Linux Deep Dive Roadmap

Linux is the operating system of the internet — the vast majority of servers, containers, and cloud infrastructure run Linux. Choose a distribution to learn on: Ubuntu LTS (most beginner-friendly, massive community, what most tutorials use), Debian (minimal, stable, what Ubuntu is based on), or Rocky Linux/AlmaLinux (RHEL-compatible for enterprise environments). Practice environments: WSL2 (Windows Subsystem for Linux — Linux inside Windows, minimal overhead), VirtualBox or VMware (full VM — safer for learning destructive commands), or a cheap VPS on Hetzner/DigitalOcean. Start with Ubuntu 24.04 LTS if in doubt.

The shell is your primary interface on a Linux server. Learn: bash vs zsh (both are POSIX-compatible, zsh has better autocomplete), terminal shortcuts (Ctrl+C kill, Ctrl+Z suspend, Ctrl+R history search, Tab autocomplete), navigation (pwd, ls -la, cd, cd ~, cd -, pushd/popd), file operations (cp, mv, rm -rf, mkdir -p, touch, ln -s for symlinks), viewing files (cat, less, head -n, tail -f for live logs, file for type detection), history (!!, !cmd, history | grep), command chaining (&&, ||, ;), redirection (> overwrite, >> append, 2>&1 stderr), and piping (|).

Linux has a unified filesystem tree — everything is a file, including devices and processes. Learn the FHS (Filesystem Hierarchy Standard): / (root), /etc (config files), /var (variable data — logs, databases), /tmp (temporary, cleared on boot), /home (user home dirs), /root (root user's home), /proc (virtual FS for process/kernel info), /sys (kernel device info), /usr (user programs), /bin and /sbin (essential binaries). Disk management: df -h (disk usage), du -sh /* (directory sizes), lsblk (block devices), fdisk/gdisk (partition tables), mkfs (format), mount/umount, /etc/fstab (auto-mount at boot), LVM (logical volume management).

Linux permissions are fundamental to security. Every file has an owner (user), a group, and three permission sets (owner, group, others) — each with read (r=4), write (w=2), execute (x=1). ls -la shows permissions as -rwxr-xr-x. chmod changes permissions (chmod 755 file or chmod +x script), chown changes owner (chown user:group file). Special bits: setuid (s on user execute — runs as file owner), setgid (s on group execute — new files inherit group), sticky bit (t on directory — only owner can delete their files — used on /tmp). ACLs (getfacl, setfacl) for fine-grained permissions beyond owner/group/other.

Every running program is a process with a PID (process ID). View processes: ps aux (snapshot), top/htop (interactive, real-time), pgrep name (find PID by name). Process states: running, sleeping, stopped, zombie. Send signals with kill PID or kill -SIGNAME PID — SIGTERM (graceful shutdown), SIGKILL (-9, forceful — no cleanup), SIGHUP (reload config — used by many daemons), SIGSTOP/SIGCONT (pause/resume). Job control: & to background a command, jobs to list, fg %1 to foreground, Ctrl+Z to suspend. nohup and disown to keep processes running after logout. nice/renice for CPU priority (nice -n 19 for lowest priority).

The Linux power-user toolkit is text processing. grep — search file content (grep -r pattern dir, -i case-insensitive, -v invert, -n line numbers, -E extended regex). sed — stream editor for substitution (sed 's/old/new/g' file, -i for in-place edit, /d to delete matching lines). awk — field-based text processing (awk '{print $1, $3}' for columns, /pattern/ for filtering, NR for line numbers, sum+=$5 for aggregation). find — search filesystem (find . -name '*.log' -mtime +7 -delete). cut, sort, uniq, wc, tr, xargs. Learn to chain these into one-liners that replace entire scripts.

Network commands every sysadmin needs: ip addr (show interfaces, replace ifconfig), ip route (routing table), ss -tulpn (open ports and listening services — replace netstat), ping, traceroute/tracepath, nslookup/dig (DNS queries), curl -v (HTTP debugging), wget, nc (netcat — test TCP/UDP connectivity). SSH deep dive: key-based auth (ssh-keygen, ssh-copy-id), ~/.ssh/config for named connections, SSH tunnels (port forwarding: -L local, -R remote, -D SOCKS proxy), SCP/SFTP for file transfer. Firewall: ufw (Ubuntu's simple wrapper around iptables), firewalld (RHEL/CentOS), nftables (modern replacement for iptables).

Shell scripting automates repetitive tasks. Learn: shebang (#!/bin/bash), variables ($VAR, ${VAR}), command substitution ($(command)), arithmetic ($(( ))), if/elif/else (test operators: -f file exists, -d dir, -z empty string, -eq numeric equal, ==, !=), for loops (for f in *.log; do; done), while read for processing lines, functions (local variables, return codes), exit codes ($? — 0 is success), set -euo pipefail (fail fast on errors), trap for cleanup on EXIT or SIGINT, and getopts for argument parsing. Write defensive scripts: quote all variables, check exit codes, log to stderr.

