One of the more demanding aspects of Linux is that most tasks are driven from the command line. That is also why many people enjoy it: the commands tend to be concise yet powerful. This page gathers the author's collected notes and relevant articles for later learning and reference. If you spot an error, please get in touch and point it out.
Basic Operations
Linux Shutdown and Restart
# Shutdown
shutdown -h now
# Restart
shutdown -r now
View System and CPU Information
# View system kernel information
uname -a
# View system kernel version
cat /proc/version
# View current user environment variables
env
# View full CPU information (model, flags, cache sizes)
cat /proc/cpuinfo
# Check how many logical CPUs there are, including CPU model
cat /proc/cpuinfo | grep name | cut -f2 -d: | uniq -c
# Check how many CPUs there are and how many cores each has
cat /proc/cpuinfo | grep physical | uniq -c
# Check if the current CPU is running in 32bit or 64bit mode; running in 32bit does not mean the CPU does not support 64bit
getconf LONG_BIT
# If the count is greater than 0 the CPU supports 64-bit operation; lm stands for long mode, and a CPU with the lm flag is 64-bit capable
cat /proc/cpuinfo | grep flags | grep ' lm ' | wc -l
Create Soft Link
ln -s /usr/local/jdk1.8/ jdk
RPM Related
# Check if the software is installed via RPM
rpm -qa | grep software_name
SSH Key
# Create SSH key
ssh-keygen -t rsa -C [email protected]
# Copy the content of id_rsa.pub to the home/username/.ssh/authorized_keys of the server to be controlled; if it does not exist, create it (permissions for .ssh should be 700, and authorized_keys should be 600)
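The steps above, as an added example that is not part of the original page: a small POSIX shell script that installs a public key into a user's authorized_keys with the permissions sshd requires and without duplicating a key that is already there, plus a check for the permission mistakes that make sshd ignore the file. The key string and the temporary home directory are constructed for the demo; ssh-keygen itself is not needed to run it.

```shell
#!/bin/sh
# Added example (not from the original page): install a public key into a user's
# authorized_keys the way sshd expects it, idempotently. The key below is a
# constructed placeholder, not a real key.
set -eu

SAMPLE_PUBKEY='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPlaceholderKeyBlobNotARealKey000000000000 alice@example'

install_authorized_key() {
    home_dir=$1
    pubkey=$2
    ssh_dir="$home_dir/.ssh"
    auth_file="$ssh_dir/authorized_keys"

    # sshd with StrictModes (the default) ignores authorized_keys unless the home
    # directory is not group/world-writable, .ssh is 0700 and the file is 0600
    chmod go-w "$home_dir"
    mkdir -p "$ssh_dir"
    chmod 700 "$ssh_dir"
    touch "$auth_file"
    chmod 600 "$auth_file"

    # de-duplicate on the key blob (field 2), so a re-run or a changed comment
    # does not append the same key twice
    key_blob=$(printf '%s\n' "$pubkey" | awk '{print $2}')
    if awk -v blob="$key_blob" '$2 == blob {found = 1} END {exit !found}' "$auth_file"; then
        return 0
    fi
    printf '%s\n' "$pubkey" >> "$auth_file"
}

# Audit the permissions sshd checks; prints "ok" or the first problem found
check_ssh_perms() {
    home_dir=$1
    if [ -z "$(find "$home_dir/.ssh" -prune -perm 700 -print)" ]; then
        echo ".ssh is not mode 0700"; return 1
    fi
    if [ -z "$(find "$home_dir/.ssh/authorized_keys" -prune -perm 600 -print)" ]; then
        echo "authorized_keys is not mode 0600"; return 1
    fi
    echo ok
}

# Demo against a throwaway home directory
demo_home=$(mktemp -d)
install_authorized_key "$demo_home" "$SAMPLE_PUBKEY"
install_authorized_key "$demo_home" "$SAMPLE_PUBKEY"   # second run is a no-op
check_ssh_perms "$demo_home"
wc -l < "$demo_home/.ssh/authorized_keys"              # one key, not two
rm -rf "$demo_home"
```

On a real server run install_authorized_key as the target user (or fix ownership afterwards with chown); the function only sets modes, not owners.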
Command Aliases
# Add alias definitions to each user's .bash_profile (or .bashrc)
alias ll='ls -alF'
Synchronize Server Time
# One-shot clock sync against an NTP server (ntpdate is deprecated; run chronyd or ntpd for continuous synchronisation)
sudo ntpdate -u ntp.api.bz
Run Command in Background
# Run in the background; stdout and stderr go to nohup.out
nohup xxx &
# Run in the background and discard all output (stdout and stderr)
nohup xxx > /dev/null 2>&1 &
# Run in the background and send both stdout and stderr to a log file
nohup xxx > out.log 2>&1 &
Force Active User Logout
# Force an active user's session off. TTY is the terminal name as shown by `who` (e.g. pts/1); this kills every process attached to that terminal
pkill -KILL -t [TTY]
View Command Path
which <command>
View Maximum Open File Descriptor Count for Process
# Soft limit of the current shell; a running process's own limits are in /proc/<pid>/limits
ulimit -n
Configure DNS
# Edit the resolver configuration (on hosts running systemd-resolved or NetworkManager this file is generated and manual edits are overwritten)
vim /etc/resolv.conf
NSLookup, Query DNS Records for a Domain
nslookup google.com
Last, Recent Login Information List
# Last 5 logged in accounts
last -n 5
Set Fixed IP
# Assign an address to interface em1; this is not persistent across reboot (and ifconfig is deprecated in favour of the ip command)
ifconfig em1 192.168.5.177 netmask 255.255.255.0
View Environment Variables Loaded in Process
# Show the environment of a running process (the same data is readable as /proc/<pid>/environ)
ps eww -p XXXXX(process_id)
View Process Tree to Find Server Processes
ps auwxf
View Process Startup Path
cd /proc/xxx(process_id)
ls -l
# cwd is a symlink to the directory the process runs in; exe points to the executable that was started
Add User and Configure Sudo Permissions
# Add user
useradd username
passwd username
# Grant sudo: edit the sudoers file with visudo, which locks the file and syntax-checks it before saving (a syntax error written with a plain editor locks everyone out of sudo)
visudo
# Add a line for the user modelled on the root entry
# root ALL=(ALL) ALL
# username ALL=(ALL) ALL
Force Kill All Processes Whose Name Contains xxx
# kill -9 (SIGKILL) cannot be caught, so the processes get no chance to clean up; try a plain kill (SIGTERM) first. grep -v grep drops the grep process itself, but any unrelated command line that happens to contain xxx is matched too
ps aux|grep xxx | grep -v grep | awk '{print $2}' | xargs kill -9
Disk, File, Directory Related Operations
Vim Operations
# From normal mode, type ':' to enter command-line mode. x is the pattern to find, y the replacement; % means every line and the trailing g means every occurrence on a line, not just the first
:%s/x/y/g
# In normal mode
0 # Move cursor to the beginning of the line (number 0)
$ # Move cursor to the end of the line
shift + g # Jump to the end of the file
gg # Jump to the beginning of the file
# Show line numbers
:set nu
# Remove line numbers
:set nonu
# Search
/xxx(search content) # Search forward from the cursor; n jumps to the next match, N to the previous one
?xxx(search content) # Search backward from the cursor
Open Read-Only File and Save After Modification (Without Switching Users)
# From normal mode: write the buffer through sudo tee to the current file name (%)
:w !sudo tee %
View Basic Information of Disk, File Directory
# View disk mount status
mount
# Show disk space usage per filesystem (add -h for human-readable sizes)
df
# Sizes of the current directory and every subdirectory
du -h
# View the size of each file and folder in the current directory without recursion
du -sh *
WC Command
# View how many lines are in the file
wc -l filename
# View how many words are in the file
wc -w filename
# View the length of the longest line in the file
wc -L filename
# Count bytes
wc -c filename
Common Compression and Decompression Commands
Compression Command
# z selects gzip, so the archive should be named .tar.gz
tar czvf xxx.tar.gz compress_directory
zip -r xxx.zip compress_directory
Decompression Command
# List an archive you did not create (tar tvf / unzip -l) before extracting it, so you see where its entries will land
tar zxvf xxx.tar.gz
# Decompress into a specified folder
tar zxvf xxx.tar.gz -C /xxx/yyy/
unzip xxx.zip
Change File Owner and Group
# user:group; the dot separator still works in GNU chown but the colon is the documented form
chown eagleye:eagleye xxx.log
CP, SCP, MKDIR
# Copy (a destination is required)
cp xxx.log yyy(target_path)
# Copy and overwrite an existing file of the same name without asking
cp -f xxx.log yyy(target_path)
# Copy a directory recursively
cp -r xxx(source_directory) yyy(target_directory)
# Remote copy
scp -P ssh_port [email protected]:/home/username/xxx /home/xxx
# Create nested directories in one go
mkdir -p /xxx/yyy/zzz
# Batch create directories, will create java, resources folders in both test and main
mkdir -p src/{test,main}/{java,resources}
Compare Two Files
diff -u 1.txt 2.txt
Count Log Bytes, Useful for Performance Testing
# During a performance test, write a single '.' to the log on every iteration; the byte count of the log then equals the number of iterations, and pv shows the rate in real time.
tail -f xxx.log | pv -bt
View and Remove Special Characters
# Show non-printing characters (a DOS line ending appears as ^M at the end of each line)
cat -v xxx.sh
# Remove them. Type the ^M in the sed expression as ctrl+v followed by ctrl+m (or Enter), not as the two characters ^ and M
sed -i 's/^M//g' env.sh
Handle Special Character Issues in Files Caused by System Reasons
# Keep a backup before rewriting the file in this system's format
cat file.sh > file.sh_bak
# One way: copy the content of file.sh, run the command below, paste the content, then press ctrl + d to save and exit
cat > file1.sh
# Or in vim, set the file encoding and format as follows, then :w to save the file as UTF-8 with Unix line endings
:set fileencoding=utf-8
:set fileformat=unix
# Or batch-convert with dos2unix (installable on Linux and macOS via the package manager); -print0/-0 keeps file names with spaces intact
find . -name "*.sh" -print0 | xargs -0 dos2unix
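To make the ^M handling above repeatable, the following is an added example (not from the original page) that counts and strips DOS line endings with grep and tr. It avoids sed -i because the -i syntax differs between GNU and BSD sed, and it rewrites the file through a temporary copy so the inode and permissions are kept. The sample file is constructed inline.

```shell
#!/bin/sh
# Added example (not from the original page): find files that carry DOS line
# endings (the ^M that cat -v shows) and strip them in place, portably.
set -eu

CR=$(printf '\r')

# Number of lines ending in a carriage return (0 for a clean file)
count_crlf() {
    grep -c "$CR\$" "$1" || true   # grep exits 1 when nothing matches; that is not an error here
}

# Remove every CR from the file, keeping its inode and permissions
strip_crlf() {
    tmp=$(mktemp)
    tr -d '\r' < "$1" > "$tmp"
    cat "$tmp" > "$1"
    rm -f "$tmp"
}

# Demo with a constructed file: a DOS-style script whose shebang would fail
# with "/bin/sh^M: bad interpreter"
demo=$(mktemp)
printf '#!/bin/sh\r\necho hello\r\necho already-clean\n' > "$demo"
count_crlf "$demo"          # two lines still carry a CR
strip_crlf "$demo"
count_crlf "$demo"          # none left
head -n 1 "$demo" | cat -v  # shebang without ^M
rm -f "$demo"
```

Run count_crlf over a tree with `find . -name '*.sh' -exec sh -c 'c=$(grep -c "$(printf "\r")$" "$1" || true); [ "$c" -gt 0 ] && echo "$1: $c"' _ {} \;` to list only the files that actually need fixing.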
Tee, Redirect While Outputting to Screen
awk '{print $0}' xxx.log | tee test.log
Search Related
Grep
# Inverse match: lines that do not contain xxx
grep -v xxx
# Drop all empty lines
grep -v '^$'
# Print the line numbers of empty lines (an output of 2 means line 2 is empty)
grep -n "^$" 111.txt
# Lines starting with abc
grep -n "^abc" 111.txt
# Show which lines of the file the word appears on
grep 'xxx' -n xxx.log
# Count how many lines contain the string (a line with two occurrences counts once)
grep 'xxx' -c xxx.log
# Case-insensitive match
grep 'xxx' -i xxx.log
Awk
# Use ':' as the field separator; print the line if the fifth field (GECOS) contains "user"
awk -F ':' '{if ($5 ~ /user/) print $0}' /etc/passwd
# Count how often a string occurs in a file by using it as the record separator (records minus one); not reliable for multibyte text such as Chinese
awk -v RS='character' 'END {print --NR}' xxx.txt
Find Command
# Find files with the .mysql suffix under the directory
find /home/eagleye -name '*.mysql' -print
# Files under /usr last accessed less than 3 days ago (-atime 3 without the minus means exactly 3 days ago)
find /usr -atime -3 -print
# Files under /usr whose inode (metadata) changed less than 5 days ago; use -mtime for changes to the content
find /usr -ctime -5 -print
# Files under /doc owned by jacky whose names start with j
find /doc -user jacky -name 'j*' -print
# Files under /doc whose names start with ja or ma (the escaped parentheses group the -o alternatives)
find /doc \( -name 'ja*' -o -name 'ma*' \) -print
# Find and delete every file under /doc ending in bak. -exec runs the command, { } is replaced by the file name and "\;" terminates the command. Run the same expression with -print first to see what will be deleted
find /doc -name '*bak' -exec rm {} \;
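The find expressions above, exercised against a constructed directory tree as an added example (not part of the original page). It also shows the difference between -mtime -3 (less than 3 days old) and -mtime 3 (exactly 3 days old), which the wording "within the last N days" hides, and it deletes with -exec rm {} + so that one rm receives many names instead of one process per file.

```shell
#!/bin/sh
# Added example (not from the original page): the find idioms from this section
# run against a constructed directory tree.
set -eu

# Build a throwaway tree and print its path
make_demo_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/a" "$root/b"
    touch "$root/a/jacky.txt" "$root/a/mary.txt" \
          "$root/b/notes.bak" "$root/b/old.bak" "$root/b/db.mysql"
    printf '%s\n' "$root"
}

# Count regular files under $1 matching the remaining arguments as a find expression
count_matches() {
    dir=$1; shift
    find "$dir" -type f "$@" -print | wc -l | tr -d ' '
}

# Delete *.bak files under $1. "{} +" hands many names to one rm, and
# -type f keeps a directory that happens to end in .bak out of the list
delete_backups() {
    find "$1" -type f -name '*.bak' -exec rm -f {} +
}

demo=$(make_demo_tree)
count_matches "$demo" -name '*.mysql'                      # 1
count_matches "$demo" '(' -name 'ja*' -o -name 'ma*' ')'   # 2 (grouped -o, the shell sees the parens as plain arguments)
count_matches "$demo" -mtime -3                            # 5: modified less than 3 days ago
count_matches "$demo" -mtime 3                             # 0: modified exactly 3 days ago
delete_backups "$demo"
count_matches "$demo" -name '*.bak'                        # 0
rm -rf "$demo"
```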
Network Related
View Which Process is Using the Port
lsof -i:port
Get Local IP Address
# ifconfig is deprecated (the ip command is the modern replacement); tr -d "addr:" deletes the characters a, d, r and :, which happens to leave a dotted-quad address intact
/sbin/ifconfig -a|grep inet|grep -v 127.0.0.1|grep -v inet6|awk '{print $2}'|tr -d "addr:"
IPTables
# View iptables status (SysV init systems; on systemd hosts use systemctl)
service iptables status
# Block an IP
iptables -I INPUT -s ***.***.***.*** -j DROP
# Unblock an IP (the rule must be given exactly as it was added)
iptables -D INPUT -s ***.***.***.*** -j DROP
# Note: -I inserts the rule at the top of the chain (first match wins), -D deletes it. INPUT is the chain for incoming packets, ***.***.***.*** is the IP to block and DROP silently discards its packets. Rules added this way are lost at reboot unless saved (iptables-save, or service iptables save).
# Open access to port 9090
/sbin/iptables -I INPUT -p tcp --dport 9090 -j ACCEPT
# Firewall status, start, stop, restart
/etc/init.d/iptables status
/etc/init.d/iptables start
/etc/init.d/iptables stop
/etc/init.d/iptables restart
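The block/unblock rules above, wrapped in an added example (not from the original page) that validates the address before it is spliced into an iptables command, checks with iptables -C before inserting so the chain does not fill with duplicate rules, and prints the commands instead of running them when DRY_RUN=1 or iptables is not installed. The address 203.0.113.7 is a documentation placeholder; running it for real requires root, and the rules are still not persistent across reboot.

```shell
#!/bin/sh
# Added example (not from the original page): block and unblock a single IPv4
# address idempotently, validating the input first.
set -eu

# Four dotted-decimal octets, each 0-255; rejects anything else, including a
# string like "1.2.3.4 -j ACCEPT" that would otherwise become extra arguments
valid_ipv4() {
    printf '%s\n' "$1" | awk -F. '
        NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1 }'
}

# True when commands should be printed rather than executed
dry_run() { [ "${DRY_RUN:-0}" = 1 ] || ! command -v iptables >/dev/null 2>&1; }

ipt() { if dry_run; then echo "iptables $*"; else iptables "$@"; fi; }

# iptables -C returns 0 when an identical rule is already in the chain
rule_exists() { ! dry_run && iptables -C INPUT -s "$1" -j DROP 2>/dev/null; }

block_ip() {
    valid_ipv4 "$1" || { echo "refusing to block '$1': not an IPv4 address" >&2; return 2; }
    if rule_exists "$1"; then return 0; fi
    ipt -I INPUT -s "$1" -j DROP
}

unblock_ip() {
    valid_ipv4 "$1" || { echo "refusing to unblock '$1': not an IPv4 address" >&2; return 2; }
    ipt -D INPUT -s "$1" -j DROP
}

DRY_RUN=1
block_ip 203.0.113.7                                   # iptables -I INPUT -s 203.0.113.7 -j DROP
unblock_ip 203.0.113.7                                 # iptables -D INPUT -s 203.0.113.7 -j DROP
block_ip '203.0.113.7 -j ACCEPT' || echo "rejected as expected"
```

Use the same pattern for anything that takes a value from logs or a web form and feeds it to a privileged command: validate the shape first, then pass it as a single quoted argument.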
NC Command, TCP Debugging Tool
# Connect to a host and port over TCP and send the content of data.txt
nc 192.168.0.11 8000 < data.txt
# nc can also act as a server: listen on a port and save whatever the client sends to received_data
nc -l 8000 > received_data
# The listener above exits after one connection; -k keeps it listening (OpenBSD nc; the traditional netcat uses -l -p 8000 and has no -k). A listening nc is an unauthenticated service, so bind it only where you intend to
nc -lk 8000
TCPDump
# Capture TCP packets on interface em1 for port 12301 with a 1500-byte snapshot length into abc.pcap (requires root; use -s 0 to capture whole frames regardless of size)
tcpdump -i em1 tcp port 12301 -s 1500 -w abc.pcap
Trace Network Routing Path
# traceroute sends UDP probes by default; -I switches to ICMP echo, which often gets through firewalls that drop UDP
traceroute -I www.163.com
# Start tracing at TTL 3 (-M first_ttl is the BSD/macOS option; Linux traceroute uses -f 3, its -M selects the probe method)
traceroute -M 3 www.163.com
# Probe a specific destination port
traceroute -p 8080 192.168.10.11
# Show all listening sockets
ss -l
# Show listening sockets together with the owning process (root is needed to see other users' processes)
ss -pl
# Show all TCP sockets
ss -t -a
# Show all UDP sockets
ss -u -a
# Show all established SMTP connections
ss -o state established '( dport = :smtp or sport = :smtp )'
# Show all established HTTP connections
ss -o state established '( dport = :http or sport = :http )'
# Find all processes connected to the X server
ss -x src /tmp/.X11-unix/*
# List current socket statistics
ss -s
# Explanation: netstat reads /proc/net/* and, for -p, walks every /proc/<pid>/fd directory; ss queries the kernel over netlink (sock_diag), falling back to /proc/net only if that fails. That is why ss costs fewer resources and less time than netstat on a host with many sockets.
Netstat
# Per-IP connection counts (IPv4 and IPv6 addresses told apart by the number of colon-separated fields), the number of distinct IPs, and the totals per TCP state
netstat -n | awk '/^tcp/ {n=split($(NF-1),array,":");if(n<=2)++S[array[(1)]];else++S[array[(4)]];++s[$NF];++N} END {for(a in S){printf("%-20s %s\n", a, S[a]);++I}printf("%-20s %s\n","TOTAL_IP",I);for(a in s) printf("%-20s %s\n",a, s[a]);printf("%-20s %s\n","TOTAL_LINK",N);}'
# Count connections in every TCP state. The states:
# CLOSED: no connection
# LISTEN: the server is waiting for incoming connections
# SYN_RECV: a connection request has been received; waiting for the final ACK of the handshake
# SYN_SENT: the application has sent a SYN to open a connection
# ESTABLISHED: normal data transfer state
# FIN_WAIT1: this side has sent its FIN (the application is done) and waits for it to be acknowledged
# FIN_WAIT2: the FIN was acknowledged; waiting for the other side's FIN
# CLOSING: both sides sent a FIN at the same time
# TIME_WAIT: the side that closed actively waits 2*MSL so that stray segments die before the port can be reused
# LAST_ACK: the passive closer has sent its FIN and waits for the final ACK
netstat -n | awk '/^tcp/ {++state[$NF]} END {for(key in state) print key,"\t",state[key]}'
# Find the peers with the most TIME_WAIT connections (column 5 is the foreign address)
netstat -n|grep TIME_WAIT|awk '{print $5}'|sort|uniq -c|sort -rn|head -n20
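The two netstat/awk one-liners above, reworked as an added example (not from the original page) that runs over constructed netstat -n output so the counting logic can be checked without a live system. Instead of guessing IPv4 versus IPv6 from the number of colon-separated fields, it strips the trailing :port with a regex, which works for both address families. The sample addresses are documentation ranges and the connections are invented.

```shell
#!/bin/sh
# Added example (not from the original page): per-state and per-peer TCP
# connection counts over constructed `netstat -n` output.
set -eu

SAMPLE_NETSTAT='Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 10.0.0.5:443            203.0.113.7:51234       ESTABLISHED
tcp        0      0 10.0.0.5:443            203.0.113.7:51235       TIME_WAIT
tcp        0      0 10.0.0.5:443            203.0.113.7:51236       TIME_WAIT
tcp        0      0 10.0.0.5:443            198.51.100.2:40001      ESTABLISHED
tcp        0      0 10.0.0.5:22             198.51.100.2:40002      TIME_WAIT
tcp6       0      0 2001:db8::5:443         2001:db8::9:51000       ESTABLISHED'

# "STATE count" per TCP state, read from stdin (pipe `netstat -n` into it on a real host)
count_states() {
    awk '/^tcp/ { ++state[$NF] } END { for (k in state) print k, state[k] }' | sort
}

# Peers with the most connections in a given state (default TIME_WAIT), top N (default 20).
# The port is removed by matching the last ":digits", so 1.2.3.4:80 and 2001:db8::9:80
# are both handled without counting colons
top_peers() {
    awk -v want="${1:-TIME_WAIT}" '
        /^tcp/ && $NF == want { ip = $5; sub(/:[0-9]+$/, "", ip); ++c[ip] }
        END { for (ip in c) print c[ip], ip }' | sort -rn | head -n "${2:-20}"
}

printf '%s\n' "$SAMPLE_NETSTAT" | count_states              # ESTABLISHED 3 / TIME_WAIT 3
printf '%s\n' "$SAMPLE_NETSTAT" | top_peers TIME_WAIT 5      # 2 203.0.113.7 first
printf '%s\n' "$SAMPLE_NETSTAT" | top_peers ESTABLISHED 5
```

On a live host, `netstat -n | top_peers SYN_RECV 10` is the quick way to see whether a burst of half-open connections comes from a handful of sources.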
Monitor Linux Performance Commands
Top
In top, press F (or O on older versions) and choose the column to sort by, then press Enter; R reverses the current sort order.
PID Process ID
PPID Parent Process ID
RUSER Real User Name
UID User ID of the process owner
USER Username of the process owner
GROUP Group Name of the process owner
TTY Terminal name that started the process. Processes not started from a terminal show as ?
PR Priority
NI Nice value. Negative values indicate high priority, positive values indicate low priority
P Last CPU used, meaningful only in multi-CPU environments
%CPU Percentage of CPU time used from last update to now
TIME Total CPU time used by the process, shown as minutes:seconds
TIME+ Total CPU time used by the process, with hundredths of a second
%MEM Percentage of physical memory used by the process
VIRT Total amount of virtual memory used by the process, in KB. VIRT=SWAP+RES
SWAP Size of virtual memory used by the process that has been swapped out, in KB.
RES Size of physical memory used by the process that has not been swapped out, in KB. RES=CODE+DATA
CODE Size of physical memory occupied by executable code, in KB
DATA Size occupied by parts other than executable code (data segment + stack), in KB
SHR Size of shared memory, in KB
nFLT Number of page faults
nDRT Number of pages modified since last write.
S Process status. D=Uninterruptible sleep state, R=Running, S=Sleeping, T=Tracing/Stopped, Z=Zombie process
COMMAND Command name/command line
WCHAN If the process is sleeping, shows the name of the system function it is sleeping in
Flags Task flags, refer to sched.h
Dmesg, View the Kernel Ring Buffer (boot, driver and hardware messages)
dmesg
Iostat, Disk IO Monitoring
iostat -xz 1
# r/s, w/s, rkB/s, wkB/s: reads and writes per second and the amount read or written per second (in kB). Very high values point to IO as the cause of a performance problem.
# await: average time in milliseconds an IO request takes from issue to completion, queueing plus service time. This is what the application waits for whenever it touches the disk; a high value means the device is overloaded or faulty.
# avgqu-sz: average number of requests queued at the device. Above 1 the device may be saturated, although devices that service requests in parallel (RAID, SSD) can sustain more.
# %util: percentage of time the device was busy. Above 60% IO latency usually starts to climb (check await); at 100% the device is saturated.
# For a logical device (LVM, software RAID) %util does not mean the underlying disks are saturated. And poor IO figures do not automatically mean poor application performance: read-ahead and write caching hide much of it from the application.
Free, Memory Usage
free -m
eg:
             total       used       free     shared    buffers     cached
Mem:          1002        769        232          0         62        421
-/+ buffers/cache:        286        715
Swap:         1153          0       1153
First part Mem line:
total Total memory: 1002M
used Memory used: 769M
free Free memory: 232M
shared Memory shared between processes; this version of free always reports 0 (newer versions report tmpfs/shmem usage here)
buffers Buffer cache memory: 62M
cached Page cache memory: 421M
Relationship: total(1002M) = used(769M) + free(232M)
Second part (-/+ buffers/cache):
(-buffers/cache) used memory: 286M (refers to used in the first part - buffers - cached)
(+buffers/cache) free memory: 715M (refers to free in the first part + buffers + cached)
So -buffers/cache is the memory actually consumed by programs, while +buffers/cache is the total that could be allocated to them, because the kernel drops buffers and page cache on demand.
The third part is the swap partition.
Newer procps-ng versions of free no longer print the -/+ buffers/cache line; they merge buffers and cached into a buff/cache column and add an available column, which is the kernel's own estimate of allocatable memory and the figure to use.
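The arithmetic above, as an added example (not from the original page): an awk filter that reads free -m output and prints the memory actually used by programs and the memory actually allocatable. It handles both the old layout shown above and the current procps-ng layout, in which the -/+ buffers/cache line is gone and an available column gives the kernel's own estimate. Both samples are constructed.

```shell
#!/bin/sh
# Added example (not from the original page): derive "really used" and "really
# allocatable" memory from `free -m` output in either of its two layouts.
set -eu

# Constructed sample in the old procps layout (the one shown on the page)
OLD_FREE='             total       used       free     shared    buffers     cached
Mem:          1002        769        232          0         62        421
-/+ buffers/cache:        286        715
Swap:         1153          0       1153'

# Constructed sample in the procps-ng layout (buff/cache merged, available added)
NEW_FREE='              total        used        free      shared  buff/cache   available
Mem:           7976        2210        3213         120        2553        5321
Swap:          2047           0        2047'

# Reads `free -m` output on stdin, prints "<used by programs> <allocatable>" in MB
real_mem_usage() {
    awk '
        NR == 1 { modern = ($0 ~ /available/) }
        /^Mem:/ {
            if (modern) print $3, $7                     # used already excludes cache; available is the kernel estimate
            else        print $3 - $6 - $7, $4 + $6 + $7 # used - buffers - cached, free + buffers + cached
        }'
}

printf '%s\n' "$OLD_FREE" | real_mem_usage   # 286 715, matching the -/+ line
printf '%s\n' "$NEW_FREE" | real_mem_usage   # 2210 5321
```

For a live host: `free -m | real_mem_usage`. Alerting on the first number rather than on the raw used column avoids paging someone because the page cache filled up.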
Sar, View Network Throughput Status
# The sar command can be used to view the throughput of network devices. When troubleshooting performance issues, you can determine whether the network device is saturated by its throughput.
sar -n DEV 1
# The sar command is used here to view the TCP connection status, which includes:
# active/s: Number of TCP connections initiated locally per second, created through connect calls;
# passive/s: Number of TCP connections initiated remotely per second, created through accept calls;
# retrans/s: Number of TCP retransmissions per second;
# The number of TCP connections can be used to determine whether performance issues are due to too many connections being established, and further determine whether they are actively initiated connections or passively accepted connections. TCP retransmissions may be due to poor network conditions or excessive server load causing packet loss.
sar -n TCP,ETCP 1
Vmstat, Monitor CPU Usage, Memory Usage, Virtual Memory Interaction, IO Read and Write Over Given Time
# 2 is the interval in seconds, 1 the number of reports. Note that the first report is always the average since boot, so for live numbers request several reports (e.g. vmstat 2 5) and ignore the first line
vmstat 2 1
eg:
r b swpd free buff cache si so bi bo in cs us sy id wa
1 0 0 3499840 315836 3819660 0 0 0 1 2 0 0 0 100 0
0 0 0 3499584 315836 3819660 0 0 0 0 88 158 0 0 100 0
0 0 0 3499708 315836 3819660 0 0 0 2 86 162 0 0 100 0
0 0 0 3499708 315836 3819660 0 0 0 10 81 151 0 0 100 0
1 0 0 3499732 315836 3819660 0 0 0 2 83 154 0 0 100 0
r  Run queue: the number of runnable processes waiting for a CPU. If this stays above the number of CPUs, the CPU is the bottleneck. It corresponds to the load average in top; the usual rule of thumb is that a load above 3 is busy, above 5 is high and above 10 is abnormal and the server is in a dangerous state (load scales with the CPU count, so judge it against the number of cores). A large run queue means the CPUs are very busy and usually goes together with high CPU usage.
b  Number of processes in uninterruptible sleep (blocked, typically waiting for IO).
swpd  Amount of swap in use, in KB. A value above 0 means physical memory ran short at some point; if that is not caused by a memory leak, add memory or move memory-hungry tasks to another machine.
free  Free physical memory, in KB; the sample machine has 8 GB in total, of which about 3.4 GB is free.
buff  Buffer cache, which Linux/Unix uses for block-device metadata such as directory entries and permissions; about 300 MB on the sample machine.
cache  Page cache holding the contents of files that have been opened; about 3.6 GB in the sample above (this is the clever part of Linux/Unix: idle physical memory is used to cache files and directories to speed up programs, and buff/cache is handed back quickly when a program needs memory).
si  KB of memory swapped in from disk per second. A value above 0 means physical memory is short or something is leaking; check the memory-hungry processes. The sample machine has ample memory, so it stays at 0.
so  KB of memory swapped out to disk per second; same interpretation as si.
bi  Blocks read from block devices per second (all disks and other block devices; a block is 1024 bytes). The sample machine does no IO, so it is always 0; the author has seen it reach 140000/s on machines moving 2-3 TB of data, about 140 MB/s of disk throughput.
bo  Blocks written to block devices per second; writing files raises bo, reading files raises bi. On an idle machine both are close to 0; sustained high values mean heavy IO that needs looking into.
in  Interrupts per second, including the timer interrupt.
cs  Context switches per second. Every system call switches into the kernel, and thread switches are context switches too, so this value should be as small as possible; if it is too high, consider reducing the number of threads or processes. For web servers such as Apache and Nginx, which are load-tested with thousands or tens of thousands of concurrent connections, the process count can be tuned down until cs settles at a relatively small value, which indicates the right number of processes and threads. A CPU that spends most of its time on context switches has little left for real work.
us  User CPU time. The author once saw this close to 100 on a server doing heavy encryption and decryption, with the run queue at 80 (the machine was under a stress test and performed badly).
sy  System (kernel) CPU time; if this is high, a lot of time is spent in system calls, for example on frequent IO.
id  Idle CPU time; us + sy + id + wa = 100. Read id as the idle percentage, us as the user CPU percentage and sy as the system CPU percentage.
wa  Time the CPU spent waiting for IO (vmstat labels this column wa; some notes call it wt).
Source: siye1982.github.io


