
99.7% CPU is idle
0.0 wa, IO-wait
0.0% CPU is waiting for I/O
0.0 hi - time spent on hardware interrupts
0.0 si - time spent on software interrupts
0.0 st - time stolen from this VM by the hypervisor
Process table fields are as follows:
PID - Process Identification Number
VIRT - Virtual memory used by the process (KB)
RES - Physical memory used by the process
SHR - Shared memory used by the process
S - Process status. R – Running, S – Sleeping, I – Idle, T – Stopped, Z – Zombie, D – Waiting for disk I/O, W – Swapped out, X – Dead
%CPU - Percentage of CPU time the process is using
%MEM - Physical memory the process is using, as a percentage
TIME+ - Total CPU time used by the process
COMMAND - Name of the program
While top is running, you can issue a number of commands. Press h or ? to see commands which can be run while top is running. Press k to kill a process. Press q to quit top.
dig is a great tool for DNS queries. It is used as follows:
dig @<DNS server> <domain> <query-type>
<DNS server> is the name of the DNS server you wish to query (prefixed with @ on the command line)
<domain> is the domain name you wish to query about
<query-type> is the type of record you wish to know: A, MX, NS, SOA, etc.
w shows users currently logged on and their processes. The header shows the current time, system uptime, number of users logged on, and system load averages.
18:07:33 up 46 days, 15:19, 2 users, load average: 0.00, 0.00, 0.00
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
ubuntu pts/0 18.104.22.168 17:28 2.00s 0.10s 0.00s w
ubuntu pts/1 22.214.171.124 17:58 9:07 0.05s 0.01s vi
The next part shows the usernames, the terminal, and the remote IP from which they are logged on, login time, idle time, JCPU, PCPU, and the program they are running. JCPU is the time used by all processes attached to the tty whereas PCPU is the time used by the current process.
With GNU tar you can archive multiple files into a single file.
As an example create a directory myfiles and three files a.txt, b.txt, c.txt in myfiles directory:
Now to create an archive named allfiles.tar containing all files in myfiles directory:
ubuntu@ubuntu18:~$ tar -cvf allfiles.tar myfiles
List all files in the current directory. You can see myfiles directory and allfiles.tar archive:
You may unpack an archive with -x flag. So, to unpack allfiles.tar:
ubuntu@ubuntu18:~$ tar -xvf allfiles.tar
You may also compress this archive with -z flag. This would create an archive compressed with gzip.
ubuntu@ubuntu18:~$ tar -zcvf allfiles.tar.gz myfiles
To unpack a compressed archive use -z with -x flag.
ubuntu@ubuntu18:~$ tar -zxvf allfiles.tar.gz
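Before unpacking an archive you did not create yourself, list it with -t and check the member names. The following is an added example, not part of the original article; the function names and the temporary demo directory are assumptions made for illustration.

```shell
#!/usr/bin/env bash
# Added example: list an archive and vet member names before unpacking it.

# Print every member name (one per line on stdin) that is absolute or
# contains a ".." path component.
unsafe_members() {
  while IFS= read -r name; do
    case "$name" in
      /*|..|../*|*/..|*/../*) printf '%s\n' "$name" ;;
    esac
  done
}

# usage: safe_extract ARCHIVE DESTDIR
# Returns 2 if the archive cannot be listed, 1 if a member name is unsafe.
safe_extract() {
  local names bad
  names=$(tar -tf "$1") || { echo "cannot list $1" >&2; return 2; }
  bad=$(printf '%s\n' "$names" | unsafe_members)
  if [ -n "$bad" ]; then
    printf 'refusing to unpack %s; unsafe members:\n%s\n' "$1" "$bad" >&2
    return 1
  fi
  mkdir -p "$2" && tar -xf "$1" -C "$2"
}

# Constructed demo data: the article's myfiles directory, gzip-compressed.
demo_dir=$(mktemp -d)
mkdir "$demo_dir/myfiles"
touch "$demo_dir/myfiles/a.txt" "$demo_dir/myfiles/b.txt" "$demo_dir/myfiles/c.txt"
tar -zcf "$demo_dir/allfiles.tar.gz" -C "$demo_dir" myfiles
safe_extract "$demo_dir/allfiles.tar.gz" "$demo_dir/restored" && ls "$demo_dir/restored/myfiles"
```

GNU tar already strips a leading / and refuses .. members on extraction unless -P is given. The check covers names only; it does not inspect symlink members.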
grep is used to search for a pattern in a file, or a set of files. It prints all lines matching that pattern. For example, to search for the line containing “ServerRoot” in /etc/apache2/apache2.conf:
ubuntu@ubuntu18:~$ grep ServerRoot /etc/apache2/apache2.conf
# ServerRoot: The top of the directory tree under which the server's
To search in all files in a directory use *. To include search in subdirectories use -r (recursive) flag. So, to search for all lines containing the pattern “VirtualHost” in all files in /etc/apache2:
ubuntu@ubuntu18:~$ cd /etc/apache2
ubuntu@ubuntu18:/etc/apache2$ grep -r VirtualHost *
apache2.conf:# If you do not specify an ErrorLog directive within a <VirtualHost>
apache2.conf:# logged here. If you *do* define an error logfile for a <VirtualHost>
conf-available/localized-error-pages.conf:# even on a per-VirtualHost basis. If you include the Alias in the global server
conf-available/other-vhosts-access-log.conf:# Define an access log for VirtualHosts that don't define their own logfile
ports.conf:# have to change the VirtualHost statement in
rsync is a fast command-line tool for synchronizing files and directories between two locations. It can be used for both local and remote copying, and it is fast because it sends only the differences between the source files and the existing files in the destination.
It is widely used for backups and as an improved copy command for daily use.
Here is an example:
To copy/rsync all files from myfiles directory to backups directory:
ubuntu@ubuntu18:~$ rsync -avh myfiles/ /backups
sending incremental file list
sent 218 bytes received 76 bytes 588.00 bytes/sec
total size is 0 speedup is 0.00
To rsync all files from myfiles directory to backups directory on a remote host, include remote_user@remote_host in the destination name. So, to rsync myfiles folder to a remote host with IP 10.0.0.50:
vagrant@ubuntu-xenial:~$ rsync -avh myfiles/ vagrant@10.0.0.50:/home/vagrant
sending incremental file list
sent 230 bytes received 76 bytes 47.08 bytes/sec
total size is 0 speedup is 0.00
The ss command is used to dump socket statistics, similar to the legacy netstat utility. To display TCP sockets, use the -t flag.
To see service status, use systemctl status command. The following example shows apache2 status while it is running:
ubuntu@ubuntu18:~$ sudo systemctl status apache2
● apache2.service - The Apache HTTP Server
Loaded: loaded (/lib/systemd/system/apache2.service; enabled; vendor preset: enabled)
Active: active (running) since Wed 2020-08-19 11:34:04 UTC; 2s ago
Process: 25346 ExecStop=/usr/sbin/apachectl stop (code=exited, status=0/SUCCESS)
Process: 18202 ExecReload=/usr/sbin/apachectl graceful (code=exited, status=0/SUCCESS)
Process: 25536 ExecStart=/usr/sbin/apachectl start (code=exited, status=0/SUCCESS)
Main PID: 25555 (apache2)
Tasks: 55 (limit: 1024)
├─25555 /usr/sbin/apache2 -k start
├─25558 /usr/sbin/apache2 -k start
└─25559 /usr/sbin/apache2 -k start
Aug 19 11:34:04 ubuntu18 systemd: Starting The Apache HTTP Server...
Aug 19 11:34:04 ubuntu18 systemd: Started The Apache HTTP Server.
UFW (Uncomplicated Firewall) is an easy-to-use frontend for iptables. It is available by default on Ubuntu-based distributions. On CentOS, you can install ufw from the EPEL repository.
To enable ufw:
$ sudo ufw enable
Check firewall status with ufw status:
$ sudo ufw status
Default UFW policies allow all outgoing traffic and block all incoming traffic.
The following command allows incoming traffic on HTTP port:
$ sudo ufw allow http
Rule added (v6)
You can deny traffic on any port. Here is an example to block traffic on port 21:
$ sudo ufw deny 21
Rule added (v6)
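After adding rules, it is worth checking that the firewall is active, that the default incoming policy still blocks traffic, and that nothing unexpected is open to every source. The following is an added example, not part of the original article: ufw_review and the list of expected ports are assumptions, and the sample status text is constructed. On a live host, pipe `sudo ufw status verbose` into the function.

```shell
#!/usr/bin/env bash
# Added example: review `ufw status verbose` text read from stdin.
# $1 is a space-separated list of ports that are meant to be open to anyone.
# Prints one finding per line; no output means nothing to report.
ufw_review() {
  awk -v expected="$1" '
    BEGIN { n = split(expected, e, " "); for (i = 1; i <= n; i++) ok[e[i]] = 1 }
    /^Status:/  { active = ($2 == "active") }
    /^Default:/ { incoming = $2 }          # policy word before "(incoming),"
    / ALLOW / && !/ ALLOW OUT / && /Anywhere/ {   # inbound rule open to any source
      if (!($1 in ok) && !seen[$1]++) print "UNEXPECTED open to anywhere: " $1
    }
    END {
      if (!active) { print "FAIL ufw is not active" }
      if (incoming != "deny" && incoming != "reject") {
        print "FAIL default incoming policy is: " incoming
      }
    }'
}

# Constructed sample: the article's two rules plus one stray database rule.
sample_status() {
  cat <<'EOF'
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
80/tcp                     ALLOW IN    Anywhere
21                         DENY IN     Anywhere
3306/tcp                   ALLOW IN    Anywhere
22/tcp                     ALLOW IN    10.0.0.0/24
80/tcp (v6)                ALLOW IN    Anywhere (v6)
21 (v6)                    DENY IN     Anywhere (v6)
3306/tcp (v6)              ALLOW IN    Anywhere (v6)
EOF
}

sample_status | ufw_review "80/tcp"
```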
Use journalctl to view logs collected by systemd. systemd collects logs in a central location in a binary format. To view these logs:
ubuntu@ubuntu18:~$ sudo journalctl
-- Logs begin at Mon 2020-06-29 02:48:31 UTC, end at Wed 2020-08-19 15:07:59 UTC. --
Jun 29 02:48:31 ubuntu kernel: Linux version 5.3.0-1028-azure (buildd@lcy01-amd64-003) (gcc version 7.5.0 (Ubuntu
Jun 29 02:48:31 ubuntu kernel: Command line: BOOT_IMAGE=/boot/vmlinuz-5.3.0-1028-azure root=UUID=b0dd9d06-536e-41
Jun 29 02:48:31 ubuntu kernel: KERNEL supported cpus:
Jun 29 02:48:31 ubuntu kernel: Intel GenuineIntel
Mostly, you would prefer seeing the logs in reverse order, that is, the latest logs first:
ubuntu@ubuntu18:~$ sudo journalctl -r
-- Logs begin at Mon 2020-06-29 02:48:31 UTC, end at Wed 2020-08-19 15:10:16 UTC. --
Aug 19 15:10:16 ubuntu18 sudo: pam_unix(sudo:session): session opened for user root by ubuntu(uid=0)
Aug 19 15:10:16 ubuntu18 sudo: ubuntu : TTY=pts/1 ; PWD=/home/ubuntu ; USER=root ; COMMAND=/bin/journalc
Aug 19 15:10:11 ubuntu18 sudo: pam_unix(sudo:session): session closed for user root
Aug 19 15:07:59 ubuntu18 sudo: pam_unix(sudo:session): session opened for user root by ubuntu(uid=0)
Aug 19 15:07:59 ubuntu18 sudo: ubuntu : TTY=pts/1 ; PWD=/home/ubuntu ; USER=root ; COMMAND=/bin/journalc
Aug 19 15:07:56 ubuntu18 sudo: pam_unix(sudo:session): session closed for user root
Aug 19 15:06:47 ubuntu18 sudo: pam_unix(sudo:session): session opened for user root by ubuntu(uid=0)
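The sudo records in this output are a ready-made audit trail of who ran what as root. The following is an added example, not part of the original article, that turns them into one row per command and marks refused attempts; sudo_audit and the sample lines are constructed for illustration. On a live host, feed it `sudo journalctl -t sudo --no-pager`.

```shell
#!/usr/bin/env bash
# Added example: turn sudo records from journal text into one row per command.
# Output columns (tab-separated): verdict, time, invoking user, target user, tty, command.
sudo_audit() {
  awk '
    {
      if (!match($0, / sudo(\[[0-9]+\])?: +/)) next      # not a sudo record
      stamp = $1 " " $2 " " $3
      body  = substr($0, RSTART + RLENGTH)
      sep   = index(body, " : ")
      if (sep == 0) next                                  # pam_unix session lines
      who = substr(body, 1, sep - 1)
      n = split(substr(body, sep + 3), part, " ; ")
      tty = ""; target = ""; cmd = ""; verdict = "ok"
      for (i = 1; i <= n; i++) {
        if (cmd != "")                  cmd = cmd " ; " part[i]   # ";" inside the command
        else if (part[i] ~ /^TTY=/)     tty = substr(part[i], 5)
        else if (part[i] ~ /^USER=/)    target = substr(part[i], 6)
        else if (part[i] ~ /^COMMAND=/) cmd = substr(part[i], 9)
        else if (part[i] ~ /NOT in sudoers|incorrect password|not allowed/) verdict = "DENIED"
      }
      if (cmd != "") printf "%s\t%s\t%s\t%s\t%s\t%s\n", verdict, stamp, who, target, tty, cmd
    }'
}

# Constructed sample lines in the format shown above (with and without a PID).
sample_journal() {
  cat <<'EOF'
Aug 19 15:10:16 ubuntu18 sudo: pam_unix(sudo:session): session opened for user root by ubuntu(uid=0)
Aug 19 15:10:16 ubuntu18 sudo: ubuntu : TTY=pts/1 ; PWD=/home/ubuntu ; USER=root ; COMMAND=/bin/systemctl status apache2
Aug 19 15:12:40 ubuntu18 sudo[4312]: deploy : user NOT in sudoers ; TTY=pts/2 ; PWD=/srv ; USER=root ; COMMAND=/bin/bash
Aug 19 15:13:02 ubuntu18 sudo[4320]: ubuntu : TTY=pts/1 ; PWD=/home/ubuntu ; USER=root ; COMMAND=/bin/sh -c echo a ; echo b
Aug 19 15:13:05 ubuntu18 sudo: pam_unix(sudo:session): session closed for user root
EOF
}

sample_journal | sudo_audit
```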
To view logs of a specific service, for example mysql, use the -u flag:
ubuntu@ubuntu18:~$ sudo journalctl -u mysql
-- Logs begin at Mon 2020-06-29 02:48:31 UTC, end at Wed 2020-08-19 15:11:34 UTC. --
Aug 16 12:30:02 ubuntu18 systemd: Starting MySQL Community Server...
Aug 16 12:30:03 ubuntu18 systemd: Started MySQL Community Server.
Aug 19 15:03:27 ubuntu18 systemd: Stopping MySQL Community Server...
Aug 19 15:03:29 ubuntu18 systemd: Stopped MySQL Community Server.
kill and killall
You may need to kill a runaway process, or stop a process to free some system resources. kill with the -l flag shows all the signals you can send to a process.
The two most commonly used signals are SIGTERM and SIGKILL. You can also use -9 for SIGKILL and -15 for SIGTERM. SIGTERM allows a process to complete before it is terminated and therefore is called soft kill. SIGKILL terminates the process immediately. Here is an example:
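The following is an added example, not part of the original article, that applies the soft kill first and falls back to SIGKILL only if the process is still running after a grace period. The function names and the background sleep used as a stand-in process are assumptions; the zombie check reads /proc, so it is Linux-specific.

```shell
#!/usr/bin/env bash
# Added example: send SIGTERM, wait, and fall back to SIGKILL.

# True while PID exists and is not a zombie (state Z in ps/top).
is_running() {
  kill -0 "$1" 2>/dev/null || return 1
  ! grep -qs '^State:[[:space:]]*Z' "/proc/$1/status"
}

# usage: stop_process PID [GRACE_SECONDS]
# Prints which signal ended the process: SIGTERM or SIGKILL
# ("gone" if it was not running to begin with).
stop_process() {
  local pid=$1 grace=${2:-5} waited=0
  is_running "$pid" || { echo gone; return 0; }
  kill -TERM "$pid" 2>/dev/null
  while is_running "$pid"; do
    if [ "$waited" -ge "$grace" ]; then
      kill -KILL "$pid" 2>/dev/null
      echo SIGKILL
      return 0
    fi
    sleep 1
    waited=$((waited + 1))
  done
  echo SIGTERM
}

# Constructed demo: a background sleep stands in for the runaway process.
sleep 300 &
stop_process "$!" 3
```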