Package managers install, update, and remove software while handling dependencies. Debian/Ubuntu: apt (apt update, apt install, apt remove, apt upgrade, apt autoremove — clean orphaned deps), dpkg for .deb files. RHEL/CentOS/Fedora: dnf (replaces yum), rpm for .rpm files. Snap and Flatpak for distro-agnostic packages. Adding PPAs and third-party repos (/etc/apt/sources.list.d/). Compiling from source (./configure && make && make install — when no package exists). Understanding apt pinning to prevent specific packages from auto-upgrading. unattended-upgrades for automatic security patches.

Disk and filesystem management is core sysadmin knowledge. Block devices: lsblk (list block devices), fdisk/gdisk (partition tables — MBR vs GPT), lsblk -f (show filesystem types). Filesystems: mkfs.ext4 /dev/sdb1, mkfs.xfs. Mount and unmount: mount /dev/sdb1 /mnt/data, /etc/fstab (persistent mounts with UUID — lsblk -o NAME,UUID). Inodes: each file is an inode — df -i to see inode usage (can run out of inodes even with free space). LVM (Logical Volume Manager): physical volumes (PV), volume groups (VG), logical volumes (LV) — resize-without-downtime. pvcreate, vgcreate, lvcreate, lvextend + resize2fs. Swap: mkswap, swapon, check with free -h and swapon --show. du -sh * (disk usage by directory), df -h (filesystem usage). find / -size +100M (find large files).

Multi-user system administration. User management: useradd/adduser (adduser is friendlier on Debian), userdel, usermod (add to groups: usermod -aG docker john), passwd (change password), id (show UID/GIDs). Groups: groupadd, groupdel, /etc/group. sudo — grant specific users root-equivalent commands via /etc/sudoers (edit with visudo — never edit directly). Sudoers syntax: user ALL=(ALL) NOPASSWD:ALL (dangerous) vs john ALL=(ALL) /usr/bin/systemctl restart nginx (specific command). /etc/passwd and /etc/shadow (password hashes — use sha512). Service accounts (no shell, no home — useradd -r -s /usr/sbin/nologin) for running daemons.

systemd is the init system on every major Linux distribution — PID 1, manages services, mounts, and the boot process. systemctl commands: start, stop, restart, reload, enable (start at boot), disable, status, is-active, is-enabled. journalctl for logs — journalctl -u nginx -f (follow service logs), -since '1 hour ago', --no-pager -n 100. Write custom unit files (/etc/systemd/system/myapp.service) — [Unit] dependencies, [Service] ExecStart/User/Restart/RestartSec/Environment, [Install] WantedBy. systemd timers as a cron replacement — more control and logging. systemd-analyze blame to identify slow boot services.

Linux has two main logging systems working together. journald (systemd's binary log — fast, structured, persistent in /var/log/journal) queried with journalctl. rsyslog (traditional syslog daemon) writes text files to /var/log/ — /var/log/syslog, auth.log, kern.log, dpkg.log, nginx/access.log. logrotate manages log file rotation, compression, and deletion — config in /etc/logrotate.d/. Centralized logging: forward rsyslog to a remote host or use Filebeat to ship logs to Elasticsearch or Loki. Log levels — debug, info, notice, warning, error, critical, alert, emergency. Set correct log level in production (info, not debug).

Performance analysis follows the USE method — Utilization, Saturation, Errors. CPU: top/htop, mpstat (per-core), perf stat for performance counters. Load average (the 3 numbers in uptime — 1/5/15 minute averages, compare to CPU count). Memory: free -h, /proc/meminfo, vmstat (memory + swap paging), smem (per-process memory). Disk I/O: iostat (device utilization and throughput), iotop (per-process I/O — like top for disk), lsof (open files), strace (system call tracing — debug what a process is doing). Network: iftop (per-host traffic), nethogs (per-process), ss -s (socket statistics), nload. Brendan Gregg's Linux Performance tools map is the definitive reference.

Hardening a fresh Linux server before exposing it to the internet. SSH hardening (/etc/ssh/sshd_config): disable root login (PermitRootLogin no), disable password auth (PasswordAuthentication no — keys only), change port (obscurity, not security but reduces noise), AllowUsers whitelist. Firewall: ufw default deny incoming, allow only needed ports. Fail2ban — reads logs and automatically bans IPs with too many failed auth attempts. unattended-upgrades for auto security patches. AppArmor/SELinux (mandatory access control — confines what processes can do). Lynis — security auditing tool. CIS Benchmarks for Ubuntu/RHEL are the gold standard for hardening checklists.

Nginx is the most deployed web server and reverse proxy. Learn: nginx.conf structure (worker_processes, events, http block), virtual hosts (server blocks in /etc/nginx/sites-available + symlink to sites-enabled), location blocks with regex matching, proxy_pass for reverse proxying to a backend app, load balancing (upstream block with multiple servers and least_conn policy), static file serving with efficient caching headers, gzip compression, SSL/TLS termination with Let's Encrypt certificates (Certbot), HTTP/2 (add http2 to listen directive), rate limiting (limit_req_zone), and security headers (X-Frame-Options, CSP, HSTS). Test config with nginx -t before reloading.