Linux sysadmin
A cheatsheet for sysadmin commands on Linux.
Users and groups
# list users
$ cat /etc/passwd | cut -d: -f 1
# create new user
$ adduser USERNAME
# delete a user
$ deluser --remove-home USERNAME
# add user to group
$ usermod -aG GROUP USERNAME
$ adduser USERNAME GROUP # on Alpine
# remove user from group
$ gpasswd -d USERNAME GROUP
# create a new group
$ addgroup GROUP
# delete a group
$ delgroup GROUP
# list groups
$ getent group
# list groups user is in
$ groups USER
# change login shell
$ chsh
# if not available, manually edit /etc/passwd
File ACLs and extended attributes
See also: "Notes on Linux file ACLs"
# give bob read-write access to myfile.txt
setfacl --modify u:bob:rw myfile.txt
# set multiple ACLs at once
setfacl -m u:bob:rw,u:alice:r,o::--- myfile.txt
# show all ACLs on myfile.txt
getfacl myfile.txt
# set a file attribute (may require 'attr' package)
setfattr -n NAME -v VALUE PATH
# see all file attributes
getfattr -d -m - PATH
# some filesystem attributes (e.g., immutable) are not printed above
lsattr -l PATH
# make a file immutable
sudo chattr +i PATH
Grant sudo privileges
Run sudo visudo and add this line, which lets the user run any command as any user without a password prompt (substitute the actual username for iafisher):
iafisher ALL=(ALL) NOPASSWD: ALL
SSH
See ssh
Network config
- Network config is in /etc/network/interfaces
- DNS config is in /etc/resolv.conf
- Hostname is at /etc/hostname; run hostname -F /etc/hostname to set
- Custom hostname overrides are in /etc/hosts
Check if any process is listening on a port:
$ sudo ss -ltnp | grep :22
Configure firewall (iptables)
# must be run as root
$ iptables -L
$ iptables -A INPUT -p tcp --dport 22 -j ACCEPT
$ iptables -A INPUT -p tcp --dport 22 -s 192.168.1.0/24 -j ACCEPT
# delete a rule
$ iptables -L --line-numbers
$ iptables -D INPUT 3
# deny everything except SSH/HTTP/HTTPS
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
iptables -A INPUT -j REJECT --reject-with icmp-host-prohibited
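An added example, not part of the original cheatsheet: because -A appends to the end of the chain, any rule appended after the final REJECT above is never reached. This script reads `iptables -S INPUT` output and reports such shadowed rules, plus whether unmatched traffic ends up denied; the sample dump and function names are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit an `iptables -S INPUT` dump for rule-order mistakes.

# Constructed sample: the ruleset above as `iptables -S INPUT` would print it,
# plus a port-8080 rule that was appended (-A) after the final REJECT.
sample_rules() {
    cat <<'EOF'
-P INPUT ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A INPUT -p tcp -m tcp --dport 8080 -j ACCEPT
EOF
}

# Print INPUT rules that follow an unconditional REJECT/DROP. Packets never
# reach them, so an ACCEPT listed here is not actually opening anything.
shadowed_rules() {
    awk '$1 == "-A" && $2 == "INPUT" {
             if (catchall) {
                 print
             } else if ($3 == "-j" && ($4 == "REJECT" || $4 == "DROP")) {
                 catchall = 1
             }
         }'
}

# Print "deny" if unmatched packets are dropped or rejected, either by the
# chain policy (-P) or by an unconditional rule; otherwise print "allow".
default_verdict() {
    awk '$1 == "-P" && $2 == "INPUT" && $3 != "ACCEPT" { deny = 1 }
         $1 == "-A" && $2 == "INPUT" && $3 == "-j" &&
             ($4 == "REJECT" || $4 == "DROP") { deny = 1 }
         END { print (deny ? "deny" : "allow") }'
}

echo "default verdict: $(sample_rules | default_verdict)"
echo "shadowed rules:"
sample_rules | shadowed_rules | sed 's/^/  /'
```

On a live host, pipe `iptables -S INPUT` (run as root) into the two functions in place of `sample_rules`. To place a rule ahead of the REJECT, insert it by position with `iptables -I INPUT` instead of appending with -A.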
Configure firewall (firewalld)
$ firewall-cmd --list-all
# list open ports
# (only shows explicit ports, not those from services)
$ firewall-cmd --list-ports
# allow HTTP traffic
$ firewall-cmd --zone=public --add-service=http
# deny HTTP traffic
$ firewall-cmd --zone=public --remove-service=http
# save changes
$ firewall-cmd --runtime-to-permanent
$ firewall-cmd --get-active-zones
Disks and partitions
# list block devices
$ lsblk
# list partitions
$ fdisk -l
# create partition table
$ fdisk /dev/XXX
# list currently-mounted filesystems
$ mount # or
$ df -h
# format a disk with a filesystem
$ mkfs -t ext4 /dev/XXX
# mount a device
$ mount /dev/XXX path/to/mount
# unmount a device
$ umount path/to/mount
Package management
systemd
See systemd